From f048825c7fa70e5f6c7372433005ec34bf61b7c5 Mon Sep 17 00:00:00 2001 
From: Franziskus Kiefer Date: Tue, 19 Apr 2022 13:36:37 +0200 Subject: [PATCH] Merge pull request #61 from cryspen/franziskus/dev-cleanup initial version --- .ci/kitware-archive.sh | 103 + .clabot | 2 +- .clang-format | 1 + .drone.yml | 36 + .github/workflows/build.yml | 246 + .github/workflows/gh-pages.yml | 29 + .github/workflows/ocaml.yml | 79 + .github/workflows/rust.yml | 107 + .gitignore | 17 + .vscode/settings.json | 37 + CLA.md | 4 +- CMakeLists.txt | 366 + LICENSE | 222 +- LICENSE-APACHE | 201 + Makefile | 6 + Readme.md | 126 +- _build.sh | 9 + config/Config.h.in | 33 + config/aarch64-android.cmake | 14 + config/aarch64-darwin.cmake | 17 + config/aarch64-ios.cmake | 16 + config/bug81300.c | 59 + config/config.json | 328 + config/constants.cmake | 9 + config/default_config.cmake | 19 + config/explicit_bzero.c | 8 + config/int128.c | 5 + config/options.cmake | 31 + config/osx_c.sh | 5 + config/s390x.cmake | 10 + config/toolchain.cmake | 139 + config/vec128.c | 29 + config/vec256.c | 13 + config/x64-darwin.cmake | 17 + cpu-features.md | 141 + cpu-features/include/hacl-cpu-features.h | 33 + cpu-features/include/internal_state.h | 40 + cpu-features/src/cpu-features.c | 283 + cpu-features/src/main.c | 43 + docker/Dockerfile | 12 + docker/build.sh | 18 + docker/everest/Dockerfile | 160 + docker/generate/Dockerfile | 9 + docker/generate/generate.sh | 16 + docs/.gitignore | 1 + docs/book.toml | 6 + docs/src/SUMMARY.md | 39 + docs/src/algorithms.md | 28 + docs/src/developers/build-process.md | 44 + docs/src/developers/ci.md | 1 + docs/src/developers/ocaml-build.md | 39 + docs/src/developers/readme.md | 4 + docs/src/developers/repo-overview.md | 69 + docs/src/developers/rust-build.md | 1 + docs/src/hacl-c/readme.md | 1 + docs/src/hacl-js/readme.md | 1 + docs/src/hacl-ocaml/readme.md | 1 + docs/src/hacl-rust/aead.md | 61 + docs/src/hacl-rust/readme.md | 8 + docs/src/installation.md | 1 + docs/src/mach/build.md | 67 + docs/src/mach/readme.md | 24 + 
docs/src/mach/test.md | 13 + docs/src/platforms.md | 40 + docs/src/readme.md | 57 + include/EverCrypt_AEAD.h | 276 + include/EverCrypt_AutoConfig2.h | 118 + include/EverCrypt_CTR.h | 85 + include/EverCrypt_Chacha20Poly1305.h | 73 + include/EverCrypt_Cipher.h | 56 + include/EverCrypt_Curve25519.h | 54 + include/EverCrypt_DRBG.h | 224 + include/EverCrypt_Ed25519.h | 57 + include/EverCrypt_Error.h | 67 + include/EverCrypt_HKDF.h | 207 + include/EverCrypt_HMAC.h | 119 + include/EverCrypt_Hacl.h | 72 + include/EverCrypt_Hash.h | 291 + include/EverCrypt_Helpers.h | 62 + include/EverCrypt_Poly1305.h | 51 + include/EverCrypt_StaticConfig.h | 54 + include/Hacl_AES128.h | 51 + include/Hacl_Bignum25519_51.h | 678 ++ include/Hacl_Bignum256.h | 409 + include/Hacl_Bignum256_32.h | 401 + include/Hacl_Bignum32.h | 400 + include/Hacl_Bignum4096.h | 405 + include/Hacl_Bignum4096_32.h | 405 + include/Hacl_Bignum64.h | 400 + include/Hacl_Bignum_Base.h | 77 + include/Hacl_Chacha20.h | 66 + include/Hacl_Chacha20Poly1305_128.h | 72 + include/Hacl_Chacha20Poly1305_256.h | 72 + include/Hacl_Chacha20Poly1305_32.h | 72 + include/Hacl_Chacha20_Vec128.h | 66 + include/Hacl_Chacha20_Vec256.h | 66 + include/Hacl_Chacha20_Vec32.h | 66 + include/Hacl_Curve25519_51.h | 53 + include/Hacl_Curve25519_64.h | 52 + include/Hacl_Curve25519_64_Slow.h | 53 + include/Hacl_EC_Ed25519.h | 79 + include/Hacl_Ed25519.h | 59 + include/Hacl_FFDHE.h | 73 + include/Hacl_Frodo1344.h | 63 + include/Hacl_Frodo64.h | 68 + include/Hacl_Frodo640.h | 63 + include/Hacl_Frodo976.h | 63 + include/Hacl_Frodo_KEM.h | 583 ++ include/Hacl_GenericField32.h | 279 + include/Hacl_GenericField64.h | 270 + include/Hacl_HKDF.h | 122 + include/Hacl_HKDF_Blake2b_256.h | 65 + include/Hacl_HKDF_Blake2s_128.h | 65 + include/Hacl_HMAC.h | 103 + include/Hacl_HMAC_Blake2b_256.h | 56 + include/Hacl_HMAC_Blake2s_128.h | 55 + include/Hacl_HMAC_DRBG.h | 106 + include/Hacl_HPKE_Curve51_CP128_SHA256.h | 92 + include/Hacl_HPKE_Curve51_CP128_SHA512.h | 
92 + include/Hacl_HPKE_Curve51_CP256_SHA256.h | 92 + include/Hacl_HPKE_Curve51_CP256_SHA512.h | 92 + include/Hacl_HPKE_Curve51_CP32_SHA256.h | 92 + include/Hacl_HPKE_Curve51_CP32_SHA512.h | 92 + include/Hacl_HPKE_Curve64_CP128_SHA256.h | 92 + include/Hacl_HPKE_Curve64_CP128_SHA512.h | 92 + include/Hacl_HPKE_Curve64_CP256_SHA256.h | 92 + include/Hacl_HPKE_Curve64_CP256_SHA512.h | 92 + include/Hacl_HPKE_Curve64_CP32_SHA256.h | 92 + include/Hacl_HPKE_Curve64_CP32_SHA512.h | 92 + include/Hacl_HPKE_P256_CP128_SHA256.h | 91 + include/Hacl_HPKE_P256_CP256_SHA256.h | 91 + include/Hacl_HPKE_P256_CP32_SHA256.h | 91 + include/Hacl_Hash_Base.h | 54 + include/Hacl_Hash_Blake2.h | 140 + include/Hacl_Hash_Blake2b_256.h | 97 + include/Hacl_Hash_Blake2s_128.h | 97 + include/Hacl_Hash_MD5.h | 58 + include/Hacl_Hash_SHA1.h | 58 + include/Hacl_Hash_SHA2.h | 94 + include/Hacl_Impl_Blake2_Constants.h | 96 + include/Hacl_Impl_FFDHE_Constants.h | 570 ++ include/Hacl_IntTypes_Intrinsics.h | 87 + include/Hacl_IntTypes_Intrinsics_128.h | 75 + include/Hacl_Kremlib.h | 88 + include/Hacl_NaCl.h | 162 + include/Hacl_P256.h | 393 + include/Hacl_Poly1305_128.h | 70 + include/Hacl_Poly1305_256.h | 70 + include/Hacl_Poly1305_32.h | 60 + include/Hacl_RSAPSS.h | 117 + include/Hacl_SHA2_Generic.h | 135 + include/Hacl_SHA2_Scalar32.h | 55 + include/Hacl_SHA2_Vec128.h | 73 + include/Hacl_SHA2_Vec256.h | 115 + include/Hacl_SHA3.h | 113 + include/Hacl_Salsa20.h | 70 + include/Hacl_Spec.h | 97 + include/Hacl_Streaming_Blake2.h | 149 + include/Hacl_Streaming_Blake2b_256.h | 106 + include/Hacl_Streaming_Blake2s_128.h | 105 + include/Hacl_Streaming_MD5.h | 64 + include/Hacl_Streaming_Poly1305_128.h | 76 + include/Hacl_Streaming_Poly1305_256.h | 76 + include/Hacl_Streaming_Poly1305_32.h | 75 + include/Hacl_Streaming_SHA1.h | 65 + include/Hacl_Streaming_SHA2.h | 127 + include/Lib_Memzero0.h | 48 + include/Lib_PrintBuffer.h | 56 + include/Lib_RandomBuffer_System.h | 54 + include/MerkleTree.h | 550 ++ 
include/TestLib.h | 91 + include/c89/EverCrypt_AEAD.h | 276 + include/c89/EverCrypt_AutoConfig2.h | 118 + include/c89/EverCrypt_CTR.h | 85 + include/c89/EverCrypt_Chacha20Poly1305.h | 73 + include/c89/EverCrypt_Cipher.h | 56 + include/c89/EverCrypt_Curve25519.h | 54 + include/c89/EverCrypt_DRBG.h | 224 + include/c89/EverCrypt_Ed25519.h | 57 + include/c89/EverCrypt_Error.h | 67 + include/c89/EverCrypt_HKDF.h | 207 + include/c89/EverCrypt_HMAC.h | 119 + include/c89/EverCrypt_Hacl.h | 72 + include/c89/EverCrypt_Hash.h | 291 + include/c89/EverCrypt_Helpers.h | 62 + include/c89/EverCrypt_Poly1305.h | 51 + include/c89/EverCrypt_StaticConfig.h | 54 + include/c89/Hacl_AES128.h | 51 + include/c89/Hacl_Bignum25519_51.h | 679 ++ include/c89/Hacl_Bignum256.h | 409 + include/c89/Hacl_Bignum256_32.h | 401 + include/c89/Hacl_Bignum32.h | 400 + include/c89/Hacl_Bignum4096.h | 405 + include/c89/Hacl_Bignum4096_32.h | 405 + include/c89/Hacl_Bignum64.h | 400 + include/c89/Hacl_Bignum_Base.h | 77 + include/c89/Hacl_Chacha20.h | 66 + include/c89/Hacl_Chacha20Poly1305_128.h | 72 + include/c89/Hacl_Chacha20Poly1305_256.h | 72 + include/c89/Hacl_Chacha20Poly1305_32.h | 72 + include/c89/Hacl_Chacha20_Vec128.h | 66 + include/c89/Hacl_Chacha20_Vec256.h | 66 + include/c89/Hacl_Chacha20_Vec32.h | 66 + include/c89/Hacl_Curve25519_51.h | 53 + include/c89/Hacl_Curve25519_64.h | 52 + include/c89/Hacl_Curve25519_64_Slow.h | 53 + include/c89/Hacl_EC_Ed25519.h | 79 + include/c89/Hacl_Ed25519.h | 59 + include/c89/Hacl_FFDHE.h | 73 + include/c89/Hacl_Frodo1344.h | 63 + include/c89/Hacl_Frodo64.h | 68 + include/c89/Hacl_Frodo640.h | 63 + include/c89/Hacl_Frodo976.h | 63 + include/c89/Hacl_Frodo_KEM.h | 663 ++ include/c89/Hacl_GenericField32.h | 279 + include/c89/Hacl_GenericField64.h | 270 + include/c89/Hacl_HKDF.h | 122 + include/c89/Hacl_HKDF_Blake2b_256.h | 65 + include/c89/Hacl_HKDF_Blake2s_128.h | 65 + include/c89/Hacl_HMAC.h | 103 + include/c89/Hacl_HMAC_Blake2b_256.h | 56 + 
include/c89/Hacl_HMAC_Blake2s_128.h | 55 + include/c89/Hacl_HMAC_DRBG.h | 106 + include/c89/Hacl_HPKE_Curve51_CP128_SHA256.h | 92 + include/c89/Hacl_HPKE_Curve51_CP128_SHA512.h | 92 + include/c89/Hacl_HPKE_Curve51_CP256_SHA256.h | 92 + include/c89/Hacl_HPKE_Curve51_CP256_SHA512.h | 92 + include/c89/Hacl_HPKE_Curve51_CP32_SHA256.h | 92 + include/c89/Hacl_HPKE_Curve51_CP32_SHA512.h | 92 + include/c89/Hacl_HPKE_Curve64_CP128_SHA256.h | 92 + include/c89/Hacl_HPKE_Curve64_CP128_SHA512.h | 92 + include/c89/Hacl_HPKE_Curve64_CP256_SHA256.h | 92 + include/c89/Hacl_HPKE_Curve64_CP256_SHA512.h | 92 + include/c89/Hacl_HPKE_Curve64_CP32_SHA256.h | 92 + include/c89/Hacl_HPKE_Curve64_CP32_SHA512.h | 92 + include/c89/Hacl_HPKE_P256_CP128_SHA256.h | 91 + include/c89/Hacl_HPKE_P256_CP256_SHA256.h | 91 + include/c89/Hacl_HPKE_P256_CP32_SHA256.h | 91 + include/c89/Hacl_Hash_Base.h | 54 + include/c89/Hacl_Hash_Blake2.h | 140 + include/c89/Hacl_Hash_Blake2b_256.h | 97 + include/c89/Hacl_Hash_Blake2s_128.h | 97 + include/c89/Hacl_Hash_MD5.h | 58 + include/c89/Hacl_Hash_SHA1.h | 58 + include/c89/Hacl_Hash_SHA2.h | 94 + include/c89/Hacl_Impl_Blake2_Constants.h | 96 + include/c89/Hacl_Impl_FFDHE_Constants.h | 570 ++ include/c89/Hacl_IntTypes_Intrinsics.h | 87 + include/c89/Hacl_IntTypes_Intrinsics_128.h | 75 + include/c89/Hacl_Kremlib.h | 88 + include/c89/Hacl_NaCl.h | 162 + include/c89/Hacl_P256.h | 393 + include/c89/Hacl_Poly1305_128.h | 70 + include/c89/Hacl_Poly1305_256.h | 70 + include/c89/Hacl_Poly1305_32.h | 60 + include/c89/Hacl_RSAPSS.h | 117 + include/c89/Hacl_SHA2_Generic.h | 135 + include/c89/Hacl_SHA2_Scalar32.h | 55 + include/c89/Hacl_SHA2_Vec128.h | 73 + include/c89/Hacl_SHA2_Vec256.h | 115 + include/c89/Hacl_SHA3.h | 113 + include/c89/Hacl_Salsa20.h | 70 + include/c89/Hacl_Spec.h | 97 + include/c89/Hacl_Streaming_Blake2.h | 149 + include/c89/Hacl_Streaming_Blake2b_256.h | 106 + include/c89/Hacl_Streaming_Blake2s_128.h | 105 + include/c89/Hacl_Streaming_MD5.h | 64 + 
include/c89/Hacl_Streaming_Poly1305_128.h | 76 + include/c89/Hacl_Streaming_Poly1305_256.h | 76 + include/c89/Hacl_Streaming_Poly1305_32.h | 75 + include/c89/Hacl_Streaming_SHA1.h | 65 + include/c89/Hacl_Streaming_SHA2.h | 127 + include/c89/Lib_Memzero0.h | 48 + include/c89/Lib_PrintBuffer.h | 56 + include/c89/Lib_RandomBuffer_System.h | 54 + include/c89/TestLib.h | 91 + include/c89/curve25519-inline.h | 751 ++ include/c89/evercrypt_targetconfig.h | 56 + include/c89/internal/Hacl_Bignum.h | 366 + include/c89/internal/Hacl_Chacha20.h | 61 + include/c89/internal/Hacl_Curve25519_51.h | 56 + include/c89/internal/Hacl_Ed25519.h | 68 + include/c89/internal/Hacl_Frodo_KEM.h | 48 + include/c89/internal/Hacl_HMAC.h | 63 + include/c89/internal/Hacl_Hash_Blake2.h | 123 + include/c89/internal/Hacl_Hash_Blake2b_256.h | 73 + include/c89/internal/Hacl_Hash_Blake2s_128.h | 73 + include/c89/internal/Hacl_Hash_MD5.h | 52 + include/c89/internal/Hacl_Hash_SHA1.h | 52 + include/c89/internal/Hacl_Hash_SHA2.h | 68 + include/c89/internal/Hacl_P256.h | 65 + include/c89/internal/Hacl_Poly1305_128.h | 55 + include/c89/internal/Hacl_Poly1305_256.h | 55 + include/c89/internal/Hacl_SHA2_Vec256.h | 75 + include/c89/internal/Hacl_Spec.h | 61 + include/c89/internal/Vale.h | 216 + include/c89/lib_intrinsics.h | 83 + include/c89/libintvector.h | 937 ++ include/curve25519-inline.h | 751 ++ include/evercrypt_targetconfig.h | 56 + include/internal/Hacl_Bignum.h | 367 + include/internal/Hacl_Chacha20.h | 61 + include/internal/Hacl_Curve25519_51.h | 57 + include/internal/Hacl_Ed25519.h | 69 + include/internal/Hacl_Frodo_KEM.h | 49 + include/internal/Hacl_HMAC.h | 63 + include/internal/Hacl_Hash_Blake2.h | 124 + include/internal/Hacl_Hash_Blake2b_256.h | 74 + include/internal/Hacl_Hash_Blake2s_128.h | 74 + include/internal/Hacl_Hash_MD5.h | 52 + include/internal/Hacl_Hash_SHA1.h | 52 + include/internal/Hacl_Hash_SHA2.h | 68 + include/internal/Hacl_Kremlib.h | 48 + include/internal/Hacl_P256.h | 66 + 
include/internal/Hacl_Poly1305_128.h | 55 + include/internal/Hacl_Poly1305_256.h | 55 + include/internal/Hacl_SHA2_Vec128.h | 76 + include/internal/Hacl_SHA2_Vec256.h | 75 + include/internal/Hacl_Spec.h | 61 + include/internal/Vale.h | 216 + include/lib_intrinsics.h | 83 + include/libintvector.h | 937 ++ include/msvc/EverCrypt_AEAD.h | 276 + include/msvc/EverCrypt_AutoConfig2.h | 118 + include/msvc/EverCrypt_CTR.h | 85 + include/msvc/EverCrypt_Chacha20Poly1305.h | 73 + include/msvc/EverCrypt_Cipher.h | 56 + include/msvc/EverCrypt_Curve25519.h | 54 + include/msvc/EverCrypt_DRBG.h | 224 + include/msvc/EverCrypt_Ed25519.h | 57 + include/msvc/EverCrypt_Error.h | 67 + include/msvc/EverCrypt_HKDF.h | 207 + include/msvc/EverCrypt_HMAC.h | 119 + include/msvc/EverCrypt_Hacl.h | 72 + include/msvc/EverCrypt_Hash.h | 291 + include/msvc/EverCrypt_Helpers.h | 62 + include/msvc/EverCrypt_Poly1305.h | 51 + include/msvc/EverCrypt_StaticConfig.h | 54 + include/msvc/Hacl_AES128.h | 51 + include/msvc/Hacl_Bignum25519_51.h | 678 ++ include/msvc/Hacl_Bignum256.h | 409 + include/msvc/Hacl_Bignum256_32.h | 401 + include/msvc/Hacl_Bignum32.h | 400 + include/msvc/Hacl_Bignum4096.h | 405 + include/msvc/Hacl_Bignum4096_32.h | 405 + include/msvc/Hacl_Bignum64.h | 400 + include/msvc/Hacl_Bignum_Base.h | 77 + include/msvc/Hacl_Chacha20.h | 66 + include/msvc/Hacl_Chacha20Poly1305_128.h | 72 + include/msvc/Hacl_Chacha20Poly1305_256.h | 72 + include/msvc/Hacl_Chacha20Poly1305_32.h | 72 + include/msvc/Hacl_Chacha20_Vec128.h | 66 + include/msvc/Hacl_Chacha20_Vec256.h | 66 + include/msvc/Hacl_Chacha20_Vec32.h | 66 + include/msvc/Hacl_Curve25519_51.h | 53 + include/msvc/Hacl_Curve25519_64.h | 52 + include/msvc/Hacl_Curve25519_64_Slow.h | 53 + include/msvc/Hacl_EC_Ed25519.h | 79 + include/msvc/Hacl_Ed25519.h | 59 + include/msvc/Hacl_FFDHE.h | 73 + include/msvc/Hacl_Frodo1344.h | 63 + include/msvc/Hacl_Frodo64.h | 68 + include/msvc/Hacl_Frodo640.h | 63 + include/msvc/Hacl_Frodo976.h | 63 + 
include/msvc/Hacl_Frodo_KEM.h | 583 ++ include/msvc/Hacl_GenericField32.h | 279 + include/msvc/Hacl_GenericField64.h | 270 + include/msvc/Hacl_HKDF.h | 122 + include/msvc/Hacl_HKDF_Blake2b_256.h | 65 + include/msvc/Hacl_HKDF_Blake2s_128.h | 65 + include/msvc/Hacl_HMAC.h | 103 + include/msvc/Hacl_HMAC_Blake2b_256.h | 56 + include/msvc/Hacl_HMAC_Blake2s_128.h | 55 + include/msvc/Hacl_HMAC_DRBG.h | 106 + include/msvc/Hacl_HPKE_Curve51_CP128_SHA256.h | 92 + include/msvc/Hacl_HPKE_Curve51_CP128_SHA512.h | 92 + include/msvc/Hacl_HPKE_Curve51_CP256_SHA256.h | 92 + include/msvc/Hacl_HPKE_Curve51_CP256_SHA512.h | 92 + include/msvc/Hacl_HPKE_Curve51_CP32_SHA256.h | 92 + include/msvc/Hacl_HPKE_Curve51_CP32_SHA512.h | 92 + include/msvc/Hacl_HPKE_Curve64_CP128_SHA256.h | 92 + include/msvc/Hacl_HPKE_Curve64_CP128_SHA512.h | 92 + include/msvc/Hacl_HPKE_Curve64_CP256_SHA256.h | 92 + include/msvc/Hacl_HPKE_Curve64_CP256_SHA512.h | 92 + include/msvc/Hacl_HPKE_Curve64_CP32_SHA256.h | 92 + include/msvc/Hacl_HPKE_Curve64_CP32_SHA512.h | 92 + include/msvc/Hacl_HPKE_P256_CP128_SHA256.h | 91 + include/msvc/Hacl_HPKE_P256_CP256_SHA256.h | 91 + include/msvc/Hacl_HPKE_P256_CP32_SHA256.h | 91 + include/msvc/Hacl_Hash_Base.h | 54 + include/msvc/Hacl_Hash_Blake2.h | 140 + include/msvc/Hacl_Hash_Blake2b_256.h | 97 + include/msvc/Hacl_Hash_Blake2s_128.h | 97 + include/msvc/Hacl_Hash_MD5.h | 58 + include/msvc/Hacl_Hash_SHA1.h | 58 + include/msvc/Hacl_Hash_SHA2.h | 94 + include/msvc/Hacl_Impl_Blake2_Constants.h | 96 + include/msvc/Hacl_Impl_FFDHE_Constants.h | 570 ++ include/msvc/Hacl_IntTypes_Intrinsics.h | 87 + include/msvc/Hacl_IntTypes_Intrinsics_128.h | 75 + include/msvc/Hacl_Kremlib.h | 88 + include/msvc/Hacl_NaCl.h | 162 + include/msvc/Hacl_P256.h | 393 + include/msvc/Hacl_Poly1305_128.h | 70 + include/msvc/Hacl_Poly1305_256.h | 70 + include/msvc/Hacl_Poly1305_32.h | 60 + include/msvc/Hacl_RSAPSS.h | 117 + include/msvc/Hacl_SHA2_Generic.h | 135 + include/msvc/Hacl_SHA2_Scalar32.h | 55 + 
include/msvc/Hacl_SHA2_Vec128.h | 73 + include/msvc/Hacl_SHA2_Vec256.h | 115 + include/msvc/Hacl_SHA3.h | 113 + include/msvc/Hacl_Salsa20.h | 70 + include/msvc/Hacl_Spec.h | 97 + include/msvc/Hacl_Streaming_Blake2.h | 149 + include/msvc/Hacl_Streaming_Blake2b_256.h | 106 + include/msvc/Hacl_Streaming_Blake2s_128.h | 105 + include/msvc/Hacl_Streaming_MD5.h | 64 + include/msvc/Hacl_Streaming_Poly1305_128.h | 76 + include/msvc/Hacl_Streaming_Poly1305_256.h | 76 + include/msvc/Hacl_Streaming_Poly1305_32.h | 75 + include/msvc/Hacl_Streaming_SHA1.h | 65 + include/msvc/Hacl_Streaming_SHA2.h | 127 + include/msvc/Lib_Memzero0.h | 48 + include/msvc/Lib_PrintBuffer.h | 56 + include/msvc/Lib_RandomBuffer_System.h | 54 + include/msvc/MerkleTree.h | 550 ++ include/msvc/TestLib.h | 91 + include/msvc/curve25519-inline.h | 751 ++ include/msvc/evercrypt_targetconfig.h | 56 + include/msvc/internal/Hacl_Bignum.h | 367 + include/msvc/internal/Hacl_Chacha20.h | 61 + include/msvc/internal/Hacl_Curve25519_51.h | 57 + include/msvc/internal/Hacl_Ed25519.h | 69 + include/msvc/internal/Hacl_Frodo_KEM.h | 49 + include/msvc/internal/Hacl_HMAC.h | 63 + include/msvc/internal/Hacl_Hash_Blake2.h | 124 + include/msvc/internal/Hacl_Hash_Blake2b_256.h | 74 + include/msvc/internal/Hacl_Hash_Blake2s_128.h | 74 + include/msvc/internal/Hacl_Hash_MD5.h | 52 + include/msvc/internal/Hacl_Hash_SHA1.h | 52 + include/msvc/internal/Hacl_Hash_SHA2.h | 68 + include/msvc/internal/Hacl_Kremlib.h | 48 + include/msvc/internal/Hacl_P256.h | 66 + include/msvc/internal/Hacl_Poly1305_128.h | 55 + include/msvc/internal/Hacl_Poly1305_256.h | 55 + include/msvc/internal/Hacl_SHA2_Vec128.h | 76 + include/msvc/internal/Hacl_SHA2_Vec256.h | 75 + include/msvc/internal/Hacl_Spec.h | 61 + include/msvc/internal/Vale.h | 216 + include/msvc/lib_intrinsics.h | 83 + include/msvc/libintvector.h | 937 ++ kremlin/include/kremlib.h | 28 + kremlin/include/kremlin/c_endianness.h | 13 + kremlin/include/kremlin/fstar_int.h | 81 + 
kremlin/include/kremlin/internal/builtin.h | 16 + kremlin/include/kremlin/internal/callconv.h | 46 + kremlin/include/kremlin/internal/compat.h | 32 + kremlin/include/kremlin/internal/debug.h | 57 + kremlin/include/kremlin/internal/target.h | 113 + kremlin/include/kremlin/internal/types.h | 105 + .../include/kremlin/internal/wasmsupport.h | 5 + kremlin/include/kremlin/lowstar_endianness.h | 230 + kremlin/kremlib/dist/minimal/FStar_UInt128.h | 80 + .../dist/minimal/FStar_UInt128_Verified.h | 347 + .../dist/minimal/FStar_UInt_8_16_32_64.h | 215 + .../kremlib/dist/minimal/LowStar_Endianness.h | 29 + kremlin/kremlib/dist/minimal/Makefile.basic | 56 + kremlin/kremlib/dist/minimal/Makefile.include | 5 + .../dist/minimal/fstar_uint128_gcc64.h | 165 + .../kremlib/dist/minimal/fstar_uint128_msvc.h | 510 + .../minimal/fstar_uint128_struct_endianness.h | 68 + kremlin/kremlib/dist/minimal/libkremlib.def | 11 + mach | 352 + ocaml/.gitignore | 15 + ocaml/META | 6 + ocaml/Makefile | 156 + ocaml/__init__.py | 0 ocaml/ctypes.depend | 277 + ocaml/hacl-star-raw.opam | 37 + ocaml/hacl-star/.gitignore | 5 + ocaml/hacl-star/AutoConfig2.ml | 28 + ocaml/hacl-star/CHANGES.md | 46 + ocaml/hacl-star/EverCrypt.ml | 311 + ocaml/hacl-star/EverCrypt.mli | 331 + ocaml/hacl-star/Hacl.ml | 582 ++ ocaml/hacl-star/Hacl.mli | 554 ++ ocaml/hacl-star/SharedDefs.ml | 384 + ocaml/hacl-star/SharedFunctors.ml | 402 + ocaml/hacl-star/dune | 16 + ocaml/hacl-star/dune-project | 2 + ocaml/hacl-star/hacl-star.opam | 35 + ocaml/hacl-star/index.mld | 5 + ocaml/hacl-star/tests/aead_test.ml | 147 + ocaml/hacl-star/tests/config_test.ml | 33 + ocaml/hacl-star/tests/curve25519_test.ml | 82 + ocaml/hacl-star/tests/drbg_test.ml | 31 + ocaml/hacl-star/tests/dune | 20 + ocaml/hacl-star/tests/ed25519_test.ml | 74 + ocaml/hacl-star/tests/hash_test.ml | 349 + ocaml/hacl-star/tests/hkdf_test.ml | 104 + ocaml/hacl-star/tests/hmac_test.ml | 105 + ocaml/hacl-star/tests/nacl_test.ml | 229 + ocaml/hacl-star/tests/p256_test.ml | 183 
+ ocaml/hacl-star/tests/poly1305_test.ml | 65 + ocaml/hacl-star/tests/test_utils.ml | 33 + ocaml/lib/EverCrypt_AEAD_bindings.ml | 194 + ocaml/lib/EverCrypt_AutoConfig2_bindings.ml | 88 + ocaml/lib/EverCrypt_CTR_bindings.ml | 40 + .../EverCrypt_Chacha20Poly1305_bindings.ml | 24 + ocaml/lib/EverCrypt_Cipher_bindings.ml | 12 + ocaml/lib/EverCrypt_Curve25519_bindings.ml | 14 + ocaml/lib/EverCrypt_DRBG_bindings.ml | 122 + ocaml/lib/EverCrypt_Ed25519_bindings.ml | 23 + ocaml/lib/EverCrypt_Error_bindings.ml | 20 + ocaml/lib/EverCrypt_HKDF_bindings.ml | 109 + ocaml/lib/EverCrypt_HMAC_bindings.ml | 50 + ocaml/lib/EverCrypt_Hash_bindings.ml | 215 + ocaml/lib/EverCrypt_Poly1305_bindings.ml | 9 + ocaml/lib/EverCrypt_StaticConfig_bindings.ml | 13 + ocaml/lib/EverCrypt_Vale_bindings.ml | 16 + ocaml/lib/Hacl_Bignum25519_51_bindings.ml | 24 + ocaml/lib/Hacl_Bignum256_32_bindings.ml | 99 + ocaml/lib/Hacl_Bignum256_bindings.ml | 110 + ocaml/lib/Hacl_Bignum32_bindings.ml | 112 + ocaml/lib/Hacl_Bignum4096_32_bindings.ml | 99 + ocaml/lib/Hacl_Bignum4096_bindings.ml | 99 + ocaml/lib/Hacl_Bignum64_bindings.ml | 112 + ocaml/lib/Hacl_Bignum_Base_bindings.ml | 20 + ocaml/lib/Hacl_Bignum_bindings.ml | 257 + .../lib/Hacl_Chacha20Poly1305_128_bindings.ml | 24 + .../lib/Hacl_Chacha20Poly1305_256_bindings.ml | 24 + .../lib/Hacl_Chacha20Poly1305_32_bindings.ml | 24 + ocaml/lib/Hacl_Chacha20_Vec128_bindings.ml | 19 + ocaml/lib/Hacl_Chacha20_Vec256_bindings.ml | 19 + ocaml/lib/Hacl_Chacha20_Vec32_bindings.ml | 19 + ocaml/lib/Hacl_Chacha20_bindings.ml | 31 + ocaml/lib/Hacl_Curve25519_51_bindings.ml | 14 + ocaml/lib/Hacl_Curve25519_64_Slow_bindings.ml | 14 + ocaml/lib/Hacl_Curve25519_64_bindings.ml | 14 + ocaml/lib/Hacl_EC_Ed25519_bindings.ml | 58 + ocaml/lib/Hacl_Ed25519_bindings.ml | 55 + ocaml/lib/Hacl_FFDHE_bindings.ml | 33 + ocaml/lib/Hacl_Frodo1344_bindings.ml | 24 + ocaml/lib/Hacl_Frodo640_bindings.ml | 24 + ocaml/lib/Hacl_Frodo64_bindings.ml | 24 + ocaml/lib/Hacl_Frodo976_bindings.ml | 24 + 
ocaml/lib/Hacl_Frodo_KEM_bindings.ml | 117 + ocaml/lib/Hacl_GenericField32_bindings.ml | 82 + ocaml/lib/Hacl_GenericField64_bindings.ml | 71 + ocaml/lib/Hacl_HKDF_Blake2b_256_bindings.ml | 17 + ocaml/lib/Hacl_HKDF_Blake2s_128_bindings.ml | 17 + ocaml/lib/Hacl_HKDF_bindings.ml | 53 + ocaml/lib/Hacl_HMAC_Blake2b_256_bindings.ml | 10 + ocaml/lib/Hacl_HMAC_Blake2s_128_bindings.ml | 10 + ocaml/lib/Hacl_HMAC_DRBG_bindings.ml | 58 + ocaml/lib/Hacl_HMAC_bindings.ml | 35 + ...Hacl_HPKE_Curve51_CP128_SHA256_bindings.ml | 38 + ...Hacl_HPKE_Curve51_CP128_SHA512_bindings.ml | 38 + ...Hacl_HPKE_Curve51_CP256_SHA256_bindings.ml | 38 + ...Hacl_HPKE_Curve51_CP256_SHA512_bindings.ml | 38 + .../Hacl_HPKE_Curve51_CP32_SHA256_bindings.ml | 38 + .../Hacl_HPKE_Curve51_CP32_SHA512_bindings.ml | 38 + ...Hacl_HPKE_Curve64_CP128_SHA256_bindings.ml | 38 + ...Hacl_HPKE_Curve64_CP128_SHA512_bindings.ml | 38 + ...Hacl_HPKE_Curve64_CP256_SHA256_bindings.ml | 38 + ...Hacl_HPKE_Curve64_CP256_SHA512_bindings.ml | 38 + .../Hacl_HPKE_Curve64_CP32_SHA256_bindings.ml | 38 + .../Hacl_HPKE_Curve64_CP32_SHA512_bindings.ml | 38 + .../Hacl_HPKE_P256_CP128_SHA256_bindings.ml | 38 + .../Hacl_HPKE_P256_CP256_SHA256_bindings.ml | 38 + .../Hacl_HPKE_P256_CP32_SHA256_bindings.ml | 38 + ocaml/lib/Hacl_Hash_Base_bindings.ml | 19 + ocaml/lib/Hacl_Hash_Blake2_bindings.ml | 88 + ocaml/lib/Hacl_Hash_Blake2b_256_bindings.ml | 15 + ocaml/lib/Hacl_Hash_Blake2s_128_bindings.ml | 15 + ocaml/lib/Hacl_Hash_MD5_bindings.ml | 24 + ocaml/lib/Hacl_Hash_SHA1_bindings.ml | 24 + ocaml/lib/Hacl_Hash_SHA2_bindings.ml | 70 + .../Hacl_IntTypes_Intrinsics_128_bindings.ml | 15 + .../lib/Hacl_IntTypes_Intrinsics_bindings.ml | 25 + ocaml/lib/Hacl_NaCl_bindings.ml | 93 + ocaml/lib/Hacl_P256_bindings.ml | 97 + ocaml/lib/Hacl_Poly1305_128_bindings.ml | 11 + ocaml/lib/Hacl_Poly1305_256_bindings.ml | 11 + ocaml/lib/Hacl_Poly1305_32_bindings.ml | 24 + ocaml/lib/Hacl_RSAPSS_bindings.ml | 68 + ocaml/lib/Hacl_SHA2_Scalar32_bindings.ml | 17 + 
ocaml/lib/Hacl_SHA2_Vec128_bindings.ml | 27 + ocaml/lib/Hacl_SHA2_Vec256_bindings.ml | 67 + ocaml/lib/Hacl_SHA3_bindings.ml | 54 + ocaml/lib/Hacl_Salsa20_bindings.ml | 25 + ocaml/lib/Hacl_Spec_bindings.ml | 76 + ocaml/lib/Hacl_Streaming_Blake2_bindings.ml | 94 + ocaml/lib/Hacl_Streaming_MD5_bindings.ml | 29 + .../Hacl_Streaming_Poly1305_32_bindings.ml | 42 + ocaml/lib/Hacl_Streaming_SHA1_bindings.ml | 29 + ocaml/lib/Hacl_Streaming_SHA2_bindings.ml | 107 + ocaml/lib/Lib_RandomBuffer_System_bindings.ml | 8 + ocaml/lib_gen/EverCrypt_AEAD_gen.ml | 10 + ocaml/lib_gen/EverCrypt_AutoConfig2_gen.ml | 10 + ocaml/lib_gen/EverCrypt_CTR_gen.ml | 10 + .../lib_gen/EverCrypt_Chacha20Poly1305_gen.ml | 10 + ocaml/lib_gen/EverCrypt_Cipher_gen.ml | 10 + ocaml/lib_gen/EverCrypt_Curve25519_gen.ml | 10 + ocaml/lib_gen/EverCrypt_DRBG_gen.ml | 10 + ocaml/lib_gen/EverCrypt_Ed25519_gen.ml | 10 + ocaml/lib_gen/EverCrypt_Error_gen.ml | 10 + ocaml/lib_gen/EverCrypt_HKDF_gen.ml | 10 + ocaml/lib_gen/EverCrypt_HMAC_gen.ml | 10 + ocaml/lib_gen/EverCrypt_Hash_gen.ml | 10 + ocaml/lib_gen/EverCrypt_Poly1305_gen.ml | 10 + ocaml/lib_gen/EverCrypt_StaticConfig_gen.ml | 10 + ocaml/lib_gen/EverCrypt_Vale_gen.ml | 10 + ocaml/lib_gen/Hacl_Bignum25519_51_gen.ml | 10 + ocaml/lib_gen/Hacl_Bignum256_32_gen.ml | 10 + ocaml/lib_gen/Hacl_Bignum256_gen.ml | 10 + ocaml/lib_gen/Hacl_Bignum32_gen.ml | 10 + ocaml/lib_gen/Hacl_Bignum4096_32_gen.ml | 10 + ocaml/lib_gen/Hacl_Bignum4096_gen.ml | 10 + ocaml/lib_gen/Hacl_Bignum64_gen.ml | 10 + ocaml/lib_gen/Hacl_Bignum_Base_gen.ml | 10 + ocaml/lib_gen/Hacl_Bignum_gen.ml | 10 + .../lib_gen/Hacl_Chacha20Poly1305_128_gen.ml | 10 + .../lib_gen/Hacl_Chacha20Poly1305_256_gen.ml | 10 + ocaml/lib_gen/Hacl_Chacha20Poly1305_32_gen.ml | 10 + ocaml/lib_gen/Hacl_Chacha20_Vec128_gen.ml | 10 + ocaml/lib_gen/Hacl_Chacha20_Vec256_gen.ml | 10 + ocaml/lib_gen/Hacl_Chacha20_Vec32_gen.ml | 10 + ocaml/lib_gen/Hacl_Chacha20_gen.ml | 11 + ocaml/lib_gen/Hacl_Curve25519_51_gen.ml | 11 + 
ocaml/lib_gen/Hacl_Curve25519_64_Slow_gen.ml | 10 + ocaml/lib_gen/Hacl_Curve25519_64_gen.ml | 10 + ocaml/lib_gen/Hacl_EC_Ed25519_gen.ml | 10 + ocaml/lib_gen/Hacl_Ed25519_gen.ml | 11 + ocaml/lib_gen/Hacl_FFDHE_gen.ml | 10 + ocaml/lib_gen/Hacl_Frodo1344_gen.ml | 10 + ocaml/lib_gen/Hacl_Frodo640_gen.ml | 10 + ocaml/lib_gen/Hacl_Frodo64_gen.ml | 10 + ocaml/lib_gen/Hacl_Frodo976_gen.ml | 10 + ocaml/lib_gen/Hacl_Frodo_KEM_gen.ml | 11 + ocaml/lib_gen/Hacl_GenericField32_gen.ml | 10 + ocaml/lib_gen/Hacl_GenericField64_gen.ml | 10 + ocaml/lib_gen/Hacl_HKDF_Blake2b_256_gen.ml | 10 + ocaml/lib_gen/Hacl_HKDF_Blake2s_128_gen.ml | 10 + ocaml/lib_gen/Hacl_HKDF_gen.ml | 8 + ocaml/lib_gen/Hacl_HMAC_Blake2b_256_gen.ml | 10 + ocaml/lib_gen/Hacl_HMAC_Blake2s_128_gen.ml | 10 + ocaml/lib_gen/Hacl_HMAC_DRBG_gen.ml | 10 + ocaml/lib_gen/Hacl_HMAC_gen.ml | 9 + .../Hacl_HPKE_Curve51_CP128_SHA256_gen.ml | 10 + .../Hacl_HPKE_Curve51_CP128_SHA512_gen.ml | 10 + .../Hacl_HPKE_Curve51_CP256_SHA256_gen.ml | 10 + .../Hacl_HPKE_Curve51_CP256_SHA512_gen.ml | 10 + .../Hacl_HPKE_Curve51_CP32_SHA256_gen.ml | 10 + .../Hacl_HPKE_Curve51_CP32_SHA512_gen.ml | 10 + .../Hacl_HPKE_Curve64_CP128_SHA256_gen.ml | 10 + .../Hacl_HPKE_Curve64_CP128_SHA512_gen.ml | 10 + .../Hacl_HPKE_Curve64_CP256_SHA256_gen.ml | 10 + .../Hacl_HPKE_Curve64_CP256_SHA512_gen.ml | 10 + .../Hacl_HPKE_Curve64_CP32_SHA256_gen.ml | 10 + .../Hacl_HPKE_Curve64_CP32_SHA512_gen.ml | 10 + .../Hacl_HPKE_P256_CP128_SHA256_gen.ml | 10 + .../Hacl_HPKE_P256_CP256_SHA256_gen.ml | 10 + .../lib_gen/Hacl_HPKE_P256_CP32_SHA256_gen.ml | 10 + ocaml/lib_gen/Hacl_Hash_Base_gen.ml | 10 + ocaml/lib_gen/Hacl_Hash_Blake2_gen.ml | 11 + ocaml/lib_gen/Hacl_Hash_Blake2b_256_gen.ml | 11 + ocaml/lib_gen/Hacl_Hash_Blake2s_128_gen.ml | 11 + ocaml/lib_gen/Hacl_Hash_MD5_gen.ml | 11 + ocaml/lib_gen/Hacl_Hash_SHA1_gen.ml | 11 + ocaml/lib_gen/Hacl_Hash_SHA2_gen.ml | 11 + .../Hacl_IntTypes_Intrinsics_128_gen.ml | 10 + ocaml/lib_gen/Hacl_IntTypes_Intrinsics_gen.ml | 10 + 
ocaml/lib_gen/Hacl_NaCl_gen.ml | 8 + ocaml/lib_gen/Hacl_P256_gen.ml | 9 + ocaml/lib_gen/Hacl_Poly1305_128_gen.ml | 11 + ocaml/lib_gen/Hacl_Poly1305_256_gen.ml | 11 + ocaml/lib_gen/Hacl_Poly1305_32_gen.ml | 10 + ocaml/lib_gen/Hacl_RSAPSS_gen.ml | 10 + ocaml/lib_gen/Hacl_SHA2_Scalar32_gen.ml | 10 + ocaml/lib_gen/Hacl_SHA2_Vec128_gen.ml | 10 + ocaml/lib_gen/Hacl_SHA2_Vec256_gen.ml | 11 + ocaml/lib_gen/Hacl_SHA3_gen.ml | 8 + ocaml/lib_gen/Hacl_Salsa20_gen.ml | 10 + ocaml/lib_gen/Hacl_Spec_gen.ml | 9 + ocaml/lib_gen/Hacl_Streaming_Blake2_gen.ml | 10 + ocaml/lib_gen/Hacl_Streaming_MD5_gen.ml | 10 + .../lib_gen/Hacl_Streaming_Poly1305_32_gen.ml | 10 + ocaml/lib_gen/Hacl_Streaming_SHA1_gen.ml | 10 + ocaml/lib_gen/Hacl_Streaming_SHA2_gen.ml | 10 + ocaml/lib_gen/Lib_RandomBuffer_System_gen.ml | 9 + ocaml/setup.py | 112 + rust/.gitignore | 4 + rust/Cargo.toml | 39 + rust/README.md | 63 + rust/benches/aead.rs | 116 + rust/benches/benchmark.rs | 766 ++ rust/fuzz/.gitignore | 4 + rust/fuzz/Cargo.toml | 41 + rust/fuzz/fuzz_targets/aead.rs | 62 + rust/fuzz/fuzz_targets/ecdh.rs | 20 + rust/fuzz/fuzz_targets/ed25519.rs | 31 + rust/hacl-rust-sys/Cargo.toml | 22 + rust/hacl-rust-sys/README.md | 41 + rust/hacl-rust-sys/build.rs | 159 + rust/hacl-rust-sys/metadata.json | 6864 +++++++++++++ rust/hacl-rust-sys/src/bindings/bindings.rs | 972 ++ rust/hacl-rust-sys/src/hacl_bindings.rs | 21 + rust/hacl-rust-sys/src/lib.rs | 7 + rust/hacl-rust-sys/wrapper.h | 8 + rust/src/aead.rs | 555 ++ rust/src/digest.rs | 425 + rust/src/ecdh.rs | 122 + rust/src/ed25519.rs | 84 + rust/src/hkdf.rs | 68 + rust/src/hmac.rs | 76 + rust/src/lib.rs | 18 + rust/src/p256.rs | 312 + rust/src/prelude.rs | 44 + rust/src/rand_util.rs | 23 + rust/src/signature.rs | 132 + rust/src/util.rs | 10 + rust/src/x25519.rs | 69 + rust/tests/aead-book.rs | 68 + rust/tests/test_aead.rs | 213 + rust/tests/test_blake2.rs | 46 + rust/tests/test_ed25519.rs | 103 + rust/tests/test_hkdf.rs | 112 + rust/tests/test_hmac.rs | 89 + 
rust/tests/test_p256_ecdh.rs | 86 + rust/tests/test_p256_ecdsa.rs | 198 + rust/tests/test_sha.rs | 96 + rust/tests/test_signatures.rs | 17 + rust/tests/test_util.rs | 49 + rust/tests/test_x25519.rs | 130 + rust/tests/wycheproof/aes_gcm_test.json | 3570 +++++++ .../wycheproof/chacha20_poly1305_test.json | 3679 +++++++ .../ecdh_secp256r1_ecpoint_test.json | 1994 ++++ .../ecdsa_secp256r1_sha256_test.json | 4578 +++++++++ rust/tests/wycheproof/eddsa_test.json | 2262 +++++ rust/tests/wycheproof/hkdf_sha1_test.json | 1269 +++ rust/tests/wycheproof/hkdf_sha256_test.json | 1250 +++ rust/tests/wycheproof/hkdf_sha384_test.json | 1209 +++ rust/tests/wycheproof/hkdf_sha512_test.json | 1209 +++ rust/tests/wycheproof/hmac_sha1_test.json | 1586 +++ rust/tests/wycheproof/hmac_sha224_test.json | 1604 +++ rust/tests/wycheproof/hmac_sha256_test.json | 1622 +++ rust/tests/wycheproof/hmac_sha384_test.json | 1622 +++ rust/tests/wycheproof/hmac_sha3_224_test.json | 1604 +++ rust/tests/wycheproof/hmac_sha3_256_test.json | 1622 +++ rust/tests/wycheproof/hmac_sha3_384_test.json | 1622 +++ rust/tests/wycheproof/hmac_sha3_512_test.json | 1622 +++ rust/tests/wycheproof/hmac_sha512_test.json | 1622 +++ rust/tests/wycheproof/x25519_test.json | 5248 ++++++++++ src/EverCrypt_AEAD.c | 2134 ++++ src/EverCrypt_AutoConfig2.c | 314 + src/EverCrypt_CTR.c | 383 + src/EverCrypt_Chacha20Poly1305.c | 92 + src/EverCrypt_Cipher.c | 43 + src/EverCrypt_Curve25519.c | 70 + src/EverCrypt_DRBG.c | 2006 ++++ src/EverCrypt_Ed25519.c | 54 + src/EverCrypt_Error.c | 118 + src/EverCrypt_HKDF.c | 526 + src/EverCrypt_HMAC.c | 855 ++ src/EverCrypt_Hash.c | 2012 ++++ src/EverCrypt_Poly1305.c | 87 + src/Hacl_Bignum.c | 2594 +++++ src/Hacl_Bignum256.c | 1617 +++ src/Hacl_Bignum256_32.c | 1612 +++ src/Hacl_Bignum32.c | 853 ++ src/Hacl_Bignum4096.c | 1485 +++ src/Hacl_Bignum4096_32.c | 1480 +++ src/Hacl_Bignum64.c | 853 ++ src/Hacl_Chacha20.c | 237 + src/Hacl_Chacha20Poly1305_128.c | 1195 +++ src/Hacl_Chacha20Poly1305_256.c | 
1197 +++ src/Hacl_Chacha20Poly1305_32.c | 601 ++ src/Hacl_Chacha20_Vec128.c | 827 ++ src/Hacl_Chacha20_Vec256.c | 1215 +++ src/Hacl_Curve25519_51.c | 296 + src/Hacl_Curve25519_64.c | 388 + src/Hacl_Ed25519.c | 1857 ++++ src/Hacl_GenericField32.c | 591 ++ src/Hacl_GenericField64.c | 591 ++ src/Hacl_HKDF.c | 272 + src/Hacl_HMAC.c | 769 ++ src/Hacl_HMAC_DRBG.c | 1043 ++ src/Hacl_Hash_Base.c | 204 + src/Hacl_Hash_Blake2.c | 3056 ++++++ src/Hacl_Hash_Blake2b_256.c | 854 ++ src/Hacl_Hash_Blake2s_128.c | 830 ++ src/Hacl_Hash_MD5.c | 1209 +++ src/Hacl_Hash_SHA1.c | 243 + src/Hacl_Hash_SHA2.c | 915 ++ src/Hacl_Kremlib.c | 45 + src/Hacl_NaCl.c | 413 + src/Hacl_P256.c | 3118 ++++++ src/Hacl_Poly1305_128.c | 1632 +++ src/Hacl_Poly1305_256.c | 2103 ++++ src/Hacl_Poly1305_32.c | 575 ++ src/Hacl_RSAPSS.c | 814 ++ src/Hacl_SHA2_Vec128.c | 942 ++ src/Hacl_SHA2_Vec256.c | 2401 +++++ src/Hacl_SHA3.c | 304 + src/Hacl_Salsa20.c | 429 + src/Hacl_Spec.c | 53 + src/Hacl_Streaming_Blake2.c | 1179 +++ src/Hacl_Streaming_Blake2b_256.c | 582 ++ src/Hacl_Streaming_Blake2s_128.c | 582 ++ src/Hacl_Streaming_SHA1.c | 277 + src/Hacl_Streaming_SHA2.c | 1026 ++ src/Lib_Memzero0.c | 53 + src/Lib_RandomBuffer_System.c | 62 + src/c89/EverCrypt_AEAD.c | 2302 +++++ src/c89/EverCrypt_AutoConfig2.c | 330 + src/c89/EverCrypt_CTR.c | 405 + src/c89/EverCrypt_Chacha20Poly1305.c | 92 + src/c89/EverCrypt_Cipher.c | 43 + src/c89/EverCrypt_Curve25519.c | 70 + src/c89/EverCrypt_DRBG.c | 2597 +++++ src/c89/EverCrypt_Ed25519.c | 54 + src/c89/EverCrypt_Error.c | 118 + src/c89/EverCrypt_HKDF.c | 580 ++ src/c89/EverCrypt_HMAC.c | 1079 ++ src/c89/EverCrypt_Hash.c | 2192 +++++ src/c89/EverCrypt_Poly1305.c | 100 + src/c89/Hacl_Bignum.c | 3634 +++++++ src/c89/Hacl_Bignum256.c | 2117 ++++ src/c89/Hacl_Bignum256_32.c | 2103 ++++ src/c89/Hacl_Bignum32.c | 1050 ++ src/c89/Hacl_Bignum4096.c | 1904 ++++ src/c89/Hacl_Bignum4096_32.c | 1892 ++++ src/c89/Hacl_Bignum64.c | 1054 ++ src/c89/Hacl_Chacha20.c | 282 + 
src/c89/Hacl_Chacha20Poly1305_128.c | 1408 +++ src/c89/Hacl_Chacha20Poly1305_256.c | 1409 +++ src/c89/Hacl_Chacha20Poly1305_32.c | 811 ++ src/c89/Hacl_Chacha20_Vec128.c | 937 ++ src/c89/Hacl_Chacha20_Vec256.c | 1325 +++ src/c89/Hacl_Curve25519_51.c | 365 + src/c89/Hacl_Curve25519_64.c | 461 + src/c89/Hacl_Ed25519.c | 2048 ++++ src/c89/Hacl_GenericField32.c | 707 ++ src/c89/Hacl_GenericField64.c | 707 ++ src/c89/Hacl_HKDF.c | 308 + src/c89/Hacl_HMAC.c | 993 ++ src/c89/Hacl_HMAC_DRBG.c | 1337 +++ src/c89/Hacl_Hash_Base.c | 204 + src/c89/Hacl_Hash_Blake2.c | 5452 +++++++++++ src/c89/Hacl_Hash_Blake2b_256.c | 1376 +++ src/c89/Hacl_Hash_Blake2s_128.c | 1355 +++ src/c89/Hacl_Hash_MD5.c | 1732 ++++ src/c89/Hacl_Hash_SHA1.c | 276 + src/c89/Hacl_Hash_SHA2.c | 1019 ++ src/c89/Hacl_NaCl.c | 444 + src/c89/Hacl_P256.c | 3663 +++++++ src/c89/Hacl_Poly1305_128.c | 1951 ++++ src/c89/Hacl_Poly1305_256.c | 2472 +++++ src/c89/Hacl_Poly1305_32.c | 829 ++ src/c89/Hacl_RSAPSS.c | 1023 ++ src/c89/Hacl_SHA2_Vec128.c | 1368 +++ src/c89/Hacl_SHA2_Vec256.c | 3505 +++++++ src/c89/Hacl_SHA3.c | 346 + src/c89/Hacl_Salsa20.c | 557 ++ src/c89/Hacl_Spec.c | 53 + src/c89/Hacl_Streaming_Blake2.c | 1305 +++ src/c89/Hacl_Streaming_Blake2b_256.c | 667 ++ src/c89/Hacl_Streaming_Blake2s_128.c | 667 ++ src/c89/Hacl_Streaming_SHA1.c | 306 + src/c89/Hacl_Streaming_SHA2.c | 1142 +++ src/c89/Lib_Memzero0.c | 53 + src/c89/Lib_RandomBuffer_System.c | 62 + src/msvc/EverCrypt_AEAD.c | 2134 ++++ src/msvc/EverCrypt_AutoConfig2.c | 314 + src/msvc/EverCrypt_CTR.c | 383 + src/msvc/EverCrypt_Chacha20Poly1305.c | 92 + src/msvc/EverCrypt_Cipher.c | 43 + src/msvc/EverCrypt_Curve25519.c | 70 + src/msvc/EverCrypt_DRBG.c | 2018 ++++ src/msvc/EverCrypt_Ed25519.c | 54 + src/msvc/EverCrypt_Error.c | 118 + src/msvc/EverCrypt_HKDF.c | 526 + src/msvc/EverCrypt_HMAC.c | 855 ++ src/msvc/EverCrypt_Hash.c | 2012 ++++ src/msvc/EverCrypt_Poly1305.c | 87 + src/msvc/Hacl_Bignum.c | 2594 +++++ src/msvc/Hacl_Bignum256.c | 1617 +++ 
src/msvc/Hacl_Bignum256_32.c | 1612 +++ src/msvc/Hacl_Bignum32.c | 853 ++ src/msvc/Hacl_Bignum4096.c | 1485 +++ src/msvc/Hacl_Bignum4096_32.c | 1480 +++ src/msvc/Hacl_Bignum64.c | 853 ++ src/msvc/Hacl_Chacha20.c | 237 + src/msvc/Hacl_Chacha20Poly1305_128.c | 1195 +++ src/msvc/Hacl_Chacha20Poly1305_256.c | 1197 +++ src/msvc/Hacl_Chacha20Poly1305_32.c | 601 ++ src/msvc/Hacl_Chacha20_Vec128.c | 827 ++ src/msvc/Hacl_Chacha20_Vec256.c | 1215 +++ src/msvc/Hacl_Curve25519_51.c | 296 + src/msvc/Hacl_Curve25519_64.c | 388 + src/msvc/Hacl_Ed25519.c | 1857 ++++ src/msvc/Hacl_GenericField32.c | 591 ++ src/msvc/Hacl_GenericField64.c | 591 ++ src/msvc/Hacl_HKDF.c | 272 + src/msvc/Hacl_HMAC.c | 769 ++ src/msvc/Hacl_HMAC_DRBG.c | 1055 ++ src/msvc/Hacl_Hash_Base.c | 204 + src/msvc/Hacl_Hash_Blake2.c | 3056 ++++++ src/msvc/Hacl_Hash_Blake2b_256.c | 858 ++ src/msvc/Hacl_Hash_Blake2s_128.c | 834 ++ src/msvc/Hacl_Hash_MD5.c | 1209 +++ src/msvc/Hacl_Hash_SHA1.c | 243 + src/msvc/Hacl_Hash_SHA2.c | 915 ++ src/msvc/Hacl_Kremlib.c | 45 + src/msvc/Hacl_NaCl.c | 413 + src/msvc/Hacl_P256.c | 3118 ++++++ src/msvc/Hacl_Poly1305_128.c | 1632 +++ src/msvc/Hacl_Poly1305_256.c | 2103 ++++ src/msvc/Hacl_Poly1305_32.c | 575 ++ src/msvc/Hacl_RSAPSS.c | 818 ++ src/msvc/Hacl_SHA2_Vec128.c | 942 ++ src/msvc/Hacl_SHA2_Vec256.c | 2401 +++++ src/msvc/Hacl_SHA3.c | 304 + src/msvc/Hacl_Salsa20.c | 429 + src/msvc/Hacl_Spec.c | 53 + src/msvc/Hacl_Streaming_Blake2.c | 1179 +++ src/msvc/Hacl_Streaming_Blake2b_256.c | 584 ++ src/msvc/Hacl_Streaming_Blake2s_128.c | 584 ++ src/msvc/Hacl_Streaming_SHA1.c | 277 + src/msvc/Hacl_Streaming_SHA2.c | 1026 ++ src/msvc/Lib_Memzero0.c | 53 + src/msvc/Lib_RandomBuffer_System.c | 62 + tests/blake2_vectors.h | 251 + tests/blake2b.cc | 92 + tests/blake2s.cc | 65 + tests/chacha20poly1305.cc | 310 + .../chacha20_poly1305_test.json | 3679 +++++++ tests/chacha20poly1305_vectors.h | 62 + tests/curve25519_vectors.h | 35 + tests/ed25519.cc | 103 + tests/ed25519/eddsa_test.json | 2262 
+++++ tests/p256_ecdh.cc | 119 + .../ecdh_secp256r1_ecpoint_test.json | 1994 ++++ tests/p256_ecdsa.cc | 245 + .../ecdsa_secp256r1_sha256_test.json | 4578 +++++++++ tests/util.h | 56 + tests/x25519.cc | 127 + tests/x25519/x25519_test.json | 5248 ++++++++++ tools/configure.py | 255 + tools/macos.py | 23 + tools/ocaml.py | 68 + tools/test.py | 83 + tools/utils.py | 108 + tools/vcbuild.cmd | 7 + update.py | 194 + vale/include/EverCrypt_Vale.h | 93 + vale/include/Vale.h | 217 + vale/src/EverCrypt_Vale.c | 66 + vale/src/Vale.c | 28 + vale/src/aes-i686.asm | 342 + vale/src/aes-x86_64-darwin.S | 279 + vale/src/aes-x86_64-linux.S | 279 + vale/src/aes-x86_64-mingw.S | 276 + vale/src/aes-x86_64-msvc.asm | 276 + vale/src/aesgcm-x86_64-darwin.S | 8101 +++++++++++++++ vale/src/aesgcm-x86_64-linux.S | 8101 +++++++++++++++ vale/src/aesgcm-x86_64-mingw.S | 8705 +++++++++++++++++ vale/src/aesgcm-x86_64-msvc.asm | 8705 +++++++++++++++++ vale/src/cpuid-x86_64-darwin.S | 166 + vale/src/cpuid-x86_64-linux.S | 166 + vale/src/cpuid-x86_64-mingw.S | 166 + vale/src/cpuid-x86_64-msvc.asm | 166 + vale/src/curve25519-inline.h | 751 ++ vale/src/curve25519-x86_64-darwin.S | 986 ++ vale/src/curve25519-x86_64-linux.S | 986 ++ vale/src/curve25519-x86_64-mingw.S | 1041 ++ vale/src/curve25519-x86_64-msvc.asm | 1041 ++ vale/src/evercrypt_vale_stubs.c | 66 + vale/src/poly1305-x86_64-darwin.S | 203 + vale/src/poly1305-x86_64-linux.S | 203 + vale/src/poly1305-x86_64-mingw.S | 207 + vale/src/poly1305-x86_64-msvc.asm | 207 + vale/src/sha256-x86_64-darwin.S | 257 + vale/src/sha256-x86_64-linux.S | 257 + vale/src/sha256-x86_64-mingw.S | 341 + vale/src/sha256-x86_64-msvc.asm | 341 + 988 files changed, 361431 insertions(+), 208 deletions(-) create mode 100755 .ci/kitware-archive.sh create mode 100644 .clang-format create mode 100644 .drone.yml create mode 100644 .github/workflows/build.yml create mode 100644 .github/workflows/gh-pages.yml create mode 100644 .github/workflows/ocaml.yml create mode 100644 
.github/workflows/rust.yml create mode 100644 .vscode/settings.json create mode 100644 CMakeLists.txt create mode 100644 LICENSE-APACHE create mode 100644 Makefile create mode 100755 _build.sh create mode 100644 config/Config.h.in create mode 100644 config/aarch64-android.cmake create mode 100644 config/aarch64-darwin.cmake create mode 100644 config/aarch64-ios.cmake create mode 100644 config/bug81300.c create mode 100644 config/config.json create mode 100644 config/constants.cmake create mode 100644 config/default_config.cmake create mode 100644 config/explicit_bzero.c create mode 100644 config/int128.c create mode 100644 config/options.cmake create mode 100755 config/osx_c.sh create mode 100644 config/s390x.cmake create mode 100644 config/toolchain.cmake create mode 100644 config/vec128.c create mode 100644 config/vec256.c create mode 100644 config/x64-darwin.cmake create mode 100644 cpu-features.md create mode 100644 cpu-features/include/hacl-cpu-features.h create mode 100644 cpu-features/include/internal_state.h create mode 100644 cpu-features/src/cpu-features.c create mode 100644 cpu-features/src/main.c create mode 100644 docker/Dockerfile create mode 100755 docker/build.sh create mode 100644 docker/everest/Dockerfile create mode 100644 docker/generate/Dockerfile create mode 100644 docker/generate/generate.sh create mode 100644 docs/.gitignore create mode 100644 docs/book.toml create mode 100644 docs/src/SUMMARY.md create mode 100644 docs/src/algorithms.md create mode 100644 docs/src/developers/build-process.md create mode 100644 docs/src/developers/ci.md create mode 100644 docs/src/developers/ocaml-build.md create mode 100644 docs/src/developers/readme.md create mode 100644 docs/src/developers/repo-overview.md create mode 100644 docs/src/developers/rust-build.md create mode 100644 docs/src/hacl-c/readme.md create mode 100644 docs/src/hacl-js/readme.md create mode 100644 docs/src/hacl-ocaml/readme.md create mode 100644 docs/src/hacl-rust/aead.md create mode 
100644 docs/src/hacl-rust/readme.md create mode 100644 docs/src/installation.md create mode 100644 docs/src/mach/build.md create mode 100644 docs/src/mach/readme.md create mode 100644 docs/src/mach/test.md create mode 100644 docs/src/platforms.md create mode 100644 docs/src/readme.md create mode 100644 include/EverCrypt_AEAD.h create mode 100644 include/EverCrypt_AutoConfig2.h create mode 100644 include/EverCrypt_CTR.h create mode 100644 include/EverCrypt_Chacha20Poly1305.h create mode 100644 include/EverCrypt_Cipher.h create mode 100644 include/EverCrypt_Curve25519.h create mode 100644 include/EverCrypt_DRBG.h create mode 100644 include/EverCrypt_Ed25519.h create mode 100644 include/EverCrypt_Error.h create mode 100644 include/EverCrypt_HKDF.h create mode 100644 include/EverCrypt_HMAC.h create mode 100644 include/EverCrypt_Hacl.h create mode 100644 include/EverCrypt_Hash.h create mode 100644 include/EverCrypt_Helpers.h create mode 100644 include/EverCrypt_Poly1305.h create mode 100644 include/EverCrypt_StaticConfig.h create mode 100644 include/Hacl_AES128.h create mode 100644 include/Hacl_Bignum25519_51.h create mode 100644 include/Hacl_Bignum256.h create mode 100644 include/Hacl_Bignum256_32.h create mode 100644 include/Hacl_Bignum32.h create mode 100644 include/Hacl_Bignum4096.h create mode 100644 include/Hacl_Bignum4096_32.h create mode 100644 include/Hacl_Bignum64.h create mode 100644 include/Hacl_Bignum_Base.h create mode 100644 include/Hacl_Chacha20.h create mode 100644 include/Hacl_Chacha20Poly1305_128.h create mode 100644 include/Hacl_Chacha20Poly1305_256.h create mode 100644 include/Hacl_Chacha20Poly1305_32.h create mode 100644 include/Hacl_Chacha20_Vec128.h create mode 100644 include/Hacl_Chacha20_Vec256.h create mode 100644 include/Hacl_Chacha20_Vec32.h create mode 100644 include/Hacl_Curve25519_51.h create mode 100644 include/Hacl_Curve25519_64.h create mode 100644 include/Hacl_Curve25519_64_Slow.h create mode 100644 include/Hacl_EC_Ed25519.h create 
mode 100644 include/Hacl_Ed25519.h create mode 100644 include/Hacl_FFDHE.h create mode 100644 include/Hacl_Frodo1344.h create mode 100644 include/Hacl_Frodo64.h create mode 100644 include/Hacl_Frodo640.h create mode 100644 include/Hacl_Frodo976.h create mode 100644 include/Hacl_Frodo_KEM.h create mode 100644 include/Hacl_GenericField32.h create mode 100644 include/Hacl_GenericField64.h create mode 100644 include/Hacl_HKDF.h create mode 100644 include/Hacl_HKDF_Blake2b_256.h create mode 100644 include/Hacl_HKDF_Blake2s_128.h create mode 100644 include/Hacl_HMAC.h create mode 100644 include/Hacl_HMAC_Blake2b_256.h create mode 100644 include/Hacl_HMAC_Blake2s_128.h create mode 100644 include/Hacl_HMAC_DRBG.h create mode 100644 include/Hacl_HPKE_Curve51_CP128_SHA256.h create mode 100644 include/Hacl_HPKE_Curve51_CP128_SHA512.h create mode 100644 include/Hacl_HPKE_Curve51_CP256_SHA256.h create mode 100644 include/Hacl_HPKE_Curve51_CP256_SHA512.h create mode 100644 include/Hacl_HPKE_Curve51_CP32_SHA256.h create mode 100644 include/Hacl_HPKE_Curve51_CP32_SHA512.h create mode 100644 include/Hacl_HPKE_Curve64_CP128_SHA256.h create mode 100644 include/Hacl_HPKE_Curve64_CP128_SHA512.h create mode 100644 include/Hacl_HPKE_Curve64_CP256_SHA256.h create mode 100644 include/Hacl_HPKE_Curve64_CP256_SHA512.h create mode 100644 include/Hacl_HPKE_Curve64_CP32_SHA256.h create mode 100644 include/Hacl_HPKE_Curve64_CP32_SHA512.h create mode 100644 include/Hacl_HPKE_P256_CP128_SHA256.h create mode 100644 include/Hacl_HPKE_P256_CP256_SHA256.h create mode 100644 include/Hacl_HPKE_P256_CP32_SHA256.h create mode 100644 include/Hacl_Hash_Base.h create mode 100644 include/Hacl_Hash_Blake2.h create mode 100644 include/Hacl_Hash_Blake2b_256.h create mode 100644 include/Hacl_Hash_Blake2s_128.h create mode 100644 include/Hacl_Hash_MD5.h create mode 100644 include/Hacl_Hash_SHA1.h create mode 100644 include/Hacl_Hash_SHA2.h create mode 100644 include/Hacl_Impl_Blake2_Constants.h create mode 100644 
include/Hacl_Impl_FFDHE_Constants.h create mode 100644 include/Hacl_IntTypes_Intrinsics.h create mode 100644 include/Hacl_IntTypes_Intrinsics_128.h create mode 100644 include/Hacl_Kremlib.h create mode 100644 include/Hacl_NaCl.h create mode 100644 include/Hacl_P256.h create mode 100644 include/Hacl_Poly1305_128.h create mode 100644 include/Hacl_Poly1305_256.h create mode 100644 include/Hacl_Poly1305_32.h create mode 100644 include/Hacl_RSAPSS.h create mode 100644 include/Hacl_SHA2_Generic.h create mode 100644 include/Hacl_SHA2_Scalar32.h create mode 100644 include/Hacl_SHA2_Vec128.h create mode 100644 include/Hacl_SHA2_Vec256.h create mode 100644 include/Hacl_SHA3.h create mode 100644 include/Hacl_Salsa20.h create mode 100644 include/Hacl_Spec.h create mode 100644 include/Hacl_Streaming_Blake2.h create mode 100644 include/Hacl_Streaming_Blake2b_256.h create mode 100644 include/Hacl_Streaming_Blake2s_128.h create mode 100644 include/Hacl_Streaming_MD5.h create mode 100644 include/Hacl_Streaming_Poly1305_128.h create mode 100644 include/Hacl_Streaming_Poly1305_256.h create mode 100644 include/Hacl_Streaming_Poly1305_32.h create mode 100644 include/Hacl_Streaming_SHA1.h create mode 100644 include/Hacl_Streaming_SHA2.h create mode 100644 include/Lib_Memzero0.h create mode 100644 include/Lib_PrintBuffer.h create mode 100644 include/Lib_RandomBuffer_System.h create mode 100644 include/MerkleTree.h create mode 100644 include/TestLib.h create mode 100644 include/c89/EverCrypt_AEAD.h create mode 100644 include/c89/EverCrypt_AutoConfig2.h create mode 100644 include/c89/EverCrypt_CTR.h create mode 100644 include/c89/EverCrypt_Chacha20Poly1305.h create mode 100644 include/c89/EverCrypt_Cipher.h create mode 100644 include/c89/EverCrypt_Curve25519.h create mode 100644 include/c89/EverCrypt_DRBG.h create mode 100644 include/c89/EverCrypt_Ed25519.h create mode 100644 include/c89/EverCrypt_Error.h create mode 100644 include/c89/EverCrypt_HKDF.h create mode 100644 
include/c89/EverCrypt_HMAC.h create mode 100644 include/c89/EverCrypt_Hacl.h create mode 100644 include/c89/EverCrypt_Hash.h create mode 100644 include/c89/EverCrypt_Helpers.h create mode 100644 include/c89/EverCrypt_Poly1305.h create mode 100644 include/c89/EverCrypt_StaticConfig.h create mode 100644 include/c89/Hacl_AES128.h create mode 100644 include/c89/Hacl_Bignum25519_51.h create mode 100644 include/c89/Hacl_Bignum256.h create mode 100644 include/c89/Hacl_Bignum256_32.h create mode 100644 include/c89/Hacl_Bignum32.h create mode 100644 include/c89/Hacl_Bignum4096.h create mode 100644 include/c89/Hacl_Bignum4096_32.h create mode 100644 include/c89/Hacl_Bignum64.h create mode 100644 include/c89/Hacl_Bignum_Base.h create mode 100644 include/c89/Hacl_Chacha20.h create mode 100644 include/c89/Hacl_Chacha20Poly1305_128.h create mode 100644 include/c89/Hacl_Chacha20Poly1305_256.h create mode 100644 include/c89/Hacl_Chacha20Poly1305_32.h create mode 100644 include/c89/Hacl_Chacha20_Vec128.h create mode 100644 include/c89/Hacl_Chacha20_Vec256.h create mode 100644 include/c89/Hacl_Chacha20_Vec32.h create mode 100644 include/c89/Hacl_Curve25519_51.h create mode 100644 include/c89/Hacl_Curve25519_64.h create mode 100644 include/c89/Hacl_Curve25519_64_Slow.h create mode 100644 include/c89/Hacl_EC_Ed25519.h create mode 100644 include/c89/Hacl_Ed25519.h create mode 100644 include/c89/Hacl_FFDHE.h create mode 100644 include/c89/Hacl_Frodo1344.h create mode 100644 include/c89/Hacl_Frodo64.h create mode 100644 include/c89/Hacl_Frodo640.h create mode 100644 include/c89/Hacl_Frodo976.h create mode 100644 include/c89/Hacl_Frodo_KEM.h create mode 100644 include/c89/Hacl_GenericField32.h create mode 100644 include/c89/Hacl_GenericField64.h create mode 100644 include/c89/Hacl_HKDF.h create mode 100644 include/c89/Hacl_HKDF_Blake2b_256.h create mode 100644 include/c89/Hacl_HKDF_Blake2s_128.h create mode 100644 include/c89/Hacl_HMAC.h create mode 100644 
include/c89/Hacl_HMAC_Blake2b_256.h create mode 100644 include/c89/Hacl_HMAC_Blake2s_128.h create mode 100644 include/c89/Hacl_HMAC_DRBG.h create mode 100644 include/c89/Hacl_HPKE_Curve51_CP128_SHA256.h create mode 100644 include/c89/Hacl_HPKE_Curve51_CP128_SHA512.h create mode 100644 include/c89/Hacl_HPKE_Curve51_CP256_SHA256.h create mode 100644 include/c89/Hacl_HPKE_Curve51_CP256_SHA512.h create mode 100644 include/c89/Hacl_HPKE_Curve51_CP32_SHA256.h create mode 100644 include/c89/Hacl_HPKE_Curve51_CP32_SHA512.h create mode 100644 include/c89/Hacl_HPKE_Curve64_CP128_SHA256.h create mode 100644 include/c89/Hacl_HPKE_Curve64_CP128_SHA512.h create mode 100644 include/c89/Hacl_HPKE_Curve64_CP256_SHA256.h create mode 100644 include/c89/Hacl_HPKE_Curve64_CP256_SHA512.h create mode 100644 include/c89/Hacl_HPKE_Curve64_CP32_SHA256.h create mode 100644 include/c89/Hacl_HPKE_Curve64_CP32_SHA512.h create mode 100644 include/c89/Hacl_HPKE_P256_CP128_SHA256.h create mode 100644 include/c89/Hacl_HPKE_P256_CP256_SHA256.h create mode 100644 include/c89/Hacl_HPKE_P256_CP32_SHA256.h create mode 100644 include/c89/Hacl_Hash_Base.h create mode 100644 include/c89/Hacl_Hash_Blake2.h create mode 100644 include/c89/Hacl_Hash_Blake2b_256.h create mode 100644 include/c89/Hacl_Hash_Blake2s_128.h create mode 100644 include/c89/Hacl_Hash_MD5.h create mode 100644 include/c89/Hacl_Hash_SHA1.h create mode 100644 include/c89/Hacl_Hash_SHA2.h create mode 100644 include/c89/Hacl_Impl_Blake2_Constants.h create mode 100644 include/c89/Hacl_Impl_FFDHE_Constants.h create mode 100644 include/c89/Hacl_IntTypes_Intrinsics.h create mode 100644 include/c89/Hacl_IntTypes_Intrinsics_128.h create mode 100644 include/c89/Hacl_Kremlib.h create mode 100644 include/c89/Hacl_NaCl.h create mode 100644 include/c89/Hacl_P256.h create mode 100644 include/c89/Hacl_Poly1305_128.h create mode 100644 include/c89/Hacl_Poly1305_256.h create mode 100644 include/c89/Hacl_Poly1305_32.h create mode 100644 
include/c89/Hacl_RSAPSS.h create mode 100644 include/c89/Hacl_SHA2_Generic.h create mode 100644 include/c89/Hacl_SHA2_Scalar32.h create mode 100644 include/c89/Hacl_SHA2_Vec128.h create mode 100644 include/c89/Hacl_SHA2_Vec256.h create mode 100644 include/c89/Hacl_SHA3.h create mode 100644 include/c89/Hacl_Salsa20.h create mode 100644 include/c89/Hacl_Spec.h create mode 100644 include/c89/Hacl_Streaming_Blake2.h create mode 100644 include/c89/Hacl_Streaming_Blake2b_256.h create mode 100644 include/c89/Hacl_Streaming_Blake2s_128.h create mode 100644 include/c89/Hacl_Streaming_MD5.h create mode 100644 include/c89/Hacl_Streaming_Poly1305_128.h create mode 100644 include/c89/Hacl_Streaming_Poly1305_256.h create mode 100644 include/c89/Hacl_Streaming_Poly1305_32.h create mode 100644 include/c89/Hacl_Streaming_SHA1.h create mode 100644 include/c89/Hacl_Streaming_SHA2.h create mode 100644 include/c89/Lib_Memzero0.h create mode 100644 include/c89/Lib_PrintBuffer.h create mode 100644 include/c89/Lib_RandomBuffer_System.h create mode 100644 include/c89/TestLib.h create mode 100644 include/c89/curve25519-inline.h create mode 100644 include/c89/evercrypt_targetconfig.h create mode 100644 include/c89/internal/Hacl_Bignum.h create mode 100644 include/c89/internal/Hacl_Chacha20.h create mode 100644 include/c89/internal/Hacl_Curve25519_51.h create mode 100644 include/c89/internal/Hacl_Ed25519.h create mode 100644 include/c89/internal/Hacl_Frodo_KEM.h create mode 100644 include/c89/internal/Hacl_HMAC.h create mode 100644 include/c89/internal/Hacl_Hash_Blake2.h create mode 100644 include/c89/internal/Hacl_Hash_Blake2b_256.h create mode 100644 include/c89/internal/Hacl_Hash_Blake2s_128.h create mode 100644 include/c89/internal/Hacl_Hash_MD5.h create mode 100644 include/c89/internal/Hacl_Hash_SHA1.h create mode 100644 include/c89/internal/Hacl_Hash_SHA2.h create mode 100644 include/c89/internal/Hacl_P256.h create mode 100644 include/c89/internal/Hacl_Poly1305_128.h create mode 100644 
include/c89/internal/Hacl_Poly1305_256.h create mode 100644 include/c89/internal/Hacl_SHA2_Vec256.h create mode 100644 include/c89/internal/Hacl_Spec.h create mode 100644 include/c89/internal/Vale.h create mode 100644 include/c89/lib_intrinsics.h create mode 100644 include/c89/libintvector.h create mode 100644 include/curve25519-inline.h create mode 100644 include/evercrypt_targetconfig.h create mode 100644 include/internal/Hacl_Bignum.h create mode 100644 include/internal/Hacl_Chacha20.h create mode 100644 include/internal/Hacl_Curve25519_51.h create mode 100644 include/internal/Hacl_Ed25519.h create mode 100644 include/internal/Hacl_Frodo_KEM.h create mode 100644 include/internal/Hacl_HMAC.h create mode 100644 include/internal/Hacl_Hash_Blake2.h create mode 100644 include/internal/Hacl_Hash_Blake2b_256.h create mode 100644 include/internal/Hacl_Hash_Blake2s_128.h create mode 100644 include/internal/Hacl_Hash_MD5.h create mode 100644 include/internal/Hacl_Hash_SHA1.h create mode 100644 include/internal/Hacl_Hash_SHA2.h create mode 100644 include/internal/Hacl_Kremlib.h create mode 100644 include/internal/Hacl_P256.h create mode 100644 include/internal/Hacl_Poly1305_128.h create mode 100644 include/internal/Hacl_Poly1305_256.h create mode 100644 include/internal/Hacl_SHA2_Vec128.h create mode 100644 include/internal/Hacl_SHA2_Vec256.h create mode 100644 include/internal/Hacl_Spec.h create mode 100644 include/internal/Vale.h create mode 100644 include/lib_intrinsics.h create mode 100644 include/libintvector.h create mode 100644 include/msvc/EverCrypt_AEAD.h create mode 100644 include/msvc/EverCrypt_AutoConfig2.h create mode 100644 include/msvc/EverCrypt_CTR.h create mode 100644 include/msvc/EverCrypt_Chacha20Poly1305.h create mode 100644 include/msvc/EverCrypt_Cipher.h create mode 100644 include/msvc/EverCrypt_Curve25519.h create mode 100644 include/msvc/EverCrypt_DRBG.h create mode 100644 include/msvc/EverCrypt_Ed25519.h create mode 100644 
include/msvc/EverCrypt_Error.h create mode 100644 include/msvc/EverCrypt_HKDF.h create mode 100644 include/msvc/EverCrypt_HMAC.h create mode 100644 include/msvc/EverCrypt_Hacl.h create mode 100644 include/msvc/EverCrypt_Hash.h create mode 100644 include/msvc/EverCrypt_Helpers.h create mode 100644 include/msvc/EverCrypt_Poly1305.h create mode 100644 include/msvc/EverCrypt_StaticConfig.h create mode 100644 include/msvc/Hacl_AES128.h create mode 100644 include/msvc/Hacl_Bignum25519_51.h create mode 100644 include/msvc/Hacl_Bignum256.h create mode 100644 include/msvc/Hacl_Bignum256_32.h create mode 100644 include/msvc/Hacl_Bignum32.h create mode 100644 include/msvc/Hacl_Bignum4096.h create mode 100644 include/msvc/Hacl_Bignum4096_32.h create mode 100644 include/msvc/Hacl_Bignum64.h create mode 100644 include/msvc/Hacl_Bignum_Base.h create mode 100644 include/msvc/Hacl_Chacha20.h create mode 100644 include/msvc/Hacl_Chacha20Poly1305_128.h create mode 100644 include/msvc/Hacl_Chacha20Poly1305_256.h create mode 100644 include/msvc/Hacl_Chacha20Poly1305_32.h create mode 100644 include/msvc/Hacl_Chacha20_Vec128.h create mode 100644 include/msvc/Hacl_Chacha20_Vec256.h create mode 100644 include/msvc/Hacl_Chacha20_Vec32.h create mode 100644 include/msvc/Hacl_Curve25519_51.h create mode 100644 include/msvc/Hacl_Curve25519_64.h create mode 100644 include/msvc/Hacl_Curve25519_64_Slow.h create mode 100644 include/msvc/Hacl_EC_Ed25519.h create mode 100644 include/msvc/Hacl_Ed25519.h create mode 100644 include/msvc/Hacl_FFDHE.h create mode 100644 include/msvc/Hacl_Frodo1344.h create mode 100644 include/msvc/Hacl_Frodo64.h create mode 100644 include/msvc/Hacl_Frodo640.h create mode 100644 include/msvc/Hacl_Frodo976.h create mode 100644 include/msvc/Hacl_Frodo_KEM.h create mode 100644 include/msvc/Hacl_GenericField32.h create mode 100644 include/msvc/Hacl_GenericField64.h create mode 100644 include/msvc/Hacl_HKDF.h create mode 100644 include/msvc/Hacl_HKDF_Blake2b_256.h create mode 
100644 include/msvc/Hacl_HKDF_Blake2s_128.h create mode 100644 include/msvc/Hacl_HMAC.h create mode 100644 include/msvc/Hacl_HMAC_Blake2b_256.h create mode 100644 include/msvc/Hacl_HMAC_Blake2s_128.h create mode 100644 include/msvc/Hacl_HMAC_DRBG.h create mode 100644 include/msvc/Hacl_HPKE_Curve51_CP128_SHA256.h create mode 100644 include/msvc/Hacl_HPKE_Curve51_CP128_SHA512.h create mode 100644 include/msvc/Hacl_HPKE_Curve51_CP256_SHA256.h create mode 100644 include/msvc/Hacl_HPKE_Curve51_CP256_SHA512.h create mode 100644 include/msvc/Hacl_HPKE_Curve51_CP32_SHA256.h create mode 100644 include/msvc/Hacl_HPKE_Curve51_CP32_SHA512.h create mode 100644 include/msvc/Hacl_HPKE_Curve64_CP128_SHA256.h create mode 100644 include/msvc/Hacl_HPKE_Curve64_CP128_SHA512.h create mode 100644 include/msvc/Hacl_HPKE_Curve64_CP256_SHA256.h create mode 100644 include/msvc/Hacl_HPKE_Curve64_CP256_SHA512.h create mode 100644 include/msvc/Hacl_HPKE_Curve64_CP32_SHA256.h create mode 100644 include/msvc/Hacl_HPKE_Curve64_CP32_SHA512.h create mode 100644 include/msvc/Hacl_HPKE_P256_CP128_SHA256.h create mode 100644 include/msvc/Hacl_HPKE_P256_CP256_SHA256.h create mode 100644 include/msvc/Hacl_HPKE_P256_CP32_SHA256.h create mode 100644 include/msvc/Hacl_Hash_Base.h create mode 100644 include/msvc/Hacl_Hash_Blake2.h create mode 100644 include/msvc/Hacl_Hash_Blake2b_256.h create mode 100644 include/msvc/Hacl_Hash_Blake2s_128.h create mode 100644 include/msvc/Hacl_Hash_MD5.h create mode 100644 include/msvc/Hacl_Hash_SHA1.h create mode 100644 include/msvc/Hacl_Hash_SHA2.h create mode 100644 include/msvc/Hacl_Impl_Blake2_Constants.h create mode 100644 include/msvc/Hacl_Impl_FFDHE_Constants.h create mode 100644 include/msvc/Hacl_IntTypes_Intrinsics.h create mode 100644 include/msvc/Hacl_IntTypes_Intrinsics_128.h create mode 100644 include/msvc/Hacl_Kremlib.h create mode 100644 include/msvc/Hacl_NaCl.h create mode 100644 include/msvc/Hacl_P256.h create mode 100644 include/msvc/Hacl_Poly1305_128.h 
create mode 100644 include/msvc/Hacl_Poly1305_256.h create mode 100644 include/msvc/Hacl_Poly1305_32.h create mode 100644 include/msvc/Hacl_RSAPSS.h create mode 100644 include/msvc/Hacl_SHA2_Generic.h create mode 100644 include/msvc/Hacl_SHA2_Scalar32.h create mode 100644 include/msvc/Hacl_SHA2_Vec128.h create mode 100644 include/msvc/Hacl_SHA2_Vec256.h create mode 100644 include/msvc/Hacl_SHA3.h create mode 100644 include/msvc/Hacl_Salsa20.h create mode 100644 include/msvc/Hacl_Spec.h create mode 100644 include/msvc/Hacl_Streaming_Blake2.h create mode 100644 include/msvc/Hacl_Streaming_Blake2b_256.h create mode 100644 include/msvc/Hacl_Streaming_Blake2s_128.h create mode 100644 include/msvc/Hacl_Streaming_MD5.h create mode 100644 include/msvc/Hacl_Streaming_Poly1305_128.h create mode 100644 include/msvc/Hacl_Streaming_Poly1305_256.h create mode 100644 include/msvc/Hacl_Streaming_Poly1305_32.h create mode 100644 include/msvc/Hacl_Streaming_SHA1.h create mode 100644 include/msvc/Hacl_Streaming_SHA2.h create mode 100644 include/msvc/Lib_Memzero0.h create mode 100644 include/msvc/Lib_PrintBuffer.h create mode 100644 include/msvc/Lib_RandomBuffer_System.h create mode 100644 include/msvc/MerkleTree.h create mode 100644 include/msvc/TestLib.h create mode 100644 include/msvc/curve25519-inline.h create mode 100644 include/msvc/evercrypt_targetconfig.h create mode 100644 include/msvc/internal/Hacl_Bignum.h create mode 100644 include/msvc/internal/Hacl_Chacha20.h create mode 100644 include/msvc/internal/Hacl_Curve25519_51.h create mode 100644 include/msvc/internal/Hacl_Ed25519.h create mode 100644 include/msvc/internal/Hacl_Frodo_KEM.h create mode 100644 include/msvc/internal/Hacl_HMAC.h create mode 100644 include/msvc/internal/Hacl_Hash_Blake2.h create mode 100644 include/msvc/internal/Hacl_Hash_Blake2b_256.h create mode 100644 include/msvc/internal/Hacl_Hash_Blake2s_128.h create mode 100644 include/msvc/internal/Hacl_Hash_MD5.h create mode 100644 
include/msvc/internal/Hacl_Hash_SHA1.h create mode 100644 include/msvc/internal/Hacl_Hash_SHA2.h create mode 100644 include/msvc/internal/Hacl_Kremlib.h create mode 100644 include/msvc/internal/Hacl_P256.h create mode 100644 include/msvc/internal/Hacl_Poly1305_128.h create mode 100644 include/msvc/internal/Hacl_Poly1305_256.h create mode 100644 include/msvc/internal/Hacl_SHA2_Vec128.h create mode 100644 include/msvc/internal/Hacl_SHA2_Vec256.h create mode 100644 include/msvc/internal/Hacl_Spec.h create mode 100644 include/msvc/internal/Vale.h create mode 100644 include/msvc/lib_intrinsics.h create mode 100644 include/msvc/libintvector.h create mode 100644 kremlin/include/kremlib.h create mode 100644 kremlin/include/kremlin/c_endianness.h create mode 100644 kremlin/include/kremlin/fstar_int.h create mode 100644 kremlin/include/kremlin/internal/builtin.h create mode 100644 kremlin/include/kremlin/internal/callconv.h create mode 100644 kremlin/include/kremlin/internal/compat.h create mode 100644 kremlin/include/kremlin/internal/debug.h create mode 100644 kremlin/include/kremlin/internal/target.h create mode 100644 kremlin/include/kremlin/internal/types.h create mode 100644 kremlin/include/kremlin/internal/wasmsupport.h create mode 100644 kremlin/include/kremlin/lowstar_endianness.h create mode 100644 kremlin/kremlib/dist/minimal/FStar_UInt128.h create mode 100644 kremlin/kremlib/dist/minimal/FStar_UInt128_Verified.h create mode 100644 kremlin/kremlib/dist/minimal/FStar_UInt_8_16_32_64.h create mode 100644 kremlin/kremlib/dist/minimal/LowStar_Endianness.h create mode 100644 kremlin/kremlib/dist/minimal/Makefile.basic create mode 100644 kremlin/kremlib/dist/minimal/Makefile.include create mode 100644 kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h create mode 100644 kremlin/kremlib/dist/minimal/fstar_uint128_msvc.h create mode 100644 kremlin/kremlib/dist/minimal/fstar_uint128_struct_endianness.h create mode 100644 kremlin/kremlib/dist/minimal/libkremlib.def create 
mode 100755 mach create mode 100644 ocaml/.gitignore create mode 100644 ocaml/META create mode 100644 ocaml/Makefile create mode 100644 ocaml/__init__.py create mode 100644 ocaml/ctypes.depend create mode 100644 ocaml/hacl-star-raw.opam create mode 100644 ocaml/hacl-star/.gitignore create mode 100644 ocaml/hacl-star/AutoConfig2.ml create mode 100644 ocaml/hacl-star/CHANGES.md create mode 100644 ocaml/hacl-star/EverCrypt.ml create mode 100644 ocaml/hacl-star/EverCrypt.mli create mode 100644 ocaml/hacl-star/Hacl.ml create mode 100644 ocaml/hacl-star/Hacl.mli create mode 100644 ocaml/hacl-star/SharedDefs.ml create mode 100644 ocaml/hacl-star/SharedFunctors.ml create mode 100644 ocaml/hacl-star/dune create mode 100644 ocaml/hacl-star/dune-project create mode 100644 ocaml/hacl-star/hacl-star.opam create mode 100644 ocaml/hacl-star/index.mld create mode 100644 ocaml/hacl-star/tests/aead_test.ml create mode 100644 ocaml/hacl-star/tests/config_test.ml create mode 100644 ocaml/hacl-star/tests/curve25519_test.ml create mode 100644 ocaml/hacl-star/tests/drbg_test.ml create mode 100644 ocaml/hacl-star/tests/dune create mode 100644 ocaml/hacl-star/tests/ed25519_test.ml create mode 100644 ocaml/hacl-star/tests/hash_test.ml create mode 100644 ocaml/hacl-star/tests/hkdf_test.ml create mode 100644 ocaml/hacl-star/tests/hmac_test.ml create mode 100644 ocaml/hacl-star/tests/nacl_test.ml create mode 100644 ocaml/hacl-star/tests/p256_test.ml create mode 100644 ocaml/hacl-star/tests/poly1305_test.ml create mode 100644 ocaml/hacl-star/tests/test_utils.ml create mode 100644 ocaml/lib/EverCrypt_AEAD_bindings.ml create mode 100644 ocaml/lib/EverCrypt_AutoConfig2_bindings.ml create mode 100644 ocaml/lib/EverCrypt_CTR_bindings.ml create mode 100644 ocaml/lib/EverCrypt_Chacha20Poly1305_bindings.ml create mode 100644 ocaml/lib/EverCrypt_Cipher_bindings.ml create mode 100644 ocaml/lib/EverCrypt_Curve25519_bindings.ml create mode 100644 ocaml/lib/EverCrypt_DRBG_bindings.ml create mode 100644 
ocaml/lib/EverCrypt_Ed25519_bindings.ml create mode 100644 ocaml/lib/EverCrypt_Error_bindings.ml create mode 100644 ocaml/lib/EverCrypt_HKDF_bindings.ml create mode 100644 ocaml/lib/EverCrypt_HMAC_bindings.ml create mode 100644 ocaml/lib/EverCrypt_Hash_bindings.ml create mode 100644 ocaml/lib/EverCrypt_Poly1305_bindings.ml create mode 100644 ocaml/lib/EverCrypt_StaticConfig_bindings.ml create mode 100644 ocaml/lib/EverCrypt_Vale_bindings.ml create mode 100644 ocaml/lib/Hacl_Bignum25519_51_bindings.ml create mode 100644 ocaml/lib/Hacl_Bignum256_32_bindings.ml create mode 100644 ocaml/lib/Hacl_Bignum256_bindings.ml create mode 100644 ocaml/lib/Hacl_Bignum32_bindings.ml create mode 100644 ocaml/lib/Hacl_Bignum4096_32_bindings.ml create mode 100644 ocaml/lib/Hacl_Bignum4096_bindings.ml create mode 100644 ocaml/lib/Hacl_Bignum64_bindings.ml create mode 100644 ocaml/lib/Hacl_Bignum_Base_bindings.ml create mode 100644 ocaml/lib/Hacl_Bignum_bindings.ml create mode 100644 ocaml/lib/Hacl_Chacha20Poly1305_128_bindings.ml create mode 100644 ocaml/lib/Hacl_Chacha20Poly1305_256_bindings.ml create mode 100644 ocaml/lib/Hacl_Chacha20Poly1305_32_bindings.ml create mode 100644 ocaml/lib/Hacl_Chacha20_Vec128_bindings.ml create mode 100644 ocaml/lib/Hacl_Chacha20_Vec256_bindings.ml create mode 100644 ocaml/lib/Hacl_Chacha20_Vec32_bindings.ml create mode 100644 ocaml/lib/Hacl_Chacha20_bindings.ml create mode 100644 ocaml/lib/Hacl_Curve25519_51_bindings.ml create mode 100644 ocaml/lib/Hacl_Curve25519_64_Slow_bindings.ml create mode 100644 ocaml/lib/Hacl_Curve25519_64_bindings.ml create mode 100644 ocaml/lib/Hacl_EC_Ed25519_bindings.ml create mode 100644 ocaml/lib/Hacl_Ed25519_bindings.ml create mode 100644 ocaml/lib/Hacl_FFDHE_bindings.ml create mode 100644 ocaml/lib/Hacl_Frodo1344_bindings.ml create mode 100644 ocaml/lib/Hacl_Frodo640_bindings.ml create mode 100644 ocaml/lib/Hacl_Frodo64_bindings.ml create mode 100644 ocaml/lib/Hacl_Frodo976_bindings.ml create mode 100644 
ocaml/lib/Hacl_Frodo_KEM_bindings.ml create mode 100644 ocaml/lib/Hacl_GenericField32_bindings.ml create mode 100644 ocaml/lib/Hacl_GenericField64_bindings.ml create mode 100644 ocaml/lib/Hacl_HKDF_Blake2b_256_bindings.ml create mode 100644 ocaml/lib/Hacl_HKDF_Blake2s_128_bindings.ml create mode 100644 ocaml/lib/Hacl_HKDF_bindings.ml create mode 100644 ocaml/lib/Hacl_HMAC_Blake2b_256_bindings.ml create mode 100644 ocaml/lib/Hacl_HMAC_Blake2s_128_bindings.ml create mode 100644 ocaml/lib/Hacl_HMAC_DRBG_bindings.ml create mode 100644 ocaml/lib/Hacl_HMAC_bindings.ml create mode 100644 ocaml/lib/Hacl_HPKE_Curve51_CP128_SHA256_bindings.ml create mode 100644 ocaml/lib/Hacl_HPKE_Curve51_CP128_SHA512_bindings.ml create mode 100644 ocaml/lib/Hacl_HPKE_Curve51_CP256_SHA256_bindings.ml create mode 100644 ocaml/lib/Hacl_HPKE_Curve51_CP256_SHA512_bindings.ml create mode 100644 ocaml/lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.ml create mode 100644 ocaml/lib/Hacl_HPKE_Curve51_CP32_SHA512_bindings.ml create mode 100644 ocaml/lib/Hacl_HPKE_Curve64_CP128_SHA256_bindings.ml create mode 100644 ocaml/lib/Hacl_HPKE_Curve64_CP128_SHA512_bindings.ml create mode 100644 ocaml/lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.ml create mode 100644 ocaml/lib/Hacl_HPKE_Curve64_CP256_SHA512_bindings.ml create mode 100644 ocaml/lib/Hacl_HPKE_Curve64_CP32_SHA256_bindings.ml create mode 100644 ocaml/lib/Hacl_HPKE_Curve64_CP32_SHA512_bindings.ml create mode 100644 ocaml/lib/Hacl_HPKE_P256_CP128_SHA256_bindings.ml create mode 100644 ocaml/lib/Hacl_HPKE_P256_CP256_SHA256_bindings.ml create mode 100644 ocaml/lib/Hacl_HPKE_P256_CP32_SHA256_bindings.ml create mode 100644 ocaml/lib/Hacl_Hash_Base_bindings.ml create mode 100644 ocaml/lib/Hacl_Hash_Blake2_bindings.ml create mode 100644 ocaml/lib/Hacl_Hash_Blake2b_256_bindings.ml create mode 100644 ocaml/lib/Hacl_Hash_Blake2s_128_bindings.ml create mode 100644 ocaml/lib/Hacl_Hash_MD5_bindings.ml create mode 100644 ocaml/lib/Hacl_Hash_SHA1_bindings.ml create mode 
100644 ocaml/lib/Hacl_Hash_SHA2_bindings.ml create mode 100644 ocaml/lib/Hacl_IntTypes_Intrinsics_128_bindings.ml create mode 100644 ocaml/lib/Hacl_IntTypes_Intrinsics_bindings.ml create mode 100644 ocaml/lib/Hacl_NaCl_bindings.ml create mode 100644 ocaml/lib/Hacl_P256_bindings.ml create mode 100644 ocaml/lib/Hacl_Poly1305_128_bindings.ml create mode 100644 ocaml/lib/Hacl_Poly1305_256_bindings.ml create mode 100644 ocaml/lib/Hacl_Poly1305_32_bindings.ml create mode 100644 ocaml/lib/Hacl_RSAPSS_bindings.ml create mode 100644 ocaml/lib/Hacl_SHA2_Scalar32_bindings.ml create mode 100644 ocaml/lib/Hacl_SHA2_Vec128_bindings.ml create mode 100644 ocaml/lib/Hacl_SHA2_Vec256_bindings.ml create mode 100644 ocaml/lib/Hacl_SHA3_bindings.ml create mode 100644 ocaml/lib/Hacl_Salsa20_bindings.ml create mode 100644 ocaml/lib/Hacl_Spec_bindings.ml create mode 100644 ocaml/lib/Hacl_Streaming_Blake2_bindings.ml create mode 100644 ocaml/lib/Hacl_Streaming_MD5_bindings.ml create mode 100644 ocaml/lib/Hacl_Streaming_Poly1305_32_bindings.ml create mode 100644 ocaml/lib/Hacl_Streaming_SHA1_bindings.ml create mode 100644 ocaml/lib/Hacl_Streaming_SHA2_bindings.ml create mode 100644 ocaml/lib/Lib_RandomBuffer_System_bindings.ml create mode 100644 ocaml/lib_gen/EverCrypt_AEAD_gen.ml create mode 100644 ocaml/lib_gen/EverCrypt_AutoConfig2_gen.ml create mode 100644 ocaml/lib_gen/EverCrypt_CTR_gen.ml create mode 100644 ocaml/lib_gen/EverCrypt_Chacha20Poly1305_gen.ml create mode 100644 ocaml/lib_gen/EverCrypt_Cipher_gen.ml create mode 100644 ocaml/lib_gen/EverCrypt_Curve25519_gen.ml create mode 100644 ocaml/lib_gen/EverCrypt_DRBG_gen.ml create mode 100644 ocaml/lib_gen/EverCrypt_Ed25519_gen.ml create mode 100644 ocaml/lib_gen/EverCrypt_Error_gen.ml create mode 100644 ocaml/lib_gen/EverCrypt_HKDF_gen.ml create mode 100644 ocaml/lib_gen/EverCrypt_HMAC_gen.ml create mode 100644 ocaml/lib_gen/EverCrypt_Hash_gen.ml create mode 100644 ocaml/lib_gen/EverCrypt_Poly1305_gen.ml create mode 100644 
ocaml/lib_gen/EverCrypt_StaticConfig_gen.ml create mode 100644 ocaml/lib_gen/EverCrypt_Vale_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Bignum25519_51_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Bignum256_32_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Bignum256_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Bignum32_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Bignum4096_32_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Bignum4096_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Bignum64_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Bignum_Base_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Bignum_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Chacha20Poly1305_128_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Chacha20Poly1305_256_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Chacha20Poly1305_32_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Chacha20_Vec128_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Chacha20_Vec256_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Chacha20_Vec32_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Chacha20_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Curve25519_51_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Curve25519_64_Slow_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Curve25519_64_gen.ml create mode 100644 ocaml/lib_gen/Hacl_EC_Ed25519_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Ed25519_gen.ml create mode 100644 ocaml/lib_gen/Hacl_FFDHE_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Frodo1344_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Frodo640_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Frodo64_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Frodo976_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Frodo_KEM_gen.ml create mode 100644 ocaml/lib_gen/Hacl_GenericField32_gen.ml create mode 100644 ocaml/lib_gen/Hacl_GenericField64_gen.ml create mode 100644 ocaml/lib_gen/Hacl_HKDF_Blake2b_256_gen.ml create mode 100644 ocaml/lib_gen/Hacl_HKDF_Blake2s_128_gen.ml create mode 100644 ocaml/lib_gen/Hacl_HKDF_gen.ml create mode 100644 
ocaml/lib_gen/Hacl_HMAC_Blake2b_256_gen.ml create mode 100644 ocaml/lib_gen/Hacl_HMAC_Blake2s_128_gen.ml create mode 100644 ocaml/lib_gen/Hacl_HMAC_DRBG_gen.ml create mode 100644 ocaml/lib_gen/Hacl_HMAC_gen.ml create mode 100644 ocaml/lib_gen/Hacl_HPKE_Curve51_CP128_SHA256_gen.ml create mode 100644 ocaml/lib_gen/Hacl_HPKE_Curve51_CP128_SHA512_gen.ml create mode 100644 ocaml/lib_gen/Hacl_HPKE_Curve51_CP256_SHA256_gen.ml create mode 100644 ocaml/lib_gen/Hacl_HPKE_Curve51_CP256_SHA512_gen.ml create mode 100644 ocaml/lib_gen/Hacl_HPKE_Curve51_CP32_SHA256_gen.ml create mode 100644 ocaml/lib_gen/Hacl_HPKE_Curve51_CP32_SHA512_gen.ml create mode 100644 ocaml/lib_gen/Hacl_HPKE_Curve64_CP128_SHA256_gen.ml create mode 100644 ocaml/lib_gen/Hacl_HPKE_Curve64_CP128_SHA512_gen.ml create mode 100644 ocaml/lib_gen/Hacl_HPKE_Curve64_CP256_SHA256_gen.ml create mode 100644 ocaml/lib_gen/Hacl_HPKE_Curve64_CP256_SHA512_gen.ml create mode 100644 ocaml/lib_gen/Hacl_HPKE_Curve64_CP32_SHA256_gen.ml create mode 100644 ocaml/lib_gen/Hacl_HPKE_Curve64_CP32_SHA512_gen.ml create mode 100644 ocaml/lib_gen/Hacl_HPKE_P256_CP128_SHA256_gen.ml create mode 100644 ocaml/lib_gen/Hacl_HPKE_P256_CP256_SHA256_gen.ml create mode 100644 ocaml/lib_gen/Hacl_HPKE_P256_CP32_SHA256_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Hash_Base_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Hash_Blake2_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Hash_Blake2b_256_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Hash_Blake2s_128_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Hash_MD5_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Hash_SHA1_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Hash_SHA2_gen.ml create mode 100644 ocaml/lib_gen/Hacl_IntTypes_Intrinsics_128_gen.ml create mode 100644 ocaml/lib_gen/Hacl_IntTypes_Intrinsics_gen.ml create mode 100644 ocaml/lib_gen/Hacl_NaCl_gen.ml create mode 100644 ocaml/lib_gen/Hacl_P256_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Poly1305_128_gen.ml create mode 100644 
ocaml/lib_gen/Hacl_Poly1305_256_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Poly1305_32_gen.ml create mode 100644 ocaml/lib_gen/Hacl_RSAPSS_gen.ml create mode 100644 ocaml/lib_gen/Hacl_SHA2_Scalar32_gen.ml create mode 100644 ocaml/lib_gen/Hacl_SHA2_Vec128_gen.ml create mode 100644 ocaml/lib_gen/Hacl_SHA2_Vec256_gen.ml create mode 100644 ocaml/lib_gen/Hacl_SHA3_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Salsa20_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Spec_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Streaming_Blake2_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Streaming_MD5_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Streaming_Poly1305_32_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Streaming_SHA1_gen.ml create mode 100644 ocaml/lib_gen/Hacl_Streaming_SHA2_gen.ml create mode 100644 ocaml/lib_gen/Lib_RandomBuffer_System_gen.ml create mode 100755 ocaml/setup.py create mode 100644 rust/.gitignore create mode 100644 rust/Cargo.toml create mode 100644 rust/README.md create mode 100644 rust/benches/aead.rs create mode 100644 rust/benches/benchmark.rs create mode 100644 rust/fuzz/.gitignore create mode 100644 rust/fuzz/Cargo.toml create mode 100644 rust/fuzz/fuzz_targets/aead.rs create mode 100644 rust/fuzz/fuzz_targets/ecdh.rs create mode 100644 rust/fuzz/fuzz_targets/ed25519.rs create mode 100644 rust/hacl-rust-sys/Cargo.toml create mode 100644 rust/hacl-rust-sys/README.md create mode 100644 rust/hacl-rust-sys/build.rs create mode 100644 rust/hacl-rust-sys/metadata.json create mode 100644 rust/hacl-rust-sys/src/bindings/bindings.rs create mode 100644 rust/hacl-rust-sys/src/hacl_bindings.rs create mode 100644 rust/hacl-rust-sys/src/lib.rs create mode 100644 rust/hacl-rust-sys/wrapper.h create mode 100644 rust/src/aead.rs create mode 100644 rust/src/digest.rs create mode 100644 rust/src/ecdh.rs create mode 100644 rust/src/ed25519.rs create mode 100644 rust/src/hkdf.rs create mode 100644 rust/src/hmac.rs create mode 100644 rust/src/lib.rs create mode 100644 
rust/src/p256.rs create mode 100644 rust/src/prelude.rs create mode 100644 rust/src/rand_util.rs create mode 100644 rust/src/signature.rs create mode 100644 rust/src/util.rs create mode 100644 rust/src/x25519.rs create mode 100644 rust/tests/aead-book.rs create mode 100644 rust/tests/test_aead.rs create mode 100644 rust/tests/test_blake2.rs create mode 100644 rust/tests/test_ed25519.rs create mode 100644 rust/tests/test_hkdf.rs create mode 100644 rust/tests/test_hmac.rs create mode 100644 rust/tests/test_p256_ecdh.rs create mode 100644 rust/tests/test_p256_ecdsa.rs create mode 100644 rust/tests/test_sha.rs create mode 100644 rust/tests/test_signatures.rs create mode 100644 rust/tests/test_util.rs create mode 100644 rust/tests/test_x25519.rs create mode 100644 rust/tests/wycheproof/aes_gcm_test.json create mode 100644 rust/tests/wycheproof/chacha20_poly1305_test.json create mode 100644 rust/tests/wycheproof/ecdh_secp256r1_ecpoint_test.json create mode 100644 rust/tests/wycheproof/ecdsa_secp256r1_sha256_test.json create mode 100644 rust/tests/wycheproof/eddsa_test.json create mode 100644 rust/tests/wycheproof/hkdf_sha1_test.json create mode 100644 rust/tests/wycheproof/hkdf_sha256_test.json create mode 100644 rust/tests/wycheproof/hkdf_sha384_test.json create mode 100644 rust/tests/wycheproof/hkdf_sha512_test.json create mode 100644 rust/tests/wycheproof/hmac_sha1_test.json create mode 100644 rust/tests/wycheproof/hmac_sha224_test.json create mode 100644 rust/tests/wycheproof/hmac_sha256_test.json create mode 100644 rust/tests/wycheproof/hmac_sha384_test.json create mode 100644 rust/tests/wycheproof/hmac_sha3_224_test.json create mode 100644 rust/tests/wycheproof/hmac_sha3_256_test.json create mode 100644 rust/tests/wycheproof/hmac_sha3_384_test.json create mode 100644 rust/tests/wycheproof/hmac_sha3_512_test.json create mode 100644 rust/tests/wycheproof/hmac_sha512_test.json create mode 100644 rust/tests/wycheproof/x25519_test.json create mode 100644 
src/EverCrypt_AEAD.c create mode 100644 src/EverCrypt_AutoConfig2.c create mode 100644 src/EverCrypt_CTR.c create mode 100644 src/EverCrypt_Chacha20Poly1305.c create mode 100644 src/EverCrypt_Cipher.c create mode 100644 src/EverCrypt_Curve25519.c create mode 100644 src/EverCrypt_DRBG.c create mode 100644 src/EverCrypt_Ed25519.c create mode 100644 src/EverCrypt_Error.c create mode 100644 src/EverCrypt_HKDF.c create mode 100644 src/EverCrypt_HMAC.c create mode 100644 src/EverCrypt_Hash.c create mode 100644 src/EverCrypt_Poly1305.c create mode 100644 src/Hacl_Bignum.c create mode 100644 src/Hacl_Bignum256.c create mode 100644 src/Hacl_Bignum256_32.c create mode 100644 src/Hacl_Bignum32.c create mode 100644 src/Hacl_Bignum4096.c create mode 100644 src/Hacl_Bignum4096_32.c create mode 100644 src/Hacl_Bignum64.c create mode 100644 src/Hacl_Chacha20.c create mode 100644 src/Hacl_Chacha20Poly1305_128.c create mode 100644 src/Hacl_Chacha20Poly1305_256.c create mode 100644 src/Hacl_Chacha20Poly1305_32.c create mode 100644 src/Hacl_Chacha20_Vec128.c create mode 100644 src/Hacl_Chacha20_Vec256.c create mode 100644 src/Hacl_Curve25519_51.c create mode 100644 src/Hacl_Curve25519_64.c create mode 100644 src/Hacl_Ed25519.c create mode 100644 src/Hacl_GenericField32.c create mode 100644 src/Hacl_GenericField64.c create mode 100644 src/Hacl_HKDF.c create mode 100644 src/Hacl_HMAC.c create mode 100644 src/Hacl_HMAC_DRBG.c create mode 100644 src/Hacl_Hash_Base.c create mode 100644 src/Hacl_Hash_Blake2.c create mode 100644 src/Hacl_Hash_Blake2b_256.c create mode 100644 src/Hacl_Hash_Blake2s_128.c create mode 100644 src/Hacl_Hash_MD5.c create mode 100644 src/Hacl_Hash_SHA1.c create mode 100644 src/Hacl_Hash_SHA2.c create mode 100644 src/Hacl_Kremlib.c create mode 100644 src/Hacl_NaCl.c create mode 100644 src/Hacl_P256.c create mode 100644 src/Hacl_Poly1305_128.c create mode 100644 src/Hacl_Poly1305_256.c create mode 100644 src/Hacl_Poly1305_32.c create mode 100644 src/Hacl_RSAPSS.c 
create mode 100644 src/Hacl_SHA2_Vec128.c create mode 100644 src/Hacl_SHA2_Vec256.c create mode 100644 src/Hacl_SHA3.c create mode 100644 src/Hacl_Salsa20.c create mode 100644 src/Hacl_Spec.c create mode 100644 src/Hacl_Streaming_Blake2.c create mode 100644 src/Hacl_Streaming_Blake2b_256.c create mode 100644 src/Hacl_Streaming_Blake2s_128.c create mode 100644 src/Hacl_Streaming_SHA1.c create mode 100644 src/Hacl_Streaming_SHA2.c create mode 100644 src/Lib_Memzero0.c create mode 100644 src/Lib_RandomBuffer_System.c create mode 100644 src/c89/EverCrypt_AEAD.c create mode 100644 src/c89/EverCrypt_AutoConfig2.c create mode 100644 src/c89/EverCrypt_CTR.c create mode 100644 src/c89/EverCrypt_Chacha20Poly1305.c create mode 100644 src/c89/EverCrypt_Cipher.c create mode 100644 src/c89/EverCrypt_Curve25519.c create mode 100644 src/c89/EverCrypt_DRBG.c create mode 100644 src/c89/EverCrypt_Ed25519.c create mode 100644 src/c89/EverCrypt_Error.c create mode 100644 src/c89/EverCrypt_HKDF.c create mode 100644 src/c89/EverCrypt_HMAC.c create mode 100644 src/c89/EverCrypt_Hash.c create mode 100644 src/c89/EverCrypt_Poly1305.c create mode 100644 src/c89/Hacl_Bignum.c create mode 100644 src/c89/Hacl_Bignum256.c create mode 100644 src/c89/Hacl_Bignum256_32.c create mode 100644 src/c89/Hacl_Bignum32.c create mode 100644 src/c89/Hacl_Bignum4096.c create mode 100644 src/c89/Hacl_Bignum4096_32.c create mode 100644 src/c89/Hacl_Bignum64.c create mode 100644 src/c89/Hacl_Chacha20.c create mode 100644 src/c89/Hacl_Chacha20Poly1305_128.c create mode 100644 src/c89/Hacl_Chacha20Poly1305_256.c create mode 100644 src/c89/Hacl_Chacha20Poly1305_32.c create mode 100644 src/c89/Hacl_Chacha20_Vec128.c create mode 100644 src/c89/Hacl_Chacha20_Vec256.c create mode 100644 src/c89/Hacl_Curve25519_51.c create mode 100644 src/c89/Hacl_Curve25519_64.c create mode 100644 src/c89/Hacl_Ed25519.c create mode 100644 src/c89/Hacl_GenericField32.c create mode 100644 src/c89/Hacl_GenericField64.c create mode 100644 
src/c89/Hacl_HKDF.c create mode 100644 src/c89/Hacl_HMAC.c create mode 100644 src/c89/Hacl_HMAC_DRBG.c create mode 100644 src/c89/Hacl_Hash_Base.c create mode 100644 src/c89/Hacl_Hash_Blake2.c create mode 100644 src/c89/Hacl_Hash_Blake2b_256.c create mode 100644 src/c89/Hacl_Hash_Blake2s_128.c create mode 100644 src/c89/Hacl_Hash_MD5.c create mode 100644 src/c89/Hacl_Hash_SHA1.c create mode 100644 src/c89/Hacl_Hash_SHA2.c create mode 100644 src/c89/Hacl_NaCl.c create mode 100644 src/c89/Hacl_P256.c create mode 100644 src/c89/Hacl_Poly1305_128.c create mode 100644 src/c89/Hacl_Poly1305_256.c create mode 100644 src/c89/Hacl_Poly1305_32.c create mode 100644 src/c89/Hacl_RSAPSS.c create mode 100644 src/c89/Hacl_SHA2_Vec128.c create mode 100644 src/c89/Hacl_SHA2_Vec256.c create mode 100644 src/c89/Hacl_SHA3.c create mode 100644 src/c89/Hacl_Salsa20.c create mode 100644 src/c89/Hacl_Spec.c create mode 100644 src/c89/Hacl_Streaming_Blake2.c create mode 100644 src/c89/Hacl_Streaming_Blake2b_256.c create mode 100644 src/c89/Hacl_Streaming_Blake2s_128.c create mode 100644 src/c89/Hacl_Streaming_SHA1.c create mode 100644 src/c89/Hacl_Streaming_SHA2.c create mode 100644 src/c89/Lib_Memzero0.c create mode 100644 src/c89/Lib_RandomBuffer_System.c create mode 100644 src/msvc/EverCrypt_AEAD.c create mode 100644 src/msvc/EverCrypt_AutoConfig2.c create mode 100644 src/msvc/EverCrypt_CTR.c create mode 100644 src/msvc/EverCrypt_Chacha20Poly1305.c create mode 100644 src/msvc/EverCrypt_Cipher.c create mode 100644 src/msvc/EverCrypt_Curve25519.c create mode 100644 src/msvc/EverCrypt_DRBG.c create mode 100644 src/msvc/EverCrypt_Ed25519.c create mode 100644 src/msvc/EverCrypt_Error.c create mode 100644 src/msvc/EverCrypt_HKDF.c create mode 100644 src/msvc/EverCrypt_HMAC.c create mode 100644 src/msvc/EverCrypt_Hash.c create mode 100644 src/msvc/EverCrypt_Poly1305.c create mode 100644 src/msvc/Hacl_Bignum.c create mode 100644 src/msvc/Hacl_Bignum256.c create mode 100644 
src/msvc/Hacl_Bignum256_32.c create mode 100644 src/msvc/Hacl_Bignum32.c create mode 100644 src/msvc/Hacl_Bignum4096.c create mode 100644 src/msvc/Hacl_Bignum4096_32.c create mode 100644 src/msvc/Hacl_Bignum64.c create mode 100644 src/msvc/Hacl_Chacha20.c create mode 100644 src/msvc/Hacl_Chacha20Poly1305_128.c create mode 100644 src/msvc/Hacl_Chacha20Poly1305_256.c create mode 100644 src/msvc/Hacl_Chacha20Poly1305_32.c create mode 100644 src/msvc/Hacl_Chacha20_Vec128.c create mode 100644 src/msvc/Hacl_Chacha20_Vec256.c create mode 100644 src/msvc/Hacl_Curve25519_51.c create mode 100644 src/msvc/Hacl_Curve25519_64.c create mode 100644 src/msvc/Hacl_Ed25519.c create mode 100644 src/msvc/Hacl_GenericField32.c create mode 100644 src/msvc/Hacl_GenericField64.c create mode 100644 src/msvc/Hacl_HKDF.c create mode 100644 src/msvc/Hacl_HMAC.c create mode 100644 src/msvc/Hacl_HMAC_DRBG.c create mode 100644 src/msvc/Hacl_Hash_Base.c create mode 100644 src/msvc/Hacl_Hash_Blake2.c create mode 100644 src/msvc/Hacl_Hash_Blake2b_256.c create mode 100644 src/msvc/Hacl_Hash_Blake2s_128.c create mode 100644 src/msvc/Hacl_Hash_MD5.c create mode 100644 src/msvc/Hacl_Hash_SHA1.c create mode 100644 src/msvc/Hacl_Hash_SHA2.c create mode 100644 src/msvc/Hacl_Kremlib.c create mode 100644 src/msvc/Hacl_NaCl.c create mode 100644 src/msvc/Hacl_P256.c create mode 100644 src/msvc/Hacl_Poly1305_128.c create mode 100644 src/msvc/Hacl_Poly1305_256.c create mode 100644 src/msvc/Hacl_Poly1305_32.c create mode 100644 src/msvc/Hacl_RSAPSS.c create mode 100644 src/msvc/Hacl_SHA2_Vec128.c create mode 100644 src/msvc/Hacl_SHA2_Vec256.c create mode 100644 src/msvc/Hacl_SHA3.c create mode 100644 src/msvc/Hacl_Salsa20.c create mode 100644 src/msvc/Hacl_Spec.c create mode 100644 src/msvc/Hacl_Streaming_Blake2.c create mode 100644 src/msvc/Hacl_Streaming_Blake2b_256.c create mode 100644 src/msvc/Hacl_Streaming_Blake2s_128.c create mode 100644 src/msvc/Hacl_Streaming_SHA1.c create mode 100644 
src/msvc/Hacl_Streaming_SHA2.c create mode 100644 src/msvc/Lib_Memzero0.c create mode 100644 src/msvc/Lib_RandomBuffer_System.c create mode 100644 tests/blake2_vectors.h create mode 100644 tests/blake2b.cc create mode 100644 tests/blake2s.cc create mode 100644 tests/chacha20poly1305.cc create mode 100644 tests/chacha20poly1305/chacha20_poly1305_test.json create mode 100644 tests/chacha20poly1305_vectors.h create mode 100644 tests/curve25519_vectors.h create mode 100644 tests/ed25519.cc create mode 100644 tests/ed25519/eddsa_test.json create mode 100644 tests/p256_ecdh.cc create mode 100644 tests/p256_ecdh/ecdh_secp256r1_ecpoint_test.json create mode 100644 tests/p256_ecdsa.cc create mode 100644 tests/p256_ecdsa/ecdsa_secp256r1_sha256_test.json create mode 100644 tests/util.h create mode 100644 tests/x25519.cc create mode 100644 tests/x25519/x25519_test.json create mode 100644 tools/configure.py create mode 100644 tools/macos.py create mode 100644 tools/ocaml.py create mode 100644 tools/test.py create mode 100644 tools/utils.py create mode 100644 tools/vcbuild.cmd create mode 100755 update.py create mode 100644 vale/include/EverCrypt_Vale.h create mode 100644 vale/include/Vale.h create mode 100644 vale/src/EverCrypt_Vale.c create mode 100644 vale/src/Vale.c create mode 100644 vale/src/aes-i686.asm create mode 100644 vale/src/aes-x86_64-darwin.S create mode 100644 vale/src/aes-x86_64-linux.S create mode 100644 vale/src/aes-x86_64-mingw.S create mode 100644 vale/src/aes-x86_64-msvc.asm create mode 100644 vale/src/aesgcm-x86_64-darwin.S create mode 100644 vale/src/aesgcm-x86_64-linux.S create mode 100644 vale/src/aesgcm-x86_64-mingw.S create mode 100644 vale/src/aesgcm-x86_64-msvc.asm create mode 100644 vale/src/cpuid-x86_64-darwin.S create mode 100644 vale/src/cpuid-x86_64-linux.S create mode 100644 vale/src/cpuid-x86_64-mingw.S create mode 100644 vale/src/cpuid-x86_64-msvc.asm create mode 100644 vale/src/curve25519-inline.h create mode 100644 
vale/src/curve25519-x86_64-darwin.S create mode 100644 vale/src/curve25519-x86_64-linux.S create mode 100644 vale/src/curve25519-x86_64-mingw.S create mode 100644 vale/src/curve25519-x86_64-msvc.asm create mode 100644 vale/src/evercrypt_vale_stubs.c create mode 100644 vale/src/poly1305-x86_64-darwin.S create mode 100644 vale/src/poly1305-x86_64-linux.S create mode 100644 vale/src/poly1305-x86_64-mingw.S create mode 100644 vale/src/poly1305-x86_64-msvc.asm create mode 100644 vale/src/sha256-x86_64-darwin.S create mode 100644 vale/src/sha256-x86_64-linux.S create mode 100644 vale/src/sha256-x86_64-mingw.S create mode 100644 vale/src/sha256-x86_64-msvc.asm diff --git a/.ci/kitware-archive.sh b/.ci/kitware-archive.sh new file mode 100755 index 00000000..998ed9cc --- /dev/null +++ b/.ci/kitware-archive.sh 
@@ -0,0 +1,103 @@
+#!/bin/sh
+
+set -eu
+
+help() {
+ echo "Usage: $0 [--release ] [--rc]" > /dev/stderr
+}
+
+doing=
+rc=
+release=
+help=
+for opt in "$@"
+do
+ case "${doing}" in
+ release)
+ release="${opt}"
+ doing=
+ ;;
+ "")
+ case "${opt}" in
+ --rc)
+ rc=1
+ ;;
+ --release)
+ doing=release
+ ;;
+ --help)
+ help=1
+ ;;
+ esac
+ ;;
+ esac
+done
+
+if [ -n "${doing}" ]
+then
+ echo "--${doing} option given no argument." > /dev/stderr
+ echo > /dev/stderr
+ help
+ exit 1
+fi
+
+if [ -n "${help}" ]
+then
+ help
+ exit
+fi
+
+if [ -z "${release}" ]
+then
+ unset UBUNTU_CODENAME
+ . /etc/os-release
+
+ if [ -z "${UBUNTU_CODENAME+x}" ]
+then
+ echo "This is not an Ubuntu system. Aborting." > /dev/stderr
+ exit 1
+ fi
+
+ release="${UBUNTU_CODENAME}"
+fi
+
+case "${release}" in
+xenial)
+ packages="apt-transport-https"
+ keyring_packages="wget"
+ ;;
+bionic|focal)
+ packages=
+ keyring_packages="gpg wget"
+ ;;
+*)
+ echo "Only Ubuntu Xenial (16.04), Bionic (18.04), and Focal (20.04) are supported. Aborting." > /dev/stderr
+ exit 1
+ ;;
+esac
+
+get_keyring=
+if [ ! -f /usr/share/keyrings/kitware-archive-keyring.gpg ]
+then
+ packages="${packages} ${keyring_packages}"
+ get_keyring=1
+fi
+
+# Start the real work
+set -x
+
+apt-get update
+# shellcheck disable=SC2086
+apt-get install -y ${packages}
+
+test -n "${get_keyring}" && (wget -O - https://apt.kitware.com/keys/kitware-archive-latest.asc 2>/dev/null | gpg --dearmor - > /usr/share/keyrings/kitware-archive-keyring.gpg)
+
+echo "deb [signed-by=/usr/share/keyrings/kitware-archive-keyring.gpg] https://apt.kitware.com/ubuntu/ ${release} main" > /etc/apt/sources.list.d/kitware.list
+if [ -n "${rc}" ]
+then
+ echo "deb [signed-by=/usr/share/keyrings/kitware-archive-keyring.gpg] https://apt.kitware.com/ubuntu/ ${release}-rc main" >> /etc/apt/sources.list.d/kitware.list
+fi
+
+apt-get update
+test -n "${get_keyring}" && rm /usr/share/keyrings/kitware-archive-keyring.gpg
+apt-get install -y kitware-archive-keyring
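Review bot: The keyring fetch `test -n "${get_keyring}" && (wget -O - https://apt.kitware.com/keys/kitware-archive-latest.asc 2>/dev/null | gpg --dearmor - > /usr/share/keyrings/kitware-archive-keyring.gpg)` is not protected by `set -eu`: POSIX sh has no `pipefail`, a pipeline's status is that of its last command, and the redirect creates the keyring file before wget even runs, so a failed or truncated download leaves a possibly empty keyring in place and the script carries on to `apt-get update`, which then fails or warns on signature verification. Download to a temporary file and check wget's status before dearmoring, e.g. `tmp=$(mktemp)` then `wget -O "$tmp" https://apt.kitware.com/keys/kitware-archive-latest.asc && gpg --dearmor < "$tmp" > /usr/share/keyrings/kitware-archive-keyring.gpg`. Since the key is trusted solely on the strength of the TLS connection, consider comparing the output of `gpg --show-keys --with-fingerprint "$tmp"` against a pinned fingerprint before installing it. The "At least one invalid signature was encountered" remark in the commented-out arm32 pipeline of `.drone.yml` may well be this failure mode, though that is inferred. The script is complete within this hunk.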
diff --git a/.clabot b/.clabot
index 0c662fc0..167f856d 100644
--- a/.clabot
+++ b/.clabot
@@ -1,4 +1,4 @@
 {
 "contributors": ["franziskuskiefer","karthikbhargavan"],
- "message": "We require contributors to sign our Contributor License Agreement https://github.com/cryspen/hacl/blob/main/CLA.md ensuring that the contribution can be licensed under Apache 2.0. In order for us to review and merge your code, please mention @cryspen/core in a comment below to get yourself added."
+ "message": "We require contributors to sign our Contributor License Agreement https://github.com/cryspen/hacl/blob/main/CLA.md ensuring that the contribution can be licensed under Apache 2.0 and MIT. In order for us to review and merge your code, please mention @cryspen/core in a comment below to get yourself added."
 }
diff --git a/.clang-format b/.clang-format
new file mode 100644
index 00000000..dc33c722
--- /dev/null
+++ b/.clang-format
@@ -0,0 +1 @@
+BasedOnStyle: Mozilla
diff --git a/.drone.yml b/.drone.yml
new file mode 100644
index 00000000..0f60fa1a
--- /dev/null
+++ b/.drone.yml
@@ -0,0 +1,36 @@
+kind: pipeline
+type: docker
+name: arm64
+
+platform:
+ arch: arm64
+
+steps:
+- name: test
+ image: ubuntu:20.04
+ commands:
+ - ./.ci/kitware-archive.sh
+ - apt-get update -qq --yes && apt-get install -qq --yes clang cmake ninja-build python3
+ - ./mach build --test -v -c
+ - ./mach build --release --test -v -c
+
+# ---
+# Doesn't work right now "At least one invalid signature was encountered"
+#
+# kind: pipeline
+# type: docker
+# name: arm32
+#
+# platform:
+# arch: arm
+#
+# steps:
+# - name: test
+# image: ubuntu:20.04
+# commands:
+#
+# - ./.ci/kitware-archive.sh
+# - apt-get update -qq --yes && apt-get install -qq --yes clang cmake ninja-build python3
+# - ./mach build --test -v -c
+# - ./mach build --release --test -v -c
+
\ No newline at end of file
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 00000000..61c9b451
--- /dev/null
+++ b/.github/workflows/build.yml 
@@ -0,0 +1,246 @@
+name: c
+
+on: [pull_request]
+
+jobs:
+ macos:
+ runs-on: macos-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ compiler: [{ cpp: g++-11, c: gcc-11 }, { cpp: clang++, c: clang }]
+ env:
+ CC: ${{ matrix.compiler.c }}
+ CXX: ${{ matrix.compiler.cpp }}
+ steps:
+ - uses: actions/checkout@v2
+ - name: Output name
+ id: vars
+ run: |
+ echo ::set-output name=short_sha::${GITHUB_SHA: -8}
+ - name: Setup
+ run: brew install ninja
+ - name: Debug Build & Test
+ run: ./mach build --test -v
+ - name: Release Build & Test
+ run: ./mach build --release --test -v
+ - name: Install
+ run: |
+ mkdir pkg-release
+ ./mach install -p $PWD/pkg-release -c Release
+ mkdir pkg-debug
+ ./mach install -p $PWD/pkg-debug
+ - name: Upload Artifacts
+ uses: actions/upload-artifact@v2
+ with:
+ name: macos-x64-${{ matrix.compiler.c }}-${{ steps.vars.outputs.short_sha }}
+ path: |
+ pkg-debug
+ pkg-release
+ build/Debug
+ build/Release
+ macos-aarch64:
+ runs-on: macos-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ target: ["aarch64-apple-ios", "aarch64-apple-darwin"]
+ steps:
+ - uses: actions/checkout@v2
+ - name: Output name
+ id: vars
+ run: |
+ echo ::set-output name=short_sha::${GITHUB_SHA: -8}
+ - name: Setup
+ run: brew install ninja
+ - name: Debug Build
+ run: ./mach build --tests -v --target ${{ matrix.target }}
+ - name: Release Build
+ run: ./mach build --release --tests -v --target ${{ matrix.target }}
+ - name: Upload Artifacts
+ uses: actions/upload-artifact@v2
+ with:
+ name: ${{ matrix.target }}-${{ steps.vars.outputs.short_sha }}
+ path: |
+ build/Debug
+ build/Release
+ linux-gcc:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ compiler: [7, 8, 9, 10, 11]
+ env:
+ CC: gcc-${{ matrix.compiler }}
+ CXX: g++-${{ matrix.compiler }}
+ steps:
+ - name: Output name
+ id: vars
+ run: |
+ echo ::set-output name=short_sha::${GITHUB_SHA: -8}
+ - name: Setup
+ run: |
+ sudo apt-get update
+ sudo apt-get install ninja-build gcc-${{ matrix.compiler }} g++-${{ matrix.compiler }}
+ - uses: actions/checkout@v2
+ - name: Debug Build & Test
+ run: ./mach build --test -v
+ - name: Release Build & Test
+ run: ./mach build --release --test -v
+ - name: Install
+ run: |
+ mkdir pkg-release
+ ./mach install -p $PWD/pkg-release -c Release
+ mkdir pkg-debug
+ ./mach install -p $PWD/pkg-debug
+ - name: Upload Artifacts
+ uses: actions/upload-artifact@v2
+ with:
+ name: linux-x64-gcc${{ matrix.compiler }}-${{ steps.vars.outputs.short_sha }}
+ path: |
+ pkg-debug
+ pkg-release
+ build/Debug
+ build/Release
+ linux-clang:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ compiler: [7, 8, 9, 10]
+ options: ["", "-m32"]
+ env:
+ CC: clang-${{ matrix.compiler }}
+ CXX: clang++-${{ matrix.compiler }}
+ steps:
+ - name: Output name
+ id: vars
+ run: |
+ echo ::set-output name=short_sha::${GITHUB_SHA: -8}
+ - name: Setup
+ run: |
+ sudo apt-get update
+ sudo apt-get install ninja-build clang-${{ matrix.compiler }} gcc-multilib g++-multilib
+ - uses: actions/checkout@v2
+ - name: Debug Build & Test
+ run: ./mach build --test -v ${{ matrix.options }}
+ - name: Release Build & Test
+ run: ./mach build --release --test -v ${{ matrix.options }}
+ - name: Install
+ run: |
+ mkdir pkg-release
+ ./mach install -p $PWD/pkg-release -c Release
+ mkdir pkg-debug
+ ./mach install -p $PWD/pkg-debug
+ - name: Upload Artifacts
+ uses: actions/upload-artifact@v2
+ with:
+ name: linux-x64-clang${{ matrix.compiler }}-${{ steps.vars.outputs.short_sha }}${{ matrix.options }}
+ path: |
+ pkg-debug
+ pkg-release
+ build/Debug
+ build/Release
+ android:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ target: ["aarch64-linux-android"]
+ steps:
+ - name: Output name
+ id: vars
+ run: |
+ echo ::set-output name=short_sha::${GITHUB_SHA: -8}
+ - name: Setup
+ run: |
+ sudo apt-get update
+ sudo apt-get install ninja-build
+ - uses: actions/checkout@v2
+ - name: Debug Build
+ run: ./mach build --tests -v --target ${{ matrix.target }} --ndk $ANDROID_NDK_HOME
+ - name: Release Build
+ run: ./mach build --release --tests -v --target ${{ matrix.target }} --ndk $ANDROID_NDK_HOME
+ - name: Upload Artifacts
+ uses: actions/upload-artifact@v2
+ with:
+ name: ${{ matrix.target }}-${{ steps.vars.outputs.short_sha }}
+ path: |
+ build/Debug
+ build/Release
+ s390x-gcc:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Output name
+ id: vars
+ run: |
+ echo ::set-output name=short_sha::${GITHUB_SHA: -8}
+ - name: Setup
+ run: |
+ sudo apt-get update
+ sudo apt-get install ninja-build g++-10-s390x-linux-gnu gcc-10-s390x-linux-gnu
+ - uses: actions/checkout@v2
+ - name: Debug Build
+ run: ./mach build --tests --target s390x -v
+ - name: Release Build
+ run: ./mach build --release --target s390x --tests -v
+ - name: Install
+ run: |
+ mkdir pkg-release
+ ./mach install -p $PWD/pkg-release -c Release
+ mkdir pkg-debug
+ ./mach install -p $PWD/pkg-debug
+ - name: Upload Artifacts
+ uses: actions/upload-artifact@v2
+ with:
+ name: linux-s390x-gcc10-${{ steps.vars.outputs.short_sha }}
+ path: |
+ pkg-debug
+ pkg-release
+ build/Debug
+ build/Release
+ windows:
+ runs-on: windows-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ compiler: ["", "--msvc"]
+ # options: ["", "-m32"]
+ steps:
+ - uses: actions/checkout@v2
+ - uses: ilammy/msvc-dev-cmd@v1
+ - name: Output name
+ id: vars
+ shell: bash
+ run: |
+ echo ::set-output name=short_sha::${GITHUB_SHA: -8}
+ - name: Setup
+ run: choco install ninja
+ - name: Debug Build & Test
+ run: python mach build --test -v ${{ matrix.compiler }}
+ - name: Release Build & Test
+ run: python mach build --release --test -v ${{ matrix.compiler }}
+ - name: Upload Artifacts
+ uses: actions/upload-artifact@v2
+ with:
+ name: windows-x64${{ matrix.compiler }}-${{ steps.vars.outputs.short_sha }}
+ path: |
+ build/Debug
+ build/Release
+ default:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Output name
+ id: vars
+ run: |
+ echo ::set-output name=short_sha::${GITHUB_SHA: -8}
+ - name: Setup
+ run: |
+ sudo apt-get update
+ sudo apt-get install ninja-build
+ - uses: actions/checkout@v2
+ - name: Build
+ run: ./_build.sh
+ - name: Upload Artifacts
+ uses: actions/upload-artifact@v2
+ with:
+ name: linux-default-${{ steps.vars.outputs.short_sha }}
+ path: build/Release
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
new file mode 100644
index 00000000..e34cf3e0
--- /dev/null
+++ b/.github/workflows/gh-pages.yml
@@ -0,0 +1,29 @@
+name: gh-pages
+
+on:
+ push:
+ branches:
+ - main
+ workflow_dispatch:
+
+defaults:
+ run:
+ working-directory: docs
+
+jobs:
+ documentation:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: hecrj/setup-rust-action@master
+ - uses: actions/checkout@master
+ - name: Setup mdBook
+ uses: peaceiris/actions-mdbook@v1
+ with:
+ mdbook-version: 'latest'
+ - name: Build docs
+ run: mdbook build
+ - name: Deploy docs to GitHub Pages
+ uses: peaceiris/actions-gh-pages@v3
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ publish_dir: docs/book
diff --git a/.github/workflows/ocaml.yml b/.github/workflows/ocaml.yml
new file mode 100644
index 00000000..d960d391
--- /dev/null
+++ b/.github/workflows/ocaml.yml
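Review bot: Every third-party action in build.yml is referenced by a mutable tag (`actions/checkout@v2`, `actions/upload-artifact@v2`, `ilammy/msvc-dev-cmd@v1`), and the same holds for `actions/cache@v3` in ocaml.yml and rust.yml and for `peaceiris/actions-mdbook@v1` / `peaceiris/actions-gh-pages@v3` in gh-pages.yml, so the code that runs with the repository's token can change without any commit in this repository. gh-pages.yml is the weakest case: `hecrj/setup-rust-action@master` and `actions/checkout@master` track a branch head inside a job that pushes to GitHub Pages with `secrets.GITHUB_TOKEN`. Pin each `uses:` to a full commit SHA and keep the version as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v2`, and let Dependabot or an equivalent bump the pins. The `${{ matrix.* }}` values interpolated into `run:` lines are literals from this file, so they are not an expression-injection concern as written.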
@@ -0,0 +1,79 @@
+name: ocaml
+
+on: [pull_request]
+
+jobs:
+ mach:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Cache Setup
+ id: cache-ocaml-setup
+ uses: actions/cache@v3
+ with:
+ path: ~/.opam
+ key: ${{ runner.os }}-ocaml-setup
+
+ - name: System Setup
+ run: sudo apt-get install ninja-build opam libgmp-dev
+ - name: OCaml Setup
+ if: steps.cache-ocaml-setup.outputs.cache-hit != 'true'
+ run: |
+ OPAMYES=true opam init --auto-setup --disable-sandboxing --yes --bare
+ opam switch create 4.12.0 --yes
+ eval $(opam env)
+ opam install --yes ocamlfind ctypes zarith cppo
+
+ - name: Debug Build
+ run: |
+ eval $(opam env)
+ ./mach build -l ocaml -v
+
+ - name: Release Build
+ run: |
+ eval $(opam env)
+ ./mach build --release -l ocaml -v
+
+ - name: Test Debug
+ run: |
+ eval $(opam env)
+ ./mach test -l ocaml -v
+
+ standalone:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Cache Setup
+ id: cache-ocaml-setup
+ uses: actions/cache@v3
+ with:
+ path: ~/.opam
+ key: ${{ runner.os }}-ocaml-setup
+
+ - name: System Setup
+ run: sudo apt-get install ninja-build opam libgmp-dev
+ - name: OCaml Setup
+ if: steps.cache-ocaml-setup.outputs.cache-hit != 'true'
+ run: |
+ OPAMYES=true opam init --auto-setup --disable-sandboxing --yes --bare
+ opam switch create 4.12.0 --yes
+ eval $(opam env)
+ opam install --yes ocamlfind ctypes zarith cppo
+
+ - name: Build
+ working-directory: ocaml
+ run: |
+ eval $(opam env)
+ ./setup.py
+ HACL_MAKE_CONFIG=hacl-packages/config/cached-config.txt make ocamlevercrypt.cmxa
+ HACL_MAKE_CONFIG=hacl-packages/config/cached-config.txt make -j
+
+ - name: Test
+ working-directory: ocaml
+ run: |
+ eval $(opam env)
+ HACL_MAKE_CONFIG=hacl-packages/config/cached-config.txt make -j test
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
new file mode 100644
index 00000000..f1b6621b
--- /dev/null
+++ b/.github/workflows/rust.yml
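Review bot: The `actions/cache@v3` key `${{ runner.os }}-ocaml-setup` is constant, so once a cache entry exists the guarded `OCaml Setup` step is skipped on every later run and changes to the switch version or to the `opam install` package list are never applied; the `standalone` job has the same cache block. Folding the inputs into the key, e.g. `key: ${{ runner.os }}-ocaml-4.12.0-${{ hashFiles('.github/workflows/ocaml.yml') }}`, makes the cache expire when the setup changes. `opam init --disable-sandboxing` runs package build scripts without opam's sandbox; on a throwaway runner that is tolerable, but a one-line comment stating why it is required would stop the flag from being copied into local setup instructions. The `System Setup` step also calls `apt-get install` without the preceding `apt-get update` that the jobs in build.yml perform, so it can fail on a stale package index.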
@@ -0,0 +1,107 @@
+name: rust
+
+on: [pull_request]
+
+jobs:
+ mach:
+ strategy:
+ fail-fast: false
+ matrix:
+ os:
+ - macos-latest
+ - ubuntu-latest
+ - windows-latest
+
+ runs-on: ${{ matrix.os }}
+
+ steps:
+ - uses: actions/checkout@v2
+ - uses: actions/cache@v3
+ with:
+ path: |
+ ~/.cargo/bin/
+ ~/.cargo/registry/index/
+ ~/.cargo/registry/cache/
+ ~/.cargo/git/db/
+ target/
+ key: ${{ runner.os }}-cargo
+
+ - if: matrix.os == 'macos-latest'
+ run: brew install ninja
+
+ - if: matrix.os == 'ubuntu-latest'
+ run: sudo apt-get install ninja-build
+
+ - if: matrix.os == 'windows-latest'
+ uses: ilammy/msvc-dev-cmd@v1
+
+ - if: matrix.os == 'windows-latest'
+ run: choco install ninja
+
+ - name: Cargo update
+ working-directory: rust
+ run: cargo update
+
+ - name: Debug Build
+ run: ./mach build -l rust -v
+
+ - name: Release Build
+ run: ./mach build --release -l rust -v
+
+ - name: Test Debug
+ if: matrix.os != 'windows-latest'
+ run: cargo test --manifest-path rust/Cargo.toml
+ env:
+ MACH_BUILD: 1
+
+ standalone:
+ strategy:
+ fail-fast: false
+ matrix:
+ os:
+ - macos-latest
+ - ubuntu-latest
+ # - windows-latest # FIXME
+
+ runs-on: ${{ matrix.os }}
+
+ steps:
+ - uses: actions/checkout@v2
+
+ - uses: actions/cache@v3
+ with:
+ path: |
+ ~/.cargo/bin/
+ ~/.cargo/registry/index/
+ ~/.cargo/registry/cache/
+ ~/.cargo/git/db/
+ target/
+ key: ${{ runner.os }}-cargo
+
+ - if: matrix.os == 'macos-latest'
+ run: brew install ninja
+
+ - if: matrix.os == 'ubuntu-latest'
+ run: sudo apt-get install ninja-build
+
+ - if: matrix.os == 'windows-latest'
+ uses: ilammy/msvc-dev-cmd@v1
+
+ - if: matrix.os == 'windows-latest'
+ run: choco install ninja
+
+ - name: Cargo update
+ working-directory: rust
+ run: cargo update
+
+ - name: Debug Build
+ working-directory: rust
+ run: cargo build -v
+
+ - name: Release Build
+ working-directory: rust
+ run: cargo build --release -v
+
+ - name: Test Debug
+ working-directory: rust
+ run: cargo test -v
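Review bot: The `Cargo update` step in both jobs runs `cargo update` before every build, which rewrites `rust/Cargo.lock` on the runner and resolves the newest crate versions matching `Cargo.toml` on each run, so CI never exercises the committed dependency set and a newly published upstream crate version can change the outcome with no change to this repository. If the intent is to test the lockfile, drop the step and build against it, e.g. in the standalone job `run: cargo build --locked -v` and `run: cargo test --locked -v`; if the intent is a canary for fresh dependencies, that belongs in a separate scheduled job. The `${{ runner.os }}-cargo` cache key also omits `hashFiles('**/Cargo.lock')`, so the cached registry and `target/` are never invalidated when dependencies change. The `windows-latest` steps in the `standalone` job are dead while that OS is commented out of its matrix.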
diff --git a/.gitignore b/.gitignore
index e69de29b..7264645c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,17 @@
+/build
+/Testing
+/config/build
+/config/cached-config.txt
+/tmp
+/tools/__pycache__
+/config/config.cmake
+/config/dep_config.json
+config/.dependency_check
+/rust/evercrypt-rs/target
+/rust/evercrypt-sys/target
+docs/source/__pycache__
+docs/build
+cpu-features/detect
+/pkg
+__pycache__/
+config/.cache
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 00000000..8eec4a88
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,37 @@
+{
+ "files.associations": {
+ "*.in": "cpp",
+ "stdio.h": "c",
+ "stdlib.h": "c",
+ "limits.h": "c",
+ "inttypes.h": "c",
+ "libintvector.h": "c",
+ "hacl_hash_blake2s_128.h": "c",
+ "hacl_hash_blake2.h": "c",
+ "hacl_streaming_blake2s_128.h": "c",
+ "hacl_streaming_blake2.h": "c",
+ "__hash_table": "cpp",
+ "__split_buffer": "cpp",
+ "__tree": "cpp",
+ "array": "cpp",
+ "bitset": "cpp",
+ "deque": "cpp",
+ "initializer_list": "cpp",
+ "iterator": "cpp",
+ "list": "cpp",
+ "map": "cpp",
+ "set": "cpp",
+ "stack": "cpp",
+ "string": "cpp",
+ "string_view": "cpp",
+ "unordered_map": "cpp",
+ "unordered_set": "cpp",
+ "utility": "cpp",
+ "vector": "cpp",
+ "span": "cpp",
+ "iosfwd": "cpp"
+ },
+ "python.pythonPath": "/opt/homebrew/bin/python3",
+ "C_Cpp.default.configurationProvider": "ms-vscode.cmake-tools",
+ "python.formatting.provider": "autopep8"
+}
\ No newline at end of file
diff --git a/CLA.md b/CLA.md
index 2061712a..686619dd 100644
--- a/CLA.md
+++ b/CLA.md
@@ -1,8 +1,8 @@
 By making a contribution to this project, I certify that:
-(a) The contribution was created in whole or in part by me and I have the right to submit it under the Apache 2.0 license; or
+(a) The contribution was created in whole or in part by me and I have the right to submit it under the Apache 2.0 and MIT license; or
-(b) The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the Apache 2.0 license; or
+(b) The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the Apache 2.0 and MIT license; or
 (c) The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it.
diff --git a/CMakeLists.txt b/CMakeLists.txt
new file mode 100644
index 00000000..61d9f670
--- /dev/null
+++ b/CMakeLists.txt
@@ -0,0 +1,366 @@
+
+#
+# Copyright 2022 Cryspen Sarl
+#
+# Licensed under the Apache License, Version 2.0 or MIT.
+# * http://www.apache.org/licenses/LICENSE-2.0
+# * http://opensource.org/licenses/MIT
+#
+# CMake configuration for HACL.
+#
+# We only support Ninja as target, which is set in PreLoad.cmake, and require a
+# modern CMake environment.
+# WARNING: Preload.cmake is undocumented und apparently unfinished.
+# The Ninja Multi-Config generator is only available since 3.17
+# https://cmake.org/cmake/help/latest/generator/Ninja%20Multi-Config.html
+cmake_minimum_required(VERSION 3.17)
+if(WIN32)
+ # Make sure we have visual studio enabled
+ cmake_policy(SET CMP0091 NEW)
+ # Avoid picking something that's not clang, unless the caller wants MSVC.
+ if(NOT USE_MSVC)
+ SET(CMAKE_C_COMPILER clang)
+ SET(CMAKE_CXX_COMPILER clang++)
+ else()
+ SET(CMAKE_C_COMPILER cl)
+ SET(CMAKE_CXX_COMPILER cl)
+ endif(NOT USE_MSVC)
+endif()
+
+# Library version and name
+project(hacl
+ VERSION 0.1.0
+ DESCRIPTION "The High Assurance Crypto Library"
+ HOMEPAGE_URL "https://www.cryspen.com/hacl"
+ LANGUAGES C CXX
+)
+
+# The assembly is different for MSVC ...
+if(MSVC)
+ enable_language(ASM_MASM)
+else()
+ enable_language(ASM)
+endif()
+
+set(hacl_VERSION_TWEAK "alpha.1")
+
+# Load global config from exteral file.
+# This file must be generated before running cmake with ./mach.py --configure
+# If the build is invoked through ./mach.py, a separate configuration is not
+# needed.
+include(config/config.cmake)
+
+# Constants used throughout hacl and the build.
+include(config/constants.cmake)
+
+# Set system processor to 32-bit.
+# Note that this only works on intel for now.
+if(CMAKE_C_FLAGS MATCHES ".*-m32.*")
+ set(CMAKE_SYSTEM_PROCESSOR "i686")
+endif()
+
+# Configure C globally
+# This defaults to C11 but C90 might be set on the outside.
+# https://cmake.org/cmake/help/latest/prop_tgt/C_STANDARD.html#prop_tgt:C_STANDARD
+if(NOT CMAKE_C_STANDARD)
+ set(CMAKE_C_STANDARD 11)
+endif(NOT CMAKE_C_STANDARD)
+set(CMAKE_C_STANDARD_REQUIRED True)
+
+# Read config from file
+include(config/config.cmake)
+
+# Configure different targets
+# TODO: Set flags for MSVC
+if(NOT MSVC)
+ add_compile_options(
+ # -Wall
+ # -Wextra
+ # -pedantic
+ # -Wconversion
+ # -Wsign-conversion
+ # -Werror=gcc-compat
+ $<$:-g>
+ $<$:-Og>
+ $<$:-O3>
+ )
+endif()
+
+if(WIN32 AND NOT MSVC)
+ # Enable everywhere for windows as long as libintvector.h is not included correctly.
+ add_compile_options(
+ -mavx
+ -mavx2
+ )
+endif()
+
+# Set include paths
+include_directories(${INCLUDE_PATHS} ${PROJECT_BINARY_DIR})
+
+# Test the toolchain to get supported CPU features
+include(config/toolchain.cmake)
+
+if(NOT EXPLICIT_BZERO_SUPPORT)
+ set(LINUX_NO_EXPLICIT_BZERO 1)
+ message(STATUS "LINUX_NO_EXPLICIT_BZERO: ${LINUX_NO_EXPLICIT_BZERO}")
+endif()
+
+if(${CMAKE_SYSTEM_NAME} MATCHES Linux)
+ add_compile_options(
+ -fPIC
+ )
+endif(${CMAKE_SYSTEM_NAME} MATCHES Linux)
+
+# XXX: Investigate whether we can use CHECK_C_COMPILER_FLAG here at all
+
+# Get command line options.
+# This has to happen after the toolchain detection because it might disable
+# toolchain features.
+include(config/options.cmake)
+
+# Write out config to file
+write_file(${PROJECT_SOURCE_DIR}/config/cached-config.txt
+ "TOOLCHAIN_CAN_COMPILE_VEC128=${TOOLCHAIN_CAN_COMPILE_VEC128}\n\
+TOOLCHAIN_CAN_COMPILE_VEC256=${TOOLCHAIN_CAN_COMPILE_VEC256}\n\
+TOOLCHAIN_CAN_COMPILE_VALE=${TOOLCHAIN_CAN_COMPILE_VALE}\
+ ")
+
+# Sources are written by mach.py into the following lists
+# - SOURCES_std: All regular files
+# - SOURCES_vec128: Files that require vec128 hardware
+# - SOURCES_vec256: Files that require vec256 hardware
+
+# Remove files that require missing toolchain features
+# and enable the features for compilation that are available.
+if(TOOLCHAIN_CAN_COMPILE_VEC128)
+ add_compile_options(
+ -DHACL_CAN_COMPILE_VEC128
+ )
+ set(HACL_CAN_COMPILE_VEC128 1)
+ ## We make separate compilation units (objects) for each hardware feature
+ list(LENGTH SOURCES_vec128 SOURCES_VEC128_LEN)
+ if(NOT SOURCES_VEC128_LEN EQUAL 0)
+ set(HACL_VEC128_O ON)
+ add_library(hacl_vec128 OBJECT ${SOURCES_vec128})
+ target_include_directories(hacl_vec128 PRIVATE)
+ if(CMAKE_SYSTEM_PROCESSOR MATCHES "i386|i586|i686|i86pc|ia32|x86_64|amd64|AMD64")
+ if(MSVC)
+ # Nothing to do here. MSVC has it covered
+ else()
+ target_compile_options(hacl_vec128 PRIVATE
+ -msse2
+ -msse3
+ -msse4.1
+ -msse4.2
+ )
+ endif(MSVC)
+ elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "aarch64|arm64|arm64v8")
+ target_compile_options(hacl_vec128 PRIVATE
+ -march=armv8-a+simd
+ )
+ elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "s390x")
+ # In the case of IBMz, some of the vectorized functions are defined as
+ # inline static rather than as macros, meaning we need to compile all
+ # the files with the vector compilation options.
+ # https://gcc.gnu.org/onlinedocs/gcc/S_002f390-and-zSeries-Options.html#S_002f390-and-zSeries-Options
+ add_compile_options(
+ -mzarch
+ -mvx
+ -mzvector
+ -march=z14
+ )
+ target_compile_options(hacl_vec128 PRIVATE
+ -mzarch
+ -mvx
+ -mzvector
+ -march=z14
+ )
+ endif()
+ endif()
+endif()
+if(TOOLCHAIN_CAN_COMPILE_VEC256)
+ add_compile_options(
+ -DHACL_CAN_COMPILE_VEC256
+ )
+ set(HACL_CAN_COMPILE_VEC256 1)
+ ## We make separate compilation units (objects) for each hardware feature
+ list(LENGTH SOURCES_vec256 SOURCES_VEC256_LEN)
+ if(NOT SOURCES_VEC256_LEN EQUAL 0)
+ set(HACL_VEC256_O ON)
+ add_library(hacl_vec256 OBJECT ${SOURCES_vec256})
+ target_include_directories(hacl_vec256 PRIVATE)
+ # We really should only get here on x86 architectures. But let's make sure.
+ if(CMAKE_SYSTEM_PROCESSOR MATCHES "i386|i586|i686|i86pc|ia32|x86_64|amd64|AMD64")
+ if(MSVC)
+ target_compile_options(hacl_vec256 PRIVATE
+ /arch:AVX
+ /arch:AVX2
+ )
+ else()
+ target_compile_options(hacl_vec256 PRIVATE
+ -mavx
+ -mavx2
+ )
+ endif()
+ endif()
+ endif()
+endif()
+if(TOOLCHAIN_CAN_COMPILE_VALE)
+ # Select the files for the target OS/Compiler
+ if(WIN32 AND NOT MSVC)
+ # On Windows with clang-cl (our default) we take the Linux assembly
+ set(VALE_OBJECTS ${VALE_SOURCES_linux})
+ else()
+ set(VALE_OBJECTS ${VALE_SOURCES_${HACL_TARGET_OS}})
+ endif()
+ # Add SOURCES_vale to SOURCES_std as we don't need any
+ # special compiler flags for it.
+ list(APPEND SOURCES_std ${SOURCES_vale})
+ set(HACL_CAN_COMPILE_VALE 1)
+endif()
+if(TOOLCHAIN_CAN_COMPILE_INLINE_ASM)
+ # TODO: include inline assembly source code
+endif()
+if(TOOLCHAIN_CAN_COMPILE_INTRINSICS)
+ # TODO: include intrinsics source code
+endif()
+
+# x64
+# Set the architecture here. These come from the CMAKE_TOOLCHAIN_FILE
+if(CMAKE_SYSTEM_PROCESSOR MATCHES "x86_64|amd64|AMD64")
+ message(STATUS "Detected an x64 architecture")
+ set(ARCHITECTURE intel)
+ set(HACL_TARGET_ARCHITECTURE ${HACL_ARCHITECTURE_X64})
+# x86
+elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "i386|i586|i686|i86pc|ia32")
+ message(STATUS "Detected an x86 architecture")
+ set(ARCHITECTURE intel)
+ set(HACL_TARGET_ARCHITECTURE ${HACL_ARCHITECTURE_X86})
+# arm64
+elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "aarch64|arm64|arm64v8")
+ message(STATUS "Detected an arm64 architecture")
+ set(ARCHITECTURE arm)
+ set(HACL_TARGET_ARCHITECTURE ${HACL_ARCHITECTURE_ARM64})
+# arm32
+elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "armel|armhf|armv7|arm32v7")
+ message(STATUS "Detected an arm32 architecture")
+ set(ARCHITECTURE arm)
+ set(HACL_TARGET_ARCHITECTURE ${HACL_ARCHITECTURE_ARM32})
+# s390x
+elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "s390x")
+ message(STATUS "Detected an s390x (systemz) architecture")
+ set(ARCHITECTURE arm)
+ set(HACL_TARGET_ARCHITECTURE ${HACL_ARCHITECTURE_SYSTEMZ})
+# unsupported architecture
+else()
+ message(FATAL_ERROR "Unsupported architecture ${CMAKE_SYSTEM_PROCESSOR}")
+endif()
+
+# Write configuration
+configure_file(config/Config.h.in config.h)
+
+# Sanitizer
+if(ENABLE_ASAN)
+ add_compile_options(-fsanitize=address -fno-omit-frame-pointer)
+ add_link_options(-fsanitize=address)
+endif()
+if(ENABLE_UBSAN)
+ add_compile_options(-fsanitize=undefined)
+ add_link_options(-fsanitize=undefined)
+endif()
+
+# Set library config and files
+# Now combine everything into the hacl library
+## Dynamic library
+add_library(hacl SHARED ${SOURCES_std} ${VALE_OBJECTS})
+if(TOOLCHAIN_CAN_COMPILE_VEC128 AND HACL_VEC128_O)
+ add_dependencies(hacl hacl_vec128)
+ target_link_libraries(hacl PRIVATE $)
+endif()
+if(TOOLCHAIN_CAN_COMPILE_VEC256 AND HACL_VEC256_O)
+ add_dependencies(hacl hacl_vec256)
+ target_link_libraries(hacl PRIVATE $)
+endif()
+
+## Static library
+add_library(hacl_static STATIC ${SOURCES_std} ${VALE_OBJECTS})
+if(TOOLCHAIN_CAN_COMPILE_VEC128 AND HACL_VEC128_O)
+ target_sources(hacl_static PRIVATE $)
+endif()
+if(TOOLCHAIN_CAN_COMPILE_VEC256 AND HACL_VEC256_O)
+ target_sources(hacl_static PRIVATE $)
+endif()
+
+# Install
+## This allows package maintainers to control the install destination by setting
+## the appropriate cache variables.
+set(CMAKE_INSTALL_LIBDIR lib)
+include(GNUInstallDirs)
+set(CMAKE_INSTALL_MESSAGE LAZY)
+install(TARGETS hacl_static hacl)
+## Copy hacl headers
+install(FILES ${PUBLIC_INCLUDES} DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/hacl)
+## Copy kremlin headers
+install(DIRECTORY kremlin/include/kremlin/ DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/kremlin
+ FILES_MATCHING PATTERN "*.h")
+install(DIRECTORY kremlin/kremlib/dist/minimal/ DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/kremlin
+ FILES_MATCHING PATTERN "*.h")
+## Install vale headers
+install(DIRECTORY vale/include/ DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/vale
+ FILES_MATCHING PATTERN "*.h")
+## Install config.h
+install(FILES build/config.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/hacl)
+
+# Testing
+# It's only one binary. Everything else is done with gtest arguments.
+if(ENABLE_TESTS)
+ # Get gtests
+ include(FetchContent)
+ FetchContent_Declare(googletest
+ URL https://github.com/google/googletest/archive/refs/tags/release-1.11.0.zip
+ )
+ # For Windows: Prevent overriding the parent project's compiler/linker settings
+ set(gtest_force_shared_crt ON CACHE BOOL "" FORCE)
+ FetchContent_MakeAvailable(googletest)
+
+ # Get nlohmann json
+ FetchContent_Declare(json
+ URL https://github.com/nlohmann/json/archive/refs/tags/v3.10.3.zip
+ )
+ FetchContent_MakeAvailable(json)
+
+ # CPU feature detection for tests
+ add_library(hacl_cpu_features OBJECT ${PROJECT_SOURCE_DIR}/cpu-features/src/cpu-features.c)
+ target_include_directories(hacl_cpu_features PUBLIC ${PROJECT_SOURCE_DIR}/cpu-features/include)
+
+ foreach(TEST_FILE IN LISTS TEST_SOURCES)
+ get_filename_component(TEST_NAME ${TEST_FILE} NAME_WE)
+ add_executable(${TEST_NAME}
+ ${TEST_FILE}
+ )
+
+ # Be nice to MSVC and make sure we don't have variable length arrays in
+ # tests
+ if(NOT MSVC)
+ target_compile_options(${TEST_NAME} PRIVATE -Werror=vla)
+ else()
+ # MSVC needs a modern C++ for designated initializers.
+ target_compile_options(${TEST_NAME} PRIVATE /std:c++20)
+ endif(NOT MSVC)
+ add_dependencies(${TEST_NAME} hacl hacl_cpu_features)
+ target_sources(${TEST_NAME} PRIVATE $)
+ target_link_libraries(${TEST_NAME} PRIVATE
+ gtest_main
+ hacl_static
+ nlohmann_json::nlohmann_json
+ )
+ target_include_directories(${TEST_NAME} PUBLIC ${PROJECT_SOURCE_DIR}/cpu-features/include)
+ if(EXISTS ${PROJECT_SOURCE_DIR}/tests/${TEST_NAME})
+ # Copy test input files. They must be in a directory with the same
+ # name as the test and get copied to the build directory.
+ add_custom_command(TARGET ${TEST_NAME} POST_BUILD
+ COMMAND ${CMAKE_COMMAND} -E copy_directory
+ ${PROJECT_SOURCE_DIR}/tests/${TEST_NAME} $)
+ endif()
+ endforeach()
+endif()
diff --git a/LICENSE b/LICENSE
index 95bd0363..871f9c33 100644
--- a/LICENSE
+++ b/LICENSE
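Review bot: Both `FetchContent_Declare` calls in the `ENABLE_TESTS` block (googletest `release-1.11.0.zip` and nlohmann json `v3.10.3.zip`) download over the network without a `URL_HASH`, so the test build compiles whatever bytes the URL returns and a moved tag or altered archive would go unnoticed; adding `URL_HASH SHA256=<sha256-of-the-archive, placeholder>` to each declaration makes CMake verify the download. Two smaller points in the same hunk: `include(config/config.cmake)` is executed twice (under "Load global config" and again under "Read config from file"), and `install(FILES build/config.h ...)` hard-codes a source-relative `build/` path even though `configure_file(config/Config.h.in config.h)` writes the header into the binary directory, so a build in any other directory installs a missing or stale file; `install(FILES ${PROJECT_BINARY_DIR}/config.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/hacl)` would follow the configure step. The generator expressions that appear here as `$<$:-g>` and `PRIVATE $)` look like extraction damage on this page rather than what the commit contains, so I have not commented on them.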
@@ -1,201 +1,21 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright 2022 Cryspen Sarl - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. +MIT License + +Copyright (c) 2022 Cryspen Sarl + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/LICENSE-APACHE b/LICENSE-APACHE
new file mode 100644
index 00000000..261eeb9e
--- /dev/null
+++ b/LICENSE-APACHE
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/Makefile b/Makefile new file mode 100644 index 00000000..8be2c722 --- /dev/null +++ b/Makefile @@ -0,0 +1,6 @@ +# Please don't use make. +# This will only tell you to use mach.py. + +all: + @echo " ⚠️ ⚠️ ⚠️ Please use 'mach.py'. I'm calling './mach build' for you now ⚠️ ⚠️ ⚠️" + ./mach build diff --git a/Readme.md b/Readme.md index 0f36c4ae..3c303f72 100644 --- a/Readme.md +++ b/Readme.md 
@@ -8,16 +8,134 @@ from the [Vale] project, and an agile multiplexed cryptographic provider called As such, the full [HACL*] repository contains many software artifacts and a complicated build system that can be intimidating to a crypto developer who simply wishes to use verified crypto. -This repository addresses this gap by presenting several usable crypto packages developed by Cryspen on top of HACL*. +This repository addresses this gap by presenting several usable crypto packages developed by Cryspen on top of HACL\*. In particular, it contains a portable C crypto library that selects optimized implementations for each platform, as well as Rust, OCaml, and JavaScript bindings for this library. Cryspen is in the process of adding more usable APIs for crypto primitives, as well as extensive documentation for these APIs. Cryspen is also working on more optimized versions of some algorithms. +## Build + +We uses [cmake] to configure the C build and [ninja] to build. + +Quick start: `./mach build --test` + +Build dependencies + +- [cmake] +- [ninja] +- [python] + +## mach + +All actions are driven by [mach]. +See `./mach --help` for details. + +## Platform Support + +The HACL Packages are supported based on the following tiers. + +### Tier 1 + +Tier 1 targets are guaranteed to work. These targets have automated testing to +ensure that changes do not break them. + +- [x] x86_64 Linux (x86_64-unknown-linux-gnu) +- [x] x86 Linux (i686-unknown-linux-gnu) +- [x] x86_64 macOS (x86_64-apple-darwin) +- [x] x86_64 Windows + - [x] x86_64-pc-windows-msvc + - [x] x86_64-pc-windows-clang +- [ ] x86 Windows (i686-pc-windows-msvc) + +### Tier 2 + +Tier 2 targets are guaranteed to build. +These targets have automated builds to ensure that changes do not break the +builds. However, not all of them are always tested. 
+ +- [x] arm64 macOS (aarch64-apple-darwin) +- [x] arm64 Linux (aarch64-unknown-linux-gnu) +- [x] arm64 Android (aarch64-linux-android) +- [x] arm64 iOS (aarch64-apple-ios) +- [x] s390x z14 Linux (s390x-unknown-linux-gnu) + +### Tier 3 + +Tier 3 targets are supported by the code but there are no automated checks and +there is no guarantee that they work. + +- ARMv7 Android (aarch64arm-linux-androideabi) +- arm64 iOS Simulator (aarch64-apple-ios-sim) +- x86_64 iOS (x86_64-apple-ios) +- PowerPC +- IBM Z15 +- FreeBSD / x64 + +## Compiler support + +When using the `c89` edition of HACL GCC 4.8 and up are supported. +In any other case a modern C compiler is expected. + +## Algorithms + +The following tables gives an overview over the algorithms supported by the HACL +packages. + +| Family | Algorithm | Support | +| -------------------- | ----------------- | --------------------------------------- | +| AEAD | AES-GCM 128 | AES-NI & CLMUL (x86 only) | +| AEAD | AES-GCM 256 | AES-NI & CLMUL (x86 only) | +| AEAD | Chacha20-Poly1305 | Portable \| vec128 \| vec256 | +| ECDH | Curve25519 | Portable \| BMI2 & ADX | +| ECDH | P-256 | Portable | +| Signature | Ed25519 | Portable | +| Signature | P-256 | Portable | +| Hash | SHA2-224 | Portable \| SHAEXT | +| Hash | SHA2-256 | Portable \| SHAEXT | +| Hash | SHA2-384 | Portable | +| Hash | SHA2-512 | Portable | +| Hash | SHA3 | Portable | +| Hash | Blake2 | Portable \| vec128 \| vec256 | +| Key Derivation | HKDF | Portable (depends on hash) | +| Symmetric Encryption | Chacha20 | Portable \| vec128 \| vec256 | +| Symmetric Encryption | AES 128 | AES-NI & CLMUL (x86 only) | +| Symmetric Encryption | AES 256 | AES-NI & CLMUL (x86 only) | +| MAC | HMAC | Portable (depends on hash) | +| MAC | Poly1305 | Portable \| vec128 \| vec256 \| x64 ASM | + +## Testing + +Testing is done with [gtest] and requires a C++11 compiler (or C++20 MSVC). + +### Dependencies + +Tests require the [nlohmann_json] package to read json test files. 
+CMake takes care of pulling and building the package. + +## Code Style + +Handwritten C and CPP code is formatted with the Mozilla clang-format style. + +## License + +HACL packages are licensed under either of + +- [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0) +- [MIT license](http://opensource.org/licenses/MIT) + +at your option. + [//]: # "links" +[cmake]: https://cmake.org/ +[ninja]: https://ninja-build.org/ +[mach]: ./mach +[gtest]: https://google.github.io/googletest/ +[nlohmann_json]: https://github.com/nlohmann/json [hacl*]: https://hacl-star.github.io -[F*]: https://fstar-lang.org +[f*]: https://fstar-lang.org [vale]: https://hacl-star.github.io/HaclValeEverCrypt.html [evercrypt]: https://hacl-star.github.io/HaclValeEverCrypt.html -[status]: https://img.shields.io/badge/status-alpha-red.svg?style=for-the-badge -[Project Everest]: https://project-everest.github.io/ \ No newline at end of file +[status]: https://img.shields.io/badge/status-beta-orange.svg?style=for-the-badge +[project everest]: https://project-everest.github.io/ +[python]: https://www.python.org/ diff --git a/_build.sh b/_build.sh new file mode 100755 index 00000000..8de811d1 --- /dev/null +++ b/_build.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash +set -e + +printf "\n ! THIS IS A COMPLETE BUT UNCONFIGURABLE BUILD !\n" +printf " ! USE ./mach FOR MORE OPTIONS !\n\n" + +cp config/default_config.cmake config/config.cmake +cmake -B build -G"Ninja Multi-Config" +ninja -f build-Release.ninja -C build diff --git a/config/Config.h.in b/config/Config.h.in new file mode 100644 index 00000000..e1daf166 --- /dev/null +++ b/config/Config.h.in 
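Review bot: `_build.sh` resolves `config/default_config.cmake`, `config/config.cmake` and `build` relative to the caller's working directory, so invoking it from anywhere but the repository root either fails or overwrites a `config/config.cmake` in whatever tree the caller happens to be in; add `cd "$(dirname "$0")"` right after `set -e`. `set -e` alone also lets an unset variable expand to an empty string unreported, so `set -eu` is the safer opening line. The `cp` silently clobbers any hand-edited `config/config.cmake`; that matches the banner's intent, but a one-line comment saying so would spare the next person a surprise.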
@@ -0,0 +1,33 @@
+// DO NOT EDIT THIS HEADER FILE. IT IS AUTO GENERATED BY CMAKE.
+// Global HACL configuration file.
+// The variables in here get populated by CMake
+
+// HACL version information
+#define HACL_VERSION_MAJOR @hacl_VERSION_MAJOR@
+#define HACL_VERSION_MINOR @hacl_VERSION_MINOR@
+#define HACL_VERSION_PATCH @hacl_VERSION_PATCH@
+#define HACL_VERSION_TWEAK @hacl_VERSION_TWEAK@
+
+// Configure platform and features
+#define TARGET_ARCHITECTURE_ID_UNKNOWN @HACL_ARCHITECTURE_UNKNOWN@
+#define TARGET_ARCHITECTURE_ID_X86 @HACL_ARCHITECTURE_X86@
+#define TARGET_ARCHITECTURE_ID_X64 @HACL_ARCHITECTURE_X64@
+#define TARGET_ARCHITECTURE_ID_ARM32 @HACL_ARCHITECTURE_ARM32@
+#define TARGET_ARCHITECTURE_ID_ARM64 @HACL_ARCHITECTURE_ARM64@
+#define TARGET_ARCHITECTURE_ID_SYSTEMZ @HACL_ARCHITECTURE_SYSTEMZ@
+#define TARGET_ARCHITECTURE_ID_POWERPC64 @HACL_ARCHITECTURE_POWERPC64@
+
+#define TARGET_ARCHITECTURE @HACL_TARGET_ARCHITECTURE@
+
+#cmakedefine HACL_CAN_COMPILE_VEC128 @HACL_CAN_COMPILE_VEC128@
+#cmakedefine HACL_CAN_COMPILE_VEC256 @HACL_CAN_COMPILE_VEC256@
+#cmakedefine HACL_CAN_COMPILE_UINT128 @HACL_CAN_COMPILE_UINT128@
+#cmakedefine HACL_CAN_COMPILE_VALE @HACL_CAN_COMPILE_VALE@
+#cmakedefine LINUX_NO_EXPLICIT_BZERO @LINUX_NO_EXPLICIT_BZERO@
+
+#ifndef HACL_CAN_COMPILE_VEC128
+ #define Lib_IntVector_Intrinsics_vec128 void *
+#endif
+#ifndef HACL_CAN_COMPILE_VEC256
+ #define Lib_IntVector_Intrinsics_vec256 void *
+#endif
diff --git a/config/aarch64-android.cmake b/config/aarch64-android.cmake
new file mode 100644
index 00000000..52c11990
--- /dev/null
+++ b/config/aarch64-android.cmake
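Review bot: The generated header carries no include guard, so a translation unit that reaches it twice (directly and via another header) redefines every macro; today the values are identical and compilers only warn, but the guard costs one line — `#pragma once` under the DO-NOT-EDIT banner, or an `#ifndef HACL_CONFIG_H` pair. The `void *` fallback for `Lib_IntVector_Intrinsics_vec128`/`vec256` should explain itself, presumably so prototypes naming the vector types still parse on targets where the intrinsics cannot be compiled; a comment such as `// Placeholder type when the vector intrinsics are unavailable; code using it must be compiled out` would prevent someone passing real vectors through it. `LINUX_NO_EXPLICIT_BZERO` looks, from its name, like it selects the secret-zeroization fallback; a one-line comment pointing at the consumer would flag it as security-relevant rather than cosmetic.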
@@ -0,0 +1,14 @@
+# Toolchain file compiling for aarch64 Android
+
+set(triple aarch64-linux-android)
+set(arch aarch64)
+
+# For some reason we have to set the system name here in order to make the
+# CMAKE_SYSTEM_PROCESSOR being picked up correctly.
+set(CMAKE_SYSTEM_NAME Android)
+# We don't set the cmake version here as Android comes with an ancient cmake.
+# set(CMAKE_SYSTEM_VERSION "${CMAKE_HOST_SYSTEM_VERSION}")
+set(CMAKE_SYSTEM_PROCESSOR ${arch})
+set(CMAKE_ANDROID_ARCH_ABI arm64-v8a)
+set(CMAKE_ANDROID_NDK "${ANDROID_NDK_PATH}")
+set(HACL_TARGET_OS android)
diff --git a/config/aarch64-darwin.cmake b/config/aarch64-darwin.cmake
new file mode 100644
index 00000000..4533b686
--- /dev/null
+++ b/config/aarch64-darwin.cmake
@@ -0,0 +1,17 @@
+# Toolchain file compiling for aarch64 macOS
+
+set(triple arm64-apple-macos12)
+set(arch arm64)
+
+# For some reason we have to set the system name here in order to make the
+# CMAKE_SYSTEM_PROCESSOR being picked up correctly.
+set(CMAKE_SYSTEM_NAME Darwin)
+set(CMAKE_SYSTEM_VERSION "${CMAKE_HOST_SYSTEM_VERSION}")
+set(CMAKE_SYSTEM_PROCESSOR ${arch})
+set(CMAKE_C_COMPILER clang)
+set(CMAKE_C_COMPILER_TARGET ${triple})
+set(CMAKE_CXX_COMPILER clang++)
+set(CMAKE_CXX_COMPILER_TARGET ${triple})
+set(CMAKE_OSX_ARCHITECTURES ${arch})
+
+set(HACL_TARGET_OS osx)
diff --git a/config/aarch64-ios.cmake b/config/aarch64-ios.cmake
new file mode 100644
index 00000000..863dbc10
--- /dev/null
+++ b/config/aarch64-ios.cmake
@@ -0,0 +1,16 @@
+# Toolchain file compiling for aarch64 iOS
+
+set(triple arm64-apple-ios)
+set(arch arm64)
+
+# For some reason we have to set the system name here in order to make the
+# CMAKE_SYSTEM_PROCESSOR being picked up correctly.
+set(CMAKE_SYSTEM_NAME Darwin)
+set(CMAKE_SYSTEM_PROCESSOR ${arch})
+set(CMAKE_C_COMPILER clang)
+set(CMAKE_C_COMPILER_TARGET ${triple})
+set(CMAKE_CXX_COMPILER clang++)
+set(CMAKE_CXX_COMPILER_TARGET ${triple})
+set(CMAKE_OSX_ARCHITECTURES ${arch})
+
+set(HACL_TARGET_OS ios)
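Review bot: `set(CMAKE_ANDROID_NDK "${ANDROID_NDK_PATH}")` silently installs an empty NDK path when `ANDROID_NDK_PATH` is undefined, and the failure then surfaces deep in CMake's Android toolchain detection rather than at the line that caused it; guard it with `if(NOT DEFINED ANDROID_NDK_PATH)` / `message(FATAL_ERROR "ANDROID_NDK_PATH must point at the Android NDK")` / `endif()` before the `set`. A toolchain file is re-evaluated on every configure, so the check is cheap and the error is immediately actionable.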
diff --git a/config/bug81300.c b/config/bug81300.c
new file mode 100644
index 00000000..5b953f16
--- /dev/null
+++ b/config/bug81300.c
@@ -0,0 +1,59 @@
+/* Perform the check only if lib_intrinsics.h is present. In practice,
+* lib_intrinsics.h is present in all the directories which contain libintvector.h,
+* but mozilla. If lib_intrinsics.h is not present, assume there is no bug and
+* return success.
+* https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81300
+ */
+#include
+#include
+#include
+
+#include "lib_intrinsics.h"
+
+uint64_t add4_variables(uint64_t *x, uint64_t y0)
+{
+ uint64_t *r2 = x + 2;
+ uint64_t *r3 = x + 3;
+ uint64_t cc = Lib_IntTypes_Intrinsics_add_carry_u64(0, x[0], y0, x);
+ uint64_t cc1 = Lib_IntTypes_Intrinsics_add_carry_u64(cc, 1, 0, x);
+ uint64_t cc2 = Lib_IntTypes_Intrinsics_add_carry_u64(1, 0, 0, r2);
+ uint64_t cc3 = Lib_IntTypes_Intrinsics_add_carry_u64(cc2, x[3], y0, r3);
+ return cc3;
+}
+
+uint64_t sub4(uint64_t *x, uint64_t *y, uint64_t *result)
+{
+ uint64_t *r3 = result + 3;
+ uint64_t cc3 = Lib_IntTypes_Intrinsics_sub_borrow_u64(1, x[3], y[3], r3);
+ return cc3;
+}
+
+void p256_sub(uint64_t *arg1, uint64_t *arg2, uint64_t *out)
+{
+ uint64_t t = sub4(arg1, arg2, out);
+ uint64_t c = add4_variables(out, t);
+ (void)c;
+}
+
+#if defined(FOO_TEST)
+kajfdlksjfd
+int main() {}
+#endif
+
+
+#if !defined(FOO_TEST)
+int main()
+{
+ uint64_t *a = (uint64_t *)malloc(sizeof(uint64_t) * 4);
+ memset(a, 0, 32);
+ uint64_t *b = (uint64_t *)malloc(sizeof(uint64_t) * 4);
+ memset(b, 0, 32);
+ uint64_t *c = (uint64_t *)malloc(sizeof(uint64_t) * 4);
+ memset(c, 0, 32);
+ a[3] = 16561854653415423667ul;
+ b[3] = 16275405352713846784ul;
+ p256_sub(a, b, c);
+ printf("result == %" PRIu64 " \n", c[3]);
+ return 0;
+}
+#endif
diff --git a/config/config.json b/config/config.json
new file mode 100644
index 00000000..7a7f06da
--- /dev/null
+++ b/config/config.json
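Review bot: The three `malloc` results in `main` are handed to `memset` without a NULL check, and the probe returns 0 whatever `c[3]` holds, so both an allocation failure and a miscompiled carry are visible only to whoever parses the printed value; add `if (!a || !b || !c) return 2;` after the allocations and consider returning non-zero on a mismatch so a `try_run` can key off the exit status, recording the value an unaffected compiler produces in the header comment. `memset(a, 0, 32)` hard-codes the size that `sizeof(uint64_t) * 4` spells out two lines up; using the same expression keeps them in step. The bare `#include` lines at the top appear to have lost their header names in extraction — presumably `<stdint.h>`, `<stdlib.h>`, `<string.h>`, `<stdio.h>` and `<inttypes.h>` — and are worth confirming against the file, since `PRIu64` and `memset` need them. The `kajfdlksjfd` token under `FOO_TEST` looks like a deliberate compile-failure canary for the configure check; a one-line comment saying so would stop someone "fixing" it.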
@@ -0,0 +1,328 @@ +{ + "kremlin_include_paths": [ + "kremlin/include", + "kremlin/kremlib/dist/minimal" + ], + "vale_include_paths": [ + "vale/include" + ], + "hacl_sources": { + "nacl": [ + { + "file": "Hacl_NaCl.c", + "features": "std" + } + ], + "salsa20": [ + { + "file": "Hacl_Salsa20.c", + "features": "std" + } + ], + "aesgcm": [], + "drbg": [ + { + "file": "Hacl_HMAC_DRBG.c", + "features": "std" + } + ], + "ed25519": [ + { + "file": "Hacl_Ed25519.c", + "features": "std" + } + ], + "blake2": [ + { + "file": "Hacl_Hash_Base.c", + "features": "std" + }, + { + "file": "Hacl_Hash_Blake2.c", + "features": "std" + }, + { + "file": "Hacl_Streaming_Blake2.c", + "features": "std" + }, + { + "file": "Hacl_Hash_Blake2b_256.c", + "features": "vec256" + }, + { + "file": "Hacl_Streaming_Blake2b_256.c", + "features": "vec256" + }, + { + "file": "Hacl_Hash_Blake2s_128.c", + "features": "vec128" + }, + { + "file": "Hacl_Streaming_Blake2s_128.c", + "features": "vec128" + } + ], + "bignum": [ + { + "file": "Hacl_Bignum256_32.c", + "features": "std" + }, + { + "file": "Hacl_Bignum32.c", + "features": "std" + }, + { + "file": "Hacl_Bignum4096_32.c", + "features": "std" + }, + { + "file": "Hacl_Bignum4096.c", + "features": "vec128" + }, + { + "file": "Hacl_Bignum64.c", + "features": "vec128" + } + ], + "generic-field": [ + { + "file": "Hacl_GenericField32.c", + "features": "std" + }, + { + "file": "Hacl_GenericField64.c", + "features": "vec128" + } + ], + "chacha20poly1305": [ + { + "file": "Hacl_Chacha20Poly1305_32.c", + "features": "std" + }, + { + "file": "Hacl_Chacha20Poly1305_128.c", + "features": "vec128" + }, + { + "file": "Hacl_Chacha20Poly1305_256.c", + "features": "vec256" + } + ], + "curve25519": [ + { + "file": "Hacl_Curve25519_51.c", + "features": "std" + }, + { + "file": "Hacl_Curve25519_64.c", + "features": "vale" + } + ], + "p256": [ + { + "file": "Hacl_P256.c", + "features": "std" + } + ], + "sha3": [ + { + "file": "Hacl_SHA3.c", + "features": "std" + } + ], + 
"sha2": [ + { + "file": "Hacl_Hash_Base.c", + "features": "std" + }, + { + "file": "Hacl_Hash_SHA2.c", + "features": "std" + }, + { + "file": "Hacl_SHA2_Vec128.c", + "features": "vec128" + }, + { + "file": "Hacl_SHA2_Vec256.c", + "features": "vec256" + }, + { + "file": "Hacl_Streaming_SHA2.c", + "features": "std" + } + ], + "sha1": [ + { + "file": "Hacl_Hash_Base.c", + "features": "std" + }, + { + "file": "Hacl_Hash_SHA1.c", + "features": "std" + }, + { + "file": "Hacl_Streaming_SHA1.c", + "features": "std" + } + ], + "md5": [ + { + "file": "Hacl_Hash_Base.c", + "features": "std" + }, + { + "file": "Hacl_Hash_MD5.c", + "features": "std" + } + ], + "hmac": [ + { + "file": "Hacl_HMAC.c", + "features": "std" + } + ], + "hkdf": [ + { + "file": "Hacl_HKDF.c", + "features": "std" + } + ], + "rsapss": [ + { + "file": "Hacl_RSAPSS.c", + "features": "std" + } + ] + }, + "vale_sources": { + "std": { + "osx": [ + "cpuid-x86_64-darwin.S" + ], + "linux": [ + "cpuid-x86_64-linux.S" + ], + "mingw": [ + "cpuid-x86_64-mingw.S" + ], + "msvc": [ + "cpuid-x86_64-msvc.asm" + ] + }, + "sha2": { + "osx": [ + "sha256-x86_64-darwin.S" + ], + "linux": [ + "sha256-x86_64-linux.S" + ], + "mingw": [ + "sha256-x86_64-mingw.S" + ], + "msvc": [ + "sha256-x86_64-msvc.asm" + ] + }, + "aesgcm": { + "osx": [ + "aesgcm-x86_64-darwin.S", + "aes-x86_64-darwin.S" + ], + "linux": [ + "aesgcm-x86_64-linux.S", + "aes-x86_64-linux.S" + ], + "mingw": [ + "aesgcm-x86_64-mingw.S", + "aes-x86_64-mingw.S" + ], + "msvc": [ + "aesgcm-x86_64-msvc.asm", + "aes-x86_64-msvc.asm" + ] + }, + "curve25519": { + "osx": [ + "curve25519-x86_64-darwin.S" + ], + "linux": [ + "curve25519-x86_64-linux.S" + ], + "mingw": [ + "curve25519-x86_64-mingw.S" + ], + "msvc": [ + "curve25519-x86_64-msvc.asm" + ] + }, + "poly1305": { + "osx": [ + "poly1305-x86_64-darwin.S" + ], + "linux": [ + "poly1305-x86_64-linux.S" + ], + "mingw": [ + "poly1305-x86_64-mingw.S" + ], + "msvc": [ + "poly1305-x86_64-msvc.asm" + ] + } + }, + 
"evercrypt_sources": { + "drbg": [ + "EverCrypt_DRBG.c" + ], + "ed25519": [ + "EverCrypt_Ed25519.c" + ], + "curve25519": [ + "EverCrypt_Curve25519.c" + ], + "ctr": [ + "EverCrypt_CTR.c" + ], + "hkdf": [ + "EverCrypt_HKDF.c" + ], + "hmac": [ + "EverCrypt_HMAC.c" + ], + "cipher": [ + "EverCrypt_Cipher.c" + ], + "chacha20poly1305": [ + "EverCrypt_Chacha20Poly1305.c" + ], + "hash": [ + "EverCrypt_Hash.c" + ], + "poly1305": [ + "EverCrypt_Poly1305.c" + ], + "aead": [ + "EverCrypt_AEAD.c" + ] + }, + "tests": { + "blake2": [ + "blake2b.cc", + "blake2s.cc" + ], + "p256": [ + "p256_ecdh.cc", + "p256_ecdsa.cc" + ], + "chacha20poly1305": [ + "chacha20poly1305.cc" + ], + "ed25519": [ + "ed25519.cc" + ], + "curve25519": [ + "x25519.cc" + ] + } +} \ No newline at end of file diff --git a/config/constants.cmake b/config/constants.cmake new file mode 100644 index 00000000..fee19068 --- /dev/null +++ b/config/constants.cmake @@ -0,0 +1,9 @@ + +# Set configuration constants +set(HACL_ARCHITECTURE_UNKNOWN 0) +set(HACL_ARCHITECTURE_X86 1) +set(HACL_ARCHITECTURE_X64 2) +set(HACL_ARCHITECTURE_ARM32 3) +set(HACL_ARCHITECTURE_ARM64 4) +set(HACL_ARCHITECTURE_SYSTEMZ 5) +set(HACL_ARCHITECTURE_POWERPC64 6) diff --git a/config/default_config.cmake b/config/default_config.cmake new file mode 100644 index 00000000..e6f572bb --- /dev/null +++ b/config/default_config.cmake 
@@ -0,0 +1,19 @@ +set(SOURCES_std ${PROJECT_SOURCE_DIR}/src/Hacl_NaCl.c ${PROJECT_SOURCE_DIR}/src/Hacl_Salsa20.c ${PROJECT_SOURCE_DIR}/src/Hacl_Kremlib.c ${PROJECT_SOURCE_DIR}/src/Hacl_Poly1305_32.c ${PROJECT_SOURCE_DIR}/src/Hacl_Curve25519_51.c ${PROJECT_SOURCE_DIR}/src/Hacl_HMAC_DRBG.c ${PROJECT_SOURCE_DIR}/src/Hacl_Spec.c ${PROJECT_SOURCE_DIR}/src/Hacl_HMAC.c ${PROJECT_SOURCE_DIR}/src/Hacl_Hash_SHA2.c ${PROJECT_SOURCE_DIR}/src/Hacl_Hash_SHA1.c ${PROJECT_SOURCE_DIR}/src/Hacl_Ed25519.c ${PROJECT_SOURCE_DIR}/src/Hacl_Streaming_SHA2.c ${PROJECT_SOURCE_DIR}/src/Hacl_Hash_Base.c ${PROJECT_SOURCE_DIR}/src/Hacl_Hash_Blake2.c ${PROJECT_SOURCE_DIR}/src/Lib_Memzero0.c ${PROJECT_SOURCE_DIR}/src/Hacl_Streaming_Blake2.c ${PROJECT_SOURCE_DIR}/src/Hacl_Bignum256_32.c ${PROJECT_SOURCE_DIR}/src/Hacl_GenericField32.c ${PROJECT_SOURCE_DIR}/src/Hacl_Bignum.c ${PROJECT_SOURCE_DIR}/src/Hacl_Bignum32.c ${PROJECT_SOURCE_DIR}/src/Hacl_Bignum4096_32.c ${PROJECT_SOURCE_DIR}/src/Hacl_Chacha20Poly1305_32.c ${PROJECT_SOURCE_DIR}/src/Hacl_Chacha20.c ${PROJECT_SOURCE_DIR}/src/Hacl_P256.c ${PROJECT_SOURCE_DIR}/src/Hacl_SHA3.c ${PROJECT_SOURCE_DIR}/src/Hacl_Streaming_SHA1.c ${PROJECT_SOURCE_DIR}/src/Hacl_Hash_MD5.c ${PROJECT_SOURCE_DIR}/src/Hacl_HKDF.c ${PROJECT_SOURCE_DIR}/src/Hacl_RSAPSS.c ${PROJECT_SOURCE_DIR}/src/EverCrypt_DRBG.c ${PROJECT_SOURCE_DIR}/src/Lib_RandomBuffer_System.c ${PROJECT_SOURCE_DIR}/src/Lib_Memzero0.c ${PROJECT_SOURCE_DIR}/src/EverCrypt_HMAC.c ${PROJECT_SOURCE_DIR}/src/EverCrypt_Hash.c ${PROJECT_SOURCE_DIR}/src/EverCrypt_AutoConfig2.c ${PROJECT_SOURCE_DIR}/src/EverCrypt_Ed25519.c ${PROJECT_SOURCE_DIR}/src/EverCrypt_Curve25519.c ${PROJECT_SOURCE_DIR}/src/EverCrypt_CTR.c ${PROJECT_SOURCE_DIR}/src/EverCrypt_Error.c ${PROJECT_SOURCE_DIR}/src/EverCrypt_HKDF.c ${PROJECT_SOURCE_DIR}/src/EverCrypt_Cipher.c ${PROJECT_SOURCE_DIR}/src/EverCrypt_Chacha20Poly1305.c ${PROJECT_SOURCE_DIR}/src/EverCrypt_Poly1305.c ${PROJECT_SOURCE_DIR}/src/EverCrypt_AEAD.c) +set(SOURCES_vec256 
${PROJECT_SOURCE_DIR}/src/Hacl_Hash_Blake2b_256.c ${PROJECT_SOURCE_DIR}/src/Hacl_Streaming_Blake2b_256.c ${PROJECT_SOURCE_DIR}/src/Hacl_Chacha20Poly1305_256.c ${PROJECT_SOURCE_DIR}/src/Hacl_Poly1305_256.c ${PROJECT_SOURCE_DIR}/src/Hacl_Chacha20_Vec256.c ${PROJECT_SOURCE_DIR}/src/Hacl_SHA2_Vec256.c) +set(SOURCES_vec128 ${PROJECT_SOURCE_DIR}/src/Hacl_Hash_Blake2s_128.c ${PROJECT_SOURCE_DIR}/src/Hacl_Streaming_Blake2s_128.c ${PROJECT_SOURCE_DIR}/src/Hacl_Bignum4096.c ${PROJECT_SOURCE_DIR}/src/Hacl_Bignum256.c ${PROJECT_SOURCE_DIR}/src/Hacl_Bignum64.c ${PROJECT_SOURCE_DIR}/src/Hacl_GenericField64.c ${PROJECT_SOURCE_DIR}/src/Hacl_Chacha20Poly1305_128.c ${PROJECT_SOURCE_DIR}/src/Hacl_Poly1305_128.c ${PROJECT_SOURCE_DIR}/src/Hacl_Chacha20_Vec128.c ${PROJECT_SOURCE_DIR}/src/Hacl_SHA2_Vec128.c) +set(SOURCES_vale ${PROJECT_SOURCE_DIR}/src/Hacl_Curve25519_64.c) +set(INCLUDES ${PROJECT_SOURCE_DIR}/include/Hacl_NaCl.h ${PROJECT_SOURCE_DIR}/kremlin/include/kremlin/internal/types.h ${PROJECT_SOURCE_DIR}/kremlin/include/kremlin/lowstar_endianness.h ${PROJECT_SOURCE_DIR}/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h ${PROJECT_SOURCE_DIR}/kremlin/kremlib/dist/minimal/FStar_UInt128.h ${PROJECT_SOURCE_DIR}/kremlin/include/kremlin/internal/compat.h ${PROJECT_SOURCE_DIR}/kremlin/include/kremlin/internal/target.h ${PROJECT_SOURCE_DIR}/kremlin/include/kremlin/internal/callconv.h ${PROJECT_SOURCE_DIR}/kremlin/kremlib/dist/minimal/FStar_UInt_8_16_32_64.h ${PROJECT_SOURCE_DIR}/kremlin/kremlib/dist/minimal/LowStar_Endianness.h ${PROJECT_SOURCE_DIR}/include/Hacl_Salsa20.h ${PROJECT_SOURCE_DIR}/include/Hacl_Kremlib.h ${PROJECT_SOURCE_DIR}/include/evercrypt_targetconfig.h ${PROJECT_SOURCE_DIR}/build/config.h ${PROJECT_SOURCE_DIR}/include/libintvector.h ${PROJECT_SOURCE_DIR}/include/Hacl_Poly1305_32.h ${PROJECT_SOURCE_DIR}/include/Hacl_Curve25519_51.h ${PROJECT_SOURCE_DIR}/include/Hacl_Bignum25519_51.h ${PROJECT_SOURCE_DIR}/include/internal/Hacl_Kremlib.h 
${PROJECT_SOURCE_DIR}/include/internal/../Hacl_Kremlib.h ${PROJECT_SOURCE_DIR}/include/Hacl_HMAC_DRBG.h ${PROJECT_SOURCE_DIR}/include/Hacl_Spec.h ${PROJECT_SOURCE_DIR}/include/Hacl_HMAC.h ${PROJECT_SOURCE_DIR}/include/Hacl_Impl_Blake2_Constants.h ${PROJECT_SOURCE_DIR}/include/Hacl_Hash_SHA2.h ${PROJECT_SOURCE_DIR}/include/Hacl_Hash_SHA1.h ${PROJECT_SOURCE_DIR}/include/internal/Hacl_Ed25519.h ${PROJECT_SOURCE_DIR}/include/internal/Hacl_Hash_SHA2.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_Hash_SHA2.h ${PROJECT_SOURCE_DIR}/include/internal/Hacl_Curve25519_51.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_Curve25519_51.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_Ed25519.h ${PROJECT_SOURCE_DIR}/include/Hacl_Streaming_SHA2.h ${PROJECT_SOURCE_DIR}/include/Hacl_Hash_Base.h ${PROJECT_SOURCE_DIR}/include/internal/Hacl_Hash_Blake2.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_Hash_Blake2.h ${PROJECT_SOURCE_DIR}/include/Lib_Memzero0.h ${PROJECT_SOURCE_DIR}/include/Hacl_Streaming_Blake2.h ${PROJECT_SOURCE_DIR}/include/Hacl_Hash_Blake2.h ${PROJECT_SOURCE_DIR}/include/internal/Hacl_Hash_Blake2b_256.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_Hash_Blake2b_256.h ${PROJECT_SOURCE_DIR}/include/Hacl_Streaming_Blake2b_256.h ${PROJECT_SOURCE_DIR}/include/Hacl_Hash_Blake2b_256.h ${PROJECT_SOURCE_DIR}/include/internal/Hacl_Hash_Blake2s_128.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_Hash_Blake2s_128.h ${PROJECT_SOURCE_DIR}/include/Hacl_Streaming_Blake2s_128.h ${PROJECT_SOURCE_DIR}/include/Hacl_Hash_Blake2s_128.h ${PROJECT_SOURCE_DIR}/include/Hacl_Bignum256_32.h ${PROJECT_SOURCE_DIR}/include/Hacl_GenericField32.h ${PROJECT_SOURCE_DIR}/include/Hacl_Bignum_Base.h ${PROJECT_SOURCE_DIR}/include/internal/Hacl_Bignum.h ${PROJECT_SOURCE_DIR}/include/lib_intrinsics.h ${PROJECT_SOURCE_DIR}/include/Hacl_IntTypes_Intrinsics.h ${PROJECT_SOURCE_DIR}/include/Hacl_IntTypes_Intrinsics_128.h ${PROJECT_SOURCE_DIR}/include/Hacl_Bignum32.h 
${PROJECT_SOURCE_DIR}/include/Hacl_Bignum4096_32.h ${PROJECT_SOURCE_DIR}/include/Hacl_Bignum4096.h ${PROJECT_SOURCE_DIR}/include/Hacl_Bignum256.h ${PROJECT_SOURCE_DIR}/include/Hacl_Bignum64.h ${PROJECT_SOURCE_DIR}/include/Hacl_GenericField64.h ${PROJECT_SOURCE_DIR}/include/Hacl_Chacha20Poly1305_32.h ${PROJECT_SOURCE_DIR}/include/Hacl_Chacha20.h ${PROJECT_SOURCE_DIR}/include/Hacl_Chacha20Poly1305_128.h ${PROJECT_SOURCE_DIR}/include/Hacl_Poly1305_128.h ${PROJECT_SOURCE_DIR}/include/Hacl_Chacha20_Vec128.h ${PROJECT_SOURCE_DIR}/include/internal/Hacl_Poly1305_128.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_Poly1305_128.h ${PROJECT_SOURCE_DIR}/include/Hacl_Chacha20Poly1305_256.h ${PROJECT_SOURCE_DIR}/include/Hacl_Poly1305_256.h ${PROJECT_SOURCE_DIR}/include/Hacl_Chacha20_Vec256.h ${PROJECT_SOURCE_DIR}/include/internal/Hacl_Poly1305_256.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_Poly1305_256.h ${PROJECT_SOURCE_DIR}/include/Hacl_Curve25519_64.h ${PROJECT_SOURCE_DIR}/include/internal/Vale.h ${PROJECT_SOURCE_DIR}/include/curve25519-inline.h ${PROJECT_SOURCE_DIR}/include/internal/Hacl_P256.h ${PROJECT_SOURCE_DIR}/include/internal/Hacl_Spec.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_Spec.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_P256.h ${PROJECT_SOURCE_DIR}/include/Hacl_SHA3.h ${PROJECT_SOURCE_DIR}/include/Hacl_SHA2_Vec128.h ${PROJECT_SOURCE_DIR}/include/Hacl_SHA2_Generic.h ${PROJECT_SOURCE_DIR}/include/internal/Hacl_SHA2_Vec128.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_SHA2_Vec128.h ${PROJECT_SOURCE_DIR}/include/internal/Hacl_SHA2_Vec256.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_SHA2_Vec256.h ${PROJECT_SOURCE_DIR}/include/internal/Hacl_Hash_SHA1.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_Hash_SHA1.h ${PROJECT_SOURCE_DIR}/include/Hacl_Streaming_SHA1.h ${PROJECT_SOURCE_DIR}/include/internal/Hacl_Hash_MD5.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_Hash_MD5.h ${PROJECT_SOURCE_DIR}/include/internal/Hacl_HMAC.h 
${PROJECT_SOURCE_DIR}/include/internal/../Hacl_HMAC.h ${PROJECT_SOURCE_DIR}/include/Hacl_HKDF.h ${PROJECT_SOURCE_DIR}/include/Hacl_RSAPSS.h ${PROJECT_SOURCE_DIR}/include/EverCrypt_DRBG.h ${PROJECT_SOURCE_DIR}/include/Lib_RandomBuffer_System.h ${PROJECT_SOURCE_DIR}/include/EverCrypt_HMAC.h ${PROJECT_SOURCE_DIR}/include/EverCrypt_Hash.h ${PROJECT_SOURCE_DIR}/include/Hacl_Hash_MD5.h ${PROJECT_SOURCE_DIR}/include/EverCrypt_AutoConfig2.h ${PROJECT_SOURCE_DIR}/include/EverCrypt_Ed25519.h ${PROJECT_SOURCE_DIR}/include/Hacl_Ed25519.h ${PROJECT_SOURCE_DIR}/include/EverCrypt_Curve25519.h ${PROJECT_SOURCE_DIR}/include/EverCrypt_CTR.h ${PROJECT_SOURCE_DIR}/include/EverCrypt_Error.h ${PROJECT_SOURCE_DIR}/include/internal/Hacl_Chacha20.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_Chacha20.h ${PROJECT_SOURCE_DIR}/include/EverCrypt_HKDF.h ${PROJECT_SOURCE_DIR}/include/EverCrypt_Cipher.h ${PROJECT_SOURCE_DIR}/include/EverCrypt_Chacha20Poly1305.h ${PROJECT_SOURCE_DIR}/include/EverCrypt_Poly1305.h ${PROJECT_SOURCE_DIR}/include/EverCrypt_AEAD.h) +set(PUBLIC_INCLUDES ${PROJECT_SOURCE_DIR}/include/Hacl_NaCl.h ${PROJECT_SOURCE_DIR}/kremlin/include/kremlin/lowstar_endianness.h ${PROJECT_SOURCE_DIR}/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h ${PROJECT_SOURCE_DIR}/kremlin/kremlib/dist/minimal/FStar_UInt128.h ${PROJECT_SOURCE_DIR}/kremlin/kremlib/dist/minimal/FStar_UInt_8_16_32_64.h ${PROJECT_SOURCE_DIR}/kremlin/kremlib/dist/minimal/LowStar_Endianness.h ${PROJECT_SOURCE_DIR}/include/Hacl_Salsa20.h ${PROJECT_SOURCE_DIR}/include/Hacl_Kremlib.h ${PROJECT_SOURCE_DIR}/include/evercrypt_targetconfig.h ${PROJECT_SOURCE_DIR}/build/config.h ${PROJECT_SOURCE_DIR}/include/libintvector.h ${PROJECT_SOURCE_DIR}/include/Hacl_Poly1305_32.h ${PROJECT_SOURCE_DIR}/include/Hacl_Curve25519_51.h ${PROJECT_SOURCE_DIR}/include/Hacl_Bignum25519_51.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_Kremlib.h ${PROJECT_SOURCE_DIR}/include/Hacl_HMAC_DRBG.h ${PROJECT_SOURCE_DIR}/include/Hacl_Spec.h 
${PROJECT_SOURCE_DIR}/include/Hacl_HMAC.h ${PROJECT_SOURCE_DIR}/include/Hacl_Impl_Blake2_Constants.h ${PROJECT_SOURCE_DIR}/include/Hacl_Hash_SHA2.h ${PROJECT_SOURCE_DIR}/include/Hacl_Hash_SHA1.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_Hash_SHA2.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_Curve25519_51.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_Ed25519.h ${PROJECT_SOURCE_DIR}/include/Hacl_Streaming_SHA2.h ${PROJECT_SOURCE_DIR}/include/Hacl_Hash_Base.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_Hash_Blake2.h ${PROJECT_SOURCE_DIR}/include/Lib_Memzero0.h ${PROJECT_SOURCE_DIR}/include/Hacl_Streaming_Blake2.h ${PROJECT_SOURCE_DIR}/include/Hacl_Hash_Blake2.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_Hash_Blake2b_256.h ${PROJECT_SOURCE_DIR}/include/Hacl_Streaming_Blake2b_256.h ${PROJECT_SOURCE_DIR}/include/Hacl_Hash_Blake2b_256.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_Hash_Blake2s_128.h ${PROJECT_SOURCE_DIR}/include/Hacl_Streaming_Blake2s_128.h ${PROJECT_SOURCE_DIR}/include/Hacl_Hash_Blake2s_128.h ${PROJECT_SOURCE_DIR}/include/Hacl_Bignum256_32.h ${PROJECT_SOURCE_DIR}/include/Hacl_GenericField32.h ${PROJECT_SOURCE_DIR}/include/Hacl_Bignum_Base.h ${PROJECT_SOURCE_DIR}/include/lib_intrinsics.h ${PROJECT_SOURCE_DIR}/include/Hacl_IntTypes_Intrinsics.h ${PROJECT_SOURCE_DIR}/include/Hacl_IntTypes_Intrinsics_128.h ${PROJECT_SOURCE_DIR}/include/Hacl_Bignum32.h ${PROJECT_SOURCE_DIR}/include/Hacl_Bignum4096_32.h ${PROJECT_SOURCE_DIR}/include/Hacl_Bignum4096.h ${PROJECT_SOURCE_DIR}/include/Hacl_Bignum256.h ${PROJECT_SOURCE_DIR}/include/Hacl_Bignum64.h ${PROJECT_SOURCE_DIR}/include/Hacl_GenericField64.h ${PROJECT_SOURCE_DIR}/include/Hacl_Chacha20Poly1305_32.h ${PROJECT_SOURCE_DIR}/include/Hacl_Chacha20.h ${PROJECT_SOURCE_DIR}/include/Hacl_Chacha20Poly1305_128.h ${PROJECT_SOURCE_DIR}/include/Hacl_Poly1305_128.h ${PROJECT_SOURCE_DIR}/include/Hacl_Chacha20_Vec128.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_Poly1305_128.h 
${PROJECT_SOURCE_DIR}/include/Hacl_Chacha20Poly1305_256.h ${PROJECT_SOURCE_DIR}/include/Hacl_Poly1305_256.h ${PROJECT_SOURCE_DIR}/include/Hacl_Chacha20_Vec256.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_Poly1305_256.h ${PROJECT_SOURCE_DIR}/include/Hacl_Curve25519_64.h ${PROJECT_SOURCE_DIR}/include/curve25519-inline.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_Spec.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_P256.h ${PROJECT_SOURCE_DIR}/include/Hacl_SHA3.h ${PROJECT_SOURCE_DIR}/include/Hacl_SHA2_Vec128.h ${PROJECT_SOURCE_DIR}/include/Hacl_SHA2_Generic.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_SHA2_Vec128.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_SHA2_Vec256.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_Hash_SHA1.h ${PROJECT_SOURCE_DIR}/include/Hacl_Streaming_SHA1.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_Hash_MD5.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_HMAC.h ${PROJECT_SOURCE_DIR}/include/Hacl_HKDF.h ${PROJECT_SOURCE_DIR}/include/Hacl_RSAPSS.h ${PROJECT_SOURCE_DIR}/include/EverCrypt_DRBG.h ${PROJECT_SOURCE_DIR}/include/Lib_RandomBuffer_System.h ${PROJECT_SOURCE_DIR}/include/EverCrypt_HMAC.h ${PROJECT_SOURCE_DIR}/include/EverCrypt_Hash.h ${PROJECT_SOURCE_DIR}/include/Hacl_Hash_MD5.h ${PROJECT_SOURCE_DIR}/include/EverCrypt_AutoConfig2.h ${PROJECT_SOURCE_DIR}/include/EverCrypt_Ed25519.h ${PROJECT_SOURCE_DIR}/include/Hacl_Ed25519.h ${PROJECT_SOURCE_DIR}/include/EverCrypt_Curve25519.h ${PROJECT_SOURCE_DIR}/include/EverCrypt_CTR.h ${PROJECT_SOURCE_DIR}/include/EverCrypt_Error.h ${PROJECT_SOURCE_DIR}/include/internal/../Hacl_Chacha20.h ${PROJECT_SOURCE_DIR}/include/EverCrypt_HKDF.h ${PROJECT_SOURCE_DIR}/include/EverCrypt_Cipher.h ${PROJECT_SOURCE_DIR}/include/EverCrypt_Chacha20Poly1305.h ${PROJECT_SOURCE_DIR}/include/EverCrypt_Poly1305.h ${PROJECT_SOURCE_DIR}/include/EverCrypt_AEAD.h) +set(ALGORITHMS nacl salsa20 aesgcm drbg ed25519 blake2 bignum generic-field chacha20poly1305 curve25519 p256 sha3 sha2 sha1 md5 hmac hkdf 
rsapss) +set(INCLUDE_PATHS ${PROJECT_SOURCE_DIR}/include ${PROJECT_SOURCE_DIR}/build ${PROJECT_SOURCE_DIR}/kremlin/include ${PROJECT_SOURCE_DIR}/kremlin/kremlib/dist/minimal ${PROJECT_SOURCE_DIR}/vale/include) +set(TEST_SOURCES ${PROJECT_SOURCE_DIR}/tests/blake2b.cc ${PROJECT_SOURCE_DIR}/tests/blake2s.cc ${PROJECT_SOURCE_DIR}/tests/p256_ecdh.cc ${PROJECT_SOURCE_DIR}/tests/p256_ecdsa.cc ${PROJECT_SOURCE_DIR}/tests/chacha20poly1305.cc ${PROJECT_SOURCE_DIR}/tests/ed25519.cc ${PROJECT_SOURCE_DIR}/tests/x25519.cc) +set(VALE_SOURCES_osx ${PROJECT_SOURCE_DIR}/vale/src/cpuid-x86_64-darwin.S ${PROJECT_SOURCE_DIR}/vale/src/sha256-x86_64-darwin.S ${PROJECT_SOURCE_DIR}/vale/src/aesgcm-x86_64-darwin.S ${PROJECT_SOURCE_DIR}/vale/src/aes-x86_64-darwin.S ${PROJECT_SOURCE_DIR}/vale/src/curve25519-x86_64-darwin.S ${PROJECT_SOURCE_DIR}/vale/src/poly1305-x86_64-darwin.S) +set(VALE_SOURCES_linux ${PROJECT_SOURCE_DIR}/vale/src/cpuid-x86_64-linux.S ${PROJECT_SOURCE_DIR}/vale/src/sha256-x86_64-linux.S ${PROJECT_SOURCE_DIR}/vale/src/aesgcm-x86_64-linux.S ${PROJECT_SOURCE_DIR}/vale/src/aes-x86_64-linux.S ${PROJECT_SOURCE_DIR}/vale/src/curve25519-x86_64-linux.S ${PROJECT_SOURCE_DIR}/vale/src/poly1305-x86_64-linux.S) +set(VALE_SOURCES_mingw ${PROJECT_SOURCE_DIR}/vale/src/cpuid-x86_64-mingw.S ${PROJECT_SOURCE_DIR}/vale/src/sha256-x86_64-mingw.S ${PROJECT_SOURCE_DIR}/vale/src/aesgcm-x86_64-mingw.S ${PROJECT_SOURCE_DIR}/vale/src/aes-x86_64-mingw.S ${PROJECT_SOURCE_DIR}/vale/src/curve25519-x86_64-mingw.S ${PROJECT_SOURCE_DIR}/vale/src/poly1305-x86_64-mingw.S) +set(VALE_SOURCES_msvc ${PROJECT_SOURCE_DIR}/vale/src/cpuid-x86_64-msvc.asm ${PROJECT_SOURCE_DIR}/vale/src/sha256-x86_64-msvc.asm ${PROJECT_SOURCE_DIR}/vale/src/aesgcm-x86_64-msvc.asm ${PROJECT_SOURCE_DIR}/vale/src/aes-x86_64-msvc.asm ${PROJECT_SOURCE_DIR}/vale/src/curve25519-x86_64-msvc.asm ${PROJECT_SOURCE_DIR}/vale/src/poly1305-x86_64-msvc.asm) +set(ALGORITHM_TEST_FILES TEST_FILES_blake2 TEST_FILES_p256 TEST_FILES_chacha20poly1305 
TEST_FILES_ed25519 TEST_FILES_curve25519)
+set(TEST_FILES_blake2 blake2b.cc blake2s.cc)
+set(TEST_FILES_p256 p256_ecdh.cc p256_ecdsa.cc)
+set(TEST_FILES_chacha20poly1305 chacha20poly1305.cc)
+set(TEST_FILES_ed25519 ed25519.cc)
+set(TEST_FILES_curve25519 x25519.cc)
diff --git a/config/explicit_bzero.c b/config/explicit_bzero.c
new file mode 100644
index 00000000..ecee0880
--- /dev/null
+++ b/config/explicit_bzero.c
@@ -0,0 +1,8 @@
+#include
+
+int main()
+{
+ unsigned char *block[32] = {0};
+ explicit_bzero(block, 32);
+ return 0;
+}
diff --git a/config/int128.c b/config/int128.c
new file mode 100644
index 00000000..0a96c0da
--- /dev/null
+++ b/config/int128.c
@@ -0,0 +1,5 @@
+int main(int argc, char const *argv[])
+{
+ unsigned __int128 x = 0;
+ return 0;
+}
diff --git a/config/options.cmake b/config/options.cmake
new file mode 100644
index 00000000..2ad94382
--- /dev/null
+++ b/config/options.cmake
@@ -0,0 +1,31 @@
+
+# Options for features.
+# They all default to off and have to be explicitely enabled.
+option(DISABLE_VEC128 "Disable code requiring vec128 hardware support.")
+option(DISABLE_VEC256 "Disable code requiring vec256 hardware support.")
+option(DISABLE_VALE "Disable vale code.")
+option(DISABLE_INLINE_ASM "Disable inline assembly code.")
+option(DISABLE_INTRINSICS "Disable intrinsics.")
+if(DISABLE_VEC128)
+ set(TOOLCHAIN_CAN_COMPILE_VEC128 OFF)
+endif()
+if(DISABLE_VEC256)
+ set(TOOLCHAIN_CAN_COMPILE_VEC256 OFF)
+endif()
+if(DISABLE_VALE)
+ set(TOOLCHAIN_CAN_COMPILE_VALE OFF)
+endif()
+if(DISABLE_INLINE_ASM)
+ set(TOOLCHAIN_CAN_COMPILE_INLINE_ASM OFF)
+endif()
+if(DISABLE_INTRINSICS)
+ set(TOOLCHAIN_CAN_COMPILE_INTRINSICS OFF)
+endif()
+
+# Enable tests.
+# By default tests aren't built
+option(ENABLE_TESTS "Enable HACL tests.")
+
+# Sannitaizers
+option(ENABLE_ASAN "Enable address sanitizers.")
+option(ENABLE_UBSAN "Enable undefined behaviour sanitizers.")
diff --git a/config/osx_c.sh b/config/osx_c.sh
new file mode 100755
index 00000000..40abe1f0
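Review bot: `SOURCES_std` lists `${PROJECT_SOURCE_DIR}/src/Lib_Memzero0.c` twice, and `INCLUDES` and `PUBLIC_INCLUDES` contain unnormalized `include/internal/../X.h` entries naming headers already present as `include/X.h` (Hacl_Kremlib.h, Hacl_Hash_SHA2.h, Hacl_Hash_Blake2.h and others). These lists appear to be generated from the per-algorithm file entries in config/config.json, so the deduplication and path normalization belong in the generator; in-file, a `list(REMOVE_DUPLICATES SOURCES_std)` after the `set()` would at least cover the source list. `INCLUDES` also names `${PROJECT_SOURCE_DIR}/build/config.h`, a build-tree artifact under a fixed directory name, so an out-of-source build that does not use `build/` will not find it at that path — presumably a configured header, which is worth confirming.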
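Review bot: `unsigned char *block[32] = {0};` declares 32 pointers, not 32 bytes, so `explicit_bzero(block, 32)` wipes only the first 32 bytes of a 256-byte (LP64) pointer array; the probe still links, but it should model the real call: `unsigned char block[32] = {0};` with `explicit_bzero(block, sizeof block);`, and `int main(void)` for a proper prototype. The `#include` line has lost its header name in this rendering; it needs `<string.h>`, where glibc declares explicit_bzero, because a probe that compiles only through an implicit declaration is rejected by recent GCC and Clang and would then report the function as unsupported on a platform that has it.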
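Review bot: Two comment typos in the new file: `# They all default to off and have to be explicitely enabled.` should read `explicitly`, and `# Sannitaizers` should read `# Sanitizers`. The five `if(DISABLE_*)` blocks force `TOOLCHAIN_CAN_COMPILE_*` to OFF but nothing says where those variables are consumed; if this file is included before toolchain.cmake, a comment such as `# Pre-setting TOOLCHAIN_CAN_COMPILE_* makes toolchain.cmake skip its probe for that feature` would document the coupling with the `if(NOT DEFINED ...)` guards there.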
--- /dev/null
+++ b/config/osx_c.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+set -e
+
+$1 --version | grep clang-1000.11.45.5
diff --git a/config/s390x.cmake b/config/s390x.cmake
new file mode 100644
index 00000000..a901dabe
--- /dev/null
+++ b/config/s390x.cmake
@@ -0,0 +1,10 @@
+# Toolchain file compiling for s390x
+
+set(triple s390x-linux-gnu)
+set(arch s390x)
+set(HACL_TARGET_OS linux)
+set(CMAKE_SYSTEM_NAME Linux)
+set(CMAKE_C_COMPILER_TARGET ${triple})
+set(CMAKE_CXX_COMPILER_TARGET ${triple})
+# This isn't working unfortunately. It's being set in CMakeLists.txt again
+set(CMAKE_SYSTEM_PROCESSOR s390x)
diff --git a/config/toolchain.cmake b/config/toolchain.cmake
new file mode 100644
index 00000000..40ab259a
--- /dev/null
+++ b/config/toolchain.cmake
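Review bot: The pipeline's exit status is grep's alone, so when `$1` cannot be executed the script still exits 1 ("no match"), which is exactly the value toolchain.cmake's `if(${BAD_CC} EQUAL 1)` reads as "compiler is fine, enable inline assembly"; `set -e` does not change this for a pipeline, and `pipefail` would not either because grep is the rightmost failing command. Run the compiler on its own first so its failure surfaces with a distinct status: `ver=$("$1" --version) || exit 2` followed by `printf '%s\n' "$ver" | grep -q clang-1000.11.45.5`. A header comment stating the inverted contract (exit 1 means the compiler is not the clang build being grepped for, so inline asm may be enabled) would save the next reader a trip to toolchain.cmake.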
@@ -0,0 +1,139 @@
+# Test the toolchain to get supported CPU features
+
+INCLUDE(CheckCCompilerFlag)
+set(CMAKE_TRY_COMPILE_TARGET_TYPE EXECUTABLE)
+
+## Check for gcc compiler bug 81300
+if(NOT DEFINED BUG_81300)
+ try_compile(BUG_81300
+ ${PROJECT_SOURCE_DIR}/config/build
+ ${PROJECT_SOURCE_DIR}/config/bug81300.c
+ # TODO: get the include paths from global variables
+ # We should probably get rid of the march=native!
+ COMPILE_DEFINITIONS "-DCOMPILE_INTRINSICS \
+ -O3"
+ )
+endif()
+message(STATUS "Bug 81300 check: ${BUG_81300}")
+
+## Check for int128 support
+if(NOT DEFINED INT128_SUPPORT)
+ try_compile(INT128_SUPPORT
+ ${PROJECT_SOURCE_DIR}/config/build
+ ${PROJECT_SOURCE_DIR}/config/int128.c
+ )
+endif()
+message(STATUS "int128 support: ${INT128_SUPPORT}")
+if(${INT128_SUPPORT})
+ set(HACL_CAN_COMPILE_UINT128 1)
+endif()
+
+## Check for explicit_bzero support
+if(NOT DEFINED EXPLICIT_BZERO_SUPPORT)
+ try_compile(EXPLICIT_BZERO_SUPPORT
+ ${PROJECT_SOURCE_DIR}/config/build
+ ${PROJECT_SOURCE_DIR}/config/explicit_bzero.c
+ )
+endif()
+message(STATUS "explicit_bzero support: ${EXPLICIT_BZERO_SUPPORT}")
+
+## Check for vec128 support
+if(NOT DEFINED TOOLCHAIN_CAN_COMPILE_VEC128)
+ set(CPU_FLAGS "")
+ # TODO: read these flag from a common definition
+ if(CMAKE_SYSTEM_PROCESSOR MATCHES "i386|i586|i686|i86pc|ia32|x86_64|amd64|AMD64")
+ set(CPU_FLAGS "${CPU_FLAGS} -msse2 -msse3 -msse4.1 -msse4.2")
+ endif()
+ if(CMAKE_SYSTEM_PROCESSOR MATCHES "s390x")
+ set(CPU_FLAGS "${CPU_FLAGS} -mzarch -mvx -mzvector -march=z14")
+ endif()
+ try_compile(TOOLCHAIN_CAN_COMPILE_VEC128
+ ${PROJECT_SOURCE_DIR}/config/build
+ ${PROJECT_SOURCE_DIR}/config/vec128.c
+ # TODO: get the include paths from global variables
+ # When do we need -march=armv8-a+simd or something else here?
+ COMPILE_DEFINITIONS "-DHACL_CAN_COMPILE_VEC128 \
+ -I${PROJECT_SOURCE_DIR}/include \
+ -I${PROJECT_SOURCE_DIR}/kremlin/include \
+ -I${PROJECT_SOURCE_DIR}/kremlin/kremlib/dist/minimal \
+ ${CPU_FLAGS}"
+ )
+endif()
+message(STATUS "vec128 support: ${TOOLCHAIN_CAN_COMPILE_VEC128}")
+
+## Check for vec256 support
+if(NOT DEFINED TOOLCHAIN_CAN_COMPILE_VEC256)
+ set(CPU_FLAGS "")
+ # TODO: read these flag from a common definition
+ if(CMAKE_SYSTEM_PROCESSOR MATCHES "i386|i586|i686|i86pc|ia32|x86_64|amd64|AMD64")
+ set(CPU_FLAGS "${CPU_FLAGS} -mavx2 -mavx")
+ endif()
+ try_compile(TOOLCHAIN_CAN_COMPILE_VEC256
+ ${PROJECT_SOURCE_DIR}/config/build
+ ${PROJECT_SOURCE_DIR}/config/vec256.c
+ # TODO: get the include paths from global variables
+ # When do we need -march=armv8-a+simd or something else here?
+ COMPILE_DEFINITIONS "-DHACL_CAN_COMPILE_VEC256 \
+ -I${PROJECT_SOURCE_DIR}/include \
+ -I${PROJECT_SOURCE_DIR}/kremlin/include \
+ -I${PROJECT_SOURCE_DIR}/kremlin/kremlib/dist/minimal \
+ ${CPU_FLAGS}"
+ )
+endif()
+message(STATUS "vec256 support: ${TOOLCHAIN_CAN_COMPILE_VEC256}")
+
+## Check for vale support
+if(NOT DEFINED TOOLCHAIN_CAN_COMPILE_VALE)
+ # Always enable for x64
+ set(TOOLCHAIN_CAN_COMPILE_VALE FALSE)
+ if(CMAKE_SYSTEM_PROCESSOR MATCHES "x86_64|amd64|AMD64")
+ set(TOOLCHAIN_CAN_COMPILE_VALE TRUE)
+ endif()
+endif()
+
+# Check for inline assembly support
+if(NOT DEFINED TOOLCHAIN_CAN_COMPILE_INLINE_ASM)
+ set(TOOLCHAIN_CAN_COMPILE_INLINE_ASM OFF)
+ # Only available on x64
+ if(CMAKE_SYSTEM_PROCESSOR MATCHES "x86_64|amd64|AMD64")
+ execute_process(COMMAND
+ ${PROJECT_SOURCE_DIR}/config/osx_c.sh ${CMAKE_C_COMPILER}
+ RESULT_VARIABLE BAD_CC
+ )
+ if(${BAD_CC} EQUAL 1)
+ set(TOOLCHAIN_CAN_COMPILE_INLINE_ASM TRUE)
+ endif()
+ endif()
+endif()
+
+# Check for intrinsics support
+if(NOT DEFINED TOOLCHAIN_CAN_COMPILE_INTRINSICS)
+ set(TOOLCHAIN_CAN_COMPILE_INTRINSICS OFF)
+ # x86 or x86_64
+ if(CMAKE_SYSTEM_PROCESSOR MATCHES 
"x86_64|amd64|AMD64|i386|i586|i686|i86pc|ia32")
+ if(NOT BUG_81300)
+ set(TOOLCHAIN_CAN_COMPILE_INTRINSICS TRUE)
+ endif()
+ endif()
+endif()
+# TODO: Check for these
+set(TOOLCHAIN_CAN_COMPILE_INTRINSICS OFF) # XXX: FOR TESTING ONLY
+
+# Set OS consistently for compiling, independent of cross-compilation
+# Note that HACL_TARGET_OS is set by the cross-compilation tool chain when using
+# one.
+if(NOT HACL_TARGET_OS)
+ if(${CMAKE_SYSTEM_NAME} MATCHES "Linux")
+ set(HACL_TARGET_OS linux)
+ endif()
+ if(${CMAKE_SYSTEM_NAME} MATCHES "Darwin")
+ set(HACL_TARGET_OS osx)
+ endif()
+ if(${CMAKE_SYSTEM_NAME} MATCHES "Windows")
+ if(${MINGW})
+ set(HACL_TARGET_OS mingw)
+ else()
+ set(HACL_TARGET_OS msvc)
+ endif()
+ endif()
+endif()
diff --git a/config/vec128.c b/config/vec128.c
new file mode 100644
index 00000000..b530e6a4
--- /dev/null
+++ b/config/vec128.c
@@ -0,0 +1,29 @@
+#include "libintvector.h"
+
+#if TARGET_ARCHITECTURE == TARGET_ARCHITECTURE_ID_X64
+#include
+#endif
+
+int
+main()
+{
+ uint8_t block[32] = { 0 };
+ Lib_IntVector_Intrinsics_vec128 b1 =
+ Lib_IntVector_Intrinsics_vec128_load32_le(
+ block); // SSE2 | NEON - A7, A32, A64
+ Lib_IntVector_Intrinsics_vec128 b2 =
+ Lib_IntVector_Intrinsics_vec128_load32_le(block + + 16); // SSE2 | NEON - A7, A32, A64
+ Lib_IntVector_Intrinsics_vec128 test =
+ Lib_IntVector_Intrinsics_vec128_interleave_high64(b1,
+ b2); // SSE2 | NEON A64
+ Lib_IntVector_Intrinsics_vec128 eq = Lib_IntVector_Intrinsics_vec128_eq64(
+ b1, b1); // SSE4.1 | NEON - A7, A32, A64
+ Lib_IntVector_Intrinsics_vec128 gt = Lib_IntVector_Intrinsics_vec128_eq64(
+ b1, b2); // SSE4.2 | NEON - A7, A32, A64
+
+ Lib_IntVector_Intrinsics_vec128 rotated =
+ Lib_IntVector_Intrinsics_vec128_rotate_left32(
+ test, (uint32_t)7U); // SSE3 | NEON - A7, A32, A64
+ return 0;
+}
diff --git a/config/vec256.c b/config/vec256.c
new file mode 100644
index 00000000..404765c1
--- /dev/null
+++ b/config/vec256.c
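Review bot: `set(TOOLCHAIN_CAN_COMPILE_INTRINSICS OFF) # XXX: FOR TESTING ONLY` sits after the `endif()` and so overwrites the detection result unconditionally: the x86 processor match and the BUG_81300 probe feeding it become dead code, and intrinsics are off on every build regardless of whether DISABLE_INTRINSICS was set. If that is deliberate for this merge, say so in the comment and track its removal; otherwise delete the line. `EXPLICIT_BZERO_SUPPORT` is probed and printed but, unlike `INT128_SUPPORT` which sets `HACL_CAN_COMPILE_UINT128`, nothing in this hunk turns it into a definition, so if the memory-wiping code selects its implementation from such a macro (not visible here) the probe result never reaches it — worth confirming against CMakeLists.txt. The comment `# We should probably get rid of the march=native!` refers to a flag that is not in the COMPILE_DEFINITIONS below it and should be updated or dropped. The inline-assembly check's `if(${BAD_CC} EQUAL 1)` accepts any grep miss, including one caused by a compiler that could not be run, as permission to enable inline asm; see the note on osx_c.sh.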
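Review bot: `gt` is initialized with `Lib_IntVector_Intrinsics_vec128_eq64(b1, b2)` while its trailing comment claims `// SSE4.2`; per the table in cpu-features.md in this same change, eq64 needs only SSE4.1 and it is gt64 that needs SSE4.2, so the probe never exercises the SSE4.2 path it documents. Change the line to `Lib_IntVector_Intrinsics_vec128 gt = Lib_IntVector_Intrinsics_vec128_gt64(b1, b2); // SSE4.2 | NEON - A7, A32, A64`. `eq`, `gt` and `rotated` are otherwise never read, so a probe built with `-Werror=unused-variable` fails for the wrong reason; `(void)eq; (void)gt; (void)rotated;` before `return 0;` keeps the probe honest. The `#include` inside the `TARGET_ARCHITECTURE_ID_X64` block has lost its header name in this rendering.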
@@ -0,0 +1,13 @@
+#include "libintvector.h"
+
+#if TARGET_ARCHITECTURE == TARGET_ARCHITECTURE_ID_X64
+ #include
+#endif
+
+int main () {
+ uint8_t block[64] = { 0 };
+ Lib_IntVector_Intrinsics_vec256 b1 = Lib_IntVector_Intrinsics_vec256_load32_le(block);
+ Lib_IntVector_Intrinsics_vec256 b2 = Lib_IntVector_Intrinsics_vec256_load32_le(block + 32);
+ Lib_IntVector_Intrinsics_vec256 test = Lib_IntVector_Intrinsics_vec256_interleave_high64(b1, b2);
+ return 0;
+}
diff --git a/config/x64-darwin.cmake b/config/x64-darwin.cmake
new file mode 100644
index 00000000..47bb8f72
--- /dev/null
+++ b/config/x64-darwin.cmake
@@ -0,0 +1,17 @@
+# Toolchain file compiling for x64 macOS
+
+set(arch x86_64)
+set(triple x86_64-apple-darwin)
+
+# For some reason we have to set the system name here in order to make the
+# CMAKE_SYSTEM_PROCESSOR being picked up correctly.
+set(CMAKE_SYSTEM_NAME Darwin)
+set(CMAKE_SYSTEM_VERSION "${CMAKE_HOST_SYSTEM_VERSION}")
+set(CMAKE_SYSTEM_PROCESSOR ${arch})
+set(CMAKE_OSX_ARCHITECTURES ${arch})
+set(CMAKE_C_COMPILER clang)
+set(CMAKE_C_COMPILER_TARGET ${triple})
+set(CMAKE_CXX_COMPILER clang++)
+set(CMAKE_CXX_COMPILER_TARGET ${triple})
+
+set(HACL_TARGET_OS osx)
diff --git a/cpu-features.md b/cpu-features.md
new file mode 100644
index 00000000..392d62c5
--- /dev/null
+++ b/cpu-features.md
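Review bot: The formatting of this probe differs from its sibling vec128.c in the same change: `int main () {` with a space before the parentheses and the brace on the same line, versus the clang-formatted `int` / `main()` / `{` layout there, plus an indented `#include` inside the `#if`; running the same formatter over both probes would make them consistent, and `int main(void)` is the proper C prototype. `test` is computed and never read, so with `-Werror=unused-variable` the probe fails even though vec256 is supported; `(void)test;` before `return 0;` avoids that. As in vec128.c, the `#include` inside the `#if` block has lost its header name in this rendering.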
@@ -0,0 +1,141 @@ +# Vec128 + +| Function | ARM | Intel | IBM z | PowerPC64 | Uses | +| ---------------------------------------------------- | ------------------- | ------ | ----- | --------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| high32 | NEON - A7, A32, A64 | SSE2 | | | Hacl_Chacha20_Vec256.c, Hacl_SHA2_Vec256.c, Hacl_SHA2_Vec128.c, Hacl_Chacha20_Vec128.c | +| Lib_IntVector_Intrinsics_vec128_add32 | NEON - A7, A32, A64 | SSE2 | | | Hacl_Hash_Blake2s_128.c, Hacl_SHA2_Vec128.c, Hacl_Chacha20_Vec128.c | +| Lib_IntVector_Intrinsics_vec128_add64 | NEON - A7, A32, A64 | SSE2 | | | Hacl_Poly1305_128.c, Hacl_Chacha20Poly1305_128.c | +| Lib_IntVector_Intrinsics_vec128_and | NEON - A7, A32, A64 | SSE2 | | | Hacl_Poly1305_128.c, Hacl_Chacha20Poly1305_128.c, Hacl_SHA2_Vec128.c | +| Lib_IntVector_Intrinsics_vec128_eq32 | NEON - A7, A32, A64 | SSE2 | | | | +| Lib_IntVector_Intrinsics_vec128_eq64 | NEON - A7, A32, A64 | SSE4.1 | | | Hacl_Poly1305_128.c | +| Lib_IntVector_Intrinsics_vec128_extract32 | NEON - A7, A32, A64 | SSE4.1 | | | | +| Lib_IntVector_Intrinsics_vec128_extract64 | NEON - A7, A32, A64 | SSE4.1 | | | Hacl_Poly1305_128.c | +| Lib_IntVector_Intrinsics_vec128_extract8 | NEON - A7, A32, A64 | SSE4.1 | | | | +| Lib_IntVector_Intrinsics_vec128_gt32 | NEON - A7, A32, A64 | SSE2 | | | | +| Lib_IntVector_Intrinsics_vec128_gt64 | NEON - A7, A32, A64 | SSE4.2 | | | Hacl_Poly1305_128.c | +| Lib_IntVector_Intrinsics_vec128_insert32 | NEON - A7, A32, A64 | SSE4.1 | | | | +| Lib_IntVector_Intrinsics_vec128_insert64 | NEON - A7, A32, A64 | SSE4.1 | | | Hacl_Poly1305_128.c | +| Lib_IntVector_Intrinsics_vec128_insert8 | NEON - A7, A32, A64 | SSE4.1 | | | | +| Lib_IntVector_Intrinsics_vec128_interleave_high32 | NEON - A64 | SSE2 | | | Hacl_SHA2_Vec128.c, Hacl_Chacha20_Vec128.c | +| 
Lib_IntVector_Intrinsics_vec128_interleave_high64 | NEON - A64 | SSE2 | | | Hacl_Poly1305_128.c, Hacl_Chacha20Poly1305_128.c, Hacl_SHA2_Vec128.c, Hacl_Chacha20_Vec128.c | +| Lib_IntVector_Intrinsics_vec128_interleave_low32 | NEON - A64 | SSE2 | | | Hacl_SHA2_Vec128.c, Hacl_Chacha20_Vec128.c | +| Lib_IntVector_Intrinsics_vec128_interleave_low64 | NEON - A64 | SSE2 | | | Hacl_Poly1305_128.c, Hacl_Chacha20Poly1305_128.c,Hacl_SHA2_Vec128.c, Hacl_Chacha20_Vec128.c | +| Lib_IntVector_Intrinsics_vec128_load_be | - | SSE3 | | | | +| Lib_IntVector_Intrinsics_vec128_load128 | NEON - A7, A32, A64 | - | | | | +| Lib_IntVector_Intrinsics_vec128_load32 | NEON - A7, A32, A64 | SSE2 | | | Hacl_Hash_Blake2s_128.c, Hacl_SHA2_Vec128.c, Hacl_Chacha20_Vec128.c, Hacl_HMAC_Blake2s_128.c | +| Lib_IntVector_Intrinsics_vec128_load32_be | NEON - A7, A32, A64 | SSE3 | | | Hacl_SHA2_Vec128.c | +| Lib_IntVector_Intrinsics_vec128_load32_le | NEON - A7, A32, A64 | SSE2 | | | Hacl_Chacha20_Vec128.c | +| Lib_IntVector_Intrinsics_vec128_load32s | NEON - A7, A32, A64 | SSE2 | | | Hacl_Hash_Blake2s_128.c, Hacl_Chacha20_Vec128.c, Hacl_HMAC_Blake2s_128.c | +| Lib_IntVector_Intrinsics_vec128_load64 | NEON - A7, A32, A64 | SSE2 | | | Hacl_Poly1305_128.c, Hacl_Chacha20Poly1305_128.c | +| Lib_IntVector_Intrinsics_vec128_load64_be | NEON - A7, A32, A64 | SSE3 | | | | +| Lib_IntVector_Intrinsics_vec128_load64_le | NEON - A7, A32, A64 | SSE2 | | | Hacl_Poly1305_128.c, Hacl_Chacha20Poly1305_128.c | +| Lib_IntVector_Intrinsics_vec128_load64s | NEON - A7, A32, A64 | SSE2 | | | | +| Lib_IntVector_Intrinsics_vec128_lognot | NEON - A7, A32, A64 | SSE2 | | | Hacl_Poly1305_128.c, Hacl_SHA2_Vec128.c | +| Lib_IntVector_Intrinsics_vec128_mul32 | NEON - A7, A32, A64 | SSE4.1 | | | | +| Lib_IntVector_Intrinsics_vec128_mul64 | NEON - A7, A32, A64 | SSE2 | | | Hacl_Poly1305_128.c, Hacl_Chacha20Poly1305_128.c | +| Lib_IntVector_Intrinsics_vec128_or | NEON - A7, A32, A64 | SSE2 | | | Hacl_Poly1305_128.c, 
Hacl_Chacha20Poly1305_128.c | +| Lib_IntVector_Intrinsics_vec128_rotate_left32 | NEON - A7, A32, A64 | SSE3 | | | Hacl_Chacha20_Vec128.c | +| Lib_IntVector_Intrinsics_vec128_rotate_left32_16 | NEON - A7, A32, A64 | SSE3 | | | | +| Lib_IntVector_Intrinsics_vec128_rotate_left32_24 | - | SSE3 | | | | +| Lib_IntVector_Intrinsics_vec128_rotate_left32_8 | - | SSE3 | | | | +| Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32 | NEON - A7, A32, A64 | SSE2 | | | Hacl_Hash_Blake2s_128.c | +| Lib_IntVector_Intrinsics_vec128_rotate_right_lanes64 | NEON - A7, A32, A64 | SSE2 | | | | +| Lib_IntVector_Intrinsics_vec128_rotate_right32 | NEON - A7, A32, A64 | SSE3 | | | Hacl_Hash_Blake2s_128.c, Hacl_SHA2_Vec128.c | +| Lib_IntVector_Intrinsics_vec128_rotate_right32_16 | NEON - A7, A32, A64 | - | | | | +| Lib_IntVector_Intrinsics_vec128_shift_left | NEON - A7, A32, A64 | SSE2 | | | Hacl_Poly1305_128.c, Hacl_Chacha20Poly1305_128.c | +| Lib_IntVector_Intrinsics_vec128_shift_left32 | NEON - A7, A32, A64 | SSE2 | | | | +| Lib_IntVector_Intrinsics_vec128_shift_left64 | NEON - A7, A32, A64 | SSE2 | | | Hacl_Poly1305_128.c, Hacl_Chacha20Poly1305_128.c | +| Lib_IntVector_Intrinsics_vec128_shift_right | NEON - A7, A32, A64 | SSE2 | | | Hacl_Poly1305_128.c, Hacl_Chacha20Poly1305_128.c, Hacl_SHA2_Vec128.c | +| Lib_IntVector_Intrinsics_vec128_shift_right32 | NEON - A7, A32, A64 | SSE2 | | | Hacl_SHA2_Vec128.c | +| Lib_IntVector_Intrinsics_vec128_shift_right64 | NEON - A7, A32, A64 | SSE2 | | | Hacl_Poly1305_128.c, Hacl_Chacha20Poly1305_128.c | +| Lib_IntVector_Intrinsics_vec128_shuffle32 | - | SSE2 | | | | +| Lib_IntVector_Intrinsics_vec128_shuffle64 | - | SSE2 | | | | +| Lib_IntVector_Intrinsics_vec128_smul32 | NEON - A7, A32, A64 | SSE4.1 | | | | +| Lib_IntVector_Intrinsics_vec128_smul64 | NEON - A7, A32, A64 | SSE2 | | | Hacl_Poly1305_128.c | +| Lib_IntVector_Intrinsics_vec128_store_be | - | SSE3 | | | | +| Lib_IntVector_Intrinsics_vec128_store32_be | NEON - A7, A32, A64 | SSE3 | | | 
Hacl_SHA2_Vec128.c | +| Lib_IntVector_Intrinsics_vec128_store32_le | NEON - A7, A32, A64 | SSE2 | | | Hacl_Hash_Blake2s_128.c, Hacl_Chacha20_Vec128.c | +| Lib_IntVector_Intrinsics_vec128_store64_be | NEON - A7, A32, A64 | SSE3 | | | | +| Lib_IntVector_Intrinsics_vec128_store64_le | NEON - A7, A32, A64 | SSE2 | | | | +| Lib_IntVector_Intrinsics_vec128_sub32 | NEON - A7, A32, A64 | SSE2 | | | | +| Lib_IntVector_Intrinsics_vec128_sub64 | NEON - A7, A32, A64 | SSE2 | | | Hacl_Poly1305_128.c | +| Lib_IntVector_Intrinsics_vec128_xor | NEON - A7, A32, A64 | SSE2 | | | Hacl_Hash_Blake2s_128.c, Hacl_SHA2_Vec128.c, Hacl_Chacha20_Vec128.c | +| Lib_IntVector_Intrinsics_vec128_zero | NEON - A7, A32, A64 | SSE2 | | | Hacl_Hash_Blake2s_128.c Hacl_Poly1305_128.c Hacl_Streaming_Blake2s_128.c Hacl_Chacha20Poly1305_128.c Hacl_SHA2_Vec128.c Hacl_Chacha20_Vec128.c Hacl_HMAC_Blake2s_128.c Hacl_Streaming_Poly1305_128.c | +| low32 | NEON - A7, A32, A64 | - | | | Hacl_Chacha20_Vec256.c, Hacl_SHA2_Vec256.c, Hacl_SHA2_Vec128.c, Hacl_Chacha20_Vec128.c | + +Note that for SSE only the highest version is mentions. +We have to check for all lower versions. 
+ +# Vec 256 + +| Function | ARM | Intel | IBM z | PowerPC64 | Uses | +| ---------------------------------------------------- | --- | ----- | ----- | --------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Lib_IntVector_Intrinsics_vec256_add32 | | AVX2 | | | Hacl_Chacha20_Vec256.c, Hacl_SHA2_Vec256.c, libintvector.h | +| Lib_IntVector_Intrinsics_vec256_add64 | | AVX2 | | | Hacl_SHA2_Vec256.c, Hacl_Poly1305_256.c, Hacl_Hash_Blake2b_256.c, Hacl_Chacha20Poly1305_256.c | +| Lib_IntVector_Intrinsics_vec256_and | | AVX2 | | | Hacl_SHA2_Vec256.c, Hacl_Poly1305_256.c, Hacl_Chacha20Poly1305_256.c | +| Lib_IntVector_Intrinsics_vec256_eq32 | | AVX2 | | | | +| Lib_IntVector_Intrinsics_vec256_extract8 | | AVX2 | | | | +| Lib_IntVector_Intrinsics_vec256_gt32 | | AVX2 | | | | +| Lib_IntVector_Intrinsics_vec256_gt64 | | AVX2 | | | Hacl_Poly1305_256.c | +| Lib_IntVector_Intrinsics_vec256_interleave_high128 | | AVX2 | | | Hacl_Chacha20_Vec256.c, Hacl_SHA2_Vec256.c, Hacl_Poly1305_256.c, Hacl_Chacha20Poly1305_256.c | +| Lib_IntVector_Intrinsics_vec256_interleave_high32 | | AVX2 | | | Hacl_Chacha20_Vec256.c, Hacl_SHA2_Vec256.c | +| Lib_IntVector_Intrinsics_vec256_interleave_high64 | | AVX2 | | | Hacl_Chacha20_Vec256.c, Hacl_SHA2_Vec256.c, Hacl_Poly1305_256.c, Hacl_Chacha20Poly1305_256.c | +| Lib_IntVector_Intrinsics_vec256_interleave_low128 | | AVX2 | | | Hacl_Chacha20_Vec256.c, Hacl_SHA2_Vec256.c, Hacl_Poly1305_256.c, Hacl_Chacha20Poly1305_256.c | +| Lib_IntVector_Intrinsics_vec256_interleave_low32 | | AVX2 | | | Hacl_Chacha20_Vec256.c, Hacl_SHA2_Vec256.c | +| Lib_IntVector_Intrinsics_vec256_interleave_low64 | | AVX2 | | | Hacl_Chacha20_Vec256.c, Hacl_SHA2_Vec256.c, Hacl_Poly1305_256.c, Hacl_Chacha20Poly1305_256.c | +| Lib_IntVector_Intrinsics_vec256_mul32 | | AVX2 | | | | +| Lib_IntVector_Intrinsics_vec256_mul64 | | AVX2 
| | | Hacl_Poly1305_256.c, Hacl_Chacha20Poly1305_256.c | +| Lib_IntVector_Intrinsics_vec256_or | | AVX2 | | | Hacl_Poly1305_256.c, Hacl_Chacha20Poly1305_256.c | +| Lib_IntVector_Intrinsics_vec256_rotate_left32 | | AVX2 | | | Hacl_Chacha20_Vec256.c | +| Lib_IntVector_Intrinsics_vec256_rotate_left32_16 | | AVX2 | | | | +| Lib_IntVector_Intrinsics_vec256_rotate_left32_24 | | AVX2 | | | | +| Lib_IntVector_Intrinsics_vec256_rotate_left32_8 | | AVX2 | | | | +| Lib_IntVector_Intrinsics_vec256_rotate_left64 | | AVX2 | | | | +| Lib_IntVector_Intrinsics_vec256_rotate_right_lanes32 | | AVX2 | | | | +| Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64 | | AVX2 | | | Hacl_Hash_Blake2b_256.c | +| Lib_IntVector_Intrinsics_vec256_rotate_right32 | | AVX2 | | | Hacl_SHA2_Vec256.c | +| Lib_IntVector_Intrinsics_vec256_rotate_right64 | | AVX2 | | | Hacl_SHA2_Vec256.c, Hacl_Hash_Blake2b_256.c | +| Lib_IntVector_Intrinsics_vec256_rotate_right64_16 | | AVX2 | | | | +| Lib_IntVector_Intrinsics_vec256_rotate_right64_24 | | AVX2 | | | | +| Lib_IntVector_Intrinsics_vec256_rotate_right64_32 | | AVX2 | | | | +| Lib_IntVector_Intrinsics_vec256_rotate_right64_40 | | AVX2 | | | | +| Lib_IntVector_Intrinsics_vec256_rotate_right64_48 | | AVX2 | | | | +| Lib_IntVector_Intrinsics_vec256_rotate_right64_56 | | AVX2 | | | | +| Lib_IntVector_Intrinsics_vec256_rotate_right64_8 | | AVX2 | | | | +| Lib_IntVector_Intrinsics_vec256_shift_left | | AVX2 | | | Hacl_Poly1305_256.c, Hacl_Chacha20Poly1305_256.c | +| Lib_IntVector_Intrinsics_vec256_shift_left32 | | AVX2 | | | | +| Lib_IntVector_Intrinsics_vec256_shift_left64 | | AVX2 | | | Hacl_Poly1305_256.c, Hacl_Chacha20Poly1305_256.c | +| Lib_IntVector_Intrinsics_vec256_shift_right | | AVX2 | | | Hacl_SHA2_Vec256.c, Hacl_Poly1305_256.c, Hacl_Chacha20Poly1305_256.c | +| Lib_IntVector_Intrinsics_vec256_shift_right32 | | AVX2 | | | Hacl_SHA2_Vec256.c | +| Lib_IntVector_Intrinsics_vec256_shift_right64 | | AVX2 | | | Hacl_SHA2_Vec256.c, Hacl_Poly1305_256.c, 
Hacl_Chacha20Poly1305_256.c | +| Lib_IntVector_Intrinsics_vec256_shuffle32 | | AVX2 | | | | +| Lib_IntVector_Intrinsics_vec256_shuffle64 | | AVX2 | | | | +| Lib_IntVector_Intrinsics_vec256_smul64 | | AVX2 | | | Hacl_Poly1305_256.c | +| Lib_IntVector_Intrinsics_vec256_sub32 | | AVX2 | | | | +| Lib_IntVector_Intrinsics_vec256_sub64 | | AVX2 | | | Hacl_Poly1305_256.c | +| Lib_IntVector_Intrinsics_vec256_xor | | AVX2 | | | Hacl_Chacha20_Vec256.c, Hacl_SHA2_Vec256.c, Hacl_Hash_Blake2b_256.c | +| Lib_IntVector_Intrinsics_vec256_eq64 | | AVX2 | | | Hacl_Poly1305_256.c | +| Lib_IntVector_Intrinsics_vec256_load32_be | | AVX2 | | | Hacl_SHA2_Vec256.c | +| Lib_IntVector_Intrinsics_vec256_load64_be | | AVX2 | | | Hacl_SHA2_Vec256.c | +| Lib_IntVector_Intrinsics_vec256_lognot | | AVX2 | | | Hacl_SHA2_Vec256.c, Hacl_Poly1305_256.c | +| Lib_IntVector_Intrinsics_vec256_smul32 | | AVX2 | | | | +| Lib_IntVector_Intrinsics_vec256_store32_be | | AVX2 | | | Hacl_SHA2_Vec256.c | +| Lib_IntVector_Intrinsics_vec256_store64_be | | AVX2 | | | Hacl_SHA2_Vec256.c | +| Lib_IntVector_Intrinsics_vec256_extract32 | | AVX | | | | +| Lib_IntVector_Intrinsics_vec256_extract64 | | AVX | | | Hacl_Poly1305_256.c | +| Lib_IntVector_Intrinsics_vec256_insert32 | | AVX | | | | +| Lib_IntVector_Intrinsics_vec256_insert64 | | AVX | | | Hacl_Poly1305_256.c | +| Lib_IntVector_Intrinsics_vec256_insert8 | | AVX | | | | +| Lib_IntVector_Intrinsics_vec256_load128 | | AVX | | | | +| Lib_IntVector_Intrinsics_vec256_load128s | | AVX | | | | +| Lib_IntVector_Intrinsics_vec256_load32 | | AVX | | | Hacl_Chacha20_Vec256.c, Hacl_SHA2_Vec256.c | +| Lib_IntVector_Intrinsics_vec256_load32_le | | AVX | | | Hacl_Chacha20_Vec256.c | +| Lib_IntVector_Intrinsics_vec256_load32s | | AVX | | | Hacl_Chacha20_Vec256.c | +| Lib_IntVector_Intrinsics_vec256_load64 | | AVX | | | Hacl_SHA2_Vec256.c, Hacl_Poly1305_256.c, Hacl_Hash_Blake2b_256.c, Hacl_Chacha20Poly1305_256.c, Hacl_HMAC_Blake2b_256.c | +| 
Lib_IntVector_Intrinsics_vec256_load64_le | | AVX | | | Hacl_Poly1305_256.c, Hacl_Chacha20Poly1305_256.c |
+| Lib_IntVector_Intrinsics_vec256_load64s | | AVX | | | Hacl_Hash_Blake2b_256.c, Hacl_HMAC_Blake2b_256.c |
+| Lib_IntVector_Intrinsics_vec256_store32_le | | AVX | | | Hacl_Chacha20_Vec256.c |
+| Lib_IntVector_Intrinsics_vec256_store64_le | | AVX | | | Hacl_Hash_Blake2b_256.c |
+| Lib_IntVector_Intrinsics_vec256_zero | | AVX | | | Hacl_Streaming_Poly1305_256.c, Hacl_Chacha20_Vec256.c, Hacl_SHA2_Vec256.c, Hacl_Poly1305_256.c, Hacl_Hash_Blake2b_256.c, Hacl_Chacha20Poly1305_256.c, Hacl_HMAC_Blake2b_256.c, Hacl_Streaming_Blake2b_256.c |
+
+AVX2 requires AVX as well.
diff --git a/cpu-features/include/hacl-cpu-features.h b/cpu-features/include/hacl-cpu-features.h
new file mode 100644
index 00000000..221a1100
--- /dev/null
+++ b/cpu-features/include/hacl-cpu-features.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright 2022 Cryspen Sarl
+ *
+ * Licensed under the Apache License, Version 2.0 or MIT.
+ * - http://www.apache.org/licenses/LICENSE-2.0
+ * - http://opensource.org/licenses/MIT
+ */
+
+#ifndef __Hacl_cpu_features_H
+#define __Hacl_cpu_features_H
+
+#if defined(__cplusplus)
+extern "C"
+{
+#endif
+
+ void hacl_init_cpu_features();
+
+ unsigned int hacl_vec128_support();
+
+ unsigned int hacl_vec256_support();
+
+ unsigned int vale_aesgcm_support();
+
+ unsigned int vale_x25519_support();
+
+ unsigned int vale_sha2_support();
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif // __Hacl_cpu_features_H
diff --git a/cpu-features/include/internal_state.h b/cpu-features/include/internal_state.h
new file mode 100644
index 00000000..b1161054
--- /dev/null
+++ b/cpu-features/include/internal_state.h
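Review bot: The prototypes `void hacl_init_cpu_features();` and the five `unsigned int ..._support();` declarations use empty parentheses, which in C11 means "unspecified parameters" and switches off argument checking at every call site; write them as `void hacl_init_cpu_features(void);` and `unsigned int hacl_vec128_support(void);` and so on. The same applies to all sixteen prototypes in cpu-features/include/internal_state.h, to the matching definitions in cpu-features/src/cpu-features.c, and to `int main()` in cpu-features/src/main.c. The guard macro `__Hacl_cpu_features_H` begins with a double underscore, a spelling reserved for the implementation; `HACL_CPU_FEATURES_H` avoids that. internal_state.h, which main.c includes alongside this header, has no include guard at all.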
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2022 Cryspen Sarl
+ *
+ * Licensed under the Apache License, Version 2.0 or MIT.
+ * - http://www.apache.org/licenses/LICENSE-2.0
+ * - http://opensource.org/licenses/MIT
+ */
+
+unsigned int
+hacl_adx_support();
+unsigned int
+hacl_aes_support();
+unsigned int
+hacl_sha_support();
+unsigned int
+hacl_avx_support();
+unsigned int
+hacl_avx2_support();
+unsigned int
+hacl_sse_support();
+unsigned int
+hacl_sse2_support();
+unsigned int
+hacl_sse3_support();
+unsigned int
+hacl_ssse3_support();
+unsigned int
+hacl_sse41_support();
+unsigned int
+hacl_sse42_support();
+unsigned int
+hacl_bmi1_support();
+unsigned int
+hacl_bmi2_support();
+unsigned int
+hacl_pclmul_support();
+unsigned int
+hacl_movbe_support();
+unsigned int
+hacl_cmov_support();
diff --git a/cpu-features/src/cpu-features.c b/cpu-features/src/cpu-features.c
new file mode 100644
index 00000000..94f9eeb0
--- /dev/null
+++ b/cpu-features/src/cpu-features.c
@@ -0,0 +1,283 @@
+/*
+ * https://www.intel.com/content/dam/develop/external/us/en/documents/architecture-instruction-set-extensions-programming-reference-806695.pdf
+ *
+ * Copyright 2022 Cryspen Sarl
+ *
+ * Licensed under the Apache License, Version 2.0 or MIT.
+ * - http://www.apache.org/licenses/LICENSE-2.0
+ * - http://opensource.org/licenses/MIT
+ */
+
+#include "hacl-cpu-features.h"
+#include "internal_state.h"
+
+#if defined(i386) || defined(__i386) || defined(__X86__) || defined(_M_IX86)
+#define CPU_FEATURES_X86
+#elif defined(__x86_64__) || defined(__x86_64) || defined(_M_AMD64)
+#define CPU_FEATURES_X64
+#elif defined(__arm64__) || defined(__arm64) || defined(__aarch64__)
+#define CPU_FEATURES_ARM64
+#elif defined(__s390x__)
+#define CPU_FEATURES_POWERZ
+#else
+#error "Unsupported CPU"
+#endif
+
+#if defined(__APPLE__) || defined(__APPLE_CC__)
+#include
+#include
+#define CPU_FEATURES_MACOS
+#elif defined(__GNUC__)
+#define CPU_FEATURES_LINUX
+#elif defined(_MSC_VER)
+#define CPU_FEATURES_WINDOWS
+#else
+#error "Unsupported OS"
+#endif
+
+// === x86 | x64
+
+#if (defined(CPU_FEATURES_LINUX) || defined(CPU_FEATURES_MACOS)) && \
+ defined(CPU_FEATURES_X64) && !defined(CPU_FEATURES_POWERZ)
+void
+cpuid(unsigned long leaf,
+ unsigned long* eax,
+ unsigned long* ebx,
+ unsigned long* ecx,
+ unsigned long* edx)
+{
+ __asm__("xor %%ecx, %%ecx\n\t"
+ "mov %%ebx,%%edi\n\t"
+ "cpuid\n\t"
+ "xchgl %%ebx,%%edi\n\t"
+ : "=a"(*eax), "=D"(*ebx), "=c"(*ecx), "=d"(*edx)
+ : "0"(leaf));
+}
+
+#elif defined(CPU_FEATURES_LINUX) && defined(CPU_FEATURES_X86)
+/* XXX: Find a 32-bit CPU to actually test this */
+void
+cpuid(unsigned long leaf,
+ unsigned long* eax,
+ unsigned long* ebx,
+ unsigned long* ecx,
+ unsigned long* edx)
+{
+ __asm__("xor %%ecx, %%ecx\n\t"
+ "mov %%ebx,%%edi\n\t"
+ "cpuid\n\t"
+ "xchgl %%ebx,%%edi\n\t"
+ : "=a"(*eax), "=D"(*ebx), "=c"(*ecx), "=d"(*edx)
+ : "0"(leaf));
+}
+#endif
+
+// ECX
+#define ECX_SSE3 (1 << 0)
+#define ECX_PCLMUL (1 << 1)
+#define ECX_SSSE3 (1 << 9)
+#define ECX_FMA (1 << 12)
+#define ECX_SSE4_1 (1 << 19)
+#define ECX_SSE4_2 (1 << 20)
+#define ECX_MOVBE (1 << 22)
+#define ECX_AESNI (1 << 25)
+#define ECX_AVX (1 << 28)
+
+// EBX
+#define EBX_BMI1 (1 << 3)
+#define EBX_AVX2 (1 << 5)
+#define EBX_BMI2 (1 << 8)
+#define EBX_ADX (1 << 19)
+#define EBX_SHA (1 << 29)
+
+// EDX
+#define EDX_SSE (1 << 25)
+#define EDX_SSE2 (1 << 26)
+#define EDX_CMOV (1 << 15)
+
+// === End x86 | x64
+
+// === MacOS ARM
+
+// === End MacOS ARM
+
+// Static feature variables
+static unsigned int _adx = 0;
+static unsigned int _aes = 0;
+static unsigned int _sha = 0;
+static unsigned int _avx = 0;
+static unsigned int _avx2 = 0;
+static unsigned int _sse = 0;
+static unsigned int _sse2 = 0;
+static unsigned int _sse3 = 0;
+static unsigned int _ssse3 = 0;
+static unsigned int _sse41 = 0;
+static unsigned int _sse42 = 0;
+static unsigned int _bmi1 = 0;
+static unsigned int _bmi2 = 0;
+static unsigned int _pclmul = 0;
+static unsigned int _movbe = 0;
+static unsigned int _cmov = 0;
+
+// API
+
+unsigned int
+hacl_vec128_support()
+{
+#if defined(CPU_FEATURES_X64) || defined(CPU_FEATURES_X86)
+ return _sse && _sse2 && _sse3 && _sse41 && _sse41 && _cmov;
+#elif defined(CPU_FEATURES_ARM64) || defined(CPU_FEATURES_POWERZ)
+ return 1;
+#else
+ return 0;
+#endif
+}
+
+unsigned int
+hacl_vec256_support()
+{
+ return _avx && _avx2;
+}
+
+unsigned int
+vale_aesgcm_support()
+{
+ return _aes && _pclmul && _avx && _sse && _movbe;
+}
+
+unsigned int
+vale_x25519_support()
+{
+ return _bmi2 && _adx;
+}
+
+unsigned int
+vale_sha2_support()
+{
+ return _sha && _sse;
+}
+
+void
+hacl_init_cpu_features()
+{
+ // TODO: Make this work for Windows.
+#if (defined(CPU_FEATURES_X64) || defined(CPU_FEATURES_X86)) && \
+ (defined(CPU_FEATURES_LINUX) || defined(CPU_FEATURES_MACOS))
+ unsigned long eax, ebx, ecx, edx, eax_sub, ebx_sub, ecx_sub, edx_sub;
+ cpuid(1, &eax, &ebx, &ecx, &edx);
+ cpuid(7, &eax_sub, &ebx_sub, &ecx_sub, &edx_sub);
+
+ _aes = (ecx & ECX_AESNI) != 0;
+ _avx = (ecx & ECX_AVX) != 0;
+ _pclmul = (ecx & ECX_PCLMUL) != 0;
+ _movbe = (ecx & ECX_MOVBE) != 0;
+
+ _avx2 = (ebx_sub & EBX_AVX2) != 0;
+ _bmi1 = (ebx_sub & EBX_BMI1) != 0;
+ _bmi2 = (ebx_sub & EBX_BMI2) != 0;
+ _adx = (ebx_sub & EBX_ADX) != 0;
+ _sha = (ebx_sub & EBX_SHA) != 0;
+
+ _sse = (edx & EDX_SSE) != 0;
+ _sse2 = (edx & EDX_SSE2) != 0;
+ _cmov = (edx & EDX_CMOV) != 0;
+
+ _sse3 = (ecx & ECX_SSE3) != 0;
+ _ssse3 = (ecx & ECX_SSSE3) != 0;
+ _sse41 = (ecx & ECX_SSE4_1) != 0;
+ _sse42 = (ecx & ECX_SSE4_2) != 0;
+#endif
+
+#if defined(CPU_FEATURES_MACOS) && defined(CPU_FEATURES_ARM64)
+ int64_t ret = 0;
+ size_t size = sizeof(ret);
+
+ sysctlbyname("hw.optional.neon", &ret, &size, NULL, 0);
+ if (ret == 1) {
+ _aes = 1;
+ _sha = 1;
+ }
+#endif
+}
+
+// CPU specific API
+unsigned int
+hacl_adx_support()
+{
+ return _adx;
+}
+unsigned int
+hacl_aes_support()
+{
+ return _aes;
+}
+unsigned int
+hacl_sha_support()
+{
+ return _sha;
+}
+unsigned int
+hacl_avx_support()
+{
+ return _avx;
+}
+unsigned int
+hacl_avx2_support()
+{
+ return _avx2;
+}
+unsigned int
+hacl_sse_support()
+{
+ return _sse;
+}
+unsigned int
+hacl_sse2_support()
+{
+ return _sse2;
+}
+unsigned int
+hacl_sse3_support()
+{
+ return _sse3;
+}
+unsigned int
+hacl_ssse3_support()
+{
+ return _ssse3;
+}
+unsigned int
+hacl_sse41_support()
+{
+ return _sse41;
+}
+unsigned int
+hacl_sse42_support()
+{
+ return _sse42;
+}
+unsigned int
+hacl_bmi1_support()
+{
+ return _bmi1;
+}
+unsigned int
+hacl_bmi2_support()
+{
+ return _bmi2;
+}
+unsigned int
+hacl_pclmul_support()
+{
+ return _pclmul;
+}
+unsigned int
+hacl_movbe_support()
+{
+ return _movbe;
+}
+unsigned int
+hacl_cmov_support()
+{
+ return _cmov;
+}
diff --git a/cpu-features/src/main.c b/cpu-features/src/main.c
new file mode 100644
index 00000000..e398007f
--- /dev/null
+++ b/cpu-features/src/main.c
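Review bot: `hacl_vec128_support` tests `_sse41 && _sse41`, so one of the flags the conjunction was meant to cover is never consulted; given the note in cpu-features.md that every lower SSE level has to be checked, the missing term is presumably `_ssse3`: `return _sse && _sse2 && _sse3 && _ssse3 && _sse41 && _cmov;`. `hacl_vec256_support` then returns `_avx && _avx2` from the CPUID bits alone, but the AVX bit only says the CPU implements the instructions; whether this process may execute them depends on the OS having enabled XSAVE and YMM state saving, reported by CPUID.1:ECX bit 27 (OSXSAVE) together with XCR0 bits 1 and 2 read via `xgetbv`, and without that check a kernel or hypervisor that has AVX disabled turns the vec256 code paths into an illegal-instruction fault instead of a fallback. The leaf-7 query is also issued without first reading leaf 0's maximum supported leaf, so on parts that predate leaf 7 `ebx_sub` may not hold the structured-feature bits at all (this only matters for such older CPUs). `cpuid` is defined as an external, non-`static` symbol with a name other libraries in the same process are likely to define too; `static void cpuid(...)` keeps it file-local. The change below gates `_avx` on the OS state; everything else in `hacl_init_cpu_features` stays as committed.

```c
// ECX
#define ECX_OSXSAVE (1 << 27)
// … unchanged: remaining feature-bit macros, static flags, vec128/vale API …

void
hacl_init_cpu_features()
{
  // … unchanged: cpuid(1, …) and cpuid(7, …) calls, _aes/_pclmul/_movbe …
  _avx = (ecx & ECX_AVX) != 0;
  // The CPUID AVX bit alone is not enough: AVX instructions fault unless the
  // OS has enabled XSAVE (OSXSAVE) and saves the XMM|YMM state (XCR0 bits 1,2).
  if (_avx && (ecx & ECX_OSXSAVE) != 0) {
    unsigned int xcr0_lo = 0, xcr0_hi = 0;
    __asm__ __volatile__("xgetbv" : "=a"(xcr0_lo), "=d"(xcr0_hi) : "c"(0));
    _avx = (xcr0_lo & 0x6) == 0x6;
  } else {
    _avx = 0;
  }
  // … unchanged: _avx2/_bmi*/_adx/_sha and _sse*/_cmov assignments, ARM64 branch …
}
```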
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2022 Cryspen Sarl
+ *
+ * Licensed under the Apache License, Version 2.0 or MIT.
+ * - http://www.apache.org/licenses/LICENSE-2.0
+ * - http://opensource.org/licenses/MIT
+ */
+
+#include
+
+#include "hacl-cpu-features.h"
+#include "internal_state.h"
+
+int
+main()
+{
+ hacl_init_cpu_features();
+ printf("\n\n ========== HACL Available CPU Features ==========\n");
+ printf("\tAES \t%s supported\n", hacl_aes_support() ? " " : "not");
+ printf("\tAVX \t%s supported\n", hacl_avx_support() ? " " : "not");
+ printf("\tAVX2 \t%s supported\n", hacl_avx2_support() ? " " : "not");
+ printf("\tBMI1 \t%s supported\n", hacl_bmi1_support() ? " " : "not");
+ printf("\tBMI2 \t%s supported\n", hacl_bmi2_support() ? " " : "not");
+ printf("\tADX \t%s supported\n", hacl_adx_support() ? " " : "not");
+ printf("\tSHA \t%s supported\n", hacl_sha_support() ? " " : "not");
+ printf("\tSSE \t%s supported\n", hacl_sse_support() ? " " : "not");
+ printf("\tSSE2 \t%s supported\n", hacl_sse2_support() ? " " : "not");
+ printf("\tSSE3 \t%s supported\n", hacl_sse3_support() ? " " : "not");
+ printf("\tSSSE3 \t%s supported\n", hacl_ssse3_support() ? " " : "not");
+ printf("\tSSE4.1 \t%s supported\n", hacl_sse41_support() ? " " : "not");
+ printf("\tSSE4.2 \t%s supported\n", hacl_sse42_support() ? " " : "not");
+ printf(" ==================================================\n\n\n");
+
+ printf("\n\n ========= HACL Available Implementations =========\n");
+ printf("\tVec128 \t\t%s supported\n", hacl_vec128_support() ? " " : "not");
+ printf("\tVec256 \t\t%s supported\n", hacl_vec256_support() ? " " : "not");
+ printf("\tVale AES-GCM \t%s supported\n",
+ vale_aesgcm_support() ? " " : "not");
+ printf("\tVace x25519 \t%s supported\n",
+ vale_x25519_support() ? " " : "not");
+ printf("\tVace SHA2 \t%s supported\n", vale_sha2_support() ? " " : "not");
+ printf(" ==================================================\n\n\n");
+}
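Review bot: The last two labels read `Vace x25519` and `Vace SHA2` while the functions queried are `vale_x25519_support` and `vale_sha2_support`, so the tool misnames the Vale implementations in its output; change the format strings to `"\tVale x25519 \t%s supported\n"` and `"\tVale SHA2 \t%s supported\n"`. The feature table omits PCLMUL, MOVBE and CMOV even though internal_state.h exposes `hacl_pclmul_support`, `hacl_movbe_support` and `hacl_cmov_support` and the AES-GCM and Vec128 verdicts printed below depend on them; adding those three rows would make a "not supported" verdict explainable from the same output. The `#include` line for the C library header appears to have lost its `<...>` argument in this rendering, so the file as shown does not declare `printf` — worth confirming against the repository.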
diff --git a/docker/Dockerfile b/docker/Dockerfile
new file mode 100644
index 00000000..c68f76b9
--- /dev/null
+++ b/docker/Dockerfile
@@ -0,0 +1,12 @@
+FROM everest_base_image:1
+
+ARG everest_revision
+
+# Checkout the most recent everest revision that "knows" how to build the
+# desired HACL version.
+RUN git checkout $everest_revision
+RUN ./everest --yes hacl-star pull_projects
+RUN ./everest --yes pull_vale
+RUN ./everest --yes FStar pull_projects FStar make --admit -j 4
+RUN ./everest --yes kremlin pull_projects kremlin make --admit -j 4
+RUN OTHERFLAGS="--warn_error -282+16+19+303" OCAMLRUNPARAM=b=1 ./everest --yes hacl-star make -j 2
diff --git a/docker/build.sh b/docker/build.sh
new file mode 100755
index 00000000..bf59263e
--- /dev/null
+++ b/docker/build.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+set -e
+set -o pipefail
+
+if [[ $1 == "-h" || $1 == "--help" || $1 == "" ]]; then
+ echo "Usage: $0 [EVEREST-REVISION]"
+ echo
+ echo "Creates a container with a successful build of HACL* based on the provided Everest revision"
+ exit 1
+fi
+
+# Essentially this, with a few customizations:
+# https://raw.githubusercontent.com/project-everest/everest-ci/master/server-infra/linux/.docker/Dockerfile
+docker build -t everest_base_image:1 everest --progress=plain # --no-cache
+docker build . --progress=plain --build-arg everest_revision=$1 |& tee build-log
+warning_count=$(cat build-log | grep -e '(Warning \(19\|16\))' | wc -l)
+echo Build succeeded with $warning_count verification errors
diff --git a/docker/everest/Dockerfile b/docker/everest/Dockerfile
new file mode 100644
index 00000000..58ae14e4
--- /dev/null
+++ b/docker/everest/Dockerfile
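Review bot: `$1` is expanded unquoted in `--build-arg everest_revision=$1`, and `$warning_count` likewise in the final `echo`, so a revision string containing whitespace or glob characters is split before it reaches `docker build`; quote both (`--build-arg "everest_revision=$1"`, `echo "Build succeeded with $warning_count verification errors"`). `$(cat build-log | grep -e … | wc -l)` can be `grep -c -e '(Warning \(19\|16\))' build-log`, which drops the superfluous `cat` and the extra pipe stage. The message calls the count "verification errors" while the pattern matches F* warnings 16 and 19; if those are the admitted-query warnings the Dockerfile's `--warn_error -282+16+19+303` promotes, "admitted queries" would describe what is counted more precisely, but that depends on F*'s numbering and is worth confirming.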
@@ -0,0 +1,160 @@
+# This is the Everest Base Image
+# Version 1
+# If you make changes to this file, make sure to update the version above and rebuild the image,
+# also update all references to use the new version, this image should be built using:
+# docker build -f Dockerfile -t everest_base_image:$V .
+# Where $V is the number of the version above
+FROM ubuntu:focal
+
+# Add a new mirror, maybe more stable than Docker's
+# RUN echo 'deb http://mirror.pnl.gov/ubuntu/ focal main' >> /etc/apt/sources.list
+# RUN echo "deb http://mirror.math.ucdavis.edu/ubuntu/ focal main" >> /etc/apt/sources.list
+
+# Try to overcome the "Hash Sum Mismatch" failure by retrying if failed
+RUN echo "Acquire::Retries \"16\";" > /etc/apt/apt.conf.d/99acquire-retries
+
+# Commit changes
+RUN apt-get --yes update
+
+# Configure new PPA for mono
+# from: https://www.mono-project.com/download/stable/#download-lin
+RUN apt-get install --no-install-recommends --yes software-properties-common curl gnupg ca-certificates
+RUN apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF
+RUN echo "deb https://download.mono-project.com/repo/ubuntu stable-focal main" | tee /etc/apt/sources.list.d/mono-official-stable.list
+RUN apt-get --yes update
+
+# Configure repository for node.js 14.x LTS
+# from: https://github.com/nodesource/distributions/blob/master/README.md#debinstall
+RUN curl -sL https://deb.nodesource.com/setup_14.x | bash -
+
+# Configure new PPA for python3.6
+# from: https://askubuntu.com/questions/865554/how-do-i-install-python-3-6-using-apt-get
+RUN add-apt-repository ppa:deadsnakes/ppa
+RUN apt-get --yes update
+
+# Here start the Everest-specific packages
+RUN until apt-get install --no-install-recommends --yes \
+ libssl-dev \
+ libsqlite3-dev \
+ g++ \
+ gcc \
+ m4 \
+ make \
+ opam \
+ git \
+ pandoc \
+ pkg-config \
+ python \
+ libgmp3-dev \
+ zip \
+ unzip \
+ build-essential \
+ automake \
+ ca-certificates-mono \
+ fsharp 
\
+ msbuild \
+ libunwind8 \
+ sudo \
+ python3.6 \
+ python3-pip \
+ python3-setuptools \
+ nuget \
+ ca-certificates \
+ cmake \
+ libtool \
+ autoconf \
+ tzdata \
+ openssh-server \
+ vim \
+ curl \
+ wget \
+ tcptraceroute \
+ emacs \
+ libc6 \
+ libc6-dev \
+ time \
+ jq \
+ nodejs \
+ ; do apt-get --yes update ; done
+
+#Make python3 point to python3.6 (since update-alternatives does not seem to be used here)
+RUN ln -sf /usr/bin/python3.6 /usr/bin/python3
+
+#Install sphinx (for the Low* tutorial)
+RUN pip3 install sphinx==1.7.2 sphinx_rtd_theme
+
+#Install scons
+RUN wget https://downloads.sourceforge.net/project/scons/scons/3.0.1/scons-3.0.1.tar.gz
+RUN tar xf scons-3.0.1.tar.gz
+WORKDIR scons-3.0.1
+RUN python3.6 setup.py install
+WORKDIR ..
+
+#install typescript
+RUN npm install -g typescript
+
+#install less
+RUN npm install -g less
+
+# Install madoko
+RUN npm install madoko -g && npm install jsdoc -g
+
+# Install node server
+RUN npm install http-server -g
+
+# Setup ssh
+RUN mkdir /var/run/sshd
+
+# Set root password
+RUN echo root:Docker! | chpasswd
+RUN sed -i 's/PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
+
+# SSH login fix. Otherwise user is kicked off after login
+RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd
+RUN sed -i 's/PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
+
+# start service
+RUN service ssh start
+
+# Create user everest.
+# We define a home directory by ourselves, because there is no way to have the HOME variable caught by WORKDIR.
+# So, to make it consistent, we explicitly make this directory home when creating the user.
+ENV MYHOME /home/everest
+RUN useradd --shell /bin/bash --create-home --home-dir ${MYHOME} everest
+RUN echo "everest ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers
+RUN echo everest:Docker! 
| chpasswd
+
+# --login: Ensure that the .profile is read at each subsequent RUN (to take all the settings and environment that opam will write there).
+# Other options to bash may be added here, but -c MUST BE the last one (it introduces the actual command to be RUN)
+SHELL ["/bin/bash", "--login", "-c"]
+
+# Switch to user mode
+USER everest
+WORKDIR ${MYHOME}
+
+# Prepare build (OCaml packages). Remove sandboxing once we upgrade to a saner
+# version of Ubuntu
+ENV opamv 4.12.0
+ENV OPAMYES true
+RUN opam init --auto-setup --disable-sandboxing --comp ${opamv} --yes
+
+# Setup the user that will be used to interact with github.
+RUN git config --global user.email "everbld@microsoft.com"
+RUN git config --global user.name "Dzomo the everest Yak"
+
+# Prepare Everest; we write the everest-specific settings into the GLOBAL
+# /etc/profile so that all users benefit from them. Note: had to modify
+# init_container.sh so that its dumb writeout of the entire environment goes
+# before our customizations.
+RUN git clone --branch protz_aarch64 https://github.com/project-everest/everest.git
+RUN rm -rf .git
+ENV EVEREST_ENV_DEST_FILE ${MYHOME}/.profile
+RUN ./everest/everest --yes check
+RUN eval $(opam config env)
+
+RUN echo "echo \$(date -u '+%Y-%m-%d %H:%M:%S') > ~/mru.txt" >> ~/.bashrc
+
+EXPOSE 22 80 443
+
+# Set the final directory entrypoint
+WORKDIR ${MYHOME}/everest
diff --git a/docker/generate/Dockerfile b/docker/generate/Dockerfile
new file mode 100644
index 00000000..80e0fe5c
--- /dev/null
+++ b/docker/generate/Dockerfile
@@ -0,0 +1,9 @@
+FROM hacl:aarch64
+
+ARG everest_revision
+ADD --chown=everest:everest generate.sh /home/everest/everest/
+RUN chmod +x /home/everest/everest/generate.sh
+
+SHELL ["/bin/bash", "-c"]
+# git checkout $everest_revision
+ENTRYPOINT ["/home/everest/everest/generate.sh"]
diff --git a/docker/generate/generate.sh b/docker/generate/generate.sh
new file mode 100644
index 00000000..7390dfe0
--- /dev/null
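Review bot: The image bakes fixed passwords for both accounts into a layer (`RUN echo root:Docker! | chpasswd` and `RUN echo everest:Docker! | chpasswd`), switches `PermitRootLogin` to `yes`, grants everest `NOPASSWD:ALL` sudo and exposes port 22, so any container started from it that is reachable on that port accepts a credential that now lives in the repository history. If interactive SSH access to the build container is really needed, supply the password or an authorized key at run time (a mounted secret or an environment-driven entrypoint) instead of at build time, and leave `PermitRootLogin` at its default. `RUN service ssh start` has no effect on the resulting image because a service started in a build step does not survive it, and the `sed -i 's/PermitRootLogin …'` line is applied twice. `apt-key adv --keyserver hkp://keyserver.ubuntu.com:80` retrieves the mono signing key over unauthenticated HTTP and `curl -sL … | bash -` executes whatever the network returns; shipping the key file in the repository under `/usr/share/keyrings` and downloading the nodesource script to disk to check it before running it would make both steps reproducible and verifiable.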
+++ b/docker/generate/generate.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -e
+set -o pipefail
+
+source ~/.profile
+git checkout .
+git clean -f
+cd hacl-star && git checkout . && git pull && git checkout $1 && cd -
+./everest --yes hacl-star pull_projects
+./everest --yes pull_vale
+./everest --yes FStar pull_projects FStar make --admit -j 4
+./everest --yes kremlin pull_projects kremlin make --admit -j 4
+
+NOOPENSSLCHECK=1 OTHERFLAGS="--warn_error -282+16+19 --admit_smt_queries true" \
+ OCAMLRUNPARAM=b=1 ./everest --yes hacl-star make --admit -j 2
diff --git a/docs/.gitignore b/docs/.gitignore
new file mode 100644
index 00000000..7585238e
--- /dev/null
+++ b/docs/.gitignore
@@ -0,0 +1 @@
+book
diff --git a/docs/book.toml b/docs/book.toml
new file mode 100644
index 00000000..7d38bed8
--- /dev/null
+++ b/docs/book.toml
@@ -0,0 +1,6 @@
+[book]
+authors = ["Franziskus Kiefer"]
+language = "en"
+multilingual = false
+src = "src"
+title = "Cryspen HACL Packages"
diff --git a/docs/src/SUMMARY.md b/docs/src/SUMMARY.md
new file mode 100644
index 00000000..e48c312a
--- /dev/null
+++ b/docs/src/SUMMARY.md
@@ -0,0 +1,39 @@
+# Summary
+
+[Introduction](readme.md)
+
+- [Algorithms](./algorithms.md)
+- [Platforms](./platforms.md)
+- [Installation](./installation.md)
+
+# Building
+
+- [mach](./mach/readme.md)
+ - [build](./mach/build.md)
+ - [test](./mach/test.md)
+
+# HACL C
+
+- [Introduction](./hacl-c/readme.md)
+
+# HACL Rust
+
+- [Introduction](./hacl-rust/readme.md)
+ - [AEADs](./hacl-rust/aead.md)
+
+# HACL OCaml
+
+- [Introduction](./hacl-ocaml/readme.md)
+
+# HACL JavaScript
+
+- [Introduction](./hacl-js/readme.md)
+
+# Developer Guide
+
+- [Introduction](./developers/readme.md)
+ - [Repository Overview](./developers/repo-overview.md)
+ - [Build Process](./developers/build-process.md)
+ - [Rust](./developers/rust-build.md)
+ - [OCaml](./developers/ocaml-build.md)
+ - [Continuous Integration](./developers/ci.md)
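Review bot: `git checkout $1` runs with an unquoted and unchecked argument, so when the revision is omitted the word disappears and the command degrades to a bare `git checkout` that succeeds, after which the script builds whatever hacl-star happened to have checked out; `git checkout "${1:?hacl-star revision required}"` makes `set -e` stop the script instead. `cd -` at the end of that line prints the directory it returns to and relies on `OLDPWD`; running the hacl-star steps in a subshell, `(cd hacl-star && git checkout . && git pull && git checkout "$1")`, avoids both and keeps the caller's working directory untouched even if one of the `&&` steps fails.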
diff --git a/docs/src/algorithms.md b/docs/src/algorithms.md new file mode 100644 index 00000000..c33071e9 --- /dev/null +++ b/docs/src/algorithms.md @@ -0,0 +1,28 @@ +# Algorithms + +The following tables gives an overview over the algorithms supported by the HACL +packages. + +| Family | Algorithm | Support | +| -------------------- | ----------------- | --------------------------------------- | +| AEAD | AES-GCM 128 | AES-NI & CLMUL (x86 only) | +| AEAD | AES-GCM 256 | AES-NI & CLMUL (x86 only) | +| AEAD | Chacha20-Poly1305 | Portable \| vec128 \| vec256 | +| ECDH | Curve25519 | Portable \| BMI2 & ADX | +| ECDH | P-256 | Portable | +| Signature | Ed25519 | Portable | +| Signature | P-256 | Portable | +| Hash | SHA2-224 | Portable \| SHAEXT | +| Hash | SHA2-256 | Portable \| SHAEXT | +| Hash | SHA2-384 | Portable | +| Hash | SHA2-512 | Portable | +| Hash | SHA3 | Portable | +| Hash | Blake2 | Portable \| vec128 \| vec256 | +| Key Derivation | HKDF | Portable (depends on hash) | +| Symmetric Encryption | Chacha20 | Portable \| vec128 \| vec256 | +| Symmetric Encryption | AES 128 | AES-NI & CLMUL (x86 only) | +| Symmetric Encryption | AES 256 | AES-NI & CLMUL (x86 only) | +| MAC | HMAC | Portable (depends on hash) | +| MAC | Poly1305 | Portable \| vec128 \| vec256 \| x64 ASM | + +TODO: Salsa, Nacl API diff --git a/docs/src/developers/build-process.md b/docs/src/developers/build-process.md new file mode 100644 index 00000000..0e61a4ae --- /dev/null +++ b/docs/src/developers/build-process.md 
@@ -0,0 +1,44 @@ +# Build Process + +The HACL C library is built with [CMake] and [ninja] and uses a Python driver +script called `mach`. +Due to the modular nature of the library the build is more complex than for +many other libraries. + +## Selecting Algorithms + +The algorithms compiled into the library can be selected using the `-a|--algorithm` +argument on `mach`. +By default all algorithms are selected. +The files used in the build are selected by running a dependency analysis on the +requested algorithm files (see `configure.py`). +The resulting configuration is written into `config/config.cmake`, which is used +as input into the main build process. +This process is part of the `mach` script. + +## Platform Detection + +Depending on the used toolchain a different set of algorithms can be used. +In order to define the feature set available in the toolchain CMake runs a set +of tests. +The resulting configuration is written into `config/cached-config.txt` for +bindings to use. +Note that the toolchain feature must not be the same as the platform feature +set the build is running on (due to cross compilation or extended features in the +toolchain compared to the actual hardware). +The library has runtime feature detection to ensure that hardware features are +only used when they are actually available. + +## Release Builds + +By default the builds use the debug mode. +For release builds + +``` +./mach build --release +``` + +is used. + +[cmake]: https://cmake.org/ +[ninja]: https://ninja-build.org/ diff --git a/docs/src/developers/ci.md b/docs/src/developers/ci.md new file mode 100644 index 00000000..257fa0f8 --- /dev/null +++ b/docs/src/developers/ci.md @@ -0,0 +1 @@ +# Continuous Integration diff --git a/docs/src/developers/ocaml-build.md b/docs/src/developers/ocaml-build.md new file mode 100644 index 00000000..e690519e --- /dev/null +++ b/docs/src/developers/ocaml-build.md 
@@ -0,0 +1,39 @@ +# OCaml + +There are two different ways of building the OCaml bindings. + +## Mach (Dev Mode) + +When working on the library `mach` offers a convenient way of building the C +library and the ocaml bindings through `mach` using the `-l|--language` argument. + +``` +./mach build -l ocaml +``` + +This build the C library, copies the result into the `ocaml` directory, and then +builds the OCaml bindings on top. +Tests can be called through mach as well `./mach test -l ocaml`. + +## Standalone (Packaging) + +For packaging the hacl-star opam package the bindings can be built standalone. +In this case the local copy of the HACL C library is ignored. +Instead a fresh copy is pulled from the git repository and built locally within +the `ocaml` directory. +The following command run in the `ocaml` directory will build a standalone +version of the package. + +``` +./setup.py +export HACL_MAKE_CONFIG=hacl-packages/config/cached-config.txt +make ocamlevercrypt.cmxa +make -j +``` + +First we need to get the HACL C code, build it, and put it where the Makefile +expects the result. +This is what the `setup.py` script does. +Because the OCaml build requires information about the platform features we +export `HACL_MAKE_CONFIG` to point to the CMake generated information. +Then we can build the bindings with make. diff --git a/docs/src/developers/readme.md b/docs/src/developers/readme.md new file mode 100644 index 00000000..892f44f5 --- /dev/null +++ b/docs/src/developers/readme.md @@ -0,0 +1,4 @@ +# Introduction + +## Contributing +See CONTRIBUTING.md diff --git a/docs/src/developers/repo-overview.md b/docs/src/developers/repo-overview.md new file mode 100644 index 00000000..50968b9e --- /dev/null +++ b/docs/src/developers/repo-overview.md 
@@ -0,0 +1,69 @@
+# Repository Overview
+
+The [hacl-packages repository] is a mono repository for all HACL packages and
+bindings.
+The top level holds the HACL C library that is based on the output of [HACL*].
+
+## Source Code
+
+The C source code lives in the `src` directory for most platforms and the
+standard editions.
+The c89 edition can be found in `src/c89` and the source code for MSVC is found
+int `src/msvc`.
+
+The includes are found in the corresponding `include` directories (`include`,
+`include/c89`, and `include/msvc`).
+
+Vale is considered an external dependency and therefore lives in its own
+directory `vale` --- sources in `vale/src` and headers in `vale/include`.
+
+### Tests
+
+Tests are found in the `tests` folder and are written in modern C++ rather than
+C.
+
+### Karamel
+
+The [KaRaMeL] dependency is found in `kremlin` and holds only headers that are
+used by the HACL C source code.
+
+### CPU Features
+
+A tool for basic CPU feature detection can be found in `cpu-features`.
+This is only used for tests and will probably be removed from this repository
+in future.
+
+## Tools
+
+The build is driven by the `mach` script and the `CMakeLists.txt`.
+They rely on the contents of the `tools` folder (general tools for managing the
+repository and building in Python), as well as the `config` folder (platform
+detection and build configuration helper).
+
+### Docker
+
+Docker tools for extracting the source code from [HACL*] are found in `docker`.
+
+### Docs
+
+The `docs` folder contains this book you're reading right now.
+
+## Bindings
+
+The language bindings are in sub folders.
+
+### Rust
+
+The Rust bindings can be found in the `rust` folder.
+See the [Rust chapter] for more details on the build and structure.
+
+### OCaml
+
+The OCaml bindings can be found in the `ocaml` folder.
+See the [OCaml chapter] for more details on the build and structure.
+
+[hacl-packages repository]: https://github.com/cryspen/hacl-packages
+[hacl*]: https://github.com/project-everest/hacl-star
+[karamel]: https://github.com/FStarLang/karamel
+[ocaml chapter]: ./rust-build.md
+[rust chapter]: ./ocaml-build.md
diff --git a/docs/src/developers/rust-build.md b/docs/src/developers/rust-build.md
new file mode 100644
index 00000000..2f1d5efe
--- /dev/null
+++ b/docs/src/developers/rust-build.md
@@ -0,0 +1 @@
+# Rust
diff --git a/docs/src/hacl-c/readme.md b/docs/src/hacl-c/readme.md
new file mode 100644
index 00000000..ddcd3c29
--- /dev/null
+++ b/docs/src/hacl-c/readme.md
@@ -0,0 +1 @@
+# The HACL C Package
diff --git a/docs/src/hacl-js/readme.md b/docs/src/hacl-js/readme.md
new file mode 100644
index 00000000..e10b99d0
--- /dev/null
+++ b/docs/src/hacl-js/readme.md
@@ -0,0 +1 @@
+# Introduction
diff --git a/docs/src/hacl-ocaml/readme.md b/docs/src/hacl-ocaml/readme.md
new file mode 100644
index 00000000..e10b99d0
--- /dev/null
+++ b/docs/src/hacl-ocaml/readme.md
@@ -0,0 +1 @@
+# Introduction
diff --git a/docs/src/hacl-rust/aead.md b/docs/src/hacl-rust/aead.md
new file mode 100644
index 00000000..3ebcf4ce
--- /dev/null
+++ b/docs/src/hacl-rust/aead.md
@@ -0,0 +1,61 @@
+# AEADs
+
+`hacl-rust` implements three AEADs
+
+```rust,noplayground
+{{#include ../../../rust/src/aead.rs:aead_algorithm}}
+```
+
+There are two different ways of using AEADs.
+
+## Single shot API
+
+The entrypoint for many people will be the single shot API that takes all
+necessary arguments in one function call.
+
+```rust,noplayground
+{{#include ../../../rust/tests/aead-book.rs:single_shot_encrypt}}
+```
+
+```rust,noplayground
+{{#include ../../../rust/tests/aead-book.rs:single_shot_decrypt}}
+```
+
+## Stateful API
+
+In many cases a key is used multiple times though.
+For this case there's a stateful API.
+
+```rust,noplayground
+{{#include ../../../rust/tests/aead-book.rs:stateful_cipher}}
+```
+
+```rust,noplayground
+{{#include ../../../rust/tests/aead-book.rs:stateful_encrypt}}
+```
+
+## In-place APIs
+
+The API also allows to use in-place encryption and decryption, which avoids
+having to allocate memory for the result.
+
+```rust,noplayground
+{{#include ../../../rust/src/aead.rs:aead_encrypt_in_place}}
+```
+
+```rust,noplayground
+{{#include ../../../rust/src/aead.rs:aead_decrypt_in_place}}
+```
+
+## Combined APIs
+
+In many protocols such as TLS the tag is appended to the cipher text.
+To avoid unnecessary copy operations there's an API doing this for you.
+
+```rust,noplayground
+{{#include ../../../rust/src/aead.rs:aead_encrypt_combined}}
+```
+
+```rust,noplayground
+{{#include ../../../rust/src/aead.rs:aead_decrypt_combined}}
+```
diff --git a/docs/src/hacl-rust/readme.md b/docs/src/hacl-rust/readme.md
new file mode 100644
index 00000000..43e47141
--- /dev/null
+++ b/docs/src/hacl-rust/readme.md
@@ -0,0 +1,8 @@
+# Introduction
+
+The `hacl-rust` crate provides bindings to the HACL C package in Rust.
+
+This documentation shows how to use `hacl-rust`.
+There are also [rustdocs] for full API documentation.
+
+[rustdocs]: https://docs.rs/hacl-rust
diff --git a/docs/src/installation.md b/docs/src/installation.md
new file mode 100644
index 00000000..25267fe2
--- /dev/null
+++ b/docs/src/installation.md
@@ -0,0 +1 @@
+# Installation
diff --git a/docs/src/mach/build.md b/docs/src/mach/build.md
new file mode 100644
index 00000000..51b9138a
--- /dev/null
+++ b/docs/src/mach/build.md
@@ -0,0 +1,67 @@
+# build
+
+```
+usage: mach build [-h] [-c] [--tests] [--test] [-r] [-a ALGORITHMS] [-p TARGET] [-d DISABLE]
+ [-s SANITIZER] [--msvc] [-e EDITION] [-l LANGUAGE] [-v] [-m32]
+
+Main entry point for building HACL
+
+ For convenience it is possible to run tests right after building using --test.
+
+ Supported cross compilation targets:
+ - x86_64-apple-darwin (macOS aarch64 only)
+ - s390x
+ - aarch64-apple-ios (macOS only)
+ - aarch64-apple-darwin (macOS x64 only)
+ - aarch64-linux-android
+
+ Features that can be disabled (TBD):
+ - vec128 (avx/neon)
+ - vec256 (avx2)
+ - vale (x64 assembly)
+
+ Supported sanitizers:
+ - asan
+ - ubsan
+
+ Use an edition if you want a different build. Note that this build will
+ use the MSVC version by default on Windows.
+ Supported editions:
+ - c89
+
+ HACL can be built for another language than C.
+ Note that bindings will always require the full C library such that the
+ algorithm flag will be ignored.
+ - rust
+ - ocaml (TBD)
+ - wasm (TBD)
+
+ 💡 Windows builds are limited. The following arguments are not supported:
+ - algorithms
+ - sanitizer
+ - edition
+ - disable
+
+
+optional arguments:
+ -h, --help show this help message and exit
+ -c, --clean Clean before building.
+ --tests Build tests.
+ --test Build and run tests.
+ -r, --release Build in release mode.
+ -a ALGORITHMS, --algorithms ALGORITHMS
+ A list of algorithms to enable. Defaults to all.
+ -p TARGET, --target TARGET
+ Define compile target for cross compilation.
+ -d DISABLE, --disable DISABLE
+ Disable (hardware) features even if available.
+ -s SANITIZER, --sanitizer SANITIZER
+ Enable sanitizers.
+ --msvc Use MSVC on Windows (default is clang-cl).
+ -e EDITION, --edition EDITION
+ Choose a different HACL* edition.
+ -l LANGUAGE, --language LANGUAGE
+ Build language bindings for the given language.
+ -v, --verbose Make builds verbose.
+ -m32 Build for 32-bit (even when on 64-bit).
+```
diff --git a/docs/src/mach/readme.md b/docs/src/mach/readme.md
new file mode 100644
index 00000000..53755c9f
--- /dev/null
+++ b/docs/src/mach/readme.md
@@ -0,0 +1,24 @@
+# mach
+
+The main entry point for all operations is the `mach` script.
+
+## Dependencies
+
+Building HACL from sources requires a set of basic dependencies
+
+- cmake > 3.17
+- ninja
+- python > 3.8
+- clang or gcc (note that primarily clang is used)
+
+## Command line reference
+
+```
+usage: mach [-h] {test,install,build,clean} ...
+
+positional arguments:
+ {test,install,build,clean}
+
+optional arguments:
+ -h, --help show this help message and exit
+```
diff --git a/docs/src/mach/test.md b/docs/src/mach/test.md
new file mode 100644
index 00000000..b94c7b01
--- /dev/null
+++ b/docs/src/mach/test.md
@@ -0,0 +1,13 @@
+# test
+
+```
+usage: mach test [-h] [-a ALGORITHMS]
+
+Test HACL*
+
+
+optional arguments:
+ -h, --help show this help message and exit
+ -a ALGORITHMS, --algorithms ALGORITHMS
+ The algorithms to test.
+```
diff --git a/docs/src/platforms.md b/docs/src/platforms.md
new file mode 100644
index 00000000..705e3dc8
--- /dev/null
+++ b/docs/src/platforms.md
@@ -0,0 +1,40 @@
+# Platforms
+
+The HACL Packages are supported based on the following tiers.
+
+### Tier 1
+
+Tier 1 targets are guaranteed to work. These targets have automated testing to
+ensure that changes do not break them.
+
+- [x] x86_64 Linux (x86_64-unknown-linux-gnu)
+- [x] x86 Linux (i686-unknown-linux-gnu)
+- [x] x86_64 macOS (x86_64-apple-darwin)
+- [x] x86_64 Windows
+ - [x] x86_64-pc-windows-msvc
+ - [x] x86_64-pc-windows-clang
+- [ ] x86 Windows (i686-pc-windows-msvc)
+
+### Tier 2
+
+Tier 2 targets are guaranteed to build.
+These targets have automated builds to ensure that changes do not break the
+builds. However, not all of them are always tested.
+
+- [ ] arm64 macOS (aarch64-apple-darwin)
+- [x] arm64 Linux (aarch64-unknown-linux-gnu)
+- [ ] arm64 Android (aarch64-linux-android)
+- [ ] arm64 iOS (aarch64-apple-ios)
+- [x] s390x z14 Linux (s390x-unknown-linux-gnu)
+
+### Tier 3
+
+Tier 3 targets are supported by the code but there are no automated checks and
+there is no guarantee that they work.
+
+- ARMv7 Android (aarch64arm-linux-androideabi)
+- arm64 iOS Simulator (aarch64-apple-ios-sim)
+- x86_64 iOS (x86_64-apple-ios)
+- PowerPC
+- IBM Z15
+- FreeBSD / x64
diff --git a/docs/src/readme.md b/docs/src/readme.md
new file mode 100644
index 00000000..ca33685d
--- /dev/null
+++ b/docs/src/readme.md
@@ -0,0 +1,57 @@
+# Introduction
+
+The Cryspen HACL packages is a collection of cryptographic libraries developed
+by Cryspen on top of [HACL*].
+In particular, it contains a portable [C crypto library] that selects optimized
+implementations for each platform, as well as [Rust], [OCaml], and [JavaScript]
+bindings for this library.
+
+## Getting Started
+
+If you want to build from sources or run tests, [start here](./).
+
+Depending on the language you are looking for there are different entry points.
+
+- [C][c crypto library]
+- [Rust]
+- [OCaml]
+- [JavaScript]
+
+## Contributing
+
+The Cryspen HACL packages are free and open source.
+You can find the source code on [GitHub] and issues and feature requests can be
+posted on the [GitHub issue tracker].
+If you'd like to contribute, please read the [CONTRIBUTING] guide and
+[developer section] and consider opening a [pull request].
+
+---
+
+The [HACL*] repository is a collection of high-assurance cryptographic
+algorithms developed as part of [Project Everest].
+It includes source code written in [F*], generated code in C, verified assembly
+code from the [Vale] project, and an agile multiplexed cryptographic provider
+called [EverCrypt].
+As such, the full [HACL*] repository contains many software artifacts.
+
+[//]: # "links"
+[cmake]: https://cmake.org/
+[ninja]: https://ninja-build.org/
+[mach]: ./mach
+[gtest]: https://google.github.io/googletest/
+[nlohmann_json]: https://github.com/nlohmann/json
+[hacl*]: https://hacl-star.github.io
+[f*]: https://fstar-lang.org
+[vale]: https://hacl-star.github.io/HaclValeEverCrypt.html
+[evercrypt]: https://hacl-star.github.io/HaclValeEverCrypt.html
+[status]: https://img.shields.io/badge/status-alpha-red.svg?style=for-the-badge
+[project everest]: https://project-everest.github.io/
+[c crypto library]: ./hacl-c/
+[rust]: ./hacl-rust/
+[ocaml]: ./hacl-ocaml/
+[javascript]: ./hacl-js/
+[developer section]: ./developers/
+[github]: https://github.com/cryspen/hacl-packages
+[github issue tracker]: https://github.com/cryspen/hacl-packages/issues
+[pull request]: https://github.com/cryspen/hacl-packages/pulls
+[contributing]: https://github.com/cryspen/hacl-packages/blob/main/CONTRIBUTIN.md
diff --git a/include/EverCrypt_AEAD.h b/include/EverCrypt_AEAD.h
new file mode 100644
index 00000000..1de457aa
--- /dev/null
+++ b/include/EverCrypt_AEAD.h
@@ -0,0 +1,276 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __EverCrypt_AEAD_H
+#define __EverCrypt_AEAD_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Spec.h"
+#include "EverCrypt_Error.h"
+#include "EverCrypt_Chacha20Poly1305.h"
+#include "EverCrypt_AutoConfig2.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+typedef struct EverCrypt_AEAD_state_s_s EverCrypt_AEAD_state_s;
+
+bool EverCrypt_AEAD_uu___is_Ek(Spec_Agile_AEAD_alg a, EverCrypt_AEAD_state_s projectee);
+
+Spec_Agile_AEAD_alg EverCrypt_AEAD_alg_of_state(EverCrypt_AEAD_state_s *s);
+
+EverCrypt_Error_error_code
+EverCrypt_AEAD_create_in(Spec_Agile_AEAD_alg a, EverCrypt_AEAD_state_s **dst, uint8_t *k);
+
+EverCrypt_Error_error_code
+EverCrypt_AEAD_encrypt(
+ EverCrypt_AEAD_state_s *s,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *plain,
+ uint32_t plain_len,
+ uint8_t *cipher,
+ uint8_t *tag
+);
+
+/*
+WARNING: this function doesn't perform any dynamic
+ hardware check. You MUST make sure your hardware supports the
+ implementation of AESGCM. Besides, this function was not designed
+ for cross-compilation: if you compile it on a system which doesn't
+ support Vale, it will compile it to a function which makes the
+ program exit.
+*/
+EverCrypt_Error_error_code
+EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check(
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *plain,
+ uint32_t plain_len,
+ uint8_t *cipher,
+ uint8_t *tag
+);
+
+/*
+WARNING: this function doesn't perform any dynamic
+ hardware check. You MUST make sure your hardware supports the
+ implementation of AESGCM. Besides, this function was not designed
+ for cross-compilation: if you compile it on a system which doesn't
+ support Vale, it will compile it to a function which makes the
+ program exit.
+*/
+EverCrypt_Error_error_code
+EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check(
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *plain,
+ uint32_t plain_len,
+ uint8_t *cipher,
+ uint8_t *tag
+);
+
+EverCrypt_Error_error_code
+EverCrypt_AEAD_encrypt_expand_aes128_gcm(
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *plain,
+ uint32_t plain_len,
+ uint8_t *cipher,
+ uint8_t *tag
+);
+
+EverCrypt_Error_error_code
+EverCrypt_AEAD_encrypt_expand_aes256_gcm(
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *plain,
+ uint32_t plain_len,
+ uint8_t *cipher,
+ uint8_t *tag
+);
+
+EverCrypt_Error_error_code
+EverCrypt_AEAD_encrypt_expand_chacha20_poly1305(
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *plain,
+ uint32_t plain_len,
+ uint8_t *cipher,
+ uint8_t *tag
+);
+
+EverCrypt_Error_error_code
+EverCrypt_AEAD_encrypt_expand(
+ Spec_Agile_AEAD_alg a,
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *plain,
+ uint32_t plain_len,
+ uint8_t *cipher,
+ uint8_t *tag
+);
+
+EverCrypt_Error_error_code
+EverCrypt_AEAD_decrypt(
+ EverCrypt_AEAD_state_s *s,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *cipher,
+ uint32_t cipher_len,
+ uint8_t *tag,
+ uint8_t *dst
+);
+
+/*
+WARNING: this function doesn't perform any dynamic
+ hardware check. You MUST make sure your hardware supports the
+ implementation of AESGCM. Besides, this function was not designed
+ for cross-compilation: if you compile it on a system which doesn't
+ support Vale, it will compile it to a function which makes the
+ program exit.
+*/
+EverCrypt_Error_error_code
+EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check(
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *cipher,
+ uint32_t cipher_len,
+ uint8_t *tag,
+ uint8_t *dst
+);
+
+/*
+WARNING: this function doesn't perform any dynamic
+ hardware check. You MUST make sure your hardware supports the
+ implementation of AESGCM. Besides, this function was not designed
+ for cross-compilation: if you compile it on a system which doesn't
+ support Vale, it will compile it to a function which makes the
+ program exit.
+*/
+EverCrypt_Error_error_code
+EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check(
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *cipher,
+ uint32_t cipher_len,
+ uint8_t *tag,
+ uint8_t *dst
+);
+
+EverCrypt_Error_error_code
+EverCrypt_AEAD_decrypt_expand_aes128_gcm(
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *cipher,
+ uint32_t cipher_len,
+ uint8_t *tag,
+ uint8_t *dst
+);
+
+EverCrypt_Error_error_code
+EverCrypt_AEAD_decrypt_expand_aes256_gcm(
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *cipher,
+ uint32_t cipher_len,
+ uint8_t *tag,
+ uint8_t *dst
+);
+
+EverCrypt_Error_error_code
+EverCrypt_AEAD_decrypt_expand_chacha20_poly1305(
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *cipher,
+ uint32_t cipher_len,
+ uint8_t *tag,
+ uint8_t *dst
+);
+
+EverCrypt_Error_error_code
+EverCrypt_AEAD_decrypt_expand(
+ Spec_Agile_AEAD_alg a,
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *cipher,
+ uint32_t cipher_len,
+ uint8_t *tag,
+ uint8_t *dst
+);
+
+void EverCrypt_AEAD_free(EverCrypt_AEAD_state_s *s);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __EverCrypt_AEAD_H_DEFINED
+#endif
diff --git a/include/EverCrypt_AutoConfig2.h b/include/EverCrypt_AutoConfig2.h
new file mode 100644
index 00000000..fcef2832
--- /dev/null
+++ b/include/EverCrypt_AutoConfig2.h
@@ -0,0 +1,118 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __EverCrypt_AutoConfig2_H
+#define __EverCrypt_AutoConfig2_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+bool EverCrypt_AutoConfig2_has_shaext();
+
+bool EverCrypt_AutoConfig2_has_aesni();
+
+bool EverCrypt_AutoConfig2_has_pclmulqdq();
+
+bool EverCrypt_AutoConfig2_has_avx2();
+
+bool EverCrypt_AutoConfig2_has_avx();
+
+bool EverCrypt_AutoConfig2_has_bmi2();
+
+bool EverCrypt_AutoConfig2_has_adx();
+
+bool EverCrypt_AutoConfig2_has_sse();
+
+bool EverCrypt_AutoConfig2_has_movbe();
+
+bool EverCrypt_AutoConfig2_has_rdrand();
+
+bool EverCrypt_AutoConfig2_has_avx512();
+
+KRML_DEPRECATED("")
+
+bool EverCrypt_AutoConfig2_wants_vale();
+
+bool EverCrypt_AutoConfig2_wants_hacl();
+
+bool EverCrypt_AutoConfig2_wants_openssl();
+
+bool EverCrypt_AutoConfig2_wants_bcrypt();
+
+void EverCrypt_AutoConfig2_recall();
+
+void EverCrypt_AutoConfig2_init();
+
+typedef void (*EverCrypt_AutoConfig2_disabler)();
+
+void EverCrypt_AutoConfig2_disable_avx2();
+
+void EverCrypt_AutoConfig2_disable_avx();
+
+void EverCrypt_AutoConfig2_disable_bmi2();
+
+void EverCrypt_AutoConfig2_disable_adx();
+
+void EverCrypt_AutoConfig2_disable_shaext();
+
+void EverCrypt_AutoConfig2_disable_aesni();
+
+void EverCrypt_AutoConfig2_disable_pclmulqdq();
+
+void EverCrypt_AutoConfig2_disable_sse();
+
+void EverCrypt_AutoConfig2_disable_movbe();
+
+void EverCrypt_AutoConfig2_disable_rdrand();
+
+void EverCrypt_AutoConfig2_disable_avx512();
+
+void EverCrypt_AutoConfig2_disable_vale();
+
+void EverCrypt_AutoConfig2_disable_hacl();
+
+void EverCrypt_AutoConfig2_disable_openssl();
+
+void EverCrypt_AutoConfig2_disable_bcrypt();
+
+bool EverCrypt_AutoConfig2_has_vec128();
+
+bool EverCrypt_AutoConfig2_has_vec256();
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __EverCrypt_AutoConfig2_H_DEFINED
+#endif
diff --git a/include/EverCrypt_CTR.h b/include/EverCrypt_CTR.h
new file mode 100644
index 00000000..10397d58
--- /dev/null
+++ b/include/EverCrypt_CTR.h
@@ -0,0 +1,85 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __EverCrypt_CTR_H
+#define __EverCrypt_CTR_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Spec.h"
+#include "Hacl_Kremlib.h"
+#include "EverCrypt_Error.h"
+#include "EverCrypt_AutoConfig2.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+typedef struct EverCrypt_CTR_state_s_s EverCrypt_CTR_state_s;
+
+bool
+EverCrypt_CTR_uu___is_State(Spec_Agile_Cipher_cipher_alg a, EverCrypt_CTR_state_s projectee);
+
+typedef uint8_t EverCrypt_CTR_uint8;
+
+uint8_t EverCrypt_CTR_xor8(uint8_t a, uint8_t b);
+
+typedef void *EverCrypt_CTR_e_alg;
+
+Spec_Agile_Cipher_cipher_alg EverCrypt_CTR_alg_of_state(EverCrypt_CTR_state_s *s);
+
+EverCrypt_Error_error_code
+EverCrypt_CTR_create_in(
+ Spec_Agile_Cipher_cipher_alg a,
+ EverCrypt_CTR_state_s **dst,
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint32_t c
+);
+
+void
+EverCrypt_CTR_init(
+ EverCrypt_CTR_state_s *p,
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint32_t c
+);
+
+void EverCrypt_CTR_update_block(EverCrypt_CTR_state_s *p, uint8_t *dst, uint8_t *src);
+
+void EverCrypt_CTR_free(EverCrypt_CTR_state_s *p);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __EverCrypt_CTR_H_DEFINED
+#endif
diff --git a/include/EverCrypt_Chacha20Poly1305.h b/include/EverCrypt_Chacha20Poly1305.h
new file mode 100644
index 00000000..52706f75
--- /dev/null
+++ b/include/EverCrypt_Chacha20Poly1305.h
@@ -0,0 +1,73 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __EverCrypt_Chacha20Poly1305_H
+#define __EverCrypt_Chacha20Poly1305_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Chacha20Poly1305_32.h"
+#include "Hacl_Chacha20Poly1305_256.h"
+#include "Hacl_Chacha20Poly1305_128.h"
+#include "EverCrypt_AutoConfig2.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+EverCrypt_Chacha20Poly1305_aead_encrypt(
+ uint8_t *k,
+ uint8_t *n,
+ uint32_t aadlen,
+ uint8_t *aad,
+ uint32_t mlen,
+ uint8_t *m,
+ uint8_t *cipher,
+ uint8_t *tag
+);
+
+uint32_t
+EverCrypt_Chacha20Poly1305_aead_decrypt(
+ uint8_t *k,
+ uint8_t *n,
+ uint32_t aadlen,
+ uint8_t *aad,
+ uint32_t mlen,
+ uint8_t *m,
+ uint8_t *cipher,
+ uint8_t *tag
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __EverCrypt_Chacha20Poly1305_H_DEFINED
+#endif
diff --git a/include/EverCrypt_Cipher.h b/include/EverCrypt_Cipher.h
new file mode 100644
index 00000000..75a37e6e
--- /dev/null
+++ b/include/EverCrypt_Cipher.h
@@ -0,0 +1,56 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __EverCrypt_Cipher_H
+#define __EverCrypt_Cipher_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+EverCrypt_Cipher_chacha20(
+ uint32_t len,
+ uint8_t *dst,
+ uint8_t *src,
+ uint8_t *key,
+ uint8_t *iv,
+ uint32_t ctr
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __EverCrypt_Cipher_H_DEFINED
+#endif
diff --git a/include/EverCrypt_Curve25519.h b/include/EverCrypt_Curve25519.h
new file mode 100644
index 00000000..850694de
--- /dev/null
+++ b/include/EverCrypt_Curve25519.h
@@ -0,0 +1,54 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __EverCrypt_Curve25519_H
+#define __EverCrypt_Curve25519_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Curve25519_64.h"
+#include "Hacl_Curve25519_51.h"
+#include "EverCrypt_AutoConfig2.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void EverCrypt_Curve25519_secret_to_public(uint8_t *pub, uint8_t *priv);
+
+void EverCrypt_Curve25519_scalarmult(uint8_t *shared, uint8_t *my_priv, uint8_t *their_pub);
+
+bool EverCrypt_Curve25519_ecdh(uint8_t *shared, uint8_t *my_priv, uint8_t *their_pub);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __EverCrypt_Curve25519_H_DEFINED
+#endif
diff --git a/include/EverCrypt_DRBG.h b/include/EverCrypt_DRBG.h
new file mode 100644
index 00000000..a40a93a8
--- /dev/null
+++ b/include/EverCrypt_DRBG.h
@@ -0,0 +1,224 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __EverCrypt_DRBG_H +#define __EverCrypt_DRBG_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Lib_RandomBuffer_System.h" +#include "Lib_Memzero0.h" +#include "Hacl_Spec.h" +#include "Hacl_HMAC_DRBG.h" +#include "EverCrypt_HMAC.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef Spec_Hash_Definitions_hash_alg EverCrypt_DRBG_supported_alg; + +extern uint32_t EverCrypt_DRBG_reseed_interval; + +extern uint32_t EverCrypt_DRBG_max_output_length; + +extern uint32_t EverCrypt_DRBG_max_length; + +extern uint32_t EverCrypt_DRBG_max_personalization_string_length; + +extern uint32_t EverCrypt_DRBG_max_additional_input_length; + +uint32_t EverCrypt_DRBG_min_length(Spec_Hash_Definitions_hash_alg a); + +#define EverCrypt_DRBG_SHA1_s 0 +#define EverCrypt_DRBG_SHA2_256_s 1 +#define EverCrypt_DRBG_SHA2_384_s 2 +#define EverCrypt_DRBG_SHA2_512_s 3 + +typedef uint8_t EverCrypt_DRBG_state_s_tags; + +typedef struct EverCrypt_DRBG_state_s_s EverCrypt_DRBG_state_s; + +bool +EverCrypt_DRBG_uu___is_SHA1_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +); + +bool +EverCrypt_DRBG_uu___is_SHA2_256_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +); + +bool +EverCrypt_DRBG_uu___is_SHA2_384_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +); + +bool +EverCrypt_DRBG_uu___is_SHA2_512_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +); + +EverCrypt_DRBG_state_s *EverCrypt_DRBG_create(Spec_Hash_Definitions_hash_alg a); + +bool +EverCrypt_DRBG_instantiate_sha1( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t personalization_string_len +); + +bool +EverCrypt_DRBG_instantiate_sha2_256( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t 
personalization_string_len +); + +bool +EverCrypt_DRBG_instantiate_sha2_384( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t personalization_string_len +); + +bool +EverCrypt_DRBG_instantiate_sha2_512( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t personalization_string_len +); + +bool +EverCrypt_DRBG_reseed_sha1( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +); + +bool +EverCrypt_DRBG_reseed_sha2_256( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +); + +bool +EverCrypt_DRBG_reseed_sha2_384( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +); + +bool +EverCrypt_DRBG_reseed_sha2_512( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +); + +bool +EverCrypt_DRBG_generate_sha1( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +); + +bool +EverCrypt_DRBG_generate_sha2_256( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +); + +bool +EverCrypt_DRBG_generate_sha2_384( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +); + +bool +EverCrypt_DRBG_generate_sha2_512( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +); + +void EverCrypt_DRBG_uninstantiate_sha1(EverCrypt_DRBG_state_s *st); + +void EverCrypt_DRBG_uninstantiate_sha2_256(EverCrypt_DRBG_state_s *st); + +void EverCrypt_DRBG_uninstantiate_sha2_384(EverCrypt_DRBG_state_s *st); + +void EverCrypt_DRBG_uninstantiate_sha2_512(EverCrypt_DRBG_state_s *st); + +bool +EverCrypt_DRBG_instantiate( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t personalization_string_len +); + 
+bool +EverCrypt_DRBG_reseed( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +); + +bool +EverCrypt_DRBG_generate( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +); + +void EverCrypt_DRBG_uninstantiate(EverCrypt_DRBG_state_s *st); + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_DRBG_H_DEFINED +#endif diff --git a/include/EverCrypt_Ed25519.h b/include/EverCrypt_Ed25519.h new file mode 100644 index 00000000..81c1ca7a --- /dev/null +++ b/include/EverCrypt_Ed25519.h 
@@ -0,0 +1,57 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __EverCrypt_Ed25519_H +#define __EverCrypt_Ed25519_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Ed25519.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void EverCrypt_Ed25519_sign(uint8_t *signature, uint8_t *secret, uint32_t len, uint8_t *msg); + +bool EverCrypt_Ed25519_verify(uint8_t *pubkey, uint32_t len, uint8_t *msg, uint8_t *signature); + +void EverCrypt_Ed25519_secret_to_public(uint8_t *output, uint8_t *secret); + +void EverCrypt_Ed25519_expand_keys(uint8_t *ks, uint8_t *secret); + +void +EverCrypt_Ed25519_sign_expanded(uint8_t *signature, uint8_t *ks, uint32_t len, uint8_t *msg); + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_Ed25519_H_DEFINED +#endif diff --git a/include/EverCrypt_Error.h b/include/EverCrypt_Error.h new file mode 100644 index 00000000..8556d509 --- /dev/null +++ b/include/EverCrypt_Error.h 
@@ -0,0 +1,67 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __EverCrypt_Error_H +#define __EverCrypt_Error_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +#define EverCrypt_Error_Success 0 +#define EverCrypt_Error_UnsupportedAlgorithm 1 +#define EverCrypt_Error_InvalidKey 2 +#define EverCrypt_Error_AuthenticationFailure 3 +#define EverCrypt_Error_InvalidIVLength 4 +#define EverCrypt_Error_DecodeError 5 + +typedef uint8_t EverCrypt_Error_error_code; + +bool EverCrypt_Error_uu___is_Success(EverCrypt_Error_error_code projectee); + +bool EverCrypt_Error_uu___is_UnsupportedAlgorithm(EverCrypt_Error_error_code projectee); + +bool EverCrypt_Error_uu___is_InvalidKey(EverCrypt_Error_error_code projectee); + +bool EverCrypt_Error_uu___is_AuthenticationFailure(EverCrypt_Error_error_code projectee); + +bool EverCrypt_Error_uu___is_InvalidIVLength(EverCrypt_Error_error_code projectee); + +bool EverCrypt_Error_uu___is_DecodeError(EverCrypt_Error_error_code projectee); + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_Error_H_DEFINED +#endif diff --git a/include/EverCrypt_HKDF.h b/include/EverCrypt_HKDF.h new file mode 100644 index 00000000..3f51c207 --- /dev/null +++ b/include/EverCrypt_HKDF.h 
@@ -0,0 +1,207 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __EverCrypt_HKDF_H +#define __EverCrypt_HKDF_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Spec.h" +#include "EverCrypt_HMAC.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +EverCrypt_HKDF_expand_sha1( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +EverCrypt_HKDF_extract_sha1( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +void +EverCrypt_HKDF_expand_sha2_256( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +EverCrypt_HKDF_extract_sha2_256( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +void +EverCrypt_HKDF_expand_sha2_384( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +EverCrypt_HKDF_extract_sha2_384( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +void +EverCrypt_HKDF_expand_sha2_512( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +EverCrypt_HKDF_extract_sha2_512( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +void +EverCrypt_HKDF_expand_blake2s( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +EverCrypt_HKDF_extract_blake2s( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +void +EverCrypt_HKDF_expand_blake2b( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +EverCrypt_HKDF_extract_blake2b( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + 
uint8_t *ikm, + uint32_t ikmlen +); + +void +EverCrypt_HKDF_expand( + Spec_Hash_Definitions_hash_alg a, + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +EverCrypt_HKDF_extract( + Spec_Hash_Definitions_hash_alg a, + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +KRML_DEPRECATED("expand") + +void +EverCrypt_HKDF_hkdf_expand( + Spec_Hash_Definitions_hash_alg a, + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +KRML_DEPRECATED("extract") + +void +EverCrypt_HKDF_hkdf_extract( + Spec_Hash_Definitions_hash_alg a, + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_HKDF_H_DEFINED +#endif diff --git a/include/EverCrypt_HMAC.h b/include/EverCrypt_HMAC.h new file mode 100644 index 00000000..7c882f4a --- /dev/null +++ b/include/EverCrypt_HMAC.h 
@@ -0,0 +1,119 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __EverCrypt_HMAC_H +#define __EverCrypt_HMAC_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Spec.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Impl_Blake2_Constants.h" +#include "Hacl_Hash_SHA2.h" +#include "Hacl_Hash_SHA1.h" +#include "EverCrypt_Hash.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +EverCrypt_HMAC_compute_sha1( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +void +EverCrypt_HMAC_compute_sha2_256( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +void +EverCrypt_HMAC_compute_sha2_384( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +void +EverCrypt_HMAC_compute_sha2_512( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +void +EverCrypt_HMAC_compute_blake2s( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +void +EverCrypt_HMAC_compute_blake2b( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +bool EverCrypt_HMAC_is_supported_alg(Spec_Hash_Definitions_hash_alg uu___); + +typedef Spec_Hash_Definitions_hash_alg EverCrypt_HMAC_supported_alg; + +void +EverCrypt_HMAC_compute( + Spec_Hash_Definitions_hash_alg a, + uint8_t *mac, + uint8_t *key, + uint32_t keylen, + uint8_t *data, + uint32_t datalen +); + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_HMAC_H_DEFINED +#endif diff --git a/include/EverCrypt_Hacl.h b/include/EverCrypt_Hacl.h new file mode 100644 index 00000000..1e9cba4c --- /dev/null +++ b/include/EverCrypt_Hacl.h 
@@ -0,0 +1,72 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __EverCrypt_Hacl_H +#define __EverCrypt_Hacl_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +#define EverCrypt_Hacl_aes128_mk_sbox Crypto_Symmetric_AES128_mk_sbox + +extern void EverCrypt_Hacl_aes128_mk_sbox(uint8_t *sb); + +#define EverCrypt_Hacl_aes128_keyExpansion Crypto_Symmetric_AES128_keyExpansion + +extern void EverCrypt_Hacl_aes128_keyExpansion(uint8_t *key, uint8_t *w, uint8_t *sb); + +#define EverCrypt_Hacl_aes128_cipher Crypto_Symmetric_AES128_cipher + +extern void +EverCrypt_Hacl_aes128_cipher(uint8_t *cipher, uint8_t *plain, uint8_t *w, uint8_t *sb); + +#define EverCrypt_Hacl_aes256_mk_sbox Crypto_Symmetric_AES_mk_sbox + +extern void EverCrypt_Hacl_aes256_mk_sbox(uint8_t *sb); + +#define EverCrypt_Hacl_aes256_keyExpansion Crypto_Symmetric_AES_keyExpansion + +extern void EverCrypt_Hacl_aes256_keyExpansion(uint8_t *key, uint8_t *w, uint8_t *sb); + +#define EverCrypt_Hacl_aes256_cipher Crypto_Symmetric_AES_cipher + +extern void +EverCrypt_Hacl_aes256_cipher(uint8_t *cipher, uint8_t *plain, uint8_t *w, uint8_t *sb); + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_Hacl_H_DEFINED +#endif diff --git a/include/EverCrypt_Hash.h b/include/EverCrypt_Hash.h new file mode 100644 index 00000000..fa435883 --- /dev/null +++ b/include/EverCrypt_Hash.h 
@@ -0,0 +1,291 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __EverCrypt_Hash_H +#define __EverCrypt_Hash_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Spec.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Impl_Blake2_Constants.h" +#include "Hacl_Hash_SHA2.h" +#include "Hacl_Hash_SHA1.h" +#include "Hacl_Hash_MD5.h" +#include "EverCrypt_AutoConfig2.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef Spec_Hash_Definitions_hash_alg EverCrypt_Hash_alg; + +C_String_t EverCrypt_Hash_string_of_alg(Spec_Hash_Definitions_hash_alg uu___); + +typedef Spec_Hash_Definitions_hash_alg EverCrypt_Hash_broken_alg; + +typedef Spec_Hash_Definitions_hash_alg EverCrypt_Hash_alg13; + +typedef void *EverCrypt_Hash_e_alg; + +#define EverCrypt_Hash_MD5_s 0 +#define EverCrypt_Hash_SHA1_s 1 +#define EverCrypt_Hash_SHA2_224_s 2 +#define EverCrypt_Hash_SHA2_256_s 3 +#define EverCrypt_Hash_SHA2_384_s 4 +#define EverCrypt_Hash_SHA2_512_s 5 +#define EverCrypt_Hash_Blake2S_s 6 +#define EverCrypt_Hash_Blake2B_s 7 + +typedef uint8_t EverCrypt_Hash_state_s_tags; + +typedef struct EverCrypt_Hash_state_s_s +{ + EverCrypt_Hash_state_s_tags tag; + union { + uint32_t *case_MD5_s; + uint32_t *case_SHA1_s; + uint32_t *case_SHA2_224_s; + uint32_t *case_SHA2_256_s; + uint64_t *case_SHA2_384_s; + uint64_t *case_SHA2_512_s; + uint32_t *case_Blake2S_s; + uint64_t *case_Blake2B_s; + } + ; +} +EverCrypt_Hash_state_s; + +bool +EverCrypt_Hash_uu___is_MD5_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +); + +bool +EverCrypt_Hash_uu___is_SHA1_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +); + +bool +EverCrypt_Hash_uu___is_SHA2_224_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +); + +bool +EverCrypt_Hash_uu___is_SHA2_256_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s 
projectee +); + +bool +EverCrypt_Hash_uu___is_SHA2_384_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +); + +bool +EverCrypt_Hash_uu___is_SHA2_512_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +); + +bool +EverCrypt_Hash_uu___is_Blake2S_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +); + +bool +EverCrypt_Hash_uu___is_Blake2B_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +); + +Spec_Hash_Definitions_hash_alg EverCrypt_Hash_alg_of_state(EverCrypt_Hash_state_s *s); + +EverCrypt_Hash_state_s *EverCrypt_Hash_create_in(Spec_Hash_Definitions_hash_alg a); + +EverCrypt_Hash_state_s *EverCrypt_Hash_create(Spec_Hash_Definitions_hash_alg a); + +void EverCrypt_Hash_init(EverCrypt_Hash_state_s *s); + +void EverCrypt_Hash_update_multi_256(uint32_t *s, uint8_t *blocks, uint32_t n); + +void EverCrypt_Hash_update2(EverCrypt_Hash_state_s *s, uint64_t prevlen, uint8_t *block); + +KRML_DEPRECATED("Use update2 instead") + +void EverCrypt_Hash_update(EverCrypt_Hash_state_s *s, uint8_t *block); + +void +EverCrypt_Hash_update_multi2( + EverCrypt_Hash_state_s *s, + uint64_t prevlen, + uint8_t *blocks, + uint32_t len +); + +KRML_DEPRECATED("Use update_multi2 instead") + +void EverCrypt_Hash_update_multi(EverCrypt_Hash_state_s *s, uint8_t *blocks, uint32_t len); + +void +EverCrypt_Hash_update_last_256( + uint32_t *s, + uint64_t input, + uint8_t *input_len, + uint32_t input_len1 +); + +void +EverCrypt_Hash_update_last2( + EverCrypt_Hash_state_s *s, + uint64_t prev_len, + uint8_t *last, + uint32_t last_len +); + +KRML_DEPRECATED("Use update_last2 instead") + +void EverCrypt_Hash_update_last(EverCrypt_Hash_state_s *s, uint8_t *last, uint64_t total_len); + +void EverCrypt_Hash_finish(EverCrypt_Hash_state_s *s, uint8_t *dst); + +void EverCrypt_Hash_free(EverCrypt_Hash_state_s *s); + +void EverCrypt_Hash_copy(EverCrypt_Hash_state_s *s_src, EverCrypt_Hash_state_s *s_dst); + 
+void EverCrypt_Hash_hash_256(uint8_t *input, uint32_t input_len, uint8_t *dst); + +void EverCrypt_Hash_hash_224(uint8_t *input, uint32_t input_len, uint8_t *dst); + +void +EverCrypt_Hash_hash( + Spec_Hash_Definitions_hash_alg a, + uint8_t *dst, + uint8_t *input, + uint32_t len +); + +uint32_t EverCrypt_Hash_Incremental_hash_len(Spec_Hash_Definitions_hash_alg a); + +uint32_t EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_hash_alg a); + +typedef struct Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s_____s +{ + EverCrypt_Hash_state_s *block_state; + uint8_t *buf; + uint64_t total_len; +} +Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____; + +Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ +*EverCrypt_Hash_Incremental_create_in(Spec_Hash_Definitions_hash_alg a); + +void +EverCrypt_Hash_Incremental_init(Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *s); + +void +EverCrypt_Hash_Incremental_update( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *data, + uint32_t len +); + +void +EverCrypt_Hash_Incremental_finish_md5( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +); + +void +EverCrypt_Hash_Incremental_finish_sha1( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +); + +void +EverCrypt_Hash_Incremental_finish_sha224( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +); + +void +EverCrypt_Hash_Incremental_finish_sha256( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +); + +void +EverCrypt_Hash_Incremental_finish_sha384( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +); + +void +EverCrypt_Hash_Incremental_finish_sha512( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +); + +void +EverCrypt_Hash_Incremental_finish_blake2s( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + 
uint8_t *dst +); + +void +EverCrypt_Hash_Incremental_finish_blake2b( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +); + +Spec_Hash_Definitions_hash_alg +EverCrypt_Hash_Incremental_alg_of_state( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *s +); + +void +EverCrypt_Hash_Incremental_finish( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *s, + uint8_t *dst +); + +void +EverCrypt_Hash_Incremental_free(Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *s); + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_Hash_H_DEFINED +#endif diff --git a/include/EverCrypt_Helpers.h b/include/EverCrypt_Helpers.h new file mode 100644 index 00000000..1cad1faf --- /dev/null +++ b/include/EverCrypt_Helpers.h 
@@ -0,0 +1,62 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __EverCrypt_Helpers_H
+#define __EverCrypt_Helpers_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+typedef uint8_t EverCrypt_Helpers_uint8_t;
+
+typedef uint16_t EverCrypt_Helpers_uint16_t;
+
+typedef uint32_t EverCrypt_Helpers_uint32_t;
+
+typedef uint64_t EverCrypt_Helpers_uint64_t;
+
+typedef uint8_t *EverCrypt_Helpers_uint8_p;
+
+typedef uint16_t *EverCrypt_Helpers_uint16_p;
+
+typedef uint32_t *EverCrypt_Helpers_uint32_p;
+
+typedef uint64_t *EverCrypt_Helpers_uint64_p;
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __EverCrypt_Helpers_H_DEFINED
+#endif
diff --git a/include/EverCrypt_Poly1305.h b/include/EverCrypt_Poly1305.h
new file mode 100644
index 00000000..d4dfe597
--- /dev/null
+++ b/include/EverCrypt_Poly1305.h
@@ -0,0 +1,51 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __EverCrypt_Poly1305_H
+#define __EverCrypt_Poly1305_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Poly1305_32.h"
+#include "Hacl_Poly1305_256.h"
+#include "Hacl_Poly1305_128.h"
+#include "EverCrypt_AutoConfig2.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void EverCrypt_Poly1305_poly1305(uint8_t *dst, uint8_t *src, uint32_t len, uint8_t *key);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __EverCrypt_Poly1305_H_DEFINED
+#endif
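Review bot: The prototype `void EverCrypt_Poly1305_poly1305(uint8_t *dst, uint8_t *src, uint32_t len, uint8_t *key);` carries no contract for its buffers: nothing in the header says that `dst` receives a 16-byte tag, that `key` must point to a 32-byte one-time key, or that `src` and `key` are only read (neither is `const`). For a one-time MAC, the key-reuse rule is the single fact a caller most needs from the header, and the sizes are what a caller needs to avoid an out-of-bounds write into `dst`. The `kremlin/` includes suggest this header is extracted from F*, so if it is regenerated the comment belongs on the F* declaration; either way I would put `/* Poly1305 one-time MAC: writes the 16-byte tag to dst over len bytes of src under the 32-byte key. The key must never be used for more than one message. */` above the prototype.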
diff --git a/include/EverCrypt_StaticConfig.h b/include/EverCrypt_StaticConfig.h
new file mode 100644
index 00000000..057cdec7
--- /dev/null
+++ b/include/EverCrypt_StaticConfig.h
@@ -0,0 +1,54 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __EverCrypt_StaticConfig_H
+#define __EverCrypt_StaticConfig_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+extern bool EverCrypt_StaticConfig_hacl;
+
+extern bool EverCrypt_StaticConfig_vale;
+
+extern bool EverCrypt_StaticConfig_openssl;
+
+extern bool EverCrypt_StaticConfig_bcrypt;
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __EverCrypt_StaticConfig_H_DEFINED
+#endif
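Review bot: The four `extern bool EverCrypt_StaticConfig_*` declarations say nothing about what each flag selects, where it is defined, or whether callers may write it. Declared as non-const globals, they are writable from any translation unit that includes this header; their names suggest they choose between implementation backends, which makes an accidental or hostile write a trust-relevant change, so if they are fixed at build time, `extern const bool` would make that explicit and let the compiler reject stray writes. If this header is regenerated from F* (the `kremlin/` includes suggest so), the change belongs in the source module; otherwise a one-line comment per flag naming what it enables and its defining file would close the gap.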
diff --git a/include/Hacl_AES128.h b/include/Hacl_AES128.h
new file mode 100644
index 00000000..4fdb0078
--- /dev/null
+++ b/include/Hacl_AES128.h
@@ -0,0 +1,51 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_AES128_H
+#define __Hacl_AES128_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+extern void Hacl_AES128_aes128_key_expansion(uint8_t *key, uint8_t *expanded_key);
+
+extern void
+Hacl_AES128_aes128_encrypt_block(uint16_t *cipher, uint16_t *plain, uint8_t *expanded_key);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_AES128_H_DEFINED
+#endif
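Review bot: `Hacl_AES128_aes128_encrypt_block` takes its plaintext and ciphertext blocks as `uint16_t *` while every other buffer in these headers is `uint8_t *`; a caller holding ordinary byte buffers has to cast, which in C raises alignment and strict-aliasing questions, so the element type deserves a comment confirming it matches the implementation's actual signature (the `extern` without a body suggests it is implemented elsewhere, presumably in assembly). Neither prototype documents the required size of `expanded_key`, the byte length of `key`, or the 16-byte block, and none of the read-only pointers is `const`, so a caller cannot size the output buffer from the header alone. I would add a comment above each declaration stating the exact byte length of every buffer and which ones are written, e.g. `/* key: 16 bytes (read). expanded_key: receives the AES-128 key schedule; required size per the implementation. */` for the first and a matching one naming the block size for the second. The `extern` on function declarations is redundant and can be dropped as a style point.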
diff --git a/include/Hacl_Bignum25519_51.h b/include/Hacl_Bignum25519_51.h
new file mode 100644
index 00000000..e619f600
--- /dev/null
+++ b/include/Hacl_Bignum25519_51.h
@@ -0,0 +1,678 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */ + + +#ifndef __Hacl_Bignum25519_51_H +#define __Hacl_Bignum25519_51_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +static inline void Hacl_Impl_Curve25519_Field51_fadd(uint64_t *out, uint64_t *f1, uint64_t *f2) +{ + uint64_t f10 = f1[0U]; + uint64_t f20 = f2[0U]; + uint64_t f11 = f1[1U]; + uint64_t f21 = f2[1U]; + uint64_t f12 = f1[2U]; + uint64_t f22 = f2[2U]; + uint64_t f13 = f1[3U]; + uint64_t f23 = f2[3U]; + uint64_t f14 = f1[4U]; + uint64_t f24 = f2[4U]; + out[0U] = f10 + f20; + out[1U] = f11 + f21; + out[2U] = f12 + f22; + out[3U] = f13 + f23; + out[4U] = f14 + f24; +} + +static inline void Hacl_Impl_Curve25519_Field51_fsub(uint64_t *out, uint64_t *f1, uint64_t *f2) +{ + uint64_t f10 = f1[0U]; + uint64_t f20 = f2[0U]; + uint64_t f11 = f1[1U]; + uint64_t f21 = f2[1U]; + uint64_t f12 = f1[2U]; + uint64_t f22 = f2[2U]; + uint64_t f13 = f1[3U]; + uint64_t f23 = f2[3U]; + uint64_t f14 = f1[4U]; + uint64_t f24 = f2[4U]; + out[0U] = f10 + (uint64_t)0x3fffffffffff68U - f20; + out[1U] = f11 + (uint64_t)0x3ffffffffffff8U - f21; + out[2U] = f12 + (uint64_t)0x3ffffffffffff8U - f22; + out[3U] = f13 + (uint64_t)0x3ffffffffffff8U - f23; + out[4U] = f14 + (uint64_t)0x3ffffffffffff8U - f24; +} + +static inline void +Hacl_Impl_Curve25519_Field51_fmul( + uint64_t *out, + uint64_t *f1, + uint64_t *f2, + FStar_UInt128_uint128 *uu___ +) +{ + uint64_t f10 = f1[0U]; + uint64_t f11 = f1[1U]; + uint64_t f12 = f1[2U]; + uint64_t f13 = f1[3U]; + uint64_t f14 = f1[4U]; + uint64_t f20 = f2[0U]; + uint64_t f21 = f2[1U]; + uint64_t f22 = f2[2U]; + uint64_t f23 = f2[3U]; + uint64_t f24 = f2[4U]; + uint64_t tmp1 = f21 * (uint64_t)19U; + uint64_t tmp2 = f22 * (uint64_t)19U; + uint64_t tmp3 = f23 * (uint64_t)19U; + uint64_t tmp4 = f24 * (uint64_t)19U; + 
FStar_UInt128_uint128 o00 = FStar_UInt128_mul_wide(f10, f20); + FStar_UInt128_uint128 o10 = FStar_UInt128_mul_wide(f10, f21); + FStar_UInt128_uint128 o20 = FStar_UInt128_mul_wide(f10, f22); + FStar_UInt128_uint128 o30 = FStar_UInt128_mul_wide(f10, f23); + FStar_UInt128_uint128 o40 = FStar_UInt128_mul_wide(f10, f24); + FStar_UInt128_uint128 o01 = FStar_UInt128_add(o00, FStar_UInt128_mul_wide(f11, tmp4)); + FStar_UInt128_uint128 o11 = FStar_UInt128_add(o10, FStar_UInt128_mul_wide(f11, f20)); + FStar_UInt128_uint128 o21 = FStar_UInt128_add(o20, FStar_UInt128_mul_wide(f11, f21)); + FStar_UInt128_uint128 o31 = FStar_UInt128_add(o30, FStar_UInt128_mul_wide(f11, f22)); + FStar_UInt128_uint128 o41 = FStar_UInt128_add(o40, FStar_UInt128_mul_wide(f11, f23)); + FStar_UInt128_uint128 o02 = FStar_UInt128_add(o01, FStar_UInt128_mul_wide(f12, tmp3)); + FStar_UInt128_uint128 o12 = FStar_UInt128_add(o11, FStar_UInt128_mul_wide(f12, tmp4)); + FStar_UInt128_uint128 o22 = FStar_UInt128_add(o21, FStar_UInt128_mul_wide(f12, f20)); + FStar_UInt128_uint128 o32 = FStar_UInt128_add(o31, FStar_UInt128_mul_wide(f12, f21)); + FStar_UInt128_uint128 o42 = FStar_UInt128_add(o41, FStar_UInt128_mul_wide(f12, f22)); + FStar_UInt128_uint128 o03 = FStar_UInt128_add(o02, FStar_UInt128_mul_wide(f13, tmp2)); + FStar_UInt128_uint128 o13 = FStar_UInt128_add(o12, FStar_UInt128_mul_wide(f13, tmp3)); + FStar_UInt128_uint128 o23 = FStar_UInt128_add(o22, FStar_UInt128_mul_wide(f13, tmp4)); + FStar_UInt128_uint128 o33 = FStar_UInt128_add(o32, FStar_UInt128_mul_wide(f13, f20)); + FStar_UInt128_uint128 o43 = FStar_UInt128_add(o42, FStar_UInt128_mul_wide(f13, f21)); + FStar_UInt128_uint128 o04 = FStar_UInt128_add(o03, FStar_UInt128_mul_wide(f14, tmp1)); + FStar_UInt128_uint128 o14 = FStar_UInt128_add(o13, FStar_UInt128_mul_wide(f14, tmp2)); + FStar_UInt128_uint128 o24 = FStar_UInt128_add(o23, FStar_UInt128_mul_wide(f14, tmp3)); + FStar_UInt128_uint128 o34 = FStar_UInt128_add(o33, FStar_UInt128_mul_wide(f14, tmp4)); 
+ FStar_UInt128_uint128 o44 = FStar_UInt128_add(o43, FStar_UInt128_mul_wide(f14, f20)); + FStar_UInt128_uint128 tmp_w0 = o04; + FStar_UInt128_uint128 tmp_w1 = o14; + FStar_UInt128_uint128 tmp_w2 = o24; + FStar_UInt128_uint128 tmp_w3 = o34; + FStar_UInt128_uint128 tmp_w4 = o44; + FStar_UInt128_uint128 + l_ = FStar_UInt128_add(tmp_w0, FStar_UInt128_uint64_to_uint128((uint64_t)0U)); + uint64_t tmp01 = FStar_UInt128_uint128_to_uint64(l_) & (uint64_t)0x7ffffffffffffU; + uint64_t c0 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_, (uint32_t)51U)); + FStar_UInt128_uint128 l_0 = FStar_UInt128_add(tmp_w1, FStar_UInt128_uint64_to_uint128(c0)); + uint64_t tmp11 = FStar_UInt128_uint128_to_uint64(l_0) & (uint64_t)0x7ffffffffffffU; + uint64_t c1 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_0, (uint32_t)51U)); + FStar_UInt128_uint128 l_1 = FStar_UInt128_add(tmp_w2, FStar_UInt128_uint64_to_uint128(c1)); + uint64_t tmp21 = FStar_UInt128_uint128_to_uint64(l_1) & (uint64_t)0x7ffffffffffffU; + uint64_t c2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_1, (uint32_t)51U)); + FStar_UInt128_uint128 l_2 = FStar_UInt128_add(tmp_w3, FStar_UInt128_uint64_to_uint128(c2)); + uint64_t tmp31 = FStar_UInt128_uint128_to_uint64(l_2) & (uint64_t)0x7ffffffffffffU; + uint64_t c3 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_2, (uint32_t)51U)); + FStar_UInt128_uint128 l_3 = FStar_UInt128_add(tmp_w4, FStar_UInt128_uint64_to_uint128(c3)); + uint64_t tmp41 = FStar_UInt128_uint128_to_uint64(l_3) & (uint64_t)0x7ffffffffffffU; + uint64_t c4 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_3, (uint32_t)51U)); + uint64_t l_4 = tmp01 + c4 * (uint64_t)19U; + uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU; + uint64_t c5 = l_4 >> (uint32_t)51U; + uint64_t o0 = tmp0_; + uint64_t o1 = tmp11 + c5; + uint64_t o2 = tmp21; + uint64_t o3 = tmp31; + uint64_t o4 = tmp41; + out[0U] = o0; + out[1U] = o1; + out[2U] = o2; + out[3U] = o3; + out[4U] = 
o4; +} + +static inline void +Hacl_Impl_Curve25519_Field51_fmul2( + uint64_t *out, + uint64_t *f1, + uint64_t *f2, + FStar_UInt128_uint128 *uu___ +) +{ + uint64_t f10 = f1[0U]; + uint64_t f11 = f1[1U]; + uint64_t f12 = f1[2U]; + uint64_t f13 = f1[3U]; + uint64_t f14 = f1[4U]; + uint64_t f20 = f2[0U]; + uint64_t f21 = f2[1U]; + uint64_t f22 = f2[2U]; + uint64_t f23 = f2[3U]; + uint64_t f24 = f2[4U]; + uint64_t f30 = f1[5U]; + uint64_t f31 = f1[6U]; + uint64_t f32 = f1[7U]; + uint64_t f33 = f1[8U]; + uint64_t f34 = f1[9U]; + uint64_t f40 = f2[5U]; + uint64_t f41 = f2[6U]; + uint64_t f42 = f2[7U]; + uint64_t f43 = f2[8U]; + uint64_t f44 = f2[9U]; + uint64_t tmp11 = f21 * (uint64_t)19U; + uint64_t tmp12 = f22 * (uint64_t)19U; + uint64_t tmp13 = f23 * (uint64_t)19U; + uint64_t tmp14 = f24 * (uint64_t)19U; + uint64_t tmp21 = f41 * (uint64_t)19U; + uint64_t tmp22 = f42 * (uint64_t)19U; + uint64_t tmp23 = f43 * (uint64_t)19U; + uint64_t tmp24 = f44 * (uint64_t)19U; + FStar_UInt128_uint128 o00 = FStar_UInt128_mul_wide(f10, f20); + FStar_UInt128_uint128 o15 = FStar_UInt128_mul_wide(f10, f21); + FStar_UInt128_uint128 o25 = FStar_UInt128_mul_wide(f10, f22); + FStar_UInt128_uint128 o30 = FStar_UInt128_mul_wide(f10, f23); + FStar_UInt128_uint128 o40 = FStar_UInt128_mul_wide(f10, f24); + FStar_UInt128_uint128 o010 = FStar_UInt128_add(o00, FStar_UInt128_mul_wide(f11, tmp14)); + FStar_UInt128_uint128 o110 = FStar_UInt128_add(o15, FStar_UInt128_mul_wide(f11, f20)); + FStar_UInt128_uint128 o210 = FStar_UInt128_add(o25, FStar_UInt128_mul_wide(f11, f21)); + FStar_UInt128_uint128 o310 = FStar_UInt128_add(o30, FStar_UInt128_mul_wide(f11, f22)); + FStar_UInt128_uint128 o410 = FStar_UInt128_add(o40, FStar_UInt128_mul_wide(f11, f23)); + FStar_UInt128_uint128 o020 = FStar_UInt128_add(o010, FStar_UInt128_mul_wide(f12, tmp13)); + FStar_UInt128_uint128 o120 = FStar_UInt128_add(o110, FStar_UInt128_mul_wide(f12, tmp14)); + FStar_UInt128_uint128 o220 = FStar_UInt128_add(o210, 
FStar_UInt128_mul_wide(f12, f20)); + FStar_UInt128_uint128 o320 = FStar_UInt128_add(o310, FStar_UInt128_mul_wide(f12, f21)); + FStar_UInt128_uint128 o420 = FStar_UInt128_add(o410, FStar_UInt128_mul_wide(f12, f22)); + FStar_UInt128_uint128 o030 = FStar_UInt128_add(o020, FStar_UInt128_mul_wide(f13, tmp12)); + FStar_UInt128_uint128 o130 = FStar_UInt128_add(o120, FStar_UInt128_mul_wide(f13, tmp13)); + FStar_UInt128_uint128 o230 = FStar_UInt128_add(o220, FStar_UInt128_mul_wide(f13, tmp14)); + FStar_UInt128_uint128 o330 = FStar_UInt128_add(o320, FStar_UInt128_mul_wide(f13, f20)); + FStar_UInt128_uint128 o430 = FStar_UInt128_add(o420, FStar_UInt128_mul_wide(f13, f21)); + FStar_UInt128_uint128 o040 = FStar_UInt128_add(o030, FStar_UInt128_mul_wide(f14, tmp11)); + FStar_UInt128_uint128 o140 = FStar_UInt128_add(o130, FStar_UInt128_mul_wide(f14, tmp12)); + FStar_UInt128_uint128 o240 = FStar_UInt128_add(o230, FStar_UInt128_mul_wide(f14, tmp13)); + FStar_UInt128_uint128 o340 = FStar_UInt128_add(o330, FStar_UInt128_mul_wide(f14, tmp14)); + FStar_UInt128_uint128 o440 = FStar_UInt128_add(o430, FStar_UInt128_mul_wide(f14, f20)); + FStar_UInt128_uint128 tmp_w10 = o040; + FStar_UInt128_uint128 tmp_w11 = o140; + FStar_UInt128_uint128 tmp_w12 = o240; + FStar_UInt128_uint128 tmp_w13 = o340; + FStar_UInt128_uint128 tmp_w14 = o440; + FStar_UInt128_uint128 o0 = FStar_UInt128_mul_wide(f30, f40); + FStar_UInt128_uint128 o1 = FStar_UInt128_mul_wide(f30, f41); + FStar_UInt128_uint128 o2 = FStar_UInt128_mul_wide(f30, f42); + FStar_UInt128_uint128 o3 = FStar_UInt128_mul_wide(f30, f43); + FStar_UInt128_uint128 o4 = FStar_UInt128_mul_wide(f30, f44); + FStar_UInt128_uint128 o01 = FStar_UInt128_add(o0, FStar_UInt128_mul_wide(f31, tmp24)); + FStar_UInt128_uint128 o111 = FStar_UInt128_add(o1, FStar_UInt128_mul_wide(f31, f40)); + FStar_UInt128_uint128 o211 = FStar_UInt128_add(o2, FStar_UInt128_mul_wide(f31, f41)); + FStar_UInt128_uint128 o31 = FStar_UInt128_add(o3, FStar_UInt128_mul_wide(f31, f42)); + 
FStar_UInt128_uint128 o41 = FStar_UInt128_add(o4, FStar_UInt128_mul_wide(f31, f43)); + FStar_UInt128_uint128 o02 = FStar_UInt128_add(o01, FStar_UInt128_mul_wide(f32, tmp23)); + FStar_UInt128_uint128 o121 = FStar_UInt128_add(o111, FStar_UInt128_mul_wide(f32, tmp24)); + FStar_UInt128_uint128 o221 = FStar_UInt128_add(o211, FStar_UInt128_mul_wide(f32, f40)); + FStar_UInt128_uint128 o32 = FStar_UInt128_add(o31, FStar_UInt128_mul_wide(f32, f41)); + FStar_UInt128_uint128 o42 = FStar_UInt128_add(o41, FStar_UInt128_mul_wide(f32, f42)); + FStar_UInt128_uint128 o03 = FStar_UInt128_add(o02, FStar_UInt128_mul_wide(f33, tmp22)); + FStar_UInt128_uint128 o131 = FStar_UInt128_add(o121, FStar_UInt128_mul_wide(f33, tmp23)); + FStar_UInt128_uint128 o231 = FStar_UInt128_add(o221, FStar_UInt128_mul_wide(f33, tmp24)); + FStar_UInt128_uint128 o33 = FStar_UInt128_add(o32, FStar_UInt128_mul_wide(f33, f40)); + FStar_UInt128_uint128 o43 = FStar_UInt128_add(o42, FStar_UInt128_mul_wide(f33, f41)); + FStar_UInt128_uint128 o04 = FStar_UInt128_add(o03, FStar_UInt128_mul_wide(f34, tmp21)); + FStar_UInt128_uint128 o141 = FStar_UInt128_add(o131, FStar_UInt128_mul_wide(f34, tmp22)); + FStar_UInt128_uint128 o241 = FStar_UInt128_add(o231, FStar_UInt128_mul_wide(f34, tmp23)); + FStar_UInt128_uint128 o34 = FStar_UInt128_add(o33, FStar_UInt128_mul_wide(f34, tmp24)); + FStar_UInt128_uint128 o44 = FStar_UInt128_add(o43, FStar_UInt128_mul_wide(f34, f40)); + FStar_UInt128_uint128 tmp_w20 = o04; + FStar_UInt128_uint128 tmp_w21 = o141; + FStar_UInt128_uint128 tmp_w22 = o241; + FStar_UInt128_uint128 tmp_w23 = o34; + FStar_UInt128_uint128 tmp_w24 = o44; + FStar_UInt128_uint128 + l_ = FStar_UInt128_add(tmp_w10, FStar_UInt128_uint64_to_uint128((uint64_t)0U)); + uint64_t tmp00 = FStar_UInt128_uint128_to_uint64(l_) & (uint64_t)0x7ffffffffffffU; + uint64_t c00 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_, (uint32_t)51U)); + FStar_UInt128_uint128 l_0 = FStar_UInt128_add(tmp_w11, 
FStar_UInt128_uint64_to_uint128(c00)); + uint64_t tmp10 = FStar_UInt128_uint128_to_uint64(l_0) & (uint64_t)0x7ffffffffffffU; + uint64_t c10 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_0, (uint32_t)51U)); + FStar_UInt128_uint128 l_1 = FStar_UInt128_add(tmp_w12, FStar_UInt128_uint64_to_uint128(c10)); + uint64_t tmp20 = FStar_UInt128_uint128_to_uint64(l_1) & (uint64_t)0x7ffffffffffffU; + uint64_t c20 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_1, (uint32_t)51U)); + FStar_UInt128_uint128 l_2 = FStar_UInt128_add(tmp_w13, FStar_UInt128_uint64_to_uint128(c20)); + uint64_t tmp30 = FStar_UInt128_uint128_to_uint64(l_2) & (uint64_t)0x7ffffffffffffU; + uint64_t c30 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_2, (uint32_t)51U)); + FStar_UInt128_uint128 l_3 = FStar_UInt128_add(tmp_w14, FStar_UInt128_uint64_to_uint128(c30)); + uint64_t tmp40 = FStar_UInt128_uint128_to_uint64(l_3) & (uint64_t)0x7ffffffffffffU; + uint64_t c40 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_3, (uint32_t)51U)); + uint64_t l_4 = tmp00 + c40 * (uint64_t)19U; + uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU; + uint64_t c50 = l_4 >> (uint32_t)51U; + uint64_t o100 = tmp0_; + uint64_t o112 = tmp10 + c50; + uint64_t o122 = tmp20; + uint64_t o132 = tmp30; + uint64_t o142 = tmp40; + FStar_UInt128_uint128 + l_5 = FStar_UInt128_add(tmp_w20, FStar_UInt128_uint64_to_uint128((uint64_t)0U)); + uint64_t tmp0 = FStar_UInt128_uint128_to_uint64(l_5) & (uint64_t)0x7ffffffffffffU; + uint64_t c0 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_5, (uint32_t)51U)); + FStar_UInt128_uint128 l_6 = FStar_UInt128_add(tmp_w21, FStar_UInt128_uint64_to_uint128(c0)); + uint64_t tmp1 = FStar_UInt128_uint128_to_uint64(l_6) & (uint64_t)0x7ffffffffffffU; + uint64_t c1 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_6, (uint32_t)51U)); + FStar_UInt128_uint128 l_7 = FStar_UInt128_add(tmp_w22, FStar_UInt128_uint64_to_uint128(c1)); + uint64_t 
tmp2 = FStar_UInt128_uint128_to_uint64(l_7) & (uint64_t)0x7ffffffffffffU; + uint64_t c2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_7, (uint32_t)51U)); + FStar_UInt128_uint128 l_8 = FStar_UInt128_add(tmp_w23, FStar_UInt128_uint64_to_uint128(c2)); + uint64_t tmp3 = FStar_UInt128_uint128_to_uint64(l_8) & (uint64_t)0x7ffffffffffffU; + uint64_t c3 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_8, (uint32_t)51U)); + FStar_UInt128_uint128 l_9 = FStar_UInt128_add(tmp_w24, FStar_UInt128_uint64_to_uint128(c3)); + uint64_t tmp4 = FStar_UInt128_uint128_to_uint64(l_9) & (uint64_t)0x7ffffffffffffU; + uint64_t c4 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_9, (uint32_t)51U)); + uint64_t l_10 = tmp0 + c4 * (uint64_t)19U; + uint64_t tmp0_0 = l_10 & (uint64_t)0x7ffffffffffffU; + uint64_t c5 = l_10 >> (uint32_t)51U; + uint64_t o200 = tmp0_0; + uint64_t o212 = tmp1 + c5; + uint64_t o222 = tmp2; + uint64_t o232 = tmp3; + uint64_t o242 = tmp4; + uint64_t o10 = o100; + uint64_t o11 = o112; + uint64_t o12 = o122; + uint64_t o13 = o132; + uint64_t o14 = o142; + uint64_t o20 = o200; + uint64_t o21 = o212; + uint64_t o22 = o222; + uint64_t o23 = o232; + uint64_t o24 = o242; + out[0U] = o10; + out[1U] = o11; + out[2U] = o12; + out[3U] = o13; + out[4U] = o14; + out[5U] = o20; + out[6U] = o21; + out[7U] = o22; + out[8U] = o23; + out[9U] = o24; +} + +static inline void Hacl_Impl_Curve25519_Field51_fmul1(uint64_t *out, uint64_t *f1, uint64_t f2) +{ + uint64_t f10 = f1[0U]; + uint64_t f11 = f1[1U]; + uint64_t f12 = f1[2U]; + uint64_t f13 = f1[3U]; + uint64_t f14 = f1[4U]; + FStar_UInt128_uint128 tmp_w0 = FStar_UInt128_mul_wide(f2, f10); + FStar_UInt128_uint128 tmp_w1 = FStar_UInt128_mul_wide(f2, f11); + FStar_UInt128_uint128 tmp_w2 = FStar_UInt128_mul_wide(f2, f12); + FStar_UInt128_uint128 tmp_w3 = FStar_UInt128_mul_wide(f2, f13); + FStar_UInt128_uint128 tmp_w4 = FStar_UInt128_mul_wide(f2, f14); + FStar_UInt128_uint128 + l_ = 
FStar_UInt128_add(tmp_w0, FStar_UInt128_uint64_to_uint128((uint64_t)0U)); + uint64_t tmp0 = FStar_UInt128_uint128_to_uint64(l_) & (uint64_t)0x7ffffffffffffU; + uint64_t c0 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_, (uint32_t)51U)); + FStar_UInt128_uint128 l_0 = FStar_UInt128_add(tmp_w1, FStar_UInt128_uint64_to_uint128(c0)); + uint64_t tmp1 = FStar_UInt128_uint128_to_uint64(l_0) & (uint64_t)0x7ffffffffffffU; + uint64_t c1 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_0, (uint32_t)51U)); + FStar_UInt128_uint128 l_1 = FStar_UInt128_add(tmp_w2, FStar_UInt128_uint64_to_uint128(c1)); + uint64_t tmp2 = FStar_UInt128_uint128_to_uint64(l_1) & (uint64_t)0x7ffffffffffffU; + uint64_t c2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_1, (uint32_t)51U)); + FStar_UInt128_uint128 l_2 = FStar_UInt128_add(tmp_w3, FStar_UInt128_uint64_to_uint128(c2)); + uint64_t tmp3 = FStar_UInt128_uint128_to_uint64(l_2) & (uint64_t)0x7ffffffffffffU; + uint64_t c3 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_2, (uint32_t)51U)); + FStar_UInt128_uint128 l_3 = FStar_UInt128_add(tmp_w4, FStar_UInt128_uint64_to_uint128(c3)); + uint64_t tmp4 = FStar_UInt128_uint128_to_uint64(l_3) & (uint64_t)0x7ffffffffffffU; + uint64_t c4 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_3, (uint32_t)51U)); + uint64_t l_4 = tmp0 + c4 * (uint64_t)19U; + uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU; + uint64_t c5 = l_4 >> (uint32_t)51U; + uint64_t o0 = tmp0_; + uint64_t o1 = tmp1 + c5; + uint64_t o2 = tmp2; + uint64_t o3 = tmp3; + uint64_t o4 = tmp4; + out[0U] = o0; + out[1U] = o1; + out[2U] = o2; + out[3U] = o3; + out[4U] = o4; +} + +static inline void +Hacl_Impl_Curve25519_Field51_fsqr(uint64_t *out, uint64_t *f, FStar_UInt128_uint128 *uu___) +{ + uint64_t f0 = f[0U]; + uint64_t f1 = f[1U]; + uint64_t f2 = f[2U]; + uint64_t f3 = f[3U]; + uint64_t f4 = f[4U]; + uint64_t d0 = (uint64_t)2U * f0; + uint64_t d1 = (uint64_t)2U * f1; + 
uint64_t d2 = (uint64_t)38U * f2; + uint64_t d3 = (uint64_t)19U * f3; + uint64_t d419 = (uint64_t)19U * f4; + uint64_t d4 = (uint64_t)2U * d419; + FStar_UInt128_uint128 + s0 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(f0, f0), + FStar_UInt128_mul_wide(d4, f1)), + FStar_UInt128_mul_wide(d2, f3)); + FStar_UInt128_uint128 + s1 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f1), + FStar_UInt128_mul_wide(d4, f2)), + FStar_UInt128_mul_wide(d3, f3)); + FStar_UInt128_uint128 + s2 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f2), + FStar_UInt128_mul_wide(f1, f1)), + FStar_UInt128_mul_wide(d4, f3)); + FStar_UInt128_uint128 + s3 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f3), + FStar_UInt128_mul_wide(d1, f2)), + FStar_UInt128_mul_wide(f4, d419)); + FStar_UInt128_uint128 + s4 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f4), + FStar_UInt128_mul_wide(d1, f3)), + FStar_UInt128_mul_wide(f2, f2)); + FStar_UInt128_uint128 o00 = s0; + FStar_UInt128_uint128 o10 = s1; + FStar_UInt128_uint128 o20 = s2; + FStar_UInt128_uint128 o30 = s3; + FStar_UInt128_uint128 o40 = s4; + FStar_UInt128_uint128 + l_ = FStar_UInt128_add(o00, FStar_UInt128_uint64_to_uint128((uint64_t)0U)); + uint64_t tmp0 = FStar_UInt128_uint128_to_uint64(l_) & (uint64_t)0x7ffffffffffffU; + uint64_t c0 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_, (uint32_t)51U)); + FStar_UInt128_uint128 l_0 = FStar_UInt128_add(o10, FStar_UInt128_uint64_to_uint128(c0)); + uint64_t tmp1 = FStar_UInt128_uint128_to_uint64(l_0) & (uint64_t)0x7ffffffffffffU; + uint64_t c1 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_0, (uint32_t)51U)); + FStar_UInt128_uint128 l_1 = FStar_UInt128_add(o20, FStar_UInt128_uint64_to_uint128(c1)); + uint64_t tmp2 = FStar_UInt128_uint128_to_uint64(l_1) & (uint64_t)0x7ffffffffffffU; + uint64_t c2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_1, (uint32_t)51U)); + 
FStar_UInt128_uint128 l_2 = FStar_UInt128_add(o30, FStar_UInt128_uint64_to_uint128(c2)); + uint64_t tmp3 = FStar_UInt128_uint128_to_uint64(l_2) & (uint64_t)0x7ffffffffffffU; + uint64_t c3 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_2, (uint32_t)51U)); + FStar_UInt128_uint128 l_3 = FStar_UInt128_add(o40, FStar_UInt128_uint64_to_uint128(c3)); + uint64_t tmp4 = FStar_UInt128_uint128_to_uint64(l_3) & (uint64_t)0x7ffffffffffffU; + uint64_t c4 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_3, (uint32_t)51U)); + uint64_t l_4 = tmp0 + c4 * (uint64_t)19U; + uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU; + uint64_t c5 = l_4 >> (uint32_t)51U; + uint64_t o0 = tmp0_; + uint64_t o1 = tmp1 + c5; + uint64_t o2 = tmp2; + uint64_t o3 = tmp3; + uint64_t o4 = tmp4; + out[0U] = o0; + out[1U] = o1; + out[2U] = o2; + out[3U] = o3; + out[4U] = o4; +} + +static inline void +Hacl_Impl_Curve25519_Field51_fsqr2(uint64_t *out, uint64_t *f, FStar_UInt128_uint128 *uu___) +{ + uint64_t f10 = f[0U]; + uint64_t f11 = f[1U]; + uint64_t f12 = f[2U]; + uint64_t f13 = f[3U]; + uint64_t f14 = f[4U]; + uint64_t f20 = f[5U]; + uint64_t f21 = f[6U]; + uint64_t f22 = f[7U]; + uint64_t f23 = f[8U]; + uint64_t f24 = f[9U]; + uint64_t d00 = (uint64_t)2U * f10; + uint64_t d10 = (uint64_t)2U * f11; + uint64_t d20 = (uint64_t)38U * f12; + uint64_t d30 = (uint64_t)19U * f13; + uint64_t d4190 = (uint64_t)19U * f14; + uint64_t d40 = (uint64_t)2U * d4190; + FStar_UInt128_uint128 + s00 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(f10, f10), + FStar_UInt128_mul_wide(d40, f11)), + FStar_UInt128_mul_wide(d20, f13)); + FStar_UInt128_uint128 + s10 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d00, f11), + FStar_UInt128_mul_wide(d40, f12)), + FStar_UInt128_mul_wide(d30, f13)); + FStar_UInt128_uint128 + s20 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d00, f12), + FStar_UInt128_mul_wide(f11, f11)), + FStar_UInt128_mul_wide(d40, f13)); + 
FStar_UInt128_uint128 + s30 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d00, f13), + FStar_UInt128_mul_wide(d10, f12)), + FStar_UInt128_mul_wide(f14, d4190)); + FStar_UInt128_uint128 + s40 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d00, f14), + FStar_UInt128_mul_wide(d10, f13)), + FStar_UInt128_mul_wide(f12, f12)); + FStar_UInt128_uint128 o100 = s00; + FStar_UInt128_uint128 o110 = s10; + FStar_UInt128_uint128 o120 = s20; + FStar_UInt128_uint128 o130 = s30; + FStar_UInt128_uint128 o140 = s40; + uint64_t d0 = (uint64_t)2U * f20; + uint64_t d1 = (uint64_t)2U * f21; + uint64_t d2 = (uint64_t)38U * f22; + uint64_t d3 = (uint64_t)19U * f23; + uint64_t d419 = (uint64_t)19U * f24; + uint64_t d4 = (uint64_t)2U * d419; + FStar_UInt128_uint128 + s0 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(f20, f20), + FStar_UInt128_mul_wide(d4, f21)), + FStar_UInt128_mul_wide(d2, f23)); + FStar_UInt128_uint128 + s1 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f21), + FStar_UInt128_mul_wide(d4, f22)), + FStar_UInt128_mul_wide(d3, f23)); + FStar_UInt128_uint128 + s2 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f22), + FStar_UInt128_mul_wide(f21, f21)), + FStar_UInt128_mul_wide(d4, f23)); + FStar_UInt128_uint128 + s3 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f23), + FStar_UInt128_mul_wide(d1, f22)), + FStar_UInt128_mul_wide(f24, d419)); + FStar_UInt128_uint128 + s4 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f24), + FStar_UInt128_mul_wide(d1, f23)), + FStar_UInt128_mul_wide(f22, f22)); + FStar_UInt128_uint128 o200 = s0; + FStar_UInt128_uint128 o210 = s1; + FStar_UInt128_uint128 o220 = s2; + FStar_UInt128_uint128 o230 = s3; + FStar_UInt128_uint128 o240 = s4; + FStar_UInt128_uint128 + l_ = FStar_UInt128_add(o100, FStar_UInt128_uint64_to_uint128((uint64_t)0U)); + uint64_t tmp00 = FStar_UInt128_uint128_to_uint64(l_) & (uint64_t)0x7ffffffffffffU; + 
uint64_t c00 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_, (uint32_t)51U)); + FStar_UInt128_uint128 l_0 = FStar_UInt128_add(o110, FStar_UInt128_uint64_to_uint128(c00)); + uint64_t tmp10 = FStar_UInt128_uint128_to_uint64(l_0) & (uint64_t)0x7ffffffffffffU; + uint64_t c10 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_0, (uint32_t)51U)); + FStar_UInt128_uint128 l_1 = FStar_UInt128_add(o120, FStar_UInt128_uint64_to_uint128(c10)); + uint64_t tmp20 = FStar_UInt128_uint128_to_uint64(l_1) & (uint64_t)0x7ffffffffffffU; + uint64_t c20 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_1, (uint32_t)51U)); + FStar_UInt128_uint128 l_2 = FStar_UInt128_add(o130, FStar_UInt128_uint64_to_uint128(c20)); + uint64_t tmp30 = FStar_UInt128_uint128_to_uint64(l_2) & (uint64_t)0x7ffffffffffffU; + uint64_t c30 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_2, (uint32_t)51U)); + FStar_UInt128_uint128 l_3 = FStar_UInt128_add(o140, FStar_UInt128_uint64_to_uint128(c30)); + uint64_t tmp40 = FStar_UInt128_uint128_to_uint64(l_3) & (uint64_t)0x7ffffffffffffU; + uint64_t c40 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_3, (uint32_t)51U)); + uint64_t l_4 = tmp00 + c40 * (uint64_t)19U; + uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU; + uint64_t c50 = l_4 >> (uint32_t)51U; + uint64_t o101 = tmp0_; + uint64_t o111 = tmp10 + c50; + uint64_t o121 = tmp20; + uint64_t o131 = tmp30; + uint64_t o141 = tmp40; + FStar_UInt128_uint128 + l_5 = FStar_UInt128_add(o200, FStar_UInt128_uint64_to_uint128((uint64_t)0U)); + uint64_t tmp0 = FStar_UInt128_uint128_to_uint64(l_5) & (uint64_t)0x7ffffffffffffU; + uint64_t c0 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_5, (uint32_t)51U)); + FStar_UInt128_uint128 l_6 = FStar_UInt128_add(o210, FStar_UInt128_uint64_to_uint128(c0)); + uint64_t tmp1 = FStar_UInt128_uint128_to_uint64(l_6) & (uint64_t)0x7ffffffffffffU; + uint64_t c1 = 
FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_6, (uint32_t)51U)); + FStar_UInt128_uint128 l_7 = FStar_UInt128_add(o220, FStar_UInt128_uint64_to_uint128(c1)); + uint64_t tmp2 = FStar_UInt128_uint128_to_uint64(l_7) & (uint64_t)0x7ffffffffffffU; + uint64_t c2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_7, (uint32_t)51U)); + FStar_UInt128_uint128 l_8 = FStar_UInt128_add(o230, FStar_UInt128_uint64_to_uint128(c2)); + uint64_t tmp3 = FStar_UInt128_uint128_to_uint64(l_8) & (uint64_t)0x7ffffffffffffU; + uint64_t c3 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_8, (uint32_t)51U)); + FStar_UInt128_uint128 l_9 = FStar_UInt128_add(o240, FStar_UInt128_uint64_to_uint128(c3)); + uint64_t tmp4 = FStar_UInt128_uint128_to_uint64(l_9) & (uint64_t)0x7ffffffffffffU; + uint64_t c4 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_9, (uint32_t)51U)); + uint64_t l_10 = tmp0 + c4 * (uint64_t)19U; + uint64_t tmp0_0 = l_10 & (uint64_t)0x7ffffffffffffU; + uint64_t c5 = l_10 >> (uint32_t)51U; + uint64_t o201 = tmp0_0; + uint64_t o211 = tmp1 + c5; + uint64_t o221 = tmp2; + uint64_t o231 = tmp3; + uint64_t o241 = tmp4; + uint64_t o10 = o101; + uint64_t o11 = o111; + uint64_t o12 = o121; + uint64_t o13 = o131; + uint64_t o14 = o141; + uint64_t o20 = o201; + uint64_t o21 = o211; + uint64_t o22 = o221; + uint64_t o23 = o231; + uint64_t o24 = o241; + out[0U] = o10; + out[1U] = o11; + out[2U] = o12; + out[3U] = o13; + out[4U] = o14; + out[5U] = o20; + out[6U] = o21; + out[7U] = o22; + out[8U] = o23; + out[9U] = o24; +} + +static inline void Hacl_Impl_Curve25519_Field51_store_felem(uint64_t *u64s, uint64_t *f) +{ + uint64_t f0 = f[0U]; + uint64_t f1 = f[1U]; + uint64_t f2 = f[2U]; + uint64_t f3 = f[3U]; + uint64_t f4 = f[4U]; + uint64_t l_ = f0 + (uint64_t)0U; + uint64_t tmp0 = l_ & (uint64_t)0x7ffffffffffffU; + uint64_t c0 = l_ >> (uint32_t)51U; + uint64_t l_0 = f1 + c0; + uint64_t tmp1 = l_0 & (uint64_t)0x7ffffffffffffU; + uint64_t c1 = l_0 
>> (uint32_t)51U; + uint64_t l_1 = f2 + c1; + uint64_t tmp2 = l_1 & (uint64_t)0x7ffffffffffffU; + uint64_t c2 = l_1 >> (uint32_t)51U; + uint64_t l_2 = f3 + c2; + uint64_t tmp3 = l_2 & (uint64_t)0x7ffffffffffffU; + uint64_t c3 = l_2 >> (uint32_t)51U; + uint64_t l_3 = f4 + c3; + uint64_t tmp4 = l_3 & (uint64_t)0x7ffffffffffffU; + uint64_t c4 = l_3 >> (uint32_t)51U; + uint64_t l_4 = tmp0 + c4 * (uint64_t)19U; + uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU; + uint64_t c5 = l_4 >> (uint32_t)51U; + uint64_t f01 = tmp0_; + uint64_t f11 = tmp1 + c5; + uint64_t f21 = tmp2; + uint64_t f31 = tmp3; + uint64_t f41 = tmp4; + uint64_t m0 = FStar_UInt64_gte_mask(f01, (uint64_t)0x7ffffffffffedU); + uint64_t m1 = FStar_UInt64_eq_mask(f11, (uint64_t)0x7ffffffffffffU); + uint64_t m2 = FStar_UInt64_eq_mask(f21, (uint64_t)0x7ffffffffffffU); + uint64_t m3 = FStar_UInt64_eq_mask(f31, (uint64_t)0x7ffffffffffffU); + uint64_t m4 = FStar_UInt64_eq_mask(f41, (uint64_t)0x7ffffffffffffU); + uint64_t mask = (((m0 & m1) & m2) & m3) & m4; + uint64_t f0_ = f01 - (mask & (uint64_t)0x7ffffffffffedU); + uint64_t f1_ = f11 - (mask & (uint64_t)0x7ffffffffffffU); + uint64_t f2_ = f21 - (mask & (uint64_t)0x7ffffffffffffU); + uint64_t f3_ = f31 - (mask & (uint64_t)0x7ffffffffffffU); + uint64_t f4_ = f41 - (mask & (uint64_t)0x7ffffffffffffU); + uint64_t f02 = f0_; + uint64_t f12 = f1_; + uint64_t f22 = f2_; + uint64_t f32 = f3_; + uint64_t f42 = f4_; + uint64_t o00 = f02 | f12 << (uint32_t)51U; + uint64_t o10 = f12 >> (uint32_t)13U | f22 << (uint32_t)38U; + uint64_t o20 = f22 >> (uint32_t)26U | f32 << (uint32_t)25U; + uint64_t o30 = f32 >> (uint32_t)39U | f42 << (uint32_t)12U; + uint64_t o0 = o00; + uint64_t o1 = o10; + uint64_t o2 = o20; + uint64_t o3 = o30; + u64s[0U] = o0; + u64s[1U] = o1; + u64s[2U] = o2; + u64s[3U] = o3; +} + +static inline void +Hacl_Impl_Curve25519_Field51_cswap2(uint64_t bit, uint64_t *p1, uint64_t *p2) +{ + uint64_t mask = (uint64_t)0U - bit; + for (uint32_t i = (uint32_t)0U; i 
< (uint32_t)10U; i++) + { + uint64_t dummy = mask & (p1[i] ^ p2[i]); + p1[i] = p1[i] ^ dummy; + p2[i] = p2[i] ^ dummy; + } +} + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Bignum25519_51_H_DEFINED +#endif diff --git a/include/Hacl_Bignum256.h b/include/Hacl_Bignum256.h new file mode 100644 index 00000000..87c22666 --- /dev/null +++ b/include/Hacl_Bignum256.h 
@@ -0,0 +1,409 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Bignum256_H +#define __Hacl_Bignum256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_Bignum_Base.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +/******************************************************************************* + +A verified 256-bit bignum library. + +This is a 64-bit optimized version, where bignums are represented as an array +of four unsigned 64-bit integers, i.e. uint64_t[4]. Furthermore, the +limbs are stored in little-endian format, i.e. the least significant limb is at +index 0. Each limb is stored in native format in memory. 
Example: + + uint64_t sixteen[4] = { 0x10; 0x00; 0x00; 0x00 } + +We strongly encourage users to go through the conversion functions, e.g. +bn_from_bytes_be, to i) not depend on internal representation choices and ii) +have the ability to switch easily to a 32-bit optimized version in the future. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2^256` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 256-bit bignums, i.e. uint64_t[4] +*/ +uint64_t Hacl_Bignum256_add(uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `a - b mod 2^256` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 256-bit bignums, i.e. uint64_t[4] +*/ +uint64_t Hacl_Bignum256_sub(uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum256_add_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum256_sub_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint64_t[4]. + The outparam res is meant to be a 512-bit bignum, i.e. uint64_t[8]. +*/ +void Hacl_Bignum256_mul(uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `a * a` in `res`. + + The argument a is meant to be a 256-bit bignum, i.e. 
uint64_t[4]. + The outparam res is meant to be a 512-bit bignum, i.e. uint64_t[8]. +*/ +void Hacl_Bignum256_sqr(uint64_t *a, uint64_t *res); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 512-bit bignum, i.e. uint64_t[8]. + The argument n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum256_mod(uint64_t *n, uint64_t *a, uint64_t *res); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum256_mod_exp_vartime( + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. 
+ + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum256_mod_exp_consttime( + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum256_mod_inv_prime_vartime(uint64_t *n, uint64_t *a, uint64_t *res); + +typedef struct Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64_s +{ + uint32_t len; + uint64_t *n; + uint64_t mu; + uint64_t *r2; +} +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64; + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be a 256-bit bignum, i.e. uint64_t[4]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum256_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_Bignum256_mont_ctx_init(uint64_t *n); + +/* +Deallocate the memory previously allocated by Hacl_Bignum256_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. +*/ +void Hacl_Bignum256_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 512-bit bignum, i.e. uint64_t[8]. + The outparam res is meant to be a 256-bit bignum, i.e. 
uint64_t[4]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. +*/ +void +Hacl_Bignum256_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum256_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum256_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum256_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +); + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint64_t *Hacl_Bignum256_new_bn_from_bytes_be(uint32_t len, uint8_t *b); + +/* +Load a little-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint64_t *Hacl_Bignum256_new_bn_from_bytes_le(uint32_t len, uint8_t *b); + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a 256-bit bignum. + The outparam res points to 32 bytes of valid memory. 
+*/ +void Hacl_Bignum256_bn_to_bytes_be(uint64_t *b, uint8_t *res); + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a 256-bit bignum. + The outparam res points to 32 bytes of valid memory. +*/ +void Hacl_Bignum256_bn_to_bytes_le(uint64_t *b, uint8_t *res); + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^64 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint64_t[4]. +*/ +uint64_t Hacl_Bignum256_lt_mask(uint64_t *a, uint64_t *b); + +/* +Returns 2^64 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint64_t[4]. +*/ +uint64_t Hacl_Bignum256_eq_mask(uint64_t *a, uint64_t *b); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Bignum256_H_DEFINED +#endif diff --git a/include/Hacl_Bignum256_32.h b/include/Hacl_Bignum256_32.h new file mode 100644 index 00000000..88eacdcb --- /dev/null +++ b/include/Hacl_Bignum256_32.h 
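Review bot: The comment on `Hacl_Bignum256_mont_ctx_init` does not say what the function returns when the heap allocation fails, whereas the `Hacl_Bignum256_new_bn_from_bytes_be`/`_le` comments in the same header state explicitly that NULL is returned and must be handled; without that line a caller cannot know whether the result needs a NULL check before it is handed to the `*_precomp` functions. The `Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64` struct declared just above carries a `uint64_t *n` pointer, so the same comment should also state whether the context copies the modulus or keeps referring to the caller's buffer, since the latter would make that buffer's lifetime part of the contract; I cannot tell which from the header alone. For `Hacl_Bignum256_lt_mask`/`eq_mask` the header does not say whether they run in constant time, which is the usual reason for a mask-returning comparison, and one line either way would help callers that compare secret values. Two wording fixes: `Load a bid-endian bignum from memory.` should read `Load a big-endian bignum from memory.` (the same typo is in Hacl_Bignum256_32.h), and `This functions returns the carry.` in the add/sub comments should be `This function returns the carry.` (repeated in Hacl_Bignum256_32.h and Hacl_Bignum32.h).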
@@ -0,0 +1,401 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Bignum256_32_H +#define __Hacl_Bignum256_32_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_GenericField32.h" +#include "Hacl_Bignum_Base.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +/******************************************************************************* + +A verified 256-bit bignum library. + +This is a 32-bit optimized version, where bignums are represented as an array +of eight unsigned 32-bit integers, i.e. uint32_t[8]. Furthermore, the +limbs are stored in little-endian format, i.e. the least significant limb is at +index 0. 
Each limb is stored in native format in memory. Example: + + uint32_t sixteen[8] = { 0x10; 0x00; 0x00; 0x00; 0x00; 0x00; 0x00; 0x00 } + +We strongly encourage users to go through the conversion functions, e.g. +bn_from_bytes_be, to i) not depend on internal representation choices and ii) +have the ability to switch easily to a 64-bit optimized version in the future. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2^256` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 256-bit bignums, i.e. uint32_t[8] +*/ +uint32_t Hacl_Bignum256_32_add(uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `a - b mod 2^256` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 256-bit bignums, i.e. uint32_t[8] +*/ +uint32_t Hacl_Bignum256_32_sub(uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum256_32_add_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum256_32_sub_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint32_t[8]. + The outparam res is meant to be a 512-bit bignum, i.e. uint32_t[16]. 
+*/ +void Hacl_Bignum256_32_mul(uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `a * a` in `res`. + + The argument a is meant to be a 256-bit bignum, i.e. uint32_t[8]. + The outparam res is meant to be a 512-bit bignum, i.e. uint32_t[16]. +*/ +void Hacl_Bignum256_32_sqr(uint32_t *a, uint32_t *res); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 512-bit bignum, i.e. uint32_t[16]. + The argument n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum256_32_mod(uint32_t *n, uint32_t *a, uint32_t *res); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum256_32_mod_exp_vartime( + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. 
+ + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum256_32_mod_exp_consttime( + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum256_32_mod_inv_prime_vartime(uint32_t *n, uint32_t *a, uint32_t *res); + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be a 256-bit bignum, i.e. uint32_t[8]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum256_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_Bignum256_32_mont_ctx_init(uint32_t *n); + +/* +Deallocate the memory previously allocated by Hacl_Bignum256_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. +*/ +void Hacl_Bignum256_32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 512-bit bignum, i.e. uint32_t[16]. + The outparam res is meant to be a 256-bit bignum, i.e. uint32_t[8]. 
+ The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. +*/ +void +Hacl_Bignum256_32_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum256_32_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum256_32_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum256_32_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +); + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum256_32_new_bn_from_bytes_be(uint32_t len, uint8_t *b); + +/* +Load a little-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum256_32_new_bn_from_bytes_le(uint32_t len, uint8_t *b); + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a 256-bit bignum. + The outparam res points to 32 bytes of valid memory. 
+*/ +void Hacl_Bignum256_32_bn_to_bytes_be(uint32_t *b, uint8_t *res); + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a 256-bit bignum. + The outparam res points to 32 bytes of valid memory. +*/ +void Hacl_Bignum256_32_bn_to_bytes_le(uint32_t *b, uint8_t *res); + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^32 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint32_t[8]. +*/ +uint32_t Hacl_Bignum256_32_lt_mask(uint32_t *a, uint32_t *b); + +/* +Returns 2^32 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint32_t[8]. +*/ +uint32_t Hacl_Bignum256_32_eq_mask(uint32_t *a, uint32_t *b); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Bignum256_32_H_DEFINED +#endif diff --git a/include/Hacl_Bignum32.h b/include/Hacl_Bignum32.h new file mode 100644 index 00000000..93288f64 --- /dev/null +++ b/include/Hacl_Bignum32.h 
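Review bot: The precomputation-section comments in this 32-bit header name the 64-bit entry points: the `Hacl_Bignum256_32_mont_ctx_init` comment tells the caller to release the context with `Hacl_Bignum256_mont_ctx_free`, and the comments on `Hacl_Bignum256_32_mont_ctx_free`, `_mod_precomp`, `_mod_exp_vartime_precomp`, `_mod_exp_consttime_precomp` and `_mod_inv_prime_vartime_precomp` all say the context is `obtained through Hacl_Bignum256_mont_ctx_init`. Those names belong to Hacl_Bignum256.h and its `*_u64` context type, while every prototype here takes a `Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *`, so the text should read `Hacl_Bignum256_32_mont_ctx_init` and `Hacl_Bignum256_32_mont_ctx_free`; as written, a reader following the documentation would mix the two context types. Unlike Hacl_Bignum256.h, this header does not declare the `_u32` context struct itself; it is presumably supplied by the included `Hacl_GenericField32.h`, which is worth a one-line comment next to that include since all the `*_precomp` declarations depend on it.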
@@ -0,0 +1,400 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Bignum32_H +#define __Hacl_Bignum32_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_GenericField32.h" +#include "Hacl_Bignum_Base.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_Bignum32_pbn_mont_ctx_u32; + +/******************************************************************************* + +A verified bignum library. + +This is a 32-bit optimized version, where bignums are represented as an array +of `len` unsigned 32-bit integers, i.e. uint32_t[len]. 
+ +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2 ^ (32 * len)` in `res`. + + This functions returns the carry. + + The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len] +*/ +uint32_t Hacl_Bignum32_add(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `a - b mod 2 ^ (32 * len)` in `res`. + + This functions returns the carry. + + The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len] +*/ +uint32_t Hacl_Bignum32_sub(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum32_add_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum32_sub_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. + The outparam res is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. +*/ +void Hacl_Bignum32_mul(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `a * a` in `res`. + + The argument a is meant to be `len` limbs in size, i.e. uint32_t[len]. + The outparam res is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. 
+*/ +void Hacl_Bignum32_sqr(uint32_t len, uint32_t *a, uint32_t *res); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. + The argument n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum32_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum32_mod_exp_vartime( + uint32_t len, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. 
+ + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum32_mod_exp_consttime( + uint32_t len, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool +Hacl_Bignum32_mod_inv_prime_vartime(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res); + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum32_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 +*Hacl_Bignum32_mont_ctx_init(uint32_t len, uint32_t *n); + +/* +Deallocate the memory previously allocated by Hacl_Bignum32_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. +*/ +void Hacl_Bignum32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. + The outparam res is meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. 
+*/ +void +Hacl_Bignum32_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum32_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum32_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum32_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +); + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to `len` bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum32_new_bn_from_bytes_be(uint32_t len, uint8_t *b); + +/* +Load a little-endian bignum from memory. + + The argument b points to `len` bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum32_new_bn_from_bytes_le(uint32_t len, uint8_t *b); + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a bignum of ⌈len / 4⌉ size. + The outparam res points to `len` bytes of valid memory. 
+*/ +void Hacl_Bignum32_bn_to_bytes_be(uint32_t len, uint32_t *b, uint8_t *res); + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a bignum of ⌈len / 4⌉ size. + The outparam res points to `len` bytes of valid memory. +*/ +void Hacl_Bignum32_bn_to_bytes_le(uint32_t len, uint32_t *b, uint8_t *res); + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^32 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. +*/ +uint32_t Hacl_Bignum32_lt_mask(uint32_t len, uint32_t *a, uint32_t *b); + +/* +Returns 2^32 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. +*/ +uint32_t Hacl_Bignum32_eq_mask(uint32_t len, uint32_t *a, uint32_t *b); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Bignum32_H_DEFINED +#endif diff --git a/include/Hacl_Bignum4096.h b/include/Hacl_Bignum4096.h new file mode 100644 index 00000000..c3716546 --- /dev/null +++ b/include/Hacl_Bignum4096.h 
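Review bot: `Hacl_Bignum32_mont_ctx_init` is documented as heap-allocating, but unlike `Hacl_Bignum32_new_bn_from_bytes_be`/`_le`, whose comments state that NULL is returned when allocation fails, its comment never says whether the returned context can be NULL, so callers have no contract to check against before handing it to the `*_precomp` functions. If the implementation can return NULL (the definition is not in this diff), add `The function returns NULL if the allocation failed; Hacl_Bignum32_mont_ctx_free must not be called on a NULL result.` to that comment. That comment is also the only place the `n % 2 = 1` and `1 < n` requirements of the precomputed path are stated, and unlike `Hacl_Bignum32_mod` they are not reported through a bool return, which is worth saying explicitly so callers validate n before building the context. Separately, "Load a bid-endian bignum" in `Hacl_Bignum32_new_bn_from_bytes_be` should read "big-endian"; the same typo appears in Hacl_Bignum256_32.h, Hacl_Bignum4096.h and Hacl_Bignum4096_32.h in this commit. These headers look KaRaMeL-extracted (`kremlin/internal/*.h` includes), so the wording fixes presumably belong in the source they are generated from rather than in a hand edit of the checked-in header.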
@@ -0,0 +1,405 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Bignum4096_H +#define __Hacl_Bignum4096_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_Bignum_Base.h" +#include "Hacl_Bignum256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +/******************************************************************************* + +A verified 4096-bit bignum library. + +This is a 64-bit optimized version, where bignums are represented as an array +of sixty four unsigned 64-bit integers, i.e. uint64_t[64]. Furthermore, the +limbs are stored in little-endian format, i.e. the least significant limb is at +index 0. 
Each limb is stored in native format in memory. Example: + + uint64_t sixteen[64] = { 0x10 } + + (relying on the fact that when an initializer-list is provided, the remainder + of the object gets initialized as if it had static storage duration, i.e. with + zeroes) + +We strongly encourage users to go through the conversion functions, e.g. +bn_from_bytes_be, to i) not depend on internal representation choices and ii) +have the ability to switch easily to a 32-bit optimized version in the future. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2^4096` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 4096-bit bignums, i.e. uint64_t[64] +*/ +uint64_t Hacl_Bignum4096_add(uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `a - b mod 2^4096` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 4096-bit bignums, i.e. uint64_t[64] +*/ +uint64_t Hacl_Bignum4096_sub(uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum4096_add_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum4096_sub_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint64_t[64]. 
+ The outparam res is meant to be a 8192-bit bignum, i.e. uint64_t[128]. +*/ +void Hacl_Bignum4096_mul(uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `a * a` in `res`. + + The argument a is meant to be a 4096-bit bignum, i.e. uint64_t[64]. + The outparam res is meant to be a 8192-bit bignum, i.e. uint64_t[128]. +*/ +void Hacl_Bignum4096_sqr(uint64_t *a, uint64_t *res); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 8192-bit bignum, i.e. uint64_t[128]. + The argument n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum4096_mod(uint64_t *n, uint64_t *a, uint64_t *res); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum4096_mod_exp_vartime( + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. 
When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum4096_mod_exp_consttime( + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum4096_mod_inv_prime_vartime(uint64_t *n, uint64_t *a, uint64_t *res); + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be a 4096-bit bignum, i.e. uint64_t[64]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum4096_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_Bignum4096_mont_ctx_init(uint64_t *n); + +/* +Deallocate the memory previously allocated by Hacl_Bignum4096_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. +*/ +void Hacl_Bignum4096_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k); + +/* +Write `a mod n` in `res`. 
+ + The argument a is meant to be a 8192-bit bignum, i.e. uint64_t[128]. + The outparam res is meant to be a 4096-bit bignum, i.e. uint64_t[64]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. +*/ +void +Hacl_Bignum4096_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum4096_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. 
+ + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum4096_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum4096_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +); + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint64_t *Hacl_Bignum4096_new_bn_from_bytes_be(uint32_t len, uint8_t *b); + +/* +Load a little-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint64_t *Hacl_Bignum4096_new_bn_from_bytes_le(uint32_t len, uint8_t *b); + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a 4096-bit bignum. 
+ The outparam res points to 512 bytes of valid memory. +*/ +void Hacl_Bignum4096_bn_to_bytes_be(uint64_t *b, uint8_t *res); + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a 4096-bit bignum. + The outparam res points to 512 bytes of valid memory. +*/ +void Hacl_Bignum4096_bn_to_bytes_le(uint64_t *b, uint8_t *res); + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^64 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint64_t[64]. +*/ +uint64_t Hacl_Bignum4096_lt_mask(uint64_t *a, uint64_t *b); + +/* +Returns 2^64 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint64_t[64]. +*/ +uint64_t Hacl_Bignum4096_eq_mask(uint64_t *a, uint64_t *b); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Bignum4096_H_DEFINED +#endif diff --git a/include/Hacl_Bignum4096_32.h b/include/Hacl_Bignum4096_32.h new file mode 100644 index 00000000..5d4c3d64 --- /dev/null +++ b/include/Hacl_Bignum4096_32.h 
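Review bot: The banner comment of Hacl_Bignum4096.h still tells users to go through the conversion functions so they can "switch easily to a 32-bit optimized version in the future", while this same commit adds include/Hacl_Bignum4096_32.h; the sentence should name that header instead, and Hacl_Bignum4096_32.h carries the mirror-image stale sentence about a future 64-bit version. In Hacl_Bignum4096_32.h the comments on `Hacl_Bignum4096_32_mont_ctx_init` and `Hacl_Bignum4096_32_mont_ctx_free` refer to `Hacl_Bignum4096_mont_ctx_free` and `Hacl_Bignum4096_mont_ctx_init`, i.e. the 64-bit routines, which points a reader at the u64 functions for a `bn_mont_ctx_u32` context; they should read `Hacl_Bignum4096_32_mont_ctx_free` and `Hacl_Bignum4096_32_mont_ctx_init`. As with the other headers these appear to be KaRaMeL-extracted, so the corrections presumably belong in the extraction source rather than in these files directly.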
@@ -0,0 +1,405 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Bignum4096_32_H +#define __Hacl_Bignum4096_32_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_GenericField32.h" +#include "Hacl_Bignum_Base.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +/******************************************************************************* + +A verified 4096-bit bignum library. + +This is a 32-bit optimized version, where bignums are represented as an array +of 128 unsigned 32-bit integers, i.e. uint32_t[128]. Furthermore, the +limbs are stored in little-endian format, i.e. the least significant limb is at +index 0. 
Each limb is stored in native format in memory. Example: + + uint32_t sixteen[128] = { 0x10 } + + (relying on the fact that when an initializer-list is provided, the remainder + of the object gets initialized as if it had static storage duration, i.e. with + zeroes) + +We strongly encourage users to go through the conversion functions, e.g. +bn_from_bytes_be, to i) not depend on internal representation choices and ii) +have the ability to switch easily to a 64-bit optimized version in the future. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2^4096` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 4096-bit bignums, i.e. uint32_t[128] +*/ +uint32_t Hacl_Bignum4096_32_add(uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `a - b mod 2^4096` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 4096-bit bignums, i.e. uint32_t[128] +*/ +uint32_t Hacl_Bignum4096_32_sub(uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum4096_32_add_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum4096_32_sub_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be 4096-bit bignums, i.e. 
uint32_t[128]. + The outparam res is meant to be a 8192-bit bignum, i.e. uint32_t[256]. +*/ +void Hacl_Bignum4096_32_mul(uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `a * a` in `res`. + + The argument a is meant to be a 4096-bit bignum, i.e. uint32_t[128]. + The outparam res is meant to be a 8192-bit bignum, i.e. uint32_t[256]. +*/ +void Hacl_Bignum4096_32_sqr(uint32_t *a, uint32_t *res); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 8192-bit bignum, i.e. uint32_t[256]. + The argument n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum4096_32_mod(uint32_t *n, uint32_t *a, uint32_t *res); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum4096_32_mod_exp_vartime( + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. 
When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum4096_32_mod_exp_consttime( + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum4096_32_mod_inv_prime_vartime(uint32_t *n, uint32_t *a, uint32_t *res); + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be a 4096-bit bignum, i.e. uint32_t[128]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum4096_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_Bignum4096_32_mont_ctx_init(uint32_t *n); + +/* +Deallocate the memory previously allocated by Hacl_Bignum4096_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. +*/ +void Hacl_Bignum4096_32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k); + +/* +Write `a mod n` in `res`. 
+ + The argument a is meant to be a 8192-bit bignum, i.e. uint32_t[256]. + The outparam res is meant to be a 4096-bit bignum, i.e. uint32_t[128]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. +*/ +void +Hacl_Bignum4096_32_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum4096_32_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. 
+ + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum4096_32_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum4096_32_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +); + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum4096_32_new_bn_from_bytes_be(uint32_t len, uint8_t *b); + +/* +Load a little-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum4096_32_new_bn_from_bytes_le(uint32_t len, uint8_t *b); + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a 4096-bit bignum. 
+
+ The outparam res points to 512 bytes of valid memory.
+*/
+void Hacl_Bignum4096_32_bn_to_bytes_be(uint32_t *b, uint8_t *res);
+
+/*
+Serialize a bignum into little-endian memory.
+
+ The argument b points to a 4096-bit bignum.
+ The outparam res points to 512 bytes of valid memory.
+*/
+void Hacl_Bignum4096_32_bn_to_bytes_le(uint32_t *b, uint8_t *res);
+
+
+/***************/
+/* Comparisons */
+/***************/
+
+
+/*
+Returns 2^32 - 1 if a < b, otherwise returns 0.
+
+ The arguments a and b are meant to be 4096-bit bignums, i.e. uint32_t[128].
+*/
+uint32_t Hacl_Bignum4096_32_lt_mask(uint32_t *a, uint32_t *b);
+
+/*
+Returns 2^32 - 1 if a = b, otherwise returns 0.
+
+ The arguments a and b are meant to be 4096-bit bignums, i.e. uint32_t[128].
+*/
+uint32_t Hacl_Bignum4096_32_eq_mask(uint32_t *a, uint32_t *b);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Bignum4096_32_H_DEFINED
+#endif
diff --git a/include/Hacl_Bignum64.h b/include/Hacl_Bignum64.h
new file mode 100644
index 00000000..caf5a7a3
--- /dev/null
+++ b/include/Hacl_Bignum64.h
@@ -0,0 +1,400 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Bignum64_H
+#define __Hacl_Bignum64_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Kremlib.h"
+#include "Hacl_Bignum_Base.h"
+#include "Hacl_Bignum256.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+typedef Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_Bignum64_pbn_mont_ctx_u64;
+
+/*******************************************************************************
+
+A verified bignum library.
+
+This is a 64-bit optimized version, where bignums are represented as an array
+of `len` unsigned 64-bit integers, i.e. uint64_t[len].
+
+*******************************************************************************/
+
+/************************/
+/* Arithmetic functions */
+/************************/
+
+
+/*
+Write `a + b mod 2 ^ (64 * len)` in `res`.
+
+ This functions returns the carry.
+
+ The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]
+*/
+uint64_t Hacl_Bignum64_add(uint32_t len, uint64_t *a, uint64_t *b, uint64_t *res);
+
+/*
+Write `a - b mod 2 ^ (64 * len)` in `res`.
+
+ This functions returns the carry.
+
+ The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]
+*/
+uint64_t Hacl_Bignum64_sub(uint32_t len, uint64_t *a, uint64_t *b, uint64_t *res);
+
+/*
+Write `(a + b) mod n` in `res`.
+
+ The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len].
+
+ Before calling this function, the caller will need to ensure that the following
+ preconditions are observed.
+ • a < n
+ • b < n
+*/
+void Hacl_Bignum64_add_mod(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res);
+
+/*
+Write `(a - b) mod n` in `res`.
+
+ The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len].
+
+ Before calling this function, the caller will need to ensure that the following
+ preconditions are observed.
+ • a < n
+ • b < n
+*/
+void Hacl_Bignum64_sub_mod(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res);
+
+/*
+Write `a * b` in `res`.
+
+ The arguments a and b are meant to be `len` limbs in size, i.e. uint64_t[len].
+ The outparam res is meant to be `2*len` limbs in size, i.e. uint64_t[2*len].
+*/
+void Hacl_Bignum64_mul(uint32_t len, uint64_t *a, uint64_t *b, uint64_t *res);
+
+/*
+Write `a * a` in `res`.
+
+ The argument a is meant to be `len` limbs in size, i.e. uint64_t[len].
+ The outparam res is meant to be `2*len` limbs in size, i.e. uint64_t[2*len].
+*/
+void Hacl_Bignum64_sqr(uint32_t len, uint64_t *a, uint64_t *res);
+
+/*
+Write `a mod n` in `res`.
+
+ The argument a is meant to be `2*len` limbs in size, i.e. uint64_t[2*len].
+ The argument n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len].
+
+ The function returns false if any of the following preconditions are violated,
+ true otherwise.
+ • 1 < n
+ • n % 2 = 1
+*/
+bool Hacl_Bignum64_mod(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *res);
+
+/*
+Write `a ^ b mod n` in `res`.
+
+ The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len].
+
+ The argument b is a bignum of any size, and bBits is an upper bound on the
+ number of significant bits of b. A tighter bound results in faster execution
+ time. When in doubt, the number of bits for the bignum size is always a safe
+ default, e.g. if b is a 4096-bit bignum, bBits should be 4096.
+
+ The function is *NOT* constant-time on the argument b. See the
+ mod_exp_consttime_* functions for constant-time variants.
+
+ The function returns false if any of the following preconditions are violated,
+ true otherwise.
+ • n % 2 = 1
+ • 1 < n
+ • b < pow2 bBits
+ • a < n
+*/
+bool
+Hacl_Bignum64_mod_exp_vartime(
+ uint32_t len,
+ uint64_t *n,
+ uint64_t *a,
+ uint32_t bBits,
+ uint64_t *b,
+ uint64_t *res
+);
+
+/*
+Write `a ^ b mod n` in `res`.
+
+ The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len].
+
+ The argument b is a bignum of any size, and bBits is an upper bound on the
+ number of significant bits of b. A tighter bound results in faster execution
+ time. When in doubt, the number of bits for the bignum size is always a safe
+ default, e.g. if b is a 4096-bit bignum, bBits should be 4096.
+
+ This function is constant-time over its argument b, at the cost of a slower
+ execution time than mod_exp_vartime.
+
+ The function returns false if any of the following preconditions are violated,
+ true otherwise.
+ • n % 2 = 1
+ • 1 < n
+ • b < pow2 bBits
+ • a < n
+*/
+bool
+Hacl_Bignum64_mod_exp_consttime(
+ uint32_t len,
+ uint64_t *n,
+ uint64_t *a,
+ uint32_t bBits,
+ uint64_t *b,
+ uint64_t *res
+);
+
+/*
+Write `a ^ (-1) mod n` in `res`.
+
+ The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len].
+
+ Before calling this function, the caller will need to ensure that the following
+ preconditions are observed.
+ • n is a prime
+
+ The function returns false if any of the following preconditions are violated,
+ true otherwise.
+ • n % 2 = 1
+ • 1 < n
+ • 0 < a
+ • a < n
+*/
+bool
+Hacl_Bignum64_mod_inv_prime_vartime(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *res);
+
+
+/**********************************************/
+/* Arithmetic functions with precomputations. */
+/**********************************************/
+
+
+/*
+Heap-allocate and initialize a montgomery context.
+
+ The argument n is meant to be `len` limbs in size, i.e. uint64_t[len].
+
+ Before calling this function, the caller will need to ensure that the following
+ preconditions are observed.
+ • n % 2 = 1
+ • 1 < n
+
+ The caller will need to call Hacl_Bignum64_mont_ctx_free on the return value
+ to avoid memory leaks.
+*/
+Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64
+*Hacl_Bignum64_mont_ctx_init(uint32_t len, uint64_t *n);
+
+/*
+Deallocate the memory previously allocated by Hacl_Bignum64_mont_ctx_init.
+
+ The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init.
+*/
+void Hacl_Bignum64_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k);
+
+/*
+Write `a mod n` in `res`.
+
+ The argument a is meant to be `2*len` limbs in size, i.e. uint64_t[2*len].
+ The outparam res is meant to be `len` limbs in size, i.e. uint64_t[len].
+ The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init.
+*/
+void
+Hacl_Bignum64_mod_precomp(
+ Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k,
+ uint64_t *a,
+ uint64_t *res
+);
+
+/*
+Write `a ^ b mod n` in `res`.
+
+ The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len].
+ The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init.
+
+ The argument b is a bignum of any size, and bBits is an upper bound on the
+ number of significant bits of b. A tighter bound results in faster execution
+ time. When in doubt, the number of bits for the bignum size is always a safe
+ default, e.g. if b is a 4096-bit bignum, bBits should be 4096.
+
+ The function is *NOT* constant-time on the argument b. See the
+ mod_exp_consttime_* functions for constant-time variants.
+
+ Before calling this function, the caller will need to ensure that the following
+ preconditions are observed.
+ • b < pow2 bBits
+ • a < n
+*/
+void
+Hacl_Bignum64_mod_exp_vartime_precomp(
+ Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k,
+ uint64_t *a,
+ uint32_t bBits,
+ uint64_t *b,
+ uint64_t *res
+);
+
+/*
+Write `a ^ b mod n` in `res`.
+
+ The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len].
+ The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init.
+
+ The argument b is a bignum of any size, and bBits is an upper bound on the
+ number of significant bits of b. A tighter bound results in faster execution
+ time. When in doubt, the number of bits for the bignum size is always a safe
+ default, e.g. if b is a 4096-bit bignum, bBits should be 4096.
+
+ This function is constant-time over its argument b, at the cost of a slower
+ execution time than mod_exp_vartime_*.
+
+ Before calling this function, the caller will need to ensure that the following
+ preconditions are observed.
+ • b < pow2 bBits
+ • a < n
+*/
+void
+Hacl_Bignum64_mod_exp_consttime_precomp(
+ Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k,
+ uint64_t *a,
+ uint32_t bBits,
+ uint64_t *b,
+ uint64_t *res
+);
+
+/*
+Write `a ^ (-1) mod n` in `res`.
+
+ The argument a and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len].
+ The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init.
+
+ Before calling this function, the caller will need to ensure that the following
+ preconditions are observed.
+ • n is a prime
+ • 0 < a
+ • a < n
+*/
+void
+Hacl_Bignum64_mod_inv_prime_vartime_precomp(
+ Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k,
+ uint64_t *a,
+ uint64_t *res
+);
+
+
+/********************/
+/* Loads and stores */
+/********************/
+
+
+/*
+Load a bid-endian bignum from memory.
+
+ The argument b points to `len` bytes of valid memory.
+ The function returns a heap-allocated bignum of size sufficient to hold the
+ result of loading b, or NULL if either the allocation failed, or the amount of
+ required memory would exceed 4GB.
+
+ If the return value is non-null, clients must eventually call free(3) on it to
+ avoid memory leaks.
+*/
+uint64_t *Hacl_Bignum64_new_bn_from_bytes_be(uint32_t len, uint8_t *b);
+
+/*
+Load a little-endian bignum from memory.
+
+ The argument b points to `len` bytes of valid memory.
+ The function returns a heap-allocated bignum of size sufficient to hold the
+ result of loading b, or NULL if either the allocation failed, or the amount of
+ required memory would exceed 4GB.
+
+ If the return value is non-null, clients must eventually call free(3) on it to
+ avoid memory leaks.
+*/
+uint64_t *Hacl_Bignum64_new_bn_from_bytes_le(uint32_t len, uint8_t *b);
+
+/*
+Serialize a bignum into big-endian memory.
+
+ The argument b points to a bignum of ⌈len / 8⌉ size.
+ The outparam res points to `len` bytes of valid memory.
+*/
+void Hacl_Bignum64_bn_to_bytes_be(uint32_t len, uint64_t *b, uint8_t *res);
+
+/*
+Serialize a bignum into little-endian memory.
+
+ The argument b points to a bignum of ⌈len / 8⌉ size.
+ The outparam res points to `len` bytes of valid memory.
+*/
+void Hacl_Bignum64_bn_to_bytes_le(uint32_t len, uint64_t *b, uint8_t *res);
+
+
+/***************/
+/* Comparisons */
+/***************/
+
+
+/*
+Returns 2^64 - 1 if a < b, otherwise returns 0.
+
+ The arguments a and b are meant to be `len` limbs in size, i.e. uint64_t[len].
+*/
+uint64_t Hacl_Bignum64_lt_mask(uint32_t len, uint64_t *a, uint64_t *b);
+
+/*
+Returns 2^64 - 1 if a = b, otherwise returns 0.
+
+ The arguments a and b are meant to be `len` limbs in size, i.e. uint64_t[len].
+*/
+uint64_t Hacl_Bignum64_eq_mask(uint32_t len, uint64_t *a, uint64_t *b);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Bignum64_H_DEFINED
+#endif
diff --git a/include/Hacl_Bignum_Base.h b/include/Hacl_Bignum_Base.h
new file mode 100644
index 00000000..9e947748
--- /dev/null
+++ b/include/Hacl_Bignum_Base.h
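Review bot: The comment on `Hacl_Bignum64_new_bn_from_bytes_be` reads "Load a bid-endian bignum from memory."; it should be `Load a big-endian bignum from memory.` (the same typo is in the Hacl_Bignum4096_32 hunk above). The `Hacl_Bignum64_add` and `Hacl_Bignum64_sub` comments both say "This functions returns the carry." — `This function returns the carry.` — and for `_sub` the returned value is presumably the borrow, which is worth saying so callers do not read it as the opposite sense. No comment in the header states the admissible range of `len` (whether `len == 0` is accepted, or the bound that keeps `2*len` limbs and the `len`-byte buffers of the load/store functions within `uint32_t`), although the mul, mod and serialization contracts all depend on it; a sentence in the introductory block would settle that for callers. The bare `+#include` line before the kremlin includes, here and in every other new header, appears to have lost its `<...>` argument in rendering rather than in the source, but is worth confirming in the committed file.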
@@ -0,0 +1,77 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Bignum_Base_H
+#define __Hacl_Bignum_Base_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Kremlib.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+static inline uint64_t
+Hacl_Bignum_Base_mul_wide_add_u64(uint64_t a, uint64_t b, uint64_t c_in, uint64_t *out)
+{
+ FStar_UInt128_uint128
+ res = FStar_UInt128_add(FStar_UInt128_mul_wide(a, b), FStar_UInt128_uint64_to_uint128(c_in));
+ out[0U] = FStar_UInt128_uint128_to_uint64(res);
+ return FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U));
+}
+
+static inline uint32_t
+Hacl_Bignum_Base_mul_wide_add2_u32(uint32_t a, uint32_t b, uint32_t c_in, uint32_t *out)
+{
+ uint32_t out0 = out[0U];
+ uint64_t res = (uint64_t)a * (uint64_t)b + (uint64_t)c_in + (uint64_t)out0;
+ out[0U] = (uint32_t)res;
+ return (uint32_t)(res >> (uint32_t)32U);
+}
+
+static inline uint64_t
+Hacl_Bignum_Base_mul_wide_add2_u64(uint64_t a, uint64_t b, uint64_t c_in, uint64_t *out)
+{
+ uint64_t out0 = out[0U];
+ FStar_UInt128_uint128
+ res =
+ FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(a, b),
+ FStar_UInt128_uint64_to_uint128(c_in)),
+ FStar_UInt128_uint64_to_uint128(out0));
+ out[0U] = FStar_UInt128_uint128_to_uint64(res);
+ return FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U));
+}
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Bignum_Base_H_DEFINED
+#endif
diff --git a/include/Hacl_Chacha20.h b/include/Hacl_Chacha20.h
new file mode 100644
index 00000000..2794419e
--- /dev/null
+++ b/include/Hacl_Chacha20.h
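Review bot: The three `static inline` helpers carry no comment on what they compute or on how `out` is used, although each is a limb multiply-accumulate that stores the low limb through `out` and returns the high limb. Above `Hacl_Bignum_Base_mul_wide_add_u64` I would add `/* out[0] = low 64 bits of a*b + c_in; returns the high 64 bits (sum formed in 128-bit via FStar_UInt128). */`, and above the two `add2` variants `/* out[0] = low limb of a*b + c_in + out[0]; returns the high limb. out is read before it is written. */`. It is also worth recording why the `u32` variant may accumulate in a plain `uint64_t`: `(2^32-1)^2 + 2*(2^32-1) = 2^64-1`, so the sum cannot wrap, which is the same headroom the 128-bit arithmetic gives the `u64` variants. A note that `out` must point to at least one writable limb completes the contract for callers outside the generated code.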
@@ -0,0 +1,66 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Chacha20_H
+#define __Hacl_Chacha20_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Kremlib.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+Hacl_Chacha20_chacha20_encrypt(
+ uint32_t len,
+ uint8_t *out,
+ uint8_t *text,
+ uint8_t *key,
+ uint8_t *n,
+ uint32_t ctr
+);
+
+void
+Hacl_Chacha20_chacha20_decrypt(
+ uint32_t len,
+ uint8_t *out,
+ uint8_t *cipher,
+ uint8_t *key,
+ uint8_t *n,
+ uint32_t ctr
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Chacha20_H_DEFINED
+#endif
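Review bot: `Hacl_Chacha20_chacha20_encrypt` and `Hacl_Chacha20_chacha20_decrypt` are declared with no comment giving the required sizes of `key` and `n`, whether `out` may alias `text`/`cipher`, or what `ctr` is; `len` is the only parameter whose role is evident from the prototype. A header comment of the form `/* key: [KEY_BYTES] bytes, n: [NONCE_BYTES] bytes, ctr: initial block counter; out and text are each len bytes. */`, with the sizes filled in from the implementation, would let callers size their buffers correctly, and the aliasing rule should be stated explicitly either way. The same undocumented signature is repeated in the Hacl_Chacha20_Vec128 and Hacl_Chacha20_Vec256 hunks below, so one agreed wording could be used for all three. Whether the block counter may wrap for large `len` is also left to the reader; if the implementation bounds it, the bound belongs here.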
diff --git a/include/Hacl_Chacha20Poly1305_128.h b/include/Hacl_Chacha20Poly1305_128.h
new file mode 100644
index 00000000..30ac47b8
--- /dev/null
+++ b/include/Hacl_Chacha20Poly1305_128.h
@@ -0,0 +1,72 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Chacha20Poly1305_128_H
+#define __Hacl_Chacha20Poly1305_128_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Poly1305_128.h"
+#include "Hacl_Kremlib.h"
+#include "Hacl_Chacha20_Vec128.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+Hacl_Chacha20Poly1305_128_aead_encrypt(
+ uint8_t *k,
+ uint8_t *n,
+ uint32_t aadlen,
+ uint8_t *aad,
+ uint32_t mlen,
+ uint8_t *m,
+ uint8_t *cipher,
+ uint8_t *mac
+);
+
+uint32_t
+Hacl_Chacha20Poly1305_128_aead_decrypt(
+ uint8_t *k,
+ uint8_t *n,
+ uint32_t aadlen,
+ uint8_t *aad,
+ uint32_t mlen,
+ uint8_t *m,
+ uint8_t *cipher,
+ uint8_t *mac
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Chacha20Poly1305_128_H_DEFINED
+#endif
diff --git a/include/Hacl_Chacha20Poly1305_256.h b/include/Hacl_Chacha20Poly1305_256.h
new file mode 100644
index 00000000..3c9e5456
--- /dev/null
+++ b/include/Hacl_Chacha20Poly1305_256.h
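Review bot: `Hacl_Chacha20Poly1305_128_aead_decrypt` returns a `uint32_t` whose meaning is documented nowhere in the header, yet it is the authentication result a caller has to check before using `m`; the `_256` and `_32` variants in the two hunks below have the same gap. I would put above the prototype `/* Returns 0 when the tag verifies and m holds the plaintext; any other value means verification failed and the contents of m must not be used. */`, adjusted to whatever the implementation actually returns on each path. The byte sizes of `k`, `n` and `mac` are also unstated, so a one-line comment with the key, nonce and tag lengths taken from the implementation belongs on both prototypes, and `aead_encrypt` should say that `cipher` is `mlen` bytes and `mac` is the tag output. Whether `m` and `cipher` may overlap is a further point the prototypes leave open.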
@@ -0,0 +1,72 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Chacha20Poly1305_256_H
+#define __Hacl_Chacha20Poly1305_256_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Poly1305_256.h"
+#include "Hacl_Kremlib.h"
+#include "Hacl_Chacha20_Vec256.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+Hacl_Chacha20Poly1305_256_aead_encrypt(
+ uint8_t *k,
+ uint8_t *n,
+ uint32_t aadlen,
+ uint8_t *aad,
+ uint32_t mlen,
+ uint8_t *m,
+ uint8_t *cipher,
+ uint8_t *mac
+);
+
+uint32_t
+Hacl_Chacha20Poly1305_256_aead_decrypt(
+ uint8_t *k,
+ uint8_t *n,
+ uint32_t aadlen,
+ uint8_t *aad,
+ uint32_t mlen,
+ uint8_t *m,
+ uint8_t *cipher,
+ uint8_t *mac
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Chacha20Poly1305_256_H_DEFINED
+#endif
diff --git a/include/Hacl_Chacha20Poly1305_32.h b/include/Hacl_Chacha20Poly1305_32.h
new file mode 100644
index 00000000..9162ffa0
--- /dev/null
+++ b/include/Hacl_Chacha20Poly1305_32.h
@@ -0,0 +1,72 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Chacha20Poly1305_32_H
+#define __Hacl_Chacha20Poly1305_32_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Poly1305_32.h"
+#include "Hacl_Kremlib.h"
+#include "Hacl_Chacha20.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+Hacl_Chacha20Poly1305_32_aead_encrypt(
+ uint8_t *k,
+ uint8_t *n,
+ uint32_t aadlen,
+ uint8_t *aad,
+ uint32_t mlen,
+ uint8_t *m,
+ uint8_t *cipher,
+ uint8_t *mac
+);
+
+uint32_t
+Hacl_Chacha20Poly1305_32_aead_decrypt(
+ uint8_t *k,
+ uint8_t *n,
+ uint32_t aadlen,
+ uint8_t *aad,
+ uint32_t mlen,
+ uint8_t *m,
+ uint8_t *cipher,
+ uint8_t *mac
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Chacha20Poly1305_32_H_DEFINED
+#endif
diff --git a/include/Hacl_Chacha20_Vec128.h b/include/Hacl_Chacha20_Vec128.h
new file mode 100644
index 00000000..0e4f2402
--- /dev/null
+++ b/include/Hacl_Chacha20_Vec128.h
@@ -0,0 +1,66 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Chacha20_Vec128_H
+#define __Hacl_Chacha20_Vec128_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Kremlib.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+Hacl_Chacha20_Vec128_chacha20_encrypt_128(
+ uint32_t len,
+ uint8_t *out,
+ uint8_t *text,
+ uint8_t *key,
+ uint8_t *n,
+ uint32_t ctr
+);
+
+void
+Hacl_Chacha20_Vec128_chacha20_decrypt_128(
+ uint32_t len,
+ uint8_t *out,
+ uint8_t *cipher,
+ uint8_t *key,
+ uint8_t *n,
+ uint32_t ctr
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Chacha20_Vec128_H_DEFINED
+#endif
diff --git a/include/Hacl_Chacha20_Vec256.h b/include/Hacl_Chacha20_Vec256.h
new file mode 100644
index 00000000..c99ec184
--- /dev/null
+++ b/include/Hacl_Chacha20_Vec256.h
@@ -0,0 +1,66 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Chacha20_Vec256_H
+#define __Hacl_Chacha20_Vec256_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Kremlib.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+Hacl_Chacha20_Vec256_chacha20_encrypt_256(
+ uint32_t len,
+ uint8_t *out,
+ uint8_t *text,
+ uint8_t *key,
+ uint8_t *n,
+ uint32_t ctr
+);
+
+void
+Hacl_Chacha20_Vec256_chacha20_decrypt_256(
+ uint32_t len,
+ uint8_t *out,
+ uint8_t *cipher,
+ uint8_t *key,
+ uint8_t *n,
+ uint32_t ctr
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Chacha20_Vec256_H_DEFINED
+#endif
diff --git a/include/Hacl_Chacha20_Vec32.h b/include/Hacl_Chacha20_Vec32.h
new file mode 100644
index 00000000..95aaea0d
--- /dev/null
+++ b/include/Hacl_Chacha20_Vec32.h
@@ -0,0 +1,66 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Chacha20_Vec32_H
+#define __Hacl_Chacha20_Vec32_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Kremlib.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+Hacl_Chacha20_Vec32_chacha20_encrypt_32(
+ uint32_t len,
+ uint8_t *out,
+ uint8_t *text,
+ uint8_t *key,
+ uint8_t *n,
+ uint32_t ctr
+);
+
+void
+Hacl_Chacha20_Vec32_chacha20_decrypt_32(
+ uint32_t len,
+ uint8_t *out,
+ uint8_t *cipher,
+ uint8_t *key,
+ uint8_t *n,
+ uint32_t ctr
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Chacha20_Vec32_H_DEFINED
+#endif
diff --git a/include/Hacl_Curve25519_51.h b/include/Hacl_Curve25519_51.h
new file mode 100644
index 00000000..23cb104d
--- /dev/null
+++ b/include/Hacl_Curve25519_51.h
@@ -0,0 +1,53 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Curve25519_51_H
+#define __Hacl_Curve25519_51_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Kremlib.h"
+#include "Hacl_Bignum25519_51.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void Hacl_Curve25519_51_scalarmult(uint8_t *out, uint8_t *priv, uint8_t *pub);
+
+void Hacl_Curve25519_51_secret_to_public(uint8_t *pub, uint8_t *priv);
+
+bool Hacl_Curve25519_51_ecdh(uint8_t *out, uint8_t *priv, uint8_t *pub);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Curve25519_51_H_DEFINED
+#endif
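Review bot: `Hacl_Curve25519_51_ecdh` returns a `bool` whose meaning is stated nowhere in the header, and a caller that ignores it will use `out` regardless; the same applies to `Hacl_Curve25519_64_ecdh` and `Hacl_Curve25519_64_Slow_ecdh` in the next two hunks. If, as is usual for X25519, `false` signals that the computed shared secret was all-zero (a low-order `pub`), that needs to be visible at the prototype, e.g. `/* Returns false when the shared secret is all-zero (pub is a low-order point); out must then be discarded. */`. `priv` is secret-key material and, like `pub`, is only read, so both could be `const uint8_t *`, and the fixed 32-byte sizes of `out`, `priv` and `pub` deserve a line as well since nothing in the signature carries a length.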
diff --git a/include/Hacl_Curve25519_64.h b/include/Hacl_Curve25519_64.h
new file mode 100644
index 00000000..3c2b8221
--- /dev/null
+++ b/include/Hacl_Curve25519_64.h
@@ -0,0 +1,52 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Curve25519_64_H
+#define __Hacl_Curve25519_64_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Kremlib.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void Hacl_Curve25519_64_scalarmult(uint8_t *out, uint8_t *priv, uint8_t *pub);
+
+void Hacl_Curve25519_64_secret_to_public(uint8_t *pub, uint8_t *priv);
+
+bool Hacl_Curve25519_64_ecdh(uint8_t *out, uint8_t *priv, uint8_t *pub);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Curve25519_64_H_DEFINED
+#endif
diff --git a/include/Hacl_Curve25519_64_Slow.h b/include/Hacl_Curve25519_64_Slow.h
new file mode 100644
index 00000000..57f2d01e
--- /dev/null
+++ b/include/Hacl_Curve25519_64_Slow.h
@@ -0,0 +1,53 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Curve25519_64_Slow_H
+#define __Hacl_Curve25519_64_Slow_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Kremlib.h"
+#include "Hacl_Bignum_Base.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void Hacl_Curve25519_64_Slow_scalarmult(uint8_t *out, uint8_t *priv, uint8_t *pub);
+
+void Hacl_Curve25519_64_Slow_secret_to_public(uint8_t *pub, uint8_t *priv);
+
+bool Hacl_Curve25519_64_Slow_ecdh(uint8_t *out, uint8_t *priv, uint8_t *pub);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Curve25519_64_Slow_H_DEFINED
+#endif
diff --git a/include/Hacl_EC_Ed25519.h b/include/Hacl_EC_Ed25519.h
new file mode 100644
index 00000000..2b5313f7
--- /dev/null
+++ b/include/Hacl_EC_Ed25519.h
@@ -0,0 +1,79 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_EC_Ed25519_H
+#define __Hacl_EC_Ed25519_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Kremlib.h"
+#include "Hacl_Bignum25519_51.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void Hacl_EC_Ed25519_mk_felem_zero(uint64_t *b);
+
+void Hacl_EC_Ed25519_mk_felem_one(uint64_t *b);
+
+void Hacl_EC_Ed25519_felem_add(uint64_t *a, uint64_t *b, uint64_t *out);
+
+void Hacl_EC_Ed25519_felem_sub(uint64_t *a, uint64_t *b, uint64_t *out);
+
+void Hacl_EC_Ed25519_felem_mul(uint64_t *a, uint64_t *b, uint64_t *out);
+
+void Hacl_EC_Ed25519_felem_inv(uint64_t *a, uint64_t *out);
+
+void Hacl_EC_Ed25519_felem_load(uint8_t *b, uint64_t *out);
+
+void Hacl_EC_Ed25519_felem_store(uint64_t *a, uint8_t *out);
+
+void Hacl_EC_Ed25519_mk_point_at_inf(uint64_t *p);
+
+void Hacl_EC_Ed25519_mk_base_point(uint64_t *p);
+
+void Hacl_EC_Ed25519_point_negate(uint64_t *p, uint64_t *out);
+
+void Hacl_EC_Ed25519_point_add(uint64_t *p, uint64_t *q, uint64_t *out);
+
+void Hacl_EC_Ed25519_point_mul(uint8_t *scalar, uint64_t *p, uint64_t *out);
+
+bool Hacl_EC_Ed25519_point_eq(uint64_t *p, uint64_t *q);
+
+void Hacl_EC_Ed25519_point_compress(uint64_t *p, uint8_t *out);
+
+bool Hacl_EC_Ed25519_point_decompress(uint8_t *s, uint64_t *out);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_EC_Ed25519_H_DEFINED
+#endif
diff --git a/include/Hacl_Ed25519.h b/include/Hacl_Ed25519.h
new file mode 100644
index 00000000..0c65c822
--- /dev/null
+++ b/include/Hacl_Ed25519.h
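Review bot: Every `felem_*` and `point_*` prototype in Hacl_EC_Ed25519.h takes bare `uint64_t *` buffers that the caller allocates, but the header never says how many limbs a field element or a point occupies, so an undersized buffer becomes an out-of-bounds write that no prototype can catch. The `Hacl_Bignum25519_51.h` include hints at a five-limb radix-2^51 representation, but that should be stated rather than guessed, e.g. a header-level comment `/* felem: 5 x uint64_t (radix 2^51); point: 4 felems (X, Y, Z, T) = 20 x uint64_t; scalar: 32 bytes — confirm against the F* module */`. `Hacl_EC_Ed25519_point_decompress` returns `bool` without saying what `out` holds on failure, and `Hacl_EC_Ed25519_point_eq` should state whether it runs in constant time, since a low-level API like this will be fed secret-dependent data.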
@@ -0,0 +1,59 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Ed25519_H
+#define __Hacl_Ed25519_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Streaming_SHA2.h"
+#include "Hacl_Kremlib.h"
+#include "Hacl_Hash_SHA2.h"
+#include "Hacl_Bignum25519_51.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void Hacl_Ed25519_sign(uint8_t *signature, uint8_t *priv, uint32_t len, uint8_t *msg);
+
+bool Hacl_Ed25519_verify(uint8_t *pub, uint32_t len, uint8_t *msg, uint8_t *signature);
+
+void Hacl_Ed25519_secret_to_public(uint8_t *pub, uint8_t *priv);
+
+void Hacl_Ed25519_expand_keys(uint8_t *ks, uint8_t *priv);
+
+void Hacl_Ed25519_sign_expanded(uint8_t *signature, uint8_t *ks, uint32_t len, uint8_t *msg);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Ed25519_H_DEFINED
+#endif
diff --git a/include/Hacl_FFDHE.h b/include/Hacl_FFDHE.h
new file mode 100644
index 00000000..ea969c01
--- /dev/null
+++ b/include/Hacl_FFDHE.h
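Review bot: `Hacl_Ed25519_expand_keys` writes expanded secret-key material into `ks` and `Hacl_Ed25519_sign_expanded` reads it back, yet the header gives no size for `ks`, nor for `signature`, `priv` and `pub`, so a caller can only size these buffers by reading the implementation. A comment block above the prototypes stating the byte lengths (64-byte signatures and 32-byte keys are the Ed25519 standard; the `ks` length is not visible in this hunk and must be taken from the F* code) and noting that `ks` holds secrets to be zeroized after use would close that gap. Note also that the argument order differs between `Hacl_Ed25519_sign(signature, priv, len, msg)` and `Hacl_Ed25519_verify(pub, len, msg, signature)`, which is easy to get wrong when every parameter is a bare `uint8_t *`.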
@@ -0,0 +1,73 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_FFDHE_H
+#define __Hacl_FFDHE_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Spec.h"
+#include "Hacl_Impl_FFDHE_Constants.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+uint32_t Hacl_FFDHE_ffdhe_len(Spec_FFDHE_ffdhe_alg a);
+
+uint64_t *Hacl_FFDHE_new_ffdhe_precomp_p(Spec_FFDHE_ffdhe_alg a);
+
+void
+Hacl_FFDHE_ffdhe_secret_to_public_precomp(
+ Spec_FFDHE_ffdhe_alg a,
+ uint64_t *p_r2_n,
+ uint8_t *sk,
+ uint8_t *pk
+);
+
+void Hacl_FFDHE_ffdhe_secret_to_public(Spec_FFDHE_ffdhe_alg a, uint8_t *sk, uint8_t *pk);
+
+uint64_t
+Hacl_FFDHE_ffdhe_shared_secret_precomp(
+ Spec_FFDHE_ffdhe_alg a,
+ uint64_t *p_r2_n,
+ uint8_t *sk,
+ uint8_t *pk,
+ uint8_t *ss
+);
+
+uint64_t
+Hacl_FFDHE_ffdhe_shared_secret(Spec_FFDHE_ffdhe_alg a, uint8_t *sk, uint8_t *pk, uint8_t *ss);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_FFDHE_H_DEFINED
+#endif
diff --git a/include/Hacl_Frodo1344.h b/include/Hacl_Frodo1344.h
new file mode 100644
index 00000000..10443f22
--- /dev/null
+++ b/include/Hacl_Frodo1344.h
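Review bot: `Hacl_FFDHE_new_ffdhe_precomp_p` returns a `uint64_t *` with no statement of who owns it, how it must be released, or how many limbs it holds, and `Hacl_FFDHE_ffdhe_shared_secret` and `Hacl_FFDHE_ffdhe_shared_secret_precomp` return a `uint64_t` whose meaning is undocumented; if that value is a full-width mask (all-ones on success, zero on failure) rather than a 0/1 status, a caller writing `if (rc == 1)` will silently treat every result as a failure. Both belong at the prototype, e.g. `/* Returns a heap-allocated precomputation table; the caller owns it and must free() it. */` and `/* Returns a full-width mask: all-ones if pk was valid and ss was written, zero otherwise — confirm against the F* spec. */`. The unit of `Hacl_FFDHE_ffdhe_len` (bytes of the group prime, or limbs of the `uint64_t` table) is likewise unstated, and `sk` is secret input that is only read and could be `const uint8_t *`.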
@@ -0,0 +1,63 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Frodo1344_H
+#define __Hacl_Frodo1344_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Lib_Memzero0.h"
+#include "Hacl_Spec.h"
+#include "Hacl_SHA3.h"
+#include "Hacl_Frodo_KEM.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+extern uint32_t Hacl_Frodo1344_crypto_bytes;
+
+extern uint32_t Hacl_Frodo1344_crypto_publickeybytes;
+
+extern uint32_t Hacl_Frodo1344_crypto_secretkeybytes;
+
+extern uint32_t Hacl_Frodo1344_crypto_ciphertextbytes;
+
+uint32_t Hacl_Frodo1344_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
+
+uint32_t Hacl_Frodo1344_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk);
+
+uint32_t Hacl_Frodo1344_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Frodo1344_H_DEFINED
+#endif
diff --git a/include/Hacl_Frodo64.h b/include/Hacl_Frodo64.h
new file mode 100644
index 00000000..6c5677de
--- /dev/null
+++ b/include/Hacl_Frodo64.h
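Review bot: `Hacl_Frodo1344_crypto_kem_keypair`, `_enc` and `_dec` return `uint32_t` but the header does not say what the value means, and the buffer sizes are exported as `extern uint32_t` variables rather than compile-time constants, so a caller cannot declare `uint8_t pk[Hacl_Frodo1344_crypto_publickeybytes]` without creating a VLA and cannot `_Static_assert` its own buffers against them; the same applies to the Frodo640, Frodo976 and Frodo64 headers in this commit. An enum or `#define` with the numeric sizes next to the externs, plus a one-line return-value comment such as `/* All three return 0 on success (NIST KEM API convention — confirm); ss and sk are secret and should be zeroized by the caller after use. */`, would let callers size and check buffers at compile time. Whether `_dec` reports a decapsulation failure through its return value or, as implicit-rejection KEMs do, writes a pseudorandom `ss` and returns success is also unstated and changes how callers must treat the result.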
@@ -0,0 +1,68 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Frodo64_H
+#define __Hacl_Frodo64_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Lib_Memzero0.h"
+#include "Hacl_Spec.h"
+#include "Hacl_SHA3.h"
+#include "Hacl_Frodo_KEM.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+/*
+ this variant is used only for testing purposes!
+ */
+
+
+extern uint32_t Hacl_Frodo64_crypto_bytes;
+
+extern uint32_t Hacl_Frodo64_crypto_publickeybytes;
+
+extern uint32_t Hacl_Frodo64_crypto_secretkeybytes;
+
+extern uint32_t Hacl_Frodo64_crypto_ciphertextbytes;
+
+uint32_t Hacl_Frodo64_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
+
+uint32_t Hacl_Frodo64_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk);
+
+uint32_t Hacl_Frodo64_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Frodo64_H_DEFINED
+#endif
diff --git a/include/Hacl_Frodo640.h b/include/Hacl_Frodo640.h
new file mode 100644
index 00000000..9016c3e8
--- /dev/null
+++ b/include/Hacl_Frodo640.h
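Review bot: The comment `this variant is used only for testing purposes!` is the only thing that distinguishes Hacl_Frodo64.h from the production parameter sets, yet it exports the same `crypto_kem_*` API shape under the same public include path, so nothing stops a caller who picks the wrong header from linking a toy parameter set into production code. Strengthen the comment to say why, e.g. `/* Toy parameter set for testing only: it provides no meaningful security and must never be used in production. */`, and consider gating this header and its symbols behind a build option so they are not installed by default.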
@@ -0,0 +1,63 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Frodo640_H
+#define __Hacl_Frodo640_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Lib_Memzero0.h"
+#include "Hacl_Spec.h"
+#include "Hacl_SHA3.h"
+#include "Hacl_Frodo_KEM.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+extern uint32_t Hacl_Frodo640_crypto_bytes;
+
+extern uint32_t Hacl_Frodo640_crypto_publickeybytes;
+
+extern uint32_t Hacl_Frodo640_crypto_secretkeybytes;
+
+extern uint32_t Hacl_Frodo640_crypto_ciphertextbytes;
+
+uint32_t Hacl_Frodo640_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
+
+uint32_t Hacl_Frodo640_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk);
+
+uint32_t Hacl_Frodo640_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Frodo640_H_DEFINED
+#endif
diff --git a/include/Hacl_Frodo976.h b/include/Hacl_Frodo976.h
new file mode 100644
index 00000000..5551506b
--- /dev/null
+++ b/include/Hacl_Frodo976.h
@@ -0,0 +1,63 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Frodo976_H
+#define __Hacl_Frodo976_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Lib_Memzero0.h"
+#include "Hacl_Spec.h"
+#include "Hacl_SHA3.h"
+#include "Hacl_Frodo_KEM.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+extern uint32_t Hacl_Frodo976_crypto_bytes;
+
+extern uint32_t Hacl_Frodo976_crypto_publickeybytes;
+
+extern uint32_t Hacl_Frodo976_crypto_secretkeybytes;
+
+extern uint32_t Hacl_Frodo976_crypto_ciphertextbytes;
+
+uint32_t Hacl_Frodo976_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
+
+uint32_t Hacl_Frodo976_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk);
+
+uint32_t Hacl_Frodo976_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Frodo976_H_DEFINED
+#endif
diff --git a/include/Hacl_Frodo_KEM.h b/include/Hacl_Frodo_KEM.h
new file mode 100644
index 00000000..9e431af4
--- /dev/null
+++ b/include/Hacl_Frodo_KEM.h
@@ -0,0 +1,583 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Frodo_KEM_H +#define __Hacl_Frodo_KEM_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Lib_RandomBuffer_System.h" +#include "Hacl_Spec.h" +#include "Hacl_SHA3.h" +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +static inline void +Hacl_Keccak_shake128_4x( + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3, + uint32_t output_len, + uint8_t *output0, + uint8_t *output1, + uint8_t *output2, + uint8_t *output3 +) +{ + Hacl_SHA3_shake128_hacl(input_len, input0, output_len, output0); + Hacl_SHA3_shake128_hacl(input_len, input1, output_len, output1); + Hacl_SHA3_shake128_hacl(input_len, input2, output_len, output2); + Hacl_SHA3_shake128_hacl(input_len, input3, output_len, output3); +} + +static inline void +Hacl_Impl_Matrix_mod_pow2(uint32_t n1, uint32_t n2, uint32_t logq, uint16_t *a) +{ + if (logq < (uint32_t)16U) + { + for (uint32_t i0 = (uint32_t)0U; i0 < n1; i0++) + { + for (uint32_t i = (uint32_t)0U; i < n2; i++) + { + a[i0 * n2 + i] = a[i0 * n2 + i] & (((uint16_t)1U << logq) - (uint16_t)1U); + } + } + return; + } +} + +static inline void +Hacl_Impl_Matrix_matrix_add(uint32_t n1, uint32_t n2, uint16_t *a, uint16_t *b) +{ + for (uint32_t i0 = (uint32_t)0U; i0 < n1; i0++) + { + for (uint32_t i = (uint32_t)0U; i < n2; i++) + { + a[i0 * n2 + i] = a[i0 * n2 + i] + b[i0 * n2 + i]; + } + } +} + +static inline void +Hacl_Impl_Matrix_matrix_sub(uint32_t n1, uint32_t n2, uint16_t *a, uint16_t *b) +{ + for (uint32_t i0 = (uint32_t)0U; i0 < n1; i0++) + { + for (uint32_t i = (uint32_t)0U; i < n2; i++) + { + b[i0 * n2 + i] = a[i0 * n2 + i] - b[i0 * n2 + i]; + } + } +} + +static inline void +Hacl_Impl_Matrix_matrix_mul( + uint32_t n1, + uint32_t n2, + uint32_t n3, + uint16_t *a, + uint16_t *b, + uint16_t *c +) +{ + for 
(uint32_t i0 = (uint32_t)0U; i0 < n1; i0++) + { + for (uint32_t i1 = (uint32_t)0U; i1 < n3; i1++) + { + uint16_t res = (uint16_t)0U; + for (uint32_t i = (uint32_t)0U; i < n2; i++) + { + uint16_t aij = a[i0 * n2 + i]; + uint16_t bjk = b[i * n3 + i1]; + uint16_t res0 = res; + res = res0 + aij * bjk; + } + c[i0 * n3 + i1] = res; + } + } +} + +static inline void +Hacl_Impl_Matrix_matrix_mul_s( + uint32_t n1, + uint32_t n2, + uint32_t n3, + uint16_t *a, + uint16_t *b, + uint16_t *c +) +{ + for (uint32_t i0 = (uint32_t)0U; i0 < n1; i0++) + { + for (uint32_t i1 = (uint32_t)0U; i1 < n3; i1++) + { + uint16_t res = (uint16_t)0U; + for (uint32_t i = (uint32_t)0U; i < n2; i++) + { + uint16_t aij = a[i0 * n2 + i]; + uint16_t bjk = b[i1 * n2 + i]; + uint16_t res0 = res; + res = res0 + aij * bjk; + } + c[i0 * n3 + i1] = res; + } + } +} + +static inline uint16_t +Hacl_Impl_Matrix_matrix_eq(uint32_t n1, uint32_t n2, uint16_t *a, uint16_t *b) +{ + uint16_t res = (uint16_t)0xFFFFU; + for (uint32_t i = (uint32_t)0U; i < n1 * n2; i++) + { + uint16_t uu____0 = FStar_UInt16_eq_mask(a[i], b[i]); + res = uu____0 & res; + } + uint16_t r = res; + return r; +} + +static inline void +Hacl_Impl_Matrix_matrix_to_lbytes(uint32_t n1, uint32_t n2, uint16_t *m, uint8_t *res) +{ + for (uint32_t i = (uint32_t)0U; i < n1 * n2; i++) + { + store16_le(res + (uint32_t)2U * i, m[i]); + } +} + +static inline void +Hacl_Impl_Matrix_matrix_from_lbytes(uint32_t n1, uint32_t n2, uint8_t *b, uint16_t *res) +{ + for (uint32_t i = (uint32_t)0U; i < n1 * n2; i++) + { + uint16_t *os = res; + uint16_t u = load16_le(b + (uint32_t)2U * i); + uint16_t x = u; + os[i] = x; + } +} + +static inline void +Hacl_Impl_Frodo_Gen_frodo_gen_matrix_shake_4x(uint32_t n, uint8_t *seed, uint16_t *res) +{ + KRML_CHECK_SIZE(sizeof (uint8_t), (uint32_t)8U * n); + uint8_t r[(uint32_t)8U * n]; + memset(r, 0U, (uint32_t)8U * n * sizeof (uint8_t)); + uint8_t tmp_seed[72U] = { 0U }; + memcpy(tmp_seed + (uint32_t)2U, seed, (uint32_t)16U * 
sizeof (uint8_t)); + memcpy(tmp_seed + (uint32_t)20U, seed, (uint32_t)16U * sizeof (uint8_t)); + memcpy(tmp_seed + (uint32_t)38U, seed, (uint32_t)16U * sizeof (uint8_t)); + memcpy(tmp_seed + (uint32_t)56U, seed, (uint32_t)16U * sizeof (uint8_t)); + memset(res, 0U, n * n * sizeof (uint16_t)); + for (uint32_t i = (uint32_t)0U; i < n / (uint32_t)4U; i++) + { + uint8_t *r0 = r + (uint32_t)0U * n; + uint8_t *r1 = r + (uint32_t)2U * n; + uint8_t *r2 = r + (uint32_t)4U * n; + uint8_t *r3 = r + (uint32_t)6U * n; + uint8_t *tmp_seed0 = tmp_seed; + uint8_t *tmp_seed1 = tmp_seed + (uint32_t)18U; + uint8_t *tmp_seed2 = tmp_seed + (uint32_t)36U; + uint8_t *tmp_seed3 = tmp_seed + (uint32_t)54U; + store16_le(tmp_seed0, (uint16_t)((uint32_t)4U * i + (uint32_t)0U)); + store16_le(tmp_seed1, (uint16_t)((uint32_t)4U * i + (uint32_t)1U)); + store16_le(tmp_seed2, (uint16_t)((uint32_t)4U * i + (uint32_t)2U)); + store16_le(tmp_seed3, (uint16_t)((uint32_t)4U * i + (uint32_t)3U)); + Hacl_Keccak_shake128_4x((uint32_t)18U, + tmp_seed0, + tmp_seed1, + tmp_seed2, + tmp_seed3, + (uint32_t)2U * n, + r0, + r1, + r2, + r3); + for (uint32_t i0 = (uint32_t)0U; i0 < n; i0++) + { + uint8_t *resij0 = r0 + i0 * (uint32_t)2U; + uint8_t *resij1 = r1 + i0 * (uint32_t)2U; + uint8_t *resij2 = r2 + i0 * (uint32_t)2U; + uint8_t *resij3 = r3 + i0 * (uint32_t)2U; + uint16_t u = load16_le(resij0); + res[((uint32_t)4U * i + (uint32_t)0U) * n + i0] = u; + uint16_t u0 = load16_le(resij1); + res[((uint32_t)4U * i + (uint32_t)1U) * n + i0] = u0; + uint16_t u1 = load16_le(resij2); + res[((uint32_t)4U * i + (uint32_t)2U) * n + i0] = u1; + uint16_t u2 = load16_le(resij3); + res[((uint32_t)4U * i + (uint32_t)3U) * n + i0] = u2; + } + } +} + +static inline void +Hacl_Impl_Frodo_Params_frodo_gen_matrix( + Spec_Frodo_Params_frodo_gen_a a, + uint32_t n, + uint8_t *seed, + uint16_t *a_matrix +) +{ + switch (a) + { + case Spec_Frodo_Params_SHAKE128: + { + Hacl_Impl_Frodo_Gen_frodo_gen_matrix_shake_4x(n, seed, a_matrix); + break; 
+ } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +static const +uint16_t +Hacl_Impl_Frodo_Params_cdf_table640[13U] = + { + (uint16_t)4643U, (uint16_t)13363U, (uint16_t)20579U, (uint16_t)25843U, (uint16_t)29227U, + (uint16_t)31145U, (uint16_t)32103U, (uint16_t)32525U, (uint16_t)32689U, (uint16_t)32745U, + (uint16_t)32762U, (uint16_t)32766U, (uint16_t)32767U + }; + +static const +uint16_t +Hacl_Impl_Frodo_Params_cdf_table976[11U] = + { + (uint16_t)5638U, (uint16_t)15915U, (uint16_t)23689U, (uint16_t)28571U, (uint16_t)31116U, + (uint16_t)32217U, (uint16_t)32613U, (uint16_t)32731U, (uint16_t)32760U, (uint16_t)32766U, + (uint16_t)32767U + }; + +static const +uint16_t +Hacl_Impl_Frodo_Params_cdf_table1344[7U] = + { + (uint16_t)9142U, (uint16_t)23462U, (uint16_t)30338U, (uint16_t)32361U, (uint16_t)32725U, + (uint16_t)32765U, (uint16_t)32767U + }; + +static inline void +Hacl_Impl_Frodo_Sample_frodo_sample_matrix64( + uint32_t n1, + uint32_t n2, + uint8_t *r, + uint16_t *res +) +{ + memset(res, 0U, n1 * n2 * sizeof (uint16_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < n1; i0++) + { + for (uint32_t i1 = (uint32_t)0U; i1 < n2; i1++) + { + uint8_t *resij = r + (uint32_t)2U * (n2 * i0 + i1); + uint16_t u = load16_le(resij); + uint16_t uu____0 = u; + uint16_t prnd = uu____0 >> (uint32_t)1U; + uint16_t sign = uu____0 & (uint16_t)1U; + uint16_t sample = (uint16_t)0U; + uint32_t bound = (uint32_t)12U; + for (uint32_t i = (uint32_t)0U; i < bound; i++) + { + uint16_t sample0 = sample; + uint16_t ti = Hacl_Impl_Frodo_Params_cdf_table640[i]; + uint16_t samplei = (uint16_t)(uint32_t)(ti - prnd) >> (uint32_t)15U; + sample = samplei + sample0; + } + uint16_t sample0 = sample; + res[i0 * n2 + i1] = ((~sign + (uint16_t)1U) ^ sample0) + sign; + } + } +} + +static inline void +Hacl_Impl_Frodo_Sample_frodo_sample_matrix640( + uint32_t n1, + uint32_t n2, + uint8_t *r, + uint16_t *res +) +{ + memset(res, 0U, n1 
* n2 * sizeof (uint16_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < n1; i0++) + { + for (uint32_t i1 = (uint32_t)0U; i1 < n2; i1++) + { + uint8_t *resij = r + (uint32_t)2U * (n2 * i0 + i1); + uint16_t u = load16_le(resij); + uint16_t uu____0 = u; + uint16_t prnd = uu____0 >> (uint32_t)1U; + uint16_t sign = uu____0 & (uint16_t)1U; + uint16_t sample = (uint16_t)0U; + uint32_t bound = (uint32_t)12U; + for (uint32_t i = (uint32_t)0U; i < bound; i++) + { + uint16_t sample0 = sample; + uint16_t ti = Hacl_Impl_Frodo_Params_cdf_table640[i]; + uint16_t samplei = (uint16_t)(uint32_t)(ti - prnd) >> (uint32_t)15U; + sample = samplei + sample0; + } + uint16_t sample0 = sample; + res[i0 * n2 + i1] = ((~sign + (uint16_t)1U) ^ sample0) + sign; + } + } +} + +static inline void +Hacl_Impl_Frodo_Sample_frodo_sample_matrix976( + uint32_t n1, + uint32_t n2, + uint8_t *r, + uint16_t *res +) +{ + memset(res, 0U, n1 * n2 * sizeof (uint16_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < n1; i0++) + { + for (uint32_t i1 = (uint32_t)0U; i1 < n2; i1++) + { + uint8_t *resij = r + (uint32_t)2U * (n2 * i0 + i1); + uint16_t u = load16_le(resij); + uint16_t uu____0 = u; + uint16_t prnd = uu____0 >> (uint32_t)1U; + uint16_t sign = uu____0 & (uint16_t)1U; + uint16_t sample = (uint16_t)0U; + uint32_t bound = (uint32_t)10U; + for (uint32_t i = (uint32_t)0U; i < bound; i++) + { + uint16_t sample0 = sample; + uint16_t ti = Hacl_Impl_Frodo_Params_cdf_table976[i]; + uint16_t samplei = (uint16_t)(uint32_t)(ti - prnd) >> (uint32_t)15U; + sample = samplei + sample0; + } + uint16_t sample0 = sample; + res[i0 * n2 + i1] = ((~sign + (uint16_t)1U) ^ sample0) + sign; + } + } +} + +static inline void +Hacl_Impl_Frodo_Sample_frodo_sample_matrix1344( + uint32_t n1, + uint32_t n2, + uint8_t *r, + uint16_t *res +) +{ + memset(res, 0U, n1 * n2 * sizeof (uint16_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < n1; i0++) + { + for (uint32_t i1 = (uint32_t)0U; i1 < n2; i1++) + { + uint8_t *resij = r + (uint32_t)2U * (n2 * i0 + i1); 
+ uint16_t u = load16_le(resij); + uint16_t uu____0 = u; + uint16_t prnd = uu____0 >> (uint32_t)1U; + uint16_t sign = uu____0 & (uint16_t)1U; + uint16_t sample = (uint16_t)0U; + uint32_t bound = (uint32_t)6U; + for (uint32_t i = (uint32_t)0U; i < bound; i++) + { + uint16_t sample0 = sample; + uint16_t ti = Hacl_Impl_Frodo_Params_cdf_table1344[i]; + uint16_t samplei = (uint16_t)(uint32_t)(ti - prnd) >> (uint32_t)15U; + sample = samplei + sample0; + } + uint16_t sample0 = sample; + res[i0 * n2 + i1] = ((~sign + (uint16_t)1U) ^ sample0) + sign; + } + } +} + +static inline void +Hacl_Impl_Frodo_Pack_frodo_pack( + uint32_t n1, + uint32_t n2, + uint32_t d, + uint16_t *a, + uint8_t *res +) +{ + uint32_t n = n1 * n2 / (uint32_t)8U; + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + uint16_t *a1 = a + (uint32_t)8U * i; + uint8_t *r = res + d * i; + uint16_t maskd = (uint16_t)((uint32_t)1U << d) - (uint16_t)1U; + uint8_t v16[16U] = { 0U }; + uint16_t a0 = a1[0U] & maskd; + uint16_t a11 = a1[1U] & maskd; + uint16_t a2 = a1[2U] & maskd; + uint16_t a3 = a1[3U] & maskd; + uint16_t a4 = a1[4U] & maskd; + uint16_t a5 = a1[5U] & maskd; + uint16_t a6 = a1[6U] & maskd; + uint16_t a7 = a1[7U] & maskd; + FStar_UInt128_uint128 + templong = + FStar_UInt128_logor(FStar_UInt128_logor(FStar_UInt128_logor(FStar_UInt128_logor(FStar_UInt128_logor(FStar_UInt128_logor(FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)a0), + (uint32_t)7U * d), + FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)a11), + (uint32_t)6U * d)), + FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)a2), + (uint32_t)5U * d)), + FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)a3), + (uint32_t)4U * d)), + FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)a4), + (uint32_t)3U * d)), + FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)a5), + (uint32_t)2U * d)), + 
FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)a6), (uint32_t)1U * d)), + FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)a7), (uint32_t)0U * d)); + store128_be(v16, templong); + uint8_t *src = v16 + (uint32_t)16U - d; + memcpy(r, src, d * sizeof (uint8_t)); + } +} + +static inline void +Hacl_Impl_Frodo_Pack_frodo_unpack( + uint32_t n1, + uint32_t n2, + uint32_t d, + uint8_t *b, + uint16_t *res +) +{ + uint32_t n = n1 * n2 / (uint32_t)8U; + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + uint8_t *b1 = b + d * i; + uint16_t *r = res + (uint32_t)8U * i; + uint16_t maskd = (uint16_t)((uint32_t)1U << d) - (uint16_t)1U; + uint8_t src[16U] = { 0U }; + memcpy(src + (uint32_t)16U - d, b1, d * sizeof (uint8_t)); + FStar_UInt128_uint128 u = load128_be(src); + FStar_UInt128_uint128 templong = u; + r[0U] = + (uint16_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(templong, + (uint32_t)7U * d)) + & maskd; + r[1U] = + (uint16_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(templong, + (uint32_t)6U * d)) + & maskd; + r[2U] = + (uint16_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(templong, + (uint32_t)5U * d)) + & maskd; + r[3U] = + (uint16_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(templong, + (uint32_t)4U * d)) + & maskd; + r[4U] = + (uint16_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(templong, + (uint32_t)3U * d)) + & maskd; + r[5U] = + (uint16_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(templong, + (uint32_t)2U * d)) + & maskd; + r[6U] = + (uint16_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(templong, + (uint32_t)1U * d)) + & maskd; + r[7U] = + (uint16_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(templong, + (uint32_t)0U * d)) + & maskd; + } +} + +static inline void +Hacl_Impl_Frodo_Encode_frodo_key_encode( + uint32_t logq, + uint32_t b, + uint32_t n, + uint8_t *a, + uint16_t *res +) +{ + for (uint32_t i0 = (uint32_t)0U; 
i0 < n; i0++) + { + uint8_t v8[8U] = { 0U }; + uint8_t *chunk = a + i0 * b; + memcpy(v8, chunk, b * sizeof (uint8_t)); + uint64_t u = load64_le(v8); + uint64_t x = u; + uint64_t x0 = x; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint64_t rk = x0 >> b * i & (((uint64_t)1U << b) - (uint64_t)1U); + res[i0 * n + i] = (uint16_t)rk << (logq - b); + } + } +} + +static inline void +Hacl_Impl_Frodo_Encode_frodo_key_decode( + uint32_t logq, + uint32_t b, + uint32_t n, + uint16_t *a, + uint8_t *res +) +{ + for (uint32_t i0 = (uint32_t)0U; i0 < n; i0++) + { + uint64_t templong = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint16_t aik = a[i0 * n + i]; + uint16_t res1 = (aik + ((uint16_t)1U << (logq - b - (uint32_t)1U))) >> (logq - b); + templong = templong | (uint64_t)(res1 & (((uint16_t)1U << b) - (uint16_t)1U)) << b * i; + } + uint64_t templong0 = templong; + uint8_t v8[8U] = { 0U }; + store64_le(v8, templong0); + uint8_t *tmp = v8; + memcpy(res + i0 * b, tmp, b * sizeof (uint8_t)); + } +} + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Frodo_KEM_H_DEFINED +#endif diff --git a/include/Hacl_GenericField32.h b/include/Hacl_GenericField32.h new file mode 100644 index 00000000..1dcec1d8 --- /dev/null +++ b/include/Hacl_GenericField32.h 
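Review bot: The preconditions these helpers rely on are not stated anywhere in the C: `Hacl_Impl_Frodo_Pack_frodo_pack` and `_unpack` form `v16 + (uint32_t)16U - d` / `src + (uint32_t)16U - d` and shift by `d`, so `d` must be at most 16 or the 16-byte stack array is read and written out of bounds; their loop covers `n1 * n2 / (uint32_t)8U` groups, so any remainder elements are silently skipped; `Hacl_Impl_Frodo_Gen_frodo_gen_matrix_shake_4x` fills rows in groups of four after zeroing `res`, so for `n % 4 != 0` the trailing rows stay zero; and `Hacl_Impl_Frodo_Encode_frodo_key_encode` copies `b` bytes into an 8-byte `v8` and writes `res[i0 * n + i]` for `i < 8`, so `b <= 8` and `n >= 8` are required. These bounds are presumably discharged by the verified callers, but because the functions are `static inline` in a public header any direct caller that gets a parameter wrong has no runtime check to fall back on. A one-line precondition comment above each, e.g. `/* Requires d <= 16 and n1 * n2 % 8 == 0; not checked here. */`, would make the contract visible to readers of the C. The same applies to `Hacl_Impl_Frodo_Encode_frodo_key_decode`, whose `(uint16_t)1U << (logq - b - (uint32_t)1U)` additionally needs `logq > b`.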
@@ -0,0 +1,279 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_GenericField32_H +#define __Hacl_GenericField32_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef struct Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32_s +{ + uint32_t len; + uint32_t *n; + uint32_t mu; + uint32_t *r2; +} +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32; + +typedef Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_GenericField32_pbn_mont_ctx_u32; + +/******************************************************************************* + +A verified field arithmetic library. 
+ +This is a 32-bit optimized version, where bignums are represented as an array +of `len` unsigned 32-bit integers, i.e. uint32_t[len]. + +All the arithmetic operations are performed in the Montgomery domain. + +All the functions below preserve the following invariant for a bignum `aM` in +Montgomery form. + • aM < n + +*******************************************************************************/ + + +/* +Check whether this library will work for a modulus `n`. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n +*/ +bool Hacl_GenericField32_field_modulus_check(uint32_t len, uint32_t *n); + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_GenericField32_field_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 +*Hacl_GenericField32_field_init(uint32_t len, uint32_t *n); + +/* +Deallocate the memory previously allocated by Hacl_GenericField32_field_init. + + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void Hacl_GenericField32_field_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k); + +/* +Return the size of a modulus `n` in limbs. + + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +uint32_t Hacl_GenericField32_field_get_len(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k); + +/* +Convert a bignum from the regular representation to the Montgomery representation. + + Write `a * R mod n` in `aM`. + + The argument a and the outparam aM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. 
+*/ +void +Hacl_GenericField32_to_field( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *aM +); + +/* +Convert a result back from the Montgomery representation to the regular representation. + + Write `aM / R mod n` in `a`, i.e. + Hacl_GenericField32_from_field(k, Hacl_GenericField32_to_field(k, a)) == a % n + + The argument aM and the outparam a are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void +Hacl_GenericField32_from_field( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *a +); + +/* +Write `aM + bM mod n` in `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void +Hacl_GenericField32_add( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *bM, + uint32_t *cM +); + +/* +Write `aM - bM mod n` to `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void +Hacl_GenericField32_sub( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *bM, + uint32_t *cM +); + +/* +Write `aM * bM mod n` in `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void +Hacl_GenericField32_mul( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *bM, + uint32_t *cM +); + +/* +Write `aM * aM mod n` in `cM`. + + The argument aM and the outparam cM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. 
+*/ +void +Hacl_GenericField32_sqr( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *cM +); + +/* +Convert a bignum `one` to its Montgomery representation. + + The outparam oneM is meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void Hacl_GenericField32_one(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, uint32_t *oneM); + +/* +Write `aM ^ b mod n` in `resM`. + + The argument aM and the outparam resM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than exp_vartime. + + Before calling this function, the caller will need to ensure that the following + precondition is observed. + • b < pow2 bBits +*/ +void +Hacl_GenericField32_exp_consttime( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t bBits, + uint32_t *b, + uint32_t *resM +); + +/* +Write `aM ^ b mod n` in `resM`. + + The argument aM and the outparam resM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. 
See the + exp_consttime function for constant-time variant. + + Before calling this function, the caller will need to ensure that the following + precondition is observed. + • b < pow2 bBits +*/ +void +Hacl_GenericField32_exp_vartime( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t bBits, + uint32_t *b, + uint32_t *resM +); + +/* +Write `aM ^ (-1) mod n` in `aInvM`. + + The argument aM and the outparam aInvM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < aM +*/ +void +Hacl_GenericField32_inverse( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *aInvM +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_GenericField32_H_DEFINED +#endif diff --git a/include/Hacl_GenericField64.h b/include/Hacl_GenericField64.h new file mode 100644 index 00000000..c4411b45 --- /dev/null +++ b/include/Hacl_GenericField64.h 
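Review bot: The comment on `Hacl_GenericField32_inverse` states its preconditions (`n` prime, `0 < aM`) but, unlike `exp_consttime` and `exp_vartime` directly above it, says nothing about timing, so a caller inverting a secret `aM` cannot tell whether it is safe to do so; state which exponentiation the inverse is built on (an exponent of `n - 2` depends only on the public modulus, so either could be acceptable, but the reader should not have to guess). The same omission is in `Hacl_GenericField64_inverse` in the next file section. `Hacl_GenericField32_field_init` is documented as heap-allocating but the comment does not say what is returned when allocation fails, which a caller must know to avoid passing a bad context to every later call; add the NULL-return or abort behaviour, whichever the implementation has. The `Hacl_GenericField32_pbn_mont_ctx_u32` typedef hides a pointer and none of the prototypes below use it, each spelling `Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k` explicitly, so the typedef is dead weight in the public API.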
@@ -0,0 +1,270 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_GenericField64_H +#define __Hacl_GenericField64_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Bignum256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_GenericField64_pbn_mont_ctx_u64; + +/******************************************************************************* + +A verified field arithmetic library. + +This is a 64-bit optimized version, where bignums are represented as an array +of `len` unsigned 64-bit integers, i.e. uint64_t[len]. + +All the arithmetic operations are performed in the Montgomery domain. 
+ +All the functions below preserve the following invariant for a bignum `aM` in +Montgomery form. + • aM < n + +*******************************************************************************/ + + +/* +Check whether this library will work for a modulus `n`. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n +*/ +bool Hacl_GenericField64_field_modulus_check(uint32_t len, uint64_t *n); + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be `len` limbs in size, i.e. uint64_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_GenericField64_field_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 +*Hacl_GenericField64_field_init(uint32_t len, uint64_t *n); + +/* +Deallocate the memory previously allocated by Hacl_GenericField64_field_init. + + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void Hacl_GenericField64_field_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k); + +/* +Return the size of a modulus `n` in limbs. + + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +uint32_t Hacl_GenericField64_field_get_len(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k); + +/* +Convert a bignum from the regular representation to the Montgomery representation. + + Write `a * R mod n` in `aM`. + + The argument a and the outparam aM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_to_field( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *aM +); + +/* +Convert a result back from the Montgomery representation to the regular representation. 
+ + Write `aM / R mod n` in `a`, i.e. + Hacl_GenericField64_from_field(k, Hacl_GenericField64_to_field(k, a)) == a % n + + The argument aM and the outparam a are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_from_field( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *a +); + +/* +Write `aM + bM mod n` in `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_add( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *bM, + uint64_t *cM +); + +/* +Write `aM - bM mod n` to `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_sub( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *bM, + uint64_t *cM +); + +/* +Write `aM * bM mod n` in `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_mul( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *bM, + uint64_t *cM +); + +/* +Write `aM * aM mod n` in `cM`. + + The argument aM and the outparam cM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_sqr( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *cM +); + +/* +Convert a bignum `one` to its Montgomery representation. 
+ + The outparam oneM is meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void Hacl_GenericField64_one(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, uint64_t *oneM); + +/* +Write `aM ^ b mod n` in `resM`. + + The argument aM and the outparam resM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than exp_vartime. + + Before calling this function, the caller will need to ensure that the following + precondition is observed. + • b < pow2 bBits +*/ +void +Hacl_GenericField64_exp_consttime( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint32_t bBits, + uint64_t *b, + uint64_t *resM +); + +/* +Write `aM ^ b mod n` in `resM`. + + The argument aM and the outparam resM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + exp_consttime function for constant-time variant. + + Before calling this function, the caller will need to ensure that the following + precondition is observed. 
+ • b < pow2 bBits +*/ +void +Hacl_GenericField64_exp_vartime( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint32_t bBits, + uint64_t *b, + uint64_t *resM +); + +/* +Write `aM ^ (-1) mod n` in `aInvM`. + + The argument aM and the outparam aInvM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < aM +*/ +void +Hacl_GenericField64_inverse( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *aInvM +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_GenericField64_H_DEFINED +#endif diff --git a/include/Hacl_HKDF.h b/include/Hacl_HKDF.h new file mode 100644 index 00000000..c2a8e911 --- /dev/null +++ b/include/Hacl_HKDF.h 
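Review bot: This header pulls in `Hacl_Bignum256.h` and then uses `Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64` without defining it, whereas the 32-bit twin defines its own context struct inline; presumably the struct lives in `Hacl_Bignum256.h`, which means a consumer of the generic 64-bit field drags in the whole Bignum256 API (and its include chain) for one type. If the struct cannot move into a shared header, a comment next to the include such as `/* for Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 */` would at least explain the dependency to the next reader.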
@@ -0,0 +1,122 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_HKDF_H
+#define __Hacl_HKDF_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_HMAC.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+Hacl_HKDF_expand_sha2_256(
+ uint8_t *okm,
+ uint8_t *prk,
+ uint32_t prklen,
+ uint8_t *info,
+ uint32_t infolen,
+ uint32_t len
+);
+
+void
+Hacl_HKDF_extract_sha2_256(
+ uint8_t *prk,
+ uint8_t *salt,
+ uint32_t saltlen,
+ uint8_t *ikm,
+ uint32_t ikmlen
+);
+
+void
+Hacl_HKDF_expand_sha2_512(
+ uint8_t *okm,
+ uint8_t *prk,
+ uint32_t prklen,
+ uint8_t *info,
+ uint32_t infolen,
+ uint32_t len
+);
+
+void
+Hacl_HKDF_extract_sha2_512(
+ uint8_t *prk,
+ uint8_t *salt,
+ uint32_t saltlen,
+ uint8_t *ikm,
+ uint32_t ikmlen
+);
+
+void
+Hacl_HKDF_expand_blake2s_32(
+ uint8_t *okm,
+ uint8_t *prk,
+ uint32_t prklen,
+ uint8_t *info,
+ uint32_t infolen,
+ uint32_t len
+);
+
+void
+Hacl_HKDF_extract_blake2s_32(
+ uint8_t *prk,
+ uint8_t *salt,
+ uint32_t saltlen,
+ uint8_t *ikm,
+ uint32_t ikmlen
+);
+
+void
+Hacl_HKDF_expand_blake2b_32(
+ uint8_t *okm,
+ uint8_t *prk,
+ uint32_t prklen,
+ uint8_t *info,
+ uint32_t infolen,
+ uint32_t len
+);
+
+void
+Hacl_HKDF_extract_blake2b_32(
+ uint8_t *prk,
+ uint8_t *salt,
+ uint32_t saltlen,
+ uint8_t *ikm,
+ uint32_t ikmlen
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_HKDF_H_DEFINED
+#endif
diff --git a/include/Hacl_HKDF_Blake2b_256.h b/include/Hacl_HKDF_Blake2b_256.h
new file mode 100644
index 00000000..12228eae
--- /dev/null
+++ b/include/Hacl_HKDF_Blake2b_256.h
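Review bot: The HKDF prototypes in this header (and the same shapes in Hacl_HKDF_Blake2b_256.h and Hacl_HKDF_Blake2s_128.h below) state no contract for their buffers: nothing says that the `prk` written by `extract` is one digest in size, that `okm` must hold `len` bytes, or that RFC 5869 limits `len` to 255 times the digest length — and since the functions return void, an oversized `len` has no error channel. A one-line comment above each pair would close that gap, e.g. `/* okm must hold len bytes; len <= 255 * digest length (RFC 5869). */` and `/* prk must hold one digest: 32 bytes for SHA2-256 and BLAKE2s, 64 for SHA2-512 and BLAKE2b. */`. Separately, the first `#include` after the `extern "C"` guard has no header name in this rendering; it is presumably an angle-bracketed system header (`<string.h>` in other headers of this generator) lost to the renderer, but worth confirming in the committed file.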
@@ -0,0 +1,65 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_HKDF_Blake2b_256_H
+#define __Hacl_HKDF_Blake2b_256_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_HMAC_Blake2b_256.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+Hacl_HKDF_Blake2b_256_expand_blake2b_256(
+ uint8_t *okm,
+ uint8_t *prk,
+ uint32_t prklen,
+ uint8_t *info,
+ uint32_t infolen,
+ uint32_t len
+);
+
+void
+Hacl_HKDF_Blake2b_256_extract_blake2b_256(
+ uint8_t *prk,
+ uint8_t *salt,
+ uint32_t saltlen,
+ uint8_t *ikm,
+ uint32_t ikmlen
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_HKDF_Blake2b_256_H_DEFINED
+#endif
diff --git a/include/Hacl_HKDF_Blake2s_128.h b/include/Hacl_HKDF_Blake2s_128.h
new file mode 100644
index 00000000..b01cb01c
--- /dev/null
+++ b/include/Hacl_HKDF_Blake2s_128.h
@@ -0,0 +1,65 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_HKDF_Blake2s_128_H
+#define __Hacl_HKDF_Blake2s_128_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_HMAC_Blake2s_128.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+Hacl_HKDF_Blake2s_128_expand_blake2s_128(
+ uint8_t *okm,
+ uint8_t *prk,
+ uint32_t prklen,
+ uint8_t *info,
+ uint32_t infolen,
+ uint32_t len
+);
+
+void
+Hacl_HKDF_Blake2s_128_extract_blake2s_128(
+ uint8_t *prk,
+ uint8_t *salt,
+ uint32_t saltlen,
+ uint8_t *ikm,
+ uint32_t ikmlen
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_HKDF_Blake2s_128_H_DEFINED
+#endif
diff --git a/include/Hacl_HMAC.h b/include/Hacl_HMAC.h
new file mode 100644
index 00000000..238c7b43
--- /dev/null
+++ b/include/Hacl_HMAC.h
@@ -0,0 +1,103 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_HMAC_H
+#define __Hacl_HMAC_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Kremlib.h"
+#include "Hacl_Impl_Blake2_Constants.h"
+#include "Hacl_Hash_SHA2.h"
+#include "Hacl_Hash_SHA1.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+Hacl_HMAC_legacy_compute_sha1(
+ uint8_t *dst,
+ uint8_t *key,
+ uint32_t key_len,
+ uint8_t *data,
+ uint32_t data_len
+);
+
+void
+Hacl_HMAC_compute_sha2_256(
+ uint8_t *dst,
+ uint8_t *key,
+ uint32_t key_len,
+ uint8_t *data,
+ uint32_t data_len
+);
+
+void
+Hacl_HMAC_compute_sha2_384(
+ uint8_t *dst,
+ uint8_t *key,
+ uint32_t key_len,
+ uint8_t *data,
+ uint32_t data_len
+);
+
+void
+Hacl_HMAC_compute_sha2_512(
+ uint8_t *dst,
+ uint8_t *key,
+ uint32_t key_len,
+ uint8_t *data,
+ uint32_t data_len
+);
+
+void
+Hacl_HMAC_compute_blake2s_32(
+ uint8_t *dst,
+ uint8_t *key,
+ uint32_t key_len,
+ uint8_t *data,
+ uint32_t data_len
+);
+
+void
+Hacl_HMAC_compute_blake2b_32(
+ uint8_t *dst,
+ uint8_t *key,
+ uint32_t key_len,
+ uint8_t *data,
+ uint32_t data_len
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_HMAC_H_DEFINED
+#endif
diff --git a/include/Hacl_HMAC_Blake2b_256.h b/include/Hacl_HMAC_Blake2b_256.h
new file mode 100644
index 00000000..797075cb
--- /dev/null
+++ b/include/Hacl_HMAC_Blake2b_256.h
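Review bot: None of the six `Hacl_HMAC_*compute_*` prototypes documents how large `dst` must be, so a caller who sizes `dst` for one algorithm and later switches to another gets a silent out-of-bounds write; a one-line comment per declaration giving the digest size would prevent that, e.g. `/* dst: 20 bytes */` for SHA-1, 32 for SHA2-256 and BLAKE2s, 48 for SHA2-384, 64 for SHA2-512 and BLAKE2b. `Hacl_HMAC_legacy_compute_sha1` carries a `legacy_` prefix with no explanation; a comment such as `/* Kept for legacy protocols only; not for new designs. */` would make the intent explicit. The same digest-size note applies to Hacl_HMAC_Blake2b_256.h and Hacl_HMAC_Blake2s_128.h below. Since `key` and `data` are declared `uint8_t *` rather than `const uint8_t *`, it is also worth stating in the header that they are presumably read-only inputs, so C callers holding const buffers know the cast is safe.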
@@ -0,0 +1,56 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_HMAC_Blake2b_256_H
+#define __Hacl_HMAC_Blake2b_256_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Kremlib.h"
+#include "Hacl_Impl_Blake2_Constants.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+Hacl_HMAC_Blake2b_256_compute_blake2b_256(
+ uint8_t *dst,
+ uint8_t *key,
+ uint32_t key_len,
+ uint8_t *data,
+ uint32_t data_len
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_HMAC_Blake2b_256_H_DEFINED
+#endif
diff --git a/include/Hacl_HMAC_Blake2s_128.h b/include/Hacl_HMAC_Blake2s_128.h
new file mode 100644
index 00000000..c9b320ba
--- /dev/null
+++ b/include/Hacl_HMAC_Blake2s_128.h
@@ -0,0 +1,55 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_HMAC_Blake2s_128_H
+#define __Hacl_HMAC_Blake2s_128_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Impl_Blake2_Constants.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+Hacl_HMAC_Blake2s_128_compute_blake2s_128(
+ uint8_t *dst,
+ uint8_t *key,
+ uint32_t key_len,
+ uint8_t *data,
+ uint32_t data_len
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_HMAC_Blake2s_128_H_DEFINED
+#endif
diff --git a/include/Hacl_HMAC_DRBG.h b/include/Hacl_HMAC_DRBG.h
new file mode 100644
index 00000000..c3172e3a
--- /dev/null
+++ b/include/Hacl_HMAC_DRBG.h
@@ -0,0 +1,106 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_HMAC_DRBG_H
+#define __Hacl_HMAC_DRBG_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Spec.h"
+#include "Hacl_HMAC.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+typedef Spec_Hash_Definitions_hash_alg Hacl_HMAC_DRBG_supported_alg;
+
+extern uint32_t Hacl_HMAC_DRBG_reseed_interval;
+
+extern uint32_t Hacl_HMAC_DRBG_max_output_length;
+
+extern uint32_t Hacl_HMAC_DRBG_max_length;
+
+extern uint32_t Hacl_HMAC_DRBG_max_personalization_string_length;
+
+extern uint32_t Hacl_HMAC_DRBG_max_additional_input_length;
+
+uint32_t Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_hash_alg a);
+
+typedef struct Hacl_HMAC_DRBG_state_s
+{
+ uint8_t *k;
+ uint8_t *v;
+ uint32_t *reseed_counter;
+}
+Hacl_HMAC_DRBG_state;
+
+bool
+Hacl_HMAC_DRBG_uu___is_State(Spec_Hash_Definitions_hash_alg a, Hacl_HMAC_DRBG_state projectee);
+
+Hacl_HMAC_DRBG_state Hacl_HMAC_DRBG_create_in(Spec_Hash_Definitions_hash_alg a);
+
+void
+Hacl_HMAC_DRBG_instantiate(
+ Spec_Hash_Definitions_hash_alg a,
+ Hacl_HMAC_DRBG_state st,
+ uint32_t entropy_input_len,
+ uint8_t *entropy_input,
+ uint32_t nonce_len,
+ uint8_t *nonce,
+ uint32_t personalization_string_len,
+ uint8_t *personalization_string
+);
+
+void
+Hacl_HMAC_DRBG_reseed(
+ Spec_Hash_Definitions_hash_alg a,
+ Hacl_HMAC_DRBG_state st,
+ uint32_t entropy_input_len,
+ uint8_t *entropy_input,
+ uint32_t additional_input_input_len,
+ uint8_t *additional_input_input
+);
+
+bool
+Hacl_HMAC_DRBG_generate(
+ Spec_Hash_Definitions_hash_alg a,
+ uint8_t *output,
+ Hacl_HMAC_DRBG_state st,
+ uint32_t n,
+ uint32_t additional_input_len,
+ uint8_t *additional_input
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_HMAC_DRBG_H_DEFINED
+#endif
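Review bot: `Hacl_HMAC_DRBG_generate` returns `bool` with no statement of what `false` means or whether `output` may be used afterwards; a DRBG whose failure result (presumably the reseed counter passing `Hacl_HMAC_DRBG_reseed_interval`) can be silently ignored is an easy way to consume output that was never produced, so the declaration needs a comment such as `/* Returns false, leaving output unusable, when a reseed is required; call Hacl_HMAC_DRBG_reseed first. n must not exceed Hacl_HMAC_DRBG_max_output_length. */`, with the "unusable" part confirmed against the implementation. `Hacl_HMAC_DRBG_create_in` returns a state holding three pointers (`k`, `v`, `reseed_counter`), presumably heap-allocated given the `create_in` naming, yet no release function is declared in this hunk, so ownership and zeroisation of the secret `k`/`v` material are undocumented. The parameter names `additional_input_input_len` / `additional_input_input` on `reseed` read as a generator slip; `additional_input_len` / `additional_input` would match `generate`.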
diff --git a/include/Hacl_HPKE_Curve51_CP128_SHA256.h b/include/Hacl_HPKE_Curve51_CP128_SHA256.h
new file mode 100644
index 00000000..f337e4c2
--- /dev/null
+++ b/include/Hacl_HPKE_Curve51_CP128_SHA256.h
@@ -0,0 +1,92 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_HPKE_Curve51_CP128_SHA256_H
+#define __Hacl_HPKE_Curve51_CP128_SHA256_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Hash_SHA2.h"
+#include "Hacl_HKDF.h"
+#include "Hacl_Curve25519_51.h"
+#include "Hacl_Chacha20Poly1305_128.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+uint32_t
+Hacl_HPKE_Curve51_CP128_SHA256_setupBaseI(
+ uint8_t *o_pkE,
+ uint8_t *o_k,
+ uint8_t *o_n,
+ uint8_t *skE,
+ uint8_t *pkR,
+ uint32_t infolen,
+ uint8_t *info
+);
+
+uint32_t
+Hacl_HPKE_Curve51_CP128_SHA256_setupBaseR(
+ uint8_t *o_key_aead,
+ uint8_t *o_nonce_aead,
+ uint8_t *pkE,
+ uint8_t *skR,
+ uint32_t infolen,
+ uint8_t *info
+);
+
+uint32_t
+Hacl_HPKE_Curve51_CP128_SHA256_sealBase(
+ uint8_t *skE,
+ uint8_t *pkR,
+ uint32_t mlen,
+ uint8_t *m,
+ uint32_t infolen,
+ uint8_t *info,
+ uint8_t *output
+);
+
+uint32_t
+Hacl_HPKE_Curve51_CP128_SHA256_openBase(
+ uint8_t *pkE,
+ uint8_t *skR,
+ uint32_t mlen,
+ uint8_t *m,
+ uint32_t infolen,
+ uint8_t *info,
+ uint8_t *output
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_HPKE_Curve51_CP128_SHA256_H_DEFINED
+#endif
diff --git a/include/Hacl_HPKE_Curve51_CP128_SHA512.h b/include/Hacl_HPKE_Curve51_CP128_SHA512.h
new file mode 100644
index 00000000..1c870340
--- /dev/null
+++ b/include/Hacl_HPKE_Curve51_CP128_SHA512.h
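Review bot: All four HPKE entry points return `uint32_t` and none says what the value means; in particular a caller of `openBase` must know that a non-zero result is an authentication failure after which `output` has to be discarded, and `sealBase` needs the required size of `output` (presumably `mlen` plus the 16-byte Poly1305 tag) spelled out. The `setupBaseI`/`setupBaseR` naming and the absence of an explicit `enc` length parameter point to an early HPKE draft rather than the final RFC 9180 construction; because the KDF labels changed between draft versions, ciphertexts are not interoperable across them, so the header should name the draft version it implements. Suggested comments: `/* Returns 0 on success; any other value is a failure and output is unspecified. */` above each function and, for `sealBase`, `/* output must hold mlen + 16 bytes. */`. The same applies to the other seven Hacl_HPKE_*.h headers added below (the SHA512, CP256, CP32 and Curve64 variants).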
@@ -0,0 +1,92 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_HPKE_Curve51_CP128_SHA512_H
+#define __Hacl_HPKE_Curve51_CP128_SHA512_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Hash_SHA2.h"
+#include "Hacl_HKDF.h"
+#include "Hacl_Curve25519_51.h"
+#include "Hacl_Chacha20Poly1305_128.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+uint32_t
+Hacl_HPKE_Curve51_CP128_SHA512_setupBaseI(
+ uint8_t *o_pkE,
+ uint8_t *o_k,
+ uint8_t *o_n,
+ uint8_t *skE,
+ uint8_t *pkR,
+ uint32_t infolen,
+ uint8_t *info
+);
+
+uint32_t
+Hacl_HPKE_Curve51_CP128_SHA512_setupBaseR(
+ uint8_t *o_key_aead,
+ uint8_t *o_nonce_aead,
+ uint8_t *pkE,
+ uint8_t *skR,
+ uint32_t infolen,
+ uint8_t *info
+);
+
+uint32_t
+Hacl_HPKE_Curve51_CP128_SHA512_sealBase(
+ uint8_t *skE,
+ uint8_t *pkR,
+ uint32_t mlen,
+ uint8_t *m,
+ uint32_t infolen,
+ uint8_t *info,
+ uint8_t *output
+);
+
+uint32_t
+Hacl_HPKE_Curve51_CP128_SHA512_openBase(
+ uint8_t *pkE,
+ uint8_t *skR,
+ uint32_t mlen,
+ uint8_t *m,
+ uint32_t infolen,
+ uint8_t *info,
+ uint8_t *output
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_HPKE_Curve51_CP128_SHA512_H_DEFINED
+#endif
diff --git a/include/Hacl_HPKE_Curve51_CP256_SHA256.h b/include/Hacl_HPKE_Curve51_CP256_SHA256.h
new file mode 100644
index 00000000..9c2c8fb9
--- /dev/null
+++ b/include/Hacl_HPKE_Curve51_CP256_SHA256.h
@@ -0,0 +1,92 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_HPKE_Curve51_CP256_SHA256_H
+#define __Hacl_HPKE_Curve51_CP256_SHA256_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Hash_SHA2.h"
+#include "Hacl_HKDF.h"
+#include "Hacl_Curve25519_51.h"
+#include "Hacl_Chacha20Poly1305_256.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+uint32_t
+Hacl_HPKE_Curve51_CP256_SHA256_setupBaseI(
+ uint8_t *o_pkE,
+ uint8_t *o_k,
+ uint8_t *o_n,
+ uint8_t *skE,
+ uint8_t *pkR,
+ uint32_t infolen,
+ uint8_t *info
+);
+
+uint32_t
+Hacl_HPKE_Curve51_CP256_SHA256_setupBaseR(
+ uint8_t *o_key_aead,
+ uint8_t *o_nonce_aead,
+ uint8_t *pkE,
+ uint8_t *skR,
+ uint32_t infolen,
+ uint8_t *info
+);
+
+uint32_t
+Hacl_HPKE_Curve51_CP256_SHA256_sealBase(
+ uint8_t *skE,
+ uint8_t *pkR,
+ uint32_t mlen,
+ uint8_t *m,
+ uint32_t infolen,
+ uint8_t *info,
+ uint8_t *output
+);
+
+uint32_t
+Hacl_HPKE_Curve51_CP256_SHA256_openBase(
+ uint8_t *pkE,
+ uint8_t *skR,
+ uint32_t mlen,
+ uint8_t *m,
+ uint32_t infolen,
+ uint8_t *info,
+ uint8_t *output
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_HPKE_Curve51_CP256_SHA256_H_DEFINED
+#endif
diff --git a/include/Hacl_HPKE_Curve51_CP256_SHA512.h b/include/Hacl_HPKE_Curve51_CP256_SHA512.h
new file mode 100644
index 00000000..b03673d0
--- /dev/null
+++ b/include/Hacl_HPKE_Curve51_CP256_SHA512.h
@@ -0,0 +1,92 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_HPKE_Curve51_CP256_SHA512_H
+#define __Hacl_HPKE_Curve51_CP256_SHA512_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Hash_SHA2.h"
+#include "Hacl_HKDF.h"
+#include "Hacl_Curve25519_51.h"
+#include "Hacl_Chacha20Poly1305_256.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+uint32_t
+Hacl_HPKE_Curve51_CP256_SHA512_setupBaseI(
+ uint8_t *o_pkE,
+ uint8_t *o_k,
+ uint8_t *o_n,
+ uint8_t *skE,
+ uint8_t *pkR,
+ uint32_t infolen,
+ uint8_t *info
+);
+
+uint32_t
+Hacl_HPKE_Curve51_CP256_SHA512_setupBaseR(
+ uint8_t *o_key_aead,
+ uint8_t *o_nonce_aead,
+ uint8_t *pkE,
+ uint8_t *skR,
+ uint32_t infolen,
+ uint8_t *info
+);
+
+uint32_t
+Hacl_HPKE_Curve51_CP256_SHA512_sealBase(
+ uint8_t *skE,
+ uint8_t *pkR,
+ uint32_t mlen,
+ uint8_t *m,
+ uint32_t infolen,
+ uint8_t *info,
+ uint8_t *output
+);
+
+uint32_t
+Hacl_HPKE_Curve51_CP256_SHA512_openBase(
+ uint8_t *pkE,
+ uint8_t *skR,
+ uint32_t mlen,
+ uint8_t *m,
+ uint32_t infolen,
+ uint8_t *info,
+ uint8_t *output
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_HPKE_Curve51_CP256_SHA512_H_DEFINED
+#endif
diff --git a/include/Hacl_HPKE_Curve51_CP32_SHA256.h b/include/Hacl_HPKE_Curve51_CP32_SHA256.h
new file mode 100644
index 00000000..2e98b356
--- /dev/null
+++ b/include/Hacl_HPKE_Curve51_CP32_SHA256.h
@@ -0,0 +1,92 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_HPKE_Curve51_CP32_SHA256_H
+#define __Hacl_HPKE_Curve51_CP32_SHA256_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Hash_SHA2.h"
+#include "Hacl_HKDF.h"
+#include "Hacl_Curve25519_51.h"
+#include "Hacl_Chacha20Poly1305_32.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+uint32_t
+Hacl_HPKE_Curve51_CP32_SHA256_setupBaseI(
+ uint8_t *o_pkE,
+ uint8_t *o_k,
+ uint8_t *o_n,
+ uint8_t *skE,
+ uint8_t *pkR,
+ uint32_t infolen,
+ uint8_t *info
+);
+
+uint32_t
+Hacl_HPKE_Curve51_CP32_SHA256_setupBaseR(
+ uint8_t *o_key_aead,
+ uint8_t *o_nonce_aead,
+ uint8_t *pkE,
+ uint8_t *skR,
+ uint32_t infolen,
+ uint8_t *info
+);
+
+uint32_t
+Hacl_HPKE_Curve51_CP32_SHA256_sealBase(
+ uint8_t *skE,
+ uint8_t *pkR,
+ uint32_t mlen,
+ uint8_t *m,
+ uint32_t infolen,
+ uint8_t *info,
+ uint8_t *output
+);
+
+uint32_t
+Hacl_HPKE_Curve51_CP32_SHA256_openBase(
+ uint8_t *pkE,
+ uint8_t *skR,
+ uint32_t mlen,
+ uint8_t *m,
+ uint32_t infolen,
+ uint8_t *info,
+ uint8_t *output
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_HPKE_Curve51_CP32_SHA256_H_DEFINED
+#endif
diff --git a/include/Hacl_HPKE_Curve51_CP32_SHA512.h b/include/Hacl_HPKE_Curve51_CP32_SHA512.h
new file mode 100644
index 00000000..6533ca08
--- /dev/null
+++ b/include/Hacl_HPKE_Curve51_CP32_SHA512.h
@@ -0,0 +1,92 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_HPKE_Curve51_CP32_SHA512_H
+#define __Hacl_HPKE_Curve51_CP32_SHA512_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Hash_SHA2.h"
+#include "Hacl_HKDF.h"
+#include "Hacl_Curve25519_51.h"
+#include "Hacl_Chacha20Poly1305_32.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+uint32_t
+Hacl_HPKE_Curve51_CP32_SHA512_setupBaseI(
+ uint8_t *o_pkE,
+ uint8_t *o_k,
+ uint8_t *o_n,
+ uint8_t *skE,
+ uint8_t *pkR,
+ uint32_t infolen,
+ uint8_t *info
+);
+
+uint32_t
+Hacl_HPKE_Curve51_CP32_SHA512_setupBaseR(
+ uint8_t *o_key_aead,
+ uint8_t *o_nonce_aead,
+ uint8_t *pkE,
+ uint8_t *skR,
+ uint32_t infolen,
+ uint8_t *info
+);
+
+uint32_t
+Hacl_HPKE_Curve51_CP32_SHA512_sealBase(
+ uint8_t *skE,
+ uint8_t *pkR,
+ uint32_t mlen,
+ uint8_t *m,
+ uint32_t infolen,
+ uint8_t *info,
+ uint8_t *output
+);
+
+uint32_t
+Hacl_HPKE_Curve51_CP32_SHA512_openBase(
+ uint8_t *pkE,
+ uint8_t *skR,
+ uint32_t mlen,
+ uint8_t *m,
+ uint32_t infolen,
+ uint8_t *info,
+ uint8_t *output
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_HPKE_Curve51_CP32_SHA512_H_DEFINED
+#endif
diff --git a/include/Hacl_HPKE_Curve64_CP128_SHA256.h b/include/Hacl_HPKE_Curve64_CP128_SHA256.h
new file mode 100644
index 00000000..7e3ba549
--- /dev/null
+++ b/include/Hacl_HPKE_Curve64_CP128_SHA256.h
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve64_CP128_SHA256_H +#define __Hacl_HPKE_Curve64_CP128_SHA256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_Chacha20Poly1305_128.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve64_CP128_SHA256_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP128_SHA256_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP128_SHA256_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve64_CP128_SHA256_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve64_CP128_SHA256_H_DEFINED +#endif diff --git a/include/Hacl_HPKE_Curve64_CP128_SHA512.h b/include/Hacl_HPKE_Curve64_CP128_SHA512.h new file mode 100644 index 00000000..c8728cf0 --- /dev/null +++ b/include/Hacl_HPKE_Curve64_CP128_SHA512.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve64_CP128_SHA512_H +#define __Hacl_HPKE_Curve64_CP128_SHA512_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_Chacha20Poly1305_128.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve64_CP128_SHA512_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP128_SHA512_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP128_SHA512_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve64_CP128_SHA512_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve64_CP128_SHA512_H_DEFINED +#endif diff --git a/include/Hacl_HPKE_Curve64_CP256_SHA256.h b/include/Hacl_HPKE_Curve64_CP256_SHA256.h new file mode 100644 index 00000000..eddeb5fe --- /dev/null +++ b/include/Hacl_HPKE_Curve64_CP256_SHA256.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve64_CP256_SHA256_H +#define __Hacl_HPKE_Curve64_CP256_SHA256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_Chacha20Poly1305_256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve64_CP256_SHA256_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP256_SHA256_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP256_SHA256_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve64_CP256_SHA256_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve64_CP256_SHA256_H_DEFINED +#endif diff --git a/include/Hacl_HPKE_Curve64_CP256_SHA512.h b/include/Hacl_HPKE_Curve64_CP256_SHA512.h new file mode 100644 index 00000000..9294aaec --- /dev/null +++ b/include/Hacl_HPKE_Curve64_CP256_SHA512.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve64_CP256_SHA512_H +#define __Hacl_HPKE_Curve64_CP256_SHA512_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_Chacha20Poly1305_256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve64_CP256_SHA512_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP256_SHA512_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP256_SHA512_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve64_CP256_SHA512_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve64_CP256_SHA512_H_DEFINED +#endif diff --git a/include/Hacl_HPKE_Curve64_CP32_SHA256.h b/include/Hacl_HPKE_Curve64_CP32_SHA256.h new file mode 100644 index 00000000..603fe9a9 --- /dev/null +++ b/include/Hacl_HPKE_Curve64_CP32_SHA256.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve64_CP32_SHA256_H +#define __Hacl_HPKE_Curve64_CP32_SHA256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_Chacha20Poly1305_32.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve64_CP32_SHA256_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP32_SHA256_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP32_SHA256_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve64_CP32_SHA256_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve64_CP32_SHA256_H_DEFINED +#endif diff --git a/include/Hacl_HPKE_Curve64_CP32_SHA512.h b/include/Hacl_HPKE_Curve64_CP32_SHA512.h new file mode 100644 index 00000000..ad1bab4e --- /dev/null +++ b/include/Hacl_HPKE_Curve64_CP32_SHA512.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve64_CP32_SHA512_H +#define __Hacl_HPKE_Curve64_CP32_SHA512_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_Chacha20Poly1305_32.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve64_CP32_SHA512_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP32_SHA512_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP32_SHA512_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve64_CP32_SHA512_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve64_CP32_SHA512_H_DEFINED +#endif diff --git a/include/Hacl_HPKE_P256_CP128_SHA256.h b/include/Hacl_HPKE_P256_CP128_SHA256.h new file mode 100644 index 00000000..857ec1c8 --- /dev/null +++ b/include/Hacl_HPKE_P256_CP128_SHA256.h 
@@ -0,0 +1,91 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_P256_CP128_SHA256_H +#define __Hacl_HPKE_P256_CP128_SHA256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Chacha20Poly1305_128.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_P256_CP128_SHA256_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_P256_CP128_SHA256_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_P256_CP128_SHA256_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_P256_CP128_SHA256_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_P256_CP128_SHA256_H_DEFINED +#endif diff --git a/include/Hacl_HPKE_P256_CP256_SHA256.h b/include/Hacl_HPKE_P256_CP256_SHA256.h new file mode 100644 index 00000000..60a4febf --- /dev/null +++ b/include/Hacl_HPKE_P256_CP256_SHA256.h 
@@ -0,0 +1,91 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_P256_CP256_SHA256_H +#define __Hacl_HPKE_P256_CP256_SHA256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Chacha20Poly1305_256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_P256_CP256_SHA256_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_P256_CP256_SHA256_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_P256_CP256_SHA256_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_P256_CP256_SHA256_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_P256_CP256_SHA256_H_DEFINED +#endif diff --git a/include/Hacl_HPKE_P256_CP32_SHA256.h b/include/Hacl_HPKE_P256_CP32_SHA256.h new file mode 100644 index 00000000..77430c7f --- /dev/null +++ b/include/Hacl_HPKE_P256_CP32_SHA256.h 
@@ -0,0 +1,91 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_P256_CP32_SHA256_H +#define __Hacl_HPKE_P256_CP32_SHA256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Chacha20Poly1305_32.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_P256_CP32_SHA256_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_P256_CP32_SHA256_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_P256_CP32_SHA256_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_P256_CP32_SHA256_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_P256_CP32_SHA256_H_DEFINED +#endif diff --git a/include/Hacl_Hash_Base.h b/include/Hacl_Hash_Base.h new file mode 100644 index 00000000..e4ec8cad --- /dev/null +++ b/include/Hacl_Hash_Base.h 
@@ -0,0 +1,54 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Hash_Base_H +#define __Hacl_Hash_Base_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Spec.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t Hacl_Hash_Definitions_word_len(Spec_Hash_Definitions_hash_alg a); + +uint32_t Hacl_Hash_Definitions_block_len(Spec_Hash_Definitions_hash_alg a); + +uint32_t Hacl_Hash_Definitions_hash_word_len(Spec_Hash_Definitions_hash_alg a); + +uint32_t Hacl_Hash_Definitions_hash_len(Spec_Hash_Definitions_hash_alg a); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Hash_Base_H_DEFINED +#endif 
diff --git a/include/Hacl_Hash_Blake2.h b/include/Hacl_Hash_Blake2.h new file mode 100644 index 00000000..9651ffa2 --- /dev/null +++ b/include/Hacl_Hash_Blake2.h 
@@ -0,0 +1,140 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Hash_Blake2_H +#define __Hacl_Hash_Blake2_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Lib_Memzero0.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Impl_Blake2_Constants.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +#define Hacl_Impl_Blake2_Core_M32 0 +#define Hacl_Impl_Blake2_Core_M128 1 +#define Hacl_Impl_Blake2_Core_M256 2 + +typedef uint8_t Hacl_Impl_Blake2_Core_m_spec; + +void Hacl_Blake2b_32_blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn); + +void +Hacl_Blake2b_32_blake2b_update_key( + uint64_t *wv, + uint64_t *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll +); + +void +Hacl_Blake2b_32_blake2b_update_multi( + uint32_t len, + uint64_t *wv, + uint64_t *hash, + FStar_UInt128_uint128 prev, + uint8_t *blocks, + uint32_t nb +); + +void +Hacl_Blake2b_32_blake2b_update_last( + uint32_t len, + uint64_t *wv, + uint64_t *hash, + FStar_UInt128_uint128 prev, + uint32_t rem, + uint8_t *d +); + +void Hacl_Blake2b_32_blake2b_finish(uint32_t nn, uint8_t *output, uint64_t *hash); + +void +Hacl_Blake2b_32_blake2b( + uint32_t nn, + uint8_t *output, + uint32_t ll, + uint8_t *d, + uint32_t kk, + uint8_t *k +); + +void Hacl_Blake2s_32_blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn); + +void +Hacl_Blake2s_32_blake2s_update_key( + uint32_t *wv, + uint32_t *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll +); + +void +Hacl_Blake2s_32_blake2s_update_multi( + uint32_t len, + uint32_t *wv, + uint32_t *hash, + uint64_t prev, + uint8_t *blocks, + uint32_t nb +); + +void +Hacl_Blake2s_32_blake2s_update_last( + uint32_t len, + uint32_t *wv, + uint32_t *hash, + uint64_t prev, + uint32_t rem, + uint8_t *d +); + +void Hacl_Blake2s_32_blake2s_finish(uint32_t nn, uint8_t *output, uint32_t *hash); + +void +Hacl_Blake2s_32_blake2s( + uint32_t nn, + uint8_t *output, + uint32_t ll, + uint8_t 
*d, + uint32_t kk, + uint8_t *k +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Hash_Blake2_H_DEFINED +#endif diff --git a/include/Hacl_Hash_Blake2b_256.h b/include/Hacl_Hash_Blake2b_256.h new file mode 100644 index 00000000..8514a6d1 --- /dev/null +++ b/include/Hacl_Hash_Blake2b_256.h 
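Review bot: `Hacl_Blake2b_32_blake2b(nn, output, ll, d, kk, k)` and `Hacl_Blake2s_32_blake2s` take the digest length `nn` and key length `kk` as plain `uint32_t` with no statement of their valid ranges or of whether the implementation rejects out-of-range values; the BLAKE2 specification bounds both (64 bytes for BLAKE2b, 32 for BLAKE2s), and if the C code relies on the caller to respect those bounds, an oversized `nn` or `kk` would mean an out-of-bounds write to `output` or read from `k`, so the contract should be written down. The incremental API has the same gap for the `hash` and `wv` state buffers passed to `_init`, `_update_key`, `_update_multi` and `_update_last`, whose required element counts are not visible anywhere in the header; the same applies to the `Hacl_Hash_Blake2b_256.h` and `Hacl_Hash_Blake2s_128.h` headers in this commit. A short comment per entry point, e.g. `/* nn: digest length in bytes (1..64); kk: key length in bytes (0..64, 0 = unkeyed); output must hold nn bytes — caller-validated unless the implementation checks, confirm */`, would suffice; as the header appears generated, the text should come from the F* source or accompanying docs. Style: `Hacl_Impl_Blake2_Core_M32/M128/M256` are `#define`d integers paired with `typedef uint8_t Hacl_Impl_Blake2_Core_m_spec;`, where an `enum` would be type-checked and debugger-visible.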
@@ -0,0 +1,97 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Hash_Blake2b_256_H +#define __Hacl_Hash_Blake2b_256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Lib_Memzero0.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Impl_Blake2_Constants.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Blake2b_256_blake2b_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t kk, uint32_t nn); + +void +Hacl_Blake2b_256_blake2b_update_key( + Lib_IntVector_Intrinsics_vec256 *wv, + Lib_IntVector_Intrinsics_vec256 *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll +); + +void +Hacl_Blake2b_256_blake2b_update_multi( + uint32_t len, + Lib_IntVector_Intrinsics_vec256 *wv, + Lib_IntVector_Intrinsics_vec256 *hash, + FStar_UInt128_uint128 prev, + uint8_t *blocks, + uint32_t nb +); + +void +Hacl_Blake2b_256_blake2b_update_last( + uint32_t len, + Lib_IntVector_Intrinsics_vec256 *wv, + Lib_IntVector_Intrinsics_vec256 *hash, + FStar_UInt128_uint128 prev, + uint32_t rem, + uint8_t *d +); + +void +Hacl_Blake2b_256_blake2b_finish( + uint32_t nn, + uint8_t *output, + Lib_IntVector_Intrinsics_vec256 *hash +); + +void +Hacl_Blake2b_256_blake2b( + uint32_t nn, + uint8_t *output, + uint32_t ll, + uint8_t *d, + uint32_t kk, + uint8_t *k +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Hash_Blake2b_256_H_DEFINED +#endif diff --git a/include/Hacl_Hash_Blake2s_128.h b/include/Hacl_Hash_Blake2s_128.h new file mode 100644 index 00000000..228298b9 --- /dev/null +++ b/include/Hacl_Hash_Blake2s_128.h 
@@ -0,0 +1,97 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Hash_Blake2s_128_H +#define __Hacl_Hash_Blake2s_128_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Lib_Memzero0.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Impl_Blake2_Constants.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Blake2s_128_blake2s_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t kk, uint32_t nn); + +void +Hacl_Blake2s_128_blake2s_update_key( + Lib_IntVector_Intrinsics_vec128 *wv, + Lib_IntVector_Intrinsics_vec128 *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll +); + +void +Hacl_Blake2s_128_blake2s_update_multi( + uint32_t len, + Lib_IntVector_Intrinsics_vec128 *wv, + Lib_IntVector_Intrinsics_vec128 *hash, + uint64_t prev, + uint8_t *blocks, + uint32_t nb +); + +void +Hacl_Blake2s_128_blake2s_update_last( + uint32_t len, + Lib_IntVector_Intrinsics_vec128 *wv, + Lib_IntVector_Intrinsics_vec128 *hash, + uint64_t prev, + uint32_t rem, + uint8_t *d +); + +void +Hacl_Blake2s_128_blake2s_finish( + uint32_t nn, + uint8_t *output, + Lib_IntVector_Intrinsics_vec128 *hash +); + +void +Hacl_Blake2s_128_blake2s( + uint32_t nn, + uint8_t *output, + uint32_t ll, + uint8_t *d, + uint32_t kk, + uint8_t *k +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Hash_Blake2s_128_H_DEFINED +#endif diff --git a/include/Hacl_Hash_MD5.h b/include/Hacl_Hash_MD5.h new file mode 100644 index 00000000..178aa51f --- /dev/null +++ b/include/Hacl_Hash_MD5.h 
@@ -0,0 +1,58 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Hash_MD5_H +#define __Hacl_Hash_MD5_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void Hacl_Hash_MD5_legacy_update_multi(uint32_t *s, uint8_t *blocks, uint32_t n_blocks); + +void +Hacl_Hash_MD5_legacy_update_last( + uint32_t *s, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +); + +void Hacl_Hash_MD5_legacy_hash(uint8_t *input, uint32_t input_len, uint8_t *dst); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Hash_MD5_H_DEFINED +#endif 
diff --git a/include/Hacl_Hash_SHA1.h b/include/Hacl_Hash_SHA1.h new file mode 100644 index 00000000..d7af8c3c --- /dev/null +++ b/include/Hacl_Hash_SHA1.h 
@@ -0,0 +1,58 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Hash_SHA1_H +#define __Hacl_Hash_SHA1_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void Hacl_Hash_SHA1_legacy_update_multi(uint32_t *s, uint8_t *blocks, uint32_t n_blocks); + +void +Hacl_Hash_SHA1_legacy_update_last( + uint32_t *s, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +); + +void Hacl_Hash_SHA1_legacy_hash(uint8_t *input, uint32_t input_len, uint8_t *dst); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Hash_SHA1_H_DEFINED +#endif 
diff --git a/include/Hacl_Hash_SHA2.h b/include/Hacl_Hash_SHA2.h new file mode 100644 index 00000000..31eaea37 --- /dev/null +++ b/include/Hacl_Hash_SHA2.h 
@@ -0,0 +1,94 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Hash_SHA2_H +#define __Hacl_Hash_SHA2_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void Hacl_Hash_SHA2_update_multi_224(uint32_t *s, uint8_t *blocks, uint32_t n_blocks); + +void Hacl_Hash_SHA2_update_multi_256(uint32_t *s, uint8_t *blocks, uint32_t n_blocks); + +void Hacl_Hash_SHA2_update_multi_384(uint64_t *s, uint8_t *blocks, uint32_t n_blocks); + +void Hacl_Hash_SHA2_update_multi_512(uint64_t *s, uint8_t *blocks, uint32_t n_blocks); + +void +Hacl_Hash_SHA2_update_last_224( + uint32_t *s, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +); + +void +Hacl_Hash_SHA2_update_last_256( + uint32_t *s, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +); + +void +Hacl_Hash_SHA2_update_last_384( + uint64_t *s, + FStar_UInt128_uint128 prev_len, + uint8_t *input, + uint32_t input_len +); + +void +Hacl_Hash_SHA2_update_last_512( + uint64_t *s, + FStar_UInt128_uint128 prev_len, + uint8_t *input, + uint32_t input_len +); + +void Hacl_Hash_SHA2_hash_224(uint8_t *input, uint32_t input_len, uint8_t *dst); + +void Hacl_Hash_SHA2_hash_256(uint8_t *input, uint32_t input_len, uint8_t *dst); + +void Hacl_Hash_SHA2_hash_384(uint8_t *input, uint32_t input_len, uint8_t *dst); + +void Hacl_Hash_SHA2_hash_512(uint8_t *input, uint32_t input_len, uint8_t *dst); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Hash_SHA2_H_DEFINED +#endif diff --git a/include/Hacl_Impl_Blake2_Constants.h b/include/Hacl_Impl_Blake2_Constants.h new file mode 100644 index 00000000..173269b7 --- /dev/null +++ b/include/Hacl_Impl_Blake2_Constants.h 
@@ -0,0 +1,96 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Impl_Blake2_Constants_H +#define __Hacl_Impl_Blake2_Constants_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +static const +uint32_t +Hacl_Impl_Blake2_Constants_sigmaTable[160U] = + { + (uint32_t)0U, (uint32_t)1U, (uint32_t)2U, (uint32_t)3U, (uint32_t)4U, (uint32_t)5U, + (uint32_t)6U, (uint32_t)7U, (uint32_t)8U, (uint32_t)9U, (uint32_t)10U, (uint32_t)11U, + (uint32_t)12U, (uint32_t)13U, (uint32_t)14U, (uint32_t)15U, (uint32_t)14U, (uint32_t)10U, + (uint32_t)4U, (uint32_t)8U, (uint32_t)9U, (uint32_t)15U, (uint32_t)13U, (uint32_t)6U, + (uint32_t)1U, (uint32_t)12U, (uint32_t)0U, (uint32_t)2U, (uint32_t)11U, (uint32_t)7U, + (uint32_t)5U, (uint32_t)3U, (uint32_t)11U, (uint32_t)8U, (uint32_t)12U, (uint32_t)0U, + (uint32_t)5U, (uint32_t)2U, (uint32_t)15U, (uint32_t)13U, (uint32_t)10U, (uint32_t)14U, + (uint32_t)3U, (uint32_t)6U, (uint32_t)7U, (uint32_t)1U, (uint32_t)9U, (uint32_t)4U, + (uint32_t)7U, (uint32_t)9U, (uint32_t)3U, (uint32_t)1U, (uint32_t)13U, (uint32_t)12U, + (uint32_t)11U, (uint32_t)14U, (uint32_t)2U, (uint32_t)6U, (uint32_t)5U, (uint32_t)10U, + (uint32_t)4U, (uint32_t)0U, (uint32_t)15U, (uint32_t)8U, (uint32_t)9U, (uint32_t)0U, + (uint32_t)5U, (uint32_t)7U, (uint32_t)2U, (uint32_t)4U, (uint32_t)10U, (uint32_t)15U, + (uint32_t)14U, (uint32_t)1U, (uint32_t)11U, (uint32_t)12U, (uint32_t)6U, (uint32_t)8U, + (uint32_t)3U, (uint32_t)13U, (uint32_t)2U, (uint32_t)12U, (uint32_t)6U, (uint32_t)10U, + (uint32_t)0U, (uint32_t)11U, (uint32_t)8U, (uint32_t)3U, (uint32_t)4U, (uint32_t)13U, + (uint32_t)7U, (uint32_t)5U, (uint32_t)15U, (uint32_t)14U, (uint32_t)1U, (uint32_t)9U, + (uint32_t)12U, (uint32_t)5U, (uint32_t)1U, (uint32_t)15U, (uint32_t)14U, (uint32_t)13U, + (uint32_t)4U, (uint32_t)10U, (uint32_t)0U, (uint32_t)7U, (uint32_t)6U, 
(uint32_t)3U, + (uint32_t)9U, (uint32_t)2U, (uint32_t)8U, (uint32_t)11U, (uint32_t)13U, (uint32_t)11U, + (uint32_t)7U, (uint32_t)14U, (uint32_t)12U, (uint32_t)1U, (uint32_t)3U, (uint32_t)9U, + (uint32_t)5U, (uint32_t)0U, (uint32_t)15U, (uint32_t)4U, (uint32_t)8U, (uint32_t)6U, + (uint32_t)2U, (uint32_t)10U, (uint32_t)6U, (uint32_t)15U, (uint32_t)14U, (uint32_t)9U, + (uint32_t)11U, (uint32_t)3U, (uint32_t)0U, (uint32_t)8U, (uint32_t)12U, (uint32_t)2U, + (uint32_t)13U, (uint32_t)7U, (uint32_t)1U, (uint32_t)4U, (uint32_t)10U, (uint32_t)5U, + (uint32_t)10U, (uint32_t)2U, (uint32_t)8U, (uint32_t)4U, (uint32_t)7U, (uint32_t)6U, + (uint32_t)1U, (uint32_t)5U, (uint32_t)15U, (uint32_t)11U, (uint32_t)9U, (uint32_t)14U, + (uint32_t)3U, (uint32_t)12U, (uint32_t)13U + }; + +static const +uint32_t +Hacl_Impl_Blake2_Constants_ivTable_S[8U] = + { + (uint32_t)0x6A09E667U, (uint32_t)0xBB67AE85U, (uint32_t)0x3C6EF372U, (uint32_t)0xA54FF53AU, + (uint32_t)0x510E527FU, (uint32_t)0x9B05688CU, (uint32_t)0x1F83D9ABU, (uint32_t)0x5BE0CD19U + }; + +static const +uint64_t +Hacl_Impl_Blake2_Constants_ivTable_B[8U] = + { + (uint64_t)0x6A09E667F3BCC908U, (uint64_t)0xBB67AE8584CAA73BU, (uint64_t)0x3C6EF372FE94F82BU, + (uint64_t)0xA54FF53A5F1D36F1U, (uint64_t)0x510E527FADE682D1U, (uint64_t)0x9B05688C2B3E6C1FU, + (uint64_t)0x1F83D9ABFB41BD6BU, (uint64_t)0x5BE0CD19137E2179U + }; + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Impl_Blake2_Constants_H_DEFINED +#endif diff --git a/include/Hacl_Impl_FFDHE_Constants.h b/include/Hacl_Impl_FFDHE_Constants.h new file mode 100644 index 00000000..539eb949 --- /dev/null +++ b/include/Hacl_Impl_FFDHE_Constants.h 
@@ -0,0 +1,570 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Impl_FFDHE_Constants_H +#define __Hacl_Impl_FFDHE_Constants_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +static const uint8_t Hacl_Impl_FFDHE_Constants_ffdhe_g2[1U] = { (uint8_t)0x02U }; + +static const +uint8_t +Hacl_Impl_FFDHE_Constants_ffdhe_p2048[256U] = + { + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xADU, (uint8_t)0xF8U, (uint8_t)0x54U, (uint8_t)0x58U, + (uint8_t)0xA2U, (uint8_t)0xBBU, (uint8_t)0x4AU, (uint8_t)0x9AU, (uint8_t)0xAFU, (uint8_t)0xDCU, + (uint8_t)0x56U, (uint8_t)0x20U, (uint8_t)0x27U, (uint8_t)0x3DU, (uint8_t)0x3CU, (uint8_t)0xF1U, + (uint8_t)0xD8U, (uint8_t)0xB9U, (uint8_t)0xC5U, (uint8_t)0x83U, (uint8_t)0xCEU, (uint8_t)0x2DU, + (uint8_t)0x36U, (uint8_t)0x95U, (uint8_t)0xA9U, (uint8_t)0xE1U, (uint8_t)0x36U, (uint8_t)0x41U, + (uint8_t)0x14U, (uint8_t)0x64U, (uint8_t)0x33U, (uint8_t)0xFBU, (uint8_t)0xCCU, (uint8_t)0x93U, + (uint8_t)0x9DU, (uint8_t)0xCEU, (uint8_t)0x24U, (uint8_t)0x9BU, (uint8_t)0x3EU, (uint8_t)0xF9U, + (uint8_t)0x7DU, (uint8_t)0x2FU, (uint8_t)0xE3U, (uint8_t)0x63U, (uint8_t)0x63U, (uint8_t)0x0CU, + (uint8_t)0x75U, (uint8_t)0xD8U, (uint8_t)0xF6U, (uint8_t)0x81U, (uint8_t)0xB2U, (uint8_t)0x02U, + (uint8_t)0xAEU, (uint8_t)0xC4U, (uint8_t)0x61U, (uint8_t)0x7AU, (uint8_t)0xD3U, (uint8_t)0xDFU, + (uint8_t)0x1EU, (uint8_t)0xD5U, (uint8_t)0xD5U, (uint8_t)0xFDU, (uint8_t)0x65U, (uint8_t)0x61U, + (uint8_t)0x24U, (uint8_t)0x33U, (uint8_t)0xF5U, (uint8_t)0x1FU, (uint8_t)0x5FU, (uint8_t)0x06U, + (uint8_t)0x6EU, (uint8_t)0xD0U, (uint8_t)0x85U, (uint8_t)0x63U, (uint8_t)0x65U, (uint8_t)0x55U, + (uint8_t)0x3DU, (uint8_t)0xEDU, (uint8_t)0x1AU, (uint8_t)0xF3U, (uint8_t)0xB5U, (uint8_t)0x57U, + (uint8_t)0x13U, (uint8_t)0x5EU, 
(uint8_t)0x7FU, (uint8_t)0x57U, (uint8_t)0xC9U, (uint8_t)0x35U, + (uint8_t)0x98U, (uint8_t)0x4FU, (uint8_t)0x0CU, (uint8_t)0x70U, (uint8_t)0xE0U, (uint8_t)0xE6U, + (uint8_t)0x8BU, (uint8_t)0x77U, (uint8_t)0xE2U, (uint8_t)0xA6U, (uint8_t)0x89U, (uint8_t)0xDAU, + (uint8_t)0xF3U, (uint8_t)0xEFU, (uint8_t)0xE8U, (uint8_t)0x72U, (uint8_t)0x1DU, (uint8_t)0xF1U, + (uint8_t)0x58U, (uint8_t)0xA1U, (uint8_t)0x36U, (uint8_t)0xADU, (uint8_t)0xE7U, (uint8_t)0x35U, + (uint8_t)0x30U, (uint8_t)0xACU, (uint8_t)0xCAU, (uint8_t)0x4FU, (uint8_t)0x48U, (uint8_t)0x3AU, + (uint8_t)0x79U, (uint8_t)0x7AU, (uint8_t)0xBCU, (uint8_t)0x0AU, (uint8_t)0xB1U, (uint8_t)0x82U, + (uint8_t)0xB3U, (uint8_t)0x24U, (uint8_t)0xFBU, (uint8_t)0x61U, (uint8_t)0xD1U, (uint8_t)0x08U, + (uint8_t)0xA9U, (uint8_t)0x4BU, (uint8_t)0xB2U, (uint8_t)0xC8U, (uint8_t)0xE3U, (uint8_t)0xFBU, + (uint8_t)0xB9U, (uint8_t)0x6AU, (uint8_t)0xDAU, (uint8_t)0xB7U, (uint8_t)0x60U, (uint8_t)0xD7U, + (uint8_t)0xF4U, (uint8_t)0x68U, (uint8_t)0x1DU, (uint8_t)0x4FU, (uint8_t)0x42U, (uint8_t)0xA3U, + (uint8_t)0xDEU, (uint8_t)0x39U, (uint8_t)0x4DU, (uint8_t)0xF4U, (uint8_t)0xAEU, (uint8_t)0x56U, + (uint8_t)0xEDU, (uint8_t)0xE7U, (uint8_t)0x63U, (uint8_t)0x72U, (uint8_t)0xBBU, (uint8_t)0x19U, + (uint8_t)0x0BU, (uint8_t)0x07U, (uint8_t)0xA7U, (uint8_t)0xC8U, (uint8_t)0xEEU, (uint8_t)0x0AU, + (uint8_t)0x6DU, (uint8_t)0x70U, (uint8_t)0x9EU, (uint8_t)0x02U, (uint8_t)0xFCU, (uint8_t)0xE1U, + (uint8_t)0xCDU, (uint8_t)0xF7U, (uint8_t)0xE2U, (uint8_t)0xECU, (uint8_t)0xC0U, (uint8_t)0x34U, + (uint8_t)0x04U, (uint8_t)0xCDU, (uint8_t)0x28U, (uint8_t)0x34U, (uint8_t)0x2FU, (uint8_t)0x61U, + (uint8_t)0x91U, (uint8_t)0x72U, (uint8_t)0xFEU, (uint8_t)0x9CU, (uint8_t)0xE9U, (uint8_t)0x85U, + (uint8_t)0x83U, (uint8_t)0xFFU, (uint8_t)0x8EU, (uint8_t)0x4FU, (uint8_t)0x12U, (uint8_t)0x32U, + (uint8_t)0xEEU, (uint8_t)0xF2U, (uint8_t)0x81U, (uint8_t)0x83U, (uint8_t)0xC3U, (uint8_t)0xFEU, + (uint8_t)0x3BU, (uint8_t)0x1BU, (uint8_t)0x4CU, (uint8_t)0x6FU, 
(uint8_t)0xADU, (uint8_t)0x73U, + (uint8_t)0x3BU, (uint8_t)0xB5U, (uint8_t)0xFCU, (uint8_t)0xBCU, (uint8_t)0x2EU, (uint8_t)0xC2U, + (uint8_t)0x20U, (uint8_t)0x05U, (uint8_t)0xC5U, (uint8_t)0x8EU, (uint8_t)0xF1U, (uint8_t)0x83U, + (uint8_t)0x7DU, (uint8_t)0x16U, (uint8_t)0x83U, (uint8_t)0xB2U, (uint8_t)0xC6U, (uint8_t)0xF3U, + (uint8_t)0x4AU, (uint8_t)0x26U, (uint8_t)0xC1U, (uint8_t)0xB2U, (uint8_t)0xEFU, (uint8_t)0xFAU, + (uint8_t)0x88U, (uint8_t)0x6BU, (uint8_t)0x42U, (uint8_t)0x38U, (uint8_t)0x61U, (uint8_t)0x28U, + (uint8_t)0x5CU, (uint8_t)0x97U, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU + }; + +static const +uint8_t +Hacl_Impl_FFDHE_Constants_ffdhe_p3072[384U] = + { + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xADU, (uint8_t)0xF8U, (uint8_t)0x54U, (uint8_t)0x58U, + (uint8_t)0xA2U, (uint8_t)0xBBU, (uint8_t)0x4AU, (uint8_t)0x9AU, (uint8_t)0xAFU, (uint8_t)0xDCU, + (uint8_t)0x56U, (uint8_t)0x20U, (uint8_t)0x27U, (uint8_t)0x3DU, (uint8_t)0x3CU, (uint8_t)0xF1U, + (uint8_t)0xD8U, (uint8_t)0xB9U, (uint8_t)0xC5U, (uint8_t)0x83U, (uint8_t)0xCEU, (uint8_t)0x2DU, + (uint8_t)0x36U, (uint8_t)0x95U, (uint8_t)0xA9U, (uint8_t)0xE1U, (uint8_t)0x36U, (uint8_t)0x41U, + (uint8_t)0x14U, (uint8_t)0x64U, (uint8_t)0x33U, (uint8_t)0xFBU, (uint8_t)0xCCU, (uint8_t)0x93U, + (uint8_t)0x9DU, (uint8_t)0xCEU, (uint8_t)0x24U, (uint8_t)0x9BU, (uint8_t)0x3EU, (uint8_t)0xF9U, + (uint8_t)0x7DU, (uint8_t)0x2FU, (uint8_t)0xE3U, (uint8_t)0x63U, (uint8_t)0x63U, (uint8_t)0x0CU, + (uint8_t)0x75U, (uint8_t)0xD8U, (uint8_t)0xF6U, (uint8_t)0x81U, (uint8_t)0xB2U, (uint8_t)0x02U, + (uint8_t)0xAEU, (uint8_t)0xC4U, (uint8_t)0x61U, (uint8_t)0x7AU, (uint8_t)0xD3U, (uint8_t)0xDFU, + (uint8_t)0x1EU, (uint8_t)0xD5U, (uint8_t)0xD5U, (uint8_t)0xFDU, (uint8_t)0x65U, (uint8_t)0x61U, + (uint8_t)0x24U, (uint8_t)0x33U, (uint8_t)0xF5U, 
(uint8_t)0x1FU, (uint8_t)0x5FU, (uint8_t)0x06U, + (uint8_t)0x6EU, (uint8_t)0xD0U, (uint8_t)0x85U, (uint8_t)0x63U, (uint8_t)0x65U, (uint8_t)0x55U, + (uint8_t)0x3DU, (uint8_t)0xEDU, (uint8_t)0x1AU, (uint8_t)0xF3U, (uint8_t)0xB5U, (uint8_t)0x57U, + (uint8_t)0x13U, (uint8_t)0x5EU, (uint8_t)0x7FU, (uint8_t)0x57U, (uint8_t)0xC9U, (uint8_t)0x35U, + (uint8_t)0x98U, (uint8_t)0x4FU, (uint8_t)0x0CU, (uint8_t)0x70U, (uint8_t)0xE0U, (uint8_t)0xE6U, + (uint8_t)0x8BU, (uint8_t)0x77U, (uint8_t)0xE2U, (uint8_t)0xA6U, (uint8_t)0x89U, (uint8_t)0xDAU, + (uint8_t)0xF3U, (uint8_t)0xEFU, (uint8_t)0xE8U, (uint8_t)0x72U, (uint8_t)0x1DU, (uint8_t)0xF1U, + (uint8_t)0x58U, (uint8_t)0xA1U, (uint8_t)0x36U, (uint8_t)0xADU, (uint8_t)0xE7U, (uint8_t)0x35U, + (uint8_t)0x30U, (uint8_t)0xACU, (uint8_t)0xCAU, (uint8_t)0x4FU, (uint8_t)0x48U, (uint8_t)0x3AU, + (uint8_t)0x79U, (uint8_t)0x7AU, (uint8_t)0xBCU, (uint8_t)0x0AU, (uint8_t)0xB1U, (uint8_t)0x82U, + (uint8_t)0xB3U, (uint8_t)0x24U, (uint8_t)0xFBU, (uint8_t)0x61U, (uint8_t)0xD1U, (uint8_t)0x08U, + (uint8_t)0xA9U, (uint8_t)0x4BU, (uint8_t)0xB2U, (uint8_t)0xC8U, (uint8_t)0xE3U, (uint8_t)0xFBU, + (uint8_t)0xB9U, (uint8_t)0x6AU, (uint8_t)0xDAU, (uint8_t)0xB7U, (uint8_t)0x60U, (uint8_t)0xD7U, + (uint8_t)0xF4U, (uint8_t)0x68U, (uint8_t)0x1DU, (uint8_t)0x4FU, (uint8_t)0x42U, (uint8_t)0xA3U, + (uint8_t)0xDEU, (uint8_t)0x39U, (uint8_t)0x4DU, (uint8_t)0xF4U, (uint8_t)0xAEU, (uint8_t)0x56U, + (uint8_t)0xEDU, (uint8_t)0xE7U, (uint8_t)0x63U, (uint8_t)0x72U, (uint8_t)0xBBU, (uint8_t)0x19U, + (uint8_t)0x0BU, (uint8_t)0x07U, (uint8_t)0xA7U, (uint8_t)0xC8U, (uint8_t)0xEEU, (uint8_t)0x0AU, + (uint8_t)0x6DU, (uint8_t)0x70U, (uint8_t)0x9EU, (uint8_t)0x02U, (uint8_t)0xFCU, (uint8_t)0xE1U, + (uint8_t)0xCDU, (uint8_t)0xF7U, (uint8_t)0xE2U, (uint8_t)0xECU, (uint8_t)0xC0U, (uint8_t)0x34U, + (uint8_t)0x04U, (uint8_t)0xCDU, (uint8_t)0x28U, (uint8_t)0x34U, (uint8_t)0x2FU, (uint8_t)0x61U, + (uint8_t)0x91U, (uint8_t)0x72U, (uint8_t)0xFEU, (uint8_t)0x9CU, (uint8_t)0xE9U, 
(uint8_t)0x85U, + (uint8_t)0x83U, (uint8_t)0xFFU, (uint8_t)0x8EU, (uint8_t)0x4FU, (uint8_t)0x12U, (uint8_t)0x32U, + (uint8_t)0xEEU, (uint8_t)0xF2U, (uint8_t)0x81U, (uint8_t)0x83U, (uint8_t)0xC3U, (uint8_t)0xFEU, + (uint8_t)0x3BU, (uint8_t)0x1BU, (uint8_t)0x4CU, (uint8_t)0x6FU, (uint8_t)0xADU, (uint8_t)0x73U, + (uint8_t)0x3BU, (uint8_t)0xB5U, (uint8_t)0xFCU, (uint8_t)0xBCU, (uint8_t)0x2EU, (uint8_t)0xC2U, + (uint8_t)0x20U, (uint8_t)0x05U, (uint8_t)0xC5U, (uint8_t)0x8EU, (uint8_t)0xF1U, (uint8_t)0x83U, + (uint8_t)0x7DU, (uint8_t)0x16U, (uint8_t)0x83U, (uint8_t)0xB2U, (uint8_t)0xC6U, (uint8_t)0xF3U, + (uint8_t)0x4AU, (uint8_t)0x26U, (uint8_t)0xC1U, (uint8_t)0xB2U, (uint8_t)0xEFU, (uint8_t)0xFAU, + (uint8_t)0x88U, (uint8_t)0x6BU, (uint8_t)0x42U, (uint8_t)0x38U, (uint8_t)0x61U, (uint8_t)0x1FU, + (uint8_t)0xCFU, (uint8_t)0xDCU, (uint8_t)0xDEU, (uint8_t)0x35U, (uint8_t)0x5BU, (uint8_t)0x3BU, + (uint8_t)0x65U, (uint8_t)0x19U, (uint8_t)0x03U, (uint8_t)0x5BU, (uint8_t)0xBCU, (uint8_t)0x34U, + (uint8_t)0xF4U, (uint8_t)0xDEU, (uint8_t)0xF9U, (uint8_t)0x9CU, (uint8_t)0x02U, (uint8_t)0x38U, + (uint8_t)0x61U, (uint8_t)0xB4U, (uint8_t)0x6FU, (uint8_t)0xC9U, (uint8_t)0xD6U, (uint8_t)0xE6U, + (uint8_t)0xC9U, (uint8_t)0x07U, (uint8_t)0x7AU, (uint8_t)0xD9U, (uint8_t)0x1DU, (uint8_t)0x26U, + (uint8_t)0x91U, (uint8_t)0xF7U, (uint8_t)0xF7U, (uint8_t)0xEEU, (uint8_t)0x59U, (uint8_t)0x8CU, + (uint8_t)0xB0U, (uint8_t)0xFAU, (uint8_t)0xC1U, (uint8_t)0x86U, (uint8_t)0xD9U, (uint8_t)0x1CU, + (uint8_t)0xAEU, (uint8_t)0xFEU, (uint8_t)0x13U, (uint8_t)0x09U, (uint8_t)0x85U, (uint8_t)0x13U, + (uint8_t)0x92U, (uint8_t)0x70U, (uint8_t)0xB4U, (uint8_t)0x13U, (uint8_t)0x0CU, (uint8_t)0x93U, + (uint8_t)0xBCU, (uint8_t)0x43U, (uint8_t)0x79U, (uint8_t)0x44U, (uint8_t)0xF4U, (uint8_t)0xFDU, + (uint8_t)0x44U, (uint8_t)0x52U, (uint8_t)0xE2U, (uint8_t)0xD7U, (uint8_t)0x4DU, (uint8_t)0xD3U, + (uint8_t)0x64U, (uint8_t)0xF2U, (uint8_t)0xE2U, (uint8_t)0x1EU, (uint8_t)0x71U, (uint8_t)0xF5U, + (uint8_t)0x4BU, 
(uint8_t)0xFFU, (uint8_t)0x5CU, (uint8_t)0xAEU, (uint8_t)0x82U, (uint8_t)0xABU, + (uint8_t)0x9CU, (uint8_t)0x9DU, (uint8_t)0xF6U, (uint8_t)0x9EU, (uint8_t)0xE8U, (uint8_t)0x6DU, + (uint8_t)0x2BU, (uint8_t)0xC5U, (uint8_t)0x22U, (uint8_t)0x36U, (uint8_t)0x3AU, (uint8_t)0x0DU, + (uint8_t)0xABU, (uint8_t)0xC5U, (uint8_t)0x21U, (uint8_t)0x97U, (uint8_t)0x9BU, (uint8_t)0x0DU, + (uint8_t)0xEAU, (uint8_t)0xDAU, (uint8_t)0x1DU, (uint8_t)0xBFU, (uint8_t)0x9AU, (uint8_t)0x42U, + (uint8_t)0xD5U, (uint8_t)0xC4U, (uint8_t)0x48U, (uint8_t)0x4EU, (uint8_t)0x0AU, (uint8_t)0xBCU, + (uint8_t)0xD0U, (uint8_t)0x6BU, (uint8_t)0xFAU, (uint8_t)0x53U, (uint8_t)0xDDU, (uint8_t)0xEFU, + (uint8_t)0x3CU, (uint8_t)0x1BU, (uint8_t)0x20U, (uint8_t)0xEEU, (uint8_t)0x3FU, (uint8_t)0xD5U, + (uint8_t)0x9DU, (uint8_t)0x7CU, (uint8_t)0x25U, (uint8_t)0xE4U, (uint8_t)0x1DU, (uint8_t)0x2BU, + (uint8_t)0x66U, (uint8_t)0xC6U, (uint8_t)0x2EU, (uint8_t)0x37U, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU + }; + +static const +uint8_t +Hacl_Impl_FFDHE_Constants_ffdhe_p4096[512U] = + { + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xADU, (uint8_t)0xF8U, (uint8_t)0x54U, (uint8_t)0x58U, + (uint8_t)0xA2U, (uint8_t)0xBBU, (uint8_t)0x4AU, (uint8_t)0x9AU, (uint8_t)0xAFU, (uint8_t)0xDCU, + (uint8_t)0x56U, (uint8_t)0x20U, (uint8_t)0x27U, (uint8_t)0x3DU, (uint8_t)0x3CU, (uint8_t)0xF1U, + (uint8_t)0xD8U, (uint8_t)0xB9U, (uint8_t)0xC5U, (uint8_t)0x83U, (uint8_t)0xCEU, (uint8_t)0x2DU, + (uint8_t)0x36U, (uint8_t)0x95U, (uint8_t)0xA9U, (uint8_t)0xE1U, (uint8_t)0x36U, (uint8_t)0x41U, + (uint8_t)0x14U, (uint8_t)0x64U, (uint8_t)0x33U, (uint8_t)0xFBU, (uint8_t)0xCCU, (uint8_t)0x93U, + (uint8_t)0x9DU, (uint8_t)0xCEU, (uint8_t)0x24U, (uint8_t)0x9BU, (uint8_t)0x3EU, (uint8_t)0xF9U, + (uint8_t)0x7DU, (uint8_t)0x2FU, (uint8_t)0xE3U, (uint8_t)0x63U, 
(uint8_t)0x63U, (uint8_t)0x0CU, + (uint8_t)0x75U, (uint8_t)0xD8U, (uint8_t)0xF6U, (uint8_t)0x81U, (uint8_t)0xB2U, (uint8_t)0x02U, + (uint8_t)0xAEU, (uint8_t)0xC4U, (uint8_t)0x61U, (uint8_t)0x7AU, (uint8_t)0xD3U, (uint8_t)0xDFU, + (uint8_t)0x1EU, (uint8_t)0xD5U, (uint8_t)0xD5U, (uint8_t)0xFDU, (uint8_t)0x65U, (uint8_t)0x61U, + (uint8_t)0x24U, (uint8_t)0x33U, (uint8_t)0xF5U, (uint8_t)0x1FU, (uint8_t)0x5FU, (uint8_t)0x06U, + (uint8_t)0x6EU, (uint8_t)0xD0U, (uint8_t)0x85U, (uint8_t)0x63U, (uint8_t)0x65U, (uint8_t)0x55U, + (uint8_t)0x3DU, (uint8_t)0xEDU, (uint8_t)0x1AU, (uint8_t)0xF3U, (uint8_t)0xB5U, (uint8_t)0x57U, + (uint8_t)0x13U, (uint8_t)0x5EU, (uint8_t)0x7FU, (uint8_t)0x57U, (uint8_t)0xC9U, (uint8_t)0x35U, + (uint8_t)0x98U, (uint8_t)0x4FU, (uint8_t)0x0CU, (uint8_t)0x70U, (uint8_t)0xE0U, (uint8_t)0xE6U, + (uint8_t)0x8BU, (uint8_t)0x77U, (uint8_t)0xE2U, (uint8_t)0xA6U, (uint8_t)0x89U, (uint8_t)0xDAU, + (uint8_t)0xF3U, (uint8_t)0xEFU, (uint8_t)0xE8U, (uint8_t)0x72U, (uint8_t)0x1DU, (uint8_t)0xF1U, + (uint8_t)0x58U, (uint8_t)0xA1U, (uint8_t)0x36U, (uint8_t)0xADU, (uint8_t)0xE7U, (uint8_t)0x35U, + (uint8_t)0x30U, (uint8_t)0xACU, (uint8_t)0xCAU, (uint8_t)0x4FU, (uint8_t)0x48U, (uint8_t)0x3AU, + (uint8_t)0x79U, (uint8_t)0x7AU, (uint8_t)0xBCU, (uint8_t)0x0AU, (uint8_t)0xB1U, (uint8_t)0x82U, + (uint8_t)0xB3U, (uint8_t)0x24U, (uint8_t)0xFBU, (uint8_t)0x61U, (uint8_t)0xD1U, (uint8_t)0x08U, + (uint8_t)0xA9U, (uint8_t)0x4BU, (uint8_t)0xB2U, (uint8_t)0xC8U, (uint8_t)0xE3U, (uint8_t)0xFBU, + (uint8_t)0xB9U, (uint8_t)0x6AU, (uint8_t)0xDAU, (uint8_t)0xB7U, (uint8_t)0x60U, (uint8_t)0xD7U, + (uint8_t)0xF4U, (uint8_t)0x68U, (uint8_t)0x1DU, (uint8_t)0x4FU, (uint8_t)0x42U, (uint8_t)0xA3U, + (uint8_t)0xDEU, (uint8_t)0x39U, (uint8_t)0x4DU, (uint8_t)0xF4U, (uint8_t)0xAEU, (uint8_t)0x56U, + (uint8_t)0xEDU, (uint8_t)0xE7U, (uint8_t)0x63U, (uint8_t)0x72U, (uint8_t)0xBBU, (uint8_t)0x19U, + (uint8_t)0x0BU, (uint8_t)0x07U, (uint8_t)0xA7U, (uint8_t)0xC8U, (uint8_t)0xEEU, (uint8_t)0x0AU, + 
(uint8_t)0x6DU, (uint8_t)0x70U, (uint8_t)0x9EU, (uint8_t)0x02U, (uint8_t)0xFCU, (uint8_t)0xE1U, + (uint8_t)0xCDU, (uint8_t)0xF7U, (uint8_t)0xE2U, (uint8_t)0xECU, (uint8_t)0xC0U, (uint8_t)0x34U, + (uint8_t)0x04U, (uint8_t)0xCDU, (uint8_t)0x28U, (uint8_t)0x34U, (uint8_t)0x2FU, (uint8_t)0x61U, + (uint8_t)0x91U, (uint8_t)0x72U, (uint8_t)0xFEU, (uint8_t)0x9CU, (uint8_t)0xE9U, (uint8_t)0x85U, + (uint8_t)0x83U, (uint8_t)0xFFU, (uint8_t)0x8EU, (uint8_t)0x4FU, (uint8_t)0x12U, (uint8_t)0x32U, + (uint8_t)0xEEU, (uint8_t)0xF2U, (uint8_t)0x81U, (uint8_t)0x83U, (uint8_t)0xC3U, (uint8_t)0xFEU, + (uint8_t)0x3BU, (uint8_t)0x1BU, (uint8_t)0x4CU, (uint8_t)0x6FU, (uint8_t)0xADU, (uint8_t)0x73U, + (uint8_t)0x3BU, (uint8_t)0xB5U, (uint8_t)0xFCU, (uint8_t)0xBCU, (uint8_t)0x2EU, (uint8_t)0xC2U, + (uint8_t)0x20U, (uint8_t)0x05U, (uint8_t)0xC5U, (uint8_t)0x8EU, (uint8_t)0xF1U, (uint8_t)0x83U, + (uint8_t)0x7DU, (uint8_t)0x16U, (uint8_t)0x83U, (uint8_t)0xB2U, (uint8_t)0xC6U, (uint8_t)0xF3U, + (uint8_t)0x4AU, (uint8_t)0x26U, (uint8_t)0xC1U, (uint8_t)0xB2U, (uint8_t)0xEFU, (uint8_t)0xFAU, + (uint8_t)0x88U, (uint8_t)0x6BU, (uint8_t)0x42U, (uint8_t)0x38U, (uint8_t)0x61U, (uint8_t)0x1FU, + (uint8_t)0xCFU, (uint8_t)0xDCU, (uint8_t)0xDEU, (uint8_t)0x35U, (uint8_t)0x5BU, (uint8_t)0x3BU, + (uint8_t)0x65U, (uint8_t)0x19U, (uint8_t)0x03U, (uint8_t)0x5BU, (uint8_t)0xBCU, (uint8_t)0x34U, + (uint8_t)0xF4U, (uint8_t)0xDEU, (uint8_t)0xF9U, (uint8_t)0x9CU, (uint8_t)0x02U, (uint8_t)0x38U, + (uint8_t)0x61U, (uint8_t)0xB4U, (uint8_t)0x6FU, (uint8_t)0xC9U, (uint8_t)0xD6U, (uint8_t)0xE6U, + (uint8_t)0xC9U, (uint8_t)0x07U, (uint8_t)0x7AU, (uint8_t)0xD9U, (uint8_t)0x1DU, (uint8_t)0x26U, + (uint8_t)0x91U, (uint8_t)0xF7U, (uint8_t)0xF7U, (uint8_t)0xEEU, (uint8_t)0x59U, (uint8_t)0x8CU, + (uint8_t)0xB0U, (uint8_t)0xFAU, (uint8_t)0xC1U, (uint8_t)0x86U, (uint8_t)0xD9U, (uint8_t)0x1CU, + (uint8_t)0xAEU, (uint8_t)0xFEU, (uint8_t)0x13U, (uint8_t)0x09U, (uint8_t)0x85U, (uint8_t)0x13U, + (uint8_t)0x92U, (uint8_t)0x70U, 
(uint8_t)0xB4U, (uint8_t)0x13U, (uint8_t)0x0CU, (uint8_t)0x93U, + (uint8_t)0xBCU, (uint8_t)0x43U, (uint8_t)0x79U, (uint8_t)0x44U, (uint8_t)0xF4U, (uint8_t)0xFDU, + (uint8_t)0x44U, (uint8_t)0x52U, (uint8_t)0xE2U, (uint8_t)0xD7U, (uint8_t)0x4DU, (uint8_t)0xD3U, + (uint8_t)0x64U, (uint8_t)0xF2U, (uint8_t)0xE2U, (uint8_t)0x1EU, (uint8_t)0x71U, (uint8_t)0xF5U, + (uint8_t)0x4BU, (uint8_t)0xFFU, (uint8_t)0x5CU, (uint8_t)0xAEU, (uint8_t)0x82U, (uint8_t)0xABU, + (uint8_t)0x9CU, (uint8_t)0x9DU, (uint8_t)0xF6U, (uint8_t)0x9EU, (uint8_t)0xE8U, (uint8_t)0x6DU, + (uint8_t)0x2BU, (uint8_t)0xC5U, (uint8_t)0x22U, (uint8_t)0x36U, (uint8_t)0x3AU, (uint8_t)0x0DU, + (uint8_t)0xABU, (uint8_t)0xC5U, (uint8_t)0x21U, (uint8_t)0x97U, (uint8_t)0x9BU, (uint8_t)0x0DU, + (uint8_t)0xEAU, (uint8_t)0xDAU, (uint8_t)0x1DU, (uint8_t)0xBFU, (uint8_t)0x9AU, (uint8_t)0x42U, + (uint8_t)0xD5U, (uint8_t)0xC4U, (uint8_t)0x48U, (uint8_t)0x4EU, (uint8_t)0x0AU, (uint8_t)0xBCU, + (uint8_t)0xD0U, (uint8_t)0x6BU, (uint8_t)0xFAU, (uint8_t)0x53U, (uint8_t)0xDDU, (uint8_t)0xEFU, + (uint8_t)0x3CU, (uint8_t)0x1BU, (uint8_t)0x20U, (uint8_t)0xEEU, (uint8_t)0x3FU, (uint8_t)0xD5U, + (uint8_t)0x9DU, (uint8_t)0x7CU, (uint8_t)0x25U, (uint8_t)0xE4U, (uint8_t)0x1DU, (uint8_t)0x2BU, + (uint8_t)0x66U, (uint8_t)0x9EU, (uint8_t)0x1EU, (uint8_t)0xF1U, (uint8_t)0x6EU, (uint8_t)0x6FU, + (uint8_t)0x52U, (uint8_t)0xC3U, (uint8_t)0x16U, (uint8_t)0x4DU, (uint8_t)0xF4U, (uint8_t)0xFBU, + (uint8_t)0x79U, (uint8_t)0x30U, (uint8_t)0xE9U, (uint8_t)0xE4U, (uint8_t)0xE5U, (uint8_t)0x88U, + (uint8_t)0x57U, (uint8_t)0xB6U, (uint8_t)0xACU, (uint8_t)0x7DU, (uint8_t)0x5FU, (uint8_t)0x42U, + (uint8_t)0xD6U, (uint8_t)0x9FU, (uint8_t)0x6DU, (uint8_t)0x18U, (uint8_t)0x77U, (uint8_t)0x63U, + (uint8_t)0xCFU, (uint8_t)0x1DU, (uint8_t)0x55U, (uint8_t)0x03U, (uint8_t)0x40U, (uint8_t)0x04U, + (uint8_t)0x87U, (uint8_t)0xF5U, (uint8_t)0x5BU, (uint8_t)0xA5U, (uint8_t)0x7EU, (uint8_t)0x31U, + (uint8_t)0xCCU, (uint8_t)0x7AU, (uint8_t)0x71U, (uint8_t)0x35U, 
(uint8_t)0xC8U, (uint8_t)0x86U, + (uint8_t)0xEFU, (uint8_t)0xB4U, (uint8_t)0x31U, (uint8_t)0x8AU, (uint8_t)0xEDU, (uint8_t)0x6AU, + (uint8_t)0x1EU, (uint8_t)0x01U, (uint8_t)0x2DU, (uint8_t)0x9EU, (uint8_t)0x68U, (uint8_t)0x32U, + (uint8_t)0xA9U, (uint8_t)0x07U, (uint8_t)0x60U, (uint8_t)0x0AU, (uint8_t)0x91U, (uint8_t)0x81U, + (uint8_t)0x30U, (uint8_t)0xC4U, (uint8_t)0x6DU, (uint8_t)0xC7U, (uint8_t)0x78U, (uint8_t)0xF9U, + (uint8_t)0x71U, (uint8_t)0xADU, (uint8_t)0x00U, (uint8_t)0x38U, (uint8_t)0x09U, (uint8_t)0x29U, + (uint8_t)0x99U, (uint8_t)0xA3U, (uint8_t)0x33U, (uint8_t)0xCBU, (uint8_t)0x8BU, (uint8_t)0x7AU, + (uint8_t)0x1AU, (uint8_t)0x1DU, (uint8_t)0xB9U, (uint8_t)0x3DU, (uint8_t)0x71U, (uint8_t)0x40U, + (uint8_t)0x00U, (uint8_t)0x3CU, (uint8_t)0x2AU, (uint8_t)0x4EU, (uint8_t)0xCEU, (uint8_t)0xA9U, + (uint8_t)0xF9U, (uint8_t)0x8DU, (uint8_t)0x0AU, (uint8_t)0xCCU, (uint8_t)0x0AU, (uint8_t)0x82U, + (uint8_t)0x91U, (uint8_t)0xCDU, (uint8_t)0xCEU, (uint8_t)0xC9U, (uint8_t)0x7DU, (uint8_t)0xCFU, + (uint8_t)0x8EU, (uint8_t)0xC9U, (uint8_t)0xB5U, (uint8_t)0x5AU, (uint8_t)0x7FU, (uint8_t)0x88U, + (uint8_t)0xA4U, (uint8_t)0x6BU, (uint8_t)0x4DU, (uint8_t)0xB5U, (uint8_t)0xA8U, (uint8_t)0x51U, + (uint8_t)0xF4U, (uint8_t)0x41U, (uint8_t)0x82U, (uint8_t)0xE1U, (uint8_t)0xC6U, (uint8_t)0x8AU, + (uint8_t)0x00U, (uint8_t)0x7EU, (uint8_t)0x5EU, (uint8_t)0x65U, (uint8_t)0x5FU, (uint8_t)0x6AU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU + }; + +static const +uint8_t +Hacl_Impl_FFDHE_Constants_ffdhe_p6144[768U] = + { + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xADU, (uint8_t)0xF8U, (uint8_t)0x54U, (uint8_t)0x58U, + (uint8_t)0xA2U, (uint8_t)0xBBU, (uint8_t)0x4AU, (uint8_t)0x9AU, (uint8_t)0xAFU, (uint8_t)0xDCU, + (uint8_t)0x56U, (uint8_t)0x20U, (uint8_t)0x27U, (uint8_t)0x3DU, (uint8_t)0x3CU, 
(uint8_t)0xF1U, + (uint8_t)0xD8U, (uint8_t)0xB9U, (uint8_t)0xC5U, (uint8_t)0x83U, (uint8_t)0xCEU, (uint8_t)0x2DU, + (uint8_t)0x36U, (uint8_t)0x95U, (uint8_t)0xA9U, (uint8_t)0xE1U, (uint8_t)0x36U, (uint8_t)0x41U, + (uint8_t)0x14U, (uint8_t)0x64U, (uint8_t)0x33U, (uint8_t)0xFBU, (uint8_t)0xCCU, (uint8_t)0x93U, + (uint8_t)0x9DU, (uint8_t)0xCEU, (uint8_t)0x24U, (uint8_t)0x9BU, (uint8_t)0x3EU, (uint8_t)0xF9U, + (uint8_t)0x7DU, (uint8_t)0x2FU, (uint8_t)0xE3U, (uint8_t)0x63U, (uint8_t)0x63U, (uint8_t)0x0CU, + (uint8_t)0x75U, (uint8_t)0xD8U, (uint8_t)0xF6U, (uint8_t)0x81U, (uint8_t)0xB2U, (uint8_t)0x02U, + (uint8_t)0xAEU, (uint8_t)0xC4U, (uint8_t)0x61U, (uint8_t)0x7AU, (uint8_t)0xD3U, (uint8_t)0xDFU, + (uint8_t)0x1EU, (uint8_t)0xD5U, (uint8_t)0xD5U, (uint8_t)0xFDU, (uint8_t)0x65U, (uint8_t)0x61U, + (uint8_t)0x24U, (uint8_t)0x33U, (uint8_t)0xF5U, (uint8_t)0x1FU, (uint8_t)0x5FU, (uint8_t)0x06U, + (uint8_t)0x6EU, (uint8_t)0xD0U, (uint8_t)0x85U, (uint8_t)0x63U, (uint8_t)0x65U, (uint8_t)0x55U, + (uint8_t)0x3DU, (uint8_t)0xEDU, (uint8_t)0x1AU, (uint8_t)0xF3U, (uint8_t)0xB5U, (uint8_t)0x57U, + (uint8_t)0x13U, (uint8_t)0x5EU, (uint8_t)0x7FU, (uint8_t)0x57U, (uint8_t)0xC9U, (uint8_t)0x35U, + (uint8_t)0x98U, (uint8_t)0x4FU, (uint8_t)0x0CU, (uint8_t)0x70U, (uint8_t)0xE0U, (uint8_t)0xE6U, + (uint8_t)0x8BU, (uint8_t)0x77U, (uint8_t)0xE2U, (uint8_t)0xA6U, (uint8_t)0x89U, (uint8_t)0xDAU, + (uint8_t)0xF3U, (uint8_t)0xEFU, (uint8_t)0xE8U, (uint8_t)0x72U, (uint8_t)0x1DU, (uint8_t)0xF1U, + (uint8_t)0x58U, (uint8_t)0xA1U, (uint8_t)0x36U, (uint8_t)0xADU, (uint8_t)0xE7U, (uint8_t)0x35U, + (uint8_t)0x30U, (uint8_t)0xACU, (uint8_t)0xCAU, (uint8_t)0x4FU, (uint8_t)0x48U, (uint8_t)0x3AU, + (uint8_t)0x79U, (uint8_t)0x7AU, (uint8_t)0xBCU, (uint8_t)0x0AU, (uint8_t)0xB1U, (uint8_t)0x82U, + (uint8_t)0xB3U, (uint8_t)0x24U, (uint8_t)0xFBU, (uint8_t)0x61U, (uint8_t)0xD1U, (uint8_t)0x08U, + (uint8_t)0xA9U, (uint8_t)0x4BU, (uint8_t)0xB2U, (uint8_t)0xC8U, (uint8_t)0xE3U, (uint8_t)0xFBU, + (uint8_t)0xB9U, 
(uint8_t)0x6AU, (uint8_t)0xDAU, (uint8_t)0xB7U, (uint8_t)0x60U, (uint8_t)0xD7U, + (uint8_t)0xF4U, (uint8_t)0x68U, (uint8_t)0x1DU, (uint8_t)0x4FU, (uint8_t)0x42U, (uint8_t)0xA3U, + (uint8_t)0xDEU, (uint8_t)0x39U, (uint8_t)0x4DU, (uint8_t)0xF4U, (uint8_t)0xAEU, (uint8_t)0x56U, + (uint8_t)0xEDU, (uint8_t)0xE7U, (uint8_t)0x63U, (uint8_t)0x72U, (uint8_t)0xBBU, (uint8_t)0x19U, + (uint8_t)0x0BU, (uint8_t)0x07U, (uint8_t)0xA7U, (uint8_t)0xC8U, (uint8_t)0xEEU, (uint8_t)0x0AU, + (uint8_t)0x6DU, (uint8_t)0x70U, (uint8_t)0x9EU, (uint8_t)0x02U, (uint8_t)0xFCU, (uint8_t)0xE1U, + (uint8_t)0xCDU, (uint8_t)0xF7U, (uint8_t)0xE2U, (uint8_t)0xECU, (uint8_t)0xC0U, (uint8_t)0x34U, + (uint8_t)0x04U, (uint8_t)0xCDU, (uint8_t)0x28U, (uint8_t)0x34U, (uint8_t)0x2FU, (uint8_t)0x61U, + (uint8_t)0x91U, (uint8_t)0x72U, (uint8_t)0xFEU, (uint8_t)0x9CU, (uint8_t)0xE9U, (uint8_t)0x85U, + (uint8_t)0x83U, (uint8_t)0xFFU, (uint8_t)0x8EU, (uint8_t)0x4FU, (uint8_t)0x12U, (uint8_t)0x32U, + (uint8_t)0xEEU, (uint8_t)0xF2U, (uint8_t)0x81U, (uint8_t)0x83U, (uint8_t)0xC3U, (uint8_t)0xFEU, + (uint8_t)0x3BU, (uint8_t)0x1BU, (uint8_t)0x4CU, (uint8_t)0x6FU, (uint8_t)0xADU, (uint8_t)0x73U, + (uint8_t)0x3BU, (uint8_t)0xB5U, (uint8_t)0xFCU, (uint8_t)0xBCU, (uint8_t)0x2EU, (uint8_t)0xC2U, + (uint8_t)0x20U, (uint8_t)0x05U, (uint8_t)0xC5U, (uint8_t)0x8EU, (uint8_t)0xF1U, (uint8_t)0x83U, + (uint8_t)0x7DU, (uint8_t)0x16U, (uint8_t)0x83U, (uint8_t)0xB2U, (uint8_t)0xC6U, (uint8_t)0xF3U, + (uint8_t)0x4AU, (uint8_t)0x26U, (uint8_t)0xC1U, (uint8_t)0xB2U, (uint8_t)0xEFU, (uint8_t)0xFAU, + (uint8_t)0x88U, (uint8_t)0x6BU, (uint8_t)0x42U, (uint8_t)0x38U, (uint8_t)0x61U, (uint8_t)0x1FU, + (uint8_t)0xCFU, (uint8_t)0xDCU, (uint8_t)0xDEU, (uint8_t)0x35U, (uint8_t)0x5BU, (uint8_t)0x3BU, + (uint8_t)0x65U, (uint8_t)0x19U, (uint8_t)0x03U, (uint8_t)0x5BU, (uint8_t)0xBCU, (uint8_t)0x34U, + (uint8_t)0xF4U, (uint8_t)0xDEU, (uint8_t)0xF9U, (uint8_t)0x9CU, (uint8_t)0x02U, (uint8_t)0x38U, + (uint8_t)0x61U, (uint8_t)0xB4U, (uint8_t)0x6FU, 
(uint8_t)0xC9U, (uint8_t)0xD6U, (uint8_t)0xE6U, + (uint8_t)0xC9U, (uint8_t)0x07U, (uint8_t)0x7AU, (uint8_t)0xD9U, (uint8_t)0x1DU, (uint8_t)0x26U, + (uint8_t)0x91U, (uint8_t)0xF7U, (uint8_t)0xF7U, (uint8_t)0xEEU, (uint8_t)0x59U, (uint8_t)0x8CU, + (uint8_t)0xB0U, (uint8_t)0xFAU, (uint8_t)0xC1U, (uint8_t)0x86U, (uint8_t)0xD9U, (uint8_t)0x1CU, + (uint8_t)0xAEU, (uint8_t)0xFEU, (uint8_t)0x13U, (uint8_t)0x09U, (uint8_t)0x85U, (uint8_t)0x13U, + (uint8_t)0x92U, (uint8_t)0x70U, (uint8_t)0xB4U, (uint8_t)0x13U, (uint8_t)0x0CU, (uint8_t)0x93U, + (uint8_t)0xBCU, (uint8_t)0x43U, (uint8_t)0x79U, (uint8_t)0x44U, (uint8_t)0xF4U, (uint8_t)0xFDU, + (uint8_t)0x44U, (uint8_t)0x52U, (uint8_t)0xE2U, (uint8_t)0xD7U, (uint8_t)0x4DU, (uint8_t)0xD3U, + (uint8_t)0x64U, (uint8_t)0xF2U, (uint8_t)0xE2U, (uint8_t)0x1EU, (uint8_t)0x71U, (uint8_t)0xF5U, + (uint8_t)0x4BU, (uint8_t)0xFFU, (uint8_t)0x5CU, (uint8_t)0xAEU, (uint8_t)0x82U, (uint8_t)0xABU, + (uint8_t)0x9CU, (uint8_t)0x9DU, (uint8_t)0xF6U, (uint8_t)0x9EU, (uint8_t)0xE8U, (uint8_t)0x6DU, + (uint8_t)0x2BU, (uint8_t)0xC5U, (uint8_t)0x22U, (uint8_t)0x36U, (uint8_t)0x3AU, (uint8_t)0x0DU, + (uint8_t)0xABU, (uint8_t)0xC5U, (uint8_t)0x21U, (uint8_t)0x97U, (uint8_t)0x9BU, (uint8_t)0x0DU, + (uint8_t)0xEAU, (uint8_t)0xDAU, (uint8_t)0x1DU, (uint8_t)0xBFU, (uint8_t)0x9AU, (uint8_t)0x42U, + (uint8_t)0xD5U, (uint8_t)0xC4U, (uint8_t)0x48U, (uint8_t)0x4EU, (uint8_t)0x0AU, (uint8_t)0xBCU, + (uint8_t)0xD0U, (uint8_t)0x6BU, (uint8_t)0xFAU, (uint8_t)0x53U, (uint8_t)0xDDU, (uint8_t)0xEFU, + (uint8_t)0x3CU, (uint8_t)0x1BU, (uint8_t)0x20U, (uint8_t)0xEEU, (uint8_t)0x3FU, (uint8_t)0xD5U, + (uint8_t)0x9DU, (uint8_t)0x7CU, (uint8_t)0x25U, (uint8_t)0xE4U, (uint8_t)0x1DU, (uint8_t)0x2BU, + (uint8_t)0x66U, (uint8_t)0x9EU, (uint8_t)0x1EU, (uint8_t)0xF1U, (uint8_t)0x6EU, (uint8_t)0x6FU, + (uint8_t)0x52U, (uint8_t)0xC3U, (uint8_t)0x16U, (uint8_t)0x4DU, (uint8_t)0xF4U, (uint8_t)0xFBU, + (uint8_t)0x79U, (uint8_t)0x30U, (uint8_t)0xE9U, (uint8_t)0xE4U, (uint8_t)0xE5U, 
(uint8_t)0x88U, + (uint8_t)0x57U, (uint8_t)0xB6U, (uint8_t)0xACU, (uint8_t)0x7DU, (uint8_t)0x5FU, (uint8_t)0x42U, + (uint8_t)0xD6U, (uint8_t)0x9FU, (uint8_t)0x6DU, (uint8_t)0x18U, (uint8_t)0x77U, (uint8_t)0x63U, + (uint8_t)0xCFU, (uint8_t)0x1DU, (uint8_t)0x55U, (uint8_t)0x03U, (uint8_t)0x40U, (uint8_t)0x04U, + (uint8_t)0x87U, (uint8_t)0xF5U, (uint8_t)0x5BU, (uint8_t)0xA5U, (uint8_t)0x7EU, (uint8_t)0x31U, + (uint8_t)0xCCU, (uint8_t)0x7AU, (uint8_t)0x71U, (uint8_t)0x35U, (uint8_t)0xC8U, (uint8_t)0x86U, + (uint8_t)0xEFU, (uint8_t)0xB4U, (uint8_t)0x31U, (uint8_t)0x8AU, (uint8_t)0xEDU, (uint8_t)0x6AU, + (uint8_t)0x1EU, (uint8_t)0x01U, (uint8_t)0x2DU, (uint8_t)0x9EU, (uint8_t)0x68U, (uint8_t)0x32U, + (uint8_t)0xA9U, (uint8_t)0x07U, (uint8_t)0x60U, (uint8_t)0x0AU, (uint8_t)0x91U, (uint8_t)0x81U, + (uint8_t)0x30U, (uint8_t)0xC4U, (uint8_t)0x6DU, (uint8_t)0xC7U, (uint8_t)0x78U, (uint8_t)0xF9U, + (uint8_t)0x71U, (uint8_t)0xADU, (uint8_t)0x00U, (uint8_t)0x38U, (uint8_t)0x09U, (uint8_t)0x29U, + (uint8_t)0x99U, (uint8_t)0xA3U, (uint8_t)0x33U, (uint8_t)0xCBU, (uint8_t)0x8BU, (uint8_t)0x7AU, + (uint8_t)0x1AU, (uint8_t)0x1DU, (uint8_t)0xB9U, (uint8_t)0x3DU, (uint8_t)0x71U, (uint8_t)0x40U, + (uint8_t)0x00U, (uint8_t)0x3CU, (uint8_t)0x2AU, (uint8_t)0x4EU, (uint8_t)0xCEU, (uint8_t)0xA9U, + (uint8_t)0xF9U, (uint8_t)0x8DU, (uint8_t)0x0AU, (uint8_t)0xCCU, (uint8_t)0x0AU, (uint8_t)0x82U, + (uint8_t)0x91U, (uint8_t)0xCDU, (uint8_t)0xCEU, (uint8_t)0xC9U, (uint8_t)0x7DU, (uint8_t)0xCFU, + (uint8_t)0x8EU, (uint8_t)0xC9U, (uint8_t)0xB5U, (uint8_t)0x5AU, (uint8_t)0x7FU, (uint8_t)0x88U, + (uint8_t)0xA4U, (uint8_t)0x6BU, (uint8_t)0x4DU, (uint8_t)0xB5U, (uint8_t)0xA8U, (uint8_t)0x51U, + (uint8_t)0xF4U, (uint8_t)0x41U, (uint8_t)0x82U, (uint8_t)0xE1U, (uint8_t)0xC6U, (uint8_t)0x8AU, + (uint8_t)0x00U, (uint8_t)0x7EU, (uint8_t)0x5EU, (uint8_t)0x0DU, (uint8_t)0xD9U, (uint8_t)0x02U, + (uint8_t)0x0BU, (uint8_t)0xFDU, (uint8_t)0x64U, (uint8_t)0xB6U, (uint8_t)0x45U, (uint8_t)0x03U, + (uint8_t)0x6CU, 
(uint8_t)0x7AU, (uint8_t)0x4EU, (uint8_t)0x67U, (uint8_t)0x7DU, (uint8_t)0x2CU, + (uint8_t)0x38U, (uint8_t)0x53U, (uint8_t)0x2AU, (uint8_t)0x3AU, (uint8_t)0x23U, (uint8_t)0xBAU, + (uint8_t)0x44U, (uint8_t)0x42U, (uint8_t)0xCAU, (uint8_t)0xF5U, (uint8_t)0x3EU, (uint8_t)0xA6U, + (uint8_t)0x3BU, (uint8_t)0xB4U, (uint8_t)0x54U, (uint8_t)0x32U, (uint8_t)0x9BU, (uint8_t)0x76U, + (uint8_t)0x24U, (uint8_t)0xC8U, (uint8_t)0x91U, (uint8_t)0x7BU, (uint8_t)0xDDU, (uint8_t)0x64U, + (uint8_t)0xB1U, (uint8_t)0xC0U, (uint8_t)0xFDU, (uint8_t)0x4CU, (uint8_t)0xB3U, (uint8_t)0x8EU, + (uint8_t)0x8CU, (uint8_t)0x33U, (uint8_t)0x4CU, (uint8_t)0x70U, (uint8_t)0x1CU, (uint8_t)0x3AU, + (uint8_t)0xCDU, (uint8_t)0xADU, (uint8_t)0x06U, (uint8_t)0x57U, (uint8_t)0xFCU, (uint8_t)0xCFU, + (uint8_t)0xECU, (uint8_t)0x71U, (uint8_t)0x9BU, (uint8_t)0x1FU, (uint8_t)0x5CU, (uint8_t)0x3EU, + (uint8_t)0x4EU, (uint8_t)0x46U, (uint8_t)0x04U, (uint8_t)0x1FU, (uint8_t)0x38U, (uint8_t)0x81U, + (uint8_t)0x47U, (uint8_t)0xFBU, (uint8_t)0x4CU, (uint8_t)0xFDU, (uint8_t)0xB4U, (uint8_t)0x77U, + (uint8_t)0xA5U, (uint8_t)0x24U, (uint8_t)0x71U, (uint8_t)0xF7U, (uint8_t)0xA9U, (uint8_t)0xA9U, + (uint8_t)0x69U, (uint8_t)0x10U, (uint8_t)0xB8U, (uint8_t)0x55U, (uint8_t)0x32U, (uint8_t)0x2EU, + (uint8_t)0xDBU, (uint8_t)0x63U, (uint8_t)0x40U, (uint8_t)0xD8U, (uint8_t)0xA0U, (uint8_t)0x0EU, + (uint8_t)0xF0U, (uint8_t)0x92U, (uint8_t)0x35U, (uint8_t)0x05U, (uint8_t)0x11U, (uint8_t)0xE3U, + (uint8_t)0x0AU, (uint8_t)0xBEU, (uint8_t)0xC1U, (uint8_t)0xFFU, (uint8_t)0xF9U, (uint8_t)0xE3U, + (uint8_t)0xA2U, (uint8_t)0x6EU, (uint8_t)0x7FU, (uint8_t)0xB2U, (uint8_t)0x9FU, (uint8_t)0x8CU, + (uint8_t)0x18U, (uint8_t)0x30U, (uint8_t)0x23U, (uint8_t)0xC3U, (uint8_t)0x58U, (uint8_t)0x7EU, + (uint8_t)0x38U, (uint8_t)0xDAU, (uint8_t)0x00U, (uint8_t)0x77U, (uint8_t)0xD9U, (uint8_t)0xB4U, + (uint8_t)0x76U, (uint8_t)0x3EU, (uint8_t)0x4EU, (uint8_t)0x4BU, (uint8_t)0x94U, (uint8_t)0xB2U, + (uint8_t)0xBBU, (uint8_t)0xC1U, (uint8_t)0x94U, 
(uint8_t)0xC6U, (uint8_t)0x65U, (uint8_t)0x1EU, + (uint8_t)0x77U, (uint8_t)0xCAU, (uint8_t)0xF9U, (uint8_t)0x92U, (uint8_t)0xEEU, (uint8_t)0xAAU, + (uint8_t)0xC0U, (uint8_t)0x23U, (uint8_t)0x2AU, (uint8_t)0x28U, (uint8_t)0x1BU, (uint8_t)0xF6U, + (uint8_t)0xB3U, (uint8_t)0xA7U, (uint8_t)0x39U, (uint8_t)0xC1U, (uint8_t)0x22U, (uint8_t)0x61U, + (uint8_t)0x16U, (uint8_t)0x82U, (uint8_t)0x0AU, (uint8_t)0xE8U, (uint8_t)0xDBU, (uint8_t)0x58U, + (uint8_t)0x47U, (uint8_t)0xA6U, (uint8_t)0x7CU, (uint8_t)0xBEU, (uint8_t)0xF9U, (uint8_t)0xC9U, + (uint8_t)0x09U, (uint8_t)0x1BU, (uint8_t)0x46U, (uint8_t)0x2DU, (uint8_t)0x53U, (uint8_t)0x8CU, + (uint8_t)0xD7U, (uint8_t)0x2BU, (uint8_t)0x03U, (uint8_t)0x74U, (uint8_t)0x6AU, (uint8_t)0xE7U, + (uint8_t)0x7FU, (uint8_t)0x5EU, (uint8_t)0x62U, (uint8_t)0x29U, (uint8_t)0x2CU, (uint8_t)0x31U, + (uint8_t)0x15U, (uint8_t)0x62U, (uint8_t)0xA8U, (uint8_t)0x46U, (uint8_t)0x50U, (uint8_t)0x5DU, + (uint8_t)0xC8U, (uint8_t)0x2DU, (uint8_t)0xB8U, (uint8_t)0x54U, (uint8_t)0x33U, (uint8_t)0x8AU, + (uint8_t)0xE4U, (uint8_t)0x9FU, (uint8_t)0x52U, (uint8_t)0x35U, (uint8_t)0xC9U, (uint8_t)0x5BU, + (uint8_t)0x91U, (uint8_t)0x17U, (uint8_t)0x8CU, (uint8_t)0xCFU, (uint8_t)0x2DU, (uint8_t)0xD5U, + (uint8_t)0xCAU, (uint8_t)0xCEU, (uint8_t)0xF4U, (uint8_t)0x03U, (uint8_t)0xECU, (uint8_t)0x9DU, + (uint8_t)0x18U, (uint8_t)0x10U, (uint8_t)0xC6U, (uint8_t)0x27U, (uint8_t)0x2BU, (uint8_t)0x04U, + (uint8_t)0x5BU, (uint8_t)0x3BU, (uint8_t)0x71U, (uint8_t)0xF9U, (uint8_t)0xDCU, (uint8_t)0x6BU, + (uint8_t)0x80U, (uint8_t)0xD6U, (uint8_t)0x3FU, (uint8_t)0xDDU, (uint8_t)0x4AU, (uint8_t)0x8EU, + (uint8_t)0x9AU, (uint8_t)0xDBU, (uint8_t)0x1EU, (uint8_t)0x69U, (uint8_t)0x62U, (uint8_t)0xA6U, + (uint8_t)0x95U, (uint8_t)0x26U, (uint8_t)0xD4U, (uint8_t)0x31U, (uint8_t)0x61U, (uint8_t)0xC1U, + (uint8_t)0xA4U, (uint8_t)0x1DU, (uint8_t)0x57U, (uint8_t)0x0DU, (uint8_t)0x79U, (uint8_t)0x38U, + (uint8_t)0xDAU, (uint8_t)0xD4U, (uint8_t)0xA4U, (uint8_t)0x0EU, (uint8_t)0x32U, 
(uint8_t)0x9CU, + (uint8_t)0xD0U, (uint8_t)0xE4U, (uint8_t)0x0EU, (uint8_t)0x65U, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU + }; + +static const +uint8_t +Hacl_Impl_FFDHE_Constants_ffdhe_p8192[1024U] = + { + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xADU, (uint8_t)0xF8U, (uint8_t)0x54U, (uint8_t)0x58U, + (uint8_t)0xA2U, (uint8_t)0xBBU, (uint8_t)0x4AU, (uint8_t)0x9AU, (uint8_t)0xAFU, (uint8_t)0xDCU, + (uint8_t)0x56U, (uint8_t)0x20U, (uint8_t)0x27U, (uint8_t)0x3DU, (uint8_t)0x3CU, (uint8_t)0xF1U, + (uint8_t)0xD8U, (uint8_t)0xB9U, (uint8_t)0xC5U, (uint8_t)0x83U, (uint8_t)0xCEU, (uint8_t)0x2DU, + (uint8_t)0x36U, (uint8_t)0x95U, (uint8_t)0xA9U, (uint8_t)0xE1U, (uint8_t)0x36U, (uint8_t)0x41U, + (uint8_t)0x14U, (uint8_t)0x64U, (uint8_t)0x33U, (uint8_t)0xFBU, (uint8_t)0xCCU, (uint8_t)0x93U, + (uint8_t)0x9DU, (uint8_t)0xCEU, (uint8_t)0x24U, (uint8_t)0x9BU, (uint8_t)0x3EU, (uint8_t)0xF9U, + (uint8_t)0x7DU, (uint8_t)0x2FU, (uint8_t)0xE3U, (uint8_t)0x63U, (uint8_t)0x63U, (uint8_t)0x0CU, + (uint8_t)0x75U, (uint8_t)0xD8U, (uint8_t)0xF6U, (uint8_t)0x81U, (uint8_t)0xB2U, (uint8_t)0x02U, + (uint8_t)0xAEU, (uint8_t)0xC4U, (uint8_t)0x61U, (uint8_t)0x7AU, (uint8_t)0xD3U, (uint8_t)0xDFU, + (uint8_t)0x1EU, (uint8_t)0xD5U, (uint8_t)0xD5U, (uint8_t)0xFDU, (uint8_t)0x65U, (uint8_t)0x61U, + (uint8_t)0x24U, (uint8_t)0x33U, (uint8_t)0xF5U, (uint8_t)0x1FU, (uint8_t)0x5FU, (uint8_t)0x06U, + (uint8_t)0x6EU, (uint8_t)0xD0U, (uint8_t)0x85U, (uint8_t)0x63U, (uint8_t)0x65U, (uint8_t)0x55U, + (uint8_t)0x3DU, (uint8_t)0xEDU, (uint8_t)0x1AU, (uint8_t)0xF3U, (uint8_t)0xB5U, (uint8_t)0x57U, + (uint8_t)0x13U, (uint8_t)0x5EU, (uint8_t)0x7FU, (uint8_t)0x57U, (uint8_t)0xC9U, (uint8_t)0x35U, + (uint8_t)0x98U, (uint8_t)0x4FU, (uint8_t)0x0CU, (uint8_t)0x70U, (uint8_t)0xE0U, (uint8_t)0xE6U, + (uint8_t)0x8BU, (uint8_t)0x77U, 
(uint8_t)0xE2U, (uint8_t)0xA6U, (uint8_t)0x89U, (uint8_t)0xDAU, + (uint8_t)0xF3U, (uint8_t)0xEFU, (uint8_t)0xE8U, (uint8_t)0x72U, (uint8_t)0x1DU, (uint8_t)0xF1U, + (uint8_t)0x58U, (uint8_t)0xA1U, (uint8_t)0x36U, (uint8_t)0xADU, (uint8_t)0xE7U, (uint8_t)0x35U, + (uint8_t)0x30U, (uint8_t)0xACU, (uint8_t)0xCAU, (uint8_t)0x4FU, (uint8_t)0x48U, (uint8_t)0x3AU, + (uint8_t)0x79U, (uint8_t)0x7AU, (uint8_t)0xBCU, (uint8_t)0x0AU, (uint8_t)0xB1U, (uint8_t)0x82U, + (uint8_t)0xB3U, (uint8_t)0x24U, (uint8_t)0xFBU, (uint8_t)0x61U, (uint8_t)0xD1U, (uint8_t)0x08U, + (uint8_t)0xA9U, (uint8_t)0x4BU, (uint8_t)0xB2U, (uint8_t)0xC8U, (uint8_t)0xE3U, (uint8_t)0xFBU, + (uint8_t)0xB9U, (uint8_t)0x6AU, (uint8_t)0xDAU, (uint8_t)0xB7U, (uint8_t)0x60U, (uint8_t)0xD7U, + (uint8_t)0xF4U, (uint8_t)0x68U, (uint8_t)0x1DU, (uint8_t)0x4FU, (uint8_t)0x42U, (uint8_t)0xA3U, + (uint8_t)0xDEU, (uint8_t)0x39U, (uint8_t)0x4DU, (uint8_t)0xF4U, (uint8_t)0xAEU, (uint8_t)0x56U, + (uint8_t)0xEDU, (uint8_t)0xE7U, (uint8_t)0x63U, (uint8_t)0x72U, (uint8_t)0xBBU, (uint8_t)0x19U, + (uint8_t)0x0BU, (uint8_t)0x07U, (uint8_t)0xA7U, (uint8_t)0xC8U, (uint8_t)0xEEU, (uint8_t)0x0AU, + (uint8_t)0x6DU, (uint8_t)0x70U, (uint8_t)0x9EU, (uint8_t)0x02U, (uint8_t)0xFCU, (uint8_t)0xE1U, + (uint8_t)0xCDU, (uint8_t)0xF7U, (uint8_t)0xE2U, (uint8_t)0xECU, (uint8_t)0xC0U, (uint8_t)0x34U, + (uint8_t)0x04U, (uint8_t)0xCDU, (uint8_t)0x28U, (uint8_t)0x34U, (uint8_t)0x2FU, (uint8_t)0x61U, + (uint8_t)0x91U, (uint8_t)0x72U, (uint8_t)0xFEU, (uint8_t)0x9CU, (uint8_t)0xE9U, (uint8_t)0x85U, + (uint8_t)0x83U, (uint8_t)0xFFU, (uint8_t)0x8EU, (uint8_t)0x4FU, (uint8_t)0x12U, (uint8_t)0x32U, + (uint8_t)0xEEU, (uint8_t)0xF2U, (uint8_t)0x81U, (uint8_t)0x83U, (uint8_t)0xC3U, (uint8_t)0xFEU, + (uint8_t)0x3BU, (uint8_t)0x1BU, (uint8_t)0x4CU, (uint8_t)0x6FU, (uint8_t)0xADU, (uint8_t)0x73U, + (uint8_t)0x3BU, (uint8_t)0xB5U, (uint8_t)0xFCU, (uint8_t)0xBCU, (uint8_t)0x2EU, (uint8_t)0xC2U, + (uint8_t)0x20U, (uint8_t)0x05U, (uint8_t)0xC5U, (uint8_t)0x8EU, 
(uint8_t)0xF1U, (uint8_t)0x83U, + (uint8_t)0x7DU, (uint8_t)0x16U, (uint8_t)0x83U, (uint8_t)0xB2U, (uint8_t)0xC6U, (uint8_t)0xF3U, + (uint8_t)0x4AU, (uint8_t)0x26U, (uint8_t)0xC1U, (uint8_t)0xB2U, (uint8_t)0xEFU, (uint8_t)0xFAU, + (uint8_t)0x88U, (uint8_t)0x6BU, (uint8_t)0x42U, (uint8_t)0x38U, (uint8_t)0x61U, (uint8_t)0x1FU, + (uint8_t)0xCFU, (uint8_t)0xDCU, (uint8_t)0xDEU, (uint8_t)0x35U, (uint8_t)0x5BU, (uint8_t)0x3BU, + (uint8_t)0x65U, (uint8_t)0x19U, (uint8_t)0x03U, (uint8_t)0x5BU, (uint8_t)0xBCU, (uint8_t)0x34U, + (uint8_t)0xF4U, (uint8_t)0xDEU, (uint8_t)0xF9U, (uint8_t)0x9CU, (uint8_t)0x02U, (uint8_t)0x38U, + (uint8_t)0x61U, (uint8_t)0xB4U, (uint8_t)0x6FU, (uint8_t)0xC9U, (uint8_t)0xD6U, (uint8_t)0xE6U, + (uint8_t)0xC9U, (uint8_t)0x07U, (uint8_t)0x7AU, (uint8_t)0xD9U, (uint8_t)0x1DU, (uint8_t)0x26U, + (uint8_t)0x91U, (uint8_t)0xF7U, (uint8_t)0xF7U, (uint8_t)0xEEU, (uint8_t)0x59U, (uint8_t)0x8CU, + (uint8_t)0xB0U, (uint8_t)0xFAU, (uint8_t)0xC1U, (uint8_t)0x86U, (uint8_t)0xD9U, (uint8_t)0x1CU, + (uint8_t)0xAEU, (uint8_t)0xFEU, (uint8_t)0x13U, (uint8_t)0x09U, (uint8_t)0x85U, (uint8_t)0x13U, + (uint8_t)0x92U, (uint8_t)0x70U, (uint8_t)0xB4U, (uint8_t)0x13U, (uint8_t)0x0CU, (uint8_t)0x93U, + (uint8_t)0xBCU, (uint8_t)0x43U, (uint8_t)0x79U, (uint8_t)0x44U, (uint8_t)0xF4U, (uint8_t)0xFDU, + (uint8_t)0x44U, (uint8_t)0x52U, (uint8_t)0xE2U, (uint8_t)0xD7U, (uint8_t)0x4DU, (uint8_t)0xD3U, + (uint8_t)0x64U, (uint8_t)0xF2U, (uint8_t)0xE2U, (uint8_t)0x1EU, (uint8_t)0x71U, (uint8_t)0xF5U, + (uint8_t)0x4BU, (uint8_t)0xFFU, (uint8_t)0x5CU, (uint8_t)0xAEU, (uint8_t)0x82U, (uint8_t)0xABU, + (uint8_t)0x9CU, (uint8_t)0x9DU, (uint8_t)0xF6U, (uint8_t)0x9EU, (uint8_t)0xE8U, (uint8_t)0x6DU, + (uint8_t)0x2BU, (uint8_t)0xC5U, (uint8_t)0x22U, (uint8_t)0x36U, (uint8_t)0x3AU, (uint8_t)0x0DU, + (uint8_t)0xABU, (uint8_t)0xC5U, (uint8_t)0x21U, (uint8_t)0x97U, (uint8_t)0x9BU, (uint8_t)0x0DU, + (uint8_t)0xEAU, (uint8_t)0xDAU, (uint8_t)0x1DU, (uint8_t)0xBFU, (uint8_t)0x9AU, (uint8_t)0x42U, + 
(uint8_t)0xD5U, (uint8_t)0xC4U, (uint8_t)0x48U, (uint8_t)0x4EU, (uint8_t)0x0AU, (uint8_t)0xBCU, + (uint8_t)0xD0U, (uint8_t)0x6BU, (uint8_t)0xFAU, (uint8_t)0x53U, (uint8_t)0xDDU, (uint8_t)0xEFU, + (uint8_t)0x3CU, (uint8_t)0x1BU, (uint8_t)0x20U, (uint8_t)0xEEU, (uint8_t)0x3FU, (uint8_t)0xD5U, + (uint8_t)0x9DU, (uint8_t)0x7CU, (uint8_t)0x25U, (uint8_t)0xE4U, (uint8_t)0x1DU, (uint8_t)0x2BU, + (uint8_t)0x66U, (uint8_t)0x9EU, (uint8_t)0x1EU, (uint8_t)0xF1U, (uint8_t)0x6EU, (uint8_t)0x6FU, + (uint8_t)0x52U, (uint8_t)0xC3U, (uint8_t)0x16U, (uint8_t)0x4DU, (uint8_t)0xF4U, (uint8_t)0xFBU, + (uint8_t)0x79U, (uint8_t)0x30U, (uint8_t)0xE9U, (uint8_t)0xE4U, (uint8_t)0xE5U, (uint8_t)0x88U, + (uint8_t)0x57U, (uint8_t)0xB6U, (uint8_t)0xACU, (uint8_t)0x7DU, (uint8_t)0x5FU, (uint8_t)0x42U, + (uint8_t)0xD6U, (uint8_t)0x9FU, (uint8_t)0x6DU, (uint8_t)0x18U, (uint8_t)0x77U, (uint8_t)0x63U, + (uint8_t)0xCFU, (uint8_t)0x1DU, (uint8_t)0x55U, (uint8_t)0x03U, (uint8_t)0x40U, (uint8_t)0x04U, + (uint8_t)0x87U, (uint8_t)0xF5U, (uint8_t)0x5BU, (uint8_t)0xA5U, (uint8_t)0x7EU, (uint8_t)0x31U, + (uint8_t)0xCCU, (uint8_t)0x7AU, (uint8_t)0x71U, (uint8_t)0x35U, (uint8_t)0xC8U, (uint8_t)0x86U, + (uint8_t)0xEFU, (uint8_t)0xB4U, (uint8_t)0x31U, (uint8_t)0x8AU, (uint8_t)0xEDU, (uint8_t)0x6AU, + (uint8_t)0x1EU, (uint8_t)0x01U, (uint8_t)0x2DU, (uint8_t)0x9EU, (uint8_t)0x68U, (uint8_t)0x32U, + (uint8_t)0xA9U, (uint8_t)0x07U, (uint8_t)0x60U, (uint8_t)0x0AU, (uint8_t)0x91U, (uint8_t)0x81U, + (uint8_t)0x30U, (uint8_t)0xC4U, (uint8_t)0x6DU, (uint8_t)0xC7U, (uint8_t)0x78U, (uint8_t)0xF9U, + (uint8_t)0x71U, (uint8_t)0xADU, (uint8_t)0x00U, (uint8_t)0x38U, (uint8_t)0x09U, (uint8_t)0x29U, + (uint8_t)0x99U, (uint8_t)0xA3U, (uint8_t)0x33U, (uint8_t)0xCBU, (uint8_t)0x8BU, (uint8_t)0x7AU, + (uint8_t)0x1AU, (uint8_t)0x1DU, (uint8_t)0xB9U, (uint8_t)0x3DU, (uint8_t)0x71U, (uint8_t)0x40U, + (uint8_t)0x00U, (uint8_t)0x3CU, (uint8_t)0x2AU, (uint8_t)0x4EU, (uint8_t)0xCEU, (uint8_t)0xA9U, + (uint8_t)0xF9U, (uint8_t)0x8DU, 
(uint8_t)0x0AU, (uint8_t)0xCCU, (uint8_t)0x0AU, (uint8_t)0x82U, + (uint8_t)0x91U, (uint8_t)0xCDU, (uint8_t)0xCEU, (uint8_t)0xC9U, (uint8_t)0x7DU, (uint8_t)0xCFU, + (uint8_t)0x8EU, (uint8_t)0xC9U, (uint8_t)0xB5U, (uint8_t)0x5AU, (uint8_t)0x7FU, (uint8_t)0x88U, + (uint8_t)0xA4U, (uint8_t)0x6BU, (uint8_t)0x4DU, (uint8_t)0xB5U, (uint8_t)0xA8U, (uint8_t)0x51U, + (uint8_t)0xF4U, (uint8_t)0x41U, (uint8_t)0x82U, (uint8_t)0xE1U, (uint8_t)0xC6U, (uint8_t)0x8AU, + (uint8_t)0x00U, (uint8_t)0x7EU, (uint8_t)0x5EU, (uint8_t)0x0DU, (uint8_t)0xD9U, (uint8_t)0x02U, + (uint8_t)0x0BU, (uint8_t)0xFDU, (uint8_t)0x64U, (uint8_t)0xB6U, (uint8_t)0x45U, (uint8_t)0x03U, + (uint8_t)0x6CU, (uint8_t)0x7AU, (uint8_t)0x4EU, (uint8_t)0x67U, (uint8_t)0x7DU, (uint8_t)0x2CU, + (uint8_t)0x38U, (uint8_t)0x53U, (uint8_t)0x2AU, (uint8_t)0x3AU, (uint8_t)0x23U, (uint8_t)0xBAU, + (uint8_t)0x44U, (uint8_t)0x42U, (uint8_t)0xCAU, (uint8_t)0xF5U, (uint8_t)0x3EU, (uint8_t)0xA6U, + (uint8_t)0x3BU, (uint8_t)0xB4U, (uint8_t)0x54U, (uint8_t)0x32U, (uint8_t)0x9BU, (uint8_t)0x76U, + (uint8_t)0x24U, (uint8_t)0xC8U, (uint8_t)0x91U, (uint8_t)0x7BU, (uint8_t)0xDDU, (uint8_t)0x64U, + (uint8_t)0xB1U, (uint8_t)0xC0U, (uint8_t)0xFDU, (uint8_t)0x4CU, (uint8_t)0xB3U, (uint8_t)0x8EU, + (uint8_t)0x8CU, (uint8_t)0x33U, (uint8_t)0x4CU, (uint8_t)0x70U, (uint8_t)0x1CU, (uint8_t)0x3AU, + (uint8_t)0xCDU, (uint8_t)0xADU, (uint8_t)0x06U, (uint8_t)0x57U, (uint8_t)0xFCU, (uint8_t)0xCFU, + (uint8_t)0xECU, (uint8_t)0x71U, (uint8_t)0x9BU, (uint8_t)0x1FU, (uint8_t)0x5CU, (uint8_t)0x3EU, + (uint8_t)0x4EU, (uint8_t)0x46U, (uint8_t)0x04U, (uint8_t)0x1FU, (uint8_t)0x38U, (uint8_t)0x81U, + (uint8_t)0x47U, (uint8_t)0xFBU, (uint8_t)0x4CU, (uint8_t)0xFDU, (uint8_t)0xB4U, (uint8_t)0x77U, + (uint8_t)0xA5U, (uint8_t)0x24U, (uint8_t)0x71U, (uint8_t)0xF7U, (uint8_t)0xA9U, (uint8_t)0xA9U, + (uint8_t)0x69U, (uint8_t)0x10U, (uint8_t)0xB8U, (uint8_t)0x55U, (uint8_t)0x32U, (uint8_t)0x2EU, + (uint8_t)0xDBU, (uint8_t)0x63U, (uint8_t)0x40U, (uint8_t)0xD8U, 
(uint8_t)0xA0U, (uint8_t)0x0EU, + (uint8_t)0xF0U, (uint8_t)0x92U, (uint8_t)0x35U, (uint8_t)0x05U, (uint8_t)0x11U, (uint8_t)0xE3U, + (uint8_t)0x0AU, (uint8_t)0xBEU, (uint8_t)0xC1U, (uint8_t)0xFFU, (uint8_t)0xF9U, (uint8_t)0xE3U, + (uint8_t)0xA2U, (uint8_t)0x6EU, (uint8_t)0x7FU, (uint8_t)0xB2U, (uint8_t)0x9FU, (uint8_t)0x8CU, + (uint8_t)0x18U, (uint8_t)0x30U, (uint8_t)0x23U, (uint8_t)0xC3U, (uint8_t)0x58U, (uint8_t)0x7EU, + (uint8_t)0x38U, (uint8_t)0xDAU, (uint8_t)0x00U, (uint8_t)0x77U, (uint8_t)0xD9U, (uint8_t)0xB4U, + (uint8_t)0x76U, (uint8_t)0x3EU, (uint8_t)0x4EU, (uint8_t)0x4BU, (uint8_t)0x94U, (uint8_t)0xB2U, + (uint8_t)0xBBU, (uint8_t)0xC1U, (uint8_t)0x94U, (uint8_t)0xC6U, (uint8_t)0x65U, (uint8_t)0x1EU, + (uint8_t)0x77U, (uint8_t)0xCAU, (uint8_t)0xF9U, (uint8_t)0x92U, (uint8_t)0xEEU, (uint8_t)0xAAU, + (uint8_t)0xC0U, (uint8_t)0x23U, (uint8_t)0x2AU, (uint8_t)0x28U, (uint8_t)0x1BU, (uint8_t)0xF6U, + (uint8_t)0xB3U, (uint8_t)0xA7U, (uint8_t)0x39U, (uint8_t)0xC1U, (uint8_t)0x22U, (uint8_t)0x61U, + (uint8_t)0x16U, (uint8_t)0x82U, (uint8_t)0x0AU, (uint8_t)0xE8U, (uint8_t)0xDBU, (uint8_t)0x58U, + (uint8_t)0x47U, (uint8_t)0xA6U, (uint8_t)0x7CU, (uint8_t)0xBEU, (uint8_t)0xF9U, (uint8_t)0xC9U, + (uint8_t)0x09U, (uint8_t)0x1BU, (uint8_t)0x46U, (uint8_t)0x2DU, (uint8_t)0x53U, (uint8_t)0x8CU, + (uint8_t)0xD7U, (uint8_t)0x2BU, (uint8_t)0x03U, (uint8_t)0x74U, (uint8_t)0x6AU, (uint8_t)0xE7U, + (uint8_t)0x7FU, (uint8_t)0x5EU, (uint8_t)0x62U, (uint8_t)0x29U, (uint8_t)0x2CU, (uint8_t)0x31U, + (uint8_t)0x15U, (uint8_t)0x62U, (uint8_t)0xA8U, (uint8_t)0x46U, (uint8_t)0x50U, (uint8_t)0x5DU, + (uint8_t)0xC8U, (uint8_t)0x2DU, (uint8_t)0xB8U, (uint8_t)0x54U, (uint8_t)0x33U, (uint8_t)0x8AU, + (uint8_t)0xE4U, (uint8_t)0x9FU, (uint8_t)0x52U, (uint8_t)0x35U, (uint8_t)0xC9U, (uint8_t)0x5BU, + (uint8_t)0x91U, (uint8_t)0x17U, (uint8_t)0x8CU, (uint8_t)0xCFU, (uint8_t)0x2DU, (uint8_t)0xD5U, + (uint8_t)0xCAU, (uint8_t)0xCEU, (uint8_t)0xF4U, (uint8_t)0x03U, (uint8_t)0xECU, (uint8_t)0x9DU, + 
(uint8_t)0x18U, (uint8_t)0x10U, (uint8_t)0xC6U, (uint8_t)0x27U, (uint8_t)0x2BU, (uint8_t)0x04U, + (uint8_t)0x5BU, (uint8_t)0x3BU, (uint8_t)0x71U, (uint8_t)0xF9U, (uint8_t)0xDCU, (uint8_t)0x6BU, + (uint8_t)0x80U, (uint8_t)0xD6U, (uint8_t)0x3FU, (uint8_t)0xDDU, (uint8_t)0x4AU, (uint8_t)0x8EU, + (uint8_t)0x9AU, (uint8_t)0xDBU, (uint8_t)0x1EU, (uint8_t)0x69U, (uint8_t)0x62U, (uint8_t)0xA6U, + (uint8_t)0x95U, (uint8_t)0x26U, (uint8_t)0xD4U, (uint8_t)0x31U, (uint8_t)0x61U, (uint8_t)0xC1U, + (uint8_t)0xA4U, (uint8_t)0x1DU, (uint8_t)0x57U, (uint8_t)0x0DU, (uint8_t)0x79U, (uint8_t)0x38U, + (uint8_t)0xDAU, (uint8_t)0xD4U, (uint8_t)0xA4U, (uint8_t)0x0EU, (uint8_t)0x32U, (uint8_t)0x9CU, + (uint8_t)0xCFU, (uint8_t)0xF4U, (uint8_t)0x6AU, (uint8_t)0xAAU, (uint8_t)0x36U, (uint8_t)0xADU, + (uint8_t)0x00U, (uint8_t)0x4CU, (uint8_t)0xF6U, (uint8_t)0x00U, (uint8_t)0xC8U, (uint8_t)0x38U, + (uint8_t)0x1EU, (uint8_t)0x42U, (uint8_t)0x5AU, (uint8_t)0x31U, (uint8_t)0xD9U, (uint8_t)0x51U, + (uint8_t)0xAEU, (uint8_t)0x64U, (uint8_t)0xFDU, (uint8_t)0xB2U, (uint8_t)0x3FU, (uint8_t)0xCEU, + (uint8_t)0xC9U, (uint8_t)0x50U, (uint8_t)0x9DU, (uint8_t)0x43U, (uint8_t)0x68U, (uint8_t)0x7FU, + (uint8_t)0xEBU, (uint8_t)0x69U, (uint8_t)0xEDU, (uint8_t)0xD1U, (uint8_t)0xCCU, (uint8_t)0x5EU, + (uint8_t)0x0BU, (uint8_t)0x8CU, (uint8_t)0xC3U, (uint8_t)0xBDU, (uint8_t)0xF6U, (uint8_t)0x4BU, + (uint8_t)0x10U, (uint8_t)0xEFU, (uint8_t)0x86U, (uint8_t)0xB6U, (uint8_t)0x31U, (uint8_t)0x42U, + (uint8_t)0xA3U, (uint8_t)0xABU, (uint8_t)0x88U, (uint8_t)0x29U, (uint8_t)0x55U, (uint8_t)0x5BU, + (uint8_t)0x2FU, (uint8_t)0x74U, (uint8_t)0x7CU, (uint8_t)0x93U, (uint8_t)0x26U, (uint8_t)0x65U, + (uint8_t)0xCBU, (uint8_t)0x2CU, (uint8_t)0x0FU, (uint8_t)0x1CU, (uint8_t)0xC0U, (uint8_t)0x1BU, + (uint8_t)0xD7U, (uint8_t)0x02U, (uint8_t)0x29U, (uint8_t)0x38U, (uint8_t)0x88U, (uint8_t)0x39U, + (uint8_t)0xD2U, (uint8_t)0xAFU, (uint8_t)0x05U, (uint8_t)0xE4U, (uint8_t)0x54U, (uint8_t)0x50U, + (uint8_t)0x4AU, (uint8_t)0xC7U, 
(uint8_t)0x8BU, (uint8_t)0x75U, (uint8_t)0x82U, (uint8_t)0x82U, + (uint8_t)0x28U, (uint8_t)0x46U, (uint8_t)0xC0U, (uint8_t)0xBAU, (uint8_t)0x35U, (uint8_t)0xC3U, + (uint8_t)0x5FU, (uint8_t)0x5CU, (uint8_t)0x59U, (uint8_t)0x16U, (uint8_t)0x0CU, (uint8_t)0xC0U, + (uint8_t)0x46U, (uint8_t)0xFDU, (uint8_t)0x82U, (uint8_t)0x51U, (uint8_t)0x54U, (uint8_t)0x1FU, + (uint8_t)0xC6U, (uint8_t)0x8CU, (uint8_t)0x9CU, (uint8_t)0x86U, (uint8_t)0xB0U, (uint8_t)0x22U, + (uint8_t)0xBBU, (uint8_t)0x70U, (uint8_t)0x99U, (uint8_t)0x87U, (uint8_t)0x6AU, (uint8_t)0x46U, + (uint8_t)0x0EU, (uint8_t)0x74U, (uint8_t)0x51U, (uint8_t)0xA8U, (uint8_t)0xA9U, (uint8_t)0x31U, + (uint8_t)0x09U, (uint8_t)0x70U, (uint8_t)0x3FU, (uint8_t)0xEEU, (uint8_t)0x1CU, (uint8_t)0x21U, + (uint8_t)0x7EU, (uint8_t)0x6CU, (uint8_t)0x38U, (uint8_t)0x26U, (uint8_t)0xE5U, (uint8_t)0x2CU, + (uint8_t)0x51U, (uint8_t)0xAAU, (uint8_t)0x69U, (uint8_t)0x1EU, (uint8_t)0x0EU, (uint8_t)0x42U, + (uint8_t)0x3CU, (uint8_t)0xFCU, (uint8_t)0x99U, (uint8_t)0xE9U, (uint8_t)0xE3U, (uint8_t)0x16U, + (uint8_t)0x50U, (uint8_t)0xC1U, (uint8_t)0x21U, (uint8_t)0x7BU, (uint8_t)0x62U, (uint8_t)0x48U, + (uint8_t)0x16U, (uint8_t)0xCDU, (uint8_t)0xADU, (uint8_t)0x9AU, (uint8_t)0x95U, (uint8_t)0xF9U, + (uint8_t)0xD5U, (uint8_t)0xB8U, (uint8_t)0x01U, (uint8_t)0x94U, (uint8_t)0x88U, (uint8_t)0xD9U, + (uint8_t)0xC0U, (uint8_t)0xA0U, (uint8_t)0xA1U, (uint8_t)0xFEU, (uint8_t)0x30U, (uint8_t)0x75U, + (uint8_t)0xA5U, (uint8_t)0x77U, (uint8_t)0xE2U, (uint8_t)0x31U, (uint8_t)0x83U, (uint8_t)0xF8U, + (uint8_t)0x1DU, (uint8_t)0x4AU, (uint8_t)0x3FU, (uint8_t)0x2FU, (uint8_t)0xA4U, (uint8_t)0x57U, + (uint8_t)0x1EU, (uint8_t)0xFCU, (uint8_t)0x8CU, (uint8_t)0xE0U, (uint8_t)0xBAU, (uint8_t)0x8AU, + (uint8_t)0x4FU, (uint8_t)0xE8U, (uint8_t)0xB6U, (uint8_t)0x85U, (uint8_t)0x5DU, (uint8_t)0xFEU, + (uint8_t)0x72U, (uint8_t)0xB0U, (uint8_t)0xA6U, (uint8_t)0x6EU, (uint8_t)0xDEU, (uint8_t)0xD2U, + (uint8_t)0xFBU, (uint8_t)0xABU, (uint8_t)0xFBU, (uint8_t)0xE5U, 
(uint8_t)0x8AU, (uint8_t)0x30U, + (uint8_t)0xFAU, (uint8_t)0xFAU, (uint8_t)0xBEU, (uint8_t)0x1CU, (uint8_t)0x5DU, (uint8_t)0x71U, + (uint8_t)0xA8U, (uint8_t)0x7EU, (uint8_t)0x2FU, (uint8_t)0x74U, (uint8_t)0x1EU, (uint8_t)0xF8U, + (uint8_t)0xC1U, (uint8_t)0xFEU, (uint8_t)0x86U, (uint8_t)0xFEU, (uint8_t)0xA6U, (uint8_t)0xBBU, + (uint8_t)0xFDU, (uint8_t)0xE5U, (uint8_t)0x30U, (uint8_t)0x67U, (uint8_t)0x7FU, (uint8_t)0x0DU, + (uint8_t)0x97U, (uint8_t)0xD1U, (uint8_t)0x1DU, (uint8_t)0x49U, (uint8_t)0xF7U, (uint8_t)0xA8U, + (uint8_t)0x44U, (uint8_t)0x3DU, (uint8_t)0x08U, (uint8_t)0x22U, (uint8_t)0xE5U, (uint8_t)0x06U, + (uint8_t)0xA9U, (uint8_t)0xF4U, (uint8_t)0x61U, (uint8_t)0x4EU, (uint8_t)0x01U, (uint8_t)0x1EU, + (uint8_t)0x2AU, (uint8_t)0x94U, (uint8_t)0x83U, (uint8_t)0x8FU, (uint8_t)0xF8U, (uint8_t)0x8CU, + (uint8_t)0xD6U, (uint8_t)0x8CU, (uint8_t)0x8BU, (uint8_t)0xB7U, (uint8_t)0xC5U, (uint8_t)0xC6U, + (uint8_t)0x42U, (uint8_t)0x4CU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU + }; + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Impl_FFDHE_Constants_H_DEFINED +#endif diff --git a/include/Hacl_IntTypes_Intrinsics.h b/include/Hacl_IntTypes_Intrinsics.h new file mode 100644 index 00000000..362b4cfc --- /dev/null +++ b/include/Hacl_IntTypes_Intrinsics.h 
@@ -0,0 +1,87 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_IntTypes_Intrinsics_H
+#define __Hacl_IntTypes_Intrinsics_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+static inline uint32_t
+Hacl_IntTypes_Intrinsics_add_carry_u32(uint32_t cin, uint32_t x, uint32_t y, uint32_t *r)
+{
+ uint64_t res = (uint64_t)x + (uint64_t)cin + (uint64_t)y;
+ uint32_t c = (uint32_t)(res >> (uint32_t)32U);
+ r[0U] = (uint32_t)res;
+ return c;
+}
+
+static inline uint32_t
+Hacl_IntTypes_Intrinsics_sub_borrow_u32(uint32_t cin, uint32_t x, uint32_t y, uint32_t *r)
+{
+ uint64_t res = (uint64_t)x - (uint64_t)y - (uint64_t)cin;
+ uint32_t c = (uint32_t)(res >> (uint32_t)32U) & (uint32_t)1U;
+ r[0U] = (uint32_t)res;
+ return c;
+}
+
+static inline uint64_t
+Hacl_IntTypes_Intrinsics_add_carry_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r)
+{
+ uint64_t res = x + cin + y;
+ uint64_t
+ c = (~FStar_UInt64_gte_mask(res, x) | (FStar_UInt64_eq_mask(res, x) & cin)) & (uint64_t)1U;
+ r[0U] = res;
+ return c;
+}
+
+static inline uint64_t
+Hacl_IntTypes_Intrinsics_sub_borrow_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r)
+{
+ uint64_t res = x - y - cin;
+ uint64_t
+ c =
+ ((FStar_UInt64_gte_mask(res, x) & ~FStar_UInt64_eq_mask(res, x))
+ | (FStar_UInt64_eq_mask(res, x) & cin))
+ & (uint64_t)1U;
+ r[0U] = res;
+ return c;
+}
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_IntTypes_Intrinsics_H_DEFINED
+#endif
diff --git a/include/Hacl_IntTypes_Intrinsics_128.h b/include/Hacl_IntTypes_Intrinsics_128.h
new file mode 100644
index 00000000..362b4cfc
--- /dev/null
+++ b/include/Hacl_IntTypes_Intrinsics_128.h
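Review bot: Hacl_IntTypes_Intrinsics_add_carry_u64 and Hacl_IntTypes_Intrinsics_sub_borrow_u64 call FStar_UInt64_gte_mask and FStar_UInt64_eq_mask, but this header's include list stops at evercrypt_targetconfig.h and libintvector.h, whereas the sibling Hacl_IntTypes_Intrinsics_128.h pulls in Hacl_Kremlib.h, which is where these mask helpers are declared. Unless one of the kremlin/ headers already provides them, a translation unit that includes only this header will fail on an implicit declaration; adding `#include "Hacl_Kremlib.h"` after the kremlin includes would match the 128-bit variant. The four intrinsics also have no contract comment; I would add one stating that each writes the low limb of the result to `r[0]` and returns the carry/borrow as 0 or 1, and that the u64 variants derive the carry from mask comparisons (rather than a branch on `res < x`) so the control flow does not depend on the operand values.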
@@ -0,0 +1,75 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_IntTypes_Intrinsics_128_H
+#define __Hacl_IntTypes_Intrinsics_128_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Kremlib.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+static inline uint64_t
+Hacl_IntTypes_Intrinsics_128_add_carry_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r)
+{
+ FStar_UInt128_uint128
+ res =
+ FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_uint64_to_uint128(x),
+ FStar_UInt128_uint64_to_uint128(cin)),
+ FStar_UInt128_uint64_to_uint128(y));
+ uint64_t c = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U));
+ r[0U] = FStar_UInt128_uint128_to_uint64(res);
+ return c;
+}
+
+static inline uint64_t
+Hacl_IntTypes_Intrinsics_128_sub_borrow_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r)
+{
+ FStar_UInt128_uint128
+ res =
+ FStar_UInt128_sub_mod(FStar_UInt128_sub_mod(FStar_UInt128_uint64_to_uint128(x),
+ FStar_UInt128_uint64_to_uint128(y)),
+ FStar_UInt128_uint64_to_uint128(cin));
+ uint64_t
+ c =
+ FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U))
+ & (uint64_t)1U;
+ r[0U] = FStar_UInt128_uint128_to_uint64(res);
+ return c;
+}
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_IntTypes_Intrinsics_128_H_DEFINED
+#endif
diff --git a/include/Hacl_Kremlib.h b/include/Hacl_Kremlib.h
new file mode 100644
index 00000000..deef15ba
--- /dev/null
+++ b/include/Hacl_Kremlib.h
@@ -0,0 +1,88 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Kremlib_H
+#define __Hacl_Kremlib_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+static inline uint32_t FStar_UInt32_eq_mask(uint32_t a, uint32_t b);
+
+static inline uint32_t FStar_UInt32_gte_mask(uint32_t a, uint32_t b);
+
+static inline uint8_t FStar_UInt8_eq_mask(uint8_t a, uint8_t b);
+
+static inline uint64_t FStar_UInt64_eq_mask(uint64_t a, uint64_t b);
+
+static inline uint64_t FStar_UInt64_gte_mask(uint64_t a, uint64_t b);
+
+static inline uint16_t FStar_UInt16_eq_mask(uint16_t a, uint16_t b);
+
+static inline FStar_UInt128_uint128
+FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
+
+static inline FStar_UInt128_uint128
+FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
+
+static inline FStar_UInt128_uint128
+FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
+
+static inline FStar_UInt128_uint128
+FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
+
+static inline FStar_UInt128_uint128
+FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s);
+
+static inline FStar_UInt128_uint128
+FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s);
+
+static inline FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a);
+
+static inline uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a);
+
+static inline FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y);
+
+static inline void store128_le(uint8_t *x0, FStar_UInt128_uint128 x1);
+
+static inline void store128_be(uint8_t *x0, FStar_UInt128_uint128 x1);
+
+static inline FStar_UInt128_uint128 load128_be(uint8_t *x0);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Kremlib_H_DEFINED
+#endif
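Review bot: Every declaration in this header is a `static inline` prototype with no body, and nothing visible in the include list (kremlin/internal/types.h, lowstar_endianness.h, target.h, evercrypt_targetconfig.h, libintvector.h) is named as the source of the definitions. A translation unit that includes this header and calls, say, FStar_UInt128_mul_wide without also getting the kremlin definitions will fail at compile time with an undefined static function, so a one-line comment above the prototypes naming the kremlin header that is expected to define them would save the next reader a search; I assume the definitions come from the kremlin FStar_UInt128 / FStar_UInt_8_16_32_64 headers but cannot confirm that from this hunk. Separately, `load128_be(uint8_t *x0)` reads through its argument yet takes a non-const pointer, which forces callers holding `const uint8_t *` input to cast.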
diff --git a/include/Hacl_NaCl.h b/include/Hacl_NaCl.h new file mode 100644 index 00000000..425c7208 --- /dev/null +++ b/include/Hacl_NaCl.h 
@@ -0,0 +1,162 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_NaCl_H +#define __Hacl_NaCl_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Salsa20.h" +#include "Hacl_Poly1305_32.h" +#include "Hacl_Curve25519_51.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_NaCl_crypto_secretbox_detached( + uint8_t *c, + uint8_t *tag, + uint8_t *m, + uint32_t mlen, + uint8_t *n, + uint8_t *k +); + +uint32_t +Hacl_NaCl_crypto_secretbox_open_detached( + uint8_t *m, + uint8_t *c, + uint8_t *tag, + uint32_t mlen, + uint8_t *n, + uint8_t *k +); + +uint32_t +Hacl_NaCl_crypto_secretbox_easy(uint8_t *c, uint8_t *m, uint32_t mlen, uint8_t *n, uint8_t *k); + +uint32_t +Hacl_NaCl_crypto_secretbox_open_easy( + uint8_t *m, + uint8_t *c, + uint32_t clen, + uint8_t *n, + uint8_t *k +); + +uint32_t Hacl_NaCl_crypto_box_beforenm(uint8_t *k, uint8_t *pk, uint8_t *sk); + +uint32_t +Hacl_NaCl_crypto_box_detached_afternm( + uint8_t *c, + uint8_t *tag, + uint8_t *m, + uint32_t mlen, + uint8_t *n, + uint8_t *k +); + +uint32_t +Hacl_NaCl_crypto_box_detached( + uint8_t *c, + uint8_t *tag, + uint8_t *m, + uint32_t mlen, + uint8_t *n, + uint8_t *pk, + uint8_t *sk +); + +uint32_t +Hacl_NaCl_crypto_box_open_detached_afternm( + uint8_t *m, + uint8_t *c, + uint8_t *tag, + uint32_t mlen, + uint8_t *n, + uint8_t *k +); + +uint32_t +Hacl_NaCl_crypto_box_open_detached( + uint8_t *m, + uint8_t *c, + uint8_t *tag, + uint32_t mlen, + uint8_t *n, + uint8_t *pk, + uint8_t *sk +); + +uint32_t +Hacl_NaCl_crypto_box_easy_afternm( + uint8_t *c, + uint8_t *m, + uint32_t mlen, + uint8_t *n, + uint8_t *k +); + +uint32_t +Hacl_NaCl_crypto_box_easy( + uint8_t *c, + uint8_t *m, + uint32_t mlen, + uint8_t *n, + uint8_t *pk, + uint8_t *sk +); + +uint32_t +Hacl_NaCl_crypto_box_open_easy_afternm( + uint8_t *m, + uint8_t *c, + uint32_t clen, + uint8_t *n, + uint8_t *k +); + +uint32_t 
+Hacl_NaCl_crypto_box_open_easy( + uint8_t *m, + uint8_t *c, + uint32_t clen, + uint8_t *n, + uint8_t *pk, + uint8_t *sk +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_NaCl_H_DEFINED +#endif diff --git a/include/Hacl_P256.h b/include/Hacl_P256.h new file mode 100644 index 00000000..e7bd9f2c --- /dev/null +++ b/include/Hacl_P256.h 
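Review bot: The NaCl entry points in this header carry no documentation at all, while the sibling Hacl_P256.h in the same commit documents buffer sizes and return semantics for every function; here the reader cannot tell from the header which `uint32_t` value signals success, how large `c`/`tag`/`n`/`k` must be relative to `mlen`/`clen`, or whether `pk`/`sk` are 32-byte Curve25519 keys. The most consequential gap is on the six `*_open_*` functions: the return value is the authentication verdict, and callers need to be told to check it and to treat the contents of `m` as unusable when it indicates failure. I would add a header comment covering the success value, the required buffer lengths for each parameter, and the requirement that `n` never be reused with the same key, since secretbox and box provide no protection against nonce reuse. All of the input pointers (`m`, `n`, `k`, `pk`, `sk`) are also non-const, which forces callers with `const` key material to cast it away.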
@@ -0,0 +1,393 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_P256_H +#define __Hacl_P256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Spec.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Hash_SHA2.h" +#include "evercrypt_targetconfig.h" +#include "lib_intrinsics.h" +#include "libintvector.h" + +/******************************************************************************* + +ECDSA and ECDH functions over the P-256 NIST curve. + +This module implements signing and verification, key validation, conversions +between various point representations, and ECDH key agreement. 
+ +*******************************************************************************/ + +/**************/ +/* Signatures */ +/**************/ + +/* + Per the standard, a hash function *shall* be used. Therefore, we recommend + using one of the three combined hash-and-sign variants. +*/ + +/* +Hash the message with SHA2-256, then sign the resulting digest with the P256 signature function. + +Input: result buffer: uint8[64], + m buffer: uint8 [mLen], + priv(ate)Key: uint8[32], + k (nonce): uint32[32]. + + Output: bool, where True stands for the correct signature generation. False value means that an error has occurred. + + The private key and the nonce are expected to be more than 0 and less than the curve order. +*/ +bool +Hacl_P256_ecdsa_sign_p256_sha2( + uint8_t *result, + uint32_t mLen, + uint8_t *m, + uint8_t *privKey, + uint8_t *k +); + +/* +Hash the message with SHA2-384, then sign the resulting digest with the P256 signature function. + +Input: result buffer: uint8[64], + m buffer: uint8 [mLen], + priv(ate)Key: uint8[32], + k (nonce): uint32[32]. + + Output: bool, where True stands for the correct signature generation. False value means that an error has occurred. + + The private key and the nonce are expected to be more than 0 and less than the curve order. +*/ +bool +Hacl_P256_ecdsa_sign_p256_sha384( + uint8_t *result, + uint32_t mLen, + uint8_t *m, + uint8_t *privKey, + uint8_t *k +); + +/* +Hash the message with SHA2-512, then sign the resulting digest with the P256 signature function. + +Input: result buffer: uint8[64], + m buffer: uint8 [mLen], + priv(ate)Key: uint8[32], + k (nonce): uint32[32]. + + Output: bool, where True stands for the correct signature generation. False value means that an error has occurred. + + The private key and the nonce are expected to be more than 0 and less than the curve order. 
+*/ +bool +Hacl_P256_ecdsa_sign_p256_sha512( + uint8_t *result, + uint32_t mLen, + uint8_t *m, + uint8_t *privKey, + uint8_t *k +); + +/* +P256 signature WITHOUT hashing first. + +This function is intended to receive a hash of the input. For convenience, we +recommend using one of the hash-and-sign combined functions above. + +The argument `m` MUST be at least 32 bytes (i.e. `mLen >= 32`). + +NOTE: The equivalent functions in OpenSSL and Fiat-Crypto both accept inputs +smaller than 32 bytes. These libraries left-pad the input with enough zeroes to +reach the minimum 32 byte size. Clients who need behavior identical to OpenSSL +need to perform the left-padding themselves. + +Input: result buffer: uint8[64], + m buffer: uint8 [mLen], + priv(ate)Key: uint8[32], + k (nonce): uint32[32]. + + Output: bool, where True stands for the correct signature generation. False value means that an error has occurred. + + The private key and the nonce are expected to be more than 0 and less than the curve order. + + The message m is expected to be hashed by a strong hash function, the lenght of the message is expected to be 32 bytes and more. +*/ +bool +Hacl_P256_ecdsa_sign_p256_without_hash( + uint8_t *result, + uint32_t mLen, + uint8_t *m, + uint8_t *privKey, + uint8_t *k +); + + +/****************/ +/* Verification */ +/****************/ + +/* + Verify a message signature. These functions internally validate the public key using validate_public_key. +*/ + + +/* + The input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over the input. + + Input: m buffer: uint8 [mLen], + pub(lic)Key: uint8[64], + r: uint8[32], + s: uint8[32]. + + Output: bool, where true stands for the correct signature verification. 
+*/ +bool +Hacl_P256_ecdsa_verif_p256_sha2( + uint32_t mLen, + uint8_t *m, + uint8_t *pubKey, + uint8_t *r, + uint8_t *s +); + +/* + The input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over the input. + + Input: m buffer: uint8 [mLen], + pub(lic)Key: uint8[64], + r: uint8[32], + s: uint8[32]. + + Output: bool, where true stands for the correct signature verification. +*/ +bool +Hacl_P256_ecdsa_verif_p256_sha384( + uint32_t mLen, + uint8_t *m, + uint8_t *pubKey, + uint8_t *r, + uint8_t *s +); + +/* + The input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over the input. + + Input: m buffer: uint8 [mLen], + pub(lic)Key: uint8[64], + r: uint8[32], + s: uint8[32]. + + Output: bool, where true stands for the correct signature verification. +*/ +bool +Hacl_P256_ecdsa_verif_p256_sha512( + uint32_t mLen, + uint8_t *m, + uint8_t *pubKey, + uint8_t *r, + uint8_t *s +); + +/* + The input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over the input. + + Input: m buffer: uint8 [mLen], + pub(lic)Key: uint8[64], + r: uint8[32], + s: uint8[32]. + + Output: bool, where true stands for the correct signature verification. + + The message m is expected to be hashed by a strong hash function, the lenght of the message is expected to be 32 bytes and more. +*/ +bool +Hacl_P256_ecdsa_verif_without_hash( + uint32_t mLen, + uint8_t *m, + uint8_t *pubKey, + uint8_t *r, + uint8_t *s +); + + +/******************/ +/* Key validation */ +/******************/ + + +/* +Validate a public key. + + + The input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over the input. + + Input: pub(lic)Key: uint8[64]. 
+ + Output: bool, where 0 stands for the public key to be correct with respect to SP 800-56A: + Verify that the public key is not the “point at infinity”, represented as O. + Verify that the affine x and y coordinates of the point represented by the public key are in the range [0, p – 1] where p is the prime defining the finite field. + Verify that y2 = x3 + ax + b where a and b are the coefficients of the curve equation. + Verify that nQ = O (the point at infinity), where n is the order of the curve and Q is the public key point. + + The last extract is taken from : https://neilmadden.blog/2017/05/17/so-how-do-you-validate-nist-ecdh-public-keys/ +*/ +bool Hacl_P256_validate_public_key(uint8_t *pubKey); + +/* +Validate a private key, e.g. prior to signing. + +Input: scalar: uint8[32]. + + Output: bool, where true stands for the scalar to be more than 0 and less than order. +*/ +bool Hacl_P256_validate_private_key(uint8_t *x); + + +/*****************************************/ +/* Point representations and conversions */ +/*****************************************/ + +/* + Elliptic curve points have 2 32-byte coordinates (x, y) and can be represented in 3 ways: + + - "raw" form (64 bytes): the concatenation of the 2 coordinates, also known as "internal" + - "compressed" form (33 bytes): first the sign byte of y (either 0x02 or 0x03), followed by x + - "uncompressed" form (65 bytes): first a constant byte (always 0x04), followed by the "raw" form + + For all of the conversation functions below, the input and output MUST NOT overlap. +*/ + + +/* +Convert 65-byte uncompressed to raw. + +The function errors out if the first byte is incorrect, or if the resulting point is invalid. + + + + Input: a point in not compressed form (uint8[65]), + result: uint8[64] (internal point representation). + + Output: bool, where true stands for the correct decompression. + +*/ +bool Hacl_P256_uncompressed_to_raw(uint8_t *b, uint8_t *result); + +/* +Convert 33-byte compressed to raw. 
+ +The function errors out if the first byte is incorrect, or if the resulting point is invalid. + +Input: a point in compressed form (uint8[33]), + result: uint8[64] (internal point representation). + + Output: bool, where true stands for the correct decompression. + +*/ +bool Hacl_P256_compressed_to_raw(uint8_t *b, uint8_t *result); + +/* +Convert raw to 65-byte uncompressed. + +This function effectively prepends a 0x04 byte. + +Input: a point buffer (internal representation: uint8[64]), + result: a point in not compressed form (uint8[65]). +*/ +void Hacl_P256_raw_to_uncompressed(uint8_t *b, uint8_t *result); + +/* +Convert raw to 33-byte compressed. + + Input: `b`, the pointer buffer in internal representation, of type `uint8[64]` + Output: `result`, a point in compressed form, of type `uint8[33]` + +*/ +void Hacl_P256_raw_to_compressed(uint8_t *b, uint8_t *result); + + +/******************/ +/* ECDH agreement */ +/******************/ + +/* +Convert a private key into a raw public key. + +This function performs no key validation. + + Input: `scalar`, the private key, of type `uint8[32]`. + Output: `result`, the public key, of type `uint8[64]`. + Returns: + - `true`, for success, meaning the public key is not a point at infinity + - `false`, otherwise. + + `scalar` and `result` MUST NOT overlap. +*/ +bool Hacl_P256_dh_initiator(uint8_t *result, uint8_t *scalar); + +/* +ECDH key agreement. + +This function takes a 32-byte secret key, another party's 64-byte raw public +key, and computeds the 64-byte ECDH shared key. + +This function ONLY validates the public key. + + The pub(lic)_key input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over this variable. + + Input: result: uint8[64], + pub(lic)Key: uint8[64], + scalar: uint8[32]. + + Output: bool, where True stands for the correct key generation. 
False value means that an error has occurred (possibly the provided public key was incorrect or the result represents point at infinity). + +*/ +bool Hacl_P256_dh_responder(uint8_t *result, uint8_t *pubKey, uint8_t *scalar); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_P256_H_DEFINED +#endif diff --git a/include/Hacl_Poly1305_128.h b/include/Hacl_Poly1305_128.h new file mode 100644 index 00000000..210e34b1 --- /dev/null +++ b/include/Hacl_Poly1305_128.h 
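Review bot: The signing docstrings describe the nonce as `k (nonce): uint32[32]` while the declarations take `uint8_t *k`, so the comment should read `k (nonce): uint8[32].` in all four sign variants; the same comments would also benefit from stating that `k` must be fresh and uniformly random per signature (or derived deterministically from the key and message), since a repeated or biased nonce lets anyone with two signatures recover the private key, and "more than 0 and less than the curve order" does not convey that. The Hacl_P256_validate_public_key comment says "bool, where 0 stands for the public key to be correct", which contradicts the function's `bool` return and the convention used by every other function in this header (true means success); it should say "where true stands for". Smaller wording defects: "lenght" appears twice (sign_without_hash and verif_without_hash), "computeds" in the ECDH agreement comment, "conversation functions" should be "conversion functions", and Hacl_P256_validate_private_key names its parameter `x` while its comment calls it `scalar`.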
@@ -0,0 +1,70 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Poly1305_128_H +#define __Hacl_Poly1305_128_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +extern uint32_t Hacl_Poly1305_128_blocklen; + +typedef Lib_IntVector_Intrinsics_vec128 *Hacl_Poly1305_128_poly1305_ctx; + +void Hacl_Poly1305_128_poly1305_init(Lib_IntVector_Intrinsics_vec128 *ctx, uint8_t *key); + +void Hacl_Poly1305_128_poly1305_update1(Lib_IntVector_Intrinsics_vec128 *ctx, uint8_t *text); + +void +Hacl_Poly1305_128_poly1305_update( + Lib_IntVector_Intrinsics_vec128 *ctx, + uint32_t len, + uint8_t *text +); + +void +Hacl_Poly1305_128_poly1305_finish( + uint8_t *tag, + uint8_t *key, + Lib_IntVector_Intrinsics_vec128 *ctx +); + +void Hacl_Poly1305_128_poly1305_mac(uint8_t *tag, uint32_t len, uint8_t *text, uint8_t *key); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Poly1305_128_H_DEFINED +#endif diff --git a/include/Hacl_Poly1305_256.h b/include/Hacl_Poly1305_256.h new file mode 100644 index 00000000..6d2c2a74 --- /dev/null +++ b/include/Hacl_Poly1305_256.h 
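Review bot: `Hacl_Poly1305_128_poly1305_ctx` is typedef'd as a bare `Lib_IntVector_Intrinsics_vec128 *`, but nothing in the header says how many vec128 elements the caller must allocate for `ctx` before calling Hacl_Poly1305_128_poly1305_init, nor what alignment the vector type needs, so the only way to size the buffer is to read the implementation. A comment on the typedef giving the element count and alignment would fix that; I cannot state the count from this hunk. The same gap exists in Hacl_Poly1305_256.h (vec256 context) and Hacl_Poly1305_32.h (`uint64_t *` context). I would also note at the `*_poly1305_mac` declaration that the 32-byte `key` is a one-time key: authenticating two different messages under the same key forfeits the MAC's security, which is why the higher-level AEAD derives a fresh key per nonce.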
@@ -0,0 +1,70 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Poly1305_256_H +#define __Hacl_Poly1305_256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +extern uint32_t Hacl_Poly1305_256_blocklen; + +typedef Lib_IntVector_Intrinsics_vec256 *Hacl_Poly1305_256_poly1305_ctx; + +void Hacl_Poly1305_256_poly1305_init(Lib_IntVector_Intrinsics_vec256 *ctx, uint8_t *key); + +void Hacl_Poly1305_256_poly1305_update1(Lib_IntVector_Intrinsics_vec256 *ctx, uint8_t *text); + +void +Hacl_Poly1305_256_poly1305_update( + Lib_IntVector_Intrinsics_vec256 *ctx, + uint32_t len, + uint8_t *text +); + +void +Hacl_Poly1305_256_poly1305_finish( + uint8_t *tag, + uint8_t *key, + Lib_IntVector_Intrinsics_vec256 *ctx +); + +void Hacl_Poly1305_256_poly1305_mac(uint8_t *tag, uint32_t len, uint8_t *text, uint8_t *key); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Poly1305_256_H_DEFINED +#endif diff --git a/include/Hacl_Poly1305_32.h b/include/Hacl_Poly1305_32.h new file mode 100644 index 00000000..093160e2 --- /dev/null +++ b/include/Hacl_Poly1305_32.h 
@@ -0,0 +1,60 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Poly1305_32_H +#define __Hacl_Poly1305_32_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +extern uint32_t Hacl_Poly1305_32_blocklen; + +typedef uint64_t *Hacl_Poly1305_32_poly1305_ctx; + +void Hacl_Poly1305_32_poly1305_init(uint64_t *ctx, uint8_t *key); + +void Hacl_Poly1305_32_poly1305_update1(uint64_t *ctx, uint8_t *text); + +void Hacl_Poly1305_32_poly1305_update(uint64_t *ctx, uint32_t len, uint8_t *text); + +void Hacl_Poly1305_32_poly1305_finish(uint8_t *tag, uint8_t *key, uint64_t *ctx); + +void Hacl_Poly1305_32_poly1305_mac(uint8_t *tag, uint32_t len, uint8_t *text, uint8_t *key); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Poly1305_32_H_DEFINED +#endif diff --git a/include/Hacl_RSAPSS.h b/include/Hacl_RSAPSS.h new file mode 100644 index 00000000..1e7f4c5d --- /dev/null +++ b/include/Hacl_RSAPSS.h 
@@ -0,0 +1,117 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_RSAPSS_H +#define __Hacl_RSAPSS_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Spec.h" +#include "Hacl_Hash_SHA2.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +bool +Hacl_RSAPSS_rsapss_sign( + Spec_Hash_Definitions_hash_alg a, + uint32_t modBits, + uint32_t eBits, + uint32_t dBits, + uint64_t *skey, + uint32_t saltLen, + uint8_t *salt, + uint32_t msgLen, + uint8_t *msg, + uint8_t *sgnt +); + +bool +Hacl_RSAPSS_rsapss_verify( + Spec_Hash_Definitions_hash_alg a, + uint32_t modBits, + uint32_t eBits, + uint64_t *pkey, + uint32_t saltLen, + uint32_t sgntLen, + uint8_t *sgnt, + uint32_t msgLen, + uint8_t *msg +); + +uint64_t +*Hacl_RSAPSS_new_rsapss_load_pkey(uint32_t modBits, uint32_t eBits, uint8_t *nb, uint8_t *eb); + +uint64_t +*Hacl_RSAPSS_new_rsapss_load_skey( + uint32_t modBits, + uint32_t eBits, + uint32_t dBits, + uint8_t *nb, + uint8_t *eb, + uint8_t *db +); + +bool +Hacl_RSAPSS_rsapss_skey_sign( + Spec_Hash_Definitions_hash_alg a, + uint32_t modBits, + uint32_t eBits, + uint32_t dBits, + uint8_t *nb, + uint8_t *eb, + uint8_t *db, + uint32_t saltLen, + uint8_t *salt, + uint32_t msgLen, + uint8_t *msg, + uint8_t *sgnt +); + +bool +Hacl_RSAPSS_rsapss_pkey_verify( + Spec_Hash_Definitions_hash_alg a, + uint32_t modBits, + uint32_t eBits, + uint8_t *nb, + uint8_t *eb, + uint32_t saltLen, + uint32_t sgntLen, + uint8_t *sgnt, + uint32_t msgLen, + uint8_t *msg +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_RSAPSS_H_DEFINED +#endif diff --git a/include/Hacl_SHA2_Generic.h b/include/Hacl_SHA2_Generic.h new file mode 100644 index 00000000..d29978fe --- /dev/null +++ b/include/Hacl_SHA2_Generic.h 
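Review bot: `Hacl_RSAPSS_rsapss_sign` and `Hacl_RSAPSS_rsapss_verify` return `bool` with no statement of the preconditions on `modBits`, `eBits`, `dBits`, `saltLen`, `sgntLen` and `msgLen`, or of whether a `false` return means the signature was rejected or the parameters were unsupported; since callers will treat `false` as "invalid signature", this contract should be written above each declaration. `Hacl_RSAPSS_new_rsapss_load_pkey` and `Hacl_RSAPSS_new_rsapss_load_skey` hand back a `uint64_t *` whose ownership and failure mode are not stated (the `new_` prefix suggests a heap allocation that may return NULL, but the header does not say so), and nothing in this header tells the caller how to dispose of the loaded private key, which matters for wiping secret material; a comment such as `/* Returns a newly allocated key on success, NULL on failure; the caller owns it and must wipe and free it. */` (adjusted to the real behaviour) would make the lifetime explicit. As elsewhere in this series, the `kremlin/` includes suggest the header is generated, so the documentation belongs in the generator input.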
@@ -0,0 +1,135 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_SHA2_Generic_H +#define __Hacl_SHA2_Generic_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +static const +uint32_t +Hacl_Impl_SHA2_Generic_h224[8U] = + { + (uint32_t)0xc1059ed8U, (uint32_t)0x367cd507U, (uint32_t)0x3070dd17U, (uint32_t)0xf70e5939U, + (uint32_t)0xffc00b31U, (uint32_t)0x68581511U, (uint32_t)0x64f98fa7U, (uint32_t)0xbefa4fa4U + }; + +static const +uint32_t +Hacl_Impl_SHA2_Generic_h256[8U] = + { + (uint32_t)0x6a09e667U, (uint32_t)0xbb67ae85U, (uint32_t)0x3c6ef372U, (uint32_t)0xa54ff53aU, + (uint32_t)0x510e527fU, (uint32_t)0x9b05688cU, (uint32_t)0x1f83d9abU, (uint32_t)0x5be0cd19U + }; + +static const +uint64_t +Hacl_Impl_SHA2_Generic_h384[8U] = + { + (uint64_t)0xcbbb9d5dc1059ed8U, (uint64_t)0x629a292a367cd507U, (uint64_t)0x9159015a3070dd17U, + (uint64_t)0x152fecd8f70e5939U, (uint64_t)0x67332667ffc00b31U, (uint64_t)0x8eb44a8768581511U, + (uint64_t)0xdb0c2e0d64f98fa7U, (uint64_t)0x47b5481dbefa4fa4U + }; + +static const +uint64_t +Hacl_Impl_SHA2_Generic_h512[8U] = + { + (uint64_t)0x6a09e667f3bcc908U, (uint64_t)0xbb67ae8584caa73bU, (uint64_t)0x3c6ef372fe94f82bU, + (uint64_t)0xa54ff53a5f1d36f1U, (uint64_t)0x510e527fade682d1U, (uint64_t)0x9b05688c2b3e6c1fU, + (uint64_t)0x1f83d9abfb41bd6bU, (uint64_t)0x5be0cd19137e2179U + }; + +static const +uint32_t +Hacl_Impl_SHA2_Generic_k224_256[64U] = + { + (uint32_t)0x428a2f98U, (uint32_t)0x71374491U, (uint32_t)0xb5c0fbcfU, (uint32_t)0xe9b5dba5U, + (uint32_t)0x3956c25bU, (uint32_t)0x59f111f1U, (uint32_t)0x923f82a4U, (uint32_t)0xab1c5ed5U, + (uint32_t)0xd807aa98U, (uint32_t)0x12835b01U, (uint32_t)0x243185beU, (uint32_t)0x550c7dc3U, + (uint32_t)0x72be5d74U, (uint32_t)0x80deb1feU, (uint32_t)0x9bdc06a7U, (uint32_t)0xc19bf174U, + (uint32_t)0xe49b69c1U, (uint32_t)0xefbe4786U, (uint32_t)0x0fc19dc6U, 
(uint32_t)0x240ca1ccU, + (uint32_t)0x2de92c6fU, (uint32_t)0x4a7484aaU, (uint32_t)0x5cb0a9dcU, (uint32_t)0x76f988daU, + (uint32_t)0x983e5152U, (uint32_t)0xa831c66dU, (uint32_t)0xb00327c8U, (uint32_t)0xbf597fc7U, + (uint32_t)0xc6e00bf3U, (uint32_t)0xd5a79147U, (uint32_t)0x06ca6351U, (uint32_t)0x14292967U, + (uint32_t)0x27b70a85U, (uint32_t)0x2e1b2138U, (uint32_t)0x4d2c6dfcU, (uint32_t)0x53380d13U, + (uint32_t)0x650a7354U, (uint32_t)0x766a0abbU, (uint32_t)0x81c2c92eU, (uint32_t)0x92722c85U, + (uint32_t)0xa2bfe8a1U, (uint32_t)0xa81a664bU, (uint32_t)0xc24b8b70U, (uint32_t)0xc76c51a3U, + (uint32_t)0xd192e819U, (uint32_t)0xd6990624U, (uint32_t)0xf40e3585U, (uint32_t)0x106aa070U, + (uint32_t)0x19a4c116U, (uint32_t)0x1e376c08U, (uint32_t)0x2748774cU, (uint32_t)0x34b0bcb5U, + (uint32_t)0x391c0cb3U, (uint32_t)0x4ed8aa4aU, (uint32_t)0x5b9cca4fU, (uint32_t)0x682e6ff3U, + (uint32_t)0x748f82eeU, (uint32_t)0x78a5636fU, (uint32_t)0x84c87814U, (uint32_t)0x8cc70208U, + (uint32_t)0x90befffaU, (uint32_t)0xa4506cebU, (uint32_t)0xbef9a3f7U, (uint32_t)0xc67178f2U + }; + +static const +uint64_t +Hacl_Impl_SHA2_Generic_k384_512[80U] = + { + (uint64_t)0x428a2f98d728ae22U, (uint64_t)0x7137449123ef65cdU, (uint64_t)0xb5c0fbcfec4d3b2fU, + (uint64_t)0xe9b5dba58189dbbcU, (uint64_t)0x3956c25bf348b538U, (uint64_t)0x59f111f1b605d019U, + (uint64_t)0x923f82a4af194f9bU, (uint64_t)0xab1c5ed5da6d8118U, (uint64_t)0xd807aa98a3030242U, + (uint64_t)0x12835b0145706fbeU, (uint64_t)0x243185be4ee4b28cU, (uint64_t)0x550c7dc3d5ffb4e2U, + (uint64_t)0x72be5d74f27b896fU, (uint64_t)0x80deb1fe3b1696b1U, (uint64_t)0x9bdc06a725c71235U, + (uint64_t)0xc19bf174cf692694U, (uint64_t)0xe49b69c19ef14ad2U, (uint64_t)0xefbe4786384f25e3U, + (uint64_t)0x0fc19dc68b8cd5b5U, (uint64_t)0x240ca1cc77ac9c65U, (uint64_t)0x2de92c6f592b0275U, + (uint64_t)0x4a7484aa6ea6e483U, (uint64_t)0x5cb0a9dcbd41fbd4U, (uint64_t)0x76f988da831153b5U, + (uint64_t)0x983e5152ee66dfabU, (uint64_t)0xa831c66d2db43210U, (uint64_t)0xb00327c898fb213fU, + 
(uint64_t)0xbf597fc7beef0ee4U, (uint64_t)0xc6e00bf33da88fc2U, (uint64_t)0xd5a79147930aa725U, + (uint64_t)0x06ca6351e003826fU, (uint64_t)0x142929670a0e6e70U, (uint64_t)0x27b70a8546d22ffcU, + (uint64_t)0x2e1b21385c26c926U, (uint64_t)0x4d2c6dfc5ac42aedU, (uint64_t)0x53380d139d95b3dfU, + (uint64_t)0x650a73548baf63deU, (uint64_t)0x766a0abb3c77b2a8U, (uint64_t)0x81c2c92e47edaee6U, + (uint64_t)0x92722c851482353bU, (uint64_t)0xa2bfe8a14cf10364U, (uint64_t)0xa81a664bbc423001U, + (uint64_t)0xc24b8b70d0f89791U, (uint64_t)0xc76c51a30654be30U, (uint64_t)0xd192e819d6ef5218U, + (uint64_t)0xd69906245565a910U, (uint64_t)0xf40e35855771202aU, (uint64_t)0x106aa07032bbd1b8U, + (uint64_t)0x19a4c116b8d2d0c8U, (uint64_t)0x1e376c085141ab53U, (uint64_t)0x2748774cdf8eeb99U, + (uint64_t)0x34b0bcb5e19b48a8U, (uint64_t)0x391c0cb3c5c95a63U, (uint64_t)0x4ed8aa4ae3418acbU, + (uint64_t)0x5b9cca4f7763e373U, (uint64_t)0x682e6ff3d6b2b8a3U, (uint64_t)0x748f82ee5defb2fcU, + (uint64_t)0x78a5636f43172f60U, (uint64_t)0x84c87814a1f0ab72U, (uint64_t)0x8cc702081a6439ecU, + (uint64_t)0x90befffa23631e28U, (uint64_t)0xa4506cebde82bde9U, (uint64_t)0xbef9a3f7b2c67915U, + (uint64_t)0xc67178f2e372532bU, (uint64_t)0xca273eceea26619cU, (uint64_t)0xd186b8c721c0c207U, + (uint64_t)0xeada7dd6cde0eb1eU, (uint64_t)0xf57d4f7fee6ed178U, (uint64_t)0x06f067aa72176fbaU, + (uint64_t)0x0a637dc5a2c898a6U, (uint64_t)0x113f9804bef90daeU, (uint64_t)0x1b710b35131c471bU, + (uint64_t)0x28db77f523047d84U, (uint64_t)0x32caab7b40c72493U, (uint64_t)0x3c9ebe0a15c9bebcU, + (uint64_t)0x431d67c49c100d4cU, (uint64_t)0x4cc5d4becb3e42b6U, (uint64_t)0x597f299cfc657e2aU, + (uint64_t)0x5fcb6fab3ad6faecU, (uint64_t)0x6c44198c4a475817U + }; + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_SHA2_Generic_H_DEFINED +#endif diff --git a/include/Hacl_SHA2_Scalar32.h b/include/Hacl_SHA2_Scalar32.h new file mode 100644 index 00000000..56a407b6 --- /dev/null +++ b/include/Hacl_SHA2_Scalar32.h 
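Review bot: The SHA-2 initial-state and round-constant tables are defined `static const` directly in this header, so every translation unit that includes it (Hacl_SHA2_Scalar32.h, Hacl_SHA2_Vec128.h and Hacl_SHA2_Vec256.h all do) gets its own private copy; Hacl_SHA3.h in the same series uses the other convention, `extern const uint32_t Hacl_Impl_SHA3_keccak_rotc[24U];` with a single definition elsewhere. For consistency and to avoid duplicating the 64- and 80-entry tables per object, declare them here as `extern const uint32_t Hacl_Impl_SHA2_Generic_k224_256[64U];` (and likewise for the other five) and move the initialisers into one .c file. If the tables must stay in the header for inlining, a short comment saying so would stop the next reader from "fixing" it. This looks like generator output, so the change belongs upstream of the generated file.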
@@ -0,0 +1,55 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_SHA2_Scalar32_H +#define __Hacl_SHA2_Scalar32_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_SHA2_Generic.h" +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void Hacl_SHA2_Scalar32_sha224(uint8_t *dst, uint32_t input_len, uint8_t *input); + +void Hacl_SHA2_Scalar32_sha256(uint8_t *dst, uint32_t input_len, uint8_t *input); + +void Hacl_SHA2_Scalar32_sha384(uint8_t *dst, uint32_t input_len, uint8_t *input); + +void Hacl_SHA2_Scalar32_sha512(uint8_t *dst, uint32_t input_len, uint8_t *input); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_SHA2_Scalar32_H_DEFINED +#endif 
diff --git a/include/Hacl_SHA2_Vec128.h b/include/Hacl_SHA2_Vec128.h new file mode 100644 index 00000000..0f07e448 --- /dev/null +++ b/include/Hacl_SHA2_Vec128.h 
@@ -0,0 +1,73 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_SHA2_Vec128_H +#define __Hacl_SHA2_Vec128_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_SHA2_Generic.h" +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_SHA2_Vec128_sha224_4( + uint8_t *dst0, + uint8_t *dst1, + uint8_t *dst2, + uint8_t *dst3, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3 +); + +void +Hacl_SHA2_Vec128_sha256_4( + uint8_t *dst0, + uint8_t *dst1, + uint8_t *dst2, + uint8_t *dst3, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3 +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_SHA2_Vec128_H_DEFINED +#endif diff --git a/include/Hacl_SHA2_Vec256.h b/include/Hacl_SHA2_Vec256.h new file mode 100644 index 00000000..a2ba3c56 --- /dev/null +++ b/include/Hacl_SHA2_Vec256.h 
@@ -0,0 +1,115 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_SHA2_Vec256_H +#define __Hacl_SHA2_Vec256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_SHA2_Generic.h" +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_SHA2_Vec256_sha224_8( + uint8_t *dst0, + uint8_t *dst1, + uint8_t *dst2, + uint8_t *dst3, + uint8_t *dst4, + uint8_t *dst5, + uint8_t *dst6, + uint8_t *dst7, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3, + uint8_t *input4, + uint8_t *input5, + uint8_t *input6, + uint8_t *input7 +); + +void +Hacl_SHA2_Vec256_sha256_8( + uint8_t *dst0, + uint8_t *dst1, + uint8_t *dst2, + uint8_t *dst3, + uint8_t *dst4, + uint8_t *dst5, + uint8_t *dst6, + uint8_t *dst7, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3, + uint8_t *input4, + uint8_t *input5, + uint8_t *input6, + uint8_t *input7 +); + +void +Hacl_SHA2_Vec256_sha384_4( + uint8_t *dst0, + uint8_t *dst1, + uint8_t *dst2, + uint8_t *dst3, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3 +); + +void +Hacl_SHA2_Vec256_sha512_4( + uint8_t *dst0, + uint8_t *dst1, + uint8_t *dst2, + uint8_t *dst3, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3 +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_SHA2_Vec256_H_DEFINED +#endif diff --git a/include/Hacl_SHA3.h b/include/Hacl_SHA3.h new file mode 100644 index 00000000..1d40bad9 --- /dev/null +++ b/include/Hacl_SHA3.h 
@@ -0,0 +1,113 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_SHA3_H +#define __Hacl_SHA3_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Lib_Memzero0.h" +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +extern const uint32_t Hacl_Impl_SHA3_keccak_rotc[24U]; + +extern const uint32_t Hacl_Impl_SHA3_keccak_piln[24U]; + +extern const uint64_t Hacl_Impl_SHA3_keccak_rndc[24U]; + +uint64_t Hacl_Impl_SHA3_rotl(uint64_t a, uint32_t b); + +void Hacl_Impl_SHA3_state_permute(uint64_t *s); + +void Hacl_Impl_SHA3_loadState(uint32_t rateInBytes, uint8_t *input, uint64_t *s); + +void Hacl_Impl_SHA3_storeState(uint32_t rateInBytes, uint64_t *s, uint8_t *res); + +void +Hacl_Impl_SHA3_absorb( + uint64_t *s, + uint32_t rateInBytes, + uint32_t inputByteLen, + uint8_t *input, + uint8_t delimitedSuffix +); + +void +Hacl_Impl_SHA3_squeeze( + uint64_t *s, + uint32_t rateInBytes, + uint32_t outputByteLen, + uint8_t *output +); + +void +Hacl_Impl_SHA3_keccak( + uint32_t rate, + uint32_t capacity, + uint32_t inputByteLen, + uint8_t *input, + uint8_t delimitedSuffix, + uint32_t outputByteLen, + uint8_t *output +); + +void +Hacl_SHA3_shake128_hacl( + uint32_t inputByteLen, + uint8_t *input, + uint32_t outputByteLen, + uint8_t *output +); + +void +Hacl_SHA3_shake256_hacl( + uint32_t inputByteLen, + uint8_t *input, + uint32_t outputByteLen, + uint8_t *output +); + +void Hacl_SHA3_sha3_224(uint32_t inputByteLen, uint8_t *input, uint8_t *output); + +void Hacl_SHA3_sha3_256(uint32_t inputByteLen, uint8_t *input, uint8_t *output); + +void Hacl_SHA3_sha3_384(uint32_t inputByteLen, uint8_t *input, uint8_t *output); + +void Hacl_SHA3_sha3_512(uint32_t inputByteLen, uint8_t *input, uint8_t *output); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_SHA3_H_DEFINED +#endif 
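Review bot: The `Hacl_Impl_SHA3_*` declarations (`rotl`, `state_permute`, `loadState`, `storeState`, `absorb`, `squeeze`, `keccak`) are exported from the public header next to the `Hacl_SHA3_*` API with no indication that they are implementation entry points, and the constraints they rely on — the relationship between `rate`, `capacity` and `rateInBytes`, and the meaning of `delimitedSuffix` — are not stated, so a caller reaching for `Hacl_Impl_SHA3_keccak` directly has no way to know what inputs are valid. Add a comment before the first of them, e.g. `/* Hacl_Impl_SHA3_* are low-level building blocks; the supported API is Hacl_SHA3_* below. */`, and document the valid `rate`/`capacity` values on `Hacl_Impl_SHA3_keccak`. Whether `output` and `input` may overlap is likewise unstated for every function here.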
diff --git a/include/Hacl_Salsa20.h b/include/Hacl_Salsa20.h new file mode 100644 index 00000000..480eb900 --- /dev/null +++ b/include/Hacl_Salsa20.h 
@@ -0,0 +1,70 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Salsa20_H +#define __Hacl_Salsa20_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Salsa20_salsa20_encrypt( + uint32_t len, + uint8_t *out, + uint8_t *text, + uint8_t *key, + uint8_t *n, + uint32_t ctr +); + +void +Hacl_Salsa20_salsa20_decrypt( + uint32_t len, + uint8_t *out, + uint8_t *cipher, + uint8_t *key, + uint8_t *n, + uint32_t ctr +); + +void Hacl_Salsa20_salsa20_key_block0(uint8_t *out, uint8_t *key, uint8_t *n); + +void Hacl_Salsa20_hsalsa20(uint8_t *out, uint8_t *key, uint8_t *n); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Salsa20_H_DEFINED +#endif diff --git a/include/Hacl_Spec.h b/include/Hacl_Spec.h new file mode 100644 index 00000000..2c6693c6 --- /dev/null +++ b/include/Hacl_Spec.h 
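Review bot: None of the four Salsa20 declarations states the required sizes of `key`, `n` and `out`, that `len` bounds both `text` and `out`, or whether `out` may alias `text`/`cipher` for in-place use; for `Hacl_Salsa20_salsa20_key_block0` and `Hacl_Salsa20_hsalsa20` the output length is also left to the reader. A one-line comment above each function giving the byte sizes, e.g. `/* out: len bytes; key: <KEY_BYTES>; n: <NONCE_BYTES>; ctr: initial block counter */` with the placeholders replaced by the implementation's real sizes, would let callers size their buffers without reading the .c file. The `ctr` parameter's role as the starting block counter is also only implied by its name.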
@@ -0,0 +1,97 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Spec_H +#define __Hacl_Spec_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +#define Spec_Blake2_Blake2S 0 +#define Spec_Blake2_Blake2B 1 + +typedef uint8_t Spec_Blake2_alg; + +#define Spec_Hash_Definitions_SHA2_224 0 +#define Spec_Hash_Definitions_SHA2_256 1 +#define Spec_Hash_Definitions_SHA2_384 2 +#define Spec_Hash_Definitions_SHA2_512 3 +#define Spec_Hash_Definitions_SHA1 4 +#define Spec_Hash_Definitions_MD5 5 +#define Spec_Hash_Definitions_Blake2S 6 +#define Spec_Hash_Definitions_Blake2B 7 + +typedef uint8_t Spec_Hash_Definitions_hash_alg; + +#define Spec_FFDHE_FFDHE2048 0 +#define Spec_FFDHE_FFDHE3072 1 +#define Spec_FFDHE_FFDHE4096 2 +#define Spec_FFDHE_FFDHE6144 3 +#define Spec_FFDHE_FFDHE8192 4 + +typedef uint8_t Spec_FFDHE_ffdhe_alg; + +#define Spec_Agile_Cipher_AES128 0 +#define Spec_Agile_Cipher_AES256 1 +#define Spec_Agile_Cipher_CHACHA20 2 + +typedef uint8_t Spec_Agile_Cipher_cipher_alg; + +#define Spec_Cipher_Expansion_Hacl_CHACHA20 0 +#define Spec_Cipher_Expansion_Vale_AES128 1 +#define Spec_Cipher_Expansion_Vale_AES256 2 + +typedef uint8_t Spec_Cipher_Expansion_impl; + +#define Spec_Agile_AEAD_AES128_GCM 0 +#define Spec_Agile_AEAD_AES256_GCM 1 +#define Spec_Agile_AEAD_CHACHA20_POLY1305 2 +#define Spec_Agile_AEAD_AES128_CCM 3 +#define Spec_Agile_AEAD_AES256_CCM 4 +#define Spec_Agile_AEAD_AES128_CCM8 5 +#define Spec_Agile_AEAD_AES256_CCM8 6 + +typedef uint8_t Spec_Agile_AEAD_alg; + +#define Spec_Frodo_Params_SHAKE128 0 +#define Spec_Frodo_Params_AES128 1 + +typedef uint8_t Spec_Frodo_Params_frodo_gen_a; + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Spec_H_DEFINED +#endif diff --git a/include/Hacl_Streaming_Blake2.h b/include/Hacl_Streaming_Blake2.h new file mode 100644 index 00000000..c64b8545 --- /dev/null 
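Review bot: Each algorithm selector (`Spec_Hash_Definitions_hash_alg`, `Spec_Agile_AEAD_alg`, `Spec_Agile_Cipher_cipher_alg`, ...) is a `typedef uint8_t` paired with a run of `#define`s, so the type accepts any `uint8_t` and nothing at compile time stops a caller passing a value outside the defined set; what the implementations do with such a value is not visible here. If the `uint8_t` width is fixed for ABI reasons (likely, given the generator), at least add a comment after each typedef, e.g. `/* Only the Spec_Hash_Definitions_* values above are valid; the type does not enforce the range. */`, so that API users validate the value before passing it through. The values are also ordered differently per family (SHA2 first for hashes, AES first for AEAD), which is worth stating is deliberate and stable if anything serialises them.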
+++ b/include/Hacl_Streaming_Blake2.h 
@@ -0,0 +1,149 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Streaming_Blake2_H +#define __Hacl_Streaming_Blake2_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Spec.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Hash_Blake2.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_alg a, Hacl_Impl_Blake2_Core_m_spec m); + +typedef struct Hacl_Streaming_Blake2_blake2s_32_block_state_s +{ + uint32_t *fst; + uint32_t *snd; +} +Hacl_Streaming_Blake2_blake2s_32_block_state; + +typedef struct Hacl_Streaming_Blake2_blake2s_32_state_s +{ + Hacl_Streaming_Blake2_blake2s_32_block_state block_state; + uint8_t *buf; + uint64_t total_len; +} +Hacl_Streaming_Blake2_blake2s_32_state; + +/* + State allocation function when there is no key +*/ +Hacl_Streaming_Blake2_blake2s_32_state *Hacl_Streaming_Blake2_blake2s_32_no_key_create_in(); + +/* + (Re-)initialization function when there is no key +*/ +void Hacl_Streaming_Blake2_blake2s_32_no_key_init(Hacl_Streaming_Blake2_blake2s_32_state *s1); + +/* + Update function when there is no key +*/ +void +Hacl_Streaming_Blake2_blake2s_32_no_key_update( + Hacl_Streaming_Blake2_blake2s_32_state *p, + uint8_t *data, + uint32_t len +); + +/* + Finish function when there is no key +*/ +void +Hacl_Streaming_Blake2_blake2s_32_no_key_finish( + Hacl_Streaming_Blake2_blake2s_32_state *p, + uint8_t *dst +); + +/* + Free state function when there is no key +*/ +void Hacl_Streaming_Blake2_blake2s_32_no_key_free(Hacl_Streaming_Blake2_blake2s_32_state *s1); + +typedef struct Hacl_Streaming_Blake2_blake2b_32_block_state_s +{ + uint64_t *fst; + uint64_t *snd; +} +Hacl_Streaming_Blake2_blake2b_32_block_state; + +typedef struct Hacl_Streaming_Blake2_blake2b_32_state_s +{ + Hacl_Streaming_Blake2_blake2b_32_block_state block_state; + uint8_t *buf; + uint64_t total_len; +} 
+Hacl_Streaming_Blake2_blake2b_32_state; + +/* + State allocation function when there is no key +*/ +Hacl_Streaming_Blake2_blake2b_32_state *Hacl_Streaming_Blake2_blake2b_32_no_key_create_in(); + +/* + (Re)-initialization function when there is no key +*/ +void Hacl_Streaming_Blake2_blake2b_32_no_key_init(Hacl_Streaming_Blake2_blake2b_32_state *s1); + +/* + Update function when there is no key +*/ +void +Hacl_Streaming_Blake2_blake2b_32_no_key_update( + Hacl_Streaming_Blake2_blake2b_32_state *p, + uint8_t *data, + uint32_t len +); + +/* + Finish function when there is no key +*/ +void +Hacl_Streaming_Blake2_blake2b_32_no_key_finish( + Hacl_Streaming_Blake2_blake2b_32_state *p, + uint8_t *dst +); + +/* + Free state function when there is no key +*/ +void Hacl_Streaming_Blake2_blake2b_32_no_key_free(Hacl_Streaming_Blake2_blake2b_32_state *s1); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Streaming_Blake2_H_DEFINED +#endif diff --git a/include/Hacl_Streaming_Blake2b_256.h b/include/Hacl_Streaming_Blake2b_256.h new file mode 100644 index 00000000..6d6e8c3a --- /dev/null +++ b/include/Hacl_Streaming_Blake2b_256.h 
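Review bot: `Hacl_Streaming_Blake2_blake2s_32_no_key_create_in()` and `Hacl_Streaming_Blake2_blake2b_32_no_key_create_in()` are declared with an empty parameter list, which in C11 is an unprototyped declaration that disables argument checking at call sites; they should read `Hacl_Streaming_Blake2_blake2s_32_state *Hacl_Streaming_Blake2_blake2s_32_no_key_create_in(void);` (and likewise for the blake2b variant). The same pattern appears in Hacl_Streaming_Blake2b_256.h and Hacl_Streaming_Blake2s_128.h. The comments on the create/free functions also leave open whether `create_in` can return NULL on allocation failure and whether the state is usable after `finish`, which is exactly what a caller of a streaming API needs to know; `Hacl_Streaming_Blake2_blocks_state_len` has no comment at all. Since this header carries `kremlin/` includes, the fix presumably belongs in the generator input.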
@@ -0,0 +1,106 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Streaming_Blake2b_256_H +#define __Hacl_Streaming_Blake2b_256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Streaming_Blake2.h" +#include "Hacl_Spec.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Hash_Blake2b_256.h" +#include "Hacl_Hash_Blake2.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef struct Hacl_Streaming_Blake2b_256_blake2b_256_block_state_s +{ + Lib_IntVector_Intrinsics_vec256 *fst; + Lib_IntVector_Intrinsics_vec256 *snd; +} +Hacl_Streaming_Blake2b_256_blake2b_256_block_state; + +typedef struct Hacl_Streaming_Blake2b_256_blake2b_256_state_s +{ + Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state; + uint8_t *buf; + uint64_t total_len; +} +Hacl_Streaming_Blake2b_256_blake2b_256_state; + +/* + State allocation function when there is no key +*/ +Hacl_Streaming_Blake2b_256_blake2b_256_state +*Hacl_Streaming_Blake2b_256_blake2b_256_no_key_create_in(); + +/* + (Re-)initialization function when there is no key +*/ +void +Hacl_Streaming_Blake2b_256_blake2b_256_no_key_init( + Hacl_Streaming_Blake2b_256_blake2b_256_state *s +); + +/* + Update function when there is no key +*/ +void +Hacl_Streaming_Blake2b_256_blake2b_256_no_key_update( + Hacl_Streaming_Blake2b_256_blake2b_256_state *p, + uint8_t *data, + uint32_t len +); + +/* + Finish function when there is no key +*/ +void +Hacl_Streaming_Blake2b_256_blake2b_256_no_key_finish( + Hacl_Streaming_Blake2b_256_blake2b_256_state *p, + uint8_t *dst +); + +/* + Free state function when there is no key +*/ +void +Hacl_Streaming_Blake2b_256_blake2b_256_no_key_free( + Hacl_Streaming_Blake2b_256_blake2b_256_state *s +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Streaming_Blake2b_256_H_DEFINED +#endif 
diff --git a/include/Hacl_Streaming_Blake2s_128.h b/include/Hacl_Streaming_Blake2s_128.h new file mode 100644 index 00000000..991b5ddc --- /dev/null +++ b/include/Hacl_Streaming_Blake2s_128.h 
@@ -0,0 +1,105 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Streaming_Blake2s_128_H +#define __Hacl_Streaming_Blake2s_128_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Streaming_Blake2.h" +#include "Hacl_Spec.h" +#include "Hacl_Hash_Blake2s_128.h" +#include "Hacl_Hash_Blake2.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef struct Hacl_Streaming_Blake2s_128_blake2s_128_block_state_s +{ + Lib_IntVector_Intrinsics_vec128 *fst; + Lib_IntVector_Intrinsics_vec128 *snd; +} +Hacl_Streaming_Blake2s_128_blake2s_128_block_state; + +typedef struct Hacl_Streaming_Blake2s_128_blake2s_128_state_s +{ + Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state; + uint8_t *buf; + uint64_t total_len; +} +Hacl_Streaming_Blake2s_128_blake2s_128_state; + +/* + State allocation function when there is no key +*/ +Hacl_Streaming_Blake2s_128_blake2s_128_state +*Hacl_Streaming_Blake2s_128_blake2s_128_no_key_create_in(); + +/* + (Re-)initialization function when there is no key +*/ +void +Hacl_Streaming_Blake2s_128_blake2s_128_no_key_init( + Hacl_Streaming_Blake2s_128_blake2s_128_state *s +); + +/* + Update function when there is no key +*/ +void +Hacl_Streaming_Blake2s_128_blake2s_128_no_key_update( + Hacl_Streaming_Blake2s_128_blake2s_128_state *p, + uint8_t *data, + uint32_t len +); + +/* + Finish function when there is no key +*/ +void +Hacl_Streaming_Blake2s_128_blake2s_128_no_key_finish( + Hacl_Streaming_Blake2s_128_blake2s_128_state *p, + uint8_t *dst +); + +/* + Free state function when there is no key +*/ +void +Hacl_Streaming_Blake2s_128_blake2s_128_no_key_free( + Hacl_Streaming_Blake2s_128_blake2s_128_state *s +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Streaming_Blake2s_128_H_DEFINED +#endif diff --git a/include/Hacl_Streaming_MD5.h b/include/Hacl_Streaming_MD5.h new file mode 100644 index 00000000..f8bb4ee4 
--- /dev/null
+++ b/include/Hacl_Streaming_MD5.h
@@ -0,0 +1,64 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Streaming_MD5_H +#define __Hacl_Streaming_MD5_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Streaming_SHA2.h" +#include "Hacl_Hash_MD5.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef Hacl_Streaming_SHA2_state_sha2_224 Hacl_Streaming_MD5_state_md5; + +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_MD5_legacy_create_in_md5(); + +void Hacl_Streaming_MD5_legacy_init_md5(Hacl_Streaming_SHA2_state_sha2_224 *s); + +void +Hacl_Streaming_MD5_legacy_update_md5( + Hacl_Streaming_SHA2_state_sha2_224 *p, + uint8_t *data, + uint32_t len +); + +void Hacl_Streaming_MD5_legacy_finish_md5(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst); + +void Hacl_Streaming_MD5_legacy_free_md5(Hacl_Streaming_SHA2_state_sha2_224 *s); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Streaming_MD5_H_DEFINED +#endif diff --git a/include/Hacl_Streaming_Poly1305_128.h b/include/Hacl_Streaming_Poly1305_128.h new file mode 100644 index 00000000..8e4bc864 --- /dev/null +++ b/include/Hacl_Streaming_Poly1305_128.h 
@@ -0,0 +1,76 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Streaming_Poly1305_128_H +#define __Hacl_Streaming_Poly1305_128_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Poly1305_128.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef struct Hacl_Streaming_Poly1305_128_poly1305_128_state_s +{ + Lib_IntVector_Intrinsics_vec128 *block_state; + uint8_t *buf; + uint64_t total_len; + uint8_t *p_key; +} +Hacl_Streaming_Poly1305_128_poly1305_128_state; + +Hacl_Streaming_Poly1305_128_poly1305_128_state +*Hacl_Streaming_Poly1305_128_create_in(uint8_t *k); + +void +Hacl_Streaming_Poly1305_128_init(uint8_t *k, Hacl_Streaming_Poly1305_128_poly1305_128_state *s); + +void +Hacl_Streaming_Poly1305_128_update( + Hacl_Streaming_Poly1305_128_poly1305_128_state *p, + uint8_t *data, + uint32_t len +); + +void +Hacl_Streaming_Poly1305_128_finish( + Hacl_Streaming_Poly1305_128_poly1305_128_state *p, + uint8_t *dst +); + +void Hacl_Streaming_Poly1305_128_free(Hacl_Streaming_Poly1305_128_poly1305_128_state *s); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Streaming_Poly1305_128_H_DEFINED +#endif diff --git a/include/Hacl_Streaming_Poly1305_256.h b/include/Hacl_Streaming_Poly1305_256.h new file mode 100644 index 00000000..2049d759 --- /dev/null +++ b/include/Hacl_Streaming_Poly1305_256.h 
@@ -0,0 +1,76 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Streaming_Poly1305_256_H +#define __Hacl_Streaming_Poly1305_256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Poly1305_256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef struct Hacl_Streaming_Poly1305_256_poly1305_256_state_s +{ + Lib_IntVector_Intrinsics_vec256 *block_state; + uint8_t *buf; + uint64_t total_len; + uint8_t *p_key; +} +Hacl_Streaming_Poly1305_256_poly1305_256_state; + +Hacl_Streaming_Poly1305_256_poly1305_256_state +*Hacl_Streaming_Poly1305_256_create_in(uint8_t *k); + +void +Hacl_Streaming_Poly1305_256_init(uint8_t *k, Hacl_Streaming_Poly1305_256_poly1305_256_state *s); + +void +Hacl_Streaming_Poly1305_256_update( + Hacl_Streaming_Poly1305_256_poly1305_256_state *p, + uint8_t *data, + uint32_t len +); + +void +Hacl_Streaming_Poly1305_256_finish( + Hacl_Streaming_Poly1305_256_poly1305_256_state *p, + uint8_t *dst +); + +void Hacl_Streaming_Poly1305_256_free(Hacl_Streaming_Poly1305_256_poly1305_256_state *s); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Streaming_Poly1305_256_H_DEFINED +#endif diff --git a/include/Hacl_Streaming_Poly1305_32.h b/include/Hacl_Streaming_Poly1305_32.h new file mode 100644 index 00000000..b08a73a5 --- /dev/null +++ b/include/Hacl_Streaming_Poly1305_32.h 
@@ -0,0 +1,75 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Streaming_Poly1305_32_H +#define __Hacl_Streaming_Poly1305_32_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Poly1305_32.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef struct Hacl_Streaming_Poly1305_32_poly1305_32_state_s +{ + uint64_t *block_state; + uint8_t *buf; + uint64_t total_len; + uint8_t *p_key; +} +Hacl_Streaming_Poly1305_32_poly1305_32_state; + +Hacl_Streaming_Poly1305_32_poly1305_32_state *Hacl_Streaming_Poly1305_32_create_in(uint8_t *k); + +void +Hacl_Streaming_Poly1305_32_init(uint8_t *k, Hacl_Streaming_Poly1305_32_poly1305_32_state *s); + +void +Hacl_Streaming_Poly1305_32_update( + Hacl_Streaming_Poly1305_32_poly1305_32_state *p, + uint8_t *data, + uint32_t len +); + +void +Hacl_Streaming_Poly1305_32_finish( + Hacl_Streaming_Poly1305_32_poly1305_32_state *p, + uint8_t *dst +); + +void Hacl_Streaming_Poly1305_32_free(Hacl_Streaming_Poly1305_32_poly1305_32_state *s); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Streaming_Poly1305_32_H_DEFINED +#endif diff --git a/include/Hacl_Streaming_SHA1.h b/include/Hacl_Streaming_SHA1.h new file mode 100644 index 00000000..b9d636b6 --- /dev/null +++ b/include/Hacl_Streaming_SHA1.h 
@@ -0,0 +1,65 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Streaming_SHA1_H +#define __Hacl_Streaming_SHA1_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Streaming_SHA2.h" +#include "Hacl_Hash_SHA1.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef Hacl_Streaming_SHA2_state_sha2_224 Hacl_Streaming_SHA1_state_sha1; + +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA1_legacy_create_in_sha1(); + +void Hacl_Streaming_SHA1_legacy_init_sha1(Hacl_Streaming_SHA2_state_sha2_224 *s); + +void +Hacl_Streaming_SHA1_legacy_update_sha1( + Hacl_Streaming_SHA2_state_sha2_224 *p, + uint8_t *data, + uint32_t len +); + +void +Hacl_Streaming_SHA1_legacy_finish_sha1(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst); + +void Hacl_Streaming_SHA1_legacy_free_sha1(Hacl_Streaming_SHA2_state_sha2_224 *s); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Streaming_SHA1_H_DEFINED +#endif diff --git a/include/Hacl_Streaming_SHA2.h b/include/Hacl_Streaming_SHA2.h new file mode 100644 index 00000000..377c2be1 --- /dev/null +++ b/include/Hacl_Streaming_SHA2.h 
@@ -0,0 +1,127 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Streaming_SHA2_H +#define __Hacl_Streaming_SHA2_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_Hash_SHA2.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef struct Hacl_Streaming_SHA2_state_sha2_224_s +{ + uint32_t *block_state; + uint8_t *buf; + uint64_t total_len; +} +Hacl_Streaming_SHA2_state_sha2_224; + +typedef Hacl_Streaming_SHA2_state_sha2_224 Hacl_Streaming_SHA2_state_sha2_256; + +typedef struct Hacl_Streaming_SHA2_state_sha2_384_s +{ + uint64_t *block_state; + uint8_t *buf; + uint64_t total_len; +} +Hacl_Streaming_SHA2_state_sha2_384; + +typedef Hacl_Streaming_SHA2_state_sha2_384 Hacl_Streaming_SHA2_state_sha2_512; + +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_224(); + +void Hacl_Streaming_SHA2_init_224(Hacl_Streaming_SHA2_state_sha2_224 *s); + +void +Hacl_Streaming_SHA2_update_224( + Hacl_Streaming_SHA2_state_sha2_224 *p, + uint8_t *data, + uint32_t len +); + +void Hacl_Streaming_SHA2_finish_224(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst); + +void Hacl_Streaming_SHA2_free_224(Hacl_Streaming_SHA2_state_sha2_224 *s); + +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_256(); + +void Hacl_Streaming_SHA2_init_256(Hacl_Streaming_SHA2_state_sha2_224 *s); + +void +Hacl_Streaming_SHA2_update_256( + Hacl_Streaming_SHA2_state_sha2_224 *p, + uint8_t *data, + uint32_t len +); + +void Hacl_Streaming_SHA2_finish_256(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst); + +void Hacl_Streaming_SHA2_free_256(Hacl_Streaming_SHA2_state_sha2_224 *s); + +Hacl_Streaming_SHA2_state_sha2_384 *Hacl_Streaming_SHA2_create_in_384(); + +void Hacl_Streaming_SHA2_init_384(Hacl_Streaming_SHA2_state_sha2_384 *s); + +void +Hacl_Streaming_SHA2_update_384( + Hacl_Streaming_SHA2_state_sha2_384 *p, + uint8_t *data, + 
uint32_t len +); + +void Hacl_Streaming_SHA2_finish_384(Hacl_Streaming_SHA2_state_sha2_384 *p, uint8_t *dst); + +void Hacl_Streaming_SHA2_free_384(Hacl_Streaming_SHA2_state_sha2_384 *s); + +Hacl_Streaming_SHA2_state_sha2_384 *Hacl_Streaming_SHA2_create_in_512(); + +void Hacl_Streaming_SHA2_init_512(Hacl_Streaming_SHA2_state_sha2_384 *s); + +void +Hacl_Streaming_SHA2_update_512( + Hacl_Streaming_SHA2_state_sha2_384 *p, + uint8_t *data, + uint32_t len +); + +void Hacl_Streaming_SHA2_finish_512(Hacl_Streaming_SHA2_state_sha2_384 *p, uint8_t *dst); + +void Hacl_Streaming_SHA2_free_512(Hacl_Streaming_SHA2_state_sha2_384 *s); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Streaming_SHA2_H_DEFINED +#endif diff --git a/include/Lib_Memzero0.h b/include/Lib_Memzero0.h new file mode 100644 index 00000000..978f2139 --- /dev/null +++ b/include/Lib_Memzero0.h 
@@ -0,0 +1,48 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Lib_Memzero0_H +#define __Lib_Memzero0_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +extern void Lib_Memzero0_memzero(void *x0, uint64_t x1); + +#if defined(__cplusplus) +} +#endif + +#define __Lib_Memzero0_H_DEFINED +#endif diff --git a/include/Lib_PrintBuffer.h b/include/Lib_PrintBuffer.h new file mode 100644 index 00000000..0d6a3ef3 --- /dev/null +++ b/include/Lib_PrintBuffer.h 
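Review bot: `extern void Lib_Memzero0_memzero(void *x0, uint64_t x1);` is the package's only secure-erase primitive and carries neither a comment nor meaningful parameter names, so a caller cannot tell from the header that this is the zeroization that must be used instead of a plain `memset` before freeing key material. Because the file looks KReMLin-generated (the `kremlin/` includes and the `x0`/`x1` naming), the contract is better placed in the hand-written implementation's header or the package documentation than here, along with a one-line comment such as `/* Zeroes len bytes at p; implemented so the compiler cannot elide the write — confirm against the implementation. */`. Whether the implementation actually guarantees non-elision is not visible in this hunk and should be verified.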
@@ -0,0 +1,56 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Lib_PrintBuffer_H +#define __Lib_PrintBuffer_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +extern void Lib_PrintBuffer_print_bytes(uint32_t len, uint8_t *buf); + +extern void Lib_PrintBuffer_print_compare(uint32_t len, uint8_t *buf0, uint8_t *buf1); + +extern void +Lib_PrintBuffer_print_compare_display(uint32_t len, const uint8_t *buf0, const uint8_t *buf1); + +extern bool +Lib_PrintBuffer_result_compare_display(uint32_t len, const uint8_t *buf0, const uint8_t *buf1); + +#if defined(__cplusplus) +} +#endif + +#define __Lib_PrintBuffer_H_DEFINED +#endif 
diff --git a/include/Lib_RandomBuffer_System.h b/include/Lib_RandomBuffer_System.h
new file mode 100644
index 00000000..7045e7bb
--- /dev/null
+++ b/include/Lib_RandomBuffer_System.h
@@ -0,0 +1,54 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Lib_RandomBuffer_System_H +#define __Lib_RandomBuffer_System_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +KRML_DEPRECATED("random_crypto") + +extern bool Lib_RandomBuffer_System_randombytes(uint8_t *buf, uint32_t len); + +extern void *Lib_RandomBuffer_System_entropy_p; + +extern void Lib_RandomBuffer_System_crypto_random(uint8_t *buf, uint32_t len); + +#if defined(__cplusplus) +} +#endif + +#define __Lib_RandomBuffer_System_H_DEFINED +#endif diff --git a/include/MerkleTree.h b/include/MerkleTree.h new file mode 100644 index 00000000..39692df7 --- /dev/null 
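Review bot: `extern void Lib_RandomBuffer_System_crypto_random(uint8_t *buf, uint32_t len);` returns nothing, so a caller has no way to learn that the system entropy source failed and `buf` was left unfilled, while the `bool`-returning `Lib_RandomBuffer_System_randombytes` it supersedes is marked `KRML_DEPRECATED("random_crypto")` and the header says nothing about what `crypto_random` does on failure (abort, retry, or silently return). Since this header appears KReMLin-generated, the failure contract belongs in the implementation's header or the package docs, e.g. `/* Fills buf with len bytes from the OS CSPRNG; on an unavailable entropy source it aborts rather than returning — confirm against the implementation. */`. The exported global `extern void *Lib_RandomBuffer_System_entropy_p;` is likewise undocumented; if it is only touched by the implementation it should not be part of the public surface, which is a decision for the vendoring layer rather than the generated file.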
+++ b/include/MerkleTree.h 
@@ -0,0 +1,550 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __MerkleTree_H +#define __MerkleTree_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Spec.h" +#include "EverCrypt_Hash.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef struct LowStar_Vector_vector_str___uint8_t__s +{ + uint32_t sz; + uint32_t cap; + uint8_t **vs; +} +LowStar_Vector_vector_str___uint8_t_; + +typedef uint32_t hash_size_t; + +typedef uint64_t offset_t; + +typedef uint32_t index_t; + +typedef struct MerkleTree_Low_path_s +{ + uint32_t hash_size; + LowStar_Vector_vector_str___uint8_t_ hashes; +} +MerkleTree_Low_path; + +typedef MerkleTree_Low_path path; + +typedef MerkleTree_Low_path *path_p; + +typedef const MerkleTree_Low_path *const_path_p; + +typedef struct LowStar_Vector_vector_str__LowStar_Vector_vector_str___uint8_t__s +{ + uint32_t sz; + uint32_t cap; + LowStar_Vector_vector_str___uint8_t_ *vs; +} +LowStar_Vector_vector_str__LowStar_Vector_vector_str___uint8_t_; + +typedef struct MerkleTree_Low_merkle_tree_s +{ + uint32_t hash_size; + uint64_t offset; + uint32_t i; + uint32_t j; + LowStar_Vector_vector_str__LowStar_Vector_vector_str___uint8_t_ hs; + bool rhs_ok; + LowStar_Vector_vector_str___uint8_t_ rhs; + uint8_t *mroot; + void (*hash_fun)(uint8_t *x0, uint8_t *x1, uint8_t *x2); +} +MerkleTree_Low_merkle_tree; + +typedef MerkleTree_Low_merkle_tree merkle_tree; + +typedef MerkleTree_Low_merkle_tree *mt_p; + +typedef const MerkleTree_Low_merkle_tree *const_mt_p; + +/* + Constructor for hashes +*/ +uint8_t *mt_init_hash(uint32_t hash_size); + +/* + Destructor for hashes +*/ +void mt_free_hash(uint8_t *h); + +/* + Constructor for paths +*/ +MerkleTree_Low_path *mt_init_path(uint32_t hash_size); + +/* + Destructor for paths +*/ +void mt_free_path(MerkleTree_Low_path *path1); + +/* + Length of a path + + @param[in] p Path + + return The length of the path 
+*/ +uint32_t mt_get_path_length(const MerkleTree_Low_path *path1); + +/* + Insert hash into path + + @param[in] p Path + @param[in] hash Hash to insert +*/ +void mt_path_insert(MerkleTree_Low_path *path1, uint8_t *hash1); + +/* + Get step on a path + + @param[in] p Path + @param[in] i Path step index + + return The hash at step i of p +*/ +uint8_t *mt_get_path_step(const MerkleTree_Low_path *path1, uint32_t i); + +/* + Precondition predicate for mt_get_path_step +*/ +bool mt_get_path_step_pre(const MerkleTree_Low_path *path1, uint32_t i); + +/* + Construction with custom hash functions + + @param[in] hash_size Hash size (in bytes) + @param[in] i The initial hash + + return The new Merkle tree +*/ +MerkleTree_Low_merkle_tree +*mt_create_custom( + uint32_t hash_size, + uint8_t *i, + void (*hash_fun)(uint8_t *x0, uint8_t *x1, uint8_t *x2) +); + +/* + Destruction + + @param[in] mt The Merkle tree +*/ +void mt_free(MerkleTree_Low_merkle_tree *mt); + +/* + Insertion + + @param[in] mt The Merkle tree + @param[in] v The tree does not take ownership of the hash, it makes a copy of its content. + + Note: The content of the hash will be overwritten with an arbitrary value. +*/ +void mt_insert(MerkleTree_Low_merkle_tree *mt, uint8_t *v); + +/* + Precondition predicate for mt_insert +*/ +bool mt_insert_pre(const MerkleTree_Low_merkle_tree *mt, uint8_t *v); + +/* + Getting the Merkle root + + @param[in] mt The Merkle tree + @param[out] root The Merkle root +*/ +void mt_get_root(const MerkleTree_Low_merkle_tree *mt, uint8_t *root); + +/* + Precondition predicate for mt_get_root +*/ +bool mt_get_root_pre(const MerkleTree_Low_merkle_tree *mt, uint8_t *root); + +/* + Getting a Merkle path + + @param[in] mt The Merkle tree + @param[in] idx The index of the target hash + @param[out] path A resulting Merkle path that contains the leaf hash. 
+ @param[out] root The Merkle root + + return The number of elements in the tree + + Notes: + - The resulting path contains pointers to hashes in the tree, not copies of + the hash values. + - idx must be within the currently held indices in the tree (past the + last flush index). +*/ +uint32_t +mt_get_path( + const MerkleTree_Low_merkle_tree *mt, + uint64_t idx, + MerkleTree_Low_path *path1, + uint8_t *root +); + +/* + Precondition predicate for mt_get_path +*/ +bool +mt_get_path_pre( + const MerkleTree_Low_merkle_tree *mt, + uint64_t idx, + const MerkleTree_Low_path *path1, + uint8_t *root +); + +/* + Flush the Merkle tree + + @param[in] mt The Merkle tree +*/ +void mt_flush(MerkleTree_Low_merkle_tree *mt); + +/* + Precondition predicate for mt_flush +*/ +bool mt_flush_pre(const MerkleTree_Low_merkle_tree *mt); + +/* + Flush the Merkle tree up to a given index + + @param[in] mt The Merkle tree + @param[in] idx The index up to which to flush the tree +*/ +void mt_flush_to(MerkleTree_Low_merkle_tree *mt, uint64_t idx); + +/* + Precondition predicate for mt_flush_to +*/ +bool mt_flush_to_pre(const MerkleTree_Low_merkle_tree *mt, uint64_t idx); + +/* + Retract the Merkle tree down to a given index + + @param[in] mt The Merkle tree + @param[in] idx The index to retract the tree to + + Note: The element and idx will remain in the tree. +*/ +void mt_retract_to(MerkleTree_Low_merkle_tree *mt, uint64_t idx); + +/* + Precondition predicate for mt_retract_to +*/ +bool mt_retract_to_pre(const MerkleTree_Low_merkle_tree *mt, uint64_t idx); + +/* + Client-side verification + + @param[in] mt The Merkle tree + @param[in] tgt The index of the target hash + @param[in] max The maximum index + 1 of the tree when the path was generated + @param[in] path The Merkle path to verify + @param[in] root + + return true if the verification succeeded, false otherwise + + Note: max - tgt must be less than 2^32. 
+*/
+bool
+mt_verify(
+ const MerkleTree_Low_merkle_tree *mt,
+ uint64_t tgt,
+ uint64_t max,
+ const MerkleTree_Low_path *path1,
+ uint8_t *root
+);
+
+/*
+ Precondition predicate for mt_verify
+*/
+bool
+mt_verify_pre(
+ const MerkleTree_Low_merkle_tree *mt,
+ uint64_t tgt,
+ uint64_t max,
+ const MerkleTree_Low_path *path1,
+ uint8_t *root
+);
+
+/*
+ Serialization size
+
+ @param[in] mt The Merkle tree
+
+ return the number of bytes required to serialize the tree
+*/
+uint64_t mt_serialize_size(const MerkleTree_Low_merkle_tree *mt);
+
+/*
+ Merkle tree serialization
+
+ @param[in] mt The Merkle tree
+ @param[out] buf The buffer to serialize the tree into
+ @param[in] len Length of buf
+
+ return the number of bytes written
+
+ Note: buf must be a buffer of size mt_serialize_size(mt) or larger, but
+ smaller than 2^32 (larger buffers are currently not supported).
+*/
+uint64_t mt_serialize(const MerkleTree_Low_merkle_tree *mt, uint8_t *buf, uint64_t len);
+
+/*
+ Merkle tree deserialization
+
+ @param[in] expected_hash_size Expected hash size to match hash_fun
+ @param[in] buf The buffer to deserialize the tree from
+ @param[in] len Length of buf
+ @param[in] hash_fun Hash function
+
+ return pointer to the new tree if successful, NULL otherwise
+
+ Note: buf must point to an allocated buffer.
+*/
+MerkleTree_Low_merkle_tree
+*mt_deserialize(
+ const uint8_t *buf,
+ uint64_t len,
+ void (*hash_fun)(uint8_t *x0, uint8_t *x1, uint8_t *x2)
+);
+
+/*
+ Path serialization
+
+ @param[in] path The path
+ @param[out] buf The buffer to serialize the path into
+ @param[in] len Length of buf
+
+ return the number of bytes written
+*/
+uint64_t mt_serialize_path(const MerkleTree_Low_path *path1, uint8_t *buf, uint64_t len);
+
+/*
+ Path deserialization
+
+ @param[in] buf The buffer to deserialize the path from
+ @param[in] len Length of buf
+
+ return pointer to the new path if successful, NULL otherwise
+
+ Note: buf must point to an allocated buffer.
+*/
+MerkleTree_Low_path *mt_deserialize_path(const uint8_t *buf, uint64_t len);
+
+typedef MerkleTree_Low_merkle_tree *mt_p0;
+
+/*
+ Default hash function
+*/
+void mt_sha256_compress(uint8_t *src1, uint8_t *src2, uint8_t *dst);
+
+/*
+ Construction wired to sha256 from EverCrypt
+
+ @param[in] init The initial hash
+*/
+MerkleTree_Low_merkle_tree *mt_create(uint8_t *init);
+
+typedef uint32_t MerkleTree_Low_index_t;
+
+extern uint32_t MerkleTree_Low_uint32_32_max;
+
+extern uint64_t MerkleTree_Low_uint32_max;
+
+extern uint64_t MerkleTree_Low_uint64_max;
+
+extern uint64_t MerkleTree_Low_offset_range_limit;
+
+typedef uint64_t MerkleTree_Low_offset_t;
+
+extern uint32_t MerkleTree_Low_merkle_tree_size_lg;
+
+bool MerkleTree_Low_uu___is_MT(MerkleTree_Low_merkle_tree projectee);
+
+typedef MerkleTree_Low_merkle_tree *MerkleTree_Low_mt_p;
+
+typedef const MerkleTree_Low_merkle_tree *MerkleTree_Low_const_mt_p;
+
+bool
+MerkleTree_Low_merkle_tree_conditions(
+ uint64_t offset,
+ uint32_t i,
+ uint32_t j,
+ LowStar_Vector_vector_str__LowStar_Vector_vector_str___uint8_t_ hs,
+ bool rhs_ok,
+ LowStar_Vector_vector_str___uint8_t_ rhs,
+ uint8_t *mroot
+);
+
+uint32_t MerkleTree_Low_offset_of(uint32_t i);
+
+void MerkleTree_Low_mt_free(MerkleTree_Low_merkle_tree *mt);
+
+bool MerkleTree_Low_mt_insert_pre(const MerkleTree_Low_merkle_tree *mt, uint8_t *v);
+
+void MerkleTree_Low_mt_insert(MerkleTree_Low_merkle_tree *mt, uint8_t *v);
+
+MerkleTree_Low_merkle_tree
+*MerkleTree_Low_mt_create_custom(
+ uint32_t hsz,
+ uint8_t *init,
+ void (*hash_fun)(uint8_t *x0, uint8_t *x1, uint8_t *x2)
+);
+
+bool MerkleTree_Low_uu___is_Path(MerkleTree_Low_path projectee);
+
+typedef MerkleTree_Low_path *MerkleTree_Low_path_p;
+
+typedef const MerkleTree_Low_path *MerkleTree_Low_const_path_p;
+
+MerkleTree_Low_path *MerkleTree_Low_init_path(uint32_t hsz);
+
+void MerkleTree_Low_clear_path(MerkleTree_Low_path *p);
+
+void MerkleTree_Low_free_path(MerkleTree_Low_path *p);
+
+bool
MerkleTree_Low_mt_get_root_pre(const MerkleTree_Low_merkle_tree *mt, uint8_t *rt);
+
+void MerkleTree_Low_mt_get_root(const MerkleTree_Low_merkle_tree *mt, uint8_t *rt);
+
+void MerkleTree_Low_mt_path_insert(uint32_t hsz, MerkleTree_Low_path *p, uint8_t *hp);
+
+uint32_t MerkleTree_Low_mt_get_path_length(const MerkleTree_Low_path *p);
+
+bool MerkleTree_Low_mt_get_path_step_pre(const MerkleTree_Low_path *p, uint32_t i);
+
+uint8_t *MerkleTree_Low_mt_get_path_step(const MerkleTree_Low_path *p, uint32_t i);
+
+bool
+MerkleTree_Low_mt_get_path_pre(
+ const MerkleTree_Low_merkle_tree *mt,
+ uint64_t idx,
+ const MerkleTree_Low_path *p,
+ uint8_t *root
+);
+
+uint32_t
+MerkleTree_Low_mt_get_path(
+ const MerkleTree_Low_merkle_tree *mt,
+ uint64_t idx,
+ MerkleTree_Low_path *p,
+ uint8_t *root
+);
+
+bool MerkleTree_Low_mt_flush_to_pre(const MerkleTree_Low_merkle_tree *mt, uint64_t idx);
+
+void MerkleTree_Low_mt_flush_to(MerkleTree_Low_merkle_tree *mt, uint64_t idx);
+
+bool MerkleTree_Low_mt_flush_pre(const MerkleTree_Low_merkle_tree *mt);
+
+void MerkleTree_Low_mt_flush(MerkleTree_Low_merkle_tree *mt);
+
+bool MerkleTree_Low_mt_retract_to_pre(const MerkleTree_Low_merkle_tree *mt, uint64_t r);
+
+void MerkleTree_Low_mt_retract_to(MerkleTree_Low_merkle_tree *mt, uint64_t r);
+
+bool
+MerkleTree_Low_mt_verify_pre(
+ const MerkleTree_Low_merkle_tree *mt,
+ uint64_t k,
+ uint64_t j,
+ const MerkleTree_Low_path *p,
+ uint8_t *rt
+);
+
+bool
+MerkleTree_Low_mt_verify(
+ const MerkleTree_Low_merkle_tree *mt,
+ uint64_t k,
+ uint64_t j,
+ const MerkleTree_Low_path *p,
+ uint8_t *rt
+);
+
+typedef uint8_t MerkleTree_Low_Serialization_uint8_t;
+
+typedef uint16_t MerkleTree_Low_Serialization_uint16_t;
+
+typedef uint32_t MerkleTree_Low_Serialization_uint32_t;
+
+typedef uint64_t MerkleTree_Low_Serialization_uint64_t;
+
+typedef uint8_t *MerkleTree_Low_Serialization_uint8_p;
+
+typedef const uint8_t *MerkleTree_Low_Serialization_const_uint8_p;
+
+uint64_t
MerkleTree_Low_Serialization_mt_serialize_size(const MerkleTree_Low_merkle_tree *mt);
+
+uint64_t
+MerkleTree_Low_Serialization_mt_serialize(
+ const MerkleTree_Low_merkle_tree *mt,
+ uint8_t *output,
+ uint64_t sz
+);
+
+MerkleTree_Low_merkle_tree
+*MerkleTree_Low_Serialization_mt_deserialize(
+ const uint8_t *input,
+ uint64_t sz,
+ void (*hash_fun)(uint8_t *x0, uint8_t *x1, uint8_t *x2)
+);
+
+uint64_t
+MerkleTree_Low_Serialization_mt_serialize_path(
+ const MerkleTree_Low_path *p,
+ uint8_t *output,
+ uint64_t sz
+);
+
+MerkleTree_Low_path
+*MerkleTree_Low_Serialization_mt_deserialize_path(const uint8_t *input, uint64_t sz);
+
+uint8_t *MerkleTree_Low_Hashfunctions_init_hash(uint32_t hsz);
+
+void MerkleTree_Low_Hashfunctions_free_hash(uint8_t *h);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __MerkleTree_H_DEFINED
+#endif
diff --git a/include/TestLib.h b/include/TestLib.h
new file mode 100644
index 00000000..71e516e8
--- /dev/null
+++ b/include/TestLib.h
@@ -0,0 +1,91 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __TestLib_H
+#define __TestLib_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+extern void TestLib_touch(int32_t uu___);
+
+extern void TestLib_check(bool uu___);
+
+extern void TestLib_check8(int8_t uu___, int8_t uu___1);
+
+extern void TestLib_check16(int16_t uu___, int16_t uu___1);
+
+extern void TestLib_check32(int32_t uu___, int32_t uu___1);
+
+extern void TestLib_check64(int64_t uu___, int64_t uu___1);
+
+extern void TestLib_checku8(uint8_t uu___, uint8_t uu___1);
+
+extern void TestLib_checku16(uint16_t uu___, uint16_t uu___1);
+
+extern void TestLib_checku32(uint32_t uu___, uint32_t uu___1);
+
+extern void TestLib_checku64(uint64_t uu___, uint64_t uu___1);
+
+extern void TestLib_compare_and_print(C_String_t uu___, uint8_t *b1, uint8_t *b2, uint32_t l);
+
+extern uint8_t *TestLib_unsafe_malloc(uint32_t l);
+
+extern void TestLib_perr(uint32_t uu___);
+
+extern void TestLib_print_clock_diff(clock_t uu___, clock_t uu___1);
+
+KRML_DEPRECATED("p_null from TestLib; use LowStar.Buffer.null instead")
+
+extern uint8_t *TestLib_uint8_p_null;
+
+KRML_DEPRECATED("p_null from TestLib; use LowStar.Buffer.null instead")
+
+extern uint32_t *TestLib_uint32_p_null;
+
+KRML_DEPRECATED("p_null from TestLib; use LowStar.Buffer.null instead")
+
+extern uint64_t *TestLib_uint64_p_null;
+
+extern TestLib_cycles TestLib_cpucycles();
+
+extern void
+TestLib_print_cycles_per_round(TestLib_cycles uu___, TestLib_cycles uu___1, uint32_t uu___2);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __TestLib_H_DEFINED
+#endif
diff --git a/include/c89/EverCrypt_AEAD.h b/include/c89/EverCrypt_AEAD.h
new file mode 100644
index 00000000..1de457aa
--- /dev/null
+++ b/include/c89/EverCrypt_AEAD.h
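Review bot: `extern TestLib_cycles TestLib_cpucycles();` is a non-prototype declaration — in C an empty parameter list leaves the arguments unspecified, so a call that passes arguments is not diagnosed; `extern TestLib_cycles TestLib_cpucycles(void);` states the contract. The type `TestLib_cycles` is used on that line and again in `TestLib_print_cycles_per_round`, but no visible line of this header declares it, and `clock_t` and `C_String_t` likewise depend on headers that are not visibly included (the bare `#include` near the top of the file appears to have lost its angle-bracketed name in rendering, so part of this may be a display artefact rather than a defect in the file). The header looks generated (kremlin includes, `uu___` parameter names), so the fix belongs in the generator or the vendoring step rather than in a hand edit of this file.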
@@ -0,0 +1,276 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __EverCrypt_AEAD_H
+#define __EverCrypt_AEAD_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Spec.h"
+#include "EverCrypt_Error.h"
+#include "EverCrypt_Chacha20Poly1305.h"
+#include "EverCrypt_AutoConfig2.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+typedef struct EverCrypt_AEAD_state_s_s EverCrypt_AEAD_state_s;
+
+bool EverCrypt_AEAD_uu___is_Ek(Spec_Agile_AEAD_alg a, EverCrypt_AEAD_state_s projectee);
+
+Spec_Agile_AEAD_alg EverCrypt_AEAD_alg_of_state(EverCrypt_AEAD_state_s *s);
+
+EverCrypt_Error_error_code
+EverCrypt_AEAD_create_in(Spec_Agile_AEAD_alg a, EverCrypt_AEAD_state_s **dst, uint8_t *k);
+
+EverCrypt_Error_error_code
+EverCrypt_AEAD_encrypt(
+ EverCrypt_AEAD_state_s *s,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *plain,
+ uint32_t plain_len,
+ uint8_t *cipher,
+ uint8_t *tag
+);
+
+/*
+WARNING: this function doesn't perform any dynamic
+ hardware check. You MUST make sure your hardware supports the
+ implementation of AESGCM. Besides, this function was not designed
+ for cross-compilation: if you compile it on a system which doesn't
+ support Vale, it will compile it to a function which makes the
+ program exit.
+*/
+EverCrypt_Error_error_code
+EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check(
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *plain,
+ uint32_t plain_len,
+ uint8_t *cipher,
+ uint8_t *tag
+);
+
+/*
+WARNING: this function doesn't perform any dynamic
+ hardware check. You MUST make sure your hardware supports the
+ implementation of AESGCM. Besides, this function was not designed
+ for cross-compilation: if you compile it on a system which doesn't
+ support Vale, it will compile it to a function which makes the
+ program exit.
+*/
+EverCrypt_Error_error_code
+EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check(
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *plain,
+ uint32_t plain_len,
+ uint8_t *cipher,
+ uint8_t *tag
+);
+
+EverCrypt_Error_error_code
+EverCrypt_AEAD_encrypt_expand_aes128_gcm(
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *plain,
+ uint32_t plain_len,
+ uint8_t *cipher,
+ uint8_t *tag
+);
+
+EverCrypt_Error_error_code
+EverCrypt_AEAD_encrypt_expand_aes256_gcm(
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *plain,
+ uint32_t plain_len,
+ uint8_t *cipher,
+ uint8_t *tag
+);
+
+EverCrypt_Error_error_code
+EverCrypt_AEAD_encrypt_expand_chacha20_poly1305(
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *plain,
+ uint32_t plain_len,
+ uint8_t *cipher,
+ uint8_t *tag
+);
+
+EverCrypt_Error_error_code
+EverCrypt_AEAD_encrypt_expand(
+ Spec_Agile_AEAD_alg a,
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *plain,
+ uint32_t plain_len,
+ uint8_t *cipher,
+ uint8_t *tag
+);
+
+EverCrypt_Error_error_code
+EverCrypt_AEAD_decrypt(
+ EverCrypt_AEAD_state_s *s,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *cipher,
+ uint32_t cipher_len,
+ uint8_t *tag,
+ uint8_t *dst
+);
+
+/*
+WARNING: this function doesn't perform any dynamic
+ hardware check. You MUST make sure your hardware supports the
+ implementation of AESGCM. Besides, this function was not designed
+ for cross-compilation: if you compile it on a system which doesn't
+ support Vale, it will compile it to a function which makes the
+ program exit.
+*/
+EverCrypt_Error_error_code
+EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check(
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *cipher,
+ uint32_t cipher_len,
+ uint8_t *tag,
+ uint8_t *dst
+);
+
+/*
+WARNING: this function doesn't perform any dynamic
+ hardware check. You MUST make sure your hardware supports the
+ implementation of AESGCM. Besides, this function was not designed
+ for cross-compilation: if you compile it on a system which doesn't
+ support Vale, it will compile it to a function which makes the
+ program exit.
+*/
+EverCrypt_Error_error_code
+EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check(
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *cipher,
+ uint32_t cipher_len,
+ uint8_t *tag,
+ uint8_t *dst
+);
+
+EverCrypt_Error_error_code
+EverCrypt_AEAD_decrypt_expand_aes128_gcm(
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *cipher,
+ uint32_t cipher_len,
+ uint8_t *tag,
+ uint8_t *dst
+);
+
+EverCrypt_Error_error_code
+EverCrypt_AEAD_decrypt_expand_aes256_gcm(
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *cipher,
+ uint32_t cipher_len,
+ uint8_t *tag,
+ uint8_t *dst
+);
+
+EverCrypt_Error_error_code
+EverCrypt_AEAD_decrypt_expand_chacha20_poly1305(
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *cipher,
+ uint32_t cipher_len,
+ uint8_t *tag,
+ uint8_t *dst
+);
+
+EverCrypt_Error_error_code
+EverCrypt_AEAD_decrypt_expand(
+ Spec_Agile_AEAD_alg a,
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint8_t *ad,
+ uint32_t ad_len,
+ uint8_t *cipher,
+ uint32_t cipher_len,
+ uint8_t *tag,
+ uint8_t *dst
+);
+
+void EverCrypt_AEAD_free(EverCrypt_AEAD_state_s *s);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __EverCrypt_AEAD_H_DEFINED
+#endif
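Review bot: `EverCrypt_AEAD_decrypt` and the `EverCrypt_AEAD_decrypt_expand*` family carry no comment stating what `dst` holds when the returned `EverCrypt_Error_error_code` is not success, which is the one contract a caller of an AEAD must get right; the only comments in the file are the hardware-check warnings on the `_no_check` variants. The same gap exists on the encrypt side: neither direction documents the required sizes of `iv`, `tag` and `cipher`/`dst` relative to `plain_len`/`cipher_len`, nor which `Spec_Agile_AEAD_alg` values `create_in`, `encrypt_expand` and `decrypt_expand` accept. I would add above `EverCrypt_AEAD_decrypt` a comment such as `/* On any return value other than success the contents of dst are unspecified and must be discarded. */`, extended with a statement about whether the tag is verified before plaintext is written only if the implementation guarantees that ordering — the header does not show it, so confirm against the source first. The header appears generated (kremlin includes), so the comment should be added at the F* source rather than here.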
diff --git a/include/c89/EverCrypt_AutoConfig2.h b/include/c89/EverCrypt_AutoConfig2.h
new file mode 100644
index 00000000..fcef2832
--- /dev/null
+++ b/include/c89/EverCrypt_AutoConfig2.h
@@ -0,0 +1,118 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __EverCrypt_AutoConfig2_H
+#define __EverCrypt_AutoConfig2_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+bool EverCrypt_AutoConfig2_has_shaext();
+
+bool EverCrypt_AutoConfig2_has_aesni();
+
+bool EverCrypt_AutoConfig2_has_pclmulqdq();
+
+bool EverCrypt_AutoConfig2_has_avx2();
+
+bool EverCrypt_AutoConfig2_has_avx();
+
+bool EverCrypt_AutoConfig2_has_bmi2();
+
+bool EverCrypt_AutoConfig2_has_adx();
+
+bool EverCrypt_AutoConfig2_has_sse();
+
+bool EverCrypt_AutoConfig2_has_movbe();
+
+bool EverCrypt_AutoConfig2_has_rdrand();
+
+bool EverCrypt_AutoConfig2_has_avx512();
+
+KRML_DEPRECATED("")
+
+bool EverCrypt_AutoConfig2_wants_vale();
+
+bool EverCrypt_AutoConfig2_wants_hacl();
+
+bool EverCrypt_AutoConfig2_wants_openssl();
+
+bool EverCrypt_AutoConfig2_wants_bcrypt();
+
+void EverCrypt_AutoConfig2_recall();
+
+void EverCrypt_AutoConfig2_init();
+
+typedef void (*EverCrypt_AutoConfig2_disabler)();
+
+void EverCrypt_AutoConfig2_disable_avx2();
+
+void EverCrypt_AutoConfig2_disable_avx();
+
+void EverCrypt_AutoConfig2_disable_bmi2();
+
+void EverCrypt_AutoConfig2_disable_adx();
+
+void EverCrypt_AutoConfig2_disable_shaext();
+
+void EverCrypt_AutoConfig2_disable_aesni();
+
+void EverCrypt_AutoConfig2_disable_pclmulqdq();
+
+void EverCrypt_AutoConfig2_disable_sse();
+
+void EverCrypt_AutoConfig2_disable_movbe();
+
+void EverCrypt_AutoConfig2_disable_rdrand();
+
+void EverCrypt_AutoConfig2_disable_avx512();
+
+void EverCrypt_AutoConfig2_disable_vale();
+
+void EverCrypt_AutoConfig2_disable_hacl();
+
+void EverCrypt_AutoConfig2_disable_openssl();
+
+void EverCrypt_AutoConfig2_disable_bcrypt();
+
+bool EverCrypt_AutoConfig2_has_vec128();
+
+bool EverCrypt_AutoConfig2_has_vec256();
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define
__EverCrypt_AutoConfig2_H_DEFINED
+#endif
diff --git a/include/c89/EverCrypt_CTR.h b/include/c89/EverCrypt_CTR.h
new file mode 100644
index 00000000..10397d58
--- /dev/null
+++ b/include/c89/EverCrypt_CTR.h
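Review bot: Every function in this header is declared with an empty parameter list, e.g. `bool EverCrypt_AutoConfig2_has_shaext();`, which in C is a non-prototype declaration that accepts any arguments unchecked; for a header shipped under `include/c89/` the portable spelling is `bool EverCrypt_AutoConfig2_has_shaext(void);`, and the same applies to `typedef void (*EverCrypt_AutoConfig2_disabler)();` and to TestLib.h earlier in this diff. `KRML_DEPRECATED("")` on `EverCrypt_AutoConfig2_wants_vale` carries an empty message, so the deprecation warning gives callers nothing to migrate to. Nothing states whether `EverCrypt_AutoConfig2_init` must run before the `has_*` predicates are meaningful, or what they report before it runs, which is the usual contract question for a feature-detection API and matters because the `_no_check` AEAD entry points rely on the caller having done that detection; a one-line comment on `init` would settle it, but I cannot confirm the behaviour from this header. Since the file looks generated, the `(void)` change belongs in the generator's C89 output mode.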
@@ -0,0 +1,85 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __EverCrypt_CTR_H
+#define __EverCrypt_CTR_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Spec.h"
+#include "Hacl_Kremlib.h"
+#include "EverCrypt_Error.h"
+#include "EverCrypt_AutoConfig2.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+typedef struct EverCrypt_CTR_state_s_s EverCrypt_CTR_state_s;
+
+bool
+EverCrypt_CTR_uu___is_State(Spec_Agile_Cipher_cipher_alg a, EverCrypt_CTR_state_s projectee);
+
+typedef uint8_t EverCrypt_CTR_uint8;
+
+uint8_t EverCrypt_CTR_xor8(uint8_t a, uint8_t b);
+
+typedef void *EverCrypt_CTR_e_alg;
+
+Spec_Agile_Cipher_cipher_alg EverCrypt_CTR_alg_of_state(EverCrypt_CTR_state_s *s);
+
+EverCrypt_Error_error_code
+EverCrypt_CTR_create_in(
+ Spec_Agile_Cipher_cipher_alg a,
+ EverCrypt_CTR_state_s **dst,
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint32_t c
+);
+
+void
+EverCrypt_CTR_init(
+ EverCrypt_CTR_state_s *p,
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint32_t c
+);
+
+void EverCrypt_CTR_update_block(EverCrypt_CTR_state_s *p, uint8_t *dst, uint8_t *src);
+
+void EverCrypt_CTR_free(EverCrypt_CTR_state_s *p);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __EverCrypt_CTR_H_DEFINED
+#endif
diff --git a/include/c89/EverCrypt_Chacha20Poly1305.h b/include/c89/EverCrypt_Chacha20Poly1305.h
new file mode 100644
index 00000000..52706f75
--- /dev/null
+++ b/include/c89/EverCrypt_Chacha20Poly1305.h
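Review bot: `EverCrypt_CTR_update_block` takes `dst` and `src` with no length and no comment, so the block size and whether each call advances the internal counter are unstated, and `EverCrypt_CTR_create_in`/`EverCrypt_CTR_init` do not document the accepted `iv_len` values or what happens when the 32-bit counter `c` wraps — the points a caller of a raw CTR primitive needs in order to avoid keystream reuse. I would expect a comment on `update_block` such as `/* Encrypts one block of the underlying cipher from src into dst and advances the internal counter. */`, worded to match what the implementation actually does, which this header does not show. `EverCrypt_CTR_xor8` and `typedef void *EverCrypt_CTR_e_alg` look like implementation details that leaked into the public API surface; if the generator allows it, keeping them out of the header would shrink what has to be kept stable. The file appears generated, so these are inputs for the F* source or the extraction configuration.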
@@ -0,0 +1,73 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __EverCrypt_Chacha20Poly1305_H
+#define __EverCrypt_Chacha20Poly1305_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Chacha20Poly1305_32.h"
+#include "Hacl_Chacha20Poly1305_256.h"
+#include "Hacl_Chacha20Poly1305_128.h"
+#include "EverCrypt_AutoConfig2.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+EverCrypt_Chacha20Poly1305_aead_encrypt(
+ uint8_t *k,
+ uint8_t *n,
+ uint32_t aadlen,
+ uint8_t *aad,
+ uint32_t mlen,
+ uint8_t *m,
+ uint8_t *cipher,
+ uint8_t *tag
+);
+
+uint32_t
+EverCrypt_Chacha20Poly1305_aead_decrypt(
+ uint8_t *k,
+ uint8_t *n,
+ uint32_t aadlen,
+ uint8_t *aad,
+ uint32_t mlen,
+ uint8_t *m,
+ uint8_t *cipher,
+ uint8_t *tag
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __EverCrypt_Chacha20Poly1305_H_DEFINED
+#endif
diff --git a/include/c89/EverCrypt_Cipher.h b/include/c89/EverCrypt_Cipher.h
new file mode 100644
index 00000000..75a37e6e
--- /dev/null
+++ b/include/c89/EverCrypt_Cipher.h
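Review bot: `EverCrypt_Chacha20Poly1305_aead_decrypt` returns `uint32_t` with no comment giving the meaning of the value, and nothing says whether `m` is written before the tag check completes, so a caller cannot tell from this header when `m` may safely be used. The sizes of `k`, `n` and `tag` are likewise undocumented, as is whether `cipher` may alias `m`; note also that here the plaintext parameter is `m` and the ciphertext is `cipher` in both directions, the reverse of the `dst` convention in EverCrypt_AEAD.h, which is easy to get wrong when switching between the two headers. I would add above the declaration `/* Returns 0 on success; on any other value the tag did not verify and m must be discarded. */`, provided the implementation really uses 0 for success — the header does not show the convention, so check the source first. The file looks generated from F*, so the comment should be added at the source.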
@@ -0,0 +1,56 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __EverCrypt_Cipher_H
+#define __EverCrypt_Cipher_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+EverCrypt_Cipher_chacha20(
+ uint32_t len,
+ uint8_t *dst,
+ uint8_t *src,
+ uint8_t *key,
+ uint8_t *iv,
+ uint32_t ctr
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __EverCrypt_Cipher_H_DEFINED
+#endif
diff --git a/include/c89/EverCrypt_Curve25519.h b/include/c89/EverCrypt_Curve25519.h
new file mode 100644
index 00000000..850694de
--- /dev/null
+++ b/include/c89/EverCrypt_Curve25519.h
@@ -0,0 +1,54 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __EverCrypt_Curve25519_H
+#define __EverCrypt_Curve25519_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Curve25519_64.h"
+#include "Hacl_Curve25519_51.h"
+#include "EverCrypt_AutoConfig2.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void EverCrypt_Curve25519_secret_to_public(uint8_t *pub, uint8_t *priv);
+
+void EverCrypt_Curve25519_scalarmult(uint8_t *shared, uint8_t *my_priv, uint8_t *their_pub);
+
+bool EverCrypt_Curve25519_ecdh(uint8_t *shared, uint8_t *my_priv, uint8_t *their_pub);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __EverCrypt_Curve25519_H_DEFINED
+#endif
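Review bot: `EverCrypt_Curve25519_ecdh` returns `bool` while `EverCrypt_Curve25519_scalarmult` returns `void`, and nothing documents what a `false` result means or that `shared` must not be used when it is returned; presumably `ecdh` rejects a degenerate shared secret, but the header does not say so, and a caller who picks `scalarmult` because it looks simpler loses that check silently. I would add above `ecdh` a comment along the lines of `/* Returns false if the resulting shared secret is rejected; shared must then be discarded. Use this rather than scalarmult for key agreement. */`, worded to match what the implementation actually checks. Buffer sizes for `pub`, `priv`, `shared`, `my_priv` and `their_pub` are also unstated (32 bytes each if this is X25519 — confirm before documenting), and none of the input pointers is `const`-qualified, which the generator may not support in its C89 mode.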
diff --git a/include/c89/EverCrypt_DRBG.h b/include/c89/EverCrypt_DRBG.h
new file mode 100644
index 00000000..a40a93a8
--- /dev/null
+++ b/include/c89/EverCrypt_DRBG.h
@@ -0,0 +1,224 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __EverCrypt_DRBG_H +#define __EverCrypt_DRBG_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Lib_RandomBuffer_System.h" +#include "Lib_Memzero0.h" +#include "Hacl_Spec.h" +#include "Hacl_HMAC_DRBG.h" +#include "EverCrypt_HMAC.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef Spec_Hash_Definitions_hash_alg EverCrypt_DRBG_supported_alg; + +extern uint32_t EverCrypt_DRBG_reseed_interval; + +extern uint32_t EverCrypt_DRBG_max_output_length; + +extern uint32_t EverCrypt_DRBG_max_length; + +extern uint32_t EverCrypt_DRBG_max_personalization_string_length; + +extern uint32_t EverCrypt_DRBG_max_additional_input_length; + +uint32_t EverCrypt_DRBG_min_length(Spec_Hash_Definitions_hash_alg a); + +#define EverCrypt_DRBG_SHA1_s 0 +#define EverCrypt_DRBG_SHA2_256_s 1 +#define EverCrypt_DRBG_SHA2_384_s 2 +#define EverCrypt_DRBG_SHA2_512_s 3 + +typedef uint8_t EverCrypt_DRBG_state_s_tags; + +typedef struct EverCrypt_DRBG_state_s_s EverCrypt_DRBG_state_s; + +bool +EverCrypt_DRBG_uu___is_SHA1_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +); + +bool +EverCrypt_DRBG_uu___is_SHA2_256_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +); + +bool +EverCrypt_DRBG_uu___is_SHA2_384_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +); + +bool +EverCrypt_DRBG_uu___is_SHA2_512_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +); + +EverCrypt_DRBG_state_s *EverCrypt_DRBG_create(Spec_Hash_Definitions_hash_alg a); + +bool +EverCrypt_DRBG_instantiate_sha1( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t personalization_string_len +); + +bool +EverCrypt_DRBG_instantiate_sha2_256( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t 
personalization_string_len +); + +bool +EverCrypt_DRBG_instantiate_sha2_384( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t personalization_string_len +); + +bool +EverCrypt_DRBG_instantiate_sha2_512( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t personalization_string_len +); + +bool +EverCrypt_DRBG_reseed_sha1( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +); + +bool +EverCrypt_DRBG_reseed_sha2_256( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +); + +bool +EverCrypt_DRBG_reseed_sha2_384( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +); + +bool +EverCrypt_DRBG_reseed_sha2_512( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +); + +bool +EverCrypt_DRBG_generate_sha1( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +); + +bool +EverCrypt_DRBG_generate_sha2_256( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +); + +bool +EverCrypt_DRBG_generate_sha2_384( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +); + +bool +EverCrypt_DRBG_generate_sha2_512( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +); + +void EverCrypt_DRBG_uninstantiate_sha1(EverCrypt_DRBG_state_s *st); + +void EverCrypt_DRBG_uninstantiate_sha2_256(EverCrypt_DRBG_state_s *st); + +void EverCrypt_DRBG_uninstantiate_sha2_384(EverCrypt_DRBG_state_s *st); + +void EverCrypt_DRBG_uninstantiate_sha2_512(EverCrypt_DRBG_state_s *st); + +bool +EverCrypt_DRBG_instantiate( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t personalization_string_len +); + 
+bool +EverCrypt_DRBG_reseed( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +); + +bool +EverCrypt_DRBG_generate( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +); + +void EverCrypt_DRBG_uninstantiate(EverCrypt_DRBG_state_s *st); + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_DRBG_H_DEFINED +#endif diff --git a/include/c89/EverCrypt_Ed25519.h b/include/c89/EverCrypt_Ed25519.h new file mode 100644 index 00000000..81c1ca7a --- /dev/null +++ b/include/c89/EverCrypt_Ed25519.h 
@@ -0,0 +1,57 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __EverCrypt_Ed25519_H +#define __EverCrypt_Ed25519_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Ed25519.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void EverCrypt_Ed25519_sign(uint8_t *signature, uint8_t *secret, uint32_t len, uint8_t *msg); + +bool EverCrypt_Ed25519_verify(uint8_t *pubkey, uint32_t len, uint8_t *msg, uint8_t *signature); + +void EverCrypt_Ed25519_secret_to_public(uint8_t *output, uint8_t *secret); + +void EverCrypt_Ed25519_expand_keys(uint8_t *ks, uint8_t *secret); + +void +EverCrypt_Ed25519_sign_expanded(uint8_t *signature, uint8_t *ks, uint32_t len, uint8_t *msg); + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_Ed25519_H_DEFINED +#endif diff --git a/include/c89/EverCrypt_Error.h b/include/c89/EverCrypt_Error.h new file mode 100644 index 00000000..8556d509 --- /dev/null +++ b/include/c89/EverCrypt_Error.h 
@@ -0,0 +1,67 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __EverCrypt_Error_H +#define __EverCrypt_Error_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +#define EverCrypt_Error_Success 0 +#define EverCrypt_Error_UnsupportedAlgorithm 1 +#define EverCrypt_Error_InvalidKey 2 +#define EverCrypt_Error_AuthenticationFailure 3 +#define EverCrypt_Error_InvalidIVLength 4 +#define EverCrypt_Error_DecodeError 5 + +typedef uint8_t EverCrypt_Error_error_code; + +bool EverCrypt_Error_uu___is_Success(EverCrypt_Error_error_code projectee); + +bool EverCrypt_Error_uu___is_UnsupportedAlgorithm(EverCrypt_Error_error_code projectee); + +bool EverCrypt_Error_uu___is_InvalidKey(EverCrypt_Error_error_code projectee); + +bool EverCrypt_Error_uu___is_AuthenticationFailure(EverCrypt_Error_error_code projectee); + +bool EverCrypt_Error_uu___is_InvalidIVLength(EverCrypt_Error_error_code projectee); + +bool EverCrypt_Error_uu___is_DecodeError(EverCrypt_Error_error_code projectee); + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_Error_H_DEFINED +#endif diff --git a/include/c89/EverCrypt_HKDF.h b/include/c89/EverCrypt_HKDF.h new file mode 100644 index 00000000..3f51c207 --- /dev/null +++ b/include/c89/EverCrypt_HKDF.h 
@@ -0,0 +1,207 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __EverCrypt_HKDF_H +#define __EverCrypt_HKDF_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Spec.h" +#include "EverCrypt_HMAC.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +EverCrypt_HKDF_expand_sha1( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +EverCrypt_HKDF_extract_sha1( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +void +EverCrypt_HKDF_expand_sha2_256( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +EverCrypt_HKDF_extract_sha2_256( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +void +EverCrypt_HKDF_expand_sha2_384( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +EverCrypt_HKDF_extract_sha2_384( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +void +EverCrypt_HKDF_expand_sha2_512( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +EverCrypt_HKDF_extract_sha2_512( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +void +EverCrypt_HKDF_expand_blake2s( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +EverCrypt_HKDF_extract_blake2s( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +void +EverCrypt_HKDF_expand_blake2b( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +EverCrypt_HKDF_extract_blake2b( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + 
uint8_t *ikm, + uint32_t ikmlen +); + +void +EverCrypt_HKDF_expand( + Spec_Hash_Definitions_hash_alg a, + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +EverCrypt_HKDF_extract( + Spec_Hash_Definitions_hash_alg a, + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +KRML_DEPRECATED("expand") + +void +EverCrypt_HKDF_hkdf_expand( + Spec_Hash_Definitions_hash_alg a, + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +KRML_DEPRECATED("extract") + +void +EverCrypt_HKDF_hkdf_extract( + Spec_Hash_Definitions_hash_alg a, + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_HKDF_H_DEFINED +#endif diff --git a/include/c89/EverCrypt_HMAC.h b/include/c89/EverCrypt_HMAC.h new file mode 100644 index 00000000..7c882f4a --- /dev/null +++ b/include/c89/EverCrypt_HMAC.h 
@@ -0,0 +1,119 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __EverCrypt_HMAC_H +#define __EverCrypt_HMAC_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Spec.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Impl_Blake2_Constants.h" +#include "Hacl_Hash_SHA2.h" +#include "Hacl_Hash_SHA1.h" +#include "EverCrypt_Hash.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +EverCrypt_HMAC_compute_sha1( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +void +EverCrypt_HMAC_compute_sha2_256( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +void +EverCrypt_HMAC_compute_sha2_384( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +void +EverCrypt_HMAC_compute_sha2_512( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +void +EverCrypt_HMAC_compute_blake2s( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +void +EverCrypt_HMAC_compute_blake2b( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +bool EverCrypt_HMAC_is_supported_alg(Spec_Hash_Definitions_hash_alg uu___); + +typedef Spec_Hash_Definitions_hash_alg EverCrypt_HMAC_supported_alg; + +void +EverCrypt_HMAC_compute( + Spec_Hash_Definitions_hash_alg a, + uint8_t *mac, + uint8_t *key, + uint32_t keylen, + uint8_t *data, + uint32_t datalen +); + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_HMAC_H_DEFINED +#endif diff --git a/include/c89/EverCrypt_Hacl.h b/include/c89/EverCrypt_Hacl.h new file mode 100644 index 00000000..1e9cba4c --- /dev/null +++ b/include/c89/EverCrypt_Hacl.h 
@@ -0,0 +1,72 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __EverCrypt_Hacl_H +#define __EverCrypt_Hacl_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +#define EverCrypt_Hacl_aes128_mk_sbox Crypto_Symmetric_AES128_mk_sbox + +extern void EverCrypt_Hacl_aes128_mk_sbox(uint8_t *sb); + +#define EverCrypt_Hacl_aes128_keyExpansion Crypto_Symmetric_AES128_keyExpansion + +extern void EverCrypt_Hacl_aes128_keyExpansion(uint8_t *key, uint8_t *w, uint8_t *sb); + +#define EverCrypt_Hacl_aes128_cipher Crypto_Symmetric_AES128_cipher + +extern void +EverCrypt_Hacl_aes128_cipher(uint8_t *cipher, uint8_t *plain, uint8_t *w, uint8_t *sb); + +#define EverCrypt_Hacl_aes256_mk_sbox Crypto_Symmetric_AES_mk_sbox + +extern void EverCrypt_Hacl_aes256_mk_sbox(uint8_t *sb); + +#define EverCrypt_Hacl_aes256_keyExpansion Crypto_Symmetric_AES_keyExpansion + +extern void EverCrypt_Hacl_aes256_keyExpansion(uint8_t *key, uint8_t *w, uint8_t *sb); + +#define EverCrypt_Hacl_aes256_cipher Crypto_Symmetric_AES_cipher + +extern void +EverCrypt_Hacl_aes256_cipher(uint8_t *cipher, uint8_t *plain, uint8_t *w, uint8_t *sb); + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_Hacl_H_DEFINED +#endif diff --git a/include/c89/EverCrypt_Hash.h b/include/c89/EverCrypt_Hash.h new file mode 100644 index 00000000..0e1cd3f5 --- /dev/null +++ b/include/c89/EverCrypt_Hash.h 
@@ -0,0 +1,291 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __EverCrypt_Hash_H +#define __EverCrypt_Hash_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Spec.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Impl_Blake2_Constants.h" +#include "Hacl_Hash_SHA2.h" +#include "Hacl_Hash_SHA1.h" +#include "Hacl_Hash_MD5.h" +#include "EverCrypt_AutoConfig2.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef Spec_Hash_Definitions_hash_alg EverCrypt_Hash_alg; + +C_String_t EverCrypt_Hash_string_of_alg(Spec_Hash_Definitions_hash_alg uu___); + +typedef Spec_Hash_Definitions_hash_alg EverCrypt_Hash_broken_alg; + +typedef Spec_Hash_Definitions_hash_alg EverCrypt_Hash_alg13; + +typedef void *EverCrypt_Hash_e_alg; + +#define EverCrypt_Hash_MD5_s 0 +#define EverCrypt_Hash_SHA1_s 1 +#define EverCrypt_Hash_SHA2_224_s 2 +#define EverCrypt_Hash_SHA2_256_s 3 +#define EverCrypt_Hash_SHA2_384_s 4 +#define EverCrypt_Hash_SHA2_512_s 5 +#define EverCrypt_Hash_Blake2S_s 6 +#define EverCrypt_Hash_Blake2B_s 7 + +typedef uint8_t EverCrypt_Hash_state_s_tags; + +typedef struct EverCrypt_Hash_state_s_s +{ + EverCrypt_Hash_state_s_tags tag; + union { + uint32_t *case_MD5_s; + uint32_t *case_SHA1_s; + uint32_t *case_SHA2_224_s; + uint32_t *case_SHA2_256_s; + uint64_t *case_SHA2_384_s; + uint64_t *case_SHA2_512_s; + uint32_t *case_Blake2S_s; + uint64_t *case_Blake2B_s; + } + val; +} +EverCrypt_Hash_state_s; + +bool +EverCrypt_Hash_uu___is_MD5_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +); + +bool +EverCrypt_Hash_uu___is_SHA1_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +); + +bool +EverCrypt_Hash_uu___is_SHA2_224_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +); + +bool +EverCrypt_Hash_uu___is_SHA2_256_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s 
projectee +); + +bool +EverCrypt_Hash_uu___is_SHA2_384_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +); + +bool +EverCrypt_Hash_uu___is_SHA2_512_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +); + +bool +EverCrypt_Hash_uu___is_Blake2S_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +); + +bool +EverCrypt_Hash_uu___is_Blake2B_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +); + +Spec_Hash_Definitions_hash_alg EverCrypt_Hash_alg_of_state(EverCrypt_Hash_state_s *s); + +EverCrypt_Hash_state_s *EverCrypt_Hash_create_in(Spec_Hash_Definitions_hash_alg a); + +EverCrypt_Hash_state_s *EverCrypt_Hash_create(Spec_Hash_Definitions_hash_alg a); + +void EverCrypt_Hash_init(EverCrypt_Hash_state_s *s); + +void EverCrypt_Hash_update_multi_256(uint32_t *s, uint8_t *blocks, uint32_t n); + +void EverCrypt_Hash_update2(EverCrypt_Hash_state_s *s, uint64_t prevlen, uint8_t *block); + +KRML_DEPRECATED("Use update2 instead") + +void EverCrypt_Hash_update(EverCrypt_Hash_state_s *s, uint8_t *block); + +void +EverCrypt_Hash_update_multi2( + EverCrypt_Hash_state_s *s, + uint64_t prevlen, + uint8_t *blocks, + uint32_t len +); + +KRML_DEPRECATED("Use update_multi2 instead") + +void EverCrypt_Hash_update_multi(EverCrypt_Hash_state_s *s, uint8_t *blocks, uint32_t len); + +void +EverCrypt_Hash_update_last_256( + uint32_t *s, + uint64_t input, + uint8_t *input_len, + uint32_t input_len1 +); + +void +EverCrypt_Hash_update_last2( + EverCrypt_Hash_state_s *s, + uint64_t prev_len, + uint8_t *last, + uint32_t last_len +); + +KRML_DEPRECATED("Use update_last2 instead") + +void EverCrypt_Hash_update_last(EverCrypt_Hash_state_s *s, uint8_t *last, uint64_t total_len); + +void EverCrypt_Hash_finish(EverCrypt_Hash_state_s *s, uint8_t *dst); + +void EverCrypt_Hash_free(EverCrypt_Hash_state_s *s); + +void EverCrypt_Hash_copy(EverCrypt_Hash_state_s *s_src, EverCrypt_Hash_state_s *s_dst); + 
+void EverCrypt_Hash_hash_256(uint8_t *input, uint32_t input_len, uint8_t *dst); + +void EverCrypt_Hash_hash_224(uint8_t *input, uint32_t input_len, uint8_t *dst); + +void +EverCrypt_Hash_hash( + Spec_Hash_Definitions_hash_alg a, + uint8_t *dst, + uint8_t *input, + uint32_t len +); + +uint32_t EverCrypt_Hash_Incremental_hash_len(Spec_Hash_Definitions_hash_alg a); + +uint32_t EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_hash_alg a); + +typedef struct Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s_____s +{ + EverCrypt_Hash_state_s *block_state; + uint8_t *buf; + uint64_t total_len; +} +Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____; + +Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ +*EverCrypt_Hash_Incremental_create_in(Spec_Hash_Definitions_hash_alg a); + +void +EverCrypt_Hash_Incremental_init(Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *s); + +void +EverCrypt_Hash_Incremental_update( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *data, + uint32_t len +); + +void +EverCrypt_Hash_Incremental_finish_md5( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +); + +void +EverCrypt_Hash_Incremental_finish_sha1( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +); + +void +EverCrypt_Hash_Incremental_finish_sha224( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +); + +void +EverCrypt_Hash_Incremental_finish_sha256( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +); + +void +EverCrypt_Hash_Incremental_finish_sha384( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +); + +void +EverCrypt_Hash_Incremental_finish_sha512( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +); + +void +EverCrypt_Hash_Incremental_finish_blake2s( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + 
uint8_t *dst +); + +void +EverCrypt_Hash_Incremental_finish_blake2b( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +); + +Spec_Hash_Definitions_hash_alg +EverCrypt_Hash_Incremental_alg_of_state( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *s +); + +void +EverCrypt_Hash_Incremental_finish( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *s, + uint8_t *dst +); + +void +EverCrypt_Hash_Incremental_free(Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *s); + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_Hash_H_DEFINED +#endif diff --git a/include/c89/EverCrypt_Helpers.h b/include/c89/EverCrypt_Helpers.h new file mode 100644 index 00000000..1cad1faf --- /dev/null +++ b/include/c89/EverCrypt_Helpers.h 
@@ -0,0 +1,62 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __EverCrypt_Helpers_H +#define __EverCrypt_Helpers_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef uint8_t EverCrypt_Helpers_uint8_t; + +typedef uint16_t EverCrypt_Helpers_uint16_t; + +typedef uint32_t EverCrypt_Helpers_uint32_t; + +typedef uint64_t EverCrypt_Helpers_uint64_t; + +typedef uint8_t *EverCrypt_Helpers_uint8_p; + +typedef uint16_t *EverCrypt_Helpers_uint16_p; + +typedef uint32_t *EverCrypt_Helpers_uint32_p; + +typedef uint64_t *EverCrypt_Helpers_uint64_p; + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_Helpers_H_DEFINED +#endif 
diff --git a/include/c89/EverCrypt_Poly1305.h b/include/c89/EverCrypt_Poly1305.h new file mode 100644 index 00000000..d4dfe597 --- /dev/null +++ b/include/c89/EverCrypt_Poly1305.h 
@@ -0,0 +1,51 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __EverCrypt_Poly1305_H +#define __EverCrypt_Poly1305_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Poly1305_32.h" +#include "Hacl_Poly1305_256.h" +#include "Hacl_Poly1305_128.h" +#include "EverCrypt_AutoConfig2.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void EverCrypt_Poly1305_poly1305(uint8_t *dst, uint8_t *src, uint32_t len, uint8_t *key); + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_Poly1305_H_DEFINED +#endif diff --git a/include/c89/EverCrypt_StaticConfig.h b/include/c89/EverCrypt_StaticConfig.h new file mode 100644 index 00000000..057cdec7 --- /dev/null 
+++ b/include/c89/EverCrypt_StaticConfig.h @@ -0,0 +1,54 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __EverCrypt_StaticConfig_H +#define __EverCrypt_StaticConfig_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +extern bool EverCrypt_StaticConfig_hacl; + +extern bool EverCrypt_StaticConfig_vale; + +extern bool EverCrypt_StaticConfig_openssl; + +extern bool EverCrypt_StaticConfig_bcrypt; + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_StaticConfig_H_DEFINED +#endif diff --git a/include/c89/Hacl_AES128.h b/include/c89/Hacl_AES128.h new file mode 100644 index 00000000..4fdb0078 --- /dev/null +++ b/include/c89/Hacl_AES128.h 
@@ -0,0 +1,51 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_AES128_H +#define __Hacl_AES128_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +extern void Hacl_AES128_aes128_key_expansion(uint8_t *key, uint8_t *expanded_key); + +extern void +Hacl_AES128_aes128_encrypt_block(uint16_t *cipher, uint16_t *plain, uint8_t *expanded_key); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_AES128_H_DEFINED +#endif diff --git a/include/c89/Hacl_Bignum25519_51.h b/include/c89/Hacl_Bignum25519_51.h new file mode 100644 index 00000000..059feb6a --- /dev/null +++ b/include/c89/Hacl_Bignum25519_51.h 
@@ -0,0 +1,679 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Bignum25519_51_H +#define __Hacl_Bignum25519_51_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +static inline void Hacl_Impl_Curve25519_Field51_fadd(uint64_t *out, uint64_t *f1, uint64_t *f2) +{ + uint64_t f10 = f1[0U]; + uint64_t f20 = f2[0U]; + uint64_t f11 = f1[1U]; + uint64_t f21 = f2[1U]; + uint64_t f12 = f1[2U]; + uint64_t f22 = f2[2U]; + uint64_t f13 = f1[3U]; + uint64_t f23 = f2[3U]; + uint64_t f14 = f1[4U]; + uint64_t f24 = f2[4U]; + out[0U] = f10 + f20; + out[1U] = f11 + f21; + out[2U] = f12 + f22; + out[3U] = f13 + f23; + out[4U] = f14 + f24; +} + +static inline void Hacl_Impl_Curve25519_Field51_fsub(uint64_t *out, uint64_t *f1, uint64_t *f2) +{ + uint64_t f10 = f1[0U]; + uint64_t f20 = f2[0U]; + uint64_t f11 = f1[1U]; + uint64_t f21 = f2[1U]; + uint64_t f12 = f1[2U]; + uint64_t f22 = f2[2U]; + uint64_t f13 = f1[3U]; + uint64_t f23 = f2[3U]; + uint64_t f14 = f1[4U]; + uint64_t f24 = f2[4U]; + out[0U] = f10 + (uint64_t)0x3fffffffffff68U - f20; + out[1U] = f11 + (uint64_t)0x3ffffffffffff8U - f21; + out[2U] = f12 + (uint64_t)0x3ffffffffffff8U - f22; + out[3U] = f13 + (uint64_t)0x3ffffffffffff8U - f23; + out[4U] = f14 + (uint64_t)0x3ffffffffffff8U - f24; +} + +static inline void +Hacl_Impl_Curve25519_Field51_fmul( + uint64_t *out, + uint64_t *f1, + uint64_t *f2, + FStar_UInt128_uint128 *uu___ +) +{ + uint64_t f10 = f1[0U]; + uint64_t f11 = f1[1U]; + uint64_t f12 = f1[2U]; + uint64_t f13 = f1[3U]; + uint64_t f14 = f1[4U]; + uint64_t f20 = f2[0U]; + uint64_t f21 = f2[1U]; + uint64_t f22 = f2[2U]; + uint64_t f23 = f2[3U]; + uint64_t f24 = f2[4U]; + uint64_t tmp1 = f21 * (uint64_t)19U; + uint64_t tmp2 = f22 * (uint64_t)19U; + uint64_t tmp3 = f23 * (uint64_t)19U; + uint64_t tmp4 = f24 * (uint64_t)19U; + 
FStar_UInt128_uint128 o00 = FStar_UInt128_mul_wide(f10, f20); + FStar_UInt128_uint128 o10 = FStar_UInt128_mul_wide(f10, f21); + FStar_UInt128_uint128 o20 = FStar_UInt128_mul_wide(f10, f22); + FStar_UInt128_uint128 o30 = FStar_UInt128_mul_wide(f10, f23); + FStar_UInt128_uint128 o40 = FStar_UInt128_mul_wide(f10, f24); + FStar_UInt128_uint128 o01 = FStar_UInt128_add(o00, FStar_UInt128_mul_wide(f11, tmp4)); + FStar_UInt128_uint128 o11 = FStar_UInt128_add(o10, FStar_UInt128_mul_wide(f11, f20)); + FStar_UInt128_uint128 o21 = FStar_UInt128_add(o20, FStar_UInt128_mul_wide(f11, f21)); + FStar_UInt128_uint128 o31 = FStar_UInt128_add(o30, FStar_UInt128_mul_wide(f11, f22)); + FStar_UInt128_uint128 o41 = FStar_UInt128_add(o40, FStar_UInt128_mul_wide(f11, f23)); + FStar_UInt128_uint128 o02 = FStar_UInt128_add(o01, FStar_UInt128_mul_wide(f12, tmp3)); + FStar_UInt128_uint128 o12 = FStar_UInt128_add(o11, FStar_UInt128_mul_wide(f12, tmp4)); + FStar_UInt128_uint128 o22 = FStar_UInt128_add(o21, FStar_UInt128_mul_wide(f12, f20)); + FStar_UInt128_uint128 o32 = FStar_UInt128_add(o31, FStar_UInt128_mul_wide(f12, f21)); + FStar_UInt128_uint128 o42 = FStar_UInt128_add(o41, FStar_UInt128_mul_wide(f12, f22)); + FStar_UInt128_uint128 o03 = FStar_UInt128_add(o02, FStar_UInt128_mul_wide(f13, tmp2)); + FStar_UInt128_uint128 o13 = FStar_UInt128_add(o12, FStar_UInt128_mul_wide(f13, tmp3)); + FStar_UInt128_uint128 o23 = FStar_UInt128_add(o22, FStar_UInt128_mul_wide(f13, tmp4)); + FStar_UInt128_uint128 o33 = FStar_UInt128_add(o32, FStar_UInt128_mul_wide(f13, f20)); + FStar_UInt128_uint128 o43 = FStar_UInt128_add(o42, FStar_UInt128_mul_wide(f13, f21)); + FStar_UInt128_uint128 o04 = FStar_UInt128_add(o03, FStar_UInt128_mul_wide(f14, tmp1)); + FStar_UInt128_uint128 o14 = FStar_UInt128_add(o13, FStar_UInt128_mul_wide(f14, tmp2)); + FStar_UInt128_uint128 o24 = FStar_UInt128_add(o23, FStar_UInt128_mul_wide(f14, tmp3)); + FStar_UInt128_uint128 o34 = FStar_UInt128_add(o33, FStar_UInt128_mul_wide(f14, tmp4)); 
+ FStar_UInt128_uint128 o44 = FStar_UInt128_add(o43, FStar_UInt128_mul_wide(f14, f20)); + FStar_UInt128_uint128 tmp_w0 = o04; + FStar_UInt128_uint128 tmp_w1 = o14; + FStar_UInt128_uint128 tmp_w2 = o24; + FStar_UInt128_uint128 tmp_w3 = o34; + FStar_UInt128_uint128 tmp_w4 = o44; + FStar_UInt128_uint128 + l_ = FStar_UInt128_add(tmp_w0, FStar_UInt128_uint64_to_uint128((uint64_t)0U)); + uint64_t tmp01 = FStar_UInt128_uint128_to_uint64(l_) & (uint64_t)0x7ffffffffffffU; + uint64_t c0 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_, (uint32_t)51U)); + FStar_UInt128_uint128 l_0 = FStar_UInt128_add(tmp_w1, FStar_UInt128_uint64_to_uint128(c0)); + uint64_t tmp11 = FStar_UInt128_uint128_to_uint64(l_0) & (uint64_t)0x7ffffffffffffU; + uint64_t c1 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_0, (uint32_t)51U)); + FStar_UInt128_uint128 l_1 = FStar_UInt128_add(tmp_w2, FStar_UInt128_uint64_to_uint128(c1)); + uint64_t tmp21 = FStar_UInt128_uint128_to_uint64(l_1) & (uint64_t)0x7ffffffffffffU; + uint64_t c2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_1, (uint32_t)51U)); + FStar_UInt128_uint128 l_2 = FStar_UInt128_add(tmp_w3, FStar_UInt128_uint64_to_uint128(c2)); + uint64_t tmp31 = FStar_UInt128_uint128_to_uint64(l_2) & (uint64_t)0x7ffffffffffffU; + uint64_t c3 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_2, (uint32_t)51U)); + FStar_UInt128_uint128 l_3 = FStar_UInt128_add(tmp_w4, FStar_UInt128_uint64_to_uint128(c3)); + uint64_t tmp41 = FStar_UInt128_uint128_to_uint64(l_3) & (uint64_t)0x7ffffffffffffU; + uint64_t c4 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_3, (uint32_t)51U)); + uint64_t l_4 = tmp01 + c4 * (uint64_t)19U; + uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU; + uint64_t c5 = l_4 >> (uint32_t)51U; + uint64_t o0 = tmp0_; + uint64_t o1 = tmp11 + c5; + uint64_t o2 = tmp21; + uint64_t o3 = tmp31; + uint64_t o4 = tmp41; + out[0U] = o0; + out[1U] = o1; + out[2U] = o2; + out[3U] = o3; + out[4U] = 
o4; +} + +static inline void +Hacl_Impl_Curve25519_Field51_fmul2( + uint64_t *out, + uint64_t *f1, + uint64_t *f2, + FStar_UInt128_uint128 *uu___ +) +{ + uint64_t f10 = f1[0U]; + uint64_t f11 = f1[1U]; + uint64_t f12 = f1[2U]; + uint64_t f13 = f1[3U]; + uint64_t f14 = f1[4U]; + uint64_t f20 = f2[0U]; + uint64_t f21 = f2[1U]; + uint64_t f22 = f2[2U]; + uint64_t f23 = f2[3U]; + uint64_t f24 = f2[4U]; + uint64_t f30 = f1[5U]; + uint64_t f31 = f1[6U]; + uint64_t f32 = f1[7U]; + uint64_t f33 = f1[8U]; + uint64_t f34 = f1[9U]; + uint64_t f40 = f2[5U]; + uint64_t f41 = f2[6U]; + uint64_t f42 = f2[7U]; + uint64_t f43 = f2[8U]; + uint64_t f44 = f2[9U]; + uint64_t tmp11 = f21 * (uint64_t)19U; + uint64_t tmp12 = f22 * (uint64_t)19U; + uint64_t tmp13 = f23 * (uint64_t)19U; + uint64_t tmp14 = f24 * (uint64_t)19U; + uint64_t tmp21 = f41 * (uint64_t)19U; + uint64_t tmp22 = f42 * (uint64_t)19U; + uint64_t tmp23 = f43 * (uint64_t)19U; + uint64_t tmp24 = f44 * (uint64_t)19U; + FStar_UInt128_uint128 o00 = FStar_UInt128_mul_wide(f10, f20); + FStar_UInt128_uint128 o15 = FStar_UInt128_mul_wide(f10, f21); + FStar_UInt128_uint128 o25 = FStar_UInt128_mul_wide(f10, f22); + FStar_UInt128_uint128 o30 = FStar_UInt128_mul_wide(f10, f23); + FStar_UInt128_uint128 o40 = FStar_UInt128_mul_wide(f10, f24); + FStar_UInt128_uint128 o010 = FStar_UInt128_add(o00, FStar_UInt128_mul_wide(f11, tmp14)); + FStar_UInt128_uint128 o110 = FStar_UInt128_add(o15, FStar_UInt128_mul_wide(f11, f20)); + FStar_UInt128_uint128 o210 = FStar_UInt128_add(o25, FStar_UInt128_mul_wide(f11, f21)); + FStar_UInt128_uint128 o310 = FStar_UInt128_add(o30, FStar_UInt128_mul_wide(f11, f22)); + FStar_UInt128_uint128 o410 = FStar_UInt128_add(o40, FStar_UInt128_mul_wide(f11, f23)); + FStar_UInt128_uint128 o020 = FStar_UInt128_add(o010, FStar_UInt128_mul_wide(f12, tmp13)); + FStar_UInt128_uint128 o120 = FStar_UInt128_add(o110, FStar_UInt128_mul_wide(f12, tmp14)); + FStar_UInt128_uint128 o220 = FStar_UInt128_add(o210, 
FStar_UInt128_mul_wide(f12, f20)); + FStar_UInt128_uint128 o320 = FStar_UInt128_add(o310, FStar_UInt128_mul_wide(f12, f21)); + FStar_UInt128_uint128 o420 = FStar_UInt128_add(o410, FStar_UInt128_mul_wide(f12, f22)); + FStar_UInt128_uint128 o030 = FStar_UInt128_add(o020, FStar_UInt128_mul_wide(f13, tmp12)); + FStar_UInt128_uint128 o130 = FStar_UInt128_add(o120, FStar_UInt128_mul_wide(f13, tmp13)); + FStar_UInt128_uint128 o230 = FStar_UInt128_add(o220, FStar_UInt128_mul_wide(f13, tmp14)); + FStar_UInt128_uint128 o330 = FStar_UInt128_add(o320, FStar_UInt128_mul_wide(f13, f20)); + FStar_UInt128_uint128 o430 = FStar_UInt128_add(o420, FStar_UInt128_mul_wide(f13, f21)); + FStar_UInt128_uint128 o040 = FStar_UInt128_add(o030, FStar_UInt128_mul_wide(f14, tmp11)); + FStar_UInt128_uint128 o140 = FStar_UInt128_add(o130, FStar_UInt128_mul_wide(f14, tmp12)); + FStar_UInt128_uint128 o240 = FStar_UInt128_add(o230, FStar_UInt128_mul_wide(f14, tmp13)); + FStar_UInt128_uint128 o340 = FStar_UInt128_add(o330, FStar_UInt128_mul_wide(f14, tmp14)); + FStar_UInt128_uint128 o440 = FStar_UInt128_add(o430, FStar_UInt128_mul_wide(f14, f20)); + FStar_UInt128_uint128 tmp_w10 = o040; + FStar_UInt128_uint128 tmp_w11 = o140; + FStar_UInt128_uint128 tmp_w12 = o240; + FStar_UInt128_uint128 tmp_w13 = o340; + FStar_UInt128_uint128 tmp_w14 = o440; + FStar_UInt128_uint128 o0 = FStar_UInt128_mul_wide(f30, f40); + FStar_UInt128_uint128 o1 = FStar_UInt128_mul_wide(f30, f41); + FStar_UInt128_uint128 o2 = FStar_UInt128_mul_wide(f30, f42); + FStar_UInt128_uint128 o3 = FStar_UInt128_mul_wide(f30, f43); + FStar_UInt128_uint128 o4 = FStar_UInt128_mul_wide(f30, f44); + FStar_UInt128_uint128 o01 = FStar_UInt128_add(o0, FStar_UInt128_mul_wide(f31, tmp24)); + FStar_UInt128_uint128 o111 = FStar_UInt128_add(o1, FStar_UInt128_mul_wide(f31, f40)); + FStar_UInt128_uint128 o211 = FStar_UInt128_add(o2, FStar_UInt128_mul_wide(f31, f41)); + FStar_UInt128_uint128 o31 = FStar_UInt128_add(o3, FStar_UInt128_mul_wide(f31, f42)); + 
FStar_UInt128_uint128 o41 = FStar_UInt128_add(o4, FStar_UInt128_mul_wide(f31, f43)); + FStar_UInt128_uint128 o02 = FStar_UInt128_add(o01, FStar_UInt128_mul_wide(f32, tmp23)); + FStar_UInt128_uint128 o121 = FStar_UInt128_add(o111, FStar_UInt128_mul_wide(f32, tmp24)); + FStar_UInt128_uint128 o221 = FStar_UInt128_add(o211, FStar_UInt128_mul_wide(f32, f40)); + FStar_UInt128_uint128 o32 = FStar_UInt128_add(o31, FStar_UInt128_mul_wide(f32, f41)); + FStar_UInt128_uint128 o42 = FStar_UInt128_add(o41, FStar_UInt128_mul_wide(f32, f42)); + FStar_UInt128_uint128 o03 = FStar_UInt128_add(o02, FStar_UInt128_mul_wide(f33, tmp22)); + FStar_UInt128_uint128 o131 = FStar_UInt128_add(o121, FStar_UInt128_mul_wide(f33, tmp23)); + FStar_UInt128_uint128 o231 = FStar_UInt128_add(o221, FStar_UInt128_mul_wide(f33, tmp24)); + FStar_UInt128_uint128 o33 = FStar_UInt128_add(o32, FStar_UInt128_mul_wide(f33, f40)); + FStar_UInt128_uint128 o43 = FStar_UInt128_add(o42, FStar_UInt128_mul_wide(f33, f41)); + FStar_UInt128_uint128 o04 = FStar_UInt128_add(o03, FStar_UInt128_mul_wide(f34, tmp21)); + FStar_UInt128_uint128 o141 = FStar_UInt128_add(o131, FStar_UInt128_mul_wide(f34, tmp22)); + FStar_UInt128_uint128 o241 = FStar_UInt128_add(o231, FStar_UInt128_mul_wide(f34, tmp23)); + FStar_UInt128_uint128 o34 = FStar_UInt128_add(o33, FStar_UInt128_mul_wide(f34, tmp24)); + FStar_UInt128_uint128 o44 = FStar_UInt128_add(o43, FStar_UInt128_mul_wide(f34, f40)); + FStar_UInt128_uint128 tmp_w20 = o04; + FStar_UInt128_uint128 tmp_w21 = o141; + FStar_UInt128_uint128 tmp_w22 = o241; + FStar_UInt128_uint128 tmp_w23 = o34; + FStar_UInt128_uint128 tmp_w24 = o44; + FStar_UInt128_uint128 + l_ = FStar_UInt128_add(tmp_w10, FStar_UInt128_uint64_to_uint128((uint64_t)0U)); + uint64_t tmp00 = FStar_UInt128_uint128_to_uint64(l_) & (uint64_t)0x7ffffffffffffU; + uint64_t c00 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_, (uint32_t)51U)); + FStar_UInt128_uint128 l_0 = FStar_UInt128_add(tmp_w11, 
FStar_UInt128_uint64_to_uint128(c00)); + uint64_t tmp10 = FStar_UInt128_uint128_to_uint64(l_0) & (uint64_t)0x7ffffffffffffU; + uint64_t c10 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_0, (uint32_t)51U)); + FStar_UInt128_uint128 l_1 = FStar_UInt128_add(tmp_w12, FStar_UInt128_uint64_to_uint128(c10)); + uint64_t tmp20 = FStar_UInt128_uint128_to_uint64(l_1) & (uint64_t)0x7ffffffffffffU; + uint64_t c20 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_1, (uint32_t)51U)); + FStar_UInt128_uint128 l_2 = FStar_UInt128_add(tmp_w13, FStar_UInt128_uint64_to_uint128(c20)); + uint64_t tmp30 = FStar_UInt128_uint128_to_uint64(l_2) & (uint64_t)0x7ffffffffffffU; + uint64_t c30 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_2, (uint32_t)51U)); + FStar_UInt128_uint128 l_3 = FStar_UInt128_add(tmp_w14, FStar_UInt128_uint64_to_uint128(c30)); + uint64_t tmp40 = FStar_UInt128_uint128_to_uint64(l_3) & (uint64_t)0x7ffffffffffffU; + uint64_t c40 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_3, (uint32_t)51U)); + uint64_t l_4 = tmp00 + c40 * (uint64_t)19U; + uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU; + uint64_t c50 = l_4 >> (uint32_t)51U; + uint64_t o100 = tmp0_; + uint64_t o112 = tmp10 + c50; + uint64_t o122 = tmp20; + uint64_t o132 = tmp30; + uint64_t o142 = tmp40; + FStar_UInt128_uint128 + l_5 = FStar_UInt128_add(tmp_w20, FStar_UInt128_uint64_to_uint128((uint64_t)0U)); + uint64_t tmp0 = FStar_UInt128_uint128_to_uint64(l_5) & (uint64_t)0x7ffffffffffffU; + uint64_t c0 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_5, (uint32_t)51U)); + FStar_UInt128_uint128 l_6 = FStar_UInt128_add(tmp_w21, FStar_UInt128_uint64_to_uint128(c0)); + uint64_t tmp1 = FStar_UInt128_uint128_to_uint64(l_6) & (uint64_t)0x7ffffffffffffU; + uint64_t c1 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_6, (uint32_t)51U)); + FStar_UInt128_uint128 l_7 = FStar_UInt128_add(tmp_w22, FStar_UInt128_uint64_to_uint128(c1)); + uint64_t 
tmp2 = FStar_UInt128_uint128_to_uint64(l_7) & (uint64_t)0x7ffffffffffffU; + uint64_t c2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_7, (uint32_t)51U)); + FStar_UInt128_uint128 l_8 = FStar_UInt128_add(tmp_w23, FStar_UInt128_uint64_to_uint128(c2)); + uint64_t tmp3 = FStar_UInt128_uint128_to_uint64(l_8) & (uint64_t)0x7ffffffffffffU; + uint64_t c3 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_8, (uint32_t)51U)); + FStar_UInt128_uint128 l_9 = FStar_UInt128_add(tmp_w24, FStar_UInt128_uint64_to_uint128(c3)); + uint64_t tmp4 = FStar_UInt128_uint128_to_uint64(l_9) & (uint64_t)0x7ffffffffffffU; + uint64_t c4 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_9, (uint32_t)51U)); + uint64_t l_10 = tmp0 + c4 * (uint64_t)19U; + uint64_t tmp0_0 = l_10 & (uint64_t)0x7ffffffffffffU; + uint64_t c5 = l_10 >> (uint32_t)51U; + uint64_t o200 = tmp0_0; + uint64_t o212 = tmp1 + c5; + uint64_t o222 = tmp2; + uint64_t o232 = tmp3; + uint64_t o242 = tmp4; + uint64_t o10 = o100; + uint64_t o11 = o112; + uint64_t o12 = o122; + uint64_t o13 = o132; + uint64_t o14 = o142; + uint64_t o20 = o200; + uint64_t o21 = o212; + uint64_t o22 = o222; + uint64_t o23 = o232; + uint64_t o24 = o242; + out[0U] = o10; + out[1U] = o11; + out[2U] = o12; + out[3U] = o13; + out[4U] = o14; + out[5U] = o20; + out[6U] = o21; + out[7U] = o22; + out[8U] = o23; + out[9U] = o24; +} + +static inline void Hacl_Impl_Curve25519_Field51_fmul1(uint64_t *out, uint64_t *f1, uint64_t f2) +{ + uint64_t f10 = f1[0U]; + uint64_t f11 = f1[1U]; + uint64_t f12 = f1[2U]; + uint64_t f13 = f1[3U]; + uint64_t f14 = f1[4U]; + FStar_UInt128_uint128 tmp_w0 = FStar_UInt128_mul_wide(f2, f10); + FStar_UInt128_uint128 tmp_w1 = FStar_UInt128_mul_wide(f2, f11); + FStar_UInt128_uint128 tmp_w2 = FStar_UInt128_mul_wide(f2, f12); + FStar_UInt128_uint128 tmp_w3 = FStar_UInt128_mul_wide(f2, f13); + FStar_UInt128_uint128 tmp_w4 = FStar_UInt128_mul_wide(f2, f14); + FStar_UInt128_uint128 + l_ = 
FStar_UInt128_add(tmp_w0, FStar_UInt128_uint64_to_uint128((uint64_t)0U)); + uint64_t tmp0 = FStar_UInt128_uint128_to_uint64(l_) & (uint64_t)0x7ffffffffffffU; + uint64_t c0 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_, (uint32_t)51U)); + FStar_UInt128_uint128 l_0 = FStar_UInt128_add(tmp_w1, FStar_UInt128_uint64_to_uint128(c0)); + uint64_t tmp1 = FStar_UInt128_uint128_to_uint64(l_0) & (uint64_t)0x7ffffffffffffU; + uint64_t c1 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_0, (uint32_t)51U)); + FStar_UInt128_uint128 l_1 = FStar_UInt128_add(tmp_w2, FStar_UInt128_uint64_to_uint128(c1)); + uint64_t tmp2 = FStar_UInt128_uint128_to_uint64(l_1) & (uint64_t)0x7ffffffffffffU; + uint64_t c2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_1, (uint32_t)51U)); + FStar_UInt128_uint128 l_2 = FStar_UInt128_add(tmp_w3, FStar_UInt128_uint64_to_uint128(c2)); + uint64_t tmp3 = FStar_UInt128_uint128_to_uint64(l_2) & (uint64_t)0x7ffffffffffffU; + uint64_t c3 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_2, (uint32_t)51U)); + FStar_UInt128_uint128 l_3 = FStar_UInt128_add(tmp_w4, FStar_UInt128_uint64_to_uint128(c3)); + uint64_t tmp4 = FStar_UInt128_uint128_to_uint64(l_3) & (uint64_t)0x7ffffffffffffU; + uint64_t c4 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_3, (uint32_t)51U)); + uint64_t l_4 = tmp0 + c4 * (uint64_t)19U; + uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU; + uint64_t c5 = l_4 >> (uint32_t)51U; + uint64_t o0 = tmp0_; + uint64_t o1 = tmp1 + c5; + uint64_t o2 = tmp2; + uint64_t o3 = tmp3; + uint64_t o4 = tmp4; + out[0U] = o0; + out[1U] = o1; + out[2U] = o2; + out[3U] = o3; + out[4U] = o4; +} + +static inline void +Hacl_Impl_Curve25519_Field51_fsqr(uint64_t *out, uint64_t *f, FStar_UInt128_uint128 *uu___) +{ + uint64_t f0 = f[0U]; + uint64_t f1 = f[1U]; + uint64_t f2 = f[2U]; + uint64_t f3 = f[3U]; + uint64_t f4 = f[4U]; + uint64_t d0 = (uint64_t)2U * f0; + uint64_t d1 = (uint64_t)2U * f1; + 
uint64_t d2 = (uint64_t)38U * f2; + uint64_t d3 = (uint64_t)19U * f3; + uint64_t d419 = (uint64_t)19U * f4; + uint64_t d4 = (uint64_t)2U * d419; + FStar_UInt128_uint128 + s0 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(f0, f0), + FStar_UInt128_mul_wide(d4, f1)), + FStar_UInt128_mul_wide(d2, f3)); + FStar_UInt128_uint128 + s1 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f1), + FStar_UInt128_mul_wide(d4, f2)), + FStar_UInt128_mul_wide(d3, f3)); + FStar_UInt128_uint128 + s2 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f2), + FStar_UInt128_mul_wide(f1, f1)), + FStar_UInt128_mul_wide(d4, f3)); + FStar_UInt128_uint128 + s3 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f3), + FStar_UInt128_mul_wide(d1, f2)), + FStar_UInt128_mul_wide(f4, d419)); + FStar_UInt128_uint128 + s4 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f4), + FStar_UInt128_mul_wide(d1, f3)), + FStar_UInt128_mul_wide(f2, f2)); + FStar_UInt128_uint128 o00 = s0; + FStar_UInt128_uint128 o10 = s1; + FStar_UInt128_uint128 o20 = s2; + FStar_UInt128_uint128 o30 = s3; + FStar_UInt128_uint128 o40 = s4; + FStar_UInt128_uint128 + l_ = FStar_UInt128_add(o00, FStar_UInt128_uint64_to_uint128((uint64_t)0U)); + uint64_t tmp0 = FStar_UInt128_uint128_to_uint64(l_) & (uint64_t)0x7ffffffffffffU; + uint64_t c0 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_, (uint32_t)51U)); + FStar_UInt128_uint128 l_0 = FStar_UInt128_add(o10, FStar_UInt128_uint64_to_uint128(c0)); + uint64_t tmp1 = FStar_UInt128_uint128_to_uint64(l_0) & (uint64_t)0x7ffffffffffffU; + uint64_t c1 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_0, (uint32_t)51U)); + FStar_UInt128_uint128 l_1 = FStar_UInt128_add(o20, FStar_UInt128_uint64_to_uint128(c1)); + uint64_t tmp2 = FStar_UInt128_uint128_to_uint64(l_1) & (uint64_t)0x7ffffffffffffU; + uint64_t c2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_1, (uint32_t)51U)); + 
FStar_UInt128_uint128 l_2 = FStar_UInt128_add(o30, FStar_UInt128_uint64_to_uint128(c2)); + uint64_t tmp3 = FStar_UInt128_uint128_to_uint64(l_2) & (uint64_t)0x7ffffffffffffU; + uint64_t c3 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_2, (uint32_t)51U)); + FStar_UInt128_uint128 l_3 = FStar_UInt128_add(o40, FStar_UInt128_uint64_to_uint128(c3)); + uint64_t tmp4 = FStar_UInt128_uint128_to_uint64(l_3) & (uint64_t)0x7ffffffffffffU; + uint64_t c4 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_3, (uint32_t)51U)); + uint64_t l_4 = tmp0 + c4 * (uint64_t)19U; + uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU; + uint64_t c5 = l_4 >> (uint32_t)51U; + uint64_t o0 = tmp0_; + uint64_t o1 = tmp1 + c5; + uint64_t o2 = tmp2; + uint64_t o3 = tmp3; + uint64_t o4 = tmp4; + out[0U] = o0; + out[1U] = o1; + out[2U] = o2; + out[3U] = o3; + out[4U] = o4; +} + +static inline void +Hacl_Impl_Curve25519_Field51_fsqr2(uint64_t *out, uint64_t *f, FStar_UInt128_uint128 *uu___) +{ + uint64_t f10 = f[0U]; + uint64_t f11 = f[1U]; + uint64_t f12 = f[2U]; + uint64_t f13 = f[3U]; + uint64_t f14 = f[4U]; + uint64_t f20 = f[5U]; + uint64_t f21 = f[6U]; + uint64_t f22 = f[7U]; + uint64_t f23 = f[8U]; + uint64_t f24 = f[9U]; + uint64_t d00 = (uint64_t)2U * f10; + uint64_t d10 = (uint64_t)2U * f11; + uint64_t d20 = (uint64_t)38U * f12; + uint64_t d30 = (uint64_t)19U * f13; + uint64_t d4190 = (uint64_t)19U * f14; + uint64_t d40 = (uint64_t)2U * d4190; + FStar_UInt128_uint128 + s00 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(f10, f10), + FStar_UInt128_mul_wide(d40, f11)), + FStar_UInt128_mul_wide(d20, f13)); + FStar_UInt128_uint128 + s10 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d00, f11), + FStar_UInt128_mul_wide(d40, f12)), + FStar_UInt128_mul_wide(d30, f13)); + FStar_UInt128_uint128 + s20 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d00, f12), + FStar_UInt128_mul_wide(f11, f11)), + FStar_UInt128_mul_wide(d40, f13)); + 
FStar_UInt128_uint128 + s30 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d00, f13), + FStar_UInt128_mul_wide(d10, f12)), + FStar_UInt128_mul_wide(f14, d4190)); + FStar_UInt128_uint128 + s40 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d00, f14), + FStar_UInt128_mul_wide(d10, f13)), + FStar_UInt128_mul_wide(f12, f12)); + FStar_UInt128_uint128 o100 = s00; + FStar_UInt128_uint128 o110 = s10; + FStar_UInt128_uint128 o120 = s20; + FStar_UInt128_uint128 o130 = s30; + FStar_UInt128_uint128 o140 = s40; + uint64_t d0 = (uint64_t)2U * f20; + uint64_t d1 = (uint64_t)2U * f21; + uint64_t d2 = (uint64_t)38U * f22; + uint64_t d3 = (uint64_t)19U * f23; + uint64_t d419 = (uint64_t)19U * f24; + uint64_t d4 = (uint64_t)2U * d419; + FStar_UInt128_uint128 + s0 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(f20, f20), + FStar_UInt128_mul_wide(d4, f21)), + FStar_UInt128_mul_wide(d2, f23)); + FStar_UInt128_uint128 + s1 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f21), + FStar_UInt128_mul_wide(d4, f22)), + FStar_UInt128_mul_wide(d3, f23)); + FStar_UInt128_uint128 + s2 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f22), + FStar_UInt128_mul_wide(f21, f21)), + FStar_UInt128_mul_wide(d4, f23)); + FStar_UInt128_uint128 + s3 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f23), + FStar_UInt128_mul_wide(d1, f22)), + FStar_UInt128_mul_wide(f24, d419)); + FStar_UInt128_uint128 + s4 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f24), + FStar_UInt128_mul_wide(d1, f23)), + FStar_UInt128_mul_wide(f22, f22)); + FStar_UInt128_uint128 o200 = s0; + FStar_UInt128_uint128 o210 = s1; + FStar_UInt128_uint128 o220 = s2; + FStar_UInt128_uint128 o230 = s3; + FStar_UInt128_uint128 o240 = s4; + FStar_UInt128_uint128 + l_ = FStar_UInt128_add(o100, FStar_UInt128_uint64_to_uint128((uint64_t)0U)); + uint64_t tmp00 = FStar_UInt128_uint128_to_uint64(l_) & (uint64_t)0x7ffffffffffffU; + 
uint64_t c00 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_, (uint32_t)51U)); + FStar_UInt128_uint128 l_0 = FStar_UInt128_add(o110, FStar_UInt128_uint64_to_uint128(c00)); + uint64_t tmp10 = FStar_UInt128_uint128_to_uint64(l_0) & (uint64_t)0x7ffffffffffffU; + uint64_t c10 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_0, (uint32_t)51U)); + FStar_UInt128_uint128 l_1 = FStar_UInt128_add(o120, FStar_UInt128_uint64_to_uint128(c10)); + uint64_t tmp20 = FStar_UInt128_uint128_to_uint64(l_1) & (uint64_t)0x7ffffffffffffU; + uint64_t c20 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_1, (uint32_t)51U)); + FStar_UInt128_uint128 l_2 = FStar_UInt128_add(o130, FStar_UInt128_uint64_to_uint128(c20)); + uint64_t tmp30 = FStar_UInt128_uint128_to_uint64(l_2) & (uint64_t)0x7ffffffffffffU; + uint64_t c30 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_2, (uint32_t)51U)); + FStar_UInt128_uint128 l_3 = FStar_UInt128_add(o140, FStar_UInt128_uint64_to_uint128(c30)); + uint64_t tmp40 = FStar_UInt128_uint128_to_uint64(l_3) & (uint64_t)0x7ffffffffffffU; + uint64_t c40 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_3, (uint32_t)51U)); + uint64_t l_4 = tmp00 + c40 * (uint64_t)19U; + uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU; + uint64_t c50 = l_4 >> (uint32_t)51U; + uint64_t o101 = tmp0_; + uint64_t o111 = tmp10 + c50; + uint64_t o121 = tmp20; + uint64_t o131 = tmp30; + uint64_t o141 = tmp40; + FStar_UInt128_uint128 + l_5 = FStar_UInt128_add(o200, FStar_UInt128_uint64_to_uint128((uint64_t)0U)); + uint64_t tmp0 = FStar_UInt128_uint128_to_uint64(l_5) & (uint64_t)0x7ffffffffffffU; + uint64_t c0 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_5, (uint32_t)51U)); + FStar_UInt128_uint128 l_6 = FStar_UInt128_add(o210, FStar_UInt128_uint64_to_uint128(c0)); + uint64_t tmp1 = FStar_UInt128_uint128_to_uint64(l_6) & (uint64_t)0x7ffffffffffffU; + uint64_t c1 = 
FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_6, (uint32_t)51U)); + FStar_UInt128_uint128 l_7 = FStar_UInt128_add(o220, FStar_UInt128_uint64_to_uint128(c1)); + uint64_t tmp2 = FStar_UInt128_uint128_to_uint64(l_7) & (uint64_t)0x7ffffffffffffU; + uint64_t c2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_7, (uint32_t)51U)); + FStar_UInt128_uint128 l_8 = FStar_UInt128_add(o230, FStar_UInt128_uint64_to_uint128(c2)); + uint64_t tmp3 = FStar_UInt128_uint128_to_uint64(l_8) & (uint64_t)0x7ffffffffffffU; + uint64_t c3 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_8, (uint32_t)51U)); + FStar_UInt128_uint128 l_9 = FStar_UInt128_add(o240, FStar_UInt128_uint64_to_uint128(c3)); + uint64_t tmp4 = FStar_UInt128_uint128_to_uint64(l_9) & (uint64_t)0x7ffffffffffffU; + uint64_t c4 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_9, (uint32_t)51U)); + uint64_t l_10 = tmp0 + c4 * (uint64_t)19U; + uint64_t tmp0_0 = l_10 & (uint64_t)0x7ffffffffffffU; + uint64_t c5 = l_10 >> (uint32_t)51U; + uint64_t o201 = tmp0_0; + uint64_t o211 = tmp1 + c5; + uint64_t o221 = tmp2; + uint64_t o231 = tmp3; + uint64_t o241 = tmp4; + uint64_t o10 = o101; + uint64_t o11 = o111; + uint64_t o12 = o121; + uint64_t o13 = o131; + uint64_t o14 = o141; + uint64_t o20 = o201; + uint64_t o21 = o211; + uint64_t o22 = o221; + uint64_t o23 = o231; + uint64_t o24 = o241; + out[0U] = o10; + out[1U] = o11; + out[2U] = o12; + out[3U] = o13; + out[4U] = o14; + out[5U] = o20; + out[6U] = o21; + out[7U] = o22; + out[8U] = o23; + out[9U] = o24; +} + +static inline void Hacl_Impl_Curve25519_Field51_store_felem(uint64_t *u64s, uint64_t *f) +{ + uint64_t f0 = f[0U]; + uint64_t f1 = f[1U]; + uint64_t f2 = f[2U]; + uint64_t f3 = f[3U]; + uint64_t f4 = f[4U]; + uint64_t l_ = f0 + (uint64_t)0U; + uint64_t tmp0 = l_ & (uint64_t)0x7ffffffffffffU; + uint64_t c0 = l_ >> (uint32_t)51U; + uint64_t l_0 = f1 + c0; + uint64_t tmp1 = l_0 & (uint64_t)0x7ffffffffffffU; + uint64_t c1 = l_0 
>> (uint32_t)51U; + uint64_t l_1 = f2 + c1; + uint64_t tmp2 = l_1 & (uint64_t)0x7ffffffffffffU; + uint64_t c2 = l_1 >> (uint32_t)51U; + uint64_t l_2 = f3 + c2; + uint64_t tmp3 = l_2 & (uint64_t)0x7ffffffffffffU; + uint64_t c3 = l_2 >> (uint32_t)51U; + uint64_t l_3 = f4 + c3; + uint64_t tmp4 = l_3 & (uint64_t)0x7ffffffffffffU; + uint64_t c4 = l_3 >> (uint32_t)51U; + uint64_t l_4 = tmp0 + c4 * (uint64_t)19U; + uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU; + uint64_t c5 = l_4 >> (uint32_t)51U; + uint64_t f01 = tmp0_; + uint64_t f11 = tmp1 + c5; + uint64_t f21 = tmp2; + uint64_t f31 = tmp3; + uint64_t f41 = tmp4; + uint64_t m0 = FStar_UInt64_gte_mask(f01, (uint64_t)0x7ffffffffffedU); + uint64_t m1 = FStar_UInt64_eq_mask(f11, (uint64_t)0x7ffffffffffffU); + uint64_t m2 = FStar_UInt64_eq_mask(f21, (uint64_t)0x7ffffffffffffU); + uint64_t m3 = FStar_UInt64_eq_mask(f31, (uint64_t)0x7ffffffffffffU); + uint64_t m4 = FStar_UInt64_eq_mask(f41, (uint64_t)0x7ffffffffffffU); + uint64_t mask = (((m0 & m1) & m2) & m3) & m4; + uint64_t f0_ = f01 - (mask & (uint64_t)0x7ffffffffffedU); + uint64_t f1_ = f11 - (mask & (uint64_t)0x7ffffffffffffU); + uint64_t f2_ = f21 - (mask & (uint64_t)0x7ffffffffffffU); + uint64_t f3_ = f31 - (mask & (uint64_t)0x7ffffffffffffU); + uint64_t f4_ = f41 - (mask & (uint64_t)0x7ffffffffffffU); + uint64_t f02 = f0_; + uint64_t f12 = f1_; + uint64_t f22 = f2_; + uint64_t f32 = f3_; + uint64_t f42 = f4_; + uint64_t o00 = f02 | f12 << (uint32_t)51U; + uint64_t o10 = f12 >> (uint32_t)13U | f22 << (uint32_t)38U; + uint64_t o20 = f22 >> (uint32_t)26U | f32 << (uint32_t)25U; + uint64_t o30 = f32 >> (uint32_t)39U | f42 << (uint32_t)12U; + uint64_t o0 = o00; + uint64_t o1 = o10; + uint64_t o2 = o20; + uint64_t o3 = o30; + u64s[0U] = o0; + u64s[1U] = o1; + u64s[2U] = o2; + u64s[3U] = o3; +} + +static inline void +Hacl_Impl_Curve25519_Field51_cswap2(uint64_t bit, uint64_t *p1, uint64_t *p2) +{ + uint64_t mask = (uint64_t)0U - bit; + uint32_t i; + for (i = 
(uint32_t)0U; i < (uint32_t)10U; i++)
+ {
+ uint64_t dummy = mask & (p1[i] ^ p2[i]);
+ p1[i] = p1[i] ^ dummy;
+ p2[i] = p2[i] ^ dummy;
+ }
+}
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Bignum25519_51_H_DEFINED
+#endif
diff --git a/include/c89/Hacl_Bignum256.h b/include/c89/Hacl_Bignum256.h
new file mode 100644
index 00000000..87c22666
--- /dev/null
+++ b/include/c89/Hacl_Bignum256.h
@@ -0,0 +1,409 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Bignum256_H +#define __Hacl_Bignum256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_Bignum_Base.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +/******************************************************************************* + +A verified 256-bit bignum library. + +This is a 64-bit optimized version, where bignums are represented as an array +of four unsigned 64-bit integers, i.e. uint64_t[4]. Furthermore, the +limbs are stored in little-endian format, i.e. the least significant limb is at +index 0. Each limb is stored in native format in memory. 
Example: + + uint64_t sixteen[4] = { 0x10; 0x00; 0x00; 0x00 } + +We strongly encourage users to go through the conversion functions, e.g. +bn_from_bytes_be, to i) not depend on internal representation choices and ii) +have the ability to switch easily to a 32-bit optimized version in the future. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2^256` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 256-bit bignums, i.e. uint64_t[4] +*/ +uint64_t Hacl_Bignum256_add(uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `a - b mod 2^256` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 256-bit bignums, i.e. uint64_t[4] +*/ +uint64_t Hacl_Bignum256_sub(uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum256_add_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum256_sub_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint64_t[4]. + The outparam res is meant to be a 512-bit bignum, i.e. uint64_t[8]. +*/ +void Hacl_Bignum256_mul(uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `a * a` in `res`. + + The argument a is meant to be a 256-bit bignum, i.e. 
uint64_t[4]. + The outparam res is meant to be a 512-bit bignum, i.e. uint64_t[8]. +*/ +void Hacl_Bignum256_sqr(uint64_t *a, uint64_t *res); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 512-bit bignum, i.e. uint64_t[8]. + The argument n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum256_mod(uint64_t *n, uint64_t *a, uint64_t *res); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum256_mod_exp_vartime( + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. 
+ + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum256_mod_exp_consttime( + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum256_mod_inv_prime_vartime(uint64_t *n, uint64_t *a, uint64_t *res); + +typedef struct Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64_s +{ + uint32_t len; + uint64_t *n; + uint64_t mu; + uint64_t *r2; +} +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64; + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be a 256-bit bignum, i.e. uint64_t[4]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum256_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_Bignum256_mont_ctx_init(uint64_t *n); + +/* +Deallocate the memory previously allocated by Hacl_Bignum256_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. +*/ +void Hacl_Bignum256_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 512-bit bignum, i.e. uint64_t[8]. + The outparam res is meant to be a 256-bit bignum, i.e. 
uint64_t[4]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. +*/ +void +Hacl_Bignum256_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum256_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum256_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum256_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +); + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint64_t *Hacl_Bignum256_new_bn_from_bytes_be(uint32_t len, uint8_t *b); + +/* +Load a little-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint64_t *Hacl_Bignum256_new_bn_from_bytes_le(uint32_t len, uint8_t *b); + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a 256-bit bignum. + The outparam res points to 32 bytes of valid memory. 
+*/
+void Hacl_Bignum256_bn_to_bytes_be(uint64_t *b, uint8_t *res);
+
+/*
+Serialize a bignum into little-endian memory.
+
+ The argument b points to a 256-bit bignum.
+ The outparam res points to 32 bytes of valid memory.
+*/
+void Hacl_Bignum256_bn_to_bytes_le(uint64_t *b, uint8_t *res);
+
+
+/***************/
+/* Comparisons */
+/***************/
+
+
+/*
+Returns 2^64 - 1 if a < b, otherwise returns 0.
+
+ The arguments a and b are meant to be 256-bit bignums, i.e. uint64_t[4].
+*/
+uint64_t Hacl_Bignum256_lt_mask(uint64_t *a, uint64_t *b);
+
+/*
+Returns 2^64 - 1 if a = b, otherwise returns 0.
+
+ The arguments a and b are meant to be 256-bit bignums, i.e. uint64_t[4].
+*/
+uint64_t Hacl_Bignum256_eq_mask(uint64_t *a, uint64_t *b);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Bignum256_H_DEFINED
+#endif
diff --git a/include/c89/Hacl_Bignum256_32.h b/include/c89/Hacl_Bignum256_32.h
new file mode 100644
index 00000000..88eacdcb
--- /dev/null
+++ b/include/c89/Hacl_Bignum256_32.h
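Review bot: The comment on `Hacl_Bignum256_new_bn_from_bytes_be` in the loads-and-stores section documents a "bid-endian" bignum; it should read `Load a big-endian bignum from memory.`, and the same typo appears in the Hacl_Bignum256_32.h hunk that follows. The `add`/`sub` comments at the top of the arithmetic section say "This functions returns the carry", which should be `This function returns the carry.` (also repeated in the following headers). The bare `#include` line ahead of `kremlin/internal/types.h` in the include block has no target in this rendering — presumably a system header such as `<string.h>` whose angle brackets were stripped on the way to the page — and is worth confirming against the file on disk, since a target-less `#include` would not compile.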
@@ -0,0 +1,401 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Bignum256_32_H +#define __Hacl_Bignum256_32_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_GenericField32.h" +#include "Hacl_Bignum_Base.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +/******************************************************************************* + +A verified 256-bit bignum library. + +This is a 32-bit optimized version, where bignums are represented as an array +of eight unsigned 32-bit integers, i.e. uint32_t[8]. Furthermore, the +limbs are stored in little-endian format, i.e. the least significant limb is at +index 0. 
Each limb is stored in native format in memory. Example: + + uint32_t sixteen[8] = { 0x10; 0x00; 0x00; 0x00; 0x00; 0x00; 0x00; 0x00 } + +We strongly encourage users to go through the conversion functions, e.g. +bn_from_bytes_be, to i) not depend on internal representation choices and ii) +have the ability to switch easily to a 64-bit optimized version in the future. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2^256` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 256-bit bignums, i.e. uint32_t[8] +*/ +uint32_t Hacl_Bignum256_32_add(uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `a - b mod 2^256` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 256-bit bignums, i.e. uint32_t[8] +*/ +uint32_t Hacl_Bignum256_32_sub(uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum256_32_add_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum256_32_sub_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint32_t[8]. + The outparam res is meant to be a 512-bit bignum, i.e. uint32_t[16]. 
+*/ +void Hacl_Bignum256_32_mul(uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `a * a` in `res`. + + The argument a is meant to be a 256-bit bignum, i.e. uint32_t[8]. + The outparam res is meant to be a 512-bit bignum, i.e. uint32_t[16]. +*/ +void Hacl_Bignum256_32_sqr(uint32_t *a, uint32_t *res); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 512-bit bignum, i.e. uint32_t[16]. + The argument n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum256_32_mod(uint32_t *n, uint32_t *a, uint32_t *res); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum256_32_mod_exp_vartime( + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. 
+ + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum256_32_mod_exp_consttime( + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum256_32_mod_inv_prime_vartime(uint32_t *n, uint32_t *a, uint32_t *res); + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be a 256-bit bignum, i.e. uint32_t[8]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum256_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_Bignum256_32_mont_ctx_init(uint32_t *n); + +/* +Deallocate the memory previously allocated by Hacl_Bignum256_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. +*/ +void Hacl_Bignum256_32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 512-bit bignum, i.e. uint32_t[16]. + The outparam res is meant to be a 256-bit bignum, i.e. uint32_t[8]. 
+ The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. +*/ +void +Hacl_Bignum256_32_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum256_32_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum256_32_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum256_32_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +); + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum256_32_new_bn_from_bytes_be(uint32_t len, uint8_t *b); + +/* +Load a little-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum256_32_new_bn_from_bytes_le(uint32_t len, uint8_t *b); + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a 256-bit bignum. + The outparam res points to 32 bytes of valid memory. 
+*/
+void Hacl_Bignum256_32_bn_to_bytes_be(uint32_t *b, uint8_t *res);
+
+/*
+Serialize a bignum into little-endian memory.
+
+ The argument b points to a 256-bit bignum.
+ The outparam res points to 32 bytes of valid memory.
+*/
+void Hacl_Bignum256_32_bn_to_bytes_le(uint32_t *b, uint8_t *res);
+
+
+/***************/
+/* Comparisons */
+/***************/
+
+
+/*
+Returns 2^32 - 1 if a < b, otherwise returns 0.
+
+ The arguments a and b are meant to be 256-bit bignums, i.e. uint32_t[8].
+*/
+uint32_t Hacl_Bignum256_32_lt_mask(uint32_t *a, uint32_t *b);
+
+/*
+Returns 2^32 - 1 if a = b, otherwise returns 0.
+
+ The arguments a and b are meant to be 256-bit bignums, i.e. uint32_t[8].
+*/
+uint32_t Hacl_Bignum256_32_eq_mask(uint32_t *a, uint32_t *b);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Bignum256_32_H_DEFINED
+#endif
diff --git a/include/c89/Hacl_Bignum32.h b/include/c89/Hacl_Bignum32.h
new file mode 100644
index 00000000..93288f64
--- /dev/null
+++ b/include/c89/Hacl_Bignum32.h
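Review bot: The precomputation comments in this 32-bit header name the 64-bit context functions: the `Hacl_Bignum256_32_mont_ctx_init` comment tells callers to release the result with `Hacl_Bignum256_mont_ctx_free`, and every `*_precomp` comment (plus `mont_ctx_free` itself) says the context is "obtained through Hacl_Bignum256_mont_ctx_init", while the functions actually declared here are `Hacl_Bignum256_32_mont_ctx_init` and `Hacl_Bignum256_32_mont_ctx_free` operating on `Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *`. A context from the u64 API would not type-check against these prototypes, so the comments should read `obtained through Hacl_Bignum256_32_mont_ctx_init` and `call Hacl_Bignum256_32_mont_ctx_free on the return value`. Unlike Hacl_Bignum256.h, this header uses `Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32` without defining it; it is presumably supplied by the included Hacl_GenericField32.h, which is worth confirming so the header stays self-contained.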
@@ -0,0 +1,400 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Bignum32_H +#define __Hacl_Bignum32_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_GenericField32.h" +#include "Hacl_Bignum_Base.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_Bignum32_pbn_mont_ctx_u32; + +/******************************************************************************* + +A verified bignum library. + +This is a 32-bit optimized version, where bignums are represented as an array +of `len` unsigned 32-bit integers, i.e. uint32_t[len]. 
+ +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2 ^ (32 * len)` in `res`. + + This functions returns the carry. + + The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len] +*/ +uint32_t Hacl_Bignum32_add(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `a - b mod 2 ^ (32 * len)` in `res`. + + This functions returns the carry. + + The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len] +*/ +uint32_t Hacl_Bignum32_sub(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum32_add_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum32_sub_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. + The outparam res is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. +*/ +void Hacl_Bignum32_mul(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `a * a` in `res`. + + The argument a is meant to be `len` limbs in size, i.e. uint32_t[len]. + The outparam res is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. 
+*/ +void Hacl_Bignum32_sqr(uint32_t len, uint32_t *a, uint32_t *res); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. + The argument n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum32_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum32_mod_exp_vartime( + uint32_t len, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. 
+ + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum32_mod_exp_consttime( + uint32_t len, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool +Hacl_Bignum32_mod_inv_prime_vartime(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res); + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum32_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 +*Hacl_Bignum32_mont_ctx_init(uint32_t len, uint32_t *n); + +/* +Deallocate the memory previously allocated by Hacl_Bignum32_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. +*/ +void Hacl_Bignum32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. + The outparam res is meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. 
+*/ +void +Hacl_Bignum32_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum32_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum32_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum32_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +); + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to `len` bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum32_new_bn_from_bytes_be(uint32_t len, uint8_t *b); + +/* +Load a little-endian bignum from memory. + + The argument b points to `len` bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum32_new_bn_from_bytes_le(uint32_t len, uint8_t *b); + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a bignum of ⌈len / 4⌉ size. + The outparam res points to `len` bytes of valid memory. 
+*/ +void Hacl_Bignum32_bn_to_bytes_be(uint32_t len, uint32_t *b, uint8_t *res); + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a bignum of ⌈len / 4⌉ size. + The outparam res points to `len` bytes of valid memory. +*/ +void Hacl_Bignum32_bn_to_bytes_le(uint32_t len, uint32_t *b, uint8_t *res); + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^32 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. +*/ +uint32_t Hacl_Bignum32_lt_mask(uint32_t len, uint32_t *a, uint32_t *b); + +/* +Returns 2^32 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. +*/ +uint32_t Hacl_Bignum32_eq_mask(uint32_t len, uint32_t *a, uint32_t *b); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Bignum32_H_DEFINED +#endif diff --git a/include/c89/Hacl_Bignum4096.h b/include/c89/Hacl_Bignum4096.h new file mode 100644 index 00000000..c3716546 --- /dev/null +++ b/include/c89/Hacl_Bignum4096.h 
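Review bot: The comment on `Hacl_Bignum32_mont_ctx_init` says the context is heap-allocated but not what is returned when the allocation fails or when the `n % 2 = 1` / `1 < n` preconditions are violated, whereas `Hacl_Bignum32_new_bn_from_bytes_be` in the same file explicitly documents a NULL return; if the context can be NULL, add `The function returns NULL if the allocation failed.` so callers know to check it before handing it to the `_precomp` functions. The comments on `Hacl_Bignum32_mod_exp_consttime` and `Hacl_Bignum32_mod_exp_consttime_precomp` (and the same pair in the Hacl_Bignum4096.h and Hacl_Bignum4096_32.h hunks below) promise constant time over `b` while also saying a tighter `bBits` is faster, so they should state that `bBits` is treated as public and must not be derived from the actual bit length of a secret exponent, e.g. `bBits is assumed public; derive it from the bignum size, not from the value of b.` Minor typos in the same file: `bid-endian` should read `big-endian` in the `new_bn_from_bytes_be` comment (also in the two 4096 headers below), and `This functions returns the carry` should read `This function returns the carry`. The `Hacl_Bignum32_pbn_mont_ctx_u32` pointer typedef is declared but none of the prototypes use it, so either apply it consistently or drop it.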
@@ -0,0 +1,405 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Bignum4096_H +#define __Hacl_Bignum4096_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_Bignum_Base.h" +#include "Hacl_Bignum256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +/******************************************************************************* + +A verified 4096-bit bignum library. + +This is a 64-bit optimized version, where bignums are represented as an array +of sixty four unsigned 64-bit integers, i.e. uint64_t[64]. Furthermore, the +limbs are stored in little-endian format, i.e. the least significant limb is at +index 0. 
Each limb is stored in native format in memory. Example: + + uint64_t sixteen[64] = { 0x10 } + + (relying on the fact that when an initializer-list is provided, the remainder + of the object gets initialized as if it had static storage duration, i.e. with + zeroes) + +We strongly encourage users to go through the conversion functions, e.g. +bn_from_bytes_be, to i) not depend on internal representation choices and ii) +have the ability to switch easily to a 32-bit optimized version in the future. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2^4096` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 4096-bit bignums, i.e. uint64_t[64] +*/ +uint64_t Hacl_Bignum4096_add(uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `a - b mod 2^4096` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 4096-bit bignums, i.e. uint64_t[64] +*/ +uint64_t Hacl_Bignum4096_sub(uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum4096_add_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum4096_sub_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint64_t[64]. 
+ The outparam res is meant to be a 8192-bit bignum, i.e. uint64_t[128]. +*/ +void Hacl_Bignum4096_mul(uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `a * a` in `res`. + + The argument a is meant to be a 4096-bit bignum, i.e. uint64_t[64]. + The outparam res is meant to be a 8192-bit bignum, i.e. uint64_t[128]. +*/ +void Hacl_Bignum4096_sqr(uint64_t *a, uint64_t *res); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 8192-bit bignum, i.e. uint64_t[128]. + The argument n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum4096_mod(uint64_t *n, uint64_t *a, uint64_t *res); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum4096_mod_exp_vartime( + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. 
When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum4096_mod_exp_consttime( + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum4096_mod_inv_prime_vartime(uint64_t *n, uint64_t *a, uint64_t *res); + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be a 4096-bit bignum, i.e. uint64_t[64]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum4096_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_Bignum4096_mont_ctx_init(uint64_t *n); + +/* +Deallocate the memory previously allocated by Hacl_Bignum4096_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. +*/ +void Hacl_Bignum4096_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k); + +/* +Write `a mod n` in `res`. 
+ + The argument a is meant to be a 8192-bit bignum, i.e. uint64_t[128]. + The outparam res is meant to be a 4096-bit bignum, i.e. uint64_t[64]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. +*/ +void +Hacl_Bignum4096_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum4096_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. 
+ + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum4096_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum4096_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +); + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint64_t *Hacl_Bignum4096_new_bn_from_bytes_be(uint32_t len, uint8_t *b); + +/* +Load a little-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint64_t *Hacl_Bignum4096_new_bn_from_bytes_le(uint32_t len, uint8_t *b); + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a 4096-bit bignum. 
+ The outparam res points to 512 bytes of valid memory. +*/ +void Hacl_Bignum4096_bn_to_bytes_be(uint64_t *b, uint8_t *res); + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a 4096-bit bignum. + The outparam res points to 512 bytes of valid memory. +*/ +void Hacl_Bignum4096_bn_to_bytes_le(uint64_t *b, uint8_t *res); + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^64 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint64_t[64]. +*/ +uint64_t Hacl_Bignum4096_lt_mask(uint64_t *a, uint64_t *b); + +/* +Returns 2^64 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint64_t[64]. +*/ +uint64_t Hacl_Bignum4096_eq_mask(uint64_t *a, uint64_t *b); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Bignum4096_H_DEFINED +#endif diff --git a/include/c89/Hacl_Bignum4096_32.h b/include/c89/Hacl_Bignum4096_32.h new file mode 100644 index 00000000..5d4c3d64 --- /dev/null +++ b/include/c89/Hacl_Bignum4096_32.h 
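Review bot: The comments on `Hacl_Bignum4096_new_bn_from_bytes_be` and `_le` describe the result only as "of size sufficient to hold the result of loading b", while every other prototype in this header expects exactly a 4096-bit bignum, uint64_t[64]; the comment should spell out the relation between `len` and that fixed size, i.e. whether the result is zero-padded to 64 limbs when `len` is below 512 and what happens when `len` exceeds 512, since a caller that passes a shorter or longer heap object to, say, `Hacl_Bignum4096_mod_exp_vartime` could otherwise read or write outside it. If the actual contract is the obvious one, `The returned bignum is uint64_t[64]; len must be at most 512.` would do, but I cannot confirm that from the header alone. The same wording gap exists in the Hacl_Bignum4096_32.h hunk that follows.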
@@ -0,0 +1,405 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Bignum4096_32_H +#define __Hacl_Bignum4096_32_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_GenericField32.h" +#include "Hacl_Bignum_Base.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +/******************************************************************************* + +A verified 4096-bit bignum library. + +This is a 32-bit optimized version, where bignums are represented as an array +of 128 unsigned 32-bit integers, i.e. uint32_t[128]. Furthermore, the +limbs are stored in little-endian format, i.e. the least significant limb is at +index 0. 
Each limb is stored in native format in memory. Example: + + uint32_t sixteen[128] = { 0x10 } + + (relying on the fact that when an initializer-list is provided, the remainder + of the object gets initialized as if it had static storage duration, i.e. with + zeroes) + +We strongly encourage users to go through the conversion functions, e.g. +bn_from_bytes_be, to i) not depend on internal representation choices and ii) +have the ability to switch easily to a 64-bit optimized version in the future. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2^4096` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 4096-bit bignums, i.e. uint32_t[128] +*/ +uint32_t Hacl_Bignum4096_32_add(uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `a - b mod 2^4096` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 4096-bit bignums, i.e. uint32_t[128] +*/ +uint32_t Hacl_Bignum4096_32_sub(uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum4096_32_add_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum4096_32_sub_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be 4096-bit bignums, i.e. 
uint32_t[128]. + The outparam res is meant to be a 8192-bit bignum, i.e. uint32_t[256]. +*/ +void Hacl_Bignum4096_32_mul(uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `a * a` in `res`. + + The argument a is meant to be a 4096-bit bignum, i.e. uint32_t[128]. + The outparam res is meant to be a 8192-bit bignum, i.e. uint32_t[256]. +*/ +void Hacl_Bignum4096_32_sqr(uint32_t *a, uint32_t *res); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 8192-bit bignum, i.e. uint32_t[256]. + The argument n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum4096_32_mod(uint32_t *n, uint32_t *a, uint32_t *res); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum4096_32_mod_exp_vartime( + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. 
When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum4096_32_mod_exp_consttime( + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum4096_32_mod_inv_prime_vartime(uint32_t *n, uint32_t *a, uint32_t *res); + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be a 4096-bit bignum, i.e. uint32_t[128]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum4096_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_Bignum4096_32_mont_ctx_init(uint32_t *n); + +/* +Deallocate the memory previously allocated by Hacl_Bignum4096_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. +*/ +void Hacl_Bignum4096_32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k); + +/* +Write `a mod n` in `res`. 
+ + The argument a is meant to be a 8192-bit bignum, i.e. uint32_t[256]. + The outparam res is meant to be a 4096-bit bignum, i.e. uint32_t[128]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. +*/ +void +Hacl_Bignum4096_32_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum4096_32_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. 
+ + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum4096_32_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum4096_32_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +); + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum4096_32_new_bn_from_bytes_be(uint32_t len, uint8_t *b); + +/* +Load a little-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum4096_32_new_bn_from_bytes_le(uint32_t len, uint8_t *b); + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a 4096-bit bignum. 
+ The outparam res points to 512 bytes of valid memory. +*/ +void Hacl_Bignum4096_32_bn_to_bytes_be(uint32_t *b, uint8_t *res); + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a 4096-bit bignum. + The outparam res points to 512 bytes of valid memory. +*/ +void Hacl_Bignum4096_32_bn_to_bytes_le(uint32_t *b, uint8_t *res); + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^32 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint32_t[128]. +*/ +uint32_t Hacl_Bignum4096_32_lt_mask(uint32_t *a, uint32_t *b); + +/* +Returns 2^32 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint32_t[128]. +*/ +uint32_t Hacl_Bignum4096_32_eq_mask(uint32_t *a, uint32_t *b); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Bignum4096_32_H_DEFINED +#endif diff --git a/include/c89/Hacl_Bignum64.h b/include/c89/Hacl_Bignum64.h new file mode 100644 index 00000000..caf5a7a3 --- /dev/null +++ b/include/c89/Hacl_Bignum64.h 
@@ -0,0 +1,400 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Bignum64_H +#define __Hacl_Bignum64_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_Bignum_Base.h" +#include "Hacl_Bignum256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_Bignum64_pbn_mont_ctx_u64; + +/******************************************************************************* + +A verified bignum library. + +This is a 64-bit optimized version, where bignums are represented as an array +of `len` unsigned 64-bit integers, i.e. uint64_t[len]. 
+ +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2 ^ (64 * len)` in `res`. + + This functions returns the carry. + + The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len] +*/ +uint64_t Hacl_Bignum64_add(uint32_t len, uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `a - b mod 2 ^ (64 * len)` in `res`. + + This functions returns the carry. + + The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len] +*/ +uint64_t Hacl_Bignum64_sub(uint32_t len, uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum64_add_mod(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum64_sub_mod(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint64_t[len]. + The outparam res is meant to be `2*len` limbs in size, i.e. uint64_t[2*len]. +*/ +void Hacl_Bignum64_mul(uint32_t len, uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `a * a` in `res`. + + The argument a is meant to be `len` limbs in size, i.e. uint64_t[len]. + The outparam res is meant to be `2*len` limbs in size, i.e. uint64_t[2*len]. 
+*/ +void Hacl_Bignum64_sqr(uint32_t len, uint64_t *a, uint64_t *res); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be `2*len` limbs in size, i.e. uint64_t[2*len]. + The argument n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum64_mod(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *res); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum64_mod_exp_vartime( + uint32_t len, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. 
+ + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum64_mod_exp_consttime( + uint32_t len, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool +Hacl_Bignum64_mod_inv_prime_vartime(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *res); + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be `len` limbs in size, i.e. uint64_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum64_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 +*Hacl_Bignum64_mont_ctx_init(uint32_t len, uint64_t *n); + +/* +Deallocate the memory previously allocated by Hacl_Bignum64_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init. +*/ +void Hacl_Bignum64_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be `2*len` limbs in size, i.e. uint64_t[2*len]. + The outparam res is meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init. 
+*/ +void +Hacl_Bignum64_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum64_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum64_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum64_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +); + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to `len` bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint64_t *Hacl_Bignum64_new_bn_from_bytes_be(uint32_t len, uint8_t *b); + +/* +Load a little-endian bignum from memory. + + The argument b points to `len` bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint64_t *Hacl_Bignum64_new_bn_from_bytes_le(uint32_t len, uint8_t *b); + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a bignum of ⌈len / 8⌉ size. + The outparam res points to `len` bytes of valid memory. 
+*/ +void Hacl_Bignum64_bn_to_bytes_be(uint32_t len, uint64_t *b, uint8_t *res); + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a bignum of ⌈len / 8⌉ size. + The outparam res points to `len` bytes of valid memory. +*/ +void Hacl_Bignum64_bn_to_bytes_le(uint32_t len, uint64_t *b, uint8_t *res); + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^64 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint64_t[len]. +*/ +uint64_t Hacl_Bignum64_lt_mask(uint32_t len, uint64_t *a, uint64_t *b); + +/* +Returns 2^64 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint64_t[len]. +*/ +uint64_t Hacl_Bignum64_eq_mask(uint32_t len, uint64_t *a, uint64_t *b); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Bignum64_H_DEFINED +#endif diff --git a/include/c89/Hacl_Bignum_Base.h b/include/c89/Hacl_Bignum_Base.h new file mode 100644 index 00000000..9e947748 --- /dev/null +++ b/include/c89/Hacl_Bignum_Base.h 
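Review bot: The doc comment on Hacl_Bignum64_new_bn_from_bytes_be reads `Load a bid-endian bignum from memory.`; it should read `Load a big-endian bignum from memory.`, matching the little-endian sibling below it. The same typo appears on Hacl_Bignum4096_32_new_bn_from_bytes_be in the previous file of this patch. These headers look KreMLin-generated (they pull in kremlin/internal/types.h), so the wording fix presumably belongs in the F* source comment it is extracted from, or it will be lost on the next regeneration.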
@@ -0,0 +1,77 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Bignum_Base_H +#define __Hacl_Bignum_Base_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +static inline uint64_t +Hacl_Bignum_Base_mul_wide_add_u64(uint64_t a, uint64_t b, uint64_t c_in, uint64_t *out) +{ + FStar_UInt128_uint128 + res = FStar_UInt128_add(FStar_UInt128_mul_wide(a, b), FStar_UInt128_uint64_to_uint128(c_in)); + out[0U] = FStar_UInt128_uint128_to_uint64(res); + return FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U)); +} + +static inline uint32_t +Hacl_Bignum_Base_mul_wide_add2_u32(uint32_t a, uint32_t b, uint32_t c_in, uint32_t *out) +{ + uint32_t out0 = out[0U]; + uint64_t res = (uint64_t)a * (uint64_t)b + (uint64_t)c_in + (uint64_t)out0; + out[0U] = (uint32_t)res; + return (uint32_t)(res >> (uint32_t)32U); +} + +static inline uint64_t +Hacl_Bignum_Base_mul_wide_add2_u64(uint64_t a, uint64_t b, uint64_t c_in, uint64_t *out) +{ + uint64_t out0 = out[0U]; + FStar_UInt128_uint128 + res = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(a, b), + FStar_UInt128_uint64_to_uint128(c_in)), + FStar_UInt128_uint64_to_uint128(out0)); + out[0U] = FStar_UInt128_uint128_to_uint64(res); + return FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U)); +} + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Bignum_Base_H_DEFINED +#endif diff --git a/include/c89/Hacl_Chacha20.h b/include/c89/Hacl_Chacha20.h new file mode 100644 index 00000000..2794419e --- /dev/null +++ b/include/c89/Hacl_Chacha20.h 
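Review bot: The three static inline helpers carry no comment, so their contract has to be reverse-engineered from the FStar_UInt128 calls: out[0] receives the low limb of a*b + c_in (plus the previous out[0] for the add2 variants) and the high limb is returned. A one-line comment on each would spare every caller that reading, e.g. `/* out[0] = low limb of a*b + c_in + out[0]; returns the high limb (carry-out). */` on the two add2 functions, and the same without the `+ out[0]` term on Hacl_Bignum_Base_mul_wide_add_u64. If the header is generated, the comment should go into the F* source rather than here.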
@@ -0,0 +1,66 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Chacha20_H +#define __Hacl_Chacha20_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Chacha20_chacha20_encrypt( + uint32_t len, + uint8_t *out, + uint8_t *text, + uint8_t *key, + uint8_t *n, + uint32_t ctr +); + +void +Hacl_Chacha20_chacha20_decrypt( + uint32_t len, + uint8_t *out, + uint8_t *cipher, + uint8_t *key, + uint8_t *n, + uint32_t ctr +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Chacha20_H_DEFINED +#endif 
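Review bot: Hacl_Chacha20_chacha20_encrypt and Hacl_Chacha20_chacha20_decrypt are declared with no documentation at all: nothing states how many bytes `key` and `n` must point to, what `ctr` is, whether `out` may alias `text`/`cipher`, or that `len` is in bytes. The Hacl_Chacha20_Vec128 and Hacl_Chacha20_Vec256 headers later in this patch have the same gap. A comment per declaration along the lines of `/* len: byte length of text/out; key and n: presumably the RFC 8439 sizes (32-byte key, 12-byte nonce) — confirm against the implementation; ctr: initial block counter */` would give callers what they need, with the sizes confirmed from the .c before it is committed.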
diff --git a/include/c89/Hacl_Chacha20Poly1305_128.h b/include/c89/Hacl_Chacha20Poly1305_128.h new file mode 100644 index 00000000..30ac47b8 --- /dev/null +++ b/include/c89/Hacl_Chacha20Poly1305_128.h 
@@ -0,0 +1,72 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Chacha20Poly1305_128_H +#define __Hacl_Chacha20Poly1305_128_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Poly1305_128.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Chacha20_Vec128.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Chacha20Poly1305_128_aead_encrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *mac +); + +uint32_t +Hacl_Chacha20Poly1305_128_aead_decrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *mac +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Chacha20Poly1305_128_H_DEFINED +#endif diff --git a/include/c89/Hacl_Chacha20Poly1305_256.h b/include/c89/Hacl_Chacha20Poly1305_256.h new file mode 100644 index 00000000..3c9e5456 --- /dev/null +++ b/include/c89/Hacl_Chacha20Poly1305_256.h 
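Review bot: Hacl_Chacha20Poly1305_128_aead_decrypt returns a uint32_t whose meaning is not documented, and neither is what happens to `m` when the tag does not verify; a caller who consumes `m` without checking that return value silently loses the authentication the AEAD exists to provide. The Hacl_Chacha20Poly1305_256 and Hacl_Chacha20Poly1305_32 headers that follow have the identical gap. I would add to the decrypt declaration `/* Returns 0 if mac verified and the plaintext was written to m; nonzero on authentication failure — confirm from the .c whether m is left untouched in that case */`, and to both functions a note of the expected sizes of k, n and mac (the latter presumably 16 bytes for Poly1305, to be confirmed). As these headers appear to be generated, the text should be added upstream in the F* source so it survives regeneration.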
@@ -0,0 +1,72 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Chacha20Poly1305_256_H +#define __Hacl_Chacha20Poly1305_256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Poly1305_256.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Chacha20_Vec256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Chacha20Poly1305_256_aead_encrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *mac +); + +uint32_t +Hacl_Chacha20Poly1305_256_aead_decrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *mac +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Chacha20Poly1305_256_H_DEFINED +#endif diff --git a/include/c89/Hacl_Chacha20Poly1305_32.h b/include/c89/Hacl_Chacha20Poly1305_32.h new file mode 100644 index 00000000..9162ffa0 --- /dev/null +++ b/include/c89/Hacl_Chacha20Poly1305_32.h 
@@ -0,0 +1,72 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Chacha20Poly1305_32_H +#define __Hacl_Chacha20Poly1305_32_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Poly1305_32.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Chacha20.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Chacha20Poly1305_32_aead_encrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *mac +); + +uint32_t +Hacl_Chacha20Poly1305_32_aead_decrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *mac +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Chacha20Poly1305_32_H_DEFINED +#endif diff --git a/include/c89/Hacl_Chacha20_Vec128.h b/include/c89/Hacl_Chacha20_Vec128.h new file mode 100644 index 00000000..0e4f2402 --- /dev/null +++ b/include/c89/Hacl_Chacha20_Vec128.h 
@@ -0,0 +1,66 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Chacha20_Vec128_H +#define __Hacl_Chacha20_Vec128_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Chacha20_Vec128_chacha20_encrypt_128( + uint32_t len, + uint8_t *out, + uint8_t *text, + uint8_t *key, + uint8_t *n, + uint32_t ctr +); + +void +Hacl_Chacha20_Vec128_chacha20_decrypt_128( + uint32_t len, + uint8_t *out, + uint8_t *cipher, + uint8_t *key, + uint8_t *n, + uint32_t ctr +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Chacha20_Vec128_H_DEFINED +#endif 
diff --git a/include/c89/Hacl_Chacha20_Vec256.h b/include/c89/Hacl_Chacha20_Vec256.h new file mode 100644 index 00000000..c99ec184 --- /dev/null +++ b/include/c89/Hacl_Chacha20_Vec256.h 
@@ -0,0 +1,66 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Chacha20_Vec256_H +#define __Hacl_Chacha20_Vec256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Chacha20_Vec256_chacha20_encrypt_256( + uint32_t len, + uint8_t *out, + uint8_t *text, + uint8_t *key, + uint8_t *n, + uint32_t ctr +); + +void +Hacl_Chacha20_Vec256_chacha20_decrypt_256( + uint32_t len, + uint8_t *out, + uint8_t *cipher, + uint8_t *key, + uint8_t *n, + uint32_t ctr +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Chacha20_Vec256_H_DEFINED +#endif 
diff --git a/include/c89/Hacl_Chacha20_Vec32.h b/include/c89/Hacl_Chacha20_Vec32.h
new file mode 100644
index 00000000..95aaea0d
--- /dev/null
+++ b/include/c89/Hacl_Chacha20_Vec32.h
@@ -0,0 +1,66 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Chacha20_Vec32_H +#define __Hacl_Chacha20_Vec32_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Chacha20_Vec32_chacha20_encrypt_32( + uint32_t len, + uint8_t *out, + uint8_t *text, + uint8_t *key, + uint8_t *n, + uint32_t ctr +); + +void +Hacl_Chacha20_Vec32_chacha20_decrypt_32( + uint32_t len, + uint8_t *out, + uint8_t *cipher, + uint8_t *key, + uint8_t *n, + uint32_t ctr +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Chacha20_Vec32_H_DEFINED +#endif 
diff --git a/include/c89/Hacl_Curve25519_51.h b/include/c89/Hacl_Curve25519_51.h
new file mode 100644
index 00000000..23cb104d
--- /dev/null
+++ b/include/c89/Hacl_Curve25519_51.h
@@ -0,0 +1,53 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Curve25519_51_H +#define __Hacl_Curve25519_51_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_Bignum25519_51.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void Hacl_Curve25519_51_scalarmult(uint8_t *out, uint8_t *priv, uint8_t *pub); + +void Hacl_Curve25519_51_secret_to_public(uint8_t *pub, uint8_t *priv); + +bool Hacl_Curve25519_51_ecdh(uint8_t *out, uint8_t *priv, uint8_t *pub); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Curve25519_51_H_DEFINED +#endif 
diff --git a/include/c89/Hacl_Curve25519_64.h b/include/c89/Hacl_Curve25519_64.h
new file mode 100644
index 00000000..3c2b8221
--- /dev/null
+++ b/include/c89/Hacl_Curve25519_64.h
@@ -0,0 +1,52 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Curve25519_64_H +#define __Hacl_Curve25519_64_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void Hacl_Curve25519_64_scalarmult(uint8_t *out, uint8_t *priv, uint8_t *pub); + +void Hacl_Curve25519_64_secret_to_public(uint8_t *pub, uint8_t *priv); + +bool Hacl_Curve25519_64_ecdh(uint8_t *out, uint8_t *priv, uint8_t *pub); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Curve25519_64_H_DEFINED +#endif diff --git a/include/c89/Hacl_Curve25519_64_Slow.h b/include/c89/Hacl_Curve25519_64_Slow.h new file mode 100644 index 00000000..57f2d01e 
--- /dev/null +++ b/include/c89/Hacl_Curve25519_64_Slow.h @@ -0,0 +1,53 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Curve25519_64_Slow_H +#define __Hacl_Curve25519_64_Slow_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_Bignum_Base.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void Hacl_Curve25519_64_Slow_scalarmult(uint8_t *out, uint8_t *priv, uint8_t *pub); + +void Hacl_Curve25519_64_Slow_secret_to_public(uint8_t *pub, uint8_t *priv); + +bool Hacl_Curve25519_64_Slow_ecdh(uint8_t *out, uint8_t *priv, uint8_t *pub); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Curve25519_64_Slow_H_DEFINED +#endif 
diff --git a/include/c89/Hacl_EC_Ed25519.h b/include/c89/Hacl_EC_Ed25519.h
new file mode 100644
index 00000000..2b5313f7
--- /dev/null
+++ b/include/c89/Hacl_EC_Ed25519.h
@@ -0,0 +1,79 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_EC_Ed25519_H +#define __Hacl_EC_Ed25519_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_Bignum25519_51.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void Hacl_EC_Ed25519_mk_felem_zero(uint64_t *b); + +void Hacl_EC_Ed25519_mk_felem_one(uint64_t *b); + +void Hacl_EC_Ed25519_felem_add(uint64_t *a, uint64_t *b, uint64_t *out); + +void Hacl_EC_Ed25519_felem_sub(uint64_t *a, uint64_t *b, uint64_t *out); + +void Hacl_EC_Ed25519_felem_mul(uint64_t *a, uint64_t *b, uint64_t *out); + +void Hacl_EC_Ed25519_felem_inv(uint64_t *a, uint64_t *out); + +void Hacl_EC_Ed25519_felem_load(uint8_t *b, uint64_t *out); + +void Hacl_EC_Ed25519_felem_store(uint64_t *a, uint8_t *out); + +void Hacl_EC_Ed25519_mk_point_at_inf(uint64_t *p); + +void Hacl_EC_Ed25519_mk_base_point(uint64_t *p); + +void Hacl_EC_Ed25519_point_negate(uint64_t *p, uint64_t *out); + +void Hacl_EC_Ed25519_point_add(uint64_t *p, uint64_t *q, uint64_t *out); + +void Hacl_EC_Ed25519_point_mul(uint8_t *scalar, uint64_t *p, uint64_t *out); + +bool Hacl_EC_Ed25519_point_eq(uint64_t *p, uint64_t *q); + +void Hacl_EC_Ed25519_point_compress(uint64_t *p, uint8_t *out); + +bool Hacl_EC_Ed25519_point_decompress(uint8_t *s, uint64_t *out); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_EC_Ed25519_H_DEFINED +#endif diff --git a/include/c89/Hacl_Ed25519.h b/include/c89/Hacl_Ed25519.h new file mode 100644 index 00000000..0c65c822 --- /dev/null +++ b/include/c89/Hacl_Ed25519.h 
@@ -0,0 +1,59 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Ed25519_H +#define __Hacl_Ed25519_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Streaming_SHA2.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Hash_SHA2.h" +#include "Hacl_Bignum25519_51.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void Hacl_Ed25519_sign(uint8_t *signature, uint8_t *priv, uint32_t len, uint8_t *msg); + +bool Hacl_Ed25519_verify(uint8_t *pub, uint32_t len, uint8_t *msg, uint8_t *signature); + +void Hacl_Ed25519_secret_to_public(uint8_t *pub, uint8_t *priv); + +void Hacl_Ed25519_expand_keys(uint8_t *ks, uint8_t *priv); + +void Hacl_Ed25519_sign_expanded(uint8_t *signature, uint8_t *ks, uint32_t len, uint8_t *msg); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Ed25519_H_DEFINED +#endif diff --git a/include/c89/Hacl_FFDHE.h b/include/c89/Hacl_FFDHE.h new file mode 100644 index 00000000..ea969c01 --- /dev/null +++ b/include/c89/Hacl_FFDHE.h 
@@ -0,0 +1,73 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_FFDHE_H +#define __Hacl_FFDHE_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Spec.h" +#include "Hacl_Impl_FFDHE_Constants.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t Hacl_FFDHE_ffdhe_len(Spec_FFDHE_ffdhe_alg a); + +uint64_t *Hacl_FFDHE_new_ffdhe_precomp_p(Spec_FFDHE_ffdhe_alg a); + +void +Hacl_FFDHE_ffdhe_secret_to_public_precomp( + Spec_FFDHE_ffdhe_alg a, + uint64_t *p_r2_n, + uint8_t *sk, + uint8_t *pk +); + +void Hacl_FFDHE_ffdhe_secret_to_public(Spec_FFDHE_ffdhe_alg a, uint8_t *sk, uint8_t *pk); + +uint64_t +Hacl_FFDHE_ffdhe_shared_secret_precomp( + Spec_FFDHE_ffdhe_alg a, + uint64_t *p_r2_n, + uint8_t *sk, + uint8_t *pk, + uint8_t *ss +); + +uint64_t +Hacl_FFDHE_ffdhe_shared_secret(Spec_FFDHE_ffdhe_alg a, uint8_t *sk, uint8_t *pk, uint8_t *ss); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_FFDHE_H_DEFINED +#endif diff --git a/include/c89/Hacl_Frodo1344.h b/include/c89/Hacl_Frodo1344.h new file mode 100644 index 00000000..10443f22 --- /dev/null +++ b/include/c89/Hacl_Frodo1344.h 
@@ -0,0 +1,63 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Frodo1344_H +#define __Hacl_Frodo1344_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Lib_Memzero0.h" +#include "Hacl_Spec.h" +#include "Hacl_SHA3.h" +#include "Hacl_Frodo_KEM.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +extern uint32_t Hacl_Frodo1344_crypto_bytes; + +extern uint32_t Hacl_Frodo1344_crypto_publickeybytes; + +extern uint32_t Hacl_Frodo1344_crypto_secretkeybytes; + +extern uint32_t Hacl_Frodo1344_crypto_ciphertextbytes; + +uint32_t Hacl_Frodo1344_crypto_kem_keypair(uint8_t *pk, uint8_t *sk); + +uint32_t Hacl_Frodo1344_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk); + +uint32_t Hacl_Frodo1344_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Frodo1344_H_DEFINED +#endif diff --git a/include/c89/Hacl_Frodo64.h b/include/c89/Hacl_Frodo64.h new file mode 100644 index 00000000..6c5677de --- /dev/null +++ b/include/c89/Hacl_Frodo64.h 
@@ -0,0 +1,68 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Frodo64_H +#define __Hacl_Frodo64_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Lib_Memzero0.h" +#include "Hacl_Spec.h" +#include "Hacl_SHA3.h" +#include "Hacl_Frodo_KEM.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +/* + this variant is used only for testing purposes! 
+ */ + + +extern uint32_t Hacl_Frodo64_crypto_bytes; + +extern uint32_t Hacl_Frodo64_crypto_publickeybytes; + +extern uint32_t Hacl_Frodo64_crypto_secretkeybytes; + +extern uint32_t Hacl_Frodo64_crypto_ciphertextbytes; + +uint32_t Hacl_Frodo64_crypto_kem_keypair(uint8_t *pk, uint8_t *sk); + +uint32_t Hacl_Frodo64_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk); + +uint32_t Hacl_Frodo64_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Frodo64_H_DEFINED +#endif diff --git a/include/c89/Hacl_Frodo640.h b/include/c89/Hacl_Frodo640.h new file mode 100644 index 00000000..9016c3e8 --- /dev/null +++ b/include/c89/Hacl_Frodo640.h 
@@ -0,0 +1,63 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Frodo640_H +#define __Hacl_Frodo640_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Lib_Memzero0.h" +#include "Hacl_Spec.h" +#include "Hacl_SHA3.h" +#include "Hacl_Frodo_KEM.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +extern uint32_t Hacl_Frodo640_crypto_bytes; + +extern uint32_t Hacl_Frodo640_crypto_publickeybytes; + +extern uint32_t Hacl_Frodo640_crypto_secretkeybytes; + +extern uint32_t Hacl_Frodo640_crypto_ciphertextbytes; + +uint32_t Hacl_Frodo640_crypto_kem_keypair(uint8_t *pk, uint8_t *sk); + +uint32_t Hacl_Frodo640_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk); + +uint32_t Hacl_Frodo640_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Frodo640_H_DEFINED +#endif diff --git a/include/c89/Hacl_Frodo976.h b/include/c89/Hacl_Frodo976.h new file mode 100644 index 00000000..5551506b --- /dev/null +++ b/include/c89/Hacl_Frodo976.h 
@@ -0,0 +1,63 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Frodo976_H +#define __Hacl_Frodo976_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Lib_Memzero0.h" +#include "Hacl_Spec.h" +#include "Hacl_SHA3.h" +#include "Hacl_Frodo_KEM.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +extern uint32_t Hacl_Frodo976_crypto_bytes; + +extern uint32_t Hacl_Frodo976_crypto_publickeybytes; + +extern uint32_t Hacl_Frodo976_crypto_secretkeybytes; + +extern uint32_t Hacl_Frodo976_crypto_ciphertextbytes; + +uint32_t Hacl_Frodo976_crypto_kem_keypair(uint8_t *pk, uint8_t *sk); + +uint32_t Hacl_Frodo976_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk); + +uint32_t Hacl_Frodo976_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Frodo976_H_DEFINED +#endif diff --git a/include/c89/Hacl_Frodo_KEM.h b/include/c89/Hacl_Frodo_KEM.h new file mode 100644 index 00000000..50fbe0aa --- /dev/null +++ b/include/c89/Hacl_Frodo_KEM.h 
@@ -0,0 +1,663 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Frodo_KEM_H +#define __Hacl_Frodo_KEM_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Lib_RandomBuffer_System.h" +#include "Hacl_Spec.h" +#include "Hacl_SHA3.h" +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +static inline void +Hacl_Keccak_shake128_4x( + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3, + uint32_t output_len, + uint8_t *output0, + uint8_t *output1, + uint8_t *output2, + uint8_t *output3 +) +{ + Hacl_SHA3_shake128_hacl(input_len, input0, output_len, output0); + Hacl_SHA3_shake128_hacl(input_len, input1, output_len, output1); + Hacl_SHA3_shake128_hacl(input_len, input2, output_len, output2); + Hacl_SHA3_shake128_hacl(input_len, input3, output_len, output3); +} + +static inline void +Hacl_Impl_Matrix_mod_pow2(uint32_t n1, uint32_t n2, uint32_t logq, uint16_t *a) +{ + if (logq < (uint32_t)16U) + { + uint32_t i; + for (i = (uint32_t)0U; i < n1; i++) + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < n2; i0++) + { + a[i * n2 + i0] = a[i * n2 + i0] & (((uint16_t)1U << logq) - (uint16_t)1U); + } + } + return; + } +} + +static inline void +Hacl_Impl_Matrix_matrix_add(uint32_t n1, uint32_t n2, uint16_t *a, uint16_t *b) +{ + uint32_t i; + for (i = (uint32_t)0U; i < n1; i++) + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < n2; i0++) + { + a[i * n2 + i0] = a[i * n2 + i0] + b[i * n2 + i0]; + } + } +} + +static inline void +Hacl_Impl_Matrix_matrix_sub(uint32_t n1, uint32_t n2, uint16_t *a, uint16_t *b) +{ + uint32_t i; + for (i = (uint32_t)0U; i < n1; i++) + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < n2; i0++) + { + b[i * n2 + i0] = a[i * n2 + i0] - b[i * n2 + i0]; + } + } +} + +static inline void +Hacl_Impl_Matrix_matrix_mul( + uint32_t n1, + uint32_t n2, + uint32_t n3, + uint16_t *a, + uint16_t *b, 
+ uint16_t *c +) +{ + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < n1; i0++) + { + uint32_t i1; + for (i1 = (uint32_t)0U; i1 < n3; i1++) + { + uint16_t res = (uint16_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < n2; i++) + { + uint16_t aij = a[i0 * n2 + i]; + uint16_t bjk = b[i * n3 + i1]; + uint16_t res0 = res; + res = res0 + aij * bjk; + } + } + c[i0 * n3 + i1] = res; + } + } +} + +static inline void +Hacl_Impl_Matrix_matrix_mul_s( + uint32_t n1, + uint32_t n2, + uint32_t n3, + uint16_t *a, + uint16_t *b, + uint16_t *c +) +{ + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < n1; i0++) + { + uint32_t i1; + for (i1 = (uint32_t)0U; i1 < n3; i1++) + { + uint16_t res = (uint16_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < n2; i++) + { + uint16_t aij = a[i0 * n2 + i]; + uint16_t bjk = b[i1 * n2 + i]; + uint16_t res0 = res; + res = res0 + aij * bjk; + } + } + c[i0 * n3 + i1] = res; + } + } +} + +static inline uint16_t +Hacl_Impl_Matrix_matrix_eq(uint32_t n1, uint32_t n2, uint16_t *a, uint16_t *b) +{ + uint16_t res = (uint16_t)0xFFFFU; + uint16_t r; + { + uint32_t i; + for (i = (uint32_t)0U; i < n1 * n2; i++) + { + uint16_t uu____0 = FStar_UInt16_eq_mask(a[i], b[i]); + res = uu____0 & res; + } + } + r = res; + return r; +} + +static inline void +Hacl_Impl_Matrix_matrix_to_lbytes(uint32_t n1, uint32_t n2, uint16_t *m, uint8_t *res) +{ + uint32_t i; + for (i = (uint32_t)0U; i < n1 * n2; i++) + { + store16_le(res + (uint32_t)2U * i, m[i]); + } +} + +static inline void +Hacl_Impl_Matrix_matrix_from_lbytes(uint32_t n1, uint32_t n2, uint8_t *b, uint16_t *res) +{ + uint32_t i; + for (i = (uint32_t)0U; i < n1 * n2; i++) + { + uint16_t *os = res; + uint16_t u = load16_le(b + (uint32_t)2U * i); + uint16_t x = u; + os[i] = x; + } +} + +static inline void +Hacl_Impl_Frodo_Gen_frodo_gen_matrix_shake_4x(uint32_t n, uint8_t *seed, uint16_t *res) +{ + KRML_CHECK_SIZE(sizeof (uint8_t), (uint32_t)8U * n); + { + uint8_t r[(uint32_t)8U * n]; + memset(r, 0U, (uint32_t)8U * n * sizeof 
(uint8_t)); + { + uint8_t tmp_seed[72U] = { 0U }; + memcpy(tmp_seed + (uint32_t)2U, seed, (uint32_t)16U * sizeof (uint8_t)); + memcpy(tmp_seed + (uint32_t)20U, seed, (uint32_t)16U * sizeof (uint8_t)); + memcpy(tmp_seed + (uint32_t)38U, seed, (uint32_t)16U * sizeof (uint8_t)); + memcpy(tmp_seed + (uint32_t)56U, seed, (uint32_t)16U * sizeof (uint8_t)); + memset(res, 0U, n * n * sizeof (uint16_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < n / (uint32_t)4U; i++) + { + uint8_t *r0 = r + (uint32_t)0U * n; + uint8_t *r1 = r + (uint32_t)2U * n; + uint8_t *r2 = r + (uint32_t)4U * n; + uint8_t *r3 = r + (uint32_t)6U * n; + uint8_t *tmp_seed0 = tmp_seed; + uint8_t *tmp_seed1 = tmp_seed + (uint32_t)18U; + uint8_t *tmp_seed2 = tmp_seed + (uint32_t)36U; + uint8_t *tmp_seed3 = tmp_seed + (uint32_t)54U; + store16_le(tmp_seed0, (uint16_t)((uint32_t)4U * i + (uint32_t)0U)); + store16_le(tmp_seed1, (uint16_t)((uint32_t)4U * i + (uint32_t)1U)); + store16_le(tmp_seed2, (uint16_t)((uint32_t)4U * i + (uint32_t)2U)); + store16_le(tmp_seed3, (uint16_t)((uint32_t)4U * i + (uint32_t)3U)); + Hacl_Keccak_shake128_4x((uint32_t)18U, + tmp_seed0, + tmp_seed1, + tmp_seed2, + tmp_seed3, + (uint32_t)2U * n, + r0, + r1, + r2, + r3); + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < n; i0++) + { + uint8_t *resij0 = r0 + i0 * (uint32_t)2U; + uint8_t *resij1 = r1 + i0 * (uint32_t)2U; + uint8_t *resij2 = r2 + i0 * (uint32_t)2U; + uint8_t *resij3 = r3 + i0 * (uint32_t)2U; + uint16_t u = load16_le(resij0); + res[((uint32_t)4U * i + (uint32_t)0U) * n + i0] = u; + { + uint16_t u0 = load16_le(resij1); + res[((uint32_t)4U * i + (uint32_t)1U) * n + i0] = u0; + { + uint16_t u1 = load16_le(resij2); + res[((uint32_t)4U * i + (uint32_t)2U) * n + i0] = u1; + { + uint16_t u2 = load16_le(resij3); + res[((uint32_t)4U * i + (uint32_t)3U) * n + i0] = u2; + } + } + } + } + } + } + } + } + } +} + +static inline void +Hacl_Impl_Frodo_Params_frodo_gen_matrix( + Spec_Frodo_Params_frodo_gen_a a, + uint32_t n, + uint8_t 
*seed, + uint16_t *a_matrix +) +{ + switch (a) + { + case Spec_Frodo_Params_SHAKE128: + { + Hacl_Impl_Frodo_Gen_frodo_gen_matrix_shake_4x(n, seed, a_matrix); + break; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +static const +uint16_t +Hacl_Impl_Frodo_Params_cdf_table640[13U] = + { + (uint16_t)4643U, (uint16_t)13363U, (uint16_t)20579U, (uint16_t)25843U, (uint16_t)29227U, + (uint16_t)31145U, (uint16_t)32103U, (uint16_t)32525U, (uint16_t)32689U, (uint16_t)32745U, + (uint16_t)32762U, (uint16_t)32766U, (uint16_t)32767U + }; + +static const +uint16_t +Hacl_Impl_Frodo_Params_cdf_table976[11U] = + { + (uint16_t)5638U, (uint16_t)15915U, (uint16_t)23689U, (uint16_t)28571U, (uint16_t)31116U, + (uint16_t)32217U, (uint16_t)32613U, (uint16_t)32731U, (uint16_t)32760U, (uint16_t)32766U, + (uint16_t)32767U + }; + +static const +uint16_t +Hacl_Impl_Frodo_Params_cdf_table1344[7U] = + { + (uint16_t)9142U, (uint16_t)23462U, (uint16_t)30338U, (uint16_t)32361U, (uint16_t)32725U, + (uint16_t)32765U, (uint16_t)32767U + }; + +static inline void +Hacl_Impl_Frodo_Sample_frodo_sample_matrix64( + uint32_t n1, + uint32_t n2, + uint8_t *r, + uint16_t *res +) +{ + uint32_t i; + memset(res, 0U, n1 * n2 * sizeof (uint16_t)); + for (i = (uint32_t)0U; i < n1; i++) + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < n2; i0++) + { + uint8_t *resij = r + (uint32_t)2U * (n2 * i + i0); + uint16_t u = load16_le(resij); + uint16_t uu____0 = u; + uint16_t prnd = uu____0 >> (uint32_t)1U; + uint16_t sign = uu____0 & (uint16_t)1U; + uint16_t sample = (uint16_t)0U; + uint32_t bound = (uint32_t)12U; + uint16_t sample00; + { + uint32_t i1; + for (i1 = (uint32_t)0U; i1 < bound; i1++) + { + uint16_t sample0 = sample; + uint16_t ti = Hacl_Impl_Frodo_Params_cdf_table640[i1]; + uint16_t samplei = (uint16_t)(uint32_t)(ti - prnd) >> (uint32_t)15U; + sample = samplei + sample0; + } + } + sample00 = sample; + res[i * n2 + i0] = ((~sign 
+ (uint16_t)1U) ^ sample00) + sign; + } + } +} + +static inline void +Hacl_Impl_Frodo_Sample_frodo_sample_matrix640( + uint32_t n1, + uint32_t n2, + uint8_t *r, + uint16_t *res +) +{ + uint32_t i; + memset(res, 0U, n1 * n2 * sizeof (uint16_t)); + for (i = (uint32_t)0U; i < n1; i++) + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < n2; i0++) + { + uint8_t *resij = r + (uint32_t)2U * (n2 * i + i0); + uint16_t u = load16_le(resij); + uint16_t uu____0 = u; + uint16_t prnd = uu____0 >> (uint32_t)1U; + uint16_t sign = uu____0 & (uint16_t)1U; + uint16_t sample = (uint16_t)0U; + uint32_t bound = (uint32_t)12U; + uint16_t sample00; + { + uint32_t i1; + for (i1 = (uint32_t)0U; i1 < bound; i1++) + { + uint16_t sample0 = sample; + uint16_t ti = Hacl_Impl_Frodo_Params_cdf_table640[i1]; + uint16_t samplei = (uint16_t)(uint32_t)(ti - prnd) >> (uint32_t)15U; + sample = samplei + sample0; + } + } + sample00 = sample; + res[i * n2 + i0] = ((~sign + (uint16_t)1U) ^ sample00) + sign; + } + } +} + +static inline void +Hacl_Impl_Frodo_Sample_frodo_sample_matrix976( + uint32_t n1, + uint32_t n2, + uint8_t *r, + uint16_t *res +) +{ + uint32_t i; + memset(res, 0U, n1 * n2 * sizeof (uint16_t)); + for (i = (uint32_t)0U; i < n1; i++) + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < n2; i0++) + { + uint8_t *resij = r + (uint32_t)2U * (n2 * i + i0); + uint16_t u = load16_le(resij); + uint16_t uu____0 = u; + uint16_t prnd = uu____0 >> (uint32_t)1U; + uint16_t sign = uu____0 & (uint16_t)1U; + uint16_t sample = (uint16_t)0U; + uint32_t bound = (uint32_t)10U; + uint16_t sample00; + { + uint32_t i1; + for (i1 = (uint32_t)0U; i1 < bound; i1++) + { + uint16_t sample0 = sample; + uint16_t ti = Hacl_Impl_Frodo_Params_cdf_table976[i1]; + uint16_t samplei = (uint16_t)(uint32_t)(ti - prnd) >> (uint32_t)15U; + sample = samplei + sample0; + } + } + sample00 = sample; + res[i * n2 + i0] = ((~sign + (uint16_t)1U) ^ sample00) + sign; + } + } +} + +static inline void 
+Hacl_Impl_Frodo_Sample_frodo_sample_matrix1344( + uint32_t n1, + uint32_t n2, + uint8_t *r, + uint16_t *res +) +{ + uint32_t i; + memset(res, 0U, n1 * n2 * sizeof (uint16_t)); + for (i = (uint32_t)0U; i < n1; i++) + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < n2; i0++) + { + uint8_t *resij = r + (uint32_t)2U * (n2 * i + i0); + uint16_t u = load16_le(resij); + uint16_t uu____0 = u; + uint16_t prnd = uu____0 >> (uint32_t)1U; + uint16_t sign = uu____0 & (uint16_t)1U; + uint16_t sample = (uint16_t)0U; + uint32_t bound = (uint32_t)6U; + uint16_t sample00; + { + uint32_t i1; + for (i1 = (uint32_t)0U; i1 < bound; i1++) + { + uint16_t sample0 = sample; + uint16_t ti = Hacl_Impl_Frodo_Params_cdf_table1344[i1]; + uint16_t samplei = (uint16_t)(uint32_t)(ti - prnd) >> (uint32_t)15U; + sample = samplei + sample0; + } + } + sample00 = sample; + res[i * n2 + i0] = ((~sign + (uint16_t)1U) ^ sample00) + sign; + } + } +} + +static inline void +Hacl_Impl_Frodo_Pack_frodo_pack( + uint32_t n1, + uint32_t n2, + uint32_t d, + uint16_t *a, + uint8_t *res +) +{ + uint32_t n = n1 * n2 / (uint32_t)8U; + uint32_t i; + for (i = (uint32_t)0U; i < n; i++) + { + uint16_t *a1 = a + (uint32_t)8U * i; + uint8_t *r = res + d * i; + uint16_t maskd = (uint16_t)((uint32_t)1U << d) - (uint16_t)1U; + uint8_t v16[16U] = { 0U }; + uint16_t a0 = a1[0U] & maskd; + uint16_t a11 = a1[1U] & maskd; + uint16_t a2 = a1[2U] & maskd; + uint16_t a3 = a1[3U] & maskd; + uint16_t a4 = a1[4U] & maskd; + uint16_t a5 = a1[5U] & maskd; + uint16_t a6 = a1[6U] & maskd; + uint16_t a7 = a1[7U] & maskd; + FStar_UInt128_uint128 + templong = + FStar_UInt128_logor(FStar_UInt128_logor(FStar_UInt128_logor(FStar_UInt128_logor(FStar_UInt128_logor(FStar_UInt128_logor(FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)a0), + (uint32_t)7U * d), + FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)a11), + (uint32_t)6U * d)), + 
FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)a2), + (uint32_t)5U * d)), + FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)a3), + (uint32_t)4U * d)), + FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)a4), + (uint32_t)3U * d)), + FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)a5), + (uint32_t)2U * d)), + FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)a6), (uint32_t)1U * d)), + FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)a7), (uint32_t)0U * d)); + uint8_t *src; + store128_be(v16, templong); + src = v16 + (uint32_t)16U - d; + memcpy(r, src, d * sizeof (uint8_t)); + } +} + +static inline void +Hacl_Impl_Frodo_Pack_frodo_unpack( + uint32_t n1, + uint32_t n2, + uint32_t d, + uint8_t *b, + uint16_t *res +) +{ + uint32_t n = n1 * n2 / (uint32_t)8U; + uint32_t i; + for (i = (uint32_t)0U; i < n; i++) + { + uint8_t *b1 = b + d * i; + uint16_t *r = res + (uint32_t)8U * i; + uint16_t maskd = (uint16_t)((uint32_t)1U << d) - (uint16_t)1U; + uint8_t src[16U] = { 0U }; + FStar_UInt128_uint128 u; + FStar_UInt128_uint128 templong; + memcpy(src + (uint32_t)16U - d, b1, d * sizeof (uint8_t)); + u = load128_be(src); + templong = u; + r[0U] = + (uint16_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(templong, + (uint32_t)7U * d)) + & maskd; + r[1U] = + (uint16_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(templong, + (uint32_t)6U * d)) + & maskd; + r[2U] = + (uint16_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(templong, + (uint32_t)5U * d)) + & maskd; + r[3U] = + (uint16_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(templong, + (uint32_t)4U * d)) + & maskd; + r[4U] = + (uint16_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(templong, + (uint32_t)3U * d)) + & maskd; + r[5U] = + (uint16_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(templong, + (uint32_t)2U * d)) + & maskd; + r[6U] = + 
(uint16_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(templong, + (uint32_t)1U * d)) + & maskd; + r[7U] = + (uint16_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(templong, + (uint32_t)0U * d)) + & maskd; + } +} + +static inline void +Hacl_Impl_Frodo_Encode_frodo_key_encode( + uint32_t logq, + uint32_t b, + uint32_t n, + uint8_t *a, + uint16_t *res +) +{ + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < n; i0++) + { + uint8_t v8[8U] = { 0U }; + uint8_t *chunk = a + i0 * b; + uint64_t u; + uint64_t x0; + uint64_t x; + uint32_t i; + memcpy(v8, chunk, b * sizeof (uint8_t)); + u = load64_le(v8); + x0 = u; + x = x0; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint64_t rk = x >> b * i & (((uint64_t)1U << b) - (uint64_t)1U); + res[i0 * n + i] = (uint16_t)rk << (logq - b); + } + } +} + +static inline void +Hacl_Impl_Frodo_Encode_frodo_key_decode( + uint32_t logq, + uint32_t b, + uint32_t n, + uint16_t *a, + uint8_t *res +) +{ + uint32_t i; + for (i = (uint32_t)0U; i < n; i++) + { + uint64_t templong0 = (uint64_t)0U; + uint64_t templong; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)8U; i0++) + { + uint16_t aik = a[i * n + i0]; + uint16_t res1 = (aik + ((uint16_t)1U << (logq - b - (uint32_t)1U))) >> (logq - b); + templong0 = templong0 | (uint64_t)(res1 & (((uint16_t)1U << b) - (uint16_t)1U)) << b * i0; + } + } + templong = templong0; + { + uint8_t v8[8U] = { 0U }; + uint8_t *tmp; + store64_le(v8, templong); + tmp = v8; + memcpy(res + i * b, tmp, b * sizeof (uint8_t)); + } + } +} + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Frodo_KEM_H_DEFINED +#endif diff --git a/include/c89/Hacl_GenericField32.h b/include/c89/Hacl_GenericField32.h new file mode 100644 index 00000000..1dcec1d8 --- /dev/null +++ b/include/c89/Hacl_GenericField32.h 
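Review bot: The `static inline` helpers in this public header carry unchecked preconditions that nothing in the header states: `Hacl_Impl_Frodo_Encode_frodo_key_encode` copies `b` bytes into the 8-byte `v8` and shifts by `logq - b`, so it needs `b <= 8` and `logq >= b`; `Hacl_Impl_Frodo_Pack_frodo_pack`/`frodo_unpack` compute `1U << d` and copy `d` bytes to or from `v16 + 16U - d`, so they need `d <= 16`; and `Hacl_Impl_Frodo_Gen_frodo_gen_matrix_shake_4x` fills rows four at a time over `n / 4U` iterations, leaving the trailing rows at the `memset` zero when `n` is not a multiple of 4. These bounds are presumably discharged by the F* proofs of the verified callers, but a C caller who reaches for the `Hacl_Impl_*` symbols gets no runtime check, so I would add a header-level comment saying that these are internal, that their argument ranges are not validated, and that only the `Hacl_Frodo*_crypto_kem_*` entry points are meant to be called directly. The constant-time shape of the samplers and of `Hacl_Impl_Matrix_matrix_eq` (mask arithmetic, no data-dependent branches) looks intact; a short comment on `Hacl_Impl_Frodo_Sample_frodo_sample_matrix64` noting that it intentionally shares `cdf_table640` and `bound = 12` with the 640 variant would stop a later reader from treating the duplicate as a copy-paste error.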
@@ -0,0 +1,279 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_GenericField32_H +#define __Hacl_GenericField32_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef struct Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32_s +{ + uint32_t len; + uint32_t *n; + uint32_t mu; + uint32_t *r2; +} +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32; + +typedef Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_GenericField32_pbn_mont_ctx_u32; + +/******************************************************************************* + +A verified field arithmetic library. 
+ +This is a 32-bit optimized version, where bignums are represented as an array +of `len` unsigned 32-bit integers, i.e. uint32_t[len]. + +All the arithmetic operations are performed in the Montgomery domain. + +All the functions below preserve the following invariant for a bignum `aM` in +Montgomery form. + • aM < n + +*******************************************************************************/ + + +/* +Check whether this library will work for a modulus `n`. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n +*/ +bool Hacl_GenericField32_field_modulus_check(uint32_t len, uint32_t *n); + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_GenericField32_field_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 +*Hacl_GenericField32_field_init(uint32_t len, uint32_t *n); + +/* +Deallocate the memory previously allocated by Hacl_GenericField32_field_init. + + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void Hacl_GenericField32_field_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k); + +/* +Return the size of a modulus `n` in limbs. + + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +uint32_t Hacl_GenericField32_field_get_len(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k); + +/* +Convert a bignum from the regular representation to the Montgomery representation. + + Write `a * R mod n` in `aM`. + + The argument a and the outparam aM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. 
+*/ +void +Hacl_GenericField32_to_field( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *aM +); + +/* +Convert a result back from the Montgomery representation to the regular representation. + + Write `aM / R mod n` in `a`, i.e. + Hacl_GenericField32_from_field(k, Hacl_GenericField32_to_field(k, a)) == a % n + + The argument aM and the outparam a are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void +Hacl_GenericField32_from_field( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *a +); + +/* +Write `aM + bM mod n` in `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void +Hacl_GenericField32_add( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *bM, + uint32_t *cM +); + +/* +Write `aM - bM mod n` to `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void +Hacl_GenericField32_sub( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *bM, + uint32_t *cM +); + +/* +Write `aM * bM mod n` in `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void +Hacl_GenericField32_mul( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *bM, + uint32_t *cM +); + +/* +Write `aM * aM mod n` in `cM`. + + The argument aM and the outparam cM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. 
+*/ +void +Hacl_GenericField32_sqr( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *cM +); + +/* +Convert a bignum `one` to its Montgomery representation. + + The outparam oneM is meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void Hacl_GenericField32_one(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, uint32_t *oneM); + +/* +Write `aM ^ b mod n` in `resM`. + + The argument aM and the outparam resM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than exp_vartime. + + Before calling this function, the caller will need to ensure that the following + precondition is observed. + • b < pow2 bBits +*/ +void +Hacl_GenericField32_exp_consttime( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t bBits, + uint32_t *b, + uint32_t *resM +); + +/* +Write `aM ^ b mod n` in `resM`. + + The argument aM and the outparam resM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. 
See the + exp_consttime function for constant-time variant. + + Before calling this function, the caller will need to ensure that the following + precondition is observed. + • b < pow2 bBits +*/ +void +Hacl_GenericField32_exp_vartime( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t bBits, + uint32_t *b, + uint32_t *resM +); + +/* +Write `aM ^ (-1) mod n` in `aInvM`. + + The argument aM and the outparam aInvM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < aM +*/ +void +Hacl_GenericField32_inverse( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *aInvM +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_GenericField32_H_DEFINED +#endif diff --git a/include/c89/Hacl_GenericField64.h b/include/c89/Hacl_GenericField64.h new file mode 100644 index 00000000..c4411b45 --- /dev/null +++ b/include/c89/Hacl_GenericField64.h 
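Review bot: None of the read-only pointer parameters are `const`-qualified: `Hacl_GenericField32_field_modulus_check(uint32_t len, uint32_t *n)`, the `n` of `field_init`, and the `aM`/`bM`/`b` inputs of `add`, `sub`, `mul`, `sqr`, `exp_*` and `inverse` are all plain `uint32_t *`, even though the header's own comments describe them as inputs, which forces callers holding a `const` modulus to cast and hides which buffers the library actually writes. If the generated prototypes cannot be changed, one line in the header banner saying that in-parameters are never written would help; the `Hacl_GenericField64` header further down has the same issue. The `field_init` comment also leaves open whether it returns NULL when the stated preconditions (odd `n`, `1 < n`) are violated or when allocation fails; the comment should say which, since the "call field_free on the return value" contract only makes sense once the return has been checked.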
@@ -0,0 +1,270 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_GenericField64_H +#define __Hacl_GenericField64_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Bignum256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_GenericField64_pbn_mont_ctx_u64; + +/******************************************************************************* + +A verified field arithmetic library. + +This is a 64-bit optimized version, where bignums are represented as an array +of `len` unsigned 64-bit integers, i.e. uint64_t[len]. + +All the arithmetic operations are performed in the Montgomery domain. 
+ +All the functions below preserve the following invariant for a bignum `aM` in +Montgomery form. + • aM < n + +*******************************************************************************/ + + +/* +Check whether this library will work for a modulus `n`. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n +*/ +bool Hacl_GenericField64_field_modulus_check(uint32_t len, uint64_t *n); + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be `len` limbs in size, i.e. uint64_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_GenericField64_field_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 +*Hacl_GenericField64_field_init(uint32_t len, uint64_t *n); + +/* +Deallocate the memory previously allocated by Hacl_GenericField64_field_init. + + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void Hacl_GenericField64_field_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k); + +/* +Return the size of a modulus `n` in limbs. + + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +uint32_t Hacl_GenericField64_field_get_len(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k); + +/* +Convert a bignum from the regular representation to the Montgomery representation. + + Write `a * R mod n` in `aM`. + + The argument a and the outparam aM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_to_field( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *aM +); + +/* +Convert a result back from the Montgomery representation to the regular representation. 
+ + Write `aM / R mod n` in `a`, i.e. + Hacl_GenericField64_from_field(k, Hacl_GenericField64_to_field(k, a)) == a % n + + The argument aM and the outparam a are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_from_field( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *a +); + +/* +Write `aM + bM mod n` in `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_add( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *bM, + uint64_t *cM +); + +/* +Write `aM - bM mod n` to `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_sub( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *bM, + uint64_t *cM +); + +/* +Write `aM * bM mod n` in `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_mul( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *bM, + uint64_t *cM +); + +/* +Write `aM * aM mod n` in `cM`. + + The argument aM and the outparam cM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_sqr( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *cM +); + +/* +Convert a bignum `one` to its Montgomery representation. 
+ + The outparam oneM is meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void Hacl_GenericField64_one(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, uint64_t *oneM); + +/* +Write `aM ^ b mod n` in `resM`. + + The argument aM and the outparam resM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than exp_vartime. + + Before calling this function, the caller will need to ensure that the following + precondition is observed. + • b < pow2 bBits +*/ +void +Hacl_GenericField64_exp_consttime( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint32_t bBits, + uint64_t *b, + uint64_t *resM +); + +/* +Write `aM ^ b mod n` in `resM`. + + The argument aM and the outparam resM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + exp_consttime function for constant-time variant. + + Before calling this function, the caller will need to ensure that the following + precondition is observed. 
+ • b < pow2 bBits +*/ +void +Hacl_GenericField64_exp_vartime( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint32_t bBits, + uint64_t *b, + uint64_t *resM +); + +/* +Write `aM ^ (-1) mod n` in `aInvM`. + + The argument aM and the outparam aInvM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < aM +*/ +void +Hacl_GenericField64_inverse( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *aInvM +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_GenericField64_H_DEFINED +#endif diff --git a/include/c89/Hacl_HKDF.h b/include/c89/Hacl_HKDF.h new file mode 100644 index 00000000..c2a8e911 --- /dev/null +++ b/include/c89/Hacl_HKDF.h 
@@ -0,0 +1,122 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HKDF_H +#define __Hacl_HKDF_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_HMAC.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_HKDF_expand_sha2_256( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +Hacl_HKDF_extract_sha2_256( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +void +Hacl_HKDF_expand_sha2_512( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +Hacl_HKDF_extract_sha2_512( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +void +Hacl_HKDF_expand_blake2s_32( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +Hacl_HKDF_extract_blake2s_32( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +void +Hacl_HKDF_expand_blake2b_32( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +Hacl_HKDF_extract_blake2b_32( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HKDF_H_DEFINED +#endif diff --git a/include/c89/Hacl_HKDF_Blake2b_256.h b/include/c89/Hacl_HKDF_Blake2b_256.h new file mode 100644 index 00000000..12228eae --- /dev/null +++ b/include/c89/Hacl_HKDF_Blake2b_256.h 
@@ -0,0 +1,65 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_HKDF_Blake2b_256_H +#define __Hacl_HKDF_Blake2b_256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_HMAC_Blake2b_256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_HKDF_Blake2b_256_expand_blake2b_256( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +Hacl_HKDF_Blake2b_256_extract_blake2b_256( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HKDF_Blake2b_256_H_DEFINED +#endif 
diff --git a/include/c89/Hacl_HKDF_Blake2s_128.h b/include/c89/Hacl_HKDF_Blake2s_128.h
new file mode 100644
index 00000000..b01cb01c
--- /dev/null
+++ b/include/c89/Hacl_HKDF_Blake2s_128.h
@@ -0,0 +1,65 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_HKDF_Blake2s_128_H +#define __Hacl_HKDF_Blake2s_128_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_HMAC_Blake2s_128.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_HKDF_Blake2s_128_expand_blake2s_128( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +Hacl_HKDF_Blake2s_128_extract_blake2s_128( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HKDF_Blake2s_128_H_DEFINED +#endif 
diff --git a/include/c89/Hacl_HMAC.h b/include/c89/Hacl_HMAC.h
new file mode 100644
index 00000000..238c7b43
--- /dev/null
+++ b/include/c89/Hacl_HMAC.h
@@ -0,0 +1,103 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HMAC_H +#define __Hacl_HMAC_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_Impl_Blake2_Constants.h" +#include "Hacl_Hash_SHA2.h" +#include "Hacl_Hash_SHA1.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_HMAC_legacy_compute_sha1( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +void +Hacl_HMAC_compute_sha2_256( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +void +Hacl_HMAC_compute_sha2_384( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +void +Hacl_HMAC_compute_sha2_512( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +void +Hacl_HMAC_compute_blake2s_32( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +void +Hacl_HMAC_compute_blake2b_32( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HMAC_H_DEFINED +#endif diff --git a/include/c89/Hacl_HMAC_Blake2b_256.h b/include/c89/Hacl_HMAC_Blake2b_256.h new file mode 100644 index 00000000..797075cb --- /dev/null +++ b/include/c89/Hacl_HMAC_Blake2b_256.h 
@@ -0,0 +1,56 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_HMAC_Blake2b_256_H +#define __Hacl_HMAC_Blake2b_256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_Impl_Blake2_Constants.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_HMAC_Blake2b_256_compute_blake2b_256( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HMAC_Blake2b_256_H_DEFINED +#endif diff --git a/include/c89/Hacl_HMAC_Blake2s_128.h b/include/c89/Hacl_HMAC_Blake2s_128.h new file mode 100644 index 00000000..c9b320ba --- /dev/null 
+++ b/include/c89/Hacl_HMAC_Blake2s_128.h @@ -0,0 +1,55 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_HMAC_Blake2s_128_H +#define __Hacl_HMAC_Blake2s_128_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Impl_Blake2_Constants.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_HMAC_Blake2s_128_compute_blake2s_128( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HMAC_Blake2s_128_H_DEFINED +#endif diff --git a/include/c89/Hacl_HMAC_DRBG.h b/include/c89/Hacl_HMAC_DRBG.h new file mode 100644 index 00000000..c3172e3a --- /dev/null 
+++ b/include/c89/Hacl_HMAC_DRBG.h 
@@ -0,0 +1,106 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */
+
+
+#ifndef __Hacl_HMAC_DRBG_H
+#define __Hacl_HMAC_DRBG_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include 
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Spec.h"
+#include "Hacl_HMAC.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+typedef Spec_Hash_Definitions_hash_alg Hacl_HMAC_DRBG_supported_alg;
+
+extern uint32_t Hacl_HMAC_DRBG_reseed_interval;
+
+extern uint32_t Hacl_HMAC_DRBG_max_output_length;
+
+extern uint32_t Hacl_HMAC_DRBG_max_length;
+
+extern uint32_t Hacl_HMAC_DRBG_max_personalization_string_length;
+
+extern uint32_t Hacl_HMAC_DRBG_max_additional_input_length;
+
+uint32_t Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_hash_alg a);
+
+typedef struct Hacl_HMAC_DRBG_state_s
+{
+ uint8_t *k;
+ uint8_t *v;
+ uint32_t *reseed_counter;
+}
+Hacl_HMAC_DRBG_state;
+
+bool
+Hacl_HMAC_DRBG_uu___is_State(Spec_Hash_Definitions_hash_alg a, Hacl_HMAC_DRBG_state projectee);
+
+Hacl_HMAC_DRBG_state Hacl_HMAC_DRBG_create_in(Spec_Hash_Definitions_hash_alg a);
+
+void
+Hacl_HMAC_DRBG_instantiate(
+ Spec_Hash_Definitions_hash_alg a,
+ Hacl_HMAC_DRBG_state st,
+ uint32_t entropy_input_len,
+ uint8_t *entropy_input,
+ uint32_t nonce_len,
+ uint8_t *nonce,
+ uint32_t personalization_string_len,
+ uint8_t *personalization_string
+);
+
+void
+Hacl_HMAC_DRBG_reseed(
+ Spec_Hash_Definitions_hash_alg a,
+ Hacl_HMAC_DRBG_state st,
+ uint32_t entropy_input_len,
+ uint8_t *entropy_input,
+ uint32_t additional_input_input_len,
+ uint8_t *additional_input_input
+);
+
+bool
+Hacl_HMAC_DRBG_generate(
+ Spec_Hash_Definitions_hash_alg a,
+ uint8_t *output,
+ Hacl_HMAC_DRBG_state st,
+ uint32_t n,
+ uint32_t additional_input_len,
+ uint8_t *additional_input
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_HMAC_DRBG_H_DEFINED
+#endif
diff --git a/include/c89/Hacl_HPKE_Curve51_CP128_SHA256.h b/include/c89/Hacl_HPKE_Curve51_CP128_SHA256.h
new file mode 100644
index 00000000..f337e4c2
--- /dev/null
+++ b/include/c89/Hacl_HPKE_Curve51_CP128_SHA256.h
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve51_CP128_SHA256_H +#define __Hacl_HPKE_Curve51_CP128_SHA256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_51.h" +#include "Hacl_Chacha20Poly1305_128.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve51_CP128_SHA256_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve51_CP128_SHA256_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve51_CP128_SHA256_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve51_CP128_SHA256_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve51_CP128_SHA256_H_DEFINED +#endif diff --git a/include/c89/Hacl_HPKE_Curve51_CP128_SHA512.h b/include/c89/Hacl_HPKE_Curve51_CP128_SHA512.h new file mode 100644 index 00000000..1c870340 --- /dev/null +++ b/include/c89/Hacl_HPKE_Curve51_CP128_SHA512.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve51_CP128_SHA512_H +#define __Hacl_HPKE_Curve51_CP128_SHA512_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_51.h" +#include "Hacl_Chacha20Poly1305_128.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve51_CP128_SHA512_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve51_CP128_SHA512_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve51_CP128_SHA512_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve51_CP128_SHA512_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve51_CP128_SHA512_H_DEFINED +#endif diff --git a/include/c89/Hacl_HPKE_Curve51_CP256_SHA256.h b/include/c89/Hacl_HPKE_Curve51_CP256_SHA256.h new file mode 100644 index 00000000..9c2c8fb9 --- /dev/null +++ b/include/c89/Hacl_HPKE_Curve51_CP256_SHA256.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve51_CP256_SHA256_H +#define __Hacl_HPKE_Curve51_CP256_SHA256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_51.h" +#include "Hacl_Chacha20Poly1305_256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve51_CP256_SHA256_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve51_CP256_SHA256_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve51_CP256_SHA256_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve51_CP256_SHA256_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve51_CP256_SHA256_H_DEFINED +#endif diff --git a/include/c89/Hacl_HPKE_Curve51_CP256_SHA512.h b/include/c89/Hacl_HPKE_Curve51_CP256_SHA512.h new file mode 100644 index 00000000..b03673d0 --- /dev/null +++ b/include/c89/Hacl_HPKE_Curve51_CP256_SHA512.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve51_CP256_SHA512_H +#define __Hacl_HPKE_Curve51_CP256_SHA512_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_51.h" +#include "Hacl_Chacha20Poly1305_256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve51_CP256_SHA512_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve51_CP256_SHA512_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve51_CP256_SHA512_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve51_CP256_SHA512_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve51_CP256_SHA512_H_DEFINED +#endif diff --git a/include/c89/Hacl_HPKE_Curve51_CP32_SHA256.h b/include/c89/Hacl_HPKE_Curve51_CP32_SHA256.h new file mode 100644 index 00000000..2e98b356 --- /dev/null +++ b/include/c89/Hacl_HPKE_Curve51_CP32_SHA256.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve51_CP32_SHA256_H +#define __Hacl_HPKE_Curve51_CP32_SHA256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_51.h" +#include "Hacl_Chacha20Poly1305_32.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve51_CP32_SHA256_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve51_CP32_SHA256_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve51_CP32_SHA256_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve51_CP32_SHA256_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve51_CP32_SHA256_H_DEFINED +#endif diff --git a/include/c89/Hacl_HPKE_Curve51_CP32_SHA512.h b/include/c89/Hacl_HPKE_Curve51_CP32_SHA512.h new file mode 100644 index 00000000..6533ca08 --- /dev/null +++ b/include/c89/Hacl_HPKE_Curve51_CP32_SHA512.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve51_CP32_SHA512_H +#define __Hacl_HPKE_Curve51_CP32_SHA512_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_51.h" +#include "Hacl_Chacha20Poly1305_32.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve51_CP32_SHA512_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve51_CP32_SHA512_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve51_CP32_SHA512_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve51_CP32_SHA512_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve51_CP32_SHA512_H_DEFINED +#endif diff --git a/include/c89/Hacl_HPKE_Curve64_CP128_SHA256.h b/include/c89/Hacl_HPKE_Curve64_CP128_SHA256.h new file mode 100644 index 00000000..7e3ba549 --- /dev/null +++ b/include/c89/Hacl_HPKE_Curve64_CP128_SHA256.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve64_CP128_SHA256_H +#define __Hacl_HPKE_Curve64_CP128_SHA256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_Chacha20Poly1305_128.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve64_CP128_SHA256_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP128_SHA256_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP128_SHA256_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve64_CP128_SHA256_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve64_CP128_SHA256_H_DEFINED +#endif diff --git a/include/c89/Hacl_HPKE_Curve64_CP128_SHA512.h b/include/c89/Hacl_HPKE_Curve64_CP128_SHA512.h new file mode 100644 index 00000000..c8728cf0 --- /dev/null +++ b/include/c89/Hacl_HPKE_Curve64_CP128_SHA512.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve64_CP128_SHA512_H +#define __Hacl_HPKE_Curve64_CP128_SHA512_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_Chacha20Poly1305_128.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve64_CP128_SHA512_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP128_SHA512_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP128_SHA512_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve64_CP128_SHA512_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve64_CP128_SHA512_H_DEFINED +#endif diff --git a/include/c89/Hacl_HPKE_Curve64_CP256_SHA256.h b/include/c89/Hacl_HPKE_Curve64_CP256_SHA256.h new file mode 100644 index 00000000..eddeb5fe --- /dev/null +++ b/include/c89/Hacl_HPKE_Curve64_CP256_SHA256.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve64_CP256_SHA256_H +#define __Hacl_HPKE_Curve64_CP256_SHA256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_Chacha20Poly1305_256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve64_CP256_SHA256_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP256_SHA256_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP256_SHA256_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve64_CP256_SHA256_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve64_CP256_SHA256_H_DEFINED +#endif diff --git a/include/c89/Hacl_HPKE_Curve64_CP256_SHA512.h b/include/c89/Hacl_HPKE_Curve64_CP256_SHA512.h new file mode 100644 index 00000000..9294aaec --- /dev/null +++ b/include/c89/Hacl_HPKE_Curve64_CP256_SHA512.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve64_CP256_SHA512_H +#define __Hacl_HPKE_Curve64_CP256_SHA512_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_Chacha20Poly1305_256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve64_CP256_SHA512_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP256_SHA512_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP256_SHA512_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve64_CP256_SHA512_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve64_CP256_SHA512_H_DEFINED +#endif diff --git a/include/c89/Hacl_HPKE_Curve64_CP32_SHA256.h b/include/c89/Hacl_HPKE_Curve64_CP32_SHA256.h new file mode 100644 index 00000000..603fe9a9 --- /dev/null +++ b/include/c89/Hacl_HPKE_Curve64_CP32_SHA256.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve64_CP32_SHA256_H +#define __Hacl_HPKE_Curve64_CP32_SHA256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_Chacha20Poly1305_32.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve64_CP32_SHA256_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP32_SHA256_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP32_SHA256_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve64_CP32_SHA256_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve64_CP32_SHA256_H_DEFINED +#endif diff --git a/include/c89/Hacl_HPKE_Curve64_CP32_SHA512.h b/include/c89/Hacl_HPKE_Curve64_CP32_SHA512.h new file mode 100644 index 00000000..ad1bab4e --- /dev/null +++ b/include/c89/Hacl_HPKE_Curve64_CP32_SHA512.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve64_CP32_SHA512_H +#define __Hacl_HPKE_Curve64_CP32_SHA512_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_Chacha20Poly1305_32.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve64_CP32_SHA512_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP32_SHA512_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP32_SHA512_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve64_CP32_SHA512_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve64_CP32_SHA512_H_DEFINED +#endif diff --git a/include/c89/Hacl_HPKE_P256_CP128_SHA256.h b/include/c89/Hacl_HPKE_P256_CP128_SHA256.h new file mode 100644 index 00000000..857ec1c8 --- /dev/null +++ b/include/c89/Hacl_HPKE_P256_CP128_SHA256.h 
@@ -0,0 +1,91 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_P256_CP128_SHA256_H +#define __Hacl_HPKE_P256_CP128_SHA256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Chacha20Poly1305_128.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_P256_CP128_SHA256_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_P256_CP128_SHA256_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_P256_CP128_SHA256_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_P256_CP128_SHA256_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_P256_CP128_SHA256_H_DEFINED +#endif diff --git a/include/c89/Hacl_HPKE_P256_CP256_SHA256.h b/include/c89/Hacl_HPKE_P256_CP256_SHA256.h new file mode 100644 index 00000000..60a4febf --- /dev/null +++ b/include/c89/Hacl_HPKE_P256_CP256_SHA256.h 
@@ -0,0 +1,91 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_P256_CP256_SHA256_H +#define __Hacl_HPKE_P256_CP256_SHA256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Chacha20Poly1305_256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_P256_CP256_SHA256_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_P256_CP256_SHA256_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_P256_CP256_SHA256_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_P256_CP256_SHA256_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_P256_CP256_SHA256_H_DEFINED +#endif diff --git a/include/c89/Hacl_HPKE_P256_CP32_SHA256.h b/include/c89/Hacl_HPKE_P256_CP32_SHA256.h new file mode 100644 index 00000000..77430c7f --- /dev/null +++ b/include/c89/Hacl_HPKE_P256_CP32_SHA256.h 
@@ -0,0 +1,91 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_P256_CP32_SHA256_H +#define __Hacl_HPKE_P256_CP32_SHA256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Chacha20Poly1305_32.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_P256_CP32_SHA256_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_P256_CP32_SHA256_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_P256_CP32_SHA256_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_P256_CP32_SHA256_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_P256_CP32_SHA256_H_DEFINED +#endif diff --git a/include/c89/Hacl_Hash_Base.h b/include/c89/Hacl_Hash_Base.h new file mode 100644 index 00000000..e4ec8cad --- /dev/null +++ b/include/c89/Hacl_Hash_Base.h 
@@ -0,0 +1,54 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Hash_Base_H +#define __Hacl_Hash_Base_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Spec.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t Hacl_Hash_Definitions_word_len(Spec_Hash_Definitions_hash_alg a); + +uint32_t Hacl_Hash_Definitions_block_len(Spec_Hash_Definitions_hash_alg a); + +uint32_t Hacl_Hash_Definitions_hash_word_len(Spec_Hash_Definitions_hash_alg a); + +uint32_t Hacl_Hash_Definitions_hash_len(Spec_Hash_Definitions_hash_alg a); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Hash_Base_H_DEFINED +#endif 
diff --git a/include/c89/Hacl_Hash_Blake2.h b/include/c89/Hacl_Hash_Blake2.h new file mode 100644 index 00000000..9651ffa2 --- /dev/null +++ b/include/c89/Hacl_Hash_Blake2.h 
@@ -0,0 +1,140 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Hash_Blake2_H +#define __Hacl_Hash_Blake2_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Lib_Memzero0.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Impl_Blake2_Constants.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +#define Hacl_Impl_Blake2_Core_M32 0 +#define Hacl_Impl_Blake2_Core_M128 1 +#define Hacl_Impl_Blake2_Core_M256 2 + +typedef uint8_t Hacl_Impl_Blake2_Core_m_spec; + +void Hacl_Blake2b_32_blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn); + +void +Hacl_Blake2b_32_blake2b_update_key( + uint64_t *wv, + uint64_t *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll +); + +void +Hacl_Blake2b_32_blake2b_update_multi( + uint32_t len, + uint64_t *wv, + uint64_t *hash, + FStar_UInt128_uint128 prev, + uint8_t *blocks, + uint32_t nb +); + +void +Hacl_Blake2b_32_blake2b_update_last( + uint32_t len, + uint64_t *wv, + uint64_t *hash, + FStar_UInt128_uint128 prev, + uint32_t rem, + uint8_t *d +); + +void Hacl_Blake2b_32_blake2b_finish(uint32_t nn, uint8_t *output, uint64_t *hash); + +void +Hacl_Blake2b_32_blake2b( + uint32_t nn, + uint8_t *output, + uint32_t ll, + uint8_t *d, + uint32_t kk, + uint8_t *k +); + +void Hacl_Blake2s_32_blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn); + +void +Hacl_Blake2s_32_blake2s_update_key( + uint32_t *wv, + uint32_t *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll +); + +void +Hacl_Blake2s_32_blake2s_update_multi( + uint32_t len, + uint32_t *wv, + uint32_t *hash, + uint64_t prev, + uint8_t *blocks, + uint32_t nb +); + +void +Hacl_Blake2s_32_blake2s_update_last( + uint32_t len, + uint32_t *wv, + uint32_t *hash, + uint64_t prev, + uint32_t rem, + uint8_t *d +); + +void Hacl_Blake2s_32_blake2s_finish(uint32_t nn, uint8_t *output, uint32_t *hash); + +void +Hacl_Blake2s_32_blake2s( + uint32_t nn, + uint8_t *output, + uint32_t ll, + uint8_t 
*d, + uint32_t kk, + uint8_t *k +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Hash_Blake2_H_DEFINED +#endif diff --git a/include/c89/Hacl_Hash_Blake2b_256.h b/include/c89/Hacl_Hash_Blake2b_256.h new file mode 100644 index 00000000..8514a6d1 --- /dev/null +++ b/include/c89/Hacl_Hash_Blake2b_256.h 
@@ -0,0 +1,97 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Hash_Blake2b_256_H +#define __Hacl_Hash_Blake2b_256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Lib_Memzero0.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Impl_Blake2_Constants.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Blake2b_256_blake2b_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t kk, uint32_t nn); + +void +Hacl_Blake2b_256_blake2b_update_key( + Lib_IntVector_Intrinsics_vec256 *wv, + Lib_IntVector_Intrinsics_vec256 *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll +); + +void +Hacl_Blake2b_256_blake2b_update_multi( + uint32_t len, + Lib_IntVector_Intrinsics_vec256 *wv, + Lib_IntVector_Intrinsics_vec256 *hash, + FStar_UInt128_uint128 prev, + uint8_t *blocks, + uint32_t nb +); + +void +Hacl_Blake2b_256_blake2b_update_last( + uint32_t len, + Lib_IntVector_Intrinsics_vec256 *wv, + Lib_IntVector_Intrinsics_vec256 *hash, + FStar_UInt128_uint128 prev, + uint32_t rem, + uint8_t *d +); + +void +Hacl_Blake2b_256_blake2b_finish( + uint32_t nn, + uint8_t *output, + Lib_IntVector_Intrinsics_vec256 *hash +); + +void +Hacl_Blake2b_256_blake2b( + uint32_t nn, + uint8_t *output, + uint32_t ll, + uint8_t *d, + uint32_t kk, + uint8_t *k +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Hash_Blake2b_256_H_DEFINED +#endif diff --git a/include/c89/Hacl_Hash_Blake2s_128.h b/include/c89/Hacl_Hash_Blake2s_128.h new file mode 100644 index 00000000..228298b9 --- /dev/null +++ b/include/c89/Hacl_Hash_Blake2s_128.h 
@@ -0,0 +1,97 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Hash_Blake2s_128_H +#define __Hacl_Hash_Blake2s_128_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Lib_Memzero0.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Impl_Blake2_Constants.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Blake2s_128_blake2s_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t kk, uint32_t nn); + +void +Hacl_Blake2s_128_blake2s_update_key( + Lib_IntVector_Intrinsics_vec128 *wv, + Lib_IntVector_Intrinsics_vec128 *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll +); + +void +Hacl_Blake2s_128_blake2s_update_multi( + uint32_t len, + Lib_IntVector_Intrinsics_vec128 *wv, + Lib_IntVector_Intrinsics_vec128 *hash, + uint64_t prev, + uint8_t *blocks, + uint32_t nb +); + +void +Hacl_Blake2s_128_blake2s_update_last( + uint32_t len, + Lib_IntVector_Intrinsics_vec128 *wv, + Lib_IntVector_Intrinsics_vec128 *hash, + uint64_t prev, + uint32_t rem, + uint8_t *d +); + +void +Hacl_Blake2s_128_blake2s_finish( + uint32_t nn, + uint8_t *output, + Lib_IntVector_Intrinsics_vec128 *hash +); + +void +Hacl_Blake2s_128_blake2s( + uint32_t nn, + uint8_t *output, + uint32_t ll, + uint8_t *d, + uint32_t kk, + uint8_t *k +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Hash_Blake2s_128_H_DEFINED +#endif diff --git a/include/c89/Hacl_Hash_MD5.h b/include/c89/Hacl_Hash_MD5.h new file mode 100644 index 00000000..178aa51f --- /dev/null +++ b/include/c89/Hacl_Hash_MD5.h 
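Review bot: The include guard `__Hacl_Hash_Blake2s_128_H` (and `__Hacl_Hash_Blake2s_128_H_DEFINED` at the end) begins with two underscores, which C11 7.1.3 reserves for the implementation; a guard such as `HACL_HASH_BLAKE2S_128_H` stays out of the reserved namespace. The same pattern appears in Hacl_Hash_Blake2b_256.h, Hacl_Hash_MD5.h, Hacl_Hash_SHA1.h, Hacl_Hash_SHA2.h, Hacl_Impl_Blake2_Constants.h and Hacl_Impl_FFDHE_Constants.h in this series. The `kremlin/` includes suggest these headers are extracted rather than hand-written, so the change belongs in the extraction template rather than in each file. The bare `+#include` line with no operand, present in every one of these headers, is presumably a `<…>` header name lost in rendering; if the file really reads that way it will not compile.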
@@ -0,0 +1,58 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Hash_MD5_H +#define __Hacl_Hash_MD5_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void Hacl_Hash_MD5_legacy_update_multi(uint32_t *s, uint8_t *blocks, uint32_t n_blocks); + +void +Hacl_Hash_MD5_legacy_update_last( + uint32_t *s, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +); + +void Hacl_Hash_MD5_legacy_hash(uint8_t *input, uint32_t input_len, uint8_t *dst); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Hash_MD5_H_DEFINED +#endif 
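Review bot: `Hacl_Hash_MD5_legacy_hash` and its `legacy_update_*` companions are exported with no comment on why they are marked `legacy` or what that implies for callers; MD5 is not collision resistant, so the header should say so where a new user will see it. A comment above the prototypes such as `/* MD5 is provided for compatibility with legacy protocols only. It is not collision resistant: do not use it for signatures, integrity of untrusted data or password storage. */` would do. The same applies to Hacl_Hash_SHA1.h, whose prototypes follow the same `legacy_*` naming.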
diff --git a/include/c89/Hacl_Hash_SHA1.h b/include/c89/Hacl_Hash_SHA1.h new file mode 100644 index 00000000..d7af8c3c --- /dev/null +++ b/include/c89/Hacl_Hash_SHA1.h 
@@ -0,0 +1,58 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Hash_SHA1_H +#define __Hacl_Hash_SHA1_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void Hacl_Hash_SHA1_legacy_update_multi(uint32_t *s, uint8_t *blocks, uint32_t n_blocks); + +void +Hacl_Hash_SHA1_legacy_update_last( + uint32_t *s, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +); + +void Hacl_Hash_SHA1_legacy_hash(uint8_t *input, uint32_t input_len, uint8_t *dst); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Hash_SHA1_H_DEFINED +#endif 
diff --git a/include/c89/Hacl_Hash_SHA2.h b/include/c89/Hacl_Hash_SHA2.h new file mode 100644 index 00000000..31eaea37 --- /dev/null +++ b/include/c89/Hacl_Hash_SHA2.h 
@@ -0,0 +1,94 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Hash_SHA2_H +#define __Hacl_Hash_SHA2_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void Hacl_Hash_SHA2_update_multi_224(uint32_t *s, uint8_t *blocks, uint32_t n_blocks); + +void Hacl_Hash_SHA2_update_multi_256(uint32_t *s, uint8_t *blocks, uint32_t n_blocks); + +void Hacl_Hash_SHA2_update_multi_384(uint64_t *s, uint8_t *blocks, uint32_t n_blocks); + +void Hacl_Hash_SHA2_update_multi_512(uint64_t *s, uint8_t *blocks, uint32_t n_blocks); + +void +Hacl_Hash_SHA2_update_last_224( + uint32_t *s, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +); + +void +Hacl_Hash_SHA2_update_last_256( + uint32_t *s, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +); + +void +Hacl_Hash_SHA2_update_last_384( + uint64_t *s, + FStar_UInt128_uint128 prev_len, + uint8_t *input, + uint32_t input_len +); + +void +Hacl_Hash_SHA2_update_last_512( + uint64_t *s, + FStar_UInt128_uint128 prev_len, + uint8_t *input, + uint32_t input_len +); + +void Hacl_Hash_SHA2_hash_224(uint8_t *input, uint32_t input_len, uint8_t *dst); + +void Hacl_Hash_SHA2_hash_256(uint8_t *input, uint32_t input_len, uint8_t *dst); + +void Hacl_Hash_SHA2_hash_384(uint8_t *input, uint32_t input_len, uint8_t *dst); + +void Hacl_Hash_SHA2_hash_512(uint8_t *input, uint32_t input_len, uint8_t *dst); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Hash_SHA2_H_DEFINED +#endif diff --git a/include/c89/Hacl_Impl_Blake2_Constants.h b/include/c89/Hacl_Impl_Blake2_Constants.h new file mode 100644 index 00000000..173269b7 --- /dev/null +++ b/include/c89/Hacl_Impl_Blake2_Constants.h 
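Review bot: `prev_len` in the four `Hacl_Hash_SHA2_update_last_*` prototypes is undocumented: nothing states that it is presumably the byte count already fed through `update_multi_*`, and since the functions return `void` an inconsistent value cannot be rejected and would silently yield a wrong digest instead of an error. Judging by the parameter names, `update_multi_*` counts in blocks (`n_blocks`) while `update_last_*` counts in bytes (`input_len`), a mismatch a caller can easily get wrong without a comment. A comment such as `/* prev_len: total number of bytes already absorbed via update_multi; input_len: bytes in the final partial block */` would remove the ambiguity; the same comment is missing on `legacy_update_last` in Hacl_Hash_MD5.h and Hacl_Hash_SHA1.h.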
@@ -0,0 +1,96 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Impl_Blake2_Constants_H +#define __Hacl_Impl_Blake2_Constants_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +static const +uint32_t +Hacl_Impl_Blake2_Constants_sigmaTable[160U] = + { + (uint32_t)0U, (uint32_t)1U, (uint32_t)2U, (uint32_t)3U, (uint32_t)4U, (uint32_t)5U, + (uint32_t)6U, (uint32_t)7U, (uint32_t)8U, (uint32_t)9U, (uint32_t)10U, (uint32_t)11U, + (uint32_t)12U, (uint32_t)13U, (uint32_t)14U, (uint32_t)15U, (uint32_t)14U, (uint32_t)10U, + (uint32_t)4U, (uint32_t)8U, (uint32_t)9U, (uint32_t)15U, (uint32_t)13U, (uint32_t)6U, + (uint32_t)1U, (uint32_t)12U, (uint32_t)0U, (uint32_t)2U, (uint32_t)11U, (uint32_t)7U, + (uint32_t)5U, (uint32_t)3U, (uint32_t)11U, (uint32_t)8U, (uint32_t)12U, (uint32_t)0U, + (uint32_t)5U, (uint32_t)2U, (uint32_t)15U, (uint32_t)13U, (uint32_t)10U, (uint32_t)14U, + (uint32_t)3U, (uint32_t)6U, (uint32_t)7U, (uint32_t)1U, (uint32_t)9U, (uint32_t)4U, + (uint32_t)7U, (uint32_t)9U, (uint32_t)3U, (uint32_t)1U, (uint32_t)13U, (uint32_t)12U, + (uint32_t)11U, (uint32_t)14U, (uint32_t)2U, (uint32_t)6U, (uint32_t)5U, (uint32_t)10U, + (uint32_t)4U, (uint32_t)0U, (uint32_t)15U, (uint32_t)8U, (uint32_t)9U, (uint32_t)0U, + (uint32_t)5U, (uint32_t)7U, (uint32_t)2U, (uint32_t)4U, (uint32_t)10U, (uint32_t)15U, + (uint32_t)14U, (uint32_t)1U, (uint32_t)11U, (uint32_t)12U, (uint32_t)6U, (uint32_t)8U, + (uint32_t)3U, (uint32_t)13U, (uint32_t)2U, (uint32_t)12U, (uint32_t)6U, (uint32_t)10U, + (uint32_t)0U, (uint32_t)11U, (uint32_t)8U, (uint32_t)3U, (uint32_t)4U, (uint32_t)13U, + (uint32_t)7U, (uint32_t)5U, (uint32_t)15U, (uint32_t)14U, (uint32_t)1U, (uint32_t)9U, + (uint32_t)12U, (uint32_t)5U, (uint32_t)1U, (uint32_t)15U, (uint32_t)14U, (uint32_t)13U, + (uint32_t)4U, (uint32_t)10U, (uint32_t)0U, (uint32_t)7U, (uint32_t)6U, 
(uint32_t)3U, + (uint32_t)9U, (uint32_t)2U, (uint32_t)8U, (uint32_t)11U, (uint32_t)13U, (uint32_t)11U, + (uint32_t)7U, (uint32_t)14U, (uint32_t)12U, (uint32_t)1U, (uint32_t)3U, (uint32_t)9U, + (uint32_t)5U, (uint32_t)0U, (uint32_t)15U, (uint32_t)4U, (uint32_t)8U, (uint32_t)6U, + (uint32_t)2U, (uint32_t)10U, (uint32_t)6U, (uint32_t)15U, (uint32_t)14U, (uint32_t)9U, + (uint32_t)11U, (uint32_t)3U, (uint32_t)0U, (uint32_t)8U, (uint32_t)12U, (uint32_t)2U, + (uint32_t)13U, (uint32_t)7U, (uint32_t)1U, (uint32_t)4U, (uint32_t)10U, (uint32_t)5U, + (uint32_t)10U, (uint32_t)2U, (uint32_t)8U, (uint32_t)4U, (uint32_t)7U, (uint32_t)6U, + (uint32_t)1U, (uint32_t)5U, (uint32_t)15U, (uint32_t)11U, (uint32_t)9U, (uint32_t)14U, + (uint32_t)3U, (uint32_t)12U, (uint32_t)13U + }; + +static const +uint32_t +Hacl_Impl_Blake2_Constants_ivTable_S[8U] = + { + (uint32_t)0x6A09E667U, (uint32_t)0xBB67AE85U, (uint32_t)0x3C6EF372U, (uint32_t)0xA54FF53AU, + (uint32_t)0x510E527FU, (uint32_t)0x9B05688CU, (uint32_t)0x1F83D9ABU, (uint32_t)0x5BE0CD19U + }; + +static const +uint64_t +Hacl_Impl_Blake2_Constants_ivTable_B[8U] = + { + (uint64_t)0x6A09E667F3BCC908U, (uint64_t)0xBB67AE8584CAA73BU, (uint64_t)0x3C6EF372FE94F82BU, + (uint64_t)0xA54FF53A5F1D36F1U, (uint64_t)0x510E527FADE682D1U, (uint64_t)0x9B05688C2B3E6C1FU, + (uint64_t)0x1F83D9ABFB41BD6BU, (uint64_t)0x5BE0CD19137E2179U + }; + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Impl_Blake2_Constants_H_DEFINED +#endif diff --git a/include/c89/Hacl_Impl_FFDHE_Constants.h b/include/c89/Hacl_Impl_FFDHE_Constants.h new file mode 100644 index 00000000..539eb949 --- /dev/null +++ b/include/c89/Hacl_Impl_FFDHE_Constants.h 
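Review bot: The three tables are defined, not merely declared, as `static const` in a header with no comment on what they hold, so every translation unit that includes it gets its own copy and a reader has to recognise the values by eye. A one-line comment per table would help, e.g. `/* BLAKE2 message-word permutation, 10 rounds x 16 indices (RFC 7693, sigma) */` above `sigmaTable` and `/* BLAKE2s / BLAKE2b initialization vectors (RFC 7693) */` above `ivTable_S` / `ivTable_B`; the values shown match those constants. The header also includes `libintvector.h` although nothing in it uses vector types, which couples a plain constants header to the intrinsics headers.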
@@ -0,0 +1,570 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Impl_FFDHE_Constants_H +#define __Hacl_Impl_FFDHE_Constants_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +static const uint8_t Hacl_Impl_FFDHE_Constants_ffdhe_g2[1U] = { (uint8_t)0x02U }; + +static const +uint8_t +Hacl_Impl_FFDHE_Constants_ffdhe_p2048[256U] = + { + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xADU, (uint8_t)0xF8U, (uint8_t)0x54U, (uint8_t)0x58U, + (uint8_t)0xA2U, (uint8_t)0xBBU, (uint8_t)0x4AU, (uint8_t)0x9AU, (uint8_t)0xAFU, (uint8_t)0xDCU, + (uint8_t)0x56U, (uint8_t)0x20U, (uint8_t)0x27U, (uint8_t)0x3DU, (uint8_t)0x3CU, (uint8_t)0xF1U, + (uint8_t)0xD8U, (uint8_t)0xB9U, (uint8_t)0xC5U, (uint8_t)0x83U, (uint8_t)0xCEU, (uint8_t)0x2DU, + (uint8_t)0x36U, (uint8_t)0x95U, (uint8_t)0xA9U, (uint8_t)0xE1U, (uint8_t)0x36U, (uint8_t)0x41U, + (uint8_t)0x14U, (uint8_t)0x64U, (uint8_t)0x33U, (uint8_t)0xFBU, (uint8_t)0xCCU, (uint8_t)0x93U, + (uint8_t)0x9DU, (uint8_t)0xCEU, (uint8_t)0x24U, (uint8_t)0x9BU, (uint8_t)0x3EU, (uint8_t)0xF9U, + (uint8_t)0x7DU, (uint8_t)0x2FU, (uint8_t)0xE3U, (uint8_t)0x63U, (uint8_t)0x63U, (uint8_t)0x0CU, + (uint8_t)0x75U, (uint8_t)0xD8U, (uint8_t)0xF6U, (uint8_t)0x81U, (uint8_t)0xB2U, (uint8_t)0x02U, + (uint8_t)0xAEU, (uint8_t)0xC4U, (uint8_t)0x61U, (uint8_t)0x7AU, (uint8_t)0xD3U, (uint8_t)0xDFU, + (uint8_t)0x1EU, (uint8_t)0xD5U, (uint8_t)0xD5U, (uint8_t)0xFDU, (uint8_t)0x65U, (uint8_t)0x61U, + (uint8_t)0x24U, (uint8_t)0x33U, (uint8_t)0xF5U, (uint8_t)0x1FU, (uint8_t)0x5FU, (uint8_t)0x06U, + (uint8_t)0x6EU, (uint8_t)0xD0U, (uint8_t)0x85U, (uint8_t)0x63U, (uint8_t)0x65U, (uint8_t)0x55U, + (uint8_t)0x3DU, (uint8_t)0xEDU, (uint8_t)0x1AU, (uint8_t)0xF3U, (uint8_t)0xB5U, (uint8_t)0x57U, + (uint8_t)0x13U, (uint8_t)0x5EU, 
(uint8_t)0x7FU, (uint8_t)0x57U, (uint8_t)0xC9U, (uint8_t)0x35U, + (uint8_t)0x98U, (uint8_t)0x4FU, (uint8_t)0x0CU, (uint8_t)0x70U, (uint8_t)0xE0U, (uint8_t)0xE6U, + (uint8_t)0x8BU, (uint8_t)0x77U, (uint8_t)0xE2U, (uint8_t)0xA6U, (uint8_t)0x89U, (uint8_t)0xDAU, + (uint8_t)0xF3U, (uint8_t)0xEFU, (uint8_t)0xE8U, (uint8_t)0x72U, (uint8_t)0x1DU, (uint8_t)0xF1U, + (uint8_t)0x58U, (uint8_t)0xA1U, (uint8_t)0x36U, (uint8_t)0xADU, (uint8_t)0xE7U, (uint8_t)0x35U, + (uint8_t)0x30U, (uint8_t)0xACU, (uint8_t)0xCAU, (uint8_t)0x4FU, (uint8_t)0x48U, (uint8_t)0x3AU, + (uint8_t)0x79U, (uint8_t)0x7AU, (uint8_t)0xBCU, (uint8_t)0x0AU, (uint8_t)0xB1U, (uint8_t)0x82U, + (uint8_t)0xB3U, (uint8_t)0x24U, (uint8_t)0xFBU, (uint8_t)0x61U, (uint8_t)0xD1U, (uint8_t)0x08U, + (uint8_t)0xA9U, (uint8_t)0x4BU, (uint8_t)0xB2U, (uint8_t)0xC8U, (uint8_t)0xE3U, (uint8_t)0xFBU, + (uint8_t)0xB9U, (uint8_t)0x6AU, (uint8_t)0xDAU, (uint8_t)0xB7U, (uint8_t)0x60U, (uint8_t)0xD7U, + (uint8_t)0xF4U, (uint8_t)0x68U, (uint8_t)0x1DU, (uint8_t)0x4FU, (uint8_t)0x42U, (uint8_t)0xA3U, + (uint8_t)0xDEU, (uint8_t)0x39U, (uint8_t)0x4DU, (uint8_t)0xF4U, (uint8_t)0xAEU, (uint8_t)0x56U, + (uint8_t)0xEDU, (uint8_t)0xE7U, (uint8_t)0x63U, (uint8_t)0x72U, (uint8_t)0xBBU, (uint8_t)0x19U, + (uint8_t)0x0BU, (uint8_t)0x07U, (uint8_t)0xA7U, (uint8_t)0xC8U, (uint8_t)0xEEU, (uint8_t)0x0AU, + (uint8_t)0x6DU, (uint8_t)0x70U, (uint8_t)0x9EU, (uint8_t)0x02U, (uint8_t)0xFCU, (uint8_t)0xE1U, + (uint8_t)0xCDU, (uint8_t)0xF7U, (uint8_t)0xE2U, (uint8_t)0xECU, (uint8_t)0xC0U, (uint8_t)0x34U, + (uint8_t)0x04U, (uint8_t)0xCDU, (uint8_t)0x28U, (uint8_t)0x34U, (uint8_t)0x2FU, (uint8_t)0x61U, + (uint8_t)0x91U, (uint8_t)0x72U, (uint8_t)0xFEU, (uint8_t)0x9CU, (uint8_t)0xE9U, (uint8_t)0x85U, + (uint8_t)0x83U, (uint8_t)0xFFU, (uint8_t)0x8EU, (uint8_t)0x4FU, (uint8_t)0x12U, (uint8_t)0x32U, + (uint8_t)0xEEU, (uint8_t)0xF2U, (uint8_t)0x81U, (uint8_t)0x83U, (uint8_t)0xC3U, (uint8_t)0xFEU, + (uint8_t)0x3BU, (uint8_t)0x1BU, (uint8_t)0x4CU, (uint8_t)0x6FU, 
(uint8_t)0xADU, (uint8_t)0x73U, + (uint8_t)0x3BU, (uint8_t)0xB5U, (uint8_t)0xFCU, (uint8_t)0xBCU, (uint8_t)0x2EU, (uint8_t)0xC2U, + (uint8_t)0x20U, (uint8_t)0x05U, (uint8_t)0xC5U, (uint8_t)0x8EU, (uint8_t)0xF1U, (uint8_t)0x83U, + (uint8_t)0x7DU, (uint8_t)0x16U, (uint8_t)0x83U, (uint8_t)0xB2U, (uint8_t)0xC6U, (uint8_t)0xF3U, + (uint8_t)0x4AU, (uint8_t)0x26U, (uint8_t)0xC1U, (uint8_t)0xB2U, (uint8_t)0xEFU, (uint8_t)0xFAU, + (uint8_t)0x88U, (uint8_t)0x6BU, (uint8_t)0x42U, (uint8_t)0x38U, (uint8_t)0x61U, (uint8_t)0x28U, + (uint8_t)0x5CU, (uint8_t)0x97U, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU + }; + +static const +uint8_t +Hacl_Impl_FFDHE_Constants_ffdhe_p3072[384U] = + { + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xADU, (uint8_t)0xF8U, (uint8_t)0x54U, (uint8_t)0x58U, + (uint8_t)0xA2U, (uint8_t)0xBBU, (uint8_t)0x4AU, (uint8_t)0x9AU, (uint8_t)0xAFU, (uint8_t)0xDCU, + (uint8_t)0x56U, (uint8_t)0x20U, (uint8_t)0x27U, (uint8_t)0x3DU, (uint8_t)0x3CU, (uint8_t)0xF1U, + (uint8_t)0xD8U, (uint8_t)0xB9U, (uint8_t)0xC5U, (uint8_t)0x83U, (uint8_t)0xCEU, (uint8_t)0x2DU, + (uint8_t)0x36U, (uint8_t)0x95U, (uint8_t)0xA9U, (uint8_t)0xE1U, (uint8_t)0x36U, (uint8_t)0x41U, + (uint8_t)0x14U, (uint8_t)0x64U, (uint8_t)0x33U, (uint8_t)0xFBU, (uint8_t)0xCCU, (uint8_t)0x93U, + (uint8_t)0x9DU, (uint8_t)0xCEU, (uint8_t)0x24U, (uint8_t)0x9BU, (uint8_t)0x3EU, (uint8_t)0xF9U, + (uint8_t)0x7DU, (uint8_t)0x2FU, (uint8_t)0xE3U, (uint8_t)0x63U, (uint8_t)0x63U, (uint8_t)0x0CU, + (uint8_t)0x75U, (uint8_t)0xD8U, (uint8_t)0xF6U, (uint8_t)0x81U, (uint8_t)0xB2U, (uint8_t)0x02U, + (uint8_t)0xAEU, (uint8_t)0xC4U, (uint8_t)0x61U, (uint8_t)0x7AU, (uint8_t)0xD3U, (uint8_t)0xDFU, + (uint8_t)0x1EU, (uint8_t)0xD5U, (uint8_t)0xD5U, (uint8_t)0xFDU, (uint8_t)0x65U, (uint8_t)0x61U, + (uint8_t)0x24U, (uint8_t)0x33U, (uint8_t)0xF5U, 
(uint8_t)0x1FU, (uint8_t)0x5FU, (uint8_t)0x06U, + (uint8_t)0x6EU, (uint8_t)0xD0U, (uint8_t)0x85U, (uint8_t)0x63U, (uint8_t)0x65U, (uint8_t)0x55U, + (uint8_t)0x3DU, (uint8_t)0xEDU, (uint8_t)0x1AU, (uint8_t)0xF3U, (uint8_t)0xB5U, (uint8_t)0x57U, + (uint8_t)0x13U, (uint8_t)0x5EU, (uint8_t)0x7FU, (uint8_t)0x57U, (uint8_t)0xC9U, (uint8_t)0x35U, + (uint8_t)0x98U, (uint8_t)0x4FU, (uint8_t)0x0CU, (uint8_t)0x70U, (uint8_t)0xE0U, (uint8_t)0xE6U, + (uint8_t)0x8BU, (uint8_t)0x77U, (uint8_t)0xE2U, (uint8_t)0xA6U, (uint8_t)0x89U, (uint8_t)0xDAU, + (uint8_t)0xF3U, (uint8_t)0xEFU, (uint8_t)0xE8U, (uint8_t)0x72U, (uint8_t)0x1DU, (uint8_t)0xF1U, + (uint8_t)0x58U, (uint8_t)0xA1U, (uint8_t)0x36U, (uint8_t)0xADU, (uint8_t)0xE7U, (uint8_t)0x35U, + (uint8_t)0x30U, (uint8_t)0xACU, (uint8_t)0xCAU, (uint8_t)0x4FU, (uint8_t)0x48U, (uint8_t)0x3AU, + (uint8_t)0x79U, (uint8_t)0x7AU, (uint8_t)0xBCU, (uint8_t)0x0AU, (uint8_t)0xB1U, (uint8_t)0x82U, + (uint8_t)0xB3U, (uint8_t)0x24U, (uint8_t)0xFBU, (uint8_t)0x61U, (uint8_t)0xD1U, (uint8_t)0x08U, + (uint8_t)0xA9U, (uint8_t)0x4BU, (uint8_t)0xB2U, (uint8_t)0xC8U, (uint8_t)0xE3U, (uint8_t)0xFBU, + (uint8_t)0xB9U, (uint8_t)0x6AU, (uint8_t)0xDAU, (uint8_t)0xB7U, (uint8_t)0x60U, (uint8_t)0xD7U, + (uint8_t)0xF4U, (uint8_t)0x68U, (uint8_t)0x1DU, (uint8_t)0x4FU, (uint8_t)0x42U, (uint8_t)0xA3U, + (uint8_t)0xDEU, (uint8_t)0x39U, (uint8_t)0x4DU, (uint8_t)0xF4U, (uint8_t)0xAEU, (uint8_t)0x56U, + (uint8_t)0xEDU, (uint8_t)0xE7U, (uint8_t)0x63U, (uint8_t)0x72U, (uint8_t)0xBBU, (uint8_t)0x19U, + (uint8_t)0x0BU, (uint8_t)0x07U, (uint8_t)0xA7U, (uint8_t)0xC8U, (uint8_t)0xEEU, (uint8_t)0x0AU, + (uint8_t)0x6DU, (uint8_t)0x70U, (uint8_t)0x9EU, (uint8_t)0x02U, (uint8_t)0xFCU, (uint8_t)0xE1U, + (uint8_t)0xCDU, (uint8_t)0xF7U, (uint8_t)0xE2U, (uint8_t)0xECU, (uint8_t)0xC0U, (uint8_t)0x34U, + (uint8_t)0x04U, (uint8_t)0xCDU, (uint8_t)0x28U, (uint8_t)0x34U, (uint8_t)0x2FU, (uint8_t)0x61U, + (uint8_t)0x91U, (uint8_t)0x72U, (uint8_t)0xFEU, (uint8_t)0x9CU, (uint8_t)0xE9U, 
(uint8_t)0x85U, + (uint8_t)0x83U, (uint8_t)0xFFU, (uint8_t)0x8EU, (uint8_t)0x4FU, (uint8_t)0x12U, (uint8_t)0x32U, + (uint8_t)0xEEU, (uint8_t)0xF2U, (uint8_t)0x81U, (uint8_t)0x83U, (uint8_t)0xC3U, (uint8_t)0xFEU, + (uint8_t)0x3BU, (uint8_t)0x1BU, (uint8_t)0x4CU, (uint8_t)0x6FU, (uint8_t)0xADU, (uint8_t)0x73U, + (uint8_t)0x3BU, (uint8_t)0xB5U, (uint8_t)0xFCU, (uint8_t)0xBCU, (uint8_t)0x2EU, (uint8_t)0xC2U, + (uint8_t)0x20U, (uint8_t)0x05U, (uint8_t)0xC5U, (uint8_t)0x8EU, (uint8_t)0xF1U, (uint8_t)0x83U, + (uint8_t)0x7DU, (uint8_t)0x16U, (uint8_t)0x83U, (uint8_t)0xB2U, (uint8_t)0xC6U, (uint8_t)0xF3U, + (uint8_t)0x4AU, (uint8_t)0x26U, (uint8_t)0xC1U, (uint8_t)0xB2U, (uint8_t)0xEFU, (uint8_t)0xFAU, + (uint8_t)0x88U, (uint8_t)0x6BU, (uint8_t)0x42U, (uint8_t)0x38U, (uint8_t)0x61U, (uint8_t)0x1FU, + (uint8_t)0xCFU, (uint8_t)0xDCU, (uint8_t)0xDEU, (uint8_t)0x35U, (uint8_t)0x5BU, (uint8_t)0x3BU, + (uint8_t)0x65U, (uint8_t)0x19U, (uint8_t)0x03U, (uint8_t)0x5BU, (uint8_t)0xBCU, (uint8_t)0x34U, + (uint8_t)0xF4U, (uint8_t)0xDEU, (uint8_t)0xF9U, (uint8_t)0x9CU, (uint8_t)0x02U, (uint8_t)0x38U, + (uint8_t)0x61U, (uint8_t)0xB4U, (uint8_t)0x6FU, (uint8_t)0xC9U, (uint8_t)0xD6U, (uint8_t)0xE6U, + (uint8_t)0xC9U, (uint8_t)0x07U, (uint8_t)0x7AU, (uint8_t)0xD9U, (uint8_t)0x1DU, (uint8_t)0x26U, + (uint8_t)0x91U, (uint8_t)0xF7U, (uint8_t)0xF7U, (uint8_t)0xEEU, (uint8_t)0x59U, (uint8_t)0x8CU, + (uint8_t)0xB0U, (uint8_t)0xFAU, (uint8_t)0xC1U, (uint8_t)0x86U, (uint8_t)0xD9U, (uint8_t)0x1CU, + (uint8_t)0xAEU, (uint8_t)0xFEU, (uint8_t)0x13U, (uint8_t)0x09U, (uint8_t)0x85U, (uint8_t)0x13U, + (uint8_t)0x92U, (uint8_t)0x70U, (uint8_t)0xB4U, (uint8_t)0x13U, (uint8_t)0x0CU, (uint8_t)0x93U, + (uint8_t)0xBCU, (uint8_t)0x43U, (uint8_t)0x79U, (uint8_t)0x44U, (uint8_t)0xF4U, (uint8_t)0xFDU, + (uint8_t)0x44U, (uint8_t)0x52U, (uint8_t)0xE2U, (uint8_t)0xD7U, (uint8_t)0x4DU, (uint8_t)0xD3U, + (uint8_t)0x64U, (uint8_t)0xF2U, (uint8_t)0xE2U, (uint8_t)0x1EU, (uint8_t)0x71U, (uint8_t)0xF5U, + (uint8_t)0x4BU, 
(uint8_t)0xFFU, (uint8_t)0x5CU, (uint8_t)0xAEU, (uint8_t)0x82U, (uint8_t)0xABU, + (uint8_t)0x9CU, (uint8_t)0x9DU, (uint8_t)0xF6U, (uint8_t)0x9EU, (uint8_t)0xE8U, (uint8_t)0x6DU, + (uint8_t)0x2BU, (uint8_t)0xC5U, (uint8_t)0x22U, (uint8_t)0x36U, (uint8_t)0x3AU, (uint8_t)0x0DU, + (uint8_t)0xABU, (uint8_t)0xC5U, (uint8_t)0x21U, (uint8_t)0x97U, (uint8_t)0x9BU, (uint8_t)0x0DU, + (uint8_t)0xEAU, (uint8_t)0xDAU, (uint8_t)0x1DU, (uint8_t)0xBFU, (uint8_t)0x9AU, (uint8_t)0x42U, + (uint8_t)0xD5U, (uint8_t)0xC4U, (uint8_t)0x48U, (uint8_t)0x4EU, (uint8_t)0x0AU, (uint8_t)0xBCU, + (uint8_t)0xD0U, (uint8_t)0x6BU, (uint8_t)0xFAU, (uint8_t)0x53U, (uint8_t)0xDDU, (uint8_t)0xEFU, + (uint8_t)0x3CU, (uint8_t)0x1BU, (uint8_t)0x20U, (uint8_t)0xEEU, (uint8_t)0x3FU, (uint8_t)0xD5U, + (uint8_t)0x9DU, (uint8_t)0x7CU, (uint8_t)0x25U, (uint8_t)0xE4U, (uint8_t)0x1DU, (uint8_t)0x2BU, + (uint8_t)0x66U, (uint8_t)0xC6U, (uint8_t)0x2EU, (uint8_t)0x37U, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU + }; + +static const +uint8_t +Hacl_Impl_FFDHE_Constants_ffdhe_p4096[512U] = + { + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xADU, (uint8_t)0xF8U, (uint8_t)0x54U, (uint8_t)0x58U, + (uint8_t)0xA2U, (uint8_t)0xBBU, (uint8_t)0x4AU, (uint8_t)0x9AU, (uint8_t)0xAFU, (uint8_t)0xDCU, + (uint8_t)0x56U, (uint8_t)0x20U, (uint8_t)0x27U, (uint8_t)0x3DU, (uint8_t)0x3CU, (uint8_t)0xF1U, + (uint8_t)0xD8U, (uint8_t)0xB9U, (uint8_t)0xC5U, (uint8_t)0x83U, (uint8_t)0xCEU, (uint8_t)0x2DU, + (uint8_t)0x36U, (uint8_t)0x95U, (uint8_t)0xA9U, (uint8_t)0xE1U, (uint8_t)0x36U, (uint8_t)0x41U, + (uint8_t)0x14U, (uint8_t)0x64U, (uint8_t)0x33U, (uint8_t)0xFBU, (uint8_t)0xCCU, (uint8_t)0x93U, + (uint8_t)0x9DU, (uint8_t)0xCEU, (uint8_t)0x24U, (uint8_t)0x9BU, (uint8_t)0x3EU, (uint8_t)0xF9U, + (uint8_t)0x7DU, (uint8_t)0x2FU, (uint8_t)0xE3U, (uint8_t)0x63U, 
(uint8_t)0x63U, (uint8_t)0x0CU, + (uint8_t)0x75U, (uint8_t)0xD8U, (uint8_t)0xF6U, (uint8_t)0x81U, (uint8_t)0xB2U, (uint8_t)0x02U, + (uint8_t)0xAEU, (uint8_t)0xC4U, (uint8_t)0x61U, (uint8_t)0x7AU, (uint8_t)0xD3U, (uint8_t)0xDFU, + (uint8_t)0x1EU, (uint8_t)0xD5U, (uint8_t)0xD5U, (uint8_t)0xFDU, (uint8_t)0x65U, (uint8_t)0x61U, + (uint8_t)0x24U, (uint8_t)0x33U, (uint8_t)0xF5U, (uint8_t)0x1FU, (uint8_t)0x5FU, (uint8_t)0x06U, + (uint8_t)0x6EU, (uint8_t)0xD0U, (uint8_t)0x85U, (uint8_t)0x63U, (uint8_t)0x65U, (uint8_t)0x55U, + (uint8_t)0x3DU, (uint8_t)0xEDU, (uint8_t)0x1AU, (uint8_t)0xF3U, (uint8_t)0xB5U, (uint8_t)0x57U, + (uint8_t)0x13U, (uint8_t)0x5EU, (uint8_t)0x7FU, (uint8_t)0x57U, (uint8_t)0xC9U, (uint8_t)0x35U, + (uint8_t)0x98U, (uint8_t)0x4FU, (uint8_t)0x0CU, (uint8_t)0x70U, (uint8_t)0xE0U, (uint8_t)0xE6U, + (uint8_t)0x8BU, (uint8_t)0x77U, (uint8_t)0xE2U, (uint8_t)0xA6U, (uint8_t)0x89U, (uint8_t)0xDAU, + (uint8_t)0xF3U, (uint8_t)0xEFU, (uint8_t)0xE8U, (uint8_t)0x72U, (uint8_t)0x1DU, (uint8_t)0xF1U, + (uint8_t)0x58U, (uint8_t)0xA1U, (uint8_t)0x36U, (uint8_t)0xADU, (uint8_t)0xE7U, (uint8_t)0x35U, + (uint8_t)0x30U, (uint8_t)0xACU, (uint8_t)0xCAU, (uint8_t)0x4FU, (uint8_t)0x48U, (uint8_t)0x3AU, + (uint8_t)0x79U, (uint8_t)0x7AU, (uint8_t)0xBCU, (uint8_t)0x0AU, (uint8_t)0xB1U, (uint8_t)0x82U, + (uint8_t)0xB3U, (uint8_t)0x24U, (uint8_t)0xFBU, (uint8_t)0x61U, (uint8_t)0xD1U, (uint8_t)0x08U, + (uint8_t)0xA9U, (uint8_t)0x4BU, (uint8_t)0xB2U, (uint8_t)0xC8U, (uint8_t)0xE3U, (uint8_t)0xFBU, + (uint8_t)0xB9U, (uint8_t)0x6AU, (uint8_t)0xDAU, (uint8_t)0xB7U, (uint8_t)0x60U, (uint8_t)0xD7U, + (uint8_t)0xF4U, (uint8_t)0x68U, (uint8_t)0x1DU, (uint8_t)0x4FU, (uint8_t)0x42U, (uint8_t)0xA3U, + (uint8_t)0xDEU, (uint8_t)0x39U, (uint8_t)0x4DU, (uint8_t)0xF4U, (uint8_t)0xAEU, (uint8_t)0x56U, + (uint8_t)0xEDU, (uint8_t)0xE7U, (uint8_t)0x63U, (uint8_t)0x72U, (uint8_t)0xBBU, (uint8_t)0x19U, + (uint8_t)0x0BU, (uint8_t)0x07U, (uint8_t)0xA7U, (uint8_t)0xC8U, (uint8_t)0xEEU, (uint8_t)0x0AU, + 
(uint8_t)0x6DU, (uint8_t)0x70U, (uint8_t)0x9EU, (uint8_t)0x02U, (uint8_t)0xFCU, (uint8_t)0xE1U, + (uint8_t)0xCDU, (uint8_t)0xF7U, (uint8_t)0xE2U, (uint8_t)0xECU, (uint8_t)0xC0U, (uint8_t)0x34U, + (uint8_t)0x04U, (uint8_t)0xCDU, (uint8_t)0x28U, (uint8_t)0x34U, (uint8_t)0x2FU, (uint8_t)0x61U, + (uint8_t)0x91U, (uint8_t)0x72U, (uint8_t)0xFEU, (uint8_t)0x9CU, (uint8_t)0xE9U, (uint8_t)0x85U, + (uint8_t)0x83U, (uint8_t)0xFFU, (uint8_t)0x8EU, (uint8_t)0x4FU, (uint8_t)0x12U, (uint8_t)0x32U, + (uint8_t)0xEEU, (uint8_t)0xF2U, (uint8_t)0x81U, (uint8_t)0x83U, (uint8_t)0xC3U, (uint8_t)0xFEU, + (uint8_t)0x3BU, (uint8_t)0x1BU, (uint8_t)0x4CU, (uint8_t)0x6FU, (uint8_t)0xADU, (uint8_t)0x73U, + (uint8_t)0x3BU, (uint8_t)0xB5U, (uint8_t)0xFCU, (uint8_t)0xBCU, (uint8_t)0x2EU, (uint8_t)0xC2U, + (uint8_t)0x20U, (uint8_t)0x05U, (uint8_t)0xC5U, (uint8_t)0x8EU, (uint8_t)0xF1U, (uint8_t)0x83U, + (uint8_t)0x7DU, (uint8_t)0x16U, (uint8_t)0x83U, (uint8_t)0xB2U, (uint8_t)0xC6U, (uint8_t)0xF3U, + (uint8_t)0x4AU, (uint8_t)0x26U, (uint8_t)0xC1U, (uint8_t)0xB2U, (uint8_t)0xEFU, (uint8_t)0xFAU, + (uint8_t)0x88U, (uint8_t)0x6BU, (uint8_t)0x42U, (uint8_t)0x38U, (uint8_t)0x61U, (uint8_t)0x1FU, + (uint8_t)0xCFU, (uint8_t)0xDCU, (uint8_t)0xDEU, (uint8_t)0x35U, (uint8_t)0x5BU, (uint8_t)0x3BU, + (uint8_t)0x65U, (uint8_t)0x19U, (uint8_t)0x03U, (uint8_t)0x5BU, (uint8_t)0xBCU, (uint8_t)0x34U, + (uint8_t)0xF4U, (uint8_t)0xDEU, (uint8_t)0xF9U, (uint8_t)0x9CU, (uint8_t)0x02U, (uint8_t)0x38U, + (uint8_t)0x61U, (uint8_t)0xB4U, (uint8_t)0x6FU, (uint8_t)0xC9U, (uint8_t)0xD6U, (uint8_t)0xE6U, + (uint8_t)0xC9U, (uint8_t)0x07U, (uint8_t)0x7AU, (uint8_t)0xD9U, (uint8_t)0x1DU, (uint8_t)0x26U, + (uint8_t)0x91U, (uint8_t)0xF7U, (uint8_t)0xF7U, (uint8_t)0xEEU, (uint8_t)0x59U, (uint8_t)0x8CU, + (uint8_t)0xB0U, (uint8_t)0xFAU, (uint8_t)0xC1U, (uint8_t)0x86U, (uint8_t)0xD9U, (uint8_t)0x1CU, + (uint8_t)0xAEU, (uint8_t)0xFEU, (uint8_t)0x13U, (uint8_t)0x09U, (uint8_t)0x85U, (uint8_t)0x13U, + (uint8_t)0x92U, (uint8_t)0x70U, 
(uint8_t)0xB4U, (uint8_t)0x13U, (uint8_t)0x0CU, (uint8_t)0x93U, + (uint8_t)0xBCU, (uint8_t)0x43U, (uint8_t)0x79U, (uint8_t)0x44U, (uint8_t)0xF4U, (uint8_t)0xFDU, + (uint8_t)0x44U, (uint8_t)0x52U, (uint8_t)0xE2U, (uint8_t)0xD7U, (uint8_t)0x4DU, (uint8_t)0xD3U, + (uint8_t)0x64U, (uint8_t)0xF2U, (uint8_t)0xE2U, (uint8_t)0x1EU, (uint8_t)0x71U, (uint8_t)0xF5U, + (uint8_t)0x4BU, (uint8_t)0xFFU, (uint8_t)0x5CU, (uint8_t)0xAEU, (uint8_t)0x82U, (uint8_t)0xABU, + (uint8_t)0x9CU, (uint8_t)0x9DU, (uint8_t)0xF6U, (uint8_t)0x9EU, (uint8_t)0xE8U, (uint8_t)0x6DU, + (uint8_t)0x2BU, (uint8_t)0xC5U, (uint8_t)0x22U, (uint8_t)0x36U, (uint8_t)0x3AU, (uint8_t)0x0DU, + (uint8_t)0xABU, (uint8_t)0xC5U, (uint8_t)0x21U, (uint8_t)0x97U, (uint8_t)0x9BU, (uint8_t)0x0DU, + (uint8_t)0xEAU, (uint8_t)0xDAU, (uint8_t)0x1DU, (uint8_t)0xBFU, (uint8_t)0x9AU, (uint8_t)0x42U, + (uint8_t)0xD5U, (uint8_t)0xC4U, (uint8_t)0x48U, (uint8_t)0x4EU, (uint8_t)0x0AU, (uint8_t)0xBCU, + (uint8_t)0xD0U, (uint8_t)0x6BU, (uint8_t)0xFAU, (uint8_t)0x53U, (uint8_t)0xDDU, (uint8_t)0xEFU, + (uint8_t)0x3CU, (uint8_t)0x1BU, (uint8_t)0x20U, (uint8_t)0xEEU, (uint8_t)0x3FU, (uint8_t)0xD5U, + (uint8_t)0x9DU, (uint8_t)0x7CU, (uint8_t)0x25U, (uint8_t)0xE4U, (uint8_t)0x1DU, (uint8_t)0x2BU, + (uint8_t)0x66U, (uint8_t)0x9EU, (uint8_t)0x1EU, (uint8_t)0xF1U, (uint8_t)0x6EU, (uint8_t)0x6FU, + (uint8_t)0x52U, (uint8_t)0xC3U, (uint8_t)0x16U, (uint8_t)0x4DU, (uint8_t)0xF4U, (uint8_t)0xFBU, + (uint8_t)0x79U, (uint8_t)0x30U, (uint8_t)0xE9U, (uint8_t)0xE4U, (uint8_t)0xE5U, (uint8_t)0x88U, + (uint8_t)0x57U, (uint8_t)0xB6U, (uint8_t)0xACU, (uint8_t)0x7DU, (uint8_t)0x5FU, (uint8_t)0x42U, + (uint8_t)0xD6U, (uint8_t)0x9FU, (uint8_t)0x6DU, (uint8_t)0x18U, (uint8_t)0x77U, (uint8_t)0x63U, + (uint8_t)0xCFU, (uint8_t)0x1DU, (uint8_t)0x55U, (uint8_t)0x03U, (uint8_t)0x40U, (uint8_t)0x04U, + (uint8_t)0x87U, (uint8_t)0xF5U, (uint8_t)0x5BU, (uint8_t)0xA5U, (uint8_t)0x7EU, (uint8_t)0x31U, + (uint8_t)0xCCU, (uint8_t)0x7AU, (uint8_t)0x71U, (uint8_t)0x35U, 
(uint8_t)0xC8U, (uint8_t)0x86U, + (uint8_t)0xEFU, (uint8_t)0xB4U, (uint8_t)0x31U, (uint8_t)0x8AU, (uint8_t)0xEDU, (uint8_t)0x6AU, + (uint8_t)0x1EU, (uint8_t)0x01U, (uint8_t)0x2DU, (uint8_t)0x9EU, (uint8_t)0x68U, (uint8_t)0x32U, + (uint8_t)0xA9U, (uint8_t)0x07U, (uint8_t)0x60U, (uint8_t)0x0AU, (uint8_t)0x91U, (uint8_t)0x81U, + (uint8_t)0x30U, (uint8_t)0xC4U, (uint8_t)0x6DU, (uint8_t)0xC7U, (uint8_t)0x78U, (uint8_t)0xF9U, + (uint8_t)0x71U, (uint8_t)0xADU, (uint8_t)0x00U, (uint8_t)0x38U, (uint8_t)0x09U, (uint8_t)0x29U, + (uint8_t)0x99U, (uint8_t)0xA3U, (uint8_t)0x33U, (uint8_t)0xCBU, (uint8_t)0x8BU, (uint8_t)0x7AU, + (uint8_t)0x1AU, (uint8_t)0x1DU, (uint8_t)0xB9U, (uint8_t)0x3DU, (uint8_t)0x71U, (uint8_t)0x40U, + (uint8_t)0x00U, (uint8_t)0x3CU, (uint8_t)0x2AU, (uint8_t)0x4EU, (uint8_t)0xCEU, (uint8_t)0xA9U, + (uint8_t)0xF9U, (uint8_t)0x8DU, (uint8_t)0x0AU, (uint8_t)0xCCU, (uint8_t)0x0AU, (uint8_t)0x82U, + (uint8_t)0x91U, (uint8_t)0xCDU, (uint8_t)0xCEU, (uint8_t)0xC9U, (uint8_t)0x7DU, (uint8_t)0xCFU, + (uint8_t)0x8EU, (uint8_t)0xC9U, (uint8_t)0xB5U, (uint8_t)0x5AU, (uint8_t)0x7FU, (uint8_t)0x88U, + (uint8_t)0xA4U, (uint8_t)0x6BU, (uint8_t)0x4DU, (uint8_t)0xB5U, (uint8_t)0xA8U, (uint8_t)0x51U, + (uint8_t)0xF4U, (uint8_t)0x41U, (uint8_t)0x82U, (uint8_t)0xE1U, (uint8_t)0xC6U, (uint8_t)0x8AU, + (uint8_t)0x00U, (uint8_t)0x7EU, (uint8_t)0x5EU, (uint8_t)0x65U, (uint8_t)0x5FU, (uint8_t)0x6AU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU + }; + +static const +uint8_t +Hacl_Impl_FFDHE_Constants_ffdhe_p6144[768U] = + { + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xADU, (uint8_t)0xF8U, (uint8_t)0x54U, (uint8_t)0x58U, + (uint8_t)0xA2U, (uint8_t)0xBBU, (uint8_t)0x4AU, (uint8_t)0x9AU, (uint8_t)0xAFU, (uint8_t)0xDCU, + (uint8_t)0x56U, (uint8_t)0x20U, (uint8_t)0x27U, (uint8_t)0x3DU, (uint8_t)0x3CU, 
(uint8_t)0xF1U, + (uint8_t)0xD8U, (uint8_t)0xB9U, (uint8_t)0xC5U, (uint8_t)0x83U, (uint8_t)0xCEU, (uint8_t)0x2DU, + (uint8_t)0x36U, (uint8_t)0x95U, (uint8_t)0xA9U, (uint8_t)0xE1U, (uint8_t)0x36U, (uint8_t)0x41U, + (uint8_t)0x14U, (uint8_t)0x64U, (uint8_t)0x33U, (uint8_t)0xFBU, (uint8_t)0xCCU, (uint8_t)0x93U, + (uint8_t)0x9DU, (uint8_t)0xCEU, (uint8_t)0x24U, (uint8_t)0x9BU, (uint8_t)0x3EU, (uint8_t)0xF9U, + (uint8_t)0x7DU, (uint8_t)0x2FU, (uint8_t)0xE3U, (uint8_t)0x63U, (uint8_t)0x63U, (uint8_t)0x0CU, + (uint8_t)0x75U, (uint8_t)0xD8U, (uint8_t)0xF6U, (uint8_t)0x81U, (uint8_t)0xB2U, (uint8_t)0x02U, + (uint8_t)0xAEU, (uint8_t)0xC4U, (uint8_t)0x61U, (uint8_t)0x7AU, (uint8_t)0xD3U, (uint8_t)0xDFU, + (uint8_t)0x1EU, (uint8_t)0xD5U, (uint8_t)0xD5U, (uint8_t)0xFDU, (uint8_t)0x65U, (uint8_t)0x61U, + (uint8_t)0x24U, (uint8_t)0x33U, (uint8_t)0xF5U, (uint8_t)0x1FU, (uint8_t)0x5FU, (uint8_t)0x06U, + (uint8_t)0x6EU, (uint8_t)0xD0U, (uint8_t)0x85U, (uint8_t)0x63U, (uint8_t)0x65U, (uint8_t)0x55U, + (uint8_t)0x3DU, (uint8_t)0xEDU, (uint8_t)0x1AU, (uint8_t)0xF3U, (uint8_t)0xB5U, (uint8_t)0x57U, + (uint8_t)0x13U, (uint8_t)0x5EU, (uint8_t)0x7FU, (uint8_t)0x57U, (uint8_t)0xC9U, (uint8_t)0x35U, + (uint8_t)0x98U, (uint8_t)0x4FU, (uint8_t)0x0CU, (uint8_t)0x70U, (uint8_t)0xE0U, (uint8_t)0xE6U, + (uint8_t)0x8BU, (uint8_t)0x77U, (uint8_t)0xE2U, (uint8_t)0xA6U, (uint8_t)0x89U, (uint8_t)0xDAU, + (uint8_t)0xF3U, (uint8_t)0xEFU, (uint8_t)0xE8U, (uint8_t)0x72U, (uint8_t)0x1DU, (uint8_t)0xF1U, + (uint8_t)0x58U, (uint8_t)0xA1U, (uint8_t)0x36U, (uint8_t)0xADU, (uint8_t)0xE7U, (uint8_t)0x35U, + (uint8_t)0x30U, (uint8_t)0xACU, (uint8_t)0xCAU, (uint8_t)0x4FU, (uint8_t)0x48U, (uint8_t)0x3AU, + (uint8_t)0x79U, (uint8_t)0x7AU, (uint8_t)0xBCU, (uint8_t)0x0AU, (uint8_t)0xB1U, (uint8_t)0x82U, + (uint8_t)0xB3U, (uint8_t)0x24U, (uint8_t)0xFBU, (uint8_t)0x61U, (uint8_t)0xD1U, (uint8_t)0x08U, + (uint8_t)0xA9U, (uint8_t)0x4BU, (uint8_t)0xB2U, (uint8_t)0xC8U, (uint8_t)0xE3U, (uint8_t)0xFBU, + (uint8_t)0xB9U, 
(uint8_t)0x6AU, (uint8_t)0xDAU, (uint8_t)0xB7U, (uint8_t)0x60U, (uint8_t)0xD7U, + (uint8_t)0xF4U, (uint8_t)0x68U, (uint8_t)0x1DU, (uint8_t)0x4FU, (uint8_t)0x42U, (uint8_t)0xA3U, + (uint8_t)0xDEU, (uint8_t)0x39U, (uint8_t)0x4DU, (uint8_t)0xF4U, (uint8_t)0xAEU, (uint8_t)0x56U, + (uint8_t)0xEDU, (uint8_t)0xE7U, (uint8_t)0x63U, (uint8_t)0x72U, (uint8_t)0xBBU, (uint8_t)0x19U, + (uint8_t)0x0BU, (uint8_t)0x07U, (uint8_t)0xA7U, (uint8_t)0xC8U, (uint8_t)0xEEU, (uint8_t)0x0AU, + (uint8_t)0x6DU, (uint8_t)0x70U, (uint8_t)0x9EU, (uint8_t)0x02U, (uint8_t)0xFCU, (uint8_t)0xE1U, + (uint8_t)0xCDU, (uint8_t)0xF7U, (uint8_t)0xE2U, (uint8_t)0xECU, (uint8_t)0xC0U, (uint8_t)0x34U, + (uint8_t)0x04U, (uint8_t)0xCDU, (uint8_t)0x28U, (uint8_t)0x34U, (uint8_t)0x2FU, (uint8_t)0x61U, + (uint8_t)0x91U, (uint8_t)0x72U, (uint8_t)0xFEU, (uint8_t)0x9CU, (uint8_t)0xE9U, (uint8_t)0x85U, + (uint8_t)0x83U, (uint8_t)0xFFU, (uint8_t)0x8EU, (uint8_t)0x4FU, (uint8_t)0x12U, (uint8_t)0x32U, + (uint8_t)0xEEU, (uint8_t)0xF2U, (uint8_t)0x81U, (uint8_t)0x83U, (uint8_t)0xC3U, (uint8_t)0xFEU, + (uint8_t)0x3BU, (uint8_t)0x1BU, (uint8_t)0x4CU, (uint8_t)0x6FU, (uint8_t)0xADU, (uint8_t)0x73U, + (uint8_t)0x3BU, (uint8_t)0xB5U, (uint8_t)0xFCU, (uint8_t)0xBCU, (uint8_t)0x2EU, (uint8_t)0xC2U, + (uint8_t)0x20U, (uint8_t)0x05U, (uint8_t)0xC5U, (uint8_t)0x8EU, (uint8_t)0xF1U, (uint8_t)0x83U, + (uint8_t)0x7DU, (uint8_t)0x16U, (uint8_t)0x83U, (uint8_t)0xB2U, (uint8_t)0xC6U, (uint8_t)0xF3U, + (uint8_t)0x4AU, (uint8_t)0x26U, (uint8_t)0xC1U, (uint8_t)0xB2U, (uint8_t)0xEFU, (uint8_t)0xFAU, + (uint8_t)0x88U, (uint8_t)0x6BU, (uint8_t)0x42U, (uint8_t)0x38U, (uint8_t)0x61U, (uint8_t)0x1FU, + (uint8_t)0xCFU, (uint8_t)0xDCU, (uint8_t)0xDEU, (uint8_t)0x35U, (uint8_t)0x5BU, (uint8_t)0x3BU, + (uint8_t)0x65U, (uint8_t)0x19U, (uint8_t)0x03U, (uint8_t)0x5BU, (uint8_t)0xBCU, (uint8_t)0x34U, + (uint8_t)0xF4U, (uint8_t)0xDEU, (uint8_t)0xF9U, (uint8_t)0x9CU, (uint8_t)0x02U, (uint8_t)0x38U, + (uint8_t)0x61U, (uint8_t)0xB4U, (uint8_t)0x6FU, 
(uint8_t)0xC9U, (uint8_t)0xD6U, (uint8_t)0xE6U, + (uint8_t)0xC9U, (uint8_t)0x07U, (uint8_t)0x7AU, (uint8_t)0xD9U, (uint8_t)0x1DU, (uint8_t)0x26U, + (uint8_t)0x91U, (uint8_t)0xF7U, (uint8_t)0xF7U, (uint8_t)0xEEU, (uint8_t)0x59U, (uint8_t)0x8CU, + (uint8_t)0xB0U, (uint8_t)0xFAU, (uint8_t)0xC1U, (uint8_t)0x86U, (uint8_t)0xD9U, (uint8_t)0x1CU, + (uint8_t)0xAEU, (uint8_t)0xFEU, (uint8_t)0x13U, (uint8_t)0x09U, (uint8_t)0x85U, (uint8_t)0x13U, + (uint8_t)0x92U, (uint8_t)0x70U, (uint8_t)0xB4U, (uint8_t)0x13U, (uint8_t)0x0CU, (uint8_t)0x93U, + (uint8_t)0xBCU, (uint8_t)0x43U, (uint8_t)0x79U, (uint8_t)0x44U, (uint8_t)0xF4U, (uint8_t)0xFDU, + (uint8_t)0x44U, (uint8_t)0x52U, (uint8_t)0xE2U, (uint8_t)0xD7U, (uint8_t)0x4DU, (uint8_t)0xD3U, + (uint8_t)0x64U, (uint8_t)0xF2U, (uint8_t)0xE2U, (uint8_t)0x1EU, (uint8_t)0x71U, (uint8_t)0xF5U, + (uint8_t)0x4BU, (uint8_t)0xFFU, (uint8_t)0x5CU, (uint8_t)0xAEU, (uint8_t)0x82U, (uint8_t)0xABU, + (uint8_t)0x9CU, (uint8_t)0x9DU, (uint8_t)0xF6U, (uint8_t)0x9EU, (uint8_t)0xE8U, (uint8_t)0x6DU, + (uint8_t)0x2BU, (uint8_t)0xC5U, (uint8_t)0x22U, (uint8_t)0x36U, (uint8_t)0x3AU, (uint8_t)0x0DU, + (uint8_t)0xABU, (uint8_t)0xC5U, (uint8_t)0x21U, (uint8_t)0x97U, (uint8_t)0x9BU, (uint8_t)0x0DU, + (uint8_t)0xEAU, (uint8_t)0xDAU, (uint8_t)0x1DU, (uint8_t)0xBFU, (uint8_t)0x9AU, (uint8_t)0x42U, + (uint8_t)0xD5U, (uint8_t)0xC4U, (uint8_t)0x48U, (uint8_t)0x4EU, (uint8_t)0x0AU, (uint8_t)0xBCU, + (uint8_t)0xD0U, (uint8_t)0x6BU, (uint8_t)0xFAU, (uint8_t)0x53U, (uint8_t)0xDDU, (uint8_t)0xEFU, + (uint8_t)0x3CU, (uint8_t)0x1BU, (uint8_t)0x20U, (uint8_t)0xEEU, (uint8_t)0x3FU, (uint8_t)0xD5U, + (uint8_t)0x9DU, (uint8_t)0x7CU, (uint8_t)0x25U, (uint8_t)0xE4U, (uint8_t)0x1DU, (uint8_t)0x2BU, + (uint8_t)0x66U, (uint8_t)0x9EU, (uint8_t)0x1EU, (uint8_t)0xF1U, (uint8_t)0x6EU, (uint8_t)0x6FU, + (uint8_t)0x52U, (uint8_t)0xC3U, (uint8_t)0x16U, (uint8_t)0x4DU, (uint8_t)0xF4U, (uint8_t)0xFBU, + (uint8_t)0x79U, (uint8_t)0x30U, (uint8_t)0xE9U, (uint8_t)0xE4U, (uint8_t)0xE5U, 
(uint8_t)0x88U, + (uint8_t)0x57U, (uint8_t)0xB6U, (uint8_t)0xACU, (uint8_t)0x7DU, (uint8_t)0x5FU, (uint8_t)0x42U, + (uint8_t)0xD6U, (uint8_t)0x9FU, (uint8_t)0x6DU, (uint8_t)0x18U, (uint8_t)0x77U, (uint8_t)0x63U, + (uint8_t)0xCFU, (uint8_t)0x1DU, (uint8_t)0x55U, (uint8_t)0x03U, (uint8_t)0x40U, (uint8_t)0x04U, + (uint8_t)0x87U, (uint8_t)0xF5U, (uint8_t)0x5BU, (uint8_t)0xA5U, (uint8_t)0x7EU, (uint8_t)0x31U, + (uint8_t)0xCCU, (uint8_t)0x7AU, (uint8_t)0x71U, (uint8_t)0x35U, (uint8_t)0xC8U, (uint8_t)0x86U, + (uint8_t)0xEFU, (uint8_t)0xB4U, (uint8_t)0x31U, (uint8_t)0x8AU, (uint8_t)0xEDU, (uint8_t)0x6AU, + (uint8_t)0x1EU, (uint8_t)0x01U, (uint8_t)0x2DU, (uint8_t)0x9EU, (uint8_t)0x68U, (uint8_t)0x32U, + (uint8_t)0xA9U, (uint8_t)0x07U, (uint8_t)0x60U, (uint8_t)0x0AU, (uint8_t)0x91U, (uint8_t)0x81U, + (uint8_t)0x30U, (uint8_t)0xC4U, (uint8_t)0x6DU, (uint8_t)0xC7U, (uint8_t)0x78U, (uint8_t)0xF9U, + (uint8_t)0x71U, (uint8_t)0xADU, (uint8_t)0x00U, (uint8_t)0x38U, (uint8_t)0x09U, (uint8_t)0x29U, + (uint8_t)0x99U, (uint8_t)0xA3U, (uint8_t)0x33U, (uint8_t)0xCBU, (uint8_t)0x8BU, (uint8_t)0x7AU, + (uint8_t)0x1AU, (uint8_t)0x1DU, (uint8_t)0xB9U, (uint8_t)0x3DU, (uint8_t)0x71U, (uint8_t)0x40U, + (uint8_t)0x00U, (uint8_t)0x3CU, (uint8_t)0x2AU, (uint8_t)0x4EU, (uint8_t)0xCEU, (uint8_t)0xA9U, + (uint8_t)0xF9U, (uint8_t)0x8DU, (uint8_t)0x0AU, (uint8_t)0xCCU, (uint8_t)0x0AU, (uint8_t)0x82U, + (uint8_t)0x91U, (uint8_t)0xCDU, (uint8_t)0xCEU, (uint8_t)0xC9U, (uint8_t)0x7DU, (uint8_t)0xCFU, + (uint8_t)0x8EU, (uint8_t)0xC9U, (uint8_t)0xB5U, (uint8_t)0x5AU, (uint8_t)0x7FU, (uint8_t)0x88U, + (uint8_t)0xA4U, (uint8_t)0x6BU, (uint8_t)0x4DU, (uint8_t)0xB5U, (uint8_t)0xA8U, (uint8_t)0x51U, + (uint8_t)0xF4U, (uint8_t)0x41U, (uint8_t)0x82U, (uint8_t)0xE1U, (uint8_t)0xC6U, (uint8_t)0x8AU, + (uint8_t)0x00U, (uint8_t)0x7EU, (uint8_t)0x5EU, (uint8_t)0x0DU, (uint8_t)0xD9U, (uint8_t)0x02U, + (uint8_t)0x0BU, (uint8_t)0xFDU, (uint8_t)0x64U, (uint8_t)0xB6U, (uint8_t)0x45U, (uint8_t)0x03U, + (uint8_t)0x6CU, 
(uint8_t)0x7AU, (uint8_t)0x4EU, (uint8_t)0x67U, (uint8_t)0x7DU, (uint8_t)0x2CU, + (uint8_t)0x38U, (uint8_t)0x53U, (uint8_t)0x2AU, (uint8_t)0x3AU, (uint8_t)0x23U, (uint8_t)0xBAU, + (uint8_t)0x44U, (uint8_t)0x42U, (uint8_t)0xCAU, (uint8_t)0xF5U, (uint8_t)0x3EU, (uint8_t)0xA6U, + (uint8_t)0x3BU, (uint8_t)0xB4U, (uint8_t)0x54U, (uint8_t)0x32U, (uint8_t)0x9BU, (uint8_t)0x76U, + (uint8_t)0x24U, (uint8_t)0xC8U, (uint8_t)0x91U, (uint8_t)0x7BU, (uint8_t)0xDDU, (uint8_t)0x64U, + (uint8_t)0xB1U, (uint8_t)0xC0U, (uint8_t)0xFDU, (uint8_t)0x4CU, (uint8_t)0xB3U, (uint8_t)0x8EU, + (uint8_t)0x8CU, (uint8_t)0x33U, (uint8_t)0x4CU, (uint8_t)0x70U, (uint8_t)0x1CU, (uint8_t)0x3AU, + (uint8_t)0xCDU, (uint8_t)0xADU, (uint8_t)0x06U, (uint8_t)0x57U, (uint8_t)0xFCU, (uint8_t)0xCFU, + (uint8_t)0xECU, (uint8_t)0x71U, (uint8_t)0x9BU, (uint8_t)0x1FU, (uint8_t)0x5CU, (uint8_t)0x3EU, + (uint8_t)0x4EU, (uint8_t)0x46U, (uint8_t)0x04U, (uint8_t)0x1FU, (uint8_t)0x38U, (uint8_t)0x81U, + (uint8_t)0x47U, (uint8_t)0xFBU, (uint8_t)0x4CU, (uint8_t)0xFDU, (uint8_t)0xB4U, (uint8_t)0x77U, + (uint8_t)0xA5U, (uint8_t)0x24U, (uint8_t)0x71U, (uint8_t)0xF7U, (uint8_t)0xA9U, (uint8_t)0xA9U, + (uint8_t)0x69U, (uint8_t)0x10U, (uint8_t)0xB8U, (uint8_t)0x55U, (uint8_t)0x32U, (uint8_t)0x2EU, + (uint8_t)0xDBU, (uint8_t)0x63U, (uint8_t)0x40U, (uint8_t)0xD8U, (uint8_t)0xA0U, (uint8_t)0x0EU, + (uint8_t)0xF0U, (uint8_t)0x92U, (uint8_t)0x35U, (uint8_t)0x05U, (uint8_t)0x11U, (uint8_t)0xE3U, + (uint8_t)0x0AU, (uint8_t)0xBEU, (uint8_t)0xC1U, (uint8_t)0xFFU, (uint8_t)0xF9U, (uint8_t)0xE3U, + (uint8_t)0xA2U, (uint8_t)0x6EU, (uint8_t)0x7FU, (uint8_t)0xB2U, (uint8_t)0x9FU, (uint8_t)0x8CU, + (uint8_t)0x18U, (uint8_t)0x30U, (uint8_t)0x23U, (uint8_t)0xC3U, (uint8_t)0x58U, (uint8_t)0x7EU, + (uint8_t)0x38U, (uint8_t)0xDAU, (uint8_t)0x00U, (uint8_t)0x77U, (uint8_t)0xD9U, (uint8_t)0xB4U, + (uint8_t)0x76U, (uint8_t)0x3EU, (uint8_t)0x4EU, (uint8_t)0x4BU, (uint8_t)0x94U, (uint8_t)0xB2U, + (uint8_t)0xBBU, (uint8_t)0xC1U, (uint8_t)0x94U, 
(uint8_t)0xC6U, (uint8_t)0x65U, (uint8_t)0x1EU, + (uint8_t)0x77U, (uint8_t)0xCAU, (uint8_t)0xF9U, (uint8_t)0x92U, (uint8_t)0xEEU, (uint8_t)0xAAU, + (uint8_t)0xC0U, (uint8_t)0x23U, (uint8_t)0x2AU, (uint8_t)0x28U, (uint8_t)0x1BU, (uint8_t)0xF6U, + (uint8_t)0xB3U, (uint8_t)0xA7U, (uint8_t)0x39U, (uint8_t)0xC1U, (uint8_t)0x22U, (uint8_t)0x61U, + (uint8_t)0x16U, (uint8_t)0x82U, (uint8_t)0x0AU, (uint8_t)0xE8U, (uint8_t)0xDBU, (uint8_t)0x58U, + (uint8_t)0x47U, (uint8_t)0xA6U, (uint8_t)0x7CU, (uint8_t)0xBEU, (uint8_t)0xF9U, (uint8_t)0xC9U, + (uint8_t)0x09U, (uint8_t)0x1BU, (uint8_t)0x46U, (uint8_t)0x2DU, (uint8_t)0x53U, (uint8_t)0x8CU, + (uint8_t)0xD7U, (uint8_t)0x2BU, (uint8_t)0x03U, (uint8_t)0x74U, (uint8_t)0x6AU, (uint8_t)0xE7U, + (uint8_t)0x7FU, (uint8_t)0x5EU, (uint8_t)0x62U, (uint8_t)0x29U, (uint8_t)0x2CU, (uint8_t)0x31U, + (uint8_t)0x15U, (uint8_t)0x62U, (uint8_t)0xA8U, (uint8_t)0x46U, (uint8_t)0x50U, (uint8_t)0x5DU, + (uint8_t)0xC8U, (uint8_t)0x2DU, (uint8_t)0xB8U, (uint8_t)0x54U, (uint8_t)0x33U, (uint8_t)0x8AU, + (uint8_t)0xE4U, (uint8_t)0x9FU, (uint8_t)0x52U, (uint8_t)0x35U, (uint8_t)0xC9U, (uint8_t)0x5BU, + (uint8_t)0x91U, (uint8_t)0x17U, (uint8_t)0x8CU, (uint8_t)0xCFU, (uint8_t)0x2DU, (uint8_t)0xD5U, + (uint8_t)0xCAU, (uint8_t)0xCEU, (uint8_t)0xF4U, (uint8_t)0x03U, (uint8_t)0xECU, (uint8_t)0x9DU, + (uint8_t)0x18U, (uint8_t)0x10U, (uint8_t)0xC6U, (uint8_t)0x27U, (uint8_t)0x2BU, (uint8_t)0x04U, + (uint8_t)0x5BU, (uint8_t)0x3BU, (uint8_t)0x71U, (uint8_t)0xF9U, (uint8_t)0xDCU, (uint8_t)0x6BU, + (uint8_t)0x80U, (uint8_t)0xD6U, (uint8_t)0x3FU, (uint8_t)0xDDU, (uint8_t)0x4AU, (uint8_t)0x8EU, + (uint8_t)0x9AU, (uint8_t)0xDBU, (uint8_t)0x1EU, (uint8_t)0x69U, (uint8_t)0x62U, (uint8_t)0xA6U, + (uint8_t)0x95U, (uint8_t)0x26U, (uint8_t)0xD4U, (uint8_t)0x31U, (uint8_t)0x61U, (uint8_t)0xC1U, + (uint8_t)0xA4U, (uint8_t)0x1DU, (uint8_t)0x57U, (uint8_t)0x0DU, (uint8_t)0x79U, (uint8_t)0x38U, + (uint8_t)0xDAU, (uint8_t)0xD4U, (uint8_t)0xA4U, (uint8_t)0x0EU, (uint8_t)0x32U, 
(uint8_t)0x9CU, + (uint8_t)0xD0U, (uint8_t)0xE4U, (uint8_t)0x0EU, (uint8_t)0x65U, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU + }; + +static const +uint8_t +Hacl_Impl_FFDHE_Constants_ffdhe_p8192[1024U] = + { + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xADU, (uint8_t)0xF8U, (uint8_t)0x54U, (uint8_t)0x58U, + (uint8_t)0xA2U, (uint8_t)0xBBU, (uint8_t)0x4AU, (uint8_t)0x9AU, (uint8_t)0xAFU, (uint8_t)0xDCU, + (uint8_t)0x56U, (uint8_t)0x20U, (uint8_t)0x27U, (uint8_t)0x3DU, (uint8_t)0x3CU, (uint8_t)0xF1U, + (uint8_t)0xD8U, (uint8_t)0xB9U, (uint8_t)0xC5U, (uint8_t)0x83U, (uint8_t)0xCEU, (uint8_t)0x2DU, + (uint8_t)0x36U, (uint8_t)0x95U, (uint8_t)0xA9U, (uint8_t)0xE1U, (uint8_t)0x36U, (uint8_t)0x41U, + (uint8_t)0x14U, (uint8_t)0x64U, (uint8_t)0x33U, (uint8_t)0xFBU, (uint8_t)0xCCU, (uint8_t)0x93U, + (uint8_t)0x9DU, (uint8_t)0xCEU, (uint8_t)0x24U, (uint8_t)0x9BU, (uint8_t)0x3EU, (uint8_t)0xF9U, + (uint8_t)0x7DU, (uint8_t)0x2FU, (uint8_t)0xE3U, (uint8_t)0x63U, (uint8_t)0x63U, (uint8_t)0x0CU, + (uint8_t)0x75U, (uint8_t)0xD8U, (uint8_t)0xF6U, (uint8_t)0x81U, (uint8_t)0xB2U, (uint8_t)0x02U, + (uint8_t)0xAEU, (uint8_t)0xC4U, (uint8_t)0x61U, (uint8_t)0x7AU, (uint8_t)0xD3U, (uint8_t)0xDFU, + (uint8_t)0x1EU, (uint8_t)0xD5U, (uint8_t)0xD5U, (uint8_t)0xFDU, (uint8_t)0x65U, (uint8_t)0x61U, + (uint8_t)0x24U, (uint8_t)0x33U, (uint8_t)0xF5U, (uint8_t)0x1FU, (uint8_t)0x5FU, (uint8_t)0x06U, + (uint8_t)0x6EU, (uint8_t)0xD0U, (uint8_t)0x85U, (uint8_t)0x63U, (uint8_t)0x65U, (uint8_t)0x55U, + (uint8_t)0x3DU, (uint8_t)0xEDU, (uint8_t)0x1AU, (uint8_t)0xF3U, (uint8_t)0xB5U, (uint8_t)0x57U, + (uint8_t)0x13U, (uint8_t)0x5EU, (uint8_t)0x7FU, (uint8_t)0x57U, (uint8_t)0xC9U, (uint8_t)0x35U, + (uint8_t)0x98U, (uint8_t)0x4FU, (uint8_t)0x0CU, (uint8_t)0x70U, (uint8_t)0xE0U, (uint8_t)0xE6U, + (uint8_t)0x8BU, (uint8_t)0x77U, 
(uint8_t)0xE2U, (uint8_t)0xA6U, (uint8_t)0x89U, (uint8_t)0xDAU, + (uint8_t)0xF3U, (uint8_t)0xEFU, (uint8_t)0xE8U, (uint8_t)0x72U, (uint8_t)0x1DU, (uint8_t)0xF1U, + (uint8_t)0x58U, (uint8_t)0xA1U, (uint8_t)0x36U, (uint8_t)0xADU, (uint8_t)0xE7U, (uint8_t)0x35U, + (uint8_t)0x30U, (uint8_t)0xACU, (uint8_t)0xCAU, (uint8_t)0x4FU, (uint8_t)0x48U, (uint8_t)0x3AU, + (uint8_t)0x79U, (uint8_t)0x7AU, (uint8_t)0xBCU, (uint8_t)0x0AU, (uint8_t)0xB1U, (uint8_t)0x82U, + (uint8_t)0xB3U, (uint8_t)0x24U, (uint8_t)0xFBU, (uint8_t)0x61U, (uint8_t)0xD1U, (uint8_t)0x08U, + (uint8_t)0xA9U, (uint8_t)0x4BU, (uint8_t)0xB2U, (uint8_t)0xC8U, (uint8_t)0xE3U, (uint8_t)0xFBU, + (uint8_t)0xB9U, (uint8_t)0x6AU, (uint8_t)0xDAU, (uint8_t)0xB7U, (uint8_t)0x60U, (uint8_t)0xD7U, + (uint8_t)0xF4U, (uint8_t)0x68U, (uint8_t)0x1DU, (uint8_t)0x4FU, (uint8_t)0x42U, (uint8_t)0xA3U, + (uint8_t)0xDEU, (uint8_t)0x39U, (uint8_t)0x4DU, (uint8_t)0xF4U, (uint8_t)0xAEU, (uint8_t)0x56U, + (uint8_t)0xEDU, (uint8_t)0xE7U, (uint8_t)0x63U, (uint8_t)0x72U, (uint8_t)0xBBU, (uint8_t)0x19U, + (uint8_t)0x0BU, (uint8_t)0x07U, (uint8_t)0xA7U, (uint8_t)0xC8U, (uint8_t)0xEEU, (uint8_t)0x0AU, + (uint8_t)0x6DU, (uint8_t)0x70U, (uint8_t)0x9EU, (uint8_t)0x02U, (uint8_t)0xFCU, (uint8_t)0xE1U, + (uint8_t)0xCDU, (uint8_t)0xF7U, (uint8_t)0xE2U, (uint8_t)0xECU, (uint8_t)0xC0U, (uint8_t)0x34U, + (uint8_t)0x04U, (uint8_t)0xCDU, (uint8_t)0x28U, (uint8_t)0x34U, (uint8_t)0x2FU, (uint8_t)0x61U, + (uint8_t)0x91U, (uint8_t)0x72U, (uint8_t)0xFEU, (uint8_t)0x9CU, (uint8_t)0xE9U, (uint8_t)0x85U, + (uint8_t)0x83U, (uint8_t)0xFFU, (uint8_t)0x8EU, (uint8_t)0x4FU, (uint8_t)0x12U, (uint8_t)0x32U, + (uint8_t)0xEEU, (uint8_t)0xF2U, (uint8_t)0x81U, (uint8_t)0x83U, (uint8_t)0xC3U, (uint8_t)0xFEU, + (uint8_t)0x3BU, (uint8_t)0x1BU, (uint8_t)0x4CU, (uint8_t)0x6FU, (uint8_t)0xADU, (uint8_t)0x73U, + (uint8_t)0x3BU, (uint8_t)0xB5U, (uint8_t)0xFCU, (uint8_t)0xBCU, (uint8_t)0x2EU, (uint8_t)0xC2U, + (uint8_t)0x20U, (uint8_t)0x05U, (uint8_t)0xC5U, (uint8_t)0x8EU, 
(uint8_t)0xF1U, (uint8_t)0x83U, + (uint8_t)0x7DU, (uint8_t)0x16U, (uint8_t)0x83U, (uint8_t)0xB2U, (uint8_t)0xC6U, (uint8_t)0xF3U, + (uint8_t)0x4AU, (uint8_t)0x26U, (uint8_t)0xC1U, (uint8_t)0xB2U, (uint8_t)0xEFU, (uint8_t)0xFAU, + (uint8_t)0x88U, (uint8_t)0x6BU, (uint8_t)0x42U, (uint8_t)0x38U, (uint8_t)0x61U, (uint8_t)0x1FU, + (uint8_t)0xCFU, (uint8_t)0xDCU, (uint8_t)0xDEU, (uint8_t)0x35U, (uint8_t)0x5BU, (uint8_t)0x3BU, + (uint8_t)0x65U, (uint8_t)0x19U, (uint8_t)0x03U, (uint8_t)0x5BU, (uint8_t)0xBCU, (uint8_t)0x34U, + (uint8_t)0xF4U, (uint8_t)0xDEU, (uint8_t)0xF9U, (uint8_t)0x9CU, (uint8_t)0x02U, (uint8_t)0x38U, + (uint8_t)0x61U, (uint8_t)0xB4U, (uint8_t)0x6FU, (uint8_t)0xC9U, (uint8_t)0xD6U, (uint8_t)0xE6U, + (uint8_t)0xC9U, (uint8_t)0x07U, (uint8_t)0x7AU, (uint8_t)0xD9U, (uint8_t)0x1DU, (uint8_t)0x26U, + (uint8_t)0x91U, (uint8_t)0xF7U, (uint8_t)0xF7U, (uint8_t)0xEEU, (uint8_t)0x59U, (uint8_t)0x8CU, + (uint8_t)0xB0U, (uint8_t)0xFAU, (uint8_t)0xC1U, (uint8_t)0x86U, (uint8_t)0xD9U, (uint8_t)0x1CU, + (uint8_t)0xAEU, (uint8_t)0xFEU, (uint8_t)0x13U, (uint8_t)0x09U, (uint8_t)0x85U, (uint8_t)0x13U, + (uint8_t)0x92U, (uint8_t)0x70U, (uint8_t)0xB4U, (uint8_t)0x13U, (uint8_t)0x0CU, (uint8_t)0x93U, + (uint8_t)0xBCU, (uint8_t)0x43U, (uint8_t)0x79U, (uint8_t)0x44U, (uint8_t)0xF4U, (uint8_t)0xFDU, + (uint8_t)0x44U, (uint8_t)0x52U, (uint8_t)0xE2U, (uint8_t)0xD7U, (uint8_t)0x4DU, (uint8_t)0xD3U, + (uint8_t)0x64U, (uint8_t)0xF2U, (uint8_t)0xE2U, (uint8_t)0x1EU, (uint8_t)0x71U, (uint8_t)0xF5U, + (uint8_t)0x4BU, (uint8_t)0xFFU, (uint8_t)0x5CU, (uint8_t)0xAEU, (uint8_t)0x82U, (uint8_t)0xABU, + (uint8_t)0x9CU, (uint8_t)0x9DU, (uint8_t)0xF6U, (uint8_t)0x9EU, (uint8_t)0xE8U, (uint8_t)0x6DU, + (uint8_t)0x2BU, (uint8_t)0xC5U, (uint8_t)0x22U, (uint8_t)0x36U, (uint8_t)0x3AU, (uint8_t)0x0DU, + (uint8_t)0xABU, (uint8_t)0xC5U, (uint8_t)0x21U, (uint8_t)0x97U, (uint8_t)0x9BU, (uint8_t)0x0DU, + (uint8_t)0xEAU, (uint8_t)0xDAU, (uint8_t)0x1DU, (uint8_t)0xBFU, (uint8_t)0x9AU, (uint8_t)0x42U, + 
(uint8_t)0xD5U, (uint8_t)0xC4U, (uint8_t)0x48U, (uint8_t)0x4EU, (uint8_t)0x0AU, (uint8_t)0xBCU, + (uint8_t)0xD0U, (uint8_t)0x6BU, (uint8_t)0xFAU, (uint8_t)0x53U, (uint8_t)0xDDU, (uint8_t)0xEFU, + (uint8_t)0x3CU, (uint8_t)0x1BU, (uint8_t)0x20U, (uint8_t)0xEEU, (uint8_t)0x3FU, (uint8_t)0xD5U, + (uint8_t)0x9DU, (uint8_t)0x7CU, (uint8_t)0x25U, (uint8_t)0xE4U, (uint8_t)0x1DU, (uint8_t)0x2BU, + (uint8_t)0x66U, (uint8_t)0x9EU, (uint8_t)0x1EU, (uint8_t)0xF1U, (uint8_t)0x6EU, (uint8_t)0x6FU, + (uint8_t)0x52U, (uint8_t)0xC3U, (uint8_t)0x16U, (uint8_t)0x4DU, (uint8_t)0xF4U, (uint8_t)0xFBU, + (uint8_t)0x79U, (uint8_t)0x30U, (uint8_t)0xE9U, (uint8_t)0xE4U, (uint8_t)0xE5U, (uint8_t)0x88U, + (uint8_t)0x57U, (uint8_t)0xB6U, (uint8_t)0xACU, (uint8_t)0x7DU, (uint8_t)0x5FU, (uint8_t)0x42U, + (uint8_t)0xD6U, (uint8_t)0x9FU, (uint8_t)0x6DU, (uint8_t)0x18U, (uint8_t)0x77U, (uint8_t)0x63U, + (uint8_t)0xCFU, (uint8_t)0x1DU, (uint8_t)0x55U, (uint8_t)0x03U, (uint8_t)0x40U, (uint8_t)0x04U, + (uint8_t)0x87U, (uint8_t)0xF5U, (uint8_t)0x5BU, (uint8_t)0xA5U, (uint8_t)0x7EU, (uint8_t)0x31U, + (uint8_t)0xCCU, (uint8_t)0x7AU, (uint8_t)0x71U, (uint8_t)0x35U, (uint8_t)0xC8U, (uint8_t)0x86U, + (uint8_t)0xEFU, (uint8_t)0xB4U, (uint8_t)0x31U, (uint8_t)0x8AU, (uint8_t)0xEDU, (uint8_t)0x6AU, + (uint8_t)0x1EU, (uint8_t)0x01U, (uint8_t)0x2DU, (uint8_t)0x9EU, (uint8_t)0x68U, (uint8_t)0x32U, + (uint8_t)0xA9U, (uint8_t)0x07U, (uint8_t)0x60U, (uint8_t)0x0AU, (uint8_t)0x91U, (uint8_t)0x81U, + (uint8_t)0x30U, (uint8_t)0xC4U, (uint8_t)0x6DU, (uint8_t)0xC7U, (uint8_t)0x78U, (uint8_t)0xF9U, + (uint8_t)0x71U, (uint8_t)0xADU, (uint8_t)0x00U, (uint8_t)0x38U, (uint8_t)0x09U, (uint8_t)0x29U, + (uint8_t)0x99U, (uint8_t)0xA3U, (uint8_t)0x33U, (uint8_t)0xCBU, (uint8_t)0x8BU, (uint8_t)0x7AU, + (uint8_t)0x1AU, (uint8_t)0x1DU, (uint8_t)0xB9U, (uint8_t)0x3DU, (uint8_t)0x71U, (uint8_t)0x40U, + (uint8_t)0x00U, (uint8_t)0x3CU, (uint8_t)0x2AU, (uint8_t)0x4EU, (uint8_t)0xCEU, (uint8_t)0xA9U, + (uint8_t)0xF9U, (uint8_t)0x8DU, 
(uint8_t)0x0AU, (uint8_t)0xCCU, (uint8_t)0x0AU, (uint8_t)0x82U, + (uint8_t)0x91U, (uint8_t)0xCDU, (uint8_t)0xCEU, (uint8_t)0xC9U, (uint8_t)0x7DU, (uint8_t)0xCFU, + (uint8_t)0x8EU, (uint8_t)0xC9U, (uint8_t)0xB5U, (uint8_t)0x5AU, (uint8_t)0x7FU, (uint8_t)0x88U, + (uint8_t)0xA4U, (uint8_t)0x6BU, (uint8_t)0x4DU, (uint8_t)0xB5U, (uint8_t)0xA8U, (uint8_t)0x51U, + (uint8_t)0xF4U, (uint8_t)0x41U, (uint8_t)0x82U, (uint8_t)0xE1U, (uint8_t)0xC6U, (uint8_t)0x8AU, + (uint8_t)0x00U, (uint8_t)0x7EU, (uint8_t)0x5EU, (uint8_t)0x0DU, (uint8_t)0xD9U, (uint8_t)0x02U, + (uint8_t)0x0BU, (uint8_t)0xFDU, (uint8_t)0x64U, (uint8_t)0xB6U, (uint8_t)0x45U, (uint8_t)0x03U, + (uint8_t)0x6CU, (uint8_t)0x7AU, (uint8_t)0x4EU, (uint8_t)0x67U, (uint8_t)0x7DU, (uint8_t)0x2CU, + (uint8_t)0x38U, (uint8_t)0x53U, (uint8_t)0x2AU, (uint8_t)0x3AU, (uint8_t)0x23U, (uint8_t)0xBAU, + (uint8_t)0x44U, (uint8_t)0x42U, (uint8_t)0xCAU, (uint8_t)0xF5U, (uint8_t)0x3EU, (uint8_t)0xA6U, + (uint8_t)0x3BU, (uint8_t)0xB4U, (uint8_t)0x54U, (uint8_t)0x32U, (uint8_t)0x9BU, (uint8_t)0x76U, + (uint8_t)0x24U, (uint8_t)0xC8U, (uint8_t)0x91U, (uint8_t)0x7BU, (uint8_t)0xDDU, (uint8_t)0x64U, + (uint8_t)0xB1U, (uint8_t)0xC0U, (uint8_t)0xFDU, (uint8_t)0x4CU, (uint8_t)0xB3U, (uint8_t)0x8EU, + (uint8_t)0x8CU, (uint8_t)0x33U, (uint8_t)0x4CU, (uint8_t)0x70U, (uint8_t)0x1CU, (uint8_t)0x3AU, + (uint8_t)0xCDU, (uint8_t)0xADU, (uint8_t)0x06U, (uint8_t)0x57U, (uint8_t)0xFCU, (uint8_t)0xCFU, + (uint8_t)0xECU, (uint8_t)0x71U, (uint8_t)0x9BU, (uint8_t)0x1FU, (uint8_t)0x5CU, (uint8_t)0x3EU, + (uint8_t)0x4EU, (uint8_t)0x46U, (uint8_t)0x04U, (uint8_t)0x1FU, (uint8_t)0x38U, (uint8_t)0x81U, + (uint8_t)0x47U, (uint8_t)0xFBU, (uint8_t)0x4CU, (uint8_t)0xFDU, (uint8_t)0xB4U, (uint8_t)0x77U, + (uint8_t)0xA5U, (uint8_t)0x24U, (uint8_t)0x71U, (uint8_t)0xF7U, (uint8_t)0xA9U, (uint8_t)0xA9U, + (uint8_t)0x69U, (uint8_t)0x10U, (uint8_t)0xB8U, (uint8_t)0x55U, (uint8_t)0x32U, (uint8_t)0x2EU, + (uint8_t)0xDBU, (uint8_t)0x63U, (uint8_t)0x40U, (uint8_t)0xD8U, 
(uint8_t)0xA0U, (uint8_t)0x0EU, + (uint8_t)0xF0U, (uint8_t)0x92U, (uint8_t)0x35U, (uint8_t)0x05U, (uint8_t)0x11U, (uint8_t)0xE3U, + (uint8_t)0x0AU, (uint8_t)0xBEU, (uint8_t)0xC1U, (uint8_t)0xFFU, (uint8_t)0xF9U, (uint8_t)0xE3U, + (uint8_t)0xA2U, (uint8_t)0x6EU, (uint8_t)0x7FU, (uint8_t)0xB2U, (uint8_t)0x9FU, (uint8_t)0x8CU, + (uint8_t)0x18U, (uint8_t)0x30U, (uint8_t)0x23U, (uint8_t)0xC3U, (uint8_t)0x58U, (uint8_t)0x7EU, + (uint8_t)0x38U, (uint8_t)0xDAU, (uint8_t)0x00U, (uint8_t)0x77U, (uint8_t)0xD9U, (uint8_t)0xB4U, + (uint8_t)0x76U, (uint8_t)0x3EU, (uint8_t)0x4EU, (uint8_t)0x4BU, (uint8_t)0x94U, (uint8_t)0xB2U, + (uint8_t)0xBBU, (uint8_t)0xC1U, (uint8_t)0x94U, (uint8_t)0xC6U, (uint8_t)0x65U, (uint8_t)0x1EU, + (uint8_t)0x77U, (uint8_t)0xCAU, (uint8_t)0xF9U, (uint8_t)0x92U, (uint8_t)0xEEU, (uint8_t)0xAAU, + (uint8_t)0xC0U, (uint8_t)0x23U, (uint8_t)0x2AU, (uint8_t)0x28U, (uint8_t)0x1BU, (uint8_t)0xF6U, + (uint8_t)0xB3U, (uint8_t)0xA7U, (uint8_t)0x39U, (uint8_t)0xC1U, (uint8_t)0x22U, (uint8_t)0x61U, + (uint8_t)0x16U, (uint8_t)0x82U, (uint8_t)0x0AU, (uint8_t)0xE8U, (uint8_t)0xDBU, (uint8_t)0x58U, + (uint8_t)0x47U, (uint8_t)0xA6U, (uint8_t)0x7CU, (uint8_t)0xBEU, (uint8_t)0xF9U, (uint8_t)0xC9U, + (uint8_t)0x09U, (uint8_t)0x1BU, (uint8_t)0x46U, (uint8_t)0x2DU, (uint8_t)0x53U, (uint8_t)0x8CU, + (uint8_t)0xD7U, (uint8_t)0x2BU, (uint8_t)0x03U, (uint8_t)0x74U, (uint8_t)0x6AU, (uint8_t)0xE7U, + (uint8_t)0x7FU, (uint8_t)0x5EU, (uint8_t)0x62U, (uint8_t)0x29U, (uint8_t)0x2CU, (uint8_t)0x31U, + (uint8_t)0x15U, (uint8_t)0x62U, (uint8_t)0xA8U, (uint8_t)0x46U, (uint8_t)0x50U, (uint8_t)0x5DU, + (uint8_t)0xC8U, (uint8_t)0x2DU, (uint8_t)0xB8U, (uint8_t)0x54U, (uint8_t)0x33U, (uint8_t)0x8AU, + (uint8_t)0xE4U, (uint8_t)0x9FU, (uint8_t)0x52U, (uint8_t)0x35U, (uint8_t)0xC9U, (uint8_t)0x5BU, + (uint8_t)0x91U, (uint8_t)0x17U, (uint8_t)0x8CU, (uint8_t)0xCFU, (uint8_t)0x2DU, (uint8_t)0xD5U, + (uint8_t)0xCAU, (uint8_t)0xCEU, (uint8_t)0xF4U, (uint8_t)0x03U, (uint8_t)0xECU, (uint8_t)0x9DU, + 
(uint8_t)0x18U, (uint8_t)0x10U, (uint8_t)0xC6U, (uint8_t)0x27U, (uint8_t)0x2BU, (uint8_t)0x04U, + (uint8_t)0x5BU, (uint8_t)0x3BU, (uint8_t)0x71U, (uint8_t)0xF9U, (uint8_t)0xDCU, (uint8_t)0x6BU, + (uint8_t)0x80U, (uint8_t)0xD6U, (uint8_t)0x3FU, (uint8_t)0xDDU, (uint8_t)0x4AU, (uint8_t)0x8EU, + (uint8_t)0x9AU, (uint8_t)0xDBU, (uint8_t)0x1EU, (uint8_t)0x69U, (uint8_t)0x62U, (uint8_t)0xA6U, + (uint8_t)0x95U, (uint8_t)0x26U, (uint8_t)0xD4U, (uint8_t)0x31U, (uint8_t)0x61U, (uint8_t)0xC1U, + (uint8_t)0xA4U, (uint8_t)0x1DU, (uint8_t)0x57U, (uint8_t)0x0DU, (uint8_t)0x79U, (uint8_t)0x38U, + (uint8_t)0xDAU, (uint8_t)0xD4U, (uint8_t)0xA4U, (uint8_t)0x0EU, (uint8_t)0x32U, (uint8_t)0x9CU, + (uint8_t)0xCFU, (uint8_t)0xF4U, (uint8_t)0x6AU, (uint8_t)0xAAU, (uint8_t)0x36U, (uint8_t)0xADU, + (uint8_t)0x00U, (uint8_t)0x4CU, (uint8_t)0xF6U, (uint8_t)0x00U, (uint8_t)0xC8U, (uint8_t)0x38U, + (uint8_t)0x1EU, (uint8_t)0x42U, (uint8_t)0x5AU, (uint8_t)0x31U, (uint8_t)0xD9U, (uint8_t)0x51U, + (uint8_t)0xAEU, (uint8_t)0x64U, (uint8_t)0xFDU, (uint8_t)0xB2U, (uint8_t)0x3FU, (uint8_t)0xCEU, + (uint8_t)0xC9U, (uint8_t)0x50U, (uint8_t)0x9DU, (uint8_t)0x43U, (uint8_t)0x68U, (uint8_t)0x7FU, + (uint8_t)0xEBU, (uint8_t)0x69U, (uint8_t)0xEDU, (uint8_t)0xD1U, (uint8_t)0xCCU, (uint8_t)0x5EU, + (uint8_t)0x0BU, (uint8_t)0x8CU, (uint8_t)0xC3U, (uint8_t)0xBDU, (uint8_t)0xF6U, (uint8_t)0x4BU, + (uint8_t)0x10U, (uint8_t)0xEFU, (uint8_t)0x86U, (uint8_t)0xB6U, (uint8_t)0x31U, (uint8_t)0x42U, + (uint8_t)0xA3U, (uint8_t)0xABU, (uint8_t)0x88U, (uint8_t)0x29U, (uint8_t)0x55U, (uint8_t)0x5BU, + (uint8_t)0x2FU, (uint8_t)0x74U, (uint8_t)0x7CU, (uint8_t)0x93U, (uint8_t)0x26U, (uint8_t)0x65U, + (uint8_t)0xCBU, (uint8_t)0x2CU, (uint8_t)0x0FU, (uint8_t)0x1CU, (uint8_t)0xC0U, (uint8_t)0x1BU, + (uint8_t)0xD7U, (uint8_t)0x02U, (uint8_t)0x29U, (uint8_t)0x38U, (uint8_t)0x88U, (uint8_t)0x39U, + (uint8_t)0xD2U, (uint8_t)0xAFU, (uint8_t)0x05U, (uint8_t)0xE4U, (uint8_t)0x54U, (uint8_t)0x50U, + (uint8_t)0x4AU, (uint8_t)0xC7U, 
(uint8_t)0x8BU, (uint8_t)0x75U, (uint8_t)0x82U, (uint8_t)0x82U, + (uint8_t)0x28U, (uint8_t)0x46U, (uint8_t)0xC0U, (uint8_t)0xBAU, (uint8_t)0x35U, (uint8_t)0xC3U, + (uint8_t)0x5FU, (uint8_t)0x5CU, (uint8_t)0x59U, (uint8_t)0x16U, (uint8_t)0x0CU, (uint8_t)0xC0U, + (uint8_t)0x46U, (uint8_t)0xFDU, (uint8_t)0x82U, (uint8_t)0x51U, (uint8_t)0x54U, (uint8_t)0x1FU, + (uint8_t)0xC6U, (uint8_t)0x8CU, (uint8_t)0x9CU, (uint8_t)0x86U, (uint8_t)0xB0U, (uint8_t)0x22U, + (uint8_t)0xBBU, (uint8_t)0x70U, (uint8_t)0x99U, (uint8_t)0x87U, (uint8_t)0x6AU, (uint8_t)0x46U, + (uint8_t)0x0EU, (uint8_t)0x74U, (uint8_t)0x51U, (uint8_t)0xA8U, (uint8_t)0xA9U, (uint8_t)0x31U, + (uint8_t)0x09U, (uint8_t)0x70U, (uint8_t)0x3FU, (uint8_t)0xEEU, (uint8_t)0x1CU, (uint8_t)0x21U, + (uint8_t)0x7EU, (uint8_t)0x6CU, (uint8_t)0x38U, (uint8_t)0x26U, (uint8_t)0xE5U, (uint8_t)0x2CU, + (uint8_t)0x51U, (uint8_t)0xAAU, (uint8_t)0x69U, (uint8_t)0x1EU, (uint8_t)0x0EU, (uint8_t)0x42U, + (uint8_t)0x3CU, (uint8_t)0xFCU, (uint8_t)0x99U, (uint8_t)0xE9U, (uint8_t)0xE3U, (uint8_t)0x16U, + (uint8_t)0x50U, (uint8_t)0xC1U, (uint8_t)0x21U, (uint8_t)0x7BU, (uint8_t)0x62U, (uint8_t)0x48U, + (uint8_t)0x16U, (uint8_t)0xCDU, (uint8_t)0xADU, (uint8_t)0x9AU, (uint8_t)0x95U, (uint8_t)0xF9U, + (uint8_t)0xD5U, (uint8_t)0xB8U, (uint8_t)0x01U, (uint8_t)0x94U, (uint8_t)0x88U, (uint8_t)0xD9U, + (uint8_t)0xC0U, (uint8_t)0xA0U, (uint8_t)0xA1U, (uint8_t)0xFEU, (uint8_t)0x30U, (uint8_t)0x75U, + (uint8_t)0xA5U, (uint8_t)0x77U, (uint8_t)0xE2U, (uint8_t)0x31U, (uint8_t)0x83U, (uint8_t)0xF8U, + (uint8_t)0x1DU, (uint8_t)0x4AU, (uint8_t)0x3FU, (uint8_t)0x2FU, (uint8_t)0xA4U, (uint8_t)0x57U, + (uint8_t)0x1EU, (uint8_t)0xFCU, (uint8_t)0x8CU, (uint8_t)0xE0U, (uint8_t)0xBAU, (uint8_t)0x8AU, + (uint8_t)0x4FU, (uint8_t)0xE8U, (uint8_t)0xB6U, (uint8_t)0x85U, (uint8_t)0x5DU, (uint8_t)0xFEU, + (uint8_t)0x72U, (uint8_t)0xB0U, (uint8_t)0xA6U, (uint8_t)0x6EU, (uint8_t)0xDEU, (uint8_t)0xD2U, + (uint8_t)0xFBU, (uint8_t)0xABU, (uint8_t)0xFBU, (uint8_t)0xE5U, 
(uint8_t)0x8AU, (uint8_t)0x30U, + (uint8_t)0xFAU, (uint8_t)0xFAU, (uint8_t)0xBEU, (uint8_t)0x1CU, (uint8_t)0x5DU, (uint8_t)0x71U, + (uint8_t)0xA8U, (uint8_t)0x7EU, (uint8_t)0x2FU, (uint8_t)0x74U, (uint8_t)0x1EU, (uint8_t)0xF8U, + (uint8_t)0xC1U, (uint8_t)0xFEU, (uint8_t)0x86U, (uint8_t)0xFEU, (uint8_t)0xA6U, (uint8_t)0xBBU, + (uint8_t)0xFDU, (uint8_t)0xE5U, (uint8_t)0x30U, (uint8_t)0x67U, (uint8_t)0x7FU, (uint8_t)0x0DU, + (uint8_t)0x97U, (uint8_t)0xD1U, (uint8_t)0x1DU, (uint8_t)0x49U, (uint8_t)0xF7U, (uint8_t)0xA8U, + (uint8_t)0x44U, (uint8_t)0x3DU, (uint8_t)0x08U, (uint8_t)0x22U, (uint8_t)0xE5U, (uint8_t)0x06U, + (uint8_t)0xA9U, (uint8_t)0xF4U, (uint8_t)0x61U, (uint8_t)0x4EU, (uint8_t)0x01U, (uint8_t)0x1EU, + (uint8_t)0x2AU, (uint8_t)0x94U, (uint8_t)0x83U, (uint8_t)0x8FU, (uint8_t)0xF8U, (uint8_t)0x8CU, + (uint8_t)0xD6U, (uint8_t)0x8CU, (uint8_t)0x8BU, (uint8_t)0xB7U, (uint8_t)0xC5U, (uint8_t)0xC6U, + (uint8_t)0x42U, (uint8_t)0x4CU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU + }; + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Impl_FFDHE_Constants_H_DEFINED +#endif diff --git a/include/c89/Hacl_IntTypes_Intrinsics.h b/include/c89/Hacl_IntTypes_Intrinsics.h new file mode 100644 index 00000000..362b4cfc --- /dev/null +++ b/include/c89/Hacl_IntTypes_Intrinsics.h 
@@ -0,0 +1,87 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_IntTypes_Intrinsics_H
+#define __Hacl_IntTypes_Intrinsics_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+static inline uint32_t
+Hacl_IntTypes_Intrinsics_add_carry_u32(uint32_t cin, uint32_t x, uint32_t y, uint32_t *r)
+{
+ uint64_t res = (uint64_t)x + (uint64_t)cin + (uint64_t)y;
+ uint32_t c = (uint32_t)(res >> (uint32_t)32U);
+ r[0U] = (uint32_t)res;
+ return c;
+}
+
+static inline uint32_t
+Hacl_IntTypes_Intrinsics_sub_borrow_u32(uint32_t cin, uint32_t x, uint32_t y, uint32_t *r)
+{
+ uint64_t res = (uint64_t)x - (uint64_t)y - (uint64_t)cin;
+ uint32_t c = (uint32_t)(res >> (uint32_t)32U) & (uint32_t)1U;
+ r[0U] = (uint32_t)res;
+ return c;
+}
+
+static inline uint64_t
+Hacl_IntTypes_Intrinsics_add_carry_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r)
+{
+ uint64_t res = x + cin + y;
+ uint64_t
+ c = (~FStar_UInt64_gte_mask(res, x) | (FStar_UInt64_eq_mask(res, x) & cin)) & (uint64_t)1U;
+ r[0U] = res;
+ return c;
+}
+
+static inline uint64_t
+Hacl_IntTypes_Intrinsics_sub_borrow_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r)
+{
+ uint64_t res = x - y - cin;
+ uint64_t
+ c =
+ ((FStar_UInt64_gte_mask(res, x) & ~FStar_UInt64_eq_mask(res, x))
+ | (FStar_UInt64_eq_mask(res, x) & cin))
+ & (uint64_t)1U;
+ r[0U] = res;
+ return c;
+}
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_IntTypes_Intrinsics_H_DEFINED
+#endif
diff --git a/include/c89/Hacl_IntTypes_Intrinsics_128.h b/include/c89/Hacl_IntTypes_Intrinsics_128.h
new file mode 100644
index 00000000..084dfe74
--- /dev/null
+++ b/include/c89/Hacl_IntTypes_Intrinsics_128.h
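Review bot: The bodies of `Hacl_IntTypes_Intrinsics_add_carry_u64` and `Hacl_IntTypes_Intrinsics_sub_borrow_u64` call `FStar_UInt64_gte_mask` and `FStar_UInt64_eq_mask`, yet unlike the `_128` header in the next hunk this file never includes `Hacl_Kremlib.h`, so it relies on whatever the includer pulled in earlier (presumably `lib_intrinsics.h` or the `kremlin/` headers) to have declared the masks; adding `#include "Hacl_Kremlib.h"` beside the other includes would make the header self-contained — confirm this matches how the generator lays out the other headers. The four helpers also deserve a comment saying why the carry comes from masks rather than a comparison, e.g. `/* Constant-time add-with-carry: low 64 bits go to *r; the returned carry (0 or 1) is built from masks so no branch depends on the operands. */` (the u32 variants obtain the same property by widening to 64 bits). The subtraction identity is subtle enough to spell out as well: the borrow is set when `res > x`, or when `res == x` and `cin` is set, which is exactly what `(gte & ~eq) | (eq & cin)` encodes.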
@@ -0,0 +1,75 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_IntTypes_Intrinsics_128_H
+#define __Hacl_IntTypes_Intrinsics_128_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Kremlib.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+static inline uint64_t
+Hacl_IntTypes_Intrinsics_128_add_carry_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r)
+{
+ FStar_UInt128_uint128
+ res =
+ FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_uint64_to_uint128(x),
+ FStar_UInt128_uint64_to_uint128(cin)),
+ FStar_UInt128_uint64_to_uint128(y));
+ uint64_t c = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U));
+ r[0U] = FStar_UInt128_uint128_to_uint64(res);
+ return c;
+}
+
+static inline uint64_t
+Hacl_IntTypes_Intrinsics_128_sub_borrow_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r)
+{
+ FStar_UInt128_uint128
+ res =
+ FStar_UInt128_sub_mod(FStar_UInt128_sub_mod(FStar_UInt128_uint64_to_uint128(x),
+ FStar_UInt128_uint64_to_uint128(y)),
+ FStar_UInt128_uint64_to_uint128(cin));
+ uint64_t
+ c =
+ FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U))
+ & (uint64_t)1U;
+ r[0U] = FStar_UInt128_uint128_to_uint64(res);
+ return c;
+}
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_IntTypes_Intrinsics_128_H_DEFINED
+#endif
diff --git a/include/c89/Hacl_Kremlib.h b/include/c89/Hacl_Kremlib.h
new file mode 100644
index 00000000..deef15ba
--- /dev/null
+++ b/include/c89/Hacl_Kremlib.h
@@ -0,0 +1,88 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Kremlib_H
+#define __Hacl_Kremlib_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+static inline uint32_t FStar_UInt32_eq_mask(uint32_t a, uint32_t b);
+
+static inline uint32_t FStar_UInt32_gte_mask(uint32_t a, uint32_t b);
+
+static inline uint8_t FStar_UInt8_eq_mask(uint8_t a, uint8_t b);
+
+static inline uint64_t FStar_UInt64_eq_mask(uint64_t a, uint64_t b);
+
+static inline uint64_t FStar_UInt64_gte_mask(uint64_t a, uint64_t b);
+
+static inline uint16_t FStar_UInt16_eq_mask(uint16_t a, uint16_t b);
+
+static inline FStar_UInt128_uint128
+FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
+
+static inline FStar_UInt128_uint128
+FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
+
+static inline FStar_UInt128_uint128
+FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
+
+static inline FStar_UInt128_uint128
+FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
+
+static inline FStar_UInt128_uint128
+FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s);
+
+static inline FStar_UInt128_uint128
+FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s);
+
+static inline FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a);
+
+static inline uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a);
+
+static inline FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y);
+
+static inline void store128_le(uint8_t *x0, FStar_UInt128_uint128 x1);
+
+static inline void store128_be(uint8_t *x0, FStar_UInt128_uint128 x1);
+
+static inline FStar_UInt128_uint128 load128_be(uint8_t *x0);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Kremlib_H_DEFINED
+#endif
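Review bot: Every declaration in this header is `static inline` with no body, so the file is a list of prototypes whose definitions must already be present in each translation unit that includes it (presumably supplied by the `kremlin/` headers included above — confirm); a translation unit that includes `Hacl_Kremlib.h` without those definitions fails on the first call, and unused static prototypes can also draw `-Wunused-function` noise from some compilers. A one-line comment above `FStar_UInt32_eq_mask` would save the next reader the search: `/* Prototypes only: the static inline bodies come from the kremlin/ runtime headers, which must be included first. */`. `load128_be` takes `uint8_t *x0` for a buffer it only reads; that is a generator choice, but worth noting in the comment since const callers have to cast it away.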
diff --git a/include/c89/Hacl_NaCl.h b/include/c89/Hacl_NaCl.h
new file mode 100644
index 00000000..425c7208
--- /dev/null
+++ b/include/c89/Hacl_NaCl.h
@@ -0,0 +1,162 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_NaCl_H
+#define __Hacl_NaCl_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Salsa20.h"
+#include "Hacl_Poly1305_32.h"
+#include "Hacl_Curve25519_51.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+uint32_t
+Hacl_NaCl_crypto_secretbox_detached(
+ uint8_t *c,
+ uint8_t *tag,
+ uint8_t *m,
+ uint32_t mlen,
+ uint8_t *n,
+ uint8_t *k
+);
+
+uint32_t
+Hacl_NaCl_crypto_secretbox_open_detached(
+ uint8_t *m,
+ uint8_t *c,
+ uint8_t *tag,
+ uint32_t mlen,
+ uint8_t *n,
+ uint8_t *k
+);
+
+uint32_t
+Hacl_NaCl_crypto_secretbox_easy(uint8_t *c, uint8_t *m, uint32_t mlen, uint8_t *n, uint8_t *k);
+
+uint32_t
+Hacl_NaCl_crypto_secretbox_open_easy(
+ uint8_t *m,
+ uint8_t *c,
+ uint32_t clen,
+ uint8_t *n,
+ uint8_t *k
+);
+
+uint32_t Hacl_NaCl_crypto_box_beforenm(uint8_t *k, uint8_t *pk, uint8_t *sk);
+
+uint32_t
+Hacl_NaCl_crypto_box_detached_afternm(
+ uint8_t *c,
+ uint8_t *tag,
+ uint8_t *m,
+ uint32_t mlen,
+ uint8_t *n,
+ uint8_t *k
+);
+
+uint32_t
+Hacl_NaCl_crypto_box_detached(
+ uint8_t *c,
+ uint8_t *tag,
+ uint8_t *m,
+ uint32_t mlen,
+ uint8_t *n,
+ uint8_t *pk,
+ uint8_t *sk
+);
+
+uint32_t
+Hacl_NaCl_crypto_box_open_detached_afternm(
+ uint8_t *m,
+ uint8_t *c,
+ uint8_t *tag,
+ uint32_t mlen,
+ uint8_t *n,
+ uint8_t *k
+);
+
+uint32_t
+Hacl_NaCl_crypto_box_open_detached(
+ uint8_t *m,
+ uint8_t *c,
+ uint8_t *tag,
+ uint32_t mlen,
+ uint8_t *n,
+ uint8_t *pk,
+ uint8_t *sk
+);
+
+uint32_t
+Hacl_NaCl_crypto_box_easy_afternm(
+ uint8_t *c,
+ uint8_t *m,
+ uint32_t mlen,
+ uint8_t *n,
+ uint8_t *k
+);
+
+uint32_t
+Hacl_NaCl_crypto_box_easy(
+ uint8_t *c,
+ uint8_t *m,
+ uint32_t mlen,
+ uint8_t *n,
+ uint8_t *pk,
+ uint8_t *sk
+);
+
+uint32_t
+Hacl_NaCl_crypto_box_open_easy_afternm(
+ uint8_t *m,
+ uint8_t *c,
+ uint32_t clen,
+ uint8_t *n,
+ uint8_t *k
+);
+
+uint32_t
+Hacl_NaCl_crypto_box_open_easy(
+ uint8_t *m,
+ uint8_t *c,
+ uint32_t clen,
+ uint8_t *n,
+ uint8_t *pk,
+ uint8_t *sk
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_NaCl_H_DEFINED
+#endif
diff --git a/include/c89/Hacl_P256.h b/include/c89/Hacl_P256.h
new file mode 100644
index 00000000..e7bd9f2c
--- /dev/null
+++ b/include/c89/Hacl_P256.h
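Review bot: None of the thirteen prototypes in this header documents its contract, unlike `Hacl_P256.h` later in this commit: the `uint32_t` returned by the `_open_*` functions is the authentication outcome, and the header never says which value means success, so a caller who tests `if (rc)` when the library means `rc == 0` (or the reverse) silently accepts forged ciphertext. A comment above `Hacl_NaCl_crypto_secretbox_detached` giving the success value, confirmed against the implementation, is the minimum; the fixed sizes of `n`, `k`, `pk`, `sk` and `tag`, whether `clen` for the `_open_easy` variants already includes the tag, and what `m` holds when an `_open_*` call fails are likewise invisible from the prototypes. The `Input:`/`Output:` blocks used in the P256 header are a ready template for all of these.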
@@ -0,0 +1,393 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_P256_H
+#define __Hacl_P256_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Spec.h"
+#include "Hacl_Kremlib.h"
+#include "Hacl_Hash_SHA2.h"
+#include "evercrypt_targetconfig.h"
+#include "lib_intrinsics.h"
+#include "libintvector.h"
+
+/*******************************************************************************
+
+ECDSA and ECDH functions over the P-256 NIST curve.
+
+This module implements signing and verification, key validation, conversions
+between various point representations, and ECDH key agreement.
+
+*******************************************************************************/
+
+/**************/
+/* Signatures */
+/**************/
+
+/*
+ Per the standard, a hash function *shall* be used. Therefore, we recommend
+ using one of the three combined hash-and-sign variants.
+*/
+
+/*
+Hash the message with SHA2-256, then sign the resulting digest with the P256 signature function.
+
+Input: result buffer: uint8[64],
+ m buffer: uint8 [mLen],
+ priv(ate)Key: uint8[32],
+ k (nonce): uint32[32].
+
+ Output: bool, where True stands for the correct signature generation. False value means that an error has occurred.
+
+ The private key and the nonce are expected to be more than 0 and less than the curve order.
+*/
+bool
+Hacl_P256_ecdsa_sign_p256_sha2(
+ uint8_t *result,
+ uint32_t mLen,
+ uint8_t *m,
+ uint8_t *privKey,
+ uint8_t *k
+);
+
+/*
+Hash the message with SHA2-384, then sign the resulting digest with the P256 signature function.
+
+Input: result buffer: uint8[64],
+ m buffer: uint8 [mLen],
+ priv(ate)Key: uint8[32],
+ k (nonce): uint32[32].
+
+ Output: bool, where True stands for the correct signature generation. False value means that an error has occurred.
+
+ The private key and the nonce are expected to be more than 0 and less than the curve order.
+*/
+bool
+Hacl_P256_ecdsa_sign_p256_sha384(
+ uint8_t *result,
+ uint32_t mLen,
+ uint8_t *m,
+ uint8_t *privKey,
+ uint8_t *k
+);
+
+/*
+Hash the message with SHA2-512, then sign the resulting digest with the P256 signature function.
+
+Input: result buffer: uint8[64],
+ m buffer: uint8 [mLen],
+ priv(ate)Key: uint8[32],
+ k (nonce): uint32[32].
+
+ Output: bool, where True stands for the correct signature generation. False value means that an error has occurred.
+
+ The private key and the nonce are expected to be more than 0 and less than the curve order.
+*/
+bool
+Hacl_P256_ecdsa_sign_p256_sha512(
+ uint8_t *result,
+ uint32_t mLen,
+ uint8_t *m,
+ uint8_t *privKey,
+ uint8_t *k
+);
+
+/*
+P256 signature WITHOUT hashing first.
+
+This function is intended to receive a hash of the input. For convenience, we
+recommend using one of the hash-and-sign combined functions above.
+
+The argument `m` MUST be at least 32 bytes (i.e. `mLen >= 32`).
+
+NOTE: The equivalent functions in OpenSSL and Fiat-Crypto both accept inputs
+smaller than 32 bytes. These libraries left-pad the input with enough zeroes to
+reach the minimum 32 byte size. Clients who need behavior identical to OpenSSL
+need to perform the left-padding themselves.
+
+Input: result buffer: uint8[64],
+ m buffer: uint8 [mLen],
+ priv(ate)Key: uint8[32],
+ k (nonce): uint32[32].
+
+ Output: bool, where True stands for the correct signature generation. False value means that an error has occurred.
+
+ The private key and the nonce are expected to be more than 0 and less than the curve order.
+
+ The message m is expected to be hashed by a strong hash function, the lenght of the message is expected to be 32 bytes and more.
+*/
+bool
+Hacl_P256_ecdsa_sign_p256_without_hash(
+ uint8_t *result,
+ uint32_t mLen,
+ uint8_t *m,
+ uint8_t *privKey,
+ uint8_t *k
+);
+
+
+/****************/
+/* Verification */
+/****************/
+
+/*
+ Verify a message signature. These functions internally validate the public key using validate_public_key.
+*/
+
+
+/*
+ The input of the function is considered to be public,
+ thus this code is not secret independent with respect to the operations done over the input.
+
+ Input: m buffer: uint8 [mLen],
+ pub(lic)Key: uint8[64],
+ r: uint8[32],
+ s: uint8[32].
+
+ Output: bool, where true stands for the correct signature verification.
+*/
+bool
+Hacl_P256_ecdsa_verif_p256_sha2(
+ uint32_t mLen,
+ uint8_t *m,
+ uint8_t *pubKey,
+ uint8_t *r,
+ uint8_t *s
+);
+
+/*
+ The input of the function is considered to be public,
+ thus this code is not secret independent with respect to the operations done over the input.
+
+ Input: m buffer: uint8 [mLen],
+ pub(lic)Key: uint8[64],
+ r: uint8[32],
+ s: uint8[32].
+
+ Output: bool, where true stands for the correct signature verification.
+*/
+bool
+Hacl_P256_ecdsa_verif_p256_sha384(
+ uint32_t mLen,
+ uint8_t *m,
+ uint8_t *pubKey,
+ uint8_t *r,
+ uint8_t *s
+);
+
+/*
+ The input of the function is considered to be public,
+ thus this code is not secret independent with respect to the operations done over the input.
+
+ Input: m buffer: uint8 [mLen],
+ pub(lic)Key: uint8[64],
+ r: uint8[32],
+ s: uint8[32].
+
+ Output: bool, where true stands for the correct signature verification.
+*/
+bool
+Hacl_P256_ecdsa_verif_p256_sha512(
+ uint32_t mLen,
+ uint8_t *m,
+ uint8_t *pubKey,
+ uint8_t *r,
+ uint8_t *s
+);
+
+/*
+ The input of the function is considered to be public,
+ thus this code is not secret independent with respect to the operations done over the input.
+
+ Input: m buffer: uint8 [mLen],
+ pub(lic)Key: uint8[64],
+ r: uint8[32],
+ s: uint8[32].
+
+ Output: bool, where true stands for the correct signature verification.
+
+ The message m is expected to be hashed by a strong hash function, the lenght of the message is expected to be 32 bytes and more.
+*/
+bool
+Hacl_P256_ecdsa_verif_without_hash(
+ uint32_t mLen,
+ uint8_t *m,
+ uint8_t *pubKey,
+ uint8_t *r,
+ uint8_t *s
+);
+
+
+/******************/
+/* Key validation */
+/******************/
+
+
+/*
+Validate a public key.
+
+
+ The input of the function is considered to be public,
+ thus this code is not secret independent with respect to the operations done over the input.
+
+ Input: pub(lic)Key: uint8[64].
+
+ Output: bool, where 0 stands for the public key to be correct with respect to SP 800-56A:
+ Verify that the public key is not the “point at infinity”, represented as O.
+ Verify that the affine x and y coordinates of the point represented by the public key are in the range [0, p – 1] where p is the prime defining the finite field.
+ Verify that y2 = x3 + ax + b where a and b are the coefficients of the curve equation.
+ Verify that nQ = O (the point at infinity), where n is the order of the curve and Q is the public key point.
+
+ The last extract is taken from : https://neilmadden.blog/2017/05/17/so-how-do-you-validate-nist-ecdh-public-keys/
+*/
+bool Hacl_P256_validate_public_key(uint8_t *pubKey);
+
+/*
+Validate a private key, e.g. prior to signing.
+
+Input: scalar: uint8[32].
+
+ Output: bool, where true stands for the scalar to be more than 0 and less than order.
+*/
+bool Hacl_P256_validate_private_key(uint8_t *x);
+
+
+/*****************************************/
+/* Point representations and conversions */
+/*****************************************/
+
+/*
+ Elliptic curve points have 2 32-byte coordinates (x, y) and can be represented in 3 ways:
+
+ - "raw" form (64 bytes): the concatenation of the 2 coordinates, also known as "internal"
+ - "compressed" form (33 bytes): first the sign byte of y (either 0x02 or 0x03), followed by x
+ - "uncompressed" form (65 bytes): first a constant byte (always 0x04), followed by the "raw" form
+
+ For all of the conversation functions below, the input and output MUST NOT overlap.
+*/
+
+
+/*
+Convert 65-byte uncompressed to raw.
+
+The function errors out if the first byte is incorrect, or if the resulting point is invalid.
+
+
+
+ Input: a point in not compressed form (uint8[65]),
+ result: uint8[64] (internal point representation).
+
+ Output: bool, where true stands for the correct decompression.
+
+*/
+bool Hacl_P256_uncompressed_to_raw(uint8_t *b, uint8_t *result);
+
+/*
+Convert 33-byte compressed to raw.
+
+The function errors out if the first byte is incorrect, or if the resulting point is invalid.
+
+Input: a point in compressed form (uint8[33]),
+ result: uint8[64] (internal point representation).
+
+ Output: bool, where true stands for the correct decompression.
+
+*/
+bool Hacl_P256_compressed_to_raw(uint8_t *b, uint8_t *result);
+
+/*
+Convert raw to 65-byte uncompressed.
+
+This function effectively prepends a 0x04 byte.
+
+Input: a point buffer (internal representation: uint8[64]),
+ result: a point in not compressed form (uint8[65]).
+*/
+void Hacl_P256_raw_to_uncompressed(uint8_t *b, uint8_t *result);
+
+/*
+Convert raw to 33-byte compressed.
+
+ Input: `b`, the pointer buffer in internal representation, of type `uint8[64]`
+ Output: `result`, a point in compressed form, of type `uint8[33]`
+
+*/
+void Hacl_P256_raw_to_compressed(uint8_t *b, uint8_t *result);
+
+
+/******************/
+/* ECDH agreement */
+/******************/
+
+/*
+Convert a private key into a raw public key.
+
+This function performs no key validation.
+
+ Input: `scalar`, the private key, of type `uint8[32]`.
+ Output: `result`, the public key, of type `uint8[64]`.
+ Returns:
+ - `true`, for success, meaning the public key is not a point at infinity
+ - `false`, otherwise.
+
+ `scalar` and `result` MUST NOT overlap.
+*/
+bool Hacl_P256_dh_initiator(uint8_t *result, uint8_t *scalar);
+
+/*
+ECDH key agreement.
+
+This function takes a 32-byte secret key, another party's 64-byte raw public
+key, and computeds the 64-byte ECDH shared key.
+
+This function ONLY validates the public key.
+
+ The pub(lic)_key input of the function is considered to be public,
+ thus this code is not secret independent with respect to the operations done over this variable.
+
+ Input: result: uint8[64],
+ pub(lic)Key: uint8[64],
+ scalar: uint8[32].
+
+ Output: bool, where True stands for the correct key generation.
False value means that an error has occurred (possibly the provided public key was incorrect or the result represents point at infinity).
+
+*/
+bool Hacl_P256_dh_responder(uint8_t *result, uint8_t *pubKey, uint8_t *scalar);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_P256_H_DEFINED
+#endif
diff --git a/include/c89/Hacl_Poly1305_128.h b/include/c89/Hacl_Poly1305_128.h
new file mode 100644
index 00000000..210e34b1
--- /dev/null
+++ b/include/c89/Hacl_Poly1305_128.h
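Review bot: The comment above `Hacl_P256_ecdsa_sign_p256_sha2` (and its `sha384`, `sha512` and `without_hash` siblings earlier in this hunk) only requires the nonce `k` to lie between 0 and the curve order; it should also state that `k` must be fresh, uniformly random (or derived deterministically per RFC 6979) and never reused across messages, because ECDSA exposes the private key through signatures made with a repeated or biased nonce, and this API leaves nonce generation entirely to the caller. The same blocks document `k (nonce): uint32[32]` although the parameter is `uint8_t *k` and `privKey` is given as `uint8[32]`; that should read `k (nonce): uint8[32]`. The comment on `Hacl_P256_validate_public_key` says `0 stands for the public key to be correct`, contradicting every other function here where `true` is success; confirm the boolean meaning against the implementation and state it as `true`/`false`, since a caller who inverts this check accepts invalid keys. Wording: `lenght` → `length`, `computeds` → `computes`, `conversation functions` → `conversion functions`.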
@@ -0,0 +1,70 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Poly1305_128_H
+#define __Hacl_Poly1305_128_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Kremlib.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+extern uint32_t Hacl_Poly1305_128_blocklen;
+
+typedef Lib_IntVector_Intrinsics_vec128 *Hacl_Poly1305_128_poly1305_ctx;
+
+void Hacl_Poly1305_128_poly1305_init(Lib_IntVector_Intrinsics_vec128 *ctx, uint8_t *key);
+
+void Hacl_Poly1305_128_poly1305_update1(Lib_IntVector_Intrinsics_vec128 *ctx, uint8_t *text);
+
+void
+Hacl_Poly1305_128_poly1305_update(
+ Lib_IntVector_Intrinsics_vec128 *ctx,
+ uint32_t len,
+ uint8_t *text
+);
+
+void
+Hacl_Poly1305_128_poly1305_finish(
+ uint8_t *tag,
+ uint8_t *key,
+ Lib_IntVector_Intrinsics_vec128 *ctx
+);
+
+void Hacl_Poly1305_128_poly1305_mac(uint8_t *tag, uint32_t len, uint8_t *text, uint8_t *key);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Poly1305_128_H_DEFINED
+#endif
diff --git a/include/c89/Hacl_Poly1305_256.h b/include/c89/Hacl_Poly1305_256.h
new file mode 100644
index 00000000..6d2c2a74
--- /dev/null
+++ b/include/c89/Hacl_Poly1305_256.h
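Review bot: The `key` passed to `Hacl_Poly1305_128_poly1305_init` and `Hacl_Poly1305_128_poly1305_mac` is a one-time key, and nothing in this header says so; Poly1305 loses its forgery resistance as soon as two messages are authenticated under the same key, so a comment above `Hacl_Poly1305_128_blocklen` such as `/* key: 32 bytes, MUST be used for a single message only; tag: 16 bytes */` is the minimum a caller needs (the `_256` and `_32` headers in the next two hunks need the same comment). For this header and the `_256` one, the `Lib_IntVector_Intrinsics_vec128`/`vec256` context type also means the functions compile to SIMD instructions; the header does not say that callers must confirm CPU support before calling, nor what alignment the `ctx` buffer needs — presumably the project's CPU-feature detection is the intended gate, but the contract belongs here. None of the pointer parameters is `const`, which the generator presumably cannot change, so the comment should at least say which of `text`, `key` and `ctx` are read-only.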
@@ -0,0 +1,70 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Poly1305_256_H
+#define __Hacl_Poly1305_256_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Kremlib.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+extern uint32_t Hacl_Poly1305_256_blocklen;
+
+typedef Lib_IntVector_Intrinsics_vec256 *Hacl_Poly1305_256_poly1305_ctx;
+
+void Hacl_Poly1305_256_poly1305_init(Lib_IntVector_Intrinsics_vec256 *ctx, uint8_t *key);
+
+void Hacl_Poly1305_256_poly1305_update1(Lib_IntVector_Intrinsics_vec256 *ctx, uint8_t *text);
+
+void
+Hacl_Poly1305_256_poly1305_update(
+ Lib_IntVector_Intrinsics_vec256 *ctx,
+ uint32_t len,
+ uint8_t *text
+);
+
+void
+Hacl_Poly1305_256_poly1305_finish(
+ uint8_t *tag,
+ uint8_t *key,
+ Lib_IntVector_Intrinsics_vec256 *ctx
+);
+
+void Hacl_Poly1305_256_poly1305_mac(uint8_t *tag, uint32_t len, uint8_t *text, uint8_t *key);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Poly1305_256_H_DEFINED
+#endif
diff --git a/include/c89/Hacl_Poly1305_32.h b/include/c89/Hacl_Poly1305_32.h
new file mode 100644
index 00000000..093160e2
--- /dev/null
+++ b/include/c89/Hacl_Poly1305_32.h
@@ -0,0 +1,60 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR CO PYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Poly1305_32_H
+#define __Hacl_Poly1305_32_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Kremlib.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+extern uint32_t Hacl_Poly1305_32_blocklen;
+
+typedef uint64_t *Hacl_Poly1305_32_poly1305_ctx;
+
+void Hacl_Poly1305_32_poly1305_init(uint64_t *ctx, uint8_t *key);
+
+void Hacl_Poly1305_32_poly1305_update1(uint64_t *ctx, uint8_t *text);
+
+void Hacl_Poly1305_32_poly1305_update(uint64_t *ctx, uint32_t len, uint8_t *text);
+
+void Hacl_Poly1305_32_poly1305_finish(uint8_t *tag, uint8_t *key, uint64_t *ctx);
+
+void Hacl_Poly1305_32_poly1305_mac(uint8_t *tag, uint32_t len, uint8_t *text, uint8_t *key);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Poly1305_32_H_DEFINED
+#endif
diff --git a/include/c89/Hacl_RSAPSS.h b/include/c89/Hacl_RSAPSS.h
new file mode 100644
index 00000000..1e7f4c5d
--- /dev/null
+++ b/include/c89/Hacl_RSAPSS.h
@@ -0,0 +1,117 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_RSAPSS_H +#define __Hacl_RSAPSS_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Spec.h" +#include "Hacl_Hash_SHA2.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +bool +Hacl_RSAPSS_rsapss_sign( + Spec_Hash_Definitions_hash_alg a, + uint32_t modBits, + uint32_t eBits, + uint32_t dBits, + uint64_t *skey, + uint32_t saltLen, + uint8_t *salt, + uint32_t msgLen, + uint8_t *msg, + uint8_t *sgnt +); + +bool +Hacl_RSAPSS_rsapss_verify( + Spec_Hash_Definitions_hash_alg a, + uint32_t modBits, + uint32_t eBits, + uint64_t *pkey, + uint32_t saltLen, + uint32_t sgntLen, + uint8_t *sgnt, + uint32_t msgLen, + uint8_t *msg +); + +uint64_t +*Hacl_RSAPSS_new_rsapss_load_pkey(uint32_t modBits, uint32_t eBits, uint8_t *nb, uint8_t *eb); + +uint64_t +*Hacl_RSAPSS_new_rsapss_load_skey( + uint32_t modBits, + uint32_t eBits, + uint32_t dBits, + uint8_t *nb, + uint8_t *eb, + uint8_t *db +); + +bool +Hacl_RSAPSS_rsapss_skey_sign( + Spec_Hash_Definitions_hash_alg a, + uint32_t modBits, + uint32_t eBits, + uint32_t dBits, + uint8_t *nb, + uint8_t *eb, + uint8_t *db, + uint32_t saltLen, + uint8_t *salt, + uint32_t msgLen, + uint8_t *msg, + uint8_t *sgnt +); + +bool +Hacl_RSAPSS_rsapss_pkey_verify( + Spec_Hash_Definitions_hash_alg a, + uint32_t modBits, + uint32_t eBits, + uint8_t *nb, + uint8_t *eb, + uint32_t saltLen, + uint32_t sgntLen, + uint8_t *sgnt, + uint32_t msgLen, + uint8_t *msg +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_RSAPSS_H_DEFINED +#endif diff --git a/include/c89/Hacl_SHA2_Generic.h b/include/c89/Hacl_SHA2_Generic.h new file mode 100644 index 00000000..d29978fe --- /dev/null +++ b/include/c89/Hacl_SHA2_Generic.h 
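Review bot: `Hacl_RSAPSS_new_rsapss_load_pkey` and `Hacl_RSAPSS_new_rsapss_load_skey` return a freshly allocated `uint64_t *`, but the header documents neither who frees it, nor whether NULL is returned on rejected parameters or allocation failure, nor how many bytes `nb`/`eb`/`db` must contain relative to `modBits`/`eBits`/`dBits`; a comment on each declaration stating the expected byte lengths, the failure value and the release function — and that the skey buffer holds private-key material, so callers should zeroize it (the Lib_Memzero0 helper that Hacl_SHA3.h includes is the in-tree tool for that) before freeing — would close the gap. The `bool` returned by `rsapss_sign`/`rsapss_verify` is likewise unexplained: a reader cannot tell whether `false` means "parameters rejected" or "signature invalid", and nothing says which of the eight `Spec_Hash_Definitions_hash_alg` values from Hacl_Spec.h (MD5 and SHA1 included) these functions accept — presumably only the SHA2 variants, which the header should state. The `sgnt` output of `rsapss_sign` also needs its required size spelled out, as `sgntLen` is only a parameter on the verify side.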
@@ -0,0 +1,135 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_SHA2_Generic_H +#define __Hacl_SHA2_Generic_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +static const +uint32_t +Hacl_Impl_SHA2_Generic_h224[8U] = + { + (uint32_t)0xc1059ed8U, (uint32_t)0x367cd507U, (uint32_t)0x3070dd17U, (uint32_t)0xf70e5939U, + (uint32_t)0xffc00b31U, (uint32_t)0x68581511U, (uint32_t)0x64f98fa7U, (uint32_t)0xbefa4fa4U + }; + +static const +uint32_t +Hacl_Impl_SHA2_Generic_h256[8U] = + { + (uint32_t)0x6a09e667U, (uint32_t)0xbb67ae85U, (uint32_t)0x3c6ef372U, (uint32_t)0xa54ff53aU, + (uint32_t)0x510e527fU, (uint32_t)0x9b05688cU, (uint32_t)0x1f83d9abU, (uint32_t)0x5be0cd19U + }; + +static const +uint64_t +Hacl_Impl_SHA2_Generic_h384[8U] = + { + (uint64_t)0xcbbb9d5dc1059ed8U, (uint64_t)0x629a292a367cd507U, (uint64_t)0x9159015a3070dd17U, + (uint64_t)0x152fecd8f70e5939U, (uint64_t)0x67332667ffc00b31U, (uint64_t)0x8eb44a8768581511U, + (uint64_t)0xdb0c2e0d64f98fa7U, (uint64_t)0x47b5481dbefa4fa4U + }; + +static const +uint64_t +Hacl_Impl_SHA2_Generic_h512[8U] = + { + (uint64_t)0x6a09e667f3bcc908U, (uint64_t)0xbb67ae8584caa73bU, (uint64_t)0x3c6ef372fe94f82bU, + (uint64_t)0xa54ff53a5f1d36f1U, (uint64_t)0x510e527fade682d1U, (uint64_t)0x9b05688c2b3e6c1fU, + (uint64_t)0x1f83d9abfb41bd6bU, (uint64_t)0x5be0cd19137e2179U + }; + +static const +uint32_t +Hacl_Impl_SHA2_Generic_k224_256[64U] = + { + (uint32_t)0x428a2f98U, (uint32_t)0x71374491U, (uint32_t)0xb5c0fbcfU, (uint32_t)0xe9b5dba5U, + (uint32_t)0x3956c25bU, (uint32_t)0x59f111f1U, (uint32_t)0x923f82a4U, (uint32_t)0xab1c5ed5U, + (uint32_t)0xd807aa98U, (uint32_t)0x12835b01U, (uint32_t)0x243185beU, (uint32_t)0x550c7dc3U, + (uint32_t)0x72be5d74U, (uint32_t)0x80deb1feU, (uint32_t)0x9bdc06a7U, (uint32_t)0xc19bf174U, + (uint32_t)0xe49b69c1U, (uint32_t)0xefbe4786U, (uint32_t)0x0fc19dc6U, 
(uint32_t)0x240ca1ccU, + (uint32_t)0x2de92c6fU, (uint32_t)0x4a7484aaU, (uint32_t)0x5cb0a9dcU, (uint32_t)0x76f988daU, + (uint32_t)0x983e5152U, (uint32_t)0xa831c66dU, (uint32_t)0xb00327c8U, (uint32_t)0xbf597fc7U, + (uint32_t)0xc6e00bf3U, (uint32_t)0xd5a79147U, (uint32_t)0x06ca6351U, (uint32_t)0x14292967U, + (uint32_t)0x27b70a85U, (uint32_t)0x2e1b2138U, (uint32_t)0x4d2c6dfcU, (uint32_t)0x53380d13U, + (uint32_t)0x650a7354U, (uint32_t)0x766a0abbU, (uint32_t)0x81c2c92eU, (uint32_t)0x92722c85U, + (uint32_t)0xa2bfe8a1U, (uint32_t)0xa81a664bU, (uint32_t)0xc24b8b70U, (uint32_t)0xc76c51a3U, + (uint32_t)0xd192e819U, (uint32_t)0xd6990624U, (uint32_t)0xf40e3585U, (uint32_t)0x106aa070U, + (uint32_t)0x19a4c116U, (uint32_t)0x1e376c08U, (uint32_t)0x2748774cU, (uint32_t)0x34b0bcb5U, + (uint32_t)0x391c0cb3U, (uint32_t)0x4ed8aa4aU, (uint32_t)0x5b9cca4fU, (uint32_t)0x682e6ff3U, + (uint32_t)0x748f82eeU, (uint32_t)0x78a5636fU, (uint32_t)0x84c87814U, (uint32_t)0x8cc70208U, + (uint32_t)0x90befffaU, (uint32_t)0xa4506cebU, (uint32_t)0xbef9a3f7U, (uint32_t)0xc67178f2U + }; + +static const +uint64_t +Hacl_Impl_SHA2_Generic_k384_512[80U] = + { + (uint64_t)0x428a2f98d728ae22U, (uint64_t)0x7137449123ef65cdU, (uint64_t)0xb5c0fbcfec4d3b2fU, + (uint64_t)0xe9b5dba58189dbbcU, (uint64_t)0x3956c25bf348b538U, (uint64_t)0x59f111f1b605d019U, + (uint64_t)0x923f82a4af194f9bU, (uint64_t)0xab1c5ed5da6d8118U, (uint64_t)0xd807aa98a3030242U, + (uint64_t)0x12835b0145706fbeU, (uint64_t)0x243185be4ee4b28cU, (uint64_t)0x550c7dc3d5ffb4e2U, + (uint64_t)0x72be5d74f27b896fU, (uint64_t)0x80deb1fe3b1696b1U, (uint64_t)0x9bdc06a725c71235U, + (uint64_t)0xc19bf174cf692694U, (uint64_t)0xe49b69c19ef14ad2U, (uint64_t)0xefbe4786384f25e3U, + (uint64_t)0x0fc19dc68b8cd5b5U, (uint64_t)0x240ca1cc77ac9c65U, (uint64_t)0x2de92c6f592b0275U, + (uint64_t)0x4a7484aa6ea6e483U, (uint64_t)0x5cb0a9dcbd41fbd4U, (uint64_t)0x76f988da831153b5U, + (uint64_t)0x983e5152ee66dfabU, (uint64_t)0xa831c66d2db43210U, (uint64_t)0xb00327c898fb213fU, + 
(uint64_t)0xbf597fc7beef0ee4U, (uint64_t)0xc6e00bf33da88fc2U, (uint64_t)0xd5a79147930aa725U, + (uint64_t)0x06ca6351e003826fU, (uint64_t)0x142929670a0e6e70U, (uint64_t)0x27b70a8546d22ffcU, + (uint64_t)0x2e1b21385c26c926U, (uint64_t)0x4d2c6dfc5ac42aedU, (uint64_t)0x53380d139d95b3dfU, + (uint64_t)0x650a73548baf63deU, (uint64_t)0x766a0abb3c77b2a8U, (uint64_t)0x81c2c92e47edaee6U, + (uint64_t)0x92722c851482353bU, (uint64_t)0xa2bfe8a14cf10364U, (uint64_t)0xa81a664bbc423001U, + (uint64_t)0xc24b8b70d0f89791U, (uint64_t)0xc76c51a30654be30U, (uint64_t)0xd192e819d6ef5218U, + (uint64_t)0xd69906245565a910U, (uint64_t)0xf40e35855771202aU, (uint64_t)0x106aa07032bbd1b8U, + (uint64_t)0x19a4c116b8d2d0c8U, (uint64_t)0x1e376c085141ab53U, (uint64_t)0x2748774cdf8eeb99U, + (uint64_t)0x34b0bcb5e19b48a8U, (uint64_t)0x391c0cb3c5c95a63U, (uint64_t)0x4ed8aa4ae3418acbU, + (uint64_t)0x5b9cca4f7763e373U, (uint64_t)0x682e6ff3d6b2b8a3U, (uint64_t)0x748f82ee5defb2fcU, + (uint64_t)0x78a5636f43172f60U, (uint64_t)0x84c87814a1f0ab72U, (uint64_t)0x8cc702081a6439ecU, + (uint64_t)0x90befffa23631e28U, (uint64_t)0xa4506cebde82bde9U, (uint64_t)0xbef9a3f7b2c67915U, + (uint64_t)0xc67178f2e372532bU, (uint64_t)0xca273eceea26619cU, (uint64_t)0xd186b8c721c0c207U, + (uint64_t)0xeada7dd6cde0eb1eU, (uint64_t)0xf57d4f7fee6ed178U, (uint64_t)0x06f067aa72176fbaU, + (uint64_t)0x0a637dc5a2c898a6U, (uint64_t)0x113f9804bef90daeU, (uint64_t)0x1b710b35131c471bU, + (uint64_t)0x28db77f523047d84U, (uint64_t)0x32caab7b40c72493U, (uint64_t)0x3c9ebe0a15c9bebcU, + (uint64_t)0x431d67c49c100d4cU, (uint64_t)0x4cc5d4becb3e42b6U, (uint64_t)0x597f299cfc657e2aU, + (uint64_t)0x5fcb6fab3ad6faecU, (uint64_t)0x6c44198c4a475817U + }; + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_SHA2_Generic_H_DEFINED +#endif diff --git a/include/c89/Hacl_SHA2_Scalar32.h b/include/c89/Hacl_SHA2_Scalar32.h new file mode 100644 index 00000000..56a407b6 --- /dev/null +++ b/include/c89/Hacl_SHA2_Scalar32.h 
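Review bot: The six lookup tables in this header (`Hacl_Impl_SHA2_Generic_h224` through `Hacl_Impl_SHA2_Generic_k384_512`) are defined `static const` in a header, so every translation unit that includes it — Hacl_SHA2_Scalar32.h, Hacl_SHA2_Vec128.h and Hacl_SHA2_Vec256.h on this page all do — gets its own private copy of roughly 1.1 KB of constants and an unused-const-variable warning when it uses none of them. Hacl_SHA3.h in the same directory takes the other approach, `extern const uint32_t Hacl_Impl_SHA3_keccak_rotc[24U];` with the definitions in one source file; declaring these as `extern const uint32_t Hacl_Impl_SHA2_Generic_h224[8U];` etc. and defining them once would be consistent with it. If the generator emits them inline so the compiler can fold them into the vectorized code, a one-line comment saying so would stop the next reviewer from asking.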
@@ -0,0 +1,55 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_SHA2_Scalar32_H +#define __Hacl_SHA2_Scalar32_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_SHA2_Generic.h" +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void Hacl_SHA2_Scalar32_sha224(uint8_t *dst, uint32_t input_len, uint8_t *input); + +void Hacl_SHA2_Scalar32_sha256(uint8_t *dst, uint32_t input_len, uint8_t *input); + +void Hacl_SHA2_Scalar32_sha384(uint8_t *dst, uint32_t input_len, uint8_t *input); + +void Hacl_SHA2_Scalar32_sha512(uint8_t *dst, uint32_t input_len, uint8_t *input); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_SHA2_Scalar32_H_DEFINED +#endif 
diff --git a/include/c89/Hacl_SHA2_Vec128.h b/include/c89/Hacl_SHA2_Vec128.h new file mode 100644 index 00000000..0f07e448 --- /dev/null +++ b/include/c89/Hacl_SHA2_Vec128.h 
@@ -0,0 +1,73 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_SHA2_Vec128_H +#define __Hacl_SHA2_Vec128_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_SHA2_Generic.h" +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_SHA2_Vec128_sha224_4( + uint8_t *dst0, + uint8_t *dst1, + uint8_t *dst2, + uint8_t *dst3, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3 +); + +void +Hacl_SHA2_Vec128_sha256_4( + uint8_t *dst0, + uint8_t *dst1, + uint8_t *dst2, + uint8_t *dst3, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3 +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_SHA2_Vec128_H_DEFINED +#endif diff --git a/include/c89/Hacl_SHA2_Vec256.h b/include/c89/Hacl_SHA2_Vec256.h new file mode 100644 index 00000000..a2ba3c56 --- /dev/null +++ b/include/c89/Hacl_SHA2_Vec256.h 
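Review bot: `Hacl_SHA2_Vec128_sha224_4` and `Hacl_SHA2_Vec128_sha256_4` take four inputs but a single `uint32_t input_len`, so all four messages presumably have to be exactly `input_len` bytes, and nothing in the header says so or what size the four `dst` buffers must have; a comment such as `/* Hashes four equal-length inputs in parallel: each input_i must be input_len bytes, each dst_i receives one digest */` on both declarations would remove the ambiguity (confirm the equal-length requirement against the implementation). The same applies to `sha224_8`/`sha256_8`/`sha384_4`/`sha512_4` in Hacl_SHA2_Vec256.h below. For the length limit it also applies to the four functions in Hacl_SHA2_Scalar32.h above: `input_len` is `uint32_t`, so inputs of 4 GiB or more cannot be hashed through this API, which is worth stating where the caller will look.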
@@ -0,0 +1,115 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_SHA2_Vec256_H +#define __Hacl_SHA2_Vec256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_SHA2_Generic.h" +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_SHA2_Vec256_sha224_8( + uint8_t *dst0, + uint8_t *dst1, + uint8_t *dst2, + uint8_t *dst3, + uint8_t *dst4, + uint8_t *dst5, + uint8_t *dst6, + uint8_t *dst7, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3, + uint8_t *input4, + uint8_t *input5, + uint8_t *input6, + uint8_t *input7 +); + +void +Hacl_SHA2_Vec256_sha256_8( + uint8_t *dst0, + uint8_t *dst1, + uint8_t *dst2, + uint8_t *dst3, + uint8_t *dst4, + uint8_t *dst5, + uint8_t *dst6, + uint8_t *dst7, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3, + uint8_t *input4, + uint8_t *input5, + uint8_t *input6, + uint8_t *input7 +); + +void +Hacl_SHA2_Vec256_sha384_4( + uint8_t *dst0, + uint8_t *dst1, + uint8_t *dst2, + uint8_t *dst3, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3 +); + +void +Hacl_SHA2_Vec256_sha512_4( + uint8_t *dst0, + uint8_t *dst1, + uint8_t *dst2, + uint8_t *dst3, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3 +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_SHA2_Vec256_H_DEFINED +#endif diff --git a/include/c89/Hacl_SHA3.h b/include/c89/Hacl_SHA3.h new file mode 100644 index 00000000..1d40bad9 --- /dev/null +++ b/include/c89/Hacl_SHA3.h 
@@ -0,0 +1,113 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_SHA3_H +#define __Hacl_SHA3_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Lib_Memzero0.h" +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +extern const uint32_t Hacl_Impl_SHA3_keccak_rotc[24U]; + +extern const uint32_t Hacl_Impl_SHA3_keccak_piln[24U]; + +extern const uint64_t Hacl_Impl_SHA3_keccak_rndc[24U]; + +uint64_t Hacl_Impl_SHA3_rotl(uint64_t a, uint32_t b); + +void Hacl_Impl_SHA3_state_permute(uint64_t *s); + +void Hacl_Impl_SHA3_loadState(uint32_t rateInBytes, uint8_t *input, uint64_t *s); + +void Hacl_Impl_SHA3_storeState(uint32_t rateInBytes, uint64_t *s, uint8_t *res); + +void +Hacl_Impl_SHA3_absorb( + uint64_t *s, + uint32_t rateInBytes, + uint32_t inputByteLen, + uint8_t *input, + uint8_t delimitedSuffix +); + +void +Hacl_Impl_SHA3_squeeze( + uint64_t *s, + uint32_t rateInBytes, + uint32_t outputByteLen, + uint8_t *output +); + +void +Hacl_Impl_SHA3_keccak( + uint32_t rate, + uint32_t capacity, + uint32_t inputByteLen, + uint8_t *input, + uint8_t delimitedSuffix, + uint32_t outputByteLen, + uint8_t *output +); + +void +Hacl_SHA3_shake128_hacl( + uint32_t inputByteLen, + uint8_t *input, + uint32_t outputByteLen, + uint8_t *output +); + +void +Hacl_SHA3_shake256_hacl( + uint32_t inputByteLen, + uint8_t *input, + uint32_t outputByteLen, + uint8_t *output +); + +void Hacl_SHA3_sha3_224(uint32_t inputByteLen, uint8_t *input, uint8_t *output); + +void Hacl_SHA3_sha3_256(uint32_t inputByteLen, uint8_t *input, uint8_t *output); + +void Hacl_SHA3_sha3_384(uint32_t inputByteLen, uint8_t *input, uint8_t *output); + +void Hacl_SHA3_sha3_512(uint32_t inputByteLen, uint8_t *input, uint8_t *output); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_SHA3_H_DEFINED +#endif 
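Review bot: The public header mixes the user-facing `Hacl_SHA3_sha3_*`/`Hacl_SHA3_shake*_hacl` functions with the implementation layer — `Hacl_Impl_SHA3_rotl`, `_state_permute`, `_loadState`, `_storeState`, `_absorb`, `_squeeze`, `_keccak` and the three `Hacl_Impl_SHA3_keccak_*` round tables — and nothing marks the latter as internal, so callers may build on a raw sponge API whose `rate`/`capacity`/`delimitedSuffix` consistency the header makes no promise to check. Either move the `Hacl_Impl_SHA3_*` declarations to an internal header or precede them with `/* Internal building blocks exposed for the implementation; prefer the Hacl_SHA3_* functions below. */`. The `uint64_t *s` state passed to `state_permute`/`loadState`/`storeState`/`absorb`/`squeeze` also has no documented size, and `rateInBytes` is never related to it; the required word count belongs in that comment as well.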
diff --git a/include/c89/Hacl_Salsa20.h b/include/c89/Hacl_Salsa20.h new file mode 100644 index 00000000..480eb900 --- /dev/null +++ b/include/c89/Hacl_Salsa20.h 
@@ -0,0 +1,70 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Salsa20_H +#define __Hacl_Salsa20_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Salsa20_salsa20_encrypt( + uint32_t len, + uint8_t *out, + uint8_t *text, + uint8_t *key, + uint8_t *n, + uint32_t ctr +); + +void +Hacl_Salsa20_salsa20_decrypt( + uint32_t len, + uint8_t *out, + uint8_t *cipher, + uint8_t *key, + uint8_t *n, + uint32_t ctr +); + +void Hacl_Salsa20_salsa20_key_block0(uint8_t *out, uint8_t *key, uint8_t *n); + +void Hacl_Salsa20_hsalsa20(uint8_t *out, uint8_t *key, uint8_t *n); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Salsa20_H_DEFINED +#endif diff --git a/include/c89/Hacl_Spec.h b/include/c89/Hacl_Spec.h new file mode 100644 index 00000000..2c6693c6 --- /dev/null +++ b/include/c89/Hacl_Spec.h 
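Review bot: The Salsa20 declarations say nothing about buffer sizes or aliasing: `key` and `n` have no documented length, `ctr` is not explained (presumably the initial block counter, and what happens if `len` blocks wrap it is unstated), and it is not said whether `out` may alias `text`/`cipher` for in-place use. A comment such as `/* key: <KEY_LEN> bytes, n: <NONCE_LEN> bytes, ctr: initial block counter; out may/may not overlap text */` on `salsa20_encrypt`/`salsa20_decrypt`, with the placeholders filled in from the implementation, and an `out` size on `salsa20_key_block0` and `hsalsa20`, would cover it. Because `ctr` is caller-supplied, a note that the (key, n, ctr) range must never be reused across messages is the one caveat a user of this header most needs to see here.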
@@ -0,0 +1,97 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Spec_H +#define __Hacl_Spec_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +#define Spec_Blake2_Blake2S 0 +#define Spec_Blake2_Blake2B 1 + +typedef uint8_t Spec_Blake2_alg; + +#define Spec_Hash_Definitions_SHA2_224 0 +#define Spec_Hash_Definitions_SHA2_256 1 +#define Spec_Hash_Definitions_SHA2_384 2 +#define Spec_Hash_Definitions_SHA2_512 3 +#define Spec_Hash_Definitions_SHA1 4 +#define Spec_Hash_Definitions_MD5 5 +#define Spec_Hash_Definitions_Blake2S 6 +#define Spec_Hash_Definitions_Blake2B 7 + +typedef uint8_t Spec_Hash_Definitions_hash_alg; + +#define Spec_FFDHE_FFDHE2048 0 +#define Spec_FFDHE_FFDHE3072 1 +#define Spec_FFDHE_FFDHE4096 2 +#define Spec_FFDHE_FFDHE6144 3 +#define Spec_FFDHE_FFDHE8192 4 + +typedef uint8_t Spec_FFDHE_ffdhe_alg; + +#define Spec_Agile_Cipher_AES128 0 +#define Spec_Agile_Cipher_AES256 1 +#define Spec_Agile_Cipher_CHACHA20 2 + +typedef uint8_t Spec_Agile_Cipher_cipher_alg; + +#define Spec_Cipher_Expansion_Hacl_CHACHA20 0 +#define Spec_Cipher_Expansion_Vale_AES128 1 +#define Spec_Cipher_Expansion_Vale_AES256 2 + +typedef uint8_t Spec_Cipher_Expansion_impl; + +#define Spec_Agile_AEAD_AES128_GCM 0 +#define Spec_Agile_AEAD_AES256_GCM 1 +#define Spec_Agile_AEAD_CHACHA20_POLY1305 2 +#define Spec_Agile_AEAD_AES128_CCM 3 +#define Spec_Agile_AEAD_AES256_CCM 4 +#define Spec_Agile_AEAD_AES128_CCM8 5 +#define Spec_Agile_AEAD_AES256_CCM8 6 + +typedef uint8_t Spec_Agile_AEAD_alg; + +#define Spec_Frodo_Params_SHAKE128 0 +#define Spec_Frodo_Params_AES128 1 + +typedef uint8_t Spec_Frodo_Params_frodo_gen_a; + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Spec_H_DEFINED +#endif diff --git a/include/c89/Hacl_Streaming_Blake2.h b/include/c89/Hacl_Streaming_Blake2.h new file mode 100644 index 00000000..c64b8545 --- /dev/null 
+++ b/include/c89/Hacl_Streaming_Blake2.h 
@@ -0,0 +1,149 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Streaming_Blake2_H +#define __Hacl_Streaming_Blake2_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Spec.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Hash_Blake2.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_alg a, Hacl_Impl_Blake2_Core_m_spec m); + +typedef struct Hacl_Streaming_Blake2_blake2s_32_block_state_s +{ + uint32_t *fst; + uint32_t *snd; +} +Hacl_Streaming_Blake2_blake2s_32_block_state; + +typedef struct Hacl_Streaming_Blake2_blake2s_32_state_s +{ + Hacl_Streaming_Blake2_blake2s_32_block_state block_state; + uint8_t *buf; + uint64_t total_len; +} +Hacl_Streaming_Blake2_blake2s_32_state; + +/* + State allocation function when there is no key +*/ +Hacl_Streaming_Blake2_blake2s_32_state *Hacl_Streaming_Blake2_blake2s_32_no_key_create_in(); + +/* + (Re-)initialization function when there is no key +*/ +void Hacl_Streaming_Blake2_blake2s_32_no_key_init(Hacl_Streaming_Blake2_blake2s_32_state *s1); + +/* + Update function when there is no key +*/ +void +Hacl_Streaming_Blake2_blake2s_32_no_key_update( + Hacl_Streaming_Blake2_blake2s_32_state *p, + uint8_t *data, + uint32_t len +); + +/* + Finish function when there is no key +*/ +void +Hacl_Streaming_Blake2_blake2s_32_no_key_finish( + Hacl_Streaming_Blake2_blake2s_32_state *p, + uint8_t *dst +); + +/* + Free state function when there is no key +*/ +void Hacl_Streaming_Blake2_blake2s_32_no_key_free(Hacl_Streaming_Blake2_blake2s_32_state *s1); + +typedef struct Hacl_Streaming_Blake2_blake2b_32_block_state_s +{ + uint64_t *fst; + uint64_t *snd; +} +Hacl_Streaming_Blake2_blake2b_32_block_state; + +typedef struct Hacl_Streaming_Blake2_blake2b_32_state_s +{ + Hacl_Streaming_Blake2_blake2b_32_block_state block_state; + uint8_t *buf; + uint64_t total_len; +} 
+Hacl_Streaming_Blake2_blake2b_32_state; + +/* + State allocation function when there is no key +*/ +Hacl_Streaming_Blake2_blake2b_32_state *Hacl_Streaming_Blake2_blake2b_32_no_key_create_in(); + +/* + (Re)-initialization function when there is no key +*/ +void Hacl_Streaming_Blake2_blake2b_32_no_key_init(Hacl_Streaming_Blake2_blake2b_32_state *s1); + +/* + Update function when there is no key +*/ +void +Hacl_Streaming_Blake2_blake2b_32_no_key_update( + Hacl_Streaming_Blake2_blake2b_32_state *p, + uint8_t *data, + uint32_t len +); + +/* + Finish function when there is no key +*/ +void +Hacl_Streaming_Blake2_blake2b_32_no_key_finish( + Hacl_Streaming_Blake2_blake2b_32_state *p, + uint8_t *dst +); + +/* + Free state function when there is no key +*/ +void Hacl_Streaming_Blake2_blake2b_32_no_key_free(Hacl_Streaming_Blake2_blake2b_32_state *s1); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Streaming_Blake2_H_DEFINED +#endif diff --git a/include/c89/Hacl_Streaming_Blake2b_256.h b/include/c89/Hacl_Streaming_Blake2b_256.h new file mode 100644 index 00000000..6d6e8c3a --- /dev/null +++ b/include/c89/Hacl_Streaming_Blake2b_256.h 
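Review bot: `Hacl_Streaming_Blake2_blake2s_32_no_key_create_in();` and `Hacl_Streaming_Blake2_blake2b_32_no_key_create_in();` are declared with empty parentheses, which in C before C23 declares a function with unspecified parameters rather than none, so a call that passes arguments compiles silently; in a header living under `include/c89/` these should read `Hacl_Streaming_Blake2_blake2s_32_state *Hacl_Streaming_Blake2_blake2s_32_no_key_create_in(void);`. The same `()` appears on the `_no_key_create_in` declarations in Hacl_Streaming_Blake2b_256.h and Hacl_Streaming_Blake2s_128.h below. The "State allocation function when there is no key" comments also leave out whether NULL is returned on allocation failure, that the result must be released with the matching `_no_key_free`, and whether `_no_key_free` zeroizes the hash state before freeing it — all three are what a caller of a streaming hash needs to know. Parameter naming is inconsistent across the five functions (`s1` for init/free, `p` for update/finish, `s` in the Blake2b_256/Blake2s_128 variants); picking one helps the generated docs.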
@@ -0,0 +1,106 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Streaming_Blake2b_256_H +#define __Hacl_Streaming_Blake2b_256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Streaming_Blake2.h" +#include "Hacl_Spec.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Hash_Blake2b_256.h" +#include "Hacl_Hash_Blake2.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef struct Hacl_Streaming_Blake2b_256_blake2b_256_block_state_s +{ + Lib_IntVector_Intrinsics_vec256 *fst; + Lib_IntVector_Intrinsics_vec256 *snd; +} +Hacl_Streaming_Blake2b_256_blake2b_256_block_state; + +typedef struct Hacl_Streaming_Blake2b_256_blake2b_256_state_s +{ + Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state; + uint8_t *buf; + uint64_t total_len; +} +Hacl_Streaming_Blake2b_256_blake2b_256_state; + +/* + State allocation function when there is no key +*/ +Hacl_Streaming_Blake2b_256_blake2b_256_state +*Hacl_Streaming_Blake2b_256_blake2b_256_no_key_create_in(); + +/* + (Re-)initialization function when there is no key +*/ +void +Hacl_Streaming_Blake2b_256_blake2b_256_no_key_init( + Hacl_Streaming_Blake2b_256_blake2b_256_state *s +); + +/* + Update function when there is no key +*/ +void +Hacl_Streaming_Blake2b_256_blake2b_256_no_key_update( + Hacl_Streaming_Blake2b_256_blake2b_256_state *p, + uint8_t *data, + uint32_t len +); + +/* + Finish function when there is no key +*/ +void +Hacl_Streaming_Blake2b_256_blake2b_256_no_key_finish( + Hacl_Streaming_Blake2b_256_blake2b_256_state *p, + uint8_t *dst +); + +/* + Free state function when there is no key +*/ +void +Hacl_Streaming_Blake2b_256_blake2b_256_no_key_free( + Hacl_Streaming_Blake2b_256_blake2b_256_state *s +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Streaming_Blake2b_256_H_DEFINED +#endif 
diff --git a/include/c89/Hacl_Streaming_Blake2s_128.h b/include/c89/Hacl_Streaming_Blake2s_128.h new file mode 100644 index 00000000..991b5ddc --- /dev/null +++ b/include/c89/Hacl_Streaming_Blake2s_128.h 
@@ -0,0 +1,105 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Streaming_Blake2s_128_H
+#define __Hacl_Streaming_Blake2s_128_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Streaming_Blake2.h"
+#include "Hacl_Spec.h"
+#include "Hacl_Hash_Blake2s_128.h"
+#include "Hacl_Hash_Blake2.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+typedef struct Hacl_Streaming_Blake2s_128_blake2s_128_block_state_s
+{
+ Lib_IntVector_Intrinsics_vec128 *fst;
+ Lib_IntVector_Intrinsics_vec128 *snd;
+}
+Hacl_Streaming_Blake2s_128_blake2s_128_block_state;
+
+typedef struct Hacl_Streaming_Blake2s_128_blake2s_128_state_s
+{
+ Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state;
+ uint8_t *buf;
+ uint64_t total_len;
+}
+Hacl_Streaming_Blake2s_128_blake2s_128_state;
+
+/*
+ State allocation function when there is no key
+*/
+Hacl_Streaming_Blake2s_128_blake2s_128_state
+*Hacl_Streaming_Blake2s_128_blake2s_128_no_key_create_in();
+
+/*
+ (Re-)initialization function when there is no key
+*/
+void
+Hacl_Streaming_Blake2s_128_blake2s_128_no_key_init(
+ Hacl_Streaming_Blake2s_128_blake2s_128_state *s
+);
+
+/*
+ Update function when there is no key
+*/
+void
+Hacl_Streaming_Blake2s_128_blake2s_128_no_key_update(
+ Hacl_Streaming_Blake2s_128_blake2s_128_state *p,
+ uint8_t *data,
+ uint32_t len
+);
+
+/*
+ Finish function when there is no key
+*/
+void
+Hacl_Streaming_Blake2s_128_blake2s_128_no_key_finish(
+ Hacl_Streaming_Blake2s_128_blake2s_128_state *p,
+ uint8_t *dst
+);
+
+/*
+ Free state function when there is no key
+*/
+void
+Hacl_Streaming_Blake2s_128_blake2s_128_no_key_free(
+ Hacl_Streaming_Blake2s_128_blake2s_128_state *s
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Streaming_Blake2s_128_H_DEFINED
+#endif
diff --git a/include/c89/Hacl_Streaming_MD5.h b/include/c89/Hacl_Streaming_MD5.h
new file mode 100644
index 00000000..f8bb4ee4
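Review bot: `Hacl_Streaming_Blake2s_128_blake2s_128_no_key_create_in()` is declared with an empty parameter list, which in a header shipped under `include/c89/` means "unspecified parameters" rather than "no parameters", so a call that passes stray arguments compiles without a diagnostic; declare it as `Hacl_Streaming_Blake2s_128_blake2s_128_no_key_create_in(void);`. The same pattern appears on the `create_in` declarations in Hacl_Streaming_MD5.h, Hacl_Streaming_SHA1.h and Hacl_Streaming_SHA2.h, and on `TestLib_cpucycles()` in TestLib.h. Separately, `uint8_t *data` in the update function is input the API presumably never writes, so `const uint8_t *data` would let callers pass read-only buffers without a cast. These headers look generated (kremlin includes), so the fix probably belongs in the generator configuration rather than in the checked-in files.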
--- /dev/null
+++ b/include/c89/Hacl_Streaming_MD5.h
@@ -0,0 +1,64 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Streaming_MD5_H
+#define __Hacl_Streaming_MD5_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Streaming_SHA2.h"
+#include "Hacl_Hash_MD5.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+typedef Hacl_Streaming_SHA2_state_sha2_224 Hacl_Streaming_MD5_state_md5;
+
+Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_MD5_legacy_create_in_md5();
+
+void Hacl_Streaming_MD5_legacy_init_md5(Hacl_Streaming_SHA2_state_sha2_224 *s);
+
+void
+Hacl_Streaming_MD5_legacy_update_md5(
+ Hacl_Streaming_SHA2_state_sha2_224 *p,
+ uint8_t *data,
+ uint32_t len
+);
+
+void Hacl_Streaming_MD5_legacy_finish_md5(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst);
+
+void Hacl_Streaming_MD5_legacy_free_md5(Hacl_Streaming_SHA2_state_sha2_224 *s);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Streaming_MD5_H_DEFINED
+#endif
diff --git a/include/c89/Hacl_Streaming_Poly1305_128.h b/include/c89/Hacl_Streaming_Poly1305_128.h
new file mode 100644
index 00000000..8e4bc864
--- /dev/null
+++ b/include/c89/Hacl_Streaming_Poly1305_128.h
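Review bot: `Hacl_Streaming_MD5_state_md5` is a plain typedef of `Hacl_Streaming_SHA2_state_sha2_224`, and every MD5 prototype below it is then written with the SHA2 type instead of the alias, so the alias is never used in its own header and nothing at the type level stops a caller from handing an MD5 state to a SHA-2 routine or vice versa. Declaring the five `legacy_*_md5` functions with `Hacl_Streaming_MD5_state_md5 *` would at least make the intended state type readable at the call site; a distinct struct would be needed for actual type safety. Hacl_Streaming_SHA1.h has the same shape with `Hacl_Streaming_SHA1_state_sha1`. A one-line comment on the typedef, e.g. `/* MD5 reuses the SHA2-224 streaming state layout: 32-bit block state, buffer and 64-bit length counter */`, would explain why the two types coincide.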
@@ -0,0 +1,76 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Streaming_Poly1305_128_H +#define __Hacl_Streaming_Poly1305_128_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Poly1305_128.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef struct Hacl_Streaming_Poly1305_128_poly1305_128_state_s +{ + Lib_IntVector_Intrinsics_vec128 *block_state; + uint8_t *buf; + uint64_t total_len; + uint8_t *p_key; +} +Hacl_Streaming_Poly1305_128_poly1305_128_state; + +Hacl_Streaming_Poly1305_128_poly1305_128_state +*Hacl_Streaming_Poly1305_128_create_in(uint8_t *k); + +void +Hacl_Streaming_Poly1305_128_init(uint8_t *k, Hacl_Streaming_Poly1305_128_poly1305_128_state *s); + +void +Hacl_Streaming_Poly1305_128_update( + Hacl_Streaming_Poly1305_128_poly1305_128_state *p, + uint8_t *data, + uint32_t len +); + +void +Hacl_Streaming_Poly1305_128_finish( + Hacl_Streaming_Poly1305_128_poly1305_128_state *p, + uint8_t *dst +); + +void Hacl_Streaming_Poly1305_128_free(Hacl_Streaming_Poly1305_128_poly1305_128_state *s); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Streaming_Poly1305_128_H_DEFINED +#endif diff --git a/include/c89/Hacl_Streaming_Poly1305_256.h b/include/c89/Hacl_Streaming_Poly1305_256.h new file mode 100644 index 00000000..2049d759 --- /dev/null +++ b/include/c89/Hacl_Streaming_Poly1305_256.h 
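Review bot: The header does not say whether `Hacl_Streaming_Poly1305_128_create_in(uint8_t *k)` and `Hacl_Streaming_Poly1305_128_init(uint8_t *k, ...)` copy the key or retain the caller's pointer; the state struct carries a `uint8_t *p_key` member, so a reader cannot tell whether `k` must outlive the state or may be wiped right after the call. Because a Poly1305 key is single-use, callers need that contract to know when to zeroize their own copy and whether `Hacl_Streaming_Poly1305_128_free` wipes `p_key` before releasing it. Please add a comment on `create_in`/`init` giving the key length, ownership and lifetime, e.g. `/* k: 32-byte one-time key; copied into the state, caller may discard it after the call — TODO confirm against the implementation */`, and consider `const uint8_t *k`. Hacl_Streaming_Poly1305_256.h and Hacl_Streaming_Poly1305_32.h need the same note.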
@@ -0,0 +1,76 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Streaming_Poly1305_256_H +#define __Hacl_Streaming_Poly1305_256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Poly1305_256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef struct Hacl_Streaming_Poly1305_256_poly1305_256_state_s +{ + Lib_IntVector_Intrinsics_vec256 *block_state; + uint8_t *buf; + uint64_t total_len; + uint8_t *p_key; +} +Hacl_Streaming_Poly1305_256_poly1305_256_state; + +Hacl_Streaming_Poly1305_256_poly1305_256_state +*Hacl_Streaming_Poly1305_256_create_in(uint8_t *k); + +void +Hacl_Streaming_Poly1305_256_init(uint8_t *k, Hacl_Streaming_Poly1305_256_poly1305_256_state *s); + +void +Hacl_Streaming_Poly1305_256_update( + Hacl_Streaming_Poly1305_256_poly1305_256_state *p, + uint8_t *data, + uint32_t len +); + +void +Hacl_Streaming_Poly1305_256_finish( + Hacl_Streaming_Poly1305_256_poly1305_256_state *p, + uint8_t *dst +); + +void Hacl_Streaming_Poly1305_256_free(Hacl_Streaming_Poly1305_256_poly1305_256_state *s); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Streaming_Poly1305_256_H_DEFINED +#endif diff --git a/include/c89/Hacl_Streaming_Poly1305_32.h b/include/c89/Hacl_Streaming_Poly1305_32.h new file mode 100644 index 00000000..b08a73a5 --- /dev/null +++ b/include/c89/Hacl_Streaming_Poly1305_32.h 
@@ -0,0 +1,75 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Streaming_Poly1305_32_H +#define __Hacl_Streaming_Poly1305_32_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Poly1305_32.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef struct Hacl_Streaming_Poly1305_32_poly1305_32_state_s +{ + uint64_t *block_state; + uint8_t *buf; + uint64_t total_len; + uint8_t *p_key; +} +Hacl_Streaming_Poly1305_32_poly1305_32_state; + +Hacl_Streaming_Poly1305_32_poly1305_32_state *Hacl_Streaming_Poly1305_32_create_in(uint8_t *k); + +void +Hacl_Streaming_Poly1305_32_init(uint8_t *k, Hacl_Streaming_Poly1305_32_poly1305_32_state *s); + +void +Hacl_Streaming_Poly1305_32_update( + Hacl_Streaming_Poly1305_32_poly1305_32_state *p, + uint8_t *data, + uint32_t len +); + +void +Hacl_Streaming_Poly1305_32_finish( + Hacl_Streaming_Poly1305_32_poly1305_32_state *p, + uint8_t *dst +); + +void Hacl_Streaming_Poly1305_32_free(Hacl_Streaming_Poly1305_32_poly1305_32_state *s); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Streaming_Poly1305_32_H_DEFINED +#endif diff --git a/include/c89/Hacl_Streaming_SHA1.h b/include/c89/Hacl_Streaming_SHA1.h new file mode 100644 index 00000000..b9d636b6 --- /dev/null +++ b/include/c89/Hacl_Streaming_SHA1.h 
@@ -0,0 +1,65 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Streaming_SHA1_H +#define __Hacl_Streaming_SHA1_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Streaming_SHA2.h" +#include "Hacl_Hash_SHA1.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef Hacl_Streaming_SHA2_state_sha2_224 Hacl_Streaming_SHA1_state_sha1; + +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA1_legacy_create_in_sha1(); + +void Hacl_Streaming_SHA1_legacy_init_sha1(Hacl_Streaming_SHA2_state_sha2_224 *s); + +void +Hacl_Streaming_SHA1_legacy_update_sha1( + Hacl_Streaming_SHA2_state_sha2_224 *p, + uint8_t *data, + uint32_t len +); + +void +Hacl_Streaming_SHA1_legacy_finish_sha1(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst); + +void Hacl_Streaming_SHA1_legacy_free_sha1(Hacl_Streaming_SHA2_state_sha2_224 *s); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Streaming_SHA1_H_DEFINED +#endif diff --git a/include/c89/Hacl_Streaming_SHA2.h b/include/c89/Hacl_Streaming_SHA2.h new file mode 100644 index 00000000..377c2be1 --- /dev/null +++ b/include/c89/Hacl_Streaming_SHA2.h 
@@ -0,0 +1,127 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Streaming_SHA2_H +#define __Hacl_Streaming_SHA2_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_Hash_SHA2.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef struct Hacl_Streaming_SHA2_state_sha2_224_s +{ + uint32_t *block_state; + uint8_t *buf; + uint64_t total_len; +} +Hacl_Streaming_SHA2_state_sha2_224; + +typedef Hacl_Streaming_SHA2_state_sha2_224 Hacl_Streaming_SHA2_state_sha2_256; + +typedef struct Hacl_Streaming_SHA2_state_sha2_384_s +{ + uint64_t *block_state; + uint8_t *buf; + uint64_t total_len; +} +Hacl_Streaming_SHA2_state_sha2_384; + +typedef Hacl_Streaming_SHA2_state_sha2_384 Hacl_Streaming_SHA2_state_sha2_512; + +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_224(); + +void Hacl_Streaming_SHA2_init_224(Hacl_Streaming_SHA2_state_sha2_224 *s); + +void +Hacl_Streaming_SHA2_update_224( + Hacl_Streaming_SHA2_state_sha2_224 *p, + uint8_t *data, + uint32_t len +); + +void Hacl_Streaming_SHA2_finish_224(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst); + +void Hacl_Streaming_SHA2_free_224(Hacl_Streaming_SHA2_state_sha2_224 *s); + +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_256(); + +void Hacl_Streaming_SHA2_init_256(Hacl_Streaming_SHA2_state_sha2_224 *s); + +void +Hacl_Streaming_SHA2_update_256( + Hacl_Streaming_SHA2_state_sha2_224 *p, + uint8_t *data, + uint32_t len +); + +void Hacl_Streaming_SHA2_finish_256(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst); + +void Hacl_Streaming_SHA2_free_256(Hacl_Streaming_SHA2_state_sha2_224 *s); + +Hacl_Streaming_SHA2_state_sha2_384 *Hacl_Streaming_SHA2_create_in_384(); + +void Hacl_Streaming_SHA2_init_384(Hacl_Streaming_SHA2_state_sha2_384 *s); + +void +Hacl_Streaming_SHA2_update_384( + Hacl_Streaming_SHA2_state_sha2_384 *p, + uint8_t *data, + 
uint32_t len +); + +void Hacl_Streaming_SHA2_finish_384(Hacl_Streaming_SHA2_state_sha2_384 *p, uint8_t *dst); + +void Hacl_Streaming_SHA2_free_384(Hacl_Streaming_SHA2_state_sha2_384 *s); + +Hacl_Streaming_SHA2_state_sha2_384 *Hacl_Streaming_SHA2_create_in_512(); + +void Hacl_Streaming_SHA2_init_512(Hacl_Streaming_SHA2_state_sha2_384 *s); + +void +Hacl_Streaming_SHA2_update_512( + Hacl_Streaming_SHA2_state_sha2_384 *p, + uint8_t *data, + uint32_t len +); + +void Hacl_Streaming_SHA2_finish_512(Hacl_Streaming_SHA2_state_sha2_384 *p, uint8_t *dst); + +void Hacl_Streaming_SHA2_free_512(Hacl_Streaming_SHA2_state_sha2_384 *s); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Streaming_SHA2_H_DEFINED +#endif diff --git a/include/c89/Lib_Memzero0.h b/include/c89/Lib_Memzero0.h new file mode 100644 index 00000000..978f2139 --- /dev/null +++ b/include/c89/Lib_Memzero0.h 
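Review bot: `Hacl_Streaming_SHA2_update_224` and its siblings take a `uint32_t len` and accumulate into a `uint64_t total_len`, but the header states neither a bound on the total message length nor what happens when it is exceeded; SHA-224/256 encode a 64-bit bit-length in the padding, so the byte total has a hard limit of 2^61, and SHA-384/512 a much larger one. If the implementation relies on a verified precondition rather than a runtime check — which cannot be determined from this header — say so next to each `update_*`, e.g. `/* Precondition: total input stays below 2^61 bytes (SHA-224/256); not checked at runtime */`. The `_256` and `_512` prototypes are also written with the `_224`/`_384` state types although the aliases `Hacl_Streaming_SHA2_state_sha2_256` and `Hacl_Streaming_SHA2_state_sha2_512` are declared a few lines above; using the aliases in the prototypes would make the intended pairing visible.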
@@ -0,0 +1,48 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Lib_Memzero0_H
+#define __Lib_Memzero0_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+extern void Lib_Memzero0_memzero(void *x0, uint64_t x1);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Lib_Memzero0_H_DEFINED
+#endif
diff --git a/include/c89/Lib_PrintBuffer.h b/include/c89/Lib_PrintBuffer.h
new file mode 100644
index 00000000..0d6a3ef3
--- /dev/null
+++ b/include/c89/Lib_PrintBuffer.h
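Review bot: `Lib_Memzero0_memzero(void *x0, uint64_t x1)` is the one primitive in this set whose entire purpose is a guarantee the optimizer is free to break, yet the declaration carries neither meaningful parameter names nor a comment saying what is promised. Callers wiping key material need to know whether this is guaranteed not to be dead-store-eliminated (as `explicit_bzero` or `SecureZeroMemory` are) or is a plain `memset` wrapper; the header alone cannot tell them, and the implementation is not in this hunk. Suggested declaration: `/* Zeroes len bytes at buf; intended to survive dead-store elimination — confirm against the implementation */` followed by `extern void Lib_Memzero0_memzero(void *buf, uint64_t len);`.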
@@ -0,0 +1,56 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Lib_PrintBuffer_H
+#define __Lib_PrintBuffer_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+extern void Lib_PrintBuffer_print_bytes(uint32_t len, uint8_t *buf);
+
+extern void Lib_PrintBuffer_print_compare(uint32_t len, uint8_t *buf0, uint8_t *buf1);
+
+extern void
+Lib_PrintBuffer_print_compare_display(uint32_t len, const uint8_t *buf0, const uint8_t *buf1);
+
+extern bool
+Lib_PrintBuffer_result_compare_display(uint32_t len, const uint8_t *buf0, const uint8_t *buf1);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Lib_PrintBuffer_H_DEFINED
+#endif
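Review bot: `Lib_PrintBuffer_print_bytes` and `Lib_PrintBuffer_print_compare` take `uint8_t *` while the two `_display` variants right below them take `const uint8_t *`, so the same header is inconsistent about whether these diagnostic routines may write to their inputs, and a caller holding a `const` buffer must cast for the first two. Unless they really do write, declare all four with `const uint8_t *`. Since these routines print raw buffer contents, a header comment marking them as test and debugging helpers — not for use on key material in production builds — would help keep secrets out of logs.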
diff --git a/include/c89/Lib_RandomBuffer_System.h b/include/c89/Lib_RandomBuffer_System.h
new file mode 100644
index 00000000..7045e7bb
--- /dev/null
+++ b/include/c89/Lib_RandomBuffer_System.h
@@ -0,0 +1,54 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Lib_RandomBuffer_System_H
+#define __Lib_RandomBuffer_System_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+KRML_DEPRECATED("random_crypto")
+
+extern bool Lib_RandomBuffer_System_randombytes(uint8_t *buf, uint32_t len);
+
+extern void *Lib_RandomBuffer_System_entropy_p;
+
+extern void Lib_RandomBuffer_System_crypto_random(uint8_t *buf, uint32_t len);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Lib_RandomBuffer_System_H_DEFINED
+#endif
diff --git a/include/c89/TestLib.h b/include/c89/TestLib.h
new file mode 100644
index 00000000..71e516e8
--- /dev/null
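Review bot: `Lib_RandomBuffer_System_crypto_random(uint8_t *buf, uint32_t len)` returns `void`, so a caller has no way to learn that the system entropy source failed, while the `bool`-returning `Lib_RandomBuffer_System_randombytes` is the one carrying `KRML_DEPRECATED("random_crypto")`. The header should state what `crypto_random` does on failure — abort, retry, or leave `buf` partially filled — since that cannot be determined from the declaration, and the exported mutable global `Lib_RandomBuffer_System_entropy_p` needs a comment on who initialises it and whether it is touched from more than one thread. Suggested comment on `crypto_random`: `/* Fills buf with len bytes from the system entropy source; on failure: TODO document (abort vs. partial fill) */`.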
+++ b/include/c89/TestLib.h 
@@ -0,0 +1,91 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __TestLib_H
+#define __TestLib_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+extern void TestLib_touch(int32_t uu___);
+
+extern void TestLib_check(bool uu___);
+
+extern void TestLib_check8(int8_t uu___, int8_t uu___1);
+
+extern void TestLib_check16(int16_t uu___, int16_t uu___1);
+
+extern void TestLib_check32(int32_t uu___, int32_t uu___1);
+
+extern void TestLib_check64(int64_t uu___, int64_t uu___1);
+
+extern void TestLib_checku8(uint8_t uu___, uint8_t uu___1);
+
+extern void TestLib_checku16(uint16_t uu___, uint16_t uu___1);
+
+extern void TestLib_checku32(uint32_t uu___, uint32_t uu___1);
+
+extern void TestLib_checku64(uint64_t uu___, uint64_t uu___1);
+
+extern void TestLib_compare_and_print(C_String_t uu___, uint8_t *b1, uint8_t *b2, uint32_t l);
+
+extern uint8_t *TestLib_unsafe_malloc(uint32_t l);
+
+extern void TestLib_perr(uint32_t uu___);
+
+extern void TestLib_print_clock_diff(clock_t uu___, clock_t uu___1);
+
+KRML_DEPRECATED("p_null from TestLib; use LowStar.Buffer.null instead")
+
+extern uint8_t *TestLib_uint8_p_null;
+
+KRML_DEPRECATED("p_null from TestLib; use LowStar.Buffer.null instead")
+
+extern uint32_t *TestLib_uint32_p_null;
+
+KRML_DEPRECATED("p_null from TestLib; use LowStar.Buffer.null instead")
+
+extern uint64_t *TestLib_uint64_p_null;
+
+extern TestLib_cycles TestLib_cpucycles();
+
+extern void
+TestLib_print_cycles_per_round(TestLib_cycles uu___, TestLib_cycles uu___1, uint32_t uu___2);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __TestLib_H_DEFINED
+#endif
diff --git a/include/c89/curve25519-inline.h b/include/c89/curve25519-inline.h
new file mode 100644
index 00000000..e69f7a59
--- /dev/null
+++ b/include/c89/curve25519-inline.h
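Review bot: `TestLib_print_clock_diff` uses `clock_t` and `TestLib_cpucycles` returns `TestLib_cycles`, yet neither `<time.h>` nor a definition of `TestLib_cycles` is visible among this header's includes (the single system include's name is lost in this view), so the header appears to rely on whatever its includers happen to pull in first. Include `<time.h>` here and declare `TestLib_cycles` (or include the header that does) so the file is self-contained. `TestLib_unsafe_malloc(uint32_t l)` also deserves a one-line comment on what "unsafe" means — presumably an unchecked allocation — and the `uu___` parameter names convey nothing to a C caller.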
@@ -0,0 +1,751 @@ +#ifdef __GNUC__ +#if defined(__x86_64__) || defined(_M_X64) +#pragma once +#include + +// Computes the addition of four-element f1 with value in f2 +// and returns the carry (if any) +static inline uint64_t add_scalar (uint64_t *out, uint64_t *f1, uint64_t f2) +{ + uint64_t carry_r; + + asm volatile( + // Clear registers to propagate the carry bit + " xor %%r8d, %%r8d;" + " xor %%r9d, %%r9d;" + " xor %%r10d, %%r10d;" + " xor %%r11d, %%r11d;" + " xor %k1, %k1;" + + // Begin addition chain + " addq 0(%3), %0;" + " movq %0, 0(%2);" + " adcxq 8(%3), %%r8;" + " movq %%r8, 8(%2);" + " adcxq 16(%3), %%r9;" + " movq %%r9, 16(%2);" + " adcxq 24(%3), %%r10;" + " movq %%r10, 24(%2);" + + // Return the carry bit in a register + " adcx %%r11, %1;" + : "+&r" (f2), "=&r" (carry_r) + : "r" (out), "r" (f1) + : "%r8", "%r9", "%r10", "%r11", "memory", "cc" + ); + + return carry_r; +} + +// Computes the field addition of two field elements +static inline void fadd (uint64_t *out, uint64_t *f1, uint64_t *f2) +{ + asm volatile( + // Compute the raw addition of f1 + f2 + " movq 0(%0), %%r8;" + " addq 0(%2), %%r8;" + " movq 8(%0), %%r9;" + " adcxq 8(%2), %%r9;" + " movq 16(%0), %%r10;" + " adcxq 16(%2), %%r10;" + " movq 24(%0), %%r11;" + " adcxq 24(%2), %%r11;" + + /////// Wrap the result back into the field ////// + + // Step 1: Compute carry*38 + " mov $0, %%rax;" + " mov $38, %0;" + " cmovc %0, %%rax;" + + // Step 2: Add carry*38 to the original sum + " xor %%ecx, %%ecx;" + " add %%rax, %%r8;" + " adcx %%rcx, %%r9;" + " movq %%r9, 8(%1);" + " adcx %%rcx, %%r10;" + " movq %%r10, 16(%1);" + " adcx %%rcx, %%r11;" + " movq %%r11, 24(%1);" + + // Step 3: Fold the carry bit back in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %0, %%rax;" + " add %%rax, %%r8;" + " movq %%r8, 0(%1);" + : "+&r" (f2) + : "r" (out), "r" (f1) + : "%rax", "%rcx", "%r8", "%r9", "%r10", "%r11", "memory", "cc" + ); +} + +// Computes the field substraction of two field 
elements +static inline void fsub (uint64_t *out, uint64_t *f1, uint64_t *f2) +{ + asm volatile( + // Compute the raw substraction of f1-f2 + " movq 0(%1), %%r8;" + " subq 0(%2), %%r8;" + " movq 8(%1), %%r9;" + " sbbq 8(%2), %%r9;" + " movq 16(%1), %%r10;" + " sbbq 16(%2), %%r10;" + " movq 24(%1), %%r11;" + " sbbq 24(%2), %%r11;" + + /////// Wrap the result back into the field ////// + + // Step 1: Compute carry*38 + " mov $0, %%rax;" + " mov $38, %%rcx;" + " cmovc %%rcx, %%rax;" + + // Step 2: Substract carry*38 from the original difference + " sub %%rax, %%r8;" + " sbb $0, %%r9;" + " sbb $0, %%r10;" + " sbb $0, %%r11;" + + // Step 3: Fold the carry bit back in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %%rcx, %%rax;" + " sub %%rax, %%r8;" + + // Store the result + " movq %%r8, 0(%0);" + " movq %%r9, 8(%0);" + " movq %%r10, 16(%0);" + " movq %%r11, 24(%0);" + : + : "r" (out), "r" (f1), "r" (f2) + : "%rax", "%rcx", "%r8", "%r9", "%r10", "%r11", "memory", "cc" + ); +} + +// Computes a field multiplication: out <- f1 * f2 +// Uses the 8-element buffer tmp for intermediate results +static inline void fmul (uint64_t *out, uint64_t *f1, uint64_t *f2, uint64_t *tmp) +{ + asm volatile( + + /////// Compute the raw multiplication: tmp <- src1 * src2 ////// + + // Compute src1[0] * src2 + " movq 0(%0), %%rdx;" + " mulxq 0(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " movq %%r8, 0(%2);" + " mulxq 8(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " movq %%r10, 8(%2);" + " mulxq 16(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" + " mulxq 24(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " mov $0, %%rax;" + " adox %%rdx, %%rax;" + + // Compute src1[1] * src2 + " movq 8(%0), %%rdx;" + " mulxq 0(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 8(%2), %%r8;" " movq %%r8, 8(%2);" + " mulxq 8(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 16(%2);" + " mulxq 16(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;" + " 
mulxq 24(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;" + " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" + + + // Compute src1[2] * src2 + " movq 16(%0), %%rdx;" + " mulxq 0(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 16(%2), %%r8;" " movq %%r8, 16(%2);" + " mulxq 8(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 24(%2);" + " mulxq 16(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;" + " mulxq 24(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;" + " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" + + + // Compute src1[3] * src2 + " movq 24(%0), %%rdx;" + " mulxq 0(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 24(%2), %%r8;" " movq %%r8, 24(%2);" + " mulxq 8(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 32(%2);" + " mulxq 16(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " movq %%rbx, 40(%2);" " mov $0, %%r8;" + " mulxq 24(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " movq %%r14, 48(%2);" " mov $0, %%rax;" + " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" " movq %%rax, 56(%2);" + + // Line up pointers + " mov %2, %0;" + " mov %3, %2;" + + /////// Wrap the result back into the field ////// + + // Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + " mov $38, %%rdx;" + " mulxq 32(%0), %%r8, %%r13;" + " xor %k1, %k1;" + " adoxq 0(%0), %%r8;" + " mulxq 40(%0), %%r9, %%rbx;" + " adcx %%r13, %%r9;" + " adoxq 8(%0), %%r9;" + " mulxq 48(%0), %%r10, %%r13;" + " adcx %%rbx, %%r10;" + " adoxq 16(%0), %%r10;" + " mulxq 56(%0), %%r11, %%rax;" + " adcx %%r13, %%r11;" + " adoxq 24(%0), %%r11;" + " adcx %1, %%rax;" + " adox %1, %%rax;" + " imul %%rdx, %%rax;" + + // Step 2: Fold the carry back into dst + " add %%rax, %%r8;" + " adcx %1, %%r9;" + " movq %%r9, 8(%2);" + " adcx %1, %%r10;" + " movq %%r10, 16(%2);" + " adcx %1, %%r11;" + " movq %%r11, 24(%2);" + + // Step 3: Fold the carry bit back 
in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %%rdx, %%rax;" + " add %%rax, %%r8;" + " movq %%r8, 0(%2);" + : "+&r" (f1), "+&r" (f2), "+&r" (tmp) + : "r" (out) + : "%rax", "%rbx", "%rdx", "%r8", "%r9", "%r10", "%r11", "%r13", "%r14", "memory", "cc" + ); +} + +// Computes two field multiplications: +// out[0] <- f1[0] * f2[0] +// out[1] <- f1[1] * f2[1] +// Uses the 16-element buffer tmp for intermediate results: +static inline void fmul2 (uint64_t *out, uint64_t *f1, uint64_t *f2, uint64_t *tmp) +{ + asm volatile( + + /////// Compute the raw multiplication tmp[0] <- f1[0] * f2[0] ////// + + // Compute src1[0] * src2 + " movq 0(%0), %%rdx;" + " mulxq 0(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " movq %%r8, 0(%2);" + " mulxq 8(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " movq %%r10, 8(%2);" + " mulxq 16(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" + " mulxq 24(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " mov $0, %%rax;" + " adox %%rdx, %%rax;" + + // Compute src1[1] * src2 + " movq 8(%0), %%rdx;" + " mulxq 0(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 8(%2), %%r8;" " movq %%r8, 8(%2);" + " mulxq 8(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 16(%2);" + " mulxq 16(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;" + " mulxq 24(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;" + " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" + + + // Compute src1[2] * src2 + " movq 16(%0), %%rdx;" + " mulxq 0(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 16(%2), %%r8;" " movq %%r8, 16(%2);" + " mulxq 8(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 24(%2);" + " mulxq 16(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;" + " mulxq 24(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;" + " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" + + + // Compute src1[3] * src2 + " movq 24(%0), 
%%rdx;" + " mulxq 0(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 24(%2), %%r8;" " movq %%r8, 24(%2);" + " mulxq 8(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 32(%2);" + " mulxq 16(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " movq %%rbx, 40(%2);" " mov $0, %%r8;" + " mulxq 24(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " movq %%r14, 48(%2);" " mov $0, %%rax;" + " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" " movq %%rax, 56(%2);" + + /////// Compute the raw multiplication tmp[1] <- f1[1] * f2[1] ////// + + // Compute src1[0] * src2 + " movq 32(%0), %%rdx;" + " mulxq 32(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " movq %%r8, 64(%2);" + " mulxq 40(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " movq %%r10, 72(%2);" + " mulxq 48(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" + " mulxq 56(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " mov $0, %%rax;" + " adox %%rdx, %%rax;" + + // Compute src1[1] * src2 + " movq 40(%0), %%rdx;" + " mulxq 32(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 72(%2), %%r8;" " movq %%r8, 72(%2);" + " mulxq 40(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 80(%2);" + " mulxq 48(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;" + " mulxq 56(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;" + " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" + + + // Compute src1[2] * src2 + " movq 48(%0), %%rdx;" + " mulxq 32(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 80(%2), %%r8;" " movq %%r8, 80(%2);" + " mulxq 40(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 88(%2);" + " mulxq 48(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;" + " mulxq 56(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;" + " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" + + + // Compute src1[3] * src2 + " movq 56(%0), %%rdx;" + " mulxq 32(%1), %%r8, 
%%r9;" " xor %%r10d, %%r10d;" " adcxq 88(%2), %%r8;" " movq %%r8, 88(%2);" + " mulxq 40(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 96(%2);" + " mulxq 48(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " movq %%rbx, 104(%2);" " mov $0, %%r8;" + " mulxq 56(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " movq %%r14, 112(%2);" " mov $0, %%rax;" + " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" " movq %%rax, 120(%2);" + + // Line up pointers + " mov %2, %0;" + " mov %3, %2;" + + /////// Wrap the results back into the field ////// + + // Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + " mov $38, %%rdx;" + " mulxq 32(%0), %%r8, %%r13;" + " xor %k1, %k1;" + " adoxq 0(%0), %%r8;" + " mulxq 40(%0), %%r9, %%rbx;" + " adcx %%r13, %%r9;" + " adoxq 8(%0), %%r9;" + " mulxq 48(%0), %%r10, %%r13;" + " adcx %%rbx, %%r10;" + " adoxq 16(%0), %%r10;" + " mulxq 56(%0), %%r11, %%rax;" + " adcx %%r13, %%r11;" + " adoxq 24(%0), %%r11;" + " adcx %1, %%rax;" + " adox %1, %%rax;" + " imul %%rdx, %%rax;" + + // Step 2: Fold the carry back into dst + " add %%rax, %%r8;" + " adcx %1, %%r9;" + " movq %%r9, 8(%2);" + " adcx %1, %%r10;" + " movq %%r10, 16(%2);" + " adcx %1, %%r11;" + " movq %%r11, 24(%2);" + + // Step 3: Fold the carry bit back in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %%rdx, %%rax;" + " add %%rax, %%r8;" + " movq %%r8, 0(%2);" + + // Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + " mov $38, %%rdx;" + " mulxq 96(%0), %%r8, %%r13;" + " xor %k1, %k1;" + " adoxq 64(%0), %%r8;" + " mulxq 104(%0), %%r9, %%rbx;" + " adcx %%r13, %%r9;" + " adoxq 72(%0), %%r9;" + " mulxq 112(%0), %%r10, %%r13;" + " adcx %%rbx, %%r10;" + " adoxq 80(%0), %%r10;" + " mulxq 120(%0), %%r11, %%rax;" + " adcx %%r13, %%r11;" + " adoxq 88(%0), %%r11;" + " adcx %1, %%rax;" + " adox %1, %%rax;" + " imul %%rdx, %%rax;" + + // Step 2: Fold the carry back into dst + " add %%rax, %%r8;" + " adcx %1, %%r9;" + " movq 
%%r9, 40(%2);" + " adcx %1, %%r10;" + " movq %%r10, 48(%2);" + " adcx %1, %%r11;" + " movq %%r11, 56(%2);" + + // Step 3: Fold the carry bit back in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %%rdx, %%rax;" + " add %%rax, %%r8;" + " movq %%r8, 32(%2);" + : "+&r" (f1), "+&r" (f2), "+&r" (tmp) + : "r" (out) + : "%rax", "%rbx", "%rdx", "%r8", "%r9", "%r10", "%r11", "%r13", "%r14", "memory", "cc" + ); +} + +// Computes the field multiplication of four-element f1 with value in f2 +// Requires f2 to be smaller than 2^17 +static inline void fmul_scalar (uint64_t *out, uint64_t *f1, uint64_t f2) +{ + register uint64_t f2_r asm("rdx") = f2; + + asm volatile( + // Compute the raw multiplication of f1*f2 + " mulxq 0(%2), %%r8, %%rcx;" // f1[0]*f2 + " mulxq 8(%2), %%r9, %%rbx;" // f1[1]*f2 + " add %%rcx, %%r9;" + " mov $0, %%rcx;" + " mulxq 16(%2), %%r10, %%r13;" // f1[2]*f2 + " adcx %%rbx, %%r10;" + " mulxq 24(%2), %%r11, %%rax;" // f1[3]*f2 + " adcx %%r13, %%r11;" + " adcx %%rcx, %%rax;" + + /////// Wrap the result back into the field ////// + + // Step 1: Compute carry*38 + " mov $38, %%rdx;" + " imul %%rdx, %%rax;" + + // Step 2: Fold the carry back into dst + " add %%rax, %%r8;" + " adcx %%rcx, %%r9;" + " movq %%r9, 8(%1);" + " adcx %%rcx, %%r10;" + " movq %%r10, 16(%1);" + " adcx %%rcx, %%r11;" + " movq %%r11, 24(%1);" + + // Step 3: Fold the carry bit back in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %%rdx, %%rax;" + " add %%rax, %%r8;" + " movq %%r8, 0(%1);" + : "+&r" (f2_r) + : "r" (out), "r" (f1) + : "%rax", "%rbx", "%rcx", "%r8", "%r9", "%r10", "%r11", "%r13", "memory", "cc" + ); +} + +// Computes p1 <- bit ? 
p2 : p1 in constant time +static inline void cswap2 (uint64_t bit, uint64_t *p1, uint64_t *p2) +{ + asm volatile( + // Transfer bit into CF flag + " add $18446744073709551615, %0;" + + // cswap p1[0], p2[0] + " movq 0(%1), %%r8;" + " movq 0(%2), %%r9;" + " mov %%r8, %%r10;" + " cmovc %%r9, %%r8;" + " cmovc %%r10, %%r9;" + " movq %%r8, 0(%1);" + " movq %%r9, 0(%2);" + + // cswap p1[1], p2[1] + " movq 8(%1), %%r8;" + " movq 8(%2), %%r9;" + " mov %%r8, %%r10;" + " cmovc %%r9, %%r8;" + " cmovc %%r10, %%r9;" + " movq %%r8, 8(%1);" + " movq %%r9, 8(%2);" + + // cswap p1[2], p2[2] + " movq 16(%1), %%r8;" + " movq 16(%2), %%r9;" + " mov %%r8, %%r10;" + " cmovc %%r9, %%r8;" + " cmovc %%r10, %%r9;" + " movq %%r8, 16(%1);" + " movq %%r9, 16(%2);" + + // cswap p1[3], p2[3] + " movq 24(%1), %%r8;" + " movq 24(%2), %%r9;" + " mov %%r8, %%r10;" + " cmovc %%r9, %%r8;" + " cmovc %%r10, %%r9;" + " movq %%r8, 24(%1);" + " movq %%r9, 24(%2);" + + // cswap p1[4], p2[4] + " movq 32(%1), %%r8;" + " movq 32(%2), %%r9;" + " mov %%r8, %%r10;" + " cmovc %%r9, %%r8;" + " cmovc %%r10, %%r9;" + " movq %%r8, 32(%1);" + " movq %%r9, 32(%2);" + + // cswap p1[5], p2[5] + " movq 40(%1), %%r8;" + " movq 40(%2), %%r9;" + " mov %%r8, %%r10;" + " cmovc %%r9, %%r8;" + " cmovc %%r10, %%r9;" + " movq %%r8, 40(%1);" + " movq %%r9, 40(%2);" + + // cswap p1[6], p2[6] + " movq 48(%1), %%r8;" + " movq 48(%2), %%r9;" + " mov %%r8, %%r10;" + " cmovc %%r9, %%r8;" + " cmovc %%r10, %%r9;" + " movq %%r8, 48(%1);" + " movq %%r9, 48(%2);" + + // cswap p1[7], p2[7] + " movq 56(%1), %%r8;" + " movq 56(%2), %%r9;" + " mov %%r8, %%r10;" + " cmovc %%r9, %%r8;" + " cmovc %%r10, %%r9;" + " movq %%r8, 56(%1);" + " movq %%r9, 56(%2);" + : "+&r" (bit) + : "r" (p1), "r" (p2) + : "%r8", "%r9", "%r10", "memory", "cc" + ); +} + +// Computes the square of a field element: out <- f * f +// Uses the 8-element buffer tmp for intermediate results +static inline void fsqr (uint64_t *out, uint64_t *f, uint64_t *tmp) +{ + asm volatile( + + 
/////// Compute the raw multiplication: tmp <- f * f ////// + + // Step 1: Compute all partial products + " movq 0(%0), %%rdx;" // f[0] + " mulxq 8(%0), %%r8, %%r14;" " xor %%r15d, %%r15d;" // f[1]*f[0] + " mulxq 16(%0), %%r9, %%r10;" " adcx %%r14, %%r9;" // f[2]*f[0] + " mulxq 24(%0), %%rax, %%rcx;" " adcx %%rax, %%r10;" // f[3]*f[0] + " movq 24(%0), %%rdx;" // f[3] + " mulxq 8(%0), %%r11, %%rbx;" " adcx %%rcx, %%r11;" // f[1]*f[3] + " mulxq 16(%0), %%rax, %%r13;" " adcx %%rax, %%rbx;" // f[2]*f[3] + " movq 8(%0), %%rdx;" " adcx %%r15, %%r13;" // f1 + " mulxq 16(%0), %%rax, %%rcx;" " mov $0, %%r14;" // f[2]*f[1] + + // Step 2: Compute two parallel carry chains + " xor %%r15d, %%r15d;" + " adox %%rax, %%r10;" + " adcx %%r8, %%r8;" + " adox %%rcx, %%r11;" + " adcx %%r9, %%r9;" + " adox %%r15, %%rbx;" + " adcx %%r10, %%r10;" + " adox %%r15, %%r13;" + " adcx %%r11, %%r11;" + " adox %%r15, %%r14;" + " adcx %%rbx, %%rbx;" + " adcx %%r13, %%r13;" + " adcx %%r14, %%r14;" + + // Step 3: Compute intermediate squares + " movq 0(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[0]^2 + " movq %%rax, 0(%1);" + " add %%rcx, %%r8;" " movq %%r8, 8(%1);" + " movq 8(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[1]^2 + " adcx %%rax, %%r9;" " movq %%r9, 16(%1);" + " adcx %%rcx, %%r10;" " movq %%r10, 24(%1);" + " movq 16(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[2]^2 + " adcx %%rax, %%r11;" " movq %%r11, 32(%1);" + " adcx %%rcx, %%rbx;" " movq %%rbx, 40(%1);" + " movq 24(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[3]^2 + " adcx %%rax, %%r13;" " movq %%r13, 48(%1);" + " adcx %%rcx, %%r14;" " movq %%r14, 56(%1);" + + // Line up pointers + " mov %1, %0;" + " mov %2, %1;" + + /////// Wrap the result back into the field ////// + + // Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + " mov $38, %%rdx;" + " mulxq 32(%0), %%r8, %%r13;" + " xor %%ecx, %%ecx;" + " adoxq 0(%0), %%r8;" + " mulxq 40(%0), %%r9, %%rbx;" + " adcx %%r13, %%r9;" + " adoxq 8(%0), %%r9;" + " mulxq 48(%0), %%r10, 
%%r13;" + " adcx %%rbx, %%r10;" + " adoxq 16(%0), %%r10;" + " mulxq 56(%0), %%r11, %%rax;" + " adcx %%r13, %%r11;" + " adoxq 24(%0), %%r11;" + " adcx %%rcx, %%rax;" + " adox %%rcx, %%rax;" + " imul %%rdx, %%rax;" + + // Step 2: Fold the carry back into dst + " add %%rax, %%r8;" + " adcx %%rcx, %%r9;" + " movq %%r9, 8(%1);" + " adcx %%rcx, %%r10;" + " movq %%r10, 16(%1);" + " adcx %%rcx, %%r11;" + " movq %%r11, 24(%1);" + + // Step 3: Fold the carry bit back in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %%rdx, %%rax;" + " add %%rax, %%r8;" + " movq %%r8, 0(%1);" + : "+&r" (f), "+&r" (tmp) + : "r" (out) + : "%rax", "%rbx", "%rcx", "%rdx", "%r8", "%r9", "%r10", "%r11", "%r13", "%r14", "%r15", "memory", "cc" + ); +} + +// Computes two field squarings: +// out[0] <- f[0] * f[0] +// out[1] <- f[1] * f[1] +// Uses the 16-element buffer tmp for intermediate results +static inline void fsqr2 (uint64_t *out, uint64_t *f, uint64_t *tmp) +{ + asm volatile( + // Step 1: Compute all partial products + " movq 0(%0), %%rdx;" // f[0] + " mulxq 8(%0), %%r8, %%r14;" " xor %%r15d, %%r15d;" // f[1]*f[0] + " mulxq 16(%0), %%r9, %%r10;" " adcx %%r14, %%r9;" // f[2]*f[0] + " mulxq 24(%0), %%rax, %%rcx;" " adcx %%rax, %%r10;" // f[3]*f[0] + " movq 24(%0), %%rdx;" // f[3] + " mulxq 8(%0), %%r11, %%rbx;" " adcx %%rcx, %%r11;" // f[1]*f[3] + " mulxq 16(%0), %%rax, %%r13;" " adcx %%rax, %%rbx;" // f[2]*f[3] + " movq 8(%0), %%rdx;" " adcx %%r15, %%r13;" // f1 + " mulxq 16(%0), %%rax, %%rcx;" " mov $0, %%r14;" // f[2]*f[1] + + // Step 2: Compute two parallel carry chains + " xor %%r15d, %%r15d;" + " adox %%rax, %%r10;" + " adcx %%r8, %%r8;" + " adox %%rcx, %%r11;" + " adcx %%r9, %%r9;" + " adox %%r15, %%rbx;" + " adcx %%r10, %%r10;" + " adox %%r15, %%r13;" + " adcx %%r11, %%r11;" + " adox %%r15, %%r14;" + " adcx %%rbx, %%rbx;" + " adcx %%r13, %%r13;" + " adcx %%r14, %%r14;" + + // Step 3: Compute intermediate squares + " movq 0(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" 
// f[0]^2 + " movq %%rax, 0(%1);" + " add %%rcx, %%r8;" " movq %%r8, 8(%1);" + " movq 8(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[1]^2 + " adcx %%rax, %%r9;" " movq %%r9, 16(%1);" + " adcx %%rcx, %%r10;" " movq %%r10, 24(%1);" + " movq 16(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[2]^2 + " adcx %%rax, %%r11;" " movq %%r11, 32(%1);" + " adcx %%rcx, %%rbx;" " movq %%rbx, 40(%1);" + " movq 24(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[3]^2 + " adcx %%rax, %%r13;" " movq %%r13, 48(%1);" + " adcx %%rcx, %%r14;" " movq %%r14, 56(%1);" + + // Step 1: Compute all partial products + " movq 32(%0), %%rdx;" // f[0] + " mulxq 40(%0), %%r8, %%r14;" " xor %%r15d, %%r15d;" // f[1]*f[0] + " mulxq 48(%0), %%r9, %%r10;" " adcx %%r14, %%r9;" // f[2]*f[0] + " mulxq 56(%0), %%rax, %%rcx;" " adcx %%rax, %%r10;" // f[3]*f[0] + " movq 56(%0), %%rdx;" // f[3] + " mulxq 40(%0), %%r11, %%rbx;" " adcx %%rcx, %%r11;" // f[1]*f[3] + " mulxq 48(%0), %%rax, %%r13;" " adcx %%rax, %%rbx;" // f[2]*f[3] + " movq 40(%0), %%rdx;" " adcx %%r15, %%r13;" // f1 + " mulxq 48(%0), %%rax, %%rcx;" " mov $0, %%r14;" // f[2]*f[1] + + // Step 2: Compute two parallel carry chains + " xor %%r15d, %%r15d;" + " adox %%rax, %%r10;" + " adcx %%r8, %%r8;" + " adox %%rcx, %%r11;" + " adcx %%r9, %%r9;" + " adox %%r15, %%rbx;" + " adcx %%r10, %%r10;" + " adox %%r15, %%r13;" + " adcx %%r11, %%r11;" + " adox %%r15, %%r14;" + " adcx %%rbx, %%rbx;" + " adcx %%r13, %%r13;" + " adcx %%r14, %%r14;" + + // Step 3: Compute intermediate squares + " movq 32(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[0]^2 + " movq %%rax, 64(%1);" + " add %%rcx, %%r8;" " movq %%r8, 72(%1);" + " movq 40(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[1]^2 + " adcx %%rax, %%r9;" " movq %%r9, 80(%1);" + " adcx %%rcx, %%r10;" " movq %%r10, 88(%1);" + " movq 48(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[2]^2 + " adcx %%rax, %%r11;" " movq %%r11, 96(%1);" + " adcx %%rcx, %%rbx;" " movq %%rbx, 104(%1);" + " movq 56(%0), %%rdx;" " mulx 
%%rdx, %%rax, %%rcx;" // f[3]^2 + " adcx %%rax, %%r13;" " movq %%r13, 112(%1);" + " adcx %%rcx, %%r14;" " movq %%r14, 120(%1);" + + // Line up pointers + " mov %1, %0;" + " mov %2, %1;" + + // Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + " mov $38, %%rdx;" + " mulxq 32(%0), %%r8, %%r13;" + " xor %%ecx, %%ecx;" + " adoxq 0(%0), %%r8;" + " mulxq 40(%0), %%r9, %%rbx;" + " adcx %%r13, %%r9;" + " adoxq 8(%0), %%r9;" + " mulxq 48(%0), %%r10, %%r13;" + " adcx %%rbx, %%r10;" + " adoxq 16(%0), %%r10;" + " mulxq 56(%0), %%r11, %%rax;" + " adcx %%r13, %%r11;" + " adoxq 24(%0), %%r11;" + " adcx %%rcx, %%rax;" + " adox %%rcx, %%rax;" + " imul %%rdx, %%rax;" + + // Step 2: Fold the carry back into dst + " add %%rax, %%r8;" + " adcx %%rcx, %%r9;" + " movq %%r9, 8(%1);" + " adcx %%rcx, %%r10;" + " movq %%r10, 16(%1);" + " adcx %%rcx, %%r11;" + " movq %%r11, 24(%1);" + + // Step 3: Fold the carry bit back in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %%rdx, %%rax;" + " add %%rax, %%r8;" + " movq %%r8, 0(%1);" + + // Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + " mov $38, %%rdx;" + " mulxq 96(%0), %%r8, %%r13;" + " xor %%ecx, %%ecx;" + " adoxq 64(%0), %%r8;" + " mulxq 104(%0), %%r9, %%rbx;" + " adcx %%r13, %%r9;" + " adoxq 72(%0), %%r9;" + " mulxq 112(%0), %%r10, %%r13;" + " adcx %%rbx, %%r10;" + " adoxq 80(%0), %%r10;" + " mulxq 120(%0), %%r11, %%rax;" + " adcx %%r13, %%r11;" + " adoxq 88(%0), %%r11;" + " adcx %%rcx, %%rax;" + " adox %%rcx, %%rax;" + " imul %%rdx, %%rax;" + + // Step 2: Fold the carry back into dst + " add %%rax, %%r8;" + " adcx %%rcx, %%r9;" + " movq %%r9, 40(%1);" + " adcx %%rcx, %%r10;" + " movq %%r10, 48(%1);" + " adcx %%rcx, %%r11;" + " movq %%r11, 56(%1);" + + // Step 3: Fold the carry bit back in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %%rdx, %%rax;" + " add %%rax, %%r8;" + " movq %%r8, 32(%1);" + : "+&r" (f), "+&r" (tmp) + : "r" (out) + : "%rax", "%rbx", "%rcx", "%rdx", "%r8", "%r9", 
"%r10", "%r11", "%r13", "%r14", "%r15", "memory", "cc" + ); +} + +#endif /* defined(__x86_64__) || defined(_M_X64) */ +#endif /* __GNUC__ */ diff --git a/include/c89/evercrypt_targetconfig.h b/include/c89/evercrypt_targetconfig.h new file mode 100644 index 00000000..d6d7c032 --- /dev/null +++ b/include/c89/evercrypt_targetconfig.h 
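Review bot: The guard at the top of the hunk checks only the compile target (`__GNUC__` and `__x86_64__`), while every routine from `add_scalar` down to `fsqr2` executes `mulxq`, `adcx` and `adox`, which are BMI2/ADX instructions that older x86-64 CPUs lack; nothing in the header says so, and a caller that reaches these functions without runtime feature detection gets an illegal-instruction fault. A file-level comment would make the contract explicit: `// Requires BMI2 (mulx) and ADX (adcx/adox) on the executing CPU; call only after runtime feature detection selects this path.` The per-function comments also leave the representation contract implicit: only `fmul_scalar` states a bound on its input (`f2 < 2^17`), while `fadd`, `fsub`, `fmul` and `fsqr` say nothing about the admissible limb range or about the result being only partially reduced (the final `cmovc` folds a single carry, so outputs are presumably in [0, 2^256) rather than fully reduced mod p — confirm against the Vale specification before documenting). Separately, the `#include` on the second line of the hunk shows no header name in this rendering; confirm it names the header that provides `uint64_t`.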
@@ -0,0 +1,56 @@ +#ifndef __EVERCRYPT_TARGETCONFIG_H +#define __EVERCRYPT_TARGETCONFIG_H + +// Instead of listing the identifiers for the target architectures +// then defining the constant TARGET_ARCHITECTURE in config.h, we might simply +// define exactly one tag of the form TARGET_ARCHITECTURE_IS_... in config.h. +// However, for maintenance purposes, we use the first method in +// order to have all the possible values listed in one place. +// Note that for now, the only important id is TARGET_ARCHITECTURE_ID_X64, +// but the other ids might prove useful in the future if we make +// the dynamic feature detection more precise (see the functions +// has_vec128_not_avx/has_vec256_not_avx2 below). +#define TARGET_ARCHITECTURE_ID_UNKNOWN 0 +#define TARGET_ARCHITECTURE_ID_X86 1 +#define TARGET_ARCHITECTURE_ID_X64 2 +#define TARGET_ARCHITECTURE_ID_ARM7 3 +#define TARGET_ARCHITECTURE_ID_ARM8 4 +#define TARGET_ARCHITECTURE_ID_SYSTEMZ 5 +#define TARGET_ARCHITECTURE_ID_POWERPC64 6 + +#if defined(__has_include) +#if __has_include("config.h") +#include "config.h" +#else +#define TARGET_ARCHITECTURE TARGET_ARCHITECTURE_ID_UNKNOWN +#endif +#endif + +// Those functions are called on non-x64 platforms for which the feature detection +// is not covered by vale's CPUID support; therefore, we hand-write in C ourselves. +// For now, on non-x64 platforms, if we can compile 128-bit vector code, we can +// also execute it; this is true of: Z, Power, ARM8. In the future, if we consider +// cross-compilation scenarios, we'll have to refine this predicate; it could be the case, +// for instance, that we want our code to run on old revisions of a system without +// vector instructions, in which case we'll have to do run-time feature detection +// in addition to compile-time detection. 
+ +#include + +static inline bool has_vec128_not_avx () { +#if (TARGET_ARCHITECTURE != TARGET_ARCHITECTURE_ID_X64) && HACL_CAN_COMPILE_VEC128 + return true; +#else + return false; +#endif +} + +static inline bool has_vec256_not_avx2 () { +#if (TARGET_ARCHITECTURE != TARGET_ARCHITECTURE_ID_X64) && HACL_CAN_COMPILE_VEC256 + return true; +#else + return false; +#endif +} + +#endif diff --git a/include/c89/internal/Hacl_Bignum.h b/include/c89/internal/Hacl_Bignum.h new file mode 100644 index 00000000..e7d63f9d --- /dev/null +++ b/include/c89/internal/Hacl_Bignum.h 
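Review bot: `has_vec128_not_avx` and `has_vec256_not_avx2` answer true for an unknown target: when `config.h` is absent (or the compiler lacks `__has_include`, in which case `TARGET_ARCHITECTURE` is never defined and the `#if` evaluates it as 0), `TARGET_ARCHITECTURE` equals `TARGET_ARCHITECTURE_ID_UNKNOWN`, which satisfies `!= TARGET_ARCHITECTURE_ID_X64`, so an x64 build with `HACL_CAN_COMPILE_VEC128` set reports vector support through the path the comment above reserves for non-x64 platforms, bypassing whatever runtime CPUID check the x64 path presumably performs. A conservative predicate excludes the unknown case, e.g. `#if (TARGET_ARCHITECTURE != TARGET_ARCHITECTURE_ID_X64) && (TARGET_ARCHITECTURE != TARGET_ARCHITECTURE_ID_UNKNOWN) && HACL_CAN_COMPILE_VEC128`, with the same change in the VEC256 variant. The declarators `has_vec128_not_avx ()` and `has_vec256_not_avx2 ()` should read `(void)`; in C11 an empty parameter list is a non-prototype declaration. The `#include` directly above them shows no header name in this rendering; confirm it pulls in the header that provides `bool`.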
@@ -0,0 +1,366 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __internal_Hacl_Bignum_H +#define __internal_Hacl_Bignum_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_Bignum_Base.h" +#include "evercrypt_targetconfig.h" +#include "lib_intrinsics.h" +#include "libintvector.h" +void Hacl_Bignum_Convert_bn_from_bytes_be_uint64(uint32_t len, uint8_t *b, uint64_t *res); + +void Hacl_Bignum_Convert_bn_to_bytes_be_uint64(uint32_t len, uint64_t *b, uint8_t *res); + +uint32_t Hacl_Bignum_Lib_bn_get_top_index_u32(uint32_t len, uint32_t *b); + +uint64_t Hacl_Bignum_Lib_bn_get_top_index_u64(uint32_t len, uint64_t *b); + +uint32_t +Hacl_Bignum_Addition_bn_sub_eq_len_u32(uint32_t aLen, uint32_t *a, uint32_t *b, uint32_t *res); + +uint64_t +Hacl_Bignum_Addition_bn_sub_eq_len_u64(uint32_t aLen, uint64_t *a, uint64_t *b, uint64_t *res); + +uint32_t +Hacl_Bignum_Addition_bn_add_eq_len_u32(uint32_t aLen, uint32_t *a, uint32_t *b, uint32_t *res); + +uint64_t +Hacl_Bignum_Addition_bn_add_eq_len_u64(uint32_t aLen, uint64_t *a, uint64_t *b, uint64_t *res); + +void +Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32( + uint32_t aLen, + uint32_t *a, + uint32_t *b, + uint32_t *tmp, + uint32_t *res +); + +void +Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64( + uint32_t aLen, + uint64_t *a, + uint64_t *b, + uint64_t *tmp, + uint64_t *res +); + +void +Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32( + uint32_t aLen, + uint32_t *a, + uint32_t *tmp, + uint32_t *res +); + +void +Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64( + uint32_t aLen, + uint64_t *a, + uint64_t *tmp, + uint64_t *res +); + +void +Hacl_Bignum_bn_add_mod_n_u32( + uint32_t len1, + uint32_t *n, + uint32_t *a, + uint32_t *b, + uint32_t *res +); + +void +Hacl_Bignum_bn_add_mod_n_u64( + uint32_t len1, + uint64_t *n, + uint64_t *a, + uint64_t *b, + uint64_t *res +); + +void +Hacl_Bignum_bn_sub_mod_n_u32( + 
uint32_t len1, + uint32_t *n, + uint32_t *a, + uint32_t *b, + uint32_t *res +); + +void +Hacl_Bignum_bn_sub_mod_n_u64( + uint32_t len1, + uint64_t *n, + uint64_t *a, + uint64_t *b, + uint64_t *res +); + +uint32_t Hacl_Bignum_ModInvLimb_mod_inv_uint32(uint32_t n0); + +uint64_t Hacl_Bignum_ModInvLimb_mod_inv_uint64(uint64_t n0); + +uint32_t Hacl_Bignum_Montgomery_bn_check_modulus_u32(uint32_t len, uint32_t *n); + +void +Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u32( + uint32_t len, + uint32_t nBits, + uint32_t *n, + uint32_t *res +); + +void +Hacl_Bignum_Montgomery_bn_mont_reduction_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv, + uint32_t *c, + uint32_t *res +); + +void +Hacl_Bignum_Montgomery_bn_to_mont_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv, + uint32_t *r2, + uint32_t *a, + uint32_t *aM +); + +void +Hacl_Bignum_Montgomery_bn_from_mont_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv_u64, + uint32_t *aM, + uint32_t *a +); + +void +Hacl_Bignum_Montgomery_bn_mont_mul_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv_u64, + uint32_t *aM, + uint32_t *bM, + uint32_t *resM +); + +void +Hacl_Bignum_Montgomery_bn_mont_sqr_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv_u64, + uint32_t *aM, + uint32_t *resM +); + +uint64_t Hacl_Bignum_Montgomery_bn_check_modulus_u64(uint32_t len, uint64_t *n); + +void +Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64( + uint32_t len, + uint32_t nBits, + uint64_t *n, + uint64_t *res +); + +void +Hacl_Bignum_Montgomery_bn_mont_reduction_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv, + uint64_t *c, + uint64_t *res +); + +void +Hacl_Bignum_Montgomery_bn_to_mont_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv, + uint64_t *r2, + uint64_t *a, + uint64_t *aM +); + +void +Hacl_Bignum_Montgomery_bn_from_mont_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv_u64, + uint64_t *aM, + uint64_t *a +); + +void +Hacl_Bignum_Montgomery_bn_mont_mul_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv_u64, + uint64_t *aM, + 
uint64_t *bM, + uint64_t *resM +); + +void +Hacl_Bignum_Montgomery_bn_mont_sqr_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv_u64, + uint64_t *aM, + uint64_t *resM +); + +uint32_t +Hacl_Bignum_Exponentiation_bn_check_mod_exp_u32( + uint32_t len, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b +); + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u32( + uint32_t len, + uint32_t *n, + uint32_t mu, + uint32_t *r2, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u32( + uint32_t len, + uint32_t *n, + uint32_t mu, + uint32_t *r2, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u32( + uint32_t len, + uint32_t nBits, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_u32( + uint32_t len, + uint32_t nBits, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +uint64_t +Hacl_Bignum_Exponentiation_bn_check_mod_exp_u64( + uint32_t len, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b +); + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64( + uint32_t len, + uint64_t *n, + uint64_t mu, + uint64_t *r2, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u64( + uint32_t len, + uint64_t *n, + uint64_t mu, + uint64_t *r2, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u64( + uint32_t len, + uint32_t nBits, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_u64( + uint32_t len, + uint32_t nBits, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +#if defined(__cplusplus) +} 
+#endif + +#define __internal_Hacl_Bignum_H_DEFINED +#endif diff --git a/include/c89/internal/Hacl_Chacha20.h b/include/c89/internal/Hacl_Chacha20.h new file mode 100644 index 00000000..2a440491 --- /dev/null +++ b/include/c89/internal/Hacl_Chacha20.h 
@@ -0,0 +1,61 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __internal_Hacl_Chacha20_H
+#define __internal_Hacl_Chacha20_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "../Hacl_Chacha20.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+extern const uint32_t Hacl_Impl_Chacha20_Vec_chacha20_constants[4U];
+
+void Hacl_Impl_Chacha20_chacha20_init(uint32_t *ctx, uint8_t *k, uint8_t *n, uint32_t ctr);
+
+void
+Hacl_Impl_Chacha20_chacha20_encrypt_block(
+ uint32_t *ctx,
+ uint8_t *out,
+ uint32_t incr,
+ uint8_t *text
+);
+
+void
+Hacl_Impl_Chacha20_chacha20_update(uint32_t *ctx, uint32_t len, uint8_t *out, uint8_t *text);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Hacl_Chacha20_H_DEFINED
+#endif
diff --git a/include/c89/internal/Hacl_Curve25519_51.h b/include/c89/internal/Hacl_Curve25519_51.h
new file mode 100644
index 00000000..7c7820ef
--- /dev/null
+++ b/include/c89/internal/Hacl_Curve25519_51.h
@@ -0,0 +1,56 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __internal_Hacl_Curve25519_51_H
+#define __internal_Hacl_Curve25519_51_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "../Hacl_Curve25519_51.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+Hacl_Curve25519_51_fsquare_times(
+ uint64_t *o,
+ uint64_t *inp,
+ FStar_UInt128_uint128 *tmp,
+ uint32_t n
+);
+
+void Hacl_Curve25519_51_finv(uint64_t *o, uint64_t *i, FStar_UInt128_uint128 *tmp);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Hacl_Curve25519_51_H_DEFINED
+#endif
diff --git a/include/c89/internal/Hacl_Ed25519.h b/include/c89/internal/Hacl_Ed25519.h
new file mode 100644
index 00000000..4ef145b8
--- /dev/null
+++ b/include/c89/internal/Hacl_Ed25519.h
@@ -0,0 +1,68 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __internal_Hacl_Ed25519_H
+#define __internal_Hacl_Ed25519_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "internal/Hacl_Hash_SHA2.h"
+#include "internal/Hacl_Curve25519_51.h"
+#include "../Hacl_Ed25519.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void Hacl_Bignum25519_reduce_513(uint64_t *a);
+
+void Hacl_Bignum25519_inverse(uint64_t *out, uint64_t *a);
+
+void Hacl_Bignum25519_load_51(uint64_t *output, uint8_t *input);
+
+void Hacl_Bignum25519_store_51(uint8_t *output, uint64_t *input);
+
+void Hacl_Impl_Ed25519_PointAdd_point_add(uint64_t *out, uint64_t *p, uint64_t *q);
+
+void Hacl_Impl_Ed25519_Ladder_point_mul(uint64_t *result, uint8_t *scalar, uint64_t *q);
+
+void Hacl_Impl_Ed25519_PointCompress_point_compress(uint8_t *z, uint64_t *p);
+
+bool Hacl_Impl_Ed25519_PointDecompress_point_decompress(uint64_t *out, uint8_t *s);
+
+bool Hacl_Impl_Ed25519_PointEqual_point_equal(uint64_t *p, uint64_t *q);
+
+void Hacl_Impl_Ed25519_PointNegate_point_negate(uint64_t *p, uint64_t *out);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Hacl_Ed25519_H_DEFINED
+#endif
diff --git a/include/c89/internal/Hacl_Frodo_KEM.h b/include/c89/internal/Hacl_Frodo_KEM.h
new file mode 100644
index 00000000..2243fbe9
--- /dev/null
+++ b/include/c89/internal/Hacl_Frodo_KEM.h
@@ -0,0 +1,48 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __internal_Hacl_Frodo_KEM_H
+#define __internal_Hacl_Frodo_KEM_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "../Hacl_Frodo_KEM.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void randombytes_(uint32_t len, uint8_t *res);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Hacl_Frodo_KEM_H_DEFINED
+#endif
diff --git a/include/c89/internal/Hacl_HMAC.h b/include/c89/internal/Hacl_HMAC.h
new file mode 100644
index 00000000..1e29b87f
--- /dev/null
+++ b/include/c89/internal/Hacl_HMAC.h
@@ -0,0 +1,63 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __internal_Hacl_HMAC_H
+#define __internal_Hacl_HMAC_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "internal/Hacl_Hash_SHA2.h"
+#include "internal/Hacl_Hash_SHA1.h"
+#include "internal/Hacl_Hash_Blake2.h"
+#include "../Hacl_HMAC.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+typedef struct K____uint32_t__uint64_t_s
+{
+ uint32_t *fst;
+ uint64_t snd;
+}
+K____uint32_t__uint64_t;
+
+typedef struct K____uint64_t__FStar_UInt128_uint128_s
+{
+ uint64_t *fst;
+ FStar_UInt128_uint128 snd;
+}
+K____uint64_t__FStar_UInt128_uint128;
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Hacl_HMAC_H_DEFINED
+#endif
diff --git a/include/c89/internal/Hacl_Hash_Blake2.h b/include/c89/internal/Hacl_Hash_Blake2.h
new file mode 100644
index 00000000..b660c383
--- /dev/null
+++ b/include/c89/internal/Hacl_Hash_Blake2.h
@@ -0,0 +1,123 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __internal_Hacl_Hash_Blake2_H
+#define __internal_Hacl_Hash_Blake2_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "../Hacl_Hash_Blake2.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+uint64_t Hacl_Hash_Core_Blake2_update_blake2s_32(uint32_t *s, uint64_t totlen, uint8_t *block);
+
+void Hacl_Hash_Core_Blake2_finish_blake2s_32(uint32_t *s, uint64_t ev, uint8_t *dst);
+
+FStar_UInt128_uint128
+Hacl_Hash_Core_Blake2_update_blake2b_32(
+ uint64_t *s,
+ FStar_UInt128_uint128 totlen,
+ uint8_t *block
+);
+
+void
+Hacl_Hash_Core_Blake2_finish_blake2b_32(uint64_t *s, FStar_UInt128_uint128 ev, uint8_t *dst);
+
+uint64_t
+Hacl_Hash_Blake2_update_multi_blake2s_32(
+ uint32_t *s,
+ uint64_t ev,
+ uint8_t *blocks,
+ uint32_t n_blocks
+);
+
+FStar_UInt128_uint128
+Hacl_Hash_Blake2_update_multi_blake2b_32(
+ uint64_t *s,
+ FStar_UInt128_uint128 ev,
+ uint8_t *blocks,
+ uint32_t n_blocks
+);
+
+typedef struct K___uint32_t_uint32_t_uint32_t__uint8_t___uint8_t__s
+{
+ uint32_t fst;
+ uint32_t snd;
+ uint32_t thd;
+ uint8_t *f3;
+ uint8_t *f4;
+}
+K___uint32_t_uint32_t_uint32_t__uint8_t___uint8_t_;
+
+typedef struct K___uint32_t_uint32_t_uint32_t_s
+{
+ uint32_t fst;
+ uint32_t snd;
+ uint32_t thd;
+}
+K___uint32_t_uint32_t_uint32_t;
+
+uint64_t
+Hacl_Hash_Blake2_update_last_blake2s_32(
+ uint32_t *s,
+ uint64_t ev,
+ uint64_t prev_len,
+ uint8_t *input,
+ uint32_t input_len
+);
+
+FStar_UInt128_uint128
+Hacl_Hash_Blake2_update_last_blake2b_32(
+ uint64_t *s,
+ FStar_UInt128_uint128 ev,
+ FStar_UInt128_uint128 prev_len,
+ uint8_t *input,
+ uint32_t input_len
+);
+
+void Hacl_Hash_Blake2_hash_blake2s_32(uint8_t *input, uint32_t input_len, uint8_t *dst);
+
+void Hacl_Hash_Blake2_hash_blake2b_32(uint8_t *input, uint32_t input_len, uint8_t *dst);
+
+typedef struct K___uint32_t_uint32_t_s
+{
+ uint32_t fst;
+ uint32_t snd;
+}
+K___uint32_t_uint32_t;
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Hacl_Hash_Blake2_H_DEFINED
+#endif
diff --git a/include/c89/internal/Hacl_Hash_Blake2b_256.h b/include/c89/internal/Hacl_Hash_Blake2b_256.h
new file mode 100644
index 00000000..49f0a165
--- /dev/null
+++ b/include/c89/internal/Hacl_Hash_Blake2b_256.h
@@ -0,0 +1,73 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __internal_Hacl_Hash_Blake2b_256_H
+#define __internal_Hacl_Hash_Blake2b_256_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "internal/Hacl_Hash_Blake2.h"
+#include "../Hacl_Hash_Blake2b_256.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+Hacl_Hash_Blake2b_256_finish_blake2b_256(
+ Lib_IntVector_Intrinsics_vec256 *s,
+ FStar_UInt128_uint128 ev,
+ uint8_t *dst
+);
+
+FStar_UInt128_uint128
+Hacl_Hash_Blake2b_256_update_multi_blake2b_256(
+ Lib_IntVector_Intrinsics_vec256 *s,
+ FStar_UInt128_uint128 ev,
+ uint8_t *blocks,
+ uint32_t n_blocks
+);
+
+FStar_UInt128_uint128
+Hacl_Hash_Blake2b_256_update_last_blake2b_256(
+ Lib_IntVector_Intrinsics_vec256 *s,
+ FStar_UInt128_uint128 ev,
+ FStar_UInt128_uint128 prev_len,
+ uint8_t *input,
+ uint32_t input_len
+);
+
+void Hacl_Hash_Blake2b_256_hash_blake2b_256(uint8_t *input, uint32_t input_len, uint8_t *dst);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Hacl_Hash_Blake2b_256_H_DEFINED
+#endif
diff --git a/include/c89/internal/Hacl_Hash_Blake2s_128.h b/include/c89/internal/Hacl_Hash_Blake2s_128.h
new file mode 100644
index 00000000..762493a1
--- /dev/null
+++ b/include/c89/internal/Hacl_Hash_Blake2s_128.h
@@ -0,0 +1,73 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __internal_Hacl_Hash_Blake2s_128_H
+#define __internal_Hacl_Hash_Blake2s_128_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "internal/Hacl_Hash_Blake2.h"
+#include "../Hacl_Hash_Blake2s_128.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+Hacl_Hash_Blake2s_128_finish_blake2s_128(
+ Lib_IntVector_Intrinsics_vec128 *s,
+ uint64_t ev,
+ uint8_t *dst
+);
+
+uint64_t
+Hacl_Hash_Blake2s_128_update_multi_blake2s_128(
+ Lib_IntVector_Intrinsics_vec128 *s,
+ uint64_t ev,
+ uint8_t *blocks,
+ uint32_t n_blocks
+);
+
+uint64_t
+Hacl_Hash_Blake2s_128_update_last_blake2s_128(
+ Lib_IntVector_Intrinsics_vec128 *s,
+ uint64_t ev,
+ uint64_t prev_len,
+ uint8_t *input,
+ uint32_t input_len
+);
+
+void Hacl_Hash_Blake2s_128_hash_blake2s_128(uint8_t *input, uint32_t input_len, uint8_t *dst);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Hacl_Hash_Blake2s_128_H_DEFINED
+#endif
diff --git a/include/c89/internal/Hacl_Hash_MD5.h b/include/c89/internal/Hacl_Hash_MD5.h
new file mode 100644
index 00000000..bd9f2278
--- /dev/null
+++ b/include/c89/internal/Hacl_Hash_MD5.h
@@ -0,0 +1,52 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __internal_Hacl_Hash_MD5_H
+#define __internal_Hacl_Hash_MD5_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "../Hacl_Hash_MD5.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void Hacl_Hash_Core_MD5_legacy_init(uint32_t *s);
+
+void Hacl_Hash_Core_MD5_legacy_update(uint32_t *abcd, uint8_t *x);
+
+void Hacl_Hash_Core_MD5_legacy_finish(uint32_t *s, uint8_t *dst);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Hacl_Hash_MD5_H_DEFINED
+#endif
diff --git a/include/c89/internal/Hacl_Hash_SHA1.h b/include/c89/internal/Hacl_Hash_SHA1.h
new file mode 100644
index 00000000..b387630e
--- /dev/null
+++ b/include/c89/internal/Hacl_Hash_SHA1.h
@@ -0,0 +1,52 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __internal_Hacl_Hash_SHA1_H
+#define __internal_Hacl_Hash_SHA1_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "../Hacl_Hash_SHA1.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void Hacl_Hash_Core_SHA1_legacy_init(uint32_t *s);
+
+void Hacl_Hash_Core_SHA1_legacy_update(uint32_t *h, uint8_t *l);
+
+void Hacl_Hash_Core_SHA1_legacy_finish(uint32_t *s, uint8_t *dst);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Hacl_Hash_SHA1_H_DEFINED
+#endif
diff --git a/include/c89/internal/Hacl_Hash_SHA2.h b/include/c89/internal/Hacl_Hash_SHA2.h
new file mode 100644
index 00000000..9bd45e4d
--- /dev/null
+++ b/include/c89/internal/Hacl_Hash_SHA2.h
@@ -0,0 +1,68 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __internal_Hacl_Hash_SHA2_H
+#define __internal_Hacl_Hash_SHA2_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "../Hacl_Hash_SHA2.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void Hacl_Hash_Core_SHA2_init_224(uint32_t *s);
+
+void Hacl_Hash_Core_SHA2_init_256(uint32_t *s);
+
+void Hacl_Hash_Core_SHA2_init_384(uint64_t *s);
+
+void Hacl_Hash_Core_SHA2_init_512(uint64_t *s);
+
+void Hacl_Hash_Core_SHA2_update_384(uint64_t *hash, uint8_t *block);
+
+void Hacl_Hash_Core_SHA2_update_512(uint64_t *hash, uint8_t *block);
+
+void Hacl_Hash_Core_SHA2_pad_256(uint64_t len, uint8_t *dst);
+
+void Hacl_Hash_Core_SHA2_finish_224(uint32_t *s, uint8_t *dst);
+
+void Hacl_Hash_Core_SHA2_finish_256(uint32_t *s, uint8_t *dst);
+
+void Hacl_Hash_Core_SHA2_finish_384(uint64_t *s, uint8_t *dst);
+
+void Hacl_Hash_Core_SHA2_finish_512(uint64_t *s, uint8_t *dst);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Hacl_Hash_SHA2_H_DEFINED
+#endif
diff --git a/include/c89/internal/Hacl_P256.h b/include/c89/internal/Hacl_P256.h
new file mode 100644
index 00000000..af347b4f
--- /dev/null
+++ b/include/c89/internal/Hacl_P256.h
@@ -0,0 +1,65 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __internal_Hacl_P256_H
+#define __internal_Hacl_P256_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "internal/Hacl_Spec.h"
+#include "../Hacl_P256.h"
+#include "evercrypt_targetconfig.h"
+#include "lib_intrinsics.h"
+#include "libintvector.h"
+void Hacl_Impl_P256_LowLevel_toUint8(uint64_t *i, uint8_t *o);
+
+void Hacl_Impl_P256_LowLevel_changeEndian(uint64_t *i);
+
+void Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(uint8_t *i, uint64_t *o);
+
+uint64_t Hacl_Impl_P256_Core_isPointAtInfinityPrivate(uint64_t *p);
+
+void
+Hacl_Impl_P256_Core_secretToPublic(uint64_t *result, uint8_t *scalar, uint64_t *tempBuffer);
+
+/*
+ The pub(lic)_key input of the function is considered to be public,
+ thus this code is not secret independent with respect to the operations done over this variable.
+*/
+uint64_t Hacl_Impl_P256_DH__ecp256dh_r(uint64_t *result, uint64_t *pubKey, uint8_t *scalar);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Hacl_P256_H_DEFINED
+#endif
diff --git a/include/c89/internal/Hacl_Poly1305_128.h b/include/c89/internal/Hacl_Poly1305_128.h
new file mode 100644
index 00000000..838b4048
--- /dev/null
+++ b/include/c89/internal/Hacl_Poly1305_128.h
@@ -0,0 +1,55 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __internal_Hacl_Poly1305_128_H
+#define __internal_Hacl_Poly1305_128_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "../Hacl_Poly1305_128.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+Hacl_Impl_Poly1305_Field32xN_128_load_acc2(Lib_IntVector_Intrinsics_vec128 *acc, uint8_t *b);
+
+void
+Hacl_Impl_Poly1305_Field32xN_128_fmul_r2_normalize(
+ Lib_IntVector_Intrinsics_vec128 *out,
+ Lib_IntVector_Intrinsics_vec128 *p
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Hacl_Poly1305_128_H_DEFINED
+#endif
diff --git a/include/c89/internal/Hacl_Poly1305_256.h b/include/c89/internal/Hacl_Poly1305_256.h
new file mode 100644
index 00000000..ac635802
--- /dev/null
+++ b/include/c89/internal/Hacl_Poly1305_256.h
@@ -0,0 +1,55 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __internal_Hacl_Poly1305_256_H
+#define __internal_Hacl_Poly1305_256_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include 
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "../Hacl_Poly1305_256.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+Hacl_Impl_Poly1305_Field32xN_256_load_acc4(Lib_IntVector_Intrinsics_vec256 *acc, uint8_t *b);
+
+void
+Hacl_Impl_Poly1305_Field32xN_256_fmul_r4_normalize(
+ Lib_IntVector_Intrinsics_vec256 *out,
+ Lib_IntVector_Intrinsics_vec256 *p
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Hacl_Poly1305_256_H_DEFINED
+#endif
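Review bot: The include guard `__internal_Hacl_Poly1305_256_H` and the trailing `__internal_Hacl_Poly1305_256_H_DEFINED` macro begin with a double underscore, which C11 §7.1.3 reserves for the implementation, so they can collide with compiler or libc-internal macros; a generator convention such as `HACL_INTERNAL_POLY1305_256_H` would stay out of that namespace. As with the 128-bit variant, `Lib_IntVector_Intrinsics_vec256` only exists when `HACL_CAN_COMPILE_VEC256` is defined in the included `libintvector.h`, so a comment `/* Only usable when HACL_CAN_COMPILE_VEC256 is set (see libintvector.h). */` or a matching `#if` around the two prototypes would make the dependency explicit instead of a confusing compile error. `load_acc4` reads from `b` without any stated length; the required size (presumably four 16-byte blocks) should be documented or confirmed against the Low* source.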
diff --git a/include/c89/internal/Hacl_SHA2_Vec256.h b/include/c89/internal/Hacl_SHA2_Vec256.h
new file mode 100644
index 00000000..a0a9e228
--- /dev/null
+++ b/include/c89/internal/Hacl_SHA2_Vec256.h
@@ -0,0 +1,75 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __internal_Hacl_SHA2_Vec256_H
+#define __internal_Hacl_SHA2_Vec256_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include 
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "../Hacl_SHA2_Vec256.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+typedef struct K____uint8_t___uint8_t__s
+{
+ uint8_t *fst;
+ uint8_t *snd;
+}
+K____uint8_t___uint8_t_;
+
+typedef struct K____uint8_t__K____uint8_t___uint8_t__s
+{
+ uint8_t *fst;
+ K____uint8_t___uint8_t_ snd;
+}
+K____uint8_t__K____uint8_t___uint8_t_;
+
+typedef struct K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__s
+{
+ uint8_t *fst;
+ K____uint8_t__K____uint8_t___uint8_t_ snd;
+}
+K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_;
+
+typedef struct
+K___K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__s
+{
+ K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ fst;
+ K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ snd;
+}
+K___K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_;
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Hacl_SHA2_Vec256_H_DEFINED
+#endif
diff --git a/include/c89/internal/Hacl_Spec.h b/include/c89/internal/Hacl_Spec.h
new file mode 100644
index 00000000..51002a18
--- /dev/null
+++ b/include/c89/internal/Hacl_Spec.h
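Review bot: The four `K____…` typedefs are undocumented nested pairs of `uint8_t *`; reading the nesting, the outermost struct holds two 4-tuples, i.e. eight buffer pointers, but nothing in the header says what those buffers are or how long each must be, which matters because the pointers carry no length. A comment above the first typedef along the lines of `/* KaRaMeL encoding of a tuple of 8 uint8_t* (two nested 4-tuples), used by the 8-way SHA-2 Vec256 code; buffer lengths are not carried here and must be enforced by the caller — confirm against the Low* source. */` would make the type usable without decoding the name. Because the struct tags are derived purely from the element types, a sibling internal header that emits the same tuple types would redefine them if both were included in one translation unit; worth checking that the generator dedupes these or that such headers are never co-included.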
@@ -0,0 +1,61 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __internal_Hacl_Spec_H
+#define __internal_Hacl_Spec_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include 
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "../Hacl_Spec.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+#define Spec_ECDSA_NoHash 0
+#define Spec_ECDSA_Hash 1
+
+typedef uint8_t Spec_ECDSA_hash_alg_ecdsa_tags;
+
+typedef struct Spec_ECDSA_hash_alg_ecdsa_s
+{
+ Spec_ECDSA_hash_alg_ecdsa_tags tag;
+ Spec_Hash_Definitions_hash_alg _0;
+}
+Spec_ECDSA_hash_alg_ecdsa;
+
+Spec_Agile_Cipher_cipher_alg
+Spec_Cipher_Expansion_cipher_alg_of_impl(Spec_Cipher_Expansion_impl i);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Hacl_Spec_H_DEFINED
+#endif
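Review bot: `Spec_ECDSA_hash_alg_ecdsa` is a tagged union whose `_0` field is only meaningful when `tag == Spec_ECDSA_Hash`, and the `Spec_ECDSA_NoHash` case is the security-sensitive one (presumably the caller-supplied bytes are consumed as the digest without hashing, so their length and formatting become the caller's responsibility), yet the header documents neither. Suggest a comment on the struct: `/* tag == Spec_ECDSA_Hash: hash the message with _0 before signing/verifying. tag == Spec_ECDSA_NoHash: _0 is unused and the input is treated as an already-computed digest — confirm the required length against the Low* source. */`. `Spec_Cipher_Expansion_cipher_alg_of_impl` relies on `Spec_Agile_Cipher_cipher_alg` and `Spec_Cipher_Expansion_impl` from the public `../Hacl_Spec.h`; a one-line comment naming what the impl-to-algorithm mapping is for would help readers of this internal header.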
diff --git a/include/c89/internal/Vale.h b/include/c89/internal/Vale.h
new file mode 100644
index 00000000..fae8b9f3
--- /dev/null
+++ b/include/c89/internal/Vale.h
@@ -0,0 +1,216 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __internal_Vale_H
+#define __internal_Vale_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include 
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+extern uint64_t add_scalar_e(uint64_t *x0, uint64_t *x1, uint64_t x2);
+
+extern uint64_t fadd_e(uint64_t *x0, uint64_t *x1, uint64_t *x2);
+
+extern uint64_t sha256_update(uint32_t *x0, uint8_t *x1, uint64_t x2, uint32_t *x3);
+
+extern uint64_t x64_poly1305(uint8_t *x0, uint8_t *x1, uint64_t x2, uint64_t x3);
+
+extern uint64_t check_aesni();
+
+extern uint64_t check_sha();
+
+extern uint64_t check_adx_bmi2();
+
+extern uint64_t check_avx();
+
+extern uint64_t check_avx2();
+
+extern uint64_t check_movbe();
+
+extern uint64_t check_sse();
+
+extern uint64_t check_rdrand();
+
+extern uint64_t check_avx512();
+
+extern uint64_t check_osxsave();
+
+extern uint64_t check_avx_xcr0();
+
+extern uint64_t check_avx512_xcr0();
+
+extern uint64_t cswap2_e(uint64_t x0, uint64_t *x1, uint64_t *x2);
+
+extern uint64_t fsqr_e(uint64_t *x0, uint64_t *x1, uint64_t *x2);
+
+extern uint64_t fsqr2_e(uint64_t *x0, uint64_t *x1, uint64_t *x2);
+
+extern uint64_t fmul_e(uint64_t *x0, uint64_t *x1, uint64_t *x2, uint64_t *x3);
+
+extern uint64_t fmul2_e(uint64_t *x0, uint64_t *x1, uint64_t *x2, uint64_t *x3);
+
+extern uint64_t fmul_scalar_e(uint64_t *x0, uint64_t *x1, uint64_t x2);
+
+extern uint64_t fsub_e(uint64_t *x0, uint64_t *x1, uint64_t *x2);
+
+extern uint64_t
+gcm128_decrypt_opt(
+ uint8_t *x0,
+ uint64_t x1,
+ uint64_t x2,
+ uint8_t *x3,
+ uint8_t *x4,
+ uint8_t *x5,
+ uint8_t *x6,
+ uint8_t *x7,
+ uint8_t *x8,
+ uint64_t x9,
+ uint8_t *x10,
+ uint8_t *x11,
+ uint64_t x12,
+ uint8_t *x13,
+ uint64_t x14,
+ uint8_t *x15,
+ uint8_t *x16
+);
+
+extern uint64_t
+gcm256_decrypt_opt(
+ uint8_t *x0,
+ uint64_t x1,
+ uint64_t x2,
+ uint8_t *x3,
+ uint8_t *x4,
+ uint8_t *x5,
+ uint8_t *x6,
+ uint8_t *x7,
+ uint8_t *x8,
+ uint64_t x9,
+ uint8_t *x10,
+ uint8_t *x11,
+ uint64_t x12,
+ uint8_t *x13,
+ uint64_t x14,
+ uint8_t *x15,
+ uint8_t *x16
+);
+
+extern uint64_t aes128_key_expansion(uint8_t *x0, uint8_t *x1);
+
+extern uint64_t aes256_key_expansion(uint8_t *x0, uint8_t *x1);
+
+extern uint64_t
+compute_iv_stdcall(
+ uint8_t *x0,
+ uint64_t x1,
+ uint64_t x2,
+ uint8_t *x3,
+ uint8_t *x4,
+ uint8_t *x5
+);
+
+extern uint64_t
+gcm128_encrypt_opt(
+ uint8_t *x0,
+ uint64_t x1,
+ uint64_t x2,
+ uint8_t *x3,
+ uint8_t *x4,
+ uint8_t *x5,
+ uint8_t *x6,
+ uint8_t *x7,
+ uint8_t *x8,
+ uint64_t x9,
+ uint8_t *x10,
+ uint8_t *x11,
+ uint64_t x12,
+ uint8_t *x13,
+ uint64_t x14,
+ uint8_t *x15,
+ uint8_t *x16
+);
+
+extern uint64_t
+gcm256_encrypt_opt(
+ uint8_t *x0,
+ uint64_t x1,
+ uint64_t x2,
+ uint8_t *x3,
+ uint8_t *x4,
+ uint8_t *x5,
+ uint8_t *x6,
+ uint8_t *x7,
+ uint8_t *x8,
+ uint64_t x9,
+ uint8_t *x10,
+ uint8_t *x11,
+ uint64_t x12,
+ uint8_t *x13,
+ uint64_t x14,
+ uint8_t *x15,
+ uint8_t *x16
+);
+
+extern uint64_t aes128_keyhash_init(uint8_t *x0, uint8_t *x1);
+
+extern uint64_t aes256_keyhash_init(uint8_t *x0, uint8_t *x1);
+
+extern uint64_t
+gctr128_bytes(
+ uint8_t *x0,
+ uint64_t x1,
+ uint8_t *x2,
+ uint8_t *x3,
+ uint8_t *x4,
+ uint8_t *x5,
+ uint64_t x6
+);
+
+extern uint64_t
+gctr256_bytes(
+ uint8_t *x0,
+ uint64_t x1,
+ uint8_t *x2,
+ uint8_t *x3,
+ uint8_t *x4,
+ uint8_t *x5,
+ uint64_t x6
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Vale_H_DEFINED
+#endif
diff --git a/include/c89/lib_intrinsics.h b/include/c89/lib_intrinsics.h
new file mode 100644
index 00000000..0c35026e
--- /dev/null
+++ b/include/c89/lib_intrinsics.h
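Review bot: The twelve `check_*` declarations such as `extern uint64_t check_aesni();` use empty parentheses, which in C11 declares a function with unspecified arguments rather than none and turns off argument checking at every call site; they should read `extern uint64_t check_aesni(void);`, matching the explicit parameter lists the rest of the header already uses. The remaining entry points are assembly routines whose parameters are only named `x0`…`x16`, so for `gcm128_decrypt_opt` or `gctr128_bytes` nothing tells a C caller which argument is the key, IV, input, tag, or whether a `uint64_t` is a length in bytes or in blocks, and a misordered call would be a silent memory-safety bug rather than a type error; at minimum a comment per group mapping positions to the Vale signature would help, and better still the generator could emit the real parameter names. These routines presumably need the CPU features the `check_*` functions probe for, so the header could also state that callers must consult the corresponding check before invoking an AES-NI or AVX routine.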
@@ -0,0 +1,83 @@
+#pragma once
+
+#include 
+
+#if defined(__has_include)
+#if __has_include("config.h")
+#include "config.h"
+#endif
+#endif
+
+#if defined(HACL_CAN_COMPILE_INTRINSICS)
+#if defined(_MSC_VER)
+#include 
+#else
+#include 
+#endif
+#endif
+
+#if !defined(HACL_CAN_COMPILE_INTRINSICS)
+
+#include "Hacl_IntTypes_Intrinsics.h"
+
+#if defined(HACL_CAN_COMPILE_UINT128)
+
+#include "Hacl_IntTypes_Intrinsics_128.h"
+
+#define Lib_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4) \
+ (Hacl_IntTypes_Intrinsics_128_add_carry_u64(x1, x2, x3, x4))
+
+#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \
+ (Hacl_IntTypes_Intrinsics_128_sub_borrow_u64(x1, x2, x3, x4))
+
+#else
+
+#define Lib_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4) \
+ (Hacl_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4))
+
+#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \
+ (Hacl_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4))
+
+#endif // defined(HACL_CAN_COMPILE_UINT128)
+
+#define Lib_IntTypes_Intrinsics_add_carry_u32(x1, x2, x3, x4) \
+ (Hacl_IntTypes_Intrinsics_add_carry_u32(x1, x2, x3, x4))
+
+#define Lib_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4) \
+ (Hacl_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4))
+
+#else // !defined(HACL_CAN_COMPILE_INTRINSICS)
+
+#define Lib_IntTypes_Intrinsics_add_carry_u32(x1, x2, x3, x4) \
+ (_addcarry_u32(x1, x2, x3, (unsigned int *) x4))
+
+#define Lib_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4) \
+ (_addcarry_u64(x1, x2, x3, (long long unsigned int *) x4))
+
+
+/*
+ GCC versions prior to 7.2 pass arguments to _subborrow_u{32,64}
+ in an incorrect order.
+
+ See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81294
+*/
+#if defined(__GNUC__) && !defined (__clang__) && \
+ (__GNUC__ < 7 || (__GNUC__ == 7 && (__GNUC_MINOR__ < 2)))
+
+#define Lib_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4) \
+ (_subborrow_u32(x1, x3, x2, (unsigned int *) x4))
+
+#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \
+ (_subborrow_u64(x1, x3, x2, (long long unsigned int *) x4))
+
+#else
+
+#define Lib_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4) \
+ (_subborrow_u32(x1, x2, x3, (unsigned int *) x4))
+
+#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \
+ (_subborrow_u64(x1, x2, x3, (long long unsigned int *) x4))
+
+#endif // GCC < 7.2
+
+#endif // !HACL_CAN_COMPILE_INTRINSICS
diff --git a/include/c89/libintvector.h b/include/c89/libintvector.h
new file mode 100644
index 00000000..fe2ba5eb
--- /dev/null
+++ b/include/c89/libintvector.h
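Review bot: The intrinsic-backed macros pass their arguments unparenthesized, e.g. `(_addcarry_u64(x1, x2, x3, (long long unsigned int *) x4))`, so the cast binds only to the first token of `x4`: with `x4` expanded from something like `res + i` the expression becomes `((unsigned long long *) res) + i`, which yields the right address only because the cast target has the same size as the original pointee on the supported targets; writing `(long long unsigned int *)(x4)` (and `(x1), (x2), (x3)`) in all eight intrinsic macros removes the dependence on that coincidence. The cast itself converts a `uint64_t *` to `unsigned long long *`, which on LP64 targets is a distinct type from `unsigned long` and so sits in strict-aliasing grey territory that the portable `Hacl_IntTypes_Intrinsics_*` path above avoids; a short comment noting that the `_addcarry_u64`/`_subborrow_u64` signatures force this would stop a reader from treating it as a bug. The GCC < 7.2 workaround is correct as written, but a one-line comment on the `x1, x3, x2` lines saying the swap is deliberate would protect it from a well-meaning future cleanup.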
@@ -0,0 +1,937 @@ +#ifndef __Vec_Intrin_H +#define __Vec_Intrin_H + +#include + +/* We include config.h here to ensure that the various feature-flags are + * properly brought into scope. Users can either run the configure script, or + * write a config.h themselves and put it under version control. */ +#if defined(__has_include) +#if __has_include("config.h") +#include "config.h" +#endif +#endif + +/* # DEBUGGING: + * ============ + * It is possible to debug the current definitions by using libintvector_debug.h + * See the include at the bottom of the file. */ + +#define Lib_IntVector_Intrinsics_bit_mask64(x) -((x) & 1) + +#if defined(__x86_64__) || defined(_M_X64) + +#if defined(HACL_CAN_COMPILE_VEC128) + +#include +#include +#include + +typedef __m128i Lib_IntVector_Intrinsics_vec128; + +#define Lib_IntVector_Intrinsics_ni_aes_enc(x0, x1) \ + (_mm_aesenc_si128(x0, x1)) + +#define Lib_IntVector_Intrinsics_ni_aes_enc_last(x0, x1) \ + (_mm_aesenclast_si128(x0, x1)) + +#define Lib_IntVector_Intrinsics_ni_aes_keygen_assist(x0, x1) \ + (_mm_aeskeygenassist_si128(x0, x1)) + +#define Lib_IntVector_Intrinsics_ni_clmul(x0, x1, x2) \ + (_mm_clmulepi64_si128(x0, x1, x2)) + + +#define Lib_IntVector_Intrinsics_vec128_xor(x0, x1) \ + (_mm_xor_si128(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_eq64(x0, x1) \ + (_mm_cmpeq_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_eq32(x0, x1) \ + (_mm_cmpeq_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_gt64(x0, x1) \ + (_mm_cmpgt_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_gt32(x0, x1) \ + (_mm_cmpgt_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_or(x0, x1) \ + (_mm_or_si128(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_and(x0, x1) \ + (_mm_and_si128(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_lognot(x0) \ + (_mm_xor_si128(x0, _mm_set1_epi32(-1))) + + +#define Lib_IntVector_Intrinsics_vec128_shift_left(x0, x1) \ + (_mm_slli_si128(x0, (x1)/8)) + +#define 
Lib_IntVector_Intrinsics_vec128_shift_right(x0, x1) \ + (_mm_srli_si128(x0, (x1)/8)) + +#define Lib_IntVector_Intrinsics_vec128_shift_left64(x0, x1) \ + (_mm_slli_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_shift_right64(x0, x1) \ + (_mm_srli_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_shift_left32(x0, x1) \ + (_mm_slli_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_shift_right32(x0, x1) \ + (_mm_srli_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_rotate_left32_8(x0) \ + (_mm_shuffle_epi8(x0, _mm_set_epi8(14,13,12,15,10,9,8,11,6,5,4,7,2,1,0,3))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_left32_16(x0) \ + (_mm_shuffle_epi8(x0, _mm_set_epi8(13,12,15,14,9,8,11,10,5,4,7,6,1,0,3,2))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_left32_24(x0) \ + (_mm_shuffle_epi8(x0, _mm_set_epi8(12,15,14,13,8,11,10,9,4,7,6,5,0,3,2,1))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_left32(x0,x1) \ + (((x1) == 8? Lib_IntVector_Intrinsics_vec128_rotate_left32_8(x0) : \ + ((x1) == 16? Lib_IntVector_Intrinsics_vec128_rotate_left32_16(x0) : \ + ((x1) == 24? 
Lib_IntVector_Intrinsics_vec128_rotate_left32_24(x0) : \ + _mm_xor_si128(_mm_slli_epi32(x0,x1),_mm_srli_epi32(x0,32-(x1))))))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_right32(x0,x1) \ + (Lib_IntVector_Intrinsics_vec128_rotate_left32(x0,32-(x1))) + +#define Lib_IntVector_Intrinsics_vec128_shuffle32(x0, x1, x2, x3, x4) \ + (_mm_shuffle_epi32(x0, _MM_SHUFFLE(x4,x3,x2,x1))) + +#define Lib_IntVector_Intrinsics_vec128_shuffle64(x0, x1, x2) \ + (_mm_shuffle_epi32(x0, _MM_SHUFFLE(2*x1+1,2*x1,2*x2+1,2*x2))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(x0, x1) \ + (_mm_shuffle_epi32(x0, _MM_SHUFFLE((x1+3)%4,(x1+2)%4,(x1+1)%4,x1%4))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_right_lanes64(x0, x1) \ + (_mm_shuffle_epi32(x0, _MM_SHUFFLE((2*x1+3)%4,(2*x1+2)%4,(2*x1+1)%4,(2*x1)%4))) + +#define Lib_IntVector_Intrinsics_vec128_load32_le(x0) \ + (_mm_loadu_si128((__m128i*)(x0))) + +#define Lib_IntVector_Intrinsics_vec128_load64_le(x0) \ + (_mm_loadu_si128((__m128i*)(x0))) + +#define Lib_IntVector_Intrinsics_vec128_store32_le(x0, x1) \ + (_mm_storeu_si128((__m128i*)(x0), x1)) + +#define Lib_IntVector_Intrinsics_vec128_store64_le(x0, x1) \ + (_mm_storeu_si128((__m128i*)(x0), x1)) + +#define Lib_IntVector_Intrinsics_vec128_load_be(x0) \ + (_mm_shuffle_epi8(_mm_loadu_si128((__m128i*)(x0)), _mm_set_epi8(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15))) + +#define Lib_IntVector_Intrinsics_vec128_load32_be(x0) \ + (_mm_shuffle_epi8(_mm_loadu_si128((__m128i*)(x0)), _mm_set_epi8(12, 13, 14, 15, 8, 9, 10, 11, 4, 5, 6, 7, 0, 1, 2, 3))) + +#define Lib_IntVector_Intrinsics_vec128_load64_be(x0) \ + (_mm_shuffle_epi8(_mm_loadu_si128((__m128i*)(x0)), _mm_set_epi8(8, 9, 10, 11, 12, 13, 14, 15, 0, 1, 2, 3, 4, 5, 6, 7))) + +#define Lib_IntVector_Intrinsics_vec128_store_be(x0, x1) \ + (_mm_storeu_si128((__m128i*)(x0), _mm_shuffle_epi8(x1, _mm_set_epi8(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)))) + + +#define 
Lib_IntVector_Intrinsics_vec128_store32_be(x0, x1) \ + (_mm_storeu_si128((__m128i*)(x0), _mm_shuffle_epi8(x1, _mm_set_epi8(12, 13, 14, 15, 8, 9, 10, 11, 4, 5, 6, 7, 0, 1, 2, 3)))) + +#define Lib_IntVector_Intrinsics_vec128_store64_be(x0, x1) \ + (_mm_storeu_si128((__m128i*)(x0), _mm_shuffle_epi8(x1, _mm_set_epi8(8, 9, 10, 11, 12, 13, 14, 15, 0, 1, 2, 3, 4, 5, 6, 7)))) + + + +#define Lib_IntVector_Intrinsics_vec128_insert8(x0, x1, x2) \ + (_mm_insert_epi8(x0, x1, x2)) + +#define Lib_IntVector_Intrinsics_vec128_insert32(x0, x1, x2) \ + (_mm_insert_epi32(x0, x1, x2)) + +#define Lib_IntVector_Intrinsics_vec128_insert64(x0, x1, x2) \ + (_mm_insert_epi64(x0, x1, x2)) + +#define Lib_IntVector_Intrinsics_vec128_extract8(x0, x1) \ + (_mm_extract_epi8(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_extract32(x0, x1) \ + (_mm_extract_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_extract64(x0, x1) \ + (_mm_extract_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_zero \ + (_mm_setzero_si128()) + + +#define Lib_IntVector_Intrinsics_vec128_add64(x0, x1) \ + (_mm_add_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_sub64(x0, x1) \ + (_mm_sub_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_mul64(x0, x1) \ + (_mm_mul_epu32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_smul64(x0, x1) \ + (_mm_mul_epu32(x0, _mm_set1_epi64x(x1))) + +#define Lib_IntVector_Intrinsics_vec128_add32(x0, x1) \ + (_mm_add_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_sub32(x0, x1) \ + (_mm_sub_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_mul32(x0, x1) \ + (_mm_mullo_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_smul32(x0, x1) \ + (_mm_mullo_epi32(x0, _mm_set1_epi32(x1))) + +#define Lib_IntVector_Intrinsics_vec128_load128(x) \ + ((__m128i)x) + +#define Lib_IntVector_Intrinsics_vec128_load64(x) \ + (_mm_set1_epi64x(x)) /* hi lo */ + +#define Lib_IntVector_Intrinsics_vec128_load64s(x0, x1) \ + (_mm_set_epi64x(x1, x0)) /* hi lo 
*/ + +#define Lib_IntVector_Intrinsics_vec128_load32(x) \ + (_mm_set1_epi32(x)) + +#define Lib_IntVector_Intrinsics_vec128_load32s(x0, x1, x2, x3) \ + (_mm_set_epi32(x3, x2, x1, x0)) /* hi lo */ + +#define Lib_IntVector_Intrinsics_vec128_interleave_low32(x1, x2) \ + (_mm_unpacklo_epi32(x1, x2)) + +#define Lib_IntVector_Intrinsics_vec128_interleave_high32(x1, x2) \ + (_mm_unpackhi_epi32(x1, x2)) + +#define Lib_IntVector_Intrinsics_vec128_interleave_low64(x1, x2) \ + (_mm_unpacklo_epi64(x1, x2)) + +#define Lib_IntVector_Intrinsics_vec128_interleave_high64(x1, x2) \ + (_mm_unpackhi_epi64(x1, x2)) + +#endif /* HACL_CAN_COMPILE_VEC128 */ + +#if defined(HACL_CAN_COMPILE_VEC256) + +#include +#include + +typedef __m256i Lib_IntVector_Intrinsics_vec256; + + +#define Lib_IntVector_Intrinsics_vec256_eq64(x0, x1) \ + (_mm256_cmpeq_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_eq32(x0, x1) \ + (_mm256_cmpeq_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_gt64(x0, x1) \ + (_mm256_cmpgt_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_gt32(x0, x1) \ + (_mm256_cmpgt_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_xor(x0, x1) \ + (_mm256_xor_si256(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_or(x0, x1) \ + (_mm256_or_si256(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_and(x0, x1) \ + (_mm256_and_si256(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_lognot(x0) \ + (_mm256_xor_si256(x0, _mm256_set1_epi32(-1))) + +#define Lib_IntVector_Intrinsics_vec256_shift_left(x0, x1) \ + (_mm256_slli_si256(x0, (x1)/8)) + +#define Lib_IntVector_Intrinsics_vec256_shift_right(x0, x1) \ + (_mm256_srli_si256(x0, (x1)/8)) + +#define Lib_IntVector_Intrinsics_vec256_shift_left64(x0, x1) \ + (_mm256_slli_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_shift_right64(x0, x1) \ + (_mm256_srli_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_shift_left32(x0, x1) \ + (_mm256_slli_epi32(x0, x1)) + +#define 
Lib_IntVector_Intrinsics_vec256_shift_right32(x0, x1) \ + (_mm256_srli_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_rotate_left32_8(x0) \ + (_mm256_shuffle_epi8(x0, _mm256_set_epi8(14,13,12,15,10,9,8,11,6,5,4,7,2,1,0,3,14,13,12,15,10,9,8,11,6,5,4,7,2,1,0,3))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_left32_16(x0) \ + (_mm256_shuffle_epi8(x0, _mm256_set_epi8(13,12,15,14,9,8,11,10,5,4,7,6,1,0,3,2,13,12,15,14,9,8,11,10,5,4,7,6,1,0,3,2))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_left32_24(x0) \ + (_mm256_shuffle_epi8(x0, _mm256_set_epi8(12,15,14,13,8,11,10,9,4,7,6,5,0,3,2,1,12,15,14,13,8,11,10,9,4,7,6,5,0,3,2,1))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_left32(x0,x1) \ + ((x1 == 8? Lib_IntVector_Intrinsics_vec256_rotate_left32_8(x0) : \ + (x1 == 16? Lib_IntVector_Intrinsics_vec256_rotate_left32_16(x0) : \ + (x1 == 24? Lib_IntVector_Intrinsics_vec256_rotate_left32_24(x0) : \ + _mm256_or_si256(_mm256_slli_epi32(x0,x1),_mm256_srli_epi32(x0,32-(x1))))))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right32(x0,x1) \ + (Lib_IntVector_Intrinsics_vec256_rotate_left32(x0,32-(x1))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right64_8(x0) \ + (_mm256_shuffle_epi8(x0, _mm256_set_epi8(8,15,14,13,12,11,10,9,0,7,6,5,4,3,2,1,8,15,14,13,12,11,10,9,0,7,6,5,4,3,2,1))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right64_16(x0) \ + (_mm256_shuffle_epi8(x0, _mm256_set_epi8(9,8,15,14,13,12,11,10,1,0,7,6,5,4,3,2,9,8,15,14,13,12,11,10,1,0,7,6,5,4,3,2))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right64_24(x0) \ + (_mm256_shuffle_epi8(x0, _mm256_set_epi8(10,9,8,15,14,13,12,11,2,1,0,7,6,5,4,3,10,9,8,15,14,13,12,11,2,1,0,7,6,5,4,3))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right64_32(x0) \ + (_mm256_shuffle_epi8(x0, _mm256_set_epi8(11,10,9,8,15,14,13,12,3,2,1,0,7,6,5,4,11,10,9,8,15,14,13,12,3,2,1,0,7,6,5,4))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right64_40(x0) \ + (_mm256_shuffle_epi8(x0, 
_mm256_set_epi8(12,11,10,9,8,15,14,13,4,3,2,1,0,7,6,5,12,11,10,9,8,15,14,13,4,3,2,1,0,7,6,5))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right64_48(x0) \ + (_mm256_shuffle_epi8(x0, _mm256_set_epi8(13,12,11,10,9,8,15,14,5,4,3,2,1,0,7,6,13,12,11,10,9,8,15,14,5,4,3,2,1,0,7,6))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right64_56(x0) \ + (_mm256_shuffle_epi8(x0, _mm256_set_epi8(14,13,12,11,10,9,8,15,6,5,4,3,2,1,0,7,14,13,12,11,10,9,8,15,6,5,4,3,2,1,0,7))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right64(x0,x1) \ + ((x1 == 8? Lib_IntVector_Intrinsics_vec256_rotate_right64_8(x0) : \ + (x1 == 16? Lib_IntVector_Intrinsics_vec256_rotate_right64_16(x0) : \ + (x1 == 24? Lib_IntVector_Intrinsics_vec256_rotate_right64_24(x0) : \ + (x1 == 32? Lib_IntVector_Intrinsics_vec256_rotate_right64_32(x0) : \ + (x1 == 40? Lib_IntVector_Intrinsics_vec256_rotate_right64_40(x0) : \ + (x1 == 48? Lib_IntVector_Intrinsics_vec256_rotate_right64_48(x0) : \ + (x1 == 56? Lib_IntVector_Intrinsics_vec256_rotate_right64_56(x0) : \ + _mm256_xor_si256(_mm256_srli_epi64((x0),(x1)),_mm256_slli_epi64((x0),(64-(x1)))))))))))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_left64(x0,x1) \ + (Lib_IntVector_Intrinsics_vec256_rotate_right64(x0,64-(x1))) + +#define Lib_IntVector_Intrinsics_vec256_shuffle64(x0, x1, x2, x3, x4) \ + (_mm256_permute4x64_epi64(x0, _MM_SHUFFLE(x4,x3,x2,x1))) + +#define Lib_IntVector_Intrinsics_vec256_shuffle32(x0, x1, x2, x3, x4, x5, x6, x7, x8) \ + (_mm256_permutevar8x32_epi32(x0, _mm256_set_epi32(x8,x7,x6,x5,x4,x3,x2,x1))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right_lanes32(x0, x1) \ + (_mm256_permutevar8x32_epi32(x0, _mm256_set_epi32((x1+7)%8,(x1+6)%8,(x1+5)%8,(x1+4)%8,(x1+3%8),(x1+2)%8,(x1+1)%8,x1%8))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(x0, x1) \ + (_mm256_permute4x64_epi64(x0, _MM_SHUFFLE((x1+3)%4,(x1+2)%4,(x1+1)%4,x1%4))) + +#define Lib_IntVector_Intrinsics_vec256_load32_le(x0) \ + 
(_mm256_loadu_si256((__m256i*)(x0))) + +#define Lib_IntVector_Intrinsics_vec256_load64_le(x0) \ + (_mm256_loadu_si256((__m256i*)(x0))) + +#define Lib_IntVector_Intrinsics_vec256_load32_be(x0) \ + (_mm256_shuffle_epi8(_mm256_loadu_si256((__m256i*)(x0)), _mm256_set_epi8(12, 13, 14, 15, 8, 9, 10, 11, 4, 5, 6, 7, 0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11, 4, 5, 6, 7, 0, 1, 2, 3))) + +#define Lib_IntVector_Intrinsics_vec256_load64_be(x0) \ + (_mm256_shuffle_epi8(_mm256_loadu_si256((__m256i*)(x0)), _mm256_set_epi8(8, 9, 10, 11, 12, 13, 14, 15, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 0, 1, 2, 3, 4, 5, 6, 7))) + + +#define Lib_IntVector_Intrinsics_vec256_store32_le(x0, x1) \ + (_mm256_storeu_si256((__m256i*)(x0), x1)) + +#define Lib_IntVector_Intrinsics_vec256_store64_le(x0, x1) \ + (_mm256_storeu_si256((__m256i*)(x0), x1)) + +#define Lib_IntVector_Intrinsics_vec256_store32_be(x0, x1) \ + (_mm256_storeu_si256((__m256i*)(x0), _mm256_shuffle_epi8(x1, _mm256_set_epi8(12, 13, 14, 15, 8, 9, 10, 11, 4, 5, 6, 7, 0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11, 4, 5, 6, 7, 0, 1, 2, 3)))) + +#define Lib_IntVector_Intrinsics_vec256_store64_be(x0, x1) \ + (_mm256_storeu_si256((__m256i*)(x0), _mm256_shuffle_epi8(x1, _mm256_set_epi8(8, 9, 10, 11, 12, 13, 14, 15, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 0, 1, 2, 3, 4, 5, 6, 7)))) + + +#define Lib_IntVector_Intrinsics_vec256_insert8(x0, x1, x2) \ + (_mm256_insert_epi8(x0, x1, x2)) + +#define Lib_IntVector_Intrinsics_vec256_insert32(x0, x1, x2) \ + (_mm256_insert_epi32(x0, x1, x2)) + +#define Lib_IntVector_Intrinsics_vec256_insert64(x0, x1, x2) \ + (_mm256_insert_epi64(x0, x1, x2)) + +#define Lib_IntVector_Intrinsics_vec256_extract8(x0, x1) \ + (_mm256_extract_epi8(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_extract32(x0, x1) \ + (_mm256_extract_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_extract64(x0, x1) \ + (_mm256_extract_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_zero \ + 
(_mm256_setzero_si256()) + +#define Lib_IntVector_Intrinsics_vec256_add64(x0, x1) \ + (_mm256_add_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_sub64(x0, x1) \ + (_mm256_sub_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_mul64(x0, x1) \ + (_mm256_mul_epu32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_smul64(x0, x1) \ + (_mm256_mul_epu32(x0, _mm256_set1_epi64x(x1))) + + +#define Lib_IntVector_Intrinsics_vec256_add32(x0, x1) \ + (_mm256_add_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_sub32(x0, x1) \ + (_mm256_sub_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_mul32(x0, x1) \ + (_mm256_mullo_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_smul32(x0, x1) \ + (_mm256_mullo_epi32(x0, _mm256_set1_epi32(x1))) + + +#define Lib_IntVector_Intrinsics_vec256_load64(x1) \ + (_mm256_set1_epi64x(x1)) /* hi lo */ + +#define Lib_IntVector_Intrinsics_vec256_load64s(x0, x1, x2, x3) \ + (_mm256_set_epi64x(x3,x2,x1,x0)) /* hi lo */ + +#define Lib_IntVector_Intrinsics_vec256_load32(x) \ + (_mm256_set1_epi32(x)) + +#define Lib_IntVector_Intrinsics_vec256_load32s(x0,x1,x2,x3,x4, x5, x6, x7) \ + (_mm256_set_epi32(x7, x6, x5, x4, x3, x2, x1, x0)) /* hi lo */ + +#define Lib_IntVector_Intrinsics_vec256_load128(x) \ + (_mm256_set_m128i((__m128i)x)) + +#define Lib_IntVector_Intrinsics_vec256_load128s(x0,x1) \ + (_mm256_set_m128i((__m128i)x1,(__m128i)x0)) + +#define Lib_IntVector_Intrinsics_vec256_interleave_low32(x1, x2) \ + (_mm256_unpacklo_epi32(x1, x2)) + +#define Lib_IntVector_Intrinsics_vec256_interleave_high32(x1, x2) \ + (_mm256_unpackhi_epi32(x1, x2)) + +#define Lib_IntVector_Intrinsics_vec256_interleave_low64(x1, x2) \ + (_mm256_unpacklo_epi64(x1, x2)) + +#define Lib_IntVector_Intrinsics_vec256_interleave_high64(x1, x2) \ + (_mm256_unpackhi_epi64(x1, x2)) + +#define Lib_IntVector_Intrinsics_vec256_interleave_low128(x1, x2) \ + (_mm256_permute2x128_si256(x1, x2, 0x20)) + +#define 
Lib_IntVector_Intrinsics_vec256_interleave_high128(x1, x2) \ + (_mm256_permute2x128_si256(x1, x2, 0x31)) + +#endif /* HACL_CAN_COMPILE_VEC256 */ + +#elif (defined(__aarch64__) || defined(_M_ARM64) || defined(__arm__) || defined(_M_ARM)) \ + && !defined(__ARM_32BIT_STATE) + +#if defined(HACL_CAN_COMPILE_VEC128) + +#include + +typedef uint32x4_t Lib_IntVector_Intrinsics_vec128; + +#define Lib_IntVector_Intrinsics_vec128_xor(x0, x1) \ + (veorq_u32(x0,x1)) + +#define Lib_IntVector_Intrinsics_vec128_eq64(x0, x1) \ + (vceqq_u32(x0,x1)) + +#define Lib_IntVector_Intrinsics_vec128_eq32(x0, x1) \ + (vceqq_u32(x0,x1)) + +#define Lib_IntVector_Intrinsics_vec128_gt32(x0, x1) \ + (vcgtq_u32(x0, x1)) + +#define high32(x0) \ + (vmovn_u64(vshrq_n_u64(vreinterpretq_u64_u32(x0),32))) + +#define low32(x0) \ + (vmovn_u64(vreinterpretq_u64_u32(x0))) + +#define Lib_IntVector_Intrinsics_vec128_gt64(x0, x1) \ + (vreinterpretq_u32_u64(vmovl_u32(vorr_u32(vcgt_u32(high32(x0),high32(x1)),vand_u32(vceq_u32(high32(x0),high32(x1)),vcgt_u32(low32(x0),low32(x1))))))) + +#define Lib_IntVector_Intrinsics_vec128_or(x0, x1) \ + (vorrq_u32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_and(x0, x1) \ + (vandq_u32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_lognot(x0) \ + (vmvnq_u32(x0)) + + +#define Lib_IntVector_Intrinsics_vec128_shift_left(x0, x1) \ + (vextq_u32(x0, vdupq_n_u8(0), 16-(x1)/8)) + +#define Lib_IntVector_Intrinsics_vec128_shift_right(x0, x1) \ + (vextq_u32(x0, vdupq_n_u8(0), (x1)/8)) + +#define Lib_IntVector_Intrinsics_vec128_shift_left64(x0, x1) \ + (vreinterpretq_u32_u64(vshlq_n_u64(vreinterpretq_u64_u32(x0), x1))) + +#define Lib_IntVector_Intrinsics_vec128_shift_right64(x0, x1) \ + (vreinterpretq_u32_u64(vshrq_n_u64(vreinterpretq_u64_u32(x0), x1))) + +#define Lib_IntVector_Intrinsics_vec128_shift_left32(x0, x1) \ + (vshlq_n_u32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_shift_right32(x0, x1) \ + (vshrq_n_u32(x0, x1)) + +#define 
Lib_IntVector_Intrinsics_vec128_rotate_left32_16(x1) \
+ (vreinterpretq_u32_u16(vrev32q_u16(vreinterpretq_u16_u32(x1))))
+
+#define Lib_IntVector_Intrinsics_vec128_rotate_left32(x0,x1) \
+ (((x1) == 16? Lib_IntVector_Intrinsics_vec128_rotate_left32_16(x0) : \
+ vsriq_n_u32(vshlq_n_u32((x0),(x1)),(x0),32-(x1))))
+
+#define Lib_IntVector_Intrinsics_vec128_rotate_right32_16(x1) \
+ (vreinterpretq_u32_u16(vrev32q_u16(vreinterpretq_u16_u32(x1))))
+
+#define Lib_IntVector_Intrinsics_vec128_rotate_right32(x0,x1) \
+ (((x1) == 16? Lib_IntVector_Intrinsics_vec128_rotate_right32_16(x0) : \
+ vsriq_n_u32(vshlq_n_u32((x0),32-(x1)),(x0),(x1))))
+
+#define Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(x0, x1) \
+ (vextq_u32(x0,x0,x1))
+
+#define Lib_IntVector_Intrinsics_vec128_rotate_right_lanes64(x0, x1) \
+ (vextq_u64(x0,x0,x1))
+
+
+/*
+#define Lib_IntVector_Intrinsics_vec128_shuffle32(x0, x1, x2, x3, x4) \
+ (_mm_shuffle_epi32(x0, _MM_SHUFFLE(x1,x2,x3,x4)))
+
+#define Lib_IntVector_Intrinsics_vec128_shuffle64(x0, x1, x2) \
+ (_mm_shuffle_epi32(x0, _MM_SHUFFLE(2*x1+1,2*x1,2*x2+1,2*x2)))
+*/
+
+#define Lib_IntVector_Intrinsics_vec128_load32_le(x0) \
+ (vld1q_u32((const uint32_t*) (x0)))
+
+#define Lib_IntVector_Intrinsics_vec128_load64_le(x0) \
+ (vld1q_u32((const uint32_t*) (x0)))
+
+#define Lib_IntVector_Intrinsics_vec128_store32_le(x0, x1) \
+ (vst1q_u32((uint32_t*)(x0),(x1)))
+
+#define Lib_IntVector_Intrinsics_vec128_store64_le(x0, x1) \
+ (vst1q_u32((uint32_t*)(x0),(x1)))
+
+/*
+#define Lib_IntVector_Intrinsics_vec128_load_be(x0) \
+ ( Lib_IntVector_Intrinsics_vec128 l = vrev64q_u8(vld1q_u32((uint32_t*)(x0)));
+
+*/
+
+#define Lib_IntVector_Intrinsics_vec128_load32_be(x0) \
+ (vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(vld1q_u32((const uint32_t*)(x0))))))
+
+#define Lib_IntVector_Intrinsics_vec128_load64_be(x0) \
+ (vreinterpretq_u32_u8(vrev64q_u8(vreinterpretq_u8_u32(vld1q_u32((const uint32_t*)(x0))))))
+
+/*
+#define
Lib_IntVector_Intrinsics_vec128_store_be(x0, x1) \
+ (_mm_storeu_si128((__m128i*)(x0), _mm_shuffle_epi8(x1, _mm_set_epi8(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15))))
+*/
+
+#define Lib_IntVector_Intrinsics_vec128_store32_be(x0, x1) \
+ (vst1q_u32((uint32_t*)(x0),(vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(x1))))))
+
+#define Lib_IntVector_Intrinsics_vec128_store64_be(x0, x1) \
+ (vst1q_u32((uint32_t*)(x0),(vreinterpretq_u32_u8(vrev64q_u8(vreinterpretq_u8_u32(x1))))))
+
+#define Lib_IntVector_Intrinsics_vec128_insert8(x0, x1, x2) \
+ (vsetq_lane_u8(x1,x0,x2))
+
+#define Lib_IntVector_Intrinsics_vec128_insert32(x0, x1, x2) \
+ (vsetq_lane_u32(x1,x0,x2))
+
+#define Lib_IntVector_Intrinsics_vec128_insert64(x0, x1, x2) \
+ (vreinterpretq_u32_u64(vsetq_lane_u64(x1,vreinterpretq_u64_u32(x0),x2)))
+
+#define Lib_IntVector_Intrinsics_vec128_extract8(x0, x1) \
+ (vgetq_lane_u8(x0,x1))
+
+#define Lib_IntVector_Intrinsics_vec128_extract32(x0, x1) \
+ (vgetq_lane_u32(x0,x1))
+
+#define Lib_IntVector_Intrinsics_vec128_extract64(x0, x1) \
+ (vgetq_lane_u64(vreinterpretq_u64_u32(x0),x1))
+
+#define Lib_IntVector_Intrinsics_vec128_zero \
+ (vdupq_n_u32(0))
+
+#define Lib_IntVector_Intrinsics_vec128_add64(x0, x1) \
+ (vreinterpretq_u32_u64(vaddq_u64(vreinterpretq_u64_u32(x0), vreinterpretq_u64_u32(x1))))
+
+#define Lib_IntVector_Intrinsics_vec128_sub64(x0, x1) \
+ (vreinterpretq_u32_u64(vsubq_u64(vreinterpretq_u64_u32(x0), vreinterpretq_u64_u32(x1))))
+
+#define Lib_IntVector_Intrinsics_vec128_mul64(x0, x1) \
+ (vreinterpretq_u32_u64(vmull_u32(vmovn_u64(vreinterpretq_u64_u32(x0)), vmovn_u64(vreinterpretq_u64_u32(x1)))))
+
+#define Lib_IntVector_Intrinsics_vec128_smul64(x0, x1) \
+ (vreinterpretq_u32_u64(vmull_n_u32(vmovn_u64(vreinterpretq_u64_u32(x0)), (uint32_t)x1)))
+
+#define Lib_IntVector_Intrinsics_vec128_add32(x0, x1) \
+ (vaddq_u32(x0, x1))
+
+#define Lib_IntVector_Intrinsics_vec128_sub32(x0, x1) \
+ (vsubq_u32(x0, x1))
+
+#define
Lib_IntVector_Intrinsics_vec128_mul32(x0, x1) \
+ (vmulq_lane_u32(x0, x1))
+
+#define Lib_IntVector_Intrinsics_vec128_smul32(x0, x1) \
+ (vmulq_lane_u32(x0, vdupq_n_u32(x1)))
+
+#define Lib_IntVector_Intrinsics_vec128_load128(x) \
+ ((uint32x4_t)(x))
+
+#define Lib_IntVector_Intrinsics_vec128_load64(x) \
+ (vreinterpretq_u32_u64(vdupq_n_u64(x))) /* hi lo */
+
+#define Lib_IntVector_Intrinsics_vec128_load32(x) \
+ (vdupq_n_u32(x)) /* hi lo */
+
+static inline Lib_IntVector_Intrinsics_vec128 Lib_IntVector_Intrinsics_vec128_load64s(uint64_t x1, uint64_t x2){
+ const uint64_t a[2] = {x1,x2};
+ return vreinterpretq_u32_u64(vld1q_u64(a));
+}
+
+static inline Lib_IntVector_Intrinsics_vec128 Lib_IntVector_Intrinsics_vec128_load32s(uint32_t x1, uint32_t x2, uint32_t x3, uint32_t x4){
+ const uint32_t a[4] = {x1,x2,x3,x4};
+ return vld1q_u32(a);
+}
+
+#define Lib_IntVector_Intrinsics_vec128_interleave_low32(x1, x2) \
+ (vzip1q_u32(x1,x2))
+
+#define Lib_IntVector_Intrinsics_vec128_interleave_high32(x1, x2) \
+ (vzip2q_u32(x1,x2))
+
+#define Lib_IntVector_Intrinsics_vec128_interleave_low64(x1,x2) \
+ (vreinterpretq_u32_u64(vzip1q_u64(vreinterpretq_u64_u32(x1),vreinterpretq_u64_u32(x2))))
+
+#define Lib_IntVector_Intrinsics_vec128_interleave_high64(x1,x2) \
+ (vreinterpretq_u32_u64(vzip2q_u64(vreinterpretq_u64_u32(x1),vreinterpretq_u64_u32(x2))))
+
+#endif /* HACL_CAN_COMPILE_VEC128 */
+
+/* IBM z architecture */
+#elif defined(__s390x__) /* this flag is for GCC only */
+
+#if defined(HACL_CAN_COMPILE_VEC128)
+
+#include
+#include
+
+/* The main vector 128 type
+ * We can't use uint8_t, uint32_t, uint64_t... instead of unsigned char,
+ * unsigned int, unsigned long long: the compiler complains that the parameter
+ * combination is invalid.
*/
+typedef unsigned char vector128_8 __attribute__ ((vector_size(16)));
+typedef unsigned int vector128_32 __attribute__ ((vector_size(16)));
+typedef unsigned long long vector128_64 __attribute__ ((vector_size(16)));
+
+typedef vector128_8 Lib_IntVector_Intrinsics_vec128;
+typedef vector128_8 vector128;
+
+#define Lib_IntVector_Intrinsics_vec128_load32_le(x) \
+ (vector128) ((vector128_32) vec_revb(*((vector128_32*) (const uint8_t*)(x))))
+
+#define Lib_IntVector_Intrinsics_vec128_load32_be(x) \
+ (vector128) (*((vector128_32*) (const uint8_t*)(x)))
+
+#define Lib_IntVector_Intrinsics_vec128_load64_le(x) \
+ (vector128) ((vector128_64) vec_revb(*((vector128_64*) (const uint8_t*)(x))))
+
+static inline
+void Lib_IntVector_Intrinsics_vec128_store32_le(const uint8_t *x0, vector128 x1) {
+ *((vector128_32*)x0) = vec_revb((vector128_32) x1);
+}
+
+static inline
+void Lib_IntVector_Intrinsics_vec128_store32_be(const uint8_t *x0, vector128 x1) {
+ *((vector128_32*)x0) = (vector128_32) x1;
+}
+
+static inline
+void Lib_IntVector_Intrinsics_vec128_store64_le(const uint8_t *x0, vector128 x1) {
+ *((vector128_64*)x0) = vec_revb((vector128_64) x1);
+}
+
+#define Lib_IntVector_Intrinsics_vec128_add32(x0,x1) \
+ ((vector128)((vector128_32)(((vector128_32)(x0)) + ((vector128_32)(x1)))))
+
+#define Lib_IntVector_Intrinsics_vec128_add64(x0, x1) \
+ ((vector128)((vector128_64)(((vector128_64)(x0)) + ((vector128_64)(x1)))))
+
+#define Lib_IntVector_Intrinsics_vec128_and(x0, x1) \
+ ((vector128)(vec_and((vector128)(x0),(vector128)(x1))))
+
+#define Lib_IntVector_Intrinsics_vec128_eq32(x0, x1) \
+ ((vector128)(vec_cmpeq(((vector128_32)(x0)),((vector128_32)(x1)))))
+
+#define Lib_IntVector_Intrinsics_vec128_eq64(x0, x1) \
+ ((vector128)(vec_cmpeq(((vector128_64)(x0)),((vector128_64)(x1)))))
+
+#define Lib_IntVector_Intrinsics_vec128_extract32(x0, x1) \
+ ((unsigned int)(vec_extract((vector128_32)(x0), x1)))
+
+#define Lib_IntVector_Intrinsics_vec128_extract64(x0, x1) \
+ ((unsigned
long long)(vec_extract((vector128_64)(x0), x1)))
+
+#define Lib_IntVector_Intrinsics_vec128_gt32(x0, x1) \
+ ((vector128)((vector128_32)(((vector128_32)(x0)) > ((vector128_32)(x1)))))
+
+#define Lib_IntVector_Intrinsics_vec128_gt64(x0, x1) \
+ ((vector128)((vector128_64)(((vector128_64)(x0)) > ((vector128_64)(x1)))))
+
+#define Lib_IntVector_Intrinsics_vec128_insert32(x0, x1, x2) \
+ ((vector128)((vector128_32)vec_insert((unsigned int)(x1), (vector128_32)(x0), x2)))
+
+#define Lib_IntVector_Intrinsics_vec128_insert64(x0, x1, x2) \
+ ((vector128)((vector128_64)vec_insert((unsigned long long)(x1), (vector128_64)(x0), x2)))
+
+#define Lib_IntVector_Intrinsics_vec128_interleave_high32(x0, x1) \
+ ((vector128)((vector128_32)vec_mergel((vector128_32)(x0), (vector128_32)(x1))))
+
+#define Lib_IntVector_Intrinsics_vec128_interleave_high64(x0, x1) \
+ ((vector128)((vector128_64)vec_mergel((vector128_64)(x0), (vector128_64)(x1))))
+
+#define Lib_IntVector_Intrinsics_vec128_interleave_low32(x0, x1) \
+ ((vector128)((vector128_32)vec_mergeh((vector128_32)(x0), (vector128_32)(x1))))
+
+#define Lib_IntVector_Intrinsics_vec128_interleave_low64(x0, x1) \
+ ((vector128)((vector128_64)vec_mergeh((vector128_64)(x0), (vector128_64)(x1))))
+
+#define Lib_IntVector_Intrinsics_vec128_load32(x) \
+ ((vector128)((vector128_32){(unsigned int)(x), (unsigned int)(x), \
+ (unsigned int)(x), (unsigned int)(x)}))
+
+#define Lib_IntVector_Intrinsics_vec128_load32s(x0, x1, x2, x3) \
+ ((vector128)((vector128_32){(unsigned int)(x0),(unsigned int)(x1),(unsigned int)(x2),(unsigned int)(x3)}))
+
+#define Lib_IntVector_Intrinsics_vec128_load64(x) \
+ ((vector128)((vector128_64)vec_load_pair((unsigned long long)(x),(unsigned long long)(x))))
+
+#define Lib_IntVector_Intrinsics_vec128_lognot(x0) \
+ ((vector128)(vec_xor((vector128)(x0), (vector128)vec_splat_u32(-1))))
+
+#define Lib_IntVector_Intrinsics_vec128_mul64(x0, x1) \
+ ((vector128)(vec_mulo((vector128_32)(x0), \
+ (vector128_32)(x1))))
+
+#define Lib_IntVector_Intrinsics_vec128_or(x0, x1) \
+ ((vector128)(vec_or((vector128)(x0),(vector128)(x1))))
+
+#define Lib_IntVector_Intrinsics_vec128_rotate_left32(x0, x1) \
+ ((vector128)(vec_rli((vector128_32)(x0), (unsigned long)(x1))))
+
+#define Lib_IntVector_Intrinsics_vec128_rotate_right32(x0, x1) \
+ (Lib_IntVector_Intrinsics_vec128_rotate_left32(x0,(uint32_t)(32-(x1))))
+
+#define Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(x0, x1) \
+ ((vector128)(vec_sld((vector128)(x0), (vector128)(x0), (x1%4)*4)))
+
+#define Lib_IntVector_Intrinsics_vec128_shift_left64(x0, x1) \
+ (((vector128)((vector128_64)vec_rli((vector128_64)(x0), (unsigned long)(x1)))) & \
+ ((vector128)((vector128_64){0xffffffffffffffff << (x1), 0xffffffffffffffff << (x1)})))
+
+#define Lib_IntVector_Intrinsics_vec128_shift_right64(x0, x1) \
+ (((vector128)((vector128_64)vec_rli((vector128_64)(x0), (unsigned long)(64-(x1))))) & \
+ ((vector128)((vector128_64){0xffffffffffffffff >> (x1), 0xffffffffffffffff >> (x1)})))
+
+#define Lib_IntVector_Intrinsics_vec128_shift_right32(x0, x1) \
+ (((vector128)((vector128_32)vec_rli((vector128_32)(x0), (unsigned int)(32-(x1))))) & \
+ ((vector128)((vector128_32){0xffffffff >> (x1), 0xffffffff >> (x1), \
+ 0xffffffff >> (x1), 0xffffffff >> (x1)})))
+
+/* Doesn't work with vec_splat_u64 */
+#define Lib_IntVector_Intrinsics_vec128_smul64(x0, x1) \
+ ((vector128)(Lib_IntVector_Intrinsics_vec128_mul64(x0,((vector128_64){(unsigned long long)(x1),(unsigned long long)(x1)}))))
+
+#define Lib_IntVector_Intrinsics_vec128_sub64(x0, x1) \
+ ((vector128)((vector128_64)(x0) - (vector128_64)(x1)))
+
+static inline
+vector128 Lib_IntVector_Intrinsics_vec128_xor(vector128 x0, vector128 x1) {
+ return ((vector128)(vec_xor((vector128)(x0), (vector128)(x1))));
+}
+
+
+#define Lib_IntVector_Intrinsics_vec128_zero \
+ ((vector128){})
+
+#endif /* HACL_CAN_COMPILE_VEC128 */
+
+#elif defined(__powerpc64__) // PowerPC 64 - this flag is for GCC only
+
+#if
defined(HACL_CAN_COMPILE_VEC128)
+
+#include
+#include // for memcpy
+#include
+
+// The main vector 128 type
+// We can't use uint8_t, uint32_t, uint64_t... instead of unsigned char,
+// unsigned int, unsigned long long: the compiler complains that the parameter
+// combination is invalid.
+typedef vector unsigned char vector128_8;
+typedef vector unsigned int vector128_32;
+typedef vector unsigned long long vector128_64;
+
+typedef vector128_8 Lib_IntVector_Intrinsics_vec128;
+typedef vector128_8 vector128;
+
+#define Lib_IntVector_Intrinsics_vec128_load32_le(x) \
+ ((vector128)((vector128_32)(vec_xl(0, (const unsigned int*) ((const uint8_t*)(x))))))
+
+#define Lib_IntVector_Intrinsics_vec128_load64_le(x) \
+ ((vector128)((vector128_64)(vec_xl(0, (const unsigned long long*) ((const uint8_t*)(x))))))
+
+#define Lib_IntVector_Intrinsics_vec128_store32_le(x0, x1) \
+ (vec_xst((vector128_32)(x1), 0, (unsigned int*) ((uint8_t*)(x0))))
+
+#define Lib_IntVector_Intrinsics_vec128_store64_le(x0, x1) \
+ (vec_xst((vector128_64)(x1), 0, (unsigned long long*) ((uint8_t*)(x0))))
+
+#define Lib_IntVector_Intrinsics_vec128_add32(x0,x1) \
+ ((vector128)((vector128_32)(((vector128_32)(x0)) + ((vector128_32)(x1)))))
+
+#define Lib_IntVector_Intrinsics_vec128_add64(x0, x1) \
+ ((vector128)((vector128_64)(((vector128_64)(x0)) + ((vector128_64)(x1)))))
+
+#define Lib_IntVector_Intrinsics_vec128_and(x0, x1) \
+ ((vector128)(vec_and((vector128)(x0),(vector128)(x1))))
+
+#define Lib_IntVector_Intrinsics_vec128_eq32(x0, x1) \
+ ((vector128)(vec_cmpeq(((vector128_32)(x0)),((vector128_32)(x1)))))
+
+#define Lib_IntVector_Intrinsics_vec128_eq64(x0, x1) \
+ ((vector128)(vec_cmpeq(((vector128_64)(x0)),((vector128_64)(x1)))))
+
+#define Lib_IntVector_Intrinsics_vec128_extract32(x0, x1) \
+ ((unsigned int)(vec_extract((vector128_32)(x0), x1)))
+
+#define Lib_IntVector_Intrinsics_vec128_extract64(x0, x1) \
+ ((unsigned long long)(vec_extract((vector128_64)(x0), x1)))
+
+#define
Lib_IntVector_Intrinsics_vec128_gt32(x0, x1) \
+ ((vector128)((vector128_32)(((vector128_32)(x0)) > ((vector128_32)(x1)))))
+
+#define Lib_IntVector_Intrinsics_vec128_gt64(x0, x1) \
+ ((vector128)((vector128_64)(((vector128_64)(x0)) > ((vector128_64)(x1)))))
+
+#define Lib_IntVector_Intrinsics_vec128_insert32(x0, x1, x2) \
+ ((vector128)((vector128_32)vec_insert((unsigned int)(x1), (vector128_32)(x0), x2)))
+
+#define Lib_IntVector_Intrinsics_vec128_insert64(x0, x1, x2) \
+ ((vector128)((vector128_64)vec_insert((unsigned long long)(x1), (vector128_64)(x0), x2)))
+
+#define Lib_IntVector_Intrinsics_vec128_interleave_high32(x0, x1) \
+ ((vector128)((vector128_32)vec_mergel((vector128_32)(x0), (vector128_32)(x1))))
+
+#define Lib_IntVector_Intrinsics_vec128_interleave_high64(x0, x1) \
+ ((vector128)((vector128_64)vec_mergel((vector128_64)(x0), (vector128_64)(x1))))
+
+#define Lib_IntVector_Intrinsics_vec128_interleave_low32(x0, x1) \
+ ((vector128)((vector128_32)vec_mergeh((vector128_32)(x0), (vector128_32)(x1))))
+
+#define Lib_IntVector_Intrinsics_vec128_interleave_low64(x0, x1) \
+ ((vector128)((vector128_64)vec_mergeh((vector128_64)(x0), (vector128_64)(x1))))
+
+#define Lib_IntVector_Intrinsics_vec128_load32(x) \
+ ((vector128)((vector128_32){(unsigned int)(x), (unsigned int)(x), \
+ (unsigned int)(x), (unsigned int)(x)}))
+
+#define Lib_IntVector_Intrinsics_vec128_load32s(x0, x1, x2, x3) \
+ ((vector128)((vector128_32){(unsigned int)(x0),(unsigned int)(x1),(unsigned int)(x2),(unsigned int)(x3)}))
+
+#define Lib_IntVector_Intrinsics_vec128_load64(x) \
+ ((vector128)((vector128_64){(unsigned long long)(x),(unsigned long long)(x)}))
+
+#define Lib_IntVector_Intrinsics_vec128_lognot(x0) \
+ ((vector128)(vec_xor((vector128)(x0), (vector128)vec_splat_u32(-1))))
+
+#define Lib_IntVector_Intrinsics_vec128_mul64(x0, x1) \
+ ((vector128)(vec_mule((vector128_32)(x0), \
+ (vector128_32)(x1))))
+
+#define Lib_IntVector_Intrinsics_vec128_or(x0, x1) \
+
((vector128)(vec_or((vector128)(x0),(vector128)(x1))))
+
+#define Lib_IntVector_Intrinsics_vec128_rotate_left32(x0, x1) \
+ ((vector128)(vec_rl((vector128_32)(x0), (vector128_32){(unsigned int)(x1),(unsigned int)(x1),(unsigned int)(x1),(unsigned int)(x1)})))
+
+#define Lib_IntVector_Intrinsics_vec128_rotate_right32(x0, x1) \
+ (Lib_IntVector_Intrinsics_vec128_rotate_left32(x0,(uint32_t)(32-(x1))))
+
+#define Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(x0, x1) \
+ ((vector128)(vec_sld((vector128)(x0), (vector128)(x0), ((4-(x1))%4)*4)))
+
+#define Lib_IntVector_Intrinsics_vec128_shift_left64(x0, x1) \
+ ((vector128)((vector128_64)vec_sl((vector128_64)(x0), (vector128_64){(unsigned long)(x1),(unsigned long)(x1)})))
+
+#define Lib_IntVector_Intrinsics_vec128_shift_right64(x0, x1) \
+ ((vector128)((vector128_64)vec_sr((vector128_64)(x0), (vector128_64){(unsigned long)(x1),(unsigned long)(x1)})))
+
+// Doesn't work with vec_splat_u64
+#define Lib_IntVector_Intrinsics_vec128_smul64(x0, x1) \
+ ((vector128)(Lib_IntVector_Intrinsics_vec128_mul64(x0,((vector128_64){(unsigned long long)(x1),(unsigned long long)(x1)}))))
+
+#define Lib_IntVector_Intrinsics_vec128_sub64(x0, x1) \
+ ((vector128)((vector128_64)(x0) - (vector128_64)(x1)))
+
+#define Lib_IntVector_Intrinsics_vec128_xor(x0, x1) \
+ ((vector128)(vec_xor((vector128)(x0), (vector128)(x1))))
+
+#define Lib_IntVector_Intrinsics_vec128_zero \
+ ((vector128){})
+
+#endif /* HACL_CAN_COMPILE_VEC128 */
+
+#endif // PowerPC64
+
+// DEBUGGING:
+// If libintvector_debug.h exists, use it to debug the current implementations.
+// Note that some flags must be enabled for the debugging to be effective:
+// see libintvector_debug.h for more details.
+#if defined(__has_include)
+#if __has_include("libintvector_debug.h")
+#include "libintvector_debug.h"
+#endif
+#endif
+
+#endif // __Vec_Intrin_H
diff --git a/include/curve25519-inline.h b/include/curve25519-inline.h
new file mode 100644
index 00000000..e69f7a59
--- /dev/null
+++ b/include/curve25519-inline.h 
@@ -0,0 +1,751 @@
+#ifdef __GNUC__
+#if defined(__x86_64__) || defined(_M_X64)
+#pragma once
+#include
+
+// Computes the addition of four-element f1 with value in f2
+// and returns the carry (if any)
+static inline uint64_t add_scalar (uint64_t *out, uint64_t *f1, uint64_t f2)
+{
+ uint64_t carry_r;
+
+ asm volatile(
+ // Clear registers to propagate the carry bit
+ " xor %%r8d, %%r8d;"
+ " xor %%r9d, %%r9d;"
+ " xor %%r10d, %%r10d;"
+ " xor %%r11d, %%r11d;"
+ " xor %k1, %k1;"
+
+ // Begin addition chain
+ " addq 0(%3), %0;"
+ " movq %0, 0(%2);"
+ " adcxq 8(%3), %%r8;"
+ " movq %%r8, 8(%2);"
+ " adcxq 16(%3), %%r9;"
+ " movq %%r9, 16(%2);"
+ " adcxq 24(%3), %%r10;"
+ " movq %%r10, 24(%2);"
+
+ // Return the carry bit in a register
+ " adcx %%r11, %1;"
+ : "+&r" (f2), "=&r" (carry_r)
+ : "r" (out), "r" (f1)
+ : "%r8", "%r9", "%r10", "%r11", "memory", "cc"
+ );
+
+ return carry_r;
+}
+
+// Computes the field addition of two field elements
+static inline void fadd (uint64_t *out, uint64_t *f1, uint64_t *f2)
+{
+ asm volatile(
+ // Compute the raw addition of f1 + f2
+ " movq 0(%0), %%r8;"
+ " addq 0(%2), %%r8;"
+ " movq 8(%0), %%r9;"
+ " adcxq 8(%2), %%r9;"
+ " movq 16(%0), %%r10;"
+ " adcxq 16(%2), %%r10;"
+ " movq 24(%0), %%r11;"
+ " adcxq 24(%2), %%r11;"
+
+ /////// Wrap the result back into the field //////
+
+ // Step 1: Compute carry*38
+ " mov $0, %%rax;"
+ " mov $38, %0;"
+ " cmovc %0, %%rax;"
+
+ // Step 2: Add carry*38 to the original sum
+ " xor %%ecx, %%ecx;"
+ " add %%rax, %%r8;"
+ " adcx %%rcx, %%r9;"
+ " movq %%r9, 8(%1);"
+ " adcx %%rcx, %%r10;"
+ " movq %%r10, 16(%1);"
+ " adcx %%rcx, %%r11;"
+ " movq %%r11, 24(%1);"
+
+ // Step 3: Fold the carry bit back in; guaranteed not to carry at this point
+ " mov $0, %%rax;"
+ " cmovc %0, %%rax;"
+ " add %%rax, %%r8;"
+ " movq %%r8, 0(%1);"
+ : "+&r" (f2)
+ : "r" (out), "r" (f1)
+ : "%rax", "%rcx", "%r8", "%r9", "%r10", "%r11", "memory", "cc"
+ );
+}
+
+// Computes the field substraction of two field
elements
+static inline void fsub (uint64_t *out, uint64_t *f1, uint64_t *f2)
+{
+ asm volatile(
+ // Compute the raw substraction of f1-f2
+ " movq 0(%1), %%r8;"
+ " subq 0(%2), %%r8;"
+ " movq 8(%1), %%r9;"
+ " sbbq 8(%2), %%r9;"
+ " movq 16(%1), %%r10;"
+ " sbbq 16(%2), %%r10;"
+ " movq 24(%1), %%r11;"
+ " sbbq 24(%2), %%r11;"
+
+ /////// Wrap the result back into the field //////
+
+ // Step 1: Compute carry*38
+ " mov $0, %%rax;"
+ " mov $38, %%rcx;"
+ " cmovc %%rcx, %%rax;"
+
+ // Step 2: Substract carry*38 from the original difference
+ " sub %%rax, %%r8;"
+ " sbb $0, %%r9;"
+ " sbb $0, %%r10;"
+ " sbb $0, %%r11;"
+
+ // Step 3: Fold the carry bit back in; guaranteed not to carry at this point
+ " mov $0, %%rax;"
+ " cmovc %%rcx, %%rax;"
+ " sub %%rax, %%r8;"
+
+ // Store the result
+ " movq %%r8, 0(%0);"
+ " movq %%r9, 8(%0);"
+ " movq %%r10, 16(%0);"
+ " movq %%r11, 24(%0);"
+ :
+ : "r" (out), "r" (f1), "r" (f2)
+ : "%rax", "%rcx", "%r8", "%r9", "%r10", "%r11", "memory", "cc"
+ );
+}
+
+// Computes a field multiplication: out <- f1 * f2
+// Uses the 8-element buffer tmp for intermediate results
+static inline void fmul (uint64_t *out, uint64_t *f1, uint64_t *f2, uint64_t *tmp)
+{
+ asm volatile(
+
+ /////// Compute the raw multiplication: tmp <- src1 * src2 //////
+
+ // Compute src1[0] * src2
+ " movq 0(%0), %%rdx;"
+ " mulxq 0(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " movq %%r8, 0(%2);"
+ " mulxq 8(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " movq %%r10, 8(%2);"
+ " mulxq 16(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;"
+ " mulxq 24(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " mov $0, %%rax;"
+ " adox %%rdx, %%rax;"
+
+ // Compute src1[1] * src2
+ " movq 8(%0), %%rdx;"
+ " mulxq 0(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 8(%2), %%r8;" " movq %%r8, 8(%2);"
+ " mulxq 8(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 16(%2);"
+ " mulxq 16(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;"
+ "
mulxq 24(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;"
+ " adox %%rdx, %%rax;" " adcx %%r8, %%rax;"
+
+
+ // Compute src1[2] * src2
+ " movq 16(%0), %%rdx;"
+ " mulxq 0(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 16(%2), %%r8;" " movq %%r8, 16(%2);"
+ " mulxq 8(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 24(%2);"
+ " mulxq 16(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;"
+ " mulxq 24(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;"
+ " adox %%rdx, %%rax;" " adcx %%r8, %%rax;"
+
+
+ // Compute src1[3] * src2
+ " movq 24(%0), %%rdx;"
+ " mulxq 0(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 24(%2), %%r8;" " movq %%r8, 24(%2);"
+ " mulxq 8(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 32(%2);"
+ " mulxq 16(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " movq %%rbx, 40(%2);" " mov $0, %%r8;"
+ " mulxq 24(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " movq %%r14, 48(%2);" " mov $0, %%rax;"
+ " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" " movq %%rax, 56(%2);"
+
+ // Line up pointers
+ " mov %2, %0;"
+ " mov %3, %2;"
+
+ /////// Wrap the result back into the field //////
+
+ // Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo
+ " mov $38, %%rdx;"
+ " mulxq 32(%0), %%r8, %%r13;"
+ " xor %k1, %k1;"
+ " adoxq 0(%0), %%r8;"
+ " mulxq 40(%0), %%r9, %%rbx;"
+ " adcx %%r13, %%r9;"
+ " adoxq 8(%0), %%r9;"
+ " mulxq 48(%0), %%r10, %%r13;"
+ " adcx %%rbx, %%r10;"
+ " adoxq 16(%0), %%r10;"
+ " mulxq 56(%0), %%r11, %%rax;"
+ " adcx %%r13, %%r11;"
+ " adoxq 24(%0), %%r11;"
+ " adcx %1, %%rax;"
+ " adox %1, %%rax;"
+ " imul %%rdx, %%rax;"
+
+ // Step 2: Fold the carry back into dst
+ " add %%rax, %%r8;"
+ " adcx %1, %%r9;"
+ " movq %%r9, 8(%2);"
+ " adcx %1, %%r10;"
+ " movq %%r10, 16(%2);"
+ " adcx %1, %%r11;"
+ " movq %%r11, 24(%2);"
+
+ // Step 3: Fold the carry bit back
in; guaranteed not to carry at this point
+ " mov $0, %%rax;"
+ " cmovc %%rdx, %%rax;"
+ " add %%rax, %%r8;"
+ " movq %%r8, 0(%2);"
+ : "+&r" (f1), "+&r" (f2), "+&r" (tmp)
+ : "r" (out)
+ : "%rax", "%rbx", "%rdx", "%r8", "%r9", "%r10", "%r11", "%r13", "%r14", "memory", "cc"
+ );
+}
+
+// Computes two field multiplications:
+// out[0] <- f1[0] * f2[0]
+// out[1] <- f1[1] * f2[1]
+// Uses the 16-element buffer tmp for intermediate results:
+static inline void fmul2 (uint64_t *out, uint64_t *f1, uint64_t *f2, uint64_t *tmp)
+{
+ asm volatile(
+
+ /////// Compute the raw multiplication tmp[0] <- f1[0] * f2[0] //////
+
+ // Compute src1[0] * src2
+ " movq 0(%0), %%rdx;"
+ " mulxq 0(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " movq %%r8, 0(%2);"
+ " mulxq 8(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " movq %%r10, 8(%2);"
+ " mulxq 16(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;"
+ " mulxq 24(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " mov $0, %%rax;"
+ " adox %%rdx, %%rax;"
+
+ // Compute src1[1] * src2
+ " movq 8(%0), %%rdx;"
+ " mulxq 0(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 8(%2), %%r8;" " movq %%r8, 8(%2);"
+ " mulxq 8(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 16(%2);"
+ " mulxq 16(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;"
+ " mulxq 24(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;"
+ " adox %%rdx, %%rax;" " adcx %%r8, %%rax;"
+
+
+ // Compute src1[2] * src2
+ " movq 16(%0), %%rdx;"
+ " mulxq 0(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 16(%2), %%r8;" " movq %%r8, 16(%2);"
+ " mulxq 8(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 24(%2);"
+ " mulxq 16(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;"
+ " mulxq 24(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;"
+ " adox %%rdx, %%rax;" " adcx %%r8, %%rax;"
+
+
+ // Compute src1[3] * src2
+ " movq 24(%0),
%%rdx;"
+ " mulxq 0(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 24(%2), %%r8;" " movq %%r8, 24(%2);"
+ " mulxq 8(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 32(%2);"
+ " mulxq 16(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " movq %%rbx, 40(%2);" " mov $0, %%r8;"
+ " mulxq 24(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " movq %%r14, 48(%2);" " mov $0, %%rax;"
+ " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" " movq %%rax, 56(%2);"
+
+ /////// Compute the raw multiplication tmp[1] <- f1[1] * f2[1] //////
+
+ // Compute src1[0] * src2
+ " movq 32(%0), %%rdx;"
+ " mulxq 32(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " movq %%r8, 64(%2);"
+ " mulxq 40(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " movq %%r10, 72(%2);"
+ " mulxq 48(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;"
+ " mulxq 56(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " mov $0, %%rax;"
+ " adox %%rdx, %%rax;"
+
+ // Compute src1[1] * src2
+ " movq 40(%0), %%rdx;"
+ " mulxq 32(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 72(%2), %%r8;" " movq %%r8, 72(%2);"
+ " mulxq 40(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 80(%2);"
+ " mulxq 48(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;"
+ " mulxq 56(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;"
+ " adox %%rdx, %%rax;" " adcx %%r8, %%rax;"
+
+
+ // Compute src1[2] * src2
+ " movq 48(%0), %%rdx;"
+ " mulxq 32(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 80(%2), %%r8;" " movq %%r8, 80(%2);"
+ " mulxq 40(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 88(%2);"
+ " mulxq 48(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;"
+ " mulxq 56(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;"
+ " adox %%rdx, %%rax;" " adcx %%r8, %%rax;"
+
+
+ // Compute src1[3] * src2
+ " movq 56(%0), %%rdx;"
+ " mulxq 32(%1), %%r8,
%%r9;" " xor %%r10d, %%r10d;" " adcxq 88(%2), %%r8;" " movq %%r8, 88(%2);"
+ " mulxq 40(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 96(%2);"
+ " mulxq 48(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " movq %%rbx, 104(%2);" " mov $0, %%r8;"
+ " mulxq 56(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " movq %%r14, 112(%2);" " mov $0, %%rax;"
+ " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" " movq %%rax, 120(%2);"
+
+ // Line up pointers
+ " mov %2, %0;"
+ " mov %3, %2;"
+
+ /////// Wrap the results back into the field //////
+
+ // Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo
+ " mov $38, %%rdx;"
+ " mulxq 32(%0), %%r8, %%r13;"
+ " xor %k1, %k1;"
+ " adoxq 0(%0), %%r8;"
+ " mulxq 40(%0), %%r9, %%rbx;"
+ " adcx %%r13, %%r9;"
+ " adoxq 8(%0), %%r9;"
+ " mulxq 48(%0), %%r10, %%r13;"
+ " adcx %%rbx, %%r10;"
+ " adoxq 16(%0), %%r10;"
+ " mulxq 56(%0), %%r11, %%rax;"
+ " adcx %%r13, %%r11;"
+ " adoxq 24(%0), %%r11;"
+ " adcx %1, %%rax;"
+ " adox %1, %%rax;"
+ " imul %%rdx, %%rax;"
+
+ // Step 2: Fold the carry back into dst
+ " add %%rax, %%r8;"
+ " adcx %1, %%r9;"
+ " movq %%r9, 8(%2);"
+ " adcx %1, %%r10;"
+ " movq %%r10, 16(%2);"
+ " adcx %1, %%r11;"
+ " movq %%r11, 24(%2);"
+
+ // Step 3: Fold the carry bit back in; guaranteed not to carry at this point
+ " mov $0, %%rax;"
+ " cmovc %%rdx, %%rax;"
+ " add %%rax, %%r8;"
+ " movq %%r8, 0(%2);"
+
+ // Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo
+ " mov $38, %%rdx;"
+ " mulxq 96(%0), %%r8, %%r13;"
+ " xor %k1, %k1;"
+ " adoxq 64(%0), %%r8;"
+ " mulxq 104(%0), %%r9, %%rbx;"
+ " adcx %%r13, %%r9;"
+ " adoxq 72(%0), %%r9;"
+ " mulxq 112(%0), %%r10, %%r13;"
+ " adcx %%rbx, %%r10;"
+ " adoxq 80(%0), %%r10;"
+ " mulxq 120(%0), %%r11, %%rax;"
+ " adcx %%r13, %%r11;"
+ " adoxq 88(%0), %%r11;"
+ " adcx %1, %%rax;"
+ " adox %1, %%rax;"
+ " imul %%rdx, %%rax;"
+
+ // Step 2: Fold the carry back into dst
+ " add %%rax, %%r8;"
+ " adcx %1, %%r9;"
+ " movq
%%r9, 40(%2);"
+ " adcx %1, %%r10;"
+ " movq %%r10, 48(%2);"
+ " adcx %1, %%r11;"
+ " movq %%r11, 56(%2);"
+
+ // Step 3: Fold the carry bit back in; guaranteed not to carry at this point
+ " mov $0, %%rax;"
+ " cmovc %%rdx, %%rax;"
+ " add %%rax, %%r8;"
+ " movq %%r8, 32(%2);"
+ : "+&r" (f1), "+&r" (f2), "+&r" (tmp)
+ : "r" (out)
+ : "%rax", "%rbx", "%rdx", "%r8", "%r9", "%r10", "%r11", "%r13", "%r14", "memory", "cc"
+ );
+}
+
+// Computes the field multiplication of four-element f1 with value in f2
+// Requires f2 to be smaller than 2^17
+static inline void fmul_scalar (uint64_t *out, uint64_t *f1, uint64_t f2)
+{
+ register uint64_t f2_r asm("rdx") = f2;
+
+ asm volatile(
+ // Compute the raw multiplication of f1*f2
+ " mulxq 0(%2), %%r8, %%rcx;" // f1[0]*f2
+ " mulxq 8(%2), %%r9, %%rbx;" // f1[1]*f2
+ " add %%rcx, %%r9;"
+ " mov $0, %%rcx;"
+ " mulxq 16(%2), %%r10, %%r13;" // f1[2]*f2
+ " adcx %%rbx, %%r10;"
+ " mulxq 24(%2), %%r11, %%rax;" // f1[3]*f2
+ " adcx %%r13, %%r11;"
+ " adcx %%rcx, %%rax;"
+
+ /////// Wrap the result back into the field //////
+
+ // Step 1: Compute carry*38
+ " mov $38, %%rdx;"
+ " imul %%rdx, %%rax;"
+
+ // Step 2: Fold the carry back into dst
+ " add %%rax, %%r8;"
+ " adcx %%rcx, %%r9;"
+ " movq %%r9, 8(%1);"
+ " adcx %%rcx, %%r10;"
+ " movq %%r10, 16(%1);"
+ " adcx %%rcx, %%r11;"
+ " movq %%r11, 24(%1);"
+
+ // Step 3: Fold the carry bit back in; guaranteed not to carry at this point
+ " mov $0, %%rax;"
+ " cmovc %%rdx, %%rax;"
+ " add %%rax, %%r8;"
+ " movq %%r8, 0(%1);"
+ : "+&r" (f2_r)
+ : "r" (out), "r" (f1)
+ : "%rax", "%rbx", "%rcx", "%r8", "%r9", "%r10", "%r11", "%r13", "memory", "cc"
+ );
+}
+
+// Computes p1 <- bit ?
p2 : p1 in constant time
+static inline void cswap2 (uint64_t bit, uint64_t *p1, uint64_t *p2)
+{
+ asm volatile(
+ // Transfer bit into CF flag
+ " add $18446744073709551615, %0;"
+
+ // cswap p1[0], p2[0]
+ " movq 0(%1), %%r8;"
+ " movq 0(%2), %%r9;"
+ " mov %%r8, %%r10;"
+ " cmovc %%r9, %%r8;"
+ " cmovc %%r10, %%r9;"
+ " movq %%r8, 0(%1);"
+ " movq %%r9, 0(%2);"
+
+ // cswap p1[1], p2[1]
+ " movq 8(%1), %%r8;"
+ " movq 8(%2), %%r9;"
+ " mov %%r8, %%r10;"
+ " cmovc %%r9, %%r8;"
+ " cmovc %%r10, %%r9;"
+ " movq %%r8, 8(%1);"
+ " movq %%r9, 8(%2);"
+
+ // cswap p1[2], p2[2]
+ " movq 16(%1), %%r8;"
+ " movq 16(%2), %%r9;"
+ " mov %%r8, %%r10;"
+ " cmovc %%r9, %%r8;"
+ " cmovc %%r10, %%r9;"
+ " movq %%r8, 16(%1);"
+ " movq %%r9, 16(%2);"
+
+ // cswap p1[3], p2[3]
+ " movq 24(%1), %%r8;"
+ " movq 24(%2), %%r9;"
+ " mov %%r8, %%r10;"
+ " cmovc %%r9, %%r8;"
+ " cmovc %%r10, %%r9;"
+ " movq %%r8, 24(%1);"
+ " movq %%r9, 24(%2);"
+
+ // cswap p1[4], p2[4]
+ " movq 32(%1), %%r8;"
+ " movq 32(%2), %%r9;"
+ " mov %%r8, %%r10;"
+ " cmovc %%r9, %%r8;"
+ " cmovc %%r10, %%r9;"
+ " movq %%r8, 32(%1);"
+ " movq %%r9, 32(%2);"
+
+ // cswap p1[5], p2[5]
+ " movq 40(%1), %%r8;"
+ " movq 40(%2), %%r9;"
+ " mov %%r8, %%r10;"
+ " cmovc %%r9, %%r8;"
+ " cmovc %%r10, %%r9;"
+ " movq %%r8, 40(%1);"
+ " movq %%r9, 40(%2);"
+
+ // cswap p1[6], p2[6]
+ " movq 48(%1), %%r8;"
+ " movq 48(%2), %%r9;"
+ " mov %%r8, %%r10;"
+ " cmovc %%r9, %%r8;"
+ " cmovc %%r10, %%r9;"
+ " movq %%r8, 48(%1);"
+ " movq %%r9, 48(%2);"
+
+ // cswap p1[7], p2[7]
+ " movq 56(%1), %%r8;"
+ " movq 56(%2), %%r9;"
+ " mov %%r8, %%r10;"
+ " cmovc %%r9, %%r8;"
+ " cmovc %%r10, %%r9;"
+ " movq %%r8, 56(%1);"
+ " movq %%r9, 56(%2);"
+ : "+&r" (bit)
+ : "r" (p1), "r" (p2)
+ : "%r8", "%r9", "%r10", "memory", "cc"
+ );
+}
+
+// Computes the square of a field element: out <- f * f
+// Uses the 8-element buffer tmp for intermediate results
+static inline void fsqr (uint64_t *out, uint64_t *f, uint64_t *tmp)
+{
+ asm volatile(
+
+
/////// Compute the raw multiplication: tmp <- f * f ////// + + // Step 1: Compute all partial products + " movq 0(%0), %%rdx;" // f[0] + " mulxq 8(%0), %%r8, %%r14;" " xor %%r15d, %%r15d;" // f[1]*f[0] + " mulxq 16(%0), %%r9, %%r10;" " adcx %%r14, %%r9;" // f[2]*f[0] + " mulxq 24(%0), %%rax, %%rcx;" " adcx %%rax, %%r10;" // f[3]*f[0] + " movq 24(%0), %%rdx;" // f[3] + " mulxq 8(%0), %%r11, %%rbx;" " adcx %%rcx, %%r11;" // f[1]*f[3] + " mulxq 16(%0), %%rax, %%r13;" " adcx %%rax, %%rbx;" // f[2]*f[3] + " movq 8(%0), %%rdx;" " adcx %%r15, %%r13;" // f1 + " mulxq 16(%0), %%rax, %%rcx;" " mov $0, %%r14;" // f[2]*f[1] + + // Step 2: Compute two parallel carry chains + " xor %%r15d, %%r15d;" + " adox %%rax, %%r10;" + " adcx %%r8, %%r8;" + " adox %%rcx, %%r11;" + " adcx %%r9, %%r9;" + " adox %%r15, %%rbx;" + " adcx %%r10, %%r10;" + " adox %%r15, %%r13;" + " adcx %%r11, %%r11;" + " adox %%r15, %%r14;" + " adcx %%rbx, %%rbx;" + " adcx %%r13, %%r13;" + " adcx %%r14, %%r14;" + + // Step 3: Compute intermediate squares + " movq 0(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[0]^2 + " movq %%rax, 0(%1);" + " add %%rcx, %%r8;" " movq %%r8, 8(%1);" + " movq 8(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[1]^2 + " adcx %%rax, %%r9;" " movq %%r9, 16(%1);" + " adcx %%rcx, %%r10;" " movq %%r10, 24(%1);" + " movq 16(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[2]^2 + " adcx %%rax, %%r11;" " movq %%r11, 32(%1);" + " adcx %%rcx, %%rbx;" " movq %%rbx, 40(%1);" + " movq 24(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[3]^2 + " adcx %%rax, %%r13;" " movq %%r13, 48(%1);" + " adcx %%rcx, %%r14;" " movq %%r14, 56(%1);" + + // Line up pointers + " mov %1, %0;" + " mov %2, %1;" + + /////// Wrap the result back into the field ////// + + // Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + " mov $38, %%rdx;" + " mulxq 32(%0), %%r8, %%r13;" + " xor %%ecx, %%ecx;" + " adoxq 0(%0), %%r8;" + " mulxq 40(%0), %%r9, %%rbx;" + " adcx %%r13, %%r9;" + " adoxq 8(%0), %%r9;" + " mulxq 48(%0), %%r10, 
%%r13;" + " adcx %%rbx, %%r10;" + " adoxq 16(%0), %%r10;" + " mulxq 56(%0), %%r11, %%rax;" + " adcx %%r13, %%r11;" + " adoxq 24(%0), %%r11;" + " adcx %%rcx, %%rax;" + " adox %%rcx, %%rax;" + " imul %%rdx, %%rax;" + + // Step 2: Fold the carry back into dst + " add %%rax, %%r8;" + " adcx %%rcx, %%r9;" + " movq %%r9, 8(%1);" + " adcx %%rcx, %%r10;" + " movq %%r10, 16(%1);" + " adcx %%rcx, %%r11;" + " movq %%r11, 24(%1);" + + // Step 3: Fold the carry bit back in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %%rdx, %%rax;" + " add %%rax, %%r8;" + " movq %%r8, 0(%1);" + : "+&r" (f), "+&r" (tmp) + : "r" (out) + : "%rax", "%rbx", "%rcx", "%rdx", "%r8", "%r9", "%r10", "%r11", "%r13", "%r14", "%r15", "memory", "cc" + ); +} + +// Computes two field squarings: +// out[0] <- f[0] * f[0] +// out[1] <- f[1] * f[1] +// Uses the 16-element buffer tmp for intermediate results +static inline void fsqr2 (uint64_t *out, uint64_t *f, uint64_t *tmp) +{ + asm volatile( + // Step 1: Compute all partial products + " movq 0(%0), %%rdx;" // f[0] + " mulxq 8(%0), %%r8, %%r14;" " xor %%r15d, %%r15d;" // f[1]*f[0] + " mulxq 16(%0), %%r9, %%r10;" " adcx %%r14, %%r9;" // f[2]*f[0] + " mulxq 24(%0), %%rax, %%rcx;" " adcx %%rax, %%r10;" // f[3]*f[0] + " movq 24(%0), %%rdx;" // f[3] + " mulxq 8(%0), %%r11, %%rbx;" " adcx %%rcx, %%r11;" // f[1]*f[3] + " mulxq 16(%0), %%rax, %%r13;" " adcx %%rax, %%rbx;" // f[2]*f[3] + " movq 8(%0), %%rdx;" " adcx %%r15, %%r13;" // f1 + " mulxq 16(%0), %%rax, %%rcx;" " mov $0, %%r14;" // f[2]*f[1] + + // Step 2: Compute two parallel carry chains + " xor %%r15d, %%r15d;" + " adox %%rax, %%r10;" + " adcx %%r8, %%r8;" + " adox %%rcx, %%r11;" + " adcx %%r9, %%r9;" + " adox %%r15, %%rbx;" + " adcx %%r10, %%r10;" + " adox %%r15, %%r13;" + " adcx %%r11, %%r11;" + " adox %%r15, %%r14;" + " adcx %%rbx, %%rbx;" + " adcx %%r13, %%r13;" + " adcx %%r14, %%r14;" + + // Step 3: Compute intermediate squares + " movq 0(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" 
// f[0]^2 + " movq %%rax, 0(%1);" + " add %%rcx, %%r8;" " movq %%r8, 8(%1);" + " movq 8(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[1]^2 + " adcx %%rax, %%r9;" " movq %%r9, 16(%1);" + " adcx %%rcx, %%r10;" " movq %%r10, 24(%1);" + " movq 16(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[2]^2 + " adcx %%rax, %%r11;" " movq %%r11, 32(%1);" + " adcx %%rcx, %%rbx;" " movq %%rbx, 40(%1);" + " movq 24(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[3]^2 + " adcx %%rax, %%r13;" " movq %%r13, 48(%1);" + " adcx %%rcx, %%r14;" " movq %%r14, 56(%1);" + + // Step 1: Compute all partial products + " movq 32(%0), %%rdx;" // f[0] + " mulxq 40(%0), %%r8, %%r14;" " xor %%r15d, %%r15d;" // f[1]*f[0] + " mulxq 48(%0), %%r9, %%r10;" " adcx %%r14, %%r9;" // f[2]*f[0] + " mulxq 56(%0), %%rax, %%rcx;" " adcx %%rax, %%r10;" // f[3]*f[0] + " movq 56(%0), %%rdx;" // f[3] + " mulxq 40(%0), %%r11, %%rbx;" " adcx %%rcx, %%r11;" // f[1]*f[3] + " mulxq 48(%0), %%rax, %%r13;" " adcx %%rax, %%rbx;" // f[2]*f[3] + " movq 40(%0), %%rdx;" " adcx %%r15, %%r13;" // f1 + " mulxq 48(%0), %%rax, %%rcx;" " mov $0, %%r14;" // f[2]*f[1] + + // Step 2: Compute two parallel carry chains + " xor %%r15d, %%r15d;" + " adox %%rax, %%r10;" + " adcx %%r8, %%r8;" + " adox %%rcx, %%r11;" + " adcx %%r9, %%r9;" + " adox %%r15, %%rbx;" + " adcx %%r10, %%r10;" + " adox %%r15, %%r13;" + " adcx %%r11, %%r11;" + " adox %%r15, %%r14;" + " adcx %%rbx, %%rbx;" + " adcx %%r13, %%r13;" + " adcx %%r14, %%r14;" + + // Step 3: Compute intermediate squares + " movq 32(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[0]^2 + " movq %%rax, 64(%1);" + " add %%rcx, %%r8;" " movq %%r8, 72(%1);" + " movq 40(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[1]^2 + " adcx %%rax, %%r9;" " movq %%r9, 80(%1);" + " adcx %%rcx, %%r10;" " movq %%r10, 88(%1);" + " movq 48(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[2]^2 + " adcx %%rax, %%r11;" " movq %%r11, 96(%1);" + " adcx %%rcx, %%rbx;" " movq %%rbx, 104(%1);" + " movq 56(%0), %%rdx;" " mulx 
%%rdx, %%rax, %%rcx;" // f[3]^2 + " adcx %%rax, %%r13;" " movq %%r13, 112(%1);" + " adcx %%rcx, %%r14;" " movq %%r14, 120(%1);" + + // Line up pointers + " mov %1, %0;" + " mov %2, %1;" + + // Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + " mov $38, %%rdx;" + " mulxq 32(%0), %%r8, %%r13;" + " xor %%ecx, %%ecx;" + " adoxq 0(%0), %%r8;" + " mulxq 40(%0), %%r9, %%rbx;" + " adcx %%r13, %%r9;" + " adoxq 8(%0), %%r9;" + " mulxq 48(%0), %%r10, %%r13;" + " adcx %%rbx, %%r10;" + " adoxq 16(%0), %%r10;" + " mulxq 56(%0), %%r11, %%rax;" + " adcx %%r13, %%r11;" + " adoxq 24(%0), %%r11;" + " adcx %%rcx, %%rax;" + " adox %%rcx, %%rax;" + " imul %%rdx, %%rax;" + + // Step 2: Fold the carry back into dst + " add %%rax, %%r8;" + " adcx %%rcx, %%r9;" + " movq %%r9, 8(%1);" + " adcx %%rcx, %%r10;" + " movq %%r10, 16(%1);" + " adcx %%rcx, %%r11;" + " movq %%r11, 24(%1);" + + // Step 3: Fold the carry bit back in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %%rdx, %%rax;" + " add %%rax, %%r8;" + " movq %%r8, 0(%1);" + + // Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + " mov $38, %%rdx;" + " mulxq 96(%0), %%r8, %%r13;" + " xor %%ecx, %%ecx;" + " adoxq 64(%0), %%r8;" + " mulxq 104(%0), %%r9, %%rbx;" + " adcx %%r13, %%r9;" + " adoxq 72(%0), %%r9;" + " mulxq 112(%0), %%r10, %%r13;" + " adcx %%rbx, %%r10;" + " adoxq 80(%0), %%r10;" + " mulxq 120(%0), %%r11, %%rax;" + " adcx %%r13, %%r11;" + " adoxq 88(%0), %%r11;" + " adcx %%rcx, %%rax;" + " adox %%rcx, %%rax;" + " imul %%rdx, %%rax;" + + // Step 2: Fold the carry back into dst + " add %%rax, %%r8;" + " adcx %%rcx, %%r9;" + " movq %%r9, 40(%1);" + " adcx %%rcx, %%r10;" + " movq %%r10, 48(%1);" + " adcx %%rcx, %%r11;" + " movq %%r11, 56(%1);" + + // Step 3: Fold the carry bit back in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %%rdx, %%rax;" + " add %%rax, %%r8;" + " movq %%r8, 32(%1);" + : "+&r" (f), "+&r" (tmp) + : "r" (out) + : "%rax", "%rbx", "%rcx", "%rdx", "%r8", "%r9", 
"%r10", "%r11", "%r13", "%r14", "%r15", "memory", "cc" + ); +} + +#endif /* defined(__x86_64__) || defined(_M_X64) */ +#endif /* __GNUC__ */ diff --git a/include/evercrypt_targetconfig.h b/include/evercrypt_targetconfig.h new file mode 100644 index 00000000..d6d7c032 --- /dev/null +++ b/include/evercrypt_targetconfig.h 
@@ -0,0 +1,56 @@
+#ifndef __EVERCRYPT_TARGETCONFIG_H
+#define __EVERCRYPT_TARGETCONFIG_H
+
+// Instead of listing the identifiers for the target architectures
+// then defining the constant TARGET_ARCHITECTURE in config.h, we might simply
+// define exactly one tag of the form TARGET_ARCHITECTURE_IS_... in config.h.
+// However, for maintenance purposes, we use the first method in
+// order to have all the possible values listed in one place.
+// Note that for now, the only important id is TARGET_ARCHITECTURE_ID_X64,
+// but the other ids might prove useful in the future if we make
+// the dynamic feature detection more precise (see the functions
+// has_vec128_not_avx/has_vec256_not_avx2 below).
+#define TARGET_ARCHITECTURE_ID_UNKNOWN 0
+#define TARGET_ARCHITECTURE_ID_X86 1
+#define TARGET_ARCHITECTURE_ID_X64 2
+#define TARGET_ARCHITECTURE_ID_ARM7 3
+#define TARGET_ARCHITECTURE_ID_ARM8 4
+#define TARGET_ARCHITECTURE_ID_SYSTEMZ 5
+#define TARGET_ARCHITECTURE_ID_POWERPC64 6
+
+#if defined(__has_include)
+#if __has_include("config.h")
+#include "config.h"
+#else
+#define TARGET_ARCHITECTURE TARGET_ARCHITECTURE_ID_UNKNOWN
+#endif
+#endif
+
+// Those functions are called on non-x64 platforms for which the feature detection
+// is not covered by vale's CPUID support; therefore, we hand-write in C ourselves.
+// For now, on non-x64 platforms, if we can compile 128-bit vector code, we can
+// also execute it; this is true of: Z, Power, ARM8. In the future, if we consider
+// cross-compilation scenarios, we'll have to refine this predicate; it could be the case,
+// for instance, that we want our code to run on old revisions of a system without
+// vector instructions, in which case we'll have to do run-time feature detection
+// in addition to compile-time detection.
+
+#include
+
+static inline bool has_vec128_not_avx () {
+#if (TARGET_ARCHITECTURE != TARGET_ARCHITECTURE_ID_X64) && HACL_CAN_COMPILE_VEC128
+ return true;
+#else
+ return false;
+#endif
+}
+
+static inline bool has_vec256_not_avx2 () {
+#if (TARGET_ARCHITECTURE != TARGET_ARCHITECTURE_ID_X64) && HACL_CAN_COMPILE_VEC256
+ return true;
+#else
+ return false;
+#endif
+}
+
+#endif
diff --git a/include/internal/Hacl_Bignum.h b/include/internal/Hacl_Bignum.h new file mode 100644 index 00000000..8d2dc606 --- /dev/null +++ b/include/internal/Hacl_Bignum.h
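Review bot: the `#if` inside `has_vec128_not_avx`/`has_vec256_not_avx2` reports vector support for any target that is not known to be x64, including an undefined or UNKNOWN one: when the compiler lacks `__has_include` the outer guard skips both the `config.h` include and the UNKNOWN fallback, `TARGET_ARCHITECTURE` stays undefined and evaluates to 0 in the preprocessor, so `TARGET_ARCHITECTURE != TARGET_ARCHITECTURE_ID_X64` holds and the answer depends only on `HACL_CAN_COMPILE_VEC128`/`_VEC256`. On an x64 build that would bypass the CPUID-based detection the comment says these helpers are not meant to replace, and the same is true when `config.h` is simply absent and the UNKNOWN (0) fallback is used. I would make the predicate require a known non-x64 target, `#if (TARGET_ARCHITECTURE != TARGET_ARCHITECTURE_ID_UNKNOWN) && (TARGET_ARCHITECTURE != TARGET_ARCHITECTURE_ID_X64) && HACL_CAN_COMPILE_VEC128` (likewise for VEC256), and move the UNKNOWN fallback out of the `__has_include` guard into an `#ifndef TARGET_ARCHITECTURE` block after it so every compiler reaches a defined value. A one-line comment above the helpers should also state that they are compile-time constants with no run-time probing, e.g. `// Compile-time only: true iff the build targets a known non-x64 architecture and vector code was compiled in; no CPUID/hwcap check is performed.` The bare `#include` before `has_vec128_not_avx` appears to have lost its header name in this rendering; given the `bool` return type it is presumably `<stdbool.h>`, worth confirming against the file.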
@@ -0,0 +1,367 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __internal_Hacl_Bignum_H +#define __internal_Hacl_Bignum_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "internal/Hacl_Kremlib.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Bignum_Base.h" +#include "evercrypt_targetconfig.h" +#include "lib_intrinsics.h" +#include "libintvector.h" +void Hacl_Bignum_Convert_bn_from_bytes_be_uint64(uint32_t len, uint8_t *b, uint64_t *res); + +void Hacl_Bignum_Convert_bn_to_bytes_be_uint64(uint32_t len, uint64_t *b, uint8_t *res); + +uint32_t Hacl_Bignum_Lib_bn_get_top_index_u32(uint32_t len, uint32_t *b); + +uint64_t Hacl_Bignum_Lib_bn_get_top_index_u64(uint32_t len, uint64_t *b); + +uint32_t +Hacl_Bignum_Addition_bn_sub_eq_len_u32(uint32_t aLen, uint32_t *a, uint32_t *b, uint32_t *res); + +uint64_t +Hacl_Bignum_Addition_bn_sub_eq_len_u64(uint32_t aLen, uint64_t *a, uint64_t *b, uint64_t *res); + +uint32_t +Hacl_Bignum_Addition_bn_add_eq_len_u32(uint32_t aLen, uint32_t *a, uint32_t *b, uint32_t *res); + +uint64_t +Hacl_Bignum_Addition_bn_add_eq_len_u64(uint32_t aLen, uint64_t *a, uint64_t *b, uint64_t *res); + +void +Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32( + uint32_t aLen, + uint32_t *a, + uint32_t *b, + uint32_t *tmp, + uint32_t *res +); + +void +Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64( + uint32_t aLen, + uint64_t *a, + uint64_t *b, + uint64_t *tmp, + uint64_t *res +); + +void +Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32( + uint32_t aLen, + uint32_t *a, + uint32_t *tmp, + uint32_t *res +); + +void +Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64( + uint32_t aLen, + uint64_t *a, + uint64_t *tmp, + uint64_t *res +); + +void +Hacl_Bignum_bn_add_mod_n_u32( + uint32_t len1, + uint32_t *n, + uint32_t *a, + uint32_t *b, + uint32_t *res +); + +void +Hacl_Bignum_bn_add_mod_n_u64( + uint32_t len1, + uint64_t *n, + uint64_t *a, + uint64_t *b, + uint64_t *res +); + +void 
+Hacl_Bignum_bn_sub_mod_n_u32( + uint32_t len1, + uint32_t *n, + uint32_t *a, + uint32_t *b, + uint32_t *res +); + +void +Hacl_Bignum_bn_sub_mod_n_u64( + uint32_t len1, + uint64_t *n, + uint64_t *a, + uint64_t *b, + uint64_t *res +); + +uint32_t Hacl_Bignum_ModInvLimb_mod_inv_uint32(uint32_t n0); + +uint64_t Hacl_Bignum_ModInvLimb_mod_inv_uint64(uint64_t n0); + +uint32_t Hacl_Bignum_Montgomery_bn_check_modulus_u32(uint32_t len, uint32_t *n); + +void +Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u32( + uint32_t len, + uint32_t nBits, + uint32_t *n, + uint32_t *res +); + +void +Hacl_Bignum_Montgomery_bn_mont_reduction_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv, + uint32_t *c, + uint32_t *res +); + +void +Hacl_Bignum_Montgomery_bn_to_mont_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv, + uint32_t *r2, + uint32_t *a, + uint32_t *aM +); + +void +Hacl_Bignum_Montgomery_bn_from_mont_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv_u64, + uint32_t *aM, + uint32_t *a +); + +void +Hacl_Bignum_Montgomery_bn_mont_mul_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv_u64, + uint32_t *aM, + uint32_t *bM, + uint32_t *resM +); + +void +Hacl_Bignum_Montgomery_bn_mont_sqr_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv_u64, + uint32_t *aM, + uint32_t *resM +); + +uint64_t Hacl_Bignum_Montgomery_bn_check_modulus_u64(uint32_t len, uint64_t *n); + +void +Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64( + uint32_t len, + uint32_t nBits, + uint64_t *n, + uint64_t *res +); + +void +Hacl_Bignum_Montgomery_bn_mont_reduction_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv, + uint64_t *c, + uint64_t *res +); + +void +Hacl_Bignum_Montgomery_bn_to_mont_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv, + uint64_t *r2, + uint64_t *a, + uint64_t *aM +); + +void +Hacl_Bignum_Montgomery_bn_from_mont_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv_u64, + uint64_t *aM, + uint64_t *a +); + +void +Hacl_Bignum_Montgomery_bn_mont_mul_u64( + uint32_t len, + uint64_t *n, + 
uint64_t nInv_u64, + uint64_t *aM, + uint64_t *bM, + uint64_t *resM +); + +void +Hacl_Bignum_Montgomery_bn_mont_sqr_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv_u64, + uint64_t *aM, + uint64_t *resM +); + +uint32_t +Hacl_Bignum_Exponentiation_bn_check_mod_exp_u32( + uint32_t len, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b +); + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u32( + uint32_t len, + uint32_t *n, + uint32_t mu, + uint32_t *r2, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u32( + uint32_t len, + uint32_t *n, + uint32_t mu, + uint32_t *r2, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u32( + uint32_t len, + uint32_t nBits, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_u32( + uint32_t len, + uint32_t nBits, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +uint64_t +Hacl_Bignum_Exponentiation_bn_check_mod_exp_u64( + uint32_t len, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b +); + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64( + uint32_t len, + uint64_t *n, + uint64_t mu, + uint64_t *r2, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u64( + uint32_t len, + uint64_t *n, + uint64_t mu, + uint64_t *r2, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u64( + uint32_t len, + uint32_t nBits, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_u64( + uint32_t len, + uint32_t nBits, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t 
*res +); + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Bignum_H_DEFINED +#endif diff --git a/include/internal/Hacl_Chacha20.h b/include/internal/Hacl_Chacha20.h new file mode 100644 index 00000000..2a440491 --- /dev/null +++ b/include/internal/Hacl_Chacha20.h 
@@ -0,0 +1,61 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __internal_Hacl_Chacha20_H +#define __internal_Hacl_Chacha20_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "../Hacl_Chacha20.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +extern const uint32_t Hacl_Impl_Chacha20_Vec_chacha20_constants[4U]; + +void Hacl_Impl_Chacha20_chacha20_init(uint32_t *ctx, uint8_t *k, uint8_t *n, uint32_t ctr); + +void +Hacl_Impl_Chacha20_chacha20_encrypt_block( + uint32_t *ctx, + uint8_t *out, + uint32_t incr, + uint8_t *text +); + +void +Hacl_Impl_Chacha20_chacha20_update(uint32_t *ctx, uint32_t len, uint8_t *out, uint8_t *text); + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Chacha20_H_DEFINED +#endif diff --git a/include/internal/Hacl_Curve25519_51.h b/include/internal/Hacl_Curve25519_51.h new file mode 100644 index 00000000..c3304756 --- /dev/null +++ b/include/internal/Hacl_Curve25519_51.h 
@@ -0,0 +1,57 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __internal_Hacl_Curve25519_51_H +#define __internal_Hacl_Curve25519_51_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "internal/Hacl_Kremlib.h" +#include "../Hacl_Curve25519_51.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Curve25519_51_fsquare_times( + uint64_t *o, + uint64_t *inp, + FStar_UInt128_uint128 *tmp, + uint32_t n +); + +void Hacl_Curve25519_51_finv(uint64_t *o, uint64_t *i, FStar_UInt128_uint128 *tmp); + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Curve25519_51_H_DEFINED +#endif 
diff --git a/include/internal/Hacl_Ed25519.h b/include/internal/Hacl_Ed25519.h new file mode 100644 index 00000000..baf147a5 --- /dev/null +++ b/include/internal/Hacl_Ed25519.h 
@@ -0,0 +1,69 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __internal_Hacl_Ed25519_H +#define __internal_Hacl_Ed25519_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Hash_SHA2.h" +#include "internal/Hacl_Curve25519_51.h" +#include "../Hacl_Ed25519.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void Hacl_Bignum25519_reduce_513(uint64_t *a); + +void Hacl_Bignum25519_inverse(uint64_t *out, uint64_t *a); + +void Hacl_Bignum25519_load_51(uint64_t *output, uint8_t *input); + +void Hacl_Bignum25519_store_51(uint8_t *output, uint64_t *input); + +void Hacl_Impl_Ed25519_PointAdd_point_add(uint64_t *out, uint64_t *p, uint64_t *q); + +void Hacl_Impl_Ed25519_Ladder_point_mul(uint64_t *result, uint8_t *scalar, uint64_t *q); + +void Hacl_Impl_Ed25519_PointCompress_point_compress(uint8_t *z, uint64_t *p); + +bool Hacl_Impl_Ed25519_PointDecompress_point_decompress(uint64_t *out, uint8_t *s); + +bool Hacl_Impl_Ed25519_PointEqual_point_equal(uint64_t *p, uint64_t *q); + +void Hacl_Impl_Ed25519_PointNegate_point_negate(uint64_t *p, uint64_t *out); + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Ed25519_H_DEFINED +#endif diff --git a/include/internal/Hacl_Frodo_KEM.h b/include/internal/Hacl_Frodo_KEM.h new file mode 100644 index 00000000..3e1d36e2 --- /dev/null +++ b/include/internal/Hacl_Frodo_KEM.h 
@@ -0,0 +1,49 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __internal_Hacl_Frodo_KEM_H +#define __internal_Hacl_Frodo_KEM_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "internal/Hacl_Kremlib.h" +#include "../Hacl_Frodo_KEM.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void randombytes_(uint32_t len, uint8_t *res); + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Frodo_KEM_H_DEFINED +#endif diff --git a/include/internal/Hacl_HMAC.h b/include/internal/Hacl_HMAC.h new file mode 100644 index 00000000..1e29b87f --- /dev/null +++ b/include/internal/Hacl_HMAC.h 
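Review bot: `randombytes_(uint32_t len, uint8_t *res)` returns `void`, so the KEM code that calls it for key generation and encapsulation has no way to learn that the entropy source failed or returned short; the implementation is not in this hunk, so whether it aborts on failure cannot be confirmed from here. If it can return without fully filling `res`, the caller proceeds with a partially uninitialised secret, which is the classic RNG-failure pitfall, so the implementation should abort (or the signature should return a status) and the header should state that contract, e.g. `/* Fills res[0..len) with cryptographically secure random bytes. Must not return on failure: callers cannot detect a short or failed read. */`. As this header looks KreMLin-generated, the comment belongs in the F* interface it is extracted from rather than in the emitted C.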
@@ -0,0 +1,63 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __internal_Hacl_HMAC_H +#define __internal_Hacl_HMAC_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "internal/Hacl_Hash_SHA2.h" +#include "internal/Hacl_Hash_SHA1.h" +#include "internal/Hacl_Hash_Blake2.h" +#include "../Hacl_HMAC.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef struct K____uint32_t__uint64_t_s +{ + uint32_t *fst; + uint64_t snd; +} +K____uint32_t__uint64_t; + +typedef struct K____uint64_t__FStar_UInt128_uint128_s +{ + uint64_t *fst; + FStar_UInt128_uint128 snd; +} +K____uint64_t__FStar_UInt128_uint128; + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_HMAC_H_DEFINED +#endif diff --git a/include/internal/Hacl_Hash_Blake2.h b/include/internal/Hacl_Hash_Blake2.h new file mode 100644 index 00000000..2491c7d3 --- /dev/null +++ b/include/internal/Hacl_Hash_Blake2.h 
@@ -0,0 +1,124 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __internal_Hacl_Hash_Blake2_H +#define __internal_Hacl_Hash_Blake2_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "internal/Hacl_Kremlib.h" +#include "../Hacl_Hash_Blake2.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint64_t Hacl_Hash_Core_Blake2_update_blake2s_32(uint32_t *s, uint64_t totlen, uint8_t *block); + +void Hacl_Hash_Core_Blake2_finish_blake2s_32(uint32_t *s, uint64_t ev, uint8_t *dst); + +FStar_UInt128_uint128 +Hacl_Hash_Core_Blake2_update_blake2b_32( + uint64_t *s, + FStar_UInt128_uint128 totlen, + uint8_t *block +); + +void +Hacl_Hash_Core_Blake2_finish_blake2b_32(uint64_t *s, FStar_UInt128_uint128 ev, uint8_t *dst); + +uint64_t +Hacl_Hash_Blake2_update_multi_blake2s_32( + uint32_t *s, + uint64_t ev, + uint8_t *blocks, + uint32_t n_blocks +); + +FStar_UInt128_uint128 +Hacl_Hash_Blake2_update_multi_blake2b_32( + uint64_t *s, + FStar_UInt128_uint128 ev, + uint8_t *blocks, + uint32_t n_blocks +); + +typedef struct K___uint32_t_uint32_t_uint32_t__uint8_t___uint8_t__s +{ + uint32_t fst; + uint32_t snd; + uint32_t thd; + uint8_t *f3; + uint8_t *f4; +} +K___uint32_t_uint32_t_uint32_t__uint8_t___uint8_t_; + +typedef struct K___uint32_t_uint32_t_uint32_t_s +{ + uint32_t fst; + uint32_t snd; + uint32_t thd; +} +K___uint32_t_uint32_t_uint32_t; + +uint64_t +Hacl_Hash_Blake2_update_last_blake2s_32( + uint32_t *s, + uint64_t ev, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +); + +FStar_UInt128_uint128 +Hacl_Hash_Blake2_update_last_blake2b_32( + uint64_t *s, + FStar_UInt128_uint128 ev, + FStar_UInt128_uint128 prev_len, + uint8_t *input, + uint32_t input_len +); + +void Hacl_Hash_Blake2_hash_blake2s_32(uint8_t *input, uint32_t input_len, uint8_t *dst); + +void Hacl_Hash_Blake2_hash_blake2b_32(uint8_t *input, uint32_t input_len, uint8_t *dst); + +typedef struct 
K___uint32_t_uint32_t_s +{ + uint32_t fst; + uint32_t snd; +} +K___uint32_t_uint32_t; + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Hash_Blake2_H_DEFINED +#endif diff --git a/include/internal/Hacl_Hash_Blake2b_256.h b/include/internal/Hacl_Hash_Blake2b_256.h new file mode 100644 index 00000000..bfe35db2 --- /dev/null +++ b/include/internal/Hacl_Hash_Blake2b_256.h 
@@ -0,0 +1,74 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __internal_Hacl_Hash_Blake2b_256_H +#define __internal_Hacl_Hash_Blake2b_256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Hash_Blake2.h" +#include "../Hacl_Hash_Blake2b_256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Hash_Blake2b_256_finish_blake2b_256( + Lib_IntVector_Intrinsics_vec256 *s, + FStar_UInt128_uint128 ev, + uint8_t *dst +); + +FStar_UInt128_uint128 +Hacl_Hash_Blake2b_256_update_multi_blake2b_256( + Lib_IntVector_Intrinsics_vec256 *s, + FStar_UInt128_uint128 ev, + uint8_t *blocks, + uint32_t n_blocks +); + +FStar_UInt128_uint128 +Hacl_Hash_Blake2b_256_update_last_blake2b_256( + Lib_IntVector_Intrinsics_vec256 *s, + FStar_UInt128_uint128 ev, + FStar_UInt128_uint128 prev_len, + uint8_t *input, + uint32_t input_len +); + +void Hacl_Hash_Blake2b_256_hash_blake2b_256(uint8_t *input, uint32_t input_len, uint8_t *dst); + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Hash_Blake2b_256_H_DEFINED +#endif diff --git a/include/internal/Hacl_Hash_Blake2s_128.h b/include/internal/Hacl_Hash_Blake2s_128.h new file mode 100644 index 00000000..4abb2415 --- /dev/null +++ b/include/internal/Hacl_Hash_Blake2s_128.h 
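Review bot: None of the four declarations states the buffer contract: `s` is a `Lib_IntVector_Intrinsics_vec256 *` with no element count, `update_multi_blake2b_256` takes `n_blocks` without saying how many bytes of `blocks` that implies, and `update_last_blake2b_256` gives no relation between `prev_len`, `input_len` and the caller's buffer. A one-line comment per prototype naming the required length of `s`, `blocks`, `input` and `dst` would let callers size allocations from the header instead of the F* source; the same applies to the Blake2s_128 header in the next hunk.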
@@ -0,0 +1,74 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __internal_Hacl_Hash_Blake2s_128_H +#define __internal_Hacl_Hash_Blake2s_128_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Hash_Blake2.h" +#include "../Hacl_Hash_Blake2s_128.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Hash_Blake2s_128_finish_blake2s_128( + Lib_IntVector_Intrinsics_vec128 *s, + uint64_t ev, + uint8_t *dst +); + +uint64_t +Hacl_Hash_Blake2s_128_update_multi_blake2s_128( + Lib_IntVector_Intrinsics_vec128 *s, + uint64_t ev, + uint8_t *blocks, + uint32_t n_blocks +); + +uint64_t +Hacl_Hash_Blake2s_128_update_last_blake2s_128( + Lib_IntVector_Intrinsics_vec128 *s, + uint64_t ev, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +); + +void Hacl_Hash_Blake2s_128_hash_blake2s_128(uint8_t *input, uint32_t input_len, uint8_t *dst); + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Hash_Blake2s_128_H_DEFINED +#endif diff --git a/include/internal/Hacl_Hash_MD5.h b/include/internal/Hacl_Hash_MD5.h new file mode 100644 index 00000000..bd9f2278 --- /dev/null +++ b/include/internal/Hacl_Hash_MD5.h 
@@ -0,0 +1,52 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __internal_Hacl_Hash_MD5_H +#define __internal_Hacl_Hash_MD5_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "../Hacl_Hash_MD5.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void Hacl_Hash_Core_MD5_legacy_init(uint32_t *s); + +void Hacl_Hash_Core_MD5_legacy_update(uint32_t *abcd, uint8_t *x); + +void Hacl_Hash_Core_MD5_legacy_finish(uint32_t *s, uint8_t *dst); + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Hash_MD5_H_DEFINED +#endif diff --git a/include/internal/Hacl_Hash_SHA1.h b/include/internal/Hacl_Hash_SHA1.h new file mode 100644 index 00000000..b387630e --- /dev/null 
+++ b/include/internal/Hacl_Hash_SHA1.h @@ -0,0 +1,52 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __internal_Hacl_Hash_SHA1_H +#define __internal_Hacl_Hash_SHA1_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "../Hacl_Hash_SHA1.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void Hacl_Hash_Core_SHA1_legacy_init(uint32_t *s); + +void Hacl_Hash_Core_SHA1_legacy_update(uint32_t *h, uint8_t *l); + +void Hacl_Hash_Core_SHA1_legacy_finish(uint32_t *s, uint8_t *dst); + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Hash_SHA1_H_DEFINED +#endif 
diff --git a/include/internal/Hacl_Hash_SHA2.h b/include/internal/Hacl_Hash_SHA2.h
new file mode 100644
index 00000000..9bd45e4d
--- /dev/null
+++ b/include/internal/Hacl_Hash_SHA2.h
@@ -0,0 +1,68 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __internal_Hacl_Hash_SHA2_H +#define __internal_Hacl_Hash_SHA2_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "../Hacl_Hash_SHA2.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void Hacl_Hash_Core_SHA2_init_224(uint32_t *s); + +void Hacl_Hash_Core_SHA2_init_256(uint32_t *s); + +void Hacl_Hash_Core_SHA2_init_384(uint64_t *s); + +void Hacl_Hash_Core_SHA2_init_512(uint64_t *s); + +void Hacl_Hash_Core_SHA2_update_384(uint64_t *hash, uint8_t *block); + +void Hacl_Hash_Core_SHA2_update_512(uint64_t *hash, uint8_t *block); + +void Hacl_Hash_Core_SHA2_pad_256(uint64_t len, uint8_t *dst); + +void Hacl_Hash_Core_SHA2_finish_224(uint32_t *s, uint8_t *dst); + +void Hacl_Hash_Core_SHA2_finish_256(uint32_t *s, uint8_t *dst); + +void Hacl_Hash_Core_SHA2_finish_384(uint64_t *s, uint8_t *dst); + +void Hacl_Hash_Core_SHA2_finish_512(uint64_t *s, uint8_t *dst); + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Hash_SHA2_H_DEFINED +#endif diff --git a/include/internal/Hacl_Kremlib.h b/include/internal/Hacl_Kremlib.h new file mode 100644 index 00000000..97939c02 --- /dev/null +++ b/include/internal/Hacl_Kremlib.h 
@@ -0,0 +1,48 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __internal_Hacl_Kremlib_H +#define __internal_Hacl_Kremlib_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "../Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t LowStar_Vector_new_capacity(uint32_t cap); + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Kremlib_H_DEFINED +#endif diff --git a/include/internal/Hacl_P256.h b/include/internal/Hacl_P256.h new file mode 100644 index 00000000..8ee3d467 --- /dev/null +++ b/include/internal/Hacl_P256.h 
@@ -0,0 +1,66 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __internal_Hacl_P256_H +#define __internal_Hacl_P256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "internal/Hacl_Spec.h" +#include "internal/Hacl_Kremlib.h" +#include "../Hacl_P256.h" +#include "evercrypt_targetconfig.h" +#include "lib_intrinsics.h" +#include "libintvector.h" +void Hacl_Impl_P256_LowLevel_toUint8(uint64_t *i, uint8_t *o); + +void Hacl_Impl_P256_LowLevel_changeEndian(uint64_t *i); + +void Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(uint8_t *i, uint64_t *o); + +uint64_t Hacl_Impl_P256_Core_isPointAtInfinityPrivate(uint64_t *p); + +void +Hacl_Impl_P256_Core_secretToPublic(uint64_t *result, uint8_t *scalar, uint64_t *tempBuffer); + +/* + The pub(lic)_key input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over this variable. +*/ +uint64_t Hacl_Impl_P256_DH__ecp256dh_r(uint64_t *result, uint64_t *pubKey, uint8_t *scalar); + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_P256_H_DEFINED +#endif diff --git a/include/internal/Hacl_Poly1305_128.h b/include/internal/Hacl_Poly1305_128.h new file mode 100644 index 00000000..838b4048 --- /dev/null +++ b/include/internal/Hacl_Poly1305_128.h 
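Review bot: The secret-independence note above `Hacl_Impl_P256_DH__ecp256dh_r` is the only contract in this header, and it says what is public but not what is secret. `Hacl_Impl_P256_Core_secretToPublic` also takes `scalar` and a `tempBuffer` with no statement of which inputs are treated as secret or how many limbs `result` and `tempBuffer` must hold, and `toUint8`, `changeEndian` and `toUint64ChangeEndian` give no element count for `i`/`o`. A short comment per declaration stating the required buffer lengths (in limbs or bytes) and that `scalar` is handled as secret data would let callers check their allocations against the header rather than against the F* source.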
@@ -0,0 +1,55 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __internal_Hacl_Poly1305_128_H +#define __internal_Hacl_Poly1305_128_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "../Hacl_Poly1305_128.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Impl_Poly1305_Field32xN_128_load_acc2(Lib_IntVector_Intrinsics_vec128 *acc, uint8_t *b); + +void +Hacl_Impl_Poly1305_Field32xN_128_fmul_r2_normalize( + Lib_IntVector_Intrinsics_vec128 *out, + Lib_IntVector_Intrinsics_vec128 *p +); + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Poly1305_128_H_DEFINED +#endif 
diff --git a/include/internal/Hacl_Poly1305_256.h b/include/internal/Hacl_Poly1305_256.h
new file mode 100644
index 00000000..ac635802
--- /dev/null
+++ b/include/internal/Hacl_Poly1305_256.h
@@ -0,0 +1,55 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __internal_Hacl_Poly1305_256_H +#define __internal_Hacl_Poly1305_256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "../Hacl_Poly1305_256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Impl_Poly1305_Field32xN_256_load_acc4(Lib_IntVector_Intrinsics_vec256 *acc, uint8_t *b); + +void +Hacl_Impl_Poly1305_Field32xN_256_fmul_r4_normalize( + Lib_IntVector_Intrinsics_vec256 *out, + Lib_IntVector_Intrinsics_vec256 *p +); + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Poly1305_256_H_DEFINED +#endif 
diff --git a/include/internal/Hacl_SHA2_Vec128.h b/include/internal/Hacl_SHA2_Vec128.h
new file mode 100644
index 00000000..09979844
--- /dev/null
+++ b/include/internal/Hacl_SHA2_Vec128.h
@@ -0,0 +1,76 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __internal_Hacl_SHA2_Vec128_H +#define __internal_Hacl_SHA2_Vec128_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include +#include "kremlin/internal/target.h" + + +#include "../Hacl_SHA2_Vec128.h" + +typedef struct K____uint8_t___uint8_t__s +{ + uint8_t *fst; + uint8_t *snd; +} +K____uint8_t___uint8_t_; + +typedef struct K____uint8_t__K____uint8_t___uint8_t__s +{ + uint8_t *fst; + K____uint8_t___uint8_t_ snd; +} +K____uint8_t__K____uint8_t___uint8_t_; + +typedef struct K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__s +{ + uint8_t *fst; + K____uint8_t__K____uint8_t___uint8_t_ snd; +} +K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_; + +typedef struct +K___K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__s +{ + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ fst; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ snd; +} +K___K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_; + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_SHA2_Vec128_H_DEFINED +#endif diff --git a/include/internal/Hacl_SHA2_Vec256.h b/include/internal/Hacl_SHA2_Vec256.h new file mode 100644 index 00000000..a0a9e228 --- /dev/null +++ b/include/internal/Hacl_SHA2_Vec256.h 
@@ -0,0 +1,75 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __internal_Hacl_SHA2_Vec256_H +#define __internal_Hacl_SHA2_Vec256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "../Hacl_SHA2_Vec256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef struct K____uint8_t___uint8_t__s +{ + uint8_t *fst; + uint8_t *snd; +} +K____uint8_t___uint8_t_; + +typedef struct K____uint8_t__K____uint8_t___uint8_t__s +{ + uint8_t *fst; + K____uint8_t___uint8_t_ snd; +} +K____uint8_t__K____uint8_t___uint8_t_; + +typedef struct K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__s +{ + uint8_t *fst; + K____uint8_t__K____uint8_t___uint8_t_ snd; +} +K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_; + +typedef struct +K___K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__s +{ + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ fst; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ snd; +} +K___K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_; + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_SHA2_Vec256_H_DEFINED +#endif diff --git a/include/internal/Hacl_Spec.h b/include/internal/Hacl_Spec.h new file mode 100644 index 00000000..51002a18 --- /dev/null +++ b/include/internal/Hacl_Spec.h 
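Review bot: The four tuple structs here (`K____uint8_t___uint8_t__s` through `K___K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__s`) are the same definitions, tag for tag, as in include/internal/Hacl_SHA2_Vec128.h in the previous hunk. C11 allows a typedef to be repeated with the same type, but redefining a struct tag in one translation unit is a constraint violation, so any .c file that includes both internal headers will fail to compile; if that cannot happen by construction, a comment saying the two headers are mutually exclusive would record it, otherwise the definitions belong in one shared internal header. The include order also differs between the two files: Hacl_SHA2_Vec128.h lists `evercrypt_targetconfig.h` and `libintvector.h` before the kremlin headers, while this file and every other internal header in the commit list them last; unless that ordering is deliberate, aligning it keeps the generated headers uniform.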
@@ -0,0 +1,61 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __internal_Hacl_Spec_H
+#define __internal_Hacl_Spec_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include 
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "../Hacl_Spec.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+#define Spec_ECDSA_NoHash 0
+#define Spec_ECDSA_Hash 1
+
+typedef uint8_t Spec_ECDSA_hash_alg_ecdsa_tags;
+
+typedef struct Spec_ECDSA_hash_alg_ecdsa_s
+{
+ Spec_ECDSA_hash_alg_ecdsa_tags tag;
+ Spec_Hash_Definitions_hash_alg _0;
+}
+Spec_ECDSA_hash_alg_ecdsa;
+
+Spec_Agile_Cipher_cipher_alg
+Spec_Cipher_Expansion_cipher_alg_of_impl(Spec_Cipher_Expansion_impl i);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Hacl_Spec_H_DEFINED
+#endif
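Review bot: `Spec_ECDSA_NoHash` and `Spec_ECDSA_Hash` are plain `#define`s used as values of `Spec_ECDSA_hash_alg_ecdsa_tags`, and nothing states when the `_0` member of `Spec_ECDSA_hash_alg_ecdsa` carries a meaningful value. If, as the NoHash/Hash tags suggest, `_0` is only valid when `tag == Spec_ECDSA_Hash`, a comment on the struct such as `/* _0 is the hash algorithm; only meaningful when tag == Spec_ECDSA_Hash */` makes that tagged-union contract explicit for the code that reads it. The two tag values could also be an enum tied to the typedef, but the macro form is presumably what the extraction tool emits, so a comment is the minimal change.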
diff --git a/include/internal/Vale.h b/include/internal/Vale.h
new file mode 100644
index 00000000..fae8b9f3
--- /dev/null
+++ b/include/internal/Vale.h
@@ -0,0 +1,216 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __internal_Vale_H +#define __internal_Vale_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +extern uint64_t add_scalar_e(uint64_t *x0, uint64_t *x1, uint64_t x2); + +extern uint64_t fadd_e(uint64_t *x0, uint64_t *x1, uint64_t *x2); + +extern uint64_t sha256_update(uint32_t *x0, uint8_t *x1, uint64_t x2, uint32_t *x3); + +extern uint64_t x64_poly1305(uint8_t *x0, uint8_t *x1, uint64_t x2, uint64_t x3); + +extern uint64_t check_aesni(); + +extern uint64_t check_sha(); + +extern uint64_t check_adx_bmi2(); + +extern uint64_t check_avx(); + +extern uint64_t check_avx2(); + +extern uint64_t check_movbe(); + +extern uint64_t check_sse(); + +extern uint64_t check_rdrand(); + +extern uint64_t check_avx512(); + +extern uint64_t check_osxsave(); + +extern uint64_t check_avx_xcr0(); + +extern uint64_t check_avx512_xcr0(); + +extern uint64_t cswap2_e(uint64_t x0, uint64_t *x1, uint64_t *x2); + +extern uint64_t fsqr_e(uint64_t *x0, uint64_t *x1, uint64_t *x2); + +extern uint64_t fsqr2_e(uint64_t *x0, uint64_t *x1, uint64_t *x2); + +extern uint64_t fmul_e(uint64_t *x0, uint64_t *x1, uint64_t *x2, uint64_t *x3); + +extern uint64_t fmul2_e(uint64_t *x0, uint64_t *x1, uint64_t *x2, uint64_t *x3); + +extern uint64_t fmul_scalar_e(uint64_t *x0, uint64_t *x1, uint64_t x2); + +extern uint64_t fsub_e(uint64_t *x0, uint64_t *x1, uint64_t *x2); + +extern uint64_t +gcm128_decrypt_opt( + uint8_t *x0, + uint64_t x1, + uint64_t x2, + uint8_t *x3, + uint8_t *x4, + uint8_t *x5, + uint8_t *x6, + uint8_t *x7, + uint8_t *x8, + uint64_t x9, + uint8_t *x10, + uint8_t *x11, + uint64_t x12, + uint8_t *x13, + uint64_t x14, + uint8_t *x15, + uint8_t *x16 +); + +extern uint64_t +gcm256_decrypt_opt( + uint8_t *x0, + uint64_t x1, + uint64_t x2, + uint8_t *x3, + uint8_t *x4, + uint8_t *x5, + 
uint8_t *x6, + uint8_t *x7, + uint8_t *x8, + uint64_t x9, + uint8_t *x10, + uint8_t *x11, + uint64_t x12, + uint8_t *x13, + uint64_t x14, + uint8_t *x15, + uint8_t *x16 +); + +extern uint64_t aes128_key_expansion(uint8_t *x0, uint8_t *x1); + +extern uint64_t aes256_key_expansion(uint8_t *x0, uint8_t *x1); + +extern uint64_t +compute_iv_stdcall( + uint8_t *x0, + uint64_t x1, + uint64_t x2, + uint8_t *x3, + uint8_t *x4, + uint8_t *x5 +); + +extern uint64_t +gcm128_encrypt_opt( + uint8_t *x0, + uint64_t x1, + uint64_t x2, + uint8_t *x3, + uint8_t *x4, + uint8_t *x5, + uint8_t *x6, + uint8_t *x7, + uint8_t *x8, + uint64_t x9, + uint8_t *x10, + uint8_t *x11, + uint64_t x12, + uint8_t *x13, + uint64_t x14, + uint8_t *x15, + uint8_t *x16 +); + +extern uint64_t +gcm256_encrypt_opt( + uint8_t *x0, + uint64_t x1, + uint64_t x2, + uint8_t *x3, + uint8_t *x4, + uint8_t *x5, + uint8_t *x6, + uint8_t *x7, + uint8_t *x8, + uint64_t x9, + uint8_t *x10, + uint8_t *x11, + uint64_t x12, + uint8_t *x13, + uint64_t x14, + uint8_t *x15, + uint8_t *x16 +); + +extern uint64_t aes128_keyhash_init(uint8_t *x0, uint8_t *x1); + +extern uint64_t aes256_keyhash_init(uint8_t *x0, uint8_t *x1); + +extern uint64_t +gctr128_bytes( + uint8_t *x0, + uint64_t x1, + uint8_t *x2, + uint8_t *x3, + uint8_t *x4, + uint8_t *x5, + uint64_t x6 +); + +extern uint64_t +gctr256_bytes( + uint8_t *x0, + uint64_t x1, + uint8_t *x2, + uint8_t *x3, + uint8_t *x4, + uint8_t *x5, + uint64_t x6 +); + +#if defined(__cplusplus) +} +#endif + +#define __internal_Vale_H_DEFINED +#endif diff --git a/include/lib_intrinsics.h b/include/lib_intrinsics.h new file mode 100644 index 00000000..0c35026e --- /dev/null +++ b/include/lib_intrinsics.h 
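Review bot: The CPU-feature probes are declared with empty parameter lists, e.g. `extern uint64_t check_aesni();`, which in C11 is an old-style declaration with no prototype, so a call with stray arguments is not diagnosed; declare them as `extern uint64_t check_aesni(void);` (likewise check_sha, check_adx_bmi2, check_avx, check_avx2, check_movbe, check_sse, check_rdrand, check_avx512, check_osxsave, check_avx_xcr0 and check_avx512_xcr0). Separately, every routine from add_scalar_e to gctr256_bytes is declared with positional names x0…x16 and no comment, so a reader of gcm128_encrypt_opt cannot tell from the header which `uint8_t *` is which buffer or which `uint64_t` is a length in bytes versus blocks; a comment per declaration naming each parameter and the length it must satisfy would make a mis-sized call visible at review time. The `extern` on function declarations is redundant and is not used by the other internal headers in this commit.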
@@ -0,0 +1,83 @@
+#pragma once
+
+#include
+
+#if defined(__has_include)
+#if __has_include("config.h")
+#include "config.h"
+#endif
+#endif
+
+#if defined(HACL_CAN_COMPILE_INTRINSICS)
+#if defined(_MSC_VER)
+#include
+#else
+#include
+#endif
+#endif
+
+#if !defined(HACL_CAN_COMPILE_INTRINSICS)
+
+#include "Hacl_IntTypes_Intrinsics.h"
+
+#if defined(HACL_CAN_COMPILE_UINT128)
+
+#include "Hacl_IntTypes_Intrinsics_128.h"
+
+#define Lib_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4) \
+ (Hacl_IntTypes_Intrinsics_128_add_carry_u64(x1, x2, x3, x4))
+
+#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \
+ (Hacl_IntTypes_Intrinsics_128_sub_borrow_u64(x1, x2, x3, x4))
+
+#else
+
+#define Lib_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4) \
+ (Hacl_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4))
+
+#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \
+ (Hacl_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4))
+
+#endif // defined(HACL_CAN_COMPILE_UINT128)
+
+#define Lib_IntTypes_Intrinsics_add_carry_u32(x1, x2, x3, x4) \
+ (Hacl_IntTypes_Intrinsics_add_carry_u32(x1, x2, x3, x4))
+
+#define Lib_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4) \
+ (Hacl_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4))
+
+#else // !defined(HACL_CAN_COMPILE_INTRINSICS)
+
+#define Lib_IntTypes_Intrinsics_add_carry_u32(x1, x2, x3, x4) \
+ (_addcarry_u32(x1, x2, x3, (unsigned int *) x4))
+
+#define Lib_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4) \
+ (_addcarry_u64(x1, x2, x3, (long long unsigned int *) x4))
+
+
+/*
+ GCC versions prior to 7.2 pass arguments to _subborrow_u{32,64}
+ in an incorrect order.
+
+ See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81294
+*/
+#if defined(__GNUC__) && !defined (__clang__) && \
+ (__GNUC__ < 7 || (__GNUC__ == 7 && (__GNUC_MINOR__ < 2)))
+
+#define Lib_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4) \
+ (_subborrow_u32(x1, x3, x2, (unsigned int *) x4))
+
+#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \
+ (_subborrow_u64(x1, x3, x2, (long long unsigned int *) x4))
+
+#else
+
+#define Lib_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4) \
+ (_subborrow_u32(x1, x2, x3, (unsigned int *) x4))
+
+#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \
+ (_subborrow_u64(x1, x2, x3, (long long unsigned int *) x4))
+
+#endif // GCC < 7.2
+
+#endif // !HACL_CAN_COMPILE_INTRINSICS
diff --git a/include/libintvector.h b/include/libintvector.h
new file mode 100644
index 00000000..fe2ba5eb
--- /dev/null
+++ b/include/libintvector.h
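Review bot: The intrinsic-backed wrappers in the `#else // !defined(HACL_CAN_COMPILE_INTRINSICS)` branch forward their arguments unparenthesized and cast only the token `x4`, so `(unsigned int *) x4` applies to whatever expression a caller happens to pass rather than to the whole argument; the usual macro hygiene is `#define Lib_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4) \` / `  (_addcarry_u64((x1), (x2), (x3), (unsigned long long *)(x4)))`, and the same for `add_carry_u32` and the four `_subborrow` definitions. The `(long long unsigned int *)` cast also deserves a why-comment: on LP64 targets `uint64_t` is typically `unsigned long`, so the carry-out is stored through a pointer of a type different from the caller's object and this relies on the compiler treating the builtin's pointee leniently — something like `/* intrinsic prototype wants unsigned long long *; uint64_t may be unsigned long on LP64 — same 8-byte object */` would spare the next reader the investigation. The same unparenthesized style recurs throughout the libintvector.h hunk that follows, where it has already produced a precedence slip in `Lib_IntVector_Intrinsics_vec256_rotate_right_lanes32`: `(x1+3%8)` is not the `((x1)+3)%8` its sibling indices `(x1+2)%8` and `(x1+4)%8` use.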
@@ -0,0 +1,937 @@ +#ifndef __Vec_Intrin_H +#define __Vec_Intrin_H + +#include + +/* We include config.h here to ensure that the various feature-flags are + * properly brought into scope. Users can either run the configure script, or + * write a config.h themselves and put it under version control. */ +#if defined(__has_include) +#if __has_include("config.h") +#include "config.h" +#endif +#endif + +/* # DEBUGGING: + * ============ + * It is possible to debug the current definitions by using libintvector_debug.h + * See the include at the bottom of the file. */ + +#define Lib_IntVector_Intrinsics_bit_mask64(x) -((x) & 1) + +#if defined(__x86_64__) || defined(_M_X64) + +#if defined(HACL_CAN_COMPILE_VEC128) + +#include +#include +#include + +typedef __m128i Lib_IntVector_Intrinsics_vec128; + +#define Lib_IntVector_Intrinsics_ni_aes_enc(x0, x1) \ + (_mm_aesenc_si128(x0, x1)) + +#define Lib_IntVector_Intrinsics_ni_aes_enc_last(x0, x1) \ + (_mm_aesenclast_si128(x0, x1)) + +#define Lib_IntVector_Intrinsics_ni_aes_keygen_assist(x0, x1) \ + (_mm_aeskeygenassist_si128(x0, x1)) + +#define Lib_IntVector_Intrinsics_ni_clmul(x0, x1, x2) \ + (_mm_clmulepi64_si128(x0, x1, x2)) + + +#define Lib_IntVector_Intrinsics_vec128_xor(x0, x1) \ + (_mm_xor_si128(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_eq64(x0, x1) \ + (_mm_cmpeq_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_eq32(x0, x1) \ + (_mm_cmpeq_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_gt64(x0, x1) \ + (_mm_cmpgt_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_gt32(x0, x1) \ + (_mm_cmpgt_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_or(x0, x1) \ + (_mm_or_si128(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_and(x0, x1) \ + (_mm_and_si128(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_lognot(x0) \ + (_mm_xor_si128(x0, _mm_set1_epi32(-1))) + + +#define Lib_IntVector_Intrinsics_vec128_shift_left(x0, x1) \ + (_mm_slli_si128(x0, (x1)/8)) + +#define 
Lib_IntVector_Intrinsics_vec128_shift_right(x0, x1) \ + (_mm_srli_si128(x0, (x1)/8)) + +#define Lib_IntVector_Intrinsics_vec128_shift_left64(x0, x1) \ + (_mm_slli_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_shift_right64(x0, x1) \ + (_mm_srli_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_shift_left32(x0, x1) \ + (_mm_slli_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_shift_right32(x0, x1) \ + (_mm_srli_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_rotate_left32_8(x0) \ + (_mm_shuffle_epi8(x0, _mm_set_epi8(14,13,12,15,10,9,8,11,6,5,4,7,2,1,0,3))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_left32_16(x0) \ + (_mm_shuffle_epi8(x0, _mm_set_epi8(13,12,15,14,9,8,11,10,5,4,7,6,1,0,3,2))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_left32_24(x0) \ + (_mm_shuffle_epi8(x0, _mm_set_epi8(12,15,14,13,8,11,10,9,4,7,6,5,0,3,2,1))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_left32(x0,x1) \ + (((x1) == 8? Lib_IntVector_Intrinsics_vec128_rotate_left32_8(x0) : \ + ((x1) == 16? Lib_IntVector_Intrinsics_vec128_rotate_left32_16(x0) : \ + ((x1) == 24? 
Lib_IntVector_Intrinsics_vec128_rotate_left32_24(x0) : \ + _mm_xor_si128(_mm_slli_epi32(x0,x1),_mm_srli_epi32(x0,32-(x1))))))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_right32(x0,x1) \ + (Lib_IntVector_Intrinsics_vec128_rotate_left32(x0,32-(x1))) + +#define Lib_IntVector_Intrinsics_vec128_shuffle32(x0, x1, x2, x3, x4) \ + (_mm_shuffle_epi32(x0, _MM_SHUFFLE(x4,x3,x2,x1))) + +#define Lib_IntVector_Intrinsics_vec128_shuffle64(x0, x1, x2) \ + (_mm_shuffle_epi32(x0, _MM_SHUFFLE(2*x1+1,2*x1,2*x2+1,2*x2))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(x0, x1) \ + (_mm_shuffle_epi32(x0, _MM_SHUFFLE((x1+3)%4,(x1+2)%4,(x1+1)%4,x1%4))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_right_lanes64(x0, x1) \ + (_mm_shuffle_epi32(x0, _MM_SHUFFLE((2*x1+3)%4,(2*x1+2)%4,(2*x1+1)%4,(2*x1)%4))) + +#define Lib_IntVector_Intrinsics_vec128_load32_le(x0) \ + (_mm_loadu_si128((__m128i*)(x0))) + +#define Lib_IntVector_Intrinsics_vec128_load64_le(x0) \ + (_mm_loadu_si128((__m128i*)(x0))) + +#define Lib_IntVector_Intrinsics_vec128_store32_le(x0, x1) \ + (_mm_storeu_si128((__m128i*)(x0), x1)) + +#define Lib_IntVector_Intrinsics_vec128_store64_le(x0, x1) \ + (_mm_storeu_si128((__m128i*)(x0), x1)) + +#define Lib_IntVector_Intrinsics_vec128_load_be(x0) \ + (_mm_shuffle_epi8(_mm_loadu_si128((__m128i*)(x0)), _mm_set_epi8(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15))) + +#define Lib_IntVector_Intrinsics_vec128_load32_be(x0) \ + (_mm_shuffle_epi8(_mm_loadu_si128((__m128i*)(x0)), _mm_set_epi8(12, 13, 14, 15, 8, 9, 10, 11, 4, 5, 6, 7, 0, 1, 2, 3))) + +#define Lib_IntVector_Intrinsics_vec128_load64_be(x0) \ + (_mm_shuffle_epi8(_mm_loadu_si128((__m128i*)(x0)), _mm_set_epi8(8, 9, 10, 11, 12, 13, 14, 15, 0, 1, 2, 3, 4, 5, 6, 7))) + +#define Lib_IntVector_Intrinsics_vec128_store_be(x0, x1) \ + (_mm_storeu_si128((__m128i*)(x0), _mm_shuffle_epi8(x1, _mm_set_epi8(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)))) + + +#define 
Lib_IntVector_Intrinsics_vec128_store32_be(x0, x1) \ + (_mm_storeu_si128((__m128i*)(x0), _mm_shuffle_epi8(x1, _mm_set_epi8(12, 13, 14, 15, 8, 9, 10, 11, 4, 5, 6, 7, 0, 1, 2, 3)))) + +#define Lib_IntVector_Intrinsics_vec128_store64_be(x0, x1) \ + (_mm_storeu_si128((__m128i*)(x0), _mm_shuffle_epi8(x1, _mm_set_epi8(8, 9, 10, 11, 12, 13, 14, 15, 0, 1, 2, 3, 4, 5, 6, 7)))) + + + +#define Lib_IntVector_Intrinsics_vec128_insert8(x0, x1, x2) \ + (_mm_insert_epi8(x0, x1, x2)) + +#define Lib_IntVector_Intrinsics_vec128_insert32(x0, x1, x2) \ + (_mm_insert_epi32(x0, x1, x2)) + +#define Lib_IntVector_Intrinsics_vec128_insert64(x0, x1, x2) \ + (_mm_insert_epi64(x0, x1, x2)) + +#define Lib_IntVector_Intrinsics_vec128_extract8(x0, x1) \ + (_mm_extract_epi8(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_extract32(x0, x1) \ + (_mm_extract_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_extract64(x0, x1) \ + (_mm_extract_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_zero \ + (_mm_setzero_si128()) + + +#define Lib_IntVector_Intrinsics_vec128_add64(x0, x1) \ + (_mm_add_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_sub64(x0, x1) \ + (_mm_sub_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_mul64(x0, x1) \ + (_mm_mul_epu32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_smul64(x0, x1) \ + (_mm_mul_epu32(x0, _mm_set1_epi64x(x1))) + +#define Lib_IntVector_Intrinsics_vec128_add32(x0, x1) \ + (_mm_add_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_sub32(x0, x1) \ + (_mm_sub_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_mul32(x0, x1) \ + (_mm_mullo_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_smul32(x0, x1) \ + (_mm_mullo_epi32(x0, _mm_set1_epi32(x1))) + +#define Lib_IntVector_Intrinsics_vec128_load128(x) \ + ((__m128i)x) + +#define Lib_IntVector_Intrinsics_vec128_load64(x) \ + (_mm_set1_epi64x(x)) /* hi lo */ + +#define Lib_IntVector_Intrinsics_vec128_load64s(x0, x1) \ + (_mm_set_epi64x(x1, x0)) /* hi lo 
*/ + +#define Lib_IntVector_Intrinsics_vec128_load32(x) \ + (_mm_set1_epi32(x)) + +#define Lib_IntVector_Intrinsics_vec128_load32s(x0, x1, x2, x3) \ + (_mm_set_epi32(x3, x2, x1, x0)) /* hi lo */ + +#define Lib_IntVector_Intrinsics_vec128_interleave_low32(x1, x2) \ + (_mm_unpacklo_epi32(x1, x2)) + +#define Lib_IntVector_Intrinsics_vec128_interleave_high32(x1, x2) \ + (_mm_unpackhi_epi32(x1, x2)) + +#define Lib_IntVector_Intrinsics_vec128_interleave_low64(x1, x2) \ + (_mm_unpacklo_epi64(x1, x2)) + +#define Lib_IntVector_Intrinsics_vec128_interleave_high64(x1, x2) \ + (_mm_unpackhi_epi64(x1, x2)) + +#endif /* HACL_CAN_COMPILE_VEC128 */ + +#if defined(HACL_CAN_COMPILE_VEC256) + +#include +#include + +typedef __m256i Lib_IntVector_Intrinsics_vec256; + + +#define Lib_IntVector_Intrinsics_vec256_eq64(x0, x1) \ + (_mm256_cmpeq_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_eq32(x0, x1) \ + (_mm256_cmpeq_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_gt64(x0, x1) \ + (_mm256_cmpgt_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_gt32(x0, x1) \ + (_mm256_cmpgt_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_xor(x0, x1) \ + (_mm256_xor_si256(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_or(x0, x1) \ + (_mm256_or_si256(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_and(x0, x1) \ + (_mm256_and_si256(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_lognot(x0) \ + (_mm256_xor_si256(x0, _mm256_set1_epi32(-1))) + +#define Lib_IntVector_Intrinsics_vec256_shift_left(x0, x1) \ + (_mm256_slli_si256(x0, (x1)/8)) + +#define Lib_IntVector_Intrinsics_vec256_shift_right(x0, x1) \ + (_mm256_srli_si256(x0, (x1)/8)) + +#define Lib_IntVector_Intrinsics_vec256_shift_left64(x0, x1) \ + (_mm256_slli_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_shift_right64(x0, x1) \ + (_mm256_srli_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_shift_left32(x0, x1) \ + (_mm256_slli_epi32(x0, x1)) + +#define 
Lib_IntVector_Intrinsics_vec256_shift_right32(x0, x1) \ + (_mm256_srli_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_rotate_left32_8(x0) \ + (_mm256_shuffle_epi8(x0, _mm256_set_epi8(14,13,12,15,10,9,8,11,6,5,4,7,2,1,0,3,14,13,12,15,10,9,8,11,6,5,4,7,2,1,0,3))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_left32_16(x0) \ + (_mm256_shuffle_epi8(x0, _mm256_set_epi8(13,12,15,14,9,8,11,10,5,4,7,6,1,0,3,2,13,12,15,14,9,8,11,10,5,4,7,6,1,0,3,2))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_left32_24(x0) \ + (_mm256_shuffle_epi8(x0, _mm256_set_epi8(12,15,14,13,8,11,10,9,4,7,6,5,0,3,2,1,12,15,14,13,8,11,10,9,4,7,6,5,0,3,2,1))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_left32(x0,x1) \ + ((x1 == 8? Lib_IntVector_Intrinsics_vec256_rotate_left32_8(x0) : \ + (x1 == 16? Lib_IntVector_Intrinsics_vec256_rotate_left32_16(x0) : \ + (x1 == 24? Lib_IntVector_Intrinsics_vec256_rotate_left32_24(x0) : \ + _mm256_or_si256(_mm256_slli_epi32(x0,x1),_mm256_srli_epi32(x0,32-(x1))))))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right32(x0,x1) \ + (Lib_IntVector_Intrinsics_vec256_rotate_left32(x0,32-(x1))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right64_8(x0) \ + (_mm256_shuffle_epi8(x0, _mm256_set_epi8(8,15,14,13,12,11,10,9,0,7,6,5,4,3,2,1,8,15,14,13,12,11,10,9,0,7,6,5,4,3,2,1))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right64_16(x0) \ + (_mm256_shuffle_epi8(x0, _mm256_set_epi8(9,8,15,14,13,12,11,10,1,0,7,6,5,4,3,2,9,8,15,14,13,12,11,10,1,0,7,6,5,4,3,2))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right64_24(x0) \ + (_mm256_shuffle_epi8(x0, _mm256_set_epi8(10,9,8,15,14,13,12,11,2,1,0,7,6,5,4,3,10,9,8,15,14,13,12,11,2,1,0,7,6,5,4,3))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right64_32(x0) \ + (_mm256_shuffle_epi8(x0, _mm256_set_epi8(11,10,9,8,15,14,13,12,3,2,1,0,7,6,5,4,11,10,9,8,15,14,13,12,3,2,1,0,7,6,5,4))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right64_40(x0) \ + (_mm256_shuffle_epi8(x0, 
_mm256_set_epi8(12,11,10,9,8,15,14,13,4,3,2,1,0,7,6,5,12,11,10,9,8,15,14,13,4,3,2,1,0,7,6,5))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right64_48(x0) \ + (_mm256_shuffle_epi8(x0, _mm256_set_epi8(13,12,11,10,9,8,15,14,5,4,3,2,1,0,7,6,13,12,11,10,9,8,15,14,5,4,3,2,1,0,7,6))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right64_56(x0) \ + (_mm256_shuffle_epi8(x0, _mm256_set_epi8(14,13,12,11,10,9,8,15,6,5,4,3,2,1,0,7,14,13,12,11,10,9,8,15,6,5,4,3,2,1,0,7))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right64(x0,x1) \ + ((x1 == 8? Lib_IntVector_Intrinsics_vec256_rotate_right64_8(x0) : \ + (x1 == 16? Lib_IntVector_Intrinsics_vec256_rotate_right64_16(x0) : \ + (x1 == 24? Lib_IntVector_Intrinsics_vec256_rotate_right64_24(x0) : \ + (x1 == 32? Lib_IntVector_Intrinsics_vec256_rotate_right64_32(x0) : \ + (x1 == 40? Lib_IntVector_Intrinsics_vec256_rotate_right64_40(x0) : \ + (x1 == 48? Lib_IntVector_Intrinsics_vec256_rotate_right64_48(x0) : \ + (x1 == 56? Lib_IntVector_Intrinsics_vec256_rotate_right64_56(x0) : \ + _mm256_xor_si256(_mm256_srli_epi64((x0),(x1)),_mm256_slli_epi64((x0),(64-(x1)))))))))))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_left64(x0,x1) \ + (Lib_IntVector_Intrinsics_vec256_rotate_right64(x0,64-(x1))) + +#define Lib_IntVector_Intrinsics_vec256_shuffle64(x0, x1, x2, x3, x4) \ + (_mm256_permute4x64_epi64(x0, _MM_SHUFFLE(x4,x3,x2,x1))) + +#define Lib_IntVector_Intrinsics_vec256_shuffle32(x0, x1, x2, x3, x4, x5, x6, x7, x8) \ + (_mm256_permutevar8x32_epi32(x0, _mm256_set_epi32(x8,x7,x6,x5,x4,x3,x2,x1))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right_lanes32(x0, x1) \ + (_mm256_permutevar8x32_epi32(x0, _mm256_set_epi32((x1+7)%8,(x1+6)%8,(x1+5)%8,(x1+4)%8,(x1+3%8),(x1+2)%8,(x1+1)%8,x1%8))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(x0, x1) \ + (_mm256_permute4x64_epi64(x0, _MM_SHUFFLE((x1+3)%4,(x1+2)%4,(x1+1)%4,x1%4))) + +#define Lib_IntVector_Intrinsics_vec256_load32_le(x0) \ + 
(_mm256_loadu_si256((__m256i*)(x0))) + +#define Lib_IntVector_Intrinsics_vec256_load64_le(x0) \ + (_mm256_loadu_si256((__m256i*)(x0))) + +#define Lib_IntVector_Intrinsics_vec256_load32_be(x0) \ + (_mm256_shuffle_epi8(_mm256_loadu_si256((__m256i*)(x0)), _mm256_set_epi8(12, 13, 14, 15, 8, 9, 10, 11, 4, 5, 6, 7, 0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11, 4, 5, 6, 7, 0, 1, 2, 3))) + +#define Lib_IntVector_Intrinsics_vec256_load64_be(x0) \ + (_mm256_shuffle_epi8(_mm256_loadu_si256((__m256i*)(x0)), _mm256_set_epi8(8, 9, 10, 11, 12, 13, 14, 15, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 0, 1, 2, 3, 4, 5, 6, 7))) + + +#define Lib_IntVector_Intrinsics_vec256_store32_le(x0, x1) \ + (_mm256_storeu_si256((__m256i*)(x0), x1)) + +#define Lib_IntVector_Intrinsics_vec256_store64_le(x0, x1) \ + (_mm256_storeu_si256((__m256i*)(x0), x1)) + +#define Lib_IntVector_Intrinsics_vec256_store32_be(x0, x1) \ + (_mm256_storeu_si256((__m256i*)(x0), _mm256_shuffle_epi8(x1, _mm256_set_epi8(12, 13, 14, 15, 8, 9, 10, 11, 4, 5, 6, 7, 0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11, 4, 5, 6, 7, 0, 1, 2, 3)))) + +#define Lib_IntVector_Intrinsics_vec256_store64_be(x0, x1) \ + (_mm256_storeu_si256((__m256i*)(x0), _mm256_shuffle_epi8(x1, _mm256_set_epi8(8, 9, 10, 11, 12, 13, 14, 15, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 0, 1, 2, 3, 4, 5, 6, 7)))) + + +#define Lib_IntVector_Intrinsics_vec256_insert8(x0, x1, x2) \ + (_mm256_insert_epi8(x0, x1, x2)) + +#define Lib_IntVector_Intrinsics_vec256_insert32(x0, x1, x2) \ + (_mm256_insert_epi32(x0, x1, x2)) + +#define Lib_IntVector_Intrinsics_vec256_insert64(x0, x1, x2) \ + (_mm256_insert_epi64(x0, x1, x2)) + +#define Lib_IntVector_Intrinsics_vec256_extract8(x0, x1) \ + (_mm256_extract_epi8(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_extract32(x0, x1) \ + (_mm256_extract_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_extract64(x0, x1) \ + (_mm256_extract_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_zero \ + 
(_mm256_setzero_si256()) + +#define Lib_IntVector_Intrinsics_vec256_add64(x0, x1) \ + (_mm256_add_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_sub64(x0, x1) \ + (_mm256_sub_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_mul64(x0, x1) \ + (_mm256_mul_epu32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_smul64(x0, x1) \ + (_mm256_mul_epu32(x0, _mm256_set1_epi64x(x1))) + + +#define Lib_IntVector_Intrinsics_vec256_add32(x0, x1) \ + (_mm256_add_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_sub32(x0, x1) \ + (_mm256_sub_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_mul32(x0, x1) \ + (_mm256_mullo_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_smul32(x0, x1) \ + (_mm256_mullo_epi32(x0, _mm256_set1_epi32(x1))) + + +#define Lib_IntVector_Intrinsics_vec256_load64(x1) \ + (_mm256_set1_epi64x(x1)) /* hi lo */ + +#define Lib_IntVector_Intrinsics_vec256_load64s(x0, x1, x2, x3) \ + (_mm256_set_epi64x(x3,x2,x1,x0)) /* hi lo */ + +#define Lib_IntVector_Intrinsics_vec256_load32(x) \ + (_mm256_set1_epi32(x)) + +#define Lib_IntVector_Intrinsics_vec256_load32s(x0,x1,x2,x3,x4, x5, x6, x7) \ + (_mm256_set_epi32(x7, x6, x5, x4, x3, x2, x1, x0)) /* hi lo */ + +#define Lib_IntVector_Intrinsics_vec256_load128(x) \ + (_mm256_set_m128i((__m128i)x)) + +#define Lib_IntVector_Intrinsics_vec256_load128s(x0,x1) \ + (_mm256_set_m128i((__m128i)x1,(__m128i)x0)) + +#define Lib_IntVector_Intrinsics_vec256_interleave_low32(x1, x2) \ + (_mm256_unpacklo_epi32(x1, x2)) + +#define Lib_IntVector_Intrinsics_vec256_interleave_high32(x1, x2) \ + (_mm256_unpackhi_epi32(x1, x2)) + +#define Lib_IntVector_Intrinsics_vec256_interleave_low64(x1, x2) \ + (_mm256_unpacklo_epi64(x1, x2)) + +#define Lib_IntVector_Intrinsics_vec256_interleave_high64(x1, x2) \ + (_mm256_unpackhi_epi64(x1, x2)) + +#define Lib_IntVector_Intrinsics_vec256_interleave_low128(x1, x2) \ + (_mm256_permute2x128_si256(x1, x2, 0x20)) + +#define 
Lib_IntVector_Intrinsics_vec256_interleave_high128(x1, x2) \ + (_mm256_permute2x128_si256(x1, x2, 0x31)) + +#endif /* HACL_CAN_COMPILE_VEC256 */ + +#elif (defined(__aarch64__) || defined(_M_ARM64) || defined(__arm__) || defined(_M_ARM)) \ + && !defined(__ARM_32BIT_STATE) + +#if defined(HACL_CAN_COMPILE_VEC128) + +#include + +typedef uint32x4_t Lib_IntVector_Intrinsics_vec128; + +#define Lib_IntVector_Intrinsics_vec128_xor(x0, x1) \ + (veorq_u32(x0,x1)) + +#define Lib_IntVector_Intrinsics_vec128_eq64(x0, x1) \ + (vceqq_u32(x0,x1)) + +#define Lib_IntVector_Intrinsics_vec128_eq32(x0, x1) \ + (vceqq_u32(x0,x1)) + +#define Lib_IntVector_Intrinsics_vec128_gt32(x0, x1) \ + (vcgtq_u32(x0, x1)) + +#define high32(x0) \ + (vmovn_u64(vshrq_n_u64(vreinterpretq_u64_u32(x0),32))) + +#define low32(x0) \ + (vmovn_u64(vreinterpretq_u64_u32(x0))) + +#define Lib_IntVector_Intrinsics_vec128_gt64(x0, x1) \ + (vreinterpretq_u32_u64(vmovl_u32(vorr_u32(vcgt_u32(high32(x0),high32(x1)),vand_u32(vceq_u32(high32(x0),high32(x1)),vcgt_u32(low32(x0),low32(x1))))))) + +#define Lib_IntVector_Intrinsics_vec128_or(x0, x1) \ + (vorrq_u32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_and(x0, x1) \ + (vandq_u32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_lognot(x0) \ + (vmvnq_u32(x0)) + + +#define Lib_IntVector_Intrinsics_vec128_shift_left(x0, x1) \ + (vextq_u32(x0, vdupq_n_u8(0), 16-(x1)/8)) + +#define Lib_IntVector_Intrinsics_vec128_shift_right(x0, x1) \ + (vextq_u32(x0, vdupq_n_u8(0), (x1)/8)) + +#define Lib_IntVector_Intrinsics_vec128_shift_left64(x0, x1) \ + (vreinterpretq_u32_u64(vshlq_n_u64(vreinterpretq_u64_u32(x0), x1))) + +#define Lib_IntVector_Intrinsics_vec128_shift_right64(x0, x1) \ + (vreinterpretq_u32_u64(vshrq_n_u64(vreinterpretq_u64_u32(x0), x1))) + +#define Lib_IntVector_Intrinsics_vec128_shift_left32(x0, x1) \ + (vshlq_n_u32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_shift_right32(x0, x1) \ + (vshrq_n_u32(x0, x1)) + +#define 
Lib_IntVector_Intrinsics_vec128_rotate_left32_16(x1) \ + (vreinterpretq_u32_u16(vrev32q_u16(vreinterpretq_u16_u32(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_left32(x0,x1) \ + (((x1) == 16? Lib_IntVector_Intrinsics_vec128_rotate_left32_16(x0) : \ + vsriq_n_u32(vshlq_n_u32((x0),(x1)),(x0),32-(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_right32_16(x1) \ + (vreinterpretq_u32_u16(vrev32q_u16(vreinterpretq_u16_u32(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_right32(x0,x1) \ + (((x1) == 16? Lib_IntVector_Intrinsics_vec128_rotate_right32_16(x0) : \ + vsriq_n_u32(vshlq_n_u32((x0),32-(x1)),(x0),(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(x0, x1) \ + (vextq_u32(x0,x0,x1)) + +#define Lib_IntVector_Intrinsics_vec128_rotate_right_lanes64(x0, x1) \ + (vextq_u64(x0,x0,x1)) + + +/* +#define Lib_IntVector_Intrinsics_vec128_shuffle32(x0, x1, x2, x3, x4) \ + (_mm_shuffle_epi32(x0, _MM_SHUFFLE(x1,x2,x3,x4))) + +#define Lib_IntVector_Intrinsics_vec128_shuffle64(x0, x1, x2) \ + (_mm_shuffle_epi32(x0, _MM_SHUFFLE(2*x1+1,2*x1,2*x2+1,2*x2))) +*/ + +#define Lib_IntVector_Intrinsics_vec128_load32_le(x0) \ + (vld1q_u32((const uint32_t*) (x0))) + +#define Lib_IntVector_Intrinsics_vec128_load64_le(x0) \ + (vld1q_u32((const uint32_t*) (x0))) + +#define Lib_IntVector_Intrinsics_vec128_store32_le(x0, x1) \ + (vst1q_u32((uint32_t*)(x0),(x1))) + +#define Lib_IntVector_Intrinsics_vec128_store64_le(x0, x1) \ + (vst1q_u32((uint32_t*)(x0),(x1))) + +/* +#define Lib_IntVector_Intrinsics_vec128_load_be(x0) \ + ( Lib_IntVector_Intrinsics_vec128 l = vrev64q_u8(vld1q_u32((uint32_t*)(x0))); + +*/ + +#define Lib_IntVector_Intrinsics_vec128_load32_be(x0) \ + (vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(vld1q_u32((const uint32_t*)(x0)))))) + +#define Lib_IntVector_Intrinsics_vec128_load64_be(x0) \ + (vreinterpretq_u32_u8(vrev64q_u8(vreinterpretq_u8_u32(vld1q_u32((const uint32_t*)(x0)))))) + +/* +#define 
Lib_IntVector_Intrinsics_vec128_store_be(x0, x1) \ + (_mm_storeu_si128((__m128i*)(x0), _mm_shuffle_epi8(x1, _mm_set_epi8(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)))) +*/ + +#define Lib_IntVector_Intrinsics_vec128_store32_be(x0, x1) \ + (vst1q_u32((uint32_t*)(x0),(vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(x1)))))) + +#define Lib_IntVector_Intrinsics_vec128_store64_be(x0, x1) \ + (vst1q_u32((uint32_t*)(x0),(vreinterpretq_u32_u8(vrev64q_u8(vreinterpretq_u8_u32(x1)))))) + +#define Lib_IntVector_Intrinsics_vec128_insert8(x0, x1, x2) \ + (vsetq_lane_u8(x1,x0,x2)) + +#define Lib_IntVector_Intrinsics_vec128_insert32(x0, x1, x2) \ + (vsetq_lane_u32(x1,x0,x2)) + +#define Lib_IntVector_Intrinsics_vec128_insert64(x0, x1, x2) \ + (vreinterpretq_u32_u64(vsetq_lane_u64(x1,vreinterpretq_u64_u32(x0),x2))) + +#define Lib_IntVector_Intrinsics_vec128_extract8(x0, x1) \ + (vgetq_lane_u8(x0,x1)) + +#define Lib_IntVector_Intrinsics_vec128_extract32(x0, x1) \ + (vgetq_lane_u32(x0,x1)) + +#define Lib_IntVector_Intrinsics_vec128_extract64(x0, x1) \ + (vgetq_lane_u64(vreinterpretq_u64_u32(x0),x1)) + +#define Lib_IntVector_Intrinsics_vec128_zero \ + (vdupq_n_u32(0)) + +#define Lib_IntVector_Intrinsics_vec128_add64(x0, x1) \ + (vreinterpretq_u32_u64(vaddq_u64(vreinterpretq_u64_u32(x0), vreinterpretq_u64_u32(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_sub64(x0, x1) \ + (vreinterpretq_u32_u64(vsubq_u64(vreinterpretq_u64_u32(x0), vreinterpretq_u64_u32(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_mul64(x0, x1) \ + (vreinterpretq_u32_u64(vmull_u32(vmovn_u64(vreinterpretq_u64_u32(x0)), vmovn_u64(vreinterpretq_u64_u32(x1))))) + +#define Lib_IntVector_Intrinsics_vec128_smul64(x0, x1) \ + (vreinterpretq_u32_u64(vmull_n_u32(vmovn_u64(vreinterpretq_u64_u32(x0)), (uint32_t)x1))) + +#define Lib_IntVector_Intrinsics_vec128_add32(x0, x1) \ + (vaddq_u32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_sub32(x0, x1) \ + (vsubq_u32(x0, x1)) + +#define 
Lib_IntVector_Intrinsics_vec128_mul32(x0, x1) \ + (vmulq_lane_u32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_smul32(x0, x1) \ + (vmulq_lane_u32(x0, vdupq_n_u32(x1))) + +#define Lib_IntVector_Intrinsics_vec128_load128(x) \ + ((uint32x4_t)(x)) + +#define Lib_IntVector_Intrinsics_vec128_load64(x) \ + (vreinterpretq_u32_u64(vdupq_n_u64(x))) /* hi lo */ + +#define Lib_IntVector_Intrinsics_vec128_load32(x) \ + (vdupq_n_u32(x)) /* hi lo */ + +static inline Lib_IntVector_Intrinsics_vec128 Lib_IntVector_Intrinsics_vec128_load64s(uint64_t x1, uint64_t x2){ + const uint64_t a[2] = {x1,x2}; + return vreinterpretq_u32_u64(vld1q_u64(a)); +} + +static inline Lib_IntVector_Intrinsics_vec128 Lib_IntVector_Intrinsics_vec128_load32s(uint32_t x1, uint32_t x2, uint32_t x3, uint32_t x4){ + const uint32_t a[4] = {x1,x2,x3,x4}; + return vld1q_u32(a); +} + +#define Lib_IntVector_Intrinsics_vec128_interleave_low32(x1, x2) \ + (vzip1q_u32(x1,x2)) + +#define Lib_IntVector_Intrinsics_vec128_interleave_high32(x1, x2) \ + (vzip2q_u32(x1,x2)) + +#define Lib_IntVector_Intrinsics_vec128_interleave_low64(x1,x2) \ + (vreinterpretq_u32_u64(vzip1q_u64(vreinterpretq_u64_u32(x1),vreinterpretq_u64_u32(x2)))) + +#define Lib_IntVector_Intrinsics_vec128_interleave_high64(x1,x2) \ + (vreinterpretq_u32_u64(vzip2q_u64(vreinterpretq_u64_u32(x1),vreinterpretq_u64_u32(x2)))) + +#endif /* HACL_CAN_COMPILE_VEC128 */ + +/* IBM z architecture */ +#elif defined(__s390x__) /* this flag is for GCC only */ + +#if defined(HACL_CAN_COMPILE_VEC128) + +#include +#include + +/* The main vector 128 type + * We can't use uint8_t, uint32_t, uint64_t... instead of unsigned char, + * unsigned int, unsigned long long: the compiler complains that the parameter + * combination is invalid. 
*/ +typedef unsigned char vector128_8 __attribute__ ((vector_size(16))); +typedef unsigned int vector128_32 __attribute__ ((vector_size(16))); +typedef unsigned long long vector128_64 __attribute__ ((vector_size(16))); + +typedef vector128_8 Lib_IntVector_Intrinsics_vec128; +typedef vector128_8 vector128; + +#define Lib_IntVector_Intrinsics_vec128_load32_le(x) \ + (vector128) ((vector128_32) vec_revb(*((vector128_32*) (const uint8_t*)(x)))) + +#define Lib_IntVector_Intrinsics_vec128_load32_be(x) \ + (vector128) (*((vector128_32*) (const uint8_t*)(x))) + +#define Lib_IntVector_Intrinsics_vec128_load64_le(x) \ + (vector128) ((vector128_64) vec_revb(*((vector128_64*) (const uint8_t*)(x)))) + +static inline +void Lib_IntVector_Intrinsics_vec128_store32_le(const uint8_t *x0, vector128 x1) { + *((vector128_32*)x0) = vec_revb((vector128_32) x1); +} + +static inline +void Lib_IntVector_Intrinsics_vec128_store32_be(const uint8_t *x0, vector128 x1) { + *((vector128_32*)x0) = (vector128_32) x1; +} + +static inline +void Lib_IntVector_Intrinsics_vec128_store64_le(const uint8_t *x0, vector128 x1) { + *((vector128_64*)x0) = vec_revb((vector128_64) x1); +} + +#define Lib_IntVector_Intrinsics_vec128_add32(x0,x1) \ + ((vector128)((vector128_32)(((vector128_32)(x0)) + ((vector128_32)(x1))))) + +#define Lib_IntVector_Intrinsics_vec128_add64(x0, x1) \ + ((vector128)((vector128_64)(((vector128_64)(x0)) + ((vector128_64)(x1))))) + +#define Lib_IntVector_Intrinsics_vec128_and(x0, x1) \ + ((vector128)(vec_and((vector128)(x0),(vector128)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_eq32(x0, x1) \ + ((vector128)(vec_cmpeq(((vector128_32)(x0)),((vector128_32)(x1))))) + +#define Lib_IntVector_Intrinsics_vec128_eq64(x0, x1) \ + ((vector128)(vec_cmpeq(((vector128_64)(x0)),((vector128_64)(x1))))) + +#define Lib_IntVector_Intrinsics_vec128_extract32(x0, x1) \ + ((unsigned int)(vec_extract((vector128_32)(x0), x1))) + +#define Lib_IntVector_Intrinsics_vec128_extract64(x0, x1) \ + ((unsigned 
long long)(vec_extract((vector128_64)(x0), x1))) + +#define Lib_IntVector_Intrinsics_vec128_gt32(x0, x1) \ + ((vector128)((vector128_32)(((vector128_32)(x0)) > ((vector128_32)(x1))))) + +#define Lib_IntVector_Intrinsics_vec128_gt64(x0, x1) \ + ((vector128)((vector128_64)(((vector128_64)(x0)) > ((vector128_64)(x1))))) + +#define Lib_IntVector_Intrinsics_vec128_insert32(x0, x1, x2) \ + ((vector128)((vector128_32)vec_insert((unsigned int)(x1), (vector128_32)(x0), x2))) + +#define Lib_IntVector_Intrinsics_vec128_insert64(x0, x1, x2) \ + ((vector128)((vector128_64)vec_insert((unsigned long long)(x1), (vector128_64)(x0), x2))) + +#define Lib_IntVector_Intrinsics_vec128_interleave_high32(x0, x1) \ + ((vector128)((vector128_32)vec_mergel((vector128_32)(x0), (vector128_32)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_interleave_high64(x0, x1) \ + ((vector128)((vector128_64)vec_mergel((vector128_64)(x0), (vector128_64)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_interleave_low32(x0, x1) \ + ((vector128)((vector128_32)vec_mergeh((vector128_32)(x0), (vector128_32)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_interleave_low64(x0, x1) \ + ((vector128)((vector128_64)vec_mergeh((vector128_64)(x0), (vector128_64)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_load32(x) \ + ((vector128)((vector128_32){(unsigned int)(x), (unsigned int)(x), \ + (unsigned int)(x), (unsigned int)(x)})) + +#define Lib_IntVector_Intrinsics_vec128_load32s(x0, x1, x2, x3) \ + ((vector128)((vector128_32){(unsigned int)(x0),(unsigned int)(x1),(unsigned int)(x2),(unsigned int)(x3)})) + +#define Lib_IntVector_Intrinsics_vec128_load64(x) \ + ((vector128)((vector128_64)vec_load_pair((unsigned long long)(x),(unsigned long long)(x)))) + +#define Lib_IntVector_Intrinsics_vec128_lognot(x0) \ + ((vector128)(vec_xor((vector128)(x0), (vector128)vec_splat_u32(-1)))) + +#define Lib_IntVector_Intrinsics_vec128_mul64(x0, x1) \ + ((vector128)(vec_mulo((vector128_32)(x0), \ + (vector128_32)(x1)))) + 
+#define Lib_IntVector_Intrinsics_vec128_or(x0, x1) \ + ((vector128)(vec_or((vector128)(x0),(vector128)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_left32(x0, x1) \ + ((vector128)(vec_rli((vector128_32)(x0), (unsigned long)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_right32(x0, x1) \ + (Lib_IntVector_Intrinsics_vec128_rotate_left32(x0,(uint32_t)(32-(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(x0, x1) \ + ((vector128)(vec_sld((vector128)(x0), (vector128)(x0), (x1%4)*4))) + +#define Lib_IntVector_Intrinsics_vec128_shift_left64(x0, x1) \ + (((vector128)((vector128_64)vec_rli((vector128_64)(x0), (unsigned long)(x1)))) & \ + ((vector128)((vector128_64){0xffffffffffffffff << (x1), 0xffffffffffffffff << (x1)}))) + +#define Lib_IntVector_Intrinsics_vec128_shift_right64(x0, x1) \ + (((vector128)((vector128_64)vec_rli((vector128_64)(x0), (unsigned long)(64-(x1))))) & \ + ((vector128)((vector128_64){0xffffffffffffffff >> (x1), 0xffffffffffffffff >> (x1)}))) + +#define Lib_IntVector_Intrinsics_vec128_shift_right32(x0, x1) \ + (((vector128)((vector128_32)vec_rli((vector128_32)(x0), (unsigned int)(32-(x1))))) & \ + ((vector128)((vector128_32){0xffffffff >> (x1), 0xffffffff >> (x1), \ + 0xffffffff >> (x1), 0xffffffff >> (x1)}))) + +/* Doesn't work with vec_splat_u64 */ +#define Lib_IntVector_Intrinsics_vec128_smul64(x0, x1) \ + ((vector128)(Lib_IntVector_Intrinsics_vec128_mul64(x0,((vector128_64){(unsigned long long)(x1),(unsigned long long)(x1)})))) + +#define Lib_IntVector_Intrinsics_vec128_sub64(x0, x1) \ + ((vector128)((vector128_64)(x0) - (vector128_64)(x1))) + +static inline +vector128 Lib_IntVector_Intrinsics_vec128_xor(vector128 x0, vector128 x1) { + return ((vector128)(vec_xor((vector128)(x0), (vector128)(x1)))); +} + + +#define Lib_IntVector_Intrinsics_vec128_zero \ + ((vector128){}) + +#endif /* HACL_CAN_COMPILE_VEC128 */ + +#elif defined(__powerpc64__) // PowerPC 64 - this flag is for GCC only + +#if 
defined(HACL_CAN_COMPILE_VEC128) + +#include +#include // for memcpy +#include + +// The main vector 128 type +// We can't use uint8_t, uint32_t, uint64_t... instead of unsigned char, +// unsigned int, unsigned long long: the compiler complains that the parameter +// combination is invalid. +typedef vector unsigned char vector128_8; +typedef vector unsigned int vector128_32; +typedef vector unsigned long long vector128_64; + +typedef vector128_8 Lib_IntVector_Intrinsics_vec128; +typedef vector128_8 vector128; + +#define Lib_IntVector_Intrinsics_vec128_load32_le(x) \ + ((vector128)((vector128_32)(vec_xl(0, (const unsigned int*) ((const uint8_t*)(x)))))) + +#define Lib_IntVector_Intrinsics_vec128_load64_le(x) \ + ((vector128)((vector128_64)(vec_xl(0, (const unsigned long long*) ((const uint8_t*)(x)))))) + +#define Lib_IntVector_Intrinsics_vec128_store32_le(x0, x1) \ + (vec_xst((vector128_32)(x1), 0, (unsigned int*) ((uint8_t*)(x0)))) + +#define Lib_IntVector_Intrinsics_vec128_store64_le(x0, x1) \ + (vec_xst((vector128_64)(x1), 0, (unsigned long long*) ((uint8_t*)(x0)))) + +#define Lib_IntVector_Intrinsics_vec128_add32(x0,x1) \ + ((vector128)((vector128_32)(((vector128_32)(x0)) + ((vector128_32)(x1))))) + +#define Lib_IntVector_Intrinsics_vec128_add64(x0, x1) \ + ((vector128)((vector128_64)(((vector128_64)(x0)) + ((vector128_64)(x1))))) + +#define Lib_IntVector_Intrinsics_vec128_and(x0, x1) \ + ((vector128)(vec_and((vector128)(x0),(vector128)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_eq32(x0, x1) \ + ((vector128)(vec_cmpeq(((vector128_32)(x0)),((vector128_32)(x1))))) + +#define Lib_IntVector_Intrinsics_vec128_eq64(x0, x1) \ + ((vector128)(vec_cmpeq(((vector128_64)(x0)),((vector128_64)(x1))))) + +#define Lib_IntVector_Intrinsics_vec128_extract32(x0, x1) \ + ((unsigned int)(vec_extract((vector128_32)(x0), x1))) + +#define Lib_IntVector_Intrinsics_vec128_extract64(x0, x1) \ + ((unsigned long long)(vec_extract((vector128_64)(x0), x1))) + +#define 
Lib_IntVector_Intrinsics_vec128_gt32(x0, x1) \ + ((vector128)((vector128_32)(((vector128_32)(x0)) > ((vector128_32)(x1))))) + +#define Lib_IntVector_Intrinsics_vec128_gt64(x0, x1) \ + ((vector128)((vector128_64)(((vector128_64)(x0)) > ((vector128_64)(x1))))) + +#define Lib_IntVector_Intrinsics_vec128_insert32(x0, x1, x2) \ + ((vector128)((vector128_32)vec_insert((unsigned int)(x1), (vector128_32)(x0), x2))) + +#define Lib_IntVector_Intrinsics_vec128_insert64(x0, x1, x2) \ + ((vector128)((vector128_64)vec_insert((unsigned long long)(x1), (vector128_64)(x0), x2))) + +#define Lib_IntVector_Intrinsics_vec128_interleave_high32(x0, x1) \ + ((vector128)((vector128_32)vec_mergel((vector128_32)(x0), (vector128_32)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_interleave_high64(x0, x1) \ + ((vector128)((vector128_64)vec_mergel((vector128_64)(x0), (vector128_64)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_interleave_low32(x0, x1) \ + ((vector128)((vector128_32)vec_mergeh((vector128_32)(x0), (vector128_32)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_interleave_low64(x0, x1) \ + ((vector128)((vector128_64)vec_mergeh((vector128_64)(x0), (vector128_64)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_load32(x) \ + ((vector128)((vector128_32){(unsigned int)(x), (unsigned int)(x), \ + (unsigned int)(x), (unsigned int)(x)})) + +#define Lib_IntVector_Intrinsics_vec128_load32s(x0, x1, x2, x3) \ + ((vector128)((vector128_32){(unsigned int)(x0),(unsigned int)(x1),(unsigned int)(x2),(unsigned int)(x3)})) + +#define Lib_IntVector_Intrinsics_vec128_load64(x) \ + ((vector128)((vector128_64){(unsigned long long)(x),(unsigned long long)(x)})) + +#define Lib_IntVector_Intrinsics_vec128_lognot(x0) \ + ((vector128)(vec_xor((vector128)(x0), (vector128)vec_splat_u32(-1)))) + +#define Lib_IntVector_Intrinsics_vec128_mul64(x0, x1) \ + ((vector128)(vec_mule((vector128_32)(x0), \ + (vector128_32)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_or(x0, x1) \ + 
((vector128)(vec_or((vector128)(x0),(vector128)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_left32(x0, x1) \ + ((vector128)(vec_rl((vector128_32)(x0), (vector128_32){(unsigned int)(x1),(unsigned int)(x1),(unsigned int)(x1),(unsigned int)(x1)}))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_right32(x0, x1) \ + (Lib_IntVector_Intrinsics_vec128_rotate_left32(x0,(uint32_t)(32-(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(x0, x1) \ + ((vector128)(vec_sld((vector128)(x0), (vector128)(x0), ((4-(x1))%4)*4))) + +#define Lib_IntVector_Intrinsics_vec128_shift_left64(x0, x1) \ + ((vector128)((vector128_64)vec_sl((vector128_64)(x0), (vector128_64){(unsigned long)(x1),(unsigned long)(x1)}))) + +#define Lib_IntVector_Intrinsics_vec128_shift_right64(x0, x1) \ + ((vector128)((vector128_64)vec_sr((vector128_64)(x0), (vector128_64){(unsigned long)(x1),(unsigned long)(x1)}))) + +// Doesn't work with vec_splat_u64 +#define Lib_IntVector_Intrinsics_vec128_smul64(x0, x1) \ + ((vector128)(Lib_IntVector_Intrinsics_vec128_mul64(x0,((vector128_64){(unsigned long long)(x1),(unsigned long long)(x1)})))) + +#define Lib_IntVector_Intrinsics_vec128_sub64(x0, x1) \ + ((vector128)((vector128_64)(x0) - (vector128_64)(x1))) + +#define Lib_IntVector_Intrinsics_vec128_xor(x0, x1) \ + ((vector128)(vec_xor((vector128)(x0), (vector128)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_zero \ + ((vector128){}) + +#endif /* HACL_CAN_COMPILE_VEC128 */ + +#endif // PowerPC64 + +// DEBUGGING: +// If libintvector_debug.h exists, use it to debug the current implementations. +// Note that some flags must be enabled for the debugging to be effective: +// see libintvector_debug.h for more details. +#if defined(__has_include) +#if __has_include("libintvector_debug.h") +#include "libintvector_debug.h" +#endif +#endif + +#endif // __Vec_Intrin_H diff --git a/include/msvc/EverCrypt_AEAD.h b/include/msvc/EverCrypt_AEAD.h new file mode 100644 index 00000000..1de457aa 
--- /dev/null
+++ b/include/msvc/EverCrypt_AEAD.h
@@ -0,0 +1,276 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __EverCrypt_AEAD_H +#define __EverCrypt_AEAD_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Spec.h" +#include "EverCrypt_Error.h" +#include "EverCrypt_Chacha20Poly1305.h" +#include "EverCrypt_AutoConfig2.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef struct EverCrypt_AEAD_state_s_s EverCrypt_AEAD_state_s; + +bool EverCrypt_AEAD_uu___is_Ek(Spec_Agile_AEAD_alg a, EverCrypt_AEAD_state_s projectee); + +Spec_Agile_AEAD_alg EverCrypt_AEAD_alg_of_state(EverCrypt_AEAD_state_s *s); + +EverCrypt_Error_error_code +EverCrypt_AEAD_create_in(Spec_Agile_AEAD_alg a, EverCrypt_AEAD_state_s **dst, uint8_t *k); + +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt( + EverCrypt_AEAD_state_s *s, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +); + +/* +WARNING: this function doesn't perform any dynamic + hardware check. You MUST make sure your hardware supports the + implementation of AESGCM. Besides, this function was not designed + for cross-compilation: if you compile it on a system which doesn't + support Vale, it will compile it to a function which makes the + program exit. +*/ +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +); + +/* +WARNING: this function doesn't perform any dynamic + hardware check. You MUST make sure your hardware supports the + implementation of AESGCM. Besides, this function was not designed + for cross-compilation: if you compile it on a system which doesn't + support Vale, it will compile it to a function which makes the + program exit. 
+*/ +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +); + +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt_expand_aes128_gcm( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +); + +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt_expand_aes256_gcm( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +); + +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt_expand_chacha20_poly1305( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +); + +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt_expand( + Spec_Agile_AEAD_alg a, + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +); + +EverCrypt_Error_error_code +EverCrypt_AEAD_decrypt( + EverCrypt_AEAD_state_s *s, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +); + +/* +WARNING: this function doesn't perform any dynamic + hardware check. You MUST make sure your hardware supports the + implementation of AESGCM. Besides, this function was not designed + for cross-compilation: if you compile it on a system which doesn't + support Vale, it will compile it to a function which makes the + program exit. 
+*/ +EverCrypt_Error_error_code +EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +); + +/* +WARNING: this function doesn't perform any dynamic + hardware check. You MUST make sure your hardware supports the + implementation of AESGCM. Besides, this function was not designed + for cross-compilation: if you compile it on a system which doesn't + support Vale, it will compile it to a function which makes the + program exit. +*/ +EverCrypt_Error_error_code +EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +); + +EverCrypt_Error_error_code +EverCrypt_AEAD_decrypt_expand_aes128_gcm( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +); + +EverCrypt_Error_error_code +EverCrypt_AEAD_decrypt_expand_aes256_gcm( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +); + +EverCrypt_Error_error_code +EverCrypt_AEAD_decrypt_expand_chacha20_poly1305( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +); + +EverCrypt_Error_error_code +EverCrypt_AEAD_decrypt_expand( + Spec_Agile_AEAD_alg a, + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +); + +void EverCrypt_AEAD_free(EverCrypt_AEAD_state_s *s); + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_AEAD_H_DEFINED +#endif 
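Review bot: `EverCrypt_AEAD_decrypt` and the `decrypt_expand*` variants do not document what `dst` holds when tag verification fails, nor the required size of `tag` or the accepted range of `iv_len`, so a caller cannot tell whether partially written plaintext may be released on a non-success code. A comment above `EverCrypt_AEAD_decrypt` along the lines of `/* Returns the success code only if the tag verifies; on any other code the contents of dst are unspecified and must be discarded. */` would close that gap, with the tag and nonce sizes stated per `Spec_Agile_AEAD_alg`, which this header does not give. The input pointers `k`, `iv`, `ad` and `plain` are non-const `uint8_t *`, forcing callers to cast away `const` on read-only key material; `const uint8_t *` would document that the functions do not write through them, if the generator permits it. `EverCrypt_AEAD_create_in` allocates `*dst` and `EverCrypt_AEAD_free` presumably releases it; that ownership pairing is worth stating on `create_in`.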
diff --git a/include/msvc/EverCrypt_AutoConfig2.h b/include/msvc/EverCrypt_AutoConfig2.h
new file mode 100644
index 00000000..fcef2832
--- /dev/null
+++ b/include/msvc/EverCrypt_AutoConfig2.h
@@ -0,0 +1,118 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __EverCrypt_AutoConfig2_H +#define __EverCrypt_AutoConfig2_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +bool EverCrypt_AutoConfig2_has_shaext(); + +bool EverCrypt_AutoConfig2_has_aesni(); + +bool EverCrypt_AutoConfig2_has_pclmulqdq(); + +bool EverCrypt_AutoConfig2_has_avx2(); + +bool EverCrypt_AutoConfig2_has_avx(); + +bool EverCrypt_AutoConfig2_has_bmi2(); + +bool EverCrypt_AutoConfig2_has_adx(); + +bool EverCrypt_AutoConfig2_has_sse(); + +bool EverCrypt_AutoConfig2_has_movbe(); + +bool EverCrypt_AutoConfig2_has_rdrand(); + +bool EverCrypt_AutoConfig2_has_avx512(); + +KRML_DEPRECATED("") + +bool EverCrypt_AutoConfig2_wants_vale(); + +bool EverCrypt_AutoConfig2_wants_hacl(); + +bool EverCrypt_AutoConfig2_wants_openssl(); + +bool EverCrypt_AutoConfig2_wants_bcrypt(); + +void EverCrypt_AutoConfig2_recall(); + +void EverCrypt_AutoConfig2_init(); + +typedef void (*EverCrypt_AutoConfig2_disabler)(); + +void EverCrypt_AutoConfig2_disable_avx2(); + +void EverCrypt_AutoConfig2_disable_avx(); + +void EverCrypt_AutoConfig2_disable_bmi2(); + +void EverCrypt_AutoConfig2_disable_adx(); + +void EverCrypt_AutoConfig2_disable_shaext(); + +void EverCrypt_AutoConfig2_disable_aesni(); + +void EverCrypt_AutoConfig2_disable_pclmulqdq(); + +void EverCrypt_AutoConfig2_disable_sse(); + +void EverCrypt_AutoConfig2_disable_movbe(); + +void EverCrypt_AutoConfig2_disable_rdrand(); + +void EverCrypt_AutoConfig2_disable_avx512(); + +void EverCrypt_AutoConfig2_disable_vale(); + +void EverCrypt_AutoConfig2_disable_hacl(); + +void EverCrypt_AutoConfig2_disable_openssl(); + +void EverCrypt_AutoConfig2_disable_bcrypt(); + +bool EverCrypt_AutoConfig2_has_vec128(); + +bool EverCrypt_AutoConfig2_has_vec256(); + +#if defined(__cplusplus) +} +#endif + +#define 
__EverCrypt_AutoConfig2_H_DEFINED
+#endif
diff --git a/include/msvc/EverCrypt_CTR.h b/include/msvc/EverCrypt_CTR.h
new file mode 100644
index 00000000..10397d58
--- /dev/null
+++ b/include/msvc/EverCrypt_CTR.h
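Review bot: Every prototype in this header uses empty parentheses, e.g. `bool EverCrypt_AutoConfig2_has_shaext();` and `typedef void (*EverCrypt_AutoConfig2_disabler)();`, which in C11 declares a function without a prototype, so a call that passes stray arguments compiles silently; `(void)` gives the compiler something to check. `KRML_DEPRECATED("")` on `EverCrypt_AutoConfig2_wants_vale` carries an empty message, so the deprecation warning tells callers nothing about what to use instead; a short reason such as `KRML_DEPRECATED("use the per-feature EverCrypt_AutoConfig2_has_* queries")` would help, though the intended replacement is my inference and should come from the authors. A one-line comment on `EverCrypt_AutoConfig2_init` stating whether it must run before the `has_*` queries return meaningful results, and whether the `disable_*` functions are meant for testing only, would also be useful, since the header gives no ordering constraint.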
@@ -0,0 +1,85 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */
+
+
+#ifndef __EverCrypt_CTR_H
+#define __EverCrypt_CTR_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include 
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Spec.h"
+#include "Hacl_Kremlib.h"
+#include "EverCrypt_Error.h"
+#include "EverCrypt_AutoConfig2.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+typedef struct EverCrypt_CTR_state_s_s EverCrypt_CTR_state_s;
+
+bool
+EverCrypt_CTR_uu___is_State(Spec_Agile_Cipher_cipher_alg a, EverCrypt_CTR_state_s projectee);
+
+typedef uint8_t EverCrypt_CTR_uint8;
+
+uint8_t EverCrypt_CTR_xor8(uint8_t a, uint8_t b);
+
+typedef void *EverCrypt_CTR_e_alg;
+
+Spec_Agile_Cipher_cipher_alg EverCrypt_CTR_alg_of_state(EverCrypt_CTR_state_s *s);
+
+EverCrypt_Error_error_code
+EverCrypt_CTR_create_in(
+ Spec_Agile_Cipher_cipher_alg a,
+ EverCrypt_CTR_state_s **dst,
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint32_t c
+);
+
+void
+EverCrypt_CTR_init(
+ EverCrypt_CTR_state_s *p,
+ uint8_t *k,
+ uint8_t *iv,
+ uint32_t iv_len,
+ uint32_t c
+);
+
+void EverCrypt_CTR_update_block(EverCrypt_CTR_state_s *p, uint8_t *dst, uint8_t *src);
+
+void EverCrypt_CTR_free(EverCrypt_CTR_state_s *p);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __EverCrypt_CTR_H_DEFINED
+#endif
diff --git a/include/msvc/EverCrypt_Chacha20Poly1305.h b/include/msvc/EverCrypt_Chacha20Poly1305.h
new file mode 100644
index 00000000..52706f75
--- /dev/null
+++ b/include/msvc/EverCrypt_Chacha20Poly1305.h
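Review bot: `EverCrypt_CTR_update_block(p, dst, src)` takes no length, so the number of bytes it reads from `src` and writes to `dst` is implicit in the state's algorithm and should be stated, together with whether `dst` and `src` may alias. The `uint32_t c` parameter of `EverCrypt_CTR_create_in` and `EverCrypt_CTR_init` is presumably the initial block counter, and the accepted `iv_len` values are not given; a comment such as `/* c: initial block counter; iv_len must match the nonce length of alg a */` would avoid guesswork, the nonce-length rule being my inference. `typedef void *EverCrypt_CTR_e_alg;` and `EverCrypt_CTR_xor8` look like extraction artefacts of the internal implementation; if they are not part of the supported API, a comment saying so would keep callers away from them.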
@@ -0,0 +1,73 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */
+
+
+#ifndef __EverCrypt_Chacha20Poly1305_H
+#define __EverCrypt_Chacha20Poly1305_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include 
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Chacha20Poly1305_32.h"
+#include "Hacl_Chacha20Poly1305_256.h"
+#include "Hacl_Chacha20Poly1305_128.h"
+#include "EverCrypt_AutoConfig2.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+EverCrypt_Chacha20Poly1305_aead_encrypt(
+ uint8_t *k,
+ uint8_t *n,
+ uint32_t aadlen,
+ uint8_t *aad,
+ uint32_t mlen,
+ uint8_t *m,
+ uint8_t *cipher,
+ uint8_t *tag
+);
+
+uint32_t
+EverCrypt_Chacha20Poly1305_aead_decrypt(
+ uint8_t *k,
+ uint8_t *n,
+ uint32_t aadlen,
+ uint8_t *aad,
+ uint32_t mlen,
+ uint8_t *m,
+ uint8_t *cipher,
+ uint8_t *tag
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __EverCrypt_Chacha20Poly1305_H_DEFINED
+#endif
diff --git a/include/msvc/EverCrypt_Cipher.h b/include/msvc/EverCrypt_Cipher.h
new file mode 100644
index 00000000..75a37e6e
--- /dev/null
+++ b/include/msvc/EverCrypt_Cipher.h
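Review bot: `EverCrypt_Chacha20Poly1305_aead_decrypt` returns a bare `uint32_t` whose meaning is not documented, whereas the sibling `EverCrypt_AEAD_decrypt` returns `EverCrypt_Error_error_code`, so a caller has to guess which value signals a verified tag. A comment `/* Returns 0 when the tag verifies and m holds the plaintext; any other value means authentication failed and m must not be used. */` would settle it; the zero-for-success convention is my inference from the name and should be checked against the implementation. The parameter names are shared with `aead_encrypt`, so on decrypt `cipher` is the input and `m` the output, the reverse of encrypt; noting that on the declaration would prevent transposed arguments.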
@@ -0,0 +1,56 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __EverCrypt_Cipher_H +#define __EverCrypt_Cipher_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +EverCrypt_Cipher_chacha20( + uint32_t len, + uint8_t *dst, + uint8_t *src, + uint8_t *key, + uint8_t *iv, + uint32_t ctr +); + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_Cipher_H_DEFINED +#endif diff --git a/include/msvc/EverCrypt_Curve25519.h b/include/msvc/EverCrypt_Curve25519.h new file mode 100644 index 00000000..850694de --- /dev/null +++ b/include/msvc/EverCrypt_Curve25519.h 
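Review bot: `EverCrypt_Cipher_chacha20` documents neither the sizes of `key` and `iv` nor whether `dst` and `src` may overlap, and `ctr` is presumably the initial block counter. A one-line comment stating the key and nonce lengths the implementation expects, what `ctr` is, and whether in-place operation (`dst == src`) is supported would make the declaration usable without reading the source; none of this can be confirmed from the header itself.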
@@ -0,0 +1,54 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __EverCrypt_Curve25519_H +#define __EverCrypt_Curve25519_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Curve25519_64.h" +#include "Hacl_Curve25519_51.h" +#include "EverCrypt_AutoConfig2.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void EverCrypt_Curve25519_secret_to_public(uint8_t *pub, uint8_t *priv); + +void EverCrypt_Curve25519_scalarmult(uint8_t *shared, uint8_t *my_priv, uint8_t *their_pub); + +bool EverCrypt_Curve25519_ecdh(uint8_t *shared, uint8_t *my_priv, uint8_t *their_pub); + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_Curve25519_H_DEFINED +#endif 
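Review bot: `EverCrypt_Curve25519_ecdh` returns `bool` while `EverCrypt_Curve25519_scalarmult` returns `void`, and the header does not say what a `false` return means or whether `shared` may be used in that case. A comment such as `/* Returns false if the result must be rejected (presumably a degenerate shared secret); shared must not be used when false is returned. */` should go above the declaration, with the actual condition taken from the implementation. Since `ecdh` is the variant that performs a check, the same comment could steer callers towards it rather than `scalarmult` for key agreement.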
diff --git a/include/msvc/EverCrypt_DRBG.h b/include/msvc/EverCrypt_DRBG.h
new file mode 100644
index 00000000..a40a93a8
--- /dev/null
+++ b/include/msvc/EverCrypt_DRBG.h
@@ -0,0 +1,224 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __EverCrypt_DRBG_H +#define __EverCrypt_DRBG_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Lib_RandomBuffer_System.h" +#include "Lib_Memzero0.h" +#include "Hacl_Spec.h" +#include "Hacl_HMAC_DRBG.h" +#include "EverCrypt_HMAC.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef Spec_Hash_Definitions_hash_alg EverCrypt_DRBG_supported_alg; + +extern uint32_t EverCrypt_DRBG_reseed_interval; + +extern uint32_t EverCrypt_DRBG_max_output_length; + +extern uint32_t EverCrypt_DRBG_max_length; + +extern uint32_t EverCrypt_DRBG_max_personalization_string_length; + +extern uint32_t EverCrypt_DRBG_max_additional_input_length; + +uint32_t EverCrypt_DRBG_min_length(Spec_Hash_Definitions_hash_alg a); + +#define EverCrypt_DRBG_SHA1_s 0 +#define EverCrypt_DRBG_SHA2_256_s 1 +#define EverCrypt_DRBG_SHA2_384_s 2 +#define EverCrypt_DRBG_SHA2_512_s 3 + +typedef uint8_t EverCrypt_DRBG_state_s_tags; + +typedef struct EverCrypt_DRBG_state_s_s EverCrypt_DRBG_state_s; + +bool +EverCrypt_DRBG_uu___is_SHA1_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +); + +bool +EverCrypt_DRBG_uu___is_SHA2_256_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +); + +bool +EverCrypt_DRBG_uu___is_SHA2_384_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +); + +bool +EverCrypt_DRBG_uu___is_SHA2_512_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +); + +EverCrypt_DRBG_state_s *EverCrypt_DRBG_create(Spec_Hash_Definitions_hash_alg a); + +bool +EverCrypt_DRBG_instantiate_sha1( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t personalization_string_len +); + +bool +EverCrypt_DRBG_instantiate_sha2_256( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t 
personalization_string_len +); + +bool +EverCrypt_DRBG_instantiate_sha2_384( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t personalization_string_len +); + +bool +EverCrypt_DRBG_instantiate_sha2_512( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t personalization_string_len +); + +bool +EverCrypt_DRBG_reseed_sha1( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +); + +bool +EverCrypt_DRBG_reseed_sha2_256( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +); + +bool +EverCrypt_DRBG_reseed_sha2_384( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +); + +bool +EverCrypt_DRBG_reseed_sha2_512( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +); + +bool +EverCrypt_DRBG_generate_sha1( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +); + +bool +EverCrypt_DRBG_generate_sha2_256( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +); + +bool +EverCrypt_DRBG_generate_sha2_384( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +); + +bool +EverCrypt_DRBG_generate_sha2_512( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +); + +void EverCrypt_DRBG_uninstantiate_sha1(EverCrypt_DRBG_state_s *st); + +void EverCrypt_DRBG_uninstantiate_sha2_256(EverCrypt_DRBG_state_s *st); + +void EverCrypt_DRBG_uninstantiate_sha2_384(EverCrypt_DRBG_state_s *st); + +void EverCrypt_DRBG_uninstantiate_sha2_512(EverCrypt_DRBG_state_s *st); + +bool +EverCrypt_DRBG_instantiate( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t personalization_string_len +); + 
+bool
+EverCrypt_DRBG_reseed(
+ EverCrypt_DRBG_state_s *st,
+ uint8_t *additional_input,
+ uint32_t additional_input_len
+);
+
+bool
+EverCrypt_DRBG_generate(
+ uint8_t *output,
+ EverCrypt_DRBG_state_s *st,
+ uint32_t n,
+ uint8_t *additional_input,
+ uint32_t additional_input_len
+);
+
+void EverCrypt_DRBG_uninstantiate(EverCrypt_DRBG_state_s *st);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __EverCrypt_DRBG_H_DEFINED
+#endif
diff --git a/include/msvc/EverCrypt_Ed25519.h b/include/msvc/EverCrypt_Ed25519.h
new file mode 100644
index 00000000..81c1ca7a
--- /dev/null
+++ b/include/msvc/EverCrypt_Ed25519.h
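Review bot: The limits `EverCrypt_DRBG_reseed_interval`, `EverCrypt_DRBG_max_output_length`, `EverCrypt_DRBG_max_length`, `EverCrypt_DRBG_max_personalization_string_length` and `EverCrypt_DRBG_max_additional_input_length` are declared as writable `extern uint32_t`, so any translation unit can raise them at runtime; if they are fixed bounds, `extern const uint32_t` (with matching const definitions) would prevent that. The `bool` returned by `EverCrypt_DRBG_instantiate`, `EverCrypt_DRBG_reseed` and `EverCrypt_DRBG_generate` is undocumented; a comment `/* Returns false if the request exceeds the limits above or the entropy source fails; output is unspecified in that case. */` would tell callers what to do, with the exact failure causes confirmed against the implementation. The header also never says that `EverCrypt_DRBG_create` allocates the state or that `EverCrypt_DRBG_uninstantiate` releases and zeroises it (the `Lib_Memzero0.h` include suggests zeroisation), which is the ownership contract a caller of a DRBG most needs.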
@@ -0,0 +1,57 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __EverCrypt_Ed25519_H +#define __EverCrypt_Ed25519_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Ed25519.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void EverCrypt_Ed25519_sign(uint8_t *signature, uint8_t *secret, uint32_t len, uint8_t *msg); + +bool EverCrypt_Ed25519_verify(uint8_t *pubkey, uint32_t len, uint8_t *msg, uint8_t *signature); + +void EverCrypt_Ed25519_secret_to_public(uint8_t *output, uint8_t *secret); + +void EverCrypt_Ed25519_expand_keys(uint8_t *ks, uint8_t *secret); + +void +EverCrypt_Ed25519_sign_expanded(uint8_t *signature, uint8_t *ks, uint32_t len, uint8_t *msg); + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_Ed25519_H_DEFINED +#endif diff --git a/include/msvc/EverCrypt_Error.h b/include/msvc/EverCrypt_Error.h new file mode 100644 index 00000000..8556d509 --- /dev/null +++ b/include/msvc/EverCrypt_Error.h 
@@ -0,0 +1,67 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __EverCrypt_Error_H +#define __EverCrypt_Error_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +#define EverCrypt_Error_Success 0 +#define EverCrypt_Error_UnsupportedAlgorithm 1 +#define EverCrypt_Error_InvalidKey 2 +#define EverCrypt_Error_AuthenticationFailure 3 +#define EverCrypt_Error_InvalidIVLength 4 +#define EverCrypt_Error_DecodeError 5 + +typedef uint8_t EverCrypt_Error_error_code; + +bool EverCrypt_Error_uu___is_Success(EverCrypt_Error_error_code projectee); + +bool EverCrypt_Error_uu___is_UnsupportedAlgorithm(EverCrypt_Error_error_code projectee); + +bool EverCrypt_Error_uu___is_InvalidKey(EverCrypt_Error_error_code projectee); + +bool EverCrypt_Error_uu___is_AuthenticationFailure(EverCrypt_Error_error_code projectee); + +bool EverCrypt_Error_uu___is_InvalidIVLength(EverCrypt_Error_error_code projectee); + +bool EverCrypt_Error_uu___is_DecodeError(EverCrypt_Error_error_code projectee); + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_Error_H_DEFINED +#endif diff --git a/include/msvc/EverCrypt_HKDF.h b/include/msvc/EverCrypt_HKDF.h new file mode 100644 index 00000000..3f51c207 --- /dev/null +++ b/include/msvc/EverCrypt_HKDF.h 
@@ -0,0 +1,207 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __EverCrypt_HKDF_H +#define __EverCrypt_HKDF_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Spec.h" +#include "EverCrypt_HMAC.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +EverCrypt_HKDF_expand_sha1( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +EverCrypt_HKDF_extract_sha1( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +void +EverCrypt_HKDF_expand_sha2_256( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +EverCrypt_HKDF_extract_sha2_256( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +void +EverCrypt_HKDF_expand_sha2_384( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +EverCrypt_HKDF_extract_sha2_384( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +void +EverCrypt_HKDF_expand_sha2_512( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +EverCrypt_HKDF_extract_sha2_512( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +void +EverCrypt_HKDF_expand_blake2s( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +EverCrypt_HKDF_extract_blake2s( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +void +EverCrypt_HKDF_expand_blake2b( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +EverCrypt_HKDF_extract_blake2b( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + 
uint8_t *ikm, + uint32_t ikmlen +); + +void +EverCrypt_HKDF_expand( + Spec_Hash_Definitions_hash_alg a, + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +EverCrypt_HKDF_extract( + Spec_Hash_Definitions_hash_alg a, + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +KRML_DEPRECATED("expand") + +void +EverCrypt_HKDF_hkdf_expand( + Spec_Hash_Definitions_hash_alg a, + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +KRML_DEPRECATED("extract") + +void +EverCrypt_HKDF_hkdf_extract( + Spec_Hash_Definitions_hash_alg a, + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_HKDF_H_DEFINED +#endif diff --git a/include/msvc/EverCrypt_HMAC.h b/include/msvc/EverCrypt_HMAC.h new file mode 100644 index 00000000..7c882f4a --- /dev/null +++ b/include/msvc/EverCrypt_HMAC.h 
@@ -0,0 +1,119 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __EverCrypt_HMAC_H +#define __EverCrypt_HMAC_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Spec.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Impl_Blake2_Constants.h" +#include "Hacl_Hash_SHA2.h" +#include "Hacl_Hash_SHA1.h" +#include "EverCrypt_Hash.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +EverCrypt_HMAC_compute_sha1( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +void +EverCrypt_HMAC_compute_sha2_256( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +void +EverCrypt_HMAC_compute_sha2_384( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +void +EverCrypt_HMAC_compute_sha2_512( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +void +EverCrypt_HMAC_compute_blake2s( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +void +EverCrypt_HMAC_compute_blake2b( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +bool EverCrypt_HMAC_is_supported_alg(Spec_Hash_Definitions_hash_alg uu___); + +typedef Spec_Hash_Definitions_hash_alg EverCrypt_HMAC_supported_alg; + +void +EverCrypt_HMAC_compute( + Spec_Hash_Definitions_hash_alg a, + uint8_t *mac, + uint8_t *key, + uint32_t keylen, + uint8_t *data, + uint32_t datalen +); + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_HMAC_H_DEFINED +#endif diff --git a/include/msvc/EverCrypt_Hacl.h b/include/msvc/EverCrypt_Hacl.h new file mode 100644 index 00000000..1e9cba4c --- /dev/null +++ b/include/msvc/EverCrypt_Hacl.h 
@@ -0,0 +1,72 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __EverCrypt_Hacl_H +#define __EverCrypt_Hacl_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +#define EverCrypt_Hacl_aes128_mk_sbox Crypto_Symmetric_AES128_mk_sbox + +extern void EverCrypt_Hacl_aes128_mk_sbox(uint8_t *sb); + +#define EverCrypt_Hacl_aes128_keyExpansion Crypto_Symmetric_AES128_keyExpansion + +extern void EverCrypt_Hacl_aes128_keyExpansion(uint8_t *key, uint8_t *w, uint8_t *sb); + +#define EverCrypt_Hacl_aes128_cipher Crypto_Symmetric_AES128_cipher + +extern void +EverCrypt_Hacl_aes128_cipher(uint8_t *cipher, uint8_t *plain, uint8_t *w, uint8_t *sb); + +#define EverCrypt_Hacl_aes256_mk_sbox Crypto_Symmetric_AES_mk_sbox + +extern void EverCrypt_Hacl_aes256_mk_sbox(uint8_t *sb); + +#define EverCrypt_Hacl_aes256_keyExpansion Crypto_Symmetric_AES_keyExpansion + +extern void EverCrypt_Hacl_aes256_keyExpansion(uint8_t *key, uint8_t *w, uint8_t *sb); + +#define EverCrypt_Hacl_aes256_cipher Crypto_Symmetric_AES_cipher + +extern void +EverCrypt_Hacl_aes256_cipher(uint8_t *cipher, uint8_t *plain, uint8_t *w, uint8_t *sb); + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_Hacl_H_DEFINED +#endif diff --git a/include/msvc/EverCrypt_Hash.h b/include/msvc/EverCrypt_Hash.h new file mode 100644 index 00000000..fa435883 --- /dev/null +++ b/include/msvc/EverCrypt_Hash.h 
@@ -0,0 +1,291 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __EverCrypt_Hash_H +#define __EverCrypt_Hash_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Spec.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Impl_Blake2_Constants.h" +#include "Hacl_Hash_SHA2.h" +#include "Hacl_Hash_SHA1.h" +#include "Hacl_Hash_MD5.h" +#include "EverCrypt_AutoConfig2.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef Spec_Hash_Definitions_hash_alg EverCrypt_Hash_alg; + +C_String_t EverCrypt_Hash_string_of_alg(Spec_Hash_Definitions_hash_alg uu___); + +typedef Spec_Hash_Definitions_hash_alg EverCrypt_Hash_broken_alg; + +typedef Spec_Hash_Definitions_hash_alg EverCrypt_Hash_alg13; + +typedef void *EverCrypt_Hash_e_alg; + +#define EverCrypt_Hash_MD5_s 0 +#define EverCrypt_Hash_SHA1_s 1 +#define EverCrypt_Hash_SHA2_224_s 2 +#define EverCrypt_Hash_SHA2_256_s 3 +#define EverCrypt_Hash_SHA2_384_s 4 +#define EverCrypt_Hash_SHA2_512_s 5 +#define EverCrypt_Hash_Blake2S_s 6 +#define EverCrypt_Hash_Blake2B_s 7 + +typedef uint8_t EverCrypt_Hash_state_s_tags; + +typedef struct EverCrypt_Hash_state_s_s +{ + EverCrypt_Hash_state_s_tags tag; + union { + uint32_t *case_MD5_s; + uint32_t *case_SHA1_s; + uint32_t *case_SHA2_224_s; + uint32_t *case_SHA2_256_s; + uint64_t *case_SHA2_384_s; + uint64_t *case_SHA2_512_s; + uint32_t *case_Blake2S_s; + uint64_t *case_Blake2B_s; + } + ; +} +EverCrypt_Hash_state_s; + +bool +EverCrypt_Hash_uu___is_MD5_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +); + +bool +EverCrypt_Hash_uu___is_SHA1_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +); + +bool +EverCrypt_Hash_uu___is_SHA2_224_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +); + +bool +EverCrypt_Hash_uu___is_SHA2_256_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s 
projectee +); + +bool +EverCrypt_Hash_uu___is_SHA2_384_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +); + +bool +EverCrypt_Hash_uu___is_SHA2_512_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +); + +bool +EverCrypt_Hash_uu___is_Blake2S_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +); + +bool +EverCrypt_Hash_uu___is_Blake2B_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +); + +Spec_Hash_Definitions_hash_alg EverCrypt_Hash_alg_of_state(EverCrypt_Hash_state_s *s); + +EverCrypt_Hash_state_s *EverCrypt_Hash_create_in(Spec_Hash_Definitions_hash_alg a); + +EverCrypt_Hash_state_s *EverCrypt_Hash_create(Spec_Hash_Definitions_hash_alg a); + +void EverCrypt_Hash_init(EverCrypt_Hash_state_s *s); + +void EverCrypt_Hash_update_multi_256(uint32_t *s, uint8_t *blocks, uint32_t n); + +void EverCrypt_Hash_update2(EverCrypt_Hash_state_s *s, uint64_t prevlen, uint8_t *block); + +KRML_DEPRECATED("Use update2 instead") + +void EverCrypt_Hash_update(EverCrypt_Hash_state_s *s, uint8_t *block); + +void +EverCrypt_Hash_update_multi2( + EverCrypt_Hash_state_s *s, + uint64_t prevlen, + uint8_t *blocks, + uint32_t len +); + +KRML_DEPRECATED("Use update_multi2 instead") + +void EverCrypt_Hash_update_multi(EverCrypt_Hash_state_s *s, uint8_t *blocks, uint32_t len); + +void +EverCrypt_Hash_update_last_256( + uint32_t *s, + uint64_t input, + uint8_t *input_len, + uint32_t input_len1 +); + +void +EverCrypt_Hash_update_last2( + EverCrypt_Hash_state_s *s, + uint64_t prev_len, + uint8_t *last, + uint32_t last_len +); + +KRML_DEPRECATED("Use update_last2 instead") + +void EverCrypt_Hash_update_last(EverCrypt_Hash_state_s *s, uint8_t *last, uint64_t total_len); + +void EverCrypt_Hash_finish(EverCrypt_Hash_state_s *s, uint8_t *dst); + +void EverCrypt_Hash_free(EverCrypt_Hash_state_s *s); + +void EverCrypt_Hash_copy(EverCrypt_Hash_state_s *s_src, EverCrypt_Hash_state_s *s_dst); + 
+void EverCrypt_Hash_hash_256(uint8_t *input, uint32_t input_len, uint8_t *dst); + +void EverCrypt_Hash_hash_224(uint8_t *input, uint32_t input_len, uint8_t *dst); + +void +EverCrypt_Hash_hash( + Spec_Hash_Definitions_hash_alg a, + uint8_t *dst, + uint8_t *input, + uint32_t len +); + +uint32_t EverCrypt_Hash_Incremental_hash_len(Spec_Hash_Definitions_hash_alg a); + +uint32_t EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_hash_alg a); + +typedef struct Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s_____s +{ + EverCrypt_Hash_state_s *block_state; + uint8_t *buf; + uint64_t total_len; +} +Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____; + +Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ +*EverCrypt_Hash_Incremental_create_in(Spec_Hash_Definitions_hash_alg a); + +void +EverCrypt_Hash_Incremental_init(Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *s); + +void +EverCrypt_Hash_Incremental_update( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *data, + uint32_t len +); + +void +EverCrypt_Hash_Incremental_finish_md5( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +); + +void +EverCrypt_Hash_Incremental_finish_sha1( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +); + +void +EverCrypt_Hash_Incremental_finish_sha224( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +); + +void +EverCrypt_Hash_Incremental_finish_sha256( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +); + +void +EverCrypt_Hash_Incremental_finish_sha384( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +); + +void +EverCrypt_Hash_Incremental_finish_sha512( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +); + +void +EverCrypt_Hash_Incremental_finish_blake2s( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + 
uint8_t *dst +); + +void +EverCrypt_Hash_Incremental_finish_blake2b( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +); + +Spec_Hash_Definitions_hash_alg +EverCrypt_Hash_Incremental_alg_of_state( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *s +); + +void +EverCrypt_Hash_Incremental_finish( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *s, + uint8_t *dst +); + +void +EverCrypt_Hash_Incremental_free(Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *s); + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_Hash_H_DEFINED +#endif diff --git a/include/msvc/EverCrypt_Helpers.h b/include/msvc/EverCrypt_Helpers.h new file mode 100644 index 00000000..1cad1faf --- /dev/null +++ b/include/msvc/EverCrypt_Helpers.h 
@@ -0,0 +1,62 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __EverCrypt_Helpers_H +#define __EverCrypt_Helpers_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef uint8_t EverCrypt_Helpers_uint8_t; + +typedef uint16_t EverCrypt_Helpers_uint16_t; + +typedef uint32_t EverCrypt_Helpers_uint32_t; + +typedef uint64_t EverCrypt_Helpers_uint64_t; + +typedef uint8_t *EverCrypt_Helpers_uint8_p; + +typedef uint16_t *EverCrypt_Helpers_uint16_p; + +typedef uint32_t *EverCrypt_Helpers_uint32_p; + +typedef uint64_t *EverCrypt_Helpers_uint64_p; + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_Helpers_H_DEFINED +#endif 
diff --git a/include/msvc/EverCrypt_Poly1305.h b/include/msvc/EverCrypt_Poly1305.h new file mode 100644 index 00000000..d4dfe597 --- /dev/null +++ b/include/msvc/EverCrypt_Poly1305.h 
@@ -0,0 +1,51 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __EverCrypt_Poly1305_H +#define __EverCrypt_Poly1305_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Poly1305_32.h" +#include "Hacl_Poly1305_256.h" +#include "Hacl_Poly1305_128.h" +#include "EverCrypt_AutoConfig2.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void EverCrypt_Poly1305_poly1305(uint8_t *dst, uint8_t *src, uint32_t len, uint8_t *key); + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_Poly1305_H_DEFINED +#endif diff --git a/include/msvc/EverCrypt_StaticConfig.h b/include/msvc/EverCrypt_StaticConfig.h new file mode 100644 index 00000000..057cdec7 --- /dev/null 
+++ b/include/msvc/EverCrypt_StaticConfig.h @@ -0,0 +1,54 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __EverCrypt_StaticConfig_H +#define __EverCrypt_StaticConfig_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +extern bool EverCrypt_StaticConfig_hacl; + +extern bool EverCrypt_StaticConfig_vale; + +extern bool EverCrypt_StaticConfig_openssl; + +extern bool EverCrypt_StaticConfig_bcrypt; + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_StaticConfig_H_DEFINED +#endif diff --git a/include/msvc/Hacl_AES128.h b/include/msvc/Hacl_AES128.h new file mode 100644 index 00000000..4fdb0078 --- /dev/null 
+++ b/include/msvc/Hacl_AES128.h @@ -0,0 +1,51 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_AES128_H +#define __Hacl_AES128_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +extern void Hacl_AES128_aes128_key_expansion(uint8_t *key, uint8_t *expanded_key); + +extern void +Hacl_AES128_aes128_encrypt_block(uint16_t *cipher, uint16_t *plain, uint8_t *expanded_key); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_AES128_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Bignum25519_51.h b/include/msvc/Hacl_Bignum25519_51.h new file mode 100644 index 00000000..e619f600 --- /dev/null +++ b/include/msvc/Hacl_Bignum25519_51.h 
@@ -0,0 +1,678 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Bignum25519_51_H +#define __Hacl_Bignum25519_51_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +static inline void Hacl_Impl_Curve25519_Field51_fadd(uint64_t *out, uint64_t *f1, uint64_t *f2) +{ + uint64_t f10 = f1[0U]; + uint64_t f20 = f2[0U]; + uint64_t f11 = f1[1U]; + uint64_t f21 = f2[1U]; + uint64_t f12 = f1[2U]; + uint64_t f22 = f2[2U]; + uint64_t f13 = f1[3U]; + uint64_t f23 = f2[3U]; + uint64_t f14 = f1[4U]; + uint64_t f24 = f2[4U]; + out[0U] = f10 + f20; + out[1U] = f11 + f21; + out[2U] = f12 + f22; + out[3U] = f13 + f23; + out[4U] = f14 + f24; +} + +static inline void Hacl_Impl_Curve25519_Field51_fsub(uint64_t *out, uint64_t *f1, uint64_t *f2) +{ + uint64_t f10 = f1[0U]; + uint64_t f20 = f2[0U]; + uint64_t f11 = f1[1U]; + uint64_t f21 = f2[1U]; + uint64_t f12 = f1[2U]; + uint64_t f22 = f2[2U]; + uint64_t f13 = f1[3U]; + uint64_t f23 = f2[3U]; + uint64_t f14 = f1[4U]; + uint64_t f24 = f2[4U]; + out[0U] = f10 + (uint64_t)0x3fffffffffff68U - f20; + out[1U] = f11 + (uint64_t)0x3ffffffffffff8U - f21; + out[2U] = f12 + (uint64_t)0x3ffffffffffff8U - f22; + out[3U] = f13 + (uint64_t)0x3ffffffffffff8U - f23; + out[4U] = f14 + (uint64_t)0x3ffffffffffff8U - f24; +} + +static inline void +Hacl_Impl_Curve25519_Field51_fmul( + uint64_t *out, + uint64_t *f1, + uint64_t *f2, + FStar_UInt128_uint128 *uu___ +) +{ + uint64_t f10 = f1[0U]; + uint64_t f11 = f1[1U]; + uint64_t f12 = f1[2U]; + uint64_t f13 = f1[3U]; + uint64_t f14 = f1[4U]; + uint64_t f20 = f2[0U]; + uint64_t f21 = f2[1U]; + uint64_t f22 = f2[2U]; + uint64_t f23 = f2[3U]; + uint64_t f24 = f2[4U]; + uint64_t tmp1 = f21 * (uint64_t)19U; + uint64_t tmp2 = f22 * (uint64_t)19U; + uint64_t tmp3 = f23 * (uint64_t)19U; + uint64_t tmp4 = f24 * (uint64_t)19U; + 
FStar_UInt128_uint128 o00 = FStar_UInt128_mul_wide(f10, f20); + FStar_UInt128_uint128 o10 = FStar_UInt128_mul_wide(f10, f21); + FStar_UInt128_uint128 o20 = FStar_UInt128_mul_wide(f10, f22); + FStar_UInt128_uint128 o30 = FStar_UInt128_mul_wide(f10, f23); + FStar_UInt128_uint128 o40 = FStar_UInt128_mul_wide(f10, f24); + FStar_UInt128_uint128 o01 = FStar_UInt128_add(o00, FStar_UInt128_mul_wide(f11, tmp4)); + FStar_UInt128_uint128 o11 = FStar_UInt128_add(o10, FStar_UInt128_mul_wide(f11, f20)); + FStar_UInt128_uint128 o21 = FStar_UInt128_add(o20, FStar_UInt128_mul_wide(f11, f21)); + FStar_UInt128_uint128 o31 = FStar_UInt128_add(o30, FStar_UInt128_mul_wide(f11, f22)); + FStar_UInt128_uint128 o41 = FStar_UInt128_add(o40, FStar_UInt128_mul_wide(f11, f23)); + FStar_UInt128_uint128 o02 = FStar_UInt128_add(o01, FStar_UInt128_mul_wide(f12, tmp3)); + FStar_UInt128_uint128 o12 = FStar_UInt128_add(o11, FStar_UInt128_mul_wide(f12, tmp4)); + FStar_UInt128_uint128 o22 = FStar_UInt128_add(o21, FStar_UInt128_mul_wide(f12, f20)); + FStar_UInt128_uint128 o32 = FStar_UInt128_add(o31, FStar_UInt128_mul_wide(f12, f21)); + FStar_UInt128_uint128 o42 = FStar_UInt128_add(o41, FStar_UInt128_mul_wide(f12, f22)); + FStar_UInt128_uint128 o03 = FStar_UInt128_add(o02, FStar_UInt128_mul_wide(f13, tmp2)); + FStar_UInt128_uint128 o13 = FStar_UInt128_add(o12, FStar_UInt128_mul_wide(f13, tmp3)); + FStar_UInt128_uint128 o23 = FStar_UInt128_add(o22, FStar_UInt128_mul_wide(f13, tmp4)); + FStar_UInt128_uint128 o33 = FStar_UInt128_add(o32, FStar_UInt128_mul_wide(f13, f20)); + FStar_UInt128_uint128 o43 = FStar_UInt128_add(o42, FStar_UInt128_mul_wide(f13, f21)); + FStar_UInt128_uint128 o04 = FStar_UInt128_add(o03, FStar_UInt128_mul_wide(f14, tmp1)); + FStar_UInt128_uint128 o14 = FStar_UInt128_add(o13, FStar_UInt128_mul_wide(f14, tmp2)); + FStar_UInt128_uint128 o24 = FStar_UInt128_add(o23, FStar_UInt128_mul_wide(f14, tmp3)); + FStar_UInt128_uint128 o34 = FStar_UInt128_add(o33, FStar_UInt128_mul_wide(f14, tmp4)); 
+ FStar_UInt128_uint128 o44 = FStar_UInt128_add(o43, FStar_UInt128_mul_wide(f14, f20)); + FStar_UInt128_uint128 tmp_w0 = o04; + FStar_UInt128_uint128 tmp_w1 = o14; + FStar_UInt128_uint128 tmp_w2 = o24; + FStar_UInt128_uint128 tmp_w3 = o34; + FStar_UInt128_uint128 tmp_w4 = o44; + FStar_UInt128_uint128 + l_ = FStar_UInt128_add(tmp_w0, FStar_UInt128_uint64_to_uint128((uint64_t)0U)); + uint64_t tmp01 = FStar_UInt128_uint128_to_uint64(l_) & (uint64_t)0x7ffffffffffffU; + uint64_t c0 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_, (uint32_t)51U)); + FStar_UInt128_uint128 l_0 = FStar_UInt128_add(tmp_w1, FStar_UInt128_uint64_to_uint128(c0)); + uint64_t tmp11 = FStar_UInt128_uint128_to_uint64(l_0) & (uint64_t)0x7ffffffffffffU; + uint64_t c1 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_0, (uint32_t)51U)); + FStar_UInt128_uint128 l_1 = FStar_UInt128_add(tmp_w2, FStar_UInt128_uint64_to_uint128(c1)); + uint64_t tmp21 = FStar_UInt128_uint128_to_uint64(l_1) & (uint64_t)0x7ffffffffffffU; + uint64_t c2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_1, (uint32_t)51U)); + FStar_UInt128_uint128 l_2 = FStar_UInt128_add(tmp_w3, FStar_UInt128_uint64_to_uint128(c2)); + uint64_t tmp31 = FStar_UInt128_uint128_to_uint64(l_2) & (uint64_t)0x7ffffffffffffU; + uint64_t c3 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_2, (uint32_t)51U)); + FStar_UInt128_uint128 l_3 = FStar_UInt128_add(tmp_w4, FStar_UInt128_uint64_to_uint128(c3)); + uint64_t tmp41 = FStar_UInt128_uint128_to_uint64(l_3) & (uint64_t)0x7ffffffffffffU; + uint64_t c4 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_3, (uint32_t)51U)); + uint64_t l_4 = tmp01 + c4 * (uint64_t)19U; + uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU; + uint64_t c5 = l_4 >> (uint32_t)51U; + uint64_t o0 = tmp0_; + uint64_t o1 = tmp11 + c5; + uint64_t o2 = tmp21; + uint64_t o3 = tmp31; + uint64_t o4 = tmp41; + out[0U] = o0; + out[1U] = o1; + out[2U] = o2; + out[3U] = o3; + out[4U] = 
o4; +} + +static inline void +Hacl_Impl_Curve25519_Field51_fmul2( + uint64_t *out, + uint64_t *f1, + uint64_t *f2, + FStar_UInt128_uint128 *uu___ +) +{ + uint64_t f10 = f1[0U]; + uint64_t f11 = f1[1U]; + uint64_t f12 = f1[2U]; + uint64_t f13 = f1[3U]; + uint64_t f14 = f1[4U]; + uint64_t f20 = f2[0U]; + uint64_t f21 = f2[1U]; + uint64_t f22 = f2[2U]; + uint64_t f23 = f2[3U]; + uint64_t f24 = f2[4U]; + uint64_t f30 = f1[5U]; + uint64_t f31 = f1[6U]; + uint64_t f32 = f1[7U]; + uint64_t f33 = f1[8U]; + uint64_t f34 = f1[9U]; + uint64_t f40 = f2[5U]; + uint64_t f41 = f2[6U]; + uint64_t f42 = f2[7U]; + uint64_t f43 = f2[8U]; + uint64_t f44 = f2[9U]; + uint64_t tmp11 = f21 * (uint64_t)19U; + uint64_t tmp12 = f22 * (uint64_t)19U; + uint64_t tmp13 = f23 * (uint64_t)19U; + uint64_t tmp14 = f24 * (uint64_t)19U; + uint64_t tmp21 = f41 * (uint64_t)19U; + uint64_t tmp22 = f42 * (uint64_t)19U; + uint64_t tmp23 = f43 * (uint64_t)19U; + uint64_t tmp24 = f44 * (uint64_t)19U; + FStar_UInt128_uint128 o00 = FStar_UInt128_mul_wide(f10, f20); + FStar_UInt128_uint128 o15 = FStar_UInt128_mul_wide(f10, f21); + FStar_UInt128_uint128 o25 = FStar_UInt128_mul_wide(f10, f22); + FStar_UInt128_uint128 o30 = FStar_UInt128_mul_wide(f10, f23); + FStar_UInt128_uint128 o40 = FStar_UInt128_mul_wide(f10, f24); + FStar_UInt128_uint128 o010 = FStar_UInt128_add(o00, FStar_UInt128_mul_wide(f11, tmp14)); + FStar_UInt128_uint128 o110 = FStar_UInt128_add(o15, FStar_UInt128_mul_wide(f11, f20)); + FStar_UInt128_uint128 o210 = FStar_UInt128_add(o25, FStar_UInt128_mul_wide(f11, f21)); + FStar_UInt128_uint128 o310 = FStar_UInt128_add(o30, FStar_UInt128_mul_wide(f11, f22)); + FStar_UInt128_uint128 o410 = FStar_UInt128_add(o40, FStar_UInt128_mul_wide(f11, f23)); + FStar_UInt128_uint128 o020 = FStar_UInt128_add(o010, FStar_UInt128_mul_wide(f12, tmp13)); + FStar_UInt128_uint128 o120 = FStar_UInt128_add(o110, FStar_UInt128_mul_wide(f12, tmp14)); + FStar_UInt128_uint128 o220 = FStar_UInt128_add(o210, 
FStar_UInt128_mul_wide(f12, f20)); + FStar_UInt128_uint128 o320 = FStar_UInt128_add(o310, FStar_UInt128_mul_wide(f12, f21)); + FStar_UInt128_uint128 o420 = FStar_UInt128_add(o410, FStar_UInt128_mul_wide(f12, f22)); + FStar_UInt128_uint128 o030 = FStar_UInt128_add(o020, FStar_UInt128_mul_wide(f13, tmp12)); + FStar_UInt128_uint128 o130 = FStar_UInt128_add(o120, FStar_UInt128_mul_wide(f13, tmp13)); + FStar_UInt128_uint128 o230 = FStar_UInt128_add(o220, FStar_UInt128_mul_wide(f13, tmp14)); + FStar_UInt128_uint128 o330 = FStar_UInt128_add(o320, FStar_UInt128_mul_wide(f13, f20)); + FStar_UInt128_uint128 o430 = FStar_UInt128_add(o420, FStar_UInt128_mul_wide(f13, f21)); + FStar_UInt128_uint128 o040 = FStar_UInt128_add(o030, FStar_UInt128_mul_wide(f14, tmp11)); + FStar_UInt128_uint128 o140 = FStar_UInt128_add(o130, FStar_UInt128_mul_wide(f14, tmp12)); + FStar_UInt128_uint128 o240 = FStar_UInt128_add(o230, FStar_UInt128_mul_wide(f14, tmp13)); + FStar_UInt128_uint128 o340 = FStar_UInt128_add(o330, FStar_UInt128_mul_wide(f14, tmp14)); + FStar_UInt128_uint128 o440 = FStar_UInt128_add(o430, FStar_UInt128_mul_wide(f14, f20)); + FStar_UInt128_uint128 tmp_w10 = o040; + FStar_UInt128_uint128 tmp_w11 = o140; + FStar_UInt128_uint128 tmp_w12 = o240; + FStar_UInt128_uint128 tmp_w13 = o340; + FStar_UInt128_uint128 tmp_w14 = o440; + FStar_UInt128_uint128 o0 = FStar_UInt128_mul_wide(f30, f40); + FStar_UInt128_uint128 o1 = FStar_UInt128_mul_wide(f30, f41); + FStar_UInt128_uint128 o2 = FStar_UInt128_mul_wide(f30, f42); + FStar_UInt128_uint128 o3 = FStar_UInt128_mul_wide(f30, f43); + FStar_UInt128_uint128 o4 = FStar_UInt128_mul_wide(f30, f44); + FStar_UInt128_uint128 o01 = FStar_UInt128_add(o0, FStar_UInt128_mul_wide(f31, tmp24)); + FStar_UInt128_uint128 o111 = FStar_UInt128_add(o1, FStar_UInt128_mul_wide(f31, f40)); + FStar_UInt128_uint128 o211 = FStar_UInt128_add(o2, FStar_UInt128_mul_wide(f31, f41)); + FStar_UInt128_uint128 o31 = FStar_UInt128_add(o3, FStar_UInt128_mul_wide(f31, f42)); + 
FStar_UInt128_uint128 o41 = FStar_UInt128_add(o4, FStar_UInt128_mul_wide(f31, f43)); + FStar_UInt128_uint128 o02 = FStar_UInt128_add(o01, FStar_UInt128_mul_wide(f32, tmp23)); + FStar_UInt128_uint128 o121 = FStar_UInt128_add(o111, FStar_UInt128_mul_wide(f32, tmp24)); + FStar_UInt128_uint128 o221 = FStar_UInt128_add(o211, FStar_UInt128_mul_wide(f32, f40)); + FStar_UInt128_uint128 o32 = FStar_UInt128_add(o31, FStar_UInt128_mul_wide(f32, f41)); + FStar_UInt128_uint128 o42 = FStar_UInt128_add(o41, FStar_UInt128_mul_wide(f32, f42)); + FStar_UInt128_uint128 o03 = FStar_UInt128_add(o02, FStar_UInt128_mul_wide(f33, tmp22)); + FStar_UInt128_uint128 o131 = FStar_UInt128_add(o121, FStar_UInt128_mul_wide(f33, tmp23)); + FStar_UInt128_uint128 o231 = FStar_UInt128_add(o221, FStar_UInt128_mul_wide(f33, tmp24)); + FStar_UInt128_uint128 o33 = FStar_UInt128_add(o32, FStar_UInt128_mul_wide(f33, f40)); + FStar_UInt128_uint128 o43 = FStar_UInt128_add(o42, FStar_UInt128_mul_wide(f33, f41)); + FStar_UInt128_uint128 o04 = FStar_UInt128_add(o03, FStar_UInt128_mul_wide(f34, tmp21)); + FStar_UInt128_uint128 o141 = FStar_UInt128_add(o131, FStar_UInt128_mul_wide(f34, tmp22)); + FStar_UInt128_uint128 o241 = FStar_UInt128_add(o231, FStar_UInt128_mul_wide(f34, tmp23)); + FStar_UInt128_uint128 o34 = FStar_UInt128_add(o33, FStar_UInt128_mul_wide(f34, tmp24)); + FStar_UInt128_uint128 o44 = FStar_UInt128_add(o43, FStar_UInt128_mul_wide(f34, f40)); + FStar_UInt128_uint128 tmp_w20 = o04; + FStar_UInt128_uint128 tmp_w21 = o141; + FStar_UInt128_uint128 tmp_w22 = o241; + FStar_UInt128_uint128 tmp_w23 = o34; + FStar_UInt128_uint128 tmp_w24 = o44; + FStar_UInt128_uint128 + l_ = FStar_UInt128_add(tmp_w10, FStar_UInt128_uint64_to_uint128((uint64_t)0U)); + uint64_t tmp00 = FStar_UInt128_uint128_to_uint64(l_) & (uint64_t)0x7ffffffffffffU; + uint64_t c00 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_, (uint32_t)51U)); + FStar_UInt128_uint128 l_0 = FStar_UInt128_add(tmp_w11, 
FStar_UInt128_uint64_to_uint128(c00)); + uint64_t tmp10 = FStar_UInt128_uint128_to_uint64(l_0) & (uint64_t)0x7ffffffffffffU; + uint64_t c10 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_0, (uint32_t)51U)); + FStar_UInt128_uint128 l_1 = FStar_UInt128_add(tmp_w12, FStar_UInt128_uint64_to_uint128(c10)); + uint64_t tmp20 = FStar_UInt128_uint128_to_uint64(l_1) & (uint64_t)0x7ffffffffffffU; + uint64_t c20 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_1, (uint32_t)51U)); + FStar_UInt128_uint128 l_2 = FStar_UInt128_add(tmp_w13, FStar_UInt128_uint64_to_uint128(c20)); + uint64_t tmp30 = FStar_UInt128_uint128_to_uint64(l_2) & (uint64_t)0x7ffffffffffffU; + uint64_t c30 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_2, (uint32_t)51U)); + FStar_UInt128_uint128 l_3 = FStar_UInt128_add(tmp_w14, FStar_UInt128_uint64_to_uint128(c30)); + uint64_t tmp40 = FStar_UInt128_uint128_to_uint64(l_3) & (uint64_t)0x7ffffffffffffU; + uint64_t c40 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_3, (uint32_t)51U)); + uint64_t l_4 = tmp00 + c40 * (uint64_t)19U; + uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU; + uint64_t c50 = l_4 >> (uint32_t)51U; + uint64_t o100 = tmp0_; + uint64_t o112 = tmp10 + c50; + uint64_t o122 = tmp20; + uint64_t o132 = tmp30; + uint64_t o142 = tmp40; + FStar_UInt128_uint128 + l_5 = FStar_UInt128_add(tmp_w20, FStar_UInt128_uint64_to_uint128((uint64_t)0U)); + uint64_t tmp0 = FStar_UInt128_uint128_to_uint64(l_5) & (uint64_t)0x7ffffffffffffU; + uint64_t c0 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_5, (uint32_t)51U)); + FStar_UInt128_uint128 l_6 = FStar_UInt128_add(tmp_w21, FStar_UInt128_uint64_to_uint128(c0)); + uint64_t tmp1 = FStar_UInt128_uint128_to_uint64(l_6) & (uint64_t)0x7ffffffffffffU; + uint64_t c1 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_6, (uint32_t)51U)); + FStar_UInt128_uint128 l_7 = FStar_UInt128_add(tmp_w22, FStar_UInt128_uint64_to_uint128(c1)); + uint64_t 
tmp2 = FStar_UInt128_uint128_to_uint64(l_7) & (uint64_t)0x7ffffffffffffU; + uint64_t c2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_7, (uint32_t)51U)); + FStar_UInt128_uint128 l_8 = FStar_UInt128_add(tmp_w23, FStar_UInt128_uint64_to_uint128(c2)); + uint64_t tmp3 = FStar_UInt128_uint128_to_uint64(l_8) & (uint64_t)0x7ffffffffffffU; + uint64_t c3 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_8, (uint32_t)51U)); + FStar_UInt128_uint128 l_9 = FStar_UInt128_add(tmp_w24, FStar_UInt128_uint64_to_uint128(c3)); + uint64_t tmp4 = FStar_UInt128_uint128_to_uint64(l_9) & (uint64_t)0x7ffffffffffffU; + uint64_t c4 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_9, (uint32_t)51U)); + uint64_t l_10 = tmp0 + c4 * (uint64_t)19U; + uint64_t tmp0_0 = l_10 & (uint64_t)0x7ffffffffffffU; + uint64_t c5 = l_10 >> (uint32_t)51U; + uint64_t o200 = tmp0_0; + uint64_t o212 = tmp1 + c5; + uint64_t o222 = tmp2; + uint64_t o232 = tmp3; + uint64_t o242 = tmp4; + uint64_t o10 = o100; + uint64_t o11 = o112; + uint64_t o12 = o122; + uint64_t o13 = o132; + uint64_t o14 = o142; + uint64_t o20 = o200; + uint64_t o21 = o212; + uint64_t o22 = o222; + uint64_t o23 = o232; + uint64_t o24 = o242; + out[0U] = o10; + out[1U] = o11; + out[2U] = o12; + out[3U] = o13; + out[4U] = o14; + out[5U] = o20; + out[6U] = o21; + out[7U] = o22; + out[8U] = o23; + out[9U] = o24; +} + +static inline void Hacl_Impl_Curve25519_Field51_fmul1(uint64_t *out, uint64_t *f1, uint64_t f2) +{ + uint64_t f10 = f1[0U]; + uint64_t f11 = f1[1U]; + uint64_t f12 = f1[2U]; + uint64_t f13 = f1[3U]; + uint64_t f14 = f1[4U]; + FStar_UInt128_uint128 tmp_w0 = FStar_UInt128_mul_wide(f2, f10); + FStar_UInt128_uint128 tmp_w1 = FStar_UInt128_mul_wide(f2, f11); + FStar_UInt128_uint128 tmp_w2 = FStar_UInt128_mul_wide(f2, f12); + FStar_UInt128_uint128 tmp_w3 = FStar_UInt128_mul_wide(f2, f13); + FStar_UInt128_uint128 tmp_w4 = FStar_UInt128_mul_wide(f2, f14); + FStar_UInt128_uint128 + l_ = 
FStar_UInt128_add(tmp_w0, FStar_UInt128_uint64_to_uint128((uint64_t)0U)); + uint64_t tmp0 = FStar_UInt128_uint128_to_uint64(l_) & (uint64_t)0x7ffffffffffffU; + uint64_t c0 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_, (uint32_t)51U)); + FStar_UInt128_uint128 l_0 = FStar_UInt128_add(tmp_w1, FStar_UInt128_uint64_to_uint128(c0)); + uint64_t tmp1 = FStar_UInt128_uint128_to_uint64(l_0) & (uint64_t)0x7ffffffffffffU; + uint64_t c1 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_0, (uint32_t)51U)); + FStar_UInt128_uint128 l_1 = FStar_UInt128_add(tmp_w2, FStar_UInt128_uint64_to_uint128(c1)); + uint64_t tmp2 = FStar_UInt128_uint128_to_uint64(l_1) & (uint64_t)0x7ffffffffffffU; + uint64_t c2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_1, (uint32_t)51U)); + FStar_UInt128_uint128 l_2 = FStar_UInt128_add(tmp_w3, FStar_UInt128_uint64_to_uint128(c2)); + uint64_t tmp3 = FStar_UInt128_uint128_to_uint64(l_2) & (uint64_t)0x7ffffffffffffU; + uint64_t c3 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_2, (uint32_t)51U)); + FStar_UInt128_uint128 l_3 = FStar_UInt128_add(tmp_w4, FStar_UInt128_uint64_to_uint128(c3)); + uint64_t tmp4 = FStar_UInt128_uint128_to_uint64(l_3) & (uint64_t)0x7ffffffffffffU; + uint64_t c4 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_3, (uint32_t)51U)); + uint64_t l_4 = tmp0 + c4 * (uint64_t)19U; + uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU; + uint64_t c5 = l_4 >> (uint32_t)51U; + uint64_t o0 = tmp0_; + uint64_t o1 = tmp1 + c5; + uint64_t o2 = tmp2; + uint64_t o3 = tmp3; + uint64_t o4 = tmp4; + out[0U] = o0; + out[1U] = o1; + out[2U] = o2; + out[3U] = o3; + out[4U] = o4; +} + +static inline void +Hacl_Impl_Curve25519_Field51_fsqr(uint64_t *out, uint64_t *f, FStar_UInt128_uint128 *uu___) +{ + uint64_t f0 = f[0U]; + uint64_t f1 = f[1U]; + uint64_t f2 = f[2U]; + uint64_t f3 = f[3U]; + uint64_t f4 = f[4U]; + uint64_t d0 = (uint64_t)2U * f0; + uint64_t d1 = (uint64_t)2U * f1; + 
uint64_t d2 = (uint64_t)38U * f2; + uint64_t d3 = (uint64_t)19U * f3; + uint64_t d419 = (uint64_t)19U * f4; + uint64_t d4 = (uint64_t)2U * d419; + FStar_UInt128_uint128 + s0 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(f0, f0), + FStar_UInt128_mul_wide(d4, f1)), + FStar_UInt128_mul_wide(d2, f3)); + FStar_UInt128_uint128 + s1 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f1), + FStar_UInt128_mul_wide(d4, f2)), + FStar_UInt128_mul_wide(d3, f3)); + FStar_UInt128_uint128 + s2 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f2), + FStar_UInt128_mul_wide(f1, f1)), + FStar_UInt128_mul_wide(d4, f3)); + FStar_UInt128_uint128 + s3 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f3), + FStar_UInt128_mul_wide(d1, f2)), + FStar_UInt128_mul_wide(f4, d419)); + FStar_UInt128_uint128 + s4 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f4), + FStar_UInt128_mul_wide(d1, f3)), + FStar_UInt128_mul_wide(f2, f2)); + FStar_UInt128_uint128 o00 = s0; + FStar_UInt128_uint128 o10 = s1; + FStar_UInt128_uint128 o20 = s2; + FStar_UInt128_uint128 o30 = s3; + FStar_UInt128_uint128 o40 = s4; + FStar_UInt128_uint128 + l_ = FStar_UInt128_add(o00, FStar_UInt128_uint64_to_uint128((uint64_t)0U)); + uint64_t tmp0 = FStar_UInt128_uint128_to_uint64(l_) & (uint64_t)0x7ffffffffffffU; + uint64_t c0 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_, (uint32_t)51U)); + FStar_UInt128_uint128 l_0 = FStar_UInt128_add(o10, FStar_UInt128_uint64_to_uint128(c0)); + uint64_t tmp1 = FStar_UInt128_uint128_to_uint64(l_0) & (uint64_t)0x7ffffffffffffU; + uint64_t c1 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_0, (uint32_t)51U)); + FStar_UInt128_uint128 l_1 = FStar_UInt128_add(o20, FStar_UInt128_uint64_to_uint128(c1)); + uint64_t tmp2 = FStar_UInt128_uint128_to_uint64(l_1) & (uint64_t)0x7ffffffffffffU; + uint64_t c2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_1, (uint32_t)51U)); + 
FStar_UInt128_uint128 l_2 = FStar_UInt128_add(o30, FStar_UInt128_uint64_to_uint128(c2)); + uint64_t tmp3 = FStar_UInt128_uint128_to_uint64(l_2) & (uint64_t)0x7ffffffffffffU; + uint64_t c3 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_2, (uint32_t)51U)); + FStar_UInt128_uint128 l_3 = FStar_UInt128_add(o40, FStar_UInt128_uint64_to_uint128(c3)); + uint64_t tmp4 = FStar_UInt128_uint128_to_uint64(l_3) & (uint64_t)0x7ffffffffffffU; + uint64_t c4 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_3, (uint32_t)51U)); + uint64_t l_4 = tmp0 + c4 * (uint64_t)19U; + uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU; + uint64_t c5 = l_4 >> (uint32_t)51U; + uint64_t o0 = tmp0_; + uint64_t o1 = tmp1 + c5; + uint64_t o2 = tmp2; + uint64_t o3 = tmp3; + uint64_t o4 = tmp4; + out[0U] = o0; + out[1U] = o1; + out[2U] = o2; + out[3U] = o3; + out[4U] = o4; +} + +static inline void +Hacl_Impl_Curve25519_Field51_fsqr2(uint64_t *out, uint64_t *f, FStar_UInt128_uint128 *uu___) +{ + uint64_t f10 = f[0U]; + uint64_t f11 = f[1U]; + uint64_t f12 = f[2U]; + uint64_t f13 = f[3U]; + uint64_t f14 = f[4U]; + uint64_t f20 = f[5U]; + uint64_t f21 = f[6U]; + uint64_t f22 = f[7U]; + uint64_t f23 = f[8U]; + uint64_t f24 = f[9U]; + uint64_t d00 = (uint64_t)2U * f10; + uint64_t d10 = (uint64_t)2U * f11; + uint64_t d20 = (uint64_t)38U * f12; + uint64_t d30 = (uint64_t)19U * f13; + uint64_t d4190 = (uint64_t)19U * f14; + uint64_t d40 = (uint64_t)2U * d4190; + FStar_UInt128_uint128 + s00 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(f10, f10), + FStar_UInt128_mul_wide(d40, f11)), + FStar_UInt128_mul_wide(d20, f13)); + FStar_UInt128_uint128 + s10 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d00, f11), + FStar_UInt128_mul_wide(d40, f12)), + FStar_UInt128_mul_wide(d30, f13)); + FStar_UInt128_uint128 + s20 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d00, f12), + FStar_UInt128_mul_wide(f11, f11)), + FStar_UInt128_mul_wide(d40, f13)); + 
FStar_UInt128_uint128 + s30 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d00, f13), + FStar_UInt128_mul_wide(d10, f12)), + FStar_UInt128_mul_wide(f14, d4190)); + FStar_UInt128_uint128 + s40 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d00, f14), + FStar_UInt128_mul_wide(d10, f13)), + FStar_UInt128_mul_wide(f12, f12)); + FStar_UInt128_uint128 o100 = s00; + FStar_UInt128_uint128 o110 = s10; + FStar_UInt128_uint128 o120 = s20; + FStar_UInt128_uint128 o130 = s30; + FStar_UInt128_uint128 o140 = s40; + uint64_t d0 = (uint64_t)2U * f20; + uint64_t d1 = (uint64_t)2U * f21; + uint64_t d2 = (uint64_t)38U * f22; + uint64_t d3 = (uint64_t)19U * f23; + uint64_t d419 = (uint64_t)19U * f24; + uint64_t d4 = (uint64_t)2U * d419; + FStar_UInt128_uint128 + s0 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(f20, f20), + FStar_UInt128_mul_wide(d4, f21)), + FStar_UInt128_mul_wide(d2, f23)); + FStar_UInt128_uint128 + s1 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f21), + FStar_UInt128_mul_wide(d4, f22)), + FStar_UInt128_mul_wide(d3, f23)); + FStar_UInt128_uint128 + s2 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f22), + FStar_UInt128_mul_wide(f21, f21)), + FStar_UInt128_mul_wide(d4, f23)); + FStar_UInt128_uint128 + s3 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f23), + FStar_UInt128_mul_wide(d1, f22)), + FStar_UInt128_mul_wide(f24, d419)); + FStar_UInt128_uint128 + s4 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f24), + FStar_UInt128_mul_wide(d1, f23)), + FStar_UInt128_mul_wide(f22, f22)); + FStar_UInt128_uint128 o200 = s0; + FStar_UInt128_uint128 o210 = s1; + FStar_UInt128_uint128 o220 = s2; + FStar_UInt128_uint128 o230 = s3; + FStar_UInt128_uint128 o240 = s4; + FStar_UInt128_uint128 + l_ = FStar_UInt128_add(o100, FStar_UInt128_uint64_to_uint128((uint64_t)0U)); + uint64_t tmp00 = FStar_UInt128_uint128_to_uint64(l_) & (uint64_t)0x7ffffffffffffU; + 
uint64_t c00 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_, (uint32_t)51U)); + FStar_UInt128_uint128 l_0 = FStar_UInt128_add(o110, FStar_UInt128_uint64_to_uint128(c00)); + uint64_t tmp10 = FStar_UInt128_uint128_to_uint64(l_0) & (uint64_t)0x7ffffffffffffU; + uint64_t c10 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_0, (uint32_t)51U)); + FStar_UInt128_uint128 l_1 = FStar_UInt128_add(o120, FStar_UInt128_uint64_to_uint128(c10)); + uint64_t tmp20 = FStar_UInt128_uint128_to_uint64(l_1) & (uint64_t)0x7ffffffffffffU; + uint64_t c20 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_1, (uint32_t)51U)); + FStar_UInt128_uint128 l_2 = FStar_UInt128_add(o130, FStar_UInt128_uint64_to_uint128(c20)); + uint64_t tmp30 = FStar_UInt128_uint128_to_uint64(l_2) & (uint64_t)0x7ffffffffffffU; + uint64_t c30 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_2, (uint32_t)51U)); + FStar_UInt128_uint128 l_3 = FStar_UInt128_add(o140, FStar_UInt128_uint64_to_uint128(c30)); + uint64_t tmp40 = FStar_UInt128_uint128_to_uint64(l_3) & (uint64_t)0x7ffffffffffffU; + uint64_t c40 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_3, (uint32_t)51U)); + uint64_t l_4 = tmp00 + c40 * (uint64_t)19U; + uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU; + uint64_t c50 = l_4 >> (uint32_t)51U; + uint64_t o101 = tmp0_; + uint64_t o111 = tmp10 + c50; + uint64_t o121 = tmp20; + uint64_t o131 = tmp30; + uint64_t o141 = tmp40; + FStar_UInt128_uint128 + l_5 = FStar_UInt128_add(o200, FStar_UInt128_uint64_to_uint128((uint64_t)0U)); + uint64_t tmp0 = FStar_UInt128_uint128_to_uint64(l_5) & (uint64_t)0x7ffffffffffffU; + uint64_t c0 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_5, (uint32_t)51U)); + FStar_UInt128_uint128 l_6 = FStar_UInt128_add(o210, FStar_UInt128_uint64_to_uint128(c0)); + uint64_t tmp1 = FStar_UInt128_uint128_to_uint64(l_6) & (uint64_t)0x7ffffffffffffU; + uint64_t c1 = 
FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_6, (uint32_t)51U)); + FStar_UInt128_uint128 l_7 = FStar_UInt128_add(o220, FStar_UInt128_uint64_to_uint128(c1)); + uint64_t tmp2 = FStar_UInt128_uint128_to_uint64(l_7) & (uint64_t)0x7ffffffffffffU; + uint64_t c2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_7, (uint32_t)51U)); + FStar_UInt128_uint128 l_8 = FStar_UInt128_add(o230, FStar_UInt128_uint64_to_uint128(c2)); + uint64_t tmp3 = FStar_UInt128_uint128_to_uint64(l_8) & (uint64_t)0x7ffffffffffffU; + uint64_t c3 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_8, (uint32_t)51U)); + FStar_UInt128_uint128 l_9 = FStar_UInt128_add(o240, FStar_UInt128_uint64_to_uint128(c3)); + uint64_t tmp4 = FStar_UInt128_uint128_to_uint64(l_9) & (uint64_t)0x7ffffffffffffU; + uint64_t c4 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_9, (uint32_t)51U)); + uint64_t l_10 = tmp0 + c4 * (uint64_t)19U; + uint64_t tmp0_0 = l_10 & (uint64_t)0x7ffffffffffffU; + uint64_t c5 = l_10 >> (uint32_t)51U; + uint64_t o201 = tmp0_0; + uint64_t o211 = tmp1 + c5; + uint64_t o221 = tmp2; + uint64_t o231 = tmp3; + uint64_t o241 = tmp4; + uint64_t o10 = o101; + uint64_t o11 = o111; + uint64_t o12 = o121; + uint64_t o13 = o131; + uint64_t o14 = o141; + uint64_t o20 = o201; + uint64_t o21 = o211; + uint64_t o22 = o221; + uint64_t o23 = o231; + uint64_t o24 = o241; + out[0U] = o10; + out[1U] = o11; + out[2U] = o12; + out[3U] = o13; + out[4U] = o14; + out[5U] = o20; + out[6U] = o21; + out[7U] = o22; + out[8U] = o23; + out[9U] = o24; +} + +static inline void Hacl_Impl_Curve25519_Field51_store_felem(uint64_t *u64s, uint64_t *f) +{ + uint64_t f0 = f[0U]; + uint64_t f1 = f[1U]; + uint64_t f2 = f[2U]; + uint64_t f3 = f[3U]; + uint64_t f4 = f[4U]; + uint64_t l_ = f0 + (uint64_t)0U; + uint64_t tmp0 = l_ & (uint64_t)0x7ffffffffffffU; + uint64_t c0 = l_ >> (uint32_t)51U; + uint64_t l_0 = f1 + c0; + uint64_t tmp1 = l_0 & (uint64_t)0x7ffffffffffffU; + uint64_t c1 = l_0 
>> (uint32_t)51U; + uint64_t l_1 = f2 + c1; + uint64_t tmp2 = l_1 & (uint64_t)0x7ffffffffffffU; + uint64_t c2 = l_1 >> (uint32_t)51U; + uint64_t l_2 = f3 + c2; + uint64_t tmp3 = l_2 & (uint64_t)0x7ffffffffffffU; + uint64_t c3 = l_2 >> (uint32_t)51U; + uint64_t l_3 = f4 + c3; + uint64_t tmp4 = l_3 & (uint64_t)0x7ffffffffffffU; + uint64_t c4 = l_3 >> (uint32_t)51U; + uint64_t l_4 = tmp0 + c4 * (uint64_t)19U; + uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU; + uint64_t c5 = l_4 >> (uint32_t)51U; + uint64_t f01 = tmp0_; + uint64_t f11 = tmp1 + c5; + uint64_t f21 = tmp2; + uint64_t f31 = tmp3; + uint64_t f41 = tmp4; + uint64_t m0 = FStar_UInt64_gte_mask(f01, (uint64_t)0x7ffffffffffedU); + uint64_t m1 = FStar_UInt64_eq_mask(f11, (uint64_t)0x7ffffffffffffU); + uint64_t m2 = FStar_UInt64_eq_mask(f21, (uint64_t)0x7ffffffffffffU); + uint64_t m3 = FStar_UInt64_eq_mask(f31, (uint64_t)0x7ffffffffffffU); + uint64_t m4 = FStar_UInt64_eq_mask(f41, (uint64_t)0x7ffffffffffffU); + uint64_t mask = (((m0 & m1) & m2) & m3) & m4; + uint64_t f0_ = f01 - (mask & (uint64_t)0x7ffffffffffedU); + uint64_t f1_ = f11 - (mask & (uint64_t)0x7ffffffffffffU); + uint64_t f2_ = f21 - (mask & (uint64_t)0x7ffffffffffffU); + uint64_t f3_ = f31 - (mask & (uint64_t)0x7ffffffffffffU); + uint64_t f4_ = f41 - (mask & (uint64_t)0x7ffffffffffffU); + uint64_t f02 = f0_; + uint64_t f12 = f1_; + uint64_t f22 = f2_; + uint64_t f32 = f3_; + uint64_t f42 = f4_; + uint64_t o00 = f02 | f12 << (uint32_t)51U; + uint64_t o10 = f12 >> (uint32_t)13U | f22 << (uint32_t)38U; + uint64_t o20 = f22 >> (uint32_t)26U | f32 << (uint32_t)25U; + uint64_t o30 = f32 >> (uint32_t)39U | f42 << (uint32_t)12U; + uint64_t o0 = o00; + uint64_t o1 = o10; + uint64_t o2 = o20; + uint64_t o3 = o30; + u64s[0U] = o0; + u64s[1U] = o1; + u64s[2U] = o2; + u64s[3U] = o3; +} + +static inline void +Hacl_Impl_Curve25519_Field51_cswap2(uint64_t bit, uint64_t *p1, uint64_t *p2) +{ + uint64_t mask = (uint64_t)0U - bit; + for (uint32_t i = (uint32_t)0U; i 
< (uint32_t)10U; i++) + { + uint64_t dummy = mask & (p1[i] ^ p2[i]); + p1[i] = p1[i] ^ dummy; + p2[i] = p2[i] ^ dummy; + } +} + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Bignum25519_51_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Bignum256.h b/include/msvc/Hacl_Bignum256.h new file mode 100644 index 00000000..87c22666 --- /dev/null +++ b/include/msvc/Hacl_Bignum256.h 
@@ -0,0 +1,409 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Bignum256_H +#define __Hacl_Bignum256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_Bignum_Base.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +/******************************************************************************* + +A verified 256-bit bignum library. + +This is a 64-bit optimized version, where bignums are represented as an array +of four unsigned 64-bit integers, i.e. uint64_t[4]. Furthermore, the +limbs are stored in little-endian format, i.e. the least significant limb is at +index 0. Each limb is stored in native format in memory. 
Example: + + uint64_t sixteen[4] = { 0x10; 0x00; 0x00; 0x00 } + +We strongly encourage users to go through the conversion functions, e.g. +bn_from_bytes_be, to i) not depend on internal representation choices and ii) +have the ability to switch easily to a 32-bit optimized version in the future. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2^256` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 256-bit bignums, i.e. uint64_t[4] +*/ +uint64_t Hacl_Bignum256_add(uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `a - b mod 2^256` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 256-bit bignums, i.e. uint64_t[4] +*/ +uint64_t Hacl_Bignum256_sub(uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum256_add_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum256_sub_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint64_t[4]. + The outparam res is meant to be a 512-bit bignum, i.e. uint64_t[8]. +*/ +void Hacl_Bignum256_mul(uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `a * a` in `res`. + + The argument a is meant to be a 256-bit bignum, i.e. 
uint64_t[4]. + The outparam res is meant to be a 512-bit bignum, i.e. uint64_t[8]. +*/ +void Hacl_Bignum256_sqr(uint64_t *a, uint64_t *res); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 512-bit bignum, i.e. uint64_t[8]. + The argument n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum256_mod(uint64_t *n, uint64_t *a, uint64_t *res); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum256_mod_exp_vartime( + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. 
+ + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum256_mod_exp_consttime( + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum256_mod_inv_prime_vartime(uint64_t *n, uint64_t *a, uint64_t *res); + +typedef struct Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64_s +{ + uint32_t len; + uint64_t *n; + uint64_t mu; + uint64_t *r2; +} +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64; + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be a 256-bit bignum, i.e. uint64_t[4]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum256_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_Bignum256_mont_ctx_init(uint64_t *n); + +/* +Deallocate the memory previously allocated by Hacl_Bignum256_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. +*/ +void Hacl_Bignum256_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 512-bit bignum, i.e. uint64_t[8]. + The outparam res is meant to be a 256-bit bignum, i.e. 
uint64_t[4]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. +*/ +void +Hacl_Bignum256_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum256_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum256_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum256_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +); + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint64_t *Hacl_Bignum256_new_bn_from_bytes_be(uint32_t len, uint8_t *b); + +/* +Load a little-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint64_t *Hacl_Bignum256_new_bn_from_bytes_le(uint32_t len, uint8_t *b); + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a 256-bit bignum. + The outparam res points to 32 bytes of valid memory. 
+*/ +void Hacl_Bignum256_bn_to_bytes_be(uint64_t *b, uint8_t *res); + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a 256-bit bignum. + The outparam res points to 32 bytes of valid memory. +*/ +void Hacl_Bignum256_bn_to_bytes_le(uint64_t *b, uint8_t *res); + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^64 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint64_t[4]. +*/ +uint64_t Hacl_Bignum256_lt_mask(uint64_t *a, uint64_t *b); + +/* +Returns 2^64 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint64_t[4]. +*/ +uint64_t Hacl_Bignum256_eq_mask(uint64_t *a, uint64_t *b); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Bignum256_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Bignum256_32.h b/include/msvc/Hacl_Bignum256_32.h new file mode 100644 index 00000000..88eacdcb --- /dev/null +++ b/include/msvc/Hacl_Bignum256_32.h 
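Review bot: The doc comment on `Hacl_Bignum256_new_bn_from_bytes_be` reads "Load a bid-endian bignum from memory" and should be "Load a big-endian bignum from memory"; the same typo, and the "This functions returns the carry" wording on `Hacl_Bignum256_add`/`_sub`, recur verbatim in the Hacl_Bignum256_32.h and Hacl_Bignum32.h hunks of this commit. The comment on `Hacl_Bignum256_mod_inv_prime_vartime` only signals timing behaviour through the name, while the `mod_exp_vartime` comment spells it out; I would add `The function is *NOT* constant-time on the argument a; do not use it on secret values.` so the contract matches the rest of the header. The first include line appears as a bare `#include` before `#include "kremlin/internal/types.h"`, which looks like an angle-bracket operand dropped in rendering rather than in the file — worth confirming the committed header has it, since an operand-less `#include` does not compile. This header looks like KaRaMeL/KreMLin-extracted code, so the wording fixes presumably belong in the upstream generator rather than a hand edit here.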
@@ -0,0 +1,401 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Bignum256_32_H +#define __Hacl_Bignum256_32_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_GenericField32.h" +#include "Hacl_Bignum_Base.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +/******************************************************************************* + +A verified 256-bit bignum library. + +This is a 32-bit optimized version, where bignums are represented as an array +of eight unsigned 32-bit integers, i.e. uint32_t[8]. Furthermore, the +limbs are stored in little-endian format, i.e. the least significant limb is at +index 0. 
Each limb is stored in native format in memory. Example: + + uint32_t sixteen[8] = { 0x10; 0x00; 0x00; 0x00; 0x00; 0x00; 0x00; 0x00 } + +We strongly encourage users to go through the conversion functions, e.g. +bn_from_bytes_be, to i) not depend on internal representation choices and ii) +have the ability to switch easily to a 64-bit optimized version in the future. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2^256` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 256-bit bignums, i.e. uint32_t[8] +*/ +uint32_t Hacl_Bignum256_32_add(uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `a - b mod 2^256` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 256-bit bignums, i.e. uint32_t[8] +*/ +uint32_t Hacl_Bignum256_32_sub(uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum256_32_add_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum256_32_sub_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint32_t[8]. + The outparam res is meant to be a 512-bit bignum, i.e. uint32_t[16]. 
+*/ +void Hacl_Bignum256_32_mul(uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `a * a` in `res`. + + The argument a is meant to be a 256-bit bignum, i.e. uint32_t[8]. + The outparam res is meant to be a 512-bit bignum, i.e. uint32_t[16]. +*/ +void Hacl_Bignum256_32_sqr(uint32_t *a, uint32_t *res); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 512-bit bignum, i.e. uint32_t[16]. + The argument n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum256_32_mod(uint32_t *n, uint32_t *a, uint32_t *res); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum256_32_mod_exp_vartime( + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. 
+ + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum256_32_mod_exp_consttime( + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum256_32_mod_inv_prime_vartime(uint32_t *n, uint32_t *a, uint32_t *res); + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be a 256-bit bignum, i.e. uint32_t[8]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum256_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_Bignum256_32_mont_ctx_init(uint32_t *n); + +/* +Deallocate the memory previously allocated by Hacl_Bignum256_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. +*/ +void Hacl_Bignum256_32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 512-bit bignum, i.e. uint32_t[16]. + The outparam res is meant to be a 256-bit bignum, i.e. uint32_t[8]. 
+ The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. +*/ +void +Hacl_Bignum256_32_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum256_32_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum256_32_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum256_32_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +); + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum256_32_new_bn_from_bytes_be(uint32_t len, uint8_t *b); + +/* +Load a little-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum256_32_new_bn_from_bytes_le(uint32_t len, uint8_t *b); + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a 256-bit bignum. + The outparam res points to 32 bytes of valid memory. 
+*/ +void Hacl_Bignum256_32_bn_to_bytes_be(uint32_t *b, uint8_t *res); + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a 256-bit bignum. + The outparam res points to 32 bytes of valid memory. +*/ +void Hacl_Bignum256_32_bn_to_bytes_le(uint32_t *b, uint8_t *res); + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^32 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint32_t[8]. +*/ +uint32_t Hacl_Bignum256_32_lt_mask(uint32_t *a, uint32_t *b); + +/* +Returns 2^32 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint32_t[8]. +*/ +uint32_t Hacl_Bignum256_32_eq_mask(uint32_t *a, uint32_t *b); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Bignum256_32_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Bignum32.h b/include/msvc/Hacl_Bignum32.h new file mode 100644 index 00000000..93288f64 --- /dev/null +++ b/include/msvc/Hacl_Bignum32.h 
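Review bot: The precomputation section of this header documents the wrong functions: `Hacl_Bignum256_32_mont_ctx_init` says the caller must release the context with `Hacl_Bignum256_mont_ctx_free`, and `Hacl_Bignum256_32_mont_ctx_free`, `_mod_precomp`, `_mod_exp_*_precomp` and `_mod_inv_prime_vartime_precomp` all say the context is "obtained through Hacl_Bignum256_mont_ctx_init". Those are the 64-bit functions operating on `Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *`, whereas every prototype here takes `Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *`, so a reader following the comments would pair an allocator and a deallocator with different context layouts. The comments should read `The caller will need to call Hacl_Bignum256_32_mont_ctx_free on the return value` and `The argument k is a montgomery context obtained through Hacl_Bignum256_32_mont_ctx_init.` throughout the section. Unlike the 64-bit header, this one does not declare the `_u32` context struct itself; presumably `Hacl_GenericField32.h` provides it, which is worth confirming since the typedef is required for the prototypes to compile.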
@@ -0,0 +1,400 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Bignum32_H +#define __Hacl_Bignum32_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_GenericField32.h" +#include "Hacl_Bignum_Base.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_Bignum32_pbn_mont_ctx_u32; + +/******************************************************************************* + +A verified bignum library. + +This is a 32-bit optimized version, where bignums are represented as an array +of `len` unsigned 32-bit integers, i.e. uint32_t[len]. 
+ +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2 ^ (32 * len)` in `res`. + + This functions returns the carry. + + The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len] +*/ +uint32_t Hacl_Bignum32_add(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `a - b mod 2 ^ (32 * len)` in `res`. + + This functions returns the carry. + + The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len] +*/ +uint32_t Hacl_Bignum32_sub(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum32_add_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum32_sub_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. + The outparam res is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. +*/ +void Hacl_Bignum32_mul(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `a * a` in `res`. + + The argument a is meant to be `len` limbs in size, i.e. uint32_t[len]. + The outparam res is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. 
+*/ +void Hacl_Bignum32_sqr(uint32_t len, uint32_t *a, uint32_t *res); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. + The argument n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum32_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum32_mod_exp_vartime( + uint32_t len, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. 
+ + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum32_mod_exp_consttime( + uint32_t len, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool +Hacl_Bignum32_mod_inv_prime_vartime(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res); + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum32_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 +*Hacl_Bignum32_mont_ctx_init(uint32_t len, uint32_t *n); + +/* +Deallocate the memory previously allocated by Hacl_Bignum32_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. +*/ +void Hacl_Bignum32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. + The outparam res is meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. 
+*/ +void +Hacl_Bignum32_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum32_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum32_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum32_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +); + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to `len` bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum32_new_bn_from_bytes_be(uint32_t len, uint8_t *b); + +/* +Load a little-endian bignum from memory. + + The argument b points to `len` bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum32_new_bn_from_bytes_le(uint32_t len, uint8_t *b); + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a bignum of ⌈len / 4⌉ size. + The outparam res points to `len` bytes of valid memory. 
+*/ +void Hacl_Bignum32_bn_to_bytes_be(uint32_t len, uint32_t *b, uint8_t *res); + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a bignum of ⌈len / 4⌉ size. + The outparam res points to `len` bytes of valid memory. +*/ +void Hacl_Bignum32_bn_to_bytes_le(uint32_t len, uint32_t *b, uint8_t *res); + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^32 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. +*/ +uint32_t Hacl_Bignum32_lt_mask(uint32_t len, uint32_t *a, uint32_t *b); + +/* +Returns 2^32 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. +*/ +uint32_t Hacl_Bignum32_eq_mask(uint32_t len, uint32_t *a, uint32_t *b); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Bignum32_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Bignum4096.h b/include/msvc/Hacl_Bignum4096.h new file mode 100644 index 00000000..c3716546 --- /dev/null +++ b/include/msvc/Hacl_Bignum4096.h 
@@ -0,0 +1,405 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Bignum4096_H +#define __Hacl_Bignum4096_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_Bignum_Base.h" +#include "Hacl_Bignum256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +/******************************************************************************* + +A verified 4096-bit bignum library. + +This is a 64-bit optimized version, where bignums are represented as an array +of sixty four unsigned 64-bit integers, i.e. uint64_t[64]. Furthermore, the +limbs are stored in little-endian format, i.e. the least significant limb is at +index 0. 
Each limb is stored in native format in memory. Example: + + uint64_t sixteen[64] = { 0x10 } + + (relying on the fact that when an initializer-list is provided, the remainder + of the object gets initialized as if it had static storage duration, i.e. with + zeroes) + +We strongly encourage users to go through the conversion functions, e.g. +bn_from_bytes_be, to i) not depend on internal representation choices and ii) +have the ability to switch easily to a 32-bit optimized version in the future. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2^4096` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 4096-bit bignums, i.e. uint64_t[64] +*/ +uint64_t Hacl_Bignum4096_add(uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `a - b mod 2^4096` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 4096-bit bignums, i.e. uint64_t[64] +*/ +uint64_t Hacl_Bignum4096_sub(uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum4096_add_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum4096_sub_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint64_t[64]. 
+ The outparam res is meant to be a 8192-bit bignum, i.e. uint64_t[128]. +*/ +void Hacl_Bignum4096_mul(uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `a * a` in `res`. + + The argument a is meant to be a 4096-bit bignum, i.e. uint64_t[64]. + The outparam res is meant to be a 8192-bit bignum, i.e. uint64_t[128]. +*/ +void Hacl_Bignum4096_sqr(uint64_t *a, uint64_t *res); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 8192-bit bignum, i.e. uint64_t[128]. + The argument n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum4096_mod(uint64_t *n, uint64_t *a, uint64_t *res); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum4096_mod_exp_vartime( + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. 
When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum4096_mod_exp_consttime( + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum4096_mod_inv_prime_vartime(uint64_t *n, uint64_t *a, uint64_t *res); + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be a 4096-bit bignum, i.e. uint64_t[64]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum4096_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_Bignum4096_mont_ctx_init(uint64_t *n); + +/* +Deallocate the memory previously allocated by Hacl_Bignum4096_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. +*/ +void Hacl_Bignum4096_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k); + +/* +Write `a mod n` in `res`. 
+ + The argument a is meant to be a 8192-bit bignum, i.e. uint64_t[128]. + The outparam res is meant to be a 4096-bit bignum, i.e. uint64_t[64]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. +*/ +void +Hacl_Bignum4096_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum4096_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. 
+ + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum4096_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum4096_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +); + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint64_t *Hacl_Bignum4096_new_bn_from_bytes_be(uint32_t len, uint8_t *b); + +/* +Load a little-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint64_t *Hacl_Bignum4096_new_bn_from_bytes_le(uint32_t len, uint8_t *b); + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a 4096-bit bignum. 
+ The outparam res points to 512 bytes of valid memory. +*/ +void Hacl_Bignum4096_bn_to_bytes_be(uint64_t *b, uint8_t *res); + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a 4096-bit bignum. + The outparam res points to 512 bytes of valid memory. +*/ +void Hacl_Bignum4096_bn_to_bytes_le(uint64_t *b, uint8_t *res); + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^64 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint64_t[64]. +*/ +uint64_t Hacl_Bignum4096_lt_mask(uint64_t *a, uint64_t *b); + +/* +Returns 2^64 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint64_t[64]. +*/ +uint64_t Hacl_Bignum4096_eq_mask(uint64_t *a, uint64_t *b); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Bignum4096_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Bignum4096_32.h b/include/msvc/Hacl_Bignum4096_32.h new file mode 100644 index 00000000..5d4c3d64 --- /dev/null +++ b/include/msvc/Hacl_Bignum4096_32.h 
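Review bot: The include guard and end marker `__Hacl_Bignum4096_H` / `__Hacl_Bignum4096_H_DEFINED` are identifiers beginning with a double underscore, which C reserves for the implementation; the same pattern appears in Hacl_Bignum4096_32.h and Hacl_Bignum64.h in this commit, and since these headers carry kremlin includes they look generated, so the correction presumably belongs in the extraction step rather than in a hand edit here. The bare `#include` line directly after `extern "C" {` carries no header name; if that is not an artefact of how this page was rendered, the file as shown will not compile, so it is worth checking the committed file. In the documentation, `This functions returns the carry` (add and sub) should read `This function returns the carry`, and `Load a bid-endian bignum from memory` should read `Load a big-endian bignum from memory`. Because `Hacl_Bignum4096_mod_exp_vartime` and its `_precomp` variant are documented as not constant-time on b, I would add to both comments `Use the mod_exp_consttime variant whenever b is a secret value (e.g. a private exponent).` so the choice is explicit at the call site.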
@@ -0,0 +1,405 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Bignum4096_32_H +#define __Hacl_Bignum4096_32_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_GenericField32.h" +#include "Hacl_Bignum_Base.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +/******************************************************************************* + +A verified 4096-bit bignum library. + +This is a 32-bit optimized version, where bignums are represented as an array +of 128 unsigned 32-bit integers, i.e. uint32_t[128]. Furthermore, the +limbs are stored in little-endian format, i.e. the least significant limb is at +index 0. 
Each limb is stored in native format in memory. Example: + + uint32_t sixteen[128] = { 0x10 } + + (relying on the fact that when an initializer-list is provided, the remainder + of the object gets initialized as if it had static storage duration, i.e. with + zeroes) + +We strongly encourage users to go through the conversion functions, e.g. +bn_from_bytes_be, to i) not depend on internal representation choices and ii) +have the ability to switch easily to a 64-bit optimized version in the future. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2^4096` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 4096-bit bignums, i.e. uint32_t[128] +*/ +uint32_t Hacl_Bignum4096_32_add(uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `a - b mod 2^4096` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 4096-bit bignums, i.e. uint32_t[128] +*/ +uint32_t Hacl_Bignum4096_32_sub(uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum4096_32_add_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum4096_32_sub_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be 4096-bit bignums, i.e. 
uint32_t[128]. + The outparam res is meant to be a 8192-bit bignum, i.e. uint32_t[256]. +*/ +void Hacl_Bignum4096_32_mul(uint32_t *a, uint32_t *b, uint32_t *res); + +/* +Write `a * a` in `res`. + + The argument a is meant to be a 4096-bit bignum, i.e. uint32_t[128]. + The outparam res is meant to be a 8192-bit bignum, i.e. uint32_t[256]. +*/ +void Hacl_Bignum4096_32_sqr(uint32_t *a, uint32_t *res); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 8192-bit bignum, i.e. uint32_t[256]. + The argument n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum4096_32_mod(uint32_t *n, uint32_t *a, uint32_t *res); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum4096_32_mod_exp_vartime( + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. 
When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum4096_32_mod_exp_consttime( + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum4096_32_mod_inv_prime_vartime(uint32_t *n, uint32_t *a, uint32_t *res); + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be a 4096-bit bignum, i.e. uint32_t[128]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum4096_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_Bignum4096_32_mont_ctx_init(uint32_t *n); + +/* +Deallocate the memory previously allocated by Hacl_Bignum4096_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. +*/ +void Hacl_Bignum4096_32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k); + +/* +Write `a mod n` in `res`. 
+ + The argument a is meant to be a 8192-bit bignum, i.e. uint32_t[256]. + The outparam res is meant to be a 4096-bit bignum, i.e. uint32_t[128]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. +*/ +void +Hacl_Bignum4096_32_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum4096_32_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. 
+ + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum4096_32_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum4096_32_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +); + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum4096_32_new_bn_from_bytes_be(uint32_t len, uint8_t *b); + +/* +Load a little-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum4096_32_new_bn_from_bytes_le(uint32_t len, uint8_t *b); + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a 4096-bit bignum. 
+ The outparam res points to 512 bytes of valid memory. +*/ +void Hacl_Bignum4096_32_bn_to_bytes_be(uint32_t *b, uint8_t *res); + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a 4096-bit bignum. + The outparam res points to 512 bytes of valid memory. +*/ +void Hacl_Bignum4096_32_bn_to_bytes_le(uint32_t *b, uint8_t *res); + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^32 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint32_t[128]. +*/ +uint32_t Hacl_Bignum4096_32_lt_mask(uint32_t *a, uint32_t *b); + +/* +Returns 2^32 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint32_t[128]. +*/ +uint32_t Hacl_Bignum4096_32_eq_mask(uint32_t *a, uint32_t *b); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Bignum4096_32_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Bignum64.h b/include/msvc/Hacl_Bignum64.h new file mode 100644 index 00000000..caf5a7a3 --- /dev/null +++ b/include/msvc/Hacl_Bignum64.h 
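Review bot: The comments on `Hacl_Bignum4096_32_mont_ctx_init`, `Hacl_Bignum4096_32_mont_ctx_free` and every `_precomp` function in this file refer to `Hacl_Bignum4096_mont_ctx_init` / `Hacl_Bignum4096_mont_ctx_free`, which are the 64-bit-limb API from Hacl_Bignum4096.h and return/take `Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64`, not the `_u32` context these functions take; the text should name the `_32` functions so a reader does not pair a context from the wrong API. For example, `The caller will need to call Hacl_Bignum4096_mont_ctx_free on the return value` should read `The caller will need to call Hacl_Bignum4096_32_mont_ctx_free on the return value`, and `obtained through Hacl_Bignum4096_mont_ctx_init` should read `obtained through Hacl_Bignum4096_32_mont_ctx_init`. The typos noted for Hacl_Bignum4096.h (`This functions returns the carry`, `bid-endian`) are repeated here. Given the kremlin includes these headers look generated, so the correction presumably belongs in the source the headers are extracted from.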
@@ -0,0 +1,400 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Bignum64_H +#define __Hacl_Bignum64_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_Bignum_Base.h" +#include "Hacl_Bignum256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_Bignum64_pbn_mont_ctx_u64; + +/******************************************************************************* + +A verified bignum library. + +This is a 64-bit optimized version, where bignums are represented as an array +of `len` unsigned 64-bit integers, i.e. uint64_t[len]. 
+ +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2 ^ (64 * len)` in `res`. + + This functions returns the carry. + + The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len] +*/ +uint64_t Hacl_Bignum64_add(uint32_t len, uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `a - b mod 2 ^ (64 * len)` in `res`. + + This functions returns the carry. + + The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len] +*/ +uint64_t Hacl_Bignum64_sub(uint32_t len, uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum64_add_mod(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum64_sub_mod(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint64_t[len]. + The outparam res is meant to be `2*len` limbs in size, i.e. uint64_t[2*len]. +*/ +void Hacl_Bignum64_mul(uint32_t len, uint64_t *a, uint64_t *b, uint64_t *res); + +/* +Write `a * a` in `res`. + + The argument a is meant to be `len` limbs in size, i.e. uint64_t[len]. + The outparam res is meant to be `2*len` limbs in size, i.e. uint64_t[2*len]. 
+*/ +void Hacl_Bignum64_sqr(uint32_t len, uint64_t *a, uint64_t *res); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be `2*len` limbs in size, i.e. uint64_t[2*len]. + The argument n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum64_mod(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *res); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum64_mod_exp_vartime( + uint32_t len, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. 
+ + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum64_mod_exp_consttime( + uint32_t len, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool +Hacl_Bignum64_mod_inv_prime_vartime(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *res); + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be `len` limbs in size, i.e. uint64_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum64_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 +*Hacl_Bignum64_mont_ctx_init(uint32_t len, uint64_t *n); + +/* +Deallocate the memory previously allocated by Hacl_Bignum64_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init. +*/ +void Hacl_Bignum64_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k); + +/* +Write `a mod n` in `res`. + + The argument a is meant to be `2*len` limbs in size, i.e. uint64_t[2*len]. + The outparam res is meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init. 
+*/ +void +Hacl_Bignum64_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum64_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum64_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum64_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +); + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to `len` bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint64_t *Hacl_Bignum64_new_bn_from_bytes_be(uint32_t len, uint8_t *b); + +/* +Load a little-endian bignum from memory. + + The argument b points to `len` bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint64_t *Hacl_Bignum64_new_bn_from_bytes_le(uint32_t len, uint8_t *b); + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a bignum of ⌈len / 8⌉ size. + The outparam res points to `len` bytes of valid memory. 
+*/ +void Hacl_Bignum64_bn_to_bytes_be(uint32_t len, uint64_t *b, uint8_t *res); + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a bignum of ⌈len / 8⌉ size. + The outparam res points to `len` bytes of valid memory. +*/ +void Hacl_Bignum64_bn_to_bytes_le(uint32_t len, uint64_t *b, uint8_t *res); + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^64 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint64_t[len]. +*/ +uint64_t Hacl_Bignum64_lt_mask(uint32_t len, uint64_t *a, uint64_t *b); + +/* +Returns 2^64 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint64_t[len]. +*/ +uint64_t Hacl_Bignum64_eq_mask(uint32_t len, uint64_t *a, uint64_t *b); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Bignum64_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Bignum_Base.h b/include/msvc/Hacl_Bignum_Base.h new file mode 100644 index 00000000..9e947748 --- /dev/null +++ b/include/msvc/Hacl_Bignum_Base.h 
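Review bot: The comments on `Hacl_Bignum64_mod_exp_consttime` and `Hacl_Bignum64_mod_exp_consttime_precomp` say "A tighter bound results in faster execution time" without warning that bBits therefore leaks through timing, so a caller who derives bBits from a private exponent's actual length defeats the constant-time variant. I would add to both: `bBits is a public value: when b is secret, pass a fixed bound such as the modulus bit-length rather than the exponent's actual length.` Two wording slips in the same hunk: `Load a bid-endian bignum` should read big-endian, and the `Hacl_Bignum64_sub` comment says it "returns the carry" where a subtraction returns the borrow. The `_precomp` variants return void and leave `a < n` and `b < pow2 bBits` entirely to the caller, unlike the checked non-precomp functions, which deserves a louder statement since a violation is undetectable at runtime. If these headers are regenerated from the F* sources, the comment fixes belong upstream rather than in this copy.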
@@ -0,0 +1,77 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Bignum_Base_H +#define __Hacl_Bignum_Base_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +static inline uint64_t +Hacl_Bignum_Base_mul_wide_add_u64(uint64_t a, uint64_t b, uint64_t c_in, uint64_t *out) +{ + FStar_UInt128_uint128 + res = FStar_UInt128_add(FStar_UInt128_mul_wide(a, b), FStar_UInt128_uint64_to_uint128(c_in)); + out[0U] = FStar_UInt128_uint128_to_uint64(res); + return FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U)); +} + +static inline uint32_t +Hacl_Bignum_Base_mul_wide_add2_u32(uint32_t a, uint32_t b, uint32_t c_in, uint32_t *out) +{ + uint32_t out0 = out[0U]; + uint64_t res = (uint64_t)a * (uint64_t)b + (uint64_t)c_in + (uint64_t)out0; + out[0U] = (uint32_t)res; + return (uint32_t)(res >> (uint32_t)32U); +} + +static inline uint64_t +Hacl_Bignum_Base_mul_wide_add2_u64(uint64_t a, uint64_t b, uint64_t c_in, uint64_t *out) +{ + uint64_t out0 = out[0U]; + FStar_UInt128_uint128 + res = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(a, b), + FStar_UInt128_uint64_to_uint128(c_in)), + FStar_UInt128_uint64_to_uint128(out0)); + out[0U] = FStar_UInt128_uint128_to_uint64(res); + return FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U)); +} + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Bignum_Base_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Chacha20.h b/include/msvc/Hacl_Chacha20.h new file mode 100644 index 00000000..2794419e --- /dev/null +++ b/include/msvc/Hacl_Chacha20.h 
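Review bot: The three `static inline` helpers in Hacl_Bignum_Base.h carry no comment, so a reader cannot tell from the prototypes that `out[0]` receives the low limb and the return value is the high limb, or why the accumulation is overflow-free. I would put above each: `/* Computes a*b + c_in (+ out[0] for the add2 variants); stores the low limb in out[0], returns the high limb. Cannot overflow: (2^w-1)^2 + 2*(2^w-1) = 2^(2w)-1. */`. Since this copy lives under include/msvc, `FStar_UInt128_mul_wide` and `FStar_UInt128_add` are presumably a struct-based 128-bit emulation rather than a native `unsigned __int128`; whether that emulation is branch-free is not visible here and matters for the constant-time bignum paths, so a note pointing at its definition would help.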
@@ -0,0 +1,66 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Chacha20_H +#define __Hacl_Chacha20_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Chacha20_chacha20_encrypt( + uint32_t len, + uint8_t *out, + uint8_t *text, + uint8_t *key, + uint8_t *n, + uint32_t ctr +); + +void +Hacl_Chacha20_chacha20_decrypt( + uint32_t len, + uint8_t *out, + uint8_t *cipher, + uint8_t *key, + uint8_t *n, + uint32_t ctr +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Chacha20_H_DEFINED +#endif 
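Review bot: `Hacl_Chacha20_chacha20_encrypt` and `_decrypt` are exported with no documentation of the expected sizes of `key` and `n` or the role of `ctr`, and nothing warns that a (key, n) pair must never be reused across messages, which for a stream cipher hands an attacker the XOR of the plaintexts. I would add above the pair: `/* ChaCha20: out = text XOR keystream(key, n, starting at block ctr). key/n sizes are fixed by the implementation (presumably 32-byte key and 12-byte IETF nonce — confirm against the .c); never reuse (key, n) across messages. */`. Whether `ctr + len/64` running past 2^32 is rejected or silently wraps the block counter is also not visible here and deserves a sentence.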
diff --git a/include/msvc/Hacl_Chacha20Poly1305_128.h b/include/msvc/Hacl_Chacha20Poly1305_128.h new file mode 100644 index 00000000..30ac47b8 --- /dev/null +++ b/include/msvc/Hacl_Chacha20Poly1305_128.h 
@@ -0,0 +1,72 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Chacha20Poly1305_128_H +#define __Hacl_Chacha20Poly1305_128_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Poly1305_128.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Chacha20_Vec128.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Chacha20Poly1305_128_aead_encrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *mac +); + +uint32_t +Hacl_Chacha20Poly1305_128_aead_decrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *mac +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Chacha20Poly1305_128_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Chacha20Poly1305_256.h b/include/msvc/Hacl_Chacha20Poly1305_256.h new file mode 100644 index 00000000..3c9e5456 --- /dev/null +++ b/include/msvc/Hacl_Chacha20Poly1305_256.h 
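Review bot: `Hacl_Chacha20Poly1305_128_aead_encrypt` and `_decrypt` give no indication that they are only safe to call on a CPU supporting the 128-bit vector extension this translation unit is compiled for; on other hardware the call faults with an illegal instruction instead of failing cleanly, and nothing in the prototype leads a caller to check first. Which extension is required is not visible in this header, so the comment should name it. I would add: `/* Vectorized (128-bit) variant: the caller must confirm CPU support at runtime before dispatching here; the function performs no check. Same contract as the _32 variant. */`, with the last clause hedged until confirmed against the implementations.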
@@ -0,0 +1,72 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Chacha20Poly1305_256_H +#define __Hacl_Chacha20Poly1305_256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Poly1305_256.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Chacha20_Vec256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Chacha20Poly1305_256_aead_encrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *mac +); + +uint32_t +Hacl_Chacha20Poly1305_256_aead_decrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *mac +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Chacha20Poly1305_256_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Chacha20Poly1305_32.h b/include/msvc/Hacl_Chacha20Poly1305_32.h new file mode 100644 index 00000000..9162ffa0 --- /dev/null +++ b/include/msvc/Hacl_Chacha20Poly1305_32.h 
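Review bot: `Hacl_Chacha20Poly1305_256_aead_decrypt` returns a `uint32_t` with no statement of which value means success, and nothing says whether `m` is filled before the tag is checked, so a caller who consumes `m` after a nonzero return, or tests the wrong value, turns a tag failure into plaintext disclosure. I would document: `/* Returns 0 on successful tag verification (presumably — confirm); on any other value the tag did not verify and the contents of m must be discarded. */`. The 256-bit vector path also needs a runtime CPU-support check that the header does not mention.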
@@ -0,0 +1,72 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Chacha20Poly1305_32_H +#define __Hacl_Chacha20Poly1305_32_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Poly1305_32.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Chacha20.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Chacha20Poly1305_32_aead_encrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *mac +); + +uint32_t +Hacl_Chacha20Poly1305_32_aead_decrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *mac +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Chacha20Poly1305_32_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Chacha20_Vec128.h b/include/msvc/Hacl_Chacha20_Vec128.h new file mode 100644 index 00000000..0e4f2402 --- /dev/null +++ b/include/msvc/Hacl_Chacha20_Vec128.h 
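Review bot: The `_32` AEAD prototypes leave the buffer contracts to the reader: the sizes of `k`, `n` and `mac`, that `cipher` must hold `mlen` bytes, and that a nonce must never be reused under one key are all undocumented, and nonce reuse in ChaCha20-Poly1305 exposes both plaintexts and the Poly1305 key. Assuming this is the RFC 8439 AEAD construction (inferred from the name, not visible here), I would add: `/* k: 32-byte key, n: 12-byte nonce, mac: 16-byte Poly1305 tag; cipher and m are both mlen bytes. Never reuse n with the same k. */`. Whether decrypt writes `m` before verifying the tag should be stated too, since that decides how a caller must handle a failure.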
@@ -0,0 +1,66 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Chacha20_Vec128_H +#define __Hacl_Chacha20_Vec128_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Chacha20_Vec128_chacha20_encrypt_128( + uint32_t len, + uint8_t *out, + uint8_t *text, + uint8_t *key, + uint8_t *n, + uint32_t ctr +); + +void +Hacl_Chacha20_Vec128_chacha20_decrypt_128( + uint32_t len, + uint8_t *out, + uint8_t *cipher, + uint8_t *key, + uint8_t *n, + uint32_t ctr +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Chacha20_Vec128_H_DEFINED +#endif 
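Review bot: `Hacl_Chacha20_Vec128_chacha20_encrypt_128` mirrors the scalar `Hacl_Chacha20_chacha20_encrypt` signature exactly, but nothing tells a consumer that it may only be used after a runtime check for the 128-bit vector extension it was compiled with, nor that its output is meant to be identical to the scalar variant. A one-line header comment such as `/* Same contract and output as Hacl_Chacha20_chacha20_encrypt; requires the 128-bit SIMD extension at runtime, which the caller must check. */` would let a dispatcher choose between the variants safely; the output-equivalence part is inferred from the names and should be confirmed.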
diff --git a/include/msvc/Hacl_Chacha20_Vec256.h b/include/msvc/Hacl_Chacha20_Vec256.h new file mode 100644 index 00000000..c99ec184 --- /dev/null +++ b/include/msvc/Hacl_Chacha20_Vec256.h 
@@ -0,0 +1,66 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Chacha20_Vec256_H +#define __Hacl_Chacha20_Vec256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Chacha20_Vec256_chacha20_encrypt_256( + uint32_t len, + uint8_t *out, + uint8_t *text, + uint8_t *key, + uint8_t *n, + uint32_t ctr +); + +void +Hacl_Chacha20_Vec256_chacha20_decrypt_256( + uint32_t len, + uint8_t *out, + uint8_t *cipher, + uint8_t *key, + uint8_t *n, + uint32_t ctr +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Chacha20_Vec256_H_DEFINED +#endif 
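Review bot: The prototypes here name the nonce parameter `n`, the same letter the bignum headers in this commit use for the modulus; prototype parameter names are documentation only, so renaming it to `nonce` in the declaration costs nothing and removes the ambiguity for anyone reading the headers side by side. Beyond naming, the `_256` entry points, like the other vectorized variants, need a note that the caller must verify 256-bit vector support at runtime before calling, e.g. `/* Requires the 256-bit SIMD extension; the caller must check CPU support, the function does not. */`, since which extension is meant is not visible here.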
diff --git a/include/msvc/Hacl_Chacha20_Vec32.h b/include/msvc/Hacl_Chacha20_Vec32.h new file mode 100644 index 00000000..95aaea0d --- /dev/null +++ b/include/msvc/Hacl_Chacha20_Vec32.h 
@@ -0,0 +1,66 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Chacha20_Vec32_H +#define __Hacl_Chacha20_Vec32_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Chacha20_Vec32_chacha20_encrypt_32( + uint32_t len, + uint8_t *out, + uint8_t *text, + uint8_t *key, + uint8_t *n, + uint32_t ctr +); + +void +Hacl_Chacha20_Vec32_chacha20_decrypt_32( + uint32_t len, + uint8_t *out, + uint8_t *cipher, + uint8_t *key, + uint8_t *n, + uint32_t ctr +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Chacha20_Vec32_H_DEFINED +#endif 
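Review bot: `Hacl_Chacha20_Vec32_chacha20_encrypt_32` is the third ChaCha20 entry point in this commit with a signature identical to `Hacl_Chacha20_chacha20_encrypt`, and nothing in the header explains how they differ or which a consumer should call. A header comment stating the relationship, for example `/* Portable scalar implementation with no CPU-feature requirement; same output as Hacl_Chacha20_chacha20_encrypt. */`, would prevent mis-selection; both claims are inferred from the names and need confirming against the implementations before being written down.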
diff --git a/include/msvc/Hacl_Curve25519_51.h b/include/msvc/Hacl_Curve25519_51.h new file mode 100644 index 00000000..23cb104d --- /dev/null +++ b/include/msvc/Hacl_Curve25519_51.h 
@@ -0,0 +1,53 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Curve25519_51_H +#define __Hacl_Curve25519_51_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_Bignum25519_51.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void Hacl_Curve25519_51_scalarmult(uint8_t *out, uint8_t *priv, uint8_t *pub); + +void Hacl_Curve25519_51_secret_to_public(uint8_t *pub, uint8_t *priv); + +bool Hacl_Curve25519_51_ecdh(uint8_t *out, uint8_t *priv, uint8_t *pub); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Curve25519_51_H_DEFINED +#endif 
diff --git a/include/msvc/Hacl_Curve25519_64.h b/include/msvc/Hacl_Curve25519_64.h new file mode 100644 index 00000000..3c2b8221 --- /dev/null +++ b/include/msvc/Hacl_Curve25519_64.h 
@@ -0,0 +1,52 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Curve25519_64_H +#define __Hacl_Curve25519_64_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void Hacl_Curve25519_64_scalarmult(uint8_t *out, uint8_t *priv, uint8_t *pub); + +void Hacl_Curve25519_64_secret_to_public(uint8_t *pub, uint8_t *priv); + +bool Hacl_Curve25519_64_ecdh(uint8_t *out, uint8_t *priv, uint8_t *pub); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Curve25519_64_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Curve25519_64_Slow.h b/include/msvc/Hacl_Curve25519_64_Slow.h new file mode 100644 index 00000000..57f2d01e 
--- /dev/null +++ b/include/msvc/Hacl_Curve25519_64_Slow.h @@ -0,0 +1,53 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Curve25519_64_Slow_H +#define __Hacl_Curve25519_64_Slow_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_Bignum_Base.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void Hacl_Curve25519_64_Slow_scalarmult(uint8_t *out, uint8_t *priv, uint8_t *pub); + +void Hacl_Curve25519_64_Slow_secret_to_public(uint8_t *pub, uint8_t *priv); + +bool Hacl_Curve25519_64_Slow_ecdh(uint8_t *out, uint8_t *priv, uint8_t *pub); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Curve25519_64_Slow_H_DEFINED +#endif 
diff --git a/include/msvc/Hacl_EC_Ed25519.h b/include/msvc/Hacl_EC_Ed25519.h new file mode 100644 index 00000000..2b5313f7 --- /dev/null +++ b/include/msvc/Hacl_EC_Ed25519.h 
@@ -0,0 +1,79 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_EC_Ed25519_H +#define __Hacl_EC_Ed25519_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_Bignum25519_51.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void Hacl_EC_Ed25519_mk_felem_zero(uint64_t *b); + +void Hacl_EC_Ed25519_mk_felem_one(uint64_t *b); + +void Hacl_EC_Ed25519_felem_add(uint64_t *a, uint64_t *b, uint64_t *out); + +void Hacl_EC_Ed25519_felem_sub(uint64_t *a, uint64_t *b, uint64_t *out); + +void Hacl_EC_Ed25519_felem_mul(uint64_t *a, uint64_t *b, uint64_t *out); + +void Hacl_EC_Ed25519_felem_inv(uint64_t *a, uint64_t *out); + +void Hacl_EC_Ed25519_felem_load(uint8_t *b, uint64_t *out); + +void Hacl_EC_Ed25519_felem_store(uint64_t *a, uint8_t *out); + +void Hacl_EC_Ed25519_mk_point_at_inf(uint64_t *p); + +void Hacl_EC_Ed25519_mk_base_point(uint64_t *p); + +void Hacl_EC_Ed25519_point_negate(uint64_t *p, uint64_t *out); + +void Hacl_EC_Ed25519_point_add(uint64_t *p, uint64_t *q, uint64_t *out); + +void Hacl_EC_Ed25519_point_mul(uint8_t *scalar, uint64_t *p, uint64_t *out); + +bool Hacl_EC_Ed25519_point_eq(uint64_t *p, uint64_t *q); + +void Hacl_EC_Ed25519_point_compress(uint64_t *p, uint8_t *out); + +bool Hacl_EC_Ed25519_point_decompress(uint8_t *s, uint64_t *out); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_EC_Ed25519_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Ed25519.h b/include/msvc/Hacl_Ed25519.h new file mode 100644 index 00000000..0c65c822 --- /dev/null +++ b/include/msvc/Hacl_Ed25519.h 
@@ -0,0 +1,59 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Ed25519_H +#define __Hacl_Ed25519_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Streaming_SHA2.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Hash_SHA2.h" +#include "Hacl_Bignum25519_51.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void Hacl_Ed25519_sign(uint8_t *signature, uint8_t *priv, uint32_t len, uint8_t *msg); + +bool Hacl_Ed25519_verify(uint8_t *pub, uint32_t len, uint8_t *msg, uint8_t *signature); + +void Hacl_Ed25519_secret_to_public(uint8_t *pub, uint8_t *priv); + +void Hacl_Ed25519_expand_keys(uint8_t *ks, uint8_t *priv); + +void Hacl_Ed25519_sign_expanded(uint8_t *signature, uint8_t *ks, uint32_t len, uint8_t *msg); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Ed25519_H_DEFINED +#endif diff --git a/include/msvc/Hacl_FFDHE.h b/include/msvc/Hacl_FFDHE.h new file mode 100644 index 00000000..ea969c01 --- /dev/null +++ b/include/msvc/Hacl_FFDHE.h 
@@ -0,0 +1,73 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_FFDHE_H +#define __Hacl_FFDHE_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Spec.h" +#include "Hacl_Impl_FFDHE_Constants.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t Hacl_FFDHE_ffdhe_len(Spec_FFDHE_ffdhe_alg a); + +uint64_t *Hacl_FFDHE_new_ffdhe_precomp_p(Spec_FFDHE_ffdhe_alg a); + +void +Hacl_FFDHE_ffdhe_secret_to_public_precomp( + Spec_FFDHE_ffdhe_alg a, + uint64_t *p_r2_n, + uint8_t *sk, + uint8_t *pk +); + +void Hacl_FFDHE_ffdhe_secret_to_public(Spec_FFDHE_ffdhe_alg a, uint8_t *sk, uint8_t *pk); + +uint64_t +Hacl_FFDHE_ffdhe_shared_secret_precomp( + Spec_FFDHE_ffdhe_alg a, + uint64_t *p_r2_n, + uint8_t *sk, + uint8_t *pk, + uint8_t *ss +); + +uint64_t +Hacl_FFDHE_ffdhe_shared_secret(Spec_FFDHE_ffdhe_alg a, uint8_t *sk, uint8_t *pk, uint8_t *ss); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_FFDHE_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Frodo1344.h b/include/msvc/Hacl_Frodo1344.h new file mode 100644 index 00000000..10443f22 --- /dev/null +++ b/include/msvc/Hacl_Frodo1344.h 
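Review bot: `Hacl_FFDHE_new_ffdhe_precomp_p` hands back a `uint64_t *` and the header says nothing about who owns it or how it is released; the `new_` prefix suggests the caller frees it, but that and the allocator to pair with must be stated for a C consumer. The `uint64_t` returned by `Hacl_FFDHE_ffdhe_shared_secret` and `_shared_secret_precomp` is presumably a success mask rather than a length (the secret itself is written to `ss`), yet nothing says which value means success or that `ss` must not be used until the result is checked. A comment such as `/* Heap-allocates the precomputation for alg a; the caller owns it and releases it with <release routine from the F* source>. */` on the allocator, and `/* Returns a non-zero mask on success and 0 on failure; ss is only valid when the result is non-zero. */` on the two shared-secret functions, would close this, with the exact semantics confirmed against the F* interface.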
@@ -0,0 +1,63 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Frodo1344_H +#define __Hacl_Frodo1344_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Lib_Memzero0.h" +#include "Hacl_Spec.h" +#include "Hacl_SHA3.h" +#include "Hacl_Frodo_KEM.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +extern uint32_t Hacl_Frodo1344_crypto_bytes; + +extern uint32_t Hacl_Frodo1344_crypto_publickeybytes; + +extern uint32_t Hacl_Frodo1344_crypto_secretkeybytes; + +extern uint32_t Hacl_Frodo1344_crypto_ciphertextbytes; + +uint32_t Hacl_Frodo1344_crypto_kem_keypair(uint8_t *pk, uint8_t *sk); + +uint32_t Hacl_Frodo1344_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk); + +uint32_t Hacl_Frodo1344_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Frodo1344_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Frodo64.h b/include/msvc/Hacl_Frodo64.h new file mode 100644 index 00000000..6c5677de --- /dev/null +++ b/include/msvc/Hacl_Frodo64.h 
@@ -0,0 +1,68 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Frodo64_H +#define __Hacl_Frodo64_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Lib_Memzero0.h" +#include "Hacl_Spec.h" +#include "Hacl_SHA3.h" +#include "Hacl_Frodo_KEM.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +/* + this variant is used only for testing purposes! 
+ */ + + +extern uint32_t Hacl_Frodo64_crypto_bytes; + +extern uint32_t Hacl_Frodo64_crypto_publickeybytes; + +extern uint32_t Hacl_Frodo64_crypto_secretkeybytes; + +extern uint32_t Hacl_Frodo64_crypto_ciphertextbytes; + +uint32_t Hacl_Frodo64_crypto_kem_keypair(uint8_t *pk, uint8_t *sk); + +uint32_t Hacl_Frodo64_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk); + +uint32_t Hacl_Frodo64_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Frodo64_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Frodo640.h b/include/msvc/Hacl_Frodo640.h new file mode 100644 index 00000000..9016c3e8 --- /dev/null +++ b/include/msvc/Hacl_Frodo640.h 
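Review bot: The only signal that `Hacl_Frodo64` is not a real parameter set is the bare comment `this variant is used only for testing purposes!`, while the header sits in `include/msvc/` beside the production Frodo640/976/1344 headers with an identical API shape, so a consumer choosing a KEM by name gets no hint that this one presumably offers no meaningful security. If the header has to ship, the comment should say so plainly, e.g. `/* Frodo64 is a reduced-size parameter set for testing only and is not secure; do not use it outside the test suite. */`. Better still would be to keep it out of the installed include set; I cannot tell from this chunk whether the CMake lists already exclude it.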
@@ -0,0 +1,63 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Frodo640_H +#define __Hacl_Frodo640_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Lib_Memzero0.h" +#include "Hacl_Spec.h" +#include "Hacl_SHA3.h" +#include "Hacl_Frodo_KEM.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +extern uint32_t Hacl_Frodo640_crypto_bytes; + +extern uint32_t Hacl_Frodo640_crypto_publickeybytes; + +extern uint32_t Hacl_Frodo640_crypto_secretkeybytes; + +extern uint32_t Hacl_Frodo640_crypto_ciphertextbytes; + +uint32_t Hacl_Frodo640_crypto_kem_keypair(uint8_t *pk, uint8_t *sk); + +uint32_t Hacl_Frodo640_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk); + +uint32_t Hacl_Frodo640_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Frodo640_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Frodo976.h b/include/msvc/Hacl_Frodo976.h new file mode 100644 index 00000000..5551506b --- /dev/null +++ b/include/msvc/Hacl_Frodo976.h 
@@ -0,0 +1,63 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Frodo976_H +#define __Hacl_Frodo976_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Lib_Memzero0.h" +#include "Hacl_Spec.h" +#include "Hacl_SHA3.h" +#include "Hacl_Frodo_KEM.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +extern uint32_t Hacl_Frodo976_crypto_bytes; + +extern uint32_t Hacl_Frodo976_crypto_publickeybytes; + +extern uint32_t Hacl_Frodo976_crypto_secretkeybytes; + +extern uint32_t Hacl_Frodo976_crypto_ciphertextbytes; + +uint32_t Hacl_Frodo976_crypto_kem_keypair(uint8_t *pk, uint8_t *sk); + +uint32_t Hacl_Frodo976_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk); + +uint32_t Hacl_Frodo976_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Frodo976_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Frodo_KEM.h b/include/msvc/Hacl_Frodo_KEM.h new file mode 100644 index 00000000..9ab987aa --- /dev/null +++ b/include/msvc/Hacl_Frodo_KEM.h 
@@ -0,0 +1,583 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Frodo_KEM_H +#define __Hacl_Frodo_KEM_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Lib_RandomBuffer_System.h" +#include "Hacl_Spec.h" +#include "Hacl_SHA3.h" +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +static inline void +Hacl_Keccak_shake128_4x( + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3, + uint32_t output_len, + uint8_t *output0, + uint8_t *output1, + uint8_t *output2, + uint8_t *output3 +) +{ + Hacl_SHA3_shake128_hacl(input_len, input0, output_len, output0); + Hacl_SHA3_shake128_hacl(input_len, input1, output_len, output1); + Hacl_SHA3_shake128_hacl(input_len, input2, output_len, output2); + Hacl_SHA3_shake128_hacl(input_len, input3, output_len, output3); +} + +static inline void +Hacl_Impl_Matrix_mod_pow2(uint32_t n1, uint32_t n2, uint32_t logq, uint16_t *a) +{ + if (logq < (uint32_t)16U) + { + for (uint32_t i0 = (uint32_t)0U; i0 < n1; i0++) + { + for (uint32_t i = (uint32_t)0U; i < n2; i++) + { + a[i0 * n2 + i] = a[i0 * n2 + i] & (((uint16_t)1U << logq) - (uint16_t)1U); + } + } + return; + } +} + +static inline void +Hacl_Impl_Matrix_matrix_add(uint32_t n1, uint32_t n2, uint16_t *a, uint16_t *b) +{ + for (uint32_t i0 = (uint32_t)0U; i0 < n1; i0++) + { + for (uint32_t i = (uint32_t)0U; i < n2; i++) + { + a[i0 * n2 + i] = a[i0 * n2 + i] + b[i0 * n2 + i]; + } + } +} + +static inline void +Hacl_Impl_Matrix_matrix_sub(uint32_t n1, uint32_t n2, uint16_t *a, uint16_t *b) +{ + for (uint32_t i0 = (uint32_t)0U; i0 < n1; i0++) + { + for (uint32_t i = (uint32_t)0U; i < n2; i++) + { + b[i0 * n2 + i] = a[i0 * n2 + i] - b[i0 * n2 + i]; + } + } +} + +static inline void +Hacl_Impl_Matrix_matrix_mul( + uint32_t n1, + uint32_t n2, + uint32_t n3, + uint16_t *a, + uint16_t *b, + uint16_t *c +) +{ + for 
(uint32_t i0 = (uint32_t)0U; i0 < n1; i0++) + { + for (uint32_t i1 = (uint32_t)0U; i1 < n3; i1++) + { + uint16_t res = (uint16_t)0U; + for (uint32_t i = (uint32_t)0U; i < n2; i++) + { + uint16_t aij = a[i0 * n2 + i]; + uint16_t bjk = b[i * n3 + i1]; + uint16_t res0 = res; + res = res0 + aij * bjk; + } + c[i0 * n3 + i1] = res; + } + } +} + +static inline void +Hacl_Impl_Matrix_matrix_mul_s( + uint32_t n1, + uint32_t n2, + uint32_t n3, + uint16_t *a, + uint16_t *b, + uint16_t *c +) +{ + for (uint32_t i0 = (uint32_t)0U; i0 < n1; i0++) + { + for (uint32_t i1 = (uint32_t)0U; i1 < n3; i1++) + { + uint16_t res = (uint16_t)0U; + for (uint32_t i = (uint32_t)0U; i < n2; i++) + { + uint16_t aij = a[i0 * n2 + i]; + uint16_t bjk = b[i1 * n2 + i]; + uint16_t res0 = res; + res = res0 + aij * bjk; + } + c[i0 * n3 + i1] = res; + } + } +} + +static inline uint16_t +Hacl_Impl_Matrix_matrix_eq(uint32_t n1, uint32_t n2, uint16_t *a, uint16_t *b) +{ + uint16_t res = (uint16_t)0xFFFFU; + for (uint32_t i = (uint32_t)0U; i < n1 * n2; i++) + { + uint16_t uu____0 = FStar_UInt16_eq_mask(a[i], b[i]); + res = uu____0 & res; + } + uint16_t r = res; + return r; +} + +static inline void +Hacl_Impl_Matrix_matrix_to_lbytes(uint32_t n1, uint32_t n2, uint16_t *m, uint8_t *res) +{ + for (uint32_t i = (uint32_t)0U; i < n1 * n2; i++) + { + store16_le(res + (uint32_t)2U * i, m[i]); + } +} + +static inline void +Hacl_Impl_Matrix_matrix_from_lbytes(uint32_t n1, uint32_t n2, uint8_t *b, uint16_t *res) +{ + for (uint32_t i = (uint32_t)0U; i < n1 * n2; i++) + { + uint16_t *os = res; + uint16_t u = load16_le(b + (uint32_t)2U * i); + uint16_t x = u; + os[i] = x; + } +} + +static inline void +Hacl_Impl_Frodo_Gen_frodo_gen_matrix_shake_4x(uint32_t n, uint8_t *seed, uint16_t *res) +{ + KRML_CHECK_SIZE(sizeof (uint8_t), (uint32_t)8U * n); + uint8_t *r = alloca((uint32_t)8U * n * sizeof (uint8_t)); + memset(r, 0U, (uint32_t)8U * n * sizeof (uint8_t)); + uint8_t tmp_seed[72U] = { 0U }; + memcpy(tmp_seed + 
(uint32_t)2U, seed, (uint32_t)16U * sizeof (uint8_t)); + memcpy(tmp_seed + (uint32_t)20U, seed, (uint32_t)16U * sizeof (uint8_t)); + memcpy(tmp_seed + (uint32_t)38U, seed, (uint32_t)16U * sizeof (uint8_t)); + memcpy(tmp_seed + (uint32_t)56U, seed, (uint32_t)16U * sizeof (uint8_t)); + memset(res, 0U, n * n * sizeof (uint16_t)); + for (uint32_t i = (uint32_t)0U; i < n / (uint32_t)4U; i++) + { + uint8_t *r0 = r + (uint32_t)0U * n; + uint8_t *r1 = r + (uint32_t)2U * n; + uint8_t *r2 = r + (uint32_t)4U * n; + uint8_t *r3 = r + (uint32_t)6U * n; + uint8_t *tmp_seed0 = tmp_seed; + uint8_t *tmp_seed1 = tmp_seed + (uint32_t)18U; + uint8_t *tmp_seed2 = tmp_seed + (uint32_t)36U; + uint8_t *tmp_seed3 = tmp_seed + (uint32_t)54U; + store16_le(tmp_seed0, (uint16_t)((uint32_t)4U * i + (uint32_t)0U)); + store16_le(tmp_seed1, (uint16_t)((uint32_t)4U * i + (uint32_t)1U)); + store16_le(tmp_seed2, (uint16_t)((uint32_t)4U * i + (uint32_t)2U)); + store16_le(tmp_seed3, (uint16_t)((uint32_t)4U * i + (uint32_t)3U)); + Hacl_Keccak_shake128_4x((uint32_t)18U, + tmp_seed0, + tmp_seed1, + tmp_seed2, + tmp_seed3, + (uint32_t)2U * n, + r0, + r1, + r2, + r3); + for (uint32_t i0 = (uint32_t)0U; i0 < n; i0++) + { + uint8_t *resij0 = r0 + i0 * (uint32_t)2U; + uint8_t *resij1 = r1 + i0 * (uint32_t)2U; + uint8_t *resij2 = r2 + i0 * (uint32_t)2U; + uint8_t *resij3 = r3 + i0 * (uint32_t)2U; + uint16_t u = load16_le(resij0); + res[((uint32_t)4U * i + (uint32_t)0U) * n + i0] = u; + uint16_t u0 = load16_le(resij1); + res[((uint32_t)4U * i + (uint32_t)1U) * n + i0] = u0; + uint16_t u1 = load16_le(resij2); + res[((uint32_t)4U * i + (uint32_t)2U) * n + i0] = u1; + uint16_t u2 = load16_le(resij3); + res[((uint32_t)4U * i + (uint32_t)3U) * n + i0] = u2; + } + } +} + +static inline void +Hacl_Impl_Frodo_Params_frodo_gen_matrix( + Spec_Frodo_Params_frodo_gen_a a, + uint32_t n, + uint8_t *seed, + uint16_t *a_matrix +) +{ + switch (a) + { + case Spec_Frodo_Params_SHAKE128: + { + 
Hacl_Impl_Frodo_Gen_frodo_gen_matrix_shake_4x(n, seed, a_matrix); + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +static const +uint16_t +Hacl_Impl_Frodo_Params_cdf_table640[13U] = + { + (uint16_t)4643U, (uint16_t)13363U, (uint16_t)20579U, (uint16_t)25843U, (uint16_t)29227U, + (uint16_t)31145U, (uint16_t)32103U, (uint16_t)32525U, (uint16_t)32689U, (uint16_t)32745U, + (uint16_t)32762U, (uint16_t)32766U, (uint16_t)32767U + }; + +static const +uint16_t +Hacl_Impl_Frodo_Params_cdf_table976[11U] = + { + (uint16_t)5638U, (uint16_t)15915U, (uint16_t)23689U, (uint16_t)28571U, (uint16_t)31116U, + (uint16_t)32217U, (uint16_t)32613U, (uint16_t)32731U, (uint16_t)32760U, (uint16_t)32766U, + (uint16_t)32767U + }; + +static const +uint16_t +Hacl_Impl_Frodo_Params_cdf_table1344[7U] = + { + (uint16_t)9142U, (uint16_t)23462U, (uint16_t)30338U, (uint16_t)32361U, (uint16_t)32725U, + (uint16_t)32765U, (uint16_t)32767U + }; + +static inline void +Hacl_Impl_Frodo_Sample_frodo_sample_matrix64( + uint32_t n1, + uint32_t n2, + uint8_t *r, + uint16_t *res +) +{ + memset(res, 0U, n1 * n2 * sizeof (uint16_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < n1; i0++) + { + for (uint32_t i1 = (uint32_t)0U; i1 < n2; i1++) + { + uint8_t *resij = r + (uint32_t)2U * (n2 * i0 + i1); + uint16_t u = load16_le(resij); + uint16_t uu____0 = u; + uint16_t prnd = uu____0 >> (uint32_t)1U; + uint16_t sign = uu____0 & (uint16_t)1U; + uint16_t sample = (uint16_t)0U; + uint32_t bound = (uint32_t)12U; + for (uint32_t i = (uint32_t)0U; i < bound; i++) + { + uint16_t sample0 = sample; + uint16_t ti = Hacl_Impl_Frodo_Params_cdf_table640[i]; + uint16_t samplei = (uint16_t)(uint32_t)(ti - prnd) >> (uint32_t)15U; + sample = samplei + sample0; + } + uint16_t sample0 = sample; + res[i0 * n2 + i1] = ((~sign + (uint16_t)1U) ^ sample0) + sign; + } + } +} + +static inline void +Hacl_Impl_Frodo_Sample_frodo_sample_matrix640( + uint32_t 
n1, + uint32_t n2, + uint8_t *r, + uint16_t *res +) +{ + memset(res, 0U, n1 * n2 * sizeof (uint16_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < n1; i0++) + { + for (uint32_t i1 = (uint32_t)0U; i1 < n2; i1++) + { + uint8_t *resij = r + (uint32_t)2U * (n2 * i0 + i1); + uint16_t u = load16_le(resij); + uint16_t uu____0 = u; + uint16_t prnd = uu____0 >> (uint32_t)1U; + uint16_t sign = uu____0 & (uint16_t)1U; + uint16_t sample = (uint16_t)0U; + uint32_t bound = (uint32_t)12U; + for (uint32_t i = (uint32_t)0U; i < bound; i++) + { + uint16_t sample0 = sample; + uint16_t ti = Hacl_Impl_Frodo_Params_cdf_table640[i]; + uint16_t samplei = (uint16_t)(uint32_t)(ti - prnd) >> (uint32_t)15U; + sample = samplei + sample0; + } + uint16_t sample0 = sample; + res[i0 * n2 + i1] = ((~sign + (uint16_t)1U) ^ sample0) + sign; + } + } +} + +static inline void +Hacl_Impl_Frodo_Sample_frodo_sample_matrix976( + uint32_t n1, + uint32_t n2, + uint8_t *r, + uint16_t *res +) +{ + memset(res, 0U, n1 * n2 * sizeof (uint16_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < n1; i0++) + { + for (uint32_t i1 = (uint32_t)0U; i1 < n2; i1++) + { + uint8_t *resij = r + (uint32_t)2U * (n2 * i0 + i1); + uint16_t u = load16_le(resij); + uint16_t uu____0 = u; + uint16_t prnd = uu____0 >> (uint32_t)1U; + uint16_t sign = uu____0 & (uint16_t)1U; + uint16_t sample = (uint16_t)0U; + uint32_t bound = (uint32_t)10U; + for (uint32_t i = (uint32_t)0U; i < bound; i++) + { + uint16_t sample0 = sample; + uint16_t ti = Hacl_Impl_Frodo_Params_cdf_table976[i]; + uint16_t samplei = (uint16_t)(uint32_t)(ti - prnd) >> (uint32_t)15U; + sample = samplei + sample0; + } + uint16_t sample0 = sample; + res[i0 * n2 + i1] = ((~sign + (uint16_t)1U) ^ sample0) + sign; + } + } +} + +static inline void +Hacl_Impl_Frodo_Sample_frodo_sample_matrix1344( + uint32_t n1, + uint32_t n2, + uint8_t *r, + uint16_t *res +) +{ + memset(res, 0U, n1 * n2 * sizeof (uint16_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < n1; i0++) + { + for (uint32_t i1 = 
(uint32_t)0U; i1 < n2; i1++) + { + uint8_t *resij = r + (uint32_t)2U * (n2 * i0 + i1); + uint16_t u = load16_le(resij); + uint16_t uu____0 = u; + uint16_t prnd = uu____0 >> (uint32_t)1U; + uint16_t sign = uu____0 & (uint16_t)1U; + uint16_t sample = (uint16_t)0U; + uint32_t bound = (uint32_t)6U; + for (uint32_t i = (uint32_t)0U; i < bound; i++) + { + uint16_t sample0 = sample; + uint16_t ti = Hacl_Impl_Frodo_Params_cdf_table1344[i]; + uint16_t samplei = (uint16_t)(uint32_t)(ti - prnd) >> (uint32_t)15U; + sample = samplei + sample0; + } + uint16_t sample0 = sample; + res[i0 * n2 + i1] = ((~sign + (uint16_t)1U) ^ sample0) + sign; + } + } +} + +static inline void +Hacl_Impl_Frodo_Pack_frodo_pack( + uint32_t n1, + uint32_t n2, + uint32_t d, + uint16_t *a, + uint8_t *res +) +{ + uint32_t n = n1 * n2 / (uint32_t)8U; + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + uint16_t *a1 = a + (uint32_t)8U * i; + uint8_t *r = res + d * i; + uint16_t maskd = (uint16_t)((uint32_t)1U << d) - (uint16_t)1U; + uint8_t v16[16U] = { 0U }; + uint16_t a0 = a1[0U] & maskd; + uint16_t a11 = a1[1U] & maskd; + uint16_t a2 = a1[2U] & maskd; + uint16_t a3 = a1[3U] & maskd; + uint16_t a4 = a1[4U] & maskd; + uint16_t a5 = a1[5U] & maskd; + uint16_t a6 = a1[6U] & maskd; + uint16_t a7 = a1[7U] & maskd; + FStar_UInt128_uint128 + templong = + FStar_UInt128_logor(FStar_UInt128_logor(FStar_UInt128_logor(FStar_UInt128_logor(FStar_UInt128_logor(FStar_UInt128_logor(FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)a0), + (uint32_t)7U * d), + FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)a11), + (uint32_t)6U * d)), + FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)a2), + (uint32_t)5U * d)), + FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)a3), + (uint32_t)4U * d)), + FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)a4), + (uint32_t)3U * d)), + 
FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)a5), + (uint32_t)2U * d)), + FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)a6), (uint32_t)1U * d)), + FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)a7), (uint32_t)0U * d)); + store128_be(v16, templong); + uint8_t *src = v16 + (uint32_t)16U - d; + memcpy(r, src, d * sizeof (uint8_t)); + } +} + +static inline void +Hacl_Impl_Frodo_Pack_frodo_unpack( + uint32_t n1, + uint32_t n2, + uint32_t d, + uint8_t *b, + uint16_t *res +) +{ + uint32_t n = n1 * n2 / (uint32_t)8U; + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + uint8_t *b1 = b + d * i; + uint16_t *r = res + (uint32_t)8U * i; + uint16_t maskd = (uint16_t)((uint32_t)1U << d) - (uint16_t)1U; + uint8_t src[16U] = { 0U }; + memcpy(src + (uint32_t)16U - d, b1, d * sizeof (uint8_t)); + FStar_UInt128_uint128 u = load128_be(src); + FStar_UInt128_uint128 templong = u; + r[0U] = + (uint16_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(templong, + (uint32_t)7U * d)) + & maskd; + r[1U] = + (uint16_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(templong, + (uint32_t)6U * d)) + & maskd; + r[2U] = + (uint16_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(templong, + (uint32_t)5U * d)) + & maskd; + r[3U] = + (uint16_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(templong, + (uint32_t)4U * d)) + & maskd; + r[4U] = + (uint16_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(templong, + (uint32_t)3U * d)) + & maskd; + r[5U] = + (uint16_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(templong, + (uint32_t)2U * d)) + & maskd; + r[6U] = + (uint16_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(templong, + (uint32_t)1U * d)) + & maskd; + r[7U] = + (uint16_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(templong, + (uint32_t)0U * d)) + & maskd; + } +} + +static inline void +Hacl_Impl_Frodo_Encode_frodo_key_encode( + uint32_t logq, + 
uint32_t b, + uint32_t n, + uint8_t *a, + uint16_t *res +) +{ + for (uint32_t i0 = (uint32_t)0U; i0 < n; i0++) + { + uint8_t v8[8U] = { 0U }; + uint8_t *chunk = a + i0 * b; + memcpy(v8, chunk, b * sizeof (uint8_t)); + uint64_t u = load64_le(v8); + uint64_t x = u; + uint64_t x0 = x; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint64_t rk = x0 >> b * i & (((uint64_t)1U << b) - (uint64_t)1U); + res[i0 * n + i] = (uint16_t)rk << (logq - b); + } + } +} + +static inline void +Hacl_Impl_Frodo_Encode_frodo_key_decode( + uint32_t logq, + uint32_t b, + uint32_t n, + uint16_t *a, + uint8_t *res +) +{ + for (uint32_t i0 = (uint32_t)0U; i0 < n; i0++) + { + uint64_t templong = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint16_t aik = a[i0 * n + i]; + uint16_t res1 = (aik + ((uint16_t)1U << (logq - b - (uint32_t)1U))) >> (logq - b); + templong = templong | (uint64_t)(res1 & (((uint16_t)1U << b) - (uint16_t)1U)) << b * i; + } + uint64_t templong0 = templong; + uint8_t v8[8U] = { 0U }; + store64_le(v8, templong0); + uint8_t *tmp = v8; + memcpy(res + i0 * b, tmp, b * sizeof (uint8_t)); + } +} + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Frodo_KEM_H_DEFINED +#endif diff --git a/include/msvc/Hacl_GenericField32.h b/include/msvc/Hacl_GenericField32.h new file mode 100644 index 00000000..1dcec1d8 --- /dev/null +++ b/include/msvc/Hacl_GenericField32.h 
@@ -0,0 +1,279 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_GenericField32_H +#define __Hacl_GenericField32_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef struct Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32_s +{ + uint32_t len; + uint32_t *n; + uint32_t mu; + uint32_t *r2; +} +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32; + +typedef Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_GenericField32_pbn_mont_ctx_u32; + +/******************************************************************************* + +A verified field arithmetic library. 
+ +This is a 32-bit optimized version, where bignums are represented as an array +of `len` unsigned 32-bit integers, i.e. uint32_t[len]. + +All the arithmetic operations are performed in the Montgomery domain. + +All the functions below preserve the following invariant for a bignum `aM` in +Montgomery form. + • aM < n + +*******************************************************************************/ + + +/* +Check whether this library will work for a modulus `n`. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n +*/ +bool Hacl_GenericField32_field_modulus_check(uint32_t len, uint32_t *n); + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_GenericField32_field_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 +*Hacl_GenericField32_field_init(uint32_t len, uint32_t *n); + +/* +Deallocate the memory previously allocated by Hacl_GenericField32_field_init. + + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void Hacl_GenericField32_field_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k); + +/* +Return the size of a modulus `n` in limbs. + + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +uint32_t Hacl_GenericField32_field_get_len(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k); + +/* +Convert a bignum from the regular representation to the Montgomery representation. + + Write `a * R mod n` in `aM`. + + The argument a and the outparam aM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. 
+*/ +void +Hacl_GenericField32_to_field( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *aM +); + +/* +Convert a result back from the Montgomery representation to the regular representation. + + Write `aM / R mod n` in `a`, i.e. + Hacl_GenericField32_from_field(k, Hacl_GenericField32_to_field(k, a)) == a % n + + The argument aM and the outparam a are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void +Hacl_GenericField32_from_field( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *a +); + +/* +Write `aM + bM mod n` in `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void +Hacl_GenericField32_add( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *bM, + uint32_t *cM +); + +/* +Write `aM - bM mod n` to `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void +Hacl_GenericField32_sub( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *bM, + uint32_t *cM +); + +/* +Write `aM * bM mod n` in `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void +Hacl_GenericField32_mul( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *bM, + uint32_t *cM +); + +/* +Write `aM * aM mod n` in `cM`. + + The argument aM and the outparam cM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. 
+*/ +void +Hacl_GenericField32_sqr( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *cM +); + +/* +Convert a bignum `one` to its Montgomery representation. + + The outparam oneM is meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void Hacl_GenericField32_one(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, uint32_t *oneM); + +/* +Write `aM ^ b mod n` in `resM`. + + The argument aM and the outparam resM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than exp_vartime. + + Before calling this function, the caller will need to ensure that the following + precondition is observed. + • b < pow2 bBits +*/ +void +Hacl_GenericField32_exp_consttime( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t bBits, + uint32_t *b, + uint32_t *resM +); + +/* +Write `aM ^ b mod n` in `resM`. + + The argument aM and the outparam resM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. 
See the + exp_consttime function for constant-time variant. + + Before calling this function, the caller will need to ensure that the following + precondition is observed. + • b < pow2 bBits +*/ +void +Hacl_GenericField32_exp_vartime( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t bBits, + uint32_t *b, + uint32_t *resM +); + +/* +Write `aM ^ (-1) mod n` in `aInvM`. + + The argument aM and the outparam aInvM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < aM +*/ +void +Hacl_GenericField32_inverse( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *aInvM +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_GenericField32_H_DEFINED +#endif diff --git a/include/msvc/Hacl_GenericField64.h b/include/msvc/Hacl_GenericField64.h new file mode 100644 index 00000000..c4411b45 --- /dev/null +++ b/include/msvc/Hacl_GenericField64.h 
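Review bot: The comment on `Hacl_GenericField32_field_init` does not say what the function returns when heap allocation fails, nor whether the preconditions on `n` (odd, greater than 1) are verified inside it or only by a separate `Hacl_GenericField32_field_modulus_check` call; since every other function in this header dereferences the returned context, a caller needs both facts to know when the pointer is unusable. I would extend that comment with a line such as `Returns NULL if allocation fails (confirm against the implementation); the preconditions on n are not re-checked here, call Hacl_GenericField32_field_modulus_check first.`, adjusted to whatever the C implementation actually does. The same gap exists for `Hacl_GenericField64_field_init` in the Hacl_GenericField64.h hunk. The constant-time contrast between `exp_consttime` and `exp_vartime` is well documented; it would be worth adding to the vartime comment that it is not suitable when `b` is secret, e.g. a private exponent, since that is the practical consequence of the timing caveat.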
@@ -0,0 +1,270 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_GenericField64_H +#define __Hacl_GenericField64_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Bignum256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_GenericField64_pbn_mont_ctx_u64; + +/******************************************************************************* + +A verified field arithmetic library. + +This is a 64-bit optimized version, where bignums are represented as an array +of `len` unsigned 64-bit integers, i.e. uint64_t[len]. + +All the arithmetic operations are performed in the Montgomery domain. 
+ +All the functions below preserve the following invariant for a bignum `aM` in +Montgomery form. + • aM < n + +*******************************************************************************/ + + +/* +Check whether this library will work for a modulus `n`. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n +*/ +bool Hacl_GenericField64_field_modulus_check(uint32_t len, uint64_t *n); + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be `len` limbs in size, i.e. uint64_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_GenericField64_field_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 +*Hacl_GenericField64_field_init(uint32_t len, uint64_t *n); + +/* +Deallocate the memory previously allocated by Hacl_GenericField64_field_init. + + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void Hacl_GenericField64_field_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k); + +/* +Return the size of a modulus `n` in limbs. + + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +uint32_t Hacl_GenericField64_field_get_len(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k); + +/* +Convert a bignum from the regular representation to the Montgomery representation. + + Write `a * R mod n` in `aM`. + + The argument a and the outparam aM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_to_field( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *aM +); + +/* +Convert a result back from the Montgomery representation to the regular representation. 
+ + Write `aM / R mod n` in `a`, i.e. + Hacl_GenericField64_from_field(k, Hacl_GenericField64_to_field(k, a)) == a % n + + The argument aM and the outparam a are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_from_field( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *a +); + +/* +Write `aM + bM mod n` in `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_add( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *bM, + uint64_t *cM +); + +/* +Write `aM - bM mod n` to `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_sub( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *bM, + uint64_t *cM +); + +/* +Write `aM * bM mod n` in `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_mul( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *bM, + uint64_t *cM +); + +/* +Write `aM * aM mod n` in `cM`. + + The argument aM and the outparam cM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_sqr( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *cM +); + +/* +Convert a bignum `one` to its Montgomery representation. 
+ + The outparam oneM is meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void Hacl_GenericField64_one(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, uint64_t *oneM); + +/* +Write `aM ^ b mod n` in `resM`. + + The argument aM and the outparam resM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than exp_vartime. + + Before calling this function, the caller will need to ensure that the following + precondition is observed. + • b < pow2 bBits +*/ +void +Hacl_GenericField64_exp_consttime( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint32_t bBits, + uint64_t *b, + uint64_t *resM +); + +/* +Write `aM ^ b mod n` in `resM`. + + The argument aM and the outparam resM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + exp_consttime function for constant-time variant. + + Before calling this function, the caller will need to ensure that the following + precondition is observed. 
+ • b < pow2 bBits +*/ +void +Hacl_GenericField64_exp_vartime( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint32_t bBits, + uint64_t *b, + uint64_t *resM +); + +/* +Write `aM ^ (-1) mod n` in `aInvM`. + + The argument aM and the outparam aInvM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < aM +*/ +void +Hacl_GenericField64_inverse( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *aInvM +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_GenericField64_H_DEFINED +#endif diff --git a/include/msvc/Hacl_HKDF.h b/include/msvc/Hacl_HKDF.h new file mode 100644 index 00000000..c2a8e911 --- /dev/null +++ b/include/msvc/Hacl_HKDF.h 
@@ -0,0 +1,122 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HKDF_H +#define __Hacl_HKDF_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_HMAC.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_HKDF_expand_sha2_256( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +Hacl_HKDF_extract_sha2_256( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +void +Hacl_HKDF_expand_sha2_512( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +Hacl_HKDF_extract_sha2_512( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +void +Hacl_HKDF_expand_blake2s_32( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +Hacl_HKDF_extract_blake2s_32( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +void +Hacl_HKDF_expand_blake2b_32( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +Hacl_HKDF_extract_blake2b_32( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HKDF_H_DEFINED +#endif diff --git a/include/msvc/Hacl_HKDF_Blake2b_256.h b/include/msvc/Hacl_HKDF_Blake2b_256.h new file mode 100644 index 00000000..12228eae --- /dev/null +++ b/include/msvc/Hacl_HKDF_Blake2b_256.h 
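Review bot: None of the eight HKDF prototypes carries a comment, so the length contracts that matter for HKDF are unstated: whether `prklen` in the expand functions is expected to equal the hash output length, whether `len` is bounded (HKDF-Expand as specified in RFC 5869 yields at most 255 times the hash length), whether `saltlen == 0` is accepted by the extract functions, and how large `prk` and `okm` must be. If these are preconditions of the verified code rather than runtime checks, which the header does not reveal, documenting them here matters more, not less, because a violation is not reported. I would add a comment above each expand prototype along the lines of `/* okm must hold len bytes; len <= 255 * HashLen is a precondition -- confirm the exact bound and the prklen requirement against the implementation */` and a matching one on each extract stating the size `prk` must have. The Hacl_HKDF_Blake2b_256.h and Hacl_HKDF_Blake2s_128.h hunks have the same omission.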
@@ -0,0 +1,65 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_HKDF_Blake2b_256_H +#define __Hacl_HKDF_Blake2b_256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_HMAC_Blake2b_256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_HKDF_Blake2b_256_expand_blake2b_256( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +Hacl_HKDF_Blake2b_256_extract_blake2b_256( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HKDF_Blake2b_256_H_DEFINED +#endif 
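Review bot: The `_256` suffix together with the `libintvector.h` and `Hacl_HMAC_Blake2b_256.h` includes suggests this is a vectorized (256-bit SIMD) Blake2b variant, but nothing in the header says so or tells the caller to confirm CPU support before calling it; if that inference is right, calling it on a CPU without the required extension faults instead of failing cleanly. I would add a header comment such as `/* Vectorized (256-bit SIMD) variant: confirm the required CPU feature at runtime before calling; use the portable Hacl_HKDF functions otherwise. */`, worded to match the feature check the project actually relies on. The Hacl_HKDF_Blake2s_128.h hunk that follows needs the same note for its 128-bit variant.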
diff --git a/include/msvc/Hacl_HKDF_Blake2s_128.h b/include/msvc/Hacl_HKDF_Blake2s_128.h
new file mode 100644
index 00000000..b01cb01c
--- /dev/null
+++ b/include/msvc/Hacl_HKDF_Blake2s_128.h
@@ -0,0 +1,65 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_HKDF_Blake2s_128_H +#define __Hacl_HKDF_Blake2s_128_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_HMAC_Blake2s_128.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_HKDF_Blake2s_128_expand_blake2s_128( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +); + +void +Hacl_HKDF_Blake2s_128_extract_blake2s_128( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HKDF_Blake2s_128_H_DEFINED +#endif 
diff --git a/include/msvc/Hacl_HMAC.h b/include/msvc/Hacl_HMAC.h new file mode 100644 index 00000000..238c7b43 --- /dev/null +++ b/include/msvc/Hacl_HMAC.h 
@@ -0,0 +1,103 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HMAC_H +#define __Hacl_HMAC_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_Impl_Blake2_Constants.h" +#include "Hacl_Hash_SHA2.h" +#include "Hacl_Hash_SHA1.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_HMAC_legacy_compute_sha1( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +void +Hacl_HMAC_compute_sha2_256( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +void +Hacl_HMAC_compute_sha2_384( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +void +Hacl_HMAC_compute_sha2_512( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +void +Hacl_HMAC_compute_blake2s_32( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +void +Hacl_HMAC_compute_blake2b_32( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HMAC_H_DEFINED +#endif diff --git a/include/msvc/Hacl_HMAC_Blake2b_256.h b/include/msvc/Hacl_HMAC_Blake2b_256.h new file mode 100644 index 00000000..797075cb --- /dev/null +++ b/include/msvc/Hacl_HMAC_Blake2b_256.h 
@@ -0,0 +1,56 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_HMAC_Blake2b_256_H +#define __Hacl_HMAC_Blake2b_256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_Impl_Blake2_Constants.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_HMAC_Blake2b_256_compute_blake2b_256( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HMAC_Blake2b_256_H_DEFINED +#endif diff --git a/include/msvc/Hacl_HMAC_Blake2s_128.h b/include/msvc/Hacl_HMAC_Blake2s_128.h new file mode 100644 index 00000000..c9b320ba --- /dev/null 
+++ b/include/msvc/Hacl_HMAC_Blake2s_128.h @@ -0,0 +1,55 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_HMAC_Blake2s_128_H +#define __Hacl_HMAC_Blake2s_128_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Impl_Blake2_Constants.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_HMAC_Blake2s_128_compute_blake2s_128( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HMAC_Blake2s_128_H_DEFINED +#endif diff --git a/include/msvc/Hacl_HMAC_DRBG.h b/include/msvc/Hacl_HMAC_DRBG.h new file mode 100644 index 00000000..c3172e3a --- /dev/null 
+++ b/include/msvc/Hacl_HMAC_DRBG.h 
@@ -0,0 +1,106 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HMAC_DRBG_H +#define __Hacl_HMAC_DRBG_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Spec.h" +#include "Hacl_HMAC.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef Spec_Hash_Definitions_hash_alg Hacl_HMAC_DRBG_supported_alg; + +extern uint32_t Hacl_HMAC_DRBG_reseed_interval; + +extern uint32_t Hacl_HMAC_DRBG_max_output_length; + +extern uint32_t Hacl_HMAC_DRBG_max_length; + +extern uint32_t Hacl_HMAC_DRBG_max_personalization_string_length; + +extern uint32_t Hacl_HMAC_DRBG_max_additional_input_length; + +uint32_t Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_hash_alg a); + +typedef struct Hacl_HMAC_DRBG_state_s +{ + uint8_t *k; + uint8_t *v; + uint32_t *reseed_counter; +} +Hacl_HMAC_DRBG_state; + +bool +Hacl_HMAC_DRBG_uu___is_State(Spec_Hash_Definitions_hash_alg a, Hacl_HMAC_DRBG_state projectee); + +Hacl_HMAC_DRBG_state Hacl_HMAC_DRBG_create_in(Spec_Hash_Definitions_hash_alg a); + +void +Hacl_HMAC_DRBG_instantiate( + Spec_Hash_Definitions_hash_alg a, + Hacl_HMAC_DRBG_state st, + uint32_t entropy_input_len, + uint8_t *entropy_input, + uint32_t nonce_len, + uint8_t *nonce, + uint32_t personalization_string_len, + uint8_t *personalization_string +); + +void +Hacl_HMAC_DRBG_reseed( + Spec_Hash_Definitions_hash_alg a, + Hacl_HMAC_DRBG_state st, + uint32_t entropy_input_len, + uint8_t *entropy_input, + uint32_t additional_input_input_len, + uint8_t *additional_input_input +); + +bool +Hacl_HMAC_DRBG_generate( + Spec_Hash_Definitions_hash_alg a, + uint8_t *output, + Hacl_HMAC_DRBG_state st, + uint32_t n, + uint32_t additional_input_len, + uint8_t *additional_input +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HMAC_DRBG_H_DEFINED +#endif 
diff --git a/include/msvc/Hacl_HPKE_Curve51_CP128_SHA256.h b/include/msvc/Hacl_HPKE_Curve51_CP128_SHA256.h new file mode 100644 index 00000000..f337e4c2 --- /dev/null +++ b/include/msvc/Hacl_HPKE_Curve51_CP128_SHA256.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve51_CP128_SHA256_H +#define __Hacl_HPKE_Curve51_CP128_SHA256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_51.h" +#include "Hacl_Chacha20Poly1305_128.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve51_CP128_SHA256_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve51_CP128_SHA256_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve51_CP128_SHA256_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve51_CP128_SHA256_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve51_CP128_SHA256_H_DEFINED +#endif diff --git a/include/msvc/Hacl_HPKE_Curve51_CP128_SHA512.h b/include/msvc/Hacl_HPKE_Curve51_CP128_SHA512.h new file mode 100644 index 00000000..1c870340 --- /dev/null +++ b/include/msvc/Hacl_HPKE_Curve51_CP128_SHA512.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve51_CP128_SHA512_H +#define __Hacl_HPKE_Curve51_CP128_SHA512_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_51.h" +#include "Hacl_Chacha20Poly1305_128.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve51_CP128_SHA512_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve51_CP128_SHA512_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve51_CP128_SHA512_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve51_CP128_SHA512_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve51_CP128_SHA512_H_DEFINED +#endif diff --git a/include/msvc/Hacl_HPKE_Curve51_CP256_SHA256.h b/include/msvc/Hacl_HPKE_Curve51_CP256_SHA256.h new file mode 100644 index 00000000..9c2c8fb9 --- /dev/null +++ b/include/msvc/Hacl_HPKE_Curve51_CP256_SHA256.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve51_CP256_SHA256_H +#define __Hacl_HPKE_Curve51_CP256_SHA256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_51.h" +#include "Hacl_Chacha20Poly1305_256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve51_CP256_SHA256_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve51_CP256_SHA256_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve51_CP256_SHA256_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve51_CP256_SHA256_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve51_CP256_SHA256_H_DEFINED +#endif diff --git a/include/msvc/Hacl_HPKE_Curve51_CP256_SHA512.h b/include/msvc/Hacl_HPKE_Curve51_CP256_SHA512.h new file mode 100644 index 00000000..b03673d0 --- /dev/null +++ b/include/msvc/Hacl_HPKE_Curve51_CP256_SHA512.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve51_CP256_SHA512_H +#define __Hacl_HPKE_Curve51_CP256_SHA512_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_51.h" +#include "Hacl_Chacha20Poly1305_256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve51_CP256_SHA512_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve51_CP256_SHA512_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve51_CP256_SHA512_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve51_CP256_SHA512_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve51_CP256_SHA512_H_DEFINED +#endif diff --git a/include/msvc/Hacl_HPKE_Curve51_CP32_SHA256.h b/include/msvc/Hacl_HPKE_Curve51_CP32_SHA256.h new file mode 100644 index 00000000..2e98b356 --- /dev/null +++ b/include/msvc/Hacl_HPKE_Curve51_CP32_SHA256.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve51_CP32_SHA256_H +#define __Hacl_HPKE_Curve51_CP32_SHA256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_51.h" +#include "Hacl_Chacha20Poly1305_32.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve51_CP32_SHA256_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve51_CP32_SHA256_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve51_CP32_SHA256_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve51_CP32_SHA256_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve51_CP32_SHA256_H_DEFINED +#endif diff --git a/include/msvc/Hacl_HPKE_Curve51_CP32_SHA512.h b/include/msvc/Hacl_HPKE_Curve51_CP32_SHA512.h new file mode 100644 index 00000000..6533ca08 --- /dev/null +++ b/include/msvc/Hacl_HPKE_Curve51_CP32_SHA512.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve51_CP32_SHA512_H +#define __Hacl_HPKE_Curve51_CP32_SHA512_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_51.h" +#include "Hacl_Chacha20Poly1305_32.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve51_CP32_SHA512_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve51_CP32_SHA512_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve51_CP32_SHA512_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve51_CP32_SHA512_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve51_CP32_SHA512_H_DEFINED +#endif diff --git a/include/msvc/Hacl_HPKE_Curve64_CP128_SHA256.h b/include/msvc/Hacl_HPKE_Curve64_CP128_SHA256.h new file mode 100644 index 00000000..7e3ba549 --- /dev/null +++ b/include/msvc/Hacl_HPKE_Curve64_CP128_SHA256.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve64_CP128_SHA256_H +#define __Hacl_HPKE_Curve64_CP128_SHA256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_Chacha20Poly1305_128.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve64_CP128_SHA256_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP128_SHA256_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP128_SHA256_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve64_CP128_SHA256_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve64_CP128_SHA256_H_DEFINED +#endif diff --git a/include/msvc/Hacl_HPKE_Curve64_CP128_SHA512.h b/include/msvc/Hacl_HPKE_Curve64_CP128_SHA512.h new file mode 100644 index 00000000..c8728cf0 --- /dev/null +++ b/include/msvc/Hacl_HPKE_Curve64_CP128_SHA512.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve64_CP128_SHA512_H +#define __Hacl_HPKE_Curve64_CP128_SHA512_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_Chacha20Poly1305_128.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve64_CP128_SHA512_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP128_SHA512_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP128_SHA512_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve64_CP128_SHA512_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve64_CP128_SHA512_H_DEFINED +#endif diff --git a/include/msvc/Hacl_HPKE_Curve64_CP256_SHA256.h b/include/msvc/Hacl_HPKE_Curve64_CP256_SHA256.h new file mode 100644 index 00000000..eddeb5fe --- /dev/null +++ b/include/msvc/Hacl_HPKE_Curve64_CP256_SHA256.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve64_CP256_SHA256_H +#define __Hacl_HPKE_Curve64_CP256_SHA256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_Chacha20Poly1305_256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve64_CP256_SHA256_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP256_SHA256_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP256_SHA256_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve64_CP256_SHA256_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve64_CP256_SHA256_H_DEFINED +#endif diff --git a/include/msvc/Hacl_HPKE_Curve64_CP256_SHA512.h b/include/msvc/Hacl_HPKE_Curve64_CP256_SHA512.h new file mode 100644 index 00000000..9294aaec --- /dev/null +++ b/include/msvc/Hacl_HPKE_Curve64_CP256_SHA512.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve64_CP256_SHA512_H +#define __Hacl_HPKE_Curve64_CP256_SHA512_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_Chacha20Poly1305_256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve64_CP256_SHA512_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP256_SHA512_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP256_SHA512_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve64_CP256_SHA512_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve64_CP256_SHA512_H_DEFINED +#endif diff --git a/include/msvc/Hacl_HPKE_Curve64_CP32_SHA256.h b/include/msvc/Hacl_HPKE_Curve64_CP32_SHA256.h new file mode 100644 index 00000000..603fe9a9 --- /dev/null +++ b/include/msvc/Hacl_HPKE_Curve64_CP32_SHA256.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve64_CP32_SHA256_H +#define __Hacl_HPKE_Curve64_CP32_SHA256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_Chacha20Poly1305_32.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve64_CP32_SHA256_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP32_SHA256_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP32_SHA256_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve64_CP32_SHA256_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve64_CP32_SHA256_H_DEFINED +#endif diff --git a/include/msvc/Hacl_HPKE_Curve64_CP32_SHA512.h b/include/msvc/Hacl_HPKE_Curve64_CP32_SHA512.h new file mode 100644 index 00000000..ad1bab4e --- /dev/null +++ b/include/msvc/Hacl_HPKE_Curve64_CP32_SHA512.h 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_Curve64_CP32_SHA512_H +#define __Hacl_HPKE_Curve64_CP32_SHA512_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_Chacha20Poly1305_32.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_Curve64_CP32_SHA512_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP32_SHA512_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_Curve64_CP32_SHA512_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_Curve64_CP32_SHA512_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_Curve64_CP32_SHA512_H_DEFINED +#endif diff --git a/include/msvc/Hacl_HPKE_P256_CP128_SHA256.h b/include/msvc/Hacl_HPKE_P256_CP128_SHA256.h new file mode 100644 index 00000000..857ec1c8 --- /dev/null +++ b/include/msvc/Hacl_HPKE_P256_CP128_SHA256.h 
@@ -0,0 +1,91 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_P256_CP128_SHA256_H +#define __Hacl_HPKE_P256_CP128_SHA256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Chacha20Poly1305_128.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_P256_CP128_SHA256_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_P256_CP128_SHA256_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_P256_CP128_SHA256_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_P256_CP128_SHA256_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_P256_CP128_SHA256_H_DEFINED +#endif diff --git a/include/msvc/Hacl_HPKE_P256_CP256_SHA256.h b/include/msvc/Hacl_HPKE_P256_CP256_SHA256.h new file mode 100644 index 00000000..60a4febf --- /dev/null +++ b/include/msvc/Hacl_HPKE_P256_CP256_SHA256.h 
@@ -0,0 +1,91 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_P256_CP256_SHA256_H +#define __Hacl_HPKE_P256_CP256_SHA256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Chacha20Poly1305_256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_P256_CP256_SHA256_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_P256_CP256_SHA256_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_P256_CP256_SHA256_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_P256_CP256_SHA256_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_P256_CP256_SHA256_H_DEFINED +#endif diff --git a/include/msvc/Hacl_HPKE_P256_CP32_SHA256.h b/include/msvc/Hacl_HPKE_P256_CP32_SHA256.h new file mode 100644 index 00000000..77430c7f --- /dev/null +++ b/include/msvc/Hacl_HPKE_P256_CP32_SHA256.h 
@@ -0,0 +1,91 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_HPKE_P256_CP32_SHA256_H +#define __Hacl_HPKE_P256_CP32_SHA256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Hash_SHA2.h" +#include "Hacl_HKDF.h" +#include "Hacl_Chacha20Poly1305_32.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_HPKE_P256_CP32_SHA256_setupBaseI( + uint8_t *o_pkE, + uint8_t *o_k, + uint8_t *o_n, + uint8_t *skE, + uint8_t *pkR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_P256_CP32_SHA256_setupBaseR( + uint8_t *o_key_aead, + uint8_t *o_nonce_aead, + uint8_t *pkE, + uint8_t *skR, + uint32_t infolen, + uint8_t *info +); + +uint32_t +Hacl_HPKE_P256_CP32_SHA256_sealBase( + uint8_t *skE, + uint8_t *pkR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +uint32_t +Hacl_HPKE_P256_CP32_SHA256_openBase( + uint8_t *pkE, + uint8_t *skR, + uint32_t mlen, + uint8_t *m, + uint32_t infolen, + uint8_t *info, + uint8_t *output +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_HPKE_P256_CP32_SHA256_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Hash_Base.h b/include/msvc/Hacl_Hash_Base.h new file mode 100644 index 00000000..e4ec8cad --- /dev/null +++ b/include/msvc/Hacl_Hash_Base.h 
@@ -0,0 +1,54 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Hash_Base_H +#define __Hacl_Hash_Base_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Spec.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t Hacl_Hash_Definitions_word_len(Spec_Hash_Definitions_hash_alg a); + +uint32_t Hacl_Hash_Definitions_block_len(Spec_Hash_Definitions_hash_alg a); + +uint32_t Hacl_Hash_Definitions_hash_word_len(Spec_Hash_Definitions_hash_alg a); + +uint32_t Hacl_Hash_Definitions_hash_len(Spec_Hash_Definitions_hash_alg a); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Hash_Base_H_DEFINED +#endif 
diff --git a/include/msvc/Hacl_Hash_Blake2.h b/include/msvc/Hacl_Hash_Blake2.h new file mode 100644 index 00000000..9651ffa2 --- /dev/null +++ b/include/msvc/Hacl_Hash_Blake2.h 
@@ -0,0 +1,140 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Hash_Blake2_H +#define __Hacl_Hash_Blake2_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Lib_Memzero0.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Impl_Blake2_Constants.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +#define Hacl_Impl_Blake2_Core_M32 0 +#define Hacl_Impl_Blake2_Core_M128 1 +#define Hacl_Impl_Blake2_Core_M256 2 + +typedef uint8_t Hacl_Impl_Blake2_Core_m_spec; + +void Hacl_Blake2b_32_blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn); + +void +Hacl_Blake2b_32_blake2b_update_key( + uint64_t *wv, + uint64_t *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll +); + +void +Hacl_Blake2b_32_blake2b_update_multi( + uint32_t len, + uint64_t *wv, + uint64_t *hash, + FStar_UInt128_uint128 prev, + uint8_t *blocks, + uint32_t nb +); + +void +Hacl_Blake2b_32_blake2b_update_last( + uint32_t len, + uint64_t *wv, + uint64_t *hash, + FStar_UInt128_uint128 prev, + uint32_t rem, + uint8_t *d +); + +void Hacl_Blake2b_32_blake2b_finish(uint32_t nn, uint8_t *output, uint64_t *hash); + +void +Hacl_Blake2b_32_blake2b( + uint32_t nn, + uint8_t *output, + uint32_t ll, + uint8_t *d, + uint32_t kk, + uint8_t *k +); + +void Hacl_Blake2s_32_blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn); + +void +Hacl_Blake2s_32_blake2s_update_key( + uint32_t *wv, + uint32_t *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll +); + +void +Hacl_Blake2s_32_blake2s_update_multi( + uint32_t len, + uint32_t *wv, + uint32_t *hash, + uint64_t prev, + uint8_t *blocks, + uint32_t nb +); + +void +Hacl_Blake2s_32_blake2s_update_last( + uint32_t len, + uint32_t *wv, + uint32_t *hash, + uint64_t prev, + uint32_t rem, + uint8_t *d +); + +void Hacl_Blake2s_32_blake2s_finish(uint32_t nn, uint8_t *output, uint32_t *hash); + +void +Hacl_Blake2s_32_blake2s( + uint32_t nn, + uint8_t *output, + uint32_t ll, + uint8_t 
*d, + uint32_t kk, + uint8_t *k +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Hash_Blake2_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Hash_Blake2b_256.h b/include/msvc/Hacl_Hash_Blake2b_256.h new file mode 100644 index 00000000..8514a6d1 --- /dev/null +++ b/include/msvc/Hacl_Hash_Blake2b_256.h 
@@ -0,0 +1,97 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Hash_Blake2b_256_H +#define __Hacl_Hash_Blake2b_256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Lib_Memzero0.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Impl_Blake2_Constants.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Blake2b_256_blake2b_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t kk, uint32_t nn); + +void +Hacl_Blake2b_256_blake2b_update_key( + Lib_IntVector_Intrinsics_vec256 *wv, + Lib_IntVector_Intrinsics_vec256 *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll +); + +void +Hacl_Blake2b_256_blake2b_update_multi( + uint32_t len, + Lib_IntVector_Intrinsics_vec256 *wv, + Lib_IntVector_Intrinsics_vec256 *hash, + FStar_UInt128_uint128 prev, + uint8_t *blocks, + uint32_t nb +); + +void +Hacl_Blake2b_256_blake2b_update_last( + uint32_t len, + Lib_IntVector_Intrinsics_vec256 *wv, + Lib_IntVector_Intrinsics_vec256 *hash, + FStar_UInt128_uint128 prev, + uint32_t rem, + uint8_t *d +); + +void +Hacl_Blake2b_256_blake2b_finish( + uint32_t nn, + uint8_t *output, + Lib_IntVector_Intrinsics_vec256 *hash +); + +void +Hacl_Blake2b_256_blake2b( + uint32_t nn, + uint8_t *output, + uint32_t ll, + uint8_t *d, + uint32_t kk, + uint8_t *k +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Hash_Blake2b_256_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Hash_Blake2s_128.h b/include/msvc/Hacl_Hash_Blake2s_128.h new file mode 100644 index 00000000..228298b9 --- /dev/null +++ b/include/msvc/Hacl_Hash_Blake2s_128.h 
@@ -0,0 +1,97 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Hash_Blake2s_128_H +#define __Hacl_Hash_Blake2s_128_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Lib_Memzero0.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Impl_Blake2_Constants.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Blake2s_128_blake2s_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t kk, uint32_t nn); + +void +Hacl_Blake2s_128_blake2s_update_key( + Lib_IntVector_Intrinsics_vec128 *wv, + Lib_IntVector_Intrinsics_vec128 *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll +); + +void +Hacl_Blake2s_128_blake2s_update_multi( + uint32_t len, + Lib_IntVector_Intrinsics_vec128 *wv, + Lib_IntVector_Intrinsics_vec128 *hash, + uint64_t prev, + uint8_t *blocks, + uint32_t nb +); + +void +Hacl_Blake2s_128_blake2s_update_last( + uint32_t len, + Lib_IntVector_Intrinsics_vec128 *wv, + Lib_IntVector_Intrinsics_vec128 *hash, + uint64_t prev, + uint32_t rem, + uint8_t *d +); + +void +Hacl_Blake2s_128_blake2s_finish( + uint32_t nn, + uint8_t *output, + Lib_IntVector_Intrinsics_vec128 *hash +); + +void +Hacl_Blake2s_128_blake2s( + uint32_t nn, + uint8_t *output, + uint32_t ll, + uint8_t *d, + uint32_t kk, + uint8_t *k +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Hash_Blake2s_128_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Hash_MD5.h b/include/msvc/Hacl_Hash_MD5.h new file mode 100644 index 00000000..178aa51f --- /dev/null +++ b/include/msvc/Hacl_Hash_MD5.h 
@@ -0,0 +1,58 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Hash_MD5_H
+#define __Hacl_Hash_MD5_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Kremlib.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void Hacl_Hash_MD5_legacy_update_multi(uint32_t *s, uint8_t *blocks, uint32_t n_blocks);
+
+void
+Hacl_Hash_MD5_legacy_update_last(
+ uint32_t *s,
+ uint64_t prev_len,
+ uint8_t *input,
+ uint32_t input_len
+);
+
+void Hacl_Hash_MD5_legacy_hash(uint8_t *input, uint32_t input_len, uint8_t *dst);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Hash_MD5_H_DEFINED
+#endif
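Review bot: `Hacl_Hash_MD5_legacy_hash` is exported with no comment on why it is marked legacy, so a caller reading only this header gets no signal that MD5 is unsuitable wherever collision resistance matters; I would add above it `/* MD5 is not collision resistant; provided only for compatibility with existing protocols and formats, not for new designs. */`. The same applies to `Hacl_Hash_SHA1_legacy_hash` in Hacl_Hash_SHA1.h. Separately, `input` and `blocks` are declared `uint8_t *` although these functions presumably only read through them; if the extraction toolchain permits it, `const uint8_t *` would express the read-only contract and spare callers a cast. The header also does not say what `prev_len` in `legacy_update_last` counts (bytes already absorbed through `update_multi`, if that is its meaning), which callers of the incremental API need to get the padding right.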
diff --git a/include/msvc/Hacl_Hash_SHA1.h b/include/msvc/Hacl_Hash_SHA1.h
new file mode 100644
index 00000000..d7af8c3c
--- /dev/null
+++ b/include/msvc/Hacl_Hash_SHA1.h
@@ -0,0 +1,58 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Hash_SHA1_H
+#define __Hacl_Hash_SHA1_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Kremlib.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void Hacl_Hash_SHA1_legacy_update_multi(uint32_t *s, uint8_t *blocks, uint32_t n_blocks);
+
+void
+Hacl_Hash_SHA1_legacy_update_last(
+ uint32_t *s,
+ uint64_t prev_len,
+ uint8_t *input,
+ uint32_t input_len
+);
+
+void Hacl_Hash_SHA1_legacy_hash(uint8_t *input, uint32_t input_len, uint8_t *dst);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Hash_SHA1_H_DEFINED
+#endif
diff --git a/include/msvc/Hacl_Hash_SHA2.h b/include/msvc/Hacl_Hash_SHA2.h
new file mode 100644
index 00000000..31eaea37
--- /dev/null
+++ b/include/msvc/Hacl_Hash_SHA2.h
@@ -0,0 +1,94 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Hash_SHA2_H
+#define __Hacl_Hash_SHA2_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Kremlib.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void Hacl_Hash_SHA2_update_multi_224(uint32_t *s, uint8_t *blocks, uint32_t n_blocks);
+
+void Hacl_Hash_SHA2_update_multi_256(uint32_t *s, uint8_t *blocks, uint32_t n_blocks);
+
+void Hacl_Hash_SHA2_update_multi_384(uint64_t *s, uint8_t *blocks, uint32_t n_blocks);
+
+void Hacl_Hash_SHA2_update_multi_512(uint64_t *s, uint8_t *blocks, uint32_t n_blocks);
+
+void
+Hacl_Hash_SHA2_update_last_224(
+ uint32_t *s,
+ uint64_t prev_len,
+ uint8_t *input,
+ uint32_t input_len
+);
+
+void
+Hacl_Hash_SHA2_update_last_256(
+ uint32_t *s,
+ uint64_t prev_len,
+ uint8_t *input,
+ uint32_t input_len
+);
+
+void
+Hacl_Hash_SHA2_update_last_384(
+ uint64_t *s,
+ FStar_UInt128_uint128 prev_len,
+ uint8_t *input,
+ uint32_t input_len
+);
+
+void
+Hacl_Hash_SHA2_update_last_512(
+ uint64_t *s,
+ FStar_UInt128_uint128 prev_len,
+ uint8_t *input,
+ uint32_t input_len
+);
+
+void Hacl_Hash_SHA2_hash_224(uint8_t *input, uint32_t input_len, uint8_t *dst);
+
+void Hacl_Hash_SHA2_hash_256(uint8_t *input, uint32_t input_len, uint8_t *dst);
+
+void Hacl_Hash_SHA2_hash_384(uint8_t *input, uint32_t input_len, uint8_t *dst);
+
+void Hacl_Hash_SHA2_hash_512(uint8_t *input, uint32_t input_len, uint8_t *dst);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Hash_SHA2_H_DEFINED
+#endif
diff --git a/include/msvc/Hacl_Impl_Blake2_Constants.h b/include/msvc/Hacl_Impl_Blake2_Constants.h
new file mode 100644
index 00000000..173269b7
--- /dev/null
+++ b/include/msvc/Hacl_Impl_Blake2_Constants.h
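Review bot: The incremental `Hacl_Hash_SHA2_update_multi_*` and `update_last_*` declarations carry no documentation of their input contract: `update_multi_*` takes a block count `n_blocks` rather than a byte length, and `update_last_*` takes `prev_len` plus a trailing `input_len` whose permitted range (presumably less than one block) is not stated, so a C caller has nothing to check against. A comment above `Hacl_Hash_SHA2_update_multi_224` such as `/* blocks must hold n_blocks whole blocks; feed the final partial block to update_last_*, passing the total byte count already absorbed as prev_len. */` would make the contract visible at the header. The 384/512 variants take `FStar_UInt128_uint128 prev_len` while 224/256 take `uint64_t`, which matches the SHA-2 length-field widths but deserves a one-line note since callers must construct the 128-bit value through the kremlin types this header includes. The one-shot `Hacl_Hash_SHA2_hash_*` functions need none of this bookkeeping and could be named as the recommended entry points.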
@@ -0,0 +1,96 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Impl_Blake2_Constants_H +#define __Hacl_Impl_Blake2_Constants_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +static const +uint32_t +Hacl_Impl_Blake2_Constants_sigmaTable[160U] = + { + (uint32_t)0U, (uint32_t)1U, (uint32_t)2U, (uint32_t)3U, (uint32_t)4U, (uint32_t)5U, + (uint32_t)6U, (uint32_t)7U, (uint32_t)8U, (uint32_t)9U, (uint32_t)10U, (uint32_t)11U, + (uint32_t)12U, (uint32_t)13U, (uint32_t)14U, (uint32_t)15U, (uint32_t)14U, (uint32_t)10U, + (uint32_t)4U, (uint32_t)8U, (uint32_t)9U, (uint32_t)15U, (uint32_t)13U, (uint32_t)6U, + (uint32_t)1U, (uint32_t)12U, (uint32_t)0U, (uint32_t)2U, (uint32_t)11U, (uint32_t)7U, + (uint32_t)5U, (uint32_t)3U, (uint32_t)11U, (uint32_t)8U, (uint32_t)12U, (uint32_t)0U, + (uint32_t)5U, (uint32_t)2U, (uint32_t)15U, (uint32_t)13U, (uint32_t)10U, (uint32_t)14U, + (uint32_t)3U, (uint32_t)6U, (uint32_t)7U, (uint32_t)1U, (uint32_t)9U, (uint32_t)4U, + (uint32_t)7U, (uint32_t)9U, (uint32_t)3U, (uint32_t)1U, (uint32_t)13U, (uint32_t)12U, + (uint32_t)11U, (uint32_t)14U, (uint32_t)2U, (uint32_t)6U, (uint32_t)5U, (uint32_t)10U, + (uint32_t)4U, (uint32_t)0U, (uint32_t)15U, (uint32_t)8U, (uint32_t)9U, (uint32_t)0U, + (uint32_t)5U, (uint32_t)7U, (uint32_t)2U, (uint32_t)4U, (uint32_t)10U, (uint32_t)15U, + (uint32_t)14U, (uint32_t)1U, (uint32_t)11U, (uint32_t)12U, (uint32_t)6U, (uint32_t)8U, + (uint32_t)3U, (uint32_t)13U, (uint32_t)2U, (uint32_t)12U, (uint32_t)6U, (uint32_t)10U, + (uint32_t)0U, (uint32_t)11U, (uint32_t)8U, (uint32_t)3U, (uint32_t)4U, (uint32_t)13U, + (uint32_t)7U, (uint32_t)5U, (uint32_t)15U, (uint32_t)14U, (uint32_t)1U, (uint32_t)9U, + (uint32_t)12U, (uint32_t)5U, (uint32_t)1U, (uint32_t)15U, (uint32_t)14U, (uint32_t)13U, + (uint32_t)4U, (uint32_t)10U, (uint32_t)0U, (uint32_t)7U, (uint32_t)6U, 
(uint32_t)3U, + (uint32_t)9U, (uint32_t)2U, (uint32_t)8U, (uint32_t)11U, (uint32_t)13U, (uint32_t)11U, + (uint32_t)7U, (uint32_t)14U, (uint32_t)12U, (uint32_t)1U, (uint32_t)3U, (uint32_t)9U, + (uint32_t)5U, (uint32_t)0U, (uint32_t)15U, (uint32_t)4U, (uint32_t)8U, (uint32_t)6U, + (uint32_t)2U, (uint32_t)10U, (uint32_t)6U, (uint32_t)15U, (uint32_t)14U, (uint32_t)9U, + (uint32_t)11U, (uint32_t)3U, (uint32_t)0U, (uint32_t)8U, (uint32_t)12U, (uint32_t)2U, + (uint32_t)13U, (uint32_t)7U, (uint32_t)1U, (uint32_t)4U, (uint32_t)10U, (uint32_t)5U, + (uint32_t)10U, (uint32_t)2U, (uint32_t)8U, (uint32_t)4U, (uint32_t)7U, (uint32_t)6U, + (uint32_t)1U, (uint32_t)5U, (uint32_t)15U, (uint32_t)11U, (uint32_t)9U, (uint32_t)14U, + (uint32_t)3U, (uint32_t)12U, (uint32_t)13U + }; + +static const +uint32_t +Hacl_Impl_Blake2_Constants_ivTable_S[8U] = + { + (uint32_t)0x6A09E667U, (uint32_t)0xBB67AE85U, (uint32_t)0x3C6EF372U, (uint32_t)0xA54FF53AU, + (uint32_t)0x510E527FU, (uint32_t)0x9B05688CU, (uint32_t)0x1F83D9ABU, (uint32_t)0x5BE0CD19U + }; + +static const +uint64_t +Hacl_Impl_Blake2_Constants_ivTable_B[8U] = + { + (uint64_t)0x6A09E667F3BCC908U, (uint64_t)0xBB67AE8584CAA73BU, (uint64_t)0x3C6EF372FE94F82BU, + (uint64_t)0xA54FF53A5F1D36F1U, (uint64_t)0x510E527FADE682D1U, (uint64_t)0x9B05688C2B3E6C1FU, + (uint64_t)0x1F83D9ABFB41BD6BU, (uint64_t)0x5BE0CD19137E2179U + }; + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Impl_Blake2_Constants_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Impl_FFDHE_Constants.h b/include/msvc/Hacl_Impl_FFDHE_Constants.h new file mode 100644 index 00000000..539eb949 --- /dev/null +++ b/include/msvc/Hacl_Impl_FFDHE_Constants.h 
@@ -0,0 +1,570 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Impl_FFDHE_Constants_H +#define __Hacl_Impl_FFDHE_Constants_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +static const uint8_t Hacl_Impl_FFDHE_Constants_ffdhe_g2[1U] = { (uint8_t)0x02U }; + +static const +uint8_t +Hacl_Impl_FFDHE_Constants_ffdhe_p2048[256U] = + { + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xADU, (uint8_t)0xF8U, (uint8_t)0x54U, (uint8_t)0x58U, + (uint8_t)0xA2U, (uint8_t)0xBBU, (uint8_t)0x4AU, (uint8_t)0x9AU, (uint8_t)0xAFU, (uint8_t)0xDCU, + (uint8_t)0x56U, (uint8_t)0x20U, (uint8_t)0x27U, (uint8_t)0x3DU, (uint8_t)0x3CU, (uint8_t)0xF1U, + (uint8_t)0xD8U, (uint8_t)0xB9U, (uint8_t)0xC5U, (uint8_t)0x83U, (uint8_t)0xCEU, (uint8_t)0x2DU, + (uint8_t)0x36U, (uint8_t)0x95U, (uint8_t)0xA9U, (uint8_t)0xE1U, (uint8_t)0x36U, (uint8_t)0x41U, + (uint8_t)0x14U, (uint8_t)0x64U, (uint8_t)0x33U, (uint8_t)0xFBU, (uint8_t)0xCCU, (uint8_t)0x93U, + (uint8_t)0x9DU, (uint8_t)0xCEU, (uint8_t)0x24U, (uint8_t)0x9BU, (uint8_t)0x3EU, (uint8_t)0xF9U, + (uint8_t)0x7DU, (uint8_t)0x2FU, (uint8_t)0xE3U, (uint8_t)0x63U, (uint8_t)0x63U, (uint8_t)0x0CU, + (uint8_t)0x75U, (uint8_t)0xD8U, (uint8_t)0xF6U, (uint8_t)0x81U, (uint8_t)0xB2U, (uint8_t)0x02U, + (uint8_t)0xAEU, (uint8_t)0xC4U, (uint8_t)0x61U, (uint8_t)0x7AU, (uint8_t)0xD3U, (uint8_t)0xDFU, + (uint8_t)0x1EU, (uint8_t)0xD5U, (uint8_t)0xD5U, (uint8_t)0xFDU, (uint8_t)0x65U, (uint8_t)0x61U, + (uint8_t)0x24U, (uint8_t)0x33U, (uint8_t)0xF5U, (uint8_t)0x1FU, (uint8_t)0x5FU, (uint8_t)0x06U, + (uint8_t)0x6EU, (uint8_t)0xD0U, (uint8_t)0x85U, (uint8_t)0x63U, (uint8_t)0x65U, (uint8_t)0x55U, + (uint8_t)0x3DU, (uint8_t)0xEDU, (uint8_t)0x1AU, (uint8_t)0xF3U, (uint8_t)0xB5U, (uint8_t)0x57U, + (uint8_t)0x13U, (uint8_t)0x5EU, 
(uint8_t)0x7FU, (uint8_t)0x57U, (uint8_t)0xC9U, (uint8_t)0x35U, + (uint8_t)0x98U, (uint8_t)0x4FU, (uint8_t)0x0CU, (uint8_t)0x70U, (uint8_t)0xE0U, (uint8_t)0xE6U, + (uint8_t)0x8BU, (uint8_t)0x77U, (uint8_t)0xE2U, (uint8_t)0xA6U, (uint8_t)0x89U, (uint8_t)0xDAU, + (uint8_t)0xF3U, (uint8_t)0xEFU, (uint8_t)0xE8U, (uint8_t)0x72U, (uint8_t)0x1DU, (uint8_t)0xF1U, + (uint8_t)0x58U, (uint8_t)0xA1U, (uint8_t)0x36U, (uint8_t)0xADU, (uint8_t)0xE7U, (uint8_t)0x35U, + (uint8_t)0x30U, (uint8_t)0xACU, (uint8_t)0xCAU, (uint8_t)0x4FU, (uint8_t)0x48U, (uint8_t)0x3AU, + (uint8_t)0x79U, (uint8_t)0x7AU, (uint8_t)0xBCU, (uint8_t)0x0AU, (uint8_t)0xB1U, (uint8_t)0x82U, + (uint8_t)0xB3U, (uint8_t)0x24U, (uint8_t)0xFBU, (uint8_t)0x61U, (uint8_t)0xD1U, (uint8_t)0x08U, + (uint8_t)0xA9U, (uint8_t)0x4BU, (uint8_t)0xB2U, (uint8_t)0xC8U, (uint8_t)0xE3U, (uint8_t)0xFBU, + (uint8_t)0xB9U, (uint8_t)0x6AU, (uint8_t)0xDAU, (uint8_t)0xB7U, (uint8_t)0x60U, (uint8_t)0xD7U, + (uint8_t)0xF4U, (uint8_t)0x68U, (uint8_t)0x1DU, (uint8_t)0x4FU, (uint8_t)0x42U, (uint8_t)0xA3U, + (uint8_t)0xDEU, (uint8_t)0x39U, (uint8_t)0x4DU, (uint8_t)0xF4U, (uint8_t)0xAEU, (uint8_t)0x56U, + (uint8_t)0xEDU, (uint8_t)0xE7U, (uint8_t)0x63U, (uint8_t)0x72U, (uint8_t)0xBBU, (uint8_t)0x19U, + (uint8_t)0x0BU, (uint8_t)0x07U, (uint8_t)0xA7U, (uint8_t)0xC8U, (uint8_t)0xEEU, (uint8_t)0x0AU, + (uint8_t)0x6DU, (uint8_t)0x70U, (uint8_t)0x9EU, (uint8_t)0x02U, (uint8_t)0xFCU, (uint8_t)0xE1U, + (uint8_t)0xCDU, (uint8_t)0xF7U, (uint8_t)0xE2U, (uint8_t)0xECU, (uint8_t)0xC0U, (uint8_t)0x34U, + (uint8_t)0x04U, (uint8_t)0xCDU, (uint8_t)0x28U, (uint8_t)0x34U, (uint8_t)0x2FU, (uint8_t)0x61U, + (uint8_t)0x91U, (uint8_t)0x72U, (uint8_t)0xFEU, (uint8_t)0x9CU, (uint8_t)0xE9U, (uint8_t)0x85U, + (uint8_t)0x83U, (uint8_t)0xFFU, (uint8_t)0x8EU, (uint8_t)0x4FU, (uint8_t)0x12U, (uint8_t)0x32U, + (uint8_t)0xEEU, (uint8_t)0xF2U, (uint8_t)0x81U, (uint8_t)0x83U, (uint8_t)0xC3U, (uint8_t)0xFEU, + (uint8_t)0x3BU, (uint8_t)0x1BU, (uint8_t)0x4CU, (uint8_t)0x6FU, 
(uint8_t)0xADU, (uint8_t)0x73U, + (uint8_t)0x3BU, (uint8_t)0xB5U, (uint8_t)0xFCU, (uint8_t)0xBCU, (uint8_t)0x2EU, (uint8_t)0xC2U, + (uint8_t)0x20U, (uint8_t)0x05U, (uint8_t)0xC5U, (uint8_t)0x8EU, (uint8_t)0xF1U, (uint8_t)0x83U, + (uint8_t)0x7DU, (uint8_t)0x16U, (uint8_t)0x83U, (uint8_t)0xB2U, (uint8_t)0xC6U, (uint8_t)0xF3U, + (uint8_t)0x4AU, (uint8_t)0x26U, (uint8_t)0xC1U, (uint8_t)0xB2U, (uint8_t)0xEFU, (uint8_t)0xFAU, + (uint8_t)0x88U, (uint8_t)0x6BU, (uint8_t)0x42U, (uint8_t)0x38U, (uint8_t)0x61U, (uint8_t)0x28U, + (uint8_t)0x5CU, (uint8_t)0x97U, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU + }; + +static const +uint8_t +Hacl_Impl_FFDHE_Constants_ffdhe_p3072[384U] = + { + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xADU, (uint8_t)0xF8U, (uint8_t)0x54U, (uint8_t)0x58U, + (uint8_t)0xA2U, (uint8_t)0xBBU, (uint8_t)0x4AU, (uint8_t)0x9AU, (uint8_t)0xAFU, (uint8_t)0xDCU, + (uint8_t)0x56U, (uint8_t)0x20U, (uint8_t)0x27U, (uint8_t)0x3DU, (uint8_t)0x3CU, (uint8_t)0xF1U, + (uint8_t)0xD8U, (uint8_t)0xB9U, (uint8_t)0xC5U, (uint8_t)0x83U, (uint8_t)0xCEU, (uint8_t)0x2DU, + (uint8_t)0x36U, (uint8_t)0x95U, (uint8_t)0xA9U, (uint8_t)0xE1U, (uint8_t)0x36U, (uint8_t)0x41U, + (uint8_t)0x14U, (uint8_t)0x64U, (uint8_t)0x33U, (uint8_t)0xFBU, (uint8_t)0xCCU, (uint8_t)0x93U, + (uint8_t)0x9DU, (uint8_t)0xCEU, (uint8_t)0x24U, (uint8_t)0x9BU, (uint8_t)0x3EU, (uint8_t)0xF9U, + (uint8_t)0x7DU, (uint8_t)0x2FU, (uint8_t)0xE3U, (uint8_t)0x63U, (uint8_t)0x63U, (uint8_t)0x0CU, + (uint8_t)0x75U, (uint8_t)0xD8U, (uint8_t)0xF6U, (uint8_t)0x81U, (uint8_t)0xB2U, (uint8_t)0x02U, + (uint8_t)0xAEU, (uint8_t)0xC4U, (uint8_t)0x61U, (uint8_t)0x7AU, (uint8_t)0xD3U, (uint8_t)0xDFU, + (uint8_t)0x1EU, (uint8_t)0xD5U, (uint8_t)0xD5U, (uint8_t)0xFDU, (uint8_t)0x65U, (uint8_t)0x61U, + (uint8_t)0x24U, (uint8_t)0x33U, (uint8_t)0xF5U, 
(uint8_t)0x1FU, (uint8_t)0x5FU, (uint8_t)0x06U, + (uint8_t)0x6EU, (uint8_t)0xD0U, (uint8_t)0x85U, (uint8_t)0x63U, (uint8_t)0x65U, (uint8_t)0x55U, + (uint8_t)0x3DU, (uint8_t)0xEDU, (uint8_t)0x1AU, (uint8_t)0xF3U, (uint8_t)0xB5U, (uint8_t)0x57U, + (uint8_t)0x13U, (uint8_t)0x5EU, (uint8_t)0x7FU, (uint8_t)0x57U, (uint8_t)0xC9U, (uint8_t)0x35U, + (uint8_t)0x98U, (uint8_t)0x4FU, (uint8_t)0x0CU, (uint8_t)0x70U, (uint8_t)0xE0U, (uint8_t)0xE6U, + (uint8_t)0x8BU, (uint8_t)0x77U, (uint8_t)0xE2U, (uint8_t)0xA6U, (uint8_t)0x89U, (uint8_t)0xDAU, + (uint8_t)0xF3U, (uint8_t)0xEFU, (uint8_t)0xE8U, (uint8_t)0x72U, (uint8_t)0x1DU, (uint8_t)0xF1U, + (uint8_t)0x58U, (uint8_t)0xA1U, (uint8_t)0x36U, (uint8_t)0xADU, (uint8_t)0xE7U, (uint8_t)0x35U, + (uint8_t)0x30U, (uint8_t)0xACU, (uint8_t)0xCAU, (uint8_t)0x4FU, (uint8_t)0x48U, (uint8_t)0x3AU, + (uint8_t)0x79U, (uint8_t)0x7AU, (uint8_t)0xBCU, (uint8_t)0x0AU, (uint8_t)0xB1U, (uint8_t)0x82U, + (uint8_t)0xB3U, (uint8_t)0x24U, (uint8_t)0xFBU, (uint8_t)0x61U, (uint8_t)0xD1U, (uint8_t)0x08U, + (uint8_t)0xA9U, (uint8_t)0x4BU, (uint8_t)0xB2U, (uint8_t)0xC8U, (uint8_t)0xE3U, (uint8_t)0xFBU, + (uint8_t)0xB9U, (uint8_t)0x6AU, (uint8_t)0xDAU, (uint8_t)0xB7U, (uint8_t)0x60U, (uint8_t)0xD7U, + (uint8_t)0xF4U, (uint8_t)0x68U, (uint8_t)0x1DU, (uint8_t)0x4FU, (uint8_t)0x42U, (uint8_t)0xA3U, + (uint8_t)0xDEU, (uint8_t)0x39U, (uint8_t)0x4DU, (uint8_t)0xF4U, (uint8_t)0xAEU, (uint8_t)0x56U, + (uint8_t)0xEDU, (uint8_t)0xE7U, (uint8_t)0x63U, (uint8_t)0x72U, (uint8_t)0xBBU, (uint8_t)0x19U, + (uint8_t)0x0BU, (uint8_t)0x07U, (uint8_t)0xA7U, (uint8_t)0xC8U, (uint8_t)0xEEU, (uint8_t)0x0AU, + (uint8_t)0x6DU, (uint8_t)0x70U, (uint8_t)0x9EU, (uint8_t)0x02U, (uint8_t)0xFCU, (uint8_t)0xE1U, + (uint8_t)0xCDU, (uint8_t)0xF7U, (uint8_t)0xE2U, (uint8_t)0xECU, (uint8_t)0xC0U, (uint8_t)0x34U, + (uint8_t)0x04U, (uint8_t)0xCDU, (uint8_t)0x28U, (uint8_t)0x34U, (uint8_t)0x2FU, (uint8_t)0x61U, + (uint8_t)0x91U, (uint8_t)0x72U, (uint8_t)0xFEU, (uint8_t)0x9CU, (uint8_t)0xE9U, 
(uint8_t)0x85U, + (uint8_t)0x83U, (uint8_t)0xFFU, (uint8_t)0x8EU, (uint8_t)0x4FU, (uint8_t)0x12U, (uint8_t)0x32U, + (uint8_t)0xEEU, (uint8_t)0xF2U, (uint8_t)0x81U, (uint8_t)0x83U, (uint8_t)0xC3U, (uint8_t)0xFEU, + (uint8_t)0x3BU, (uint8_t)0x1BU, (uint8_t)0x4CU, (uint8_t)0x6FU, (uint8_t)0xADU, (uint8_t)0x73U, + (uint8_t)0x3BU, (uint8_t)0xB5U, (uint8_t)0xFCU, (uint8_t)0xBCU, (uint8_t)0x2EU, (uint8_t)0xC2U, + (uint8_t)0x20U, (uint8_t)0x05U, (uint8_t)0xC5U, (uint8_t)0x8EU, (uint8_t)0xF1U, (uint8_t)0x83U, + (uint8_t)0x7DU, (uint8_t)0x16U, (uint8_t)0x83U, (uint8_t)0xB2U, (uint8_t)0xC6U, (uint8_t)0xF3U, + (uint8_t)0x4AU, (uint8_t)0x26U, (uint8_t)0xC1U, (uint8_t)0xB2U, (uint8_t)0xEFU, (uint8_t)0xFAU, + (uint8_t)0x88U, (uint8_t)0x6BU, (uint8_t)0x42U, (uint8_t)0x38U, (uint8_t)0x61U, (uint8_t)0x1FU, + (uint8_t)0xCFU, (uint8_t)0xDCU, (uint8_t)0xDEU, (uint8_t)0x35U, (uint8_t)0x5BU, (uint8_t)0x3BU, + (uint8_t)0x65U, (uint8_t)0x19U, (uint8_t)0x03U, (uint8_t)0x5BU, (uint8_t)0xBCU, (uint8_t)0x34U, + (uint8_t)0xF4U, (uint8_t)0xDEU, (uint8_t)0xF9U, (uint8_t)0x9CU, (uint8_t)0x02U, (uint8_t)0x38U, + (uint8_t)0x61U, (uint8_t)0xB4U, (uint8_t)0x6FU, (uint8_t)0xC9U, (uint8_t)0xD6U, (uint8_t)0xE6U, + (uint8_t)0xC9U, (uint8_t)0x07U, (uint8_t)0x7AU, (uint8_t)0xD9U, (uint8_t)0x1DU, (uint8_t)0x26U, + (uint8_t)0x91U, (uint8_t)0xF7U, (uint8_t)0xF7U, (uint8_t)0xEEU, (uint8_t)0x59U, (uint8_t)0x8CU, + (uint8_t)0xB0U, (uint8_t)0xFAU, (uint8_t)0xC1U, (uint8_t)0x86U, (uint8_t)0xD9U, (uint8_t)0x1CU, + (uint8_t)0xAEU, (uint8_t)0xFEU, (uint8_t)0x13U, (uint8_t)0x09U, (uint8_t)0x85U, (uint8_t)0x13U, + (uint8_t)0x92U, (uint8_t)0x70U, (uint8_t)0xB4U, (uint8_t)0x13U, (uint8_t)0x0CU, (uint8_t)0x93U, + (uint8_t)0xBCU, (uint8_t)0x43U, (uint8_t)0x79U, (uint8_t)0x44U, (uint8_t)0xF4U, (uint8_t)0xFDU, + (uint8_t)0x44U, (uint8_t)0x52U, (uint8_t)0xE2U, (uint8_t)0xD7U, (uint8_t)0x4DU, (uint8_t)0xD3U, + (uint8_t)0x64U, (uint8_t)0xF2U, (uint8_t)0xE2U, (uint8_t)0x1EU, (uint8_t)0x71U, (uint8_t)0xF5U, + (uint8_t)0x4BU, 
(uint8_t)0xFFU, (uint8_t)0x5CU, (uint8_t)0xAEU, (uint8_t)0x82U, (uint8_t)0xABU, + (uint8_t)0x9CU, (uint8_t)0x9DU, (uint8_t)0xF6U, (uint8_t)0x9EU, (uint8_t)0xE8U, (uint8_t)0x6DU, + (uint8_t)0x2BU, (uint8_t)0xC5U, (uint8_t)0x22U, (uint8_t)0x36U, (uint8_t)0x3AU, (uint8_t)0x0DU, + (uint8_t)0xABU, (uint8_t)0xC5U, (uint8_t)0x21U, (uint8_t)0x97U, (uint8_t)0x9BU, (uint8_t)0x0DU, + (uint8_t)0xEAU, (uint8_t)0xDAU, (uint8_t)0x1DU, (uint8_t)0xBFU, (uint8_t)0x9AU, (uint8_t)0x42U, + (uint8_t)0xD5U, (uint8_t)0xC4U, (uint8_t)0x48U, (uint8_t)0x4EU, (uint8_t)0x0AU, (uint8_t)0xBCU, + (uint8_t)0xD0U, (uint8_t)0x6BU, (uint8_t)0xFAU, (uint8_t)0x53U, (uint8_t)0xDDU, (uint8_t)0xEFU, + (uint8_t)0x3CU, (uint8_t)0x1BU, (uint8_t)0x20U, (uint8_t)0xEEU, (uint8_t)0x3FU, (uint8_t)0xD5U, + (uint8_t)0x9DU, (uint8_t)0x7CU, (uint8_t)0x25U, (uint8_t)0xE4U, (uint8_t)0x1DU, (uint8_t)0x2BU, + (uint8_t)0x66U, (uint8_t)0xC6U, (uint8_t)0x2EU, (uint8_t)0x37U, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU + }; + +static const +uint8_t +Hacl_Impl_FFDHE_Constants_ffdhe_p4096[512U] = + { + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xADU, (uint8_t)0xF8U, (uint8_t)0x54U, (uint8_t)0x58U, + (uint8_t)0xA2U, (uint8_t)0xBBU, (uint8_t)0x4AU, (uint8_t)0x9AU, (uint8_t)0xAFU, (uint8_t)0xDCU, + (uint8_t)0x56U, (uint8_t)0x20U, (uint8_t)0x27U, (uint8_t)0x3DU, (uint8_t)0x3CU, (uint8_t)0xF1U, + (uint8_t)0xD8U, (uint8_t)0xB9U, (uint8_t)0xC5U, (uint8_t)0x83U, (uint8_t)0xCEU, (uint8_t)0x2DU, + (uint8_t)0x36U, (uint8_t)0x95U, (uint8_t)0xA9U, (uint8_t)0xE1U, (uint8_t)0x36U, (uint8_t)0x41U, + (uint8_t)0x14U, (uint8_t)0x64U, (uint8_t)0x33U, (uint8_t)0xFBU, (uint8_t)0xCCU, (uint8_t)0x93U, + (uint8_t)0x9DU, (uint8_t)0xCEU, (uint8_t)0x24U, (uint8_t)0x9BU, (uint8_t)0x3EU, (uint8_t)0xF9U, + (uint8_t)0x7DU, (uint8_t)0x2FU, (uint8_t)0xE3U, (uint8_t)0x63U, 
(uint8_t)0x63U, (uint8_t)0x0CU, + (uint8_t)0x75U, (uint8_t)0xD8U, (uint8_t)0xF6U, (uint8_t)0x81U, (uint8_t)0xB2U, (uint8_t)0x02U, + (uint8_t)0xAEU, (uint8_t)0xC4U, (uint8_t)0x61U, (uint8_t)0x7AU, (uint8_t)0xD3U, (uint8_t)0xDFU, + (uint8_t)0x1EU, (uint8_t)0xD5U, (uint8_t)0xD5U, (uint8_t)0xFDU, (uint8_t)0x65U, (uint8_t)0x61U, + (uint8_t)0x24U, (uint8_t)0x33U, (uint8_t)0xF5U, (uint8_t)0x1FU, (uint8_t)0x5FU, (uint8_t)0x06U, + (uint8_t)0x6EU, (uint8_t)0xD0U, (uint8_t)0x85U, (uint8_t)0x63U, (uint8_t)0x65U, (uint8_t)0x55U, + (uint8_t)0x3DU, (uint8_t)0xEDU, (uint8_t)0x1AU, (uint8_t)0xF3U, (uint8_t)0xB5U, (uint8_t)0x57U, + (uint8_t)0x13U, (uint8_t)0x5EU, (uint8_t)0x7FU, (uint8_t)0x57U, (uint8_t)0xC9U, (uint8_t)0x35U, + (uint8_t)0x98U, (uint8_t)0x4FU, (uint8_t)0x0CU, (uint8_t)0x70U, (uint8_t)0xE0U, (uint8_t)0xE6U, + (uint8_t)0x8BU, (uint8_t)0x77U, (uint8_t)0xE2U, (uint8_t)0xA6U, (uint8_t)0x89U, (uint8_t)0xDAU, + (uint8_t)0xF3U, (uint8_t)0xEFU, (uint8_t)0xE8U, (uint8_t)0x72U, (uint8_t)0x1DU, (uint8_t)0xF1U, + (uint8_t)0x58U, (uint8_t)0xA1U, (uint8_t)0x36U, (uint8_t)0xADU, (uint8_t)0xE7U, (uint8_t)0x35U, + (uint8_t)0x30U, (uint8_t)0xACU, (uint8_t)0xCAU, (uint8_t)0x4FU, (uint8_t)0x48U, (uint8_t)0x3AU, + (uint8_t)0x79U, (uint8_t)0x7AU, (uint8_t)0xBCU, (uint8_t)0x0AU, (uint8_t)0xB1U, (uint8_t)0x82U, + (uint8_t)0xB3U, (uint8_t)0x24U, (uint8_t)0xFBU, (uint8_t)0x61U, (uint8_t)0xD1U, (uint8_t)0x08U, + (uint8_t)0xA9U, (uint8_t)0x4BU, (uint8_t)0xB2U, (uint8_t)0xC8U, (uint8_t)0xE3U, (uint8_t)0xFBU, + (uint8_t)0xB9U, (uint8_t)0x6AU, (uint8_t)0xDAU, (uint8_t)0xB7U, (uint8_t)0x60U, (uint8_t)0xD7U, + (uint8_t)0xF4U, (uint8_t)0x68U, (uint8_t)0x1DU, (uint8_t)0x4FU, (uint8_t)0x42U, (uint8_t)0xA3U, + (uint8_t)0xDEU, (uint8_t)0x39U, (uint8_t)0x4DU, (uint8_t)0xF4U, (uint8_t)0xAEU, (uint8_t)0x56U, + (uint8_t)0xEDU, (uint8_t)0xE7U, (uint8_t)0x63U, (uint8_t)0x72U, (uint8_t)0xBBU, (uint8_t)0x19U, + (uint8_t)0x0BU, (uint8_t)0x07U, (uint8_t)0xA7U, (uint8_t)0xC8U, (uint8_t)0xEEU, (uint8_t)0x0AU, + 
(uint8_t)0x6DU, (uint8_t)0x70U, (uint8_t)0x9EU, (uint8_t)0x02U, (uint8_t)0xFCU, (uint8_t)0xE1U, + (uint8_t)0xCDU, (uint8_t)0xF7U, (uint8_t)0xE2U, (uint8_t)0xECU, (uint8_t)0xC0U, (uint8_t)0x34U, + (uint8_t)0x04U, (uint8_t)0xCDU, (uint8_t)0x28U, (uint8_t)0x34U, (uint8_t)0x2FU, (uint8_t)0x61U, + (uint8_t)0x91U, (uint8_t)0x72U, (uint8_t)0xFEU, (uint8_t)0x9CU, (uint8_t)0xE9U, (uint8_t)0x85U, + (uint8_t)0x83U, (uint8_t)0xFFU, (uint8_t)0x8EU, (uint8_t)0x4FU, (uint8_t)0x12U, (uint8_t)0x32U, + (uint8_t)0xEEU, (uint8_t)0xF2U, (uint8_t)0x81U, (uint8_t)0x83U, (uint8_t)0xC3U, (uint8_t)0xFEU, + (uint8_t)0x3BU, (uint8_t)0x1BU, (uint8_t)0x4CU, (uint8_t)0x6FU, (uint8_t)0xADU, (uint8_t)0x73U, + (uint8_t)0x3BU, (uint8_t)0xB5U, (uint8_t)0xFCU, (uint8_t)0xBCU, (uint8_t)0x2EU, (uint8_t)0xC2U, + (uint8_t)0x20U, (uint8_t)0x05U, (uint8_t)0xC5U, (uint8_t)0x8EU, (uint8_t)0xF1U, (uint8_t)0x83U, + (uint8_t)0x7DU, (uint8_t)0x16U, (uint8_t)0x83U, (uint8_t)0xB2U, (uint8_t)0xC6U, (uint8_t)0xF3U, + (uint8_t)0x4AU, (uint8_t)0x26U, (uint8_t)0xC1U, (uint8_t)0xB2U, (uint8_t)0xEFU, (uint8_t)0xFAU, + (uint8_t)0x88U, (uint8_t)0x6BU, (uint8_t)0x42U, (uint8_t)0x38U, (uint8_t)0x61U, (uint8_t)0x1FU, + (uint8_t)0xCFU, (uint8_t)0xDCU, (uint8_t)0xDEU, (uint8_t)0x35U, (uint8_t)0x5BU, (uint8_t)0x3BU, + (uint8_t)0x65U, (uint8_t)0x19U, (uint8_t)0x03U, (uint8_t)0x5BU, (uint8_t)0xBCU, (uint8_t)0x34U, + (uint8_t)0xF4U, (uint8_t)0xDEU, (uint8_t)0xF9U, (uint8_t)0x9CU, (uint8_t)0x02U, (uint8_t)0x38U, + (uint8_t)0x61U, (uint8_t)0xB4U, (uint8_t)0x6FU, (uint8_t)0xC9U, (uint8_t)0xD6U, (uint8_t)0xE6U, + (uint8_t)0xC9U, (uint8_t)0x07U, (uint8_t)0x7AU, (uint8_t)0xD9U, (uint8_t)0x1DU, (uint8_t)0x26U, + (uint8_t)0x91U, (uint8_t)0xF7U, (uint8_t)0xF7U, (uint8_t)0xEEU, (uint8_t)0x59U, (uint8_t)0x8CU, + (uint8_t)0xB0U, (uint8_t)0xFAU, (uint8_t)0xC1U, (uint8_t)0x86U, (uint8_t)0xD9U, (uint8_t)0x1CU, + (uint8_t)0xAEU, (uint8_t)0xFEU, (uint8_t)0x13U, (uint8_t)0x09U, (uint8_t)0x85U, (uint8_t)0x13U, + (uint8_t)0x92U, (uint8_t)0x70U, 
(uint8_t)0xB4U, (uint8_t)0x13U, (uint8_t)0x0CU, (uint8_t)0x93U, + (uint8_t)0xBCU, (uint8_t)0x43U, (uint8_t)0x79U, (uint8_t)0x44U, (uint8_t)0xF4U, (uint8_t)0xFDU, + (uint8_t)0x44U, (uint8_t)0x52U, (uint8_t)0xE2U, (uint8_t)0xD7U, (uint8_t)0x4DU, (uint8_t)0xD3U, + (uint8_t)0x64U, (uint8_t)0xF2U, (uint8_t)0xE2U, (uint8_t)0x1EU, (uint8_t)0x71U, (uint8_t)0xF5U, + (uint8_t)0x4BU, (uint8_t)0xFFU, (uint8_t)0x5CU, (uint8_t)0xAEU, (uint8_t)0x82U, (uint8_t)0xABU, + (uint8_t)0x9CU, (uint8_t)0x9DU, (uint8_t)0xF6U, (uint8_t)0x9EU, (uint8_t)0xE8U, (uint8_t)0x6DU, + (uint8_t)0x2BU, (uint8_t)0xC5U, (uint8_t)0x22U, (uint8_t)0x36U, (uint8_t)0x3AU, (uint8_t)0x0DU, + (uint8_t)0xABU, (uint8_t)0xC5U, (uint8_t)0x21U, (uint8_t)0x97U, (uint8_t)0x9BU, (uint8_t)0x0DU, + (uint8_t)0xEAU, (uint8_t)0xDAU, (uint8_t)0x1DU, (uint8_t)0xBFU, (uint8_t)0x9AU, (uint8_t)0x42U, + (uint8_t)0xD5U, (uint8_t)0xC4U, (uint8_t)0x48U, (uint8_t)0x4EU, (uint8_t)0x0AU, (uint8_t)0xBCU, + (uint8_t)0xD0U, (uint8_t)0x6BU, (uint8_t)0xFAU, (uint8_t)0x53U, (uint8_t)0xDDU, (uint8_t)0xEFU, + (uint8_t)0x3CU, (uint8_t)0x1BU, (uint8_t)0x20U, (uint8_t)0xEEU, (uint8_t)0x3FU, (uint8_t)0xD5U, + (uint8_t)0x9DU, (uint8_t)0x7CU, (uint8_t)0x25U, (uint8_t)0xE4U, (uint8_t)0x1DU, (uint8_t)0x2BU, + (uint8_t)0x66U, (uint8_t)0x9EU, (uint8_t)0x1EU, (uint8_t)0xF1U, (uint8_t)0x6EU, (uint8_t)0x6FU, + (uint8_t)0x52U, (uint8_t)0xC3U, (uint8_t)0x16U, (uint8_t)0x4DU, (uint8_t)0xF4U, (uint8_t)0xFBU, + (uint8_t)0x79U, (uint8_t)0x30U, (uint8_t)0xE9U, (uint8_t)0xE4U, (uint8_t)0xE5U, (uint8_t)0x88U, + (uint8_t)0x57U, (uint8_t)0xB6U, (uint8_t)0xACU, (uint8_t)0x7DU, (uint8_t)0x5FU, (uint8_t)0x42U, + (uint8_t)0xD6U, (uint8_t)0x9FU, (uint8_t)0x6DU, (uint8_t)0x18U, (uint8_t)0x77U, (uint8_t)0x63U, + (uint8_t)0xCFU, (uint8_t)0x1DU, (uint8_t)0x55U, (uint8_t)0x03U, (uint8_t)0x40U, (uint8_t)0x04U, + (uint8_t)0x87U, (uint8_t)0xF5U, (uint8_t)0x5BU, (uint8_t)0xA5U, (uint8_t)0x7EU, (uint8_t)0x31U, + (uint8_t)0xCCU, (uint8_t)0x7AU, (uint8_t)0x71U, (uint8_t)0x35U, 
(uint8_t)0xC8U, (uint8_t)0x86U, + (uint8_t)0xEFU, (uint8_t)0xB4U, (uint8_t)0x31U, (uint8_t)0x8AU, (uint8_t)0xEDU, (uint8_t)0x6AU, + (uint8_t)0x1EU, (uint8_t)0x01U, (uint8_t)0x2DU, (uint8_t)0x9EU, (uint8_t)0x68U, (uint8_t)0x32U, + (uint8_t)0xA9U, (uint8_t)0x07U, (uint8_t)0x60U, (uint8_t)0x0AU, (uint8_t)0x91U, (uint8_t)0x81U, + (uint8_t)0x30U, (uint8_t)0xC4U, (uint8_t)0x6DU, (uint8_t)0xC7U, (uint8_t)0x78U, (uint8_t)0xF9U, + (uint8_t)0x71U, (uint8_t)0xADU, (uint8_t)0x00U, (uint8_t)0x38U, (uint8_t)0x09U, (uint8_t)0x29U, + (uint8_t)0x99U, (uint8_t)0xA3U, (uint8_t)0x33U, (uint8_t)0xCBU, (uint8_t)0x8BU, (uint8_t)0x7AU, + (uint8_t)0x1AU, (uint8_t)0x1DU, (uint8_t)0xB9U, (uint8_t)0x3DU, (uint8_t)0x71U, (uint8_t)0x40U, + (uint8_t)0x00U, (uint8_t)0x3CU, (uint8_t)0x2AU, (uint8_t)0x4EU, (uint8_t)0xCEU, (uint8_t)0xA9U, + (uint8_t)0xF9U, (uint8_t)0x8DU, (uint8_t)0x0AU, (uint8_t)0xCCU, (uint8_t)0x0AU, (uint8_t)0x82U, + (uint8_t)0x91U, (uint8_t)0xCDU, (uint8_t)0xCEU, (uint8_t)0xC9U, (uint8_t)0x7DU, (uint8_t)0xCFU, + (uint8_t)0x8EU, (uint8_t)0xC9U, (uint8_t)0xB5U, (uint8_t)0x5AU, (uint8_t)0x7FU, (uint8_t)0x88U, + (uint8_t)0xA4U, (uint8_t)0x6BU, (uint8_t)0x4DU, (uint8_t)0xB5U, (uint8_t)0xA8U, (uint8_t)0x51U, + (uint8_t)0xF4U, (uint8_t)0x41U, (uint8_t)0x82U, (uint8_t)0xE1U, (uint8_t)0xC6U, (uint8_t)0x8AU, + (uint8_t)0x00U, (uint8_t)0x7EU, (uint8_t)0x5EU, (uint8_t)0x65U, (uint8_t)0x5FU, (uint8_t)0x6AU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU + }; + +static const +uint8_t +Hacl_Impl_FFDHE_Constants_ffdhe_p6144[768U] = + { + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xADU, (uint8_t)0xF8U, (uint8_t)0x54U, (uint8_t)0x58U, + (uint8_t)0xA2U, (uint8_t)0xBBU, (uint8_t)0x4AU, (uint8_t)0x9AU, (uint8_t)0xAFU, (uint8_t)0xDCU, + (uint8_t)0x56U, (uint8_t)0x20U, (uint8_t)0x27U, (uint8_t)0x3DU, (uint8_t)0x3CU, 
(uint8_t)0xF1U, + (uint8_t)0xD8U, (uint8_t)0xB9U, (uint8_t)0xC5U, (uint8_t)0x83U, (uint8_t)0xCEU, (uint8_t)0x2DU, + (uint8_t)0x36U, (uint8_t)0x95U, (uint8_t)0xA9U, (uint8_t)0xE1U, (uint8_t)0x36U, (uint8_t)0x41U, + (uint8_t)0x14U, (uint8_t)0x64U, (uint8_t)0x33U, (uint8_t)0xFBU, (uint8_t)0xCCU, (uint8_t)0x93U, + (uint8_t)0x9DU, (uint8_t)0xCEU, (uint8_t)0x24U, (uint8_t)0x9BU, (uint8_t)0x3EU, (uint8_t)0xF9U, + (uint8_t)0x7DU, (uint8_t)0x2FU, (uint8_t)0xE3U, (uint8_t)0x63U, (uint8_t)0x63U, (uint8_t)0x0CU, + (uint8_t)0x75U, (uint8_t)0xD8U, (uint8_t)0xF6U, (uint8_t)0x81U, (uint8_t)0xB2U, (uint8_t)0x02U, + (uint8_t)0xAEU, (uint8_t)0xC4U, (uint8_t)0x61U, (uint8_t)0x7AU, (uint8_t)0xD3U, (uint8_t)0xDFU, + (uint8_t)0x1EU, (uint8_t)0xD5U, (uint8_t)0xD5U, (uint8_t)0xFDU, (uint8_t)0x65U, (uint8_t)0x61U, + (uint8_t)0x24U, (uint8_t)0x33U, (uint8_t)0xF5U, (uint8_t)0x1FU, (uint8_t)0x5FU, (uint8_t)0x06U, + (uint8_t)0x6EU, (uint8_t)0xD0U, (uint8_t)0x85U, (uint8_t)0x63U, (uint8_t)0x65U, (uint8_t)0x55U, + (uint8_t)0x3DU, (uint8_t)0xEDU, (uint8_t)0x1AU, (uint8_t)0xF3U, (uint8_t)0xB5U, (uint8_t)0x57U, + (uint8_t)0x13U, (uint8_t)0x5EU, (uint8_t)0x7FU, (uint8_t)0x57U, (uint8_t)0xC9U, (uint8_t)0x35U, + (uint8_t)0x98U, (uint8_t)0x4FU, (uint8_t)0x0CU, (uint8_t)0x70U, (uint8_t)0xE0U, (uint8_t)0xE6U, + (uint8_t)0x8BU, (uint8_t)0x77U, (uint8_t)0xE2U, (uint8_t)0xA6U, (uint8_t)0x89U, (uint8_t)0xDAU, + (uint8_t)0xF3U, (uint8_t)0xEFU, (uint8_t)0xE8U, (uint8_t)0x72U, (uint8_t)0x1DU, (uint8_t)0xF1U, + (uint8_t)0x58U, (uint8_t)0xA1U, (uint8_t)0x36U, (uint8_t)0xADU, (uint8_t)0xE7U, (uint8_t)0x35U, + (uint8_t)0x30U, (uint8_t)0xACU, (uint8_t)0xCAU, (uint8_t)0x4FU, (uint8_t)0x48U, (uint8_t)0x3AU, + (uint8_t)0x79U, (uint8_t)0x7AU, (uint8_t)0xBCU, (uint8_t)0x0AU, (uint8_t)0xB1U, (uint8_t)0x82U, + (uint8_t)0xB3U, (uint8_t)0x24U, (uint8_t)0xFBU, (uint8_t)0x61U, (uint8_t)0xD1U, (uint8_t)0x08U, + (uint8_t)0xA9U, (uint8_t)0x4BU, (uint8_t)0xB2U, (uint8_t)0xC8U, (uint8_t)0xE3U, (uint8_t)0xFBU, + (uint8_t)0xB9U, 
(uint8_t)0x6AU, (uint8_t)0xDAU, (uint8_t)0xB7U, (uint8_t)0x60U, (uint8_t)0xD7U, + (uint8_t)0xF4U, (uint8_t)0x68U, (uint8_t)0x1DU, (uint8_t)0x4FU, (uint8_t)0x42U, (uint8_t)0xA3U, + (uint8_t)0xDEU, (uint8_t)0x39U, (uint8_t)0x4DU, (uint8_t)0xF4U, (uint8_t)0xAEU, (uint8_t)0x56U, + (uint8_t)0xEDU, (uint8_t)0xE7U, (uint8_t)0x63U, (uint8_t)0x72U, (uint8_t)0xBBU, (uint8_t)0x19U, + (uint8_t)0x0BU, (uint8_t)0x07U, (uint8_t)0xA7U, (uint8_t)0xC8U, (uint8_t)0xEEU, (uint8_t)0x0AU, + (uint8_t)0x6DU, (uint8_t)0x70U, (uint8_t)0x9EU, (uint8_t)0x02U, (uint8_t)0xFCU, (uint8_t)0xE1U, + (uint8_t)0xCDU, (uint8_t)0xF7U, (uint8_t)0xE2U, (uint8_t)0xECU, (uint8_t)0xC0U, (uint8_t)0x34U, + (uint8_t)0x04U, (uint8_t)0xCDU, (uint8_t)0x28U, (uint8_t)0x34U, (uint8_t)0x2FU, (uint8_t)0x61U, + (uint8_t)0x91U, (uint8_t)0x72U, (uint8_t)0xFEU, (uint8_t)0x9CU, (uint8_t)0xE9U, (uint8_t)0x85U, + (uint8_t)0x83U, (uint8_t)0xFFU, (uint8_t)0x8EU, (uint8_t)0x4FU, (uint8_t)0x12U, (uint8_t)0x32U, + (uint8_t)0xEEU, (uint8_t)0xF2U, (uint8_t)0x81U, (uint8_t)0x83U, (uint8_t)0xC3U, (uint8_t)0xFEU, + (uint8_t)0x3BU, (uint8_t)0x1BU, (uint8_t)0x4CU, (uint8_t)0x6FU, (uint8_t)0xADU, (uint8_t)0x73U, + (uint8_t)0x3BU, (uint8_t)0xB5U, (uint8_t)0xFCU, (uint8_t)0xBCU, (uint8_t)0x2EU, (uint8_t)0xC2U, + (uint8_t)0x20U, (uint8_t)0x05U, (uint8_t)0xC5U, (uint8_t)0x8EU, (uint8_t)0xF1U, (uint8_t)0x83U, + (uint8_t)0x7DU, (uint8_t)0x16U, (uint8_t)0x83U, (uint8_t)0xB2U, (uint8_t)0xC6U, (uint8_t)0xF3U, + (uint8_t)0x4AU, (uint8_t)0x26U, (uint8_t)0xC1U, (uint8_t)0xB2U, (uint8_t)0xEFU, (uint8_t)0xFAU, + (uint8_t)0x88U, (uint8_t)0x6BU, (uint8_t)0x42U, (uint8_t)0x38U, (uint8_t)0x61U, (uint8_t)0x1FU, + (uint8_t)0xCFU, (uint8_t)0xDCU, (uint8_t)0xDEU, (uint8_t)0x35U, (uint8_t)0x5BU, (uint8_t)0x3BU, + (uint8_t)0x65U, (uint8_t)0x19U, (uint8_t)0x03U, (uint8_t)0x5BU, (uint8_t)0xBCU, (uint8_t)0x34U, + (uint8_t)0xF4U, (uint8_t)0xDEU, (uint8_t)0xF9U, (uint8_t)0x9CU, (uint8_t)0x02U, (uint8_t)0x38U, + (uint8_t)0x61U, (uint8_t)0xB4U, (uint8_t)0x6FU, 
(uint8_t)0xC9U, (uint8_t)0xD6U, (uint8_t)0xE6U, + (uint8_t)0xC9U, (uint8_t)0x07U, (uint8_t)0x7AU, (uint8_t)0xD9U, (uint8_t)0x1DU, (uint8_t)0x26U, + (uint8_t)0x91U, (uint8_t)0xF7U, (uint8_t)0xF7U, (uint8_t)0xEEU, (uint8_t)0x59U, (uint8_t)0x8CU, + (uint8_t)0xB0U, (uint8_t)0xFAU, (uint8_t)0xC1U, (uint8_t)0x86U, (uint8_t)0xD9U, (uint8_t)0x1CU, + (uint8_t)0xAEU, (uint8_t)0xFEU, (uint8_t)0x13U, (uint8_t)0x09U, (uint8_t)0x85U, (uint8_t)0x13U, + (uint8_t)0x92U, (uint8_t)0x70U, (uint8_t)0xB4U, (uint8_t)0x13U, (uint8_t)0x0CU, (uint8_t)0x93U, + (uint8_t)0xBCU, (uint8_t)0x43U, (uint8_t)0x79U, (uint8_t)0x44U, (uint8_t)0xF4U, (uint8_t)0xFDU, + (uint8_t)0x44U, (uint8_t)0x52U, (uint8_t)0xE2U, (uint8_t)0xD7U, (uint8_t)0x4DU, (uint8_t)0xD3U, + (uint8_t)0x64U, (uint8_t)0xF2U, (uint8_t)0xE2U, (uint8_t)0x1EU, (uint8_t)0x71U, (uint8_t)0xF5U, + (uint8_t)0x4BU, (uint8_t)0xFFU, (uint8_t)0x5CU, (uint8_t)0xAEU, (uint8_t)0x82U, (uint8_t)0xABU, + (uint8_t)0x9CU, (uint8_t)0x9DU, (uint8_t)0xF6U, (uint8_t)0x9EU, (uint8_t)0xE8U, (uint8_t)0x6DU, + (uint8_t)0x2BU, (uint8_t)0xC5U, (uint8_t)0x22U, (uint8_t)0x36U, (uint8_t)0x3AU, (uint8_t)0x0DU, + (uint8_t)0xABU, (uint8_t)0xC5U, (uint8_t)0x21U, (uint8_t)0x97U, (uint8_t)0x9BU, (uint8_t)0x0DU, + (uint8_t)0xEAU, (uint8_t)0xDAU, (uint8_t)0x1DU, (uint8_t)0xBFU, (uint8_t)0x9AU, (uint8_t)0x42U, + (uint8_t)0xD5U, (uint8_t)0xC4U, (uint8_t)0x48U, (uint8_t)0x4EU, (uint8_t)0x0AU, (uint8_t)0xBCU, + (uint8_t)0xD0U, (uint8_t)0x6BU, (uint8_t)0xFAU, (uint8_t)0x53U, (uint8_t)0xDDU, (uint8_t)0xEFU, + (uint8_t)0x3CU, (uint8_t)0x1BU, (uint8_t)0x20U, (uint8_t)0xEEU, (uint8_t)0x3FU, (uint8_t)0xD5U, + (uint8_t)0x9DU, (uint8_t)0x7CU, (uint8_t)0x25U, (uint8_t)0xE4U, (uint8_t)0x1DU, (uint8_t)0x2BU, + (uint8_t)0x66U, (uint8_t)0x9EU, (uint8_t)0x1EU, (uint8_t)0xF1U, (uint8_t)0x6EU, (uint8_t)0x6FU, + (uint8_t)0x52U, (uint8_t)0xC3U, (uint8_t)0x16U, (uint8_t)0x4DU, (uint8_t)0xF4U, (uint8_t)0xFBU, + (uint8_t)0x79U, (uint8_t)0x30U, (uint8_t)0xE9U, (uint8_t)0xE4U, (uint8_t)0xE5U, 
(uint8_t)0x88U, + (uint8_t)0x57U, (uint8_t)0xB6U, (uint8_t)0xACU, (uint8_t)0x7DU, (uint8_t)0x5FU, (uint8_t)0x42U, + (uint8_t)0xD6U, (uint8_t)0x9FU, (uint8_t)0x6DU, (uint8_t)0x18U, (uint8_t)0x77U, (uint8_t)0x63U, + (uint8_t)0xCFU, (uint8_t)0x1DU, (uint8_t)0x55U, (uint8_t)0x03U, (uint8_t)0x40U, (uint8_t)0x04U, + (uint8_t)0x87U, (uint8_t)0xF5U, (uint8_t)0x5BU, (uint8_t)0xA5U, (uint8_t)0x7EU, (uint8_t)0x31U, + (uint8_t)0xCCU, (uint8_t)0x7AU, (uint8_t)0x71U, (uint8_t)0x35U, (uint8_t)0xC8U, (uint8_t)0x86U, + (uint8_t)0xEFU, (uint8_t)0xB4U, (uint8_t)0x31U, (uint8_t)0x8AU, (uint8_t)0xEDU, (uint8_t)0x6AU, + (uint8_t)0x1EU, (uint8_t)0x01U, (uint8_t)0x2DU, (uint8_t)0x9EU, (uint8_t)0x68U, (uint8_t)0x32U, + (uint8_t)0xA9U, (uint8_t)0x07U, (uint8_t)0x60U, (uint8_t)0x0AU, (uint8_t)0x91U, (uint8_t)0x81U, + (uint8_t)0x30U, (uint8_t)0xC4U, (uint8_t)0x6DU, (uint8_t)0xC7U, (uint8_t)0x78U, (uint8_t)0xF9U, + (uint8_t)0x71U, (uint8_t)0xADU, (uint8_t)0x00U, (uint8_t)0x38U, (uint8_t)0x09U, (uint8_t)0x29U, + (uint8_t)0x99U, (uint8_t)0xA3U, (uint8_t)0x33U, (uint8_t)0xCBU, (uint8_t)0x8BU, (uint8_t)0x7AU, + (uint8_t)0x1AU, (uint8_t)0x1DU, (uint8_t)0xB9U, (uint8_t)0x3DU, (uint8_t)0x71U, (uint8_t)0x40U, + (uint8_t)0x00U, (uint8_t)0x3CU, (uint8_t)0x2AU, (uint8_t)0x4EU, (uint8_t)0xCEU, (uint8_t)0xA9U, + (uint8_t)0xF9U, (uint8_t)0x8DU, (uint8_t)0x0AU, (uint8_t)0xCCU, (uint8_t)0x0AU, (uint8_t)0x82U, + (uint8_t)0x91U, (uint8_t)0xCDU, (uint8_t)0xCEU, (uint8_t)0xC9U, (uint8_t)0x7DU, (uint8_t)0xCFU, + (uint8_t)0x8EU, (uint8_t)0xC9U, (uint8_t)0xB5U, (uint8_t)0x5AU, (uint8_t)0x7FU, (uint8_t)0x88U, + (uint8_t)0xA4U, (uint8_t)0x6BU, (uint8_t)0x4DU, (uint8_t)0xB5U, (uint8_t)0xA8U, (uint8_t)0x51U, + (uint8_t)0xF4U, (uint8_t)0x41U, (uint8_t)0x82U, (uint8_t)0xE1U, (uint8_t)0xC6U, (uint8_t)0x8AU, + (uint8_t)0x00U, (uint8_t)0x7EU, (uint8_t)0x5EU, (uint8_t)0x0DU, (uint8_t)0xD9U, (uint8_t)0x02U, + (uint8_t)0x0BU, (uint8_t)0xFDU, (uint8_t)0x64U, (uint8_t)0xB6U, (uint8_t)0x45U, (uint8_t)0x03U, + (uint8_t)0x6CU, 
(uint8_t)0x7AU, (uint8_t)0x4EU, (uint8_t)0x67U, (uint8_t)0x7DU, (uint8_t)0x2CU, + (uint8_t)0x38U, (uint8_t)0x53U, (uint8_t)0x2AU, (uint8_t)0x3AU, (uint8_t)0x23U, (uint8_t)0xBAU, + (uint8_t)0x44U, (uint8_t)0x42U, (uint8_t)0xCAU, (uint8_t)0xF5U, (uint8_t)0x3EU, (uint8_t)0xA6U, + (uint8_t)0x3BU, (uint8_t)0xB4U, (uint8_t)0x54U, (uint8_t)0x32U, (uint8_t)0x9BU, (uint8_t)0x76U, + (uint8_t)0x24U, (uint8_t)0xC8U, (uint8_t)0x91U, (uint8_t)0x7BU, (uint8_t)0xDDU, (uint8_t)0x64U, + (uint8_t)0xB1U, (uint8_t)0xC0U, (uint8_t)0xFDU, (uint8_t)0x4CU, (uint8_t)0xB3U, (uint8_t)0x8EU, + (uint8_t)0x8CU, (uint8_t)0x33U, (uint8_t)0x4CU, (uint8_t)0x70U, (uint8_t)0x1CU, (uint8_t)0x3AU, + (uint8_t)0xCDU, (uint8_t)0xADU, (uint8_t)0x06U, (uint8_t)0x57U, (uint8_t)0xFCU, (uint8_t)0xCFU, + (uint8_t)0xECU, (uint8_t)0x71U, (uint8_t)0x9BU, (uint8_t)0x1FU, (uint8_t)0x5CU, (uint8_t)0x3EU, + (uint8_t)0x4EU, (uint8_t)0x46U, (uint8_t)0x04U, (uint8_t)0x1FU, (uint8_t)0x38U, (uint8_t)0x81U, + (uint8_t)0x47U, (uint8_t)0xFBU, (uint8_t)0x4CU, (uint8_t)0xFDU, (uint8_t)0xB4U, (uint8_t)0x77U, + (uint8_t)0xA5U, (uint8_t)0x24U, (uint8_t)0x71U, (uint8_t)0xF7U, (uint8_t)0xA9U, (uint8_t)0xA9U, + (uint8_t)0x69U, (uint8_t)0x10U, (uint8_t)0xB8U, (uint8_t)0x55U, (uint8_t)0x32U, (uint8_t)0x2EU, + (uint8_t)0xDBU, (uint8_t)0x63U, (uint8_t)0x40U, (uint8_t)0xD8U, (uint8_t)0xA0U, (uint8_t)0x0EU, + (uint8_t)0xF0U, (uint8_t)0x92U, (uint8_t)0x35U, (uint8_t)0x05U, (uint8_t)0x11U, (uint8_t)0xE3U, + (uint8_t)0x0AU, (uint8_t)0xBEU, (uint8_t)0xC1U, (uint8_t)0xFFU, (uint8_t)0xF9U, (uint8_t)0xE3U, + (uint8_t)0xA2U, (uint8_t)0x6EU, (uint8_t)0x7FU, (uint8_t)0xB2U, (uint8_t)0x9FU, (uint8_t)0x8CU, + (uint8_t)0x18U, (uint8_t)0x30U, (uint8_t)0x23U, (uint8_t)0xC3U, (uint8_t)0x58U, (uint8_t)0x7EU, + (uint8_t)0x38U, (uint8_t)0xDAU, (uint8_t)0x00U, (uint8_t)0x77U, (uint8_t)0xD9U, (uint8_t)0xB4U, + (uint8_t)0x76U, (uint8_t)0x3EU, (uint8_t)0x4EU, (uint8_t)0x4BU, (uint8_t)0x94U, (uint8_t)0xB2U, + (uint8_t)0xBBU, (uint8_t)0xC1U, (uint8_t)0x94U, 
(uint8_t)0xC6U, (uint8_t)0x65U, (uint8_t)0x1EU, + (uint8_t)0x77U, (uint8_t)0xCAU, (uint8_t)0xF9U, (uint8_t)0x92U, (uint8_t)0xEEU, (uint8_t)0xAAU, + (uint8_t)0xC0U, (uint8_t)0x23U, (uint8_t)0x2AU, (uint8_t)0x28U, (uint8_t)0x1BU, (uint8_t)0xF6U, + (uint8_t)0xB3U, (uint8_t)0xA7U, (uint8_t)0x39U, (uint8_t)0xC1U, (uint8_t)0x22U, (uint8_t)0x61U, + (uint8_t)0x16U, (uint8_t)0x82U, (uint8_t)0x0AU, (uint8_t)0xE8U, (uint8_t)0xDBU, (uint8_t)0x58U, + (uint8_t)0x47U, (uint8_t)0xA6U, (uint8_t)0x7CU, (uint8_t)0xBEU, (uint8_t)0xF9U, (uint8_t)0xC9U, + (uint8_t)0x09U, (uint8_t)0x1BU, (uint8_t)0x46U, (uint8_t)0x2DU, (uint8_t)0x53U, (uint8_t)0x8CU, + (uint8_t)0xD7U, (uint8_t)0x2BU, (uint8_t)0x03U, (uint8_t)0x74U, (uint8_t)0x6AU, (uint8_t)0xE7U, + (uint8_t)0x7FU, (uint8_t)0x5EU, (uint8_t)0x62U, (uint8_t)0x29U, (uint8_t)0x2CU, (uint8_t)0x31U, + (uint8_t)0x15U, (uint8_t)0x62U, (uint8_t)0xA8U, (uint8_t)0x46U, (uint8_t)0x50U, (uint8_t)0x5DU, + (uint8_t)0xC8U, (uint8_t)0x2DU, (uint8_t)0xB8U, (uint8_t)0x54U, (uint8_t)0x33U, (uint8_t)0x8AU, + (uint8_t)0xE4U, (uint8_t)0x9FU, (uint8_t)0x52U, (uint8_t)0x35U, (uint8_t)0xC9U, (uint8_t)0x5BU, + (uint8_t)0x91U, (uint8_t)0x17U, (uint8_t)0x8CU, (uint8_t)0xCFU, (uint8_t)0x2DU, (uint8_t)0xD5U, + (uint8_t)0xCAU, (uint8_t)0xCEU, (uint8_t)0xF4U, (uint8_t)0x03U, (uint8_t)0xECU, (uint8_t)0x9DU, + (uint8_t)0x18U, (uint8_t)0x10U, (uint8_t)0xC6U, (uint8_t)0x27U, (uint8_t)0x2BU, (uint8_t)0x04U, + (uint8_t)0x5BU, (uint8_t)0x3BU, (uint8_t)0x71U, (uint8_t)0xF9U, (uint8_t)0xDCU, (uint8_t)0x6BU, + (uint8_t)0x80U, (uint8_t)0xD6U, (uint8_t)0x3FU, (uint8_t)0xDDU, (uint8_t)0x4AU, (uint8_t)0x8EU, + (uint8_t)0x9AU, (uint8_t)0xDBU, (uint8_t)0x1EU, (uint8_t)0x69U, (uint8_t)0x62U, (uint8_t)0xA6U, + (uint8_t)0x95U, (uint8_t)0x26U, (uint8_t)0xD4U, (uint8_t)0x31U, (uint8_t)0x61U, (uint8_t)0xC1U, + (uint8_t)0xA4U, (uint8_t)0x1DU, (uint8_t)0x57U, (uint8_t)0x0DU, (uint8_t)0x79U, (uint8_t)0x38U, + (uint8_t)0xDAU, (uint8_t)0xD4U, (uint8_t)0xA4U, (uint8_t)0x0EU, (uint8_t)0x32U, 
(uint8_t)0x9CU, + (uint8_t)0xD0U, (uint8_t)0xE4U, (uint8_t)0x0EU, (uint8_t)0x65U, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU + }; + +static const +uint8_t +Hacl_Impl_FFDHE_Constants_ffdhe_p8192[1024U] = + { + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xADU, (uint8_t)0xF8U, (uint8_t)0x54U, (uint8_t)0x58U, + (uint8_t)0xA2U, (uint8_t)0xBBU, (uint8_t)0x4AU, (uint8_t)0x9AU, (uint8_t)0xAFU, (uint8_t)0xDCU, + (uint8_t)0x56U, (uint8_t)0x20U, (uint8_t)0x27U, (uint8_t)0x3DU, (uint8_t)0x3CU, (uint8_t)0xF1U, + (uint8_t)0xD8U, (uint8_t)0xB9U, (uint8_t)0xC5U, (uint8_t)0x83U, (uint8_t)0xCEU, (uint8_t)0x2DU, + (uint8_t)0x36U, (uint8_t)0x95U, (uint8_t)0xA9U, (uint8_t)0xE1U, (uint8_t)0x36U, (uint8_t)0x41U, + (uint8_t)0x14U, (uint8_t)0x64U, (uint8_t)0x33U, (uint8_t)0xFBU, (uint8_t)0xCCU, (uint8_t)0x93U, + (uint8_t)0x9DU, (uint8_t)0xCEU, (uint8_t)0x24U, (uint8_t)0x9BU, (uint8_t)0x3EU, (uint8_t)0xF9U, + (uint8_t)0x7DU, (uint8_t)0x2FU, (uint8_t)0xE3U, (uint8_t)0x63U, (uint8_t)0x63U, (uint8_t)0x0CU, + (uint8_t)0x75U, (uint8_t)0xD8U, (uint8_t)0xF6U, (uint8_t)0x81U, (uint8_t)0xB2U, (uint8_t)0x02U, + (uint8_t)0xAEU, (uint8_t)0xC4U, (uint8_t)0x61U, (uint8_t)0x7AU, (uint8_t)0xD3U, (uint8_t)0xDFU, + (uint8_t)0x1EU, (uint8_t)0xD5U, (uint8_t)0xD5U, (uint8_t)0xFDU, (uint8_t)0x65U, (uint8_t)0x61U, + (uint8_t)0x24U, (uint8_t)0x33U, (uint8_t)0xF5U, (uint8_t)0x1FU, (uint8_t)0x5FU, (uint8_t)0x06U, + (uint8_t)0x6EU, (uint8_t)0xD0U, (uint8_t)0x85U, (uint8_t)0x63U, (uint8_t)0x65U, (uint8_t)0x55U, + (uint8_t)0x3DU, (uint8_t)0xEDU, (uint8_t)0x1AU, (uint8_t)0xF3U, (uint8_t)0xB5U, (uint8_t)0x57U, + (uint8_t)0x13U, (uint8_t)0x5EU, (uint8_t)0x7FU, (uint8_t)0x57U, (uint8_t)0xC9U, (uint8_t)0x35U, + (uint8_t)0x98U, (uint8_t)0x4FU, (uint8_t)0x0CU, (uint8_t)0x70U, (uint8_t)0xE0U, (uint8_t)0xE6U, + (uint8_t)0x8BU, (uint8_t)0x77U, 
(uint8_t)0xE2U, (uint8_t)0xA6U, (uint8_t)0x89U, (uint8_t)0xDAU, + (uint8_t)0xF3U, (uint8_t)0xEFU, (uint8_t)0xE8U, (uint8_t)0x72U, (uint8_t)0x1DU, (uint8_t)0xF1U, + (uint8_t)0x58U, (uint8_t)0xA1U, (uint8_t)0x36U, (uint8_t)0xADU, (uint8_t)0xE7U, (uint8_t)0x35U, + (uint8_t)0x30U, (uint8_t)0xACU, (uint8_t)0xCAU, (uint8_t)0x4FU, (uint8_t)0x48U, (uint8_t)0x3AU, + (uint8_t)0x79U, (uint8_t)0x7AU, (uint8_t)0xBCU, (uint8_t)0x0AU, (uint8_t)0xB1U, (uint8_t)0x82U, + (uint8_t)0xB3U, (uint8_t)0x24U, (uint8_t)0xFBU, (uint8_t)0x61U, (uint8_t)0xD1U, (uint8_t)0x08U, + (uint8_t)0xA9U, (uint8_t)0x4BU, (uint8_t)0xB2U, (uint8_t)0xC8U, (uint8_t)0xE3U, (uint8_t)0xFBU, + (uint8_t)0xB9U, (uint8_t)0x6AU, (uint8_t)0xDAU, (uint8_t)0xB7U, (uint8_t)0x60U, (uint8_t)0xD7U, + (uint8_t)0xF4U, (uint8_t)0x68U, (uint8_t)0x1DU, (uint8_t)0x4FU, (uint8_t)0x42U, (uint8_t)0xA3U, + (uint8_t)0xDEU, (uint8_t)0x39U, (uint8_t)0x4DU, (uint8_t)0xF4U, (uint8_t)0xAEU, (uint8_t)0x56U, + (uint8_t)0xEDU, (uint8_t)0xE7U, (uint8_t)0x63U, (uint8_t)0x72U, (uint8_t)0xBBU, (uint8_t)0x19U, + (uint8_t)0x0BU, (uint8_t)0x07U, (uint8_t)0xA7U, (uint8_t)0xC8U, (uint8_t)0xEEU, (uint8_t)0x0AU, + (uint8_t)0x6DU, (uint8_t)0x70U, (uint8_t)0x9EU, (uint8_t)0x02U, (uint8_t)0xFCU, (uint8_t)0xE1U, + (uint8_t)0xCDU, (uint8_t)0xF7U, (uint8_t)0xE2U, (uint8_t)0xECU, (uint8_t)0xC0U, (uint8_t)0x34U, + (uint8_t)0x04U, (uint8_t)0xCDU, (uint8_t)0x28U, (uint8_t)0x34U, (uint8_t)0x2FU, (uint8_t)0x61U, + (uint8_t)0x91U, (uint8_t)0x72U, (uint8_t)0xFEU, (uint8_t)0x9CU, (uint8_t)0xE9U, (uint8_t)0x85U, + (uint8_t)0x83U, (uint8_t)0xFFU, (uint8_t)0x8EU, (uint8_t)0x4FU, (uint8_t)0x12U, (uint8_t)0x32U, + (uint8_t)0xEEU, (uint8_t)0xF2U, (uint8_t)0x81U, (uint8_t)0x83U, (uint8_t)0xC3U, (uint8_t)0xFEU, + (uint8_t)0x3BU, (uint8_t)0x1BU, (uint8_t)0x4CU, (uint8_t)0x6FU, (uint8_t)0xADU, (uint8_t)0x73U, + (uint8_t)0x3BU, (uint8_t)0xB5U, (uint8_t)0xFCU, (uint8_t)0xBCU, (uint8_t)0x2EU, (uint8_t)0xC2U, + (uint8_t)0x20U, (uint8_t)0x05U, (uint8_t)0xC5U, (uint8_t)0x8EU, 
(uint8_t)0xF1U, (uint8_t)0x83U, + (uint8_t)0x7DU, (uint8_t)0x16U, (uint8_t)0x83U, (uint8_t)0xB2U, (uint8_t)0xC6U, (uint8_t)0xF3U, + (uint8_t)0x4AU, (uint8_t)0x26U, (uint8_t)0xC1U, (uint8_t)0xB2U, (uint8_t)0xEFU, (uint8_t)0xFAU, + (uint8_t)0x88U, (uint8_t)0x6BU, (uint8_t)0x42U, (uint8_t)0x38U, (uint8_t)0x61U, (uint8_t)0x1FU, + (uint8_t)0xCFU, (uint8_t)0xDCU, (uint8_t)0xDEU, (uint8_t)0x35U, (uint8_t)0x5BU, (uint8_t)0x3BU, + (uint8_t)0x65U, (uint8_t)0x19U, (uint8_t)0x03U, (uint8_t)0x5BU, (uint8_t)0xBCU, (uint8_t)0x34U, + (uint8_t)0xF4U, (uint8_t)0xDEU, (uint8_t)0xF9U, (uint8_t)0x9CU, (uint8_t)0x02U, (uint8_t)0x38U, + (uint8_t)0x61U, (uint8_t)0xB4U, (uint8_t)0x6FU, (uint8_t)0xC9U, (uint8_t)0xD6U, (uint8_t)0xE6U, + (uint8_t)0xC9U, (uint8_t)0x07U, (uint8_t)0x7AU, (uint8_t)0xD9U, (uint8_t)0x1DU, (uint8_t)0x26U, + (uint8_t)0x91U, (uint8_t)0xF7U, (uint8_t)0xF7U, (uint8_t)0xEEU, (uint8_t)0x59U, (uint8_t)0x8CU, + (uint8_t)0xB0U, (uint8_t)0xFAU, (uint8_t)0xC1U, (uint8_t)0x86U, (uint8_t)0xD9U, (uint8_t)0x1CU, + (uint8_t)0xAEU, (uint8_t)0xFEU, (uint8_t)0x13U, (uint8_t)0x09U, (uint8_t)0x85U, (uint8_t)0x13U, + (uint8_t)0x92U, (uint8_t)0x70U, (uint8_t)0xB4U, (uint8_t)0x13U, (uint8_t)0x0CU, (uint8_t)0x93U, + (uint8_t)0xBCU, (uint8_t)0x43U, (uint8_t)0x79U, (uint8_t)0x44U, (uint8_t)0xF4U, (uint8_t)0xFDU, + (uint8_t)0x44U, (uint8_t)0x52U, (uint8_t)0xE2U, (uint8_t)0xD7U, (uint8_t)0x4DU, (uint8_t)0xD3U, + (uint8_t)0x64U, (uint8_t)0xF2U, (uint8_t)0xE2U, (uint8_t)0x1EU, (uint8_t)0x71U, (uint8_t)0xF5U, + (uint8_t)0x4BU, (uint8_t)0xFFU, (uint8_t)0x5CU, (uint8_t)0xAEU, (uint8_t)0x82U, (uint8_t)0xABU, + (uint8_t)0x9CU, (uint8_t)0x9DU, (uint8_t)0xF6U, (uint8_t)0x9EU, (uint8_t)0xE8U, (uint8_t)0x6DU, + (uint8_t)0x2BU, (uint8_t)0xC5U, (uint8_t)0x22U, (uint8_t)0x36U, (uint8_t)0x3AU, (uint8_t)0x0DU, + (uint8_t)0xABU, (uint8_t)0xC5U, (uint8_t)0x21U, (uint8_t)0x97U, (uint8_t)0x9BU, (uint8_t)0x0DU, + (uint8_t)0xEAU, (uint8_t)0xDAU, (uint8_t)0x1DU, (uint8_t)0xBFU, (uint8_t)0x9AU, (uint8_t)0x42U, + 
(uint8_t)0xD5U, (uint8_t)0xC4U, (uint8_t)0x48U, (uint8_t)0x4EU, (uint8_t)0x0AU, (uint8_t)0xBCU, + (uint8_t)0xD0U, (uint8_t)0x6BU, (uint8_t)0xFAU, (uint8_t)0x53U, (uint8_t)0xDDU, (uint8_t)0xEFU, + (uint8_t)0x3CU, (uint8_t)0x1BU, (uint8_t)0x20U, (uint8_t)0xEEU, (uint8_t)0x3FU, (uint8_t)0xD5U, + (uint8_t)0x9DU, (uint8_t)0x7CU, (uint8_t)0x25U, (uint8_t)0xE4U, (uint8_t)0x1DU, (uint8_t)0x2BU, + (uint8_t)0x66U, (uint8_t)0x9EU, (uint8_t)0x1EU, (uint8_t)0xF1U, (uint8_t)0x6EU, (uint8_t)0x6FU, + (uint8_t)0x52U, (uint8_t)0xC3U, (uint8_t)0x16U, (uint8_t)0x4DU, (uint8_t)0xF4U, (uint8_t)0xFBU, + (uint8_t)0x79U, (uint8_t)0x30U, (uint8_t)0xE9U, (uint8_t)0xE4U, (uint8_t)0xE5U, (uint8_t)0x88U, + (uint8_t)0x57U, (uint8_t)0xB6U, (uint8_t)0xACU, (uint8_t)0x7DU, (uint8_t)0x5FU, (uint8_t)0x42U, + (uint8_t)0xD6U, (uint8_t)0x9FU, (uint8_t)0x6DU, (uint8_t)0x18U, (uint8_t)0x77U, (uint8_t)0x63U, + (uint8_t)0xCFU, (uint8_t)0x1DU, (uint8_t)0x55U, (uint8_t)0x03U, (uint8_t)0x40U, (uint8_t)0x04U, + (uint8_t)0x87U, (uint8_t)0xF5U, (uint8_t)0x5BU, (uint8_t)0xA5U, (uint8_t)0x7EU, (uint8_t)0x31U, + (uint8_t)0xCCU, (uint8_t)0x7AU, (uint8_t)0x71U, (uint8_t)0x35U, (uint8_t)0xC8U, (uint8_t)0x86U, + (uint8_t)0xEFU, (uint8_t)0xB4U, (uint8_t)0x31U, (uint8_t)0x8AU, (uint8_t)0xEDU, (uint8_t)0x6AU, + (uint8_t)0x1EU, (uint8_t)0x01U, (uint8_t)0x2DU, (uint8_t)0x9EU, (uint8_t)0x68U, (uint8_t)0x32U, + (uint8_t)0xA9U, (uint8_t)0x07U, (uint8_t)0x60U, (uint8_t)0x0AU, (uint8_t)0x91U, (uint8_t)0x81U, + (uint8_t)0x30U, (uint8_t)0xC4U, (uint8_t)0x6DU, (uint8_t)0xC7U, (uint8_t)0x78U, (uint8_t)0xF9U, + (uint8_t)0x71U, (uint8_t)0xADU, (uint8_t)0x00U, (uint8_t)0x38U, (uint8_t)0x09U, (uint8_t)0x29U, + (uint8_t)0x99U, (uint8_t)0xA3U, (uint8_t)0x33U, (uint8_t)0xCBU, (uint8_t)0x8BU, (uint8_t)0x7AU, + (uint8_t)0x1AU, (uint8_t)0x1DU, (uint8_t)0xB9U, (uint8_t)0x3DU, (uint8_t)0x71U, (uint8_t)0x40U, + (uint8_t)0x00U, (uint8_t)0x3CU, (uint8_t)0x2AU, (uint8_t)0x4EU, (uint8_t)0xCEU, (uint8_t)0xA9U, + (uint8_t)0xF9U, (uint8_t)0x8DU, 
(uint8_t)0x0AU, (uint8_t)0xCCU, (uint8_t)0x0AU, (uint8_t)0x82U, + (uint8_t)0x91U, (uint8_t)0xCDU, (uint8_t)0xCEU, (uint8_t)0xC9U, (uint8_t)0x7DU, (uint8_t)0xCFU, + (uint8_t)0x8EU, (uint8_t)0xC9U, (uint8_t)0xB5U, (uint8_t)0x5AU, (uint8_t)0x7FU, (uint8_t)0x88U, + (uint8_t)0xA4U, (uint8_t)0x6BU, (uint8_t)0x4DU, (uint8_t)0xB5U, (uint8_t)0xA8U, (uint8_t)0x51U, + (uint8_t)0xF4U, (uint8_t)0x41U, (uint8_t)0x82U, (uint8_t)0xE1U, (uint8_t)0xC6U, (uint8_t)0x8AU, + (uint8_t)0x00U, (uint8_t)0x7EU, (uint8_t)0x5EU, (uint8_t)0x0DU, (uint8_t)0xD9U, (uint8_t)0x02U, + (uint8_t)0x0BU, (uint8_t)0xFDU, (uint8_t)0x64U, (uint8_t)0xB6U, (uint8_t)0x45U, (uint8_t)0x03U, + (uint8_t)0x6CU, (uint8_t)0x7AU, (uint8_t)0x4EU, (uint8_t)0x67U, (uint8_t)0x7DU, (uint8_t)0x2CU, + (uint8_t)0x38U, (uint8_t)0x53U, (uint8_t)0x2AU, (uint8_t)0x3AU, (uint8_t)0x23U, (uint8_t)0xBAU, + (uint8_t)0x44U, (uint8_t)0x42U, (uint8_t)0xCAU, (uint8_t)0xF5U, (uint8_t)0x3EU, (uint8_t)0xA6U, + (uint8_t)0x3BU, (uint8_t)0xB4U, (uint8_t)0x54U, (uint8_t)0x32U, (uint8_t)0x9BU, (uint8_t)0x76U, + (uint8_t)0x24U, (uint8_t)0xC8U, (uint8_t)0x91U, (uint8_t)0x7BU, (uint8_t)0xDDU, (uint8_t)0x64U, + (uint8_t)0xB1U, (uint8_t)0xC0U, (uint8_t)0xFDU, (uint8_t)0x4CU, (uint8_t)0xB3U, (uint8_t)0x8EU, + (uint8_t)0x8CU, (uint8_t)0x33U, (uint8_t)0x4CU, (uint8_t)0x70U, (uint8_t)0x1CU, (uint8_t)0x3AU, + (uint8_t)0xCDU, (uint8_t)0xADU, (uint8_t)0x06U, (uint8_t)0x57U, (uint8_t)0xFCU, (uint8_t)0xCFU, + (uint8_t)0xECU, (uint8_t)0x71U, (uint8_t)0x9BU, (uint8_t)0x1FU, (uint8_t)0x5CU, (uint8_t)0x3EU, + (uint8_t)0x4EU, (uint8_t)0x46U, (uint8_t)0x04U, (uint8_t)0x1FU, (uint8_t)0x38U, (uint8_t)0x81U, + (uint8_t)0x47U, (uint8_t)0xFBU, (uint8_t)0x4CU, (uint8_t)0xFDU, (uint8_t)0xB4U, (uint8_t)0x77U, + (uint8_t)0xA5U, (uint8_t)0x24U, (uint8_t)0x71U, (uint8_t)0xF7U, (uint8_t)0xA9U, (uint8_t)0xA9U, + (uint8_t)0x69U, (uint8_t)0x10U, (uint8_t)0xB8U, (uint8_t)0x55U, (uint8_t)0x32U, (uint8_t)0x2EU, + (uint8_t)0xDBU, (uint8_t)0x63U, (uint8_t)0x40U, (uint8_t)0xD8U, 
(uint8_t)0xA0U, (uint8_t)0x0EU, + (uint8_t)0xF0U, (uint8_t)0x92U, (uint8_t)0x35U, (uint8_t)0x05U, (uint8_t)0x11U, (uint8_t)0xE3U, + (uint8_t)0x0AU, (uint8_t)0xBEU, (uint8_t)0xC1U, (uint8_t)0xFFU, (uint8_t)0xF9U, (uint8_t)0xE3U, + (uint8_t)0xA2U, (uint8_t)0x6EU, (uint8_t)0x7FU, (uint8_t)0xB2U, (uint8_t)0x9FU, (uint8_t)0x8CU, + (uint8_t)0x18U, (uint8_t)0x30U, (uint8_t)0x23U, (uint8_t)0xC3U, (uint8_t)0x58U, (uint8_t)0x7EU, + (uint8_t)0x38U, (uint8_t)0xDAU, (uint8_t)0x00U, (uint8_t)0x77U, (uint8_t)0xD9U, (uint8_t)0xB4U, + (uint8_t)0x76U, (uint8_t)0x3EU, (uint8_t)0x4EU, (uint8_t)0x4BU, (uint8_t)0x94U, (uint8_t)0xB2U, + (uint8_t)0xBBU, (uint8_t)0xC1U, (uint8_t)0x94U, (uint8_t)0xC6U, (uint8_t)0x65U, (uint8_t)0x1EU, + (uint8_t)0x77U, (uint8_t)0xCAU, (uint8_t)0xF9U, (uint8_t)0x92U, (uint8_t)0xEEU, (uint8_t)0xAAU, + (uint8_t)0xC0U, (uint8_t)0x23U, (uint8_t)0x2AU, (uint8_t)0x28U, (uint8_t)0x1BU, (uint8_t)0xF6U, + (uint8_t)0xB3U, (uint8_t)0xA7U, (uint8_t)0x39U, (uint8_t)0xC1U, (uint8_t)0x22U, (uint8_t)0x61U, + (uint8_t)0x16U, (uint8_t)0x82U, (uint8_t)0x0AU, (uint8_t)0xE8U, (uint8_t)0xDBU, (uint8_t)0x58U, + (uint8_t)0x47U, (uint8_t)0xA6U, (uint8_t)0x7CU, (uint8_t)0xBEU, (uint8_t)0xF9U, (uint8_t)0xC9U, + (uint8_t)0x09U, (uint8_t)0x1BU, (uint8_t)0x46U, (uint8_t)0x2DU, (uint8_t)0x53U, (uint8_t)0x8CU, + (uint8_t)0xD7U, (uint8_t)0x2BU, (uint8_t)0x03U, (uint8_t)0x74U, (uint8_t)0x6AU, (uint8_t)0xE7U, + (uint8_t)0x7FU, (uint8_t)0x5EU, (uint8_t)0x62U, (uint8_t)0x29U, (uint8_t)0x2CU, (uint8_t)0x31U, + (uint8_t)0x15U, (uint8_t)0x62U, (uint8_t)0xA8U, (uint8_t)0x46U, (uint8_t)0x50U, (uint8_t)0x5DU, + (uint8_t)0xC8U, (uint8_t)0x2DU, (uint8_t)0xB8U, (uint8_t)0x54U, (uint8_t)0x33U, (uint8_t)0x8AU, + (uint8_t)0xE4U, (uint8_t)0x9FU, (uint8_t)0x52U, (uint8_t)0x35U, (uint8_t)0xC9U, (uint8_t)0x5BU, + (uint8_t)0x91U, (uint8_t)0x17U, (uint8_t)0x8CU, (uint8_t)0xCFU, (uint8_t)0x2DU, (uint8_t)0xD5U, + (uint8_t)0xCAU, (uint8_t)0xCEU, (uint8_t)0xF4U, (uint8_t)0x03U, (uint8_t)0xECU, (uint8_t)0x9DU, + 
(uint8_t)0x18U, (uint8_t)0x10U, (uint8_t)0xC6U, (uint8_t)0x27U, (uint8_t)0x2BU, (uint8_t)0x04U, + (uint8_t)0x5BU, (uint8_t)0x3BU, (uint8_t)0x71U, (uint8_t)0xF9U, (uint8_t)0xDCU, (uint8_t)0x6BU, + (uint8_t)0x80U, (uint8_t)0xD6U, (uint8_t)0x3FU, (uint8_t)0xDDU, (uint8_t)0x4AU, (uint8_t)0x8EU, + (uint8_t)0x9AU, (uint8_t)0xDBU, (uint8_t)0x1EU, (uint8_t)0x69U, (uint8_t)0x62U, (uint8_t)0xA6U, + (uint8_t)0x95U, (uint8_t)0x26U, (uint8_t)0xD4U, (uint8_t)0x31U, (uint8_t)0x61U, (uint8_t)0xC1U, + (uint8_t)0xA4U, (uint8_t)0x1DU, (uint8_t)0x57U, (uint8_t)0x0DU, (uint8_t)0x79U, (uint8_t)0x38U, + (uint8_t)0xDAU, (uint8_t)0xD4U, (uint8_t)0xA4U, (uint8_t)0x0EU, (uint8_t)0x32U, (uint8_t)0x9CU, + (uint8_t)0xCFU, (uint8_t)0xF4U, (uint8_t)0x6AU, (uint8_t)0xAAU, (uint8_t)0x36U, (uint8_t)0xADU, + (uint8_t)0x00U, (uint8_t)0x4CU, (uint8_t)0xF6U, (uint8_t)0x00U, (uint8_t)0xC8U, (uint8_t)0x38U, + (uint8_t)0x1EU, (uint8_t)0x42U, (uint8_t)0x5AU, (uint8_t)0x31U, (uint8_t)0xD9U, (uint8_t)0x51U, + (uint8_t)0xAEU, (uint8_t)0x64U, (uint8_t)0xFDU, (uint8_t)0xB2U, (uint8_t)0x3FU, (uint8_t)0xCEU, + (uint8_t)0xC9U, (uint8_t)0x50U, (uint8_t)0x9DU, (uint8_t)0x43U, (uint8_t)0x68U, (uint8_t)0x7FU, + (uint8_t)0xEBU, (uint8_t)0x69U, (uint8_t)0xEDU, (uint8_t)0xD1U, (uint8_t)0xCCU, (uint8_t)0x5EU, + (uint8_t)0x0BU, (uint8_t)0x8CU, (uint8_t)0xC3U, (uint8_t)0xBDU, (uint8_t)0xF6U, (uint8_t)0x4BU, + (uint8_t)0x10U, (uint8_t)0xEFU, (uint8_t)0x86U, (uint8_t)0xB6U, (uint8_t)0x31U, (uint8_t)0x42U, + (uint8_t)0xA3U, (uint8_t)0xABU, (uint8_t)0x88U, (uint8_t)0x29U, (uint8_t)0x55U, (uint8_t)0x5BU, + (uint8_t)0x2FU, (uint8_t)0x74U, (uint8_t)0x7CU, (uint8_t)0x93U, (uint8_t)0x26U, (uint8_t)0x65U, + (uint8_t)0xCBU, (uint8_t)0x2CU, (uint8_t)0x0FU, (uint8_t)0x1CU, (uint8_t)0xC0U, (uint8_t)0x1BU, + (uint8_t)0xD7U, (uint8_t)0x02U, (uint8_t)0x29U, (uint8_t)0x38U, (uint8_t)0x88U, (uint8_t)0x39U, + (uint8_t)0xD2U, (uint8_t)0xAFU, (uint8_t)0x05U, (uint8_t)0xE4U, (uint8_t)0x54U, (uint8_t)0x50U, + (uint8_t)0x4AU, (uint8_t)0xC7U, 
(uint8_t)0x8BU, (uint8_t)0x75U, (uint8_t)0x82U, (uint8_t)0x82U, + (uint8_t)0x28U, (uint8_t)0x46U, (uint8_t)0xC0U, (uint8_t)0xBAU, (uint8_t)0x35U, (uint8_t)0xC3U, + (uint8_t)0x5FU, (uint8_t)0x5CU, (uint8_t)0x59U, (uint8_t)0x16U, (uint8_t)0x0CU, (uint8_t)0xC0U, + (uint8_t)0x46U, (uint8_t)0xFDU, (uint8_t)0x82U, (uint8_t)0x51U, (uint8_t)0x54U, (uint8_t)0x1FU, + (uint8_t)0xC6U, (uint8_t)0x8CU, (uint8_t)0x9CU, (uint8_t)0x86U, (uint8_t)0xB0U, (uint8_t)0x22U, + (uint8_t)0xBBU, (uint8_t)0x70U, (uint8_t)0x99U, (uint8_t)0x87U, (uint8_t)0x6AU, (uint8_t)0x46U, + (uint8_t)0x0EU, (uint8_t)0x74U, (uint8_t)0x51U, (uint8_t)0xA8U, (uint8_t)0xA9U, (uint8_t)0x31U, + (uint8_t)0x09U, (uint8_t)0x70U, (uint8_t)0x3FU, (uint8_t)0xEEU, (uint8_t)0x1CU, (uint8_t)0x21U, + (uint8_t)0x7EU, (uint8_t)0x6CU, (uint8_t)0x38U, (uint8_t)0x26U, (uint8_t)0xE5U, (uint8_t)0x2CU, + (uint8_t)0x51U, (uint8_t)0xAAU, (uint8_t)0x69U, (uint8_t)0x1EU, (uint8_t)0x0EU, (uint8_t)0x42U, + (uint8_t)0x3CU, (uint8_t)0xFCU, (uint8_t)0x99U, (uint8_t)0xE9U, (uint8_t)0xE3U, (uint8_t)0x16U, + (uint8_t)0x50U, (uint8_t)0xC1U, (uint8_t)0x21U, (uint8_t)0x7BU, (uint8_t)0x62U, (uint8_t)0x48U, + (uint8_t)0x16U, (uint8_t)0xCDU, (uint8_t)0xADU, (uint8_t)0x9AU, (uint8_t)0x95U, (uint8_t)0xF9U, + (uint8_t)0xD5U, (uint8_t)0xB8U, (uint8_t)0x01U, (uint8_t)0x94U, (uint8_t)0x88U, (uint8_t)0xD9U, + (uint8_t)0xC0U, (uint8_t)0xA0U, (uint8_t)0xA1U, (uint8_t)0xFEU, (uint8_t)0x30U, (uint8_t)0x75U, + (uint8_t)0xA5U, (uint8_t)0x77U, (uint8_t)0xE2U, (uint8_t)0x31U, (uint8_t)0x83U, (uint8_t)0xF8U, + (uint8_t)0x1DU, (uint8_t)0x4AU, (uint8_t)0x3FU, (uint8_t)0x2FU, (uint8_t)0xA4U, (uint8_t)0x57U, + (uint8_t)0x1EU, (uint8_t)0xFCU, (uint8_t)0x8CU, (uint8_t)0xE0U, (uint8_t)0xBAU, (uint8_t)0x8AU, + (uint8_t)0x4FU, (uint8_t)0xE8U, (uint8_t)0xB6U, (uint8_t)0x85U, (uint8_t)0x5DU, (uint8_t)0xFEU, + (uint8_t)0x72U, (uint8_t)0xB0U, (uint8_t)0xA6U, (uint8_t)0x6EU, (uint8_t)0xDEU, (uint8_t)0xD2U, + (uint8_t)0xFBU, (uint8_t)0xABU, (uint8_t)0xFBU, (uint8_t)0xE5U, 
(uint8_t)0x8AU, (uint8_t)0x30U, + (uint8_t)0xFAU, (uint8_t)0xFAU, (uint8_t)0xBEU, (uint8_t)0x1CU, (uint8_t)0x5DU, (uint8_t)0x71U, + (uint8_t)0xA8U, (uint8_t)0x7EU, (uint8_t)0x2FU, (uint8_t)0x74U, (uint8_t)0x1EU, (uint8_t)0xF8U, + (uint8_t)0xC1U, (uint8_t)0xFEU, (uint8_t)0x86U, (uint8_t)0xFEU, (uint8_t)0xA6U, (uint8_t)0xBBU, + (uint8_t)0xFDU, (uint8_t)0xE5U, (uint8_t)0x30U, (uint8_t)0x67U, (uint8_t)0x7FU, (uint8_t)0x0DU, + (uint8_t)0x97U, (uint8_t)0xD1U, (uint8_t)0x1DU, (uint8_t)0x49U, (uint8_t)0xF7U, (uint8_t)0xA8U, + (uint8_t)0x44U, (uint8_t)0x3DU, (uint8_t)0x08U, (uint8_t)0x22U, (uint8_t)0xE5U, (uint8_t)0x06U, + (uint8_t)0xA9U, (uint8_t)0xF4U, (uint8_t)0x61U, (uint8_t)0x4EU, (uint8_t)0x01U, (uint8_t)0x1EU, + (uint8_t)0x2AU, (uint8_t)0x94U, (uint8_t)0x83U, (uint8_t)0x8FU, (uint8_t)0xF8U, (uint8_t)0x8CU, + (uint8_t)0xD6U, (uint8_t)0x8CU, (uint8_t)0x8BU, (uint8_t)0xB7U, (uint8_t)0xC5U, (uint8_t)0xC6U, + (uint8_t)0x42U, (uint8_t)0x4CU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, + (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU, (uint8_t)0xFFU + }; + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Impl_FFDHE_Constants_H_DEFINED +#endif diff --git a/include/msvc/Hacl_IntTypes_Intrinsics.h b/include/msvc/Hacl_IntTypes_Intrinsics.h new file mode 100644 index 00000000..362b4cfc --- /dev/null +++ b/include/msvc/Hacl_IntTypes_Intrinsics.h 
@@ -0,0 +1,87 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */ + + +#ifndef __Hacl_IntTypes_Intrinsics_H +#define __Hacl_IntTypes_Intrinsics_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +static inline uint32_t +Hacl_IntTypes_Intrinsics_add_carry_u32(uint32_t cin, uint32_t x, uint32_t y, uint32_t *r) +{ + uint64_t res = (uint64_t)x + (uint64_t)cin + (uint64_t)y; + uint32_t c = (uint32_t)(res >> (uint32_t)32U); + r[0U] = (uint32_t)res; + return c; +} + +static inline uint32_t +Hacl_IntTypes_Intrinsics_sub_borrow_u32(uint32_t cin, uint32_t x, uint32_t y, uint32_t *r) +{ + uint64_t res = (uint64_t)x - (uint64_t)y - (uint64_t)cin; + uint32_t c = (uint32_t)(res >> (uint32_t)32U) & (uint32_t)1U; + r[0U] = (uint32_t)res; + return c; +} + +static inline uint64_t +Hacl_IntTypes_Intrinsics_add_carry_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r) +{ + uint64_t res = x + cin + y; + uint64_t + c = (~FStar_UInt64_gte_mask(res, x) | (FStar_UInt64_eq_mask(res, x) & cin)) & (uint64_t)1U; + r[0U] = res; + return c; +} + +static inline uint64_t +Hacl_IntTypes_Intrinsics_sub_borrow_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r) +{ + uint64_t res = x - y - cin; + uint64_t + c = + ((FStar_UInt64_gte_mask(res, x) & ~FStar_UInt64_eq_mask(res, x)) + | (FStar_UInt64_eq_mask(res, x) & cin)) + & (uint64_t)1U; + r[0U] = res; + return c; +} + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_IntTypes_Intrinsics_H_DEFINED +#endif diff --git a/include/msvc/Hacl_IntTypes_Intrinsics_128.h b/include/msvc/Hacl_IntTypes_Intrinsics_128.h new file mode 100644 index 00000000..084dfe74 --- /dev/null +++ b/include/msvc/Hacl_IntTypes_Intrinsics_128.h 
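Review bot: The carry and borrow formulas in `Hacl_IntTypes_Intrinsics_add_carry_u64` and `Hacl_IntTypes_Intrinsics_sub_borrow_u64` are only correct when `cin` is 0 or 1 — the `FStar_UInt64_eq_mask(res, x) & cin` term and the trailing `& (uint64_t)1U` quietly produce a wrong carry for any other value — yet the header states no such precondition. I would put a short comment above each of the four functions, e.g. `/* Precondition: cin is 0 or 1. Stores the low word of x + y + cin in *r and returns the carry bit. */`, and on the two u64 versions add that the gte/eq masks are used instead of a comparison so the non-intrinsic fallback stays branch-free; that intent is inferred from the mask helpers, so confirm it before committing the wording. Separately, this header calls `FStar_UInt64_gte_mask`/`FStar_UInt64_eq_mask` but, unlike `Hacl_IntTypes_Intrinsics_128.h` in the next hunk, does not include `Hacl_Kremlib.h`; if those helpers are not provided by the `kremlin/` headers already included, the file is not self-contained and needs that include.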
@@ -0,0 +1,75 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */ + + +#ifndef __Hacl_IntTypes_Intrinsics_128_H +#define __Hacl_IntTypes_Intrinsics_128_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +static inline uint64_t +Hacl_IntTypes_Intrinsics_128_add_carry_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r) +{ + FStar_UInt128_uint128 + res = + FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_uint64_to_uint128(x), + FStar_UInt128_uint64_to_uint128(cin)), + FStar_UInt128_uint64_to_uint128(y)); + uint64_t c = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U)); + r[0U] = FStar_UInt128_uint128_to_uint64(res); + return c; +} + +static inline uint64_t +Hacl_IntTypes_Intrinsics_128_sub_borrow_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r) +{ + FStar_UInt128_uint128 + res = + FStar_UInt128_sub_mod(FStar_UInt128_sub_mod(FStar_UInt128_uint64_to_uint128(x), + FStar_UInt128_uint64_to_uint128(y)), + FStar_UInt128_uint64_to_uint128(cin)); + uint64_t + c = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U)) + & (uint64_t)1U; + r[0U] = FStar_UInt128_uint128_to_uint64(res); + return c; +} + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_IntTypes_Intrinsics_128_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Kremlib.h b/include/msvc/Hacl_Kremlib.h new file mode 100644 index 00000000..deef15ba --- /dev/null +++ b/include/msvc/Hacl_Kremlib.h 
@@ -0,0 +1,88 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Kremlib_H
+#define __Hacl_Kremlib_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+static inline uint32_t FStar_UInt32_eq_mask(uint32_t a, uint32_t b);
+
+static inline uint32_t FStar_UInt32_gte_mask(uint32_t a, uint32_t b);
+
+static inline uint8_t FStar_UInt8_eq_mask(uint8_t a, uint8_t b);
+
+static inline uint64_t FStar_UInt64_eq_mask(uint64_t a, uint64_t b);
+
+static inline uint64_t FStar_UInt64_gte_mask(uint64_t a, uint64_t b);
+
+static inline uint16_t FStar_UInt16_eq_mask(uint16_t a, uint16_t b);
+
+static inline FStar_UInt128_uint128
+FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
+
+static inline FStar_UInt128_uint128
+FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
+
+static inline FStar_UInt128_uint128
+FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
+
+static inline FStar_UInt128_uint128
+FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
+
+static inline FStar_UInt128_uint128
+FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s);
+
+static inline FStar_UInt128_uint128
+FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s);
+
+static inline FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a);
+
+static inline uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a);
+
+static inline FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y);
+
+static inline void store128_le(uint8_t *x0, FStar_UInt128_uint128 x1);
+
+static inline void store128_be(uint8_t *x0, FStar_UInt128_uint128 x1);
+
+static inline FStar_UInt128_uint128 load128_be(uint8_t *x0);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Kremlib_H_DEFINED
+#endif
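Review bot: Every prototype in this header is `static inline` but none has a body here, so a translation unit that includes Hacl_Kremlib.h without also seeing the defining header gets a "used but never defined" diagnostic and an unresolved reference at the first call; the file should say where the definitions come from, e.g. `/* Declarations only; the definitions are provided by the kremlin headers pulled in above -- <CONFIRM WHICH HEADER> */`. The `*_eq_mask`/`*_gte_mask` functions are the constant-time comparison primitives that Hacl_IntTypes_Intrinsics.h in this same PR relies on (it uses their results as full-width masks), so a comment stating the all-ones/zero mask contract and that they must stay branch-free would make that dependency explicit. `load128_be(uint8_t *x0)` takes a non-const pointer to a buffer it only reads, which is presumably generator output rather than intent, but it forces callers with const data to cast.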
diff --git a/include/msvc/Hacl_NaCl.h b/include/msvc/Hacl_NaCl.h
new file mode 100644
index 00000000..425c7208
--- /dev/null
+++ b/include/msvc/Hacl_NaCl.h
@@ -0,0 +1,162 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */ + + +#ifndef __Hacl_NaCl_H +#define __Hacl_NaCl_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Salsa20.h" +#include "Hacl_Poly1305_32.h" +#include "Hacl_Curve25519_51.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint32_t +Hacl_NaCl_crypto_secretbox_detached( + uint8_t *c, + uint8_t *tag, + uint8_t *m, + uint32_t mlen, + uint8_t *n, + uint8_t *k +); + +uint32_t +Hacl_NaCl_crypto_secretbox_open_detached( + uint8_t *m, + uint8_t *c, + uint8_t *tag, + uint32_t mlen, + uint8_t *n, + uint8_t *k +); + +uint32_t +Hacl_NaCl_crypto_secretbox_easy(uint8_t *c, uint8_t *m, uint32_t mlen, uint8_t *n, uint8_t *k); + +uint32_t +Hacl_NaCl_crypto_secretbox_open_easy( + uint8_t *m, + uint8_t *c, + uint32_t clen, + uint8_t *n, + uint8_t *k +); + +uint32_t Hacl_NaCl_crypto_box_beforenm(uint8_t *k, uint8_t *pk, uint8_t *sk); + +uint32_t +Hacl_NaCl_crypto_box_detached_afternm( + uint8_t *c, + uint8_t *tag, + uint8_t *m, + uint32_t mlen, + uint8_t *n, + uint8_t *k +); + +uint32_t +Hacl_NaCl_crypto_box_detached( + uint8_t *c, + uint8_t *tag, + uint8_t *m, + uint32_t mlen, + uint8_t *n, + uint8_t *pk, + uint8_t *sk +); + +uint32_t +Hacl_NaCl_crypto_box_open_detached_afternm( + uint8_t *m, + uint8_t *c, + uint8_t *tag, + uint32_t mlen, + uint8_t *n, + uint8_t *k +); + +uint32_t +Hacl_NaCl_crypto_box_open_detached( + uint8_t *m, + uint8_t *c, + uint8_t *tag, + uint32_t mlen, + uint8_t *n, + uint8_t *pk, + uint8_t *sk +); + +uint32_t +Hacl_NaCl_crypto_box_easy_afternm( + uint8_t *c, + uint8_t *m, + uint32_t mlen, + uint8_t *n, + uint8_t *k +); + +uint32_t +Hacl_NaCl_crypto_box_easy( + uint8_t *c, + uint8_t *m, + uint32_t mlen, + uint8_t *n, + uint8_t *pk, + uint8_t *sk +); + +uint32_t +Hacl_NaCl_crypto_box_open_easy_afternm( + uint8_t *m, + uint8_t *c, + uint32_t clen, + uint8_t *n, + uint8_t *k +); + +uint32_t 
+Hacl_NaCl_crypto_box_open_easy(
+ uint8_t *m,
+ uint8_t *c,
+ uint32_t clen,
+ uint8_t *n,
+ uint8_t *pk,
+ uint8_t *sk
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_NaCl_H_DEFINED
+#endif
diff --git a/include/msvc/Hacl_P256.h b/include/msvc/Hacl_P256.h
new file mode 100644
index 00000000..e7bd9f2c
--- /dev/null
+++ b/include/msvc/Hacl_P256.h
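Review bot: The header gives no meaning for the `uint32_t` each function returns, and for the `*_open_*` functions that value is the authentication verdict a caller must check before touching `m`; a comment such as `/* Returns <SUCCESS VALUE> on success. Any other value means the tag did not verify; the contents of m are then unspecified and must be discarded. */` (with the real value taken from the implementation) belongs on each `open` prototype. The length parameter is `mlen` on the detached variants and `clen` on the easy variants, and the relation between them is never stated — presumably `clen` counts the tag as well, so `c` must be `mlen` plus the tag size for `*_easy` and the `open_easy` functions need a minimum `clen` to reject. Every input pointer (`m`, `n`, `k`, `pk`, `sk`, and `tag` on the open side) is `uint8_t *` rather than `const uint8_t *`, which hides which buffers are outputs and forces callers holding const key material to cast.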
@@ -0,0 +1,393 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_P256_H
+#define __Hacl_P256_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Spec.h"
+#include "Hacl_Kremlib.h"
+#include "Hacl_Hash_SHA2.h"
+#include "evercrypt_targetconfig.h"
+#include "lib_intrinsics.h"
+#include "libintvector.h"
+
+/*******************************************************************************
+
+ECDSA and ECDH functions over the P-256 NIST curve.
+
+This module implements signing and verification, key validation, conversions
+between various point representations, and ECDH key agreement.
+ +*******************************************************************************/ + +/**************/ +/* Signatures */ +/**************/ + +/* + Per the standard, a hash function *shall* be used. Therefore, we recommend + using one of the three combined hash-and-sign variants. +*/ + +/* +Hash the message with SHA2-256, then sign the resulting digest with the P256 signature function. + +Input: result buffer: uint8[64], + m buffer: uint8 [mLen], + priv(ate)Key: uint8[32], + k (nonce): uint32[32]. + + Output: bool, where True stands for the correct signature generation. False value means that an error has occurred. + + The private key and the nonce are expected to be more than 0 and less than the curve order. +*/ +bool +Hacl_P256_ecdsa_sign_p256_sha2( + uint8_t *result, + uint32_t mLen, + uint8_t *m, + uint8_t *privKey, + uint8_t *k +); + +/* +Hash the message with SHA2-384, then sign the resulting digest with the P256 signature function. + +Input: result buffer: uint8[64], + m buffer: uint8 [mLen], + priv(ate)Key: uint8[32], + k (nonce): uint32[32]. + + Output: bool, where True stands for the correct signature generation. False value means that an error has occurred. + + The private key and the nonce are expected to be more than 0 and less than the curve order. +*/ +bool +Hacl_P256_ecdsa_sign_p256_sha384( + uint8_t *result, + uint32_t mLen, + uint8_t *m, + uint8_t *privKey, + uint8_t *k +); + +/* +Hash the message with SHA2-512, then sign the resulting digest with the P256 signature function. + +Input: result buffer: uint8[64], + m buffer: uint8 [mLen], + priv(ate)Key: uint8[32], + k (nonce): uint32[32]. + + Output: bool, where True stands for the correct signature generation. False value means that an error has occurred. + + The private key and the nonce are expected to be more than 0 and less than the curve order. 
+*/ +bool +Hacl_P256_ecdsa_sign_p256_sha512( + uint8_t *result, + uint32_t mLen, + uint8_t *m, + uint8_t *privKey, + uint8_t *k +); + +/* +P256 signature WITHOUT hashing first. + +This function is intended to receive a hash of the input. For convenience, we +recommend using one of the hash-and-sign combined functions above. + +The argument `m` MUST be at least 32 bytes (i.e. `mLen >= 32`). + +NOTE: The equivalent functions in OpenSSL and Fiat-Crypto both accept inputs +smaller than 32 bytes. These libraries left-pad the input with enough zeroes to +reach the minimum 32 byte size. Clients who need behavior identical to OpenSSL +need to perform the left-padding themselves. + +Input: result buffer: uint8[64], + m buffer: uint8 [mLen], + priv(ate)Key: uint8[32], + k (nonce): uint32[32]. + + Output: bool, where True stands for the correct signature generation. False value means that an error has occurred. + + The private key and the nonce are expected to be more than 0 and less than the curve order. + + The message m is expected to be hashed by a strong hash function, the lenght of the message is expected to be 32 bytes and more. +*/ +bool +Hacl_P256_ecdsa_sign_p256_without_hash( + uint8_t *result, + uint32_t mLen, + uint8_t *m, + uint8_t *privKey, + uint8_t *k +); + + +/****************/ +/* Verification */ +/****************/ + +/* + Verify a message signature. These functions internally validate the public key using validate_public_key. +*/ + + +/* + The input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over the input. + + Input: m buffer: uint8 [mLen], + pub(lic)Key: uint8[64], + r: uint8[32], + s: uint8[32]. + + Output: bool, where true stands for the correct signature verification. 
+*/ +bool +Hacl_P256_ecdsa_verif_p256_sha2( + uint32_t mLen, + uint8_t *m, + uint8_t *pubKey, + uint8_t *r, + uint8_t *s +); + +/* + The input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over the input. + + Input: m buffer: uint8 [mLen], + pub(lic)Key: uint8[64], + r: uint8[32], + s: uint8[32]. + + Output: bool, where true stands for the correct signature verification. +*/ +bool +Hacl_P256_ecdsa_verif_p256_sha384( + uint32_t mLen, + uint8_t *m, + uint8_t *pubKey, + uint8_t *r, + uint8_t *s +); + +/* + The input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over the input. + + Input: m buffer: uint8 [mLen], + pub(lic)Key: uint8[64], + r: uint8[32], + s: uint8[32]. + + Output: bool, where true stands for the correct signature verification. +*/ +bool +Hacl_P256_ecdsa_verif_p256_sha512( + uint32_t mLen, + uint8_t *m, + uint8_t *pubKey, + uint8_t *r, + uint8_t *s +); + +/* + The input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over the input. + + Input: m buffer: uint8 [mLen], + pub(lic)Key: uint8[64], + r: uint8[32], + s: uint8[32]. + + Output: bool, where true stands for the correct signature verification. + + The message m is expected to be hashed by a strong hash function, the lenght of the message is expected to be 32 bytes and more. +*/ +bool +Hacl_P256_ecdsa_verif_without_hash( + uint32_t mLen, + uint8_t *m, + uint8_t *pubKey, + uint8_t *r, + uint8_t *s +); + + +/******************/ +/* Key validation */ +/******************/ + + +/* +Validate a public key. + + + The input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over the input. + + Input: pub(lic)Key: uint8[64]. 
+ + Output: bool, where 0 stands for the public key to be correct with respect to SP 800-56A: + Verify that the public key is not the “point at infinity”, represented as O. + Verify that the affine x and y coordinates of the point represented by the public key are in the range [0, p – 1] where p is the prime defining the finite field. + Verify that y2 = x3 + ax + b where a and b are the coefficients of the curve equation. + Verify that nQ = O (the point at infinity), where n is the order of the curve and Q is the public key point. + + The last extract is taken from : https://neilmadden.blog/2017/05/17/so-how-do-you-validate-nist-ecdh-public-keys/ +*/ +bool Hacl_P256_validate_public_key(uint8_t *pubKey); + +/* +Validate a private key, e.g. prior to signing. + +Input: scalar: uint8[32]. + + Output: bool, where true stands for the scalar to be more than 0 and less than order. +*/ +bool Hacl_P256_validate_private_key(uint8_t *x); + + +/*****************************************/ +/* Point representations and conversions */ +/*****************************************/ + +/* + Elliptic curve points have 2 32-byte coordinates (x, y) and can be represented in 3 ways: + + - "raw" form (64 bytes): the concatenation of the 2 coordinates, also known as "internal" + - "compressed" form (33 bytes): first the sign byte of y (either 0x02 or 0x03), followed by x + - "uncompressed" form (65 bytes): first a constant byte (always 0x04), followed by the "raw" form + + For all of the conversation functions below, the input and output MUST NOT overlap. +*/ + + +/* +Convert 65-byte uncompressed to raw. + +The function errors out if the first byte is incorrect, or if the resulting point is invalid. + + + + Input: a point in not compressed form (uint8[65]), + result: uint8[64] (internal point representation). + + Output: bool, where true stands for the correct decompression. + +*/ +bool Hacl_P256_uncompressed_to_raw(uint8_t *b, uint8_t *result); + +/* +Convert 33-byte compressed to raw. 
+ +The function errors out if the first byte is incorrect, or if the resulting point is invalid. + +Input: a point in compressed form (uint8[33]), + result: uint8[64] (internal point representation). + + Output: bool, where true stands for the correct decompression. + +*/ +bool Hacl_P256_compressed_to_raw(uint8_t *b, uint8_t *result); + +/* +Convert raw to 65-byte uncompressed. + +This function effectively prepends a 0x04 byte. + +Input: a point buffer (internal representation: uint8[64]), + result: a point in not compressed form (uint8[65]). +*/ +void Hacl_P256_raw_to_uncompressed(uint8_t *b, uint8_t *result); + +/* +Convert raw to 33-byte compressed. + + Input: `b`, the pointer buffer in internal representation, of type `uint8[64]` + Output: `result`, a point in compressed form, of type `uint8[33]` + +*/ +void Hacl_P256_raw_to_compressed(uint8_t *b, uint8_t *result); + + +/******************/ +/* ECDH agreement */ +/******************/ + +/* +Convert a private key into a raw public key. + +This function performs no key validation. + + Input: `scalar`, the private key, of type `uint8[32]`. + Output: `result`, the public key, of type `uint8[64]`. + Returns: + - `true`, for success, meaning the public key is not a point at infinity + - `false`, otherwise. + + `scalar` and `result` MUST NOT overlap. +*/ +bool Hacl_P256_dh_initiator(uint8_t *result, uint8_t *scalar); + +/* +ECDH key agreement. + +This function takes a 32-byte secret key, another party's 64-byte raw public +key, and computeds the 64-byte ECDH shared key. + +This function ONLY validates the public key. + + The pub(lic)_key input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over this variable. + + Input: result: uint8[64], + pub(lic)Key: uint8[64], + scalar: uint8[32]. + + Output: bool, where True stands for the correct key generation. 
False value means that an error has occurred (possibly the provided public key was incorrect or the result represents point at infinity). + +*/ +bool Hacl_P256_dh_responder(uint8_t *result, uint8_t *pubKey, uint8_t *scalar); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_P256_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Poly1305_128.h b/include/msvc/Hacl_Poly1305_128.h new file mode 100644 index 00000000..210e34b1 --- /dev/null +++ b/include/msvc/Hacl_Poly1305_128.h 
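Review bot: The signing comments describe the nonce as `k (nonce): uint32[32]` while the prototypes take `uint8_t *k` and every other 32-byte buffer is written `uint8[32]`; it should read `k (nonce): uint8[32]` in all four `Hacl_P256_ecdsa_sign_p256_*` comments. More importantly, nothing says how `k` has to be produced: ECDSA exposes the private key if a nonce is ever reused or biased, so the contract should state that `k` must be fresh and uniformly random in [1, n-1] (or derived deterministically per RFC 6979) for every signature and never reused with the same private key. The `Hacl_P256_validate_public_key` comment says `bool, where 0 stands for the public key to be correct`, which contradicts both the `bool` return and the `true`-means-valid convention used by every other validator in this header; presumably `true` is meant. Minor: `lenght` (twice) and `computeds`, and since `Hacl_P256_dh_responder` says it validates only the public key, its comment could add that `scalar` is expected to have passed `Hacl_P256_validate_private_key` first.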
@@ -0,0 +1,70 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Poly1305_128_H
+#define __Hacl_Poly1305_128_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Kremlib.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+extern uint32_t Hacl_Poly1305_128_blocklen;
+
+typedef Lib_IntVector_Intrinsics_vec128 *Hacl_Poly1305_128_poly1305_ctx;
+
+void Hacl_Poly1305_128_poly1305_init(Lib_IntVector_Intrinsics_vec128 *ctx, uint8_t *key);
+
+void Hacl_Poly1305_128_poly1305_update1(Lib_IntVector_Intrinsics_vec128 *ctx, uint8_t *text);
+
+void
+Hacl_Poly1305_128_poly1305_update(
+ Lib_IntVector_Intrinsics_vec128 *ctx,
+ uint32_t len,
+ uint8_t *text
+);
+
+void
+Hacl_Poly1305_128_poly1305_finish(
+ uint8_t *tag,
+ uint8_t *key,
+ Lib_IntVector_Intrinsics_vec128 *ctx
+);
+
+void Hacl_Poly1305_128_poly1305_mac(uint8_t *tag, uint32_t len, uint8_t *text, uint8_t *key);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Poly1305_128_H_DEFINED
+#endif
diff --git a/include/msvc/Hacl_Poly1305_256.h b/include/msvc/Hacl_Poly1305_256.h
new file mode 100644
index 00000000..6d2c2a74
--- /dev/null
+++ b/include/msvc/Hacl_Poly1305_256.h
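Review bot: `Hacl_Poly1305_128_poly1305_init` takes a caller-allocated `Lib_IntVector_Intrinsics_vec128 *ctx` but the header never states how many elements the context must hold, nor that the vector element type presumably carries an alignment requirement the caller's allocation has to meet; the same gap exists in the Hacl_Poly1305_256.h and Hacl_Poly1305_32.h hunks below. A comment on the typedef, `/* Context: caller-allocated array of <CTX_LEN> vec128 elements, aligned as vec128 requires; call poly1305_init before any update/finish. */`, with the real length taken from the implementation, closes it. `typedef Lib_IntVector_Intrinsics_vec128 *Hacl_Poly1305_128_poly1305_ctx;` hides the pointer and none of the prototypes use it, so it adds little beyond confusion. The key is passed to both `poly1305_init` and `poly1305_finish`; the header should say it must be the same 32-byte key both times and that `poly1305_mac` is the one-shot form that handles this for the caller.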
@@ -0,0 +1,70 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Poly1305_256_H
+#define __Hacl_Poly1305_256_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Kremlib.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+extern uint32_t Hacl_Poly1305_256_blocklen;
+
+typedef Lib_IntVector_Intrinsics_vec256 *Hacl_Poly1305_256_poly1305_ctx;
+
+void Hacl_Poly1305_256_poly1305_init(Lib_IntVector_Intrinsics_vec256 *ctx, uint8_t *key);
+
+void Hacl_Poly1305_256_poly1305_update1(Lib_IntVector_Intrinsics_vec256 *ctx, uint8_t *text);
+
+void
+Hacl_Poly1305_256_poly1305_update(
+ Lib_IntVector_Intrinsics_vec256 *ctx,
+ uint32_t len,
+ uint8_t *text
+);
+
+void
+Hacl_Poly1305_256_poly1305_finish(
+ uint8_t *tag,
+ uint8_t *key,
+ Lib_IntVector_Intrinsics_vec256 *ctx
+);
+
+void Hacl_Poly1305_256_poly1305_mac(uint8_t *tag, uint32_t len, uint8_t *text, uint8_t *key);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Poly1305_256_H_DEFINED
+#endif
diff --git a/include/msvc/Hacl_Poly1305_32.h b/include/msvc/Hacl_Poly1305_32.h
new file mode 100644
index 00000000..093160e2
--- /dev/null
+++ b/include/msvc/Hacl_Poly1305_32.h
@@ -0,0 +1,60 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Poly1305_32_H
+#define __Hacl_Poly1305_32_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Kremlib.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+extern uint32_t Hacl_Poly1305_32_blocklen;
+
+typedef uint64_t *Hacl_Poly1305_32_poly1305_ctx;
+
+void Hacl_Poly1305_32_poly1305_init(uint64_t *ctx, uint8_t *key);
+
+void Hacl_Poly1305_32_poly1305_update1(uint64_t *ctx, uint8_t *text);
+
+void Hacl_Poly1305_32_poly1305_update(uint64_t *ctx, uint32_t len, uint8_t *text);
+
+void Hacl_Poly1305_32_poly1305_finish(uint8_t *tag, uint8_t *key, uint64_t *ctx);
+
+void Hacl_Poly1305_32_poly1305_mac(uint8_t *tag, uint32_t len, uint8_t *text, uint8_t *key);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Poly1305_32_H_DEFINED
+#endif
diff --git a/include/msvc/Hacl_RSAPSS.h b/include/msvc/Hacl_RSAPSS.h
new file mode 100644
index 00000000..1e7f4c5d
--- /dev/null
+++ b/include/msvc/Hacl_RSAPSS.h
@@ -0,0 +1,117 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_RSAPSS_H
+#define __Hacl_RSAPSS_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Spec.h"
+#include "Hacl_Hash_SHA2.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+bool
+Hacl_RSAPSS_rsapss_sign(
+ Spec_Hash_Definitions_hash_alg a,
+ uint32_t modBits,
+ uint32_t eBits,
+ uint32_t dBits,
+ uint64_t *skey,
+ uint32_t saltLen,
+ uint8_t *salt,
+ uint32_t msgLen,
+ uint8_t *msg,
+ uint8_t *sgnt
+);
+
+bool
+Hacl_RSAPSS_rsapss_verify(
+ Spec_Hash_Definitions_hash_alg a,
+ uint32_t modBits,
+ uint32_t eBits,
+ uint64_t *pkey,
+ uint32_t saltLen,
+ uint32_t sgntLen,
+ uint8_t *sgnt,
+ uint32_t msgLen,
+ uint8_t *msg
+);
+
+uint64_t
+*Hacl_RSAPSS_new_rsapss_load_pkey(uint32_t modBits, uint32_t eBits, uint8_t *nb, uint8_t *eb);
+
+uint64_t
+*Hacl_RSAPSS_new_rsapss_load_skey(
+ uint32_t modBits,
+ uint32_t eBits,
+ uint32_t dBits,
+ uint8_t *nb,
+ uint8_t *eb,
+ uint8_t *db
+);
+
+bool
+Hacl_RSAPSS_rsapss_skey_sign(
+ Spec_Hash_Definitions_hash_alg a,
+ uint32_t modBits,
+ uint32_t eBits,
+ uint32_t dBits,
+ uint8_t *nb,
+ uint8_t *eb,
+ uint8_t *db,
+ uint32_t saltLen,
+ uint8_t *salt,
+ uint32_t msgLen,
+ uint8_t *msg,
+ uint8_t *sgnt
+);
+
+bool
+Hacl_RSAPSS_rsapss_pkey_verify(
+ Spec_Hash_Definitions_hash_alg a,
+ uint32_t modBits,
+ uint32_t eBits,
+ uint8_t *nb,
+ uint8_t *eb,
+ uint32_t saltLen,
+ uint32_t sgntLen,
+ uint8_t *sgnt,
+ uint32_t msgLen,
+ uint8_t *msg
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_RSAPSS_H_DEFINED
+#endif
diff --git a/include/msvc/Hacl_SHA2_Generic.h b/include/msvc/Hacl_SHA2_Generic.h
new file mode 100644
index 00000000..d29978fe
--- /dev/null
+++ b/include/msvc/Hacl_SHA2_Generic.h
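Review bot: `Hacl_RSAPSS_new_rsapss_load_pkey` and `Hacl_RSAPSS_new_rsapss_load_skey` return a `uint64_t *` with no statement of ownership, allocator or failure value; callers need `/* Returns a heap-allocated key the caller must free(); returns NULL if the encoded key is malformed -- <CONFIRM against the implementation> */` on both prototypes. `modBits`/`eBits`/`dBits` are caller-asserted bit lengths of the byte strings `nb`/`eb`/`db` and the verify functions take an explicit `sgntLen`, yet whether a `sgntLen` that does not match the modulus length is rejected, and which `Spec_Hash_Definitions_hash_alg` values are accepted for `a`, is not visible here and should be documented, since lengths and algorithm choice are exactly what a verifier receives from untrusted input. The `bool` returned by `rsapss_sign`/`rsapss_skey_sign` also needs a sentence on what `false` means and whether `sgnt` is left defined in that case.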
@@ -0,0 +1,135 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_SHA2_Generic_H +#define __Hacl_SHA2_Generic_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +static const +uint32_t +Hacl_Impl_SHA2_Generic_h224[8U] = + { + (uint32_t)0xc1059ed8U, (uint32_t)0x367cd507U, (uint32_t)0x3070dd17U, (uint32_t)0xf70e5939U, + (uint32_t)0xffc00b31U, (uint32_t)0x68581511U, (uint32_t)0x64f98fa7U, (uint32_t)0xbefa4fa4U + }; + +static const +uint32_t +Hacl_Impl_SHA2_Generic_h256[8U] = + { + (uint32_t)0x6a09e667U, (uint32_t)0xbb67ae85U, (uint32_t)0x3c6ef372U, (uint32_t)0xa54ff53aU, + (uint32_t)0x510e527fU, (uint32_t)0x9b05688cU, (uint32_t)0x1f83d9abU, (uint32_t)0x5be0cd19U + }; + +static const +uint64_t +Hacl_Impl_SHA2_Generic_h384[8U] = + { + (uint64_t)0xcbbb9d5dc1059ed8U, (uint64_t)0x629a292a367cd507U, (uint64_t)0x9159015a3070dd17U, + (uint64_t)0x152fecd8f70e5939U, (uint64_t)0x67332667ffc00b31U, (uint64_t)0x8eb44a8768581511U, + (uint64_t)0xdb0c2e0d64f98fa7U, (uint64_t)0x47b5481dbefa4fa4U + }; + +static const +uint64_t +Hacl_Impl_SHA2_Generic_h512[8U] = + { + (uint64_t)0x6a09e667f3bcc908U, (uint64_t)0xbb67ae8584caa73bU, (uint64_t)0x3c6ef372fe94f82bU, + (uint64_t)0xa54ff53a5f1d36f1U, (uint64_t)0x510e527fade682d1U, (uint64_t)0x9b05688c2b3e6c1fU, + (uint64_t)0x1f83d9abfb41bd6bU, (uint64_t)0x5be0cd19137e2179U + }; + +static const +uint32_t +Hacl_Impl_SHA2_Generic_k224_256[64U] = + { + (uint32_t)0x428a2f98U, (uint32_t)0x71374491U, (uint32_t)0xb5c0fbcfU, (uint32_t)0xe9b5dba5U, + (uint32_t)0x3956c25bU, (uint32_t)0x59f111f1U, (uint32_t)0x923f82a4U, (uint32_t)0xab1c5ed5U, + (uint32_t)0xd807aa98U, (uint32_t)0x12835b01U, (uint32_t)0x243185beU, (uint32_t)0x550c7dc3U, + (uint32_t)0x72be5d74U, (uint32_t)0x80deb1feU, (uint32_t)0x9bdc06a7U, (uint32_t)0xc19bf174U, + (uint32_t)0xe49b69c1U, (uint32_t)0xefbe4786U, (uint32_t)0x0fc19dc6U, 
(uint32_t)0x240ca1ccU, + (uint32_t)0x2de92c6fU, (uint32_t)0x4a7484aaU, (uint32_t)0x5cb0a9dcU, (uint32_t)0x76f988daU, + (uint32_t)0x983e5152U, (uint32_t)0xa831c66dU, (uint32_t)0xb00327c8U, (uint32_t)0xbf597fc7U, + (uint32_t)0xc6e00bf3U, (uint32_t)0xd5a79147U, (uint32_t)0x06ca6351U, (uint32_t)0x14292967U, + (uint32_t)0x27b70a85U, (uint32_t)0x2e1b2138U, (uint32_t)0x4d2c6dfcU, (uint32_t)0x53380d13U, + (uint32_t)0x650a7354U, (uint32_t)0x766a0abbU, (uint32_t)0x81c2c92eU, (uint32_t)0x92722c85U, + (uint32_t)0xa2bfe8a1U, (uint32_t)0xa81a664bU, (uint32_t)0xc24b8b70U, (uint32_t)0xc76c51a3U, + (uint32_t)0xd192e819U, (uint32_t)0xd6990624U, (uint32_t)0xf40e3585U, (uint32_t)0x106aa070U, + (uint32_t)0x19a4c116U, (uint32_t)0x1e376c08U, (uint32_t)0x2748774cU, (uint32_t)0x34b0bcb5U, + (uint32_t)0x391c0cb3U, (uint32_t)0x4ed8aa4aU, (uint32_t)0x5b9cca4fU, (uint32_t)0x682e6ff3U, + (uint32_t)0x748f82eeU, (uint32_t)0x78a5636fU, (uint32_t)0x84c87814U, (uint32_t)0x8cc70208U, + (uint32_t)0x90befffaU, (uint32_t)0xa4506cebU, (uint32_t)0xbef9a3f7U, (uint32_t)0xc67178f2U + }; + +static const +uint64_t +Hacl_Impl_SHA2_Generic_k384_512[80U] = + { + (uint64_t)0x428a2f98d728ae22U, (uint64_t)0x7137449123ef65cdU, (uint64_t)0xb5c0fbcfec4d3b2fU, + (uint64_t)0xe9b5dba58189dbbcU, (uint64_t)0x3956c25bf348b538U, (uint64_t)0x59f111f1b605d019U, + (uint64_t)0x923f82a4af194f9bU, (uint64_t)0xab1c5ed5da6d8118U, (uint64_t)0xd807aa98a3030242U, + (uint64_t)0x12835b0145706fbeU, (uint64_t)0x243185be4ee4b28cU, (uint64_t)0x550c7dc3d5ffb4e2U, + (uint64_t)0x72be5d74f27b896fU, (uint64_t)0x80deb1fe3b1696b1U, (uint64_t)0x9bdc06a725c71235U, + (uint64_t)0xc19bf174cf692694U, (uint64_t)0xe49b69c19ef14ad2U, (uint64_t)0xefbe4786384f25e3U, + (uint64_t)0x0fc19dc68b8cd5b5U, (uint64_t)0x240ca1cc77ac9c65U, (uint64_t)0x2de92c6f592b0275U, + (uint64_t)0x4a7484aa6ea6e483U, (uint64_t)0x5cb0a9dcbd41fbd4U, (uint64_t)0x76f988da831153b5U, + (uint64_t)0x983e5152ee66dfabU, (uint64_t)0xa831c66d2db43210U, (uint64_t)0xb00327c898fb213fU, + 
(uint64_t)0xbf597fc7beef0ee4U, (uint64_t)0xc6e00bf33da88fc2U, (uint64_t)0xd5a79147930aa725U, + (uint64_t)0x06ca6351e003826fU, (uint64_t)0x142929670a0e6e70U, (uint64_t)0x27b70a8546d22ffcU, + (uint64_t)0x2e1b21385c26c926U, (uint64_t)0x4d2c6dfc5ac42aedU, (uint64_t)0x53380d139d95b3dfU, + (uint64_t)0x650a73548baf63deU, (uint64_t)0x766a0abb3c77b2a8U, (uint64_t)0x81c2c92e47edaee6U, + (uint64_t)0x92722c851482353bU, (uint64_t)0xa2bfe8a14cf10364U, (uint64_t)0xa81a664bbc423001U, + (uint64_t)0xc24b8b70d0f89791U, (uint64_t)0xc76c51a30654be30U, (uint64_t)0xd192e819d6ef5218U, + (uint64_t)0xd69906245565a910U, (uint64_t)0xf40e35855771202aU, (uint64_t)0x106aa07032bbd1b8U, + (uint64_t)0x19a4c116b8d2d0c8U, (uint64_t)0x1e376c085141ab53U, (uint64_t)0x2748774cdf8eeb99U, + (uint64_t)0x34b0bcb5e19b48a8U, (uint64_t)0x391c0cb3c5c95a63U, (uint64_t)0x4ed8aa4ae3418acbU, + (uint64_t)0x5b9cca4f7763e373U, (uint64_t)0x682e6ff3d6b2b8a3U, (uint64_t)0x748f82ee5defb2fcU, + (uint64_t)0x78a5636f43172f60U, (uint64_t)0x84c87814a1f0ab72U, (uint64_t)0x8cc702081a6439ecU, + (uint64_t)0x90befffa23631e28U, (uint64_t)0xa4506cebde82bde9U, (uint64_t)0xbef9a3f7b2c67915U, + (uint64_t)0xc67178f2e372532bU, (uint64_t)0xca273eceea26619cU, (uint64_t)0xd186b8c721c0c207U, + (uint64_t)0xeada7dd6cde0eb1eU, (uint64_t)0xf57d4f7fee6ed178U, (uint64_t)0x06f067aa72176fbaU, + (uint64_t)0x0a637dc5a2c898a6U, (uint64_t)0x113f9804bef90daeU, (uint64_t)0x1b710b35131c471bU, + (uint64_t)0x28db77f523047d84U, (uint64_t)0x32caab7b40c72493U, (uint64_t)0x3c9ebe0a15c9bebcU, + (uint64_t)0x431d67c49c100d4cU, (uint64_t)0x4cc5d4becb3e42b6U, (uint64_t)0x597f299cfc657e2aU, + (uint64_t)0x5fcb6fab3ad6faecU, (uint64_t)0x6c44198c4a475817U + }; + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_SHA2_Generic_H_DEFINED +#endif diff --git a/include/msvc/Hacl_SHA2_Scalar32.h b/include/msvc/Hacl_SHA2_Scalar32.h new file mode 100644 index 00000000..56a407b6 --- /dev/null +++ b/include/msvc/Hacl_SHA2_Scalar32.h 
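Review bot: The six `static const` tables in Hacl_SHA2_Generic.h carry no comment saying what they are, so a reader auditing the implementation has to recognise the constants by eye. The `h224`/`h256`/`h384`/`h512` arrays are the SHA-2 initial hash values and `k224_256`/`k384_512` the round constants of FIPS 180-4, and a one-line comment above the first table, `/* SHA-2 initial hash values (h*) and round constants (k*) as specified in FIPS 180-4, sections 5.3 and 4.2.2. */`, makes that auditable. As a point of style, `static const` arrays in a header give every including translation unit its own copy; the SHA-3 header in this same commit uses `extern const` declarations with a single definition instead, and the two could be made consistent.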
@@ -0,0 +1,55 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_SHA2_Scalar32_H
+#define __Hacl_SHA2_Scalar32_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include 
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_SHA2_Generic.h"
+#include "Hacl_Kremlib.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void Hacl_SHA2_Scalar32_sha224(uint8_t *dst, uint32_t input_len, uint8_t *input);
+
+void Hacl_SHA2_Scalar32_sha256(uint8_t *dst, uint32_t input_len, uint8_t *input);
+
+void Hacl_SHA2_Scalar32_sha384(uint8_t *dst, uint32_t input_len, uint8_t *input);
+
+void Hacl_SHA2_Scalar32_sha512(uint8_t *dst, uint32_t input_len, uint8_t *input);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_SHA2_Scalar32_H_DEFINED
+#endif
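Review bot: The four one-shot hash prototypes in Hacl_SHA2_Scalar32.h give no indication of how large `dst` must be, and a caller who sizes it wrongly gets a silent out-of-bounds write rather than an error. A comment above the group such as `/* dst must hold the full digest: 28 bytes for sha224, 32 for sha256, 48 for sha384, 64 for sha512. input_len is in bytes. */` closes that gap; the same applies to the `dst0..dstN` parameters of the multi-buffer variants in Hacl_SHA2_Vec128.h and Hacl_SHA2_Vec256.h, which additionally do not say that `input_len` applies to every input buffer. As a matter of style the `input` pointers are never written and could be `const uint8_t *`, which lets callers pass read-only data without a cast; if the headers are generated this would need to come from the extraction tool.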
diff --git a/include/msvc/Hacl_SHA2_Vec128.h b/include/msvc/Hacl_SHA2_Vec128.h
new file mode 100644
index 00000000..0f07e448
--- /dev/null
+++ b/include/msvc/Hacl_SHA2_Vec128.h
@@ -0,0 +1,73 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_SHA2_Vec128_H
+#define __Hacl_SHA2_Vec128_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include 
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_SHA2_Generic.h"
+#include "Hacl_Kremlib.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+Hacl_SHA2_Vec128_sha224_4(
+ uint8_t *dst0,
+ uint8_t *dst1,
+ uint8_t *dst2,
+ uint8_t *dst3,
+ uint32_t input_len,
+ uint8_t *input0,
+ uint8_t *input1,
+ uint8_t *input2,
+ uint8_t *input3
+);
+
+void
+Hacl_SHA2_Vec128_sha256_4(
+ uint8_t *dst0,
+ uint8_t *dst1,
+ uint8_t *dst2,
+ uint8_t *dst3,
+ uint32_t input_len,
+ uint8_t *input0,
+ uint8_t *input1,
+ uint8_t *input2,
+ uint8_t *input3
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_SHA2_Vec128_H_DEFINED
+#endif
diff --git a/include/msvc/Hacl_SHA2_Vec256.h b/include/msvc/Hacl_SHA2_Vec256.h
new file mode 100644
index 00000000..a2ba3c56
--- /dev/null
+++ b/include/msvc/Hacl_SHA2_Vec256.h
@@ -0,0 +1,115 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_SHA2_Vec256_H
+#define __Hacl_SHA2_Vec256_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include 
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_SHA2_Generic.h"
+#include "Hacl_Kremlib.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+Hacl_SHA2_Vec256_sha224_8(
+ uint8_t *dst0,
+ uint8_t *dst1,
+ uint8_t *dst2,
+ uint8_t *dst3,
+ uint8_t *dst4,
+ uint8_t *dst5,
+ uint8_t *dst6,
+ uint8_t *dst7,
+ uint32_t input_len,
+ uint8_t *input0,
+ uint8_t *input1,
+ uint8_t *input2,
+ uint8_t *input3,
+ uint8_t *input4,
+ uint8_t *input5,
+ uint8_t *input6,
+ uint8_t *input7
+);
+
+void
+Hacl_SHA2_Vec256_sha256_8(
+ uint8_t *dst0,
+ uint8_t *dst1,
+ uint8_t *dst2,
+ uint8_t *dst3,
+ uint8_t *dst4,
+ uint8_t *dst5,
+ uint8_t *dst6,
+ uint8_t *dst7,
+ uint32_t input_len,
+ uint8_t *input0,
+ uint8_t *input1,
+ uint8_t *input2,
+ uint8_t *input3,
+ uint8_t *input4,
+ uint8_t *input5,
+ uint8_t *input6,
+ uint8_t *input7
+);
+
+void
+Hacl_SHA2_Vec256_sha384_4(
+ uint8_t *dst0,
+ uint8_t *dst1,
+ uint8_t *dst2,
+ uint8_t *dst3,
+ uint32_t input_len,
+ uint8_t *input0,
+ uint8_t *input1,
+ uint8_t *input2,
+ uint8_t *input3
+);
+
+void
+Hacl_SHA2_Vec256_sha512_4(
+ uint8_t *dst0,
+ uint8_t *dst1,
+ uint8_t *dst2,
+ uint8_t *dst3,
+ uint32_t input_len,
+ uint8_t *input0,
+ uint8_t *input1,
+ uint8_t *input2,
+ uint8_t *input3
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_SHA2_Vec256_H_DEFINED
+#endif
diff --git a/include/msvc/Hacl_SHA3.h b/include/msvc/Hacl_SHA3.h
new file mode 100644
index 00000000..1d40bad9
--- /dev/null
+++ b/include/msvc/Hacl_SHA3.h
@@ -0,0 +1,113 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_SHA3_H
+#define __Hacl_SHA3_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include 
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Lib_Memzero0.h"
+#include "Hacl_Kremlib.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+extern const uint32_t Hacl_Impl_SHA3_keccak_rotc[24U];
+
+extern const uint32_t Hacl_Impl_SHA3_keccak_piln[24U];
+
+extern const uint64_t Hacl_Impl_SHA3_keccak_rndc[24U];
+
+uint64_t Hacl_Impl_SHA3_rotl(uint64_t a, uint32_t b);
+
+void Hacl_Impl_SHA3_state_permute(uint64_t *s);
+
+void Hacl_Impl_SHA3_loadState(uint32_t rateInBytes, uint8_t *input, uint64_t *s);
+
+void Hacl_Impl_SHA3_storeState(uint32_t rateInBytes, uint64_t *s, uint8_t *res);
+
+void
+Hacl_Impl_SHA3_absorb(
+ uint64_t *s,
+ uint32_t rateInBytes,
+ uint32_t inputByteLen,
+ uint8_t *input,
+ uint8_t delimitedSuffix
+);
+
+void
+Hacl_Impl_SHA3_squeeze(
+ uint64_t *s,
+ uint32_t rateInBytes,
+ uint32_t outputByteLen,
+ uint8_t *output
+);
+
+void
+Hacl_Impl_SHA3_keccak(
+ uint32_t rate,
+ uint32_t capacity,
+ uint32_t inputByteLen,
+ uint8_t *input,
+ uint8_t delimitedSuffix,
+ uint32_t outputByteLen,
+ uint8_t *output
+);
+
+void
+Hacl_SHA3_shake128_hacl(
+ uint32_t inputByteLen,
+ uint8_t *input,
+ uint32_t outputByteLen,
+ uint8_t *output
+);
+
+void
+Hacl_SHA3_shake256_hacl(
+ uint32_t inputByteLen,
+ uint8_t *input,
+ uint32_t outputByteLen,
+ uint8_t *output
+);
+
+void Hacl_SHA3_sha3_224(uint32_t inputByteLen, uint8_t *input, uint8_t *output);
+
+void Hacl_SHA3_sha3_256(uint32_t inputByteLen, uint8_t *input, uint8_t *output);
+
+void Hacl_SHA3_sha3_384(uint32_t inputByteLen, uint8_t *input, uint8_t *output);
+
+void Hacl_SHA3_sha3_512(uint32_t inputByteLen, uint8_t *input, uint8_t *output);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_SHA3_H_DEFINED
+#endif
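Review bot: Hacl_SHA3.h publishes the Keccak building blocks (`Hacl_Impl_SHA3_rotl`, `state_permute`, `loadState`, `storeState`, `absorb`, `squeeze`, `keccak`, and the three `extern const` tables) side by side with the `Hacl_SHA3_*` one-shot API, with nothing marking which is the stable surface. Callers reaching for `Hacl_Impl_SHA3_keccak` directly have to pick `rate`, `capacity` and `delimitedSuffix` themselves, and a wrong combination is a silent misuse rather than an error, so at minimum the group should carry `/* Internal Keccak primitives: no parameter validation, not part of the supported API. Use the Hacl_SHA3_* functions below. */`. The `Hacl_SHA3_sha3_*` prototypes also do not state the required `output` size (28, 32, 48 and 64 bytes respectively), which the SHA-2 headers in this commit share as a gap. If the header is generated, the split into a public and an internal header would have to be made upstream.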
diff --git a/include/msvc/Hacl_Salsa20.h b/include/msvc/Hacl_Salsa20.h
new file mode 100644
index 00000000..480eb900
--- /dev/null
+++ b/include/msvc/Hacl_Salsa20.h
@@ -0,0 +1,70 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Salsa20_H
+#define __Hacl_Salsa20_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include 
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Kremlib.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+Hacl_Salsa20_salsa20_encrypt(
+ uint32_t len,
+ uint8_t *out,
+ uint8_t *text,
+ uint8_t *key,
+ uint8_t *n,
+ uint32_t ctr
+);
+
+void
+Hacl_Salsa20_salsa20_decrypt(
+ uint32_t len,
+ uint8_t *out,
+ uint8_t *cipher,
+ uint8_t *key,
+ uint8_t *n,
+ uint32_t ctr
+);
+
+void Hacl_Salsa20_salsa20_key_block0(uint8_t *out, uint8_t *key, uint8_t *n);
+
+void Hacl_Salsa20_hsalsa20(uint8_t *out, uint8_t *key, uint8_t *n);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Salsa20_H_DEFINED
+#endif
diff --git a/include/msvc/Hacl_Spec.h b/include/msvc/Hacl_Spec.h
new file mode 100644
index 00000000..2c6693c6
--- /dev/null
+++ b/include/msvc/Hacl_Spec.h
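Review bot: The Salsa20 prototypes take `key` and `n` as bare `uint8_t *` with no statement of their required lengths, and `salsa20_key_block0`/`hsalsa20` do not say how many bytes they write to `out`, so a caller can only get the sizes right by reading the implementation. Those sizes are fixed by the Salsa20 specification (a 32-byte key and an 8-byte nonce for the stream functions; HSalsa20 takes a 16-byte input and produces a 32-byte output), and the header should state them, e.g. `/* key: 32 bytes, n: 8 bytes. out and text/cipher are len bytes and may alias. */` above the encrypt/decrypt pair, with the corresponding sizes on the other two. Since this is a raw stream cipher with no authentication, the same comment should say that a (key, n) pair must never be reused with overlapping `ctr` ranges and that callers who need integrity must add a MAC; the library already offers authenticated constructions for that purpose. The aliasing claim is an assumption to confirm against the implementation before writing it down.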
@@ -0,0 +1,97 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Spec_H
+#define __Hacl_Spec_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include 
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+#define Spec_Blake2_Blake2S 0
+#define Spec_Blake2_Blake2B 1
+
+typedef uint8_t Spec_Blake2_alg;
+
+#define Spec_Hash_Definitions_SHA2_224 0
+#define Spec_Hash_Definitions_SHA2_256 1
+#define Spec_Hash_Definitions_SHA2_384 2
+#define Spec_Hash_Definitions_SHA2_512 3
+#define Spec_Hash_Definitions_SHA1 4
+#define Spec_Hash_Definitions_MD5 5
+#define Spec_Hash_Definitions_Blake2S 6
+#define Spec_Hash_Definitions_Blake2B 7
+
+typedef uint8_t Spec_Hash_Definitions_hash_alg;
+
+#define Spec_FFDHE_FFDHE2048 0
+#define Spec_FFDHE_FFDHE3072 1
+#define Spec_FFDHE_FFDHE4096 2
+#define Spec_FFDHE_FFDHE6144 3
+#define Spec_FFDHE_FFDHE8192 4
+
+typedef uint8_t Spec_FFDHE_ffdhe_alg;
+
+#define Spec_Agile_Cipher_AES128 0
+#define Spec_Agile_Cipher_AES256 1
+#define Spec_Agile_Cipher_CHACHA20 2
+
+typedef uint8_t Spec_Agile_Cipher_cipher_alg;
+
+#define Spec_Cipher_Expansion_Hacl_CHACHA20 0
+#define Spec_Cipher_Expansion_Vale_AES128 1
+#define Spec_Cipher_Expansion_Vale_AES256 2
+
+typedef uint8_t Spec_Cipher_Expansion_impl;
+
+#define Spec_Agile_AEAD_AES128_GCM 0
+#define Spec_Agile_AEAD_AES256_GCM 1
+#define Spec_Agile_AEAD_CHACHA20_POLY1305 2
+#define Spec_Agile_AEAD_AES128_CCM 3
+#define Spec_Agile_AEAD_AES256_CCM 4
+#define Spec_Agile_AEAD_AES128_CCM8 5
+#define Spec_Agile_AEAD_AES256_CCM8 6
+
+typedef uint8_t Spec_Agile_AEAD_alg;
+
+#define Spec_Frodo_Params_SHAKE128 0
+#define Spec_Frodo_Params_AES128 1
+
+typedef uint8_t Spec_Frodo_Params_frodo_gen_a;
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Spec_H_DEFINED
+#endif
diff --git a/include/msvc/Hacl_Streaming_Blake2.h b/include/msvc/Hacl_Streaming_Blake2.h
new file mode 100644
index 00000000..c64b8545
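Review bot: Every algorithm tag in Hacl_Spec.h is a `typedef uint8_t` paired with bare `#define`s, so the type system accepts any byte where a `Spec_Hash_Definitions_hash_alg` or `Spec_Agile_AEAD_alg` is expected and the compiler cannot warn on a missing `switch` case or a mixed-up tag family (e.g. passing `Spec_Blake2_Blake2B`, value 1, where a `hash_alg` is wanted yields SHA2-256). The header should at least say how consumers are expected to treat out-of-range values, e.g. `/* Algorithm tags are plain bytes; functions taking one reject (or have undefined behaviour on) values outside the #defines above — check the callee's contract. */`, with the precise rule confirmed against the implementations such as `Hacl_RSAPSS_rsapss_sign` in this commit. If hand-maintained rather than generated, `enum` constants would give the same ABI with type-checked use.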
--- /dev/null
+++ b/include/msvc/Hacl_Streaming_Blake2.h
@@ -0,0 +1,149 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Streaming_Blake2_H
+#define __Hacl_Streaming_Blake2_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include 
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Spec.h"
+#include "Hacl_Kremlib.h"
+#include "Hacl_Hash_Blake2.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+uint32_t
+Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_alg a, Hacl_Impl_Blake2_Core_m_spec m);
+
+typedef struct Hacl_Streaming_Blake2_blake2s_32_block_state_s
+{
+ uint32_t *fst;
+ uint32_t *snd;
+}
+Hacl_Streaming_Blake2_blake2s_32_block_state;
+
+typedef struct Hacl_Streaming_Blake2_blake2s_32_state_s
+{
+ Hacl_Streaming_Blake2_blake2s_32_block_state block_state;
+ uint8_t *buf;
+ uint64_t total_len;
+}
+Hacl_Streaming_Blake2_blake2s_32_state;
+
+/*
+ State allocation function when there is no key
+*/
+Hacl_Streaming_Blake2_blake2s_32_state *Hacl_Streaming_Blake2_blake2s_32_no_key_create_in();
+
+/*
+ (Re-)initialization function when there is no key
+*/
+void Hacl_Streaming_Blake2_blake2s_32_no_key_init(Hacl_Streaming_Blake2_blake2s_32_state *s1);
+
+/*
+ Update function when there is no key
+*/
+void
+Hacl_Streaming_Blake2_blake2s_32_no_key_update(
+ Hacl_Streaming_Blake2_blake2s_32_state *p,
+ uint8_t *data,
+ uint32_t len
+);
+
+/*
+ Finish function when there is no key
+*/
+void
+Hacl_Streaming_Blake2_blake2s_32_no_key_finish(
+ Hacl_Streaming_Blake2_blake2s_32_state *p,
+ uint8_t *dst
+);
+
+/*
+ Free state function when there is no key
+*/
+void Hacl_Streaming_Blake2_blake2s_32_no_key_free(Hacl_Streaming_Blake2_blake2s_32_state *s1);
+
+typedef struct Hacl_Streaming_Blake2_blake2b_32_block_state_s
+{
+ uint64_t *fst;
+ uint64_t *snd;
+}
+Hacl_Streaming_Blake2_blake2b_32_block_state;
+
+typedef struct Hacl_Streaming_Blake2_blake2b_32_state_s
+{
+ Hacl_Streaming_Blake2_blake2b_32_block_state block_state;
+ uint8_t *buf;
+ uint64_t total_len;
+}
+Hacl_Streaming_Blake2_blake2b_32_state;
+
+/*
+ State allocation function when there is no key
+*/
+Hacl_Streaming_Blake2_blake2b_32_state *Hacl_Streaming_Blake2_blake2b_32_no_key_create_in();
+
+/*
+ (Re)-initialization function when there is no key
+*/
+void Hacl_Streaming_Blake2_blake2b_32_no_key_init(Hacl_Streaming_Blake2_blake2b_32_state *s1);
+
+/*
+ Update function when there is no key
+*/
+void
+Hacl_Streaming_Blake2_blake2b_32_no_key_update(
+ Hacl_Streaming_Blake2_blake2b_32_state *p,
+ uint8_t *data,
+ uint32_t len
+);
+
+/*
+ Finish function when there is no key
+*/
+void
+Hacl_Streaming_Blake2_blake2b_32_no_key_finish(
+ Hacl_Streaming_Blake2_blake2b_32_state *p,
+ uint8_t *dst
+);
+
+/*
+ Free state function when there is no key
+*/
+void Hacl_Streaming_Blake2_blake2b_32_no_key_free(Hacl_Streaming_Blake2_blake2b_32_state *s1);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Streaming_Blake2_H_DEFINED
+#endif
diff --git a/include/msvc/Hacl_Streaming_Blake2b_256.h b/include/msvc/Hacl_Streaming_Blake2b_256.h
new file mode 100644
index 00000000..6d6e8c3a
--- /dev/null
+++ b/include/msvc/Hacl_Streaming_Blake2b_256.h
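Review bot: The two allocators `Hacl_Streaming_Blake2_blake2s_32_no_key_create_in()` and `Hacl_Streaming_Blake2_blake2b_32_no_key_create_in()` are declared with empty parentheses, which in C is an old-style declaration with unspecified parameters rather than a prototype, so a call with stray arguments compiles silently and `-Wstrict-prototypes` fires; they should read `(void)`, e.g. `Hacl_Streaming_Blake2_blake2s_32_state *Hacl_Streaming_Blake2_blake2s_32_no_key_create_in(void);`. The same pattern appears in the `_create_in()` declarations of Hacl_Streaming_Blake2b_256.h and Hacl_Streaming_Blake2s_128.h in this commit. The "State allocation function" comments also do not say whether the result can be NULL or that it must be released only through the matching `_no_key_free`, and whether `_no_key_finish` leaves the state usable for further updates; one sentence on each in the existing comment blocks would settle it, with the behaviour confirmed against the implementation. If these headers are generated, the `(void)` fix needs to be made in the extraction tooling.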
@@ -0,0 +1,106 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __Hacl_Streaming_Blake2b_256_H
+#define __Hacl_Streaming_Blake2b_256_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include 
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "Hacl_Streaming_Blake2.h"
+#include "Hacl_Spec.h"
+#include "Hacl_Kremlib.h"
+#include "Hacl_Hash_Blake2b_256.h"
+#include "Hacl_Hash_Blake2.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+typedef struct Hacl_Streaming_Blake2b_256_blake2b_256_block_state_s
+{
+ Lib_IntVector_Intrinsics_vec256 *fst;
+ Lib_IntVector_Intrinsics_vec256 *snd;
+}
+Hacl_Streaming_Blake2b_256_blake2b_256_block_state;
+
+typedef struct Hacl_Streaming_Blake2b_256_blake2b_256_state_s
+{
+ Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state;
+ uint8_t *buf;
+ uint64_t total_len;
+}
+Hacl_Streaming_Blake2b_256_blake2b_256_state;
+
+/*
+ State allocation function when there is no key
+*/
+Hacl_Streaming_Blake2b_256_blake2b_256_state
+*Hacl_Streaming_Blake2b_256_blake2b_256_no_key_create_in();
+
+/*
+ (Re-)initialization function when there is no key
+*/
+void
+Hacl_Streaming_Blake2b_256_blake2b_256_no_key_init(
+ Hacl_Streaming_Blake2b_256_blake2b_256_state *s
+);
+
+/*
+ Update function when there is no key
+*/
+void
+Hacl_Streaming_Blake2b_256_blake2b_256_no_key_update(
+ Hacl_Streaming_Blake2b_256_blake2b_256_state *p,
+ uint8_t *data,
+ uint32_t len
+);
+
+/*
+ Finish function when there is no key
+*/
+void
+Hacl_Streaming_Blake2b_256_blake2b_256_no_key_finish(
+ Hacl_Streaming_Blake2b_256_blake2b_256_state *p,
+ uint8_t *dst
+);
+
+/*
+ Free state function when there is no key
+*/
+void
+Hacl_Streaming_Blake2b_256_blake2b_256_no_key_free(
+ Hacl_Streaming_Blake2b_256_blake2b_256_state *s
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Streaming_Blake2b_256_H_DEFINED
+#endif
diff --git a/include/msvc/Hacl_Streaming_Blake2s_128.h b/include/msvc/Hacl_Streaming_Blake2s_128.h
new file mode 100644
index 00000000..991b5ddc
--- /dev/null
+++ b/include/msvc/Hacl_Streaming_Blake2s_128.h
@@ -0,0 +1,105 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Streaming_Blake2s_128_H +#define __Hacl_Streaming_Blake2s_128_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Streaming_Blake2.h" +#include "Hacl_Spec.h" +#include "Hacl_Hash_Blake2s_128.h" +#include "Hacl_Hash_Blake2.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef struct Hacl_Streaming_Blake2s_128_blake2s_128_block_state_s +{ + Lib_IntVector_Intrinsics_vec128 *fst; + Lib_IntVector_Intrinsics_vec128 *snd; +} +Hacl_Streaming_Blake2s_128_blake2s_128_block_state; + +typedef struct Hacl_Streaming_Blake2s_128_blake2s_128_state_s +{ + Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state; + uint8_t *buf; + uint64_t total_len; +} +Hacl_Streaming_Blake2s_128_blake2s_128_state; + +/* + State allocation function when there is no key +*/ +Hacl_Streaming_Blake2s_128_blake2s_128_state +*Hacl_Streaming_Blake2s_128_blake2s_128_no_key_create_in(); + +/* + (Re-)initialization function when there is no key +*/ +void +Hacl_Streaming_Blake2s_128_blake2s_128_no_key_init( + Hacl_Streaming_Blake2s_128_blake2s_128_state *s +); + +/* + Update function when there is no key +*/ +void +Hacl_Streaming_Blake2s_128_blake2s_128_no_key_update( + Hacl_Streaming_Blake2s_128_blake2s_128_state *p, + uint8_t *data, + uint32_t len +); + +/* + Finish function when there is no key +*/ +void +Hacl_Streaming_Blake2s_128_blake2s_128_no_key_finish( + Hacl_Streaming_Blake2s_128_blake2s_128_state *p, + uint8_t *dst +); + +/* + Free state function when there is no key +*/ +void +Hacl_Streaming_Blake2s_128_blake2s_128_no_key_free( + Hacl_Streaming_Blake2s_128_blake2s_128_state *s +); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Streaming_Blake2s_128_H_DEFINED +#endif 
diff --git a/include/msvc/Hacl_Streaming_MD5.h b/include/msvc/Hacl_Streaming_MD5.h new file mode 100644 index 00000000..f8bb4ee4 --- /dev/null +++ b/include/msvc/Hacl_Streaming_MD5.h 
@@ -0,0 +1,64 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Streaming_MD5_H +#define __Hacl_Streaming_MD5_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Streaming_SHA2.h" +#include "Hacl_Hash_MD5.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef Hacl_Streaming_SHA2_state_sha2_224 Hacl_Streaming_MD5_state_md5; + +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_MD5_legacy_create_in_md5(); + +void Hacl_Streaming_MD5_legacy_init_md5(Hacl_Streaming_SHA2_state_sha2_224 *s); + +void +Hacl_Streaming_MD5_legacy_update_md5( + Hacl_Streaming_SHA2_state_sha2_224 *p, + uint8_t *data, + uint32_t len +); + +void Hacl_Streaming_MD5_legacy_finish_md5(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst); + +void Hacl_Streaming_MD5_legacy_free_md5(Hacl_Streaming_SHA2_state_sha2_224 *s); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Streaming_MD5_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Streaming_Poly1305_128.h b/include/msvc/Hacl_Streaming_Poly1305_128.h new file mode 100644 index 00000000..8e4bc864 --- /dev/null +++ b/include/msvc/Hacl_Streaming_Poly1305_128.h 
@@ -0,0 +1,76 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Streaming_Poly1305_128_H +#define __Hacl_Streaming_Poly1305_128_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Poly1305_128.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef struct Hacl_Streaming_Poly1305_128_poly1305_128_state_s +{ + Lib_IntVector_Intrinsics_vec128 *block_state; + uint8_t *buf; + uint64_t total_len; + uint8_t *p_key; +} +Hacl_Streaming_Poly1305_128_poly1305_128_state; + +Hacl_Streaming_Poly1305_128_poly1305_128_state +*Hacl_Streaming_Poly1305_128_create_in(uint8_t *k); + +void +Hacl_Streaming_Poly1305_128_init(uint8_t *k, Hacl_Streaming_Poly1305_128_poly1305_128_state *s); + +void +Hacl_Streaming_Poly1305_128_update( + Hacl_Streaming_Poly1305_128_poly1305_128_state *p, + uint8_t *data, + uint32_t len +); + +void +Hacl_Streaming_Poly1305_128_finish( + Hacl_Streaming_Poly1305_128_poly1305_128_state *p, + uint8_t *dst +); + +void Hacl_Streaming_Poly1305_128_free(Hacl_Streaming_Poly1305_128_poly1305_128_state *s); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Streaming_Poly1305_128_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Streaming_Poly1305_256.h b/include/msvc/Hacl_Streaming_Poly1305_256.h new file mode 100644 index 00000000..2049d759 --- /dev/null +++ b/include/msvc/Hacl_Streaming_Poly1305_256.h 
@@ -0,0 +1,76 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Streaming_Poly1305_256_H +#define __Hacl_Streaming_Poly1305_256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Poly1305_256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef struct Hacl_Streaming_Poly1305_256_poly1305_256_state_s +{ + Lib_IntVector_Intrinsics_vec256 *block_state; + uint8_t *buf; + uint64_t total_len; + uint8_t *p_key; +} +Hacl_Streaming_Poly1305_256_poly1305_256_state; + +Hacl_Streaming_Poly1305_256_poly1305_256_state +*Hacl_Streaming_Poly1305_256_create_in(uint8_t *k); + +void +Hacl_Streaming_Poly1305_256_init(uint8_t *k, Hacl_Streaming_Poly1305_256_poly1305_256_state *s); + +void +Hacl_Streaming_Poly1305_256_update( + Hacl_Streaming_Poly1305_256_poly1305_256_state *p, + uint8_t *data, + uint32_t len +); + +void +Hacl_Streaming_Poly1305_256_finish( + Hacl_Streaming_Poly1305_256_poly1305_256_state *p, + uint8_t *dst +); + +void Hacl_Streaming_Poly1305_256_free(Hacl_Streaming_Poly1305_256_poly1305_256_state *s); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Streaming_Poly1305_256_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Streaming_Poly1305_32.h b/include/msvc/Hacl_Streaming_Poly1305_32.h new file mode 100644 index 00000000..b08a73a5 --- /dev/null +++ b/include/msvc/Hacl_Streaming_Poly1305_32.h 
@@ -0,0 +1,75 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Streaming_Poly1305_32_H +#define __Hacl_Streaming_Poly1305_32_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Poly1305_32.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef struct Hacl_Streaming_Poly1305_32_poly1305_32_state_s +{ + uint64_t *block_state; + uint8_t *buf; + uint64_t total_len; + uint8_t *p_key; +} +Hacl_Streaming_Poly1305_32_poly1305_32_state; + +Hacl_Streaming_Poly1305_32_poly1305_32_state *Hacl_Streaming_Poly1305_32_create_in(uint8_t *k); + +void +Hacl_Streaming_Poly1305_32_init(uint8_t *k, Hacl_Streaming_Poly1305_32_poly1305_32_state *s); + +void +Hacl_Streaming_Poly1305_32_update( + Hacl_Streaming_Poly1305_32_poly1305_32_state *p, + uint8_t *data, + uint32_t len +); + +void +Hacl_Streaming_Poly1305_32_finish( + Hacl_Streaming_Poly1305_32_poly1305_32_state *p, + uint8_t *dst +); + +void Hacl_Streaming_Poly1305_32_free(Hacl_Streaming_Poly1305_32_poly1305_32_state *s); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Streaming_Poly1305_32_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Streaming_SHA1.h b/include/msvc/Hacl_Streaming_SHA1.h new file mode 100644 index 00000000..b9d636b6 --- /dev/null +++ b/include/msvc/Hacl_Streaming_SHA1.h 
@@ -0,0 +1,65 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Streaming_SHA1_H +#define __Hacl_Streaming_SHA1_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Streaming_SHA2.h" +#include "Hacl_Hash_SHA1.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef Hacl_Streaming_SHA2_state_sha2_224 Hacl_Streaming_SHA1_state_sha1; + +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA1_legacy_create_in_sha1(); + +void Hacl_Streaming_SHA1_legacy_init_sha1(Hacl_Streaming_SHA2_state_sha2_224 *s); + +void +Hacl_Streaming_SHA1_legacy_update_sha1( + Hacl_Streaming_SHA2_state_sha2_224 *p, + uint8_t *data, + uint32_t len +); + +void +Hacl_Streaming_SHA1_legacy_finish_sha1(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst); + +void Hacl_Streaming_SHA1_legacy_free_sha1(Hacl_Streaming_SHA2_state_sha2_224 *s); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Streaming_SHA1_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Streaming_SHA2.h b/include/msvc/Hacl_Streaming_SHA2.h new file mode 100644 index 00000000..377c2be1 --- /dev/null +++ b/include/msvc/Hacl_Streaming_SHA2.h 
@@ -0,0 +1,127 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Hacl_Streaming_SHA2_H +#define __Hacl_Streaming_SHA2_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Kremlib.h" +#include "Hacl_Hash_SHA2.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef struct Hacl_Streaming_SHA2_state_sha2_224_s +{ + uint32_t *block_state; + uint8_t *buf; + uint64_t total_len; +} +Hacl_Streaming_SHA2_state_sha2_224; + +typedef Hacl_Streaming_SHA2_state_sha2_224 Hacl_Streaming_SHA2_state_sha2_256; + +typedef struct Hacl_Streaming_SHA2_state_sha2_384_s +{ + uint64_t *block_state; + uint8_t *buf; + uint64_t total_len; +} +Hacl_Streaming_SHA2_state_sha2_384; + +typedef Hacl_Streaming_SHA2_state_sha2_384 Hacl_Streaming_SHA2_state_sha2_512; + +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_224(); + +void Hacl_Streaming_SHA2_init_224(Hacl_Streaming_SHA2_state_sha2_224 *s); + +void +Hacl_Streaming_SHA2_update_224( + Hacl_Streaming_SHA2_state_sha2_224 *p, + uint8_t *data, + uint32_t len +); + +void Hacl_Streaming_SHA2_finish_224(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst); + +void Hacl_Streaming_SHA2_free_224(Hacl_Streaming_SHA2_state_sha2_224 *s); + +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_256(); + +void Hacl_Streaming_SHA2_init_256(Hacl_Streaming_SHA2_state_sha2_224 *s); + +void +Hacl_Streaming_SHA2_update_256( + Hacl_Streaming_SHA2_state_sha2_224 *p, + uint8_t *data, + uint32_t len +); + +void Hacl_Streaming_SHA2_finish_256(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst); + +void Hacl_Streaming_SHA2_free_256(Hacl_Streaming_SHA2_state_sha2_224 *s); + +Hacl_Streaming_SHA2_state_sha2_384 *Hacl_Streaming_SHA2_create_in_384(); + +void Hacl_Streaming_SHA2_init_384(Hacl_Streaming_SHA2_state_sha2_384 *s); + +void +Hacl_Streaming_SHA2_update_384( + Hacl_Streaming_SHA2_state_sha2_384 *p, + uint8_t *data, + 
uint32_t len +); + +void Hacl_Streaming_SHA2_finish_384(Hacl_Streaming_SHA2_state_sha2_384 *p, uint8_t *dst); + +void Hacl_Streaming_SHA2_free_384(Hacl_Streaming_SHA2_state_sha2_384 *s); + +Hacl_Streaming_SHA2_state_sha2_384 *Hacl_Streaming_SHA2_create_in_512(); + +void Hacl_Streaming_SHA2_init_512(Hacl_Streaming_SHA2_state_sha2_384 *s); + +void +Hacl_Streaming_SHA2_update_512( + Hacl_Streaming_SHA2_state_sha2_384 *p, + uint8_t *data, + uint32_t len +); + +void Hacl_Streaming_SHA2_finish_512(Hacl_Streaming_SHA2_state_sha2_384 *p, uint8_t *dst); + +void Hacl_Streaming_SHA2_free_512(Hacl_Streaming_SHA2_state_sha2_384 *s); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Streaming_SHA2_H_DEFINED +#endif diff --git a/include/msvc/Lib_Memzero0.h b/include/msvc/Lib_Memzero0.h new file mode 100644 index 00000000..978f2139 --- /dev/null +++ b/include/msvc/Lib_Memzero0.h 
@@ -0,0 +1,48 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Lib_Memzero0_H +#define __Lib_Memzero0_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +extern void Lib_Memzero0_memzero(void *x0, uint64_t x1); + +#if defined(__cplusplus) +} +#endif + +#define __Lib_Memzero0_H_DEFINED +#endif diff --git a/include/msvc/Lib_PrintBuffer.h b/include/msvc/Lib_PrintBuffer.h new file mode 100644 index 00000000..0d6a3ef3 --- /dev/null +++ b/include/msvc/Lib_PrintBuffer.h 
@@ -0,0 +1,56 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Lib_PrintBuffer_H +#define __Lib_PrintBuffer_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +extern void Lib_PrintBuffer_print_bytes(uint32_t len, uint8_t *buf); + +extern void Lib_PrintBuffer_print_compare(uint32_t len, uint8_t *buf0, uint8_t *buf1); + +extern void +Lib_PrintBuffer_print_compare_display(uint32_t len, const uint8_t *buf0, const uint8_t *buf1); + +extern bool +Lib_PrintBuffer_result_compare_display(uint32_t len, const uint8_t *buf0, const uint8_t *buf1); + +#if defined(__cplusplus) +} +#endif + +#define __Lib_PrintBuffer_H_DEFINED +#endif 
diff --git a/include/msvc/Lib_RandomBuffer_System.h b/include/msvc/Lib_RandomBuffer_System.h new file mode 100644 index 00000000..7045e7bb --- /dev/null +++ b/include/msvc/Lib_RandomBuffer_System.h 
@@ -0,0 +1,54 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Lib_RandomBuffer_System_H +#define __Lib_RandomBuffer_System_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +KRML_DEPRECATED("random_crypto") + +extern bool Lib_RandomBuffer_System_randombytes(uint8_t *buf, uint32_t len); + +extern void *Lib_RandomBuffer_System_entropy_p; + +extern void Lib_RandomBuffer_System_crypto_random(uint8_t *buf, uint32_t len); + +#if defined(__cplusplus) +} +#endif + +#define __Lib_RandomBuffer_System_H_DEFINED +#endif diff --git a/include/msvc/MerkleTree.h b/include/msvc/MerkleTree.h new file mode 100644 index 00000000..39692df7 --- /dev/null 
+++ b/include/msvc/MerkleTree.h 
@@ -0,0 +1,550 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __MerkleTree_H +#define __MerkleTree_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "Hacl_Spec.h" +#include "EverCrypt_Hash.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef struct LowStar_Vector_vector_str___uint8_t__s +{ + uint32_t sz; + uint32_t cap; + uint8_t **vs; +} +LowStar_Vector_vector_str___uint8_t_; + +typedef uint32_t hash_size_t; + +typedef uint64_t offset_t; + +typedef uint32_t index_t; + +typedef struct MerkleTree_Low_path_s +{ + uint32_t hash_size; + LowStar_Vector_vector_str___uint8_t_ hashes; +} +MerkleTree_Low_path; + +typedef MerkleTree_Low_path path; + +typedef MerkleTree_Low_path *path_p; + +typedef const MerkleTree_Low_path *const_path_p; + +typedef struct LowStar_Vector_vector_str__LowStar_Vector_vector_str___uint8_t__s +{ + uint32_t sz; + uint32_t cap; + LowStar_Vector_vector_str___uint8_t_ *vs; +} +LowStar_Vector_vector_str__LowStar_Vector_vector_str___uint8_t_; + +typedef struct MerkleTree_Low_merkle_tree_s +{ + uint32_t hash_size; + uint64_t offset; + uint32_t i; + uint32_t j; + LowStar_Vector_vector_str__LowStar_Vector_vector_str___uint8_t_ hs; + bool rhs_ok; + LowStar_Vector_vector_str___uint8_t_ rhs; + uint8_t *mroot; + void (*hash_fun)(uint8_t *x0, uint8_t *x1, uint8_t *x2); +} +MerkleTree_Low_merkle_tree; + +typedef MerkleTree_Low_merkle_tree merkle_tree; + +typedef MerkleTree_Low_merkle_tree *mt_p; + +typedef const MerkleTree_Low_merkle_tree *const_mt_p; + +/* + Constructor for hashes +*/ +uint8_t *mt_init_hash(uint32_t hash_size); + +/* + Destructor for hashes +*/ +void mt_free_hash(uint8_t *h); + +/* + Constructor for paths +*/ +MerkleTree_Low_path *mt_init_path(uint32_t hash_size); + +/* + Destructor for paths +*/ +void mt_free_path(MerkleTree_Low_path *path1); + +/* + Length of a path + + @param[in] p Path + + return The length of the path 
+*/ +uint32_t mt_get_path_length(const MerkleTree_Low_path *path1); + +/* + Insert hash into path + + @param[in] p Path + @param[in] hash Hash to insert +*/ +void mt_path_insert(MerkleTree_Low_path *path1, uint8_t *hash1); + +/* + Get step on a path + + @param[in] p Path + @param[in] i Path step index + + return The hash at step i of p +*/ +uint8_t *mt_get_path_step(const MerkleTree_Low_path *path1, uint32_t i); + +/* + Precondition predicate for mt_get_path_step +*/ +bool mt_get_path_step_pre(const MerkleTree_Low_path *path1, uint32_t i); + +/* + Construction with custom hash functions + + @param[in] hash_size Hash size (in bytes) + @param[in] i The initial hash + + return The new Merkle tree +*/ +MerkleTree_Low_merkle_tree +*mt_create_custom( + uint32_t hash_size, + uint8_t *i, + void (*hash_fun)(uint8_t *x0, uint8_t *x1, uint8_t *x2) +); + +/* + Destruction + + @param[in] mt The Merkle tree +*/ +void mt_free(MerkleTree_Low_merkle_tree *mt); + +/* + Insertion + + @param[in] mt The Merkle tree + @param[in] v The tree does not take ownership of the hash, it makes a copy of its content. + + Note: The content of the hash will be overwritten with an arbitrary value. +*/ +void mt_insert(MerkleTree_Low_merkle_tree *mt, uint8_t *v); + +/* + Precondition predicate for mt_insert +*/ +bool mt_insert_pre(const MerkleTree_Low_merkle_tree *mt, uint8_t *v); + +/* + Getting the Merkle root + + @param[in] mt The Merkle tree + @param[out] root The Merkle root +*/ +void mt_get_root(const MerkleTree_Low_merkle_tree *mt, uint8_t *root); + +/* + Precondition predicate for mt_get_root +*/ +bool mt_get_root_pre(const MerkleTree_Low_merkle_tree *mt, uint8_t *root); + +/* + Getting a Merkle path + + @param[in] mt The Merkle tree + @param[in] idx The index of the target hash + @param[out] path A resulting Merkle path that contains the leaf hash. 
+ @param[out] root The Merkle root + + return The number of elements in the tree + + Notes: + - The resulting path contains pointers to hashes in the tree, not copies of + the hash values. + - idx must be within the currently held indices in the tree (past the + last flush index). +*/ +uint32_t +mt_get_path( + const MerkleTree_Low_merkle_tree *mt, + uint64_t idx, + MerkleTree_Low_path *path1, + uint8_t *root +); + +/* + Precondition predicate for mt_get_path +*/ +bool +mt_get_path_pre( + const MerkleTree_Low_merkle_tree *mt, + uint64_t idx, + const MerkleTree_Low_path *path1, + uint8_t *root +); + +/* + Flush the Merkle tree + + @param[in] mt The Merkle tree +*/ +void mt_flush(MerkleTree_Low_merkle_tree *mt); + +/* + Precondition predicate for mt_flush +*/ +bool mt_flush_pre(const MerkleTree_Low_merkle_tree *mt); + +/* + Flush the Merkle tree up to a given index + + @param[in] mt The Merkle tree + @param[in] idx The index up to which to flush the tree +*/ +void mt_flush_to(MerkleTree_Low_merkle_tree *mt, uint64_t idx); + +/* + Precondition predicate for mt_flush_to +*/ +bool mt_flush_to_pre(const MerkleTree_Low_merkle_tree *mt, uint64_t idx); + +/* + Retract the Merkle tree down to a given index + + @param[in] mt The Merkle tree + @param[in] idx The index to retract the tree to + + Note: The element and idx will remain in the tree. +*/ +void mt_retract_to(MerkleTree_Low_merkle_tree *mt, uint64_t idx); + +/* + Precondition predicate for mt_retract_to +*/ +bool mt_retract_to_pre(const MerkleTree_Low_merkle_tree *mt, uint64_t idx); + +/* + Client-side verification + + @param[in] mt The Merkle tree + @param[in] tgt The index of the target hash + @param[in] max The maximum index + 1 of the tree when the path was generated + @param[in] path The Merkle path to verify + @param[in] root + + return true if the verification succeeded, false otherwise + + Note: max - tgt must be less than 2^32. 
+*/
+bool
+mt_verify(
+ const MerkleTree_Low_merkle_tree *mt,
+ uint64_t tgt,
+ uint64_t max,
+ const MerkleTree_Low_path *path1,
+ uint8_t *root
+);
+
+/*
+ Precondition predicate for mt_verify
+*/
+bool
+mt_verify_pre(
+ const MerkleTree_Low_merkle_tree *mt,
+ uint64_t tgt,
+ uint64_t max,
+ const MerkleTree_Low_path *path1,
+ uint8_t *root
+);
+
+/*
+ Serialization size
+
+ @param[in] mt The Merkle tree
+
+ return the number of bytes required to serialize the tree
+*/
+uint64_t mt_serialize_size(const MerkleTree_Low_merkle_tree *mt);
+
+/*
+ Merkle tree serialization
+
+ @param[in] mt The Merkle tree
+ @param[out] buf The buffer to serialize the tree into
+ @param[in] len Length of buf
+
+ return the number of bytes written
+
+ Note: buf must be a buffer of size mt_serialize_size(mt) or larger, but
+ smaller than 2^32 (larger buffers are currently not supported).
+*/
+uint64_t mt_serialize(const MerkleTree_Low_merkle_tree *mt, uint8_t *buf, uint64_t len);
+
+/*
+ Merkle tree deserialization
+
+ @param[in] expected_hash_size Expected hash size to match hash_fun
+ @param[in] buf The buffer to deserialize the tree from
+ @param[in] len Length of buf
+ @param[in] hash_fun Hash function
+
+ return pointer to the new tree if successful, NULL otherwise
+
+ Note: buf must point to an allocated buffer.
+*/
+MerkleTree_Low_merkle_tree
+*mt_deserialize(
+ const uint8_t *buf,
+ uint64_t len,
+ void (*hash_fun)(uint8_t *x0, uint8_t *x1, uint8_t *x2)
+);
+
+/*
+ Path serialization
+
+ @param[in] path The path
+ @param[out] buf The buffer to serialize the path into
+ @param[in] len Length of buf
+
+ return the number of bytes written
+*/
+uint64_t mt_serialize_path(const MerkleTree_Low_path *path1, uint8_t *buf, uint64_t len);
+
+/*
+ Path deserialization
+
+ @param[in] buf The buffer to deserialize the path from
+ @param[in] len Length of buf
+
+ return pointer to the new path if successful, NULL otherwise
+
+ Note: buf must point to an allocated buffer.
+*/
+MerkleTree_Low_path *mt_deserialize_path(const uint8_t *buf, uint64_t len);
+
+typedef MerkleTree_Low_merkle_tree *mt_p0;
+
+/*
+ Default hash function
+*/
+void mt_sha256_compress(uint8_t *src1, uint8_t *src2, uint8_t *dst);
+
+/*
+ Construction wired to sha256 from EverCrypt
+
+ @param[in] init The initial hash
+*/
+MerkleTree_Low_merkle_tree *mt_create(uint8_t *init);
+
+typedef uint32_t MerkleTree_Low_index_t;
+
+extern uint32_t MerkleTree_Low_uint32_32_max;
+
+extern uint64_t MerkleTree_Low_uint32_max;
+
+extern uint64_t MerkleTree_Low_uint64_max;
+
+extern uint64_t MerkleTree_Low_offset_range_limit;
+
+typedef uint64_t MerkleTree_Low_offset_t;
+
+extern uint32_t MerkleTree_Low_merkle_tree_size_lg;
+
+bool MerkleTree_Low_uu___is_MT(MerkleTree_Low_merkle_tree projectee);
+
+typedef MerkleTree_Low_merkle_tree *MerkleTree_Low_mt_p;
+
+typedef const MerkleTree_Low_merkle_tree *MerkleTree_Low_const_mt_p;
+
+bool
+MerkleTree_Low_merkle_tree_conditions(
+ uint64_t offset,
+ uint32_t i,
+ uint32_t j,
+ LowStar_Vector_vector_str__LowStar_Vector_vector_str___uint8_t_ hs,
+ bool rhs_ok,
+ LowStar_Vector_vector_str___uint8_t_ rhs,
+ uint8_t *mroot
+);
+
+uint32_t MerkleTree_Low_offset_of(uint32_t i);
+
+void MerkleTree_Low_mt_free(MerkleTree_Low_merkle_tree *mt);
+
+bool MerkleTree_Low_mt_insert_pre(const MerkleTree_Low_merkle_tree *mt, uint8_t *v);
+
+void MerkleTree_Low_mt_insert(MerkleTree_Low_merkle_tree *mt, uint8_t *v);
+
+MerkleTree_Low_merkle_tree
+*MerkleTree_Low_mt_create_custom(
+ uint32_t hsz,
+ uint8_t *init,
+ void (*hash_fun)(uint8_t *x0, uint8_t *x1, uint8_t *x2)
+);
+
+bool MerkleTree_Low_uu___is_Path(MerkleTree_Low_path projectee);
+
+typedef MerkleTree_Low_path *MerkleTree_Low_path_p;
+
+typedef const MerkleTree_Low_path *MerkleTree_Low_const_path_p;
+
+MerkleTree_Low_path *MerkleTree_Low_init_path(uint32_t hsz);
+
+void MerkleTree_Low_clear_path(MerkleTree_Low_path *p);
+
+void MerkleTree_Low_free_path(MerkleTree_Low_path *p);
+
+bool
MerkleTree_Low_mt_get_root_pre(const MerkleTree_Low_merkle_tree *mt, uint8_t *rt);
+
+void MerkleTree_Low_mt_get_root(const MerkleTree_Low_merkle_tree *mt, uint8_t *rt);
+
+void MerkleTree_Low_mt_path_insert(uint32_t hsz, MerkleTree_Low_path *p, uint8_t *hp);
+
+uint32_t MerkleTree_Low_mt_get_path_length(const MerkleTree_Low_path *p);
+
+bool MerkleTree_Low_mt_get_path_step_pre(const MerkleTree_Low_path *p, uint32_t i);
+
+uint8_t *MerkleTree_Low_mt_get_path_step(const MerkleTree_Low_path *p, uint32_t i);
+
+bool
+MerkleTree_Low_mt_get_path_pre(
+ const MerkleTree_Low_merkle_tree *mt,
+ uint64_t idx,
+ const MerkleTree_Low_path *p,
+ uint8_t *root
+);
+
+uint32_t
+MerkleTree_Low_mt_get_path(
+ const MerkleTree_Low_merkle_tree *mt,
+ uint64_t idx,
+ MerkleTree_Low_path *p,
+ uint8_t *root
+);
+
+bool MerkleTree_Low_mt_flush_to_pre(const MerkleTree_Low_merkle_tree *mt, uint64_t idx);
+
+void MerkleTree_Low_mt_flush_to(MerkleTree_Low_merkle_tree *mt, uint64_t idx);
+
+bool MerkleTree_Low_mt_flush_pre(const MerkleTree_Low_merkle_tree *mt);
+
+void MerkleTree_Low_mt_flush(MerkleTree_Low_merkle_tree *mt);
+
+bool MerkleTree_Low_mt_retract_to_pre(const MerkleTree_Low_merkle_tree *mt, uint64_t r);
+
+void MerkleTree_Low_mt_retract_to(MerkleTree_Low_merkle_tree *mt, uint64_t r);
+
+bool
+MerkleTree_Low_mt_verify_pre(
+ const MerkleTree_Low_merkle_tree *mt,
+ uint64_t k,
+ uint64_t j,
+ const MerkleTree_Low_path *p,
+ uint8_t *rt
+);
+
+bool
+MerkleTree_Low_mt_verify(
+ const MerkleTree_Low_merkle_tree *mt,
+ uint64_t k,
+ uint64_t j,
+ const MerkleTree_Low_path *p,
+ uint8_t *rt
+);
+
+typedef uint8_t MerkleTree_Low_Serialization_uint8_t;
+
+typedef uint16_t MerkleTree_Low_Serialization_uint16_t;
+
+typedef uint32_t MerkleTree_Low_Serialization_uint32_t;
+
+typedef uint64_t MerkleTree_Low_Serialization_uint64_t;
+
+typedef uint8_t *MerkleTree_Low_Serialization_uint8_p;
+
+typedef const uint8_t *MerkleTree_Low_Serialization_const_uint8_p;
+
+uint64_t
MerkleTree_Low_Serialization_mt_serialize_size(const MerkleTree_Low_merkle_tree *mt);
+
+uint64_t
+MerkleTree_Low_Serialization_mt_serialize(
+ const MerkleTree_Low_merkle_tree *mt,
+ uint8_t *output,
+ uint64_t sz
+);
+
+MerkleTree_Low_merkle_tree
+*MerkleTree_Low_Serialization_mt_deserialize(
+ const uint8_t *input,
+ uint64_t sz,
+ void (*hash_fun)(uint8_t *x0, uint8_t *x1, uint8_t *x2)
+);
+
+uint64_t
+MerkleTree_Low_Serialization_mt_serialize_path(
+ const MerkleTree_Low_path *p,
+ uint8_t *output,
+ uint64_t sz
+);
+
+MerkleTree_Low_path
+*MerkleTree_Low_Serialization_mt_deserialize_path(const uint8_t *input, uint64_t sz);
+
+uint8_t *MerkleTree_Low_Hashfunctions_init_hash(uint32_t hsz);
+
+void MerkleTree_Low_Hashfunctions_free_hash(uint8_t *h);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __MerkleTree_H_DEFINED
+#endif
diff --git a/include/msvc/TestLib.h b/include/msvc/TestLib.h
new file mode 100644
index 00000000..71e516e8
--- /dev/null
+++ b/include/msvc/TestLib.h
@@ -0,0 +1,91 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __TestLib_H
+#define __TestLib_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+extern void TestLib_touch(int32_t uu___);
+
+extern void TestLib_check(bool uu___);
+
+extern void TestLib_check8(int8_t uu___, int8_t uu___1);
+
+extern void TestLib_check16(int16_t uu___, int16_t uu___1);
+
+extern void TestLib_check32(int32_t uu___, int32_t uu___1);
+
+extern void TestLib_check64(int64_t uu___, int64_t uu___1);
+
+extern void TestLib_checku8(uint8_t uu___, uint8_t uu___1);
+
+extern void TestLib_checku16(uint16_t uu___, uint16_t uu___1);
+
+extern void TestLib_checku32(uint32_t uu___, uint32_t uu___1);
+
+extern void TestLib_checku64(uint64_t uu___, uint64_t uu___1);
+
+extern void TestLib_compare_and_print(C_String_t uu___, uint8_t *b1, uint8_t *b2, uint32_t l);
+
+extern uint8_t *TestLib_unsafe_malloc(uint32_t l);
+
+extern void TestLib_perr(uint32_t uu___);
+
+extern void TestLib_print_clock_diff(clock_t uu___, clock_t uu___1);
+
+KRML_DEPRECATED("p_null from TestLib; use LowStar.Buffer.null instead")
+
+extern uint8_t *TestLib_uint8_p_null;
+
+KRML_DEPRECATED("p_null from TestLib; use LowStar.Buffer.null instead")
+
+extern uint32_t *TestLib_uint32_p_null;
+
+KRML_DEPRECATED("p_null from TestLib; use LowStar.Buffer.null instead")
+
+extern uint64_t *TestLib_uint64_p_null;
+
+extern TestLib_cycles TestLib_cpucycles();
+
+extern void
+TestLib_print_cycles_per_round(TestLib_cycles uu___, TestLib_cycles uu___1, uint32_t uu___2);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __TestLib_H_DEFINED
+#endif
diff --git a/include/msvc/curve25519-inline.h b/include/msvc/curve25519-inline.h
new file mode 100644
index 00000000..e69f7a59
--- /dev/null
+++ b/include/msvc/curve25519-inline.h
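Review bot: `extern TestLib_cycles TestLib_cpucycles();` declares a function with an unspecified parameter list, so under C11 a call that passes arguments compiles silently; the definition presumably takes none, and the prototype should say so: `extern TestLib_cycles TestLib_cpucycles(void);`. `TestLib_cycles` is not defined anywhere in this header and is presumably supplied by one of the kremlin includes — worth confirming, since the bare `#include` near the top has lost its header name in this rendering. This header looks generated (the `__TestLib_H` guard is a reserved identifier and the `uu___` parameter names are KReMLin's), so the change belongs in the generator's output rather than in a hand edit of this file.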
@@ -0,0 +1,751 @@ +#ifdef __GNUC__ +#if defined(__x86_64__) || defined(_M_X64) +#pragma once +#include + +// Computes the addition of four-element f1 with value in f2 +// and returns the carry (if any) +static inline uint64_t add_scalar (uint64_t *out, uint64_t *f1, uint64_t f2) +{ + uint64_t carry_r; + + asm volatile( + // Clear registers to propagate the carry bit + " xor %%r8d, %%r8d;" + " xor %%r9d, %%r9d;" + " xor %%r10d, %%r10d;" + " xor %%r11d, %%r11d;" + " xor %k1, %k1;" + + // Begin addition chain + " addq 0(%3), %0;" + " movq %0, 0(%2);" + " adcxq 8(%3), %%r8;" + " movq %%r8, 8(%2);" + " adcxq 16(%3), %%r9;" + " movq %%r9, 16(%2);" + " adcxq 24(%3), %%r10;" + " movq %%r10, 24(%2);" + + // Return the carry bit in a register + " adcx %%r11, %1;" + : "+&r" (f2), "=&r" (carry_r) + : "r" (out), "r" (f1) + : "%r8", "%r9", "%r10", "%r11", "memory", "cc" + ); + + return carry_r; +} + +// Computes the field addition of two field elements +static inline void fadd (uint64_t *out, uint64_t *f1, uint64_t *f2) +{ + asm volatile( + // Compute the raw addition of f1 + f2 + " movq 0(%0), %%r8;" + " addq 0(%2), %%r8;" + " movq 8(%0), %%r9;" + " adcxq 8(%2), %%r9;" + " movq 16(%0), %%r10;" + " adcxq 16(%2), %%r10;" + " movq 24(%0), %%r11;" + " adcxq 24(%2), %%r11;" + + /////// Wrap the result back into the field ////// + + // Step 1: Compute carry*38 + " mov $0, %%rax;" + " mov $38, %0;" + " cmovc %0, %%rax;" + + // Step 2: Add carry*38 to the original sum + " xor %%ecx, %%ecx;" + " add %%rax, %%r8;" + " adcx %%rcx, %%r9;" + " movq %%r9, 8(%1);" + " adcx %%rcx, %%r10;" + " movq %%r10, 16(%1);" + " adcx %%rcx, %%r11;" + " movq %%r11, 24(%1);" + + // Step 3: Fold the carry bit back in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %0, %%rax;" + " add %%rax, %%r8;" + " movq %%r8, 0(%1);" + : "+&r" (f2) + : "r" (out), "r" (f1) + : "%rax", "%rcx", "%r8", "%r9", "%r10", "%r11", "memory", "cc" + ); +} + +// Computes the field substraction of two field 
elements +static inline void fsub (uint64_t *out, uint64_t *f1, uint64_t *f2) +{ + asm volatile( + // Compute the raw substraction of f1-f2 + " movq 0(%1), %%r8;" + " subq 0(%2), %%r8;" + " movq 8(%1), %%r9;" + " sbbq 8(%2), %%r9;" + " movq 16(%1), %%r10;" + " sbbq 16(%2), %%r10;" + " movq 24(%1), %%r11;" + " sbbq 24(%2), %%r11;" + + /////// Wrap the result back into the field ////// + + // Step 1: Compute carry*38 + " mov $0, %%rax;" + " mov $38, %%rcx;" + " cmovc %%rcx, %%rax;" + + // Step 2: Substract carry*38 from the original difference + " sub %%rax, %%r8;" + " sbb $0, %%r9;" + " sbb $0, %%r10;" + " sbb $0, %%r11;" + + // Step 3: Fold the carry bit back in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %%rcx, %%rax;" + " sub %%rax, %%r8;" + + // Store the result + " movq %%r8, 0(%0);" + " movq %%r9, 8(%0);" + " movq %%r10, 16(%0);" + " movq %%r11, 24(%0);" + : + : "r" (out), "r" (f1), "r" (f2) + : "%rax", "%rcx", "%r8", "%r9", "%r10", "%r11", "memory", "cc" + ); +} + +// Computes a field multiplication: out <- f1 * f2 +// Uses the 8-element buffer tmp for intermediate results +static inline void fmul (uint64_t *out, uint64_t *f1, uint64_t *f2, uint64_t *tmp) +{ + asm volatile( + + /////// Compute the raw multiplication: tmp <- src1 * src2 ////// + + // Compute src1[0] * src2 + " movq 0(%0), %%rdx;" + " mulxq 0(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " movq %%r8, 0(%2);" + " mulxq 8(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " movq %%r10, 8(%2);" + " mulxq 16(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" + " mulxq 24(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " mov $0, %%rax;" + " adox %%rdx, %%rax;" + + // Compute src1[1] * src2 + " movq 8(%0), %%rdx;" + " mulxq 0(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 8(%2), %%r8;" " movq %%r8, 8(%2);" + " mulxq 8(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 16(%2);" + " mulxq 16(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;" + " 
mulxq 24(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;" + " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" + + + // Compute src1[2] * src2 + " movq 16(%0), %%rdx;" + " mulxq 0(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 16(%2), %%r8;" " movq %%r8, 16(%2);" + " mulxq 8(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 24(%2);" + " mulxq 16(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;" + " mulxq 24(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;" + " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" + + + // Compute src1[3] * src2 + " movq 24(%0), %%rdx;" + " mulxq 0(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 24(%2), %%r8;" " movq %%r8, 24(%2);" + " mulxq 8(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 32(%2);" + " mulxq 16(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " movq %%rbx, 40(%2);" " mov $0, %%r8;" + " mulxq 24(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " movq %%r14, 48(%2);" " mov $0, %%rax;" + " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" " movq %%rax, 56(%2);" + + // Line up pointers + " mov %2, %0;" + " mov %3, %2;" + + /////// Wrap the result back into the field ////// + + // Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + " mov $38, %%rdx;" + " mulxq 32(%0), %%r8, %%r13;" + " xor %k1, %k1;" + " adoxq 0(%0), %%r8;" + " mulxq 40(%0), %%r9, %%rbx;" + " adcx %%r13, %%r9;" + " adoxq 8(%0), %%r9;" + " mulxq 48(%0), %%r10, %%r13;" + " adcx %%rbx, %%r10;" + " adoxq 16(%0), %%r10;" + " mulxq 56(%0), %%r11, %%rax;" + " adcx %%r13, %%r11;" + " adoxq 24(%0), %%r11;" + " adcx %1, %%rax;" + " adox %1, %%rax;" + " imul %%rdx, %%rax;" + + // Step 2: Fold the carry back into dst + " add %%rax, %%r8;" + " adcx %1, %%r9;" + " movq %%r9, 8(%2);" + " adcx %1, %%r10;" + " movq %%r10, 16(%2);" + " adcx %1, %%r11;" + " movq %%r11, 24(%2);" + + // Step 3: Fold the carry bit back 
in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %%rdx, %%rax;" + " add %%rax, %%r8;" + " movq %%r8, 0(%2);" + : "+&r" (f1), "+&r" (f2), "+&r" (tmp) + : "r" (out) + : "%rax", "%rbx", "%rdx", "%r8", "%r9", "%r10", "%r11", "%r13", "%r14", "memory", "cc" + ); +} + +// Computes two field multiplications: +// out[0] <- f1[0] * f2[0] +// out[1] <- f1[1] * f2[1] +// Uses the 16-element buffer tmp for intermediate results: +static inline void fmul2 (uint64_t *out, uint64_t *f1, uint64_t *f2, uint64_t *tmp) +{ + asm volatile( + + /////// Compute the raw multiplication tmp[0] <- f1[0] * f2[0] ////// + + // Compute src1[0] * src2 + " movq 0(%0), %%rdx;" + " mulxq 0(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " movq %%r8, 0(%2);" + " mulxq 8(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " movq %%r10, 8(%2);" + " mulxq 16(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" + " mulxq 24(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " mov $0, %%rax;" + " adox %%rdx, %%rax;" + + // Compute src1[1] * src2 + " movq 8(%0), %%rdx;" + " mulxq 0(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 8(%2), %%r8;" " movq %%r8, 8(%2);" + " mulxq 8(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 16(%2);" + " mulxq 16(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;" + " mulxq 24(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;" + " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" + + + // Compute src1[2] * src2 + " movq 16(%0), %%rdx;" + " mulxq 0(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 16(%2), %%r8;" " movq %%r8, 16(%2);" + " mulxq 8(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 24(%2);" + " mulxq 16(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;" + " mulxq 24(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;" + " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" + + + // Compute src1[3] * src2 + " movq 24(%0), 
%%rdx;" + " mulxq 0(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 24(%2), %%r8;" " movq %%r8, 24(%2);" + " mulxq 8(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 32(%2);" + " mulxq 16(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " movq %%rbx, 40(%2);" " mov $0, %%r8;" + " mulxq 24(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " movq %%r14, 48(%2);" " mov $0, %%rax;" + " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" " movq %%rax, 56(%2);" + + /////// Compute the raw multiplication tmp[1] <- f1[1] * f2[1] ////// + + // Compute src1[0] * src2 + " movq 32(%0), %%rdx;" + " mulxq 32(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " movq %%r8, 64(%2);" + " mulxq 40(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " movq %%r10, 72(%2);" + " mulxq 48(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" + " mulxq 56(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " mov $0, %%rax;" + " adox %%rdx, %%rax;" + + // Compute src1[1] * src2 + " movq 40(%0), %%rdx;" + " mulxq 32(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 72(%2), %%r8;" " movq %%r8, 72(%2);" + " mulxq 40(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 80(%2);" + " mulxq 48(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;" + " mulxq 56(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;" + " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" + + + // Compute src1[2] * src2 + " movq 48(%0), %%rdx;" + " mulxq 32(%1), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 80(%2), %%r8;" " movq %%r8, 80(%2);" + " mulxq 40(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 88(%2);" + " mulxq 48(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;" + " mulxq 56(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;" + " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" + + + // Compute src1[3] * src2 + " movq 56(%0), %%rdx;" + " mulxq 32(%1), %%r8, 
%%r9;" " xor %%r10d, %%r10d;" " adcxq 88(%2), %%r8;" " movq %%r8, 88(%2);" + " mulxq 40(%1), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 96(%2);" + " mulxq 48(%1), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " movq %%rbx, 104(%2);" " mov $0, %%r8;" + " mulxq 56(%1), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " movq %%r14, 112(%2);" " mov $0, %%rax;" + " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" " movq %%rax, 120(%2);" + + // Line up pointers + " mov %2, %0;" + " mov %3, %2;" + + /////// Wrap the results back into the field ////// + + // Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + " mov $38, %%rdx;" + " mulxq 32(%0), %%r8, %%r13;" + " xor %k1, %k1;" + " adoxq 0(%0), %%r8;" + " mulxq 40(%0), %%r9, %%rbx;" + " adcx %%r13, %%r9;" + " adoxq 8(%0), %%r9;" + " mulxq 48(%0), %%r10, %%r13;" + " adcx %%rbx, %%r10;" + " adoxq 16(%0), %%r10;" + " mulxq 56(%0), %%r11, %%rax;" + " adcx %%r13, %%r11;" + " adoxq 24(%0), %%r11;" + " adcx %1, %%rax;" + " adox %1, %%rax;" + " imul %%rdx, %%rax;" + + // Step 2: Fold the carry back into dst + " add %%rax, %%r8;" + " adcx %1, %%r9;" + " movq %%r9, 8(%2);" + " adcx %1, %%r10;" + " movq %%r10, 16(%2);" + " adcx %1, %%r11;" + " movq %%r11, 24(%2);" + + // Step 3: Fold the carry bit back in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %%rdx, %%rax;" + " add %%rax, %%r8;" + " movq %%r8, 0(%2);" + + // Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + " mov $38, %%rdx;" + " mulxq 96(%0), %%r8, %%r13;" + " xor %k1, %k1;" + " adoxq 64(%0), %%r8;" + " mulxq 104(%0), %%r9, %%rbx;" + " adcx %%r13, %%r9;" + " adoxq 72(%0), %%r9;" + " mulxq 112(%0), %%r10, %%r13;" + " adcx %%rbx, %%r10;" + " adoxq 80(%0), %%r10;" + " mulxq 120(%0), %%r11, %%rax;" + " adcx %%r13, %%r11;" + " adoxq 88(%0), %%r11;" + " adcx %1, %%rax;" + " adox %1, %%rax;" + " imul %%rdx, %%rax;" + + // Step 2: Fold the carry back into dst + " add %%rax, %%r8;" + " adcx %1, %%r9;" + " movq 
%%r9, 40(%2);" + " adcx %1, %%r10;" + " movq %%r10, 48(%2);" + " adcx %1, %%r11;" + " movq %%r11, 56(%2);" + + // Step 3: Fold the carry bit back in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %%rdx, %%rax;" + " add %%rax, %%r8;" + " movq %%r8, 32(%2);" + : "+&r" (f1), "+&r" (f2), "+&r" (tmp) + : "r" (out) + : "%rax", "%rbx", "%rdx", "%r8", "%r9", "%r10", "%r11", "%r13", "%r14", "memory", "cc" + ); +} + +// Computes the field multiplication of four-element f1 with value in f2 +// Requires f2 to be smaller than 2^17 +static inline void fmul_scalar (uint64_t *out, uint64_t *f1, uint64_t f2) +{ + register uint64_t f2_r asm("rdx") = f2; + + asm volatile( + // Compute the raw multiplication of f1*f2 + " mulxq 0(%2), %%r8, %%rcx;" // f1[0]*f2 + " mulxq 8(%2), %%r9, %%rbx;" // f1[1]*f2 + " add %%rcx, %%r9;" + " mov $0, %%rcx;" + " mulxq 16(%2), %%r10, %%r13;" // f1[2]*f2 + " adcx %%rbx, %%r10;" + " mulxq 24(%2), %%r11, %%rax;" // f1[3]*f2 + " adcx %%r13, %%r11;" + " adcx %%rcx, %%rax;" + + /////// Wrap the result back into the field ////// + + // Step 1: Compute carry*38 + " mov $38, %%rdx;" + " imul %%rdx, %%rax;" + + // Step 2: Fold the carry back into dst + " add %%rax, %%r8;" + " adcx %%rcx, %%r9;" + " movq %%r9, 8(%1);" + " adcx %%rcx, %%r10;" + " movq %%r10, 16(%1);" + " adcx %%rcx, %%r11;" + " movq %%r11, 24(%1);" + + // Step 3: Fold the carry bit back in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %%rdx, %%rax;" + " add %%rax, %%r8;" + " movq %%r8, 0(%1);" + : "+&r" (f2_r) + : "r" (out), "r" (f1) + : "%rax", "%rbx", "%rcx", "%r8", "%r9", "%r10", "%r11", "%r13", "memory", "cc" + ); +} + +// Computes p1 <- bit ? 
p2 : p1 in constant time +static inline void cswap2 (uint64_t bit, uint64_t *p1, uint64_t *p2) +{ + asm volatile( + // Transfer bit into CF flag + " add $18446744073709551615, %0;" + + // cswap p1[0], p2[0] + " movq 0(%1), %%r8;" + " movq 0(%2), %%r9;" + " mov %%r8, %%r10;" + " cmovc %%r9, %%r8;" + " cmovc %%r10, %%r9;" + " movq %%r8, 0(%1);" + " movq %%r9, 0(%2);" + + // cswap p1[1], p2[1] + " movq 8(%1), %%r8;" + " movq 8(%2), %%r9;" + " mov %%r8, %%r10;" + " cmovc %%r9, %%r8;" + " cmovc %%r10, %%r9;" + " movq %%r8, 8(%1);" + " movq %%r9, 8(%2);" + + // cswap p1[2], p2[2] + " movq 16(%1), %%r8;" + " movq 16(%2), %%r9;" + " mov %%r8, %%r10;" + " cmovc %%r9, %%r8;" + " cmovc %%r10, %%r9;" + " movq %%r8, 16(%1);" + " movq %%r9, 16(%2);" + + // cswap p1[3], p2[3] + " movq 24(%1), %%r8;" + " movq 24(%2), %%r9;" + " mov %%r8, %%r10;" + " cmovc %%r9, %%r8;" + " cmovc %%r10, %%r9;" + " movq %%r8, 24(%1);" + " movq %%r9, 24(%2);" + + // cswap p1[4], p2[4] + " movq 32(%1), %%r8;" + " movq 32(%2), %%r9;" + " mov %%r8, %%r10;" + " cmovc %%r9, %%r8;" + " cmovc %%r10, %%r9;" + " movq %%r8, 32(%1);" + " movq %%r9, 32(%2);" + + // cswap p1[5], p2[5] + " movq 40(%1), %%r8;" + " movq 40(%2), %%r9;" + " mov %%r8, %%r10;" + " cmovc %%r9, %%r8;" + " cmovc %%r10, %%r9;" + " movq %%r8, 40(%1);" + " movq %%r9, 40(%2);" + + // cswap p1[6], p2[6] + " movq 48(%1), %%r8;" + " movq 48(%2), %%r9;" + " mov %%r8, %%r10;" + " cmovc %%r9, %%r8;" + " cmovc %%r10, %%r9;" + " movq %%r8, 48(%1);" + " movq %%r9, 48(%2);" + + // cswap p1[7], p2[7] + " movq 56(%1), %%r8;" + " movq 56(%2), %%r9;" + " mov %%r8, %%r10;" + " cmovc %%r9, %%r8;" + " cmovc %%r10, %%r9;" + " movq %%r8, 56(%1);" + " movq %%r9, 56(%2);" + : "+&r" (bit) + : "r" (p1), "r" (p2) + : "%r8", "%r9", "%r10", "memory", "cc" + ); +} + +// Computes the square of a field element: out <- f * f +// Uses the 8-element buffer tmp for intermediate results +static inline void fsqr (uint64_t *out, uint64_t *f, uint64_t *tmp) +{ + asm volatile( + + 
/////// Compute the raw multiplication: tmp <- f * f ////// + + // Step 1: Compute all partial products + " movq 0(%0), %%rdx;" // f[0] + " mulxq 8(%0), %%r8, %%r14;" " xor %%r15d, %%r15d;" // f[1]*f[0] + " mulxq 16(%0), %%r9, %%r10;" " adcx %%r14, %%r9;" // f[2]*f[0] + " mulxq 24(%0), %%rax, %%rcx;" " adcx %%rax, %%r10;" // f[3]*f[0] + " movq 24(%0), %%rdx;" // f[3] + " mulxq 8(%0), %%r11, %%rbx;" " adcx %%rcx, %%r11;" // f[1]*f[3] + " mulxq 16(%0), %%rax, %%r13;" " adcx %%rax, %%rbx;" // f[2]*f[3] + " movq 8(%0), %%rdx;" " adcx %%r15, %%r13;" // f1 + " mulxq 16(%0), %%rax, %%rcx;" " mov $0, %%r14;" // f[2]*f[1] + + // Step 2: Compute two parallel carry chains + " xor %%r15d, %%r15d;" + " adox %%rax, %%r10;" + " adcx %%r8, %%r8;" + " adox %%rcx, %%r11;" + " adcx %%r9, %%r9;" + " adox %%r15, %%rbx;" + " adcx %%r10, %%r10;" + " adox %%r15, %%r13;" + " adcx %%r11, %%r11;" + " adox %%r15, %%r14;" + " adcx %%rbx, %%rbx;" + " adcx %%r13, %%r13;" + " adcx %%r14, %%r14;" + + // Step 3: Compute intermediate squares + " movq 0(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[0]^2 + " movq %%rax, 0(%1);" + " add %%rcx, %%r8;" " movq %%r8, 8(%1);" + " movq 8(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[1]^2 + " adcx %%rax, %%r9;" " movq %%r9, 16(%1);" + " adcx %%rcx, %%r10;" " movq %%r10, 24(%1);" + " movq 16(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[2]^2 + " adcx %%rax, %%r11;" " movq %%r11, 32(%1);" + " adcx %%rcx, %%rbx;" " movq %%rbx, 40(%1);" + " movq 24(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[3]^2 + " adcx %%rax, %%r13;" " movq %%r13, 48(%1);" + " adcx %%rcx, %%r14;" " movq %%r14, 56(%1);" + + // Line up pointers + " mov %1, %0;" + " mov %2, %1;" + + /////// Wrap the result back into the field ////// + + // Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + " mov $38, %%rdx;" + " mulxq 32(%0), %%r8, %%r13;" + " xor %%ecx, %%ecx;" + " adoxq 0(%0), %%r8;" + " mulxq 40(%0), %%r9, %%rbx;" + " adcx %%r13, %%r9;" + " adoxq 8(%0), %%r9;" + " mulxq 48(%0), %%r10, 
%%r13;" + " adcx %%rbx, %%r10;" + " adoxq 16(%0), %%r10;" + " mulxq 56(%0), %%r11, %%rax;" + " adcx %%r13, %%r11;" + " adoxq 24(%0), %%r11;" + " adcx %%rcx, %%rax;" + " adox %%rcx, %%rax;" + " imul %%rdx, %%rax;" + + // Step 2: Fold the carry back into dst + " add %%rax, %%r8;" + " adcx %%rcx, %%r9;" + " movq %%r9, 8(%1);" + " adcx %%rcx, %%r10;" + " movq %%r10, 16(%1);" + " adcx %%rcx, %%r11;" + " movq %%r11, 24(%1);" + + // Step 3: Fold the carry bit back in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %%rdx, %%rax;" + " add %%rax, %%r8;" + " movq %%r8, 0(%1);" + : "+&r" (f), "+&r" (tmp) + : "r" (out) + : "%rax", "%rbx", "%rcx", "%rdx", "%r8", "%r9", "%r10", "%r11", "%r13", "%r14", "%r15", "memory", "cc" + ); +} + +// Computes two field squarings: +// out[0] <- f[0] * f[0] +// out[1] <- f[1] * f[1] +// Uses the 16-element buffer tmp for intermediate results +static inline void fsqr2 (uint64_t *out, uint64_t *f, uint64_t *tmp) +{ + asm volatile( + // Step 1: Compute all partial products + " movq 0(%0), %%rdx;" // f[0] + " mulxq 8(%0), %%r8, %%r14;" " xor %%r15d, %%r15d;" // f[1]*f[0] + " mulxq 16(%0), %%r9, %%r10;" " adcx %%r14, %%r9;" // f[2]*f[0] + " mulxq 24(%0), %%rax, %%rcx;" " adcx %%rax, %%r10;" // f[3]*f[0] + " movq 24(%0), %%rdx;" // f[3] + " mulxq 8(%0), %%r11, %%rbx;" " adcx %%rcx, %%r11;" // f[1]*f[3] + " mulxq 16(%0), %%rax, %%r13;" " adcx %%rax, %%rbx;" // f[2]*f[3] + " movq 8(%0), %%rdx;" " adcx %%r15, %%r13;" // f1 + " mulxq 16(%0), %%rax, %%rcx;" " mov $0, %%r14;" // f[2]*f[1] + + // Step 2: Compute two parallel carry chains + " xor %%r15d, %%r15d;" + " adox %%rax, %%r10;" + " adcx %%r8, %%r8;" + " adox %%rcx, %%r11;" + " adcx %%r9, %%r9;" + " adox %%r15, %%rbx;" + " adcx %%r10, %%r10;" + " adox %%r15, %%r13;" + " adcx %%r11, %%r11;" + " adox %%r15, %%r14;" + " adcx %%rbx, %%rbx;" + " adcx %%r13, %%r13;" + " adcx %%r14, %%r14;" + + // Step 3: Compute intermediate squares + " movq 0(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" 
// f[0]^2 + " movq %%rax, 0(%1);" + " add %%rcx, %%r8;" " movq %%r8, 8(%1);" + " movq 8(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[1]^2 + " adcx %%rax, %%r9;" " movq %%r9, 16(%1);" + " adcx %%rcx, %%r10;" " movq %%r10, 24(%1);" + " movq 16(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[2]^2 + " adcx %%rax, %%r11;" " movq %%r11, 32(%1);" + " adcx %%rcx, %%rbx;" " movq %%rbx, 40(%1);" + " movq 24(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[3]^2 + " adcx %%rax, %%r13;" " movq %%r13, 48(%1);" + " adcx %%rcx, %%r14;" " movq %%r14, 56(%1);" + + // Step 1: Compute all partial products + " movq 32(%0), %%rdx;" // f[0] + " mulxq 40(%0), %%r8, %%r14;" " xor %%r15d, %%r15d;" // f[1]*f[0] + " mulxq 48(%0), %%r9, %%r10;" " adcx %%r14, %%r9;" // f[2]*f[0] + " mulxq 56(%0), %%rax, %%rcx;" " adcx %%rax, %%r10;" // f[3]*f[0] + " movq 56(%0), %%rdx;" // f[3] + " mulxq 40(%0), %%r11, %%rbx;" " adcx %%rcx, %%r11;" // f[1]*f[3] + " mulxq 48(%0), %%rax, %%r13;" " adcx %%rax, %%rbx;" // f[2]*f[3] + " movq 40(%0), %%rdx;" " adcx %%r15, %%r13;" // f1 + " mulxq 48(%0), %%rax, %%rcx;" " mov $0, %%r14;" // f[2]*f[1] + + // Step 2: Compute two parallel carry chains + " xor %%r15d, %%r15d;" + " adox %%rax, %%r10;" + " adcx %%r8, %%r8;" + " adox %%rcx, %%r11;" + " adcx %%r9, %%r9;" + " adox %%r15, %%rbx;" + " adcx %%r10, %%r10;" + " adox %%r15, %%r13;" + " adcx %%r11, %%r11;" + " adox %%r15, %%r14;" + " adcx %%rbx, %%rbx;" + " adcx %%r13, %%r13;" + " adcx %%r14, %%r14;" + + // Step 3: Compute intermediate squares + " movq 32(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[0]^2 + " movq %%rax, 64(%1);" + " add %%rcx, %%r8;" " movq %%r8, 72(%1);" + " movq 40(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[1]^2 + " adcx %%rax, %%r9;" " movq %%r9, 80(%1);" + " adcx %%rcx, %%r10;" " movq %%r10, 88(%1);" + " movq 48(%0), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[2]^2 + " adcx %%rax, %%r11;" " movq %%r11, 96(%1);" + " adcx %%rcx, %%rbx;" " movq %%rbx, 104(%1);" + " movq 56(%0), %%rdx;" " mulx 
%%rdx, %%rax, %%rcx;" // f[3]^2 + " adcx %%rax, %%r13;" " movq %%r13, 112(%1);" + " adcx %%rcx, %%r14;" " movq %%r14, 120(%1);" + + // Line up pointers + " mov %1, %0;" + " mov %2, %1;" + + // Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + " mov $38, %%rdx;" + " mulxq 32(%0), %%r8, %%r13;" + " xor %%ecx, %%ecx;" + " adoxq 0(%0), %%r8;" + " mulxq 40(%0), %%r9, %%rbx;" + " adcx %%r13, %%r9;" + " adoxq 8(%0), %%r9;" + " mulxq 48(%0), %%r10, %%r13;" + " adcx %%rbx, %%r10;" + " adoxq 16(%0), %%r10;" + " mulxq 56(%0), %%r11, %%rax;" + " adcx %%r13, %%r11;" + " adoxq 24(%0), %%r11;" + " adcx %%rcx, %%rax;" + " adox %%rcx, %%rax;" + " imul %%rdx, %%rax;" + + // Step 2: Fold the carry back into dst + " add %%rax, %%r8;" + " adcx %%rcx, %%r9;" + " movq %%r9, 8(%1);" + " adcx %%rcx, %%r10;" + " movq %%r10, 16(%1);" + " adcx %%rcx, %%r11;" + " movq %%r11, 24(%1);" + + // Step 3: Fold the carry bit back in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %%rdx, %%rax;" + " add %%rax, %%r8;" + " movq %%r8, 0(%1);" + + // Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + " mov $38, %%rdx;" + " mulxq 96(%0), %%r8, %%r13;" + " xor %%ecx, %%ecx;" + " adoxq 64(%0), %%r8;" + " mulxq 104(%0), %%r9, %%rbx;" + " adcx %%r13, %%r9;" + " adoxq 72(%0), %%r9;" + " mulxq 112(%0), %%r10, %%r13;" + " adcx %%rbx, %%r10;" + " adoxq 80(%0), %%r10;" + " mulxq 120(%0), %%r11, %%rax;" + " adcx %%r13, %%r11;" + " adoxq 88(%0), %%r11;" + " adcx %%rcx, %%rax;" + " adox %%rcx, %%rax;" + " imul %%rdx, %%rax;" + + // Step 2: Fold the carry back into dst + " add %%rax, %%r8;" + " adcx %%rcx, %%r9;" + " movq %%r9, 40(%1);" + " adcx %%rcx, %%r10;" + " movq %%r10, 48(%1);" + " adcx %%rcx, %%r11;" + " movq %%r11, 56(%1);" + + // Step 3: Fold the carry bit back in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %%rdx, %%rax;" + " add %%rax, %%r8;" + " movq %%r8, 32(%1);" + : "+&r" (f), "+&r" (tmp) + : "r" (out) + : "%rax", "%rbx", "%rcx", "%rdx", "%r8", "%r9", 
"%r10", "%r11", "%r13", "%r14", "%r15", "memory", "cc"
+ );
+}
+
+#endif /* defined(__x86_64__) || defined(_M_X64) */
+#endif /* __GNUC__ */
diff --git a/include/msvc/evercrypt_targetconfig.h b/include/msvc/evercrypt_targetconfig.h
new file mode 100644
index 00000000..d6d7c032
--- /dev/null
+++ b/include/msvc/evercrypt_targetconfig.h
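Review bot: Nothing in this header states that `fmul`, `fmul2`, `fsqr`, `fsqr2` and `fmul_scalar` execute BMI2/ADX instructions (`mulx`, `adcx`, `adox`), which raise an illegal-instruction fault on x86-64 CPUs that lack those extensions; a comment at the top of the file such as `// The routines below use BMI2 and ADX; callers must confirm both at run time before calling them.` would pin the contract that the CPU-feature detection added elsewhere in this PR is meant to enforce. The outer `#ifdef __GNUC__` also means this file under `include/msvc/` is compiled out entirely by MSVC, which never defines `__GNUC__`; if MSVC builds are meant to fall back to the portable field arithmetic, a one-line comment at that guard saying so would save the next reader a search. The `cswap2` comment `// Computes p1 <- bit ? p2 : p1 in constant time` also understates the routine: `add $18446744073709551615, %0` sets CF for any nonzero `bit`, and both buffers are then exchanged, so `// Swaps the 8-element buffers p1 and p2 when bit is nonzero, in constant time` matches the code. Lastly, `f1`, `f2` and `f` are only read in every routine while `out` and `tmp` are written; `const uint64_t *` on the read-only parameters would document that at the interface.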
@@ -0,0 +1,56 @@
+#ifndef __EVERCRYPT_TARGETCONFIG_H
+#define __EVERCRYPT_TARGETCONFIG_H
+
+// Instead of listing the identifiers for the target architectures
+// then defining the constant TARGET_ARCHITECTURE in config.h, we might simply
+// define exactly one tag of the form TARGET_ARCHITECTURE_IS_... in config.h.
+// However, for maintenance purposes, we use the first method in
+// order to have all the possible values listed in one place.
+// Note that for now, the only important id is TARGET_ARCHITECTURE_ID_X64,
+// but the other ids might prove useful in the future if we make
+// the dynamic feature detection more precise (see the functions
+// has_vec128_not_avx/has_vec256_not_avx2 below).
+#define TARGET_ARCHITECTURE_ID_UNKNOWN 0
+#define TARGET_ARCHITECTURE_ID_X86 1
+#define TARGET_ARCHITECTURE_ID_X64 2
+#define TARGET_ARCHITECTURE_ID_ARM7 3
+#define TARGET_ARCHITECTURE_ID_ARM8 4
+#define TARGET_ARCHITECTURE_ID_SYSTEMZ 5
+#define TARGET_ARCHITECTURE_ID_POWERPC64 6
+
+#if defined(__has_include)
+#if __has_include("config.h")
+#include "config.h"
+#else
+#define TARGET_ARCHITECTURE TARGET_ARCHITECTURE_ID_UNKNOWN
+#endif
+#endif
+
+// Those functions are called on non-x64 platforms for which the feature detection
+// is not covered by vale's CPUID support; therefore, we hand-write in C ourselves.
+// For now, on non-x64 platforms, if we can compile 128-bit vector code, we can
+// also execute it; this is true of: Z, Power, ARM8. In the future, if we consider
+// cross-compilation scenarios, we'll have to refine this predicate; it could be the case,
+// for instance, that we want our code to run on old revisions of a system without
+// vector instructions, in which case we'll have to do run-time feature detection
+// in addition to compile-time detection.
+
+#include 
+
+static inline bool has_vec128_not_avx () {
+#if (TARGET_ARCHITECTURE != TARGET_ARCHITECTURE_ID_X64) && HACL_CAN_COMPILE_VEC128
+ return true;
+#else
+ return false;
+#endif
+}
+
+static inline bool has_vec256_not_avx2 () {
+#if (TARGET_ARCHITECTURE != TARGET_ARCHITECTURE_ID_X64) && HACL_CAN_COMPILE_VEC256
+ return true;
+#else
+ return false;
+#endif
+}
+
+#endif
diff --git a/include/msvc/internal/Hacl_Bignum.h b/include/msvc/internal/Hacl_Bignum.h
new file mode 100644
index 00000000..8d2dc606
--- /dev/null
+++ b/include/msvc/internal/Hacl_Bignum.h
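Review bot: `has_vec128_not_avx()` and `has_vec256_not_avx2()` answer true for the UNKNOWN architecture, not only for known non-x64 targets: the guard `(TARGET_ARCHITECTURE != TARGET_ARCHITECTURE_ID_X64) && HACL_CAN_COMPILE_VEC128` is satisfied when config.h is absent (TARGET_ARCHITECTURE falls back to UNKNOWN) and also when the compiler lacks `__has_include`, because then TARGET_ARCHITECTURE is never defined and the preprocessor evaluates it as 0, which is again UNKNOWN. On an x64 build in either state with HACL_CAN_COMPILE_VEC128 set, callers are told the vector code is executable without the CPUID check the comment says x64 relies on, which presumably means an illegal-instruction fault on older hardware rather than a fallback. I would fail closed: add `#else` / `#define TARGET_ARCHITECTURE TARGET_ARCHITECTURE_ID_UNKNOWN` to the outer `#if defined(__has_include)`, and change both guards to `#if (TARGET_ARCHITECTURE != TARGET_ARCHITECTURE_ID_UNKNOWN) && (TARGET_ARCHITECTURE != TARGET_ARCHITECTURE_ID_X64) && HACL_CAN_COMPILE_VEC128`. A one-line comment above the two functions stating that UNKNOWN deliberately reports no vector support would make that intent explicit for the next person who adds an architecture id.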
@@ -0,0 +1,367 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __internal_Hacl_Bignum_H +#define __internal_Hacl_Bignum_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "internal/Hacl_Kremlib.h" +#include "Hacl_Kremlib.h" +#include "Hacl_Bignum_Base.h" +#include "evercrypt_targetconfig.h" +#include "lib_intrinsics.h" +#include "libintvector.h" +void Hacl_Bignum_Convert_bn_from_bytes_be_uint64(uint32_t len, uint8_t *b, uint64_t *res); + +void Hacl_Bignum_Convert_bn_to_bytes_be_uint64(uint32_t len, uint64_t *b, uint8_t *res); + +uint32_t Hacl_Bignum_Lib_bn_get_top_index_u32(uint32_t len, uint32_t *b); + +uint64_t Hacl_Bignum_Lib_bn_get_top_index_u64(uint32_t len, uint64_t *b); + +uint32_t +Hacl_Bignum_Addition_bn_sub_eq_len_u32(uint32_t aLen, uint32_t *a, uint32_t *b, uint32_t *res); + +uint64_t +Hacl_Bignum_Addition_bn_sub_eq_len_u64(uint32_t aLen, uint64_t *a, uint64_t *b, uint64_t *res); + +uint32_t +Hacl_Bignum_Addition_bn_add_eq_len_u32(uint32_t aLen, uint32_t *a, uint32_t *b, uint32_t *res); + +uint64_t +Hacl_Bignum_Addition_bn_add_eq_len_u64(uint32_t aLen, uint64_t *a, uint64_t *b, uint64_t *res); + +void +Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32( + uint32_t aLen, + uint32_t *a, + uint32_t *b, + uint32_t *tmp, + uint32_t *res +); + +void +Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64( + uint32_t aLen, + uint64_t *a, + uint64_t *b, + uint64_t *tmp, + uint64_t *res +); + +void +Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32( + uint32_t aLen, + uint32_t *a, + uint32_t *tmp, + uint32_t *res +); + +void +Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64( + uint32_t aLen, + uint64_t *a, + uint64_t *tmp, + uint64_t *res +); + +void +Hacl_Bignum_bn_add_mod_n_u32( + uint32_t len1, + uint32_t *n, + uint32_t *a, + uint32_t *b, + uint32_t *res +); + +void +Hacl_Bignum_bn_add_mod_n_u64( + uint32_t len1, + uint64_t *n, + uint64_t *a, + uint64_t *b, + uint64_t *res +); + +void 
+Hacl_Bignum_bn_sub_mod_n_u32( + uint32_t len1, + uint32_t *n, + uint32_t *a, + uint32_t *b, + uint32_t *res +); + +void +Hacl_Bignum_bn_sub_mod_n_u64( + uint32_t len1, + uint64_t *n, + uint64_t *a, + uint64_t *b, + uint64_t *res +); + +uint32_t Hacl_Bignum_ModInvLimb_mod_inv_uint32(uint32_t n0); + +uint64_t Hacl_Bignum_ModInvLimb_mod_inv_uint64(uint64_t n0); + +uint32_t Hacl_Bignum_Montgomery_bn_check_modulus_u32(uint32_t len, uint32_t *n); + +void +Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u32( + uint32_t len, + uint32_t nBits, + uint32_t *n, + uint32_t *res +); + +void +Hacl_Bignum_Montgomery_bn_mont_reduction_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv, + uint32_t *c, + uint32_t *res +); + +void +Hacl_Bignum_Montgomery_bn_to_mont_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv, + uint32_t *r2, + uint32_t *a, + uint32_t *aM +); + +void +Hacl_Bignum_Montgomery_bn_from_mont_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv_u64, + uint32_t *aM, + uint32_t *a +); + +void +Hacl_Bignum_Montgomery_bn_mont_mul_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv_u64, + uint32_t *aM, + uint32_t *bM, + uint32_t *resM +); + +void +Hacl_Bignum_Montgomery_bn_mont_sqr_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv_u64, + uint32_t *aM, + uint32_t *resM +); + +uint64_t Hacl_Bignum_Montgomery_bn_check_modulus_u64(uint32_t len, uint64_t *n); + +void +Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64( + uint32_t len, + uint32_t nBits, + uint64_t *n, + uint64_t *res +); + +void +Hacl_Bignum_Montgomery_bn_mont_reduction_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv, + uint64_t *c, + uint64_t *res +); + +void +Hacl_Bignum_Montgomery_bn_to_mont_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv, + uint64_t *r2, + uint64_t *a, + uint64_t *aM +); + +void +Hacl_Bignum_Montgomery_bn_from_mont_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv_u64, + uint64_t *aM, + uint64_t *a +); + +void +Hacl_Bignum_Montgomery_bn_mont_mul_u64( + uint32_t len, + uint64_t *n, + 
uint64_t nInv_u64, + uint64_t *aM, + uint64_t *bM, + uint64_t *resM +); + +void +Hacl_Bignum_Montgomery_bn_mont_sqr_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv_u64, + uint64_t *aM, + uint64_t *resM +); + +uint32_t +Hacl_Bignum_Exponentiation_bn_check_mod_exp_u32( + uint32_t len, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b +); + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u32( + uint32_t len, + uint32_t *n, + uint32_t mu, + uint32_t *r2, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u32( + uint32_t len, + uint32_t *n, + uint32_t mu, + uint32_t *r2, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u32( + uint32_t len, + uint32_t nBits, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_u32( + uint32_t len, + uint32_t nBits, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +); + +uint64_t +Hacl_Bignum_Exponentiation_bn_check_mod_exp_u64( + uint32_t len, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b +); + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64( + uint32_t len, + uint64_t *n, + uint64_t mu, + uint64_t *r2, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u64( + uint32_t len, + uint64_t *n, + uint64_t mu, + uint64_t *r2, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u64( + uint32_t len, + uint32_t nBits, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +); + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_u64( + uint32_t len, + uint32_t nBits, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t 
*res +); + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Bignum_H_DEFINED +#endif diff --git a/include/msvc/internal/Hacl_Chacha20.h b/include/msvc/internal/Hacl_Chacha20.h new file mode 100644 index 00000000..2a440491 --- /dev/null +++ b/include/msvc/internal/Hacl_Chacha20.h 
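Review bot: The `*_vartime_*` exponentiation entry points carry no warning about what they leak, so a reader of this internal header sees `Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u64` and `..._consttime_u64` as interchangeable. The name suggests the vartime path's running time depends on the exponent `b`/`bBits`; if so, a comment above the vartime declarations such as `/* Timing depends on the exponent b; never pass a secret exponent here, use the _consttime_ variant for private-key operations. */` is what a caller needs. Likewise `Hacl_Bignum_Montgomery_bn_check_modulus_u64` and `Hacl_Bignum_Exponentiation_bn_check_mod_exp_u64` return an integer rather than `bool` with no note on whether the result is 0/1 or a 0/all-ones mask, which decides how the caller must test it. This header appears KaRaMeL-generated (the `K____…` tuple names elsewhere in this set), so the comments belong in the F* source it is extracted from rather than in the emitted file.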
@@ -0,0 +1,61 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __internal_Hacl_Chacha20_H +#define __internal_Hacl_Chacha20_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "../Hacl_Chacha20.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +extern const uint32_t Hacl_Impl_Chacha20_Vec_chacha20_constants[4U]; + +void Hacl_Impl_Chacha20_chacha20_init(uint32_t *ctx, uint8_t *k, uint8_t *n, uint32_t ctr); + +void +Hacl_Impl_Chacha20_chacha20_encrypt_block( + uint32_t *ctx, + uint8_t *out, + uint32_t incr, + uint8_t *text +); + +void +Hacl_Impl_Chacha20_chacha20_update(uint32_t *ctx, uint32_t len, uint8_t *out, uint8_t *text); + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Chacha20_H_DEFINED +#endif diff --git a/include/msvc/internal/Hacl_Curve25519_51.h b/include/msvc/internal/Hacl_Curve25519_51.h new file mode 100644 index 00000000..c3304756 --- /dev/null +++ b/include/msvc/internal/Hacl_Curve25519_51.h 
@@ -0,0 +1,57 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __internal_Hacl_Curve25519_51_H +#define __internal_Hacl_Curve25519_51_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "internal/Hacl_Kremlib.h" +#include "../Hacl_Curve25519_51.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Curve25519_51_fsquare_times( + uint64_t *o, + uint64_t *inp, + FStar_UInt128_uint128 *tmp, + uint32_t n +); + +void Hacl_Curve25519_51_finv(uint64_t *o, uint64_t *i, FStar_UInt128_uint128 *tmp); + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Curve25519_51_H_DEFINED +#endif 
diff --git a/include/msvc/internal/Hacl_Ed25519.h b/include/msvc/internal/Hacl_Ed25519.h new file mode 100644 index 00000000..baf147a5 --- /dev/null +++ b/include/msvc/internal/Hacl_Ed25519.h 
@@ -0,0 +1,69 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __internal_Hacl_Ed25519_H +#define __internal_Hacl_Ed25519_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Hash_SHA2.h" +#include "internal/Hacl_Curve25519_51.h" +#include "../Hacl_Ed25519.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void Hacl_Bignum25519_reduce_513(uint64_t *a); + +void Hacl_Bignum25519_inverse(uint64_t *out, uint64_t *a); + +void Hacl_Bignum25519_load_51(uint64_t *output, uint8_t *input); + +void Hacl_Bignum25519_store_51(uint8_t *output, uint64_t *input); + +void Hacl_Impl_Ed25519_PointAdd_point_add(uint64_t *out, uint64_t *p, uint64_t *q); + +void Hacl_Impl_Ed25519_Ladder_point_mul(uint64_t *result, uint8_t *scalar, uint64_t *q); + +void Hacl_Impl_Ed25519_PointCompress_point_compress(uint8_t *z, uint64_t *p); + +bool Hacl_Impl_Ed25519_PointDecompress_point_decompress(uint64_t *out, uint8_t *s); + +bool Hacl_Impl_Ed25519_PointEqual_point_equal(uint64_t *p, uint64_t *q); + +void Hacl_Impl_Ed25519_PointNegate_point_negate(uint64_t *p, uint64_t *out); + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Ed25519_H_DEFINED +#endif diff --git a/include/msvc/internal/Hacl_Frodo_KEM.h b/include/msvc/internal/Hacl_Frodo_KEM.h new file mode 100644 index 00000000..3e1d36e2 --- /dev/null +++ b/include/msvc/internal/Hacl_Frodo_KEM.h 
@@ -0,0 +1,49 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __internal_Hacl_Frodo_KEM_H +#define __internal_Hacl_Frodo_KEM_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "internal/Hacl_Kremlib.h" +#include "../Hacl_Frodo_KEM.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void randombytes_(uint32_t len, uint8_t *res); + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Frodo_KEM_H_DEFINED +#endif diff --git a/include/msvc/internal/Hacl_HMAC.h b/include/msvc/internal/Hacl_HMAC.h new file mode 100644 index 00000000..1e29b87f --- /dev/null +++ b/include/msvc/internal/Hacl_HMAC.h 
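Review bot: `void randombytes_(uint32_t len, uint8_t *res);` appears to be the KEM's entropy source and is declared here with no contract: nothing says it must be a cryptographically secure generator, and the `void` return leaves no way to report that the underlying entropy read failed, so an implementation that returns early leaves `res` holding whatever was there before and the key material is then derived from it. I would document it at the declaration: `/* Must fill res[0..len) with len bytes from a CSPRNG. There is no error return, so an implementation that cannot obtain entropy must abort rather than return. */`. If this header is KaRaMeL-generated, the comment belongs on the extern declaration in the F* source it comes from.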
@@ -0,0 +1,63 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __internal_Hacl_HMAC_H +#define __internal_Hacl_HMAC_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "internal/Hacl_Hash_SHA2.h" +#include "internal/Hacl_Hash_SHA1.h" +#include "internal/Hacl_Hash_Blake2.h" +#include "../Hacl_HMAC.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +typedef struct K____uint32_t__uint64_t_s +{ + uint32_t *fst; + uint64_t snd; +} +K____uint32_t__uint64_t; + +typedef struct K____uint64_t__FStar_UInt128_uint128_s +{ + uint64_t *fst; + FStar_UInt128_uint128 snd; +} +K____uint64_t__FStar_UInt128_uint128; + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_HMAC_H_DEFINED +#endif diff --git a/include/msvc/internal/Hacl_Hash_Blake2.h b/include/msvc/internal/Hacl_Hash_Blake2.h new file mode 100644 index 00000000..2491c7d3 --- /dev/null +++ b/include/msvc/internal/Hacl_Hash_Blake2.h 
@@ -0,0 +1,124 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __internal_Hacl_Hash_Blake2_H +#define __internal_Hacl_Hash_Blake2_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "internal/Hacl_Kremlib.h" +#include "../Hacl_Hash_Blake2.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +uint64_t Hacl_Hash_Core_Blake2_update_blake2s_32(uint32_t *s, uint64_t totlen, uint8_t *block); + +void Hacl_Hash_Core_Blake2_finish_blake2s_32(uint32_t *s, uint64_t ev, uint8_t *dst); + +FStar_UInt128_uint128 +Hacl_Hash_Core_Blake2_update_blake2b_32( + uint64_t *s, + FStar_UInt128_uint128 totlen, + uint8_t *block +); + +void +Hacl_Hash_Core_Blake2_finish_blake2b_32(uint64_t *s, FStar_UInt128_uint128 ev, uint8_t *dst); + +uint64_t +Hacl_Hash_Blake2_update_multi_blake2s_32( + uint32_t *s, + uint64_t ev, + uint8_t *blocks, + uint32_t n_blocks +); + +FStar_UInt128_uint128 +Hacl_Hash_Blake2_update_multi_blake2b_32( + uint64_t *s, + FStar_UInt128_uint128 ev, + uint8_t *blocks, + uint32_t n_blocks +); + +typedef struct K___uint32_t_uint32_t_uint32_t__uint8_t___uint8_t__s +{ + uint32_t fst; + uint32_t snd; + uint32_t thd; + uint8_t *f3; + uint8_t *f4; +} +K___uint32_t_uint32_t_uint32_t__uint8_t___uint8_t_; + +typedef struct K___uint32_t_uint32_t_uint32_t_s +{ + uint32_t fst; + uint32_t snd; + uint32_t thd; +} +K___uint32_t_uint32_t_uint32_t; + +uint64_t +Hacl_Hash_Blake2_update_last_blake2s_32( + uint32_t *s, + uint64_t ev, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +); + +FStar_UInt128_uint128 +Hacl_Hash_Blake2_update_last_blake2b_32( + uint64_t *s, + FStar_UInt128_uint128 ev, + FStar_UInt128_uint128 prev_len, + uint8_t *input, + uint32_t input_len +); + +void Hacl_Hash_Blake2_hash_blake2s_32(uint8_t *input, uint32_t input_len, uint8_t *dst); + +void Hacl_Hash_Blake2_hash_blake2b_32(uint8_t *input, uint32_t input_len, uint8_t *dst); + +typedef struct 
K___uint32_t_uint32_t_s +{ + uint32_t fst; + uint32_t snd; +} +K___uint32_t_uint32_t; + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Hash_Blake2_H_DEFINED +#endif diff --git a/include/msvc/internal/Hacl_Hash_Blake2b_256.h b/include/msvc/internal/Hacl_Hash_Blake2b_256.h new file mode 100644 index 00000000..bfe35db2 --- /dev/null +++ b/include/msvc/internal/Hacl_Hash_Blake2b_256.h 
@@ -0,0 +1,74 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __internal_Hacl_Hash_Blake2b_256_H +#define __internal_Hacl_Hash_Blake2b_256_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Hash_Blake2.h" +#include "../Hacl_Hash_Blake2b_256.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Hash_Blake2b_256_finish_blake2b_256( + Lib_IntVector_Intrinsics_vec256 *s, + FStar_UInt128_uint128 ev, + uint8_t *dst +); + +FStar_UInt128_uint128 +Hacl_Hash_Blake2b_256_update_multi_blake2b_256( + Lib_IntVector_Intrinsics_vec256 *s, + FStar_UInt128_uint128 ev, + uint8_t *blocks, + uint32_t n_blocks +); + +FStar_UInt128_uint128 +Hacl_Hash_Blake2b_256_update_last_blake2b_256( + Lib_IntVector_Intrinsics_vec256 *s, + FStar_UInt128_uint128 ev, + FStar_UInt128_uint128 prev_len, + uint8_t *input, + uint32_t input_len +); + +void Hacl_Hash_Blake2b_256_hash_blake2b_256(uint8_t *input, uint32_t input_len, uint8_t *dst); + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Hash_Blake2b_256_H_DEFINED +#endif diff --git a/include/msvc/internal/Hacl_Hash_Blake2s_128.h b/include/msvc/internal/Hacl_Hash_Blake2s_128.h new file mode 100644 index 00000000..4abb2415 --- /dev/null +++ b/include/msvc/internal/Hacl_Hash_Blake2s_128.h 
@@ -0,0 +1,74 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __internal_Hacl_Hash_Blake2s_128_H +#define __internal_Hacl_Hash_Blake2s_128_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Hash_Blake2.h" +#include "../Hacl_Hash_Blake2s_128.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void +Hacl_Hash_Blake2s_128_finish_blake2s_128( + Lib_IntVector_Intrinsics_vec128 *s, + uint64_t ev, + uint8_t *dst +); + +uint64_t +Hacl_Hash_Blake2s_128_update_multi_blake2s_128( + Lib_IntVector_Intrinsics_vec128 *s, + uint64_t ev, + uint8_t *blocks, + uint32_t n_blocks +); + +uint64_t +Hacl_Hash_Blake2s_128_update_last_blake2s_128( + Lib_IntVector_Intrinsics_vec128 *s, + uint64_t ev, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +); + +void Hacl_Hash_Blake2s_128_hash_blake2s_128(uint8_t *input, uint32_t input_len, uint8_t *dst); + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Hash_Blake2s_128_H_DEFINED +#endif diff --git a/include/msvc/internal/Hacl_Hash_MD5.h b/include/msvc/internal/Hacl_Hash_MD5.h new file mode 100644 index 00000000..bd9f2278 --- /dev/null +++ b/include/msvc/internal/Hacl_Hash_MD5.h 
@@ -0,0 +1,52 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __internal_Hacl_Hash_MD5_H +#define __internal_Hacl_Hash_MD5_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "../Hacl_Hash_MD5.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void Hacl_Hash_Core_MD5_legacy_init(uint32_t *s); + +void Hacl_Hash_Core_MD5_legacy_update(uint32_t *abcd, uint8_t *x); + +void Hacl_Hash_Core_MD5_legacy_finish(uint32_t *s, uint8_t *dst); + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Hash_MD5_H_DEFINED +#endif diff --git a/include/msvc/internal/Hacl_Hash_SHA1.h b/include/msvc/internal/Hacl_Hash_SHA1.h new file mode 100644 index 00000000..b387630e --- /dev/null 
+++ b/include/msvc/internal/Hacl_Hash_SHA1.h @@ -0,0 +1,52 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __internal_Hacl_Hash_SHA1_H +#define __internal_Hacl_Hash_SHA1_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/target.h" + + +#include "../Hacl_Hash_SHA1.h" +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +void Hacl_Hash_Core_SHA1_legacy_init(uint32_t *s); + +void Hacl_Hash_Core_SHA1_legacy_update(uint32_t *h, uint8_t *l); + +void Hacl_Hash_Core_SHA1_legacy_finish(uint32_t *s, uint8_t *dst); + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Hash_SHA1_H_DEFINED +#endif 
diff --git a/include/msvc/internal/Hacl_Hash_SHA2.h b/include/msvc/internal/Hacl_Hash_SHA2.h new file mode 100644 index 00000000..9bd45e4d --- /dev/null +++ b/include/msvc/internal/Hacl_Hash_SHA2.h 
@@ -0,0 +1,68 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __internal_Hacl_Hash_SHA2_H
+#define __internal_Hacl_Hash_SHA2_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "../Hacl_Hash_SHA2.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void Hacl_Hash_Core_SHA2_init_224(uint32_t *s);
+
+void Hacl_Hash_Core_SHA2_init_256(uint32_t *s);
+
+void Hacl_Hash_Core_SHA2_init_384(uint64_t *s);
+
+void Hacl_Hash_Core_SHA2_init_512(uint64_t *s);
+
+void Hacl_Hash_Core_SHA2_update_384(uint64_t *hash, uint8_t *block);
+
+void Hacl_Hash_Core_SHA2_update_512(uint64_t *hash, uint8_t *block);
+
+void Hacl_Hash_Core_SHA2_pad_256(uint64_t len, uint8_t *dst);
+
+void Hacl_Hash_Core_SHA2_finish_224(uint32_t *s, uint8_t *dst);
+
+void Hacl_Hash_Core_SHA2_finish_256(uint32_t *s, uint8_t *dst);
+
+void Hacl_Hash_Core_SHA2_finish_384(uint64_t *s, uint8_t *dst);
+
+void Hacl_Hash_Core_SHA2_finish_512(uint64_t *s, uint8_t *dst);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Hacl_Hash_SHA2_H_DEFINED
+#endif
diff --git a/include/msvc/internal/Hacl_Kremlib.h b/include/msvc/internal/Hacl_Kremlib.h
new file mode 100644
index 00000000..97939c02
--- /dev/null
+++ b/include/msvc/internal/Hacl_Kremlib.h
@@ -0,0 +1,48 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __internal_Hacl_Kremlib_H
+#define __internal_Hacl_Kremlib_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "../Hacl_Kremlib.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+uint32_t LowStar_Vector_new_capacity(uint32_t cap);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Hacl_Kremlib_H_DEFINED
+#endif
diff --git a/include/msvc/internal/Hacl_P256.h b/include/msvc/internal/Hacl_P256.h
new file mode 100644
index 00000000..8ee3d467
--- /dev/null
+++ b/include/msvc/internal/Hacl_P256.h
@@ -0,0 +1,66 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __internal_Hacl_P256_H
+#define __internal_Hacl_P256_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "internal/Hacl_Spec.h"
+#include "internal/Hacl_Kremlib.h"
+#include "../Hacl_P256.h"
+#include "evercrypt_targetconfig.h"
+#include "lib_intrinsics.h"
+#include "libintvector.h"
+void Hacl_Impl_P256_LowLevel_toUint8(uint64_t *i, uint8_t *o);
+
+void Hacl_Impl_P256_LowLevel_changeEndian(uint64_t *i);
+
+void Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(uint8_t *i, uint64_t *o);
+
+uint64_t Hacl_Impl_P256_Core_isPointAtInfinityPrivate(uint64_t *p);
+
+void
+Hacl_Impl_P256_Core_secretToPublic(uint64_t *result, uint8_t *scalar, uint64_t *tempBuffer);
+
+/*
+ The pub(lic)_key input of the function is considered to be public,
+ thus this code is not secret independent with respect to the operations done over this variable.
+*/
+uint64_t Hacl_Impl_P256_DH__ecp256dh_r(uint64_t *result, uint64_t *pubKey, uint8_t *scalar);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Hacl_P256_H_DEFINED
+#endif
diff --git a/include/msvc/internal/Hacl_Poly1305_128.h b/include/msvc/internal/Hacl_Poly1305_128.h
new file mode 100644
index 00000000..838b4048
--- /dev/null
+++ b/include/msvc/internal/Hacl_Poly1305_128.h
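Review bot: None of the prototypes in this header state how long their pointer arguments must be, so a caller of `Hacl_Impl_P256_Core_secretToPublic(uint64_t *result, uint8_t *scalar, uint64_t *tempBuffer)` cannot learn from the header how many limbs `result` and `tempBuffer` must hold or how many bytes of `scalar` are read, and an undersized `tempBuffer` would be an out-of-bounds write that nothing at this level checks. The existing comment on `Hacl_Impl_P256_DH__ecp256dh_r` records only that `pubKey` is treated as public; a parallel sentence on `scalar` (presumably the secret input — confirm against the Low* source) and on the expected sizes would complete the secret-independence contract for readers who only see the C API. This is documentation-only: one comment per prototype with the buffer sizes taken from the Low* signatures rather than guessed, ideally emitted by the generator so it survives regeneration.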
@@ -0,0 +1,55 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __internal_Hacl_Poly1305_128_H
+#define __internal_Hacl_Poly1305_128_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "../Hacl_Poly1305_128.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+Hacl_Impl_Poly1305_Field32xN_128_load_acc2(Lib_IntVector_Intrinsics_vec128 *acc, uint8_t *b);
+
+void
+Hacl_Impl_Poly1305_Field32xN_128_fmul_r2_normalize(
+ Lib_IntVector_Intrinsics_vec128 *out,
+ Lib_IntVector_Intrinsics_vec128 *p
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Hacl_Poly1305_128_H_DEFINED
+#endif
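Review bot: The prototypes for `Hacl_Impl_Poly1305_Field32xN_128_load_acc2` and `Hacl_Impl_Poly1305_Field32xN_128_fmul_r2_normalize` use `Lib_IntVector_Intrinsics_vec128` unconditionally, while libintvector.h later in this patch only typedefs that name under `#if defined(HACL_CAN_COMPILE_VEC128)` inside its x86-64 branch, so a translation unit that includes this internal header on a build without that flag fails to compile instead of merely lacking the two functions. Wrapping the two declarations in `#if defined(HACL_CAN_COMPILE_VEC128)` … `#endif`, or a header comment stating that the file must only be included under that flag, makes the dependency explicit. Hacl_Poly1305_256.h has the same dependency on `Lib_IntVector_Intrinsics_vec256` and `HACL_CAN_COMPILE_VEC256`. The non-x86 branches of libintvector.h are outside this chunk, so the typedef may also exist for other targets under the same flag; the guard would cover those too.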
diff --git a/include/msvc/internal/Hacl_Poly1305_256.h b/include/msvc/internal/Hacl_Poly1305_256.h
new file mode 100644
index 00000000..ac635802
--- /dev/null
+++ b/include/msvc/internal/Hacl_Poly1305_256.h
@@ -0,0 +1,55 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __internal_Hacl_Poly1305_256_H
+#define __internal_Hacl_Poly1305_256_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "../Hacl_Poly1305_256.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+void
+Hacl_Impl_Poly1305_Field32xN_256_load_acc4(Lib_IntVector_Intrinsics_vec256 *acc, uint8_t *b);
+
+void
+Hacl_Impl_Poly1305_Field32xN_256_fmul_r4_normalize(
+ Lib_IntVector_Intrinsics_vec256 *out,
+ Lib_IntVector_Intrinsics_vec256 *p
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Hacl_Poly1305_256_H_DEFINED
+#endif
diff --git a/include/msvc/internal/Hacl_SHA2_Vec128.h b/include/msvc/internal/Hacl_SHA2_Vec128.h
new file mode 100644
index 00000000..09979844
--- /dev/null
+++ b/include/msvc/internal/Hacl_SHA2_Vec128.h
@@ -0,0 +1,76 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __internal_Hacl_SHA2_Vec128_H
+#define __internal_Hacl_SHA2_Vec128_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include
+#include "kremlin/internal/target.h"
+
+
+#include "../Hacl_SHA2_Vec128.h"
+
+typedef struct K____uint8_t___uint8_t__s
+{
+ uint8_t *fst;
+ uint8_t *snd;
+}
+K____uint8_t___uint8_t_;
+
+typedef struct K____uint8_t__K____uint8_t___uint8_t__s
+{
+ uint8_t *fst;
+ K____uint8_t___uint8_t_ snd;
+}
+K____uint8_t__K____uint8_t___uint8_t_;
+
+typedef struct K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__s
+{
+ uint8_t *fst;
+ K____uint8_t__K____uint8_t___uint8_t_ snd;
+}
+K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_;
+
+typedef struct
+K___K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__s
+{
+ K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ fst;
+ K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ snd;
+}
+K___K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_;
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Hacl_SHA2_Vec128_H_DEFINED
+#endif
diff --git a/include/msvc/internal/Hacl_SHA2_Vec256.h b/include/msvc/internal/Hacl_SHA2_Vec256.h
new file mode 100644
index 00000000..a0a9e228
--- /dev/null
+++ b/include/msvc/internal/Hacl_SHA2_Vec256.h
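Review bot: The four struct definitions starting at `typedef struct K____uint8_t___uint8_t__s` are repeated verbatim in Hacl_SHA2_Vec256.h under a different include guard, and C11 (6.7.2.3) does not allow a struct tag to be completed twice in the same scope, so a translation unit that includes both internal headers fails to compile even though the repeated typedef names alone would be permitted. Moving the tuple types into one shared header that both files include removes the hazard; whether any current translation unit includes both is not visible in this chunk. Separately, this header's include order (`evercrypt_targetconfig.h` and `libintvector.h` before the kremlin headers, a blank line after `../Hacl_SHA2_Vec128.h`) differs from every sibling header in the patch, including Hacl_SHA2_Vec256.h, which suggests it was generated with different settings and is worth normalising so future regenerations do not churn the file.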
@@ -0,0 +1,75 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __internal_Hacl_SHA2_Vec256_H
+#define __internal_Hacl_SHA2_Vec256_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "../Hacl_SHA2_Vec256.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+typedef struct K____uint8_t___uint8_t__s
+{
+ uint8_t *fst;
+ uint8_t *snd;
+}
+K____uint8_t___uint8_t_;
+
+typedef struct K____uint8_t__K____uint8_t___uint8_t__s
+{
+ uint8_t *fst;
+ K____uint8_t___uint8_t_ snd;
+}
+K____uint8_t__K____uint8_t___uint8_t_;
+
+typedef struct K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__s
+{
+ uint8_t *fst;
+ K____uint8_t__K____uint8_t___uint8_t_ snd;
+}
+K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_;
+
+typedef struct
+K___K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__s
+{
+ K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ fst;
+ K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ snd;
+}
+K___K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_;
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Hacl_SHA2_Vec256_H_DEFINED
+#endif
diff --git a/include/msvc/internal/Hacl_Spec.h b/include/msvc/internal/Hacl_Spec.h
new file mode 100644
index 00000000..51002a18
--- /dev/null
+++ b/include/msvc/internal/Hacl_Spec.h
@@ -0,0 +1,61 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __internal_Hacl_Spec_H
+#define __internal_Hacl_Spec_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+#include "../Hacl_Spec.h"
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+#define Spec_ECDSA_NoHash 0
+#define Spec_ECDSA_Hash 1
+
+typedef uint8_t Spec_ECDSA_hash_alg_ecdsa_tags;
+
+typedef struct Spec_ECDSA_hash_alg_ecdsa_s
+{
+ Spec_ECDSA_hash_alg_ecdsa_tags tag;
+ Spec_Hash_Definitions_hash_alg _0;
+}
+Spec_ECDSA_hash_alg_ecdsa;
+
+Spec_Agile_Cipher_cipher_alg
+Spec_Cipher_Expansion_cipher_alg_of_impl(Spec_Cipher_Expansion_impl i);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Hacl_Spec_H_DEFINED
+#endif
diff --git a/include/msvc/internal/Vale.h b/include/msvc/internal/Vale.h
new file mode 100644
index 00000000..fae8b9f3
--- /dev/null
+++ b/include/msvc/internal/Vale.h
@@ -0,0 +1,216 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#ifndef __internal_Vale_H
+#define __internal_Vale_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include
+#include "kremlin/internal/types.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/target.h"
+
+
+
+#include "evercrypt_targetconfig.h"
+#include "libintvector.h"
+extern uint64_t add_scalar_e(uint64_t *x0, uint64_t *x1, uint64_t x2);
+
+extern uint64_t fadd_e(uint64_t *x0, uint64_t *x1, uint64_t *x2);
+
+extern uint64_t sha256_update(uint32_t *x0, uint8_t *x1, uint64_t x2, uint32_t *x3);
+
+extern uint64_t x64_poly1305(uint8_t *x0, uint8_t *x1, uint64_t x2, uint64_t x3);
+
+extern uint64_t check_aesni();
+
+extern uint64_t check_sha();
+
+extern uint64_t check_adx_bmi2();
+
+extern uint64_t check_avx();
+
+extern uint64_t check_avx2();
+
+extern uint64_t check_movbe();
+
+extern uint64_t check_sse();
+
+extern uint64_t check_rdrand();
+
+extern uint64_t check_avx512();
+
+extern uint64_t check_osxsave();
+
+extern uint64_t check_avx_xcr0();
+
+extern uint64_t check_avx512_xcr0();
+
+extern uint64_t cswap2_e(uint64_t x0, uint64_t *x1, uint64_t *x2);
+
+extern uint64_t fsqr_e(uint64_t *x0, uint64_t *x1, uint64_t *x2);
+
+extern uint64_t fsqr2_e(uint64_t *x0, uint64_t *x1, uint64_t *x2);
+
+extern uint64_t fmul_e(uint64_t *x0, uint64_t *x1, uint64_t *x2, uint64_t *x3);
+
+extern uint64_t fmul2_e(uint64_t *x0, uint64_t *x1, uint64_t *x2, uint64_t *x3);
+
+extern uint64_t fmul_scalar_e(uint64_t *x0, uint64_t *x1, uint64_t x2);
+
+extern uint64_t fsub_e(uint64_t *x0, uint64_t *x1, uint64_t *x2);
+
+extern uint64_t
+gcm128_decrypt_opt(
+ uint8_t *x0,
+ uint64_t x1,
+ uint64_t x2,
+ uint8_t *x3,
+ uint8_t *x4,
+ uint8_t *x5,
+ uint8_t *x6,
+ uint8_t *x7,
+ uint8_t *x8,
+ uint64_t x9,
+ uint8_t *x10,
+ uint8_t *x11,
+ uint64_t x12,
+ uint8_t *x13,
+ uint64_t x14,
+ uint8_t *x15,
+ uint8_t *x16
+);
+
+extern uint64_t
+gcm256_decrypt_opt(
+ uint8_t *x0,
+ uint64_t x1,
+ uint64_t x2,
+ uint8_t *x3,
+ uint8_t *x4,
+ uint8_t *x5,
+ uint8_t *x6,
+ uint8_t *x7,
+ uint8_t *x8,
+ uint64_t x9,
+ uint8_t *x10,
+ uint8_t *x11,
+ uint64_t x12,
+ uint8_t *x13,
+ uint64_t x14,
+ uint8_t *x15,
+ uint8_t *x16
+);
+
+extern uint64_t aes128_key_expansion(uint8_t *x0, uint8_t *x1);
+
+extern uint64_t aes256_key_expansion(uint8_t *x0, uint8_t *x1);
+
+extern uint64_t
+compute_iv_stdcall(
+ uint8_t *x0,
+ uint64_t x1,
+ uint64_t x2,
+ uint8_t *x3,
+ uint8_t *x4,
+ uint8_t *x5
+);
+
+extern uint64_t
+gcm128_encrypt_opt(
+ uint8_t *x0,
+ uint64_t x1,
+ uint64_t x2,
+ uint8_t *x3,
+ uint8_t *x4,
+ uint8_t *x5,
+ uint8_t *x6,
+ uint8_t *x7,
+ uint8_t *x8,
+ uint64_t x9,
+ uint8_t *x10,
+ uint8_t *x11,
+ uint64_t x12,
+ uint8_t *x13,
+ uint64_t x14,
+ uint8_t *x15,
+ uint8_t *x16
+);
+
+extern uint64_t
+gcm256_encrypt_opt(
+ uint8_t *x0,
+ uint64_t x1,
+ uint64_t x2,
+ uint8_t *x3,
+ uint8_t *x4,
+ uint8_t *x5,
+ uint8_t *x6,
+ uint8_t *x7,
+ uint8_t *x8,
+ uint64_t x9,
+ uint8_t *x10,
+ uint8_t *x11,
+ uint64_t x12,
+ uint8_t *x13,
+ uint64_t x14,
+ uint8_t *x15,
+ uint8_t *x16
+);
+
+extern uint64_t aes128_keyhash_init(uint8_t *x0, uint8_t *x1);
+
+extern uint64_t aes256_keyhash_init(uint8_t *x0, uint8_t *x1);
+
+extern uint64_t
+gctr128_bytes(
+ uint8_t *x0,
+ uint64_t x1,
+ uint8_t *x2,
+ uint8_t *x3,
+ uint8_t *x4,
+ uint8_t *x5,
+ uint64_t x6
+);
+
+extern uint64_t
+gctr256_bytes(
+ uint8_t *x0,
+ uint64_t x1,
+ uint8_t *x2,
+ uint8_t *x3,
+ uint8_t *x4,
+ uint8_t *x5,
+ uint64_t x6
+);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Vale_H_DEFINED
+#endif
diff --git a/include/msvc/lib_intrinsics.h b/include/msvc/lib_intrinsics.h
new file mode 100644
index 00000000..0c35026e
--- /dev/null
+++ b/include/msvc/lib_intrinsics.h
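Review bot: The twelve `check_*` declarations, `extern uint64_t check_aesni();` through `extern uint64_t check_avx512_xcr0();`, use empty parentheses, which in C11 declares a function with an unspecified parameter list rather than a prototype, so the compiler cannot diagnose a call that passes arguments; `extern uint64_t check_aesni(void);` is the intended form for each of them. The remaining declarations name their parameters `x0`…`x16`, which leaves a C caller of `gcm128_decrypt_opt` or `gctr128_bytes` with no way to tell from this header which pointer is the key, which buffers are read or written, or which `uint64_t` is the length that bounds a given pointer; these appear to be assembly entry points (Vale naming, `extern`, no C definitions in the patch — confirm), so this header is the only C-visible statement of their contract. A per-declaration comment giving each parameter's role and the length relationships, emitted by the generator so it survives regeneration, would be documentation-only and would make misuse at the C boundary much easier to catch in review.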
@@ -0,0 +1,83 @@
+#pragma once
+
+#include
+
+#if defined(__has_include)
+#if __has_include("config.h")
+#include "config.h"
+#endif
+#endif
+
+#if defined(HACL_CAN_COMPILE_INTRINSICS)
+#if defined(_MSC_VER)
+#include
+#else
+#include
+#endif
+#endif
+
+#if !defined(HACL_CAN_COMPILE_INTRINSICS)
+
+#include "Hacl_IntTypes_Intrinsics.h"
+
+#if defined(HACL_CAN_COMPILE_UINT128)
+
+#include "Hacl_IntTypes_Intrinsics_128.h"
+
+#define Lib_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4) \
+ (Hacl_IntTypes_Intrinsics_128_add_carry_u64(x1, x2, x3, x4))
+
+#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \
+ (Hacl_IntTypes_Intrinsics_128_sub_borrow_u64(x1, x2, x3, x4))
+
+#else
+
+#define Lib_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4) \
+ (Hacl_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4))
+
+#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \
+ (Hacl_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4))
+
+#endif // defined(HACL_CAN_COMPILE_UINT128)
+
+#define Lib_IntTypes_Intrinsics_add_carry_u32(x1, x2, x3, x4) \
+ (Hacl_IntTypes_Intrinsics_add_carry_u32(x1, x2, x3, x4))
+
+#define Lib_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4) \
+ (Hacl_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4))
+
+#else // !defined(HACL_CAN_COMPILE_INTRINSICS)
+
+#define Lib_IntTypes_Intrinsics_add_carry_u32(x1, x2, x3, x4) \
+ (_addcarry_u32(x1, x2, x3, (unsigned int *) x4))
+
+#define Lib_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4) \
+ (_addcarry_u64(x1, x2, x3, (long long unsigned int *) x4))
+
+
+/*
+ GCC versions prior to 7.2 pass arguments to _subborrow_u{32,64}
+ in an incorrect order.
+
+ See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81294
+*/
+#if defined(__GNUC__) && !defined (__clang__) && \
+ (__GNUC__ < 7 || (__GNUC__ == 7 && (__GNUC_MINOR__ < 2)))
+
+#define Lib_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4) \
+ (_subborrow_u32(x1, x3, x2, (unsigned int *) x4))
+
+#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \
+ (_subborrow_u64(x1, x3, x2, (long long unsigned int *) x4))
+
+#else
+
+#define Lib_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4) \
+ (_subborrow_u32(x1, x2, x3, (unsigned int *) x4))
+
+#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \
+ (_subborrow_u64(x1, x2, x3, (long long unsigned int *) x4))
+
+#endif // GCC < 7.2
+
+#endif // !HACL_CAN_COMPILE_INTRINSICS
diff --git a/include/msvc/libintvector.h b/include/msvc/libintvector.h
new file mode 100644
index 00000000..fe2ba5eb
--- /dev/null
+++ b/include/msvc/libintvector.h
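Review bot: The intrinsic-backed macros apply their cast to an unparenthesized argument, as in `(_addcarry_u64(x1, x2, x3, (long long unsigned int *) x4))`, so if `x4` is an expression such as `p + i` the cast binds to `p` alone and the pointer arithmetic happens in the wrong type; writing `(long long unsigned int *)(x4)`, and parenthesizing `x1`–`x3` likewise, is the standard macro-hygiene fix and applies equally to the `_addcarry_u32` and all four `_subborrow_*` variants in this hunk. The cast itself converts what is presumably a `uint64_t *` (confirm against the callers) to `long long unsigned int *`; on LP64 glibc targets `uint64_t` is `unsigned long`, a distinct type, so the store through the converted pointer is a strict-aliasing violation in principle even though current compilers treat same-width unsigned integer types alike. A short comment above the `#else // !defined(HACL_CAN_COMPILE_INTRINSICS)` branch recording that the cast exists to match the fixed intrinsic signature, and that the aliasing is deliberate, would spare the next reviewer the same investigation.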
@@ -0,0 +1,937 @@ +#ifndef __Vec_Intrin_H +#define __Vec_Intrin_H + +#include + +/* We include config.h here to ensure that the various feature-flags are + * properly brought into scope. Users can either run the configure script, or + * write a config.h themselves and put it under version control. */ +#if defined(__has_include) +#if __has_include("config.h") +#include "config.h" +#endif +#endif + +/* # DEBUGGING: + * ============ + * It is possible to debug the current definitions by using libintvector_debug.h + * See the include at the bottom of the file. */ + +#define Lib_IntVector_Intrinsics_bit_mask64(x) -((x) & 1) + +#if defined(__x86_64__) || defined(_M_X64) + +#if defined(HACL_CAN_COMPILE_VEC128) + +#include +#include +#include + +typedef __m128i Lib_IntVector_Intrinsics_vec128; + +#define Lib_IntVector_Intrinsics_ni_aes_enc(x0, x1) \ + (_mm_aesenc_si128(x0, x1)) + +#define Lib_IntVector_Intrinsics_ni_aes_enc_last(x0, x1) \ + (_mm_aesenclast_si128(x0, x1)) + +#define Lib_IntVector_Intrinsics_ni_aes_keygen_assist(x0, x1) \ + (_mm_aeskeygenassist_si128(x0, x1)) + +#define Lib_IntVector_Intrinsics_ni_clmul(x0, x1, x2) \ + (_mm_clmulepi64_si128(x0, x1, x2)) + + +#define Lib_IntVector_Intrinsics_vec128_xor(x0, x1) \ + (_mm_xor_si128(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_eq64(x0, x1) \ + (_mm_cmpeq_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_eq32(x0, x1) \ + (_mm_cmpeq_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_gt64(x0, x1) \ + (_mm_cmpgt_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_gt32(x0, x1) \ + (_mm_cmpgt_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_or(x0, x1) \ + (_mm_or_si128(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_and(x0, x1) \ + (_mm_and_si128(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_lognot(x0) \ + (_mm_xor_si128(x0, _mm_set1_epi32(-1))) + + +#define Lib_IntVector_Intrinsics_vec128_shift_left(x0, x1) \ + (_mm_slli_si128(x0, (x1)/8)) + +#define 
Lib_IntVector_Intrinsics_vec128_shift_right(x0, x1) \ + (_mm_srli_si128(x0, (x1)/8)) + +#define Lib_IntVector_Intrinsics_vec128_shift_left64(x0, x1) \ + (_mm_slli_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_shift_right64(x0, x1) \ + (_mm_srli_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_shift_left32(x0, x1) \ + (_mm_slli_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_shift_right32(x0, x1) \ + (_mm_srli_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_rotate_left32_8(x0) \ + (_mm_shuffle_epi8(x0, _mm_set_epi8(14,13,12,15,10,9,8,11,6,5,4,7,2,1,0,3))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_left32_16(x0) \ + (_mm_shuffle_epi8(x0, _mm_set_epi8(13,12,15,14,9,8,11,10,5,4,7,6,1,0,3,2))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_left32_24(x0) \ + (_mm_shuffle_epi8(x0, _mm_set_epi8(12,15,14,13,8,11,10,9,4,7,6,5,0,3,2,1))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_left32(x0,x1) \ + (((x1) == 8? Lib_IntVector_Intrinsics_vec128_rotate_left32_8(x0) : \ + ((x1) == 16? Lib_IntVector_Intrinsics_vec128_rotate_left32_16(x0) : \ + ((x1) == 24? 
Lib_IntVector_Intrinsics_vec128_rotate_left32_24(x0) : \ + _mm_xor_si128(_mm_slli_epi32(x0,x1),_mm_srli_epi32(x0,32-(x1))))))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_right32(x0,x1) \ + (Lib_IntVector_Intrinsics_vec128_rotate_left32(x0,32-(x1))) + +#define Lib_IntVector_Intrinsics_vec128_shuffle32(x0, x1, x2, x3, x4) \ + (_mm_shuffle_epi32(x0, _MM_SHUFFLE(x4,x3,x2,x1))) + +#define Lib_IntVector_Intrinsics_vec128_shuffle64(x0, x1, x2) \ + (_mm_shuffle_epi32(x0, _MM_SHUFFLE(2*x1+1,2*x1,2*x2+1,2*x2))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(x0, x1) \ + (_mm_shuffle_epi32(x0, _MM_SHUFFLE((x1+3)%4,(x1+2)%4,(x1+1)%4,x1%4))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_right_lanes64(x0, x1) \ + (_mm_shuffle_epi32(x0, _MM_SHUFFLE((2*x1+3)%4,(2*x1+2)%4,(2*x1+1)%4,(2*x1)%4))) + +#define Lib_IntVector_Intrinsics_vec128_load32_le(x0) \ + (_mm_loadu_si128((__m128i*)(x0))) + +#define Lib_IntVector_Intrinsics_vec128_load64_le(x0) \ + (_mm_loadu_si128((__m128i*)(x0))) + +#define Lib_IntVector_Intrinsics_vec128_store32_le(x0, x1) \ + (_mm_storeu_si128((__m128i*)(x0), x1)) + +#define Lib_IntVector_Intrinsics_vec128_store64_le(x0, x1) \ + (_mm_storeu_si128((__m128i*)(x0), x1)) + +#define Lib_IntVector_Intrinsics_vec128_load_be(x0) \ + (_mm_shuffle_epi8(_mm_loadu_si128((__m128i*)(x0)), _mm_set_epi8(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15))) + +#define Lib_IntVector_Intrinsics_vec128_load32_be(x0) \ + (_mm_shuffle_epi8(_mm_loadu_si128((__m128i*)(x0)), _mm_set_epi8(12, 13, 14, 15, 8, 9, 10, 11, 4, 5, 6, 7, 0, 1, 2, 3))) + +#define Lib_IntVector_Intrinsics_vec128_load64_be(x0) \ + (_mm_shuffle_epi8(_mm_loadu_si128((__m128i*)(x0)), _mm_set_epi8(8, 9, 10, 11, 12, 13, 14, 15, 0, 1, 2, 3, 4, 5, 6, 7))) + +#define Lib_IntVector_Intrinsics_vec128_store_be(x0, x1) \ + (_mm_storeu_si128((__m128i*)(x0), _mm_shuffle_epi8(x1, _mm_set_epi8(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)))) + + +#define 
Lib_IntVector_Intrinsics_vec128_store32_be(x0, x1) \ + (_mm_storeu_si128((__m128i*)(x0), _mm_shuffle_epi8(x1, _mm_set_epi8(12, 13, 14, 15, 8, 9, 10, 11, 4, 5, 6, 7, 0, 1, 2, 3)))) + +#define Lib_IntVector_Intrinsics_vec128_store64_be(x0, x1) \ + (_mm_storeu_si128((__m128i*)(x0), _mm_shuffle_epi8(x1, _mm_set_epi8(8, 9, 10, 11, 12, 13, 14, 15, 0, 1, 2, 3, 4, 5, 6, 7)))) + + + +#define Lib_IntVector_Intrinsics_vec128_insert8(x0, x1, x2) \ + (_mm_insert_epi8(x0, x1, x2)) + +#define Lib_IntVector_Intrinsics_vec128_insert32(x0, x1, x2) \ + (_mm_insert_epi32(x0, x1, x2)) + +#define Lib_IntVector_Intrinsics_vec128_insert64(x0, x1, x2) \ + (_mm_insert_epi64(x0, x1, x2)) + +#define Lib_IntVector_Intrinsics_vec128_extract8(x0, x1) \ + (_mm_extract_epi8(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_extract32(x0, x1) \ + (_mm_extract_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_extract64(x0, x1) \ + (_mm_extract_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_zero \ + (_mm_setzero_si128()) + + +#define Lib_IntVector_Intrinsics_vec128_add64(x0, x1) \ + (_mm_add_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_sub64(x0, x1) \ + (_mm_sub_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_mul64(x0, x1) \ + (_mm_mul_epu32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_smul64(x0, x1) \ + (_mm_mul_epu32(x0, _mm_set1_epi64x(x1))) + +#define Lib_IntVector_Intrinsics_vec128_add32(x0, x1) \ + (_mm_add_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_sub32(x0, x1) \ + (_mm_sub_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_mul32(x0, x1) \ + (_mm_mullo_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_smul32(x0, x1) \ + (_mm_mullo_epi32(x0, _mm_set1_epi32(x1))) + +#define Lib_IntVector_Intrinsics_vec128_load128(x) \ + ((__m128i)x) + +#define Lib_IntVector_Intrinsics_vec128_load64(x) \ + (_mm_set1_epi64x(x)) /* hi lo */ + +#define Lib_IntVector_Intrinsics_vec128_load64s(x0, x1) \ + (_mm_set_epi64x(x1, x0)) /* hi lo 
*/ + +#define Lib_IntVector_Intrinsics_vec128_load32(x) \ + (_mm_set1_epi32(x)) + +#define Lib_IntVector_Intrinsics_vec128_load32s(x0, x1, x2, x3) \ + (_mm_set_epi32(x3, x2, x1, x0)) /* hi lo */ + +#define Lib_IntVector_Intrinsics_vec128_interleave_low32(x1, x2) \ + (_mm_unpacklo_epi32(x1, x2)) + +#define Lib_IntVector_Intrinsics_vec128_interleave_high32(x1, x2) \ + (_mm_unpackhi_epi32(x1, x2)) + +#define Lib_IntVector_Intrinsics_vec128_interleave_low64(x1, x2) \ + (_mm_unpacklo_epi64(x1, x2)) + +#define Lib_IntVector_Intrinsics_vec128_interleave_high64(x1, x2) \ + (_mm_unpackhi_epi64(x1, x2)) + +#endif /* HACL_CAN_COMPILE_VEC128 */ + +#if defined(HACL_CAN_COMPILE_VEC256) + +#include +#include + +typedef __m256i Lib_IntVector_Intrinsics_vec256; + + +#define Lib_IntVector_Intrinsics_vec256_eq64(x0, x1) \ + (_mm256_cmpeq_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_eq32(x0, x1) \ + (_mm256_cmpeq_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_gt64(x0, x1) \ + (_mm256_cmpgt_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_gt32(x0, x1) \ + (_mm256_cmpgt_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_xor(x0, x1) \ + (_mm256_xor_si256(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_or(x0, x1) \ + (_mm256_or_si256(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_and(x0, x1) \ + (_mm256_and_si256(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_lognot(x0) \ + (_mm256_xor_si256(x0, _mm256_set1_epi32(-1))) + +#define Lib_IntVector_Intrinsics_vec256_shift_left(x0, x1) \ + (_mm256_slli_si256(x0, (x1)/8)) + +#define Lib_IntVector_Intrinsics_vec256_shift_right(x0, x1) \ + (_mm256_srli_si256(x0, (x1)/8)) + +#define Lib_IntVector_Intrinsics_vec256_shift_left64(x0, x1) \ + (_mm256_slli_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_shift_right64(x0, x1) \ + (_mm256_srli_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_shift_left32(x0, x1) \ + (_mm256_slli_epi32(x0, x1)) + +#define 
Lib_IntVector_Intrinsics_vec256_shift_right32(x0, x1) \ + (_mm256_srli_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_rotate_left32_8(x0) \ + (_mm256_shuffle_epi8(x0, _mm256_set_epi8(14,13,12,15,10,9,8,11,6,5,4,7,2,1,0,3,14,13,12,15,10,9,8,11,6,5,4,7,2,1,0,3))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_left32_16(x0) \ + (_mm256_shuffle_epi8(x0, _mm256_set_epi8(13,12,15,14,9,8,11,10,5,4,7,6,1,0,3,2,13,12,15,14,9,8,11,10,5,4,7,6,1,0,3,2))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_left32_24(x0) \ + (_mm256_shuffle_epi8(x0, _mm256_set_epi8(12,15,14,13,8,11,10,9,4,7,6,5,0,3,2,1,12,15,14,13,8,11,10,9,4,7,6,5,0,3,2,1))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_left32(x0,x1) \ + ((x1 == 8? Lib_IntVector_Intrinsics_vec256_rotate_left32_8(x0) : \ + (x1 == 16? Lib_IntVector_Intrinsics_vec256_rotate_left32_16(x0) : \ + (x1 == 24? Lib_IntVector_Intrinsics_vec256_rotate_left32_24(x0) : \ + _mm256_or_si256(_mm256_slli_epi32(x0,x1),_mm256_srli_epi32(x0,32-(x1))))))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right32(x0,x1) \ + (Lib_IntVector_Intrinsics_vec256_rotate_left32(x0,32-(x1))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right64_8(x0) \ + (_mm256_shuffle_epi8(x0, _mm256_set_epi8(8,15,14,13,12,11,10,9,0,7,6,5,4,3,2,1,8,15,14,13,12,11,10,9,0,7,6,5,4,3,2,1))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right64_16(x0) \ + (_mm256_shuffle_epi8(x0, _mm256_set_epi8(9,8,15,14,13,12,11,10,1,0,7,6,5,4,3,2,9,8,15,14,13,12,11,10,1,0,7,6,5,4,3,2))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right64_24(x0) \ + (_mm256_shuffle_epi8(x0, _mm256_set_epi8(10,9,8,15,14,13,12,11,2,1,0,7,6,5,4,3,10,9,8,15,14,13,12,11,2,1,0,7,6,5,4,3))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right64_32(x0) \ + (_mm256_shuffle_epi8(x0, _mm256_set_epi8(11,10,9,8,15,14,13,12,3,2,1,0,7,6,5,4,11,10,9,8,15,14,13,12,3,2,1,0,7,6,5,4))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right64_40(x0) \ + (_mm256_shuffle_epi8(x0, 
_mm256_set_epi8(12,11,10,9,8,15,14,13,4,3,2,1,0,7,6,5,12,11,10,9,8,15,14,13,4,3,2,1,0,7,6,5))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right64_48(x0) \ + (_mm256_shuffle_epi8(x0, _mm256_set_epi8(13,12,11,10,9,8,15,14,5,4,3,2,1,0,7,6,13,12,11,10,9,8,15,14,5,4,3,2,1,0,7,6))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right64_56(x0) \ + (_mm256_shuffle_epi8(x0, _mm256_set_epi8(14,13,12,11,10,9,8,15,6,5,4,3,2,1,0,7,14,13,12,11,10,9,8,15,6,5,4,3,2,1,0,7))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right64(x0,x1) \ + ((x1 == 8? Lib_IntVector_Intrinsics_vec256_rotate_right64_8(x0) : \ + (x1 == 16? Lib_IntVector_Intrinsics_vec256_rotate_right64_16(x0) : \ + (x1 == 24? Lib_IntVector_Intrinsics_vec256_rotate_right64_24(x0) : \ + (x1 == 32? Lib_IntVector_Intrinsics_vec256_rotate_right64_32(x0) : \ + (x1 == 40? Lib_IntVector_Intrinsics_vec256_rotate_right64_40(x0) : \ + (x1 == 48? Lib_IntVector_Intrinsics_vec256_rotate_right64_48(x0) : \ + (x1 == 56? Lib_IntVector_Intrinsics_vec256_rotate_right64_56(x0) : \ + _mm256_xor_si256(_mm256_srli_epi64((x0),(x1)),_mm256_slli_epi64((x0),(64-(x1)))))))))))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_left64(x0,x1) \ + (Lib_IntVector_Intrinsics_vec256_rotate_right64(x0,64-(x1))) + +#define Lib_IntVector_Intrinsics_vec256_shuffle64(x0, x1, x2, x3, x4) \ + (_mm256_permute4x64_epi64(x0, _MM_SHUFFLE(x4,x3,x2,x1))) + +#define Lib_IntVector_Intrinsics_vec256_shuffle32(x0, x1, x2, x3, x4, x5, x6, x7, x8) \ + (_mm256_permutevar8x32_epi32(x0, _mm256_set_epi32(x8,x7,x6,x5,x4,x3,x2,x1))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right_lanes32(x0, x1) \ + (_mm256_permutevar8x32_epi32(x0, _mm256_set_epi32((x1+7)%8,(x1+6)%8,(x1+5)%8,(x1+4)%8,(x1+3%8),(x1+2)%8,(x1+1)%8,x1%8))) + +#define Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(x0, x1) \ + (_mm256_permute4x64_epi64(x0, _MM_SHUFFLE((x1+3)%4,(x1+2)%4,(x1+1)%4,x1%4))) + +#define Lib_IntVector_Intrinsics_vec256_load32_le(x0) \ + 
(_mm256_loadu_si256((__m256i*)(x0))) + +#define Lib_IntVector_Intrinsics_vec256_load64_le(x0) \ + (_mm256_loadu_si256((__m256i*)(x0))) + +#define Lib_IntVector_Intrinsics_vec256_load32_be(x0) \ + (_mm256_shuffle_epi8(_mm256_loadu_si256((__m256i*)(x0)), _mm256_set_epi8(12, 13, 14, 15, 8, 9, 10, 11, 4, 5, 6, 7, 0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11, 4, 5, 6, 7, 0, 1, 2, 3))) + +#define Lib_IntVector_Intrinsics_vec256_load64_be(x0) \ + (_mm256_shuffle_epi8(_mm256_loadu_si256((__m256i*)(x0)), _mm256_set_epi8(8, 9, 10, 11, 12, 13, 14, 15, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 0, 1, 2, 3, 4, 5, 6, 7))) + + +#define Lib_IntVector_Intrinsics_vec256_store32_le(x0, x1) \ + (_mm256_storeu_si256((__m256i*)(x0), x1)) + +#define Lib_IntVector_Intrinsics_vec256_store64_le(x0, x1) \ + (_mm256_storeu_si256((__m256i*)(x0), x1)) + +#define Lib_IntVector_Intrinsics_vec256_store32_be(x0, x1) \ + (_mm256_storeu_si256((__m256i*)(x0), _mm256_shuffle_epi8(x1, _mm256_set_epi8(12, 13, 14, 15, 8, 9, 10, 11, 4, 5, 6, 7, 0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11, 4, 5, 6, 7, 0, 1, 2, 3)))) + +#define Lib_IntVector_Intrinsics_vec256_store64_be(x0, x1) \ + (_mm256_storeu_si256((__m256i*)(x0), _mm256_shuffle_epi8(x1, _mm256_set_epi8(8, 9, 10, 11, 12, 13, 14, 15, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 0, 1, 2, 3, 4, 5, 6, 7)))) + + +#define Lib_IntVector_Intrinsics_vec256_insert8(x0, x1, x2) \ + (_mm256_insert_epi8(x0, x1, x2)) + +#define Lib_IntVector_Intrinsics_vec256_insert32(x0, x1, x2) \ + (_mm256_insert_epi32(x0, x1, x2)) + +#define Lib_IntVector_Intrinsics_vec256_insert64(x0, x1, x2) \ + (_mm256_insert_epi64(x0, x1, x2)) + +#define Lib_IntVector_Intrinsics_vec256_extract8(x0, x1) \ + (_mm256_extract_epi8(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_extract32(x0, x1) \ + (_mm256_extract_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_extract64(x0, x1) \ + (_mm256_extract_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_zero \ + 
(_mm256_setzero_si256()) + +#define Lib_IntVector_Intrinsics_vec256_add64(x0, x1) \ + (_mm256_add_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_sub64(x0, x1) \ + (_mm256_sub_epi64(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_mul64(x0, x1) \ + (_mm256_mul_epu32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_smul64(x0, x1) \ + (_mm256_mul_epu32(x0, _mm256_set1_epi64x(x1))) + + +#define Lib_IntVector_Intrinsics_vec256_add32(x0, x1) \ + (_mm256_add_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_sub32(x0, x1) \ + (_mm256_sub_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_mul32(x0, x1) \ + (_mm256_mullo_epi32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec256_smul32(x0, x1) \ + (_mm256_mullo_epi32(x0, _mm256_set1_epi32(x1))) + + +#define Lib_IntVector_Intrinsics_vec256_load64(x1) \ + (_mm256_set1_epi64x(x1)) /* hi lo */ + +#define Lib_IntVector_Intrinsics_vec256_load64s(x0, x1, x2, x3) \ + (_mm256_set_epi64x(x3,x2,x1,x0)) /* hi lo */ + +#define Lib_IntVector_Intrinsics_vec256_load32(x) \ + (_mm256_set1_epi32(x)) + +#define Lib_IntVector_Intrinsics_vec256_load32s(x0,x1,x2,x3,x4, x5, x6, x7) \ + (_mm256_set_epi32(x7, x6, x5, x4, x3, x2, x1, x0)) /* hi lo */ + +#define Lib_IntVector_Intrinsics_vec256_load128(x) \ + (_mm256_set_m128i((__m128i)x)) + +#define Lib_IntVector_Intrinsics_vec256_load128s(x0,x1) \ + (_mm256_set_m128i((__m128i)x1,(__m128i)x0)) + +#define Lib_IntVector_Intrinsics_vec256_interleave_low32(x1, x2) \ + (_mm256_unpacklo_epi32(x1, x2)) + +#define Lib_IntVector_Intrinsics_vec256_interleave_high32(x1, x2) \ + (_mm256_unpackhi_epi32(x1, x2)) + +#define Lib_IntVector_Intrinsics_vec256_interleave_low64(x1, x2) \ + (_mm256_unpacklo_epi64(x1, x2)) + +#define Lib_IntVector_Intrinsics_vec256_interleave_high64(x1, x2) \ + (_mm256_unpackhi_epi64(x1, x2)) + +#define Lib_IntVector_Intrinsics_vec256_interleave_low128(x1, x2) \ + (_mm256_permute2x128_si256(x1, x2, 0x20)) + +#define 
Lib_IntVector_Intrinsics_vec256_interleave_high128(x1, x2) \ + (_mm256_permute2x128_si256(x1, x2, 0x31)) + +#endif /* HACL_CAN_COMPILE_VEC256 */ + +#elif (defined(__aarch64__) || defined(_M_ARM64) || defined(__arm__) || defined(_M_ARM)) \ + && !defined(__ARM_32BIT_STATE) + +#if defined(HACL_CAN_COMPILE_VEC128) + +#include + +typedef uint32x4_t Lib_IntVector_Intrinsics_vec128; + +#define Lib_IntVector_Intrinsics_vec128_xor(x0, x1) \ + (veorq_u32(x0,x1)) + +#define Lib_IntVector_Intrinsics_vec128_eq64(x0, x1) \ + (vceqq_u32(x0,x1)) + +#define Lib_IntVector_Intrinsics_vec128_eq32(x0, x1) \ + (vceqq_u32(x0,x1)) + +#define Lib_IntVector_Intrinsics_vec128_gt32(x0, x1) \ + (vcgtq_u32(x0, x1)) + +#define high32(x0) \ + (vmovn_u64(vshrq_n_u64(vreinterpretq_u64_u32(x0),32))) + +#define low32(x0) \ + (vmovn_u64(vreinterpretq_u64_u32(x0))) + +#define Lib_IntVector_Intrinsics_vec128_gt64(x0, x1) \ + (vreinterpretq_u32_u64(vmovl_u32(vorr_u32(vcgt_u32(high32(x0),high32(x1)),vand_u32(vceq_u32(high32(x0),high32(x1)),vcgt_u32(low32(x0),low32(x1))))))) + +#define Lib_IntVector_Intrinsics_vec128_or(x0, x1) \ + (vorrq_u32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_and(x0, x1) \ + (vandq_u32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_lognot(x0) \ + (vmvnq_u32(x0)) + + +#define Lib_IntVector_Intrinsics_vec128_shift_left(x0, x1) \ + (vextq_u32(x0, vdupq_n_u8(0), 16-(x1)/8)) + +#define Lib_IntVector_Intrinsics_vec128_shift_right(x0, x1) \ + (vextq_u32(x0, vdupq_n_u8(0), (x1)/8)) + +#define Lib_IntVector_Intrinsics_vec128_shift_left64(x0, x1) \ + (vreinterpretq_u32_u64(vshlq_n_u64(vreinterpretq_u64_u32(x0), x1))) + +#define Lib_IntVector_Intrinsics_vec128_shift_right64(x0, x1) \ + (vreinterpretq_u32_u64(vshrq_n_u64(vreinterpretq_u64_u32(x0), x1))) + +#define Lib_IntVector_Intrinsics_vec128_shift_left32(x0, x1) \ + (vshlq_n_u32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_shift_right32(x0, x1) \ + (vshrq_n_u32(x0, x1)) + +#define 
Lib_IntVector_Intrinsics_vec128_rotate_left32_16(x1) \ + (vreinterpretq_u32_u16(vrev32q_u16(vreinterpretq_u16_u32(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_left32(x0,x1) \ + (((x1) == 16? Lib_IntVector_Intrinsics_vec128_rotate_left32_16(x0) : \ + vsriq_n_u32(vshlq_n_u32((x0),(x1)),(x0),32-(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_right32_16(x1) \ + (vreinterpretq_u32_u16(vrev32q_u16(vreinterpretq_u16_u32(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_right32(x0,x1) \ + (((x1) == 16? Lib_IntVector_Intrinsics_vec128_rotate_right32_16(x0) : \ + vsriq_n_u32(vshlq_n_u32((x0),32-(x1)),(x0),(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(x0, x1) \ + (vextq_u32(x0,x0,x1)) + +#define Lib_IntVector_Intrinsics_vec128_rotate_right_lanes64(x0, x1) \ + (vextq_u64(x0,x0,x1)) + + +/* +#define Lib_IntVector_Intrinsics_vec128_shuffle32(x0, x1, x2, x3, x4) \ + (_mm_shuffle_epi32(x0, _MM_SHUFFLE(x1,x2,x3,x4))) + +#define Lib_IntVector_Intrinsics_vec128_shuffle64(x0, x1, x2) \ + (_mm_shuffle_epi32(x0, _MM_SHUFFLE(2*x1+1,2*x1,2*x2+1,2*x2))) +*/ + +#define Lib_IntVector_Intrinsics_vec128_load32_le(x0) \ + (vld1q_u32((const uint32_t*) (x0))) + +#define Lib_IntVector_Intrinsics_vec128_load64_le(x0) \ + (vld1q_u32((const uint32_t*) (x0))) + +#define Lib_IntVector_Intrinsics_vec128_store32_le(x0, x1) \ + (vst1q_u32((uint32_t*)(x0),(x1))) + +#define Lib_IntVector_Intrinsics_vec128_store64_le(x0, x1) \ + (vst1q_u32((uint32_t*)(x0),(x1))) + +/* +#define Lib_IntVector_Intrinsics_vec128_load_be(x0) \ + ( Lib_IntVector_Intrinsics_vec128 l = vrev64q_u8(vld1q_u32((uint32_t*)(x0))); + +*/ + +#define Lib_IntVector_Intrinsics_vec128_load32_be(x0) \ + (vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(vld1q_u32((const uint32_t*)(x0)))))) + +#define Lib_IntVector_Intrinsics_vec128_load64_be(x0) \ + (vreinterpretq_u32_u8(vrev64q_u8(vreinterpretq_u8_u32(vld1q_u32((const uint32_t*)(x0)))))) + +/* +#define 
Lib_IntVector_Intrinsics_vec128_store_be(x0, x1) \ + (_mm_storeu_si128((__m128i*)(x0), _mm_shuffle_epi8(x1, _mm_set_epi8(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)))) +*/ + +#define Lib_IntVector_Intrinsics_vec128_store32_be(x0, x1) \ + (vst1q_u32((uint32_t*)(x0),(vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(x1)))))) + +#define Lib_IntVector_Intrinsics_vec128_store64_be(x0, x1) \ + (vst1q_u32((uint32_t*)(x0),(vreinterpretq_u32_u8(vrev64q_u8(vreinterpretq_u8_u32(x1)))))) + +#define Lib_IntVector_Intrinsics_vec128_insert8(x0, x1, x2) \ + (vsetq_lane_u8(x1,x0,x2)) + +#define Lib_IntVector_Intrinsics_vec128_insert32(x0, x1, x2) \ + (vsetq_lane_u32(x1,x0,x2)) + +#define Lib_IntVector_Intrinsics_vec128_insert64(x0, x1, x2) \ + (vreinterpretq_u32_u64(vsetq_lane_u64(x1,vreinterpretq_u64_u32(x0),x2))) + +#define Lib_IntVector_Intrinsics_vec128_extract8(x0, x1) \ + (vgetq_lane_u8(x0,x1)) + +#define Lib_IntVector_Intrinsics_vec128_extract32(x0, x1) \ + (vgetq_lane_u32(x0,x1)) + +#define Lib_IntVector_Intrinsics_vec128_extract64(x0, x1) \ + (vgetq_lane_u64(vreinterpretq_u64_u32(x0),x1)) + +#define Lib_IntVector_Intrinsics_vec128_zero \ + (vdupq_n_u32(0)) + +#define Lib_IntVector_Intrinsics_vec128_add64(x0, x1) \ + (vreinterpretq_u32_u64(vaddq_u64(vreinterpretq_u64_u32(x0), vreinterpretq_u64_u32(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_sub64(x0, x1) \ + (vreinterpretq_u32_u64(vsubq_u64(vreinterpretq_u64_u32(x0), vreinterpretq_u64_u32(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_mul64(x0, x1) \ + (vreinterpretq_u32_u64(vmull_u32(vmovn_u64(vreinterpretq_u64_u32(x0)), vmovn_u64(vreinterpretq_u64_u32(x1))))) + +#define Lib_IntVector_Intrinsics_vec128_smul64(x0, x1) \ + (vreinterpretq_u32_u64(vmull_n_u32(vmovn_u64(vreinterpretq_u64_u32(x0)), (uint32_t)x1))) + +#define Lib_IntVector_Intrinsics_vec128_add32(x0, x1) \ + (vaddq_u32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_sub32(x0, x1) \ + (vsubq_u32(x0, x1)) + +#define 
Lib_IntVector_Intrinsics_vec128_mul32(x0, x1) \ + (vmulq_lane_u32(x0, x1)) + +#define Lib_IntVector_Intrinsics_vec128_smul32(x0, x1) \ + (vmulq_lane_u32(x0, vdupq_n_u32(x1))) + +#define Lib_IntVector_Intrinsics_vec128_load128(x) \ + ((uint32x4_t)(x)) + +#define Lib_IntVector_Intrinsics_vec128_load64(x) \ + (vreinterpretq_u32_u64(vdupq_n_u64(x))) /* hi lo */ + +#define Lib_IntVector_Intrinsics_vec128_load32(x) \ + (vdupq_n_u32(x)) /* hi lo */ + +static inline Lib_IntVector_Intrinsics_vec128 Lib_IntVector_Intrinsics_vec128_load64s(uint64_t x1, uint64_t x2){ + const uint64_t a[2] = {x1,x2}; + return vreinterpretq_u32_u64(vld1q_u64(a)); +} + +static inline Lib_IntVector_Intrinsics_vec128 Lib_IntVector_Intrinsics_vec128_load32s(uint32_t x1, uint32_t x2, uint32_t x3, uint32_t x4){ + const uint32_t a[4] = {x1,x2,x3,x4}; + return vld1q_u32(a); +} + +#define Lib_IntVector_Intrinsics_vec128_interleave_low32(x1, x2) \ + (vzip1q_u32(x1,x2)) + +#define Lib_IntVector_Intrinsics_vec128_interleave_high32(x1, x2) \ + (vzip2q_u32(x1,x2)) + +#define Lib_IntVector_Intrinsics_vec128_interleave_low64(x1,x2) \ + (vreinterpretq_u32_u64(vzip1q_u64(vreinterpretq_u64_u32(x1),vreinterpretq_u64_u32(x2)))) + +#define Lib_IntVector_Intrinsics_vec128_interleave_high64(x1,x2) \ + (vreinterpretq_u32_u64(vzip2q_u64(vreinterpretq_u64_u32(x1),vreinterpretq_u64_u32(x2)))) + +#endif /* HACL_CAN_COMPILE_VEC128 */ + +/* IBM z architecture */ +#elif defined(__s390x__) /* this flag is for GCC only */ + +#if defined(HACL_CAN_COMPILE_VEC128) + +#include +#include + +/* The main vector 128 type + * We can't use uint8_t, uint32_t, uint64_t... instead of unsigned char, + * unsigned int, unsigned long long: the compiler complains that the parameter + * combination is invalid. 
*/ +typedef unsigned char vector128_8 __attribute__ ((vector_size(16))); +typedef unsigned int vector128_32 __attribute__ ((vector_size(16))); +typedef unsigned long long vector128_64 __attribute__ ((vector_size(16))); + +typedef vector128_8 Lib_IntVector_Intrinsics_vec128; +typedef vector128_8 vector128; + +#define Lib_IntVector_Intrinsics_vec128_load32_le(x) \ + (vector128) ((vector128_32) vec_revb(*((vector128_32*) (const uint8_t*)(x)))) + +#define Lib_IntVector_Intrinsics_vec128_load32_be(x) \ + (vector128) (*((vector128_32*) (const uint8_t*)(x))) + +#define Lib_IntVector_Intrinsics_vec128_load64_le(x) \ + (vector128) ((vector128_64) vec_revb(*((vector128_64*) (const uint8_t*)(x)))) + +static inline +void Lib_IntVector_Intrinsics_vec128_store32_le(const uint8_t *x0, vector128 x1) { + *((vector128_32*)x0) = vec_revb((vector128_32) x1); +} + +static inline +void Lib_IntVector_Intrinsics_vec128_store32_be(const uint8_t *x0, vector128 x1) { + *((vector128_32*)x0) = (vector128_32) x1; +} + +static inline +void Lib_IntVector_Intrinsics_vec128_store64_le(const uint8_t *x0, vector128 x1) { + *((vector128_64*)x0) = vec_revb((vector128_64) x1); +} + +#define Lib_IntVector_Intrinsics_vec128_add32(x0,x1) \ + ((vector128)((vector128_32)(((vector128_32)(x0)) + ((vector128_32)(x1))))) + +#define Lib_IntVector_Intrinsics_vec128_add64(x0, x1) \ + ((vector128)((vector128_64)(((vector128_64)(x0)) + ((vector128_64)(x1))))) + +#define Lib_IntVector_Intrinsics_vec128_and(x0, x1) \ + ((vector128)(vec_and((vector128)(x0),(vector128)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_eq32(x0, x1) \ + ((vector128)(vec_cmpeq(((vector128_32)(x0)),((vector128_32)(x1))))) + +#define Lib_IntVector_Intrinsics_vec128_eq64(x0, x1) \ + ((vector128)(vec_cmpeq(((vector128_64)(x0)),((vector128_64)(x1))))) + +#define Lib_IntVector_Intrinsics_vec128_extract32(x0, x1) \ + ((unsigned int)(vec_extract((vector128_32)(x0), x1))) + +#define Lib_IntVector_Intrinsics_vec128_extract64(x0, x1) \ + ((unsigned 
long long)(vec_extract((vector128_64)(x0), x1))) + +#define Lib_IntVector_Intrinsics_vec128_gt32(x0, x1) \ + ((vector128)((vector128_32)(((vector128_32)(x0)) > ((vector128_32)(x1))))) + +#define Lib_IntVector_Intrinsics_vec128_gt64(x0, x1) \ + ((vector128)((vector128_64)(((vector128_64)(x0)) > ((vector128_64)(x1))))) + +#define Lib_IntVector_Intrinsics_vec128_insert32(x0, x1, x2) \ + ((vector128)((vector128_32)vec_insert((unsigned int)(x1), (vector128_32)(x0), x2))) + +#define Lib_IntVector_Intrinsics_vec128_insert64(x0, x1, x2) \ + ((vector128)((vector128_64)vec_insert((unsigned long long)(x1), (vector128_64)(x0), x2))) + +#define Lib_IntVector_Intrinsics_vec128_interleave_high32(x0, x1) \ + ((vector128)((vector128_32)vec_mergel((vector128_32)(x0), (vector128_32)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_interleave_high64(x0, x1) \ + ((vector128)((vector128_64)vec_mergel((vector128_64)(x0), (vector128_64)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_interleave_low32(x0, x1) \ + ((vector128)((vector128_32)vec_mergeh((vector128_32)(x0), (vector128_32)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_interleave_low64(x0, x1) \ + ((vector128)((vector128_64)vec_mergeh((vector128_64)(x0), (vector128_64)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_load32(x) \ + ((vector128)((vector128_32){(unsigned int)(x), (unsigned int)(x), \ + (unsigned int)(x), (unsigned int)(x)})) + +#define Lib_IntVector_Intrinsics_vec128_load32s(x0, x1, x2, x3) \ + ((vector128)((vector128_32){(unsigned int)(x0),(unsigned int)(x1),(unsigned int)(x2),(unsigned int)(x3)})) + +#define Lib_IntVector_Intrinsics_vec128_load64(x) \ + ((vector128)((vector128_64)vec_load_pair((unsigned long long)(x),(unsigned long long)(x)))) + +#define Lib_IntVector_Intrinsics_vec128_lognot(x0) \ + ((vector128)(vec_xor((vector128)(x0), (vector128)vec_splat_u32(-1)))) + +#define Lib_IntVector_Intrinsics_vec128_mul64(x0, x1) \ + ((vector128)(vec_mulo((vector128_32)(x0), \ + (vector128_32)(x1)))) + 
+#define Lib_IntVector_Intrinsics_vec128_or(x0, x1) \ + ((vector128)(vec_or((vector128)(x0),(vector128)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_left32(x0, x1) \ + ((vector128)(vec_rli((vector128_32)(x0), (unsigned long)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_right32(x0, x1) \ + (Lib_IntVector_Intrinsics_vec128_rotate_left32(x0,(uint32_t)(32-(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(x0, x1) \ + ((vector128)(vec_sld((vector128)(x0), (vector128)(x0), (x1%4)*4))) + +#define Lib_IntVector_Intrinsics_vec128_shift_left64(x0, x1) \ + (((vector128)((vector128_64)vec_rli((vector128_64)(x0), (unsigned long)(x1)))) & \ + ((vector128)((vector128_64){0xffffffffffffffff << (x1), 0xffffffffffffffff << (x1)}))) + +#define Lib_IntVector_Intrinsics_vec128_shift_right64(x0, x1) \ + (((vector128)((vector128_64)vec_rli((vector128_64)(x0), (unsigned long)(64-(x1))))) & \ + ((vector128)((vector128_64){0xffffffffffffffff >> (x1), 0xffffffffffffffff >> (x1)}))) + +#define Lib_IntVector_Intrinsics_vec128_shift_right32(x0, x1) \ + (((vector128)((vector128_32)vec_rli((vector128_32)(x0), (unsigned int)(32-(x1))))) & \ + ((vector128)((vector128_32){0xffffffff >> (x1), 0xffffffff >> (x1), \ + 0xffffffff >> (x1), 0xffffffff >> (x1)}))) + +/* Doesn't work with vec_splat_u64 */ +#define Lib_IntVector_Intrinsics_vec128_smul64(x0, x1) \ + ((vector128)(Lib_IntVector_Intrinsics_vec128_mul64(x0,((vector128_64){(unsigned long long)(x1),(unsigned long long)(x1)})))) + +#define Lib_IntVector_Intrinsics_vec128_sub64(x0, x1) \ + ((vector128)((vector128_64)(x0) - (vector128_64)(x1))) + +static inline +vector128 Lib_IntVector_Intrinsics_vec128_xor(vector128 x0, vector128 x1) { + return ((vector128)(vec_xor((vector128)(x0), (vector128)(x1)))); +} + + +#define Lib_IntVector_Intrinsics_vec128_zero \ + ((vector128){}) + +#endif /* HACL_CAN_COMPILE_VEC128 */ + +#elif defined(__powerpc64__) // PowerPC 64 - this flag is for GCC only + +#if 
defined(HACL_CAN_COMPILE_VEC128) + +#include +#include // for memcpy +#include + +// The main vector 128 type +// We can't use uint8_t, uint32_t, uint64_t... instead of unsigned char, +// unsigned int, unsigned long long: the compiler complains that the parameter +// combination is invalid. +typedef vector unsigned char vector128_8; +typedef vector unsigned int vector128_32; +typedef vector unsigned long long vector128_64; + +typedef vector128_8 Lib_IntVector_Intrinsics_vec128; +typedef vector128_8 vector128; + +#define Lib_IntVector_Intrinsics_vec128_load32_le(x) \ + ((vector128)((vector128_32)(vec_xl(0, (const unsigned int*) ((const uint8_t*)(x)))))) + +#define Lib_IntVector_Intrinsics_vec128_load64_le(x) \ + ((vector128)((vector128_64)(vec_xl(0, (const unsigned long long*) ((const uint8_t*)(x)))))) + +#define Lib_IntVector_Intrinsics_vec128_store32_le(x0, x1) \ + (vec_xst((vector128_32)(x1), 0, (unsigned int*) ((uint8_t*)(x0)))) + +#define Lib_IntVector_Intrinsics_vec128_store64_le(x0, x1) \ + (vec_xst((vector128_64)(x1), 0, (unsigned long long*) ((uint8_t*)(x0)))) + +#define Lib_IntVector_Intrinsics_vec128_add32(x0,x1) \ + ((vector128)((vector128_32)(((vector128_32)(x0)) + ((vector128_32)(x1))))) + +#define Lib_IntVector_Intrinsics_vec128_add64(x0, x1) \ + ((vector128)((vector128_64)(((vector128_64)(x0)) + ((vector128_64)(x1))))) + +#define Lib_IntVector_Intrinsics_vec128_and(x0, x1) \ + ((vector128)(vec_and((vector128)(x0),(vector128)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_eq32(x0, x1) \ + ((vector128)(vec_cmpeq(((vector128_32)(x0)),((vector128_32)(x1))))) + +#define Lib_IntVector_Intrinsics_vec128_eq64(x0, x1) \ + ((vector128)(vec_cmpeq(((vector128_64)(x0)),((vector128_64)(x1))))) + +#define Lib_IntVector_Intrinsics_vec128_extract32(x0, x1) \ + ((unsigned int)(vec_extract((vector128_32)(x0), x1))) + +#define Lib_IntVector_Intrinsics_vec128_extract64(x0, x1) \ + ((unsigned long long)(vec_extract((vector128_64)(x0), x1))) + +#define 
Lib_IntVector_Intrinsics_vec128_gt32(x0, x1) \ + ((vector128)((vector128_32)(((vector128_32)(x0)) > ((vector128_32)(x1))))) + +#define Lib_IntVector_Intrinsics_vec128_gt64(x0, x1) \ + ((vector128)((vector128_64)(((vector128_64)(x0)) > ((vector128_64)(x1))))) + +#define Lib_IntVector_Intrinsics_vec128_insert32(x0, x1, x2) \ + ((vector128)((vector128_32)vec_insert((unsigned int)(x1), (vector128_32)(x0), x2))) + +#define Lib_IntVector_Intrinsics_vec128_insert64(x0, x1, x2) \ + ((vector128)((vector128_64)vec_insert((unsigned long long)(x1), (vector128_64)(x0), x2))) + +#define Lib_IntVector_Intrinsics_vec128_interleave_high32(x0, x1) \ + ((vector128)((vector128_32)vec_mergel((vector128_32)(x0), (vector128_32)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_interleave_high64(x0, x1) \ + ((vector128)((vector128_64)vec_mergel((vector128_64)(x0), (vector128_64)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_interleave_low32(x0, x1) \ + ((vector128)((vector128_32)vec_mergeh((vector128_32)(x0), (vector128_32)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_interleave_low64(x0, x1) \ + ((vector128)((vector128_64)vec_mergeh((vector128_64)(x0), (vector128_64)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_load32(x) \ + ((vector128)((vector128_32){(unsigned int)(x), (unsigned int)(x), \ + (unsigned int)(x), (unsigned int)(x)})) + +#define Lib_IntVector_Intrinsics_vec128_load32s(x0, x1, x2, x3) \ + ((vector128)((vector128_32){(unsigned int)(x0),(unsigned int)(x1),(unsigned int)(x2),(unsigned int)(x3)})) + +#define Lib_IntVector_Intrinsics_vec128_load64(x) \ + ((vector128)((vector128_64){(unsigned long long)(x),(unsigned long long)(x)})) + +#define Lib_IntVector_Intrinsics_vec128_lognot(x0) \ + ((vector128)(vec_xor((vector128)(x0), (vector128)vec_splat_u32(-1)))) + +#define Lib_IntVector_Intrinsics_vec128_mul64(x0, x1) \ + ((vector128)(vec_mule((vector128_32)(x0), \ + (vector128_32)(x1)))) + +#define Lib_IntVector_Intrinsics_vec128_or(x0, x1) \ + 
((vector128)(vec_or((vector128)(x0),(vector128)(x1))))
+
+#define Lib_IntVector_Intrinsics_vec128_rotate_left32(x0, x1) \
+ ((vector128)(vec_rl((vector128_32)(x0), (vector128_32){(unsigned int)(x1),(unsigned int)(x1),(unsigned int)(x1),(unsigned int)(x1)})))
+
+#define Lib_IntVector_Intrinsics_vec128_rotate_right32(x0, x1) \
+ (Lib_IntVector_Intrinsics_vec128_rotate_left32(x0,(uint32_t)(32-(x1))))
+
+#define Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(x0, x1) \
+ ((vector128)(vec_sld((vector128)(x0), (vector128)(x0), ((4-(x1))%4)*4)))
+
+#define Lib_IntVector_Intrinsics_vec128_shift_left64(x0, x1) \
+ ((vector128)((vector128_64)vec_sl((vector128_64)(x0), (vector128_64){(unsigned long)(x1),(unsigned long)(x1)})))
+
+#define Lib_IntVector_Intrinsics_vec128_shift_right64(x0, x1) \
+ ((vector128)((vector128_64)vec_sr((vector128_64)(x0), (vector128_64){(unsigned long)(x1),(unsigned long)(x1)})))
+
+// Doesn't work with vec_splat_u64
+#define Lib_IntVector_Intrinsics_vec128_smul64(x0, x1) \
+ ((vector128)(Lib_IntVector_Intrinsics_vec128_mul64(x0,((vector128_64){(unsigned long long)(x1),(unsigned long long)(x1)}))))
+
+#define Lib_IntVector_Intrinsics_vec128_sub64(x0, x1) \
+ ((vector128)((vector128_64)(x0) - (vector128_64)(x1)))
+
+#define Lib_IntVector_Intrinsics_vec128_xor(x0, x1) \
+ ((vector128)(vec_xor((vector128)(x0), (vector128)(x1))))
+
+#define Lib_IntVector_Intrinsics_vec128_zero \
+ ((vector128){})
+
+#endif /* HACL_CAN_COMPILE_VEC128 */
+
+#endif // PowerPC64
+
+// DEBUGGING:
+// If libintvector_debug.h exists, use it to debug the current implementations.
+// Note that some flags must be enabled for the debugging to be effective:
+// see libintvector_debug.h for more details.
+#if defined(__has_include)
+#if __has_include("libintvector_debug.h")
+#include "libintvector_debug.h"
+#endif
+#endif
+
+#endif // __Vec_Intrin_H
diff --git a/kremlin/include/kremlib.h b/kremlin/include/kremlib.h
new file mode 100644
index 00000000..a12df696
--- /dev/null
+++ b/kremlin/include/kremlib.h
@@ -0,0 +1,28 @@
+#ifndef __KREMLIB_H
+#define __KREMLIB_H
+
+/******************************************************************************/
+/* The all-in-one kremlib.h header */
+/******************************************************************************/
+
+/* This is a meta-header that is included by default in KreMLin generated
+ * programs. If you wish to have a more lightweight set of headers, or are
+ * targeting an environment where controlling these macros yourself is
+ * important, consider using:
+ *
+ * krml -minimal
+ *
+ * to disable the inclusion of this file (note: this also disables the default
+ * argument "-bundle FStar.*"). You can then include the headers of your choice
+ * one by one, using -add-early-include. */
+
+#include "kremlin/internal/target.h"
+#include "kremlin/internal/callconv.h"
+#include "kremlin/internal/builtin.h"
+#include "kremlin/internal/debug.h"
+#include "kremlin/internal/types.h"
+
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/fstar_int.h"
+
+#endif /* __KREMLIB_H */
diff --git a/kremlin/include/kremlin/c_endianness.h b/kremlin/include/kremlin/c_endianness.h
new file mode 100644
index 00000000..21a0f611
--- /dev/null
+++ b/kremlin/include/kremlin/c_endianness.h
@@ -0,0 +1,13 @@
+/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
+ Licensed under the Apache 2.0 License. */
+
+#ifndef __KREMLIN_ENDIAN_H
+#define __KREMLIN_ENDIAN_H
+
+#ifdef __GNUC__
+#warning "c_endianness.h is deprecated, include lowstar_endianness.h instead"
+#endif
+
+#include "lowstar_endianness.h"
+
+#endif
diff --git a/kremlin/include/kremlin/fstar_int.h b/kremlin/include/kremlin/fstar_int.h
new file mode 100644
index 00000000..174ae59e
--- /dev/null
+++ b/kremlin/include/kremlin/fstar_int.h
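Review bot: The include guard `__KREMLIB_H` on the first two lines of kremlib.h is a reserved identifier: C11 §7.1.3 reserves every name beginning with two underscores for the implementation, so a clash with a compiler- or libc-defined macro of that name would silently turn this meta-header into a no-op and drop every include below it. A project-prefixed token avoids that, e.g. `#ifndef KREMLIB_H` / `#define KREMLIB_H` and `#endif /* KREMLIB_H */`. The other headers added in this commit use the same pattern (`__KREMLIN_ENDIAN_H`, `__FSTAR_INT_H`, `__Vec_Intrin_H`), so the rename is best done uniformly across the kremlin/ tree rather than in this file alone.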
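Review bot: The deprecation notice in c_endianness.h is only emitted under `#ifdef __GNUC__`, so MSVC users are never told the header is deprecated, while GCC/Clang users building with `-Werror` get a hard error from `#warning` the moment they include it — the opposite of a gentle migration path. An MSVC branch keeps the signal on every supported compiler: insert `#elif defined(_MSC_VER)` / `#pragma message("c_endianness.h is deprecated, include lowstar_endianness.h instead")` before the `#endif`. The `-Werror` behaviour deserves a one-line comment above the `#ifdef`, such as `/* NB: a hard error under -Werror; migrate to lowstar_endianness.h */`, so that downstream breakage is understood to be intended rather than accidental. The guard name `__KREMLIN_ENDIAN_H` is also a reserved double-underscore identifier and does not match the file name, which makes it easy to collide with or confuse for the guard of the header it forwards to.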
@@ -0,0 +1,81 @@ +#ifndef __FSTAR_INT_H +#define __FSTAR_INT_H + +#include "internal/types.h" + +/* + * Arithmetic Shift Right operator + * + * In all C standards, a >> b is implementation-defined when a has a signed + * type and a negative value. See e.g. 6.5.7 in + * http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2310.pdf + * + * GCC, MSVC, and Clang implement a >> b as an arithmetic shift. + * + * GCC: https://gcc.gnu.org/onlinedocs/gcc-9.1.0/gcc/Integers-implementation.html#Integers-implementation + * MSVC: https://docs.microsoft.com/en-us/cpp/cpp/left-shift-and-right-shift-operators-input-and-output?view=vs-2019#right-shifts + * Clang: tested that Clang 7, 8 and 9 compile this to an arithmetic shift + * + * We implement arithmetic shift right simply as >> in these compilers + * and bail out in others. + */ + +#if !(defined(_MSC_VER) || defined(__GNUC__) || (defined(__clang__) && (__clang_major__ >= 7))) + +static inline +int8_t FStar_Int8_shift_arithmetic_right(int8_t a, uint32_t b) { + do { + KRML_HOST_EPRINTF("Could not identify compiler so could not provide an implementation of signed arithmetic shift right.\n"); + KRML_HOST_EXIT(255); + } while (0); +} + +static inline +int16_t FStar_Int16_shift_arithmetic_right(int16_t a, uint32_t b) { + do { + KRML_HOST_EPRINTF("Could not identify compiler so could not provide an implementation of signed arithmetic shift right.\n"); + KRML_HOST_EXIT(255); + } while (0); +} + +static inline +int32_t FStar_Int32_shift_arithmetic_right(int32_t a, uint32_t b) { + do { + KRML_HOST_EPRINTF("Could not identify compiler so could not provide an implementation of signed arithmetic shift right.\n"); + KRML_HOST_EXIT(255); + } while (0); +} + +static inline +int64_t FStar_Int64_shift_arithmetic_right(int64_t a, uint32_t b) { + do { + KRML_HOST_EPRINTF("Could not identify compiler so could not provide an implementation of signed arithmetic shift right.\n"); + KRML_HOST_EXIT(255); + } while (0); +} + +#else + +static inline +int8_t 
FStar_Int8_shift_arithmetic_right(int8_t a, uint32_t b) { + return (a >> b); +} + +static inline +int16_t FStar_Int16_shift_arithmetic_right(int16_t a, uint32_t b) { + return (a >> b); +} + +static inline +int32_t FStar_Int32_shift_arithmetic_right(int32_t a, uint32_t b) { + return (a >> b); +} + +static inline +int64_t FStar_Int64_shift_arithmetic_right(int64_t a, uint32_t b) { + return (a >> b); +} + +#endif /* !(defined(_MSC_VER) ... ) */ + +#endif /* __FSTAR_INT_H */ diff --git a/kremlin/include/kremlin/internal/builtin.h b/kremlin/include/kremlin/internal/builtin.h new file mode 100644 index 00000000..219b2668 --- /dev/null +++ b/kremlin/include/kremlin/internal/builtin.h @@ -0,0 +1,16 @@ +/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. + Licensed under the Apache 2.0 License. */ + +#ifndef __KREMLIN_BUILTIN_H +#define __KREMLIN_BUILTIN_H + +/* For alloca, when using KreMLin's -falloca */ +#if (defined(_WIN32) || defined(_WIN64)) +# include +#endif + +/* If some globals need to be initialized before the main, then kremlin will + * generate and try to link last a function with this type: */ +void kremlinit_globals(void); + +#endif diff --git a/kremlin/include/kremlin/internal/callconv.h b/kremlin/include/kremlin/internal/callconv.h new file mode 100644 index 00000000..bf631ff4 --- /dev/null +++ b/kremlin/include/kremlin/internal/callconv.h 
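Review bot: The `return (a >> b);` bodies shift by an unchecked `b`, so any `b` at or above the promoted operand width (32 for the 8/16/32-bit variants, since `a` promotes to `int`; 64 for the 64-bit one) is undefined behaviour rather than the arithmetic shift the block comment promises; the comment only discusses sign extension, so the precondition should be stated, e.g. `/* Precondition: b is strictly smaller than the bit width of the promoted a; larger shift counts are undefined in C. */`. The unidentified-compiler fallbacks above are non-void functions with no `return` and `KRML_HOST_EXIT` is not declared `noreturn`, so a compiler that does not recognise the exit call as non-returning will warn about falling off the end of a non-void function; a `return 0;` after the `do { } while (0)` silences that without changing behaviour. The `#if` condition also tests `__clang__` separately from `__GNUC__`, but clang defines `__GNUC__`, so the `__clang_major__ >= 7` test can never be the deciding term and the comment's "tested Clang 7, 8 and 9" claim is not actually enforced.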
@@ -0,0 +1,46 @@
+/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
+ Licensed under the Apache 2.0 License. */
+
+#ifndef __KREMLIN_CALLCONV_H
+#define __KREMLIN_CALLCONV_H
+
+/******************************************************************************/
+/* Some macros to ease compatibility */
+/******************************************************************************/
+
+/* We want to generate __cdecl safely without worrying about it being undefined.
+ * When using MSVC, these are always defined. When using MinGW, these are
+ * defined too. They have no meaning for other platforms, so we define them to
+ * be empty macros in other situations. */
+#ifndef _MSC_VER
+#ifndef __cdecl
+#define __cdecl
+#endif
+#ifndef __stdcall
+#define __stdcall
+#endif
+#ifndef __fastcall
+#define __fastcall
+#endif
+#endif
+
+/* Since KreMLin emits the inline keyword unconditionally, we follow the
+ * guidelines at https://gcc.gnu.org/onlinedocs/gcc/Inline.html and make this
+ * __inline__ to ensure the code compiles with -std=c90 and earlier. */
+#ifdef __GNUC__
+# define inline __inline__
+#endif
+
+/* GCC-specific attribute syntax; everyone else gets the standard C inline
+ * attribute. */
+#ifdef __GNU_C__
+# ifndef __clang__
+# define force_inline inline __attribute__((always_inline))
+# else
+# define force_inline inline
+# endif
+#else
+# define force_inline inline
+#endif
+
+#endif
diff --git a/kremlin/include/kremlin/internal/compat.h b/kremlin/include/kremlin/internal/compat.h
new file mode 100644
index 00000000..b557bbc1
--- /dev/null
+++ b/kremlin/include/kremlin/internal/compat.h
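Review bot: `#ifdef __GNU_C__` tests a macro that GCC does not predefine; the predefined macro is `__GNUC__`, which the `inline` block a few lines above uses correctly, so the `force_inline inline __attribute__((always_inline))` branch is dead and every compiler, GCC included, ends up with plain `# define force_inline inline`. Change the line to `#ifdef __GNUC__`. Once that is fixed the inner `#ifndef __clang__` starts to matter, since clang also defines `__GNUC__` and does support `always_inline`, so the exclusion should either be dropped or get a comment saying why clang is kept on plain `inline`. Separately, `# define inline __inline__` under `__GNUC__` turns a C99 keyword into a macro before any standard header is included, which C11 7.1.2p4 leaves undefined; it is harmless in practice with GCC, but the comment should say that this is only needed for `-std=c90` builds.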
@@ -0,0 +1,32 @@
+/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
+ Licensed under the Apache 2.0 License. */
+
+#ifndef KRML_COMPAT_H
+#define KRML_COMPAT_H
+
+#include 
+
+/* A series of macros that define C implementations of types that are not Low*,
+ * to facilitate porting programs to Low*. */
+
+typedef struct {
+ uint32_t length;
+ const char *data;
+} FStar_Bytes_bytes;
+
+typedef int32_t Prims_pos, Prims_nat, Prims_nonzero, Prims_int,
+ krml_checked_int_t;
+
+#define RETURN_OR(x) \
+ do { \
+ int64_t __ret = x; \
+ if (__ret < INT32_MIN || INT32_MAX < __ret) { \
+ KRML_HOST_PRINTF( \
+ "Prims.{int,nat,pos} integer overflow at %s:%d\n", __FILE__, \
+ __LINE__); \
+ KRML_HOST_EXIT(252); \
+ } \
+ return (int32_t)__ret; \
+ } while (0)
+
+#endif
diff --git a/kremlin/include/kremlin/internal/debug.h b/kremlin/include/kremlin/internal/debug.h
new file mode 100644
index 00000000..44ac22cd
--- /dev/null
+++ b/kremlin/include/kremlin/internal/debug.h
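Review bot: `RETURN_OR` declares `int64_t __ret = x;`, and any identifier containing a double underscore is reserved for the implementation, so `__ret` can collide with compiler or libc internals; a name such as `krml_ret_` avoids that, and `x` should be parenthesised, `int64_t krml_ret_ = (x);`, so that an operator-bearing argument is evaluated as one expression. The macro also calls `KRML_HOST_PRINTF` and `KRML_HOST_EXIT`, which this header neither defines nor includes (they come from `kremlin/internal/target.h`), so the header only compiles when the including file has pulled target.h in first; an explicit `#include "kremlin/internal/target.h"` would make it self-contained. The single system `#include` line has its header name stripped on this page, so I cannot confirm that `INT32_MIN`/`INT32_MAX` and the fixed-width types are brought in by it.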
@@ -0,0 +1,57 @@ +/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. + Licensed under the Apache 2.0 License. */ + +#ifndef __KREMLIN_DEBUG_H +#define __KREMLIN_DEBUG_H + +#include + +#include "kremlin/internal/target.h" + +/******************************************************************************/ +/* Debugging helpers - intended only for KreMLin developers */ +/******************************************************************************/ + +/* In support of "-wasm -d force-c": we might need this function to be + * forward-declared, because the dependency on WasmSupport appears very late, + * after SimplifyWasm, and sadly, after the topological order has been done. */ +void WasmSupport_check_buffer_size(uint32_t s); + +/* A series of GCC atrocities to trace function calls (kremlin's [-d c-calls] + * option). Useful when trying to debug, say, Wasm, to compare traces. */ +/* clang-format off */ +#ifdef __GNUC__ +#define KRML_FORMAT(X) _Generic((X), \ + uint8_t : "0x%08" PRIx8, \ + uint16_t: "0x%08" PRIx16, \ + uint32_t: "0x%08" PRIx32, \ + uint64_t: "0x%08" PRIx64, \ + int8_t : "0x%08" PRIx8, \ + int16_t : "0x%08" PRIx16, \ + int32_t : "0x%08" PRIx32, \ + int64_t : "0x%08" PRIx64, \ + default : "%s") + +#define KRML_FORMAT_ARG(X) _Generic((X), \ + uint8_t : X, \ + uint16_t: X, \ + uint32_t: X, \ + uint64_t: X, \ + int8_t : X, \ + int16_t : X, \ + int32_t : X, \ + int64_t : X, \ + default : "unknown") +/* clang-format on */ + +# define KRML_DEBUG_RETURN(X) \ + ({ \ + __auto_type _ret = (X); \ + KRML_HOST_PRINTF("returning: "); \ + KRML_HOST_PRINTF(KRML_FORMAT(_ret), KRML_FORMAT_ARG(_ret)); \ + KRML_HOST_PRINTF(" \n"); \ + _ret; \ + }) +#endif + +#endif diff --git a/kremlin/include/kremlin/internal/target.h b/kremlin/include/kremlin/internal/target.h new file mode 100644 index 00000000..2b357053 --- /dev/null +++ b/kremlin/include/kremlin/internal/target.h 
@@ -0,0 +1,113 @@ +/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. + Licensed under the Apache 2.0 License. */ + +#ifndef __KREMLIN_TARGET_H +#define __KREMLIN_TARGET_H + +#include +#include +#include +#include +#include + +#include "kremlin/internal/callconv.h" + +/******************************************************************************/ +/* Macros that KreMLin will generate. */ +/******************************************************************************/ + +/* For "bare" targets that do not have a C stdlib, the user might want to use + * [-add-early-include '"mydefinitions.h"'] and override these. */ +#ifndef KRML_HOST_PRINTF +# define KRML_HOST_PRINTF printf +#endif + +#if ( \ + (defined __STDC_VERSION__) && (__STDC_VERSION__ >= 199901L) && \ + (!(defined KRML_HOST_EPRINTF))) +# define KRML_HOST_EPRINTF(...) fprintf(stderr, __VA_ARGS__) +#elif !(defined KRML_HOST_EPRINTF) && defined(_MSC_VER) +# define KRML_HOST_EPRINTF(...) fprintf(stderr, __VA_ARGS__) +#endif + +#ifndef KRML_HOST_EXIT +# define KRML_HOST_EXIT exit +#endif + +#ifndef KRML_HOST_MALLOC +# define KRML_HOST_MALLOC malloc +#endif + +#ifndef KRML_HOST_CALLOC +# define KRML_HOST_CALLOC calloc +#endif + +#ifndef KRML_HOST_FREE +# define KRML_HOST_FREE free +#endif + +#ifndef KRML_HOST_TIME + +# include + +/* Prims_nat not yet in scope */ +inline static int32_t krml_time() { + return (int32_t)time(NULL); +} + +# define KRML_HOST_TIME krml_time +#endif + +/* In statement position, exiting is easy. */ +#define KRML_EXIT \ + do { \ + KRML_HOST_PRINTF("Unimplemented function at %s:%d\n", __FILE__, __LINE__); \ + KRML_HOST_EXIT(254); \ + } while (0) + +/* In expression position, use the comma-operator and a malloc to return an + * expression of the right size. KreMLin passes t as the parameter to the macro. 
+ */ +#define KRML_EABORT(t, msg) \ + (KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", __FILE__, __LINE__, msg), \ + KRML_HOST_EXIT(255), *((t *)KRML_HOST_MALLOC(sizeof(t)))) + +/* In FStar.Buffer.fst, the size of arrays is uint32_t, but it's a number of + * *elements*. Do an ugly, run-time check (some of which KreMLin can eliminate). + */ + +#ifdef __GNUC__ +# define _KRML_CHECK_SIZE_PRAGMA \ + _Pragma("GCC diagnostic ignored \"-Wtype-limits\"") +#else +# define _KRML_CHECK_SIZE_PRAGMA +#endif + +#define KRML_CHECK_SIZE(size_elt, sz) \ + do { \ + _KRML_CHECK_SIZE_PRAGMA \ + if (((size_t)(sz)) > ((size_t)(SIZE_MAX / (size_elt)))) { \ + KRML_HOST_PRINTF( \ + "Maximum allocatable size exceeded, aborting before overflow at " \ + "%s:%d\n", \ + __FILE__, __LINE__); \ + KRML_HOST_EXIT(253); \ + } \ + } while (0) + +#if defined(_MSC_VER) && _MSC_VER < 1900 +# define KRML_HOST_SNPRINTF(buf, sz, fmt, arg) _snprintf_s(buf, sz, _TRUNCATE, fmt, arg) +#else +# define KRML_HOST_SNPRINTF(buf, sz, fmt, arg) snprintf(buf, sz, fmt, arg) +#endif + +#if defined(__GNUC__) && __GNUC__ >= 4 && __GNUC_MINOR__ > 4 +# define KRML_DEPRECATED(x) __attribute__((deprecated(x))) +#elif defined(__GNUC__) +/* deprecated attribute is not defined in GCC < 4.5. */ +# define KRML_DEPRECATED(x) +#elif defined(_MSC_VER) +# define KRML_DEPRECATED(x) __declspec(deprecated(x)) +#endif + +#endif diff --git a/kremlin/include/kremlin/internal/types.h b/kremlin/include/kremlin/internal/types.h new file mode 100644 index 00000000..acd44555 --- /dev/null +++ b/kremlin/include/kremlin/internal/types.h 
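Review bot: `_KRML_CHECK_SIZE_PRAGMA` expands to `_Pragma("GCC diagnostic ignored \"-Wtype-limits\"")` with no push/pop, so the first `KRML_CHECK_SIZE` in a translation unit silently disables `-Wtype-limits` for everything that follows it, not just for the comparison inside the macro; bracketing the check with `GCC diagnostic push`/`pop` keeps the suppression local (rewrite below), and the rewrite drops the leading-underscore-plus-uppercase name, which is reserved for the implementation. Two smaller points in the same hunk: `inline static int32_t krml_time()` should be `krml_time(void)` so that a call with arguments is rejected, and it truncates `time_t` to 32 bits, which deserves a comment; and `KRML_DEPRECATED` has no `#else` branch, so any use of it on a compiler other than GCC/clang/MSVC is a compile error instead of a no-op — `#else` / `# define KRML_DEPRECATED(x)` fixes that. `KRML_EABORT` also dereferences the result of `KRML_HOST_MALLOC` without a null check; that is unreachable as long as `KRML_HOST_EXIT` does not return, which holds for `exit` but is not guaranteed for a user override, and a comment stating that assumption would help.
```c
#ifdef __GNUC__
# define KRML_CHECK_SIZE_PRAGMA_PUSH \
    _Pragma("GCC diagnostic push") \
    _Pragma("GCC diagnostic ignored \"-Wtype-limits\"")
# define KRML_CHECK_SIZE_PRAGMA_POP _Pragma("GCC diagnostic pop")
#else
# define KRML_CHECK_SIZE_PRAGMA_PUSH
# define KRML_CHECK_SIZE_PRAGMA_POP
#endif

#define KRML_CHECK_SIZE(size_elt, sz) \
  do { \
    KRML_CHECK_SIZE_PRAGMA_PUSH \
    if (((size_t)(sz)) > ((size_t)(SIZE_MAX / (size_elt)))) { \
      /* … unchanged: overflow message and KRML_HOST_EXIT(253) … */ \
    } \
    KRML_CHECK_SIZE_PRAGMA_POP \
  } while (0)
```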
@@ -0,0 +1,105 @@ +/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. + Licensed under the Apache 2.0 License. */ + +#ifndef KRML_TYPES_H +#define KRML_TYPES_H + +#include +#include +#include +#include + +/* Types which are either abstract, meaning that have to be implemented in C, or + * which are models, meaning that they are swapped out at compile-time for + * hand-written C types (in which case they're marked as noextract). */ + +typedef uint64_t FStar_UInt64_t, FStar_UInt64_t_; +typedef int64_t FStar_Int64_t, FStar_Int64_t_; +typedef uint32_t FStar_UInt32_t, FStar_UInt32_t_; +typedef int32_t FStar_Int32_t, FStar_Int32_t_; +typedef uint16_t FStar_UInt16_t, FStar_UInt16_t_; +typedef int16_t FStar_Int16_t, FStar_Int16_t_; +typedef uint8_t FStar_UInt8_t, FStar_UInt8_t_; +typedef int8_t FStar_Int8_t, FStar_Int8_t_; + +/* Only useful when building Kremlib, because it's in the dependency graph of + * FStar.Int.Cast. */ +typedef uint64_t FStar_UInt63_t, FStar_UInt63_t_; +typedef int64_t FStar_Int63_t, FStar_Int63_t_; + +typedef double FStar_Float_float; +typedef uint32_t FStar_Char_char; +typedef FILE *FStar_IO_fd_read, *FStar_IO_fd_write; + +typedef void *FStar_Dyn_dyn; + +typedef const char *C_String_t, *C_String_t_, *C_Compat_String_t, *C_Compat_String_t_; + +typedef int exit_code; +typedef FILE *channel; + +typedef unsigned long long TestLib_cycles; + +typedef uint64_t FStar_Date_dateTime, FStar_Date_timeSpan; + +/* Now Prims.string is no longer illegal with the new model in LowStar.Printf; + * it's operations that produce Prims_string which are illegal. Bring the + * definition into scope by default. */ +typedef const char *Prims_string; + +#if (defined(_MSC_VER) && defined(_M_X64) && !defined(__clang__)) +#define IS_MSVC64 1 +#endif + +/* This code makes a number of assumptions and should be refined. In particular, + * it assumes that: any non-MSVC amd64 compiler supports int128. 
Maybe it would + * be easier to just test for defined(__SIZEOF_INT128__) only? */ +#if (defined(__x86_64__) || \ + defined(__x86_64) || \ + defined(__aarch64__) || \ + (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \ + defined(__s390x__) || \ + (defined(_MSC_VER) && defined(_M_X64) && defined(__clang__)) || \ + (defined(__mips__) && defined(__LP64__)) || \ + (defined(__riscv) && __riscv_xlen == 64) || \ + defined(__SIZEOF_INT128__)) +#define HAS_INT128 1 +#endif + +/* The uint128 type is a special case since we offer several implementations of + * it, depending on the compiler and whether the user wants the verified + * implementation or not. */ +#if !defined(KRML_VERIFIED_UINT128) && defined(IS_MSVC64) +# include +typedef __m128i FStar_UInt128_uint128; +#elif !defined(KRML_VERIFIED_UINT128) && defined(HAS_INT128) +typedef unsigned __int128 FStar_UInt128_uint128; +#else +typedef struct FStar_UInt128_uint128_s { + uint64_t low; + uint64_t high; +} FStar_UInt128_uint128; +#endif + +/* The former is defined once, here (otherwise, conflicts for test-c89. The + * latter is for internal use. */ +typedef FStar_UInt128_uint128 FStar_UInt128_t, uint128_t; + +#include "kremlin/lowstar_endianness.h" + +#endif + +/* Avoid a circular loop: if this header is included via FStar_UInt8_16_32_64, + * then don't bring the uint128 definitions into scope. */ +#ifndef __FStar_UInt_8_16_32_64_H + +#if !defined(KRML_VERIFIED_UINT128) && defined(IS_MSVC64) +#include "fstar_uint128_msvc.h" +#elif !defined(KRML_VERIFIED_UINT128) && defined(HAS_INT128) +#include "fstar_uint128_gcc64.h" +#else +#include "FStar_UInt128_Verified.h" +#include "fstar_uint128_struct_endianness.h" +#endif + +#endif diff --git a/kremlin/include/kremlin/internal/wasmsupport.h b/kremlin/include/kremlin/internal/wasmsupport.h new file mode 100644 index 00000000..b44fa3f7 --- /dev/null +++ b/kremlin/include/kremlin/internal/wasmsupport.h 
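Review bot: The `#endif` that closes the `KRML_TYPES_H` guard sits above the trailing uint128 include block, so that block is intentionally outside the guard and is re-evaluated on every inclusion, protected only by the `__FStar_UInt_8_16_32_64_H` test; a reader will take the early `#endif` for a mistake unless it says so, e.g. `#endif /* KRML_TYPES_H -- the uint128 includes below stay outside the guard on purpose */`. The `HAS_INT128` comment already admits the architecture list is a heuristic and floats `defined(__SIZEOF_INT128__)` as the simpler test; a sentence saying why the explicit list is still kept (or a TODO to drop it) would stop the next reader from re-asking the same question. On MSVC x64 without clang, `FStar_UInt128_uint128` is the SSE vector type `__m128i` rather than an integer type, which is worth stating next to that typedef since the `unsigned __int128` and struct alternatives are arithmetic values. The system `#include` lines have their header names stripped on this page, so I cannot check what they bring in.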
@@ -0,0 +1,5 @@
+/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
+ Licensed under the Apache 2.0 License. */
+
+/* This file is automatically included when compiling with -wasm -d force-c */
+#define WasmSupport_check_buffer_size(X)
diff --git a/kremlin/include/kremlin/lowstar_endianness.h b/kremlin/include/kremlin/lowstar_endianness.h
new file mode 100644
index 00000000..3b120c7f
--- /dev/null
+++ b/kremlin/include/kremlin/lowstar_endianness.h
@@ -0,0 +1,230 @@ +/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. + Licensed under the Apache 2.0 License. */ + +#ifndef __LOWSTAR_ENDIANNESS_H +#define __LOWSTAR_ENDIANNESS_H + +#include +#include + +/******************************************************************************/ +/* Implementing C.fst (part 2: endian-ness macros) */ +/******************************************************************************/ + +/* ... for Linux */ +#if defined(__linux__) || defined(__CYGWIN__) || defined (__USE_SYSTEM_ENDIAN_H__) +# include + +/* ... for OSX */ +#elif defined(__APPLE__) +# include +# define htole64(x) OSSwapHostToLittleInt64(x) +# define le64toh(x) OSSwapLittleToHostInt64(x) +# define htobe64(x) OSSwapHostToBigInt64(x) +# define be64toh(x) OSSwapBigToHostInt64(x) + +# define htole16(x) OSSwapHostToLittleInt16(x) +# define le16toh(x) OSSwapLittleToHostInt16(x) +# define htobe16(x) OSSwapHostToBigInt16(x) +# define be16toh(x) OSSwapBigToHostInt16(x) + +# define htole32(x) OSSwapHostToLittleInt32(x) +# define le32toh(x) OSSwapLittleToHostInt32(x) +# define htobe32(x) OSSwapHostToBigInt32(x) +# define be32toh(x) OSSwapBigToHostInt32(x) + +/* ... for Solaris */ +#elif defined(__sun__) +# include +# define htole64(x) LE_64(x) +# define le64toh(x) LE_64(x) +# define htobe64(x) BE_64(x) +# define be64toh(x) BE_64(x) + +# define htole16(x) LE_16(x) +# define le16toh(x) LE_16(x) +# define htobe16(x) BE_16(x) +# define be16toh(x) BE_16(x) + +# define htole32(x) LE_32(x) +# define le32toh(x) LE_32(x) +# define htobe32(x) BE_32(x) +# define be32toh(x) BE_32(x) + +/* ... for the BSDs */ +#elif defined(__FreeBSD__) || defined(__NetBSD__) || defined(__DragonFly__) +# include +#elif defined(__OpenBSD__) +# include + +/* ... for Windows (MSVC)... not targeting XBOX 360! 
*/ +#elif defined(_MSC_VER) + +# include +# define htobe16(x) _byteswap_ushort(x) +# define htole16(x) (x) +# define be16toh(x) _byteswap_ushort(x) +# define le16toh(x) (x) + +# define htobe32(x) _byteswap_ulong(x) +# define htole32(x) (x) +# define be32toh(x) _byteswap_ulong(x) +# define le32toh(x) (x) + +# define htobe64(x) _byteswap_uint64(x) +# define htole64(x) (x) +# define be64toh(x) _byteswap_uint64(x) +# define le64toh(x) (x) + +/* ... for Windows (GCC-like, e.g. mingw or clang) */ +#elif (defined(_WIN32) || defined(_WIN64)) && \ + (defined(__GNUC__) || defined(__clang__)) + +# define htobe16(x) __builtin_bswap16(x) +# define htole16(x) (x) +# define be16toh(x) __builtin_bswap16(x) +# define le16toh(x) (x) + +# define htobe32(x) __builtin_bswap32(x) +# define htole32(x) (x) +# define be32toh(x) __builtin_bswap32(x) +# define le32toh(x) (x) + +# define htobe64(x) __builtin_bswap64(x) +# define htole64(x) (x) +# define be64toh(x) __builtin_bswap64(x) +# define le64toh(x) (x) + +/* ... generic big-endian fallback code */ +#elif defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +/* byte swapping code inspired by: + * https://github.com/rweather/arduinolibs/blob/master/libraries/Crypto/utility/EndianUtil.h + * */ + +# define htobe32(x) (x) +# define be32toh(x) (x) +# define htole32(x) \ + (__extension__({ \ + uint32_t _temp = (x); \ + ((_temp >> 24) & 0x000000FF) | ((_temp >> 8) & 0x0000FF00) | \ + ((_temp << 8) & 0x00FF0000) | ((_temp << 24) & 0xFF000000); \ + })) +# define le32toh(x) (htole32((x))) + +# define htobe64(x) (x) +# define be64toh(x) (x) +# define htole64(x) \ + (__extension__({ \ + uint64_t __temp = (x); \ + uint32_t __low = htobe32((uint32_t)__temp); \ + uint32_t __high = htobe32((uint32_t)(__temp >> 32)); \ + (((uint64_t)__low) << 32) | __high; \ + })) +# define le64toh(x) (htole64((x))) + +/* ... 
generic little-endian fallback code */ +#elif defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ + +# define htole32(x) (x) +# define le32toh(x) (x) +# define htobe32(x) \ + (__extension__({ \ + uint32_t _temp = (x); \ + ((_temp >> 24) & 0x000000FF) | ((_temp >> 8) & 0x0000FF00) | \ + ((_temp << 8) & 0x00FF0000) | ((_temp << 24) & 0xFF000000); \ + })) +# define be32toh(x) (htobe32((x))) + +# define htole64(x) (x) +# define le64toh(x) (x) +# define htobe64(x) \ + (__extension__({ \ + uint64_t __temp = (x); \ + uint32_t __low = htobe32((uint32_t)__temp); \ + uint32_t __high = htobe32((uint32_t)(__temp >> 32)); \ + (((uint64_t)__low) << 32) | __high; \ + })) +# define be64toh(x) (htobe64((x))) + +/* ... couldn't determine endian-ness of the target platform */ +#else +# error "Please define __BYTE_ORDER__!" + +#endif /* defined(__linux__) || ... */ + +/* Loads and stores. These avoid undefined behavior due to unaligned memory + * accesses, via memcpy. */ + +inline static uint16_t load16(uint8_t *b) { + uint16_t x; + memcpy(&x, b, 2); + return x; +} + +inline static uint32_t load32(uint8_t *b) { + uint32_t x; + memcpy(&x, b, 4); + return x; +} + +inline static uint64_t load64(uint8_t *b) { + uint64_t x; + memcpy(&x, b, 8); + return x; +} + +inline static void store16(uint8_t *b, uint16_t i) { + memcpy(b, &i, 2); +} + +inline static void store32(uint8_t *b, uint32_t i) { + memcpy(b, &i, 4); +} + +inline static void store64(uint8_t *b, uint64_t i) { + memcpy(b, &i, 8); +} + +/* Legacy accessors so that this header can serve as an implementation of + * C.Endianness */ +#define load16_le(b) (le16toh(load16(b))) +#define store16_le(b, i) (store16(b, htole16(i))) +#define load16_be(b) (be16toh(load16(b))) +#define store16_be(b, i) (store16(b, htobe16(i))) + +#define load32_le(b) (le32toh(load32(b))) +#define store32_le(b, i) (store32(b, htole32(i))) +#define load32_be(b) (be32toh(load32(b))) +#define store32_be(b, i) (store32(b, htobe32(i))) + +#define 
load64_le(b) (le64toh(load64(b))) +#define store64_le(b, i) (store64(b, htole64(i))) +#define load64_be(b) (be64toh(load64(b))) +#define store64_be(b, i) (store64(b, htobe64(i))) + +/* Co-existence of LowStar.Endianness and FStar.Endianness generates name + * conflicts, because of course both insist on having no prefixes. Until a + * prefix is added, or until we truly retire FStar.Endianness, solve this issue + * in an elegant way. */ +#define load16_le0 load16_le +#define store16_le0 store16_le +#define load16_be0 load16_be +#define store16_be0 store16_be + +#define load32_le0 load32_le +#define store32_le0 store32_le +#define load32_be0 load32_be +#define store32_be0 store32_be + +#define load64_le0 load64_le +#define store64_le0 store64_le +#define load64_be0 load64_be +#define store64_be0 store64_be + +#define load128_le0 load128_le +#define store128_le0 store128_le +#define load128_be0 load128_be +#define store128_be0 store128_be + +#endif diff --git a/kremlin/kremlib/dist/minimal/FStar_UInt128.h b/kremlin/kremlib/dist/minimal/FStar_UInt128.h new file mode 100644 index 00000000..2e9f00fe --- /dev/null +++ b/kremlin/kremlib/dist/minimal/FStar_UInt128.h 
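Review bot: The two generic `__BYTE_ORDER__` fallback branches define only the 32- and 64-bit conversions, so on such a target `load16_le`, `store16_be` and friends expand to `le16toh`/`htobe16` macros that do not exist and the header fails to compile at the first 16-bit access, whereas every other branch (endian.h, OSX, Solaris, the BSDs, MSVC, MinGW) supplies the 16-bit set; the missing macros are added below. Separately, `load16`/`load32`/`load64` take `uint8_t *b` although they only read through it, so callers holding a `const uint8_t *` (a key or message buffer, typically) must cast; `const uint8_t *b` is the accurate signature and a behaviour-neutral change. The `__temp`, `__low` and `__high` locals in the two 64-bit fallbacks are reserved identifiers (double underscore) and could be renamed to e.g. `krml_temp_`. `load128_le0` and the other three 128-bit aliases refer to `load128_le` etc., which this header does not define; presumably they come from the uint128 headers pulled in via types.h, but a comment naming that source would save the reader a search.
```c
/* ... generic big-endian fallback code */
# define htobe16(x) (x)
# define be16toh(x) (x)
# define htole16(x) \
    ((uint16_t)((((uint16_t)(x) >> 8) & 0x00FF) | (((uint16_t)(x) << 8) & 0xFF00)))
# define le16toh(x) (htole16((x)))
/* … unchanged: 32- and 64-bit big-endian fallback macros … */

/* ... generic little-endian fallback code */
# define htole16(x) (x)
# define le16toh(x) (x)
# define htobe16(x) \
    ((uint16_t)((((uint16_t)(x) >> 8) & 0x00FF) | (((uint16_t)(x) << 8) & 0xFF00)))
# define be16toh(x) (htobe16((x)))
/* … unchanged: 32- and 64-bit little-endian fallback macros … */
```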
@@ -0,0 +1,80 @@ +/* + Copyright (c) INRIA and Microsoft Corporation. All rights reserved. + Licensed under the Apache 2.0 License. +*/ + + +#ifndef __FStar_UInt128_H +#define __FStar_UInt128_H +#include +#include +#include "kremlin/internal/compat.h" +#include "kremlin/lowstar_endianness.h" +#include "kremlin/internal/types.h" +#include "kremlin/internal/target.h" + + + + +static inline FStar_UInt128_uint128 +FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 +FStar_UInt128_add_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 +FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 +FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 +FStar_UInt128_sub_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 +FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 +FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 +FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 +FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 FStar_UInt128_lognot(FStar_UInt128_uint128 a); + +static inline FStar_UInt128_uint128 +FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s); + +static inline FStar_UInt128_uint128 +FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s); + +static inline bool FStar_UInt128_eq(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline bool FStar_UInt128_gt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline bool FStar_UInt128_lt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline bool 
FStar_UInt128_gte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline bool FStar_UInt128_lte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 +FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 +FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a); + +static inline uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a); + +static inline FStar_UInt128_uint128 FStar_UInt128_mul32(uint64_t x, uint32_t y); + +static inline FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y); + + +#define __FStar_UInt128_H_DEFINED +#endif diff --git a/kremlin/kremlib/dist/minimal/FStar_UInt128_Verified.h b/kremlin/kremlib/dist/minimal/FStar_UInt128_Verified.h new file mode 100644 index 00000000..45e3c111 --- /dev/null +++ b/kremlin/kremlib/dist/minimal/FStar_UInt128_Verified.h 
@@ -0,0 +1,347 @@ +/* + Copyright (c) INRIA and Microsoft Corporation. All rights reserved. + Licensed under the Apache 2.0 License. +*/ + + +#ifndef __FStar_UInt128_Verified_H +#define __FStar_UInt128_Verified_H +#include +#include +#include "kremlin/internal/types.h" +#include "kremlin/internal/target.h" + + +#include "FStar_UInt_8_16_32_64.h" + +static inline uint64_t FStar_UInt128_constant_time_carry(uint64_t a, uint64_t b) +{ + return (a ^ ((a ^ b) | ((a - b) ^ b))) >> (uint32_t)63U; +} + +static inline uint64_t FStar_UInt128_carry(uint64_t a, uint64_t b) +{ + return FStar_UInt128_constant_time_carry(a, b); +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + FStar_UInt128_uint128 lit; + lit.low = a.low + b.low; + lit.high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low); + return lit; +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_add_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + FStar_UInt128_uint128 lit; + lit.low = a.low + b.low; + lit.high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low); + return lit; +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + FStar_UInt128_uint128 lit; + lit.low = a.low + b.low; + lit.high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low); + return lit; +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + FStar_UInt128_uint128 lit; + lit.low = a.low - b.low; + lit.high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low); + return lit; +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_sub_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + FStar_UInt128_uint128 lit; + lit.low = a.low - b.low; + lit.high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low); + return lit; +} + +static inline FStar_UInt128_uint128 
+FStar_UInt128_sub_mod_impl(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + FStar_UInt128_uint128 lit; + lit.low = a.low - b.low; + lit.high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low); + return lit; +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + return FStar_UInt128_sub_mod_impl(a, b); +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + FStar_UInt128_uint128 lit; + lit.low = a.low & b.low; + lit.high = a.high & b.high; + return lit; +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + FStar_UInt128_uint128 lit; + lit.low = a.low ^ b.low; + lit.high = a.high ^ b.high; + return lit; +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + FStar_UInt128_uint128 lit; + lit.low = a.low | b.low; + lit.high = a.high | b.high; + return lit; +} + +static inline FStar_UInt128_uint128 FStar_UInt128_lognot(FStar_UInt128_uint128 a) +{ + FStar_UInt128_uint128 lit; + lit.low = ~a.low; + lit.high = ~a.high; + return lit; +} + +static uint32_t FStar_UInt128_u32_64 = (uint32_t)64U; + +static inline uint64_t FStar_UInt128_add_u64_shift_left(uint64_t hi, uint64_t lo, uint32_t s) +{ + return (hi << s) + (lo >> (FStar_UInt128_u32_64 - s)); +} + +static inline uint64_t +FStar_UInt128_add_u64_shift_left_respec(uint64_t hi, uint64_t lo, uint32_t s) +{ + return FStar_UInt128_add_u64_shift_left(hi, lo, s); +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_shift_left_small(FStar_UInt128_uint128 a, uint32_t s) +{ + if (s == (uint32_t)0U) + { + return a; + } + else + { + FStar_UInt128_uint128 lit; + lit.low = a.low << s; + lit.high = FStar_UInt128_add_u64_shift_left_respec(a.high, a.low, s); + return lit; + } +} + +static inline FStar_UInt128_uint128 
+FStar_UInt128_shift_left_large(FStar_UInt128_uint128 a, uint32_t s) +{ + FStar_UInt128_uint128 lit; + lit.low = (uint64_t)0U; + lit.high = a.low << (s - FStar_UInt128_u32_64); + return lit; +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s) +{ + if (s < FStar_UInt128_u32_64) + { + return FStar_UInt128_shift_left_small(a, s); + } + else + { + return FStar_UInt128_shift_left_large(a, s); + } +} + +static inline uint64_t FStar_UInt128_add_u64_shift_right(uint64_t hi, uint64_t lo, uint32_t s) +{ + return (lo >> s) + (hi << (FStar_UInt128_u32_64 - s)); +} + +static inline uint64_t +FStar_UInt128_add_u64_shift_right_respec(uint64_t hi, uint64_t lo, uint32_t s) +{ + return FStar_UInt128_add_u64_shift_right(hi, lo, s); +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_shift_right_small(FStar_UInt128_uint128 a, uint32_t s) +{ + if (s == (uint32_t)0U) + { + return a; + } + else + { + FStar_UInt128_uint128 lit; + lit.low = FStar_UInt128_add_u64_shift_right_respec(a.high, a.low, s); + lit.high = a.high >> s; + return lit; + } +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_shift_right_large(FStar_UInt128_uint128 a, uint32_t s) +{ + FStar_UInt128_uint128 lit; + lit.low = a.high >> (s - FStar_UInt128_u32_64); + lit.high = (uint64_t)0U; + return lit; +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s) +{ + if (s < FStar_UInt128_u32_64) + { + return FStar_UInt128_shift_right_small(a, s); + } + else + { + return FStar_UInt128_shift_right_large(a, s); + } +} + +static inline bool FStar_UInt128_eq(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + return a.low == b.low && a.high == b.high; +} + +static inline bool FStar_UInt128_gt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + return a.high > b.high || (a.high == b.high && a.low > b.low); +} + +static inline bool FStar_UInt128_lt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + return a.high < 
b.high || (a.high == b.high && a.low < b.low); +} + +static inline bool FStar_UInt128_gte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + return a.high > b.high || (a.high == b.high && a.low >= b.low); +} + +static inline bool FStar_UInt128_lte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + return a.high < b.high || (a.high == b.high && a.low <= b.low); +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + FStar_UInt128_uint128 lit; + lit.low = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high); + lit.high = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high); + return lit; +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + FStar_UInt128_uint128 lit; + lit.low = + (FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high)) + | (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low)); + lit.high = + (FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high)) + | (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low)); + return lit; +} + +static inline FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a) +{ + FStar_UInt128_uint128 lit; + lit.low = a; + lit.high = (uint64_t)0U; + return lit; +} + +static inline uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a) +{ + return a.low; +} + +static inline uint64_t FStar_UInt128_u64_mod_32(uint64_t a) +{ + return a & (uint64_t)0xffffffffU; +} + +static uint32_t FStar_UInt128_u32_32 = (uint32_t)32U; + +static inline uint64_t FStar_UInt128_u32_combine(uint64_t hi, uint64_t lo) +{ + return lo + (hi << FStar_UInt128_u32_32); +} + +static inline FStar_UInt128_uint128 FStar_UInt128_mul32(uint64_t x, uint32_t y) +{ + FStar_UInt128_uint128 lit; + lit.low = + FStar_UInt128_u32_combine((x >> FStar_UInt128_u32_32) + * (uint64_t)y + + 
(FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> FStar_UInt128_u32_32), + FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * (uint64_t)y)); + lit.high = + ((x >> FStar_UInt128_u32_32) + * (uint64_t)y + + (FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> FStar_UInt128_u32_32)) + >> FStar_UInt128_u32_32; + return lit; +} + +static inline uint64_t FStar_UInt128_u32_combine_(uint64_t hi, uint64_t lo) +{ + return lo + (hi << FStar_UInt128_u32_32); +} + +static inline FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y) +{ + FStar_UInt128_uint128 lit; + lit.low = + FStar_UInt128_u32_combine_(FStar_UInt128_u64_mod_32(x) + * (y >> FStar_UInt128_u32_32) + + + FStar_UInt128_u64_mod_32((x >> FStar_UInt128_u32_32) + * FStar_UInt128_u64_mod_32(y) + + (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> FStar_UInt128_u32_32)), + FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y))); + lit.high = + (x >> FStar_UInt128_u32_32) + * (y >> FStar_UInt128_u32_32) + + + (((x >> FStar_UInt128_u32_32) + * FStar_UInt128_u64_mod_32(y) + + (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> FStar_UInt128_u32_32)) + >> FStar_UInt128_u32_32) + + + ((FStar_UInt128_u64_mod_32(x) + * (y >> FStar_UInt128_u32_32) + + + FStar_UInt128_u64_mod_32((x >> FStar_UInt128_u32_32) + * FStar_UInt128_u64_mod_32(y) + + (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> FStar_UInt128_u32_32))) + >> FStar_UInt128_u32_32); + return lit; +} + + +#define __FStar_UInt128_Verified_H_DEFINED +#endif diff --git a/kremlin/kremlib/dist/minimal/FStar_UInt_8_16_32_64.h b/kremlin/kremlib/dist/minimal/FStar_UInt_8_16_32_64.h new file mode 100644 index 00000000..b16d0d82 --- /dev/null +++ b/kremlin/kremlib/dist/minimal/FStar_UInt_8_16_32_64.h 
@@ -0,0 +1,215 @@
+/*
+ Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
+ Licensed under the Apache 2.0 License.
+*/
+
+
+#ifndef __FStar_UInt_8_16_32_64_H
+#define __FStar_UInt_8_16_32_64_H
+#include
+#include
+#include "kremlin/internal/compat.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/types.h"
+#include "kremlin/internal/target.h"
+
+
+
+
+extern Prims_int FStar_UInt64_n;
+
+extern bool FStar_UInt64_uu___is_Mk(uint64_t projectee);
+
+extern Prims_int FStar_UInt64___proj__Mk__item__v(uint64_t projectee);
+
+extern Prims_int FStar_UInt64_v(uint64_t x);
+
+extern uint64_t FStar_UInt64_uint_to_t(Prims_int x);
+
+extern uint64_t FStar_UInt64_zero;
+
+extern uint64_t FStar_UInt64_one;
+
+extern uint64_t FStar_UInt64_minus(uint64_t a);
+
+extern uint32_t FStar_UInt64_n_minus_one;
+
+static inline uint64_t FStar_UInt64_eq_mask(uint64_t a, uint64_t b)
+{
+ uint64_t x = a ^ b;
+ uint64_t minus_x = ~x + (uint64_t)1U;
+ uint64_t x_or_minus_x = x | minus_x;
+ uint64_t xnx = x_or_minus_x >> (uint32_t)63U;
+ return xnx - (uint64_t)1U;
+}
+
+static inline uint64_t FStar_UInt64_gte_mask(uint64_t a, uint64_t b)
+{
+ uint64_t x = a;
+ uint64_t y = b;
+ uint64_t x_xor_y = x ^ y;
+ uint64_t x_sub_y = x - y;
+ uint64_t x_sub_y_xor_y = x_sub_y ^ y;
+ uint64_t q = x_xor_y | x_sub_y_xor_y;
+ uint64_t x_xor_q = x ^ q;
+ uint64_t x_xor_q_ = x_xor_q >> (uint32_t)63U;
+ return x_xor_q_ - (uint64_t)1U;
+}
+
+extern Prims_string FStar_UInt64_to_string(uint64_t uu___);
+
+extern Prims_string FStar_UInt64_to_string_hex(uint64_t uu___);
+
+extern Prims_string FStar_UInt64_to_string_hex_pad(uint64_t uu___);
+
+extern uint64_t FStar_UInt64_of_string(Prims_string uu___);
+
+extern Prims_int FStar_UInt32_n;
+
+extern bool FStar_UInt32_uu___is_Mk(uint32_t projectee);
+
+extern Prims_int FStar_UInt32___proj__Mk__item__v(uint32_t projectee);
+
+extern Prims_int FStar_UInt32_v(uint32_t x);
+
+extern uint32_t FStar_UInt32_uint_to_t(Prims_int x);
+
+extern
uint32_t FStar_UInt32_zero;
+
+extern uint32_t FStar_UInt32_one;
+
+extern uint32_t FStar_UInt32_minus(uint32_t a);
+
+extern uint32_t FStar_UInt32_n_minus_one;
+
+static inline uint32_t FStar_UInt32_eq_mask(uint32_t a, uint32_t b)
+{
+ uint32_t x = a ^ b;
+ uint32_t minus_x = ~x + (uint32_t)1U;
+ uint32_t x_or_minus_x = x | minus_x;
+ uint32_t xnx = x_or_minus_x >> (uint32_t)31U;
+ return xnx - (uint32_t)1U;
+}
+
+static inline uint32_t FStar_UInt32_gte_mask(uint32_t a, uint32_t b)
+{
+ uint32_t x = a;
+ uint32_t y = b;
+ uint32_t x_xor_y = x ^ y;
+ uint32_t x_sub_y = x - y;
+ uint32_t x_sub_y_xor_y = x_sub_y ^ y;
+ uint32_t q = x_xor_y | x_sub_y_xor_y;
+ uint32_t x_xor_q = x ^ q;
+ uint32_t x_xor_q_ = x_xor_q >> (uint32_t)31U;
+ return x_xor_q_ - (uint32_t)1U;
+}
+
+extern Prims_string FStar_UInt32_to_string(uint32_t uu___);
+
+extern Prims_string FStar_UInt32_to_string_hex(uint32_t uu___);
+
+extern Prims_string FStar_UInt32_to_string_hex_pad(uint32_t uu___);
+
+extern uint32_t FStar_UInt32_of_string(Prims_string uu___);
+
+extern Prims_int FStar_UInt16_n;
+
+extern bool FStar_UInt16_uu___is_Mk(uint16_t projectee);
+
+extern Prims_int FStar_UInt16___proj__Mk__item__v(uint16_t projectee);
+
+extern Prims_int FStar_UInt16_v(uint16_t x);
+
+extern uint16_t FStar_UInt16_uint_to_t(Prims_int x);
+
+extern uint16_t FStar_UInt16_zero;
+
+extern uint16_t FStar_UInt16_one;
+
+extern uint16_t FStar_UInt16_minus(uint16_t a);
+
+extern uint32_t FStar_UInt16_n_minus_one;
+
+static inline uint16_t FStar_UInt16_eq_mask(uint16_t a, uint16_t b)
+{
+ uint16_t x = a ^ b;
+ uint16_t minus_x = ~x + (uint16_t)1U;
+ uint16_t x_or_minus_x = x | minus_x;
+ uint16_t xnx = x_or_minus_x >> (uint32_t)15U;
+ return xnx - (uint16_t)1U;
+}
+
+static inline uint16_t FStar_UInt16_gte_mask(uint16_t a, uint16_t b)
+{
+ uint16_t x = a;
+ uint16_t y = b;
+ uint16_t x_xor_y = x ^ y;
+ uint16_t x_sub_y = x - y;
+ uint16_t x_sub_y_xor_y = x_sub_y ^ y;
+ uint16_t q = x_xor_y | x_sub_y_xor_y;
+ uint16_t
x_xor_q = x ^ q;
+ uint16_t x_xor_q_ = x_xor_q >> (uint32_t)15U;
+ return x_xor_q_ - (uint16_t)1U;
+}
+
+extern Prims_string FStar_UInt16_to_string(uint16_t uu___);
+
+extern Prims_string FStar_UInt16_to_string_hex(uint16_t uu___);
+
+extern Prims_string FStar_UInt16_to_string_hex_pad(uint16_t uu___);
+
+extern uint16_t FStar_UInt16_of_string(Prims_string uu___);
+
+extern Prims_int FStar_UInt8_n;
+
+extern bool FStar_UInt8_uu___is_Mk(uint8_t projectee);
+
+extern Prims_int FStar_UInt8___proj__Mk__item__v(uint8_t projectee);
+
+extern Prims_int FStar_UInt8_v(uint8_t x);
+
+extern uint8_t FStar_UInt8_uint_to_t(Prims_int x);
+
+extern uint8_t FStar_UInt8_zero;
+
+extern uint8_t FStar_UInt8_one;
+
+extern uint8_t FStar_UInt8_minus(uint8_t a);
+
+extern uint32_t FStar_UInt8_n_minus_one;
+
+static inline uint8_t FStar_UInt8_eq_mask(uint8_t a, uint8_t b)
+{
+ uint8_t x = a ^ b;
+ uint8_t minus_x = ~x + (uint8_t)1U;
+ uint8_t x_or_minus_x = x | minus_x;
+ uint8_t xnx = x_or_minus_x >> (uint32_t)7U;
+ return xnx - (uint8_t)1U;
+}
+
+static inline uint8_t FStar_UInt8_gte_mask(uint8_t a, uint8_t b)
+{
+ uint8_t x = a;
+ uint8_t y = b;
+ uint8_t x_xor_y = x ^ y;
+ uint8_t x_sub_y = x - y;
+ uint8_t x_sub_y_xor_y = x_sub_y ^ y;
+ uint8_t q = x_xor_y | x_sub_y_xor_y;
+ uint8_t x_xor_q = x ^ q;
+ uint8_t x_xor_q_ = x_xor_q >> (uint32_t)7U;
+ return x_xor_q_ - (uint8_t)1U;
+}
+
+extern Prims_string FStar_UInt8_to_string(uint8_t uu___);
+
+extern Prims_string FStar_UInt8_to_string_hex(uint8_t uu___);
+
+extern Prims_string FStar_UInt8_to_string_hex_pad(uint8_t uu___);
+
+extern uint8_t FStar_UInt8_of_string(Prims_string uu___);
+
+typedef uint8_t FStar_UInt8_byte;
+
+
+#define __FStar_UInt_8_16_32_64_H_DEFINED
+#endif
diff --git a/kremlin/kremlib/dist/minimal/LowStar_Endianness.h b/kremlin/kremlib/dist/minimal/LowStar_Endianness.h
new file mode 100644
index 00000000..9e865a9c
--- /dev/null
+++ b/kremlin/kremlib/dist/minimal/LowStar_Endianness.h
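Review bot: The eight mask helpers (FStar_UInt64_eq_mask through FStar_UInt8_gte_mask) carry no comment stating their contract, and that contract is the only reason a caller picks them over `==`/`>=`: each returns an all-ones mask when the relation holds and zero otherwise, and does so without a data-dependent branch so that secret operands do not affect timing. A one-line comment above each pair would do, e.g. `/* Constant-time: all-ones if a == b, zero otherwise. */` and `/* Constant-time: all-ones if a >= b, zero otherwise. */`. For the 16- and 8-bit variants it is worth adding that `~x + 1` and `x - y` are evaluated in `int` after integer promotion and only truncated on assignment to the narrow type, which is what keeps the final `>> 15U`/`>> 7U` and the `- 1U` correct. Separately, libkremlib.def later in this patch lists these same eight names as DLL exports while they are `static inline` here, so the exported symbols must come from another translation unit; a comment naming that unit would save the next reader a search.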
@@ -0,0 +1,29 @@
+/*
+ Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
+ Licensed under the Apache 2.0 License.
+*/
+
+
+#ifndef __LowStar_Endianness_H
+#define __LowStar_Endianness_H
+#include
+#include
+#include "kremlin/internal/compat.h"
+#include "kremlin/lowstar_endianness.h"
+#include "kremlin/internal/types.h"
+#include "kremlin/internal/target.h"
+
+
+#include "FStar_UInt128.h"
+
+static inline void store128_le(uint8_t *x0, FStar_UInt128_uint128 x1);
+
+static inline FStar_UInt128_uint128 load128_le(uint8_t *x0);
+
+static inline void store128_be(uint8_t *x0, FStar_UInt128_uint128 x1);
+
+static inline FStar_UInt128_uint128 load128_be(uint8_t *x0);
+
+
+#define __LowStar_Endianness_H_DEFINED
+#endif
diff --git a/kremlin/kremlib/dist/minimal/Makefile.basic b/kremlin/kremlib/dist/minimal/Makefile.basic
new file mode 100644
index 00000000..1061fd85
--- /dev/null
+++ b/kremlin/kremlib/dist/minimal/Makefile.basic
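Review bot: This header only declares `load128_le`/`store128_le`/`load128_be`/`store128_be` as `static inline` and relies on one of the fstar_uint128_*.h headers added later in this patch to supply the bodies, so the parameter types here must match those definitions exactly or the including translation unit fails; a comment such as `/* Bodies are provided by the fstar_uint128_*.h header selected by the build. */` above the prototypes would make that dependency explicit. The read-only buffer of the two loads is declared `uint8_t *x0`; `const uint8_t *x0` (changed together with the definitions) would state at the interface that the loads never write through it.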
@@ -0,0 +1,56 @@
+# A basic Makefile that KreMLin copies in the output directory; this is not
+# guaranteed to work and will only work well for very simple projects. This
+# Makefile uses:
+# - the custom C files passed to your krml invocation
+# - the custom C flags passed to your krml invocation
+# - the -o option passed to your krml invocation
+
+include Makefile.include
+
+ifeq (,$(KREMLIN_HOME))
+ $(error please define KREMLIN_HOME to point to the root of your KReMLin git checkout)
+endif
+
+CFLAGS += -I. -I $(KREMLIN_HOME)/include -I $(KREMLIN_HOME)/kremlib/dist/minimal
+CFLAGS += -Wall -Wextra -Werror -std=c11 -Wno-unused-variable \
+ -Wno-unknown-warning-option -Wno-unused-but-set-variable \
+ -Wno-unused-parameter -Wno-infinite-recursion \
+ -g -fwrapv -D_BSD_SOURCE -D_DEFAULT_SOURCE
+ifeq ($(OS),Windows_NT)
+CFLAGS += -D__USE_MINGW_ANSI_STDIO
+else
+CFLAGS += -fPIC
+endif
+CFLAGS += $(USER_CFLAGS)
+
+SOURCES += $(ALL_C_FILES) $(USER_C_FILES)
+ifneq (,$(BLACKLIST))
+ SOURCES := $(filter-out $(BLACKLIST),$(SOURCES))
+endif
+OBJS += $(patsubst %.c,%.o,$(SOURCES))
+
+all: $(USER_TARGET)
+
+$(USER_TARGET): $(OBJS)
+
+AR ?= ar
+
+%.a:
+ $(AR) cr $@ $^
+
+%.exe:
+ $(CC) $(CFLAGS) -o $@ $^ $(KREMLIN_HOME)/kremlib/dist/generic/libkremlib.a
+
+%.so:
+ $(CC) $(CFLAGS) -shared -o $@ $^
+
+%.d: %.c
+ @set -e; rm -f $@; \
+ $(CC) -MM $(CFLAGS) $< > $@.$$$$; \
+ sed 's,\($(notdir $*)\)\.o[ :]*,$(dir $@)\1.o $@ : ,g' < $@.$$$$ > $@; \
+ rm -f $@.$$$$
+
+include $(patsubst %.c,%.d,$(SOURCES))
+
+clean:
+ rm -rf *.o *.d $(USER_TARGET)
diff --git a/kremlin/kremlib/dist/minimal/Makefile.include b/kremlin/kremlib/dist/minimal/Makefile.include
new file mode 100644
index 00000000..44cc9955
--- /dev/null
+++ b/kremlin/kremlib/dist/minimal/Makefile.include
@@ -0,0 +1,5 @@
+USER_TARGET=libkremlib.a
+USER_CFLAGS=
+USER_C_FILES=fstar_uint128.c
+ALL_C_FILES=
+ALL_H_FILES=FStar_UInt_8_16_32_64.h FStar_UInt128.h LowStar_Endianness.h
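Review bot: `include $(patsubst %.c,%.d,$(SOURCES))` near the end of Makefile.basic makes make regenerate every .d file before any goal runs, including `clean`, so `make clean` first invokes the compiler for each source and then deletes the output. Wrapping it as `ifneq ($(MAKECMDGOALS),clean)` / `include $(patsubst %.c,%.d,$(SOURCES))` / `endif` avoids that. The `%.exe` rule links `$(KREMLIN_HOME)/kremlib/dist/generic/libkremlib.a` from the generic distribution even though this Makefile ships with the minimal one; if that is deliberate a comment should say why. `clean` only removes `*.o *.d` in the current directory, while the `%.d` rule explicitly supports sources in subdirectories via `$(dir $@)`, so objects built from those are left behind.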
diff --git a/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h b/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
new file mode 100644
index 00000000..aae6a7dc
--- /dev/null
+++ b/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
@@ -0,0 +1,165 @@
+/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
+ Licensed under the Apache 2.0 License. */
+
+/******************************************************************************/
+/* Machine integers (128-bit arithmetic) */
+/******************************************************************************/
+
+/* This header contains two things.
+ *
+ * First, an implementation of 128-bit arithmetic suitable for 64-bit GCC and
+ * Clang, i.e. all the operations from FStar.UInt128.
+ *
+ * Second, 128-bit operations from C.Endianness (or LowStar.Endianness),
+ * suitable for any compiler and platform (via a series of ifdefs). This second
+ * part is unfortunate, and should be fixed by moving {load,store}128_{be,le} to
+ * FStar.UInt128 to avoid a maze of preprocessor guards and hand-written code.
+ * */
+
+/* This file is used for both the minimal and generic kremlib distributions. As
+ * such, it assumes that the machine integers have been bundled the exact same
+ * way in both cases.
*/
+
+#ifndef FSTAR_UINT128_GCC64
+#define FSTAR_UINT128_GCC64
+
+#include "FStar_UInt128.h"
+#include "FStar_UInt_8_16_32_64.h"
+#include "LowStar_Endianness.h"
+
+/* GCC + using native unsigned __int128 support */
+
+inline static uint128_t load128_le(uint8_t *b) {
+ uint128_t l = (uint128_t)load64_le(b);
+ uint128_t h = (uint128_t)load64_le(b + 8);
+ return (h << 64 | l);
+}
+
+inline static void store128_le(uint8_t *b, uint128_t n) {
+ store64_le(b, (uint64_t)n);
+ store64_le(b + 8, (uint64_t)(n >> 64));
+}
+
+inline static uint128_t load128_be(uint8_t *b) {
+ uint128_t h = (uint128_t)load64_be(b);
+ uint128_t l = (uint128_t)load64_be(b + 8);
+ return (h << 64 | l);
+}
+
+inline static void store128_be(uint8_t *b, uint128_t n) {
+ store64_be(b, (uint64_t)(n >> 64));
+ store64_be(b + 8, (uint64_t)n);
+}
+
+inline static uint128_t FStar_UInt128_add(uint128_t x, uint128_t y) {
+ return x + y;
+}
+
+inline static uint128_t FStar_UInt128_mul(uint128_t x, uint128_t y) {
+ return x * y;
+}
+
+inline static uint128_t FStar_UInt128_add_mod(uint128_t x, uint128_t y) {
+ return x + y;
+}
+
+inline static uint128_t FStar_UInt128_sub(uint128_t x, uint128_t y) {
+ return x - y;
+}
+
+inline static uint128_t FStar_UInt128_sub_mod(uint128_t x, uint128_t y) {
+ return x - y;
+}
+
+inline static uint128_t FStar_UInt128_logand(uint128_t x, uint128_t y) {
+ return x & y;
+}
+
+inline static uint128_t FStar_UInt128_logor(uint128_t x, uint128_t y) {
+ return x | y;
+}
+
+inline static uint128_t FStar_UInt128_logxor(uint128_t x, uint128_t y) {
+ return x ^ y;
+}
+
+inline static uint128_t FStar_UInt128_lognot(uint128_t x) {
+ return ~x;
+}
+
+inline static uint128_t FStar_UInt128_shift_left(uint128_t x, uint32_t y) {
+ return x << y;
+}
+
+inline static uint128_t FStar_UInt128_shift_right(uint128_t x, uint32_t y) {
+ return x >> y;
+}
+
+inline static uint128_t FStar_UInt128_uint64_to_uint128(uint64_t x) {
+ return (uint128_t)x;
+}
+
+inline static uint64_t
FStar_UInt128_uint128_to_uint64(uint128_t x) {
+ return (uint64_t)x;
+}
+
+inline static uint128_t FStar_UInt128_mul_wide(uint64_t x, uint64_t y) {
+ return ((uint128_t) x) * y;
+}
+
+inline static uint128_t FStar_UInt128_eq_mask(uint128_t x, uint128_t y) {
+ uint64_t mask =
+ FStar_UInt64_eq_mask((uint64_t)(x >> 64), (uint64_t)(y >> 64)) &
+ FStar_UInt64_eq_mask(x, y);
+ return ((uint128_t)mask) << 64 | mask;
+}
+
+inline static uint128_t FStar_UInt128_gte_mask(uint128_t x, uint128_t y) {
+ uint64_t mask =
+ (FStar_UInt64_gte_mask(x >> 64, y >> 64) &
+ ~(FStar_UInt64_eq_mask(x >> 64, y >> 64))) |
+ (FStar_UInt64_eq_mask(x >> 64, y >> 64) & FStar_UInt64_gte_mask(x, y));
+ return ((uint128_t)mask) << 64 | mask;
+}
+
+inline static uint64_t FStar_UInt128___proj__Mkuint128__item__low(uint128_t x) {
+ return (uint64_t) x;
+}
+
+inline static uint64_t FStar_UInt128___proj__Mkuint128__item__high(uint128_t x) {
+ return (uint64_t) (x >> 64);
+}
+
+inline static uint128_t FStar_UInt128_add_underspec(uint128_t x, uint128_t y) {
+ return x + y;
+}
+
+inline static uint128_t FStar_UInt128_sub_underspec(uint128_t x, uint128_t y) {
+ return x - y;
+}
+
+inline static bool FStar_UInt128_eq(uint128_t x, uint128_t y) {
+ return x == y;
+}
+
+inline static bool FStar_UInt128_gt(uint128_t x, uint128_t y) {
+ return x > y;
+}
+
+inline static bool FStar_UInt128_lt(uint128_t x, uint128_t y) {
+ return x < y;
+}
+
+inline static bool FStar_UInt128_gte(uint128_t x, uint128_t y) {
+ return x >= y;
+}
+
+inline static bool FStar_UInt128_lte(uint128_t x, uint128_t y) {
+ return x <= y;
+}
+
+inline static uint128_t FStar_UInt128_mul32(uint64_t x, uint32_t y) {
+ return (uint128_t) x * (uint128_t) y;
+}
+
+#endif
diff --git a/kremlin/kremlib/dist/minimal/fstar_uint128_msvc.h b/kremlin/kremlib/dist/minimal/fstar_uint128_msvc.h
new file mode 100644
index 00000000..32111b10
--- /dev/null
+++ b/kremlin/kremlib/dist/minimal/fstar_uint128_msvc.h
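Review bot: In `FStar_UInt128_eq_mask` and `FStar_UInt128_gte_mask` the halves are handed to the 64-bit mask helpers by implicit narrowing — `FStar_UInt64_eq_mask(x, y)`, `FStar_UInt64_gte_mask(x, y)` and the bare `x >> 64, y >> 64` arguments — while the line just above casts the same quantity explicitly as `(uint64_t)(x >> 64)`. Writing every argument explicitly, e.g. `FStar_UInt64_eq_mask((uint64_t)x, (uint64_t)y)` and `FStar_UInt64_gte_mask((uint64_t)(x >> 64), (uint64_t)(y >> 64))`, keeps the intent visible and is clean under `-Wconversion`. `FStar_UInt128_shift_left`/`shift_right` forward the count straight to `<<`/`>>`, and a count of 128 or more is undefined behaviour in C, so a comment should record that callers guarantee `y < 128` (the F* precondition presumably does). The file comment still describes the endianness helpers as selected "via a series of ifdefs", but in this header they are unconditional, and the `load128_*` readers could take `const uint8_t *b`.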
@@ -0,0 +1,510 @@ +/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. + Licensed under the Apache 2.0 License. */ + +/* This file was generated by KreMLin + * then hand-edited to use MSVC intrinsics KreMLin invocation: + * C:\users\barrybo\mitls2c\kremlin\_build\src\Kremlin.native -minimal -fnouint128 C:/users/barrybo/mitls2c/FStar/ulib/FStar.UInt128.fst -tmpdir ../secure_api/out/runtime_switch/uint128 -skip-compilation -add-include "kremlib0.h" -drop FStar.Int.Cast.Full -bundle FStar.UInt128=FStar.*,Prims + * F* version: 15104ff8 + * KreMLin version: 318b7fa8 + */ + +#ifndef FSTAR_UINT128_MSVC +#define FSTAR_UINT128_MSVC + +#include "kremlin/internal/types.h" +#include "FStar_UInt128.h" +#include "FStar_UInt_8_16_32_64.h" + +#ifndef _MSC_VER +# error This file only works with the MSVC compiler +#endif + +/* JP: need to rip out HAS_OPTIMIZED since the header guards in types.h are now + * done properly and only include this file when we know for sure we are on + * 64-bit MSVC. */ + +#if defined(_M_X64) && !defined(KRML_VERIFIED_UINT128) +#define HAS_OPTIMIZED 1 +#else +#define HAS_OPTIMIZED 0 +#endif + +// Define .low and .high in terms of the __m128i fields, to reduce +// the amount of churn in this file. 
+#if HAS_OPTIMIZED +#include +#include +#define low m128i_u64[0] +#define high m128i_u64[1] +#endif + +inline static FStar_UInt128_uint128 load128_le(uint8_t *b) { +#if HAS_OPTIMIZED + return _mm_loadu_si128((__m128i *)b); +#else + FStar_UInt128_uint128 lit; + lit.low = load64_le(b); + lit.high = load64_le(b + 8); + return lit; +#endif +} + +inline static void store128_le(uint8_t *b, FStar_UInt128_uint128 n) { + store64_le(b, n.low); + store64_le(b + 8, n.high); +} + +inline static FStar_UInt128_uint128 load128_be(uint8_t *b) { + uint64_t l = load64_be(b + 8); + uint64_t h = load64_be(b); +#if HAS_OPTIMIZED + return _mm_set_epi64x(h, l); +#else + FStar_UInt128_uint128 lit; + lit.low = l; + lit.high = h; + return lit; +#endif +} + +inline static void store128_be(uint8_t *b, uint128_t n) { + store64_be(b, n.high); + store64_be(b + 8, n.low); +} + +inline static uint64_t FStar_UInt128_constant_time_carry(uint64_t a, uint64_t b) { + return (a ^ (a ^ b | a - b ^ b)) >> (uint32_t)63U; +} + +inline static uint64_t FStar_UInt128_carry(uint64_t a, uint64_t b) { + return FStar_UInt128_constant_time_carry(a, b); +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { +#if HAS_OPTIMIZED + uint64_t l, h; + + unsigned char carry = + _addcarry_u64(0, a.low, b.low, &l); // low/CF = a.low+b.low+0 + _addcarry_u64(carry, a.high, b.high, &h); // high = a.high+b.high+CF + return _mm_set_epi64x(h, l); +#else + FStar_UInt128_uint128 lit; + lit.low = a.low + b.low; + lit.high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low); + return lit; +#endif +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_add_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { +#if HAS_OPTIMIZED + return FStar_UInt128_add(a, b); +#else + FStar_UInt128_uint128 lit; + lit.low = a.low + b.low; + lit.high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low; + return lit; +#endif +} + +inline static FStar_UInt128_uint128 
+FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { +#if HAS_OPTIMIZED + return FStar_UInt128_add(a, b); +#else + FStar_UInt128_uint128 lit; + lit.low = a.low + b.low; + lit.high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low); + return lit; +#endif +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { +#if HAS_OPTIMIZED + uint64_t l, h; + + unsigned char borrow = _subborrow_u64(0, a.low, b.low, &l); + _subborrow_u64(borrow, a.high, b.high, &h); + return _mm_set_epi64x(h, l); +#else + FStar_UInt128_uint128 lit; + lit.low = a.low - b.low; + lit.high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low); + return lit; +#endif +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_sub_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { +#if HAS_OPTIMIZED + return FStar_UInt128_sub(a, b); +#else + FStar_UInt128_uint128 lit; + lit.low = a.low - b.low; + lit.high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low); + return lit; +#endif +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_sub_mod_impl(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { + FStar_UInt128_uint128 lit; + lit.low = a.low - b.low; + lit.high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low); + return lit; +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { +#if HAS_OPTIMIZED + return FStar_UInt128_sub(a, b); +#else + return FStar_UInt128_sub_mod_impl(a, b); +#endif +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { +#if HAS_OPTIMIZED + return _mm_and_si128(a, b); +#else + FStar_UInt128_uint128 lit; + lit.low = a.low & b.low; + lit.high = a.high & b.high; + return lit; +#endif +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { +#if HAS_OPTIMIZED + return 
_mm_xor_si128(a, b); +#else + FStar_UInt128_uint128 lit; + lit.low = a.low ^ b.low; + lit.high = a.high ^ b.high; + return lit; +#endif +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { +#if HAS_OPTIMIZED + return _mm_or_si128(a, b); +#else + FStar_UInt128_uint128 lit; + lit.low = a.low | b.low; + lit.high = a.high | b.high; + return lit; +#endif +} + +inline static FStar_UInt128_uint128 FStar_UInt128_lognot(FStar_UInt128_uint128 a) { +#if HAS_OPTIMIZED + return _mm_andnot_si128(a, a); +#else + FStar_UInt128_uint128 lit; + lit.low = ~a.low; + lit.high = ~a.high; + return lit; +#endif +} + +static const uint32_t FStar_UInt128_u32_64 = (uint32_t)64U; + +inline static uint64_t +FStar_UInt128_add_u64_shift_left(uint64_t hi, uint64_t lo, uint32_t s) { + return (hi << s) + (lo >> FStar_UInt128_u32_64 - s); +} + +inline static uint64_t +FStar_UInt128_add_u64_shift_left_respec(uint64_t hi, uint64_t lo, uint32_t s) { + return FStar_UInt128_add_u64_shift_left(hi, lo, s); +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_shift_left_small(FStar_UInt128_uint128 a, uint32_t s) { + if (s == (uint32_t)0U) + return a; + else { + FStar_UInt128_uint128 lit; + lit.low = a.low << s; + lit.high = FStar_UInt128_add_u64_shift_left_respec(a.high, a.low, s); + return lit; + } +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_shift_left_large(FStar_UInt128_uint128 a, uint32_t s) { + FStar_UInt128_uint128 lit; + lit.low = (uint64_t)0U; + lit.high = a.low << s - FStar_UInt128_u32_64; + return lit; +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s) { +#if HAS_OPTIMIZED + if (s == 0) { + return a; + } else if (s < FStar_UInt128_u32_64) { + uint64_t l = a.low << s; + uint64_t h = __shiftleft128(a.low, a.high, (unsigned char)s); + return _mm_set_epi64x(h, l); + } else { + return _mm_set_epi64x(a.low << (s - FStar_UInt128_u32_64), 0); + } +#else + if (s < 
FStar_UInt128_u32_64) + return FStar_UInt128_shift_left_small(a, s); + else + return FStar_UInt128_shift_left_large(a, s); +#endif +} + +inline static uint64_t +FStar_UInt128_add_u64_shift_right(uint64_t hi, uint64_t lo, uint32_t s) { + return (lo >> s) + (hi << FStar_UInt128_u32_64 - s); +} + +inline static uint64_t +FStar_UInt128_add_u64_shift_right_respec(uint64_t hi, uint64_t lo, uint32_t s) { + return FStar_UInt128_add_u64_shift_right(hi, lo, s); +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_shift_right_small(FStar_UInt128_uint128 a, uint32_t s) { + if (s == (uint32_t)0U) + return a; + else { + FStar_UInt128_uint128 lit; + lit.low = FStar_UInt128_add_u64_shift_right_respec(a.high, a.low, s); + lit.high = a.high >> s; + return lit; + } +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_shift_right_large(FStar_UInt128_uint128 a, uint32_t s) { + FStar_UInt128_uint128 lit; + lit.low = a.high >> s - FStar_UInt128_u32_64; + lit.high = (uint64_t)0U; + return lit; +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s) { +#if HAS_OPTIMIZED + if (s == 0) { + return a; + } else if (s < FStar_UInt128_u32_64) { + uint64_t l = __shiftright128(a.low, a.high, (unsigned char)s); + uint64_t h = a.high >> s; + return _mm_set_epi64x(h, l); + } else { + return _mm_set_epi64x(0, a.high >> (s - FStar_UInt128_u32_64)); + } +#else + if (s < FStar_UInt128_u32_64) + return FStar_UInt128_shift_right_small(a, s); + else + return FStar_UInt128_shift_right_large(a, s); +#endif +} + +inline static bool FStar_UInt128_eq(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { + return a.low == b.low && a.high == b.high; +} + +inline static bool FStar_UInt128_gt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { + return a.high > b.high || a.high == b.high && a.low > b.low; +} + +inline static bool FStar_UInt128_lt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { + return a.high < b.high || a.high == b.high && a.low < b.low; +} 
+ +inline static bool FStar_UInt128_gte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { + return a.high > b.high || a.high == b.high && a.low >= b.low; +} + +inline static bool FStar_UInt128_lte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { + return a.high < b.high || a.high == b.high && a.low <= b.low; +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { +#if HAS_OPTIMIZED + // PCMPW to produce 4 32-bit values, all either 0x0 or 0xffffffff + __m128i r32 = _mm_cmpeq_epi32(a, b); + // Shuffle 3,2,1,0 into 2,3,0,1 (swapping dwords inside each half) + __m128i s32 = _mm_shuffle_epi32(r32, _MM_SHUFFLE(2, 3, 0, 1)); + // Bitwise and to compute (3&2),(2&3),(1&0),(0&1) + __m128i ret64 = _mm_and_si128(r32, s32); + // Swap the two 64-bit values to form s64 + __m128i s64 = + _mm_shuffle_epi32(ret64, _MM_SHUFFLE(1, 0, 3, 2)); // 3,2,1,0 -> 1,0,3,2 + // And them together + return _mm_and_si128(ret64, s64); +#else + FStar_UInt128_uint128 lit; + lit.low = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high); + lit.high = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high); + return lit; +#endif +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { +#if HAS_OPTIMIZED && 0 + // ge - compare 3,2,1,0 for >= and generating 0 or 0xffffffff for each + // eq - compare 3,2,1,0 for == and generating 0 or 0xffffffff for each + // slot 0 = ge0 | (eq0 & ge1) | (eq0 & eq1 & ge2) | (eq0 & eq1 & eq2 & ge3) + // then splat slot 0 to 3,2,1,0 + __m128i gt = _mm_cmpgt_epi32(a, b); + __m128i eq = _mm_cmpeq_epi32(a, b); + __m128i ge = _mm_or_si128(gt, eq); + __m128i ge0 = ge; + __m128i eq0 = eq; + __m128i ge1 = _mm_srli_si128(ge, 4); // shift ge from 3,2,1,0 to 0x0,3,2,1 + __m128i t1 = _mm_and_si128(eq0, ge1); + __m128i ret = _mm_or_si128(ge, t1); // ge0 | (eq0 & ge1) is now in 0 + __m128i eq1 = _mm_srli_si128(eq, 4); // 
shift eq from 3,2,1,0 to 0x0,3,2,1 + __m128i ge2 = + _mm_srli_si128(ge1, 4); // shift original ge from 3,2,1,0 to 0x0,0x0,3,2 + __m128i t2 = + _mm_and_si128(eq0, _mm_and_si128(eq1, ge2)); // t2 = (eq0 & eq1 & ge2) + ret = _mm_or_si128(ret, t2); + __m128i eq2 = _mm_srli_si128(eq1, 4); // shift eq from 3,2,1,0 to 0x0,00,00,3 + __m128i ge3 = + _mm_srli_si128(ge2, 4); // shift original ge from 3,2,1,0 to 0x0,0x0,0x0,3 + __m128i t3 = _mm_and_si128( + eq0, _mm_and_si128( + eq1, _mm_and_si128(eq2, ge3))); // t3 = (eq0 & eq1 & eq2 & ge3) + ret = _mm_or_si128(ret, t3); + return _mm_shuffle_epi32( + ret, + _MM_SHUFFLE(0, 0, 0, 0)); // the result is in 0. Shuffle into all dwords. +#else + FStar_UInt128_uint128 lit; + lit.low = FStar_UInt64_gte_mask(a.high, b.high) & + ~FStar_UInt64_eq_mask(a.high, b.high) | + FStar_UInt64_eq_mask(a.high, b.high) & + FStar_UInt64_gte_mask(a.low, b.low); + lit.high = FStar_UInt64_gte_mask(a.high, b.high) & + ~FStar_UInt64_eq_mask(a.high, b.high) | + FStar_UInt64_eq_mask(a.high, b.high) & + FStar_UInt64_gte_mask(a.low, b.low); + return lit; +#endif +} + +inline static FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a) { +#if HAS_OPTIMIZED + return _mm_set_epi64x(0, a); +#else + FStar_UInt128_uint128 lit; + lit.low = a; + lit.high = (uint64_t)0U; + return lit; +#endif +} + +inline static uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a) { + return a.low; +} + +inline static uint64_t FStar_UInt128_u64_mod_32(uint64_t a) { + return a & (uint64_t)0xffffffffU; +} + +static uint32_t FStar_UInt128_u32_32 = (uint32_t)32U; + +inline static uint64_t FStar_UInt128_u32_combine(uint64_t hi, uint64_t lo) { + return lo + (hi << FStar_UInt128_u32_32); +} + +inline static FStar_UInt128_uint128 FStar_UInt128_mul32(uint64_t x, uint32_t y) { +#if HAS_OPTIMIZED + uint64_t l, h; + l = _umul128(x, (uint64_t)y, &h); + return _mm_set_epi64x(h, l); +#else + FStar_UInt128_uint128 lit; + lit.low = FStar_UInt128_u32_combine( + (x >> 
FStar_UInt128_u32_32) * (uint64_t)y + + (FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> + FStar_UInt128_u32_32), + FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * (uint64_t)y)); + lit.high = (x >> FStar_UInt128_u32_32) * (uint64_t)y + + (FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> + FStar_UInt128_u32_32) >> + FStar_UInt128_u32_32; + return lit; +#endif +} + +/* Note: static headers bring scope collision issues when they define types! + * Because now client (kremlin-generated) code will include this header and + * there might be type collisions if the client code uses quadruples of uint64s. + * So, we cannot use the kremlin-generated name. */ +typedef struct K_quad_s { + uint64_t fst; + uint64_t snd; + uint64_t thd; + uint64_t f3; +} K_quad; + +inline static K_quad +FStar_UInt128_mul_wide_impl_t_(uint64_t x, uint64_t y) { + K_quad tmp; + tmp.fst = FStar_UInt128_u64_mod_32(x); + tmp.snd = FStar_UInt128_u64_mod_32( + FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y)); + tmp.thd = x >> FStar_UInt128_u32_32; + tmp.f3 = (x >> FStar_UInt128_u32_32) * FStar_UInt128_u64_mod_32(y) + + (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> + FStar_UInt128_u32_32); + return tmp; +} + +static uint64_t FStar_UInt128_u32_combine_(uint64_t hi, uint64_t lo) { + return lo + (hi << FStar_UInt128_u32_32); +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_mul_wide_impl(uint64_t x, uint64_t y) { + K_quad scrut = + FStar_UInt128_mul_wide_impl_t_(x, y); + uint64_t u1 = scrut.fst; + uint64_t w3 = scrut.snd; + uint64_t x_ = scrut.thd; + uint64_t t_ = scrut.f3; + FStar_UInt128_uint128 lit; + lit.low = FStar_UInt128_u32_combine_( + u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_), w3); + lit.high = + x_ * (y >> FStar_UInt128_u32_32) + (t_ >> FStar_UInt128_u32_32) + + (u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_) >> + FStar_UInt128_u32_32); + return lit; +} + +inline static +FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, 
uint64_t y) { +#if HAS_OPTIMIZED + uint64_t l, h; + l = _umul128(x, y, &h); + return _mm_set_epi64x(h, l); +#else + return FStar_UInt128_mul_wide_impl(x, y); +#endif +} + +#undef low +#undef high + +#endif diff --git a/kremlin/kremlib/dist/minimal/fstar_uint128_struct_endianness.h b/kremlin/kremlib/dist/minimal/fstar_uint128_struct_endianness.h new file mode 100644 index 00000000..e2b6d628 --- /dev/null +++ b/kremlin/kremlib/dist/minimal/fstar_uint128_struct_endianness.h 
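Review bot: `FStar_UInt128_lognot` in the HAS_OPTIMIZED path returns `_mm_andnot_si128(a, a)`, which computes `(~a) & a`, i.e. zero for every input rather than the bitwise complement; `return _mm_xor_si128(a, _mm_set1_epi32(-1));` gives the intended result and matches the `~a.low`/`~a.high` fallback. The fallback branch of `FStar_UInt128_add_underspec` is missing a closing parenthesis in `FStar_UInt128_carry(a.low + b.low, b.low;`, so the header does not compile whenever HAS_OPTIMIZED is 0 (non-x64 MSVC, or KRML_VERIFIED_UINT128 defined); it should read `lit.high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low);` exactly as in `FStar_UInt128_add`. `store128_be` takes `uint128_t n` while every sibling here and the prototype in LowStar_Endianness.h use `FStar_UInt128_uint128`; unless types.h makes the two names the same typedef this will not match. The `#if HAS_OPTIMIZED && 0` block in `FStar_UInt128_gte_mask` is dead code, and if it stays the comment should say why it is disabled (presumably because `_mm_cmpgt_epi32` is a signed comparison, which the unsigned ordering needs to avoid).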
@@ -0,0 +1,68 @@
+/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
+ Licensed under the Apache 2.0 License. */
+
+#ifndef FSTAR_UINT128_STRUCT_ENDIANNESS_H
+#define FSTAR_UINT128_STRUCT_ENDIANNESS_H
+
+/* Hand-written implementation of endianness-related uint128 functions
+ * for the extracted uint128 implementation */
+
+/* Access 64-bit fields within the int128. */
+#define HIGH64_OF(x) ((x)->high)
+#define LOW64_OF(x) ((x)->low)
+
+/* A series of definitions written using pointers. */
+
+inline static void load128_le_(uint8_t *b, uint128_t *r) {
+ LOW64_OF(r) = load64_le(b);
+ HIGH64_OF(r) = load64_le(b + 8);
+}
+
+inline static void store128_le_(uint8_t *b, uint128_t *n) {
+ store64_le(b, LOW64_OF(n));
+ store64_le(b + 8, HIGH64_OF(n));
+}
+
+inline static void load128_be_(uint8_t *b, uint128_t *r) {
+ HIGH64_OF(r) = load64_be(b);
+ LOW64_OF(r) = load64_be(b + 8);
+}
+
+inline static void store128_be_(uint8_t *b, uint128_t *n) {
+ store64_be(b, HIGH64_OF(n));
+ store64_be(b + 8, LOW64_OF(n));
+}
+
+#ifndef KRML_NOSTRUCT_PASSING
+
+inline static uint128_t load128_le(uint8_t *b) {
+ uint128_t r;
+ load128_le_(b, &r);
+ return r;
+}
+
+inline static void store128_le(uint8_t *b, uint128_t n) {
+ store128_le_(b, &n);
+}
+
+inline static uint128_t load128_be(uint8_t *b) {
+ uint128_t r;
+ load128_be_(b, &r);
+ return r;
+}
+
+inline static void store128_be(uint8_t *b, uint128_t n) {
+ store128_be_(b, &n);
+}
+
+#else /* !defined(KRML_STRUCT_PASSING) */
+
+# define print128 print128_
+# define load128_le load128_le_
+# define store128_le store128_le_
+# define load128_be load128_be_
+# define store128_be store128_be_
+
+#endif /* KRML_STRUCT_PASSING */
+
+#endif
diff --git a/kremlin/kremlib/dist/minimal/libkremlib.def b/kremlin/kremlib/dist/minimal/libkremlib.def
new file mode 100644
index 00000000..cfc35a92
--- /dev/null
+++ b/kremlin/kremlib/dist/minimal/libkremlib.def
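Review bot: The trailing comments `#else /* !defined(KRML_STRUCT_PASSING) */` and `#endif /* KRML_STRUCT_PASSING */` name a macro that is never tested; the guard they close is `#ifndef KRML_NOSTRUCT_PASSING`, so both should read `/* KRML_NOSTRUCT_PASSING */` to keep a reader from hunting for the wrong symbol. In the same branch `# define print128 print128_` maps to a name that nothing in this header defines; either a comment should say which header provides `print128_` or the define should be dropped. The `load128_le_`/`load128_be_` readers are declared `uint8_t *b` although they only read through the pointer; `const uint8_t *b` would document that, and the same applies to the `load128_*` wrappers below them.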
@@ -0,0 +1,11 @@
+LIBRARY libkremlib
+
+EXPORTS
+ FStar_UInt64_eq_mask
+ FStar_UInt64_gte_mask
+ FStar_UInt32_eq_mask
+ FStar_UInt32_gte_mask
+ FStar_UInt16_eq_mask
+ FStar_UInt16_gte_mask
+ FStar_UInt8_eq_mask
+ FStar_UInt8_gte_mask
diff --git a/mach b/mach
new file mode 100755
index 00000000..72d2618e
--- /dev/null
+++ b/mach
@@ -0,0 +1,352 @@ +#!/usr/bin/env python3 +# +# Copyright 2022 Cryspen Sarl +# +# Licensed under the Apache License, Version 2.0 or MIT. +# * http://www.apache.org/licenses/LICENSE-2.0 +# * http://opensource.org/licenses/MIT +# +# The mach driver for HACL. + + +import pathlib +import subprocess +import re +import sys +import os +import shutil +from tools.configure import Config + +from tools.utils import config_cache, subcommand, argument, json_config, dep_config, cmake_config, cli, subparsers, mprint as print, check_cmd +from tools.test import run_tests +from tools.macos import ios_sysroot +from tools.ocaml import build_ocaml, clean_ocaml + +# === SUBCOMMANDS === # + + +def _install(prefix=None, config=None): + configuration = "Debug" + if config: + configuration = config + cmake_cmd = ['cmake', '--install', 'build', '--config', configuration] + if prefix: + cmake_cmd.extend(['--prefix', prefix]) + subprocess.run(cmake_cmd, check=True) + + +@subcommand([argument("-p", "--prefix", + help="The path prefix to install into.", type=str), + argument("-c", "--config", + help="The config to install, i.e. Debug or Release.", type=str)]) +def install(args): + _install(prefix=args.prefix, config=args.config) + + +@subcommand([argument("-c", "--clean", help="Clean before building.", action='store_true'), + argument("--tests", help="Build tests.", action='store_true'), + argument("--test", help="Build and run tests.", + action='store_true'), + argument("-r", "--release", help="Build in release mode.", + action='store_true'), + argument("-a", "--algorithms", + help="A list of algorithms to enable. 
Defaults to all.", type=str), + argument( + "-p", "--target", help="Define compile target for cross compilation.", type=str), + argument( + "-d", "--disable", help="Disable (hardware) features even if available.", type=str), + argument( + "-s", "--sanitizer", help="Enable sanitizers.", type=str), + argument( + "--ndk", help="Path to the Android NDK.", type=str), + argument( + "--msvc", help="Use MSVC on Windows (default is clang-cl).", action='store_true'), + argument( + "-e", "--edition", help="Choose a different HACL* edition.", type=str), + argument( + "-l", "--language", help="Build language bindings for the given language.", type=str), + argument("-v", "--verbose", help="Make builds verbose.", + action='store_true'), + argument("-m32", help="Build for 32-bit (even when on 64-bit).", action='store_true'), ]) +def build(args): + """Main entry point for building HACL + + For convenience it is possible to run tests right after building using --test. + + Supported cross compilation targets: + - x86_64-apple-darwin (macOS aarch64 only) + - s390x + - aarch64-apple-ios (macOS only) + - aarch64-apple-darwin (macOS x64 only) + - aarch64-linux-android + + Features that can be disabled (TBD): + - vec128 (avx/neon) + - vec256 (avx2) + - vale (x64 assembly) + + Supported sanitizers: + - asan + - ubsan + + Use an edition if you want a different build. Note that this build will + use the MSVC version by default on Windows. + Supported editions: + - c89 + + HACL can be built for another language than C. + Note that bindings will always require the full C library such that the + algorithm flag will be ignored. + - rust + - ocaml + - wasm (TBD) + + 💡 Windows builds are limited. 
The following arguments are not supported: + - algorithms + - sanitizer + - edition + - disable + """ + cmake_args = [] + # Verbosity + verbose = False + if args.verbose: + verbose = True + + def vprint(*args, **kwargs): + print(args, kwargs) + else: + vprint = lambda *a, **k: None + # Set config + build_config = "Debug" + if args.release: + build_config = "Release" + + # Clean if requested + if args.clean: + print("Cleaning ...") + try: + shutil.rmtree("build") + os.remove(cmake_config()) + os.remove(config_cache()) + clean_ocaml() + except: + pass # We don't really care + try: + os.mkdir("build") + except: + pass # We ignore the error if the directory exists already + + # Check if the config has been run before. + # In future we might want to put content in there. + cache = False + if os.path.exists(config_cache()): + cache = True + + bindings = args.language is not None + if bindings and args.language == 'ocaml': + # OCaml always gets release builds for now + build_config = "Release" + + cflags = [] + cxxflags = [] + + # We want to build for a 32-bit platform. + m32 = False + if args.m32: + cflags.append("-m32") + cxxflags.append("-m32") + m32 = True + + # Our default compiler is clang. + compiler = os.getenv('CC', 'clang') + windows = False + + # Select the source folder to use (regular, c89, msvc) + source_dir = "src" + include_dir = "include" + if args.edition == "c89": + source_dir = os.path.join(source_dir, "c89") + include_dir = os.path.join(include_dir, "c89") + cmake_args.append("-DCMAKE_C_STANDARD=90") + # Set MSVC if detecting Windows. + if sys.platform == "win32": + windows = True + source_dir = os.path.join(source_dir, "msvc") + include_dir = os.path.join(include_dir, "msvc") + # get msvc in the path (only x64 for now) + vswhere_cmd = ['tools\\vcbuild.cmd'] + subprocess.run(vswhere_cmd, check=True) + + # We use the ninja multi config generator. + cmake_args.append("-GNinja Multi-Config") + + # Use MSVC on Windows if requested. 
+ if windows and args.msvc: + cmake_args.append("-DUSE_MSVC=1") + + # Set target toolchain if cross compiling + if args.target: + if windows: + print("! Cross-compilation is not supporte on Windows.") + exit(1) + if m32: + print("! Cross-compilation is not supported when --m32 is set.") + exit(1) + if args.target == "x86_64-apple-darwin": + cmake_args.extend( + ["-DCMAKE_TOOLCHAIN_FILE=config/x64-darwin.cmake"]) + elif args.target == "s390x": + cmake_args.extend( + ["-DCMAKE_TOOLCHAIN_FILE=config/s390x.cmake", "-DCMAKE_C_COMPILER=s390x-linux-gnu-gcc-10", "-DCMAKE_CXX_COMPILER=s390x-linux-gnu-g++-10"]) + elif args.target == "aarch64-apple-ios": + cmake_args.extend( + ["-DCMAKE_TOOLCHAIN_FILE=config/aarch64-ios.cmake"]) + cmake_args.extend( + ["-DCMAKE_OSX_SYSROOT="+ios_sysroot()] + ) + elif args.target == "aarch64-apple-darwin": + cmake_args.extend( + ["-DCMAKE_TOOLCHAIN_FILE=config/aarch64-darwin.cmake"]) + elif args.target == "aarch64-linux-android": + if args.ndk: + cmake_args.append("-DANDROID_NDK_PATH="+args.ndk) + else: + print( + "! Compiling for \"%s\" requires an NDK. \n\t Use --ndk to specify the path." % args.target) + print(" See help for more information.") + exit(1) + cmake_args.extend( + ["-DCMAKE_TOOLCHAIN_FILE=config/aarch64-android.cmake"]) + else: + print("! Unknown cross-compilation target \"%s\"" % args.target) + print(" See help for available targets.") + exit(1) + if args.disable: + if windows: + print("! Disabling features is not supporte on Windows.") + exit(1) + features_to_disable = list( + map(lambda f: "-DDISABLE_"+f.upper()+"=ON", re.split(r"\W+", args.disable))) + cmake_args.extend(features_to_disable) + if args.tests or args.test: + cmake_args.append("-DENABLE_TESTS=ON") + if args.sanitizer: + if windows: + print("! 
Sanitizers are not supporte on Windows.") + exit(1) + sanitizers = list( + map(lambda f: "-DENABLE_"+f.upper()+"=ON", re.split(r"\W+", args.sanitizer))) + cmake_args.extend(sanitizers) + + # if verbose: + # cmake_args.extend(["--debug-output", "--trace"]) + + if len(cflags) != 0: + cmake_args.append("-DCMAKE_C_FLAGS=" + ' '.join(cflags)) + if len(cxxflags) != 0: + cmake_args.append("-DCMAKE_CXX_FLAGS=" + ' '.join(cxxflags)) + + # In order to perform correct dependency analysis we have to first get a + # correct config.h. The config.h is generated by cmake, which requires the + # config.cmake generated by this script. + # We therefore have to + # - run the mach configuration to generate a (incorrect) config.cmake + # - run cmake to generate config.h + # - run the mach configuration again to generate the correct config.cmake + # - run cmake to generate the ninja build files + # + # If this has been run on this system before, only the last cmake invocation + # is performed. + # '--debug-trycompile' + if not cache: + print("Running config to write config.cmake and config.h ...") + config = Config(json_config(), source_dir, + include_dir, compiler=compiler) + config.write_cmake_config(cmake_config()) + config.write_dep_config(dep_config()) + + cmake_cmd = ['cmake', '-B', 'build'] + cmake_cmd.extend(cmake_args) + vprint(str(cmake_cmd)) + subprocess.run(cmake_cmd, check=True) + + pathlib.Path(config_cache()).touch() + + if not cache or (args.algorithms and not bindings) or args.test: + algorithms = [] + if args.algorithms and not bindings: + algorithms = re.split(r"\W+", args.algorithms) + config = Config(json_config(), source_dir, + include_dir, algorithms=algorithms, compiler=compiler) + config.write_cmake_config(cmake_config()) + config.write_dep_config(dep_config()) + + cmake_cmd = ['cmake', '-B', 'build'] + cmake_cmd.extend(cmake_args) + vprint(str(cmake_cmd)) + subprocess.run(cmake_cmd, check=True) + + # Set ninja arguments + ninja_args = [] + if verbose: + 
ninja_args.append('-v') + + # build C library + ninja_cmd = ['ninja', '-f', 'build-%s.ninja' % build_config, '-C', 'build'] + ninja_cmd.extend(ninja_args) + vprint(str(ninja_cmd)) + subprocess.run(ninja_cmd, check=True) + + # build bindings if requested + if bindings: + if args.language == 'rust': + check_cmd('cargo') + _install(prefix='build/installed', config=build_config) + cargo_cmd = 'cargo build --manifest-path rust/Cargo.toml' + if verbose: + cargo_cmd += ' -v' + env = { + **os.environ, + "MACH_BUILD": "1" + } + if windows: + subprocess.Popen('setx MACH_BUILD 1', shell=True).wait() + subprocess.run(cargo_cmd, check=True, shell=True, env=env) + elif args.language == 'ocaml': + check_cmd('make') + check_cmd('ocaml') + print() + build_ocaml() + else: + print("Unknown language binding %s. Please see --help for supported bindings" % + (args.language)) + exit(1) + + print("Build finished.") + + # test if requested + if args.test: + run_tests(config.tests, build_config) + + +@subcommand() +def clean(args): + """Remove all build and config artifacts""" + shutil.rmtree("build") + os.remove(cmake_config()) + os.remove(config_cache()) + +# === Boiler plate === # + + +def main(): + args = cli.parse_args() + if args.subcommand is None: + cli.print_help() + else: + args.func(args) + + +if __name__ == '__main__': + main() diff --git a/ocaml/.gitignore b/ocaml/.gitignore new file mode 100644 index 00000000..961c15d3 --- /dev/null +++ b/ocaml/.gitignore @@ -0,0 +1,15 @@ +.*depend* +*.so +*.a +*.o +*.d +*.d.* +*.cm* +*.exe +lib/*_stubs.ml +lib/*_c_stubs.c +c/ +hacl-packages/ +__pycache__/ +config.h +*.dylib diff --git a/ocaml/META b/ocaml/META new file mode 100644 index 00000000..f4a8651c --- /dev/null +++ b/ocaml/META @@ -0,0 +1,6 @@ +name="hacl-star-raw" +version="0.4.5" +description="EverCrypt with Ctypes bindings" +requires="ctypes" +archive(native)="ocamlevercrypt.cmxa" +archive(byte)="ocamlevercrypt.cma" 
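Review bot: The verbose printer defined under `if args.verbose:` is `def vprint(*args, **kwargs): print(args, kwargs)`, which prints the tuple and dict reprs rather than the message (every `vprint(str(cmake_cmd))` shows up as `("['cmake', ...]",) {}`); it should forward them with `print(*args, **kwargs)`. In the rust branch on Windows, `subprocess.Popen('setx MACH_BUILD 1', shell=True).wait()` persistently writes the variable into the user's registry environment, while the `env=` dict passed to the cargo call already covers the child process, so the `setx` looks like an unintended machine-wide side effect and needs at least a comment saying why it is required. The `--disable` and `--sanitizer` values are turned into arbitrary `-DDISABLE_<X>=ON` / `-DENABLE_<X>=ON` cache entries with no check against the documented set (`vec128`, `vec256`, `vale`; `asan`, `ubsan`), so a typo is silently accepted and does nothing; a lookup against an allowed list with an error, as `--target` already does, would be consistent. The bare `except: pass` blocks around the clean-up calls also swallow `KeyboardInterrupt`; `except OSError: pass` is the narrower form for the `rmtree`/`remove`/`mkdir` failures they are meant to ignore (what `clean_ocaml()` can raise is not visible here).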
diff --git a/ocaml/Makefile b/ocaml/Makefile
new file mode 100644
index 00000000..5fa20f78
--- /dev/null
+++ b/ocaml/Makefile
@@ -0,0 +1,156 @@ +# Copyright 2022 Cryspen Sarl +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# This file is adapted from the project-everest/hacl-star/ Makefile. + +.PRECIOUS: %.cmx +.PHONY: build test clean install-hacl-star-raw setup + +all: ocamlevercrypt.cmxa build + +UNAME ?= $(shell uname) +ifeq ($(UNAME),Darwin) + SO = dylib + OCAML_SO = so +else ifeq ($(UNAME),Linux) + SO = so + OCAML_SO = so + CFLAGS += -fPIC +else ifeq ($(OS),Windows_NT) + $(error "Windows is not supported at the moment.") +else ifeq ($(UNAME),FreeBSD) + SO = so + OCAML_SO = so + CFLAGS += -fPIC +endif + +# Config +include $(HACL_MAKE_CONFIG) +STATIC_C_LIB_NAME=hacl_static +DYNAMIC_C_LIB_NAME=hacl +BLOCKLIST= Hacl_HPKE_Curve64_CP128_SHA256.c Hacl_HPKE_Curve64_CP128_SHA512.c \ + Hacl_HPKE_Curve64_CP256_SHA256.c Hacl_HPKE_Curve64_CP256_SHA512.c \ + Hacl_HPKE_Curve64_CP32_SHA256.c Hacl_HPKE_Curve64_CP32_SHA512.c \ + Hacl_HPKE_Curve51_CP256_SHA256.c Hacl_HPKE_Curve51_CP256_SHA512.c \ + Hacl_HPKE_Curve64_CP256_SHA256.c Hacl_HPKE_Curve64_CP256_SHA512.c \ + Hacl_HPKE_P256_CP256_SHA256.c +ifeq (,$(TOOLCHAIN_CAN_COMPILE_VEC128)) +BLOCKLIST+=Hacl_Chacha20Poly1305_128.c Hacl_Poly1305_128.c \ + Hacl_Hash_Blake2s_128.c Hacl_Streaming_Blake2s_128.c \ + Hacl_Bignum4096.c Hacl_Bignum64.c Hacl_GenericField64.c +endif +ifeq (,$(TOOLCHAIN_CAN_COMPILE_VEC256)) +BLOCKLIST+=Hacl_Bignum256.c Hacl_Chacha20Poly1305_256.c Hacl_Chacha20_Vec256.c \ + Hacl_HKDF_Blake2b_256.c Hacl_HMAC_Blake2b_256.c \ + 
Hacl_Hash_Blake2b_256.c Hacl_Poly1305_256.c Hacl_SHA2_Vec256.c \ + Hacl_Streaming_Blake2b_256.c Hacl_Streaming_Poly1305_256.c +endif +ifeq (,$(TOOLCHAIN_CAN_COMPILE_VALE)) +BLOCKLIST+=Hacl_Curve25519_64.c evercrypt_vale_stubs.c EverCrypt_Vale.c +endif +C_PATH?=c +C_LIB?=lib$(STATIC_C_LIB_NAME).a +C_DYN_LIB?=lib$(DYNAMIC_C_LIB_NAME).$(SO) +C_INCLUDES?=-I$(C_PATH)/include/ +KARAMEL_INCLUDES?=-I$(C_PATH)/kremlin/include \ + -I$(C_PATH)/kremlin/kremlib/dist/minimal/ + +OCAMLOPT=ocamlfind opt -package ctypes,ctypes.stubs -linkpkg -I lib +OCAMLDEP=ocamlfind dep -I lib -slash + +OCAMLC=ocamlfind c -g -package ctypes,ctypes.stubs -linkpkg -I lib + +CFLAGS += -I "$(shell ocamlfind query ctypes)" -I "$(shell ocamlfind c -where)" \ + $(C_INCLUDES) $(KARAMEL_INCLUDES) + +# Don't include bindings for files that cannot be compiled. +BLOCKLIST_ML=$(patsubst %.c,%,$(BLOCKLIST)) +ALL_OCAML=$(filter-out $(BLOCKLIST_ML),$(patsubst lib_gen/%_gen.ml,%,$(wildcard lib_gen/*_gen.ml))) + +# File names. +ALL_BINDINGS=$(patsubst %,lib/%_bindings.cmx,$(ALL_OCAML)) +ALL_GENERATORS=$(patsubst %,lib_gen/%_gen.exe, $(ALL_OCAML)) +ALL_ML_STUBS=$(patsubst %,lib/%_stubs.cmx,$(ALL_OCAML)) +ALL_C_STUBS=$(patsubst %,lib/%_c_stubs.o,$(ALL_OCAML)) + +include .depend.ocaml +include ctypes.depend + +lib_gen/Lib_RandomBuffer_System_gen.cmx: lib/Lib_RandomBuffer_System_bindings.cmx +lib_gen/Lib_RandomBuffer_System_gen.exe: lib/Lib_RandomBuffer_System_bindings.cmx lib_gen/Lib_RandomBuffer_System_gen.cmx + +.depend.ocaml: + $(OCAMLDEP) $(wildcard lib/*.ml) $(wildcard lib_gen/*.ml) > $@ + +%.exe: + +lib_gen/%_gen.exe: + $(OCAMLOPT) $(filter-out %.a,$^) $(C_LIB) -o $@ + +%.cmx: %.ml + $(OCAMLOPT) -c $^ -o $@ + +%.cmo: %.ml + $(OCAMLC) -c $^ -o $@ + + +.PRECIOUS: lib/%_stubs.ml +lib/%_stubs.ml: lib/%_c_stubs.c + +lib/%_stubs.ml lib/%_c_stubs.c: lib_gen/%_gen.exe + $< + +BLOCKLIST_CMX = $(patsubst %,lib/%_stubs.cmx,$(BLOCKLIST_ML)) +BLOCKLIST_CMX += $(patsubst %,lib/%_bindings.cmx,$(BLOCKLIST_ML)) +CTYPES_CMX = 
$(filter-out $(BLOCKLIST_CMX),$(CTYPES_DEPS)) +CTYPES_CMX += lib/Lib_RandomBuffer_System_stubs.cmx lib/Lib_RandomBuffer_System_bindings.cmx +CTYPES_ML = $(patsubst %.cmx,%.ml,$(CTYPES_CMX)) +CTYPES_CMI = $(patsubst %.cmx,%.cmi,$(CTYPES_CMX)) +CTYPES_CMO = $(patsubst %.cmx,%.cmo,$(CTYPES_CMX)) + + +ocamlevercrypt.cma: $(ALL_BINDINGS) $(CTYPES_CMO) $(ALL_C_STUBS) $(CTYPES_CMX) + ocamlmklib -o ocamlevercrypt $(CTYPES_CMO) -L. -l$(STATIC_C_LIB_NAME) + +ocamlevercrypt.cmxa: $(ALL_BINDINGS) $(ALL_ML_STUBS) $(ALL_C_STUBS) + ocamlmklib -o ocamlevercrypt $(CTYPES_CMX) -L. -l$(STATIC_C_LIB_NAME) + +STUBLIBS_PATH=$(OPAM_SWITCH_PREFIX)/lib/stublibs + +dllocamlevercrypt.$(OCAML_SO): ocamlevercrypt.cmxa ocamlevercrypt.cma + ocamlmklib -o ocamlevercrypt $(ALL_C_STUBS) -L. -L$(STUBLIBS_PATH) -l$(STATIC_C_LIB_NAME) + +clean: + rm -rf *.$(SO) *.$(OCAML_SO) *.a .depend.ocaml *.cmxa *.cma \ + **/*.cma **/*.cmo **/*.cmx **/*.cmxa* **/*.o **/*.c **/*.cmi **/*.exe **/*.o **/*.d \ + rm -rf c rm -rf hacl-star/_build + +# Install hacl-star-raw locally. +install-hacl-star-raw: dllocamlevercrypt.$(OCAML_SO) + ocamlfind remove hacl-star-raw || true + ocamlfind install hacl-star-raw META + ocamlfind install -add hacl-star-raw $(CTYPES_ML) + ocamlfind install -add hacl-star-raw $(CTYPES_CMX) + ocamlfind install -add hacl-star-raw $(CTYPES_CMO) + ocamlfind install -add hacl-star-raw $(CTYPES_CMI) + ocamlfind install -add hacl-star-raw \ + $(C_LIB) $(C_DYN_LIB) \ + ocamlevercrypt.cma ocamlevercrypt.cmxa ocamlevercrypt.a \ + libocamlevercrypt.a dllocamlevercrypt.$(OCAML_SO) $(C_PATH)/include/config.h + +build: install-hacl-star-raw + cd hacl-star && dune build + +test: build + cd hacl-star && dune test diff --git a/ocaml/__init__.py b/ocaml/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/ocaml/ctypes.depend b/ocaml/ctypes.depend new file mode 100644 index 00000000..30abd4b5 --- /dev/null +++ b/ocaml/ctypes.depend 
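Review bot: The `clean` recipe ends its `rm -rf` argument list with a backslash continuation, so the following line `rm -rf c rm -rf hacl-star/_build` becomes extra arguments to the same `rm` — it only works because `-rf` was already given, and it would also delete a file literally named `rm` in the working directory; the intent is a separate command, `rm -rf c hacl-star/_build`. The same recipe removes `**/*.c` (and `**/*.o`, `**/*.cmi`, ...), which under the `/bin/sh` make invokes is just `*/*.c`, i.e. every `.c` file one directory down rather than only the generated `lib/*_c_stubs.c`; a pattern limited to the generated files is safer for anyone with sources in a sibling directory. `BLOCKLIST` lists `Hacl_HPKE_Curve64_CP256_SHA256.c` and `Hacl_HPKE_Curve64_CP256_SHA512.c` twice (second and fifth continuation lines), harmless for `filter-out` but worth deduplicating. Nothing checks that `HACL_MAKE_CONFIG` is set before `include $(HACL_MAKE_CONFIG)`; if it is empty the `TOOLCHAIN_CAN_COMPILE_*` variables are all unset and every `ifeq (,...)` branch fires, silently dropping the vec128, vec256 and Vale bindings, so an `ifndef HACL_MAKE_CONFIG` / `$(error HACL_MAKE_CONFIG is not set)` guard would make that misconfiguration loud.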
@@ -0,0 +1,277 @@ +CTYPES_DEPS=lib/Hacl_Spec_stubs.cmx lib/Hacl_Spec_bindings.cmx lib/Hacl_Hash_Base_stubs.cmx lib/Hacl_Hash_Base_bindings.cmx lib/Hacl_Hash_Blake2_stubs.cmx lib/Hacl_Hash_Blake2_bindings.cmx lib/Hacl_Hash_Blake2b_256_stubs.cmx lib/Hacl_Hash_Blake2b_256_bindings.cmx lib/Hacl_Hash_Blake2s_128_stubs.cmx lib/Hacl_Hash_Blake2s_128_bindings.cmx lib/Hacl_Hash_MD5_stubs.cmx lib/Hacl_Hash_MD5_bindings.cmx lib/Hacl_Hash_SHA1_stubs.cmx lib/Hacl_Hash_SHA1_bindings.cmx lib/Hacl_Hash_SHA2_stubs.cmx lib/Hacl_Hash_SHA2_bindings.cmx lib/EverCrypt_AutoConfig2_stubs.cmx lib/EverCrypt_AutoConfig2_bindings.cmx lib/EverCrypt_Hash_stubs.cmx lib/EverCrypt_Hash_bindings.cmx lib/Hacl_SHA3_stubs.cmx lib/Hacl_SHA3_bindings.cmx lib/Hacl_Chacha20_stubs.cmx lib/Hacl_Chacha20_bindings.cmx lib/Hacl_Salsa20_stubs.cmx lib/Hacl_Salsa20_bindings.cmx lib/Hacl_Bignum_Base_stubs.cmx lib/Hacl_Bignum_Base_bindings.cmx lib/Hacl_Bignum_stubs.cmx lib/Hacl_Bignum_bindings.cmx lib/Hacl_Curve25519_64_Slow_stubs.cmx lib/Hacl_Curve25519_64_Slow_bindings.cmx lib/Hacl_Curve25519_64_stubs.cmx lib/Hacl_Curve25519_64_bindings.cmx lib/Hacl_Bignum25519_51_stubs.cmx lib/Hacl_Bignum25519_51_bindings.cmx lib/Hacl_Curve25519_51_stubs.cmx lib/Hacl_Curve25519_51_bindings.cmx lib/Hacl_Streaming_SHA2_stubs.cmx lib/Hacl_Streaming_SHA2_bindings.cmx lib/Hacl_Ed25519_stubs.cmx lib/Hacl_Ed25519_bindings.cmx lib/Hacl_Poly1305_32_stubs.cmx lib/Hacl_Poly1305_32_bindings.cmx lib/Hacl_Poly1305_128_stubs.cmx lib/Hacl_Poly1305_128_bindings.cmx lib/Hacl_Poly1305_256_stubs.cmx lib/Hacl_Poly1305_256_bindings.cmx lib/Hacl_NaCl_stubs.cmx lib/Hacl_NaCl_bindings.cmx lib/EverCrypt_Error_stubs.cmx lib/EverCrypt_Error_bindings.cmx lib/EverCrypt_CTR_stubs.cmx lib/EverCrypt_CTR_bindings.cmx lib/Hacl_P256_stubs.cmx lib/Hacl_P256_bindings.cmx lib/Hacl_Frodo_KEM_stubs.cmx lib/Hacl_Frodo_KEM_bindings.cmx lib/Hacl_IntTypes_Intrinsics_stubs.cmx lib/Hacl_IntTypes_Intrinsics_bindings.cmx lib/Hacl_IntTypes_Intrinsics_128_stubs.cmx 
lib/Hacl_IntTypes_Intrinsics_128_bindings.cmx lib/Hacl_RSAPSS_stubs.cmx lib/Hacl_RSAPSS_bindings.cmx lib/Hacl_FFDHE_stubs.cmx lib/Hacl_FFDHE_bindings.cmx lib/Hacl_Streaming_Blake2_stubs.cmx lib/Hacl_Streaming_Blake2_bindings.cmx lib/Hacl_Frodo640_stubs.cmx lib/Hacl_Frodo640_bindings.cmx lib/Hacl_Chacha20_Vec128_stubs.cmx lib/Hacl_Chacha20_Vec128_bindings.cmx lib/Hacl_Chacha20Poly1305_128_stubs.cmx lib/Hacl_Chacha20Poly1305_128_bindings.cmx lib/Hacl_HMAC_stubs.cmx lib/Hacl_HMAC_bindings.cmx lib/Hacl_HKDF_stubs.cmx lib/Hacl_HKDF_bindings.cmx lib/Hacl_HPKE_Curve51_CP128_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP128_SHA512_bindings.cmx lib/Hacl_GenericField32_stubs.cmx lib/Hacl_GenericField32_bindings.cmx lib/Hacl_Bignum256_stubs.cmx lib/Hacl_Bignum256_bindings.cmx lib/Hacl_SHA2_Vec256_stubs.cmx lib/Hacl_SHA2_Vec256_bindings.cmx lib/Hacl_Bignum4096_stubs.cmx lib/Hacl_Bignum4096_bindings.cmx lib/Hacl_Chacha20_Vec32_stubs.cmx lib/Hacl_Chacha20_Vec32_bindings.cmx lib/EverCrypt_Ed25519_stubs.cmx lib/EverCrypt_Ed25519_bindings.cmx lib/Hacl_Bignum4096_32_stubs.cmx lib/Hacl_Bignum4096_32_bindings.cmx lib/Hacl_HPKE_Curve64_CP128_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP128_SHA512_bindings.cmx lib/Hacl_HPKE_P256_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP128_SHA256_bindings.cmx lib/Hacl_Chacha20_Vec256_stubs.cmx lib/Hacl_Chacha20_Vec256_bindings.cmx lib/Hacl_Chacha20Poly1305_256_stubs.cmx lib/Hacl_Chacha20Poly1305_256_bindings.cmx lib/Hacl_HPKE_Curve51_CP256_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP256_SHA512_bindings.cmx lib/Hacl_SHA2_Scalar32_stubs.cmx lib/Hacl_SHA2_Scalar32_bindings.cmx lib/Hacl_Frodo976_stubs.cmx lib/Hacl_Frodo976_bindings.cmx lib/Hacl_HMAC_Blake2s_128_stubs.cmx lib/Hacl_HMAC_Blake2s_128_bindings.cmx lib/Hacl_HKDF_Blake2s_128_stubs.cmx lib/Hacl_HKDF_Blake2s_128_bindings.cmx lib/Hacl_GenericField64_stubs.cmx lib/Hacl_GenericField64_bindings.cmx lib/Hacl_Frodo1344_stubs.cmx lib/Hacl_Frodo1344_bindings.cmx lib/Hacl_HPKE_Curve64_CP256_SHA512_stubs.cmx 
lib/Hacl_HPKE_Curve64_CP256_SHA512_bindings.cmx lib/Hacl_Bignum32_stubs.cmx lib/Hacl_Bignum32_bindings.cmx lib/Hacl_HPKE_Curve51_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP128_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP128_SHA256_bindings.cmx lib/Hacl_Bignum256_32_stubs.cmx lib/Hacl_Bignum256_32_bindings.cmx lib/Hacl_SHA2_Vec128_stubs.cmx lib/Hacl_SHA2_Vec128_bindings.cmx lib/Hacl_Chacha20Poly1305_32_stubs.cmx lib/Hacl_Chacha20Poly1305_32_bindings.cmx lib/Hacl_HPKE_Curve51_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx lib/Hacl_Streaming_Poly1305_32_stubs.cmx lib/Hacl_Streaming_Poly1305_32_bindings.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_bindings.cmx lib/Hacl_HPKE_P256_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP256_SHA256_bindings.cmx lib/Hacl_HPKE_P256_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP32_SHA256_bindings.cmx lib/Hacl_Bignum64_stubs.cmx lib/Hacl_Bignum64_bindings.cmx lib/Hacl_Frodo64_stubs.cmx lib/Hacl_Frodo64_bindings.cmx lib/Hacl_Streaming_SHA1_stubs.cmx lib/Hacl_Streaming_SHA1_bindings.cmx lib/Hacl_Streaming_MD5_stubs.cmx lib/Hacl_Streaming_MD5_bindings.cmx lib/Hacl_HMAC_Blake2b_256_stubs.cmx lib/Hacl_HMAC_Blake2b_256_bindings.cmx lib/Hacl_HKDF_Blake2b_256_stubs.cmx lib/Hacl_HKDF_Blake2b_256_bindings.cmx lib/Hacl_HPKE_Curve64_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP32_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP32_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP32_SHA512_bindings.cmx lib/Hacl_EC_Ed25519_stubs.cmx lib/Hacl_EC_Ed25519_bindings.cmx lib/Hacl_HPKE_Curve51_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP256_SHA256_bindings.cmx lib/EverCrypt_Chacha20Poly1305_stubs.cmx lib/EverCrypt_Chacha20Poly1305_bindings.cmx lib/EverCrypt_AEAD_stubs.cmx lib/EverCrypt_AEAD_bindings.cmx lib/EverCrypt_HMAC_stubs.cmx lib/EverCrypt_HMAC_bindings.cmx 
lib/EverCrypt_HKDF_stubs.cmx lib/EverCrypt_HKDF_bindings.cmx lib/Hacl_HMAC_DRBG_stubs.cmx lib/Hacl_HMAC_DRBG_bindings.cmx lib/EverCrypt_DRBG_stubs.cmx lib/EverCrypt_DRBG_bindings.cmx lib/EverCrypt_Poly1305_stubs.cmx lib/EverCrypt_Poly1305_bindings.cmx lib/EverCrypt_Curve25519_stubs.cmx lib/EverCrypt_Curve25519_bindings.cmx lib/EverCrypt_Cipher_stubs.cmx lib/EverCrypt_Cipher_bindings.cmx lib/EverCrypt_Vale_stubs.cmx lib/EverCrypt_Vale_bindings.cmx lib/EverCrypt_StaticConfig_stubs.cmx lib/EverCrypt_StaticConfig_bindings.cmx +lib/Hacl_Spec_bindings.cmx: +lib_gen/Hacl_Spec_gen.cmx: lib/Hacl_Spec_bindings.cmx +lib_gen/Hacl_Spec_gen.exe: lib/Hacl_Spec_bindings.cmx lib_gen/Hacl_Spec_gen.cmx +lib/Hacl_Hash_Base_bindings.cmx: lib/Hacl_Spec_bindings.cmx lib/Hacl_Spec_stubs.cmx +lib_gen/Hacl_Hash_Base_gen.cmx: lib/Hacl_Hash_Base_bindings.cmx +lib_gen/Hacl_Hash_Base_gen.exe: lib/Hacl_Spec_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/Hacl_Spec_c_stubs.o lib/Hacl_Hash_Base_bindings.cmx lib_gen/Hacl_Hash_Base_gen.cmx +lib/Hacl_Hash_Blake2_bindings.cmx: +lib_gen/Hacl_Hash_Blake2_gen.cmx: lib/Hacl_Hash_Blake2_bindings.cmx +lib_gen/Hacl_Hash_Blake2_gen.exe: lib/Hacl_Hash_Blake2_bindings.cmx lib_gen/Hacl_Hash_Blake2_gen.cmx +lib/Hacl_Hash_Blake2b_256_bindings.cmx: +lib_gen/Hacl_Hash_Blake2b_256_gen.cmx: lib/Hacl_Hash_Blake2b_256_bindings.cmx +lib_gen/Hacl_Hash_Blake2b_256_gen.exe: lib/Hacl_Hash_Blake2b_256_bindings.cmx lib_gen/Hacl_Hash_Blake2b_256_gen.cmx +lib/Hacl_Hash_Blake2s_128_bindings.cmx: +lib_gen/Hacl_Hash_Blake2s_128_gen.cmx: lib/Hacl_Hash_Blake2s_128_bindings.cmx +lib_gen/Hacl_Hash_Blake2s_128_gen.exe: lib/Hacl_Hash_Blake2s_128_bindings.cmx lib_gen/Hacl_Hash_Blake2s_128_gen.cmx +lib/Hacl_Hash_MD5_bindings.cmx: +lib_gen/Hacl_Hash_MD5_gen.cmx: lib/Hacl_Hash_MD5_bindings.cmx +lib_gen/Hacl_Hash_MD5_gen.exe: lib/Hacl_Hash_MD5_bindings.cmx lib_gen/Hacl_Hash_MD5_gen.cmx +lib/Hacl_Hash_SHA1_bindings.cmx: +lib_gen/Hacl_Hash_SHA1_gen.cmx: lib/Hacl_Hash_SHA1_bindings.cmx 
+lib_gen/Hacl_Hash_SHA1_gen.exe: lib/Hacl_Hash_SHA1_bindings.cmx lib_gen/Hacl_Hash_SHA1_gen.cmx +lib/Hacl_Hash_SHA2_bindings.cmx: +lib_gen/Hacl_Hash_SHA2_gen.cmx: lib/Hacl_Hash_SHA2_bindings.cmx +lib_gen/Hacl_Hash_SHA2_gen.exe: lib/Hacl_Hash_SHA2_bindings.cmx lib_gen/Hacl_Hash_SHA2_gen.cmx +lib/EverCrypt_AutoConfig2_bindings.cmx: +lib_gen/EverCrypt_AutoConfig2_gen.cmx: lib/EverCrypt_AutoConfig2_bindings.cmx +lib_gen/EverCrypt_AutoConfig2_gen.exe: lib/EverCrypt_AutoConfig2_bindings.cmx lib_gen/EverCrypt_AutoConfig2_gen.cmx +lib/EverCrypt_Hash_bindings.cmx: lib/Hacl_Spec_bindings.cmx lib/Hacl_Spec_stubs.cmx +lib_gen/EverCrypt_Hash_gen.cmx: lib/EverCrypt_Hash_bindings.cmx +lib_gen/EverCrypt_Hash_gen.exe: lib/Hacl_Spec_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/Hacl_Spec_c_stubs.o lib/EverCrypt_Hash_bindings.cmx lib_gen/EverCrypt_Hash_gen.cmx +lib/Hacl_SHA3_bindings.cmx: +lib_gen/Hacl_SHA3_gen.cmx: lib/Hacl_SHA3_bindings.cmx +lib_gen/Hacl_SHA3_gen.exe: lib/Hacl_SHA3_bindings.cmx lib_gen/Hacl_SHA3_gen.cmx +lib/Hacl_Chacha20_bindings.cmx: +lib_gen/Hacl_Chacha20_gen.cmx: lib/Hacl_Chacha20_bindings.cmx +lib_gen/Hacl_Chacha20_gen.exe: lib/Hacl_Chacha20_bindings.cmx lib_gen/Hacl_Chacha20_gen.cmx +lib/Hacl_Salsa20_bindings.cmx: +lib_gen/Hacl_Salsa20_gen.cmx: lib/Hacl_Salsa20_bindings.cmx +lib_gen/Hacl_Salsa20_gen.exe: lib/Hacl_Salsa20_bindings.cmx lib_gen/Hacl_Salsa20_gen.cmx +lib/Hacl_Bignum_Base_bindings.cmx: +lib_gen/Hacl_Bignum_Base_gen.cmx: lib/Hacl_Bignum_Base_bindings.cmx +lib_gen/Hacl_Bignum_Base_gen.exe: lib/Hacl_Bignum_Base_bindings.cmx lib_gen/Hacl_Bignum_Base_gen.cmx +lib/Hacl_Bignum_bindings.cmx: +lib_gen/Hacl_Bignum_gen.cmx: lib/Hacl_Bignum_bindings.cmx +lib_gen/Hacl_Bignum_gen.exe: lib/Hacl_Bignum_bindings.cmx lib_gen/Hacl_Bignum_gen.cmx +lib/Hacl_Curve25519_64_Slow_bindings.cmx: +lib_gen/Hacl_Curve25519_64_Slow_gen.cmx: lib/Hacl_Curve25519_64_Slow_bindings.cmx +lib_gen/Hacl_Curve25519_64_Slow_gen.exe: lib/Hacl_Curve25519_64_Slow_bindings.cmx 
lib_gen/Hacl_Curve25519_64_Slow_gen.cmx +lib/Hacl_Curve25519_64_bindings.cmx: +lib_gen/Hacl_Curve25519_64_gen.cmx: lib/Hacl_Curve25519_64_bindings.cmx +lib_gen/Hacl_Curve25519_64_gen.exe: lib/Hacl_Curve25519_64_bindings.cmx lib_gen/Hacl_Curve25519_64_gen.cmx +lib/Hacl_Bignum25519_51_bindings.cmx: +lib_gen/Hacl_Bignum25519_51_gen.cmx: lib/Hacl_Bignum25519_51_bindings.cmx +lib_gen/Hacl_Bignum25519_51_gen.exe: lib/Hacl_Bignum25519_51_bindings.cmx lib_gen/Hacl_Bignum25519_51_gen.cmx +lib/Hacl_Curve25519_51_bindings.cmx: +lib_gen/Hacl_Curve25519_51_gen.cmx: lib/Hacl_Curve25519_51_bindings.cmx +lib_gen/Hacl_Curve25519_51_gen.exe: lib/Hacl_Curve25519_51_bindings.cmx lib_gen/Hacl_Curve25519_51_gen.cmx +lib/Hacl_Streaming_SHA2_bindings.cmx: +lib_gen/Hacl_Streaming_SHA2_gen.cmx: lib/Hacl_Streaming_SHA2_bindings.cmx +lib_gen/Hacl_Streaming_SHA2_gen.exe: lib/Hacl_Streaming_SHA2_bindings.cmx lib_gen/Hacl_Streaming_SHA2_gen.cmx +lib/Hacl_Ed25519_bindings.cmx: +lib_gen/Hacl_Ed25519_gen.cmx: lib/Hacl_Ed25519_bindings.cmx +lib_gen/Hacl_Ed25519_gen.exe: lib/Hacl_Ed25519_bindings.cmx lib_gen/Hacl_Ed25519_gen.cmx +lib/Hacl_Poly1305_32_bindings.cmx: +lib_gen/Hacl_Poly1305_32_gen.cmx: lib/Hacl_Poly1305_32_bindings.cmx +lib_gen/Hacl_Poly1305_32_gen.exe: lib/Hacl_Poly1305_32_bindings.cmx lib_gen/Hacl_Poly1305_32_gen.cmx +lib/Hacl_Poly1305_128_bindings.cmx: +lib_gen/Hacl_Poly1305_128_gen.cmx: lib/Hacl_Poly1305_128_bindings.cmx +lib_gen/Hacl_Poly1305_128_gen.exe: lib/Hacl_Poly1305_128_bindings.cmx lib_gen/Hacl_Poly1305_128_gen.cmx +lib/Hacl_Poly1305_256_bindings.cmx: +lib_gen/Hacl_Poly1305_256_gen.cmx: lib/Hacl_Poly1305_256_bindings.cmx +lib_gen/Hacl_Poly1305_256_gen.exe: lib/Hacl_Poly1305_256_bindings.cmx lib_gen/Hacl_Poly1305_256_gen.cmx +lib/Hacl_NaCl_bindings.cmx: +lib_gen/Hacl_NaCl_gen.cmx: lib/Hacl_NaCl_bindings.cmx +lib_gen/Hacl_NaCl_gen.exe: lib/Hacl_NaCl_bindings.cmx lib_gen/Hacl_NaCl_gen.cmx +lib/EverCrypt_Error_bindings.cmx: +lib_gen/EverCrypt_Error_gen.cmx: 
lib/EverCrypt_Error_bindings.cmx +lib_gen/EverCrypt_Error_gen.exe: lib/EverCrypt_Error_bindings.cmx lib_gen/EverCrypt_Error_gen.cmx +lib/EverCrypt_CTR_bindings.cmx: lib/Hacl_Spec_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/EverCrypt_Error_bindings.cmx lib/EverCrypt_Error_stubs.cmx +lib_gen/EverCrypt_CTR_gen.cmx: lib/EverCrypt_CTR_bindings.cmx +lib_gen/EverCrypt_CTR_gen.exe: lib/Hacl_Spec_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/Hacl_Spec_c_stubs.o lib/EverCrypt_Error_bindings.cmx lib/EverCrypt_Error_stubs.cmx lib/EverCrypt_Error_c_stubs.o lib/EverCrypt_CTR_bindings.cmx lib_gen/EverCrypt_CTR_gen.cmx +lib/Hacl_P256_bindings.cmx: +lib_gen/Hacl_P256_gen.cmx: lib/Hacl_P256_bindings.cmx +lib_gen/Hacl_P256_gen.exe: lib/Hacl_P256_bindings.cmx lib_gen/Hacl_P256_gen.cmx +lib/Hacl_Frodo_KEM_bindings.cmx: lib/Hacl_Spec_bindings.cmx lib/Hacl_Spec_stubs.cmx +lib_gen/Hacl_Frodo_KEM_gen.cmx: lib/Hacl_Frodo_KEM_bindings.cmx +lib_gen/Hacl_Frodo_KEM_gen.exe: lib/Hacl_Spec_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/Hacl_Spec_c_stubs.o lib/Hacl_Frodo_KEM_bindings.cmx lib_gen/Hacl_Frodo_KEM_gen.cmx +lib/Hacl_IntTypes_Intrinsics_bindings.cmx: +lib_gen/Hacl_IntTypes_Intrinsics_gen.cmx: lib/Hacl_IntTypes_Intrinsics_bindings.cmx +lib_gen/Hacl_IntTypes_Intrinsics_gen.exe: lib/Hacl_IntTypes_Intrinsics_bindings.cmx lib_gen/Hacl_IntTypes_Intrinsics_gen.cmx +lib/Hacl_IntTypes_Intrinsics_128_bindings.cmx: +lib_gen/Hacl_IntTypes_Intrinsics_128_gen.cmx: lib/Hacl_IntTypes_Intrinsics_128_bindings.cmx +lib_gen/Hacl_IntTypes_Intrinsics_128_gen.exe: lib/Hacl_IntTypes_Intrinsics_128_bindings.cmx lib_gen/Hacl_IntTypes_Intrinsics_128_gen.cmx +lib/Hacl_RSAPSS_bindings.cmx: lib/Hacl_Spec_bindings.cmx lib/Hacl_Spec_stubs.cmx +lib_gen/Hacl_RSAPSS_gen.cmx: lib/Hacl_RSAPSS_bindings.cmx +lib_gen/Hacl_RSAPSS_gen.exe: lib/Hacl_Spec_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/Hacl_Spec_c_stubs.o lib/Hacl_RSAPSS_bindings.cmx lib_gen/Hacl_RSAPSS_gen.cmx +lib/Hacl_FFDHE_bindings.cmx: lib/Hacl_Spec_bindings.cmx 
lib/Hacl_Spec_stubs.cmx +lib_gen/Hacl_FFDHE_gen.cmx: lib/Hacl_FFDHE_bindings.cmx +lib_gen/Hacl_FFDHE_gen.exe: lib/Hacl_Spec_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/Hacl_Spec_c_stubs.o lib/Hacl_FFDHE_bindings.cmx lib_gen/Hacl_FFDHE_gen.cmx +lib/Hacl_Streaming_Blake2_bindings.cmx: lib/Hacl_Spec_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/Hacl_Hash_Blake2_bindings.cmx lib/Hacl_Hash_Blake2_stubs.cmx +lib_gen/Hacl_Streaming_Blake2_gen.cmx: lib/Hacl_Streaming_Blake2_bindings.cmx +lib_gen/Hacl_Streaming_Blake2_gen.exe: lib/Hacl_Spec_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/Hacl_Spec_c_stubs.o lib/Hacl_Hash_Blake2_bindings.cmx lib/Hacl_Hash_Blake2_stubs.cmx lib/Hacl_Hash_Blake2_c_stubs.o lib/Hacl_Streaming_Blake2_bindings.cmx lib_gen/Hacl_Streaming_Blake2_gen.cmx +lib/Hacl_Frodo640_bindings.cmx: +lib_gen/Hacl_Frodo640_gen.cmx: lib/Hacl_Frodo640_bindings.cmx +lib_gen/Hacl_Frodo640_gen.exe: lib/Hacl_Frodo640_bindings.cmx lib_gen/Hacl_Frodo640_gen.cmx +lib/Hacl_Chacha20_Vec128_bindings.cmx: +lib_gen/Hacl_Chacha20_Vec128_gen.cmx: lib/Hacl_Chacha20_Vec128_bindings.cmx +lib_gen/Hacl_Chacha20_Vec128_gen.exe: lib/Hacl_Chacha20_Vec128_bindings.cmx lib_gen/Hacl_Chacha20_Vec128_gen.cmx +lib/Hacl_Chacha20Poly1305_128_bindings.cmx: +lib_gen/Hacl_Chacha20Poly1305_128_gen.cmx: lib/Hacl_Chacha20Poly1305_128_bindings.cmx +lib_gen/Hacl_Chacha20Poly1305_128_gen.exe: lib/Hacl_Chacha20Poly1305_128_bindings.cmx lib_gen/Hacl_Chacha20Poly1305_128_gen.cmx +lib/Hacl_HMAC_bindings.cmx: +lib_gen/Hacl_HMAC_gen.cmx: lib/Hacl_HMAC_bindings.cmx +lib_gen/Hacl_HMAC_gen.exe: lib/Hacl_HMAC_bindings.cmx lib_gen/Hacl_HMAC_gen.cmx +lib/Hacl_HKDF_bindings.cmx: +lib_gen/Hacl_HKDF_gen.cmx: lib/Hacl_HKDF_bindings.cmx +lib_gen/Hacl_HKDF_gen.exe: lib/Hacl_HKDF_bindings.cmx lib_gen/Hacl_HKDF_gen.cmx +lib/Hacl_HPKE_Curve51_CP128_SHA512_bindings.cmx: +lib_gen/Hacl_HPKE_Curve51_CP128_SHA512_gen.cmx: lib/Hacl_HPKE_Curve51_CP128_SHA512_bindings.cmx +lib_gen/Hacl_HPKE_Curve51_CP128_SHA512_gen.exe: 
lib/Hacl_HPKE_Curve51_CP128_SHA512_bindings.cmx lib_gen/Hacl_HPKE_Curve51_CP128_SHA512_gen.cmx +lib/Hacl_GenericField32_bindings.cmx: +lib_gen/Hacl_GenericField32_gen.cmx: lib/Hacl_GenericField32_bindings.cmx +lib_gen/Hacl_GenericField32_gen.exe: lib/Hacl_GenericField32_bindings.cmx lib_gen/Hacl_GenericField32_gen.cmx +lib/Hacl_Bignum256_bindings.cmx: +lib_gen/Hacl_Bignum256_gen.cmx: lib/Hacl_Bignum256_bindings.cmx +lib_gen/Hacl_Bignum256_gen.exe: lib/Hacl_Bignum256_bindings.cmx lib_gen/Hacl_Bignum256_gen.cmx +lib/Hacl_SHA2_Vec256_bindings.cmx: +lib_gen/Hacl_SHA2_Vec256_gen.cmx: lib/Hacl_SHA2_Vec256_bindings.cmx +lib_gen/Hacl_SHA2_Vec256_gen.exe: lib/Hacl_SHA2_Vec256_bindings.cmx lib_gen/Hacl_SHA2_Vec256_gen.cmx +lib/Hacl_Bignum4096_bindings.cmx: lib/Hacl_Bignum256_bindings.cmx lib/Hacl_Bignum256_stubs.cmx +lib_gen/Hacl_Bignum4096_gen.cmx: lib/Hacl_Bignum4096_bindings.cmx +lib_gen/Hacl_Bignum4096_gen.exe: lib/Hacl_Bignum256_bindings.cmx lib/Hacl_Bignum256_stubs.cmx lib/Hacl_Bignum256_c_stubs.o lib/Hacl_Bignum4096_bindings.cmx lib_gen/Hacl_Bignum4096_gen.cmx +lib/Hacl_Chacha20_Vec32_bindings.cmx: +lib_gen/Hacl_Chacha20_Vec32_gen.cmx: lib/Hacl_Chacha20_Vec32_bindings.cmx +lib_gen/Hacl_Chacha20_Vec32_gen.exe: lib/Hacl_Chacha20_Vec32_bindings.cmx lib_gen/Hacl_Chacha20_Vec32_gen.cmx +lib/EverCrypt_Ed25519_bindings.cmx: +lib_gen/EverCrypt_Ed25519_gen.cmx: lib/EverCrypt_Ed25519_bindings.cmx +lib_gen/EverCrypt_Ed25519_gen.exe: lib/EverCrypt_Ed25519_bindings.cmx lib_gen/EverCrypt_Ed25519_gen.cmx +lib/Hacl_Bignum4096_32_bindings.cmx: lib/Hacl_GenericField32_bindings.cmx lib/Hacl_GenericField32_stubs.cmx +lib_gen/Hacl_Bignum4096_32_gen.cmx: lib/Hacl_Bignum4096_32_bindings.cmx +lib_gen/Hacl_Bignum4096_32_gen.exe: lib/Hacl_GenericField32_bindings.cmx lib/Hacl_GenericField32_stubs.cmx lib/Hacl_GenericField32_c_stubs.o lib/Hacl_Bignum4096_32_bindings.cmx lib_gen/Hacl_Bignum4096_32_gen.cmx +lib/Hacl_HPKE_Curve64_CP128_SHA512_bindings.cmx: 
+lib_gen/Hacl_HPKE_Curve64_CP128_SHA512_gen.cmx: lib/Hacl_HPKE_Curve64_CP128_SHA512_bindings.cmx +lib_gen/Hacl_HPKE_Curve64_CP128_SHA512_gen.exe: lib/Hacl_HPKE_Curve64_CP128_SHA512_bindings.cmx lib_gen/Hacl_HPKE_Curve64_CP128_SHA512_gen.cmx +lib/Hacl_HPKE_P256_CP128_SHA256_bindings.cmx: +lib_gen/Hacl_HPKE_P256_CP128_SHA256_gen.cmx: lib/Hacl_HPKE_P256_CP128_SHA256_bindings.cmx +lib_gen/Hacl_HPKE_P256_CP128_SHA256_gen.exe: lib/Hacl_HPKE_P256_CP128_SHA256_bindings.cmx lib_gen/Hacl_HPKE_P256_CP128_SHA256_gen.cmx +lib/Hacl_Chacha20_Vec256_bindings.cmx: +lib_gen/Hacl_Chacha20_Vec256_gen.cmx: lib/Hacl_Chacha20_Vec256_bindings.cmx +lib_gen/Hacl_Chacha20_Vec256_gen.exe: lib/Hacl_Chacha20_Vec256_bindings.cmx lib_gen/Hacl_Chacha20_Vec256_gen.cmx +lib/Hacl_Chacha20Poly1305_256_bindings.cmx: +lib_gen/Hacl_Chacha20Poly1305_256_gen.cmx: lib/Hacl_Chacha20Poly1305_256_bindings.cmx +lib_gen/Hacl_Chacha20Poly1305_256_gen.exe: lib/Hacl_Chacha20Poly1305_256_bindings.cmx lib_gen/Hacl_Chacha20Poly1305_256_gen.cmx +lib/Hacl_HPKE_Curve51_CP256_SHA512_bindings.cmx: +lib_gen/Hacl_HPKE_Curve51_CP256_SHA512_gen.cmx: lib/Hacl_HPKE_Curve51_CP256_SHA512_bindings.cmx +lib_gen/Hacl_HPKE_Curve51_CP256_SHA512_gen.exe: lib/Hacl_HPKE_Curve51_CP256_SHA512_bindings.cmx lib_gen/Hacl_HPKE_Curve51_CP256_SHA512_gen.cmx +lib/Hacl_SHA2_Scalar32_bindings.cmx: +lib_gen/Hacl_SHA2_Scalar32_gen.cmx: lib/Hacl_SHA2_Scalar32_bindings.cmx +lib_gen/Hacl_SHA2_Scalar32_gen.exe: lib/Hacl_SHA2_Scalar32_bindings.cmx lib_gen/Hacl_SHA2_Scalar32_gen.cmx +lib/Hacl_Frodo976_bindings.cmx: +lib_gen/Hacl_Frodo976_gen.cmx: lib/Hacl_Frodo976_bindings.cmx +lib_gen/Hacl_Frodo976_gen.exe: lib/Hacl_Frodo976_bindings.cmx lib_gen/Hacl_Frodo976_gen.cmx +lib/Hacl_HMAC_Blake2s_128_bindings.cmx: +lib_gen/Hacl_HMAC_Blake2s_128_gen.cmx: lib/Hacl_HMAC_Blake2s_128_bindings.cmx +lib_gen/Hacl_HMAC_Blake2s_128_gen.exe: lib/Hacl_HMAC_Blake2s_128_bindings.cmx lib_gen/Hacl_HMAC_Blake2s_128_gen.cmx +lib/Hacl_HKDF_Blake2s_128_bindings.cmx: 
+lib_gen/Hacl_HKDF_Blake2s_128_gen.cmx: lib/Hacl_HKDF_Blake2s_128_bindings.cmx +lib_gen/Hacl_HKDF_Blake2s_128_gen.exe: lib/Hacl_HKDF_Blake2s_128_bindings.cmx lib_gen/Hacl_HKDF_Blake2s_128_gen.cmx +lib/Hacl_GenericField64_bindings.cmx: lib/Hacl_Bignum256_bindings.cmx lib/Hacl_Bignum256_stubs.cmx +lib_gen/Hacl_GenericField64_gen.cmx: lib/Hacl_GenericField64_bindings.cmx +lib_gen/Hacl_GenericField64_gen.exe: lib/Hacl_Bignum256_bindings.cmx lib/Hacl_Bignum256_stubs.cmx lib/Hacl_Bignum256_c_stubs.o lib/Hacl_GenericField64_bindings.cmx lib_gen/Hacl_GenericField64_gen.cmx +lib/Hacl_Frodo1344_bindings.cmx: +lib_gen/Hacl_Frodo1344_gen.cmx: lib/Hacl_Frodo1344_bindings.cmx +lib_gen/Hacl_Frodo1344_gen.exe: lib/Hacl_Frodo1344_bindings.cmx lib_gen/Hacl_Frodo1344_gen.cmx +lib/Hacl_HPKE_Curve64_CP256_SHA512_bindings.cmx: +lib_gen/Hacl_HPKE_Curve64_CP256_SHA512_gen.cmx: lib/Hacl_HPKE_Curve64_CP256_SHA512_bindings.cmx +lib_gen/Hacl_HPKE_Curve64_CP256_SHA512_gen.exe: lib/Hacl_HPKE_Curve64_CP256_SHA512_bindings.cmx lib_gen/Hacl_HPKE_Curve64_CP256_SHA512_gen.cmx +lib/Hacl_Bignum32_bindings.cmx: lib/Hacl_GenericField32_bindings.cmx lib/Hacl_GenericField32_stubs.cmx +lib_gen/Hacl_Bignum32_gen.cmx: lib/Hacl_Bignum32_bindings.cmx +lib_gen/Hacl_Bignum32_gen.exe: lib/Hacl_GenericField32_bindings.cmx lib/Hacl_GenericField32_stubs.cmx lib/Hacl_GenericField32_c_stubs.o lib/Hacl_Bignum32_bindings.cmx lib_gen/Hacl_Bignum32_gen.cmx +lib/Hacl_HPKE_Curve51_CP128_SHA256_bindings.cmx: +lib_gen/Hacl_HPKE_Curve51_CP128_SHA256_gen.cmx: lib/Hacl_HPKE_Curve51_CP128_SHA256_bindings.cmx +lib_gen/Hacl_HPKE_Curve51_CP128_SHA256_gen.exe: lib/Hacl_HPKE_Curve51_CP128_SHA256_bindings.cmx lib_gen/Hacl_HPKE_Curve51_CP128_SHA256_gen.cmx +lib/Hacl_HPKE_Curve64_CP128_SHA256_bindings.cmx: +lib_gen/Hacl_HPKE_Curve64_CP128_SHA256_gen.cmx: lib/Hacl_HPKE_Curve64_CP128_SHA256_bindings.cmx +lib_gen/Hacl_HPKE_Curve64_CP128_SHA256_gen.exe: lib/Hacl_HPKE_Curve64_CP128_SHA256_bindings.cmx 
lib_gen/Hacl_HPKE_Curve64_CP128_SHA256_gen.cmx +lib/Hacl_Bignum256_32_bindings.cmx: lib/Hacl_GenericField32_bindings.cmx lib/Hacl_GenericField32_stubs.cmx +lib_gen/Hacl_Bignum256_32_gen.cmx: lib/Hacl_Bignum256_32_bindings.cmx +lib_gen/Hacl_Bignum256_32_gen.exe: lib/Hacl_GenericField32_bindings.cmx lib/Hacl_GenericField32_stubs.cmx lib/Hacl_GenericField32_c_stubs.o lib/Hacl_Bignum256_32_bindings.cmx lib_gen/Hacl_Bignum256_32_gen.cmx +lib/Hacl_SHA2_Vec128_bindings.cmx: +lib_gen/Hacl_SHA2_Vec128_gen.cmx: lib/Hacl_SHA2_Vec128_bindings.cmx +lib_gen/Hacl_SHA2_Vec128_gen.exe: lib/Hacl_SHA2_Vec128_bindings.cmx lib_gen/Hacl_SHA2_Vec128_gen.cmx +lib/Hacl_Chacha20Poly1305_32_bindings.cmx: +lib_gen/Hacl_Chacha20Poly1305_32_gen.cmx: lib/Hacl_Chacha20Poly1305_32_bindings.cmx +lib_gen/Hacl_Chacha20Poly1305_32_gen.exe: lib/Hacl_Chacha20Poly1305_32_bindings.cmx lib_gen/Hacl_Chacha20Poly1305_32_gen.cmx +lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmx: +lib_gen/Hacl_HPKE_Curve51_CP32_SHA256_gen.cmx: lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmx +lib_gen/Hacl_HPKE_Curve51_CP32_SHA256_gen.exe: lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmx lib_gen/Hacl_HPKE_Curve51_CP32_SHA256_gen.cmx +lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx: +lib_gen/Hacl_HPKE_Curve64_CP256_SHA256_gen.cmx: lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx +lib_gen/Hacl_HPKE_Curve64_CP256_SHA256_gen.exe: lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx lib_gen/Hacl_HPKE_Curve64_CP256_SHA256_gen.cmx +lib/Hacl_Streaming_Poly1305_32_bindings.cmx: +lib_gen/Hacl_Streaming_Poly1305_32_gen.cmx: lib/Hacl_Streaming_Poly1305_32_bindings.cmx +lib_gen/Hacl_Streaming_Poly1305_32_gen.exe: lib/Hacl_Streaming_Poly1305_32_bindings.cmx lib_gen/Hacl_Streaming_Poly1305_32_gen.cmx +lib/Hacl_HPKE_Curve51_CP32_SHA512_bindings.cmx: +lib_gen/Hacl_HPKE_Curve51_CP32_SHA512_gen.cmx: lib/Hacl_HPKE_Curve51_CP32_SHA512_bindings.cmx +lib_gen/Hacl_HPKE_Curve51_CP32_SHA512_gen.exe: lib/Hacl_HPKE_Curve51_CP32_SHA512_bindings.cmx 
lib_gen/Hacl_HPKE_Curve51_CP32_SHA512_gen.cmx +lib/Hacl_HPKE_P256_CP256_SHA256_bindings.cmx: +lib_gen/Hacl_HPKE_P256_CP256_SHA256_gen.cmx: lib/Hacl_HPKE_P256_CP256_SHA256_bindings.cmx +lib_gen/Hacl_HPKE_P256_CP256_SHA256_gen.exe: lib/Hacl_HPKE_P256_CP256_SHA256_bindings.cmx lib_gen/Hacl_HPKE_P256_CP256_SHA256_gen.cmx +lib/Hacl_HPKE_P256_CP32_SHA256_bindings.cmx: +lib_gen/Hacl_HPKE_P256_CP32_SHA256_gen.cmx: lib/Hacl_HPKE_P256_CP32_SHA256_bindings.cmx +lib_gen/Hacl_HPKE_P256_CP32_SHA256_gen.exe: lib/Hacl_HPKE_P256_CP32_SHA256_bindings.cmx lib_gen/Hacl_HPKE_P256_CP32_SHA256_gen.cmx +lib/Hacl_Bignum64_bindings.cmx: lib/Hacl_Bignum256_bindings.cmx lib/Hacl_Bignum256_stubs.cmx +lib_gen/Hacl_Bignum64_gen.cmx: lib/Hacl_Bignum64_bindings.cmx +lib_gen/Hacl_Bignum64_gen.exe: lib/Hacl_Bignum256_bindings.cmx lib/Hacl_Bignum256_stubs.cmx lib/Hacl_Bignum256_c_stubs.o lib/Hacl_Bignum64_bindings.cmx lib_gen/Hacl_Bignum64_gen.cmx +lib/Hacl_Frodo64_bindings.cmx: +lib_gen/Hacl_Frodo64_gen.cmx: lib/Hacl_Frodo64_bindings.cmx +lib_gen/Hacl_Frodo64_gen.exe: lib/Hacl_Frodo64_bindings.cmx lib_gen/Hacl_Frodo64_gen.cmx +lib/Hacl_Streaming_SHA1_bindings.cmx: lib/Hacl_Streaming_SHA2_bindings.cmx lib/Hacl_Streaming_SHA2_stubs.cmx +lib_gen/Hacl_Streaming_SHA1_gen.cmx: lib/Hacl_Streaming_SHA1_bindings.cmx +lib_gen/Hacl_Streaming_SHA1_gen.exe: lib/Hacl_Streaming_SHA2_bindings.cmx lib/Hacl_Streaming_SHA2_stubs.cmx lib/Hacl_Streaming_SHA2_c_stubs.o lib/Hacl_Streaming_SHA1_bindings.cmx lib_gen/Hacl_Streaming_SHA1_gen.cmx +lib/Hacl_Streaming_MD5_bindings.cmx: lib/Hacl_Streaming_SHA2_bindings.cmx lib/Hacl_Streaming_SHA2_stubs.cmx +lib_gen/Hacl_Streaming_MD5_gen.cmx: lib/Hacl_Streaming_MD5_bindings.cmx +lib_gen/Hacl_Streaming_MD5_gen.exe: lib/Hacl_Streaming_SHA2_bindings.cmx lib/Hacl_Streaming_SHA2_stubs.cmx lib/Hacl_Streaming_SHA2_c_stubs.o lib/Hacl_Streaming_MD5_bindings.cmx lib_gen/Hacl_Streaming_MD5_gen.cmx +lib/Hacl_HMAC_Blake2b_256_bindings.cmx: +lib_gen/Hacl_HMAC_Blake2b_256_gen.cmx: 
lib/Hacl_HMAC_Blake2b_256_bindings.cmx +lib_gen/Hacl_HMAC_Blake2b_256_gen.exe: lib/Hacl_HMAC_Blake2b_256_bindings.cmx lib_gen/Hacl_HMAC_Blake2b_256_gen.cmx +lib/Hacl_HKDF_Blake2b_256_bindings.cmx: +lib_gen/Hacl_HKDF_Blake2b_256_gen.cmx: lib/Hacl_HKDF_Blake2b_256_bindings.cmx +lib_gen/Hacl_HKDF_Blake2b_256_gen.exe: lib/Hacl_HKDF_Blake2b_256_bindings.cmx lib_gen/Hacl_HKDF_Blake2b_256_gen.cmx +lib/Hacl_HPKE_Curve64_CP32_SHA256_bindings.cmx: +lib_gen/Hacl_HPKE_Curve64_CP32_SHA256_gen.cmx: lib/Hacl_HPKE_Curve64_CP32_SHA256_bindings.cmx +lib_gen/Hacl_HPKE_Curve64_CP32_SHA256_gen.exe: lib/Hacl_HPKE_Curve64_CP32_SHA256_bindings.cmx lib_gen/Hacl_HPKE_Curve64_CP32_SHA256_gen.cmx +lib/Hacl_HPKE_Curve64_CP32_SHA512_bindings.cmx: +lib_gen/Hacl_HPKE_Curve64_CP32_SHA512_gen.cmx: lib/Hacl_HPKE_Curve64_CP32_SHA512_bindings.cmx +lib_gen/Hacl_HPKE_Curve64_CP32_SHA512_gen.exe: lib/Hacl_HPKE_Curve64_CP32_SHA512_bindings.cmx lib_gen/Hacl_HPKE_Curve64_CP32_SHA512_gen.cmx +lib/Hacl_EC_Ed25519_bindings.cmx: +lib_gen/Hacl_EC_Ed25519_gen.cmx: lib/Hacl_EC_Ed25519_bindings.cmx +lib_gen/Hacl_EC_Ed25519_gen.exe: lib/Hacl_EC_Ed25519_bindings.cmx lib_gen/Hacl_EC_Ed25519_gen.cmx +lib/Hacl_HPKE_Curve51_CP256_SHA256_bindings.cmx: +lib_gen/Hacl_HPKE_Curve51_CP256_SHA256_gen.cmx: lib/Hacl_HPKE_Curve51_CP256_SHA256_bindings.cmx +lib_gen/Hacl_HPKE_Curve51_CP256_SHA256_gen.exe: lib/Hacl_HPKE_Curve51_CP256_SHA256_bindings.cmx lib_gen/Hacl_HPKE_Curve51_CP256_SHA256_gen.cmx +lib/EverCrypt_Chacha20Poly1305_bindings.cmx: +lib_gen/EverCrypt_Chacha20Poly1305_gen.cmx: lib/EverCrypt_Chacha20Poly1305_bindings.cmx +lib_gen/EverCrypt_Chacha20Poly1305_gen.exe: lib/EverCrypt_Chacha20Poly1305_bindings.cmx lib_gen/EverCrypt_Chacha20Poly1305_gen.cmx +lib/EverCrypt_AEAD_bindings.cmx: lib/Hacl_Spec_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/EverCrypt_Error_bindings.cmx lib/EverCrypt_Error_stubs.cmx +lib_gen/EverCrypt_AEAD_gen.cmx: lib/EverCrypt_AEAD_bindings.cmx +lib_gen/EverCrypt_AEAD_gen.exe: lib/Hacl_Spec_bindings.cmx 
lib/Hacl_Spec_stubs.cmx lib/Hacl_Spec_c_stubs.o lib/EverCrypt_Error_bindings.cmx lib/EverCrypt_Error_stubs.cmx lib/EverCrypt_Error_c_stubs.o lib/EverCrypt_AEAD_bindings.cmx lib_gen/EverCrypt_AEAD_gen.cmx +lib/EverCrypt_HMAC_bindings.cmx: lib/Hacl_Spec_bindings.cmx lib/Hacl_Spec_stubs.cmx +lib_gen/EverCrypt_HMAC_gen.cmx: lib/EverCrypt_HMAC_bindings.cmx +lib_gen/EverCrypt_HMAC_gen.exe: lib/Hacl_Spec_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/Hacl_Spec_c_stubs.o lib/EverCrypt_HMAC_bindings.cmx lib_gen/EverCrypt_HMAC_gen.cmx +lib/EverCrypt_HKDF_bindings.cmx: lib/Hacl_Spec_bindings.cmx lib/Hacl_Spec_stubs.cmx +lib_gen/EverCrypt_HKDF_gen.cmx: lib/EverCrypt_HKDF_bindings.cmx +lib_gen/EverCrypt_HKDF_gen.exe: lib/Hacl_Spec_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/Hacl_Spec_c_stubs.o lib/EverCrypt_HKDF_bindings.cmx lib_gen/EverCrypt_HKDF_gen.cmx +lib/Hacl_HMAC_DRBG_bindings.cmx: lib/Hacl_Spec_bindings.cmx lib/Hacl_Spec_stubs.cmx +lib_gen/Hacl_HMAC_DRBG_gen.cmx: lib/Hacl_HMAC_DRBG_bindings.cmx +lib_gen/Hacl_HMAC_DRBG_gen.exe: lib/Hacl_Spec_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/Hacl_Spec_c_stubs.o lib/Hacl_HMAC_DRBG_bindings.cmx lib_gen/Hacl_HMAC_DRBG_gen.cmx +lib/EverCrypt_DRBG_bindings.cmx: lib/Hacl_Spec_bindings.cmx lib/Hacl_Spec_stubs.cmx +lib_gen/EverCrypt_DRBG_gen.cmx: lib/EverCrypt_DRBG_bindings.cmx +lib_gen/EverCrypt_DRBG_gen.exe: lib/Hacl_Spec_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/Hacl_Spec_c_stubs.o lib/EverCrypt_DRBG_bindings.cmx lib_gen/EverCrypt_DRBG_gen.cmx +lib/EverCrypt_Poly1305_bindings.cmx: +lib_gen/EverCrypt_Poly1305_gen.cmx: lib/EverCrypt_Poly1305_bindings.cmx +lib_gen/EverCrypt_Poly1305_gen.exe: lib/EverCrypt_Poly1305_bindings.cmx lib_gen/EverCrypt_Poly1305_gen.cmx +lib/EverCrypt_Curve25519_bindings.cmx: +lib_gen/EverCrypt_Curve25519_gen.cmx: lib/EverCrypt_Curve25519_bindings.cmx +lib_gen/EverCrypt_Curve25519_gen.exe: lib/EverCrypt_Curve25519_bindings.cmx lib_gen/EverCrypt_Curve25519_gen.cmx +lib/EverCrypt_Cipher_bindings.cmx: 
+lib_gen/EverCrypt_Cipher_gen.cmx: lib/EverCrypt_Cipher_bindings.cmx +lib_gen/EverCrypt_Cipher_gen.exe: lib/EverCrypt_Cipher_bindings.cmx lib_gen/EverCrypt_Cipher_gen.cmx +lib/EverCrypt_Vale_bindings.cmx: +lib_gen/EverCrypt_Vale_gen.cmx: lib/EverCrypt_Vale_bindings.cmx +lib_gen/EverCrypt_Vale_gen.exe: lib/EverCrypt_Vale_bindings.cmx lib_gen/EverCrypt_Vale_gen.cmx +lib/EverCrypt_StaticConfig_bindings.cmx: +lib_gen/EverCrypt_StaticConfig_gen.cmx: lib/EverCrypt_StaticConfig_bindings.cmx +lib_gen/EverCrypt_StaticConfig_gen.exe: lib/EverCrypt_StaticConfig_bindings.cmx lib_gen/EverCrypt_StaticConfig_gen.cmx diff --git a/ocaml/hacl-star-raw.opam b/ocaml/hacl-star-raw.opam new file mode 100644 index 00000000..d6751a03 --- /dev/null +++ b/ocaml/hacl-star-raw.opam @@ -0,0 +1,37 @@ +opam-version: "2.0" +name: "hacl-star-raw" +version: "0.4.5" +synopsis: "Auto-generated low-level OCaml bindings for EverCrypt/HACL*" +description: """ +This package contains a snapshot of the EverCrypt crypto provider and +the HACL* library, along with automatically generated Ctypes bindings. +For a higher-level idiomatic API see the `hacl-star` package, of +which `hacl-star-raw` is a dependency. +""" +maintainer: "Victor Dumitrescu " +authors: [ "Project Everest" ] +license: "Apache-2.0" +homepage: "https://hacl-star.github.io/" +bug-reports: "https://github.com/project-everest/hacl-star/issues" +depends: [ + "ocaml" { >= "4.08.0" } + "ocamlfind" {build} + "ctypes" { >= "0.18.0" } + "conf-which" {build} +] +available: [ + arch != "ppc64" & arch != "ppc32" & + (os = "freebsd" | os-family != "bsd") +] +x-ci-accept-failures: [ + "centos-7" # Default C compiler is too old + "oraclelinux-7" # Default C compiler is too old +] +build: [ + ["./configure"] + [make] +] +install: [ + make "install-hacl-star-raw" +] +dev-repo: "git+https://github.com/project-everest/hacl-star.git" diff --git a/ocaml/hacl-star/.gitignore b/ocaml/hacl-star/.gitignore new file mode 100644 index 00000000..3bf3657e --- /dev/null 
+++ b/ocaml/hacl-star/.gitignore
@@ -0,0 +1,5 @@
+_build/
+*.native
+*.install
+.merlin
+
diff --git a/ocaml/hacl-star/AutoConfig2.ml b/ocaml/hacl-star/AutoConfig2.ml
new file mode 100644
index 00000000..6e55c6fd
--- /dev/null
+++ b/ocaml/hacl-star/AutoConfig2.ml
@@ -0,0 +1,28 @@
+module EverCrypt_AutoConfig2 = EverCrypt_AutoConfig2_bindings.Bindings(EverCrypt_AutoConfig2_stubs)
+
+open EverCrypt_AutoConfig2
+type feature =
+ | SHAEXT
+ | AES_NI
+ | PCLMULQDQ
+ | VEC128
+ | VEC256
+ | BMI2
+ | ADX
+ | SSE
+ | MOVBE
+ | RDRAND
+let init () = everCrypt_AutoConfig2_init ()
+let has_feature = function
+ | SHAEXT -> everCrypt_AutoConfig2_has_shaext ()
+ | AES_NI -> everCrypt_AutoConfig2_has_aesni ()
+ | PCLMULQDQ -> everCrypt_AutoConfig2_has_pclmulqdq ()
+ | VEC128 -> everCrypt_AutoConfig2_has_vec128 ()
+ | VEC256 -> everCrypt_AutoConfig2_has_vec256 ()
+ | BMI2 -> everCrypt_AutoConfig2_has_bmi2 ()
+ | ADX -> everCrypt_AutoConfig2_has_adx ()
+ | SSE -> everCrypt_AutoConfig2_has_sse ()
+ | MOVBE -> everCrypt_AutoConfig2_has_movbe ()
+ | RDRAND -> everCrypt_AutoConfig2_has_rdrand ()
+
+let () = init ()
diff --git a/ocaml/hacl-star/CHANGES.md b/ocaml/hacl-star/CHANGES.md
new file mode 100644
index 00000000..5a754974
--- /dev/null
+++ b/ocaml/hacl-star/CHANGES.md
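Review bot: `let () = init ()` at the end of AutoConfig2.ml runs `everCrypt_AutoConfig2_init` as a side effect of linking the module, which is easy to miss when reading the `feature` type and `has_feature` above it, and `init` is also exported so callers may run detection a second time. A comment stating this contract would help, e.g. above the last line: `(* CPU feature detection runs once when this module is linked; init is exported so it can be re-run explicitly. *)`. Presumably `has_feature` reads state populated by `init`, so the comment should also say whether querying before `init` is meaningful — worth confirming against the C side.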
@@ -0,0 +1,46 @@
+## 0.4.5
+- Faster fallback implementations for certain intrinsics, leading to improved
+ performance, notably on ARMv8
+
+## 0.4.4
+- Build fixes (#494)
+
+## 0.4.3
+- Improved performance for Ed25519 (#486)
+
+## 0.4.2
+- Fix for bug impacting performance
+
+## 0.4.1
+- Support for FreeBSD
+- Build fixes
+
+## 0.4.0
+- Complete documentation
+- Redesigned API:
+ * by default, functions return result buffer instead of taking them as arguments
+ * arguments are now labeled
+- Improvements to runtime checks, unit tests
+
+## 0.3.2
+- Build fixes addressing performance and compatibility issues
+
+## 0.3.0
+- Updates to P-256 API
+- Build fixes
+
+## 0.2.2
+- Fix for bug impacting performance
+
+## 0.2.1
+- Minor fixes
+
+## 0.2.0
+- Updated bindings for P-256
+- Bytecode files provided in hacl-star-raw to ease debugging
+
+## 0.1.1
+- Support for ARM
+
+## 0.1
+The first release of the OCaml API for HACL*
diff --git a/ocaml/hacl-star/EverCrypt.ml b/ocaml/hacl-star/EverCrypt.ml
new file mode 100644
index 00000000..456aabf9
--- /dev/null
+++ b/ocaml/hacl-star/EverCrypt.ml
@@ -0,0 +1,311 @@ +open Ctypes +open Unsigned + +open SharedDefs +open SharedFunctors +module C = CBytes + +type bytes = CBytes.t + +module Hacl_Spec = Hacl_Spec_bindings.Bindings(Hacl_Spec_stubs) + +module EverCrypt_AEAD = EverCrypt_AEAD_bindings.Bindings(EverCrypt_AEAD_stubs) +module EverCrypt_Chacha20Poly1305 = EverCrypt_Chacha20Poly1305_bindings.Bindings(EverCrypt_Chacha20Poly1305_stubs) +module EverCrypt_Curve25519 = EverCrypt_Curve25519_bindings.Bindings(EverCrypt_Curve25519_stubs) +module EverCrypt_Hash = EverCrypt_Hash_bindings.Bindings(EverCrypt_Hash_stubs) +module EverCrypt_HMAC = EverCrypt_HMAC_bindings.Bindings(EverCrypt_HMAC_stubs) +module EverCrypt_Poly1305 = EverCrypt_Poly1305_bindings.Bindings(EverCrypt_Poly1305_stubs) +module EverCrypt_HKDF = EverCrypt_HKDF_bindings.Bindings(EverCrypt_HKDF_stubs) +module EverCrypt_DRBG = EverCrypt_DRBG_bindings.Bindings(EverCrypt_DRBG_stubs) +module EverCrypt_Ed25519 = EverCrypt_Ed25519_bindings.Bindings(EverCrypt_Ed25519_stubs) + + +module Error = struct + type error_code = + | UnsupportedAlgorithm + | InvalidKey + | AuthenticationFailure + | InvalidIVLength + | DecodeError + type 'a result = + | Success of 'a + | Error of error_code + let error n = + let err = match n with + | 1 -> UnsupportedAlgorithm + | 2 -> InvalidKey + | 3 -> AuthenticationFailure + | 4 -> InvalidIVLength + | 5 -> DecodeError + | _ -> failwith "Impossible" + in + Error err + let get_result r = match UInt8.to_int r with + | 0 -> Success () + | n -> error n +end + +let at_exit_full_major = lazy (at_exit Gc.full_major) + +module AEAD = struct + open Error + open SharedDefs.AEADDefs + open EverCrypt_AEAD + + type t = alg * (everCrypt_AEAD_state_s ptr) ptr + + let init ~alg ~key : t result = + Lazy.force at_exit_full_major; + assert (C.size key = key_length alg); + let st = allocate + ~finalise:(fun st -> everCrypt_AEAD_free (!@ st)) + (ptr everCrypt_AEAD_state_s) + (from_voidp everCrypt_AEAD_state_s null) + in + match UInt8.to_int 
(everCrypt_AEAD_create_in (alg_definition alg) st (C.ctypes_buf key)) with + | 0 -> Success (alg, st) + | n -> error n + + module Noalloc = struct + let encrypt ~st:(alg, st) ~iv ~ad ~pt ~ct ~tag : unit result = + (* providers/EverCrypt.AEAD.encrypt_pre *) + check_sizes ~alg ~iv_len:(C.size iv) ~tag_len:(C.size tag) + ~ad_len:(C.size ad)~pt_len:(C.size pt) ~ct_len:(C.size ct); + assert (C.disjoint ct tag); + assert (C.disjoint iv ct); + assert (C.disjoint iv tag); + assert (C.disjoint pt tag); + assert (C.disjoint pt ad); + assert (C.disjoint ad ct); + assert (C.disjoint ad tag); + get_result (everCrypt_AEAD_encrypt (!@st) + (C.ctypes_buf iv) (C.size_uint32 iv) (C.ctypes_buf ad) (C.size_uint32 ad) + (C.ctypes_buf pt) (C.size_uint32 pt) (C.ctypes_buf ct) (C.ctypes_buf tag)) + let decrypt ~st:(alg, st) ~iv ~ad ~ct ~tag ~pt : unit result = + (* EverCrypt.AEAD.decrypt_st *) + check_sizes ~alg ~iv_len:(C.size iv) ~tag_len:(C.size tag) + ~ad_len:(C.size ad)~pt_len:(C.size pt) ~ct_len:(C.size ct); + assert (C.disjoint tag pt); + assert (C.disjoint tag ct); + assert (C.disjoint tag ad); + assert (C.disjoint ct ad); + assert (C.disjoint pt ad); + get_result (everCrypt_AEAD_decrypt (!@st) + (C.ctypes_buf iv) (C.size_uint32 iv) (C.ctypes_buf ad) (C.size_uint32 ad) + (C.ctypes_buf ct) (C.size_uint32 ct) (C.ctypes_buf tag) (C.ctypes_buf pt)) + end + let encrypt ~st:(alg, st) ~iv ~ad ~pt = + let ct = C.make (C.size pt) in + let tag = C.make (tag_length alg) in + match Noalloc.encrypt ~st:(alg, st) ~iv ~ad ~pt ~ct ~tag with + | Success () -> Success (ct, tag) + | Error n -> Error n + let decrypt ~st:(alg, st) ~iv ~ad ~ct ~tag = + let pt = C.make (C.size ct) in + match Noalloc.decrypt ~st:(alg, st) ~iv ~ad ~ct ~tag ~pt with + | Success () -> Success pt + | Error n -> Error n +end + +module Chacha20_Poly1305 : Chacha20_Poly1305 = + Make_Chacha20_Poly1305 (struct + (* EverCrypt already performs these runtime checks so all `reqs` attributes in + * this file are empty since there is 
no need to do them here. *) + let reqs = [] + let encrypt = EverCrypt_Chacha20Poly1305.everCrypt_Chacha20Poly1305_aead_encrypt + let decrypt = EverCrypt_Chacha20Poly1305.everCrypt_Chacha20Poly1305_aead_decrypt + end) + +module Curve25519 : Curve25519 = + Make_Curve25519 (struct + let reqs = [] + let secret_to_public = EverCrypt_Curve25519.everCrypt_Curve25519_secret_to_public + let scalarmult = EverCrypt_Curve25519.everCrypt_Curve25519_scalarmult + let ecdh = EverCrypt_Curve25519.everCrypt_Curve25519_ecdh + end) + +module Ed25519 : EdDSA = + Make_EdDSA (struct + let secret_to_public = EverCrypt_Ed25519.everCrypt_Ed25519_secret_to_public + let sign = EverCrypt_Ed25519.everCrypt_Ed25519_sign + let verify = EverCrypt_Ed25519.everCrypt_Ed25519_verify + let expand_keys = EverCrypt_Ed25519.everCrypt_Ed25519_expand_keys + let sign_expanded = EverCrypt_Ed25519.everCrypt_Ed25519_sign_expanded + end) + +module Hash = struct + open HashDefs + open EverCrypt_Hash + module Noalloc = struct + let hash ~alg ~msg ~digest = + check_max_input_len alg (C.size msg); + assert (C.size digest = digest_len alg); + assert (C.disjoint digest msg); + everCrypt_Hash_hash (alg_definition alg) (C.ctypes_buf digest) (C.ctypes_buf msg) (C.size_uint32 msg) + let finish ~st:(alg, _, t) ~digest = + assert (C.size digest = digest_len alg); + everCrypt_Hash_Incremental_finish t (C.ctypes_buf digest) + end + type t = alg * Z.t ref * hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ ptr + let init ~alg = + Lazy.force at_exit_full_major; + let alg_spec = alg_definition alg in + let st = everCrypt_Hash_Incremental_create_in alg_spec in + everCrypt_Hash_Incremental_init st; + let incr_len = ref Z.zero in + Gc.finalise everCrypt_Hash_Incremental_free st; + (alg, incr_len, st) + let update ~st:(alg, incr_len, t) ~msg = + check_max_input_len alg (C.size msg); + incr_len := Z.add !incr_len (Z.of_int (C.size msg)); + assert (Z.lt !incr_len (max_input_len alg)); + everCrypt_Hash_Incremental_update t 
(C.ctypes_buf msg) (C.size_uint32 msg) + let finish ~st:(alg, incr_len, t) = + let digest = C.make (digest_len alg) in + Noalloc.finish ~st:(alg, incr_len, t) ~digest; + digest + let hash ~alg ~msg = + let digest = C.make (digest_len alg) in + Noalloc.hash ~alg ~msg ~digest; + digest +end + +module SHA2_224 : HashFunction = + Make_HashFunction (struct + let hash_alg = Agile HashDefs.SHA2_224 + let hash = EverCrypt_Hash.everCrypt_Hash_hash_224 +end) + +module SHA2_256 : HashFunction = + Make_HashFunction (struct + let hash_alg = Agile HashDefs.SHA2_256 + let hash = EverCrypt_Hash.everCrypt_Hash_hash_256 +end) + +module HMAC = struct + open EverCrypt_HMAC + let is_supported_alg ~alg = + everCrypt_HMAC_is_supported_alg (HashDefs.alg_definition alg) + module Noalloc = struct + let mac ~alg ~key ~msg ~tag= + (* Hacl.HMAC.compute_st *) + assert (C.size tag = HashDefs.digest_len alg); + assert (C.disjoint msg tag); + HashDefs.check_key_len alg (C.size key); + HashDefs.check_key_len alg (C.size msg); + everCrypt_HMAC_compute (HashDefs.alg_definition alg) (C.ctypes_buf tag) (C.ctypes_buf key) (C.size_uint32 key) (C.ctypes_buf msg) (C.size_uint32 msg) + end + let mac ~alg ~key ~msg = + let tag = C.make (HashDefs.digest_len alg) in + Noalloc.mac ~alg ~key ~msg ~tag; + tag +end + +module HMAC_SHA2_256 : MAC = + Make_HMAC (struct + let hash_alg = HashDefs.SHA2_256 + let mac = EverCrypt_HMAC.everCrypt_HMAC_compute_sha2_256 +end) + +module HMAC_SHA2_384 : MAC = + Make_HMAC (struct + let hash_alg = HashDefs.SHA2_384 + let mac = EverCrypt_HMAC.everCrypt_HMAC_compute_sha2_384 +end) + +module HMAC_SHA2_512 : MAC = + Make_HMAC (struct + let hash_alg = HashDefs.SHA2_512 + let mac = EverCrypt_HMAC.everCrypt_HMAC_compute_sha2_512 +end) + +module Poly1305 : MAC = + Make_Poly1305 (struct + let reqs = [] + let mac dst data_len data key = EverCrypt_Poly1305.everCrypt_Poly1305_poly1305 dst data data_len key +end) + +module HKDF = struct + open EverCrypt_HKDF + module Noalloc = struct + let 
extract ~alg ~salt ~ikm ~prk = + (* Hacl.HKDF.extract_st *) + assert (C.size prk = HashDefs.digest_len alg); + assert (C.disjoint salt prk); + assert (C.disjoint ikm prk); + HashDefs.check_key_len alg (C.size salt); + HashDefs.check_key_len alg (C.size ikm); + everCrypt_HKDF_extract (HashDefs.alg_definition alg) (C.ctypes_buf prk) (C.ctypes_buf salt) (C.size_uint32 salt) (C.ctypes_buf ikm) (C.size_uint32 ikm) + let expand ~alg ~prk ~info ~okm = + (* Hacl.HKDF.expand_st *) + assert (C.size okm <= 255 * HashDefs.digest_len alg); + assert (C.disjoint okm prk); + assert (HashDefs.digest_len alg <= C.size prk); + HashDefs.(check_max_input_len alg (digest_len alg + block_len alg + C.size info + 1)); + HashDefs.check_key_len alg (C.size prk); + everCrypt_HKDF_expand (HashDefs.alg_definition alg) (C.ctypes_buf okm) (C.ctypes_buf prk) (C.size_uint32 prk) (C.ctypes_buf info) (C.size_uint32 info) (C.size_uint32 okm) + end + let extract ~alg ~salt ~ikm = + let prk = C.make (HashDefs.digest_len alg) in + Noalloc.extract ~alg ~salt ~ikm ~prk; + prk + let expand ~alg ~prk ~info ~size = + let okm = C.make size in + Noalloc.expand ~alg ~prk ~info ~okm; + okm +end + +module HKDF_SHA2_256 : HKDF = + Make_HKDF (struct + let hash_alg = HashDefs.SHA2_256 + let expand = EverCrypt_HKDF.everCrypt_HKDF_expand_sha2_256 + let extract = EverCrypt_HKDF.everCrypt_HKDF_extract_sha2_256 + end) + +module HKDF_SHA2_384 : HKDF = + Make_HKDF (struct + let hash_alg = HashDefs.SHA2_384 + let expand = EverCrypt_HKDF.everCrypt_HKDF_expand_sha2_384 + let extract = EverCrypt_HKDF.everCrypt_HKDF_extract_sha2_384 + end) + +module HKDF_SHA2_512 : HKDF = + Make_HKDF (struct + let hash_alg = HashDefs.SHA2_512 + let expand = EverCrypt_HKDF.everCrypt_HKDF_expand_sha2_512 + let extract = EverCrypt_HKDF.everCrypt_HKDF_extract_sha2_512 + end) + +module DRBG = struct + open EverCrypt_DRBG + type t = everCrypt_DRBG_state_s ptr + module Noalloc = struct + let generate ?(additional_input=Bytes.empty) st output = + (* 
EverCrypt.DRBG.generate_st *) + assert (C.disjoint output additional_input); + everCrypt_DRBG_generate (C.ctypes_buf output) st (C.size_uint32 output) (C.ctypes_buf additional_input) (C.size_uint32 additional_input) + end + let is_supported_alg alg = + (* as defined in Spec.HMAC_DRBG, excluding SHA-1 *) + alg = HashDefs.SHA2_256 || alg = HashDefs.SHA2_384 || alg = HashDefs.SHA2_512 + let instantiate ?(personalization_string=Bytes.empty) alg = + (* EverCrypt.DRBG.instantiate_st *) + if is_supported_alg alg then + let st = everCrypt_DRBG_create (HashDefs.alg_definition alg) in + if everCrypt_DRBG_instantiate st (C.ctypes_buf personalization_string) (C.size_uint32 personalization_string) then begin + Gc.finalise everCrypt_DRBG_uninstantiate st; + Some st + end else + None + else + None + let generate ?(additional_input=Bytes.empty) st size = + let output = C.make size in + if Noalloc.generate ~additional_input st output then + Some output + else + None + let reseed ?(additional_input=Bytes.empty) st = + (* EverCrypt.DRBG.reseed_st *) + everCrypt_DRBG_reseed st (C.ctypes_buf additional_input) (C.size_uint32 additional_input) +end diff --git a/ocaml/hacl-star/EverCrypt.mli b/ocaml/hacl-star/EverCrypt.mli new file mode 100644 index 00000000..a96c1108 --- /dev/null +++ b/ocaml/hacl-star/EverCrypt.mli 
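Review bot: The buffer-length and disjointness preconditions in `AEAD.init`, `AEAD.Noalloc`, `Hash`, `HMAC.Noalloc.mac` and `HKDF.Noalloc` are enforced with `assert`, which ocamlopt removes under `-noassert`, so such a build would pass a wrong-sized `key`, `tag`, `digest` or `prk` buffer straight into the C code with no check at the FFI boundary. Because these guards protect memory bounds on the unverified side, an explicit check that always raises is safer, e.g. in `AEAD.init`: `if C.size key <> key_length alg then invalid_arg "EverCrypt.AEAD.init: key length";` and the same pattern for the other asserts. Separately, `DRBG.instantiate` obtains `st` from `everCrypt_DRBG_create` and, when `everCrypt_DRBG_instantiate` returns false, returns `None` without attaching a finaliser or releasing the state, so that allocation leaks on the failure path; calling `everCrypt_DRBG_uninstantiate st` before returning `None` would close it, provided uninstantiate is valid on a state whose instantiate failed — I cannot confirm that from here.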
@@ -0,0 +1,331 @@ +(** This module exposes the EverCrypt cryptographic provider, which offers + agile and multiplexing interfaces for HACL* primitives. *) + +open SharedDefs + +type bytes = CBytes.t +(** [bytes] is ultimately an alias for [Stdlib.Bytes.t], the type of buffers currently used + throughout the library *) + +module Error : sig + type error_code = + | UnsupportedAlgorithm + | InvalidKey + | AuthenticationFailure + | InvalidIVLength + | DecodeError + type 'a result = + | Success of 'a + | Error of error_code +end +(** Return type used for {!AEAD} functions *) + + +(** {1 AEAD} + Algorithms for AEAD (authenticated encryption with additional data) *) + +(** {2 Agile interface } *) + +module AEAD : sig +(** Agile, multiplexing AEAD interface exposing AES128-GCM, AES256-GCM, and Chacha20-Poly1305 + + To use the agile AEAD interface, users first need to initialise an internal state + using {!init}. This state will then need to be passed to every call to {!encrypt} + and {!decrypt}. It can be reused as many times as needed. + Users are not required to manually free the state. + + The [tag] buffer must be 16 bytes long. For [key] and [iv], each algorithm + has different constraints: + - AES128-GCM: [key] = 16 bytes , [iv] > 0 bytes + - AES256-GCM: [key] = 32 bytes, [iv] > 0 bytes + - Chacha20-Poly1305: [key] = 32 bytes, [iv] = 12 bytes +*) + + type t + + val init : alg:AEADDefs.alg -> key:bytes -> t Error.result + (** [init alg key] tries to allocate the internal state for algorithm [alg] with [key] + and returns a {!t} if successful or an {!Error.error_code} otherwise. *) + + val encrypt : st:t -> iv:bytes -> ad:bytes -> pt:bytes -> (bytes * bytes) Error.result + (** [encrypt key iv ad pt] takes a [key], an initial value [iv], additional data + [ad], and plaintext [pt] and, if successful, returns a tuple containing the encrypted [pt] and the + authentication tag for the plaintext and the associated data. 
*) + + val decrypt : st:t -> iv:bytes -> ad:bytes -> ct:bytes -> tag:bytes -> bytes Error.result + (** [decrypt key iv ad ct tag] takes a [key], the initial value [iv], additional + data [ad], ciphertext [ct], and authentication tag [tag], and, if successful, + returns the decrypted [ct]. *) + + (** Versions of these functions which write their output in a buffer passed in as + an argument *) + module Noalloc : sig + val encrypt : st:t -> iv:bytes -> ad:bytes -> pt:bytes -> ct:bytes -> tag:bytes -> unit Error.result + (** [encrypt st iv ad pt ct tag] takes a state [st], an initial value [iv], additional data + [ad], and plaintext [pt], as well as output buffers [ct], which, if successful, will + contain the encrypted [pt], and [tag], which will contain the authentication tag for + the plaintext and the associated data. *) + + val decrypt : st:t -> iv:bytes -> ad:bytes -> ct:bytes -> tag:bytes -> pt:bytes -> unit Error.result + (** [decrypt st iv ad ct tag pt] takes a state [st], the initial value [iv], additional + data [ad], ciphertext [ct], and authentication tag [tag], as well as output buffer [pt], + which, if successful, will contain the decrypted [ct]. *) + end +end + + +(** {2 Chacha20-Poly1305} *) + +module Chacha20_Poly1305 : Chacha20_Poly1305 +(** Multiplexing interface for Chacha20-Poly1305 *) + +(** {1 ECDH and EdDSA } + Algorithms for digital signatures and key agreement *) + +(** {2 Curve25519} *) + +module Curve25519 : Curve25519 +(** Multiplexing interface for ECDH using Curve25519 *) + +(** {2 Ed25519} *) + +module Ed25519 : EdDSA +(** This interface does not yet support multiplexing and is + identical to the one in {!Hacl.Ed25519} *) + + +(** {1 Hashing } *) +(** {2 Agile interface } *) + +module Hash : sig + +(** {1 Direct interface} *) + + val hash : alg:HashDefs.alg -> msg:bytes -> bytes + (** [hash alg msg] hashes [msg] using algorithm [alg] and returns the digest. 
*) + +(** {1 Streaming interface} + + To use the agile streaming interface, users first need to initialise an internal state using {!init}. + The state will then need to be passed to every call to {!update} and {!finish}. Both {!update} and + {!finish} can be called as many times as needed without invalidating the state. + Users are not required to manually free the state. + + When using the streaming interface, the total number of bytes passed through {!update} must not exceed + - 2{^61} for SHA-224, SHA-256, and the legacy algorithms + - 2{^125} for SHA-384 and SHA-512 +*) + + type t + val init : alg:HashDefs.alg -> t + (** [init alg] allocates the internal state for algorithm [alg] and + returns a {!t}. *) + + val update : st:t -> msg:bytes -> unit + (** [update st msg] updates the internal state [st] with the contents of [msg]. *) + + val finish : st:t -> bytes + (** [finish st] returns the digest without invalidating the internal state [st]. *) + + (** Versions of these functions which write their output in a buffer passed in as + an argument *) + module Noalloc : sig + + (** {1 Direct interface} *) + + val hash : alg:HashDefs.alg -> msg:bytes -> digest:bytes -> unit + (** [hash alg msg digest] hashes [msg] using algorithm [alg] and outputs the + result in [digest]. *) + + (** {1 Streaming interface} *) + + val finish : st:t -> digest:bytes -> unit + (** [finish st digest] writes a digest in [digest], without invalidating the + internal state [st]. *) + end +end +(** Agile, multiplexing hashing interface, exposing 4 variants of SHA-2 + (SHA-224, SHA-256, SHA-384, SHA-512), BLAKE2, and 2 legacy algorithms (SHA-1, MD5). + It offers both direct hashing and a streaming interface. + + {i Note:} The agile BLAKE2 interface is NOT currently multiplexing and it only exposes the portable C + implementations of BLAKE2b and BLAKE2s. Optimised, platform-specific versions are aviailable + in {{!Hacl.blake2}Hacl}. 
+ + For [digest], its size must match the size of the digest produced by the algorithm being used: + - SHA-224: 28 bytes + - SHA-256: 32 bytes + - SHA-384: 48 bytes + - SHA-512: 64 bytes + - BLAKE2b: <= 64 bytes + - BLAKE2s: <= 32 bytes + + {b The {{!SharedDefs.HashDefs.deprecated_alg}legacy algorithms} (marked [deprecated]) should NOT be used for cryptographic purposes. } + For these, the size of the digest is: + - SHA-1: 20 bytes + - MD5: 16 bytes +*) + +(** {2:sha2 SHA-2} +Multiplexing interfaces for SHA-224 and SHA-256 which use {{!AutoConfig2.SHAEXT}Intel SHA extensions} when available. +*) + +module SHA2_224 : HashFunction +(** Direct hashing with SHA-224 + +The [digest] buffer must match the digest size of SHA-224, which is 28 bytes. +*) + +module SHA2_256 : HashFunction +(** Direct hashing with SHA-256 + +The [digest] buffer must match the digest size of SHA-256, which is 32 bytes. +*) + + +(** {1:mac MACs} +Message authentication codes *) + +(** {2 HMAC} + Portable HMAC implementations. They can use optimised assembly implementations for the + underlying hash function, if such an implementation exists and + {{!AutoConfig2.SHAEXT}Intel SHA extensions} are available (see {!sha2}). +*) + +module HMAC : sig + val is_supported_alg : alg:HashDefs.alg -> bool + (** [is_supported_alg alg] returns true if the hashing algorithm [alg] is supported + in the agile HMAC interface. *) + + val mac : alg:HashDefs.alg -> key:bytes -> msg:bytes -> bytes + (** [mac alg key msg] computes the HMAC of [msg] based on hashing algorithm [alg] + using key [key]. *) + + (** Versions of these functions which write their output in a buffer passed in as + an argument *) + module Noalloc : sig + val mac : alg:HashDefs.alg -> key:bytes -> msg:bytes -> tag:bytes -> unit + (** [mac alg key msg tag] computes the HMAC of [msg] based on hashing algorithm [alg] + using key [key] and writes the result in [tag]. The `tag` buffer needs to satisfy + the size requirements for the output buffer. 
*) + end +end +(** Agile, multiplexing interface for HMAC + +The hashing algorithms currently supported are the same as for the {{!EverCrypt.Hash}agile hashing interface}: + - SHA-2 (SHA-256, SHA-384, SHA-512) + - BLAKE2 (BLAKE2b, BLAKE2s) + + For HMAC with SHA2, the output buffer is the same size as the digest size of + the corresponding hash function (see {{!EverCrypt.Hash} here}). For HMAC with BLAKE2, + the output buffer is 64 bytes for BLAKE2b and 32 bytes for BLAKE2s. +*) + + +(** Non-agile, multiplexing interfaces for each version of HMAC are also available. *) + +module HMAC_SHA2_256 : MAC +(** Multiplexing interface for HMAC-SHA-256 *) + +module HMAC_SHA2_384 : MAC +(** Multiplexing interface for HMAC-SHA-384 *) + +module HMAC_SHA2_512 : MAC +(** Multiplexing interface for HMAC-SHA-512 *) + +(** {2 Poly1305} *) + +module Poly1305 : MAC +(** Multiplexing interface for Poly1305 *) + + +(** {1 Key derivation} *) +(** {2:hkdf HKDF} + HMAC-based key derivation function + + Portable HKDF implementations. They can use optimised assembly implementations for the + underlying hash function, if such an implementation exists and + {{!AutoConfig2.SHAEXT}Intel SHA extensions} are available (see {!sha2}). +*) + +module HKDF : sig + val extract : alg:HashDefs.alg -> salt:bytes -> ikm:bytes -> bytes + (** [extract alg salt ikm] computes a pseudorandom key using hashing algorithm [alg] with + input key material [ikm] and salt [salt]. *) + + val expand : alg:HashDefs.alg -> prk:bytes -> info:bytes -> size:int -> bytes + (** [expand alg prk info size] expands the pseudorandom key [prk] using hashing + algorithm [alg], taking the info string [info] into account and + returns a buffer of [size] bytes. 
*) + + (** Versions of these functions which write their output in a buffer passed in as + an argument *) + module Noalloc : sig + val extract : alg:HashDefs.alg -> salt:bytes -> ikm:bytes -> prk:bytes -> unit + (** [extract alg salt ikm prk] computes a pseudorandom key [prk] using + hashing algorithm [alg] with input key material [ikm] and salt [salt]. *) + + val expand : alg:HashDefs.alg -> prk:bytes -> info:bytes -> okm:bytes -> unit + (** [expand alg prk info okm] expands the pseudorandom key [prk] using + hashing algorithm [alg], taking the info string [info] into account, + and writes the output key material in [okm]. *) + end +end +(** Agile, multiplexing interface for HKDF + + Supports the same hashing algorithms as {!EverCrypt.HMAC}. +*) + +module HKDF_SHA2_256 : HKDF +(** Multiplexing interface for HKDF using SHA2-256 *) + +module HKDF_SHA2_384 : HKDF +(** Multiplexing interface for HKDF using SHA2-384 *) + +module HKDF_SHA2_512 : HKDF +(** Multiplexing interface for HKDF using SHA2-512 *) + +(** {1 DRBG} + +Deterministic random bit generator +*) + +(** {2 HMAC-DRBG} *) + +module DRBG : sig + type t + + val is_supported_alg : HashDefs.alg -> bool + (** [is_supported_alg alg] returns true if the hashing algorithm [alg] is supported + in the agile HMAC-DRBG interface. *) + + val instantiate : ?personalization_string: bytes -> HashDefs.alg -> t option + (** [instantiate ?personalization_string alg] allocates the internal state for algorithm [alg] + using the optional [personalization_string] and returns a {!t}. *) + + val generate : ?additional_input: bytes -> t -> int -> bytes option + (** [generate ?additional_input st size] takes optional [additional_input], a state [st] and + [size], the desired number of random bytes, and returns such a buffer if successful. *) + + val reseed : ?additional_input: bytes -> t -> bool + (** [reseed ?additional_input st] attempts to reseed [st], using the optional [additional_input] + and returns true if successful. 
*) + + (** Versions of these functions which write their output in a buffer passed in as + an argument *) + module Noalloc : sig + val generate : ?additional_input: bytes -> t -> bytes -> bool + (** [generate ?additional_input st output] takes an optional [additional_input], a state [st] and + an output buffer [output], which will be filled with random bytes if successful. *) + end +end +(** Agile, multiplexing interface for HMAC-DRBG + + The supported hashing algorithms are SHA2-256, SHA2-384, SHA2-512. + + Users first need to instantiate an internal state with a compatible hashing algorithm and an + optional but recommended personalization string. The [generate] or [Noalloc.generate] functions + can then be called any number of times. + + Users have the possibility to reseed, but it is not required. +*) diff --git a/ocaml/hacl-star/Hacl.ml b/ocaml/hacl-star/Hacl.ml new file mode 100644 index 00000000..b2d33560 --- /dev/null +++ b/ocaml/hacl-star/Hacl.ml 
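Review bot: The doc comments on `AEAD.encrypt` and `AEAD.decrypt` describe a `[key]` argument (`[encrypt key iv ad pt] takes a [key], ...`), but both signatures take `st:t` — the state produced by {!init} — and no key; the `Noalloc` variants just below document `[st]` correctly, so the outer ones should read e.g. `[encrypt st iv ad pt] takes a state [st] (see {!init}), an initial value [iv], additional data [ad], and plaintext [pt] ...`. Likewise `DRBG.instantiate` is documented as returning `a {!t}` while its type is `t option`; the implementation in the preceding EverCrypt.ml hunk returns `None` both when `is_supported_alg alg` is false and when the underlying instantiation reports failure, so the comment should say `... and returns [Some st] if successful, or [None] if [alg] is not supported (see {!is_supported_alg}) or instantiation fails.` The word `aviailable` in the `Hash` module comment is a typo for `available`.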
@@ -0,0 +1,582 @@ +#include "config.h" + +open Unsigned + +open AutoConfig2 +open SharedDefs +open SharedFunctors +module C = CBytes + +type bytes = CBytes.t + +module Lib_RandomBuffer_System = Lib_RandomBuffer_System_bindings.Bindings(Lib_RandomBuffer_System_stubs) +module Hacl_Chacha20Poly1305_32 = Hacl_Chacha20Poly1305_32_bindings.Bindings(Hacl_Chacha20Poly1305_32_stubs) +module Hacl_Curve25519_51 = Hacl_Curve25519_51_bindings.Bindings(Hacl_Curve25519_51_stubs) +module Hacl_Ed25519 = Hacl_Ed25519_bindings.Bindings(Hacl_Ed25519_stubs) +module Hacl_SHA3 = Hacl_SHA3_bindings.Bindings(Hacl_SHA3_stubs) +module Hacl_HMAC = Hacl_HMAC_bindings.Bindings(Hacl_HMAC_stubs) +module Hacl_Poly1305_32 = Hacl_Poly1305_32_bindings.Bindings(Hacl_Poly1305_32_stubs) +module Hacl_HKDF = Hacl_HKDF_bindings.Bindings(Hacl_HKDF_stubs) +module Hacl_NaCl = Hacl_NaCl_bindings.Bindings(Hacl_NaCl_stubs) +module Hacl_Hash_Blake2 = Hacl_Hash_Blake2_bindings.Bindings(Hacl_Hash_Blake2_stubs) +module Hacl_Blake2b_32 = Hacl_Hash_Blake2 +module Hacl_Blake2s_32 = Hacl_Hash_Blake2 +module Hacl_P256 = Hacl_P256_bindings.Bindings(Hacl_P256_stubs) + +#ifdef HACL_CAN_COMPILE_VEC128 +module Hacl_Chacha20Poly1305_128 = Hacl_Chacha20Poly1305_128_bindings.Bindings(Hacl_Chacha20Poly1305_128_stubs) +module Hacl_Poly1305_128 = Hacl_Poly1305_128_bindings.Bindings(Hacl_Poly1305_128_stubs) +module Hacl_Blake2s_128 = Hacl_Hash_Blake2s_128_bindings.Bindings(Hacl_Hash_Blake2s_128_stubs) +#endif + +#ifdef HACL_CAN_COMPILE_VEC256 +module Hacl_Chacha20Poly1305_256 = Hacl_Chacha20Poly1305_256_bindings.Bindings(Hacl_Chacha20Poly1305_256_stubs) +module Hacl_Poly1305_256 = Hacl_Poly1305_256_bindings.Bindings(Hacl_Poly1305_256_stubs) +module Hacl_Blake2b_256 = Hacl_Hash_Blake2b_256_bindings.Bindings(Hacl_Hash_Blake2b_256_stubs) +#endif + +#ifdef HACL_CAN_COMPILE_VALE +module Hacl_Curve25519_64 = Hacl_Curve25519_64_bindings.Bindings(Hacl_Curve25519_64_stubs) +#endif + +module RandomBuffer = struct + module Noalloc = struct + 
let randombytes ~out = + Lib_RandomBuffer_System.randombytes (C.ctypes_buf out) (C.size_uint32 out) + end + let randombytes ~size = + let out = C.make size in + if Noalloc.randombytes ~out then + Some out + else + None +end + +module Chacha20_Poly1305_32 : Chacha20_Poly1305 = + Make_Chacha20_Poly1305 (struct + let reqs = [] + let encrypt = Hacl_Chacha20Poly1305_32.hacl_Chacha20Poly1305_32_aead_encrypt + let decrypt = Hacl_Chacha20Poly1305_32.hacl_Chacha20Poly1305_32_aead_decrypt + end) + +module Curve25519_51 : Curve25519 = + Make_Curve25519 (struct + let reqs = [] + let secret_to_public = Hacl_Curve25519_51.hacl_Curve25519_51_secret_to_public + let scalarmult = Hacl_Curve25519_51.hacl_Curve25519_51_scalarmult + let ecdh = Hacl_Curve25519_51.hacl_Curve25519_51_ecdh + end) + +module Ed25519 : EdDSA = + Make_EdDSA (struct + let secret_to_public = Hacl_Ed25519.hacl_Ed25519_secret_to_public + let sign = Hacl_Ed25519.hacl_Ed25519_sign + let verify = Hacl_Ed25519.hacl_Ed25519_verify + let expand_keys = Hacl_Ed25519.hacl_Ed25519_expand_keys + let sign_expanded = Hacl_Ed25519.hacl_Ed25519_sign_expanded + end) + +module SHA2_224 : HashFunction = + Make_HashFunction (struct + let hash_alg = Agile HashDefs.SHA2_224 + let hash = Hacl_Hash.hacl_Hash_SHA2_hash_224 +end) + +module SHA2_256 : HashFunction = + Make_HashFunction (struct + let hash_alg = Agile HashDefs.SHA2_256 + let hash = Hacl_Hash.hacl_Hash_SHA2_hash_256 +end) + +module SHA2_384 : HashFunction = + Make_HashFunction (struct + let hash_alg = Agile HashDefs.SHA2_384 + let hash = Hacl_Hash.hacl_Hash_SHA2_hash_384 +end) + +module SHA2_512 : HashFunction = + Make_HashFunction (struct + let hash_alg = Agile HashDefs.SHA2_512 + let hash = Hacl_Hash.hacl_Hash_SHA2_hash_512 +end) + +module SHA3_224 : HashFunction = + Make_HashFunction (struct + let hash_alg = SHA3_224 + let hash input input_len output = Hacl_SHA3.hacl_SHA3_sha3_224 input_len input output +end) + +module SHA3_256 : HashFunction = + Make_HashFunction (struct 
+ let hash_alg = SHA3_256 + let hash input input_len output = Hacl_SHA3.hacl_SHA3_sha3_256 input_len input output +end) + +module SHA3_384 : HashFunction = + Make_HashFunction (struct + let hash_alg = SHA3_384 + let hash input input_len output = Hacl_SHA3.hacl_SHA3_sha3_384 input_len input output +end) + +module SHA3_512 : HashFunction = + Make_HashFunction (struct + let hash_alg = SHA3_512 + let hash input input_len output = Hacl_SHA3.hacl_SHA3_sha3_512 input_len input output +end) + +module Keccak = struct + module Noalloc = struct + let shake128 ~msg ~digest = + (* Hacl.SHA3.shake128_hacl *) + assert (C.disjoint msg digest); + Hacl_SHA3.hacl_SHA3_shake128_hacl (C.size_uint32 msg) (C.ctypes_buf msg) (C.size_uint32 digest) (C.ctypes_buf digest) + let shake256 ~msg ~digest = + (* Hacl.SHA3.shake256_hacl *) + assert (C.disjoint msg digest); + Hacl_SHA3.hacl_SHA3_shake256_hacl (C.size_uint32 msg) (C.ctypes_buf msg) (C.size_uint32 digest) (C.ctypes_buf digest) + let keccak ~rate ~capacity ~suffix ~msg ~digest = + (* Hacl.Impl.SHA3.keccak *) + assert (rate mod 8 = 0 && rate / 8 > 0 && rate <= 1600); + assert (capacity + rate = 1600); + assert (C.disjoint msg digest); + Hacl_SHA3.hacl_Impl_SHA3_keccak (UInt32.of_int rate) (UInt32.of_int capacity) (C.size_uint32 msg) (C.ctypes_buf msg) (UInt8.of_int suffix) (C.size_uint32 digest) (C.ctypes_buf digest) + end + let shake128 ~msg ~size = + let digest = C.make size in + Noalloc.shake128 ~msg ~digest; + digest + let shake256 ~msg ~size = + let digest = C.make size in + Noalloc.shake256 ~msg ~digest; + digest + let keccak ~rate ~capacity ~suffix ~msg ~size = + let digest = C.make size in + Noalloc.keccak ~rate ~capacity ~suffix ~msg ~digest; + digest +end + +module SHA1 : HashFunction = + Make_HashFunction (struct + let hash_alg = Agile HashDefs.(Legacy SHA1) + let hash = Hacl_Hash.hacl_Hash_SHA1_legacy_hash +end) [@@deprecated] + +module MD5 : HashFunction = + Make_HashFunction (struct + let hash_alg = Agile HashDefs.(Legacy 
MD5) + let hash = Hacl_Hash.hacl_Hash_MD5_legacy_hash +end) [@@deprecated] + +module HMAC_SHA2_256 : MAC = + Make_HMAC (struct + let hash_alg = HashDefs.SHA2_256 + let mac = Hacl_HMAC.hacl_HMAC_compute_sha2_256 +end) + +module HMAC_SHA2_384 : MAC = + Make_HMAC (struct + let hash_alg = HashDefs.SHA2_384 + let mac = Hacl_HMAC.hacl_HMAC_compute_sha2_384 +end) + +module HMAC_SHA2_512 : MAC = + Make_HMAC (struct + let hash_alg = HashDefs.SHA2_512 + let mac = Hacl_HMAC.hacl_HMAC_compute_sha2_512 +end) + +module HMAC_BLAKE2b : MAC = + Make_HMAC (struct + let hash_alg = HashDefs.BLAKE2b + let mac = Hacl_HMAC.hacl_HMAC_compute_blake2b_32 +end) + +module HMAC_BLAKE2s : MAC = + Make_HMAC (struct + let hash_alg = HashDefs.BLAKE2s + let mac = Hacl_HMAC.hacl_HMAC_compute_blake2s_32 +end) + +module Poly1305_32 : MAC = + Make_Poly1305 (struct + let reqs = [] + let mac = Hacl_Poly1305_32.hacl_Poly1305_32_poly1305_mac +end) + +module HKDF_SHA2_256 : HKDF = + Make_HKDF (struct + let hash_alg = HashDefs.SHA2_256 + let expand = Hacl_HKDF.hacl_HKDF_expand_sha2_256 + let extract = Hacl_HKDF.hacl_HKDF_extract_sha2_256 + end) + +module HKDF_SHA2_512 : HKDF = + Make_HKDF (struct + let hash_alg = HashDefs.SHA2_512 + let expand = Hacl_HKDF.hacl_HKDF_expand_sha2_512 + let extract = Hacl_HKDF.hacl_HKDF_extract_sha2_512 + end) + +module HKDF_BLAKE2b : HKDF = + Make_HKDF (struct + let hash_alg = HashDefs.BLAKE2b + let expand = Hacl_HKDF.hacl_HKDF_expand_blake2b_32 + let extract = Hacl_HKDF.hacl_HKDF_extract_blake2b_32 + end) + +module HKDF_BLAKE2s : HKDF = + Make_HKDF (struct + let hash_alg = HashDefs.BLAKE2s + let expand = Hacl_HKDF.hacl_HKDF_expand_blake2s_32 + let extract = Hacl_HKDF.hacl_HKDF_extract_blake2s_32 + end) + +module NaCl = struct + open Hacl_NaCl + + let get_result r = + if r = UInt32.zero then + true + else + if r = UInt32.max_int then + false + else + failwith "Unknown return value" + let check_key_sizes pk sk = + assert (C.size pk = 32); + assert (C.size sk = 32) + let 
check_easy pt ct n = + assert (C.size ct = C.size pt + 16); + assert (C.size n = 24); + assert (C.disjoint pt ct); + assert (C.disjoint n pt); + assert (C.disjoint n ct) + let check_detached pt ct tag n = + assert (C.size ct = C.size pt); + assert (C.size tag = 16); + assert (C.size n = 24); + assert (C.disjoint tag ct); + assert (C.disjoint tag pt); + assert (C.disjoint n pt); + assert (C.disjoint n ct) + module Noalloc = struct + let box_beforenm ~pk ~sk ~ck = + check_key_sizes pk sk; + assert (C.size ck = 32); + assert (C.disjoint ck pk); + assert (C.disjoint ck sk); + get_result @@ hacl_NaCl_crypto_box_beforenm (C.ctypes_buf ck) (C.ctypes_buf pk) (C.ctypes_buf sk) + module Easy = struct + let box ~pt ~n ~pk ~sk ~ct = + check_key_sizes pk sk; + check_easy pt ct n; + get_result @@ hacl_NaCl_crypto_box_easy (C.ctypes_buf ct) (C.ctypes_buf pt) (C.size_uint32 pt) (C.ctypes_buf n) (C.ctypes_buf pk) (C.ctypes_buf sk) + let box_open ~ct ~n ~pk ~sk ~pt = + check_key_sizes pk sk; + check_easy pt ct n; + get_result @@ hacl_NaCl_crypto_box_open_easy (C.ctypes_buf pt) (C.ctypes_buf ct) (C.size_uint32 ct) (C.ctypes_buf n) (C.ctypes_buf pk) (C.ctypes_buf sk) + let box_afternm ~pt ~n ~ck ~ct = + assert (C.size ck = 32); + check_easy pt ct n; + get_result @@ hacl_NaCl_crypto_box_easy_afternm (C.ctypes_buf ct) (C.ctypes_buf pt) (C.size_uint32 pt) (C.ctypes_buf n) (C.ctypes_buf ck) + let box_open_afternm ~ct ~n ~ck ~pt = + assert (C.size ck = 32); + check_easy pt ct n; + get_result @@ hacl_NaCl_crypto_box_open_easy_afternm (C.ctypes_buf pt) (C.ctypes_buf ct) (C.size_uint32 ct) (C.ctypes_buf n) (C.ctypes_buf ck) + let secretbox ~pt ~n ~key ~ct = + assert (C.size key = 32); + check_easy pt ct n; + get_result @@ hacl_NaCl_crypto_secretbox_easy (C.ctypes_buf ct) (C.ctypes_buf pt) (C.size_uint32 pt) (C.ctypes_buf n) (C.ctypes_buf key) + let secretbox_open ~ct ~n ~key ~pt = + assert (C.size key = 32); + check_easy pt ct n; + get_result @@ hacl_NaCl_crypto_secretbox_open_easy 
(C.ctypes_buf pt) (C.ctypes_buf ct) (C.size_uint32 ct) (C.ctypes_buf n) (C.ctypes_buf key) + end + module Detached = struct + let box ~pt ~n ~pk ~sk ~ct ~tag = + check_key_sizes pk sk; + check_detached pt ct tag n; + get_result @@ hacl_NaCl_crypto_box_detached (C.ctypes_buf ct) (C.ctypes_buf tag) (C.ctypes_buf pt) (C.size_uint32 pt) (C.ctypes_buf n) (C.ctypes_buf pk) (C.ctypes_buf sk) + let box_open ~ct ~tag ~n ~pk ~sk ~pt = + check_key_sizes pk sk; + check_detached pt ct tag n; + get_result @@ hacl_NaCl_crypto_box_open_detached (C.ctypes_buf pt) (C.ctypes_buf ct) (C.ctypes_buf tag) (C.size_uint32 ct) (C.ctypes_buf n) (C.ctypes_buf pk) (C.ctypes_buf sk) + let box_afternm ~pt ~n ~ck ~ct ~tag = + assert (C.size ck = 32); + check_detached pt ct tag n; + get_result @@ hacl_NaCl_crypto_box_detached_afternm (C.ctypes_buf ct) (C.ctypes_buf tag) (C.ctypes_buf pt) (C.size_uint32 pt) (C.ctypes_buf n) (C.ctypes_buf ck) + let box_open_afternm ~ct ~tag ~n ~ck ~pt = + assert (C.size ck = 32); + check_detached pt ct tag n; + get_result @@ hacl_NaCl_crypto_box_open_detached_afternm (C.ctypes_buf pt) (C.ctypes_buf ct) (C.ctypes_buf tag) (C.size_uint32 ct) (C.ctypes_buf n) (C.ctypes_buf ck) + let secretbox ~pt ~n ~key ~ct ~tag = + assert (C.size key = 32); + check_detached pt ct tag n; + get_result @@ hacl_NaCl_crypto_secretbox_detached (C.ctypes_buf ct) (C.ctypes_buf tag) (C.ctypes_buf pt) (C.size_uint32 pt) (C.ctypes_buf n) (C.ctypes_buf key) + let secretbox_open ~ct ~tag ~n ~key ~pt = + assert (C.size key = 32); + check_detached pt ct tag n; + get_result @@ hacl_NaCl_crypto_secretbox_open_detached (C.ctypes_buf pt) (C.ctypes_buf ct) (C.ctypes_buf tag) (C.size_uint32 ct) (C.ctypes_buf n) (C.ctypes_buf key) + end + end + let box ~pt ~n ~pk ~sk = + let ct = C.make (C.size pt + 16) in + if Noalloc.Easy.box ~pt ~n ~pk ~sk ~ct then + Some ct + else + None + let box_open ~ct ~n ~pk ~sk = + assert (C.size ct >= 16); + let pt = C.make (C.size ct - 16) in + if Noalloc.Easy.box_open ~ct ~n 
~pk ~sk ~pt then + Some pt + else + None + let box_beforenm ~pk ~sk = + let ck = C.make 32 in + if Noalloc.box_beforenm ~pk ~sk ~ck then + Some ck + else + None + let box_afternm ~pt ~n ~ck = + let ct = C.make (C.size pt + 16) in + if Noalloc.Easy.box_afternm ~pt ~n ~ck ~ct then + Some ct + else + None + let box_open_afternm ~ct ~n ~ck = + assert (C.size ct >= 16); + let pt = C.make (C.size ct - 16) in + if Noalloc.Easy.box_open_afternm ~ct ~n ~ck ~pt then + Some pt + else + None + let secretbox ~pt ~n ~key = + let ct = C.make (C.size pt + 16) in + if Noalloc.Easy.secretbox ~pt ~n ~key ~ct then + Some ct + else + None + let secretbox_open ~ct ~n ~key = + assert (C.size ct >= 16); + let pt = C.make (C.size ct - 16) in + if Noalloc.Easy.secretbox_open ~ct ~n ~key ~pt then + Some pt + else + None +end + +module P256 = struct + module NoHash = Make_ECDSA (struct + let min_msg_size = 32 + let sign = Hacl_P256.hacl_P256_ecdsa_sign_p256_without_hash + let verify = Hacl_P256.hacl_P256_ecdsa_verif_without_hash + end) + module Noalloc = struct + let raw_to_compressed ~p ~result = + (* Hacl.P256.raw_to_compressed *) + assert (C.size p = 64); + assert (C.size result = 33); + Hacl_P256.hacl_P256_raw_to_compressed (C.ctypes_buf p) (C.ctypes_buf result) + let raw_to_uncompressed ~p ~result = + (* Hacl.P256.raw_to_uncompressed *) + assert (C.size p = 64); + assert (C.size result = 65); + Hacl_P256.hacl_P256_raw_to_uncompressed (C.ctypes_buf p) (C.ctypes_buf result) + let compressed_to_raw ~p ~result = + (* Hacl.P256.compressed_to_raw *) + assert (C.size p = 33); + assert (C.size result = 64); + Hacl_P256.hacl_P256_compressed_to_raw (C.ctypes_buf p) (C.ctypes_buf result) + let uncompressed_to_raw ~p ~result = + (* Hacl.P256.uncompressed_to_raw *) + assert (C.size p = 65); + assert (C.size result = 64); + Hacl_P256.hacl_P256_uncompressed_to_raw (C.ctypes_buf p) (C.ctypes_buf result) + let dh_initiator ~sk ~pk = + (* Hacl.P256.dh_initiator *) + assert (C.size pk = 64); + assert 
(C.size sk = 32); + assert (C.disjoint pk sk); + Hacl_P256.hacl_P256_dh_initiator (C.ctypes_buf pk) (C.ctypes_buf sk) + let dh_responder ~sk ~pk ~shared = + (* Hacl.P256.dh_responder *) + assert (C.size shared = 64); + assert (C.size pk = 64); + assert (C.size sk = 32); + assert (C.disjoint shared sk); + assert (C.disjoint shared pk); + Hacl_P256.hacl_P256_dh_responder (C.ctypes_buf shared) (C.ctypes_buf pk) (C.ctypes_buf sk) + let sign = NoHash.Noalloc.sign + end + let raw_to_compressed p = + let result = C.make 33 in + Noalloc.raw_to_compressed ~p ~result; + result + let raw_to_uncompressed p = + let result = C.make 65 in + Noalloc.raw_to_uncompressed ~p ~result; + result + let compressed_to_raw p = + let result = C.make 64 in + if Noalloc.compressed_to_raw ~p ~result then + Some result + else + None + let uncompressed_to_raw p = + let result = C.make 64 in + if Noalloc.uncompressed_to_raw ~p ~result then + Some result + else + None + let dh_initiator ~sk = + let pk = C.make 64 in + if Noalloc.dh_initiator ~sk ~pk then + Some pk + else + None + let dh_responder ~sk ~pk = + let shared = C.make 64 in + if Noalloc.dh_responder ~sk ~pk ~shared then + Some shared + else + None + let valid_sk ~sk = + (* Hacl.P256.validate_private_key *) + assert (C.size sk = 32); + Hacl_P256.hacl_P256_validate_private_key (C.ctypes_buf sk) + let valid_pk ~pk = + (* Hacl.P256.validate_public_key *) + assert (C.size pk = 64); + Hacl_P256.hacl_P256_validate_public_key (C.ctypes_buf pk) + let sign = NoHash.sign + let verify = NoHash.verify + module SHA2_256 = Make_ECDSA (struct + let min_msg_size = 0 + let sign = Hacl_P256.hacl_P256_ecdsa_sign_p256_sha2 + let verify = Hacl_P256.hacl_P256_ecdsa_verif_p256_sha2 + end) + module SHA2_384 = Make_ECDSA (struct + let min_msg_size = 0 + let sign = Hacl_P256.hacl_P256_ecdsa_sign_p256_sha384 + let verify = Hacl_P256.hacl_P256_ecdsa_verif_p256_sha384 + end) + module SHA2_512 = Make_ECDSA (struct + let min_msg_size = 0 + let sign = 
Hacl_P256.hacl_P256_ecdsa_sign_p256_sha512 + let verify = Hacl_P256.hacl_P256_ecdsa_verif_p256_sha512 + end) +end + +module Blake2b_32 : Blake2 = + Make_Blake2b (struct + let reqs = [] + let blake2b = Hacl_Blake2b_32.hacl_Blake2b_32_blake2b + end) + +module Blake2s_32 : Blake2 = + Make_Blake2s (struct + let reqs = [] + let blake2s = Hacl_Blake2s_32.hacl_Blake2s_32_blake2s + end) + +#ifdef HACL_CAN_COMPILE_VEC128 +module Chacha20_Poly1305_128 : Chacha20_Poly1305 = + Make_Chacha20_Poly1305 (struct + let reqs = [VEC128] + let encrypt = Hacl_Chacha20Poly1305_128.hacl_Chacha20Poly1305_128_aead_encrypt + let decrypt = Hacl_Chacha20Poly1305_128.hacl_Chacha20Poly1305_128_aead_decrypt + end) + +module Poly1305_128 : MAC = + Make_Poly1305 (struct + let reqs = [VEC128] + let mac = Hacl_Poly1305_128.hacl_Poly1305_128_poly1305_mac +end) + +module Blake2s_128 : Blake2 = + Make_Blake2s (struct + let reqs = [VEC128] + let blake2s = Hacl_Blake2s_128.hacl_Blake2s_128_blake2s + end) +#else +module Chacha20_Poly1305_128 : Chacha20_Poly1305 = + Make_Chacha20_Poly1305 (struct + let reqs = [VEC128] + let encrypt _ _ _ _ _ _ = failwith "Not implemented on this platform" + let decrypt _ _ _ _ _ _ = failwith "Not implemented on this platform" + end) + +module Poly1305_128 : MAC = + Make_Poly1305 (struct + let reqs = [VEC128] + let mac _ _ _ = failwith "Not implemented on this platform" +end) + +module Blake2s_128 : Blake2 = + Make_Blake2s (struct + let reqs = [VEC128] + let blake2s _ _ _ = failwith "Not implemented on this platform" + end) +#endif + +#ifdef HACL_CAN_COMPILE_VEC256 +module Chacha20_Poly1305_256 : Chacha20_Poly1305 = + Make_Chacha20_Poly1305 (struct + let reqs = [VEC256] + let encrypt = Hacl_Chacha20Poly1305_256.hacl_Chacha20Poly1305_256_aead_encrypt + let decrypt = Hacl_Chacha20Poly1305_256.hacl_Chacha20Poly1305_256_aead_decrypt + end) + +module Poly1305_256 : MAC = + Make_Poly1305 (struct + let reqs = [VEC256] + let mac = Hacl_Poly1305_256.hacl_Poly1305_256_poly1305_mac 
+end) + +module Blake2b_256 : Blake2 = + Make_Blake2b (struct + let reqs = [VEC256] + let blake2b = Hacl_Blake2b_256.hacl_Blake2b_256_blake2b + end) +#else +module Chacha20_Poly1305_256 : Chacha20_Poly1305 = + Make_Chacha20_Poly1305 (struct + let reqs = [VEC256] + let encrypt _ _ _ _ _ _ = failwith "Not implemented on this platform" + let decrypt _ _ _ _ _ _ = failwith "Not implemented on this platform" + end) + +module Poly1305_256 : MAC = + Make_Poly1305 (struct + let reqs = [VEC256] + let mac _ _ _ = failwith "Not implemented on this platform" +end) + +module Blake2b_256 : Blake2 = + Make_Blake2b (struct + let reqs = [VEC256] + let blake2b _ _ _ = failwith "Not implemented on this platform" + end) +#endif + +#ifdef HACL_CAN_COMPILE_VALE + +module Curve25519_64 : Curve25519 = + Make_Curve25519 (struct + let reqs = [BMI2; ADX] + let secret_to_public = Hacl_Curve25519_64.hacl_Curve25519_64_secret_to_public + let scalarmult = Hacl_Curve25519_64.hacl_Curve25519_64_scalarmult + let ecdh = Hacl_Curve25519_64.hacl_Curve25519_64_ecdh + end) +#else + +module Curve25519_64 : Curve25519 = + Make_Curve25519 (struct + let reqs = [BMI2; ADX] + let secret_to_public _ _ = failwith "Not implemented on this platform" + let scalarmult _ _ _ = failwith "Not implemented on this platform" + let ecdh _ _ _ = failwith "Not implemented on this platform" + end) + +#endif diff --git a/ocaml/hacl-star/Hacl.mli b/ocaml/hacl-star/Hacl.mli new file mode 100644 index 00000000..6a992eb6 --- /dev/null +++ b/ocaml/hacl-star/Hacl.mli 
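Review bot: `Keccak.Noalloc.keccak` asserts the `rate`/`capacity` invariants but passes `suffix` straight through `UInt8.of_int suffix`, which as far as I know does not raise for an `int` outside 0..255, so an out-of-range domain-separation byte is silently reduced instead of being caught like the other arguments; add `assert (suffix >= 0 && suffix <= 255);` alongside the existing asserts. The `#else` fallback modules (`Chacha20_Poly1305_128`, `Poly1305_128`, `Blake2s_128` and their VEC256/Vale counterparts) raise `failwith "Not implemented on this platform"` from inside the binding, which is only reasonable if the `Make_*` functors check `reqs` against `AutoConfig2` before dispatching — that is not visible in this file, so a comment such as `(* reqs are checked by the functor before these stubs can be reached *)` would document the contract if it holds. As a point of style, the functor applications for `SHA2_*`, `SHA3_*`, `HMAC_*` and `Poly1305_32` close with `end)` at column 0 while `Chacha20_Poly1305_32`, `Curve25519_51`, `Ed25519` and the `HKDF_*` modules indent it; one consistent form would make the file easier to scan.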
@@ -0,0 +1,554 @@
+(** This module provides direct access to all HACL* implementations *)
+
+open SharedDefs
+
+type bytes = CBytes.t
+(** [bytes] is ultimately an alias for [Stdlib.Bytes.t], the type of buffers currently used
+ throughout the library *)
+
+(** {1 AEAD} *)
+(** {2 Chacha20-Poly1305}
+ Different implementations of Chacha20-Poly1305. A {{!EverCrypt.Chacha20_Poly1305}
+ multiplexing interface} is also available.
+*)
+
+module Chacha20_Poly1305_32 : Chacha20_Poly1305
+(** Portable C implementation of Chacha20-Poly1305 that runs on any 32-bit platform *)
+
+module Chacha20_Poly1305_128 : Chacha20_Poly1305
+(** 128-bit vectorized C implementation of Chacha20-Poly1305 that runs on platforms with {{!AutoConfig2.VEC128} 128-bit vector support} *)
+
+module Chacha20_Poly1305_256 : Chacha20_Poly1305
+(** 256-bit vectorized C implementation of Chacha20-Poly1305 that runs on platforms with {{!AutoConfig2.VEC256} 256-bit vector support} *)
+
+(** {1 ECDH, EdDSA, and ECDSA} *)
+(** {2:curve Curve25519}
+ Different implementations of ECDH using Curve25519. A {{!EverCrypt.Curve25519}
+ multiplexing interface} is also available.
+*) + +module Curve25519_51 : Curve25519 +(** Portable C implementation that is optimized for use on 64-bit platforms that + support 128-bit arithmetic, will still compile and execute on 32-bit platforms *) + +module Curve25519_64 : Curve25519 +(** Hybrid C/assembly implementation: the field arithmetic functions are in Intel assembly + (generated by Vale) and rely on the {{!AutoConfig2.ADX} Intel ADX} and {{!AutoConfig2.BMI2} BMI2} instruction sets; the elliptic + curve functions and the main API are in portable C *) + +(** {2 Ed25519} + EdDSA using Curve25519*) + +module Ed25519 : EdDSA +(** Portable implementation *) + +(** {2 P-256} *) + +module P256 : sig + + (** Buffers have the following size constraints: + - [pk]: 64 bytes, corresponding to the "raw" representation of an elliptic curve point (see {!section:points}) + - [sk], [k]: 32 bytes + - [signature]: 64 bytes + - [msg]: depends on which hash function is being used (see {!section:ecdsa}) + *) + + (** {1:points Point representation and conversions} + Elliptic curve points have 2 32-byte coordinates {i (x, y)} and can be represented in 3 ways: + - "raw" form (64 bytes): the concatenation of the 2 coordinates + - "compressed" form (33 bytes): the first byte is equal to {0x2 + (y % 2)}, followed + by {i x} + - "uncompressed" form (65 bytes): the first byte is always [\04], followed by the "raw" form + + These functions convert points between these representations: +*) + + val raw_to_compressed : bytes -> bytes + (** [raw_to_compressed p] converts a "raw" point [p] (64 bytes) to a "compressed" point (33 bytes) *) + + val raw_to_uncompressed : bytes -> bytes + (** [raw_to_uncompressed p] converts a "raw" point [p] (64 bytes) to an "uncompressed" point (65 bytes) *) + + val compressed_to_raw : bytes -> bytes option + (** [compressed_to_raw p] attempts to convert a "compressed" point [p] (33 bytes) to a "raw" point (64 bytes) + and returns it if successful. 
*) + + val uncompressed_to_raw : bytes -> bytes option + (** [uncompressed_to_raw p] attempts to convert an "uncompressed" point [p] (65 bytes) to a "raw" point (64 bytes) + and returns it if successful. *) + + (** {1 Point validation} *) + + val valid_sk : sk:bytes -> bool + (** [valid_sk sk] checks if the contents of [sk] can be used as a secret key or as a signing secret. + This is the case if 0 < [sk] < the order of the curve. *) + + val valid_pk : pk:bytes -> bool + (** [valid_pk pk] checks if the contents of [pk] is a valid public key, as specified in {{: https://csrc.nist.gov/publications/detail/sp/800-56a/rev-3/final}NIST SP 800-56A}. *) + + (** {1 ECDH} + ECDH key agreement protocol + *) + + val dh_initiator : sk:bytes -> bytes option + (** [dh_initiator sk] takes a 32-byte secret key [sk] and returns the corresponding + 64-byte public key. *) + + val dh_responder : sk:bytes -> pk:bytes -> bytes option + (** [dh_responder sk pk] takes a 32-byte secret key [sk] and another party's 64-byte public + key and returns the 64-byte ECDH shared key. *) + + (** {1:ecdsa ECDSA} + ECDSA signing and signature verification functions + + For the [sign] and [verify] functions included in this module + [msg] is the digest of the message to be signed, requiring users to use a cryptographic hash function + of their choosing before calling them. In this case, [msg] needs to be at least 32 bytes long. + *) + + val sign : sk:bytes -> msg:bytes -> k:bytes -> bytes option + (** [sign sk msg k] attempts to sign the message [msg] with secret key [sk] and + signing secret [k] and returns the signature if successful. *) + + val verify : pk:bytes -> msg:bytes -> signature:bytes -> bool + (** [verify pk msg signature] checks the [signature] of [msg] using public key [pk] and returns + true if it is valid. *) + + (** The functions in the other submodules take the unhashed message [msg] and first hash it using their corresponding + version of the SHA-2 hash function. 
In this case, there is no minimum size requirement for [msg]. *) + + module SHA2_256 : ECDSA + module SHA2_384 : ECDSA + module SHA2_512 : ECDSA + + (** Versions of these functions which write their output in a buffer passed in as + an argument *) + module Noalloc : sig + + (** {1 Point representation and conversions} *) + + val raw_to_compressed : p:bytes -> result:bytes -> unit + (** [raw_to_compressed p result] converts a "raw" point [p] (64 bytes) to a "compressed" point [result] (33 bytes) *) + + val raw_to_uncompressed : p:bytes -> result:bytes -> unit + (** [raw_to_uncompressed p result] converts a "raw" point [p] (64 bytes) to an "uncompressed" point [result] (65 bytes) *) + + val compressed_to_raw : p:bytes -> result:bytes -> bool + (** [compressed_to_raw p result] converts a "compressed" point [p] (33 bytes) to a "raw" point [result] (64 bytes). + Returns true if successful. *) + + val uncompressed_to_raw : p:bytes -> result:bytes -> bool + (** [uncompressed_to_raw p result] converts an "uncompressed" point [p] (65 bytes) to a "raw" point [result] (64 bytes). + Returns true if successful. *) + + (** {1 ECDH} + ECDH key agreement protocol + *) + + val dh_initiator : sk:bytes -> pk:bytes -> bool + (** [dh_initiator sk pk] takes a 32-byte secret key [sk] and writes the corresponding + 64-byte public key in [pk]. *) + + val dh_responder : sk:bytes -> pk:bytes -> shared:bytes -> bool + (** [dh_responder sk pk shared] takes a 32-byte secret key [sk] and another party's 64-byte public + key and writes the 64-byte ECDH shared key in [shared]. Buffer [shared] must be distinct from + [pk]. *) + + (** {1:ecdsa ECDSA} *) + + val sign : sk:bytes -> msg:bytes -> k:bytes -> signature:bytes -> bool + (** [sign sk msg k signature] attempts to sign the message [msg] with secret key [sk] and + signing secret [k]. If successful, the signature is written in [signature] and the + function returns true. 
*) + end +end +(** ECDSA and ECDH functions using P-256 *) + + +(** {1 Hashing } *) +(** {2 SHA-2} + + Portable C implementations of SHA-2. + Multiplexing interfaces for {{!EverCrypt.SHA2_224}SHA-224} and {{!EverCrypt.SHA2_256}SHA-256} are also available. +*) + +module SHA2_224 : HashFunction +(** Direct hashing with SHA-224 + +The [digest] buffer must match the digest size of SHA-224, which is 28 bytes. +*) + +module SHA2_256 : HashFunction +(** Direct hashing with SHA-256 + +The [digest] buffer must match the digest size of SHA-256, which is 32 bytes. +*) + + +module SHA2_384 : HashFunction +(** Direct hashing with SHA-384 + +The [digest] buffer must match the digest size of SHA-384, which is 48 bytes. +*) + + +module SHA2_512 : HashFunction +(** Direct hashing with SHA-512 + +The [digest] buffer must match the digest size of SHA-512, which is 64 bytes. +*) + + + +(** {2 SHA-3} + + Portable C implementations of SHA-3 +*) + +module SHA3_224 : HashFunction +(** Direct hashing with SHA3-224 + +The [digest] buffer must match the digest size of SHA3-224, which is 28 bytes. +*) + +module SHA3_256 : HashFunction +(** Direct hashing with SHA3-256 + +The [digest] buffer must match the digest size of SHA3-256, which is 32 bytes. +*) + +module SHA3_384 : HashFunction +(** Direct hashing with SHA3-384 + +The [digest] buffer must match the digest size of SHA3-384, which is 48 bytes. +*) + +module SHA3_512 : HashFunction +(** Direct hashing with SHA3-512 + +The [digest] buffer must match the digest size of SHA3-512, which is 64 bytes. +*) + +module Keccak : sig + val shake128 : msg:bytes -> size:int -> bytes + (** [shake128 msg size] hashes [msg] using SHAKE-128 and returns a digest of [size] bytes. *) + + val shake256 : msg:bytes -> size:int -> bytes + (** [shake256 msg size] hashes [msg] using SHAKE-256 and returns a digest of [size] bytes. 
*) + + val keccak : rate:int -> capacity:int -> suffix:int -> msg:bytes -> size:int -> bytes + (** Direct access to the general Keccak function, of which all the SHA-3 and SHAKE functions + are {{:https://en.wikipedia.org/wiki/SHA-3#Instances}instances}. While the library + does run some sanity checks for the parameters, users should be extremely careful + if using the Keccak function directly. *) + + (** Versions of these functions which write their output in a buffer passed in as + an argument *) + module Noalloc : sig + val shake128 : msg:bytes -> digest:bytes -> unit + (** [shake128 msg size] hashes [msg] using SHAKE-128 and returns a digest of [size] bytes. *) + + val shake256 : msg:bytes -> digest:bytes -> unit + (** [shake256 msg digest] hashes [msg] using SHAKE-256 and outputs the result in [digest]. *) + + val keccak : rate:int -> capacity:int -> suffix:int -> msg:bytes -> digest:bytes -> unit + (** Direct access to the general Keccak function, of which all the SHA-3 and SHAKE functions + are {{:https://en.wikipedia.org/wiki/SHA-3#Instances}instances}. While the library + does run some sanity checks for the parameters, users should be extremely careful + if using the Keccak function directly. *) + end +end +(** SHAKE-128, SHAKE-256, and the general Keccak function + + Contrary to other Keccak/SHA-3 variants, SHAKE-128 and SHAKE-256 produce digests of + any size. When calling these functions, it will correspond to the size of the [digest] buffer. 
+*) + +(** {2:blake2 BLAKE2} + The BLAKE2 hash function has 2 variants: + - BLAKE2b, optimised for 64-bit architectures + - BLAKE2s, optimised for 8- to 32-bit architectures +*) + +module Blake2b_32 : Blake2 +(** Portable BLAKE2b implementation *) + +module Blake2b_256 : Blake2 +(** Vectorized BLAKE2b implementation, requiring {{!AutoConfig2.VEC256} 256-bit vector support} *) + +module Blake2s_32 : Blake2 +(** Portable BLAKE2s implementation *) + +module Blake2s_128 : Blake2 +(** Vectorized BLAKE2s implementation, requiring {{!AutoConfig2.VEC128} 128-bit vector support} *) + +(** {2 Legacy (deprecated)} +Legacy algorithms, which are {b not suitable for cryptographic applications.} *) + +module MD5 : HashFunction [@@deprecated] +(** Direct hashing with MD5 + +{b This function should not be used for cryptographic applications!} + +The [digest] buffer must match the digest size of MD5, which is 16 bytes. *) + +module SHA1 : HashFunction [@@deprecated] +(** Direct hashing with SHA-1 + +{b This function should not be used for cryptographic applications!} + +The [digest] buffer must match the digest size of SHA-1, which is 20 bytes. *) + + +(** {1 MACs} +Message authentication codes + +{{!EverCrypt.mac}Multiplexing interfaces} for these algorithms are also available. 
+*) + +(** {2 HMAC} *) + +module HMAC_SHA2_256 : MAC +(** Portable C implementation of HMAC-SHA-256 *) + +module HMAC_SHA2_384 : MAC +(** Portable C implementation of HMAC-SHA-384 *) + +module HMAC_SHA2_512 : MAC +(** Portable C implementation of HMAC-SHA-512 *) + +module HMAC_BLAKE2b : MAC +(** Portable C implementation of HMAC-BLAKE2b *) + +module HMAC_BLAKE2s : MAC +(** Portable C implementation of HMAC-BLAKE2s *) + + +(** {2 Poly1305} *) + +module Poly1305_32 : MAC +(** Portable C implementation of Poly1305 *) + +module Poly1305_128 : MAC +(** Vectorized C implementation of Poly1305 that runs on platforms with {{!AutoConfig2.VEC128} 128-bit vector support} *) + +module Poly1305_256 : MAC +(** Vectorized C implementation of Poly1305 that runs on platforms with {{!AutoConfig2.VEC256} 256-bit vector support} *) + + +(** {1 NaCl } *) + +module NaCl : sig + (** {1 Box} + {2 One-shot interface} *) + + val box : pt:bytes -> n:bytes -> pk:bytes -> sk:bytes -> bytes option + (** [box pt n pk sk] authenticates and encrypts plaintext [pt] using public key [pk], + secret key [sk], and nonce [n] and returns both the message authentication tag + and the ciphertext in a single buffer if successful. *) + + val box_open : ct:bytes -> n:bytes -> pk:bytes -> sk:bytes -> bytes option + (** [box_open ct n pk sk] attempts to verify and decrypt ciphertext [ct] using public key [pk], + secret key [sk], and nonce [n] and returns the plaintext if successful. *) + + (** {2 Precomputation interface } + A shared key [ck] is first obtained using {!NaCl.box_beforenm}. This is useful + when calling the functions repeatedly, as it avoids computing the shared key + on every function call. *) + + val box_beforenm : pk:bytes -> sk:bytes -> bytes option + (** [box_beforenm pk sk] precomputes a 32-byte {{!section:curve}X25519 shared key} [ck] + using one party's 32-byte public key [pk] and the other party's 32-byte secret key [sk]. 
+ The shared key can then be used in the Box precomputation interface: {!box_afternm} and + {!box_open_afternm}, or their equivalent functions in {!module-Noalloc.Easy} and + {!module-Noalloc.Detached}). *) + + val box_afternm : pt:bytes -> n:bytes -> ck:bytes -> bytes option + (** [box_afternm pt n ck] authenticates and encrypts [pt] using shared key [ck] and + nonce [n] and returns both the message authentication tag and the ciphertext + in a single buffer if successful. *) + + val box_open_afternm : ct:bytes -> n:bytes -> ck:bytes -> bytes option + (** [box_open ct n pk sk] attempts to verify and decrypt ciphertext [ct] using + shared key [ck] and nonce [n] and returns the plaintext if successful. *) + + (** {1 Secretbox} *) + + val secretbox : pt:bytes -> n:bytes -> key:bytes -> bytes option + (** [secretbox pt n key] authenticates and encrypts plaintext [pt] using + secret key [key] and nonce [n] and returns both the message authentication tag + and the ciphertext in a single buffer if successful. *) + + val secretbox_open : ct:bytes -> n:bytes -> key:bytes -> bytes option + (** [secretbox_open ct n key] attempts to verify and decrypt ciphertext [ct] using + secret key [key] and nonce [n] and returns the plaintext if successful. *) + + (** Versions of these functions which write their output in a buffer passed in as + an argument + + Buffers have the following size requirements: + - [ct] must be 16 bytes longer than [pt] to also include the message + authentication tag + - [pk], [sk], [ck]: 32 bytes + - [n]: 24 bytes + *) + module Noalloc : sig + + val box_beforenm : pk:bytes -> sk:bytes -> ck:bytes -> bool + (** [box_beforenm pk sk ck] is a version of {!NaCl.box_beforenm} which takes an additional argument [ck] + where the result is written, returning `true` if it is successful. + + Buffers [pk], [sk], and [ck] must be distinct. 
+ *) + + module Easy : sig + (** {1 Box} + {2 One-shot interface} *) + + val box : pt:bytes -> n:bytes -> pk:bytes -> sk:bytes -> ct:bytes -> bool + (** [box pt n pk sk ct] authenticates and encrypts plaintext [pt] using public key [pk], + secret key [sk], and nonce [n] and writes both the message authentication tag + and the ciphertext in [ct]. + Returns true if successful. *) + + val box_open : ct:bytes -> n:bytes -> pk:bytes -> sk:bytes -> pt:bytes -> bool + (** [box_open ct n pk sk pt] attempts to verify and decrypt ciphertext [ct] using public key [pk], + secret key [sk], and nonce [n] and if successful writes the plaintext in [pt] + and returns true. *) + + (** {2 Precomputation interface } + The shared key [ck] is obtained using {!NaCl.box_beforenm} or {!NaCl.Noalloc.box_beforenm}. *) + + val box_afternm : pt:bytes -> n:bytes -> ck:bytes -> ct:bytes -> bool + (** [box_afternm pt n ck ct] authenticates and encrypts [pt] using shared key [ck] and + nonce [n] and writes both the message authentication tag and the ciphertext in [ct]. + Returns true if successful. *) + + val box_open_afternm : ct:bytes -> n:bytes -> ck:bytes -> pt:bytes -> bool + (** [box_open ct n pk sk pt] attempts to verify and decrypt ciphertext [ct] using + shared key [ck] and nonce [n] and if successful writes the plaintext in [pt] + and returns true. *) + + (** {1 Secretbox} *) + + val secretbox : pt:bytes -> n:bytes -> key:bytes -> ct:bytes -> bool + (** [secretbox pt n key ct] authenticates and encrypts plaintext [pt] using + secret key [key] and nonce [n] and writes both the message authentication tag + and the ciphertext in [ct]. + Returns true if successful. *) + + val secretbox_open : ct:bytes -> n:bytes -> key:bytes -> pt:bytes -> bool + (** [secretbox_open ct n key pt] attempts to verify and decrypt ciphertext [ct] using + secret key [key] and nonce [n] and if successful writes the plaintext in [pt] + and returns true. 
*) + end + (** The {i easy} interface concatenates the ciphertext and the 16-byte long message + authentication tag into a single buffer. + + Buffers have the following size requirements: + - [ct]: at least 16 bytes + - [pk], [sk], [ck]: 32 bytes + - [n]: 24 bytes + *) + + module Detached : sig + (** {1 Box} + {2 One-shot interface} *) + + val box : pt:bytes -> n:bytes -> pk:bytes -> sk:bytes -> ct:bytes -> tag:bytes -> bool + (** [box pt n pk sk ct tag] authenticates and encrypts plaintext [pt] using public key [pk], + secret key [sk], and nonce [n] and writes the ciphertext in [ct] and + the message authentication tag in [tag]. + Returns true if successful. *) + + val box_open : ct:bytes -> tag:bytes -> n:bytes -> pk:bytes -> sk:bytes -> pt:bytes -> bool + (** [box_open ct tag n pk sk pt] attempts to verify and decrypt ciphertext [ct] and + message authentication tag [tag] using public key [pk], + secret key [sk], and nonce [n] and if successful writes the plaintext in [pt] + and returns true. *) + + (** {2 Precomputation interface } + The shared key [ck] is obtained using {!NaCl.box_beforenm} or {!NaCl.Noalloc.box_beforenm}. *) + + val box_afternm : pt:bytes -> n:bytes -> ck:bytes -> ct:bytes -> tag:bytes -> bool + (** [box_afternm pt n ck ct tag] authenticates and encrypts [pt] using shared key [ck] and + nonce [n] and writes the ciphertext in [ct] and the message authentication tag in [tag]. + Returns true if successful. *) + + val box_open_afternm : ct:bytes -> tag:bytes -> n:bytes -> ck:bytes -> pt:bytes -> bool + (** [box_open_afternm ct tag n ck pt] attempts to verify and decrypt ciphertext [ct] and + message authentication tag [tag] using + shared key [ck] and nonce [n] and if successful writes the plaintext in [pt] + and returns true. 
*) + + (** {1 Secretbox} *) + + val secretbox : pt:bytes -> n:bytes -> key:bytes -> ct:bytes -> tag:bytes -> bool + (** [secretbox pt n key ct tag] authenticates and encrypts plaintext [pt] using + secret key [key] and nonce [n] and writes the ciphertext in [ct] + and the message authentication tag in [tag]. + Returns true if successful. *) + + val secretbox_open : ct:bytes -> tag:bytes -> n:bytes -> key:bytes -> pt:bytes -> bool + (** [secretbox_open ct tag n key pt] attempts to verify and decrypt ciphertext [ct] and + message authentication tag [tag] using + secret key [key] and nonce [n] and if successful writes the plaintext in [pt] + and returns true. *) + end + (** The {i detached} interface uses 2 separate buffers for the ciphertext and + the message authentication tag. This allows users to encrypt and decrypt data in-place, + by passing the same buffer for both plaintext and ciphertext. + + Buffers have the following size requirements: + - [tag]: 16 bytes + - [pk], [sk], [ck]: 32 bytes + - [n]: 24 bytes + *) + end +end +(** Box (public-key authenticated encryption) and Secretbox (secret-key authenticated encryption) + + Portable C implementations offering both the {i easy} and {i detached} interfaces of Box and Secretbox + (see {!NaCl.Noalloc}). + For Box, the {i precomputation interface} is also supported. +*) + +(** {1 Key derivation} *) +(** {2 HKDF} + HMAC-based key derivation function + + Portable implementations of HKDF. + {{!EverCrypt.hkdf} Agile and multiplexing interfaces} are also available. 
+*) + +module HKDF_SHA2_256 : HKDF +(** Portable C implementation of HKDF using SHA2-256 *) + +module HKDF_SHA2_512 : HKDF +(** Portable C implementation of HKDF using SHA2-512 *) + +module HKDF_BLAKE2b : HKDF +(** Portable C implementation of HKDF using BLAKE2b *) + +module HKDF_BLAKE2s : HKDF +(** Portable C implementation of HKDF using BLAKE2s *) + +(** {1 Randomness (not verified)} *) + +module RandomBuffer : sig + val randombytes : size:int -> bytes option + (** [randombytes size] attempts to create a buffer containing [size] random bytes *) + + (** Version of this function which writes its output in a buffer passed in as + an argument *) + module Noalloc : sig + val randombytes : out:bytes -> bool + (** [randombytes out] attempts to fill [out] with random bytes and returns true if successful. *) + end +end +(** A randomness function implemented with platform-dependent code for Unix and Windows + + The [randombytes] function is handwritten, unverified C code. + In Unix, it is implemented using the {{: https://man7.org/linux/man-pages/man2/getrandom.2.html} [getrandom]} syscall, with a fallback to [/dev/urandom]. + In Windows, it is implemented using {{: https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptgenrandom} [CryptGenRandom]}. +*) diff --git a/ocaml/hacl-star/SharedDefs.ml b/ocaml/hacl-star/SharedDefs.ml new file mode 100644 index 00000000..69850118 --- /dev/null +++ b/ocaml/hacl-star/SharedDefs.ml 
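Review bot: The `P256.sign` docstring (and its `Noalloc` counterpart) describes `k` only as a "signing secret"; since it is the per-signature ECDSA nonce, the interface should spell out the property callers must guarantee, e.g. append `[k] must be a fresh, uniformly random 32-byte value for every signature and must never be reused with the same [sk]; a repeated or biased [k] exposes [sk].` Two docstrings were copied without being updated: `Keccak.Noalloc.shake128` still reads `[shake128 msg size] ... returns a digest of [size] bytes` although it takes `digest` and returns `unit`, and `NaCl.box_open_afternm` (top-level and `Noalloc.Easy`) is headed `[box_open ct n pk sk ...]` although the function is `box_open_afternm` and takes `ck`. The `box_beforenm` docstring also has an unmatched closing parenthesis after `{!module-Noalloc.Detached}`.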
@@ -0,0 +1,384 @@
+open Unsigned
+
+(* We keep the API abstract over the type of buffer used in order to keep the
+ * possibility of swapping this implementation in the future or offering
+ * multiple such implementations. A past version of the library was
+ * built using Bigstring instead of Bytes. *)
+module type Buffer = sig
+ type t
+ type buf
+ val empty: bytes
+ val size_uint32 : bytes -> uint32
+ val ctypes_buf : bytes -> buf
+ val size : bytes -> int
+ val equal : bytes -> bytes -> bool
+ val make : int -> bytes
+ val disjoint : bytes -> bytes -> bool
+ val sub : bytes -> int -> int -> bytes
+ val z_compare : bytes -> Z.t -> int
+end
+(** Abstract representation of buffers *)
+
+module CBytes : Buffer with type t = Bytes.t and type buf = Bytes.t Ctypes.ocaml = struct
+ type t = Bytes.t
+ type buf = Bytes.t Ctypes.ocaml
+ let empty = Bytes.empty
+ let size_uint32 b = Unsigned.UInt32.of_int (Bytes.length b)
+ let ctypes_buf = Ctypes.ocaml_bytes_start
+ let size = Bytes.length
+ let equal = Bytes.equal
+ let make l = Bytes.make l '\x00'
+ let disjoint b1 b2 = b1 != b2
+ let sub = Bytes.sub
+ let z_compare b z = Z.compare (Z.of_bits (Bytes.to_string b)) z
+end
+(** Representation of [Bytes.t] buffers *)
+
+module Hacl_Hash = struct
+ include Hacl_Hash_Base_bindings.Bindings(Hacl_Hash_Base_stubs)
+ include Hacl_Hash_MD5_bindings.Bindings(Hacl_Hash_MD5_stubs)
+ include Hacl_Hash_SHA1_bindings.Bindings(Hacl_Hash_SHA1_stubs)
+ include Hacl_Hash_SHA2_bindings.Bindings(Hacl_Hash_SHA2_stubs)
+ include Hacl_Hash_Blake2_bindings.Bindings(Hacl_Hash_Blake2_stubs)
+end
+module Hacl_Spec = Hacl_Spec_bindings.Bindings(Hacl_Spec_stubs)
+
+let pow2 n = Z.(pow ~$2) n
+
+module AEADDefs = struct
+ open Hacl_Spec
+ type alg =
+ | AES128_GCM
+ | AES256_GCM
+ | CHACHA20_POLY1305
+ let alg_definition = function
+ | AES128_GCM -> spec_Agile_AEAD_alg_Spec_Agile_AEAD_AES128_GCM
+ | AES256_GCM -> spec_Agile_AEAD_alg_Spec_Agile_AEAD_AES256_GCM
+ | CHACHA20_POLY1305 ->
 spec_Agile_AEAD_alg_Spec_Agile_AEAD_CHACHA20_POLY1305
+ let key_length = function
+ (* specs/Spec.Agile.AEAD.key_length *)
+ | AES128_GCM -> 16
+ | AES256_GCM -> 32
+ | CHACHA20_POLY1305 -> 32
+ let tag_length = function
+ (* specs/Spec.Agile.AEAD.tag_length *)
+ | AES128_GCM
+ | AES256_GCM
+ | CHACHA20_POLY1305 -> 16
+ let check_iv_length len = function
+ (* specs/Spec.Agile.AEAD.iv_length *)
+ | AES128_GCM
+ | AES256_GCM -> len > 0 && Z.((of_int 8) * (of_int len) < pow2 64)
+ | CHACHA20_POLY1305 -> len = 12
+ let check_max_pt_length len = function
+ (* specs/Spec.Agile.AEAD.max_length *)
+ | AES128_GCM
+ | AES256_GCM -> Z.(of_int len < pow2 32)
+ | CHACHA20_POLY1305 -> Z.(of_int len < pow2 32 - of_int 16)
+ let check_sizes ~alg ~iv_len ~tag_len ~ad_len ~pt_len ~ct_len =
+ (* providers/EverCrypt.AEAD.encrypt_st *)
+ assert (check_iv_length iv_len alg);
+ assert (tag_len = tag_length alg);
+ assert (check_max_pt_length pt_len alg);
+ assert Z.(of_int ad_len <= pow2 31);
+ assert (pt_len = ct_len)
+end
+
+module HashDefs = struct
+ open Hacl_Spec
+ type deprecated_alg =
+ | SHA1
+ | MD5 [@@deprecated]
+ type alg =
+ | SHA2_224
+ | SHA2_256
+ | SHA2_384
+ | SHA2_512
+ | BLAKE2b
+ | BLAKE2s
+ | Legacy of deprecated_alg
+ let alg_definition = function
+ | SHA2_224 -> spec_Hash_Definitions_hash_alg_Spec_Hash_Definitions_SHA2_224
+ | SHA2_256 -> spec_Hash_Definitions_hash_alg_Spec_Hash_Definitions_SHA2_256
+ | SHA2_384 -> spec_Hash_Definitions_hash_alg_Spec_Hash_Definitions_SHA2_384
+ | SHA2_512 -> spec_Hash_Definitions_hash_alg_Spec_Hash_Definitions_SHA2_512
+ | BLAKE2b -> spec_Hash_Definitions_hash_alg_Spec_Hash_Definitions_Blake2B
+ | BLAKE2s -> spec_Hash_Definitions_hash_alg_Spec_Hash_Definitions_Blake2S
+ | Legacy SHA1 -> spec_Hash_Definitions_hash_alg_Spec_Hash_Definitions_SHA1
+ | Legacy MD5 -> spec_Hash_Definitions_hash_alg_Spec_Hash_Definitions_MD5
+ let digest_len alg =
+ UInt32.to_int (Hacl_Hash.hacl_Hash_Definitions_hash_len (alg_definition alg))
+ let
check_digest_len alg len = + assert (len = digest_len alg) + let max_input_len = function + (* specs/Spec.Hash.Definitions.max_input_length *) + | Legacy SHA1 + | Legacy MD5 + | SHA2_224 + | SHA2_256 -> pow2 61 + | SHA2_384 + | SHA2_512 -> pow2 125 + | BLAKE2b -> pow2 128 + | BLAKE2s -> pow2 64 + let check_max_input_len alg len = + assert Z.(of_int len < max_input_len alg) + let block_len alg = + UInt32.to_int (Hacl_Hash.hacl_Hash_Definitions_block_len (alg_definition alg)) + let check_key_len alg len = + assert Z.(of_int len + of_int (block_len alg) < max_input_len alg) +end + +module type Chacha20_Poly1305_generic = sig + type bytes + val encrypt: key:bytes -> iv:bytes -> ad:bytes -> pt:bytes -> bytes * bytes + (** [encrypt key iv ad pt] takes a [key], an initial value [iv], additional data + [ad], and plaintext [pt] and returns a tuple containing the encrypted [pt] and the + authentication tag for the plaintext and the associated data. *) + + val decrypt: key:bytes -> iv:bytes -> ad:bytes -> ct:bytes -> tag:bytes -> bytes option + (** [decrypt key iv ad ct tag] takes a [key], the initial value [iv], additional + data [ad], ciphertext [ct], and authentication tag [tag], and, if successful, + returns the decrypted [ct]. *) + + (** Versions of these functions which write their output in a buffer passed in as + an argument *) + module Noalloc : sig + val encrypt: key:bytes -> iv:bytes -> ad:bytes -> pt:bytes -> ct:bytes -> tag:bytes -> unit + (** [encrypt key iv ad pt ct tag] takes a [key], an initial value [iv], additional data + [ad], and plaintext [pt], as well as output buffers [ct], which will + contain the encrypted [pt], and [tag], which will contain the authentication tag for + the plaintext and the associated data. 
*) + + val decrypt: key:bytes -> iv:bytes -> ad:bytes -> ct:bytes -> tag:bytes -> pt:bytes -> bool + (** [decrypt key iv ad ct tag pt] takes a [key], the initial value [iv], additional + data [ad], ciphertext [ct], and authentication tag [tag], as well as output buffer [pt], + which, if successful, will contain the decrypted [ct]. *) + end +end + +module type Curve25519_generic = sig +(** See {{:https://hacl-star.github.io/HaclECDH.html#hacl-curve25519} here} for detailed + usage instructions. +*) + + type bytes + val secret_to_public : sk:bytes -> bytes + (** [secret_to_public sk] takes a 32-byte secret key [sk] and returns the corresponding + 32-byte ECDH public key. *) + + val ecdh : sk:bytes -> pk:bytes -> bytes option + (** [ecdh sk pk] takes a 32-byte secret key [sk] and another party's 32-byte public + key and returns the 32-byte ECDH shared key. *) + + val scalarmult : scalar:bytes -> point:bytes -> bytes + (** [scalarmult scalar point] performs scalar multiplication over the curve. Buffers + are 32-byte long and must be distinct. *) + + (** Versions of these functions which write their output in a buffer passed in as + an argument *) + module Noalloc : sig + val secret_to_public : sk:bytes -> pk:bytes -> unit + (** [secret_to_public sk pk] takes a 32-byte secret key [sk] and writes the corresponding + 32-byte ECDH public key in [pk]. Buffers [pk] and [sk] must be distinct. *) + + val ecdh : sk:bytes -> pk:bytes -> shared:bytes -> bool + (** [ecdh sk pk shared] takes a 32-byte secret key [sk] and another party's 32-byte public + key and writes the 32-byte ECDH shared key in [shared]. Buffer [shared] must be distinct from + [pk] and [sk]. *) + + val scalarmult : scalar:bytes -> point:bytes -> result:bytes -> unit + (** [scalarmult scalar point] performs scalar multiplication over the curve. Buffers + are 32-byte long and must be distinct. 
*) + end +end + +module type EdDSA_generic = sig +(** See {{:https://hacl-star.github.io/HaclSig.html} here} for detailed + usage instructions. +*) + + type bytes + + (** {1 EdDSA} *) + + val secret_to_public : sk:bytes -> bytes + (** [secret_to_public sk] takes a secret key [sk] and returns the corresponding + public key. *) + + val sign : sk:bytes -> msg:bytes -> bytes + (** [sign sk msg] takes secret key [sk] and message [msg] and returns + the Ed25519 signature. *) + + val verify : pk:bytes -> msg:bytes -> signature:bytes -> bool + (** [verify pk msg signature] takes public key [pk], message [msg] and verifies the + Ed25519 signature, returning true if valid. *) + + (** {1 EdDSA Expanded Signing} *) + + val expand_keys : sk:bytes -> bytes + (** [expand_keys sk] takes secret key [sk] and returns the expanded secret key. *) + + val sign_expanded : ks:bytes -> msg:bytes -> bytes + (** [sign_expanded ks msg signature] takes expanded secret key [ks] and message [msg] and + returns the Ed25519 signature. *) + + (** Versions of these functions which write their output in a buffer passed in as + an argument *) + module Noalloc : sig + + (** Buffers have the following size constraints: + - [sk], [pk]: 32 bytes + - [signature]: 64 bytes + + {1 EdDSA} + + Note: The [verify] function does not return a buffer so it has no been duplicated here. + *) + + val secret_to_public : sk:bytes -> pk:bytes -> unit + (** [secret_to_public sk pk] takes a secret key [sk] and writes the corresponding + public key in [pk]. Buffers [pk] and [sk] must be distinct. *) + + val sign : sk:bytes -> msg:bytes -> signature:bytes -> unit + (** [sign sk msg signature] takes secret key [sk] and message [msg] and writes + the Ed25519 signature in [signature]. *) + + (** {1 EdDSA Expanded Signing} + + The buffer [ks] containing the expanded secret key must be 96 bytes long. 
+ *) + + val expand_keys : sk:bytes -> ks:bytes -> unit + (** [expand_keys sk ks] takes secret key [sk] and writes the expanded secret key in [ks]. *) + + val sign_expanded : ks:bytes -> msg:bytes -> signature:bytes -> unit + (** [sign_expanded ks msg signature] takes expanded secret key [ks] and message [msg] and writes + the Ed25519 signature in [signature]. *) + end +end + +module type HashFunction_generic = sig + + type bytes + + val hash : bytes -> bytes + (** [hash msg] returns the hash of [msg]. *) + + (** Version of this function which writes its output in a buffer passed in as + an argument *) + module Noalloc : sig + val hash : msg:bytes -> digest:bytes -> unit + (** [hash msg digest] hashes [msg] and outputs the result in [digest]. *) + end +end + +module type MAC_generic = sig + (** For Poly1305, buffers have the following size constraints: + - [key]: 32 bytes + - output buffer: 16 bytes + + For HMAC with SHA-2, the output buffer is the same size as the digest size of + the corresponding hash function (see {{!EverCrypt.Hash} here}). For HMAC with BLAKE2, + the output buffer is 64 bytes for BLAKE2b and 32 bytes for BLAKE2s. +*) + + type bytes + + val mac : key:bytes -> msg:bytes -> bytes + (** [mac key msg] computes the MAC of [msg] using key [key]. *) + + (** Version of this function which writes its output in a buffer passed in as + an argument *) + module Noalloc : sig + val mac : key:bytes -> msg:bytes -> tag:bytes -> unit + (** [mac key msg tag] computes the MAC of [msg] using key [key] and writes the result in [tag]. + The `tag` buffer needs to satisfy the size requirements for the output buffer. 
*) + end +end + +module type HKDF_generic = sig + (** Buffers have the following size constraints with respect to the digest size of the underlying + hash function, [digest_len]: + - [prk]: = [digest_len] + - [okm]: <= 255 * [digest_len] +*) + + type bytes + + val extract: salt:bytes -> ikm:bytes -> bytes + (** [extract salt ikm] computes a pseudorandom key using input key material [ikm] and + salt [salt]. *) + + val expand: prk:bytes -> info:bytes -> size:int -> bytes + (** [expand prk info size] expands the pseudorandom key [prk], taking the info string [info] into + account and returns a buffer of [size] bytes. *) + + (** Versions of these functions which write their output in a buffer passed in as + an argument *) + module Noalloc : sig + val extract: salt:bytes -> ikm:bytes -> prk:bytes -> unit + (** [extract salt ikm prk] computes a pseudorandom key [prk] using input key material [ikm] and + salt [salt]. *) + + val expand: prk:bytes -> info:bytes -> okm:bytes -> unit + (** [expand prk info okm] expands the pseudorandom key [prk], taking the info string [info] into + account, and writes the output key material in [okm]. *) + end +end + +module type ECDSA_generic = sig + (** Buffers have the following size constraints: + - [pk]: 64 bytes, corresponding to the "raw" representation of an elliptic curve point (see {!section:points}) + - [sk], [k]: 32 bytes + - [signature]: 64 bytes + - [msg]: no size requirement for variants using SHA-2 hashing (see {!section:ecdsa}) + *) + + type bytes + + val sign : sk:bytes -> msg:bytes -> k:bytes -> bytes option + (** [sign sk msg k] attempts to sign the message [msg] with secret key [sk] and + signing secret [k] and returns the signature if successful. *) + + val verify : pk:bytes -> msg:bytes -> signature:bytes -> bool + (** [verify pk msg signature] checks the [signature] of [msg] using public key [pk] and returns + true if it is valid. 
*) + + (** Versions of these functions which write their output in a buffer passed in as + an argument *) + module Noalloc : sig + val sign : sk:bytes -> msg:bytes -> k:bytes -> signature:bytes -> bool + (** [sign sk msg k signature] attempts to sign the message [msg] with secret key [sk] and + signing secret [k]. If successful, the signature is written in [signature] and the + function returns true. *) + end +end + +module type Blake2_generic = sig +(** Buffers have the following size constraints: + - [key]: <= 64 bytes for BLAKE2b, <= 32 bytes for BLAKE2s + - [digest]: non-zero, <= 64 bytes for BLAKE2b, <= 32 bytes for BLAKE2s *) + + type bytes + + val hash : ?key:bytes -> bytes -> int -> bytes + (** [hash ?key msg size] hashes [msg] and returns a digest of length [size]. + An optional [key] argument can be passed for keyed hashing. *) + + (** Version of this function which writes its output in a buffer passed in as + an argument *) + module Noalloc : sig + val hash : key:bytes -> msg:bytes -> digest:bytes -> unit + (** [hash key msg digest] hashes [msg] and outputs the result in [digest]. + A non-empty [key] can be passed for keyed hashing. *) + end +end + +module type Chacha20_Poly1305 = Chacha20_Poly1305_generic with type bytes = CBytes.t +module type Curve25519 = Curve25519_generic with type bytes = CBytes.t +module type EdDSA = EdDSA_generic with type bytes = CBytes.t +module type HashFunction = HashFunction_generic with type bytes = CBytes.t +module type MAC = MAC_generic with type bytes = CBytes.t +module type HKDF = HKDF_generic with type bytes = CBytes.t +module type ECDSA = ECDSA_generic with type bytes = CBytes.t +module type Blake2 = Blake2_generic with type bytes = CBytes.t diff --git a/ocaml/hacl-star/SharedFunctors.ml b/ocaml/hacl-star/SharedFunctors.ml new file mode 100644 index 00000000..9b285558 --- /dev/null +++ b/ocaml/hacl-star/SharedFunctors.ml 
@@ -0,0 +1,402 @@ +open Unsigned + +open SharedDefs +open AutoConfig2 + +let check_reqs = List.iter (fun x -> assert (has_feature x)) + +module Make_Chacha20_Poly1305_generic (C: Buffer) + (Impl : sig + val reqs : feature list + val encrypt : C.buf -> C.buf -> uint32 -> C.buf -> uint32 -> C.buf -> C.buf -> C.buf -> unit + val decrypt : C.buf -> C.buf -> uint32 -> C.buf -> uint32 -> C.buf -> C.buf -> C.buf -> uint32 + end) += struct + type bytes = C.t + open AEADDefs + let alg = CHACHA20_POLY1305 + + module Noalloc = struct + let encrypt ~key ~iv ~ad ~pt ~ct ~tag = + check_reqs Impl.reqs; + (* code/chacha20poly1305/Hacl.Impl.Chacha20Poly1305.aead_encrypt_st *) + check_sizes ~alg ~iv_len:(C.size iv) ~tag_len:(C.size tag) + ~ad_len:(C.size ad)~pt_len:(C.size pt) ~ct_len:(C.size ct); + assert (C.disjoint key ct); + assert (C.disjoint iv ct); + assert (C.disjoint key tag); + assert (C.disjoint iv tag); + assert (C.disjoint ct tag); + assert (C.disjoint ad ct); + Impl.encrypt (C.ctypes_buf key) (C.ctypes_buf iv) (C.size_uint32 ad) (C.ctypes_buf ad) + (C.size_uint32 pt) (C.ctypes_buf pt) (C.ctypes_buf ct) (C.ctypes_buf tag) + let decrypt ~key ~iv ~ad ~ct ~tag ~pt = + check_reqs Impl.reqs; + (* code/chacha20poly1305/Hacl.Impl.Chacha20Poly1305.aead_decrypt_st *) + check_sizes ~alg ~iv_len:(C.size iv) ~tag_len:(C.size tag) + ~ad_len:(C.size ad)~pt_len:(C.size pt) ~ct_len:(C.size ct); + let result = Impl.decrypt (C.ctypes_buf key) (C.ctypes_buf iv) (C.size_uint32 ad) (C.ctypes_buf ad) + (C.size_uint32 pt) (C.ctypes_buf pt) (C.ctypes_buf ct) (C.ctypes_buf tag) + in + UInt32.to_int result = 0 + end + let encrypt ~key ~iv ~ad ~pt = + let ct = C.make (C.size pt) in + let tag = C.make (tag_length alg) in + Noalloc.encrypt ~key ~iv ~ad ~pt ~ct ~tag; + (ct, tag) + let decrypt ~key ~iv ~ad ~ct ~tag = + let pt = C.make (C.size ct) in + if Noalloc.decrypt ~key ~iv ~ad ~ct ~tag ~pt then + Some pt + else + None +end + +module Make_Curve25519_generic (C: Buffer) + (Impl : sig + val reqs : 
feature list + val secret_to_public : C.buf -> C.buf -> unit + val scalarmult : C.buf -> C.buf -> C.buf -> unit + val ecdh : C.buf -> C.buf -> C.buf -> bool + end) += struct + type bytes = C.t + module Noalloc = struct + let secret_to_public ~sk ~pk = + check_reqs Impl.reqs; + (* Hacl.Impl.Curve25519.Generic.secret_to_public_st *) + assert (C.disjoint pk sk); + assert (C.size pk = 32); + assert (C.size sk = 32); + Impl.secret_to_public (C.ctypes_buf pk) (C.ctypes_buf sk) + let scalarmult ~scalar ~point ~result = + check_reqs Impl.reqs; + (* Hacl.Impl.Curve25519.Generic.scalarmult_st *) + assert (C.disjoint result scalar); + assert (C.disjoint result point); + assert (C.size result = 32); + assert (C.size scalar = 32); + assert (C.size point = 32); + Impl.scalarmult (C.ctypes_buf result) (C.ctypes_buf scalar) (C.ctypes_buf point) + let ecdh ~sk ~pk ~shared = + check_reqs Impl.reqs; + (* Hacl.Impl.Curve25519.Generic.ecdh_st *) + assert (C.disjoint shared sk); + assert (C.disjoint shared pk); + assert (C.size shared = 32); + assert (C.size sk = 32); + assert (C.size pk = 32); + Impl.ecdh (C.ctypes_buf shared) (C.ctypes_buf sk) (C.ctypes_buf pk) + end + let secret_to_public ~sk = + let pk = C.make 32 in + Noalloc.secret_to_public ~sk ~pk; + pk + let scalarmult ~scalar ~point = + let result = C.make 32 in + Noalloc.scalarmult ~scalar ~point ~result; + result + let ecdh ~sk ~pk = + let shared = C.make 32 in + if Noalloc.ecdh ~sk ~pk ~shared then + Some shared + else + None +end + +module Make_EdDSA_generic (C: Buffer) + (Impl : sig + val secret_to_public : C.buf -> C.buf -> unit + val sign : C.buf -> C.buf -> uint32 -> C.buf -> unit + val verify : C.buf -> uint32 -> C.buf -> C.buf -> bool + val expand_keys : C.buf -> C.buf -> unit + val sign_expanded : C.buf -> C.buf -> uint32 -> C.buf -> unit + end) += struct + type bytes = C.t + let max_size_t = pow2 32 + let verify ~pk ~msg ~signature = + (* Hacl.Ed25519.verify *) + assert (C.size pk = 32); + assert (C.size signature 
= 64); + assert Z.(of_int (C.size msg) + ~$64 <= max_size_t); + Impl.verify (C.ctypes_buf pk) (C.size_uint32 msg) (C.ctypes_buf msg) (C.ctypes_buf signature) + module Noalloc = struct + let secret_to_public ~sk ~pk = + (* Hacl.Ed25519.secret_to_public *) + assert (C.size pk = 32); + assert (C.size sk = 32); + assert (C.disjoint pk sk); + Impl.secret_to_public (C.ctypes_buf pk) (C.ctypes_buf sk) + let sign ~sk ~msg ~signature = + (* Hacl.Ed25519.sign *) + assert (C.size sk = 32); + assert (C.size signature = 64); + assert Z.(of_int (C.size msg) + ~$64 <= max_size_t); + Impl.sign (C.ctypes_buf signature) (C.ctypes_buf sk) (C.size_uint32 msg) (C.ctypes_buf msg) + let expand_keys ~sk ~ks = + (* Hacl.Ed25519.expand_keys *) + assert (C.size ks = 96); + assert (C.size sk = 32); + assert (C.disjoint ks sk); (* VD: redundant for Bytes, since size is different *) + Impl.expand_keys (C.ctypes_buf ks) (C.ctypes_buf sk) + let sign_expanded ~ks ~msg ~signature = + (* Hacl.Ed25519.sign_expanded *) + assert (C.size ks = 96); + assert (C.size signature = 64); + assert Z.(of_int (C.size msg) + ~$64 <= max_size_t); + Impl.sign_expanded (C.ctypes_buf signature) (C.ctypes_buf ks) (C.size_uint32 msg) (C.ctypes_buf msg) + end + let secret_to_public ~sk = + let pk = C.make 32 in + Noalloc.secret_to_public ~sk ~pk; + pk + let sign ~sk ~msg = + let signature = C.make 64 in + Noalloc.sign ~sk ~msg ~signature; + signature + let expand_keys ~sk = + let ks = C.make 96 in + Noalloc.expand_keys ~sk ~ks; + ks + let sign_expanded ~ks ~msg = + let signature = C.make 64 in + Noalloc.sign_expanded ~ks ~msg ~signature; + signature +end + +(* HashDefs only defines algorithms that are included in the EverCrypt agile hashing interface. + In addition to these, HACL* also includes SHA-3. We extend the `hash_alg` type so we can + use the same functor for all hash functions. 
*) +type all_hash_alg = + | Agile of HashDefs.alg + | SHA3_224 + | SHA3_256 + | SHA3_384 + | SHA3_512 + +module Make_HashFunction_generic (C: Buffer) + (Impl : sig + val hash_alg : all_hash_alg + val hash : C.buf -> uint32 -> C.buf -> unit + end) += struct + type bytes = C.t + let digest_len = function + | SHA3_224 -> 28 + | SHA3_256 -> 32 + | SHA3_384 -> 48 + | SHA3_512 -> 64 + | Agile alg -> HashDefs.digest_len alg + let check_max_input_len alg len = + match alg with + | Agile alg -> HashDefs.check_max_input_len alg len + | _ -> () + module Noalloc = struct + let hash ~msg ~digest = + check_max_input_len Impl.hash_alg (C.size msg); + assert (C.size digest = digest_len Impl.hash_alg); + assert (C.disjoint msg digest); + Impl.hash (C.ctypes_buf msg) (C.size_uint32 msg) (C.ctypes_buf digest) + end + let hash msg = + let digest = C.make (digest_len Impl.hash_alg) in + Noalloc.hash ~msg ~digest; + digest +end + +module Make_Poly1305_generic (C: Buffer) + (Impl : sig + val reqs : feature list + val mac : C.buf -> uint32 -> C.buf -> C.buf -> unit + end) += struct + type bytes = C.t + module Noalloc = struct + let mac ~key ~msg ~tag = + check_reqs Impl.reqs; + (* Hacl.Impl.Poly1305.poly1305_mac_st *) + assert (C.size tag = 16); + assert (C.size key = 32); + assert (C.disjoint tag msg); + assert (C.disjoint key msg); + Impl.mac (C.ctypes_buf tag) (C.size_uint32 msg) (C.ctypes_buf msg) (C.ctypes_buf key) + end + let mac ~key ~msg = + let tag = C.make 16 in + Noalloc.mac ~key ~msg ~tag; + tag +end + +module Make_HMAC_generic (C: Buffer) + (Impl : sig + val hash_alg : HashDefs.alg + val mac : C.buf -> C.buf -> uint32 -> C.buf -> uint32 -> unit + end) += struct + type bytes = C.t + module Noalloc = struct + let mac ~key ~msg ~tag = + (* Hacl.HMAC.compute_st *) + assert (HashDefs.digest_len Impl.hash_alg = C.size tag); + assert (C.disjoint tag key); + HashDefs.check_key_len Impl.hash_alg (C.size key); + HashDefs.check_key_len Impl.hash_alg (C.size msg); + Impl.mac 
(C.ctypes_buf tag) (C.ctypes_buf key) (C.size_uint32 key) (C.ctypes_buf msg) (C.size_uint32 msg) + end + let mac ~key ~msg = + let tag = C.make (HashDefs.digest_len Impl.hash_alg) in + Noalloc.mac ~key ~msg ~tag; + tag +end + +module Make_HKDF_generic (C: Buffer) + (Impl: sig + val hash_alg : HashDefs.alg + val extract : C.buf -> C.buf -> uint32 -> C.buf -> uint32 -> unit + val expand : C.buf -> C.buf -> uint32 -> C.buf -> uint32 -> uint32 -> unit + end) += struct + type bytes = C.t + module Noalloc = struct + let extract ~salt ~ikm ~prk = + (* Hacl.HKDF.extract_st *) + assert (C.size prk = HashDefs.digest_len Impl.hash_alg); + assert (C.disjoint salt prk); + assert (C.disjoint ikm prk); + HashDefs.check_key_len Impl.hash_alg (C.size salt); + HashDefs.check_key_len Impl.hash_alg (C.size ikm); + Impl.extract (C.ctypes_buf prk) (C.ctypes_buf salt) (C.size_uint32 salt) (C.ctypes_buf ikm) (C.size_uint32 ikm) + let expand ~prk ~info ~okm = + (* Hacl.HKDF.expand_st *) + assert (C.size okm <= 255 * HashDefs.digest_len Impl.hash_alg); + assert (C.disjoint okm prk); + assert (HashDefs.digest_len Impl.hash_alg <= C.size prk); + HashDefs.(check_max_input_len Impl.hash_alg (digest_len Impl.hash_alg + block_len Impl.hash_alg + C.size info + 1)); + HashDefs.check_key_len Impl.hash_alg (C.size prk); + Impl.expand (C.ctypes_buf okm) (C.ctypes_buf prk) (C.size_uint32 prk) (C.ctypes_buf info) (C.size_uint32 info) (C.size_uint32 okm) + end + let extract ~salt ~ikm = + let prk = C.make (HashDefs.digest_len Impl.hash_alg) in + Noalloc.extract ~salt ~ikm ~prk; + prk + let expand ~prk ~info ~size = + let okm = C.make size in + Noalloc.expand ~prk ~info ~okm; + okm +end + +module Make_ECDSA_generic (C: Buffer) + (Impl : sig + val min_msg_size : int + val sign : C.buf -> uint32 -> C.buf -> C.buf -> C.buf -> bool + val verify : uint32 -> C.buf -> C.buf -> C.buf -> C.buf -> bool + end) += struct + type bytes = C.t + let get_result r = + if r = UInt64.zero then + true + else + if r = 
UInt64.max_int then + false + else + failwith "Unknown return value" + let prime_p256_order = Z.of_string "115792089210356248762697446949407573529996955224135760342422259061068512044369" + module Noalloc = struct + let sign ~sk ~msg ~k ~signature = + (* Hacl.Interface.P256.ECDSA.ecdsa_sign_p256_without_hash/sha2/sha384 *) + assert (C.size signature = 64); + assert (C.size sk = 32); + assert (C.size k = 32); + assert (C.size msg >= Impl.min_msg_size); + assert (C.disjoint signature msg); + assert (C.z_compare sk prime_p256_order < 0); + assert (C.z_compare k prime_p256_order < 0); + Impl.sign (C.ctypes_buf signature) (C.size_uint32 msg) (C.ctypes_buf msg) (C.ctypes_buf sk) (C.ctypes_buf k) + end + let sign ~sk ~msg ~k = + let signature = C.make 64 in + if Noalloc.sign ~sk ~msg ~k ~signature then + Some signature + else + None + let verify ~pk ~msg ~signature = + (* Hacl.Interface.P256.ECDSA.ecdsa_verif_without_hash/sha2/sha384 *) + assert (C.size signature = 64); + assert (C.size pk = 64); + assert (C.size msg >= Impl.min_msg_size); + let r, s = C.sub signature 0 32, C.sub signature 32 32 in + Impl.verify (C.size_uint32 msg) (C.ctypes_buf msg) (C.ctypes_buf pk) (C.ctypes_buf r) (C.ctypes_buf s) +end + + +module Make_Blake2b_generic (C: Buffer) + (Impl : sig + val reqs : feature list + val blake2b : uint32 -> C.buf -> uint32 -> C.buf -> uint32 -> C.buf -> unit + end) += struct + type bytes = C.t + module Noalloc = struct + let hash ~key ~msg ~digest = + check_reqs Impl.reqs; + (* specs/Spec.Blake2.blake2b *) + assert (C.size digest > 0 && C.size digest <= 64); + assert (C.size key <= 64); + if C.size key = 0 then + assert Z.(of_int (C.size msg) < pow2 128) + else + assert Z.(of_int (C.size msg) + ~$128 < pow2 128); + assert (C.disjoint key msg); + assert (C.disjoint key digest); + assert (C.disjoint msg digest); + Impl.blake2b (C.size_uint32 digest) (C.ctypes_buf digest) (C.size_uint32 msg) (C.ctypes_buf msg) (C.size_uint32 key) (C.ctypes_buf key) + end + let hash 
?(key = C.empty) msg size = + assert (size > 0 && size <= 64); + let digest = C.make size in + Noalloc.hash ~key ~msg ~digest; + digest +end + +module Make_Blake2s_generic (C: Buffer) + (Impl : sig + val reqs : feature list + val blake2s : uint32 -> C.buf -> uint32 -> C.buf -> uint32 -> C.buf -> unit + end) += struct + type bytes = C.t + module Noalloc = struct + let hash ~key ~msg ~digest = + check_reqs Impl.reqs; + (* specs/Spec.Blake2.blake2s *) + assert (C.size digest > 0 && C.size digest <= 32); + assert (C.size key <= 32); + if C.size key = 0 then + assert Z.(of_int (C.size msg) < pow2 64) + else + assert Z.(of_int (C.size msg) + ~$64 < pow2 64); + assert (C.disjoint key msg); + assert (C.disjoint key digest); + assert (C.disjoint msg digest); + Impl.blake2s (C.size_uint32 digest) (C.ctypes_buf digest) (C.size_uint32 msg) (C.ctypes_buf msg) (C.size_uint32 key) (C.ctypes_buf key) + end + let hash ?(key = C.empty) msg size = + assert (size > 0 && size <= 32); + let digest = C.make size in + Noalloc.hash ~key ~msg ~digest; + digest +end + +module Make_Chacha20_Poly1305 = Make_Chacha20_Poly1305_generic (CBytes) +module Make_Curve25519 = Make_Curve25519_generic (CBytes) +module Make_EdDSA = Make_EdDSA_generic (CBytes) +module Make_HashFunction = Make_HashFunction_generic (CBytes) +module Make_Poly1305 = Make_Poly1305_generic (CBytes) +module Make_HMAC = Make_HMAC_generic (CBytes) +module Make_HKDF = Make_HKDF_generic (CBytes) +module Make_ECDSA = Make_ECDSA_generic (CBytes) +module Make_Blake2b = Make_Blake2b_generic (CBytes) +module Make_Blake2s = Make_Blake2s_generic (CBytes) diff --git a/ocaml/hacl-star/dune b/ocaml/hacl-star/dune new file mode 100644 index 00000000..0040c073 --- /dev/null +++ b/ocaml/hacl-star/dune 
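Review bot: Every precondition in these functors — the buffer-size and disjointness checks in each `Noalloc` module and the CPU-feature check in `check_reqs` at the top of the file — is an `assert`, so a build compiled with `-noassert` passes undersized or aliased buffers straight to the C implementations with no check at all. Since these checks are what keep the FFI calls memory-safe, they should raise unconditionally, e.g. `if C.size pk <> 32 then invalid_arg "secret_to_public: pk must be 32 bytes"`, with `assert` reserved for internal invariants. In `Make_ECDSA_generic`, `get_result` takes a `UInt64` while `Impl.sign` and `Impl.verify` already return `bool`, so it is dead code and can be dropped. Also there, `C.z_compare sk prime_p256_order < 0` (and the same for `k`) is a variable-time bignum comparison over the secret key and the signing secret, and it does not reject a zero scalar; unless the underlying C code repeats the range check in constant time, this comparison is the only validation and it leaks timing on secret material, so it would be better to rely on a constant-time check in the implementation and document that here.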
@@ -0,0 +1,16 @@
+(library
+ (name hacl_star)
+ (public_name hacl-star)
+ (libraries hacl-star-raw
+ zarith)
+ (preprocessor_deps config.h)
+ (preprocess (action (run %{bin:cppo} %{input-file})))
+ (flags (:standard -warn-error -3)))
+
+(documentation
+ (package hacl-star)
+ (mld_files index))
+
+(rule (targets config.h) (deps)
+ (action
+ (bash "cp $(ocamlfind query hacl-star-raw)/config.h .")))
diff --git a/ocaml/hacl-star/dune-project b/ocaml/hacl-star/dune-project
new file mode 100644
index 00000000..f64e6e93
--- /dev/null
+++ b/ocaml/hacl-star/dune-project
@@ -0,0 +1,2 @@
+(lang dune 1.2)
+(name hacl-star)
diff --git a/ocaml/hacl-star/hacl-star.opam b/ocaml/hacl-star/hacl-star.opam
new file mode 100644
index 00000000..17105dca
--- /dev/null
+++ b/ocaml/hacl-star/hacl-star.opam
@@ -0,0 +1,35 @@
+opam-version: "2.0"
+name: "hacl-star"
+version: "0.4.5"
+synopsis: "OCaml API for EverCrypt/HACL*"
+description: """
+Documentation for this library can be found
+[here](https://hacl-star.github.io/ocaml_doc/hacl-star/index.html).
+"""
+maintainer: "Victor Dumitrescu "
+authors: [ "Project Everest" ]
+license: "Apache-2.0"
+homepage: "https://hacl-star.github.io/"
+doc: "https://hacl-star.github.io/ocaml_doc"
+bug-reports: "https://github.com/project-everest/hacl-star/issues"
+depends: [
+ "ocaml" { >= "4.08.0" }
+ "dune" {>= "1.2"}
+ "hacl-star-raw" {= version}
+ "zarith"
+ "cppo" {build}
+ "odoc" {with-doc}
+]
+available: [
+ os = "freebsd" | os-family != "bsd"
+]
+build: [
+ [
+ "dune" "build" "-p" name "-j" jobs
+ "@doc" {with-doc}
+ ]
+]
+run-test: [
+ ["dune" "runtest" "-p" name "-j" jobs]
+]
+dev-repo: "git+https://github.com/project-everest/hacl-star.git"
diff --git a/ocaml/hacl-star/index.mld b/ocaml/hacl-star/index.mld
new file mode 100644
index 00000000..c5b12db9
--- /dev/null
+++ b/ocaml/hacl-star/index.mld
@@ -0,0 +1,5 @@
+{0 OCaml API for HACL* and EverCrypt}
+
+{{!Hacl_star.EverCrypt}EverCrypt}
+
+{{!Hacl_star.Hacl}Hacl}
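Review bot: The `config.h` rule declares `(deps)` empty and shells out with `(bash "cp $(ocamlfind query hacl-star-raw)/config.h .")`, so dune neither records hacl-star-raw as an input of the rule nor re-runs it when the installed header changes, and the build silently depends on `ocamlfind` and `bash` being on PATH; the identical rule is repeated in `ocaml/hacl-star/tests/dune`. The portable form is `(rule (targets config.h) (action (copy %{lib:hacl-star-raw:config.h} config.h)))`, which lets dune locate and track the file itself, and the same replacement applies to the tests rule.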
diff --git a/ocaml/hacl-star/tests/aead_test.ml b/ocaml/hacl-star/tests/aead_test.ml
new file mode 100644
index 00000000..5491a836
--- /dev/null
+++ b/ocaml/hacl-star/tests/aead_test.ml
@@ -0,0 +1,147 @@ +open EverCrypt.Error +open AutoConfig2 + +open SharedDefs +open Test_utils + +type 'a aead_test = + { alg: AEADDefs.alg; + key_len: int; msg_len: int; iv_len: int ; ad_len: int; tag_len: int; + test_key: 'a; test_iv: 'a; test_ad: 'a; + test_pt: 'a; test_ct: 'a; test_tag: 'a + } + +(* TODO: add tests for AES128_GCM, AES256_GCM *) +let chacha20poly1305_test = + { alg = AEADDefs.CHACHA20_POLY1305; key_len = 32; msg_len = 114; iv_len = 12; ad_len = 12; tag_len = 16; + test_key = Bytes.of_string "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"; + test_iv = Bytes.of_string "\x07\x00\x00\x00\x40\x41\x42\x43\x44\x45\x46\x47"; + test_ad = Bytes.of_string "\x50\x51\x52\x53\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7"; + test_pt = Bytes.of_string "\x4c\x61\x64\x69\x65\x73\x20\x61\x6e\x64\x20\x47\x65\x6e\x74\x6c\x65\x6d\x65\x6e\x20\x6f\x66\x20\x74\x68\x65\x20\x63\x6c\x61\x73\x73\x20\x6f\x66\x20\x27\x39\x39\x3a\x20\x49\x66\x20\x49\x20\x63\x6f\x75\x6c\x64\x20\x6f\x66\x66\x65\x72\x20\x79\x6f\x75\x20\x6f\x6e\x6c\x79\x20\x6f\x6e\x65\x20\x74\x69\x70\x20\x66\x6f\x72\x20\x74\x68\x65\x20\x66\x75\x74\x75\x72\x65\x2c\x20\x73\x75\x6e\x73\x63\x72\x65\x65\x6e\x20\x77\x6f\x75\x6c\x64\x20\x62\x65\x20\x69\x74\x2e"; + test_ct = Bytes.of_string "\xd3\x1a\x8d\x34\x64\x8e\x60\xdb\x7b\x86\xaf\xbc\x53\xef\x7e\xc2\xa4\xad\xed\x51\x29\x6e\x08\xfe\xa9\xe2\xb5\xa7\x36\xee\x62\xd6\x3d\xbe\xa4\x5e\x8c\xa9\x67\x12\x82\xfa\xfb\x69\xda\x92\x72\x8b\x1a\x71\xde\x0a\x9e\x06\x0b\x29\x05\xd6\xa5\xb6\x7e\xcd\x3b\x36\x92\xdd\xbd\x7f\x2d\x77\x8b\x8c\x98\x03\xae\xe3\x28\x09\x1b\x58\xfa\xb3\x24\xe4\xfa\xd6\x75\x94\x55\x85\x80\x8b\x48\x31\xd7\xbc\x3f\xf4\xde\xf0\x8e\x4b\x7a\x9d\xe5\x76\xd2\x65\x86\xce\xc6\x4b\x61\x16"; + test_tag = Bytes.of_string "\x1a\xe1\x0b\x59\x4f\x09\xe2\x6a\x7e\x90\x2e\xcb\xd0\x60\x06\x91" + } + + +let validate_test (v: Bytes.t aead_test) = + assert (Bytes.length v.test_key = v.key_len); + assert 
(Bytes.length v.test_iv = v.iv_len); + assert (Bytes.length v.test_ad = v.ad_len); + assert (Bytes.length v.test_pt = v.msg_len); + assert (Bytes.length v.test_ct = v.msg_len); + assert (Bytes.length v.test_tag = v.tag_len) + +let test_agile_noalloc (v: Bytes.t aead_test) = + let open EverCrypt.AEAD in + let test_result = test_result "EverCrypt.AEAD.Noalloc" in + + validate_test v; + let ct = Test_utils.init_bytes v.msg_len in + let tag = Test_utils.init_bytes v.tag_len in + + match init ~alg:v.alg ~key:v.test_key with + | Success st -> begin + match Noalloc.encrypt ~st ~iv:v.test_iv ~ad:v.test_ad ~pt:v.test_pt ~ct ~tag with + | Success () -> begin + if Bytes.equal tag v.test_tag && Bytes.equal ct v.test_ct then + test_result Success "Encryption succeeded" + else + test_result Failure "Wrong ciphertext/mac"; + let pt = Test_utils.init_bytes v.msg_len in + match Noalloc.decrypt ~st ~iv:v.test_iv ~ad:v.test_ad ~ct ~tag:v.test_tag ~pt with + | Success () -> + if Bytes.equal v.test_pt pt then + test_result Success "Decryption succeeded" + else + test_result Failure "Decrypted and plaintext do not match" + | Error err -> test_result Failure (Printf.sprintf "Decryption error: %s" (print_error err)) + end + | Error err -> test_result Failure (Printf.sprintf "Encryption error: %s" (print_error err)) + end + | Error err -> test_result Failure (Printf.sprintf "Init error: %s" (print_error err)) + +let test_agile (v: Bytes.t aead_test) = + let open EverCrypt.AEAD in + let test_result = test_result "EverCrypt.AEAD.Noalloc" in + + match init ~alg:v.alg ~key:v.test_key with + | Success st -> begin + match encrypt ~st ~iv:v.test_iv ~ad:v.test_ad ~pt:v.test_pt with + | Success (ct, tag) -> begin + if Bytes.equal tag v.test_tag && Bytes.equal ct v.test_ct then + test_result Success "Encryption succeeded" + else + test_result Failure "Wrong ciphertext/mac"; + match decrypt ~st ~iv:v.test_iv ~ad:v.test_ad ~ct ~tag:v.test_tag with + | Success pt -> + if Bytes.equal v.test_pt pt then + 
test_result Success "Decryption succeeded" + else + test_result Failure "Decrypted and plaintext do not match" + | Error err -> test_result Failure (Printf.sprintf "Decryption error: %s" (print_error err)) + end + | Error err -> test_result Failure (Printf.sprintf "Encryption error: %s" (print_error err)) + end + | Error err -> test_result Failure (Printf.sprintf "Init error: %s" (print_error err)) + +module MakeTests (M: Chacha20_Poly1305) = struct + let test_nonagile_noalloc (v: Bytes.t aead_test) t reqs = + let test_result = test_result (t ^ ".Noalloc") in + if supports reqs then begin + let ct = Test_utils.init_bytes v.msg_len in + let tag = Test_utils.init_bytes v.tag_len in + M.Noalloc.encrypt ~key:v.test_key ~iv:v.test_iv ~ad:v.test_ad ~pt:v.test_pt ~ct ~tag; + if Bytes.equal tag v.test_tag && Bytes.equal ct v.test_ct then + test_result Success "Encryption succeeded" + else + test_result Failure "Wrong ciphertext/mac"; + let pt = Test_utils.init_bytes v.msg_len in + if M.Noalloc.decrypt ~key:v.test_key ~iv:v.test_iv ~ad:v.test_ad ~ct ~tag ~pt then + if Bytes.equal v.test_pt pt then + test_result Success "Decryption succeeded" + else + test_result Failure "Decrypted and plaintext do not match" + else test_result Failure "Decryption error" + end else + test_result Skipped "Required CPU feature not detected" + + let test_nonagile (v: Bytes.t aead_test) t reqs = + let test_result = test_result t in + if supports reqs then begin + let ct, tag = M.encrypt ~key:v.test_key ~iv:v.test_iv ~ad:v.test_ad ~pt:v.test_pt in + if Bytes.equal tag v.test_tag && Bytes.equal ct v.test_ct then + test_result Success "Encryption succeeded" + else + test_result Failure "Wrong ciphertext/mac"; + match M.decrypt ~key:v.test_key ~iv:v.test_iv ~ad:v.test_ad ~ct ~tag with + | Some pt -> + if Bytes.equal v.test_pt pt then + test_result Success "Decryption succeeded" + else + test_result Failure "Decrypted and plaintext do not match" + | None -> + test_result Failure "Decryption error" + 
end else + test_result Skipped "Required CPU feature not detected" + + let run_tests name reqs = + test_nonagile_noalloc chacha20poly1305_test name reqs; + test_nonagile chacha20poly1305_test name reqs +end + + +let _ = + test_agile_noalloc chacha20poly1305_test; + test_agile chacha20poly1305_test; + + let module Tests = MakeTests (EverCrypt.Chacha20_Poly1305) in + Tests.run_tests "EverCrypt.Chacha20_Poly1305" []; + + let module Tests = MakeTests (Hacl.Chacha20_Poly1305_32) in + Tests.run_tests "Hacl.Chacha20_Poly1305_32" []; + + let module Tests = MakeTests (Hacl.Chacha20_Poly1305_128) in + Tests.run_tests "Hacl.Chacha20_Poly1305_128" [VEC128]; + + let module Tests = MakeTests (Hacl.Chacha20_Poly1305_256) in + Tests.run_tests "Hacl.Chacha20_Poly1305_256" [VEC256] diff --git a/ocaml/hacl-star/tests/config_test.ml b/ocaml/hacl-star/tests/config_test.ml new file mode 100644 index 00000000..eb6eb264 --- /dev/null +++ b/ocaml/hacl-star/tests/config_test.ml 
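Review bot: `test_agile` labels its results `"EverCrypt.AEAD.Noalloc"`, copied from `test_agile_noalloc`, so failures of the allocating API are reported under the Noalloc name; it should read `let test_result = test_result "EverCrypt.AEAD" in`. There is also no negative case anywhere in the file: decryption is only attempted with the correct tag and ciphertext, so an implementation that skips tag verification would pass this suite unnoticed. One extra call per variant that decrypts with a tag differing from `v.test_tag` and expects an `Error`/`false`/`None` result would close that gap, and the `TODO` on AES-GCM vectors is worth tracking since `aead_test` is typed over `AEADDefs.alg` but only ever runs Chacha20-Poly1305.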
@@ -0,0 +1,33 @@
+open AutoConfig2
+
+open Test_utils
+
+let test_random_noalloc () =
+ let test_result = test_result "Hacl.RandomBuffer.randombytes_noalloc" in
+ let buf = Test_utils.init_bytes 256 in
+ if Hacl.RandomBuffer.Noalloc.randombytes ~out:buf then
+ test_result Success ""
+ else
+ test_result Failure ""
+
+let test_random () =
+ let test_result = test_result "Hacl.RandomBuffer.randombytes" in
+ if Option.is_some (Hacl.RandomBuffer.randombytes ~size:128) then
+ test_result Success ""
+ else
+ test_result Failure ""
+
+let _ =
+ Printf.printf "SHAEXT: %b\n" (has_feature SHAEXT);
+ Printf.printf "AES_NI: %b\n" (has_feature AES_NI);
+ Printf.printf "PCLMULQDQ: %b\n" (has_feature PCLMULQDQ);
+ Printf.printf "VEC256: %b\n" (has_feature VEC256);
+ Printf.printf "VEC128: %b\n" (has_feature VEC128);
+ Printf.printf "BMI2: %b\n" (has_feature BMI2);
+ Printf.printf "ADX: %b\n" (has_feature ADX);
+ Printf.printf "SSE: %b\n" (has_feature SSE);
+ Printf.printf "MOVBE: %b\n" (has_feature MOVBE);
+ Printf.printf "RDRAND: %b\n" (has_feature RDRAND);
+
+ test_random_noalloc ();
+ test_random ()
diff --git a/ocaml/hacl-star/tests/curve25519_test.ml b/ocaml/hacl-star/tests/curve25519_test.ml
new file mode 100644
index 00000000..5e10c78f
--- /dev/null
+++ b/ocaml/hacl-star/tests/curve25519_test.ml
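Review bot: Both randomness tests accept any output: `test_random_noalloc` checks only the boolean from `Noalloc.randombytes` and `test_random` only `Option.is_some`, so a generator that reports success without writing to `buf`, or returns a buffer of the wrong length, still passes. A cheap strengthening is to keep `let before = Bytes.copy buf in` and fail when `Bytes.equal before buf` afterwards, and to replace `Option.is_some` with a match that checks `Bytes.length b = 128` on the `Some b` branch. The failure messages are empty strings, so a red result prints nothing useful; a short reason such as `"randombytes returned false"` is worth the extra characters.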
@@ -0,0 +1,82 @@ +open Test_utils +open AutoConfig2 + +type 'a curve25519_test = + { name : string ; scalar: 'a ; point : 'a ; expected : 'a } + +let tests = [ + { + name = "Test 1"; + scalar = Bytes.of_string "\xa5\x46\xe3\x6b\xf0\x52\x7c\x9d\x3b\x16\x15\x4b\x82\x46\x5e\xdd\x62\x14\x4c\x0a\xc1\xfc\x5a\x18\x50\x6a\x22\x44\xba\x44\x9a\xc4"; + point = Bytes.of_string "\xe6\xdb\x68\x67\x58\x30\x30\xdb\x35\x94\xc1\xa4\x24\xb1\x5f\x7c\x72\x66\x24\xec\x26\xb3\x35\x3b\x10\xa9\x03\xa6\xd0\xab\x1c\x4c"; + expected = Bytes.of_string "\xc3\xda\x55\x37\x9d\xe9\xc6\x90\x8e\x94\xea\x4d\xf2\x8d\x08\x4f\x32\xec\xcf\x03\x49\x1c\x71\xf7\x54\xb4\x07\x55\x77\xa2\x85\x52" + }; + { + name = "Test 2"; + scalar = Bytes.of_string "\x4b\x66\xe9\xd4\xd1\xb4\x67\x3c\x5a\xd2\x26\x91\x95\x7d\x6a\xf5\xc1\x1b\x64\x21\xe0\xea\x01\xd4\x2c\xa4\x16\x9e\x79\x18\xba\x0d"; + point = Bytes.of_string "\xe5\x21\x0f\x12\x78\x68\x11\xd3\xf4\xb7\x95\x9d\x05\x38\xae\x2c\x31\xdb\xe7\x10\x6f\xc0\x3c\x3e\xfc\x4c\xd5\x49\xc7\x15\xa4\x93"; + expected = Bytes.of_string "\x95\xcb\xde\x94\x76\xe8\x90\x7d\x7a\xad\xe4\x5c\xb4\xb8\x73\xf8\x8b\x59\x5a\x68\x79\x9f\xa1\x52\xe6\xf8\xf7\x64\x7a\xac\x79\x57" + } +] + +let basepoint = Bytes.init 32 (function 0 -> '\x09' | _ -> '\x00') + +module MakeTests (M: SharedDefs.Curve25519) = struct + let test_noalloc v t reqs = + let test_result = test_result (t ^ ".Noalloc " ^ v.name) in + if supports reqs then begin + let out_scalarmult = Test_utils.init_bytes 32 in + let out_ecdh = Test_utils.init_bytes 32 in + + let pk = Test_utils.init_bytes 32 in + M.Noalloc.scalarmult ~scalar:v.scalar ~point:basepoint ~result:pk; + let pk2 = Test_utils.init_bytes 32 in + M.Noalloc.secret_to_public ~sk:v.scalar ~pk:pk2; + if not (Bytes.equal pk pk2) then + test_result Failure "secret_to_public failure"; + + M.Noalloc.scalarmult ~scalar:v.scalar ~point:v.point ~result:out_scalarmult; + if M.Noalloc.ecdh ~sk:v.scalar ~pk:v.point ~shared:out_ecdh then + if Bytes.equal out_scalarmult v.expected && 
Bytes.equal out_ecdh v.expected then + test_result Success "" + else + test_result Failure "ECDH shared scret mismatch" + else + test_result Failure "ECDH failure" + end else + test_result Skipped "Required CPU feature not detected" + + let test v t reqs = + let test_result = test_result (t ^ " " ^ v.name) in + if supports reqs then begin + let pk = M.scalarmult ~scalar:v.scalar ~point:basepoint in + let pk2 = M.secret_to_public ~sk:v.scalar in + if not (Bytes.equal pk pk2) then + test_result Failure "secret_to_public failure"; + + let out_scalarmult = M.scalarmult ~scalar:v.scalar ~point:v.point in + match M.ecdh ~sk:v.scalar ~pk:v.point with + | Some out_ecdh -> + if Bytes.equal out_scalarmult v.expected && Bytes.equal out_ecdh v.expected then + test_result Success "" + else + test_result Failure "ECDH shared scret mismatch" + | None -> + test_result Failure "ECDH failure" + end else + test_result Skipped "Required CPU feature not detected" + + let run_tests name reqs = + List.iter (fun v -> test_noalloc v name reqs) tests; + List.iter (fun v -> test v name reqs) tests +end + +let _ = + let module Tests = MakeTests (EverCrypt.Curve25519) in + Tests.run_tests "EverCrypt.Curve25519" []; + + let module Tests = MakeTests (Hacl.Curve25519_51) in + Tests.run_tests "Hacl.Curve25519_51" []; + + let module Tests = MakeTests (Hacl.Curve25519_64) in + Tests.run_tests "Hacl.Curve25519_64" [BMI2; ADX] diff --git a/ocaml/hacl-star/tests/drbg_test.ml b/ocaml/hacl-star/tests/drbg_test.ml new file mode 100644 index 00000000..19b64fce --- /dev/null +++ b/ocaml/hacl-star/tests/drbg_test.ml 
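Review bot: `"ECDH shared scret mismatch"` is misspelled in both `test_noalloc` and `test`; since it is the message a failing run prints, both should become `test_result Failure "ECDH shared secret mismatch"`. In both functions a `secret_to_public failure` is reported and execution continues to a possible `Success` under the same test name, so the final verdict depends on how `test_result` in Test_utils (outside this hunk) treats repeated results for one name. The vectors are positive cases only: nothing checks that `M.ecdh` returns `None` (and `Noalloc.ecdh` returns `false`) when the shared secret is all-zero, which is the one behaviour that distinguishes `ecdh` from `scalarmult` in this interface.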
@@ -0,0 +1,31 @@
+open Test_utils
+open SharedDefs.HashDefs
+
+let test name alg =
+ let test_result = test_result ("EverCrypt.DRBG with " ^ name) in
+ assert (EverCrypt.DRBG.is_supported_alg alg);
+ match EverCrypt.DRBG.instantiate alg ~personalization_string:(init_bytes 128) with
+ | Some st ->
+ (* reseeding is optional, it is included here for testing purposes *)
+ if EverCrypt.DRBG.reseed st ~additional_input:(init_bytes 128) then
+ let output1 = init_bytes 1024 in
+ let output2 = init_bytes 1024 in
+ if EverCrypt.DRBG.Noalloc.generate st output1 ~additional_input:(init_bytes 128) &&
+ EverCrypt.DRBG.Noalloc.generate st output2 then
+ assert (output1 <> output2)
+ else
+ test_result Failure "Generation failure (noalloc)"
+ else
+ test_result Failure "Reseed failure";
+ (match EverCrypt.DRBG.generate st 512 with
+ | Some output ->
+ assert (Bytes.length output = 512)
+ | None ->
+ test_result Failure "Generation failure");
+ test_result Success ""
+ | None -> test_result Failure "Initialization failure"
+
+let _ =
+ test "SHA2_256" SHA2_256;
+ test "SHA2_384" SHA2_384;
+ test "SHA2_512" SHA2_512
diff --git a/ocaml/hacl-star/tests/dune b/ocaml/hacl-star/tests/dune
new file mode 100644
index 00000000..08669d66
--- /dev/null
+++ b/ocaml/hacl-star/tests/dune
@@ -0,0 +1,20 @@
+(tests
+ (names config_test
+ aead_test
+ curve25519_test
+ ed25519_test
+ hash_test
+ poly1305_test
+ hmac_test
+ hkdf_test
+ nacl_test
+ drbg_test
+ p256_test)
+ (libraries hacl-star)
+ (preprocessor_deps config.h)
+ (preprocess (action (run %{bin:cppo} %{input-file})))
+ (flags (:standard -open Hacl_star -warn-error -3)))
+
+(rule (targets config.h) (deps)
+ (action
+ (bash "cp $(ocamlfind query hacl-star-raw)/config.h .")))
diff --git a/ocaml/hacl-star/tests/ed25519_test.ml b/ocaml/hacl-star/tests/ed25519_test.ml
new file mode 100644
index 00000000..970e0783
--- /dev/null
+++ b/ocaml/hacl-star/tests/ed25519_test.ml
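Review bot: `test` can report both `Failure` and `Success` for the same name: a failed reseed or noalloc generation reaches `test_result Failure ...` and then falls through to the unconditional `test_result Success ""` at the end of the `Some st` branch, so unless `test_result` (in Test_utils, outside this hunk) aborts on the first failure the run reads as passing. Returning early after each failure, or computing a single `ok` flag and emitting one verdict at the end, would make the outcome unambiguous. The two `assert`s (`output1 <> output2` and the 512-byte length) abort the whole binary rather than producing a `Failure` line, so they should go through `test_result` like the other checks.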
@@ -0,0 +1,74 @@ +open Test_utils + +type 'a ed25519_test = + { name: string ; sk: 'a ; pk: 'a ; msg: 'a ; expected_sig: 'a } + + +let tests = [ + { + name = "Test 1"; + sk = Bytes.of_string "\x9d\x61\xb1\x9d\xef\xfd\x5a\x60\xba\x84\x4a\xf4\x92\xec\x2c\xc4\x44\x49\xc5\x69\x7b\x32\x69\x19\x70\x3b\xac\x03\x1c\xae\x7f\x60"; + pk = Bytes.of_string "\xd7\x5a\x98\x01\x82\xb1\x0a\xb7\xd5\x4b\xfe\xd3\xc9\x64\x07\x3a\x0e\xe1\x72\xf3\xda\xa6\x23\x25\xaf\x02\x1a\x68\xf7\x07\x51\x1a"; + msg = Bytes.of_string ""; + expected_sig = Bytes.of_string "\xe5\x56\x43\x00\xc3\x60\xac\x72\x90\x86\xe2\xcc\x80\x6e\x82\x8a\x84\x87\x7f\x1e\xb8\xe5\xd9\x74\xd8\x73\xe0\x65\x22\x49\x01\x55\x5f\xb8\x82\x15\x90\xa3\x3b\xac\xc6\x1e\x39\x70\x1c\xf9\xb4\x6b\xd2\x5b\xf5\xf0\x59\x5b\xbe\x24\x65\x51\x41\x43\x8e\x7a\x10\x0b" + }; + { + name = "Test 2"; + sk = Bytes.of_string "\x4c\xcd\x08\x9b\x28\xff\x96\xda\x9d\xb6\xc3\x46\xec\x11\x4e\x0f\x5b\x8a\x31\x9f\x35\xab\xa6\x24\xda\x8c\xf6\xed\x4f\xb8\xa6\xfb"; + pk = Bytes.of_string "\x3d\x40\x17\xc3\xe8\x43\x89\x5a\x92\xb7\x0a\xa7\x4d\x1b\x7e\xbc\x9c\x98\x2c\xcf\x2e\xc4\x96\x8c\xc0\xcd\x55\xf1\x2a\xf4\x66\x0c"; + msg = Bytes.of_string "\x72"; + expected_sig = Bytes.of_string "\x92\xa0\x09\xa9\xf0\xd4\xca\xb8\x72\x0e\x82\x0b\x5f\x64\x25\x40\xa2\xb2\x7b\x54\x16\x50\x3f\x8f\xb3\x76\x22\x23\xeb\xdb\x69\xda\x08\x5a\xc1\xe4\x3e\x15\x99\x6e\x45\x8f\x36\x13\xd0\xf1\x1d\x8c\x38\x7b\x2e\xae\xb4\x30\x2a\xee\xb0\x0d\x29\x16\x12\xbb\x0c\x00" + } +] + +module MakeTests (M: SharedDefs.EdDSA) = struct + let test_noalloc (v: Bytes.t ed25519_test) t = + let test_result = test_result (t ^ ".Noalloc " ^ v.name) in + + let signature = Test_utils.init_bytes 64 in + let pk = Test_utils.init_bytes 32 in + M.Noalloc.secret_to_public ~sk:v.sk ~pk; + if not (Bytes.equal pk v.pk) then + test_result Failure "secret_to_public failure"; + + M.Noalloc.sign ~sk:v.sk ~msg:v.msg ~signature; + if Bytes.equal signature v.expected_sig then + begin + if M.verify ~pk:v.pk ~msg:v.msg ~signature 
then + test_result Success "" + else + test_result Failure "verification" + end + else + test_result Failure "signing" + + let test (v: Bytes.t ed25519_test) t = + let test_result = test_result (t ^ " " ^ v.name) in + + let pk = M.secret_to_public ~sk:v.sk in + if not (Bytes.equal pk v.pk) then + test_result Failure "secret_to_public failure"; + + let signature = M.sign ~sk:v.sk ~msg:v.msg in + if Bytes.equal signature v.expected_sig then + begin + if M.verify ~pk:v.pk ~msg:v.msg ~signature then + test_result Success "" + else + test_result Failure "verification" + end + else + test_result Failure "signing" + + let run_tests name = + List.iter (fun v -> test_noalloc v name) tests; + List.iter (fun v -> test v name) tests +end + +(* TODO: tests for expand_keys, sign_expanded *) +let _ = + let module Tests = MakeTests (EverCrypt.Ed25519) in + Tests.run_tests "EverCrypt.Ed25519"; + + let module Tests = MakeTests (Hacl.Ed25519) in + Tests.run_tests "Hacl.Ed25519" diff --git a/ocaml/hacl-star/tests/hash_test.ml b/ocaml/hacl-star/tests/hash_test.ml new file mode 100644 index 00000000..167b960f --- /dev/null +++ b/ocaml/hacl-star/tests/hash_test.ml 
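Review bot: Neither `test` nor `test_noalloc` checks that `M.verify` rejects anything: both only assert that a correct signature verifies, so an implementation whose `verify` always returns `true` passes every vector. After the successful path I would add a corrupted-signature check, e.g. `let bad = Bytes.copy signature in` / `Bytes.set bad 0 (Char.chr (Char.code (Bytes.get bad 0) lxor 1));` / `if M.verify ~pk:v.pk ~msg:v.msg ~signature:bad then test_result Failure "corrupted signature accepted"`, and ideally the same with a one-byte change to `msg` and with the other vector's `pk`. The two vectors look like RFC 8032 §7.1 TEST 1 and TEST 2; a `(* RFC 8032, section 7.1, tests 1 and 2 *)` comment above `tests` would record their provenance. Note that after `test_result Failure "secret_to_public failure"` both functions continue and can still report `Success`, which is only correct if `test_result` latches on the first Failure — not visible in this hunk.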
@@ -0,0 +1,349 @@ +open EverCrypt +open SharedDefs +open AutoConfig2 + +open Test_utils + +type alg = + | SHA2_224 + | SHA2_256 + | SHA2_384 + | SHA2_512 + | SHA3_224 + | SHA3_256 + | SHA3_384 + | SHA3_512 + | Keccak_256 + | BLAKE2b + | BLAKE2s + | SHA1 + | MD5 + +type 'a hash_test = + { name: string; alg: alg; msg: 'a; expected: 'a } + +let test_sha2_224 : Bytes.t hash_test = + { + name = "SHA2_224 Test 1"; + alg = SHA2_224; + msg = Bytes.of_string "\x61\x62\x63"; + expected = Bytes.of_string "\x23\x09\x7d\x22\x34\x05\xd8\x22\x86\x42\xa4\x77\xbd\xa2\x55\xb3\x2a\xad\xbc\xe4\xbd\xa0\xb3\xf7\xe3\x6c\x9d\xa7" +} + +let test_sha2_256 : Bytes.t hash_test = + { + name = "SHA2_256 Test 1"; + alg = SHA2_256; + msg = Bytes.of_string "\x61\x62\x63"; + expected = Bytes.of_string "\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23\xb0\x03\x61\xa3\x96\x17\x7a\x9c\xb4\x10\xff\x61\xf2\x00\x15\xad" +} + +let test_sha2_384 : Bytes.t hash_test = + { + name = "SHA2_384 Test 1"; + alg = SHA2_384; + msg = Bytes.of_string "\x61\x62\x63"; + expected = Bytes.of_string "\xcb\x00\x75\x3f\x45\xa3\x5e\x8b\xb5\xa0\x3d\x69\x9a\xc6\x50\x07\x27\x2c\x32\xab\x0e\xde\xd1\x63\x1a\x8b\x60\x5a\x43\xff\x5b\xed\x80\x86\x07\x2b\xa1\xe7\xcc\x23\x58\xba\xec\xa1\x34\xc8\x25\xa7" +} + +let test_sha2_512 : Bytes.t hash_test = + { + name = "SHA2_512 Test 1"; + alg = SHA2_512; + msg = Bytes.of_string "\x61\x62\x63"; + expected = Bytes.of_string "\xdd\xaf\x35\xa1\x93\x61\x7a\xba\xcc\x41\x73\x49\xae\x20\x41\x31\x12\xe6\xfa\x4e\x89\xa9\x7e\xa2\x0a\x9e\xee\xe6\x4b\x55\xd3\x9a\x21\x92\x99\x2a\x27\x4f\xc1\xa8\x36\xba\x3c\x23\xa3\xfe\xeb\xbd\x45\x4d\x44\x23\x64\x3c\xe8\x0e\x2a\x9a\xc9\x4f\xa5\x4c\xa4\x9f" +} + +let test_sha3_224 : Bytes.t hash_test = + { + name = "SHA3_224 Test 1"; + alg = SHA3_224; + msg = Bytes.of_string "\x61\x62\x63"; + expected = Bytes.of_string "\xe6\x42\x82\x4c\x3f\x8c\xf2\x4a\xd0\x92\x34\xee\x7d\x3c\x76\x6f\xc9\xa3\xa5\x16\x8d\x0c\x94\xad\x73\xb4\x6f\xdf" +} + +let test_sha3_256 : 
Bytes.t hash_test = + { + name = "SHA3_256 Test 1"; + alg = SHA3_256; + msg = Bytes.of_string "\x61\x62\x63"; + expected = Bytes.of_string "\x3a\x98\x5d\xa7\x4f\xe2\x25\xb2\x04\x5c\x17\x2d\x6b\xd3\x90\xbd\x85\x5f\x08\x6e\x3e\x9d\x52\x5b\x46\xbf\xe2\x45\x11\x43\x15\x32" +} + +let test_sha3_384 : Bytes.t hash_test = + { + name = "SHA3_384 Test 1"; + alg = SHA3_384; + msg = Bytes.of_string "\x61\x62\x63"; + expected = Bytes.of_string "\xec\x01\x49\x82\x88\x51\x6f\xc9\x26\x45\x9f\x58\xe2\xc6\xad\x8d\xf9\xb4\x73\xcb\x0f\xc0\x8c\x25\x96\xda\x7c\xf0\xe4\x9b\xe4\xb2\x98\xd8\x8c\xea\x92\x7a\xc7\xf5\x39\xf1\xed\xf2\x28\x37\x6d\x25" +} + +let test_sha3_512 : Bytes.t hash_test = + { + name = "SHA3_512 Test 1"; + alg = SHA3_512; + msg = Bytes.of_string "\x61\x62\x63"; + expected = Bytes.of_string "\xb7\x51\x85\x0b\x1a\x57\x16\x8a\x56\x93\xcd\x92\x4b\x6b\x09\x6e\x08\xf6\x21\x82\x74\x44\xf7\x0d\x88\x4f\x5d\x02\x40\xd2\x71\x2e\x10\xe1\x16\xe9\x19\x2a\xf3\xc9\x1a\x7e\xc5\x76\x47\xe3\x93\x40\x57\x34\x0b\x4c\xf4\x08\xd5\xa5\x65\x92\xf8\x27\x4e\xec\x53\xf0" +} + +let test_blake2b : Bytes.t hash_test = + { + name = "BLAKE2b Test 1"; + alg = BLAKE2b; + msg = Bytes.of_string "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"; + expected = Bytes.of_string "\x1c\x07\x7e\x27\x9d\xe6\x54\x85\x23\x50\x2b\x6d\xf8\x00\xff\xda\xb5\xe2\xc3\xe9\x44\x2e\xb8\x38\xf5\x8c\x29\x5f\x3b\x14\x7c\xef\x9d\x70\x1c\x41\xc3\x21\x28\x3f\x00\xc7\x1a\xff\xa0\x61\x93\x10\x39\x91\x26\x29\x5b\x78\xdd\x4d\x1a\x74\x57\x2e\xf9\xed\x51\x35" + } + +let test_blake2s : Bytes.t hash_test = + { + name = "BLAKE2s Test 1"; + alg = BLAKE2s; + msg = Bytes.of_string "\x61\x62\x63"; + expected = 
Bytes.of_string "\x50\x8C\x5E\x8C\x32\x7C\x14\xE2\xE1\xA7\x2B\xA3\x4E\xEB\x45\x2F\x37\x45\x8B\x20\x9E\xD6\x3A\x29\x4D\x99\x9B\x4C\x86\x67\x59\x82" + } + +let test_sha1 : Bytes.t hash_test = + { + name = "SHA1 Test 1"; + alg = SHA1; + msg = Bytes.of_string "\x54\x9e\x95\x9e"; + expected = Bytes.of_string "\xb7\x8b\xae\x6d\x14\x33\x8f\xfc\xcf\xd5\xd5\xb5\x67\x4a\x27\x5f\x6e\xf9\xc7\x17" +} + +let test_md5 : Bytes.t hash_test = + { + name = "MD5 Test 1"; + alg = MD5; + msg = Bytes.of_string "\x6d\x65\x73\x73\x61\x67\x65\x20\x64\x69\x67\x65\x73\x74"; + expected = Bytes.of_string "\xf9\x6b\x69\x7d\x7c\xb7\x93\x8d\x52\x5a\x2f\x31\xaa\xf1\x61\xd0" +} + +type 'a blake2_keyed_test = + { name: string; msg: 'a; key: 'a; expected: 'a } + +let blake2b_keyed_tests = [ + { + name = "Test 1"; + msg = Bytes.of_string "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b"; + key = Bytes.of_string "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f"; + expected = Bytes.of_string "\xc8\xf6\x8e\x69\x6e\xd2\x82\x42\xbf\x99\x7f\x5b\x3b\x34\x95\x95\x08\xe4\x2d\x61\x38\x10\xf1\xe2\xa4\x35\xc9\x6e\xd2\xff\x56\x0c\x70\x22\xf3\x61\xa9\x23\x4b\x98\x37\xfe\xee\x90\xbf\x47\x92\x2e\xe0\xfd\x5f\x8d\xdf\x82\x37\x18\xd8\x6d\x1e\x16\xc6\x09\x00\x71" + } +] + +let blake2s_keyed_tests = [ + { + name = "Test 1"; + msg = Bytes.of_string "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e"; + key = Bytes.of_string 
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"; + expected = Bytes.of_string "\xc6\x53\x82\x51\x3f\x07\x46\x0d\xa3\x98\x33\xcb\x66\x6c\x5e\xd8\x2e\x61\xb9\xe9\x98\xf4\xb0\xc4\x28\x7c\xee\x56\xc3\xcc\x9b\xcd" + } +] + +(* Source: https://bob.nem.ninja/test-vectors.html *) +let keccak256_test = + { + name = "Test 1"; + alg = Keccak_256; + msg = Bytes.of_string "\xcc"; + expected = Bytes.of_string "\xee\xad\x6d\xbf\xc7\x34\x0a\x56\xca\xed\xc0\x44\x69\x6a\x16\x88\x70\x54\x9a\x6a\x7f\x6f\x56\x96\x1e\x84\xa5\x4b\xd9\x97\x0b\x8a" + } + + +let alg_definition = function + | SHA2_224 -> HashDefs.SHA2_224 + | SHA2_256 -> HashDefs.SHA2_256 + | SHA2_384 -> HashDefs.SHA2_384 + | SHA2_512 -> HashDefs.SHA2_512 + | BLAKE2b -> HashDefs.BLAKE2b + | BLAKE2s -> HashDefs.BLAKE2s + | SHA1 -> HashDefs.Legacy HashDefs.SHA1 + | MD5 -> HashDefs.Legacy HashDefs.MD5 + | _ -> failwith "Algorithm not supported in agile Hashing API" + + +let output_len = function + | SHA2_224 + | SHA3_224 -> 28 + | SHA2_256 + | SHA3_256 + | BLAKE2s -> 32 + | SHA2_384 + | SHA3_384 -> 48 + | SHA2_512 + | SHA3_512 + | BLAKE2b -> 64 + | Keccak_256 -> 32 + | SHA1 -> 20 + | MD5 -> 16 + + +let test_agile (v: Bytes.t hash_test) = + let test_result = test_result ("EverCrypt.Hash " ^ v.name) in + let alg = alg_definition v.alg in + let digest = Test_utils.init_bytes (output_len v.alg) in + + Hash.Noalloc.hash ~alg ~msg:v.msg ~digest; + let digest2 = Hash.hash ~alg ~msg:v.msg in + if Bytes.equal digest v.expected && + Bytes.equal digest2 v.expected then + test_result Success "one-shot hash" + else + test_result Failure "one-shot hash"; + + let st = Hash.init ~alg:(alg_definition v.alg) in + Hash.update ~st ~msg:v.msg; + Hash.Noalloc.finish ~st ~digest; + let digest2 = Hash.finish ~st in + if Bytes.equal digest v.expected && + Bytes.equal digest2 v.expected then + test_result Success "incremental hash" + else + test_result Failure 
"incremental hash" + + +let test_nonagile (n: string) (v: Bytes.t hash_test) hash hash_noalloc = + let test_result = test_result (n ^ "." ^ v.name) in + let digest = Test_utils.init_bytes (output_len v.alg) in + hash_noalloc ~msg:v.msg ~digest; + let digest2 = hash v.msg in + if Bytes.equal digest v.expected && + Bytes.equal digest2 v.expected then + test_result Success "" + else + test_result Failure "" + + +module MakeBlake2Tests (M: Blake2) = struct + let test_nonagile_noalloc (v: Bytes.t blake2_keyed_test) t reqs = + let test_result = test_result (t ^ " (noalloc) " ^ v.name) in + if supports reqs then begin + let output = Test_utils.init_bytes (Bytes.length v.expected) in + M.Noalloc.hash ~key:v.key ~msg:v.msg ~digest:output; + if Bytes.equal output v.expected then + test_result Success "" + else + test_result Failure "Output mismatch" + end else + test_result Skipped "Required CPU feature not detected" + + let test_nonagile (v: Bytes.t blake2_keyed_test) t reqs = + let test_result = test_result (t ^ " " ^ v.name) in + if supports reqs then begin + let size = Bytes.length v.expected in + let digest = M.hash ~key:v.key v.msg size in + if Bytes.equal digest v.expected then + test_result Success "" + else + test_result Failure "Output mismatch" + end else + test_result Skipped "Required CPU feature not detected" + + let run_tests name tests reqs = + List.iter (fun v -> test_nonagile_noalloc v name reqs) tests; + List.iter (fun v -> test_nonagile v name reqs) tests +end + + +let test_keccak () = + let v = test_sha3_256 in + let test_result = test_result "Keccak/SHAKE" in + let sha3_256 = Hacl.Keccak.keccak ~rate:1088 ~capacity:512 ~suffix:6 in + let digest = sha3_256 ~msg:v.msg ~size:32 in + + let output_shake128 = Hacl.Keccak.shake128 ~msg:v.msg ~size:16 in + + let keccak_shake_128 = Hacl.Keccak.keccak ~rate:1344 ~capacity:256 ~suffix:31 in + let output_keccak_shake_128 = keccak_shake_128 ~msg:v.msg ~size:16 in + + let output_shake256 = Hacl.Keccak.shake256 
~msg:v.msg ~size:32 in + + let keccak_shake_256 = Hacl.Keccak.keccak ~rate:1088 ~capacity:512 ~suffix:31 in + let output_keccak_shake_256 = keccak_shake_256 ~msg:v.msg ~size:32 in + + let keccak_256 = Hacl.Keccak.keccak ~rate:1088 ~capacity:512 ~suffix:1 in + let output_keccak_256 = keccak_256 ~msg:keccak256_test.msg ~size:32 in + + if Bytes.equal digest v.expected && + Bytes.equal output_shake128 output_keccak_shake_128 && + Bytes.equal output_shake256 output_keccak_shake_256 && + Bytes.equal output_keccak_256 keccak256_test.expected then + test_result Success "" + else + test_result Failure "" + + +let test_keccak_noalloc () = + let v = test_sha3_256 in + let test_result = test_result "Keccak/SHAKE (noalloc)" in + let sha3_256 = Hacl.Keccak.Noalloc.keccak ~rate:1088 ~capacity:512 ~suffix:6 in + let digest = Test_utils.init_bytes 32 in + sha3_256 ~msg:v.msg ~digest; + + let output_shake128 = Test_utils.init_bytes 16 in + Hacl.Keccak.Noalloc.shake128 ~msg:v.msg ~digest:output_shake128; + + let keccak_shake_128 = Hacl.Keccak.Noalloc.keccak ~rate:1344 ~capacity:256 ~suffix:31 in + let output_keccak_shake_128 = Test_utils.init_bytes 16 in + keccak_shake_128 ~msg:v.msg ~digest:output_keccak_shake_128; + + let output_shake256 = Test_utils.init_bytes 32 in + Hacl.Keccak.Noalloc.shake256 ~msg:v.msg ~digest:output_shake256; + + let keccak_shake_256 = Hacl.Keccak.Noalloc.keccak ~rate:1088 ~capacity:512 ~suffix:31 in + let output_keccak_shake_256 = Test_utils.init_bytes 32 in + keccak_shake_256 ~msg:v.msg ~digest:output_keccak_shake_256; + + let keccak_256 = Hacl.Keccak.Noalloc.keccak ~rate:1088 ~capacity:512 ~suffix:1 in + let output_keccak_256 = Test_utils.init_bytes 32 in + keccak_256 ~msg:keccak256_test.msg ~digest:output_keccak_256; + + if Bytes.equal digest v.expected && + Bytes.equal output_shake128 output_keccak_shake_128 && + Bytes.equal output_shake256 output_keccak_shake_256 && + Bytes.equal output_keccak_256 keccak256_test.expected then + test_result Success "" + 
else + test_result Failure "" + + +let _ = + test_agile test_sha2_224; + test_agile test_sha2_256; + test_agile test_sha2_384; + test_agile test_sha2_512; + test_agile test_blake2b; + test_agile test_blake2s; + + test_nonagile "Hacl" test_sha2_224 Hacl.SHA2_224.hash Hacl.SHA2_224.Noalloc.hash; + test_nonagile "Hacl" test_sha2_256 Hacl.SHA2_256.hash Hacl.SHA2_256.Noalloc.hash; + test_nonagile "Hacl" test_sha2_384 Hacl.SHA2_384.hash Hacl.SHA2_384.Noalloc.hash; + test_nonagile "Hacl" test_sha2_512 Hacl.SHA2_512.hash Hacl.SHA2_512.Noalloc.hash; + + test_nonagile "Hacl" test_sha3_224 Hacl.SHA3_224.hash Hacl.SHA3_224.Noalloc.hash; + test_nonagile "Hacl" test_sha3_256 Hacl.SHA3_256.hash Hacl.SHA3_256.Noalloc.hash; + test_nonagile "Hacl" test_sha3_384 Hacl.SHA3_384.hash Hacl.SHA3_384.Noalloc.hash; + test_nonagile "Hacl" test_sha3_512 Hacl.SHA3_512.hash Hacl.SHA3_512.Noalloc.hash; + + test_nonagile "EverCrypt" test_sha2_224 EverCrypt.SHA2_224.hash EverCrypt.SHA2_224.Noalloc.hash; + test_nonagile "EverCrypt" test_sha2_256 EverCrypt.SHA2_256.hash EverCrypt.SHA2_256.Noalloc.hash; + + test_agile test_sha1; + test_agile test_md5; + + test_nonagile "Hacl" test_sha1 Hacl.SHA1.hash Hacl.SHA1.Noalloc.hash; + test_nonagile "Hacl" test_md5 Hacl.MD5.hash Hacl.MD5.Noalloc.hash; + + let module Tests = MakeBlake2Tests (Hacl.Blake2b_32) in + Tests.run_tests "BLAKE2b_32" blake2b_keyed_tests []; + + let module Tests = MakeBlake2Tests (Hacl.Blake2b_256) in + Tests.run_tests "BLAKE2b_256" blake2b_keyed_tests [VEC256]; + + let module Tests = MakeBlake2Tests (Hacl.Blake2s_32) in + Tests.run_tests "BLAKE2s_32" blake2s_keyed_tests []; + + let module Tests = MakeBlake2Tests (Hacl.Blake2s_128) in + Tests.run_tests "BLAKE2s_128" blake2s_keyed_tests [VEC128]; + + test_keccak (); + test_keccak_noalloc () diff --git a/ocaml/hacl-star/tests/hkdf_test.ml b/ocaml/hacl-star/tests/hkdf_test.ml new file mode 100644 index 00000000..1434cec2 --- /dev/null +++ b/ocaml/hacl-star/tests/hkdf_test.ml 
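Review bot: In `test_agile` the incremental check reuses the `digest` buffer that already holds the one-shot result, so if `Hash.Noalloc.finish ~st ~digest` wrote nothing the comparison `Bytes.equal digest v.expected` would still pass on the stale bytes. Allocate a fresh buffer ahead of `Hash.init` — `let digest = Test_utils.init_bytes (output_len v.alg) in` — or clear it with `Bytes.fill`, as nacl_test.ml does before reusing `ct`/`pt`. The Keccak tests collapse four comparisons into a single `Success ""`/`Failure ""` with no message, so a failure does not say whether SHA3-256, SHAKE128, SHAKE256 or Keccak-256 diverged; per-check messages like the `"Output mismatch"` used in `MakeBlake2Tests` would help. The state returned by `Hash.init` is never released; if the binding exposes a free function for it, the test should call it after the second `finish`.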
@@ -0,0 +1,104 @@ +open SharedDefs + +open Test_utils + +type 'a hkdf_test = + { alg: HashDefs.alg; name: string ; ikm: 'a; salt: 'a; info: 'a; expected_prk: 'a; expected_okm: 'a } + +let tests = [ + { + alg = SHA2_256; + name = "Test 1"; + ikm = Bytes.of_string "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"; + salt = Bytes.of_string "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c"; + info = Bytes.of_string "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9"; + expected_prk = Bytes.of_string "\x07\x77\x09\x36\x2c\x2e\x32\xdf\x0d\xdc\x3f\x0d\xc4\x7b\xba\x63\x90\xb6\xc7\x3b\xb5\x0f\x9c\x31\x22\xec\x84\x4a\xd7\xc2\xb3\xe5"; + expected_okm = Bytes.of_string "\x3c\xb2\x5f\x25\xfa\xac\xd5\x7a\x90\x43\x4f\x64\xd0\x36\x2f\x2a\x2d\x2d\x0a\x90\xcf\x1a\x5a\x4c\x5d\xb0\x2d\x56\xec\xc4\xc5\xbf\x34\x00\x72\x08\xd5\xb8\x87\x18\x58\x65" + } +] + +module MakeTests (M: SharedDefs.HKDF) = struct + let test_noalloc (v: Bytes.t hkdf_test) name alg = + if v.alg = alg then + let test_result = test_result (name ^ " (noalloc) " ^ v.name) in + let prk = Test_utils.init_bytes (Bytes.length v.expected_prk) in + let okm = Test_utils.init_bytes (Bytes.length v.expected_okm) in + M.Noalloc.extract ~salt:v.salt ~ikm:v.ikm ~prk; + if not (Bytes.equal prk v.expected_prk) then + test_result Failure "PRK mismatch"; + M.Noalloc.expand ~prk ~info:v.info ~okm; + if not (Bytes.equal okm v.expected_okm) then + test_result Failure "OKM mismatch"; + if Bytes.equal prk v.expected_prk && + Bytes.equal okm v.expected_okm then + test_result Success "" + + let test (v: Bytes.t hkdf_test) name alg = + let test_result = test_result (name ^ " " ^ v.name) in + let prk = M.extract ~salt:v.salt ~ikm:v.ikm in + let okm = M.expand ~prk ~info:v.info ~size:(Bytes.length v.expected_okm) in + if alg = v.alg then begin + if not (Bytes.equal prk v.expected_prk) then + test_result Failure "PRK mismatch"; + if not (Bytes.equal okm v.expected_okm) then + test_result Failure "OKM 
mismatch"; + if Bytes.equal prk v.expected_prk && + Bytes.equal okm v.expected_okm then + test_result Success "" + end else + test_result Success "function calls" + + let run_tests name alg = + List.iter (fun v -> test v name alg) tests; + List.iter (fun v -> test_noalloc v name alg) tests +end + +let test_agile (v: Bytes.t hkdf_test) = + let test_result = test_result ("Agile EverCrypt.HKDF with " ^ v.name) in + + let prk = Test_utils.init_bytes (Bytes.length v.expected_prk) in + let okm = Test_utils.init_bytes (Bytes.length v.expected_okm) in + + if EverCrypt.HMAC.is_supported_alg ~alg:v.alg then begin + EverCrypt.HKDF.Noalloc.extract ~alg:v.alg ~salt:v.salt ~ikm:v.ikm ~prk; + if not (Bytes.equal prk v.expected_prk) then + test_result Failure "PRK mismatch"; + EverCrypt.HKDF.Noalloc.expand ~alg:v.alg ~prk ~info:v.info ~okm; + if not (Bytes.equal okm v.expected_okm) then + test_result Failure "OKM mismatch"; + if Bytes.equal prk v.expected_prk && + Bytes.equal okm v.expected_okm then + test_result Success "" + end + else + test_result Failure "hash algorithm reported as not supported" + + +(* TODO: find tests for the other hash functions + Only HKDF_SHA2_256 is currently covered by a unit tests. As a sanity check, + function calls for all the other versions are being exercised, but + their output is not checked. 
+*) +let _ = + List.iter test_agile tests; + + let module Tests = MakeTests (EverCrypt.HKDF_SHA2_256) in + Tests.run_tests "EverCrypt.HKDF_SHA2_256" SHA2_256; + + let module Tests = MakeTests (EverCrypt.HKDF_SHA2_384) in + Tests.run_tests "EverCrypt.HKDF_SHA2_384" SHA2_384; + + let module Tests = MakeTests (EverCrypt.HKDF_SHA2_512) in + Tests.run_tests "EverCrypt.HKDF_SHA2_512" SHA2_512; + + let module Tests = MakeTests (Hacl.HKDF_SHA2_256) in + Tests.run_tests "Hacl.HKDF_SHA2_256" SHA2_256; + + let module Tests = MakeTests (Hacl.HKDF_SHA2_512) in + Tests.run_tests "Hacl.HKDF_SHA2_512" SHA2_512; + + let module Tests = MakeTests (Hacl.HKDF_BLAKE2b) in + Tests.run_tests "Hacl.HKDF_BLAKE2b" BLAKE2b; + + let module Tests = MakeTests (Hacl.HKDF_BLAKE2s) in + Tests.run_tests "Hacl.HKDF_BLAKE2s" BLAKE2s diff --git a/ocaml/hacl-star/tests/hmac_test.ml b/ocaml/hacl-star/tests/hmac_test.ml new file mode 100644 index 00000000..6da8e52e --- /dev/null +++ b/ocaml/hacl-star/tests/hmac_test.ml 
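Review bot: In `MakeTests.test`, when `alg <> v.alg` the run is reported as `test_result Success "function calls"` although nothing about the output was checked, so the summary counts unverified HKDF-SHA2-384/512 and HKDF-BLAKE2 runs as passes. The code base already has a `Skipped` result (curve25519_test.ml uses it for missing CPU features); `test_result Skipped "no test vector for this hash, function calls exercised only"` states the coverage gap honestly without losing the sanity check. `test_noalloc` is silent in the same situation, so the two paths should at least agree. RFC 5869 Appendix A only covers SHA-256 and SHA-1, so the TODO could point at an external source (e.g. the Wycheproof HKDF vectors) for SHA-384/512.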
@@ -0,0 +1,105 @@ +open SharedDefs + +open Test_utils + +type 'a hmac_test = + { alg: HashDefs.alg; name: string ; key: 'a ; msg: 'a ; expected: 'a } + +let tests = [ + { + alg = SHA2_256; name = "SHA2_256 Test 1"; + key = Bytes.of_string "\x4a\x65\x66\x65"; + msg = Bytes.of_string "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f"; + expected = Bytes.of_string "\x5b\xdc\xc1\x46\xbf\x60\x75\x4e\x6a\x04\x24\x26\x08\x95\x75\xc7\x5a\x00\x3f\x08\x9d\x27\x39\x83\x9d\xec\x58\xb9\x64\xec\x38\x43" + }; + { + alg = SHA2_384; name = "SHA2_384 Test 1"; + key = Bytes.of_string "\x4a\x65\x66\x65"; + msg = Bytes.of_string "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f"; + expected = Bytes.of_string "\xaf\x45\xd2\xe3\x76\x48\x40\x31\x61\x7f\x78\xd2\xb5\x8a\x6b\x1b\x9c\x7e\xf4\x64\xf5\xa0\x1b\x47\xe4\x2e\xc3\x73\x63\x22\x44\x5e\x8e\x22\x40\xca\x5e\x69\xe2\xc7\x8b\x32\x39\xec\xfa\xb2\x16\x49" + }; + { + alg = SHA2_512; name = "SHA2_512 Test 1"; + key = Bytes.of_string "\x4a\x65\x66\x65"; + msg = Bytes.of_string "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f"; + expected = Bytes.of_string "\x16\x4b\x7a\x7b\xfc\xf8\x19\xe2\xe3\x95\xfb\xe7\x3b\x56\xe0\xa3\x87\xbd\x64\x22\x2e\x83\x1f\xd6\x10\x27\x0c\xd7\xea\x25\x05\x54\x97\x58\xbf\x75\xc0\x5a\x99\x4a\x6d\x03\x4f\x65\xf8\xf0\xe6\xfd\xca\xea\xb1\xa3\x4d\x4a\x6b\x4b\x63\x6e\x07\x0a\x38\xbc\xe7\x37" + }; + { + alg = SHA2_256; name = "SHA2_256 Test 2"; + key = Bytes.of_string "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19"; + msg = Bytes.of_string "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"; + expected = Bytes.of_string 
"\x82\x55\x8a\x38\x9a\x44\x3c\x0e\xa4\xcc\x81\x98\x99\xf2\x08\x3a\x85\xf0\xfa\xa3\xe5\x78\xf8\x07\x7a\x2e\x3f\xf4\x67\x29\x66\x5b" + }; + { + alg = SHA2_384; name = "SHA2_384 Test 2"; + key = Bytes.of_string "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19"; + msg = Bytes.of_string "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"; + expected = Bytes.of_string "\x3e\x8a\x69\xb7\x78\x3c\x25\x85\x19\x33\xab\x62\x90\xaf\x6c\xa7\x7a\x99\x81\x48\x08\x50\x00\x9c\xc5\x57\x7c\x6e\x1f\x57\x3b\x4e\x68\x01\xdd\x23\xc4\xa7\xd6\x79\xcc\xf8\xa3\x86\xc6\x74\xcf\xfb" + }; + { + alg = SHA2_512; name = "SHA2_512 Test 2"; + key = Bytes.of_string "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19"; + msg = Bytes.of_string "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"; + expected = Bytes.of_string "\xb0\xba\x46\x56\x37\x45\x8c\x69\x90\xe5\xa8\xc5\xf6\x1d\x4a\xf7\xe5\x76\xd9\x7f\xf9\x4b\x87\x2d\xe7\x6f\x80\x50\x36\x1e\xe3\xdb\xa9\x1c\xa5\xc1\x1a\xa2\x5e\xb4\xd6\x79\x27\x5c\xc5\x78\x80\x63\xa5\xf1\x97\x41\x12\x0c\x4f\x2d\xe2\xad\xeb\xeb\x10\xa2\x98\xdd" + } +] + +module MakeTests (M: SharedDefs.MAC) = struct + let test_noalloc (v: Bytes.t hmac_test) name = + let test_result = test_result (name ^ " (noalloc) " ^ v.name) in + let tag = Test_utils.init_bytes (Bytes.length v.expected) in + M.Noalloc.mac ~key:v.key ~msg:v.msg ~tag; + if Bytes.equal tag v.expected then + test_result Success "" + else + test_result Failure "MAC mismatch" + + let test (v: Bytes.t hmac_test) name = + let test_result = test_result (name ^ " " ^ v.name) in + let tag = M.mac ~key:v.key ~msg:v.msg in + if 
Bytes.equal tag v.expected then + test_result Success "" + else + test_result Failure "MAC mismatch" + + let run_tests name alg = + List.iter (fun v -> if v.alg = alg then test v name) tests; + List.iter (fun v -> if v.alg = alg then test_noalloc v name) tests +end + +let test_agile (v: Bytes.t hmac_test) = + let test_result = test_result ("Agile EverCrypt.HMAC with " ^ v.name) in + + let tag = Test_utils.init_bytes (Bytes.length v.expected) in + + if EverCrypt.HMAC.is_supported_alg ~alg:v.alg then begin + EverCrypt.HMAC.Noalloc.mac ~alg:v.alg ~key:v.key ~msg:v.msg ~tag; + if Bytes.equal tag v.expected then + test_result Success "" + else + test_result Failure "MAC mismatch" + end + else + test_result Failure "hash algorithm reported as not supported" + + +let _ = + List.iter test_agile tests; + + let module Tests = MakeTests (EverCrypt.HMAC_SHA2_256) in + Tests.run_tests "EverCrypt.HMAC_SHA2_256" SHA2_256; + + let module Tests = MakeTests (EverCrypt.HMAC_SHA2_384) in + Tests.run_tests "EverCrypt.HMAC_SHA2_384" SHA2_384; + + let module Tests = MakeTests (EverCrypt.HMAC_SHA2_512) in + Tests.run_tests "EverCrypt.HMAC_SHA2_512" SHA2_512; + + let module Tests = MakeTests (Hacl.HMAC_SHA2_256) in + Tests.run_tests "Hacl.HMAC_SHA2_256" SHA2_256; + + let module Tests = MakeTests (Hacl.HMAC_SHA2_384) in + Tests.run_tests "Hacl.HMAC_SHA2_384" SHA2_384; + + let module Tests = MakeTests (Hacl.HMAC_SHA2_512) in + Tests.run_tests "Hacl.HMAC_SHA2_512" SHA2_512 diff --git a/ocaml/hacl-star/tests/nacl_test.ml b/ocaml/hacl-star/tests/nacl_test.ml new file mode 100644 index 00000000..5a8a10d3 --- /dev/null +++ b/ocaml/hacl-star/tests/nacl_test.ml 
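Review bot: All six vectors use short keys (4 and 25 bytes), so the HMAC path that must first hash a key longer than the block size is never exercised for any of the three digests; that branch is a classic source of HMAC bugs, and RFC 4231 test cases 6 and 7 (131-byte `0xaa` keys, which exceed even the 128-byte SHA-384/512 block) cover it directly, with the expected tags copied from the RFC. The vectors present look like RFC 4231 test cases 2 and 4 ("Jefe" / "what do ya want for nothing?" and the 25-byte key over 50 `0xcd` bytes); a `(* RFC 4231, test cases 2 and 4 *)` comment above `tests` would record that. A zero-length key and a key of exactly one block would complete the boundary coverage.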
@@ -0,0 +1,229 @@ +open Test_utils + +type 'a box_test = + { name: string ; pk: 'a ; sk: 'a ; n: 'a ; pt: 'a ; expected_ct: 'a } + +type 'a secretbox_test = + { name: string; key: 'a ; n: 'a ; pt: 'a; expected_ct: 'a } + +let box_tests = [ + { name = "Test 1"; + pk = Bytes.of_string "\xfe\x38\x04\x02\x70\x14\xcf\x0c\x89\x68\x11\xd5\x23\x40\x32\xe5\xeb\x6c\xa1\x78\x6f\x64\x8c\x64\x86\xf3\xfa\xdd\x26\x4d\x17\x41"; + sk = Bytes.of_string "\xd5\x7d\xff\xb8\x10\xeb\x32\xff\xaa\x87\x93\x24\x46\xa0\xc6\xe3\x6e\xb9\x54\xa7\x37\xe9\xcc\x3a\xc0\xd9\x80\x34\x41\xe2\xbe\xac"; + n = init_bytes 24; + pt = Bytes.of_string "\x17\x8c\xb3\x11\xd2\x0f\x0a"; + expected_ct = Bytes.of_string "\x06\x2f\x0c\x61\x1b\x5a\xd3\x2d\xf8\xd4\x2f\xea\x32\x6e\xb9\xc5\xb9\x2a\xda\x4d\x98\xea\x08" + }; + { name = "Test 2"; + pk = Bytes.of_string "\xc7\x99\xe1\xb6\xa1\x0c\x60\x9e\x44\x9b\xa3\x48\x38\xec\xc7\x94\x04\x98\x9c\x69\xac\xb3\x63\xd9\x52\x7f\x78\x66\xe5\x7b\xa6\x4a"; + sk = Bytes.of_string "\x07\xbb\x38\xf5\xb2\xdb\x98\xae\xe6\x02\x1b\x5e\xb1\xe8\x08\xe3\xe4\x67\x70\x20\xa2\x60\x9f\xa7\xd0\x89\xb5\x23\xc1\x35\xf5\xdf"; + n = init_bytes 24; + pt = Bytes.of_string "\x93\xc6\x9d\x5b\xce\xea\xd5\x24\x03\x4e\x5c\x50"; + expected_ct = Bytes.of_string "\x77\x87\x8b\x2b\xce\x5a\xbf\x2f\xac\x5a\x14\xec\xd9\x58\x09\x68\xa6\x97\x6a\x8a\xf3\x41\x15\xce\x02\x3c\x95\x0e" + } +] + +let secretbox_tests = [ + { name = "Test 1"; + key = Bytes.of_string "\x82\x2b\xca\x3c\x7e\x05\xfd\xe0\xdc\x20\x45\x19\x73\x0b\x35\xf8\x12\x16\xa9\xc9\xf1\xdf\x95\x25\xe2\xa9\x00\xec\x89\x71\x8f\x57"; + n = Bytes.of_string "\x72\xb9\x02\x08\xd2\x80\x0e\x36\xad\x16\xc7\x30\x94\x1a\x03\x8d\x7c\x3a\xd9\xd8\x70\x30\xd3\x29"; + pt = Bytes.of_string ""; + expected_ct =Bytes.of_string "\x79\xb3\x45\x51\xed\x22\x4f\xa1\x7c\xb6\x46\x0c\xcb\x90\xa0\xd9" + }; + { name = "Test 2"; + key = Bytes.of_string "\x49\xd1\x3a\x96\x6a\x76\x1a\x6a\xcf\xfe\xd8\x92\x3b\x5e\xe5\x0c\x29\x71\xba\x7e\x12\xc0\x1f\xd9\x9e\x0d\x70\xde\x91\x32\xf6\xd7"; + n = 
Bytes.of_string "\x66\x1d\x42\xc4\x8f\x71\xb3\x1c\x30\xd5\xc2\x65\xb1\x68\x51\x1a\xfd\x58\xb8\x70\xbf\x35\x4f\x4f"; + pt = Bytes.of_string "\xa9\x4d\x36\x5d\x0f\x3a\x0a\x50\x4c\x8c\x12\x76\x25\x31"; + expected_ct = Bytes.of_string "\x00\x21\xf4\x17\x24\xbe\x3a\xc9\xa4\x6b\xd5\x6c\x19\x64\x4d\x32\x0e\xb9\xcb\x66\x30\x3b\x98\xed\xa2\x9e\x22\x81\xed\x5e" + } +] + + +let test_box (v: Bytes.t box_test) = + let test_result = Test_utils.test_result ("Hacl.NaCl.Easy box " ^ v.name) in + (match Hacl.NaCl.box ~pt:v.pt ~n:v.n ~pk:v.pk ~sk:v.sk with + | Some ct -> ( + if not (Bytes.equal ct v.expected_ct) then + test_result Failure "Ciphertext mismatch" + else + match Hacl.NaCl.box_open ~ct ~n:v.n ~pk:v.pk ~sk:v.sk with + | Some pt -> + if not (Bytes.equal pt v.pt) then + test_result Failure "Decrypted plaintext mismatch" + else + test_result Success "" + | None -> + test_result Failure "Decryption failed" + ) + | None -> + test_result Failure "Encryption failed"); + + let test_result = Test_utils.test_result ("Hacl.NaCl.box_beforenm " ^ v.name) in + match Hacl.NaCl.box_beforenm ~pk:v.pk ~sk:v.sk with + | Some ck -> ( + test_result Success ""; + let test_result = Test_utils.test_result ("Hacl.NaCl.Easy box_afternm " ^ v.name) in + match Hacl.NaCl.box_afternm ~pt:v.pt ~n:v.n ~ck with + | Some ct -> ( + if not (Bytes.equal ct v.expected_ct) then + test_result Failure "Ciphertext mismatch" + else + match Hacl.NaCl.box_open_afternm ~ct ~n:v.n ~ck with + | Some pt -> + if not (Bytes.equal pt v.pt) then + test_result Failure "Decrypted plaintext mismatch" + else + test_result Success "" + | None -> + test_result Failure "Decryption failed" + ) + | None -> + test_result Failure "Encryption failed" + ) + | None -> + test_result Failure "" + + +let test_box_noalloc (v: Bytes.t box_test) = + let test_result = Test_utils.test_result ("Hacl.NaCl.Easy.Noalloc box " ^ v.name) in + let ct = Test_utils.init_bytes (Bytes.length v.pt + 16) in + let pt = Test_utils.init_bytes (Bytes.length v.pt) 
in
+ if Hacl.NaCl.Noalloc.Easy.box ~pt:v.pt ~n:v.n ~pk:v.pk ~sk:v.sk ~ct then
+ if not (Bytes.equal ct v.expected_ct) then
+ test_result Failure "ciphertext mismatch"
+ else
+ if Hacl.NaCl.Noalloc.Easy.box_open ~ct ~n:v.n ~pk:v.pk ~sk:v.sk ~pt then
+ if not (Bytes.equal pt v.pt) then
+ test_result Failure "decrypted plaintext mismatch"
+ else
+ test_result Success ""
+ else
+ test_result Failure "Decryption failed"
+ else
+ test_result Failure "Encryption failed";
+
+ let test_result = Test_utils.test_result ("Hacl.NaCl.Noalloc.Detached box " ^ v.name) in
+ let pt = Test_utils.init_bytes (Bytes.length v.pt) in
+ let ct_detached = Test_utils.init_bytes (Bytes.length v.pt) in
+ let tag = Test_utils.init_bytes 16 in
+ if Hacl.NaCl.Noalloc.Detached.box ~pt:v.pt ~n:v.n ~pk:v.pk ~sk:v.sk ~ct:ct_detached ~tag then
+ let combined_ct = Bytes.of_string @@ (Bytes.to_string tag) ^ (Bytes.to_string ct_detached) in
+ if not (Bytes.equal combined_ct v.expected_ct) then
+ test_result Failure "ciphertext mismatch"
+ else
+ if Hacl.NaCl.Noalloc.Detached.box_open ~ct:ct_detached ~tag ~n:v.n ~pk:v.pk ~sk:v.sk ~pt then
+ if not (Bytes.equal pt v.pt) then
+ test_result Failure "decrypted plaintext mismatch"
+ else
+ test_result Success ""
+ else
+ test_result Failure "Decryption failed"
+ else
+ test_result Failure "Encryption failed";
+
+ let test_result = Test_utils.test_result ("Hacl.NaCl.box_beforenm_noalloc " ^ v.name) in
+ let ck = Test_utils.init_bytes 32 in
+ if Hacl.NaCl.Noalloc.box_beforenm ~pk:v.pk ~sk:v.sk ~ck then
+ test_result Success ""
+ else
+ test_result Failure "";
+
+ let test_result = Test_utils.test_result ("Hacl.NaCl.Easy.Noalloc box_afternm " ^ v.name) in
+ Bytes.fill ct 0 (Bytes.length ct) '\x00';
+ Bytes.fill pt 0 (Bytes.length pt) '\x00';
+ if Hacl.NaCl.Noalloc.Easy.box_afternm ~pt:v.pt ~n:v.n ~ck ~ct then
+ if not (Bytes.equal ct v.expected_ct) then
+ test_result Failure "ciphertext mismatch"
+ else
+ if Hacl.NaCl.Noalloc.Easy.box_open_afternm ~ct ~n:v.n ~ck ~pt then
+ if not (Bytes.equal pt v.pt) then
+ test_result Failure "decrypted plaintext mismatch"
+ else
+ test_result Success ""
+ else
+ test_result Failure "Decryption failed"
+ else
+ test_result Failure "Encryption failed";
+
+ let test_result = Test_utils.test_result ("Hacl.NaCl.Noalloc.Detached box_afternm " ^ v.name) in
+ Bytes.fill ct_detached 0 (Bytes.length ct_detached) '\x00';
+ Bytes.fill tag 0 (Bytes.length tag) '\x00';
+ Bytes.fill pt 0 (Bytes.length pt) '\x00';
+ if Hacl.NaCl.Noalloc.Detached.box_afternm ~pt:v.pt ~n:v.n ~ck ~ct:ct_detached ~tag then
+ let combined_ct = Bytes.of_string @@ (Bytes.to_string tag) ^ (Bytes.to_string ct_detached) in
+ if not (Bytes.equal combined_ct v.expected_ct) then
+ test_result Failure "ciphertext mismatch"
+ else
+ if Hacl.NaCl.Noalloc.Detached.box_open_afternm ~ct:ct_detached ~tag ~n:v.n ~ck ~pt then
+ if not (Bytes.equal pt v.pt) then
+ test_result Failure "decrypted plaintext mismatch"
+ else
+ test_result Success ""
+ else
+ test_result Failure "Decryption failed"
+ else
+ test_result Failure "Encryption failed"
+
+
+let test_secretbox (v: Bytes.t secretbox_test) =
+ let test_result = Test_utils.test_result ("Hacl.NaCl.Easy secretbox " ^ v.name) in
+ match Hacl.NaCl.secretbox ~pt:v.pt ~n:v.n ~key:v.key with
+ | Some ct -> (
+ if not (Bytes.equal ct v.expected_ct) then
+ test_result Failure "ciphertext mismatch"
+ else
+ match Hacl.NaCl.secretbox_open ~ct ~n:v.n ~key:v.key with
+ | Some pt ->
+ if not (Bytes.equal pt v.pt) then
+ test_result Failure "decrypted plaintext mismatch"
+ else
+ test_result Success ""
+ | None ->
+ test_result Failure "Decryption failed"
+ )
+ | None ->
+ test_result Failure "Encryption failed"
+
+
+let test_secretbox_noalloc (v: Bytes.t secretbox_test) =
+ let test_result = Test_utils.test_result ("Hacl.NaCl.Easy.Noalloc secretbox " ^ v.name) in
+ let ct = Test_utils.init_bytes (Bytes.length v.pt + 16) in
+ let pt = Test_utils.init_bytes (Bytes.length v.pt) in
+ if Hacl.NaCl.Noalloc.Easy.secretbox ~pt:v.pt ~n:v.n ~key:v.key ~ct then
+ if not (Bytes.equal ct v.expected_ct) then
+ test_result Failure "ciphertext mismatch"
+ else
+ if Hacl.NaCl.Noalloc.Easy.secretbox_open ~ct ~n:v.n ~key:v.key ~pt then
+ if not (Bytes.equal pt v.pt) then
+ test_result Failure "decrypted plaintext mismatch"
+ else
+ test_result Success ""
+ else
+ test_result Failure "Decryption failed"
+ else
+ test_result Failure "Encryption failed";
+
+ let test_result = Test_utils.test_result ("Hacl.NaCl.Noalloc.Detached secretbox " ^ v.name) in
+ let ct_detached = Test_utils.init_bytes (Bytes.length v.pt) in
+ let tag = Test_utils.init_bytes 16 in
+ if Hacl.NaCl.Noalloc.Detached.secretbox ~pt:v.pt ~n:v.n ~key:v.key ~ct:ct_detached ~tag then
+ let combined_ct = Bytes.of_string @@ (Bytes.to_string tag) ^ (Bytes.to_string ct_detached) in
+ if not (Bytes.equal combined_ct v.expected_ct) then
+ test_result Failure "ciphertext mismatch"
+ else
+ if Hacl.NaCl.Noalloc.Detached.secretbox_open ~ct:ct_detached ~tag ~n:v.n ~key:v.key ~pt then
+ if not (Bytes.equal pt v.pt) then
+ test_result Failure "decrypted plaintext mismatch"
+ else
+ test_result Success ""
+ else
+ test_result Failure "Decryption failed"
+ else
+ test_result Failure "Encryption failed"
+
+
+let _ =
+ List.iter test_box box_tests;
+ List.iter test_box_noalloc box_tests;
+ List.iter test_secretbox secretbox_tests;
+ List.iter test_secretbox_noalloc secretbox_tests;
diff --git a/ocaml/hacl-star/tests/p256_test.ml b/ocaml/hacl-star/tests/p256_test.ml
new file mode 100644
index 00000000..16503c87
--- /dev/null
+++ b/ocaml/hacl-star/tests/p256_test.ml
@@ -0,0 +1,183 @@ +open Test_utils + +type 'a ecdsa_test = + { name : string ; sk : 'a ; pk : 'a ; msg : 'a ; k : 'a ; expected_sig : 'a } + +type 'a compression_test = + { name : string; raw : 'a; compressed : 'a; uncompressed : 'a } + +let tests = [ + {name = "Test 1"; + msg = Bytes.of_string "\x1c\xcb\xe9\x1c\x07\x5f\xc7\xf4\xf0\x33\xbf\xa2\x48\xdb\x8f\xcc\xd3\x56\x5d\xe9\x4b\xbf\xb1\x2f\x3c\x59\xff\x46\xc2\x71\xbf\x83"; + sk = Bytes.of_string "\x51\x9b\x42\x3d\x71\x5f\x8b\x58\x1f\x4f\xa8\xee\x59\xf4\x77\x1a\x5b\x44\xc8\x13\x0b\x4e\x3e\xac\xca\x54\xa5\x6d\xda\x72\xb4\x64"; + pk = Bytes.of_string "\x1c\xcb\xe9\x1c\x07\x5f\xc7\xf4\xf0\x33\xbf\xa2\x48\xdb\x8f\xcc\xd3\x56\x5d\xe9\x4b\xbf\xb1\x2f\x3c\x59\xff\x46\xc2\x71\xbf\x83\xce\x40\x14\xc6\x88\x11\xf9\xa2\x1a\x1f\xdb\x2c\x0e\x61\x13\xe0\x6d\xb7\xca\x93\xb7\x40\x4e\x78\xdc\x7c\xcd\x5c\xa8\x9a\x4c\xa9"; + k = Bytes.of_string "\x94\xa1\xbb\xb1\x4b\x90\x6a\x61\xa2\x80\xf2\x45\xf9\xe9\x3c\x7f\x3b\x4a\x62\x47\x82\x4f\x5d\x33\xb9\x67\x07\x87\x64\x2a\x68\xde"; + expected_sig = Bytes.of_string "\xf3\xac\x80\x61\xb5\x14\x79\x5b\x88\x43\xe3\xd6\x62\x95\x27\xed\x2a\xfd\x6b\x1f\x6a\x55\x5a\x7a\xca\xbb\x5e\x6f\x79\xc8\xc2\xac\xcf\xa7\x40\xfe\xc7\x67\x96\xd2\xe3\x92\x16\xbe\x7e\xbf\x58\x0e\xa3\xc0\xef\x4b\xb0\x0a\xb2\xe7\xe4\x20\x84\x34\xf4\x5f\x8c\x9c" + } +] + +let tests_sha256 = [ + { name = "Test 1"; + msg = Bytes.of_string "\x59\x05\x23\x88\x77\xc7\x74\x21\xf7\x3e\x43\xee\x3d\xa6\xf2\xd9\xe2\xcc\xad\x5f\xc9\x42\xdc\xec\x0c\xbd\x25\x48\x29\x35\xfa\xaf\x41\x69\x83\xfe\x16\x5b\x1a\x04\x5e\xe2\xbc\xd2\xe6\xdc\xa3\xbd\xf4\x6c\x43\x10\xa7\x46\x1f\x9a\x37\x96\x0c\xa6\x72\xd3\xfe\xb5\x47\x3e\x25\x36\x05\xfb\x1d\xdf\xd2\x80\x65\xb5\x3c\xb5\x85\x8a\x8a\xd2\x81\x75\xbf\x9b\xd3\x86\xa5\xe4\x71\xea\x7a\x65\xc1\x7c\xc9\x34\xa9\xd7\x91\xe9\x14\x91\xeb\x37\x54\xd0\x37\x99\x79\x0f\xe2\xd3\x08\xd1\x61\x46\xd5\xc9\xb0\xd0\xde\xbd\x97\xd7\x9c\xe8"; + sk = Bytes.of_string 
"\x51\x9b\x42\x3d\x71\x5f\x8b\x58\x1f\x4f\xa8\xee\x59\xf4\x77\x1a\x5b\x44\xc8\x13\x0b\x4e\x3e\xac\xca\x54\xa5\x6d\xda\x72\xb4\x64"; + pk = Bytes.of_string "\x1c\xcb\xe9\x1c\x07\x5f\xc7\xf4\xf0\x33\xbf\xa2\x48\xdb\x8f\xcc\xd3\x56\x5d\xe9\x4b\xbf\xb1\x2f\x3c\x59\xff\x46\xc2\x71\xbf\x83\xce\x40\x14\xc6\x88\x11\xf9\xa2\x1a\x1f\xdb\x2c\x0e\x61\x13\xe0\x6d\xb7\xca\x93\xb7\x40\x4e\x78\xdc\x7c\xcd\x5c\xa8\x9a\x4c\xa9"; + k = Bytes.of_string "\x94\xa1\xbb\xb1\x4b\x90\x6a\x61\xa2\x80\xf2\x45\xf9\xe9\x3c\x7f\x3b\x4a\x62\x47\x82\x4f\x5d\x33\xb9\x67\x07\x87\x64\x2a\x68\xde"; + expected_sig = Bytes.of_string "\xf3\xac\x80\x61\xb5\x14\x79\x5b\x88\x43\xe3\xd6\x62\x95\x27\xed\x2a\xfd\x6b\x1f\x6a\x55\x5a\x7a\xca\xbb\x5e\x6f\x79\xc8\xc2\xac\x8b\xf7\x78\x19\xca\x05\xa6\xb2\x78\x6c\x76\x26\x2b\xf7\x37\x1c\xef\x97\xb2\x18\xe9\x6f\x17\x5a\x3c\xcd\xda\x2a\xcc\x05\x89\x03"; + }; + { name = "Test 2"; + msg = Bytes.of_string "\xc3\x5e\x2f\x09\x25\x53\xc5\x57\x72\x92\x6b\xdb\xe8\x7c\x97\x96\x82\x7d\x17\x02\x4d\xbb\x92\x33\xa5\x45\x36\x6e\x2e\x59\x87\xdd\x34\x4d\xeb\x72\xdf\x98\x71\x44\xb8\xc6\xc4\x3b\xc4\x1b\x65\x4b\x94\xcc\x85\x6e\x16\xb9\x6d\x7a\x82\x1c\x8e\xc0\x39\xb5\x03\xe3\xd8\x67\x28\xc4\x94\xa9\x67\xd8\x30\x11\xa0\xe0\x90\xb5\xd5\x4c\xd4\x7f\x4e\x36\x6c\x09\x12\xbc\x80\x8f\xbb\x2e\xa9\x6e\xfa\xc8\x8f\xb3\xeb\xec\x93\x42\x73\x8e\x22\x5f\x7c\x7c\x2b\x01\x1c\xe3\x75\xb5\x66\x21\xa2\x06\x42\xb4\xd3\x6e\x06\x0d\xb4\x52\x4a\xf1"; + sk = Bytes.of_string "\x0f\x56\xdb\x78\xca\x46\x0b\x05\x5c\x50\x00\x64\x82\x4b\xed\x99\x9a\x25\xaa\xf4\x8e\xbb\x51\x9a\xc2\x01\x53\x7b\x85\x47\x98\x13"; + pk = Bytes.of_string "\xe2\x66\xdd\xfd\xc1\x26\x68\xdb\x30\xd4\xca\x3e\x8f\x77\x49\x43\x2c\x41\x60\x44\xf2\xd2\xb8\xc1\x0b\xf3\xd4\x01\x2a\xef\xfa\x8a\xbf\xa8\x64\x04\xa2\xe9\xff\xe6\x7d\x47\xc5\x87\xef\x7a\x97\xa7\xf4\x56\xb8\x63\xb4\xd0\x2c\xfc\x69\x28\x97\x3a\xb5\xb1\xcb\x39"; + k = Bytes.of_string 
"\x6d\x3e\x71\x88\x2c\x3b\x83\xb1\x56\xbb\x14\xe0\xab\x18\x4a\xa9\xfb\x72\x80\x68\xd3\xae\x9f\xac\x42\x11\x87\xae\x0b\x2f\x34\xc6"; + expected_sig = Bytes.of_string "\x97\x6d\x3a\x4e\x9d\x23\x32\x6d\xc0\xba\xa9\xfa\x56\x0b\x7c\x4e\x53\xf4\x28\x64\xf5\x08\x48\x3a\x64\x73\xb6\xa1\x10\x79\xb2\xdb\x1b\x76\x6e\x9c\xeb\x71\xba\x6c\x01\xdc\xd4\x6e\x0a\xf4\x62\xcd\x4c\xfa\x65\x2a\xe5\x01\x7d\x45\x55\xb8\xee\xef\xe3\x6e\x19\x32"; + } +] + +let tests_compression = [ + { name = "Test 1"; + raw = Bytes.of_string "\x70\x0c\x48\xf7\x7f\x56\x58\x4c\x5c\xc6\x32\xca\x65\x64\x0d\xb9\x1b\x6b\xac\xce\x3a\x4d\xf6\xb4\x2c\xe7\xcc\x83\x88\x33\xd2\x87\xdb\x71\xe5\x09\xe3\xfd\x9b\x06\x0d\xdb\x20\xba\x5c\x51\xdc\xc5\x94\x8d\x46\xfb\xf6\x40\xdf\xe0\x44\x17\x82\xca\xb8\x5f\xa4\xac"; + compressed = Bytes.of_string "\x02\x70\x0c\x48\xf7\x7f\x56\x58\x4c\x5c\xc6\x32\xca\x65\x64\x0d\xb9\x1b\x6b\xac\xce\x3a\x4d\xf6\xb4\x2c\xe7\xcc\x83\x88\x33\xd2\x87"; + uncompressed = Bytes.of_string "\x04\x70\x0c\x48\xf7\x7f\x56\x58\x4c\x5c\xc6\x32\xca\x65\x64\x0d\xb9\x1b\x6b\xac\xce\x3a\x4d\xf6\xb4\x2c\xe7\xcc\x83\x88\x33\xd2\x87\xdb\x71\xe5\x09\xe3\xfd\x9b\x06\x0d\xdb\x20\xba\x5c\x51\xdc\xc5\x94\x8d\x46\xfb\xf6\x40\xdf\xe0\x44\x17\x82\xca\xb8\x5f\xa4\xac"; + } +] + +let test_noalloc (v: Bytes.t ecdsa_test) t = + let test_result = test_result (t ^ " (noalloc) " ^ v.name) in + let pk = Test_utils.init_bytes 64 in + assert (Hacl.P256.valid_sk ~sk:v.sk); + if not (Hacl.P256.Noalloc.dh_initiator ~sk:v.sk ~pk) then + test_result Failure "DH initiator"; + assert (Hacl.P256.valid_pk ~pk); + if not (Bytes.equal pk v.pk) then + test_result Failure "Key generation"; + let signature = Test_utils.init_bytes 64 in + assert (Hacl.P256.Noalloc.sign ~sk:v.sk ~msg:v.msg ~k:v.k ~signature); + if Bytes.equal signature v.expected_sig then + begin + if Hacl.P256.verify ~pk:v.pk ~msg:v.msg ~signature then + test_result Success "" + else + test_result Failure "Verification" + end + else + test_result Failure "Signing" + + +let test 
(v: Bytes.t ecdsa_test) t =
+ let test_result = test_result (t ^ " " ^ v.name) in
+ assert (Hacl.P256.valid_sk ~sk:v.sk);
+ match Hacl.P256.dh_initiator ~sk:v.sk with
+ | Some pk -> begin
+ assert (Hacl.P256.valid_pk ~pk);
+ if not (Bytes.equal pk v.pk) then
+ test_result Failure "Key generation";
+ match Hacl.P256.sign ~sk:v.sk ~msg:v.msg ~k:v.k with
+ | Some signature ->
+ if Bytes.equal signature v.expected_sig then
+ begin
+ if Hacl.P256.verify ~pk:v.pk ~msg:v.msg ~signature then
+ test_result Success ""
+ else
+ test_result Failure "Verification"
+ end
+ | None ->
+ test_result Failure "Signing"
+ end
+ | None -> test_result Failure "DH initiator"
+
+module MakeTests (M: SharedDefs.ECDSA) = struct
+ let test_noalloc (v: Bytes.t ecdsa_test) t =
+ let test_result = test_result (t ^ " (noalloc) " ^ v.name) in
+ let signature = Test_utils.init_bytes 64 in
+ assert (M.Noalloc.sign ~sk:v.sk ~msg:v.msg ~k:v.k ~signature);
+ if Bytes.equal signature v.expected_sig then
+ begin
+ if M.verify ~pk:v.pk ~msg:v.msg ~signature then
+ test_result Success ""
+ else
+ test_result Failure "Verification"
+ end
+ else
+ test_result Failure "Signing"
+
+ let test (v: Bytes.t ecdsa_test) t =
+ let test_result = test_result (t ^ " " ^ v.name) in
+ match M.sign ~sk:v.sk ~msg:v.msg ~k:v.k with
+ | Some signature ->
+ if Bytes.equal signature v.expected_sig then
+ begin
+ if M.verify ~pk:v.pk ~msg:v.msg ~signature then
+ test_result Success ""
+ else
+ test_result Failure "Verification"
+ end
+ | None ->
+ test_result Failure "Signing"
+
+let run_tests name tests =
+ List.iter (fun v -> test_noalloc v name) tests;
+ List.iter (fun v -> test v name) tests
+end
+
+let test_p256_compression_noalloc (v: Bytes.t compression_test) =
+ let test_result = test_result ("P-256 compression (noalloc) " ^ v.name) in
+
+ let result = Test_utils.init_bytes 33 in
+ Hacl.P256.Noalloc.raw_to_compressed ~p:v.raw ~result;
+ if not (Bytes.equal result v.compressed) then
+ test_result Failure "Hacl.P256.Noalloc.raw_to_compressed";
+
+ let result = Test_utils.init_bytes 65 in
+ Hacl.P256.Noalloc.raw_to_uncompressed ~p:v.raw ~result;
+ if not (Bytes.equal result v.uncompressed) then
+ test_result Failure "Hacl.P256.Noalloc.raw_to_uncompressed";
+
+ let result = Test_utils.init_bytes 64 in
+ assert (Hacl.P256.Noalloc.compressed_to_raw ~p:v.compressed ~result);
+ if not (Bytes.equal result v.raw) then
+ test_result Failure "Hacl.P256.Noalloc.compressed_to_raw";
+
+ let result = Test_utils.init_bytes 64 in
+ assert (Hacl.P256.Noalloc.uncompressed_to_raw ~p:v.uncompressed ~result);
+ if not (Bytes.equal result v.raw) then
+ test_result Failure "Hacl.P256.Noalloc.uncompressed_to_raw";
+
+ test_result Success "P256 point compression/decompression"
+
+let test_p256_compression (v: Bytes.t compression_test) =
+ let test_result = test_result ("P-256 compression " ^ v.name) in
+
+ let result = Hacl.P256.raw_to_compressed v.raw in
+ if not (Bytes.equal result v.compressed) then
+ test_result Failure "Hacl.P256.raw_to_compressed";
+
+ let result = Hacl.P256.raw_to_uncompressed v.raw in
+ if not (Bytes.equal result v.uncompressed) then
+ test_result Failure "Hacl.P256.raw_to_uncompressed";
+
+ (match Hacl.P256.compressed_to_raw v.compressed with
+ | Some result ->
+ if not (Bytes.equal result v.raw) then
+ test_result Failure "Hacl.P256.compressed_to_raw"
+ | None ->
+ test_result Failure "Hacl.P256.compressed_to_raw");
+
+ (match Hacl.P256.uncompressed_to_raw v.uncompressed with
+ | Some result ->
+ if not (Bytes.equal result v.raw) then
+ test_result Failure "Hacl.P256.uncompressed_to_raw"
+ | None ->
+ test_result Failure "Hacl.P256.uncompressed_to_raw");
+
+ test_result Success "P256 point compression/decompression"
+
+
+let _ =
+ let module Tests = MakeTests (Hacl.P256.SHA2_256) in
+ Tests.run_tests "Hacl.P256_SHA_256" tests_sha256;
+
+ List.iter (fun v -> test_noalloc v "Hacl.P256 (noalloc)") tests;
+ List.iter (fun v -> test v "Hacl.P256") tests;
+
+ List.iter test_p256_compression_noalloc tests_compression;
+ List.iter test_p256_compression tests_compression
diff --git a/ocaml/hacl-star/tests/poly1305_test.ml b/ocaml/hacl-star/tests/poly1305_test.ml
new file mode 100644
index 00000000..dc6e4b61
--- /dev/null
+++ b/ocaml/hacl-star/tests/poly1305_test.ml
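Review bot: In both `test` functions (the top-level one and `MakeTests.test`), a signature that differs from `v.expected_sig` is silently accepted: the `if Bytes.equal signature v.expected_sig then begin … end` has no `else`, so the function returns `()` without reporting anything, whereas `test_noalloc` ends with `else test_result Failure "Signing"`. Add the same `else test_result Failure "Signing"` branch to both; since `k` is fixed by the vector, the signature is deterministic and a mismatch is a real regression the suite currently cannot see. Only the accepting path of `verify` is exercised; a check that `verify` returns `false` for a modified message or signature would cover the rejection path as well.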
@@ -0,0 +1,65 @@
+open Test_utils
+
+type 'a poly1305_test =
+ { name: string ; msg: 'a ; key: 'a ; expected: 'a }
+
+
+(* Poly1305: key=32, tag=16 *)
+let tests = [
+ { name = "Test 1";
+ msg = Bytes.of_string "\x43\x72\x79\x70\x74\x6f\x67\x72\x61\x70\x68\x69\x63\x20\x46\x6f\x72\x75\x6d\x20\x52\x65\x73\x65\x61\x72\x63\x68\x20\x47\x72\x6f\x75\x70";
+ key = Bytes.of_string "\x85\xd6\xbe\x78\x57\x55\x6d\x33\x7f\x44\x52\xfe\x42\xd5\x06\xa8\x01\x03\x80\x8a\xfb\x0d\xb2\xfd\x4a\xbf\xf6\xaf\x41\x49\xf5\x1b";
+ expected = Bytes.of_string "\xa8\x06\x1d\xc1\x30\x51\x36\xc6\xc2\x2b\x8b\xaf\x0c\x01\x27\xa9"
+ }
+]
+
+
+let validate_test (v: Bytes.t poly1305_test) =
+ assert (Bytes.length v.key = 32);
+ assert (Bytes.length v.expected = 16)
+
+
+module MakeTests (M: SharedDefs.MAC) = struct
+ let test_noalloc (v: Bytes.t poly1305_test) name reqs =
+ let test_result = test_result (name ^ " (noalloc) " ^ v.name) in
+ if supports reqs then begin
+ let tag = Test_utils.init_bytes 16 in
+ M.Noalloc.mac ~key:v.key ~msg:v.msg ~tag;
+ if Bytes.equal tag v.expected then
+ test_result Success ""
+ else
+ test_result Failure "MAC mismatch"
+ end else
+ test_result Skipped "Required CPU feature not detected"
+
+ let test (v: Bytes.t poly1305_test) name reqs =
+ let test_result = test_result (name ^ " " ^ v.name) in
+ if supports reqs then begin
+ let tag = M.mac ~key:v.key ~msg:v.msg in
+ if Bytes.equal tag v.expected then
+ test_result Success ""
+ else
+ test_result Failure "MAC mismatch"
+ end else
+ test_result Skipped "Required CPU feature not detected"
+
+ let run_tests name reqs =
+ List.iter (fun v -> test v name reqs) tests;
+ List.iter (fun v -> test_noalloc v name reqs) tests
+end
+
+
+let _ =
+ List.iter validate_test tests;
+
+ let module Tests = MakeTests (Hacl.Poly1305_32) in
+ Tests.run_tests "Hacl.Poly1305_32" [];
+
+ let module Tests = MakeTests (Hacl.Poly1305_128) in
+ Tests.run_tests "Hacl.Poly1305_128" [VEC128];
+
+ let module Tests = MakeTests (Hacl.Poly1305_256) in
+ Tests.run_tests "Hacl.Poly1305_256" [VEC256];
+
+ let module Tests = MakeTests (EverCrypt.Poly1305) in
+ Tests.run_tests "EverCrypt.Poly1305" []
diff --git a/ocaml/hacl-star/tests/test_utils.ml b/ocaml/hacl-star/tests/test_utils.ml
new file mode 100644
index 00000000..bd4f1926
--- /dev/null
+++ b/ocaml/hacl-star/tests/test_utils.ml
@@ -0,0 +1,33 @@
+open EverCrypt.Error
+
+type result =
+ | Success
+ | Failure
+ | Skipped
+
+let test_result t res r =
+ let r = if r <> "" then
+ Printf.sprintf ": %s" r
+ else
+ ""
+ in
+ match res with
+ | Success -> Printf.printf "[%s] Success%s\n" t r
+ | Failure -> failwith (Printf.sprintf "[%s] Failure%s" t r)
+ | Skipped -> Printf.printf "[%s] Skipped%s\n" t r
+
+let print_error = function
+ | UnsupportedAlgorithm -> "Unsupported algorithm"
+ | InvalidKey -> "Invalid key"
+ | AuthenticationFailure -> "Authentication failure"
+ | InvalidIVLength -> "Invalid IV length"
+ | DecodeError -> "Decode error"
+
+let init_bytes len =
+ let buf = Bytes.create len in
+ Bytes.fill buf 0 len '\x00';
+ buf
+
+let rec supports = function
+ | [] -> true
+ | f::fs -> AutoConfig2.has_feature f && supports fs
diff --git a/ocaml/lib/EverCrypt_AEAD_bindings.ml b/ocaml/lib/EverCrypt_AEAD_bindings.ml
new file mode 100644
index 00000000..a85730f6
--- /dev/null
+++ b/ocaml/lib/EverCrypt_AEAD_bindings.ml
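Review bot: The suite has a single 34-byte vector (it matches the RFC 8439 §2.5.2 example), so `Hacl.Poly1305_128` and `Hacl.Poly1305_256` are only exercised on an input shorter than the multi-block chunk their vectorized loops consume; presumably those loops never run here. Vectors at and above 64 and 128 bytes, plus the empty message and a non-multiple-of-16 tail, would cover the block-boundary handling where MAC implementations typically diverge. On a mismatch, `test_result Failure "MAC mismatch"` prints neither tag; including the computed and expected tags as hex in the message makes a regression diagnosable from CI output alone.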
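Review bot: `test_result` turns `Failure` into `failwith`, so the first failing check aborts the whole binary and every later test is neither run nor reported as failed; the other test files rely on this (they write `test_result Failure "…";` and fall through), so the raise is a contract worth stating above the function, e.g. `(* Failure raises and ends the run; Success and Skipped only print. *)`. `init_bytes` can be written as `let init_bytes len = Bytes.make len '\x00'`, which yields the same zero-filled buffer without the separate `create`/`fill`. `supports` is equivalent to `List.for_all AutoConfig2.has_feature`.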
@@ -0,0 +1,194 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + module Hacl_Spec_applied = (Hacl_Spec_bindings.Bindings)(Hacl_Spec_stubs) + open Hacl_Spec_applied + module EverCrypt_Error_applied = + (EverCrypt_Error_bindings.Bindings)(EverCrypt_Error_stubs) + open EverCrypt_Error_applied + type everCrypt_AEAD_state_s = [ `everCrypt_AEAD_state_s ] structure + let (everCrypt_AEAD_state_s : [ `everCrypt_AEAD_state_s ] structure typ) + = structure "EverCrypt_AEAD_state_s_s" + let everCrypt_AEAD_alg_of_state = + foreign "EverCrypt_AEAD_alg_of_state" + ((ptr everCrypt_AEAD_state_s) @-> (returning spec_Agile_AEAD_alg)) + let everCrypt_AEAD_create_in = + foreign "EverCrypt_AEAD_create_in" + (spec_Agile_AEAD_alg @-> + ((ptr (ptr everCrypt_AEAD_state_s)) @-> + (ocaml_bytes @-> (returning everCrypt_Error_error_code)))) + let everCrypt_AEAD_encrypt = + foreign "EverCrypt_AEAD_encrypt" + ((ptr everCrypt_AEAD_state_s) @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (returning everCrypt_Error_error_code)))))))))) + let everCrypt_AEAD_encrypt_expand_aes128_gcm_no_check = + foreign "EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (returning everCrypt_Error_error_code)))))))))) + let everCrypt_AEAD_encrypt_expand_aes256_gcm_no_check = + foreign "EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (returning everCrypt_Error_error_code)))))))))) + let everCrypt_AEAD_encrypt_expand_aes128_gcm = + foreign "EverCrypt_AEAD_encrypt_expand_aes128_gcm" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + 
(ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (returning everCrypt_Error_error_code)))))))))) + let everCrypt_AEAD_encrypt_expand_aes256_gcm = + foreign "EverCrypt_AEAD_encrypt_expand_aes256_gcm" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (returning everCrypt_Error_error_code)))))))))) + let everCrypt_AEAD_encrypt_expand_chacha20_poly1305 = + foreign "EverCrypt_AEAD_encrypt_expand_chacha20_poly1305" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (returning everCrypt_Error_error_code)))))))))) + let everCrypt_AEAD_encrypt_expand = + foreign "EverCrypt_AEAD_encrypt_expand" + (spec_Agile_AEAD_alg @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (returning everCrypt_Error_error_code))))))))))) + let everCrypt_AEAD_decrypt = + foreign "EverCrypt_AEAD_decrypt" + ((ptr everCrypt_AEAD_state_s) @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (returning everCrypt_Error_error_code)))))))))) + let everCrypt_AEAD_decrypt_expand_aes128_gcm_no_check = + foreign "EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (returning everCrypt_Error_error_code)))))))))) + let everCrypt_AEAD_decrypt_expand_aes256_gcm_no_check = + foreign "EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + 
(returning everCrypt_Error_error_code)))))))))) + let everCrypt_AEAD_decrypt_expand_aes128_gcm = + foreign "EverCrypt_AEAD_decrypt_expand_aes128_gcm" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (returning everCrypt_Error_error_code)))))))))) + let everCrypt_AEAD_decrypt_expand_aes256_gcm = + foreign "EverCrypt_AEAD_decrypt_expand_aes256_gcm" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (returning everCrypt_Error_error_code)))))))))) + let everCrypt_AEAD_decrypt_expand_chacha20_poly1305 = + foreign "EverCrypt_AEAD_decrypt_expand_chacha20_poly1305" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (returning everCrypt_Error_error_code)))))))))) + let everCrypt_AEAD_decrypt_expand = + foreign "EverCrypt_AEAD_decrypt_expand" + (spec_Agile_AEAD_alg @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (returning everCrypt_Error_error_code))))))))))) + let everCrypt_AEAD_free = + foreign "EverCrypt_AEAD_free" + ((ptr everCrypt_AEAD_state_s) @-> (returning void)) + end \ No newline at end of file diff --git a/ocaml/lib/EverCrypt_AutoConfig2_bindings.ml b/ocaml/lib/EverCrypt_AutoConfig2_bindings.ml new file mode 100644 index 00000000..cc20c44c --- /dev/null +++ b/ocaml/lib/EverCrypt_AutoConfig2_bindings.ml 
@@ -0,0 +1,88 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let everCrypt_AutoConfig2_has_shaext = + foreign "EverCrypt_AutoConfig2_has_shaext" (void @-> (returning bool)) + let everCrypt_AutoConfig2_has_aesni = + foreign "EverCrypt_AutoConfig2_has_aesni" (void @-> (returning bool)) + let everCrypt_AutoConfig2_has_pclmulqdq = + foreign "EverCrypt_AutoConfig2_has_pclmulqdq" + (void @-> (returning bool)) + let everCrypt_AutoConfig2_has_avx2 = + foreign "EverCrypt_AutoConfig2_has_avx2" (void @-> (returning bool)) + let everCrypt_AutoConfig2_has_avx = + foreign "EverCrypt_AutoConfig2_has_avx" (void @-> (returning bool)) + let everCrypt_AutoConfig2_has_bmi2 = + foreign "EverCrypt_AutoConfig2_has_bmi2" (void @-> (returning bool)) + let everCrypt_AutoConfig2_has_adx = + foreign "EverCrypt_AutoConfig2_has_adx" (void @-> (returning bool)) + let everCrypt_AutoConfig2_has_sse = + foreign "EverCrypt_AutoConfig2_has_sse" (void @-> (returning bool)) + let everCrypt_AutoConfig2_has_movbe = + foreign "EverCrypt_AutoConfig2_has_movbe" (void @-> (returning bool)) + let everCrypt_AutoConfig2_has_rdrand = + foreign "EverCrypt_AutoConfig2_has_rdrand" (void @-> (returning bool)) + let everCrypt_AutoConfig2_has_avx512 = + foreign "EverCrypt_AutoConfig2_has_avx512" (void @-> (returning bool)) + let everCrypt_AutoConfig2_wants_vale = + foreign "EverCrypt_AutoConfig2_wants_vale" (void @-> (returning bool)) + let everCrypt_AutoConfig2_wants_hacl = + foreign "EverCrypt_AutoConfig2_wants_hacl" (void @-> (returning bool)) + let everCrypt_AutoConfig2_wants_openssl = + foreign "EverCrypt_AutoConfig2_wants_openssl" + (void @-> (returning bool)) + let everCrypt_AutoConfig2_wants_bcrypt = + foreign "EverCrypt_AutoConfig2_wants_bcrypt" + (void @-> (returning bool)) + let everCrypt_AutoConfig2_recall = + foreign "EverCrypt_AutoConfig2_recall" (void @-> (returning void)) + let everCrypt_AutoConfig2_init = + foreign "EverCrypt_AutoConfig2_init" (void @-> (returning void)) + 
let everCrypt_AutoConfig2_disable_avx2 = + foreign "EverCrypt_AutoConfig2_disable_avx2" + (void @-> (returning void)) + let everCrypt_AutoConfig2_disable_avx = + foreign "EverCrypt_AutoConfig2_disable_avx" (void @-> (returning void)) + let everCrypt_AutoConfig2_disable_bmi2 = + foreign "EverCrypt_AutoConfig2_disable_bmi2" + (void @-> (returning void)) + let everCrypt_AutoConfig2_disable_adx = + foreign "EverCrypt_AutoConfig2_disable_adx" (void @-> (returning void)) + let everCrypt_AutoConfig2_disable_shaext = + foreign "EverCrypt_AutoConfig2_disable_shaext" + (void @-> (returning void)) + let everCrypt_AutoConfig2_disable_aesni = + foreign "EverCrypt_AutoConfig2_disable_aesni" + (void @-> (returning void)) + let everCrypt_AutoConfig2_disable_pclmulqdq = + foreign "EverCrypt_AutoConfig2_disable_pclmulqdq" + (void @-> (returning void)) + let everCrypt_AutoConfig2_disable_sse = + foreign "EverCrypt_AutoConfig2_disable_sse" (void @-> (returning void)) + let everCrypt_AutoConfig2_disable_movbe = + foreign "EverCrypt_AutoConfig2_disable_movbe" + (void @-> (returning void)) + let everCrypt_AutoConfig2_disable_rdrand = + foreign "EverCrypt_AutoConfig2_disable_rdrand" + (void @-> (returning void)) + let everCrypt_AutoConfig2_disable_avx512 = + foreign "EverCrypt_AutoConfig2_disable_avx512" + (void @-> (returning void)) + let everCrypt_AutoConfig2_disable_vale = + foreign "EverCrypt_AutoConfig2_disable_vale" + (void @-> (returning void)) + let everCrypt_AutoConfig2_disable_hacl = + foreign "EverCrypt_AutoConfig2_disable_hacl" + (void @-> (returning void)) + let everCrypt_AutoConfig2_disable_openssl = + foreign "EverCrypt_AutoConfig2_disable_openssl" + (void @-> (returning void)) + let everCrypt_AutoConfig2_disable_bcrypt = + foreign "EverCrypt_AutoConfig2_disable_bcrypt" + (void @-> (returning void)) + let everCrypt_AutoConfig2_has_vec128 = + foreign "EverCrypt_AutoConfig2_has_vec128" (void @-> (returning bool)) + let everCrypt_AutoConfig2_has_vec256 = + foreign 
"EverCrypt_AutoConfig2_has_vec256" (void @-> (returning bool)) + end \ No newline at end of file diff --git a/ocaml/lib/EverCrypt_CTR_bindings.ml b/ocaml/lib/EverCrypt_CTR_bindings.ml new file mode 100644 index 00000000..7f13c249 --- /dev/null +++ b/ocaml/lib/EverCrypt_CTR_bindings.ml @@ -0,0 +1,40 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + module Hacl_Spec_applied = (Hacl_Spec_bindings.Bindings)(Hacl_Spec_stubs) + open Hacl_Spec_applied + module EverCrypt_Error_applied = + (EverCrypt_Error_bindings.Bindings)(EverCrypt_Error_stubs) + open EverCrypt_Error_applied + type everCrypt_CTR_state_s = [ `everCrypt_CTR_state_s ] structure + let (everCrypt_CTR_state_s : [ `everCrypt_CTR_state_s ] structure typ) = + structure "EverCrypt_CTR_state_s_s" + let everCrypt_CTR_xor8 = + foreign "EverCrypt_CTR_xor8" + (uint8_t @-> (uint8_t @-> (returning uint8_t))) + let everCrypt_CTR_alg_of_state = + foreign "EverCrypt_CTR_alg_of_state" + ((ptr everCrypt_CTR_state_s) @-> + (returning spec_Agile_Cipher_cipher_alg)) + let everCrypt_CTR_create_in = + foreign "EverCrypt_CTR_create_in" + (spec_Agile_Cipher_cipher_alg @-> + ((ptr (ptr everCrypt_CTR_state_s)) @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (uint32_t @-> (returning everCrypt_Error_error_code))))))) + let everCrypt_CTR_init = + foreign "EverCrypt_CTR_init" + ((ptr everCrypt_CTR_state_s) @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (uint32_t @-> (uint32_t @-> (returning void)))))) + let everCrypt_CTR_update_block = + foreign "EverCrypt_CTR_update_block" + ((ptr everCrypt_CTR_state_s) @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning void)))) + let everCrypt_CTR_free = + foreign "EverCrypt_CTR_free" + ((ptr everCrypt_CTR_state_s) @-> (returning void)) + end \ No newline at end of file diff --git a/ocaml/lib/EverCrypt_Chacha20Poly1305_bindings.ml b/ocaml/lib/EverCrypt_Chacha20Poly1305_bindings.ml new file mode 100644 index 00000000..6279f017 --- /dev/null 
+++ b/ocaml/lib/EverCrypt_Chacha20Poly1305_bindings.ml @@ -0,0 +1,24 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let everCrypt_Chacha20Poly1305_aead_encrypt = + foreign "EverCrypt_Chacha20Poly1305_aead_encrypt" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning void))))))))) + let everCrypt_Chacha20Poly1305_aead_decrypt = + foreign "EverCrypt_Chacha20Poly1305_aead_decrypt" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t))))))))) + end \ No newline at end of file diff --git a/ocaml/lib/EverCrypt_Cipher_bindings.ml b/ocaml/lib/EverCrypt_Cipher_bindings.ml new file mode 100644 index 00000000..1e8b5d78 --- /dev/null +++ b/ocaml/lib/EverCrypt_Cipher_bindings.ml @@ -0,0 +1,12 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let everCrypt_Cipher_chacha20 = + foreign "EverCrypt_Cipher_chacha20" + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (uint32_t @-> (returning void))))))) + end \ No newline at end of file diff --git a/ocaml/lib/EverCrypt_Curve25519_bindings.ml b/ocaml/lib/EverCrypt_Curve25519_bindings.ml new file mode 100644 index 00000000..aae9ef10 --- /dev/null +++ b/ocaml/lib/EverCrypt_Curve25519_bindings.ml 
@@ -0,0 +1,14 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let everCrypt_Curve25519_secret_to_public = + foreign "EverCrypt_Curve25519_secret_to_public" + (ocaml_bytes @-> (ocaml_bytes @-> (returning void))) + let everCrypt_Curve25519_scalarmult = + foreign "EverCrypt_Curve25519_scalarmult" + (ocaml_bytes @-> (ocaml_bytes @-> (ocaml_bytes @-> (returning void)))) + let everCrypt_Curve25519_ecdh = + foreign "EverCrypt_Curve25519_ecdh" + (ocaml_bytes @-> (ocaml_bytes @-> (ocaml_bytes @-> (returning bool)))) + end \ No newline at end of file diff --git a/ocaml/lib/EverCrypt_DRBG_bindings.ml b/ocaml/lib/EverCrypt_DRBG_bindings.ml new file mode 100644 index 00000000..e4ea9558 --- /dev/null +++ b/ocaml/lib/EverCrypt_DRBG_bindings.ml 
@@ -0,0 +1,122 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + module Hacl_Spec_applied = (Hacl_Spec_bindings.Bindings)(Hacl_Spec_stubs) + open Hacl_Spec_applied + type everCrypt_DRBG_supported_alg = spec_Hash_Definitions_hash_alg + let everCrypt_DRBG_supported_alg = + typedef spec_Hash_Definitions_hash_alg "EverCrypt_DRBG_supported_alg" + let everCrypt_DRBG_reseed_interval = + foreign_value "EverCrypt_DRBG_reseed_interval" uint32_t + let everCrypt_DRBG_max_output_length = + foreign_value "EverCrypt_DRBG_max_output_length" uint32_t + let everCrypt_DRBG_max_length = + foreign_value "EverCrypt_DRBG_max_length" uint32_t + let everCrypt_DRBG_max_personalization_string_length = + foreign_value "EverCrypt_DRBG_max_personalization_string_length" + uint32_t + let everCrypt_DRBG_max_additional_input_length = + foreign_value "EverCrypt_DRBG_max_additional_input_length" uint32_t + let everCrypt_DRBG_min_length = + foreign "EverCrypt_DRBG_min_length" + (spec_Hash_Definitions_hash_alg @-> (returning uint32_t)) + type everCrypt_DRBG_state_s_tags = Unsigned.UInt8.t + let everCrypt_DRBG_state_s_tags = + typedef uint8_t "EverCrypt_DRBG_state_s_tags" + let everCrypt_DRBG_state_s_tags_EverCrypt_DRBG_SHA1_s = + Unsigned.UInt8.of_int 0 + let everCrypt_DRBG_state_s_tags_EverCrypt_DRBG_SHA2_256_s = + Unsigned.UInt8.of_int 1 + let everCrypt_DRBG_state_s_tags_EverCrypt_DRBG_SHA2_384_s = + Unsigned.UInt8.of_int 2 + let everCrypt_DRBG_state_s_tags_EverCrypt_DRBG_SHA2_512_s = + Unsigned.UInt8.of_int 3 + type everCrypt_DRBG_state_s = [ `everCrypt_DRBG_state_s ] structure + let (everCrypt_DRBG_state_s : [ `everCrypt_DRBG_state_s ] structure typ) + = structure "EverCrypt_DRBG_state_s_s" + let everCrypt_DRBG_create = + foreign "EverCrypt_DRBG_create" + (spec_Hash_Definitions_hash_alg @-> + (returning (ptr everCrypt_DRBG_state_s))) + let everCrypt_DRBG_instantiate_sha1 = + foreign "EverCrypt_DRBG_instantiate_sha1" + ((ptr everCrypt_DRBG_state_s) @-> + (ocaml_bytes @-> 
(uint32_t @-> (returning bool)))) + let everCrypt_DRBG_instantiate_sha2_256 = + foreign "EverCrypt_DRBG_instantiate_sha2_256" + ((ptr everCrypt_DRBG_state_s) @-> + (ocaml_bytes @-> (uint32_t @-> (returning bool)))) + let everCrypt_DRBG_instantiate_sha2_384 = + foreign "EverCrypt_DRBG_instantiate_sha2_384" + ((ptr everCrypt_DRBG_state_s) @-> + (ocaml_bytes @-> (uint32_t @-> (returning bool)))) + let everCrypt_DRBG_instantiate_sha2_512 = + foreign "EverCrypt_DRBG_instantiate_sha2_512" + ((ptr everCrypt_DRBG_state_s) @-> + (ocaml_bytes @-> (uint32_t @-> (returning bool)))) + let everCrypt_DRBG_reseed_sha1 = + foreign "EverCrypt_DRBG_reseed_sha1" + ((ptr everCrypt_DRBG_state_s) @-> + (ocaml_bytes @-> (uint32_t @-> (returning bool)))) + let everCrypt_DRBG_reseed_sha2_256 = + foreign "EverCrypt_DRBG_reseed_sha2_256" + ((ptr everCrypt_DRBG_state_s) @-> + (ocaml_bytes @-> (uint32_t @-> (returning bool)))) + let everCrypt_DRBG_reseed_sha2_384 = + foreign "EverCrypt_DRBG_reseed_sha2_384" + ((ptr everCrypt_DRBG_state_s) @-> + (ocaml_bytes @-> (uint32_t @-> (returning bool)))) + let everCrypt_DRBG_reseed_sha2_512 = + foreign "EverCrypt_DRBG_reseed_sha2_512" + ((ptr everCrypt_DRBG_state_s) @-> + (ocaml_bytes @-> (uint32_t @-> (returning bool)))) + let everCrypt_DRBG_generate_sha1 = + foreign "EverCrypt_DRBG_generate_sha1" + (ocaml_bytes @-> + ((ptr everCrypt_DRBG_state_s) @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning bool)))))) + let everCrypt_DRBG_generate_sha2_256 = + foreign "EverCrypt_DRBG_generate_sha2_256" + (ocaml_bytes @-> + ((ptr everCrypt_DRBG_state_s) @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning bool)))))) + let everCrypt_DRBG_generate_sha2_384 = + foreign "EverCrypt_DRBG_generate_sha2_384" + (ocaml_bytes @-> + ((ptr everCrypt_DRBG_state_s) @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning bool)))))) + let everCrypt_DRBG_generate_sha2_512 = + foreign "EverCrypt_DRBG_generate_sha2_512" + (ocaml_bytes @-> + ((ptr 
everCrypt_DRBG_state_s) @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning bool)))))) + let everCrypt_DRBG_uninstantiate_sha1 = + foreign "EverCrypt_DRBG_uninstantiate_sha1" + ((ptr everCrypt_DRBG_state_s) @-> (returning void)) + let everCrypt_DRBG_uninstantiate_sha2_256 = + foreign "EverCrypt_DRBG_uninstantiate_sha2_256" + ((ptr everCrypt_DRBG_state_s) @-> (returning void)) + let everCrypt_DRBG_uninstantiate_sha2_384 = + foreign "EverCrypt_DRBG_uninstantiate_sha2_384" + ((ptr everCrypt_DRBG_state_s) @-> (returning void)) + let everCrypt_DRBG_uninstantiate_sha2_512 = + foreign "EverCrypt_DRBG_uninstantiate_sha2_512" + ((ptr everCrypt_DRBG_state_s) @-> (returning void)) + let everCrypt_DRBG_instantiate = + foreign "EverCrypt_DRBG_instantiate" + ((ptr everCrypt_DRBG_state_s) @-> + (ocaml_bytes @-> (uint32_t @-> (returning bool)))) + let everCrypt_DRBG_reseed = + foreign "EverCrypt_DRBG_reseed" + ((ptr everCrypt_DRBG_state_s) @-> + (ocaml_bytes @-> (uint32_t @-> (returning bool)))) + let everCrypt_DRBG_generate = + foreign "EverCrypt_DRBG_generate" + (ocaml_bytes @-> + ((ptr everCrypt_DRBG_state_s) @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning bool)))))) + let everCrypt_DRBG_uninstantiate = + foreign "EverCrypt_DRBG_uninstantiate" + ((ptr everCrypt_DRBG_state_s) @-> (returning void)) + end \ No newline at end of file diff --git a/ocaml/lib/EverCrypt_Ed25519_bindings.ml b/ocaml/lib/EverCrypt_Ed25519_bindings.ml new file mode 100644 index 00000000..d84bce04 --- /dev/null +++ b/ocaml/lib/EverCrypt_Ed25519_bindings.ml 
@@ -0,0 +1,23 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let everCrypt_Ed25519_sign = + foreign "EverCrypt_Ed25519_sign" + (ocaml_bytes @-> + (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (returning void))))) + let everCrypt_Ed25519_verify = + foreign "EverCrypt_Ed25519_verify" + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (ocaml_bytes @-> (returning bool))))) + let everCrypt_Ed25519_secret_to_public = + foreign "EverCrypt_Ed25519_secret_to_public" + (ocaml_bytes @-> (ocaml_bytes @-> (returning void))) + let everCrypt_Ed25519_expand_keys = + foreign "EverCrypt_Ed25519_expand_keys" + (ocaml_bytes @-> (ocaml_bytes @-> (returning void))) + let everCrypt_Ed25519_sign_expanded = + foreign "EverCrypt_Ed25519_sign_expanded" + (ocaml_bytes @-> + (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (returning void))))) + end \ No newline at end of file diff --git a/ocaml/lib/EverCrypt_Error_bindings.ml b/ocaml/lib/EverCrypt_Error_bindings.ml new file mode 100644 index 00000000..e3f44a20 --- /dev/null +++ b/ocaml/lib/EverCrypt_Error_bindings.ml @@ -0,0 +1,20 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + type everCrypt_Error_error_code = Unsigned.UInt8.t + let everCrypt_Error_error_code = + typedef uint8_t "EverCrypt_Error_error_code" + let everCrypt_Error_error_code_EverCrypt_Error_Success = + Unsigned.UInt8.of_int 0 + let everCrypt_Error_error_code_EverCrypt_Error_UnsupportedAlgorithm = + Unsigned.UInt8.of_int 1 + let everCrypt_Error_error_code_EverCrypt_Error_InvalidKey = + Unsigned.UInt8.of_int 2 + let everCrypt_Error_error_code_EverCrypt_Error_AuthenticationFailure = + Unsigned.UInt8.of_int 3 + let everCrypt_Error_error_code_EverCrypt_Error_InvalidIVLength = + Unsigned.UInt8.of_int 4 + let everCrypt_Error_error_code_EverCrypt_Error_DecodeError = + Unsigned.UInt8.of_int 5 + end \ No newline at end of file 
diff --git a/ocaml/lib/EverCrypt_HKDF_bindings.ml b/ocaml/lib/EverCrypt_HKDF_bindings.ml new file mode 100644 index 00000000..17941f0f --- /dev/null +++ b/ocaml/lib/EverCrypt_HKDF_bindings.ml 
@@ -0,0 +1,109 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + module Hacl_Spec_applied = (Hacl_Spec_bindings.Bindings)(Hacl_Spec_stubs) + open Hacl_Spec_applied + let everCrypt_HKDF_expand_sha1 = + foreign "EverCrypt_HKDF_expand_sha1" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> (uint32_t @-> (returning void))))))) + let everCrypt_HKDF_extract_sha1 = + foreign "EverCrypt_HKDF_extract_sha1" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + let everCrypt_HKDF_expand_sha2_256 = + foreign "EverCrypt_HKDF_expand_sha2_256" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> (uint32_t @-> (returning void))))))) + let everCrypt_HKDF_extract_sha2_256 = + foreign "EverCrypt_HKDF_extract_sha2_256" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + let everCrypt_HKDF_expand_sha2_384 = + foreign "EverCrypt_HKDF_expand_sha2_384" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> (uint32_t @-> (returning void))))))) + let everCrypt_HKDF_extract_sha2_384 = + foreign "EverCrypt_HKDF_extract_sha2_384" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + let everCrypt_HKDF_expand_sha2_512 = + foreign "EverCrypt_HKDF_expand_sha2_512" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> (uint32_t @-> (returning void))))))) + let everCrypt_HKDF_extract_sha2_512 = + foreign "EverCrypt_HKDF_extract_sha2_512" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + let everCrypt_HKDF_expand_blake2s = + foreign "EverCrypt_HKDF_expand_blake2s" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> (uint32_t @-> (returning void))))))) + let 
everCrypt_HKDF_extract_blake2s = + foreign "EverCrypt_HKDF_extract_blake2s" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + let everCrypt_HKDF_expand_blake2b = + foreign "EverCrypt_HKDF_expand_blake2b" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> (uint32_t @-> (returning void))))))) + let everCrypt_HKDF_extract_blake2b = + foreign "EverCrypt_HKDF_extract_blake2b" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + let everCrypt_HKDF_expand = + foreign "EverCrypt_HKDF_expand" + (spec_Hash_Definitions_hash_alg @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> (uint32_t @-> (returning void)))))))) + let everCrypt_HKDF_extract = + foreign "EverCrypt_HKDF_extract" + (spec_Hash_Definitions_hash_alg @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> (uint32_t @-> (returning void))))))) + let everCrypt_HKDF_hkdf_expand = + foreign "EverCrypt_HKDF_hkdf_expand" + (spec_Hash_Definitions_hash_alg @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> (uint32_t @-> (returning void)))))))) + let everCrypt_HKDF_hkdf_extract = + foreign "EverCrypt_HKDF_hkdf_extract" + (spec_Hash_Definitions_hash_alg @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> (uint32_t @-> (returning void))))))) + end \ No newline at end of file diff --git a/ocaml/lib/EverCrypt_HMAC_bindings.ml b/ocaml/lib/EverCrypt_HMAC_bindings.ml new file mode 100644 index 00000000..28f62413 --- /dev/null +++ b/ocaml/lib/EverCrypt_HMAC_bindings.ml 
@@ -0,0 +1,50 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + module Hacl_Spec_applied = (Hacl_Spec_bindings.Bindings)(Hacl_Spec_stubs) + open Hacl_Spec_applied + let everCrypt_HMAC_compute_sha1 = + foreign "EverCrypt_HMAC_compute_sha1" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + let everCrypt_HMAC_compute_sha2_256 = + foreign "EverCrypt_HMAC_compute_sha2_256" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + let everCrypt_HMAC_compute_sha2_384 = + foreign "EverCrypt_HMAC_compute_sha2_384" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + let everCrypt_HMAC_compute_sha2_512 = + foreign "EverCrypt_HMAC_compute_sha2_512" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + let everCrypt_HMAC_compute_blake2s = + foreign "EverCrypt_HMAC_compute_blake2s" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + let everCrypt_HMAC_compute_blake2b = + foreign "EverCrypt_HMAC_compute_blake2b" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + let everCrypt_HMAC_is_supported_alg = + foreign "EverCrypt_HMAC_is_supported_alg" + (spec_Hash_Definitions_hash_alg @-> (returning bool)) + type everCrypt_HMAC_supported_alg = spec_Hash_Definitions_hash_alg + let everCrypt_HMAC_supported_alg = + typedef spec_Hash_Definitions_hash_alg "EverCrypt_HMAC_supported_alg" + let everCrypt_HMAC_compute = + foreign "EverCrypt_HMAC_compute" + (spec_Hash_Definitions_hash_alg @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> (uint32_t @-> (returning void))))))) + end \ No newline at end of file 
diff --git a/ocaml/lib/EverCrypt_Hash_bindings.ml b/ocaml/lib/EverCrypt_Hash_bindings.ml new file mode 100644 index 00000000..87011c5e --- /dev/null +++ b/ocaml/lib/EverCrypt_Hash_bindings.ml 
@@ -0,0 +1,215 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + module Hacl_Spec_applied = (Hacl_Spec_bindings.Bindings)(Hacl_Spec_stubs) + open Hacl_Spec_applied + type everCrypt_Hash_alg = spec_Hash_Definitions_hash_alg + let everCrypt_Hash_alg = + typedef spec_Hash_Definitions_hash_alg "EverCrypt_Hash_alg" + let constant everCrypt_Hash_string_of_alg = + foreign "EverCrypt_Hash_string_of_alg" + (spec_Hash_Definitions_hash_alg @-> (returning string)) + type everCrypt_Hash_broken_alg = spec_Hash_Definitions_hash_alg + let everCrypt_Hash_broken_alg = + typedef spec_Hash_Definitions_hash_alg "EverCrypt_Hash_broken_alg" + type everCrypt_Hash_alg13 = spec_Hash_Definitions_hash_alg + let everCrypt_Hash_alg13 = + typedef spec_Hash_Definitions_hash_alg "EverCrypt_Hash_alg13" + type everCrypt_Hash_state_s_tags = Unsigned.UInt8.t + let everCrypt_Hash_state_s_tags = + typedef uint8_t "EverCrypt_Hash_state_s_tags" + let everCrypt_Hash_state_s_tags_EverCrypt_Hash_MD5_s = + Unsigned.UInt8.of_int 0 + let everCrypt_Hash_state_s_tags_EverCrypt_Hash_SHA1_s = + Unsigned.UInt8.of_int 1 + let everCrypt_Hash_state_s_tags_EverCrypt_Hash_SHA2_224_s = + Unsigned.UInt8.of_int 2 + let everCrypt_Hash_state_s_tags_EverCrypt_Hash_SHA2_256_s = + Unsigned.UInt8.of_int 3 + let everCrypt_Hash_state_s_tags_EverCrypt_Hash_SHA2_384_s = + Unsigned.UInt8.of_int 4 + let everCrypt_Hash_state_s_tags_EverCrypt_Hash_SHA2_512_s = + Unsigned.UInt8.of_int 5 + let everCrypt_Hash_state_s_tags_EverCrypt_Hash_Blake2S_s = + Unsigned.UInt8.of_int 6 + let everCrypt_Hash_state_s_tags_EverCrypt_Hash_Blake2B_s = + Unsigned.UInt8.of_int 7 + type everCrypt_Hash_state_s = [ `everCrypt_Hash_state_s ] structure + let (everCrypt_Hash_state_s : [ `everCrypt_Hash_state_s ] structure typ) + = structure "EverCrypt_Hash_state_s_s" + let everCrypt_Hash_state_s_tag = + field everCrypt_Hash_state_s "tag" everCrypt_Hash_state_s_tags + type everCrypt_Hash_state_s_val = [ `anonymous ] union + let 
(everCrypt_Hash_state_s_val : [ `anonymous ] union typ) = union "" + let everCrypt_Hash_state_s_val_case_MD5_s = + field everCrypt_Hash_state_s_val "case_MD5_s" (ptr uint32_t) + let everCrypt_Hash_state_s_val_case_SHA1_s = + field everCrypt_Hash_state_s_val "case_SHA1_s" (ptr uint32_t) + let everCrypt_Hash_state_s_val_case_SHA2_224_s = + field everCrypt_Hash_state_s_val "case_SHA2_224_s" (ptr uint32_t) + let everCrypt_Hash_state_s_val_case_SHA2_256_s = + field everCrypt_Hash_state_s_val "case_SHA2_256_s" (ptr uint32_t) + let everCrypt_Hash_state_s_val_case_SHA2_384_s = + field everCrypt_Hash_state_s_val "case_SHA2_384_s" (ptr uint64_t) + let everCrypt_Hash_state_s_val_case_SHA2_512_s = + field everCrypt_Hash_state_s_val "case_SHA2_512_s" (ptr uint64_t) + let everCrypt_Hash_state_s_val_case_Blake2S_s = + field everCrypt_Hash_state_s_val "case_Blake2S_s" (ptr uint32_t) + let everCrypt_Hash_state_s_val_case_Blake2B_s = + field everCrypt_Hash_state_s_val "case_Blake2B_s" (ptr uint64_t) + let _ = seal everCrypt_Hash_state_s_val + let everCrypt_Hash_state_s_u = + field everCrypt_Hash_state_s "" everCrypt_Hash_state_s_val + let _ = seal everCrypt_Hash_state_s + let everCrypt_Hash_alg_of_state = + foreign "EverCrypt_Hash_alg_of_state" + ((ptr everCrypt_Hash_state_s) @-> + (returning spec_Hash_Definitions_hash_alg)) + let everCrypt_Hash_create_in = + foreign "EverCrypt_Hash_create_in" + (spec_Hash_Definitions_hash_alg @-> + (returning (ptr everCrypt_Hash_state_s))) + let everCrypt_Hash_create = + foreign "EverCrypt_Hash_create" + (spec_Hash_Definitions_hash_alg @-> + (returning (ptr everCrypt_Hash_state_s))) + let everCrypt_Hash_init = + foreign "EverCrypt_Hash_init" + ((ptr everCrypt_Hash_state_s) @-> (returning void)) + let everCrypt_Hash_update_multi_256 = + foreign "EverCrypt_Hash_update_multi_256" + ((ptr uint32_t) @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))) + let everCrypt_Hash_update2 = + foreign "EverCrypt_Hash_update2" + ((ptr everCrypt_Hash_state_s) @-> 
+ (uint64_t @-> (ocaml_bytes @-> (returning void)))) + let everCrypt_Hash_update = + foreign "EverCrypt_Hash_update" + ((ptr everCrypt_Hash_state_s) @-> (ocaml_bytes @-> (returning void))) + let everCrypt_Hash_update_multi2 = + foreign "EverCrypt_Hash_update_multi2" + ((ptr everCrypt_Hash_state_s) @-> + (uint64_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void))))) + let everCrypt_Hash_update_multi = + foreign "EverCrypt_Hash_update_multi" + ((ptr everCrypt_Hash_state_s) @-> + (ocaml_bytes @-> (uint32_t @-> (returning void)))) + let everCrypt_Hash_update_last_256 = + foreign "EverCrypt_Hash_update_last_256" + ((ptr uint32_t) @-> + (uint64_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void))))) + let everCrypt_Hash_update_last2 = + foreign "EverCrypt_Hash_update_last2" + ((ptr everCrypt_Hash_state_s) @-> + (uint64_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void))))) + let everCrypt_Hash_update_last = + foreign "EverCrypt_Hash_update_last" + ((ptr everCrypt_Hash_state_s) @-> + (ocaml_bytes @-> (uint64_t @-> (returning void)))) + let everCrypt_Hash_finish = + foreign "EverCrypt_Hash_finish" + ((ptr everCrypt_Hash_state_s) @-> (ocaml_bytes @-> (returning void))) + let everCrypt_Hash_free = + foreign "EverCrypt_Hash_free" + ((ptr everCrypt_Hash_state_s) @-> (returning void)) + let everCrypt_Hash_copy = + foreign "EverCrypt_Hash_copy" + ((ptr everCrypt_Hash_state_s) @-> + ((ptr everCrypt_Hash_state_s) @-> (returning void))) + let everCrypt_Hash_hash_256 = + foreign "EverCrypt_Hash_hash_256" + (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (returning void)))) + let everCrypt_Hash_hash_224 = + foreign "EverCrypt_Hash_hash_224" + (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (returning void)))) + let everCrypt_Hash_hash = + foreign "EverCrypt_Hash_hash" + (spec_Hash_Definitions_hash_alg @-> + (ocaml_bytes @-> (ocaml_bytes @-> (uint32_t @-> (returning void))))) + let everCrypt_Hash_Incremental_hash_len = + foreign "EverCrypt_Hash_Incremental_hash_len" + 
(spec_Hash_Definitions_hash_alg @-> (returning uint32_t)) + let everCrypt_Hash_Incremental_block_len = + foreign "EverCrypt_Hash_Incremental_block_len" + (spec_Hash_Definitions_hash_alg @-> (returning uint32_t)) + type hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ = + [ `hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ ] + structure + let (hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ : + [ `hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ ] + structure typ) + = + structure + "Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s_____s" + let hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s_____block_state + = + field hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ + "block_state" (ptr everCrypt_Hash_state_s) + let hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s_____buf = + field hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ "buf" + (ptr uint8_t) + let hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s_____total_len + = + field hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ + "total_len" uint64_t + let _ = seal hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ + let everCrypt_Hash_Incremental_create_in = + foreign "EverCrypt_Hash_Incremental_create_in" + (spec_Hash_Definitions_hash_alg @-> + (returning + (ptr + hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____))) + let everCrypt_Hash_Incremental_init = + foreign "EverCrypt_Hash_Incremental_init" + ((ptr hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____) + @-> (returning void)) + let everCrypt_Hash_Incremental_update = + foreign "EverCrypt_Hash_Incremental_update" + ((ptr hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____) + @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))) + let everCrypt_Hash_Incremental_finish_md5 = + foreign "EverCrypt_Hash_Incremental_finish_md5" + ((ptr hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____) + @-> (ocaml_bytes @-> 
(returning void))) + let everCrypt_Hash_Incremental_finish_sha1 = + foreign "EverCrypt_Hash_Incremental_finish_sha1" + ((ptr hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____) + @-> (ocaml_bytes @-> (returning void))) + let everCrypt_Hash_Incremental_finish_sha224 = + foreign "EverCrypt_Hash_Incremental_finish_sha224" + ((ptr hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____) + @-> (ocaml_bytes @-> (returning void))) + let everCrypt_Hash_Incremental_finish_sha256 = + foreign "EverCrypt_Hash_Incremental_finish_sha256" + ((ptr hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____) + @-> (ocaml_bytes @-> (returning void))) + let everCrypt_Hash_Incremental_finish_sha384 = + foreign "EverCrypt_Hash_Incremental_finish_sha384" + ((ptr hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____) + @-> (ocaml_bytes @-> (returning void))) + let everCrypt_Hash_Incremental_finish_sha512 = + foreign "EverCrypt_Hash_Incremental_finish_sha512" + ((ptr hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____) + @-> (ocaml_bytes @-> (returning void))) + let everCrypt_Hash_Incremental_finish_blake2s = + foreign "EverCrypt_Hash_Incremental_finish_blake2s" + ((ptr hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____) + @-> (ocaml_bytes @-> (returning void))) + let everCrypt_Hash_Incremental_finish_blake2b = + foreign "EverCrypt_Hash_Incremental_finish_blake2b" + ((ptr hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____) + @-> (ocaml_bytes @-> (returning void))) + let everCrypt_Hash_Incremental_alg_of_state = + foreign "EverCrypt_Hash_Incremental_alg_of_state" + ((ptr hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____) + @-> (returning spec_Hash_Definitions_hash_alg)) + let everCrypt_Hash_Incremental_finish = + foreign "EverCrypt_Hash_Incremental_finish" + ((ptr hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____) + @-> (ocaml_bytes @-> (returning void))) + let everCrypt_Hash_Incremental_free = + foreign 
"EverCrypt_Hash_Incremental_free" + ((ptr hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____) + @-> (returning void)) + end \ No newline at end of file diff --git a/ocaml/lib/EverCrypt_Poly1305_bindings.ml b/ocaml/lib/EverCrypt_Poly1305_bindings.ml new file mode 100644 index 00000000..9323b58e --- /dev/null +++ b/ocaml/lib/EverCrypt_Poly1305_bindings.ml @@ -0,0 +1,9 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let everCrypt_Poly1305_poly1305 = + foreign "EverCrypt_Poly1305_poly1305" + (ocaml_bytes @-> + (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (returning void))))) + end \ No newline at end of file diff --git a/ocaml/lib/EverCrypt_StaticConfig_bindings.ml b/ocaml/lib/EverCrypt_StaticConfig_bindings.ml new file mode 100644 index 00000000..71fb1584 --- /dev/null +++ b/ocaml/lib/EverCrypt_StaticConfig_bindings.ml @@ -0,0 +1,13 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let everCrypt_StaticConfig_hacl = + foreign_value "EverCrypt_StaticConfig_hacl" bool + let everCrypt_StaticConfig_vale = + foreign_value "EverCrypt_StaticConfig_vale" bool + let everCrypt_StaticConfig_openssl = + foreign_value "EverCrypt_StaticConfig_openssl" bool + let everCrypt_StaticConfig_bcrypt = + foreign_value "EverCrypt_StaticConfig_bcrypt" bool + end \ No newline at end of file diff --git a/ocaml/lib/EverCrypt_Vale_bindings.ml b/ocaml/lib/EverCrypt_Vale_bindings.ml new file mode 100644 index 00000000..0584ba45 --- /dev/null +++ b/ocaml/lib/EverCrypt_Vale_bindings.ml 
@@ -0,0 +1,16 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + type gcm_args = [ `gcm_args ] structure + let (gcm_args : [ `gcm_args ] structure typ) = structure "gcm_args_s" + let gcm_args_plain = field gcm_args "plain" (ptr uint8_t) + let gcm_args_plain_len = field gcm_args "plain_len" uint64_t + let gcm_args_aad = field gcm_args "aad" (ptr uint8_t) + let gcm_args_aad_len = field gcm_args "aad_len" uint64_t + let gcm_args_iv = field gcm_args "iv" (ptr uint8_t) + let gcm_args_expanded_key = field gcm_args "expanded_key" (ptr uint8_t) + let gcm_args_cipher = field gcm_args "cipher" (ptr uint8_t) + let gcm_args_tag = field gcm_args "tag" (ptr uint8_t) + let _ = seal gcm_args + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Bignum25519_51_bindings.ml b/ocaml/lib/Hacl_Bignum25519_51_bindings.ml new file mode 100644 index 00000000..ebb0f541 --- /dev/null +++ b/ocaml/lib/Hacl_Bignum25519_51_bindings.ml @@ -0,0 +1,24 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Impl_Curve25519_Field51_fadd = + foreign "Hacl_Impl_Curve25519_Field51_fadd" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))) + let hacl_Impl_Curve25519_Field51_fsub = + foreign "Hacl_Impl_Curve25519_Field51_fsub" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))) + let hacl_Impl_Curve25519_Field51_fmul1 = + foreign "Hacl_Impl_Curve25519_Field51_fmul1" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> (uint64_t @-> (returning void)))) + let hacl_Impl_Curve25519_Field51_store_felem = + foreign "Hacl_Impl_Curve25519_Field51_store_felem" + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void))) + let hacl_Impl_Curve25519_Field51_cswap2 = + foreign "Hacl_Impl_Curve25519_Field51_cswap2" + (uint64_t @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))) + end \ No newline at end of file 
diff --git a/ocaml/lib/Hacl_Bignum256_32_bindings.ml b/ocaml/lib/Hacl_Bignum256_32_bindings.ml new file mode 100644 index 00000000..d69954b1 --- /dev/null +++ b/ocaml/lib/Hacl_Bignum256_32_bindings.ml 
@@ -0,0 +1,99 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + module Hacl_GenericField32_applied = + (Hacl_GenericField32_bindings.Bindings)(Hacl_GenericField32_stubs) + open Hacl_GenericField32_applied + let hacl_Bignum256_32_add = + foreign "Hacl_Bignum256_32_add" + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning uint32_t)))) + let hacl_Bignum256_32_sub = + foreign "Hacl_Bignum256_32_sub" + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning uint32_t)))) + let hacl_Bignum256_32_add_mod = + foreign "Hacl_Bignum256_32_add_mod" + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void))))) + let hacl_Bignum256_32_sub_mod = + foreign "Hacl_Bignum256_32_sub_mod" + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void))))) + let hacl_Bignum256_32_mul = + foreign "Hacl_Bignum256_32_mul" + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))) + let hacl_Bignum256_32_sqr = + foreign "Hacl_Bignum256_32_sqr" + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void))) + let hacl_Bignum256_32_mod = + foreign "Hacl_Bignum256_32_mod" + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning bool)))) + let hacl_Bignum256_32_mod_exp_vartime = + foreign "Hacl_Bignum256_32_mod_exp_vartime" + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> + (uint32_t @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning bool)))))) + let hacl_Bignum256_32_mod_exp_consttime = + foreign "Hacl_Bignum256_32_mod_exp_consttime" + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> + (uint32_t @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning bool)))))) + let hacl_Bignum256_32_mod_inv_prime_vartime = + foreign "Hacl_Bignum256_32_mod_inv_prime_vartime" + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning bool)))) + let hacl_Bignum256_32_mont_ctx_init = + foreign 
"Hacl_Bignum256_32_mont_ctx_init" + ((ptr uint32_t) @-> + (returning (ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32))) + let hacl_Bignum256_32_mont_ctx_free = + foreign "Hacl_Bignum256_32_mont_ctx_free" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32) @-> + (returning void)) + let hacl_Bignum256_32_mod_precomp = + foreign "Hacl_Bignum256_32_mod_precomp" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))) + let hacl_Bignum256_32_mod_exp_vartime_precomp = + foreign "Hacl_Bignum256_32_mod_exp_vartime_precomp" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32) @-> + ((ptr uint32_t) @-> + (uint32_t @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))))) + let hacl_Bignum256_32_mod_exp_consttime_precomp = + foreign "Hacl_Bignum256_32_mod_exp_consttime_precomp" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32) @-> + ((ptr uint32_t) @-> + (uint32_t @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))))) + let hacl_Bignum256_32_mod_inv_prime_vartime_precomp = + foreign "Hacl_Bignum256_32_mod_inv_prime_vartime_precomp" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))) + let hacl_Bignum256_32_new_bn_from_bytes_be = + foreign "Hacl_Bignum256_32_new_bn_from_bytes_be" + (uint32_t @-> (ocaml_bytes @-> (returning (ptr uint32_t)))) + let hacl_Bignum256_32_new_bn_from_bytes_le = + foreign "Hacl_Bignum256_32_new_bn_from_bytes_le" + (uint32_t @-> (ocaml_bytes @-> (returning (ptr uint32_t)))) + let hacl_Bignum256_32_bn_to_bytes_be = + foreign "Hacl_Bignum256_32_bn_to_bytes_be" + ((ptr uint32_t) @-> (ocaml_bytes @-> (returning void))) + let hacl_Bignum256_32_bn_to_bytes_le = + foreign "Hacl_Bignum256_32_bn_to_bytes_le" + ((ptr uint32_t) @-> (ocaml_bytes @-> (returning void))) + let hacl_Bignum256_32_lt_mask = + foreign "Hacl_Bignum256_32_lt_mask" + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning uint32_t))) + let 
hacl_Bignum256_32_eq_mask = + foreign "Hacl_Bignum256_32_eq_mask" + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning uint32_t))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Bignum256_bindings.ml b/ocaml/lib/Hacl_Bignum256_bindings.ml new file mode 100644 index 00000000..0bf7250c --- /dev/null +++ b/ocaml/lib/Hacl_Bignum256_bindings.ml 
@@ -0,0 +1,110 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Bignum256_add = + foreign "Hacl_Bignum256_add" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning uint64_t)))) + let hacl_Bignum256_sub = + foreign "Hacl_Bignum256_sub" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning uint64_t)))) + let hacl_Bignum256_add_mod = + foreign "Hacl_Bignum256_add_mod" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void))))) + let hacl_Bignum256_sub_mod = + foreign "Hacl_Bignum256_sub_mod" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void))))) + let hacl_Bignum256_mul = + foreign "Hacl_Bignum256_mul" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))) + let hacl_Bignum256_sqr = + foreign "Hacl_Bignum256_sqr" + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void))) + let hacl_Bignum256_mod = + foreign "Hacl_Bignum256_mod" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning bool)))) + let hacl_Bignum256_mod_exp_vartime = + foreign "Hacl_Bignum256_mod_exp_vartime" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> + (uint32_t @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning bool)))))) + let hacl_Bignum256_mod_exp_consttime = + foreign "Hacl_Bignum256_mod_exp_consttime" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> + (uint32_t @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning bool)))))) + let hacl_Bignum256_mod_inv_prime_vartime = + foreign "Hacl_Bignum256_mod_inv_prime_vartime" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning bool)))) + type hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 = + [ `hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 ] structure + let (hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 : + [ `hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 ] structure typ) = + structure 
"Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64_s" + let hacl_Bignum_MontArithmetic_bn_mont_ctx_u64_len = + field hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 "len" uint32_t + let hacl_Bignum_MontArithmetic_bn_mont_ctx_u64_n = + field hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 "n" (ptr uint64_t) + let hacl_Bignum_MontArithmetic_bn_mont_ctx_u64_mu = + field hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 "mu" uint64_t + let hacl_Bignum_MontArithmetic_bn_mont_ctx_u64_r2 = + field hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 "r2" (ptr uint64_t) + let _ = seal hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 + let hacl_Bignum256_mont_ctx_init = + foreign "Hacl_Bignum256_mont_ctx_init" + ((ptr uint64_t) @-> + (returning (ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64))) + let hacl_Bignum256_mont_ctx_free = + foreign "Hacl_Bignum256_mont_ctx_free" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64) @-> + (returning void)) + let hacl_Bignum256_mod_precomp = + foreign "Hacl_Bignum256_mod_precomp" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))) + let hacl_Bignum256_mod_exp_vartime_precomp = + foreign "Hacl_Bignum256_mod_exp_vartime_precomp" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64) @-> + ((ptr uint64_t) @-> + (uint32_t @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))))) + let hacl_Bignum256_mod_exp_consttime_precomp = + foreign "Hacl_Bignum256_mod_exp_consttime_precomp" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64) @-> + ((ptr uint64_t) @-> + (uint32_t @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))))) + let hacl_Bignum256_mod_inv_prime_vartime_precomp = + foreign "Hacl_Bignum256_mod_inv_prime_vartime_precomp" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))) + let hacl_Bignum256_new_bn_from_bytes_be = + foreign "Hacl_Bignum256_new_bn_from_bytes_be" + (uint32_t @-> (ocaml_bytes @-> (returning (ptr 
uint64_t)))) + let hacl_Bignum256_new_bn_from_bytes_le = + foreign "Hacl_Bignum256_new_bn_from_bytes_le" + (uint32_t @-> (ocaml_bytes @-> (returning (ptr uint64_t)))) + let hacl_Bignum256_bn_to_bytes_be = + foreign "Hacl_Bignum256_bn_to_bytes_be" + ((ptr uint64_t) @-> (ocaml_bytes @-> (returning void))) + let hacl_Bignum256_bn_to_bytes_le = + foreign "Hacl_Bignum256_bn_to_bytes_le" + ((ptr uint64_t) @-> (ocaml_bytes @-> (returning void))) + let hacl_Bignum256_lt_mask = + foreign "Hacl_Bignum256_lt_mask" + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning uint64_t))) + let hacl_Bignum256_eq_mask = + foreign "Hacl_Bignum256_eq_mask" + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning uint64_t))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Bignum32_bindings.ml b/ocaml/lib/Hacl_Bignum32_bindings.ml new file mode 100644 index 00000000..c9d56a5f --- /dev/null +++ b/ocaml/lib/Hacl_Bignum32_bindings.ml 
@@ -0,0 +1,112 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + module Hacl_GenericField32_applied = + (Hacl_GenericField32_bindings.Bindings)(Hacl_GenericField32_stubs) + open Hacl_GenericField32_applied + let hacl_Bignum32_add = + foreign "Hacl_Bignum32_add" + (uint32_t @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning uint32_t))))) + let hacl_Bignum32_sub = + foreign "Hacl_Bignum32_sub" + (uint32_t @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning uint32_t))))) + let hacl_Bignum32_add_mod = + foreign "Hacl_Bignum32_add_mod" + (uint32_t @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))))) + let hacl_Bignum32_sub_mod = + foreign "Hacl_Bignum32_sub_mod" + (uint32_t @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))))) + let hacl_Bignum32_mul = + foreign "Hacl_Bignum32_mul" + (uint32_t @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void))))) + let hacl_Bignum32_sqr = + foreign "Hacl_Bignum32_sqr" + (uint32_t @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))) + let hacl_Bignum32_mod = + foreign "Hacl_Bignum32_mod" + (uint32_t @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning bool))))) + let hacl_Bignum32_mod_exp_vartime = + foreign "Hacl_Bignum32_mod_exp_vartime" + (uint32_t @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> + (uint32_t @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning bool))))))) + let hacl_Bignum32_mod_exp_consttime = + foreign "Hacl_Bignum32_mod_exp_consttime" + (uint32_t @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> + (uint32_t @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning bool))))))) + let hacl_Bignum32_mod_inv_prime_vartime = + foreign "Hacl_Bignum32_mod_inv_prime_vartime" + (uint32_t @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> 
(returning bool))))) + let hacl_Bignum32_mont_ctx_init = + foreign "Hacl_Bignum32_mont_ctx_init" + (uint32_t @-> + ((ptr uint32_t) @-> + (returning (ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32)))) + let hacl_Bignum32_mont_ctx_free = + foreign "Hacl_Bignum32_mont_ctx_free" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32) @-> + (returning void)) + let hacl_Bignum32_mod_precomp = + foreign "Hacl_Bignum32_mod_precomp" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))) + let hacl_Bignum32_mod_exp_vartime_precomp = + foreign "Hacl_Bignum32_mod_exp_vartime_precomp" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32) @-> + ((ptr uint32_t) @-> + (uint32_t @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))))) + let hacl_Bignum32_mod_exp_consttime_precomp = + foreign "Hacl_Bignum32_mod_exp_consttime_precomp" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32) @-> + ((ptr uint32_t) @-> + (uint32_t @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))))) + let hacl_Bignum32_mod_inv_prime_vartime_precomp = + foreign "Hacl_Bignum32_mod_inv_prime_vartime_precomp" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))) + let hacl_Bignum32_new_bn_from_bytes_be = + foreign "Hacl_Bignum32_new_bn_from_bytes_be" + (uint32_t @-> (ocaml_bytes @-> (returning (ptr uint32_t)))) + let hacl_Bignum32_new_bn_from_bytes_le = + foreign "Hacl_Bignum32_new_bn_from_bytes_le" + (uint32_t @-> (ocaml_bytes @-> (returning (ptr uint32_t)))) + let hacl_Bignum32_bn_to_bytes_be = + foreign "Hacl_Bignum32_bn_to_bytes_be" + (uint32_t @-> ((ptr uint32_t) @-> (ocaml_bytes @-> (returning void)))) + let hacl_Bignum32_bn_to_bytes_le = + foreign "Hacl_Bignum32_bn_to_bytes_le" + (uint32_t @-> ((ptr uint32_t) @-> (ocaml_bytes @-> (returning void)))) + let hacl_Bignum32_lt_mask = + foreign "Hacl_Bignum32_lt_mask" + (uint32_t @-> + ((ptr uint32_t) @-> ((ptr 
uint32_t) @-> (returning uint32_t)))) + let hacl_Bignum32_eq_mask = + foreign "Hacl_Bignum32_eq_mask" + (uint32_t @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning uint32_t)))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Bignum4096_32_bindings.ml b/ocaml/lib/Hacl_Bignum4096_32_bindings.ml new file mode 100644 index 00000000..cf42e29f --- /dev/null +++ b/ocaml/lib/Hacl_Bignum4096_32_bindings.ml 
@@ -0,0 +1,99 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + module Hacl_GenericField32_applied = + (Hacl_GenericField32_bindings.Bindings)(Hacl_GenericField32_stubs) + open Hacl_GenericField32_applied + let hacl_Bignum4096_32_add = + foreign "Hacl_Bignum4096_32_add" + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning uint32_t)))) + let hacl_Bignum4096_32_sub = + foreign "Hacl_Bignum4096_32_sub" + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning uint32_t)))) + let hacl_Bignum4096_32_add_mod = + foreign "Hacl_Bignum4096_32_add_mod" + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void))))) + let hacl_Bignum4096_32_sub_mod = + foreign "Hacl_Bignum4096_32_sub_mod" + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void))))) + let hacl_Bignum4096_32_mul = + foreign "Hacl_Bignum4096_32_mul" + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))) + let hacl_Bignum4096_32_sqr = + foreign "Hacl_Bignum4096_32_sqr" + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void))) + let hacl_Bignum4096_32_mod = + foreign "Hacl_Bignum4096_32_mod" + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning bool)))) + let hacl_Bignum4096_32_mod_exp_vartime = + foreign "Hacl_Bignum4096_32_mod_exp_vartime" + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> + (uint32_t @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning bool)))))) + let hacl_Bignum4096_32_mod_exp_consttime = + foreign "Hacl_Bignum4096_32_mod_exp_consttime" + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> + (uint32_t @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning bool)))))) + let hacl_Bignum4096_32_mod_inv_prime_vartime = + foreign "Hacl_Bignum4096_32_mod_inv_prime_vartime" + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning bool)))) + let hacl_Bignum4096_32_mont_ctx_init = + foreign 
"Hacl_Bignum4096_32_mont_ctx_init" + ((ptr uint32_t) @-> + (returning (ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32))) + let hacl_Bignum4096_32_mont_ctx_free = + foreign "Hacl_Bignum4096_32_mont_ctx_free" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32) @-> + (returning void)) + let hacl_Bignum4096_32_mod_precomp = + foreign "Hacl_Bignum4096_32_mod_precomp" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))) + let hacl_Bignum4096_32_mod_exp_vartime_precomp = + foreign "Hacl_Bignum4096_32_mod_exp_vartime_precomp" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32) @-> + ((ptr uint32_t) @-> + (uint32_t @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))))) + let hacl_Bignum4096_32_mod_exp_consttime_precomp = + foreign "Hacl_Bignum4096_32_mod_exp_consttime_precomp" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32) @-> + ((ptr uint32_t) @-> + (uint32_t @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))))) + let hacl_Bignum4096_32_mod_inv_prime_vartime_precomp = + foreign "Hacl_Bignum4096_32_mod_inv_prime_vartime_precomp" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))) + let hacl_Bignum4096_32_new_bn_from_bytes_be = + foreign "Hacl_Bignum4096_32_new_bn_from_bytes_be" + (uint32_t @-> (ocaml_bytes @-> (returning (ptr uint32_t)))) + let hacl_Bignum4096_32_new_bn_from_bytes_le = + foreign "Hacl_Bignum4096_32_new_bn_from_bytes_le" + (uint32_t @-> (ocaml_bytes @-> (returning (ptr uint32_t)))) + let hacl_Bignum4096_32_bn_to_bytes_be = + foreign "Hacl_Bignum4096_32_bn_to_bytes_be" + ((ptr uint32_t) @-> (ocaml_bytes @-> (returning void))) + let hacl_Bignum4096_32_bn_to_bytes_le = + foreign "Hacl_Bignum4096_32_bn_to_bytes_le" + ((ptr uint32_t) @-> (ocaml_bytes @-> (returning void))) + let hacl_Bignum4096_32_lt_mask = + foreign "Hacl_Bignum4096_32_lt_mask" + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning 
uint32_t))) + let hacl_Bignum4096_32_eq_mask = + foreign "Hacl_Bignum4096_32_eq_mask" + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning uint32_t))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Bignum4096_bindings.ml b/ocaml/lib/Hacl_Bignum4096_bindings.ml new file mode 100644 index 00000000..14821349 --- /dev/null +++ b/ocaml/lib/Hacl_Bignum4096_bindings.ml 
@@ -0,0 +1,99 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + module Hacl_Bignum256_applied = + (Hacl_Bignum256_bindings.Bindings)(Hacl_Bignum256_stubs) + open Hacl_Bignum256_applied + let hacl_Bignum4096_add = + foreign "Hacl_Bignum4096_add" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning uint64_t)))) + let hacl_Bignum4096_sub = + foreign "Hacl_Bignum4096_sub" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning uint64_t)))) + let hacl_Bignum4096_add_mod = + foreign "Hacl_Bignum4096_add_mod" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void))))) + let hacl_Bignum4096_sub_mod = + foreign "Hacl_Bignum4096_sub_mod" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void))))) + let hacl_Bignum4096_mul = + foreign "Hacl_Bignum4096_mul" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))) + let hacl_Bignum4096_sqr = + foreign "Hacl_Bignum4096_sqr" + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void))) + let hacl_Bignum4096_mod = + foreign "Hacl_Bignum4096_mod" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning bool)))) + let hacl_Bignum4096_mod_exp_vartime = + foreign "Hacl_Bignum4096_mod_exp_vartime" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> + (uint32_t @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning bool)))))) + let hacl_Bignum4096_mod_exp_consttime = + foreign "Hacl_Bignum4096_mod_exp_consttime" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> + (uint32_t @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning bool)))))) + let hacl_Bignum4096_mod_inv_prime_vartime = + foreign "Hacl_Bignum4096_mod_inv_prime_vartime" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning bool)))) + let hacl_Bignum4096_mont_ctx_init = + foreign "Hacl_Bignum4096_mont_ctx_init" + ((ptr uint64_t) @-> + (returning (ptr 
hacl_Bignum_MontArithmetic_bn_mont_ctx_u64))) + let hacl_Bignum4096_mont_ctx_free = + foreign "Hacl_Bignum4096_mont_ctx_free" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64) @-> + (returning void)) + let hacl_Bignum4096_mod_precomp = + foreign "Hacl_Bignum4096_mod_precomp" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))) + let hacl_Bignum4096_mod_exp_vartime_precomp = + foreign "Hacl_Bignum4096_mod_exp_vartime_precomp" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64) @-> + ((ptr uint64_t) @-> + (uint32_t @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))))) + let hacl_Bignum4096_mod_exp_consttime_precomp = + foreign "Hacl_Bignum4096_mod_exp_consttime_precomp" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64) @-> + ((ptr uint64_t) @-> + (uint32_t @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))))) + let hacl_Bignum4096_mod_inv_prime_vartime_precomp = + foreign "Hacl_Bignum4096_mod_inv_prime_vartime_precomp" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))) + let hacl_Bignum4096_new_bn_from_bytes_be = + foreign "Hacl_Bignum4096_new_bn_from_bytes_be" + (uint32_t @-> (ocaml_bytes @-> (returning (ptr uint64_t)))) + let hacl_Bignum4096_new_bn_from_bytes_le = + foreign "Hacl_Bignum4096_new_bn_from_bytes_le" + (uint32_t @-> (ocaml_bytes @-> (returning (ptr uint64_t)))) + let hacl_Bignum4096_bn_to_bytes_be = + foreign "Hacl_Bignum4096_bn_to_bytes_be" + ((ptr uint64_t) @-> (ocaml_bytes @-> (returning void))) + let hacl_Bignum4096_bn_to_bytes_le = + foreign "Hacl_Bignum4096_bn_to_bytes_le" + ((ptr uint64_t) @-> (ocaml_bytes @-> (returning void))) + let hacl_Bignum4096_lt_mask = + foreign "Hacl_Bignum4096_lt_mask" + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning uint64_t))) + let hacl_Bignum4096_eq_mask = + foreign "Hacl_Bignum4096_eq_mask" + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning 
uint64_t))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Bignum64_bindings.ml b/ocaml/lib/Hacl_Bignum64_bindings.ml new file mode 100644 index 00000000..c90dce17 --- /dev/null +++ b/ocaml/lib/Hacl_Bignum64_bindings.ml 
@@ -0,0 +1,112 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + module Hacl_Bignum256_applied = + (Hacl_Bignum256_bindings.Bindings)(Hacl_Bignum256_stubs) + open Hacl_Bignum256_applied + let hacl_Bignum64_add = + foreign "Hacl_Bignum64_add" + (uint32_t @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning uint64_t))))) + let hacl_Bignum64_sub = + foreign "Hacl_Bignum64_sub" + (uint32_t @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning uint64_t))))) + let hacl_Bignum64_add_mod = + foreign "Hacl_Bignum64_add_mod" + (uint32_t @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))))) + let hacl_Bignum64_sub_mod = + foreign "Hacl_Bignum64_sub_mod" + (uint32_t @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))))) + let hacl_Bignum64_mul = + foreign "Hacl_Bignum64_mul" + (uint32_t @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void))))) + let hacl_Bignum64_sqr = + foreign "Hacl_Bignum64_sqr" + (uint32_t @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))) + let hacl_Bignum64_mod = + foreign "Hacl_Bignum64_mod" + (uint32_t @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning bool))))) + let hacl_Bignum64_mod_exp_vartime = + foreign "Hacl_Bignum64_mod_exp_vartime" + (uint32_t @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> + (uint32_t @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning bool))))))) + let hacl_Bignum64_mod_exp_consttime = + foreign "Hacl_Bignum64_mod_exp_consttime" + (uint32_t @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> + (uint32_t @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning bool))))))) + let hacl_Bignum64_mod_inv_prime_vartime = + foreign "Hacl_Bignum64_mod_inv_prime_vartime" + (uint32_t @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning bool))))) + let 
hacl_Bignum64_mont_ctx_init = + foreign "Hacl_Bignum64_mont_ctx_init" + (uint32_t @-> + ((ptr uint64_t) @-> + (returning (ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64)))) + let hacl_Bignum64_mont_ctx_free = + foreign "Hacl_Bignum64_mont_ctx_free" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64) @-> + (returning void)) + let hacl_Bignum64_mod_precomp = + foreign "Hacl_Bignum64_mod_precomp" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))) + let hacl_Bignum64_mod_exp_vartime_precomp = + foreign "Hacl_Bignum64_mod_exp_vartime_precomp" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64) @-> + ((ptr uint64_t) @-> + (uint32_t @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))))) + let hacl_Bignum64_mod_exp_consttime_precomp = + foreign "Hacl_Bignum64_mod_exp_consttime_precomp" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64) @-> + ((ptr uint64_t) @-> + (uint32_t @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))))) + let hacl_Bignum64_mod_inv_prime_vartime_precomp = + foreign "Hacl_Bignum64_mod_inv_prime_vartime_precomp" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))) + let hacl_Bignum64_new_bn_from_bytes_be = + foreign "Hacl_Bignum64_new_bn_from_bytes_be" + (uint32_t @-> (ocaml_bytes @-> (returning (ptr uint64_t)))) + let hacl_Bignum64_new_bn_from_bytes_le = + foreign "Hacl_Bignum64_new_bn_from_bytes_le" + (uint32_t @-> (ocaml_bytes @-> (returning (ptr uint64_t)))) + let hacl_Bignum64_bn_to_bytes_be = + foreign "Hacl_Bignum64_bn_to_bytes_be" + (uint32_t @-> ((ptr uint64_t) @-> (ocaml_bytes @-> (returning void)))) + let hacl_Bignum64_bn_to_bytes_le = + foreign "Hacl_Bignum64_bn_to_bytes_le" + (uint32_t @-> ((ptr uint64_t) @-> (ocaml_bytes @-> (returning void)))) + let hacl_Bignum64_lt_mask = + foreign "Hacl_Bignum64_lt_mask" + (uint32_t @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning 
uint64_t)))) + let hacl_Bignum64_eq_mask = + foreign "Hacl_Bignum64_eq_mask" + (uint32_t @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning uint64_t)))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Bignum_Base_bindings.ml b/ocaml/lib/Hacl_Bignum_Base_bindings.ml new file mode 100644 index 00000000..1992e425 --- /dev/null +++ b/ocaml/lib/Hacl_Bignum_Base_bindings.ml @@ -0,0 +1,20 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Bignum_Base_mul_wide_add_u64 = + foreign "Hacl_Bignum_Base_mul_wide_add_u64" + (uint64_t @-> + (uint64_t @-> + (uint64_t @-> ((ptr uint64_t) @-> (returning uint64_t))))) + let hacl_Bignum_Base_mul_wide_add2_u32 = + foreign "Hacl_Bignum_Base_mul_wide_add2_u32" + (uint32_t @-> + (uint32_t @-> + (uint32_t @-> ((ptr uint32_t) @-> (returning uint32_t))))) + let hacl_Bignum_Base_mul_wide_add2_u64 = + foreign "Hacl_Bignum_Base_mul_wide_add2_u64" + (uint64_t @-> + (uint64_t @-> + (uint64_t @-> ((ptr uint64_t) @-> (returning uint64_t))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Bignum_bindings.ml b/ocaml/lib/Hacl_Bignum_bindings.ml new file mode 100644 index 00000000..f83d9fa4 --- /dev/null +++ b/ocaml/lib/Hacl_Bignum_bindings.ml 
@@ -0,0 +1,257 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Bignum_Convert_bn_from_bytes_be_uint64 = + foreign "Hacl_Bignum_Convert_bn_from_bytes_be_uint64" + (uint32_t @-> (ocaml_bytes @-> ((ptr uint64_t) @-> (returning void)))) + let hacl_Bignum_Convert_bn_to_bytes_be_uint64 = + foreign "Hacl_Bignum_Convert_bn_to_bytes_be_uint64" + (uint32_t @-> ((ptr uint64_t) @-> (ocaml_bytes @-> (returning void)))) + let hacl_Bignum_Lib_bn_get_top_index_u32 = + foreign "Hacl_Bignum_Lib_bn_get_top_index_u32" + (uint32_t @-> ((ptr uint32_t) @-> (returning uint32_t))) + let hacl_Bignum_Lib_bn_get_top_index_u64 = + foreign "Hacl_Bignum_Lib_bn_get_top_index_u64" + (uint32_t @-> ((ptr uint64_t) @-> (returning uint64_t))) + let hacl_Bignum_Addition_bn_sub_eq_len_u32 = + foreign "Hacl_Bignum_Addition_bn_sub_eq_len_u32" + (uint32_t @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning uint32_t))))) + let hacl_Bignum_Addition_bn_sub_eq_len_u64 = + foreign "Hacl_Bignum_Addition_bn_sub_eq_len_u64" + (uint32_t @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning uint64_t))))) + let hacl_Bignum_Addition_bn_add_eq_len_u32 = + foreign "Hacl_Bignum_Addition_bn_add_eq_len_u32" + (uint32_t @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning uint32_t))))) + let hacl_Bignum_Addition_bn_add_eq_len_u64 = + foreign "Hacl_Bignum_Addition_bn_add_eq_len_u64" + (uint32_t @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning uint64_t))))) + let hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32 = + foreign "Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32" + (uint32_t @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))))) + let hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64 = + foreign "Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64" + (uint32_t @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr 
uint64_t) @-> (returning void)))))) + let hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32 = + foreign "Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32" + (uint32_t @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void))))) + let hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64 = + foreign "Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64" + (uint32_t @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void))))) + let hacl_Bignum_bn_add_mod_n_u32 = + foreign "Hacl_Bignum_bn_add_mod_n_u32" + (uint32_t @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))))) + let hacl_Bignum_bn_add_mod_n_u64 = + foreign "Hacl_Bignum_bn_add_mod_n_u64" + (uint32_t @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))))) + let hacl_Bignum_bn_sub_mod_n_u32 = + foreign "Hacl_Bignum_bn_sub_mod_n_u32" + (uint32_t @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))))) + let hacl_Bignum_bn_sub_mod_n_u64 = + foreign "Hacl_Bignum_bn_sub_mod_n_u64" + (uint32_t @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))))) + let hacl_Bignum_ModInvLimb_mod_inv_uint32 = + foreign "Hacl_Bignum_ModInvLimb_mod_inv_uint32" + (uint32_t @-> (returning uint32_t)) + let hacl_Bignum_ModInvLimb_mod_inv_uint64 = + foreign "Hacl_Bignum_ModInvLimb_mod_inv_uint64" + (uint64_t @-> (returning uint64_t)) + let hacl_Bignum_Montgomery_bn_check_modulus_u32 = + foreign "Hacl_Bignum_Montgomery_bn_check_modulus_u32" + (uint32_t @-> ((ptr uint32_t) @-> (returning uint32_t))) + let hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u32 = + foreign "Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u32" + (uint32_t @-> + (uint32_t @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void))))) + let hacl_Bignum_Montgomery_bn_mont_reduction_u32 = + foreign 
"Hacl_Bignum_Montgomery_bn_mont_reduction_u32" + (uint32_t @-> + ((ptr uint32_t) @-> + (uint32_t @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))))) + let hacl_Bignum_Montgomery_bn_to_mont_u32 = + foreign "Hacl_Bignum_Montgomery_bn_to_mont_u32" + (uint32_t @-> + ((ptr uint32_t) @-> + (uint32_t @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void))))))) + let hacl_Bignum_Montgomery_bn_from_mont_u32 = + foreign "Hacl_Bignum_Montgomery_bn_from_mont_u32" + (uint32_t @-> + ((ptr uint32_t) @-> + (uint32_t @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))))) + let hacl_Bignum_Montgomery_bn_mont_mul_u32 = + foreign "Hacl_Bignum_Montgomery_bn_mont_mul_u32" + (uint32_t @-> + ((ptr uint32_t) @-> + (uint32_t @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void))))))) + let hacl_Bignum_Montgomery_bn_mont_sqr_u32 = + foreign "Hacl_Bignum_Montgomery_bn_mont_sqr_u32" + (uint32_t @-> + ((ptr uint32_t) @-> + (uint32_t @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))))) + let hacl_Bignum_Montgomery_bn_check_modulus_u64 = + foreign "Hacl_Bignum_Montgomery_bn_check_modulus_u64" + (uint32_t @-> ((ptr uint64_t) @-> (returning uint64_t))) + let hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64 = + foreign "Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64" + (uint32_t @-> + (uint32_t @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void))))) + let hacl_Bignum_Montgomery_bn_mont_reduction_u64 = + foreign "Hacl_Bignum_Montgomery_bn_mont_reduction_u64" + (uint32_t @-> + ((ptr uint64_t) @-> + (uint64_t @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))))) + let hacl_Bignum_Montgomery_bn_to_mont_u64 = + foreign "Hacl_Bignum_Montgomery_bn_to_mont_u64" + (uint32_t @-> + ((ptr uint64_t) @-> + (uint64_t @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void))))))) + let hacl_Bignum_Montgomery_bn_from_mont_u64 = + foreign 
"Hacl_Bignum_Montgomery_bn_from_mont_u64" + (uint32_t @-> + ((ptr uint64_t) @-> + (uint64_t @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))))) + let hacl_Bignum_Montgomery_bn_mont_mul_u64 = + foreign "Hacl_Bignum_Montgomery_bn_mont_mul_u64" + (uint32_t @-> + ((ptr uint64_t) @-> + (uint64_t @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void))))))) + let hacl_Bignum_Montgomery_bn_mont_sqr_u64 = + foreign "Hacl_Bignum_Montgomery_bn_mont_sqr_u64" + (uint32_t @-> + ((ptr uint64_t) @-> + (uint64_t @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))))) + let hacl_Bignum_Exponentiation_bn_check_mod_exp_u32 = + foreign "Hacl_Bignum_Exponentiation_bn_check_mod_exp_u32" + (uint32_t @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> + (uint32_t @-> ((ptr uint32_t) @-> (returning uint32_t)))))) + let hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u32 = + foreign "Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u32" + (uint32_t @-> + ((ptr uint32_t) @-> + (uint32_t @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> + (uint32_t @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> (returning void))))))))) + let hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u32 = + foreign "Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u32" + (uint32_t @-> + ((ptr uint32_t) @-> + (uint32_t @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> + (uint32_t @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> (returning void))))))))) + let hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u32 = + foreign "Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u32" + (uint32_t @-> + (uint32_t @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> + (uint32_t @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> (returning void)))))))) + let hacl_Bignum_Exponentiation_bn_mod_exp_consttime_u32 = + foreign "Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_u32" + (uint32_t @-> + (uint32_t @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> + (uint32_t @-> + ((ptr 
uint32_t) @-> + ((ptr uint32_t) @-> (returning void)))))))) + let hacl_Bignum_Exponentiation_bn_check_mod_exp_u64 = + foreign "Hacl_Bignum_Exponentiation_bn_check_mod_exp_u64" + (uint32_t @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> + (uint32_t @-> ((ptr uint64_t) @-> (returning uint64_t)))))) + let hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64 = + foreign "Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64" + (uint32_t @-> + ((ptr uint64_t) @-> + (uint64_t @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> + (uint32_t @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> (returning void))))))))) + let hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u64 = + foreign "Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u64" + (uint32_t @-> + ((ptr uint64_t) @-> + (uint64_t @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> + (uint32_t @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> (returning void))))))))) + let hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u64 = + foreign "Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u64" + (uint32_t @-> + (uint32_t @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> + (uint32_t @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> (returning void)))))))) + let hacl_Bignum_Exponentiation_bn_mod_exp_consttime_u64 = + foreign "Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_u64" + (uint32_t @-> + (uint32_t @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> + (uint32_t @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> (returning void)))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Chacha20Poly1305_128_bindings.ml b/ocaml/lib/Hacl_Chacha20Poly1305_128_bindings.ml new file mode 100644 index 00000000..5ec259bc --- /dev/null +++ b/ocaml/lib/Hacl_Chacha20Poly1305_128_bindings.ml 
@@ -0,0 +1,24 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Chacha20Poly1305_128_aead_encrypt = + foreign "Hacl_Chacha20Poly1305_128_aead_encrypt" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning void))))))))) + let hacl_Chacha20Poly1305_128_aead_decrypt = + foreign "Hacl_Chacha20Poly1305_128_aead_decrypt" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t))))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Chacha20Poly1305_256_bindings.ml b/ocaml/lib/Hacl_Chacha20Poly1305_256_bindings.ml new file mode 100644 index 00000000..04c58d4e --- /dev/null +++ b/ocaml/lib/Hacl_Chacha20Poly1305_256_bindings.ml @@ -0,0 +1,24 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Chacha20Poly1305_256_aead_encrypt = + foreign "Hacl_Chacha20Poly1305_256_aead_encrypt" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning void))))))))) + let hacl_Chacha20Poly1305_256_aead_decrypt = + foreign "Hacl_Chacha20Poly1305_256_aead_decrypt" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t))))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Chacha20Poly1305_32_bindings.ml b/ocaml/lib/Hacl_Chacha20Poly1305_32_bindings.ml new file mode 100644 index 00000000..c90e1be4 --- /dev/null +++ b/ocaml/lib/Hacl_Chacha20Poly1305_32_bindings.ml 
@@ -0,0 +1,24 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Chacha20Poly1305_32_aead_encrypt = + foreign "Hacl_Chacha20Poly1305_32_aead_encrypt" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning void))))))))) + let hacl_Chacha20Poly1305_32_aead_decrypt = + foreign "Hacl_Chacha20Poly1305_32_aead_decrypt" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t))))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Chacha20_Vec128_bindings.ml b/ocaml/lib/Hacl_Chacha20_Vec128_bindings.ml new file mode 100644 index 00000000..c8998422 --- /dev/null +++ b/ocaml/lib/Hacl_Chacha20_Vec128_bindings.ml @@ -0,0 +1,19 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Chacha20_Vec128_chacha20_encrypt_128 = + foreign "Hacl_Chacha20_Vec128_chacha20_encrypt_128" + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (uint32_t @-> (returning void))))))) + let hacl_Chacha20_Vec128_chacha20_decrypt_128 = + foreign "Hacl_Chacha20_Vec128_chacha20_decrypt_128" + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (uint32_t @-> (returning void))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Chacha20_Vec256_bindings.ml b/ocaml/lib/Hacl_Chacha20_Vec256_bindings.ml new file mode 100644 index 00000000..d5b45659 --- /dev/null +++ b/ocaml/lib/Hacl_Chacha20_Vec256_bindings.ml 
@@ -0,0 +1,19 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Chacha20_Vec256_chacha20_encrypt_256 = + foreign "Hacl_Chacha20_Vec256_chacha20_encrypt_256" + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (uint32_t @-> (returning void))))))) + let hacl_Chacha20_Vec256_chacha20_decrypt_256 = + foreign "Hacl_Chacha20_Vec256_chacha20_decrypt_256" + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (uint32_t @-> (returning void))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Chacha20_Vec32_bindings.ml b/ocaml/lib/Hacl_Chacha20_Vec32_bindings.ml new file mode 100644 index 00000000..d52c6fb3 --- /dev/null +++ b/ocaml/lib/Hacl_Chacha20_Vec32_bindings.ml @@ -0,0 +1,19 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Chacha20_Vec32_chacha20_encrypt_32 = + foreign "Hacl_Chacha20_Vec32_chacha20_encrypt_32" + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (uint32_t @-> (returning void))))))) + let hacl_Chacha20_Vec32_chacha20_decrypt_32 = + foreign "Hacl_Chacha20_Vec32_chacha20_decrypt_32" + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (uint32_t @-> (returning void))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Chacha20_bindings.ml b/ocaml/lib/Hacl_Chacha20_bindings.ml new file mode 100644 index 00000000..6ee5b233 --- /dev/null +++ b/ocaml/lib/Hacl_Chacha20_bindings.ml 
@@ -0,0 +1,31 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Impl_Chacha20_chacha20_init = + foreign "Hacl_Impl_Chacha20_chacha20_init" + ((ptr uint32_t) @-> + (ocaml_bytes @-> (ocaml_bytes @-> (uint32_t @-> (returning void))))) + let hacl_Impl_Chacha20_chacha20_encrypt_block = + foreign "Hacl_Impl_Chacha20_chacha20_encrypt_block" + ((ptr uint32_t) @-> + (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (returning void))))) + let hacl_Impl_Chacha20_chacha20_update = + foreign "Hacl_Impl_Chacha20_chacha20_update" + ((ptr uint32_t) @-> + (uint32_t @-> (ocaml_bytes @-> (ocaml_bytes @-> (returning void))))) + let hacl_Chacha20_chacha20_encrypt = + foreign "Hacl_Chacha20_chacha20_encrypt" + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (uint32_t @-> (returning void))))))) + let hacl_Chacha20_chacha20_decrypt = + foreign "Hacl_Chacha20_chacha20_decrypt" + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (uint32_t @-> (returning void))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Curve25519_51_bindings.ml b/ocaml/lib/Hacl_Curve25519_51_bindings.ml new file mode 100644 index 00000000..744be980 --- /dev/null +++ b/ocaml/lib/Hacl_Curve25519_51_bindings.ml @@ -0,0 +1,14 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Curve25519_51_scalarmult = + foreign "Hacl_Curve25519_51_scalarmult" + (ocaml_bytes @-> (ocaml_bytes @-> (ocaml_bytes @-> (returning void)))) + let hacl_Curve25519_51_secret_to_public = + foreign "Hacl_Curve25519_51_secret_to_public" + (ocaml_bytes @-> (ocaml_bytes @-> (returning void))) + let hacl_Curve25519_51_ecdh = + foreign "Hacl_Curve25519_51_ecdh" + (ocaml_bytes @-> (ocaml_bytes @-> (ocaml_bytes @-> (returning bool)))) + end \ No newline at end of file 
diff --git a/ocaml/lib/Hacl_Curve25519_64_Slow_bindings.ml b/ocaml/lib/Hacl_Curve25519_64_Slow_bindings.ml new file mode 100644 index 00000000..1948ce19 --- /dev/null +++ b/ocaml/lib/Hacl_Curve25519_64_Slow_bindings.ml @@ -0,0 +1,14 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Curve25519_64_Slow_scalarmult = + foreign "Hacl_Curve25519_64_Slow_scalarmult" + (ocaml_bytes @-> (ocaml_bytes @-> (ocaml_bytes @-> (returning void)))) + let hacl_Curve25519_64_Slow_secret_to_public = + foreign "Hacl_Curve25519_64_Slow_secret_to_public" + (ocaml_bytes @-> (ocaml_bytes @-> (returning void))) + let hacl_Curve25519_64_Slow_ecdh = + foreign "Hacl_Curve25519_64_Slow_ecdh" + (ocaml_bytes @-> (ocaml_bytes @-> (ocaml_bytes @-> (returning bool)))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Curve25519_64_bindings.ml b/ocaml/lib/Hacl_Curve25519_64_bindings.ml new file mode 100644 index 00000000..93c08487 --- /dev/null +++ b/ocaml/lib/Hacl_Curve25519_64_bindings.ml @@ -0,0 +1,14 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Curve25519_64_scalarmult = + foreign "Hacl_Curve25519_64_scalarmult" + (ocaml_bytes @-> (ocaml_bytes @-> (ocaml_bytes @-> (returning void)))) + let hacl_Curve25519_64_secret_to_public = + foreign "Hacl_Curve25519_64_secret_to_public" + (ocaml_bytes @-> (ocaml_bytes @-> (returning void))) + let hacl_Curve25519_64_ecdh = + foreign "Hacl_Curve25519_64_ecdh" + (ocaml_bytes @-> (ocaml_bytes @-> (ocaml_bytes @-> (returning bool)))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_EC_Ed25519_bindings.ml b/ocaml/lib/Hacl_EC_Ed25519_bindings.ml new file mode 100644 index 00000000..2e684dbc --- /dev/null +++ b/ocaml/lib/Hacl_EC_Ed25519_bindings.ml 
@@ -0,0 +1,58 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_EC_Ed25519_mk_felem_zero = + foreign "Hacl_EC_Ed25519_mk_felem_zero" + ((ptr uint64_t) @-> (returning void)) + let hacl_EC_Ed25519_mk_felem_one = + foreign "Hacl_EC_Ed25519_mk_felem_one" + ((ptr uint64_t) @-> (returning void)) + let hacl_EC_Ed25519_felem_add = + foreign "Hacl_EC_Ed25519_felem_add" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))) + let hacl_EC_Ed25519_felem_sub = + foreign "Hacl_EC_Ed25519_felem_sub" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))) + let hacl_EC_Ed25519_felem_mul = + foreign "Hacl_EC_Ed25519_felem_mul" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))) + let hacl_EC_Ed25519_felem_inv = + foreign "Hacl_EC_Ed25519_felem_inv" + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void))) + let hacl_EC_Ed25519_felem_load = + foreign "Hacl_EC_Ed25519_felem_load" + (ocaml_bytes @-> ((ptr uint64_t) @-> (returning void))) + let hacl_EC_Ed25519_felem_store = + foreign "Hacl_EC_Ed25519_felem_store" + ((ptr uint64_t) @-> (ocaml_bytes @-> (returning void))) + let hacl_EC_Ed25519_mk_point_at_inf = + foreign "Hacl_EC_Ed25519_mk_point_at_inf" + ((ptr uint64_t) @-> (returning void)) + let hacl_EC_Ed25519_mk_base_point = + foreign "Hacl_EC_Ed25519_mk_base_point" + ((ptr uint64_t) @-> (returning void)) + let hacl_EC_Ed25519_point_negate = + foreign "Hacl_EC_Ed25519_point_negate" + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void))) + let hacl_EC_Ed25519_point_add = + foreign "Hacl_EC_Ed25519_point_add" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))) + let hacl_EC_Ed25519_point_mul = + foreign "Hacl_EC_Ed25519_point_mul" + (ocaml_bytes @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))) + let hacl_EC_Ed25519_point_eq = + foreign "Hacl_EC_Ed25519_point_eq" + ((ptr uint64_t) @-> ((ptr uint64_t) @-> 
(returning bool))) + let hacl_EC_Ed25519_point_compress = + foreign "Hacl_EC_Ed25519_point_compress" + ((ptr uint64_t) @-> (ocaml_bytes @-> (returning void))) + let hacl_EC_Ed25519_point_decompress = + foreign "Hacl_EC_Ed25519_point_decompress" + (ocaml_bytes @-> ((ptr uint64_t) @-> (returning bool))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Ed25519_bindings.ml b/ocaml/lib/Hacl_Ed25519_bindings.ml new file mode 100644 index 00000000..af50bb3d --- /dev/null +++ b/ocaml/lib/Hacl_Ed25519_bindings.ml 
@@ -0,0 +1,55 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Bignum25519_reduce_513 = + foreign "Hacl_Bignum25519_reduce_513" + ((ptr uint64_t) @-> (returning void)) + let hacl_Bignum25519_inverse = + foreign "Hacl_Bignum25519_inverse" + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void))) + let hacl_Bignum25519_load_51 = + foreign "Hacl_Bignum25519_load_51" + ((ptr uint64_t) @-> (ocaml_bytes @-> (returning void))) + let hacl_Bignum25519_store_51 = + foreign "Hacl_Bignum25519_store_51" + (ocaml_bytes @-> ((ptr uint64_t) @-> (returning void))) + let hacl_Impl_Ed25519_PointAdd_point_add = + foreign "Hacl_Impl_Ed25519_PointAdd_point_add" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))) + let hacl_Impl_Ed25519_Ladder_point_mul = + foreign "Hacl_Impl_Ed25519_Ladder_point_mul" + ((ptr uint64_t) @-> + (ocaml_bytes @-> ((ptr uint64_t) @-> (returning void)))) + let hacl_Impl_Ed25519_PointCompress_point_compress = + foreign "Hacl_Impl_Ed25519_PointCompress_point_compress" + (ocaml_bytes @-> ((ptr uint64_t) @-> (returning void))) + let hacl_Impl_Ed25519_PointDecompress_point_decompress = + foreign "Hacl_Impl_Ed25519_PointDecompress_point_decompress" + ((ptr uint64_t) @-> (ocaml_bytes @-> (returning bool))) + let hacl_Impl_Ed25519_PointEqual_point_equal = + foreign "Hacl_Impl_Ed25519_PointEqual_point_equal" + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning bool))) + let hacl_Impl_Ed25519_PointNegate_point_negate = + foreign "Hacl_Impl_Ed25519_PointNegate_point_negate" + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void))) + let hacl_Ed25519_sign = + foreign "Hacl_Ed25519_sign" + (ocaml_bytes @-> + (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (returning void))))) + let hacl_Ed25519_verify = + foreign "Hacl_Ed25519_verify" + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (ocaml_bytes @-> (returning bool))))) + let hacl_Ed25519_secret_to_public = + foreign "Hacl_Ed25519_secret_to_public" + 
(ocaml_bytes @-> (ocaml_bytes @-> (returning void))) + let hacl_Ed25519_expand_keys = + foreign "Hacl_Ed25519_expand_keys" + (ocaml_bytes @-> (ocaml_bytes @-> (returning void))) + let hacl_Ed25519_sign_expanded = + foreign "Hacl_Ed25519_sign_expanded" + (ocaml_bytes @-> + (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (returning void))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_FFDHE_bindings.ml b/ocaml/lib/Hacl_FFDHE_bindings.ml new file mode 100644 index 00000000..ec980af7 --- /dev/null +++ b/ocaml/lib/Hacl_FFDHE_bindings.ml @@ -0,0 +1,33 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + module Hacl_Spec_applied = (Hacl_Spec_bindings.Bindings)(Hacl_Spec_stubs) + open Hacl_Spec_applied + let hacl_FFDHE_ffdhe_len = + foreign "Hacl_FFDHE_ffdhe_len" + (spec_FFDHE_ffdhe_alg @-> (returning uint32_t)) + let hacl_FFDHE_new_ffdhe_precomp_p = + foreign "Hacl_FFDHE_new_ffdhe_precomp_p" + (spec_FFDHE_ffdhe_alg @-> (returning (ptr uint64_t))) + let hacl_FFDHE_ffdhe_secret_to_public_precomp = + foreign "Hacl_FFDHE_ffdhe_secret_to_public_precomp" + (spec_FFDHE_ffdhe_alg @-> + ((ptr uint64_t) @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning void))))) + let hacl_FFDHE_ffdhe_secret_to_public = + foreign "Hacl_FFDHE_ffdhe_secret_to_public" + (spec_FFDHE_ffdhe_alg @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning void)))) + let hacl_FFDHE_ffdhe_shared_secret_precomp = + foreign "Hacl_FFDHE_ffdhe_shared_secret_precomp" + (spec_FFDHE_ffdhe_alg @-> + ((ptr uint64_t) @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning uint64_t)))))) + let hacl_FFDHE_ffdhe_shared_secret = + foreign "Hacl_FFDHE_ffdhe_shared_secret" + (spec_FFDHE_ffdhe_alg @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning uint64_t))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Frodo1344_bindings.ml b/ocaml/lib/Hacl_Frodo1344_bindings.ml new file mode 100644 index 00000000..1c21eba4 --- /dev/null 
+++ b/ocaml/lib/Hacl_Frodo1344_bindings.ml @@ -0,0 +1,24 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Frodo1344_crypto_bytes = + foreign_value "Hacl_Frodo1344_crypto_bytes" uint32_t + let hacl_Frodo1344_crypto_publickeybytes = + foreign_value "Hacl_Frodo1344_crypto_publickeybytes" uint32_t + let hacl_Frodo1344_crypto_secretkeybytes = + foreign_value "Hacl_Frodo1344_crypto_secretkeybytes" uint32_t + let hacl_Frodo1344_crypto_ciphertextbytes = + foreign_value "Hacl_Frodo1344_crypto_ciphertextbytes" uint32_t + let hacl_Frodo1344_crypto_kem_keypair = + foreign "Hacl_Frodo1344_crypto_kem_keypair" + (ocaml_bytes @-> (ocaml_bytes @-> (returning uint32_t))) + let hacl_Frodo1344_crypto_kem_enc = + foreign "Hacl_Frodo1344_crypto_kem_enc" + (ocaml_bytes @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning uint32_t)))) + let hacl_Frodo1344_crypto_kem_dec = + foreign "Hacl_Frodo1344_crypto_kem_dec" + (ocaml_bytes @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning uint32_t)))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Frodo640_bindings.ml b/ocaml/lib/Hacl_Frodo640_bindings.ml new file mode 100644 index 00000000..b397ba84 --- /dev/null +++ b/ocaml/lib/Hacl_Frodo640_bindings.ml 
@@ -0,0 +1,24 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Frodo640_crypto_bytes = + foreign_value "Hacl_Frodo640_crypto_bytes" uint32_t + let hacl_Frodo640_crypto_publickeybytes = + foreign_value "Hacl_Frodo640_crypto_publickeybytes" uint32_t + let hacl_Frodo640_crypto_secretkeybytes = + foreign_value "Hacl_Frodo640_crypto_secretkeybytes" uint32_t + let hacl_Frodo640_crypto_ciphertextbytes = + foreign_value "Hacl_Frodo640_crypto_ciphertextbytes" uint32_t + let hacl_Frodo640_crypto_kem_keypair = + foreign "Hacl_Frodo640_crypto_kem_keypair" + (ocaml_bytes @-> (ocaml_bytes @-> (returning uint32_t))) + let hacl_Frodo640_crypto_kem_enc = + foreign "Hacl_Frodo640_crypto_kem_enc" + (ocaml_bytes @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning uint32_t)))) + let hacl_Frodo640_crypto_kem_dec = + foreign "Hacl_Frodo640_crypto_kem_dec" + (ocaml_bytes @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning uint32_t)))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Frodo64_bindings.ml b/ocaml/lib/Hacl_Frodo64_bindings.ml new file mode 100644 index 00000000..0f5d3493 --- /dev/null +++ b/ocaml/lib/Hacl_Frodo64_bindings.ml 
@@ -0,0 +1,24 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Frodo64_crypto_bytes = + foreign_value "Hacl_Frodo64_crypto_bytes" uint32_t + let hacl_Frodo64_crypto_publickeybytes = + foreign_value "Hacl_Frodo64_crypto_publickeybytes" uint32_t + let hacl_Frodo64_crypto_secretkeybytes = + foreign_value "Hacl_Frodo64_crypto_secretkeybytes" uint32_t + let hacl_Frodo64_crypto_ciphertextbytes = + foreign_value "Hacl_Frodo64_crypto_ciphertextbytes" uint32_t + let hacl_Frodo64_crypto_kem_keypair = + foreign "Hacl_Frodo64_crypto_kem_keypair" + (ocaml_bytes @-> (ocaml_bytes @-> (returning uint32_t))) + let hacl_Frodo64_crypto_kem_enc = + foreign "Hacl_Frodo64_crypto_kem_enc" + (ocaml_bytes @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning uint32_t)))) + let hacl_Frodo64_crypto_kem_dec = + foreign "Hacl_Frodo64_crypto_kem_dec" + (ocaml_bytes @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning uint32_t)))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Frodo976_bindings.ml b/ocaml/lib/Hacl_Frodo976_bindings.ml new file mode 100644 index 00000000..636f83c1 --- /dev/null +++ b/ocaml/lib/Hacl_Frodo976_bindings.ml 
@@ -0,0 +1,24 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Frodo976_crypto_bytes = + foreign_value "Hacl_Frodo976_crypto_bytes" uint32_t + let hacl_Frodo976_crypto_publickeybytes = + foreign_value "Hacl_Frodo976_crypto_publickeybytes" uint32_t + let hacl_Frodo976_crypto_secretkeybytes = + foreign_value "Hacl_Frodo976_crypto_secretkeybytes" uint32_t + let hacl_Frodo976_crypto_ciphertextbytes = + foreign_value "Hacl_Frodo976_crypto_ciphertextbytes" uint32_t + let hacl_Frodo976_crypto_kem_keypair = + foreign "Hacl_Frodo976_crypto_kem_keypair" + (ocaml_bytes @-> (ocaml_bytes @-> (returning uint32_t))) + let hacl_Frodo976_crypto_kem_enc = + foreign "Hacl_Frodo976_crypto_kem_enc" + (ocaml_bytes @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning uint32_t)))) + let hacl_Frodo976_crypto_kem_dec = + foreign "Hacl_Frodo976_crypto_kem_dec" + (ocaml_bytes @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning uint32_t)))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Frodo_KEM_bindings.ml b/ocaml/lib/Hacl_Frodo_KEM_bindings.ml new file mode 100644 index 00000000..ecaa597c --- /dev/null +++ b/ocaml/lib/Hacl_Frodo_KEM_bindings.ml 
@@ -0,0 +1,117 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + module Hacl_Spec_applied = (Hacl_Spec_bindings.Bindings)(Hacl_Spec_stubs) + open Hacl_Spec_applied + let hacl_Keccak_shake128_4x = + foreign "Hacl_Keccak_shake128_4x" + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning void))))))))))) + let hacl_Impl_Matrix_mod_pow2 = + foreign "Hacl_Impl_Matrix_mod_pow2" + (uint32_t @-> + (uint32_t @-> (uint32_t @-> ((ptr uint16_t) @-> (returning void))))) + let hacl_Impl_Matrix_matrix_add = + foreign "Hacl_Impl_Matrix_matrix_add" + (uint32_t @-> + (uint32_t @-> + ((ptr uint16_t) @-> ((ptr uint16_t) @-> (returning void))))) + let hacl_Impl_Matrix_matrix_sub = + foreign "Hacl_Impl_Matrix_matrix_sub" + (uint32_t @-> + (uint32_t @-> + ((ptr uint16_t) @-> ((ptr uint16_t) @-> (returning void))))) + let hacl_Impl_Matrix_matrix_mul = + foreign "Hacl_Impl_Matrix_matrix_mul" + (uint32_t @-> + (uint32_t @-> + (uint32_t @-> + ((ptr uint16_t) @-> + ((ptr uint16_t) @-> ((ptr uint16_t) @-> (returning void))))))) + let hacl_Impl_Matrix_matrix_mul_s = + foreign "Hacl_Impl_Matrix_matrix_mul_s" + (uint32_t @-> + (uint32_t @-> + (uint32_t @-> + ((ptr uint16_t) @-> + ((ptr uint16_t) @-> ((ptr uint16_t) @-> (returning void))))))) + let hacl_Impl_Matrix_matrix_eq = + foreign "Hacl_Impl_Matrix_matrix_eq" + (uint32_t @-> + (uint32_t @-> + ((ptr uint16_t) @-> ((ptr uint16_t) @-> (returning uint16_t))))) + let hacl_Impl_Matrix_matrix_to_lbytes = + foreign "Hacl_Impl_Matrix_matrix_to_lbytes" + (uint32_t @-> + (uint32_t @-> + ((ptr uint16_t) @-> (ocaml_bytes @-> (returning void))))) + let hacl_Impl_Matrix_matrix_from_lbytes = + foreign "Hacl_Impl_Matrix_matrix_from_lbytes" + (uint32_t @-> + (uint32_t @-> + (ocaml_bytes @-> ((ptr uint16_t) @-> (returning void))))) + let hacl_Impl_Frodo_Gen_frodo_gen_matrix_shake_4x = + foreign 
"Hacl_Impl_Frodo_Gen_frodo_gen_matrix_shake_4x" + (uint32_t @-> (ocaml_bytes @-> ((ptr uint16_t) @-> (returning void)))) + let hacl_Impl_Frodo_Params_frodo_gen_matrix = + foreign "Hacl_Impl_Frodo_Params_frodo_gen_matrix" + (spec_Frodo_Params_frodo_gen_a @-> + (uint32_t @-> + (ocaml_bytes @-> ((ptr uint16_t) @-> (returning void))))) + let hacl_Impl_Frodo_Sample_frodo_sample_matrix64 = + foreign "Hacl_Impl_Frodo_Sample_frodo_sample_matrix64" + (uint32_t @-> + (uint32_t @-> + (ocaml_bytes @-> ((ptr uint16_t) @-> (returning void))))) + let hacl_Impl_Frodo_Sample_frodo_sample_matrix640 = + foreign "Hacl_Impl_Frodo_Sample_frodo_sample_matrix640" + (uint32_t @-> + (uint32_t @-> + (ocaml_bytes @-> ((ptr uint16_t) @-> (returning void))))) + let hacl_Impl_Frodo_Sample_frodo_sample_matrix976 = + foreign "Hacl_Impl_Frodo_Sample_frodo_sample_matrix976" + (uint32_t @-> + (uint32_t @-> + (ocaml_bytes @-> ((ptr uint16_t) @-> (returning void))))) + let hacl_Impl_Frodo_Sample_frodo_sample_matrix1344 = + foreign "Hacl_Impl_Frodo_Sample_frodo_sample_matrix1344" + (uint32_t @-> + (uint32_t @-> + (ocaml_bytes @-> ((ptr uint16_t) @-> (returning void))))) + let randombytes_ = + foreign "randombytes_" + (uint32_t @-> (ocaml_bytes @-> (returning void))) + let hacl_Impl_Frodo_Pack_frodo_pack = + foreign "Hacl_Impl_Frodo_Pack_frodo_pack" + (uint32_t @-> + (uint32_t @-> + (uint32_t @-> + ((ptr uint16_t) @-> (ocaml_bytes @-> (returning void)))))) + let hacl_Impl_Frodo_Pack_frodo_unpack = + foreign "Hacl_Impl_Frodo_Pack_frodo_unpack" + (uint32_t @-> + (uint32_t @-> + (uint32_t @-> + (ocaml_bytes @-> ((ptr uint16_t) @-> (returning void)))))) + let hacl_Impl_Frodo_Encode_frodo_key_encode = + foreign "Hacl_Impl_Frodo_Encode_frodo_key_encode" + (uint32_t @-> + (uint32_t @-> + (uint32_t @-> + (ocaml_bytes @-> ((ptr uint16_t) @-> (returning void)))))) + let hacl_Impl_Frodo_Encode_frodo_key_decode = + foreign "Hacl_Impl_Frodo_Encode_frodo_key_decode" + (uint32_t @-> + (uint32_t @-> + (uint32_t @-> + 
((ptr uint16_t) @-> (ocaml_bytes @-> (returning void)))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_GenericField32_bindings.ml b/ocaml/lib/Hacl_GenericField32_bindings.ml new file mode 100644 index 00000000..4f8f6108 --- /dev/null +++ b/ocaml/lib/Hacl_GenericField32_bindings.ml 
@@ -0,0 +1,82 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + type hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 = + [ `hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 ] structure + let (hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 : + [ `hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 ] structure typ) = + structure "Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32_s" + let hacl_Bignum_MontArithmetic_bn_mont_ctx_u32_len = + field hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 "len" uint32_t + let hacl_Bignum_MontArithmetic_bn_mont_ctx_u32_n = + field hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 "n" (ptr uint32_t) + let hacl_Bignum_MontArithmetic_bn_mont_ctx_u32_mu = + field hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 "mu" uint32_t + let hacl_Bignum_MontArithmetic_bn_mont_ctx_u32_r2 = + field hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 "r2" (ptr uint32_t) + let _ = seal hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 + let hacl_GenericField32_field_modulus_check = + foreign "Hacl_GenericField32_field_modulus_check" + (uint32_t @-> ((ptr uint32_t) @-> (returning bool))) + let hacl_GenericField32_field_init = + foreign "Hacl_GenericField32_field_init" + (uint32_t @-> + ((ptr uint32_t) @-> + (returning (ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32)))) + let hacl_GenericField32_field_free = + foreign "Hacl_GenericField32_field_free" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32) @-> + (returning void)) + let hacl_GenericField32_field_get_len = + foreign "Hacl_GenericField32_field_get_len" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32) @-> + (returning uint32_t)) + let hacl_GenericField32_to_field = + foreign "Hacl_GenericField32_to_field" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))) + let hacl_GenericField32_from_field = + foreign "Hacl_GenericField32_from_field" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))) + let 
hacl_GenericField32_add = + foreign "Hacl_GenericField32_add" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32) @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void))))) + let hacl_GenericField32_sub = + foreign "Hacl_GenericField32_sub" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32) @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void))))) + let hacl_GenericField32_mul = + foreign "Hacl_GenericField32_mul" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32) @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void))))) + let hacl_GenericField32_sqr = + foreign "Hacl_GenericField32_sqr" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))) + let hacl_GenericField32_one = + foreign "Hacl_GenericField32_one" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32) @-> + ((ptr uint32_t) @-> (returning void))) + let hacl_GenericField32_exp_consttime = + foreign "Hacl_GenericField32_exp_consttime" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32) @-> + ((ptr uint32_t) @-> + (uint32_t @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))))) + let hacl_GenericField32_exp_vartime = + foreign "Hacl_GenericField32_exp_vartime" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32) @-> + ((ptr uint32_t) @-> + (uint32_t @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))))) + let hacl_GenericField32_inverse = + foreign "Hacl_GenericField32_inverse" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u32) @-> + ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_GenericField64_bindings.ml b/ocaml/lib/Hacl_GenericField64_bindings.ml new file mode 100644 index 00000000..63127bf7 --- /dev/null +++ b/ocaml/lib/Hacl_GenericField64_bindings.ml 
@@ -0,0 +1,71 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + module Hacl_Bignum256_applied = + (Hacl_Bignum256_bindings.Bindings)(Hacl_Bignum256_stubs) + open Hacl_Bignum256_applied + let hacl_GenericField64_field_modulus_check = + foreign "Hacl_GenericField64_field_modulus_check" + (uint32_t @-> ((ptr uint64_t) @-> (returning bool))) + let hacl_GenericField64_field_init = + foreign "Hacl_GenericField64_field_init" + (uint32_t @-> + ((ptr uint64_t) @-> + (returning (ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64)))) + let hacl_GenericField64_field_free = + foreign "Hacl_GenericField64_field_free" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64) @-> + (returning void)) + let hacl_GenericField64_field_get_len = + foreign "Hacl_GenericField64_field_get_len" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64) @-> + (returning uint32_t)) + let hacl_GenericField64_to_field = + foreign "Hacl_GenericField64_to_field" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))) + let hacl_GenericField64_from_field = + foreign "Hacl_GenericField64_from_field" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))) + let hacl_GenericField64_add = + foreign "Hacl_GenericField64_add" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64) @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void))))) + let hacl_GenericField64_sub = + foreign "Hacl_GenericField64_sub" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64) @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void))))) + let hacl_GenericField64_mul = + foreign "Hacl_GenericField64_mul" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64) @-> + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void))))) + let hacl_GenericField64_sqr = + foreign "Hacl_GenericField64_sqr" + ((ptr 
hacl_Bignum_MontArithmetic_bn_mont_ctx_u64) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))) + let hacl_GenericField64_one = + foreign "Hacl_GenericField64_one" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64) @-> + ((ptr uint64_t) @-> (returning void))) + let hacl_GenericField64_exp_consttime = + foreign "Hacl_GenericField64_exp_consttime" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64) @-> + ((ptr uint64_t) @-> + (uint32_t @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))))) + let hacl_GenericField64_exp_vartime = + foreign "Hacl_GenericField64_exp_vartime" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64) @-> + ((ptr uint64_t) @-> + (uint32_t @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))))) + let hacl_GenericField64_inverse = + foreign "Hacl_GenericField64_inverse" + ((ptr hacl_Bignum_MontArithmetic_bn_mont_ctx_u64) @-> + ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_HKDF_Blake2b_256_bindings.ml b/ocaml/lib/Hacl_HKDF_Blake2b_256_bindings.ml new file mode 100644 index 00000000..19908dab --- /dev/null +++ b/ocaml/lib/Hacl_HKDF_Blake2b_256_bindings.ml @@ -0,0 +1,17 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_HKDF_Blake2b_256_expand_blake2b_256 = + foreign "Hacl_HKDF_Blake2b_256_expand_blake2b_256" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> (uint32_t @-> (returning void))))))) + let hacl_HKDF_Blake2b_256_extract_blake2b_256 = + foreign "Hacl_HKDF_Blake2b_256_extract_blake2b_256" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_HKDF_Blake2s_128_bindings.ml b/ocaml/lib/Hacl_HKDF_Blake2s_128_bindings.ml new file mode 100644 index 00000000..58f15019 --- /dev/null +++ b/ocaml/lib/Hacl_HKDF_Blake2s_128_bindings.ml 
@@ -0,0 +1,17 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_HKDF_Blake2s_128_expand_blake2s_128 = + foreign "Hacl_HKDF_Blake2s_128_expand_blake2s_128" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> (uint32_t @-> (returning void))))))) + let hacl_HKDF_Blake2s_128_extract_blake2s_128 = + foreign "Hacl_HKDF_Blake2s_128_extract_blake2s_128" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_HKDF_bindings.ml b/ocaml/lib/Hacl_HKDF_bindings.ml new file mode 100644 index 00000000..d1c9e9dd --- /dev/null +++ b/ocaml/lib/Hacl_HKDF_bindings.ml 
@@ -0,0 +1,53 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_HKDF_expand_sha2_256 = + foreign "Hacl_HKDF_expand_sha2_256" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> (uint32_t @-> (returning void))))))) + let hacl_HKDF_extract_sha2_256 = + foreign "Hacl_HKDF_extract_sha2_256" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + let hacl_HKDF_expand_sha2_512 = + foreign "Hacl_HKDF_expand_sha2_512" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> (uint32_t @-> (returning void))))))) + let hacl_HKDF_extract_sha2_512 = + foreign "Hacl_HKDF_extract_sha2_512" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + let hacl_HKDF_expand_blake2s_32 = + foreign "Hacl_HKDF_expand_blake2s_32" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> (uint32_t @-> (returning void))))))) + let hacl_HKDF_extract_blake2s_32 = + foreign "Hacl_HKDF_extract_blake2s_32" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + let hacl_HKDF_expand_blake2b_32 = + foreign "Hacl_HKDF_expand_blake2b_32" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> (uint32_t @-> (returning void))))))) + let hacl_HKDF_extract_blake2b_32 = + foreign "Hacl_HKDF_extract_blake2b_32" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_HMAC_Blake2b_256_bindings.ml b/ocaml/lib/Hacl_HMAC_Blake2b_256_bindings.ml new file mode 100644 index 00000000..aac64b56 --- /dev/null +++ b/ocaml/lib/Hacl_HMAC_Blake2b_256_bindings.ml 
@@ -0,0 +1,10 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_HMAC_Blake2b_256_compute_blake2b_256 = + foreign "Hacl_HMAC_Blake2b_256_compute_blake2b_256" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_HMAC_Blake2s_128_bindings.ml b/ocaml/lib/Hacl_HMAC_Blake2s_128_bindings.ml new file mode 100644 index 00000000..1d87caf4 --- /dev/null +++ b/ocaml/lib/Hacl_HMAC_Blake2s_128_bindings.ml @@ -0,0 +1,10 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_HMAC_Blake2s_128_compute_blake2s_128 = + foreign "Hacl_HMAC_Blake2s_128_compute_blake2s_128" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_HMAC_DRBG_bindings.ml b/ocaml/lib/Hacl_HMAC_DRBG_bindings.ml new file mode 100644 index 00000000..0b9b8f1b --- /dev/null +++ b/ocaml/lib/Hacl_HMAC_DRBG_bindings.ml 
@@ -0,0 +1,58 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + module Hacl_Spec_applied = (Hacl_Spec_bindings.Bindings)(Hacl_Spec_stubs) + open Hacl_Spec_applied + type hacl_HMAC_DRBG_supported_alg = spec_Hash_Definitions_hash_alg + let hacl_HMAC_DRBG_supported_alg = + typedef spec_Hash_Definitions_hash_alg "Hacl_HMAC_DRBG_supported_alg" + let hacl_HMAC_DRBG_reseed_interval = + foreign_value "Hacl_HMAC_DRBG_reseed_interval" uint32_t + let hacl_HMAC_DRBG_max_output_length = + foreign_value "Hacl_HMAC_DRBG_max_output_length" uint32_t + let hacl_HMAC_DRBG_max_length = + foreign_value "Hacl_HMAC_DRBG_max_length" uint32_t + let hacl_HMAC_DRBG_max_personalization_string_length = + foreign_value "Hacl_HMAC_DRBG_max_personalization_string_length" + uint32_t + let hacl_HMAC_DRBG_max_additional_input_length = + foreign_value "Hacl_HMAC_DRBG_max_additional_input_length" uint32_t + let hacl_HMAC_DRBG_min_length = + foreign "Hacl_HMAC_DRBG_min_length" + (spec_Hash_Definitions_hash_alg @-> (returning uint32_t)) + type hacl_HMAC_DRBG_state = [ `hacl_HMAC_DRBG_state ] structure + let (hacl_HMAC_DRBG_state : [ `hacl_HMAC_DRBG_state ] structure typ) = + structure "Hacl_HMAC_DRBG_state_s" + let hacl_HMAC_DRBG_state_k = field hacl_HMAC_DRBG_state "k" (ptr uint8_t) + let hacl_HMAC_DRBG_state_v = field hacl_HMAC_DRBG_state "v" (ptr uint8_t) + let hacl_HMAC_DRBG_state_reseed_counter = + field hacl_HMAC_DRBG_state "reseed_counter" (ptr uint32_t) + let _ = seal hacl_HMAC_DRBG_state + let hacl_HMAC_DRBG_create_in = + foreign "Hacl_HMAC_DRBG_create_in" + (spec_Hash_Definitions_hash_alg @-> (returning hacl_HMAC_DRBG_state)) + let hacl_HMAC_DRBG_instantiate = + foreign "Hacl_HMAC_DRBG_instantiate" + (spec_Hash_Definitions_hash_alg @-> + (hacl_HMAC_DRBG_state @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning void))))))))) + let hacl_HMAC_DRBG_reseed = + foreign "Hacl_HMAC_DRBG_reseed" + 
(spec_Hash_Definitions_hash_alg @-> + (hacl_HMAC_DRBG_state @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning void))))))) + let hacl_HMAC_DRBG_generate = + foreign "Hacl_HMAC_DRBG_generate" + (spec_Hash_Definitions_hash_alg @-> + (ocaml_bytes @-> + (hacl_HMAC_DRBG_state @-> + (uint32_t @-> + (uint32_t @-> (ocaml_bytes @-> (returning bool))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_HMAC_bindings.ml b/ocaml/lib/Hacl_HMAC_bindings.ml new file mode 100644 index 00000000..de5eb1aa --- /dev/null +++ b/ocaml/lib/Hacl_HMAC_bindings.ml @@ -0,0 +1,35 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_HMAC_legacy_compute_sha1 = + foreign "Hacl_HMAC_legacy_compute_sha1" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + let hacl_HMAC_compute_sha2_256 = + foreign "Hacl_HMAC_compute_sha2_256" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + let hacl_HMAC_compute_sha2_384 = + foreign "Hacl_HMAC_compute_sha2_384" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + let hacl_HMAC_compute_sha2_512 = + foreign "Hacl_HMAC_compute_sha2_512" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + let hacl_HMAC_compute_blake2s_32 = + foreign "Hacl_HMAC_compute_blake2s_32" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + let hacl_HMAC_compute_blake2b_32 = + foreign "Hacl_HMAC_compute_blake2b_32" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_HPKE_Curve51_CP128_SHA256_bindings.ml b/ocaml/lib/Hacl_HPKE_Curve51_CP128_SHA256_bindings.ml new file mode 100644 index 00000000..da412a20 --- /dev/null 
+++ b/ocaml/lib/Hacl_HPKE_Curve51_CP128_SHA256_bindings.ml @@ -0,0 +1,38 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_HPKE_Curve51_CP128_SHA256_setupBaseI = + foreign "Hacl_HPKE_Curve51_CP128_SHA256_setupBaseI" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_Curve51_CP128_SHA256_setupBaseR = + foreign "Hacl_HPKE_Curve51_CP128_SHA256_setupBaseR" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t))))))) + let hacl_HPKE_Curve51_CP128_SHA256_sealBase = + foreign "Hacl_HPKE_Curve51_CP128_SHA256_sealBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_Curve51_CP128_SHA256_openBase = + foreign "Hacl_HPKE_Curve51_CP128_SHA256_openBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_HPKE_Curve51_CP128_SHA512_bindings.ml b/ocaml/lib/Hacl_HPKE_Curve51_CP128_SHA512_bindings.ml new file mode 100644 index 00000000..5bfa3f77 --- /dev/null +++ b/ocaml/lib/Hacl_HPKE_Curve51_CP128_SHA512_bindings.ml 
@@ -0,0 +1,38 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_HPKE_Curve51_CP128_SHA512_setupBaseI = + foreign "Hacl_HPKE_Curve51_CP128_SHA512_setupBaseI" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_Curve51_CP128_SHA512_setupBaseR = + foreign "Hacl_HPKE_Curve51_CP128_SHA512_setupBaseR" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t))))))) + let hacl_HPKE_Curve51_CP128_SHA512_sealBase = + foreign "Hacl_HPKE_Curve51_CP128_SHA512_sealBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_Curve51_CP128_SHA512_openBase = + foreign "Hacl_HPKE_Curve51_CP128_SHA512_openBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_HPKE_Curve51_CP256_SHA256_bindings.ml b/ocaml/lib/Hacl_HPKE_Curve51_CP256_SHA256_bindings.ml new file mode 100644 index 00000000..e9c9f0f2 --- /dev/null +++ b/ocaml/lib/Hacl_HPKE_Curve51_CP256_SHA256_bindings.ml 
@@ -0,0 +1,38 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_HPKE_Curve51_CP256_SHA256_setupBaseI = + foreign "Hacl_HPKE_Curve51_CP256_SHA256_setupBaseI" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_Curve51_CP256_SHA256_setupBaseR = + foreign "Hacl_HPKE_Curve51_CP256_SHA256_setupBaseR" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t))))))) + let hacl_HPKE_Curve51_CP256_SHA256_sealBase = + foreign "Hacl_HPKE_Curve51_CP256_SHA256_sealBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_Curve51_CP256_SHA256_openBase = + foreign "Hacl_HPKE_Curve51_CP256_SHA256_openBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_HPKE_Curve51_CP256_SHA512_bindings.ml b/ocaml/lib/Hacl_HPKE_Curve51_CP256_SHA512_bindings.ml new file mode 100644 index 00000000..d737b62e --- /dev/null +++ b/ocaml/lib/Hacl_HPKE_Curve51_CP256_SHA512_bindings.ml 
@@ -0,0 +1,38 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_HPKE_Curve51_CP256_SHA512_setupBaseI = + foreign "Hacl_HPKE_Curve51_CP256_SHA512_setupBaseI" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_Curve51_CP256_SHA512_setupBaseR = + foreign "Hacl_HPKE_Curve51_CP256_SHA512_setupBaseR" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t))))))) + let hacl_HPKE_Curve51_CP256_SHA512_sealBase = + foreign "Hacl_HPKE_Curve51_CP256_SHA512_sealBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_Curve51_CP256_SHA512_openBase = + foreign "Hacl_HPKE_Curve51_CP256_SHA512_openBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.ml b/ocaml/lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.ml new file mode 100644 index 00000000..6cf78147 --- /dev/null +++ b/ocaml/lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.ml 
@@ -0,0 +1,38 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_HPKE_Curve51_CP32_SHA256_setupBaseI = + foreign "Hacl_HPKE_Curve51_CP32_SHA256_setupBaseI" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_Curve51_CP32_SHA256_setupBaseR = + foreign "Hacl_HPKE_Curve51_CP32_SHA256_setupBaseR" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t))))))) + let hacl_HPKE_Curve51_CP32_SHA256_sealBase = + foreign "Hacl_HPKE_Curve51_CP32_SHA256_sealBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_Curve51_CP32_SHA256_openBase = + foreign "Hacl_HPKE_Curve51_CP32_SHA256_openBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_HPKE_Curve51_CP32_SHA512_bindings.ml b/ocaml/lib/Hacl_HPKE_Curve51_CP32_SHA512_bindings.ml new file mode 100644 index 00000000..47bc3b58 --- /dev/null +++ b/ocaml/lib/Hacl_HPKE_Curve51_CP32_SHA512_bindings.ml 
@@ -0,0 +1,38 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_HPKE_Curve51_CP32_SHA512_setupBaseI = + foreign "Hacl_HPKE_Curve51_CP32_SHA512_setupBaseI" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_Curve51_CP32_SHA512_setupBaseR = + foreign "Hacl_HPKE_Curve51_CP32_SHA512_setupBaseR" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t))))))) + let hacl_HPKE_Curve51_CP32_SHA512_sealBase = + foreign "Hacl_HPKE_Curve51_CP32_SHA512_sealBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_Curve51_CP32_SHA512_openBase = + foreign "Hacl_HPKE_Curve51_CP32_SHA512_openBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_HPKE_Curve64_CP128_SHA256_bindings.ml b/ocaml/lib/Hacl_HPKE_Curve64_CP128_SHA256_bindings.ml new file mode 100644 index 00000000..863b392b --- /dev/null +++ b/ocaml/lib/Hacl_HPKE_Curve64_CP128_SHA256_bindings.ml 
@@ -0,0 +1,38 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_HPKE_Curve64_CP128_SHA256_setupBaseI = + foreign "Hacl_HPKE_Curve64_CP128_SHA256_setupBaseI" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_Curve64_CP128_SHA256_setupBaseR = + foreign "Hacl_HPKE_Curve64_CP128_SHA256_setupBaseR" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t))))))) + let hacl_HPKE_Curve64_CP128_SHA256_sealBase = + foreign "Hacl_HPKE_Curve64_CP128_SHA256_sealBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_Curve64_CP128_SHA256_openBase = + foreign "Hacl_HPKE_Curve64_CP128_SHA256_openBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_HPKE_Curve64_CP128_SHA512_bindings.ml b/ocaml/lib/Hacl_HPKE_Curve64_CP128_SHA512_bindings.ml new file mode 100644 index 00000000..e81f8999 --- /dev/null +++ b/ocaml/lib/Hacl_HPKE_Curve64_CP128_SHA512_bindings.ml 
@@ -0,0 +1,38 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_HPKE_Curve64_CP128_SHA512_setupBaseI = + foreign "Hacl_HPKE_Curve64_CP128_SHA512_setupBaseI" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_Curve64_CP128_SHA512_setupBaseR = + foreign "Hacl_HPKE_Curve64_CP128_SHA512_setupBaseR" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t))))))) + let hacl_HPKE_Curve64_CP128_SHA512_sealBase = + foreign "Hacl_HPKE_Curve64_CP128_SHA512_sealBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_Curve64_CP128_SHA512_openBase = + foreign "Hacl_HPKE_Curve64_CP128_SHA512_openBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.ml b/ocaml/lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.ml new file mode 100644 index 00000000..44d04403 --- /dev/null +++ b/ocaml/lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.ml 
@@ -0,0 +1,38 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_HPKE_Curve64_CP256_SHA256_setupBaseI = + foreign "Hacl_HPKE_Curve64_CP256_SHA256_setupBaseI" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_Curve64_CP256_SHA256_setupBaseR = + foreign "Hacl_HPKE_Curve64_CP256_SHA256_setupBaseR" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t))))))) + let hacl_HPKE_Curve64_CP256_SHA256_sealBase = + foreign "Hacl_HPKE_Curve64_CP256_SHA256_sealBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_Curve64_CP256_SHA256_openBase = + foreign "Hacl_HPKE_Curve64_CP256_SHA256_openBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_HPKE_Curve64_CP256_SHA512_bindings.ml b/ocaml/lib/Hacl_HPKE_Curve64_CP256_SHA512_bindings.ml new file mode 100644 index 00000000..46e88117 --- /dev/null +++ b/ocaml/lib/Hacl_HPKE_Curve64_CP256_SHA512_bindings.ml 
@@ -0,0 +1,38 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_HPKE_Curve64_CP256_SHA512_setupBaseI = + foreign "Hacl_HPKE_Curve64_CP256_SHA512_setupBaseI" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_Curve64_CP256_SHA512_setupBaseR = + foreign "Hacl_HPKE_Curve64_CP256_SHA512_setupBaseR" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t))))))) + let hacl_HPKE_Curve64_CP256_SHA512_sealBase = + foreign "Hacl_HPKE_Curve64_CP256_SHA512_sealBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_Curve64_CP256_SHA512_openBase = + foreign "Hacl_HPKE_Curve64_CP256_SHA512_openBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_HPKE_Curve64_CP32_SHA256_bindings.ml b/ocaml/lib/Hacl_HPKE_Curve64_CP32_SHA256_bindings.ml new file mode 100644 index 00000000..c3e7c33f --- /dev/null +++ b/ocaml/lib/Hacl_HPKE_Curve64_CP32_SHA256_bindings.ml 
@@ -0,0 +1,38 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_HPKE_Curve64_CP32_SHA256_setupBaseI = + foreign "Hacl_HPKE_Curve64_CP32_SHA256_setupBaseI" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_Curve64_CP32_SHA256_setupBaseR = + foreign "Hacl_HPKE_Curve64_CP32_SHA256_setupBaseR" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t))))))) + let hacl_HPKE_Curve64_CP32_SHA256_sealBase = + foreign "Hacl_HPKE_Curve64_CP32_SHA256_sealBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_Curve64_CP32_SHA256_openBase = + foreign "Hacl_HPKE_Curve64_CP32_SHA256_openBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_HPKE_Curve64_CP32_SHA512_bindings.ml b/ocaml/lib/Hacl_HPKE_Curve64_CP32_SHA512_bindings.ml new file mode 100644 index 00000000..ccb202c5 --- /dev/null +++ b/ocaml/lib/Hacl_HPKE_Curve64_CP32_SHA512_bindings.ml 
@@ -0,0 +1,38 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_HPKE_Curve64_CP32_SHA512_setupBaseI = + foreign "Hacl_HPKE_Curve64_CP32_SHA512_setupBaseI" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_Curve64_CP32_SHA512_setupBaseR = + foreign "Hacl_HPKE_Curve64_CP32_SHA512_setupBaseR" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t))))))) + let hacl_HPKE_Curve64_CP32_SHA512_sealBase = + foreign "Hacl_HPKE_Curve64_CP32_SHA512_sealBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_Curve64_CP32_SHA512_openBase = + foreign "Hacl_HPKE_Curve64_CP32_SHA512_openBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_HPKE_P256_CP128_SHA256_bindings.ml b/ocaml/lib/Hacl_HPKE_P256_CP128_SHA256_bindings.ml new file mode 100644 index 00000000..e1f5f34b --- /dev/null +++ b/ocaml/lib/Hacl_HPKE_P256_CP128_SHA256_bindings.ml 
@@ -0,0 +1,38 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_HPKE_P256_CP128_SHA256_setupBaseI = + foreign "Hacl_HPKE_P256_CP128_SHA256_setupBaseI" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_P256_CP128_SHA256_setupBaseR = + foreign "Hacl_HPKE_P256_CP128_SHA256_setupBaseR" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t))))))) + let hacl_HPKE_P256_CP128_SHA256_sealBase = + foreign "Hacl_HPKE_P256_CP128_SHA256_sealBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_P256_CP128_SHA256_openBase = + foreign "Hacl_HPKE_P256_CP128_SHA256_openBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_HPKE_P256_CP256_SHA256_bindings.ml b/ocaml/lib/Hacl_HPKE_P256_CP256_SHA256_bindings.ml new file mode 100644 index 00000000..5659de49 --- /dev/null +++ b/ocaml/lib/Hacl_HPKE_P256_CP256_SHA256_bindings.ml 
@@ -0,0 +1,38 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_HPKE_P256_CP256_SHA256_setupBaseI = + foreign "Hacl_HPKE_P256_CP256_SHA256_setupBaseI" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_P256_CP256_SHA256_setupBaseR = + foreign "Hacl_HPKE_P256_CP256_SHA256_setupBaseR" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t))))))) + let hacl_HPKE_P256_CP256_SHA256_sealBase = + foreign "Hacl_HPKE_P256_CP256_SHA256_sealBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_P256_CP256_SHA256_openBase = + foreign "Hacl_HPKE_P256_CP256_SHA256_openBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_HPKE_P256_CP32_SHA256_bindings.ml b/ocaml/lib/Hacl_HPKE_P256_CP32_SHA256_bindings.ml new file mode 100644 index 00000000..f463d39e --- /dev/null +++ b/ocaml/lib/Hacl_HPKE_P256_CP32_SHA256_bindings.ml 
@@ -0,0 +1,38 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_HPKE_P256_CP32_SHA256_setupBaseI = + foreign "Hacl_HPKE_P256_CP32_SHA256_setupBaseI" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_P256_CP32_SHA256_setupBaseR = + foreign "Hacl_HPKE_P256_CP32_SHA256_setupBaseR" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning uint32_t))))))) + let hacl_HPKE_P256_CP32_SHA256_sealBase = + foreign "Hacl_HPKE_P256_CP32_SHA256_sealBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_HPKE_P256_CP32_SHA256_openBase = + foreign "Hacl_HPKE_P256_CP32_SHA256_openBase" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Hash_Base_bindings.ml b/ocaml/lib/Hacl_Hash_Base_bindings.ml new file mode 100644 index 00000000..98d7eadd --- /dev/null +++ b/ocaml/lib/Hacl_Hash_Base_bindings.ml 
@@ -0,0 +1,19 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + module Hacl_Spec_applied = (Hacl_Spec_bindings.Bindings)(Hacl_Spec_stubs) + open Hacl_Spec_applied + let hacl_Hash_Definitions_word_len = + foreign "Hacl_Hash_Definitions_word_len" + (spec_Hash_Definitions_hash_alg @-> (returning uint32_t)) + let hacl_Hash_Definitions_block_len = + foreign "Hacl_Hash_Definitions_block_len" + (spec_Hash_Definitions_hash_alg @-> (returning uint32_t)) + let hacl_Hash_Definitions_hash_word_len = + foreign "Hacl_Hash_Definitions_hash_word_len" + (spec_Hash_Definitions_hash_alg @-> (returning uint32_t)) + let hacl_Hash_Definitions_hash_len = + foreign "Hacl_Hash_Definitions_hash_len" + (spec_Hash_Definitions_hash_alg @-> (returning uint32_t)) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Hash_Blake2_bindings.ml b/ocaml/lib/Hacl_Hash_Blake2_bindings.ml new file mode 100644 index 00000000..1265c862 --- /dev/null +++ b/ocaml/lib/Hacl_Hash_Blake2_bindings.ml 
@@ -0,0 +1,88 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + type hacl_Impl_Blake2_Core_m_spec = Unsigned.UInt8.t + let hacl_Impl_Blake2_Core_m_spec = + typedef uint8_t "Hacl_Impl_Blake2_Core_m_spec" + let hacl_Impl_Blake2_Core_m_spec_Hacl_Impl_Blake2_Core_M32 = + Unsigned.UInt8.of_int 0 + let hacl_Impl_Blake2_Core_m_spec_Hacl_Impl_Blake2_Core_M128 = + Unsigned.UInt8.of_int 1 + let hacl_Impl_Blake2_Core_m_spec_Hacl_Impl_Blake2_Core_M256 = + Unsigned.UInt8.of_int 2 + let hacl_Hash_Core_Blake2_update_blake2s_32 = + foreign "Hacl_Hash_Core_Blake2_update_blake2s_32" + ((ptr uint32_t) @-> + (uint64_t @-> (ocaml_bytes @-> (returning uint64_t)))) + let hacl_Hash_Core_Blake2_finish_blake2s_32 = + foreign "Hacl_Hash_Core_Blake2_finish_blake2s_32" + ((ptr uint32_t) @-> (uint64_t @-> (ocaml_bytes @-> (returning void)))) + let hacl_Hash_Blake2_update_multi_blake2s_32 = + foreign "Hacl_Hash_Blake2_update_multi_blake2s_32" + ((ptr uint32_t) @-> + (uint64_t @-> + (ocaml_bytes @-> (uint32_t @-> (returning uint64_t))))) + let hacl_Hash_Blake2_update_last_blake2s_32 = + foreign "Hacl_Hash_Blake2_update_last_blake2s_32" + ((ptr uint32_t) @-> + (uint64_t @-> + (uint64_t @-> + (ocaml_bytes @-> (uint32_t @-> (returning uint64_t)))))) + let hacl_Hash_Blake2_hash_blake2s_32 = + foreign "Hacl_Hash_Blake2_hash_blake2s_32" + (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (returning void)))) + let hacl_Hash_Blake2_hash_blake2b_32 = + foreign "Hacl_Hash_Blake2_hash_blake2b_32" + (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (returning void)))) + let hacl_Blake2b_32_blake2b_init = + foreign "Hacl_Blake2b_32_blake2b_init" + ((ptr uint64_t) @-> (uint32_t @-> (uint32_t @-> (returning void)))) + let hacl_Blake2b_32_blake2b_update_key = + foreign "Hacl_Blake2b_32_blake2b_update_key" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + let hacl_Blake2b_32_blake2b_finish = + foreign 
"Hacl_Blake2b_32_blake2b_finish" + (uint32_t @-> (ocaml_bytes @-> ((ptr uint64_t) @-> (returning void)))) + let hacl_Blake2b_32_blake2b = + foreign "Hacl_Blake2b_32_blake2b" + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning void))))))) + let hacl_Blake2s_32_blake2s_init = + foreign "Hacl_Blake2s_32_blake2s_init" + ((ptr uint32_t) @-> (uint32_t @-> (uint32_t @-> (returning void)))) + let hacl_Blake2s_32_blake2s_update_key = + foreign "Hacl_Blake2s_32_blake2s_update_key" + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + let hacl_Blake2s_32_blake2s_update_multi = + foreign "Hacl_Blake2s_32_blake2s_update_multi" + (uint32_t @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> + (uint64_t @-> + (ocaml_bytes @-> (uint32_t @-> (returning void))))))) + let hacl_Blake2s_32_blake2s_update_last = + foreign "Hacl_Blake2s_32_blake2s_update_last" + (uint32_t @-> + ((ptr uint32_t) @-> + ((ptr uint32_t) @-> + (uint64_t @-> + (uint32_t @-> (ocaml_bytes @-> (returning void))))))) + let hacl_Blake2s_32_blake2s_finish = + foreign "Hacl_Blake2s_32_blake2s_finish" + (uint32_t @-> (ocaml_bytes @-> ((ptr uint32_t) @-> (returning void)))) + let hacl_Blake2s_32_blake2s = + foreign "Hacl_Blake2s_32_blake2s" + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning void))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Hash_Blake2b_256_bindings.ml b/ocaml/lib/Hacl_Hash_Blake2b_256_bindings.ml new file mode 100644 index 00000000..e013fd5f --- /dev/null +++ b/ocaml/lib/Hacl_Hash_Blake2b_256_bindings.ml 
@@ -0,0 +1,15 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Hash_Blake2b_256_hash_blake2b_256 = + foreign "Hacl_Hash_Blake2b_256_hash_blake2b_256" + (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (returning void)))) + let hacl_Blake2b_256_blake2b = + foreign "Hacl_Blake2b_256_blake2b" + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning void))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Hash_Blake2s_128_bindings.ml b/ocaml/lib/Hacl_Hash_Blake2s_128_bindings.ml new file mode 100644 index 00000000..76b08076 --- /dev/null +++ b/ocaml/lib/Hacl_Hash_Blake2s_128_bindings.ml @@ -0,0 +1,15 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Hash_Blake2s_128_hash_blake2s_128 = + foreign "Hacl_Hash_Blake2s_128_hash_blake2s_128" + (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (returning void)))) + let hacl_Blake2s_128_blake2s = + foreign "Hacl_Blake2s_128_blake2s" + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning void))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Hash_MD5_bindings.ml b/ocaml/lib/Hacl_Hash_MD5_bindings.ml new file mode 100644 index 00000000..6bd1a1e2 --- /dev/null +++ b/ocaml/lib/Hacl_Hash_MD5_bindings.ml 
@@ -0,0 +1,24 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Hash_Core_MD5_legacy_init = + foreign "Hacl_Hash_Core_MD5_legacy_init" + ((ptr uint32_t) @-> (returning void)) + let hacl_Hash_Core_MD5_legacy_update = + foreign "Hacl_Hash_Core_MD5_legacy_update" + ((ptr uint32_t) @-> (ocaml_bytes @-> (returning void))) + let hacl_Hash_Core_MD5_legacy_finish = + foreign "Hacl_Hash_Core_MD5_legacy_finish" + ((ptr uint32_t) @-> (ocaml_bytes @-> (returning void))) + let hacl_Hash_MD5_legacy_update_multi = + foreign "Hacl_Hash_MD5_legacy_update_multi" + ((ptr uint32_t) @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))) + let hacl_Hash_MD5_legacy_update_last = + foreign "Hacl_Hash_MD5_legacy_update_last" + ((ptr uint32_t) @-> + (uint64_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void))))) + let hacl_Hash_MD5_legacy_hash = + foreign "Hacl_Hash_MD5_legacy_hash" + (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (returning void)))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Hash_SHA1_bindings.ml b/ocaml/lib/Hacl_Hash_SHA1_bindings.ml new file mode 100644 index 00000000..a021cecf --- /dev/null +++ b/ocaml/lib/Hacl_Hash_SHA1_bindings.ml 
@@ -0,0 +1,24 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Hash_Core_SHA1_legacy_init = + foreign "Hacl_Hash_Core_SHA1_legacy_init" + ((ptr uint32_t) @-> (returning void)) + let hacl_Hash_Core_SHA1_legacy_update = + foreign "Hacl_Hash_Core_SHA1_legacy_update" + ((ptr uint32_t) @-> (ocaml_bytes @-> (returning void))) + let hacl_Hash_Core_SHA1_legacy_finish = + foreign "Hacl_Hash_Core_SHA1_legacy_finish" + ((ptr uint32_t) @-> (ocaml_bytes @-> (returning void))) + let hacl_Hash_SHA1_legacy_update_multi = + foreign "Hacl_Hash_SHA1_legacy_update_multi" + ((ptr uint32_t) @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))) + let hacl_Hash_SHA1_legacy_update_last = + foreign "Hacl_Hash_SHA1_legacy_update_last" + ((ptr uint32_t) @-> + (uint64_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void))))) + let hacl_Hash_SHA1_legacy_hash = + foreign "Hacl_Hash_SHA1_legacy_hash" + (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (returning void)))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Hash_SHA2_bindings.ml b/ocaml/lib/Hacl_Hash_SHA2_bindings.ml new file mode 100644 index 00000000..ba007319 --- /dev/null +++ b/ocaml/lib/Hacl_Hash_SHA2_bindings.ml 
@@ -0,0 +1,70 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Hash_Core_SHA2_init_224 = + foreign "Hacl_Hash_Core_SHA2_init_224" + ((ptr uint32_t) @-> (returning void)) + let hacl_Hash_Core_SHA2_init_256 = + foreign "Hacl_Hash_Core_SHA2_init_256" + ((ptr uint32_t) @-> (returning void)) + let hacl_Hash_Core_SHA2_init_384 = + foreign "Hacl_Hash_Core_SHA2_init_384" + ((ptr uint64_t) @-> (returning void)) + let hacl_Hash_Core_SHA2_init_512 = + foreign "Hacl_Hash_Core_SHA2_init_512" + ((ptr uint64_t) @-> (returning void)) + let hacl_Hash_Core_SHA2_update_384 = + foreign "Hacl_Hash_Core_SHA2_update_384" + ((ptr uint64_t) @-> (ocaml_bytes @-> (returning void))) + let hacl_Hash_Core_SHA2_update_512 = + foreign "Hacl_Hash_Core_SHA2_update_512" + ((ptr uint64_t) @-> (ocaml_bytes @-> (returning void))) + let hacl_Hash_Core_SHA2_pad_256 = + foreign "Hacl_Hash_Core_SHA2_pad_256" + (uint64_t @-> (ocaml_bytes @-> (returning void))) + let hacl_Hash_Core_SHA2_finish_224 = + foreign "Hacl_Hash_Core_SHA2_finish_224" + ((ptr uint32_t) @-> (ocaml_bytes @-> (returning void))) + let hacl_Hash_Core_SHA2_finish_256 = + foreign "Hacl_Hash_Core_SHA2_finish_256" + ((ptr uint32_t) @-> (ocaml_bytes @-> (returning void))) + let hacl_Hash_Core_SHA2_finish_384 = + foreign "Hacl_Hash_Core_SHA2_finish_384" + ((ptr uint64_t) @-> (ocaml_bytes @-> (returning void))) + let hacl_Hash_Core_SHA2_finish_512 = + foreign "Hacl_Hash_Core_SHA2_finish_512" + ((ptr uint64_t) @-> (ocaml_bytes @-> (returning void))) + let hacl_Hash_SHA2_update_multi_224 = + foreign "Hacl_Hash_SHA2_update_multi_224" + ((ptr uint32_t) @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))) + let hacl_Hash_SHA2_update_multi_256 = + foreign "Hacl_Hash_SHA2_update_multi_256" + ((ptr uint32_t) @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))) + let hacl_Hash_SHA2_update_multi_384 = + foreign "Hacl_Hash_SHA2_update_multi_384" + ((ptr uint64_t) @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))) + 
let hacl_Hash_SHA2_update_multi_512 = + foreign "Hacl_Hash_SHA2_update_multi_512" + ((ptr uint64_t) @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))) + let hacl_Hash_SHA2_update_last_224 = + foreign "Hacl_Hash_SHA2_update_last_224" + ((ptr uint32_t) @-> + (uint64_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void))))) + let hacl_Hash_SHA2_update_last_256 = + foreign "Hacl_Hash_SHA2_update_last_256" + ((ptr uint32_t) @-> + (uint64_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void))))) + let hacl_Hash_SHA2_hash_224 = + foreign "Hacl_Hash_SHA2_hash_224" + (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (returning void)))) + let hacl_Hash_SHA2_hash_256 = + foreign "Hacl_Hash_SHA2_hash_256" + (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (returning void)))) + let hacl_Hash_SHA2_hash_384 = + foreign "Hacl_Hash_SHA2_hash_384" + (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (returning void)))) + let hacl_Hash_SHA2_hash_512 = + foreign "Hacl_Hash_SHA2_hash_512" + (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (returning void)))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_IntTypes_Intrinsics_128_bindings.ml b/ocaml/lib/Hacl_IntTypes_Intrinsics_128_bindings.ml new file mode 100644 index 00000000..70683802 --- /dev/null +++ b/ocaml/lib/Hacl_IntTypes_Intrinsics_128_bindings.ml @@ -0,0 +1,15 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_IntTypes_Intrinsics_128_add_carry_u64 = + foreign "Hacl_IntTypes_Intrinsics_128_add_carry_u64" + (uint64_t @-> + (uint64_t @-> + (uint64_t @-> ((ptr uint64_t) @-> (returning uint64_t))))) + let hacl_IntTypes_Intrinsics_128_sub_borrow_u64 = + foreign "Hacl_IntTypes_Intrinsics_128_sub_borrow_u64" + (uint64_t @-> + (uint64_t @-> + (uint64_t @-> ((ptr uint64_t) @-> (returning uint64_t))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_IntTypes_Intrinsics_bindings.ml b/ocaml/lib/Hacl_IntTypes_Intrinsics_bindings.ml new file mode 100644 index 00000000..71f2605d 
--- /dev/null +++ b/ocaml/lib/Hacl_IntTypes_Intrinsics_bindings.ml @@ -0,0 +1,25 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_IntTypes_Intrinsics_add_carry_u32 = + foreign "Hacl_IntTypes_Intrinsics_add_carry_u32" + (uint32_t @-> + (uint32_t @-> + (uint32_t @-> ((ptr uint32_t) @-> (returning uint32_t))))) + let hacl_IntTypes_Intrinsics_sub_borrow_u32 = + foreign "Hacl_IntTypes_Intrinsics_sub_borrow_u32" + (uint32_t @-> + (uint32_t @-> + (uint32_t @-> ((ptr uint32_t) @-> (returning uint32_t))))) + let hacl_IntTypes_Intrinsics_add_carry_u64 = + foreign "Hacl_IntTypes_Intrinsics_add_carry_u64" + (uint64_t @-> + (uint64_t @-> + (uint64_t @-> ((ptr uint64_t) @-> (returning uint64_t))))) + let hacl_IntTypes_Intrinsics_sub_borrow_u64 = + foreign "Hacl_IntTypes_Intrinsics_sub_borrow_u64" + (uint64_t @-> + (uint64_t @-> + (uint64_t @-> ((ptr uint64_t) @-> (returning uint64_t))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_NaCl_bindings.ml b/ocaml/lib/Hacl_NaCl_bindings.ml new file mode 100644 index 00000000..5323c445 --- /dev/null +++ b/ocaml/lib/Hacl_NaCl_bindings.ml 
@@ -0,0 +1,93 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_NaCl_crypto_secretbox_detached = + foreign "Hacl_NaCl_crypto_secretbox_detached" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning uint32_t))))))) + let hacl_NaCl_crypto_secretbox_open_detached = + foreign "Hacl_NaCl_crypto_secretbox_open_detached" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning uint32_t))))))) + let hacl_NaCl_crypto_secretbox_easy = + foreign "Hacl_NaCl_crypto_secretbox_easy" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning uint32_t)))))) + let hacl_NaCl_crypto_secretbox_open_easy = + foreign "Hacl_NaCl_crypto_secretbox_open_easy" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning uint32_t)))))) + let hacl_NaCl_crypto_box_beforenm = + foreign "Hacl_NaCl_crypto_box_beforenm" + (ocaml_bytes @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning uint32_t)))) + let hacl_NaCl_crypto_box_detached_afternm = + foreign "Hacl_NaCl_crypto_box_detached_afternm" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning uint32_t))))))) + let hacl_NaCl_crypto_box_detached = + foreign "Hacl_NaCl_crypto_box_detached" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_NaCl_crypto_box_open_detached_afternm = + foreign "Hacl_NaCl_crypto_box_open_detached_afternm" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning uint32_t))))))) + let hacl_NaCl_crypto_box_open_detached = + foreign "Hacl_NaCl_crypto_box_open_detached" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + 
(ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning uint32_t)))))))) + let hacl_NaCl_crypto_box_easy_afternm = + foreign "Hacl_NaCl_crypto_box_easy_afternm" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning uint32_t)))))) + let hacl_NaCl_crypto_box_easy = + foreign "Hacl_NaCl_crypto_box_easy" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning uint32_t))))))) + let hacl_NaCl_crypto_box_open_easy_afternm = + foreign "Hacl_NaCl_crypto_box_open_easy_afternm" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning uint32_t)))))) + let hacl_NaCl_crypto_box_open_easy = + foreign "Hacl_NaCl_crypto_box_open_easy" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning uint32_t))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_P256_bindings.ml b/ocaml/lib/Hacl_P256_bindings.ml new file mode 100644 index 00000000..bb34979f --- /dev/null +++ b/ocaml/lib/Hacl_P256_bindings.ml 
@@ -0,0 +1,97 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Impl_P256_LowLevel_toUint8 = + foreign "Hacl_Impl_P256_LowLevel_toUint8" + ((ptr uint64_t) @-> (ocaml_bytes @-> (returning void))) + let hacl_Impl_P256_LowLevel_changeEndian = + foreign "Hacl_Impl_P256_LowLevel_changeEndian" + ((ptr uint64_t) @-> (returning void)) + let hacl_Impl_P256_LowLevel_toUint64ChangeEndian = + foreign "Hacl_Impl_P256_LowLevel_toUint64ChangeEndian" + (ocaml_bytes @-> ((ptr uint64_t) @-> (returning void))) + let hacl_Impl_P256_Core_isPointAtInfinityPrivate = + foreign "Hacl_Impl_P256_Core_isPointAtInfinityPrivate" + ((ptr uint64_t) @-> (returning uint64_t)) + let hacl_Impl_P256_Core_secretToPublic = + foreign "Hacl_Impl_P256_Core_secretToPublic" + ((ptr uint64_t) @-> + (ocaml_bytes @-> ((ptr uint64_t) @-> (returning void)))) + let hacl_Impl_P256_DH__ecp256dh_r = + foreign "Hacl_Impl_P256_DH__ecp256dh_r" + ((ptr uint64_t) @-> + ((ptr uint64_t) @-> (ocaml_bytes @-> (returning uint64_t)))) + let hacl_P256_ecdsa_sign_p256_sha2 = + foreign "Hacl_P256_ecdsa_sign_p256_sha2" + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning bool)))))) + let hacl_P256_ecdsa_sign_p256_sha384 = + foreign "Hacl_P256_ecdsa_sign_p256_sha384" + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning bool)))))) + let hacl_P256_ecdsa_sign_p256_sha512 = + foreign "Hacl_P256_ecdsa_sign_p256_sha512" + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning bool)))))) + let hacl_P256_ecdsa_sign_p256_without_hash = + foreign "Hacl_P256_ecdsa_sign_p256_without_hash" + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning bool)))))) + let hacl_P256_ecdsa_verif_p256_sha2 = + foreign "Hacl_P256_ecdsa_verif_p256_sha2" + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (ocaml_bytes @-> 
(returning bool)))))) + let hacl_P256_ecdsa_verif_p256_sha384 = + foreign "Hacl_P256_ecdsa_verif_p256_sha384" + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning bool)))))) + let hacl_P256_ecdsa_verif_p256_sha512 = + foreign "Hacl_P256_ecdsa_verif_p256_sha512" + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning bool)))))) + let hacl_P256_ecdsa_verif_without_hash = + foreign "Hacl_P256_ecdsa_verif_without_hash" + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning bool)))))) + let hacl_P256_validate_public_key = + foreign "Hacl_P256_validate_public_key" + (ocaml_bytes @-> (returning bool)) + let hacl_P256_validate_private_key = + foreign "Hacl_P256_validate_private_key" + (ocaml_bytes @-> (returning bool)) + let hacl_P256_uncompressed_to_raw = + foreign "Hacl_P256_uncompressed_to_raw" + (ocaml_bytes @-> (ocaml_bytes @-> (returning bool))) + let hacl_P256_compressed_to_raw = + foreign "Hacl_P256_compressed_to_raw" + (ocaml_bytes @-> (ocaml_bytes @-> (returning bool))) + let hacl_P256_raw_to_uncompressed = + foreign "Hacl_P256_raw_to_uncompressed" + (ocaml_bytes @-> (ocaml_bytes @-> (returning void))) + let hacl_P256_raw_to_compressed = + foreign "Hacl_P256_raw_to_compressed" + (ocaml_bytes @-> (ocaml_bytes @-> (returning void))) + let hacl_P256_dh_initiator = + foreign "Hacl_P256_dh_initiator" + (ocaml_bytes @-> (ocaml_bytes @-> (returning bool))) + let hacl_P256_dh_responder = + foreign "Hacl_P256_dh_responder" + (ocaml_bytes @-> (ocaml_bytes @-> (ocaml_bytes @-> (returning bool)))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Poly1305_128_bindings.ml b/ocaml/lib/Hacl_Poly1305_128_bindings.ml new file mode 100644 index 00000000..adbd7fab --- /dev/null +++ b/ocaml/lib/Hacl_Poly1305_128_bindings.ml 
@@ -0,0 +1,11 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Poly1305_128_blocklen = + foreign_value "Hacl_Poly1305_128_blocklen" uint32_t + let hacl_Poly1305_128_poly1305_mac = + foreign "Hacl_Poly1305_128_poly1305_mac" + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (ocaml_bytes @-> (returning void))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Poly1305_256_bindings.ml b/ocaml/lib/Hacl_Poly1305_256_bindings.ml new file mode 100644 index 00000000..0bc7711d --- /dev/null +++ b/ocaml/lib/Hacl_Poly1305_256_bindings.ml @@ -0,0 +1,11 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Poly1305_256_blocklen = + foreign_value "Hacl_Poly1305_256_blocklen" uint32_t + let hacl_Poly1305_256_poly1305_mac = + foreign "Hacl_Poly1305_256_poly1305_mac" + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (ocaml_bytes @-> (returning void))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Poly1305_32_bindings.ml b/ocaml/lib/Hacl_Poly1305_32_bindings.ml new file mode 100644 index 00000000..3e8907a2 --- /dev/null +++ b/ocaml/lib/Hacl_Poly1305_32_bindings.ml 
@@ -0,0 +1,24 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Poly1305_32_blocklen = + foreign_value "Hacl_Poly1305_32_blocklen" uint32_t + let hacl_Poly1305_32_poly1305_init = + foreign "Hacl_Poly1305_32_poly1305_init" + ((ptr uint64_t) @-> (ocaml_bytes @-> (returning void))) + let hacl_Poly1305_32_poly1305_update1 = + foreign "Hacl_Poly1305_32_poly1305_update1" + ((ptr uint64_t) @-> (ocaml_bytes @-> (returning void))) + let hacl_Poly1305_32_poly1305_update = + foreign "Hacl_Poly1305_32_poly1305_update" + ((ptr uint64_t) @-> (uint32_t @-> (ocaml_bytes @-> (returning void)))) + let hacl_Poly1305_32_poly1305_finish = + foreign "Hacl_Poly1305_32_poly1305_finish" + (ocaml_bytes @-> + (ocaml_bytes @-> ((ptr uint64_t) @-> (returning void)))) + let hacl_Poly1305_32_poly1305_mac = + foreign "Hacl_Poly1305_32_poly1305_mac" + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (ocaml_bytes @-> (returning void))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_RSAPSS_bindings.ml b/ocaml/lib/Hacl_RSAPSS_bindings.ml new file mode 100644 index 00000000..7bf9c6d3 --- /dev/null +++ b/ocaml/lib/Hacl_RSAPSS_bindings.ml 
@@ -0,0 +1,68 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + module Hacl_Spec_applied = (Hacl_Spec_bindings.Bindings)(Hacl_Spec_stubs) + open Hacl_Spec_applied + let hacl_RSAPSS_rsapss_sign = + foreign "Hacl_RSAPSS_rsapss_sign" + (spec_Hash_Definitions_hash_alg @-> + (uint32_t @-> + (uint32_t @-> + (uint32_t @-> + ((ptr uint64_t) @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning bool))))))))))) + let hacl_RSAPSS_rsapss_verify = + foreign "Hacl_RSAPSS_rsapss_verify" + (spec_Hash_Definitions_hash_alg @-> + (uint32_t @-> + (uint32_t @-> + ((ptr uint64_t) @-> + (uint32_t @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (returning bool)))))))))) + let hacl_RSAPSS_new_rsapss_load_pkey = + foreign "Hacl_RSAPSS_new_rsapss_load_pkey" + (uint32_t @-> + (uint32_t @-> + (ocaml_bytes @-> (ocaml_bytes @-> (returning (ptr uint64_t)))))) + let hacl_RSAPSS_new_rsapss_load_skey = + foreign "Hacl_RSAPSS_new_rsapss_load_skey" + (uint32_t @-> + (uint32_t @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning (ptr uint64_t)))))))) + let hacl_RSAPSS_rsapss_skey_sign = + foreign "Hacl_RSAPSS_rsapss_skey_sign" + (spec_Hash_Definitions_hash_alg @-> + (uint32_t @-> + (uint32_t @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning bool))))))))))))) + let hacl_RSAPSS_rsapss_pkey_verify = + foreign "Hacl_RSAPSS_rsapss_pkey_verify" + (spec_Hash_Definitions_hash_alg @-> + (uint32_t @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> (returning bool))))))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_SHA2_Scalar32_bindings.ml b/ocaml/lib/Hacl_SHA2_Scalar32_bindings.ml new file mode 100644 index 00000000..554cfd32 --- /dev/null 
+++ b/ocaml/lib/Hacl_SHA2_Scalar32_bindings.ml @@ -0,0 +1,17 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_SHA2_Scalar32_sha224 = + foreign "Hacl_SHA2_Scalar32_sha224" + (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (returning void)))) + let hacl_SHA2_Scalar32_sha256 = + foreign "Hacl_SHA2_Scalar32_sha256" + (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (returning void)))) + let hacl_SHA2_Scalar32_sha384 = + foreign "Hacl_SHA2_Scalar32_sha384" + (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (returning void)))) + let hacl_SHA2_Scalar32_sha512 = + foreign "Hacl_SHA2_Scalar32_sha512" + (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (returning void)))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_SHA2_Vec128_bindings.ml b/ocaml/lib/Hacl_SHA2_Vec128_bindings.ml new file mode 100644 index 00000000..048f6523 --- /dev/null +++ b/ocaml/lib/Hacl_SHA2_Vec128_bindings.ml @@ -0,0 +1,27 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_SHA2_Vec128_sha224_4 = + foreign "Hacl_SHA2_Vec128_sha224_4" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning void)))))))))) + let hacl_SHA2_Vec128_sha256_4 = + foreign "Hacl_SHA2_Vec128_sha256_4" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning void)))))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_SHA2_Vec256_bindings.ml b/ocaml/lib/Hacl_SHA2_Vec256_bindings.ml new file mode 100644 index 00000000..4249481b --- /dev/null +++ b/ocaml/lib/Hacl_SHA2_Vec256_bindings.ml 
@@ -0,0 +1,67 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_SHA2_Vec256_sha224_8 = + foreign "Hacl_SHA2_Vec256_sha224_8" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (returning void)))))))))))))))))) + let hacl_SHA2_Vec256_sha256_8 = + foreign "Hacl_SHA2_Vec256_sha256_8" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (returning void)))))))))))))))))) + let hacl_SHA2_Vec256_sha384_4 = + foreign "Hacl_SHA2_Vec256_sha384_4" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning void)))))))))) + let hacl_SHA2_Vec256_sha512_4 = + foreign "Hacl_SHA2_Vec256_sha512_4" + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (returning void)))))))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_SHA3_bindings.ml b/ocaml/lib/Hacl_SHA3_bindings.ml new file mode 100644 index 00000000..60f7e127 --- /dev/null +++ b/ocaml/lib/Hacl_SHA3_bindings.ml 
@@ -0,0 +1,54 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Impl_SHA3_rotl = + foreign "Hacl_Impl_SHA3_rotl" + (uint64_t @-> (uint32_t @-> (returning uint64_t))) + let hacl_Impl_SHA3_state_permute = + foreign "Hacl_Impl_SHA3_state_permute" + ((ptr uint64_t) @-> (returning void)) + let hacl_Impl_SHA3_loadState = + foreign "Hacl_Impl_SHA3_loadState" + (uint32_t @-> (ocaml_bytes @-> ((ptr uint64_t) @-> (returning void)))) + let hacl_Impl_SHA3_storeState = + foreign "Hacl_Impl_SHA3_storeState" + (uint32_t @-> ((ptr uint64_t) @-> (ocaml_bytes @-> (returning void)))) + let hacl_Impl_SHA3_absorb = + foreign "Hacl_Impl_SHA3_absorb" + ((ptr uint64_t) @-> + (uint32_t @-> + (uint32_t @-> (ocaml_bytes @-> (uint8_t @-> (returning void)))))) + let hacl_Impl_SHA3_squeeze = + foreign "Hacl_Impl_SHA3_squeeze" + ((ptr uint64_t) @-> + (uint32_t @-> (uint32_t @-> (ocaml_bytes @-> (returning void))))) + let hacl_Impl_SHA3_keccak = + foreign "Hacl_Impl_SHA3_keccak" + (uint32_t @-> + (uint32_t @-> + (uint32_t @-> + (ocaml_bytes @-> + (uint8_t @-> + (uint32_t @-> (ocaml_bytes @-> (returning void)))))))) + let hacl_SHA3_shake128_hacl = + foreign "Hacl_SHA3_shake128_hacl" + (uint32_t @-> + (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (returning void))))) + let hacl_SHA3_shake256_hacl = + foreign "Hacl_SHA3_shake256_hacl" + (uint32_t @-> + (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (returning void))))) + let hacl_SHA3_sha3_224 = + foreign "Hacl_SHA3_sha3_224" + (uint32_t @-> (ocaml_bytes @-> (ocaml_bytes @-> (returning void)))) + let hacl_SHA3_sha3_256 = + foreign "Hacl_SHA3_sha3_256" + (uint32_t @-> (ocaml_bytes @-> (ocaml_bytes @-> (returning void)))) + let hacl_SHA3_sha3_384 = + foreign "Hacl_SHA3_sha3_384" + (uint32_t @-> (ocaml_bytes @-> (ocaml_bytes @-> (returning void)))) + let hacl_SHA3_sha3_512 = + foreign "Hacl_SHA3_sha3_512" + (uint32_t @-> (ocaml_bytes @-> (ocaml_bytes @-> (returning void)))) + end \ No newline at end of file 
diff --git a/ocaml/lib/Hacl_Salsa20_bindings.ml b/ocaml/lib/Hacl_Salsa20_bindings.ml new file mode 100644 index 00000000..07045fc4 --- /dev/null +++ b/ocaml/lib/Hacl_Salsa20_bindings.ml @@ -0,0 +1,25 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Salsa20_salsa20_encrypt = + foreign "Hacl_Salsa20_salsa20_encrypt" + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (uint32_t @-> (returning void))))))) + let hacl_Salsa20_salsa20_decrypt = + foreign "Hacl_Salsa20_salsa20_decrypt" + (uint32_t @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> + (ocaml_bytes @-> (uint32_t @-> (returning void))))))) + let hacl_Salsa20_salsa20_key_block0 = + foreign "Hacl_Salsa20_salsa20_key_block0" + (ocaml_bytes @-> (ocaml_bytes @-> (ocaml_bytes @-> (returning void)))) + let hacl_Salsa20_hsalsa20 = + foreign "Hacl_Salsa20_hsalsa20" + (ocaml_bytes @-> (ocaml_bytes @-> (ocaml_bytes @-> (returning void)))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Spec_bindings.ml b/ocaml/lib/Hacl_Spec_bindings.ml new file mode 100644 index 00000000..0b9a3f68 --- /dev/null +++ b/ocaml/lib/Hacl_Spec_bindings.ml 
@@ -0,0 +1,76 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + type spec_Hash_Definitions_hash_alg = Unsigned.UInt8.t + let spec_Hash_Definitions_hash_alg = + typedef uint8_t "Spec_Hash_Definitions_hash_alg" + let spec_Hash_Definitions_hash_alg_Spec_Hash_Definitions_SHA2_224 = + Unsigned.UInt8.of_int 0 + let spec_Hash_Definitions_hash_alg_Spec_Hash_Definitions_SHA2_256 = + Unsigned.UInt8.of_int 1 + let spec_Hash_Definitions_hash_alg_Spec_Hash_Definitions_SHA2_384 = + Unsigned.UInt8.of_int 2 + let spec_Hash_Definitions_hash_alg_Spec_Hash_Definitions_SHA2_512 = + Unsigned.UInt8.of_int 3 + let spec_Hash_Definitions_hash_alg_Spec_Hash_Definitions_SHA1 = + Unsigned.UInt8.of_int 4 + let spec_Hash_Definitions_hash_alg_Spec_Hash_Definitions_MD5 = + Unsigned.UInt8.of_int 5 + let spec_Hash_Definitions_hash_alg_Spec_Hash_Definitions_Blake2S = + Unsigned.UInt8.of_int 6 + let spec_Hash_Definitions_hash_alg_Spec_Hash_Definitions_Blake2B = + Unsigned.UInt8.of_int 7 + type spec_Cipher_Expansion_impl = Unsigned.UInt8.t + let spec_Cipher_Expansion_impl = + typedef uint8_t "Spec_Cipher_Expansion_impl" + let spec_Cipher_Expansion_impl_Spec_Cipher_Expansion_Hacl_CHACHA20 = + Unsigned.UInt8.of_int 0 + let spec_Cipher_Expansion_impl_Spec_Cipher_Expansion_Vale_AES128 = + Unsigned.UInt8.of_int 1 + let spec_Cipher_Expansion_impl_Spec_Cipher_Expansion_Vale_AES256 = + Unsigned.UInt8.of_int 2 + type spec_Agile_Cipher_cipher_alg = Unsigned.UInt8.t + let spec_Agile_Cipher_cipher_alg = + typedef uint8_t "Spec_Agile_Cipher_cipher_alg" + let spec_Agile_Cipher_cipher_alg_Spec_Agile_Cipher_AES128 = + Unsigned.UInt8.of_int 0 + let spec_Agile_Cipher_cipher_alg_Spec_Agile_Cipher_AES256 = + Unsigned.UInt8.of_int 1 + let spec_Agile_Cipher_cipher_alg_Spec_Agile_Cipher_CHACHA20 = + Unsigned.UInt8.of_int 2 + type spec_Frodo_Params_frodo_gen_a = Unsigned.UInt8.t + let spec_Frodo_Params_frodo_gen_a = + typedef uint8_t "Spec_Frodo_Params_frodo_gen_a" + let 
spec_Frodo_Params_frodo_gen_a_Spec_Frodo_Params_SHAKE128 = + Unsigned.UInt8.of_int 0 + let spec_Frodo_Params_frodo_gen_a_Spec_Frodo_Params_AES128 = + Unsigned.UInt8.of_int 1 + type spec_FFDHE_ffdhe_alg = Unsigned.UInt8.t + let spec_FFDHE_ffdhe_alg = typedef uint8_t "Spec_FFDHE_ffdhe_alg" + let spec_FFDHE_ffdhe_alg_Spec_FFDHE_FFDHE2048 = Unsigned.UInt8.of_int 0 + let spec_FFDHE_ffdhe_alg_Spec_FFDHE_FFDHE3072 = Unsigned.UInt8.of_int 1 + let spec_FFDHE_ffdhe_alg_Spec_FFDHE_FFDHE4096 = Unsigned.UInt8.of_int 2 + let spec_FFDHE_ffdhe_alg_Spec_FFDHE_FFDHE6144 = Unsigned.UInt8.of_int 3 + let spec_FFDHE_ffdhe_alg_Spec_FFDHE_FFDHE8192 = Unsigned.UInt8.of_int 4 + type spec_Blake2_alg = Unsigned.UInt8.t + let spec_Blake2_alg = typedef uint8_t "Spec_Blake2_alg" + let spec_Blake2_alg_Spec_Blake2_Blake2S = Unsigned.UInt8.of_int 0 + let spec_Blake2_alg_Spec_Blake2_Blake2B = Unsigned.UInt8.of_int 1 + type spec_Agile_AEAD_alg = Unsigned.UInt8.t + let spec_Agile_AEAD_alg = typedef uint8_t "Spec_Agile_AEAD_alg" + let spec_Agile_AEAD_alg_Spec_Agile_AEAD_AES128_GCM = + Unsigned.UInt8.of_int 0 + let spec_Agile_AEAD_alg_Spec_Agile_AEAD_AES256_GCM = + Unsigned.UInt8.of_int 1 + let spec_Agile_AEAD_alg_Spec_Agile_AEAD_CHACHA20_POLY1305 = + Unsigned.UInt8.of_int 2 + let spec_Agile_AEAD_alg_Spec_Agile_AEAD_AES128_CCM = + Unsigned.UInt8.of_int 3 + let spec_Agile_AEAD_alg_Spec_Agile_AEAD_AES256_CCM = + Unsigned.UInt8.of_int 4 + let spec_Agile_AEAD_alg_Spec_Agile_AEAD_AES128_CCM8 = + Unsigned.UInt8.of_int 5 + let spec_Agile_AEAD_alg_Spec_Agile_AEAD_AES256_CCM8 = + Unsigned.UInt8.of_int 6 + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Streaming_Blake2_bindings.ml b/ocaml/lib/Hacl_Streaming_Blake2_bindings.ml new file mode 100644 index 00000000..ca44d385 --- /dev/null +++ b/ocaml/lib/Hacl_Streaming_Blake2_bindings.ml 
@@ -0,0 +1,94 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + module Hacl_Spec_applied = (Hacl_Spec_bindings.Bindings)(Hacl_Spec_stubs) + open Hacl_Spec_applied + module Hacl_Hash_Blake2_applied = + (Hacl_Hash_Blake2_bindings.Bindings)(Hacl_Hash_Blake2_stubs) + open Hacl_Hash_Blake2_applied + let hacl_Streaming_Blake2_blocks_state_len = + foreign "Hacl_Streaming_Blake2_blocks_state_len" + (spec_Blake2_alg @-> + (hacl_Impl_Blake2_Core_m_spec @-> (returning uint32_t))) + type hacl_Streaming_Blake2_blake2s_32_block_state = + [ `hacl_Streaming_Blake2_blake2s_32_block_state ] structure + let (hacl_Streaming_Blake2_blake2s_32_block_state : + [ `hacl_Streaming_Blake2_blake2s_32_block_state ] structure typ) = + structure "Hacl_Streaming_Blake2_blake2s_32_block_state_s" + let hacl_Streaming_Blake2_blake2s_32_block_state_fst = + field hacl_Streaming_Blake2_blake2s_32_block_state "fst" (ptr uint32_t) + let hacl_Streaming_Blake2_blake2s_32_block_state_snd = + field hacl_Streaming_Blake2_blake2s_32_block_state "snd" (ptr uint32_t) + let _ = seal hacl_Streaming_Blake2_blake2s_32_block_state + type hacl_Streaming_Blake2_blake2s_32_state = + [ `hacl_Streaming_Blake2_blake2s_32_state ] structure + let (hacl_Streaming_Blake2_blake2s_32_state : + [ `hacl_Streaming_Blake2_blake2s_32_state ] structure typ) = + structure "Hacl_Streaming_Blake2_blake2s_32_state_s" + let hacl_Streaming_Blake2_blake2s_32_state_block_state = + field hacl_Streaming_Blake2_blake2s_32_state "block_state" + hacl_Streaming_Blake2_blake2s_32_block_state + let hacl_Streaming_Blake2_blake2s_32_state_buf = + field hacl_Streaming_Blake2_blake2s_32_state "buf" (ptr uint8_t) + let hacl_Streaming_Blake2_blake2s_32_state_total_len = + field hacl_Streaming_Blake2_blake2s_32_state "total_len" uint64_t + let _ = seal hacl_Streaming_Blake2_blake2s_32_state + let hacl_Streaming_Blake2_blake2s_32_no_key_create_in = + foreign "Hacl_Streaming_Blake2_blake2s_32_no_key_create_in" + (void @-> (returning 
(ptr hacl_Streaming_Blake2_blake2s_32_state))) + let hacl_Streaming_Blake2_blake2s_32_no_key_init = + foreign "Hacl_Streaming_Blake2_blake2s_32_no_key_init" + ((ptr hacl_Streaming_Blake2_blake2s_32_state) @-> (returning void)) + let hacl_Streaming_Blake2_blake2s_32_no_key_update = + foreign "Hacl_Streaming_Blake2_blake2s_32_no_key_update" + ((ptr hacl_Streaming_Blake2_blake2s_32_state) @-> + (ocaml_bytes @-> (uint32_t @-> (returning void)))) + let hacl_Streaming_Blake2_blake2s_32_no_key_finish = + foreign "Hacl_Streaming_Blake2_blake2s_32_no_key_finish" + ((ptr hacl_Streaming_Blake2_blake2s_32_state) @-> + (ocaml_bytes @-> (returning void))) + let hacl_Streaming_Blake2_blake2s_32_no_key_free = + foreign "Hacl_Streaming_Blake2_blake2s_32_no_key_free" + ((ptr hacl_Streaming_Blake2_blake2s_32_state) @-> (returning void)) + type hacl_Streaming_Blake2_blake2b_32_block_state = + [ `hacl_Streaming_Blake2_blake2b_32_block_state ] structure + let (hacl_Streaming_Blake2_blake2b_32_block_state : + [ `hacl_Streaming_Blake2_blake2b_32_block_state ] structure typ) = + structure "Hacl_Streaming_Blake2_blake2b_32_block_state_s" + let hacl_Streaming_Blake2_blake2b_32_block_state_fst = + field hacl_Streaming_Blake2_blake2b_32_block_state "fst" (ptr uint64_t) + let hacl_Streaming_Blake2_blake2b_32_block_state_snd = + field hacl_Streaming_Blake2_blake2b_32_block_state "snd" (ptr uint64_t) + let _ = seal hacl_Streaming_Blake2_blake2b_32_block_state + type hacl_Streaming_Blake2_blake2b_32_state = + [ `hacl_Streaming_Blake2_blake2b_32_state ] structure + let (hacl_Streaming_Blake2_blake2b_32_state : + [ `hacl_Streaming_Blake2_blake2b_32_state ] structure typ) = + structure "Hacl_Streaming_Blake2_blake2b_32_state_s" + let hacl_Streaming_Blake2_blake2b_32_state_block_state = + field hacl_Streaming_Blake2_blake2b_32_state "block_state" + hacl_Streaming_Blake2_blake2b_32_block_state + let hacl_Streaming_Blake2_blake2b_32_state_buf = + field hacl_Streaming_Blake2_blake2b_32_state "buf" (ptr 
uint8_t) + let hacl_Streaming_Blake2_blake2b_32_state_total_len = + field hacl_Streaming_Blake2_blake2b_32_state "total_len" uint64_t + let _ = seal hacl_Streaming_Blake2_blake2b_32_state + let hacl_Streaming_Blake2_blake2b_32_no_key_create_in = + foreign "Hacl_Streaming_Blake2_blake2b_32_no_key_create_in" + (void @-> (returning (ptr hacl_Streaming_Blake2_blake2b_32_state))) + let hacl_Streaming_Blake2_blake2b_32_no_key_init = + foreign "Hacl_Streaming_Blake2_blake2b_32_no_key_init" + ((ptr hacl_Streaming_Blake2_blake2b_32_state) @-> (returning void)) + let hacl_Streaming_Blake2_blake2b_32_no_key_update = + foreign "Hacl_Streaming_Blake2_blake2b_32_no_key_update" + ((ptr hacl_Streaming_Blake2_blake2b_32_state) @-> + (ocaml_bytes @-> (uint32_t @-> (returning void)))) + let hacl_Streaming_Blake2_blake2b_32_no_key_finish = + foreign "Hacl_Streaming_Blake2_blake2b_32_no_key_finish" + ((ptr hacl_Streaming_Blake2_blake2b_32_state) @-> + (ocaml_bytes @-> (returning void))) + let hacl_Streaming_Blake2_blake2b_32_no_key_free = + foreign "Hacl_Streaming_Blake2_blake2b_32_no_key_free" + ((ptr hacl_Streaming_Blake2_blake2b_32_state) @-> (returning void)) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Streaming_MD5_bindings.ml b/ocaml/lib/Hacl_Streaming_MD5_bindings.ml new file mode 100644 index 00000000..8b9bdec1 --- /dev/null +++ b/ocaml/lib/Hacl_Streaming_MD5_bindings.ml 
@@ -0,0 +1,29 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + module Hacl_Streaming_SHA2_applied = + (Hacl_Streaming_SHA2_bindings.Bindings)(Hacl_Streaming_SHA2_stubs) + open Hacl_Streaming_SHA2_applied + type hacl_Streaming_MD5_state_md5 = hacl_Streaming_SHA2_state_sha2_224 + let hacl_Streaming_MD5_state_md5 = + typedef hacl_Streaming_SHA2_state_sha2_224 + "Hacl_Streaming_MD5_state_md5" + let hacl_Streaming_MD5_legacy_create_in_md5 = + foreign "Hacl_Streaming_MD5_legacy_create_in_md5" + (void @-> (returning (ptr hacl_Streaming_SHA2_state_sha2_224))) + let hacl_Streaming_MD5_legacy_init_md5 = + foreign "Hacl_Streaming_MD5_legacy_init_md5" + ((ptr hacl_Streaming_SHA2_state_sha2_224) @-> (returning void)) + let hacl_Streaming_MD5_legacy_update_md5 = + foreign "Hacl_Streaming_MD5_legacy_update_md5" + ((ptr hacl_Streaming_SHA2_state_sha2_224) @-> + (ocaml_bytes @-> (uint32_t @-> (returning void)))) + let hacl_Streaming_MD5_legacy_finish_md5 = + foreign "Hacl_Streaming_MD5_legacy_finish_md5" + ((ptr hacl_Streaming_SHA2_state_sha2_224) @-> + (ocaml_bytes @-> (returning void))) + let hacl_Streaming_MD5_legacy_free_md5 = + foreign "Hacl_Streaming_MD5_legacy_free_md5" + ((ptr hacl_Streaming_SHA2_state_sha2_224) @-> (returning void)) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Streaming_Poly1305_32_bindings.ml b/ocaml/lib/Hacl_Streaming_Poly1305_32_bindings.ml new file mode 100644 index 00000000..4256f424 --- /dev/null +++ b/ocaml/lib/Hacl_Streaming_Poly1305_32_bindings.ml 
@@ -0,0 +1,42 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + type hacl_Streaming_Poly1305_32_poly1305_32_state = + [ `hacl_Streaming_Poly1305_32_poly1305_32_state ] structure + let (hacl_Streaming_Poly1305_32_poly1305_32_state : + [ `hacl_Streaming_Poly1305_32_poly1305_32_state ] structure typ) = + structure "Hacl_Streaming_Poly1305_32_poly1305_32_state_s" + let hacl_Streaming_Poly1305_32_poly1305_32_state_block_state = + field hacl_Streaming_Poly1305_32_poly1305_32_state "block_state" + (ptr uint64_t) + let hacl_Streaming_Poly1305_32_poly1305_32_state_buf = + field hacl_Streaming_Poly1305_32_poly1305_32_state "buf" (ptr uint8_t) + let hacl_Streaming_Poly1305_32_poly1305_32_state_total_len = + field hacl_Streaming_Poly1305_32_poly1305_32_state "total_len" uint64_t + let hacl_Streaming_Poly1305_32_poly1305_32_state_p_key = + field hacl_Streaming_Poly1305_32_poly1305_32_state "p_key" + (ptr uint8_t) + let _ = seal hacl_Streaming_Poly1305_32_poly1305_32_state + let hacl_Streaming_Poly1305_32_create_in = + foreign "Hacl_Streaming_Poly1305_32_create_in" + (ocaml_bytes @-> + (returning (ptr hacl_Streaming_Poly1305_32_poly1305_32_state))) + let hacl_Streaming_Poly1305_32_init = + foreign "Hacl_Streaming_Poly1305_32_init" + (ocaml_bytes @-> + ((ptr hacl_Streaming_Poly1305_32_poly1305_32_state) @-> + (returning void))) + let hacl_Streaming_Poly1305_32_update = + foreign "Hacl_Streaming_Poly1305_32_update" + ((ptr hacl_Streaming_Poly1305_32_poly1305_32_state) @-> + (ocaml_bytes @-> (uint32_t @-> (returning void)))) + let hacl_Streaming_Poly1305_32_finish = + foreign "Hacl_Streaming_Poly1305_32_finish" + ((ptr hacl_Streaming_Poly1305_32_poly1305_32_state) @-> + (ocaml_bytes @-> (returning void))) + let hacl_Streaming_Poly1305_32_free = + foreign "Hacl_Streaming_Poly1305_32_free" + ((ptr hacl_Streaming_Poly1305_32_poly1305_32_state) @-> + (returning void)) + end \ No newline at end of file 
diff --git a/ocaml/lib/Hacl_Streaming_SHA1_bindings.ml b/ocaml/lib/Hacl_Streaming_SHA1_bindings.ml new file mode 100644 index 00000000..b6afefdd --- /dev/null +++ b/ocaml/lib/Hacl_Streaming_SHA1_bindings.ml @@ -0,0 +1,29 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + module Hacl_Streaming_SHA2_applied = + (Hacl_Streaming_SHA2_bindings.Bindings)(Hacl_Streaming_SHA2_stubs) + open Hacl_Streaming_SHA2_applied + type hacl_Streaming_SHA1_state_sha1 = hacl_Streaming_SHA2_state_sha2_224 + let hacl_Streaming_SHA1_state_sha1 = + typedef hacl_Streaming_SHA2_state_sha2_224 + "Hacl_Streaming_SHA1_state_sha1" + let hacl_Streaming_SHA1_legacy_create_in_sha1 = + foreign "Hacl_Streaming_SHA1_legacy_create_in_sha1" + (void @-> (returning (ptr hacl_Streaming_SHA2_state_sha2_224))) + let hacl_Streaming_SHA1_legacy_init_sha1 = + foreign "Hacl_Streaming_SHA1_legacy_init_sha1" + ((ptr hacl_Streaming_SHA2_state_sha2_224) @-> (returning void)) + let hacl_Streaming_SHA1_legacy_update_sha1 = + foreign "Hacl_Streaming_SHA1_legacy_update_sha1" + ((ptr hacl_Streaming_SHA2_state_sha2_224) @-> + (ocaml_bytes @-> (uint32_t @-> (returning void)))) + let hacl_Streaming_SHA1_legacy_finish_sha1 = + foreign "Hacl_Streaming_SHA1_legacy_finish_sha1" + ((ptr hacl_Streaming_SHA2_state_sha2_224) @-> + (ocaml_bytes @-> (returning void))) + let hacl_Streaming_SHA1_legacy_free_sha1 = + foreign "Hacl_Streaming_SHA1_legacy_free_sha1" + ((ptr hacl_Streaming_SHA2_state_sha2_224) @-> (returning void)) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Streaming_SHA2_bindings.ml b/ocaml/lib/Hacl_Streaming_SHA2_bindings.ml new file mode 100644 index 00000000..4ef2b238 --- /dev/null +++ b/ocaml/lib/Hacl_Streaming_SHA2_bindings.ml 
@@ -0,0 +1,107 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + type hacl_Streaming_SHA2_state_sha2_224 = + [ `hacl_Streaming_SHA2_state_sha2_224 ] structure + let (hacl_Streaming_SHA2_state_sha2_224 : + [ `hacl_Streaming_SHA2_state_sha2_224 ] structure typ) = + structure "Hacl_Streaming_SHA2_state_sha2_224_s" + let hacl_Streaming_SHA2_state_sha2_224_block_state = + field hacl_Streaming_SHA2_state_sha2_224 "block_state" (ptr uint32_t) + let hacl_Streaming_SHA2_state_sha2_224_buf = + field hacl_Streaming_SHA2_state_sha2_224 "buf" (ptr uint8_t) + let hacl_Streaming_SHA2_state_sha2_224_total_len = + field hacl_Streaming_SHA2_state_sha2_224 "total_len" uint64_t + let _ = seal hacl_Streaming_SHA2_state_sha2_224 + type hacl_Streaming_SHA2_state_sha2_256 = + hacl_Streaming_SHA2_state_sha2_224 + let hacl_Streaming_SHA2_state_sha2_256 = + typedef hacl_Streaming_SHA2_state_sha2_224 + "Hacl_Streaming_SHA2_state_sha2_256" + type hacl_Streaming_SHA2_state_sha2_384 = + [ `hacl_Streaming_SHA2_state_sha2_384 ] structure + let (hacl_Streaming_SHA2_state_sha2_384 : + [ `hacl_Streaming_SHA2_state_sha2_384 ] structure typ) = + structure "Hacl_Streaming_SHA2_state_sha2_384_s" + let hacl_Streaming_SHA2_state_sha2_384_block_state = + field hacl_Streaming_SHA2_state_sha2_384 "block_state" (ptr uint64_t) + let hacl_Streaming_SHA2_state_sha2_384_buf = + field hacl_Streaming_SHA2_state_sha2_384 "buf" (ptr uint8_t) + let hacl_Streaming_SHA2_state_sha2_384_total_len = + field hacl_Streaming_SHA2_state_sha2_384 "total_len" uint64_t + let _ = seal hacl_Streaming_SHA2_state_sha2_384 + type hacl_Streaming_SHA2_state_sha2_512 = + hacl_Streaming_SHA2_state_sha2_384 + let hacl_Streaming_SHA2_state_sha2_512 = + typedef hacl_Streaming_SHA2_state_sha2_384 + "Hacl_Streaming_SHA2_state_sha2_512" + let hacl_Streaming_SHA2_create_in_224 = + foreign "Hacl_Streaming_SHA2_create_in_224" + (void @-> (returning (ptr hacl_Streaming_SHA2_state_sha2_224))) + let hacl_Streaming_SHA2_init_224 
= + foreign "Hacl_Streaming_SHA2_init_224" + ((ptr hacl_Streaming_SHA2_state_sha2_224) @-> (returning void)) + let hacl_Streaming_SHA2_update_224 = + foreign "Hacl_Streaming_SHA2_update_224" + ((ptr hacl_Streaming_SHA2_state_sha2_224) @-> + (ocaml_bytes @-> (uint32_t @-> (returning void)))) + let hacl_Streaming_SHA2_finish_224 = + foreign "Hacl_Streaming_SHA2_finish_224" + ((ptr hacl_Streaming_SHA2_state_sha2_224) @-> + (ocaml_bytes @-> (returning void))) + let hacl_Streaming_SHA2_free_224 = + foreign "Hacl_Streaming_SHA2_free_224" + ((ptr hacl_Streaming_SHA2_state_sha2_224) @-> (returning void)) + let hacl_Streaming_SHA2_create_in_256 = + foreign "Hacl_Streaming_SHA2_create_in_256" + (void @-> (returning (ptr hacl_Streaming_SHA2_state_sha2_224))) + let hacl_Streaming_SHA2_init_256 = + foreign "Hacl_Streaming_SHA2_init_256" + ((ptr hacl_Streaming_SHA2_state_sha2_224) @-> (returning void)) + let hacl_Streaming_SHA2_update_256 = + foreign "Hacl_Streaming_SHA2_update_256" + ((ptr hacl_Streaming_SHA2_state_sha2_224) @-> + (ocaml_bytes @-> (uint32_t @-> (returning void)))) + let hacl_Streaming_SHA2_finish_256 = + foreign "Hacl_Streaming_SHA2_finish_256" + ((ptr hacl_Streaming_SHA2_state_sha2_224) @-> + (ocaml_bytes @-> (returning void))) + let hacl_Streaming_SHA2_free_256 = + foreign "Hacl_Streaming_SHA2_free_256" + ((ptr hacl_Streaming_SHA2_state_sha2_224) @-> (returning void)) + let hacl_Streaming_SHA2_create_in_384 = + foreign "Hacl_Streaming_SHA2_create_in_384" + (void @-> (returning (ptr hacl_Streaming_SHA2_state_sha2_384))) + let hacl_Streaming_SHA2_init_384 = + foreign "Hacl_Streaming_SHA2_init_384" + ((ptr hacl_Streaming_SHA2_state_sha2_384) @-> (returning void)) + let hacl_Streaming_SHA2_update_384 = + foreign "Hacl_Streaming_SHA2_update_384" + ((ptr hacl_Streaming_SHA2_state_sha2_384) @-> + (ocaml_bytes @-> (uint32_t @-> (returning void)))) + let hacl_Streaming_SHA2_finish_384 = + foreign "Hacl_Streaming_SHA2_finish_384" + ((ptr 
hacl_Streaming_SHA2_state_sha2_384) @-> + (ocaml_bytes @-> (returning void))) + let hacl_Streaming_SHA2_free_384 = + foreign "Hacl_Streaming_SHA2_free_384" + ((ptr hacl_Streaming_SHA2_state_sha2_384) @-> (returning void)) + let hacl_Streaming_SHA2_create_in_512 = + foreign "Hacl_Streaming_SHA2_create_in_512" + (void @-> (returning (ptr hacl_Streaming_SHA2_state_sha2_384))) + let hacl_Streaming_SHA2_init_512 = + foreign "Hacl_Streaming_SHA2_init_512" + ((ptr hacl_Streaming_SHA2_state_sha2_384) @-> (returning void)) + let hacl_Streaming_SHA2_update_512 = + foreign "Hacl_Streaming_SHA2_update_512" + ((ptr hacl_Streaming_SHA2_state_sha2_384) @-> + (ocaml_bytes @-> (uint32_t @-> (returning void)))) + let hacl_Streaming_SHA2_finish_512 = + foreign "Hacl_Streaming_SHA2_finish_512" + ((ptr hacl_Streaming_SHA2_state_sha2_384) @-> + (ocaml_bytes @-> (returning void))) + let hacl_Streaming_SHA2_free_512 = + foreign "Hacl_Streaming_SHA2_free_512" + ((ptr hacl_Streaming_SHA2_state_sha2_384) @-> (returning void)) + end \ No newline at end of file diff --git a/ocaml/lib/Lib_RandomBuffer_System_bindings.ml b/ocaml/lib/Lib_RandomBuffer_System_bindings.ml new file mode 100644 index 00000000..a738bad1 --- /dev/null +++ b/ocaml/lib/Lib_RandomBuffer_System_bindings.ml @@ -0,0 +1,8 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = +struct + open F + let randombytes = + foreign "Lib_RandomBuffer_System_randombytes" + (ocaml_bytes @-> uint32_t @-> returning bool) +end diff --git a/ocaml/lib_gen/EverCrypt_AEAD_gen.ml b/ocaml/lib_gen/EverCrypt_AEAD_gen.ml new file mode 100644 index 00000000..714911c1 --- /dev/null +++ b/ocaml/lib_gen/EverCrypt_AEAD_gen.ml 
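Review bot: The `randombytes` binding in Lib_RandomBuffer_System_bindings.ml states nothing about the contract between its `uint32_t` count and the `ocaml_bytes` buffer, and unlike the generated bindings around it this file appears to be hand-written (different indentation, no trailing "No newline" marker), so a comment on the binding is the right place for it. ctypes hands `ocaml_bytes` to C as a bare pointer and never compares the count against `Bytes.length`, so a count larger than the buffer would presumably let the C side write past it; the `bool` result is likewise easy for callers to drop. I would add above `let randombytes =`: `(* [randombytes buf len] fills the first [len] bytes of [buf] from the system RNG. Callers must guarantee [len <= Bytes.length buf] (ctypes does not check this) and must treat a [false] result as failure, not using the buffer contents as randomness. *)`.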
@@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_AEAD_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module EverCrypt_AEAD_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_AEAD_c_stubs.c")); + Format.printf "#include \"EverCrypt_AEAD.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module EverCrypt_AEAD_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/EverCrypt_AutoConfig2_gen.ml b/ocaml/lib_gen/EverCrypt_AutoConfig2_gen.ml new file mode 100644 index 00000000..f378eeb7 --- /dev/null +++ b/ocaml/lib_gen/EverCrypt_AutoConfig2_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_AutoConfig2_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module EverCrypt_AutoConfig2_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_AutoConfig2_c_stubs.c")); + Format.printf "#include \"EverCrypt_AutoConfig2.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module EverCrypt_AutoConfig2_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/EverCrypt_CTR_gen.ml b/ocaml/lib_gen/EverCrypt_CTR_gen.ml new file mode 100644 index 00000000..aca82d99 --- /dev/null +++ b/ocaml/lib_gen/EverCrypt_CTR_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_CTR_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module EverCrypt_CTR_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_CTR_c_stubs.c")); + Format.printf "#include \"EverCrypt_CTR.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module EverCrypt_CTR_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/EverCrypt_Chacha20Poly1305_gen.ml b/ocaml/lib_gen/EverCrypt_Chacha20Poly1305_gen.ml new file mode 100644 index 00000000..70aa1894 --- /dev/null 
+++ b/ocaml/lib_gen/EverCrypt_Chacha20Poly1305_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_Chacha20Poly1305_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module EverCrypt_Chacha20Poly1305_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_Chacha20Poly1305_c_stubs.c")); + Format.printf "#include \"EverCrypt_Chacha20Poly1305.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module EverCrypt_Chacha20Poly1305_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/EverCrypt_Cipher_gen.ml b/ocaml/lib_gen/EverCrypt_Cipher_gen.ml new file mode 100644 index 00000000..6817be21 --- /dev/null +++ b/ocaml/lib_gen/EverCrypt_Cipher_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_Cipher_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module EverCrypt_Cipher_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_Cipher_c_stubs.c")); + Format.printf "#include \"EverCrypt_Cipher.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module EverCrypt_Cipher_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/EverCrypt_Curve25519_gen.ml b/ocaml/lib_gen/EverCrypt_Curve25519_gen.ml new file mode 100644 index 00000000..30ec442b --- /dev/null +++ b/ocaml/lib_gen/EverCrypt_Curve25519_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_Curve25519_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module EverCrypt_Curve25519_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_Curve25519_c_stubs.c")); + Format.printf "#include \"EverCrypt_Curve25519.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module EverCrypt_Curve25519_bindings.Bindings) \ No newline at end of file 
diff --git a/ocaml/lib_gen/EverCrypt_DRBG_gen.ml b/ocaml/lib_gen/EverCrypt_DRBG_gen.ml new file mode 100644 index 00000000..8c38844e --- /dev/null +++ b/ocaml/lib_gen/EverCrypt_DRBG_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_DRBG_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module EverCrypt_DRBG_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_DRBG_c_stubs.c")); + Format.printf "#include \"EverCrypt_DRBG.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module EverCrypt_DRBG_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/EverCrypt_Ed25519_gen.ml b/ocaml/lib_gen/EverCrypt_Ed25519_gen.ml new file mode 100644 index 00000000..8a5d4b4f --- /dev/null +++ b/ocaml/lib_gen/EverCrypt_Ed25519_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_Ed25519_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module EverCrypt_Ed25519_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_Ed25519_c_stubs.c")); + Format.printf "#include \"EverCrypt_Ed25519.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module EverCrypt_Ed25519_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/EverCrypt_Error_gen.ml b/ocaml/lib_gen/EverCrypt_Error_gen.ml new file mode 100644 index 00000000..b6326d2a --- /dev/null +++ b/ocaml/lib_gen/EverCrypt_Error_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_Error_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module EverCrypt_Error_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_Error_c_stubs.c")); + Format.printf "#include \"EverCrypt_Error.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module EverCrypt_Error_bindings.Bindings) \ No newline at end of file 
diff --git a/ocaml/lib_gen/EverCrypt_HKDF_gen.ml b/ocaml/lib_gen/EverCrypt_HKDF_gen.ml new file mode 100644 index 00000000..c2cb5660 --- /dev/null +++ b/ocaml/lib_gen/EverCrypt_HKDF_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_HKDF_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module EverCrypt_HKDF_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_HKDF_c_stubs.c")); + Format.printf "#include \"EverCrypt_HKDF.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module EverCrypt_HKDF_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/EverCrypt_HMAC_gen.ml b/ocaml/lib_gen/EverCrypt_HMAC_gen.ml new file mode 100644 index 00000000..a7c5edcd --- /dev/null +++ b/ocaml/lib_gen/EverCrypt_HMAC_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_HMAC_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module EverCrypt_HMAC_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_HMAC_c_stubs.c")); + Format.printf "#include \"EverCrypt_HMAC.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module EverCrypt_HMAC_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/EverCrypt_Hash_gen.ml b/ocaml/lib_gen/EverCrypt_Hash_gen.ml new file mode 100644 index 00000000..584e5dbd --- /dev/null +++ b/ocaml/lib_gen/EverCrypt_Hash_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_Hash_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module EverCrypt_Hash_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_Hash_c_stubs.c")); + Format.printf "#include \"EverCrypt_Hash.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module EverCrypt_Hash_bindings.Bindings) \ No newline at end of file 
diff --git a/ocaml/lib_gen/EverCrypt_Poly1305_gen.ml b/ocaml/lib_gen/EverCrypt_Poly1305_gen.ml new file mode 100644 index 00000000..5608fd82 --- /dev/null +++ b/ocaml/lib_gen/EverCrypt_Poly1305_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_Poly1305_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module EverCrypt_Poly1305_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_Poly1305_c_stubs.c")); + Format.printf "#include \"EverCrypt_Poly1305.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module EverCrypt_Poly1305_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/EverCrypt_StaticConfig_gen.ml b/ocaml/lib_gen/EverCrypt_StaticConfig_gen.ml new file mode 100644 index 00000000..2118b6c5 --- /dev/null +++ b/ocaml/lib_gen/EverCrypt_StaticConfig_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_StaticConfig_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module EverCrypt_StaticConfig_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_StaticConfig_c_stubs.c")); + Format.printf "#include \"EverCrypt_StaticConfig.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module EverCrypt_StaticConfig_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/EverCrypt_Vale_gen.ml b/ocaml/lib_gen/EverCrypt_Vale_gen.ml new file mode 100644 index 00000000..905e211c --- /dev/null +++ b/ocaml/lib_gen/EverCrypt_Vale_gen.ml 
@@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_Vale_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module EverCrypt_Vale_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/EverCrypt_Vale_c_stubs.c")); + Format.printf "#include \"EverCrypt_Vale.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module EverCrypt_Vale_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_Bignum25519_51_gen.ml b/ocaml/lib_gen/Hacl_Bignum25519_51_gen.ml new file mode 100644 index 00000000..93764a84 --- /dev/null +++ b/ocaml/lib_gen/Hacl_Bignum25519_51_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Bignum25519_51_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_Bignum25519_51_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Bignum25519_51_c_stubs.c")); + Format.printf "#include \"Hacl_Bignum25519_51.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_Bignum25519_51_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_Bignum256_32_gen.ml b/ocaml/lib_gen/Hacl_Bignum256_32_gen.ml new file mode 100644 index 00000000..eefddbad --- /dev/null +++ b/ocaml/lib_gen/Hacl_Bignum256_32_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Bignum256_32_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_Bignum256_32_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Bignum256_32_c_stubs.c")); + Format.printf "#include \"Hacl_Bignum256_32.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_Bignum256_32_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_Bignum256_gen.ml b/ocaml/lib_gen/Hacl_Bignum256_gen.ml new file mode 100644 index 00000000..bd350c4f --- /dev/null 
+++ b/ocaml/lib_gen/Hacl_Bignum256_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Bignum256_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_Bignum256_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Bignum256_c_stubs.c")); + Format.printf "#include \"Hacl_Bignum256.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_Bignum256_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_Bignum32_gen.ml b/ocaml/lib_gen/Hacl_Bignum32_gen.ml new file mode 100644 index 00000000..5a769b75 --- /dev/null +++ b/ocaml/lib_gen/Hacl_Bignum32_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Bignum32_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_Bignum32_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Bignum32_c_stubs.c")); + Format.printf "#include \"Hacl_Bignum32.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_Bignum32_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_Bignum4096_32_gen.ml b/ocaml/lib_gen/Hacl_Bignum4096_32_gen.ml new file mode 100644 index 00000000..f2a357cb --- /dev/null +++ b/ocaml/lib_gen/Hacl_Bignum4096_32_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Bignum4096_32_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_Bignum4096_32_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Bignum4096_32_c_stubs.c")); + Format.printf "#include \"Hacl_Bignum4096_32.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_Bignum4096_32_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_Bignum4096_gen.ml b/ocaml/lib_gen/Hacl_Bignum4096_gen.ml new file mode 100644 index 00000000..38fb7392 --- /dev/null 
+++ b/ocaml/lib_gen/Hacl_Bignum4096_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Bignum4096_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_Bignum4096_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Bignum4096_c_stubs.c")); + Format.printf "#include \"Hacl_Bignum4096.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_Bignum4096_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_Bignum64_gen.ml b/ocaml/lib_gen/Hacl_Bignum64_gen.ml new file mode 100644 index 00000000..4f11373c --- /dev/null +++ b/ocaml/lib_gen/Hacl_Bignum64_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Bignum64_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_Bignum64_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Bignum64_c_stubs.c")); + Format.printf "#include \"Hacl_Bignum64.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_Bignum64_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_Bignum_Base_gen.ml b/ocaml/lib_gen/Hacl_Bignum_Base_gen.ml new file mode 100644 index 00000000..e2f9fa5c --- /dev/null +++ b/ocaml/lib_gen/Hacl_Bignum_Base_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Bignum_Base_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_Bignum_Base_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Bignum_Base_c_stubs.c")); + Format.printf "#include \"Hacl_Bignum_Base.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_Bignum_Base_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_Bignum_gen.ml b/ocaml/lib_gen/Hacl_Bignum_gen.ml new file mode 100644 index 00000000..f711c63a --- /dev/null 
+++ b/ocaml/lib_gen/Hacl_Bignum_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Bignum_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_Bignum_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Bignum_c_stubs.c")); + Format.printf "#include \"internal/Hacl_Bignum.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_Bignum_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_Chacha20Poly1305_128_gen.ml b/ocaml/lib_gen/Hacl_Chacha20Poly1305_128_gen.ml new file mode 100644 index 00000000..c1173562 --- /dev/null +++ b/ocaml/lib_gen/Hacl_Chacha20Poly1305_128_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Chacha20Poly1305_128_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_Chacha20Poly1305_128_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Chacha20Poly1305_128_c_stubs.c")); + Format.printf "#include \"Hacl_Chacha20Poly1305_128.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_Chacha20Poly1305_128_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_Chacha20Poly1305_256_gen.ml b/ocaml/lib_gen/Hacl_Chacha20Poly1305_256_gen.ml new file mode 100644 index 00000000..7fdddf83 --- /dev/null +++ b/ocaml/lib_gen/Hacl_Chacha20Poly1305_256_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Chacha20Poly1305_256_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_Chacha20Poly1305_256_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Chacha20Poly1305_256_c_stubs.c")); + Format.printf "#include \"Hacl_Chacha20Poly1305_256.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_Chacha20Poly1305_256_bindings.Bindings) \ No newline at end of file 
diff --git a/ocaml/lib_gen/Hacl_Chacha20Poly1305_32_gen.ml b/ocaml/lib_gen/Hacl_Chacha20Poly1305_32_gen.ml new file mode 100644 index 00000000..9f5ef8dd --- /dev/null +++ b/ocaml/lib_gen/Hacl_Chacha20Poly1305_32_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Chacha20Poly1305_32_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_Chacha20Poly1305_32_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Chacha20Poly1305_32_c_stubs.c")); + Format.printf "#include \"Hacl_Chacha20Poly1305_32.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_Chacha20Poly1305_32_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_Chacha20_Vec128_gen.ml b/ocaml/lib_gen/Hacl_Chacha20_Vec128_gen.ml new file mode 100644 index 00000000..2cc61c7d --- /dev/null +++ b/ocaml/lib_gen/Hacl_Chacha20_Vec128_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Chacha20_Vec128_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_Chacha20_Vec128_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Chacha20_Vec128_c_stubs.c")); + Format.printf "#include \"Hacl_Chacha20_Vec128.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_Chacha20_Vec128_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_Chacha20_Vec256_gen.ml b/ocaml/lib_gen/Hacl_Chacha20_Vec256_gen.ml new file mode 100644 index 00000000..9383b417 --- /dev/null +++ b/ocaml/lib_gen/Hacl_Chacha20_Vec256_gen.ml 
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Chacha20_Vec256_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_Chacha20_Vec256_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Chacha20_Vec256_c_stubs.c"));
+ Format.printf "#include \"Hacl_Chacha20_Vec256.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_Chacha20_Vec256_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_Chacha20_Vec32_gen.ml b/ocaml/lib_gen/Hacl_Chacha20_Vec32_gen.ml
new file mode 100644
index 00000000..2820f869
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_Chacha20_Vec32_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Chacha20_Vec32_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_Chacha20_Vec32_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Chacha20_Vec32_c_stubs.c"));
+ Format.printf "#include \"Hacl_Chacha20_Vec32.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_Chacha20_Vec32_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_Chacha20_gen.ml b/ocaml/lib_gen/Hacl_Chacha20_gen.ml
new file mode 100644
index 00000000..9f3da6be
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_Chacha20_gen.ml
@@ -0,0 +1,11 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Chacha20_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_Chacha20_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Chacha20_c_stubs.c"));
+ Format.printf
+ "#include \"Hacl_Chacha20.h\"\n#include \"internal/Hacl_Chacha20.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_Chacha20_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_Curve25519_51_gen.ml b/ocaml/lib_gen/Hacl_Curve25519_51_gen.ml
new file mode 100644
index 00000000..e488a4ad
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_Curve25519_51_gen.ml
@@ -0,0 +1,11 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Curve25519_51_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_Curve25519_51_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Curve25519_51_c_stubs.c"));
+ Format.printf
+ "#include \"Hacl_Curve25519_51.h\"\n#include \"internal/Hacl_Curve25519_51.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_Curve25519_51_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_Curve25519_64_Slow_gen.ml b/ocaml/lib_gen/Hacl_Curve25519_64_Slow_gen.ml
new file mode 100644
index 00000000..b28ed846
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_Curve25519_64_Slow_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Curve25519_64_Slow_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_Curve25519_64_Slow_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Curve25519_64_Slow_c_stubs.c"));
+ Format.printf "#include \"Hacl_Curve25519_64_Slow.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_Curve25519_64_Slow_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_Curve25519_64_gen.ml b/ocaml/lib_gen/Hacl_Curve25519_64_gen.ml
new file mode 100644
index 00000000..528dc860
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_Curve25519_64_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Curve25519_64_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_Curve25519_64_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Curve25519_64_c_stubs.c"));
+ Format.printf "#include \"Hacl_Curve25519_64.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_Curve25519_64_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_EC_Ed25519_gen.ml b/ocaml/lib_gen/Hacl_EC_Ed25519_gen.ml
new file mode 100644
index 00000000..d8ce4761
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_EC_Ed25519_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_EC_Ed25519_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_EC_Ed25519_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_EC_Ed25519_c_stubs.c"));
+ Format.printf "#include \"Hacl_EC_Ed25519.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_EC_Ed25519_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_Ed25519_gen.ml b/ocaml/lib_gen/Hacl_Ed25519_gen.ml
new file mode 100644
index 00000000..e111ed4a
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_Ed25519_gen.ml
@@ -0,0 +1,11 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Ed25519_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_Ed25519_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Ed25519_c_stubs.c"));
+ Format.printf
+ "#include \"Hacl_Ed25519.h\"\n#include \"internal/Hacl_Ed25519.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_Ed25519_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_FFDHE_gen.ml b/ocaml/lib_gen/Hacl_FFDHE_gen.ml
new file mode 100644
index 00000000..97e50506
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_FFDHE_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_FFDHE_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_FFDHE_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_FFDHE_c_stubs.c"));
+ Format.printf "#include \"Hacl_FFDHE.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_FFDHE_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_Frodo1344_gen.ml b/ocaml/lib_gen/Hacl_Frodo1344_gen.ml
new file mode 100644
index 00000000..8bd57f87
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_Frodo1344_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Frodo1344_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_Frodo1344_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Frodo1344_c_stubs.c"));
+ Format.printf "#include \"Hacl_Frodo1344.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_Frodo1344_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_Frodo640_gen.ml b/ocaml/lib_gen/Hacl_Frodo640_gen.ml
new file mode 100644
index 00000000..70d743aa
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_Frodo640_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Frodo640_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_Frodo640_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Frodo640_c_stubs.c"));
+ Format.printf "#include \"Hacl_Frodo640.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_Frodo640_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_Frodo64_gen.ml b/ocaml/lib_gen/Hacl_Frodo64_gen.ml
new file mode 100644
index 00000000..2c29dfce
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_Frodo64_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Frodo64_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_Frodo64_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Frodo64_c_stubs.c"));
+ Format.printf "#include \"Hacl_Frodo64.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_Frodo64_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_Frodo976_gen.ml b/ocaml/lib_gen/Hacl_Frodo976_gen.ml
new file mode 100644
index 00000000..6dc18636
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_Frodo976_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Frodo976_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_Frodo976_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Frodo976_c_stubs.c"));
+ Format.printf "#include \"Hacl_Frodo976.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_Frodo976_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_Frodo_KEM_gen.ml b/ocaml/lib_gen/Hacl_Frodo_KEM_gen.ml
new file mode 100644
index 00000000..7d1cec95
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_Frodo_KEM_gen.ml
@@ -0,0 +1,11 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Frodo_KEM_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_Frodo_KEM_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Frodo_KEM_c_stubs.c"));
+ Format.printf
+ "#include \"Hacl_Frodo_KEM.h\"\n#include \"internal/Hacl_Frodo_KEM.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_Frodo_KEM_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_GenericField32_gen.ml b/ocaml/lib_gen/Hacl_GenericField32_gen.ml
new file mode 100644
index 00000000..8c551431
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_GenericField32_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_GenericField32_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_GenericField32_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_GenericField32_c_stubs.c"));
+ Format.printf "#include \"Hacl_GenericField32.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_GenericField32_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_GenericField64_gen.ml b/ocaml/lib_gen/Hacl_GenericField64_gen.ml
new file mode 100644
index 00000000..ab89d51d
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_GenericField64_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_GenericField64_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_GenericField64_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_GenericField64_c_stubs.c"));
+ Format.printf "#include \"Hacl_GenericField64.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_GenericField64_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_HKDF_Blake2b_256_gen.ml b/ocaml/lib_gen/Hacl_HKDF_Blake2b_256_gen.ml
new file mode 100644
index 00000000..b1f168e1
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_HKDF_Blake2b_256_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HKDF_Blake2b_256_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_HKDF_Blake2b_256_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HKDF_Blake2b_256_c_stubs.c"));
+ Format.printf "#include \"Hacl_HKDF_Blake2b_256.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_HKDF_Blake2b_256_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_HKDF_Blake2s_128_gen.ml b/ocaml/lib_gen/Hacl_HKDF_Blake2s_128_gen.ml
new file mode 100644
index 00000000..acdd62db
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_HKDF_Blake2s_128_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HKDF_Blake2s_128_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_HKDF_Blake2s_128_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HKDF_Blake2s_128_c_stubs.c"));
+ Format.printf "#include \"Hacl_HKDF_Blake2s_128.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_HKDF_Blake2s_128_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_HKDF_gen.ml b/ocaml/lib_gen/Hacl_HKDF_gen.ml
new file mode 100644
index 00000000..066c1236
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_HKDF_gen.ml
@@ -0,0 +1,8 @@
+let _ =
+ (((Format.set_formatter_out_channel (open_out_bin "lib/Hacl_HKDF_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_HKDF_bindings.Bindings));
+ Format.set_formatter_out_channel (open_out_bin "lib/Hacl_HKDF_c_stubs.c"));
+ Format.printf "#include \"Hacl_HKDF.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_HKDF_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_HMAC_Blake2b_256_gen.ml b/ocaml/lib_gen/Hacl_HMAC_Blake2b_256_gen.ml
new file mode 100644
index 00000000..5a3f3ee0
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_HMAC_Blake2b_256_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HMAC_Blake2b_256_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_HMAC_Blake2b_256_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HMAC_Blake2b_256_c_stubs.c"));
+ Format.printf "#include \"Hacl_HMAC_Blake2b_256.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_HMAC_Blake2b_256_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_HMAC_Blake2s_128_gen.ml b/ocaml/lib_gen/Hacl_HMAC_Blake2s_128_gen.ml
new file mode 100644
index 00000000..00667c27
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_HMAC_Blake2s_128_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HMAC_Blake2s_128_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_HMAC_Blake2s_128_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HMAC_Blake2s_128_c_stubs.c"));
+ Format.printf "#include \"Hacl_HMAC_Blake2s_128.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_HMAC_Blake2s_128_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_HMAC_DRBG_gen.ml b/ocaml/lib_gen/Hacl_HMAC_DRBG_gen.ml
new file mode 100644
index 00000000..7851dd7b
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_HMAC_DRBG_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HMAC_DRBG_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_HMAC_DRBG_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HMAC_DRBG_c_stubs.c"));
+ Format.printf "#include \"Hacl_HMAC_DRBG.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_HMAC_DRBG_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_HMAC_gen.ml b/ocaml/lib_gen/Hacl_HMAC_gen.ml
new file mode 100644
index 00000000..51dcf35a
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_HMAC_gen.ml
@@ -0,0 +1,9 @@
+let _ =
+ (((Format.set_formatter_out_channel (open_out_bin "lib/Hacl_HMAC_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_HMAC_bindings.Bindings));
+ Format.set_formatter_out_channel (open_out_bin "lib/Hacl_HMAC_c_stubs.c"));
+ Format.printf
+ "#include \"Hacl_HMAC.h\"\n#include \"internal/Hacl_HMAC.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_HMAC_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_HPKE_Curve51_CP128_SHA256_gen.ml b/ocaml/lib_gen/Hacl_HPKE_Curve51_CP128_SHA256_gen.ml
new file mode 100644
index 00000000..8824dedf
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_HPKE_Curve51_CP128_SHA256_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_Curve51_CP128_SHA256_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_Curve51_CP128_SHA256_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_Curve51_CP128_SHA256_c_stubs.c"));
+ Format.printf "#include \"Hacl_HPKE_Curve51_CP128_SHA256.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_Curve51_CP128_SHA256_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_HPKE_Curve51_CP128_SHA512_gen.ml b/ocaml/lib_gen/Hacl_HPKE_Curve51_CP128_SHA512_gen.ml
new file mode 100644
index 00000000..c689008b
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_HPKE_Curve51_CP128_SHA512_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_Curve51_CP128_SHA512_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_Curve51_CP128_SHA512_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_Curve51_CP128_SHA512_c_stubs.c"));
+ Format.printf "#include \"Hacl_HPKE_Curve51_CP128_SHA512.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_Curve51_CP128_SHA512_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_HPKE_Curve51_CP256_SHA256_gen.ml b/ocaml/lib_gen/Hacl_HPKE_Curve51_CP256_SHA256_gen.ml
new file mode 100644
index 00000000..94a0e243
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_HPKE_Curve51_CP256_SHA256_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_Curve51_CP256_SHA256_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_Curve51_CP256_SHA256_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_Curve51_CP256_SHA256_c_stubs.c"));
+ Format.printf "#include \"Hacl_HPKE_Curve51_CP256_SHA256.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_Curve51_CP256_SHA256_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_HPKE_Curve51_CP256_SHA512_gen.ml b/ocaml/lib_gen/Hacl_HPKE_Curve51_CP256_SHA512_gen.ml
new file mode 100644
index 00000000..1021191a
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_HPKE_Curve51_CP256_SHA512_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_Curve51_CP256_SHA512_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_Curve51_CP256_SHA512_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_Curve51_CP256_SHA512_c_stubs.c"));
+ Format.printf "#include \"Hacl_HPKE_Curve51_CP256_SHA512.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_Curve51_CP256_SHA512_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_HPKE_Curve51_CP32_SHA256_gen.ml b/ocaml/lib_gen/Hacl_HPKE_Curve51_CP32_SHA256_gen.ml
new file mode 100644
index 00000000..bbcd26bb
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_HPKE_Curve51_CP32_SHA256_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_Curve51_CP32_SHA256_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_Curve51_CP32_SHA256_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_Curve51_CP32_SHA256_c_stubs.c"));
+ Format.printf "#include \"Hacl_HPKE_Curve51_CP32_SHA256.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_Curve51_CP32_SHA256_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_HPKE_Curve51_CP32_SHA512_gen.ml b/ocaml/lib_gen/Hacl_HPKE_Curve51_CP32_SHA512_gen.ml
new file mode 100644
index 00000000..3214edcc
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_HPKE_Curve51_CP32_SHA512_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_Curve51_CP32_SHA512_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_Curve51_CP32_SHA512_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_Curve51_CP32_SHA512_c_stubs.c"));
+ Format.printf "#include \"Hacl_HPKE_Curve51_CP32_SHA512.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_Curve51_CP32_SHA512_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_HPKE_Curve64_CP128_SHA256_gen.ml b/ocaml/lib_gen/Hacl_HPKE_Curve64_CP128_SHA256_gen.ml
new file mode 100644
index 00000000..e83872e5
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_HPKE_Curve64_CP128_SHA256_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_Curve64_CP128_SHA256_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_Curve64_CP128_SHA256_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_Curve64_CP128_SHA256_c_stubs.c"));
+ Format.printf "#include \"Hacl_HPKE_Curve64_CP128_SHA256.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_Curve64_CP128_SHA256_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_HPKE_Curve64_CP128_SHA512_gen.ml b/ocaml/lib_gen/Hacl_HPKE_Curve64_CP128_SHA512_gen.ml
new file mode 100644
index 00000000..de4ce3bb
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_HPKE_Curve64_CP128_SHA512_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_Curve64_CP128_SHA512_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_Curve64_CP128_SHA512_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_Curve64_CP128_SHA512_c_stubs.c"));
+ Format.printf "#include \"Hacl_HPKE_Curve64_CP128_SHA512.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_Curve64_CP128_SHA512_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_HPKE_Curve64_CP256_SHA256_gen.ml b/ocaml/lib_gen/Hacl_HPKE_Curve64_CP256_SHA256_gen.ml
new file mode 100644
index 00000000..2d8a0209
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_HPKE_Curve64_CP256_SHA256_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_Curve64_CP256_SHA256_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_Curve64_CP256_SHA256_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_Curve64_CP256_SHA256_c_stubs.c"));
+ Format.printf "#include \"Hacl_HPKE_Curve64_CP256_SHA256.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_Curve64_CP256_SHA256_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_HPKE_Curve64_CP256_SHA512_gen.ml b/ocaml/lib_gen/Hacl_HPKE_Curve64_CP256_SHA512_gen.ml
new file mode 100644
index 00000000..64523ad7
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_HPKE_Curve64_CP256_SHA512_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_Curve64_CP256_SHA512_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_Curve64_CP256_SHA512_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_Curve64_CP256_SHA512_c_stubs.c"));
+ Format.printf "#include \"Hacl_HPKE_Curve64_CP256_SHA512.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_Curve64_CP256_SHA512_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_HPKE_Curve64_CP32_SHA256_gen.ml b/ocaml/lib_gen/Hacl_HPKE_Curve64_CP32_SHA256_gen.ml
new file mode 100644
index 00000000..96821048
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_HPKE_Curve64_CP32_SHA256_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_Curve64_CP32_SHA256_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_Curve64_CP32_SHA256_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_Curve64_CP32_SHA256_c_stubs.c"));
+ Format.printf "#include \"Hacl_HPKE_Curve64_CP32_SHA256.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_Curve64_CP32_SHA256_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_HPKE_Curve64_CP32_SHA512_gen.ml b/ocaml/lib_gen/Hacl_HPKE_Curve64_CP32_SHA512_gen.ml
new file mode 100644
index 00000000..e2d9c388
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_HPKE_Curve64_CP32_SHA512_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_Curve64_CP32_SHA512_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_Curve64_CP32_SHA512_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_Curve64_CP32_SHA512_c_stubs.c"));
+ Format.printf "#include \"Hacl_HPKE_Curve64_CP32_SHA512.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_Curve64_CP32_SHA512_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_HPKE_P256_CP128_SHA256_gen.ml b/ocaml/lib_gen/Hacl_HPKE_P256_CP128_SHA256_gen.ml
new file mode 100644
index 00000000..9d0a36b3
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_HPKE_P256_CP128_SHA256_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_P256_CP128_SHA256_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_P256_CP128_SHA256_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_P256_CP128_SHA256_c_stubs.c"));
+ Format.printf "#include \"Hacl_HPKE_P256_CP128_SHA256.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_P256_CP128_SHA256_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_HPKE_P256_CP256_SHA256_gen.ml b/ocaml/lib_gen/Hacl_HPKE_P256_CP256_SHA256_gen.ml
new file mode 100644
index 00000000..a1a06f77
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_HPKE_P256_CP256_SHA256_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_P256_CP256_SHA256_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_P256_CP256_SHA256_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_P256_CP256_SHA256_c_stubs.c"));
+ Format.printf "#include \"Hacl_HPKE_P256_CP256_SHA256.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_P256_CP256_SHA256_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_HPKE_P256_CP32_SHA256_gen.ml b/ocaml/lib_gen/Hacl_HPKE_P256_CP32_SHA256_gen.ml
new file mode 100644
index 00000000..ffd63b8a
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_HPKE_P256_CP32_SHA256_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_P256_CP32_SHA256_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_P256_CP32_SHA256_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_HPKE_P256_CP32_SHA256_c_stubs.c"));
+ Format.printf "#include \"Hacl_HPKE_P256_CP32_SHA256.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_HPKE_P256_CP32_SHA256_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_Hash_Base_gen.ml b/ocaml/lib_gen/Hacl_Hash_Base_gen.ml
new file mode 100644
index 00000000..c1fc8c18
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_Hash_Base_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Hash_Base_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_Hash_Base_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Hash_Base_c_stubs.c"));
+ Format.printf "#include \"Hacl_Hash_Base.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_Hash_Base_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_Hash_Blake2_gen.ml b/ocaml/lib_gen/Hacl_Hash_Blake2_gen.ml
new file mode 100644
index 00000000..7e335472
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_Hash_Blake2_gen.ml
@@ -0,0 +1,11 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Hash_Blake2_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_Hash_Blake2_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Hash_Blake2_c_stubs.c"));
+ Format.printf
+ "#include \"Hacl_Hash_Blake2.h\"\n#include \"internal/Hacl_Hash_Blake2.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_Hash_Blake2_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_Hash_Blake2b_256_gen.ml b/ocaml/lib_gen/Hacl_Hash_Blake2b_256_gen.ml
new file mode 100644
index 00000000..f945c36b
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_Hash_Blake2b_256_gen.ml
@@ -0,0 +1,11 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Hash_Blake2b_256_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_Hash_Blake2b_256_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Hash_Blake2b_256_c_stubs.c"));
+ Format.printf
+ "#include \"Hacl_Hash_Blake2b_256.h\"\n#include \"internal/Hacl_Hash_Blake2b_256.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_Hash_Blake2b_256_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_Hash_Blake2s_128_gen.ml b/ocaml/lib_gen/Hacl_Hash_Blake2s_128_gen.ml
new file mode 100644
index 00000000..decf7229
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_Hash_Blake2s_128_gen.ml
@@ -0,0 +1,11 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Hash_Blake2s_128_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_Hash_Blake2s_128_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Hash_Blake2s_128_c_stubs.c"));
+ Format.printf
+ "#include \"Hacl_Hash_Blake2s_128.h\"\n#include \"internal/Hacl_Hash_Blake2s_128.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_Hash_Blake2s_128_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_Hash_MD5_gen.ml b/ocaml/lib_gen/Hacl_Hash_MD5_gen.ml
new file mode 100644
index 00000000..8569ec9c
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_Hash_MD5_gen.ml
@@ -0,0 +1,11 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Hash_MD5_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_Hash_MD5_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Hash_MD5_c_stubs.c"));
+ Format.printf
+ "#include \"Hacl_Hash_MD5.h\"\n#include \"internal/Hacl_Hash_MD5.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_Hash_MD5_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_Hash_SHA1_gen.ml b/ocaml/lib_gen/Hacl_Hash_SHA1_gen.ml
new file mode 100644
index 00000000..068a6601
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_Hash_SHA1_gen.ml
@@ -0,0 +1,11 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Hash_SHA1_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_Hash_SHA1_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Hash_SHA1_c_stubs.c"));
+ Format.printf
+ "#include \"Hacl_Hash_SHA1.h\"\n#include \"internal/Hacl_Hash_SHA1.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_Hash_SHA1_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_Hash_SHA2_gen.ml b/ocaml/lib_gen/Hacl_Hash_SHA2_gen.ml
new file mode 100644
index 00000000..4b506703
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_Hash_SHA2_gen.ml
@@ -0,0 +1,11 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Hash_SHA2_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_Hash_SHA2_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_Hash_SHA2_c_stubs.c"));
+ Format.printf
+ "#include \"Hacl_Hash_SHA2.h\"\n#include \"internal/Hacl_Hash_SHA2.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_Hash_SHA2_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_IntTypes_Intrinsics_128_gen.ml b/ocaml/lib_gen/Hacl_IntTypes_Intrinsics_128_gen.ml
new file mode 100644
index 00000000..8f6a8d86
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_IntTypes_Intrinsics_128_gen.ml
@@ -0,0 +1,10 @@
+let _ =
+ (((Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_IntTypes_Intrinsics_128_stubs.ml");
+ Cstubs.write_ml Format.std_formatter ~prefix:""
+ (module Hacl_IntTypes_Intrinsics_128_bindings.Bindings));
+ Format.set_formatter_out_channel
+ (open_out_bin "lib/Hacl_IntTypes_Intrinsics_128_c_stubs.c"));
+ Format.printf "#include \"Hacl_IntTypes_Intrinsics_128.h\"\n");
+ Cstubs.write_c Format.std_formatter ~prefix:""
+ (module Hacl_IntTypes_Intrinsics_128_bindings.Bindings)
\ No newline at end of file
diff --git a/ocaml/lib_gen/Hacl_IntTypes_Intrinsics_gen.ml b/ocaml/lib_gen/Hacl_IntTypes_Intrinsics_gen.ml
new file mode 100644
index 00000000..5f609ea1
--- /dev/null
+++ b/ocaml/lib_gen/Hacl_IntTypes_Intrinsics_gen.ml
@@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_IntTypes_Intrinsics_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_IntTypes_Intrinsics_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_IntTypes_Intrinsics_c_stubs.c")); + Format.printf "#include \"Hacl_IntTypes_Intrinsics.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_IntTypes_Intrinsics_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_NaCl_gen.ml b/ocaml/lib_gen/Hacl_NaCl_gen.ml new file mode 100644 index 00000000..0defd8e0 --- /dev/null +++ b/ocaml/lib_gen/Hacl_NaCl_gen.ml @@ -0,0 +1,8 @@ +let _ = + (((Format.set_formatter_out_channel (open_out_bin "lib/Hacl_NaCl_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_NaCl_bindings.Bindings)); + Format.set_formatter_out_channel (open_out_bin "lib/Hacl_NaCl_c_stubs.c")); + Format.printf "#include \"Hacl_NaCl.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_NaCl_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_P256_gen.ml b/ocaml/lib_gen/Hacl_P256_gen.ml new file mode 100644 index 00000000..58c14e09 --- /dev/null +++ b/ocaml/lib_gen/Hacl_P256_gen.ml @@ -0,0 +1,9 @@ +let _ = + (((Format.set_formatter_out_channel (open_out_bin "lib/Hacl_P256_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_P256_bindings.Bindings)); + Format.set_formatter_out_channel (open_out_bin "lib/Hacl_P256_c_stubs.c")); + Format.printf + "#include \"Hacl_P256.h\"\n#include \"internal/Hacl_P256.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_P256_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_Poly1305_128_gen.ml b/ocaml/lib_gen/Hacl_Poly1305_128_gen.ml new file mode 100644 index 00000000..baeebf3a --- /dev/null +++ b/ocaml/lib_gen/Hacl_Poly1305_128_gen.ml 
@@ -0,0 +1,11 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Poly1305_128_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_Poly1305_128_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Poly1305_128_c_stubs.c")); + Format.printf + "#include \"Hacl_Poly1305_128.h\"\n#include \"internal/Hacl_Poly1305_128.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_Poly1305_128_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_Poly1305_256_gen.ml b/ocaml/lib_gen/Hacl_Poly1305_256_gen.ml new file mode 100644 index 00000000..8eedeae7 --- /dev/null +++ b/ocaml/lib_gen/Hacl_Poly1305_256_gen.ml @@ -0,0 +1,11 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Poly1305_256_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_Poly1305_256_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Poly1305_256_c_stubs.c")); + Format.printf + "#include \"Hacl_Poly1305_256.h\"\n#include \"internal/Hacl_Poly1305_256.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_Poly1305_256_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_Poly1305_32_gen.ml b/ocaml/lib_gen/Hacl_Poly1305_32_gen.ml new file mode 100644 index 00000000..5b31ff8c --- /dev/null +++ b/ocaml/lib_gen/Hacl_Poly1305_32_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Poly1305_32_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_Poly1305_32_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Poly1305_32_c_stubs.c")); + Format.printf "#include \"Hacl_Poly1305_32.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_Poly1305_32_bindings.Bindings) \ No newline at end of file 
diff --git a/ocaml/lib_gen/Hacl_RSAPSS_gen.ml b/ocaml/lib_gen/Hacl_RSAPSS_gen.ml new file mode 100644 index 00000000..78b760c6 --- /dev/null +++ b/ocaml/lib_gen/Hacl_RSAPSS_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_RSAPSS_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_RSAPSS_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_RSAPSS_c_stubs.c")); + Format.printf "#include \"Hacl_RSAPSS.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_RSAPSS_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_SHA2_Scalar32_gen.ml b/ocaml/lib_gen/Hacl_SHA2_Scalar32_gen.ml new file mode 100644 index 00000000..ace478d3 --- /dev/null +++ b/ocaml/lib_gen/Hacl_SHA2_Scalar32_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_SHA2_Scalar32_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_SHA2_Scalar32_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_SHA2_Scalar32_c_stubs.c")); + Format.printf "#include \"Hacl_SHA2_Scalar32.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_SHA2_Scalar32_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_SHA2_Vec128_gen.ml b/ocaml/lib_gen/Hacl_SHA2_Vec128_gen.ml new file mode 100644 index 00000000..e7741fa6 --- /dev/null +++ b/ocaml/lib_gen/Hacl_SHA2_Vec128_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_SHA2_Vec128_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_SHA2_Vec128_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_SHA2_Vec128_c_stubs.c")); + Format.printf "#include \"Hacl_SHA2_Vec128.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_SHA2_Vec128_bindings.Bindings) \ No newline at end of file 
diff --git a/ocaml/lib_gen/Hacl_SHA2_Vec256_gen.ml b/ocaml/lib_gen/Hacl_SHA2_Vec256_gen.ml new file mode 100644 index 00000000..99da7c4c --- /dev/null +++ b/ocaml/lib_gen/Hacl_SHA2_Vec256_gen.ml @@ -0,0 +1,11 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_SHA2_Vec256_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_SHA2_Vec256_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_SHA2_Vec256_c_stubs.c")); + Format.printf + "#include \"Hacl_SHA2_Vec256.h\"\n#include \"internal/Hacl_SHA2_Vec256.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_SHA2_Vec256_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_SHA3_gen.ml b/ocaml/lib_gen/Hacl_SHA3_gen.ml new file mode 100644 index 00000000..3e672b4a --- /dev/null +++ b/ocaml/lib_gen/Hacl_SHA3_gen.ml @@ -0,0 +1,8 @@ +let _ = + (((Format.set_formatter_out_channel (open_out_bin "lib/Hacl_SHA3_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_SHA3_bindings.Bindings)); + Format.set_formatter_out_channel (open_out_bin "lib/Hacl_SHA3_c_stubs.c")); + Format.printf "#include \"Hacl_SHA3.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_SHA3_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_Salsa20_gen.ml b/ocaml/lib_gen/Hacl_Salsa20_gen.ml new file mode 100644 index 00000000..079ea32b --- /dev/null +++ b/ocaml/lib_gen/Hacl_Salsa20_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Salsa20_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_Salsa20_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Salsa20_c_stubs.c")); + Format.printf "#include \"Hacl_Salsa20.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_Salsa20_bindings.Bindings) \ No newline at end of file 
diff --git a/ocaml/lib_gen/Hacl_Spec_gen.ml b/ocaml/lib_gen/Hacl_Spec_gen.ml new file mode 100644 index 00000000..e52ccc53 --- /dev/null +++ b/ocaml/lib_gen/Hacl_Spec_gen.ml @@ -0,0 +1,9 @@ +let _ = + (((Format.set_formatter_out_channel (open_out_bin "lib/Hacl_Spec_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_Spec_bindings.Bindings)); + Format.set_formatter_out_channel (open_out_bin "lib/Hacl_Spec_c_stubs.c")); + Format.printf + "#include \"Hacl_Spec.h\"\n#include \"internal/Hacl_Spec.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_Spec_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_Streaming_Blake2_gen.ml b/ocaml/lib_gen/Hacl_Streaming_Blake2_gen.ml new file mode 100644 index 00000000..037a92bd --- /dev/null +++ b/ocaml/lib_gen/Hacl_Streaming_Blake2_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Streaming_Blake2_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_Streaming_Blake2_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Streaming_Blake2_c_stubs.c")); + Format.printf "#include \"Hacl_Streaming_Blake2.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_Streaming_Blake2_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_Streaming_MD5_gen.ml b/ocaml/lib_gen/Hacl_Streaming_MD5_gen.ml new file mode 100644 index 00000000..650a532e --- /dev/null +++ b/ocaml/lib_gen/Hacl_Streaming_MD5_gen.ml 
@@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Streaming_MD5_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_Streaming_MD5_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Streaming_MD5_c_stubs.c")); + Format.printf "#include \"Hacl_Streaming_MD5.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_Streaming_MD5_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_Streaming_Poly1305_32_gen.ml b/ocaml/lib_gen/Hacl_Streaming_Poly1305_32_gen.ml new file mode 100644 index 00000000..8ffcc67f --- /dev/null +++ b/ocaml/lib_gen/Hacl_Streaming_Poly1305_32_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Streaming_Poly1305_32_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_Streaming_Poly1305_32_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Streaming_Poly1305_32_c_stubs.c")); + Format.printf "#include \"Hacl_Streaming_Poly1305_32.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_Streaming_Poly1305_32_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_Streaming_SHA1_gen.ml b/ocaml/lib_gen/Hacl_Streaming_SHA1_gen.ml new file mode 100644 index 00000000..91e7741a --- /dev/null +++ b/ocaml/lib_gen/Hacl_Streaming_SHA1_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Streaming_SHA1_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_Streaming_SHA1_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Streaming_SHA1_c_stubs.c")); + Format.printf "#include \"Hacl_Streaming_SHA1.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_Streaming_SHA1_bindings.Bindings) \ No newline at end of file 
diff --git a/ocaml/lib_gen/Hacl_Streaming_SHA2_gen.ml b/ocaml/lib_gen/Hacl_Streaming_SHA2_gen.ml new file mode 100644 index 00000000..de38ea91 --- /dev/null +++ b/ocaml/lib_gen/Hacl_Streaming_SHA2_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Streaming_SHA2_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_Streaming_SHA2_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Streaming_SHA2_c_stubs.c")); + Format.printf "#include \"Hacl_Streaming_SHA2.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_Streaming_SHA2_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Lib_RandomBuffer_System_gen.ml b/ocaml/lib_gen/Lib_RandomBuffer_System_gen.ml new file mode 100644 index 00000000..7af01c60 --- /dev/null +++ b/ocaml/lib_gen/Lib_RandomBuffer_System_gen.ml @@ -0,0 +1,9 @@ +let _ = + Format.set_formatter_out_channel (open_out_bin "lib/Lib_RandomBuffer_System_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Lib_RandomBuffer_System_bindings.Bindings); + Format.set_formatter_out_channel (open_out_bin "lib/Lib_RandomBuffer_System_c_stubs.c"); + Format.printf "#include \"Lib_RandomBuffer_System.h\"\n"; + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Lib_RandomBuffer_System_bindings.Bindings) + diff --git a/ocaml/setup.py b/ocaml/setup.py new file mode 100755 index 00000000..91a30a07 --- /dev/null +++ b/ocaml/setup.py 
@@ -0,0 +1,112 @@ +#!/usr/bin/env python3 +# +# Copyright 2022 Cryspen Sarl +# +# Licensed under the Apache License, Version 2.0 or MIT. +# * http://www.apache.org/licenses/LICENSE-2.0 +# * http://opensource.org/licenses/MIT +# +# Setting up the HACL C library for the OCaml bindings. +# There are two different ways to do this +# +# ## mach build +# When working on the library, the preferred way to build the OCaml bindings is +# to use the top level mach script (`./mach build -l ocaml`). +# This uses the the local HACL C library. +# +# ## packaging +# For packaging the ocaml build needs to work "as is" without the super level +# C library. +# In this case this script pulls the HACL C library from the hacl-packages git +# repository and builds it locally. + +import os +import pathlib +from os.path import join as path_join +import re +import shutil +import subprocess +import sys + + +def change_config(src_config, dst_config): + '''Remove all comments from config.h so cppo can read it''' + with open(src_config, "r") as src: + lines = src.readlines() + with open(dst_config, "w") as dst: + for line in lines: + dst.write(re.sub(r'(\/\/.*)|(\/\*.*\*\/)', '', line)) + + +def copy_lib(include_path, vale_include_path, lib_path, karamel_path, config_path, + static_lib, dynamic_lib, config_name, dest_path): + '''Setup the C library to be usable by the bindings + This expects the C library in lib_path and the includes in include_path. + Note that we need to take all includes because the OCaml build doesn't + respect library boundaries and uses internals. + ''' + # Always remove whatever's in here. + include_dst = path_join(dest_path, 'include') + internal_include_dst = path_join(include_dst, "internal") + shutil.rmtree(dest_path, ignore_errors=True) + pathlib.Path(include_dst).mkdir(parents=True, exist_ok=True) + pathlib.Path(internal_include_dst).mkdir(parents=True, exist_ok=True) + + # Get the include and lib. 
+ # Note that the library needs to be sitting here next to the Makefile + includes = os.listdir(include_path) + for file in includes: + file = path_join(include_path, file) + if os.path.isfile(file): + shutil.copy(file, include_dst) + vale_includes = os.listdir(vale_include_path) + for file in vale_includes: + file = path_join(vale_include_path, file) + if os.path.isfile(file): + shutil.copy(file, include_dst) + internal_include_path = path_join(include_path, "internal") + internal_includes = os.listdir(internal_include_path) + for file in internal_includes: + file = path_join(internal_include_path, file) + if os.path.isfile(file): + shutil.copy(file, internal_include_dst) + shutil.copytree(karamel_path, path_join(dest_path, "kremlin")) + cwd = os.path.dirname(os.path.realpath(__file__)) + shutil.copy(path_join(lib_path, static_lib), cwd) + shutil.copy(path_join(lib_path, dynamic_lib), cwd) + + # Get the config.h, modify it, and put it into the include dir + change_config(path_join(config_path, config_name), + path_join(include_dst, config_name)) + + +def setup_pkg(static_lib, dynamic_lib, config_name, dest_path): + '''Get the HACL C lib from the git repo for packaing''' + shutil.rmtree('hacl-packages', ignore_errors=True) + subprocess.run( + ['git', 'clone', '-b', 'franziskus/dev-cleanup', + 'https://github.com/cryspen/hacl-packages', '--depth=1'], + check=True) + subprocess.run( + ['./mach', 'build', '--release'], + check=True, cwd='./hacl-packages') + copy_lib(path_join('hacl-packages', 'include'), + path_join('hacl-packages', 'vale', 'include'), + path_join('hacl-packages', 'build', 'Release'), + path_join('hacl-packages', 'kremlin'), + path_join('hacl-packages', 'build'), + static_lib, dynamic_lib, + config_name, dest_path) + + +def main(): + # XXX: Windows is not supported + if sys.platform == 'darwin': + so = 'dylib' + else: + so = 'so' + setup_pkg("libhacl_static.a", "libhacl."+so, "config.h", "./c/") + + +if __name__ == '__main__': + main() 
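Review bot: `setup_pkg` builds the C library from the unpinned, mutable `franziskus/dev-cleanup` branch fetched over the network at packaging time, so the bytes that end up in the OCaml package depend on wherever that branch points when `setup.py` runs, and a force-push or compromised branch would be picked up silently. Pin the checkout to a known revision and check it out explicitly, e.g. a module-level `HACL_PACKAGES_REV = '<commit sha of the intended hacl-packages revision>'` and, after the clone (without `--depth=1`, or after a `git fetch origin <sha>`), `subprocess.run(['git', 'checkout', HACL_PACKAGES_REV], check=True, cwd='./hacl-packages')`. `change_config` also only strips block comments that open and close on a single line (`(\/\*.*\*\/)`), so a multi-line `/* … */` in a future config.h would leave fragments that cppo cannot parse; a comment such as `# assumes config.h only uses single-line comments` would record that limitation. Since the freshly cloned repo's `mach` script is then executed and its `libhacl.so`/`libhacl_static.a` copied next to this file, the packaging step runs arbitrary code from that checkout with the user's privileges, which is inherent to building from source but worth stating in the header comment.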
diff --git a/rust/.gitignore b/rust/.gitignore
new file mode 100644
index 00000000..594ce530
--- /dev/null
+++ b/rust/.gitignore
@@ -0,0 +1,4 @@
+/target
+Cargo.lock
+/hacl-rust-sys/Cargo.lock
+/hacl-rust-sys/target
diff --git a/rust/Cargo.toml b/rust/Cargo.toml
new file mode 100644
index 00000000..327c9372
--- /dev/null
+++ b/rust/Cargo.toml
@@ -0,0 +1,39 @@
+[package]
+name = "hacl-rust"
+version = "0.0.0"
+authors = ["Franziskus Kiefer "]
+edition = "2021"
+license = "GPLv3"
+documentation = "https://docs.rs/hacl-rust/"
+description = "Crypto library using formally verified code from the HACL project"
+readme = "README.md"
+repository = "https://github.com/cryspen/hacl-packages/rust"
+
+[lib]
+crate-type = ["staticlib", "cdylib", "lib"]
+
+[features]
+default = ["random"]
+random = ["rand", "rand_core"]
+serialization = ["serde", "serde_json"]
+
+[dependencies]
+hacl-rust-sys = { version = "0.0.0", path = "hacl-rust-sys" }
+rand = { version = "0.8", optional = true }
+rand_core = { version = "0.6", optional = true }
+serde_json = { version = "1.0", optional = true }
+serde = { version = "1.0", features = ["derive"], optional = true }
+
+[dev-dependencies]
+serde_json = "1.0"
+serde = {version = "1.0", features = ["derive"]}
+criterion = "^0.3"
+rand = "0.8"
+
+[[bench]]
+name = "benchmark"
+harness = false
+
+[[bench]]
+name = "aead"
+harness = false
diff --git a/rust/README.md b/rust/README.md
new file mode 100644
index 00000000..7351fc5d
--- /dev/null
+++ b/rust/README.md
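Review bot: `license = "GPLv3"` in `[package]` of rust/Cargo.toml is not a valid SPDX expression (cargo warns on publish) and contradicts the licensing the rest of this commit declares — `ocaml/setup.py` in the same patch says "Apache License, Version 2.0 or MIT" and the diffstat adds `LICENSE-APACHE`. If the crate is meant to ship under the same terms as the C package, change it to `license = "Apache-2.0 OR MIT"`; if GPL is really intended for the Rust bindings alone, use the SPDX form `license = "GPL-3.0-only"` and explain the difference in the README. `repository` also points at a subdirectory (`…/hacl-packages/rust`), which is not a clonable URL; the repository root is the usual value, with the path mentioned in the README.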
@@ -0,0 +1,63 @@ +# HACL Rust bindings + +![Maturity Level][maturity-badge] +[![Build & Test][github-actions-badge]][github-actions-link] +[![ARM Build][drone-badge]][drone-link] + +This is the `hacl-rust` crate that provides Rust bindings for the HACL C package. +The FFI bindings are in the [hacl-rust-sys](hacl-rust-sys/) crates. + +**⚠️ Note:** This crate is still work in progress. +Don't use in production just yet. + +| Platform | Supported | +| :---------- | :-------: | +| MacOS | ✅ | +| MacOS Arm64 | ✅ | +| iOS | ✅ | +| Linux x64 | ✅ | +| Linux x86 | ✅ | +| Windows x64 | ✅ | +| Arm64 Linux | ✅ | +| Arm32 Linux | ✅ | + +## Crates + +| Name | Crates.io | Docs | +| :------------ | :-------------------------------------------------------------------------------- | :----------------------------------------------------------------------------------------------: | +| hacl-rust-sys | [![crates.io][hacl-rust-sys-crate-badge]](https://crates.io/crates/hacl-rust-sys) | [![Docs][docs-main-badge]](https://tech.cryspen.com/hacl-packages/rust/hacl-rust-sys/index.html) | +| hacl-rust | [![crates.io][hacl-rust-crate-badge]](https://crates.io/crates/hacl-rust) | [![Docs][docs-main-badge]](https://tech.cryspen.com/hacl-packages/rust/hacl-rust/index.html) | + +## Features + +By default the hacl-rust crate includes the `random` feature that allows generating random values (keys, nonces, etc.). +But this is not verified code and uses the [rand](https://crates.io/crates/rand) crate. It can be disabled with `--no-default-features`. +Please bring your own randomness if you want to be safe. + +## Platforms + +See above for a list of supported platforms. + +### Building + +Please see the [top level readme] for how to build. + +## Benchmarks + +To run benchmarks use `cargo bench`. + +## Tests + +All primitives are tested against the [Wycheproof](https://github.com/google/wycheproof) test vectors. +They can be run with `cargo test`. 
+This will also run automatically generated binding tests from bindgen. + +[maturity-badge]: https://img.shields.io/badge/maturity-beta-orange.svg?style=for-the-badge +[github-actions-badge]: https://img.shields.io/github/workflow/status/franziskuskiefer/evercrypt-rust/Build%20&%20Test?label=build%20%26%20tests&logo=github&style=for-the-badge +[github-actions-link]: https://github.com/franziskuskiefer/evercrypt-rust/actions/workflows/hacl-rust.yml?query=branch%3Amain +[drone-badge]: https://img.shields.io/drone/build/franziskuskiefer/evercrypt-rust?label=ARM%20BUILD&style=for-the-badge +[drone-link]: https://cloud.drone.io/franziskuskiefer/evercrypt-rust +[evercrypt-crate-badge]: https://img.shields.io/crates/v/hacl-rust-sys.svg?style=for-the-badge +[hacl-rust-sys-crate-badge]: https://img.shields.io/crates/v/evercrypt.svg?style=for-the-badge +[docs-main-badge]: https://img.shields.io/badge/docs-main-blue.svg?style=for-the-badge +[top level readme]: https://github.com/cryspen/hacl-packages#readme diff --git a/rust/benches/aead.rs b/rust/benches/aead.rs new file mode 100644 index 00000000..103d1d79 --- /dev/null +++ b/rust/benches/aead.rs 
@@ -0,0 +1,116 @@ +use std::time::{Duration, Instant}; + +fn randombytes(n: usize) -> Vec { + use rand::rngs::OsRng; + use rand::RngCore; + + let mut bytes = vec![0u8; n]; + OsRng.fill_bytes(&mut bytes); + bytes +} + +fn duration(d: Duration) -> f64 { + (d.as_secs() as f64) + (d.subsec_nanos() as f64 * 1e-9) +} + +fn aead_keys() { + use hacl_rust::aead::{self, Aead, Algorithm}; + const ONE_MB: usize = 0x100000; + + fn run(chunks: usize, payload_size: usize) { + let payload_mb: f64 = (payload_size as f64) / 1024. / 1024.; + let total_mb: f64 = payload_mb * chunks as f64; + let aead = match Aead::init(Algorithm::Aes128Gcm) { + Ok(aead) => aead, + Err(_) => { + println!("{:?} is not available.", Algorithm::Aes128Gcm); + return; + } + }; + let key = aead::key_gen(Algorithm::Aes128Gcm); + let mut nonce = Vec::new(); + let mut data = Vec::new(); + for _ in 0..chunks { + data.push(randombytes(payload_size)); + nonce.push(aead.nonce_gen()); + } + let aad = randombytes(1_000); + + println!("Warmup ..."); + for (chunk, chunk_nonce) in data.iter().zip(nonce.iter()) { + aead::encrypt_combined(Algorithm::Aes128Gcm, &key, chunk, chunk_nonce, &aad).unwrap(); + } + + // Stateful + let name = format!("AES128 GCM encrypt stateful {}x{}MB", chunks, payload_mb); + println!("{}", name); + + let start = Instant::now(); + let aead = aead.set_key(&key).unwrap(); + let end = Instant::now(); + let time = duration(end.duration_since(start)); + println!("\t{}s key expansion", time); + + let mut ct1 = vec![]; + let start = Instant::now(); + for (chunk, chunk_nonce) in data.iter().zip(nonce.iter()) { + ct1 = aead.encrypt_combined(chunk, chunk_nonce, &aad).unwrap(); + } + let end = Instant::now(); + let time = duration(end.duration_since(start)); + println!("\t{} MB/s", total_mb / time); + + // Stateless + let name = format!("AES128 GCM encrypt single-shot {}x{}MB", chunks, payload_mb); + println!("{}", name); + let mut ct2 = vec![]; + let start = Instant::now(); + for (chunk, chunk_nonce) in 
data.iter().zip(nonce.iter()) { + ct2 = aead::encrypt_combined(Algorithm::Aes128Gcm, &key, chunk, chunk_nonce, &aad) + .unwrap(); + } + let end = Instant::now(); + assert_eq!(&ct1, &ct2); + let time = duration(end.duration_since(start)); + println!("\t{} MB/s", total_mb / time); + + // Stateless in place + let name = format!( + "AES128 GCM encrypt single-shot in place {}x{}MB", + chunks, payload_mb + ); + println!("{}", name); + let mut in_place_tag = vec![]; + let start = Instant::now(); + for (chunk, chunk_nonce) in data.iter_mut().zip(nonce.iter()) { + in_place_tag = aead::encrypt_in_place( + Algorithm::Aes128Gcm, + &key, + chunk.as_mut_slice(), + chunk_nonce, + &aad, + ) + .unwrap(); + } + let end = Instant::now(); + assert_eq!(&ct1[ct1.len() - 16..], &in_place_tag); + let time = duration(end.duration_since(start)); + println!("\t{} MB/s", total_mb / time); + } + + for num_mb in 1..2 { + for chunks in 1..2 { + let payload_size = num_mb * ONE_MB; + run(chunks, payload_size); + } + } + + // 64 x 16KB + let chunks = 64; + let payload_size = 1024 * 16; + run(chunks, payload_size); +} + +fn main() { + aead_keys(); +} diff --git a/rust/benches/benchmark.rs b/rust/benches/benchmark.rs new file mode 100644 index 00000000..e70e29a3 --- /dev/null +++ b/rust/benches/benchmark.rs 
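Review bot: The `duration` helper at the top of rust/benches/aead.rs hand-rolls `secs + nanos * 1e-9`, which `Duration::as_secs_f64()` already provides (stable well before edition 2021); each call site can become `let time = end.duration_since(start).as_secs_f64();` and the helper can go. The sanity checks `assert_eq!(&ct1, &ct2)` and the tag comparison also only see the last chunk, because `ct1`, `ct2` and `in_place_tag` are overwritten on every loop iteration, so in the 64×16KB run 63 of 64 outputs are never compared; if these asserts are meant to validate the stateful, single-shot and in-place paths against each other, collect the outputs into a `Vec` or compare inside the loop. Otherwise a comment such as `// only the last chunk is compared; this is a throughput bench, not a test` would make the intent explicit.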
@@ -0,0 +1,766 @@ +#[macro_use] +extern crate criterion; +extern crate hacl_rust; +extern crate rand; + +use criterion::{BatchSize, Criterion}; + +// 1 MB +const PAYLOAD_SIZE: usize = 0x100000; + +fn clone_into_array(slice: &[T]) -> A +where + A: Default + AsMut<[T]>, + T: Clone, +{ + let mut a = Default::default(); + A::as_mut(&mut a).clone_from_slice(slice); + a +} + +fn randombytes(n: usize) -> Vec { + use rand::rngs::OsRng; + use rand::RngCore; + + let mut bytes = vec![0u8; n]; + OsRng.fill_bytes(&mut bytes); + bytes +} + +fn hex_to_bytes(hex: &str) -> Vec { + let mut bytes = Vec::new(); + for i in 0..(hex.len() / 2) { + let b = u8::from_str_radix(&hex[2 * i..2 * i + 2], 16).unwrap(); + bytes.push(b); + } + bytes +} + +fn criterion_digest(c: &mut Criterion) { + use hacl_rust::digest::{self, Algorithm}; + c.bench_function("SHA1", |b| { + b.iter_batched( + || randombytes(PAYLOAD_SIZE), + |data| { + let _d = digest::hash(Algorithm::Sha1, &data); + }, + BatchSize::SmallInput, + ) + }); + c.bench_function("SHA224", |b| { + b.iter_batched( + || randombytes(PAYLOAD_SIZE), + |data| { + let _d = digest::hash(Algorithm::Sha224, &data); + }, + BatchSize::SmallInput, + ) + }); + c.bench_function("SHA256", |b| { + b.iter_batched( + || randombytes(PAYLOAD_SIZE), + |data| { + let _d = digest::hash(Algorithm::Sha256, &data); + }, + BatchSize::SmallInput, + ) + }); + c.bench_function("SHA384", |b| { + b.iter_batched( + || randombytes(PAYLOAD_SIZE), + |data| { + let _d = digest::hash(Algorithm::Sha384, &data); + }, + BatchSize::SmallInput, + ) + }); + c.bench_function("SHA512", |b| { + b.iter_batched( + || randombytes(PAYLOAD_SIZE), + |data| { + let _d = digest::hash(Algorithm::Sha512, &data); + }, + BatchSize::SmallInput, + ) + }); + c.bench_function("SHA3 224", |b| { + b.iter_batched( + || randombytes(PAYLOAD_SIZE), + |data| { + let _d = digest::hash(Algorithm::Sha3_224, &data); + }, + BatchSize::SmallInput, + ) + }); + c.bench_function("SHA3 256", |b| { + b.iter_batched( + || 
randombytes(PAYLOAD_SIZE), + |data| { + let _d = digest::hash(Algorithm::Sha3_256, &data); + }, + BatchSize::SmallInput, + ) + }); + c.bench_function("SHA3 384", |b| { + b.iter_batched( + || randombytes(PAYLOAD_SIZE), + |data| { + let _d = digest::hash(Algorithm::Sha3_384, &data); + }, + BatchSize::SmallInput, + ) + }); + c.bench_function("SHA3 512", |b| { + b.iter_batched( + || randombytes(PAYLOAD_SIZE), + |data| { + let _d = digest::hash(Algorithm::Sha3_512, &data); + }, + BatchSize::SmallInput, + ) + }); + c.bench_function("SHAKE 128", |b| { + b.iter_batched( + || randombytes(PAYLOAD_SIZE), + |data| { + let _d = digest::shake128(&data, 64); + }, + BatchSize::SmallInput, + ) + }); + c.bench_function("SHAKE 256", |b| { + b.iter_batched( + || randombytes(PAYLOAD_SIZE), + |data| { + let _d = digest::shake256(&data, 64); + }, + BatchSize::SmallInput, + ) + }); + c.bench_function("Blake2s", |b| { + b.iter_batched( + || randombytes(PAYLOAD_SIZE), + |data| { + let _d = digest::hash(Algorithm::Blake2s, &data); + }, + BatchSize::SmallInput, + ) + }); + c.bench_function("Blake2b", |b| { + b.iter_batched( + || randombytes(PAYLOAD_SIZE), + |data| { + let _d = digest::hash(Algorithm::Blake2b, &data); + }, + BatchSize::SmallInput, + ) + }); +} + +fn criterion_aead(c: &mut Criterion) { + use hacl_rust::aead::{Aead, Algorithm}; + + fn bench_encrypt(c: &mut Criterion, id: &str, mode: Algorithm, mut fun: F) + where + F: FnMut(&[u8], &[u8], &[u8], Aead), + { + if Aead::init(mode).is_err() { + println!("{:?} is not available.", mode); + return; + } + c.bench_function(id, |b| { + b.iter_batched( + || { + let mut aead = Aead::init(mode).unwrap(); + aead.set_random_key().unwrap(); + let nonce = aead.nonce_gen(); + let data = randombytes(PAYLOAD_SIZE); + let aad = randombytes(1_000); + (data, nonce, aad, aead) + }, + |(data, nonce, aad, aead)| { + fun(&data, &nonce, &aad, aead); + }, + BatchSize::SmallInput, + ) + }); + } + + fn bench_decrypt(c: &mut Criterion, id: &str, mode: 
Algorithm, mut fun: F) + where + F: FnMut(Vec, Vec, Vec, Vec, Vec, Vec), + { + if Aead::init(mode).is_err() { + println!("{:?} is not available.", mode); + return; + } + c.bench_function(id, |b| { + b.iter_batched( + || { + let aead = Aead::init(mode).unwrap(); + let key = aead.key_gen(); + let aead = aead.set_key(&key).unwrap(); + let nonce = aead.nonce_gen(); + let data = randombytes(PAYLOAD_SIZE); + let aad = randombytes(1_000); + let (ct, tag) = aead.encrypt(&data, &nonce, &aad).unwrap(); + let mut ct_tag = ct.clone(); + ct_tag.extend(tag.clone()); + (key, nonce, ct, tag, ct_tag, aad) + }, + |(key, nonce, ct, tag, ct_tag, aad)| { + fun(key, nonce, ct, tag, ct_tag, aad); + }, + BatchSize::SmallInput, + ) + }); + } + + let payload_mb = PAYLOAD_SIZE / 1024 / 1024; + bench_encrypt( + c, + &format!("AES128 GCM encrypt {}MB", payload_mb), + Algorithm::Aes128Gcm, + |data, nonce, aad, aead| { + let (_ct, _tag) = aead.encrypt(&data, &nonce, &aad).unwrap(); + }, + ); + bench_encrypt( + c, + &format!("AES128 GCM encrypt (combine ctxt || tag) {}MB", payload_mb), + Algorithm::Aes128Gcm, + |data, nonce, aad, aead| { + let (mut ct, mut tag) = aead.encrypt(&data, &nonce, &aad).unwrap(); + ct.append(&mut tag); + }, + ); + bench_encrypt( + c, + &format!("AES128 GCM encrypt (combined ctxt || tag) {}MB", payload_mb), + Algorithm::Aes128Gcm, + |data, nonce, aad, aead| { + let _ct = aead.encrypt_combined(&data, &nonce, &aad).unwrap(); + }, + ); + + bench_decrypt( + c, + &format!("AES128 GCM decrypt {}MB", payload_mb), + Algorithm::Aes128Gcm, + |key, nonce, ct, tag, _ct_tag, aad| { + let aead = Aead::new(Algorithm::Aes128Gcm, &key).unwrap(); + let _decrypted = aead.decrypt(&ct, &tag, &nonce, &aad).unwrap(); + }, + ); + bench_decrypt( + c, + &format!("AES128 GCM decrypt (combined ctxt || tag) {}MB", payload_mb), + Algorithm::Aes128Gcm, + |key, nonce, _ct, _tag, ct_tag, aad| { + let aead = Aead::new(Algorithm::Aes128Gcm, &key).unwrap(); + let _decrypted = aead.decrypt_combined(&ct_tag, 
&nonce, &aad).unwrap();
+ },
+ );
+
+ bench_encrypt(
+ c,
+ &format!("AES256 GCM encrypt {}MB", payload_mb),
+ Algorithm::Aes256Gcm,
+ |data, nonce, aad, aead| {
+ let (_ct, _tag) = aead.encrypt(&data, &nonce, &aad).unwrap();
+ },
+ );
+ bench_encrypt(
+ c,
+ &format!("AES256 GCM encrypt (combine ctxt || tag) {}MB", payload_mb),
+ Algorithm::Aes256Gcm,
+ |data, nonce, aad, aead| {
+ let (mut ct, mut tag) = aead.encrypt(&data, &nonce, &aad).unwrap();
+ ct.append(&mut tag);
+ },
+ );
+ bench_encrypt(
+ c,
+ &format!("AES256 GCM encrypt (combined ctxt || tag) {}MB", payload_mb),
+ Algorithm::Aes256Gcm,
+ |data, nonce, aad, aead| {
+ let _ct = aead.encrypt_combined(&data, &nonce, &aad).unwrap();
+ },
+ );
+
+ bench_decrypt(
+ c,
+ &format!("AES256 GCM decrypt {}MB", payload_mb),
+ Algorithm::Aes128Gcm,
+ |key, nonce, ct, tag, _ct_tag, aad| {
+ let aead = Aead::new(Algorithm::Aes128Gcm, &key).unwrap();
+ let _decrypted = aead.decrypt(&ct, &tag, &nonce, &aad).unwrap();
+ },
+ );
+ bench_decrypt(
+ c,
+ &format!("AES256 GCM decrypt (combined ctxt || tag) {}MB", payload_mb),
+ Algorithm::Aes256Gcm,
+ |key, nonce, _ct, _tag, ct_tag, aad| {
+ let aead = Aead::new(Algorithm::Aes256Gcm, &key).unwrap();
+ let _decrypted = aead.decrypt_combined(&ct_tag, &nonce, &aad).unwrap();
+ },
+ );
+
+ bench_encrypt(
+ c,
+ &format!("ChaCha20Poly1305 encrypt {}MB", payload_mb),
+ Algorithm::Chacha20Poly1305,
+ |data, nonce, aad, aead| {
+ let (_ct, _tag) = aead.encrypt(&data, &nonce, &aad).unwrap();
+ },
+ );
+ bench_encrypt(
+ c,
+ &format!(
+ "ChaCha20Poly1305 encrypt (combine ctxt || tag) {}MB",
+ payload_mb
+ ),
+ Algorithm::Chacha20Poly1305,
+ |data, nonce, aad, aead| {
+ let (mut ct, mut tag) = aead.encrypt(&data, &nonce, &aad).unwrap();
+ ct.append(&mut tag);
+ },
+ );
+ bench_encrypt(
+ c,
+ &format!(
+ "ChaCha20Poly1305 encrypt (combined ctxt || tag) {}MB",
+ payload_mb
+ ),
+ Algorithm::Chacha20Poly1305,
+ |data, nonce, aad, aead| {
+ let _ct = aead.encrypt_combined(&data, &nonce, &aad).unwrap();
+ },
+ );
+
+ bench_decrypt(
+ c,
+ &format!("ChaCha20Poly1305 decrypt {}MB", payload_mb),
+ Algorithm::Chacha20Poly1305,
+ |key, nonce, ct, tag, _ct_tag, aad| {
+ let aead = Aead::new(Algorithm::Chacha20Poly1305, &key).unwrap();
+ let _decrypted = aead.decrypt(&ct, &tag, &nonce, &aad).unwrap();
+ },
+ );
+ bench_decrypt(
+ c,
+ &format!(
+ "ChaCha20Poly1305 decrypt (combined ctxt || tag) {}MB",
+ payload_mb
+ ),
+ Algorithm::Chacha20Poly1305,
+ |key, nonce, _ct, _tag, ct_tag, aad| {
+ let aead = Aead::new(Algorithm::Chacha20Poly1305, &key).unwrap();
+ let _decrypted = aead.decrypt_combined(&ct_tag, &nonce, &aad).unwrap();
+ },
+ );
+}
+
+fn criterion_aead_keys(c: &mut Criterion) {
+ use hacl_rust::aead::{self, Aead, Algorithm};
+
+ const PAYLOAD_MB: usize = PAYLOAD_SIZE / 1024 / 1024;
+ const CHUNKS: usize = 100;
+
+ if Aead::init(Algorithm::Aes128Gcm).is_err() {
+ println!("{:?} is not available.", Algorithm::Aes128Gcm);
+ return;
+ }
+
+ c.bench_function(
+ &format!("AES128 GCM encrypt stateful {}x{}MB", CHUNKS, PAYLOAD_MB),
+ |b| {
+ b.iter_batched(
+ || {
+ let mut aead = Aead::init(Algorithm::Aes128Gcm).unwrap();
+ aead.set_random_key().unwrap();
+ let mut nonce = Vec::new();
+ let mut data = Vec::new();
+ for _ in 0..CHUNKS {
+ data.push(randombytes(PAYLOAD_SIZE));
+ nonce.push(aead.nonce_gen());
+ }
+ let aad = randombytes(1_000);
+ (data, nonce, aad, aead)
+ },
+ |(data, nonce, aad, aead)| {
+ let mut ct = Vec::with_capacity(CHUNKS * PAYLOAD_SIZE);
+ for (chunk, chunk_nonce) in data.iter().zip(nonce.iter()) {
+ ct.push(aead.encrypt_combined(chunk, chunk_nonce, &aad).unwrap());
+ }
+ },
+ BatchSize::SmallInput,
+ )
+ },
+ );
+ c.bench_function(
+ &format!("AES128 GCM encrypt single-shot {}x{}MB", CHUNKS, PAYLOAD_MB),
+ |b| {
+ b.iter_batched(
+ || {
+ let key = aead::key_gen(Algorithm::Aes128Gcm);
+ let mut nonce = Vec::new();
+ let mut data = Vec::new();
+ for _ in 0..CHUNKS {
+ data.push(randombytes(PAYLOAD_SIZE));
+ nonce.push(aead::nonce_gen(Algorithm::Aes128Gcm));
+ }
+ let aad = randombytes(1_000);
+ (data, nonce, aad, key)
+ },
+ |(data, nonce, aad, key)| {
+ let mut ct = Vec::with_capacity(CHUNKS * PAYLOAD_SIZE);
+ for (chunk, chunk_nonce) in data.iter().zip(nonce.iter()) {
+ ct.push(
+ aead::encrypt_combined(
+ Algorithm::Aes128Gcm,
+ &key,
+ chunk,
+ chunk_nonce,
+ &aad,
+ )
+ .unwrap(),
+ );
+ }
+ },
+ BatchSize::SmallInput,
+ )
+ },
+ );
+}
+
+fn criterion_x25519(c: &mut Criterion) {
+ use hacl_rust::prelude::*;
+ c.bench_function("X25519 base", |b| {
+ b.iter_batched(
+ || clone_into_array(&randombytes(32)),
+ |sk| {
+ let _pk = x25519_base(&sk);
+ },
+ BatchSize::SmallInput,
+ )
+ });
+ c.bench_function("X25519 DH", |b| {
+ b.iter_batched(
+ || {
+ let sk1 = clone_into_array(&randombytes(32));
+ let pk1 = x25519_base(&sk1);
+ let sk2 = clone_into_array(&randombytes(32));
+ (pk1, sk2)
+ },
+ |(pk1, sk2)| {
+ let _zz = x25519(&pk1, &sk2).unwrap();
+ },
+ BatchSize::SmallInput,
+ )
+ });
+}
+
+macro_rules! p256_signature_bench {
+ ($c:expr, $name_sign:literal, $name_verify:literal, $name_sign_gen:literal,
+ $name_verify_gen:literal, $sm:expr, $m:expr) => {
+ $c.bench_function($name_sign, |b| {
+ let sk1 = clone_into_array(&hex_to_bytes(SK1_HEX));
+ let nonce = clone_into_array(&hex_to_bytes(NONCE));
+ b.iter_batched(
+ || randombytes(PAYLOAD_SIZE),
+ |data| {
+ let _sig = p256::ecdsa_sign($m, &data, &sk1, &nonce).unwrap();
+ },
+ BatchSize::SmallInput,
+ );
+ });
+ $c.bench_function($name_verify, |b| {
+ let pk1 = hex_to_bytes(PK1_HEX);
+ let sk1 = clone_into_array(&hex_to_bytes(SK1_HEX));
+ let nonce = clone_into_array(&hex_to_bytes(NONCE));
+ b.iter_batched(
+ || {
+ let data = randombytes(PAYLOAD_SIZE);
+ let sig = p256::ecdsa_sign($m, &data, &sk1, &nonce).unwrap();
+ (data, sig)
+ },
+ |(data, sig)| {
+ let _valid = p256::ecdsa_verify($m, &data, &pk1, &sig).unwrap();
+ },
+ BatchSize::SmallInput,
+ );
+ });
+ $c.bench_function($name_sign_gen, |b| {
+ let sk1 = hex_to_bytes(SK1_HEX);
+ let nonce = clone_into_array(&hex_to_bytes(NONCE));
+ b.iter_batched(
+ || randombytes(PAYLOAD_SIZE),
+ |data| {
+ let _sig = signature::sign($sm, Some($m), &sk1, &data, Some(&nonce)).unwrap();
+ },
+ BatchSize::SmallInput,
+ );
+ });
+ $c.bench_function($name_verify_gen, |b| {
+ let pk1 = hex_to_bytes(PK1_HEX);
+ let sk1 = hex_to_bytes(SK1_HEX);
+ let nonce = clone_into_array(&hex_to_bytes(NONCE));
+ b.iter_batched(
+ || {
+ let data = randombytes(PAYLOAD_SIZE);
+ let sig = signature::sign($sm, Some($m), &sk1, &data, Some(&nonce)).unwrap();
+ (data, sig)
+ },
+ |(data, sig)| {
+ let _valid = signature::verify($sm, Some($m), &pk1, &sig, &data).unwrap();
+ },
+ BatchSize::SmallInput,
+ );
+ });
+ };
+}
+
+fn criterion_p256(c: &mut Criterion) {
+ use hacl_rust::prelude::*;
+
+ const PK1_HEX: &str = "0462d5bd3372af75fe85a040715d0f502428e07046868b0bfdfa61d731afe44f26ac333a93a9e70a81cd5a95b5bf8d13990eb741c8c38872b4a07d275a014e30cf";
+ const SK1_HEX: &str = "0612465c89a023ab17855b0a6bcebfd3febb53aef84138647b5352e02c10c346";
+ const _PK2_HEX: &str = "04bd07bd4326cdcabf42905efa4559a30e68cb215d40c9afb60ce02d4fda617579b927b5cba02d24fb9aafe1d429351e48bae9dd92d7bc7be15e5b8a30a86be13d";
+ const SK2_HEX: &str = "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff";
+ const NONCE: &str = "A6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129493D8AAD60";
+
+ c.bench_function("P256 base", |b| {
+ let sk1 = hex_to_bytes(SK1_HEX);
+ b.iter(|| {
+ let _pk = p256::dh_base(&sk1).unwrap();
+ });
+ });
+ c.bench_function("P256 DH", |b| {
+ let pk1 = hex_to_bytes(PK1_HEX);
+ let sk2 = hex_to_bytes(SK2_HEX);
+ b.iter(|| {
+ let _zz = p256::dh(&pk1, &sk2).unwrap();
+ });
+ });
+ c.bench_function("P256 base Agile", |b| {
+ let sk1 = hex_to_bytes(SK1_HEX);
+ b.iter(|| {
+ let _pk = ecdh::derive_base(EcdhMode::P256, &sk1).unwrap();
+ });
+ });
+ c.bench_function("P256 DH Agile", |b| {
+ let pk1 = hex_to_bytes(PK1_HEX);
+ let sk2 = hex_to_bytes(SK2_HEX);
+ b.iter(|| {
+ let _zz = ecdh::derive(EcdhMode::P256, &pk1, &sk2).unwrap();
+ });
+ });
+
+ p256_signature_bench!(
+ c,
+ "P256 ECDSA Sign SHA-256",
+ "P256 ECDSA Verify SHA-256",
+ "P256 ECDSA Sign Agile SHA-256",
+ "P256 ECDSA Verify Agile SHA-256",
+ SignatureMode::P256,
+ DigestAlgorithm::Sha256
+ );
+
+ p256_signature_bench!(
+ c,
+ "P256 ECDSA Sign SHA-384",
+ "P256 ECDSA Verify SHA-384",
+ "P256 ECDSA Sign Agile SHA-384",
+ "P256 ECDSA Verify Agile SHA-384",
+ SignatureMode::P256,
+ DigestAlgorithm::Sha384
+ );
+
+ p256_signature_bench!(
+ c,
+ "P256 ECDSA Sign SHA-512",
+ "P256 ECDSA Verify SHA-512",
+ "P256 ECDSA Sign Agile SHA-512",
+ "P256 ECDSA Verify Agile SHA-512",
+ SignatureMode::P256,
+ DigestAlgorithm::Sha512
+ );
+}
+
+fn criterion_ed25519(c: &mut Criterion) {
+ use hacl_rust::ed25519;
+ c.bench_function("ed25519 key gen", |b| {
+ b.iter_batched(
+ || clone_into_array(&randombytes(32)),
+ |sk| {
+ let _pk = ed25519::sk2pk(&sk);
+ },
+ BatchSize::SmallInput,
+ )
+ });
+ c.bench_function("ed25519 sign", |b| {
+ b.iter_batched(
+ || {
+ let sk = clone_into_array(&randombytes(32));
+ let data = randombytes(0x10000);
+ (sk, data)
+ },
+ |(sk, data)| {
+ let _sig = ed25519::eddsa_sign(&sk, &data);
+ },
+ BatchSize::SmallInput,
+ )
+ });
+ c.bench_function("ed25519 verify", |b| {
+ b.iter_batched(
+ || {
+ let sk = clone_into_array(&randombytes(32));
+ let pk = ed25519::sk2pk(&sk);
+ let data = randombytes(0x10000);
+ let sig = ed25519::eddsa_sign(&pk, &data);
+ (pk, data, sig)
+ },
+ |(pk, data, sig)| {
+ let _valid = ed25519::eddsa_verify(&pk, &sig, &data);
+ },
+ BatchSize::SmallInput,
+ )
+ });
+}
+
+fn criterion_hmac(c: &mut Criterion) {
+ use hacl_rust::hmac::{hmac, Algorithm};
+ const KEY: [u8; 10] = [0u8, 1, 2, 3, 4, 5, 6, 7, 8, 9];
+ c.bench_function("HMAC SHA1", |b| {
+ b.iter_batched(
+ || randombytes(PAYLOAD_SIZE),
+ |data| {
+ let _hmac = hmac(Algorithm::Sha1, &KEY, &data, None);
+ },
+ BatchSize::SmallInput,
+ )
+ });
+ c.bench_function("HMAC SHA256", |b| {
+ b.iter_batched(
+ || randombytes(PAYLOAD_SIZE),
+ |data| {
+ let _hmac = hmac(Algorithm::Sha256, &KEY, &data, None);
+ },
+ BatchSize::SmallInput,
+ )
+ });
+ c.bench_function("HMAC SHA384", |b| {
+ b.iter_batched(
+ || randombytes(PAYLOAD_SIZE),
+ |data| {
+ let _hmac = hmac(Algorithm::Sha384, &KEY, &data, None);
+ },
+ BatchSize::SmallInput,
+ )
+ });
+ c.bench_function("HMAC SHA512", |b| {
+ b.iter_batched(
+ || randombytes(PAYLOAD_SIZE),
+ |data| {
+ let _hmac = hmac(Algorithm::Sha512, &KEY, &data, None);
+ },
+ BatchSize::SmallInput,
+ )
+ });
+}
+
+fn criterion_hkdf(c: &mut Criterion) {
+ use hacl_rust::prelude::*;
+
+ macro_rules! hkdf_expand_bench {
+ ($c:expr, $name_expand:literal, $name_extract:literal, $m:expr) => {
+ c.bench_function($name_expand, |b| {
+ b.iter_batched(
+ || {
+ let ikm = hex_to_bytes("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b");
+ let salt = hex_to_bytes("000102030405060708090a0b0c");
+ let len = 32;
+ let prk = hkdf_extract(HmacAlgorithm::Sha1, &salt, &ikm);
+ let data = randombytes(0x10000);
+ (len, prk, data)
+ },
+ |(len, prk, data)| {
+ let _okm = hkdf_expand($m, &prk, &data, len);
+ },
+ BatchSize::SmallInput,
+ )
+ });
+ c.bench_function($name_extract, |b| {
+ let ikm = hex_to_bytes("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b");
+ let salt = hex_to_bytes("000102030405060708090a0b0c");
+ b.iter(|| {
+ let _prk = hkdf_extract($m, &salt, &ikm);
+ });
+ });
+ };
+ }
+ hkdf_expand_bench!(
+ c,
+ "HKDF Expand SHA1",
+ "HKDF Extract SHA1",
+ HmacAlgorithm::Sha1
+ );
+ hkdf_expand_bench!(
+ c,
+ "HKDF Expand SHA256",
+ "HKDF Extract SHA256",
+ HmacAlgorithm::Sha256
+ );
+ hkdf_expand_bench!(
+ c,
+ "HKDF Expand SHA384",
+ "HKDF Extract SHA384",
+ HmacAlgorithm::Sha384
+ );
+ hkdf_expand_bench!(
+ c,
+ "HKDF Expand SHA512",
+ "HKDF Extract SHA512",
+ HmacAlgorithm::Sha512
+ );
+
+ macro_rules! hkdf_bench {
+ ($c:expr, $name:literal, $m:expr) => {
+ c.bench_function($name, |b| {
+ b.iter_batched(
+ || {
+ let ikm = hex_to_bytes("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b");
+ let salt = hex_to_bytes("000102030405060708090a0b0c");
+ let len = 32;
+ let data = randombytes(0x10000);
+ (ikm, salt, len, data)
+ },
+ |(ikm, salt, len, data)| {
+ let _hkdf = hkdf($m, &salt, &ikm, &data, len);
+ },
+ BatchSize::SmallInput,
+ )
+ });
+ };
+ }
+ hkdf_bench!(c, "HKDF SHA1", HmacAlgorithm::Sha1);
+ hkdf_bench!(c, "HKDF SHA256", HmacAlgorithm::Sha256);
+ hkdf_bench!(c, "HKDF SHA384", HmacAlgorithm::Sha384);
+ hkdf_bench!(c, "HKDF SHA512", HmacAlgorithm::Sha512);
+}
+
+fn criterion_benchmark(c: &mut Criterion) {
+ criterion_digest(c);
+ criterion_aead(c);
+ criterion_aead_keys(c);
+ criterion_x25519(c);
+ criterion_p256(c);
+ criterion_ed25519(c);
+ criterion_hmac(c);
+ criterion_hkdf(c);
+}
+
+criterion_group!(benches, criterion_benchmark);
+criterion_main!(benches);
diff --git a/rust/fuzz/.gitignore b/rust/fuzz/.gitignore
new file mode 100644
index 00000000..572e03bd
--- /dev/null
+++ b/rust/fuzz/.gitignore
@@ -0,0 +1,4 @@
+
+target
+corpus
+artifacts
diff --git a/rust/fuzz/Cargo.toml b/rust/fuzz/Cargo.toml
new file mode 100644
index 00000000..596b7a99
--- /dev/null
+++ b/rust/fuzz/Cargo.toml
@@ -0,0 +1,41 @@
+
+[package]
+name = "evercrypt-fuzz"
+version = "0.0.0"
+authors = ["Automatically generated"]
+publish = false
+edition = "2018"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+libfuzzer-sys = "0.3"
+
+[dependencies.evercrypt]
+path = ".."
+
+[patch.crates-io]
+evercrypt-sys = { path = "../../evercrypt-sys" }
+
+# Prevent this from interfering with workspaces
+[workspace]
+members = ["."]
+
+[[bin]]
+name = "ecdh"
+path = "fuzz_targets/ecdh.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "aead"
+path = "fuzz_targets/aead.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "ed25519"
+path = "fuzz_targets/ed25519.rs"
+test = false
+doc = false
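Review bot: The fuzz manifest depends on crates that this change does not ship under those names: `[dependencies.evercrypt] path = ".."` and the `[patch.crates-io] evercrypt-sys = { path = "../../evercrypt-sys" }` entry, whereas the sys crate added by this change is `hacl-rust-sys` and all three fuzz targets import `hacl_rust_sys::prelude::*`, so `cargo fuzz build` cannot resolve its dependency as written. The dependency table should name the crate that actually lives at `..` (presumably `hacl-rust`, the crate the benches import) and the patch entry should point at `../../hacl-rust-sys` or be dropped if there is no crates.io version to override. While the manifest is being fixed, `libfuzzer-sys = "0.3"` is an old major and worth bumping so the targets pick up a current libFuzzer.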
diff --git a/rust/fuzz/fuzz_targets/aead.rs b/rust/fuzz/fuzz_targets/aead.rs
new file mode 100644
index 00000000..4bb4e6ab
--- /dev/null
+++ b/rust/fuzz/fuzz_targets/aead.rs
@@ -0,0 +1,62 @@
+#![no_main]
+use libfuzzer_sys::fuzz_target;
+
+use hacl_rust_sys::prelude::*;
+
+fuzz_target!(|data: &[u8]| {
+ let modes = [
+ AeadMode::Aes128Gcm,
+ AeadMode::Aes256Gcm,
+ AeadMode::Chacha20Poly1305,
+ ];
+ for &mode in modes.iter() {
+ let aead = match Aead::init(mode) {
+ Ok(aead) => aead,
+ Err(_) => {
+ println!("{:?} is not available.", mode);
+ continue;
+ }
+ };
+ let k = if data.len() >= aead.key_size() {
+ data[0..aead.key_size()].to_vec()
+ } else {
+ aead.key_gen()
+ };
+ let nonce = if data.len() >= aead.key_size() + aead.nonce_size() {
+ data[aead.key_size()..aead.key_size() + aead.nonce_size()].to_vec()
+ } else {
+ aead.nonce_gen()
+ };
+ let aead = aead.set_key(&k).unwrap();
+ let (c, t) = aead.encrypt(data, &nonce, &[]).expect("Error encrypting");
+ let dec_result = aead.decrypt(&c, &t, &nonce, &[]);
+ if let Ok(ptxt) = dec_result {
+ assert_eq!(ptxt, data);
+ }
+ }
+
+ // Check keys
+ for &mode in modes.iter() {
+ let aead = match Aead::init(mode) {
+ Ok(aead) => aead,
+ Err(_) => {
+ println!("{:?} is not available.", mode);
+ continue;
+ }
+ };
+ let _aead = aead.set_key(data);
+ }
+
+ // Check nonce
+ for &mode in modes.iter() {
+ let mut aead = match Aead::init(mode) {
+ Ok(aead) => aead,
+ Err(_) => {
+ println!("{:?} is not available.", mode);
+ continue;
+ }
+ };
+ aead.set_random_key().unwrap();
+ let _enc = aead.encrypt(data, data, &[]);
+ }
+});
diff --git a/rust/fuzz/fuzz_targets/ecdh.rs b/rust/fuzz/fuzz_targets/ecdh.rs
new file mode 100644
index 00000000..93449d9b
--- /dev/null
+++ b/rust/fuzz/fuzz_targets/ecdh.rs
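Review bot: The round-trip oracle `if let Ok(ptxt) = dec_result { assert_eq!(ptxt, data); }` stays silent when decryption of a ciphertext the target itself just produced fails, so a wrong tag computation or a decrypt that rejects valid input is never reported by the fuzzer. The key and nonce were accepted by `set_key` and `encrypt`, so decryption must succeed here; write `let ptxt = aead.decrypt(&c, &t, &nonce, &[]).expect("decrypting a fresh ciphertext must succeed"); assert_eq!(ptxt, data);`, and as a second oracle flip one bit of `t` (or of `c`) and assert that `decrypt` returns `Err`, since rejecting a tampered ciphertext is the property an AEAD actually guarantees. The `println!` in each unavailable-mode branch runs on every input and will throttle fuzzing throughput; drop it or print once. Note also that `hacl_rust_sys::prelude::*` is expected to supply `Aead`/`AeadMode` here while the benches in this change use `hacl_rust::aead::{Aead, Algorithm}`, so this target may not compile against the crates as named.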
@@ -0,0 +1,20 @@
+#![no_main]
+use libfuzzer_sys::fuzz_target;
+
+use hacl_rust_sys::prelude::*;
+
+fuzz_target!(|data: &[u8]| {
+ let _ = ecdh_derive(EcdhMode::X25519, data, data);
+ let _ = ecdh_derive_base(EcdhMode::X25519, data);
+ if data.len() >= 32 {
+ let mut data32 = [0u8; 32];
+ data32.clone_from_slice(&data[0..32]);
+ let _ = x25519(&data32, &data32);
+ let _ = x25519_base(&data32);
+ }
+
+ let _ = ecdh_derive(EcdhMode::P256, data, data);
+ let _ = ecdh_derive_base(EcdhMode::P256, data);
+ let _ = p256(data, data);
+ let _ = p256_base(data);
+});
diff --git a/rust/fuzz/fuzz_targets/ed25519.rs b/rust/fuzz/fuzz_targets/ed25519.rs
new file mode 100644
index 00000000..57dbd201
--- /dev/null
+++ b/rust/fuzz/fuzz_targets/ed25519.rs
@@ -0,0 +1,31 @@
+#![no_main]
+use libfuzzer_sys::fuzz_target;
+
+use hacl_rust_sys::prelude::*;
+
+fuzz_target!(|data: &[u8]| {
+ if data.len() >= 32 {
+ let mut data32 = [0u8; 32];
+ data32.clone_from_slice(&data[0..32]);
+ let _pk = ed25519::sk2pk(&data32);
+ }
+
+ let sk = ed25519::key_gen();
+ let pk = ed25519::sk2pk(&sk);
+ let sig = ed25519::eddsa_sign(&sk, &data);
+ let _sig_verified = ed25519::eddsa_verify(&pk, &sig, data);
+ if data.len() >= 64 {
+ let mut data32 = [0u8; 32];
+ data32.clone_from_slice(&data[0..32]);
+ let mut data64 = [0u8; 64];
+ data64.clone_from_slice(&data[0..64]);
+ let _sig_verified = ed25519::eddsa_verify(&data32, &sig, data);
+ let _sig_verified = ed25519::eddsa_verify(&pk, &data64, data);
+ }
+ let sig = signature::sign(SignatureMode::Ed25519, None, &sk, &data, None);
+ if let Ok(sig) = sig {
+ let _sig_verified = signature::verify(SignatureMode::Ed25519, None, &pk, &sig, data);
+ let _sig_verified = signature::verify(SignatureMode::Ed25519, None, data, &sig, data);
+ let _sig_verified = signature::verify(SignatureMode::Ed25519, None, &pk, data, data);
+ }
+});
diff --git a/rust/hacl-rust-sys/Cargo.toml b/rust/hacl-rust-sys/Cargo.toml
new file mode 100644
index 00000000..3fe67178
--- /dev/null
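Review bot: Every result in this target is discarded with `let _ =`, so the fuzzer can only find crashes and never checks that the scalar multiplication computes the right thing; a property that needs no test vectors is that both sides of an exchange agree on the shared secret. When `data` has at least 64 bytes, derive two key pairs from the two halves and assert agreement as below; the existing single-key calls can stay for the crash-only coverage. The same check can be added for `p256`/`p256_base` once the key encodings those functions expect are confirmed, which this hunk does not show.

```rust
    if data.len() >= 64 {
        let mut sk1 = [0u8; 32];
        sk1.clone_from_slice(&data[0..32]);
        let mut sk2 = [0u8; 32];
        sk2.clone_from_slice(&data[32..64]);
        let pk1 = x25519_base(&sk1);
        let pk2 = x25519_base(&sk2);
        // Both parties must derive the same shared secret; comparing the
        // Results also catches one side failing while the other succeeds.
        assert_eq!(x25519(&pk2, &sk1).ok(), x25519(&pk1, &sk2).ok());
    }
    // … unchanged: P256 calls …
```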
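Review bot: The honest sign/verify pair `ed25519::eddsa_sign(&sk, &data)` followed by `ed25519::eddsa_verify(&pk, &sig, data)` throws the verification result away, so a signing or verification bug would never fail this target and the only oracle left is "does not crash". Assert the honest path and the forgery paths explicitly: `assert!(ed25519::eddsa_verify(&pk, &sig, data));` for the real signature, and `assert!(!ed25519::eddsa_verify(&data32, &sig, data));` for the fuzz-chosen key, which must be rejected unless the 32 fuzz bytes happen to equal `pk` (negligible). The benches in this change call `eddsa_verify` without `unwrap`, which suggests it returns `bool`; if it actually returns a `Result`, adapt the assertions accordingly. The three `signature::verify` calls should get the same treatment, e.g. `assert!(signature::verify(SignatureMode::Ed25519, None, &pk, &sig, data).unwrap());` on the honest key and signature.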
+++ b/rust/hacl-rust-sys/Cargo.toml
@@ -0,0 +1,22 @@
+[package]
+name = "hacl-rust-sys"
+version = "0.0.0"
+authors = ["Franziskus Kiefer "]
+edition = "2021"
+build = "build.rs"
+categories = ["cryptography", "api-bindings"]
+links = "evercrypt"
+license = "GPLv3"
+documentation = "https://docs.rs/hacl-rust-sys/"
+description = "FFI bindings for the HACL C package"
+readme = "README.md"
+repository = "https://github.com/cryspen/hacl-packages/rust"
+
+[dependencies]
+
+[build-dependencies]
+libc = { version = "0.2", default-features = false }
+fs_extra = "1.2"
+
+[target.'cfg(not(windows))'.build-dependencies]
+bindgen = "0.59"
diff --git a/rust/hacl-rust-sys/README.md b/rust/hacl-rust-sys/README.md
new file mode 100644
index 00000000..1772bdac
--- /dev/null
+++ b/rust/hacl-rust-sys/README.md
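Review bot: `license = "GPLv3"` is not an SPDX license expression; Cargo warns on it and crates.io validates the field on publish, so it should read `license = "GPL-3.0-only"` (or `GPL-3.0-or-later`, whichever the project intends). `repository = "https://github.com/cryspen/hacl-packages/rust"` is a path inside the repository rather than a clonable repository URL, so tooling that clones it fails; use `https://github.com/cryspen/hacl-packages` and put the subdirectory link in the README. `links = "evercrypt"` is the key Cargo uses to stop two crates from linking the same native library, and the build script in this change links `hacl_static`, so the value should name that library (e.g. `links = "hacl"`) to be meaningful.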
@@ -0,0 +1,41 @@
+# evercrypt-sys
+
+![Maturity Level][maturity-badge]
+[![Build & Test][github-actions-badge]][github-actions-link]
+[![ARM Build][drone-badge]][drone-link]
+![Rust Version][rustc-image]
+
+Rust wrapper for [hacl-star and evercrypt](https://github.com/project-everest/hacl-star/).
+
+## Build
+
+When building this `*-sys` crate make sure to get the hacl-star git submodule (`git submodule update --init --recursive`).
+The hacl/evercrypt build is currently not part of the `cargo build`.
+Run `build-evercrypt.sh` in order to build the `gcc-compatible` dist (this requires OCAML to be set up.).
+
+### Platforms
+
+| Platform | Supported |
+| :------------------- | :-------: |
+| MacOS | ✅ |
+| MacOS Arm64 | ✅ |
+| iOS | ✅ |
+| iOS Simulator x86_64 | ❌ |
+| Linux x64 | ✅ |
+| Linux x86 | ✅ |
+| Windows x64 | ✅ |
+| Arm64 Linux | ✅ |
+| Arm32 Linux | ✅ |
+
+#### Building on Windows
+
+To build `evercrypt` and `evercrypt-sys` on Windows ensure path for the `VsDevCmd.bat`
+called in in `hacl-build.bat` is correct on your system.
+The build has only been tested with VisualStudio 2019.
+
+[maturity-badge]: https://img.shields.io/badge/maturity-beta-orange.svg?style=for-the-badge
+[github-actions-badge]: https://img.shields.io/github/workflow/status/franziskuskiefer/evercrypt-rust/Build%20&%20Test?label=build%20%26%20tests&logo=github&style=for-the-badge
+[github-actions-link]: https://github.com/franziskuskiefer/evercrypt-rust/actions/workflows/evercrypt-rs.yml?query=branch%3Amain
+[drone-badge]: https://img.shields.io/drone/build/franziskuskiefer/evercrypt-rust?label=ARM%20BUILD&style=for-the-badge
+[drone-link]: https://cloud.drone.io/franziskuskiefer/evercrypt-rust
+[rustc-image]: https://img.shields.io/badge/rustc-1.56+-blue.svg?style=for-the-badge
diff --git a/rust/hacl-rust-sys/build.rs b/rust/hacl-rust-sys/build.rs
new file mode 100644
index 00000000..986c53df
--- /dev/null
+++ b/rust/hacl-rust-sys/build.rs
@@ -0,0 +1,159 @@
+#[cfg(not(windows))]
+extern crate bindgen;
+
+use std::{env, path::Path, process::Command};
+
+#[cfg(not(windows))]
+fn create_bindings(include_path: &Path, home_dir: &Path) {
+ // Include paths
+ let hacl_includes = vec![
+ format!("-I{}", include_path.display()),
+ format!("-I{}", include_path.join("hacl").display()),
+ format!("-I{}", include_path.join("kremlin").display()),
+ format!("-I{}", include_path.join("vale").display()),
+ ];
+
+ let bindings = bindgen::Builder::default()
+ // Header to wrap HACL/Evercrypt headers
+ .header("wrapper.h")
+ // Set include paths for HACL/Evercrypt headers
+ .clang_args(hacl_includes.iter())
+ // Allow function we want to have in
+ .allowlist_function("EverCrypt_AutoConfig2_.*")
+ .allowlist_function("EverCrypt_AEAD_.*")
+ .allowlist_function("EverCrypt_Curve25519_.*")
+ .allowlist_function("EverCrypt_Ed25519_.*")
+ .allowlist_function("EverCrypt_Hash_.*")
+ .allowlist_function("EverCrypt_HKDF_.*")
+ .allowlist_function("EverCrypt_HMAC_.*")
+ .allowlist_function("Hacl_P256_.*")
+ .allowlist_function("Hacl_SHA3_.*")
+ .allowlist_var("EverCrypt_Error_.*")
+ .allowlist_var("Spec_.*")
+ .allowlist_type("Spec_.*")
+ // Block everything we don't need or define ourselves.
+ .blocklist_type("Hacl_Streaming_.*")
+ .blocklist_type("EverCrypt_AEAD_state_s.*")
+ // Disable tests to avoid warnings and keep it portable
+ .layout_tests(false)
+ // Generate bindings
+ .parse_callbacks(Box::new(bindgen::CargoCallbacks))
+ .generate()
+ .expect("Unable to generate bindings");
+
+ // let bindings_path = out_path.join("bindings.rs");
+ let home_bindings = home_dir.join("src/bindings/bindings.rs");
+ bindings
+ .write_to_file(home_bindings)
+ .expect("Couldn't write bindings!");
+}
+
+#[cfg(windows)]
+fn create_bindings(_: &Path, _: &Path) {}
+
+fn get_hacl_c(out_path: &Path) {
+ // git clone the repo
+ if out_path.join("hacl-packages").exists() {
+ // Only clone if we didn't do so already.
+ return;
+ }
+ let mut mach_cmd = Command::new("git");
+ let mach_status = mach_cmd
+ .current_dir(out_path)
+ .args(&[
+ "clone",
+ "-b",
+ "franziskus/dev-cleanup",
+ "https://github.com/cryspen/hacl-packages",
+ "--depth=1",
+ ])
+ .status()
+ .expect("Failed to run git clone.");
+ if !mach_status.success() {
+ panic!("Failed to run git clone.")
+ }
+ println!(" >>> Cloned hacl-packages into {}", out_path.display())
+}
+
+fn build_hacl_c(path: &Path) {
+ println!(" >>> Building HACL C in {}", path.display());
+ let canon_mach = std::fs::canonicalize(path.join("mach")).expect("Failed to find mach script!");
+ let mut mach_cmd = Command::new(canon_mach.clone());
+ let mach_status = mach_cmd
+ .current_dir(path)
+ // We always build the release version here.
+ // For debugging don't use this.
+ .args(&["build", "--release"])
+ .status()
+ .expect("Failed to run mach build.");
+ if !mach_status.success() {
+ panic!("Failed to run mach build.")
+ }
+ let install_path = path.join("build").join("installed");
+ println!(" >>> Installing HACL C into {}", install_path.display());
+ let mut mach_cmd = Command::new(canon_mach);
+ let mach_status = mach_cmd
+ .current_dir(path)
+ .args(&[
+ "install",
+ "--prefix",
+ install_path.to_str().unwrap(),
+ "-c",
+ "release",
+ ])
+ .status()
+ .expect("Failed to run mach install.");
+ if !mach_status.success() {
+ panic!("Failed to run mach install.")
+ }
+}
+
+fn main() {
+ // Get ENV variables
+ let home_dir = env::var("CARGO_MANIFEST_DIR").unwrap();
+ let home_dir = Path::new(&home_dir);
+ let out_dir = env::var("OUT_DIR").unwrap();
+ let out_path = Path::new(&out_dir);
+ let mach_build = env::var("MACH_BUILD").ok().is_some();
+ println!("mach_build: {}", mach_build);
+
+ // Get the C library and build it first.
+ // This is the default behaviour. It can be disabled when working on this
+ // to pick up the local version. This is what the global mach script does.
+ let hacl_path = if !mach_build {
+ get_hacl_c(&out_path);
+ let hacl_packages_path = out_path.join("hacl-packages");
+ build_hacl_c(&hacl_packages_path);
+ hacl_packages_path.join("build").join("installed")
+ } else {
+ // Use the higher level install directory.
+ home_dir
+ .join("..")
+ .join("..")
+ .join("build")
+ .join("installed")
+ };
+ let hacl_lib_path = hacl_path.join("lib");
+ let hacl_include_path = hacl_path.join("include");
+
+ // Set library name to look up
+ let library_name = "hacl_static";
+
+ // Set re-run trigger
+ println!("cargo:rerun-if-changed=wrapper.h");
+ // We should re-run if the library changed. But this triggers the build
+ // to re-run every time right now.
+ // println!(
+ // "cargo:rerun-if-changed={}",
+ // hacl_lib_path.join(library_name).display()
+ // );
+
+ // Generate new bindings. This is a no-op on Windows.
+ create_bindings(&hacl_include_path, home_dir);
+
+ // Link hacl library.
+ let mode = "static";
+ println!("cargo:rustc-link-lib={}={}", mode, library_name);
+ println!("cargo:rustc-link-search=native={}", hacl_lib_path.display());
+ println!("cargo:lib={}", hacl_lib_path.display());
+}
diff --git a/rust/hacl-rust-sys/metadata.json b/rust/hacl-rust-sys/metadata.json
new file mode 100644
index 00000000..05ecdd21
--- /dev/null
+++ b/rust/hacl-rust-sys/metadata.json
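Review bot: `get_hacl_c` clones the mutable branch `franziskus/dev-cleanup` over the network during `cargo build`, and `build_hacl_c` then executes the `mach` script from whatever that branch currently holds, so every build of this crate runs unpinned code chosen by anyone who can push to that branch and no two builds are guaranteed to compile the same C sources. Pin the sources to a reviewed commit by fetching that revision and checking it out detached, as sketched below, and prefer vendoring the C sources or honouring a local-checkout override so hermetic/offline builds work; `MACH_BUILD` already serves as the override, but `env::var("MACH_BUILD").ok().is_some()` treats `MACH_BUILD=0` as enabled and the script never emits `println!("cargo:rerun-if-env-changed=MACH_BUILD");`, so toggling it does not trigger a rebuild. Separately, `create_bindings` writes the generated file into the source tree at `src/bindings/bindings.rs` instead of `OUT_DIR`; Cargo treats the package directory as read-only when the crate is installed from a registry, so the bindings should be written under `OUT_DIR` and pulled in with `include!(concat!(env!("OUT_DIR"), "/bindings.rs"))`.

```rust
// Pin the C sources to a reviewed revision so a push to the upstream branch
// cannot change what `cargo build` compiles and executes.
const HACL_PACKAGES_URL: &str = "https://github.com/cryspen/hacl-packages";
const HACL_PACKAGES_REV: &str = "<reviewed commit hash>"; // TODO(review): fill in

/// Run one git command in `dir` and abort the build if it fails.
fn git(dir: &Path, args: &[&str]) {
    let status = Command::new("git")
        .current_dir(dir)
        .args(args)
        .status()
        .expect("Failed to run git.");
    if !status.success() {
        panic!("git {:?} failed", args);
    }
}

fn get_hacl_c(out_path: &Path) {
    let repo = out_path.join("hacl-packages");
    if repo.exists() {
        // Only clone if we didn't do so already.
        return;
    }
    git(out_path, &["init", "hacl-packages"]);
    git(&repo, &["remote", "add", "origin", HACL_PACKAGES_URL]);
    git(&repo, &["fetch", "--depth=1", "origin", HACL_PACKAGES_REV]);
    git(&repo, &["checkout", "--detach", "FETCH_HEAD"]);
    println!(" >>> Fetched hacl-packages@{} into {}", HACL_PACKAGES_REV, out_path.display())
}
// … unchanged: build_hacl_c, main …
```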
@@ -0,0 +1,6864 @@ +{ + "packages": [ + { + "name": "aho-corasick", + "version": "0.7.18", + "id": "aho-corasick 0.7.18 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "Unlicense/MIT", + "license_file": null, + "description": "Fast multiple substring searching.", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "memchr", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^2.4.0", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": false, + "features": [], + "target": null, + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "aho_corasick", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/aho-corasick-0.7.18/src/lib.rs", + "edition": "2018", + "doc": true, + "doctest": true, + "test": true + } + ], + "features": { + "default": [ + "std" + ], + "std": [ + "memchr/std" + ] + }, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/aho-corasick-0.7.18/Cargo.toml", + "metadata": null, + "publish": null, + "authors": [ + "Andrew Gallant " + ], + "categories": [ + "text-processing" + ], + "keywords": [ + "string", + "search", + "text", + "aho", + "multi" + ], + "readme": "README.md", + "repository": "https://github.com/BurntSushi/aho-corasick", + "homepage": "https://github.com/BurntSushi/aho-corasick", + "documentation": null, + "edition": "2018", + "links": null, + "default_run": null + }, + { + "name": "ansi_term", + "version": "0.12.1", + "id": "ansi_term 0.12.1 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT", + "license_file": null, + "description": "Library for ANSI terminal colours and styles (bold, underline)", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "serde", + "source": 
"registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0.90", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [ + "derive" + ], + "target": null, + "registry": null + }, + { + "name": "doc-comment", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.3", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "regex", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.1.9", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "serde_json", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0.39", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "winapi", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.3.4", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [ + "consoleapi", + "errhandlingapi", + "fileapi", + "handleapi", + "processenv" + ], + "target": "cfg(target_os = \"windows\")", + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "ansi_term", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/ansi_term-0.12.1/src/lib.rs", + "edition": "2015", + "doc": true, + "doctest": true, + "test": true + }, + { + "kind": [ + "example" + ], + "crate_types": [ + "bin" + ], + "name": "basic_colours", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/ansi_term-0.12.1/examples/basic_colours.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": false + }, + { + "kind": [ + 
"example" + ], + "crate_types": [ + "bin" + ], + "name": "rgb_colours", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/ansi_term-0.12.1/examples/rgb_colours.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": false + }, + { + "kind": [ + "example" + ], + "crate_types": [ + "bin" + ], + "name": "256_colours", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/ansi_term-0.12.1/examples/256_colours.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": false + } + ], + "features": { + "derive_serde_style": [ + "serde" + ] + }, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/ansi_term-0.12.1/Cargo.toml", + "metadata": null, + "publish": null, + "authors": [ + "ogham@bsago.me", + "Ryan Scheel (Havvy) ", + "Josh Triplett " + ], + "categories": [], + "keywords": [], + "readme": "README.md", + "repository": "https://github.com/ogham/rust-ansi-term", + "homepage": "https://github.com/ogham/rust-ansi-term", + "documentation": "https://docs.rs/ansi_term", + "edition": "2015", + "links": null, + "default_run": null + }, + { + "name": "atty", + "version": "0.2.14", + "id": "atty 0.2.14 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT", + "license_file": null, + "description": "A simple interface for querying atty", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "hermit-abi", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.1.6", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": "cfg(target_os = \"hermit\")", + "registry": null + }, + { + "name": "libc", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.2", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": false, + "features": [], + "target": 
"cfg(unix)", + "registry": null + }, + { + "name": "winapi", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.3", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [ + "consoleapi", + "processenv", + "minwinbase", + "minwindef", + "winbase" + ], + "target": "cfg(windows)", + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "atty", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/atty-0.2.14/src/lib.rs", + "edition": "2015", + "doc": true, + "doctest": true, + "test": true + }, + { + "kind": [ + "example" + ], + "crate_types": [ + "bin" + ], + "name": "atty", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/atty-0.2.14/examples/atty.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": false + } + ], + "features": {}, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/atty-0.2.14/Cargo.toml", + "metadata": null, + "publish": null, + "authors": [ + "softprops " + ], + "categories": [], + "keywords": [ + "terminal", + "tty", + "isatty" + ], + "readme": "README.md", + "repository": "https://github.com/softprops/atty", + "homepage": "https://github.com/softprops/atty", + "documentation": "http://softprops.github.io/atty", + "edition": "2015", + "links": null, + "default_run": null + }, + { + "name": "bindgen", + "version": "0.58.1", + "id": "bindgen 0.58.1 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "BSD-3-Clause", + "license_file": null, + "description": "Automatically generates Rust FFI bindings to C and C++ libraries.", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "bitflags", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0.3", + "kind": null, + "rename": null, + "optional": false, + 
"uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "cexpr", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.4", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "clang-sys", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [ + "clang_6_0" + ], + "target": null, + "registry": null + }, + { + "name": "clap", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^2", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "env_logger", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.8", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "lazy_static", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "lazycell", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "log", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.4", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "peeking_take_while", + "source": 
"registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.1.2", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "proc-macro2", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": false, + "features": [], + "target": null, + "registry": null + }, + { + "name": "quote", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": false, + "features": [], + "target": null, + "registry": null + }, + { + "name": "regex", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": false, + "features": [ + "std", + "unicode" + ], + "target": null, + "registry": null + }, + { + "name": "rustc-hash", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0.1", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "shlex", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "which", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^3.0", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": false, + "features": [], + "target": null, + "registry": null + }, + { + "name": "clap", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^2", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + 
"features": [], + "target": null, + "registry": null + }, + { + "name": "diff", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.1", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "shlex", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "bindgen", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/bindgen-0.58.1/src/lib.rs", + "edition": "2018", + "doc": true, + "doctest": true, + "test": true + }, + { + "kind": [ + "bin" + ], + "crate_types": [ + "bin" + ], + "name": "bindgen", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/bindgen-0.58.1/src/main.rs", + "edition": "2018", + "required-features": [ + "clap" + ], + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "custom-build" + ], + "crate_types": [ + "bin" + ], + "name": "build-script-build", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/bindgen-0.58.1/build.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": false + } + ], + "features": { + "default": [ + "logging", + "clap", + "runtime", + "which-rustfmt" + ], + "logging": [ + "env_logger", + "log" + ], + "runtime": [ + "clang-sys/runtime" + ], + "static": [ + "clang-sys/static" + ], + "testing_only_docs": [], + "testing_only_extra_assertions": [], + "testing_only_libclang_3_9": [], + "testing_only_libclang_4": [], + "testing_only_libclang_5": [], + "testing_only_libclang_9": [], + "which-rustfmt": [ + "which" + ] + }, + "manifest_path": 
"/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/bindgen-0.58.1/Cargo.toml", + "metadata": null, + "publish": null, + "authors": [ + "Jyun-Yan You ", + "Emilio Cobos Álvarez ", + "Nick Fitzgerald ", + "The Servo project developers" + ], + "categories": [ + "external-ffi-bindings", + "development-tools::ffi" + ], + "keywords": [ + "bindings", + "ffi", + "code-generation" + ], + "readme": "README.md", + "repository": "https://github.com/rust-lang/rust-bindgen", + "homepage": "https://rust-lang.github.io/rust-bindgen/", + "documentation": "https://docs.rs/bindgen", + "edition": "2018", + "links": null, + "default_run": null + }, + { + "name": "bitflags", + "version": "1.3.2", + "id": "bitflags 1.3.2 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT/Apache-2.0", + "license_file": null, + "description": "A macro to generate structures which behave like bitflags.\n", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "compiler_builtins", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.1.2", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "rustc-std-workspace-core", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0.0", + "kind": null, + "rename": "core", + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "rustversion", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "serde", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0", + "kind": "dev", + "rename": null, + "optional": false, + 
"uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "serde_derive", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "serde_json", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "trybuild", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "walkdir", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^2.3", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "bitflags", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/bitflags-1.3.2/src/lib.rs", + "edition": "2018", + "doc": true, + "doctest": true, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "compile", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/bitflags-1.3.2/tests/compile.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "basic", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/bitflags-1.3.2/tests/basic.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + } + ], + "features": { + 
"default": [], + "example_generated": [], + "rustc-dep-of-std": [ + "core", + "compiler_builtins" + ] + }, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/bitflags-1.3.2/Cargo.toml", + "metadata": { + "docs": { + "rs": { + "features": [ + "example_generated" + ] + } + } + }, + "publish": null, + "authors": [ + "The Rust Project Developers" + ], + "categories": [ + "no-std" + ], + "keywords": [ + "bit", + "bitmask", + "bitflags", + "flags" + ], + "readme": "README.md", + "repository": "https://github.com/bitflags/bitflags", + "homepage": "https://github.com/bitflags/bitflags", + "documentation": "https://docs.rs/bitflags", + "edition": "2018", + "links": null, + "default_run": null + }, + { + "name": "cexpr", + "version": "0.4.0", + "id": "cexpr 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "Apache-2.0/MIT", + "license_file": null, + "description": "A C expression parser and evaluator", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "nom", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^5", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": false, + "features": [ + "std" + ], + "target": null, + "registry": null + }, + { + "name": "clang-sys", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": ">=0.13.0, <0.29.0", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "cexpr", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/cexpr-0.4.0/src/lib.rs", + "edition": "2018", + "doc": true, + "doctest": true, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "clang", + "src_path": 
"/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/cexpr-0.4.0/tests/clang.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + } + ], + "features": {}, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/cexpr-0.4.0/Cargo.toml", + "metadata": null, + "publish": null, + "authors": [ + "Jethro Beekman " + ], + "categories": [], + "keywords": [ + "C", + "expression", + "parser" + ], + "readme": null, + "repository": "https://github.com/jethrogb/rust-cexpr", + "homepage": null, + "documentation": "https://docs.rs/cexpr/", + "edition": "2018", + "links": null, + "default_run": null + }, + { + "name": "cfg-if", + "version": "1.0.0", + "id": "cfg-if 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT/Apache-2.0", + "license_file": null, + "description": "A macro to ergonomically define an item depending on a large number of #[cfg]\nparameters. Structured like an if-else chain, the first matching branch is the\nitem that gets emitted.\n", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "compiler_builtins", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.1.2", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "rustc-std-workspace-core", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0.0", + "kind": null, + "rename": "core", + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "cfg-if", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/cfg-if-1.0.0/src/lib.rs", + "edition": "2018", + "doc": true, + "doctest": true, + "test": true + }, + { + "kind": [ + "test" + 
], + "crate_types": [ + "bin" + ], + "name": "xcrate", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/cfg-if-1.0.0/tests/xcrate.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + } + ], + "features": { + "rustc-dep-of-std": [ + "core", + "compiler_builtins" + ] + }, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/cfg-if-1.0.0/Cargo.toml", + "metadata": null, + "publish": null, + "authors": [ + "Alex Crichton " + ], + "categories": [], + "keywords": [], + "readme": "README.md", + "repository": "https://github.com/alexcrichton/cfg-if", + "homepage": "https://github.com/alexcrichton/cfg-if", + "documentation": "https://docs.rs/cfg-if", + "edition": "2018", + "links": null, + "default_run": null + }, + { + "name": "clang-sys", + "version": "1.3.0", + "id": "clang-sys 1.3.0 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "Apache-2.0", + "license_file": null, + "description": "Rust bindings for libclang.", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "glob", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.3", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "libc", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.2.39", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": false, + "features": [], + "target": null, + "registry": null + }, + { + "name": "libloading", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.7", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "glob", + "source": "registry+https://github.com/rust-lang/crates.io-index", + 
"req": "^0.3", + "kind": "build", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "clang-sys", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/clang-sys-1.3.0/src/lib.rs", + "edition": "2015", + "doc": true, + "doctest": true, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "lib", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/clang-sys-1.3.0/tests/lib.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "custom-build" + ], + "crate_types": [ + "bin" + ], + "name": "build-script-build", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/clang-sys-1.3.0/build.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": false + } + ], + "features": { + "clang_10_0": [ + "clang_9_0" + ], + "clang_11_0": [ + "clang_10_0" + ], + "clang_12_0": [ + "clang_11_0" + ], + "clang_13_0": [ + "clang_12_0" + ], + "clang_3_5": [], + "clang_3_6": [ + "clang_3_5" + ], + "clang_3_7": [ + "clang_3_6" + ], + "clang_3_8": [ + "clang_3_7" + ], + "clang_3_9": [ + "clang_3_8" + ], + "clang_4_0": [ + "clang_3_9" + ], + "clang_5_0": [ + "clang_4_0" + ], + "clang_6_0": [ + "clang_5_0" + ], + "clang_7_0": [ + "clang_6_0" + ], + "clang_8_0": [ + "clang_7_0" + ], + "clang_9_0": [ + "clang_8_0" + ], + "runtime": [ + "libloading" + ], + "static": [] + }, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/clang-sys-1.3.0/Cargo.toml", + "metadata": { + "docs": { + "rs": { + "features": [ + "clang_11_0", + "runtime" + ] + } + } + }, + "publish": null, + "authors": [ + "Kyle Mayes " + ], + "categories": [], + "keywords": [], + "readme": "README.md", + "repository": 
"https://github.com/KyleMayes/clang-sys", + "homepage": null, + "documentation": "https://docs.rs/clang-sys", + "edition": "2015", + "links": "clang", + "default_run": null + }, + { + "name": "clap", + "version": "2.34.0", + "id": "clap 2.34.0 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT", + "license_file": null, + "description": "A simple to use, efficient, and full-featured Command Line Argument Parser\n", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "atty", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.2.2", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "bitflags", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "clippy", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "~0.0.166", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "strsim", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.8", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "term_size", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.3.0", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "textwrap", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.11.0", + "kind": null, + "rename": null, + "optional": false, 
+ "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "unicode-width", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.1.4", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "vec_map", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.8", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "yaml-rust", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.3.5", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "lazy_static", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.3", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "regex", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "version-sync", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.8", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "ansi_term", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.12", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": "cfg(not(windows))", + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + 
"crate_types": [ + "lib" + ], + "name": "clap", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/clap-2.34.0/src/lib.rs", + "edition": "2018", + "doc": true, + "doctest": true, + "test": true + } + ], + "features": { + "color": [ + "ansi_term", + "atty" + ], + "debug": [], + "default": [ + "suggestions", + "color", + "vec_map" + ], + "doc": [ + "yaml" + ], + "nightly": [], + "no_cargo": [], + "suggestions": [ + "strsim" + ], + "unstable": [], + "wrap_help": [ + "term_size", + "textwrap/term_size" + ], + "yaml": [ + "yaml-rust" + ] + }, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/clap-2.34.0/Cargo.toml", + "metadata": { + "docs": { + "rs": { + "features": [ + "doc" + ] + } + } + }, + "publish": null, + "authors": [ + "Kevin K. " + ], + "categories": [ + "command-line-interface" + ], + "keywords": [ + "argument", + "cli", + "arg", + "parser", + "parse" + ], + "readme": "README.md", + "repository": "https://github.com/clap-rs/clap", + "homepage": "https://clap.rs/", + "documentation": "https://docs.rs/clap/", + "edition": "2018", + "links": null, + "default_run": null + }, + { + "name": "env_logger", + "version": "0.8.4", + "id": "env_logger 0.8.4 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT/Apache-2.0", + "license_file": null, + "description": "A logging implementation for `log` which is configured via an environment\nvariable.\n", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "atty", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.2.5", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "humantime", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^2.0.0", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": 
true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "log", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.4.8", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [ + "std" + ], + "target": null, + "registry": null + }, + { + "name": "regex", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0.3", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": false, + "features": [ + "std", + "perf" + ], + "target": null, + "registry": null + }, + { + "name": "termcolor", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0.2", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "env_logger", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/env_logger-0.8.4/src/lib.rs", + "edition": "2018", + "doc": true, + "doctest": true, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "regexp_filter", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/env_logger-0.8.4/tests/regexp_filter.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "log-in-log", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/env_logger-0.8.4/tests/log-in-log.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "log_tls_dtors", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/env_logger-0.8.4/tests/log_tls_dtors.rs", + "edition": "2018", + "doc": false, + "doctest": 
false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "init-twice-retains-filter", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/env_logger-0.8.4/tests/init-twice-retains-filter.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + } + ], + "features": { + "default": [ + "termcolor", + "atty", + "humantime", + "regex" + ] + }, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/env_logger-0.8.4/Cargo.toml", + "metadata": null, + "publish": null, + "authors": [ + "The Rust Project Developers" + ], + "categories": [ + "development-tools::debugging" + ], + "keywords": [ + "logging", + "log", + "logger" + ], + "readme": "README.md", + "repository": "https://github.com/env-logger-rs/env_logger/", + "homepage": null, + "documentation": "https://docs.rs/env_logger", + "edition": "2018", + "links": null, + "default_run": null + }, + { + "name": "evercrypt-sys", + "version": "0.0.9", + "id": "evercrypt-sys 0.0.9 (path+file:///Users/franziskus/repos/evercrypt-cmake-c/rust/evercrypt-sys)", + "license": "MPL-2.0", + "license_file": null, + "description": "FFI binding to HACL/Evercrypt", + "source": null, + "dependencies": [ + { + "name": "libc", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.2", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": false, + "features": [], + "target": null, + "registry": null + }, + { + "name": "bindgen", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.58", + "kind": "build", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": "cfg(not(windows))", + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "evercrypt-sys", + "src_path": "/Users/franziskus/repos/evercrypt-cmake-c/rust/evercrypt-sys/src/lib.rs", 
+ "edition": "2021", + "doc": true, + "doctest": true, + "test": true + }, + { + "kind": [ + "custom-build" + ], + "crate_types": [ + "bin" + ], + "name": "build-script-build", + "src_path": "/Users/franziskus/repos/evercrypt-cmake-c/rust/evercrypt-sys/build.rs", + "edition": "2021", + "doc": false, + "doctest": false, + "test": false + } + ], + "features": {}, + "manifest_path": "/Users/franziskus/repos/evercrypt-cmake-c/rust/evercrypt-sys/Cargo.toml", + "metadata": null, + "publish": null, + "authors": [ + "Franziskus Kiefer " + ], + "categories": [ + "cryptography", + "api-bindings" + ], + "keywords": [], + "readme": "README.md", + "repository": "https://github.com/franziskuskiefer/evercrypt-rust/", + "homepage": null, + "documentation": "https://www.franziskuskiefer.de/evercrypt-rust", + "edition": "2021", + "links": "evercrypt", + "default_run": null + }, + { + "name": "glob", + "version": "0.3.0", + "id": "glob 0.3.0 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT/Apache-2.0", + "license_file": null, + "description": "Support for matching file paths against Unix shell style patterns.\n", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "tempdir", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.3", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "glob", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/glob-0.3.0/src/lib.rs", + "edition": "2015", + "doc": true, + "doctest": true, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "glob-std", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/glob-0.3.0/tests/glob-std.rs", + "edition": "2015", + "doc": false, 
+ "doctest": false, + "test": true + } + ], + "features": {}, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/glob-0.3.0/Cargo.toml", + "metadata": null, + "publish": null, + "authors": [ + "The Rust Project Developers" + ], + "categories": [ + "filesystem" + ], + "keywords": [], + "readme": "README.md", + "repository": "https://github.com/rust-lang/glob", + "homepage": "https://github.com/rust-lang/glob", + "documentation": "https://docs.rs/glob/0.3.0", + "edition": "2015", + "links": null, + "default_run": null + }, + { + "name": "hermit-abi", + "version": "0.1.19", + "id": "hermit-abi 0.1.19 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT/Apache-2.0", + "license_file": null, + "description": "hermit-abi is small interface to call functions from the unikernel RustyHermit.\nIt is used to build the target `x86_64-unknown-hermit`.\n", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "compiler_builtins", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.1", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "rustc-std-workspace-core", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0.0", + "kind": null, + "rename": "core", + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "libc", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.2.51", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": false, + "features": [], + "target": null, + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "hermit-abi", + "src_path": 
"/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/hermit-abi-0.1.19/src/lib.rs", + "edition": "2018", + "doc": true, + "doctest": true, + "test": true + } + ], + "features": { + "default": [], + "docs": [], + "rustc-dep-of-std": [ + "core", + "compiler_builtins/rustc-dep-of-std", + "libc/rustc-dep-of-std" + ] + }, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/hermit-abi-0.1.19/Cargo.toml", + "metadata": { + "docs": { + "rs": { + "default-target": "x86_64-unknown-hermit", + "features": [ + "docs" + ] + } + } + }, + "publish": null, + "authors": [ + "Stefan Lankes" + ], + "categories": [ + "os" + ], + "keywords": [ + "unikernel", + "libos" + ], + "readme": "README.md", + "repository": "https://github.com/hermitcore/libhermit-rs", + "homepage": null, + "documentation": "https://hermitcore.github.io/rusty-hermit/hermit_abi", + "edition": "2018", + "links": null, + "default_run": null + }, + { + "name": "humantime", + "version": "2.1.0", + "id": "humantime 2.1.0 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT/Apache-2.0", + "license_file": null, + "description": " A parser and formatter for std::time::{Duration, SystemTime}\n", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "chrono", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.4", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "rand", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.6", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "time", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.1", + "kind": "dev", + "rename": null, + "optional": false, + 
"uses_default_features": true, + "features": [], + "target": null, + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "humantime", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/humantime-2.1.0/src/lib.rs", + "edition": "2018", + "doc": true, + "doctest": true, + "test": true + }, + { + "kind": [ + "bench" + ], + "crate_types": [ + "bin" + ], + "name": "datetime_format", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/humantime-2.1.0/benches/datetime_format.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": false + }, + { + "kind": [ + "bench" + ], + "crate_types": [ + "bin" + ], + "name": "datetime_parse", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/humantime-2.1.0/benches/datetime_parse.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": false + } + ], + "features": {}, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/humantime-2.1.0/Cargo.toml", + "metadata": null, + "publish": null, + "authors": [ + "Paul Colomiets " + ], + "categories": [ + "date-and-time" + ], + "keywords": [ + "time", + "human", + "human-friendly", + "parser", + "duration" + ], + "readme": "README.md", + "repository": "https://github.com/tailhook/humantime", + "homepage": "https://github.com/tailhook/humantime", + "documentation": "https://docs.rs/humantime", + "edition": "2018", + "links": null, + "default_run": null + }, + { + "name": "lazy_static", + "version": "1.4.0", + "id": "lazy_static 1.4.0 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT/Apache-2.0", + "license_file": null, + "description": "A macro for declaring lazily evaluated statics in Rust.", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "spin", + "source": 
"registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.5.0", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "doc-comment", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.3.1", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "lazy_static", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/lazy_static-1.4.0/src/lib.rs", + "edition": "2015", + "doc": true, + "doctest": true, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "test", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/lazy_static-1.4.0/tests/test.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "no_std", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/lazy_static-1.4.0/tests/no_std.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": true + } + ], + "features": { + "spin_no_std": [ + "spin" + ] + }, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/lazy_static-1.4.0/Cargo.toml", + "metadata": null, + "publish": null, + "authors": [ + "Marvin Löbel " + ], + "categories": [ + "no-std", + "rust-patterns", + "memory-management" + ], + "keywords": [ + "macro", + "lazy", + "static" + ], + "readme": "README.md", + "repository": "https://github.com/rust-lang-nursery/lazy-static.rs", + "homepage": null, + "documentation": "https://docs.rs/lazy_static", + "edition": "2015", + "links": null, + "default_run": null + }, + { + "name": "lazycell", + "version": "1.3.0", + "id": 
"lazycell 1.3.0 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT/Apache-2.0", + "license_file": null, + "description": "A library providing a lazily filled Cell struct", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "clippy", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.0", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "serde", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "lazycell", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/lazycell-1.3.0/src/lib.rs", + "edition": "2015", + "doc": true, + "doctest": true, + "test": true + } + ], + "features": { + "nightly": [], + "nightly-testing": [ + "clippy", + "nightly" + ] + }, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/lazycell-1.3.0/Cargo.toml", + "metadata": null, + "publish": null, + "authors": [ + "Alex Crichton ", + "Nikita Pekin " + ], + "categories": [], + "keywords": [ + "lazycell", + "lazy", + "cell", + "library" + ], + "readme": "README.md", + "repository": "https://github.com/indiv0/lazycell", + "homepage": null, + "documentation": "http://indiv0.github.io/lazycell/lazycell/", + "edition": "2015", + "links": null, + "default_run": null + }, + { + "name": "libc", + "version": "0.2.112", + "id": "libc 0.2.112 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT OR Apache-2.0", + "license_file": null, + "description": "Raw FFI bindings to platform libraries like libc.\n", + "source": 
"registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "rustc-std-workspace-core", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0.0", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "libc", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/libc-0.2.112/src/lib.rs", + "edition": "2015", + "doc": true, + "doctest": true, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "const_fn", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/libc-0.2.112/tests/const_fn.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "custom-build" + ], + "crate_types": [ + "bin" + ], + "name": "build-script-build", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/libc-0.2.112/build.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": false + } + ], + "features": { + "align": [], + "const-extern-fn": [], + "default": [ + "std" + ], + "extra_traits": [], + "rustc-dep-of-std": [ + "align", + "rustc-std-workspace-core" + ], + "std": [], + "use_std": [ + "std" + ] + }, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/libc-0.2.112/Cargo.toml", + "metadata": { + "docs": { + "rs": { + "features": [ + "const-extern-fn", + "extra_traits" + ] + } + } + }, + "publish": null, + "authors": [ + "The Rust Project Developers" + ], + "categories": [ + "external-ffi-bindings", + "no-std", + "os" + ], + "keywords": [ + "libc", + "ffi", + "bindings", + "operating", + "system" + ], + "readme": "README.md", + "repository": "https://github.com/rust-lang/libc", + "homepage": "https://github.com/rust-lang/libc", + 
"documentation": "https://docs.rs/libc/", + "edition": "2015", + "links": null, + "default_run": null + }, + { + "name": "libloading", + "version": "0.7.2", + "id": "libloading 0.7.2 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "ISC", + "license_file": null, + "description": "Bindings around the platform's dynamic library loading primitives with greatly improved memory safety.", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "libc", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.2", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "static_assertions", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.1", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "cfg-if", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": "cfg(unix)", + "registry": null + }, + { + "name": "winapi", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.3", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [ + "errhandlingapi", + "libloaderapi" + ], + "target": "cfg(windows)", + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "libloading", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/libloading-0.7.2/src/lib.rs", + "edition": "2015", + "doc": true, + "doctest": true, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "constants", + "src_path": 
"/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/libloading-0.7.2/tests/constants.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "functions", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/libloading-0.7.2/tests/functions.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "library_filename", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/libloading-0.7.2/tests/library_filename.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "windows", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/libloading-0.7.2/tests/windows.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "markers", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/libloading-0.7.2/tests/markers.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": true + } + ], + "features": {}, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/libloading-0.7.2/Cargo.toml", + "metadata": { + "docs": { + "rs": { + "all-features": true, + "rustdoc-args": [ + "--cfg", + "docsrs" + ] + } + } + }, + "publish": null, + "authors": [ + "Simonas Kazlauskas " + ], + "categories": [ + "api-bindings" + ], + "keywords": [ + "dlopen", + "load", + "shared", + "dylib" + ], + "readme": "README.mkd", + "repository": "https://github.com/nagisa/rust_libloading/", + "homepage": null, + "documentation": "https://docs.rs/libloading/", + "edition": "2015", + "links": null, + "default_run": null + }, + { + "name": "log", + "version": 
"0.4.14", + "id": "log 0.4.14 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT OR Apache-2.0", + "license_file": null, + "description": "A lightweight logging facade for Rust\n", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "cfg-if", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "serde", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": false, + "features": [], + "target": null, + "registry": null + }, + { + "name": "sval", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0.0-alpha.5", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": false, + "features": [], + "target": null, + "registry": null + }, + { + "name": "value-bag", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0.0-alpha.6", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": false, + "features": [], + "target": null, + "registry": null + }, + { + "name": "serde", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [ + "derive" + ], + "target": null, + "registry": null + }, + { + "name": "serde_test", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "sval", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0.0-alpha.5", 
+ "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [ + "derive" + ], + "target": null, + "registry": null + }, + { + "name": "value-bag", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0.0-alpha.6", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [ + "test" + ], + "target": null, + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "log", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/log-0.4.14/src/lib.rs", + "edition": "2015", + "doc": true, + "doctest": true, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "filters", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/log-0.4.14/tests/filters.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "macros", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/log-0.4.14/tests/macros.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "bench" + ], + "crate_types": [ + "bin" + ], + "name": "value", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/log-0.4.14/benches/value.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": false + }, + { + "kind": [ + "custom-build" + ], + "crate_types": [ + "bin" + ], + "name": "build-script-build", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/log-0.4.14/build.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": false + } + ], + "features": { + "kv_unstable": [ + "value-bag" + ], + "kv_unstable_serde": [ + "kv_unstable_std", + "value-bag/serde", + "serde" + ], + "kv_unstable_std": [ + "std", + 
"kv_unstable", + "value-bag/error" + ], + "kv_unstable_sval": [ + "kv_unstable", + "value-bag/sval", + "sval" + ], + "max_level_debug": [], + "max_level_error": [], + "max_level_info": [], + "max_level_off": [], + "max_level_trace": [], + "max_level_warn": [], + "release_max_level_debug": [], + "release_max_level_error": [], + "release_max_level_info": [], + "release_max_level_off": [], + "release_max_level_trace": [], + "release_max_level_warn": [], + "std": [] + }, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/log-0.4.14/Cargo.toml", + "metadata": { + "docs": { + "rs": { + "features": [ + "std", + "serde", + "kv_unstable_std", + "kv_unstable_sval", + "kv_unstable_serde" + ] + } + } + }, + "publish": null, + "authors": [ + "The Rust Project Developers" + ], + "categories": [ + "development-tools::debugging" + ], + "keywords": [ + "logging" + ], + "readme": "README.md", + "repository": "https://github.com/rust-lang/log", + "homepage": null, + "documentation": "https://docs.rs/log", + "edition": "2015", + "links": null, + "default_run": null + }, + { + "name": "memchr", + "version": "2.4.1", + "id": "memchr 2.4.1 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "Unlicense/MIT", + "license_file": null, + "description": "Safe interface to memchr.", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "compiler_builtins", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.1.2", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "rustc-std-workspace-core", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0.0", + "kind": null, + "rename": "core", + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "libc", + "source": 
"registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.2.18", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": false, + "features": [], + "target": null, + "registry": null + }, + { + "name": "quickcheck", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0.3", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": false, + "features": [], + "target": null, + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "memchr", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/memchr-2.4.1/src/lib.rs", + "edition": "2018", + "doc": true, + "doctest": true, + "test": true + }, + { + "kind": [ + "custom-build" + ], + "crate_types": [ + "bin" + ], + "name": "build-script-build", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/memchr-2.4.1/build.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": false + } + ], + "features": { + "default": [ + "std" + ], + "rustc-dep-of-std": [ + "core", + "compiler_builtins" + ], + "std": [], + "use_std": [ + "std" + ] + }, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/memchr-2.4.1/Cargo.toml", + "metadata": null, + "publish": null, + "authors": [ + "Andrew Gallant ", + "bluss" + ], + "categories": [], + "keywords": [ + "memchr", + "char", + "scan", + "strchr", + "string" + ], + "readme": "README.md", + "repository": "https://github.com/BurntSushi/memchr", + "homepage": "https://github.com/BurntSushi/memchr", + "documentation": "https://docs.rs/memchr/", + "edition": "2018", + "links": null, + "default_run": null + }, + { + "name": "nom", + "version": "5.1.2", + "id": "nom 5.1.2 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT", + "license_file": null, + "description": "A byte-oriented, zero-copy, parser combinators library", + 
"source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "lazy_static", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "lexical-core", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": ">=0.6, <0.8", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "memchr", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^2.0", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": false, + "features": [], + "target": null, + "registry": null + }, + { + "name": "regex", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "criterion", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.2", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "doc-comment", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.3", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "jemallocator", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.1", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "version_check", + "source": 
"registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.9", + "kind": "build", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "nom", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/src/lib.rs", + "edition": "2018", + "doc": true, + "doctest": true, + "test": true + }, + { + "kind": [ + "example" + ], + "crate_types": [ + "bin" + ], + "name": "json", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/examples/json.rs", + "edition": "2018", + "required-features": [ + "alloc" + ], + "doc": false, + "doctest": false, + "test": false + }, + { + "kind": [ + "example" + ], + "crate_types": [ + "bin" + ], + "name": "s_expression", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/examples/s_expression.rs", + "edition": "2018", + "required-features": [ + "alloc" + ], + "doc": false, + "doctest": false, + "test": false + }, + { + "kind": [ + "example" + ], + "crate_types": [ + "bin" + ], + "name": "string", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/examples/string.rs", + "edition": "2018", + "required-features": [ + "alloc" + ], + "doc": false, + "doctest": false, + "test": false + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "arithmetic", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/tests/arithmetic.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "arithmetic_ast", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/tests/arithmetic_ast.rs", + "edition": "2018", + "required-features": [ + "alloc" + ], + 
"doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "blockbuf-arithmetic", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/tests/blockbuf-arithmetic.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "css", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/tests/css.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "custom_errors", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/tests/custom_errors.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "float", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/tests/float.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "inference", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/tests/inference.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "ini", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/tests/ini.rs", + "edition": "2018", + "required-features": [ + "alloc" + ], + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "ini_str", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/tests/ini_str.rs", + "edition": "2018", + "required-features": [ + "alloc" + ], + "doc": 
false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "issues", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/tests/issues.rs", + "edition": "2018", + "required-features": [ + "alloc", + "regexp_macros" + ], + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "json", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/tests/json.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "mp4", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/tests/mp4.rs", + "edition": "2018", + "required-features": [ + "alloc" + ], + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "multiline", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/tests/multiline.rs", + "edition": "2018", + "required-features": [ + "alloc" + ], + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "named_args", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/tests/named_args.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "overflow", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/tests/overflow.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "reborrow_fold", + "src_path": 
"/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/tests/reborrow_fold.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "test1", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/tests/test1.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "escaped", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/tests/escaped.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "bench" + ], + "crate_types": [ + "bin" + ], + "name": "arithmetic", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/benches/arithmetic.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": false + }, + { + "kind": [ + "bench" + ], + "crate_types": [ + "bin" + ], + "name": "http", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/benches/http.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": false + }, + { + "kind": [ + "bench" + ], + "crate_types": [ + "bin" + ], + "name": "ini", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/benches/ini.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": false + }, + { + "kind": [ + "bench" + ], + "crate_types": [ + "bin" + ], + "name": "ini_complete", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/benches/ini_complete.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": false + }, + { + "kind": [ + "bench" + ], + "crate_types": [ + "bin" + ], + "name": "ini_str", + "src_path": 
"/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/benches/ini_str.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": false + }, + { + "kind": [ + "bench" + ], + "crate_types": [ + "bin" + ], + "name": "json", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/benches/json.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": false + }, + { + "kind": [ + "custom-build" + ], + "crate_types": [ + "bin" + ], + "name": "build-script-build", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/build.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": false + } + ], + "features": { + "alloc": [], + "default": [ + "std", + "lexical" + ], + "lexical": [ + "lexical-core" + ], + "regexp": [ + "regex" + ], + "regexp_macros": [ + "regexp", + "lazy_static" + ], + "std": [ + "alloc", + "memchr/use_std" + ] + }, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/nom-5.1.2/Cargo.toml", + "metadata": { + "docs": { + "rs": { + "all-features": true, + "features": [ + "alloc", + "std", + "regexp", + "regexp_macros", + "lexical" + ] + } + } + }, + "publish": null, + "authors": [ + "contact@geoffroycouprie.com" + ], + "categories": [ + "parsing" + ], + "keywords": [ + "parser", + "parser-combinators", + "parsing", + "streaming", + "bit" + ], + "readme": "README.md", + "repository": "https://github.com/Geal/nom", + "homepage": null, + "documentation": "https://docs.rs/nom", + "edition": "2018", + "links": null, + "default_run": null + }, + { + "name": "peeking_take_while", + "version": "0.1.2", + "id": "peeking_take_while 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "Apache-2.0/MIT", + "license_file": null, + "description": "Like `Iterator::take_while`, but calls the predicate on a peeked value. 
This allows you to use `Iterator::by_ref` and `Iterator::take_while` together, and still get the first value for which the `take_while` predicate returned false after dropping the `by_ref`.", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "peeking_take_while", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/peeking_take_while-0.1.2/src/lib.rs", + "edition": "2015", + "doc": true, + "doctest": true, + "test": true + } + ], + "features": {}, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/peeking_take_while-0.1.2/Cargo.toml", + "metadata": null, + "publish": null, + "authors": [ + "Nick Fitzgerald " + ], + "categories": [ + "rust-patterns" + ], + "keywords": [ + "iterator", + "take_while", + "peek", + "by_ref" + ], + "readme": "./README.md", + "repository": "https://github.com/fitzgen/peeking_take_while", + "homepage": null, + "documentation": null, + "edition": "2015", + "links": null, + "default_run": null + }, + { + "name": "proc-macro2", + "version": "1.0.36", + "id": "proc-macro2 1.0.36 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT OR Apache-2.0", + "license_file": null, + "description": "A substitute implementation of the compiler's `proc_macro` API to decouple\ntoken-based libraries from the procedural macro use case.\n", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "unicode-xid", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.2", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "quote", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0", + "kind": "dev", + "rename": null, + "optional": false, + 
"uses_default_features": false, + "features": [], + "target": null, + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "proc-macro2", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/proc-macro2-1.0.36/src/lib.rs", + "edition": "2018", + "doc": true, + "doctest": true, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "features", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/proc-macro2-1.0.36/tests/features.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "test", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/proc-macro2-1.0.36/tests/test.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "test_fmt", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/proc-macro2-1.0.36/tests/test_fmt.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "comments", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/proc-macro2-1.0.36/tests/comments.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "marker", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/proc-macro2-1.0.36/tests/marker.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "custom-build" + ], + "crate_types": [ + "bin" + ], + "name": "build-script-build", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/proc-macro2-1.0.36/build.rs", + 
"edition": "2018", + "doc": false, + "doctest": false, + "test": false + } + ], + "features": { + "default": [ + "proc-macro" + ], + "nightly": [], + "proc-macro": [], + "span-locations": [] + }, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/proc-macro2-1.0.36/Cargo.toml", + "metadata": { + "docs": { + "rs": { + "rustc-args": [ + "--cfg", + "procmacro2_semver_exempt" + ], + "rustdoc-args": [ + "--cfg", + "procmacro2_semver_exempt", + "--cfg", + "doc_cfg" + ], + "targets": [ + "x86_64-unknown-linux-gnu" + ] + } + }, + "playground": { + "features": [ + "span-locations" + ] + } + }, + "publish": null, + "authors": [ + "David Tolnay ", + "Alex Crichton " + ], + "categories": [ + "development-tools::procedural-macro-helpers" + ], + "keywords": [ + "macros" + ], + "readme": "README.md", + "repository": "https://github.com/dtolnay/proc-macro2", + "homepage": null, + "documentation": "https://docs.rs/proc-macro2", + "edition": "2018", + "links": null, + "default_run": null + }, + { + "name": "quote", + "version": "1.0.14", + "id": "quote 1.0.14 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT OR Apache-2.0", + "license_file": null, + "description": "Quasi-quoting macro quote!(...)", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "proc-macro2", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0.36", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": false, + "features": [], + "target": null, + "registry": null + }, + { + "name": "rustversion", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "trybuild", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0.52", + 
"kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [ + "diff" + ], + "target": null, + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "quote", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/quote-1.0.14/src/lib.rs", + "edition": "2018", + "doc": true, + "doctest": true, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "test", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/quote-1.0.14/tests/test.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "compiletest", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/quote-1.0.14/tests/compiletest.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + } + ], + "features": { + "default": [ + "proc-macro" + ], + "proc-macro": [ + "proc-macro2/proc-macro" + ] + }, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/quote-1.0.14/Cargo.toml", + "metadata": { + "docs": { + "rs": { + "targets": [ + "x86_64-unknown-linux-gnu" + ] + } + } + }, + "publish": null, + "authors": [ + "David Tolnay " + ], + "categories": [ + "development-tools::procedural-macro-helpers" + ], + "keywords": [ + "syn" + ], + "readme": "README.md", + "repository": "https://github.com/dtolnay/quote", + "homepage": null, + "documentation": "https://docs.rs/quote/", + "edition": "2018", + "links": null, + "default_run": null + }, + { + "name": "regex", + "version": "1.5.4", + "id": "regex 1.5.4 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT OR Apache-2.0", + "license_file": null, + "description": "An implementation of regular expressions for Rust. 
This implementation uses\nfinite automata and guarantees linear time matching on all inputs.\n", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "aho-corasick", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.7.18", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "memchr", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^2.4.0", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "regex-syntax", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.6.25", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": false, + "features": [], + "target": null, + "registry": null + }, + { + "name": "lazy_static", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "quickcheck", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0.3", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": false, + "features": [], + "target": null, + "registry": null + }, + { + "name": "rand", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.8.3", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": false, + "features": [ + "getrandom", + "small_rng" + ], + "target": null, + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "regex", + "src_path": 
"/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/regex-1.5.4/src/lib.rs", + "edition": "2018", + "doc": true, + "doctest": false, + "test": true + }, + { + "kind": [ + "example" + ], + "crate_types": [ + "bin" + ], + "name": "shootout-regex-dna-bytes", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/regex-1.5.4/examples/shootout-regex-dna-bytes.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": false + }, + { + "kind": [ + "example" + ], + "crate_types": [ + "bin" + ], + "name": "shootout-regex-dna-cheat", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/regex-1.5.4/examples/shootout-regex-dna-cheat.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": false + }, + { + "kind": [ + "example" + ], + "crate_types": [ + "bin" + ], + "name": "shootout-regex-dna", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/regex-1.5.4/examples/shootout-regex-dna.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": false + }, + { + "kind": [ + "example" + ], + "crate_types": [ + "bin" + ], + "name": "shootout-regex-dna-replace", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/regex-1.5.4/examples/shootout-regex-dna-replace.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": false + }, + { + "kind": [ + "example" + ], + "crate_types": [ + "bin" + ], + "name": "shootout-regex-dna-single-cheat", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/regex-1.5.4/examples/shootout-regex-dna-single-cheat.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": false + }, + { + "kind": [ + "example" + ], + "crate_types": [ + "bin" + ], + "name": "shootout-regex-dna-single", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/regex-1.5.4/examples/shootout-regex-dna-single.rs", + "edition": "2018", + 
"doc": false, + "doctest": false, + "test": false + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "default", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/regex-1.5.4/tests/test_default.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "default-bytes", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/regex-1.5.4/tests/test_default_bytes.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "nfa", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/regex-1.5.4/tests/test_nfa.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "nfa-utf8bytes", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/regex-1.5.4/tests/test_nfa_utf8bytes.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "nfa-bytes", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/regex-1.5.4/tests/test_nfa_bytes.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "backtrack", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/regex-1.5.4/tests/test_backtrack.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "backtrack-utf8bytes", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/regex-1.5.4/tests/test_backtrack_utf8bytes.rs", + "edition": "2018", + "doc": 
false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "backtrack-bytes", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/regex-1.5.4/tests/test_backtrack_bytes.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "crates-regex", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/regex-1.5.4/tests/test_crates_regex.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": true + } + ], + "features": { + "default": [ + "std", + "perf", + "unicode", + "regex-syntax/default" + ], + "pattern": [], + "perf": [ + "perf-cache", + "perf-dfa", + "perf-inline", + "perf-literal" + ], + "perf-cache": [], + "perf-dfa": [], + "perf-inline": [], + "perf-literal": [ + "aho-corasick", + "memchr" + ], + "std": [], + "unicode": [ + "unicode-age", + "unicode-bool", + "unicode-case", + "unicode-gencat", + "unicode-perl", + "unicode-script", + "unicode-segment", + "regex-syntax/unicode" + ], + "unicode-age": [ + "regex-syntax/unicode-age" + ], + "unicode-bool": [ + "regex-syntax/unicode-bool" + ], + "unicode-case": [ + "regex-syntax/unicode-case" + ], + "unicode-gencat": [ + "regex-syntax/unicode-gencat" + ], + "unicode-perl": [ + "regex-syntax/unicode-perl" + ], + "unicode-script": [ + "regex-syntax/unicode-script" + ], + "unicode-segment": [ + "regex-syntax/unicode-segment" + ], + "unstable": [ + "pattern" + ], + "use_std": [ + "std" + ] + }, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/regex-1.5.4/Cargo.toml", + "metadata": null, + "publish": null, + "authors": [ + "The Rust Project Developers" + ], + "categories": [ + "text-processing" + ], + "keywords": [], + "readme": "README.md", + "repository": "https://github.com/rust-lang/regex", + "homepage": "https://github.com/rust-lang/regex", + "documentation": 
"https://docs.rs/regex", + "edition": "2018", + "links": null, + "default_run": null + }, + { + "name": "regex-syntax", + "version": "0.6.25", + "id": "regex-syntax 0.6.25 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT/Apache-2.0", + "license_file": null, + "description": "A regular expression parser.", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "regex-syntax", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/regex-syntax-0.6.25/src/lib.rs", + "edition": "2018", + "doc": true, + "doctest": true, + "test": true + }, + { + "kind": [ + "bench" + ], + "crate_types": [ + "bin" + ], + "name": "bench", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/regex-syntax-0.6.25/benches/bench.rs", + "edition": "2018", + "doc": false, + "doctest": false, + "test": false + } + ], + "features": { + "default": [ + "unicode" + ], + "unicode": [ + "unicode-age", + "unicode-bool", + "unicode-case", + "unicode-gencat", + "unicode-perl", + "unicode-script", + "unicode-segment" + ], + "unicode-age": [], + "unicode-bool": [], + "unicode-case": [], + "unicode-gencat": [], + "unicode-perl": [], + "unicode-script": [], + "unicode-segment": [] + }, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/regex-syntax-0.6.25/Cargo.toml", + "metadata": null, + "publish": null, + "authors": [ + "The Rust Project Developers" + ], + "categories": [], + "keywords": [], + "readme": "README.md", + "repository": "https://github.com/rust-lang/regex", + "homepage": "https://github.com/rust-lang/regex", + "documentation": "https://docs.rs/regex-syntax", + "edition": "2018", + "links": null, + "default_run": null + }, + { + "name": "rustc-hash", + "version": "1.1.0", + "id": "rustc-hash 1.1.0 (registry+https://github.com/rust-lang/crates.io-index)", + 
"license": "Apache-2.0/MIT", + "license_file": null, + "description": "speed, non-cryptographic hash used in rustc", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "rustc-hash", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/rustc-hash-1.1.0/src/lib.rs", + "edition": "2015", + "doc": true, + "doctest": true, + "test": true + } + ], + "features": { + "default": [ + "std" + ], + "std": [] + }, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/rustc-hash-1.1.0/Cargo.toml", + "metadata": null, + "publish": null, + "authors": [ + "The Rust Project Developers" + ], + "categories": [], + "keywords": [ + "hash", + "fxhash", + "rustc" + ], + "readme": "README.md", + "repository": "https://github.com/rust-lang-nursery/rustc-hash", + "homepage": null, + "documentation": null, + "edition": "2015", + "links": null, + "default_run": null + }, + { + "name": "shlex", + "version": "1.1.0", + "id": "shlex 1.1.0 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT OR Apache-2.0", + "license_file": null, + "description": "Split a string into shell words, like Python's shlex.", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "shlex", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/shlex-1.1.0/src/lib.rs", + "edition": "2015", + "doc": true, + "doctest": true, + "test": true + } + ], + "features": { + "default": [ + "std" + ], + "std": [] + }, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/shlex-1.1.0/Cargo.toml", + "metadata": null, + "publish": null, + "authors": [ + "comex ", + "Fenhl " + ], + "categories": [ + "command-line-interface", + "parser-implementations" + ], 
+ "keywords": [], + "readme": "README.md", + "repository": "https://github.com/comex/rust-shlex", + "homepage": null, + "documentation": null, + "edition": "2015", + "links": null, + "default_run": null + }, + { + "name": "strsim", + "version": "0.8.0", + "id": "strsim 0.8.0 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT", + "license_file": null, + "description": "Implementations of string similarity metrics.\nIncludes Hamming, Levenshtein, OSA, Damerau-Levenshtein, Jaro, and Jaro-Winkler.\n", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "strsim", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/strsim-0.8.0/src/lib.rs", + "edition": "2015", + "doc": true, + "doctest": true, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "lib", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/strsim-0.8.0/tests/lib.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "bench" + ], + "crate_types": [ + "bin" + ], + "name": "benches", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/strsim-0.8.0/benches/benches.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": false + } + ], + "features": {}, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/strsim-0.8.0/Cargo.toml", + "metadata": null, + "publish": null, + "authors": [ + "Danny Guo " + ], + "categories": [], + "keywords": [ + "string", + "similarity", + "Hamming", + "Levenshtein", + "Jaro" + ], + "readme": "README.md", + "repository": "https://github.com/dguo/strsim-rs", + "homepage": "https://github.com/dguo/strsim-rs", + "documentation": "https://docs.rs/strsim/", + "edition": "2015", + "links": null, + "default_run": null + }, + { 
+ "name": "termcolor", + "version": "1.1.2", + "id": "termcolor 1.1.2 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "Unlicense OR MIT", + "license_file": null, + "description": "A simple cross platform library for writing colored text to a terminal.\n", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "winapi-util", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.1.3", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": "cfg(windows)", + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "termcolor", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/termcolor-1.1.2/src/lib.rs", + "edition": "2018", + "doc": true, + "doctest": true, + "test": true + } + ], + "features": {}, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/termcolor-1.1.2/Cargo.toml", + "metadata": null, + "publish": null, + "authors": [ + "Andrew Gallant " + ], + "categories": [], + "keywords": [ + "windows", + "win", + "color", + "ansi", + "console" + ], + "readme": "README.md", + "repository": "https://github.com/BurntSushi/termcolor", + "homepage": "https://github.com/BurntSushi/termcolor", + "documentation": "https://docs.rs/termcolor", + "edition": "2018", + "links": null, + "default_run": null + }, + { + "name": "textwrap", + "version": "0.11.0", + "id": "textwrap 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT", + "license_file": null, + "description": "Textwrap is a small library for word wrapping, indenting, and\ndedenting strings.\n\nYou can use it to format strings (such as help and error messages) for\ndisplay in commandline applications. 
It is designed to be efficient\nand handle Unicode characters correctly.\n", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "hyphenation", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.7.1", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [ + "embed_all" + ], + "target": null, + "registry": null + }, + { + "name": "term_size", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.3.0", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "unicode-width", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.1.3", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "lipsum", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.6", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "rand", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.6", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "rand_xorshift", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.1", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "version-sync", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.6", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, 
+ "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "textwrap", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/textwrap-0.11.0/src/lib.rs", + "edition": "2015", + "doc": true, + "doctest": true, + "test": true + }, + { + "kind": [ + "example" + ], + "crate_types": [ + "bin" + ], + "name": "layout", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/textwrap-0.11.0/examples/layout.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": false + }, + { + "kind": [ + "example" + ], + "crate_types": [ + "bin" + ], + "name": "termwidth", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/textwrap-0.11.0/examples/termwidth.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": false + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "version-numbers", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/textwrap-0.11.0/tests/version-numbers.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "bench" + ], + "crate_types": [ + "bin" + ], + "name": "linear", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/textwrap-0.11.0/benches/linear.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": false + } + ], + "features": {}, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/textwrap-0.11.0/Cargo.toml", + "metadata": { + "docs": { + "rs": { + "all-features": true + } + } + }, + "publish": null, + "authors": [ + "Martin Geisler " + ], + "categories": [ + "text-processing", + "command-line-interface" + ], + "keywords": [ + "text", + "formatting", + "wrap", + "typesetting", + "hyphenation" + ], + "readme": "README.md", + "repository": "https://github.com/mgeisler/textwrap", + "homepage": null, + "documentation": 
"https://docs.rs/textwrap/", + "edition": "2015", + "links": null, + "default_run": null + }, + { + "name": "unicode-width", + "version": "0.1.9", + "id": "unicode-width 0.1.9 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT/Apache-2.0", + "license_file": null, + "description": "Determine displayed width of `char` and `str` types\naccording to Unicode Standard Annex #11 rules.\n", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "compiler_builtins", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.1", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "rustc-std-workspace-core", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0", + "kind": null, + "rename": "core", + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "rustc-std-workspace-std", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0", + "kind": null, + "rename": "std", + "optional": true, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "unicode-width", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/unicode-width-0.1.9/src/lib.rs", + "edition": "2015", + "doc": true, + "doctest": true, + "test": true + } + ], + "features": { + "bench": [], + "default": [], + "no_std": [], + "rustc-dep-of-std": [ + "std", + "core", + "compiler_builtins" + ] + }, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/unicode-width-0.1.9/Cargo.toml", + "metadata": null, + "publish": null, + "authors": [ + "kwantam ", + "Manish Goregaokar " + ], + "categories": [], + 
"keywords": [ + "text", + "width", + "unicode" + ], + "readme": "README.md", + "repository": "https://github.com/unicode-rs/unicode-width", + "homepage": "https://github.com/unicode-rs/unicode-width", + "documentation": "https://unicode-rs.github.io/unicode-width", + "edition": "2015", + "links": null, + "default_run": null + }, + { + "name": "unicode-xid", + "version": "0.2.2", + "id": "unicode-xid 0.2.2 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT OR Apache-2.0", + "license_file": null, + "description": "Determine whether characters have the XID_Start\nor XID_Continue properties according to\nUnicode Standard Annex #31.\n", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "criterion", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.3", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "unicode-xid", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/unicode-xid-0.2.2/src/lib.rs", + "edition": "2015", + "doc": true, + "doctest": true, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "exhaustive_tests", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/unicode-xid-0.2.2/tests/exhaustive_tests.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": true + }, + { + "kind": [ + "bench" + ], + "crate_types": [ + "bin" + ], + "name": "xid", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/unicode-xid-0.2.2/benches/xid.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": false + } + ], + "features": { + "bench": [], + "default": [], + "no_std": [] + }, + "manifest_path": 
"/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/unicode-xid-0.2.2/Cargo.toml", + "metadata": null, + "publish": null, + "authors": [ + "erick.tryzelaar ", + "kwantam ", + "Manish Goregaokar " + ], + "categories": [], + "keywords": [ + "text", + "unicode", + "xid" + ], + "readme": "README.md", + "repository": "https://github.com/unicode-rs/unicode-xid", + "homepage": "https://github.com/unicode-rs/unicode-xid", + "documentation": "https://unicode-rs.github.io/unicode-xid", + "edition": "2015", + "links": null, + "default_run": null + }, + { + "name": "vec_map", + "version": "0.8.2", + "id": "vec_map 0.8.2 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT/Apache-2.0", + "license_file": null, + "description": "A simple map based on a vector for small integer keys", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "serde", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^1.0", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": true, + "features": [ + "derive" + ], + "target": null, + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "vec_map", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/vec_map-0.8.2/src/lib.rs", + "edition": "2015", + "doc": true, + "doctest": true, + "test": true + } + ], + "features": { + "eders": [ + "serde" + ] + }, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/vec_map-0.8.2/Cargo.toml", + "metadata": null, + "publish": null, + "authors": [ + "Alex Crichton ", + "Jorge Aparicio ", + "Alexis Beingessner ", + "Brian Anderson <>", + "tbu- <>", + "Manish Goregaokar <>", + "Aaron Turon ", + "Adolfo Ochagavía <>", + "Niko Matsakis <>", + "Steven Fackler <>", + "Chase Southwood ", + "Eduard Burtescu <>", + "Florian Wilkens <>", + "Félix Raimundo <>", + "Tibor 
Benke <>", + "Markus Siemens ", + "Josh Branchaud ", + "Huon Wilson ", + "Corey Farwell ", + "Aaron Liblong <>", + "Nick Cameron ", + "Patrick Walton ", + "Felix S Klock II <>", + "Andrew Paseltiner ", + "Sean McArthur ", + "Vadim Petrochenkov <>" + ], + "categories": [], + "keywords": [ + "data-structures", + "collections", + "vecmap", + "vec_map", + "contain-rs" + ], + "readme": "README.md", + "repository": "https://github.com/contain-rs/vec-map", + "homepage": "https://github.com/contain-rs/vec-map", + "documentation": "https://contain-rs.github.io/vec-map/vec_map", + "edition": "2015", + "links": null, + "default_run": null + }, + { + "name": "version_check", + "version": "0.9.4", + "id": "version_check 0.9.4 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT/Apache-2.0", + "license_file": null, + "description": "Tiny crate to check the version of the installed/running rustc.", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "version_check", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/version_check-0.9.4/src/lib.rs", + "edition": "2015", + "doc": true, + "doctest": true, + "test": true + } + ], + "features": {}, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/version_check-0.9.4/Cargo.toml", + "metadata": null, + "publish": null, + "authors": [ + "Sergio Benitez " + ], + "categories": [], + "keywords": [ + "version", + "rustc", + "minimum", + "check" + ], + "readme": "README.md", + "repository": "https://github.com/SergioBenitez/version_check", + "homepage": null, + "documentation": "https://docs.rs/version_check/", + "edition": "2015", + "links": null, + "default_run": null + }, + { + "name": "which", + "version": "3.1.1", + "id": "which 3.1.1 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT", + 
"license_file": null, + "description": "A Rust equivalent of Unix command \"which\". Locate installed executable in cross platforms.", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "failure", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.1.7", + "kind": null, + "rename": null, + "optional": true, + "uses_default_features": false, + "features": [ + "std" + ], + "target": null, + "registry": null + }, + { + "name": "libc", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.2.65", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + }, + { + "name": "tempdir", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.3.7", + "kind": "dev", + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": null, + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "which", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/which-3.1.1/src/lib.rs", + "edition": "2015", + "doc": true, + "doctest": true, + "test": true + }, + { + "kind": [ + "test" + ], + "crate_types": [ + "bin" + ], + "name": "basic", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/which-3.1.1/tests/basic.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": true + } + ], + "features": { + "default": [ + "failure" + ] + }, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/which-3.1.1/Cargo.toml", + "metadata": null, + "publish": null, + "authors": [ + "Harry Fei " + ], + "categories": [ + "os", + "filesystem" + ], + "keywords": [ + "which", + "which-rs", + "unix", + "command" + ], + "readme": "README.md", + "repository": 
"https://github.com/harryfei/which-rs.git", + "homepage": null, + "documentation": "https://docs.rs/which/", + "edition": "2015", + "links": null, + "default_run": null + }, + { + "name": "winapi", + "version": "0.3.9", + "id": "winapi 0.3.9 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT/Apache-2.0", + "license_file": null, + "description": "Raw FFI bindings for all of Windows API.", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "winapi-i686-pc-windows-gnu", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.4", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": "i686-pc-windows-gnu", + "registry": null + }, + { + "name": "winapi-x86_64-pc-windows-gnu", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.4", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [], + "target": "x86_64-pc-windows-gnu", + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "winapi", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/winapi-0.3.9/src/lib.rs", + "edition": "2015", + "doc": true, + "doctest": true, + "test": true + }, + { + "kind": [ + "custom-build" + ], + "crate_types": [ + "bin" + ], + "name": "build-script-build", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/winapi-0.3.9/build.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": false + } + ], + "features": { + "accctrl": [], + "aclapi": [], + "activation": [], + "adhoc": [], + "appmgmt": [], + "audioclient": [], + "audiosessiontypes": [], + "avrt": [], + "basetsd": [], + "bcrypt": [], + "bits": [], + "bits10_1": [], + "bits1_5": [], + "bits2_0": [], + "bits2_5": [], + "bits3_0": [], + "bits4_0": [], + "bits5_0": [], 
+ "bitscfg": [], + "bitsmsg": [], + "bluetoothapis": [], + "bluetoothleapis": [], + "bthdef": [], + "bthioctl": [], + "bthledef": [], + "bthsdpdef": [], + "bugcodes": [], + "cderr": [], + "cfg": [], + "cfgmgr32": [], + "cguid": [], + "combaseapi": [], + "coml2api": [], + "commapi": [], + "commctrl": [], + "commdlg": [], + "commoncontrols": [], + "consoleapi": [], + "corecrt": [], + "corsym": [], + "d2d1": [], + "d2d1_1": [], + "d2d1_2": [], + "d2d1_3": [], + "d2d1effectauthor": [], + "d2d1effects": [], + "d2d1effects_1": [], + "d2d1effects_2": [], + "d2d1svg": [], + "d2dbasetypes": [], + "d3d": [], + "d3d10": [], + "d3d10_1": [], + "d3d10_1shader": [], + "d3d10effect": [], + "d3d10misc": [], + "d3d10sdklayers": [], + "d3d10shader": [], + "d3d11": [], + "d3d11_1": [], + "d3d11_2": [], + "d3d11_3": [], + "d3d11_4": [], + "d3d11on12": [], + "d3d11sdklayers": [], + "d3d11shader": [], + "d3d11tokenizedprogramformat": [], + "d3d12": [], + "d3d12sdklayers": [], + "d3d12shader": [], + "d3d9": [], + "d3d9caps": [], + "d3d9types": [], + "d3dcommon": [], + "d3dcompiler": [], + "d3dcsx": [], + "d3dkmdt": [], + "d3dkmthk": [], + "d3dukmdt": [], + "d3dx10core": [], + "d3dx10math": [], + "d3dx10mesh": [], + "datetimeapi": [], + "davclnt": [], + "dbghelp": [], + "dbt": [], + "dcommon": [], + "dcomp": [], + "dcompanimation": [], + "dcomptypes": [], + "dde": [], + "ddraw": [], + "ddrawi": [], + "ddrawint": [], + "debug": [ + "impl-debug" + ], + "debugapi": [], + "devguid": [], + "devicetopology": [], + "devpkey": [], + "devpropdef": [], + "dinput": [], + "dinputd": [], + "dispex": [], + "dmksctl": [], + "dmusicc": [], + "docobj": [], + "documenttarget": [], + "dot1x": [], + "dpa_dsa": [], + "dpapi": [], + "dsgetdc": [], + "dsound": [], + "dsrole": [], + "dvp": [], + "dwmapi": [], + "dwrite": [], + "dwrite_1": [], + "dwrite_2": [], + "dwrite_3": [], + "dxdiag": [], + "dxfile": [], + "dxgi": [], + "dxgi1_2": [], + "dxgi1_3": [], + "dxgi1_4": [], + "dxgi1_5": [], + "dxgi1_6": [], + 
"dxgidebug": [], + "dxgiformat": [], + "dxgitype": [], + "dxva2api": [], + "dxvahd": [], + "eaptypes": [], + "enclaveapi": [], + "endpointvolume": [], + "errhandlingapi": [], + "everything": [], + "evntcons": [], + "evntprov": [], + "evntrace": [], + "excpt": [], + "exdisp": [], + "fibersapi": [], + "fileapi": [], + "functiondiscoverykeys_devpkey": [], + "gl-gl": [], + "guiddef": [], + "handleapi": [], + "heapapi": [], + "hidclass": [], + "hidpi": [], + "hidsdi": [], + "hidusage": [], + "highlevelmonitorconfigurationapi": [], + "hstring": [], + "http": [], + "ifdef": [], + "ifmib": [], + "imm": [], + "impl-debug": [], + "impl-default": [], + "in6addr": [], + "inaddr": [], + "inspectable": [], + "interlockedapi": [], + "intsafe": [], + "ioapiset": [], + "ipexport": [], + "iphlpapi": [], + "ipifcons": [], + "ipmib": [], + "iprtrmib": [], + "iptypes": [], + "jobapi": [], + "jobapi2": [], + "knownfolders": [], + "ks": [], + "ksmedia": [], + "ktmtypes": [], + "ktmw32": [], + "l2cmn": [], + "libloaderapi": [], + "limits": [], + "lmaccess": [], + "lmalert": [], + "lmapibuf": [], + "lmat": [], + "lmcons": [], + "lmdfs": [], + "lmerrlog": [], + "lmjoin": [], + "lmmsg": [], + "lmremutl": [], + "lmrepl": [], + "lmserver": [], + "lmshare": [], + "lmstats": [], + "lmsvc": [], + "lmuse": [], + "lmwksta": [], + "lowlevelmonitorconfigurationapi": [], + "lsalookup": [], + "memoryapi": [], + "minschannel": [], + "minwinbase": [], + "minwindef": [], + "mmdeviceapi": [], + "mmeapi": [], + "mmreg": [], + "mmsystem": [], + "mprapidef": [], + "msaatext": [], + "mscat": [], + "mschapp": [], + "mssip": [], + "mstcpip": [], + "mswsock": [], + "mswsockdef": [], + "namedpipeapi": [], + "namespaceapi": [], + "nb30": [], + "ncrypt": [], + "netioapi": [], + "nldef": [], + "ntddndis": [], + "ntddscsi": [], + "ntddser": [], + "ntdef": [], + "ntlsa": [], + "ntsecapi": [], + "ntstatus": [], + "oaidl": [], + "objbase": [], + "objidl": [], + "objidlbase": [], + "ocidl": [], + "ole2": [], + "oleauto": 
[], + "olectl": [], + "oleidl": [], + "opmapi": [], + "pdh": [], + "perflib": [], + "physicalmonitorenumerationapi": [], + "playsoundapi": [], + "portabledevice": [], + "portabledeviceapi": [], + "portabledevicetypes": [], + "powerbase": [], + "powersetting": [], + "powrprof": [], + "processenv": [], + "processsnapshot": [], + "processthreadsapi": [], + "processtopologyapi": [], + "profileapi": [], + "propidl": [], + "propkey": [], + "propkeydef": [], + "propsys": [], + "prsht": [], + "psapi": [], + "qos": [], + "realtimeapiset": [], + "reason": [], + "restartmanager": [], + "restrictederrorinfo": [], + "rmxfguid": [], + "roapi": [], + "robuffer": [], + "roerrorapi": [], + "rpc": [], + "rpcdce": [], + "rpcndr": [], + "rtinfo": [], + "sapi": [], + "sapi51": [], + "sapi53": [], + "sapiddk": [], + "sapiddk51": [], + "schannel": [], + "sddl": [], + "securityappcontainer": [], + "securitybaseapi": [], + "servprov": [], + "setupapi": [], + "shellapi": [], + "shellscalingapi": [], + "shlobj": [], + "shobjidl": [], + "shobjidl_core": [], + "shtypes": [], + "softpub": [], + "spapidef": [], + "spellcheck": [], + "sporder": [], + "sql": [], + "sqlext": [], + "sqltypes": [], + "sqlucode": [], + "sspi": [], + "std": [], + "stralign": [], + "stringapiset": [], + "strmif": [], + "subauth": [], + "synchapi": [], + "sysinfoapi": [], + "systemtopologyapi": [], + "taskschd": [], + "tcpestats": [], + "tcpmib": [], + "textstor": [], + "threadpoolapiset": [], + "threadpoollegacyapiset": [], + "timeapi": [], + "timezoneapi": [], + "tlhelp32": [], + "transportsettingcommon": [], + "tvout": [], + "udpmib": [], + "unknwnbase": [], + "urlhist": [], + "urlmon": [], + "usb": [], + "usbioctl": [], + "usbiodef": [], + "usbscan": [], + "usbspec": [], + "userenv": [], + "usp10": [], + "utilapiset": [], + "uxtheme": [], + "vadefs": [], + "vcruntime": [], + "vsbackup": [], + "vss": [], + "vsserror": [], + "vswriter": [], + "wbemads": [], + "wbemcli": [], + "wbemdisp": [], + "wbemprov": [], + 
"wbemtran": [], + "wct": [], + "werapi": [], + "winbase": [], + "wincodec": [], + "wincodecsdk": [], + "wincon": [], + "wincontypes": [], + "wincred": [], + "wincrypt": [], + "windef": [], + "windot11": [], + "windowsceip": [], + "windowsx": [], + "winefs": [], + "winerror": [], + "winevt": [], + "wingdi": [], + "winhttp": [], + "wininet": [], + "winineti": [], + "winioctl": [], + "winnetwk": [], + "winnls": [], + "winnt": [], + "winreg": [], + "winsafer": [], + "winscard": [], + "winsmcrd": [], + "winsock2": [], + "winspool": [], + "winstring": [], + "winsvc": [], + "wintrust": [], + "winusb": [], + "winusbio": [], + "winuser": [], + "winver": [], + "wlanapi": [], + "wlanihv": [], + "wlanihvtypes": [], + "wlantypes": [], + "wlclient": [], + "wmistr": [], + "wnnc": [], + "wow64apiset": [], + "wpdmtpextensions": [], + "ws2bth": [], + "ws2def": [], + "ws2ipdef": [], + "ws2spi": [], + "ws2tcpip": [], + "wtsapi32": [], + "wtypes": [], + "wtypesbase": [], + "xinput": [] + }, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/winapi-0.3.9/Cargo.toml", + "metadata": { + "docs": { + "rs": { + "default-target": "x86_64-pc-windows-msvc", + "features": [ + "everything", + "impl-debug", + "impl-default" + ], + "targets": [ + "aarch64-pc-windows-msvc", + "i686-pc-windows-msvc", + "x86_64-pc-windows-msvc" + ] + } + } + }, + "publish": null, + "authors": [ + "Peter Atashian " + ], + "categories": [ + "external-ffi-bindings", + "no-std", + "os::windows-apis" + ], + "keywords": [ + "windows", + "ffi", + "win32", + "com", + "directx" + ], + "readme": "README.md", + "repository": "https://github.com/retep998/winapi-rs", + "homepage": null, + "documentation": "https://docs.rs/winapi/", + "edition": "2015", + "links": null, + "default_run": null + }, + { + "name": "winapi-i686-pc-windows-gnu", + "version": "0.4.0", + "id": "winapi-i686-pc-windows-gnu 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT/Apache-2.0", + 
"license_file": null, + "description": "Import libraries for the i686-pc-windows-gnu target. Please don't use this crate directly, depend on winapi instead.", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "winapi-i686-pc-windows-gnu", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/winapi-i686-pc-windows-gnu-0.4.0/src/lib.rs", + "edition": "2015", + "doc": true, + "doctest": true, + "test": true + }, + { + "kind": [ + "custom-build" + ], + "crate_types": [ + "bin" + ], + "name": "build-script-build", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/winapi-i686-pc-windows-gnu-0.4.0/build.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": false + } + ], + "features": {}, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/winapi-i686-pc-windows-gnu-0.4.0/Cargo.toml", + "metadata": null, + "publish": null, + "authors": [ + "Peter Atashian " + ], + "categories": [], + "keywords": [ + "windows" + ], + "readme": null, + "repository": "https://github.com/retep998/winapi-rs", + "homepage": null, + "documentation": null, + "edition": "2015", + "links": null, + "default_run": null + }, + { + "name": "winapi-util", + "version": "0.1.5", + "id": "winapi-util 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "Unlicense/MIT", + "license_file": null, + "description": "A dumping ground for high level safe wrappers over winapi.", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [ + { + "name": "winapi", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "req": "^0.3", + "kind": null, + "rename": null, + "optional": false, + "uses_default_features": true, + "features": [ + "std", + "consoleapi", + "errhandlingapi", + "fileapi", + "minwindef", + 
"processenv", + "winbase", + "wincon", + "winerror", + "winnt" + ], + "target": "cfg(windows)", + "registry": null + } + ], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "winapi-util", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/winapi-util-0.1.5/src/lib.rs", + "edition": "2018", + "doc": true, + "doctest": true, + "test": true + } + ], + "features": {}, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/winapi-util-0.1.5/Cargo.toml", + "metadata": { + "docs": { + "rs": { + "targets": [ + "x86_64-pc-windows-msvc" + ] + } + } + }, + "publish": null, + "authors": [ + "Andrew Gallant " + ], + "categories": [ + "os::windows-apis", + "external-ffi-bindings" + ], + "keywords": [ + "windows", + "winapi", + "util", + "win" + ], + "readme": "README.md", + "repository": "https://github.com/BurntSushi/winapi-util", + "homepage": "https://github.com/BurntSushi/winapi-util", + "documentation": "https://docs.rs/winapi-util", + "edition": "2018", + "links": null, + "default_run": null + }, + { + "name": "winapi-x86_64-pc-windows-gnu", + "version": "0.4.0", + "id": "winapi-x86_64-pc-windows-gnu 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)", + "license": "MIT/Apache-2.0", + "license_file": null, + "description": "Import libraries for the x86_64-pc-windows-gnu target. 
Please don't use this crate directly, depend on winapi instead.", + "source": "registry+https://github.com/rust-lang/crates.io-index", + "dependencies": [], + "targets": [ + { + "kind": [ + "lib" + ], + "crate_types": [ + "lib" + ], + "name": "winapi-x86_64-pc-windows-gnu", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/winapi-x86_64-pc-windows-gnu-0.4.0/src/lib.rs", + "edition": "2015", + "doc": true, + "doctest": true, + "test": true + }, + { + "kind": [ + "custom-build" + ], + "crate_types": [ + "bin" + ], + "name": "build-script-build", + "src_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/winapi-x86_64-pc-windows-gnu-0.4.0/build.rs", + "edition": "2015", + "doc": false, + "doctest": false, + "test": false + } + ], + "features": {}, + "manifest_path": "/Users/franziskus/.cargo/registry/src/github.com-1ecc6299db9ec823/winapi-x86_64-pc-windows-gnu-0.4.0/Cargo.toml", + "metadata": null, + "publish": null, + "authors": [ + "Peter Atashian " + ], + "categories": [], + "keywords": [ + "windows" + ], + "readme": null, + "repository": "https://github.com/retep998/winapi-rs", + "homepage": null, + "documentation": null, + "edition": "2015", + "links": null, + "default_run": null + } + ], + "workspace_members": [ + "evercrypt-sys 0.0.9 (path+file:///Users/franziskus/repos/evercrypt-cmake-c/rust/evercrypt-sys)" + ], + "resolve": { + "nodes": [ + { + "id": "aho-corasick 0.7.18 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [ + "memchr 2.4.1 (registry+https://github.com/rust-lang/crates.io-index)" + ], + "deps": [ + { + "name": "memchr", + "pkg": "memchr 2.4.1 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + } + ], + "features": [ + "default", + "std" + ] + }, + { + "id": "ansi_term 0.12.1 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [ + "winapi 0.3.9 
(registry+https://github.com/rust-lang/crates.io-index)" + ], + "deps": [ + { + "name": "winapi", + "pkg": "winapi 0.3.9 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": "cfg(target_os = \"windows\")" + } + ] + } + ], + "features": [] + }, + { + "id": "atty 0.2.14 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [ + "hermit-abi 0.1.19 (registry+https://github.com/rust-lang/crates.io-index)", + "libc 0.2.112 (registry+https://github.com/rust-lang/crates.io-index)", + "winapi 0.3.9 (registry+https://github.com/rust-lang/crates.io-index)" + ], + "deps": [ + { + "name": "hermit_abi", + "pkg": "hermit-abi 0.1.19 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": "cfg(target_os = \"hermit\")" + } + ] + }, + { + "name": "libc", + "pkg": "libc 0.2.112 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": "cfg(unix)" + } + ] + }, + { + "name": "winapi", + "pkg": "winapi 0.3.9 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": "cfg(windows)" + } + ] + } + ], + "features": [] + }, + { + "id": "bindgen 0.58.1 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [ + "bitflags 1.3.2 (registry+https://github.com/rust-lang/crates.io-index)", + "cexpr 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)", + "clang-sys 1.3.0 (registry+https://github.com/rust-lang/crates.io-index)", + "clap 2.34.0 (registry+https://github.com/rust-lang/crates.io-index)", + "env_logger 0.8.4 (registry+https://github.com/rust-lang/crates.io-index)", + "lazy_static 1.4.0 (registry+https://github.com/rust-lang/crates.io-index)", + "lazycell 1.3.0 (registry+https://github.com/rust-lang/crates.io-index)", + "log 0.4.14 (registry+https://github.com/rust-lang/crates.io-index)", + "peeking_take_while 0.1.2 
(registry+https://github.com/rust-lang/crates.io-index)", + "proc-macro2 1.0.36 (registry+https://github.com/rust-lang/crates.io-index)", + "quote 1.0.14 (registry+https://github.com/rust-lang/crates.io-index)", + "regex 1.5.4 (registry+https://github.com/rust-lang/crates.io-index)", + "rustc-hash 1.1.0 (registry+https://github.com/rust-lang/crates.io-index)", + "shlex 1.1.0 (registry+https://github.com/rust-lang/crates.io-index)", + "which 3.1.1 (registry+https://github.com/rust-lang/crates.io-index)" + ], + "deps": [ + { + "name": "bitflags", + "pkg": "bitflags 1.3.2 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + }, + { + "name": "cexpr", + "pkg": "cexpr 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + }, + { + "name": "clang_sys", + "pkg": "clang-sys 1.3.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + }, + { + "name": "clap", + "pkg": "clap 2.34.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + }, + { + "name": "env_logger", + "pkg": "env_logger 0.8.4 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + }, + { + "name": "lazy_static", + "pkg": "lazy_static 1.4.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + }, + { + "name": "lazycell", + "pkg": "lazycell 1.3.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + }, + { + "name": "log", + "pkg": "log 0.4.14 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + }, + { + "name": "peeking_take_while", + "pkg": "peeking_take_while 0.1.2 
(registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + }, + { + "name": "proc_macro2", + "pkg": "proc-macro2 1.0.36 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + }, + { + "name": "quote", + "pkg": "quote 1.0.14 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + }, + { + "name": "regex", + "pkg": "regex 1.5.4 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + }, + { + "name": "rustc_hash", + "pkg": "rustc-hash 1.1.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + }, + { + "name": "shlex", + "pkg": "shlex 1.1.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + }, + { + "name": "which", + "pkg": "which 3.1.1 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + } + ], + "features": [ + "clap", + "default", + "env_logger", + "log", + "logging", + "runtime", + "which", + "which-rustfmt" + ] + }, + { + "id": "bitflags 1.3.2 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [], + "deps": [], + "features": [ + "default" + ] + }, + { + "id": "cexpr 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [ + "nom 5.1.2 (registry+https://github.com/rust-lang/crates.io-index)" + ], + "deps": [ + { + "name": "nom", + "pkg": "nom 5.1.2 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + } + ], + "features": [] + }, + { + "id": "cfg-if 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [], + "deps": [], + "features": [] + }, + { + "id": 
"clang-sys 1.3.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [ + "glob 0.3.0 (registry+https://github.com/rust-lang/crates.io-index)", + "libc 0.2.112 (registry+https://github.com/rust-lang/crates.io-index)", + "libloading 0.7.2 (registry+https://github.com/rust-lang/crates.io-index)" + ], + "deps": [ + { + "name": "glob", + "pkg": "glob 0.3.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + }, + { + "kind": "build", + "target": null + } + ] + }, + { + "name": "libc", + "pkg": "libc 0.2.112 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + }, + { + "name": "libloading", + "pkg": "libloading 0.7.2 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + } + ], + "features": [ + "clang_3_5", + "clang_3_6", + "clang_3_7", + "clang_3_8", + "clang_3_9", + "clang_4_0", + "clang_5_0", + "clang_6_0", + "libloading", + "runtime" + ] + }, + { + "id": "clap 2.34.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [ + "ansi_term 0.12.1 (registry+https://github.com/rust-lang/crates.io-index)", + "atty 0.2.14 (registry+https://github.com/rust-lang/crates.io-index)", + "bitflags 1.3.2 (registry+https://github.com/rust-lang/crates.io-index)", + "strsim 0.8.0 (registry+https://github.com/rust-lang/crates.io-index)", + "textwrap 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)", + "unicode-width 0.1.9 (registry+https://github.com/rust-lang/crates.io-index)", + "vec_map 0.8.2 (registry+https://github.com/rust-lang/crates.io-index)" + ], + "deps": [ + { + "name": "ansi_term", + "pkg": "ansi_term 0.12.1 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": "cfg(not(windows))" + } + ] + }, + { + "name": "atty", + "pkg": "atty 0.2.14 
(registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + }, + { + "name": "bitflags", + "pkg": "bitflags 1.3.2 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + }, + { + "name": "strsim", + "pkg": "strsim 0.8.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + }, + { + "name": "textwrap", + "pkg": "textwrap 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + }, + { + "name": "unicode_width", + "pkg": "unicode-width 0.1.9 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + }, + { + "name": "vec_map", + "pkg": "vec_map 0.8.2 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + } + ], + "features": [ + "ansi_term", + "atty", + "color", + "default", + "strsim", + "suggestions", + "vec_map" + ] + }, + { + "id": "env_logger 0.8.4 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [ + "atty 0.2.14 (registry+https://github.com/rust-lang/crates.io-index)", + "humantime 2.1.0 (registry+https://github.com/rust-lang/crates.io-index)", + "log 0.4.14 (registry+https://github.com/rust-lang/crates.io-index)", + "regex 1.5.4 (registry+https://github.com/rust-lang/crates.io-index)", + "termcolor 1.1.2 (registry+https://github.com/rust-lang/crates.io-index)" + ], + "deps": [ + { + "name": "atty", + "pkg": "atty 0.2.14 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + }, + { + "name": "humantime", + "pkg": "humantime 2.1.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + }, + { + "name": "log", + 
"pkg": "log 0.4.14 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + }, + { + "name": "regex", + "pkg": "regex 1.5.4 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + }, + { + "name": "termcolor", + "pkg": "termcolor 1.1.2 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + } + ], + "features": [ + "atty", + "default", + "humantime", + "regex", + "termcolor" + ] + }, + { + "id": "evercrypt-sys 0.0.9 (path+file:///Users/franziskus/repos/evercrypt-cmake-c/rust/evercrypt-sys)", + "dependencies": [ + "bindgen 0.58.1 (registry+https://github.com/rust-lang/crates.io-index)", + "libc 0.2.112 (registry+https://github.com/rust-lang/crates.io-index)" + ], + "deps": [ + { + "name": "bindgen", + "pkg": "bindgen 0.58.1 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": "build", + "target": "cfg(not(windows))" + } + ] + }, + { + "name": "libc", + "pkg": "libc 0.2.112 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + } + ], + "features": [] + }, + { + "id": "glob 0.3.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [], + "deps": [], + "features": [] + }, + { + "id": "hermit-abi 0.1.19 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [ + "libc 0.2.112 (registry+https://github.com/rust-lang/crates.io-index)" + ], + "deps": [ + { + "name": "libc", + "pkg": "libc 0.2.112 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + } + ], + "features": [ + "default" + ] + }, + { + "id": "humantime 2.1.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [], + "deps": [], + "features": [] + }, + { + "id": "lazy_static 1.4.0 
(registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [], + "deps": [], + "features": [] + }, + { + "id": "lazycell 1.3.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [], + "deps": [], + "features": [] + }, + { + "id": "libc 0.2.112 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [], + "deps": [], + "features": [ + "default", + "std" + ] + }, + { + "id": "libloading 0.7.2 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [ + "cfg-if 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)", + "winapi 0.3.9 (registry+https://github.com/rust-lang/crates.io-index)" + ], + "deps": [ + { + "name": "cfg_if", + "pkg": "cfg-if 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": "cfg(unix)" + } + ] + }, + { + "name": "winapi", + "pkg": "winapi 0.3.9 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": "cfg(windows)" + } + ] + } + ], + "features": [] + }, + { + "id": "log 0.4.14 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [ + "cfg-if 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)" + ], + "deps": [ + { + "name": "cfg_if", + "pkg": "cfg-if 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + } + ], + "features": [ + "std" + ] + }, + { + "id": "memchr 2.4.1 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [], + "deps": [], + "features": [ + "default", + "std", + "use_std" + ] + }, + { + "id": "nom 5.1.2 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [ + "memchr 2.4.1 (registry+https://github.com/rust-lang/crates.io-index)", + "version_check 0.9.4 (registry+https://github.com/rust-lang/crates.io-index)" + ], + "deps": [ + { + "name": "memchr", + "pkg": "memchr 2.4.1 
(registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + }, + { + "name": "version_check", + "pkg": "version_check 0.9.4 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": "build", + "target": null + } + ] + } + ], + "features": [ + "alloc", + "std" + ] + }, + { + "id": "peeking_take_while 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [], + "deps": [], + "features": [] + }, + { + "id": "proc-macro2 1.0.36 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [ + "unicode-xid 0.2.2 (registry+https://github.com/rust-lang/crates.io-index)" + ], + "deps": [ + { + "name": "unicode_xid", + "pkg": "unicode-xid 0.2.2 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + } + ], + "features": [] + }, + { + "id": "quote 1.0.14 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [ + "proc-macro2 1.0.36 (registry+https://github.com/rust-lang/crates.io-index)" + ], + "deps": [ + { + "name": "proc_macro2", + "pkg": "proc-macro2 1.0.36 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + } + ], + "features": [] + }, + { + "id": "regex 1.5.4 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [ + "aho-corasick 0.7.18 (registry+https://github.com/rust-lang/crates.io-index)", + "memchr 2.4.1 (registry+https://github.com/rust-lang/crates.io-index)", + "regex-syntax 0.6.25 (registry+https://github.com/rust-lang/crates.io-index)" + ], + "deps": [ + { + "name": "aho_corasick", + "pkg": "aho-corasick 0.7.18 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + }, + { + "name": "memchr", + "pkg": "memchr 2.4.1 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ 
+ { + "kind": null, + "target": null + } + ] + }, + { + "name": "regex_syntax", + "pkg": "regex-syntax 0.6.25 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + } + ], + "features": [ + "aho-corasick", + "memchr", + "perf", + "perf-cache", + "perf-dfa", + "perf-inline", + "perf-literal", + "std", + "unicode", + "unicode-age", + "unicode-bool", + "unicode-case", + "unicode-gencat", + "unicode-perl", + "unicode-script", + "unicode-segment" + ] + }, + { + "id": "regex-syntax 0.6.25 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [], + "deps": [], + "features": [ + "unicode", + "unicode-age", + "unicode-bool", + "unicode-case", + "unicode-gencat", + "unicode-perl", + "unicode-script", + "unicode-segment" + ] + }, + { + "id": "rustc-hash 1.1.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [], + "deps": [], + "features": [ + "default", + "std" + ] + }, + { + "id": "shlex 1.1.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [], + "deps": [], + "features": [ + "default", + "std" + ] + }, + { + "id": "strsim 0.8.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [], + "deps": [], + "features": [] + }, + { + "id": "termcolor 1.1.2 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [ + "winapi-util 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)" + ], + "deps": [ + { + "name": "winapi_util", + "pkg": "winapi-util 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": "cfg(windows)" + } + ] + } + ], + "features": [] + }, + { + "id": "textwrap 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [ + "unicode-width 0.1.9 (registry+https://github.com/rust-lang/crates.io-index)" + ], + "deps": [ + { + "name": "unicode_width", + "pkg": "unicode-width 0.1.9 
(registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + } + ], + "features": [] + }, + { + "id": "unicode-width 0.1.9 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [], + "deps": [], + "features": [ + "default" + ] + }, + { + "id": "unicode-xid 0.2.2 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [], + "deps": [], + "features": [ + "default" + ] + }, + { + "id": "vec_map 0.8.2 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [], + "deps": [], + "features": [] + }, + { + "id": "version_check 0.9.4 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [], + "deps": [], + "features": [] + }, + { + "id": "which 3.1.1 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [ + "libc 0.2.112 (registry+https://github.com/rust-lang/crates.io-index)" + ], + "deps": [ + { + "name": "libc", + "pkg": "libc 0.2.112 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": null + } + ] + } + ], + "features": [] + }, + { + "id": "winapi 0.3.9 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [ + "winapi-i686-pc-windows-gnu 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)", + "winapi-x86_64-pc-windows-gnu 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)" + ], + "deps": [ + { + "name": "winapi_i686_pc_windows_gnu", + "pkg": "winapi-i686-pc-windows-gnu 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": "i686-pc-windows-gnu" + } + ] + }, + { + "name": "winapi_x86_64_pc_windows_gnu", + "pkg": "winapi-x86_64-pc-windows-gnu 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": "x86_64-pc-windows-gnu" + } + ] + } + ], + "features": [ + "consoleapi", + "errhandlingapi", + 
"fileapi", + "handleapi", + "libloaderapi", + "minwinbase", + "minwindef", + "processenv", + "std", + "winbase", + "wincon", + "winerror", + "winnt" + ] + }, + { + "id": "winapi-i686-pc-windows-gnu 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [], + "deps": [], + "features": [] + }, + { + "id": "winapi-util 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [ + "winapi 0.3.9 (registry+https://github.com/rust-lang/crates.io-index)" + ], + "deps": [ + { + "name": "winapi", + "pkg": "winapi 0.3.9 (registry+https://github.com/rust-lang/crates.io-index)", + "dep_kinds": [ + { + "kind": null, + "target": "cfg(windows)" + } + ] + } + ], + "features": [] + }, + { + "id": "winapi-x86_64-pc-windows-gnu 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)", + "dependencies": [], + "deps": [], + "features": [] + } + ], + "root": "evercrypt-sys 0.0.9 (path+file:///Users/franziskus/repos/evercrypt-cmake-c/rust/evercrypt-sys)" + }, + "target_directory": "/Users/franziskus/repos/evercrypt-cmake-c/rust/evercrypt-sys/target", + "version": 1, + "workspace_root": "/Users/franziskus/repos/evercrypt-cmake-c/rust/evercrypt-sys", + "metadata": null +} \ No newline at end of file diff --git a/rust/hacl-rust-sys/src/bindings/bindings.rs b/rust/hacl-rust-sys/src/bindings/bindings.rs new file mode 100644 index 00000000..ef59f6c7 --- /dev/null +++ b/rust/hacl-rust-sys/src/bindings/bindings.rs 
@@ -0,0 +1,972 @@ +/* automatically generated by rust-bindgen 0.59.2 */ + +pub const Spec_Blake2_Blake2S: u32 = 0; +pub const Spec_Blake2_Blake2B: u32 = 1; +pub const Spec_Hash_Definitions_SHA2_224: u32 = 0; +pub const Spec_Hash_Definitions_SHA2_256: u32 = 1; +pub const Spec_Hash_Definitions_SHA2_384: u32 = 2; +pub const Spec_Hash_Definitions_SHA2_512: u32 = 3; +pub const Spec_Hash_Definitions_SHA1: u32 = 4; +pub const Spec_Hash_Definitions_MD5: u32 = 5; +pub const Spec_Hash_Definitions_Blake2S: u32 = 6; +pub const Spec_Hash_Definitions_Blake2B: u32 = 7; +pub const Spec_FFDHE_FFDHE2048: u32 = 0; +pub const Spec_FFDHE_FFDHE3072: u32 = 1; +pub const Spec_FFDHE_FFDHE4096: u32 = 2; +pub const Spec_FFDHE_FFDHE6144: u32 = 3; +pub const Spec_FFDHE_FFDHE8192: u32 = 4; +pub const Spec_Agile_Cipher_AES128: u32 = 0; +pub const Spec_Agile_Cipher_AES256: u32 = 1; +pub const Spec_Agile_Cipher_CHACHA20: u32 = 2; +pub const Spec_Cipher_Expansion_Hacl_CHACHA20: u32 = 0; +pub const Spec_Cipher_Expansion_Vale_AES128: u32 = 1; +pub const Spec_Cipher_Expansion_Vale_AES256: u32 = 2; +pub const Spec_Agile_AEAD_AES128_GCM: u32 = 0; +pub const Spec_Agile_AEAD_AES256_GCM: u32 = 1; +pub const Spec_Agile_AEAD_CHACHA20_POLY1305: u32 = 2; +pub const Spec_Agile_AEAD_AES128_CCM: u32 = 3; +pub const Spec_Agile_AEAD_AES256_CCM: u32 = 4; +pub const Spec_Agile_AEAD_AES128_CCM8: u32 = 5; +pub const Spec_Agile_AEAD_AES256_CCM8: u32 = 6; +pub const Spec_Frodo_Params_SHAKE128: u32 = 0; +pub const Spec_Frodo_Params_AES128: u32 = 1; +pub const EverCrypt_Error_Success: u32 = 0; +pub const EverCrypt_Error_UnsupportedAlgorithm: u32 = 1; +pub const EverCrypt_Error_InvalidKey: u32 = 2; +pub const EverCrypt_Error_AuthenticationFailure: u32 = 3; +pub const EverCrypt_Error_InvalidIVLength: u32 = 4; +pub const EverCrypt_Error_DecodeError: u32 = 5; +pub type C_String_t = *const ::std::os::raw::c_char; +pub type Spec_Blake2_alg = u8; +pub type Spec_Hash_Definitions_hash_alg = u8; +pub type Spec_FFDHE_ffdhe_alg = u8; 
+pub type Spec_Agile_Cipher_cipher_alg = u8; +pub type Spec_Cipher_Expansion_impl = u8; +pub type Spec_Agile_AEAD_alg = u8; +pub type Spec_Frodo_Params_frodo_gen_a = u8; +pub type EverCrypt_Error_error_code = u8; +extern "C" { + pub fn EverCrypt_AutoConfig2_has_shaext() -> bool; +} +extern "C" { + pub fn EverCrypt_AutoConfig2_has_aesni() -> bool; +} +extern "C" { + pub fn EverCrypt_AutoConfig2_has_pclmulqdq() -> bool; +} +extern "C" { + pub fn EverCrypt_AutoConfig2_has_avx2() -> bool; +} +extern "C" { + pub fn EverCrypt_AutoConfig2_has_avx() -> bool; +} +extern "C" { + pub fn EverCrypt_AutoConfig2_has_bmi2() -> bool; +} +extern "C" { + pub fn EverCrypt_AutoConfig2_has_adx() -> bool; +} +extern "C" { + pub fn EverCrypt_AutoConfig2_has_sse() -> bool; +} +extern "C" { + pub fn EverCrypt_AutoConfig2_has_movbe() -> bool; +} +extern "C" { + pub fn EverCrypt_AutoConfig2_has_rdrand() -> bool; +} +extern "C" { + pub fn EverCrypt_AutoConfig2_has_avx512() -> bool; +} +extern "C" { + pub fn EverCrypt_AutoConfig2_wants_vale() -> bool; +} +extern "C" { + pub fn EverCrypt_AutoConfig2_wants_hacl() -> bool; +} +extern "C" { + pub fn EverCrypt_AutoConfig2_wants_openssl() -> bool; +} +extern "C" { + pub fn EverCrypt_AutoConfig2_wants_bcrypt() -> bool; +} +extern "C" { + pub fn EverCrypt_AutoConfig2_recall(); +} +extern "C" { + pub fn EverCrypt_AutoConfig2_init(); +} +extern "C" { + pub fn EverCrypt_AutoConfig2_disable_avx2(); +} +extern "C" { + pub fn EverCrypt_AutoConfig2_disable_avx(); +} +extern "C" { + pub fn EverCrypt_AutoConfig2_disable_bmi2(); +} +extern "C" { + pub fn EverCrypt_AutoConfig2_disable_adx(); +} +extern "C" { + pub fn EverCrypt_AutoConfig2_disable_shaext(); +} +extern "C" { + pub fn EverCrypt_AutoConfig2_disable_aesni(); +} +extern "C" { + pub fn EverCrypt_AutoConfig2_disable_pclmulqdq(); +} +extern "C" { + pub fn EverCrypt_AutoConfig2_disable_sse(); +} +extern "C" { + pub fn EverCrypt_AutoConfig2_disable_movbe(); +} +extern "C" { + pub fn 
EverCrypt_AutoConfig2_disable_rdrand(); +} +extern "C" { + pub fn EverCrypt_AutoConfig2_disable_avx512(); +} +extern "C" { + pub fn EverCrypt_AutoConfig2_disable_vale(); +} +extern "C" { + pub fn EverCrypt_AutoConfig2_disable_hacl(); +} +extern "C" { + pub fn EverCrypt_AutoConfig2_disable_openssl(); +} +extern "C" { + pub fn EverCrypt_AutoConfig2_disable_bcrypt(); +} +extern "C" { + pub fn EverCrypt_AutoConfig2_has_vec128() -> bool; +} +extern "C" { + pub fn EverCrypt_AutoConfig2_has_vec256() -> bool; +} +extern "C" { + pub fn EverCrypt_AEAD_uu___is_Ek( + a: Spec_Agile_AEAD_alg, + projectee: EverCrypt_AEAD_state_s, + ) -> bool; +} +extern "C" { + pub fn EverCrypt_AEAD_alg_of_state(s: *mut EverCrypt_AEAD_state_s) -> Spec_Agile_AEAD_alg; +} +extern "C" { + pub fn EverCrypt_AEAD_create_in( + a: Spec_Agile_AEAD_alg, + dst: *mut *mut EverCrypt_AEAD_state_s, + k: *mut u8, + ) -> EverCrypt_Error_error_code; +} +extern "C" { + pub fn EverCrypt_AEAD_encrypt( + s: *mut EverCrypt_AEAD_state_s, + iv: *mut u8, + iv_len: u32, + ad: *mut u8, + ad_len: u32, + plain: *mut u8, + plain_len: u32, + cipher: *mut u8, + tag: *mut u8, + ) -> EverCrypt_Error_error_code; +} +extern "C" { + pub fn EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check( + k: *mut u8, + iv: *mut u8, + iv_len: u32, + ad: *mut u8, + ad_len: u32, + plain: *mut u8, + plain_len: u32, + cipher: *mut u8, + tag: *mut u8, + ) -> EverCrypt_Error_error_code; +} +extern "C" { + pub fn EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check( + k: *mut u8, + iv: *mut u8, + iv_len: u32, + ad: *mut u8, + ad_len: u32, + plain: *mut u8, + plain_len: u32, + cipher: *mut u8, + tag: *mut u8, + ) -> EverCrypt_Error_error_code; +} +extern "C" { + pub fn EverCrypt_AEAD_encrypt_expand_aes128_gcm( + k: *mut u8, + iv: *mut u8, + iv_len: u32, + ad: *mut u8, + ad_len: u32, + plain: *mut u8, + plain_len: u32, + cipher: *mut u8, + tag: *mut u8, + ) -> EverCrypt_Error_error_code; +} +extern "C" { + pub fn EverCrypt_AEAD_encrypt_expand_aes256_gcm( + k: 
*mut u8, + iv: *mut u8, + iv_len: u32, + ad: *mut u8, + ad_len: u32, + plain: *mut u8, + plain_len: u32, + cipher: *mut u8, + tag: *mut u8, + ) -> EverCrypt_Error_error_code; +} +extern "C" { + pub fn EverCrypt_AEAD_encrypt_expand_chacha20_poly1305( + k: *mut u8, + iv: *mut u8, + iv_len: u32, + ad: *mut u8, + ad_len: u32, + plain: *mut u8, + plain_len: u32, + cipher: *mut u8, + tag: *mut u8, + ) -> EverCrypt_Error_error_code; +} +extern "C" { + pub fn EverCrypt_AEAD_encrypt_expand( + a: Spec_Agile_AEAD_alg, + k: *mut u8, + iv: *mut u8, + iv_len: u32, + ad: *mut u8, + ad_len: u32, + plain: *mut u8, + plain_len: u32, + cipher: *mut u8, + tag: *mut u8, + ) -> EverCrypt_Error_error_code; +} +extern "C" { + pub fn EverCrypt_AEAD_decrypt( + s: *mut EverCrypt_AEAD_state_s, + iv: *mut u8, + iv_len: u32, + ad: *mut u8, + ad_len: u32, + cipher: *mut u8, + cipher_len: u32, + tag: *mut u8, + dst: *mut u8, + ) -> EverCrypt_Error_error_code; +} +extern "C" { + pub fn EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check( + k: *mut u8, + iv: *mut u8, + iv_len: u32, + ad: *mut u8, + ad_len: u32, + cipher: *mut u8, + cipher_len: u32, + tag: *mut u8, + dst: *mut u8, + ) -> EverCrypt_Error_error_code; +} +extern "C" { + pub fn EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check( + k: *mut u8, + iv: *mut u8, + iv_len: u32, + ad: *mut u8, + ad_len: u32, + cipher: *mut u8, + cipher_len: u32, + tag: *mut u8, + dst: *mut u8, + ) -> EverCrypt_Error_error_code; +} +extern "C" { + pub fn EverCrypt_AEAD_decrypt_expand_aes128_gcm( + k: *mut u8, + iv: *mut u8, + iv_len: u32, + ad: *mut u8, + ad_len: u32, + cipher: *mut u8, + cipher_len: u32, + tag: *mut u8, + dst: *mut u8, + ) -> EverCrypt_Error_error_code; +} +extern "C" { + pub fn EverCrypt_AEAD_decrypt_expand_aes256_gcm( + k: *mut u8, + iv: *mut u8, + iv_len: u32, + ad: *mut u8, + ad_len: u32, + cipher: *mut u8, + cipher_len: u32, + tag: *mut u8, + dst: *mut u8, + ) -> EverCrypt_Error_error_code; +} +extern "C" { + pub fn 
EverCrypt_AEAD_decrypt_expand_chacha20_poly1305( + k: *mut u8, + iv: *mut u8, + iv_len: u32, + ad: *mut u8, + ad_len: u32, + cipher: *mut u8, + cipher_len: u32, + tag: *mut u8, + dst: *mut u8, + ) -> EverCrypt_Error_error_code; +} +extern "C" { + pub fn EverCrypt_AEAD_decrypt_expand( + a: Spec_Agile_AEAD_alg, + k: *mut u8, + iv: *mut u8, + iv_len: u32, + ad: *mut u8, + ad_len: u32, + cipher: *mut u8, + cipher_len: u32, + tag: *mut u8, + dst: *mut u8, + ) -> EverCrypt_Error_error_code; +} +extern "C" { + pub fn EverCrypt_AEAD_free(s: *mut EverCrypt_AEAD_state_s); +} +extern "C" { + pub fn EverCrypt_Curve25519_secret_to_public(pub_: *mut u8, priv_: *mut u8); +} +extern "C" { + pub fn EverCrypt_Curve25519_scalarmult(shared: *mut u8, my_priv: *mut u8, their_pub: *mut u8); +} +extern "C" { + pub fn EverCrypt_Curve25519_ecdh(shared: *mut u8, my_priv: *mut u8, their_pub: *mut u8) + -> bool; +} +extern "C" { + pub fn EverCrypt_Ed25519_sign(signature: *mut u8, secret: *mut u8, len: u32, msg: *mut u8); +} +extern "C" { + pub fn EverCrypt_Ed25519_verify( + pubkey: *mut u8, + len: u32, + msg: *mut u8, + signature: *mut u8, + ) -> bool; +} +extern "C" { + pub fn EverCrypt_Ed25519_secret_to_public(output: *mut u8, secret: *mut u8); +} +extern "C" { + pub fn EverCrypt_Ed25519_expand_keys(ks: *mut u8, secret: *mut u8); +} +extern "C" { + pub fn EverCrypt_Ed25519_sign_expanded(signature: *mut u8, ks: *mut u8, len: u32, msg: *mut u8); +} +extern "C" { + pub fn EverCrypt_Hash_string_of_alg(uu___: Spec_Hash_Definitions_hash_alg) -> C_String_t; +} +pub type EverCrypt_Hash_state_s_tags = u8; +#[repr(C)] +#[derive(Copy, Clone)] +pub struct EverCrypt_Hash_state_s_s { + pub tag: EverCrypt_Hash_state_s_tags, + pub __bindgen_anon_1: EverCrypt_Hash_state_s_s__bindgen_ty_1, +} +#[repr(C)] +#[derive(Copy, Clone)] +pub union EverCrypt_Hash_state_s_s__bindgen_ty_1 { + pub case_MD5_s: *mut u32, + pub case_SHA1_s: *mut u32, + pub case_SHA2_224_s: *mut u32, + pub case_SHA2_256_s: *mut u32, + pub 
case_SHA2_384_s: *mut u64, + pub case_SHA2_512_s: *mut u64, + pub case_Blake2S_s: *mut u32, + pub case_Blake2B_s: *mut u64, +} +pub type EverCrypt_Hash_state_s = EverCrypt_Hash_state_s_s; +extern "C" { + pub fn EverCrypt_Hash_uu___is_MD5_s( + uu___: Spec_Hash_Definitions_hash_alg, + projectee: EverCrypt_Hash_state_s, + ) -> bool; +} +extern "C" { + pub fn EverCrypt_Hash_uu___is_SHA1_s( + uu___: Spec_Hash_Definitions_hash_alg, + projectee: EverCrypt_Hash_state_s, + ) -> bool; +} +extern "C" { + pub fn EverCrypt_Hash_uu___is_SHA2_224_s( + uu___: Spec_Hash_Definitions_hash_alg, + projectee: EverCrypt_Hash_state_s, + ) -> bool; +} +extern "C" { + pub fn EverCrypt_Hash_uu___is_SHA2_256_s( + uu___: Spec_Hash_Definitions_hash_alg, + projectee: EverCrypt_Hash_state_s, + ) -> bool; +} +extern "C" { + pub fn EverCrypt_Hash_uu___is_SHA2_384_s( + uu___: Spec_Hash_Definitions_hash_alg, + projectee: EverCrypt_Hash_state_s, + ) -> bool; +} +extern "C" { + pub fn EverCrypt_Hash_uu___is_SHA2_512_s( + uu___: Spec_Hash_Definitions_hash_alg, + projectee: EverCrypt_Hash_state_s, + ) -> bool; +} +extern "C" { + pub fn EverCrypt_Hash_uu___is_Blake2S_s( + uu___: Spec_Hash_Definitions_hash_alg, + projectee: EverCrypt_Hash_state_s, + ) -> bool; +} +extern "C" { + pub fn EverCrypt_Hash_uu___is_Blake2B_s( + uu___: Spec_Hash_Definitions_hash_alg, + projectee: EverCrypt_Hash_state_s, + ) -> bool; +} +extern "C" { + pub fn EverCrypt_Hash_alg_of_state( + s: *mut EverCrypt_Hash_state_s, + ) -> Spec_Hash_Definitions_hash_alg; +} +extern "C" { + pub fn EverCrypt_Hash_create_in( + a: Spec_Hash_Definitions_hash_alg, + ) -> *mut EverCrypt_Hash_state_s; +} +extern "C" { + pub fn EverCrypt_Hash_create(a: Spec_Hash_Definitions_hash_alg) -> *mut EverCrypt_Hash_state_s; +} +extern "C" { + pub fn EverCrypt_Hash_init(s: *mut EverCrypt_Hash_state_s); +} +extern "C" { + pub fn EverCrypt_Hash_update_multi_256(s: *mut u32, blocks: *mut u8, n: u32); +} +extern "C" { + pub fn EverCrypt_Hash_update2(s: *mut 
EverCrypt_Hash_state_s, prevlen: u64, block: *mut u8); +} +extern "C" { + pub fn EverCrypt_Hash_update(s: *mut EverCrypt_Hash_state_s, block: *mut u8); +} +extern "C" { + pub fn EverCrypt_Hash_update_multi2( + s: *mut EverCrypt_Hash_state_s, + prevlen: u64, + blocks: *mut u8, + len: u32, + ); +} +extern "C" { + pub fn EverCrypt_Hash_update_multi(s: *mut EverCrypt_Hash_state_s, blocks: *mut u8, len: u32); +} +extern "C" { + pub fn EverCrypt_Hash_update_last_256( + s: *mut u32, + input: u64, + input_len: *mut u8, + input_len1: u32, + ); +} +extern "C" { + pub fn EverCrypt_Hash_update_last2( + s: *mut EverCrypt_Hash_state_s, + prev_len: u64, + last: *mut u8, + last_len: u32, + ); +} +extern "C" { + pub fn EverCrypt_Hash_update_last( + s: *mut EverCrypt_Hash_state_s, + last: *mut u8, + total_len: u64, + ); +} +extern "C" { + pub fn EverCrypt_Hash_finish(s: *mut EverCrypt_Hash_state_s, dst: *mut u8); +} +extern "C" { + pub fn EverCrypt_Hash_free(s: *mut EverCrypt_Hash_state_s); +} +extern "C" { + pub fn EverCrypt_Hash_copy( + s_src: *mut EverCrypt_Hash_state_s, + s_dst: *mut EverCrypt_Hash_state_s, + ); +} +extern "C" { + pub fn EverCrypt_Hash_hash_256(input: *mut u8, input_len: u32, dst: *mut u8); +} +extern "C" { + pub fn EverCrypt_Hash_hash_224(input: *mut u8, input_len: u32, dst: *mut u8); +} +extern "C" { + pub fn EverCrypt_Hash_hash( + a: Spec_Hash_Definitions_hash_alg, + dst: *mut u8, + input: *mut u8, + len: u32, + ); +} +extern "C" { + pub fn EverCrypt_Hash_Incremental_hash_len(a: Spec_Hash_Definitions_hash_alg) -> u32; +} +extern "C" { + pub fn EverCrypt_Hash_Incremental_block_len(a: Spec_Hash_Definitions_hash_alg) -> u32; +} +extern "C" { + pub fn EverCrypt_Hash_Incremental_create_in( + a: Spec_Hash_Definitions_hash_alg, + ) -> *mut Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____; +} +extern "C" { + pub fn EverCrypt_Hash_Incremental_init( + s: *mut Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____, + ); +} +extern "C" { + pub fn 
EverCrypt_Hash_Incremental_update( + p: *mut Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____, + data: *mut u8, + len: u32, + ); +} +extern "C" { + pub fn EverCrypt_Hash_Incremental_finish_md5( + p: *mut Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____, + dst: *mut u8, + ); +} +extern "C" { + pub fn EverCrypt_Hash_Incremental_finish_sha1( + p: *mut Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____, + dst: *mut u8, + ); +} +extern "C" { + pub fn EverCrypt_Hash_Incremental_finish_sha224( + p: *mut Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____, + dst: *mut u8, + ); +} +extern "C" { + pub fn EverCrypt_Hash_Incremental_finish_sha256( + p: *mut Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____, + dst: *mut u8, + ); +} +extern "C" { + pub fn EverCrypt_Hash_Incremental_finish_sha384( + p: *mut Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____, + dst: *mut u8, + ); +} +extern "C" { + pub fn EverCrypt_Hash_Incremental_finish_sha512( + p: *mut Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____, + dst: *mut u8, + ); +} +extern "C" { + pub fn EverCrypt_Hash_Incremental_finish_blake2s( + p: *mut Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____, + dst: *mut u8, + ); +} +extern "C" { + pub fn EverCrypt_Hash_Incremental_finish_blake2b( + p: *mut Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____, + dst: *mut u8, + ); +} +extern "C" { + pub fn EverCrypt_Hash_Incremental_alg_of_state( + s: *mut Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____, + ) -> Spec_Hash_Definitions_hash_alg; +} +extern "C" { + pub fn EverCrypt_Hash_Incremental_finish( + s: *mut Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____, + dst: *mut u8, + ); +} +extern "C" { + pub fn EverCrypt_Hash_Incremental_free( + s: *mut Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____, + ); +} +extern "C" { + pub fn EverCrypt_HMAC_compute_sha1( + dst: *mut u8, + key: *mut u8, + key_len: u32, + data: *mut 
u8, + data_len: u32, + ); +} +extern "C" { + pub fn EverCrypt_HMAC_compute_sha2_256( + dst: *mut u8, + key: *mut u8, + key_len: u32, + data: *mut u8, + data_len: u32, + ); +} +extern "C" { + pub fn EverCrypt_HMAC_compute_sha2_384( + dst: *mut u8, + key: *mut u8, + key_len: u32, + data: *mut u8, + data_len: u32, + ); +} +extern "C" { + pub fn EverCrypt_HMAC_compute_sha2_512( + dst: *mut u8, + key: *mut u8, + key_len: u32, + data: *mut u8, + data_len: u32, + ); +} +extern "C" { + pub fn EverCrypt_HMAC_compute_blake2s( + dst: *mut u8, + key: *mut u8, + key_len: u32, + data: *mut u8, + data_len: u32, + ); +} +extern "C" { + pub fn EverCrypt_HMAC_compute_blake2b( + dst: *mut u8, + key: *mut u8, + key_len: u32, + data: *mut u8, + data_len: u32, + ); +} +extern "C" { + pub fn EverCrypt_HMAC_is_supported_alg(uu___: Spec_Hash_Definitions_hash_alg) -> bool; +} +extern "C" { + pub fn EverCrypt_HMAC_compute( + a: Spec_Hash_Definitions_hash_alg, + mac: *mut u8, + key: *mut u8, + keylen: u32, + data: *mut u8, + datalen: u32, + ); +} +extern "C" { + pub fn EverCrypt_HKDF_expand_sha1( + okm: *mut u8, + prk: *mut u8, + prklen: u32, + info: *mut u8, + infolen: u32, + len: u32, + ); +} +extern "C" { + pub fn EverCrypt_HKDF_extract_sha1( + prk: *mut u8, + salt: *mut u8, + saltlen: u32, + ikm: *mut u8, + ikmlen: u32, + ); +} +extern "C" { + pub fn EverCrypt_HKDF_expand_sha2_256( + okm: *mut u8, + prk: *mut u8, + prklen: u32, + info: *mut u8, + infolen: u32, + len: u32, + ); +} +extern "C" { + pub fn EverCrypt_HKDF_extract_sha2_256( + prk: *mut u8, + salt: *mut u8, + saltlen: u32, + ikm: *mut u8, + ikmlen: u32, + ); +} +extern "C" { + pub fn EverCrypt_HKDF_expand_sha2_384( + okm: *mut u8, + prk: *mut u8, + prklen: u32, + info: *mut u8, + infolen: u32, + len: u32, + ); +} +extern "C" { + pub fn EverCrypt_HKDF_extract_sha2_384( + prk: *mut u8, + salt: *mut u8, + saltlen: u32, + ikm: *mut u8, + ikmlen: u32, + ); +} +extern "C" { + pub fn EverCrypt_HKDF_expand_sha2_512( + okm: *mut u8, + 
prk: *mut u8, + prklen: u32, + info: *mut u8, + infolen: u32, + len: u32, + ); +} +extern "C" { + pub fn EverCrypt_HKDF_extract_sha2_512( + prk: *mut u8, + salt: *mut u8, + saltlen: u32, + ikm: *mut u8, + ikmlen: u32, + ); +} +extern "C" { + pub fn EverCrypt_HKDF_expand_blake2s( + okm: *mut u8, + prk: *mut u8, + prklen: u32, + info: *mut u8, + infolen: u32, + len: u32, + ); +} +extern "C" { + pub fn EverCrypt_HKDF_extract_blake2s( + prk: *mut u8, + salt: *mut u8, + saltlen: u32, + ikm: *mut u8, + ikmlen: u32, + ); +} +extern "C" { + pub fn EverCrypt_HKDF_expand_blake2b( + okm: *mut u8, + prk: *mut u8, + prklen: u32, + info: *mut u8, + infolen: u32, + len: u32, + ); +} +extern "C" { + pub fn EverCrypt_HKDF_extract_blake2b( + prk: *mut u8, + salt: *mut u8, + saltlen: u32, + ikm: *mut u8, + ikmlen: u32, + ); +} +extern "C" { + pub fn EverCrypt_HKDF_expand( + a: Spec_Hash_Definitions_hash_alg, + okm: *mut u8, + prk: *mut u8, + prklen: u32, + info: *mut u8, + infolen: u32, + len: u32, + ); +} +extern "C" { + pub fn EverCrypt_HKDF_extract( + a: Spec_Hash_Definitions_hash_alg, + prk: *mut u8, + salt: *mut u8, + saltlen: u32, + ikm: *mut u8, + ikmlen: u32, + ); +} +extern "C" { + pub fn EverCrypt_HKDF_hkdf_expand( + a: Spec_Hash_Definitions_hash_alg, + okm: *mut u8, + prk: *mut u8, + prklen: u32, + info: *mut u8, + infolen: u32, + len: u32, + ); +} +extern "C" { + pub fn EverCrypt_HKDF_hkdf_extract( + a: Spec_Hash_Definitions_hash_alg, + prk: *mut u8, + salt: *mut u8, + saltlen: u32, + ikm: *mut u8, + ikmlen: u32, + ); +} +extern "C" { + pub fn Hacl_P256_ecdsa_sign_p256_sha2( + result: *mut u8, + mLen: u32, + m: *mut u8, + privKey: *mut u8, + k: *mut u8, + ) -> bool; +} +extern "C" { + pub fn Hacl_P256_ecdsa_sign_p256_sha384( + result: *mut u8, + mLen: u32, + m: *mut u8, + privKey: *mut u8, + k: *mut u8, + ) -> bool; +} +extern "C" { + pub fn Hacl_P256_ecdsa_sign_p256_sha512( + result: *mut u8, + mLen: u32, + m: *mut u8, + privKey: *mut u8, + k: *mut u8, + ) -> bool; +} 
+extern "C" { + pub fn Hacl_P256_ecdsa_sign_p256_without_hash( + result: *mut u8, + mLen: u32, + m: *mut u8, + privKey: *mut u8, + k: *mut u8, + ) -> bool; +} +extern "C" { + pub fn Hacl_P256_ecdsa_verif_p256_sha2( + mLen: u32, + m: *mut u8, + pubKey: *mut u8, + r: *mut u8, + s: *mut u8, + ) -> bool; +} +extern "C" { + pub fn Hacl_P256_ecdsa_verif_p256_sha384( + mLen: u32, + m: *mut u8, + pubKey: *mut u8, + r: *mut u8, + s: *mut u8, + ) -> bool; +} +extern "C" { + pub fn Hacl_P256_ecdsa_verif_p256_sha512( + mLen: u32, + m: *mut u8, + pubKey: *mut u8, + r: *mut u8, + s: *mut u8, + ) -> bool; +} +extern "C" { + pub fn Hacl_P256_ecdsa_verif_without_hash( + mLen: u32, + m: *mut u8, + pubKey: *mut u8, + r: *mut u8, + s: *mut u8, + ) -> bool; +} +extern "C" { + pub fn Hacl_P256_validate_public_key(pubKey: *mut u8) -> bool; +} +extern "C" { + pub fn Hacl_P256_validate_private_key(x: *mut u8) -> bool; +} +extern "C" { + pub fn Hacl_P256_uncompressed_to_raw(b: *mut u8, result: *mut u8) -> bool; +} +extern "C" { + pub fn Hacl_P256_compressed_to_raw(b: *mut u8, result: *mut u8) -> bool; +} +extern "C" { + pub fn Hacl_P256_raw_to_uncompressed(b: *mut u8, result: *mut u8); +} +extern "C" { + pub fn Hacl_P256_raw_to_compressed(b: *mut u8, result: *mut u8); +} +extern "C" { + pub fn Hacl_P256_dh_initiator(result: *mut u8, scalar: *mut u8) -> bool; +} +extern "C" { + pub fn Hacl_P256_dh_responder(result: *mut u8, pubKey: *mut u8, scalar: *mut u8) -> bool; +} +extern "C" { + pub fn Hacl_SHA3_shake128_hacl( + inputByteLen: u32, + input: *mut u8, + outputByteLen: u32, + output: *mut u8, + ); +} +extern "C" { + pub fn Hacl_SHA3_shake256_hacl( + inputByteLen: u32, + input: *mut u8, + outputByteLen: u32, + output: *mut u8, + ); +} +extern "C" { + pub fn Hacl_SHA3_sha3_224(inputByteLen: u32, input: *mut u8, output: *mut u8); +} +extern "C" { + pub fn Hacl_SHA3_sha3_256(inputByteLen: u32, input: *mut u8, output: *mut u8); +} +extern "C" { + pub fn Hacl_SHA3_sha3_384(inputByteLen: u32, 
input: *mut u8, output: *mut u8);
+}
+extern "C" {
+ pub fn Hacl_SHA3_sha3_512(inputByteLen: u32, input: *mut u8, output: *mut u8);
+}
diff --git a/rust/hacl-rust-sys/src/hacl_bindings.rs b/rust/hacl-rust-sys/src/hacl_bindings.rs
new file mode 100644
index 00000000..6381ee76
--- /dev/null
+++ b/rust/hacl-rust-sys/src/hacl_bindings.rs
@@ -0,0 +1,21 @@
+#![allow(dead_code)]
+
+// Include bindgen output
+// The bindings are freshly generated on Linux and MacOS builds.
+// For Windows the prebuilt bindings.rs from the repository are used.
+include!("bindings/bindings.rs");
+
+#[repr(C)]
+#[derive(Copy, Clone, Debug)]
+pub struct EverCrypt_AEAD_state_s {
+ r#impl: Spec_Cipher_Expansion_impl,
+ ek: *mut u8,
+}
+
+#[repr(C)]
+#[derive(Copy, Clone, Debug)]
+pub struct Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ {
+ block_state: *mut EverCrypt_Hash_state_s,
+ buf: *mut u8,
+ total_len: u64,
+}
diff --git a/rust/hacl-rust-sys/src/lib.rs b/rust/hacl-rust-sys/src/lib.rs
new file mode 100644
index 00000000..31252a81
--- /dev/null
+++ b/rust/hacl-rust-sys/src/lib.rs
@@ -0,0 +1,7 @@
+#![allow(non_upper_case_globals)]
+#![allow(non_camel_case_types)]
+#![allow(non_snake_case)]
+#![doc = include_str!("../README.md")]
+
+mod hacl_bindings;
+pub use hacl_bindings::*;
diff --git a/rust/hacl-rust-sys/wrapper.h b/rust/hacl-rust-sys/wrapper.h
new file mode 100644
index 00000000..95c5855a
--- /dev/null
+++ b/rust/hacl-rust-sys/wrapper.h
@@ -0,0 +1,8 @@
+#include "hacl/EverCrypt_AEAD.h"
+#include "hacl/EverCrypt_Curve25519.h"
+#include "hacl/EverCrypt_AutoConfig2.h"
+#include "hacl/EverCrypt_Ed25519.h"
+#include "hacl/EverCrypt_HKDF.h"
+#include "hacl/Hacl_P256.h"
+#include "hacl/Hacl_Spec.h"
+#include "hacl/Hacl_SHA3.h"
diff --git a/rust/src/aead.rs b/rust/src/aead.rs
new file mode 100644
index 00000000..d55a1da1
--- /dev/null
+++ b/rust/src/aead.rs
@@ -0,0 +1,555 @@
+//! Authenticated Encryption with Associated Data (AEAD)
+//!
+//! This module implements AES-GCM 128 and 256, and Chacha20Poly1305.
+//!
+//! # Usage
+//! This module provides two APIs
+//!
+//! ## Aead with key state
+//! ```rust
+//! use hacl_rust::aead::{Aead, Algorithm, Error};
+//!
+//! let key = [0x5b, 0x96, 0x04, 0xfe, 0x14, 0xea, 0xdb, 0xa9, 0x31, 0xb0, 0xcc,
+//! 0xf3, 0x48, 0x43, 0xda, 0xb9, 0x5b, 0x96, 0x04, 0xfe, 0x14, 0xea,
+//! 0xdb, 0xa9, 0x31, 0xb0, 0xcc, 0xf3, 0x48, 0x43, 0xda, 0xb9];
+//! let cipher = match Aead::new(Algorithm::Chacha20Poly1305, &key) {
+//! Ok(c) => c,
+//! Err(e) => panic!("Error instantiating AEAD.\n{:?}", e),
+//! };
+//!
+//! let iv = [0x02, 0x83, 0x18, 0xab, 0xc1, 0x82, 0x40, 0x29, 0x13, 0x81, 0x41, 0xa2];
+//! let msg = [0x00, 0x1d, 0x0c, 0x23, 0x12, 0x87, 0xc1, 0x18, 0x27, 0x84, 0x55, 0x4c, 0xa3, 0xa2, 0x19, 0x08];
+//! let aad = [];
+//!
+//! let (ciphertext, tag) = match cipher.encrypt(&msg, &iv, &aad) {
+//! Ok(r) => r,
+//! Err(e) => panic!("Error encrypting.\n{:?}", e),
+//! };
+//!
+//! let msg_ = match cipher.decrypt(&ciphertext, &tag, &iv, &aad) {
+//! Ok(r) => r,
+//! Err(e) => panic!("Error decrypting.\n{:?}", e),
+//! };
+//!
+//! assert_eq!(&msg[..], &msg_[..]);
+//! ```
+//!
+//! ## Single-shot API
+//! ```rust
+//! use hacl_rust::aead::{self, Algorithm};
+//!
+//! let key = [0x5b, 0x96, 0x04, 0xfe, 0x14, 0xea, 0xdb, 0xa9, 0x31, 0xb0, 0xcc,
+//! 0xf3, 0x48, 0x43, 0xda, 0xb9, 0x5b, 0x96, 0x04, 0xfe, 0x14, 0xea,
+//! 0xdb, 0xa9, 0x31, 0xb0, 0xcc, 0xf3, 0x48, 0x43, 0xda, 0xb9];
+//! let iv = [0x02, 0x83, 0x18, 0xab, 0xc1, 0x82, 0x40, 0x29, 0x13, 0x81, 0x41, 0xa2];
+//! let msg = [0x00, 0x1d, 0x0c, 0x23, 0x12, 0x87, 0xc1, 0x18, 0x27, 0x84, 0x55, 0x4c, 0xa3, 0xa2, 0x19, 0x08];
+//! let aad = [];
+//!
+//! let (ciphertext, tag) = match aead::encrypt(Algorithm::Chacha20Poly1305, &key, &msg, &iv, &aad) {
+//! Ok(r) => r,
+//! Err(e) => panic!("Error encrypting.\n{:?}", e),
+//! };
+//!
+//! let msg_ = match aead::decrypt(Algorithm::Chacha20Poly1305, &key, &ciphertext, &tag, &iv, &aad) {
+//! Ok(r) => r,
+//! Err(e) => panic!("Error decrypting.\n{:?}", e),
+//! };
+//!
+//! assert_eq!(&msg[..], &msg_[..]);
+//! ```
+//!
+
+use std::convert::TryInto;
+
+#[cfg(feature = "serialization")]
+use serde::{Deserialize, Serialize};
+
+use hacl_rust_sys::*;
+
+/// The AEAD Algorithm Identifier.
+#[derive(Clone, Copy, PartialEq, Debug)]
+#[cfg_attr(feature = "serialization", derive(Serialize, Deserialize))]
+#[repr(u32)]
+// ANCHOR: aead_algorithm
+pub enum Algorithm {
+ /// AES GCM 128
+ Aes128Gcm = Spec_Agile_AEAD_AES128_GCM,
+
+ /// AES GCM 256
+ Aes256Gcm = Spec_Agile_AEAD_AES256_GCM,
+
+ /// ChaCha20 Poly1305
+ Chacha20Poly1305 = Spec_Agile_AEAD_CHACHA20_POLY1305,
+}
+// ANCHOR_END: aead_algorithm
+
+impl From for Algorithm {
+ fn from(v: u8) -> Algorithm {
+ match v {
+ 0 => Algorithm::Aes128Gcm,
+ 1 => Algorithm::Aes256Gcm,
+ 2 => Algorithm::Chacha20Poly1305,
+ _ => panic!("Unknown AEAD mode {}", v),
+ }
+ }
+}
+
+impl From for Spec_Agile_AEAD_alg {
+ fn from(v: Algorithm) -> Spec_Agile_AEAD_alg {
+ match v {
+ Algorithm::Aes128Gcm => Spec_Agile_AEAD_AES128_GCM as Spec_Agile_AEAD_alg,
+ Algorithm::Aes256Gcm => Spec_Agile_AEAD_AES256_GCM as Spec_Agile_AEAD_alg,
+ Algorithm::Chacha20Poly1305 => Spec_Agile_AEAD_CHACHA20_POLY1305 as Spec_Agile_AEAD_alg,
+ }
+ }
+}
+
+impl Algorithm {
+ /// Get the key size of the `Algorithm` in bytes.
+ #[inline]
+ pub const fn key_size(self) -> usize {
+ match self {
+ Algorithm::Aes128Gcm => 16,
+ Algorithm::Aes256Gcm => 32,
+ Algorithm::Chacha20Poly1305 => 32,
+ }
+ }
+
+ /// Get the tag size of the `Algorithm` in bytes.
+ #[inline]
+ pub const fn tag_size(self) -> usize {
+ match self {
+ Algorithm::Aes128Gcm => 16,
+ Algorithm::Aes256Gcm => 16,
+ Algorithm::Chacha20Poly1305 => 16,
+ }
+ }
+
+ /// Get the nonce size of the `Algorithm` in bytes.
+ #[inline]
+ pub const fn nonce_size(self) -> usize {
+ match self {
+ Algorithm::Aes128Gcm => 12,
+ Algorithm::Aes256Gcm => 12,
+ Algorithm::Chacha20Poly1305 => 12,
+ }
+ }
+}
+
+/// AEAD Errors
+#[derive(Debug, PartialEq)]
+pub enum Error {
+ InvalidInit = 0,
+ InvalidAlgorithm = 1,
+ InvalidCiphertext = 2,
+ InvalidNonce = 3,
+ UnsupportedConfig = 4,
+ Encrypting = 5,
+ Decrypting = 6,
+ InvalidKeySize = 7,
+ InvalidTagSize = 8,
+}
+
+/// The Aead struct allows to re-use a key without having to initialize it
+/// every time.
+pub struct Aead {
+ alg: Algorithm,
+ c_state: Option<*mut EverCrypt_AEAD_state_s>,
+}
+
+/// Ciphertexts are byte vectors.
+pub type Ciphertext = Vec;
+
+pub type Aes128Key = [u8; Algorithm::key_size(Algorithm::Aes128Gcm)];
+pub type Aes256Key = [u8; Algorithm::key_size(Algorithm::Aes256Gcm)];
+pub type Chacha20Key = [u8; Algorithm::key_size(Algorithm::Chacha20Poly1305)];
+pub type Tag = [u8; 16];
+
+/// Associated data are byte arrays.
+pub type Aad = [u8];
+
+// Check hardware support for HACL* AES implementation.
+pub unsafe fn hacl_aes_available() -> bool {
+ EverCrypt_AutoConfig2_has_pclmulqdq()
+ && EverCrypt_AutoConfig2_has_avx()
+ && EverCrypt_AutoConfig2_has_sse()
+ && EverCrypt_AutoConfig2_has_movbe()
+ && EverCrypt_AutoConfig2_has_aesni()
+}
+
+impl Aead {
+ fn set_key_(&mut self, k: &[u8]) -> Result<(), Error> {
+ let state = unsafe {
+ let mut state_ptr: *mut EverCrypt_AEAD_state_s = std::ptr::null_mut();
+ let e = EverCrypt_AEAD_create_in(self.alg.into(), &mut state_ptr, k.as_ptr() as _);
+ if e != 0 {
+ return Err(Error::InvalidInit);
+ }
+ state_ptr
+ };
+ self.c_state = Some(state);
+ Ok(())
+ }
+
+ /// Create a new Aead cipher with the given Algorithm `alg` and key `k`.
+ /// If the algorithm is not supported or the state generation fails, this
+ /// function returns an `Error`.
+ ///
+ /// To get an Aead instance without setting a key immediately see `init`.
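Review bot: The two `#[repr(C)]` structs in hacl_bindings.rs are hand-written stand-ins for C types the bindgen output does not define, and nothing in the file records which C definition each must match; since the generated `EverCrypt_AEAD_uu___is_Ek` binding takes `EverCrypt_AEAD_state_s` by value, any drift in field order or width on the C side would be silent memory corruption rather than a compile error. Add a comment above each struct naming the C source it mirrors, e.g. `// Layout must match the C definition of EverCrypt_AEAD_state_s (field order and types); bindgen does not emit it, presumably because the header only forward-declares it. Re-check on every HACL* update.` The C definitions are not visible in this diff, so I have not verified the layouts. Separately, the file-wide `#![allow(dead_code)]` silences the lint for everything pulled in by `include!`; a `#[allow(dead_code)]` on just the two structs (whose private fields are never read from Rust) would keep it active elsewhere.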
+ pub fn new(alg: Algorithm, k: &[u8]) -> Result { + // Check key lengths. Evercrypt is not doing this. + if k.len() != alg.key_size() { + return Err(Error::InvalidKeySize); + } + + unsafe { + // Make sure this happened. + EverCrypt_AutoConfig2_init(); + } + let mut out = Self::init(alg)?; + out.set_key_(k)?; + Ok(out) + } + + /// Initialize a new Aead object without a key. + /// Use `set_key` to do so later. + pub fn init(mode: Algorithm) -> Result { + if unsafe { + // Make sure this happened. + EverCrypt_AutoConfig2_init(); + + // Make sure the algorithm is supported + (mode == Algorithm::Aes128Gcm || mode == Algorithm::Aes256Gcm) && !hacl_aes_available() + } { + return Err(Error::UnsupportedConfig); + } + Ok(Self { + alg: mode, + c_state: None, + }) + } + + /// Set the key for this instance. + /// This consumes the Aead and returns a new instance with the key. + pub fn set_key(self, k: &[u8]) -> Result { + Self::new(self.alg, k) + } + + /// Generate a new random key for this instance. + /// This consumes the Aead and returns a new instance with the key. + pub fn set_random_key(&mut self) -> Result<(), Error> { + self.set_key_(&self.key_gen()) + } + + /// Generate a random key. + pub fn key_gen(&self) -> Vec { + key_gen(self.alg) + } + + /// Generate a nonce. + pub fn nonce_gen(&self) -> Vec { + nonce_gen(self.alg) + } + + /// Get the nonce size of this Aead in bytes. + pub const fn nonce_size(&self) -> usize { + self.alg.nonce_size() + } + + /// Get the key size of this Aead in bytes. + pub const fn key_size(&self) -> usize { + self.alg.key_size() + } + + /// Get the tag size of this Aead in bytes. + pub const fn tag_size(&self) -> usize { + self.alg.tag_size() + } + + /// Encrypt with the algorithm and key of this Aead. + /// Returns `(ctxt, tag)` or an `Error`. 
+ pub fn encrypt( + &self, + msg: &[u8], + iv: &[u8], + aad: &Aad, + ) -> Result<(Ciphertext, Vec), Error> { + if iv.len() != self.nonce_size() { + return Err(Error::InvalidNonce); + } + + let mut ctxt = vec![0u8; msg.len()]; + let mut tag = vec![0u8; self.tag_size()]; + unsafe { + EverCrypt_AEAD_encrypt( + self.c_state.unwrap(), + iv.as_ptr() as _, + self.nonce_size().try_into().unwrap(), + aad.as_ptr() as _, + aad.len() as u32, + msg.as_ptr() as _, + msg.len() as u32, + ctxt.as_mut_ptr(), + tag.as_mut_ptr(), + ); + } + Ok((ctxt, tag)) + } + + /// Encrypt with the algorithm and key of this Aead. + /// Returns `(ctxt || tag)` or an `Error`. + /// This is more efficient if the tag needs to be appended to the cipher text. + // ANCHOR: aead_encrypt_combined + pub fn encrypt_combined(&self, msg: &[u8], iv: &[u8], aad: &Aad) -> Result { + // ANCHOR_END: aead_encrypt_combined + if iv.len() != self.nonce_size() { + return Err(Error::InvalidNonce); + } + + // combined cipher text and tag + let mut ctxt = vec![0u8; msg.len() + self.tag_size()]; + unsafe { + EverCrypt_AEAD_encrypt( + self.c_state.unwrap(), + iv.as_ptr() as _, + self.nonce_size().try_into().unwrap(), + aad.as_ptr() as _, + aad.len() as u32, + msg.as_ptr() as _, + msg.len() as u32, + ctxt.as_mut_ptr(), + ctxt.as_mut_ptr().offset(msg.len().try_into().unwrap()), + ); + } + Ok(ctxt) + } + + /// Encrypt with the algorithm and key of this Aead. + /// Returns the cipher text in the `payload` and a `tag` or an `Error`. 
+ // ANCHOR: aead_encrypt_in_place + pub fn encrypt_in_place( + &self, + payload: &mut [u8], + iv: &[u8], + aad: &Aad, + ) -> Result, Error> { + // ANCHOR_END: aead_encrypt_in_place + if iv.len() != self.nonce_size() { + return Err(Error::InvalidNonce); + } + + // The tag + let mut tag = vec![0u8; self.tag_size()]; + unsafe { + EverCrypt_AEAD_encrypt( + self.c_state.unwrap(), + iv.as_ptr() as _, + self.nonce_size().try_into().unwrap(), + aad.as_ptr() as _, + aad.len() as u32, + payload.as_ptr() as _, + payload.len() as u32, + payload.as_ptr() as _, + tag.as_mut_ptr(), + ); + } + Ok(tag) + } + + #[inline] + fn _decrypt_checks(&self, tag: &[u8], iv: &[u8]) -> Result<(), Error> { + if iv.len() != 12 { + return Err(Error::InvalidNonce); + } + if tag.len() != self.tag_size() { + return Err(Error::InvalidTagSize); + } + Ok(()) + } + + #[inline] + fn _decrypt(&self, ctxt: &[u8], tag: &[u8], iv: &[u8], aad: &Aad) -> Result, Error> { + self._decrypt_checks(tag, iv)?; + + let mut msg = vec![0u8; ctxt.len()]; + let r = unsafe { + EverCrypt_AEAD_decrypt( + self.c_state.unwrap(), + iv.as_ptr() as _, + self.nonce_size().try_into().unwrap(), + aad.as_ptr() as _, + aad.len() as u32, + ctxt.as_ptr() as _, + ctxt.len() as u32, + tag.as_ptr() as _, + msg.as_mut_ptr(), + ) + }; + if r as u32 != EverCrypt_Error_Success { + Err(Error::InvalidCiphertext) + } else { + Ok(msg) + } + } + + /// Decrypt with the algorithm and key of this Aead. + /// Returns `msg` or an `Error`. + pub fn decrypt(&self, ctxt: &[u8], tag: &[u8], iv: &[u8], aad: &Aad) -> Result, Error> { + self._decrypt(ctxt, tag, iv, aad) + } + + /// Decrypt with the algorithm and key of this Aead. + /// Returns `msg` or an `Error`. + /// This takes the combined ctxt || tag as input and might be more efficient + /// than `decrypt`. 
+ // ANCHOR: aead_decrypt_combined + pub fn decrypt_combined(&self, ctxt: &[u8], iv: &[u8], aad: &Aad) -> Result, Error> { + // ANCHOR_END: aead_decrypt_combined + if ctxt.len() < self.tag_size() { + return Err(Error::InvalidTagSize); + } + let msg_len = ctxt.len() - self.tag_size(); + let tag = &ctxt[msg_len..]; + let ctxt = &ctxt[..msg_len]; + self._decrypt(ctxt, tag, iv, aad) + } + + /// Decrypt with the algorithm and key of this Aead. + /// + /// Returns an `Error` if decryption failed. The decrypted `payload` is written + /// into `payload`. + // ANCHOR: aead_decrypt_in_place + pub fn decrypt_in_place( + &self, + payload: &mut [u8], + tag: &[u8], + iv: &[u8], + aad: &Aad, + ) -> Result<(), Error> { + // ANCHOR_END: aead_decrypt_in_place + self._decrypt_checks(tag, iv)?; + + let r = unsafe { + EverCrypt_AEAD_decrypt( + self.c_state.unwrap(), + iv.as_ptr() as _, + self.nonce_size().try_into().unwrap(), + aad.as_ptr() as _, + aad.len() as u32, + payload.as_ptr() as _, + payload.len() as u32, + tag.as_ptr() as _, + payload.as_mut_ptr(), + ) + }; + if r as u32 != EverCrypt_Error_Success { + Err(Error::InvalidCiphertext) + } else { + Ok(()) + } + } +} + +impl Drop for Aead { + fn drop(&mut self) { + if let Some(c_state) = self.c_state { + unsafe { EverCrypt_AEAD_free(c_state) } + } + } +} + +// Single-shot APIs + +/// Single-shot API for AEAD encryption. +pub fn encrypt( + alg: Algorithm, + k: &[u8], + msg: &[u8], + iv: &[u8], + aad: &Aad, +) -> Result<(Ciphertext, Vec), Error> { + let cipher = Aead::new(alg, k)?; + cipher.encrypt(msg, iv, aad) +} + +/// Single-shot API for combined AEAD encryption. +pub fn encrypt_combined( + alg: Algorithm, + k: &[u8], + msg: &[u8], + iv: &[u8], + aad: &Aad, +) -> Result { + let cipher = Aead::new(alg, k)?; + cipher.encrypt_combined(msg, iv, aad) +} + +/// Single-shot API for in place AEAD encryption. 
+pub fn encrypt_in_place( + alg: Algorithm, + k: &[u8], + payload: &mut [u8], + iv: &[u8], + aad: &Aad, +) -> Result, Error> { + let cipher = Aead::new(alg, k)?; + cipher.encrypt_in_place(payload, iv, aad) +} + +/// Single-shot API for AEAD decryption. +pub fn decrypt( + alg: Algorithm, + k: &[u8], + ctxt: &[u8], + tag: &[u8], + iv: &[u8], + aad: &Aad, +) -> Result, Error> { + let cipher = Aead::new(alg, k)?; + cipher.decrypt(ctxt, tag, iv, aad) +} + +/// Single-shot API for combined AEAD decryption. +pub fn decrypt_combined( + alg: Algorithm, + k: &[u8], + ctxt: &[u8], + iv: &[u8], + aad: &Aad, +) -> Result, Error> { + let cipher = Aead::new(alg, k)?; + cipher.decrypt_combined(ctxt, iv, aad) +} + +/// Single-shot API for AEAD decryption in place. +pub fn decrypt_in_place( + alg: Algorithm, + k: &[u8], + payload: &mut [u8], + tag: &[u8], + iv: &[u8], + aad: &Aad, +) -> Result<(), Error> { + let cipher = Aead::new(alg, k)?; + cipher.decrypt_in_place(payload, tag, iv, aad) +} + +/// Generate a random key. +pub fn key_gen(alg: Algorithm) -> Vec { + crate::rand_util::random_vec(alg.key_size()) +} + +/// Generate a nonce. +pub fn nonce_gen(alg: Algorithm) -> Vec { + crate::rand_util::random_vec(alg.nonce_size()) +} + +// /// Generate a random key. +// pub fn key_gen() -> [u8; L] { +// crate::rand_util::random_array() +// } + +// /// Generate a nonce. +// pub fn nonce_gen() -> [u8; L] { +// crate::rand_util::random_array() +// } diff --git a/rust/src/digest.rs b/rust/src/digest.rs new file mode 100644 index 00000000..e98f689e --- /dev/null +++ b/rust/src/digest.rs 
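Review bot: `set_key_` overwrites `self.c_state` without freeing a state that is already there, so `set_random_key` on an `Aead` that already holds a key leaks the previous `EverCrypt_AEAD_state_s` together with the expanded key it owns, since `EverCrypt_AEAD_free` is only reached from `Drop`. Freeing first closes that: `if let Some(old) = self.c_state.take() { unsafe { EverCrypt_AEAD_free(old) } }` placed before the `EverCrypt_AEAD_create_in` call. Separately, `encrypt`, `encrypt_combined`, `encrypt_in_place`, `_decrypt` and `decrypt_in_place` all call `self.c_state.unwrap()`, so an instance produced by `init` and used before `set_key` panics instead of reporting the error the enum already has; `let state = self.c_state.ok_or(Error::InvalidInit)?;` would return it. `_decrypt_checks` also hardcodes `iv.len() != 12` where the encrypt paths use `self.nonce_size()`, and `encrypt_in_place` passes `payload.as_ptr() as _` for the output buffer where `decrypt_in_place` uses `payload.as_mut_ptr()`.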
@@ -0,0 +1,425 @@ +//! Hashing +//! +//! This module implements the SHA 1 and SHA 2 hash functions. +//! +//! # Usage +//! This module provides two APIs +//! +//! ## Stateful Hashing +//! ```rust +//! use hacl_rust::digest::{Digest, Algorithm}; +//! +//! let expected_digest_256 = [ +//! 0xa5, 0x35, 0xf2, 0x6a, 0xff, 0xbc, 0x1f, 0x08, 0x73, 0xdb, 0x15, 0x15, 0x9d, 0xce, 0xbf, +//! 0x25, 0x99, 0x64, 0xbe, 0x42, 0xde, 0xa8, 0x4d, 0x29, 0x00, 0x38, 0x4b, 0xee, 0x15, 0x09, +//! 0xe4, 0x00, +//! ]; +//! let expected_digest_512 = [ +//! 0x36, 0x97, 0x36, 0x7c, 0xc9, 0x1e, 0xda, 0xa7, 0x6d, 0xb8, 0x03, 0x39, 0x61, 0x5f, 0xc2, +//! 0x12, 0xe1, 0x5e, 0x64, 0x3e, 0x31, 0x30, 0xf7, 0x1f, 0x28, 0xd0, 0x3f, 0x34, 0x3d, 0xf4, +//! 0x88, 0x0a, 0xd3, 0x6c, 0x63, 0xe5, 0x35, 0x1f, 0x56, 0xe0, 0xf7, 0xe0, 0x4c, 0x24, 0x96, +//! 0xc0, 0xb3, 0x6b, 0xcf, 0x7c, 0x5d, 0xcb, 0xf3, 0x5e, 0x38, 0xe9, 0xbb, 0x44, 0xf8, 0xa0, +//! 0xc2, 0x83, 0x42, 0x4e, +//! ]; +//! +//! let data = b"evercrypt-rust bindings"; +//! +//! let mut digest_256 = Digest::new(Algorithm::Sha256).unwrap(); +//! if digest_256.update(data).is_err() { +//! panic!("Error hashing."); +//! } +//! let digest_256_result = match digest_256.finish() { +//! Ok(d) => d, +//! Err(e) => panic!("Finish digest failed.\n{:?}", e), +//! }; +//! +//! let mut digest_512 = Digest::new(Algorithm::Sha512).unwrap(); +//! if digest_512.update(data).is_err() { +//! panic!("Error hashing."); +//! } +//! let digest_512_result = match digest_512.finish() { +//! Ok(d) => d, +//! Err(e) => panic!("Finish digest failed.\n{:?}", e), +//! }; +//! +//! assert_eq!(&digest_256_result[..], &expected_digest_256[..]); +//! assert_eq!(&digest_512_result[..], &expected_digest_512[..]); +//! ``` +//! +//! ## Single-shot API +//! ```rust +//! use hacl_rust::digest::{self, Algorithm}; +//! +//! let expected_digest_256 = [ +//! 0xa5, 0x35, 0xf2, 0x6a, 0xff, 0xbc, 0x1f, 0x08, 0x73, 0xdb, 0x15, 0x15, 0x9d, 0xce, 0xbf, +//! 
0x25, 0x99, 0x64, 0xbe, 0x42, 0xde, 0xa8, 0x4d, 0x29, 0x00, 0x38, 0x4b, 0xee, 0x15, 0x09, +//! 0xe4, 0x00, +//! ]; +//! let expected_digest_512 = [ +//! 0x36, 0x97, 0x36, 0x7c, 0xc9, 0x1e, 0xda, 0xa7, 0x6d, 0xb8, 0x03, 0x39, 0x61, 0x5f, 0xc2, +//! 0x12, 0xe1, 0x5e, 0x64, 0x3e, 0x31, 0x30, 0xf7, 0x1f, 0x28, 0xd0, 0x3f, 0x34, 0x3d, 0xf4, +//! 0x88, 0x0a, 0xd3, 0x6c, 0x63, 0xe5, 0x35, 0x1f, 0x56, 0xe0, 0xf7, 0xe0, 0x4c, 0x24, 0x96, +//! 0xc0, 0xb3, 0x6b, 0xcf, 0x7c, 0x5d, 0xcb, 0xf3, 0x5e, 0x38, 0xe9, 0xbb, 0x44, 0xf8, 0xa0, +//! 0xc2, 0x83, 0x42, 0x4e, +//! ]; +//! +//! let data = b"evercrypt-rust bindings"; +//! +//! let digest_256 = digest::hash(Algorithm::Sha256, data); +//! let digest_512 = digest::hash(Algorithm::Sha512, data); +//! +//! assert_eq!(&digest_256[..], &expected_digest_256[..]); +//! assert_eq!(&digest_512[..], &expected_digest_512[..]); +//! +//! let digest_256 = digest::sha256(data); +//! let digest_512 = digest::sha512(data); +//! +//! assert_eq!(&digest_256[..], &expected_digest_256[..]); +//! assert_eq!(&digest_512[..], &expected_digest_512[..]); +//! ``` +//! +//! ## SHA 3 +//! ```rust +//! use hacl_rust::digest::{self, Algorithm}; +//! +//! let data = b"evercrypt-rust bindings"; +//! let expected_digest_3_256 = [ +//! 0x49, 0x4b, 0xc2, 0xea, 0x73, 0x43, 0x4f, 0x88, 0x62, 0x56, 0x13, 0x39, 0xda, 0x1a, 0x6d, +//! 0x58, 0x05, 0xee, 0x34, 0x4b, 0x67, 0x5d, 0x18, 0xfb, 0x9a, 0x81, 0xca, 0x65, 0xa7, 0x8f, +//! 0xeb, 0x6e, +//! ]; +//! let expected_digest_3_512 = [ +//! 0x7a, 0xaa, 0x97, 0x5c, 0x6b, 0x15, 0x5b, 0x55, 0xd3, 0x7b, 0xa6, 0x99, 0x3f, 0x7e, 0x14, +//! 0xd9, 0x8c, 0x28, 0x0d, 0x2b, 0x2f, 0xc2, 0x4a, 0xa7, 0x84, 0x07, 0xcf, 0x15, 0x2d, 0x0a, +//! 0xca, 0xbc, 0x32, 0xf2, 0x11, 0xf4, 0x64, 0x30, 0x19, 0x0a, 0x35, 0x26, 0x94, 0x76, 0x84, +//! 0x2a, 0x1f, 0x17, 0x41, 0xad, 0x46, 0x06, 0xf6, 0xc8, 0xc6, 0xad, 0x8d, 0x02, 0x2e, 0x85, +//! 0xb4, 0x9d, 0x6b, 0xd7, +//! ]; +//! +//! 
assert_eq!(digest::hash(Algorithm::Sha3_256, data), expected_digest_3_256); +//! assert_eq!( +//! digest::hash(Algorithm::Sha3_512, data)[..], +//! expected_digest_3_512[..] +//! ); +//! ``` +//! +//! ## SHAKE +//! ```rust +//! use hacl_rust::digest::{self, Algorithm}; +//! +//! let data = b"evercrypt-rust bindings"; +//! let expected_digest_128 = [ +//! 0xfd, 0x3b, 0x31, 0x35, 0x35, 0x05, 0x87, 0xd5, 0x36, 0x2a, 0xae, 0x4d, 0x1c, 0x8a, 0x25, +//! 0xba, 0xa4, 0xec, 0x82, 0xef, 0xff, 0xb8, 0x27, 0x1c, 0x91, 0x20, 0xa2, 0xed, 0x53, 0x17, +//! 0x2a, 0xcc, 0x97, 0x97, 0x34, 0x65, 0x1e, 0x69, 0xb3, 0xb3, 0x27, 0x09, 0x4c, 0xc0, 0x5e, +//! 0xde, 0x3b, 0x5d, 0xf9, 0x98, 0xe6, 0x37, 0xce, 0x06, 0xb3, 0xa0, 0x53, 0xdf, 0x81, 0x80, +//! 0x99, 0x8c, 0xfc, 0x95, +//! ]; +//! let expected_digest_256 = [ +//! 0xf0, 0x85, 0x60, 0x6b, 0xed, 0xca, 0x25, 0xe4, 0x3c, 0x97, 0x05, 0x0f, 0xf2, 0x3e, 0xe0, +//! 0xd9, 0xe5, 0x89, 0x14, 0xff, 0xbb, 0x30, 0x5a, 0x00, 0x26, 0x30, 0x1c, 0x25, 0x7a, 0x5a, +//! 0xeb, 0x50, 0x7e, 0x4b, 0x21, 0x19, 0x53, 0x3f, 0xf7, 0x23, 0xc7, 0xe1, 0xad, 0xc5, 0xdf, +//! 0x2a, 0x62, 0x1d, 0xad, 0x18, 0xa4, 0x46, 0xaf, 0xeb, 0x2a, 0x54, 0xb3, 0xad, 0xfe, 0xc7, +//! 0x8e, 0x08, 0x6a, 0x6f, +//! ]; +//! +//! assert_eq!(digest::shake128(data, 64)[..], expected_digest_128[..]); +//! assert_eq!(digest::shake256(data, 64)[..], expected_digest_256[..]); +//! ``` +//! +//! ## Blake2b +//! ```rust +//! use hacl_rust::digest::{self, Algorithm}; +//! +//! let data = [ +//! 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, +//! 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, +//! 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, +//! 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, +//! 0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, +//! 
0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, +//! 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, +//! 0x69, 0x6a, +//! ]; +//! let expected_digest = [ +//! 0x22, 0xef, 0xf8, 0xe6, 0xdd, 0x52, 0x36, 0xf5, 0xf5, 0x7d, 0x94, 0xed, 0xe8, 0x74, 0xd6, +//! 0xc9, 0x42, 0x8e, 0x8f, 0x5d, 0x56, 0x6f, 0x17, 0xcd, 0x6d, 0x18, 0x48, 0xcd, 0x75, 0x2f, +//! 0xe1, 0x3c, 0x65, 0x5c, 0xb1, 0x0f, 0xba, 0xaf, 0xf7, 0x68, 0x72, 0xf2, 0xbf, 0x2d, 0xa9, +//! 0x9e, 0x15, 0xdc, 0x62, 0x40, 0x75, 0xe1, 0xec, 0x2f, 0x58, 0xa3, 0xf6, 0x40, 0x72, 0x12, +//! 0x18, 0x38, 0x56, 0x9e, +//! ]; +//! +//! assert_eq!(digest::hash(Algorithm::Blake2b, &data)[..], expected_digest[..]); +//! ``` +//! +//! ## Blake2s +//! ```rust +//! use hacl_rust::digest::{self, Algorithm}; +//! +//! let data = [ +//! 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, +//! 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, +//! 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, +//! 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, +//! ]; +//! let expected_digest = [ +//! 0xe2, 0x90, 0xdd, 0x27, 0x0b, 0x46, 0x7f, 0x34, 0xab, 0x1c, 0x00, 0x2d, 0x34, 0x0f, 0xa0, +//! 0x16, 0x25, 0x7f, 0xf1, 0x9e, 0x58, 0x33, 0xfd, 0xbb, 0xf2, 0xcb, 0x40, 0x1c, 0x3b, 0x28, +//! 0x17, 0xde, +//! ]; +//! +//! assert_eq!(digest::hash(Algorithm::Blake2s, &data), expected_digest); +//! ``` + +#[cfg(feature = "serialization")] +use serde::{Deserialize, Serialize}; + +use hacl_rust_sys::*; + +#[derive(Debug)] +pub enum Error { + InvalidStateFinished, + ModeUnsupportedForStreaming, +} + +/// The Digest Algorithm. 
+#[derive(Copy, Clone, Debug, PartialEq)] +#[cfg_attr(feature = "serialization", derive(Serialize, Deserialize))] +pub enum Algorithm { + Sha1 = Spec_Hash_Definitions_SHA1 as isize, + Sha224 = Spec_Hash_Definitions_SHA2_224 as isize, + Sha256 = Spec_Hash_Definitions_SHA2_256 as isize, + Sha384 = Spec_Hash_Definitions_SHA2_384 as isize, + Sha512 = Spec_Hash_Definitions_SHA2_512 as isize, + Blake2s = Spec_Hash_Definitions_Blake2S as isize, + Blake2b = Spec_Hash_Definitions_Blake2B as isize, + // XXX: The following is not in evercrypt (agile API) so we define something here. + Sha3_224 = 8, + Sha3_256 = 9, + Sha3_384 = 10, + Sha3_512 = 11, +} + +#[allow(non_upper_case_globals)] +impl From for Algorithm { + fn from(v: u32) -> Algorithm { + match v { + Spec_Hash_Definitions_SHA1 => Algorithm::Sha1, + Spec_Hash_Definitions_SHA2_224 => Algorithm::Sha224, + Spec_Hash_Definitions_SHA2_256 => Algorithm::Sha256, + Spec_Hash_Definitions_SHA2_384 => Algorithm::Sha384, + Spec_Hash_Definitions_SHA2_512 => Algorithm::Sha512, + Spec_Hash_Definitions_Blake2S => Algorithm::Blake2s, + Spec_Hash_Definitions_Blake2B => Algorithm::Blake2b, + 8 => Algorithm::Sha3_224, + 9 => Algorithm::Sha3_256, + 10 => Algorithm::Sha3_384, + 11 => Algorithm::Sha3_512, + _ => panic!("Unknown Digest mode {}", v), + } + } +} + +impl From for Spec_Hash_Definitions_hash_alg { + fn from(v: Algorithm) -> Spec_Hash_Definitions_hash_alg { + match v { + Algorithm::Sha1 => Spec_Hash_Definitions_SHA1 as Spec_Hash_Definitions_hash_alg, + Algorithm::Sha224 => Spec_Hash_Definitions_SHA2_224 as Spec_Hash_Definitions_hash_alg, + Algorithm::Sha256 => Spec_Hash_Definitions_SHA2_256 as Spec_Hash_Definitions_hash_alg, + Algorithm::Sha384 => Spec_Hash_Definitions_SHA2_384 as Spec_Hash_Definitions_hash_alg, + Algorithm::Sha512 => Spec_Hash_Definitions_SHA2_512 as Spec_Hash_Definitions_hash_alg, + Algorithm::Blake2s => Spec_Hash_Definitions_Blake2S as Spec_Hash_Definitions_hash_alg, + Algorithm::Blake2b => 
Spec_Hash_Definitions_Blake2B as Spec_Hash_Definitions_hash_alg, + Algorithm::Sha3_224 => 8, + Algorithm::Sha3_256 => 9, + Algorithm::Sha3_384 => 10, + Algorithm::Sha3_512 => 11, + } + } +} + +#[deprecated( + since = "0.0.10", + note = "Please use digest_size instead. This alias will be removed with the first stable 0.1 release." +)] +pub fn get_digest_size(mode: Algorithm) -> usize { + digest_size(mode) +} + +/// Returns the output size of a digest. +pub const fn digest_size(mode: Algorithm) -> usize { + match mode { + Algorithm::Sha1 => 20, + Algorithm::Sha224 => 28, + Algorithm::Sha256 => 32, + Algorithm::Sha384 => 48, + Algorithm::Sha512 => 64, + Algorithm::Blake2s => 32, + Algorithm::Blake2b => 64, + Algorithm::Sha3_224 => 28, + Algorithm::Sha3_256 => 32, + Algorithm::Sha3_384 => 48, + Algorithm::Sha3_512 => 64, + } +} + +/// Check if we do SHA3, which is not in the agile API and hence has to be +/// handled differently. +const fn is_sha3(alg: Algorithm) -> bool { + matches!( + alg, + Algorithm::Sha3_224 | Algorithm::Sha3_256 | Algorithm::Sha3_384 | Algorithm::Sha3_512 + ) +} + +/// The digest struct for stateful hashing. +pub struct Digest { + mode: Algorithm, + finished: bool, + c_state: *mut Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____, +} + +impl Digest { + /// Create a new digest for the given mode `alg`. + pub fn new(alg: Algorithm) -> Result { + if is_sha3(alg) { + return Err(Error::ModeUnsupportedForStreaming); + } + + let c_state: *mut Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ = + unsafe { EverCrypt_Hash_Incremental_create_in(alg.into()) }; + Ok(Self { + mode: alg, + finished: false, + c_state, + }) + } + + /// Update the hash state. + /// Modifies `self` and doesn't return anything but an `Error` in case the + /// update fails. 
+ pub fn update(&mut self, data: &[u8]) -> Result<(), Error> { + if self.finished { + return Err(Error::InvalidStateFinished); + } + unsafe { + EverCrypt_Hash_Incremental_update(self.c_state, data.as_ptr() as _, data.len() as u32); + } + Ok(()) + } + + /// Finish the hash computation. + /// Returns the digest or an `Error`. + /// + /// **The struct can not be re-used after this!** + pub fn finish(&mut self) -> Result, Error> { + if self.finished { + return Err(Error::InvalidStateFinished); + } + let mut out = vec![0u8; digest_size(self.mode)]; + unsafe { + EverCrypt_Hash_Incremental_finish(self.c_state, out.as_mut_ptr()); + EverCrypt_Hash_Incremental_free(self.c_state); + } + self.finished = true; + Ok(out) + } +} + +// Single-shot API with array returns. + +macro_rules! define_plain_digest { + ($name:ident, $version:expr, $l:literal) => { + /// Single-shot API with a fixed length output. + pub fn $name(data: &[u8]) -> [u8; $l] { + let mut out = [0u8; $l]; + + match $version { + Algorithm::Sha3_224 => unsafe { + Hacl_SHA3_sha3_224(data.len() as u32, data.as_ptr() as _, out.as_mut_ptr()) + }, + Algorithm::Sha3_256 => unsafe { + Hacl_SHA3_sha3_256(data.len() as u32, data.as_ptr() as _, out.as_mut_ptr()) + }, + Algorithm::Sha3_384 => unsafe { + Hacl_SHA3_sha3_384(data.len() as u32, data.as_ptr() as _, out.as_mut_ptr()) + }, + Algorithm::Sha3_512 => unsafe { + Hacl_SHA3_sha3_512(data.len() as u32, data.as_ptr() as _, out.as_mut_ptr()) + }, + _ => unsafe { + EverCrypt_Hash_hash( + $version.into(), + out.as_mut_ptr(), + data.as_ptr() as _, + data.len() as u32, + ); + }, + } + + out + } + }; +} + +define_plain_digest!(sha1, Algorithm::Sha1, 20); +define_plain_digest!(sha224, Algorithm::Sha224, 28); +define_plain_digest!(sha256, Algorithm::Sha256, 32); +define_plain_digest!(sha384, Algorithm::Sha384, 48); +define_plain_digest!(sha512, Algorithm::Sha512, 64); +define_plain_digest!(sha3_224, Algorithm::Sha3_224, 28); +define_plain_digest!(sha3_256, Algorithm::Sha3_256, 32); 
+define_plain_digest!(sha3_384, Algorithm::Sha3_384, 48); +define_plain_digest!(sha3_512, Algorithm::Sha3_512, 64); +define_plain_digest!(blake2s, Algorithm::Blake2s, 32); +define_plain_digest!(blake2b, Algorithm::Blake2b, 64); + +// Single-shot API + +/// Create the digest for the given `data` and mode `alg`. +/// The output has length `get_digest_size(alg)`. +pub fn hash(alg: Algorithm, data: &[u8]) -> Vec { + match alg { + Algorithm::Sha1 => sha1(data).to_vec(), + Algorithm::Sha224 => sha224(data).to_vec(), + Algorithm::Sha256 => sha256(data).to_vec(), + Algorithm::Sha384 => sha384(data).to_vec(), + Algorithm::Sha512 => sha512(data).to_vec(), + Algorithm::Sha3_224 => sha3_224(data).to_vec(), + Algorithm::Sha3_256 => sha3_256(data).to_vec(), + Algorithm::Sha3_384 => sha3_384(data).to_vec(), + Algorithm::Sha3_512 => sha3_512(data).to_vec(), + Algorithm::Blake2s => blake2s(data).to_vec(), + Algorithm::Blake2b => blake2b(data).to_vec(), + } +} + +// SHAKE messages from SHA 3 + +/// SHAKE 128 +pub fn shake128(data: &[u8], out_len: usize) -> Vec { + let mut out = vec![0u8; out_len]; + unsafe { + Hacl_SHA3_shake128_hacl( + data.len() as u32, + data.as_ptr() as _, + out_len as u32, + out.as_mut_ptr(), + ); + } + out +} + +/// SHAKE 256 +pub fn shake256(data: &[u8], out_len: usize) -> Vec { + let mut out = vec![0u8; out_len]; + unsafe { + Hacl_SHA3_shake256_hacl( + data.len() as u32, + data.as_ptr() as _, + out_len as u32, + out.as_mut_ptr(), + ); + } + out +} diff --git a/rust/src/ecdh.rs b/rust/src/ecdh.rs new file mode 100644 index 00000000..bf8060a5 --- /dev/null +++ b/rust/src/ecdh.rs 
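Review bot: `Digest` has no `Drop` implementation, so a state created by `new` and never run through `finish` leaks the incremental hash state (`EverCrypt_Hash_Incremental_free` is only reached from `finish`), unlike `Aead` in this same commit, which frees its state on drop. A `Drop` guarded by the existing `finished` flag closes that, since `finish` already frees the state and sets the flag before returning. The `data.len() as u32` casts in `update`, `define_plain_digest!`, `shake128` and `shake256` silently truncate the length for inputs of 4 GiB or more, so the digest would be computed over a prefix of the data; `u32::try_from(data.len()).expect("input longer than u32::MAX bytes")` fails loudly instead. The `hash` doc comment refers to the deprecated `get_digest_size(alg)` where `digest_size(alg)` is meant. `new` also stores `c_state` without a null check; whether `EverCrypt_Hash_Incremental_create_in` can return null on allocation failure is not visible here and is worth confirming.
```rust
impl Drop for Digest {
    fn drop(&mut self) {
        // `finish` frees the C state and sets `finished`; only free here if it never ran.
        if !self.finished {
            unsafe { EverCrypt_Hash_Incremental_free(self.c_state) }
        }
    }
}
```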
@@ -0,0 +1,122 @@
+//! ECDH
+//!
+//! This module implements an agile API for ECDH on P256 and x25519.
+//!
+//! # Usage
+//! ```rust
+//! use hacl_rust::ecdh::{self, Mode};
+//!
+//! // P256
+//! let public = [0x04, 0x62, 0xd5, 0xbd, 0x33, 0x72, 0xaf, 0x75, 0xfe, 0x85, 0xa0, 0x40, 0x71, 0x5d, 0x0f, 0x50, 0x24, 0x28, 0xe0, 0x70, 0x46, 0x86, 0x8b, 0x0b, 0xfd, 0xfa, 0x61, 0xd7, 0x31, 0xaf, 0xe4, 0x4f, 0x26, 0xac, 0x33, 0x3a, 0x93, 0xa9, 0xe7, 0x0a, 0x81, 0xcd, 0x5a, 0x95, 0xb5, 0xbf, 0x8d, 0x13, 0x99, 0x0e, 0xb7, 0x41, 0xc8, 0xc3, 0x88, 0x72, 0xb4, 0xa0, 0x7d, 0x27, 0x5a, 0x01, 0x4e, 0x30, 0xcf];
+//! let private = [0x06, 0x12, 0x46, 0x5c, 0x89, 0xa0, 0x23, 0xab, 0x17, 0x85, 0x5b, 0x0a, 0x6b, 0xce, 0xbf, 0xd3, 0xfe, 0xbb, 0x53, 0xae, 0xf8, 0x41, 0x38, 0x64, 0x7b, 0x53, 0x52, 0xe0, 0x2c, 0x10, 0xc3, 0x46];
+//! let expected_result = [0x53, 0x02, 0x0d, 0x90, 0x8b, 0x02, 0x19, 0x32, 0x8b, 0x65, 0x8b, 0x52, 0x5f, 0x26, 0x78, 0x0e, 0x3a, 0xe1, 0x2b, 0xcd, 0x95, 0x2b, 0xb2, 0x5a, 0x93, 0xbc, 0x08, 0x95, 0xe1, 0x71, 0x42, 0x85];
+//!
+//! let result = match ecdh::derive(Mode::P256, &public, &private) {
+//! Ok(r) => r,
+//! Err(e) => panic!("P256 derive failed.\n{:?}", e),
+//! };
+//! assert_eq!(expected_result[..], result[..32]);
+//!
+//! let _result = match ecdh::derive_base(Mode::P256, &private) {
+//! Ok(r) => r,
+//! Err(e) => panic!("P256 derive failed.\n{:?}", e),
+//! };
+//!
+//! // x25519
+//! let public = [0x50, 0x4a, 0x36, 0x99, 0x9f, 0x48, 0x9c, 0xd2, 0xfd, 0xbc, 0x08, 0xba, 0xff, 0x3d, 0x88, 0xfa, 0x00, 0x56, 0x9b, 0xa9, 0x86, 0xcb, 0xa2, 0x25, 0x48, 0xff, 0xde, 0x80, 0xf9, 0x80, 0x68, 0x29];
+//! let private = [0xc8, 0xa9, 0xd5, 0xa9, 0x10, 0x91, 0xad, 0x85, 0x1c, 0x66, 0x8b, 0x07, 0x36, 0xc1, 0xc9, 0xa0, 0x29, 0x36, 0xc0, 0xd3, 0xad, 0x62, 0x67, 0x08, 0x58, 0x08, 0x80, 0x47, 0xba, 0x05, 0x74, 0x75];
+//! let expected_result = [0x43, 0x6a, 0x2c, 0x04, 0x0c, 0xf4, 0x5f, 0xea, 0x9b, 0x29, 0xa0, 0xcb, 0x81, 0xb1, 0xf4, 0x14, 0x58, 0xf8, 0x63, 0xd0, 0xd6, 0x1b, 0x45, 0x3d, 0x0a, 0x98, 0x27, 0x20, 0xd6, 0xd6, 0x13, 0x20];
+//!
+//! let result = match ecdh::derive(Mode::X25519, &public, &private) {
+//! Ok(r) => r,
+//! Err(e) => panic!("x25519 derive failed.\n{:?}", e),
+//! };
+//! assert_eq!(expected_result[..], result[..]);
+//!
+//! let _result = match ecdh::derive_base(Mode::X25519, &private) {
+//! Ok(r) => r,
+//! Err(e) => panic!("x25519 derive failed.\n{:?}", e),
+//! };
+//! ```
+
+#[cfg(feature = "serialization")]
+use serde::{Deserialize, Serialize};
+
+use crate::p256;
+use crate::x25519;
+
+#[derive(Debug, PartialEq)]
+pub enum Error {
+ InvalidPoint,
+ InvalidScalar,
+ UnknownAlgorithm,
+ KeyGenError,
+}
+
+/// ECDH algorithm.
+#[derive(Debug, PartialEq, Clone, Copy)]
+#[cfg_attr(feature = "serialization", derive(Serialize, Deserialize))]
+pub enum Mode {
+ X25519,
+ P256,
+}
+
+/// Derive the ECDH shared secret.
+/// Returns `Ok(p * s)` on the provided curve (`mode`) or an error.
+pub fn derive(mode: Mode, p: &[u8], s: &[u8]) -> Result, Error> {
+ match mode {
+ Mode::X25519 => {
+ if p.len() != 32 {
+ return Err(Error::InvalidPoint);
+ }
+ if s.len() != 32 {
+ return Err(Error::InvalidScalar);
+ }
+ let mut point = [0u8; 32];
+ point.clone_from_slice(p);
+ let mut scalar = [0u8; 32];
+ scalar.clone_from_slice(s);
+
+ match x25519::dh(&point, &scalar) {
+ Ok(r) => Ok(r.to_vec()),
+ Err(_) => Err(Error::InvalidPoint),
+ }
+ }
+ Mode::P256 => match p256::dh(p, s) {
+ Ok(r) => Ok(r.to_vec()),
+ Err(_) => Err(Error::InvalidPoint),
+ },
+ }
+}
+
+/// Returns `Ok(base_point * s)` on the provided curve (`mode`) or an error.
+pub fn derive_base(mode: Mode, s: &[u8]) -> Result, Error> {
+ match mode {
+ Mode::X25519 => {
+ if s.len() != 32 {
+ return Err(Error::InvalidScalar);
+ }
+ let mut scalar = [0u8; 32];
+ scalar.clone_from_slice(s);
+
+ Ok(x25519::dh_base(&scalar).to_vec())
+ }
+ Mode::P256 => match p256::dh_base(s) {
+ Ok(r) => Ok(r.to_vec()),
+ Err(_) => Err(Error::InvalidPoint),
+ },
+ }
+}
+
+/// Generate a random `Scalar` on the given curve.
+///
+/// Returns the scalar key bytes as `u8` vector.
+#[cfg(feature = "random")]
+pub fn key_gen(mode: Mode) -> Result, Error> {
+ match mode {
+ Mode::X25519 => Ok(x25519::key_gen().to_vec()),
+ Mode::P256 => p256::key_gen()
+ .map_err(|_| Error::KeyGenError)
+ .map(|v| v.to_vec()),
+ }
+}
diff --git a/rust/src/ed25519.rs b/rust/src/ed25519.rs
new file mode 100644
index 00000000..2d24a3f1
--- /dev/null
+++ b/rust/src/ed25519.rs
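Review bot: The doc comment on `derive` promises `Ok(p * s)` but never states the output encoding, and the usage example compares only `result[..32]` for P256 while comparing the whole result for X25519, which suggests the P256 result is longer (presumably the full affine point rather than just the x-coordinate); a caller deriving a key has to know that. A sentence on `derive` and `derive_base` along the lines of `/// The result is 32 bytes for `Mode::X25519`; for `Mode::P256` it is whatever `p256::dh` returns (see that module for the encoding and length).` would make the contract explicit. The P256 arms of `derive` and `derive_base` also map every `p256` error to `Error::InvalidPoint`, while the X25519 arm distinguishes `InvalidScalar`; if `p256::dh` reports a bad scalar separately, mapping it to `Error::InvalidScalar` keeps the two modes consistent. `Error::UnknownAlgorithm` is never constructed in this file.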
@@ -0,0 +1,84 @@ +//! Ed25519 +//! +//! This module implements EdDSA on edwards25519. +//! +//! # Usage +//! ```rust +//! use hacl_rust::ed25519; +//! +//! let public = [0x7d, 0x4d, 0x0e, 0x7f, 0x61, 0x53, 0xa6, 0x9b, 0x62, 0x42, 0xb5, 0x22, 0xab, 0xbe, 0xe6, 0x85, 0xfd, 0xa4, 0x42, 0x0f, 0x88, 0x34, 0xb1, 0x08, 0xc3, 0xbd, 0xae, 0x36, 0x9e, 0xf5, 0x49, 0xfa]; +//! let private = [0xad, 0xd4, 0xbb, 0x81, 0x03, 0x78, 0x5b, 0xaf, 0x9a, 0xc5, 0x34, 0x25, 0x8e, 0x8a, 0xaf, 0x65, 0xf5, 0xf1, 0xad, 0xb5, 0xef, 0x5f, 0x3d, 0xf1, 0x9b, 0xb8, 0x0a, 0xb9, 0x89, 0xc4, 0xd6, 0x4b]; +//! let msg = [0x78]; +//! let expected_result = [0xd8, 0x07, 0x37, 0x35, 0x8e, 0xde, 0x54, 0x8a, 0xcb, 0x17, 0x3e, 0xf7, 0xe0, 0x39, 0x9f, 0x83, 0x39, 0x2f, 0xe8, 0x12, 0x5b, 0x2c, 0xe8, 0x77, 0xde, 0x79, 0x75, 0xd8, 0xb7, 0x26, 0xef, 0x5b, 0x1e, 0x76, 0x63, 0x22, 0x80, 0xee, 0x38, 0xaf, 0xad, 0x12, 0x12, 0x5e, 0xa4, 0x4b, 0x96, 0x1b, 0xf9, 0x2f, 0x11, 0x78, 0xc9, 0xfa, 0x81, 0x9d, 0x02, 0x08, 0x69, 0x97, 0x5b, 0xcb, 0xe1, 0x09]; +//! +//! let my_pk = ed25519::sk2pk(&private); +//! assert_eq!(&public[..], &my_pk[..]); +//! +//! let signature = ed25519::eddsa_sign(&private, &msg); +//! assert_eq!(expected_result[..], signature[..]); +//! +//! let result = ed25519::eddsa_verify(&public, &signature, &msg); +//! assert!(result); +//! +//! let sk = ed25519::key_gen(); +//! let pk = ed25519::sk2pk(&sk); +//! let signature = ed25519::eddsa_sign(&sk, &msg); +//! assert!(ed25519::eddsa_verify(&pk, &signature, &msg)); +//! ``` + +use hacl_rust_sys::*; + +#[derive(Debug, PartialEq)] +pub enum Error { + InvalidPoint, +} + +/// Points are 32 byte arrays. +pub type Point = [u8; 32]; +/// Scalars are 32 byte arrays. +pub type Scalar = [u8; 32]; +/// Signatures are 64 byte arrays. +pub type Signature = [u8; 64]; + +/// Sign message `msg` with secret key `sk`. +/// Returns a `Signature`. 
+pub fn eddsa_sign(sk: &Scalar, msg: &[u8]) -> Signature {
+ let mut out = [0u8; 64];
+ unsafe {
+ EverCrypt_Ed25519_sign(
+ out.as_mut_ptr(),
+ sk.as_ptr() as _,
+ msg.len() as u32,
+ msg.as_ptr() as _,
+ );
+ }
+ out
+}
+
+/// Verify signature `signature` on message `msg` with public key `pk`.
+/// Returns `true` if the signature is valid and `false` otherwise.
+pub fn eddsa_verify(pk: &Point, signature: &Signature, msg: &[u8]) -> bool {
+ unsafe {
+ EverCrypt_Ed25519_verify(
+ pk.as_ptr() as _,
+ msg.len() as u32,
+ msg.as_ptr() as _,
+ signature.as_ptr() as _,
+ )
+ }
+}
+
+/// Compute the public `Point` for the given secret key `sk`.
+pub fn sk2pk(sk: &Scalar) -> Point {
+ let mut out = [0u8; 32];
+ unsafe {
+ EverCrypt_Ed25519_secret_to_public(out.as_mut_ptr(), sk.as_ptr() as _);
+ }
+ out
+}
+
+/// Generate a random `Scalar`.
+#[cfg(feature = "random")]
+pub fn key_gen() -> Scalar {
+ crate::rand_util::random_array()
+}
diff --git a/rust/src/hkdf.rs b/rust/src/hkdf.rs
new file mode 100644
index 00000000..944f0dac
--- /dev/null
+++ b/rust/src/hkdf.rs
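Review bot: `eddsa_sign` and `eddsa_verify` hand `msg.len() as u32` to the C binding, so on a 64-bit target a message longer than `u32::MAX` bytes has its length silently wrapped and only a prefix of it is signed or verified. A conversion that fails loudly is the safer choice, e.g. `let msg_len = u32::try_from(msg.len()).expect("message too long for the HACL API");` before the `unsafe` block, then passing `msg_len`. The same `as u32` length cast appears in hkdf.rs (`extract`, `expand`), hmac.rs (`hmac`) and p256.rs (`ecdsa_sign`, `ecdsa_verify`) and the fix applies there as well. The module example calls `ed25519::key_gen()`, which is gated on the `random` feature, so the doctest presumably only compiles when that feature is on by default.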
@@ -0,0 +1,68 @@ +//! HKDF +//! +//! This module implements HKDF on SHA 1 and SHA 2 (except for SHA 224). +//! +//! # Usage +//! +//! ```rust +//! use hacl_rust::prelude::*; +//! +//! let key = [0x85, 0xa7, 0xcb, 0xaa, 0xe8, 0x25, 0xbb, 0x82, 0xc9, 0xb6, 0xf6, 0xc5, 0xc2, 0xaf, 0x5a, 0xc0, 0x3d, 0x1f, 0x6d, 0xaa, 0x63, 0xd2, 0xa9, 0x3c, 0x18, 0x99, 0x48, 0xec, 0x41, 0xb9, 0xde, 0xd9]; +//! let data = [0xa5, 0x9b]; +//! let expected_tag = [0x0f, 0xe2, 0xf1, 0x3b, 0xba, 0x21, 0x98, 0xf6, 0xdd, 0xa1, 0xa0, 0x84, 0xbe, 0x92, 0x8e, 0x30, 0x4e, 0x9c, 0xb1, 0x6a, 0x56, 0xbc, 0x0b, 0x7b, 0x93, 0x9a, 0x07, 0x32, 0x80, 0x24, 0x43, 0x73]; +//! let len = 32; +//! +//! let tag = hmac(HmacAlgorithm::Sha256, &key, &data, Some(len)); +//! assert_eq!(expected_tag[..], tag[..]); +//! ``` + +use hacl_rust_sys::*; + +use crate::hmac::{tag_size, Algorithm}; + +/// HKDF extract using hash function `mode`, `salt`, and the input key material `ikm`. +/// Returns the pre-key material in a vector of tag length. +pub fn extract(mode: Algorithm, salt: &[u8], ikm: &[u8]) -> Vec { + let mut prk = vec![0u8; tag_size(mode)]; + unsafe { + EverCrypt_HKDF_extract( + mode as u8, + prk.as_mut_ptr(), + salt.as_ptr() as _, + salt.len() as u32, + ikm.as_ptr() as _, + ikm.len() as u32, + ); + } + prk +} + +/// HKDF expand using hash function `mode`, pre-key material `prk`, `info`, and output length `okm_len`. +/// Returns the key material in a vector of length `okm_len`. +pub fn expand(mode: Algorithm, prk: &[u8], info: &[u8], okm_len: usize) -> Vec { + if okm_len > 255 * tag_size(mode) { + // Output size is too large. HACL doesn't catch this. + return Vec::new(); + } + let mut okm = vec![0u8; okm_len]; + unsafe { + EverCrypt_HKDF_expand( + mode as u8, + okm.as_mut_ptr(), + prk.as_ptr() as _, + prk.len() as u32, + info.as_ptr() as _, + info.len() as u32, + okm_len as u32, + ); + } + okm +} + +/// HKDF using hash function `mode`, `salt`, input key material `ikm`, `info`, and output length `okm_len`. 
+/// Calls `extract` and `expand` with the given input.
+/// Returns the key material in a vector of length `okm_len`.
+pub fn hkdf(mode: Algorithm, salt: &[u8], ikm: &[u8], info: &[u8], okm_len: usize) -> Vec {
+ let prk = extract(mode, salt, ikm);
+ expand(mode, &prk, info, okm_len)
+}
diff --git a/rust/src/hmac.rs b/rust/src/hmac.rs
new file mode 100644
index 00000000..7041a921
--- /dev/null
+++ b/rust/src/hmac.rs
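Review bot: `expand` signals an over-long `okm_len` only by returning an empty `Vec` (the early return on `okm_len > 255 * tag_size(mode)`), and `hkdf` forwards that value unchanged, so a caller that does not compare the returned length against `okm_len` ends up with an empty key. Since the signatures return `Vec<u8>` rather than `Result`, the behaviour should at least be stated on both `expand` and `hkdf`: `/// Returns an empty vector if `okm_len` exceeds `255 * tag_size(mode)`, the maximum HKDF output length.` The module-level usage example exercises `hmac`, not HKDF; an example calling `hkdf(...)` or `extract` followed by `expand` would document this module instead.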
@@ -0,0 +1,76 @@ +//! HMAC +//! +//! This module implements HMAC on SHA 1 and SHA 2 (except for SHA 224). +//! +//! # Usage +//! +//! ```rust +//! use hacl_rust::prelude::*; +//! +//! let key = [0x85, 0xa7, 0xcb, 0xaa, 0xe8, 0x25, 0xbb, 0x82, 0xc9, 0xb6, 0xf6, 0xc5, 0xc2, 0xaf, 0x5a, 0xc0, 0x3d, 0x1f, 0x6d, 0xaa, 0x63, 0xd2, 0xa9, 0x3c, 0x18, 0x99, 0x48, 0xec, 0x41, 0xb9, 0xde, 0xd9]; +//! let data = [0xa5, 0x9b]; +//! let expected_tag = [0x0f, 0xe2, 0xf1, 0x3b, 0xba, 0x21, 0x98, 0xf6, 0xdd, 0xa1, 0xa0, 0x84, 0xbe, 0x92, 0x8e, 0x30, 0x4e, 0x9c, 0xb1, 0x6a, 0x56, 0xbc, 0x0b, 0x7b, 0x93, 0x9a, 0x07, 0x32, 0x80, 0x24, 0x43, 0x73]; +//! let len = 32; +//! +//! let tag = hmac(HmacAlgorithm::Sha256, &key, &data, Some(len)); +//! assert_eq!(expected_tag[..], tag[..]); +//! ``` + +#[cfg(feature = "serialization")] +use serde::{Deserialize, Serialize}; + +use hacl_rust_sys::*; + +/// The HMAC mode defining the used hash function. +#[derive(Copy, Clone, Debug, PartialEq)] +#[cfg_attr(feature = "serialization", derive(Serialize, Deserialize))] +pub enum Algorithm { + Sha1 = Spec_Hash_Definitions_SHA1 as isize, + // Not implemented + // Sha224 = Spec_Hash_Definitions_SHA2_224 as isize, + Sha256 = Spec_Hash_Definitions_SHA2_256 as isize, + Sha384 = Spec_Hash_Definitions_SHA2_384 as isize, + Sha512 = Spec_Hash_Definitions_SHA2_512 as isize, +} + +#[deprecated( + since = "0.0.10", + note = "Please use tag_size instead. This alias will be removed with the first stable 0.1 release." +)] +pub fn get_tag_size(mode: Algorithm) -> usize { + tag_size(mode) +} + +/// Get the tag size for a given mode. +pub const fn tag_size(mode: Algorithm) -> usize { + match mode { + Algorithm::Sha1 => 20, + Algorithm::Sha256 => 32, + Algorithm::Sha384 => 48, + Algorithm::Sha512 => 64, + } +} + +/// Compute the HMAC value with the given `mode` and `key` on `data` with an +/// output tag length of `tag_length`. +/// Returns a vector of length `tag_length`. 
+pub fn hmac(mode: Algorithm, key: &[u8], data: &[u8], tag_length: Option) -> Vec {
+ let native_tag_length = tag_size(mode);
+ let tag_length = match tag_length {
+ Some(v) => v,
+ None => native_tag_length,
+ };
+ let mut dst = vec![0u8; native_tag_length];
+ unsafe {
+ EverCrypt_HMAC_compute(
+ mode as u8,
+ dst.as_mut_ptr(),
+ key.as_ptr() as _,
+ key.len() as u32,
+ data.as_ptr() as _,
+ data.len() as u32,
+ );
+ }
+ dst.truncate(tag_length);
+ dst
+}
diff --git a/rust/src/lib.rs b/rust/src/lib.rs
new file mode 100644
index 00000000..a105e8a6
--- /dev/null
+++ b/rust/src/lib.rs
@@ -0,0 +1,18 @@
+#![doc = include_str!("../README.md")]
+
+pub mod aead;
+pub mod digest;
+pub mod ecdh;
+pub mod ed25519;
+pub mod hkdf;
+pub mod hmac;
+pub mod p256;
+pub mod signature;
+pub mod x25519;
+
+mod util;
+
+#[cfg(feature = "random")]
+pub mod rand_util;
+
+pub mod prelude;
diff --git a/rust/src/p256.rs b/rust/src/p256.rs
new file mode 100644
index 00000000..80c6f1ab
--- /dev/null
+++ b/rust/src/p256.rs
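Review bot: The doc comment on `hmac` promises a vector of length `tag_length`, but `dst.truncate(tag_length)` is a no-op when `tag_length` exceeds `tag_size(mode)`, so a caller asking for more bytes than the hash produces silently gets the native-length tag back. Either document that, `/// A `tag_length` larger than `tag_size(mode)` yields the full native-length tag.`, or reject it before the `unsafe` call. Arbitrarily short values are accepted as well; a sentence noting that truncating a MAC reduces forgery resistance and that callers should keep a sensible minimum would help users of this API.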
@@ -0,0 +1,312 @@ +use hacl_rust_sys::*; + +use crate::digest::Algorithm; + +#[derive(Debug, PartialEq)] +/// P256 errors +pub enum Error { + InvalidPoint, + InvalidScalar, + CompressedPoint, + InvalidConfig, + SigningFailed, + InvalidSignature, + KeyGenError, +} + +pub fn validate_pk(pk: &[u8]) -> Result { + if pk.is_empty() { + return Err(Error::InvalidPoint); + } + + // Parse the public key. + let mut public = [0u8; 64]; + let uncompressed_point = if pk.len() < 65 { + false + } else { + unsafe { Hacl_P256_uncompressed_to_raw(pk.as_ptr() as _, public.as_mut_ptr()) } + }; + let compressed_point = if !uncompressed_point && pk.len() >= 33 { + unsafe { Hacl_P256_compressed_to_raw(pk.as_ptr() as _, public.as_mut_ptr()) } + } else { + false + }; + if !compressed_point && !uncompressed_point { + // We might simply have concatenated points (uncompressed without the marker). + if pk.len() == 64 { + public.clone_from_slice(pk); + } + } + let valid = unsafe { Hacl_P256_validate_public_key(public.as_ptr() as _) }; + if !uncompressed_point && !compressed_point && !valid { + return Err(Error::InvalidPoint); + } + + Ok(public) +} + +/// Validate a P256 secret key. 
+pub fn validate_sk(sk: &[u8]) -> Result { + if sk.is_empty() { + return Err(Error::InvalidScalar); + } + + let mut private = [0u8; 32]; + let sk_len = if sk.len() >= 32 { 32 } else { sk.len() }; + for i in 0..sk_len { + private[31 - i] = sk[sk.len() - 1 - i]; + } + + // Ensure that the key is in range [1, p-1] + let valid = unsafe { Hacl_P256_validate_private_key(private.as_ptr() as _) }; + if !valid { + return Err(Error::InvalidScalar); + } + + Ok(private) +} + +/// Return base * s +pub fn dh_base(s: &[u8]) -> Result<[u8; 64], Error> { + let private = validate_sk(s)?; + + let mut out = [0u8; 64]; + let success = unsafe { Hacl_P256_dh_initiator(out.as_mut_ptr(), private.as_ptr() as _) }; + if success { + Ok(out) + } else { + Err(Error::InvalidPoint) + } +} + +/// Return p * s +/// +/// The public key `p` can be in uncompressed or compressed form or a concatenation +/// of the two 32 byte values. +pub fn dh(p: &[u8], s: &[u8]) -> Result<[u8; 64], Error> { + let public = validate_pk(p)?; + let private = validate_sk(s)?; + + let mut out = [0u8; 64]; + let success = unsafe { + Hacl_P256_dh_responder( + out.as_mut_ptr(), + public.as_ptr() as _, + private.as_ptr() as _, + ) + }; + if success { + Ok(out) + } else { + Err(Error::InvalidPoint) + } +} + +/// P256 public keys are 64-byte arrays containing the 32-byte X and 32-byte Y +/// coordinate. +pub type PublicKey = [u8; 64]; +/// Nonces are 32 byte arrays. +pub type Nonce = [u8; 32]; +/// Scalars are 32 byte arrays. +pub type Scalar = [u8; 32]; + +/// An ECDSA signature holding `r` and `s`. +#[derive(Clone, Copy, Debug)] +pub struct Signature { + r: Scalar, + s: Scalar, +} + +/// Convert bytes to signatures and vice versa. +impl Signature { + /// Build a new signature from `r` and `s`. + pub fn new(r: &Scalar, s: &Scalar) -> Self { + Self { r: *r, s: *s } + } + + /// Generate a new signature from a byte array holding `r||s`. 
+ pub fn from_bytes(combined: &[u8; 64]) -> Self { + let mut r = [0u8; 32]; + r.clone_from_slice(&combined[..32]); + let mut s = [0u8; 32]; + s.clone_from_slice(&combined[32..]); + + Self { r, s } + } + + /// Unsafe version of `from_bytes` taking a slice. + /// This function can fail when the slice has the wrong length. + pub(crate) fn from_byte_slice(combined: &[u8]) -> Result { + if combined.len() != 64 { + return Err(Error::InvalidSignature); + } + + let mut r = [0u8; 32]; + r.clone_from_slice(&combined[..32]); + let mut s = [0u8; 32]; + s.clone_from_slice(&combined[32..]); + + Ok(Self { r, s }) + } + + /// Get the raw signature bytes. + /// Returns a 64 byte array containing `r||s`. + pub fn raw(&self) -> [u8; 64] { + let mut out = [0u8; 64]; + for (i, &b) in self.r.iter().enumerate() { + out[i] = b; + } + for (i, &b) in self.s.iter().enumerate() { + out[i + 32] = b; + } + out + } +} + +/// Sign `msg` with `sk` and `nonce` using `hash` with EcDSA on P256. +pub fn ecdsa_sign( + hash: Algorithm, + msg: &[u8], + sk: &Scalar, + nonce: &Nonce, +) -> Result { + let private = validate_sk(sk)?; + let nonce = validate_sk(nonce)?; + + let mut signature = [0u8; 64]; + let success = match hash { + Algorithm::Sha256 => unsafe { + Hacl_P256_ecdsa_sign_p256_sha2( + signature.as_mut_ptr(), + msg.len() as u32, + msg.as_ptr() as _, + private.as_ptr() as _, + nonce.as_ptr() as _, + ) + }, + Algorithm::Sha384 => unsafe { + Hacl_P256_ecdsa_sign_p256_sha384( + signature.as_mut_ptr(), + msg.len() as u32, + msg.as_ptr() as _, + private.as_ptr() as _, + nonce.as_ptr() as _, + ) + }, + Algorithm::Sha512 => unsafe { + Hacl_P256_ecdsa_sign_p256_sha512( + signature.as_mut_ptr(), + msg.len() as u32, + msg.as_ptr() as _, + private.as_ptr() as _, + nonce.as_ptr() as _, + ) + }, + _ => return Err(Error::InvalidConfig), + }; + + if !success { + return Err(Error::SigningFailed); + } + + let mut r = [0u8; 32]; + r.clone_from_slice(&signature[..32]); + let mut s = [0u8; 32]; + 
s.clone_from_slice(&signature[32..]); + Ok(Signature { r, s }) +} + +/// Verify EcDSA `signature` over P256 on `msg` with `pk` using `hash`. +/// Note that the public key `pk` must be a compressed or uncompressed point. +pub fn ecdsa_verify( + hash: Algorithm, + msg: &[u8], + pk: &[u8], + signature: &Signature, +) -> Result { + let public = validate_pk(pk)?; + match hash { + Algorithm::Sha256 => unsafe { + Ok(Hacl_P256_ecdsa_verif_p256_sha2( + msg.len() as u32, + msg.as_ptr() as _, + public.as_ptr() as _, + signature.r.as_ptr() as _, + signature.s.as_ptr() as _, + )) + }, + Algorithm::Sha384 => unsafe { + Ok(Hacl_P256_ecdsa_verif_p256_sha384( + msg.len() as u32, + msg.as_ptr() as _, + public.as_ptr() as _, + signature.r.as_ptr() as _, + signature.s.as_ptr() as _, + )) + }, + Algorithm::Sha512 => unsafe { + Ok(Hacl_P256_ecdsa_verif_p256_sha512( + msg.len() as u32, + msg.as_ptr() as _, + public.as_ptr() as _, + signature.r.as_ptr() as _, + signature.s.as_ptr() as _, + )) + }, + _ => Err(Error::InvalidConfig), + } +} + +#[cfg(feature = "random")] +/// Generate a random nonce for ECDSA. +pub fn random_nonce() -> Result { + const LIMIT: usize = 100; + for _ in 0..LIMIT { + let out: Scalar = crate::rand_util::random_array(); + match validate_sk(&out) { + Ok(v) => return Ok(v), + Err(_) => continue, + } + } + Err(Error::KeyGenError) +} + +#[cfg(feature = "random")] +/// Generate a new P256 scalar (private key). 
+pub fn key_gen() -> Result { + const LIMIT: usize = 100; + for _ in 0..LIMIT { + let out: Scalar = crate::rand_util::random_array(); + match validate_sk(&out) { + Ok(v) => return Ok(v), + Err(_) => continue, + } + } + Err(Error::KeyGenError) +} + +// === Unit tests === // + +#[test] +fn scalar_checks() { + let s: Scalar = [ + 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84, 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, + 0x25, 0x50, + ]; // order - 1 + assert!(validate_sk(&s).is_ok()); + + let s: Scalar = [ + 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84, 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, + 0x25, 0x51, + ]; // order + assert!(validate_sk(&s).is_err()); + + let s: Scalar = [ + 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84, 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, + 0x25, 0x52, + ]; // order + 1 + assert!(validate_sk(&s).is_err()); +} diff --git a/rust/src/prelude.rs b/rust/src/prelude.rs new file mode 100644 index 00000000..6ffb5b53 --- /dev/null +++ b/rust/src/prelude.rs 
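Review bot: In `validate_pk` the result of `Hacl_P256_validate_public_key` is enforced only for the raw 64-byte form: the condition `if !uncompressed_point && !compressed_point && !valid` skips the check whenever the uncompressed or compressed parser accepted the encoding, so unless those parsers or the later `dh_responder`/`ecdsa_verif` calls validate curve membership themselves (not visible here) an off-curve point can reach `dh` and `ecdsa_verify`; the check should be unconditional, `if !valid { return Err(Error::InvalidPoint); }`. `validate_sk` silently keeps only the trailing 32 bytes of a longer `sk` and zero-extends a shorter one, which its doc comment should spell out. The doc comment on `ecdsa_sign` should state that `nonce` must be fresh and uniformly random for every signature (e.g. from `random_nonce`), because ECDSA nonce reuse exposes the private key. `random_nonce` and `key_gen` have identical bodies; one could simply call the other, and `Signature::raw` can use `out[..32].copy_from_slice(&self.r); out[32..].copy_from_slice(&self.s);` instead of the two index loops.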
@@ -0,0 +1,44 @@ +//! Prelude for hacl-rust. +//! +//! Include this to get access to all the commonly used public functions of +//! hacl-rust. + +pub use crate::aead::{ + self, decrypt as aead_decrypt, decrypt_combined as aead_decrypt_combined, + encrypt as aead_encrypt, encrypt_combined as aead_encrypt_combined, Aead, + Algorithm as AeadMode, Error as AeadError, +}; +pub use crate::digest::{ + self, digest_size, hash, Algorithm as DigestAlgorithm, Digest, Error as DigestError, +}; +pub use crate::ecdh::{ + self, derive as ecdh_derive, derive_base as ecdh_derive_base, Error as EcdhError, + Mode as EcdhMode, +}; +pub use crate::ed25519::{ + self, eddsa_sign as ed25519_sign, eddsa_verify as ed25519_verify, sk2pk as ed25519_sk2pk, + Error as Ed25519Error, Point as Ed25519Point, Scalar as Ed25519Scalar, + Signature as Ed25519Signature, +}; +pub use crate::hkdf::{self, expand as hkdf_expand, extract as hkdf_extract, hkdf}; +pub use crate::hmac::{self, hmac, tag_size, Algorithm as HmacAlgorithm}; +pub use crate::p256::{ + self, dh as p256, dh_base as p256_base, ecdsa_sign as p256_sign, ecdsa_verify as p256_verify, + validate_pk as p256_validate_pk, validate_sk as p256_validate_sk, Error as P256Error, + Nonce as P256Nonce, Scalar as P256Scalar, Signature as EcdsaSignature, +}; +pub use crate::signature::{self, sign, verify, Error as SignatureError, Mode as SignatureMode}; +pub use crate::x25519::{ + self, dh as x25519, dh_base as x25519_base, Error as X25519Error, Point as X25519Point, + Scalar as X25519Scalar, +}; +#[cfg(feature = "random")] +pub use crate::{ + aead::{key_gen as aead_key_gen, nonce_gen as aead_nonce_gen}, + ecdh::key_gen as ecdh_key_gen, + ed25519::key_gen as ed25519_key_gen, + p256::random_nonce as p256_ecdsa_random_nonce, + rand_util::{random_array, random_vec}, + signature::key_gen as signature_key_gen, + x25519::key_gen as x25519_key_gen, +}; diff --git a/rust/src/rand_util.rs b/rust/src/rand_util.rs new file mode 100644 index 00000000..5bfd4a88 
--- /dev/null
+++ b/rust/src/rand_util.rs
@@ -0,0 +1,23 @@
+//! Utilities that provide randomness.
+//! Note that this currently uses the rand crate and should be moved to a more
+//! secure alternative.
+//!
+
+use rand::{self, thread_rng, Fill, RngCore};
+use rand_core::OsRng;
+
+/// Generate a random byte vector of length `len`.
+/// *PANICS* if randomness generation fails.
+pub fn random_vec(len: usize) -> Vec {
+ let mut out = vec![0u8; len];
+ out.try_fill(&mut thread_rng()).unwrap();
+ out
+}
+
+/// Generate a random array.
+/// *PANICS* if randomness generation fails.
+pub fn random_array() -> [u8; N] {
+ let mut out = [0u8; N];
+ OsRng.fill_bytes(&mut out);
+ out
+}
diff --git a/rust/src/signature.rs b/rust/src/signature.rs
new file mode 100644
index 00000000..06d1b7a7
--- /dev/null
+++ b/rust/src/signature.rs
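Review bot: `random_vec` draws from `thread_rng()` while `random_array` draws from `OsRng`, so key material produced through the two helpers comes from different generators with different failure modes, and only the second reads the OS source directly. Using one source for both, `OsRng.fill_bytes(&mut out);` in `random_vec`, also drops the `Fill`/`try_fill` path and its `unwrap()`. The module comment's "should be moved to a more secure alternative" should name what is considered insufficient, since as written it casts doubt on key generation in every module that calls these helpers without saying why.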
@@ -0,0 +1,132 @@ +#[cfg(feature = "serialization")] +use serde::{Deserialize, Serialize}; + +use crate::digest; +use crate::ed25519; +use crate::p256; + +#[derive(Debug, PartialEq)] +/// Signature errors. +pub enum Error { + InvalidPoint, + UnknownAlgorithm, + NonceMissing, + HashAlgorithmMissing, + InvalidSignature, + KeyGenError, +} + +#[derive(Debug, PartialEq, Clone, Copy)] +#[cfg_attr(feature = "serialization", derive(Serialize, Deserialize))] +/// Supported signature schemes. +pub enum Mode { + /// EdDSA on curve 25519 + Ed25519, + + /// EcDSA on P256 + P256, +} + +#[cfg(feature = "random")] +/// Generate a new key pair for the given `mode`. +/// The function throws an error for P256 keys if no valid key can be generated +/// in a reasonable time. +pub fn key_gen(mode: Mode) -> Result<(Vec, Vec), Error> { + match mode { + Mode::Ed25519 => { + let sk = ed25519::key_gen(); + let pk = ed25519::sk2pk(&sk); + Ok((sk.to_vec(), pk.to_vec())) + } + Mode::P256 => { + let sk = p256::key_gen().map_err(|_| Error::KeyGenError)?; + let pk = match p256::dh_base(&sk) { + Ok(k) => { + let mut pk = vec![0x04]; + pk.extend_from_slice(&k); + pk + } + Err(_) => return Err(Error::InvalidPoint), + }; + Ok((sk.to_vec(), pk)) + } + } +} + +/// Sign a message `msg` with the secret key `sk` and the given signature scheme (`mode`). +/// For ECDSA the `hash` algorithm and a `nonce` have to be passed in as well. 
+pub fn sign<'a>( + mode: Mode, + hash: impl Into>, + sk: &[u8], + msg: &[u8], + nonce: impl Into>, +) -> Result, Error> { + match mode { + Mode::Ed25519 => { + let mut key = [0u8; 32]; + key.clone_from_slice(sk); + + Ok(ed25519::eddsa_sign(&key, msg).to_vec()) + } + Mode::P256 => { + let nonce = match nonce.into() { + Some(n) => n, + None => return Err(Error::NonceMissing), + }; + let hash = match hash.into() { + Some(h) => h, + None => return Err(Error::HashAlgorithmMissing), + }; + let mut key = [0u8; 32]; + key.clone_from_slice(sk); + match p256::ecdsa_sign(hash, msg, &key, nonce) { + Ok(r) => Ok(r.raw().to_vec()), + Err(_) => Err(Error::InvalidPoint), + } + } + } +} + +/// Verify a signature. +/// Depending on the `Mode`, a `hash` mode has to be passed in. +/// The public key `pk`, `signature`, and message `msg` are passed in as byte +/// slices. +pub fn verify( + mode: Mode, + hash: impl Into>, + pk: &[u8], + signature: &[u8], + msg: &[u8], +) -> Result { + match mode { + Mode::Ed25519 => { + if signature.len() != 64 { + return Err(Error::InvalidSignature); + } + if pk.len() != 32 { + return Err(Error::InvalidPoint); + } + let mut key = [0u8; 32]; + key.clone_from_slice(pk); + let mut sig = [0u8; 64]; + sig.clone_from_slice(signature); + + Ok(ed25519::eddsa_verify(&key, &sig, msg)) + } + Mode::P256 => { + let hash = match hash.into() { + Some(h) => h, + None => return Err(Error::HashAlgorithmMissing), + }; + let sig = match p256::Signature::from_byte_slice(signature) { + Ok(s) => s, + Err(_) => return Err(Error::InvalidSignature), + }; + match p256::ecdsa_verify(hash, msg, pk, &sig) { + Ok(r) => Ok(r), + Err(_) => Err(Error::InvalidPoint), + } + } + } +} diff --git a/rust/src/util.rs b/rust/src/util.rs new file mode 100644 index 00000000..dbf211ed --- /dev/null +++ b/rust/src/util.rs 
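Review bot: `sign` copies `sk` with `key.clone_from_slice(sk)` in both arms without checking its length, so a secret key that is not exactly 32 bytes causes a panic rather than an `Err`, whereas `verify` guards `pk.len() != 32` and `signature.len() != 64` before its copies. A check before each copy, `if sk.len() != 32 { return Err(Error::InvalidScalar); }`, needs a new `InvalidScalar` variant since `Error` has no scalar/key case today. In the P256 arm every `ecdsa_sign` failure is collapsed into `Error::InvalidPoint`, which hides `SigningFailed` and `InvalidConfig` from the caller.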
@@ -0,0 +1,10 @@
+#[allow(dead_code)]
+pub(crate) fn clone_into_array(slice: &[T]) -> A
+where
+ A: Default + AsMut<[T]>,
+ T: Clone,
+{
+ let mut a = Default::default();
+ A::as_mut(&mut a).clone_from_slice(slice);
+ a
+}
diff --git a/rust/src/x25519.rs b/rust/src/x25519.rs
new file mode 100644
index 00000000..9c539e90
--- /dev/null
+++ b/rust/src/x25519.rs
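Review bot: `clone_into_array` has no doc comment and relies on `clone_from_slice`, which panics when `slice.len()` differs from the length of `A::default().as_mut()`; that precondition is the main thing a caller needs to know. Suggested header: `/// Clone `slice` into a fresh array `A`. Panics if `slice.len()` does not match the array length.` The `#[allow(dead_code)]` suggests the helper is currently unused, in which case dropping it is the simpler option.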
@@ -0,0 +1,69 @@ +//! x25519 +//! +//! This module implements ECDH on curve25519. +//! +//! # Usage +//! ```rust +//! use hacl_rust::prelude::*; +//! +//! let public = [0x50, 0x4a, 0x36, 0x99, 0x9f, 0x48, 0x9c, 0xd2, 0xfd, 0xbc, 0x08, 0xba, 0xff, 0x3d, 0x88, 0xfa, 0x00, 0x56, 0x9b, 0xa9, 0x86, 0xcb, 0xa2, 0x25, 0x48, 0xff, 0xde, 0x80, 0xf9, 0x80, 0x68, 0x29]; +//! let private = [0xc8, 0xa9, 0xd5, 0xa9, 0x10, 0x91, 0xad, 0x85, 0x1c, 0x66, 0x8b, 0x07, 0x36, 0xc1, 0xc9, 0xa0, 0x29, 0x36, 0xc0, 0xd3, 0xad, 0x62, 0x67, 0x08, 0x58, 0x08, 0x80, 0x47, 0xba, 0x05, 0x74, 0x75]; +//! let expected_result = [0x43, 0x6a, 0x2c, 0x04, 0x0c, 0xf4, 0x5f, 0xea, 0x9b, 0x29, 0xa0, 0xcb, 0x81, 0xb1, 0xf4, 0x14, 0x58, 0xf8, 0x63, 0xd0, 0xd6, 0x1b, 0x45, 0x3d, 0x0a, 0x98, 0x27, 0x20, 0xd6, 0xd6, 0x13, 0x20]; +//! +//! let my_pk = match x25519(&public, &private) { +//! Ok(k) => k, +//! Err(e) => panic!("Error x25519 {:?}", e), +//! }; +//! assert_eq!(&expected_result[..], &my_pk[..]); +//! +//! let sk_a = x25519::key_gen(); +//! let pk_a = x25519::dh_base(&sk_a); +//! +//! let sk_b = x25519::key_gen(); +//! let pk_b = x25519::dh_base(&sk_b); +//! +//! let shared_a = x25519::dh(&pk_b, &sk_a); +//! let shared_b = x25519::dh(&pk_a, &sk_b); +//! assert_eq!(shared_a, shared_b); +//! ``` + +use hacl_rust_sys::*; + +#[derive(Debug, PartialEq)] +/// Curve 25519 errors +pub enum Error { + /// The computed or provided point is not on the curve. + InvalidPoint, +} + +/// Points are 32 byte arrays. +pub type Point = [u8; 32]; +/// Scalars are 32 byte arrays. 
+pub type Scalar = [u8; 32];
+
+/// Return base * s
+pub fn dh_base(s: &Scalar) -> Point {
+ let mut out = [0u8; 32];
+ unsafe {
+ EverCrypt_Curve25519_secret_to_public(out.as_mut_ptr(), s.as_ptr() as _);
+ }
+ out
+}
+
+/// Return p * s
+pub fn dh(p: &Point, s: &Scalar) -> Result {
+ let mut out = [0u8; 32];
+ let r =
+ unsafe { EverCrypt_Curve25519_ecdh(out.as_mut_ptr(), s.as_ptr() as _, p.as_ptr() as _) };
+ if !r {
+ Err(Error::InvalidPoint)
+ } else {
+ Ok(out)
+ }
+}
+
+/// Generate a random `Scalar`.
+#[cfg(feature = "random")]
+pub fn key_gen() -> Scalar {
+ crate::rand_util::random_array()
+}
diff --git a/rust/tests/aead-book.rs b/rust/tests/aead-book.rs
new file mode 100644
index 00000000..1719a233
--- /dev/null
+++ b/rust/tests/aead-book.rs
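Review bot: `dh` maps a `false` return from `EverCrypt_Curve25519_ecdh` to `Error::InvalidPoint`, but its doc comment `/// Return p * s` does not say when that happens; if, as in HACL's X25519, the call reports failure when the shared secret is all-zero (a low-order or otherwise invalid peer point), that is precisely the case callers must not ignore, and the contract should say so, e.g. `/// Returns `Err(Error::InvalidPoint)` when the underlying ECDH call fails, which includes an all-zero shared secret.` The module example calls `x25519::key_gen()`, which is gated on the `random` feature, so the doctest presumably only compiles when that feature is enabled by default.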
@@ -0,0 +1,68 @@ +use hacl_rust::aead::{self, Aead, Algorithm}; +#[test] +fn stateful() { + // ANCHOR: stateful + let key = [ + 0x5b, 0x96, 0x04, 0xfe, 0x14, 0xea, 0xdb, 0xa9, 0x31, 0xb0, 0xcc, 0xf3, 0x48, 0x43, 0xda, + 0xb9, 0x5b, 0x96, 0x04, 0xfe, 0x14, 0xea, 0xdb, 0xa9, 0x31, 0xb0, 0xcc, 0xf3, 0x48, 0x43, + 0xda, 0xb9, + ]; + // ANCHOR: stateful_cipher + let cipher = Aead::new(Algorithm::Chacha20Poly1305, &key).unwrap(); + // ANCHOR_END: stateful_cipher + + let iv = [ + 0x02, 0x83, 0x18, 0xab, 0xc1, 0x82, 0x40, 0x29, 0x13, 0x81, 0x41, 0xa2, + ]; + let msg = [ + 0x00, 0x1d, 0x0c, 0x23, 0x12, 0x87, 0xc1, 0x18, 0x27, 0x84, 0x55, 0x4c, 0xa3, 0xa2, 0x19, + 0x08, + ]; + let aad = []; + + // ANCHOR: stateful_encrypt + let (ciphertext, tag) = cipher.encrypt(&msg, &iv, &aad).unwrap(); + let msg_ = cipher.decrypt(&ciphertext, &tag, &iv, &aad).unwrap(); + // ANCHOR_END: stateful_encrypt + + assert_eq!(&msg[..], &msg_[..]); + // ANCHOR_END: stateful +} + +#[test] +fn single_shot() { + // ANCHOR: single_shot + let key = [ + 0x5b, 0x96, 0x04, 0xfe, 0x14, 0xea, 0xdb, 0xa9, 0x31, 0xb0, 0xcc, 0xf3, 0x48, 0x43, 0xda, + 0xb9, 0x5b, 0x96, 0x04, 0xfe, 0x14, 0xea, 0xdb, 0xa9, 0x31, 0xb0, 0xcc, 0xf3, 0x48, 0x43, + 0xda, 0xb9, + ]; + let iv = [ + 0x02, 0x83, 0x18, 0xab, 0xc1, 0x82, 0x40, 0x29, 0x13, 0x81, 0x41, 0xa2, + ]; + let msg = [ + 0x00, 0x1d, 0x0c, 0x23, 0x12, 0x87, 0xc1, 0x18, 0x27, 0x84, 0x55, 0x4c, 0xa3, 0xa2, 0x19, + 0x08, + ]; + let aad = []; + + // ANCHOR: single_shot_encrypt + let (ciphertext, tag) = + aead::encrypt(Algorithm::Chacha20Poly1305, &key, &msg, &iv, &aad).unwrap(); + // ANCHOR_END: single_shot_encrypt + + // ANCHOR: single_shot_decrypt + let msg_ = aead::decrypt( + Algorithm::Chacha20Poly1305, + &key, + &ciphertext, + &tag, + &iv, + &aad, + ) + .unwrap(); + // ANCHOR_END: single_shot_decrypt + + assert_eq!(&msg[..], &msg_[..]); + // ANCHOR_END: single_shot +} 
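Review bot: Both tests only round-trip `msg` through encrypt and decrypt and never compare `ciphertext` or `tag` against a known value, so an implementation that is internally consistent but wrong would still pass. Since the key, nonce and message are fixed constants, adding an `assert_eq!` on the expected ciphertext and tag, or at minimum `assert_ne!(&ciphertext[..], &msg[..]);`, would turn these into known-answer tests. The `// ANCHOR` markers suggest these snippets are rendered into the book, which makes the absence of a known-answer check more visible to readers copying the pattern.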
diff --git a/rust/tests/test_aead.rs b/rust/tests/test_aead.rs
new file mode 100644
index 00000000..ba850005
--- /dev/null
+++ b/rust/tests/test_aead.rs
@@ -0,0 +1,213 @@ +mod test_util; +use test_util::*; + +use hacl_rust::aead::{hacl_aes_available, Aead, Algorithm, Error}; + +#[derive(Serialize, Deserialize, Debug, Clone)] +#[allow(non_snake_case)] +struct AeadTestVector { + algorithm: String, + generatorVersion: String, + numberOfTests: usize, + notes: Option, // text notes (might not be present), keys correspond to flags + header: Vec, // not used + testGroups: Vec, +} + +#[derive(Serialize, Deserialize, Debug, Clone)] +#[allow(non_snake_case)] +struct TestGroup { + ivSize: usize, + keySize: usize, + tagSize: usize, + r#type: String, + tests: Vec, +} + +#[derive(Serialize, Deserialize, Debug, Clone)] +#[allow(non_snake_case)] +struct Test { + tcId: usize, + comment: String, + key: String, + iv: String, + aad: String, + msg: String, + ct: String, + tag: String, + result: String, + flags: Vec, +} + +impl ReadFromFile for AeadTestVector {} + +#[allow(non_snake_case)] +#[test] +fn test_wycheproof() { + let aes_gcm_tests: AeadTestVector = + AeadTestVector::from_file("tests/wycheproof/aes_gcm_test.json"); + let chacha_poly_tests: AeadTestVector = + AeadTestVector::from_file("tests/wycheproof/chacha20_poly1305_test.json"); + + let num_tests = aes_gcm_tests.numberOfTests + chacha_poly_tests.numberOfTests; + let mut skipped_tests = 0; + let mut tests_run = 0; + assert_eq!(aes_gcm_tests.algorithm, "AES-GCM"); + assert_eq!(chacha_poly_tests.algorithm, "CHACHA20-POLY1305"); + + test_group(aes_gcm_tests, &mut skipped_tests, &mut tests_run); + test_group(chacha_poly_tests, &mut skipped_tests, &mut tests_run); + + fn test_group(test_vec: AeadTestVector, skipped_tests: &mut usize, tests_run: &mut usize) { + for testGroup in test_vec.testGroups.iter() { + assert_eq!(testGroup.r#type, "AeadTest"); + let algorithm = match test_vec.algorithm.as_str() { + "AES-GCM" => match testGroup.keySize { + 128 => Algorithm::Aes128Gcm, + 256 => Algorithm::Aes256Gcm, + _ => { + // not implemented + println!("Only AES 128 and 256 are 
implemented."); + *skipped_tests += testGroup.tests.len(); + continue; + } + }, + "CHACHA20-POLY1305" => { + assert_eq!(testGroup.keySize, 256); + Algorithm::Chacha20Poly1305 + } + _ => panic!("Unknown algorithm {:?}", test_vec.algorithm), + }; + if !unsafe { hacl_aes_available() } + && (algorithm == Algorithm::Aes128Gcm || algorithm == Algorithm::Aes256Gcm) + { + println!("⚠️ AES NOT AVAILABLE ON THIS PLATFORM!"); + *skipped_tests += testGroup.tests.len(); + continue; + } + let invalid_iv = if testGroup.ivSize != 96 { true } else { false }; + + for test in testGroup.tests.iter() { + let valid = test.result.eq("valid"); + if invalid_iv { + // AEAD requires input of a 12-byte nonce. + let nonce = hex_str_to_bytes(&test.iv); + assert!(nonce.len() != 12); + *skipped_tests += 1; + continue; + } + let invalid_iv = if test.comment == "invalid nonce size" || invalid_iv { + true + } else { + false + }; + println!("Test {:?}: {:?}", test.tcId, test.comment); + let nonce = hex_str_to_bytes(&test.iv); + let msg = hex_str_to_bytes(&test.msg); + let aad = hex_str_to_bytes(&test.aad); + let exp_cipher = hex_str_to_bytes(&test.ct); + let exp_tag = hex_str_to_bytes(&test.tag); + let key = hex_str_to_bytes(&test.key); + + let cipher = match Aead::new(algorithm, &key) { + Ok(c) => c, + Err(_) => { + println!("⚠️ Skipping {:?} because it's not available.", algorithm); + *skipped_tests += 1; + continue; + } + }; + let (ctxt, tag) = match cipher.encrypt(&msg, &nonce, &aad) { + Ok(v) => v, + Err(e) => { + if invalid_iv { + assert_eq!(e, Error::InvalidNonce); + } else { + println!("Encrypt failed unexpectedly {:?}", e); + assert!(false); + } + *tests_run += 1; + continue; + } + }; + if valid { + assert_eq!(tag, exp_tag); + } else { + assert_ne!(tag, exp_tag); + } + assert_eq!(ctxt, exp_cipher); + let ctxt_comb = cipher.encrypt_combined(&msg, &nonce, &aad).unwrap(); + assert_eq!( + ctxt_comb.split_at(ctxt_comb.len() - cipher.tag_size()), + (&ctxt[..], &tag[..]) + ); + let mut 
in_place_payload = msg.clone(); + let tag_in_place = cipher + .encrypt_in_place(&mut in_place_payload, &nonce, &aad) + .unwrap(); + assert_eq!( + (&in_place_payload[..], &tag_in_place[..]), + (&ctxt[..], &tag[..]) + ); + let msg_decrypted = match cipher.decrypt(&ctxt, &tag, &nonce, &aad) { + Ok(m) => m, + Err(_) => { + assert!(!valid); + msg.clone() + } + }; + assert_eq!(msg, msg_decrypted); + let msg_decrypted_comb = cipher.decrypt_combined(&ctxt_comb, &nonce, &aad).unwrap(); + assert_eq!(msg, msg_decrypted_comb); + cipher + .decrypt_in_place(in_place_payload.as_mut_slice(), &tag_in_place, &nonce, &aad) + .unwrap(); + assert_eq!(msg, in_place_payload); + *tests_run += 1; + } + } + } + // Check that we ran all tests. + println!( + "Ran {} out of {} tests and skipped {}.", + tests_run, num_tests, skipped_tests + ); + assert_eq!(num_tests - skipped_tests, tests_run); +} + +#[cfg(feature = "random")] +#[test] +fn key_gen_self_test() { + fn run(algorithm: Algorithm) { + let msg = b"Evercrypt rulez"; + let aad = b"associated data"; + let cipher = match Aead::init(algorithm) { + Ok(c) => c, + Err(_) => { + println!("⚠️ Skipping {:?} because it's not available.", algorithm); + return; + } + }; + let key = cipher.key_gen(); + let nonce = cipher.nonce_gen(); + let cipher = cipher.set_key(&key).unwrap(); + let (ctxt, tag) = match cipher.encrypt(msg, &nonce, aad) { + Ok(v) => v, + Err(e) => { + panic!("Encrypt failed unexpectedly {:?}", e); + } + }; + let msg_decrypted = match cipher.decrypt(&ctxt, &tag, &nonce, aad) { + Ok(m) => m, + Err(_) => msg.to_vec(), + }; + assert_eq!(msg[..], msg_decrypted[..]); + } + if unsafe { hacl_aes_available() } { + run(Algorithm::Aes128Gcm); + run(Algorithm::Aes256Gcm); + } else { + println!("⚠️ AES NOT AVAILABLE ON THIS PLATFORM!") + } + run(Algorithm::Chacha20Poly1305); +} diff --git a/rust/tests/test_blake2.rs b/rust/tests/test_blake2.rs new file mode 100644 index 00000000..e9b66c2f --- /dev/null +++ b/rust/tests/test_blake2.rs 
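Review bot: For vectors with `result != "valid"` the test never exercises rejection: decryption is run with the freshly computed `tag` rather than the vector's `exp_tag`, so it always succeeds, and the only check on the invalid case is `assert_ne!(tag, exp_tag)`. A `decrypt` that accepts a wrong or truncated tag would therefore go unnoticed; add `if !valid { assert!(cipher.decrypt(&exp_cipher, &exp_tag, &nonce, &aad).is_err()); }` after the encrypt assertions, after which the `Err(_) => { assert!(!valid); msg.clone() }` arm can become a plain failure. The two `if … { true } else { false }` bindings of `invalid_iv` reduce to `let invalid_iv = testGroup.ivSize != 96;` and `let invalid_iv = test.comment == "invalid nonce size";`, since the group-level value is always `false` after the preceding `continue`.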
@@ -0,0 +1,46 @@ +use hacl_rust::digest::{self, Algorithm}; + +// Tests from https://raw.githubusercontent.com/BLAKE2/BLAKE2/master/testvectors/blake2-kat.json + +#[test] +fn test_blake2s() { + let data = [ + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, + 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, + 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, + 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, + ]; + let expected_digest = [ + 0xe2, 0x90, 0xdd, 0x27, 0x0b, 0x46, 0x7f, 0x34, 0xab, 0x1c, 0x00, 0x2d, 0x34, 0x0f, 0xa0, + 0x16, 0x25, 0x7f, 0xf1, 0x9e, 0x58, 0x33, 0xfd, 0xbb, 0xf2, 0xcb, 0x40, 0x1c, 0x3b, 0x28, + 0x17, 0xde, + ]; + + assert_eq!(digest::hash(Algorithm::Blake2s, &data), expected_digest); +} + +#[test] +fn test_blake2b() { + let data = [ + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, + 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, + 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, + 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, + 0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, + 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, + 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, + 0x69, 0x6a, + ]; + let expected_digest = [ + 0x22, 0xef, 0xf8, 0xe6, 0xdd, 0x52, 0x36, 0xf5, 0xf5, 0x7d, 0x94, 0xed, 0xe8, 0x74, 0xd6, + 0xc9, 0x42, 0x8e, 0x8f, 0x5d, 0x56, 0x6f, 0x17, 0xcd, 0x6d, 0x18, 0x48, 0xcd, 0x75, 0x2f, + 0xe1, 0x3c, 0x65, 0x5c, 0xb1, 0x0f, 0xba, 0xaf, 0xf7, 0x68, 0x72, 0xf2, 0xbf, 0x2d, 0xa9, + 0x9e, 0x15, 0xdc, 0x62, 0x40, 0x75, 0xe1, 0xec, 0x2f, 0x58, 0xa3, 0xf6, 0x40, 0x72, 0x12, + 0x18, 0x38, 0x56, 0x9e, + ]; + 
+ assert_eq!(
+ digest::hash(Algorithm::Blake2b, &data)[..],
+ expected_digest[..]
+ );
+}
diff --git a/rust/tests/test_ed25519.rs b/rust/tests/test_ed25519.rs
new file mode 100644
index 00000000..a5ee95d4
--- /dev/null
+++ b/rust/tests/test_ed25519.rs
@@ -0,0 +1,103 @@ +mod test_util; +use test_util::*; + +use hacl_rust::ed25519::{self, Point, Scalar}; +use hacl_rust::signature::{self, Mode}; + +#[derive(Serialize, Deserialize, Debug, Clone)] +#[allow(non_snake_case)] +struct Ed25519TestVector { + algorithm: String, + generatorVersion: String, + numberOfTests: usize, + notes: Option, // text notes (might not be present), keys correspond to flags + header: Vec, // not used + testGroups: Vec, +} + +#[derive(Serialize, Deserialize, Debug, Clone)] +#[allow(non_snake_case)] +struct TestGroup { + jwk: Value, // not used here + key: EdDsaKey, + keyDer: String, + keyPem: String, + r#type: String, + tests: Vec, +} + +#[derive(Serialize, Deserialize, Debug, Clone)] +#[allow(non_snake_case)] +struct EdDsaKey { + curve: String, + keySize: usize, + pk: String, + sk: String, + r#type: String, +} + +#[derive(Serialize, Deserialize, Debug, Clone)] +#[allow(non_snake_case)] +struct Test { + tcId: usize, + comment: String, + msg: String, + sig: String, + result: String, + flags: Vec, +} + +impl ReadFromFile for Ed25519TestVector {} + +#[allow(non_snake_case)] +#[test] +fn test_wycheproof() { + let tests: Ed25519TestVector = Ed25519TestVector::from_file("tests/wycheproof/eddsa_test.json"); + + assert_eq!(tests.algorithm, "EDDSA"); + + let num_tests = tests.numberOfTests; + let mut tests_run = 0; + + for testGroup in tests.testGroups.iter() { + assert_eq!(testGroup.key.curve, "edwards25519"); + assert_eq!(testGroup.r#type, "EddsaVerify"); + assert_eq!(testGroup.key.keySize, 255); + + let pk: Point = hex_str_to_array(&testGroup.key.pk); + let sk: Scalar = hex_str_to_array(&testGroup.key.sk); + + let my_pk = ed25519::sk2pk(&sk); + assert_eq!(&pk[..], &my_pk[..]); + for test in testGroup.tests.iter() { + let valid = test.result.eq("valid"); + println!("Test {:?}: {:?}", test.tcId, test.comment); + let msg = hex_str_to_bytes(&test.msg); + let sig = hex_str_to_bytes(&test.sig); // Can't use to_array because it's too large + if sig.len() 
!= 64 { + assert!(!valid); + tests_run += 1; + continue; + } + let mut signature = [0u8; 64]; + signature.clone_from_slice(&sig); + + let my_sig = ed25519::eddsa_sign(&sk, &msg); + let my_sig_ = signature::sign(Mode::Ed25519, None, &sk, &msg, None); + assert_eq!(&my_sig[..], &my_sig_.unwrap()[..]); + if valid { + assert_eq!(&my_sig[..], &signature[..]); + } + let sig_verified = ed25519::eddsa_verify(&pk, &signature, &msg); + let sig_verified_ = signature::verify(Mode::Ed25519, None, &pk, &sig, &msg); + assert_eq!(sig_verified, sig_verified_.unwrap()); + if valid { + assert!(sig_verified); + } + tests_run += 1; + } + } + // Check that we ran all tests. + println!("Ran {} out of {} tests.", tests_run, num_tests); + assert_eq!(num_tests, tests_run); +} diff --git a/rust/tests/test_hkdf.rs b/rust/tests/test_hkdf.rs new file mode 100644 index 00000000..2b8533ee --- /dev/null +++ b/rust/tests/test_hkdf.rs 
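Review bot: In the Wycheproof loop only the `sig.len() != 64` early exit asserts anything about a non-valid vector; for every other case with `result != "valid"` the hunk computes `sig_verified` and never checks it, so a verifier that accepted malleated or otherwise bad 64-byte signatures would still pass. Make the expectation two-sided: `if valid { assert!(sig_verified); } else { assert!(!sig_verified); }` (if the file also carries `acceptable` results, decide their expectation explicitly instead of folding them into the negative branch). test_hmac.rs further down has the same gap: `if valid { assert_eq!(r[..], tag[..]); }` needs an `else { assert_ne!(r[..], tag[..]); }` so that wrong or truncated tags are shown to mismatch.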
@@ -0,0 +1,112 @@ +mod test_util; +use test_util::*; + +use hacl_rust::prelude::*; + +#[derive(Serialize, Deserialize, Debug, Clone)] +#[allow(non_snake_case)] +struct HkdfTestVector { + algorithm: String, + generatorVersion: String, + numberOfTests: usize, + notes: Option, // text notes (might not be present), keys correspond to flags + header: Vec, // not used + testGroups: Vec, +} + +#[derive(Serialize, Deserialize, Debug, Clone)] +#[allow(non_snake_case)] +struct TestGroup { + keySize: usize, + r#type: String, + tests: Vec, +} + +#[derive(Serialize, Deserialize, Debug, Clone)] +#[allow(non_snake_case)] +struct Test { + tcId: usize, + comment: String, + ikm: String, + salt: String, + info: String, + size: usize, + okm: String, + result: String, + flags: Vec, +} + +impl ReadFromFile for HkdfTestVector {} + +#[allow(non_snake_case)] +#[test] +fn test_wycheproof() { + let sha1_tests: HkdfTestVector = + HkdfTestVector::from_file("tests/wycheproof/hkdf_sha1_test.json"); + let sha256_tests: HkdfTestVector = + HkdfTestVector::from_file("tests/wycheproof/hkdf_sha256_test.json"); + let sha384_tests: HkdfTestVector = + HkdfTestVector::from_file("tests/wycheproof/hkdf_sha384_test.json"); + let sha512_tests: HkdfTestVector = + HkdfTestVector::from_file("tests/wycheproof/hkdf_sha512_test.json"); + + let test_vectors = [sha1_tests, sha256_tests, sha384_tests, sha512_tests]; + + for tests in test_vectors.iter() { + let algorithm = match tests.algorithm.as_str() { + "HKDF-SHA-1" => HmacAlgorithm::Sha1, + "HKDF-SHA-256" => HmacAlgorithm::Sha256, + "HKDF-SHA-384" => HmacAlgorithm::Sha384, + "HKDF-SHA-512" => HmacAlgorithm::Sha512, + _ => panic!("Unknown HKDF algorithm {}", tests.algorithm), + }; + println!("Testing {:?}", algorithm); + + let num_tests = tests.numberOfTests; + let mut tests_run = 0; + + for testGroup in tests.testGroups.iter() { + assert_eq!(testGroup.r#type, "HkdfTest"); + let _key_size = testGroup.keySize; + for test in testGroup.tests.iter() { + let _valid = 
test.result.eq("valid"); + println!("Test {:?}: {:?}", test.tcId, test.comment); + let ikm = hex_str_to_bytes(&test.ikm); + let salt = hex_str_to_bytes(&test.salt); + let info = hex_str_to_bytes(&test.info); + let size = test.size; + let okm = hex_str_to_bytes(&test.okm); + + // Single-shot + let r = hkdf(algorithm, &salt, &ikm, &info, size); + + // Extract & Expand + let prk = hkdf_extract(algorithm, &salt, &ikm); + let r_expand = hkdf_expand(algorithm, &prk, &info, size); + + assert_eq!(r[..], okm[..]); + assert_eq!(r_expand[..], okm[..]); + + tests_run += 1; + } + } + // Check that we ran all tests. + println!("Ran {} out of {} tests.", tests_run, num_tests); + assert_eq!(num_tests, tests_run); + } +} + +#[test] +fn test_empty_salt() { + let algorithm = HmacAlgorithm::Sha1; + let ikm = hex_str_to_bytes("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"); + let okm = hex_str_to_bytes( + "0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918", + ); + let prk = hkdf_extract(algorithm, &vec![0u8; tag_size(algorithm)], &ikm); + let r_expand = hkdf_expand(algorithm, &prk, &[], 42); + assert_eq!(r_expand[..], okm[..]); + let prk = hkdf_extract(algorithm, &[], &ikm); + let r_expand = hkdf_expand(algorithm, &prk, &[], 42); + assert_eq!(r_expand[..], okm[..]); +} diff --git a/rust/tests/test_hmac.rs b/rust/tests/test_hmac.rs new file mode 100644 index 00000000..65aeca63 --- /dev/null +++ b/rust/tests/test_hmac.rs 
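Review bot: `_valid` is computed from `test.result` and then discarded, so every vector is asserted to equal `okm` regardless of whether the file marks it `valid`; if this JSON contains invalid cases (for instance a `size` beyond the RFC 5869 limit of 255 times the hash length), the test passes only because `hkdf`/`hkdf_expand` happen to return something equal to the recorded `okm` for them, and a later change that rejects such sizes would surface as a confusing mismatch rather than an expected error. Gate the check on the result field, `let valid = test.result.eq("valid");`, compare against `okm` only when `valid`, and state explicitly what the library is expected to do for the remaining cases (the return type of `hkdf_expand` is not visible in the hunk). `_key_size` is likewise read and unused; either drop it or turn it into a check on the parsed `ikm` length, if `keySize` describes the IKM in this schema.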
@@ -0,0 +1,89 @@ +mod test_util; +use test_util::*; + +use hacl_rust::hmac::{hmac, Algorithm}; + +#[derive(Serialize, Deserialize, Debug, Clone)] +#[allow(non_snake_case)] +struct HmacTestVector { + algorithm: String, + generatorVersion: String, + numberOfTests: usize, + notes: Option, // text notes (might not be present), keys correspond to flags + header: Vec, // not used + testGroups: Vec, +} + +#[derive(Serialize, Deserialize, Debug, Clone)] +#[allow(non_snake_case)] +struct TestGroup { + keySize: usize, + tagSize: usize, + r#type: String, + tests: Vec, +} + +#[derive(Serialize, Deserialize, Debug, Clone)] +#[allow(non_snake_case)] +struct Test { + tcId: usize, + comment: String, + key: String, + msg: String, + tag: String, + result: String, + flags: Vec, +} + +impl ReadFromFile for HmacTestVector {} + +#[allow(non_snake_case)] +#[test] +fn test_wycheproof() { + let sha1_tests: HmacTestVector = + HmacTestVector::from_file("tests/wycheproof/hmac_sha1_test.json"); + let sha256_tests: HmacTestVector = + HmacTestVector::from_file("tests/wycheproof/hmac_sha256_test.json"); + let sha384_tests: HmacTestVector = + HmacTestVector::from_file("tests/wycheproof/hmac_sha384_test.json"); + let sha512_tests: HmacTestVector = + HmacTestVector::from_file("tests/wycheproof/hmac_sha512_test.json"); + + let test_vectors = [sha1_tests, sha256_tests, sha384_tests, sha512_tests]; + + for tests in test_vectors.iter() { + let algorithm = match tests.algorithm.as_str() { + "HMACSHA1" => Algorithm::Sha1, + "HMACSHA256" => Algorithm::Sha256, + "HMACSHA384" => Algorithm::Sha384, + "HMACSHA512" => Algorithm::Sha512, + _ => panic!("Unknown HMAC algorithm {}", tests.algorithm), + }; + println!("Testing {:?}", algorithm); + + let num_tests = tests.numberOfTests; + let mut tests_run = 0; + + for testGroup in tests.testGroups.iter() { + assert_eq!(testGroup.r#type, "MacTest"); + let _key_size = testGroup.keySize; + let tag_size = testGroup.tagSize; + for test in testGroup.tests.iter() { + let 
valid = test.result.eq("valid"); + println!("Test {:?}: {:?}", test.tcId, test.comment); + let key = hex_str_to_bytes(&test.key); + let msg = hex_str_to_bytes(&test.msg); + let tag = hex_str_to_bytes(&test.tag); + + let r = hmac(algorithm, &key, &msg, Some(tag_size >> 3)); + if valid { + assert_eq!(r[..], tag[..]); + } + tests_run += 1; + } + } + // Check that we ran all tests. + println!("Ran {} out of {} tests.", tests_run, num_tests); + assert_eq!(num_tests, tests_run); + } +} diff --git a/rust/tests/test_p256_ecdh.rs b/rust/tests/test_p256_ecdh.rs new file mode 100644 index 00000000..f7ce0cbd --- /dev/null +++ b/rust/tests/test_p256_ecdh.rs 
@@ -0,0 +1,86 @@ +mod test_util; +use test_util::*; + +use hacl_rust::ecdh::{self, Mode}; +use hacl_rust::p256::{self, Error}; + +#[derive(Serialize, Deserialize, Debug, Clone)] +#[allow(non_snake_case)] +struct P256TestVector { + algorithm: String, + generatorVersion: String, + numberOfTests: usize, + notes: Option, // text notes (might not be present), keys correspond to flags + header: Vec, // not used + testGroups: Vec, +} + +#[derive(Serialize, Deserialize, Debug, Clone)] +#[allow(non_snake_case)] +struct TestGroup { + curve: String, + r#type: String, + encoding: String, + tests: Vec, +} + +#[derive(Serialize, Deserialize, Debug, Clone)] +#[allow(non_snake_case)] +struct Test { + tcId: usize, + comment: String, + public: String, + private: String, + shared: String, + result: String, + flags: Vec, +} + +impl ReadFromFile for P256TestVector {} + +#[allow(non_snake_case)] +#[test] +fn test_wycheproof() { + let tests: P256TestVector = + P256TestVector::from_file("tests/wycheproof/ecdh_secp256r1_ecpoint_test.json"); + + assert_eq!(tests.algorithm, "ECDH"); + + let num_tests = tests.numberOfTests; + let mut tests_run = 0; + + for testGroup in tests.testGroups.iter() { + assert_eq!(testGroup.curve, "secp256r1"); + assert_eq!(testGroup.r#type, "EcdhEcpointTest"); + assert_eq!(testGroup.encoding, "ecpoint"); + for test in testGroup.tests.iter() { + println!("Test {:?}: {:?}", test.tcId, test.comment); + + let valid = test.result.eq("valid") || test.result.eq("acceptable"); + let public = hex_str_to_bytes(&test.public); + let private = hex_str_to_bytes(&test.private); + let shared = hex_str_to_bytes(&test.shared); + + let result = p256::dh(&public, &private); + let result_ = ecdh::derive(Mode::P256, &public, &private); + match result { + Ok(r) => { + assert!(valid); + assert_eq!(r[..], result_.unwrap()[..]); + // r holds the entire point. 
We only care about X + assert_eq!(r[..32], shared[..]); + } + Err(e) => { + println!("Error case"); + println!("test: {:?}", test); + assert!(!valid); + assert_eq!(e, Error::InvalidPoint); + } + } + tests_run += 1; + } + } + // Check that we ran all tests. + println!("Ran {} out of {} tests.", tests_run, num_tests); + assert_eq!(num_tests, tests_run); +} diff --git a/rust/tests/test_p256_ecdsa.rs b/rust/tests/test_p256_ecdsa.rs new file mode 100644 index 00000000..59c29ce7 --- /dev/null +++ b/rust/tests/test_p256_ecdsa.rs 
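Review bot: The generic `ecdh::derive(Mode::P256, ...)` result is only examined in the `Ok` arm; in the `Err` arm `result_` is dropped unchecked, so the generic API is never shown to reject the invalid points that `p256::dh` rejects. Add `assert!(result_.is_err());` next to the `Error::InvalidPoint` check. The `// r holds the entire point. We only care about X` comment would be clearer as `// r is the full affine point; only the x-coordinate (first 32 bytes) is the ECDH shared secret`, which is what `r[..32]` against `shared` is checking.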
@@ -0,0 +1,198 @@ +mod test_util; +use test_util::*; + +use hacl_rust::digest::Algorithm; +use hacl_rust::p256::{self, Error}; +use hacl_rust::signature::{self, Mode as SignatureMode}; + +#[derive(Serialize, Deserialize, Debug, Clone)] +#[allow(non_snake_case)] +struct P256TestVector { + algorithm: String, + generatorVersion: String, + numberOfTests: usize, + notes: Option, // text notes (might not be present), keys correspond to flags + header: Vec, // not used + testGroups: Vec, +} + +#[derive(Serialize, Deserialize, Debug, Clone)] +#[allow(non_snake_case)] +struct TestGroup { + key: Key, + keyDer: String, + keyPem: String, + sha: String, + r#type: String, + tests: Vec, +} + +#[derive(Serialize, Deserialize, Debug, Clone)] +#[allow(non_snake_case)] +struct Key { + curve: String, + r#type: String, + keySize: usize, + uncompressed: String, + wx: String, + wy: String, +} + +#[derive(Serialize, Deserialize, Debug, Clone)] +#[allow(non_snake_case)] +struct Test { + tcId: usize, + comment: String, + msg: String, + sig: String, + result: String, + flags: Vec, +} + +impl ReadFromFile for P256TestVector {} + +fn make_fixed_length(b: &[u8]) -> [u8; 32] { + let mut out = [0u8; 32]; + let b_len = if b.len() >= 32 { 32 } else { b.len() }; + for i in 0..b_len { + out[31 - i] = b[b.len() - 1 - i]; + } + out +} + +// A very simple ASN1 parser for ecdsa signatures. 
+fn decode_signature(sig: &[u8]) -> p256::Signature { + let mut index = 0; + let (seq, seq_len) = (sig[index], sig[index + 1] as usize); + assert_eq!(0x30, seq); + assert_eq!(seq_len, sig.len() - 2); + index += 2; + + let (x_int, x_int_len) = (sig[index], sig[index + 1] as usize); + assert_eq!(0x02, x_int); + assert!(index + x_int_len + 2 < sig.len()); + index += 2; + let r = &sig[index..index + x_int_len]; + index += x_int_len; + + let (y_int, y_int_len) = (sig[index], sig[index + 1] as usize); + assert_eq!(0x02, y_int); + assert!(index + y_int_len + 2 == sig.len()); + index += 2; + let s = &sig[index..index + y_int_len as usize]; + index += y_int_len; + assert_eq!(sig.len(), index); + + p256::Signature::new(&make_fixed_length(r), &make_fixed_length(s)) +} + +#[allow(non_snake_case)] +#[test] +fn test_wycheproof() { + let tests: P256TestVector = + P256TestVector::from_file("tests/wycheproof/ecdsa_secp256r1_sha256_test.json"); + // TODO: add SHA512 tests + + assert_eq!(tests.algorithm, "ECDSA"); + + let num_tests = tests.numberOfTests; + let mut tests_run = 0; + let mut tests_skipped = 0; + + for testGroup in tests.testGroups.iter() { + assert_eq!(testGroup.key.curve, "secp256r1"); + assert_eq!(testGroup.key.r#type, "EcPublicKey"); + assert_eq!(testGroup.r#type, "EcdsaVerify"); + + assert_eq!(testGroup.sha, "SHA-256"); + + let pk = hex_str_to_bytes(&testGroup.key.uncompressed); + + for test in testGroup.tests.iter() { + println!("Test {:?}: {:?}", test.tcId, test.comment); + + let valid = test.result.eq("valid") || test.result.eq("acceptable"); + let hash = Algorithm::Sha256; + + // Skip invalid for now + if !valid { + tests_skipped += 1; + continue; + } + + let msg = hex_str_to_bytes(&test.msg); + let sig = hex_str_to_bytes(&test.sig); + + // The signature is ASN.1 encoded. 
+ let signature = decode_signature(&sig); + + match p256::ecdsa_verify(hash, &msg, &pk, &signature) { + Ok(r) => { + assert!(valid); + assert!(r); + assert!(signature::verify( + SignatureMode::P256, + Some(hash), + &pk, + &signature.raw(), + &msg, + ) + .unwrap()); + } + Err(e) => { + println!("Error case"); + assert!(!valid); + assert_eq!(e, Error::InvalidConfig); + } + } + + tests_run += 1; + } + } + // Check that we ran all tests. + println!( + "Ran {} out of {} tests and skipped {}.", + tests_run, num_tests, tests_skipped + ); + assert_eq!(num_tests - tests_skipped, tests_run); +} + +#[test] +fn test_self() { + // From https://tools.ietf.org/html/rfc6979#appendix-A.2.5 + const PK_HEX: &str = "0460FED4BA255A9D31C961EB74C6356D68C049B8923B61FA6CE669622E60F29FB67903FE1008B8BC99A41AE9E95628BC64F2F1B20C2D7E9F5177A3C294D4462299"; + const SK_HEX: &str = "C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721"; + + let pk = hex_str_to_bytes(PK_HEX); + let sk = hex_str_to_array(SK_HEX); + let nonce = p256::random_nonce().unwrap(); + let msg = b"sample"; + + let sig = p256::ecdsa_sign(Algorithm::Sha256, &msg[..], &sk, &nonce).unwrap(); + let sig_ = signature::sign( + SignatureMode::P256, + Some(Algorithm::Sha256), + &sk, + &msg[..], + &nonce, + ); + assert_eq!(&sig.raw()[..], &sig_.unwrap()[..]); + let verified = p256::ecdsa_verify(Algorithm::Sha256, &msg[..], &pk, &sig).unwrap(); + let verified_ = signature::verify( + SignatureMode::P256, + Some(Algorithm::Sha256), + &pk, + &sig.raw(), + &msg[..], + ); + assert_eq!(verified, verified_.unwrap()); + assert!(verified); + + let sig = p256::ecdsa_sign(Algorithm::Sha384, &msg[..], &sk, &nonce).unwrap(); + let verified = p256::ecdsa_verify(Algorithm::Sha384, &msg[..], &pk, &sig).unwrap(); + assert!(verified); + + let sig = p256::ecdsa_sign(Algorithm::Sha512, &msg[..], &sk, &nonce).unwrap(); + let verified = p256::ecdsa_verify(Algorithm::Sha512, &msg[..], &pk, &sig).unwrap(); + assert!(verified); +} 
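Review bot: Every non-valid Wycheproof vector is skipped (`// Skip invalid for now`), so the verifier is never shown to reject a signature and the `Err(e)`/`Error::InvalidConfig` arm is unreachable; for an ECDSA verifier the rejection cases (wrong r/s, out-of-range values, malleated encodings) are the ones that matter. The blocker is `decode_signature`, which `assert!`s on anything but a well-formed short-form DER SEQUENCE and reads `sig[0]`/`sig[1]` before checking the length, so a minimal step is to turn those asserts into `return None` (signature `fn decode_signature(sig: &[u8]) -> Option<p256::Signature>`), count only undecodable vectors as skipped, and require `verified == valid` for everything else, as sketched below. Separately, `test_self` produces three signatures under different hash algorithms with the same `nonce` and key; harmless with this published RFC 6979 test key, but the test should not model ECDSA nonce reuse — call `p256::random_nonce().unwrap()` before each `ecdsa_sign`.
```rust
// … unchanged: group checks, pk, per-test println, valid and hash …
let msg = hex_str_to_bytes(&test.msg);
let sig = hex_str_to_bytes(&test.sig);

// Only vectors whose DER the minimal decoder cannot parse are skipped;
// everything else must verify exactly when the file says it is valid.
let signature = match decode_signature(&sig) {
    Some(s) => s,
    None => {
        assert!(!valid);
        tests_skipped += 1;
        continue;
    }
};
let verified = p256::ecdsa_verify(hash, &msg, &pk, &signature).unwrap_or(false);
assert_eq!(verified, valid);
// … unchanged: signature::verify cross-check for valid vectors, tests_run += 1 …
```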
diff --git a/rust/tests/test_sha.rs b/rust/tests/test_sha.rs
new file mode 100644
index 00000000..e3eeafb6
--- /dev/null
+++ b/rust/tests/test_sha.rs
@@ -0,0 +1,96 @@ +use hacl_rust::digest::{self, Algorithm, Digest}; + +#[test] +fn test_sha2() { + let data = b"evercrypt-rust bindings"; + let d = digest::hash(Algorithm::Sha256, data); + let expected_digest_256 = [ + 0xa5, 0x35, 0xf2, 0x6a, 0xff, 0xbc, 0x1f, 0x08, 0x73, 0xdb, 0x15, 0x15, 0x9d, 0xce, 0xbf, + 0x25, 0x99, 0x64, 0xbe, 0x42, 0xde, 0xa8, 0x4d, 0x29, 0x00, 0x38, 0x4b, 0xee, 0x15, 0x09, + 0xe4, 0x00, + ]; + let expected_digest_512 = [ + 0x36, 0x97, 0x36, 0x7c, 0xc9, 0x1e, 0xda, 0xa7, 0x6d, 0xb8, 0x03, 0x39, 0x61, 0x5f, 0xc2, + 0x12, 0xe1, 0x5e, 0x64, 0x3e, 0x31, 0x30, 0xf7, 0x1f, 0x28, 0xd0, 0x3f, 0x34, 0x3d, 0xf4, + 0x88, 0x0a, 0xd3, 0x6c, 0x63, 0xe5, 0x35, 0x1f, 0x56, 0xe0, 0xf7, 0xe0, 0x4c, 0x24, 0x96, + 0xc0, 0xb3, 0x6b, 0xcf, 0x7c, 0x5d, 0xcb, 0xf3, 0x5e, 0x38, 0xe9, 0xbb, 0x44, 0xf8, 0xa0, + 0xc2, 0x83, 0x42, 0x4e, + ]; + assert_eq!(d, expected_digest_256); + assert_eq!( + digest::hash(Algorithm::Sha512, data)[..], + expected_digest_512[..] + ); + + let mut digest = Digest::new(Algorithm::Sha256).unwrap(); + assert!(digest.update(data).is_ok()); + match digest.finish() { + Ok(d) => assert_eq!(d, expected_digest_256), + Err(r) => panic!("Got error in finish {:?}", r), + } + assert!(digest.finish().is_err()); + assert!(digest.update(&[]).is_err()); + + let mut digest = Digest::new(Algorithm::Sha512).unwrap(); + assert!(digest.update(data).is_ok()); + match digest.finish() { + Ok(d) => assert_eq!(d[..], expected_digest_512[..]), + Err(r) => panic!("Got error in finish {:?}", r), + } + assert!(digest.finish().is_err()); + assert!(digest.update(&[]).is_err()); +} + +#[test] +#[should_panic] +fn invalid_sha3() { + Digest::new(Algorithm::Sha3_224).unwrap(); + Digest::new(Algorithm::Sha3_256).unwrap(); + Digest::new(Algorithm::Sha3_384).unwrap(); + Digest::new(Algorithm::Sha3_512).unwrap(); +} + +#[test] +fn test_sha3() { + let data = b"evercrypt-rust bindings"; + let expected_digest_256 = [ + 0x49, 0x4b, 0xc2, 0xea, 0x73, 0x43, 0x4f, 0x88, 0x62, 0x56, 
0x13, 0x39, 0xda, 0x1a, 0x6d, + 0x58, 0x05, 0xee, 0x34, 0x4b, 0x67, 0x5d, 0x18, 0xfb, 0x9a, 0x81, 0xca, 0x65, 0xa7, 0x8f, + 0xeb, 0x6e, + ]; + let expected_digest_512 = [ + 0x7a, 0xaa, 0x97, 0x5c, 0x6b, 0x15, 0x5b, 0x55, 0xd3, 0x7b, 0xa6, 0x99, 0x3f, 0x7e, 0x14, + 0xd9, 0x8c, 0x28, 0x0d, 0x2b, 0x2f, 0xc2, 0x4a, 0xa7, 0x84, 0x07, 0xcf, 0x15, 0x2d, 0x0a, + 0xca, 0xbc, 0x32, 0xf2, 0x11, 0xf4, 0x64, 0x30, 0x19, 0x0a, 0x35, 0x26, 0x94, 0x76, 0x84, + 0x2a, 0x1f, 0x17, 0x41, 0xad, 0x46, 0x06, 0xf6, 0xc8, 0xc6, 0xad, 0x8d, 0x02, 0x2e, 0x85, + 0xb4, 0x9d, 0x6b, 0xd7, + ]; + + assert_eq!(digest::hash(Algorithm::Sha3_256, data), expected_digest_256); + assert_eq!( + digest::hash(Algorithm::Sha3_512, data)[..], + expected_digest_512[..] + ); +} + +#[test] +fn test_shake() { + let data = b"evercrypt-rust bindings"; + let expected_digest_128 = [ + 0xfd, 0x3b, 0x31, 0x35, 0x35, 0x05, 0x87, 0xd5, 0x36, 0x2a, 0xae, 0x4d, 0x1c, 0x8a, 0x25, + 0xba, 0xa4, 0xec, 0x82, 0xef, 0xff, 0xb8, 0x27, 0x1c, 0x91, 0x20, 0xa2, 0xed, 0x53, 0x17, + 0x2a, 0xcc, 0x97, 0x97, 0x34, 0x65, 0x1e, 0x69, 0xb3, 0xb3, 0x27, 0x09, 0x4c, 0xc0, 0x5e, + 0xde, 0x3b, 0x5d, 0xf9, 0x98, 0xe6, 0x37, 0xce, 0x06, 0xb3, 0xa0, 0x53, 0xdf, 0x81, 0x80, + 0x99, 0x8c, 0xfc, 0x95, + ]; + let expected_digest_256 = [ + 0xf0, 0x85, 0x60, 0x6b, 0xed, 0xca, 0x25, 0xe4, 0x3c, 0x97, 0x05, 0x0f, 0xf2, 0x3e, 0xe0, + 0xd9, 0xe5, 0x89, 0x14, 0xff, 0xbb, 0x30, 0x5a, 0x00, 0x26, 0x30, 0x1c, 0x25, 0x7a, 0x5a, + 0xeb, 0x50, 0x7e, 0x4b, 0x21, 0x19, 0x53, 0x3f, 0xf7, 0x23, 0xc7, 0xe1, 0xad, 0xc5, 0xdf, + 0x2a, 0x62, 0x1d, 0xad, 0x18, 0xa4, 0x46, 0xaf, 0xeb, 0x2a, 0x54, 0xb3, 0xad, 0xfe, 0xc7, + 0x8e, 0x08, 0x6a, 0x6f, + ]; + + assert_eq!(digest::shake128(data, 64)[..], expected_digest_128[..]); + assert_eq!(digest::shake256(data, 64)[..], expected_digest_256[..]); +} diff --git a/rust/tests/test_signatures.rs b/rust/tests/test_signatures.rs new file mode 100644 index 00000000..3c528caf --- /dev/null +++ b/rust/tests/test_signatures.rs 
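Review bot: `invalid_sha3` is marked `#[should_panic]` and chains four `unwrap()`s, so the test passes as soon as `Digest::new(Algorithm::Sha3_224)` fails and the `Sha3_256`/`Sha3_384`/`Sha3_512` constructors are never reached; it also cannot tell "streaming SHA-3 is unsupported" apart from any other panic. Drop `#[should_panic]` and assert each constructor on its own, `assert!(Digest::new(Algorithm::Sha3_224).is_err());` and likewise for the other three variants, so every case runs and the expected error is what is checked. A one-line comment stating why these constructors are expected to fail would help, since the hunk does not say and `test_sha3` shows the one-shot `digest::hash` path does work for SHA-3.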
@@ -0,0 +1,17 @@
+use hacl_rust::prelude::*;
+
+#[test]
+fn test_p256_signature() {
+ let msg = b"Message to sign";
+ let (sk, pk) = signature_key_gen(SignatureMode::P256).unwrap();
+ let sig = sign(
+ SignatureMode::P256,
+ DigestAlgorithm::Sha256,
+ &sk,
+ msg,
+ &p256_ecdsa_random_nonce().unwrap(),
+ )
+ .unwrap();
+ let verified = verify(SignatureMode::P256, DigestAlgorithm::Sha256, &pk, &sig, msg).unwrap();
+ assert!(verified);
+}
diff --git a/rust/tests/test_util.rs b/rust/tests/test_util.rs
new file mode 100644
index 00000000..c87cf6d5
--- /dev/null
+++ b/rust/tests/test_util.rs
@@ -0,0 +1,49 @@
+#![allow(dead_code)]
+
+pub use serde::{self, de::DeserializeOwned, Deserialize, Serialize};
+pub use serde_json::Value;
+pub use std::fs::File;
+pub use std::io::{prelude::*, BufReader};
+
+use std::num::ParseIntError;
+
+// use hacl_rust::aead::Nonce;
+
+pub(crate) trait ReadFromFile {
+ fn from_file(file: &'static str) -> T {
+ let file = match File::open(file) {
+ Ok(f) => f,
+ Err(_) => panic!("Couldn't open file {}.", file),
+ };
+ let reader = BufReader::new(file);
+ match serde_json::from_reader(reader) {
+ Ok(r) => r,
+ Err(e) => {
+ println!("{:?}", e);
+ panic!("Error reading file.")
+ }
+ }
+ }
+}
+
+pub(crate) fn hex_str_to_bytes(val: &str) -> Vec {
+ let b: Result, ParseIntError> = (0..val.len())
+ .step_by(2)
+ .map(|i| u8::from_str_radix(&val[i..i + 2], 16))
+ .collect();
+ b.expect("Error parsing hex string")
+}
+
+pub(crate) fn hex_str_to_array(val: &str) -> A
+where
+ A: Default + AsMut<[u8]>,
+{
+ let b: Result, ParseIntError> = (0..val.len())
+ .step_by(2)
+ .map(|i| u8::from_str_radix(&val[i..i + 2], 16))
+ .collect();
+ let b = b.expect("Error parsing hex string");
+ let mut out = A::default();
+ A::as_mut(&mut out).clone_from_slice(&b);
+ out
+}
diff --git a/rust/tests/test_x25519.rs b/rust/tests/test_x25519.rs
new file mode 100644
index 00000000..e9689ade
--- /dev/null
+++ b/rust/tests/test_x25519.rs
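Review bot: In test_util.rs, `hex_str_to_bytes` and `hex_str_to_array` panic with a byte-range index error from `&val[i..i + 2]` on odd-length (or non-ASCII) input instead of reaching the `"Error parsing hex string"` path, which makes a malformed vector file hard to diagnose; add `assert!(val.len() % 2 == 0, "hex string has odd length: {}", val);` at the top of both. `hex_str_to_array` additionally relies on `clone_from_slice` to panic on a length mismatch; an explicit `assert_eq!(A::as_mut(&mut out).len(), b.len(), "hex string length does not match target array");` before the copy tells the reader what size was expected. `ReadFromFile::from_file` prints the serde error and then panics with the fixed text `"Error reading file."`; folding the error into the panic message (`panic!("Error reading file {}: {:?}", file, e)`) keeps the cause visible in the test output.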
@@ -0,0 +1,130 @@ +mod test_util; +use test_util::*; + +use hacl_rust::x25519::{self, Error, Point, Scalar}; + +#[derive(Serialize, Deserialize, Debug, Clone)] +#[allow(non_snake_case)] +struct X25519TestVector { + algorithm: String, + generatorVersion: String, + numberOfTests: usize, + notes: Option, // text notes (might not be present), keys correspond to flags + header: Vec, // not used + testGroups: Vec, +} + +#[derive(Serialize, Deserialize, Debug, Clone)] +#[allow(non_snake_case)] +struct TestGroup { + curve: String, + r#type: String, + tests: Vec, +} + +#[derive(Serialize, Deserialize, Debug, Clone)] +#[allow(non_snake_case)] +struct Test { + tcId: usize, + comment: String, + public: String, + private: String, + shared: String, + result: String, + flags: Vec, +} + +impl ReadFromFile for X25519TestVector {} + +#[allow(non_snake_case)] +#[test] +fn test_wycheproof() { + let tests: X25519TestVector = X25519TestVector::from_file("tests/wycheproof/x25519_test.json"); + + assert_eq!(tests.algorithm, "XDH"); + + let num_tests = tests.numberOfTests; + let mut tests_run = 0; + + for testGroup in tests.testGroups.iter() { + assert_eq!(testGroup.curve, "curve25519"); + assert_eq!(testGroup.r#type, "XdhComp"); + for test in testGroup.tests.iter() { + let valid = test.result.eq("valid") || test.result.eq("acceptable"); + // Mark some test cases as invalid because HACL doesn't allow them + let valid = match test.comment.as_str() { + "public key = 0" => false, + "public key = 1" => false, + "public key with low order" => false, + "public key = 57896044618658097711785492504343953926634992332820282019728792003956564819949" => false, + "public key = 57896044618658097711785492504343953926634992332820282019728792003956564819950" => false, + "public key = 57896044618658097711785492504343953926634992332820282019728792003956564819968" => false, + "public key = 57896044618658097711785492504343953926634992332820282019728792003956564819969" => false, + "special case public key" => { 
+ if (test.flags.contains(&"Twist".to_owned()) && test.tcId != 154) + || test.tcId == 120 + || test.tcId == 122 + || test.tcId == 123 + || test.tcId == 125 + || test.tcId == 128 + || test.tcId == 131 + || test.tcId == 132 + || test.tcId == 134 + || test.tcId == 135 + || test.tcId == 137 + || test.tcId == 138 + || test.tcId == 141 + || test.tcId == 142 + || test.tcId == 143 + || test.tcId == 144 + || test.tcId == 145 + || test.tcId == 146 + || test.tcId == 149 + || test.tcId == 150 + || test.tcId == 151 + || test.tcId == 152 + || test.tcId == 153 { + true + } else { + false + } + }, + "D = 0 in multiplication by 2" => false, + _ => valid, + }; + println!("Test {:?}: {:?}", test.tcId, test.comment); + let public: Point = hex_str_to_array(&test.public); + let private: Scalar = hex_str_to_array(&test.private); + let shared: Point = hex_str_to_array(&test.shared); + + match x25519::dh(&public, &private) { + Ok(r) => { + assert!(valid); + assert_eq!(r[..], shared[..]); + } + Err(e) => { + assert!(!valid); + assert_eq!(e, Error::InvalidPoint); + } + } + tests_run += 1; + } + } + // Check that we ran all tests. + println!("Ran {} out of {} tests.", tests_run, num_tests); + assert_eq!(num_tests, tests_run); +} + +#[cfg(feature = "random")] +#[test] +fn key_gen_self_test() { + let sk_a = x25519::key_gen(); + let pk_a = x25519::dh_base(&sk_a); + + let sk_b = x25519::key_gen(); + let pk_b = x25519::dh_base(&sk_b); + + let shared_a = x25519::dh(&pk_b, &sk_a); + let shared_b = x25519::dh(&pk_a, &sk_b); + assert_eq!(shared_a, shared_b); +} diff --git a/rust/tests/wycheproof/aes_gcm_test.json b/rust/tests/wycheproof/aes_gcm_test.json new file mode 100644 index 00000000..50923f1b --- /dev/null +++ b/rust/tests/wycheproof/aes_gcm_test.json 
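Review bot: `key_gen_self_test` compares the two `x25519::dh` results as `Result`s, so `assert_eq!(shared_a, shared_b)` also passes when both sides return the same `Err`; assert the success explicitly with `assert_eq!(shared_a.unwrap(), shared_b.unwrap());`. In `test_wycheproof`, the `"special case public key"` arm decides the expected outcome from a hard-coded list of `tcId`s, which ties the test to this exact copy of `x25519_test.json` — a regenerated vector file renumbers cases and the overrides silently attach to the wrong vectors. Prefer deriving the expectation from the vector's own fields (the `flags` the arm already reads, such as `Twist`, or the `shared` value, presumably all-zero for the low-order inputs HACL rejects) and add a comment stating why HACL treats those public keys as invalid; the hunk only says that it does.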
@@ -0,0 +1,3570 @@ +{ + "algorithm" : "AES-GCM", + "generatorVersion" : "0.8r12", + "numberOfTests" : 256, + "header" : [ + "Test vectors of type AeadTest test authenticated encryption with", + "additional data. The test vectors are intended for testing both", + "encryption and decryption." + ], + "notes" : { + "ConstructedIv" : "The counter for AES-GCM is reduced modulo 2**32. This test vector was constructed to test for correct wrapping of the counter.", + "SmallIv" : "AES-GCM leaks the authentication key if the same IV is used twice. Hence short IV sizes are typically discouraged. This test vector uses an IV smaller than 12 bytes", + "ZeroLengthIv" : "AES-GCM does not allow an IV of length 0. Encrypting with such an IV leaks the authentication key. Hence using an IV of length 0 is insecure even if the key itself is only used for a single encryption." + }, + "schema" : "aead_test_schema.json", + "testGroups" : [ + { + "ivSize" : 96, + "keySize" : 128, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 1, + "comment" : "", + "key" : "5b9604fe14eadba931b0ccf34843dab9", + "iv" : "028318abc1824029138141a2", + "aad" : "", + "msg" : "001d0c231287c1182784554ca3a21908", + "ct" : "26073cc1d851beff176384dc9896d5ff", + "tag" : "0a3ea7a5487cb5f7d70fb6c58d038554", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 2, + "comment" : "", + "key" : "5b9604fe14eadba931b0ccf34843dab9", + "iv" : "921d2507fa8007b7bd067d34", + "aad" : "00112233445566778899aabbccddeeff", + "msg" : "001d0c231287c1182784554ca3a21908", + "ct" : "49d8b9783e911913d87094d1f63cc765", + "tag" : "1e348ba07cca2cf04c618cb4d43a5b92", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 3, + "comment" : "", + "key" : "aa023d0478dcb2b2312498293d9a9129", + "iv" : "0432bc49ac34412081288127", + "aad" : "aac39231129872a2", + "msg" : "2035af313d1346ab00154fea78322105", + "ct" : "eea945f3d0f98cc0fbab472a0cf24e87", + "tag" : "4bb9b4812519dadf9e1232016d068133", + "result" : "valid", + "flags" : 
[] + }, + { + "tcId" : 4, + "comment" : "", + "key" : "bedcfb5a011ebc84600fcb296c15af0d", + "iv" : "438a547a94ea88dce46c6c85", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "960247ba5cde02e41a313c4c0136edc3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 5, + "comment" : "", + "key" : "384ea416ac3c2f51a76e7d8226346d4e", + "iv" : "b30c084727ad1c592ac21d12", + "aad" : "", + "msg" : "35", + "ct" : "54", + "tag" : "7c1e4ae88bb27e5638343cb9fd3f6337", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 6, + "comment" : "", + "key" : "cae31cd9f55526eb038241fc44cac1e5", + "iv" : "b5e006ded553110e6dc56529", + "aad" : "", + "msg" : "d10989f2c52e94ad", + "ct" : "a036ead03193903f", + "tag" : "3b626940e0e9f0cbea8e18c437fd6011", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 7, + "comment" : "", + "key" : "dd6197cd63c963919cf0c273ef6b28bf", + "iv" : "ecb0c42f7000ef0e6f95f24d", + "aad" : "", + "msg" : "4dcc1485365866e25ac3f2ca6aba97", + "ct" : "8a9992388e735f80ee18f4a63c10ad", + "tag" : "1486a91cccf92c9a5b00f7b0e034891c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 8, + "comment" : "", + "key" : "ffdf4228361ea1f8165852136b3480f7", + "iv" : "0e1666f2dc652f7708fb8f0d", + "aad" : "", + "msg" : "25b12e28ac0ef6ead0226a3b2288c800", + "ct" : "f7bd379d130477176b8bb3cb23dbbbaa", + "tag" : "1ee6513ce30c7873f59dd4350a588f42", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 9, + "comment" : "", + "key" : "c15ed227dd2e237ecd087eaaaad19ea4", + "iv" : "965ff6643116ac1443a2dec7", + "aad" : "", + "msg" : "fee62fde973fe025ad6b322dcdf3c63fc7", + "ct" : "0de51fe4f7f2d1f0f917569f5c6d1b009c", + "tag" : "6cd8521422c0177e83ef1b7a845d97db", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 10, + "comment" : "", + "key" : "a8ee11b26d7ceb7f17eaa1e4b83a2cf6", + "iv" : "fbbc04fd6e025b7193eb57f6", + "aad" : "", + "msg" : "c08f085e6a9e0ef3636280c11ecfadf0c1e72919ffc17eaf", + "ct" : "7cd9f4e4f365704fff3b9900aa93ba54b672bac554275650", + "tag" : 
"f4eb193241226db017b32ec38ca47217", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 11, + "comment" : "", + "key" : "28ff3def08179311e2734c6d1c4e2871", + "iv" : "32bcb9b569e3b852d37c766a", + "aad" : "c3", + "msg" : "dfc61a20df8505b53e3cd59f25770d5018add3d6", + "ct" : "f58d453212c2c8a436e9283672f579f119122978", + "tag" : "5901131d0760c8715901d881fdfd3bc0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 12, + "comment" : "", + "key" : "e63a43216c08867210e248859eb5e99c", + "iv" : "9c3a4263d983456658aad4b1", + "aad" : "834afdc5c737186b", + "msg" : "b14da56b0462dc05b871fc815273ff4810f92f4b", + "ct" : "bf864616c2347509ca9b10446379b9bdbb3b8f64", + "tag" : "a97d25b490390b53c5db91f6ee2a15b8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 13, + "comment" : "", + "key" : "38449890234eb8afab0bbf82e2385454", + "iv" : "33e90658416e7c1a7c005f11", + "aad" : "4020855c66ac4595058395f367201c4c", + "msg" : "f762776bf83163b323ca63a6b3adeac1e1357262", + "ct" : "a6f2ef3c7ef74a126dd2d5f6673964e27d5b34b6", + "tag" : "b8bbdc4f5014bc752c8b4e9b87f650a3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 14, + "comment" : "", + "key" : "6a68671dfe323d419894381f85eb63fd", + "iv" : "9f0d85b605711f34cd2a35ba", + "aad" : "76eb5f147250fa3c12bff0a6e3934a0b16860cf11646773b", + "msg" : "0fc67899c3f1bbe196d90f1eca3797389230aa37", + "ct" : "bd64802cfebaeb487d3a8f76ce943a37b3472dd5", + "tag" : "fce9a5b530c7d7af718be1ec0ae9ed4d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 15, + "comment" : "", + "key" : "e12260fcd355a51a0d01bb1f6fa538c2", + "iv" : "5dfc37366f5688275147d3f9", + "aad" : "", + "msg" : "d902deeab175c008329a33bfaccd5c0eb3a6a152a1510e7db04fa0aff7ce4288530db6a80fa7fea582aa7d46d7d56e708d2bb0c5edd3d26648d336c3620ea55e", + "ct" : "d33bf6722fc29384fad75f990248b9528e0959aa67ec66869dc3996c67a2d559e7d77ce5955f8cad2a4df5fdc3acccafa7bc0def53d848111256903e5add0420", + "tag" : "8bc833de510863b4b432c3cbf45aa7cc", + "result" : "valid", + "flags" : [] + }, + 
{ + "tcId" : 16, + "comment" : "", + "key" : "3c55f88e9faa0d68ab50d02b47161276", + "iv" : "d767c48d2037b4bd2c231bbd", + "aad" : "", + "msg" : "5d6add48e7a5704e54f9c2829a9b4283dce0d3a65b133eba3793c4fbfa1d8e3a2539d0d4f3de381598ce5b2360173fbd149476c31692c5d6e872fce40219378949c2e70b5f1b9f0a1d5f38352ad814b2a035bb3f3f26425d831a2f7a5e65c5dfcd91a315c2b24f53a662605ea40857dd980e9be5cdad000c569f2d204d4bd3b0", + "ct" : "17d72d90bd23e076d8364a87ecb9ac58acc5de4629bfd590409b8bf1fcd3a2f602731b4614cec15e773ea65a65e7210994256bf5450a25acb527269c065f2e2f2279d1fe8b3eda98dcf87b348f1528377bbdd258355d46e035330483d8097e80c7de9bbb606ddf723f2909217ffdd18e8bdbd7b08062f1dcba960e5c0d290f5f", + "tag" : "090b8c2ec98e4116186d0e5fbefeb9c2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 17, + "comment" : "", + "key" : "a294e70fa2ac10a1fb00c588b888b673", + "iv" : "dfe20d1c4350e6235d987af1", + "aad" : "", + "msg" : "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", + "ct" : "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", + "tag" : "c7587e7da41bed682c37377ea4324029", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 18, + "comment" : "", + "key" : "c4b03435b91fc52e09eff27e4dc3fb42", + "iv" : "5046e7e08f0747e1efccb09e", + "aad" : "75fc9078b488e9503dcb568c882c9eec24d80b04f0958c82aac8484f025c90434148db8e9bfe29c7e071b797457cb1695a5e5a6317b83690ba0538fb11e325ca", + "msg" : "8e887b224e8b89c82e9a641cf579e6879e1111c7", + "ct" : "b6786812574a254eb43b1cb1d1753564c6b520e9", + "tag" : "ad8c09610d508f3d0f03cc523c0d5fcc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 19, + "comment" : "", + "key" : "7e37d56e6b1d0172d40d64d6111dd424", + "iv" : "517c55c2ec9bfea90addc2bd", + "aad" : "8ed8a9be4c3d32a5098434ee5c0c4fc20f78ef5e25ed8b72a840a463e36b67b881e048b5e49f515b2541ad5ce4ebb3a917c16bcdc0dc3cb52bb4ed5a1dffcf1e1866544e8db103b2ad99c6fa6e7de1d8b45bff57ec872f1cfc78b0e4870f6f200ff1291cae033defc3327ba82792ba438e35c4bfbb684fec5ce5e3ae167d01d7", + "msg" : 
"6a7dea03c1bba70be8c73da47d5ee06d72a27430", + "ct" : "cfb631790767d0645d8ec6f23bf7fa8b19ce79ee", + "tag" : "c5767ddaa747158446231766bd20490c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 20, + "comment" : "", + "key" : "3076741408f734ce25d48f982e8b844b", + "iv" : "a2712eac5e06d3cc2864aa8b", + "aad" : "18526e4efd995a0bf6405d9f906725c290278958d49554974d8fe025e7860daa225c1285b0573916a4b6741f7cc2e29ce4e525e12f436cb7ce0ad47df3d0f5bd80fb27e47635a4985fdaedf0e821f1c8959985cac49c97a4a02438d92b4afd4c855dcc7ef41ecfc36866334fcc05b2bb93ef13f00c5ea9b921e8a519d77f648e0efe9b5a62305a2ecf7d4999663a6ddfca517f1f36f0899b0bdef9f433c4bb2663c0cc1bb616e7d1949e522bec85485d371d1134c90eede75e865dc7be405b54c33f0acbace6cf780c78035b8035b6ea3f562a8d30a156c199fdafd25be06ee895581195ef125cb4e629e4f18e0bee979d31513896db8466e448e6b4600a316757", + "msg" : "414ec6b149e54735302dada888b98b7fdb4c127c", + "ct" : "e4d3f4898cb3d9732641d1f8d9d889b2c98af930", + "tag" : "76d4fbb69d529b64175b328be00b1068", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 21, + "comment" : "special case", + "key" : "00112233445566778899aabbccddeeff", + "iv" : "000000000000000000000000", + "aad" : "", + "msg" : "ebd4a3e10cf6d41c50aeae007563b072", + "ct" : "f62d84d649e56bc8cfedc5d74a51e2f7", + "tag" : "ffffffffffffffffffffffffffffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 22, + "comment" : "special case", + "key" : "00112233445566778899aabbccddeeff", + "iv" : "ffffffffffffffffffffffff", + "aad" : "", + "msg" : "d593c4d8224f1b100c35e4f6c4006543", + "ct" : "431f31e6840931fd95f94bf88296ff69", + "tag" : "00000000000000000000000000000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 23, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "eb156d081ed6b6b55f4612f021d87b39", + "tag" : "d9847dbc326a06e988c77ad3863e6083", + "result" : "invalid", + 
"flags" : [] + }, + { + "tcId" : 24, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "eb156d081ed6b6b55f4612f021d87b39", + "tag" : "da847dbc326a06e988c77ad3863e6083", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 25, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "eb156d081ed6b6b55f4612f021d87b39", + "tag" : "58847dbc326a06e988c77ad3863e6083", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 26, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "eb156d081ed6b6b55f4612f021d87b39", + "tag" : "d8857dbc326a06e988c77ad3863e6083", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 27, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "eb156d081ed6b6b55f4612f021d87b39", + "tag" : "d8847d3c326a06e988c77ad3863e6083", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 28, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "eb156d081ed6b6b55f4612f021d87b39", + "tag" : "d8847dbc336a06e988c77ad3863e6083", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 29, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "eb156d081ed6b6b55f4612f021d87b39", + "tag" : "d8847dbc306a06e988c77ad3863e6083", + "result" : 
"invalid", + "flags" : [] + }, + { + "tcId" : 30, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "eb156d081ed6b6b55f4612f021d87b39", + "tag" : "d8847dbc326a066988c77ad3863e6083", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 31, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "eb156d081ed6b6b55f4612f021d87b39", + "tag" : "d8847dbc326a06e989c77ad3863e6083", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 32, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "eb156d081ed6b6b55f4612f021d87b39", + "tag" : "d8847dbc326a06e908c77ad3863e6083", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 33, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "eb156d081ed6b6b55f4612f021d87b39", + "tag" : "d8847dbc326a06e988e77ad3863e6083", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 34, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "eb156d081ed6b6b55f4612f021d87b39", + "tag" : "d8847dbc326a06e988c77bd3863e6083", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 35, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "eb156d081ed6b6b55f4612f021d87b39", + "tag" : 
"d8847dbc326a06e988c77ad3873e6083", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 36, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "eb156d081ed6b6b55f4612f021d87b39", + "tag" : "d8847dbc326a06e988c77ad3843e6083", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 37, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "eb156d081ed6b6b55f4612f021d87b39", + "tag" : "d8847dbc326a06e988c77ad3063e6083", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 38, + "comment" : "Flipped bit 120 in tag", + "key" : "000102030405060708090a0b0c0d0e0f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "eb156d081ed6b6b55f4612f021d87b39", + "tag" : "d8847dbc326a06e988c77ad3863e6082", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 39, + "comment" : "Flipped bit 121 in tag", + "key" : "000102030405060708090a0b0c0d0e0f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "eb156d081ed6b6b55f4612f021d87b39", + "tag" : "d8847dbc326a06e988c77ad3863e6081", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 40, + "comment" : "Flipped bit 126 in tag", + "key" : "000102030405060708090a0b0c0d0e0f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "eb156d081ed6b6b55f4612f021d87b39", + "tag" : "d8847dbc326a06e988c77ad3863e60c3", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 41, + "comment" : "Flipped bit 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : 
"eb156d081ed6b6b55f4612f021d87b39", + "tag" : "d8847dbc326a06e988c77ad3863e6003", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 42, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "eb156d081ed6b6b55f4612f021d87b39", + "tag" : "d9847dbc326a06e989c77ad3863e6083", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 43, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "eb156d081ed6b6b55f4612f021d87b39", + "tag" : "d8847d3c326a066988c77ad3863e6083", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 44, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "eb156d081ed6b6b55f4612f021d87b39", + "tag" : "d8847dbc326a066988c77ad3863e6003", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 45, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "eb156d081ed6b6b55f4612f021d87b39", + "tag" : "277b8243cd95f9167738852c79c19f7c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 46, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "eb156d081ed6b6b55f4612f021d87b39", + "tag" : "00000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 47, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : 
"202122232425262728292a2b2c2d2e2f", + "ct" : "eb156d081ed6b6b55f4612f021d87b39", + "tag" : "ffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 48, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "eb156d081ed6b6b55f4612f021d87b39", + "tag" : "5804fd3cb2ea86690847fa5306bee003", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 49, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "eb156d081ed6b6b55f4612f021d87b39", + "tag" : "d9857cbd336b07e889c67bd2873f6182", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "ivSize" : 64, + "keySize" : 128, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 50, + "comment" : "", + "key" : "aa023d0478dcb2b2312498293d9a9129", + "iv" : "0432bc49ac344120", + "aad" : "aac39231129872a2", + "msg" : "2035af313d1346ab00154fea78322105", + "ct" : "64c36bb3b732034e3a7d04efc5197785", + "tag" : "b7d0dd70b00d65b97cfd080ff4b819d1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 51, + "comment" : "small IV sizes", + "key" : "f3434725c82a7f8bb07df1f8122fb6c9", + "iv" : "28e9b7851724bae3", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "44aca00f42e4199b829a55e69b073d9e", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + }, + { + "tcId" : 52, + "comment" : "small IV sizes", + "key" : "deb62233559b57476602b5adac57c77f", + "iv" : "d084547de55bbc15", + "aad" : "", + "msg" : "d8986df0241ed3297582c0c239c724cb", + "ct" : "03e1a168a7e377a913879b296a1b5f9c", + "tag" : "3290aa95af505a742f517fabcc9b2094", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + } + ] + }, + { + "ivSize" : 128, + "keySize" : 128, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 
53, + "comment" : "", + "key" : "2034a82547276c83dd3212a813572bce", + "iv" : "3254202d854734812398127a3d134421", + "aad" : "1a0293d8f90219058902139013908190bc490890d3ff12a3", + "msg" : "02efd2e5782312827ed5d230189a2a342b277ce048462193", + "ct" : "64069c2d58690561f27ee199e6b479b6369eec688672bde9", + "tag" : "9b7abadd6e69c1d9ec925786534f5075", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 54, + "comment" : "", + "key" : "b67b1a6efdd40d37080fbe8f8047aeb9", + "iv" : "fa294b129972f7fc5bbd5b96bba837c9", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "a2cf26481517ec25085c5b17d0786183", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 55, + "comment" : "", + "key" : "209e6dbf2ad26a105445fc0207cd9e9a", + "iv" : "9477849d6ccdfca112d92e53fae4a7ca", + "aad" : "", + "msg" : "01", + "ct" : "fd", + "tag" : "032df7bba5d8ea1a14f16f70bd0e14ec", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 56, + "comment" : "", + "key" : "a549442e35154032d07c8666006aa6a2", + "iv" : "5171524568e81d97e8c4de4ba56c10a0", + "aad" : "", + "msg" : "1182e93596cac5608946400bc73f3a", + "ct" : "2f333087bdca58219f9bfc273e45cc", + "tag" : "e06d1ef473132957ad37eaef29733ca0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 57, + "comment" : "", + "key" : "cfb4c26f126f6a0acb8e4e220f6c56cd", + "iv" : "1275115499ae722268515bf0c164b49c", + "aad" : "", + "msg" : "09dfd7f080275257cf97e76f966b1ad9", + "ct" : "a780bd01c80885156c88a973264c8ee5", + "tag" : "2adeffa682c8d8a81fada7d9fcdd2ee2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 58, + "comment" : "", + "key" : "0b11ef3a08c02970f74281c860691c75", + "iv" : "95c1dd8c0f1705ece68937901f7add7b", + "aad" : "", + "msg" : "f693d4edd825dbb0618d91113128880dbebb23e25d00ed1f077d870be9cc7536", + "ct" : "7e47e10fe3c6fbfa381770eaf5d48d1482e71e0c44dff1e30ca6f95d92052084", + "tag" : "d01444fa5d9c499629d174ff3927a1ac", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 59, + "comment" : "J0:000102030405060708090a0b0c0d0e0f", 
+ "key" : "00112233445566778899aabbccddeeff", + "iv" : "f95fde4a751913202aeeee32a0b55753", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "00078d109d92143fcd5df56721b884fac64ac7762cc09eea2a3c68e92a17bdb575f87bda18be564e", + "tag" : "152a65045fe674f97627427af5be22da", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 60, + "comment" : "J0:00000000000000000000000000000000", + "key" : "00112233445566778899aabbccddeeff", + "iv" : "7b95b8c356810a84711d68150a1b7750", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "84d4c9c08b4f482861e3a9c6c35bc4d91df927374513bfd49f436bd73f325285daef4ff7e13d46a6", + "tag" : "213a3cb93855d18e69337eee66aeec07", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 61, + "comment" : "J0:ffffffffffffffffffffffffffffffff", + "key" : "00112233445566778899aabbccddeeff", + "iv" : "1a552e67cdc4dc1a33b824874ebf0bed", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "948ca37a8e6649e88aeffb1c598f3607007702417ea0e0bc3c60ad5a949886de968cf53ea6462aed", + "tag" : "99b381bfa2af9751c39d1b6e86d1be6a", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 62, + "comment" : "J0:fffffffffffffffffffffffffffffffe", + "key" : "00112233445566778899aabbccddeeff", + "iv" : "dd9d0b4a0c3d681524bffca31d907661", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "64b19314c31af45accdf7e3c4db79f0d948ca37a8e6649e88aeffb1c598f3607007702417ea0e0bc", + "tag" : "5281efc7f13ac8e14ccf5dca7bfbfdd1", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 63, + "comment" : "J0:fffffffffffffffffffffffffffffffd", + "key" : "00112233445566778899aabbccddeeff", + "iv" : "57c5643c4e37b4041db794cfe8e1f0f4", + "aad" : "", + 
"msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "2bb69c3e5d1f91815c6b87a0d5bbea7164b19314c31af45accdf7e3c4db79f0d948ca37a8e6649e8", + "tag" : "a3ea2c09ee4f8c8a12f45cddf9aeff81", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 64, + "comment" : "J0:000102030405060708090a0bffffffff", + "key" : "00112233445566778899aabbccddeeff", + "iv" : "99821c2dd5daecded07300f577f7aff1", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "127af9b39ecdfc57bb11a2847c7c2d3d8f938f40f877e0c4af37d0fe9af033052bd537c4ae978f60", + "tag" : "07eb2fe4a958f8434d40684899507c7c", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 65, + "comment" : "J0:000102030405060708090a0bfffffffe", + "key" : "00112233445566778899aabbccddeeff", + "iv" : "5e4a3900142358d1c774d8d124d8d27d", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "0cf6ae47156b14dce03c8a07a2e172b1127af9b39ecdfc57bb11a2847c7c2d3d8f938f40f877e0c4", + "tag" : "f145c2dcaf339eede427be934357eac0", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 66, + "comment" : "J0:000102030405060708090a0bfffffffd", + "key" : "00112233445566778899aabbccddeeff", + "iv" : "d4125676562984c0fe7cb0bdd1a954e8", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "f0c6ffc18bd46df5569185a9afd169eb0cf6ae47156b14dce03c8a07a2e172b1127af9b39ecdfc57", + "tag" : "facd0bfe8701b7b4a2ba96d98af52bd9", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 67, + "comment" : "J0:000102030405060708090a0b7fffffff", + "key" : "00112233445566778899aabbccddeeff", + "iv" : "b97ec62a5e5900ccf9e4be332e336091", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : 
"d6928e094c06e0a7c4db42184cf7529e95de88b767edebe9b343000be3dab47ea08b744293eed698", + "tag" : "a03e729dcfd7a03155655fece8affd7e", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 68, + "comment" : "J0:000102030405060708090a0b7ffffffe", + "key" : "00112233445566778899aabbccddeeff", + "iv" : "7eb6e3079fa0b4c3eee366177d1c1d1d", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "d82ce58771bf6487116bf8e96421877ed6928e094c06e0a7c4db42184cf7529e95de88b767edebe9", + "tag" : "1e43926828bc9a1614c7b1639096c195", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 69, + "comment" : "J0:000102030405060708090a0bffff7fff", + "key" : "00112233445566778899aabbccddeeff", + "iv" : "0314fcd10fdd675d3c612962c931f635", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "a197a37a5d79697078536bc27fe46cd8d475526d9044aa94f088a054f8e380c64f79414795c61480", + "tag" : "f08baddf0b5285c91fc06a67fe4708ca", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 70, + "comment" : "J0:000102030405060708090a0bffff7ffe", + "key" : "00112233445566778899aabbccddeeff", + "iv" : "c4dcd9fcce24d3522b66f1469a1e8bb9", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "149fde9abbd3a43c2548575e0db9fb84a197a37a5d79697078536bc27fe46cd8d475526d9044aa94", + "tag" : "62a4b6875c288345d6a454399eac1afa", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 71, + "comment" : "special case", + "key" : "00112233445566778899aabbccddeeff", + "iv" : "00000000000000000000000000000000", + "aad" : "", + "msg" : "bec6fa05c1718b9b84c47345bbed7dcb", + "ct" : "45a3f89d02918bfd0c8161658ccc9795", + "tag" : "00000000000000000000000000000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 72, + "comment" : "special case", + 
"key" : "00112233445566778899aabbccddeeff", + "iv" : "ffffffffffffffffffffffffffffffff", + "aad" : "", + "msg" : "4d82639c39d3f3490ee903dd0be7afcf", + "ct" : "1cd5a06214235ceb044d4bad7b047312", + "tag" : "ffffffffffffffffffffffffffffffff", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "ivSize" : 96, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 73, + "comment" : "", + "key" : "92ace3e348cd821092cd921aa3546374299ab46209691bc28b8752d17f123c20", + "iv" : "00112233445566778899aabb", + "aad" : "00000000ffffffff", + "msg" : "00010203040506070809", + "ct" : "e27abdd2d2a53d2f136b", + "tag" : "9a4a2579529301bcfb71c78d4060f52c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 74, + "comment" : "", + "key" : "29d3a44f8723dc640239100c365423a312934ac80239212ac3df3421a2098123", + "iv" : "00112233445566778899aabb", + "aad" : "aabbccddeeff", + "msg" : "", + "ct" : "", + "tag" : "2a7d77fa526b8250cb296078926b5020", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 75, + "comment" : "", + "key" : "80ba3192c803ce965ea371d5ff073cf0f43b6a2ab576b208426e11409c09b9b0", + "iv" : "4da5bf8dfd5852c1ea12379d", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "4771a7c404a472966cea8f73c8bfe17a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 76, + "comment" : "", + "key" : "cc56b680552eb75008f5484b4cb803fa5063ebd6eab91f6ab6aef4916a766273", + "iv" : "99e23ec48985bccdeeab60f1", + "aad" : "", + "msg" : "2a", + "ct" : "06", + "tag" : "633c1e9703ef744ffffb40edf9d14355", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 77, + "comment" : "", + "key" : "51e4bf2bad92b7aff1a4bc05550ba81df4b96fabf41c12c7b00e60e48db7e152", + "iv" : "4f07afedfdc3b6c2361823d3", + "aad" : "", + "msg" : "be3308f72a2c6aed", + "ct" : "cf332a12fdee800b", + "tag" : "602e8d7c4799d62c140c9bb834876b09", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 78, + "comment" : "", + "key" : 
"67119627bd988eda906219e08c0d0d779a07d208ce8a4fe0709af755eeec6dcb", + "iv" : "68ab7fdbf61901dad461d23c", + "aad" : "", + "msg" : "51f8c1f731ea14acdb210a6d973e07", + "ct" : "43fc101bff4b32bfadd3daf57a590e", + "tag" : "ec04aacb7148a8b8be44cb7eaf4efa69", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 79, + "comment" : "", + "key" : "59d4eafb4de0cfc7d3db99a8f54b15d7b39f0acc8da69763b019c1699f87674a", + "iv" : "2fcb1b38a99e71b84740ad9b", + "aad" : "", + "msg" : "549b365af913f3b081131ccb6b825588", + "ct" : "f58c16690122d75356907fd96b570fca", + "tag" : "28752c20153092818faba2a334640d6e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 80, + "comment" : "", + "key" : "3b2458d8176e1621c0cc24c0c0e24c1e80d72f7ee9149a4b166176629616d011", + "iv" : "45aaa3e5d16d2d42dc03445d", + "aad" : "", + "msg" : "3ff1514b1c503915918f0c0c31094a6e1f", + "ct" : "73a6b6f45f6ccc5131e07f2caa1f2e2f56", + "tag" : "2d7379ec1db5952d4e95d30c340b1b1d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 81, + "comment" : "", + "key" : "0212a8de5007ed87b33f1a7090b6114f9e08cefd9607f2c276bdcfdbc5ce9cd7", + "iv" : "e6b1adf2fd58a8762c65f31b", + "aad" : "", + "msg" : "10f1ecf9c60584665d9ae5efe279e7f7377eea6916d2b111", + "ct" : "0843fff52d934fc7a071ea62c0bd351ce85678cde3ea2c9e", + "tag" : "7355fde599006715053813ce696237a8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 82, + "comment" : "", + "key" : "b279f57e19c8f53f2f963f5f2519fdb7c1779be2ca2b3ae8e1128b7d6c627fc4", + "iv" : "98bc2c7438d5cd7665d76f6e", + "aad" : "c0", + "msg" : "fcc515b294408c8645c9183e3f4ecee5127846d1", + "ct" : "eb5500e3825952866d911253f8de860c00831c81", + "tag" : "ecb660e1fb0541ec41e8d68a64141b3a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 83, + "comment" : "", + "key" : "cdccfe3f46d782ef47df4e72f0c02d9c7f774def970d23486f11a57f54247f17", + "iv" : "376187894605a8d45e30de51", + "aad" : "956846a209e087ed", + "msg" : "e28e0e9f9d22463ac0e42639b530f42102fded75", + "ct" : 
"feca44952447015b5df1f456df8ca4bb4eee2ce2", + "tag" : "082e91924deeb77880e1b1c84f9b8d30", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 84, + "comment" : "", + "key" : "f32364b1d339d82e4f132d8f4a0ec1ff7e746517fa07ef1a7f422f4e25a48194", + "iv" : "5a86a50a0e8a179c734b996d", + "aad" : "ab2ac7c44c60bdf8228c7884adb20184", + "msg" : "43891bccb522b1e72a6b53cf31c074e9d6c2df8e", + "ct" : "43dda832e942e286da314daa99bef5071d9d2c78", + "tag" : "c3922583476ced575404ddb85dd8cd44", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 85, + "comment" : "", + "key" : "ff0089ee870a4a39f645b0a5da774f7a5911e9696fc9cad646452c2aa8595a12", + "iv" : "bc2a7757d0ce2d8b1f14ccd9", + "aad" : "972ab4e06390caae8f99dd6e2187be6c7ff2c08a24be16ef", + "msg" : "748b28031621d95ee61812b4b4f47d04c6fc2ff3", + "ct" : "a929ee7e67c7a2f91bbcec6389a3caf43ab49305", + "tag" : "ebec6774b955e789591c822dab739e12", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 86, + "comment" : "", + "key" : "5b1d1035c0b17ee0b0444767f80a25b8c1b741f4b50a4d3052226baa1c6fb701", + "iv" : "d61040a313ed492823cc065b", + "aad" : "", + "msg" : "d096803181beef9e008ff85d5ddc38ddacf0f09ee5f7e07f1e4079cb64d0dc8f5e6711cd4921a7887de76e2678fdc67618f1185586bfea9d4c685d50e4bb9a82", + "ct" : "c7d191b601f86c28b6a1bdef6a57b4f6ee3ae417bc125c381cdf1c4dac184ed1d84f1196206d62cad112b038845720e02c061179a8836f02b93fa7008379a6bf", + "tag" : "f15612f6c40f2e0db6dc76fc4822fcfe", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 87, + "comment" : "", + "key" : "d7addd3889fadf8c893eee14ba2b7ea5bf56b449904869615bd05d5f114cf377", + "iv" : "8a3ad26b28cd13ba6504e260", + "aad" : "", + "msg" : "c877a76bf595560772167c6e3bcc705305db9c6fcbeb90f4fea85116038bc53c3fa5b4b4ea0de5cc534fbe1cf9ae44824c6c2c0a5c885bd8c3cdc906f12675737e434b983e1e231a52a275db5fb1a0cac6a07b3b7dcb19482a5d3b06a9317a54826cea6b36fce452fa9b5475e2aaf25499499d8a8932a19eb987c903bd8502fe", + "ct" : 
"53cc8c920a85d1accb88636d08bbe4869bfdd96f437b2ec944512173a9c0fe7a47f8434133989ba77dda561b7e3701b9a83c3ba7660c666ba59fef96598eb621544c63806d509ac47697412f9564eb0a2e1f72f6599f5666af34cffca06573ffb4f47b02f59f21c64363daecb977b4415f19fdda3c9aae5066a57b669ffaa257", + "tag" : "5e63374b519e6c3608321943d790cf9a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 88, + "comment" : "", + "key" : "317ba331307f3a3d3d82ee1fdab70f62a155af14daf631307a61b187d413e533", + "iv" : "a6687cf508356b174625deaa", + "aad" : "", + "msg" : "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", + "ct" : "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", + "tag" : "bf0540d34b20f761101bc608b02458f2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 89, + "comment" : "", + "key" : "2ce6b4c15f85fb2da5cc6c269491eef281980309181249ebf2832bd6d0732d0b", + "iv" : "c064fae9173b173fd6f11f34", + "aad" : "498d3075b09fed998280583d61bb36b6ce41f130063b80824d1586e143d349b126b16aa10fe57343ed223d6364ee602257fe313a7fc9bf9088f027795b8dc1d3", + "msg" : "f8a27a4baf00dc0555d222f2fa4fb42dc666ea3c", + "ct" : "aed58d8a252f740dba4bf6d36773bd5b41234bba", + "tag" : "01f93d7456aa184ebb49bea472b6d65d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 90, + "comment" : "", + "key" : "44c8d0cdb8f7e736cfd997c872a5d9c5ef30afbe44b6566606b90aa5e3e8b797", + "iv" : "6f39afba021e4c36eb92962e", + "aad" : "98d1ca1788cbeb300ea5c6b1eec95eb2347177201400913d45225622b6273eec8a74c3f12c8d5248dabee586229786ff192c4df0c79547f7ad6a92d78d9f8952758635783add2a5977d386e0aef76482211d2c3ae98de4baadb3f8b35b510464755dc75ceb2bf25b233317523f399a6c507db214f085fa2818f0d3702b10952b", + "msg" : "2e6f40f9d3725836ac0c858177938fd67be19432", + "ct" : "b42428f8094ef7e65c9e8c45ef3e95c28ce07d72", + "tag" : "32b25dfbb896d0f9d79c823bdd8e5d06", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 91, + "comment" : "", + "key" : "e40003d6e08ab80b4bfc8400ef112945a901ec64a1b6536ca92665090d608bc4", + "iv" : "9f095dafe6f6e0fbafbbe02e", + 
"aad" : "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", + "msg" : "38c3f44bc5765de1f3d1c3684cd09cddefaf298d", + "ct" : "d4a79f729487935950ec032e690ab8fe25c4158e", + "tag" : "876d2f334f47968b10c103859d436db8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 92, + "comment" : "special case", + "key" : "00112233445566778899aabbccddeeff102132435465768798a9bacbdcedfe0f", + "iv" : "000000000000000000000000", + "aad" : "", + "msg" : "561008fa07a68f5c61285cd013464eaf", + "ct" : "23293e9b07ca7d1b0cae7cc489a973b3", + "tag" : "ffffffffffffffffffffffffffffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 93, + "comment" : "special case", + "key" : "00112233445566778899aabbccddeeff102132435465768798a9bacbdcedfe0f", + "iv" : "ffffffffffffffffffffffff", + "aad" : "", + "msg" : "c6152244cea1978d3e0bc274cf8c0b3b", + "ct" : "7cb6fc7c6abc009efe9551a99f36a421", + "tag" : "00000000000000000000000000000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 94, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "b2061457c0759fc1749f174ee1ccadfa", + "tag" : "9de8fef6d8ab1bf1bf887232eab590dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 95, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "b2061457c0759fc1749f174ee1ccadfa", + "tag" : "9ee8fef6d8ab1bf1bf887232eab590dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 96, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "b2061457c0759fc1749f174ee1ccadfa", + "tag" : 
"1ce8fef6d8ab1bf1bf887232eab590dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 97, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "b2061457c0759fc1749f174ee1ccadfa", + "tag" : "9ce9fef6d8ab1bf1bf887232eab590dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 98, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "b2061457c0759fc1749f174ee1ccadfa", + "tag" : "9ce8fe76d8ab1bf1bf887232eab590dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 99, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "b2061457c0759fc1749f174ee1ccadfa", + "tag" : "9ce8fef6d9ab1bf1bf887232eab590dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 100, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "b2061457c0759fc1749f174ee1ccadfa", + "tag" : "9ce8fef6daab1bf1bf887232eab590dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 101, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "b2061457c0759fc1749f174ee1ccadfa", + "tag" : "9ce8fef6d8ab1b71bf887232eab590dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 102, + "comment" : "Flipped bit 64 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "b2061457c0759fc1749f174ee1ccadfa", + "tag" : "9ce8fef6d8ab1bf1be887232eab590dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 103, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "b2061457c0759fc1749f174ee1ccadfa", + "tag" : "9ce8fef6d8ab1bf13f887232eab590dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 104, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "b2061457c0759fc1749f174ee1ccadfa", + "tag" : "9ce8fef6d8ab1bf1bfa87232eab590dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 105, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "b2061457c0759fc1749f174ee1ccadfa", + "tag" : "9ce8fef6d8ab1bf1bf887332eab590dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 106, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "b2061457c0759fc1749f174ee1ccadfa", + "tag" : "9ce8fef6d8ab1bf1bf887232ebb590dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 107, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : 
"202122232425262728292a2b2c2d2e2f", + "ct" : "b2061457c0759fc1749f174ee1ccadfa", + "tag" : "9ce8fef6d8ab1bf1bf887232e8b590dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 108, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "b2061457c0759fc1749f174ee1ccadfa", + "tag" : "9ce8fef6d8ab1bf1bf8872326ab590dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 109, + "comment" : "Flipped bit 120 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "b2061457c0759fc1749f174ee1ccadfa", + "tag" : "9ce8fef6d8ab1bf1bf887232eab590dc", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 110, + "comment" : "Flipped bit 121 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "b2061457c0759fc1749f174ee1ccadfa", + "tag" : "9ce8fef6d8ab1bf1bf887232eab590df", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 111, + "comment" : "Flipped bit 126 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "b2061457c0759fc1749f174ee1ccadfa", + "tag" : "9ce8fef6d8ab1bf1bf887232eab5909d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 112, + "comment" : "Flipped bit 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "b2061457c0759fc1749f174ee1ccadfa", + "tag" : "9ce8fef6d8ab1bf1bf887232eab5905d", + "result" : 
"invalid", + "flags" : [] + }, + { + "tcId" : 113, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "b2061457c0759fc1749f174ee1ccadfa", + "tag" : "9de8fef6d8ab1bf1be887232eab590dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 114, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "b2061457c0759fc1749f174ee1ccadfa", + "tag" : "9ce8fe76d8ab1b71bf887232eab590dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 115, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "b2061457c0759fc1749f174ee1ccadfa", + "tag" : "9ce8fef6d8ab1b71bf887232eab5905d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 116, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "b2061457c0759fc1749f174ee1ccadfa", + "tag" : "631701092754e40e40778dcd154a6f22", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 117, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "b2061457c0759fc1749f174ee1ccadfa", + "tag" : "00000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 118, + "comment" : "tag changed to all 1", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "b2061457c0759fc1749f174ee1ccadfa", + "tag" : "ffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 119, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "b2061457c0759fc1749f174ee1ccadfa", + "tag" : "1c687e76582b9b713f08f2b26a35105d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 120, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "b2061457c0759fc1749f174ee1ccadfa", + "tag" : "9de9fff7d9aa1af0be897333ebb491dc", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "ivSize" : 128, + "keySize" : 192, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 121, + "comment" : "J0:000102030405060708090a0b0c0d0e0f", + "key" : "00112233445566778899aabbccddeeff1021324354657687", + "iv" : "029e0e777db092b12535d043012f09ba", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "f83cee467336e1a09b75f24e9b4385c99c13e6af722256a66129ece961fe803b167bad206f5017fb", + "tag" : "09338a42f0acc14f97c064f52f5f1688", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 122, + "comment" : "J0:00000000000000000000000000000000", + "key" : "00112233445566778899aabbccddeeff1021324354657687", + "iv" : "f1be3b06b7feac07e7eab629f556047b", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : 
"0b32b648a2c28e9edd7cee08eeeb900034cae7215e5ab1e201bd2eed1032c5a97866ba582a3458a4", + "tag" : "90be3606de58bd778fa5beff4a4102bd", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 123, + "comment" : "J0:ffffffffffffffffffffffffffffffff", + "key" : "00112233445566778899aabbccddeeff1021324354657687", + "iv" : "de9eb63b1daed321a11b7547cc9e223c", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "575e2ecec2b3c72d4e80830d0d859ad9e42c29c4a68d8d9d8d23434de2cd07733be49d62ac1ae085", + "tag" : "6e4d6396125a10df5443bd0cbc8566d1", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 124, + "comment" : "J0:fffffffffffffffffffffffffffffffe", + "key" : "00112233445566778899aabbccddeeff1021324354657687", + "iv" : "40bb0abebc483ff6d5671241ff5d66c6", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "2a818888d1f09f32aa7beedd2869b446575e2ecec2b3c72d4e80830d0d859ad9e42c29c4a68d8d9d", + "tag" : "dc481f172545268eff63ab0490403dc3", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 125, + "comment" : "J0:fffffffffffffffffffffffffffffffd", + "key" : "00112233445566778899aabbccddeeff1021324354657687", + "iv" : "20d5cf305e630a8f49e3bb4bab18abc9", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "96d36b795f8e7edf6a8e0dbcd20d6c072a818888d1f09f32aa7beedd2869b446575e2ecec2b3c72d", + "tag" : "8a3a22bf2592958b930292aa47f590e8", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 126, + "comment" : "J0:000102030405060708090a0bffffffff", + "key" : "00112233445566778899aabbccddeeff1021324354657687", + "iv" : "255358a71a0e5731f6dd6ce28e158ae6", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : 
"cfce3d920f0e01f0bb49a751955b236d1b887baefd25c47f41303c46d5c7bf9ca4c2c45a8f1e6656", + "tag" : "2db9dc1b7fd315df1c95432432fcf474", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 127, + "comment" : "J0:000102030405060708090a0bfffffffe", + "key" : "00112233445566778899aabbccddeeff1021324354657687", + "iv" : "bb76e422bbe8bbe682a10be4bdd6ce1c", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "69a24169792e9a07f6e6f4736fa972dccfce3d920f0e01f0bb49a751955b236d1b887baefd25c47f", + "tag" : "82ad967f7ac19084354f69a751443fb2", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 128, + "comment" : "J0:000102030405060708090a0bfffffffd", + "key" : "00112233445566778899aabbccddeeff1021324354657687", + "iv" : "db1821ac59c38e9f1e25a2eee9930313", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "4e4417a83beac1eb7e24456a05f6ba5569a24169792e9a07f6e6f4736fa972dccfce3d920f0e01f0", + "tag" : "472d5dd582dc05ef5fc496b612023cb2", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 129, + "comment" : "J0:000102030405060708090a0b7fffffff", + "key" : "00112233445566778899aabbccddeeff1021324354657687", + "iv" : "f7a02ecca03064b2ef3cce9feab79f07", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "6f8e174efca3097299f784efd4caff0bf168c3e5165b9ad3d20062009848044eef8f31f7d2fead05", + "tag" : "caff723826df150934aee3201ba175e7", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 130, + "comment" : "J0:000102030405060708090a0b7ffffffe", + "key" : "00112233445566778899aabbccddeeff1021324354657687", + "iv" : "6985924901d688659b40a999d974dbfd", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : 
"af193090ce3d43a388a1d294a09616906f8e174efca3097299f784efd4caff0bf168c3e5165b9ad3", + "tag" : "3b08958be1286c2b4acba02b3674adb2", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 131, + "comment" : "J0:000102030405060708090a0bffff7fff", + "key" : "00112233445566778899aabbccddeeff1021324354657687", + "iv" : "3f1188546c65ed0fc55e75032c68ee44", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "5deccf838b2cf5f869c90d2a611160b1e578ab8121b93735cba4a1930647b8c4c84bf776333ee45a", + "tag" : "c14d52208f0f51b816a48971eaf8ff7e", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 132, + "comment" : "J0:000102030405060708090a0bffff7ffe", + "key" : "00112233445566778899aabbccddeeff1021324354657687", + "iv" : "a13434d1cd8301d8b12212051fabaabe", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "d2cae1684aa407a13a2e2da5357e29f55deccf838b2cf5f869c90d2a611160b1e578ab8121b93735", + "tag" : "ea2d018099cd7925c507cef0ceddb0ae", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 133, + "comment" : "special case", + "key" : "00112233445566778899aabbccddeeff1021324354657687", + "iv" : "00000000000000000000000000000000", + "aad" : "", + "msg" : "5c7d3f81d4b5055ed6f8db53614587a4", + "ct" : "541b835dc828d541073f7d7d7504ebf5", + "tag" : "00000000000000000000000000000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 134, + "comment" : "special case", + "key" : "00112233445566778899aabbccddeeff1021324354657687", + "iv" : "ffffffffffffffffffffffffffffffff", + "aad" : "", + "msg" : "6a347ad1190e72ede611044e7475f0eb", + "ct" : "a3f36154331c196624564bc395e49c3b", + "tag" : "ffffffffffffffffffffffffffffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 135, + "comment" : "", + "key" : "fae2a14197c7d1140061fe7c3d11d9f77c79562e3593a99b", + "iv" : 
"bc28433953772d57bbd933100cd47a56", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "1bb94331f26cad24036cfeff34b89aaf", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 136, + "comment" : "", + "key" : "cee9abbc26b63e169f0ced621fe21d95904e75b881d93e6b", + "iv" : "1e8259e0a43e571068f701cd2064fc0c", + "aad" : "", + "msg" : "46", + "ct" : "dc", + "tag" : "af1f5535b125b34fc466902ea40cb3a2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 137, + "comment" : "", + "key" : "189f0bd390ba40632586a45c39735c2b87113329c800f394", + "iv" : "c84442d6975f0359737de0fa828f958e", + "aad" : "", + "msg" : "b4bcd7b8eeca3050dd17682c6a914e", + "ct" : "2aab5c87dcb4a4dae4e975ddb65aab", + "tag" : "6b03b7557c7131e2352e495d54e61aef", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 138, + "comment" : "", + "key" : "b0724f15df5b792c2f49bc51df0ac5aad69be0030981613c", + "iv" : "13cd526ec77b58f62d48d03f8b88f2b8", + "aad" : "", + "msg" : "8da3ab9c3d195b04df452ad23953da4d", + "ct" : "d127fd2e67c0887d90eb92b91f357d97", + "tag" : "eb05bda937faeed27f8833295d4ba559", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 139, + "comment" : "", + "key" : "998750ba784841e40a7c5b03985732b6397e5459a3843954", + "iv" : "1d3d62eccd8ac5e896f2654a7f606fc9", + "aad" : "", + "msg" : "2f60ca3494a958dc3e6ebeb5d0b4e6dda0d0c4331ab9c957f6422a5100878ebf", + "ct" : "344c2cea17b06cb3da272e22a22a3a71ee0eaa1959a7facfff464660ddccedd1", + "tag" : "bab7fbf499ff06aad5f757b1c1a4fcc0", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "ivSize" : 96, + "keySize" : 192, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 140, + "comment" : "special case", + "key" : "00112233445566778899aabbccddeeff1021324354657687", + "iv" : "000000000000000000000000", + "aad" : "", + "msg" : "0b4dbbba8982e0f649f8ba85f3aa061b", + "ct" : "3f875c9bd7d8511448459468e398c3b2", + "tag" : "ffffffffffffffffffffffffffffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 141, + "comment" : 
"special case", + "key" : "00112233445566778899aabbccddeeff1021324354657687", + "iv" : "ffffffffffffffffffffffff", + "aad" : "", + "msg" : "1ae93688ef7e2650a9342ad4718b2780", + "ct" : "210dabea4364c6d5b3429e7743322936", + "tag" : "00000000000000000000000000000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 142, + "comment" : "", + "key" : "5019eb9fef82e5750b631758f0213e3e5fcca12748b40eb4", + "iv" : "ff0ddb0a0d7b36d219da12b5", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "7971284e6c9e6aac346fe2b7a0a064c2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 143, + "comment" : "", + "key" : "21218af790428f8024d3e7e1428c9fcf578c216636d60e73", + "iv" : "34047bc39b9c608384dff5b8", + "aad" : "", + "msg" : "e3", + "ct" : "fe", + "tag" : "2e982e24b81cd120d35a70fe6935e665", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 144, + "comment" : "", + "key" : "3a8bf543c480925632118245bcbf5d01522b987a31a33da3", + "iv" : "4ebc13cf4636cc7c45e560a7", + "aad" : "", + "msg" : "53fc72e71b59eeb3", + "ct" : "99f2ff1c8a44e5f2", + "tag" : "6870f104ddc514477b400336fb01860e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 145, + "comment" : "", + "key" : "92f4d2672fceec43963ccffb17e6ea7578b11418b06a3b82", + "iv" : "6e7ff7f0797685cfc44b05ff", + "aad" : "", + "msg" : "c3ec16adb184affa8ae9738bffb916", + "ct" : "afe8ef41591bfcc00db3c880ceb186", + "tag" : "29fff7f285768645c9c8bf7a471c9393", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 146, + "comment" : "", + "key" : "bcb6bc5ee6743df1396a34639327b25809ec9c81dd6a0c0e", + "iv" : "be0326d23bdc2c64648d13f4", + "aad" : "", + "msg" : "80474a3a3b809560eee2ce7a7a33ea07", + "ct" : "90339dca02ef717f1603994aee6cf6d2", + "tag" : "e3d33e01ce64f271783147de226228bc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 147, + "comment" : "", + "key" : "5e1d28213e092536525bbae09e214af4c891e202b2b4fa4f", + "iv" : "b6be6cd0681235d826aa28ea", + "aad" : "", + "msg" : "53d59433a7db7f41b31ccb6d4a2d789965", + 
"ct" : "b98ed6321679941a3e521834296686ad98", + "tag" : "9f50c03e055e519712c582ec9db3235b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 148, + "comment" : "", + "key" : "7f672d85e151aa490bc0eec8f66b5e5bee74af11642be3ff", + "iv" : "b022067048505b20946216ef", + "aad" : "", + "msg" : "ef6412c72b03c643fa02565a0ae2378a9311c11a84065f80", + "ct" : "addd303651119e52f6170dfc7a915064253d57532987b9ab", + "tag" : "fa0484f8baa95f5b7a31c56d1b34c58b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 149, + "comment" : "", + "key" : "969fed5068541d65418c2c1de8fe1f845e036030496e1272", + "iv" : "817fe51c31f2879141a34335", + "aad" : "cb", + "msg" : "3d8233191a2823bf767e99167b1d4af4f4848458", + "ct" : "0d2c3a3c0cc4b40e70ed45e188e356a0e1533b31", + "tag" : "92909a80e90540e1878ab59ef300072b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 150, + "comment" : "", + "key" : "fa5b9b41f93f8b682c04ba816c3fecc24eec095b04dd7497", + "iv" : "62b9cf1e923bc1138d05d205", + "aad" : "2ed8487153e21b12", + "msg" : "18159841813a69fc0f8f4229e1678da7c9016711", + "ct" : "c7c1cbb85ce2a0a3f32cb9ef01ad45ec1118b66d", + "tag" : "253317f98bdab87531ece20475cd9ebb", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 151, + "comment" : "", + "key" : "fbfb395662787e2d25a2e7510f818e825936a35114e237c9", + "iv" : "3f1a1e02e90a4ba7a1db9df2", + "aad" : "74318d8876528243f1944b73eb77e96e", + "msg" : "2952a3d64107d5cbb9602239d05a5c5c222cf72b", + "ct" : "ecf5e403f19c007c8da7a456caf0a6d75762829b", + "tag" : "e0877a100f9dd9d6795f0e74c56a9fab", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 152, + "comment" : "", + "key" : "5d8e9c2222316c9ed5ff94513cc957436ae447a6e1a73a29", + "iv" : "0802ae86c75a73bf79561521", + "aad" : "5ca354a4cb8e4fc9798aa209ad4f739dc7c232fdd1f22584", + "msg" : "42b4439e1d2116f834b91c516a26299df279956b", + "ct" : "94d844d98b9467daa7e8dde7f4290037354d7fb2", + "tag" : "62196638590cef429d6b1d1a59839c02", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 153, + 
"comment" : "", + "key" : "ccbd0f509825a5f358a14aac044ae2826bb2c9eaaaaa077f", + "iv" : "9189a71ac359b73c8c08df22", + "aad" : "", + "msg" : "a1ed1007b52e36ec0f70109c68da72ee7b675c855e3e4956d2dcf9d12f675d6933f677ddcc58face857699d2e3d90adcb8c6c57c9d88b5dfcf356de4c0b63f0e", + "ct" : "e9915bc5aea63c8bc014f2ae6a4986b03115ff1f34ad6c0acd74ffca07c453ec3f3ce6902d5ff338c588a34a1c3b30ef753ec7001572cbfeafe690fd00f59b02", + "tag" : "fbf19b6b90e2d9df7ead0c3bc6e375a2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 154, + "comment" : "", + "key" : "d045c6eb173f440843faec3e9374602a94ee3f7176312208", + "iv" : "98e9153daca2522e3162cb15", + "aad" : "", + "msg" : "3f0b30dc963a82d182c035b5a823060f07c4123792e6cee6bf91fea3c52fa66bb6a93ea6cce9f4813eb95bf18f816c00ad4fb56932827a39efb2fe56804e604a606774ee92ad46cd8c172a0d2bdea2fc99f67cd82c6024c315cfee6dbb8d27f745c9d0ce9bf5d09724f4bed003cf39478348b3304baa4ecc9974fc4f3ff93f95", + "ct" : "9663e6f98b2768448e6dd0dd780e145668af5b002257e353213868c9cd9fd3a1e9427530327541775a093123076d34985db3aa248cd55e532609d1a39274c49216ea20fbab719b9c7e310b27877b9a33d1b69ab747afac944d1e97ea789367821c331f00b5d618402bfc57884d18edbd60c4dfe218c08080b8e3479ff84bdfb5", + "tag" : "fc2ff62a41bdb79afc369842e4eccabf", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 155, + "comment" : "", + "key" : "e602188abf6a91f3e258838cea6befeffcf6257a509c3e95", + "iv" : "9e35d3ef1897c5fe3f647204", + "aad" : "", + "msg" : "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", + "ct" : "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", + "tag" : "c72035314f43d256f8d845eb696bd943", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 156, + "comment" : "", + "key" : "55a4ca526443357ac7c896d9a67cf7d467f6921d69002d3a", + "iv" : "dba233ccbc7992e64e82cfa3", + "aad" : "df737cd77d31eb9097a17c31b4c92889ef1f32b7464e2620e9007192ea675b9ad6910527ffecee2452be0248fab75608c7fdca08e86580322aac1d6a11b96ecf", + "msg" : "4e56d1ea538cf49cad49959e884eb540c846556c", + "ct" : 
"3f57ec1b414f74818fead9f35aa1679402c3e750", + "tag" : "97b89b291419e32cf654ea630a3ad014", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 157, + "comment" : "", + "key" : "f381d0ffd3373a1aa02edd1d7fa748e91908fe534bef73d2", + "iv" : "10aaec0de4ad75376be9fd41", + "aad" : "7739aad7399d9c0f0a3c95b403888f0072d94acb76ff576e05f4a063120b84e722b4d5cd43a58e4abab444cb8ced112f3dbd8993b831c39b4edb76e92eb33ee24c5922b56552685f3b0f4cf22e0e11628f6a3d33eff9def7ec527112dfafcf122814e3d1aaf66c3f970526511088bffef8101d1cef833268ff80387df30557f7", + "msg" : "653a3f033c2775e08fef73cf80f5e2699fb360cb", + "ct" : "5565c6d09c4c924d61c0ef808fb0ea144ffb4738", + "tag" : "12b72ec1d9c32fb22c13c40b33796fa9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 158, + "comment" : "", + "key" : "8f27b1c3b3d7023c76ee66c768a3e92d4971e25f729d8788", + "iv" : "12444040caede67285e490d7", + "aad" : "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", + "msg" : "0df6e750092b9ac576dde66006a4cab2116eee21", + "ct" : "c6877b03552e97d9a1e6557f90dc7adde15a2f43", + "tag" : "2536272bee7446820041854e10b49a03", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 159, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f1011121314151617", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "458256842dfd297f30bd2f8f15c92db0", + "tag" : "b5e44c5b2fe90e4c78f358da0d99cb64", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 160, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f1011121314151617", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "458256842dfd297f30bd2f8f15c92db0", + "tag" : "b6e44c5b2fe90e4c78f358da0d99cb64", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 161, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f1011121314151617", + "iv" : "505152535455565758595a5b", + 
"aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "458256842dfd297f30bd2f8f15c92db0", + "tag" : "34e44c5b2fe90e4c78f358da0d99cb64", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 162, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f1011121314151617", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "458256842dfd297f30bd2f8f15c92db0", + "tag" : "b4e54c5b2fe90e4c78f358da0d99cb64", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 163, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f1011121314151617", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "458256842dfd297f30bd2f8f15c92db0", + "tag" : "b4e44cdb2fe90e4c78f358da0d99cb64", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 164, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f1011121314151617", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "458256842dfd297f30bd2f8f15c92db0", + "tag" : "b4e44c5b2ee90e4c78f358da0d99cb64", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 165, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f1011121314151617", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "458256842dfd297f30bd2f8f15c92db0", + "tag" : "b4e44c5b2de90e4c78f358da0d99cb64", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 166, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f1011121314151617", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "458256842dfd297f30bd2f8f15c92db0", + "tag" : "b4e44c5b2fe90ecc78f358da0d99cb64", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 167, + "comment" : "Flipped 
bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f1011121314151617", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "458256842dfd297f30bd2f8f15c92db0", + "tag" : "b4e44c5b2fe90e4c79f358da0d99cb64", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 168, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f1011121314151617", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "458256842dfd297f30bd2f8f15c92db0", + "tag" : "b4e44c5b2fe90e4cf8f358da0d99cb64", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 169, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f1011121314151617", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "458256842dfd297f30bd2f8f15c92db0", + "tag" : "b4e44c5b2fe90e4c78d358da0d99cb64", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 170, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f1011121314151617", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "458256842dfd297f30bd2f8f15c92db0", + "tag" : "b4e44c5b2fe90e4c78f359da0d99cb64", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 171, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f1011121314151617", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "458256842dfd297f30bd2f8f15c92db0", + "tag" : "b4e44c5b2fe90e4c78f358da0c99cb64", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 172, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f1011121314151617", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "458256842dfd297f30bd2f8f15c92db0", + "tag" : 
"b4e44c5b2fe90e4c78f358da0f99cb64", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 173, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f1011121314151617", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "458256842dfd297f30bd2f8f15c92db0", + "tag" : "b4e44c5b2fe90e4c78f358da8d99cb64", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 174, + "comment" : "Flipped bit 120 in tag", + "key" : "000102030405060708090a0b0c0d0e0f1011121314151617", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "458256842dfd297f30bd2f8f15c92db0", + "tag" : "b4e44c5b2fe90e4c78f358da0d99cb65", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 175, + "comment" : "Flipped bit 121 in tag", + "key" : "000102030405060708090a0b0c0d0e0f1011121314151617", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "458256842dfd297f30bd2f8f15c92db0", + "tag" : "b4e44c5b2fe90e4c78f358da0d99cb66", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 176, + "comment" : "Flipped bit 126 in tag", + "key" : "000102030405060708090a0b0c0d0e0f1011121314151617", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "458256842dfd297f30bd2f8f15c92db0", + "tag" : "b4e44c5b2fe90e4c78f358da0d99cb24", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 177, + "comment" : "Flipped bit 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f1011121314151617", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "458256842dfd297f30bd2f8f15c92db0", + "tag" : "b4e44c5b2fe90e4c78f358da0d99cbe4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 178, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f1011121314151617", + "iv" : 
"505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "458256842dfd297f30bd2f8f15c92db0", + "tag" : "b5e44c5b2fe90e4c79f358da0d99cb64", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 179, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f1011121314151617", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "458256842dfd297f30bd2f8f15c92db0", + "tag" : "b4e44cdb2fe90ecc78f358da0d99cb64", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 180, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f1011121314151617", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "458256842dfd297f30bd2f8f15c92db0", + "tag" : "b4e44c5b2fe90ecc78f358da0d99cbe4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 181, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f1011121314151617", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "458256842dfd297f30bd2f8f15c92db0", + "tag" : "4b1bb3a4d016f1b3870ca725f266349b", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 182, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f1011121314151617", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "458256842dfd297f30bd2f8f15c92db0", + "tag" : "00000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 183, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f1011121314151617", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "458256842dfd297f30bd2f8f15c92db0", + "tag" : "ffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : 
[] + }, + { + "tcId" : 184, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f1011121314151617", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "458256842dfd297f30bd2f8f15c92db0", + "tag" : "3464ccdbaf698eccf873d85a8d194be4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 185, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f1011121314151617", + "iv" : "505152535455565758595a5b", + "aad" : "", + "msg" : "202122232425262728292a2b2c2d2e2f", + "ct" : "458256842dfd297f30bd2f8f15c92db0", + "tag" : "b5e54d5a2ee80f4d79f259db0c98ca65", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "ivSize" : 128, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 186, + "comment" : "J0:000102030405060708090a0b0c0d0e0f", + "key" : "00112233445566778899aabbccddeeff102132435465768798a9bacbdcedfe0f", + "iv" : "5c2ea9b695fcf6e264b96074d6bfa572", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "28e1c5232f4ee8161dbe4c036309e0b3254e9212bef0a93431ce5e5604c8f6a73c18a3183018b770", + "tag" : "d5808a1bd11a01129bf3c6919aff2339", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 187, + "comment" : "J0:00000000000000000000000000000000", + "key" : "00112233445566778899aabbccddeeff102132435465768798a9bacbdcedfe0f", + "iv" : "57b3a81f2c36b6b06577ca0fbab8fa8e", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "cceebeb4fe4cd90c514e52d2327a2ecd75393661006cf2476d8620149aef3d1cdce491fff3e7a7a3", + "tag" : "8132e865b69d64ef37db261f80cbbe24", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 188, + "comment" : "J0:ffffffffffffffffffffffffffffffff", + "key" : "00112233445566778899aabbccddeeff102132435465768798a9bacbdcedfe0f", + "iv" : 
"ce20a7e870696a5e68533c465bad2ba1", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "4f4350565d91d9aa8c5f4048550492ad6d6fdabf66da5d1e2af7bfe1a8aadaa0baa3de38a41d9713", + "tag" : "155da6441ec071ef2d8e6cffbacc1c7c", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 189, + "comment" : "J0:fffffffffffffffffffffffffffffffe", + "key" : "00112233445566778899aabbccddeeff102132435465768798a9bacbdcedfe0f", + "iv" : "918e3c19dbdfee2db18156c5b93f3d75", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "8316a53167b6de1a7575700693ffef274f4350565d91d9aa8c5f4048550492ad6d6fdabf66da5d1e", + "tag" : "6c574aa6a2490cc3b2f2f8f0ffbc56c4", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 190, + "comment" : "J0:fffffffffffffffffffffffffffffffd", + "key" : "00112233445566778899aabbccddeeff102132435465768798a9bacbdcedfe0f", + "iv" : "717d900b270462b9dbf7e9419e890609", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "5175927513e751eb309f45bc2ef225f28316a53167b6de1a7575700693ffef274f4350565d91d9aa", + "tag" : "8082a761e1d755344bf29622144e7d39", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 191, + "comment" : "J0:000102030405060708090a0bffffffff", + "key" : "00112233445566778899aabbccddeeff102132435465768798a9bacbdcedfe0f", + "iv" : "ecd52120af240e9b4bf3b9d1eeb49434", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "36b3fbecd09178d04527fb37544f5579d20d60a41266f685c48098e1a52804ca387d90709d3268dd", + "tag" : "033e0ef2953ebfd8425737c7d393f89a", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 192, + "comment" : "J0:000102030405060708090a0bfffffffe", + "key" : 
"00112233445566778899aabbccddeeff102132435465768798a9bacbdcedfe0f", + "iv" : "b37bbad104928ae89221d3520c2682e0", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "16929b773051f12b0adac95f65e21a7f36b3fbecd09178d04527fb37544f5579d20d60a41266f685", + "tag" : "ca448bb7e52e897eca234ef343d057d0", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 193, + "comment" : "J0:000102030405060708090a0bfffffffd", + "key" : "00112233445566778899aabbccddeeff102132435465768798a9bacbdcedfe0f", + "iv" : "538816c3f849067cf8576cd62b90b99c", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "6d3faefaf691d58163846f8d4b9ffd5916929b773051f12b0adac95f65e21a7f36b3fbecd09178d0", + "tag" : "84f49740e6757f63dd0df7cb7656d0ef", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 194, + "comment" : "J0:000102030405060708090a0b7fffffff", + "key" : "00112233445566778899aabbccddeeff102132435465768798a9bacbdcedfe0f", + "iv" : "d10e631943cd3bdababab2bbd13951c0", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "d60196c2d14fcf30c0991d2721ddc52d385f407a16691dade82c9023c855fd8e2e8fbb562102f018", + "tag" : "877e15d9889e69a99fcc6d727465c391", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 195, + "comment" : "J0:000102030405060708090a0b7ffffffe", + "key" : "00112233445566778899aabbccddeeff102132435465768798a9bacbdcedfe0f", + "iv" : "8ea0f8e8e87bbfa96368d83833ab4714", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "948fbceca12a6e4fabb79b6d965e336fd60196c2d14fcf30c0991d2721ddc52d385f407a16691dad", + "tag" : "cd5757626945976ba9f0264bd6bee894", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 196, + "comment" : 
"J0:000102030405060708090a0bffff7fff", + "key" : "00112233445566778899aabbccddeeff102132435465768798a9bacbdcedfe0f", + "iv" : "7b2df4fbed1de2727eb24898e5deabb9", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "a1a0120660ff52e6b1700b12c54d2d33b94b00cd7882d8857d84e6e183a1dea6ee85a7da84fbc35d", + "tag" : "b015d72da62c81cb4d267253b20db9e5", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 197, + "comment" : "J0:000102030405060708090a0bffff7ffe", + "key" : "00112233445566778899aabbccddeeff102132435465768798a9bacbdcedfe0f", + "iv" : "24836f0a46ab6601a760221b074cbd6d", + "aad" : "", + "msg" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000", + "ct" : "5e3434b45edbf0d1f6e02d1144dbf867a1a0120660ff52e6b1700b12c54d2d33b94b00cd7882d885", + "tag" : "ee74ccb30d649ebf6916d05a7dbe5696", + "result" : "valid", + "flags" : [ + "ConstructedIv" + ] + }, + { + "tcId" : 198, + "comment" : "special case", + "key" : "00112233445566778899aabbccddeeff102132435465768798a9bacbdcedfe0f", + "iv" : "00000000000000000000000000000000", + "aad" : "", + "msg" : "8d74f1c97243d362577ff376c393d2dc", + "ct" : "265c42e2b96ea1de9c24f7182e337390", + "tag" : "00000000000000000000000000000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 199, + "comment" : "special case", + "key" : "00112233445566778899aabbccddeeff102132435465768798a9bacbdcedfe0f", + "iv" : "ffffffffffffffffffffffffffffffff", + "aad" : "", + "msg" : "884df0e76f3ce227bf9595d103825a46", + "ct" : "988f47668ea650cbaa6714711abe268d", + "tag" : "ffffffffffffffffffffffffffffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 200, + "comment" : "", + "key" : "b4cd11db0b3e0b9b34eafd9fe027746976379155e76116afde1b96d21298e34f", + "iv" : "00c49f4ebb07393f07ebc3825f7b0830", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "306fe8c9645cc849823e333a685b90b2", + "result" : "valid", + "flags" : [] + }, 
+ { + "tcId" : 201, + "comment" : "", + "key" : "b7797eb0c1a6089ad5452d81fdb14828c040ddc4589c32b565aad8cb4de3e4a0", + "iv" : "0ad570d8863918fe89124e09d125a271", + "aad" : "", + "msg" : "ed", + "ct" : "3f", + "tag" : "fd8f593b83314e33c5a72efbeb7095e8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 202, + "comment" : "", + "key" : "4c010d9561c7234c308c01cea3040c925a9f324dc958ff904ae39b37e60e1e03", + "iv" : "2a55caa137c5b0b66cf3809eb8f730c4", + "aad" : "", + "msg" : "2a093c9ed72b8ff4994201e9f9e010", + "ct" : "041341078f0439e50b43c991635117", + "tag" : "5b8a2f2da20ef657c903da88ef5f57bb", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 203, + "comment" : "", + "key" : "e7f7a48df99edd92b81f508618aa96526b279debd9ddb292d385ddbae80b2259", + "iv" : "7ee376910f08f497aa6c3aa7113697fd", + "aad" : "", + "msg" : "5e51dbbb861b5ec60751c0996e00527f", + "ct" : "469478d448f7e97d755541aa09ad95b0", + "tag" : "254ada5cf662d90c5e11b2bd9c4db4c4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 204, + "comment" : "", + "key" : "4f84782bfbb64a973c3de3dcfa3430367fd68bc0b4c3b31e5d7c8141ba3e6a67", + "iv" : "5d1bde6fa0994b33efd8f23f531248a7", + "aad" : "", + "msg" : "78cb6650a1908a842101ea85804fed00cc56fbdafafba0ef4d1ca607dcae57b6", + "ct" : "cb960201fa5ad41d41d1c2c8037c71d52b72e76b16b589d71b976627c9734c9d", + "tag" : "8dfce16467c3a6ebb3e7242c9a551962", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "ivSize" : 120, + "keySize" : 128, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 205, + "comment" : "unusual IV size", + "key" : "34c74e28182948e03af02a01f46eb4f7", + "iv" : "b0a73119a97d623806b49d45ddf4c7", + "aad" : "", + "msg" : "fe82ba66cf2e265741f2c86c", + "ct" : "2bc3ef8e7402b4631f48e9be", + "tag" : "4b6f6f5be291a90b9e93a8a82ddbc8d8", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "ivSize" : 160, + "keySize" : 128, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 206, + "comment" : "unusual IV size", + 
"key" : "55cb7cac77efe18a1ea3b30c65f3f346", + "iv" : "e22b6b144ab26b5781316e7a42a76202ac4b2278", + "aad" : "", + "msg" : "2f3d11ea32bf5bc72cbe2b8d", + "ct" : "4fe13ef29f118f85a63188f8", + "tag" : "05975b175316df8045889f43e0c857e0", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "ivSize" : 120, + "keySize" : 192, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 207, + "comment" : "unusual IV size", + "key" : "66f75acbd8d3acf7af47d13e8384c2809d6b91503a7f294b", + "iv" : "edf93e16294f15eded83808f09320e", + "aad" : "", + "msg" : "a900c86b6b7e0e5563f8f826", + "ct" : "9af1a022c61c4315aa0e923e", + "tag" : "20529bff3c59222ec33353af337b1d40", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "ivSize" : 160, + "keySize" : 192, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 208, + "comment" : "unusual IV size", + "key" : "ef2e299dd4ecd7e3b9cc62780922cc2c89f78840564d1276", + "iv" : "130c14c839e35b7d56b3350b194b0da342e6b65d", + "aad" : "", + "msg" : "03f59579b14437199583270e", + "ct" : "073a5291b11df379f31b4f16", + "tag" : "17205999491bd4c1d6c7ec3e56779c32", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "ivSize" : 120, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 209, + "comment" : "unusual IV size", + "key" : "e98b0669a645eb14cd06df6968fc5f10edc9f54feed264e3d410cdc61b72ef51", + "iv" : "17ca250fb733877556263223eadde1", + "aad" : "", + "msg" : "f384b3ed7b274641f5db60cf", + "ct" : "fc213602aa423b87d7c2a874", + "tag" : "36b15bab6923b17218fe1c24048e2391", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "ivSize" : 160, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 210, + "comment" : "unusual IV size", + "key" : "849b3e6b8cdd85bdcfb8eb701aa5522ae2340fbe5214e389622cef76979225c4", + "iv" : "0f9d6ed7eef362dfa4a7dfa5c0f74c5b27bd4ebf", + "aad" : "", + "msg" : "8c5564e53051c0de273199b4", + "ct" : "c1d76233e8c5042e92bf8d32", + 
"tag" : "7cf036d235d3b2dd349a8c804b65144a", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "ivSize" : 256, + "keySize" : 128, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 211, + "comment" : "long IV size", + "key" : "5927bae748bb69d81b5a724e0a165652", + "iv" : "365e0b96932b13306f92e9bb23847165bcbf5d35e45a83d75c86ecca70131f4c", + "aad" : "", + "msg" : "316bf99bfafc76f1bfc0b03c", + "ct" : "5348af57fafe2485b43f2bc4", + "tag" : "019a96c5373c031626b6c0300d4cf78b", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "ivSize" : 512, + "keySize" : 128, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 212, + "comment" : "long IV size", + "key" : "dbd3676f293409273f27b375e03793a3", + "iv" : "967fa7c990eb2becbd450835e28ea3a9000c7216285cfa7696e8c3dac3ce952a1fe638d7c8c73e1d708dce01b5a20fcc9aa011949d2a835f777423c172fa3aa0", + "aad" : "", + "msg" : "625efedb8b7f1aa62238a8f2", + "ct" : "f559b70fe1149cb34406a2c7", + "tag" : "94180ddb7bb1995abe0219eab5ce232f", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "ivSize" : 1024, + "keySize" : 128, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 213, + "comment" : "long IV size", + "key" : "7e5a39dcda7e066988f19adf4de4d501", + "iv" : "494356c3459d60e3a83433c9bcf2c0454a763e496e4ec99bfbe4bbb83a4fda76b542213899dcf5521cd9bbbe5d11545bda44a3f4a681ce2843acea730d83d3930ea30991ee1a68ebf6d1a5a40f9b02a1aab091298df8dd689dc7613bcbff94d35f2ca43377d81618562bcf6573411ec9bc97c5a6276b554054c0fa787073d067", + "aad" : "", + "msg" : "b04729b4adbaac63c2aaf8d8", + "ct" : "5291dd4da91ccc2e77306d83", + "tag" : "a7f7b21a3b7ece509e922647fd905f06", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "ivSize" : 2056, + "keySize" : 128, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 214, + "comment" : "long IV size", + "key" : "eac3f28cd937ff29eb6158a3721b5145", + "iv" : 
"6fd260bba87339539c37dc68fdc3656f63c83028cb8adcb531085e98bd570c6b735d0cc4b4b924696000a2d893621ae64dcce992b562b89a5285643a08febccbc52243cbfc8d45212e047b00c87c6b6bf175f8bb678ec55c1091315cbecb8b85700f4a4653623fb78e63cfff7d6235e48e9832c9f0716d10992fc5b0ad4e6972bbeeb1ad670cd7ec8fac82e07ea5a64f9761a39714aaa73affd2cb190a7ac2df5e5dcea6812ae2c872c7ac70453c5e7ec4d0b5b18c6ff3bfb9ae15fea44cf392615b80034edae596b8821f97fca58d167fb44a093b0c009a0bd5631355b0cb25d93ba9b79b006301d99db657e801933fc2764a0ce650eaf5a1299efe60cb53b634", + "aad" : "", + "msg" : "098912a302773377b9c26ac3", + "ct" : "e3be947153a26a3a54e3015c", + "tag" : "fd042bdde22f67c4fd298d5dc0867606", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "ivSize" : 256, + "keySize" : 192, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 215, + "comment" : "long IV size", + "key" : "8f9ebc67a9a6430c2b0ceeaf983e1356964bb928635b9ca4", + "iv" : "36e4b381574d171c7769a788cbc147224fabd8b773f16b8ae84d8f2603aaa440", + "aad" : "", + "msg" : "a3a96ee94f94caa81ebcd66d", + "ct" : "8c2a9823a3b3d413be696387", + "tag" : "faaf01ceb40a7e145e8fe65aa9af58c0", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "ivSize" : 512, + "keySize" : 192, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 216, + "comment" : "long IV size", + "key" : "f4bbdfd06f7fb1434880e4166d38d56e02a3f0df0d5301ce", + "iv" : "90743bd5d794d52ac848b7e2384545a25846acf143be84c0ead0432fcf3172631cf58d0ca78571c03053c1e1b85ed79cb5303d0e3a98ff4f56c4f0a5eb4f0eac", + "aad" : "", + "msg" : "39d2abe6697f17ec27f2a39c", + "ct" : "a660ea5bf07a78fea0120173", + "tag" : "7404fc7b7354694428236f203c130244", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "ivSize" : 1024, + "keySize" : 192, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 217, + "comment" : "long IV size", + "key" : "1761c77798ef9cdfa40553f34614fe7402212087f0509411", + "iv" : 
"fbb3eab379c9b8689dc30b0713690e55d51c956ca36fbcc73eeeee16a46d7c41a7a9626e68e25d685c008c19d3b2b1792bdc99c35441a6fcac35e0d6446dd914f543abd9ecd6b0cb5201c243026c4f13641d67c8d8cd5114b6e11ebbc6b1dee2a18db2150a5a575dcd21648e0337dadbccd3deffd6d979e03e6b9ddfee0abdc2", + "aad" : "", + "msg" : "35ca4eb463a2000138210b4d", + "ct" : "f400132ff38c04ed747dde34", + "tag" : "ca1534e7dd0336bbb32a79830c71a447", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "ivSize" : 2056, + "keySize" : 192, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 218, + "comment" : "long IV size", + "key" : "f795ece7de1881fbc6843eb740f812e41e3fc49ff6c7b940", + "iv" : "3569fca7c9d06e2a03fed1aac2484fd4416ca07d55ecbb333ec674f0ea5c6e75a10dfb9c738b69dab2eda10ada721a61c7f02b7e7f79e8a9e2dc36b3fdf609e436054c82a774ec617dceec84a577037ff1a3f120d9818d042063acb36c9584e81ec94f11f1ee240f2e45e944694a9c8e535acbb01d93958411cff68e3d32f8931746a4a0cece65e93c51c70b3111034b6867b407e0147f97c576d3ed8cec7e8ec26e95643e46e97ea3595c9c3172b4856f2d2b6dc8564666ddac92c794ffb2d4dc7f461761f0e326650f48d327604e095bd8754072116c96360d09f010ac2f39eb96b227f3d738deb756c8699460d88cf716170ae15267b14f4a89164720f1c602", + "aad" : "", + "msg" : "22dbd8037aa05b14cf81dd23", + "ct" : "13a95a06c1bed4845af9c701", + "tag" : "03379836b0c82f64a1bccdcd763acbbc", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "ivSize" : 256, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 219, + "comment" : "long IV size", + "key" : "ee4171917d2337496812a2784d6a71300e6b8c1ac3b1ef58cee77c229aeaf2c5", + "iv" : "e826a79361f9d582b64450e3edc82589487853d5b22feaa0c889875bd0d87cd4", + "aad" : "", + "msg" : "94d2f8697facaaa191ba617a", + "ct" : "a295c2cb27ce23d26874ade1", + "tag" : "04650a78bbb61db337c9c32aa3e7b6fa", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "ivSize" : 512, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 220, + "comment" : "long IV 
size", + "key" : "132c59b4bcb8afb31637734a81105bb2c9878f320ace9076d5fd7c5d216c8d12", + "iv" : "ec51ee18cfb46897d3666c7df35c29ca5d898241c4a34f893eb1db5d5c6b76e24617459d1153868154437a0e95aa3c26e956b494a52dd5ac3b9331116c7c775f", + "aad" : "", + "msg" : "12c7be00facda49596e19134", + "ct" : "9cdcfc3aaa8d466f25588e4b", + "tag" : "7e80f51e7180f1cd3ba84349888fcd5c", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "ivSize" : 1024, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 221, + "comment" : "long IV size", + "key" : "7b0b12491901d62d097fa26dc71e15cfacafa3226719e47126d99c79d98ec222", + "iv" : "7d08b226b4a5d03f6f8cb3a3cb8d1ce31b059dc5112385275e38a15c97e0f24022b249a5f7019ea577198cb26ac64e82b2b04681537c4198775a523b0e6494b84febaef3399b35c27b0969fa43572bf5827a763aac1af69526f37e38acb5d354f2b68487f275f4361ed39073f7dd6653ac17c0794118a0cf143293ac0be66229", + "aad" : "", + "msg" : "c80312590700c3bbfacd1a40", + "ct" : "3f3c151e984d059462f9e5a0", + "tag" : "e559f5f755aa292171cc35fbf911a64f", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "ivSize" : 2056, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 222, + "comment" : "long IV size", + "key" : "3bc3bf39d0d5ffd94cca2b45c678a2d049151ed2babc713be53cb66f54a16337", + "iv" : "92c2cee7e9138b186da51f146fb21fd5b491f1a19eef61d4ed14ce6b21b04fdb6ff8ebb60fddc55926e7bda2a8f35c610bb795232412739d6c2d74458ef5a1a1cde9bf17e47e3b00db0b0504d56dc8b8d3de23f7c3a5d52e8d0aab1e64405aaa852ec2dd667ed9c1fd8dc1fdbbc8712c7a38f30faeab594f33897b41b1720f3c2f954ed91ca450d82c3dcd35858c608ad42f36832e56b04821a132f72e0da7b62cbd3925250f64fbb3f5c4783495893097adc09a32d776e04bf72558d37830b372341f6536d8ee9df4a82e4074e7774ab6917a04fa8c499eb4b46a92def365da8b5eb1e0b438779507d1f5272a6e8629a3f9c7bd4862c5691ee8b56bfe292deb4e", + "aad" : "", + "msg" : "8125ee7637d7d0e03bbacf35", + "ct" : "5496ae94c3322ebf959ea9a9", + "tag" : "70717cc00fd1ffa59bb04329226a0c0a", + "result" : 
"valid", + "flags" : [] + } + ] + }, + { + "ivSize" : 0, + "keySize" : 128, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 223, + "comment" : "0 size IV is not valid", + "key" : "8f3f52e3c75c58f5cb261f518f4ad30a", + "iv" : "", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "cf71978ffcc778f3c85ac9c31b6fe191", + "result" : "invalid", + "flags" : [ + "ZeroLengthIv" + ] + }, + { + "tcId" : 224, + "comment" : "0 size IV is not valid", + "key" : "2a4bf90e56b70fdd8649d775c089de3b", + "iv" : "", + "aad" : "", + "msg" : "324ced6cd15ecc5b3741541e22c18ad9", + "ct" : "00a29f0a5e2e7490279d1faf8b881c7b", + "tag" : "a2c7e8d7a19b884f742dfec3e76c75ee", + "result" : "invalid", + "flags" : [ + "ZeroLengthIv" + ] + } + ] + }, + { + "ivSize" : 0, + "keySize" : 192, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 225, + "comment" : "0 size IV is not valid", + "key" : "0b18d21337035c7baa08211b702fa780ac7c09be8f9ed11f", + "iv" : "", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "ca69a2eb3a096ea36b1015d5dffff532", + "result" : "invalid", + "flags" : [ + "ZeroLengthIv" + ] + }, + { + "tcId" : 226, + "comment" : "0 size IV is not valid", + "key" : "ba76d594a6df915bb7ab7e6d1a8d024b2796336c1b8328a9", + "iv" : "", + "aad" : "", + "msg" : "d62f302742d61d823ea991b93430d589", + "ct" : "509b0658d09f7a5bb9db43b70c8387f7", + "tag" : "2c9488d53a0b2b5308c2757dfac7219f", + "result" : "invalid", + "flags" : [ + "ZeroLengthIv" + ] + } + ] + }, + { + "ivSize" : 0, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 227, + "comment" : "0 size IV is not valid", + "key" : "3f8ca47b9a940582644e8ecf9c2d44e8138377a8379c5c11aafe7fec19856cf1", + "iv" : "", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "1726aa695fbaa21a1db88455c670a4b0", + "result" : "invalid", + "flags" : [ + "ZeroLengthIv" + ] + }, + { + "tcId" : 228, + "comment" : "0 size IV is not valid", + "key" : 
"7660d10966c6503903a552dde2a809ede9da490e5e5cc3e349da999671809883", + "iv" : "", + "aad" : "", + "msg" : "c314235341debfafa1526bb61044a7f1", + "ct" : "7772ea358901f571d3d35c19497639d9", + "tag" : "8fe0520ad744a11f0ccfd228454363fa", + "result" : "invalid", + "flags" : [ + "ZeroLengthIv" + ] + } + ] + }, + { + "ivSize" : 8, + "keySize" : 128, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 229, + "comment" : "small IV sizes", + "key" : "59a284f50aedd8d3e2a91637d3815579", + "iv" : "80", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "af498f701d2470695f6e7c8327a2398b", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + }, + { + "tcId" : 230, + "comment" : "small IV sizes", + "key" : "fec58aa8cf06bfe05de829f27ec77693", + "iv" : "9d", + "aad" : "", + "msg" : "f2d99a9f893378e0757d27c2e3a3101b", + "ct" : "0a24612a9d1cbe967dbfe804bf8440e5", + "tag" : "96e6fd2cdc707e3ee0a1c90d34c9c36c", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + } + ] + }, + { + "ivSize" : 16, + "keySize" : 128, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 231, + "comment" : "small IV sizes", + "key" : "88a972cce9eaf5a7813ce8149d0c1d0e", + "iv" : "0f2f", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "4ccf1efb4da05b4ae4452aea42f5424b", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + }, + { + "tcId" : 232, + "comment" : "small IV sizes", + "key" : "b43967ee933e4632bd6562ba1201bf83", + "iv" : "8760", + "aad" : "", + "msg" : "5a6ad6db70591d1e520b0122f05021a0", + "ct" : "ba3e7f8b2999995c7fc4006ca4f475ff", + "tag" : "98f47a5279cebbcac214515710f6cd8a", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + } + ] + }, + { + "ivSize" : 32, + "keySize" : 128, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 233, + "comment" : "small IV sizes", + "key" : "4e9a97d3ed54c7b54610793ab05052e1", + "iv" : "cc851957", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "e574b355bda2980e047e584feb1676ca", + 
"result" : "acceptable", + "flags" : [ + "SmallIv" + ] + }, + { + "tcId" : 234, + "comment" : "small IV sizes", + "key" : "d83c1d7a97c43f182409a4aa5609c1b1", + "iv" : "7b5faeb2", + "aad" : "", + "msg" : "c8f07ba1d65554a9bd40390c30c5529c", + "ct" : "1b84baea9df1e65bee7b49e4a8cda1ec", + "tag" : "5c0bb79d8240041edce0f94bd4bb384f", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + } + ] + }, + { + "ivSize" : 48, + "keySize" : 128, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 235, + "comment" : "small IV sizes", + "key" : "c6a705677affb49e276d9511caa46145", + "iv" : "4ad80c2854fb", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "1e2ed72af590cafb8647d185865f5463", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + }, + { + "tcId" : 236, + "comment" : "small IV sizes", + "key" : "eba7699b56cc0aa2f66a2a5be9944413", + "iv" : "d1dafc8de3e3", + "aad" : "", + "msg" : "d021e53d9098a2df3d6b903cdad0cd9c", + "ct" : "18291aa8dc7b07448aa8f71bb8e380bf", + "tag" : "9c0e22e5c41b1039ff5661ffaefa8e0f", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + } + ] + }, + { + "ivSize" : 8, + "keySize" : 192, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 237, + "comment" : "small IV sizes", + "key" : "c70ce38e84e5f53ed41c3f0d2ca493412ad32cb04c6e2efa", + "iv" : "cb", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "08d96edb5e22874cd10cb2256ca04bc6", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + }, + { + "tcId" : 238, + "comment" : "small IV sizes", + "key" : "74c816b83dfd287210a3e2c6da8d3053bbfbd9b156d3fdd8", + "iv" : "0f", + "aad" : "", + "msg" : "f2b7b2c9b312cf2af78f003df15c8e19", + "ct" : "6c5e796ba9a3ddc64f401e68d135101d", + "tag" : "96a132ed43924e98feb888ff682bdaef", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + } + ] + }, + { + "ivSize" : 16, + "keySize" : 192, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 239, + "comment" : "small IV sizes", + "key" : 
"cbf45ba488932aea1a10e5862f92e4a7e277bda9f34af6d0", + "iv" : "75e5", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "1f0d23070fcd748e25bf6454f5c9136e", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + }, + { + "tcId" : 240, + "comment" : "small IV sizes", + "key" : "e1c0446f11ae6aa4fa254f9a846fc6e13e45e537e47f2042", + "iv" : "8989", + "aad" : "", + "msg" : "3a2f5ad0eb216e546e0bcaa377b6cbc7", + "ct" : "550b48a43e821fd76f49f0f1a897aead", + "tag" : "f6e0a979481f9957ddad0f21a777a73a", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + } + ] + }, + { + "ivSize" : 32, + "keySize" : 192, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 241, + "comment" : "small IV sizes", + "key" : "567563bf4cf154902275a53bc57cd6dd7b370d27011bdac8", + "iv" : "68d7fc38", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "1475563e3212f3b5e40062569afd71e3", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + }, + { + "tcId" : 242, + "comment" : "small IV sizes", + "key" : "834d0bb601170865a78139428a1503695a6a291ebd747cd1", + "iv" : "bb9d2aa3", + "aad" : "", + "msg" : "6f79e18b4acd5a03d3a5f7e1a8d0f183", + "ct" : "309133e76159fe8a41b20843486511ab", + "tag" : "03ab26993b701910a2e8ecccd2ba9e52", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + } + ] + }, + { + "ivSize" : 48, + "keySize" : 192, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 243, + "comment" : "small IV sizes", + "key" : "99fb18f5ba430bb9ea942968ecb799b43406e1af4b6425a1", + "iv" : "a984bdcdcae2", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "d7b9a6b58a97982916e83219fbf71b1e", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + }, + { + "tcId" : 244, + "comment" : "small IV sizes", + "key" : "b77b242aa0d51c92fda013e0cb0ef2437399ace5d3f507e4", + "iv" : "52aa01e0d0d6", + "aad" : "", + "msg" : "4ba541a9914729216153801340ab1779", + "ct" : "e08261e46eaf90d978ea8f7889bccd4f", + "tag" : "c052a55df3926a50990a532efe3d80ec", + "result" : 
"acceptable", + "flags" : [ + "SmallIv" + ] + } + ] + }, + { + "ivSize" : 64, + "keySize" : 192, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 245, + "comment" : "small IV sizes", + "key" : "d74599b3d2db81653de43b52fc994c50d0be759fab87c33a", + "iv" : "d1c61cf8532531b5", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "f94f2049a6560c470b3a7ca7bbc31a3d", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + }, + { + "tcId" : 246, + "comment" : "small IV sizes", + "key" : "0b177198c8b419bf74acc3bc65b5fb3d09a915ff71add754", + "iv" : "8f075cbcda9831c3", + "aad" : "", + "msg" : "c4b1e05ca3d591f9543e64de3fc682ac", + "ct" : "3c6ec0ab1b827bf238a5384fb7e212ce", + "tag" : "7db7402224fd583e312bc0e61cf11366", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + } + ] + }, + { + "ivSize" : 8, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 247, + "comment" : "small IV sizes", + "key" : "8f9a38c1014966e4d9ae736139c5e79b99345874f42d4c7d2c81aa6797c417c0", + "iv" : "a9", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "2a268bf3a75fd7b00ba230b904bbb014", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + }, + { + "tcId" : 248, + "comment" : "small IV sizes", + "key" : "144cd8279229e8bb2de99d24e615306663913fe9177fcd270fafec493d43bca1", + "iv" : "b3", + "aad" : "", + "msg" : "976229f5538f9636476d69f0c328e29d", + "ct" : "7bea30ecc2f73f8e121263b37966954c", + "tag" : "8bbad4adc54b37a2b2f0f6e8617548c9", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + } + ] + }, + { + "ivSize" : 16, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 249, + "comment" : "small IV sizes", + "key" : "7d31861f9d3536e14016a3216b1042e0d2f7d4614314268b6f834ec7f38bbb65", + "iv" : "c332", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "1d978a693120c11f6d51a3ed88cd4ace", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + }, + { + "tcId" : 250, + "comment" : "small IV 
sizes", + "key" : "22b35fe9623ee11f8b60b6d22db3765b666ed972fa7ccd92b45f22deee02cab1", + "iv" : "da6c", + "aad" : "", + "msg" : "5341c78e4ce5bf8fbc3e077d1990dd5d", + "ct" : "9c39f5b110361e9a770cc5e8b0f444bb", + "tag" : "b63ff43c12073ec5572b1be70f17e231", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + } + ] + }, + { + "ivSize" : 32, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 251, + "comment" : "small IV sizes", + "key" : "c224e0bba3d7a99165f7996b67a0fce3e12f2c01179b197b69b7e628bca92096", + "iv" : "6b30145e", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "ae6f7c9a29f0d8204ca50b14a1e0dcf2", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + }, + { + "tcId" : 252, + "comment" : "small IV sizes", + "key" : "093eb12343537ee8e91c1f715b862603f8daf9d4e1d7d67212a9d68e5aac9358", + "iv" : "5110604c", + "aad" : "", + "msg" : "33efb58c91e8c70271870ec00fe2e202", + "ct" : "f73f72f976a296ba3ca94bc6eb08cd46", + "tag" : "b824c33c13f289429659aa017c632f71", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + } + ] + }, + { + "ivSize" : 48, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 253, + "comment" : "small IV sizes", + "key" : "98e6f8ab673e804e865e32403a6551bf807a959343c60d34559360bc295ecb5b", + "iv" : "d4d857510888", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "3db16725fafc828d414ab61c16a6c38f", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + }, + { + "tcId" : 254, + "comment" : "small IV sizes", + "key" : "0bd0e8e7781166e1d876dec8fad34ba95b032a27cac0551595116091005947b7", + "iv" : "1bdcd44b663e", + "aad" : "", + "msg" : "91222263b12cf5616a049cbe29ab9b5b", + "ct" : "ed463f4f43336af3f4d7e08770201145", + "tag" : "c8fc39906aca0c64e14a43ff750abd8a", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + } + ] + }, + { + "ivSize" : 64, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 255, + "comment" : 
"small IV sizes", + "key" : "61ba694897925d1b4174d40401469c3ef267cdb9f829edb1a10618c16d666059", + "iv" : "0d10c5c84b88d688", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "1311f9f830d729c189b74ec4f9080fa1", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + }, + { + "tcId" : 256, + "comment" : "small IV sizes", + "key" : "115884f693b155563e9bfb3b07cacb2f7f7caa9bfe51f89e23feb5a9468bfdd0", + "iv" : "04102199ef21e1df", + "aad" : "", + "msg" : "82e3e604d2be8fcab74f638d1e70f24c", + "ct" : "7e0dd6c72aec49f89cc6a80060c0b170", + "tag" : "af68a37cfefecc4ab99ba50a5353edca", + "result" : "acceptable", + "flags" : [ + "SmallIv" + ] + } + ] + } + ] +} diff --git a/rust/tests/wycheproof/chacha20_poly1305_test.json b/rust/tests/wycheproof/chacha20_poly1305_test.json new file mode 100644 index 00000000..49ebedc9 --- /dev/null +++ b/rust/tests/wycheproof/chacha20_poly1305_test.json 
@@ -0,0 +1,3679 @@ +{ + "algorithm" : "CHACHA20-POLY1305", + "generatorVersion" : "0.8r12", + "numberOfTests" : 300, + "header" : [ + "Test vectors of type AeadTest test authenticated encryption with", + "additional data. The test vectors are intended for testing both", + "encryption and decryption." + ], + "notes" : { + }, + "schema" : "aead_test_schema.json", + "testGroups" : [ + { + "ivSize" : 96, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 1, + "comment" : "RFC 7539", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "070000004041424344454647", + "aad" : "50515253c0c1c2c3c4c5c6c7", + "msg" : "4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e", + "ct" : "d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b6116", + "tag" : "1ae10b594f09e26a7e902ecbd0600691", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 2, + "comment" : "", + "key" : "80ba3192c803ce965ea371d5ff073cf0f43b6a2ab576b208426e11409c09b9b0", + "iv" : "4da5bf8dfd5852c1ea12379d", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "76acb342cf3166a5b63c0c0ea1383c8d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 3, + "comment" : "", + "key" : "7a4cd759172e02eb204db2c3f5c746227df584fc1345196391dbb9577a250742", + "iv" : "a92ef0ac991dd516a3c6f689", + "aad" : "bd506764f2d2c410", + "msg" : "", + "ct" : "", + "tag" : "906fa6284b52f87b7359cbaa7563c709", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 4, + "comment" : "", + "key" : "cc56b680552eb75008f5484b4cb803fa5063ebd6eab91f6ab6aef4916a766273", + "iv" : "99e23ec48985bccdeeab60f1", + "aad" : "", + "msg" : 
"2a", + "ct" : "3a", + "tag" : "cac27dec0968801e9f6eded69d807522", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 5, + "comment" : "", + "key" : "46f0254965f769d52bdb4a70b443199f8ef207520d1220c55e4b70f0fda620ee", + "iv" : "ab0dca716ee051d2782f4403", + "aad" : "91ca6c592cbcca53", + "msg" : "51", + "ct" : "c4", + "tag" : "168310ca45b1f7c66cad4e99e43f72b9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 6, + "comment" : "", + "key" : "2f7f7e4f592bb389194989743507bf3ee9cbde1786b6695fe6c025fd9ba4c100", + "iv" : "461af122e9f2e0347e03f2db", + "aad" : "", + "msg" : "5c60", + "ct" : "4d13", + "tag" : "91e8b61efb39c122195453077b22e5e2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 7, + "comment" : "", + "key" : "c8833dce5ea9f248aa2030eacfe72bffe69a620caf793344e5718fe0d7ab1a58", + "iv" : "61546ba5f1720590b6040ac6", + "aad" : "88364fc8060518bf", + "msg" : "ddf2", + "ct" : "b60d", + "tag" : "ead0fd4697ec2e5558237719d02437a2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 8, + "comment" : "", + "key" : "bd8ed7fb0d607522f04d0b12d42c92570bccc5ba2486953d70ba2e8193f6225a", + "iv" : "d2ab0abb50a8e9fba25429e1", + "aad" : "", + "msg" : "201221", + "ct" : "3cf470", + "tag" : "a27a69c9d7ee84586f11388c6884e63a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 9, + "comment" : "", + "key" : "1c8b59b17a5ceced31bde97d4cefd9aaaa63362e096e863ec1c89580bca79b7a", + "iv" : "94f32a6dff588f2b5a2ead45", + "aad" : "6c8cf2ab3820b695", + "msg" : "453f95", + "ct" : "610925", + "tag" : "a8a7883eb7e40bc40e2e5922ae95ddc3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 10, + "comment" : "", + "key" : "e4912cb75a1174345f1a457366f18885fe8460b06478e04be2f7fb4ec9c113e5", + "iv" : "7aa5ad8bf5254762171ec869", + "aad" : "", + "msg" : "9e4c1d03", + "ct" : "fe6849aa", + "tag" : "99ad07871b25c27defc31a541bd5c418", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 11, + "comment" : "", + "key" : 
"e05777ef3d989ace7d2abfba452bfded54801dbd5c66e91c0c2ef00479d85572", + "iv" : "b7f526e3fd71cf5720961aec", + "aad" : "15d93a96d0e6c5a9", + "msg" : "17bfda03", + "ct" : "f4710e51", + "tag" : "b957c6a37b6a4c94996c002186d63b2b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 12, + "comment" : "", + "key" : "1a4c4f39abe890e62345c947bcf7de7c2e33bd5ceeda0a0abf0e7ef935ddf3ee", + "iv" : "9447bf85d5b97d8aee0f8e51", + "aad" : "", + "msg" : "c15a593bd0", + "ct" : "f711647ff1", + "tag" : "22b12dc38cb79629f84cdbdc2425c09d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 13, + "comment" : "", + "key" : "800e9a24791700c9609736695ba2a8b99b2d57f1c3bfb61ed49db1c6c5219583", + "iv" : "3dbe876bd880ec8ea2017043", + "aad" : "96224835610b782b", + "msg" : "a7bfd041e3", + "ct" : "d171f046ea", + "tag" : "d179b1b9c4184378df009019dbb8c249", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 14, + "comment" : "", + "key" : "208c2c376c9430433db20e1a6b7ba817f8ffbfa6827f26759ccede42e591d3ec", + "iv" : "27fb58ec6a21e84696cb8830", + "aad" : "", + "msg" : "af104b5ccd0e", + "ct" : "9351b1b1b082", + "tag" : "560785509f60f26b681933d9cdbfd29f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 15, + "comment" : "", + "key" : "2eb168e53b07ab04355ea792fe11a6be2ce9c39cfe15a997076b1e38c17ad620", + "iv" : "b5965470c383fd29fe7eaee7", + "aad" : "6d52feb2509f7fbf", + "msg" : "6fdf2927e169", + "ct" : "41abff7b71cc", + "tag" : "9b5174297c03cf8902d1f706fd008902", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 16, + "comment" : "", + "key" : "55568158d3a6483f1f7021eab69b703f614251cadc1af5d34a374fdbfc5adac7", + "iv" : "3c4e654d663fa4596dc55bb7", + "aad" : "", + "msg" : "ab85e9c1571731", + "ct" : "5dfe3440dbb3c3", + "tag" : "ed7a434e2602d394281e0afa9fb7aa42", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 17, + "comment" : "", + "key" : "e3c09e7fab1aefb516da6a33022a1dd4eb272c80d540c5da52a730f34d840d7f", + "iv" : "58389375c69ee398de948396", + "aad" : 
"84e46be8c0919053", + "msg" : "4ee5cda20d4290", + "ct" : "4bd47212941ce3", + "tag" : "185f1408ee7fbf18f5abad6e2253a1ba", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 18, + "comment" : "", + "key" : "51e4bf2bad92b7aff1a4bc05550ba81df4b96fabf41c12c7b00e60e48db7e152", + "iv" : "4f07afedfdc3b6c2361823d3", + "aad" : "", + "msg" : "be3308f72a2c6aed", + "ct" : "8e9439a56eeec817", + "tag" : "fbe8a6ed8fabb1937539dd6c00e90021", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 19, + "comment" : "", + "key" : "1131c1418577a054de7a4ac551950f1a053f9ae46e5b75fe4abd5608d7cddadd", + "iv" : "b4ea666ee119563366484a78", + "aad" : "66c0ae70076cb14d", + "msg" : "a4c9c2801b71f7df", + "ct" : "b9b910433af052b0", + "tag" : "4530f51aeee024e0a445a6328fa67a18", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 20, + "comment" : "", + "key" : "e1094967f86d893cdfe2e2e6d5c7ee4dfef67da3c9c5d64e6ad7c1577dcb38c5", + "iv" : "8092fc245b3326cddbd1424c", + "aad" : "", + "msg" : "c37aa791ddd6accf91", + "ct" : "d9d897a9c1c5bb9f01", + "tag" : "085a430373058f1a12a0d589fd5be68b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 21, + "comment" : "", + "key" : "236f9baee4f9da15beeca40ff4af7c760f254a64bc3a3d7f4fad557e61b68586", + "iv" : "f1ca81338629587acf9372bf", + "aad" : "8c32f47a386152ec", + "msg" : "d7f26d5252e1765f5b", + "ct" : "8fdb429d47761cbf8e", + "tag" : "8ef647ed334fdebbc2bef80be02884e0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 22, + "comment" : "", + "key" : "4de207a3b70c51e5f23048eed5a5da9bb65e917a69aa93e7c8b4a815cd9724de", + "iv" : "4c15a71dc6791a8c005ad502", + "aad" : "", + "msg" : "f2c54b6b5e490da18659", + "ct" : "700d35adf5100a22a1de", + "tag" : "102d992ffaff599b5bddddeb2dfb399b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 23, + "comment" : "", + "key" : "6d667fd79e5fb725f50343dccc4863227c75ee3f7a578476e3e9f32598d81559", + "iv" : "6220527aba88e27f766658b2", + "aad" : "e1e27ccddb3cb407", + "msg" : "0c8c5a252681f2b5b4c0", + "ct" 
: "04aad66c60e0bf8ebba9", + "tag" : "c15f69a4d2aef97d7748756ff49d894b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 24, + "comment" : "", + "key" : "8f4bd94ef73e75d1e068c30b37ead576c5344e093ece1330e9101c82f793cf05", + "iv" : "ec1e2967f0f6979e5f5b07fb", + "aad" : "", + "msg" : "b89812b34d9bced4a0ba07", + "ct" : "1c3d53baaa36eaa1d8ec4d", + "tag" : "4d94ebf960f12433bec43aa86d7e6e6d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 25, + "comment" : "", + "key" : "2aa3bc7033351cac51364cdaf6ffac2c20f64046e1550a7b1c65f41800599019", + "iv" : "28cce57a5db2cd206321e340", + "aad" : "a9bc350eaf2e6e3d", + "msg" : "83016823123484b56095b0", + "ct" : "1c8578f8e75203d0336a52", + "tag" : "5910f7a9d5e4df05d7248bd7a8d65e63", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 26, + "comment" : "", + "key" : "99b62bd5afbe3fb015bde93f0abf483957a1c3eb3ca59cb50b39f7f8a9cc51be", + "iv" : "9a59fce26df0005e07538656", + "aad" : "", + "msg" : "42baae5978feaf5c368d14e0", + "ct" : "ff7dc203b26c467a6b50db33", + "tag" : "578c0f2758c2e14e36d4fc106dcb29b4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 27, + "comment" : "", + "key" : "85f35b6282cff440bc1020c8136ff27031110fa63ec16f1e825118b006b91257", + "iv" : "58dbd4ad2c4ad35dd906e9ce", + "aad" : "a506e1a5c69093f9", + "msg" : "fdc85b94a4b2a6b759b1a0da", + "ct" : "9f8816de0994e938d9e53f95", + "tag" : "d086fc6c9d8fa915fd8423a7cf05072f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 28, + "comment" : "", + "key" : "faf4bfe8019a891c74901b17f4f48cee5cd065d55fdea60118aaf6c4319a0ea5", + "iv" : "b776c3fddba7c81362ce6e1b", + "aad" : "", + "msg" : "8dadff8d60c8e88f604f274833", + "ct" : "e6b33a74a4ac443bd93f9c1b94", + "tag" : "0c115172bdb02bbad3130fff22790d60", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 29, + "comment" : "", + "key" : "841020d1606edcfc536abfb1a638a7b958e21efc10c386ac45a18493450afd5f", + "iv" : "6d62f159731b140eb18ce074", + "aad" : "5a8e1c7aa39810d5", + "msg" : 
"d6af138f701b801e60c85ffd5c", + "ct" : "b0a7500aca45bb15f01ece4389", + "tag" : "0160e83adbec7f6a2ee2ff0215f9ef00", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 30, + "comment" : "", + "key" : "470f9ce3d2250bd60cbbefdb2e6a1178c012299b5590639c7797b6024fa703d8", + "iv" : "a9ea4d619fe405d04cba7d7a", + "aad" : "", + "msg" : "6ca67dd023fba6507b9f9a1f667e", + "ct" : "d3017e0bb1705b380b34cc333450", + "tag" : "5708e72ca2bd354f487f82f67fbc3acb", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 31, + "comment" : "", + "key" : "e4b97e91e4c8e85eb7ce0a7f30bf8a0abf4468251e4c6386c0e7aacb8e879aa8", + "iv" : "0e23c942a0c9fb526586eead", + "aad" : "eaaaeab26957f9a1", + "msg" : "b84b3f74cd23064bb426fe2ced2b", + "ct" : "52e9672b416d84d97033796072d0", + "tag" : "e83839dc1fd9b8b9d1444c40e488d493", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 32, + "comment" : "", + "key" : "67119627bd988eda906219e08c0d0d779a07d208ce8a4fe0709af755eeec6dcb", + "iv" : "68ab7fdbf61901dad461d23c", + "aad" : "", + "msg" : "51f8c1f731ea14acdb210a6d973e07", + "ct" : "0b29638e1fbdd6df53970be2210042", + "tag" : "2a9134087d67a46e79178d0a93f5e1d2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 33, + "comment" : "", + "key" : "e6f1118d41e4b43fb58221b7ed79673834e0d8ac5c4fa60bbc8bc4893a58894d", + "iv" : "d95b3243afaef714c5035b6a", + "aad" : "6453a53384632212", + "msg" : "97469da667d6110f9cbda1d1a20673", + "ct" : "32db66c4a3819d81557455e5980fed", + "tag" : "feae30dec94e6ad3a9eea06a0d703917", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 34, + "comment" : "", + "key" : "59d4eafb4de0cfc7d3db99a8f54b15d7b39f0acc8da69763b019c1699f87674a", + "iv" : "2fcb1b38a99e71b84740ad9b", + "aad" : "", + "msg" : "549b365af913f3b081131ccb6b825588", + "ct" : "e9110e9f56ab3ca483500ceabab67a13", + "tag" : "836ccabf15a6a22a51c1071cfa68fa0c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 35, + "comment" : "", + "key" : 
"b907a45075513fe8a8019edee3f2591487b2a030b03c6e1d771c862571d2ea1e", + "iv" : "118a6964c2d3e380071f5266", + "aad" : "034585621af8d7ff", + "msg" : "55a465644f5b650928cbee7c063214d6", + "ct" : "e4b113cb775945f3d3a8ae9ec141c00c", + "tag" : "7c43f16ce096d0dc27c95849dc383b7d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 36, + "comment" : "", + "key" : "3b2458d8176e1621c0cc24c0c0e24c1e80d72f7ee9149a4b166176629616d011", + "iv" : "45aaa3e5d16d2d42dc03445d", + "aad" : "", + "msg" : "3ff1514b1c503915918f0c0c31094a6e1f", + "ct" : "02cc3acb5ee1fcdd12a03bb857976474d3", + "tag" : "d83b7463a2c3800fe958c28eaa290813", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 37, + "comment" : "", + "key" : "f60c6a1b625725f76c7037b48fe3577fa7f7b87b1bd5a982176d182306ffb870", + "iv" : "f0384fb876121410633d993d", + "aad" : "9aaf299eeea78f79", + "msg" : "63858ca3e2ce69887b578a3c167b421c9c", + "ct" : "35766488d2bc7c2b8d17cbbb9abfad9e6d", + "tag" : "1f391e657b2738dda08448cba2811ceb", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 38, + "comment" : "", + "key" : "37ceb574ccb0b701dd11369388ca27101732339f49d8d908ace4b23af0b7ce89", + "iv" : "37270b368f6b1e3e2ca51744", + "aad" : "", + "msg" : "f26991537257378151f4776aad28ae8bd16b", + "ct" : "b621d76a8dacff00b3f840cdf26c894cc5d1", + "tag" : "e0a21716ed94c0382fa9b0903d15bb68", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 39, + "comment" : "", + "key" : "68888361919bc10622f45df168e5f6a03bd8e884c0611bea2f34c1882ed9832b", + "iv" : "bfd6ff40f2df8ca7845980cc", + "aad" : "b8373438ddb2d6c3", + "msg" : "ff97f2eefb3401ac31fc8dc1590d1a92cbc1", + "ct" : "e0a745186c1a7b147f74faff2a715df5c19d", + "tag" : "917baf703e355d4d950e6c05fe8f349f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 40, + "comment" : "", + "key" : "1b35b856b5a86d3403d28fc2103a631d42deca5175cdb0669a5e5d90b2caafc5", + "iv" : "2343de88be6c7196d33b8694", + "aad" : "", + "msg" : "21ef185c3ae9a96fa5eb473878f4d0b242781d", + "ct" : 
"d6e0ed54fccef30bd605d72da3320e249a9cb5", + "tag" : "c68bc6724ec803c43984ce42f6bd09ff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 41, + "comment" : "", + "key" : "d6484e3973f6be8c83ed3208d5be5cfa06fda72fbfdc5b19d09be3f4e4eba29d", + "iv" : "1af1d90e877e11a496efa3df", + "aad" : "cc4efd8364fb114a", + "msg" : "7335ab04b03e706109ec3ee835db9a246ea0ad", + "ct" : "29e54d608237c3c3609dba16e6edf43842d72f", + "tag" : "d3365fdcd506aaaa5368661e80e9d99b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 42, + "comment" : "", + "key" : "422add37849d6e4c3dfd8020dc6a07e8a249788f3d6a83b9cb4d802362c97542", + "iv" : "1e7e67be948de7352ffdb727", + "aad" : "", + "msg" : "d7f5e611dd3a2750fb843fc1b6b93087310dc87d", + "ct" : "7fe606652d858f595ec2e706754fa3d933fcc834", + "tag" : "78d59235aa5d03a4c32590e590c04d22", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 43, + "comment" : "", + "key" : "cdccfe3f46d782ef47df4e72f0c02d9c7f774def970d23486f11a57f54247f17", + "iv" : "376187894605a8d45e30de51", + "aad" : "956846a209e087ed", + "msg" : "e28e0e9f9d22463ac0e42639b530f42102fded75", + "ct" : "14f707c446988a4903775ec7acec6da114d43112", + "tag" : "987d4b147c490d43d376a198cab383f0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 44, + "comment" : "", + "key" : "e79dfc6d2fc465b8439e1c5baccb5d8ef2853899fc19753b397e6c25b35e977e", + "iv" : "f9d6320d7ce51d8ed0677d3a", + "aad" : "", + "msg" : "4f543e7938d1b878dacaeec81dce4899974816813b", + "ct" : "1003f13ea1329cbb187316f64c3ff3a87cf5b96661", + "tag" : "d2323ad625094bec84790d7958d5583f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 45, + "comment" : "", + "key" : "1d7b8f1d96a1424923aef8a984869d4a777a110990ba465627acf80396c7f376", + "iv" : "50ba1962cdc32a5a2d36e640", + "aad" : "093053e20261daab", + "msg" : "5d3efd5767f3c12efd08af9a44e028ae68c9eff843", + "ct" : "2d48b0834e9ffe3046103ef7a214f02e8e4d33360e", + "tag" : "d533ad089be229ea606ec0f3fa22eb33", + "result" : "valid", + "flags" : [] + }, + { + "tcId" 
: 46, + "comment" : "", + "key" : "dd433e28cfbcb5de4ab36a02bf38686d83208771a0e63dcd08b4df1a07ac47a1", + "iv" : "c9cc0a1afc38ec6c30c38c68", + "aad" : "", + "msg" : "8a3e17aba9606dd49e3b1a4d9e5e42f1742373632489", + "ct" : "e9917ff3e64bbe1783579375e75ea823976b35539949", + "tag" : "074a890669b25105434c75beed3248db", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 47, + "comment" : "", + "key" : "a60924101b42ac24154a88de42142b2334cf599176caf4d1226f712dd9172930", + "iv" : "8ba77644b08d65d5e9f31942", + "aad" : "b2a4e12a19a61c75", + "msg" : "c949957e66439deee4b2ac1d4a6c98a6c527b90f52ab", + "ct" : "db4c700513818972b0dc0e531b1c281ca03e40c60dea", + "tag" : "63f4478bba2af469a7a4dc3b4f141360", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 48, + "comment" : "", + "key" : "1aa42027836965b1e6086fa137f9cf7f1ff48676696829bd281ff81c8ea0a4a9", + "iv" : "4b3dca84ecc407f424f281a9", + "aad" : "", + "msg" : "37252a3eb5c8960f0567e503a9035783b3d0a19a4b9a47", + "ct" : "b5f14617491fc923b683e2cc9562d043dd5986b97dbdbd", + "tag" : "972ce54713c05c4bb4d088c0a30cacd3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 49, + "comment" : "", + "key" : "5d40db0cc18ef2e42815d3b6245a466a0b30a0f93e318ac10edde3bf8ad98160", + "iv" : "acad618039b317470d21621b", + "aad" : "413036411af75745", + "msg" : "959dde1ef3129b27702c558849e466f2baca1a45bdf4b2", + "ct" : "b7ca3879f95140bf6a97b3212218b7bf864a51e5bb0b3e", + "tag" : "fe558fb570145470ea693eb76eb73171", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 50, + "comment" : "", + "key" : "0212a8de5007ed87b33f1a7090b6114f9e08cefd9607f2c276bdcfdbc5ce9cd7", + "iv" : "e6b1adf2fd58a8762c65f31b", + "aad" : "", + "msg" : "10f1ecf9c60584665d9ae5efe279e7f7377eea6916d2b111", + "ct" : "42f26c56cb4be21d9d8d0c80fc99dde00d75f38074bfe764", + "tag" : "54aa7e13d48fff7d7557039457040a3a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 51, + "comment" : "", + "key" : "c5bc09565646e7edda954f1f739223dada20b95c44ab033d0fae4b0283d18be3", + 
"iv" : "6b282ebecc541bcd7834ed55", + "aad" : "3e8bc5ade182ff08", + "msg" : "9222f9018e54fd6de1200806a9ee8e4cc904d29f25cba193", + "ct" : "123032437b4bfd6920e8f7e7e0087ae4889ebe7a0ad0e900", + "tag" : "3cf68f179550da63d3b96c2d55411865", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 52, + "comment" : "", + "key" : "9460b3c44ed86e70f3bda66385e1ca10b0c1677ef4f1360532830d17535f996f", + "iv" : "abfaf42e0dba884efcf07823", + "aad" : "", + "msg" : "5c5cce881b93fb7a1b7939af1ffc5f84d3280ada778cca0953", + "ct" : "1d218c9f1f9f02f248a6f976a7557057f37d9393d9f213c1f3", + "tag" : "bc88344c6fdc898feed394fb28511316", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 53, + "comment" : "", + "key" : "c111d6d5d78a071b15ab37cc8c3819199387ab7c1933aa97b1489f6584ba8e2a", + "iv" : "85f18ad8ff72cafee2452ab8", + "aad" : "84cdff939391c022", + "msg" : "6989c646a10b7c76f4d9f7d574da40e152013cf0dd78f5aa8a", + "ct" : "9715d344e8d3f3a3eaa98a9cea57c0cd717c6ef5076027c9ec", + "tag" : "3056ff5ee0aa8636bb639984edb5236b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 54, + "comment" : "", + "key" : "8a1b1e699a0c4a3e610b10902daedab1bf1ea0d505c47d7842cbcee0d3b1b6e6", + "iv" : "a6f9a8d335fa84c3b27dcd2a", + "aad" : "", + "msg" : "ee6a15fc183108f0877e7f2b8a9615f4b3fc36e1c83440f66aad", + "ct" : "9089bbdb8bcfd124e227bf75c4bfe1cba2004a274fc31aa32358", + "tag" : "fd2e21c64a019621c68594826cd7b1cd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 55, + "comment" : "", + "key" : "74b384e6e013ec4172ed7a28a10fb9bb79b4be2a24f6999e3d3caa28e64a8656", + "iv" : "ebc19fc9ecb2339908ea3836", + "aad" : "85073f2edc13d3a1", + "msg" : "3aa9f7372f056e5a0729752d9a37132d6dd07c56792e1c7582a9", + "ct" : "796ffb70ab43e7fa79f95583e384524727bb3e47fc45b969f714", + "tag" : "c3322b4445de5f3c9f18dcc847cc94c3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 56, + "comment" : "", + "key" : "77d824795d2029f0eb0e0baab5cfeb32f7e93474913a7f95c737a667a3c33314", + "iv" : "f3307430f492d2b8a72d3a81", + "aad" 
: "", + "msg" : "0c4179a497d8fdd72796fb725692b805d63b7c718359cf10518aee", + "ct" : "49c81d17d67d7ba9954f497d0b0ddc21f3f839c9d2cc198d30bc2c", + "tag" : "50009899e5b2a9726c8f3556cadfbe84", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 57, + "comment" : "", + "key" : "bec5eac68f893951cbd7d1ecd3ee6611130dd9c3f80cddf95111d07d5edd76d1", + "iv" : "342ada4f0c115124b222df80", + "aad" : "73365f6d80edb1d8", + "msg" : "481433d8b1cd38af4a750e13a64b7a4e8507682b3517595938a20e", + "ct" : "4c129fc13cbdd9d3fe81ac755bf4fbea2fdd7e0aca0505a6ee9637", + "tag" : "9cede1d30a03db5d55265d3648bc40d4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 58, + "comment" : "", + "key" : "a59c1e13064df8f2b8df77a492b0ca2eae921b52a84b305a3a9a51408a9ecb69", + "iv" : "9544d41ece0c92ef01cfac2d", + "aad" : "", + "msg" : "1c35b898821ba55c2617c25df9e6df2a8002b384902186cd69dfd20e", + "ct" : "a6fa8f57ddc81d6099f667dd62402b6a5d5b7d05a329298029113169", + "tag" : "bb24e38b31dbbc3e575b9e3ee076af2a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 59, + "comment" : "", + "key" : "084b5d7365f1a8fec6365939ed741e6ea5893e0318d82ab47500a97d77aaa041", + "iv" : "829f005e980f0a6e2f983eaa", + "aad" : "770f6e6e89a3fe8e", + "msg" : "7510016efadc385a71ed689ceb590c8ea9cc1e81b793338bddf5f10c", + "ct" : "fd42cb5cf894f879e3cf751662aaa58a2288cc53548802becaf42359", + "tag" : "188329438afe1cd7225d0478aa90c773", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 60, + "comment" : "", + "key" : "5a7f850a1d9aafa77d59ae1b731965e8aaec6352280fc76a7b5e23ef3610cfe4", + "iv" : "4946a0d6adea93b82d4332e5", + "aad" : "", + "msg" : "3c161d791f624fb0388e808f0f69ed790dbe4cbd089ebac46627bcf01d", + "ct" : "402302b56140c4dcc39774732c55883de124ce4bf0a0261cfa1569e2cf", + "tag" : "e830bfe933a96786cff2dd72b82c4bd5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 61, + "comment" : "", + "key" : "e6d5a4246f6f05618b59c8f9ec3ac8068cc0d3f351c571aa52b09cb251f9c2f6", + "iv" : "2f90a65e9e48725de6ffc727", + "aad" : 
"f2415377ad283fd8", + "msg" : "964fc9e0e8355947aa1c2caadd7b3dbef82a1024e623606fac436ef573", + "ct" : "d052932bad6e6c4f835f02019e52d7ff807dc2a5aac2040883c79dd3d5", + "tag" : "655f93396b4d755dc4475721665fed91", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 62, + "comment" : "", + "key" : "09e822123adbb1ed89b79a58619c64853992f8371d46338712f6c91ab11a68bb", + "iv" : "a797205a6cacdd7e47a4789d", + "aad" : "", + "msg" : "80b71bbe833629841bd3aeaeb9db6123e51d367b436fe9d2d3454b62cfad", + "ct" : "83f5c77396cabd28dfcc002cba0756d4ea5455e0261d847d5708aac21e8d", + "tag" : "705a05820a21f381d244d40e58d2f16b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 63, + "comment" : "", + "key" : "625735fe7f8fc81b0c1edc3d08a78b41268f87a3c68488b674222630c1d587a5", + "iv" : "9d8cdf289dddd09afdc1b02f", + "aad" : "200a9c95946ff05c", + "msg" : "67ae1882d0b1c1b2485bec98115ecf53b9b438deb1d0400531705038873a", + "ct" : "209b7539385c8b19ecd0fd8b5011b2996e316f1942064e68edfa363acbcd", + "tag" : "fa2f454b9fa2608f780f7c6f9b780fe1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 64, + "comment" : "", + "key" : "2eb51c469aa8eb9e6c54a8349bae50a20f0e382711bba1152c424f03b6671d71", + "iv" : "04a9be03508a5f31371a6fd2", + "aad" : "", + "msg" : "b053999286a2824f42cc8c203ab24e2c97a685adcc2ad32662558e55a5c729", + "ct" : "45c7d6b53acad4abb68876a6e96a48fb59524d2c92c9d8a189c9fd2db91746", + "tag" : "566d3ca10e311b695f3eae1551652493", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 65, + "comment" : "", + "key" : "7f5b74c07ed1b40fd14358fe2ff2a740c116c7706510e6a437f19ea49911cec4", + "iv" : "470a339ecb3219b8b81a1f8b", + "aad" : "374618a06ea98a48", + "msg" : "f45206abc25552b2abc9ab7fa243035fedaaddc3b2293956f1ea6e7156e7eb", + "ct" : "46a80c4187024720084627580080dde5a3f4a11093a7076ed6f3d326bc7b70", + "tag" : "534d4aa2835a52e72d14df0e4f47f25f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 66, + "comment" : "", + "key" : 
"e1731d5854e1b70cb3ffe8b786a2b3ebf0994370954757b9dc8c7bc5354634a3", + "iv" : "72cfd90ef3026ca22b7e6e6a", + "aad" : "", + "msg" : "b9c554cbc36ac18ae897df7beecac1dbeb4eafa156bb60ce2e5d48f05715e678", + "ct" : "ea29afa49d36e8760f5fe19723b9811ed5d519934a440f5081ac430b953b0e21", + "tag" : "222541af46b86533c6b68d2ff108a7ea", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 67, + "comment" : "", + "key" : "27d860631b0485a410702fea61bc873f3442260caded4abde25b786a2d97f145", + "iv" : "262880d475f3dac5340dd1b8", + "aad" : "2333e5ce0f93b059", + "msg" : "6b2604996cd30c14a13a5257ed6cffd3bc5e29d6b97eb1799eb335e281ea451e", + "ct" : "6dad637897544d8bf6be9507ed4d1bb2e954bc427e5de729daf50762846ff2f4", + "tag" : "7b997d93c982189d7095dc794c746232", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 68, + "comment" : "", + "key" : "5155dee9aade1cc61ee7e3f92660f7590f5e5ba82f1b59b850e3fa453d2fa6b3", + "iv" : "c26c4b3bfdb97ee6b0f63ca1", + "aad" : "", + "msg" : "2734e08eff8f5c4f84fa0c207f49c7fd78af1ad5123ff81f83f500edf4eda09edf", + "ct" : "f5982b601c7a18fc72a65b218c44974dc564d8314cbe6f87fcf6c6cfbe618b34b1", + "tag" : "c43632f55760b5d1ed37556a94d049b5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 69, + "comment" : "", + "key" : "573f08ebbe0cce4ac9618e8c3b224bea0a32f055c6996838a32f527ca3c3b695", + "iv" : "ad8050dc6d122dce3e5639ed", + "aad" : "e99698241c599b5f", + "msg" : "668d5e3f95fe030daf432a5fc5837af3a79c81e94b28d8204c5ee262ab3c9908a7", + "ct" : "eaf6810e6ec1cb7a2918856257d1aa3d51a827879146c6337ecf535e9c89b149c5", + "tag" : "a2950c2f394a3466c345f796323c1aa7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 70, + "comment" : "", + "key" : "cf0d40a4644e5f51815165d5301b22631f4544c49a1878e3a0a5e8e1aae0f264", + "iv" : "e74a515e7e2102b90bef55d2", + "aad" : "", + "msg" : "973d0c753826bae466cf9abb3493152e9de7819e2bd0c71171346b4d2cebf8041aa3cedc0dfd7b467e26228bc86c9a", + "ct" : 
"fba78ae4f9d808a62e3da40be2cb7700c3613d9eb2c529c652e76a432c658d27095f0eb8f940c324981ea935e507f9", + "tag" : "8f046956db3a512908bd7afc8f2ab0a9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 71, + "comment" : "", + "key" : "6cbfd71c645d184cf5d23c402bdb0d25ec54898c8a0273d42eb5be109fdcb2ac", + "iv" : "d4d807341683825b31cd4d95", + "aad" : "b3e4064683b02d84", + "msg" : "a98995504df16f748bfb7785ff91eeb3b660ea9ed3450c3d5e7b0e79ef653659a9978d75542ef91c456762215640b9", + "ct" : "a1ffed80761829ecce242e0e88b138049016bca018da2b6e19986b3e318cae8d806198fb4c527cc39350ebddeac573", + "tag" : "c4cbf0befda0b70242c640d7cd02d7a3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 72, + "comment" : "", + "key" : "5b1d1035c0b17ee0b0444767f80a25b8c1b741f4b50a4d3052226baa1c6fb701", + "iv" : "d61040a313ed492823cc065b", + "aad" : "", + "msg" : "d096803181beef9e008ff85d5ddc38ddacf0f09ee5f7e07f1e4079cb64d0dc8f5e6711cd4921a7887de76e2678fdc67618f1185586bfea9d4c685d50e4bb9a82", + "ct" : "9a4ef22b181677b5755c08f747c0f8d8e8d4c18a9cc2405c12bb51bb1872c8e8b877678bec442cfcbb0ff464a64b74332cf072898c7e0eddf6232ea6e27efe50", + "tag" : "9ff3427a0f32fa566d9ca0a78aefc013", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 73, + "comment" : "", + "key" : "97d635c4f47574d9998a90875da1d3a284b755b2d39297a5725235190e10a97e", + "iv" : "d31c21aba175b70de4ebb19c", + "aad" : "7193f623663321a2", + "msg" : "94ee166d6d6ecf8832437136b4ae805d428864359586d9193a25016293edba443c58e07e7b7195ec5bd84582a9d56c8d4a108c7d7ce34e6c6f8ea1bec0567317", + "ct" : "5fbbdecc34be201614f636031eeb42f1cace3c79a12cffd871ee8e73820c829749f1abb4294367849fb6c2aa56bda8a3078f723d7c1c852024b017b58973fb1e", + "tag" : "09263da7b4cb921452f97dca40f580ec", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 74, + "comment" : "", + "key" : "fe6e55bdaed1f7284ca5fc0f8c5f2b8df56dc0f49e8ca66a41995e783351f901", + "iv" : "17c86a8abbb7e003acde2799", + "aad" : "", + "msg" : 
"b429eb80fb8fe8baeda0c85b9c333458e7c2992e558475069d12d45c22217564121588032297eff56783742a5fc22d7410ffb29d66098661d76f126c3c27689e43b37267cac5a3a6d3ab49e391da29cd3054a5692e2807e4c3ea46c8761d50f592", + "ct" : "d0102f6c258bf49742cec34cf2d0fedf23d105fb4c84cf98515e1bc9a64f8ad5be8f0721bde50645d00083c3a263a31053b760245f52ae2866a5ec83b19f61be1d30d5c5d9fecc4cbbe08fd385813a2aa39a00ff9c10f7f23702add1e4b2ffa31c", + "tag" : "41865fc71de12b19612127ce49993bb0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 75, + "comment" : "", + "key" : "aabc063474e65c4c3e9bdc480dea97b45110c8618846ff6b15bdd2a4a5682c4e", + "iv" : "46362f45d6379e63e5229460", + "aad" : "a11c40b603767330", + "msg" : "ceb534ce50dc23ff638ace3ef63ab2cc2973eeada80785fc165d06c2f5100ff5e8ab2882c475afcd05ccd49f2e7d8f55ef3a72e3dc51d6852b8e6b9e7aece57be6556b0b6d9413e33fc5fc24a9a205ad59574bb39d944a92dc47970d84a6ad3176", + "ct" : "7545391b51de01d5c53dfaca777909063e58edee4bb1227e7110ac4d2620c2aec2f848f56deeb037a8dced75afa8a6c890e2dee42f950bb33d9e2424d08a505d899563973ed38870f3de6ee2adc7fe072c366c14e2cf7ca62fb3d36bee11685461", + "tag" : "b70d44ef8c66c5c7bbf10dcadd7facf6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 76, + "comment" : "", + "key" : "d7addd3889fadf8c893eee14ba2b7ea5bf56b449904869615bd05d5f114cf377", + "iv" : "8a3ad26b28cd13ba6504e260", + "aad" : "", + "msg" : "c877a76bf595560772167c6e3bcc705305db9c6fcbeb90f4fea85116038bc53c3fa5b4b4ea0de5cc534fbe1cf9ae44824c6c2c0a5c885bd8c3cdc906f12675737e434b983e1e231a52a275db5fb1a0cac6a07b3b7dcb19482a5d3b06a9317a54826cea6b36fce452fa9b5475e2aaf25499499d8a8932a19eb987c903bd8502fe", + "ct" : "294a764c03353f5f4f6e93cd7e977480d6c343071db0b7c1f0db1e95b85e6053f0423168a9c7533268db9a194e7665359d14489bc47172a9f21370e89b0bd0e5ef9661738de282572bcc3e541247626e57e75dec0f91ac5c530bd1a53271842996dcd04d865321b1ecb6e7630114fe780291b8dc3e5d0abc8e65b1c5493e9af0", + "tag" : "f2b974ca0f14fb9f92014bff18573cff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 77, + 
"comment" : "", + "key" : "80be86fb6fc49bc73428cab576f6ad72ff6aca04001b8b1c57a7128be73900aa", + "iv" : "903188433c1ce8971aa19b9d", + "aad" : "0587af8530ad0547", + "msg" : "67ce499cd8ed68bd717dfe61c60f27d260b1c163a72e8cc8597253d3d987c2dbe1bff2e44d9bd4765d3e53d9c3f8eb3b90e751f47c7157bdc1142bc33f5833ac1cd1262cbb239066b334a4ed99ae82c74f2b49540f1a614bc239d8fc5add8c178184e41281f6e66c5c3117fd953547f7c829425b5082aa69686847eaf5784692", + "ct" : "2b90b4f3de280c44913d1984bdd5dfa0566c6a14a058659a9b623277b0bb6e82101e79395d12e643f62d9a822bae497907493e4f8213fcf99da8a78fdf867af36bc8b0931c1886b4f0ae5729986494dbd59737e956cd8f226c7c522689d082f023894d54acab0c4d609f3746a67369bb8876008f7fd3dc6681c5fb9d728c5911", + "tag" : "f005ebe1c1ada75a9cee8d630881d5b8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 78, + "comment" : "", + "key" : "7d00b48095adfa3272050607b264185002ba99957c498be022770f2ce2f3143c", + "iv" : "87345f1055fd9e2102d50656", + "aad" : "02", + "msg" : "e5ccaa441bc814688f8f6e8f28b500b2", + "ct" : "7e72f5a185af16a611921b438f749f0b", + "tag" : "1242c670732334029adfe1c5001651e4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 79, + "comment" : "", + "key" : "6432717f1db85e41ac7836bce25185a080d5762b9e2b18444b6ec72c3bd8e4dc", + "iv" : "87a3163ec0598ad95b3aa713", + "aad" : "b648", + "msg" : "02cde168fba3f544bbd0332f7adeada8", + "ct" : "85f29a719557cdd14d1f8fffab6d9e60", + "tag" : "732ca32becd515a1ed353f542e999858", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 80, + "comment" : "", + "key" : "7afa0f59dfcb5ad3a76490c5c804327c8d052be737a60fa8bcbf0a2c36630a43", + "iv" : "25b7bdf4a6dcbf7c9a3ec2b3", + "aad" : "8b71ac", + "msg" : "623e6ba6d3166a338bfcc7af90a230c8", + "ct" : "d46e8265a8c6a25393dd956bb44397ad", + "tag" : "e28f3ad9e3ef4a3d94ee07bf538eaafb", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 81, + "comment" : "", + "key" : "2ec25b0ec7ac244224e9c7fc2fa5d3ef17809e19fd6e954158dd0d72738a4cc8", + "iv" : "6fb0d1417cdfff4df37db08c", + "aad" : 
"3a5ddf40", + "msg" : "a1c933768a6d573ebf68a99e5e18dae8", + "ct" : "2d3cb2d9303491e264f2904f0e0753f4", + "tag" : "6c1db959362d217b2322b466536bfea0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 82, + "comment" : "", + "key" : "0a2cf52371cf9d9f95b10108fc82b4fd6110a8ba9a88a26083685ad29826891a", + "iv" : "2538fc67afb9eab333f83290", + "aad" : "9eec540bb0", + "msg" : "0d8c691d044a3978d790432dc71d69f8", + "ct" : "a988c03c71b956ff086d0470d706bd34", + "tag" : "b35d7cbf2beb894b0c746e0730429e15", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 83, + "comment" : "", + "key" : "307e886b38bb18b445f8a2c6d6f8932492a9cea8d041ba72eb5efdfa70d0b8d2", + "iv" : "a071be999151e2a1c41c81e9", + "aad" : "56e014d97c74", + "msg" : "9aba22b495cb7ec887ddaa62019aa14d", + "ct" : "32bf95d4c195dbaf58d9af4001c6e57d", + "tag" : "4393808703d67a90870578046cd8b525", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 84, + "comment" : "", + "key" : "dacd51a8a8e4d5905b4cbb947ef4013eb296889353f3c9ee35f5577b26737a51", + "iv" : "3fa378a1befdddd61ae68cf4", + "aad" : "bb5a3812f0aefd", + "msg" : "e148313883a77da121124d06b1c77dca", + "ct" : "2a207ca7e9da6b13a229604304d87eb1", + "tag" : "8a6b6afec87d93ec6e8dbe13d84c0f8c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 85, + "comment" : "", + "key" : "7b5fbbb202c16108fd13066446853a850d8b34e9da40519580da446a922f9162", + "iv" : "aa077a5ce9161bde8d8edc40", + "aad" : "f94bb92c1c668a695b", + "msg" : "da471cd6935a0ca8307ddedc6b959962", + "ct" : "548a5ca0ae49211cdf30bbdcb1352d31", + "tag" : "204dacb98f8c8908cc5ea22bb23f901f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 86, + "comment" : "", + "key" : "1ffd101eb97531f6faa821ec4d5c5702725dd033d3b830bb760c4ef27ba983df", + "iv" : "598114e8cf7fbdea8ad29683", + "aad" : "2155627ec15a978fbcb2", + "msg" : "28668ca8db535c7e8eb27491ad0fb7cb", + "ct" : "28cedac24f14caa326c7fe401f68a87c", + "tag" : "2bf1b2c43d3039f8f5ce359c1102f879", + "result" : "valid", + "flags" : [] + }, + { + 
"tcId" : 87, + "comment" : "", + "key" : "d2d0a973d5951af352cbee57ac9dab1c284c99af3b992ce015f219506f64888d", + "iv" : "9acd213570ce9bb9d886c6ef", + "aad" : "37ad668d4d4fe889949763", + "msg" : "3f3f0076250352e1b6b5c12cfa12625e", + "ct" : "7256e856872ad3a54b34a2a6bdca8838", + "tag" : "3b12e4586e45223f78a6eea811efb863", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 88, + "comment" : "", + "key" : "adcc520b381382237d05a6400a7dfbcd0771b6aa9edb7966131ddef6af21f1be", + "iv" : "9183cdf3a8ba7397b6b2d5d5", + "aad" : "b334375415f6215c0bf89a9a", + "msg" : "958295619cf1b36f0b474663c0bc79eb", + "ct" : "852c141b4239a31feeda03550d70a2be", + "tag" : "5fc59287b92d3fcf7d66f13defb11b0d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 89, + "comment" : "", + "key" : "bd534f7adeca466844fb3ba34658be807f15c5291ed6026860a24f179b712c89", + "iv" : "412c3e13ee1f7864bd15ce39", + "aad" : "2866afff0bcc6135dc63af88c8", + "msg" : "d92f8ce5d8d0ad2eb5f11af02ef63949", + "ct" : "89d6d089c4a255952aca11b24a01ff95", + "tag" : "f88fa4531204da315e7317970240ce9e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 90, + "comment" : "", + "key" : "910ade7d324d2c9688439e1f142e0e5f9d130ff832e507fe1985e5a26452a6d0", + "iv" : "9be090dba93deff27adf99ee", + "aad" : "ea2575f123268e936c8e4c8c1bb8", + "msg" : "6e356094ed9d9a7053c7906c48ba3d9f", + "ct" : "01ffb343c757b27843d8a900a36ce39d", + "tag" : "a315541b7d6313c6fddf64b303d71d60", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 91, + "comment" : "", + "key" : "8e34cf73d245a1082a920b86364eb896c4946467bcb3d58929fcb36690e6394f", + "iv" : "6f573aa86baa492ba46596df", + "aad" : "bd4cd02fc7502bbdbdf6c9a3cbe8f0", + "msg" : "16ddd23ff53f3d23c06334487040eb47", + "ct" : "c1b295936d56fadac03e5f742bff73a1", + "tag" : "39c457dbab66382babb3b55800cda5b8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 92, + "comment" : "", + "key" : "cb5575f5c7c45c91cf320b139fb594237560d0a3e6f865a67d4f633f2c08f016", + "iv" : 
"1a6518f02ede1da6809266d9", + "aad" : "89cce9fb47441d07e0245a66fe8b778b", + "msg" : "623b7850c321e2cf0c6fbcc8dfd1aff2", + "ct" : "c84c9bb7c61c1bcb17772a1c500c5095", + "tag" : "dbadf7a5138ca03459a2cd65831e092f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 93, + "comment" : "", + "key" : "a5569e729a69b24ba6e0ff15c4627897436824c941e9d00b2e93fddc4ba77657", + "iv" : "564dee49ab00d240fc1068c3", + "aad" : "d19f2d989095f7ab03a5fde84416e00c0e", + "msg" : "87b3a4d7b26d8d3203a0de1d64ef82e3", + "ct" : "94bc80621ed1e71b1fd2b5c3a15e3568", + "tag" : "333511861796978401598b963722f5b3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 94, + "comment" : "", + "key" : "56207465b4e48e6d04630f4a42f35cfc163ab289c22a2b4784f6f9290330bee0", + "iv" : "df8713e87ec3dbcfad14d53e", + "aad" : "5e6470facd99c1d81e37cd44015fe19480a2a4d3352a4ff560c0640fdbda", + "msg" : "e601b38557797da2f8a4106a089d1da6", + "ct" : "299b5d3f3d03c087209a16e285143111", + "tag" : "4b454ed198de117e83ec49fa8d8508d6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 95, + "comment" : "", + "key" : "077433022ab34d380fc192fc24c2edc6301fec6f24442f572a1087ff2e05b39a", + "iv" : "28adcbc74364f26dd4b3108b", + "aad" : "e0100eb116cdc5e22a3b9f9b4126c149595e75107f6e237c69e82960052270", + "msg" : "03c874eeaaa6fa9f0da62c758fb0ad04", + "ct" : "1e9687b35fbc8eaa1825ed3847798f76", + "tag" : "0788bf70fd04030ecd1c96d0bc1fcd5d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 96, + "comment" : "", + "key" : "3937986af86dafc1ba0c4672d8abc46c207062682d9c264ab06d6c5807205130", + "iv" : "8df4b15a888c33286a7b7651", + "aad" : "ba446f6f9a0ced22450feb10737d9007fd69abc19b1d4d9049a5551e86ec2b37", + "msg" : "dc9e9eaf11e314182df6a4eba17aec9c", + "ct" : "605bbf90aeb974f6602bc778056f0dca", + "tag" : "38ea23d99054b46b42ffe004129d2204", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 97, + "comment" : "", + "key" : "36372abcdb78e0279646ac3d176b9674e9154eecf0d5469c651ec7e16b4c1199", + "iv" : 
"be40e5f1a11817a0a8fa8949", + "aad" : "d41a828d5e71829247021905402ea257dccbc3b80fcd5675056b68bb59e62e8873", + "msg" : "81ce84ede9b35859cc8c49a8f6be7dc6", + "ct" : "7b7ce0d824809a70de32562ccf2c2bbd", + "tag" : "15d44a00ce0d19b4231f921e22bc0a43", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 98, + "comment" : "", + "key" : "9f1479ed097d7fe529c11f2f5add9aaff4a1ca0b68997a2cb7f79749bd90aaf4", + "iv" : "84c87dae4eee27730ec35d12", + "aad" : "3f2dd49bbf09d69a78a3d80ea2566614fc379474196c1aae84583da73d7ff85c6f42ca42056a9792cc1b9fb3c7d261", + "msg" : "a66747c89e857af3a18e2c79500087ed", + "ct" : "ca82bff3e2f310ccc976672c4415e69b", + "tag" : "57638c62a5d85ded774f913c813ea032", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 99, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "00000000000000000000000000000000", + "msg" : "65b63bf074b7283992e24b1ac0df0d22b555dbe2254d94a43f1de748d3cc6f0d", + "ct" : "0000000000000000000000000000000000000000000000000000000000000000", + "tag" : "39f4fce3026d83789ffd1ee6f2cd7c4f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 100, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "00000000000000000000000000000000", + "msg" : "65b63bf074b7283992e24b1ac0df0d22b555dbe2254d94a43f1de748d3cc6f0d20c142fe898fbbe668d4324394434c1b18b58ead710aed9c31db1f2a8a1f1bb2", + "ct" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "tag" : "f5eaa804605c3a4785f9d7f13b6f67d6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 101, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "00000000000000000000000000000000", + "msg" : 
"65b63bf074b7283992e24b1ac0df0d22b555dbe2254d94a43f1de748d3cc6f0d20c142fe898fbbe668d4324394434c1b18b58ead710aed9c31db1f2a8a1f1bb24405c183af94ee1ad630cd931158a6213d48c8fff10d0a1f9ef760188e658802aad55e41a1d99069a18db55c56af7c10a6f21ecc8af9b7ce0a7ea0b67426e925", + "ct" : "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "tag" : "9b5c43a78d954e8a3c659eebc13d5d55", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 102, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "ffffffffffffffffffffffffffffffff", + "msg" : "9a49c40f8b48d7c66d1db4e53f20f2dd4aaa241ddab26b5bc0e218b72c3390f2", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "37e3399d9ca696799f08f4f72bc0cdd8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 103, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "ffffffffffffffffffffffffffffffff", + "msg" : "9a49c40f8b48d7c66d1db4e53f20f2dd4aaa241ddab26b5bc0e218b72c3390f2df3ebd0176704419972bcdbc6bbcb3e4e74a71528ef51263ce24e0d575e0e44d", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "3d52710bec86d4ea9fea2ff269549191", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 104, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "ffffffffffffffffffffffffffffffff", + "msg" : 
"9a49c40f8b48d7c66d1db4e53f20f2dd4aaa241ddab26b5bc0e218b72c3390f2df3ebd0176704419972bcdbc6bbcb3e4e74a71528ef51263ce24e0d575e0e44dbbfa3e7c506b11e529cf326ceea759dec2b737000ef2f5e061089fe7719a77fd552aa1be5e266f965e724aa3a95083ef590de13375064831f5815f498bd916da", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "51356329e280b12d55d3d98f0a580cbe", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 105, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "00000080000000800000008000000080", + "msg" : "65b63b7074b728b992e24b9ac0df0da2b555db62254d94243f1de7c8d3cc6f8d", + "ct" : "0000008000000080000000800000008000000080000000800000008000000080", + "tag" : "c152a4b90c548c71dc479edeaf9211bf", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 106, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "00000080000000800000008000000080", + "msg" : "65b63b7074b728b992e24b9ac0df0da2b555db62254d94243f1de7c8d3cc6f8d20c1427e898fbb6668d432c394434c9b18b58e2d710aed1c31db1faa8a1f1b32", + "ct" : "00000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080", + "tag" : "40ef6383052d91c2e4b4611b0e32c5ff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 107, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "00000080000000800000008000000080", + "msg" : 
"65b63b7074b728b992e24b9ac0df0da2b555db62254d94243f1de7c8d3cc6f8d20c1427e898fbb6668d432c394434c9b18b58e2d710aed1c31db1faa8a1f1b324405c103af94ee9ad630cd131158a6a13d48c87ff10d0a9f9ef760988e658882aad55ec1a1d990e9a18db5dc56af7c90a6f21e4c8af9b74e0a7ea0367426e9a5", + "ct" : "0000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080", + "tag" : "ae9b542541e84fc74542eed6be638fee", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 108, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "80000000800000008000000080000000", + "msg" : "e5b63bf0f4b7283912e24b1a40df0d223555dbe2a54d94a4bf1de74853cc6f0d", + "ct" : "8000000080000000800000008000000080000000800000008000000080000000", + "tag" : "10fee3ecfba9cdf797bae37a626ec83b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 109, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "80000000800000008000000080000000", + "msg" : "e5b63bf0f4b7283912e24b1a40df0d223555dbe2a54d94a4bf1de74853cc6f0da0c142fe098fbbe6e8d4324314434c1b98b58eadf10aed9cb1db1f2a0a1f1bb2", + "ct" : "80000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000", + "tag" : "7490795bdbbbf5d0aecb9a4f65aa379f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 110, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "80000000800000008000000080000000", + "msg" : 
"e5b63bf0f4b7283912e24b1a40df0d223555dbe2a54d94a4bf1de74853cc6f0da0c142fe098fbbe6e8d4324314434c1b98b58eadf10aed9cb1db1f2a0a1f1bb2c405c1832f94ee1a5630cd939158a621bd48c8ff710d0a1f1ef760180e6588022ad55e4121d99069218db55cd6af7c1026f21ecc0af9b7ce8a7ea0b6f426e925", + "ct" : "8000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000", + "tag" : "1d1096a8ca9e2bda2762c41d5b16f62f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 111, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "ffffff7fffffff7fffffff7fffffff7f", + "msg" : "9a49c48f8b48d7466d1db4653f20f25d4aaa249ddab26bdbc0e218372c339072", + "ct" : "ffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7f", + "tag" : "af8492c792bf8d8062be74ff6efb3869", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 112, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "ffffff7fffffff7fffffff7fffffff7f", + "msg" : "9a49c48f8b48d7466d1db4653f20f25d4aaa249ddab26bdbc0e218372c339072df3ebd8176704499972bcd3c6bbcb364e74a71d28ef512e3ce24e05575e0e4cd", + "ct" : "ffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7f", + "tag" : "f24db68c46b67d6f402fa6c897913368", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 113, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "ffffff7fffffff7fffffff7fffffff7f", + "msg" : 
"9a49c48f8b48d7466d1db4653f20f25d4aaa249ddab26bdbc0e218372c339072df3ebd8176704499972bcd3c6bbcb364e74a71d28ef512e3ce24e05575e0e4cdbbfa3efc506b116529cf32eceea7595ec2b737800ef2f56061089f67719a777d552aa13e5e266f165e724a23a950836f590de1b3750648b1f5815fc98bd9165a", + "ct" : "ffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7f", + "tag" : "43f651ab2e2eb0f04bf689a40d32da24", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 114, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "7fffffff7fffffff7fffffff7fffffff", + "msg" : "1a49c40f0b48d7c6ed1db4e5bf20f2ddcaaa241d5ab26b5b40e218b7ac3390f2", + "ct" : "7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff", + "tag" : "60d95294a3694cfaa64b2f63bc1f82ec", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 115, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "7fffffff7fffffff7fffffff7fffffff", + "msg" : "1a49c40f0b48d7c6ed1db4e5bf20f2ddcaaa241d5ab26b5b40e218b7ac3390f25f3ebd01f6704419172bcdbcebbcb3e4674a71520ef512634e24e0d5f5e0e44d", + "ct" : "7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff", + "tag" : "beaca0b47027196176186d944019c1c8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 116, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "7fffffff7fffffff7fffffff7fffffff", + "msg" : 
"1a49c40f0b48d7c6ed1db4e5bf20f2ddcaaa241d5ab26b5b40e218b7ac3390f25f3ebd01f6704419172bcdbcebbcb3e4674a71520ef512634e24e0d5f5e0e44d3bfa3e7cd06b11e5a9cf326c6ea759de42b737008ef2f5e0e1089fe7f19a77fdd52aa1bede266f96de724aa3295083efd90de133f506483175815f490bd916da", + "ct" : "7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff", + "tag" : "d4811028a577d4dd69d6b35d717f73e3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 117, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "00000000ffffffff00000000ffffffff", + "msg" : "65b63bf08b48d7c692e24b1a3f20f2ddb555dbe2dab26b5b3f1de7482c3390f2", + "ct" : "00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff", + "tag" : "10fb61272b555bee104f5a71818716d6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 118, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "00000000ffffffff00000000ffffffff", + "msg" : "65b63bf08b48d7c692e24b1a3f20f2ddb555dbe2dab26b5b3f1de7482c3390f220c142fe7670441968d432436bbcb3e418b58ead8ef5126331db1f2a75e0e44d", + "ct" : "00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff", + "tag" : "4756764e59583504182877d8c33120f0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 119, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "00000000ffffffff00000000ffffffff", + "msg" : 
"65b63bf08b48d7c692e24b1a3f20f2ddb555dbe2dab26b5b3f1de7482c3390f220c142fe7670441968d432436bbcb3e418b58ead8ef5126331db1f2a75e0e44d4405c183506b11e5d630cd93eea759de3d48c8ff0ef2f5e09ef76018719a77fdaad55e415e266f96a18db55ca95083efa6f21ecc750648310a7ea0b68bd916da", + "ct" : "00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff", + "tag" : "95a2b12a4a280089d4bd4f904253e754", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 120, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "ffffffff00000000ffffffff00000000", + "msg" : "9a49c40f74b728396d1db4e5c0df0d224aaa241d254d94a4c0e218b7d3cc6f0d", + "ct" : "ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000", + "tag" : "60dcd45974bebe032eb7b86c9d063452", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 121, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "ffffffff00000000ffffffff00000000", + "msg" : "9a49c40f74b728396d1db4e5c0df0d224aaa241d254d94a4c0e218b7d3cc6f0ddf3ebd01898fbbe6972bcdbc94434c1be74a7152710aed9cce24e0d58a1f1bb2", + "ct" : "ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000", + "tag" : "f0e6a3c1f28ad92d0dbc900be291d877", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 122, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "ffffffff00000000ffffffff00000000", + "msg" : 
"9a49c40f74b728396d1db4e5c0df0d224aaa241d254d94a4c0e218b7d3cc6f0ddf3ebd01898fbbe6972bcdbc94434c1be74a7152710aed9cce24e0d58a1f1bb2bbfa3e7caf94ee1a29cf326c1158a621c2b73700f10d0a1f61089fe78e658802552aa1bea1d990695e724aa356af7c10590de1338af9b7cef5815f497426e925", + "ct" : "ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000", + "tag" : "57eff4a525eeff2ebd7a28eb894282be", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 123, + "comment" : "Flipped bit 0 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f5409bb729039d0814ac514054323f44", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 124, + "comment" : "Flipped bit 1 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f6409bb729039d0814ac514054323f44", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 125, + "comment" : "Flipped bit 7 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "74409bb729039d0814ac514054323f44", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 126, + "comment" : "Flipped bit 8 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4419bb729039d0814ac514054323f44", + 
"result" : "invalid", + "flags" : [] + }, + { + "tcId" : 127, + "comment" : "Flipped bit 31 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409b3729039d0814ac514054323f44", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 128, + "comment" : "Flipped bit 32 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409bb728039d0814ac514054323f44", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 129, + "comment" : "Flipped bit 33 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409bb72b039d0814ac514054323f44", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 130, + "comment" : "Flipped bit 63 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409bb729039d8814ac514054323f44", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 131, + "comment" : "Flipped bit 64 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409bb729039d0815ac514054323f44", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 132, + "comment" : "Flipped bit 77 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : 
"202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409bb729039d08148c514054323f44", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 133, + "comment" : "Flipped bit 80 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409bb729039d0814ac504054323f44", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 134, + "comment" : "Flipped bit 96 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409bb729039d0814ac514055323f44", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 135, + "comment" : "Flipped bit 97 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409bb729039d0814ac514056323f44", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 136, + "comment" : "Flipped bit 120 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409bb729039d0814ac514054323f45", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 137, + "comment" : "Flipped bit 121 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409bb729039d0814ac514054323f46", + "result" : 
"invalid", + "flags" : [] + }, + { + "tcId" : 138, + "comment" : "Flipped bit 126 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409bb729039d0814ac514054323f04", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 139, + "comment" : "Flipped bit 127 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409bb729039d0814ac514054323fc4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 140, + "comment" : "Flipped bit 63 and 127 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409bb729039d8814ac514054323fc4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 141, + "comment" : "Tag changed to all zero expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "00000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 142, + "comment" : "tag change to all 1 expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "ffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 143, + "comment" : "Flipped bit 0 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : 
"202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "28914007a6119dd3f109bba21ce9a7d6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 144, + "comment" : "Flipped bit 1 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "2b914007a6119dd3f109bba21ce9a7d6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 145, + "comment" : "Flipped bit 7 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "a9914007a6119dd3f109bba21ce9a7d6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 146, + "comment" : "Flipped bit 8 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29904007a6119dd3f109bba21ce9a7d6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 147, + "comment" : "Flipped bit 31 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914087a6119dd3f109bba21ce9a7d6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" 
: 148, + "comment" : "Flipped bit 32 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914007a7119dd3f109bba21ce9a7d6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 149, + "comment" : "Flipped bit 33 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914007a4119dd3f109bba21ce9a7d6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 150, + "comment" : "Flipped bit 63 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914007a6119d53f109bba21ce9a7d6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 151, + "comment" : "Flipped bit 64 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914007a6119dd3f009bba21ce9a7d6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 152, + "comment" : "Flipped bit 77 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : 
"d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914007a6119dd3f129bba21ce9a7d6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 153, + "comment" : "Flipped bit 80 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914007a6119dd3f109baa21ce9a7d6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 154, + "comment" : "Flipped bit 96 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914007a6119dd3f109bba21de9a7d6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 155, + "comment" : "Flipped bit 97 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914007a6119dd3f109bba21ee9a7d6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 156, + "comment" : "Flipped bit 120 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914007a6119dd3f109bba21ce9a7d7", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 157, + "comment" : "Flipped bit 121 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + 
"iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914007a6119dd3f109bba21ce9a7d4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 158, + "comment" : "Flipped bit 126 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914007a6119dd3f109bba21ce9a796", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 159, + "comment" : "Flipped bit 127 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914007a6119dd3f109bba21ce9a756", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 160, + "comment" : "Flipped bit 63 and 127 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914007a6119d53f109bba21ce9a756", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 161, + "comment" : "Tag changed to all zero expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "00000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 162, + "comment" : "tag change to all 1 expected 
tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "ffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 163, + "comment" : "Flipped bit 0 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "67405a16e8b44eba92aa47f5cea52b7a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 164, + "comment" : "Flipped bit 1 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "64405a16e8b44eba92aa47f5cea52b7a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 165, + "comment" : "Flipped bit 7 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "e6405a16e8b44eba92aa47f5cea52b7a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 166, + "comment" : "Flipped bit 8 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : 
"202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66415a16e8b44eba92aa47f5cea52b7a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 167, + "comment" : "Flipped bit 31 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a96e8b44eba92aa47f5cea52b7a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 168, + "comment" : "Flipped bit 32 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a16e9b44eba92aa47f5cea52b7a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 169, + "comment" : "Flipped bit 33 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a16eab44eba92aa47f5cea52b7a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 170, + "comment" : "Flipped bit 63 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : 
"202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a16e8b44e3a92aa47f5cea52b7a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 171, + "comment" : "Flipped bit 64 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a16e8b44eba93aa47f5cea52b7a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 172, + "comment" : "Flipped bit 77 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a16e8b44eba928a47f5cea52b7a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 173, + "comment" : "Flipped bit 80 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a16e8b44eba92aa46f5cea52b7a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 174, + "comment" : "Flipped bit 96 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : 
"202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a16e8b44eba92aa47f5cfa52b7a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 175, + "comment" : "Flipped bit 97 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a16e8b44eba92aa47f5cca52b7a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 176, + "comment" : "Flipped bit 120 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a16e8b44eba92aa47f5cea52b7b", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 177, + "comment" : "Flipped bit 121 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a16e8b44eba92aa47f5cea52b78", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 178, + "comment" : "Flipped bit 126 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : 
"202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a16e8b44eba92aa47f5cea52b3a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 179, + "comment" : "Flipped bit 127 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a16e8b44eba92aa47f5cea52bfa", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 180, + "comment" : "Flipped bit 63 and 127 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a16e8b44e3a92aa47f5cea52bfa", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 181, + "comment" : "Tag changed to all zero expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "00000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 182, + "comment" : "tag change to all 1 expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : 
"202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "ffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 183, + "comment" : "edge case for poly1305 key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "dc8ce708bf26aab862d97e1b42f31ef38c382cf07174142ea564920612997b1c2e38aca2438b588d5459493e97e7fa330ff9bc3b9458297ba0967d86ed090b435103478f2869b93ee29c837e95fb6b9903f3b735b7345428eb93b3db1d9b5187cebb889aa177d83e4f63fc9a5c0596eed939883d06aacdfdea44fdecdf5cb7fc", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "c296436246c3a7c4b3ba09ab2a6a0889", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 184, + "comment" : "edge case for poly1305 key:278de313ffffffdfffe9acbf3ea59357c4e16a5bc120d346af4a8cf694a84374", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "0001020304050607051e9373", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : 
"931227274a89d0b3aade7fac62c96262c1e77b8dafd248f10ad37c6ccb69cb7131b041593c8bb8c3db38f39dd8a124c424fce4389dede1d3cb9d46cf95970aea9856b6e313d756197baf4fcb58df275bca8a2188f9e8a1ad04354ede542ddc30e8b735b2f5905f5811799282be94ae842ec126c55d2e667235e9acf1d48798f0", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "99a3b0fff6fdcbcce9dc5820f2a64861", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 185, + "comment" : "edge case for poly1305 key:0050799fe9e74fcffcffffcfd21aa8b5cb5aa2c6ab347b6886eedaca4bfff3c0", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "0001020304050607048c3c5f", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "0df91f31230e8941e700a752fef08c897c511ed618fdf8a378a1f439013b40a48d4634c27d9ada7c0bb6f3fa92e341425903d7ecd0c49bee4c77e84b11f1c721922308642885b813fae364da32eaf120d6a43a74fb1632443667bfea6eef1be73eb1c3c0b5a57cee8dc4feed4a1fb9ae02f7b1695588c3c878451cb6ee0cb3dc", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "eaff8f47ef9268fd0d94e8a9c4b78d24", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 186, + "comment" : "edge case for poly1305 key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : 
"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "1fde9b9ec8b247d42bbee2016d6715ba428a85431430eada56a2c5dc944b6aa6cef0b056a2eecc51d30838e640615e1458e0943e30f91ba41b4362fa9ed6037b21d14da7b4f76f9f68fa8903138d563ce2590af1201c7cfec2290cfce98a822ebb8d1ed9dc4e20d241755aff91cdfd10fdb69efa0d5c8082692601cbfbb955c7", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "86ed21fda080a7d13981078d86b3e3cd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 187, + "comment" : "edge case for poly1305 key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "66115e67ecd3d4178c4c60e713ab4e5e66f8d1f971da17437a2b5e04fbca1671e847139a5f4e3f8e92d7a3b71eb4ff0e50354c0c1580af3662d5f8151e3f7e8264a0085c32ddfcbeb01a8be4c34d53319800ac4ef9d4e4014524bc7cd3387242e774f4d1a7a0521e42ec44844d0bd8b9d73fec959212fd7e8eacf4d984996d9b", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "34f9e0faa515eee0e784e6ef2678befa", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 188, + "comment" : "edge case for poly1305 key:0000003059ffce96438a246ff9536787d92bc40eafa0241a2972780ef6ca1ef8", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : 
"000102030405060726c6961b", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "e97244259af5a379238da0cad2a5f493655ec0e5024fd553bbb3deb66a94036d106c3d513407b2dd1cc5936c4c9c1e4f4b37b54dec261c601dc99e90680e23e2dc5c9a8d503d8bea49a8cdca3706bfd2a3daa0afb19a70fd3d355fc37c13f3f9e5c8d0864a5f80a780b36d4698ec2ce9ccc27b97ecbe672e41628ebd773acb81", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "3c94b9fe60bdb35c6b7b73b765083492", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 189, + "comment" : "edge case for poly1305 key:3fa0ea9c030000a036217d42e775ad189b96e24ee591952e2922ff151334b9ec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "0001020304050607013da060", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "9453aa159c3d87f17e21e88adabc37e553b904d00eefc66b8e0905e23576fbdc9c7bea9777f3b8368481932534b3344d309e6307cddfe7b3549300dd9cda7efe9d43c8a115912a392904079ee92bcd33099f7022ea94c1e7353b89bfc54de3ceb56f529a1a608bb5a970e1359609d1f56806b37f8605f4c27451da6066fc557a", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "2b11cf9f8db8490d409fc62afd7379f3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 190, + "comment" : "edge case for poly1305 key:a556cb502baf395b020000f03c5108fb1cf76df1b8a8f724e877bd3c588d3285", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060707db33de", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "2e1836640d810c2709fb83ccf1aef3a971085d1bbfb58a425abf75ccec70b3abde0e80539e83a82546e7372a19481547053308dd7842675e9c4f61302426da0d71c1da3102031030ed928152be009b15b52f71b5911991d39f68a8658d99729df2bbef31c8989f9604558df9f2aba4b3766c58aaef3548de545ec1f080225a88", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "c9c8366920f88381407712cec61e6607", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 191, + "comment" : "edge case for poly1305 key:0c327fbcc564555545d4fe75020000d0a65799f363ec51b1c5c427b4a04af190", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060702a11942", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "0ecb4d85c956b5268c9b35a8c63b4e9d3e5cb72b64ef98773841b947bd7d59ef7d0eb0e1c050d49a5424ce7deb527d76087e4746674c958965df32d9e5fb03b46501706128d481217aaeae2f78f9259273358a2954cac0bc2fbfe77447d1d387b9314c6541b69f1270b3438b1042b2b4663e62ba4d49c07ac6f163034afa80af", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "2373cfa2ab24446ad5a236167b8027fe", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 192, + "comment" : "edge case for poly1305 
key:415f08302f210340240d0e903e2b01205ba43e106aebd7e2481016b31118b1ae", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506073c0df637", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "2e8e45e903bfab32f2f0d49d9a3e449bef6f4093e2722cdab2cf935c1822b830fb5a4056516d560dfc8638c9a57d2927200a56f0b67153271d498e8f08dc888c61ef634f7ae40f4608f96f92fea5a1e5bd45131120098dc5de0378e58f2ddb46fa4aa5adb38fe006bb19b69146382f77a79e06214def547cfb5ce37a7008b9b6", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "5f93946478d8081e7247f414ad39a515", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 193, + "comment" : "edge case for poly1305 key:feffff1ff6b87403fd6435b09775bc92491a0ae62c5842a30e3b82710cc2dad1", + "key" : "9de836aa579585081f330a7c4036e20e38ef15eff3945184d231867f505fffdf", + "iv" : "00000000101112130bc672c3", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "3619cb470af86dceceb6940f2d9abb34c9a9131476053387445ffebbe240d4f9818377855652f46a8219c7f71c3554f8acef8258de4b7d17c0f3d353ac981cc6a13287be1e6b41dc6d133df4ababebdf43d665ce7a4a5c982a0b139cb8202eebc74173e3224a440e4c37d2b595f384290e939ba016df0d49b36cdb4bd91c39", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "133fe62391744d11ce44594b96c53baf", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 194, + "comment" : 
"edge case for poly1305 key:bf358f18ffffffbf4b62ed6e1f53790785c4dabdfc72e2a219d377a682c85f38", + "key" : "9de836aa579585081f330a7c4036e20e38ef15eff3945184d231867f505fffdf", + "iv" : "000000001011121303e9b9a4", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "af205bda819f7451be0f28667d4b01b59ff2daa8173cab52046c3c9e0d989889c5e021ef7afd06e9ce6cc30e3a6ebab509134ba10d10e570c55587c13eee53e73be54804c8539ffbf23b35922b1ca37b9e9bc24ee204837ca5a294ce05d12600c7eff6aee32270db2feff47dc5a04176169e15850628e6035f78994f9f5603", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "e3451adb9d23a7710a1aafba26f56387", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 195, + "comment" : "edge case for poly1305 key:d0b7b3a352a4010ffeffffbfe8cc66dc6e5e7451dc61762c5753174fed88e746", + "key" : "9de836aa579585081f330a7c4036e20e38ef15eff3945184d231867f505fffdf", + "iv" : "00000000101112130700b982", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "68c67272036fb652a0182eeb4781358e4704a4a702fd731bf3b3ea994717989e7d9104e0ae81732a8c7e9a82b3d31d541761a366b67c3396f1a6c67e293ddb65a59e42541dda144dc6c78388cfca982e23350958ac5b3d54a1722fd64733577862e1879c9e9445ebdec5315d1706db7ebbedd4c779935e72057e5b0ecde081", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "b0bb8a55ff5f52a5043c6e7795847557", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 
196, + "comment" : "edge case for poly1305 key:7bee33931a4157a8cb701becfeffff4fbe7e69f19cd065313bb49a252628dd3d", + "key" : "9de836aa579585081f330a7c4036e20e38ef15eff3945184d231867f505fffdf", + "iv" : "0000000010111213019836bb", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "c483b7334ebe2e879b0c3f9db4fcd9f5219062360d6ce44cdae0f94e04c8345ea7e3ae33855118741dcafe0de4ae98c4e43af7b12b04ee8ab175625823ac040e5abac4403f1d45238adcb8c0cf44bd56917f9f5d93974c82b56951986a9c0450bd9047b5a616e814526ad0580e3ecd8189c9fef2cdb979a22ad3a01930fbd1", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "f4fc25f4c5543a9afee9819e2904fb68", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 197, + "comment" : "edge case for poly1305 key:7cb5fbdffb40ff5f3c7de74f655ffc1fac03013a7fe468440b861ebe0ab1650a", + "key" : "9de836aa579585081f330a7c4036e20e38ef15eff3945184d231867f505fffdf", + "iv" : "00000000101112131d59f288", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "bc7f4f15fd1e4c1399740836670abe39a05707be19956ce169b32321759e0f213ae19ad34aa612b3a29f02c4bbac9f785a55a3adfe419ab891bbe0acee9921322ea21002c9dd3dcdd13a7f8554dddc10f9b529ce94be7050937dab76557b7eb17c685aad8f0797e39d62553988989aab1d9764fe431cc1d4c595062ce93ce9", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "5e67a7b8733e0e4b01ac2178a205ae7e", + "result" : "valid", + "flags" : [] + 
}, + { + "tcId" : 198, + "comment" : "edge case for poly1305 key:00000090e6e328c242cde5c83e3d8262d467f2bcd53d3755c781f3c6a2cb0648", + "key" : "9de836aa579585081f330a7c4036e20e38ef15eff3945184d231867f505fffdf", + "iv" : "00000000101112130552a411", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "eaccaa778935ef249e0900149dd889462d2a061486ba102b8caebe465f3959fb3119ebb5689676ffdd6d851a26739e772b54a2f5f473ea9c7e58ccbc4cfc953e8c420b2175d9dd519265630bb79bd87a601b113231a8b16ce54c331347ec04c2b1c9160f38207aa46e96feb06dee883eb422fa14908df300bb1a1ef758c408", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "177a77fce114a4349c4f8d5ec825d06f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 199, + "comment" : "edge case for poly1305 key:9e98d64e000000505a07183c5c68c63c14c9266dd37ff86aafc22ddbdb355617", + "key" : "9de836aa579585081f330a7c4036e20e38ef15eff3945184d231867f505fffdf", + "iv" : "00000000101112130c807a72", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "a76c330e015060a17e64cb7b6d753f201f75be8759fd7539fb92b22aef54c9d3029dba0c15cbf7c95135888319c6b2e6276da21e0c351fd522b29aabb5883a3291d6f427de773b124390ef6fd96621ffbc42dfbf7a34da272cbc9ccb1a498d078033d1ac3bf7e92715948b06d69d5c5039e9164ba9c3a02219ec5908206b3b", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "623c7d4424f5497aedfd1339cf8cecce", + "result" : 
"valid", + "flags" : [] + }, + { + "tcId" : 200, + "comment" : "edge case for poly1305 key:1048a92e65f5e63102000080d9ae08de4319a7c45fdbe707b9ec1b7e0d635161", + "key" : "9de836aa579585081f330a7c4036e20e38ef15eff3945184d231867f505fffdf", + "iv" : "00000000101112130397a143", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "228a7e15bcce13051de9145f77f7f4ff7921828b4f99efc4ff55ee0d9344955b69ec2d4798b0517f0273c4456ae5ffc5929cbe74ddb0da51d4f2b4df7578a31240c88ae922c3c5eca7b97d72d497062050a587447c562b343d5c71921944872f9fd06b8f34b3eb5d4341f5ff8a907dd7c2e1676b81252726ba54814da51eab", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "1c18b69354b189731a1a83fe8f0d57c9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 201, + "comment" : "edge case for poly1305 key:01517a2ceb89bbfb5741f7d9000000401a65b132ad661072a00ffe7defbb18a5", + "key" : "9de836aa579585081f330a7c4036e20e38ef15eff3945184d231867f505fffdf", + "iv" : "000000001011121308cb0f3f", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "c7d843188ab193dfef5c4daf583f952cd4b195f240fa2e704d021723023c123371a41e87dfc6e6c3874a42f331cf035988a38c72ba2da854b1208f98bf8cc29948169481ab3a402d5fcc7ff78f9e31925576dc3938074b8c5b27960e3afc750ad686563688b7441787288d5256c1301d563b7744843bd1ab4eff5be6f1653d", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : 
"2045815b8211b9a2995effe0b8ed9868", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 202, + "comment" : "edge case for poly1305 key:bc90156087e0125006d90c30babd0590427bff19de1f2e7d0757a79528731138", + "key" : "9de836aa579585081f330a7c4036e20e38ef15eff3945184d231867f505fffdf", + "iv" : "00000000101112130d8fcf4e", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "cfc3db8631c81c69023a3c8a9ad66c35053685144c4fa2a9510add72e211dad9ca5b982e4c194591fdb74116280311d1299ad81227258cb52f079bbcb12aff161d278dec33a326d71276b3de01a8327ee7f45f94179dff18a3fe643e56c30cfd03871c8110ab00f6612b9e17a4647360d7847bb63a3122613c2e7cdddd08ae", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "1ae2ed84ea9774d78d782bf8d972a8b8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 203, + "comment" : "edge case for tag", + "key" : "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f", + "iv" : "000102030405060708090a0b", + "aad" : "ffffffffffffffffffffffffffffffff415771fda4fbcc55c377f73203e60226", + "msg" : "e48caf8a76183327c9561a4651c07c822ccd1642c06607d0d4bc0afb4de15915dbfa3b0b422e77e15c64bf6247031f15fdb643117809821870000adf83834da5", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "000102030405060708090a0b0c0d0e0f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 204, + "comment" : "edge case for tag", + "key" : "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f", + "iv" : "000102030405060708090a0b", + "aad" : "f1ffffffffffffffffffffffffffffff615af39eddb5fcd2519190d5507d3b06", + "msg" : 
"e48caf8a76183327c9561a4651c07c822ccd1642c06607d0d4bc0afb4de15915dbfa3b0b422e77e15c64bf6247031f15fdb643117809821870000adf83834da5", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "00000000000000000000000000000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 205, + "comment" : "edge case for tag", + "key" : "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f", + "iv" : "000102030405060708090a0b", + "aad" : "b5ffffffffffffffffffffffffffffff764e5d82ce7da0d44148484fd96a6107", + "msg" : "e48caf8a76183327c9561a4651c07c822ccd1642c06607d0d4bc0afb4de15915dbfa3b0b422e77e15c64bf6247031f15fdb643117809821870000adf83834da5", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "ffffffffffffffffffffffffffffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 206, + "comment" : "edge case for tag", + "key" : "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f", + "iv" : "000102030405060708090a0b", + "aad" : "fdffffffffffffffffffffffffffffff2bdbf16d8ea4d39dab8dcb3d4bc4e104", + "msg" : "e48caf8a76183327c9561a4651c07c822ccd1642c06607d0d4bc0afb4de15915dbfa3b0b422e77e15c64bf6247031f15fdb643117809821870000adf83834da5", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "00000080000000800000008000000080", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 207, + "comment" : "edge case for tag", + "key" : "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f", + "iv" : "000102030405060708090a0b", + "aad" : "a9ffffffffffffffffffffffffffffffaccd5eb31d8fc909e84b0de7de23bb08", + "msg" : "e48caf8a76183327c9561a4651c07c822ccd1642c06607d0d4bc0afb4de15915dbfa3b0b422e77e15c64bf6247031f15fdb643117809821870000adf83834da5", + "ct" : 
"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "ffffff7fffffff7fffffff7fffffff7f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 208, + "comment" : "edge case for tag", + "key" : "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f", + "iv" : "000102030405060708090a0b", + "aad" : "d2ffffffffffffffffffffffffffffffdd4b933e7b1a7ed93cc7c050db71dc03", + "msg" : "e48caf8a76183327c9561a4651c07c822ccd1642c06607d0d4bc0afb4de15915dbfa3b0b422e77e15c64bf6247031f15fdb643117809821870000adf83834da5", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "01000000010000000100000001000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 209, + "comment" : "edge case for tag", + "key" : "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f", + "iv" : "000102030405060708090a0b", + "aad" : "ffffffffffffffffffffffffffffffffa08164425d7642e9e90fc8d5c32d2cf6", + "msg" : "e48caf8a76183327c9561a4651c07c822ccd1642c06607d0d4bc0afb4de15915dbfa3b0b422e77e15c64bf6247031f15fdb643117809821870000adf83834da5", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "ffffffff000000000000000000000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 210, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "c68ce708bf26aab862d97e1b42f31ef37bb66f8090c149e452ec7f20327eb2ea2e38aca2438b588d5459493e97e7fa330ff9bc23c897df6b00af86931d6c81555103478f2869b93ee29c837e95fb6b9903f3b72debfba2384baa48ceedfedb91", + "ct" : "e5ffffffffffffffffffffffffffffff0871bc8f1e4aa235087712d9df183609ffffffffffffffffffffffffffffffffffffffe7a33009ef5fc604ea0f9a75e9ffffffffffffffffffffffffffffffffffffffe7a33009ef5fc604ea0f9a75e9", + "tag" : "3572162777262c518eef573b720e8e64", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 211, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "c78ce708bf26aab862d97e1b42f31ef376209eef141691fba5d10eaf581affe62e38aca2438b588d5459493e97e7fa330e73d2dc3bbd954989cb8433b7d6597b5103478f2869b93ee29c837e95fb6b990279d9d218d1e81ac2ce4a6e474403bf", + "ct" : "e4ffffffffffffffffffffffffffffff05e74de09a9d7a2aff4a6356b57c7b05fffffffffffffffffffffffffffffffffe759118501a43cdd6a2064aa520adc7fffffffffffffffffffffffffffffffffe759118501a43cdd6a2064aa520adc7", + "tag" : "347216375f5b7b5c4e6bff4912fd9473", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 212, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "fc8ce708bf26aab862d97e1b42f31ef38b79403dfaabc0d8c18d23a3469c13e62e38aca2438b588d5459493e97e7fa330a4b941e6b66fcc2ed7d8cb3e8cc7ffc5103478f2869b93ee29c837e95fb6b9906419f10480a8191a67842ee185e2538", + "ct" : "dffffffffffffffffffffffffffffffff8be933274202b099b164e5aabfa9705fffffffffffffffffffffffffffffffffa4dd7da00c12a46b2140ecafa3a8b40fffffffffffffffffffffffffffffffffa4dd7da00c12a46b2140ecafa3a8b40", + "tag" : "30721677ff2eb8894e5a9d8492b7b0af", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 213, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "fa8ce708bf26aab862d97e1b42f31ef39bcbb8da477d580d772de4229bba7de22938aca2438b588d5459493e97e7fa331e9dedf9dd64a0681bac2969549425bc5603478f2869b93ee29c837e95fb6b991297e6f7fe08dd3b50a9e734a4067f78", + "ct" : "d9ffffffffffffffffffffffffffffffe80c6bd5c9f6b3dc2db689db76dcf901f8ffffffffffffffffffffffffffffffee9bae3db6c376ec44c5ab104662d100f8ffffffffffffffffffffffffffffffee9bae3db6c376ec44c5ab104662d100", + "tag" : "2b7216c7873744c20ec5e2cdb260d3fa", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 214, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "ee8ce708bf26aab862d97e1b42f31ef3b9f55bd56e0fd74b46063a96354cfbee3238aca2438b588d5459493e97e7fa3320c78886a6f6292d6cc5fbddb546a2b04d03478f2869b93ee29c837e95fb6b992ccd8388859a547e27c0358045d4f874", + "ct" : "cdffffffffffffffffffffffffffffffca3288dae0843c9a1c9d576fd82a7f0de3ffffffffffffffffffffffffffffffd0c1cb42cd51ffa933ac79a4a7b0560ce3ffffffffffffffffffffffffffffffd0c1cb42cd51ffa933ac79a4a7b0560c", + "tag" : "22721657b0130d28cf1ec65153c41182", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 215, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "ef8ce708bf26aab862d97e1b42f31ef3b46fca24d353ff5e49eac51540e840ea3038aca2438b588d5459493e97e7fa333d311e572202011a75e948586fe268b44f03478f2869b93ee29c837e95fb6b99313b1559016e7c493eec86059f703270", + "ct" : "ccffffffffffffffffffffffffffffffc7a8192b5dd8148f1371a8ecad8ec409e1ffffffffffffffffffffffffffffffcd375d9349a5d79e2a80ca217d149c08e1ffffffffffffffffffffffffffffffcd375d9349a5d79e2a80ca217d149c08", + "tag" : "2172166798485c338f9a6d60f3b21891", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 216, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "f59d56151de28bef83505f6d89c0b0f7f75b2fa8e6dce386075db283ec85ee62555baffad423af25f66069bb69fb6f4d", + "ct" : "d6ee4ee25d3bdea81e76de8934cc51fb849cfca7685708575dc6df7a01e36a81849cfca7685708575dc6df7a01e36a81", + "tag" : "831312cbb0f165dc3e8ff52125f48640", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 217, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "f717f8d5b28032d5c8e8061cd44d71e4f2d55de772fe7a91ce85e410db3e2d8d50d5ddb5400136323fb83f285e40aca2", + "ct" : "d464e022f259679255ce87f8694190e881128ee8fc759140941e89e93658a96e81128ee8fc759140941e89e93658a96e", + "tag" : "821312db9826b5e7fe0a9d30c5e28d4f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 218, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "f28ce708bf26aab862d97e1b42f31ef3e68a922c9219d30f07554d7d99f2bde92c38aca2438b588d5459493e97e7fa33e24c07dd98f9b253ab0c318d9b14f6b15303478f2869b93ee29c837e95fb6b99ee460cd3bb95cf00e009ffd06b86ac75", + "ct" : "d1ffffffffffffffffffffffffffffff954d41231c9238de5dce20847494390afdffffffffffffffffffffffffffffff124a4419f35e64d7f465b3f489e2020dfdffffffffffffffffffffffffffffff124a4419f35e64d7f465b3f489e2020d", + "tag" : "c1045769d487d545cef3f0d34b7a8733", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 219, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "dc8ce708bf26aab862d97e1b42f31ef32e6784d857df07543d0dc72f179935fbede8c8baf01ee2044b162cbb343b355acc29d82327cd93f2bfd918034ed5c42a", + "ct" : "ffffffffffffffffffffffffffffffff5da057d7d954ec856796aad6faffb1183c2f9be74c6a4576e0b09a7a5c2330963c2f9be74c6a4576e0b09a7a5c233096", + "tag" : "64e7efd24516a83e2c87e06a76e2dea3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 220, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "f78ce708bf26aab862d97e1b42f31ef34c6ead26f84a0225d557745d32fc72e72c38aca2438b588d5459493e97e7fa3364db334b69bee579383e61ae742c71bb5303478f2869b93ee29c837e95fb6b9968d138454ad2982a733baff384be2b7f", + "ct" : "d4ffffffffffffffffffffffffffffff3fa97e2976c1e9f48fcc19a4df9af604fdffffffffffffffffffffffffffffff94dd708f021933fd6757e3d766da8507fdffffffffffffffffffffffffffffff94dd708f021933fd6757e3d766da8507", + "tag" : "e6cc6729d79ba558cd73b03cba54d660", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 221, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "f08ce708bf26aab862d97e1b42f31ef34fd8c3757c9f2938dc3b07d85898bfe22a38aca2438b588d5459493e97e7fa336155412415cbdd760142b62c2ec83fbf5503478f2869b93ee29c837e95fb6b996d5f4a2a36a7a0254a477871de5a657b", + "ct" : "d3ffffffffffffffffffffffffffffff3c1f107af214c2e986a06a21b5fe3b01fbffffffffffffffffffffffffffffff915302e07e6c0bf25e2b34553c3ecb03fbffffffffffffffffffffffffffffff915302e07e6c0bf25e2b34553c3ecb03", + "tag" : "e5cc6739bfd0f4638def574b5a43dd6f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 222, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "f28ce708bf26aab862d97e1b42f31ef3df03ca84082f7f70ad8e4004cabd2ce42b38aca2438b588d5459493e97e7fa3328fd413caab1d02bf1c65753aa2ad3b95403478f2869b93ee29c837e95fb6b9924f74a3289ddad78bac3990e5ab8897d", + "ct" : "d1ffffffffffffffffffffffffffffffacc4198b86a494a1f7152dfd27dba807faffffffffffffffffffffffffffffffd8fb02f8c11606afaeafd52ab8dc2705faffffffffffffffffffffffffffffffd8fb02f8c11606afaeafd52ab8dc2705", + "tag" : "0fca702228817d53ee64d142b192e665", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 223, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "f38ce708bf26aab862d97e1b42f31ef31ffc31ae69399394b8c338674c3dfde92938aca2438b588d5459493e97e7fa33477ec8cf3ea3d4d5d76d85ad2b7f0bb85603478f2869b93ee29c837e95fb6b994b74c3c11dcfa9869c684bf0dbed517c", + "ct" : "d0ffffffffffffffffffffffffffffff6c3be2a1e7b27845e258559ea15b790af8ffffffffffffffffffffffffffffffb7788b0b55040251880407d43989ff04f8ffffffffffffffffffffffffffffffb7788b0b55040251880407d43989ff04", + "tag" : "efc3b035ded6b460bfce6f494955e677", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 224, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "2bfd0d56ece98771756d60d9d9106cd0c6fc106936c7ef347c078fd71c54228164fc903b0438a3978d3a54ef992aa3ae", + "ct" : "088e15a1ac30d236e84be13d641c8ddcb53bc366b84c04e5269ce22ef132a662b53bc366b84c04e5269ce22ef132a662", + "tag" : "345fc9fe573c136c1be83730500ce662", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 225, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "f68ce708bf26aab862d97e1b42f31ef37cc2255decdf8e0fe1373591da0e28e42838aca2438b588d5459493e97e7fa33e291fb4838019c51dfb7141515bb53b15703478f2869b93ee29c837e95fb6b99ee9bf0461b6de10294b2da48e5290975", + "ct" : "d5ffffffffffffffffffffffffffffff0f05f652625465debbac58683768ac07f9ffffffffffffffffffffffffffffff1297b88c53a64ad580de966c074da70df9ffffffffffffffffffffffffffffff1297b88c53a64ad580de966c074da70d", + "tag" : "336f97a5faa995a2a03781b591588da8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 226, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "c68ce708bf26aab862d97e1b42f31ef37ab66f8090c149e452ec7f20327eb2ea0438aca2438b588d5459493e97e7fa338d2613ea0ef8b656b247373ecec015bc7b03478f2869b93ee29c837e95fb6b99812c18e42d94cb05f942f9633e524f78", + "ct" : "e5ffffffffffffffffffffffffffffff0971bc8f1e4aa235087712d9df183609d5ffffffffffffffffffffffffffffff7d20502e655f60d2ed2eb547dc36e100d5ffffffffffffffffffffffffffffff7d20502e655f60d2ed2eb547dc36e100", + "tag" : "9351c680c8a5d34882d42145e89745c4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 227, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "c68ce708bf26aab862d97e1b42f31ef374b66f8090c149e452ec7f20327eb2ea2e38aca2438b588d5459493e97e7fa33acd9ec859e0866620cc24c8a97d5d9f55103478f2869b93ee29c837e95fb6b99a0d3e78bbd641b3147c782d767478331", + "ct" : "e5ffffffffffffffffffffffffffffff0771bc8f1e4aa235087712d9df183609ffffffffffffffffffffffffffffffff5cdfaf41f5afb0e653abcef385232d49ffffffffffffffffffffffffffffffff5cdfaf41f5afb0e653abcef385232d49", + "tag" : "d79266cd25a784599a0a8e31fc84d604", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 228, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "f78ce708bf26aab862d97e1b42f31ef34251cd29b0aaa960557c9ea2828334e4e4e231db0a27fac9ec9e744886eb0133c5232142ddf48b3f185140f0fc05f043", + "ct" : "d4ffffffffffffffffffffffffffffff31961e263e2142b10fe7f35b6fe5b00735256286b6535dbb4738c289eef304ff35256286b6535dbb4738c289eef304ff", + "tag" : "9d671d407d7660459d5d582d83915efe", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 229, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "f58ce708bf26aab862d97e1b42f31ef373bd9f01bf3331b12e31dd14cf11feee1d38aca2438b588d5459493e97e7fa33625c6965f61a1c36118c747076d5b7b76203478f2869b93ee29c837e95fb6b996e56626bd57661655a89ba2d8647ed73", + "ct" : "d6ffffffffffffffffffffffffffffff007a4c0e31b8da6074aab0ed22777a0dccffffffffffffffffffffffffffffff925a2aa19dbdcab24ee5f6096423430bccffffffffffffffffffffffffffffff925a2aa19dbdcab24ee5f6096423430b", + "tag" : "7b207c2c3278c64f0d6b913fe371fe63", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 230, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "dc8ce708bf26aab862d97e1b42f31ef3ec0933f0bfb91218cea0d74e061f559e2d38aca2438b588d5459493e97e7fa338d5b67e0acee534ce2d9791487b1ecb25203478f2869b93ee29c837e95fb6b9981516cee8f822e1fa9dcb7497723b676", + "ct" : "ffffffffffffffffffffffffffffffff9fcee0ff3132f9c9943bbab7eb79d17dfcffffffffffffffffffffffffffffff7d5d2424c74985c8bdb0fb6d9547180efcffffffffffffffffffffffffffffff7d5d2424c74985c8bdb0fb6d9547180e", + "tag" : "3672162bb1f3ff537ece013f1aca4f68", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 231, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "dc8ce708bf26aab862d97e1b42f31ef3ee83a14f48db696291080edfcc898b882b38aca2438b588d5459493e97e7fa338ad5f6b0283a8b39ebedce92785da9b65403478f2869b93ee29c837e95fb6b9986dffdbe0b56f66aa0e800cf88cff372", + "ct" : "ffffffffffffffffffffffffffffffff9d447240c65082b3cb93632621ef0f6bfaffffffffffffffffffffffffffffff7ad3b574439d5dbdb4844ceb6aab5d0afaffffffffffffffffffffffffffffff7ad3b574439d5dbdb4844ceb6aab5d0a", + "tag" : "3572163b99284f5f3e4aa94dbab85677", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 232, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "dc8ce708bf26aab862d97e1b42f31ef3e87dd08ed4e4e04c5877616cbb02cabb2938aca2438b588d5459493e97e7fa33874f0401d457e336f4311f1152f957ba5603478f2869b93ee29c837e95fb6b998b450f0ff73b9e65bf34d14ca26b0d7e", + "ct" : "ffffffffffffffffffffffffffffffff9bba03815a6f0b9d02ec0c9556644e58f8ffffffffffffffffffffffffffffff774947c5bff035b2ab589d68400fa306f8ffffffffffffffffffffffffffffff774947c5bff035b2ab589d68400fa306", + "tag" : "3472164b815d9e6afec5505c5aa75d86", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 233, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "c88ce708bf26aab862d97e1b42f31ef36be436e346f8f2b32f4cbbaef95150ef0438aca2438b588d5459493e97e7fa332fb76b5132e930f6d0acf70875e977b57b03478f2869b93ee29c837e95fb6b9923bd605f11854da59ba93955857b2d71", + "ct" : "ebffffffffffffffffffffffffffffff1823e5ecc873196275d7d6571437d40cd5ffffffffffffffffffffffffffffffdfb12895594ee6728fc57571671f8309d5ffffffffffffffffffffffffffffffdfb12895594ee6728fc57571671f8309", + "tag" : "3a7216d7ee1da018ce8412f251656b19", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 234, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "c58ce708bf26aab862d97e1b42f31ef3783cf9302c7d22914b38aca2e7d374ef1d38aca2438b588d5459493e97e7fa33228f2d23597640d574f8e20c4f6b6bb56203478f2869b93ee29c837e95fb6b992e85262d7a1a3d863ffd2c51bff93171", + "ct" : "e6ffffffffffffffffffffffffffffff0bfb2a3fa2f6c94011a3c15b0ab5f00cccffffffffffffffffffffffffffffffd2896ee732d196512b9160755d9d9f09ccffffffffffffffffffffffffffffffd2896ee732d196512b9160755d9d9f09", + "tag" : "367216178ff1dc45ce73b02cd21f8755", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 235, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "dc8ce708bf26aab862d97e1b42f31ef35db72f89d1402b1a0373ff0a9c5cd44b6d67af40798f5455501792953248ec234ca6bfd9ae5c25a3a4d8a62d48a61d53", + "ct" : "ffffffffffffffffffffffffffffffff2e70fc865fcbc0cb59e892f3713a50a8bca0fc1dc5fbf327fbb124545a50e9efbca0fc1dc5fbf327fbb124545a50e9ef", + "tag" : "0b4961c9525ea2f2cdad6273e1c7824c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 236, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "dc8ce708bf26aab862d97e1b42f31ef35f215ec87d62a264cadb519b4ac90a7668d1dd03e56eda6399ac7803e7dd22114910cd9a32bdab956d634cbb9d33d361", + "ct" : "ffffffffffffffffffffffffffffffff2ce68dc7f3e949b590403c62a7af8e95b9168e5e591a7d11320acec28fc527ddb9168e5e591a7d11320acec28fc527dd", + "tag" : "0a4961d93a93f1fd8d290a8281b6895b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 237, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "dc8ce708bf26aab862d97e1b42f31ef3d15ad590dd0f40ba18acd168f6ac777a0f38aca2438b588d5459493e97e7fa33932a097f1d39a04ad30f1b6c650260bf7003478f2869b93ee29c837e95fb6b999f2002713e55dd19980ad53195903a7b", + "ct" : "ffffffffffffffffffffffffffffffffa29d069f5384ab6b4237bc911bcaf399deffffffffffffffffffffffffffffff632c4abb769e76ce8c66991577f49403deffffffffffffffffffffffffffffff632c4abb769e76ce8c66991577f49403", + "tag" : "3572161355240943de9406292a64c551", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 238, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "40115e67ecd3d4178c4c60e713ab4e5e390ef93aeb61aa307f141323c38e0685fa47139a5f4e3f8e92d7a3b71eb4ff0e259445f4ffc31bce540190edd6ad207876a0085c32ddfcbeb01a8be4c34d5331eda1a5b6139750f973f0d4841baa2cb8", + "ct" : "d9ffffffffffffffffffffffffffffffa009d73c6544428cfac0b2d8c7bbef0bedffffffffffffffffffffffffffffff8a5ef60715bc4b07c92b9707376da105edffffffffffffffffffffffffffffff8a5ef60715bc4b07c92b9707376da105", + "tag" : "19532d9fa0b5fbd582aaeda830602f1d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 239, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "49115e67ecd3d4178c4c60e713ab4e5ee02b87aeae8c3da8895f8cb0f6b9cc80f447139a5f4e3f8e92d7a3b71eb4ff0ecc4b7b803a5f8f4647df169080fe567a78a0085c32ddfcbeb01a8be4c34d5331047e9bc2d60bc471602e52f94df95aba", + "ct" : "d0ffffffffffffffffffffffffffffff792ca9a820a9d5140c8b2d4bf28c250ee3ffffffffffffffffffffffffffffff6381c873d020df8fdaf5117a613ed707e3ffffffffffffffffffffffffffffff6381c873d020df8fdaf5117a613ed707", + "tag" : "adbd2cafc8c8f0e51250e7b81c9d0a2d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 240, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "43eadae036f733ea9b5b7eb22aee395db6f51a4d10bc2460810c229651556acf384ad82e3e280cad69f0df25b42b83b0", + "ct" : "da047b7825db1802e8e8e1aac6ba88fc2ff2344b9e99ccdc04d8836d556083412ff2344b9e99ccdc04d8836d55608341", + "tag" : "973e270a7afcab75348e14dbe19c5156", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 241, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "66115e67ecd3d4178c4c60e713ab4e5e891b797521ba925b24090aaf6c4482bae847139a5f4e3f8e92d7a3b71eb4ff0e6d50c32d05a946cb8cea57c9f1442cb164a0085c32ddfcbeb01a8be4c34d5331a565236fe9fd0dfcab1b13a03c432071", + "ct" : "ffffffffffffffffffffffffffffffff101c5773af9f7ae7a1ddab5468716b34ffffffffffffffffffffffffffffffffc29a70deefd6160211c050231084adccffffffffffffffffffffffffffffffffc29a70deefd6160211c050231084adcc", + "tag" : "e17c273f31758e752322ae4869c1bfbb", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 242, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "6a115e67ecd3d4178c4c60e713ab4e5e519cccebf72573dbee8c12f74255d18c0add1035861ffc0b7f40079b969f8c63b2af4fa3ccd16cb38f425c3996140def", + "ct" : "f3ffffffffffffffffffffffffffffffc89be2ed79009b676b58b30c466038021d65fc5026ae3c7a12685bd377d48c921d65fc5026ae3c7a12685bd377d48c92", + "tag" : "a22390224c5db0f01696743d870725c5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 243, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "e235b8c21384557085c3f2eb2a8fa36058cffd2af743dacf96b4ae4d51b4e488d6703f49d9d7f2027e4853feb4ca0df7", + "ct" : "7bdb195a00a87e98f6706df3c6db12c1c1c8d32c7966327313600fb655810d06c1c8d32c7966327313600fb655810d06", + "tag" : "437d1efad21b0865a541b5cab62e2a44", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 244, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "66115e67ecd3d4178c4c60e713ab4e5e8fab58574a322bac6f394474e4ce7eaec347139a5f4e3f8e92d7a3b71eb4ff0e71532dfb0e9141b00983394722829e7c4fa0085c32ddfcbeb01a8be4c34d5331b966cdb9e2c50a872e727d2eef8592bc", + "ct" : "ffffffffffffffffffffffffffffffff16ac7651c417c310eaede58fe0fb9720d4ffffffffffffffffffffffffffffffde999e08e4ee117994a93eadc3421f01d4ffffffffffffffffffffffffffffffde999e08e4ee117994a93eadc3421f01", + "tag" : "acf4ffa20c0d06d61a18e9a8d4c84d1d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 245, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "61115e67ecd3d4178c4c60e713ab4e5e5efe679ba17384c55eb8cc193666fe8d04608c3503d217aa3f90a9b0e1b3b313bc12d3a3491c8712cf92f212e138329f", + "ct" : "f8ffffffffffffffffffffffffffffffc7f9499d2f566c79db6c6de23253170313d86050a363d7db52b8f5f800f8b3e213d86050a363d7db52b8f5f800f8b3e2", + "tag" : "cd466d06e75b7fd18d5fe21d9227d9a7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 246, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "9064b88a282052a1ee44df05ad213da679f8d1f971da17437a2b5e04fbca167151b2650ec945fec70588bc65a616a5f24f354c0c1580af3662d5f8151e3f7e82dd557ec8a4d63df7274594367bef09cd", + "ct" : "098a19123b0c79499df7401d41758c07e0ffffffffffffffffffffffffffffff460a896b69f43eb668a0e02d475da503e0ffffffffffffffffffffffffffffff460a896b69f43eb668a0e02d475da503", + "tag" : "ce8a3d4d887d95613d829b538ed01196", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 247, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "43115e67ecd3d4178c4c60e713ab4e5eeef67bd4795b74015a3493905d544a86e847139a5f4e3f8e92d7a3b71eb4ff0e3197be28eff843592bd8fc8d578421d664a0085c32ddfcbeb01a8be4c34d5331f9a25e6a03ac086e0c29b8e49a832d16", + "ct" : "daffffffffffffffffffffffffffffff77f155d2f77e9cbddfe0326b5961a308ffffffffffffffffffffffffffffffff9e5d0ddb05871390b6f2fb67b644a0abffffffffffffffffffffffffffffffff9e5d0ddb05871390b6f2fb67b644a0ab", + "tag" : "08289f5199df476fe90475cb95225566", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 248, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "6b115e67ecd3d4178c4c60e713ab4e5e1e34412ab0a056e809d5d4b92be1128a4b2a651a62aeab26cf437fb195407574f3583a8c28603b9e3f41241395cbf4f8", + "ct" : "f2ffffffffffffffffffffffffffffff87336f2c3e85be548c0175422fd4fb045c92897fc21f6b57a26b23f9740b75855c92897fc21f6b57a26b23f9740b7585", + "tag" : "06df93f651ea5cc56911f30d3e58f997", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 249, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "3fe606108f35869df4c7aa0128464a1265f8d1f971da17437a2b5e04fbca1671fdbe843a0ad9be25055992ab6dcbc9f153354c0c1580af3662d5f8151e3f7e8271599ffc674a7d152794baf8b03265ce", + "ct" : "a608a7889c19ad7587743519c412fbb3fcffffffffffffffffffffffffffffffea06685faa687e546871cee38c80c900fcffffffffffffffffffffffffffffffea06685faa687e546871cee38c80c900", + "tag" : "9264fc0f47febb30661254daf9a06189", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 250, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "6e8eb98cf7fffe4cd683568cf892991564f8d1f971da17437a2b5e04fbca1671c70f5d8b30c64bf2e6d1d613f40e0bf052354c0c1580af3662d5f8151e3f7e824be8464d5d5588c2c41cfe4029f7a7cf", + "ct" : "f7601814e4d3d5a4a530c99414c628b4fdffffffffffffffffffffffffffffffd0b7b1ee90778b838bf98a5b15450b01fdffffffffffffffffffffffffffffffd0b7b1ee90778b838bf98a5b15450b01", + "tag" : "69a124fc7f96e220d1a031ced5527279", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 251, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "4f115e67ecd3d4178c4c60e713ab4e5e4156269fe3da101eeb0abf8dda20fe8fff47139a5f4e3f8e92d7a3b71eb4ff0e6aece983e64f97e43ff5295bc884fa7773a0085c32ddfcbeb01a8be4c34d5331a2d909c10a1bdcd318046d320583f6b7", + "ct" : "d6ffffffffffffffffffffffffffffffd85108996dfff8a26ede1e76de151701e8ffffffffffffffffffffffffffffffc5265a700c30c72da2df2eb129447b0ae8ffffffffffffffffffffffffffffffc5265a700c30c72da2df2eb129447b0a", + "tag" : "3ea8f9b2012321e63d5fb5bc2c5d332d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 252, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "66115e67ecd3d4178c4c60e713ab4e5e18f125ef374c1454b680e23427e7dc69e447139a5f4e3f8e92d7a3b71eb4ff0e858b08eb1d581570a7cd1e48593b757568a0085c32ddfcbeb01a8be4c34d53314dbee8a9f10c5e47803c5a21943c79b5", + "ct" : "ffffffffffffffffffffffffffffffff81f60be9b969fce8335443cf23d235e7f3ffffffffffffffffffffffffffffff2a41bb18f72745b93ae719a2b8fbf408f3ffffffffffffffffffffffffffffff2a41bb18f72745b93ae719a2b8fbf408", + "tag" : "dfaf8a3a15d45e7f4c3430048d8589f0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 253, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "b02ab747a310d6a3bbdb97018a3be8b341f8d1f971da17437a2b5e04fbca1671b7a338bc3423895f0fd96cdb27a787f277354c0c1580af3662d5f8151e3f7e823b44237a59b04a6f2d144488fa5e2bcd", + "ct" : "29c416dfb03cfd4bc8680819666f5912d8ffffffffffffffffffffffffffffffa01bd4d99492492e62f13093c6ec8703d8ffffffffffffffffffffffffffffffa01bd4d99492492e62f13093c6ec8703", + "tag" : "3408eb2b13a9b76befcedf699422d61f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 254, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "40115e67ecd3d4178c4c60e713ab4e5e380ef93aeb61aa307f141323c38e0685f647139a5f4e3f8e92d7a3b71eb4ff0e3f769a30e8951ff2fb365fa780fdde7e7aa0085c32ddfcbeb01a8be4c34d5331f7437a7204c154c5dcc71bce4dfad2be", + "ct" : "d9ffffffffffffffffffffffffffffffa109d73c6544428cfac0b2d8c7bbef0be1ffffffffffffffffffffffffffffff90bc29c302ea4f3b661c584d613d5f03e1ffffffffffffffffffffffffffffff90bc29c302ea4f3b661c584d613d5f03", + "tag" : "09f4f2a3936d7461a67ce022176bb8dd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 255, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "40115e67ecd3d4178c4c60e713ab4e5e060ef93aeb61aa307f141323c38e0685ee47139a5f4e3f8e92d7a3b71eb4ff0e2bca70bfcdf1171ab611d12bed5d627a62a0085c32ddfcbeb01a8be4c34d5331e3ff90fd21a55c2d91e09542205a6eba", + "ct" : "d9ffffffffffffffffffffffffffffff9f09d73c6544428cfac0b2d8c7bbef0bf9ffffffffffffffffffffffffffffff8400c34c278e47d32b3bd6c10c9de307f9ffffffffffffffffffffffffffffff8400c34c278e47d32b3bd6c10c9de307", + "tag" : "2eb2679aadfd824a5fd8fa2e4a55a65c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 256, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "56115e67ecd3d4178c4c60e713ab4e5e6c7e1312c6774fae7d1e5d0cc609028ff547139a5f4e3f8e92d7a3b71eb4ff0e81c9e61cbeeed5546b1ce5d8fef21a7a79a0085c32ddfcbeb01a8be4c34d533149fc065e52ba9e634ceda1b133f516ba", + "ct" : "cffffffffffffffffffffffffffffffff5793d144852a712f8cafcf7c23ceb01e2ffffffffffffffffffffffffffffff2e0355ef5491859df636e2321f329b07e2ffffffffffffffffffffffffffffff2e0355ef5491859df636e2321f329b07", + "tag" : "5e89349f6b011cd6e24ee6ac2f590c21", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 257, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "2ea8410b4dca8c9d5369a033d8db61e46cf8d1f971da17437a2b5e04fbca1671f0f58e8bba6cf1a52146273d8fe0c4fc5a354c0c1580af3662d5f8151e3f7e827c12954dd7ff3295038b0f6e521968c3", + "ct" : "b746e0935ee6a77520da3f2b348fd045f5ffffffffffffffffffffffffffffffe74d62ee1add31d44c6e7b756eabc40df5ffffffffffffffffffffffffffffffe74d62ee1add31d44c6e7b756eabc40d", + "tag" : "b24537fcb0dcb6200b0285cafc9c3a7d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 258, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "17059a7c8883a28b90bd94ae44d1543662f8d1f971da17437a2b5e04fbca1671a23018bf8e68e413e99ac2d4ab3f8df154354c0c1580af3662d5f8151e3f7e822ed70379e3fb2723cb57ea8776c621ce", + "ct" : "8eeb3be49baf8963e30e0bb6a885e597fbffffffffffffffffffffffffffffffb588f4da2ed9246284b29e9c4a748d00fbffffffffffffffffffffffffffffffb588f4da2ed9246284b29e9c4a748d00", + "tag" : "43300400ea36e720361153ce0c5d637d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 259, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "aaa1b258fd4b54b497b520806a66d7aa68f8d1f971da17437a2b5e04fbca167199132a234a8c789bf8544547940ec3f35e354c0c1580af3662d5f8151e3f7e8215f431e5271fbbabda996d1449f76fcc", + "ct" : "334f13c0ee677f5ce406bf988632660bf1ffffffffffffffffffffffffffffff8eabc646ea3db8ea957c190f7545c302f1ffffffffffffffffffffffffffffff8eabc646ea3db8ea957c190f7545c302", + "tag" : "d79a0310124adc30c6b64cdef8993e8d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 260, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "4c115e67ecd3d4178c4c60e713ab4e5ebb5357ed314ad740b9910fad6f01d781f047139a5f4e3f8e92d7a3b71eb4ff0ec8042b414fdd1bba3a6c936b7ed678797ca0085c32ddfcbeb01a8be4c34d53310031cb03a389508d1d9dd702b3d174b9", + "ct" : "d5ffffffffffffffffffffffffffffff225479ebbf6f3ffc3c45ae566b343e0fe7ffffffffffffffffffffffffffffff67ce98b2a5a24b73a74694819f16f904e7ffffffffffffffffffffffffffffff67ce98b2a5a24b73a74694819f16f904", + "tag" : "e6022cc3ba20e3f9065fdfcc43a9dc40", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 261, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "66115e67ecd3d4178c4c60e713ab4e5ef64296975af7fced168181f76c6508e1c947139a5f4e3f8e92d7a3b71eb4ff0e4975060f7ddef4a098699333b30fbf7c45a0085c32ddfcbeb01a8be4c34d53318140e64d918abf97bf98d75a7e08b3bc", + "ct" : "ffffffffffffffffffffffffffffffff6f45b891d4d214519355200c6850e16fdeffffffffffffffffffffffffffffffe6bfb5fc97a1a469054394d952cf3e01deffffffffffffffffffffffffffffffe6bfb5fc97a1a469054394d952cf3e01", + "tag" : "353e304fd8553286b26e0d59942fe7cd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 262, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "9841cfc927a57dc491ab35427ff935e66ef8d1f971da17437a2b5e04fbca1671a683c8f9f9e6780fda4940ddedd76bf258354c0c1580af3662d5f8151e3f7e822a64d33f9475bb3ff884688e302ec7cd", + "ct" : "01af6e513489562ce218aa5a93ad8447f7ffffffffffffffffffffffffffffffb13b249c5957b87eb7611c950c9c6b03f7ffffffffffffffffffffffffffffffb13b249c5957b87eb7611c950c9c6b03", + "tag" : "0aeb04ecf7def40c42025bbae5509169", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 263, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "42115e67ecd3d4178c4c60e713ab4e5e0b61bf9b7caf83cc34da625593514289e847139a5f4e3f8e92d7a3b71eb4ff0e696a5c7fb9da9cd4a39c8591086db42d64a0085c32ddfcbeb01a8be4c34d5331a15fbc3d558ed7e3846dc1f8c56ab8ed", + "ct" : "dbffffffffffffffffffffffffffffff9266919df28a6b70b10ec3ae9764ab07ffffffffffffffffffffffffffffffffc6a0ef8c53a5cc1d3eb6827be9ad3550ffffffffffffffffffffffffffffffffc6a0ef8c53a5cc1d3eb6827be9ad3550", + "tag" : "8fc4f77a6ee052a4c314780b8df9a2d0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 264, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "4b115e67ecd3d4178c4c60e713ab4e5ef28e4d0f20ca1644470c9cdac6000887ed47139a5f4e3f8e92d7a3b71eb4ff0e1464775bacd5c69fe26e1a74968ea27e61a0085c32ddfcbeb01a8be4c34d5331dc51971940818da8c59f5e1d5b89aebe", + "ct" : "d2ffffffffffffffffffffffffffffff6b896309aeeffef8c2d83d21c235e109faffffffffffffffffffffffffffffffbbaec4a846aa96567f441d9e774e2303faffffffffffffffffffffffffffffffbbaec4a846aa96567f441d9e774e2303", + "tag" : "232ff78a96f347b453ba711b79367ee0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 265, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "4d115e67ecd3d4178c4c60e713ab4e5e6ee628fc4b5830184cd293364a213e84fe47139a5f4e3f8e92d7a3b71eb4ff0e29db953ad5458fea61f013ea1854fe7572a0085c32ddfcbeb01a8be4c34d5331e1ee75783911c4dd46015783d553f2b5", + "ct" : "d4fffffffffffffffffffffffffffffff7e106fac57dd8a4c90632cd4e14d70ae9ffffffffffffffffffffffffffffff861126c93f3adf23fcda1400f9947f08e9ffffffffffffffffffffffffffffff861126c93f3adf23fcda1400f9947f08", + "tag" : "e00d2e8bae5d09c28e9bf59409545d09", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 266, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "19de9b9ec8b247d42bbee2016d6715babc286fd979807951b183a188930ad15edcf0b056a2eecc51d30838e640615e14890e659fd3028c904e65018fdfd6038333d14da7b4f76f9f68fa8903138d563c33b7fb50c3e7ebca970f6f89a88a82d6", + "ct" : "f9ffffffffffffffffffffffffffffff015d1565924f6c7418de9babf8be4407edffffffffffffffffffffffffffffff2e110e5e1c0468cbaad99c8abeffff07edffffffffffffffffffffffffffffff2e110e5e1c0468cbaad99c8abeffff07", + "tag" : "47e5d4294239db73b836c04070ff5b2d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 267, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "1fde9b9ec8b247d42bbee2016d6715ba839f811ad0310c77052f45320b0d9560c4f0b056a2eecc51d30838e640615e1470d6b14fd209fedf261fd1d250d3478d2bd14da7b4f76f9f68fa8903138d563cca6f2f80c2ec9985ff75bfd4278fc6d8", + "ct" : "ffffffffffffffffffffffffffffffff3eeafba63bfe1952ac727f1160b90039f5ffffffffffffffffffffffffffffffd7c9da8e1d0f1a84c2a34cd731fabb09f5ffffffffffffffffffffffffffffffd7c9da8e1d0f1a84c2a34cd731fabb09", + "tag" : "232c882f7a1a2f808ccf26496cff5b3d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 268, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "97311cd6e2d25a7b4eaa16f0a61ca6246b8a85431430eada56a2c5dc944b6aa695136310b6b6b5c17c9f8c02ba7d0aeb71e0943e30f91ba41b4362fa9ed6037b7a329ee1a0af160fc76d3de7e99102c3", + "ct" : "771078b7d59fe2509aeb0b0e34844c61d6ffffffffffffffffffffffffffffffa41c2cb9eba7866f50684b1b05e3ab00d6ffffffffffffffffffffffffffffffa41c2cb9eba7866f50684b1b05e3ab00", + "tag" : "d71bc70d5adc74e7dfd89406fc15f044", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 269, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "34de9b9ec8b247d42bbee2016d6715ba74cf7e9d82b7e8ed9ec965f6ea310951dc104940e08a4222556828eba459f65a4a006d28729d95d79d2372f77aeeab35", + "ct" : "d4ffffffffffffffffffffffffffffffc9ba04216978fdc837945fd581859c08ed1f06e9bd9b718c799feff21bc757b1ed1f06e9bd9b718c799feff21bc757b1", + "tag" : "21e63987d494673f3040ae9de2bc0da0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 270, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "e72b83514e5e50509070359c1cac7e1c428a85431430eada56a2c5dc944b6aa6dad35950d8a9b55a472f9bb8860a526358e0943e30f91ba41b4362fa9ed6037b35f2a4a1ceb01694fcdd2a5dd5e65a4b", + "ct" : "070ae7307913e87b443128628e349459ffffffffffffffffffffffffffffffffebdc16f985b886f46bd85ca13994f388ffffffffffffffffffffffffffffffffebdc16f985b886f46bd85ca13994f388", + "tag" : "e4fb945d6a2d0b947834317cc415f024", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 271, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "8c6165f445443588041b6e044fb6baae728a85431430eada56a2c5dc944b6aa6881a54c09516a1f1cae7b9dd71130ee168e0943e30f91ba41b4362fa9ed6037b673ba931830f023f7115083822ff06c9", + "ct" : "6c40019572098da3d05a73fadd2e50ebcfffffffffffffffffffffffffffffffb9151b69c807925fe6107ec4ce8daf0acfffffffffffffffffffffffffffffffb9151b69c807925fe6107ec4ce8daf0a", + "tag" : "c0424863a20e5fa04ccd9784c015f034", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 272, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "18e36174545fa7ec9ea9f05d7057c5ca638a85431430eada56a2c5dc944b6aa6434e1c5e71005b690ca5cb8d580b89ed79e0943e30f91ba41b4362fa9ed6037bac6fe1af6719f8a7b7577a680be781c5", + "ct" : "f8c2051563121fc74ae8eda3e2cf2f8fdeffffffffffffffffffffffffffffff724153f72c1168c720520c94e7952806deffffffffffffffffffffffffffffff724153f72c1168c720520c94e7952806", + "tag" : "aa7293ffe5db30a31f2581e0e7ae56ed", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 273, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "12de9b9ec8b247d42bbee2016d6715ba54305dff6b61c40b775c352d025c1a56d7f0b056a2eecc51d30838e640615e14bce574e9e11afedbdca021e53bb9188338d14da7b4f76f9f68fa8903138d563c065cea26f1ff998105ca4fe34ce599d6", + "ct" : "f2ffffffffffffffffffffffffffffffe945274380aed12ede010f0e69e88f0fe6ffffffffffffffffffffffffffffff1bfa1f282e1c1a80381cbce05a90e407e6ffffffffffffffffffffffffffffff1bfa1f282e1c1a80381cbce05a90e407", + "tag" : "42e5d43d1e808e79f017144d4498c235", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 274, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "1fde9b9ec8b247d42bbee2016d6715badf0599194b0ce890cc1d8eb383b57f38dcf0b056a2eecc51d30838e640615e1435df81077d068077ce805ea592f6f88833d14da7b4f76f9f68fa8903138d563c8f661fc86de3e72d17ea30a3e5aa79dd", + "ct" : "ffffffffffffffffffffffffffffffff6270e3a5a0c3fdb56540b490e801ea61edffffffffffffffffffffffffffffff92c0eac6b200642c2a3cc3a0f3df040cedffffffffffffffffffffffffffffff92c0eac6b200642c2a3cc3a0f3df040c", + "tag" : "6cf2f9230af8679e7ecb19421362fce3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 275, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "39de9b9ec8b247d42bbee2016d6715ba4092e1f9a22c8b18184d805c128ade57c7f0b056a2eecc51d30838e640615e1464fe8b9bdd215a620973affefe93398528d14da7b4f76f9f68fa8903138d563cde471554cdc43d38d019c1f889cfb8d0", + "ct" : "d9fffffffffffffffffffffffffffffffde79b4549e39e3db110ba7f793e4b0ef6ffffffffffffffffffffffffffffffc3e1e05a1227be39edcf32fb9fbac501f6ffffffffffffffffffffffffffffffc3e1e05a1227be39edcf32fb9fbac501", + "tag" : "6d46d2230a9848d518f9d94bb2c49caa", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 276, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "12de9b9ec8b247d42bbee2016d6715ba327f3a1befb4287c17450391ed0eb854d6f0b056a2eecc51d30838e640615e141460d3545c29ddc790711b8e7533698539d14da7b4f76f9f68fa8903138d563caed94d9b4cccba9d491b7588026fe8d0", + "ct" : "f2ffffffffffffffffffffffffffffff8f0a40a7047b3d59be1839b286ba2d0de7ffffffffffffffffffffffffffffffb37fb895932f399c74cd868b141a9501e7ffffffffffffffffffffffffffffffb37fb895932f399c74cd868b141a9501", + "tag" : "74dda12e0558877bc0e40c3eace0af29", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 277, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "1bde9b9ec8b247d42bbee2016d6715ba85b67664ee49fa347fbfd2dd92007c57def0b056a2eecc51d30838e640615e14fb27ee075b3c0f0f682babdde63dad8731d14da7b4f76f9f68fa8903138d563c419e70c84bd96855b141c5db91612cd2", + "ct" : "fbffffffffffffffffffffffffffffff38c30cd80586ef11d6e2e8fef9b4e90eefffffffffffffffffffffffffffffff5c3885c6943aeb548c9736d887145103efffffffffffffffffffffffffffffff5c3885c6943aeb548c9736d887145103", + "tag" : "502455343d39db87947d7346a8e0af39", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 278, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "36de9b9ec8b247d42bbee2016d6715ba1132811b2f18321ba99b12432c7f865aa3352cd2d7ac70b4c6f5419767926e20352508ba45bba7410ebe1b8bb925334f", + "ct" : "d6ffffffffffffffffffffffffffffffac47fba7c4d7273e00c6286047cb1303923a637b8abd431aea02868ed80ccfcb923a637b8abd431aea02868ed80ccfcb", + "tag" : "14fba149d1c0edc8aa665851126b5afd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 279, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "1fde9b9ec8b247d42bbee2016d6715baf999461058f6d7733e5cd0d1639d9025cbf0b056a2eecc51d30838e640615e14520a0da50439db00e289e1791342068e24d14da7b4f76f9f68fa8903138d563ce8b3936a14dcbc5a3be38f7f641e87db", + "ct" : "ffffffffffffffffffffffffffffffff44ec3cacb339c2569701eaf20829057cfafffffffffffffffffffffffffffffff5156664cb3f3f5b06357c7c726bfa0afafffffffffffffffffffffffffffffff5156664cb3f3f5b06357c7c726bfa0a", + "tag" : "bf7fbd422cbf0e700fd1605be8fd212f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 280, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "15de9b9ec8b247d42bbee2016d6715bacc1629a40cd11eafdf04138b45afe458eff0b056a2eecc51d30838e640615e14340ac9b45a5896a418a8cee8032e078f00d14da7b4f76f9f68fa8903138d563c8eb3577b4abdf1fec1c2a0ee747286da", + "ct" : "f5ffffffffffffffffffffffffffffff71635318e71e0b8a765929a82e1b7101deffffffffffffffffffffffffffffff9315a275955e72fffc1453ed6207fb0bdeffffffffffffffffffffffffffffff9315a275955e72fffc1453ed6207fb0b", + "tag" : "c6f23204865b0adde0070037d6538dd3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 281, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "31de9b9ec8b247d42bbee2016d6715baff746ef53ec3357cbc3c3ce4ab1d2d51ed9eb456dc9d9b59f656a5d2d974d26a7b8e903e4e8a4cac3e1dffce07c38f05", + "ct" : "d1ffffffffffffffffffffffffffffff42011449d50c2059156106c7c0a9b808dc91fbff818ca8f7daa162cb66ea7381dc91fbff818ca8f7daa162cb66ea7381", + "tag" : "8cff61b7b3919ed6bde72b36e0d31326", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 282, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "19de9b9ec8b247d42bbee2016d6715babf286fd979807951b183a188930ad15ecef0b056a2eecc51d30838e640615e1464413d71939b9cb0a4d32ef115da9e1021d14da7b4f76f9f68fa8903138d563cdef8a3be837efbea7db940f762861f45", + "ct" : "f9ffffffffffffffffffffffffffffff025d1565924f6c7418de9babf8be4407ffffffffffffffffffffffffffffffffc35e56b05c9d78eb406fb3f474f36294ffffffffffffffffffffffffffffffffc35e56b05c9d78eb406fb3f474f36294", + "tag" : "369cf17011cae47539e2723f010cf980", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 283, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "19de9b9ec8b247d42bbee2016d6715babd286fd979807951b183a188930ad15ee3f0b056a2eecc51d30838e640615e14f25e78fe1b53ae416d1fbc698522618f0cd14da7b4f76f9f68fa8903138d563c48e7e6310bb6c91bb475d26ff27ee0da", + "ct" : "f9ffffffffffffffffffffffffffffff005d1565924f6c7418de9babf8be4407d2ffffffffffffffffffffffffffffff5541133fd4554a1a89a3216ce40b9d0bd2ffffffffffffffffffffffffffffff5541133fd4554a1a89a3216ce40b9d0b", + "tag" : "532eb8e272a8d171378b0d42dff2bed9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 284, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "32de9b9ec8b247d42bbee2016d6715ba258d5d3e441683f546beba2e23755f5ccef0b056a2eecc51d30838e640615e149d13fdf8fa899836fa5c410d4ccd25ea21d14da7b4f76f9f68fa8903138d563c27aa6337ea6cff6c23362f0b3b91a4bf", + "ct" : "d2ffffffffffffffffffffffffffffff98f82782afd996d0efe3800d48c1ca05ffffffffffffffffffffffffffffffff3a0c9639358f7c6d1ee0dc082de4d96effffffffffffffffffffffffffffffff3a0c9639358f7c6d1ee0dc082de4d96e", + "tag" : "d1be7426cd12446fe52e8d45331e0835", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 285, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "1fde9b9ec8b247d42bbee2016d6715bad64add2aa3c5a30a31d9e65e90f93ad1cbf0b056a2eecc51d30838e640615e14de9aeab86144d5464811b2373ba4cc8324d14da7b4f76f9f68fa8903138d563c6423747771a1b21c917bdc314cf84dd6", + "ct" : "ffffffffffffffffffffffffffffffff6b3fa796480ab62f9884dc7dfb4daf88faffffffffffffffffffffffffffffff79858179ae42311dacad2f325a8d3007faffffffffffffffffffffffffffffff79858179ae42311dacad2f325a8d3007", + "tag" : "62630c18de8c10876adb9f30f300963f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 286, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "1fde9b9ec8b247d42bbee2016d6715bacc3492272b8a4b112a4e7d7ccf092692cef0b056a2eecc51d30838e640615e1430ce678e9375b2af0b82c2d2fbd7928c21d14da7b4f76f9f68fa8903138d563c8a77f9418390d5f5d2e8acd48c8b13d9", + "ct" : "ffffffffffffffffffffffffffffffff7141e89bc0455e348313475fa4bdb3cbffffffffffffffffffffffffffffffff97d10c4f5c7356f4ef3e5fd79afe6e08ffffffffffffffffffffffffffffffff97d10c4f5c7356f4ef3e5fd79afe6e08", + "tag" : "feb6412b9031f076eddcd9426fff5b31", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 287, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "34de9b9ec8b247d42bbee2016d6715ba722b6549c9df0f4b04b5f7432203fa54cef0b056a2eecc51d30838e640615e1487de186cd28e43544c73de628fd1d60e21d14da7b4f76f9f68fa8903138d563c3d6786a3c26b240e9519b064f88d575b", + "ct" : "d4ffffffffffffffffffffffffffffffcf5e1ff522101a6eade8cd6049b76f0dffffffffffffffffffffffffffffffff20c173ad1d88a70fa8cf4367eef82a8affffffffffffffffffffffffffffffff20c173ad1d88a70fa8cf4367eef82a8a", + "tag" : "dafdf430c8124483c175404b6bff5b41", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 288, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "3dde9b9ec8b247d42bbee2016d6715bac5629699cfd4d9036cef478ed705be5650f575882c3800f757ea6e0f8c6d47acc6e551e0be2fd7029fa1341352da1ac3", + "ct" : "ddffffffffffffffffffffffffffffff7817ec25241bcc26c5b27dadbcb12b0f61fa3a21712933597b1da91633f3e64761fa3a21712933597b1da91633f3e647", + "tag" : "f8800c5b6283dddfc41f935c01bd0d24", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 289, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "1fde9b9ec8b247d42bbee2016d6715ba66d624f288f52941ca24865ce96f0d9736ff33a27c23f4976fc74f1fcd82f5cca0ef17caee342362a78c15031335a8a3", + "ct" : "ffffffffffffffffffffffffffffffffdba35e4e633a3c646379bc7f82db98ce07f07c0b2132c73943308806721c542707f07c0b2132c73943308806721c5427", + "tag" : "38bfb8318c627d86c34bab1f1ebd0db0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 290, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "f4ebbe3fca96bc4885b35582c43e0eb3588a85431430eada56a2c5dc944b6aa6b4570e8446e886bcbff82a24f49be5ed42e0943e30f91ba41b4362fa9ed6037b5b76f37550f12572040a9bc1a777edc5", + "ct" : "14cada5efddb046351f2487c56a6e4f6e5ffffffffffffffffffffffffffffff8558412d1bf9b512930fed3d4b054406e5ffffffffffffffffffffffffffffff8558412d1bf9b512930fed3d4b054406", + "tag" : "af7293eb09957d9de7432dd41316f0e4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 291, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "1ade9b9ec8b247d42bbee2016d6715ba571a3fca3cda7def4c93d4a382ca3a57eaf0b056a2eecc51d30838e640615e1476cddbee2f185776174f6df3bbe5b38105d14da7b4f76f9f68fa8903138d563ccc7445213ffd302cce2503f5ccb932d4", + "ct" : "faffffffffffffffffffffffffffffffea6f4576d71568cae5ceee80e97eaf0edbffffffffffffffffffffffffffffffd1d2b02fe01eb32df3f3f0f6dacc4f05dbffffffffffffffffffffffffffffffd1d2b02fe01eb32df3f3f0f6dacc4f05", + "tag" : "e178b0d5eb9bc551fa645c49f9f17667", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 292, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "1fde9b9ec8b247d42bbee2016d6715babe31a501536a7c91e4a102cc27cdfe09d2f0b056a2eecc51d30838e640615e14dd9416a12e2f81bdee023d462feef7833dd14da7b4f76f9f68fa8903138d563c672d886e3ecae6e73768534058b276d6", + "ct" : "ffffffffffffffffffffffffffffffff0344dfbdb8a569b44dfc38ef4c796b50e3ffffffffffffffffffffffffffffff7a8b7d60e12965e60abea0434ec70b07e3ffffffffffffffffffffffffffffff7a8b7d60e12965e60abea0434ec70b07", + "tag" : "bdbf63db237d195ecefdc251f5f17677", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 293, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "3ede9b9ec8b247d42bbee2016d6715ba8567a7fde812a3aa2f552a33c1718c58e2f0b056a2eecc51d30838e640615e14bb8729fd148f23b2a916b7f40f2f29810dd14da7b4f76f9f68fa8903138d563c013eb732046a44e8707cd9f27873a8d4", + "ct" : "deffffffffffffffffffffffffffffff3812dd4103ddb68f86081010aac51901d3ffffffffffffffffffffffffffffff1c98423cdb89c7e94daa2af16e06d505d3ffffffffffffffffffffffffffffff1c98423cdb89c7e94daa2af16e06d505", + "tag" : "b4ccb422bc5f7264aff73f3675ff5b19", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "ivSize" : 0, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 294, + "comment" : "invalid nonce size", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "ivSize" : 64, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 295, + "comment" : "invalid nonce size", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "0001020304050607", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "ivSize" : 88, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 296, + "comment" : "invalid nonce size", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "ivSize" : 104, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 297, + "comment" : "invalid nonce size", + "key" : 
"202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b0c", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "ivSize" : 112, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 298, + "comment" : "invalid nonce size", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b0c0d", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "ivSize" : 128, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 299, + "comment" : "invalid nonce size", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b0c0d0e0f", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "ivSize" : 160, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 300, + "comment" : "invalid nonce size", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b0c0d0e0f10111213", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "", + "result" : "invalid", + "flags" : [] + } + ] + } + ] +} diff --git a/rust/tests/wycheproof/ecdh_secp256r1_ecpoint_test.json b/rust/tests/wycheproof/ecdh_secp256r1_ecpoint_test.json new file mode 100644 index 00000000..ec52db79 --- /dev/null +++ b/rust/tests/wycheproof/ecdh_secp256r1_ecpoint_test.json 
@@ -0,0 +1,1994 @@ +{ + "algorithm" : "ECDH", + "generatorVersion" : "0.8r12", + "numberOfTests" : 216, + "header" : [ + "Test vectors of type EcdhWebTest are intended for", + "testing an ECDH implementations where the public key", + "is just an ASN encoded point." + ], + "notes" : { + "AddSubChain" : "The private key has a special value. Implementations using addition subtraction chains for the point multiplication may get the point at infinity as an intermediate result. See CVE_2017_10176", + "CompressedPoint" : "The point in the public key is compressed. Not every library supports points in compressed format." + }, + "schema" : "ecdh_ecpoint_test_schema.json", + "testGroups" : [ + { + "curve" : "secp256r1", + "encoding" : "ecpoint", + "type" : "EcdhEcpointTest", + "tests" : [ + { + "tcId" : 1, + "comment" : "normal case", + "public" : "0462d5bd3372af75fe85a040715d0f502428e07046868b0bfdfa61d731afe44f26ac333a93a9e70a81cd5a95b5bf8d13990eb741c8c38872b4a07d275a014e30cf", + "private" : "0612465c89a023ab17855b0a6bcebfd3febb53aef84138647b5352e02c10c346", + "shared" : "53020d908b0219328b658b525f26780e3ae12bcd952bb25a93bc0895e1714285", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 2, + "comment" : "compressed public key", + "public" : "0362d5bd3372af75fe85a040715d0f502428e07046868b0bfdfa61d731afe44f26", + "private" : "0612465c89a023ab17855b0a6bcebfd3febb53aef84138647b5352e02c10c346", + "shared" : "53020d908b0219328b658b525f26780e3ae12bcd952bb25a93bc0895e1714285", + "result" : "acceptable", + "flags" : [ + "CompressedPoint" + ] + }, + { + "tcId" : 3, + "comment" : "edge case for shared secret", + "public" : "0458fd4168a87795603e2b04390285bdca6e57de6027fe211dd9d25e2212d29e62080d36bd224d7405509295eed02a17150e03b314f96da37445b0d1d29377d12c", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 4, + 
"comment" : "edge case for shared secret", + "public" : "040f6d20c04261ecc3e92846acad48dc8ec5ee35ae0883f0d2ea71216906ee1c47c042689a996dd12830ae459382e94aac56b717af2e2080215f9e41949b1f52be", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "00000000000000000000000000000000ffffffffffffffffffffffffffffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 5, + "comment" : "edge case for shared secret", + "public" : "0400c7defeb1a16236738e9a1123ba621bc8e9a3f2485b3f8ffde7f9ce98f5a8a1cb338c3912b1792f60c2b06ec5231e2d84b0e596e9b76d419ce105ece3791dbc", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "0000000000000000ffffffffffffffff00000000000000010000000000000001", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 6, + "comment" : "edge case for shared secret", + "public" : "04e9b98fb2c0ac045f8c76125ffd99eb8a5157be1d7db3e85d655ec1d8210288cf218df24fd2c2746be59df41262ef3a97d986744b2836748a7486230a319ffec0", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "00000000ffffffff00000000ffffffff00000000ffffffff0000000100000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 7, + "comment" : "edge case for shared secret", + "public" : "04e9484e58f3331b66ffed6d90cb1c78065fa28cfba5c7dd4352013d3252ee4277bd7503b045a38b4b247b32c59593580f39e6abfa376c3dca20cf7f9cfb659e13", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "000003ffffff0000003ffffff0000003ffffff0000003ffffff0000003ffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 8, + "comment" : "edge case for shared secret", + "public" : "04767d7fbb84aa6a4db1079372644e42ecb2fec200c178822392cb8b950ffdd0c91c86853cafd09b52ba2f287f0ebaa26415a3cfabaf92c6a617a19988563d9dea", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : 
"0000ffff0000ffff0000ffff0000ffff0000ffff0000ffff0000ffff00010001", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 9, + "comment" : "edge case for shared secret", + "public" : "04c74d546f2fcc6dd392f85e5be167e358de908756b0c0bb01cb69d864ca083e1c93f959eece6e10ee11bd3934207d65ae28af68b092585a1509260eceb39b92ef", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "085ec5a4af40176b63189069aeffcb229c96d3e046e0283ed2f9dac21b15ad3c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 10, + "comment" : "edge case for shared secret", + "public" : "0434fc9f1e7a094cd29598d1841fa9613dbe82313d633a51d63fb6eff074cc9b9a4ecfd9f258c5c4d4210b49751213a24c596982bd1d54e0445443f21ef15492a5", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "190c25f88ad9ae3a098e6cffe6fd0b1bea42114eb0cedd5868a45c5fe277dff3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 11, + "comment" : "edge case for shared secret", + "public" : "04d5c96efd1907fd48de2ad715acf82eae5c6690fe3efe16a78d61c68d3bfd10df03eac816b9e7b776192a3f5075887c0e225617505833ca997cda32fd0f673c5e", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "507442007322aa895340cba4abc2d730bfd0b16c2c79a46815f8780d2c55a2dd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 12, + "comment" : "edge case for shared secret", + "public" : "04f475f503a770df72c45aedfe42c008f59aa57e72b232f26600bdd0353957cb20bdb8f6405b4918050a3549f44c07a8eba820cdce4ece699888c638df66f54f7c", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "5f177bfe19baaaee597e68b6a87a519e805e9d28a70cb72fd40f0fe5a754ba45", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 13, + "comment" : "edge case for shared secret", + "public" : "04f3cb6754b7e2a86d064dfb9f903185aaa4c92b481c2c1a1ff276303bbc4183e49c318599b0984c3563df339311fe143a7d921ee75b755a52c6f804f897b809f7", + "private" : 
"0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "7fff0001fffc0007fff0001fffc0007fff0001fffc0007fff0001fffc0007fff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 14, + "comment" : "edge case for shared secret", + "public" : "04cce13fbdc96a946dfb8c6d9ed762dbd1731630455689f57a437fee124dd54cecaef78026c653030cf2f314a67064236b0a354defebc5e90c94124e9bf5c4fc24", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "8000000000000000000000000000000000000000000000000000000000000004", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 15, + "comment" : "edge case for shared secret", + "public" : "047633dfd0ad06765097bc11bd5022b200df31f28c4ff0625421221ac7eeb6e6f4cb9c67693609ddd6f92343a5a1c635408240f4f8e27120c12554c7ff8c76e2fe", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "8000003ffffff0000007fffffe000000ffffffc000001ffffff8000004000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 16, + "comment" : "edge case for shared secret", + "public" : "04a386ace573f87558a68ead2a20088e3fe928bdae9e109446f93a078c15741f0421261e6db2bf12106e4c6bf85b9581b4c0302a526222f90abc5a549206b11011", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "ff00000001fffffffc00000007fffffff00000001fffffffc00000007fffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 17, + "comment" : "edge case for shared secret", + "public" : "048e7b50f7d8c44d5d3496c43141a502f4a43f153d03ad43eda8e39597f1d477b8647f3da67969b7f989ff4addc393515af40c82085ce1f2ee195412c6f583774f", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "ffff00000003fffffff00000003fffffff00000003fffffff00000003fffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 18, + "comment" : "edge case for shared secret", + "public" : 
"04c827fb930fd51d926086191b502af83abb5f717debc8de29897a3934b2571ca05990c0597b0b7a2e42febd56b13235d1d408d76ed2c93b3facf514d902f6910a", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "ffffffff00000000000000ffffffffffffff00000000000000ffffffffffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 19, + "comment" : "y-coordinate of the public key is small", + "public" : "043cbc1b31b43f17dc200dd70c2944c04c6cb1b082820c234a300b05b7763844c74fde0a4ef93887469793270eb2ff148287da9265b0334f9e2609aac16e8ad503", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "7fffffffffffffffffffffffeecf2230ffffffffffffffffffffffffffffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 20, + "comment" : "y-coordinate of the public key is small", + "public" : "042830d96489ae24b79cad425056e82746f9e3f419ab9aa21ca1fbb11c7325e7d318abe66f575ee8a2f1c4a80e35260ae82ad7d6f661d15f06967930a585097ef7", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "000000000000000000000000111124f400000000000000000000000000000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 21, + "comment" : "y-coordinate of the public key is small", + "public" : "04450b6b6e2097178e9d2850109518d28eb3b6ded2922a5452003bc2e4a4ec775c894e90f0df1b0e6cadb03b9de24f6a22d1bd0a4a58cd645c273cae1c619bfd61", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "000000000000000000000001ea77d449ffffffffffffffffffffffffffffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 22, + "comment" : "y-coordinate of the public key is large", + "public" : "043cbc1b31b43f17dc200dd70c2944c04c6cb1b082820c234a300b05b7763844c7b021f5b006c778ba686cd8f14d00eb7d78256d9b4fccb061d9f6553e91752afc", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : 
"7fffffffffffffffffffffffeecf2230ffffffffffffffffffffffffffffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 23, + "comment" : "y-coordinate of the public key is large", + "public" : "042830d96489ae24b79cad425056e82746f9e3f419ab9aa21ca1fbb11c7325e7d3e754198fa8a1175e0e3b57f1cad9f517d528290a9e2ea0f96986cf5a7af68108", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "000000000000000000000000111124f400000000000000000000000000000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 24, + "comment" : "y-coordinate of the public key is large", + "public" : "04450b6b6e2097178e9d2850109518d28eb3b6ded2922a5452003bc2e4a4ec775c76b16f0e20e4f194524fc4621db095dd2e42f5b6a7329ba3d8c351e39e64029e", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "000000000000000000000001ea77d449ffffffffffffffffffffffffffffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 25, + "comment" : "y-coordinate of the public key has many trailing 1's", + "public" : "049a0f0e3dd31417bbd9e298bc068ab6d5c36733af26ed67676f410c804b8b2ca1b02c82f3a61a376db795626e9400557112273a36cddb08caaa43953965454730", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "7fffffffffffffffffffffffca089011ffffffffffffffffffffffffffffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 26, + "comment" : "y-coordinate of the public key has many trailing 1's", + "public" : "048e5d22d5e53ec797c55ecd68a08a7c3361cd99ca7fad1a68ea802a6a4cb58a918ea7a07023ef67677024bd3841e187c64b30a30a3750eb2ee873fbe58fa1357b", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "0000000000000000000000001f6bd1e500000000000000000000000000000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 27, + "comment" : "y-coordinate of the public key has many trailing 1's", + "public" : 
"04293aa349b934ab2c839cf54b8a737df2304ef9b20fa494e31ad62b315dd6a53c118182b85ef466eb9a8e87f9661f7d017984c15ea82043f536d1ee6a6d95b509", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "000000000000000000000002099f55d5ffffffffffffffffffffffffffffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 28, + "comment" : "y-coordinate of the public key has many trailing 0's", + "public" : "049a0f0e3dd31417bbd9e298bc068ab6d5c36733af26ed67676f410c804b8b2ca14fd37d0b59e5c893486a9d916bffaa8eedd8c5ca3224f73555bc6ac69abab8cf", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "7fffffffffffffffffffffffca089011ffffffffffffffffffffffffffffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 29, + "comment" : "y-coordinate of the public key has many trailing 0's", + "public" : "048e5d22d5e53ec797c55ecd68a08a7c3361cd99ca7fad1a68ea802a6a4cb58a9171585f8edc1098998fdb42c7be1e7839b4cf5cf6c8af14d1178c041a705eca84", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "0000000000000000000000001f6bd1e500000000000000000000000000000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 30, + "comment" : "y-coordinate of the public key has many trailing 0's", + "public" : "04293aa349b934ab2c839cf54b8a737df2304ef9b20fa494e31ad62b315dd6a53cee7e7d46a10b99156571780699e082fe867b3ea257dfbc0ac92e1195926a4af6", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "000000000000000000000002099f55d5ffffffffffffffffffffffffffffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 31, + "comment" : "edge cases for ephemeral key", + "public" : "04000000000000000000000000000000000000000000000000000000000000000066485c780e2f83d72433bd5d84a06bb6541c2af31dae871728bf856a174f93f4", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : 
"cfe4077c8730b1c9384581d36bff5542bc417c9eff5c2afcb98cc8829b2ce848", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 32, + "comment" : "edge cases for ephemeral key", + "public" : "0400000000000000000000000000000000ffffffffffffffffffffffffffffffff4f2b92b4c596a5a47f8b041d2dea6043021ac77b9a80b1343ac9d778f4f8f733", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "49ae50fe096a6cd26698b78356b2c8adf1f6a3490f14e364629f7a0639442509", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 33, + "comment" : "edge cases for ephemeral key", + "public" : "040000000000000000ffffffffffffffff0000000000000001000000000000000138120be6ab31edfa34768c4387d2f84fb4b0be8a9a985864a1575f4436bb37b0", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "5a1334572b2a711ead8b4653eb310cd8d9fd114399379a8f6b872e3b8fdda2d9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 34, + "comment" : "edge cases for ephemeral key", + "public" : "0400000000ffffffff00000000ffffffff00000000ffffffff0000000100000000462c0466e41802238d6c925ecbefc747cfe505ea196af9a2d11b62850fce946e", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "c73755133b6b9b4b2a00631cbc7940ecbe6ec08f20448071422e3362f2556888", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 35, + "comment" : "edge cases for ephemeral key", + "public" : "04000003ffffff0000003ffffff0000003ffffff0000003ffffff0000003ffffff1582fa32e2d4a89dfcfb3d0b149f667dba3329490f4d64ee2ad586c0c9e8c508", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "06fa1059935e47a9fd667e13f469614eb257cc9a7e3fc599bfb92780d59b146d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 36, + "comment" : "edge cases for ephemeral key", + "public" : "040000ffff0000ffff0000ffff0000ffff0000ffff0000ffff0000ffff00010001684c8a9586ed6f9cbe447058a7da2108bab1e5e0a60d1f73e4e2e713f0a3dfe0", + 
"private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "f237df4c10bd3e357971bb2b16b293566b7e355bdc8141d6c92cabc682983c45", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 37, + "comment" : "edge cases for ephemeral key", + "public" : "04085ec5a4af40176b63189069aeffcb229c96d3e046e0283ed2f9dac21b15ad3c7859f97cb6e203f46bf3438f61282325e94e681b60b5669788aeb0655bf19d38", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "d874b55678d0a04d216c31b02f3ad1f30c92caaf168f34e3a743356d9276e993", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 38, + "comment" : "edge cases for ephemeral key", + "public" : "04190c25f88ad9ae3a098e6cffe6fd0b1bea42114eb0cedd5868a45c5fe277dff321b8342ef077bc6724112403eaee5a15b4c31a71589f02ded09cd99cc5db9c83", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "11a8582057463fc76fda3ab8087eb0a420b0d601bb3134165a369646931e52a6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 39, + "comment" : "edge cases for ephemeral key", + "public" : "04507442007322aa895340cba4abc2d730bfd0b16c2c79a46815f8780d2c55a2dd4619d69f9940f51663aa12381bc7cf678bd1a72a49fbc11b0b69cb22d1af9f2d", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "4e173a80907f361fe5a5d335ba7685d5eba93e9dfc8d8fcdb1dcd2d2bde27507", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 40, + "comment" : "edge cases for ephemeral key", + "public" : "045f177bfe19baaaee597e68b6a87a519e805e9d28a70cb72fd40f0fe5a754ba4562ca1103f70a2006cd1f67f5f6a3580b29dc446abc90e0e910c1e05a9aa788cd", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "73220471ec8bad99a297db488a34a259f9bc891ffaf09922e6b5001f5df67018", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 41, + "comment" : "edge cases for ephemeral key", + "public" : 
"047fff0001fffc0007fff0001fffc0007fff0001fffc0007fff0001fffc0007fff2e2213caf03033e0fd0f7951154f6e6c3a9244a72faca65e9ce9eeb5c8e1cea9", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "55d0a203e22ffb523c8d2705060cee9d28308b51f184beefc518cff690bad346", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 42, + "comment" : "edge cases for ephemeral key", + "public" : "0480000000000000000000000000000000000000000000000000000000000000042be8789db81bb4870a9e60c5c18c80c83de464277281f1af1e640843a1a3148e", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "2518d846e577d95e9e7bc766cde7997cb887fb266d3a6cb598a839fd54aa2f4f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 43, + "comment" : "edge cases for ephemeral key", + "public" : "048000003ffffff0000007fffffe000000ffffffc000001ffffff8000004000000722540f8a471c379083c600b58fde4d95c7dcad5095f4219fc5e9bdde3c5cd39", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "bdb49f4bdf42ac64504e9ce677b3ec5c0a03828c5b3efad726005692d35c0f26", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 44, + "comment" : "edge cases for ephemeral key", + "public" : "04ff00000001fffffffc00000007fffffff00000001fffffffc00000007fffffff5df80fc6cae26b6c1952fbd00ed174ee1209d069335f5b48588e29e80b9191ad", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "f503ac65637e0f17cb4408961cb882c875e4c6ef7a548d2d52d8c2f681838c55", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 45, + "comment" : "edge cases for ephemeral key", + "public" : "04ffff00000003fffffff00000003fffffff00000003fffffff00000003fffffff2c63650e6a5d332e2987dd09a79008e8faabbd37e49cb016bfb92c8cd0f5da77", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "e3c18e7d7377dc540bc45c08d389bdbe255fa80ca8faf1ef6b94d52049987d21", + "result" : "valid", + "flags" : 
[] + }, + { + "tcId" : 46, + "comment" : "edge cases for ephemeral key", + "public" : "04ffffffff00000000000000ffffffffffffff00000000000000ffffffffffffff7a116c964a4cd60668bf89cffe157714a3ce21b93b3ca607c8a5b93ac54ffc0a", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "516d6d329b095a7c7e93b4023d4d05020c1445ef1ddcb3347b3a27d7d7f57265", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 47, + "comment" : "edge cases for ephemeral key", + "public" : "047fffffffffffffffffffffffeecf2230ffffffffffffffffffffffffffffffff00000001c7c30643abed0af0a49fe352cb483ff9b97dccdf427c658e8793240d", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "6fd26661851a8de3c6d06f834ef3acb8f2a5f9c136a985ffe10d5eeb51edcfa3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 48, + "comment" : "edge cases for ephemeral key", + "public" : "047fffffffffffffffffffffffeecf2230fffffffffffffffffffffffffffffffffffffffd383cf9bd5412f50f5b601cad34b7c00746823320bd839a71786cdbf2", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "6fd26661851a8de3c6d06f834ef3acb8f2a5f9c136a985ffe10d5eeb51edcfa3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 49, + "comment" : "edge cases for ephemeral key", + "public" : "047fffffffffffffffffffffffca089011ffffffffffffffffffffffffffffffff267bfdf8a61148decd80283732dd4c1095e4bb40b9658408208dc1147fffffff", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "44236c8b9505a19d48774a3903c0292759b0f826e6ac092ff898d87e53d353fc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 50, + "comment" : "edge cases for ephemeral key", + "public" : "047fffffffffffffffffffffffca089011ffffffffffffffffffffffffffffffffd984020659eeb722327fd7c8cd22b3ef6a1b44c0469a7bf7df723eeb80000000", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : 
"44236c8b9505a19d48774a3903c0292759b0f826e6ac092ff898d87e53d353fc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 51, + "comment" : "edge cases for ephemeral key", + "public" : "04000000000000000000000000111124f4000000000000000000000000000000000000000d12d381b0760b1c50be8acf859385052c7f53cde67ce13759de3123a0", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "f1f0e43b374feb7e7f96d4ffe7519fa8bb6c3cfd25f6f87dab2623d2a2d33851", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 52, + "comment" : "edge cases for ephemeral key", + "public" : "04000000000000000000000000111124f400000000000000000000000000000000fffffff1ed2c7e5089f4e3af4175307a6c7afad480ac3219831ec8a621cedc5f", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "f1f0e43b374feb7e7f96d4ffe7519fa8bb6c3cfd25f6f87dab2623d2a2d33851", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 53, + "comment" : "edge cases for ephemeral key", + "public" : "040000000000000000000000001f6bd1e5000000000000000000000000000000004096edd6871c320cb8a9f4531751105c97b4c257811bbc32963eaf39ffffffff", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "3ebbace1098a81949d5605dd94a7aa88dc396c2c23e01a9c8cca5bb07bfbb6a1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 54, + "comment" : "edge cases for ephemeral key", + "public" : "040000000000000000000000001f6bd1e500000000000000000000000000000000bf69122878e3cdf447560bace8aeefa3684b3da97ee443cd69c150c600000000", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "3ebbace1098a81949d5605dd94a7aa88dc396c2c23e01a9c8cca5bb07bfbb6a1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 55, + "comment" : "edge cases for ephemeral key", + "public" : "04000000000000000000000001ea77d449ffffffffffffffffffffffffffffffff000000007afbc0b325e820646dec622fb558a51c342aa257f4b6a8ec5ddf144f", + 
"private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "1b085213a9c89d353e1111af078c38c502b7b4771efba51f589b5be243417bdc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 56, + "comment" : "edge cases for ephemeral key", + "public" : "04000000000000000000000001ea77d449fffffffffffffffffffffffffffffffffffffffe85043f4dda17df9b92139dd04aa75ae4cbd55da80b495713a220ebb0", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "1b085213a9c89d353e1111af078c38c502b7b4771efba51f589b5be243417bdc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 57, + "comment" : "edge cases for ephemeral key", + "public" : "04000000000000000000000002099f55d5ffffffffffffffffffffffffffffffff152c1a22d823a27855ed03f8e2ab5038bb1df4d87e43865f2daf6948ffffffff", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "67cb63566c7ceb12fdd85ce9d2f77c359242bbaa0ea1bf3cf510a4a26591d1f1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 58, + "comment" : "edge cases for ephemeral key", + "public" : "04000000000000000000000002099f55d5ffffffffffffffffffffffffffffffffead3e5dc27dc5d88aa12fc071d54afc744e20b2881bc79a0d25096b700000000", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "67cb63566c7ceb12fdd85ce9d2f77c359242bbaa0ea1bf3cf510a4a26591d1f1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 59, + "comment" : "point with coordinate x = 0", + "public" : "04000000000000000000000000000000000000000000000000000000000000000066485c780e2f83d72433bd5d84a06bb6541c2af31dae871728bf856a174f93f4", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "d11c640b4382e60ec8d254ee76f09b8fac57651ab73b6dd3fdc935a61564a3e9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 60, + "comment" : "point with coordinate x = 0", + "public" : 
"04100121f1a09443851c9aa2ab6ee6440e2ac5e1be648274bd5d26c12fb3ba3f7f032a1c219fa1457cb20588297e0513cfd4901f9a95414f7e914f9179f38567a6", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "90e712e2afd14171c19467a2bfe7abf1c477d1f40f6675f00e622fd5604fa16a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 61, + "comment" : "point with coordinate x = 0", + "public" : "04cad02ab537c80831ccdd395129fc4bfe4a89ae0c866f6619a3e14146d3691694689d477065b40f140ed87b37ad041e28229b0f79a6b3c992689954c97f7336d0", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "159583103d83f63538bd4e203607d7348990bb7f847ffbc9e5e509c7e34d392c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 62, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "04abd12eed4d654baa7d968633770f4a582f173d6633906000ed8acf6233c6365f0912f30bb98e7cb525890d5ea1e217149d52a6c59f7802a9f307e80d2a9fee3a", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "546a2dfadb1d60140becac2dc2e62d20c789037755ad5a49e37e48f2ca1b7680", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 63, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "04a562c1ad9a72217df00147c7d2ceafc65a1620a1469c947e14fe43003ac5371b7ad1d33c01f0eb92b779ed6e460d0334447075a3cf66b2ffbdae31b438df6d7b", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "e5859c7811c5c3aca6c236ab499ccad10301c7c5ee913ce91bb66428cde11e4d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 64, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "048cdbebe9d07d2ebc4e41b1d72a9bac2974cfc4cf738d8b6de71a40ede9920d88dc2439ee0003fbde7b0a3ae41710c64b17b08a8841e97a390e482c9768fe01ea", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : 
"65754ab459a10471af00943f414f28de1bc37968b097ad2845fe111420855008", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 65, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "04f0cd7cd8334678308cfeb785a68a1504a91418d4441c4d4c740c57488b9aafb079d8a8d29973eb502267eccf6eda326626fc6e025d532b85e9f711f8ce6971bb", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "8631fedee6ceb3386ac42edf322c188824893d267d6108f0cf5de6964b88331b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 66, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "048ad0af23b90e0341b4e2a5a963c8522fe011ace19b1b8610cbe7927a17a7249736b87ab9907289a23a0fb20ca4be42d421fe38d35af09d79cbe6e6a4e95a1a8b", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "68c58599c123be6d37d343bd41b11cecc5f84b2635661163656f76d7fb04b426", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 67, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "0459c9cc2d7297ddb0be6304c94cebf42d813e970c50f45287753b8e9cb0c6db45f571d986990897851fc8e1db67c99759e8979c3d9ddfd02f633cf1ea5b6c48ab", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "b58d00525c4c4b4f46562852c15ce2e48dbe23a3be37541e048446eff5152ec6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 68, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "04e97080da7263a29c3072a65178b7b31587a5dffc19754c561e32fc53199234f04e0b9b70c97b60e940d5629f2266d1a8e242deb71eb7f0b2b2da2e3044738ab0", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "4baa01c211af8f94aca89548902a71f7b53f7814bbceb3d4bef31b376e34b476", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 69, + "comment" : "point with coordinate x = 0 in left to right addition 
chain", + "public" : "0444f600da7160b975a0232cb6a4a9e72803fd77caac84352039ce9f4a67a1da77626045599381e599eb9cd03f282e267b8cfd3ba98dabbb0f29ab1c0944270f3f", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "e19fe9d1294cca94a6388825249e6b37931a231eb917cfecb292792d0c18f1b8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 70, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "0471e3e9be0e0ee4449a19d2ef7919266814a0fafd04fb677edc32656e6a46e4d2bc5f404c5b54f03e294be22e8820a71b4d4ac04a708e13cd71fdb0041e7e9698", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "ddc1f4663b928add06b1e57c48db98ea08c4d33c3c2106371407f3848a9d53f7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 71, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "0427b693610154d5b7f08094e46ff2a2ac1c01d3cd826e3208e5254436ed279960f2364e3a604f3b592e19262a1b22b1a148e38cd82c9e54f108ef8f833683f8b4", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "91dfa95ed1eacbea419156471a8ddbb6cb93dd456433e18633d26817611b9c64", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 72, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "04c32a52af6dac369b6a499a49d3e38e7c9534bb9139f57d4984b1d3c04ab8220653cdc2daefac83cf43c0d64604e5f9d85b55dde62b692cd36af99ebff4140c39", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "9f91a9633daa4c56465e9fbef4431e13041f68910fb5ba89f8da9381d68a0dfe", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 73, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "046f4e2f72f32ae66f1f4610966004c436aa0d90b7df07ce9c4aca52b02d46b4d0c6a3ec76bf321b7fe5203cf3d66e2d52e3ee0495ec766d579a4511175e01bc4d", + "private" : 
"00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "014ae81442f8cb6df58ff41e6db203db40ea951b91bebf86d42cda7be33fea64", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 74, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "042e065975df642fcfdafe2fa5affc18b2c68371796f9d963d89c4f5ac5ccea28b990f31522fbb265c3f4d5c4bb82ebf5ddff5a8ea588db4d282acdca7a6ccf428", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "78e81e8573c3ae6089df7db1fb29d7be12dc11f15bb25bff2af802e15ddc136e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 75, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "04e1331eee03c50cc2b90944ddfc0d3a7dd8185e6c21c75fa92a0c14b0f1949ac9154d783f4547dcf5508bbd86c3dd8c3b17b61989f93db5490ec02a46a1005c2c", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "ed67195a272c63c50205abf27439291134ffa1e8ec597f3b302716d93632e98d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 76, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "04e0c56d486e9c01163ed6c3ff25de3cdf5744dbf9e0e00bdcf19965df4ba1f311bd5e44430665823d8c0b34ebec0a6aab5ea96cf239de214fd011e6f9ec501dd4", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "50774347848828eeb6230f497cd181f8c57fbd18ffbf8328cd008321a1c37c43", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 77, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "04885ead6c074f8d751a767e918c4e89210a587c4b19d42244ae07027e361831053e80772be57fbd744955a2e8523063cc6136f2bb37befbef7a681d3bbbc57788", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "913da71044b8021a86c8fcaf4f634d0d625ff91ee1c8474d548bd10888964fb1", + "result" : "valid", + "flags" : [] + }, + { + 
"tcId" : 78, + "comment" : "point with coordinate x = 0 in precomputation or right to left addition chain", + "public" : "0441e9d4cfa8efe80b895a8cbcce2568e251db7ecdfd20a7ad710d4a4bf2addc6b5ec36a8339168a03f15b8c80f2a2a828f151d38791584853ba2ff44a2a0460a1", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "b48e119d29eef7dbb76b64218e728ddbf6ec600505ec7ced6ab6fb8763308da5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 79, + "comment" : "point with coordinate x = 0 in precomputation or right to left addition chain", + "public" : "04776aef1acb82b628e132cc29440988f0a15d4cc2b4f328aecb063c9b86e5018e6e44dfc60444faa9c4e36bc217451f7ac2956cb3b2e9bbd655eba297163d1f34", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "28a88b6b258f233020ba6fa9c00d1d72831f4515b86966a9782f521315e18aa7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 80, + "comment" : "point with coordinate x = 0 in precomputation or right to left addition chain", + "public" : "049ec06b0b08662c0e1dd9111696a63a1601cc83cee20695778adf84d43064fc90156001f084cd3c1df1a087f626533b6572584889bd3d5c2c99f0e311e22b41e6", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "c4ff865ff3dc4953ea78d92a02f3345a53bdb6050cfd8f41baa4395ecb6acab8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 81, + "comment" : "point with coordinate x = 0 in precomputation or right to left addition chain", + "public" : "04fa51d128adc2000f09ff12c6fd8e25aa08556d708bf6b0ffff9e8eaad4783f0de22bf529e516e1f64b8e0d09f98fad4e501695a930a1b22076659da707e3ccd0", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "de1069f051637e10166559cef44688afc809341855261215c4f381d9d7da76ca", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 82, + "comment" : "point with coordinate x = 0 in precomputation or right to left addition chain", + "public" : 
"04614dcfbea4789a3f3eb4a8e2f111c887f0248d9316b99d0864c927a045d6941753a073befe08491a8050a4d96d08ba4790ae18db3ef7f0eaccf59ce1095afc54", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "4207bf4159faa0e50ed238b9c0ff46194a539a1ba03a5a4c8d68f369aecd31a5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 83, + "comment" : "point with coordinate x = 0 in precomputation or right to left addition chain", + "public" : "04efe7754ed4c0b3c1dd301bc1ed69800aa2ff5d51fb85937715e60d2e7bcada8eb1581ab75fb3c797ef94a9dba3d82568c84617eaf3fa04f279fbfd898f704604", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "b5a0ec92aecc3010d27d2263d3da66e3d2f3395d23947024a3f4744454622027", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 84, + "comment" : "point with coordinate x = 0 in right to left addition chain", + "public" : "04d8e13fbd017f1f9a26be35c611d7b2299f5d10de3c8a26362273fffb85238f3ed1426b748c1f87e3afa2c1e7a0224310c980655e07399590d1494d6d6bea0396", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "d2a5bc66498c6036aecdfaad041cef732a893de190a0a5b42ff71e13f09280e7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 85, + "comment" : "point with coordinate x = 0 in right to left addition chain", + "public" : "045a1027666a0e372481fec0b3901e058d60107c07b1115550ceb05789b55a6d35063d4c8ee66ed45ff3e1dfdcfd73ed96a9e83193884adbcaa574b2dd118a692b", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "1f812313ddcf36bc38071d0e51a74100d630c8e20cc414326eefa42ecb1b5f8e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 86, + "comment" : "point with coordinate x = 0 in right to left addition chain", + "public" : "047937b9c40986dd755a0656203089782583da7d8113a44190762ab474a20bcf60efcbc1525aed5b4ad8e687cb02c2ef8887095cadca56c765b41b4a9544ff2fe8", + "private" : 
"00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "f284089bddd5e2e1be3f82640efa0658468fa1f10b281963a3ca190c3982fda6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 87, + "comment" : "point with coordinate x = 0 in right to left addition chain", + "public" : "049368066a0748867a7b870244f5c9f82ea8bd51552959dd550bb7394497159a5d40764add1ae24c8e3f432ee011be97d3130718fe0a6a90ed8b1011b2034d09a0", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "4529f4b631c9984ab216a6801281fc4fd8731a58b65ca8d07bff07811116371f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 88, + "comment" : "point with coordinate x = 0 in right to left addition chain", + "public" : "04981d7449bdf0013f5eeddbb7e42c442f7ccdd9427bd26d7b388755aa5e26f46a1292b88fa6bf5dffca054dd42ed3594277b593dcc402d80340fb7816e4dcab37", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "64bbc9fdd73643eb2954f4ab640381b938c5e601846a0c6b6954966e0dc73e6f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 89, + "comment" : "point with coordinate y = 1", + "public" : "0409e78d4ef60d05f750f6636209092bc43cbdd6b47e11a9de20a9feb2a50bb96c0000000000000000000000000000000000000000000000000000000000000001", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "28f67757acc28b1684ba76ffd534aed42d45b8b3f10b82a5699416eff7199a74", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 90, + "comment" : "point with coordinate y = 1", + "public" : "045384d6c0def78960db967b8096d35477c5a5ce30ef0c6d8879a5568ca87e979401ee56c4581722610b43f3cbfcf3862c082a6e36baa36fd6f78403c0e399faa5", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "9ee653cda46db67612760ce35bac8450bbf48dbf74451ed93abb6db408a9fe10", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 91, + "comment" : "point with coordinate y = 1", + 
"public" : "044eca7641a4afd5eab0b214657ff3bdcbfc66f1551a53bb59493bc38ed78ff39614a0cadff14c14736edbdcdab510cba07a8924ffd0490ee514aedfaadb648b01", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "9736ad6b2a2ef17ec3f8c8dc2e35715fb1c06f28d82e4e26876f0214588165f1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 92, + "comment" : "point with coordinate y = 1", + "public" : "048d0177ebab9c6e9e10db6dd095dbac0d6375e8a97b70f611875d877f0069d2c70000000000000000000000000000000000000000000000000000000000000001", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "748fa4f5a399320382dc920026938694c41a26fe2aaa318c5e710198dd71c793", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 93, + "comment" : "point with coordinate y = 1", + "public" : "045fdb7f0cffb8b5b1142d24698a4bda76bf9827d63b1a6bd85a4e2f9b59c510cfbcb35ba9c987108b6d4337ad5393f9f910ec92410c230869d66528ed88c1b98a", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "7f97db83b4d86f04fe286041ee21e80ec3d59f3ce82cdeeaf362016fc87a3e02", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 94, + "comment" : "point with coordinate y = 1", + "public" : "04530b2293e60c6b6f14c75c90b1ef8b9f9fa6b2151b8d9855792eb2b3dc69f07a0db42440e73fd7d6df04aed5022fbe21ceaec33c5fbade1bd6ad321ef2e10d0b", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "21794cf24f56273fa4463cc7ae4232fa34dbe0f18b73613b8ae9cbfb9c36abf0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 95, + "comment" : "point with coordinate y = 1", + "public" : "046916fac45e568b6b9e2e2ecd611b282e5fcc40a3067d601057f879ce5a8a73cc0000000000000000000000000000000000000000000000000000000000000001", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "915106d07816e879e7643f00abf6d79fb8f1cb78bf64a6a3827f91a7b0ef0f41", + "result" : 
"valid", + "flags" : [] + }, + { + "tcId" : 96, + "comment" : "point with coordinate y = 1", + "public" : "04ed9568c85bc52a6b45733618c3602107c1fdacf23b1a38e486af95978a214e2efa0d71d5e737891c4276e247581ee6139011ca1460db9b1e20b364d9275683e2", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "2fcce552310819dd775ab7ba9ff0f96a1fcadd25a0c709703cef04bb6e1a7bd7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 97, + "comment" : "point with coordinate y = 1", + "public" : "049ff7731c00f2aa88b3fc174aba907ad17595e602e768a5f1e9462a6d4b89b2d23f178a70b9bb3edce289118338a33df30c432c347f12a3de0a2b03b353878d96", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "757d926a2693bc8a3d2d8c0554a13579ef9e559186578911f37edc88b2f5e61a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 98, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "048270f8179d57436b34dfc0bdf7d417a5c895116b90cb51aec718614f864a635d174804e0c0e06e3d68d3149e0b956621c6aa2bde83f4d17d03d28ef8aa389fff", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "3db29ec6f978d2269e92e9c7eb5c8b5a8e56c2228a4fb9e483feca50aa3e451f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 99, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04c61750e98abaf20225a881dbfd3510532cfc3df971bbbca4a2bd52f91acc9c59d0fe79342097f88ae78fc79a8032245fdd2c30cc64aceaaa9fd57b0825692531", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "72c57c2e10d77318b3a796097bbf768c6366142d80f98c90a93780a841075f32", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 100, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : 
"049c5d3bb54650d9550e1ee2efa3ea43c14ab99d18bb049f37b42a6dac48232f0bd3a2760d83d33afe4ce6f1d1245489c509bd26b0251f308f8c996e80f7a3f8eb", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "a96b07944e9eb2b22a9a36575eff1f4f6363b4aa3a53b100b8518a67ba5405dd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 101, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04f1724efd481ad45a55795f06126b1f5ed28e7d9bb4fee910af2ad8c1373b18ff77edbc34da6c787ec73430347f4da86810032d88f7475f6c42f15914079d179e", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "855883316b6d097ae5eab6c67e8411a1397349a09b9d7d8f096b2ba1bd03ea31", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 102, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04fc3680af52fa89ffcd193ecc0b0714466fe5db277ee5872846c520bf4e3721d927260a0e225a3d377e6723ecb6bef8d4493c2da78a22a307fcca8f88f4527208", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "5a75bb7a0c96b8340d0842bcccf11974e1a5a2c8f4bc22b333433cce646b6a8a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 103, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04106b6f81e3482db18d74029291821ae448c38844ef783bf1d6999a404401f63f6a5753f0edc68a62cfd6a0b181bb2599e1f3bac5fa8824af160de79ed867c350", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "d96412e31cf4d26195920cac952fb79ea25f6c50abc79b5ed0ef8026a6e83319", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 104, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04093cb5193a4f94cd18edaa20a973b87ff79b0c03684c79487ecfee347e5354eb04fcb5752539170777932be15cd84c97f03815ffee8b60b647c178eebb8e14d4", + "private" : 
"00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "2b0eed9badc92a1068196dfec124fe8f9d3f451e294d322eb881cce02f286026", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 105, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04d6c38f448b964e27b5b450cc38d3cf41ef9df83d8a959771eb9c21855cb36445df638aef46a2aeb13199281e1a26d12fe61b029ec7f68b90faa89f88c7a95942", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "ed0b1d8dfd27a61fce91dc6405bfc53b6d48a8c13ba541c96ef3dcf31d7cdb88", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 106, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "048a748d61f59c3b6a29b733b0d554b2492e7f76fad7cae1c17f2ac3de9e4a65d2eedbe6c26b6fd22bfc03c1687555d2f0a38e02adee5570686171abfec6681917", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "a796dd144f21ba3318f9e10828ecefc9c0f6ef2c427ae31351c16c2fbfa3cfa6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 107, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04f1052699d87e5677c75e26b2abe719310648d820a96e5b381fff58b392401581b1bb16ae8b68cbb76a3256870bad1ee5a30ff9fd662fd4f8d1fe5b5f1f98ff46", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "1f3a9615b0745046a972bad5d59794a0b60b032b4ac94fe85f77dfb380d1f32b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 108, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "041219af5230064ee9778667225f0e009cdb961330e386edb34e4fa9fddd0e5be7e2a12554227f613aaaa78938ddbbc99b923f9d181b8192dc4b816577e8f3b7e9", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "caf9141d1fca4d0f10683b5e86d2b41af5602f017991fe7348d44e8d7014115c", + "result" : "valid", + "flags" : [] + }, + 
{ + "tcId" : 109, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "0460def130f190e6dc44f5eb8a59e12e7efb27db968c7fa6cc6d31785f066b41b1f1bb556ac4cd77033e7aa6c5ba16f47ebafb14975a7fd72dd9b7fe23116bca55", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "6539ec1c98fa75197ba07c678b26300b3da1fe407dd4c68b89457ed669082e06", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 110, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04f23f09bdb7d17289eb005975a757a39325b4df9b29e55ba2ca679b5ec0973ae918c881f3c7b6c12bed1ec54b837d08c5908e89bdcedd84b9177720378f789600", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "0b6619827cfa948d63f021e9eddb92f884fb5ce8a404bfe059e993fc23447a69", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 111, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "045dbec098c1b7de3e3e2e73d0b62cd49c877e1a0130a1b39eb2fd4dbd4426aa4ccbeee217591a8d76cc8deaf14dde52e3f401e53b30cbb9c1807910d827d0041d", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "2a53a561acf5caec6eb0d8aa40727942881a75d136899dfbff91528236926c39", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 112, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "041e70730dc4f39c8970182e1a29cc836b9e9d6cbd6fcaa8c0dc1062fed9a849693e7b9151f9c8a3345366f8221c8fb700e8c3a9aa7f0cc46a48864e1605592094", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "9b377716ff1d056dac8e392249eaec740d2f5aa62303f4baf6bb1b03b2a276c5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 113, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : 
"04f428c9ae3e23eaf9c2a5b9a7e41efd1cffbf35f881bfc35694d9c05d1e312b10ef6da9023cfd2dd0cb7b9e2a77d644affe62a63fb0f29d45291c6861aa063c5c", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "0c0c6867669743082547aa94451feb362fa29fbaf228dfb3eaf375f1a5ec2fb3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 114, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04b9a16d9a5b85a714e2bb2aa22b086a17404c7a3ff62452732347419c99e90bdad578b462f523994304b6afcf6944a9cc5d0ad1afad956475c8f2953c06b06b97", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "d11f9e32587fd3b6f4a2354812618b4b3b4a7539b8a223b388bb7437f8d138a5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 115, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "048f659a163a58e9f900c1e9b34fb1cd61ffc9890267be3417c8afe79d57214da05cd5cb68a2b93da0dbe56c1cfc0dce8b6c3260e0c48379c6d2091f16b39221c0", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "4babf6368e0359b78614060241ece46facca3f52f5bbc47ac0b46a075b5dd3a0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 116, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04d257f133f00a079f4e6778ea4a9bf42b9f231290431b5b93d7e8b0e35b48010650d6c6b46574d1efce03510b8db4a0981ce138c5bd8fe0e54c988c40c5fc9200", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "9627cc5c8d8b72278be89c32b52210173e6f4b8e2f48e460c6429f46f9f469ae", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 117, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "045ef2ac57c4e93cf78d8f86c35d413b98dc1902dd245affde5c16034afc7ea45547b3e9f77fbc5075bad03c418094f1aec1d03edeafa167fa6af83526552f7034", + "private" : 
"00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "d2b178bc9bb16b5a91a100bb72e15a9639e050c034346061413ec20c4fcc9bbc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 118, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04a7b513f96266414fa6ff439a35d8f09ab615db0bb6a3b1a120c217683f724b2342007a2c9feabcd6249a0d17acecd995e2a217fb5f07bec96938016e297efa52", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "6cdca0a731aff1ccfb1904a769cef79eba965fbab1cc64d2049d0df45dccd276", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 119, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "047743ab7248dae5f1a59ac6b0a136e9f1e51aff8bd45795ace5f8187a13edf9adbd9642078378bab5c6d484f9e1ce39675b72170bf39abc9be7942fc01fc435d7", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "bd15e97a7f49aa33e57b54140a75fffce71b788ce0faa334cf8b45623dcc818a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 120, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "040e3aa971bacdace350dc0957fa5bde0946324eb139939d7fc1997c701effd04a4e6c3625d9564168d3a752961221a1de8cf5f3d603752a8c2e6277ac3a918c25", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "c8b5e8e7488857a2dde62c5fc21e4525ebaba0e06b5be83ec6e7dd771e15a01a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 121, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "040f563e21bf9b24015a7cdbb6f000a692784ac2e4bc2715c76f684264a899c8240cab0d76e6b01cabe4f327429d11be115ed6dc0ca74f02c1b987a082f5af43a8", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "1c63a457509b148272687e6e442bde51982d41b0080d8c0c5eb714257af971e7", + "result" : "valid", + "flags" : [] + }, + 
{ + "tcId" : 122, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "045da49f10249e4df3dbb4e31ece0b0ee9aa073f2588195aaae63e74f6567a774810b5dd61b6bf219e9eab30ef09c13fc184b3d09ff7a4e192bca8f5111c4163c7", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "73a1ac9ece354a930dfd9c77577b4f50acc0a78964ea0d7775631d64c709c4a2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 123, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "046f72e6e5c6300679d3f14f0f6e590665643576ae8bbcb7c05b2f4a83e75e6ac3e712cb056ff034da340543c5da6997e65a3ab4cd39e997892bb92ee2c22b8167", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "fcaa406329bb74f995862cea7cecc7425c6bd4148ef1a9f46b5d42da5994556a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 124, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "046b544df9168e7787db282e2ae01dd72306d9c9bc80f5ab38ce594766c3d929e967493ff601ca60862b47d3a0785c917e44584044e36023a54424015e58be5040", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "e49ff11d46b6c4b5dde528b04132d15c040e79f9b7151fbc650030988028cb87", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 125, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "041c31385b9db9b374e92499939ab0fd7e7eda464561eba89fcd7b4769814a8638a4764cf8ce97b5d143bb8eeb9e1b27287f2b73942ecdbc6359aafb1ee7a152c2", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "fc8f64eac1c7e688c52c467185de21914e8b253056d9e4be010ed0128f92a889", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 126, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : 
"04aabcf8b1443d6cbb1de129a0ffe09f60b23fd9d0a44b6bdf25bed7373fdbfd1db716bde7fe9f2f46de0b688e3025e029cff15244429ad4f83484f5dea4af8583", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "6b56d8a01a884319ab5fb9d890cacfc7aabd81ad938cb5eaae207c8c1aa06efb", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 127, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04e7cd580bd957915d527056832e37793ab3b082ddfad9372412e1908e5c16bbb6208601a970d5844b780d9246e9583eb35918c42ed695c07d52244037f0e31db5", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "2f64b5c8046d41a4e1d631ff23846bff956a4925a47f8534490a20b4b1918b9c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 128, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "042a52db1fe246b71c79c0d0ac49a7d38de67b202995efbbd2a9cc525f6f36010368f494be27e0593e2d612f1fa10a9211437e6aa16e65d97735014072f0dcec94", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "63ac31e718b9a780a85f0670e1d3685bbe306e5f06fee282a8784700b503c124", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 129, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "041c50dc49fef708c4cdd62e766f9b60f784d51afee17a8fe9f3701b2fae55b7a5d10f0d9639d83dce8f26a869705a6d6d38e6d328f5685581142aec0dcd1f90e7", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "555c1917b770cebe6a98337a008ae3d8d04f571565327c93debf61ef90ddddd8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 130, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "046d0aa1bc1cee6d07d045002c13290d0ca25ca3c8783343a525fac70472b92c62d6fba71174448b472cf172b0ca9e377f1a2603ba7ae1276d153b20c63e7d24bf", + "private" : 
"00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "3a65a9200f8f96635912faa5e7859fa303a76a1c2a41ea97ef61aa39287700a9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 131, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04f07e3d8be2ba54c6084141e1fd2b29cfd00d4e6dd6ffb115ed839b10bd8a422f42992cb9a5243897d55408e9bb556043318d87349af35dcc0975ed805c8fa2c9", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "bb7bb52da570ba58e05fd322f82d556c2d65b365db30815879f67f233b089b51", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 132, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "0443a9b90274dbd5f36dd29046fc8390008dde74513ce4c3e8892b236efff80c9dc71547152a5897dbe16957bd15d1a87d770496f814fe2921c8f33df04393c7f8", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "e8cae9944233b867eedf5902fc49ecd07e4c81c46279531e89520b74ba5370b5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 133, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04e9af8e8c19da9d5c2f3b3c03b8e927c3cbe2d717f98f500972e56d82eb07c2b14e83fcaacadc26f8bb5e7b94741fe54f31275ebd6e1c969d7ec2fecead8a0dae", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "e72ad0cdb25f4307d1d834a5f792e9af64fd1b69a47041ec8fa46d526f419e4d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 134, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "0433d9582b567aadbe59606fa6ffc11848e4947b5179597317776317b2b4ff65d0b4d8568dc843319cc04f4bf110496dee7c9229fc68cb0958f3cbd37ecca6990f", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "000197fbc260a84dbcbf88136aeaa79b03bb8949aefd2416bef63929ef789bf3", + "result" : "valid", + "flags" : [] + }, + 
{ + "tcId" : 135, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04e21c0282adb1b2055fda744644c68612cfb0c68a70b9812d007f21a78f1adc4849f3e7644bc6633e2773a2f3cc5214fa7208e30afb3de992f077ee321569dc48", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "cdb18bf62670a853488ca510d8f55bab2918991424925bd9b74a821d2c6e7e3c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 136, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04af27de0da6556e4e64588c9694afee9a84e1cbd0c388972df3a997f760bbcd903c5a02e161551f333d770559ab1af49bf8b68274896590939ce956d9913b676f", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "167303505d22cf9ef78c5b9687a5418fa9fb284f2b0ff68316288ecd7f2e2e09", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 137, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "040da41b82550b358ff474915d83104d41a83a12ef70589b9d392f0f30dc32429edc76163c8fe07a3f709cbd92da0bbfc5045f3db82aa5344cf1fd5b27fcd2f7a6", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "85600ff23c3cde26009fea9b6539664bf045056883728ab0d4498ea0a8f4a453", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 138, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "0419c844b8c7209026a0996a782983e1bd0f0de9255b86739be9bef08ea5475cc669a779ddf57747cf7d9a22f00ed8efc6e818af5827b750d665fee6d6d58a22e8", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "a3250a2bfb145ce86e706ac3ab2bf503a66486ac0b2f7522601c124b0e0f9c5b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 139, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : 
"04bd07bd4326cdcabf42905efa4559a30e68cb215d40c9afb60ce02d4fda617579b927b5cba02d24fb9aafe1d429351e48bae9dd92d7bc7be15e5b8a30a86be13d", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "2d70cc8c8af01366051cc8359c2fc8f258757e2601fd8f3e08422a7b23bfeff5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 140, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "040089dee27a60d071dabbaf58f3e56614dad3b7f9a8030769fd0463b3e6e0f03a147b4d6e7e7fd939b9b54dab458fd556ad8fdaf4da6c3909588c4e050ca74a67", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "cbe0c571d1080ea34ee20ad1bfd21ea5ecc442ead733fb4eee3c0d7b0cce9935", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 141, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "0442ede106cf85aef46df7e5dba8a8b00459317d9e766a7b77c299aa0e17dea142b6e9a86f4fc3e945d4323ba8e459f6b7b14c563a698c757a2d5f7b0bc301ede2", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "33320fc7917fe4e19280bfbfe16f223c037f7c2dc30c0fda98310740f57fe289", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 142, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04974b4316c5e7d1348b28dbc4fd61d8d3470de744c30f5be237f85f29969dea77b5f00b58b83cfc7bc51655465b4a28abe1ed3dbec20c6b4643aec85b95a5bec6", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "35c726ead66c39414fe0c24604df7838e5725d2fc1bd0853261e1de3338ecb4f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 143, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "0459873d7523936a121b629e9870f930419f253a5767b9d0dc49716f2c50e17bd0163b71f2bf4318fbde1ceaa585450080eec28474cd18bf7c21d2d1bfde4ff677", + "private" : 
"00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "66ea42fe6fd8741b37599bbdada3ec0e6b08c0b52ea67c29a33172f72742583c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 144, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04bd85a79f81c4f9613e64fa347886437856c7358d1b69cf1e923d7742d82f9b6767d26918eaa8acb113a1daadaedc709742457303ebc23cdda5572613dc827703", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "2f8a502e4f440133e84fb625292cbeabe2cb79da73987c76d4fed864d1b1b762", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 145, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "043e6a4effc47c2f5926bb6b4acf2eac48b9524c47d511f816976796778600d6c5bfce593242a5985a977590f8d7485df3f953352957f3c17c13e94583d9c0e7b9", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "06436817d8928b77b73d16c5c3b35e243ad3ef2ab59ad047142c67a6d0923c84", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 146, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : "049a4487fcfce8396688e7449e095fe803caa253d4bd7c66dbc6261cc9d9f883a50e5251bae29c5a5cdfa31bc61105671a88a018467398158d35b88829237c0bff", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "7e83fd2c3d713bc85d6d85d9078b3a0842824d410e8abde04da0fd71c7d94705", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 147, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : "04fed6ce127290c1291ca5ce64acb4e0f2f8905654d1d25ba57c1f74ab52f21f42963d31671c06b802169929525c4a1fdeff5b1eafab919dc2df6c52be84dfaef3", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "0e3dfdab606ebdc6428282acd443f189c99b3b483aa101fd8d6bed38aec59e02", + 
"result" : "valid", + "flags" : [] + }, + { + "tcId" : 148, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : "04f7cee5b55f1869f137dd707c8f8fb8965a2be5840c3149fb759695a4661b9c0d23c78c4e9647b0d6cb2f2602be73ff25cf3d09c96d892b5745fe5eca814aec91", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "f489f2bd93f76b8e41fc6b9f211bc599d49db1f17a38e95bab1d31b2a2b55829", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 149, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : "042baaaec3b3e8d54a4e18f0960b947da2535e3cfcca2cfa8b7113aad8e3b6626f72f71e7c9e96042c1d39cc8f1139d5147c6f4fe62e23cf6df364b5f4d899f842", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "cc5738b49d30d5d02cf7e0c54a3de09b5b6f3c4dea91dd0679072a3562444c37", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 150, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : "04a51ab1238bc1bed25247e7d179c83a61ae2d4a9fe2288c363ae0eb7a77de432a3c6d35d82ba8017e6ca9041cc785a30703f7bc4427506e624ac5979d715421dd", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "89a11177d6907a81d47467093bf6a3cc8ba55dee05239b160a31a3000f5d807b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 151, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : "048b5ae8a0e55f30f509061315abae79ac480f88b44655f7269a385c81526884be262974a31a0e2322126c2d77b26b108abd81f8b952c458ccc95d46fb4924c7c0", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "2cb03c30b20037a5cf4d5b33574f3abac895bfab37867eb2ebed260e0929058d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 152, + "comment" : "point with coordinate y = 1 in precomputation or 
right to left addition chain", + "public" : "045f60c77e474dd66c8135ee3dafc75ba644649824c72737542091ad469adbb685312c09c69b629d0436bf3bd6c6083ff2a87be484a73ef3a5d2c3e06b5d9b21b3", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "e54d487d0c4b12fe522af3e663ce316e632ba9d63a1f02a36fc5a82bf82731a4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 153, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : "04e06eaa73f6feae45417d859bbad4bc404b2885bcd213ebace594e16f4970e0c411ed3323a3d7afc7076239884307f91849ed5f5e36b6171d309c81344c53e06d", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "ccea969d40fa42933f4fbdc4cabe2185f8a452996254c1f4e0dde5e14feeea8d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 154, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : "040f1c1b89e9fc6fc0faefc9109fc4a1247d9f54c7497b6cc975e6a5455bef410836cb3818548ac9b41e2b8336c3eb8d97075ae47e1827fa1ff93d4341d43c0c1d", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "eaae0e188c9427bf3c8b3ded772122204c328d5941e389d808e2724638f9aff8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 155, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : "04577069e8284a95f51dcab919b0536657058971dab76217f8d3ae722a64092e26e51f68a722cc0397f4801401771e9a3d1988d4af76f14f9e2f9c36e0773e29c2", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "fea0cce1358f1ff40ffeaaffbf91b2e8d426d4e31e9627731ace3a122eab6b0d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 156, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : 
"042406a2759050b925dd4f814c5033e355548f42bbf1afb791c110f0031f29f68099d5f4b005de3927f165abeff196a28c7217fab1be2b5209c324e7d62d2dd687", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "837621ea4827bba0376aaa8aa66cfe144a2ff1e359dc619a06441d3e055f9771", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 157, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : "04ccaac61f35a27861183621642bc573af913356fb47cf582f0b5299099d6f6c6991f7272b83b738a7a5d30447c87f126a7d98ec72fa2609d0939d18db7ea7eb3a", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "63974ce6153762e5b364523cead93e8ce8bcc77dda56365d676136169fc4e39b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 158, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : "0401415917272f1984e7217a36fb311fd2904d41a6b13973f92aae3b90e85e4d56d97c822eb7b21a84d0d1be4867404a80c34867f43139dadcc3619e10b222562b", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "0a0488144bc36d690b62148ac3076047d46d48f7adbb0f34fee9a636295fe737", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 159, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : "04b2575d100c6fa056bcd137ab111b5315a8908c29243b84f3dc996d0e45764b9166cabeb41885588ec08b47257df58bd58f7dcd9e012e2669fa2f52e25767fc4c", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "1232165538a44268aa7c199c54d6d207c4ef3f5aa790c10c926a20752ca645ce", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 160, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : 
"04c17355ed30ccd6427f9685709021b25c11ed176e9610c479bcc4cc7552a738e61f75114761dba0ec60cd264bbab763c5d5abcc75cd8fb5651d0645179988cc6d", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "dcab5e874e4fb76bc4312528e9d76dfae56145922533089734110bf5653f4d77", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 161, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "04341592390ccce485de8880f3d727f664c381914a1becec383b35586751fc81c2add71852b87016e1019cae7a9080e75ce0b0b8aac175d692d5e7b4dad088f5cc", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "4ce2701b2be63a0083a4c53f7a0bf04cf871654f5edb6f625e3ea5e7d0bdcc90", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 162, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "04fa764b6b76a86c3b762120825d353a24766208c1f5cc0fe3fe7998026a2ec5c43bb2f948fd94cdaa5869b1e0e73a4d97035cc49357fb7b74d7ed0a2c5b8d54eb", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "7abef9765cca721320fbf8edcbef6d2ba25d17b70ffa1776029bc38fe677a12c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 163, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "04a71fbb617199bd585b4b66212ca33ca9e09370e6bf15c8ea0acefd9c8e945d06840f058863078e743e220ff99f23bbc1daa36835d4b1269f0a7536e63f06d853", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "5f61404dbbbc2867dff95c1f37ed44f4cb8fabcd223b03739d888308d13bc412", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 164, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "0413c8292d854d39451c0c63a802b8c03e4fcb875ef01239896295ba1c0f386975f82df197086fd86032cb36b69a27876dd75a8e9679f36ffc2210edb128d4be13", + "private" : 
"00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "8d673a577e35bf9d5d00676c08b2c739617c46a052188403aa06dc714af6acc1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 165, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "040cd9df415acc0c32fd4e3d6924ce53075b0452bf919a2ab2ebe26597570f1ecd5985d8d2c5df78fc100f87efb6dfa9543757bdffecf083dfcd1ecb38de6c23f8", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "a7835ffee0f2a69dfcf70d4e798dbe3ed32ba03cfddae5ddd11d8c0ac3d74f9b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 166, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "04d2dbea4046b23fd2b233d1ce31dceddb89b25f26c0627a9d2db3c5605c9cc99535bdc8de7451c1e27e97aa91402cce3882c71269d9cbdcb5d7ac0ceb911b9b6d", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "e98ea22209cd397edb6c319648c1eb24bc4d39598ab11995571926684ce2ceca", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 167, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "04888fb044fb2b6caa60366bfa662adba479b8365a6555a29887d580f587086ba8482f4ec24082a48d6402afa1622143f26e61d91b7e30d6a4b223630ee10f70fb", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "91b65733860b1bdb9541d9f55895a3dbb3f13c199251d33006b6dcf90ac349ed", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 168, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "042e2bec134249379d57700301f3a58e4b395a4d28370d2a06e65e7ac89ed76ac697dc960bd795cdf4fbcfdd75149057b8e022331c7b5461f383ac589d764df333", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "1fdf7c5c48047a113e5e5d1b7ed593337e769231cca5c7110160e0c1b97f4256", + "result" : "valid", + "flags" : [] + }, + 
{ + "tcId" : 169, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "04c78cda7e3b9e1772ebed30b2b51dcf155a69a0fc504557836e25147cfb8127d2f8289cf38b033d3763c8f9f6c091787a3142fb83dff5719590282c6f852e0105", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "ba0abc3e71726cb51330489176357b81b8074d7690e4e82e9a3c00151e1fa318", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 170, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "041e3df4dd7fb7718cb0aa0dd72f8a25c83c4e804e7cbd48c5e965651f9e23bf4ef0ff40dd9796e4a9a5eddd2c4ca4ebd10990d8fb8918d12d53c76001afa9de7f", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "16e632f9752d36602c95ec274b32ad594f39f6ac3bd4b0b20f8637392142cef4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 171, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "04e5c5dc3fd88d85668b3b709fd6b4232f1f80949cbccb5588363e6c217a2b3ed88dbd0d6e3cc97f3081d16602aa3d1b655ee0791c87fcb5abe6217d8c8513807e", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "9eed4b96569f604a4d3f5af97499807111fc9888c458ece2e3000e245c2c02b0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 172, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "04021c41eceec24e0fba894ad7415a9598cbcd14fa6ca46e25575268a1d8e5bbc63f846c6a185fa3f23bb92c14e7e2cba8c74047c09af766f55ef0c907c80d9451", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "21ac32013838812621dbb584965bded6fc851d3a029810679bc57b2381bb7a7d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 173, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : 
"048e24192cd33335a114f5070266c014cb0d8c704d16d6042e89c17597bcd4e77ebdb4c5171704c2c09275c22a310e0c4fe092e4084856da99b94abbfa9f469f48", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "fc5978da01ca83e127dddf989a0358871b3c4ce0755bfb020633db467e21a53c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 174, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "0431c90ae47a93d09a2352b6f3677e7975ea62aadedb56c118eb8b9f771e2dd9f5f2601fb9cca2304e594423cf48064dbed17ae40452f18be6ae018321911e8cb3", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "9f417341261aa45d396b0ccf2a3dee7a466ca47e3ce86ecd2071d9c4db08820e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 175, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "04d2f211cfab84e01c8e5544036234debe35ae103bb878d7abcea6825f753e03a385f7f1870e64f1262af67a25ef9880419f45608e7f9da6dee83f5f46ceb53dcb", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "f419febb32c254611adf569c2d583b17542b1538caa0001967f0a4bc34b8b789", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 176, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "03", + "shared" : "85a0b58519b28e70a694ec5198f72c4bfdabaa30a70f7143b5b1cd7536f716ca", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 177, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "00ffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "shared" : "a329a7d80424ea2d6c904393808e510dfbb28155092f1bac284dceda1f13afe5", + "result" : "valid", + "flags" : [] + }, + 
{ + "tcId" : 178, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "0100000000000000000000000000000000000000000000000000000000000000", + "shared" : "bd26d0293e8851c51ebe0d426345683ae94026aca545282a4759faa85fde6687", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 179, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "shared" : "ea9350b2490a2010c7abf43fb1a38be729a2de375ea7a6ac34ff58cc87e51b6c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 180, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "008000000000000000000000000000000000000000000000000000000000000000", + "shared" : "34eed3f6673d340b6f716913f6dfa36b5ac85fa667791e2d6a217b0c0b7ba807", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 181, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "00ffffffff00000000ffffffffffffffffbce6faada7179e83f3b9cac2fc632551", + "shared" : "1354ce6692c9df7b6fc3119d47c56338afbedccb62faa546c0fe6ed4959e41c3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 182, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "00ffffffff00000000ffffffffffffffffbce6faada7179e84f3a9cac2fc632551", + "shared" : 
"fe7496c30d534995f0bf428b5471c21585aaafc81733916f0165597a55d12cb4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 183, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "00ffffffff00000000ffffffffffffffffbce6faada7179e84f3b1cac2fc632551", + "shared" : "348bf8042e4edf1d03c8b36ab815156e77c201b764ed4562cfe2ee90638ffef5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 184, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "00ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac1fc632551", + "shared" : "6e4ec5479a7c20a537501700484f6f433a8a8fe53c288f7a25c8e8c92d39e8dc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 185, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "00ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc6324f3", + "shared" : "f7407d61fdf581be4f564621d590ca9b7ba37f31396150f9922f1501da8c83ef", + "result" : "valid", + "flags" : [ + "AddSubChain" + ] + }, + { + "tcId" : 186, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "00ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632533", + "shared" : "82236fd272208693e0574555ca465c6cc512163486084fa57f5e1bd2e2ccc0b3", + "result" : "valid", + "flags" : [ + "AddSubChain" + ] + }, + { + "tcId" : 187, + "comment" : "edge case private key", + "public" : 
"0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "00ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632543", + "shared" : "06537149664dba1a9924654cb7f787ed224851b0df25ef53fcf54f8f26cd5f3f", + "result" : "valid", + "flags" : [ + "AddSubChain" + ] + }, + { + "tcId" : 188, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "00ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254b", + "shared" : "f2b38539bce995d443c7bfeeefadc9e42cc2c89c60bf4e86eac95d51987bd112", + "result" : "valid", + "flags" : [ + "AddSubChain" + ] + }, + { + "tcId" : 189, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "00ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254e", + "shared" : "85a0b58519b28e70a694ec5198f72c4bfdabaa30a70f7143b5b1cd7536f716ca", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 190, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "00ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254f", + "shared" : "027b013a6f166db655d69d643c127ef8ace175311e667dff2520f5b5c75b7659", + "result" : "valid", + "flags" : [ + "AddSubChain" + ] + }, + { + "tcId" : 191, + "comment" : "CVE-2017-8932", + "public" : "04023819813ac969847059028ea88a1f30dfbcde03fc791d3a252c6b41211882eaf93e4ae433cc12cf2a43fc0ef26400c0e125508224cdb649380f25479148a4ad", + "private" : "2a265f8bcbdcaf94d58519141e578124cb40d64a501fba9c11847b28965bc737", + "shared" : "4d4de80f1534850d261075997e3049321a0864082d24a917863366c0724f5ae3", + 
"result" : "valid", + "flags" : [] + }, + { + "tcId" : 192, + "comment" : "CVE-2017-8932", + "public" : "04cc11887b2d66cbae8f4d306627192522932146b42f01d3c6f92bd5c8ba739b06a2f08a029cd06b46183085bae9248b0ed15b70280c7ef13a457f5af382426031", + "private" : "313f72ff9fe811bf573176231b286a3bdb6f1b14e05c40146590727a71c3bccd", + "shared" : "831c3f6b5f762d2f461901577af41354ac5f228c2591f84f8a6e51e2e3f17991", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 193, + "comment" : "point is not on curve", + "public" : "0400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 194, + "comment" : "point is not on curve", + "public" : "0400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 195, + "comment" : "point is not on curve", + "public" : "040000000000000000000000000000000000000000000000000000000000000000ffffffff00000001000000000000000000000000fffffffffffffffffffffffe", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 196, + "comment" : "point is not on curve", + "public" : "040000000000000000000000000000000000000000000000000000000000000000ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 197, + "comment" : "point is not on curve", + "public" : 
"0400000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 198, + "comment" : "point is not on curve", + "public" : "0400000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000001", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 199, + "comment" : "point is not on curve", + "public" : "040000000000000000000000000000000000000000000000000000000000000001ffffffff00000001000000000000000000000000fffffffffffffffffffffffe", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 200, + "comment" : "point is not on curve", + "public" : "040000000000000000000000000000000000000000000000000000000000000001ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 201, + "comment" : "point is not on curve", + "public" : "04ffffffff00000001000000000000000000000000fffffffffffffffffffffffe0000000000000000000000000000000000000000000000000000000000000000", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 202, + "comment" : "point is not on curve", + "public" : "04ffffffff00000001000000000000000000000000fffffffffffffffffffffffe0000000000000000000000000000000000000000000000000000000000000001", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : 
"invalid", + "flags" : [] + }, + { + "tcId" : 203, + "comment" : "point is not on curve", + "public" : "04ffffffff00000001000000000000000000000000fffffffffffffffffffffffeffffffff00000001000000000000000000000000fffffffffffffffffffffffe", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 204, + "comment" : "point is not on curve", + "public" : "04ffffffff00000001000000000000000000000000fffffffffffffffffffffffeffffffff00000001000000000000000000000000ffffffffffffffffffffffff", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 205, + "comment" : "point is not on curve", + "public" : "04ffffffff00000001000000000000000000000000ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 206, + "comment" : "point is not on curve", + "public" : "04ffffffff00000001000000000000000000000000ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000001", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 207, + "comment" : "point is not on curve", + "public" : "04ffffffff00000001000000000000000000000000ffffffffffffffffffffffffffffffff00000001000000000000000000000000fffffffffffffffffffffffe", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 208, + "comment" : "point is not on curve", + "public" : "04ffffffff00000001000000000000000000000000ffffffffffffffffffffffffffffffff00000001000000000000000000000000ffffffffffffffffffffffff", + "private" : 
"7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 209, + "comment" : "", + "public" : "", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 210, + "comment" : "invalid public key", + "public" : "02fd4bf61763b46581fd9174d623516cf3c81edd40e29ffa2777fb6cb0ae3ce535", + "private" : "6f953faff3599e6c762d7f4cabfeed092de2add1df1bc5748c6cbb725cf35458", + "shared" : "", + "result" : "invalid", + "flags" : [ + "CompressedPoint" + ] + }, + { + "tcId" : 211, + "comment" : "public key is a low order point on twist", + "public" : "03efdde3b32872a9effcf3b94cbf73aa7b39f9683ece9121b9852167f4e3da609b", + "private" : "00d27edf0ff5b6b6b465753e7158370332c153b468a1be087ad0f490bdb99e5f02", + "shared" : "", + "result" : "invalid", + "flags" : [ + "CompressedPoint" + ] + }, + { + "tcId" : 212, + "comment" : "public key is a low order point on twist", + "public" : "02efdde3b32872a9effcf3b94cbf73aa7b39f9683ece9121b9852167f4e3da609b", + "private" : "00d27edf0ff5b6b6b465753e7158370332c153b468a1be087ad0f490bdb99e5f03", + "shared" : "", + "result" : "invalid", + "flags" : [ + "CompressedPoint" + ] + }, + { + "tcId" : 213, + "comment" : "public key is a low order point on twist", + "public" : "02c49524b2adfd8f5f972ef554652836e2efb2d306c6d3b0689234cec93ae73db5", + "private" : "0095ead84540c2d027aa3130ff1b47888cc1ed67e8dda46156e71ce0991791e835", + "shared" : "", + "result" : "invalid", + "flags" : [ + "CompressedPoint" + ] + }, + { + "tcId" : 214, + "comment" : "public key is a low order point on twist", + "public" : "0318f9bae7747cd844e98525b7ccd0daf6e1d20a818b2175a9a91e4eae5343bc98", + "private" : "00a8681ef67fb1f189647d95e8db00c52ceef6d41a85ba0a5bd74c44e8e62c8aa4", + "shared" : "", + "result" : "invalid", + "flags" : [ + "CompressedPoint" + ] + }, + { + "tcId" : 215, + "comment" : "public key is a 
low order point on twist",
+ "public" : "0218f9bae7747cd844e98525b7ccd0daf6e1d20a818b2175a9a91e4eae5343bc98",
+ "private" : "00a8681ef67fb1f189647d95e8db00c52ceef6d41a85ba0a5bd74c44e8e62c8aa5",
+ "shared" : "",
+ "result" : "invalid",
+ "flags" : [
+ "CompressedPoint"
+ ]
+ },
+ {
+ "tcId" : 216,
+ "comment" : "public key is a low order point on twist",
+ "public" : "03c49524b2adfd8f5f972ef554652836e2efb2d306c6d3b0689234cec93ae73db5",
+ "private" : "0095ead84540c2d027aa3130ff1b47888cc1ed67e8dda46156e71ce0991791e834",
+ "shared" : "",
+ "result" : "invalid",
+ "flags" : [
+ "CompressedPoint"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/rust/tests/wycheproof/ecdsa_secp256r1_sha256_test.json b/rust/tests/wycheproof/ecdsa_secp256r1_sha256_test.json
new file mode 100644
index 00000000..0b8ab9f5
--- /dev/null
+++ b/rust/tests/wycheproof/ecdsa_secp256r1_sha256_test.json
@@ -0,0 +1,4578 @@
+{
+ "algorithm" : "ECDSA",
+ "generatorVersion" : "0.8r12",
+ "numberOfTests" : 387,
+ "header" : [
+ "Test vectors of type EcdsaVerify are meant for the verification",
+ "of ASN encoded ECDSA signatures."
+ ],
+ "notes" : {
+ "BER" : "This is a signature with correct values for (r, s) but using some alternative BER encoding instead of DER encoding. Implementations should not accept such signatures to limit signature malleability.",
+ "EdgeCase" : "Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA implementation does not check boundaries and computes s^(-1)==0.",
+ "MissingZero" : "Some implementations of ECDSA and DSA incorrectly encode r and s by not including leading zeros in the ASN encoding of integers when necessary. Hence, some implementations (e.g. jdk) allow signatures with incorrect ASN encodings assuming that the signature is otherwise valid.",
+ "PointDuplication" : "Some implementations of ECDSA do not handle duplication and points at infinity correctly. This is a test vector that has been specially crafted to check for such an omission."
+ },
+ "schema" : "ecdsa_verify_schema.json",
+ "testGroups" : [
+ {
+ "key" : {
+ "curve" : "secp256r1",
+ "keySize" : 256,
+ "type" : "EcPublicKey",
+ "uncompressed" : "042927b10512bae3eddcfe467828128bad2903269919f7086069c8c4df6c732838c7787964eaac00e5921fb1498a60f4606766b3d9685001558d1a974e7341513e",
+ "wx" : "2927b10512bae3eddcfe467828128bad2903269919f7086069c8c4df6c732838",
+ "wy" : "00c7787964eaac00e5921fb1498a60f4606766b3d9685001558d1a974e7341513e"
+ },
+ "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200042927b10512bae3eddcfe467828128bad2903269919f7086069c8c4df6c732838c7787964eaac00e5921fb1498a60f4606766b3d9685001558d1a974e7341513e",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKSexBRK64+3c/kZ4KBKLrSkDJpkZ\n9whgacjE32xzKDjHeHlk6qwA5ZIfsUmKYPRgZ2az2WhQAVWNGpdOc0FRPg==\n-----END PUBLIC KEY-----",
+ "sha" : "SHA-256",
+ "type" : "EcdsaVerify",
+ "tests" : [
+ {
+ "tcId" : 1,
+ "comment" : "signature malleability",
+ "msg" : "313233343030",
+ "sig" : "304402202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e1802204cd60b855d442f5b3c7b11eb6c4e0ae7525fe710fab9aa7c77a67f79e6fadd76",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 2,
+ "comment" : "Legacy:ASN encoding of s misses leading 0",
+ "msg" : "313233343030",
+ "sig" : "304402202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180220b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db",
+ "result" : "acceptable",
+ "flags" : [
+ "MissingZero"
+ ]
+ },
+ {
+ "tcId" : 3,
+ "comment" : "valid",
+ "msg" : "313233343030",
+ "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 4,
+ "comment" : "long form encoding of length of sequence",
+ "msg" : "313233343030",
+ "sig" : 
"30814502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [ + "BER" + ] + }, + { + "tcId" : 5, + "comment" : "length of sequence contains leading 0", + "msg" : "313233343030", + "sig" : "3082004502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [ + "BER" + ] + }, + { + "tcId" : 6, + "comment" : "wrong length of sequence", + "msg" : "313233343030", + "sig" : "304602202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 7, + "comment" : "wrong length of sequence", + "msg" : "313233343030", + "sig" : "304402202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 8, + "comment" : "uint32 overflow in length of sequence", + "msg" : "313233343030", + "sig" : "3085010000004502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 9, + "comment" : "uint64 overflow in length of sequence", + "msg" : "313233343030", + "sig" : "308901000000000000004502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 10, + "comment" : "length of sequence = 2**31 - 1", + "msg" : "313233343030", + "sig" : "30847fffffff02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + 
"flags" : [] + }, + { + "tcId" : 11, + "comment" : "length of sequence = 2**32 - 1", + "msg" : "313233343030", + "sig" : "3084ffffffff02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 12, + "comment" : "length of sequence = 2**40 - 1", + "msg" : "313233343030", + "sig" : "3085ffffffffff02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 13, + "comment" : "length of sequence = 2**64 - 1", + "msg" : "313233343030", + "sig" : "3088ffffffffffffffff02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 14, + "comment" : "incorrect length of sequence", + "msg" : "313233343030", + "sig" : "30ff02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 15, + "comment" : "indefinite length without termination", + "msg" : "313233343030", + "sig" : "308002202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 16, + "comment" : "indefinite length without termination", + "msg" : "313233343030", + "sig" : "304502802ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 17, + "comment" : "indefinite length without termination", + "msg" : "313233343030", + "sig" : 
"304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18028000b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 18, + "comment" : "removing sequence", + "msg" : "313233343030", + "sig" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 19, + "comment" : "lonely sequence tag", + "msg" : "313233343030", + "sig" : "30", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 20, + "comment" : "appending 0's to sequence", + "msg" : "313233343030", + "sig" : "304702202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 21, + "comment" : "prepending 0's to sequence", + "msg" : "313233343030", + "sig" : "3047000002202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 22, + "comment" : "appending unused 0's to sequence", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 23, + "comment" : "appending null value to sequence", + "msg" : "313233343030", + "sig" : "304702202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0500", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 24, + "comment" : "including garbage", + "msg" : "313233343030", + "sig" : "304a498177304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 25, + "comment" : "including garbage", + 
"msg" : "313233343030", + "sig" : "30492500304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 26, + "comment" : "including garbage", + "msg" : "313233343030", + "sig" : "3047304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0004deadbeef", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 27, + "comment" : "including garbage", + "msg" : "313233343030", + "sig" : "304a222549817702202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 28, + "comment" : "including garbage", + "msg" : "313233343030", + "sig" : "30492224250002202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 29, + "comment" : "including garbage", + "msg" : "313233343030", + "sig" : "304d222202202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180004deadbeef022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 30, + "comment" : "including garbage", + "msg" : "313233343030", + "sig" : "304a02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e182226498177022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 31, + "comment" : "including garbage", + "msg" : "313233343030", + "sig" : "304902202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e1822252500022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 32, 
+ "comment" : "including garbage", + "msg" : "313233343030", + "sig" : "304d02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e182223022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0004deadbeef", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 33, + "comment" : "including undefined tags", + "msg" : "313233343030", + "sig" : "304daa00bb00cd00304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 34, + "comment" : "including undefined tags", + "msg" : "313233343030", + "sig" : "304baa02aabb304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 35, + "comment" : "including undefined tags", + "msg" : "313233343030", + "sig" : "304d2228aa00bb00cd0002202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 36, + "comment" : "including undefined tags", + "msg" : "313233343030", + "sig" : "304b2226aa02aabb02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 37, + "comment" : "including undefined tags", + "msg" : "313233343030", + "sig" : "304d02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e182229aa00bb00cd00022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 38, + "comment" : "including undefined tags", + "msg" : "313233343030", + "sig" : 
"304b02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e182227aa02aabb022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 39, + "comment" : "truncated length of sequence", + "msg" : "313233343030", + "sig" : "3081", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 40, + "comment" : "using composition with indefinite length", + "msg" : "313233343030", + "sig" : "3080304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 41, + "comment" : "using composition with indefinite length", + "msg" : "313233343030", + "sig" : "3049228002202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180000022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 42, + "comment" : "using composition with indefinite length", + "msg" : "313233343030", + "sig" : "304902202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e182280022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 43, + "comment" : "using composition with wrong tag", + "msg" : "313233343030", + "sig" : "3080314502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 44, + "comment" : "using composition with wrong tag", + "msg" : "313233343030", + "sig" : "3049228003202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180000022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 45, + "comment" : "using composition with wrong tag", + "msg" : "313233343030", + "sig" : 
"304902202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e182280032100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 46, + "comment" : "Replacing sequence with NULL", + "msg" : "313233343030", + "sig" : "0500", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 47, + "comment" : "changing tag value of sequence", + "msg" : "313233343030", + "sig" : "2e4502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 48, + "comment" : "changing tag value of sequence", + "msg" : "313233343030", + "sig" : "2f4502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 49, + "comment" : "changing tag value of sequence", + "msg" : "313233343030", + "sig" : "314502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 50, + "comment" : "changing tag value of sequence", + "msg" : "313233343030", + "sig" : "324502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 51, + "comment" : "changing tag value of sequence", + "msg" : "313233343030", + "sig" : "ff4502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 52, + "comment" : "dropping value of sequence", + "msg" : "313233343030", + "sig" : "3000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 53, + "comment" : 
"using composition for sequence", + "msg" : "313233343030", + "sig" : "30493001023044202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 54, + "comment" : "truncated sequence", + "msg" : "313233343030", + "sig" : "304402202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 55, + "comment" : "truncated sequence", + "msg" : "313233343030", + "sig" : "3044202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 56, + "comment" : "indefinite length", + "msg" : "313233343030", + "sig" : "308002202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0000", + "result" : "invalid", + "flags" : [ + "BER" + ] + }, + { + "tcId" : 57, + "comment" : "indefinite length with truncated delimiter", + "msg" : "313233343030", + "sig" : "308002202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db00", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 58, + "comment" : "indefinite length with additional element", + "msg" : "313233343030", + "sig" : "308002202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db05000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 59, + "comment" : "indefinite length with truncated element", + "msg" : "313233343030", + "sig" : 
"308002202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db060811220000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 60, + "comment" : "indefinite length with garbage", + "msg" : "313233343030", + "sig" : "308002202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0000fe02beef", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 61, + "comment" : "indefinite length with nonempty EOC", + "msg" : "313233343030", + "sig" : "308002202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0002beef", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 62, + "comment" : "prepend empty sequence", + "msg" : "313233343030", + "sig" : "3047300002202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 63, + "comment" : "append empty sequence", + "msg" : "313233343030", + "sig" : "304702202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db3000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 64, + "comment" : "append garbage with high tag number", + "msg" : "313233343030", + "sig" : "304802202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847dbbf7f00", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 65, + "comment" : "sequence of sequence", + "msg" : "313233343030", + "sig" : "3047304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 66, 
+ "comment" : "truncated sequence: removed last 1 elements", + "msg" : "313233343030", + "sig" : "302202202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 67, + "comment" : "repeating element in sequence", + "msg" : "313233343030", + "sig" : "306802202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 68, + "comment" : "long form encoding of length of integer", + "msg" : "313233343030", + "sig" : "30460281202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [ + "BER" + ] + }, + { + "tcId" : 69, + "comment" : "long form encoding of length of integer", + "msg" : "313233343030", + "sig" : "304602202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e1802812100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [ + "BER" + ] + }, + { + "tcId" : 70, + "comment" : "length of integer contains leading 0", + "msg" : "313233343030", + "sig" : "3047028200202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [ + "BER" + ] + }, + { + "tcId" : 71, + "comment" : "length of integer contains leading 0", + "msg" : "313233343030", + "sig" : "304702202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180282002100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [ + "BER" + ] + }, + { + "tcId" : 72, + "comment" : "wrong length of integer", + "msg" : "313233343030", + "sig" : 
"304502212ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 73, + "comment" : "wrong length of integer", + "msg" : "313233343030", + "sig" : "3045021f2ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 74, + "comment" : "wrong length of integer", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022200b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 75, + "comment" : "wrong length of integer", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022000b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 76, + "comment" : "uint32 overflow in length of integer", + "msg" : "313233343030", + "sig" : "304a028501000000202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 77, + "comment" : "uint32 overflow in length of integer", + "msg" : "313233343030", + "sig" : "304a02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180285010000002100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 78, + "comment" : "uint64 overflow in length of integer", + "msg" : "313233343030", + "sig" : "304e02890100000000000000202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 
79, + "comment" : "uint64 overflow in length of integer", + "msg" : "313233343030", + "sig" : "304e02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18028901000000000000002100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 80, + "comment" : "length of integer = 2**31 - 1", + "msg" : "313233343030", + "sig" : "304902847fffffff2ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 81, + "comment" : "length of integer = 2**31 - 1", + "msg" : "313233343030", + "sig" : "304902202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e1802847fffffff00b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 82, + "comment" : "length of integer = 2**32 - 1", + "msg" : "313233343030", + "sig" : "30490284ffffffff2ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 83, + "comment" : "length of integer = 2**32 - 1", + "msg" : "313233343030", + "sig" : "304902202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180284ffffffff00b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 84, + "comment" : "length of integer = 2**40 - 1", + "msg" : "313233343030", + "sig" : "304a0285ffffffffff2ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 85, + "comment" : "length of integer = 2**40 - 1", + "msg" : "313233343030", + "sig" : 
"304a02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180285ffffffffff00b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 86, + "comment" : "length of integer = 2**64 - 1", + "msg" : "313233343030", + "sig" : "304d0288ffffffffffffffff2ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 87, + "comment" : "length of integer = 2**64 - 1", + "msg" : "313233343030", + "sig" : "304d02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180288ffffffffffffffff00b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 88, + "comment" : "incorrect length of integer", + "msg" : "313233343030", + "sig" : "304502ff2ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 89, + "comment" : "incorrect length of integer", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e1802ff00b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 90, + "comment" : "removing integer", + "msg" : "313233343030", + "sig" : "3023022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 91, + "comment" : "lonely integer tag", + "msg" : "313233343030", + "sig" : "302402022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 92, + "comment" : "lonely integer tag", + "msg" : "313233343030", + "sig" : "302302202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e1802", + 
"result" : "invalid", + "flags" : [] + }, + { + "tcId" : 93, + "comment" : "appending 0's to integer", + "msg" : "313233343030", + "sig" : "304702222ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180000022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 94, + "comment" : "appending 0's to integer", + "msg" : "313233343030", + "sig" : "304702202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022300b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 95, + "comment" : "prepending 0's to integer", + "msg" : "313233343030", + "sig" : "3047022200002ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [ + "BER" + ] + }, + { + "tcId" : 96, + "comment" : "prepending 0's to integer", + "msg" : "313233343030", + "sig" : "304702202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180223000000b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [ + "BER" + ] + }, + { + "tcId" : 97, + "comment" : "appending unused 0's to integer", + "msg" : "313233343030", + "sig" : "304702202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180000022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 98, + "comment" : "appending null value to integer", + "msg" : "313233343030", + "sig" : "304702222ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180500022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 99, + "comment" : "appending null value to integer", + "msg" : "313233343030", + "sig" : 
"304702202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022300b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0500", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 100, + "comment" : "truncated length of integer", + "msg" : "313233343030", + "sig" : "30250281022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 101, + "comment" : "truncated length of integer", + "msg" : "313233343030", + "sig" : "302402202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180281", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 102, + "comment" : "Replacing integer with NULL", + "msg" : "313233343030", + "sig" : "30250500022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 103, + "comment" : "Replacing integer with NULL", + "msg" : "313233343030", + "sig" : "302402202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180500", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 104, + "comment" : "changing tag value of integer", + "msg" : "313233343030", + "sig" : "304500202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 105, + "comment" : "changing tag value of integer", + "msg" : "313233343030", + "sig" : "304501202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 106, + "comment" : "changing tag value of integer", + "msg" : "313233343030", + "sig" : "304503202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 107, + 
"comment" : "changing tag value of integer", + "msg" : "313233343030", + "sig" : "304504202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 108, + "comment" : "changing tag value of integer", + "msg" : "313233343030", + "sig" : "3045ff202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 109, + "comment" : "changing tag value of integer", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18002100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 110, + "comment" : "changing tag value of integer", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18012100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 111, + "comment" : "changing tag value of integer", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18032100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 112, + "comment" : "changing tag value of integer", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18042100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 113, + "comment" : "changing tag value of integer", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18ff2100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : 
"invalid", + "flags" : [] + }, + { + "tcId" : 114, + "comment" : "dropping value of integer", + "msg" : "313233343030", + "sig" : "30250200022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 115, + "comment" : "dropping value of integer", + "msg" : "313233343030", + "sig" : "302402202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180200", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 116, + "comment" : "using composition for integer", + "msg" : "313233343030", + "sig" : "3049222402012b021fa3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 117, + "comment" : "using composition for integer", + "msg" : "313233343030", + "sig" : "304902202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e1822250201000220b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 118, + "comment" : "modify first byte of integer", + "msg" : "313233343030", + "sig" : "3045022029a3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 119, + "comment" : "modify first byte of integer", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022102b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 120, + "comment" : "modify last byte of integer", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e98022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 121, + "comment" : "modify 
last byte of integer", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b491568475b", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 122, + "comment" : "truncated integer", + "msg" : "313233343030", + "sig" : "3044021f2ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 123, + "comment" : "truncated integer", + "msg" : "313233343030", + "sig" : "3044021fa3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 124, + "comment" : "truncated integer", + "msg" : "313233343030", + "sig" : "304402202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022000b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 125, + "comment" : "leading ff in integer", + "msg" : "313233343030", + "sig" : "30460221ff2ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 126, + "comment" : "leading ff in integer", + "msg" : "313233343030", + "sig" : "304602202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180222ff00b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 127, + "comment" : "replaced integer by infinity", + "msg" : "313233343030", + "sig" : "3026090180022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 128, + "comment" : "replaced integer by infinity", + "msg" : "313233343030", + "sig" : 
"302502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18090180", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 129, + "comment" : "replacing integer with zero", + "msg" : "313233343030", + "sig" : "3026020100022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 130, + "comment" : "replacing integer with zero", + "msg" : "313233343030", + "sig" : "302502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18020100", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 131, + "comment" : "Modified r or s, e.g. by adding or subtracting the order of the group", + "msg" : "313233343030", + "sig" : "30460221012ba3a8bd6b94d5ed80a6d9d1190a436ebccc0833490686deac8635bcb9bf5369022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 132, + "comment" : "Modified r or s, e.g. by adding or subtracting the order of the group", + "msg" : "313233343030", + "sig" : "30460221ff2ba3a8bf6b94d5eb80a6d9d1190a436f42fe12d7fad749d4c512a036c0f908c7022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 133, + "comment" : "Modified r or s, e.g. by adding or subtracting the order of the group", + "msg" : "313233343030", + "sig" : "30450220d45c5741946b2a137f59262ee6f5bc91001af27a5e1117a64733950642a3d1e8022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 134, + "comment" : "Modified r or s, e.g. by adding or subtracting the order of the group", + "msg" : "313233343030", + "sig" : "3046022100d45c5740946b2a147f59262ee6f5bc90bd01ed280528b62b3aed5fc93f06f739022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 135, + "comment" : "Modified r or s, e.g. 
by adding or subtracting the order of the group", + "msg" : "313233343030", + "sig" : "30460221fed45c5742946b2a127f59262ee6f5bc914333f7ccb6f979215379ca434640ac97022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 136, + "comment" : "Modified r or s, e.g. by adding or subtracting the order of the group", + "msg" : "313233343030", + "sig" : "30460221012ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 137, + "comment" : "Modified r or s, e.g. by adding or subtracting the order of the group", + "msg" : "313233343030", + "sig" : "3046022100d45c5741946b2a137f59262ee6f5bc91001af27a5e1117a64733950642a3d1e8022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 138, + "comment" : "Modified r or s, e.g. by adding or subtracting the order of the group", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022101b329f478a2bbd0a6c384ee1493b1f518276e0e4a5375928d6fcd160c11cb6d2c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 139, + "comment" : "Modified r or s, e.g. by adding or subtracting the order of the group", + "msg" : "313233343030", + "sig" : "304402202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180220b329f47aa2bbd0a4c384ee1493b1f518ada018ef05465583885980861905228a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 140, + "comment" : "Modified r or s, e.g. 
by adding or subtracting the order of the group", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180221ff4cd60b865d442f5a3c7b11eb6c4e0ae79578ec6353a20bf783ecb4b6ea97b825", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 141, + "comment" : "Modified r or s, e.g. by adding or subtracting the order of the group", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180221fe4cd60b875d442f593c7b11eb6c4e0ae7d891f1b5ac8a6d729032e9f3ee3492d4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 142, + "comment" : "Modified r or s, e.g. by adding or subtracting the order of the group", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022101b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 143, + "comment" : "Modified r or s, e.g. by adding or subtracting the order of the group", + "msg" : "313233343030", + "sig" : "304402202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e1802204cd60b865d442f5a3c7b11eb6c4e0ae79578ec6353a20bf783ecb4b6ea97b825", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 144, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3006020100020100", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 145, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3006020100020101", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 146, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "30060201000201ff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 147, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : 
"3026020100022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 148, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026020100022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 149, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026020100022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 150, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026020100022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 151, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026020100022100ffffffff00000001000000000000000000000001000000000000000000000000", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 152, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3008020100090380fe01", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 153, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3006020100090142", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 154, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3006020101020100", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 155, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3006020101020101", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] 
+ }, + { + "tcId" : 156, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "30060201010201ff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 157, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026020101022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 158, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026020101022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 159, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026020101022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 160, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026020101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 161, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026020101022100ffffffff00000001000000000000000000000001000000000000000000000000", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 162, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3008020101090380fe01", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 163, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3006020101090142", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 164, + "comment" : "Signature with special case values 
for r and s", + "msg" : "313233343030", + "sig" : "30060201ff020100", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 165, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "30060201ff020101", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 166, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "30060201ff0201ff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 167, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "30260201ff022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 168, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "30260201ff022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 169, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "30260201ff022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 170, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "30260201ff022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 171, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "30260201ff022100ffffffff00000001000000000000000000000001000000000000000000000000", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 172, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "30080201ff090380fe01", + 
"result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 173, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "30060201ff090142", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 174, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551020100", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 175, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551020101", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 176, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc6325510201ff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 177, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 178, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 179, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552", + "result" : "invalid", + 
"flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 180, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 181, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551022100ffffffff00000001000000000000000000000001000000000000000000000000", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 182, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3028022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551090380fe01", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 183, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551090142", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 184, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550020100", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 185, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550020101", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 186, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc6325500201ff", + "result" : "invalid", + "flags" : [ + 
"EdgeCase" + ] + }, + { + "tcId" : 187, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 188, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 189, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 190, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 191, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550022100ffffffff00000001000000000000000000000001000000000000000000000000", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 192, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3028022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550090380fe01", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 193, + "comment" : "Signature with special case values 
for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550090142", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 194, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552020100", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 195, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552020101", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 196, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc6325520201ff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 197, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 198, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 199, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 200, + 
"comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 201, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552022100ffffffff00000001000000000000000000000001000000000000000000000000", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 202, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3028022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552090380fe01", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 203, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552090142", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 204, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff020100", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 205, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff020101", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 206, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff0201ff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 207, + "comment" : 
"Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 208, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 209, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 210, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 211, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff022100ffffffff00000001000000000000000000000001000000000000000000000000", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 212, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3028022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff090380fe01", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 213, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : 
"3026022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff090142", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 214, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000001000000000000000000000001000000000000000000000000020100", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 215, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000001000000000000000000000001000000000000000000000000020101", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 216, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff000000010000000000000000000000010000000000000000000000000201ff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 217, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000001000000000000000000000001000000000000000000000000022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 218, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000001000000000000000000000001000000000000000000000000022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 219, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000001000000000000000000000001000000000000000000000000022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 220, + "comment" : "Signature with special case values for r and 
s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000001000000000000000000000001000000000000000000000000022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 221, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000001000000000000000000000001000000000000000000000000022100ffffffff00000001000000000000000000000001000000000000000000000000", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 222, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3028022100ffffffff00000001000000000000000000000001000000000000000000000000090380fe01", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 223, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000001000000000000000000000001000000000000000000000000090142", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 224, + "comment" : "Signature encoding contains wrong types.", + "msg" : "313233343030", + "sig" : "30060201010c0130", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 225, + "comment" : "Signature encoding contains wrong types.", + "msg" : "313233343030", + "sig" : "30050201010c00", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 226, + "comment" : "Signature encoding contains wrong types.", + "msg" : "313233343030", + "sig" : "30090c0225730c03732573", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 227, + "comment" : "Signature encoding contains wrong types.", + "msg" : "313233343030", + "sig" : "30080201013003020100", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 228, + "comment" : "Signature encoding contains wrong types.", + "msg" : "313233343030", + "sig" : "3003020101", + "result" : "invalid", + "flags" : [] + }, 
+ { + "tcId" : 229, + "comment" : "Signature encoding contains wrong types.", + "msg" : "313233343030", + "sig" : "3006020101010100", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 230, + "comment" : "Edge case for Shamir multiplication", + "msg" : "3639383139", + "sig" : "3044022064a1aab5000d0e804f3e2fc02bdee9be8ff312334e2ba16d11547c97711c898e02206af015971cc30be6d1a206d4e013e0997772a2f91d73286ffd683b9bb2cf4f1b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 231, + "comment" : "special case hash", + "msg" : "343236343739373234", + "sig" : "3044022016aea964a2f6506d6f78c81c91fc7e8bded7d397738448de1e19a0ec580bf2660220252cd762130c6667cfe8b7bc47d27d78391e8e80c578d1cd38c3ff033be928e9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 232, + "comment" : "special case hash", + "msg" : "37313338363834383931", + "sig" : "30450221009cc98be2347d469bf476dfc26b9b733df2d26d6ef524af917c665baccb23c8820220093496459effe2d8d70727b82462f61d0ec1b7847929d10ea631dacb16b56c32", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 233, + "comment" : "special case hash", + "msg" : "3130333539333331363638", + "sig" : "3044022073b3c90ecd390028058164524dde892703dce3dea0d53fa8093999f07ab8aa4302202f67b0b8e20636695bb7d8bf0a651c802ed25a395387b5f4188c0c4075c88634", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 234, + "comment" : "special case hash", + "msg" : "33393439343031323135", + "sig" : "3046022100bfab3098252847b328fadf2f89b95c851a7f0eb390763378f37e90119d5ba3dd022100bdd64e234e832b1067c2d058ccb44d978195ccebb65c2aaf1e2da9b8b4987e3b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 235, + "comment" : "special case hash", + "msg" : "31333434323933303739", + "sig" : "30440220204a9784074b246d8bf8bf04a4ceb1c1f1c9aaab168b1596d17093c5cd21d2cd022051cce41670636783dc06a759c8847868a406c2506fe17975582fe648d1d88b52", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 236, + "comment" : "special case hash", + "msg" : "33373036323131373132", + "sig" 
: "3046022100ed66dc34f551ac82f63d4aa4f81fe2cb0031a91d1314f835027bca0f1ceeaa0302210099ca123aa09b13cd194a422e18d5fda167623c3f6e5d4d6abb8953d67c0c48c7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 237, + "comment" : "special case hash", + "msg" : "333433363838373132", + "sig" : "30450220060b700bef665c68899d44f2356a578d126b062023ccc3c056bf0f60a237012b0221008d186c027832965f4fcc78a3366ca95dedbb410cbef3f26d6be5d581c11d3610", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 238, + "comment" : "special case hash", + "msg" : "31333531353330333730", + "sig" : "30460221009f6adfe8d5eb5b2c24d7aa7934b6cf29c93ea76cd313c9132bb0c8e38c96831d022100b26a9c9e40e55ee0890c944cf271756c906a33e66b5bd15e051593883b5e9902", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 239, + "comment" : "special case hash", + "msg" : "36353533323033313236", + "sig" : "3045022100a1af03ca91677b673ad2f33615e56174a1abf6da168cebfa8868f4ba273f16b7022020aa73ffe48afa6435cd258b173d0c2377d69022e7d098d75caf24c8c5e06b1c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 240, + "comment" : "special case hash", + "msg" : "31353634333436363033", + "sig" : "3045022100fdc70602766f8eed11a6c99a71c973d5659355507b843da6e327a28c11893db902203df5349688a085b137b1eacf456a9e9e0f6d15ec0078ca60a7f83f2b10d21350", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 241, + "comment" : "special case hash", + "msg" : "34343239353339313137", + "sig" : "3046022100b516a314f2fce530d6537f6a6c49966c23456f63c643cf8e0dc738f7b876e675022100d39ffd033c92b6d717dd536fbc5efdf1967c4bd80954479ba66b0120cd16fff2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 242, + "comment" : "special case hash", + "msg" : "3130393533323631333531", + "sig" : "304402203b2cbf046eac45842ecb7984d475831582717bebb6492fd0a485c101e29ff0a802204c9b7b47a98b0f82de512bc9313aaf51701099cac5f76e68c8595fc1c1d99258", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 243, + "comment" : "special case hash", + "msg" : 
"35393837333530303431", + "sig" : "3044022030c87d35e636f540841f14af54e2f9edd79d0312cfa1ab656c3fb15bfde48dcf022047c15a5a82d24b75c85a692bd6ecafeb71409ede23efd08e0db9abf6340677ed", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 244, + "comment" : "special case hash", + "msg" : "33343633303036383738", + "sig" : "3044022038686ff0fda2cef6bc43b58cfe6647b9e2e8176d168dec3c68ff262113760f520220067ec3b651f422669601662167fa8717e976e2db5e6a4cf7c2ddabb3fde9d67d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 245, + "comment" : "special case hash", + "msg" : "39383137333230323837", + "sig" : "3044022044a3e23bf314f2b344fc25c7f2de8b6af3e17d27f5ee844b225985ab6e2775cf02202d48e223205e98041ddc87be532abed584f0411f5729500493c9cc3f4dd15e86", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 246, + "comment" : "special case hash", + "msg" : "33323232303431303436", + "sig" : "304402202ded5b7ec8e90e7bf11f967a3d95110c41b99db3b5aa8d330eb9d638781688e902207d5792c53628155e1bfc46fb1a67e3088de049c328ae1f44ec69238a009808f9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 247, + "comment" : "special case hash", + "msg" : "36363636333037313034", + "sig" : "3046022100bdae7bcb580bf335efd3bc3d31870f923eaccafcd40ec2f605976f15137d8b8f022100f6dfa12f19e525270b0106eecfe257499f373a4fb318994f24838122ce7ec3c7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 248, + "comment" : "special case hash", + "msg" : "31303335393531383938", + "sig" : "3045022050f9c4f0cd6940e162720957ffff513799209b78596956d21ece251c2401f1c6022100d7033a0a787d338e889defaaabb106b95a4355e411a59c32aa5167dfab244726", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 249, + "comment" : "special case hash", + "msg" : "31383436353937313935", + "sig" : "3045022100f612820687604fa01906066a378d67540982e29575d019aabe90924ead5c860d02203f9367702dd7dd4f75ea98afd20e328a1a99f4857b316525328230ce294b0fef", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 250, + "comment" : "special case hash", + 
"msg" : "33313336303436313839", + "sig" : "30460221009505e407657d6e8bc93db5da7aa6f5081f61980c1949f56b0f2f507da5782a7a022100c60d31904e3669738ffbeccab6c3656c08e0ed5cb92b3cfa5e7f71784f9c5021", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 251, + "comment" : "special case hash", + "msg" : "32363633373834323534", + "sig" : "3046022100bbd16fbbb656b6d0d83e6a7787cd691b08735aed371732723e1c68a40404517d0221009d8e35dba96028b7787d91315be675877d2d097be5e8ee34560e3e7fd25c0f00", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 252, + "comment" : "special case hash", + "msg" : "31363532313030353234", + "sig" : "304402202ec9760122db98fd06ea76848d35a6da442d2ceef7559a30cf57c61e92df327e02207ab271da90859479701fccf86e462ee3393fb6814c27b760c4963625c0a19878", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 253, + "comment" : "special case hash", + "msg" : "35373438303831363936", + "sig" : "3044022054e76b7683b6650baa6a7fc49b1c51eed9ba9dd463221f7a4f1005a89fe00c5902202ea076886c773eb937ec1cc8374b7915cfd11b1c1ae1166152f2f7806a31c8fd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 254, + "comment" : "special case hash", + "msg" : "36333433393133343638", + "sig" : "304402205291deaf24659ffbbce6e3c26f6021097a74abdbb69be4fb10419c0c496c9466022065d6fcf336d27cc7cdb982bb4e4ecef5827f84742f29f10abf83469270a03dc3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 255, + "comment" : "special case hash", + "msg" : "31353431313033353938", + "sig" : "30450220207a3241812d75d947419dc58efb05e8003b33fc17eb50f9d15166a88479f107022100cdee749f2e492b213ce80b32d0574f62f1c5d70793cf55e382d5caadf7592767", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 256, + "comment" : "special case hash", + "msg" : "3130343738353830313238", + "sig" : "304502206554e49f82a855204328ac94913bf01bbe84437a355a0a37c0dee3cf81aa7728022100aea00de2507ddaf5c94e1e126980d3df16250a2eaebc8be486effe7f22b4f929", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 257, + "comment" : "special case 
hash", + "msg" : "3130353336323835353638", + "sig" : "3046022100a54c5062648339d2bff06f71c88216c26c6e19b4d80a8c602990ac82707efdfc022100e99bbe7fcfafae3e69fd016777517aa01056317f467ad09aff09be73c9731b0d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 258, + "comment" : "special case hash", + "msg" : "393533393034313035", + "sig" : "3045022100975bd7157a8d363b309f1f444012b1a1d23096593133e71b4ca8b059cff37eaf02207faa7a28b1c822baa241793f2abc930bd4c69840fe090f2aacc46786bf919622", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 259, + "comment" : "special case hash", + "msg" : "393738383438303339", + "sig" : "304402205694a6f84b8f875c276afd2ebcfe4d61de9ec90305afb1357b95b3e0da43885e02200dffad9ffd0b757d8051dec02ebdf70d8ee2dc5c7870c0823b6ccc7c679cbaa4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 260, + "comment" : "special case hash", + "msg" : "33363130363732343432", + "sig" : "3045022100a0c30e8026fdb2b4b4968a27d16a6d08f7098f1a98d21620d7454ba9790f1ba602205e470453a8a399f15baf463f9deceb53acc5ca64459149688bd2760c65424339", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 261, + "comment" : "special case hash", + "msg" : "31303534323430373035", + "sig" : "30440220614ea84acf736527dd73602cd4bb4eea1dfebebd5ad8aca52aa0228cf7b99a880220737cc85f5f2d2f60d1b8183f3ed490e4de14368e96a9482c2a4dd193195c902f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 262, + "comment" : "special case hash", + "msg" : "35313734343438313937", + "sig" : "3045022100bead6734ebe44b810d3fb2ea00b1732945377338febfd439a8d74dfbd0f942fa02206bb18eae36616a7d3cad35919fd21a8af4bbe7a10f73b3e036a46b103ef56e2a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 263, + "comment" : "special case hash", + "msg" : "31393637353631323531", + "sig" : "30440220499625479e161dacd4db9d9ce64854c98d922cbf212703e9654fae182df9bad2022042c177cf37b8193a0131108d97819edd9439936028864ac195b64fca76d9d693", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 264, + "comment" : "special 
case hash", + "msg" : "33343437323533333433", + "sig" : "3045022008f16b8093a8fb4d66a2c8065b541b3d31e3bfe694f6b89c50fb1aaa6ff6c9b20221009d6455e2d5d1779748573b611cb95d4a21f967410399b39b535ba3e5af81ca2e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 265, + "comment" : "special case hash", + "msg" : "333638323634333138", + "sig" : "3046022100be26231b6191658a19dd72ddb99ed8f8c579b6938d19bce8eed8dc2b338cb5f8022100e1d9a32ee56cffed37f0f22b2dcb57d5c943c14f79694a03b9c5e96952575c89", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 266, + "comment" : "special case hash", + "msg" : "33323631313938363038", + "sig" : "3045022015e76880898316b16204ac920a02d58045f36a229d4aa4f812638c455abe0443022100e74d357d3fcb5c8c5337bd6aba4178b455ca10e226e13f9638196506a1939123", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 267, + "comment" : "special case hash", + "msg" : "39363738373831303934", + "sig" : "30440220352ecb53f8df2c503a45f9846fc28d1d31e6307d3ddbffc1132315cc07f16dad02201348dfa9c482c558e1d05c5242ca1c39436726ecd28258b1899792887dd0a3c6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 268, + "comment" : "special case hash", + "msg" : "34393538383233383233", + "sig" : "304402204a40801a7e606ba78a0da9882ab23c7677b8642349ed3d652c5bfa5f2a9558fb02203a49b64848d682ef7f605f2832f7384bdc24ed2925825bf8ea77dc5981725782", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 269, + "comment" : "special case hash", + "msg" : "383234363337383337", + "sig" : "3045022100eacc5e1a8304a74d2be412b078924b3bb3511bac855c05c9e5e9e44df3d61e9602207451cd8e18d6ed1885dd827714847f96ec4bb0ed4c36ce9808db8f714204f6d1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 270, + "comment" : "special case hash", + "msg" : "3131303230383333373736", + "sig" : "304502202f7a5e9e5771d424f30f67fdab61e8ce4f8cd1214882adb65f7de94c31577052022100ac4e69808345809b44acb0b2bd889175fb75dd050c5a449ab9528f8f78daa10c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 271, + "comment" : 
"special case hash", + "msg" : "313333383731363438", + "sig" : "3045022100ffcda40f792ce4d93e7e0f0e95e1a2147dddd7f6487621c30a03d710b3300219022079938b55f8a17f7ed7ba9ade8f2065a1fa77618f0b67add8d58c422c2453a49a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 272, + "comment" : "special case hash", + "msg" : "333232313434313632", + "sig" : "304602210081f2359c4faba6b53d3e8c8c3fcc16a948350f7ab3a588b28c17603a431e39a8022100cd6f6a5cc3b55ead0ff695d06c6860b509e46d99fccefb9f7f9e101857f74300", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 273, + "comment" : "special case hash", + "msg" : "3130363836363535353436", + "sig" : "3045022100dfc8bf520445cbb8ee1596fb073ea283ea130251a6fdffa5c3f5f2aaf75ca8080220048e33efce147c9dd92823640e338e68bfd7d0dc7a4905b3a7ac711e577e90e7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 274, + "comment" : "special case hash", + "msg" : "3632313535323436", + "sig" : "3046022100ad019f74c6941d20efda70b46c53db166503a0e393e932f688227688ba6a576202210093320eb7ca0710255346bdbb3102cdcf7964ef2e0988e712bc05efe16c199345", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 275, + "comment" : "special case hash", + "msg" : "37303330383138373734", + "sig" : "3046022100ac8096842e8add68c34e78ce11dd71e4b54316bd3ebf7fffdeb7bd5a3ebc1883022100f5ca2f4f23d674502d4caf85d187215d36e3ce9f0ce219709f21a3aac003b7a8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 276, + "comment" : "special case hash", + "msg" : "35393234353233373434", + "sig" : "30440220677b2d3a59b18a5ff939b70ea002250889ddcd7b7b9d776854b4943693fb92f702206b4ba856ade7677bf30307b21f3ccda35d2f63aee81efd0bab6972cc0795db55", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 277, + "comment" : "special case hash", + "msg" : "31343935353836363231", + "sig" : "30450220479e1ded14bcaed0379ba8e1b73d3115d84d31d4b7c30e1f05e1fc0d5957cfb0022100918f79e35b3d89487cf634a4f05b2e0c30857ca879f97c771e877027355b2443", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 278, + 
"comment" : "special case hash", + "msg" : "34303035333134343036", + "sig" : "3044022043dfccd0edb9e280d9a58f01164d55c3d711e14b12ac5cf3b64840ead512a0a302201dbe33fa8ba84533cd5c4934365b3442ca1174899b78ef9a3199f49584389772", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 279, + "comment" : "special case hash", + "msg" : "33303936343537353132", + "sig" : "304402205b09ab637bd4caf0f4c7c7e4bca592fea20e9087c259d26a38bb4085f0bbff11022045b7eb467b6748af618e9d80d6fdcd6aa24964e5a13f885bca8101de08eb0d75", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 280, + "comment" : "special case hash", + "msg" : "32373834303235363230", + "sig" : "304502205e9b1c5a028070df5728c5c8af9b74e0667afa570a6cfa0114a5039ed15ee06f022100b1360907e2d9785ead362bb8d7bd661b6c29eeffd3c5037744edaeb9ad990c20", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 281, + "comment" : "special case hash", + "msg" : "32363138373837343138", + "sig" : "304502200671a0a85c2b72d54a2fb0990e34538b4890050f5a5712f6d1a7a5fb8578f32e022100db1846bab6b7361479ab9c3285ca41291808f27fd5bd4fdac720e5854713694c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 282, + "comment" : "special case hash", + "msg" : "31363432363235323632", + "sig" : "304402207673f8526748446477dbbb0590a45492c5d7d69859d301abbaedb35b2095103a02203dc70ddf9c6b524d886bed9e6af02e0e4dec0d417a414fed3807ef4422913d7c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 283, + "comment" : "special case hash", + "msg" : "36383234313839343336", + "sig" : "304402207f085441070ecd2bb21285089ebb1aa6450d1a06c36d3ff39dfd657a796d12b50220249712012029870a2459d18d47da9aa492a5e6cb4b2d8dafa9e4c5c54a2b9a8b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 284, + "comment" : "special case hash", + "msg" : "343834323435343235", + "sig" : "3046022100914c67fb61dd1e27c867398ea7322d5ab76df04bc5aa6683a8e0f30a5d287348022100fa07474031481dda4953e3ac1959ee8cea7e66ec412b38d6c96d28f6d37304ea", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" 
: { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "040ad99500288d466940031d72a9f5445a4d43784640855bf0a69874d2de5fe103c5011e6ef2c42dcd50d5d3d29f99ae6eba2c80c9244f4c5422f0979ff0c3ba5e", + "wx" : "0ad99500288d466940031d72a9f5445a4d43784640855bf0a69874d2de5fe103", + "wy" : "00c5011e6ef2c42dcd50d5d3d29f99ae6eba2c80c9244f4c5422f0979ff0c3ba5e" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200040ad99500288d466940031d72a9f5445a4d43784640855bf0a69874d2de5fe103c5011e6ef2c42dcd50d5d3d29f99ae6eba2c80c9244f4c5422f0979ff0c3ba5e", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECtmVACiNRmlAAx1yqfVEWk1DeEZA\nhVvwpph00t5f4QPFAR5u8sQtzVDV09Kfma5uuiyAySRPTFQi8Jef8MO6Xg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 285, + "comment" : "k*G has a large x-coordinate", + "msg" : "313233343030", + "sig" : "303502104319055358e8617b0c46353d039cdaab022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 286, + "comment" : "r too large", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000001000000000000000000000000fffffffffffffffffffffffc022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254e", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04ab05fd9d0de26b9ce6f4819652d9fc69193d0aa398f0fba8013e09c58220455419235271228c786759095d12b75af0692dd4103f19f6a8c32f49435a1e9b8d45", + "wx" : "00ab05fd9d0de26b9ce6f4819652d9fc69193d0aa398f0fba8013e09c582204554", + "wy" : "19235271228c786759095d12b75af0692dd4103f19f6a8c32f49435a1e9b8d45" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004ab05fd9d0de26b9ce6f4819652d9fc69193d0aa398f0fba8013e09c58220455419235271228c786759095d12b75af0692dd4103f19f6a8c32f49435a1e9b8d45", + "keyPem" : 
"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqwX9nQ3ia5zm9IGWUtn8aRk9CqOY\n8PuoAT4JxYIgRVQZI1JxIox4Z1kJXRK3WvBpLdQQPxn2qMMvSUNaHpuNRQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 287, + "comment" : "r,s are large", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254f022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254e", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "0480984f39a1ff38a86a68aa4201b6be5dfbfecf876219710b07badf6fdd4c6c5611feb97390d9826e7a06dfb41871c940d74415ed3cac2089f1445019bb55ed95", + "wx" : "0080984f39a1ff38a86a68aa4201b6be5dfbfecf876219710b07badf6fdd4c6c56", + "wy" : "11feb97390d9826e7a06dfb41871c940d74415ed3cac2089f1445019bb55ed95" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d0301070342000480984f39a1ff38a86a68aa4201b6be5dfbfecf876219710b07badf6fdd4c6c5611feb97390d9826e7a06dfb41871c940d74415ed3cac2089f1445019bb55ed95", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgJhPOaH/OKhqaKpCAba+Xfv+z4di\nGXELB7rfb91MbFYR/rlzkNmCbnoG37QYcclA10QV7TysIInxRFAZu1XtlQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 288, + "comment" : "r and s^-1 have a large Hamming weight", + "msg" : "313233343030", + "sig" : "304502207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022100909135bdb6799286170f5ead2de4f6511453fe50914f3df2de54a36383df8dd4", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "044201b4272944201c3294f5baa9a3232b6dd687495fcc19a70a95bc602b4f7c0595c37eba9ee8171c1bb5ac6feaf753bc36f463e3aef16629572c0c0a8fb0800e", + "wx" : 
"4201b4272944201c3294f5baa9a3232b6dd687495fcc19a70a95bc602b4f7c05", + "wy" : "0095c37eba9ee8171c1bb5ac6feaf753bc36f463e3aef16629572c0c0a8fb0800e" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200044201b4272944201c3294f5baa9a3232b6dd687495fcc19a70a95bc602b4f7c0595c37eba9ee8171c1bb5ac6feaf753bc36f463e3aef16629572c0c0a8fb0800e", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQgG0JylEIBwylPW6qaMjK23Wh0lf\nzBmnCpW8YCtPfAWVw366nugXHBu1rG/q91O8NvRj467xZilXLAwKj7CADg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 289, + "comment" : "r and s^-1 have a large Hamming weight", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022027b4577ca009376f71303fd5dd227dcef5deb773ad5f5a84360644669ca249a5", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04a71af64de5126a4a4e02b7922d66ce9415ce88a4c9d25514d91082c8725ac9575d47723c8fbe580bb369fec9c2665d8e30a435b9932645482e7c9f11e872296b", + "wx" : "00a71af64de5126a4a4e02b7922d66ce9415ce88a4c9d25514d91082c8725ac957", + "wy" : "5d47723c8fbe580bb369fec9c2665d8e30a435b9932645482e7c9f11e872296b" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004a71af64de5126a4a4e02b7922d66ce9415ce88a4c9d25514d91082c8725ac9575d47723c8fbe580bb369fec9c2665d8e30a435b9932645482e7c9f11e872296b", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEpxr2TeUSakpOAreSLWbOlBXOiKTJ\n0lUU2RCCyHJayVddR3I8j75YC7Np/snCZl2OMKQ1uZMmRUgufJ8R6HIpaw==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 290, + "comment" : "small r and s", + "msg" : "313233343030", + "sig" : "3006020105020101", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : 
"EcPublicKey", + "uncompressed" : "046627cec4f0731ea23fc2931f90ebe5b7572f597d20df08fc2b31ee8ef16b15726170ed77d8d0a14fc5c9c3c4c9be7f0d3ee18f709bb275eaf2073e258fe694a5", + "wx" : "6627cec4f0731ea23fc2931f90ebe5b7572f597d20df08fc2b31ee8ef16b1572", + "wy" : "6170ed77d8d0a14fc5c9c3c4c9be7f0d3ee18f709bb275eaf2073e258fe694a5" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200046627cec4f0731ea23fc2931f90ebe5b7572f597d20df08fc2b31ee8ef16b15726170ed77d8d0a14fc5c9c3c4c9be7f0d3ee18f709bb275eaf2073e258fe694a5", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZifOxPBzHqI/wpMfkOvlt1cvWX0g\n3wj8KzHujvFrFXJhcO132NChT8XJw8TJvn8NPuGPcJuyderyBz4lj+aUpQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 291, + "comment" : "small r and s", + "msg" : "313233343030", + "sig" : "3006020105020103", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "045a7c8825e85691cce1f5e7544c54e73f14afc010cb731343262ca7ec5a77f5bfef6edf62a4497c1bd7b147fb6c3d22af3c39bfce95f30e13a16d3d7b2812f813", + "wx" : "5a7c8825e85691cce1f5e7544c54e73f14afc010cb731343262ca7ec5a77f5bf", + "wy" : "00ef6edf62a4497c1bd7b147fb6c3d22af3c39bfce95f30e13a16d3d7b2812f813" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200045a7c8825e85691cce1f5e7544c54e73f14afc010cb731343262ca7ec5a77f5bfef6edf62a4497c1bd7b147fb6c3d22af3c39bfce95f30e13a16d3d7b2812f813", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWnyIJehWkczh9edUTFTnPxSvwBDL\ncxNDJiyn7Fp39b/vbt9ipEl8G9exR/tsPSKvPDm/zpXzDhOhbT17KBL4Ew==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 292, + "comment" : "small r and s", + "msg" : "313233343030", + "sig" : "3006020105020105", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + 
"keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04cbe0c29132cd738364fedd603152990c048e5e2fff996d883fa6caca7978c73770af6a8ce44cb41224b2603606f4c04d188e80bff7cc31ad5189d4ab0d70e8c1", + "wx" : "00cbe0c29132cd738364fedd603152990c048e5e2fff996d883fa6caca7978c737", + "wy" : "70af6a8ce44cb41224b2603606f4c04d188e80bff7cc31ad5189d4ab0d70e8c1" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004cbe0c29132cd738364fedd603152990c048e5e2fff996d883fa6caca7978c73770af6a8ce44cb41224b2603606f4c04d188e80bff7cc31ad5189d4ab0d70e8c1", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEy+DCkTLNc4Nk/t1gMVKZDASOXi//\nmW2IP6bKynl4xzdwr2qM5Ey0EiSyYDYG9MBNGI6Av/fMMa1RidSrDXDowQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 293, + "comment" : "small r and s", + "msg" : "313233343030", + "sig" : "3006020105020106", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 294, + "comment" : "r is larger than n", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632556020106", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "044be4178097002f0deab68f0d9a130e0ed33a6795d02a20796db83444b037e13920f13051e0eecdcfce4dacea0f50d1f247caa669f193c1b4075b51ae296d2d56", + "wx" : "4be4178097002f0deab68f0d9a130e0ed33a6795d02a20796db83444b037e139", + "wy" : "20f13051e0eecdcfce4dacea0f50d1f247caa669f193c1b4075b51ae296d2d56" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200044be4178097002f0deab68f0d9a130e0ed33a6795d02a20796db83444b037e13920f13051e0eecdcfce4dacea0f50d1f247caa669f193c1b4075b51ae296d2d56", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAES+QXgJcALw3qto8NmhMODtM6Z5XQ\nKiB5bbg0RLA34Tkg8TBR4O7Nz85NrOoPUNHyR8qmafGTwbQHW1GuKW0tVg==\n-----END PUBLIC KEY-----", + "sha" : 
"SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 295, + "comment" : "s is larger than n", + "msg" : "313233343030", + "sig" : "3026020105022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc75fbd8", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04d0f73792203716afd4be4329faa48d269f15313ebbba379d7783c97bf3e890d9971f4a3206605bec21782bf5e275c714417e8f566549e6bc68690d2363c89cc1", + "wx" : "00d0f73792203716afd4be4329faa48d269f15313ebbba379d7783c97bf3e890d9", + "wy" : "00971f4a3206605bec21782bf5e275c714417e8f566549e6bc68690d2363c89cc1" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004d0f73792203716afd4be4329faa48d269f15313ebbba379d7783c97bf3e890d9971f4a3206605bec21782bf5e275c714417e8f566549e6bc68690d2363c89cc1", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0Pc3kiA3Fq/UvkMp+qSNJp8VMT67\nujedd4PJe/PokNmXH0oyBmBb7CF4K/XidccUQX6PVmVJ5rxoaQ0jY8icwQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 296, + "comment" : "small r and s^-1", + "msg" : "313233343030", + "sig" : "3027020201000221008f1e3c7862c58b16bb76eddbb76eddbb516af4f63f2d74d76e0d28c9bb75ea88", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "044838b2be35a6276a80ef9e228140f9d9b96ce83b7a254f71ccdebbb8054ce05ffa9cbc123c919b19e00238198d04069043bd660a828814051fcb8aac738a6c6b", + "wx" : "4838b2be35a6276a80ef9e228140f9d9b96ce83b7a254f71ccdebbb8054ce05f", + "wy" : "00fa9cbc123c919b19e00238198d04069043bd660a828814051fcb8aac738a6c6b" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200044838b2be35a6276a80ef9e228140f9d9b96ce83b7a254f71ccdebbb8054ce05ffa9cbc123c919b19e00238198d04069043bd660a828814051fcb8aac738a6c6b", + "keyPem" : "-----BEGIN PUBLIC 
KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESDiyvjWmJ2qA754igUD52bls6Dt6\nJU9xzN67uAVM4F/6nLwSPJGbGeACOBmNBAaQQ71mCoKIFAUfy4qsc4psaw==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 297, + "comment" : "smallish r and s^-1", + "msg" : "313233343030", + "sig" : "302c02072d9b4d347952d6022100ef3043e7329581dbb3974497710ab11505ee1c87ff907beebadd195a0ffe6d7a", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "047393983ca30a520bbc4783dc9960746aab444ef520c0a8e771119aa4e74b0f64e9d7be1ab01a0bf626e709863e6a486dbaf32793afccf774e2c6cd27b1857526", + "wx" : "7393983ca30a520bbc4783dc9960746aab444ef520c0a8e771119aa4e74b0f64", + "wy" : "00e9d7be1ab01a0bf626e709863e6a486dbaf32793afccf774e2c6cd27b1857526" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200047393983ca30a520bbc4783dc9960746aab444ef520c0a8e771119aa4e74b0f64e9d7be1ab01a0bf626e709863e6a486dbaf32793afccf774e2c6cd27b1857526", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEc5OYPKMKUgu8R4PcmWB0aqtETvUg\nwKjncRGapOdLD2Tp174asBoL9ibnCYY+akhtuvMnk6/M93Tixs0nsYV1Jg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 298, + "comment" : "100-bit r and small s^-1", + "msg" : "313233343030", + "sig" : "3032020d1033e67e37b32b445580bf4eff0221008b748b74000000008b748b748b748b7466e769ad4a16d3dcd87129b8e91d1b4d", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "045ac331a1103fe966697379f356a937f350588a05477e308851b8a502d5dfcdc5fe9993df4b57939b2b8da095bf6d794265204cfe03be995a02e65d408c871c0b", + "wx" : "5ac331a1103fe966697379f356a937f350588a05477e308851b8a502d5dfcdc5", + "wy" : "00fe9993df4b57939b2b8da095bf6d794265204cfe03be995a02e65d408c871c0b" + }, + "keyDer" : 
"3059301306072a8648ce3d020106082a8648ce3d030107034200045ac331a1103fe966697379f356a937f350588a05477e308851b8a502d5dfcdc5fe9993df4b57939b2b8da095bf6d794265204cfe03be995a02e65d408c871c0b", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWsMxoRA/6WZpc3nzVqk381BYigVH\nfjCIUbilAtXfzcX+mZPfS1eTmyuNoJW/bXlCZSBM/gO+mVoC5l1AjIccCw==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 299, + "comment" : "small r and 100 bit s^-1", + "msg" : "313233343030", + "sig" : "302702020100022100ef9f6ba4d97c09d03178fa20b4aaad83be3cf9cb824a879fec3270fc4b81ef5b", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "041d209be8de2de877095a399d3904c74cc458d926e27bb8e58e5eae5767c41509dd59e04c214f7b18dce351fc2a549893a6860e80163f38cc60a4f2c9d040d8c9", + "wx" : "1d209be8de2de877095a399d3904c74cc458d926e27bb8e58e5eae5767c41509", + "wy" : "00dd59e04c214f7b18dce351fc2a549893a6860e80163f38cc60a4f2c9d040d8c9" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200041d209be8de2de877095a399d3904c74cc458d926e27bb8e58e5eae5767c41509dd59e04c214f7b18dce351fc2a549893a6860e80163f38cc60a4f2c9d040d8c9", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHSCb6N4t6HcJWjmdOQTHTMRY2Sbi\ne7jljl6uV2fEFQndWeBMIU97GNzjUfwqVJiTpoYOgBY/OMxgpPLJ0EDYyQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 300, + "comment" : "100-bit r and s^-1", + "msg" : "313233343030", + "sig" : "3032020d062522bbd3ecbe7c39e93e7c25022100ef9f6ba4d97c09d03178fa20b4aaad83be3cf9cb824a879fec3270fc4b81ef5b", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : 
"04083539fbee44625e3acaafa2fcb41349392cef0633a1b8fabecee0c133b10e99915c1ebe7bf00df8535196770a58047ae2a402f26326bb7d41d4d7616337911e", + "wx" : "083539fbee44625e3acaafa2fcb41349392cef0633a1b8fabecee0c133b10e99", + "wy" : "00915c1ebe7bf00df8535196770a58047ae2a402f26326bb7d41d4d7616337911e" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004083539fbee44625e3acaafa2fcb41349392cef0633a1b8fabecee0c133b10e99915c1ebe7bf00df8535196770a58047ae2a402f26326bb7d41d4d7616337911e", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECDU5++5EYl46yq+i/LQTSTks7wYz\nobj6vs7gwTOxDpmRXB6+e/AN+FNRlncKWAR64qQC8mMmu31B1NdhYzeRHg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 301, + "comment" : "r and s^-1 are close to n", + "msg" : "313233343030", + "sig" : "3045022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc6324d50220555555550000000055555555555555553ef7a8e48d07df81a693439654210c70", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "048aeb368a7027a4d64abdea37390c0c1d6a26f399e2d9734de1eb3d0e1937387405bd13834715e1dbae9b875cf07bd55e1b6691c7f7536aef3b19bf7a4adf576d", + "wx" : "008aeb368a7027a4d64abdea37390c0c1d6a26f399e2d9734de1eb3d0e19373874", + "wy" : "05bd13834715e1dbae9b875cf07bd55e1b6691c7f7536aef3b19bf7a4adf576d" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200048aeb368a7027a4d64abdea37390c0c1d6a26f399e2d9734de1eb3d0e1937387405bd13834715e1dbae9b875cf07bd55e1b6691c7f7536aef3b19bf7a4adf576d", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEius2inAnpNZKveo3OQwMHWom85ni\n2XNN4es9Dhk3OHQFvRODRxXh266bh1zwe9VeG2aRx/dTau87Gb96St9XbQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 302, + "comment" : "s == 1", + "msg" : "313233343030", + "sig" : 
"30250220555555550000000055555555555555553ef7a8e48d07df81a693439654210c70020101", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 303, + "comment" : "s == 0", + "msg" : "313233343030", + "sig" : "30250220555555550000000055555555555555553ef7a8e48d07df81a693439654210c70020100", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04b533d4695dd5b8c5e07757e55e6e516f7e2c88fa0239e23f60e8ec07dd70f2871b134ee58cc583278456863f33c3a85d881f7d4a39850143e29d4eaf009afe47", + "wx" : "00b533d4695dd5b8c5e07757e55e6e516f7e2c88fa0239e23f60e8ec07dd70f287", + "wy" : "1b134ee58cc583278456863f33c3a85d881f7d4a39850143e29d4eaf009afe47" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004b533d4695dd5b8c5e07757e55e6e516f7e2c88fa0239e23f60e8ec07dd70f2871b134ee58cc583278456863f33c3a85d881f7d4a39850143e29d4eaf009afe47", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtTPUaV3VuMXgd1flXm5Rb34siPoC\nOeI/YOjsB91w8ocbE07ljMWDJ4RWhj8zw6hdiB99SjmFAUPinU6vAJr+Rw==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 304, + "comment" : "point at infinity during verify", + "msg" : "313233343030", + "sig" : "304402207fffffff800000007fffffffffffffffde737d56d38bcf4279dce5617e3192a80220555555550000000055555555555555553ef7a8e48d07df81a693439654210c70", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04f50d371b91bfb1d7d14e1323523bc3aa8cbf2c57f9e284de628c8b4536787b86f94ad887ac94d527247cd2e7d0c8b1291c553c9730405380b14cbb209f5fa2dd", + "wx" : "00f50d371b91bfb1d7d14e1323523bc3aa8cbf2c57f9e284de628c8b4536787b86", + "wy" : "00f94ad887ac94d527247cd2e7d0c8b1291c553c9730405380b14cbb209f5fa2dd" + }, + "keyDer" : 
"3059301306072a8648ce3d020106082a8648ce3d03010703420004f50d371b91bfb1d7d14e1323523bc3aa8cbf2c57f9e284de628c8b4536787b86f94ad887ac94d527247cd2e7d0c8b1291c553c9730405380b14cbb209f5fa2dd", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9Q03G5G/sdfRThMjUjvDqoy/LFf5\n4oTeYoyLRTZ4e4b5StiHrJTVJyR80ufQyLEpHFU8lzBAU4CxTLsgn1+i3Q==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 305, + "comment" : "edge case for signature malleability", + "msg" : "313233343030", + "sig" : "304402207fffffff800000007fffffffffffffffde737d56d38bcf4279dce5617e3192a902207fffffff800000007fffffffffffffffde737d56d38bcf4279dce5617e3192a8", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "0468ec6e298eafe16539156ce57a14b04a7047c221bafc3a582eaeb0d857c4d94697bed1af17850117fdb39b2324f220a5698ed16c426a27335bb385ac8ca6fb30", + "wx" : "68ec6e298eafe16539156ce57a14b04a7047c221bafc3a582eaeb0d857c4d946", + "wy" : "0097bed1af17850117fdb39b2324f220a5698ed16c426a27335bb385ac8ca6fb30" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d0301070342000468ec6e298eafe16539156ce57a14b04a7047c221bafc3a582eaeb0d857c4d94697bed1af17850117fdb39b2324f220a5698ed16c426a27335bb385ac8ca6fb30", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaOxuKY6v4WU5FWzlehSwSnBHwiG6\n/DpYLq6w2FfE2UaXvtGvF4UBF/2zmyMk8iClaY7RbEJqJzNbs4WsjKb7MA==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 306, + "comment" : "edge case for signature malleability", + "msg" : "313233343030", + "sig" : "304402207fffffff800000007fffffffffffffffde737d56d38bcf4279dce5617e3192a902207fffffff800000007fffffffffffffffde737d56d38bcf4279dce5617e3192a9", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + 
"uncompressed" : "0469da0364734d2e530fece94019265fefb781a0f1b08f6c8897bdf6557927c8b866d2d3c7dcd518b23d726960f069ad71a933d86ef8abbcce8b20f71e2a847002", + "wx" : "69da0364734d2e530fece94019265fefb781a0f1b08f6c8897bdf6557927c8b8", + "wy" : "66d2d3c7dcd518b23d726960f069ad71a933d86ef8abbcce8b20f71e2a847002" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d0301070342000469da0364734d2e530fece94019265fefb781a0f1b08f6c8897bdf6557927c8b866d2d3c7dcd518b23d726960f069ad71a933d86ef8abbcce8b20f71e2a847002", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEadoDZHNNLlMP7OlAGSZf77eBoPGw\nj2yIl732VXknyLhm0tPH3NUYsj1yaWDwaa1xqTPYbvirvM6LIPceKoRwAg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 307, + "comment" : "u1 == 1", + "msg" : "313233343030", + "sig" : "30450220555555550000000055555555555555553ef7a8e48d07df81a693439654210c70022100bb5a52f42f9c9261ed4361f59422a1e30036e7c32b270c8807a419feca605023", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04d8adc00023a8edc02576e2b63e3e30621a471e2b2320620187bf067a1ac1ff3233e2b50ec09807accb36131fff95ed12a09a86b4ea9690aa32861576ba2362e1", + "wx" : "00d8adc00023a8edc02576e2b63e3e30621a471e2b2320620187bf067a1ac1ff32", + "wy" : "33e2b50ec09807accb36131fff95ed12a09a86b4ea9690aa32861576ba2362e1" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004d8adc00023a8edc02576e2b63e3e30621a471e2b2320620187bf067a1ac1ff3233e2b50ec09807accb36131fff95ed12a09a86b4ea9690aa32861576ba2362e1", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2K3AACOo7cAlduK2Pj4wYhpHHisj\nIGIBh78GehrB/zIz4rUOwJgHrMs2Ex//le0SoJqGtOqWkKoyhhV2uiNi4Q==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 308, + "comment" : "u1 == n - 1", + "msg" : "313233343030", + "sig" : 
"30440220555555550000000055555555555555553ef7a8e48d07df81a693439654210c70022044a5ad0ad0636d9f12bc9e0a6bdd5e1cbcb012ea7bf091fcec15b0c43202d52e", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "043623ac973ced0a56fa6d882f03a7d5c7edca02cfc7b2401fab3690dbe75ab7858db06908e64b28613da7257e737f39793da8e713ba0643b92e9bb3252be7f8fe", + "wx" : "3623ac973ced0a56fa6d882f03a7d5c7edca02cfc7b2401fab3690dbe75ab785", + "wy" : "008db06908e64b28613da7257e737f39793da8e713ba0643b92e9bb3252be7f8fe" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200043623ac973ced0a56fa6d882f03a7d5c7edca02cfc7b2401fab3690dbe75ab7858db06908e64b28613da7257e737f39793da8e713ba0643b92e9bb3252be7f8fe", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENiOslzztClb6bYgvA6fVx+3KAs/H\nskAfqzaQ2+dat4WNsGkI5ksoYT2nJX5zfzl5PajnE7oGQ7kum7MlK+f4/g==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 309, + "comment" : "u2 == 1", + "msg" : "313233343030", + "sig" : "30440220555555550000000055555555555555553ef7a8e48d07df81a693439654210c700220555555550000000055555555555555553ef7a8e48d07df81a693439654210c70", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04cf04ea77e9622523d894b93ff52dc3027b31959503b6fa3890e5e04263f922f1e8528fb7c006b3983c8b8400e57b4ed71740c2f3975438821199bedeaecab2e9", + "wx" : "00cf04ea77e9622523d894b93ff52dc3027b31959503b6fa3890e5e04263f922f1", + "wy" : "00e8528fb7c006b3983c8b8400e57b4ed71740c2f3975438821199bedeaecab2e9" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004cf04ea77e9622523d894b93ff52dc3027b31959503b6fa3890e5e04263f922f1e8528fb7c006b3983c8b8400e57b4ed71740c2f3975438821199bedeaecab2e9", + "keyPem" : "-----BEGIN PUBLIC 
KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzwTqd+liJSPYlLk/9S3DAnsxlZUD\ntvo4kOXgQmP5IvHoUo+3wAazmDyLhADle07XF0DC85dUOIIRmb7ersqy6Q==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 310, + "comment" : "u2 == n - 1", + "msg" : "313233343030", + "sig" : "30450220555555550000000055555555555555553ef7a8e48d07df81a693439654210c70022100aaaaaaaa00000000aaaaaaaaaaaaaaaa7def51c91a0fbf034d26872ca84218e1", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04db7a2c8a1ab573e5929dc24077b508d7e683d49227996bda3e9f78dbeff773504f417f3bc9a88075c2e0aadd5a13311730cf7cc76a82f11a36eaf08a6c99a206", + "wx" : "00db7a2c8a1ab573e5929dc24077b508d7e683d49227996bda3e9f78dbeff77350", + "wy" : "4f417f3bc9a88075c2e0aadd5a13311730cf7cc76a82f11a36eaf08a6c99a206" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004db7a2c8a1ab573e5929dc24077b508d7e683d49227996bda3e9f78dbeff773504f417f3bc9a88075c2e0aadd5a13311730cf7cc76a82f11a36eaf08a6c99a206", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE23osihq1c+WSncJAd7UI1+aD1JIn\nmWvaPp942+/3c1BPQX87yaiAdcLgqt1aEzEXMM98x2qC8Ro26vCKbJmiBg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 311, + "comment" : "edge case for u1", + "msg" : "313233343030", + "sig" : "304502207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022100e91e1ba60fdedb76a46bcb51dc0b8b4b7e019f0a28721885fa5d3a8196623397", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04dead11c7a5b396862f21974dc4752fadeff994efe9bbd05ab413765ea80b6e1f1de3f0640e8ac6edcf89cff53c40e265bb94078a343736df07aa0318fc7fe1ff", + "wx" : "00dead11c7a5b396862f21974dc4752fadeff994efe9bbd05ab413765ea80b6e1f", + "wy" : 
"1de3f0640e8ac6edcf89cff53c40e265bb94078a343736df07aa0318fc7fe1ff" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004dead11c7a5b396862f21974dc4752fadeff994efe9bbd05ab413765ea80b6e1f1de3f0640e8ac6edcf89cff53c40e265bb94078a343736df07aa0318fc7fe1ff", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3q0Rx6WzloYvIZdNxHUvre/5lO/p\nu9BatBN2XqgLbh8d4/BkDorG7c+Jz/U8QOJlu5QHijQ3Nt8HqgMY/H/h/w==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 312, + "comment" : "edge case for u1", + "msg" : "313233343030", + "sig" : "304502207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022100fdea5843ffeb73af94313ba4831b53fe24f799e525b1e8e8c87b59b95b430ad9", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04d0bc472e0d7c81ebaed3a6ef96c18613bb1fea6f994326fbe80e00dfde67c7e9986c723ea4843d48389b946f64ad56c83ad70ff17ba85335667d1bb9fa619efd", + "wx" : "00d0bc472e0d7c81ebaed3a6ef96c18613bb1fea6f994326fbe80e00dfde67c7e9", + "wy" : "00986c723ea4843d48389b946f64ad56c83ad70ff17ba85335667d1bb9fa619efd" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004d0bc472e0d7c81ebaed3a6ef96c18613bb1fea6f994326fbe80e00dfde67c7e9986c723ea4843d48389b946f64ad56c83ad70ff17ba85335667d1bb9fa619efd", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0LxHLg18geuu06bvlsGGE7sf6m+Z\nQyb76A4A395nx+mYbHI+pIQ9SDiblG9krVbIOtcP8XuoUzVmfRu5+mGe/Q==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 313, + "comment" : "edge case for u1", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022003ffcabf2f1b4d2a65190db1680d62bb994e41c5251cd73b3c3dfc5e5bafc035", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + 
"keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04a0a44ca947d66a2acb736008b9c08d1ab2ad03776e02640f78495d458dd51c326337fe5cf8c4604b1f1c409dc2d872d4294a4762420df43a30a2392e40426add", + "wx" : "00a0a44ca947d66a2acb736008b9c08d1ab2ad03776e02640f78495d458dd51c32", + "wy" : "6337fe5cf8c4604b1f1c409dc2d872d4294a4762420df43a30a2392e40426add" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004a0a44ca947d66a2acb736008b9c08d1ab2ad03776e02640f78495d458dd51c326337fe5cf8c4604b1f1c409dc2d872d4294a4762420df43a30a2392e40426add", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoKRMqUfWairLc2AIucCNGrKtA3du\nAmQPeEldRY3VHDJjN/5c+MRgSx8cQJ3C2HLUKUpHYkIN9DowojkuQEJq3Q==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 314, + "comment" : "edge case for u1", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd02204dfbc401f971cd304b33dfdb17d0fed0fe4c1a88ae648e0d2847f74977534989", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04c9c2115290d008b45fb65fad0f602389298c25420b775019d42b62c3ce8a96b73877d25a8080dc02d987ca730f0405c2c9dbefac46f9e601cc3f06e9713973fd", + "wx" : "00c9c2115290d008b45fb65fad0f602389298c25420b775019d42b62c3ce8a96b7", + "wy" : "3877d25a8080dc02d987ca730f0405c2c9dbefac46f9e601cc3f06e9713973fd" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004c9c2115290d008b45fb65fad0f602389298c25420b775019d42b62c3ce8a96b73877d25a8080dc02d987ca730f0405c2c9dbefac46f9e601cc3f06e9713973fd", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEycIRUpDQCLRftl+tD2AjiSmMJUIL\nd1AZ1Ctiw86Klrc4d9JagIDcAtmHynMPBAXCydvvrEb55gHMPwbpcTlz/Q==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 315, + "comment" : "edge case 
for u1", + "msg" : "313233343030", + "sig" : "304502207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022100bc4024761cd2ffd43dfdb17d0fed112b988977055cd3a8e54971eba9cda5ca71", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "045eca1ef4c287dddc66b8bccf1b88e8a24c0018962f3c5e7efa83bc1a5ff6033e5e79c4cb2c245b8c45abdce8a8e4da758d92a607c32cd407ecaef22f1c934a71", + "wx" : "5eca1ef4c287dddc66b8bccf1b88e8a24c0018962f3c5e7efa83bc1a5ff6033e", + "wy" : "5e79c4cb2c245b8c45abdce8a8e4da758d92a607c32cd407ecaef22f1c934a71" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200045eca1ef4c287dddc66b8bccf1b88e8a24c0018962f3c5e7efa83bc1a5ff6033e5e79c4cb2c245b8c45abdce8a8e4da758d92a607c32cd407ecaef22f1c934a71", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXsoe9MKH3dxmuLzPG4jookwAGJYv\nPF5++oO8Gl/2Az5eecTLLCRbjEWr3Oio5Np1jZKmB8Ms1AfsrvIvHJNKcQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 316, + "comment" : "edge case for u1", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd0220788048ed39a5ffa77bfb62fa1fda2257742bf35d128fb3459f2a0c909ee86f91", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "045caaa030e7fdf0e4936bc7ab5a96353e0a01e4130c3f8bf22d473e317029a47adeb6adc462f7058f2a20d371e9702254e9b201642005b3ceda926b42b178bef9", + "wx" : "5caaa030e7fdf0e4936bc7ab5a96353e0a01e4130c3f8bf22d473e317029a47a", + "wy" : "00deb6adc462f7058f2a20d371e9702254e9b201642005b3ceda926b42b178bef9" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200045caaa030e7fdf0e4936bc7ab5a96353e0a01e4130c3f8bf22d473e317029a47adeb6adc462f7058f2a20d371e9702254e9b201642005b3ceda926b42b178bef9", + "keyPem" : 
"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXKqgMOf98OSTa8erWpY1PgoB5BMM\nP4vyLUc+MXAppHretq3EYvcFjyog03HpcCJU6bIBZCAFs87akmtCsXi++Q==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 317, + "comment" : "edge case for u1", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd0220476d9131fd381bd917d0fed112bc9e0a5924b5ed5b11167edd8b23582b3cb15e", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04c2fd20bac06e555bb8ac0ce69eb1ea20f83a1fc3501c8a66469b1a31f619b0986237050779f52b615bd7b8d76a25fc95ca2ed32525c75f27ffc87ac397e6cbaf", + "wx" : "00c2fd20bac06e555bb8ac0ce69eb1ea20f83a1fc3501c8a66469b1a31f619b098", + "wy" : "6237050779f52b615bd7b8d76a25fc95ca2ed32525c75f27ffc87ac397e6cbaf" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004c2fd20bac06e555bb8ac0ce69eb1ea20f83a1fc3501c8a66469b1a31f619b0986237050779f52b615bd7b8d76a25fc95ca2ed32525c75f27ffc87ac397e6cbaf", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwv0gusBuVVu4rAzmnrHqIPg6H8NQ\nHIpmRpsaMfYZsJhiNwUHefUrYVvXuNdqJfyVyi7TJSXHXyf/yHrDl+bLrw==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 318, + "comment" : "edge case for u1", + "msg" : "313233343030", + "sig" : "304502207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd0221008374253e3e21bd154448d0a8f640fe46fafa8b19ce78d538f6cc0a19662d3601", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "043fd6a1ca7f77fb3b0bbe726c372010068426e11ea6ae78ce17bedae4bba86ced03ce5516406bf8cfaab8745eac1cd69018ad6f50b5461872ddfc56e0db3c8ff4", + "wx" : "3fd6a1ca7f77fb3b0bbe726c372010068426e11ea6ae78ce17bedae4bba86ced", + "wy" : 
"03ce5516406bf8cfaab8745eac1cd69018ad6f50b5461872ddfc56e0db3c8ff4" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200043fd6a1ca7f77fb3b0bbe726c372010068426e11ea6ae78ce17bedae4bba86ced03ce5516406bf8cfaab8745eac1cd69018ad6f50b5461872ddfc56e0db3c8ff4", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEP9ahyn93+zsLvnJsNyAQBoQm4R6m\nrnjOF77a5LuobO0DzlUWQGv4z6q4dF6sHNaQGK1vULVGGHLd/Fbg2zyP9A==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 319, + "comment" : "edge case for u1", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd0220357cfd3be4d01d413c5b9ede36cba5452c11ee7fe14879e749ae6a2d897a52d6", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "049cb8e51e27a5ae3b624a60d6dc32734e4989db20e9bca3ede1edf7b086911114b4c104ab3c677e4b36d6556e8ad5f523410a19f2e277aa895fc57322b4427544", + "wx" : "009cb8e51e27a5ae3b624a60d6dc32734e4989db20e9bca3ede1edf7b086911114", + "wy" : "00b4c104ab3c677e4b36d6556e8ad5f523410a19f2e277aa895fc57322b4427544" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200049cb8e51e27a5ae3b624a60d6dc32734e4989db20e9bca3ede1edf7b086911114b4c104ab3c677e4b36d6556e8ad5f523410a19f2e277aa895fc57322b4427544", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnLjlHielrjtiSmDW3DJzTkmJ2yDp\nvKPt4e33sIaRERS0wQSrPGd+SzbWVW6K1fUjQQoZ8uJ3qolfxXMitEJ1RA==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 320, + "comment" : "edge case for u1", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022029798c5c0ee287d4a5e8e6b799fd86b8df5225298e6ffc807cd2f2bc27a0a6d8", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + 
"keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04a3e52c156dcaf10502620b7955bc2b40bc78ef3d569e1223c262512d8f49602a4a2039f31c1097024ad3cc86e57321de032355463486164cf192944977df147f", + "wx" : "00a3e52c156dcaf10502620b7955bc2b40bc78ef3d569e1223c262512d8f49602a", + "wy" : "4a2039f31c1097024ad3cc86e57321de032355463486164cf192944977df147f" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004a3e52c156dcaf10502620b7955bc2b40bc78ef3d569e1223c262512d8f49602a4a2039f31c1097024ad3cc86e57321de032355463486164cf192944977df147f", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEo+UsFW3K8QUCYgt5VbwrQLx47z1W\nnhIjwmJRLY9JYCpKIDnzHBCXAkrTzIblcyHeAyNVRjSGFkzxkpRJd98Ufw==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 321, + "comment" : "edge case for u1", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd02200b70f22c781092452dca1a5711fa3a5a1f72add1bf52c2ff7cae4820b30078dd", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04f19b78928720d5bee8e670fb90010fb15c37bf91b58a5157c3f3c059b2655e88cf701ec962fb4a11dcf273f5dc357e58468560c7cfeb942d074abd4329260509", + "wx" : "00f19b78928720d5bee8e670fb90010fb15c37bf91b58a5157c3f3c059b2655e88", + "wy" : "00cf701ec962fb4a11dcf273f5dc357e58468560c7cfeb942d074abd4329260509" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004f19b78928720d5bee8e670fb90010fb15c37bf91b58a5157c3f3c059b2655e88cf701ec962fb4a11dcf273f5dc357e58468560c7cfeb942d074abd4329260509", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8Zt4kocg1b7o5nD7kAEPsVw3v5G1\nilFXw/PAWbJlXojPcB7JYvtKEdzyc/XcNX5YRoVgx8/rlC0HSr1DKSYFCQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 322, + "comment" : "edge case 
for u1", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022016e1e458f021248a5b9434ae23f474b43ee55ba37ea585fef95c90416600f1ba", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "0483a744459ecdfb01a5cf52b27a05bb7337482d242f235d7b4cb89345545c90a8c05d49337b9649813287de9ffe90355fd905df5f3c32945828121f37cc50de6e", + "wx" : "0083a744459ecdfb01a5cf52b27a05bb7337482d242f235d7b4cb89345545c90a8", + "wy" : "00c05d49337b9649813287de9ffe90355fd905df5f3c32945828121f37cc50de6e" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d0301070342000483a744459ecdfb01a5cf52b27a05bb7337482d242f235d7b4cb89345545c90a8c05d49337b9649813287de9ffe90355fd905df5f3c32945828121f37cc50de6e", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEg6dERZ7N+wGlz1KyegW7czdILSQv\nI117TLiTRVRckKjAXUkze5ZJgTKH3p/+kDVf2QXfXzwylFgoEh83zFDebg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 323, + "comment" : "edge case for u1", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd02202252d6856831b6cf895e4f0535eeaf0e5e5809753df848fe760ad86219016a97", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04dd13c6b34c56982ddae124f039dfd23f4b19bbe88cee8e528ae51e5d6f3a21d7bfad4c2e6f263fe5eb59ca974d039fc0e4c3345692fb5320bdae4bd3b42a45ff", + "wx" : "00dd13c6b34c56982ddae124f039dfd23f4b19bbe88cee8e528ae51e5d6f3a21d7", + "wy" : "00bfad4c2e6f263fe5eb59ca974d039fc0e4c3345692fb5320bdae4bd3b42a45ff" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004dd13c6b34c56982ddae124f039dfd23f4b19bbe88cee8e528ae51e5d6f3a21d7bfad4c2e6f263fe5eb59ca974d039fc0e4c3345692fb5320bdae4bd3b42a45ff", + "keyPem" : 
"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3RPGs0xWmC3a4STwOd/SP0sZu+iM\n7o5SiuUeXW86Ide/rUwubyY/5etZypdNA5/A5MM0VpL7UyC9rkvTtCpF/w==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 324, + "comment" : "edge case for u1", + "msg" : "313233343030", + "sig" : "304502207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd02210081ffe55f178da695b28c86d8b406b15dab1a9e39661a3ae017fbe390ac0972c3", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "0467e6f659cdde869a2f65f094e94e5b4dfad636bbf95192feeed01b0f3deb7460a37e0a51f258b7aeb51dfe592f5cfd5685bbe58712c8d9233c62886437c38ba0", + "wx" : "67e6f659cdde869a2f65f094e94e5b4dfad636bbf95192feeed01b0f3deb7460", + "wy" : "00a37e0a51f258b7aeb51dfe592f5cfd5685bbe58712c8d9233c62886437c38ba0" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d0301070342000467e6f659cdde869a2f65f094e94e5b4dfad636bbf95192feeed01b0f3deb7460a37e0a51f258b7aeb51dfe592f5cfd5685bbe58712c8d9233c62886437c38ba0", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZ+b2Wc3ehpovZfCU6U5bTfrWNrv5\nUZL+7tAbDz3rdGCjfgpR8li3rrUd/lkvXP1WhbvlhxLI2SM8YohkN8OLoA==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 325, + "comment" : "edge case for u2", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd02207fffffffaaaaaaaaffffffffffffffffe9a2538f37b28a2c513dee40fecbb71a", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "042eb6412505aec05c6545f029932087e490d05511e8ec1f599617bb367f9ecaaf805f51efcc4803403f9b1ae0124890f06a43fedcddb31830f6669af292895cb0", + "wx" : "2eb6412505aec05c6545f029932087e490d05511e8ec1f599617bb367f9ecaaf", + "wy" : 
"00805f51efcc4803403f9b1ae0124890f06a43fedcddb31830f6669af292895cb0" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200042eb6412505aec05c6545f029932087e490d05511e8ec1f599617bb367f9ecaaf805f51efcc4803403f9b1ae0124890f06a43fedcddb31830f6669af292895cb0", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELrZBJQWuwFxlRfApkyCH5JDQVRHo\n7B9Zlhe7Nn+eyq+AX1HvzEgDQD+bGuASSJDwakP+3N2zGDD2ZprykolcsA==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 326, + "comment" : "edge case for u2", + "msg" : "313233343030", + "sig" : "304502207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022100b62f26b5f2a2b26f6de86d42ad8a13da3ab3cccd0459b201de009e526adf21f2", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "0484db645868eab35e3a9fd80e056e2e855435e3a6b68d75a50a854625fe0d7f356d2589ac655edc9a11ef3e075eddda9abf92e72171570ef7bf43a2ee39338cfe", + "wx" : "0084db645868eab35e3a9fd80e056e2e855435e3a6b68d75a50a854625fe0d7f35", + "wy" : "6d2589ac655edc9a11ef3e075eddda9abf92e72171570ef7bf43a2ee39338cfe" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d0301070342000484db645868eab35e3a9fd80e056e2e855435e3a6b68d75a50a854625fe0d7f356d2589ac655edc9a11ef3e075eddda9abf92e72171570ef7bf43a2ee39338cfe", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhNtkWGjqs146n9gOBW4uhVQ146a2\njXWlCoVGJf4NfzVtJYmsZV7cmhHvPgde3dqav5LnIXFXDve/Q6LuOTOM/g==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 327, + "comment" : "edge case for u2", + "msg" : "313233343030", + "sig" : "304502207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022100bb1d9ac949dd748cd02bbbe749bd351cd57b38bb61403d700686aa7b4c90851e", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", 
+ "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "0491b9e47c56278662d75c0983b22ca8ea6aa5059b7a2ff7637eb2975e386ad66349aa8ff283d0f77c18d6d11dc062165fd13c3c0310679c1408302a16854ecfbd", + "wx" : "0091b9e47c56278662d75c0983b22ca8ea6aa5059b7a2ff7637eb2975e386ad663", + "wy" : "49aa8ff283d0f77c18d6d11dc062165fd13c3c0310679c1408302a16854ecfbd" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d0301070342000491b9e47c56278662d75c0983b22ca8ea6aa5059b7a2ff7637eb2975e386ad66349aa8ff283d0f77c18d6d11dc062165fd13c3c0310679c1408302a16854ecfbd", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkbnkfFYnhmLXXAmDsiyo6mqlBZt6\nL/djfrKXXjhq1mNJqo/yg9D3fBjW0R3AYhZf0Tw8AxBnnBQIMCoWhU7PvQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 328, + "comment" : "edge case for u2", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022066755a00638cdaec1c732513ca0234ece52545dac11f816e818f725b4f60aaf2", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04f3ec2f13caf04d0192b47fb4c5311fb6d4dc6b0a9e802e5327f7ec5ee8e4834df97e3e468b7d0db867d6ecfe81e2b0f9531df87efdb47c1338ac321fefe5a432", + "wx" : "00f3ec2f13caf04d0192b47fb4c5311fb6d4dc6b0a9e802e5327f7ec5ee8e4834d", + "wy" : "00f97e3e468b7d0db867d6ecfe81e2b0f9531df87efdb47c1338ac321fefe5a432" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004f3ec2f13caf04d0192b47fb4c5311fb6d4dc6b0a9e802e5327f7ec5ee8e4834df97e3e468b7d0db867d6ecfe81e2b0f9531df87efdb47c1338ac321fefe5a432", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8+wvE8rwTQGStH+0xTEfttTcawqe\ngC5TJ/fsXujkg035fj5Gi30NuGfW7P6B4rD5Ux34fv20fBM4rDIf7+WkMg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 329, + "comment" : "edge 
case for u2", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022055a00c9fcdaebb6032513ca0234ecfffe98ebe492fdf02e48ca48e982beb3669", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04d92b200aefcab6ac7dafd9acaf2fa10b3180235b8f46b4503e4693c670fccc885ef2f3aebf5b317475336256768f7c19efb7352d27e4cccadc85b6b8ab922c72", + "wx" : "00d92b200aefcab6ac7dafd9acaf2fa10b3180235b8f46b4503e4693c670fccc88", + "wy" : "5ef2f3aebf5b317475336256768f7c19efb7352d27e4cccadc85b6b8ab922c72" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004d92b200aefcab6ac7dafd9acaf2fa10b3180235b8f46b4503e4693c670fccc885ef2f3aebf5b317475336256768f7c19efb7352d27e4cccadc85b6b8ab922c72", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2SsgCu/Ktqx9r9msry+hCzGAI1uP\nRrRQPkaTxnD8zIhe8vOuv1sxdHUzYlZ2j3wZ77c1LSfkzMrchba4q5Iscg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 330, + "comment" : "edge case for u2", + "msg" : "313233343030", + "sig" : "304502207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022100ab40193f9b5d76c064a27940469d9fffd31d7c925fbe05c919491d3057d66cd2", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "040a88361eb92ecca2625b38e5f98bbabb96bf179b3d76fc48140a3bcd881523cde6bdf56033f84a5054035597375d90866aa2c96b86a41ccf6edebf47298ad489", + "wx" : "0a88361eb92ecca2625b38e5f98bbabb96bf179b3d76fc48140a3bcd881523cd", + "wy" : "00e6bdf56033f84a5054035597375d90866aa2c96b86a41ccf6edebf47298ad489" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200040a88361eb92ecca2625b38e5f98bbabb96bf179b3d76fc48140a3bcd881523cde6bdf56033f84a5054035597375d90866aa2c96b86a41ccf6edebf47298ad489", + "keyPem" : 
"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECog2HrkuzKJiWzjl+Yu6u5a/F5s9\ndvxIFAo7zYgVI83mvfVgM/hKUFQDVZc3XZCGaqLJa4akHM9u3r9HKYrUiQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 331, + "comment" : "edge case for u2", + "msg" : "313233343030", + "sig" : "304502207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022100ca0234ebb5fdcb13ca0234ecffffffffcb0dadbbc7f549f8a26b4408d0dc8600", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04d0fb17ccd8fafe827e0c1afc5d8d80366e2b20e7f14a563a2ba50469d84375e868612569d39e2bb9f554355564646de99ac602cc6349cf8c1e236a7de7637d93", + "wx" : "00d0fb17ccd8fafe827e0c1afc5d8d80366e2b20e7f14a563a2ba50469d84375e8", + "wy" : "68612569d39e2bb9f554355564646de99ac602cc6349cf8c1e236a7de7637d93" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004d0fb17ccd8fafe827e0c1afc5d8d80366e2b20e7f14a563a2ba50469d84375e868612569d39e2bb9f554355564646de99ac602cc6349cf8c1e236a7de7637d93", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0PsXzNj6/oJ+DBr8XY2ANm4rIOfx\nSlY6K6UEadhDdehoYSVp054rufVUNVVkZG3pmsYCzGNJz4weI2p952N9kw==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 332, + "comment" : "edge case for u2", + "msg" : "313233343030", + "sig" : "304502207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022100bfffffff3ea3677e082b9310572620ae19933a9e65b285598711c77298815ad3", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04836f33bbc1dc0d3d3abbcef0d91f11e2ac4181076c9af0a22b1e4309d3edb2769ab443ff6f901e30c773867582997c2bec2b0cb8120d760236f3a95bbe881f75", + "wx" : "00836f33bbc1dc0d3d3abbcef0d91f11e2ac4181076c9af0a22b1e4309d3edb276", + "wy" : 
"009ab443ff6f901e30c773867582997c2bec2b0cb8120d760236f3a95bbe881f75" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004836f33bbc1dc0d3d3abbcef0d91f11e2ac4181076c9af0a22b1e4309d3edb2769ab443ff6f901e30c773867582997c2bec2b0cb8120d760236f3a95bbe881f75", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEg28zu8HcDT06u87w2R8R4qxBgQds\nmvCiKx5DCdPtsnaatEP/b5AeMMdzhnWCmXwr7CsMuBINdgI286lbvogfdQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 333, + "comment" : "edge case for u2", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd0220266666663bbbbbbbe6666666666666665b37902e023fab7c8f055d86e5cc41f4", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "0492f99fbe973ed4a299719baee4b432741237034dec8d72ba5103cb33e55feeb8033dd0e91134c734174889f3ebcf1b7a1ac05767289280ee7a794cebd6e69697", + "wx" : "0092f99fbe973ed4a299719baee4b432741237034dec8d72ba5103cb33e55feeb8", + "wy" : "033dd0e91134c734174889f3ebcf1b7a1ac05767289280ee7a794cebd6e69697" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d0301070342000492f99fbe973ed4a299719baee4b432741237034dec8d72ba5103cb33e55feeb8033dd0e91134c734174889f3ebcf1b7a1ac05767289280ee7a794cebd6e69697", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkvmfvpc+1KKZcZuu5LQydBI3A03s\njXK6UQPLM+Vf7rgDPdDpETTHNBdIifPrzxt6GsBXZyiSgO56eUzr1uaWlw==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 334, + "comment" : "edge case for u2", + "msg" : "313233343030", + "sig" : "304502207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022100bfffffff36db6db7a492492492492492146c573f4c6dfc8d08a443e258970b09", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + 
"keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04d35ba58da30197d378e618ec0fa7e2e2d12cffd73ebbb2049d130bba434af09eff83986e6875e41ea432b7585a49b3a6c77cbb3c47919f8e82874c794635c1d2", + "wx" : "00d35ba58da30197d378e618ec0fa7e2e2d12cffd73ebbb2049d130bba434af09e", + "wy" : "00ff83986e6875e41ea432b7585a49b3a6c77cbb3c47919f8e82874c794635c1d2" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004d35ba58da30197d378e618ec0fa7e2e2d12cffd73ebbb2049d130bba434af09eff83986e6875e41ea432b7585a49b3a6c77cbb3c47919f8e82874c794635c1d2", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE01uljaMBl9N45hjsD6fi4tEs/9c+\nu7IEnRMLukNK8J7/g5huaHXkHqQyt1haSbOmx3y7PEeRn46Ch0x5RjXB0g==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 335, + "comment" : "edge case for u2", + "msg" : "313233343030", + "sig" : "304502207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022100bfffffff2aaaaaab7fffffffffffffffc815d0e60b3e596ecb1ad3a27cfd49c4", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "048651ce490f1b46d73f3ff475149be29136697334a519d7ddab0725c8d0793224e11c65bd8ca92dc8bc9ae82911f0b52751ce21dd9003ae60900bd825f590cc28", + "wx" : "008651ce490f1b46d73f3ff475149be29136697334a519d7ddab0725c8d0793224", + "wy" : "00e11c65bd8ca92dc8bc9ae82911f0b52751ce21dd9003ae60900bd825f590cc28" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200048651ce490f1b46d73f3ff475149be29136697334a519d7ddab0725c8d0793224e11c65bd8ca92dc8bc9ae82911f0b52751ce21dd9003ae60900bd825f590cc28", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhlHOSQ8bRtc/P/R1FJvikTZpczSl\nGdfdqwclyNB5MiThHGW9jKktyLya6CkR8LUnUc4h3ZADrmCQC9gl9ZDMKA==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 336, + "comment" : "edge 
case for u2", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd02207fffffff55555555ffffffffffffffffd344a71e6f651458a27bdc81fd976e37", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "046d8e1b12c831a0da8795650ff95f101ed921d9e2f72b15b1cdaca9826b9cfc6def6d63e2bc5c089570394a4bc9f892d5e6c7a6a637b20469a58c106ad486bf37", + "wx" : "6d8e1b12c831a0da8795650ff95f101ed921d9e2f72b15b1cdaca9826b9cfc6d", + "wy" : "00ef6d63e2bc5c089570394a4bc9f892d5e6c7a6a637b20469a58c106ad486bf37" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200046d8e1b12c831a0da8795650ff95f101ed921d9e2f72b15b1cdaca9826b9cfc6def6d63e2bc5c089570394a4bc9f892d5e6c7a6a637b20469a58c106ad486bf37", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbY4bEsgxoNqHlWUP+V8QHtkh2eL3\nKxWxzaypgmuc/G3vbWPivFwIlXA5SkvJ+JLV5sempjeyBGmljBBq1Ia/Nw==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 337, + "comment" : "edge case for u2", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd02203fffffff800000007fffffffffffffffde737d56d38bcf4279dce5617e3192aa", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "040ae580bae933b4ef2997cbdbb0922328ca9a410f627a0f7dff24cb4d920e15428911e7f8cc365a8a88eb81421a361ccc2b99e309d8dcd9a98ba83c3949d893e3", + "wx" : "0ae580bae933b4ef2997cbdbb0922328ca9a410f627a0f7dff24cb4d920e1542", + "wy" : "008911e7f8cc365a8a88eb81421a361ccc2b99e309d8dcd9a98ba83c3949d893e3" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200040ae580bae933b4ef2997cbdbb0922328ca9a410f627a0f7dff24cb4d920e15428911e7f8cc365a8a88eb81421a361ccc2b99e309d8dcd9a98ba83c3949d893e3", + "keyPem" : 
"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECuWAuukztO8pl8vbsJIjKMqaQQ9i\neg99/yTLTZIOFUKJEef4zDZaiojrgUIaNhzMK5njCdjc2amLqDw5SdiT4w==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 338, + "comment" : "edge case for u2", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd02205d8ecd64a4eeba466815ddf3a4de9a8e6abd9c5db0a01eb80343553da648428f", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "045b812fd521aafa69835a849cce6fbdeb6983b442d2444fe70e134c027fc46963838a40f2a36092e9004e92d8d940cf5638550ce672ce8b8d4e15eba5499249e9", + "wx" : "5b812fd521aafa69835a849cce6fbdeb6983b442d2444fe70e134c027fc46963", + "wy" : "00838a40f2a36092e9004e92d8d940cf5638550ce672ce8b8d4e15eba5499249e9" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200045b812fd521aafa69835a849cce6fbdeb6983b442d2444fe70e134c027fc46963838a40f2a36092e9004e92d8d940cf5638550ce672ce8b8d4e15eba5499249e9", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEW4Ev1SGq+mmDWoSczm+962mDtELS\nRE/nDhNMAn/EaWODikDyo2CS6QBOktjZQM9WOFUM5nLOi41OFeulSZJJ6Q==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 339, + "comment" : "point duplication during verification", + "msg" : "313233343030", + "sig" : "304502206f2347cab7dd76858fe0555ac3bc99048c4aacafdfb6bcbe05ea6c42c4934569022100bb726660235793aa9957a61e76e00c2c435109cf9a15dd624d53f4301047856b", + "result" : "valid", + "flags" : [ + "PointDuplication" + ] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "045b812fd521aafa69835a849cce6fbdeb6983b442d2444fe70e134c027fc469637c75bf0c5c9f6d17ffb16d2726bf30a9c7aaf31a8d317472b1ea145ab66db616", + "wx" : 
"5b812fd521aafa69835a849cce6fbdeb6983b442d2444fe70e134c027fc46963", + "wy" : "7c75bf0c5c9f6d17ffb16d2726bf30a9c7aaf31a8d317472b1ea145ab66db616" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200045b812fd521aafa69835a849cce6fbdeb6983b442d2444fe70e134c027fc469637c75bf0c5c9f6d17ffb16d2726bf30a9c7aaf31a8d317472b1ea145ab66db616", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEW4Ev1SGq+mmDWoSczm+962mDtELS\nRE/nDhNMAn/EaWN8db8MXJ9tF/+xbScmvzCpx6rzGo0xdHKx6hRatm22Fg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 340, + "comment" : "duplication bug", + "msg" : "313233343030", + "sig" : "304502206f2347cab7dd76858fe0555ac3bc99048c4aacafdfb6bcbe05ea6c42c4934569022100bb726660235793aa9957a61e76e00c2c435109cf9a15dd624d53f4301047856b", + "result" : "invalid", + "flags" : [ + "PointDuplication" + ] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "046adda82b90261b0f319faa0d878665a6b6da497f09c903176222c34acfef72a647e6f50dcc40ad5d9b59f7602bb222fad71a41bf5e1f9df4959a364c62e488d9", + "wx" : "6adda82b90261b0f319faa0d878665a6b6da497f09c903176222c34acfef72a6", + "wy" : "47e6f50dcc40ad5d9b59f7602bb222fad71a41bf5e1f9df4959a364c62e488d9" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200046adda82b90261b0f319faa0d878665a6b6da497f09c903176222c34acfef72a647e6f50dcc40ad5d9b59f7602bb222fad71a41bf5e1f9df4959a364c62e488d9", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEat2oK5AmGw8xn6oNh4ZlprbaSX8J\nyQMXYiLDSs/vcqZH5vUNzECtXZtZ92ArsiL61xpBv14fnfSVmjZMYuSI2Q==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 341, + "comment" : "point with x-coordinate 0", + "msg" : "313233343030", + "sig" : "30250201010220555555550000000055555555555555553ef7a8e48d07df81a693439654210c70", + "result" : "invalid", + "flags" : [] + } + ] 
+ }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "042fca0d0a47914de77ed56e7eccc3276a601120c6df0069c825c8f6a01c9f382065f3450a1d17c6b24989a39beb1c7decfca8384fbdc294418e5d807b3c6ed7de", + "wx" : "2fca0d0a47914de77ed56e7eccc3276a601120c6df0069c825c8f6a01c9f3820", + "wy" : "65f3450a1d17c6b24989a39beb1c7decfca8384fbdc294418e5d807b3c6ed7de" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200042fca0d0a47914de77ed56e7eccc3276a601120c6df0069c825c8f6a01c9f382065f3450a1d17c6b24989a39beb1c7decfca8384fbdc294418e5d807b3c6ed7de", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEL8oNCkeRTed+1W5+zMMnamARIMbf\nAGnIJcj2oByfOCBl80UKHRfGskmJo5vrHH3s/Kg4T73ClEGOXYB7PG7X3g==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 342, + "comment" : "point with x-coordinate 0", + "msg" : "313233343030", + "sig" : "3045022101000000000000000000000000000000000000000000000000000000000000000002203333333300000000333333333333333325c7cbbc549e52e763f1f55a327a3aa9", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04dd86d3b5f4a13e8511083b78002081c53ff467f11ebd98a51a633db76665d25045d5c8200c89f2fa10d849349226d21d8dfaed6ff8d5cb3e1b7e17474ebc18f7", + "wx" : "00dd86d3b5f4a13e8511083b78002081c53ff467f11ebd98a51a633db76665d250", + "wy" : "45d5c8200c89f2fa10d849349226d21d8dfaed6ff8d5cb3e1b7e17474ebc18f7" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004dd86d3b5f4a13e8511083b78002081c53ff467f11ebd98a51a633db76665d25045d5c8200c89f2fa10d849349226d21d8dfaed6ff8d5cb3e1b7e17474ebc18f7", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3YbTtfShPoURCDt4ACCBxT/0Z/Ee\nvZilGmM9t2Zl0lBF1cggDIny+hDYSTSSJtIdjfrtb/jVyz4bfhdHTrwY9w==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + 
"tests" : [ + { + "tcId" : 343, + "comment" : "comparison with point at infinity ", + "msg" : "313233343030", + "sig" : "30440220555555550000000055555555555555553ef7a8e48d07df81a693439654210c7002203333333300000000333333333333333325c7cbbc549e52e763f1f55a327a3aa9", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "044fea55b32cb32aca0c12c4cd0abfb4e64b0f5a516e578c016591a93f5a0fbcc5d7d3fd10b2be668c547b212f6bb14c88f0fecd38a8a4b2c785ed3be62ce4b280", + "wx" : "4fea55b32cb32aca0c12c4cd0abfb4e64b0f5a516e578c016591a93f5a0fbcc5", + "wy" : "00d7d3fd10b2be668c547b212f6bb14c88f0fecd38a8a4b2c785ed3be62ce4b280" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200044fea55b32cb32aca0c12c4cd0abfb4e64b0f5a516e578c016591a93f5a0fbcc5d7d3fd10b2be668c547b212f6bb14c88f0fecd38a8a4b2c785ed3be62ce4b280", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET+pVsyyzKsoMEsTNCr+05ksPWlFu\nV4wBZZGpP1oPvMXX0/0Qsr5mjFR7IS9rsUyI8P7NOKiksseF7TvmLOSygA==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 344, + "comment" : "extreme value for k and edgecase s", + "msg" : "313233343030", + "sig" : "304402207cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc476699780220555555550000000055555555555555553ef7a8e48d07df81a693439654210c70", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04c6a771527024227792170a6f8eee735bf32b7f98af669ead299802e32d7c3107bc3b4b5e65ab887bbd343572b3e5619261fe3a073e2ffd78412f726867db589e", + "wx" : "00c6a771527024227792170a6f8eee735bf32b7f98af669ead299802e32d7c3107", + "wy" : "00bc3b4b5e65ab887bbd343572b3e5619261fe3a073e2ffd78412f726867db589e" + }, + "keyDer" : 
"3059301306072a8648ce3d020106082a8648ce3d03010703420004c6a771527024227792170a6f8eee735bf32b7f98af669ead299802e32d7c3107bc3b4b5e65ab887bbd343572b3e5619261fe3a073e2ffd78412f726867db589e", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExqdxUnAkIneSFwpvju5zW/Mrf5iv\nZp6tKZgC4y18MQe8O0teZauIe700NXKz5WGSYf46Bz4v/XhBL3JoZ9tYng==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 345, + "comment" : "extreme value for k and s^-1", + "msg" : "313233343030", + "sig" : "304502207cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc47669978022100b6db6db6249249254924924924924924625bd7a09bec4ca81bcdd9f8fd6b63cc", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04851c2bbad08e54ec7a9af99f49f03644d6ec6d59b207fec98de85a7d15b956efcee9960283045075684b410be8d0f7494b91aa2379f60727319f10ddeb0fe9d6", + "wx" : "00851c2bbad08e54ec7a9af99f49f03644d6ec6d59b207fec98de85a7d15b956ef", + "wy" : "00cee9960283045075684b410be8d0f7494b91aa2379f60727319f10ddeb0fe9d6" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004851c2bbad08e54ec7a9af99f49f03644d6ec6d59b207fec98de85a7d15b956efcee9960283045075684b410be8d0f7494b91aa2379f60727319f10ddeb0fe9d6", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhRwrutCOVOx6mvmfSfA2RNbsbVmy\nB/7JjehafRW5Vu/O6ZYCgwRQdWhLQQvo0PdJS5GqI3n2BycxnxDd6w/p1g==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 346, + "comment" : "extreme value for k and s^-1", + "msg" : "313233343030", + "sig" : "304502207cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc47669978022100cccccccc00000000cccccccccccccccc971f2ef152794b9d8fc7d568c9e8eaa7", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + 
"uncompressed" : "04f6417c8a670584e388676949e53da7fc55911ff68318d1bf3061205acb19c48f8f2b743df34ad0f72674acb7505929784779cd9ac916c3669ead43026ab6d43f", + "wx" : "00f6417c8a670584e388676949e53da7fc55911ff68318d1bf3061205acb19c48f", + "wy" : "008f2b743df34ad0f72674acb7505929784779cd9ac916c3669ead43026ab6d43f" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004f6417c8a670584e388676949e53da7fc55911ff68318d1bf3061205acb19c48f8f2b743df34ad0f72674acb7505929784779cd9ac916c3669ead43026ab6d43f", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9kF8imcFhOOIZ2lJ5T2n/FWRH/aD\nGNG/MGEgWssZxI+PK3Q980rQ9yZ0rLdQWSl4R3nNmskWw2aerUMCarbUPw==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 347, + "comment" : "extreme value for k and s^-1", + "msg" : "313233343030", + "sig" : "304402207cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc4766997802203333333300000000333333333333333325c7cbbc549e52e763f1f55a327a3aaa", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04501421277be45a5eefec6c639930d636032565af420cf3373f557faa7f8a06438673d6cb6076e1cfcdc7dfe7384c8e5cac08d74501f2ae6e89cad195d0aa1371", + "wx" : "501421277be45a5eefec6c639930d636032565af420cf3373f557faa7f8a0643", + "wy" : "008673d6cb6076e1cfcdc7dfe7384c8e5cac08d74501f2ae6e89cad195d0aa1371" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004501421277be45a5eefec6c639930d636032565af420cf3373f557faa7f8a06438673d6cb6076e1cfcdc7dfe7384c8e5cac08d74501f2ae6e89cad195d0aa1371", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUBQhJ3vkWl7v7GxjmTDWNgMlZa9C\nDPM3P1V/qn+KBkOGc9bLYHbhz83H3+c4TI5crAjXRQHyrm6JytGV0KoTcQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 348, + "comment" : "extreme value for k and s^-1", + "msg" : 
"313233343030", + "sig" : "304402207cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc47669978022049249248db6db6dbb6db6db6db6db6db5a8b230d0b2b51dcd7ebf0c9fef7c185", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "040d935bf9ffc115a527735f729ca8a4ca23ee01a4894adf0e3415ac84e808bb343195a3762fea29ed38912bd9ea6c4fde70c3050893a4375850ce61d82eba33c5", + "wx" : "0d935bf9ffc115a527735f729ca8a4ca23ee01a4894adf0e3415ac84e808bb34", + "wy" : "3195a3762fea29ed38912bd9ea6c4fde70c3050893a4375850ce61d82eba33c5" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200040d935bf9ffc115a527735f729ca8a4ca23ee01a4894adf0e3415ac84e808bb343195a3762fea29ed38912bd9ea6c4fde70c3050893a4375850ce61d82eba33c5", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDZNb+f/BFaUnc19ynKikyiPuAaSJ\nSt8ONBWshOgIuzQxlaN2L+op7TiRK9nqbE/ecMMFCJOkN1hQzmHYLrozxQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 349, + "comment" : "extreme value for k", + "msg" : "313233343030", + "sig" : "304402207cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc47669978022016a4502e2781e11ac82cbc9d1edd8c981584d13e18411e2f6e0478c34416e3bb", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "045e59f50708646be8a589355014308e60b668fb670196206c41e748e64e4dca215de37fee5c97bcaf7144d5b459982f52eeeafbdf03aacbafef38e213624a01de", + "wx" : "5e59f50708646be8a589355014308e60b668fb670196206c41e748e64e4dca21", + "wy" : "5de37fee5c97bcaf7144d5b459982f52eeeafbdf03aacbafef38e213624a01de" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200045e59f50708646be8a589355014308e60b668fb670196206c41e748e64e4dca215de37fee5c97bcaf7144d5b459982f52eeeafbdf03aacbafef38e213624a01de", + "keyPem" : "-----BEGIN PUBLIC 
KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXln1Bwhka+iliTVQFDCOYLZo+2cB\nliBsQedI5k5NyiFd43/uXJe8r3FE1bRZmC9S7ur73wOqy6/vOOITYkoB3g==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 350, + "comment" : "extreme value for k and edgecase s", + "msg" : "313233343030", + "sig" : "304402206b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2960220555555550000000055555555555555553ef7a8e48d07df81a693439654210c70", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04169fb797325843faff2f7a5b5445da9e2fd6226f7ef90ef0bfe924104b02db8e7bbb8de662c7b9b1cf9b22f7a2e582bd46d581d68878efb2b861b131d8a1d667", + "wx" : "169fb797325843faff2f7a5b5445da9e2fd6226f7ef90ef0bfe924104b02db8e", + "wy" : "7bbb8de662c7b9b1cf9b22f7a2e582bd46d581d68878efb2b861b131d8a1d667" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004169fb797325843faff2f7a5b5445da9e2fd6226f7ef90ef0bfe924104b02db8e7bbb8de662c7b9b1cf9b22f7a2e582bd46d581d68878efb2b861b131d8a1d667", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFp+3lzJYQ/r/L3pbVEXani/WIm9+\n+Q7wv+kkEEsC2457u43mYse5sc+bIvei5YK9RtWB1oh477K4YbEx2KHWZw==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 351, + "comment" : "extreme value for k and s^-1", + "msg" : "313233343030", + "sig" : "304502206b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296022100b6db6db6249249254924924924924924625bd7a09bec4ca81bcdd9f8fd6b63cc", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04271cd89c000143096b62d4e9e4ca885aef2f7023d18affdaf8b7b548981487540a1c6e954e32108435b55fa385b0f76481a609b9149ccb4b02b2ca47fe8e4da5", + "wx" : "271cd89c000143096b62d4e9e4ca885aef2f7023d18affdaf8b7b54898148754", + 
"wy" : "0a1c6e954e32108435b55fa385b0f76481a609b9149ccb4b02b2ca47fe8e4da5" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004271cd89c000143096b62d4e9e4ca885aef2f7023d18affdaf8b7b548981487540a1c6e954e32108435b55fa385b0f76481a609b9149ccb4b02b2ca47fe8e4da5", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJxzYnAABQwlrYtTp5MqIWu8vcCPR\niv/a+Le1SJgUh1QKHG6VTjIQhDW1X6OFsPdkgaYJuRScy0sCsspH/o5NpQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 352, + "comment" : "extreme value for k and s^-1", + "msg" : "313233343030", + "sig" : "304502206b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296022100cccccccc00000000cccccccccccccccc971f2ef152794b9d8fc7d568c9e8eaa7", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "043d0bc7ed8f09d2cb7ddb46ebc1ed799ab1563a9ab84bf524587a220afe499c12e22dc3b3c103824a4f378d96adb0a408abf19ce7d68aa6244f78cb216fa3f8df", + "wx" : "3d0bc7ed8f09d2cb7ddb46ebc1ed799ab1563a9ab84bf524587a220afe499c12", + "wy" : "00e22dc3b3c103824a4f378d96adb0a408abf19ce7d68aa6244f78cb216fa3f8df" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200043d0bc7ed8f09d2cb7ddb46ebc1ed799ab1563a9ab84bf524587a220afe499c12e22dc3b3c103824a4f378d96adb0a408abf19ce7d68aa6244f78cb216fa3f8df", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPQvH7Y8J0st920brwe15mrFWOpq4\nS/UkWHoiCv5JnBLiLcOzwQOCSk83jZatsKQIq/Gc59aKpiRPeMshb6P43w==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 353, + "comment" : "extreme value for k and s^-1", + "msg" : "313233343030", + "sig" : "304402206b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c29602203333333300000000333333333333333325c7cbbc549e52e763f1f55a327a3aaa", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : 
{ + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04a6c885ade1a4c566f9bb010d066974abb281797fa701288c721bcbd23663a9b72e424b690957168d193a6096fc77a2b004a9c7d467e007e1f2058458f98af316", + "wx" : "00a6c885ade1a4c566f9bb010d066974abb281797fa701288c721bcbd23663a9b7", + "wy" : "2e424b690957168d193a6096fc77a2b004a9c7d467e007e1f2058458f98af316" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004a6c885ade1a4c566f9bb010d066974abb281797fa701288c721bcbd23663a9b72e424b690957168d193a6096fc77a2b004a9c7d467e007e1f2058458f98af316", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEpsiFreGkxWb5uwENBml0q7KBeX+n\nASiMchvL0jZjqbcuQktpCVcWjRk6YJb8d6KwBKnH1GfgB+HyBYRY+YrzFg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 354, + "comment" : "extreme value for k and s^-1", + "msg" : "313233343030", + "sig" : "304402206b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296022049249248db6db6dbb6db6db6db6db6db5a8b230d0b2b51dcd7ebf0c9fef7c185", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "048d3c2c2c3b765ba8289e6ac3812572a25bf75df62d87ab7330c3bdbad9ebfa5c4c6845442d66935b238578d43aec54f7caa1621d1af241d4632e0b780c423f5d", + "wx" : "008d3c2c2c3b765ba8289e6ac3812572a25bf75df62d87ab7330c3bdbad9ebfa5c", + "wy" : "4c6845442d66935b238578d43aec54f7caa1621d1af241d4632e0b780c423f5d" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200048d3c2c2c3b765ba8289e6ac3812572a25bf75df62d87ab7330c3bdbad9ebfa5c4c6845442d66935b238578d43aec54f7caa1621d1af241d4632e0b780c423f5d", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjTwsLDt2W6gonmrDgSVyolv3XfYt\nh6tzMMO9utnr+lxMaEVELWaTWyOFeNQ67FT3yqFiHRryQdRjLgt4DEI/XQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + 
"tcId" : 355, + "comment" : "extreme value for k", + "msg" : "313233343030", + "sig" : "304402206b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296022016a4502e2781e11ac82cbc9d1edd8c981584d13e18411e2f6e0478c34416e3bb", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", + "wx" : "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", + "wy" : "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaxfR8uEsQkf4vOblY6RA8ncDfYEt\n6zOg9KE5RdiYwpZP40Li/hp/m47n60p8D54WK84zV2sxXs7LtkBoN79R9Q==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 356, + "comment" : "testing point duplication", + "msg" : "313233343030", + "sig" : "3045022100bb5a52f42f9c9261ed4361f59422a1e30036e7c32b270c8807a419feca6050230220249249246db6db6ddb6db6db6db6db6dad4591868595a8ee6bf5f864ff7be0c2", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 357, + "comment" : "testing point duplication", + "msg" : "313233343030", + "sig" : "3044022044a5ad0ad0636d9f12bc9e0a6bdd5e1cbcb012ea7bf091fcec15b0c43202d52e0220249249246db6db6ddb6db6db6db6db6dad4591868595a8ee6bf5f864ff7be0c2", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296b01cbd1c01e58065711814b583f061e9d431cca994cea1313449bf97c840ae0a", + "wx" : 
"6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", + "wy" : "00b01cbd1c01e58065711814b583f061e9d431cca994cea1313449bf97c840ae0a" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296b01cbd1c01e58065711814b583f061e9d431cca994cea1313449bf97c840ae0a", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaxfR8uEsQkf4vOblY6RA8ncDfYEt\n6zOg9KE5RdiYwpawHL0cAeWAZXEYFLWD8GHp1DHMqZTOoTE0Sb+XyECuCg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 358, + "comment" : "testing point duplication", + "msg" : "313233343030", + "sig" : "3045022100bb5a52f42f9c9261ed4361f59422a1e30036e7c32b270c8807a419feca6050230220249249246db6db6ddb6db6db6db6db6dad4591868595a8ee6bf5f864ff7be0c2", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 359, + "comment" : "testing point duplication", + "msg" : "313233343030", + "sig" : "3044022044a5ad0ad0636d9f12bc9e0a6bdd5e1cbcb012ea7bf091fcec15b0c43202d52e0220249249246db6db6ddb6db6db6db6db6dad4591868595a8ee6bf5f864ff7be0c2", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "0404aaec73635726f213fb8a9e64da3b8632e41495a944d0045b522eba7240fad587d9315798aaa3a5ba01775787ced05eaaf7b4e09fc81d6d1aa546e8365d525d", + "wx" : "04aaec73635726f213fb8a9e64da3b8632e41495a944d0045b522eba7240fad5", + "wy" : "0087d9315798aaa3a5ba01775787ced05eaaf7b4e09fc81d6d1aa546e8365d525d" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d0301070342000404aaec73635726f213fb8a9e64da3b8632e41495a944d0045b522eba7240fad587d9315798aaa3a5ba01775787ced05eaaf7b4e09fc81d6d1aa546e8365d525d", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBKrsc2NXJvIT+4qeZNo7hjLkFJWp\nRNAEW1IuunJA+tWH2TFXmKqjpboBd1eHztBeqve04J/IHW0apUboNl1SXQ==\n-----END PUBLIC KEY-----", + "sha" : 
"SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 360, + "comment" : "pseudorandom signature", + "msg" : "", + "sig" : "3045022100b292a619339f6e567a305c951c0dcbcc42d16e47f219f9e98e76e09d8770b34a02200177e60492c5a8242f76f07bfe3661bde59ec2a17ce5bd2dab2abebdf89a62e2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 361, + "comment" : "pseudorandom signature", + "msg" : "4d7367", + "sig" : "30450220530bd6b0c9af2d69ba897f6b5fb59695cfbf33afe66dbadcf5b8d2a2a6538e23022100d85e489cb7a161fd55ededcedbf4cc0c0987e3e3f0f242cae934c72caa3f43e9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 362, + "comment" : "pseudorandom signature", + "msg" : "313233343030", + "sig" : "3046022100a8ea150cb80125d7381c4c1f1da8e9de2711f9917060406a73d7904519e51388022100f3ab9fa68bd47973a73b2d40480c2ba50c22c9d76ec217257288293285449b86", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 363, + "comment" : "pseudorandom signature", + "msg" : "0000000000000000000000000000000000000000", + "sig" : "3045022100986e65933ef2ed4ee5aada139f52b70539aaf63f00a91f29c69178490d57fb7102203dafedfb8da6189d372308cbf1489bbbdabf0c0217d1c0ff0f701aaa7a694b9c", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "044f337ccfd67726a805e4f1600ae2849df3807eca117380239fbd816900000000ed9dea124cc8c396416411e988c30f427eb504af43a3146cd5df7ea60666d685", + "wx" : "4f337ccfd67726a805e4f1600ae2849df3807eca117380239fbd816900000000", + "wy" : "00ed9dea124cc8c396416411e988c30f427eb504af43a3146cd5df7ea60666d685" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200044f337ccfd67726a805e4f1600ae2849df3807eca117380239fbd816900000000ed9dea124cc8c396416411e988c30f427eb504af43a3146cd5df7ea60666d685", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETzN8z9Z3JqgF5PFgCuKEnfOAfsoR\nc4Ajn72BaQAAAADtneoSTMjDlkFkEemIww9CfrUEr0OjFGzV336mBmbWhQ==\n-----END PUBLIC 
KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 364, + "comment" : "x-coordinate of the public key has many trailing 0's", + "msg" : "4d657373616765", + "sig" : "3046022100d434e262a49eab7781e353a3565e482550dd0fd5defa013c7f29745eff3569f10221009b0c0a93f267fb6052fd8077be769c2b98953195d7bc10de844218305c6ba17a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 365, + "comment" : "x-coordinate of the public key has many trailing 0's", + "msg" : "4d657373616765", + "sig" : "304402200fe774355c04d060f76d79fd7a772e421463489221bf0a33add0be9b1979110b0220500dcba1c69a8fbd43fa4f57f743ce124ca8b91a1f325f3fac6181175df55737", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 366, + "comment" : "x-coordinate of the public key has many trailing 0's", + "msg" : "4d657373616765", + "sig" : "3045022100bb40bf217bed3fb3950c7d39f03d36dc8e3b2cd79693f125bfd06595ee1135e30220541bf3532351ebb032710bdb6a1bf1bfc89a1e291ac692b3fa4780745bb55677", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "043cf03d614d8939cfd499a07873fac281618f06b8ff87e8015c3f49726500493584fa174d791c72bf2ce3880a8960dd2a7c7a1338a82f85a9e59cdbde80000000", + "wx" : "3cf03d614d8939cfd499a07873fac281618f06b8ff87e8015c3f497265004935", + "wy" : "0084fa174d791c72bf2ce3880a8960dd2a7c7a1338a82f85a9e59cdbde80000000" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200043cf03d614d8939cfd499a07873fac281618f06b8ff87e8015c3f49726500493584fa174d791c72bf2ce3880a8960dd2a7c7a1338a82f85a9e59cdbde80000000", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPPA9YU2JOc/UmaB4c/rCgWGPBrj/\nh+gBXD9JcmUASTWE+hdNeRxyvyzjiAqJYN0qfHoTOKgvhanlnNvegAAAAA==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 367, + "comment" : "y-coordinate of the public key has many trailing 0's", + "msg" : 
"4d657373616765", + "sig" : "30440220664eb7ee6db84a34df3c86ea31389a5405badd5ca99231ff556d3e75a233e73a022059f3c752e52eca46137642490a51560ce0badc678754b8f72e51a2901426a1bd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 368, + "comment" : "y-coordinate of the public key has many trailing 0's", + "msg" : "4d657373616765", + "sig" : "304502204cd0429bbabd2827009d6fcd843d4ce39c3e42e2d1631fd001985a79d1fd8b430221009638bf12dd682f60be7ef1d0e0d98f08b7bca77a1a2b869ae466189d2acdabe3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 369, + "comment" : "y-coordinate of the public key has many trailing 0's", + "msg" : "4d657373616765", + "sig" : "3046022100e56c6ea2d1b017091c44d8b6cb62b9f460e3ce9aed5e5fd41e8added97c56c04022100a308ec31f281e955be20b457e463440b4fcf2b80258078207fc1378180f89b55", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "043cf03d614d8939cfd499a07873fac281618f06b8ff87e8015c3f4972650049357b05e8b186e38d41d31c77f5769f22d58385ecc857d07a561a6324217fffffff", + "wx" : "3cf03d614d8939cfd499a07873fac281618f06b8ff87e8015c3f497265004935", + "wy" : "7b05e8b186e38d41d31c77f5769f22d58385ecc857d07a561a6324217fffffff" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200043cf03d614d8939cfd499a07873fac281618f06b8ff87e8015c3f4972650049357b05e8b186e38d41d31c77f5769f22d58385ecc857d07a561a6324217fffffff", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPPA9YU2JOc/UmaB4c/rCgWGPBrj/\nh+gBXD9JcmUASTV7BeixhuONQdMcd/V2nyLVg4XsyFfQelYaYyQhf////w==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 370, + "comment" : "y-coordinate of the public key has many trailing 1's", + "msg" : "4d657373616765", + "sig" : "304402201158a08d291500b4cabed3346d891eee57c176356a2624fb011f8fbbf34668300220228a8c486a736006e082325b85290c5bc91f378b75d487dda46798c18f285519", + "result" : 
"valid", + "flags" : [] + }, + { + "tcId" : 371, + "comment" : "y-coordinate of the public key has many trailing 1's", + "msg" : "4d657373616765", + "sig" : "3045022100b1db9289649f59410ea36b0c0fc8d6aa2687b29176939dd23e0dde56d309fa9d02203e1535e4280559015b0dbd987366dcf43a6d1af5c23c7d584e1c3f48a1251336", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 372, + "comment" : "y-coordinate of the public key has many trailing 1's", + "msg" : "4d657373616765", + "sig" : "3046022100b7b16e762286cb96446aa8d4e6e7578b0a341a79f2dd1a220ac6f0ca4e24ed86022100ddc60a700a139b04661c547d07bbb0721780146df799ccf55e55234ecb8f12bc", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "042829c31faa2e400e344ed94bca3fcd0545956ebcfe8ad0f6dfa5ff8effffffffa01aafaf000e52585855afa7676ade284113099052df57e7eb3bd37ebeb9222e", + "wx" : "2829c31faa2e400e344ed94bca3fcd0545956ebcfe8ad0f6dfa5ff8effffffff", + "wy" : "00a01aafaf000e52585855afa7676ade284113099052df57e7eb3bd37ebeb9222e" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200042829c31faa2e400e344ed94bca3fcd0545956ebcfe8ad0f6dfa5ff8effffffffa01aafaf000e52585855afa7676ade284113099052df57e7eb3bd37ebeb9222e", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKCnDH6ouQA40TtlLyj/NBUWVbrz+\nitD236X/jv////+gGq+vAA5SWFhVr6dnat4oQRMJkFLfV+frO9N+vrkiLg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 373, + "comment" : "x-coordinate of the public key has many trailing 1's", + "msg" : "4d657373616765", + "sig" : "3045022100d82a7c2717261187c8e00d8df963ff35d796edad36bc6e6bd1c91c670d9105b402203dcabddaf8fcaa61f4603e7cbac0f3c0351ecd5988efb23f680d07debd139929", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 374, + "comment" : "x-coordinate of the public key has many trailing 1's", + "msg" : "4d657373616765", + "sig" : 
"304402205eb9c8845de68eb13d5befe719f462d77787802baff30ce96a5cba063254af7802202c026ae9be2e2a5e7ca0ff9bbd92fb6e44972186228ee9a62b87ddbe2ef66fb5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 375, + "comment" : "x-coordinate of the public key has many trailing 1's", + "msg" : "4d657373616765", + "sig" : "304602210096843dd03c22abd2f3b782b170239f90f277921becc117d0404a8e4e36230c28022100f2be378f526f74a543f67165976de9ed9a31214eb4d7e6db19e1ede123dd991d", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04fffffff948081e6a0458dd8f9e738f2665ff9059ad6aac0708318c4ca9a7a4f55a8abcba2dda8474311ee54149b973cae0c0fb89557ad0bf78e6529a1663bd73", + "wx" : "00fffffff948081e6a0458dd8f9e738f2665ff9059ad6aac0708318c4ca9a7a4f5", + "wy" : "5a8abcba2dda8474311ee54149b973cae0c0fb89557ad0bf78e6529a1663bd73" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004fffffff948081e6a0458dd8f9e738f2665ff9059ad6aac0708318c4ca9a7a4f55a8abcba2dda8474311ee54149b973cae0c0fb89557ad0bf78e6529a1663bd73", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE////+UgIHmoEWN2PnnOPJmX/kFmt\naqwHCDGMTKmnpPVairy6LdqEdDEe5UFJuXPK4MD7iVV60L945lKaFmO9cw==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 376, + "comment" : "x-coordinate of the public key is large", + "msg" : "4d657373616765", + "sig" : "30440220766456dce1857c906f9996af729339464d27e9d98edc2d0e3b760297067421f60220402385ecadae0d8081dccaf5d19037ec4e55376eced699e93646bfbbf19d0b41", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 377, + "comment" : "x-coordinate of the public key is large", + "msg" : "4d657373616765", + "sig" : "3046022100c605c4b2edeab20419e6518a11b2dbc2b97ed8b07cced0b19c34f777de7b9fd9022100edf0f612c5f46e03c719647bc8af1b29b2cde2eda700fb1cff5e159d47326dba", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 378, + 
"comment" : "x-coordinate of the public key is large", + "msg" : "4d657373616765", + "sig" : "3046022100d48b68e6cabfe03cf6141c9ac54141f210e64485d9929ad7b732bfe3b7eb8a84022100feedae50c61bd00e19dc26f9b7e2265e4508c389109ad2f208f0772315b6c941", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "0400000003fa15f963949d5f03a6f5c7f86f9e0015eeb23aebbff1173937ba748e1099872070e8e87c555fa13659cca5d7fadcfcb0023ea889548ca48af2ba7e71", + "wx" : "03fa15f963949d5f03a6f5c7f86f9e0015eeb23aebbff1173937ba748e", + "wy" : "1099872070e8e87c555fa13659cca5d7fadcfcb0023ea889548ca48af2ba7e71" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d0301070342000400000003fa15f963949d5f03a6f5c7f86f9e0015eeb23aebbff1173937ba748e1099872070e8e87c555fa13659cca5d7fadcfcb0023ea889548ca48af2ba7e71", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAAAAA/oV+WOUnV8DpvXH+G+eABXu\nsjrrv/EXOTe6dI4QmYcgcOjofFVfoTZZzKXX+tz8sAI+qIlUjKSK8rp+cQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 379, + "comment" : "x-coordinate of the public key is small", + "msg" : "4d657373616765", + "sig" : "3046022100b7c81457d4aeb6aa65957098569f0479710ad7f6595d5874c35a93d12a5dd4c7022100b7961a0b652878c2d568069a432ca18a1a9199f2ca574dad4b9e3a05c0a1cdb3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 380, + "comment" : "x-coordinate of the public key is small", + "msg" : "4d657373616765", + "sig" : "304402206b01332ddb6edfa9a30a1321d5858e1ee3cf97e263e669f8de5e9652e76ff3f702205939545fced457309a6a04ace2bd0f70139c8f7d86b02cb1cc58f9e69e96cd5a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 381, + "comment" : "x-coordinate of the public key is small", + "msg" : "4d657373616765", + "sig" : 
"3046022100efdb884720eaeadc349f9fc356b6c0344101cd2fd8436b7d0e6a4fb93f106361022100f24bee6ad5dc05f7613975473aadf3aacba9e77de7d69b6ce48cb60d8113385d", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04bcbb2914c79f045eaa6ecbbc612816b3be5d2d6796707d8125e9f851c18af015000000001352bb4a0fa2ea4cceb9ab63dd684ade5a1127bcf300a698a7193bc2", + "wx" : "00bcbb2914c79f045eaa6ecbbc612816b3be5d2d6796707d8125e9f851c18af015", + "wy" : "1352bb4a0fa2ea4cceb9ab63dd684ade5a1127bcf300a698a7193bc2" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004bcbb2914c79f045eaa6ecbbc612816b3be5d2d6796707d8125e9f851c18af015000000001352bb4a0fa2ea4cceb9ab63dd684ade5a1127bcf300a698a7193bc2", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvLspFMefBF6qbsu8YSgWs75dLWeW\ncH2BJen4UcGK8BUAAAAAE1K7Sg+i6kzOuatj3WhK3loRJ7zzAKaYpxk7wg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 382, + "comment" : "y-coordinate of the public key is small", + "msg" : "4d657373616765", + "sig" : "3044022031230428405560dcb88fb5a646836aea9b23a23dd973dcbe8014c87b8b20eb0702200f9344d6e812ce166646747694a41b0aaf97374e19f3c5fb8bd7ae3d9bd0beff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 383, + "comment" : "y-coordinate of the public key is small", + "msg" : "4d657373616765", + "sig" : "3046022100caa797da65b320ab0d5c470cda0b36b294359c7db9841d679174db34c4855743022100cf543a62f23e212745391aaf7505f345123d2685ee3b941d3de6d9b36242e5a0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 384, + "comment" : "y-coordinate of the public key is small", + "msg" : "4d657373616765", + "sig" : "304502207e5f0ab5d900d3d3d7867657e5d6d36519bc54084536e7d21c336ed8001859450221009450c07f201faec94b82dfb322e5ac676688294aad35aa72e727ff0b19b646aa", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : 
"secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04bcbb2914c79f045eaa6ecbbc612816b3be5d2d6796707d8125e9f851c18af015fffffffeecad44b6f05d15b33146549c2297b522a5eed8430cff596758e6c43d", + "wx" : "00bcbb2914c79f045eaa6ecbbc612816b3be5d2d6796707d8125e9f851c18af015", + "wy" : "00fffffffeecad44b6f05d15b33146549c2297b522a5eed8430cff596758e6c43d" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004bcbb2914c79f045eaa6ecbbc612816b3be5d2d6796707d8125e9f851c18af015fffffffeecad44b6f05d15b33146549c2297b522a5eed8430cff596758e6c43d", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvLspFMefBF6qbsu8YSgWs75dLWeW\ncH2BJen4UcGK8BX////+7K1EtvBdFbMxRlScIpe1IqXu2EMM/1lnWObEPQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 385, + "comment" : "y-coordinate of the public key is large", + "msg" : "4d657373616765", + "sig" : "3046022100d7d70c581ae9e3f66dc6a480bf037ae23f8a1e4a2136fe4b03aa69f0ca25b35602210089c460f8a5a5c2bbba962c8a3ee833a413e85658e62a59e2af41d9127cc47224", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 386, + "comment" : "y-coordinate of the public key is large", + "msg" : "4d657373616765", + "sig" : "30440220341c1b9ff3c83dd5e0dfa0bf68bcdf4bb7aa20c625975e5eeee34bb396266b34022072b69f061b750fd5121b22b11366fad549c634e77765a017902a67099e0a4469", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 387, + "comment" : "y-coordinate of the public key is large", + "msg" : "4d657373616765", + "sig" : "3045022070bebe684cdcb5ca72a42f0d873879359bd1781a591809947628d313a3814f67022100aec03aca8f5587a4d535fa31027bbe9cc0e464b1c3577f4c2dcde6b2094798a9", + "result" : "valid", + "flags" : [] + } + ] + } + ] +} diff --git a/rust/tests/wycheproof/eddsa_test.json b/rust/tests/wycheproof/eddsa_test.json new file mode 100644 index 00000000..e2a1ae4f --- /dev/null +++ b/rust/tests/wycheproof/eddsa_test.json 
@@ -0,0 +1,2262 @@ +{ + "algorithm" : "EDDSA", + "generatorVersion" : "0.8rc16", + "numberOfTests" : 145, + "header" : [ + "Test vectors of type EddsaVerify are intended for testing", + "the verification of Eddsa signatures." + ], + "notes" : { + "SignatureMalleability" : "EdDSA signatures are non-malleable, if implemented accordingly. Failing to check the range of S allows to modify signatures. See RFC 8032, Section 5.2.7 and Section 8.4." + }, + "schema" : "eddsa_verify_schema.json", + "testGroups" : [ + { + "jwk" : { + "crv" : "Ed25519", + "d" : "rdS7gQN4W6-axTQljoqvZfXxrbXvXz3xm7gKuYnE1ks", + "kid" : "none", + "kty" : "OKP", + "x" : "fU0Of2FTpptiQrUiq77mhf2kQg-INLEIw72uNp71Sfo" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "7d4d0e7f6153a69b6242b522abbee685fda4420f8834b108c3bdae369ef549fa", + "sk" : "add4bb8103785baf9ac534258e8aaf65f5f1adb5ef5f3df19bb80ab989c4d64b", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321007d4d0e7f6153a69b6242b522abbee685fda4420f8834b108c3bdae369ef549fa", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAfU0Of2FTpptiQrUiq77mhf2kQg+INLEIw72uNp71Sfo=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 1, + "comment" : "", + "msg" : "", + "sig" : "d4fbdb52bfa726b44d1786a8c0d171c3e62ca83c9e5bbe63de0bb2483f8fd6cc1429ab72cafc41ab56af02ff8fcc43b99bfe4c7ae940f60f38ebaa9d311c4007", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 2, + "comment" : "", + "msg" : "78", + "sig" : "d80737358ede548acb173ef7e0399f83392fe8125b2ce877de7975d8b726ef5b1e76632280ee38afad12125ea44b961bf92f1178c9fa819d020869975bcbe109", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 3, + "comment" : "", + "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b30d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 4, + "comment" : "", + "msg" : "48656c6c6f", + "sig" : 
"1c1ad976cbaae3b31dee07971cf92c928ce2091a85f5899f5e11ecec90fc9f8e93df18c5037ec9b29c07195ad284e63d548cd0a6fe358cc775bd6c1608d2c905", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 5, + "comment" : "", + "msg" : "313233343030", + "sig" : "657c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2bf0cf5b3a289976458a1be6277a5055545253b45b07dcc1abd96c8b989c00f301", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 6, + "comment" : "", + "msg" : "000000000000000000000000", + "sig" : "d46543bfb892f84ec124dcdfc847034c19363bf3fc2fa89b1267833a14856e52e60736918783f950b6f1dd8d40dc343247cd43ce054c2d68ef974f7ed0f3c60f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 7, + "comment" : "", + "msg" : "6161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161", + "sig" : "879350045543bc14ed2c08939b68c30d22251d83e018cacbaf0c9d7a48db577e80bdf76ce99e5926762bc13b7b3483260a5ef63d07e34b58eb9c14621ac92f00", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 8, + "comment" : "", + "msg" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f60", + "sig" : "7bdc3f9919a05f1d5db4a3ada896094f6871c1f37afc75db82ec3147d84d6f237b7e5ecc26b59cfea0c7eaf1052dc427b0f724615be9c3d3e01356c65b9b5109", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 9, + "comment" : "", + "msg" : "ffffffffffffffffffffffffffffffff", + "sig" : "5dbd7360e55aa38e855d6ad48c34bd35b7871628508906861a7c4776765ed7d1e13d910faabd689ec8618b78295c8ab8f0e19c8b4b43eb8685778499e943ae04", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 10, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 11, + "comment" : "special values for r and s", 
+ "msg" : "3f", + "sig" : "00000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 12, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "0000000000000000000000000000000000000000000000000000000000000000ecd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 13, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "0000000000000000000000000000000000000000000000000000000000000000edd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 14, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "0000000000000000000000000000000000000000000000000000000000000000edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 15, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 16, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "01000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 17, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "0100000000000000000000000000000000000000000000000000000000000000ecd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 18, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : 
"0100000000000000000000000000000000000000000000000000000000000000edd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 19, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "0100000000000000000000000000000000000000000000000000000000000000edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 20, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "edd3f55c1a631258d69cf7a2def9de14000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 21, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "edd3f55c1a631258d69cf7a2def9de14000000000000000000000000000000100100000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 22, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "edd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010ecd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 23, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "edd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010edd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 24, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "edd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 25, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f0000000000000000000000000000000000000000000000000000000000000000", + "result" : 
"invalid", + "flags" : [] + }, + { + "tcId" : 26, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f0100000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 27, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7fecd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 28, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7fedd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 29, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7fedffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 30, + "comment" : "empty signature", + "msg" : "54657374", + "sig" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 31, + "comment" : "s missing", + "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab0", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 32, + "comment" : "signature too short", + "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 33, + "comment" : "signature too long", + "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b30d2020", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 34, + "comment" : "include pk in signature", 
+ "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b30d7d4d0e7f6153a69b6242b522abbee685fda4420f8834b108c3bdae369ef549fa", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 35, + "comment" : "prepending 0 byte to signature", + "msg" : "54657374", + "sig" : "007c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b30d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 36, + "comment" : "prepending 0 byte to s", + "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab0007a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b30d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 37, + "comment" : "appending 0 byte to signature", + "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b30d00", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 38, + "comment" : "removing 0 byte from signature", + "msg" : "546573743137", + "sig" : "93de3ca252426c95f735cb9edd92e83321ac62372d5aa5b379786bae111ab6b17251330e8f9a7c30d6993137c596007d7b001409287535ac4804e662bc58a3", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 39, + "comment" : "removing 0 byte from signature", + "msg" : "54657374313236", + "sig" : "dffed33a7f420b62bb1731cfd03be805affd18a281ec02b1067ba6e9d20826569e742347df59c88ae96db1f1969fb189b0ec34381d85633e1889da48d95e0e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 40, + "comment" : "removing leading 0 byte from signature", + "msg" : "546573743530", + "sig" : "6e170c719577c25e0e1e8b8aa7a6346f8b109f37385cc2e85dc3b4c0f46a9c6bcafd67f52324c5dbaf40a1b673fb29c4a56052d2d6999d0838a8337bccb502", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 41, + "comment" : "dropping byte from signature", 
+ "msg" : "54657374333437", + "sig" : "b0928b46e99fbbad3f5cb502d2cd309d94a7e86cfd4d84b1fcf4cea18075a9c36993c0582dba1e9e519fae5a8654f454201ae0c3cb397c37b8f4f8eef18400", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 42, + "comment" : "modified bit 0 in R", + "msg" : "313233343030", + "sig" : "647c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2b1d125e5538f38afbcc1c84e489521083041d24bc6240767029da063271a1ff0c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 43, + "comment" : "modified bit 1 in R", + "msg" : "313233343030", + "sig" : "677c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2bc108ca4b87a49c9ed2cf383aecad8f54a962b2899da891e12004d7993a627e01", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 44, + "comment" : "modified bit 2 in R", + "msg" : "313233343030", + "sig" : "617c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2b9ce23fc6213ed5b87912e9bbf92f5e2c780eae26d15c50a112d1e97d2ea33c06", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 45, + "comment" : "modified bit 7 in R", + "msg" : "313233343030", + "sig" : "e57c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2bbb3eb51cd98dddb235a5f46f2bded6af184a58d09cce928bda43f41d69118a03", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 46, + "comment" : "modified bit 8 in R", + "msg" : "313233343030", + "sig" : "657d1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2bcd237dda9a116501f67a5705a854b9adc304f34720803a91b324f2c13e0f5a09", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 47, + "comment" : "modified bit 16 in R", + "msg" : "313233343030", + "sig" : "657c1592402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2b6b167bbdc0d881cc04d28905552c1876f3709851abc5007376940cc8a435c300", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 48, + "comment" : "modified bit 31 in R", + "msg" : "313233343030", + "sig" : 
"657c1412402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2b7fd2ac7da14afffcceeb13f2a0d6b887941cb1a5eb57a52f3cb131a16cce7b0e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 49, + "comment" : "modified bit 32 in R", + "msg" : "313233343030", + "sig" : "657c1492412ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2b7373ba13ebbef99cd2a8ead55ce735c987d85a35320925a8e871702dc7c5c40d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 50, + "comment" : "modified bit 63 in R", + "msg" : "313233343030", + "sig" : "657c1492402ab54e03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2bd35bd331c03f0855504ca1cab87b83c36a028425a3cf007ede4f4254c261cb00", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 51, + "comment" : "modified bit 64 in R", + "msg" : "313233343030", + "sig" : "657c1492402ab5ce02e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2bcb35101f73cf467deac8c1a03b6c3dc35af544132734b7e57ab20c89b2e4750d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 52, + "comment" : "modified bit 97 in R", + "msg" : "313233343030", + "sig" : "657c1492402ab5ce03e2c3a7f2384d051b9cf3570f1207fc78c1bcc98c281c2bb58d2e8878290bff8d3355fdd4ea381924ee578752354eb6dee678ab4011c301", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 53, + "comment" : "modified bit 127 in R", + "msg" : "313233343030", + "sig" : "657c1492402ab5ce03e2c3a7f0384d851b9cf3570f1207fc78c1bcc98c281c2bb978c866187ffb1cc7b29a0b4045aefc08768df65717194ff0c6e63f4dea0d02", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 54, + "comment" : "modified bit 240 in R", + "msg" : "313233343030", + "sig" : "657c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281d2b0576ecf8eaf675f00f3dfbe19f75b83b7607a6c96414f6821af920a2498d0305", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 55, + "comment" : "modified bit 247 in R", + "msg" : "313233343030", + "sig" : 
"657c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c289c2be5241a345c7b5428054c74b7c382fa10d4a5f1e8f8b79a71d3fdea2254f1ff0e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 56, + "comment" : "modified bit 248 in R", + "msg" : "313233343030", + "sig" : "657c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2a63950c85cd6dc96364e768de50ff7732b538f8a0b1615d799190ab600849230e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 57, + "comment" : "modified bit 253 in R", + "msg" : "313233343030", + "sig" : "657c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c0b543bd3da0a56a8c9c152f59c9fec12f31fa66434d48b817b30d90cb4efa8b501", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 58, + "comment" : "modified bit 254 in R", + "msg" : "313233343030", + "sig" : "657c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c6b8da07efd07a6dafb015ed6a32fe136319a972ffbc341f3a0beae97ccf8136505", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 59, + "comment" : "modified bit 255 in R", + "msg" : "313233343030", + "sig" : "657c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281cab227aedf259f910f0f3a759a335062665217925d019173b88917eae294f75d40f", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 60, + "comment" : "R==0", + "msg" : "313233343030", + "sig" : "0000000000000000000000000000000000000000000000000000000000000000e0b8e7770d51c7a36375d006c5bffd6af43ff54aaf47e4330dc118c71d61ec02", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 61, + "comment" : "invalid R", + "msg" : "313233343030", + "sig" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff463a1908382e7eb7693acef9884f7cf931a215e0791876be22c631a59881fd0e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 62, + "comment" : "all bits flipped in R", + "msg" : "313233343030", + "sig" : "9a83eb6dbfd54a31fc1d3c580fc7b2fae4630ca8f0edf803873e433673d7e3d40e94254586cb6188c5386c3febed477cb9a6cb29e3979adc4cb27cf5278fb70a", + 
"result" : "invalid", + "flags" : [] + }, + { + "tcId" : 63, + "comment" : "checking malleability ", + "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab067654bce3832c2d76f8f6f5dafc08d9339d4eef676573336a5c51eb6f946b31d", + "result" : "invalid", + "flags" : [ + "SignatureMalleability" + ] + }, + { + "tcId" : 64, + "comment" : "checking malleability ", + "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab05439412b5395d42f462c67008eba6ca839d4eef676573336a5c51eb6f946b32d", + "result" : "invalid", + "flags" : [ + "SignatureMalleability" + ] + }, + { + "tcId" : 65, + "comment" : "checking malleability ", + "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab02ee12ce5875bf9dff26556464bae2ad239d4eef676573336a5c51eb6f946b34d", + "result" : "invalid", + "flags" : [ + "SignatureMalleability" + ] + }, + { + "tcId" : 66, + "comment" : "checking malleability ", + "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab0e2300459f1e742404cd934d2c595a6253ad4eef676573336a5c51eb6f946b38d", + "result" : "invalid", + "flags" : [ + "SignatureMalleability" + ] + }, + { + "tcId" : 67, + "comment" : "checking malleability ", + "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b32d", + "result" : "invalid", + "flags" : [ + "SignatureMalleability" + ] + }, + { + "tcId" : 68, + "comment" : "checking malleability ", + "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b34d", + "result" : "invalid", + "flags" : [ + "SignatureMalleability" + ] + }, + { + "tcId" : 69, + "comment" : "checking malleability ", + "msg" : "54657374", + "sig" : 
"7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b38d", + "result" : "invalid", + "flags" : [ + "SignatureMalleability" + ] + }, + { + "tcId" : 70, + "comment" : "checking malleability ", + "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab0679155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b38d", + "result" : "invalid", + "flags" : [ + "SignatureMalleability" + ] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "CiOiAHKJEjeqCGS1dlE5UUkIeHh4zXcTWgBZiB0xPwA", + "kid" : "none", + "kty" : "OKP", + "x" : "oSwr63cmXyqslTtQCTSdlBVaA62kFqrUUTGUgOmDykw" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "a12c2beb77265f2aac953b5009349d94155a03ada416aad451319480e983ca4c", + "sk" : "0a23a20072891237aa0864b5765139514908787878cd77135a0059881d313f00", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100a12c2beb77265f2aac953b5009349d94155a03ada416aad451319480e983ca4c", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAoSwr63cmXyqslTtQCTSdlBVaA62kFqrUUTGUgOmDykw=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 71, + "comment" : "", + "msg" : "", + "sig" : "5056325d2ab440bf30bbf0f7173199aa8b4e6fbc091cf3eb6bc6cf87cd73d992ffc216c85e4ab5b8a0bbc7e9a6e9f8d33b7f6e5ac0ffdc22d9fcaf784af84302", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 72, + "comment" : "", + "msg" : "78", + "sig" : "481fafbf4364d7b682475282f517a3ac0538c9a6b6a562e99a3d8e5afb4f90a559b056b9f07af023905753b02d95eb329a35c77f154b79abbcd291615ce42f02", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 73, + "comment" : "", + "msg" : "54657374", + "sig" : "8a9bb4c465a3863abc9fd0dd35d80bb28f7d33d37d74679802d63f82b20da114b8d765a1206b3e9ad7cf2b2d8d778bb8651f1fa992db293c0039eacb6161480f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 74, + "comment" : "", + "msg" : "48656c6c6f", + 
"sig" : "d839c20abfda1fd429531831c64f813f84b913e9928540310cf060b44c3dbf9457d44a7721fdc0d67724ff81cb450dd39b10cfb65db15dda4b8bf09d26bd3801", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 75, + "comment" : "", + "msg" : "313233343030", + "sig" : "9bbb1052dcfa8ad2715c2eb716ae4f1902dea353d42ee09fd4c0b4fcb8b52b5219e2200016e1199d0061891c263e31b0bc3b55673c19610c4e0fa5408004160b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 76, + "comment" : "", + "msg" : "000000000000000000000000", + "sig" : "f63b5c0667c7897fc283296416f7f60e84bbde9cbd832e56be463ed9f568069702b17a2f7c341ebf590706a6388ac76ac613c1675ec0f2c7118f2573422a500b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 77, + "comment" : "", + "msg" : "6161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161", + "sig" : "1bc44d7001e6b5b9090fef34b2ca480f9786bbefa7d279353e5881e8dfb91b803ccd46500e270ef0109bfd741037558832120bc2a4f20fbe7b5fb3c3aaf23e08", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 78, + "comment" : "", + "msg" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f60", + "sig" : "ea8e22143b02372e76e99aece3ed36aec529768a27e2bb49bdc135d44378061e1f62d1ac518f33ebf37b2ee8cc6dde68a4bd7d4a2f4d6cb77f015f71ca9fc30d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 79, + "comment" : "", + "msg" : "ffffffffffffffffffffffffffffffff", + "sig" : "8acd679e1a914fc45d5fa83d3021f0509c805c8d271df54e52f43cfbd00cb6222bf81d58fe1de2de378df67ee9f453786626961fe50a9b05f12b6f0899ebdd0a", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "nWGxne_9WmC6hEr0kuwsxERJxWl7MmkZcDusAxyuf2A", + "kid" : "none", + "kty" : "OKP", + "x" : "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : 
"d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a", + "sk" : "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA11qYAYKxCrfVS/7TyWQHOg7hcvPapiMlrwIaaPcHURo=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 80, + "comment" : "draft-josefsson-eddsa-ed25519-02: Test 1", + "msg" : "", + "sig" : "e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "TM0Imyj_ltqdtsNG7BFOD1uKMZ81q6Yk2oz27U-4pvs", + "kid" : "none", + "kty" : "OKP", + "x" : "PUAXw-hDiVqStwqnTRt-vJyYLM8uxJaMwM1V8Sr0Zgw" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c", + "sk" : "4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321003d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAPUAXw+hDiVqStwqnTRt+vJyYLM8uxJaMwM1V8Sr0Zgw=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 81, + "comment" : "draft-josefsson-eddsa-ed25519-02: Test 2", + "msg" : "72", + "sig" : "92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "xaqN9D-fg3vtt0QvMdy3sWbThTUHbwlLhc46LgtEWPc", + "kid" : "none", + "kty" : "OKP", + "x" : "_FHNjmIYoaONpH7QAjDwWAgW7RO6MwOsXeuRFUiQgCU" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : 
"fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025", + "sk" : "c5aa8df43f9f837bedb7442f31dcb7b166d38535076f094b85ce3a2e0b4458f7", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA/FHNjmIYoaONpH7QAjDwWAgW7RO6MwOsXeuRFUiQgCU=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 82, + "comment" : "draft-josefsson-eddsa-ed25519-02: Test 3", + "msg" : "af82", + "sig" : "6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40a", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "9eV2fPFTMZUXYw8iaHa4bIFgzFg7wBN0TGvyVfXMDuU", + "kid" : "none", + "kty" : "OKP", + "x" : "J4EX_BRMcjQPZ9DyMW6Dhs7_vyskKMnFH-98WX8dQm4" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e", + "sk" : "f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAJ4EX/BRMcjQPZ9DyMW6Dhs7/vyskKMnFH+98WX8dQm4=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 83, + "comment" : "draft-josefsson-eddsa-ed25519-02: Test 1024", + "msg" : "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", + "sig" : "0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "160_H2u-BHfDw1eoBqGetBrj-UAlA1vIfygfjun8DjQ", + "kid" : "none", + "kty" : "OKP", + "x" : "j9ZZt3tVjtk4gsEVdDhFCshuxi1CHVaOmO4jbzgQKVo" + }, + "key" : { + "curve" : 
"edwards25519", + "keySize" : 255, + "pk" : "8fd659b77b558ed93882c1157438450ac86ec62d421d568e98ee236f3810295a", + "sk" : "d7ad3f1f6bbe0477c3c357a806a19eb41ae3f94025035bc87f281f8ee9fc0e34", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321008fd659b77b558ed93882c1157438450ac86ec62d421d568e98ee236f3810295a", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAj9ZZt3tVjtk4gsEVdDhFCshuxi1CHVaOmO4jbzgQKVo=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 84, + "comment" : "Random test failure 1", + "msg" : "b0729a713593a92e46b56eaa66b9e435f7a09a8e7de03b078f6f282285276635f301e7aaafe42187c45d6f5b13f9f16b11195cc125c05b90d24dfe4c", + "sig" : "7db17557ac470c0eda4eedaabce99197ab62565653cf911f632ee8be0e5ffcfc88fb94276b42e0798fd3aa2f0318be7fc6a29fae75f70c3dcdc414a0ad866601", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "rZsieTM2_NrBDhNsTe6lmb4Yejju-Rwc98ek7IhN2gg", + "kid" : "none", + "kty" : "OKP", + "x" : "KmBr9nrHcMYHA4sAQQGzJe21ae_TQT0tHyw-a05uMII" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "2a606bf67ac770c607038b004101b325edb569efd3413d2d1f2c3e6b4e6e3082", + "sk" : "ad9b22793336fcdac10e136c4deea599be187a38eef91c1cf7c7a4ec884dda08", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321002a606bf67ac770c607038b004101b325edb569efd3413d2d1f2c3e6b4e6e3082", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAKmBr9nrHcMYHA4sAQQGzJe21ae/TQT0tHyw+a05uMII=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 85, + "comment" : "Random test failure 2", + "msg" : "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", + "sig" : "67d84d4c3945aaf06e06d524be63acbfb5dbb1988c4aea96a5ee9f7a9b9eecc29df4f66b8aa1d9e8607a58fb1ef0c2ad69aac005b4f58e34103344a9c8871a09", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 86, + "comment" : "Random test failure 24", + "msg" : 
"b477b0480bb84642608b908d29a51cf2fce63f24ee95", + "sig" : "28fafbb62b4d688fa79e1ac92851f46e319b161f801d4dc09acc21fdd6780a2c4292b8c1003c61c2bcebe7f3f88ccc4bb26d407387c5f27cb8c94cf6ce810405", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "BKZVPWipuu94ohda83VFjqoBzbdzUMYeKC718McRZZk", + "kid" : "none", + "kty" : "OKP", + "x" : "yclGy8VUSsdO70kfB8WIHBb69-wxzkqpG7YK57RTkFE" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "c9c946cbc5544ac74eef491f07c5881c16faf7ec31ce4aa91bb60ae7b4539051", + "sk" : "04a6553d68a9baef78a2175af375458eaa01cdb77350c61e282ef5f0c7116599", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100c9c946cbc5544ac74eef491f07c5881c16faf7ec31ce4aa91bb60ae7b4539051", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAyclGy8VUSsdO70kfB8WIHBb69+wxzkqpG7YK57RTkFE=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 87, + "comment" : "Random test failure 3", + "msg" : "cd2212eddb0706f62c995cef958634f0cb7793444cbf4d30e81c27c41ebea6cb02607510131f9c015692dfd521b148841e9a2d3564d20ac401f6cb8e40f520fe0cafbeaa88840b83013369d879f013463fe52a13267aa0c8c59c45cde9399cd1e6be8cc64cf48315ac2eb31a1c567a4fb7d601746d1f63b5ac020712adbbe07519bded6f", + "sig" : "24087d47f3e20af51b9668ae0a88ce76586802d0ec75d8c0f28fc30962b5e1d1a1d509571a1624ed125a8df92a6e963728d6b5de99200b8e285f70feb6f05207", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 88, + "comment" : "Random test failure 20", + "msg" : "27d465bc632743522aefa23c", + "sig" : "c2656951e2a0285585a51ff0eda7e9a23c2dfd2ffa273aee7808f4604e8f9a8c8ea49e9fce4eb2d8d75d36b7238fe6fc13b6c5d9427dd58f8c6615d033c0bd0f", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "w2fI0uvu7NcMHomFtww4CLdWV_JDshuk8yJ5JUDpIlc", + "kid" : "none", + "kty" : "OKP", + "x" : "Mq0Cb2k9DSr-f0OI2RxMlkQm_LnjZlw-vYZQAJuBXI4" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 
255, + "pk" : "32ad026f693d0d2afe7f4388d91c4c964426fcb9e3665c3ebd8650009b815c8e", + "sk" : "c367c8d2ebeeecd70c1e8985b70c3808b75657f243b21ba4f322792540e92257", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b657003210032ad026f693d0d2afe7f4388d91c4c964426fcb9e3665c3ebd8650009b815c8e", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAMq0Cb2k9DSr+f0OI2RxMlkQm/LnjZlw+vYZQAJuBXI4=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 89, + "comment" : "Random test failure 4", + "msg" : "ec5c7cb078", + "sig" : "d920d421a5956b69bfe1ba834c025e2babb6c7a6d78c97de1d9bb1116dfdd1185147b2887e34e15578172e150774275ea2aad9e02106f7e8ca1caa669a066f0c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 90, + "comment" : "Random test failure 5", + "msg" : "4668c6a76f0e482190a7175b9f3806a5fe4314a004fa69f988373f7a", + "sig" : "4f62daf7f7c162038552ad7d306e195baa37ecf6ca7604142679d7d1128e1f8af52e4cb3545748c44ef1ff1c64e877e4f4d248259b7f6eb56e3ef72097dc8e0c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 91, + "comment" : "Random test failure 8", + "msg" : "5dc9bb87eb11621a93f92abe53515697d2611b2eef73", + "sig" : "deecafb6f2ede73fec91a6f10e45b9c1c61c4b9bfbe6b6147e2de0b1df6938971f7896c3ab83851fb5d9e537037bff0fca0ccb4a3cc38f056f91f7d7a0557e08", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 92, + "comment" : "Random test failure 10", + "msg" : "7dcfe60f881e1285676f35b68a1b2dbcdd7be6f719a288ababc28d36e3a42ac3010a1ca54b32760e74", + "sig" : "7f8663cf98cbd39d5ff553f00bcf3d0d520605794f8866ce75714d77cc51e66c91818b657d7b0dae430a68353506edc4a714c345f5ddb5c8b958ba3d035f7a01", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 93, + "comment" : "Random test failure 12", + "msg" : "58e456064dff471109def4ca27fa8310a1df32739655b624f27e6418d34b7f007173f3faa5", + "sig" : "6aab49e5c0bc309b783378ee03ffda282f0185cdf94c847701ff307a6ee8d0865411c44e0a8206f6a5f606107451940c2593af790ce1860f4c14ab25b2deae08", + "result" : "valid", + 
"flags" : [] + }, + { + "tcId" : 94, + "comment" : "Random test failure 15", + "msg" : "a1", + "sig" : "1a74ed2cbdc7d8f3827014e8e6ecf8fd2698ac8f86833acccdd400df710fe0d6b0543c9cfa00d52bf024ab7ce0d91981944097233ec134d5c7abbd44bfd32d0d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 95, + "comment" : "Random test failure 19", + "msg" : "11cb1eafa4c42a8402c4193c4696f7b2e6d4585e4b42dcf1a8b67a80b2da80bc9d4b649fb2f35eaf1f56c426fd0b", + "sig" : "14ceb2eaf4688d995d482f44852d71ad878cd7c77b41e60b0065fd01a59b054ee74759224187dbde9e59a763a70277c960892ef89fba997aba2576b2c54ba608", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 96, + "comment" : "Random test failure 25", + "msg" : "aa365b442d12b7f3c925", + "sig" : "83c40ce13d483cc58ff65844875862d93df4bd367af77efa469ec06a8ed9e6d7905a04879535708ddf225567a815c9b941d405c98e918fd0c151165cea7fb101", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 97, + "comment" : "Random test failure 28", + "msg" : "475f", + "sig" : "71a4a06a34075f2fd47bc3abf4714d46db7e97b08cb6180d3f1539ac50b18ce51f8af8ae95ed21d4fa0daab7235925631ecea1fd9d0d8a2ba7a7583fd04b900c", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "VsHiLWFsu23qhpKItLHAK7mGllg8L25lABOgPhcEnGI", + "kid" : "none", + "kty" : "OKP", + "x" : "wp7BiU4G0ntOQEhrT6UGPWanRsf5wyOxIgPAO3K4t4o" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "c29ec1894e06d27b4e40486b4fa5063d66a746c7f9c323b12203c03b72b8b78a", + "sk" : "56c1e22d616cbb6dea869288b4b1c02bb98696583c2f6e650013a03e17049c62", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100c29ec1894e06d27b4e40486b4fa5063d66a746c7f9c323b12203c03b72b8b78a", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAwp7BiU4G0ntOQEhrT6UGPWanRsf5wyOxIgPAO3K4t4o=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 98, + "comment" : "Random test failure 6", + "msg" : "0f325ffd87e58131ffa23c05ea4579513b287fdba87b44", + 
"sig" : "6669acf94667c5b541afe5307bde9476b13ae7e0e6058a772101ac8eb0a94331428eb4db0a2c68a9b6c1763b8624dab259b0876cdcfaeacc17b21a18e3fc010a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 99, + "comment" : "Random test failure 21", + "msg" : "5ffa", + "sig" : "931e5152fcef078c22cc5d6a3a65f06e396289f6f5f2d1efa6340254a53526ef5dc6874eeddf35c3f50991c53cd02bf06313e37d93ee1f7022128ffa3b8f300b", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "t9L2QnbfQX_tJ9jhW06Q9v2T2s5wcpTDOL0yvEu9j9s", + "kid" : "none", + "kty" : "OKP", + "x" : "z9pbiZ41dkxSKeWSlf4SIrfdzhdmQ2l8KeRuy7oQzxA" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "cfda5b899e35764c5229e59295fe1222b7ddce176643697c29e46ecbba10cf10", + "sk" : "b7d2f64276df417fed27d8e15b4e90f6fd93dace707294c338bd32bc4bbd8fdb", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100cfda5b899e35764c5229e59295fe1222b7ddce176643697c29e46ecbba10cf10", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAz9pbiZ41dkxSKeWSlf4SIrfdzhdmQ2l8KeRuy7oQzxA=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 100, + "comment" : "Random test failure 7", + "msg" : "ec5c7cb078", + "sig" : "30490c28f806298225df62103521dcee047153912c33ab8ab8bbdd1ffabd70fd4fdb360f05be535b067d1cf4e78c2cb432206bf280aab3bd21aaa1cb894c5b06", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 101, + "comment" : "Random test failure 9", + "msg" : "67484059b2490b1a0a4f8dee77979e26", + "sig" : "4cd4f77ed473a6647387f3163541c67a1708a3c3bd1673247cb87f0cb68b3c56f04bfa72970c8a483efe659c87009ab4020b590b6641316b3deddb5450544e02", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 102, + "comment" : "Random test failure 11", + "msg" : "a020a4381dc9141f47ee508871ab7a8b5a3648727c4281ae9932376f23a8e1bcda0626b7129197d864178631ec89c4332dbb18", + "sig" : 
"1e41a24fe732bd7cab14c2a2f5134ee8c87fcbd2e987e60957ed9239e5c32404d56977e1b4282871896cb10625a1937468e4dc266e16a9c1b8e9891177eca802", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 103, + "comment" : "Random test failure 14", + "msg" : "a25176b3afea318b2ec11ddacb10caf7179c0b3f8eabbfa2895581138d3c1e0e", + "sig" : "2a833aadecd9f28235cb5896bf3781521dc71f28af2e91dbe1735a61dce3e31ac15ca24b3fc47817a59d386bbbb2ce60a6adc0a2703bb2bdea8f70f91051f706", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 104, + "comment" : "Random test failure 18", + "msg" : "a9e6d94870a67a9fe1cf13b1e6f9150cdd407bf6480ec841ea586ae3935e9787163cf419c1", + "sig" : "c97e3190f83bae7729ba473ad46b420b8aad735f0808ea42c0f898ccfe6addd4fd9d9fa3355d5e67ee21ab7e1f805cd07f1fce980e307f4d7ad36cc924eef00c", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "fVl8O3KDkp0H7Y8B8x0lloI-XkarImx75CNNGp3K7zc", + "kid" : "none", + "kty" : "OKP", + "x" : "UpkZyceAmFqEHEK6bBgP8tZ6J2zPvigQgOR6txp1j1Y" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "529919c9c780985a841c42ba6c180ff2d67a276ccfbe281080e47ab71a758f56", + "sk" : "7d597c3b7283929d07ed8f01f31d2596823e5e46ab226c7be4234d1a9dcaef37", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100529919c9c780985a841c42ba6c180ff2d67a276ccfbe281080e47ab71a758f56", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAUpkZyceAmFqEHEK6bBgP8tZ6J2zPvigQgOR6txp1j1Y=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 105, + "comment" : "Random test failure 13", + "msg" : "e1cbf2d86827825613fb7a85811d", + "sig" : "01abfa4d6bbc726b196928ec84fd03f0c953a4fa2b228249562ff1442a4f63a7150b064f3712b51c2af768d2c2711a71aabf8d186833e941a0301b82f0502905", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 106, + "comment" : "Random test failure 22", + "msg" : "25", + "sig" : 
"e4ae21f7a8f4b3b325c161a8c6e53e2edd7005b9c2f8a2e3b0ac4ba94aa80be6f2ee22ac8d4a96b9a3eb73a825e7bb5aff4a3393bf5b4a38119e9c9b1b041106", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "9AHO5L-xcy8Om42Lp5RpVlwxFSlhQdvffpwxGgrBgjs", + "kid" : "none", + "kty" : "OKP", + "x" : "IlKz1Xx0y_i8Rg3C4IKEeSa8Ai8Jq2rpV1Y2K_0RZ8E" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "2252b3d57c74cbf8bc460dc2e082847926bc022f09ab6ae95756362bfd1167c1", + "sk" : "f401cee4bfb1732f0e9b8d8ba79469565c3115296141dbdf7e9c311a0ac1823b", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321002252b3d57c74cbf8bc460dc2e082847926bc022f09ab6ae95756362bfd1167c1", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAIlKz1Xx0y/i8Rg3C4IKEeSa8Ai8Jq2rpV1Y2K/0RZ8E=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 107, + "comment" : "Random test failure 16", + "msg" : "975ef941710071a9e1e6325a0c860becd7c695b5117c3107b686e330e5", + "sig" : "af0fd9dda7e03e12313410d8d8844ebb6fe6b7f65141f22d7bcba5695a25414a9e54326fb44d59fb14707899a8aae70857b23d4080d7ab2c396ef3a36d45ce02", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 108, + "comment" : "Random test failure 23", + "msg" : "80fdd6218f29c8c8f6bd820945f9b0854e3a8824", + "sig" : "e097e0bd0370bff5bde359175a11b728ee9639095d5df8eda496395565616edfe079977f7d4dc8c75d6113a83d6a55e6e1676408c0967a2906339b43337dcb01", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "PWWJVkEDd9BkRnbSWZVCQSpPOw5Orft_P4NmFfQrGLw", + "kid" : "none", + "kty" : "OKP", + "x" : "wKdzEQ-XXeNzI1W7fsfwxBwJHAJSlmBwIFUWaTuZKko" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "c0a773110f975de3732355bb7ec7f0c41c091c0252966070205516693b992a4a", + "sk" : "3d658956410377d0644676d2599542412a4f3b0e4eadfb7f3f836615f42b18bc", + "type" : "EDDSAKeyPair" + }, + "keyDer" : 
"302a300506032b6570032100c0a773110f975de3732355bb7ec7f0c41c091c0252966070205516693b992a4a", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAwKdzEQ+XXeNzI1W7fsfwxBwJHAJSlmBwIFUWaTuZKko=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 109, + "comment" : "Random test failure 17", + "msg" : "", + "sig" : "0280427e713378f49d478df6373c6cac847b622b567daa2376c839e7ac10e22c380ab0fa8617c9dcfe76c4d9db5459b21dc1413726e46cc8f387d359e344f407", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "vMthMjhAwqlvw29-VOpsjlX50iH38FeR7WACXgYGRDk", + "kid" : "none", + "kty" : "OKP", + "x" : "VM2mIyRXWa1tQ-YgpgaQi-_GM9YHkrx3mER6DvOOcxE" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "54cda623245759ad6d43e620a606908befc633d60792bc7798447a0ef38e7311", + "sk" : "bccb61323840c2a96fc36f7e54ea6c8e55f9d221f7f05791ed60025e06064439", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b657003210054cda623245759ad6d43e620a606908befc633d60792bc7798447a0ef38e7311", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAVM2mIyRXWa1tQ+YgpgaQi+/GM9YHkrx3mER6DvOOcxE=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 110, + "comment" : "Random test failure 26", + "msg" : "27e792b28b2f1702", + "sig" : "14d9b497c19b91d43481c55bb6f5056de252d9ecb637575c807e58e9b4c5eac8b284089d97e2192dc242014363208e2c9a3435edf8928fb1d893553e9be4c703", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "8tMCO5wZ4kF0i8QDmnpDxZVwHyNnVQUBUhOooqAnTBs", + "kid" : "none", + "kty" : "OKP", + "x" : "I2K6xRTV-tM4AmQul5oegt5utvG8v2pbME8rsCueV_4" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "2362bac514d5fad33802642e979a1e82de6eb6f1bcbf6a5b304f2bb02b9e57fe", + "sk" : "f2d3023b9c19e241748bc4039a7a43c595701f23675505015213a8a2a0274c1b", + "type" : "EDDSAKeyPair" + }, + "keyDer" : 
"302a300506032b65700321002362bac514d5fad33802642e979a1e82de6eb6f1bcbf6a5b304f2bb02b9e57fe", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAI2K6xRTV+tM4AmQul5oegt5utvG8v2pbME8rsCueV/4=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 111, + "comment" : "Random test failure 27", + "msg" : "eef3bb0f617c17d0420c115c21c28e3762edc7b7fb048529b84a9c2bc6", + "sig" : "242ddb3a5d938d07af690b1b0ef0fa75842c5f9549bf39c8750f75614c712e7cbaf2e37cc0799db38b858d41aec5b9dd2fca6a3c8e082c10408e2cf3932b9d08", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "EvwxxA1aevceBUJGI7qXC2cM9uy0TNphICEOY3AkXds", + "kid" : "none", + "kty" : "OKP", + "x" : "A3tVtCfcjaoPgPzrrwhGkCMJ-KbPGLRlwM6bZTlimsg" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "037b55b427dc8daa0f80fcebaf0846902309f8a6cf18b465c0ce9b6539629ac8", + "sk" : "12fc31c40d5a7af71e05424623ba970b670cf6ecb44cda6120210e6370245ddb", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100037b55b427dc8daa0f80fcebaf0846902309f8a6cf18b465c0ce9b6539629ac8", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAA3tVtCfcjaoPgPzrrwhGkCMJ+KbPGLRlwM6bZTlimsg=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 112, + "comment" : "Test case for overflow in signature generation", + "msg" : "01234567", + "sig" : "c964e100033ce8888b23466677da4f4aea29923f642ae508f9d0888d788150636ab9b2c3765e91bbb05153801114d9e52dc700df377212222bb766be4b8c020d", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "5UvMTOldtIByx7SVdWF90flAOwchBSWcoG2NAVMNB_s", + "kid" : "none", + "kty" : "OKP", + "x" : "nAAHaY8XeZinZmx895c-K4jpxJRuM4BKe76JaNI5Sy4" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "9c0007698f177998a7666c7cf7973e2b88e9c4946e33804a7bbe8968d2394b2e", + "sk" : "e54bcc4ce95db48072c7b49575617dd1f9403b072105259ca06d8d01530d07fb", + 
"type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321009c0007698f177998a7666c7cf7973e2b88e9c4946e33804a7bbe8968d2394b2e", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAnAAHaY8XeZinZmx895c+K4jpxJRuM4BKe76JaNI5Sy4=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 113, + "comment" : "Test case for overflow in signature generation", + "msg" : "9399a6db9433d2a28d2b0c11c8794ab7d108c95b", + "sig" : "176065c6d64a136a2227687d77f61f3fca3b16122c966276fd9a8b14a1a2cea4c33b3533d11101717016684e3810efbea63bb23773f7cc480174199abd734f08", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "3n8rsSuHWnnMsFc0Syhnou2yXbwez8jLB8aeLdPfPgI", + "kid" : "none", + "kty" : "OKP", + "x" : "7TpvlyHclynB92Y1vPCA1wNuHC8CKGVMy74ec4wXuWM" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "ed3a6f9721dc9729c1f76635bcf080d7036e1c2f0228654ccbbe1e738c17b963", + "sk" : "de7f2bb12b875a79ccb057344b2867a2edb25dbc1ecfc8cb07c69e2dd3df3e02", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100ed3a6f9721dc9729c1f76635bcf080d7036e1c2f0228654ccbbe1e738c17b963", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA7TpvlyHclynB92Y1vPCA1wNuHC8CKGVMy74ec4wXuWM=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 114, + "comment" : "Test case for overflow in signature generation", + "msg" : "7af783afbbd44c1833ab7237ecaf63b94ffdd003", + "sig" : "7ca69331eec8610d38f00e2cdbd46966cb359dcde98a257ac6f362cc00c8f4fe85c02285fe4d66e31a44cadb2bf474e1a7957609eb4fe95a71473fe6699aa70d", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "6nkrep1CC_dPaoKnjliizJTzqz65MScGEbH42nXD1gs", + "kid" : "none", + "kty" : "OKP", + "x" : "Sr-1NTE3BaZXABhEDN7Bo64z5R81IRL6asvQxrw-qFk" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "4abfb535313705a6570018440cdec1a3ae33e51f352112fa6acbd0c6bc3ea859", + 
"sk" : "ea792b7a9d420bf74f6a82a78e58a2cc94f3ab3eb931270611b1f8da75c3d60b", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321004abfb535313705a6570018440cdec1a3ae33e51f352112fa6acbd0c6bc3ea859", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEASr+1NTE3BaZXABhEDN7Bo64z5R81IRL6asvQxrw+qFk=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 115, + "comment" : "Test case for overflow in signature generation", + "msg" : "321b5f663c19e30ee7bbb85e48ecf44db9d3f512", + "sig" : "f296715e855d8aecccba782b670163dedc4458fe4eb509a856bcac450920fd2e95a3a3eb212d2d9ccaf948c39ae46a2548af125f8e2ad9b77bd18f92d59f9200", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "7KKGRfY2Rlde4uS9s29Rg4FCziR0ZkwrZu8FSzevYSQ", + "kid" : "none", + "kty" : "OKP", + "x" : "TyFi5r8DpxLbDvpBi35wBuI4cdnX7FVaMTiFxK_ZY4U" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "4f2162e6bf03a712db0efa418b7e7006e23871d9d7ec555a313885c4afd96385", + "sk" : "eca28645f63646575ee2e4bdb36f51838142ce2474664c2b66ef054b37af6124", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321004f2162e6bf03a712db0efa418b7e7006e23871d9d7ec555a313885c4afd96385", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEATyFi5r8DpxLbDvpBi35wBuI4cdnX7FVaMTiFxK/ZY4U=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 116, + "comment" : "Test case for overflow in signature generation", + "msg" : "c48890e92aeeb3af04858a8dc1d34f16a4347b91", + "sig" : "367d07253a9d5a77d054b9c1a82d3c0a448a51905343320b3559325ef41839608aa45564978da1b2968c556cfb23b0c98a9be83e594d5e769d69d1156e1b1506", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "coI4YCt-Z1Oz9J6w_EzeOMe7FKtY3crvJTcnWxPpndM", + "kid" : "none", + "kty" : "OKP", + "x" : "BxfXXOJ-oYHtWjDmRWxkm1z0U6a0wSzT-f0Wsx4MJc0" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + 
"pk" : "0717d75ce27ea181ed5a30e6456c649b5cf453a6b4c12cd3f9fd16b31e0c25cd", + "sk" : "728238602b7e6753b3f49eb0fc4cde38c7bb14ab58ddcaef2537275b13e99dd3", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321000717d75ce27ea181ed5a30e6456c649b5cf453a6b4c12cd3f9fd16b31e0c25cd", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEABxfXXOJ+oYHtWjDmRWxkm1z0U6a0wSzT+f0Wsx4MJc0=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 117, + "comment" : "regression test for arithmetic error", + "msg" : "26d5f0631f49106db58c4cfc903691134811b33c", + "sig" : "9588e02bc815649d359ce710cdc69814556dd8c8bab1c468f40a49ebefb7f0de7ed49725edfd1b708fa1bad277c35d6c1b9c5ec25990997645780f9203d7dd08", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "3ECS14CcawcPKAjENCZ7ZpdCj0qx5GJqtWowWWQ75Dw", + "kid" : "none", + "kty" : "OKP", + "x" : "21ueq36E5aE1BYZfpxHJyJbImGCfwR_JvB5VAo-Ult8" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "db5b9eab7e84e5a13505865fa711c9c896c898609fc11fc9bc1e55028f9496df", + "sk" : "dc4092d7809c6b070f2808c434267b6697428f4ab1e4626ab56a3059643be43c", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100db5b9eab7e84e5a13505865fa711c9c896c898609fc11fc9bc1e55028f9496df", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA21ueq36E5aE1BYZfpxHJyJbImGCfwR/JvB5VAo+Ult8=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 118, + "comment" : "regression test for arithmetic error", + "msg" : "2a71f064af982a3a1103a75cef898732d7881981", + "sig" : "2217a0be57dd0d6c0090641496bcb65e37213f02a0df50aff0368ee2808e1376504f37b37494132dfc4d4887f58b9e86eff924040db3925ee4f8e1428c4c500e", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "OHZbiexWg26kGQ_JV4ArakcWf5te-ULpJlKAO33mq_0", + "kid" : "none", + "kty" : "OKP", + "x" : "e6wY9tJiXTkV8jNDTNo4pXckenMypRcLNxQqNGRBReA" + }, + 
"key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "7bac18f6d2625d3915f233434cda38a577247a7332a5170b37142a34644145e0", + "sk" : "38765b89ec56836ea4190fc957802b6a47167f9b5ef942e92652803b7de6abfd", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321007bac18f6d2625d3915f233434cda38a577247a7332a5170b37142a34644145e0", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAe6wY9tJiXTkV8jNDTNo4pXckenMypRcLNxQqNGRBReA=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 119, + "comment" : "regression test for arithmetic error", + "msg" : "bf26796cef4ddafcf5033c8d105057db0210b6ad", + "sig" : "1fda6dd4519fdbefb515bfa39e8e5911f4a0a8aa65f40ef0c542b8b34b87f9c249dc57f320718ff457ed5915c4d0fc352affc1287724d3f3a9de1ff777a02e01", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "l1dTCKSQrwwUVBHdFtUZoHPvA8LkoKHNa13i6IHl6r4", + "kid" : "none", + "kty" : "OKP", + "x" : "OOrTBGJKvr8-KzHiDlYpUx4_xlkAiIfJEG9eVa27xio" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "38ead304624abebf3e2b31e20e5629531e3fc659008887c9106f5e55adbbc62a", + "sk" : "97575308a490af0c145411dd16d519a073ef03c2e4a0a1cd6b5de2e881e5eabe", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b657003210038ead304624abebf3e2b31e20e5629531e3fc659008887c9106f5e55adbbc62a", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAOOrTBGJKvr8+KzHiDlYpUx4/xlkAiIfJEG9eVa27xio=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 120, + "comment" : "regression test for arithmetic error", + "msg" : "ae03da6997e40cea67935020152d3a9a365cc055", + "sig" : "068eafdc2f36b97f9bae7fbda88b530d16b0e35054d3a351e3a4c914b22854c711505e49682e1a447e10a69e3b04d0759c859897b64f71137acf355b63faf100", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "rRKeieDuyQjfUa3CJ8jEkIqAlddWIVNsiijcpLPDDbs", + "kid" : "none", + "kty" : "OKP", + 
"x" : "6byVBJr35IF7F8QCJpul52e3NIdXrIAC_sngg5DAqc8" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "e9bc95049af7e4817b17c402269ba5e767b7348757ac8002fec9e08390c0a9cf", + "sk" : "ad129e89e0eec908df51adc227c8c4908a8095d75621536c8a28dca4b3c30dbb", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100e9bc95049af7e4817b17c402269ba5e767b7348757ac8002fec9e08390c0a9cf", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA6byVBJr35IF7F8QCJpul52e3NIdXrIAC/sngg5DAqc8=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 121, + "comment" : "regression test for arithmetic error", + "msg" : "489d473f7fb83c7f6823baf65482517bccd8f4ea", + "sig" : "43670abc9f09a8a415e76f4a21c6a46156f066b5a37b3c1e867cf67248c7b927e8d13a763e37abf936f5f27f7a8aa290539d21f740efd26b65fd5ad27085f400", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "A85kPW00G3BlvJ5w2oGTRRz4PKf_WoZA_QevCUZANlo", + "kid" : "none", + "kty" : "OKP", + "x" : "7oFVyk6P57xbylmSBE6rf4w8ahPbEXb0L0bCnaWwZPQ" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "ee8155ca4e8fe7bc5bca5992044eab7f8c3c6a13db1176f42f46c29da5b064f4", + "sk" : "03ce643d6d341b7065bc9e70da8193451cf83ca7ff5a8640fd07af094640365a", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100ee8155ca4e8fe7bc5bca5992044eab7f8c3c6a13db1176f42f46c29da5b064f4", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA7oFVyk6P57xbylmSBE6rf4w8ahPbEXb0L0bCnaWwZPQ=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 122, + "comment" : "regression test for arithmetic error", + "msg" : "1b704d6692d60a07ad1e1d047b65e105a80d3459", + "sig" : "56388f2228893b14ce4f2a5e0cc626591061de3a57c50a5ecab7b9d5bb2caeea191560a1cf2344c75fdb4a085444aa68d727b39f498169eaa82cf64a31f59803", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : 
"WB9ZOlzZRZTcD13RQgJqQ2qTDlczkbeu6mqCU-7vbOs", + "kid" : "none", + "kty" : "OKP", + "x" : "21B7_MlXY5P3FXuzYFMrBcX88udktpDMZpikow00kJU" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "db507bfcc9576393f7157bb360532b05c5fcf2e764b690cc6698a4a30d349095", + "sk" : "581f593a5cd94594dc0f5dd142026a436a930e573391b7aeea6a8253eeef6ceb", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100db507bfcc9576393f7157bb360532b05c5fcf2e764b690cc6698a4a30d349095", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA21B7/MlXY5P3FXuzYFMrBcX88udktpDMZpikow00kJU=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 123, + "comment" : "regression test for arithmetic error", + "msg" : "dc87030862c4c32f56261e93a367caf458c6be27", + "sig" : "553e5845fc480a577da6544e602caadaa00ae3e5aa3dce9ef332b1541b6d5f21bdf1d01e98baf80b8435f9932f89b3eb70f02da24787aac8e77279e797d0bd0b", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "byB9yUuETU3HH5gtqNnzrgs3tGI-RB7KdbpiYhxSTZg", + "kid" : "none", + "kty" : "OKP", + "x" : "mU6vAzCdatnZWmVrwXROKIbwKQI6N1CzTzUIazxyJ_g" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "994eaf03309d6ad9d95a656bc1744e2886f029023a3750b34f35086b3c7227f8", + "sk" : "6f207dc94b844d4dc71f982da8d9f3ae0b37b4623e441eca75ba62621c524d98", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100994eaf03309d6ad9d95a656bc1744e2886f029023a3750b34f35086b3c7227f8", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAmU6vAzCdatnZWmVrwXROKIbwKQI6N1CzTzUIazxyJ/g=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 124, + "comment" : "regression test for arithmetic error", + "msg" : "7f41ef68508343ef18813cb2fb332445ec6480cd", + "sig" : "bc10f88081b7be1f2505b6e76c5c82e358cf21ec11b7df1f334fb587bada465b53d9f7b4d4fec964432ee91ead1bc32ed3c82f2167da1c834a37515df7fe130e", + "result" : "valid", + "flags" : [] + 
} + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "3qm7ufsgUS-mfuppav14bzkoJl9SCK6rpjjzF30Ntw4", + "kid" : "none", + "kty" : "OKP", + "x" : "En035Abg2D5LVaCeIej1D7iK9H5KQ_AYzev_wZSHV_A" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "127d37e406e0d83e4b55a09e21e8f50fb88af47e4a43f018cdebffc1948757f0", + "sk" : "dea9bbb9fb20512fa67eea696afd786f3928265f5208aeaba638f3177d0db70e", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100127d37e406e0d83e4b55a09e21e8f50fb88af47e4a43f018cdebffc1948757f0", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAEn035Abg2D5LVaCeIej1D7iK9H5KQ/AYzev/wZSHV/A=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 125, + "comment" : "regression test for arithmetic error", + "msg" : "e1ce107971534bc46a42ac609a1a37b4ca65791d", + "sig" : "00c11e76b5866b7c37528b0670188c1a0473fb93c33b72ae604a8865a7d6e094ff722e8ede3cb18389685ff3c4086c29006047466f81e71a329711e0b9294709", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "yZxSrh5h98eaFk7kkQ_cqgKUYlnqVEP2iyPXIdBHL2M", + "kid" : "none", + "kty" : "OKP", + "x" : "2DuoTt-0vsSfKb4x2Apkt8C1pQJDjNsdDdHg4-VXht4" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "d83ba84edfb4bec49f29be31d80a64b7c0b5a502438cdb1d0dd1e0e3e55786de", + "sk" : "c99c52ae1e61f7c79a164ee4910fdcaa02946259ea5443f68b23d721d0472f63", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100d83ba84edfb4bec49f29be31d80a64b7c0b5a502438cdb1d0dd1e0e3e55786de", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA2DuoTt+0vsSfKb4x2Apkt8C1pQJDjNsdDdHg4+VXht4=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 126, + "comment" : "regression test for arithmetic error", + "msg" : "869a827397c585cf35acf88a8728833ab1c8c81e", + "sig" : 
"0a6f0ac47ea136cb3ff00f7a96638e4984048999ee2da0af6e5c86bffb0e70bb97406b6ad5a4b764f7c99ebb6ec0fd434b8efe253b0423ef876c037998e8ab07", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "2KqtB0nbFZVppotGBIs9PoJm4RAVAlHEKAbwdSqE6Vs", + "kid" : "none", + "kty" : "OKP", + "x" : "08mqLz1u8hehZuiuQD7UNsN_rLvjvs63jfbrQ5-PoEo" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "d3c9aa2f3d6ef217a166e8ae403ed436c37facbbe3beceb78df6eb439f8fa04a", + "sk" : "d8aaad0749db159569a68b46048b3d3e8266e110150251c42806f0752a84e95b", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100d3c9aa2f3d6ef217a166e8ae403ed436c37facbbe3beceb78df6eb439f8fa04a", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA08mqLz1u8hehZuiuQD7UNsN/rLvjvs63jfbrQ5+PoEo=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 127, + "comment" : "regression test for arithmetic error", + "msg" : "619d8c4f2c93104be01cd574a385ceca08c33a9e", + "sig" : "b7cbb942a6661e2312f79548224f3e44f5841c6e880c68340756a00ce94a914e8404858265985e6bb97ef01d2d7e5e41340309606bfc43c8c6a8f925126b3d09", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "540mq1tybJ1N-x9jQIKr3tkEMqL9GAicfIUlOl0vx9A", + "kid" : "none", + "kty" : "OKP", + "x" : "1TKANnwcC5WsQRIhi5LGpxxR-2MSzmaN4ZbH1SoTYVU" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "d53280367c1c0b95ac4112218b92c6a71c51fb6312ce668de196c7d52a136155", + "sk" : "e78d26ab5b726c9d4dfb1f634082abded90432a2fd18089c7c85253a5d2fc7d0", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100d53280367c1c0b95ac4112218b92c6a71c51fb6312ce668de196c7d52a136155", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA1TKANnwcC5WsQRIhi5LGpxxR+2MSzmaN4ZbH1SoTYVU=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 128, + "comment" : "regression test for arithmetic error", + "msg" 
: "5257a0bae8326d259a6ce97420c65e6c2794afe2", + "sig" : "27a4f24009e579173ff3064a6eff2a4d20224f8f85fdec982a9cf2e6a3b51537348a1d7851a3a932128a923a393ea84e6b35eb3473c32dceb9d7e9cab03a0f0d", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "jnylbgfxQ4rDYV_Z7HeuY2edDsBZtFlf6_QL5Z2XagU", + "kid" : "none", + "kty" : "OKP", + "x" : "lKwjNrqXpHb7TJ8rVWPkFnyiksbpnkIjUKkRrjFywxU" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "94ac2336ba97a476fb4c9f2b5563e4167ca292c6e99e422350a911ae3172c315", + "sk" : "8e7ca56e07f1438ac3615fd9ec77ae63679d0ec059b4595febf40be59d976a05", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b657003210094ac2336ba97a476fb4c9f2b5563e4167ca292c6e99e422350a911ae3172c315", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAlKwjNrqXpHb7TJ8rVWPkFnyiksbpnkIjUKkRrjFywxU=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 129, + "comment" : "regression test for arithmetic error", + "msg" : "5acb6afc9b368f7acac0e71f6a4831c72d628405", + "sig" : "985b605fe3f449f68081197a68c714da0bfbf6ac2ab9abb0508b6384ea4999cb8d79af98e86f589409e8d2609a8f8bd7e80aaa8d92a84e7737fbe8dcef41920a", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "53Ulr1hWq531q7ZOUxJXa0mMwn9h8mbiHzguBSbU5vs", + "kid" : "none", + "kty" : "OKP", + "x" : "4ecxbSMffydb30AzYDBNoVCf3xrx_SXKIU6qwKKJOY8" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "e1e7316d231f7f275bdf403360304da1509fdf1af1fd25ca214eaac0a289398f", + "sk" : "e77525af5856ab9df5abb64e5312576b498cc27f61f266e21f382e0526d4e6fb", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100e1e7316d231f7f275bdf403360304da1509fdf1af1fd25ca214eaac0a289398f", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA4ecxbSMffydb30AzYDBNoVCf3xrx/SXKIU6qwKKJOY8=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 130, + 
"comment" : "regression test for arithmetic error", + "msg" : "3c87b3453277b353941591fc7eaa7dd37604b42a", + "sig" : "1c8fbda3d39e2b441f06da6071c13115cb4115c7c3341704cf6513324d4cf1ef4a1dd7678a048b0dde84e48994d080befcd70854079d44b6a0b0f9fa002d130c", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "H0MjWtcW8b63VKsPVG36k0SI_fdHK0k9fMPGA1MAXSQ", + "kid" : "none", + "kty" : "OKP", + "x" : "__vupxIV76-YiP7CzGjts3A_8Rpm_WKbU8vaXqvBh1A" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "fffbeea71215efaf9888fec2cc68edb3703ff11a66fd629b53cbda5eabc18750", + "sk" : "1f43235ad716f1beb754ab0f546dfa934488fdf7472b493d7cc3c60353005d24", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100fffbeea71215efaf9888fec2cc68edb3703ff11a66fd629b53cbda5eabc18750", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA//vupxIV76+YiP7CzGjts3A/8Rpm/WKbU8vaXqvBh1A=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 131, + "comment" : "regression test for arithmetic error", + "msg" : "0a68e27ef6847bfd9e398b328a0ded3679d4649d", + "sig" : "59097233eb141ed948b4f3c28a9496b9a7eca77454ecfe7e46737d1449a0b76b15aacf77cf48af27a668aa4434cfa26c504d75a2bcc4feac46465446234c0508", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "OXd4W5-MUyDlGjoW-MwixPfmSFdhf5VQFH-jXWhco08", + "kid" : "none", + "kty" : "OKP", + "x" : "GczAUnWZywMuC0xNdOYPE5AXaKmd8EHDvBv2wO8nEWk" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "19ccc0527599cb032e0b4c4d74e60f13901768a99df041c3bc1bf6c0ef271169", + "sk" : "3977785b9f8c5320e51a3a16f8cc22c4f7e64857617f9550147fa35d685ca34f", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b657003210019ccc0527599cb032e0b4c4d74e60f13901768a99df041c3bc1bf6c0ef271169", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAGczAUnWZywMuC0xNdOYPE5AXaKmd8EHDvBv2wO8nEWk=\n-----END PUBLIC KEY-----\n", + 
"type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 132, + "comment" : "regression test for arithmetic error", + "msg" : "4e9bef60737c7d4dd10bd52567e1473a36d3573d", + "sig" : "519105608508fe2f1b6da4cc8b23e39798b1d18d25972beed0404cec722e01ba1b6a0f85e99e092cca8076b101b60d4ac5035684357f4d0daacdc642da742a06", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "GqRBXF2wExvsb6GI0MI9SaZb95VlcVP66Ud34_Gbz1Q", + "kid" : "none", + "kty" : "OKP", + "x" : "DnJuJwR1Y6oKGpwuCF2NJq8qy6Ep0IacZQMePmysMpo" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "0e726e27047563aa0a1a9c2e085d8d26af2acba129d0869c65031e3e6cac329a", + "sk" : "1aa4415c5db0131bec6fa188d0c23d49a65bf795657153fae94777e3f19bcf54", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321000e726e27047563aa0a1a9c2e085d8d26af2acba129d0869c65031e3e6cac329a", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEADnJuJwR1Y6oKGpwuCF2NJq8qy6Ep0IacZQMePmysMpo=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 133, + "comment" : "regression test for arithmetic error", + "msg" : "cc82b3163efda3ba7e9240e765112caa69113694", + "sig" : "d8b03ee579e73f16477527fc9dc37a72eaac0748a733772c483ba013944f01ef64fb4ec5e3a95021dc22f4ae282baff6e9b9cc8433c6b6710d82e7397d72ef04", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "D7doClDT8pQAd-pN_LfrBAoSXE9LXc76FtOvlo_I5d4", + "kid" : "none", + "kty" : "OKP", + "x" : "53cXtUorXlvOW8y48MX9tf1993rCVAIPyRINwNTfQXg" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "e77717b54a2b5e5bce5bccb8f0c5fdb5fd7df77ac254020fc9120dc0d4df4178", + "sk" : "0fb7680a50d3f2940077ea4dfcb7eb040a125c4f4b5dcefa16d3af968fc8e5de", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100e77717b54a2b5e5bce5bccb8f0c5fdb5fd7df77ac254020fc9120dc0d4df4178", + "keyPem" : "-----BEGIN PUBLIC 
KEY-----\nMCowBQYDK2VwAyEA53cXtUorXlvOW8y48MX9tf1993rCVAIPyRINwNTfQXg=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 134, + "comment" : "regression test for arithmetic error", + "msg" : "923a5c9e7b5635bb6c32c5a408a4a15b652450eb", + "sig" : "26da61fdfd38e6d01792813f27840c8b4766b0faaed39d0ee898cb450d94a5d5f57e58b6a003d7f9b56b20561954c6edcf66492d116b8b5e91f205a3a6449d0b", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "4iLERNa8ikeWoNWi1x0ZuYhFzFbjnKr4Iz6kxrBwTwk", + "kid" : "none", + "kty" : "OKP", + "x" : "YiCXLT99FQs2eQ19UiOEh21k1kDNmRMYaBXhYpWC7TY" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "6220972d3f7d150b36790d7d522384876d64d640cd9913186815e1629582ed36", + "sk" : "e222c444d6bc8a4796a0d5a2d71d19b98845cc56e39caaf8233ea4c6b0704f09", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321006220972d3f7d150b36790d7d522384876d64d640cd9913186815e1629582ed36", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAYiCXLT99FQs2eQ19UiOEh21k1kDNmRMYaBXhYpWC7TY=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 135, + "comment" : "regression test for arithmetic error", + "msg" : "6f2f0245de4587062979d0422d349f93ccdc3af2", + "sig" : "4adeaff7a58c5010a5a067feea0ae504d37b0c6a76c6c153e222f13409dff2df0fab69bc5059b97d925dc1b89e9851d7c627cb82d65585f9fd976124553f8902", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "qJ6hhHa5rZDLFLix_yR3fk69AVvIEKYHhakVTazzvlI", + "kid" : "none", + "kty" : "OKP", + "x" : "e2SijFDsdnipDj4aIVIuMKydt7UhWuor-zO-oDfquYc" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "7b64a28c50ec7678a90e3e1a21522e30ac9db7b5215aea2bfb33bea037eab987", + "sk" : "a89ea18476b9ad90cb14b8b1ff24777e4ebd015bc810a60785a9154dacf3be52", + "type" : "EDDSAKeyPair" + }, + "keyDer" : 
"302a300506032b65700321007b64a28c50ec7678a90e3e1a21522e30ac9db7b5215aea2bfb33bea037eab987", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAe2SijFDsdnipDj4aIVIuMKydt7UhWuor+zO+oDfquYc=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 136, + "comment" : "regression test for arithmetic error", + "msg" : "6e911edb27a170b983d4dee1110554f804330f41", + "sig" : "4204d620cde0c3008c0b2901f5d6b44f88f0e3cb4f4d62252bf6f3cb37c1fb150a9ccb296afe5e7c75f65b5c8edd13dc4910ffe1e1265b3707c59042cf9a5902", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "abHaVs3o0WdsKowOf5XH0L9gc579EwTdLMsCcp0Xoiw", + "kid" : "none", + "kty" : "OKP", + "x" : "ckRSIQqeTJlIGSKb8Sv4TpV2ijqXwI2Nj1-TmkytNMU" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "724452210a9e4c994819229bf12bf84e95768a3a97c08d8d8f5f939a4cad34c5", + "sk" : "69b1da56cde8d1676c2a8c0e7f95c7d0bf60739efd1304dd2ccb02729d17a22c", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100724452210a9e4c994819229bf12bf84e95768a3a97c08d8d8f5f939a4cad34c5", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAckRSIQqeTJlIGSKb8Sv4TpV2ijqXwI2Nj1+TmkytNMU=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 137, + "comment" : "regression test for arithmetic error", + "msg" : "b8cf807eea809aaf739aa091f3b7a3f2fd39fb51", + "sig" : "f8a69d3fd8c2ff0a9dec41e4c6b43675ce08366a35e220b1185ffc246c339e22c20ac661e866f52054015efd04f42eca2adcee6834c4df923b4a62576e4dff0e", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "szImXPlVlfDJAiFZO1orPFdNYNxjTd_2GG8O7XmAo4M", + "kid" : "none", + "kty" : "OKP", + "x" : "utJlspTtL0IstqFBaUCGI4-_6YdXGqdl2LTzokEFqgE" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "bad265b294ed2f422cb6a141694086238fbfe987571aa765d8b4f3a24105aa01", + "sk" : 
"b332265cf95595f0c90221593b5a2b3c574d60dc634ddff6186f0eed7980a383", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100bad265b294ed2f422cb6a141694086238fbfe987571aa765d8b4f3a24105aa01", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAutJlspTtL0IstqFBaUCGI4+/6YdXGqdl2LTzokEFqgE=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 138, + "comment" : "regression test for arithmetic error", + "msg" : "01a2b5f7fee813b4e9bd7fc25137648004795010", + "sig" : "61792c9442bc6338ac41fd42a40bee9b02ec1836503d60ff725128c63d72808880c36e6190b7da525cbee5d12900aa043547dd14a2709ef9e49d628f37f6b70c", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "-uyXZLNp3w7xCJDdAixQLlUaMiK0PoQpRVSWx2_upF0", + "kid" : "none", + "kty" : "OKP", + "x" : "Cq7ktyPbm1G6fSLrI-uKdqWsAvT8ndBvd76kLh037Fo" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "0aaee4b723db9b51ba7d22eb23eb8a76a5ac02f4fc9dd06f77bea42e1d37ec5a", + "sk" : "faec9764b369df0ef10890dd022c502e551a3222b43e8429455496c76feea45d", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321000aaee4b723db9b51ba7d22eb23eb8a76a5ac02f4fc9dd06f77bea42e1d37ec5a", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEACq7ktyPbm1G6fSLrI+uKdqWsAvT8ndBvd76kLh037Fo=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 139, + "comment" : "regression test for arithmetic error", + "msg" : "0fbf5d47cb5d498feace8f98f1896208da38a885", + "sig" : "fa3cd41e3a8c00b19eecd404a63c3cb787cd30de0dfc936966cff2117f5aff18db6bef80fcfd8856f3fb2e9c3dc47593e9471103032af918feee638a33d40505", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "TrGeJ496MKBqfVXkLER3X0qBt6RcBRKq4CYmLnF3Daw", + "kid" : "none", + "kty" : "OKP", + "x" : "gSNErxWpG6g8LJHpbxcnrA88TEE4W5-oTvo5mtpRaL4" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : 
"812344af15a91ba83c2c91e96f1727ac0f3c4c41385b9fa84efa399ada5168be", + "sk" : "4eb19e278f7a30a06a7d55e42c44775f4a81b7a45c0512aae026262e71770dac", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100812344af15a91ba83c2c91e96f1727ac0f3c4c41385b9fa84efa399ada5168be", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAgSNErxWpG6g8LJHpbxcnrA88TEE4W5+oTvo5mtpRaL4=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 140, + "comment" : "regression test for arithmetic error", + "msg" : "36e67c1939750bffb3e4ba6cb85562612275e862", + "sig" : "97fbbcd7a1d0eb42d2f8c42448ef35a2c2472740556b645547865330d6c57068af377fced08aaf810c08cd3c43d296f1975710312e9334c98b485f831efa4103", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "GZjVlJyrNloA-Cjn0XsGxwjTP-8AMdNTpOFb9yIqc7A", + "kid" : "none", + "kty" : "OKP", + "x" : "DuXLVZf7343MxIsBSF45szqhM7UtMNI3QCdyZ8_sPj4" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "0ee5cb5597fbdf8dccc48b01485e39b33aa133b52d30d23740277267cfec3e3e", + "sk" : "1998d5949cab365a00f828e7d17b06c708d33fef0031d353a4e15bf7222a73b0", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321000ee5cb5597fbdf8dccc48b01485e39b33aa133b52d30d23740277267cfec3e3e", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEADuXLVZf7343MxIsBSF45szqhM7UtMNI3QCdyZ8/sPj4=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 141, + "comment" : "regression test for arithmetic error", + "msg" : "13945c894c1d3fe8562e8b20e5f0efaa26ade8e3", + "sig" : "d7dbaa337ffd2a5fd8d5fd8ad5aeccc0c0f83795c2c59fe62a40b87903b1ae62ed748a8df5af4d32f9f822a65d0e498b6f40eaf369a9342a1164ee7d08b58103", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "YWRnYRTGa9mIfaw0HGYgncWHzPDMXNm6_9-skpWgDEo", + "kid" : "none", + "kty" : "OKP", + "x" : "n7od6StgtbRwMIl2PQ1vkSXk3X765B8IoiiCrvloksQ" + }, + "key" : { 
+ "curve" : "edwards25519", + "keySize" : 255, + "pk" : "9fba1de92b60b5b4703089763d0d6f9125e4dd7efae41f08a22882aef96892c4", + "sk" : "6164676114c66bd9887dac341c66209dc587ccf0cc5cd9baffdfac9295a00c4a", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321009fba1de92b60b5b4703089763d0d6f9125e4dd7efae41f08a22882aef96892c4", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAn7od6StgtbRwMIl2PQ1vkSXk3X765B8IoiiCrvloksQ=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 142, + "comment" : "regression test for arithmetic error", + "msg" : "4de142af4b8402f80a47fa812df84f42e283cee7", + "sig" : "09a2ed303a2fa7027a1dd7c3b0d25121eeed2b644a2fbc17aa0c8aea4524071ede7e7dd7a536d5497f8165d29e4e1b63200f74bbae39fbbbccb29889c62c1f09", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "SwvQOgOyAGnMvMIUp0SEc_TnpJH6fOtI3b4kyDxKpLs", + "kid" : "none", + "kty" : "OKP", + "x" : "dYKrG1LhMW5cE2cfQ7Oco2soEzzQgygxvN3QsPIzmMs" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "7582ab1b52e1316e5c13671f43b39ca36b28133cd0832831bcddd0b0f23398cb", + "sk" : "4b0bd03a03b20069ccbcc214a7448473f4e7a491fa7ceb48ddbe24c83c4aa4bb", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321007582ab1b52e1316e5c13671f43b39ca36b28133cd0832831bcddd0b0f23398cb", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAdYKrG1LhMW5cE2cfQ7Oco2soEzzQgygxvN3QsPIzmMs=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 143, + "comment" : "regression test for arithmetic error", + "msg" : "563357f41b8b23b1d83f19f5667177a67da20b18", + "sig" : "e6884a6e6b2e60a0b5862251c001e7c79d581d777d6fc11d218d0aecd79f26a30e2ca22cc7c4674f8b72655bc4ee5cb5494ca07c05177656142ac55cc9d33e02", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "L854cL4fOS0h-x0jUOx4d9uKqZs1n-W91TOP81p5HRw", + "kid" : "none", + "kty" : "OKP", + "x" : 
"3S1ni64iLz-26CePCMyeGmYznJJsKawKFvlxf17hjNg" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "dd2d678bae222f3fb6e8278f08cc9e1a66339c926c29ac0a16f9717f5ee18cd8", + "sk" : "2fce7870be1f392d21fb1d2350ec7877db8aa99b359fe5bdd5338ff35a791d1c", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100dd2d678bae222f3fb6e8278f08cc9e1a66339c926c29ac0a16f9717f5ee18cd8", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA3S1ni64iLz+26CePCMyeGmYznJJsKawKFvlxf17hjNg=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 144, + "comment" : "regression test for arithmetic error", + "msg" : "931bbf9c877a6571cf7d4609fc3eb867edd43f51", + "sig" : "6124c206d864507ea5d984b363b4cf583314db6856a45ded5e61eebff4d5e337e0b4c82b445ae2e52d549d2d961eace2ea01f81158e09a9686baa040db65ad08", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "qazkIZXduzoW82ayTdnTeooEPtLmAB9UZSKWdQN5Nn0", + "kid" : "none", + "kty" : "OKP", + "x" : "zL58suS8IVzuL4heHSL34NWCsru9eCwQTlSLFS0m_Gk" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "ccbe7cb2e4bc215cee2f885e1d22f7e0d582b2bbbd782c104e548b152d26fc69", + "sk" : "a9ace42195ddbb3a16f366b24dd9d37a8a043ed2e6001f54652296750379367d", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100ccbe7cb2e4bc215cee2f885e1d22f7e0d582b2bbbd782c104e548b152d26fc69", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAzL58suS8IVzuL4heHSL34NWCsru9eCwQTlSLFS0m/Gk=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 145, + "comment" : "regression test for arithmetic error", + "msg" : "44530b0b34f598767a7b875b0caee3c7b9c502d1", + "sig" : "cfbd450a2c83cb8436c348822fe3ee347d4ee937b7f2ea11ed755cc52852407c9eec2c1fa30d2f9aef90e89b2cc3bcef2b1b9ca59f712110d19894a9cf6a2802", + "result" : "valid", + "flags" : [] + } + ] + } + ] +} 
diff --git a/rust/tests/wycheproof/hkdf_sha1_test.json b/rust/tests/wycheproof/hkdf_sha1_test.json
new file mode 100644
index 00000000..c25019a4
--- /dev/null
+++ b/rust/tests/wycheproof/hkdf_sha1_test.json
@@ -0,0 +1,1269 @@ +{ + "algorithm" : "HKDF-SHA-1", + "generatorVersion" : "0.8rc17", + "numberOfTests" : 106, + "header" : [ + "Test vector of type HkdfTest are intended for the verification of HKDF." + ], + "notes" : { + "EmptySalt" : "An empty salt is a valid input for HKDF. It is equivalent to a salt with n zero bytes, where n is the size of the underlying hash function.", + "SizeTooLarge" : "The output size of HKDF is limited to 255*size of the hash digest" + }, + "schema" : "hkdf_test_schema.json", + "testGroups" : [ + { + "type" : "HkdfTest", + "keySize" : 88, + "tests" : [ + { + "tcId" : 1, + "comment" : "RFC 5869", + "ikm" : "0b0b0b0b0b0b0b0b0b0b0b", + "salt" : "000102030405060708090a0b0c", + "info" : "f0f1f2f3f4f5f6f7f8f9", + "size" : 42, + "okm" : "085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "type" : "HkdfTest", + "keySize" : 640, + "tests" : [ + { + "tcId" : 2, + "comment" : "RFC 5869", + "ikm" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f", + "salt" : "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf", + "info" : "b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", + "size" : 82, + "okm" : "0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "type" : "HkdfTest", + "keySize" : 176, + "tests" : [ + { + "tcId" : 3, + "comment" : "RFC 5869", + "ikm" : "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b", + "salt" : "", + "info" : "", + "size" : 42, + "okm" : 
"0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 4, + "comment" : "RFC 5869", + "ikm" : "0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c", + "salt" : "", + "info" : "", + "size" : 42, + "okm" : "2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + } + ] + }, + { + "type" : "HkdfTest", + "keySize" : 128, + "tests" : [ + { + "tcId" : 5, + "comment" : "", + "ikm" : "60ab7f45b0ad534683b3a6c020d4f775", + "salt" : "", + "info" : "", + "size" : 20, + "okm" : "73bf325f0fcc78f15b6cee7c9e7d927d4016eafd", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 6, + "comment" : "", + "ikm" : "e3db76e02278cbd2adbcb4555803da11", + "salt" : "", + "info" : "", + "size" : 42, + "okm" : "a9382b2bb04ceb4fe0543cee88753df8cb90c9dc440f7e476e95150c82e1376e123f058875c00cff6f29", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 7, + "comment" : "", + "ikm" : "d4dcb92a769f57c8bab8a420ee0aa351", + "salt" : "", + "info" : "", + "size" : 64, + "okm" : "d10d4bd0ed723533adfceaa903f1ee8836e61cd085fd951dfc6a291edded082e8478c9f8bd1f7a2611a6a049761dfc2888a9e32be9c326833c6559487c33f6e1", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 8, + "comment" : "", + "ikm" : "2d43e54bf0c94c9cbff4300f4aa69ab8", + "salt" : "", + "info" : "d674da3bb47d5c7e38b501e5251d9348af601c44", + "size" : 20, + "okm" : "c1b8065a9ea8e79d404f882089cf423a99bde5ea", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 9, + "comment" : "", + "ikm" : "4055536896c406d5fe14a6cd6b999bff", + "salt" : "", + "info" : "2094768a8816f7df070d6e08b7ad93755dc9024b", + "size" : 42, + "okm" : "c7d3c9ab74081357d0f6ee3aef0442afee7325381090a2df642926a3e6e6a7e213f05ea5c39978d52165", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 10, + 
"comment" : "", + "ikm" : "5b01b2da3166f217cdd68de8af60078f", + "salt" : "", + "info" : "6884cfa7ffe8f27bf4ebc6e46a7e01488c79243a", + "size" : 64, + "okm" : "1535a41d6e8a94c5bd51b7447bbd9c2b8fa00ba05b92e7ab0da7d1fec7d348ee7d50a4bdbbde173dd6eeff83aba9e8b822823b339a76811d62771336f4e08f3d", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 11, + "comment" : "", + "ikm" : "467403c2ec02a235bf730ff37e8d8ff3", + "salt" : "41f0f173d307d40436c25856cf559f96", + "info" : "", + "size" : 20, + "okm" : "4ab2bf78f2678effaced317249e116862d3d9b8a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 12, + "comment" : "", + "ikm" : "3352f942aa93071da6d39cc5ed8dc460", + "salt" : "57a0db708b25a51afc4271803aa35204", + "info" : "", + "size" : 42, + "okm" : "bbcf63065c761017f229183e767683b98633a85f4d8f32236cfa0fd3f6b182a5f41c33506636d18c5eba", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 13, + "comment" : "", + "ikm" : "08867e76311126089356623ba5381e73", + "salt" : "0c164c443edcdfaedb1ab150f047951f", + "info" : "", + "size" : 64, + "okm" : "3084fee371179b60a4fd27ea2637a9b89a3dcf6ab45d4805c99880b26e5d73efed4b421f1fea4cabb60893241765b19554aa51689bf00d7d94a053a94bfec55e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 14, + "comment" : "", + "ikm" : "c55c41d69d2424a520414e3662aa7303", + "salt" : "fea9bfc92b74337e43a201a2dc199e27", + "info" : "3fdf20538063b76901d61bbf9b72b0c18749e00e", + "size" : 20, + "okm" : "3917a782fed4d7f525ca16ca1dfde0faa7207262", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 15, + "comment" : "", + "ikm" : "5d3db20e8238a90b62a600fa57fdb318", + "salt" : "1d6f3b38a1e607b5e6bcd4af1800a9d3", + "info" : "2bc5f39032b6fc87da69ba8711ce735b169646fd", + "size" : 42, + "okm" : "ca0903f17759fc29df761469e3b98a5b1476977706f3c87e9d39050e5b36c7ae6bbafeb3814037b12ca0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 16, + "comment" : "", + "ikm" : "8677dc79233ef3480777c4c601ef4f0b", + "salt" : 
"ad88db718244e2cb60e35f874d7ad81f", + "info" : "a38f634d947819a9bfa792174b42baa20c9fce15", + "size" : 64, + "okm" : "1761915ac282909fbfd43ce31934e7a10951f901ad33f614a9394b6f5ca04e00906aa14b91132bf9e8ae0aa2102c3c7a67756e81b57d89192a62ca0cf907a3dc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 17, + "comment" : "", + "ikm" : "0f602703d37943e0253bed3da331aff4", + "salt" : "ebdc8510499f69b2e188daab77cd819cccb95f276f46e6b2be11cbe72700", + "info" : "", + "size" : 20, + "okm" : "4a54220ecee20a84e1b7b6f5407af234b14938d1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 18, + "comment" : "", + "ikm" : "9fe65737574c5c7aa67646adf8230ba8", + "salt" : "73a34648c152443586236abcb46a090ce55ef6c7f282ffce6342d694650a", + "info" : "", + "size" : 42, + "okm" : "741662ad515bf9d2661aa0731eebd674f7390bd20fa3bb7cb2e9d6ca953c2bd839929c44a6f0ba5ae614", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 19, + "comment" : "", + "ikm" : "e8f2b1c3e6a6c3d5ee0a20dd47aafa78", + "salt" : "3f5e162de91e0782cd189f3b7778cdc2ce6bfe9d3fe841cd3c70475d7b3c", + "info" : "", + "size" : 64, + "okm" : "695807f517ba39e33eadeb6a7b71d2016163e9f5e6aaad5f493bcbe24ac06f8a6770097da76b50338a4dcbd9fac4d3a545c45eb1e733f70e9e82ca03830d0ee9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 20, + "comment" : "", + "ikm" : "a679521cdb56aafc5a4b76db0431a4dd", + "salt" : "123033b1ddaead83a4b9cfef8a660bd8e00fde01e67c35656c6d7607d456", + "info" : "44ec41ab4f4e64f4a36e5e30c9f0dc1d77ae4974", + "size" : 20, + "okm" : "e36789305dd2613dedd29e041afddf558d6fb8b6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 21, + "comment" : "", + "ikm" : "49bf155ca102026f2a217ea1bc9843ac", + "salt" : "76776e3b4d75f8f43dce4bded71f3b1ae6bcb012d9c0d59f78248b9427b8", + "info" : "851bda4faa8f7add2a3cbf0acf9c2786f8f955b2", + "size" : 42, + "okm" : "6016f537e75e1aaf2e6920827d18aa25e9fc8742c607b0cd97a38cad0bed0a6622981f97b63b08f31ed9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 22, + "comment" : 
"", + "ikm" : "6cf725e939e8824d4392233eeac75d30", + "salt" : "1e72f24b05a91a0093f34306ffced79e7003055b0833c6d0f27a4f33a1bd", + "info" : "495425d9727fee2e2b7e78899868c1c3e7735e1d", + "size" : 64, + "okm" : "b31f845aa6ad9b6803153872145a28617035e9b2d2a5c1ce8d0d2c6017f17403a67326cd06068af972eb8b734903d10b633d07de05f02fc70ed383a60bd82b48", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 23, + "comment" : "", + "ikm" : "a319ff7b5ba9b14ac72b681cecf0f742", + "salt" : "d7e3bc6daed343ce77ef793e15a8246e4bfcbaf83d2ac956d0661d1df7262b2e7311623dfe4152caddbfda8fa8ed7a82656ec00b72c5adf7c9d388e5b3bc8d24", + "info" : "", + "size" : 42, + "okm" : "d547c94891439eb7dc9e0c425adf20262d27fd9b55e7b0516e836db6b2f778c70296bc97c466e05ce2d5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 24, + "comment" : "", + "ikm" : "34bae5a158c1678aa76a744417a70d7a", + "salt" : "1532075f363e061133780ac959bf653c7687d181b9431215d6f62dd2f1ec3019d61c50fa82c70ae25e624c849a276b0c57d7c02a4d753fe84a1a6621e9a5ef01", + "info" : "87ec30aa53acfc3d09ccc1d57d654fdbce403cd4", + "size" : 42, + "okm" : "c508b4bc7503440f3ee04c5b8c5832bf70b54a6caea8d2a0ade43a0ea72c08e474904587334d699ba2ce", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 25, + "comment" : "maximal output size", + "ikm" : "9ab09999adde788dc2bf82c7ec8fab03", + "salt" : "1aa93ccbc92e29d7016f71e7f806bae2027f62c4", + "info" : "60999543d9cec9d3", + "size" : 5100, + "okm" : "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", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 26, + "comment" : "invalid output size", + "ikm" : "7727bdfb91621dcd4ca5e8cea6b4e2eb", + "salt" : "96b2e11fe817e1e40fba8aa5083cd490482b2abe", + "info" : "f3fecf4736e28862", + "size" : 5101, + "okm" : "", + "result" : "invalid", + "flags" : [ + "SizeTooLarge" + ] + }, + { + "tcId" : 27, + "comment" : "output collision for different salts", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + 
"size" : 32, + "okm" : "bfe5a1669df67ed5638007f620875759af8c0242535a263cd4d17ee9bd9219d2", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 28, + "comment" : "output collision for different salts", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "0000000000000000000000000000000000000000", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "bfe5a1669df67ed5638007f620875759af8c0242535a263cd4d17ee9bd9219d2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 29, + "comment" : "a salt longer than the block size of the hash is equivalent to the hash of the salt", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "329f445e7de8a156cf26a0208dbb028d9de6ef76b8de67ca634f4a5a732138a1bd436a7b345d7a0314c7ed0a00b0d34ecad2cb8bd141e2ecc1c77e237094d55154", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "ef793d5a62169cc1911fe5dac7ddb3ce07404e8299296f7c139442b721a75ef4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 30, + "comment" : "a salt longer than the block size of the hash is equivalent to the hash of the salt", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "ff881c9fd53adc0535d68f4690bbbd4f4990c7c1", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "ef793d5a62169cc1911fe5dac7ddb3ce07404e8299296f7c139442b721a75ef4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 31, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "e69dcaad55fb0536", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "2a031029e1b02289917618b7e0dcaf0226f84ff1a5770896c92e42cbe6d27d00", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 32, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "e69dcaad55fb05360000000000000000", + "info" : 
"be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "2a031029e1b02289917618b7e0dcaf0226f84ff1a5770896c92e42cbe6d27d00", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 33, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "e69dcaad55fb053600000000000000000000000000000000", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "2a031029e1b02289917618b7e0dcaf0226f84ff1a5770896c92e42cbe6d27d00", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 34, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "e69dcaad55fb0536000000000000000000000000000000000000000000000000", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "2a031029e1b02289917618b7e0dcaf0226f84ff1a5770896c92e42cbe6d27d00", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 35, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "e69dcaad55fb05360000000000000000000000000000000000000000000000000000000000000000", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "2a031029e1b02289917618b7e0dcaf0226f84ff1a5770896c92e42cbe6d27d00", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 36, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "e69dcaad55fb053600000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "2a031029e1b02289917618b7e0dcaf0226f84ff1a5770896c92e42cbe6d27d00", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 37, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : 
"e69dcaad55fb0536000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "2a031029e1b02289917618b7e0dcaf0226f84ff1a5770896c92e42cbe6d27d00", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "type" : "HkdfTest", + "keySize" : 160, + "tests" : [ + { + "tcId" : 38, + "comment" : "", + "ikm" : "e2865d6bbc1abf6a815067edc4ee7aa33c290d5a", + "salt" : "", + "info" : "", + "size" : 20, + "okm" : "1c9f5d2c19e47feddf19af9bbf38ed6aab1f872b", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 39, + "comment" : "", + "ikm" : "8c177ab5f40e9c57203883562f01f174070ccd97", + "salt" : "", + "info" : "", + "size" : 42, + "okm" : "07d4aa3e002dad7940089482d10e80b349da499fe7d9530b27a8dc5c61940bb44aa703fba340d21c1fec", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 40, + "comment" : "", + "ikm" : "e842a4fc1a147cf2f87de9bd5a42fce6457496f7", + "salt" : "", + "info" : "", + "size" : 64, + "okm" : "5f426da341127db39b959cd77c13cfa4a7a29259f105f2b181067492a54ba259020a5289b0fff0ffe0b9f72606bb980c929a1aa37255d3cec453bdfb26a3ffe0", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 41, + "comment" : "", + "ikm" : "5b870ee1bb97ee83f67fa7335b4a0f9dadc80d12", + "salt" : "", + "info" : "0a0dfb2a6e051441678788bdec04cc1b63ebe1f4", + "size" : 20, + "okm" : "31aa4cff955a0bc5884e1653087f9d97e284775c", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 42, + "comment" : "", + "ikm" : "58ea7ab33acff514ec08f41e59c17a3c66c1ceef", + "salt" : "", + "info" : "1cf9e25bd70c5546ea7a79eaf5d90cacf754c4f0", + "size" : 42, + "okm" : "16ec1734868565540efe2967cae02d8be26a86abe83edcb4b599f08e016b25b925660179b9dcbf0bf07b", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 43, + "comment" : "", + "ikm" : "e8d20934b9d320458f4854e2442e2f0fa092f461", + "salt" : "", + "info" : 
"4425999958aa3cc629300c25ab15be8cea7a4277", + "size" : 64, + "okm" : "ad2bdb5383dc53258ca2051b26c53adc156b31acaf61ecef7d0ecfa14b81b0f53b1c98ce28ee804e964f8b106312f429670287ddcf5bbb67bcbf96ac66c242b5", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 44, + "comment" : "", + "ikm" : "dc9e488c684dbf0ac8ff1eefaa0666d413d258f0", + "salt" : "9afa7df500d7a17af1f44422d25a62bf", + "info" : "", + "size" : 20, + "okm" : "65580e5feab001f31405f812d87c7d8bcc187c78", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 45, + "comment" : "", + "ikm" : "34b85c341a04cbade472b3f7dee4de4d1954bf70", + "salt" : "b066b42acea664350a8448f8e064225f", + "info" : "", + "size" : 42, + "okm" : "e02ff2640000391f1fcb3d0fcec40150b20c5af7c3a0c4965281e1761539d48555cddb2cc35efd27ff86", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 46, + "comment" : "", + "ikm" : "44cc641e09f7d5642f7b6007ca5a1c0813319666", + "salt" : "69c0dde6c8e5bd40553a5981fad6ad87", + "info" : "", + "size" : 64, + "okm" : "81c3016fe63b57cfcb13ad04eea7e2f5ab1402dc489c20824271c5a95ac1cb9b0809d76d5d7437e4ac74a36c1693d964d37d10064649fe9003503197456dc4d2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 47, + "comment" : "", + "ikm" : "88a8880cc2b73e73b3b6ca1d4902caf2128732c3", + "salt" : "0579f690ed32e57a26701a9f6877f243", + "info" : "6dc723df3d26f704067afb2fb6d95a66516d089c", + "size" : 20, + "okm" : "69614a2ebf14d74188e830ee5623c0e0366ea994", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 48, + "comment" : "", + "ikm" : "8408668b9d671121b8c7d31113f045c0d7c020fe", + "salt" : "679b30e6930a8ea3f076e317b9595d5e", + "info" : "b4451b0f1a217db703582881e86d8044d5f2e092", + "size" : 42, + "okm" : "6a6ee276cb321c6cf237360a7b30faab9060653ecad213a3aee36735e29164c6fc929b7f206ea4fc2f1c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 49, + "comment" : "", + "ikm" : "e6715cc4ee13c4d999d8f8f500243c321f70b0be", + "salt" : "ecfaca2ea3301a992b4de081d9d3a4cc", + "info" : 
"ef17c9227a5ca654fbdb35dd00dd6dc77b6321de", + "size" : 64, + "okm" : "1532fbae2e75d854c96a0b172cbe40b91d36143a93bd1b68d26be85f19de06f585d8670190380dd0690f5fd168cd0c64bcbd99b8dcb9fda9eb345af917f75739", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 50, + "comment" : "", + "ikm" : "9a6b88f3f68f5a8e79903b51dcd733abaece1a41", + "salt" : "0226df3d66ee3abb275eb39c8ec3d3e12e9b87b67f85c552accc4279ec17", + "info" : "", + "size" : 20, + "okm" : "0b45a0d3ee381c5c1a33556af0a050c81a336f9d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 51, + "comment" : "", + "ikm" : "0b9eaec88b2940a4754e83272cbf47fb6f86aaa1", + "salt" : "c1616497d49246400ba68242b635c67515d2528ee1c3b71b318b631f9bef", + "info" : "", + "size" : 42, + "okm" : "844af69cb0e4dbd1a768f69c4a5d2b280b645e48f11cf9f9dfd5930dacae47f5a8a0a58cda227747638f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 52, + "comment" : "", + "ikm" : "c4717276e7c7f794c4ee333b2f7a2ab244be9e8c", + "salt" : "af4c63e5b554063e83e37bf730ffa401c696088ccc4f133a8695ffcbf2a9", + "info" : "", + "size" : 64, + "okm" : "e1e9d8dabba5f8bf934c933170abf15edfa69a19e32666503b00694a1952c38c16703c79ee41d76cc6219533876d162727fa738b949b74b8d04a880d7e917dba", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 53, + "comment" : "", + "ikm" : "5e43a900ee0d432c5fe6fc81db8d5f81a54e39df", + "salt" : "8cc815009350b0b6a924ed93e73c8f8c57a1105726663b72741b67209c1f", + "info" : "32460280e60910b10abee2e9f80a3dab48acbc59", + "size" : 20, + "okm" : "113ea70eb9eb87624ca2956afa5d5acdb4a5eabd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 54, + "comment" : "", + "ikm" : "070c170fca600aa2b23618150ab9044bff7d4dcf", + "salt" : "f32a1cddb32693860eeb39a5d190f5667a303d5403712cdcebb575c6563b", + "info" : "c1b0971fefa0a23cf4b7185879475ebd8d83b9bc", + "size" : 42, + "okm" : "3184be87cfb54d3cf95b2baf96a415c470be4aaf40c38ecddfdc2ea113c0996f1e2c42040d4508ae9fc8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 55, + "comment" : "", + 
"ikm" : "87a23208df5e66488d23f7aaa066e87bdced8e2b", + "salt" : "0488ffa08062f1fe83e9c3934f5688a2e17827f898aa5daa2d595f09b245", + "info" : "e4d66fa23a6020820013d94d1f8e84a58cba2a82", + "size" : 64, + "okm" : "26ed80390ef739f3497e5765f1253706e070a103201988099333c14a70c53762974117c2eeec6b90357e4f5d71f07151fa7d37af7084159653c745915aa23a2c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 56, + "comment" : "", + "ikm" : "214746af12a669b726364027e9a1cfa40c18f8e0", + "salt" : "f65ab21816c5eaa5c9ce77d58608ab67176d2255438096f4b45779d15c2afda12718ec557bfe161e7fab89ebad4fa634cf73f2d12c884c4583e64d2b59b9d8b9", + "info" : "", + "size" : 42, + "okm" : "b7fa371a39453ea956670a412fe6c76bfa4efc0199b20fefd7fdcbd5bb506c9369de90b5d2702ba6e1c7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 57, + "comment" : "", + "ikm" : "d509c509f91d78c33b9d661e6df1992b2b6ae429", + "salt" : "95ff4b20ade46bada320316dad7e2b4286e93dfa2a72c6366c5ddfe8ce2ff344729ea56416d5b53074c6d6c4eb4e4873980e5e4a4991d6b1497aef822e16e209", + "info" : "bea4f60eff1a0c6ab664ff3db2f774347920a482", + "size" : 42, + "okm" : "e3acc2fed4cbffa22a903ed7718017931584e6cbaf7c61234c27bc1a3fd383df74fdd354cb022fa7b6c6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 58, + "comment" : "", + "ikm" : "71a4a7f2ccfdbfa5a907e43f46ab5ccd12abe98c", + "salt" : "4769ee2fdaa773b6f8293d45a1727adfcb1c8a95", + "info" : "4f4a4b68bb234db3", + "size" : 20, + "okm" : "cfb7a0e0dfca246a458c830c77eea7a98f8421a9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 59, + "comment" : "", + "ikm" : "b1818c1e56aca23595c583b89a2bf39bf90ce9ef", + "salt" : "70aa181d4b639d67e8ae33881869c8e7f0f1e75c", + "info" : "5dbc8584e5facee8", + "size" : 32, + "okm" : "63dbd61113df62afed82f2cfdf336f224a528dbe26deaf2446bae9becdd44bee", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 60, + "comment" : "", + "ikm" : "2bf9f0f061cd37f97141853dd93fad6109bd9d1f", + "salt" : "51e306b1bcb7722ded9697541366d5c905ca9395", + "info" : 
"d1f3077fbe2316e8", + "size" : 80, + "okm" : "93b206bd2e38cd81ebfea96fa3cc0573f0f52266ecc5a47fd001cb0b432ed0c2bcb32dbd8d13cd909ab43c905bbd78eba3a976ee16010fc7c77c23c515964a73c19224ae555b5bb207d86073c903718c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 61, + "comment" : "maximal output size", + "ikm" : "a974f779dfb38415d1cc69df4c2e7dac023e058a", + "salt" : "c2a82e526587f4849d37bcab274aacb2bc01529c", + "info" : "7a036703c77d7bd4", + "size" : 5100, + "okm" : "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", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 62, + "comment" : "invalid output size", + "ikm" : "7b5b2acc573537f4bbcca4bb02d06c902803ead7", + "salt" : "cfe7614e2db108b12f077ff8e58e2b80718d981e", + "info" : "26a8336ac6218c2b", + "size" : 5101, + "okm" : "", + "result" : "invalid", + "flags" : [ + "SizeTooLarge" + ] + }, + { + "tcId" : 63, + "comment" : "output collision for different salts", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "eb919ce9c8382ba88195f4fc48df903947f98705bbff58d576ac9bc129034a18", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 64, + "comment" : "output collision for different salts", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "0000000000000000000000000000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "eb919ce9c8382ba88195f4fc48df903947f98705bbff58d576ac9bc129034a18", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 65, + "comment" : "a salt longer than the block size of the hash is equivalent to the hash of the salt", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "1a08959149f4b073bcd902c9bc4ed0324c21c95590773afc77037d610b9584806aeeeda8b5d588d0cd79e7c12211b8e394067516ce12946d61111a52042b539353", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : 
"bbb1f0bcef58029d47d31d32b5219f5c89e6a108402fbd7f35076455a7f6dc8a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 66, + "comment" : "a salt longer than the block size of the hash is equivalent to the hash of the salt", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "36d0017c873ac651fefae61522d41d97ecc66dee", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "bbb1f0bcef58029d47d31d32b5219f5c89e6a108402fbd7f35076455a7f6dc8a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 67, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "af856d5eed5c77f4", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "dea2015fd2e84a9ca599dc622fc9c87aab224569261290a63cbed6f7f61939b6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 68, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "af856d5eed5c77f40000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "dea2015fd2e84a9ca599dc622fc9c87aab224569261290a63cbed6f7f61939b6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 69, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "af856d5eed5c77f400000000000000000000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "dea2015fd2e84a9ca599dc622fc9c87aab224569261290a63cbed6f7f61939b6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 70, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "af856d5eed5c77f4000000000000000000000000000000000000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : 
"dea2015fd2e84a9ca599dc622fc9c87aab224569261290a63cbed6f7f61939b6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 71, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "af856d5eed5c77f40000000000000000000000000000000000000000000000000000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "dea2015fd2e84a9ca599dc622fc9c87aab224569261290a63cbed6f7f61939b6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 72, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "af856d5eed5c77f400000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "dea2015fd2e84a9ca599dc622fc9c87aab224569261290a63cbed6f7f61939b6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 73, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "af856d5eed5c77f4000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "dea2015fd2e84a9ca599dc622fc9c87aab224569261290a63cbed6f7f61939b6", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "type" : "HkdfTest", + "keySize" : 256, + "tests" : [ + { + "tcId" : 74, + "comment" : "", + "ikm" : "b18e35e63cc4fe4117bf2754ec3f9ebb5346dbb0bf6d4e5f2422418771816fc4", + "salt" : "", + "info" : "", + "size" : 20, + "okm" : "8842b25685d615b84d2aded432bc637a6291bf72", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 75, + "comment" : "", + "ikm" : "236c2ba20c72242820f63d3e9c20633162c1cb048a45dea13861e8a138b9640d", + "salt" : "", + "info" : "", + "size" : 42, + "okm" : 
"7963ec539686050e96da3e3da97ee1fb997209c0c2d73ae0750032cab8b6ea4d3682568753815b9da183", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 76, + "comment" : "", + "ikm" : "f2cba42dd82acb5d2d569406815a3769b7becb13fa48537fa7d7d5e121081d39", + "salt" : "", + "info" : "", + "size" : 64, + "okm" : "e8687a27812286db996d44fe0c21dbe772bf3589d40b36845cb8585f7d55b433d35dbf5bd566ce742eb3c3e9975821cfd67ca223a2f8a53b4575489dfb7ba116", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 77, + "comment" : "", + "ikm" : "73d97f2ffde01b447a5b8573190a8eb4f87f7ac04482836143f780ad876bfffe", + "salt" : "", + "info" : "74d2301c5aca2441372cf6077bd8806dab3e8721", + "size" : 20, + "okm" : "0f0e082b4d3afbd94d5aaa583c0ad3d8b746b9b1", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 78, + "comment" : "", + "ikm" : "6948521434707e96fa943e44988d1ad409ec57e6594867e8193e9d727238916d", + "salt" : "", + "info" : "9eaddd1e7edb6b84c96fb5ac7e0d673a8f5084f2", + "size" : 42, + "okm" : "623eb8c00bc85148d561833bc44a092b4e05e033640decbf36a70fdba26987cacaba3c19f71536986348", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 79, + "comment" : "", + "ikm" : "b72b3854923b8a0048497a86bddef962552c8f6b2c72b2b2006a1820fea5c6a9", + "salt" : "", + "info" : "113b708f7522ec3b362999db18699bf7871e3b8f", + "size" : 64, + "okm" : "0e9718ad1fa0c5501b42ef7a9b1bb1e4a985f834d44aa10cd77510c182dc2e948c801d5c6fffc92a8342c034b53c499d6af89f0e80ed1942ecee741195aec71c", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 80, + "comment" : "", + "ikm" : "44d774def90685c0e9a685fa50fd434c807d1a57896fa42f91778821fe232057", + "salt" : "0d7d3b47bf8484c8adab7f9c27c9584f", + "info" : "", + "size" : 20, + "okm" : "05a30d9926c5ae588f0694962837d40d412a0555", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 81, + "comment" : "", + "ikm" : "098ecd86354496a701ffcac8d589a1217231da3b80ccce4ef85762d7f3a2c211", + "salt" : 
"5232e5e4e2dd6133d46ebe5a8a51a0bc", + "info" : "", + "size" : 42, + "okm" : "d8c830bdab6a974b492da563d100201b3361de746a77fc29cb9b886a84aebff5eae86d9cf2ed5fbbd8cd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 82, + "comment" : "", + "ikm" : "917ad396520e454a571ac39a9f6bc845a8920954fba1ac400cb2988cd8847ba0", + "salt" : "962d86949506450eaca929286ce5d9e7", + "info" : "", + "size" : 64, + "okm" : "c0d75cd597ac28549030c94a90a8935608ec1300577bc84fc09cb35a3cec2a60b98cfb5d6adab160a960c0032e470cf82a80b683c1580871334f248ed92beff6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 83, + "comment" : "", + "ikm" : "1cbff2202268edf1985bc91466b80133644988c5e81368cf0995274204fb0aa3", + "salt" : "2bde6e33534731f52d39add940ff46f6", + "info" : "3e4f9c8d3d607c2ed43caa9e87e6ecbc307c6048", + "size" : 20, + "okm" : "6c8dd17408c8c2492537ea032874aba93e19386f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 84, + "comment" : "", + "ikm" : "d00d6b4fe088077ffbc64127d6bdb9707a0f9061c0b873c334c3be0adaa7c2bd", + "salt" : "1647a044472179d454b8d2108e4a2aa8", + "info" : "4266351bad419173279c901aea148e8b1d99e50f", + "size" : 42, + "okm" : "e0d47f91e475fd3c8d53e9a5bb4230c0dbd7be0b96ba9ea66d9066291e0f397bf634d2699d935686d4c3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 85, + "comment" : "", + "ikm" : "9a27c19b607adc8f152faeaeb1282002d3a2166894b7fe5d65829ecdcfaf73b9", + "salt" : "70d83929a6376a6eab859f0d6225f131", + "info" : "36356cdc28187c11cbb9046f9ce7502ab4d2ea46", + "size" : 64, + "okm" : "20e2676587655ee3c899bef116ad4515e947cb549c0fd5d0f3cc61335bbedc7518caafe1950000a067f67bc7bfe5ca81f021723013fd687a13b621613a0775b4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 86, + "comment" : "", + "ikm" : "f5d1c855d3448e212d76d3927ec797dc439cb182f427064288452988ab79c83f", + "salt" : "87ef5da5400db731d658972ea82b76848004e70d3b22cec76c8be06283c4", + "info" : "", + "size" : 20, + "okm" : "a605589e0fe22ad6dee3e7910534a58f69d24e02", + "result" : "valid", + 
"flags" : [] + }, + { + "tcId" : 87, + "comment" : "", + "ikm" : "3f19b7095a6b3d313b59c3ba2c3a78d8b24f30c9ed4f8be9eb92f8eeaabd2c3c", + "salt" : "8f1f6c8e4f68830319ae859b4b1fa71f1d69552b0c3e53cbbad26293651e", + "info" : "", + "size" : 42, + "okm" : "f364e1b27fa697d6ebc5e2931ba9a4d81c42be447337a8ff519455fd5f89cd356bef5fc8b795334d6a8f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 88, + "comment" : "", + "ikm" : "b1d396c69f14994dc8add0f6e0cde4455677ba9ee95ff84a142295f9177ee629", + "salt" : "7f693304bff77534b8246d832749387ecc0e8daeae11d77d022ca9e362d1", + "info" : "", + "size" : 64, + "okm" : "66ee99f5b2ce636fad989225301ad571d2124cd9c758042eb005a9f3ef091694c036a5975b39396877aa84342e26f8020eda23f0097b89ed7f3252afc87b37f4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 89, + "comment" : "", + "ikm" : "003d1901a10c062ec44e0f2a94c544b7f53b33f1ea4679fa6e023c2d0a907fcd", + "salt" : "ed86cb8c8ba1c989f9a60a4a82c38be98c70e6218576b292c93fcc18192e", + "info" : "d5d3ef5beb9840d15efe9c778aefe38f1bf7bae3", + "size" : 20, + "okm" : "6924d12a17521e8a235a4b0df4eb8dbe3d5cf277", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 90, + "comment" : "", + "ikm" : "02e0647a4b7ccfc0d3ee7ddfe24ce69c02f51cbaa836b96cbc5a9c2885c45599", + "salt" : "f0862f61f2377ca34b76476ae21e331b114c7712aef501a1bf00f7e9cb79", + "info" : "4e9e27d971e76fda614fde15031f6664b97d4786", + "size" : 42, + "okm" : "3fae59261e358dfe04edd33c1b328ff656a3cb4fac2f1130c97d4e34f10777aa5fc3fd586c4aadc7dbff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 91, + "comment" : "", + "ikm" : "92bfb7e31e839f109e6622b2c2c4f41ce84c9907172681920e7d90e80e2339bf", + "salt" : "ce869619607f71fde53ef55e18d01d20002e3f91a8b7584190fc6667b8d2", + "info" : "ff36776fc755722ff371f21cfb37a168a2731e99", + "size" : 64, + "okm" : "6ec989baee1db032c1867222e1f98104c546dc784329367a1e0ff4fe55435a88235a52786b6854f2fd809e1ec3d4fe836b9345474fafec29418da2e213a283f0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 
92, + "comment" : "", + "ikm" : "17632581c34ab743992cd99318889b32f92812bd37f41636b5fbbf2b12190c6f", + "salt" : "55e39431c83648867ac98eb7ecbbc8b41c5a5e774646b926a9b49c511915b0de1241f8666da198f6ba4bf7e9025e434b6d7ef794e7a563309303055fe3bbe769", + "info" : "", + "size" : 42, + "okm" : "2486d2d795a6be77f2bca215de895ac1b011bf84b58b07020136cf87972402243ee2c210902c33116789", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 93, + "comment" : "", + "ikm" : "045b4d451bc30c39afe0932f6cd62e65b4b2ae2cf1160f19e8ba1323f7ca146c", + "salt" : "b73682dda0fad41095070b2b26f2d7d98ac62202d918258ca9aca0f794ef5e4d23b3fc43c8cabf9fcb37ad9a62337fbce967fe24054c3bf891195858e53997f4", + "info" : "613e353162c6c1b12fb1477fbc54074ff7848a14", + "size" : 42, + "okm" : "7c9b85c582725a15a90570f03c8ba3be2c5ce553db3ff429fcf6eb58e3888c5dfdf29f003740301346c9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 94, + "comment" : "maximal output size", + "ikm" : "a65a2526a0452a6bda7e16555658611216973b1e85412e0c6fc8f4e25168cc3a", + "salt" : "bd5cafafd71f517269ce6300208db7593c558639", + "info" : "af7eddefd083edca", + "size" : 5100, + "okm" : 
"70e1bf4b225a9a6828cd59bd32f1e83264b7eaa6123592002498497bde3f7386c1a42a1866a668c56916e3b3ab355b8807e21f79f0fca49d5ef88be9a6f157c1dc1f74a473212ce8f1ffd759fa6d301718578a7c2332c32d2d924d7ea767954a976fa40043e70c980626ecb4a3326e889a23d0c7267292161da339df633540ffee5a4ee5213e4b37ee302a611fc5130eeb5c0d8e18e7657081867deb121194b3e0c2186e61d4f58c89561de51791708091ae2b2aa2467d8969f67720ef1f6bcdf636cc015fb0b76d8085cf006f7eeaaad6a64301723aaf0a6279aaf1ee7819e882cd5a9ac33cf8b8f5e8b56642f6d540126010f7976b3a8a07152f17353919bbe7447126b004f6100d706627f00a7cd5660026064d50b11b7b487c1a2ac9ebcca2e4a590807293e8e46b6655d4f2aa170a4d42011f0cf406afc63c6685c2e6bb203fa1b80a90160fd4ea1ccc87402bf658cc776ce1133250a35a4c22a34450d180f4eabd9a63a4a38b67a91a4bf6f2c2ace2935e36b03d24566bac6446e0916af2a70675cca74828c5f70861c438d58dce384a3df4bff3c6f372996e2d104878d93b9dee0a7ee4c83d56c206b6d3dea1af2f9ba268303c6be86d99f0b576115f5523dc0918a54709189b3d1e458caa80ea376a3cf9ec421962b89e9ced740dc6ddf065af43afa9cd925ffa8c7d7a9a7643ca73890e490608ad77e0c9a9b98db65ddbda8ad76c8b2539a34370cc79433e0023ddf81bc8a83bea1ac4fbb181ee800bb5682d67fc9c607b178fb984ae9f55471bdceece6c3c5e6af9491fb7d3962bc8ab914f0ef65358a6cd63bee8290d581c1e0bf8b5c118642aa1bdbc02938773754cf6a5a3aa98b9012cebe9c87eed630496d27a28eea3835b7ff9cb51d779a5a60528d08b3ec23a31ec6b5603ddc85b18f0c6772e91019cb15159da61c5df0bc29c4bdeb2c68c66021196b8ccd12d6ca75180b1c129f9a75cd59fc8afc51574d2503ee76fffcf6ed6d46477b874665ef45e6ff04a916b67c89f9e57819c66baa782f12ebabd3a5468b5b729834b0ee0e782201235cc09ffa7f5293ca8d3ca347545e2f3f5806ff44bdc5c8d0ace63e947820b67281bfc1ecf36e637c430e1cf47e39b2ab5f47b4cdbaf60e6db884bf6c5200e0249f7c3e0ba814d6f0ccd914222beaa845884b00faf29b2e630c1a55e1fcbf5d5b3a6fa74dafac252647ff40a271a749fade39df7a1f86f046ca0fc618b649ce023b3a92b35e657deb8ce2d181f2ae6eca0989452853e4f2115567793748164c1cc0a114506cc3ba32bf682030003928fe9f9e00be2236c2b7173b33623452fbbf40c90e5085e90703dbcf1a7267422a68840c9010bbd49961ed0a935f5e6e8c1963ac04b851f0ef8716cbebc27db8868e78556a
ad4ed4b80e39443bc8ec25359bcc1737330be79227f136a0357475afc585c621a8520d0639fc750d1a44f243b553aab880025687a06947e45da0044a74ef4f352dfdeb629eb1bc1ea343192c68139e36c816f74cf3ae3e476a3652d1d6cfd02c0b84a99c728ec1a3b97f28fb5a3ce2b03c2eb8c0f42aed83e4f5891911fbf189dda44f302def860b308a9022b1c46800616ddd799ee19f7394e3ac10a305537d9f0659bc48fcc9d01996a1fda0df5597c60600cdd0299971ac4f1cdfc6af7de2a3f131c868714a24b3c0aff8162951852aa97a29cee9eb7558bd2f384065130abc4de58ee5b268aab6b2380d885e5c98d22138fdf77bff9fe2370eff28f22a4515341d9c226a6dded964086f3bcb5342acee09451c6257eeb434b61b8d93b0850d49e2d229fbd0bb84ba4efa3fc1c2d59a2e725a528fcdb44d43a0e1f5572d52b3f526581af49043d939e9857713d04ba2a96139e007b974b2971f71a0bbdfa76998f250802eecce869bee6e4bd3e4523c3b5d32a61c9f9aa1e0bc215484a4b11bc81ba3b2562ea49d08f63b46edfdcdcb7a496f414d80f853547ae94d8654de4729774b08dfe3acb94ec5ee2a940efef53bb76d2517ffe1acc915ea5c17652ec6651d3f7734cb8b7aa176c5f2e601dc42f0700357b592d4bc72c25e42ad9897ef1fb43bec5be51b7225e57b87732383d0274e1a9594d4cc22451611ec5de786e31a69fdb3c5aa4a857e02539f1655c542c84a32f40dffc4ae8d83ae8c8f7e54dfcc4362fb4c8134a9137836f0ea40b329bb7040eacb31e7b362010fda9fabfa96622db22316c3b297e26d2b867bdee55f600e97d338cd5a2969f38a76f968d9b76aabc392bf1089c0f99dad174b6f8b8e9897bbb0680e9fb08b39f1b9d618b81e1295b546c3ddf7b8b807950199d9fb48a3c1754d97344908e8a4831477132cc7e8525a5fbbe15608619dd369ace1f9c73c67224358f4ce07dbb3cde19df4bac7bc706f18df54c17c3a8284610ae25c00913edbaf2c9fc8ef582ea3ba5c50b7d15a93acc50f632ce4473009da29a6e1852e752a15e6b7c56f5a0dfe65e5cdd00edd363469dcb9866397646722c6ae0f48502dc75bf8381225a17f3533be924a0864f60ba58341a75b1a83404d1d4380f0565c3d55533e858d4c9f427c712965c015fe91589d43a4ef4e95f4bcff164ba8752ed83cb57a7b460d2c9796177433588f800fcd518c5e99baf8ed652e61c1fb4d47a882174e4a0d2d03078b2316327799adb88d07270fc7c9d7919b6be24bbbe2ee7999ca00eae4c64c19e217196c8df9a45d7a9009f11444340eac6454db20263873c86d884d466dd75ffa5315a693fca6ed2af24452a48c9a5e36c1cd7408f5e6a8fbc41e3653986e0f355a05288c51d1f911c49454
0e9eb164e2cf270d4d07c334a47fdd3d870a2fe69516f8b4ddbc3c0f21179c3ba3863d2851ee1ff0f336a23add665ddbbf7a8168c6e04119eaf4944b132df977cfc826cb53768c275848a498fb3c68a352c1d0a51701bdbe7194beb546c6f9cca343a7e3d86aa74cae125b926dcb5037bf7b3ac08e15c024b1997c4d01f95fc1a941027f8efc6b8abf34c6b25aed0b4052c0bf15aa56812d90c7a43856d9134dc1140788dd2300c555a0ede7be750bea34dd3f8ccbdba143abf975879f9e374b6d417fba64e22b5c848189173a9f972176ca68e2591e4be093e51ba3775443101767db9be8dd92953ce03d91a9f1bb3ebf0a3bdc434be0197f527da23927d8ab4ce0613e363fb7acafa3f2b11ad4c1f12a1990c431bf2553d936d98822a1c893a41663b0ccae8541da379d14895584151c57605c76390b1c91dbc752acae6ad571ab4d0a47e2a4db7b88fedf2081e1c0bb0cf5f60230129711586fa5c99fd34cc3816fcc30644195c4bb72fe8578d4007f7cc16ede32eaf34ce19084782080e2815f25d117dd1d911601fb77bc0e471189fd0a4bbe01b1aa979f052e0431dae1abd9dc8e2cb7d575c5749fdd82f247f1686c24677f8d3a358b6860632d26af38f2d4c91457372c11acde9b447fa1a598b5ec1a3ac0babdbd4eb737f3c4c2f2e15b5d8df3b8d6e6b70a3cd365b57349e6ac60b8759bb09bbef1855c1468d10a777a2babb7e77313a321f2169761108d5e8f11c51c1314fe8fd59aea60551c402c4102d08f4d0c54e4a8ad7303905e42bae5b1ceb09119324e274b63c32215eedf7dc51e4f1ed19f013c5a23c8a2f0841eafbe1ae2ea5f4cf20719010a448f154397b6c65be5867508cf112f9f2ff236024c8254d921c8de4e4c39d91e847e7aef69a2747f75edde39e3adc4c653f20d5742606baaf985260b955c2b6e1947b469927a61d866f797e73fadb2821ffe03c109219078d8c24c852188e3352fe257ca3e371043470575f1b180d0747550d9ae8b55b29b06be0cdfe6955a1acba316f2e0d9fc4a99d7725d022fc240e3956bd66425dd2c844b4824cb5307af5d6d77ee97590ecd849650cab25567bdfef5661d35966a16ad5fea8ca1dad42e19bb6b2b28b06e24dcd8bb240e065ea027ca71ee286e9b8c7a4100f1f08391dfdc0ea125e35c2867aa55f21af22a5ff685ef1bc3a023453bdd381b3cc0a1f0470f0e198c8e9ece8d469479b73f3eced657dabb588b95f82de80b58a924e41146274cdd7b32aaf7c2c1f600f30353cbd88bd236c37619ec4c54f44dad9eb79b5e0f5900dedf93b43e33b94a0bbd24bcf17aa7986287232717a8ccf085ba6826f7224d4a35fbee2592b32ad48cbb30961d2412c65f6d6385107267b7595568d7d76fc8cf4ec6fb06f1c38d2935
7511454a28ef029da6b9007f3d6a400c381f4b0bd99c5f8371d97a7adcf122bc8d1b51f914016fc96f1ebf1628d62d0c1ff93bc16b960f93d782c66d73023685a881acef65f40e5891132e723697082b8a9bc48eaa170e5935a801914c175906b0e7a54f199907562bc2a3d919bc41b4b4fc43872aceceb494f186fd2510925d082c623a3f17f80d1d421710b91035dcfdfdb912b84270e07c9be495e8713ff51df5eda5a030e51516917605e24d29f2238d27b2a823443e8c7659c62ee4d69d3094e95e630e27e2c0c913d200e23fdfb947f7d2d2037284680aac2d002adb79848e99ca1ee7d5c40e190a3ef5f05c59eeadc97449300b0f41943dd70f3ca2f59a218a093cc036cad4f8f3bf1d488f402d5c5abf5ac9fee0263f6d44fae0d5c157ac12b78032604b618bd66a2dbec688b28a0c301ae294b1e2fffaf0f4f92030aaf4154f91baa6d1167ace84be70da0cb2c38c1f1e8a0e8a7474f3f3e508c1fc9d4a431e2f1f45d142f8cc22af65ac656b94109905ca95d33e809586d3b409ca68269bda1368ecd8e9b6e2d95327aa491b6bc162a9f6c4e8162809b0efd7bee9e4c915534083d5cb9ff27bfaa40f7cfacd1c301c740254ab4421aaeb4fdf8d6f46014a3c3ea23256ac64fb2fc95cfb99688a8788759d1dc35992d455b3ecc4a4c99ebab223d774270d7ebefa8545203cefd49bb21397b6d68664dad1b3461a5162fced871d8fc2160d57834356ec88841f89da475fa7acebcc2321f04c6cb56268b42087b52191d43bc82c29c44d451d6798758b43040617a6024b5750577ee3679f43e08a893da6c330b54cbcb6a3c6eee525d4740ad5cca9c7dd75c3d1b24801961f7a517386fb0ed2b181521ab207574fd4edfa09597afd0fe976d2edc428ea28ba9a5c96162bf891e6b50e345855bd6852252959586aaeb63c1aa0c07c422d70e5655507c090ee47e98c2b7cecfa6a4d11210ee8f22a28806b5f5dce15f139385dcccd2838a7c6c71740b80a7f0239706fde8be06cb1e8e352c176b8bb564b5cc98eec6d4a554a4d7bca07b5f72ca8131fa8479d706d367d32d1652c6f8ec4b9cd374153acdf29bdedd5d385e3b581a3142092b28cc3c8d89c3470cf56ceb9109d70d5a0d98ebe4e9432143d6ccd58fcde6a1f0eaa845175dca5ff85dcfa5448bae273be2dd5354654763de0f2fb0974164f001b42d1156ede02fce2ca912355d59e510ddef52589210506439138c230298e2c7f1b76a4ca7dbcffda66fa2a52e146dcca8ecc0cfae3340fccd033e83fb85cd3ceb30ff33a8bfaac4e9d3c28bd0a1ab89d6582c3c9cc6894e299e71551e4f394ffd81b0a67985a65c9c9850ce869635da0c769bb283bf27c1c2b70fac3b7f0ec6773351753c7527cab97a982722b422eb950b4
1b9e03e025c17c8dc73852490bc83e82ae956b2c546aa0b1c9a06dd9d4c60c3702753385f67df61422906f5a63cc5ff225efdfd57d9e33acc917b68661c8145e2db301777659692925511534e701ad80c46479e5808aeb1f90ed45526ccf995255555d57f987e2e56bfb04233aad88790207b67b7675db58cc00f7594bfe5089671617991124b72ad32d46b304a87c2a5074c581421652bd730808ebb039e74cdd6dfd1f8dcbb55f978458d1b161780fbbbfa52e3a2288653210c0ba901b385dd7d886cb2db18407b37e3c455b2773bc670436ff702af2bd9d87dce441ed7083231763ca76fb07389de0be1029f29c0fc873fc2c986ffb21724c6c1a746ec03729a0d9cdcf123129c550b8e1500968110c363bdf0fd68df0e3a60146790b216447f82b17718c3ceff4df0ee840f42712f9bf4b898ac9e703afd5869309d89604f2c6fdae0c8ca348e1a980303c522d89949dda61e02982814708630324e6362839f3d28b80adf42a0772c52b532ebb2636c8a006a39b0d384cdabcfab075e66116fdd9ad6c6af17cc812d4b691708f671d9a63244dd833e2c3a90aadfd68ddc03fa290663f0fc7445aee617dca94941f94ca0c6638d99b92f0ed7ebbe5fb6f1c02273751094d8aaee32772365cd8efdb5a85290bb356c4c787dd8bbb9a97ae562c27941bc68cd38f314080c89e27fc1bd7f45bca8412149be8260eec24928f77fc7a722a42e5050ab5d135985c56cb68abd5b7ec49c56ec519c63373a1c8d6dee785671e3c104ca6f5c740c7ca3bb1fd8cce68a097c540fa40f9a4f2b21a7853554556596665881038d4d4530862931aca8cd76e412bf5d2ef66b0d67ba991c4c676d95e2a8d6a4ba8b9dc70e165c697227e59323c96f28f81d79db8ac1fb80de77f13358a2255b9a8c56eeb7a4e504de72e71d31cc6e4b4166313035bb6a44dd80a369c9106e9baf69f5963f92b2bc7c16d39e0e8b88611c36523a7635bf8172b995892bf67bf2f5b4d971508f1a1a8d8d1bbfc46f87f2bc50ef30a8922a354764c66e9daa50194e3ee90ad0b59072fa84b1c2e36f93446c9b920f543ddbb0485f18191cd1aba0387d7793aa3b6e62dc49e3bb5b7ec1cc06840fb671dfb8e6c185ae1e0c62a142d244863689a5772eb78c6356122498bc088e53f0c6895cdb1cf0f646ac6db2d8efdeea5f7ff23c91901c4d496e34550695667a7db538e2a4982d34e8256f18be3d493fa2cbe46c1f04b0474328f4eb417ba155cf3d926107845f0a734488bfc5c9c3b0b236750bcbe0bed15b7a5d219a7c2df95d3505a4f116fa6dafa8b746f4d1fdb1a502d9a45849cf2cad4dbe24eae0b65cf4f38ee38078997a5ade9ccf13fe11206362300fff7628603a4707c1c2fd5eb883f5321e8882c1dcfa186787744
7ed9b6813031b95ab9603ced93317b265f70229bfd702da85e3ec5df6d2b9dc2958fb9a0f99e501efd391e22c0e198eec87bd2db850058e6f42b53d888cf8c5fb400ecf6e804554fe2b8e7a3a9d9db7a7704c3a2c82643816d8362c909720a693b665d3eb", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 95, + "comment" : "invalid output size", + "ikm" : "ac106eababe3b8fcdfe44ed3f332695aa50833d5d110632b4215a86f9f4ceebb", + "salt" : "aac161c03b3d3cf4d94072a48fd6ca3619510888", + "info" : "9824a5f84186c0ea", + "size" : 5101, + "okm" : "", + "result" : "invalid", + "flags" : [ + "SizeTooLarge" + ] + }, + { + "tcId" : 96, + "comment" : "output collision for different salts", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "06e27d970948bb30a9d453d843ab332ae2231dfdffbc4815788695c38368fb03", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 97, + "comment" : "output collision for different salts", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "0000000000000000000000000000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "06e27d970948bb30a9d453d843ab332ae2231dfdffbc4815788695c38368fb03", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 98, + "comment" : "a salt longer than the block size of the hash is equivalent to the hash of the salt", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "0102c651e047fed9c217bcf915520532d44999534c1e7e7c87311093d7a3681aff3e2d335b3c6139b9fc66dcfe35573b36a329a550c4cd20bfe2a90dfea50167ff", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "e86ef68c222337607de55e6bef35d9df3563cfd8754a5a231a5fb110f1ed1b40", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 99, + "comment" : "a salt longer than the block size of the hash is equivalent to the hash of the salt", + "ikm" : 
"2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "ce4fbf306d1eecef0d60543d9726b5b3d3d5d8d2", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "e86ef68c222337607de55e6bef35d9df3563cfd8754a5a231a5fb110f1ed1b40", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 100, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "cd920e8dbf19ed66", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "87cf7342816d0b08822263edae8567b453a251373e2f3ce338114b6738cdd1b4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 101, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "cd920e8dbf19ed660000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "87cf7342816d0b08822263edae8567b453a251373e2f3ce338114b6738cdd1b4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 102, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "cd920e8dbf19ed6600000000000000000000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "87cf7342816d0b08822263edae8567b453a251373e2f3ce338114b6738cdd1b4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 103, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "cd920e8dbf19ed66000000000000000000000000000000000000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "87cf7342816d0b08822263edae8567b453a251373e2f3ce338114b6738cdd1b4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 
104, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "cd920e8dbf19ed660000000000000000000000000000000000000000000000000000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "87cf7342816d0b08822263edae8567b453a251373e2f3ce338114b6738cdd1b4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 105, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "cd920e8dbf19ed6600000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "87cf7342816d0b08822263edae8567b453a251373e2f3ce338114b6738cdd1b4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 106, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "cd920e8dbf19ed66000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "87cf7342816d0b08822263edae8567b453a251373e2f3ce338114b6738cdd1b4", + "result" : "valid", + "flags" : [] + } + ] + } + ] +} diff --git a/rust/tests/wycheproof/hkdf_sha256_test.json b/rust/tests/wycheproof/hkdf_sha256_test.json new file mode 100644 index 00000000..73c99a07 --- /dev/null +++ b/rust/tests/wycheproof/hkdf_sha256_test.json 
@@ -0,0 +1,1250 @@ +{ + "algorithm" : "HKDF-SHA-256", + "generatorVersion" : "0.8rc17", + "numberOfTests" : 105, + "header" : [ + "Test vector of type HkdfTest are intended for the verification of HKDF." + ], + "notes" : { + "EmptySalt" : "An empty salt is a valid input for HKDF. It is equivalent to a salt with n zero bytes, where n is the size of the underlying hash function.", + "SizeTooLarge" : "The output size of HKDF is limited to 255*size of the hash digest" + }, + "schema" : "hkdf_test_schema.json", + "testGroups" : [ + { + "type" : "HkdfTest", + "keySize" : 176, + "tests" : [ + { + "tcId" : 1, + "comment" : "RFC 5869", + "ikm" : "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b", + "salt" : "000102030405060708090a0b0c", + "info" : "f0f1f2f3f4f5f6f7f8f9", + "size" : 42, + "okm" : "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 2, + "comment" : "RFC 5869", + "ikm" : "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b", + "salt" : "", + "info" : "", + "size" : 42, + "okm" : "8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + } + ] + }, + { + "type" : "HkdfTest", + "keySize" : 640, + "tests" : [ + { + "tcId" : 3, + "comment" : "RFC 5869", + "ikm" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f", + "salt" : "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf", + "info" : "b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", + "size" : 82, + "okm" : 
"b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "type" : "HkdfTest", + "keySize" : 128, + "tests" : [ + { + "tcId" : 4, + "comment" : "", + "ikm" : "60ab7f45b0ad534683b3a6c020d4f775", + "salt" : "", + "info" : "", + "size" : 20, + "okm" : "ae5dbce80bbab5bca5b3c6d3b7e6548fb2c23b2f", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 5, + "comment" : "", + "ikm" : "e3db76e02278cbd2adbcb4555803da11", + "salt" : "", + "info" : "", + "size" : 42, + "okm" : "207ebfa8798c6d8d5260d797fdb9c9969173442186d9e932b18fb589fee2fd00ca4ab49d0402aba2c1b0", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 6, + "comment" : "", + "ikm" : "d4dcb92a769f57c8bab8a420ee0aa351", + "salt" : "", + "info" : "", + "size" : 64, + "okm" : "d875a072bb18fd7717ceaac8829178884b8e51a926849210caf7f42574109f218596e27b92041155d2012917c20e09539bf52016d78aac0b53a51d9cc21e3b15", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 7, + "comment" : "", + "ikm" : "2d43e54bf0c94c9cbff4300f4aa69ab8", + "salt" : "", + "info" : "d674da3bb47d5c7e38b501e5251d9348af601c44", + "size" : 20, + "okm" : "3d36966f29c0561b4e50f9325c7c98292b6d28bc", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 8, + "comment" : "", + "ikm" : "4055536896c406d5fe14a6cd6b999bff", + "salt" : "", + "info" : "2094768a8816f7df070d6e08b7ad93755dc9024b", + "size" : 42, + "okm" : "b10173a66a08fffa6cf7c1057744eba73cbbde83a3d8674bb0bc1a46d80792a9d5a0d2ca72510e02a6e4", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 9, + "comment" : "", + "ikm" : "5b01b2da3166f217cdd68de8af60078f", + "salt" : "", + "info" : "6884cfa7ffe8f27bf4ebc6e46a7e01488c79243a", + "size" : 64, + "okm" : 
"7a8e83577d8aeb830d772d8e42fbd105e54ee3f38da12388030580c8b8935f4a2be01c5092f28d5b1bb757bec0a527250eba2549e770d21224e1cdaa5bb76a98", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 10, + "comment" : "", + "ikm" : "467403c2ec02a235bf730ff37e8d8ff3", + "salt" : "41f0f173d307d40436c25856cf559f96", + "info" : "", + "size" : 20, + "okm" : "4b1c4f54615e31f713f2364bf194d3f14f68e704", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 11, + "comment" : "", + "ikm" : "3352f942aa93071da6d39cc5ed8dc460", + "salt" : "57a0db708b25a51afc4271803aa35204", + "info" : "", + "size" : 42, + "okm" : "a6823c9940138becba3f9baac05ec119a2715a018f51f4c0ce2add465db8635a6453efdf7c161c2d172a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 12, + "comment" : "", + "ikm" : "08867e76311126089356623ba5381e73", + "salt" : "0c164c443edcdfaedb1ab150f047951f", + "info" : "", + "size" : 64, + "okm" : "ce632c353328d59ec519023d08652a97252f2c8f3f29104237fe35261c82eed7e0df52514a157a00fd82d7e46ebf9acc23512e1cda7d5b65b92f692965943e8d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 13, + "comment" : "", + "ikm" : "c55c41d69d2424a520414e3662aa7303", + "salt" : "fea9bfc92b74337e43a201a2dc199e27", + "info" : "3fdf20538063b76901d61bbf9b72b0c18749e00e", + "size" : 20, + "okm" : "7fce7c021469c8e016f7a9eee111ad71df7c4fdf", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 14, + "comment" : "", + "ikm" : "5d3db20e8238a90b62a600fa57fdb318", + "salt" : "1d6f3b38a1e607b5e6bcd4af1800a9d3", + "info" : "2bc5f39032b6fc87da69ba8711ce735b169646fd", + "size" : 42, + "okm" : "d3e6274c91a88821367b1853b852a96f3ec12ed466769fdb88e14622165d5878cd736fecc93b9e8633e0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 15, + "comment" : "", + "ikm" : "8677dc79233ef3480777c4c601ef4f0b", + "salt" : "ad88db718244e2cb60e35f874d7ad81f", + "info" : "a38f634d947819a9bfa792174b42baa20c9fce15", + "size" : 64, + "okm" : 
"17c2b03dc593fe9bb94f5b9bf646ff15749e82cd4bf569f7806275c241c83e1fe0615663a628ecfd7c1b700215a450f9f42529800424c4707d54488150299f11", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 16, + "comment" : "", + "ikm" : "0f602703d37943e0253bed3da331aff4", + "salt" : "ebdc8510499f69b2e188daab77cd819cccb95f276f46e6b2be11cbe72700", + "info" : "", + "size" : 20, + "okm" : "ff23874bcf844f88f2fb57c0c3a4e3a7a498965c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 17, + "comment" : "", + "ikm" : "9fe65737574c5c7aa67646adf8230ba8", + "salt" : "73a34648c152443586236abcb46a090ce55ef6c7f282ffce6342d694650a", + "info" : "", + "size" : 42, + "okm" : "19d4b9e3bf37ca1affeb953ac3a593882b2dd0002409be198718b376253f1e8522af9f276152739e2d5c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 18, + "comment" : "", + "ikm" : "e8f2b1c3e6a6c3d5ee0a20dd47aafa78", + "salt" : "3f5e162de91e0782cd189f3b7778cdc2ce6bfe9d3fe841cd3c70475d7b3c", + "info" : "", + "size" : 64, + "okm" : "d623e645a84b5ed4a210b9457aad79c9c3171f306bdb8bc9b60496a99e640cdef1cfb56ee336d216aa20122ee33b91c7aac3e5e7d56d87dbed3a446cd5224208", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 19, + "comment" : "", + "ikm" : "a679521cdb56aafc5a4b76db0431a4dd", + "salt" : "123033b1ddaead83a4b9cfef8a660bd8e00fde01e67c35656c6d7607d456", + "info" : "44ec41ab4f4e64f4a36e5e30c9f0dc1d77ae4974", + "size" : 20, + "okm" : "b75be6d7fdb9a7c58514c81e6596973058e8198e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 20, + "comment" : "", + "ikm" : "49bf155ca102026f2a217ea1bc9843ac", + "salt" : "76776e3b4d75f8f43dce4bded71f3b1ae6bcb012d9c0d59f78248b9427b8", + "info" : "851bda4faa8f7add2a3cbf0acf9c2786f8f955b2", + "size" : 42, + "okm" : "afcec12e5ba6481f144f6e6bfeab0a054b30f2710aeedea90d4be9c790c8e05e601fcb208afafc6cb991", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 21, + "comment" : "", + "ikm" : "6cf725e939e8824d4392233eeac75d30", + "salt" : 
"1e72f24b05a91a0093f34306ffced79e7003055b0833c6d0f27a4f33a1bd", + "info" : "495425d9727fee2e2b7e78899868c1c3e7735e1d", + "size" : 64, + "okm" : "e70ba99926c4edd98bf001ed3c8a1557987449a6fbe58360e96c2d1a3c1f2eac7806fa406ec64c4dc2a743129f97ca449380ff495462d1b1858af83d40fb31ff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 22, + "comment" : "", + "ikm" : "a319ff7b5ba9b14ac72b681cecf0f742", + "salt" : "d7e3bc6daed343ce77ef793e15a8246e4bfcbaf83d2ac956d0661d1df7262b2e7311623dfe4152caddbfda8fa8ed7a82656ec00b72c5adf7c9d388e5b3bc8d24", + "info" : "", + "size" : 42, + "okm" : "31e7b971f165eb923b499460c94937477fd61cc4e96c27fa2abb552accceef42aa3a35637bce32d996e9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 23, + "comment" : "", + "ikm" : "34bae5a158c1678aa76a744417a70d7a", + "salt" : "1532075f363e061133780ac959bf653c7687d181b9431215d6f62dd2f1ec3019d61c50fa82c70ae25e624c849a276b0c57d7c02a4d753fe84a1a6621e9a5ef01", + "info" : "87ec30aa53acfc3d09ccc1d57d654fdbce403cd4", + "size" : 42, + "okm" : "b80f7525a93a3f630465033ac53f1ace76caf7dcae3bc7374ffdc6d1be60179e1adb9aa8def2d47823e8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 24, + "comment" : "maximal output size", + "ikm" : "195b2a73c91f69140910664d79ee7f3c", + "salt" : "45cf5b7711c199f70999902eb755aefe490c86b96cf86ac20d4e67fd87a1c8bf", + "info" : "5b3afef0895fee8a", + "size" : 8160, + "okm" : "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", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 25, + "comment" : "invalid output size", + "ikm" : "febaf0ce3a452bdad48338ae258775db", + "salt" : "701dfbe3f22c13268a04871dbb9711f371bd702b2bb41dba24409578e6481bc1", + "info" : "572d90bc31fc1edd", + "size" : 8161, + "okm" : "", + "result" : "invalid", + "flags" : [ + "SizeTooLarge" + ] + }, + { + "tcId" : 26, + "comment" : "output collision for different salts", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, 
+ "okm" : "e7f384df2eae32addabd068a758dec84ed7fcfd87a5fcceb37b70c51422d7387", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 27, + "comment" : "output collision for different salts", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "0000000000000000000000000000000000000000000000000000000000000000", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "e7f384df2eae32addabd068a758dec84ed7fcfd87a5fcceb37b70c51422d7387", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 28, + "comment" : "a salt longer than the block size of the hash is equivalent to the hash of the salt", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "329f445e7de8a156cf26a0208dbb028d9de6ef76b8de67ca634f4a5a732138a1bd436a7b345d7a0314c7ed0a00b0d34ecad2cb8bd141e2ecc1c77e237094d55154", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "12fce691378f28f92cb26ae9cc7ec5a34007fc693944ab79b6fc461093a66c4e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 29, + "comment" : "a salt longer than the block size of the hash is equivalent to the hash of the salt", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "ed16eaa37a3cb51a9ae18e69b1ccb5950ba29ece2e94894ba05715bcc9d926f8", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "12fce691378f28f92cb26ae9cc7ec5a34007fc693944ab79b6fc461093a66c4e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 30, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "e69dcaad55fb0536", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "43e371354001617abb70454751059625ef1a64e0f818469c2f886b27140a0166", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 31, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : 
"e69dcaad55fb05360000000000000000", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "43e371354001617abb70454751059625ef1a64e0f818469c2f886b27140a0166", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 32, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "e69dcaad55fb053600000000000000000000000000000000", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "43e371354001617abb70454751059625ef1a64e0f818469c2f886b27140a0166", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 33, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "e69dcaad55fb0536000000000000000000000000000000000000000000000000", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "43e371354001617abb70454751059625ef1a64e0f818469c2f886b27140a0166", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 34, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "e69dcaad55fb05360000000000000000000000000000000000000000000000000000000000000000", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "43e371354001617abb70454751059625ef1a64e0f818469c2f886b27140a0166", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 35, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "e69dcaad55fb053600000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "43e371354001617abb70454751059625ef1a64e0f818469c2f886b27140a0166", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 36, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : 
"5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "e69dcaad55fb0536000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "43e371354001617abb70454751059625ef1a64e0f818469c2f886b27140a0166", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "type" : "HkdfTest", + "keySize" : 160, + "tests" : [ + { + "tcId" : 37, + "comment" : "", + "ikm" : "e2865d6bbc1abf6a815067edc4ee7aa33c290d5a", + "salt" : "", + "info" : "", + "size" : 20, + "okm" : "affd91484b5ba2185adb698632e315e1ae238d19", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 38, + "comment" : "", + "ikm" : "8c177ab5f40e9c57203883562f01f174070ccd97", + "salt" : "", + "info" : "", + "size" : 42, + "okm" : "279bba84f187099f5b5b4f248b7e99114f012b805eb37b4f2bd777c7f626d8026cc3c36afcc6b95dbc53", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 39, + "comment" : "", + "ikm" : "e842a4fc1a147cf2f87de9bd5a42fce6457496f7", + "salt" : "", + "info" : "", + "size" : 64, + "okm" : "d331254a687cdb1572b5061984689d4a3f321ac82248dbf7c88f9c7d43bf295558d945503b573b268de153d22334133ffd026baa58b70da52169b7d4cc2a0f1d", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 40, + "comment" : "", + "ikm" : "5b870ee1bb97ee83f67fa7335b4a0f9dadc80d12", + "salt" : "", + "info" : "0a0dfb2a6e051441678788bdec04cc1b63ebe1f4", + "size" : 20, + "okm" : "f1e1474524b1de386ef1171e2db18b32e074c2d7", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 41, + "comment" : "", + "ikm" : "58ea7ab33acff514ec08f41e59c17a3c66c1ceef", + "salt" : "", + "info" : "1cf9e25bd70c5546ea7a79eaf5d90cacf754c4f0", + "size" : 42, + "okm" : "b35bdc6ce6a357934f6b078e3210d6a1a4427c808f759394f0cbdaeec4de12425c988b7deb545ba452d1", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 42, + "comment" : "", + "ikm" : 
"e8d20934b9d320458f4854e2442e2f0fa092f461", + "salt" : "", + "info" : "4425999958aa3cc629300c25ab15be8cea7a4277", + "size" : 64, + "okm" : "d9ca1874238b99baa7f62f9e61db9ec45bc6c6618030b0c42c71551e0c56d37a7c59b39dbfa2447647b296a657d096259ed72cc1497f2e6b774da05c00274f05", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 43, + "comment" : "", + "ikm" : "dc9e488c684dbf0ac8ff1eefaa0666d413d258f0", + "salt" : "9afa7df500d7a17af1f44422d25a62bf", + "info" : "", + "size" : 20, + "okm" : "6c91116d61a04407703a3b59cfdba2d71999564d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 44, + "comment" : "", + "ikm" : "34b85c341a04cbade472b3f7dee4de4d1954bf70", + "salt" : "b066b42acea664350a8448f8e064225f", + "info" : "", + "size" : 42, + "okm" : "a043e45d56fb32c784a3aa016f40cba8fa298aa813a27e0797c4a48ac464cfd36a61f0aaa184802a16ca", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 45, + "comment" : "", + "ikm" : "44cc641e09f7d5642f7b6007ca5a1c0813319666", + "salt" : "69c0dde6c8e5bd40553a5981fad6ad87", + "info" : "", + "size" : 64, + "okm" : "a8493c8ba5b733dd1e11ef719fd7cdc6773c5b53b5be55acf4d3365ecb6a82c5d692f0cfda042cef5265d21efb587213155cf17399ae61bd0f167f90eca74f9c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 46, + "comment" : "", + "ikm" : "88a8880cc2b73e73b3b6ca1d4902caf2128732c3", + "salt" : "0579f690ed32e57a26701a9f6877f243", + "info" : "6dc723df3d26f704067afb2fb6d95a66516d089c", + "size" : 20, + "okm" : "27e233f30c2d8501d42d229259c1ec350f7fc9ba", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 47, + "comment" : "", + "ikm" : "8408668b9d671121b8c7d31113f045c0d7c020fe", + "salt" : "679b30e6930a8ea3f076e317b9595d5e", + "info" : "b4451b0f1a217db703582881e86d8044d5f2e092", + "size" : 42, + "okm" : "01c4c9b37f4a5c01c89544bfa5aa92072a36206d90e2feeb0d5dd7c222a4340d65f4cba61ed01e79fd75", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 48, + "comment" : "", + "ikm" : "e6715cc4ee13c4d999d8f8f500243c321f70b0be", + 
"salt" : "ecfaca2ea3301a992b4de081d9d3a4cc", + "info" : "ef17c9227a5ca654fbdb35dd00dd6dc77b6321de", + "size" : 64, + "okm" : "a3bdbce02823523eaf356cd8f2dcfb450f42f93d03f73487ca86fab09da7e6cc54e0b1e38b8a04fe02c528cb50efe0e3aa172e620b3c3fc11303d1005a137d90", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 49, + "comment" : "", + "ikm" : "9a6b88f3f68f5a8e79903b51dcd733abaece1a41", + "salt" : "0226df3d66ee3abb275eb39c8ec3d3e12e9b87b67f85c552accc4279ec17", + "info" : "", + "size" : 20, + "okm" : "06fb02949f1f1212cf27436ef3f595a15ce52057", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 50, + "comment" : "", + "ikm" : "0b9eaec88b2940a4754e83272cbf47fb6f86aaa1", + "salt" : "c1616497d49246400ba68242b635c67515d2528ee1c3b71b318b631f9bef", + "info" : "", + "size" : 42, + "okm" : "fee9dbc5b95515e77a78fe4c8ea77e76c21f15a1a8207a38dcbe45c3498795be6ec145cc92bd6ea02432", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 51, + "comment" : "", + "ikm" : "c4717276e7c7f794c4ee333b2f7a2ab244be9e8c", + "salt" : "af4c63e5b554063e83e37bf730ffa401c696088ccc4f133a8695ffcbf2a9", + "info" : "", + "size" : 64, + "okm" : "d6fb5c20957dd52e3cf5ba3f7b1b28b7be3957a0b2a39cd913376e95dcbf30b481a5cf37d50e3de4c59a67b6113adb0b6a23458d0c4be71d2baef446944fae9c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 52, + "comment" : "", + "ikm" : "5e43a900ee0d432c5fe6fc81db8d5f81a54e39df", + "salt" : "8cc815009350b0b6a924ed93e73c8f8c57a1105726663b72741b67209c1f", + "info" : "32460280e60910b10abee2e9f80a3dab48acbc59", + "size" : 20, + "okm" : "aaec302f32a812fef48e69dadbb56936b0c3119a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 53, + "comment" : "", + "ikm" : "070c170fca600aa2b23618150ab9044bff7d4dcf", + "salt" : "f32a1cddb32693860eeb39a5d190f5667a303d5403712cdcebb575c6563b", + "info" : "c1b0971fefa0a23cf4b7185879475ebd8d83b9bc", + "size" : 42, + "okm" : "f56000669f0a987954a1e80e3b10588126eb087440b4b253587f5d05ef46530bbe83089aeb1eaa45f0c8", + "result" : "valid", + 
"flags" : [] + }, + { + "tcId" : 54, + "comment" : "", + "ikm" : "87a23208df5e66488d23f7aaa066e87bdced8e2b", + "salt" : "0488ffa08062f1fe83e9c3934f5688a2e17827f898aa5daa2d595f09b245", + "info" : "e4d66fa23a6020820013d94d1f8e84a58cba2a82", + "size" : 64, + "okm" : "3c5003f24499773817f13695c45b937faa82a8d579a0afcb2ef473b925dbeee8dbb62f28c22d1379f02d29e26327d22c2e4a6d951865ae1a6a3ac2bd441c805e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 55, + "comment" : "", + "ikm" : "214746af12a669b726364027e9a1cfa40c18f8e0", + "salt" : "f65ab21816c5eaa5c9ce77d58608ab67176d2255438096f4b45779d15c2afda12718ec557bfe161e7fab89ebad4fa634cf73f2d12c884c4583e64d2b59b9d8b9", + "info" : "", + "size" : 42, + "okm" : "ac9d8595b73c4e23791aecf157ff1ceb9320db1149a5b8e0eea62ea15e4d36d979b3f79e58747b5b6d51", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 56, + "comment" : "", + "ikm" : "d509c509f91d78c33b9d661e6df1992b2b6ae429", + "salt" : "95ff4b20ade46bada320316dad7e2b4286e93dfa2a72c6366c5ddfe8ce2ff344729ea56416d5b53074c6d6c4eb4e4873980e5e4a4991d6b1497aef822e16e209", + "info" : "bea4f60eff1a0c6ab664ff3db2f774347920a482", + "size" : 42, + "okm" : "b8eb1092a47f8b538d33f065b688b3db48b1c47724d26c7106be333228a5f892010eb4ec58597f3ae801", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 57, + "comment" : "maximal output size", + "ikm" : "79210bdd3e2d9185c241114eb2ccdc9cd9a92eda", + "salt" : "eb5f77214e3b70a7422822986dc397ae75bc953d3759a1ab44eea1f08b789d36", + "info" : "583afffd66331da0", + "size" : 8160, + "okm" : 
"cf24e0b4c6290e8df554afa553e5b6dc85afb681efa20563871e8ffc1fe2b16c2c6ed18f7913c337ddf462475db5af55b5ccc3dc9f80350a9b538573c8cc3fa0e14286af2ac908794a53e065fbc062e65129548f18be49a029d23a2215a89b16fc802467e313a23e1607b08dff77d2e46233c5232cb27acae0ae98199fbaa42cb8315f0762aa320477371021b933c27e99ce59e45e706c36e1ed24788f0080955aec82b3b8d72da158258ee9ab3f9c62e426df25b3673d37b8961e7b57b36c1b75f8b086abc3cec04fb526ba1cf15c8e91e8d60f2e774b99a1c446c707f7947e14b4e074410ea15c84531a7b487091a9dd37e947d6809bc5c16aee9e1b9ee6eadf11763e3a5d55a973e75d2739c631dbc89a5157fd8bba4de5abc42160320771667efd8fd2f7c47ea5300513b655161eb29b8b056ce4d970b2150d18d42c7392dc67b9e6cecd8da53887316819e21699a0385a1e51affa46b19e4addede417978c6e510a1823392a94e99b3fb47880394e39c13931c665477c76da3281393a8a7c63e80bafc203f0cb9d81ae23daea602d2a1a6640dc10abd36265d84a10e3205ac547a6d89f4d43afff02e854d5e0864ae429f38c7ab959f2a5a701c23e4d619d632552bef2f51d85a00eb173e544f7eb14b62b9d5901ad37be747403ba78eb512ae162d6eccc52436fe36d95f0d0baa13a4a1eeacc470cff29f9a9ccdc1d3bcb216af278eeee3dd039e366a66acfc5c51bf5a4800069baf54989ea911f61f1b58790a6318cb856dbd849cbc35bd445083fb33bcda8a97a4b7bc26ae02439e06414b652c61ecbd1fd1fac1319ca9c4b60cac2d2a539e7a5596f040d801fda9e56fcdca560c67056da14137e0b068f333f3526154e2bad4a92dcd777387e7eba1068b6c1ad30215f8e948b48cd89d03665b5bd7605d6b06b1b908a07c729c78501ee490505f1dbab1b545fd612feee0f12bdf94953b41b95b122288575ca36bffa6d32dc5c6ad88bb759c8cb894b607e56499c1037cd9d5a28a5a85766bf9fe8a0a705227b3bb2d6df3377611af40a4750e9587dadbad132f243947e62f2e74dde1d842544583403d778c9045c88c70d30d0f6167ba97828985aa39019f129fb85311eed6f91504931fd431ff90a44b8dd7f117c18dbfa5346dd39b1f9e67a00f04e8ebe69dd275099b3ad752d4162239265bda196d6f6d61f3fd6dbb9eef4bc85955e26d6eec2fbe513cfeaa7eee840c32b7bc06f1d53c7ff4e4e8f5d30a3f8c45e581bf59814b95c3566e47d74ebecde07ce9d3526f71f0c075682c03aebc0e582f2245c9aa3ccebc851d1052190a6f66dc47ce4bb2428d2fbdaa2bebe569995abe925549f56a1d9de904828bc9c11daea269f181f67ce03af3efffa79c5244cde5a552e84035
2f8aeb741025f71aee4cd800e362bf5554302d5124843a8e71ca03714f7c103d54a1e425d2a80be6b512ed0fda41a0417d49285c71ccbcb662d7bd85e6d599defc315dac7b70fa5ea32ea9469c42feebb78619727fd75ea1da649d51539fa5c16ab24bdaca44f17040bc638009adac1b0ccee9114b2aa67c9f87997bccd9757e9c8f80fb860909f366ed8db6760c92bb5a09205396634c408e3d549305180e232d5ad0d51adae83541330ccc2e92bb8fcd50926376956a00fc195c8373df5d24d0ea45bde59c1f97d68f25eefec352578d305bb0d8c2ec46737c4ddd7bf9a8fb5d0001c9a4baf544a84d2706be2a1f149091f6e03e86ff78fdfe64be9c8fb3413f229cc9c5783192f401c5532d8f359b8f0ee493be40ca9b5d2c1a3d76519d64eb3cdef6f4ed522c52f8e83ff20ad3e35ce7d7d4cedeff21e398828b49d1f2b880477ff7c107349447e1fee43949118f302547ec168810c99339aec5ba3064a58dc2de08b4c15eacfa42a66362feeabdbedd495716b9344503059d20c1b06a135955439ca71f0274e56dc85dbc135d33a9d992784da58603d3ab6873065a36b68f8078acd3a276610e4c4335f57430ba591de81834417e770595317b02491619c259c0f5002afe89058c244468e8c8ed2fcb98bf6cf8fec723eb055eb8745de08b4b4978ab272a5db69dcd4a2ac712a66749e603648076713aea17e046e66d68102eec7a629e57803116d5f90a790ec86e3b54a5dcebb100d6fe6c04a170d9a54f81784cf59c0b3d373396e8310774a0f2063b8a8bfd4406a4e0e14cd52112334d1d1a2fe90a91a40b1becb806c53ad8039cc08885485550d7b84d7dd2d7b24174ebc1186097f44f904646bc68fdda207a99bee9a68dc41351c9a7a76a06cd66190ab922f5c8d0b03e2616f8451241b22a919e60f63431e9d688dbec5b72f7aec8a1d164d0d236767df3490131f01572e97f479fe7a4589936df3e7cd1bc267d71d182f227c9cf8c53ce5f2f29c709f21ef9cbcf89ae646a5b9f1107456ecc20ef28adc28dbe616cdd8373cf1c97863e3d17f078d6fb9c136a1ec619b1353ca6c18e2b6b9276aa14bc2013734c31d0a7641b7c478ac62c0cd19b3b33f4b40691b96a3aabb65cb17fee503bd383ecbf04219fe545b9b4e538bf3bd78a60c6973e0fabf36854cb2420f0996e68832591865db34ff84b84e7701697336d090cc0d43c6fe2cb8d98faa81b74072a4b51af9a43ff52a4a2a794793b2287fc4d611dfb681a3d87fd5dadb64469c2b3eff8770971135bc53552910ba78f154c139ee1ea7ac3d407f86b856fbd5cdcbb5ff51c8f7ac81303ac78ea78a9b2c1f4f7c50dbd4a3079033177194c9249252653dfde9dc1a09ffe849adac8cd952c6a2ae4f7931e3ae4bf49b1ea0f
0381abf3877b49e920cfb24c0013fa6bdb95803d465e0165461b8ba4bd085a7581b822f2821f4fef32d1dc80655050911c93dcc86b2784e2c67faf164a1329afb12b92031b80bfd589d2b8e5b4548caf3d656fda7d59e8d6b499c2151d28586b4b735fedda3c731749ae715fa616185993c46c0a1aea431cb5e666d13937917dfcf3519c52917dd8d327e1cb6f7c02f1d83945e8d469cf73ab888e86894b64ffc632159c66af0ac8dd6783300d1f68f553db359194719cb31c0bd652affb1beb4511e4a8e896373cef1e83f88850d4c5799dad239d37116d8b87ffc27c478260011d9da68578218d493dc0b09d2112dc33e97e2de97351fdbc5009d8b351b859253e2072c268e0da6b4bbbebfcecf86c9d8a665020831566ed4f1c8c206b32362397774aa6d0c506d18890a1d616d9ce0844dda2d06af3cb3e7f53bffc642d261b16927ffa15a8fe025b77e693bd434f503c977e0d8ac1402f6b2ddf92aebc8c29ed3b64802d890174ee63348e404c936351aecafafa7eee855c68a4cfa503edfa51e927cbc2f89a8eac7427d96274453631232643da696312a75ca433e919b8fcf563cc5c84f1c2fa1a3d5e46078bd276fab4323b541e6326dfd0cdc057e6dd33172ccbed29bd35d289367cd378c78e96c4e2c01d3bfa295b3164d028ba8b7f0f8d45bfe54525fd847ead0b46af5dccc53fa96ac8237ef2f5389fb7b1dac15458c145425370c22989e09d6249c1a8266b0c924252f5a9b81695c9e566698428ec655d786bc1dddf0c2107824f0ef9f28a6eb97787d77872c0629758bdd8c47b36fcb104714b91d65d4b62a37077e6cbca5102ed64e4960d14b68bdf5f51f5aa19056fd9c4f82b3eae0d05824f3a257f5d5e7e2a22e847b1e2b9dc0ce1d146805513b29fcce72f3d03c9a6a2a4599d77fdff432f76690e42829f51f7c5af716372e830701d8e264bd89a3cecd896b973dd39c07ba39efad8e4e38ebcf040edd4c497f199b00c470cf1c8d5d619f856a003570dc421576fb781f29a2097b7851fc237ff4bb462af5fbfa266614bfadabbf4d631825ab02cdece4b27c9d4023d480d52da3d26ce09f86584d67ea2a8fbe36e61bdcf4065bb2db1c08f57178a6fb9491b9e6fb13a72b99cf25773fa79d0ba9dad45d0682598d8aaa7130b6866158fe71adb7f23c27b8338ecbafffe8b12216b3e9205686b2b819942b3296c03d77e58797ab1e0ee7c61ec507d3f4e9ab7380348753386a0e3a3a9f026d789f2f5192c97d0303bab9980b943428044516725779bb0189ff7c5d0cb05f093ca5940ed30f1b28add3a8c040663777f93bbcc070cb84b8e569da3f02fb4a425c73d14e49972828fa67b819b22cb69f49d3acdbd09963ddf174cbcad48193f2ec2e8b5cfdc785980abd790f1
8533da0e0965dff388a9121573aa090f1ad3d63ee7b1bbe98d956f3c56db55a22e93123375d7f0315ee15355b0588277de76cd46837ca6a2b1cb8dc00a98c06707f04c23113c0aa3d7c06b351c59ea1d2294c4ec19ad142de809d8277bdd4a40fbcfbe4dccb11d4bf323955e1415fa91efdba9dc79eaaa9be1f17652f68e51588c847fef9447aba64b6806d8013ecde501439503eda39b2d20809f78a96ef4ef88ff71c9430469f2db5069a725a09dd465e7c9c946c04778a9b1dc02fec2d7c655ccbb277572850fd2ea4ac0a45468e8efa97fa23950195957b079a0b002647b08025edb7781b0979b1a7e3a1d681eb59a70b1cfc055e0aedbe9fe56c34a479a85e766bd32a6780a193704b9216dec17dc7d92eb46ed27f091c1f62cca2a329a0d7d748502f21c072bc4b90b71afbd5d66d19df779bcf9514e81eda5b934a14a0509e6721916a2f35e937763a46dd5a7eeaa5ffaab6c68a7c0188d9a4f70f30556ee43a9604a7aa43507067ceafe41a98df64451a1047efd6c88d17c4b5fff71a2312b3d6ff558e579fb2b6acee500bd0a8f9e4e4f81734c6ef4a8fe83a977a67e98c8d2eb6ee099daf0ef410d59a60c49250d48be47511cfcbeff34b8ecdd83802dc4683c32b404609a41629a67e17e6a2bfe6cf0ac5bc926fe97c15552bff54a0d20987281f8574ede505cf802eb2cbbe4a3149e68c4f504c21d91c576a8cfbaffec52a74b842e5d7733b07624741772bdfa75e5b5e0e3785f18357c66a7e50d991748c76c29cb44167d60dfaae9b6b1837361b10e45921090fc9644a4bf968bddc0acfcddffbd44dfbd5824169e3534d7fe7d28ffefe3e992a6579fbbe06bc79d5816eea0b4033830acecc0b84ce000c377d6447796a76869dee1747a3a37891a3c00e809d1b83d0aa4e70c3a6874247e719a648e78e02d17c9547e62c398d6e5c04c88090cd7b7a1dc1e4a57b1e0382bb7bece72c973574ae0ef2f11e4f0c4c6e2e76dea70411ec01a2be5ec2f93d001ac919d01b5ceb2b86f7f4a2081b42210d6f1a8e4301390f54343db84ef4aee9dec2f2a7dd5dc0780fe95d0818b6f9aa0fc7672de920e8187dbd7ec7e3885e5e34d268b2cda1f4c4feb28cda9669fce58cad9b2598f04d767ed8ca2ae78ff5add40596e327af23353f935c7fde402fab88405f4ff78f02e69bc5ec166280f04d886ba2270c895ddf5942ccdae139cd38edbc708630f41d5aef67c7be8f73234b990a3ebb21f50a493ce10f571a04fca61f67677aee0f8531e671ca2a32aeb3540b3228bea0353feee3c144207e5fe5c2198cfda2ac9798bf376f19565c43371153e5f41bc15b80cabf67cda36aa93f92a3530dee33e4556d1702bc916598e92f78bc5637a02398f46e376eabef664b5fe7733b2d0cbb2
7c5a9c8d7b481cba3f07e56a87cf7aa5e039965a1237b098a8ecb89148f1e077e2fc216b24f7aef754a65809736ec673c018fa9d98831f69838600b011328f17310036dc043c333fba65812934d4f9a2a6b61fabe75b396c3848a095d63e9eb301d0e6d7d77ea2dafae8f40c577a8d3a9f1a77c3d21d18e81b8ec3936c3cc0f06982e5ffcef5479d3172e381144a352109698a3b590f73e238ba7b7d07306ba970964fa92bc3916b4efb301b586988d3f17d0c1caf2021c318173692f543ba7a8ff792608ae4bdf407e41ef017610d784f9ca3e7cc2009ab4c4c3c597677e4c4eea76014e70bb8ea84f474128d648904407acc5a7a75a5dcee6ae81b2fa97e95d9e210fecac7daad4a0a2c45bea7357b4986b25ea97fc234dff28374cddf4adf5702ebf25eafa83fa67623e2417442f78870a78141dcd57a7e3854d133362e711a06cfac847670906c9c0a54e50bf183369d65c254666a9562b42a733254fcffc51120b4ec5b911460da89a9714e204241411ae02cbfa771acfa328a7d777cf802a5b1814e0e227304b006fad8b2579c15f66397830bdaf9cd02399107332fbd538a29a0b3432775b2a1d2b088ea5828adc5a469a900af172c6a24a2a56d9a387c74b55fd38451ec802b8a29271d61d8f1e9b6e6ce964861f10b67d04a521a53e45a73e1085974f2d044175d66689b194e3596538695e83e881fec13537cbef21d5a2ab9dc9719752c188bfc3f204950dba940ba8f8023ed3a571cb0ec9c7a2c247a89b4a3fc6c4d09b5e3b90f76e617da43f1048a17bae73856b971df3fbf52eb4eb6adfc7894401df77d165e1572bccb941f99ee6219cd71ec82a3ce48ac556686cde78136ea28d5b801ad7d73d0890b96497fc6e7799548f82d2071df84dba792066a769f2e616a939958747087464c00d04f814685595ce26d81fb43f07f78daaa85fd32152356976756ba728dbde26ebdb8568ae15d2c6d7b41ce08b024417f471e65f6e143860130985c2c4b6d1b8ba51b87d94ef534b285dc99945f5599c602155a194b03c114cd40ebbd03011c6e8595eed8a9264af8f13201bffc5225e369cc2ed17c5c732331d504b4821aeea3acf79acaa9e98e3d2ee1261c366486c4bc59dbfb62b8a971b976c8c6e7379134d0c42277c779db551c8fd39942f88e2b5f6eac2412b1354cb782047f20dbd9a6fe081888a970d9f3aa881c6ea7ac8aa5d67606e03268c65875aed52d87081b9bf140f2a0598b9f743f290880cb816ab5a8cacc56e079380f25e559b8f7914dfa8aa44e3eeee479bb2fcf297223377c3a153d3cb04f22c4345d80953a1b65ca9d9256f129278bf7538d884384e76932eeac09dd287077ad60a07bf588e1504ae5581c9c30e8a82589b00844d3b337f44bf9d3fbdc34bb
c4530551dbbb25bf7c309d700586bbce48a2499698134cfd224ed04597390abc324f6a28361dfe4bcbc04ae47aa7e59d8b1952cd54a169e978055103e573a68dc2dffa6600ebb95acdcefa98009ce111278d3a77a134ec1e3801e030a2ee72d179f9f7b9f1bd53517e0591076353bc5f0079d3a13e35a7da033c39d6448dffb07d4b647fd54f76f78bbb186fb9df42837fd8fc809b388f8105f1ffba02cfd150c7e35ccf513835a7c58d17fa3bb6cc36acbb12a83d4bc6d52d9f9d84227a8b25484eb9c7947f8fc45cfec7c3ebbea0a90c2ae84dc5b92fafc91ead28e5019fb3e9cccd08401f9a829ee441376fc48027b413a2a079adf7a251c3e741439e5193dc2e592038b69bcda4238830fcec5452e12b8df0697f623ffd944884de86c828b603d8577911a0d1948a06b6f81a7bc5b2980b7179d37cc0e7deb148094a0f4837db396063da3cf3df6567221e82aa9b45dc432682cf53674ac3ae20dc8187e3118fc6553e08d1da793de157c36534982abd529fed5fb325aaa14d92a9ec4ea02ad77087280a1ca530e086ef456cb22e68673b6d07ba608f34631f19d4c9846ee2f66f2891b0278d7e8151af3976bba441bfaf95938a041c8553d767777cf6e5a51b10d176fe9e58f242bfd0513e677e1f9fedd7c4ae7de1973b3f094eaf36d0b471fb1a0b67867d2720e513140e569f93240f809b711c54a12daef29fd573e58793b4e597037a0e01ec13fa06e36c88f6eea90136a51ba6cbfd2b5c38e7da13f3b903b5d89a8410bcff27fc2286b7033b228b7639e004cda29b24ce06e17fdbbfc346b8abaff01680df78d01a45d65cf594e4244eeb9f0cef5dcabfe7fd2b1dedfc3cc0540fd4959a90ead36bf92e738506ae6beac4c84cf01df8183a6f3cf7ea7983520b59a8f09a47138b0f5a75d12411e82214ab312fb54f575b33025c3f5ed5ca9bfe3fe9571b9c4b06854232e1d65bd5ac71d7be9196bc7102e7e77fb305e49a16e9eaa24f12948fbee62f4f9e5619e36cc92358252f9a17182ae12c2d78e1942e94ebb0a9cb7c58164186d100e73f93dc7a3bc543579a379514fad48d99e32fe04a947be3df5324da6267ac9b928baeb3c9f9b5181262b7e2956f0a997a469fd079ebe57f7396025abf8c594d09ff2f353790cfda055ed8b570abce9c1c18b5ad4d82a0b7195e4f77c48b58d4f31e36f11d4b64deec09c2068aadb0d74f01ff25ec85569a854f9b171bcb41de033beb985413c3f92c7650edebe9af6ed5c4882045ffaadb95e88d0d737188e81c1430b96c4afd02d2895088522706c0b5e22883ef9bb4040bd276f526971d0e7cfaf9b0d965dec0841ff9db5afae213eec385c6967aa84385e5c1148303b54a45ecea61f3e6279066fa51db25a1c42c88e340c1e8ab6f1f
fbe3d2eb6a26279486f9202d8b8c02fe4a7830a4adf57764544cc82df4ca6dcf14e332e283ca6349acc8a90f0dbf1adb93ca294a93e5a34eae79a8ae2b066795f242e8408ceba322608f892de6e559c25118d1f16ead863f90456a036f4e976fa07cc9a61f213a62ed075e0668e90c0241f1dc92a14e09602ca27df696de8f90f0e8ae48960a80db14855b0b0b6c7a7a31a6e719a41df797e09dbfa17f93e9f152fb72d5f2cd56caf3a1532640ae8e5dad86bd6d87ff60cace9b651cf90fb8ff42b5d9caa904ef6ca5164fa1275010b4482d12cf46f4c240b3944e0a9b1d9ddf306668c6049ee3276ab596469882f603eede5ee5e890319693f42f16884c7fe00f06c132ae40cde57f2c0cea275edd6b40f866fad63c0661eb07176b43b529099591e63dc369bccb13b7b38ace2347052b457fccc4510639dd4ce5f324bfd6b7ca399398ff20f58bff4d2fb48a160fa04239106c633414289c419b270fa2c8866392b220a142e00299e4f85ecb1c73c6222c7228eb26bccf3af56cb6c4d308e03010b46327aa08af24bb82acecc978824493cfa7ca97646c936b641fabbf151f85f06992ef48f9e7298a8e6a77836a092d1742ab9cfb1d032e75acb3c5db7125b0407591d54d3952c5f1d597c3adb5013e92b172b9175fa38aa3a4968676112620dcb561adb016a45afa5b4b18660f4fbff9f98f21833e8b46c1070aa8e8e95850631f7e25361eac044e662158aec08cf87ec02e16ba4b1e19a969fec3c7d595694c5b48bfbb7aac5abcada36dfaec9c64256e0649942a1171f886a85cf9ef29881f297f5d6ca63679f6dbed9c638f970d65b602ba63ecb00b9e3b8e5d91d339f400f5c5908e6fd16535d93348e41bb0383c0a7f2790111415a3e8948ca0910a4f1e73f85bdeffa4b3355ab2a14e2e8368de0559c4315486ec21346823d21049860bc0d698766c1f5a86cb283b4f549c31bbd48f26184aabf676bf5ad8377df558e3cc33e5668358e12e3c442df86fa18c60241b8a77be7f12af62618e615a6a9193cd6a15fad70f67e63833cc0eb561688be0cfd9eda0e42481fe5a419778e07b82bc45682af16a7ff00055070f5cc0f2062e0a60d4d59a2ba3aad38f055affdb01e4ffed87124d07650e39eb00ba8dda82cde140cfeec546dd555ca15e1ac231db239caba419a2b39393face30ed9e9971f970fb59883b9d524745d8bf1b250da59704349227e9f2dbb0ce7339c7c9e3b8ac6e3c90974ea8e81b1b73d04f254aee6384903ed2fa844a2ab2759d32e0676d7a64f0f8cd3e5547e5e486c0011304a7b4878caf6e89e4c02306e848d266bca823d9631006aa3fb7986eb35eddc423eba51853945b786179d2580e69177311b76da29c6420549cdc8c4bf76aa0138b27a4d7a0986bb8
91602482ddeb6472fd6be465c06c7261a6fe0f6f8821786ae408b7de34846f158b3518cf3ca21d660d630c860cef9cb392f5019fa32cf12549d1a0479aaa70fd51a0d293d84d45668d072b17d7101aa49957e2ff5d83a59410ee9d0fde24f335a523fa35298fb5aa8c00445e972f6ba8ceac8b46562c781b9398fb2896b1121d66630b50afdfc93607d8bc020c606b6cdaa8f51146d2038abb193f98371d4235207399994b6f2eaeeec8fc5275b1f087057482ae2792a340f9c0eac56149f04012b2b59d72b1ca596cf11ec9401abb77fd62bbeea3a0c6e25ec6e17e6a5cc4cdafd8e8b940e50ad0994878ade0321f4d2c0732fefb0c5306d3835847626a82909b0b96f0fc9a58c8af8f25d8f0ade664cad6efc79739d4532aabfea8d138478b3757b306d75a8ee51cfa7be05da9255b9734261589433ceea6ab8c44264efa08503d7e87de60c40b3fb9112e8c104e96caf323c2d2972680a2145a45218b5780bd769392f9c649093373cca9555a2a837e7b719a19f446e12d427ee2c5f1161d9d1ad24e4f532db0f24a3d902d02ba3d7e6fdc222ec73c16838519d672aa767382510059edee74c619cc2d064a521224abb370d947a8ddfc26a439a028fca6b0ba40b420ec5313db8198317812e1d784b902797d3bf80593d247ad46ce2a9bcc87174527f1ed9a6bb4a27329fe7af6989c31fda897baa7f38b2231e86546654854fc979539125062a6de298677df139b9602d927e316f942cb83da88497c453a45673c3ce40e3b5385e25d0291f25d187894af86560cfd4714b912c9a4fcc2b12598b55c0d9c9173109769b4a3fb5c1d45a21f5103273d89fc3553f5fb4c19079e64b99ab9f3d39ab2b3ccf16ff00f155f3fdf33c1f85aedc471525c1a9cb468489dd92d6be3e3a864b8dbf4a21beb4771f24ea8ce6f434910d99f6141a1d64041ec3cfdcd8589db60a2cde9ced50a50f9986ef7a334173c7604d16e65f1dc67d9e7d7fa8b154a3973c6ce20479626f1706c3efd7bab3d85a9f12690c29aa786e3aaf80352640d0cb393cceee83a6ce68112052d2f6d6ba1d9c7d4089576bbd2550863fc7a0f0a382878c8095d2f3829853d6b221e49070d8512c72879521d5e956d2d0c0895fc4d9a5a59d07135228ba85d20b672db77b4bba77d7a00d45a039daa98cd70973c57c772dc3b0b9df0b3649a8afc35962a03370a5871cc1ea51f54ed2b52c5bfb4fd54cdc68ed519a40d04e6153d4a1f86c276215cf5fba4ee67f6a9d2f38d1ba579d9634ffd22e05c75a90a825f75911ac787e8cdf70366afbe6a35527b8ea875a7e218d15c9b3d833bf485a716ccbaadaf7f501829aaccdd92c02b77c24d49434f0735be5454be94010b68cbd5a7c70525a81052a46e64447caad264d71199db69
791d2b8f9466238c9514feffcd74793d43641fdbc54c692e38b28830df7ddc27524cb97f1861034f5f1c9afb935e062411e407b582b09b8c4a6cccc90fbb491fbaa375bb60893979e86d7081017a8ed25538ba08d49e3fe989083869e88a38a8fb2b3044945f121c7e10a5719a93d2b33e080b9ce3e1d783048c6567e2103987d1f842693c41e44d34c130c3371cc2502cda329eb2a46cbeb56d8bd52f804c162", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 58, + "comment" : "invalid output size", + "ikm" : "b237665db1d0652011a5eb49101c4d910b11f7f9", + "salt" : "9ad532fb460bf6d4c3eb565dcb84dd0f3c04c5ce962076f1397ca7ca472ae2c2", + "info" : "5901d8fb43a50973", + "size" : 8161, + "okm" : "", + "result" : "invalid", + "flags" : [ + "SizeTooLarge" + ] + }, + { + "tcId" : 59, + "comment" : "output collision for different salts", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "234b37551fb454431c62edd79d67da984eea21e86e56093cff9645d7f80b8188", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 60, + "comment" : "output collision for different salts", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "0000000000000000000000000000000000000000000000000000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "234b37551fb454431c62edd79d67da984eea21e86e56093cff9645d7f80b8188", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 61, + "comment" : "a salt longer than the block size of the hash is equivalent to the hash of the salt", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "1a08959149f4b073bcd902c9bc4ed0324c21c95590773afc77037d610b9584806aeeeda8b5d588d0cd79e7c12211b8e394067516ce12946d61111a52042b539353", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "d45c3909269f4b5f9de1fb2eeb0593a7cb9175c8835aba37e0ee0c4cb3bd87c4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 62, + "comment" : "a salt longer than the block 
size of the hash is equivalent to the hash of the salt", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "c737d7278df1ec7c0a549ce964abd51c3df1d3584d49e77208cd3f9f5bbfb32e", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "d45c3909269f4b5f9de1fb2eeb0593a7cb9175c8835aba37e0ee0c4cb3bd87c4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 63, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "af856d5eed5c77f4", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "5940d282b0f3f91000dd0fd2579db6ac5d86236d5657742fc00e4d9e1757f7c7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 64, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "af856d5eed5c77f40000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "5940d282b0f3f91000dd0fd2579db6ac5d86236d5657742fc00e4d9e1757f7c7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 65, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "af856d5eed5c77f400000000000000000000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "5940d282b0f3f91000dd0fd2579db6ac5d86236d5657742fc00e4d9e1757f7c7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 66, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "af856d5eed5c77f4000000000000000000000000000000000000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "5940d282b0f3f91000dd0fd2579db6ac5d86236d5657742fc00e4d9e1757f7c7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 67, + "comment" : "a salt shorter 
than the block size is padded with zeros.", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "af856d5eed5c77f40000000000000000000000000000000000000000000000000000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "5940d282b0f3f91000dd0fd2579db6ac5d86236d5657742fc00e4d9e1757f7c7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 68, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "af856d5eed5c77f400000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "5940d282b0f3f91000dd0fd2579db6ac5d86236d5657742fc00e4d9e1757f7c7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 69, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "af856d5eed5c77f4000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "5940d282b0f3f91000dd0fd2579db6ac5d86236d5657742fc00e4d9e1757f7c7", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "type" : "HkdfTest", + "keySize" : 256, + "tests" : [ + { + "tcId" : 70, + "comment" : "", + "ikm" : "b18e35e63cc4fe4117bf2754ec3f9ebb5346dbb0bf6d4e5f2422418771816fc4", + "salt" : "", + "info" : "", + "size" : 20, + "okm" : "dffa900130e1d074c51fe2ed2d7764abe94a2adc", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 71, + "comment" : "", + "ikm" : "236c2ba20c72242820f63d3e9c20633162c1cb048a45dea13861e8a138b9640d", + "salt" : "", + "info" : "", + "size" : 42, + "okm" : "e764a7de3f1a3637f41f102d586b8e98f9e95bbc2db63fdd391ec8141cd326259a533fc4b2c7dc6b4fc9", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 72, + "comment" : "", + "ikm" : 
"f2cba42dd82acb5d2d569406815a3769b7becb13fa48537fa7d7d5e121081d39", + "salt" : "", + "info" : "", + "size" : 64, + "okm" : "a9ff577bfbbc7e01651d10589f0958f5ec2316d6ad96f9a8c822e4b0af8a707ed5c04839ace033274e5eb748db183d48a2876ba13fc11a3fefc05cbe30b9a18a", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 73, + "comment" : "", + "ikm" : "73d97f2ffde01b447a5b8573190a8eb4f87f7ac04482836143f780ad876bfffe", + "salt" : "", + "info" : "74d2301c5aca2441372cf6077bd8806dab3e8721", + "size" : 20, + "okm" : "7e447411adcc3af485031fa5cb8d624c812b4d84", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 74, + "comment" : "", + "ikm" : "6948521434707e96fa943e44988d1ad409ec57e6594867e8193e9d727238916d", + "salt" : "", + "info" : "9eaddd1e7edb6b84c96fb5ac7e0d673a8f5084f2", + "size" : 42, + "okm" : "c746740b67f49da7bb6f5d5e6cb5e23509bece3637f33c45abd96fd8b1da48772baf655f24049af16451", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 75, + "comment" : "", + "ikm" : "b72b3854923b8a0048497a86bddef962552c8f6b2c72b2b2006a1820fea5c6a9", + "salt" : "", + "info" : "113b708f7522ec3b362999db18699bf7871e3b8f", + "size" : 64, + "okm" : "6b00010a427093de7e0eed1f22642b2b034b84ebac3b9002229962ef12e53b5baee7ae771a821b385656398739043da5f60d027e1d01e42736a401c853f2e0ca", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 76, + "comment" : "", + "ikm" : "44d774def90685c0e9a685fa50fd434c807d1a57896fa42f91778821fe232057", + "salt" : "0d7d3b47bf8484c8adab7f9c27c9584f", + "info" : "", + "size" : 20, + "okm" : "651d20c6a40e23cf2dcb0d929776e64cc04c3466", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 77, + "comment" : "", + "ikm" : "098ecd86354496a701ffcac8d589a1217231da3b80ccce4ef85762d7f3a2c211", + "salt" : "5232e5e4e2dd6133d46ebe5a8a51a0bc", + "info" : "", + "size" : 42, + "okm" : "bfbcf6c703d8650b8a7d7d0c84f13f635c73e2e8f608adc8964e0ae632bca4d3a70e92e5da871821ee1e", + "result" : "valid", + "flags" : [] 
+ }, + { + "tcId" : 78, + "comment" : "", + "ikm" : "917ad396520e454a571ac39a9f6bc845a8920954fba1ac400cb2988cd8847ba0", + "salt" : "962d86949506450eaca929286ce5d9e7", + "info" : "", + "size" : 64, + "okm" : "547e55f20ca5d7eb38596f6b60f9bcada416cb9c987439ad3c772b27b98cd39d954f7ca5d60c05164b7680ea25b101310671a427162e39baf08f8efa5d0569c3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 79, + "comment" : "", + "ikm" : "1cbff2202268edf1985bc91466b80133644988c5e81368cf0995274204fb0aa3", + "salt" : "2bde6e33534731f52d39add940ff46f6", + "info" : "3e4f9c8d3d607c2ed43caa9e87e6ecbc307c6048", + "size" : 20, + "okm" : "7ce3df3702e7b7aeebc2c11c9fc0bf28b2b90aad", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 80, + "comment" : "", + "ikm" : "d00d6b4fe088077ffbc64127d6bdb9707a0f9061c0b873c334c3be0adaa7c2bd", + "salt" : "1647a044472179d454b8d2108e4a2aa8", + "info" : "4266351bad419173279c901aea148e8b1d99e50f", + "size" : 42, + "okm" : "84afe4ccca3e7c99c6eb84b33a25e66a604308861622009bc7ca1c52e8ddbbecf10aa92415b003686dd5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 81, + "comment" : "", + "ikm" : "9a27c19b607adc8f152faeaeb1282002d3a2166894b7fe5d65829ecdcfaf73b9", + "salt" : "70d83929a6376a6eab859f0d6225f131", + "info" : "36356cdc28187c11cbb9046f9ce7502ab4d2ea46", + "size" : 64, + "okm" : "96a4cbf7f84bab262ad8cb024cc2766031957b75fc412aee2f539cedcb66cc2acf7a5481c155ae91d7f6b6c2e8484a8c03a3505f0d2210f3053d43d83bc651bd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 82, + "comment" : "", + "ikm" : "f5d1c855d3448e212d76d3927ec797dc439cb182f427064288452988ab79c83f", + "salt" : "87ef5da5400db731d658972ea82b76848004e70d3b22cec76c8be06283c4", + "info" : "", + "size" : 20, + "okm" : "8d910333d171e6ac3bdbfc703a1eb64e1db04cdc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 83, + "comment" : "", + "ikm" : "3f19b7095a6b3d313b59c3ba2c3a78d8b24f30c9ed4f8be9eb92f8eeaabd2c3c", + "salt" : 
"8f1f6c8e4f68830319ae859b4b1fa71f1d69552b0c3e53cbbad26293651e", + "info" : "", + "size" : 42, + "okm" : "7deb232b3eea8f89dfb2527aad8b4e4bf0675cea335d423fe6dd224992aaea61661c886d77034111d8e3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 84, + "comment" : "", + "ikm" : "b1d396c69f14994dc8add0f6e0cde4455677ba9ee95ff84a142295f9177ee629", + "salt" : "7f693304bff77534b8246d832749387ecc0e8daeae11d77d022ca9e362d1", + "info" : "", + "size" : 64, + "okm" : "192858a93bba3736472d44cfd406f745a19afcf72824f5367fc2f931ed0057b88c06f42aaae31b660720a2db6c6052ed91b3c642a67d04d9621682ce877665a4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 85, + "comment" : "", + "ikm" : "003d1901a10c062ec44e0f2a94c544b7f53b33f1ea4679fa6e023c2d0a907fcd", + "salt" : "ed86cb8c8ba1c989f9a60a4a82c38be98c70e6218576b292c93fcc18192e", + "info" : "d5d3ef5beb9840d15efe9c778aefe38f1bf7bae3", + "size" : 20, + "okm" : "3154e598c6416fccebc1ab5c820fa8498177ad38", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 86, + "comment" : "", + "ikm" : "02e0647a4b7ccfc0d3ee7ddfe24ce69c02f51cbaa836b96cbc5a9c2885c45599", + "salt" : "f0862f61f2377ca34b76476ae21e331b114c7712aef501a1bf00f7e9cb79", + "info" : "4e9e27d971e76fda614fde15031f6664b97d4786", + "size" : 42, + "okm" : "693bccb2426f36134c61fe44d8f77801dc55489cfaea660f0c91093a82cfe16844a7f60e416edb0fc5d1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 87, + "comment" : "", + "ikm" : "92bfb7e31e839f109e6622b2c2c4f41ce84c9907172681920e7d90e80e2339bf", + "salt" : "ce869619607f71fde53ef55e18d01d20002e3f91a8b7584190fc6667b8d2", + "info" : "ff36776fc755722ff371f21cfb37a168a2731e99", + "size" : 64, + "okm" : "325bcbf88f99f347fd2a565814d435a295ad73ec203b951e56c11055c62b989bd8138f3d0268672b8b1a1b7ef00578b5d30bac41848383f4e5392b7276121d0a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 88, + "comment" : "", + "ikm" : "17632581c34ab743992cd99318889b32f92812bd37f41636b5fbbf2b12190c6f", + "salt" : 
"55e39431c83648867ac98eb7ecbbc8b41c5a5e774646b926a9b49c511915b0de1241f8666da198f6ba4bf7e9025e434b6d7ef794e7a563309303055fe3bbe769", + "info" : "", + "size" : 42, + "okm" : "696d76e5811d7808a8d1ab3f88c699685e04f12ebcb7eff276bcadbc9492fd163618f01ef9c92e597d57", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 89, + "comment" : "", + "ikm" : "045b4d451bc30c39afe0932f6cd62e65b4b2ae2cf1160f19e8ba1323f7ca146c", + "salt" : "b73682dda0fad41095070b2b26f2d7d98ac62202d918258ca9aca0f794ef5e4d23b3fc43c8cabf9fcb37ad9a62337fbce967fe24054c3bf891195858e53997f4", + "info" : "613e353162c6c1b12fb1477fbc54074ff7848a14", + "size" : 42, + "okm" : "46f80edfd0107fa0ee7679870d8053efdc002b34a631ef9e80c4ff71f26f1adf67ad86e5e010e03e71cb", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 90, + "comment" : "", + "ikm" : "82efaeb5675daa97466cc61626f3979943f3fdbd115488655cf7d10f278b4777", + "salt" : "f0950b72da1658417656aaff8300de0ba25c294cc37c8cbb5d21500db5329655", + "info" : "2ef76656956e76c6", + "size" : 32, + "okm" : "7c46dbc4ff032e1f51eff7e5b42f7964c0033d2eb1fb9792c9a2e881abf28cf3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 91, + "comment" : "", + "ikm" : "29f4a06c406716a2d0977bec7da2b1744558bf9cddab315d9a335664e0b3e7fe", + "salt" : "76ce4f337e3cfd2e2f6b285a658bb91e036f9dd2e18cf29c46765e62ffa37b29", + "info" : "5faad6499cb41564", + "size" : 56, + "okm" : "7cf6836ad2510c69ef9fe46956aa21646c59debe68aa2275245406fc317ff9aaef1ee4ade1c393070136c96eca5f84ade585215f4ec4d6db", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 92, + "comment" : "", + "ikm" : "2b1cce4f551d59327f13e0eb78fe51ed5e74d1c5bce2d500d832b4b880c041dd", + "salt" : "7b9ab6287dea796394ab0b7d260476d02f86e02266bc9711f8ba4861ab69ac8d", + "info" : "ebd644650e75a774", + "size" : 128, + "okm" : 
"7710f9f762a96aceaa5096058e1fb32d62803c1f7fd3f63495bf7773ef16956f3000c53616bd5bd12a5b28df53ae7ba7c36267e2970bbcf3c4b1476928f44c0906b6ab204a746f069cc9f065e038143b842a9e69208a37e740e808c043ddaa663e52a1357617eededfdcbefdd7d5b2c5c0b208f981da0a588b10413fae9ee7f8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 93, + "comment" : "maximal output size", + "ikm" : "bdd9c30b5fab7f22d859db774779b41cc124daf3ce872f6e80951c0edd8f8214", + "salt" : "90983ed74912c6173d0f7cf8164b525361b89bda04d085341a057bde9083b5af", + "info" : "e6483e923d37e4ba", + "size" : 8160, + "okm" : "5fd99b6a94d1fd2fe8e1f0b9a7b32b6be4b9dc967b78b9d7a221321154c12ce014581e7660649e582377272bd13cbac2c9ae66625b613ed01f3408a560a213e8b6d364bef03ecef71cf58598dcf218e461fefd6d12db5cf2bb196b79082c5ddcb5dc7a83217fbf93c4d89dc803af71c7bd1b91ed9eed4e9515032445d83fa9698433dbc2c357a587df8d1ee4230e1519234992759bcc2b5261fa109141eed97c090806929af8a26d949f505c5f6d0a7c9f5c85e687d947691fc63c44215afdf0223b3813da09b2683e19b8625403eff8e28bd5de09a250e900d9fa8d74dd43904cc21304e708df0fbc6c42f35ad2f1223326ea921d92b03d56208cad1477249e0c9d741327dd264b1fae6f2869da8cb3f4ea0385d7ff27afd49155d2d4099c8f2afc5a93da83b8d2f8fa9668c2dbc66cb84376edc38674b7cd0285c1cff8db4d9b339973055c74bbbc8070591da6b86f5819eaa774124ec203f8e16ed9f9b03207c21769be4b989c0990eb5fc8a25a48b9a906c72f22c5b9d1fe3bbc77d0f276ed3de40bf3699cdc9cc00c5289c8fe1071703d9282d751e0d57d1d68b427a642d73a31b57d9cf321d5faf612223824a58422cbecb9d5f5497758f6c84799649a06cd59d6bdf786ef28fa0fc4d27c33fab33aa9118403286e0f0f5bb01db77e3683dd2765639d5f67b39e3178be9adcadcb336f25ab81701382c8cd9a1faa79d89817060bc3972e5279b3e04d01ace7be1ae79904091f2127945e853eedac23f6eb2ce61aba8e4f789ecc82c6ff846c289de412e0f393de8f1de0ee2024a3acd432f8806122c98be4bc2cc54ddcc80453880ac122a5b37c24a2daac608436a148f83a59f8bf8d9cf40a61ae1e03f8985ce181aa16c6dde9f23f1847ef8c142db603abf27902796140b776b3a98157e449cece81755ad3e0f963cc655b06e4f732a0c4cb8b5902d79d534738662b7f484a2ed9d328b7cc8c22ed5f29bdd13c1a655ed39f0d01b91d5d1b
57c0b9368caa362792ba43a6fe58d37af166fda6f440539676fda63b1f42cea3e621bdb8e6f2909d06a38a59e9928f1bb8b0014b43eedd178a14cf070822f4db83491a42a2a07da28e728a998c4386a36f4b4b78f3b66a4716e059b636074f26a9b4535d3009ada020cb04adcdf03b798255896338b16331931b3a803c1472435ede2539d15068f6a06faa16d007ae0660105f3f6a0533792889a13c43fe7cd1ad269e188ffc3eb7dda490848239bfaba8720d85cc8189d48e3be227fd95dfb75bf6ef60bb56dc61ab0bd11bd7e82a6290a249ad7aedb9d0a5d4e5f24fde436b863602285c4825f53ffa99763aef3fc2de5c09d3daa37c5a81b42444676c48d39bfb710921a9e3fbe0cebc110c02952f3dd870fad0c61abaa40b90756e86496de4ceaff9e4123d3e561d62484a7e4f4acbf104ca2c1c4158c9f5e19661c89264d084e5e0b1e505fd83a644ae6b61be6ba04ccd79f42045e2c9254c422aa9a95ae632bd0d2f004e6d7406e83f86a37bd59ed571d0c2ff5c27a7fe97cbe922e0632c93bb7f59f3ff2773774038fda7a617aeb3fbb3ed3732f2b3119333ca100b0a43a0be9cc8e22e699f3e5465edf697d7fd209516002feadcd5a2fc5c3120ec1eba7267c25b12e47493425a257574e6815d0a82d75182b8793eb2f5ef11802ed8cc548d3d465cb54b2e393a840fbbce3d52d404706b441bac12eb462048e3da796c31effc64e3ec372edff1ca546fca3446504e05f5ff9116ab6e0d511a768f70dfb4ab612f12a94714baa0d9df0360d4398d2a7f706a6237d11cb8c36ddf06082008fe1518c694ffb291fd17b8fa7aec004c0696b7ebda028f428fb1130b554590d9d3c0ac15d596ff2ed065e0e812b1e6056862207ab2fb6651009c4a724a41c31d060342fa54ea30390596295e7861d52b9eaf4c7c1c4bef5b1f2606696c570068d8a8f9b6395576071bab35d6749d042370a4042c8a1d044c8e9db39fdc475e3294d2f3faa5c8cd6b833f432ad966f044e4a6e76e4ea985caafca2f2f8828919092fb5f4b7ec5021c1835b60a04f746c73018f01c0cf72a8004076f2fbec0e6f5572241b0141684544998b085e931402282895c027eae0819719a14c42984f46712a954343c4739e817460a1d79e06e8653060de7e1eb34b2a05ebb80750e42cc77060635aefd549cbbaefc55820da18ef2a784a7d8d87104517447085b59e8f2b97a9e6deac97d759fd363cfffc4c4c3b63af30e6958dc27bf46c786a7211dc74cb6405d374c24fc02362a283d822cde59dc72dc0a2deb07d7bc702c49459d142adcdf364103b45eff74c682fb47c7cb34a00ec01de18687c48675494ebef1f09a0a05d5597be15be76faffcb321e0d6984e4a449c92078a9b32ded0cc61bc80bf2b3f06f9b3
379f438b022960ce4cc570644db11c1b9833a0f054b6311e155c17ecb0ee8cf73d4e8a762a10ec9e98d7057dd4f00d0970cdc8b6f489118fa3b18d98d506179206b1c4c43910fd81e8df00c1a5e38cfe04c0c5128eedab41f33a238693a42dc02ffa7313cbb79919b482c03659001c5aa36ac96482e882e2963bd33ce69dc0f7a5b82daab911ed9585cfc5a1880667adc0a37a090392b760d9077711ee77d06a7c9f9c68089f1477a4996c32c6f6370c57740605725b46c0faf7ca759004fe19a2ba7829b21e413dc609d039235b97fb5bd4bd6634da0b2ce67946d2047920c7c11279ba0c0ab4fddeb12a53bebe7b5f9c9b02ce66c0c7f691fbcb19914479ef3dea2285a6f0c78e8c81816c35b00109b5f4a6c71909a617ea4d73e4d9311257b828c65019db542b31a72986194b233476cf107cea9779788837f06cdaf9cdeec5e8df4e20af6fd8308d2bf848bfa742ed71ea6edad4b4595ce051abde0d456ff3adf51663d7b7bf291c2f25fb4c0def031d59d48eb365314e1c46d60fb326b136b51cecc05770fcd8fd4d2c7de05ad33be61daa48b96740710fcbf264a5b5a9bd4adef533bd32b1b7a9069ba30c0dec693337d0904019acb1e56858112052955dccf36951eb8ddb50b3e1c37d429c2ebeeda10a0f4c08ff73f7c4147ecf325334ad1e7b85bbccabe7f5cfc225f083cb2615af44d5621449c949d7cb15f23665c7f575ec0adf5718b72eb94e91dd3efee019b255ac09f69bc581adfca4c81432ff189e88da22a4393abc531af4d59344b55df8b81fe7e8f165cb584b120353fb96b6dd2f05e39ee71c859260b4047ca143da050541201355723b8a7a799602e3d67c24cc67629a03876dcf59e9b279cc7ed6503898d6a29eb7051936b5ceefe5a3aa95d31cde6814d7dbbce5cc738f6d04611e8326bf297605107be86e47892fc834cdbb7bc6f45306cb1cb4a9d9f8ee173e8b2af810f827f568e0c43d0c31d782b09a971b414e0ff003cabd04a3e05a596dbbf51de01bccc17ab7b14c4cfc10813cacac54c15e0b1835baf04319463e0198dda56e225016530f35f88cd29a2b5d4dd22b76471fa781a4ac92cca161e2b0b4c41573c638119125722195be871dab7db109b5e66e79bca5306b255b58d3589b3e08bdbf48ec6c4cb5f80163ee84eb55fb17aafe437ea8baccc91a40d078a213f2480752097110aaae940e9edcb1a5db2bd4819286160651ada8665381be49419e01be43ba9c26b0b46fa5d3149ca2b9ba01a15b46612f1a61b3a3769dad50f2e8b05d94fb6cf58790ec3dc0238a7ed6bb2988a7f8e56eba7b228db66d4defab147cf254051852c70f7019bf0dd7e3aad7e49e5bd73f7f6b0dda03476126b0403da7d1b1328921362011a9326b022913fa7b054aef78
fb95d3f979aae8f1e1198f105b84a3c097cb77a6cf85958eacf940d274284f4681ff0bcd3a37df5e6fead6c252e3a3af01b730b7cfa90fbcc1e0e1d9af39b4824203c0f4e247c9d393d1ad045f7578972d1b2e4bb970b2545d773e46e2dfdebbc0193372cbb35fb3c9799a49e2bbb196c78321ab28b1e29b4e1f3ac263ca0f3854c4f28314d7dc5ae5c3b47e8fdf8ca74313eabe774acd8feb84583216d53c50d7ebc507f0bccbaf713395c6641021c46aa188be18a3a10c81bbd37f273ce93978ad300ed9691ebb52784f7a0208d34c1eaa2a32a56ff863272f7620576d6a3bf593b87344bfb2a36f1526733cb657ddf0d71881035e3d15f722c69cadf7a3c3f690bae474cd619bca8adc4917322db1130ed4ecd0eeb986f2532760ccb0050dc993e88ba425ed35220cbb7de97b7491c511f244aa243301ab24a72d8dfd6de27ddc5bae277b818cecd1066d0929a11ef1527cd9cace1c598a709aa8ee160f062b1cba0e05f2aa0a9fb5496283465d036fa736bb7e162b693733409da5b2245314926a965f4599d8e3197751cfc33c0d47e2f32a53440109bc257e171bcdcc2cd92adc8f63eeaab0a9d8111a752d37998ac37e47b1b73abe52036c418b039ca2d7214b010104dcc31ecda77670e49ce591e8c422a87243e7529d1a214a84720328811bba534b64a4a893169322d03b2bff9fdaa6df1ac474bb7ff285f3652d171a460cdde44706e757ee9b9e5957d3503734df518dfa30792b6d916877c61a96bba4f104b409f6e6c378dd331fdf6ad124b2b83b885838cc8ee3092b6b30e752058e821a66b217ccbf651dfc504450e71ec6586e5f17d68e7114a1caa8da5360a5aeee9de512ef24aedfb9b48ca3d218f2800aa0c2b8e9e7cddc99a7efda35d71f11916be2cffcf12be9dca9644a856fc64cccc93940d2ecca09b2ec74af5279a3b33eed028ca439e2aa7ea02d043aaf3bf6f13511ca11162951fb9a638de1bd4925d430a63a02da095bd1439f121de1c619627edef0d652c08e4240509f99a715c51e30c6a95c08705355a64d79df580e24700283bb31692b1d1d558187d13dbf61174585915f5da61f22792572de06a64be18270608e0f4723612ca55d295d99a12751d85a54c153713d8bd3cdd0ec92f5ac910b8d27124192cb6d61479461fac6b4b6f0bff38a67c131e3a01c2eaeb6e88673a2b7d45ae3275a19e4a127a672cd91e5497a55ae90178d8130862a223a4b20b3ef51dcf658d63d26514a22107a18051f7f70a3aa1bc69cd60de295b3ac351552b909605a48a983f6ebcfaa1bc13f75db0f92ac8ee4af89daf8cedbc64cb880ef0f2b4679935f0d1cc60a60c5024a7c16ad27ca9fc21c889387977ea6b497d7c3d5e5c45d1ece8c19cca96c4193a19b36b8293343
85dfab2bac6158f47eefbeec3b171069f516d0fe68fbabde4009d09735fede9298d59d70791ce0572a48283a0549165f9937f165b91003dbacbedf6341b97115710021c1c32263d0edff55d10410628ff4cb5ce3b010951cc6b16d2756eb14ade18005944f0787c1d3860b750ee1e90d1d7a7bafab9d45e29260e0f228869fb353bdf071ac6fcdc0b87071b20d131cdc8305c5a91352d9ffb376e86cd72ce5973713f1e0a2d2079b133ca8a27ca6594c4631900da68dc067dac381dc16ab4da1cdb1c494f295cdd83adc791644fc6ea04915cbe120bc4f2c0e0a93d81c9cf1ca9c302497068c854d2b26d2d39b08c80efc43ec29f268a21a1c3afe2582e5741d7e7a1f364f0fc1e6a760caf6dbdea461b273b34a501dcb7e323f5f3467949692e2548dd60781e8c98262592f73e158d58d579d7859173bd25624e18c310ea8b2dcc5eabb1581b59131c877b663e55532cfa079fd08b4ebf4e9227152d69677d6e7152cde685feaff986167d5331fe5f8d2b509abaec8d2a8771e310c5aa188daca39170f42002ad8dcffd74477ce628c5d157e6e2323c3d2e768749a4194d41a9f6a204663b9efdde8b65d9739812513374659c5ba2ecb72b29a874c814e9ac1e71c005fbbe2b9bd73b00918118a8d6cccbaf2facb4cfab078aef373fa61a7aba5bed3e4b902f2ac9e5a41672c0b8aa024eae9a3e0c9b2365e2f5d8f4b94aa80425db5e16a414499f27eb4e8103cc1da41f2f25579246e0c32d8bc09f36f1f0591ff8a7acc32b2b16dc36ae4c8eb35ccd330eb9dba0abd1646b685f90cc6564ebfd51b0541050ea10e920051c2c2d720747a0ecc8c59bfead9ed542ffe1ff84c8755a2174e6292077e1bb452d199c75fc65218701a3d65a5acdd252a83df1c39745789cd35b05b041206b6e7e7b8ca46671aace80601dfbb50a9b88d636b6c8bc8318e3fd1015f6aa06a59982104ed7d08065a7d99c52f5e03ee16e0e58ca717a899fc1d329aab6ef3f5c442cabea9c20e61e7518c637a975bfc55f5957700b16e2ee0abaae3ea3a10198d7cb7cfde8d74588c9416896a477945712ba256d458b7a076f7f5750588afffc44f53ff99f77060c6dadf5cd921661f72050af110bed15d92a9853c5190d1cfa0cfbd5d73209f00b9257f9fdfc960b338642b7007b7b449bc9858391a4e090402f4b26b818f4f0e759aa583fccb0a54f1707cc222071e8b571ad78a68a1e37601ae655666a955bc5385084830ed2bff7d48af88ef15c08a59f163670a6d908dbdc464075134ee28a8b91a82a711b0ec8eed5ae747b023f0323ad5db9c1c8e7cd1436260754363f3910a94e240becec54980cd3ae6cf82f7e0d642f91045f722bc1f62866ccda4069718c2ab6f831b9b17e87ab967f58fb50ad011c541b2
ece0971eda5bfa563c9d3be13cbb3c9c00b9e0297159049ab1f798fae5d555f1b76dedee3eb174955aa76b960815a9f9d9039c45e23f0b855d1c936adbc44cf79217332bde34937e523c797355f95e1ed5ca1e7ec55df924a92abd8ea4beed019aee23d4c31dc78870c90371d02f8c499bf94d6ebc8dca987a294c705f455637ca13f486d6bdd2cc4f6c6e41576ac70479f63eb74f10bb0ed3e82e26d92399046c5fa2b77720415b25c0d86ebb435d5faa4a53aa7103d035e050aec235e848c1d30ef28f49bc12badf7e1f1e9928614e373ad0f462991f0f2cfe39b7fb10d44d6abd53c506e7b2e728ae537ea2a126dfdb3466e373fd773deacc438d55b06f78b4abd8aab4ab2b694ef7422c177cc358ee977afef5b5d50717d4856c4839e747cf106cf1af079c33e8d946cd20a240fb94efe18f0ac7b1c9ab8be58e891976b7e7693cfb0592901bb56da2918b55da38a3615207720972a028266398ef451666fabe85d79b154c0e8157057847d93c7cd14d9fd2173b0f6b57fd7aaf2fee3eb98f059c7539557679090b842186357e19fabb891957788e34264ae867a83f5c5a1d79cadca44dee4ed6797611e9731da5a98b5b43f6a48a67431fb5b1f28e5edffe36a188cb696b0861194bb809b0f8687d790d0a5ada98ab06f6c1aeed04bc1beb0dbcceeece2e0ff3dcb54615206ec070cd109dd6eb5b4a84eccab44ab4712429eb91c5bd2b22f04ea140c252db8f65c42fcb09ceebb9e1de961a8d9ce1e536a5e040f9999ebf9bd8b38cb3562fa9b52ce8e27877303d542896526d5638f8fce8b69dc0ad08e9b1edbb404d24ba86bc37297a5dc0608557f9c520007078480adff54f8a6f36cba5441d7261f1985ad48d0d12b9172e1a1bd463d102134527099ce0c919d427dc53478fa6d6276e438cf83abc94414a5f73da8cdd206613833c836edf4a5d2dbbc7689a8c1abb9cdef52944d31a65d61f5d5a780db652e55ca89dca7d67b7e920c08e95d7d0252d008194b5392c948e4c00da29c0ab2d6a8d8e71fafb5c25e006a5c60ca27179312c7254e5eb82a9797b50169b21306cadc75a96b51c76f0685ee77b13d1d05985c1fcb8dcdb131f5292b79e076f101228173700800e8cb992e2fb3f06565ea245320b1abcf4461e40e6d01708758aad1c790f7859c47d85ad07ba8e693a056907ef24c37e7b2ed52ae5a36552043dc4cb67139b5bac5cb42d2641dbaa76d16aa1471305d677eca15b2ab5a0c54ac4686afc42e541c2ca6c82b8f2a0e4ca0b84d70822d3c86c3c8344f11cac9a1d9a846dfdd55d3789fc1b48c4382d02eb6d9c1b56d7ab915e10907383770457c13ac1ed8cb37b382043b00b921dad98b35ae0f62664b612032752a11902b4abb2b57f403a8417d58467eb35566f
ee7508e4efeba70f10fe8eea45aed2c3ed7d1c4124d491a4a609267bbeef11f79dfd8fa009b0053cf07750264a44771d94fd7f59477ba8cc35e98dd58e3b32564449b5477abdc1626352124323a28db2340a3813fed4291d6e1ce3d247cbed072c92b0c02214673a5332cf8df8f533a1d042e63b087c0c6666082a6688bdaf355c28592e933ca0d22b271e3973f8c3e19a73eb247041f0c4888ce1933e64b9353b8991e8e6dcc4bb680a4cda36eadb8684ed368247c079e3ad3c9eca7bf36af7f45ef899345b8fb087d7b9e0d74169b9fa5a25cb01512479c6deddaceca52e56682cc4cdbe1228de2e2fd4e2d960c39dbeadf0a170dfee63c326b4a1ecad2229c8244920331aca9b2aee0e2f8734f8b33044eaf313adc11332a2c9665d11021ed9807b8cb25fd533f36e9aaa71a725de7b51b60d00f1ef156027d7170d3a3ac9f05d7ff28c985322ec94758a93ae09c916f114bced7fbf18f8a87e1e7e0d38a45609c78c3c7f4215de6319be36f4900c2a6a333b680be8997b2e5ebef0dc61c45085ac0e7194070f17d1982ae77ea146fca09f02f4fe51ebc3dee456bac5103a7e9d92c6c3c33fa401e64fd35e4ec598c61a9a3a509383cc8bf206ff3686e16a62e603ced7512249b8d0bdbfc8c8e17610e04313ef99787bb305d7eafaf61c3f4bbd655fece58867d68a49aa0569e1d4c267cf30af3096b9c6974a1e14b88ea41d390540c7b9dbf5f796d23d4fa78493eab7f2d8f9004f7ffdea1545a49e54802468d30bce39995d712645aeddbecbb0cfebff195ab658fe05c04a31c6254858af5d8e57f4098e638f1faf3361d851bc7d19e72d8347c3fd27a16fcb329bbf9130af7120e6b8551fb82466f6a75562c50199017ca29fab28b0a38c1a3787a1b66d5edc9d7937ddc8205a210b5a339170bba3fd387e776fbe0f0dc1f05a339c0ffc8ea6f5ec60a7b8d51154103939fbb09496c79e6a62acfa592654be3067ce0fb5faf4499a7bfbe01f0aada0c03f8bb84de45f09e5a4b54bc6edc14588b705688fef1d0188c8726e69ce8c6cf22b576e96810c586601feed56c7926f4fab1cf71802fd25f8ec4ec5b27a5e163ea7a9562efcdb31cf49d310e073287941335babe8d8b1df469e47ae1dd068fa820453db30c3cfc4f6d5857235bb0951ab5e2efacadaa5381184d0a03eaf9be1bb86f8c7a15f078f0be01ac7adb3b1c455e76d1dd3767592ea6cb12986c48aaa4c20a00c8d11bfa44606f5d8475cc6dab844940f88831955d3686e3d0a659abe6482d560aa2c721525e66baa84ebe53aece8e36252b8d2458b955f55eb3706047683130aee910ff235fe48d2e44c868afaa3fc4641948d5dfbecf3ad74f7acc4457207f7e292ff1355af9fa109c498e2613f13071b229a4ebdc69caf
29872b6c98cbd17b60fc797214bad78c987451e46418735bed33551e997e6bc8093941ae3d4a6d6a01c786f689e121e02827fc0303852bdf72f44330ca69ce6cc498cdb68823de53768741dea09be1bd98cceeb7f89cf473ccef1f3e672d32188cc599f37ce5255edc6148e7e2e3428d74f112916709609911f6b7f3569c50b9ae727f3365e1f14238184e9c67d2149c2ac408c6f7d7eae8b3fa763706dbaf0271402d92c639810f59698dc9117ad42e1c19701c1d32f069875838b2d83e5a8c8a064ec82dcd1ed3526e01bc511c41fc09d53856dab28f60107769eb259658d84c50e6739edef6f4df380a74c17db01dd0ac1f5465b3eefcd046a1e52bb54c98e52a22af4497c5b59d667b54d7f11969a547555d573df24946d51887f45fce145982b4f2632007f25f280dd87aec910932fba1f742218895412136ef7041f3d00e88efd80260597434a0fef735d07a3f57939821f13dec8de69fc4bb98f5ea8317ff7f89bf7af215c7875142e6c894c596a24acbb703fd5a4705d37ead919326ad55d19775b5765a7cd60314cb453a96bd8c64f51f19f9144f3f88072260d1a27d758fa670d63cca7b5d1ac750b591f0227fbc250f139e663f42b0e8318ee709f3e2e04015ed16918c57bf108f7a8fa0901c99161734db72e530c4e2f41860b0fd703913b4e1993a0fe32e26c2b93fd195aada3b88ae1bb5f40ec7e07bd6bfe95fa1e3cb060a3dab1ca52d87fc955956a25543af410888972e7984eaf94e80faa1b254569c95b0d52badeefd14e4cc14c42ae12adaac72c9eea48cff90ec96d85b37e0225ff9bc82cfea6499ec29d56a61bec24284e885e0021163b14649a050de5a90b5b941aa0ec0891e7d7052d045ef1ca93c47921019b3140b075eb6d99ff5c327f964b5ccb4d3fd4e9985606fa1f2850d1fa5fb1e902049c015d13b128f322fa47ba2552fdc2cabddcc3161b34ae0541945429d7607627b45bd7a808997dc1d5fff59ff3962a300da1dd37296d1cb39425e5fabae502da8d740bdea15101e63b97d896229910241dc438b0937b66a0df0730a966a00df510a54ddf1fbec550093591f891b2cb17934f0380094e096d0448c91bc7d28a5719ec9a8a2f6df5b593a15597a7fc6989eacbb343c928d7fc5e9051299b02b42db3cf3723e92250bb84fda24f61bd5a86e2696f5aa07dd1108fd5862ea54ea307f5a54e7a192f9ed2b214ef65924eed31e07dc3b7ba9a4195b53d446104060f29b26acbd1e36ffae1c0f96d2310ecc1d9ca125f3dc682678a47993bedb9cd91133740d17eca07bc0eb3d8ba18a3eb52f3d6779298045766f33f813212e766f76e48a4b0416b5ee646969659b490da413df61fc3d961b87793676a877123ae7038b3d10fda9fdb2a990097262004b63
ae4d992270d53ceb9572f87655f0dc91b78bb4a8ba6047a16ec25fab31c06ac7a2dca432d4b7ae82b1acfa3ee0910af0f7717ea57f98d3330bbbfd0ce475815e85340be8f3d1d713b0d7c437cd5a04c5e511c6d55314d61274e8354c37b8c54b3cc613e9bc97ce393fb2f55873105ba127fca0716bdd399905948fe42b76e7ce9a3f6e91abeb51c346952241edd6edb9c6873f8ed5ac470ec6f69e75d42b88a643b9e10c7515b93cd66cf65a636f5f6157001c4082d53c5876ace30248dd982f035e6c4122a7a5d9d299c7774e55449af162b7a7a33394742817ffd6c4b5aad1e62c7319c1e6724d6fd0c8c2cecbacd2a7eefe17c1cb0b87945f3a19a3cda8cad0935fe7cf6211bd71b54463ce9e5a9616a5ec60bc5c85060ec0a6e63d0c5750d2bd36f6042db66accf596724bbff5d200e3286ca26b744aaad6288cde5540c8d2e99e6b682d19baf0bd70582c572d0271f259b6260ceb5bb831207992c5b20c8bd37067e48062c309236bc08cae43ccb0fe28dd0e1d05a910c5bdf7e255e056b06cf36d9e384e76c8cc42827083a300be06d63e2f17dc39415597fa647c502fe45cdecea40cdf6a5a133ebc8beb2303bd6a628f6c796d71ba2a5aaa4f0105", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 94, + "comment" : "invalid output size", + "ikm" : "2b1017f28a19841832f576bfb3108db78a1e6f2009d49d25aade75d403ded34f", + "salt" : "41535a35ec11384df15a0a24a65f067591b446ac4514f7d981724db4900a6106", + "info" : "e4978d1c18687176", + "size" : 8161, + "okm" : "", + "result" : "invalid", + "flags" : [ + "SizeTooLarge" + ] + }, + { + "tcId" : 95, + "comment" : "output collision for different salts", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "2d0d642aea95ee9892fb87ac392b06aeaead1735c3468fff85c4d65fa62d4a06", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 96, + "comment" : "output collision for different salts", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "0000000000000000000000000000000000000000000000000000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : 
"2d0d642aea95ee9892fb87ac392b06aeaead1735c3468fff85c4d65fa62d4a06", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 97, + "comment" : "a salt longer than the block size of the hash is equivalent to the hash of the salt", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "0102c651e047fed9c217bcf915520532d44999534c1e7e7c87311093d7a3681aff3e2d335b3c6139b9fc66dcfe35573b36a329a550c4cd20bfe2a90dfea50167ff", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "99dfa94cc0a5e1c313ffc5b3e664149bfe9c85afa7f4d8cff61b7b4fe4b9515a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 98, + "comment" : "a salt longer than the block size of the hash is equivalent to the hash of the salt", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "4031634ed8a9a6152058b921eee93908e7277f79263e73976967278317c2b885", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "99dfa94cc0a5e1c313ffc5b3e664149bfe9c85afa7f4d8cff61b7b4fe4b9515a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 99, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "cd920e8dbf19ed66", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "64f72009dd00e4ca7a63f4b9f92dddf6dd074b5cb3e0fa753d47748dc42f0824", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 100, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "cd920e8dbf19ed660000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "64f72009dd00e4ca7a63f4b9f92dddf6dd074b5cb3e0fa753d47748dc42f0824", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 101, + "comment" : "a salt shorter than the block size is padded with 
zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "cd920e8dbf19ed6600000000000000000000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "64f72009dd00e4ca7a63f4b9f92dddf6dd074b5cb3e0fa753d47748dc42f0824", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 102, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "cd920e8dbf19ed66000000000000000000000000000000000000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "64f72009dd00e4ca7a63f4b9f92dddf6dd074b5cb3e0fa753d47748dc42f0824", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 103, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "cd920e8dbf19ed660000000000000000000000000000000000000000000000000000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "64f72009dd00e4ca7a63f4b9f92dddf6dd074b5cb3e0fa753d47748dc42f0824", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 104, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "cd920e8dbf19ed6600000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "64f72009dd00e4ca7a63f4b9f92dddf6dd074b5cb3e0fa753d47748dc42f0824", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 105, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : 
"cd920e8dbf19ed66000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "64f72009dd00e4ca7a63f4b9f92dddf6dd074b5cb3e0fa753d47748dc42f0824", + "result" : "valid", + "flags" : [] + } + ] + } + ] +} diff --git a/rust/tests/wycheproof/hkdf_sha384_test.json b/rust/tests/wycheproof/hkdf_sha384_test.json new file mode 100644 index 00000000..b36702e0 --- /dev/null +++ b/rust/tests/wycheproof/hkdf_sha384_test.json 
@@ -0,0 +1,1209 @@ +{ + "algorithm" : "HKDF-SHA-384", + "generatorVersion" : "0.8rc17", + "numberOfTests" : 102, + "header" : [ + "Test vector of type HkdfTest are intended for the verification of HKDF." + ], + "notes" : { + "EmptySalt" : "An empty salt is a valid input for HKDF. It is equivalent to a salt with n zero bytes, where n is the size of the underlying hash function.", + "SizeTooLarge" : "The output size of HKDF is limited to 255*size of the hash digest" + }, + "schema" : "hkdf_test_schema.json", + "testGroups" : [ + { + "type" : "HkdfTest", + "keySize" : 128, + "tests" : [ + { + "tcId" : 1, + "comment" : "", + "ikm" : "60ab7f45b0ad534683b3a6c020d4f775", + "salt" : "", + "info" : "", + "size" : 20, + "okm" : "3f8b0e4a7b2bff01a26a18f1e07c0218897a324e", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 2, + "comment" : "", + "ikm" : "e3db76e02278cbd2adbcb4555803da11", + "salt" : "", + "info" : "", + "size" : 42, + "okm" : "54d872ee6079718738b96cad7573bdd667aef80a43344ccdd2488eb2e1d3c33b9e291faf89609af32365", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 3, + "comment" : "", + "ikm" : "d4dcb92a769f57c8bab8a420ee0aa351", + "salt" : "", + "info" : "", + "size" : 64, + "okm" : "8998abf032b4fbb29e431f0bf1544e19590ef4fc99e013db8d6ce0dc085660dd3f2432b5f9cdcc44cb6ce0053e7eb43c0375ac7efba148ece8688e637a5759f6", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 4, + "comment" : "", + "ikm" : "2d43e54bf0c94c9cbff4300f4aa69ab8", + "salt" : "", + "info" : "d674da3bb47d5c7e38b501e5251d9348af601c44", + "size" : 20, + "okm" : "658e6132e5279439568a617274fc788dccc2bacf", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 5, + "comment" : "", + "ikm" : "4055536896c406d5fe14a6cd6b999bff", + "salt" : "", + "info" : "2094768a8816f7df070d6e08b7ad93755dc9024b", + "size" : 42, + "okm" : "14a650a903d54e0de9962f5462deb135071cd1e3051ecacd65d378b6181b41e1e1ab3b5d2143b710c728", + "result" 
: "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 6, + "comment" : "", + "ikm" : "5b01b2da3166f217cdd68de8af60078f", + "salt" : "", + "info" : "6884cfa7ffe8f27bf4ebc6e46a7e01488c79243a", + "size" : 64, + "okm" : "7bf6c7c72fa9bf184f9a2e13077a0e1afb9d976a5574fb7ec819d8bafb9b10f962e6fa8bc6a844ee0b609eee34aaaa025065a7e3a7fe4678a005640f7dc286c2", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 7, + "comment" : "", + "ikm" : "467403c2ec02a235bf730ff37e8d8ff3", + "salt" : "41f0f173d307d40436c25856cf559f96", + "info" : "", + "size" : 20, + "okm" : "55169d60bedd7ab2399d830b1da06f69f94e4b0c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 8, + "comment" : "", + "ikm" : "3352f942aa93071da6d39cc5ed8dc460", + "salt" : "57a0db708b25a51afc4271803aa35204", + "info" : "", + "size" : 42, + "okm" : "260a775477eb6b32fbeb4e6825464a47ac8484a92296a3a3d51b0821b346deadf57f9c82e589ee369fe6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 9, + "comment" : "", + "ikm" : "08867e76311126089356623ba5381e73", + "salt" : "0c164c443edcdfaedb1ab150f047951f", + "info" : "", + "size" : 64, + "okm" : "59debea3637c46394e2fb2790ebf8760de4986f36a6b142305bb62d1466dd56fa201c96814a2e5846acdf141733ccc54df9e6ccbaebf84c4f40e21201e180b12", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 10, + "comment" : "", + "ikm" : "c55c41d69d2424a520414e3662aa7303", + "salt" : "fea9bfc92b74337e43a201a2dc199e27", + "info" : "3fdf20538063b76901d61bbf9b72b0c18749e00e", + "size" : 20, + "okm" : "25ffbc81bc7b1c2dc1cf98020f55d256a31ce89f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 11, + "comment" : "", + "ikm" : "5d3db20e8238a90b62a600fa57fdb318", + "salt" : "1d6f3b38a1e607b5e6bcd4af1800a9d3", + "info" : "2bc5f39032b6fc87da69ba8711ce735b169646fd", + "size" : 42, + "okm" : "6724e716f6a953aab112b61e29d921fec0f8e806841d5ccd3aa567574b502904d04ae707d244187fec52", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 12, + "comment" : "", + "ikm" : 
"8677dc79233ef3480777c4c601ef4f0b", + "salt" : "ad88db718244e2cb60e35f874d7ad81f", + "info" : "a38f634d947819a9bfa792174b42baa20c9fce15", + "size" : 64, + "okm" : "758546362a070c0f13cbfbf1756e8f29b7819fb903c7ed4f97a56be3c8f81e8c37aef5c0f8e5d2b17eb1aa02ec04c33f546cb2f3d193e930a9f89ec9ce3a82b5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 13, + "comment" : "", + "ikm" : "0f602703d37943e0253bed3da331aff4", + "salt" : "ebdc8510499f69b2e188daab77cd819cccb95f276f46e6b2be11cbe72700", + "info" : "", + "size" : 20, + "okm" : "25b54be713ec3eabde9f8d25745672d1e6386c07", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 14, + "comment" : "", + "ikm" : "9fe65737574c5c7aa67646adf8230ba8", + "salt" : "73a34648c152443586236abcb46a090ce55ef6c7f282ffce6342d694650a", + "info" : "", + "size" : 42, + "okm" : "24e3486d28a6574270b32541651cccbb93f0418905e628ec1274263681b943114f742b9b81db0f86385d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 15, + "comment" : "", + "ikm" : "e8f2b1c3e6a6c3d5ee0a20dd47aafa78", + "salt" : "3f5e162de91e0782cd189f3b7778cdc2ce6bfe9d3fe841cd3c70475d7b3c", + "info" : "", + "size" : 64, + "okm" : "167928954f92eed2e1c82496e57cf091d9c96aa6d4c01ea0b4275f9f17ceed820d90287cea90ac8297f892c219885243a67429829bfc86ca8eabda4295236252", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 16, + "comment" : "", + "ikm" : "a679521cdb56aafc5a4b76db0431a4dd", + "salt" : "123033b1ddaead83a4b9cfef8a660bd8e00fde01e67c35656c6d7607d456", + "info" : "44ec41ab4f4e64f4a36e5e30c9f0dc1d77ae4974", + "size" : 20, + "okm" : "72f15cece4bc7704a841eb5047f04756f86ec549", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 17, + "comment" : "", + "ikm" : "49bf155ca102026f2a217ea1bc9843ac", + "salt" : "76776e3b4d75f8f43dce4bded71f3b1ae6bcb012d9c0d59f78248b9427b8", + "info" : "851bda4faa8f7add2a3cbf0acf9c2786f8f955b2", + "size" : 42, + "okm" : "f693a3253389435899adac72d3ff59c240c65bf282f373cea7a9ee00864d5b4f39b2000f7eb49af16fda", + "result" : "valid", + 
"flags" : [] + }, + { + "tcId" : 18, + "comment" : "", + "ikm" : "6cf725e939e8824d4392233eeac75d30", + "salt" : "1e72f24b05a91a0093f34306ffced79e7003055b0833c6d0f27a4f33a1bd", + "info" : "495425d9727fee2e2b7e78899868c1c3e7735e1d", + "size" : 64, + "okm" : "e13a7490f842b6e5be206e6d5ce69b2a8e2cba5525715283f22b021d2fbc2aec59d0144088581058f0fb2f551c6d62bfbd8a15d2706e23e10f3bf7277fff337f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 19, + "comment" : "", + "ikm" : "a319ff7b5ba9b14ac72b681cecf0f742", + "salt" : "d7e3bc6daed343ce77ef793e15a8246e4bfcbaf83d2ac956d0661d1df7262b2e7311623dfe4152caddbfda8fa8ed7a82656ec00b72c5adf7c9d388e5b3bc8d24", + "info" : "", + "size" : 42, + "okm" : "83b3d9f22cb5765c16dcca24e6ce6875b180ec9253bb3950666c52e3711f3b9200d2a995aa548bc6bba2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 20, + "comment" : "", + "ikm" : "34bae5a158c1678aa76a744417a70d7a", + "salt" : "1532075f363e061133780ac959bf653c7687d181b9431215d6f62dd2f1ec3019d61c50fa82c70ae25e624c849a276b0c57d7c02a4d753fe84a1a6621e9a5ef01", + "info" : "87ec30aa53acfc3d09ccc1d57d654fdbce403cd4", + "size" : 42, + "okm" : "9413c6e1b27f829fb82252b5ac5e14a54503e5f433fc8182a6b556bd7b8e04ac34b0d6006950d5917132", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 21, + "comment" : "maximal output size", + "ikm" : "b8a3fec3c020e028a2a9512ad3acb688", + "salt" : "324ea1f30b8dc6e13694326da568c57345b6383444fe6bc425fabdf92653fbc1f5158e43bddc5526ca2ee0caeb301977", + "info" : "006a7b5529648b31", + "size" : 12240, + "okm" : "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", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 22, + "comment" : "invalid output size", + "ikm" : "39053d8bdfa97044ceb676ae54563de2", + "salt" : "85522968a566b7ba10cb8e7a6f10159977e4a572408ace1b65c481ccfdf09532483cf308bba0557c9a72c849780e044c", + "info" : "cae8a93087e97de1", + "size" : 12241, + "okm" : "", + "result" : "invalid", + "flags" : [ + "SizeTooLarge" + ] + }, + { + "tcId" : 23, + 
"comment" : "output collision for different salts", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "6f93965b7399bdcaef06c151056ba14b7392a1521af1145e0c1d05e34b6f19f3", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 24, + "comment" : "output collision for different salts", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "6f93965b7399bdcaef06c151056ba14b7392a1521af1145e0c1d05e34b6f19f3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 25, + "comment" : "a salt longer than the block size of the hash is equivalent to the hash of the salt", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "329f445e7de8a156cf26a0208dbb028d9de6ef76b8de67ca634f4a5a732138a1bd436a7b345d7a0314c7ed0a00b0d34ecad2cb8bd141e2ecc1c77e237094d55154", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "94190f4f21f412c1d9358264a9dbb5035f94f39f5a503c0f54189b1dff1df637", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 26, + "comment" : "a salt longer than the block size of the hash is equivalent to the hash of the salt", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "8900e95c7464dd4ad187a480befdbac713cf5e049c4aa4918f11e9caa0e07503cbda48921f5779a685dd220e484d6927", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "998ee6c2df90e53c32281303b2860c214d0325928898603e3dab40ae85cd6e66", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 27, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "e69dcaad55fb0536", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : 
"ef1423258f12fb40c01f773b9af50226f691abfc82def30ddc09d6b45e9beb03", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 28, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "e69dcaad55fb05360000000000000000", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "ef1423258f12fb40c01f773b9af50226f691abfc82def30ddc09d6b45e9beb03", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 29, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "e69dcaad55fb053600000000000000000000000000000000", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "ef1423258f12fb40c01f773b9af50226f691abfc82def30ddc09d6b45e9beb03", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 30, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "e69dcaad55fb0536000000000000000000000000000000000000000000000000", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "ef1423258f12fb40c01f773b9af50226f691abfc82def30ddc09d6b45e9beb03", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 31, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "e69dcaad55fb05360000000000000000000000000000000000000000000000000000000000000000", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "ef1423258f12fb40c01f773b9af50226f691abfc82def30ddc09d6b45e9beb03", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 32, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "e69dcaad55fb053600000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : 
"be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "ef1423258f12fb40c01f773b9af50226f691abfc82def30ddc09d6b45e9beb03", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 33, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "e69dcaad55fb0536000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "ef1423258f12fb40c01f773b9af50226f691abfc82def30ddc09d6b45e9beb03", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "type" : "HkdfTest", + "keySize" : 160, + "tests" : [ + { + "tcId" : 34, + "comment" : "", + "ikm" : "e2865d6bbc1abf6a815067edc4ee7aa33c290d5a", + "salt" : "", + "info" : "", + "size" : 20, + "okm" : "e0f2f690fd50db3731b19ba8d6a7bbaeb5e9f7fb", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 35, + "comment" : "", + "ikm" : "8c177ab5f40e9c57203883562f01f174070ccd97", + "salt" : "", + "info" : "", + "size" : 42, + "okm" : "f94067eaf6df97baacb1b5a519c259b7e9b9322d6da9f71e976611cdc6e7007eadb1d6180ec1ade0bb7b", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 36, + "comment" : "", + "ikm" : "e842a4fc1a147cf2f87de9bd5a42fce6457496f7", + "salt" : "", + "info" : "", + "size" : 64, + "okm" : "380c941a86c66affb4694bebec2858c5c1927a6b920f84a6a952a30ba215bc41948c72e90a8017eaa2033d149fb955a2a222c5101eda58c3d7667cd7764f4795", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 37, + "comment" : "", + "ikm" : "5b870ee1bb97ee83f67fa7335b4a0f9dadc80d12", + "salt" : "", + "info" : "0a0dfb2a6e051441678788bdec04cc1b63ebe1f4", + "size" : 20, + "okm" : "99d9e9b5e7c324f8fff6cd2a2152dc2411457f78", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 38, + "comment" : "", + "ikm" : "58ea7ab33acff514ec08f41e59c17a3c66c1ceef", + "salt" : "", + "info" : 
"1cf9e25bd70c5546ea7a79eaf5d90cacf754c4f0", + "size" : 42, + "okm" : "2e1036f7359a52ad08f987e8be907e12f36f0a3fe576e1e27365a33439b4ce23a10f6ce329428cc7f471", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 39, + "comment" : "", + "ikm" : "e8d20934b9d320458f4854e2442e2f0fa092f461", + "salt" : "", + "info" : "4425999958aa3cc629300c25ab15be8cea7a4277", + "size" : 64, + "okm" : "d1e7a09a0f77ae7dd5cdb8e568aa53fd4ba63688623079fc8df2a53c9a44275cc61b09091f5997d0c819f89803fb6c990dd6a599f00ff68ab379e7afb29a5b4a", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 40, + "comment" : "", + "ikm" : "dc9e488c684dbf0ac8ff1eefaa0666d413d258f0", + "salt" : "9afa7df500d7a17af1f44422d25a62bf", + "info" : "", + "size" : 20, + "okm" : "ded7f0b68046268ef0e81b03aa74ee58ea72b670", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 41, + "comment" : "", + "ikm" : "34b85c341a04cbade472b3f7dee4de4d1954bf70", + "salt" : "b066b42acea664350a8448f8e064225f", + "info" : "", + "size" : 42, + "okm" : "50f2b92a23e76b1cd51071d9416f4ae497a967068616d55aba15ac025ea56e21a4c63adf9c6b2696d9e9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 42, + "comment" : "", + "ikm" : "44cc641e09f7d5642f7b6007ca5a1c0813319666", + "salt" : "69c0dde6c8e5bd40553a5981fad6ad87", + "info" : "", + "size" : 64, + "okm" : "b1ac58c93111b1e81191f88eb408ab179881f3bb1c171903aa335cfc541ece2f8ea7eeac2df7f86a7c2d867e06a9173538fcd3e38bcb99128d76887e8ffaf17d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 43, + "comment" : "", + "ikm" : "88a8880cc2b73e73b3b6ca1d4902caf2128732c3", + "salt" : "0579f690ed32e57a26701a9f6877f243", + "info" : "6dc723df3d26f704067afb2fb6d95a66516d089c", + "size" : 20, + "okm" : "43c3e04295d525a0dc49591dc27e4f75699421ac", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 44, + "comment" : "", + "ikm" : "8408668b9d671121b8c7d31113f045c0d7c020fe", + "salt" : "679b30e6930a8ea3f076e317b9595d5e", + "info" : 
"b4451b0f1a217db703582881e86d8044d5f2e092", + "size" : 42, + "okm" : "22ee54eb05ea001854069664ad1ebac22323b0b79b6def905942757d1f038a63e74bcc61b00119d3635b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 45, + "comment" : "", + "ikm" : "e6715cc4ee13c4d999d8f8f500243c321f70b0be", + "salt" : "ecfaca2ea3301a992b4de081d9d3a4cc", + "info" : "ef17c9227a5ca654fbdb35dd00dd6dc77b6321de", + "size" : 64, + "okm" : "9d1ca84928eaf8cde23028ae306389313265b4380cf85459602d86eae08d32fcad2d6ea589eddaf95545adf856f0fc46902d7ea0656cecedb1cbf2191ac66a54", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 46, + "comment" : "", + "ikm" : "9a6b88f3f68f5a8e79903b51dcd733abaece1a41", + "salt" : "0226df3d66ee3abb275eb39c8ec3d3e12e9b87b67f85c552accc4279ec17", + "info" : "", + "size" : 20, + "okm" : "e15666ec2261badaf8364f4cfff8d21f240bbccc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 47, + "comment" : "", + "ikm" : "0b9eaec88b2940a4754e83272cbf47fb6f86aaa1", + "salt" : "c1616497d49246400ba68242b635c67515d2528ee1c3b71b318b631f9bef", + "info" : "", + "size" : 42, + "okm" : "86aab917d334ee079d50ea3e20ab243f06e2e29d2475591e88e048f0d3204cb8a8443671724ad11e5e20", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 48, + "comment" : "", + "ikm" : "c4717276e7c7f794c4ee333b2f7a2ab244be9e8c", + "salt" : "af4c63e5b554063e83e37bf730ffa401c696088ccc4f133a8695ffcbf2a9", + "info" : "", + "size" : 64, + "okm" : "00153d105154d1086f950d7829be7e0d75db97441c88b7f31431f04884dd81b8f4ace2f5be6846f0da1853a1db2f89be090d3453488a12cc052f3234d36c4eb5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 49, + "comment" : "", + "ikm" : "5e43a900ee0d432c5fe6fc81db8d5f81a54e39df", + "salt" : "8cc815009350b0b6a924ed93e73c8f8c57a1105726663b72741b67209c1f", + "info" : "32460280e60910b10abee2e9f80a3dab48acbc59", + "size" : 20, + "okm" : "883561d252df369074fcdafe0cad379653fe4aaf", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 50, + "comment" : "", + "ikm" : 
"070c170fca600aa2b23618150ab9044bff7d4dcf", + "salt" : "f32a1cddb32693860eeb39a5d190f5667a303d5403712cdcebb575c6563b", + "info" : "c1b0971fefa0a23cf4b7185879475ebd8d83b9bc", + "size" : 42, + "okm" : "ddc00ec19f76258aad541e0359465fcdb6a036fb4582e7d283b8ffda0b73a8b1b4988550b67a9182c227", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 51, + "comment" : "", + "ikm" : "87a23208df5e66488d23f7aaa066e87bdced8e2b", + "salt" : "0488ffa08062f1fe83e9c3934f5688a2e17827f898aa5daa2d595f09b245", + "info" : "e4d66fa23a6020820013d94d1f8e84a58cba2a82", + "size" : 64, + "okm" : "fbe18cc5a99e747477fbd7ec3c7f9d65eedc9538cee9a1aa81b0b3b1f199f5f892122734fba185919a64638eabe2c6932fd96270116f55a411a555f5c60d5ceb", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 52, + "comment" : "", + "ikm" : "214746af12a669b726364027e9a1cfa40c18f8e0", + "salt" : "f65ab21816c5eaa5c9ce77d58608ab67176d2255438096f4b45779d15c2afda12718ec557bfe161e7fab89ebad4fa634cf73f2d12c884c4583e64d2b59b9d8b9", + "info" : "", + "size" : 42, + "okm" : "281c2cce7550a0b02b170cea4985ee34666552d219b982389f1082746d4524cf3a8edf13fde8f5d2cecd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 53, + "comment" : "", + "ikm" : "d509c509f91d78c33b9d661e6df1992b2b6ae429", + "salt" : "95ff4b20ade46bada320316dad7e2b4286e93dfa2a72c6366c5ddfe8ce2ff344729ea56416d5b53074c6d6c4eb4e4873980e5e4a4991d6b1497aef822e16e209", + "info" : "bea4f60eff1a0c6ab664ff3db2f774347920a482", + "size" : 42, + "okm" : "6a800418892df0663b4469108eea9f01ab66dbc7888da7ae95b05c68f61a5dd27b7a7c1857f2fb6c1a99", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 54, + "comment" : "maximal output size", + "ikm" : "e099aecd5c8f0fe1c5dedf647c5687220faaa64c", + "salt" : "a8febd4ecfa01739cedb1136c9a7fa10362e8f7ee6556fe0e2dad1740e1ed44f5c95b6ac57aeaf509af0732c0b0390d4", + "info" : "0e02ec03576474c1", + "size" : 12240, + "okm" : 
"43fe9568d5423d93c5f59789319610e996e82ed97aabeb896d88e92614faf45df0fadc3cf496368a07f562eb8036495556edaf95b06d89f1c095da8c18003a20ca5fbb28891596680b3d9e5518f012142a1ff5bb52f4dccbac7d1db2fcfe308d8fd6444d187833ab9dc603305260604d9acc4bf8bfc5ff82d2e4f3bb25a4ad92c30b9236953e096af57eb7f4ac5aefd447f244478b1576ab7f95354f8d2000d986c607e3d1ebc900bf80b4d6cc013ae122a0876191f287f5b5dec28fde54e66858b9169ebb45529ea1c5004fef0aa85a5cf22117039798a30f2f26fe8623c8536751531f6435cc77e0ac841b884f586509e80e4ca98e3260eb60701aaad62a1a4814f4fba950d1690090f0190cf0927cffd0d3ef1b45a846ab9aa1073036c177eaf86d9f4ef8b5ab0fbecd76ee5a293c5f7843a2028a468a952b0109d720d50afd649306685f26ea407d7464e505905f2383460f6b8113923af6916f43259d83bf833cfed074e6a81a997c1a7f8f2f6eec413e3a3768308bd4292dae0d3452619291ab7f3275333edcd39ad2a390149505b6b02d7bcafb91a1185ade1834613396c63eb00e8126a14332205d7c59f39fe1aebf49a46f94bdcc56e1ae834ba06cab4e9a85bea8f4635b3bf6b332946ae3983dd9ef30773471f6c9d5a604efe2d32f4f40f28b9a609db8e6a3049e6bc961b6aa685d7a789a45cf17826305535afb67116447e8a5ca78813bb0e0978ac1a904e2d1d248c714b81fc1642421b43c6992b82cb457703df3ba7767bffca96143886d7157bb3c7a2362636a5f988e1349d57a10d6eff1303c8e3ccedf9350ef65844a173385cf4e12b3c023d99787a7c1a4b74eff2d8da06b6ae69cf71328fc613e68d408e7eaf3b9672525ee72c593e1131a72e3837daad27177a8480d6c0dbe3c61e6b971922ca3f60019e52d648c5981b1da133c1866e9a0fb953383f47441627bab17df6479a9c33547f8fb8c21e555730289d75b48d779b63f4555501220707df4b550a87f356455c516b3e519acb4cd3aff720c60181aa553f0a1a7ba5b2798f988f876e789ebaa32da2ca24b06449cebec9b739ff82ce9d0af6b20271492b53f8cfd00583bc6535f6a778f0a9fc1388b12323e631976ec6c7d69c5a0af7b65f9e2a1553b2104d83de01e98cb80a857e7e7339be2433ed24afbb7b1a663ca8b9b8b0bd21e63089b8ccf49c9669d0dbf6fd2973a0f2a5925e29574e99902d8bfb49193b929edb920d5772f8aae2334ec8efed4287162cf6a14dde23d325222e82f760cc8da3e2453c970c9ca819abcb73e6697a0627090453b8c6c471134125e96416c318f06ddee0824159a7f7be8beb817ff49bd29f2d4d333f7a69cff82ae84076aea16d9cc1bed38b7c2d598428fd0529fdc808
2848527d81267511ef9bd420f54540e39c8d648983eb08b2710c7c6456dca567b936d4d55fd0e468a44d0bc469dcd386de6d063a4487e9a17dfe680a4c6c9bc0543152074e9405758fd8036ba74c4f9bbcd3d9518a853f55494960777d60f0bcedadacac8af588fdfa5b68416fd2a7a3c2337bf2c114b2ed39e4b23e461106011b5ca3f13b1d78d2531bf21fec33cfb9f4eb1ef7cca539ce1204cae29239c85e81caebe4c5a01cfe664b5433f95ff1835835068ba7ee15cb3fb7d69187a70e01492454a1b7b00bf270d53fb8deda6f3daab1b996ea3d6ffa3f4bb6cf3dab0d044528183265bc644fce34f8bd1d98cb093447a257bc1ca474f2d3181011310b0c912da67a640b8a7b06b499f8d1d77fed129b47e2685055b1dbe0e831c5e104d11f92a005e2ad67e34c47cf462f867d1d2336c0694d148fb4526ddac66b9f6153c5ea91ccdbff4d2589f53191fc49a595bfada361efd20e9190a5e172e1086df63f6eeb719723cae815b2e2ff76da9c8d359c604f79fb4134bbee3382cb4a2e7ee318f25ddf0097b0e42dcfc49ebdf3467602f7d02040f18b6ed7cbd0d78bc2421795a4072880787db163dd09fc5dabcc35dc557dc68bbaa6176c10772aa7007c0b838dccb22b18750c00a5a1a1a27fac1c4e2b1b6f3923ae004d3d03555224cc54349d2fc9377fb8ce42fc2e246d9c2f2634301018f96bdff0a1d671c0377405e83ffbfa57de8aefcc5de062eb18d0ff922b3a999d0854cec38b276cabe98776c93cc41b5fd345201e1901507fa1e0c1770061263f0559d02a36d0af81f25b9682b38cad3ffe11b5991b1e6967939497424e8320168bd24209d71b0426f1c8d6e86f0377abe4a97e6ac72c9f18ed1929b07c85dd869585e30a30483df52f28545a5068577bd37286bc4b6ee40707b88ffae61344ed7f5723f07fd772d70141ab0a4bc06e3e87e4289176cd65bcd634a2a62075bd759e90c524808909aff506908e659bc1e3b3714f21a9b5c0c28f4232c96a9abe26181b4b27c2409e648a47b3164a8a1c8914835de3cf7eeb630474506ec12585c2d8eb27d692c2b61202a646d4793499ec9217ecd4361b0eaa6514e5483f16be529e2a300f940c94837fc2c68a6a5a71999b6dadbeff5f277a601984cfb74f3659c9c6fd661fecb7a39fdadeb1be5c68ed53eada42deb182445d8def28143147bfba24d65d43978277bdc6137947d6a0ee20ef78603b22919589292fc44e7bfbadda845c626cab6cff4fb4dc6a616da9905f73e16a1b923ab545caa3b11a8edecd9b6ca2812bdc8c49126588ed67aae8066fdbdb190a76c84b9bb49b6d689353ff3dac753dcadd7591c4708ee130f547a731f6880d3e2906154151a71b558d2b6d94801dc7a569c1b030123cee2afbcf121c3868
424ab76b0870171cbfa00c15a746f8560e9faa7a35d91b42394ead450eba96735a0c676958fe48ffd9732b21236ea54c9d8c666615866179467b01d3c4e86ede658a3d611fb51340608622429359c7e2eff5480e5d00e948f7dee5da8ddf5a40720d85449142d5440366618dccbeef36a8f47410c344fb9731f86a2ffb4e3706f337c2abe86fd5b0311178b40c4d083d940fda9262bfcf1712a8b30bfb226791a57e0b9138e16cb850182d395433129b96b921b10faf1059c081db4896ae24045c28f9b4b12e7997d52523e3e0cf1e519521ae529146da05bc271fe8f2efaddb82dce5166ddefc86dc790b75ba9ab9458a7e32afb9b4510f9cb419ffd2f92ca479d8e497b87681d895e6536890b9a01d2af13f2a6767b428878812f7a179fe25dc27a45316d9274f49c5510ab2495ddb946d7080aeec72ea81f9b391953d748dcc4c74d5eee53d4dc69269e8f4ceca3d4dbf416840a3b02bee2b4cab18b8e5e88ee4cab4942927ac63eba64f1fb59e23397aa43a0c0f99c2b27ad51a968d61f1c9784e7122d5e63771fd68f9e030f9c26b314c037abf125366b6f199d92212017feefe878f534b32e5f5b18fdfa2edccc85488e5ea4220e8cbe34a15a4b34f1d48291777944e7cfeaefe6d3c3cdc19d216cace0383ccaf7a6fc30c267f01a915e7d8d4dddc53f2c41daf293eb7100b1c9258214669d1de4ba149c37c3a70bc2f4a7cf15d74c81c3bc5f9976677014e4e08e1a23b25790e8b15631044323a26180db21c97a53cba0d5c5a8793df6ad413da4891b9ba403bc1c798fc3bd88435b7170a2e065ae2055ef274d893a0b4ef962c9d92734032d218055ae5be5632f1d3234bb0c4fb4dd8eb2e6bce4fcea9488bc6d59259d99f273a9d76f8fd017b50d43d2d59c7752a26a94ea7e530551bcc09113becd2cfa052ca28e8ef8dbd535a9f859293b64d29a08a01e9b4ad2e4f92c69eb444fe79474a42855bae22d8a38fed765a13df2cc703d59564d55a52d6d3832f1ccdb7ea398934d67fbd4a5584b85b9d3fe2f1c06d76e1ac39a51e994e6217b98d608def8d2c3466bfdb13237ab93987a706ba8090e49a3acaa52fd78d2871f19fec9bb719f7423c566bd34f27f621fa65275457585de575d2af76136698e7f110869c0f71365765d650d3f5dfa7d871be76e761da0e533b0cc1c4acfff0e2ac5bf66c80752520eeab83b43da7e73b1e0c576406de8f2797a5003cdb66eb3a0222de073050ef2afb8fe4b18cba0654bfb8e03b48b78450c80c043df5175859320f5fca3950f226bbc5fc9a1bb25debd1aea9778ac6629840bd584f1d7f5ef9c711ae9f15830fa694660a0d8a890a5f93866ea78476bb0f1de1208eea7bf231dc0274dc496112de0138751dee67f8265dd2efca486a02aa
f676e289f7cd994a534c0a062ffbbe1bf1d5aa9bd2b2ca1b864b1ab545bb3468acdb9e4394a499300b0579e475e70f157897f08dfff7fb069e0d72b361e0e5abc4486053ede6b92eadbc784335ffc54e5bc702b0fcd464fe947f29b2ffb4433369bbcb639bc82d3594666c672a57a596359eeb3bde01667d0f43869ff3d818ff715f402be0ed56517934a650f98eba6b15d002249170ed0409fd1fdb3bd241f1a160e1a06dc411e05c55a0d4fefa3b7b5fcca49882f6a83d4d69a23885be5fec6edc77c082456cfa013285979c1b1e157ed37c3c1d4f6bbae36c0f12e1cf82e18cdbf602a7640730f6f53759118aec87cc1ace66298e7fbc671da9d204568c44a0040fb6735b2ba7f1bb6d2fdbda38d04b1ae3ef796cafb1ec98505a3e552361d2950042922f0d649a68953c993bd7ee9cd7ddf2decd0b48213b3db80b640b5b6eb30d2ad36c189ad89d1556db9d016adca7ca00c42471c3f282113c0400cc2ab4016a629d7bf141395584b30c1d70ac53a425894402ab34445948d809c26390e1308ea54f412270f9a9bf24550243d3fd27ab142d0c309ab1511aa417899a123a8a0e2bbaba9758e959667d3572c60113461b6ae43c536d13762748e7ebd30e39ccf5717828038ac3697c7d9af55ed9b82befd8ff67392cd6365419fc7c8c89edead81580ac50108f17ae6b3924221e4ddee45d873de3f024c24838f4723dac9ebd14deec8380682b3a62bae71b44d0d34226502e869cd41fcd41b922e54369ea5cd3c95254d690001caaddae3fe16cf2f44b583c5b8194a2e3a3e09429f8fe6f5f28eba06cb242946ee4dc28f32b7025a05b395ad5072db27eed26ca703bc29325d1bf001d21b26b1cc744e7d87aaf07669333acd066ebf0f27c05631ab204622fc77a06741d5395e42d7ba83d7d59b386aeffc2d93170920adc3066303e1e87c75058a7fa3656505dd4d0fa29d970d5f5220d8618c50e704b03ec5e544ee8b91c028d4cbcc8fe1a52e1c15abbbb7ca810ce45053606b5d6ce21e8d8caa7d496bee2e40d36565def4ee5ff9ef0442ffb16a16998c1c43096dac816976df6e39940cb9097bdc469a567552c485b0e5df1c40ebbe41a90c6df1f6be3754c3946f9e797b8be869fbb195aa3748592298caf24cf0deff33d61ab2bb0b805373df982aedb81a621c58bc664b79bf1d87b298cdc5e5066743339c1f3efe110ed24cfd6655e1d9a3fb243aa4d26dcbbfd7665fe5a090de4be79019786f561a8292fb4434441a68e17edf77c464dff50b7cc5ad4799d43ebb51a23dea7b760d626d041c8bbb96aa6b20e66260c0fcde1e78cc59a5a9ffbc5b409a974c42abf165ba591b4299c3e86ef331c4f71131bedf1a913eeff92da531971698c8884a3f33b43622a9077d118a77645
558202ccb437a347051ceda13f2d44f63c24da270bc350f80cbf4ed02a16ca9b5eb75f7e8511a64d16eabaedb6c5a7854cee19b54dd7e37ae423a84889f8f926b5ce07337c023b56cdd09a9f219419630cae32decca6c26e52ca35a90c2e258330982b9896f6664c435ad9319b895e92f310292f3b7e575ec624a65f9258ea6465d5d074d730bfe7d6b19a8d7071a133778cad36b890117f9e75e2c3e755d82756e2f664851f32bb3d48c67a2db19f29a307bdf9b05dce5250a4cb79e48536584b0334cd0f60c256c1d5f0439a0c2f0b44fd1a901a34603cd4692e63439e3374a778f6d7b6186f5f48d7900d6d227bed0b5ea16e0f6b9962adf944b31ab6a4ab5a6f41fa7be2fb605ec181db786f88ac981ba03333f287544e77bcc2f1ff6156099e09acc0a7530a0d7f5e8b45ef6eabd288d26ccc6abe9649f49d4045bf4e6f5e6fdbb735773f58b8e23a108c8229802b20d1252aed2f049e04a83be36406386919770004858fd1133fa4d8721e5caad10ddac2236adcbef269092f2734a0c84be8c55ed3cd42c1920b44832858aded480cb8aaf5104849d67026fd583cffe083b2761baa445f37fcc8205078574e9a746b31a732ff50cc4872d7e0265892a4d7c51dd509099d3682f961689a936e2354e0c4c49e57883b7f8fbb4901e9a8d426d4d85cf7e6280523b372309cde7628f993a19055175f3d959ac2e162aac22b0d4063caae9e6db1e63a866e59554f7dcf887388cdee8eca6608972dcd587a652bb3f75186c44fa32d1cefc4bf593b5c3fb728a898b315f3483285283012738c2e9555ef6dc22309898cab2c6dc75b54f3c1410948cf6c37b6127d89ff0cfdd6b2e512d7a8b150f32c15db6a1443a73907e3c0fdcaeb1df2162823f88dc6c526054686dd57dff1c032f695761397a85181c8817c1bad81ec38230d731d285a0e116eed03b1b03621835cc9143f2a9eae442a7d70e818f701e0e885a794f2afbbb35c5c7210f5f28e356d684bcea9e53a2088052aae19b36870a115855a7df1db48a55a0d3f94929afd81b7dc3973c4749904919a520d7aa664957990ef92a82116a51d5452043d051c29ad36a1c4712c56b92048ec4995c0510abad4f84022eb00037d52ac9133cd1c1e78db7bc57776342f53790a8eb22869eb0868804b753179198c463661faecda241f6c05fdd5236fb802689c35e45087de051f134bc2349ff3ff9f1ad3c33779e607e04478b59ff4b74e4d11cd99235259ef185e7d9bd262c935204c55485b4407b58b21cde59e43d5ad6b9760be9e2cafc676164f99fa909c7b50b3b97367d824529f074c7ae0ec258245be73f4e1395a8bfcb0fbe2f10c90d5b912c6c211d2a9d33d7c0fb31a6251e8b5c48158b81e4ae5fac00dc898eeac6b6b636660a1
087f87db043d0ee0ff9a4667c14e18d886db31a5c10b2b17cfc6d97673ed5f7d72b9aab8b0d8ad5fa66ebf32422431dd8783024c986942d380ec48e3e0e0c5faa94355e2093df1fdb027e8ca52d2b997dfc77f005c2cfc331c401a0b00a013b4c8b3584adac06c28549491914366128d6d2f59f42f9e6905bc58a9253df7b95bee53d40264d9c16ff36d880d1f6e477ec09a958ad90ee89464cbb46e7efaff67426abccac3e05c6ff5e6c6f278164d26e623abe8f9d376e9285a80406cce1fc4de26fa8af5311137fcbeda51ef1767a2ebc76755da10818e9a2bbbb2ccccdf5f72de6d4fc7327a9e388e722eb213b85a9be3bbcfe119137e9c8abdeb72bd8c4448b68314b754603ecc846eeaa85f979e6737e325b0501586cba6ca9c2bac24421570eaf9ee6c897689e8130306df9a10436b50d017464419d535c382becbb4da5071cffedd10c902ce0a7a9e181cb0dc775924c66a516c5effb438cc754c9ffa186598153616ce8858fe534126800f1ff9df6116d1dff074736bacec45420494fd0455929c2a33cd7db8cf063e46772b70eb996bacbb7aaab75eeae21944041ec35a4c8564dc1280d6af8b8e598f8f5bf5a422007c3145b31b8ff3d374b49f4f63e219534f26bcf88b6eb10cdf0bf824e4b115997424dafd2e3f967a51a21e7bfcec437b07a212f355cf1dcb337f01bb029342605e3ce90e6fbdd41fb56f516646f4fc9bbebb650057c7f62610aba4ba2a03d572e08ac97769804c0dbce322e008a207f155d93a1bd949aeacd92a6fedd76b1c11c75099ed3bbec327570534134d5e316253fce81720e735af68ce89e8b1671ebe2aaa932d5568c530d7fc9aad77a09e0ebb3c7c72e5feedac49e653e6754b33aee3d8306e4943ae95d398c0ce227e87cd4ddf973346bc733e2b4d7906dab53639f138acf5bfb700d299cbb124c2f77fda5b44a832f2f6740f32c3fba0becacc4c579e3ffaa086d4c1415119691fb855347183f46f64718c6c5f45b167e6639506675fa0c22cecb539f2926b793dd730a788d87aca9abe31eb210b5abf00133238bb1222ff31efc5917f065130f6991b59a3ac4f82924438ed576665a096a5adada8b3e3842be65b1ec1e636af0859fe9ac1bcf3def535a2ad650c428c514139085a6189716a0bf7c3c8f7fa20858d81985213faeb96ea1e4a9ed39a629d2537850fb56052ba7aeebe7fb5f355e4fd17e6d452c94f67ce4bf6b2fd4e91a8a1089f689ad2c1088bfd38d9dc71750cc5836c5cc4630d48f2d9b237d3d6700af559c5f144a207c625fac2db4dcdf03a157603daf1c1cb5f76afe0fcfee609c1ec602f20ffab7fdb9a6f18e9df3cc75e9879c029ae69677b9e4f1bb3555c2f0bbbd8a398ab3004609707fc6a3d062d4b8c4476b433bf27
3f2d1a8a5193981ec52e4b8361811f0d7d9bbbb4ff86fc04a1d6c7b3cf4753405f12c0e0e53c6d410aaeedbb6f8a1604370d354be1ee0929a90e36fb4e3e5bc8f8491c7f1b563fbdb66296bcdef1d67129ffce4d1083b527710865730370282244537ec059962e4e48286830c89feef9d20e382b1de2cd0875bcd66f6a18b0a27b261b4aec64864648971e299b019e3a8f6b65a2725af4caf7219a38182e3c058d775871032a4ea80795b330e4445a3099e067ebc01461cd439f77f9635517e55cc274304d4a0c222299773d6b2a24c02b8271954b797c370fb3760d3f493f886cb3f4f7851c35ae22e6d531cd339daece8984188cc85848b4ffdb624506e1560fece36f9e2ee27746ef5f1212822f8aa917ff17504457d054fb934e4fe21772636d71f9e255680a9da2c5a937d16a477e1637562bd1dadf402cb91f4744dcf16733bcbad47e09592f15e8c1fc5f0a71ba9d7c9e9bba0d4f807ecf913986ecc88c4c3571e5bff8ad314585b38d265a1379d1f785c30866b2ff5fb42ed869070785f3fd5215631fb83c9cd909a996dc7e957e1b253138edad231c1e8da892733afe567e6e0923572d57ee6dcb13d50a5b09e32d45319dbae84d93b7e2987cec9cf4da686d823b09432f9cf09adedda9918fd1aedbcf06b0c6753d4dfd27797044e93cac49d04a3af016b2b1c553e843af640274a2a06840728c8f0c26dfe8dbf06d1c1866dd290eb45e1f97ee617054499b461e054883b1ce866facf11e001027ea9342941eb47c3203c6a40457a4da350fa2f454d0b2000a081f86ae7f2fc5aafaf1a17f22bbea02bf3822dad0723384d4a08442aac709ee43873eaa1d2044e98e952667c2ecf14c754d642b2810b902a8ce8784a54f37fa3f4cca6853fc49ddf08510d6f54b803a48b4e0dfbecd70af80e74cef54d21341476b5d3bc8be46f2c4222c24524c781ec698dbaf4f2fdee02f0a183bfe82c1b743b148b17824654e38220a187c74cd4dae0c45056a446950ac7886ee71d397c2b46b07ebb07979e6c644a7c6bf1f6f94597a3b8bfd5285a9faf94fbe7e13cad9802e9667c031455ecc4e4f33cfb67b9a7e2bb6cc099316e9ad7dd7bf1027d2de68c91024863193a70a6cf900ad60e1da8c639af32a0542735deeb11294169d0bb10c4811daf7d2715f89a9fbb4904f823545747f291b977e2b4c2f825953d39b392408166ba8f58e8978543c420cc33f3c3b99cf28c9aab2a891f44ac28a6577dac4b2abbb71634b9f1f098836163355f95c9a614a913405f2fa811593434644eccbce541dc59a2b2cf76f021d82fe5d511a3b6d2ee80b66f1c1d5aaf57589ce3d340afcbbd09f687921725663e4bae152d14c6a0d5ac944c4194e94b0ed6042aa1c0084cb95111d162904ac9bb8ec2b
d65b62ecdcceda8bb937fcf9e2f76c2e282cdce8b8ddeac3dab93a8f08c22ced1ca8c230e0ed34f488a20545db5e40f50b931380710a1390d24381a74e6c872548587f0d36c99d0bec08d8ef60f653e64a3aea222ca5de85d750e7cdd6a92df38cbd3f0127e971cb477528dd9639594210dd69825d4b1d6ccb16f3c6945e7a27953c634f3be93ed6a5d5adc62f58de6a34404ab0f154708cc98e031c621784bb76daf022cf6c77f64b080409022dee0b0beb40135f8f8c094798ee83bdaa0f414f3254906c3e244340fc5f940f322fb02d4d1d9c7423dbf1f0ed2d009644ce689eee320e2926f8ca4c360180449705151be7e2c41b1db926c8878b32a46c3ab42e96f12a717f2df77f61a5790865a18ef45199b0b5b21033061e532a17f16a7efb8884340762eec930a02808b9488e080c0c7f86f70e6d245eec1bfde72751918336104947935b37368db7f81958e6856184a0f1be47d6c5ce5aa15980fd226e1dd05cf0c0db76ed9dce2f1f2801fbcc7a2f4ad23ea273740c17573834b9e92ab2368e57360acdbb6fd97887e2600d71db902c3feb4318caa4ca35ec2d02e7b3fbe3378e9ac98286961b877e2e6f0322b61d2e43989cd846085de89635e207b900e369f455b1519ad035f4d66e4a761e1f8438697f3e6743143931e53d1e0d3f5a4b96f6d0762d26728a067d433350b6506775f9e20669e9bac120a02390f2032dce2600aa4e20fa2a7d9513fdbb4c105a9f6a3cea5dfaa19cf7da2edc5959fd5b7d4bf8d7792e0f5d123598e6ef45bb205a1421899f95c6ccb888f371b5cb2c0eb4eab7241ea0d8c0521a4eba74bf6dbda1a4b7aecf64309fe785063958ae7db568fe89523a3c54c378e565b9861f4d853cfa19e2999c6b3418cfbcabad15121fa27f515717d27f197f46d60cb14985f288d279660636c02006a0721b819b0177566843430be4527d27a18b79c677df6f6a3013975e53865bac04acecc5c24c4e90c7179796d1de28bbfaa0542f05b669c2493d04713e18333f6ab5cfd2a3a3c3801a7313887200a757ae3c87ab7f4c1c79d5202ddf56cd0ef7b35a71618e761824274696aeec8b12b21f17d17c4a0cd03848896ff4cf846dded27512cc17eb66d59a7307ccf46a6a4b9ee707a096977c2787d86c4664375292d163e598d2efee1257ec6e5d557cda9ff687216a398482baecdc1fe402244a135df0b0874919794849e9da7c5a6863d5cf83fa6c998cb00c3e70462854eaf80774785f6fb55cb1215a04776532ae403db7409a536e931fa15f479e0f7492301c6219557b54882bc634a857d2f2b1601cf4d345b326ced91b40e6e500030d2cdba5901719ed395381e13ebbac90e80f66c4e7520247f07ca941846a90238735a4a7ca21909d858eb2af54f5f52128
339cf5fb2af060f02d4668d81c98f8e14501b9edf0dd766cda58da7b6947499249f6c4f3eb38a56457dcb70c5680e29992d36d8a0045a9c942136a9eaf134af71434c5b9c0d6a2820a365605f7578c48796f7e4de9600d2eea8d43d37714461b4412b306c8712e517226d6a190ee73ce529a3b284f69b6eac34dd03a68548fbc3dd7258a26fe2ddbba69bdcf654bac8b140a1b2c3ee788c539d3da52addb21b1f3e5af8fd594ee1d140746da32f5e8c64f9a9643fce278be2cbb1d1702b033a58319eb061c7034f5ce6e967cc9de6451b33a5b0f95f2c11417bebf02cbcf3913628a09b54c47d60e3dc15445c1d430c9e76819948e88c476d3fc8bd3afa506edb216773bc2cc2e9f87b410fe6fa9d3d323d185fcfc1c40943c1dab531bd0e8939c80a75470b012fcb4afe6d83a32b85c95cbc746c47168da969f67c4b2c348da9e3c6da46882188d28143dc6f68d2f0c106cecbe327091368f597549e027c9431899510bbcddc682fd41777b8a497ac627835c7dc97fa1ce161d849fa05cccb644b0bda99be6ef27a0a08ee6a3b0e61bd1ba0ecaca0f39acdd09948cb09fbf9fa686c535bb0a7227923522192ce2c8611f45aa2850745ea6572d167ab450ece7c982226b01a0359ca4518792e26deec16211ce5138868bce7c4cfa6129ce071efb7f6ccb0e99b848ad3a586c2ad77c5e21d4007c56787dcf56ca8f910e395434092e80273be4081241f02649db8e1a6a5757e4d213714089aaf044a2ed0b181a4c79d48d529eb0edb79dd87a2c9366da1b3e0960860516ceaaf0889c2c2160a5818a13d682c8b81ee3318c5a33ca0359a2d4b69f60595ac0b19e2795e0ac5e6235b7b7fa849d1c01682c01ee0c84bbe5f336f07c671db9b239204fbaa6874723b780196360f9a4b8b7d6d7a4bb8d91b5e620e901cf4d23a2111cec6b4e2882637886fe026ae2470f0a86a6422057ffbd152a9490b572d48dc4c93c9d052ef1c86d5704b4b04709e4a7a59bdb2486b3f2d0b84d31e44cae3d51e9efa35d97c8070678c76376bc4a9b6e40884a9ca5203c69e18ccd0140605c5551151e5ca037deab9a5cd8514f5515363228c30cac1591ea6fb5fcc7957a7ab3ad157aedf0348008cd8add6474f5e4d65a305cba5c01c2f5003af45a018c0cc24f07683e907013cd09dfcf82068adbd68521319a2c6661f495ee3c164334358af499fbd225502219882d7c7ca82220e83fd9496cca4f18a129b53d490254475e0332fb949fd8141eeebbc3841fd3478c4af60e205ca43ba378e42abce20fdaf7dc4a9491ee8d3fd74ec5f6e7e9b2e6467a452336bbda0d8fde7ce783d973a9e1343411746f7288975ab20749d7f75ba34ed496e597675a99de38db3a58eec2b31e1ac9ed1fe8512b33a453d98bb1bc
a29b5784264a18d4a51700685c69706800eee7a27c17e8536812aa0b5ba16ef8622ba0d42334311e054166ef6fa843c09ca92402510849375c209f2e7afbef5938cc7a4cb194b488d2e42b650f559200d0f1d2f087a3d26cfc4c9d13ce0d83cc2ff35b3655b25b2fb8064235ca4364495e0fd017eed4f854b8929326e8c68b985b1c330ee05fd63b063f58871f48e25218798be5700b7313967572db57125cea82d3e4a366f559ec556ee116b19144965574f03d3596bc56431fb051a882f4d61d4b9eda13b96c48310609f1bf7502723a0b4574ad3f6427138151fc59e1cbdd8bcde532d41459b42f04a0f99623f9aa8eb33ec591dcdc88b026753515411bc8ad4ad75530cff0e4da879203c715fae5ff628546dd5cb6c365afaaf01fe0373ab5f4e373a8b6d0634ff5db6f7da3fcae6334bd7887021e687a8187be9bfb64b4c2d4bcb0907cbf38272945e26ffbe37457efa4799ebbf271df4bf49b70254094f14065efd2136d75c19485f32cdb523dd68f04b2e17fb0b63b10b38eb4d219ea38b7e95178a6c54b15ef70c4f8acbc17f487ee9a4331ab92625b544f74c80ef92903a524824ec3029489a93f9321f8160a80b551d764329d55ffd16b4b2c3be632c9733dae71d16d8d46bf1222b33b293e9b218d3e6c1d55c331966bdaa2ab822c1cb1843e83f9cc06df7a207986430a9fde3fced65ef1591541480d45acaeaacba1ccfa40680a8c736d8a949ac30c10f9776fc584c7a161e51c5f20a523559d1ba2d96834fbb688ae0a1cf5a64a95e25e7eece6dd512196115d8d0e01dcbaa9f7c6f23ecddec8354464408857a61d11b349a550dc9cdd52e536bbb8fe21f9bac950146c54f8fa1bdc855aacaad455a9d86db792c502712b32855820b468701c22108976758f1a4b5a7aaf09934e81687e02c1bcdbe99dfc6f6a3af065c817af159fc337bce1078881f72518cff30d22b2029cb01c8fbe012d370eb443d3116e700b09dd9affd7db12dbc7931c63a44cd95c29289bc4ecaf9de37c1b8b70300daabd4fc9e0c3718610f63cec51217150544449cd45387612462e04b2f200149424f5fd9584dbb6b32a1397c68d89b3e4700d61fd489359faf812dbb21e4e63de0c810dbadf84c9a90d18aeb5d104b689e901815eb49ed249f921e7d3218cda3d717c9fa39e07b40d399ba6b74eb030d5abb7736d70eb2262e0dc048402a7aecb30ce6a077a09b50c3a475fcac29b3c171b1cb8e01dd3b8d4378aaeaa9efa431de7c2fdb097b92c8cb7942d204a4f3ffa6832d97e784d2e5225a149d012bd9932397647663de738d3fd805d7e735b36f375c1a26be760e96198bcaa0a22a50c16d2975bf00228ba35f6d76734a182e0efcfbce1b174270a5094560a61d1376b39d8b8f41a9bd57e16
65248c13dbb0e39e4ec776c7914d62045821482da7b9f8da5f7fe87e94ff93f62c1dfb84ed8b38d6555d3129248d5520da73abfa37468d6c39b795271e4e7fa24249fb8ece5235386c7a0d9b149e6fe6b296cdb9017e0724f3b34da6315624717b13dd43e7a80831c9edfd7e58aeb136de554eda1ea13f17a6943dc7f946535f8ffe95329d3923d45caae98c7dbac64dc5d0d1c62176ffc42e2dd184f781a7eea698b9731d5ae3357783a838918d562c5436d353ac241b38fe6e6c045981ff216e9e4f8769992ab3d27d462944e2167b0a27b84d083fe5bc04db1730780004d03f9862a5b27b9719623d6006dabb7201cb763f20d29f16f8f80f2506bbdc2448483fe9e515af8fa4e5c199a232429d4882e64f07e90ad939066c60e23c2a9bdf2b875a490b2556b1b4966feac8cbc212d1d4ab24094401b90b733578d8be20e03b9aed8b67b14ec5744af7d0fe6cbe490e689969c79c813344a07d26c23b18589b040688107a936bd30b1ce7dd6af62a7d33a8bd287dbdbf34e754dbfacff62d05fe8526b53e0ebd8b41eb442d4416dbaa621ed9bbb97709f08c85da603d39d6ea42e6465e1e4f8ffe03bfd0865b6bf13755a61b3f8e3937d917102497c77b9b21a3d67b7d393f27753369f6b488eba203b80c7ecc723aaba839c3957805429bca5b159daa39739fbbe7e32bb785ccc1fff186f85d842e2f22a7a9af3ef93739b0de86cd56d82e89b2fe82489d80553dc4a9e55f28af51e041a13eac68020c17093394dfafb75a79aad21d9034cd3845167b0fc5178b4c8015d7328525a90b64f310ba6668cd5f76c25cda4ed34a4a16158b2cea8317337214a7a2fc9959b54814abe77729faca87ba2db39934480e5e988b2709544564092f57d95a5f8dd0695e1e06e695e371737674e6bdc18acd6595a970aed7bd236bbd313bd857cd96148200d81e04c9e7f5419d4be68f3b41dc8ba8392614eb3170bb5a42bbd01a842f72f3be740d77fe0c5ea41b84a5065bbf97fb429d9a4e33d0d5f8a76954f46ab9d1e15422b29ab283161e4a608292531bff1e15e4b2a77d0ba49ef863f5ac8886dcd5938c3ecc8c1060d05ed917c03fbb316d975e64c5d869d82038f9cdfe960e8b2d90809527b75872c205b49a4f9322784a0f788affd5ffa6877820e96125f8d865c7137a04a4d75add2075c3d739193d53c2e018ed2f37a428e76f68941eed83c1dadd95e05ed9b9d768ca9ff6fa041651c2927e7a445b7c1d3766b82d864d3ad56bb2cc8dd35513f1f6aff6de7e9fd62736ad7d742267be35bbd91b0f06e0d2bc395f4d6199421e83ce840a31caa3d62a2f9f94071fdfa4320d46f3612646177c9cec0d1cd5def90e01d1b82a27a22d0b1dca7c383b9aae588ae7b363b864a91871d737252e97
3f4362f425a8e422889994f4cf047e61652e94dd71e2b39a04664758aac55d17a6f3f26abe24b6fe9ad5e678591adc1ede8cc67a1aff4ecb1463b727b54749ef6c7c7a4c17440172be36e9639098d561d72d4dbc6f2705646911d603605a342ec1984a5cb09930da7ded78f96bf44bfa7223f6ff2cf7c262ff2603160b07c0b8933e2ddc82a0bf91788fbcbe11552550ee00b70ea47f4f569f1013461e047a57ffe3a222dbc5ecd28c95125c3e09b8c6d360043ef40382cca645b93c1d0a2496d7b8ad3bae37985494637a4001d6b61aa7d5cde2ee7af14249b9ab4655ce5b76a529969d7f5ea6e5d0045585e28ec6b91781598aec0e386b3cab3640a69f4cf710b700d3a4a39906b481a91b804072cec90c616d3ad6d7bc365591b6a4e85baa1c2ac6d923518440293f2eeec4c7ad523e30686f24cde1ee619d86e15f4dbbcdc294a315ea7b0652020c10c2189b28028993af3873dee52ef4c8cf7ce4c97457d775ee0ccecd339b83196a7da32fa91fe00db77a242f728f2cb25b91a03a7933acf525a79c63cf88968f78ec078810a5a60718222fde90c09938f2b0b19ce269b3f5123e61418a7f86586af4260060208b5e0a2ece6f01e955ed827da6ff33f93570a6fbd79082abffdb6f45192d7c2e3d4cc8ac868d284de6843b403bec58bb3ee3570fcb6932ca3d5e0aacf4b1c7ea785e59d4ed10a43e08da8e402861ac9bd1e1a110051ed5282ab2016a84da4e76ed457ee1de45423f56f41281174bc897736888852a5f4a01b4b796eb6fecdaf8584ce1d982ad633a51cedaebf602ef3298ea9b63002a21fb3dee97d89ced945572e37c1184a1813895b23e506a8c974db7e7c6f5fe3fa8dc22816a982cca48d052c0a7d8ec4cd37acb86a9578518e9065c61860f3804fcfc385e0a7bcd772267b8cf366046a61f66c19aeb501cb138793b0de11cdeda36846c6b76a5c2d7b0d4b2f7a7241b2f5bf48d1cfcf0a65b468ef307e55f60d0289be6f66a5c36fa4fed684ddeb97b0d85ac1bb7335c145c35c070b80518441251dafd98a796d1cbc464e038d53aeadba1447a7d00f6baba73b7d6084eff55eb4875c8e16b80c1260a1c45a888801277a4ba4b725a4d5b7d715e133bb38f5ff98efbf07a248ff384badcdcc78bbfb085234f59a415f754deaddd0080d08e1366baa15cd0ae6a4dbd258069a7d328c76522624c78a624c166b486470c1ac977c0763386f307dcbf8f06e2c2f4cf4cde9ba620dda2ec703ab7041e3e376e9107056098709d7fce847352836e65d1af6ca5c1d879e24522b391760fd36643b9f7bdcd1e4028f6401e09187e387eda8817a1e230820f943b8b612628efae93022c28b4f35fd7e64156c77f47804cbde126edd4e3bff900b809220df97f9fcf61ec77e219
36d990c8d14f5309807f7d3feb28479cabd370145b8b2d04cf6e29a16333343577e4299dc3f58183813a5e45b6dfc806fcb765c57684401cfec6c8df3e669931913953847e733c6b61d858b42f65594f165cade5384265664f808d5596a67b4fae95cd3c564906357d64da843a3993f344d4b27bd79156a1666c60ae9e1bc07c278d9e176e9fd8613592f1c99f4dd73f32cf2787a1a065a1ace9c3ad2bfe0fbc82f98274ac5bc561f426b5979309ba3fcb68ebecfb58f6b059eb9694236e635915bc0d8315ceac966b633f2fd810c42424c5ac887fda243f94ea535e70596015c4e2664a58bc7479f0c3d038fa8be0b62", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 55, + "comment" : "invalid output size", + "ikm" : "487df211f042c4a8e2e50a4929d4bc302e3584b0", + "salt" : "e01bc4ca3df96a1d158434ec7519550d485ec22d45f827c5f1f9c20036591089a8b6dbec705fd80266fac62a66c9681c", + "info" : "943c7f0cbda70cf2", + "size" : 12241, + "okm" : "", + "result" : "invalid", + "flags" : [ + "SizeTooLarge" + ] + }, + { + "tcId" : 56, + "comment" : "output collision for different salts", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "ee8362786c0c8f19b159b49c0ec33438929d4575a7a319a99386392ac07bef44", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 57, + "comment" : "output collision for different salts", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "ee8362786c0c8f19b159b49c0ec33438929d4575a7a319a99386392ac07bef44", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 58, + "comment" : "a salt longer than the block size of the hash is equivalent to the hash of the salt", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "1a08959149f4b073bcd902c9bc4ed0324c21c95590773afc77037d610b9584806aeeeda8b5d588d0cd79e7c12211b8e394067516ce12946d61111a52042b539353", + "info" : 
"5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "7e060421904a880f28703cea5defae446809d4cd0b971272ba2cb78d8fd7eadf", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 59, + "comment" : "a salt longer than the block size of the hash is equivalent to the hash of the salt", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "466f383c878a617f0828bf2f86dac9f67b40e6375bbbbbd5615e7e99783bd265fcb5ef946f062250c0186cbe711d930b", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "86bcde8ec5a2b4cb9993fc0981d3e216f49789936b43d67de83ba9f51fcdf0f1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 60, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "af856d5eed5c77f4", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "60a49c2dd255be03e3accc8a66cea4cbc919f957dcba8225be0cd707685df52e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 61, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "af856d5eed5c77f40000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "60a49c2dd255be03e3accc8a66cea4cbc919f957dcba8225be0cd707685df52e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 62, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "af856d5eed5c77f400000000000000000000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "60a49c2dd255be03e3accc8a66cea4cbc919f957dcba8225be0cd707685df52e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 63, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : 
"af856d5eed5c77f4000000000000000000000000000000000000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "60a49c2dd255be03e3accc8a66cea4cbc919f957dcba8225be0cd707685df52e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 64, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "af856d5eed5c77f40000000000000000000000000000000000000000000000000000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "60a49c2dd255be03e3accc8a66cea4cbc919f957dcba8225be0cd707685df52e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 65, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "af856d5eed5c77f400000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "60a49c2dd255be03e3accc8a66cea4cbc919f957dcba8225be0cd707685df52e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 66, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "af856d5eed5c77f4000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "60a49c2dd255be03e3accc8a66cea4cbc919f957dcba8225be0cd707685df52e", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "type" : "HkdfTest", + "keySize" : 256, + "tests" : [ + { + "tcId" : 67, + "comment" : "", + "ikm" : "b18e35e63cc4fe4117bf2754ec3f9ebb5346dbb0bf6d4e5f2422418771816fc4", + "salt" : "", + "info" : "", + "size" : 20, + "okm" : "9e2d67ac4c0efa0b734570d7299b8e8d2fbbc5b5", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 68, + "comment" : "", + "ikm" : 
"236c2ba20c72242820f63d3e9c20633162c1cb048a45dea13861e8a138b9640d", + "salt" : "", + "info" : "", + "size" : 42, + "okm" : "a7d98a30ba3320706cf345f0ab09d4cac7d212c8337bef01419b054c10d336009e5636916570452d4b8e", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 69, + "comment" : "", + "ikm" : "f2cba42dd82acb5d2d569406815a3769b7becb13fa48537fa7d7d5e121081d39", + "salt" : "", + "info" : "", + "size" : 64, + "okm" : "558c7cd96388bd7f225afd1580a41083c465aea527cfb4e33a0408565708239eeb6797ba0e9f80f9655fa3bf2c7172252775ccb16170c0c31830c648617ad586", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 70, + "comment" : "", + "ikm" : "73d97f2ffde01b447a5b8573190a8eb4f87f7ac04482836143f780ad876bfffe", + "salt" : "", + "info" : "74d2301c5aca2441372cf6077bd8806dab3e8721", + "size" : 20, + "okm" : "dbff53109babfe9694885c6bc0c577ce8f5201ef", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 71, + "comment" : "", + "ikm" : "6948521434707e96fa943e44988d1ad409ec57e6594867e8193e9d727238916d", + "salt" : "", + "info" : "9eaddd1e7edb6b84c96fb5ac7e0d673a8f5084f2", + "size" : 42, + "okm" : "bd6dcd55a59713754ba4a26c55b6084014db2c3ac568eda3be9ebc55e67a2aee4d3cf2d19ce945555d42", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 72, + "comment" : "", + "ikm" : "b72b3854923b8a0048497a86bddef962552c8f6b2c72b2b2006a1820fea5c6a9", + "salt" : "", + "info" : "113b708f7522ec3b362999db18699bf7871e3b8f", + "size" : 64, + "okm" : "743e992e2d0ebbf94c6b901955270f1cbb472fee9ae645e128a941e62623c3e0f484369e77bba1f6ae485fd23b6ed2bba64ca25a19d56715875f3d092caa5698", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 73, + "comment" : "", + "ikm" : "44d774def90685c0e9a685fa50fd434c807d1a57896fa42f91778821fe232057", + "salt" : "0d7d3b47bf8484c8adab7f9c27c9584f", + "info" : "", + "size" : 20, + "okm" : "f17c54ecdb9769ab1f2c7e5ae6ac720277cac48d", + "result" : "valid", + "flags" : [] + }, + { + 
"tcId" : 74, + "comment" : "", + "ikm" : "098ecd86354496a701ffcac8d589a1217231da3b80ccce4ef85762d7f3a2c211", + "salt" : "5232e5e4e2dd6133d46ebe5a8a51a0bc", + "info" : "", + "size" : 42, + "okm" : "5d0568ae988ca4c225eed0b789b488b8b8eb421aaf0aa8056c69031c004ace076dc2d2292e06b0df6095", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 75, + "comment" : "", + "ikm" : "917ad396520e454a571ac39a9f6bc845a8920954fba1ac400cb2988cd8847ba0", + "salt" : "962d86949506450eaca929286ce5d9e7", + "info" : "", + "size" : 64, + "okm" : "dc65cdffb023a4323bb82c444815cbbea1aad5c5fbdea4db2df982432f5a6b4124719f9fd6a47492170041c60a7a075df39e9310ed0394271a53e87f772d8591", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 76, + "comment" : "", + "ikm" : "1cbff2202268edf1985bc91466b80133644988c5e81368cf0995274204fb0aa3", + "salt" : "2bde6e33534731f52d39add940ff46f6", + "info" : "3e4f9c8d3d607c2ed43caa9e87e6ecbc307c6048", + "size" : 20, + "okm" : "8fd42650adad1b8cff79d8a6c690e62779ecdb48", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 77, + "comment" : "", + "ikm" : "d00d6b4fe088077ffbc64127d6bdb9707a0f9061c0b873c334c3be0adaa7c2bd", + "salt" : "1647a044472179d454b8d2108e4a2aa8", + "info" : "4266351bad419173279c901aea148e8b1d99e50f", + "size" : 42, + "okm" : "61a29469106dd22597f742303af8683bcb81fae85b45d38792b019f201194372895897fd7c63f95d616e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 78, + "comment" : "", + "ikm" : "9a27c19b607adc8f152faeaeb1282002d3a2166894b7fe5d65829ecdcfaf73b9", + "salt" : "70d83929a6376a6eab859f0d6225f131", + "info" : "36356cdc28187c11cbb9046f9ce7502ab4d2ea46", + "size" : 64, + "okm" : "6f4c33adde661d92083b96c90e9f030cb372304ee1fa8adaba2f22f45c47aec925e944034737e47845d577e4f2559b9d00cbdd07a3bb9b4fffe701385a0e6e53", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 79, + "comment" : "", + "ikm" : "f5d1c855d3448e212d76d3927ec797dc439cb182f427064288452988ab79c83f", + "salt" : 
"87ef5da5400db731d658972ea82b76848004e70d3b22cec76c8be06283c4", + "info" : "", + "size" : 20, + "okm" : "2d45645198322629380b4051ec1a219d2cbb49cd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 80, + "comment" : "", + "ikm" : "3f19b7095a6b3d313b59c3ba2c3a78d8b24f30c9ed4f8be9eb92f8eeaabd2c3c", + "salt" : "8f1f6c8e4f68830319ae859b4b1fa71f1d69552b0c3e53cbbad26293651e", + "info" : "", + "size" : 42, + "okm" : "5eaa1b59bd65ef1a25f255f2b8bf54757c2cac123ccd8ff64e7d0a094c2a8656cd4eb2c4b98b16a0779c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 81, + "comment" : "", + "ikm" : "b1d396c69f14994dc8add0f6e0cde4455677ba9ee95ff84a142295f9177ee629", + "salt" : "7f693304bff77534b8246d832749387ecc0e8daeae11d77d022ca9e362d1", + "info" : "", + "size" : 64, + "okm" : "938ce3bda3308425f80da0093b4f8ccb7afdd75c4b484d8c92e9aad3613a5d0c268539e5bb115b658121ceecadcc367f866c505972665fc4ad0d0664576f6b22", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 82, + "comment" : "", + "ikm" : "003d1901a10c062ec44e0f2a94c544b7f53b33f1ea4679fa6e023c2d0a907fcd", + "salt" : "ed86cb8c8ba1c989f9a60a4a82c38be98c70e6218576b292c93fcc18192e", + "info" : "d5d3ef5beb9840d15efe9c778aefe38f1bf7bae3", + "size" : 20, + "okm" : "a9e331f535da580a86a3b4e0cdd5a7dabbae2de9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 83, + "comment" : "", + "ikm" : "02e0647a4b7ccfc0d3ee7ddfe24ce69c02f51cbaa836b96cbc5a9c2885c45599", + "salt" : "f0862f61f2377ca34b76476ae21e331b114c7712aef501a1bf00f7e9cb79", + "info" : "4e9e27d971e76fda614fde15031f6664b97d4786", + "size" : 42, + "okm" : "3b17b93969f5e7567f7b955dc1e6bb20a04543724764cae47de80272505d25383687f4ecebe7797c4e9e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 84, + "comment" : "", + "ikm" : "92bfb7e31e839f109e6622b2c2c4f41ce84c9907172681920e7d90e80e2339bf", + "salt" : "ce869619607f71fde53ef55e18d01d20002e3f91a8b7584190fc6667b8d2", + "info" : "ff36776fc755722ff371f21cfb37a168a2731e99", + "size" : 64, + "okm" : 
"a4b00d604d54e6d1374499c6588e199a9add616403acce0532eaecab0752b1d49a7beafc47220783577eeba89c5f79ffc21a7cf3a061457e6bc54031037f92f9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 85, + "comment" : "", + "ikm" : "17632581c34ab743992cd99318889b32f92812bd37f41636b5fbbf2b12190c6f", + "salt" : "55e39431c83648867ac98eb7ecbbc8b41c5a5e774646b926a9b49c511915b0de1241f8666da198f6ba4bf7e9025e434b6d7ef794e7a563309303055fe3bbe769", + "info" : "", + "size" : 42, + "okm" : "04ea65201dc5ce6cd19dedfb3a30517e0e1c4d4766bc0229da4cdac8c551632306c9cb14bc05fcba1535", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 86, + "comment" : "", + "ikm" : "045b4d451bc30c39afe0932f6cd62e65b4b2ae2cf1160f19e8ba1323f7ca146c", + "salt" : "b73682dda0fad41095070b2b26f2d7d98ac62202d918258ca9aca0f794ef5e4d23b3fc43c8cabf9fcb37ad9a62337fbce967fe24054c3bf891195858e53997f4", + "info" : "613e353162c6c1b12fb1477fbc54074ff7848a14", + "size" : 42, + "okm" : "cf9736b01f3ae0768b669d53ad335243db19e2587d904d72b72213aba2f0964064039177cd922e2aaf8d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 87, + "comment" : "maximal output size", + "ikm" : "b16b67a856259419ada925f3553103eda6cfda15666ad1d012d43429a8272d75", + "salt" : "8ed2f3533ae5da80bc34db49d9c3b3b0a7873baf9148772f286244b23ec6b3c1d9f235310c383c96bfe02a7e8be2c01c", + "info" : "f82bfdc6aaf0c789", + "size" : 12240, + "okm" : 
"1c9b28ae006c65a8716df9089e105358aac83c2372e31788e2c1ad0bcfef21e14ce59a2c3defed070ed55424e891aec5215240f8915f92c35b3e8cbe6c91e70cd83dae81e2628e3b668d69ec66093d054f7e213ef5a3e88d6694145fe3bc88a6ab55a8c32ef2cf0907e07e0b05fc9002dee5d86a724b237fb8423c874d21fd541e3c6d89ee2b1990e3dcfe6ddb65c0500d1488ae749529724dd975492bd35f98b89c280586e8ace25c03a8259c52a3c7478d748554d2f7d485ed68d1fa6a804b3d1b6a0aab002eef97b9656752cb0c728e1b0f15aea2928346cb97617ea9760e0d46be6638c905247c6f8c927416c283ce1dc41f16e61060644952bd046bd478a01011907456a03080d7bb0d79c959f5def259e6a4e0fab0eab317ed5e62d0b8d8e7ea4b07b0281e09392e43a00deef79eca892b59b1adeaefd14b10f11f9621edaa8567bb15e52e0f71393ec309d3dfbe3673550b8ec6d9e1f325007b5253bea1b838a2785fe37b80dea14c247ebbaeafc73bc44d013408a2368cbcf6d80c572a9630f38322a778470ec557657d3ac8e1265eaadce9975f26d9ee24eaefc6d6c38b78ac198ac49be0e08502901868b6d966543b682ff658b12f962a0f8f1bbd437a2863ad6246b0738b343d368cac0cce1bd4dc4a1efc2e65b53c732caca0101b0b44fe17b15909f84cad9d107e5374bdbf84a579428219adf9e4f60162566d5f29cb28c851ce9d05995018095ef7b915781dcaa5d75c4db60d497982df7767f907fab51d650acf70cb3430a2b5210a572bcf68453b3ba10672b5c134a70f63e934f8388cf4483871134c6b0089988948a528fe4ac88338f00098826042f096de009a605ab575dbee9bc675d626b83393511efccaf73c941d38be181ee22a368526909f8da2246473e2265b58f1a68c7a876b55223d2de9022f4af4036469eda819a593ca3ed2763c1e8d26c49082e9c8a2ca21b939ad0e8949c105ffa36893d36314b266cd6d22d2a1c1e7e81e0bab9743269cb5ae6808fe1c48bd583bd863b74f919118437bcf7053b2796f1ad1b06a4328612be85e9280009c0a11f212dd748987c2b0abd1825385bc1303c935117d3b968e46a6d554c04073affa3884486340b77a37377214cf799e8b422d3ba77c7eeab27c50d0ef7f07adb97b014b7c09982c70142aae3dd417610c76088042e7196745e5574106ac8043642d3e5d0e3f4e916d5bcf14754e21feccd10006d8fcd222f2d6b268fce261ebea921a35f538b23bb14833c10f31b697675182dc1b2a32616f3174aa40f0296b7b45489c2ff16d8ba0e23ff740b53fb91ce8026c2863f7bc1466594a984ec1744cf07533a9bf35794717dfe170e48616cbf7c24293cf9d931d7848513ecc8960907aa60359275bb9af101ac41
ad42be509cb8acc9701440773a486a8615dcb8861eef8c1d63373152df15790280436662f4dc98e3fee01fa8ef61a1c500e060da7c5e284fcf3d27ec9321ace93d8764ee34bc51ee6cfced9e56ba56020652a855099395fc5c0290ce84b0ff6c8ce2f25b30bf85909d906f0c418cb70c7e69d5b3aed6d0eb74387b6efbf33872f3712fe0dad38110dbbd0e5f4432bf102835ccf4795f95e7d07e408ef853d28c226cad475fd361c5de53b2d2a1d6f59dcda82dd6f582c52ecd2421b940939acbaa0f34bc64193d6baf7a809b42ffbab45639fe645ccabc93a97b247e454e63cb891cf187908d33dffcf1225757e87bfcfede42dd0e8b75e4ce05f6a766b915f047e52aff8a7a982d9b2072c1020198ae69a69348a8554fb51edd4ff68a8e0041a0a118ad2bf42c418130e01b3d1c521a80716b0898eb63bf6fde067048e650fac3433b6c7aed5d59bb4065ebab0dbaa03e1b8b348bff92575f5e4db87d64355f75925dffbb090aac2ae320bf72da9371148901c740e34b4355e715b7c8640e016d7ab63c0cf5d6f3a6d62f3358a5fda77ada6947fd711501891c23739f262f71e5314bfba0b7372638a6dd2b2547cd1ab5ed3debbf968669b6273cec753d43085192860c4168a8703b917a609d87e5ab1f733976a06240d288f8846ad27328b071b377accebf4501c75f8e4697e715e8b052bd116cd16895024a8b58f9b96f460e6aa9f6b8c5b760ae84e036b2e83d18c3b242f59e7c00cdf308e43ae576c5d69d78dfb39c78423ffc565a0c27b1ed04f231fadd2cd46f4dfc1caa7ba639746ed61e1787606ff6a9e1422ce3ce817e23ecf95b7940c08b865b1e19d143e230defee3ea88893404992399adbede4a82b34b906631b339dbe2e8d0618ff54b9015012fff625f69a1b9c753d790d3ba76af8fe7ee5f6f493e47c30b28341d98f0aa38ff76f7f660e048a09c5cec238d36e21e26d8dca7d427b609dd35d9cf42447ac88636a4575b0383177be4f1f1e4db97778147b73477c50071a625fc908f4130090a819644f1c1bf7318cc611b0ff4454a7b3d180c445fffa0b52739a474017fbdaeb278fdb901723d0de12f0115831f6b4b2f0b6f15c59194bf28d36ad73a2ce8263d8d293a7555048db5ace9e5669d3c0391475c602bda918dd951a2db8aa94bd8925a646ffbf9a22590bd87ca893f45c53b184f63d93794c6f9f4ac2d4ae4669e9b36af3cac1f59262550c5203a1152cbd0d4a264e337302430f59db44b2c3c1bc7580f09a5326db90d6f88617337d20bbb39b05b7d1710eaecdfbfc7be543df1f52dbd8248209275394ed36cff244b9dc25a46bdf9cd09f2201f2fd8007cf561af8dc4bad49de3c7131820e2c3225eb4ff95de565580c02ed86094a3b3757d8ccb040ecc75aa
1b272fc1f96b6a9e5f117f9a229da82ba85f42e2fbc172be3f24c2250d15fdf257d39d2d4b677f23a5ec8cc4083d957d38fde4f5571786278fbebb2b56ad8a1dbce217bb8c64926813dbaf0f068e20595f80cb5ec546206b6660789291b3714db364e9f27d920c606cfbd48f5276aaf07f2defc637d25e146d18dfe207e1e0f946b91108bc60a7a633e960bb77c119620e6da200b650d5b45921e32b307029b769a04972421cb80f3494eb7403c58f779891d994c556043a501836111abb0f8ddb34a894cc2fccbae3d73a95dcbbb0c73c3a4fe516b3bf2109e0b9d2ddce48477890911169449e5c00c8a4782c33c349d7802e1b3fee21f23cb73a9e649ead85c06d7e883bc69982ce63e1b9ee3ead32f2d29f82b0eadfb5f55f8311c18697de6472c7d1b9b37a73ce27ef80413efcdbe992dac8ccecb7463509a096ca33cf5449726a83d078d5558da1a95dac80bbcdacfbf5935011143dd0e4ce91aa1a49efee241a72f0edce6567662a4b9789763ca414445a3a4baa45ad4d9ffe7f28c2c94974f5e74052cdd5008b8d89bc7726caf49693d1dc01619ac91155915031c5f575f0694d9f8a0dffe303ecc3779b8cd4441c6a110aaf682be920b3895f45538e1089ad610edc3ca64589cc82f863cb4be9125f1659c51f693d30bef11042384dd92887da5e45cd127065dcd57847673be82a29c1ea6ba5973994182c06db59272149966603c3f1d3c1efe10e6df1fbe2d32f955b4fe04ae96dd3591dd1314ef715951b4ff8b8378ac2e3814fcd378fe7bc739b2c5b7d401603dd00c2c92f9c86b8c63c90d4da37400f590f36210c60495f049cabc91f4c4585c5f1a1098167190108f704eccac5b1960748502ab4791144c8e049fc2a8d37c125c1da0b15adf85bdfb07102a653645c379f5ebc84d505457e8c22884d850def6c3ed18342a28d4f62b47593db3607b97c7be1acc81278bbcd9772ef366e84af816d0e2d132419034163d5fb0b88ffa183ee2eb3c1f354321c076221ed7d1f0774e7fafa5baedc5eb32fc3ff1e2e48d77ebbf4d7804c7a76eadb7673fe9aaddd2960c288d9159f7a2c21b243dd47f4cdb0c29931a3856e1cdca81cf8ab2fd0bc07b4179ffce30e12a72980e9b705f53bc7ad78bf7e939dcfa5200d15b626e220e465e293379f12e1e82df11caf29536aa085cdfce4d9f824666eaf12b71e42919ffa28a327a4d944873f0a970f9abe4986979d772fb854151fdcdb4faf7534a9a8eeea3e9d080f9b56fb8d281ab2e0f9777f2e2f1e58bf6c471c79f4e1611fc0c541227bf9179e6c76152f86013c78e6035f0361e57fd5494c590cd5285cdeef52904fc4a6713009542da95e8e3ff6785bb953d571855d86742331d62682ef537e25411bf35ab44ac31b451477ec44
db4624a83fd637852905473d30a4ba927556163b8fb98f15008d005660caa833f28cb80e299427e044dfb254b97ac03ee5389b93130ddf4c8dec96f6babc43220a59a194408540122f96257be852fdc97303f8c21553a506473e2dfcc50e73b5b6c2b2c99e55b2742752a54fae78daa18271534b82c274fd6aa41e003bc60e935edf4cb4fb377afc273d720f41db68db9a98274da032beef4464f082d06e679cb456f4772eed93eda24e31eba70cdbe12fbf39d413304891c7a720ce8d896fd20952b4b0577c700028fa804cdb7e0e72dd503a5299b346e188e7b0ac0b93c3d4ce7ca24181909589c82b01e9c05769dc2ceebe9df8652bf843746945dec545dd211cdfc0831fc03cb91c6136f5e0e2d558db50ce3dd90cae233442f2a41ffd1d69b2897a10ad0a2fb83075d3f389c26f041f6e178313682e91804256c1d0b4842225e6f63e1bde51e888cb9c93fdff2b7dcab1109da6e648cfd57ba9237e35f1d28e5e69cbb8ac5b941f2a2c56985d76107723288422ea37c2883fe775e44e1a5be4f3ab0410c11e2a3e7cfbce8e359c7004e7a7c86884af6dc32fe94198f2592144b1bb397187ea5df233db8856291c1b91914d87cf0bc1e707e104ed80a74b5273d267626180b035fdcb1ab94b8c6560e8dc0a8ebd7d6df478d719b3b426e26c07c9eaa9bfd62f921ef99b8d25cb9db02ef9346b18f41f88fb17aca4f04595f6ecd8c8f89d01b19faf3b479796945bf714497fc692bceb89620138cc089e64b05c3efc39ca03aa87c0ee5e8766e83362f37fb4aa47fde3acf5f3a6f7c7485af5eaa852f3303c03b1c8c4c82e511f0a1aeeb3aa5465d11a306b08ea1a2561e583bd183da982bdc82c20d7ec33e80ac7dd7b7d93f22b7bac6752d71fa6e767b5af61e5496cb6b896e822dd2ecc57d1f3da815eec7ed83ed50822f96da844b1565f65d72afca24a5ee59d36ddcb6e5ad9fa6d2f19248e120a663d3d93c2f2d3e478d3915200104f5a2402dd37cb8473e6104ccb1a8ffe6b014096def2a03ef2c035620b4267711719ae545951c6e930fe19aa90a7d5ca01d089201c9ceaf49aaf4bc3bd80a47884d12848bad2df4bf99b45b09b888f1be26cdddddf557e4e97f3552cedafed9f0be5a26e46140180e204dede4bd0442899bc4e6192d16267e7e0ecc0e52471206b306254ab4e3908b8a4aff72f337f21c551164319ec9fa947e3184bf8eeb1562932f1446f9a1fa6f7a10fe4e9df16a74ca7072170644163cf1f9849cd15dd1d0902012d4d13172334dd7146e3dd066ae11c59e45588bc597f90d217d2eb0545b8e171b5b36669cec25196a4d92a866de6a8b1ecba130876d787386d596d03471a0169a1cd6bd734815d6d36df83e4273d01761550207445247b14e9f5fd9a04d6e5
916cd7c5a27dc10e7347522c2e8df09689787d2dd44d852b1316cdc2178d9718f2af92e9fd711b881de0c058e9c9c302a06b9b7bd40a4e857d3007248090f2ce2c74d64d84f1985ecb9b1ae558fb20bc8180cb8720d215bcd57c27737f6051387178fc177010dca84486d62c7113c0de4b0ec79197d450a733c8492d8c213c5123424560853a7878425412fcdad1ae0986c375a2b19863a07f924f2737991297bada908d5033fee6e734e86ce45c60f6e61f42922d500cfc57cffe21bf42a36a3841e710d1cd94caaafeed9be4f00243a439ac4d37348102f7890c8e8adf6d8ec765d709a15cb526e7c52da7281e6262f5ac206806dd595d58ea0158c1102476f4f7077c8bcb13f80d9fbd4fa29e490ffb74b45480a31df2e75618eddf10f34a0cd2e61c99316e303fbf92326fccc785745adba435d68c2f720064668671345fa1a7af122386c969e79fba2fc6b66d86c4ea79ac9d9fbdb6f21fcda70b96875dc70d915f8ee3bd68f84447d9015d3b8b340929daf16c25f57ee9828ac93989c53028023b7be7e6cbe10f077e2b41b873f0a7a9a4718063975a94e045aa246dd05b5f1d0dbdf123ce661943c2fba51eb41f4cc854bccab72d41fd8ac6a34da8d55e9f943f04b675f6661b9ba03857023e2e00011ba47f8635ca9408ebb55b43ed3a029151a6c44fe2f8a1a61f390c2343cdac9dc24afdc6472478673fd2a024578d2ada32a1376332ea24445ac99ff3081fc327a482b6ee96d56db0694b978296102a448f6010dcb560447d32e4fc67f260c9646dd60e11d39cf736577edbc1330bf8a2a3accd05e7f562fc911635898882a9937d3d527d618d450cfbfc1dd16ea040958e21f72fdbe29fdd91798888d0eaf50d01e9c162034dd12a889112b8281be71b291360a6e676f560fe34faccf5556319acd7067ffe1f7abd2489d88cc8238d5479e18b20b502d8be6c3b9565a97d15f827c177622feb795d32a6cc8d49f0223410a484bf8788dd6ffa1722a13857681646e7ce8fdd89646d54b8a960148df2cc92d310112eb1388f5da1eac32b1fdfea06495f57ebf845ac6f38c942e2ab13f45b4448d35a785f0ec3e1a0f15c4b341dc29e4d936bd438f26d1c3f3fd103b6543790a8d48702b24aca7b3a60a968703e258297a592a2690431ce09993fab0da0555b42a448897afec276d1d48b8a71d3708ea3a453bb653ccff2a3b3cb33c7dcbe432813d859f511735b6ac062b225c706f97241a3acc08b56f88d883dbce97c8aa935fb07d8dc5291d3d74732a10130f88907ef6fa06b96ed4de40dc90beb03cadccc978fdcc7e36ec532eac8eb33e4914faa060d3041ab7386a071458f104f9707a9b8858e220acc78802ed0961a268454a4c02bd8d3f7aaadc6573179c5c0a102517d55
301febf5001d4d7a5d95d80143e6383f95af933c83fd68bb7d0c1e283390975fdd29b0e62fcb0cb1d032bafc96c1908ef7839a86f52d0cf6fc61a6d145542b2843c8210fa0c44ebc78f3c42faaff2a560dbe937f2dde15f0110d1284a5c69c7aa9f26455d5bfc5558ab6b60d8c98bae2ee0717fdf1757d26d2082da8f481e7404d32d06da52a1f5da5bb128f4c185e7dfed64513c97329e5836ea707361c6dd45366396f31e7aa46ad88e0849622c3851e72c2b44136ba2e1f1769e8cd86184f9c0a1030da36016f146343ee8fad9a06c33946e2cd3224da22504ab68af25b3b9789df7f2dc1c9f99291f89bd2516115876c3bce1e678a846163386db044eb0ecdbc9e0ec6ff999945c83859f025aae214b5cce6c32a048cc76d7077c11e9962061b73a6827a0a4d0b4a8c1c92b3128f21c7e3372e7e248dff0500358fda14bd46f50838666f3d5d8f28a32fdbbea2829b86bafb15d02db14381581709b2a9cd095d8555035ccd4c67c10a4124acaa9ffd2a76196ded0729cfda8d423fe98fcc126569f90899ee416b397bc16d1fbc88ffb4fca25b2b2c91d5ab91d3a66450708a95ab8250ad8d8ce4614683225ac9bdcc236a25c6f5d65ee25262e54c54dbf59f2ba193a210359ae7ab1615f15a3ae2f017bb1aecdab6833c0256495512f5775ef85655e595b8898a3ed24165ddfc1b73b43aa2a9af4060283a1cd6355fdbf585bdb924899790c477a6343b244be0433da2c084aafc57345bd69e57c5fa3b5e6d19c98eb119e7f5e2080b4dd121dfad487441e6089c97494ee9a932bb8f56b0066940f415b5df917110108bfde7bbfebca4206bad5916b45ccd7118164c97ce0b053e0b2265179494568c0de284b8ebe664fcc74ae13fbe56e35e97c1e6e54d10173950090244f353feab7b0a4bcf892dfbe6a1975632efa67c1964140c8c09d23d300338c8f8702475afef0d794ec815cbc28590bb91967179115f5922d7fca605c2e98213589f540fcdc61c28ce38e955cd5cf86b49cb729afd941055d0273e9ab74b87709fad9aaa56878cae49e063c430459983230bb9c47c36eec08ead6faf7428b13cf11739250c3908088aac25e387c1f7ee461c53dacae84804d0c83185508bd5d9f2f3e7e9bee7d2dcdad485bc3cf076b57d153962730bb23017374c76b5181058a982b96357ed0e5a26ffbe6744cfe2f2bbcc0d6a06bdf6235d53a305e922c207d3374f67f9e9571c044f73adcf28ab399b5187b0fa4db03aaeb10a3c6111669cab03dce28daf75ce598604f28326452133a3dd18dcc925c5394b62f48f803f0ad91fbae1c4ccde3a61fd7e23a00b6582d38257d2de8ff5c84e7c15b373b67d10a55940143c30d9cd01dbdbdc4efd2d78e060248106b68f2a741028bda70c99420f99
6dd225a0fcd0fc93cffb2194ff47023d9bba1054874d8a50bef8ebb90561468f214e13e505b558af82818fd74aa3bae02ea49f2502fc2791e96c3eea62742a2035468927cf74541329c950df615be360fd0b2fae64030a7add9c35b48a6441527dc4e38e9ca001719d5cf1e3d9a5c0660a54473e90557a2e7494fe2da354ad37ad0f1d8c02c4d78bd5e2c18997039f3ed7e9d82954d532b498eb2df080f5840c34eaa7153719bcf3b0f1b7d16c9a61421f83803ae677920b65420ac4dc2ad0fea214a0f66bb2f2b0c326a2067cbeda0419424393c643a1152cfcf0396a15d30d4e216b656b4934babe2d518ce9bac15ab3e6bed02b397d2df6f0bc9d9d56333ee9963a71b9e0fc5eead36a12efe520aa8ab9d1f9933eebd5e45c3068f8ebc90d1434712c8b078d41dc913668fa8ee6d686a90c16df842418bacfe1482fea4526ca464732fd935c61779d294ceaa828b54e437262d8bea50b7e6b423ae39cdfe390e61f7c847d8fb560b07260fc108abc130bb6dbe99dbfa65245c882a2cd65e4205ddeb902603e1c1dcc2a471c9a206064a8d756353773813f0c9efcd22903c443df9677b5979f7cbf97ac09e35ad048b34c33eebd515dc696a7776997929d0bf49052ec3348a81694a324a6829c227388b5352da311bd7ee38f7e2b6792cefb8b33664a6ed89a11f9d9f6f64f63e898a4b97362fbb2a681a87eb2914e6d10eb4f49881197630b2d8c4c8dd3322566c6d3350b9a05890d0f25beb26a49aa9d6f755a4c533966f137aecbcbd6e65391abc4bf97a17f0e32f5ad0a7c6af2ab0af3ebb07b97210606d68d4d8ccea6f0311f15ada1cf79504ef4e4b58d17bcd87cec74370be0f6cbee92831bea0dc35246fda4feb3299813a18ada050744e836cba694e7fc0a8368c797720f16e238a7e9b4d3008ab555cc0c66c1d0fd00721db81dd40585ebf5a7e7cc0443d11e91ece4536325e9993828cafee77ce6e128d0767279001ff089c44f193b1f7b736334e0dc5085fee52e574b2e4ea6c570ed92175df0c1af574b6285c7f5f8ceb3945a2e337fbd19f6b4553cdd8be98e5937d58d229901dab6dfe7cea5683cf573a3ed097c14372eff45e562629851a75cfdc3ca90f68f4aaf94006d03f078b236c443c31fc96e8c7aac2d0a66954add0c0a7771c5ca6665d782de40eca16449b2275fb04fd15114639cef02a6852c7ca2392923e2ca74f05a721b810b555269bfcf6e788e2ae891d54e0d9528ed8cd49c8b0e1b41f8c9355cc5faa42477415d6e7992f65dc6a62dbf10ca59d55a6bbb71b41fb93de8fd00f3640f620257a00f0af4f4286cadd03df8b06077320f617a889fd7487c2703bea22c2c39d3be70e50692f3410e2ce0fe9ee6829833bbca4a9d70ca7438c798432c1ec563d8
1c384a42bd5599eebf98985124a27279a610dbe9800a6509f517fb1df6be255ec1015bb808d56eaee3a278e0d8119eaa04375137f22558de2759be8dea393312617c4aa447e28091bd3e79e6e6daceac906a7c180faf0ebe9b01635f075b32effc404d52e914e54642057d4976b7ccbdff3932cad5d35fce432bb675db4548e8d358267d1f34498ecf46baf5efd8bf221c0d35f18d5f64974115af6419d0ab4b71fe0bbe8014c03412532699d7caf4b0707f92ac7c677bff84427476eca38cc2da5310df255bfd11c6905639bfd622a0931fe864d5c52caa357ee46b57af74c23d2e2e4abb076c7bf11dc5dbbc69a75ff9446af6e8d5a165d3dccc33fc6ceabd6790ff4e4032b515f2d85414e59ed6d26d9c19e9133e628e3f2b1b77eb6aa74e50df1618abb12240661ace8cc9cb0a78048dc62349df3b16f5a48bb3462f56da5d74a22a04fd3b6353349f09289713539efec56fcaf0a41650b218005c4ab31c8a1f866c2c29dffb51127d52afec692acecd3ab79e46c331c041fe8ca9212a694c7848736a471966f8d3cbee2b1403177a67c4c030164d006c2967e33f45bd90185d385c87b715314a2b15933d7240d2fb4b8e9572e9e07f8402745b35a78ca5f8d053dcdab3b2a9a885439b20506148d2caecb6327cf7d33e559cfa12678f55747abfb3cc25f32572c47922d7b8c9686e5a66e1855ccbef0c4cf0eb489b6a3aa885b2c78e067421268705a4bbfd88374b33279b71303c70aba755458842f205d3a2a7e40a2828a2cef6ef86659182c68a0252c2eb393270fd26402581e1692eaa77be5e6d7252c683e380e932cb5facd2bae8c5c25739f84f07f2b44d6133aaeef8d87191a9c2037f5a95489adcdcb89e54f1165c1af615890a1e4e56d07d949c003e12aae68820492666c999d8c09a356762820c9146ef9f85828d9a9b818cfc2fe2bf09effcd841e9b77922e2d263982060eea4a06a3ae8fbc15e8b5bdfae224c648b33446ba400ecef428b236ffc8938a7bc6c406fea97fc0e1a324f8e31429f53873d0f24eaab39f0e5c37a0147a95ad22c4312b1d8032da65db800150d4e88bf7b9b1dfd63c3b714eb32b7e6f288d7bddd875934c4cab2cc57f771ab8523721033d769b2ffe9080488a1b201299a1eba6aca7f468fc72e4c26c34d161764c7c5ce96c90115898824c24fcd7a97ec7d5031d1364b2028591ec1f6a286a5d474dae06ebfe38900b0ff730a497d40abe221e0dbe82a90106bee225263fe2c04cbdc5aa7a643bafd3f89d10abdbdb320cd8da6c1753202ea2243395f7fc798db6ab11f78e6a6fd29269169c6925488171a147c651e85777a791837f8f079fb958b54af044a11ff54c493a0f032162dcbeaec09d68df9da5c47e87631f7254b3ee5a26d895d2c98
0ad62ee8fbc5d7c4235bf1f9be12781d1acaf02e100be5a535438c44860b8ca257257f8b4288f66a7bc82a25c9f78f55397e29e99ea97595599ca41f599653548cc4a2983dab789eab4dc1536ccc2463a0d259d14fc0778696a73fb6f4d78c0c1080b2815b1fe91ecf65fa02206c438e16ffb9aa43aa4c6e68dfca745e4b1b287d03325a9f595c5fe164594a8bd3bb1893151c3a7e3d5ee2d966f367d98578e2564398feaeca7d8c4773d4fb51f706bb4fe13494afbd786c0662d0159557a8c1c56590b5738a116a20218b9c35a29651224dceb00b4a5fda958ca46375885af41ff9e1335a3d57d650aae9901b71645923eb3f3d869dbb7d79c6a58f856fd2be95c376d9934950577b682d82985f0ffc2adeb9ac1d801cee6ddad69d342046487798373560db6331ac07287a9240fe1cffa3bcb14825ee235389e80ecfbbe138c349f6fb43574077213fa5a995ecc936eb12b011a7a1b3417b33f2adc3963a2b7abbd2314c4d32291cf24e9d0e896bd709c01e5a05acb60bb7713234b450557e460aa3ba916c5da158a88f37fab9c0a293565610ee33a42fe1b632c9c5ec0a70667d5fe236fd8405a80152bb91ccf336608dbc472602343579d0bca549d6d97155ff65e6d3cd2342ba931158a97613ea430b8fe663c28dac1cce08e8c28db4bae76758d3d186b6e34c631ad743a20ab81771879df17361e7d5db49fb0a88651d6d4b388b925714c19d790c50a76182f3d121dff6fae46fcd97e7eff2277bc8c6b87984c0fdb67cdec92b763d867ac3f54f30ea1c5e86be4484b8d52408dd9638f3d13d32e9fc43a7596c9748e0aaeabc83c08a7849c28df6262ffa83128341431cb97eb574990a2e2e92610035442bd7fa3520c4ad3f6a849297ff68650516fb80b786a3cd5a2699e37ab1f36d40c6b35843ba7cca1aa445af87711feea243c787165dc51975ae058f80cd70a272721e7d3be99db79e76c9cdbb476eea6b73e50968e9ff7515d78bf550e9b77fde7f686544e238483e7444faef2829a01651eb76aa767c03dbfd37c79ed8d77491cdc75798d230d9734052ab886075da01556263d09e82f2682bbad8c26d780ed6def00bbd3413a3b7d69d2eafc4ea0c42fa89114964aa4b775b5840ea4ea9f69b01d269ba4551f1aa7bff0dafd8e3ed13941abcd91fb3bef76a7b49340382eeca128b9ddd1bb253c1d082f02d20c37f0411a57ba5249b05b1ca2959aa140edfc4bbb474c9273909594b1d970124f86f861c0504bcb56d7ce395da042c175384e8e1c0b2be453df961e9fb0e8d60ad09ab6b8c8b09d8c7c3fa0c0376e70fe6487dab64d398257b8293c19bca53ec82479f7784f5359ef3577c7904acfd59ba3694283d7f0b63be70c5f7e55b45ae013ba5a8a77126a11154e91f8c
3e9ed719e087c73e425c7425abda06860b898b1763dc030debaa9790ac22263a099573d6b4fa2ac17ffc9e7e0fa710a23326b965df9e2d2a69f07a249f7b2c931f2219a3f6281aa96937b1f88f952693519089b4504965e0408dc018f449c566f027866f891ca75832689995b72fd5f518e5a1e37f33c06775166822050932319f0d1e53bbccb9ae4d18c100086fae3311c69650d2317d83e4a164c4e67278dc1539dfaf2d9e02b52cd6885c9a66831cb81ce13422ccb069067ab6a6c4d3c89650677551c344918a5c24b0973ef5727f9593c59ba1026a82ca6e78033d6ba6a40488c5ec91708ec2479dc53d0ba7fe14bb238181f1c058e694898c914c2208dc01979119bfc0195e8ac0fcaca51d61fcfc5f72d92ba68a8d51394eea8d10b624dff051a9153b7d729f50f02d04547a6676add6ee0338b6d9ca9dee43260980291adaed18759bddd5311b7b46956cd113a076a3995b2e72cd1a5138dc31fcb5edfbc514bd2ee72fb53e0722367afc717b9ec401e4213a317583e6b3b19a75e1c63f1889f60dfb3059b0a64b85fb758651c713ac43345c8cd3c801da3f6ba8aceaba572f46100def2adcc135c4af0965f379a7a6c75d039a2cd40f2bb5919a3c8b74d58bc9d008b592f2ddb3acf4888e8b7873585f1f3d8581c743b324873fc23a345176635375b746575f79d361d186108eb5609dc78612b7bb530b6327bca6dfca45fb4f4f975afd1bf0f898dae164a19dee3f0feaaede1440cc7ff8fcb21145680e8a24e2eb5404697e25c2558ae9289f528a8faa572a354931a1cd4bc05bfb0116a0359a6b70aa79b145a88df482ed33354c260d1567e000b2d315e2808138638fd7bf7f4e88add370d24ceab5a999643741b13612ea85f67ecfc728e110aedeff58060a8aff0b7e1526f4aa60b9f9b558c2acf584a83b08d91901d6cff5ea2bcdd832303539703d30102ca067db40908dd8b555834a6060f3f6e7189612ed0d3b6c645db8b113909a38149072b3decb1f3a28be9223cfde40c2feea7e8c9d5bf37a2e55a60d8f89c391903e49bc644178531e6891653b1a4d73ee0870b18f8d53a089d5066dfadc3d92271232455637b20c298d640cb04b668d7080a510146b08031fcb84f41ca0cc85428f27ea9657de94073fec43d2c8c464723539276dbdcef593d716d02d172d30e76a9fc022d4952621d4c306278d3969592469d9a9ba62841dedd07e76a362b67ae5f925fae70f27c9cc870ba7b15d2d7d81b4e1d49f02fd963fa6f9ea5f4c901eade1114d92eabbde70cb0c6ba9136c68cbd25acb278e6cc73f9e625f1747e281d248739ecaaf403a21269758211121db85805ac522295ece97b8f90abb56e5a762bb7601b916befe8257e02a2b10c8384887de04b2d1c5afabe58336
7690c03d3ea6f7294f71b82ca80cd99951e5ccfe9ce7cbc5e04d1d60dcdd2ec88f9edb424bce5f04217be277700df4035443d18c14391bc9469f38f78f41f2d983bf761296161216e5719b37e3653de0d4a90a5171c2fdb9547a75be38910aa96c27ecc4e1fcf7a12d5254a8951a659df30db813ad7c75716ac050e61bd76ee5a4ec0bd7208a4c8cf4dfa0ac4438fc7f85e23db79d006e2acfb8d5a4229dbf0ee5ee26d064dc57a1dfb4374dc306158c1f8a9fe450a11e7ed21700ab2b817724a7139e2ac3df5f953ade220d996821ccef9e8f58a9c4996ed0bf6e70fc17237141d822f393cbc725b6813626cc63b88f5b893732969b47dc884c772e12c9099be0e519eccbc31d5b5886fbd737499a622058d6c13e200e7b201839c52634dd89e87a742cc99c5971e0b7cd976e8b1f5043a74fd6bd9d30eb8ab29c332057b2dac2f95739f34f1abe9e85b856f1d2df1d80915338cfc454b70ce41c2ce77da0f06f3b113d8ebc2ea441721a2f4d6e573eef2ce7e86c2c68a1060f6836526723e6726046c6efc68178798d967a88c17b4b4c59b96828d7497c7e40d6cb57e8f83c7164ad56c4e95cf551cbfe0314523fd7ca84bd0063ba241b591799b5422ba0cec9c2d5d5a3785bc510a4b12ece05c1081bd489edf428bba344eac60f1c9a59152fb8442c7b65987ac41b5ee2ff7ca6b8bbeded9e8b10ece0a3a792a508ac22497df9e66031edade139dffb19a3fc7d27b9bcd572d60b6a0f3482b8fb6ef495e2aaad99cdb89cf6171609096e4f2f03e21f01ad554c59d008ffce5f1ba874fc58638179ff01dd4fdfb01c4b60e08e315654fa5e211d0b75109439082a982ace4667ef510211b1c3ed116bbff57a3304161e1707f4f9c3b22365760b1de206a68c4eea017970e138a5e29fa3f5fb28f220d84596c0a7fa5e192e7aac83a1b83f65a5a61b2ce0586cf5c387ad24efacdec8f4c9e96334b94a9994fe3181a5e0ef82dd8e6a9ca79dcf9e5dec753a01f8d8c89e709a63a92638f0dbd4d083cd80ee7b4c82bb08bdb24d77ead9d20fa041b32386bb68d7e5255290ce65dd07d470b220e5298bf80a064c940378f06d35a3eec74dc60be0a9f46d29014210cb09374406a02e48342bc07db10811d314b0fd9be677909c91958ef5b3de9660d105058cb3a9bb859a355d502076938dc0f8feab32cc342f08e5392735263ab0e84eae11b39e993f0a6dfbbbc69dd01a7c23989f05acf42829f0fedc564e8ea633dbd4a1ae9318b8a7fe03efc535eb008cf30f8c9d38fa572e79a1b6c8bb02b87050dfd40f6d8a91a3b1bbc167247613000dd7fdcfa7e49000eb3604cbc7e790b1df640acb5a7dfb359d138b6fe3e12a8025b512f429d47ddd60c8c56c9084c509766d38ee652d49fa12aa3c2a
26be8faafe589bfbae0815203101127aa23abae6b01b4fb82a2f7fee10cac9092d92e68b48bf26629524f2d8882dcd18965c2b7b6ecbab0204bd90e68ba89f1af5ab3992604bebfd482babe08ac40f86dc638c9440796bacc8bda1895d75fa30fcb0434aab12526de4c026d320587ebc36843a662d5c646eefc6524d6350ab11206530a7e48b53c8ef851e1d17d1a78a5f0a58023b9081357b033e2ece1dfc4cd68f99ae754195ba9453cc90f60371ebfb5086f60619f6b951f0708c1304875c618eb30ff4acf7b16a5f88564cebd3afa0c509516889e4a58354aed00433173830cc90c16ebd6b366e7d2b43da4f37ee4a05860e2d3267b4b61facdfed2ffb1960adce69914d4f36d13a5b7d6920524b364c87c2697000335cc5fecbc68c24acb6a6235a61fff788daad1294df9d2fd0d012b446b35e3bd4592f4f6418d7e676cf46bfdf1ede5c9f9c3fabbf3ea0b435555d253412deb4c66922f54a59cedef5dfd961795b0a8840a78266810d45da1e76f4ff7c8642e106852173bb7fb44394bf4b285d95d711651031d8f062ea62f2503c0047d808a131a44c0d67bbf1ae1ff58f9018bd92c63bab4761f572ec67da2538bae95fee458b1f298d27be26fbeb9c80361e30e0738e7da2d5b0dd21817832bd2af3f92f2e6d9a8c75f0bdb4c5f31811c4ba4af5312aa615e0e72a987724b56d78c8d598a59eee50978dd4ef4aa0fe958ce88f6ff8d3672a5d07a50a4c61af4b8121e6b5efdf7e39842d91004d2a78cda448ad233708a91d6a9b0e29e5c6ae3494b3e73f81c04e9df3d7cb5e4f8484bddcc228e87c3efeb39ee367cc3e9bd25521b493b168d15f5e15379177fe625e9a6052f8e3312ba0b85380ce40ec62afe4abb8d21ff9e420865874f16525fa38e3ea1aab965f548db6ba2bc21001a836b2598792e4dc27ac82b136ce604f554078d44b80424f449968cd3e7f07e73c1769fd6bbf2580421d4fa4e6bc2929da999f4ff8fb9f6170210e1d2be140f6fba282ec31c9d57a6d69e73502d194b611b1adbbc4c028bcea1d4003368cd564a59bd93966f2996fe7c6ef5b7ca578dac3b59989080b47024732adf735ffd721fdd88638217d44ac912893f031366150855028af0b12719460cfcb72378447f43fde09ae5fa6060e41372e40b89e088b00decd495dc7f37f9e8a4421f504108fc2f56eef0bc2eefe041dc52cde085622407d0da699cdc018a7844e8f8589e62cdd3359b08a6b90c75eb5b77421df5316c6dcb2e0672369f3feb5fc368d112a1d4d00abbae91f28e5fbecf772c8bfa84c222963934b206f8f77886bfc27e03b876d3c33e59d29901d41c7f3209d9562eee953eeb239a9c83f3c649a86c55d84a799145eac8f05303dfa6530cb693bfd5d1facb26753f76c50a3
528003044e64359f22d8b31750782dd323b003c767ab6a8332994c51b57563cdc60c181400c46b5e7f928684e049a146ff614facfc17ad5f34e23f2a3bed5bb41cae4c65b9e6a6e62fa7dbf787543e5d8d2dcda4dad9773ba129e75b4dbf341cf6261c71441875a690ceb6b56b1f8a5c2504f17d521e1fb2b9e802db8a2e332c9ec91dfa044b0d948be844b6c67547efa07d74c9f9b1f44998888a62ce1b04a806923e3368fe4d9a1960191e022a1774589533b5c39090351ad793327dea2c54c6c03fe8afa5185e8579ef4f91a7b34d01b771bcb6cf1c9107bbb06045b4f689c034d4026a0540b44c24e9df543014a18", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 88, + "comment" : "invalid output size", + "ikm" : "f39c81ba274637ba1460a7ecd776db66fa91ac12e1429bef84a9963b76c2c07f", + "salt" : "408df96efb424324020d4836d100280b70f5d0e850e5460db77c543224ad5d2ba935060d1b5d63d80923fe922db1220a", + "info" : "516c2d910a221982", + "size" : 12241, + "okm" : "", + "result" : "invalid", + "flags" : [ + "SizeTooLarge" + ] + }, + { + "tcId" : 89, + "comment" : "output collision for different salts", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "ef369d7b63f5509da56c5f6e446e2f03b700ca40c13e059ea0f43b08f5c29f15", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 90, + "comment" : "output collision for different salts", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "ef369d7b63f5509da56c5f6e446e2f03b700ca40c13e059ea0f43b08f5c29f15", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 91, + "comment" : "a salt longer than the block size of the hash is equivalent to the hash of the salt", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : 
"0102c651e047fed9c217bcf915520532d44999534c1e7e7c87311093d7a3681aff3e2d335b3c6139b9fc66dcfe35573b36a329a550c4cd20bfe2a90dfea50167ff", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "b8365c28c10d6cd188f01efa320fa26713f7d87bf18f18529071607d1410b93c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 92, + "comment" : "a salt longer than the block size of the hash is equivalent to the hash of the salt", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "a0b5f9ccef84deab2a26b5d81f84e62b8800dbf270bad71f53d66881ccc543e33c20eb1b6526ffb53ab50399c5c96339", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "be14708389e4bf856681504fe3bd6a50eb33bf71a823337ada17316fc641344c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 93, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "cd920e8dbf19ed66", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "ab13dba7201b6df9182666cf7e658b2660de998ac8410745c2873aeb502fa371", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 94, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "cd920e8dbf19ed660000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "ab13dba7201b6df9182666cf7e658b2660de998ac8410745c2873aeb502fa371", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 95, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "cd920e8dbf19ed6600000000000000000000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : 
"ab13dba7201b6df9182666cf7e658b2660de998ac8410745c2873aeb502fa371", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 96, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "cd920e8dbf19ed66000000000000000000000000000000000000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "ab13dba7201b6df9182666cf7e658b2660de998ac8410745c2873aeb502fa371", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 97, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "cd920e8dbf19ed660000000000000000000000000000000000000000000000000000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "ab13dba7201b6df9182666cf7e658b2660de998ac8410745c2873aeb502fa371", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 98, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "cd920e8dbf19ed6600000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "ab13dba7201b6df9182666cf7e658b2660de998ac8410745c2873aeb502fa371", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 99, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "cd920e8dbf19ed66000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "ab13dba7201b6df9182666cf7e658b2660de998ac8410745c2873aeb502fa371", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "type" : 
"HkdfTest", + "keySize" : 384, + "tests" : [ + { + "tcId" : 100, + "comment" : "", + "ikm" : "baa311295125e326efd92676775b9aa20a0acd68fdd9b05795cf82e157c7dac61394fdc26cd7f8a9015e9587c5d0855d", + "salt" : "79f4669058de474f47efb74371ca5b6e3788a729abc31d47113ca0c2f972217ac9deb56b317f1e80fe42f5504c8690fa", + "info" : "ac9954349e500c55", + "size" : 48, + "okm" : "5f027dcc4e32bc2f1c23de92b8b5fad67312fdeca2c09daa97bf0c81015bfe02ff2c17de1851336833666db3b29ceb16", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 101, + "comment" : "", + "ikm" : "a91adac5ab8bdd60fb350eb81d7243cf97740787877d41b40eee1c4c9a96f077e8bda335cb0e3b106454e85629bc5e63", + "salt" : "07e28c9f6efd74908c06435c95f3ab25f4d9a9e023f287e7298f9cde0cba29717baa1158e86fb70d5bd76d2549291923", + "info" : "3eb47169931585a5", + "size" : 88, + "okm" : "fca326c96af6690eb9b61b4b2a23d78a05c90152667c87cf813c2c16f56047a63cc6103986d3c2bce48c5e4e031dde077fc153876bab3f57e12e871a506278f220d6180321ce84eb1ea45494d6b1c5bf44f60a397cf01d5a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 102, + "comment" : "", + "ikm" : "e80e0fdb818f228c505ea15887a42abfd7b6479b589a76c33b0f63c00e7d188a20ef8e98534aa85df6e482750f85ad7f", + "salt" : "d1dd17d92c45854e1c617830ec2bd6ea613d8debe261ac30f0fdf9358a2be2dbb25f7ffaa9eee85f06df367b370804c8", + "info" : "31580276db515d6b", + "size" : 192, + "okm" : "941c9c841ecfd3b0d2c0488e0b327d151081d6f4d6b927c319df7ba4e3c9dd92ebe1c5b420af2f3b50b6991cc57a4f5a6aded05d5be9d699b4c70555e3dae218eb520158fd63e7be11bff5c5601ed9c6e616147aeb9878d01314ff519c4fe23bf29abe768df09bc485c175d9320e93aebce8336bd83c400b69d07fc19ff692bf05d299b25679cd038bffa43405057d22f014b9db5e5d94f09d3f6cea5d479d7e70f31dce39e2acd93f47f789ff094c0ae4c68b231d818548a81cd1373120b0f5", + "result" : "valid", + "flags" : [] + } + ] + } + ] +} diff --git a/rust/tests/wycheproof/hkdf_sha512_test.json b/rust/tests/wycheproof/hkdf_sha512_test.json new file mode 100644 index 00000000..fb1d7335 --- /dev/null 
+++ b/rust/tests/wycheproof/hkdf_sha512_test.json 
@@ -0,0 +1,1209 @@ +{ + "algorithm" : "HKDF-SHA-512", + "generatorVersion" : "0.8rc17", + "numberOfTests" : 102, + "header" : [ + "Test vector of type HkdfTest are intended for the verification of HKDF." + ], + "notes" : { + "EmptySalt" : "An empty salt is a valid input for HKDF. It is equivalent to a salt with n zero bytes, where n is the size of the underlying hash function.", + "SizeTooLarge" : "The output size of HKDF is limited to 255*size of the hash digest" + }, + "schema" : "hkdf_test_schema.json", + "testGroups" : [ + { + "type" : "HkdfTest", + "keySize" : 128, + "tests" : [ + { + "tcId" : 1, + "comment" : "", + "ikm" : "60ab7f45b0ad534683b3a6c020d4f775", + "salt" : "", + "info" : "", + "size" : 20, + "okm" : "2109bd244744acae2b8caa9e70f57596ad680212", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 2, + "comment" : "", + "ikm" : "e3db76e02278cbd2adbcb4555803da11", + "salt" : "", + "info" : "", + "size" : 42, + "okm" : "b28e3c338c70ede899f2a2654f2cd7e0d958d16eab2fa2a76035a2696054b68fa963c617b8fc2a826917", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 3, + "comment" : "", + "ikm" : "d4dcb92a769f57c8bab8a420ee0aa351", + "salt" : "", + "info" : "", + "size" : 64, + "okm" : "a8420281c08c5f087c9d54d5660847805b0fff2d6257f02bf849badfa8a29bee84ebe704a6eadc0beba0c33805d5843e167b1966aeba6a15b0f1f7b3db8c407a", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 4, + "comment" : "", + "ikm" : "2d43e54bf0c94c9cbff4300f4aa69ab8", + "salt" : "", + "info" : "d674da3bb47d5c7e38b501e5251d9348af601c44", + "size" : 20, + "okm" : "ccd42097a730e47cd2908a834f9d81a3239f4b91", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 5, + "comment" : "", + "ikm" : "4055536896c406d5fe14a6cd6b999bff", + "salt" : "", + "info" : "2094768a8816f7df070d6e08b7ad93755dc9024b", + "size" : 42, + "okm" : "0191ca548ab4c1f91eeaeaa2e561f954983885dd363c80079f7bbd053da4274b236f4ef0e4954b34a386", + "result" 
: "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 6, + "comment" : "", + "ikm" : "5b01b2da3166f217cdd68de8af60078f", + "salt" : "", + "info" : "6884cfa7ffe8f27bf4ebc6e46a7e01488c79243a", + "size" : 64, + "okm" : "01e10d4c477c906d4f67105e4a8054bd2e9479d726166893fcf77b5df431ad007c0ae42847d3706a770a5e468783c9519804be63a404112dcd4ecea952952b73", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 7, + "comment" : "", + "ikm" : "467403c2ec02a235bf730ff37e8d8ff3", + "salt" : "41f0f173d307d40436c25856cf559f96", + "info" : "", + "size" : 20, + "okm" : "13abf6dd4468e2db7114437adc914cda3fab1c26", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 8, + "comment" : "", + "ikm" : "3352f942aa93071da6d39cc5ed8dc460", + "salt" : "57a0db708b25a51afc4271803aa35204", + "info" : "", + "size" : 42, + "okm" : "3cbd7242368ce2eecacd1839876cf2e8ee04d8c54848bf5515dfdd046fbe09483982d406345d1f71a4f9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 9, + "comment" : "", + "ikm" : "08867e76311126089356623ba5381e73", + "salt" : "0c164c443edcdfaedb1ab150f047951f", + "info" : "", + "size" : 64, + "okm" : "098d9f9e0e0c609b94e8aa57b0449cdb3929605f821cda305e4d93746553a40a1e4c97565183e116511c3dc5d9d56561c698849a114692c8128b5d3c1cd728f7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 10, + "comment" : "", + "ikm" : "c55c41d69d2424a520414e3662aa7303", + "salt" : "fea9bfc92b74337e43a201a2dc199e27", + "info" : "3fdf20538063b76901d61bbf9b72b0c18749e00e", + "size" : 20, + "okm" : "19c2ea76fcf7ea72279de10e44533436300e250d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 11, + "comment" : "", + "ikm" : "5d3db20e8238a90b62a600fa57fdb318", + "salt" : "1d6f3b38a1e607b5e6bcd4af1800a9d3", + "info" : "2bc5f39032b6fc87da69ba8711ce735b169646fd", + "size" : 42, + "okm" : "8c3cf7122dcb5eb7efaf02718f1faf70bca20dcb75070e9d0871a413a6c05fc195a75aa9ffc349d70aae", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 12, + "comment" : "", + "ikm" : 
"8677dc79233ef3480777c4c601ef4f0b", + "salt" : "ad88db718244e2cb60e35f874d7ad81f", + "info" : "a38f634d947819a9bfa792174b42baa20c9fce15", + "size" : 64, + "okm" : "918e9cda37bf7f52506111048a878e64a503f9869d0c2615047b995f1efedc4f713b4dbcc940838e68f6a2bf772ebefae9154e9075da80ea1fd68b9df580ad76", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 13, + "comment" : "", + "ikm" : "0f602703d37943e0253bed3da331aff4", + "salt" : "ebdc8510499f69b2e188daab77cd819cccb95f276f46e6b2be11cbe72700", + "info" : "", + "size" : 20, + "okm" : "60738c594db9638656cc8493db969736e743e152", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 14, + "comment" : "", + "ikm" : "9fe65737574c5c7aa67646adf8230ba8", + "salt" : "73a34648c152443586236abcb46a090ce55ef6c7f282ffce6342d694650a", + "info" : "", + "size" : 42, + "okm" : "d02f9f8a507d3cb0bc047b0d979b50f94dd9f3d805a5d7f5cd372ca14479cb698e17a95c737849aa7881", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 15, + "comment" : "", + "ikm" : "e8f2b1c3e6a6c3d5ee0a20dd47aafa78", + "salt" : "3f5e162de91e0782cd189f3b7778cdc2ce6bfe9d3fe841cd3c70475d7b3c", + "info" : "", + "size" : 64, + "okm" : "34718d60d8eba9f7ad6d111ef14160652381239551aca21bfc1f250f8d04c64cb6cd503c7f5fb3ff6b73ce234cf6bf91056228a8a51599a39c402e32d47618cb", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 16, + "comment" : "", + "ikm" : "a679521cdb56aafc5a4b76db0431a4dd", + "salt" : "123033b1ddaead83a4b9cfef8a660bd8e00fde01e67c35656c6d7607d456", + "info" : "44ec41ab4f4e64f4a36e5e30c9f0dc1d77ae4974", + "size" : 20, + "okm" : "cb914a0b318cd57eda5b9575dd511313b60cb7ef", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 17, + "comment" : "", + "ikm" : "49bf155ca102026f2a217ea1bc9843ac", + "salt" : "76776e3b4d75f8f43dce4bded71f3b1ae6bcb012d9c0d59f78248b9427b8", + "info" : "851bda4faa8f7add2a3cbf0acf9c2786f8f955b2", + "size" : 42, + "okm" : "4a540a643b1597bfbd4cb38953f31b677c02c40cdcbdb6c48984aa8ff3e5dc17caf09d0a6f67afe92cb0", + "result" : "valid", + 
"flags" : [] + }, + { + "tcId" : 18, + "comment" : "", + "ikm" : "6cf725e939e8824d4392233eeac75d30", + "salt" : "1e72f24b05a91a0093f34306ffced79e7003055b0833c6d0f27a4f33a1bd", + "info" : "495425d9727fee2e2b7e78899868c1c3e7735e1d", + "size" : 64, + "okm" : "379e6d4fc3c9b344754a1094eac60b71e47e281695515987abbc3b22c1e267d95b101592896e08c869557ea82ba075d9c9524d3cb79d7d8cabb33364f5252968", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 19, + "comment" : "", + "ikm" : "a319ff7b5ba9b14ac72b681cecf0f742", + "salt" : "d7e3bc6daed343ce77ef793e15a8246e4bfcbaf83d2ac956d0661d1df7262b2e7311623dfe4152caddbfda8fa8ed7a82656ec00b72c5adf7c9d388e5b3bc8d24", + "info" : "", + "size" : 42, + "okm" : "ca31c0e0f5ddaa7fded85be96d6311d8b935307b08127f690f15f5ce3ed5a44d1c226e354e8d7e5069ef", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 20, + "comment" : "", + "ikm" : "34bae5a158c1678aa76a744417a70d7a", + "salt" : "1532075f363e061133780ac959bf653c7687d181b9431215d6f62dd2f1ec3019d61c50fa82c70ae25e624c849a276b0c57d7c02a4d753fe84a1a6621e9a5ef01", + "info" : "87ec30aa53acfc3d09ccc1d57d654fdbce403cd4", + "size" : 42, + "okm" : "65f5385dab06d375033a6a25926ef4bf5dc660737ab8ccef370af10cc9dcd7743cf273fd048f64b7301e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 21, + "comment" : "maximal output size", + "ikm" : "dfc7c0159b921546a4ccb3067cafdd6c", + "salt" : "8dec7fa5cb2bf9d277121bd42e04d963f3a6aa6ed54606babc4a40c210296848c08d79c03d018a3f71112dae4d63a0ff86cbe1174457f28946f3af58327d45fc", + "info" : "7fa60cc2c830aba2", + "size" : 16320, + "okm" : "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", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 22, + "comment" : "invalid output size", + "ikm" : "dac05fc4504402cd627f18b35af956b0", + "salt" : "1460e1e2a09bd06410ec04ecacb752b707d5b26a003431a7d67e51c5df028b098853d77c0faa23edc5b27d304fcfc85883cb8fa4cbc5ff32e79139102b8ebcd4", + "info" : "8785200cebfad691", + "size" : 16321, + "okm" : "", + "result" : "invalid", + 
"flags" : [ + "SizeTooLarge" + ] + }, + { + "tcId" : 23, + "comment" : "output collision for different salts", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "e91cabd2038706c02f8ba3102a545f40f340bf65de30d3c37c2408f14df06e1a", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 24, + "comment" : "output collision for different salts", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "e91cabd2038706c02f8ba3102a545f40f340bf65de30d3c37c2408f14df06e1a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 25, + "comment" : "a salt longer than the block size of the hash is equivalent to the hash of the salt", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "329f445e7de8a156cf26a0208dbb028d9de6ef76b8de67ca634f4a5a732138a1bd436a7b345d7a0314c7ed0a00b0d34ecad2cb8bd141e2ecc1c77e237094d55154", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "23117b38f94d22c8180ed72976a1f784fe591caebb6a07c1f0cbf8e29c6938ee", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 26, + "comment" : "a salt longer than the block size of the hash is equivalent to the hash of the salt", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "e6fed0037da957a6a67318c3d8df737bb52b62b8ae4f48b96ff9eb7a108865eca7cd91b371318c8c7bfba2eb4e8d50ff8c9e8e156f998c46cdd7765375725a5f", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "cbb19fbb59b4647d05c57fc07778fe4a73ff7a0de9408c3cd07292bbbef08fe0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 27, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : 
"e69dcaad55fb0536", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "e81c7970f06808e8cab6bc6f3a7ea308b19702197cb41a04eef602df9e26d05c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 28, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "e69dcaad55fb05360000000000000000", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "e81c7970f06808e8cab6bc6f3a7ea308b19702197cb41a04eef602df9e26d05c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 29, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "e69dcaad55fb053600000000000000000000000000000000", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "e81c7970f06808e8cab6bc6f3a7ea308b19702197cb41a04eef602df9e26d05c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 30, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "e69dcaad55fb0536000000000000000000000000000000000000000000000000", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "e81c7970f06808e8cab6bc6f3a7ea308b19702197cb41a04eef602df9e26d05c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 31, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "e69dcaad55fb05360000000000000000000000000000000000000000000000000000000000000000", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "e81c7970f06808e8cab6bc6f3a7ea308b19702197cb41a04eef602df9e26d05c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 32, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : 
"e69dcaad55fb053600000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "e81c7970f06808e8cab6bc6f3a7ea308b19702197cb41a04eef602df9e26d05c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 33, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "5943c65bc33bf05a205b04be8ae0ab2e", + "salt" : "e69dcaad55fb0536000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "be082f301a03f87787a80fbea88941214d50c42b", + "size" : 32, + "okm" : "e81c7970f06808e8cab6bc6f3a7ea308b19702197cb41a04eef602df9e26d05c", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "type" : "HkdfTest", + "keySize" : 160, + "tests" : [ + { + "tcId" : 34, + "comment" : "", + "ikm" : "e2865d6bbc1abf6a815067edc4ee7aa33c290d5a", + "salt" : "", + "info" : "", + "size" : 20, + "okm" : "3e80cfd3ff6e21e810b7c3ce1d1b002fc6d0ab75", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 35, + "comment" : "", + "ikm" : "8c177ab5f40e9c57203883562f01f174070ccd97", + "salt" : "", + "info" : "", + "size" : 42, + "okm" : "247885b9b90ef2a8cd1e97710eb9bdead1aab09cd552c840df8ae4fe08ac153f0152b20c1e90e5d4e55f", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 36, + "comment" : "", + "ikm" : "e842a4fc1a147cf2f87de9bd5a42fce6457496f7", + "salt" : "", + "info" : "", + "size" : 64, + "okm" : "60552eee83f4bd894098f901f9a13462796f75603d3bec289a4c55a16dde21cb2ad41708b3a3d76dbe5c54cea3888caac951d728834d3651a37cde0b0664121e", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 37, + "comment" : "", + "ikm" : "5b870ee1bb97ee83f67fa7335b4a0f9dadc80d12", + "salt" : "", + "info" : "0a0dfb2a6e051441678788bdec04cc1b63ebe1f4", + "size" : 20, + "okm" : "453fedfd43595245f3c67c61b9dfc253a356a2b7", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 
38, + "comment" : "", + "ikm" : "58ea7ab33acff514ec08f41e59c17a3c66c1ceef", + "salt" : "", + "info" : "1cf9e25bd70c5546ea7a79eaf5d90cacf754c4f0", + "size" : 42, + "okm" : "34226a7c2443a012bd994f8ac6ced5eb70ce08970617b4aca853f6a13b89986725f2b1a3472f5a3122df", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 39, + "comment" : "", + "ikm" : "e8d20934b9d320458f4854e2442e2f0fa092f461", + "salt" : "", + "info" : "4425999958aa3cc629300c25ab15be8cea7a4277", + "size" : 64, + "okm" : "636c9341fc005909bbbfe18d9b4db595b5007178c13d295375d0738204306b522f0e33f37c67465b56d4a09450375a50e8e02199f3c44b7a89618aa940040d1d", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 40, + "comment" : "", + "ikm" : "dc9e488c684dbf0ac8ff1eefaa0666d413d258f0", + "salt" : "9afa7df500d7a17af1f44422d25a62bf", + "info" : "", + "size" : 20, + "okm" : "8f426916a9593815065cdbaada2c23921025e780", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 41, + "comment" : "", + "ikm" : "34b85c341a04cbade472b3f7dee4de4d1954bf70", + "salt" : "b066b42acea664350a8448f8e064225f", + "info" : "", + "size" : 42, + "okm" : "81703cfa5d5f3af1d2105e047f0cba013c1ad5eb27e8d408566a10e00a7e90da4a30a559b33f353d6932", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 42, + "comment" : "", + "ikm" : "44cc641e09f7d5642f7b6007ca5a1c0813319666", + "salt" : "69c0dde6c8e5bd40553a5981fad6ad87", + "info" : "", + "size" : 64, + "okm" : "582d7b17c4c783d2f37f0abdff8adc1e324370e069f274b1c7d6a46655843e446504cbbf3155716b6e824d4038e0bdb344df20f19a4a2dacddfe9aad36a81dac", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 43, + "comment" : "", + "ikm" : "88a8880cc2b73e73b3b6ca1d4902caf2128732c3", + "salt" : "0579f690ed32e57a26701a9f6877f243", + "info" : "6dc723df3d26f704067afb2fb6d95a66516d089c", + "size" : 20, + "okm" : "02d1a60044f4b017bed7e49a6984cd2108455f5c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 44, + "comment" : "", + "ikm" : 
"8408668b9d671121b8c7d31113f045c0d7c020fe", + "salt" : "679b30e6930a8ea3f076e317b9595d5e", + "info" : "b4451b0f1a217db703582881e86d8044d5f2e092", + "size" : 42, + "okm" : "ff71e665d74a7fcd57e7f6ec5600cea19673bd299766e525959717169d3e735a33bd998a317391f1ba91", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 45, + "comment" : "", + "ikm" : "e6715cc4ee13c4d999d8f8f500243c321f70b0be", + "salt" : "ecfaca2ea3301a992b4de081d9d3a4cc", + "info" : "ef17c9227a5ca654fbdb35dd00dd6dc77b6321de", + "size" : 64, + "okm" : "76882b3bd15ca84585e2a4e7622e9c3bc20da778aee4d33a6d6a095229f0843878157cb1b5970676725375536a5c724fff18056cb28cdce8878a3c687911c5bf", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 46, + "comment" : "", + "ikm" : "9a6b88f3f68f5a8e79903b51dcd733abaece1a41", + "salt" : "0226df3d66ee3abb275eb39c8ec3d3e12e9b87b67f85c552accc4279ec17", + "info" : "", + "size" : 20, + "okm" : "6f0c3e176ea037da5e32418174dceb98fc1c2b4d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 47, + "comment" : "", + "ikm" : "0b9eaec88b2940a4754e83272cbf47fb6f86aaa1", + "salt" : "c1616497d49246400ba68242b635c67515d2528ee1c3b71b318b631f9bef", + "info" : "", + "size" : 42, + "okm" : "4592acac51be6ff829028b39b57dc1705b161b9775e5fc4bb668bd4addbf11a6c8230115cd5890015dfc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 48, + "comment" : "", + "ikm" : "c4717276e7c7f794c4ee333b2f7a2ab244be9e8c", + "salt" : "af4c63e5b554063e83e37bf730ffa401c696088ccc4f133a8695ffcbf2a9", + "info" : "", + "size" : 64, + "okm" : "3aa97526d07f8cb7f936d6ec9d6503a21ef162b9fedf354a6afab2bf420a922100838efc9deba0bbf31a0ae06deea9118fe47f4bc484c1bc75f649f3a37c3225", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 49, + "comment" : "", + "ikm" : "5e43a900ee0d432c5fe6fc81db8d5f81a54e39df", + "salt" : "8cc815009350b0b6a924ed93e73c8f8c57a1105726663b72741b67209c1f", + "info" : "32460280e60910b10abee2e9f80a3dab48acbc59", + "size" : 20, + "okm" : "a715f5178595b4d7a7592e5fa740b9473ce00777", + 
"result" : "valid", + "flags" : [] + }, + { + "tcId" : 50, + "comment" : "", + "ikm" : "070c170fca600aa2b23618150ab9044bff7d4dcf", + "salt" : "f32a1cddb32693860eeb39a5d190f5667a303d5403712cdcebb575c6563b", + "info" : "c1b0971fefa0a23cf4b7185879475ebd8d83b9bc", + "size" : 42, + "okm" : "de39d37c8f7d27af175221836c34e72fe2c2fd8fae0569f47d24a6de918d5992ff95302b421e477e1240", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 51, + "comment" : "", + "ikm" : "87a23208df5e66488d23f7aaa066e87bdced8e2b", + "salt" : "0488ffa08062f1fe83e9c3934f5688a2e17827f898aa5daa2d595f09b245", + "info" : "e4d66fa23a6020820013d94d1f8e84a58cba2a82", + "size" : 64, + "okm" : "f275c7be87f3a20c5f095c9c11df0105f825bc3c321dbdf4c64190bf3dd572bf6ec867be292de7351995be506d40075a39a6cfab4ececb19d9502898f8a88e8d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 52, + "comment" : "", + "ikm" : "214746af12a669b726364027e9a1cfa40c18f8e0", + "salt" : "f65ab21816c5eaa5c9ce77d58608ab67176d2255438096f4b45779d15c2afda12718ec557bfe161e7fab89ebad4fa634cf73f2d12c884c4583e64d2b59b9d8b9", + "info" : "", + "size" : 42, + "okm" : "bc141ae6584b51855f8f671bdf162fbbde5d8abf3aa42cf9d04908be780075a889472e5093e16a8af780", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 53, + "comment" : "", + "ikm" : "d509c509f91d78c33b9d661e6df1992b2b6ae429", + "salt" : "95ff4b20ade46bada320316dad7e2b4286e93dfa2a72c6366c5ddfe8ce2ff344729ea56416d5b53074c6d6c4eb4e4873980e5e4a4991d6b1497aef822e16e209", + "info" : "bea4f60eff1a0c6ab664ff3db2f774347920a482", + "size" : 42, + "okm" : "7d1b8de204154bda72a69644c6635be89fc1859619f101ef215960dd9c776206e9dcb8e5545dec95b2e8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 54, + "comment" : "maximal output size", + "ikm" : "a53c9ef28d9df1cf2d27cfc10ee41e6b7d3d8883", + "salt" : "c521bf7ffc3146dc02c9297fdcd45af84441390af658105cc99622d593b68d774e61006e6cc02dcfff483d3aff0f36ec184585f35ddfd46ad8b116205b909b81", + "info" : "721ca065b18af203", + "size" : 16320, + "okm" : 
"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", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 55, + "comment" : "invalid output size", + "ikm" : "dc46034cfb2df51863a09d3c36774403267ff968", + "salt" : "dedfa9e98cf384cc448927bea53574c05c1132f2a07b531b366b15e12dd7c9f69ad1eca26581562f53cb3b4db07b9196664bcfd2b9cd1616a9dfe471af24b55a", + "info" : "5c038dce10e6d437", + "size" : 16321, + "okm" : "", + "result" : "invalid", + "flags" : [ + "SizeTooLarge" + ] + }, + { + "tcId" : 56, + "comment" : "output collision for different salts", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "30850cf9dca6893d4f864047e6545a3331f221dd49d7e1d2e3042d5af1fbc2c1", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 57, + "comment" : "output collision for different salts", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "30850cf9dca6893d4f864047e6545a3331f221dd49d7e1d2e3042d5af1fbc2c1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 58, + "comment" : "a salt longer than the block size of the hash is equivalent to the hash of the salt", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "1a08959149f4b073bcd902c9bc4ed0324c21c95590773afc77037d610b9584806aeeeda8b5d588d0cd79e7c12211b8e394067516ce12946d61111a52042b539353", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "8b4fe5702f56eeb71bf7d90e87c95c3ad054e448d50dca0f65b78101f657dfe3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 59, + "comment" : "a salt longer than the block size of the hash is equivalent to the hash of the salt", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : 
"96b8543f45cdf8cdf0d8648cbe854e20e21c554c33e6a27be0e5d5caf1f70e26b14a9df8e1c45649bb96e510d095b249d11b526d094f6e900a17056271f12fc6", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "d5b8c21cf1fb6da39d7cb2394fb7a2c263d8d508d008b8e5fec3030340cc5664", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 60, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "af856d5eed5c77f4", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "9cb385bb5126c9220bb9870eac3c6b74962b0ab2b76c0f9be6627a7163facb1b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 61, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "af856d5eed5c77f40000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "9cb385bb5126c9220bb9870eac3c6b74962b0ab2b76c0f9be6627a7163facb1b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 62, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "af856d5eed5c77f400000000000000000000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "9cb385bb5126c9220bb9870eac3c6b74962b0ab2b76c0f9be6627a7163facb1b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 63, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "af856d5eed5c77f4000000000000000000000000000000000000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "9cb385bb5126c9220bb9870eac3c6b74962b0ab2b76c0f9be6627a7163facb1b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 64, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : 
"624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "af856d5eed5c77f40000000000000000000000000000000000000000000000000000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "9cb385bb5126c9220bb9870eac3c6b74962b0ab2b76c0f9be6627a7163facb1b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 65, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "af856d5eed5c77f400000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "9cb385bb5126c9220bb9870eac3c6b74962b0ab2b76c0f9be6627a7163facb1b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 66, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "624a5b59c2be55cbe29ea90c0020a7e8c60f2501", + "salt" : "af856d5eed5c77f4000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "5447e595250d02165aae3e61fa90313e25509a7b", + "size" : 32, + "okm" : "9cb385bb5126c9220bb9870eac3c6b74962b0ab2b76c0f9be6627a7163facb1b", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "type" : "HkdfTest", + "keySize" : 256, + "tests" : [ + { + "tcId" : 67, + "comment" : "", + "ikm" : "b18e35e63cc4fe4117bf2754ec3f9ebb5346dbb0bf6d4e5f2422418771816fc4", + "salt" : "", + "info" : "", + "size" : 20, + "okm" : "6cb29020bbbd80a8525643612b5165a77bf387f3", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 68, + "comment" : "", + "ikm" : "236c2ba20c72242820f63d3e9c20633162c1cb048a45dea13861e8a138b9640d", + "salt" : "", + "info" : "", + "size" : 42, + "okm" : "41500bfebed54b041187964d00b2eb09d3a83a0a1eb483726d08dbdf8cbf02ee78c949562935902437b1", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 69, + "comment" : "", + "ikm" : 
"f2cba42dd82acb5d2d569406815a3769b7becb13fa48537fa7d7d5e121081d39", + "salt" : "", + "info" : "", + "size" : 64, + "okm" : "6e79ba20f225b2ca5fad5d87d18b5d0922f489961feedaa032a3551dfefa7cc0b636f831105b0301bcb982cfbcfc22cb01f4d4d38bb5336448091218bee6f8a9", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 70, + "comment" : "", + "ikm" : "73d97f2ffde01b447a5b8573190a8eb4f87f7ac04482836143f780ad876bfffe", + "salt" : "", + "info" : "74d2301c5aca2441372cf6077bd8806dab3e8721", + "size" : 20, + "okm" : "604db18fa852e98c2ceba7c5fd876c9565f2d8ac", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 71, + "comment" : "", + "ikm" : "6948521434707e96fa943e44988d1ad409ec57e6594867e8193e9d727238916d", + "salt" : "", + "info" : "9eaddd1e7edb6b84c96fb5ac7e0d673a8f5084f2", + "size" : 42, + "okm" : "f0a591ba1b695a12cf0601ef28ad454aea0381f5136e9d44d45c9a990915eb537d485b02dc21f5602d25", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 72, + "comment" : "", + "ikm" : "b72b3854923b8a0048497a86bddef962552c8f6b2c72b2b2006a1820fea5c6a9", + "salt" : "", + "info" : "113b708f7522ec3b362999db18699bf7871e3b8f", + "size" : 64, + "okm" : "03d4ec407cad5d86bb14557274863c89b426eb6842abfca17809c67027710d683d66d60cda03b01f82c15240b18fd53ef3b1a312a6b1c24b3e68095d624c4e0e", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 73, + "comment" : "", + "ikm" : "44d774def90685c0e9a685fa50fd434c807d1a57896fa42f91778821fe232057", + "salt" : "0d7d3b47bf8484c8adab7f9c27c9584f", + "info" : "", + "size" : 20, + "okm" : "966d70d2a934e0531e7f014ec225173a473ed5f5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 74, + "comment" : "", + "ikm" : "098ecd86354496a701ffcac8d589a1217231da3b80ccce4ef85762d7f3a2c211", + "salt" : "5232e5e4e2dd6133d46ebe5a8a51a0bc", + "info" : "", + "size" : 42, + "okm" : "960403608cbb8f54559fc16feb4d0b3a2cc083b111795ebc4a47bb21b8d0742759a7f310446ac307baa7", + "result" : "valid", + "flags" : [] 
+ }, + { + "tcId" : 75, + "comment" : "", + "ikm" : "917ad396520e454a571ac39a9f6bc845a8920954fba1ac400cb2988cd8847ba0", + "salt" : "962d86949506450eaca929286ce5d9e7", + "info" : "", + "size" : 64, + "okm" : "f4470980d2ae8bbdb48d9c379c1c3c3444b1db1f606f1c9db15ffdf1d6f7778289b3d10b8b3fa44ae071bf8862a980464975351f4d7518ebb520fe3ce93188ad", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 76, + "comment" : "", + "ikm" : "1cbff2202268edf1985bc91466b80133644988c5e81368cf0995274204fb0aa3", + "salt" : "2bde6e33534731f52d39add940ff46f6", + "info" : "3e4f9c8d3d607c2ed43caa9e87e6ecbc307c6048", + "size" : 20, + "okm" : "c5abdaef7f2de0778c32ab5c697173eaa77a052a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 77, + "comment" : "", + "ikm" : "d00d6b4fe088077ffbc64127d6bdb9707a0f9061c0b873c334c3be0adaa7c2bd", + "salt" : "1647a044472179d454b8d2108e4a2aa8", + "info" : "4266351bad419173279c901aea148e8b1d99e50f", + "size" : 42, + "okm" : "c01c828143f4e2d4aa7670b7a530ba550aa70577d1eb7acf1504974d2b48c8b9de2a8f968057230e7a65", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 78, + "comment" : "", + "ikm" : "9a27c19b607adc8f152faeaeb1282002d3a2166894b7fe5d65829ecdcfaf73b9", + "salt" : "70d83929a6376a6eab859f0d6225f131", + "info" : "36356cdc28187c11cbb9046f9ce7502ab4d2ea46", + "size" : 64, + "okm" : "2a9b1cfbdc14bf2ec8663ee121290534c84c1b053e848a241f5a75828ed63c14dc364c90e5008f35c98e54e25923f6f145708f5dcd6cad78157ac9a0d2b18d55", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 79, + "comment" : "", + "ikm" : "f5d1c855d3448e212d76d3927ec797dc439cb182f427064288452988ab79c83f", + "salt" : "87ef5da5400db731d658972ea82b76848004e70d3b22cec76c8be06283c4", + "info" : "", + "size" : 20, + "okm" : "a76a114ca44ccd115e42b6957a678c5f8cf958f0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 80, + "comment" : "", + "ikm" : "3f19b7095a6b3d313b59c3ba2c3a78d8b24f30c9ed4f8be9eb92f8eeaabd2c3c", + "salt" : 
"8f1f6c8e4f68830319ae859b4b1fa71f1d69552b0c3e53cbbad26293651e", + "info" : "", + "size" : 42, + "okm" : "232dd33123eb4851feb01bed3e9fa1e42e966d6425ccb3e18f12dbf86d0f201f7b9d5707216de4c69e6e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 81, + "comment" : "", + "ikm" : "b1d396c69f14994dc8add0f6e0cde4455677ba9ee95ff84a142295f9177ee629", + "salt" : "7f693304bff77534b8246d832749387ecc0e8daeae11d77d022ca9e362d1", + "info" : "", + "size" : 64, + "okm" : "b675ad80f49e3cc43fdd385e8d79db1f0335c3cfe9ed03a0924121de4626254936c031330b94c3130587a8e98eec3a4fca781cc220f549c1e6a5fcddc378a0a8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 82, + "comment" : "", + "ikm" : "003d1901a10c062ec44e0f2a94c544b7f53b33f1ea4679fa6e023c2d0a907fcd", + "salt" : "ed86cb8c8ba1c989f9a60a4a82c38be98c70e6218576b292c93fcc18192e", + "info" : "d5d3ef5beb9840d15efe9c778aefe38f1bf7bae3", + "size" : 20, + "okm" : "8d8b785c0421f032abc0778f97c71f3b3e337627", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 83, + "comment" : "", + "ikm" : "02e0647a4b7ccfc0d3ee7ddfe24ce69c02f51cbaa836b96cbc5a9c2885c45599", + "salt" : "f0862f61f2377ca34b76476ae21e331b114c7712aef501a1bf00f7e9cb79", + "info" : "4e9e27d971e76fda614fde15031f6664b97d4786", + "size" : 42, + "okm" : "b9a02032cb32071c7c5a7b61a87fc6c28a9b6b2547fb951fe14b84271bf893c3fe40173066da4777e87c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 84, + "comment" : "", + "ikm" : "92bfb7e31e839f109e6622b2c2c4f41ce84c9907172681920e7d90e80e2339bf", + "salt" : "ce869619607f71fde53ef55e18d01d20002e3f91a8b7584190fc6667b8d2", + "info" : "ff36776fc755722ff371f21cfb37a168a2731e99", + "size" : 64, + "okm" : "1a3dbaed5d00209df5fcf4218b45a805341eb0aee4ac74c135fd832ac430e058835e46e54f07682e35999fe4c6c760421e25765753bc34a254a562ac49e3f4f1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 85, + "comment" : "", + "ikm" : "17632581c34ab743992cd99318889b32f92812bd37f41636b5fbbf2b12190c6f", + "salt" : 
"55e39431c83648867ac98eb7ecbbc8b41c5a5e774646b926a9b49c511915b0de1241f8666da198f6ba4bf7e9025e434b6d7ef794e7a563309303055fe3bbe769", + "info" : "", + "size" : 42, + "okm" : "ddaa59f32235b0b32e5dac17b2b4420cc2a8c3e8ae48d1aaeea8853c2d0a371ed831a94606c6bcf6b08a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 86, + "comment" : "", + "ikm" : "045b4d451bc30c39afe0932f6cd62e65b4b2ae2cf1160f19e8ba1323f7ca146c", + "salt" : "b73682dda0fad41095070b2b26f2d7d98ac62202d918258ca9aca0f794ef5e4d23b3fc43c8cabf9fcb37ad9a62337fbce967fe24054c3bf891195858e53997f4", + "info" : "613e353162c6c1b12fb1477fbc54074ff7848a14", + "size" : 42, + "okm" : "60cdac1a10892b6937b1d648e3339c572e885861444082a0ed013aaa76d763c27c93ed89487ee85e2bd3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 87, + "comment" : "maximal output size", + "ikm" : "78da0447b11a85e315938f70a45ebfd15cf5bca89b6832e8f490aa09e044c602", + "salt" : "a1f3edc92da6733ed0c662ac5b9564525810e64d87a2b317749f9eb4068f4df93b5e9bf1f5f2033b8e4cde8782738fb46c37aa1023399f29562033cb35b65ea2", + "info" : "d69a09972d98ea41", + "size" : 16320, + "okm" : "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", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 88, + "comment" : "invalid output size", + "ikm" : "38ec0b50e79a870ca225d1e78fdfb74b7fbde0891a16ed1b6e7ce8889d441fdd", + "salt" : "78865524949fc5a008997d85b1ce5d33054ea061d6ff5d7bf74c9d36b3502f0b6fc163101376b241024ee063e82d5826ff5395124a18504256544f922b7c1761", + "info" : "9a6c71fc1588b2d2", + "size" : 16321, + "okm" : "", + "result" : "invalid", + "flags" : [ + "SizeTooLarge" + ] + }, + { + "tcId" : 89, + "comment" : "output collision for different salts", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "084332b8a0ab8635227a3b9ee0737072f021c21fbf0b087940939f34f685c0a0", + "result" : "valid", + "flags" : [ + "EmptySalt" + ] + }, + { + "tcId" : 
90, + "comment" : "output collision for different salts", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "084332b8a0ab8635227a3b9ee0737072f021c21fbf0b087940939f34f685c0a0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 91, + "comment" : "a salt longer than the block size of the hash is equivalent to the hash of the salt", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "0102c651e047fed9c217bcf915520532d44999534c1e7e7c87311093d7a3681aff3e2d335b3c6139b9fc66dcfe35573b36a329a550c4cd20bfe2a90dfea50167ff", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "d41d1d366b10f6dd7e886e5030ccd01ed14ed918407c84f12f8b9a2ed3a5841c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 92, + "comment" : "a salt longer than the block size of the hash is equivalent to the hash of the salt", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "1a57a60677a3c97fea6d4d6eabe0201452130c58eef435bb9cbc21eb65f1cf2c879639d10b9a580b1eda822aa5f406b939cea2ff9be10c56f0856709abf33a08", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "dbbe9ebd37e2545d08d715013b50f31fd1f7089ebc2866191e49e774c537b17d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 93, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "cd920e8dbf19ed66", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "f05091c6083c24742adbe5fbdf10a941783517d568e96dcc8cb55db90756d8c2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 94, + "comment" : "a salt shorter than the block size is 
padded with zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "cd920e8dbf19ed660000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "f05091c6083c24742adbe5fbdf10a941783517d568e96dcc8cb55db90756d8c2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 95, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "cd920e8dbf19ed6600000000000000000000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "f05091c6083c24742adbe5fbdf10a941783517d568e96dcc8cb55db90756d8c2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 96, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "cd920e8dbf19ed66000000000000000000000000000000000000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "f05091c6083c24742adbe5fbdf10a941783517d568e96dcc8cb55db90756d8c2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 97, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "cd920e8dbf19ed660000000000000000000000000000000000000000000000000000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "f05091c6083c24742adbe5fbdf10a941783517d568e96dcc8cb55db90756d8c2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 98, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "cd920e8dbf19ed6600000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + 
"size" : 32, + "okm" : "f05091c6083c24742adbe5fbdf10a941783517d568e96dcc8cb55db90756d8c2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 99, + "comment" : "a salt shorter than the block size is padded with zeros.", + "ikm" : "2b54cba29681b6ff2feaa9202b87322d861aff8a8260e1bda68d61979e605b2d", + "salt" : "cd920e8dbf19ed66000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "info" : "1301b63168af5451377717f7f5ed52de36a197ff", + "size" : 32, + "okm" : "f05091c6083c24742adbe5fbdf10a941783517d568e96dcc8cb55db90756d8c2", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "type" : "HkdfTest", + "keySize" : 512, + "tests" : [ + { + "tcId" : 100, + "comment" : "", + "ikm" : "a75ce5b072311acdf290ceb4c6fd25eb6c52ecabc8ed1ffc698d7556d1132180e2888bbe6a798d891e0c8c5e0f79cabf3d27df56d472be152aae155b52d9a9f9", + "salt" : "8df18f4f797c4be88ca6b2935441a1100db080759c042a6d2c37d2e6fea9fd6fb066805c467b7557c78d078ae44dcb886e5e3d5f74a96bf6394aad36847ed8b7", + "info" : "69d2aa66efec2cca", + "size" : 64, + "okm" : "8b025c9925f105898fe8f75da1839b683beb73e349dd08b79a3d80a7b29e7d9c1eebb5cf4c902371b31376e44d49ea39725ac912d5055c8638ce0771a8edc999", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 101, + "comment" : "", + "ikm" : "5be4b9756eff71ebe87fdb5933e5d88d51bcaf384cc289c16ec642d67f2e9236c04106e01ebe7956bac010e4107b6b788ed8b3916a39b59c7c01161cbc2671a7", + "salt" : "336a871d315b7d2ae0a0d24febebf0702d9f039ca97146cc0aa2341728824e83553e6eb166e954dac33e4d6a2437309d0980e26d1c7665ddc79b2e9ba3354262", + "info" : "e496bea60a731eb7", + "size" : 120, + "okm" : "02487460b110121d3df3746d7860332b6d67d746f96ff8e7bcb2d62481b653dcf67903b25aabaf9031b370959105c9136536b52dab810cf041862e73d3352f77747814aee2d74cfa29840dbfbca242f38b95ea26d4a540edbdab3fbeced1c767d35a73b4c2ff180eee75b4ada9739b7bd8c75c3bb03589ab", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 102, + "comment" : "", + "ikm" : 
"45102dd5f609c2f9352b91d8b492d83b5ab34976372b4ac814bf82cf0dc4f3875cd31dfd5897022458fc7bb8e5d2930a620909b7385ba4e48c8395b50d7d07fb", + "salt" : "76d1494d3631034558ac7108a69b79f7e38a45aa50783af41bf8c19531fdb30782e7689a50a4eb1391415ab2e6085b1e246ce0e6c35a5e02910c072a241cd8a0", + "info" : "cf6db9210ef18e3d", + "size" : 256, + "okm" : "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", + "result" : "valid", + "flags" : [] + } + ] + } + ] +} diff --git a/rust/tests/wycheproof/hmac_sha1_test.json b/rust/tests/wycheproof/hmac_sha1_test.json new file mode 100644 index 00000000..3a83d592 --- /dev/null +++ b/rust/tests/wycheproof/hmac_sha1_test.json 
@@ -0,0 +1,1586 @@ +{ + "algorithm" : "HMACSHA1", + "generatorVersion" : "0.8rc21", + "numberOfTests" : 170, + "header" : [ + "Test vectors of type MacTest are intended for testing the", + "generation and verification of MACs." + ], + "notes" : { + }, + "schema" : "mac_test_schema.json", + "testGroups" : [ + { + "keySize" : 160, + "tagSize" : 160, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 1, + "comment" : "empty message", + "key" : "06c0dcdc16ff81dce92807fa2c82b44d28ac178a", + "msg" : "", + "tag" : "7d91d1b4748077b28911b4509762b6df24365810", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 2, + "comment" : "short message", + "key" : "4cd64efdb76df5a85dce3d347012cad06b0c3db4", + "msg" : "6c", + "tag" : "6d3d37af55c75d872d2da07b9b907ba22ad487d4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 3, + "comment" : "short message", + "key" : "52e1995025297fe7b793dc8e1e4f7d312fee2700", + "msg" : "29df", + "tag" : "82cb24bfa38fbdc91d1eea2d2dc1ce6e60ff881e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 4, + "comment" : "short message", + "key" : "f3edfa003d89c4e2a6422e77a01b8adbd7ac26e4", + "msg" : "b015b7", + "tag" : "cb244ca6ad233947378436076fbfd20c9c8b842b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 5, + "comment" : "short message", + "key" : "4b07ed4e0c8ddaa1f76cf0010728679c8857e18b", + "msg" : "3b2c1afe", + "tag" : "924125532e6b625e7c5a8dcd1614e04334c067cd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 6, + "comment" : "short message", + "key" : "7f532c8ec83cb21dc98af7734c64f5fd9167ec30", + "msg" : "a33c6f9826", + "tag" : "0d25bc40f60fbed36d8d7a1045ffa60d88484d56", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 7, + "comment" : "short message", + "key" : "99e60c1fc0cb3e6ed836619775e37bf15b2cb93f", + "msg" : "b129bb88ceaa", + "tag" : "6924d833a3e74b48f991e6c44173565fdf8c7470", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 8, + "comment" : "short message", + "key" : 
"53845f10344b7f39eddbd3e44231fa802d7e1aca", + "msg" : "c6f5b1cee31033", + "tag" : "fd4b28273d3ee8cc24de2d8dad23ad4f355240c7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 9, + "comment" : "short message", + "key" : "e3220700ce24a010cf623f60891e4f298ff26b11", + "msg" : "c97afb5063a9dd0d", + "tag" : "383b103ce9054cb74a0431d16da99d8233e94fc2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 10, + "comment" : "short message", + "key" : "466c061ddcf3d9b285a2900f8725971b733f850f", + "msg" : "89024ceda7de3c114e", + "tag" : "1b81f1127635233383b6ea5ba8fd68eb5112ef0a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 11, + "comment" : "short message", + "key" : "a81f9f51b041ff29b8d705bb408f854ccbd7e5ab", + "msg" : "032d866a270762cbae24", + "tag" : "b72ba0c89d010215a8f280616acbd8640fe86cec", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 12, + "comment" : "short message", + "key" : "e60d0b14886fe6fa2c839329204d84d81026b7ab", + "msg" : "fda7f48c11101255e02c8d", + "tag" : "2be7bb541cede978f541e2cac0ab6451060e3e83", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 13, + "comment" : "short message", + "key" : "c090ef122a29348740ccd571d98407764b2adaac", + "msg" : "d1fe3dfa80ade7087efabb52", + "tag" : "e6c1e0c3ebb7750d66a50b6abccfdef9c2599008", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 14, + "comment" : "short message", + "key" : "564a56290e1aea0522f19088a88ab4dce4c7cdf2", + "msg" : "4213bd3cdaebbb1ec1cc81866a", + "tag" : "6d1d5808c085ad512487debb57fb93514b205075", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 15, + "comment" : "short message", + "key" : "f898459d272fd5e43b062156f44958d85d97ea3f", + "msg" : "5e86b05522eb65a4fb7b932cecd5", + "tag" : "b778f421c2d1e2701e75da6bd1bc65379b80e879", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 16, + "comment" : "short message", + "key" : "7d5cc53f464e759438ee90b47f2fe67aa83d6b52", + "msg" : "9f38ea80122b40f742a00c2e83e085", + "tag" : 
"c80ce6d33fe868432c262766fd23bf431e313882", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 17, + "comment" : "", + "key" : "33e9140175519b2f1619b44848331763c756fad4", + "msg" : "7de0fccc83b51c29e5eb1b658c102438", + "tag" : "34de6b8f479523870b8f905684672617669b0607", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 18, + "comment" : "", + "key" : "0ef29e7c961da37afaea8182f28738d22c340232", + "msg" : "165bb8e5c6f0a3ae40946dc807aee84645", + "tag" : "78e6fa53ec213e9019d47ee7529d963a8a252942", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 19, + "comment" : "", + "key" : "203cfad921e605c80d7aa8b64d3bf18328b7a7a0", + "msg" : "d289c7cd10d996d5daca1410c37815b237f74929588c5ae4", + "tag" : "27d96da41895bf53d150ac15e7c31853f56ae363", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 20, + "comment" : "", + "key" : "8eb7416efd0c73c86b91df0d58891fdb738f40df", + "msg" : "b415cb7cd384a1035d2bac1f7b96ae858dfd44c467030f304e817d11b9f9c606", + "tag" : "24cb16323b7ec47e3add8f55cb9920aa7c1655de", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 21, + "comment" : "long message", + "key" : "6fbb3c55e935e0a002c170a9122f1f7037bc0c59", + "msg" : "36ac9a8cf0223ccf5d9048be9a65df4a1f40aaa857ce13d621f601bdee1fbe803171002d1fa634a1977dc23d9aa8fd", + "tag" : "e2fe8b343cef4b9754308408930526159537ecc8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 22, + "comment" : "long message", + "key" : "e40f6206105f7800a1f190602bb6dde8057c3a87", + "msg" : "10463b771fa586c5ed5c1f6488d793299db40fdd4f3e53334ae3ff8e09e5a879da06eb46d210ee0af0c8251e6c07aa1d", + "tag" : "b5dfce5998d2e321800e0e42762e62ec7a81448f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 23, + "comment" : "long message", + "key" : "f04cc641ff67aba4ac2d17e6a042b6ccf86ae1d2", + "msg" : "73c179acc26ffd0710b6cb3f73570702c9c059bf685614bb0ba7973ab875ff882d9aeecea4ef452c8893224472cfa5b61c", + "tag" : "b7d1e63fae54638082a9cb58c69fac9efcbee174", + "result" : "valid", + "flags" : [] + }, + { 
+ "tcId" : 24, + "comment" : "long message", + "key" : "f61c1a878550d27aa459b3016b31731b89630d36", + "msg" : "82b378d40ca04ad478a980d7b46e56c9967bc4e110a7add8bcbda411c12de384f41324e9df888d81702ff2b9e8752986ba081363eacc2e396f6b5fb01bf842358f0145d569d34fb3b4e24ee9dc9103284d743c52ea8661504b2db42f221b6d49b605fde34aa555e33ab0a140f61f3cda", + "tag" : "e688199489c9d3938f2e33d7cb3fc81bad4ffb8c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 25, + "comment" : "long message", + "key" : "8c29eb661fb633087f2452d057f98d553d2846f1", + "msg" : "021b968c4ce337595154d90e44229980f0e2b64776f562ea25b24881637b44375bde65e5f9418bf163e2aacd37bd10319729ac596615a35cb632e0ffc316936a68acf4c7ae3ad36026124cee6d204f10432f08157cc32c5f4bcadaee67bd42bbeb826a9e9c8af9f554f7419fb265338d22bae2190bb644b32fe9bb6a2287aa", + "tag" : "f940df33b09965a3118c847c2ae1591690d0405f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 26, + "comment" : "long message", + "key" : "6316298f3aadadc664eda2cedf17669bc80d44ae", + "msg" : "bab807df54c009610a5c3f1e81605f6bf7d76b299d7ebdefa70f5e2e0b979011d191ead39c3bbe5dd2658347eb172950a1e03a01552bb38add33bac832b7177a77b08eb11cc1afe3ae84daffe4c4e88bc441e54e4dcbae3e0d5639f635228d811f0a043b13d5c91899c26bce2da2ddabd21b2ee668a21b454928915d6585408d", + "tag" : "23b9a6d6a9c7cef6dce537722f4557b65dcdde99", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 27, + "comment" : "long message", + "key" : "f291696bf4f9655a00c9a2382bd1487342358714", + "msg" : "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", + "tag" : "3346bf23e52231a4aed773fd73e58d918580ede5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 28, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "07e8ad50fc1035823661d979e2968968cecd03d9", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 29, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : 
"000102030405060708090a0b0c0d0e0f", + "tag" : "e5641600cedd7e12063deaea0788785f56113520", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 30, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "04e8ad50fc1035823661d979e2968968cecd03d9", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 31, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e6641600cedd7e12063deaea0788785f56113520", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 32, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "86e8ad50fc1035823661d979e2968968cecd03d9", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 33, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "64641600cedd7e12063deaea0788785f56113520", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 34, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e9ad50fc1035823661d979e2968968cecd03d9", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 35, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4651600cedd7e12063deaea0788785f56113520", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 36, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8add0fc1035823661d979e2968968cecd03d9", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 37, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : 
"e4641680cedd7e12063deaea0788785f56113520", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 38, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8ad50fd1035823661d979e2968968cecd03d9", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 39, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641600cfdd7e12063deaea0788785f56113520", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 40, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8ad50fe1035823661d979e2968968cecd03d9", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 41, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641600ccdd7e12063deaea0788785f56113520", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 42, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8ad50fc1035023661d979e2968968cecd03d9", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 43, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641600cedd7e92063deaea0788785f56113520", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 44, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8ad50fc1035823761d979e2968968cecd03d9", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 45, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641600cedd7e12073deaea0788785f56113520", + "result" : "invalid", + "flags" : 
[] + }, + { + "tcId" : 46, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8ad50fc103582b661d979e2968968cecd03d9", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 47, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641600cedd7e12863deaea0788785f56113520", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 48, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8ad50fc1035823641d979e2968968cecd03d9", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 49, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641600cedd7e12061deaea0788785f56113520", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 50, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8ad50fc1035823661d879e2968968cecd03d9", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 51, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641600cedd7e12063debea0788785f56113520", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 52, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8ad50fc1035823661d979e3968968cecd03d9", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 53, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641600cedd7e12063deaea0688785f56113520", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 54, + "comment" : "Flipped bit 97 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8ad50fc1035823661d979e0968968cecd03d9", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 55, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641600cedd7e12063deaea0588785f56113520", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 56, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8ad50fc1035823661d97962968968cecd03d9", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 57, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641600cedd7e12063deaea8788785f56113520", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 58, + "comment" : "Flipped bit 152 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8ad50fc1035823661d979e2968968cecd03d8", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 59, + "comment" : "Flipped bit 152 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641600cedd7e12063deaea0788785f56113521", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 60, + "comment" : "Flipped bit 153 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8ad50fc1035823661d979e2968968cecd03db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 61, + "comment" : "Flipped bit 153 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641600cedd7e12063deaea0788785f56113522", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 62, + "comment" : "Flipped bit 158 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : 
"06e8ad50fc1035823661d979e2968968cecd0399", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 63, + "comment" : "Flipped bit 158 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641600cedd7e12063deaea0788785f56113560", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 64, + "comment" : "Flipped bit 159 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8ad50fc1035823661d979e2968968cecd0359", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 65, + "comment" : "Flipped bit 159 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641600cedd7e12063deaea0788785f561135a0", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 66, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "07e8ad50fc1035823761d979e2968968cecd03d9", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 67, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e5641600cedd7e12073deaea0788785f56113520", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 68, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8add0fc1035023661d979e2968968cecd03d9", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 69, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641680cedd7e92063deaea0788785f56113520", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 70, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : 
"06e8ad50fc1035023661d979e29689e8cecd03d9", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 71, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641600cedd7e92063deaea078878df56113520", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 72, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "f91752af03efca7dc99e26861d6976973132fc26", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 73, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "1b9be9ff312281edf9c21515f87787a0a9eecadf", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 74, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "0000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 75, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 76, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "ffffffffffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 77, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "ffffffffffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 78, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "86682dd07c90b502b6e159f9621609e84e4d8359", + "result" : 
"invalid", + "flags" : [] + }, + { + "tcId" : 79, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "64e496804e5dfe9286bd6a6a8708f8dfd691b5a0", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 80, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "07e9ac51fd1134833760d878e3978869cfcc02d8", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 81, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e5651701cfdc7f13073cebeb0689795e57103421", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "keySize" : 160, + "tagSize" : 80, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 82, + "comment" : "empty message", + "key" : "5ece0769742feabb6644469c9b264326b3deb126", + "msg" : "", + "tag" : "344f8351f1d2773cae9e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 83, + "comment" : "short message", + "key" : "4ee9f9a93b2ddfe551281b397ccef844fc21af3a", + "msg" : "2d", + "tag" : "3aab1a2c9a2f2b8ac840", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 84, + "comment" : "short message", + "key" : "dfeebe9a5c181afc605ff63b22bf349ebdb6c7fb", + "msg" : "a5f3", + "tag" : "c3b7152230dacae4ef48", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 85, + "comment" : "short message", + "key" : "c5147ecd59b7d42315d5e3a55ec8b3a320c8d615", + "msg" : "371777", + "tag" : "0abb78a2c67c565f89b1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 86, + "comment" : "short message", + "key" : "db0da5659ba69ce195a69524508e437c688f7147", + "msg" : "4ef4ec44", + "tag" : "4062faeb0b406698b740", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 87, + "comment" : "short message", + "key" : "495d6c1191852ecaf0573e6a77610c32acf5a117", + "msg" : "1566ae63ce", + "tag" : "45cbefcd9c7eeee37ae5", + 
"result" : "valid", + "flags" : [] + }, + { + "tcId" : 88, + "comment" : "short message", + "key" : "e5cfe7dc67514c4c75d28bb805d0700bdea0d669", + "msg" : "af1a6b15b622", + "tag" : "e867269d506a37e8a62d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 89, + "comment" : "short message", + "key" : "cf1b8b902512186e38c38165d6e587bceecae87f", + "msg" : "a59512152c7221", + "tag" : "1a125b21412cdc596894", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 90, + "comment" : "short message", + "key" : "d0157fb40c7739ae506aad7de60f32ccc3325583", + "msg" : "1292df8d53d16f3c", + "tag" : "9224f11bff0e49b9aa95", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 91, + "comment" : "short message", + "key" : "fd55b81edd55a15bff409129e9930f1ba1763c33", + "msg" : "05220a6997533c699b", + "tag" : "3b2d07dc8ca206ba16c4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 92, + "comment" : "short message", + "key" : "079937cf3bd42864d5b15c62bdd92f275597316d", + "msg" : "5ac13ce1b1f77724e281", + "tag" : "0c24afcdadd8538977b1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 93, + "comment" : "short message", + "key" : "545b13e1f39f0b7ca9252bc596277278166ad410", + "msg" : "08a7bc90732d54381b6e30", + "tag" : "9bf7f121365a82c2ac69", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 94, + "comment" : "short message", + "key" : "25385e9f89b66098ee8162aeca03bb45b313561f", + "msg" : "bff236aad71fb5daf7fc43b8", + "tag" : "44db86e7a1476226dd86", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 95, + "comment" : "short message", + "key" : "9b68139d93a88fe34cf9f83006c03b3164b60468", + "msg" : "ad672b9719c10863fd6fa8db88", + "tag" : "2d17a88d87aae7dbaced", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 96, + "comment" : "short message", + "key" : "c3b785915e137544dac542cb4bdb16d53036fb11", + "msg" : "f8c1edb469b93c073b6f6bf74cca", + "tag" : "16713d61fbb4149f500b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 97, + "comment" : 
"short message", + "key" : "da67475185b3615055f971819db27871b23c75d0", + "msg" : "a176533319bee5e43d8f0eafb77bb3", + "tag" : "fceece892852d4a26070", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 98, + "comment" : "", + "key" : "0cf146ca7a254db1e001a29ad03c5e6dcbe7140a", + "msg" : "a83df5d099854eb6ead7031c51460357", + "tag" : "9bcf7513206e27a4697d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 99, + "comment" : "", + "key" : "e038dff028227dc4b4d7453db3070108465dd5b2", + "msg" : "7ae4e30834db449e4244a9fc0322193e7a", + "tag" : "9aa8544a9afdd920c0f2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 100, + "comment" : "", + "key" : "b399fcfd1ad32140879aa0556ac34d8b5ac267f2", + "msg" : "0e3f0fc5cb1456fede99f86a056f640b8f5e5e1b612f25f6", + "tag" : "fa095c6faed0f086b215", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 101, + "comment" : "", + "key" : "2bf7d201ef44241a22ae4b81aab910d22c2db918", + "msg" : "aa0afaf3af36548227349adcfcb6bf998a7fa78d29b87a0f50609c42edcdb3dd", + "tag" : "708ec45d410b1fe075c8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 102, + "comment" : "long message", + "key" : "48ccc3907c3612a18294fddf2660e33d9cb787fc", + "msg" : "edbb680243a825068eefe5ba184e5eed4b7f85ca3b511a42d655be3e05d8ff124541b3d56a10a35cff8da8b6229ac1", + "tag" : "3cb7fce20df8385cf6bb", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 103, + "comment" : "long message", + "key" : "227d796b7867409db3de1ffa3cfe376704044f01", + "msg" : "b6393ab18376c025e2d8e00ca774a51aec19dc4a89cf6a9f8fc4aba81d73b3907efef1a0d018a53cb8b8ca1032e31583", + "tag" : "525387c81c2ab67aca74", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 104, + "comment" : "long message", + "key" : "5718e700c48a7971350d8a11b37754ae55a9aad2", + "msg" : "cc95286e9b3ca936191aff8731e6a17806a0958b0b1a39977c46395240641e97d5395a9c8a9d36281eba825a94e8b1ad79", + "tag" : "e54782110d40efb54343", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 105, + "comment" : 
"long message", + "key" : "f56aa792795eb03ae0990440714ab16cc4ad18c3", + "msg" : "7a024d995addd38d967bc3b41641738b69897d8c52b7aff961a700cb68fa7481da0a3690a151ce09c95b4da60f7cf28990017292893bbb2f81a4dda45fe8639877ac5abaebbe00c1fd179eaaf7dfb4d50929371b9ab8b7d3531a63ab188d7b99160060475c33e83351f65d5e329ee8bf", + "tag" : "1e2205d17ad4de3f1ec1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 106, + "comment" : "long message", + "key" : "00be0034d32699b1335d8d4e506235ee4f07bef6", + "msg" : "639e828d88bf0642be0a541b1c3fca07609eb98d23a8b2cd4e60e139515e4ff440dfda1bc19392feffed74164d6a9d8f5bafe53fd397cb5ee1dcdf9bfc86169f1bc38ba57f88d7e8c6728c35fc07128ab6c396bb3ef3c14d13a05f8c3453353e850dc1b291ac7061ab52f121663f18b024e5cc0068328c88f52c20cd21793a", + "tag" : "6e98973d3a775ac508e7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 107, + "comment" : "long message", + "key" : "c5baa750a8424450f1b4d453c58e29c462e52639", + "msg" : "137c7227a192bed26d08da886430f010094243b5c4686e6831e48db450045aa1d7e3aecf193eaaa1a73905f5f1190659a43ed4d10bfca5668ebeb343b21ff71d0737f81f67392b6459aa95f9441f699bf45fee24867a98a8a6c57f972abe3e400fd64ce3e5b48622a0e99e08d424250fa00ed0dfa1193f936c78af276a4b442b", + "tag" : "490dfd2d5e6ea130f6a1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 108, + "comment" : "long message", + "key" : "6bd486ce934c2f5fe38a19423d257bc5d808e367", + "msg" : "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", + "tag" : "a594d26d98b53b4063b2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 109, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "07e8ad50fc1035823661", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 110, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e5641600cedd7e12063d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 111, + 
"comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "04e8ad50fc1035823661", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 112, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e6641600cedd7e12063d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 113, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "86e8ad50fc1035823661", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 114, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "64641600cedd7e12063d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 115, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e9ad50fc1035823661", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 116, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4651600cedd7e12063d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 117, + "comment" : "Flipped bit 16 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8ac50fc1035823661", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 118, + "comment" : "Flipped bit 16 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641700cedd7e12063d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 119, + "comment" : "Flipped bit 17 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8af50fc1035823661", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 120, + "comment" : "Flipped bit 17 in 
tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641400cedd7e12063d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 121, + "comment" : "Flipped bit 23 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e82d50fc1035823661", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 122, + "comment" : "Flipped bit 23 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4649600cedd7e12063d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 123, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8add0fc1035823661", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 124, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641680cedd7e12063d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 125, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8ad50fd1035823661", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 126, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641600cfdd7e12063d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 127, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8ad50fe1035823661", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 128, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641600ccdd7e12063d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 129, + "comment" : "Flipped bit 
63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8ad50fc1035023661", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 130, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641600cedd7e92063d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 131, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8ad50fc1035823761", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 132, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641600cedd7e12073d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 133, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8ad50fc103582b661", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 134, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641600cedd7e12863d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 135, + "comment" : "Flipped bit 72 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8ad50fc1035823660", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 136, + "comment" : "Flipped bit 72 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641600cedd7e12063c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 137, + "comment" : "Flipped bit 73 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8ad50fc1035823663", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 138, + "comment" : "Flipped bit 73 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641600cedd7e12063f", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 139, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8ad50fc1035823641", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 140, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641600cedd7e12061d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 141, + "comment" : "Flipped bit 78 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8ad50fc1035823621", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 142, + "comment" : "Flipped bit 78 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641600cedd7e12067d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 143, + "comment" : "Flipped bit 79 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8ad50fc10358236e1", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 144, + "comment" : "Flipped bit 79 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641600cedd7e1206bd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 145, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "07e8ad50fc1035823761", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 146, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e5641600cedd7e12073d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 147, + "comment" : "Flipped bits 
31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "06e8add0fc1035023661", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 148, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e4641680cedd7e92063d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 149, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "f91752af03efca7dc99e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 150, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "1b9be9ff312281edf9c2", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 151, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "00000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 152, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "00000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 153, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "ffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 154, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "ffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 155, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "86682dd07c90b502b6e1", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 156, + "comment" : "msbs changed in 
tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "64e496804e5dfe9286bd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 157, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "", + "tag" : "07e9ac51fd1134833760", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 158, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f10111213", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e5651701cfdc7f13073c", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "keySize" : 80, + "tagSize" : 160, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 159, + "comment" : "short key", + "key" : "1d9535a0daea9dfe443a", + "msg" : "", + "tag" : "7436089fede3291c0c421c9ad13c357ec8660bae", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 160, + "comment" : "short key", + "key" : "f5c2c420c6f056467fca", + "msg" : "bc8a29f52e57581cb89a86e5d644a14d", + "tag" : "1eb76df7235c52371d86113f5423628b2eb7c3d5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 161, + "comment" : "short key", + "key" : "e59b0276e27a0abc75f1", + "msg" : "061ca1a1af51c5133728c414f9646b3f50223e9b2055707032e754dc1d31964b", + "tag" : "2081260f65316df2956aac723a9bd7d2225a8669", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "keySize" : 80, + "tagSize" : 80, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 162, + "comment" : "short key", + "key" : "b18aba1171cc2ffc7d58", + "msg" : "", + "tag" : "deeb3d6d81e33d1cad21", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 163, + "comment" : "short key", + "key" : "23082066e8c45da82fc6", + "msg" : "06c19c6ee4d2f015769f6d46eb46d6b4", + "tag" : "747cd928e8831917c855", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 164, + "comment" : "short key", + "key" : "a6fa1e04df38a78667eb", + "msg" : "51a4ea38e5566d6fd803aec5e073e087e9ae00d37d4a98d559074ebffc7658b7", + 
"tag" : "ec8c200c1ddad6d3aad0", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "keySize" : 520, + "tagSize" : 160, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 165, + "comment" : "long key", + "key" : "ab92e2cd40e00b40c4442dd7671c067c7792af28e60f2585e87f163bf3bdfca7f553cec71b0065025500c48e2070984ad9e24e733107ebfde27164a4828981ac20", + "msg" : "", + "tag" : "7a29b47ff6ae90c99573d8c922a23e83a62b66bc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 166, + "comment" : "long key", + "key" : "3b47a5d5b72babe116e61919600cb980c904c298ab91fae3db9c82b0f38a18888bc05a418d65d68f8850937559bb37325bce04d0e5d175a24fea309895f5705ad7", + "msg" : "d71862028fcaf13422bf32ac0c5f079b", + "tag" : "8019231e77aca645182670cadf887afd4b4115a7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 167, + "comment" : "long key", + "key" : "6e6c43df9bb6c6b8fe414a183e738508f0aca41d5beef6df1b260c39e1979b54683622a4d53354231bef6c35e129f85f822ba09198aa30c65ee60e4202de8cd102", + "msg" : "98f0a4b9a36e173d89730a3b370777c499b4cff2846f50bfb88fbbbc547cbae4", + "tag" : "d1653c90fc591e3a3c285a3be8b12ca9b2121e88", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "keySize" : 520, + "tagSize" : 80, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 168, + "comment" : "long key", + "key" : "4f00fd17ae82a6252ada98280bbd895d743fc4c20bc9e615d8a786c79e454c2b1341e24254fa0371fac86e7c0ef1a7df5c16f3b3569fda112cca8685faecbb8923", + "msg" : "", + "tag" : "6802ca52be056d66b9a0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 169, + "comment" : "long key", + "key" : "d22ec568909990c213679f7072eaf19763508ebde6962c75e7429c5f2454d4b5472811eea8e02fdc89ec386bc6f41d2ad8a91d116b2cbc52b80d357127d1555a66", + "msg" : "f71b43e0cc64b5409e6501ca55a8d450", + "tag" : "d492a296860cc5a89c5f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 170, + "comment" : "long key", + "key" : 
"bcf6ad6e5c7e2200299ea8602efb42b409292346f78a0e57a789ba17b17ed608e88497e2bb4ebbbb3ce7750d222b3bdf848d4dc8d49b5b60378fb93ce3f66ab4eb", + "msg" : "586f5ddbc372c0711b77e4b87d345d62b6de55a1ce6fa18de3346c86be5cec6e", + "tag" : "1de9aefcc53130245a6e", + "result" : "valid", + "flags" : [] + } + ] + } + ] +} diff --git a/rust/tests/wycheproof/hmac_sha224_test.json b/rust/tests/wycheproof/hmac_sha224_test.json new file mode 100644 index 00000000..cf7ef81b --- /dev/null +++ b/rust/tests/wycheproof/hmac_sha224_test.json 
@@ -0,0 +1,1604 @@ +{ + "algorithm" : "HMACSHA224", + "generatorVersion" : "0.8rc21", + "numberOfTests" : 172, + "header" : [ + "Test vectors of type MacTest are intended for testing the", + "generation and verification of MACs." + ], + "notes" : { + }, + "schema" : "mac_test_schema.json", + "testGroups" : [ + { + "keySize" : 224, + "tagSize" : 224, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 1, + "comment" : "empty message", + "key" : "7eef1e40253350eb9307cc6bd8ab8df434bc2faf7095e45b50ffdd64", + "msg" : "", + "tag" : "45b466021214d19245506900532f5272f44b5ad9b3d829f0f5c2108c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 2, + "comment" : "short message", + "key" : "8648ee936c6ebc5ae4bb48c1139a54e3ac5d897beec492dc4d740752", + "msg" : "2e", + "tag" : "5b72e3208679e63f929e6ee19a257d0555f21484c7caac7c9861be43", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 3, + "comment" : "short message", + "key" : "2297d78cc45faf9b885b36ac80205cc08e1b730f264f23f4edbbb406", + "msg" : "329f", + "tag" : "2e7a81c4e29a435d91e95f37fb0a62fbe9a69e061f416c1ad17a7fca", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 4, + "comment" : "short message", + "key" : "0361a904f7cbd107a617614ab69d11208ee6d423b3ae90e2bb6d7e54", + "msg" : "e6e765", + "tag" : "bbfa7ff960931e2f5ed8c925cd74272990e755f31422e5c858995b73", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 5, + "comment" : "short message", + "key" : "264a8d2128e8fd0972d9acc66dc275b1286beeb0aff7ce8e97c7b96c", + "msg" : "25838e50", + "tag" : "b25c33bba1a91024f42cfb93232ad685d54be2ca310b0ff9ba5107b8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 6, + "comment" : "short message", + "key" : "6dde8828f09b7aa981082aa116fca3b7341721c0440803f52cc9732e", + "msg" : "be81602da7", + "tag" : "e510fbf14bd7301f751cc0ae89f8725a7654ebbba6bb2f741626471d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 7, + "comment" : "short message", + "key" : 
"3ba156ffdc55d155bd085105aca64d13044db60c82cf2cd9d61d098f", + "msg" : "69c76c8937a0", + "tag" : "a9d38740245038d9c23cbb59ba6513f7034d8047a07a904a2a23d2fc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 8, + "comment" : "short message", + "key" : "9c2739bae2a863fb0236466ba3408f4eec8d43206d56bb7aa2f8f75e", + "msg" : "aaf4c9146db948", + "tag" : "2110393c6ba01f53be203533fbc5471fc8f04940fe912411564ba36e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 9, + "comment" : "short message", + "key" : "31d9cae2c3df064018209b121f9e883976ea757942ecda9d92fdadfd", + "msg" : "b844289529206f5a", + "tag" : "1f1ddb8680b0d99893c498a772a7bea63c2e08c0257a7f31e3db2b88", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 10, + "comment" : "short message", + "key" : "89a1b9e9004444c1d4e967570c21a05512d3f618ec168fc3e13ea5a2", + "msg" : "6b42eb6d84e90c70c2", + "tag" : "3b6f3b09e03424c8adc267fccefaf614db6d74977754fcad8a8d1a9b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 11, + "comment" : "short message", + "key" : "4398731752fd7af1db86ebccbee0ad65eb5faf00ace6c9aa35441faa", + "msg" : "1ae2e7d917c48026570d", + "tag" : "5f1948336953337c381d449c17ab5c327c86121a8b1e0db19f624e3f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 12, + "comment" : "short message", + "key" : "339460d6bb26ca60ebcef10c38587b9e575c398491782ccf9e8f6803", + "msg" : "ca03eb4f37536b2377738e", + "tag" : "51c5661c31fc7edd09de60c91957036824a19761bcc54f1e93c43c3c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 13, + "comment" : "short message", + "key" : "025f8380d10b8207b3623e4a90f79c3e753b1be6a35b88b68330a40c", + "msg" : "e57daef9ede4e915c3a9eece", + "tag" : "8afdb371714e9d6063ec9e43c8cd55e1c032b2fda57f91e9ec0f6601", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 14, + "comment" : "short message", + "key" : "0bdc5f51f8a1a35d75554be70efbcdf51e54f30fa4696f727431941f", + "msg" : "cc3dd1eb0690f7af09ad408f9c", + "tag" : 
"c0918951c3422b48502635b6e58c5dcee9fea51c9dce5c7c215c9b93", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 15, + "comment" : "short message", + "key" : "5ada97d90a74a7d4a68c5464fff25a9b7fa2e75d6acf0a59f143a2e9", + "msg" : "3fe4ede158af108e09f543e14ab7", + "tag" : "180a6b8814ae34228ae9ac76da8379376aae6f1aa0102e8f06b022dc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 16, + "comment" : "short message", + "key" : "007afe6b7c0701c30cb76b431afa3510c8b31d21cfe0bbaa5289cd08", + "msg" : "c2cf80005c591c1f737369fcc212f0", + "tag" : "fbfdb450a42f9a4154146f73c590a0ee9187af8505d60790a9615447", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 17, + "comment" : "", + "key" : "26491168a32ce8cbc4c0cd64107e4fcc432f07d59c992862e1e55b1e", + "msg" : "15e51091b4f424ba1fdecb5e2fba11f6", + "tag" : "3fa99ee160328fddc47a7c5043e9ef645b8b07462b71cad58a024517", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 18, + "comment" : "", + "key" : "6978b6c134dd6949832d65e4cb9c1e1dc36beae4a134907c80da0f44", + "msg" : "6641d834b3fbfdb5d178007801f7b4e7b1", + "tag" : "61387230446f31fde8552f22ec52a7fef82e16d0ad399de939d8229b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 19, + "comment" : "", + "key" : "9f9fb280adf12e739548b1d676cb794d685b9104e63b619b055cb60f", + "msg" : "91513dd6de40a1c23f8d1eb0ab8f5ea6f6835506ec750894", + "tag" : "e6b92f9c030270897c5d27162a5d40f6d373ff136105d1a90e0f9a60", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 20, + "comment" : "", + "key" : "3b1b16e6dd2e69559dbeb964e10fc94c068471b2374d3a2d24d2d466", + "msg" : "8ecd55b56c668dcb8e8b1efd699c0e4a464204d29af140f87d3f5075495378a3", + "tag" : "175856b8f56a8c6fbebc36541771545046bb416254f01ff11a218d2e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 21, + "comment" : "long message", + "key" : "fc296398845063e661bdf36ff3615926eaccbf06947cd31e6677f710", + "msg" : "62bd0ad75d64c554cb2cc109c6e4019fc601c61cabdf99f8de871edc17a301b4c1f55a15ed66f91eb4666dd08bc59c", + "tag" : 
"b7cf741cf96d6bf57d216c43611c20869ca0d008a4542f5c850605bc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 22, + "comment" : "long message", + "key" : "6c98d1feafff9861351966bc6ed19ed467f9dc767fa0df6b56955554", + "msg" : "e99d51a1d9a25c5842501a5383133578c8debe501581b1610f7575519bbd26f01ab7cbe069bfd5df3699a2fea5b461a3", + "tag" : "0fe64fdd912966a6542069a22bfd084b484c015cf434d86bca15cdb6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 23, + "comment" : "long message", + "key" : "42a164f94e33d574118e0f8c938bbc2874bab219ee7a179f21e13b02", + "msg" : "e895639631f8b5d48e3ce00eb310bf129976ffced96a6f30a09d6ac1c291f73e93690526d86cc4d1a8e21c11f5a8979308", + "tag" : "1ea982226e8d4cb7b07922158e535af2233b4c4d39d26b062d6d2aae", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 24, + "comment" : "long message", + "key" : "c1b5b91210667e72aa510346e1811358815a3330c5ed27a695c39451", + "msg" : "bf1086c3ea8b8840418c690c92152c73a6730bd1a0210c8b1d25c43a2193e739684f04a25a52cc305599f22ba6f70c8ed00d10b914a9522a25e06c471ebca2ff1bb4fa6799b85122020978dfa66ef12ed26ad38331b26eaf591afceac96d8c771eae50fb7f46242337dd0029f4813b53", + "tag" : "4f355edbe6a3c93fa7add384be899bb4fb55385a78812a26cb64e44f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 25, + "comment" : "long message", + "key" : "4f09d14d40e475b68288c080668ebb1bc8c6be3191f6664d91a23fcd", + "msg" : "ae8b6ecc219b368d22fb596e42652d0bffee0b20d69cfd089ce3dc9303ba2f054ccaf5f5147c7968a028b140f5e3c9274eae2afc61c3bb6298dc598df77dec1cd2dd84212693b082b8132ad0f0b19f66db69fa7f6bf352b4feac724ce048440d2a42b44d53bb62fe2ab25f7f54bedf9ce7ddafd8e09330dacc6d52ee9b65f5", + "tag" : "29ba268103019e158a35614c80780fda3f5ec3fc32c80aaa27b4025d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 26, + "comment" : "long message", + "key" : "613f414cd94130bb8a6243e12eccd90836808428b4a7177867934da0", + "msg" : 
"f696b9063b64816a45064f48ca05ffe4d5cc3d0b3beb0dd4057b6ada994969bf039bfbb72ce197101cc4e4b3959b3702f045afb7fb3113c997606dcaf2aaab31e02ac6ee597dfc0f9143d0effedc9ae7ea10e7ddb1db860a91afec62c48ed9c0a6c10b4da1de748caf7f7a5e01799ac57090daf4e3352fe859c5131c205d262d", + "tag" : "8129e2093070168a20899793a04447a7ef01ae723419256a8cb42f6d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 27, + "comment" : "long message", + "key" : "5b88275307aaf691a0cf0c51f50553dda972d14f8afff98e62c2d972", + "msg" : "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", + "tag" : "657dd04b970219edd63abf9d4aa108474aa316b6bb66bca76ed806c6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 28, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6f99e862e532e8936d78b5f02909b130ab09806b2af02f7cb9d39d12", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 29, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0c216faedf3053cd51fcaf417222c8f144abd5f2f7fa00ab4667d88a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 30, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6c99e862e532e8936d78b5f02909b130ab09806b2af02f7cb9d39d12", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 31, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0f216faedf3053cd51fcaf417222c8f144abd5f2f7fa00ab4667d88a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 32, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "ee99e862e532e8936d78b5f02909b130ab09806b2af02f7cb9d39d12", + "result" : "invalid", + "flags" 
: [] + }, + { + "tcId" : 33, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "8d216faedf3053cd51fcaf417222c8f144abd5f2f7fa00ab4667d88a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 34, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e98e862e532e8936d78b5f02909b130ab09806b2af02f7cb9d39d12", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 35, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d206faedf3053cd51fcaf417222c8f144abd5f2f7fa00ab4667d88a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 36, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e8e2e532e8936d78b5f02909b130ab09806b2af02f7cb9d39d12", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 37, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216f2edf3053cd51fcaf417222c8f144abd5f2f7fa00ab4667d88a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 38, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e432e8936d78b5f02909b130ab09806b2af02f7cb9d39d12", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 39, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faede3053cd51fcaf417222c8f144abd5f2f7fa00ab4667d88a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 40, + "comment" : "Flipped bit 33 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e732e8936d78b5f02909b130ab09806b2af02f7cb9d39d12", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 41, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faedd3053cd51fcaf417222c8f144abd5f2f7fa00ab4667d88a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 42, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e532e8136d78b5f02909b130ab09806b2af02f7cb9d39d12", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 43, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faedf30534d51fcaf417222c8f144abd5f2f7fa00ab4667d88a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 44, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e532e8936c78b5f02909b130ab09806b2af02f7cb9d39d12", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 45, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faedf3053cd50fcaf417222c8f144abd5f2f7fa00ab4667d88a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 46, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e532e893ed78b5f02909b130ab09806b2af02f7cb9d39d12", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 47, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + 
"tag" : "0d216faedf3053cdd1fcaf417222c8f144abd5f2f7fa00ab4667d88a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 48, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e532e8936d58b5f02909b130ab09806b2af02f7cb9d39d12", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 49, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faedf3053cd51dcaf417222c8f144abd5f2f7fa00ab4667d88a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 50, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e532e8936d78b4f02909b130ab09806b2af02f7cb9d39d12", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 51, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faedf3053cd51fcae417222c8f144abd5f2f7fa00ab4667d88a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 52, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e532e8936d78b5f02809b130ab09806b2af02f7cb9d39d12", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 53, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faedf3053cd51fcaf417322c8f144abd5f2f7fa00ab4667d88a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 54, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e532e8936d78b5f02b09b130ab09806b2af02f7cb9d39d12", + "result" : "invalid", + "flags" : [] + }, 
+ { + "tcId" : 55, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faedf3053cd51fcaf417022c8f144abd5f2f7fa00ab4667d88a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 56, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e532e8936d78b5f0a909b130ab09806b2af02f7cb9d39d12", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 57, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faedf3053cd51fcaf41f222c8f144abd5f2f7fa00ab4667d88a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 58, + "comment" : "Flipped bit 216 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e532e8936d78b5f02909b130ab09806b2af02f7cb9d39d13", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 59, + "comment" : "Flipped bit 216 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faedf3053cd51fcaf417222c8f144abd5f2f7fa00ab4667d88b", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 60, + "comment" : "Flipped bit 217 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e532e8936d78b5f02909b130ab09806b2af02f7cb9d39d10", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 61, + "comment" : "Flipped bit 217 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faedf3053cd51fcaf417222c8f144abd5f2f7fa00ab4667d888", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 62, + "comment" : "Flipped bit 222 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e532e8936d78b5f02909b130ab09806b2af02f7cb9d39d52", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 63, + "comment" : "Flipped bit 222 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faedf3053cd51fcaf417222c8f144abd5f2f7fa00ab4667d8ca", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 64, + "comment" : "Flipped bit 223 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e532e8936d78b5f02909b130ab09806b2af02f7cb9d39d92", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 65, + "comment" : "Flipped bit 223 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faedf3053cd51fcaf417222c8f144abd5f2f7fa00ab4667d80a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 66, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6f99e862e532e8936c78b5f02909b130ab09806b2af02f7cb9d39d12", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 67, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0c216faedf3053cd50fcaf417222c8f144abd5f2f7fa00ab4667d88a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 68, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e8e2e532e8136d78b5f02909b130ab09806b2af02f7cb9d39d12", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 69, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : 
"000102030405060708090a0b0c0d0e0f", + "tag" : "0d216f2edf30534d51fcaf417222c8f144abd5f2f7fa00ab4667d88a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 70, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e532e8136d78b5f02909b1b0ab09806b2af02f7cb9d39d12", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 71, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faedf30534d51fcaf417222c87144abd5f2f7fa00ab4667d88a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 72, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "9166179d1acd176c92874a0fd6f64ecf54f67f94d50fd083462c62ed", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 73, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "f2de905120cfac32ae0350be8ddd370ebb542a0d0805ff54b9982775", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 74, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "00000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 75, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "00000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 76, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : 
"ffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 77, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 78, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "ee1968e265b26813edf83570a98931b02b8900ebaa70affc39531d92", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 79, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "8da1ef2e5fb0d34dd17c2fc1f2a24871c42b5572777a802bc6e7580a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 80, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6f98e963e433e9926c79b4f12808b031aa08816a2bf12e7db8d29c13", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 81, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0c206eafde3152cc50fdae407323c9f045aad4f3f6fb01aa4766d98b", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "keySize" : 224, + "tagSize" : 112, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 82, + "comment" : "empty message", + "key" : "26f314170b054daef5349804da18f969c94174baca2beeb009d47a23", + "msg" : "", + "tag" : "816d7af2475e94713f2dc3aa3069", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 83, + "comment" : "short message", + "key" : "17429a622dc18d38715b31f8f2b963108e952a6708f3e52d5b25848a", + "msg" : "da", + "tag" : "26630777d85f777187630bb94674", + "result" : "valid", + "flags" : [] + }, + { 
+ "tcId" : 84, + "comment" : "short message", + "key" : "0acfe12d89acd7d9ca49bae6318f35b2fbbfc84e5d2c9d4954beded7", + "msg" : "03a8", + "tag" : "aa4c4bb63cad66ac675150f718b2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 85, + "comment" : "short message", + "key" : "5a0680f112354bd467865b19ae956b2719e21ecee1a913bdca294339", + "msg" : "a0fb73", + "tag" : "36c7cd3f290d1d7d332b951aa471", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 86, + "comment" : "short message", + "key" : "46fa59aa524fe30a0f4e39561b5666854440dbd970bb59925ce0ae1a", + "msg" : "c8b2f557", + "tag" : "c1a8a7d43df34d917f0cb512c57d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 87, + "comment" : "short message", + "key" : "29efc5ab5d30e535357603f2711b6e0aa6cf4613546c23144436d213", + "msg" : "c8d9f5b373", + "tag" : "a8cc7bebef4cfcd5ac2f401a372d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 88, + "comment" : "short message", + "key" : "fe60e0322035538f2b1de9de380cde35f291deeb6e027b5d829ecd1e", + "msg" : "185e4cada4f4", + "tag" : "32faa154396b0b62436e6bf937ee", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 89, + "comment" : "short message", + "key" : "1bf7fcdf3742fa77991528cc1c678b98be9876a8c8c5b809beab7d9c", + "msg" : "9c0f34a5654279", + "tag" : "086170c46d2b0a76c61527c2d052", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 90, + "comment" : "short message", + "key" : "32533c16f792ed0acf8e9e60f54aa173937c7194b882ecc3e671009f", + "msg" : "f968dc7a19afe339", + "tag" : "3fb4eb4450ac4b26a714bcfb224c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 91, + "comment" : "short message", + "key" : "3cf28a476ce7eaecfc3fbf1b0859a042a568740a584c77cb8f9603ac", + "msg" : "dbca9e4bdd84b38934", + "tag" : "2cf14eb8f4c7537e9831983bb5af", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 92, + "comment" : "short message", + "key" : "a2a8090aef69277f92830ec7404c032f8fdebfbceabb9e590968a77f", + "msg" : "6b790a946a83364c79d7", + "tag" : 
"d467209f63a9bd3d2c5398c305da", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 93, + "comment" : "short message", + "key" : "6f999929e91672bac35ea70f8ff8b9aeefa5489493c99b0d27797207", + "msg" : "b7dabb237aeae2be8b5e19", + "tag" : "09b2bb6eaeda5f0229b8c35a2f54", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 94, + "comment" : "short message", + "key" : "4525b96c263e4d2dab2890aa55f3cc503dc1206d9f1915a6fba5ae61", + "msg" : "ef858f496fcb7c3fabbfb52e", + "tag" : "6f5ca7efcb9a70d0abf8425f42ca", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 95, + "comment" : "short message", + "key" : "f89401acb0a60d07fd733ed563f2ee241f4ecfea8114587a44dfdb0c", + "msg" : "7d3c0918085984df95097afa81", + "tag" : "fc227f29b51f9c855343dcd0ea11", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 96, + "comment" : "short message", + "key" : "58bce8c0d17fc7131d2fa2262409bb14663a6e68019f88299987893e", + "msg" : "1ca50cd6c3f1225eb6c4ec4d6a90", + "tag" : "53e103bbded7b825affa240f8578", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 97, + "comment" : "short message", + "key" : "658e510fba4e2208afac98333f9e242bc118f6e79ef0661d619dd32b", + "msg" : "32c385b75ae84558ca302881c51639", + "tag" : "485f351e2a9a82910c3c949e32b8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 98, + "comment" : "", + "key" : "6a41cc3ca7142ae14e6d979a3f890a331597e592dd74520ce4ea660f", + "msg" : "78e3a770a8aaaf039fd4c9b6a1780411", + "tag" : "331a58ed96fc8b9e684ab05f636c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 99, + "comment" : "", + "key" : "b8972b93b68302cbaa08d32904eae6375a66f3508ece3c9b22382c7e", + "msg" : "3687e6287d73c9e3f679a50e7671247127", + "tag" : "27d8113955026d4d318070fbfd8f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 100, + "comment" : "", + "key" : "bc570932abfa11050ad4fc80a6d5afe3271d86aa29dc62738b207d14", + "msg" : "d53202acd2ec74d746531bd9ad3016d0980e0166fb427a08", + "tag" : "020e3e0c2940ce15eeb67392570f", + "result" : 
"valid", + "flags" : [] + }, + { + "tcId" : 101, + "comment" : "", + "key" : "c92a0665c12e87026e1b344f971fdb0e474d450cba834aae40e2d21e", + "msg" : "4a3a85ac09f5190ab94f73fd91d98f056015263c89ed5da223fc4675cab25cdd", + "tag" : "922853f159c42b9e274fcef7bdf3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 102, + "comment" : "long message", + "key" : "6fbef67cfbacc98c63252b1ca009a60e8e3479769a2d449fb4639064", + "msg" : "006e179eacfa9e1e628bb7823ee9609ae7968b6df90e176f772a79088d37e9b15cab312922aaf8fc6583a341002bda", + "tag" : "0a27a12afbb9c3136202e02ae3b2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 103, + "comment" : "long message", + "key" : "700b09908174f1072e31ae8ccbda1c4460fcf21fdf146a11482b210d", + "msg" : "f772564ecb109e80eefb1d5a7f1c95e203ba4c980233dd8d13de3046079a6b2ca26dc3521e5e0c807eae7a79877c73e9", + "tag" : "04c718a4cd8b583d5ffb8170276c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 104, + "comment" : "long message", + "key" : "e18a20246ebe1b5796dbfe35110efc7637d74a355f0a6758d4a00b7d", + "msg" : "77720dde530e6eeaa0e9af3311f7e99189d6c4f7d71d0a4207d62c766bee32020c92f5d5d28d5de4d0d9c94b57ec05f0c3", + "tag" : "25ebc8611f4b636d892f11df2b29", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 105, + "comment" : "long message", + "key" : "3c4585a775bec76c7d8b27b87e70a5863a85e6111f3161b3815f59b4", + "msg" : "628c0ff8c432d74f4cfb77ba46b7cef67a48ac053cf0c18be41648736abcc8c6fbe4981529babd4b27866e34ced16d8b0bec456e14653a1422f5a62556d20b0fe4e03749d5f6e986375062dbdd82f6e9e1d4ad547c31530c2a31383c25ff57e879eae99d9b3a0da1f3c1dacb975067ac", + "tag" : "deb94b2d43e98926af51fc0c88dc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 106, + "comment" : "long message", + "key" : "acaf94cb1a8ff4677fc586d2bdf981ac3a656b208215e0a7647b420f", + "msg" : 
"314c2c25465de3427279dbc89436505fee6d37d56fbda0e5e2a49449d9dbf003027f2e4ef5c52f7af93fd80155a66a1cd6b9885b56d828058a0de7d247e19580b2e8dcbdef2ae46840565fd8b276569c19d7e185116ea11ad67d5fc27f4a6816ba45be5d14f3ba4315c74d1edb20f217b116be852b62a7f4e32b3e708ff9f7", + "tag" : "5b0d7aec7fbd196ee69ed373e131", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 107, + "comment" : "long message", + "key" : "e490348ad78fd2cd5b51f2795b79e5805ce1d9baf1151dbdf995e1b0", + "msg" : "f6ff1845842b9e46f79adb1079aff47397391dc269bc0c899ba4087b58a676f5408c3f7637ffc4772af3e41b5cea51058bc528ea09bb4bd797594c798b0f0ff881695e98c08bbb040c12c5cbdb228d61cc99e332e963128d06e97ed2eefded2e1b5a035f3bea68273efac03a894dcf2fcc79a5696218595404b2758deb9a80ee", + "tag" : "590727f344d8a540e5c5e0f4dae9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 108, + "comment" : "long message", + "key" : "c8e099dbb60a8f19d8b86856b21c55f3437ae27f77dff9808f12a1b5", + "msg" : "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", + "tag" : "33e7dcb0fde3b1c5b92506e635eb", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 109, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6f99e862e532e8936d78b5f02909", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 110, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0c216faedf3053cd51fcaf417222", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 111, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6c99e862e532e8936d78b5f02909", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 112, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : 
"0f216faedf3053cd51fcaf417222", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 113, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "ee99e862e532e8936d78b5f02909", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 114, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "8d216faedf3053cd51fcaf417222", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 115, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e98e862e532e8936d78b5f02909", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 116, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d206faedf3053cd51fcaf417222", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 117, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e8e2e532e8936d78b5f02909", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 118, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216f2edf3053cd51fcaf417222", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 119, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e432e8936d78b5f02909", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 120, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faede3053cd51fcaf417222", + "result" 
: "invalid", + "flags" : [] + }, + { + "tcId" : 121, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e732e8936d78b5f02909", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 122, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faedd3053cd51fcaf417222", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 123, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e532e8136d78b5f02909", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 124, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faedf30534d51fcaf417222", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 125, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e532e8936c78b5f02909", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 126, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faedf3053cd50fcaf417222", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 127, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e532e893ed78b5f02909", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 128, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faedf3053cdd1fcaf417222", + "result" : "invalid", + "flags" : [] + }, + { + 
"tcId" : 129, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e532e8936d58b5f02909", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 130, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faedf3053cd51dcaf417222", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 131, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e532e8936d78b4f02909", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 132, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faedf3053cd51fcae417222", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 133, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e532e8936d78b5f02809", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 134, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faedf3053cd51fcaf417322", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 135, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e532e8936d78b5f02b09", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 136, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faedf3053cd51fcaf417022", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 137, + "comment" : "Flipped 
bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e532e8936d78b5f0a909", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 138, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faedf3053cd51fcaf41f222", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 139, + "comment" : "Flipped bit 104 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e532e8936d78b5f02908", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 140, + "comment" : "Flipped bit 104 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faedf3053cd51fcaf417223", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 141, + "comment" : "Flipped bit 105 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e532e8936d78b5f0290b", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 142, + "comment" : "Flipped bit 105 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faedf3053cd51fcaf417220", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 143, + "comment" : "Flipped bit 110 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e532e8936d78b5f02949", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 144, + "comment" : "Flipped bit 110 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faedf3053cd51fcaf417262", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 145, + "comment" : "Flipped bit 111 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e862e532e8936d78b5f02989", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 146, + "comment" : "Flipped bit 111 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216faedf3053cd51fcaf4172a2", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 147, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6f99e862e532e8936c78b5f02909", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 148, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0c216faedf3053cd50fcaf417222", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 149, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6e99e8e2e532e8136d78b5f02909", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 150, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0d216f2edf30534d51fcaf417222", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 151, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "9166179d1acd176c92874a0fd6f6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 152, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "f2de905120cfac32ae0350be8ddd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 153, + "comment" : "Tag changed to all zero", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "0000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 154, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 155, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "ffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 156, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "ffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 157, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "ee1968e265b26813edf83570a989", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 158, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "8da1ef2e5fb0d34dd17c2fc1f2a2", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 159, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "6f98e963e433e9926c79b4f12808", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 160, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0c206eafde3152cc50fdae407323", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "keySize" : 112, + "tagSize" : 224, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 161, + 
"comment" : "short key", + "key" : "77b0de54e893642caeac34bfd1ab", + "msg" : "", + "tag" : "2014a9f272378fa1c9f6744d4db4861b52e61a19eb28320ebee2d174", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 162, + "comment" : "short key", + "key" : "7346c7e4b118b24e51f4512f906a", + "msg" : "506d4faf624f92965aa6b5c01e0c80a8", + "tag" : "c4e0ad2f62279898a7ede0f709a1ccb8c1004941f3c5074392e79533", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 163, + "comment" : "short key", + "key" : "caa864179f66e826a0ef3b5edbe3", + "msg" : "73f64253706ce6b5094c24ee012ece9ac2495283dcd8c7f1114e81e4587d8ea4", + "tag" : "a1220745bb03d982763bfa7ce352b8bc87576a0ad5d46a0da08ff2d6", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "keySize" : 112, + "tagSize" : 112, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 164, + "comment" : "short key", + "key" : "663a97d6b5493dbfa60c8dd087ed", + "msg" : "", + "tag" : "0c6e21a85e3cd2cd413f36507d6e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 165, + "comment" : "short key", + "key" : "b08c345a7c7166fdd33ce768c1dc", + "msg" : "9964d80ee2338cffe28483aa446a6f76", + "tag" : "aa003015309f2ed6fd7752e49c31", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 166, + "comment" : "short key", + "key" : "fc9d2883c67534fefbd6ed4a9798", + "msg" : "a49820c194a43deef11f3a0f4eaa80425439fca9d9f1d7c8e665d6b130e4e908", + "tag" : "1c2b96623c91ca9c5027f8f81ede", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "keySize" : 520, + "tagSize" : 224, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 167, + "comment" : "long key", + "key" : "cfa639656cd49f8d70f0b1a5a056ab4fc0aeeebc91338d067f36c47b6012dc8d856b8abcc4e1abffc910aeaee21b4d366e907488ffd0ca55b36a621aee0b2e9f0c", + "msg" : "", + "tag" : "0ef4fedaeaab4ad52c843657047b19788a9fa91061b7a14adda8c490", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 168, + "comment" : "long key", + "key" : 
"b36d3d47a4585b401fc64c98eff56243d4da78863063d814e88f370b92576406d447fcf3d129a1ede57ddc56ea3a0a1f100105a95e83138cdf45ecf2a5992acf90", + "msg" : "15c75a64b04d097af2371af380079eb8", + "tag" : "4ecb2daa5fb08dbd836e92a51e200bb230f54ac2c9778f5226b3abc9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 169, + "comment" : "long key", + "key" : "cf78b991382db5e8666ccb2333fb672179b10a75cf9e5a7699ae640005e19772ef6499a3bc97f12e58e835bb0017bb3b2e64c6ab44a0d619dfa0363484d1c991e2", + "msg" : "f661e598f180f25dc6dd76db8a9e0e4c9c272b9665a6b1756560c723b8e08595", + "tag" : "cd55cdb0c4f02b9f6148392993b18b4ff00a5e73b6f3fbf83a854aeb", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "keySize" : 520, + "tagSize" : 112, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 170, + "comment" : "long key", + "key" : "3772ff6bb4e5b2811cfd4d6a3d34dc74bca3dbf89a5817b79d8472a1383b8c9afb27b3006196ce9966829eae6a313c2d724d995f4def17117c09edcfc8c0cbbc93", + "msg" : "", + "tag" : "40beb1d3aaab25a403224e577770", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 171, + "comment" : "long key", + "key" : "2ba910bc0bca90644cb21e96063e2cd85f5dd02fda75d353c9b51eaf45eee94c165ca6592d6cfdd987bfdc1cba66363d535a14b2f7ead841b17c4d76a5049105f9", + "msg" : "7ba461040de9ea3cefd4809124f78b39", + "tag" : "4d28a926df1b188e85d092bacf11", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 172, + "comment" : "long key", + "key" : "7fcf3cb1b1c5b537492aede4689284b5881935e3537bb7307198d6518e7a6aabf70b50b44e4a8dfee35e9f5cbada7447e511a37209390fcd171c62075c6a8bf1eb", + "msg" : "83d29c1c4d059ddb0d2aca787e5b701bac3953fb9bc72dc87b1ef92a582e9748", + "tag" : "392ce38f7838b2f87163eea00b86", + "result" : "valid", + "flags" : [] + } + ] + } + ] +} diff --git a/rust/tests/wycheproof/hmac_sha256_test.json b/rust/tests/wycheproof/hmac_sha256_test.json new file mode 100644 index 00000000..46ab5b78 --- /dev/null +++ b/rust/tests/wycheproof/hmac_sha256_test.json 
@@ -0,0 +1,1622 @@ +{ + "algorithm" : "HMACSHA256", + "generatorVersion" : "0.8rc21", + "numberOfTests" : 174, + "header" : [ + "Test vectors of type MacTest are intended for testing the", + "generation and verification of MACs." + ], + "notes" : { + }, + "schema" : "mac_test_schema.json", + "testGroups" : [ + { + "keySize" : 256, + "tagSize" : 256, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 1, + "comment" : "empty message", + "key" : "1e225cafb90339bba1b24076d4206c3e79c355805d851682bc818baa4f5a7779", + "msg" : "", + "tag" : "b175b57d89ea6cb606fb3363f2538abd73a4c00b4a1386905bac809004cf1933", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 2, + "comment" : "short message", + "key" : "8159fd15133cd964c9a6964c94f0ea269a806fd9f43f0da58b6cd1b33d189b2a", + "msg" : "77", + "tag" : "dfc5105d5eecf7ae7b8b8de3930e7659e84c4172f2555142f1e568fc1872ad93", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 3, + "comment" : "short message", + "key" : "85a7cbaae825bb82c9b6f6c5c2af5ac03d1f6daa63d2a93c189948ec41b9ded9", + "msg" : "a59b", + "tag" : "0fe2f13bba2198f6dda1a084be928e304e9cb16a56bc0b7b939a073280244373", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 4, + "comment" : "short message", + "key" : "48f3029334e55cfbd574ccc765fb2c3685aab1f4837d23370874a3e634c3a76d", + "msg" : "c7b8b2", + "tag" : "6c13f79bb2d5b6f9a315fe8fd6cbb5cb817a660687009deccd88c377429e596d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 5, + "comment" : "short message", + "key" : "de8b5b5b2f09645be47ecb6407a4e1d9c6b33ae3c2d22517d3357da0357a3139", + "msg" : "cc021d65", + "tag" : "e87538eb167e62d7cb236690ff3f034a9c12d417aa8dfa694d7405f9e1f85fe8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 6, + "comment" : "short message", + "key" : "b7938910f518f13205ca1492c669001a14ff913c8ab4a0dc3564e7418e91297c", + "msg" : "a4a6ef6ebd", + "tag" : "01a93f4ed216d0b280896301e366aa67b25e6b6a5a6e84f291a13391c6e496c5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 
7, + "comment" : "short message", + "key" : "1bb997ff4de8a5a391de5c08a33bc2c7c2891e47ad5b9c63110192f78b98fe78", + "msg" : "667e015df7fc", + "tag" : "06b5d8c5392323a802bc5cdd0b3c527454a873d9651c368836eaa4ad982ba546", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 8, + "comment" : "short message", + "key" : "32fdeda39f98b4f4426c2d2ac00ab5dd4bfabb68f311447256ed6d3d3a51b154", + "msg" : "4163a9f77e41f5", + "tag" : "1b0103729f48c2772bb132aef9ebd6dd6aafc9145df6d5c514b233ee92ef4a00", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 9, + "comment" : "short message", + "key" : "233e4fdee70bcc20235b6977ddfc05b0df66f5635d827c66e5a63cdb16a24938", + "msg" : "fdb2ee4b6d1a0ac2", + "tag" : "120b26ee1355c134c262513c7922deb6c4fd90303de4cd61b9f9cd08f22d6e18", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 10, + "comment" : "short message", + "key" : "b984c6734e0bd12b1737b2fc7a1b3803b4dfec402140a57b9eccc35414ae661b", + "msg" : "dea584d0e2a14ad5fd", + "tag" : "88bc2282e5fce47ec6d9895395cd47fff91a0cdc589a8fd56d8d344616533a3d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 11, + "comment" : "short message", + "key" : "d0caf1456ac5e255fa6afd61a79dc8c716f5358a298a508271363fe1ff983561", + "msg" : "18261dc806913c534666", + "tag" : "f678f081d83cf126ad6bd52c2dffd786214f519c47452b85a97458d0c10c3ee5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 12, + "comment" : "short message", + "key" : "835bc8241ed817735ec9d3d0e2df4c173ee4dded4a8ef0c04a96c48f11820463", + "msg" : "26f8083e944bacf04e9a4d", + "tag" : "e0e46cd7d1a75b3d102893da64def46e455308761f1d908786628ca7ee22a0eb", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 13, + "comment" : "short message", + "key" : "055f95c9461b0809575eccdfa5cdd06275f25d30915c4eb8db40e1acd3ab7591", + "msg" : "bfb7d6a08dbaa5225f320887", + "tag" : "e76d5c8c070a6b3c4824e9f342dc3056e63819509e1def98b585aeba0d638a00", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 14, + "comment" : "short message", + "key" 
: "e40f7a3eb88ddec4c6347ea4d67610756c82c8ebcc237629bf873ccabc32984a", + "msg" : "7fe43febc78474649e45bf99b2", + "tag" : "aa57d020aa24ad823472c2b80ff2d0cf475f7de0068f9a59e8112fede53a3581", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 15, + "comment" : "short message", + "key" : "b020ad1de1c141f7ec615ee5701521773f9b232e4d06376c382894ce51a61f48", + "msg" : "81c7581a194b5e71b41146a582c1", + "tag" : "f45c72603cc160c0762f703407844a7781dfe0f1ddf0aaf4ccd8205e94469aed", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 16, + "comment" : "short message", + "key" : "9f3fd61a105202648ecff6074c95e502c1c51acd32ec538a5cce89ef841f7989", + "msg" : "2a76f2acdace42e3b779724946912c", + "tag" : "0226ee13cc05e2340135b3f4b27a9da1a160f6170fe805dadd98a3711ec9c421", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 17, + "comment" : "", + "key" : "6fa353868c82e5deeedac7f09471a61bf749ab5498239e947e012eee3c82d7c4", + "msg" : "aeed3e4d4cb9bbb60d482e98c126c0f5", + "tag" : "9ed7f0e73812a27a87a3808ee0c89a6456499e835974ba57c5aab2a0d8c69e93", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 18, + "comment" : "", + "key" : "5300489494ca86221c91d6d953952ae1a5e097139dc9cf1179c2f56433753824", + "msg" : "90fea6cf2bd811b449f333ee9233e57697", + "tag" : "5b692cba13b54fffc3adcbb0e015cc011fbfd61235303ff0ad2a49775083bf22", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 19, + "comment" : "", + "key" : "383e7c5c13476a62268423ef0500479f9e86e236c5a081c6449189e6afdf2af5", + "msg" : "3202705af89f9555c540b0e1276911d01971abb2c35c78b2", + "tag" : "4e4901592ba46476408d758435c7d1b489d2689afd84ceaaee78bfb91fd9391d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 20, + "comment" : "", + "key" : "186e248ad824e1eb93329a7fdcd565b6cb4eaf3f85b90b910777128d8c538d27", + "msg" : "92ef9ff52f46eccc7e38b9ee19fd2de3b37726c8e6ce9e1b96db5dda4c317902", + "tag" : "3fc1d73dd4a8858c1fc3d8c4a3f33ed5ad0c70210038394a5902cb26fe287348", + "result" : "valid", + "flags" : [] + }, + { + "tcId" 
: 21, + "comment" : "long message", + "key" : "28855c7efc8532d92567300933cc1ca2d0586f55dcc9f054fcca2f05254fbf7f", + "msg" : "9c09207ff0e6e582cb3747dca954c94d45c05e93f1e6f21179cf0e25b4cede74b5479d32f5166935c86f0441905865", + "tag" : "788c0589000fb7f0b5d51f1596472bc9ec413421a43df96ee32b02b5d275ffe3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 22, + "comment" : "long message", + "key" : "8e540cb30c94836ae2a5950f355d482a7002e255207e94fda3f7ef1a099013a0", + "msg" : "d6500f95e11262e308bf3df4df4b855f33e857563d4543f195639a0a17b442eb9fdcc1367d2eee75c8f805730b89290f", + "tag" : "39697e70ce741feb33dedc069f00b5627fd9b837d10cbdd5b6d19cfbd511dd2c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 23, + "comment" : "long message", + "key" : "69c50d5274358188cff4c0fae742243d4e8a5e5ba55d94ff40edd90f6a43dd10", + "msg" : "1ac5255aff052828d8ea21b376f1ebdd4bb879949913900405aebce83e48feb6813b5e9c89f94501a8ade41b26b815c521", + "tag" : "4b0b4d0416fa2e11586fbfa7fb11261e69991dfa34019b9893d69a2be8c1fc80", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 24, + "comment" : "long message", + "key" : "23209b7c5aadcbd13f7279af1a86d3c7ae8f179d1bcaaad0dff9a15302e78dbf", + "msg" : "84bdac37e1af35d9356404e2787d47ece58348dea76a4a46e8aade3463d4db8c94a051be3733b38d756984865d56c60e8025f15e3f968f093e7fb7ebc7e31189c5692d15ed4256737b9b1894e5809503aaa1c9983fb096aa21916361eeb6ef455b129723a1a1ddf9deddea208529a648", + "tag" : "4a85c479d1650dbd73bc5248074a55ff50218bddaa8d1fddaaf44946dc19aefb", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 25, + "comment" : "long message", + "key" : "7c9cc667cae175f448faa96647319633b2d48531373ae7d316c44ddd8b9f69cf", + "msg" : "9233c1d73b498c5106ff88951e07b9652cb0ddae740737ec205c9876d094978bfc947f7dc937119fd6a93915b19b625958a7a22363aa2ac33fb869ed16b303336ab740a0498a2df66a6599da710094481a7b544bd955b6f97135ba4673401db2db144a6e287041e47a51ed9b6ba956c13508c1c0c25310105239ab73629e30", + "tag" : 
"ca1b80441d333909c2bb30769650055051ed20f17de8ee953cb9070af56c704f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 26, + "comment" : "long message", + "key" : "82314540564ea3ce30591e97f68b2602de40fa29f773c2508327471b8348e8c4", + "msg" : "6a6d2f45cebf2757ae16ea33c68617671d77f8fdf80bed8fc5cdc5c8b7086bd28e7eb3eecc7163491104e5309455e67f836579b82a1da3bf5991a8e2b2f189a49e05700e46c409ed5de77780a5f389e3f13dad406c9d55675329c5c921f07034180937c0f6ef34a2308b6ff3e1a0e9dc1ea65f5632730e8744d1db2c40a6595b", + "tag" : "0900b3e6535d34f90e2c335775e86bf38ee7e3d26fb60cd9cdf639eb3496b94c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 27, + "comment" : "long message", + "key" : "d115acc9a636915241795f48852052e07b51273ae2448251ec1d0d0f9807f3db", + "msg" : "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", + "tag" : "82f92977f0b605eaada510ffceb53ad75fde16a8029f1b75b406a84270dbb8b7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 28, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d28b42096d80f45f826b44a9d5607de72496a415d3f4a1a8c88e3bb9da8dc1cb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 29, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d9b99f2709a3ca74172cbe93824c1f29b23a0c1e9c21bd851ff2d2c39dbef14e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 30, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d18b42096d80f45f826b44a9d5607de72496a415d3f4a1a8c88e3bb9da8dc1cb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 31, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : 
"dab99f2709a3ca74172cbe93824c1f29b23a0c1e9c21bd851ff2d2c39dbef14e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 32, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "538b42096d80f45f826b44a9d5607de72496a415d3f4a1a8c88e3bb9da8dc1cb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 33, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "58b99f2709a3ca74172cbe93824c1f29b23a0c1e9c21bd851ff2d2c39dbef14e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 34, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38a42096d80f45f826b44a9d5607de72496a415d3f4a1a8c88e3bb9da8dc1cb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 35, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b89f2709a3ca74172cbe93824c1f29b23a0c1e9c21bd851ff2d2c39dbef14e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 36, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42896d80f45f826b44a9d5607de72496a415d3f4a1a8c88e3bb9da8dc1cb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 37, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99fa709a3ca74172cbe93824c1f29b23a0c1e9c21bd851ff2d2c39dbef14e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 38, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : 
"d38b42096c80f45f826b44a9d5607de72496a415d3f4a1a8c88e3bb9da8dc1cb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 39, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2708a3ca74172cbe93824c1f29b23a0c1e9c21bd851ff2d2c39dbef14e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 40, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096f80f45f826b44a9d5607de72496a415d3f4a1a8c88e3bb9da8dc1cb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 41, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f270ba3ca74172cbe93824c1f29b23a0c1e9c21bd851ff2d2c39dbef14e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 42, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096d80f4df826b44a9d5607de72496a415d3f4a1a8c88e3bb9da8dc1cb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 43, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2709a3caf4172cbe93824c1f29b23a0c1e9c21bd851ff2d2c39dbef14e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 44, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096d80f45f836b44a9d5607de72496a415d3f4a1a8c88e3bb9da8dc1cb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 45, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : 
"000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2709a3ca74162cbe93824c1f29b23a0c1e9c21bd851ff2d2c39dbef14e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 46, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096d80f45f026b44a9d5607de72496a415d3f4a1a8c88e3bb9da8dc1cb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 47, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2709a3ca74972cbe93824c1f29b23a0c1e9c21bd851ff2d2c39dbef14e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 48, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096d80f45f824b44a9d5607de72496a415d3f4a1a8c88e3bb9da8dc1cb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 49, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2709a3ca74170cbe93824c1f29b23a0c1e9c21bd851ff2d2c39dbef14e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 50, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096d80f45f826b45a9d5607de72496a415d3f4a1a8c88e3bb9da8dc1cb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 51, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2709a3ca74172cbf93824c1f29b23a0c1e9c21bd851ff2d2c39dbef14e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 52, + "comment" : "Flipped bit 96 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096d80f45f826b44a9d4607de72496a415d3f4a1a8c88e3bb9da8dc1cb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 53, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2709a3ca74172cbe93834c1f29b23a0c1e9c21bd851ff2d2c39dbef14e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 54, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096d80f45f826b44a9d7607de72496a415d3f4a1a8c88e3bb9da8dc1cb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 55, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2709a3ca74172cbe93804c1f29b23a0c1e9c21bd851ff2d2c39dbef14e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 56, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096d80f45f826b44a955607de72496a415d3f4a1a8c88e3bb9da8dc1cb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 57, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2709a3ca74172cbe93024c1f29b23a0c1e9c21bd851ff2d2c39dbef14e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 58, + "comment" : "Flipped bit 248 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096d80f45f826b44a9d5607de72496a415d3f4a1a8c88e3bb9da8dc1ca", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 59, + "comment" : "Flipped bit 248 in tag", + 
"key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2709a3ca74172cbe93824c1f29b23a0c1e9c21bd851ff2d2c39dbef14f", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 60, + "comment" : "Flipped bit 249 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096d80f45f826b44a9d5607de72496a415d3f4a1a8c88e3bb9da8dc1c9", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 61, + "comment" : "Flipped bit 249 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2709a3ca74172cbe93824c1f29b23a0c1e9c21bd851ff2d2c39dbef14c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 62, + "comment" : "Flipped bit 254 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096d80f45f826b44a9d5607de72496a415d3f4a1a8c88e3bb9da8dc18b", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 63, + "comment" : "Flipped bit 254 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2709a3ca74172cbe93824c1f29b23a0c1e9c21bd851ff2d2c39dbef10e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 64, + "comment" : "Flipped bit 255 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096d80f45f826b44a9d5607de72496a415d3f4a1a8c88e3bb9da8dc14b", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 65, + "comment" : "Flipped bit 255 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2709a3ca74172cbe93824c1f29b23a0c1e9c21bd851ff2d2c39dbef1ce", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 66, + 
"comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d28b42096d80f45f836b44a9d5607de72496a415d3f4a1a8c88e3bb9da8dc1cb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 67, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d9b99f2709a3ca74162cbe93824c1f29b23a0c1e9c21bd851ff2d2c39dbef14e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 68, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42896d80f4df826b44a9d5607de72496a415d3f4a1a8c88e3bb9da8dc1cb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 69, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99fa709a3caf4172cbe93824c1f29b23a0c1e9c21bd851ff2d2c39dbef14e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 70, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096d80f4df826b44a9d5607d672496a415d3f4a1a8c88e3bb9da8dc1cb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 71, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2709a3caf4172cbe93824c1fa9b23a0c1e9c21bd851ff2d2c39dbef14e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 72, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "2c74bdf6927f0ba07d94bb562a9f8218db695bea2c0b5e573771c44625723e34", + "result" : 
"invalid", + "flags" : [] + }, + { + "tcId" : 73, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "274660d8f65c358be8d3416c7db3e0d64dc5f3e163de427ae00d2d3c62410eb1", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 74, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 75, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 76, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 77, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 78, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "530bc289ed0074df02ebc42955e0fd67a416249553742128480ebb395a0d414b", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 79, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : 
"58391fa789234af497ac3e1302cc9fa932ba8c9e1ca13d059f7252431d3e71ce", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 80, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d28a43086c81f55e836a45a8d4617ce62597a514d2f5a0a9c98f3ab8db8cc0ca", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 81, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d9b89e2608a2cb75162dbf92834d1e28b33b0d1f9d20bc841ef3d3c29cbff04f", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "keySize" : 256, + "tagSize" : 128, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 82, + "comment" : "empty message", + "key" : "7bf9e536b66a215c22233fe2daaa743a898b9acb9f7802de70b40e3d6e43ef97", + "msg" : "", + "tag" : "f4605585949747de26f3ee98a738b172", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 83, + "comment" : "short message", + "key" : "e754076ceab3fdaf4f9bcab7d4f0df0cbbafbc87731b8f9b7cd2166472e8eebc", + "msg" : "40", + "tag" : "0dc00d7217bbafe8d78bf961189b8fd2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 84, + "comment" : "short message", + "key" : "ea3b016bdd387dd64d837c71683808f335dbdc53598a4ea8c5f952473fafaf5f", + "msg" : "6601", + "tag" : "ff296b368d3bf059cc48682f6949ccaa", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 85, + "comment" : "short message", + "key" : "73d4709637857dafab6ad8b2b0a51b06524717fedf100296644f7cfdaae1805b", + "msg" : "f1d300", + "tag" : "2d02bd1c25b1fe52b1ead07374d6e883", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 86, + "comment" : "short message", + "key" : "d5c81b399d4c0d1583a13da56de6d2dc45a66e7b47c24ab1192e246dc961dd77", + "msg" : "2ae63cbf", + "tag" : "4d9e8bddf9b7a1218309d5988aa1b0d9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 87, + "comment" : "short message", + "key" : 
"2521203fa0dddf59d837b2830f87b1aa61f958155df3ca4d1df2457cb4284dc8", + "msg" : "af3a015ea1", + "tag" : "cb8a4b413350b42f4ac3533cc7f47864", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 88, + "comment" : "short message", + "key" : "665a02bc265a66d01775091da56726b6668bfd903cb7af66fb1b78a8a062e43c", + "msg" : "3f56935def3f", + "tag" : "1cfce745db1ca7de9a1d4420e612ca55", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 89, + "comment" : "short message", + "key" : "facd75b22221380047305bc981f570e2a1af38928ea7e2059e3af5fc6b82b493", + "msg" : "57bb86beed156f", + "tag" : "0bde0d0c756df09d4f6da81b299a3adf", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 90, + "comment" : "short message", + "key" : "505aa98819809ef63b9a368a1e8bc2e922da45b03ce02d9a7966b15006dba2d5", + "msg" : "2e4e7ef728fe11af", + "tag" : "406a5c2bd3e6a9595f9b7dff608d59a7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 91, + "comment" : "short message", + "key" : "f942093842808ba47f64e427f7351dde6b9546e66de4e7d60aa6f328182712cf", + "msg" : "852a21d92848e627c7", + "tag" : "0b1bf9e98d0a794fa55c09b63e25799f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 92, + "comment" : "short message", + "key" : "64be162b39c6e5f1fed9c32d9f674d9a8cde6eaa2443214d86bd4a1fb53b81b4", + "msg" : "195a3b292f93baff0a2c", + "tag" : "71f33f6021d90858cadb1353d7fbe8d7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 93, + "comment" : "short message", + "key" : "b259a555d44b8a20c5489e2f38392ddaa6be9e35b9833b67e1b5fdf6cb3e4c6c", + "msg" : "afd73117330c6e8528a6e4", + "tag" : "4b8d76372ebe5e5caa56ca4e5c59cdd3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 94, + "comment" : "short message", + "key" : "2c6fc62daa77ba8c6881b3dd6989898fef646663cc7b0a3db8228a707b85f2dc", + "msg" : "0ff54d6b6759120c2e8a51e3", + "tag" : "c580c542846a96e84ea77701778455bf", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 95, + "comment" : "short message", + "key" : 
"abab815d51df29f740e4e2079fb798e0152836e6ab57d1536ae8929e52c06eb8", + "msg" : "f0058d412a104e53d820b95a7f", + "tag" : "13cdb005059338f0f28e2d8ce1af5d0a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 96, + "comment" : "short message", + "key" : "3d5da1af83f7287458bff7a7651ea5d8db72259401333f6b82096996dd7eaf19", + "msg" : "aacc36972f183057919ff57b49e1", + "tag" : "bd993e4428cbc0e275e4d80b6f520363", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 97, + "comment" : "short message", + "key" : "c19bdf314c6cf64381425467f42aefa17c1cc9358be16ce31b1d214859ce86aa", + "msg" : "5d066a92c300e9b6ddd63a7c13ae33", + "tag" : "86c9f4dde0b257a7053a7b03c7504409", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 98, + "comment" : "", + "key" : "612e837843ceae7f61d49625faa7e7494f9253e20cb3adcea686512b043936cd", + "msg" : "cc37fae15f745a2f40e2c8b192f2b38d", + "tag" : "b96bcacafac30094f18ac5039e7b3656", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 99, + "comment" : "", + "key" : "73216fafd0022d0d6ee27198b2272578fa8f04dd9f44467fbb6437aa45641bf7", + "msg" : "d5247b8f6c3edcbfb1d591d13ece23d2f5", + "tag" : "6e597c4c3861a380c06854b446fc2a87", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 100, + "comment" : "", + "key" : "0427a70e257528f3ab70640bba1a5de12cf3885dd4c8e284fbbb55feb35294a5", + "msg" : "13937f8544f44270d01175a011f7670e93fa6ba7ef02336e", + "tag" : "f731aaf2f04023d621f10495344679a0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 101, + "comment" : "", + "key" : "96e1e4896fb2cd05f133a6a100bc5609a7ac3ca6d81721e922dadd69ad07a892", + "msg" : "91a17e4dfcc3166a1add26ff0e7c12056e8a654f28a6de24f4ba739ceb5b5b18", + "tag" : "95243eb1a9d448174ae4fccf4a53ebfe", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 102, + "comment" : "long message", + "key" : "41201567be4e6ea06de2295fd0e6e8a7d862bb57311894f525d8adeabba4a3e4", + "msg" : "58c8c73bdd3f350c97477816eae4d0789c9369c0e99c248902c700bc29ed986425985eb3fa55709b73bf620cd9b1cb", + 
"tag" : "343367207f71425d8f81f3110b0405f6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 103, + "comment" : "long message", + "key" : "649e373e681ef52e3c10ac265484750932a9918f28fb824f7cb50adab39781fe", + "msg" : "39b447bd3a01983c1cb761b456d69000948ceb870562a536126a0d18a8e7e49b16de8fe672f13d0808d8b7d957899917", + "tag" : "151618eec4f503f3b63b539de0a58966", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 104, + "comment" : "long message", + "key" : "7b0d237f7b536e2c6950990e61b361b384333dda690045c591321a4e3f79747f", + "msg" : "3d6283d11c0219b525620e9bf5b9fd887d3f0f707acb1fbdffab0d97a5c6d07fc547762e0e7dd7c43ad35fab1c790f8047", + "tag" : "ce201c0dcfdc3f2bef360609a31fb19e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 105, + "comment" : "long message", + "key" : "17c92663741f012e5bb6714e614c2d155948617f10936269d954c58aba2ae62d", + "msg" : "7fdd6a15c861d0313f6635d77dc55e115ff18c8ab063b5d03eab472eeca87a378188f25813515cf90b6cffa94a8ff36b29d65603eab3fbd2aa9500b261e184049893dc6ca2010becac163053f211070bdda621b8bd8af77e450268603b52db34c90be836dfebddef42303f724e63bf0f", + "tag" : "76e8dfd94db4af9d79d9718eec46cb2d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 106, + "comment" : "long message", + "key" : "424c6b22606fcc094ae82fc5d3cbe484174c2211b3ec778091cac34a8e38a152", + "msg" : "d96ff062e2490e8e0c54c5a8b89e85b25a66d93d7c2b93bdfef846b70d38672746a4b988d08f15a5c527ca4f2c80e53f7c6ac0521bc57ebe38209180cbf934e0bbeb58cfb63d75da64af41d09ce174af1896f42522910fced35ea000402e95fd3ac7aa6d5e0a6b533b0879bc466019b3a5e6b16e4bd1ea6cdfc9ccc1d6f0f0", + "tag" : "eda709c7009714c372d0d6a63dfde469", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 107, + "comment" : "long message", + "key" : "15d553c8da433d53cdc7f15087a70349caab57b379a4078928ce9b99302e31a6", + "msg" : 
"d6c0c53b73f74fb426adfdc143d70db7f7a8f8ed32a2faef263cf9ab117537b6b9d1728bd1000c1f28906c6ce6ad21862bfa4d689c1a8ebe3868b992098b7f981b2af5189a6adedff53a6c70c83693f5c8d6385a9a8a4dca017c5716ac4d5b9765c5ca2ab5f9867e02795198c0b9527e07d08af52dbcb91ceb3d8b412a2b2402", + "tag" : "8ca1402bf8fc23442ac2067be925b828", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 108, + "comment" : "long message", + "key" : "ffe559468a1031dfb3ced2e381e74b5821a36d9abf5f2e59895a7fdca0fa56a0", + "msg" : "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", + "tag" : "a830b313f4936dea56a3aefd6a3ebe7d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 109, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d28b42096d80f45f826b44a9d5607de7", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 110, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d9b99f2709a3ca74172cbe93824c1f29", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 111, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d18b42096d80f45f826b44a9d5607de7", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 112, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "dab99f2709a3ca74172cbe93824c1f29", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 113, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "538b42096d80f45f826b44a9d5607de7", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 114, + "comment" : "Flipped bit 7 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "58b99f2709a3ca74172cbe93824c1f29", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 115, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38a42096d80f45f826b44a9d5607de7", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 116, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b89f2709a3ca74172cbe93824c1f29", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 117, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42896d80f45f826b44a9d5607de7", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 118, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99fa709a3ca74172cbe93824c1f29", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 119, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096c80f45f826b44a9d5607de7", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 120, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2708a3ca74172cbe93824c1f29", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 121, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096f80f45f826b44a9d5607de7", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 
122, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f270ba3ca74172cbe93824c1f29", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 123, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096d80f4df826b44a9d5607de7", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 124, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2709a3caf4172cbe93824c1f29", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 125, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096d80f45f836b44a9d5607de7", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 126, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2709a3ca74162cbe93824c1f29", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 127, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096d80f45f026b44a9d5607de7", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 128, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2709a3ca74972cbe93824c1f29", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 129, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096d80f45f824b44a9d5607de7", + 
"result" : "invalid", + "flags" : [] + }, + { + "tcId" : 130, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2709a3ca74170cbe93824c1f29", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 131, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096d80f45f826b45a9d5607de7", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 132, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2709a3ca74172cbf93824c1f29", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 133, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096d80f45f826b44a9d4607de7", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 134, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2709a3ca74172cbe93834c1f29", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 135, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096d80f45f826b44a9d7607de7", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 136, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2709a3ca74172cbe93804c1f29", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 137, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + 
"msg" : "", + "tag" : "d38b42096d80f45f826b44a955607de7", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 138, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2709a3ca74172cbe93024c1f29", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 139, + "comment" : "Flipped bit 120 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096d80f45f826b44a9d5607de6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 140, + "comment" : "Flipped bit 120 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2709a3ca74172cbe93824c1f28", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 141, + "comment" : "Flipped bit 121 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096d80f45f826b44a9d5607de5", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 142, + "comment" : "Flipped bit 121 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2709a3ca74172cbe93824c1f2b", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 143, + "comment" : "Flipped bit 126 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096d80f45f826b44a9d5607da7", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 144, + "comment" : "Flipped bit 126 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2709a3ca74172cbe93824c1f69", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 145, + "comment" : "Flipped bit 127 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096d80f45f826b44a9d5607d67", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 146, + "comment" : "Flipped bit 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2709a3ca74172cbe93824c1fa9", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 147, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d28b42096d80f45f836b44a9d5607de7", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 148, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d9b99f2709a3ca74162cbe93824c1f29", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 149, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42896d80f4df826b44a9d5607de7", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 150, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99fa709a3caf4172cbe93824c1f29", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 151, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d38b42096d80f4df826b44a9d5607d67", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 152, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d8b99f2709a3caf4172cbe93824c1fa9", + 
"result" : "invalid", + "flags" : [] + }, + { + "tcId" : 153, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "2c74bdf6927f0ba07d94bb562a9f8218", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 154, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "274660d8f65c358be8d3416c7db3e0d6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 155, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "00000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 156, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "00000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 157, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "ffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 158, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "ffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 159, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "530bc289ed0074df02ebc42955e0fd67", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 160, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : 
"000102030405060708090a0b0c0d0e0f", + "tag" : "58391fa789234af497ac3e1302cc9fa9", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 161, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d28a43086c81f55e836a45a8d4617ce6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 162, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "d9b89e2608a2cb75162dbf92834d1e28", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "keySize" : 128, + "tagSize" : 256, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 163, + "comment" : "short key", + "key" : "a349ac0a9f9f74e48e099cc3dbf9a9c9", + "msg" : "", + "tag" : "3a8437b877b75cc08a4d8d7559a8fc6869a58c713da63d1d4b350d59b597e30c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 164, + "comment" : "short key", + "key" : "ac686ba0f1a51b4ec4f0b30492b7f556", + "msg" : "2fa43a14ae500507deb95ab5bd32b0fe", + "tag" : "008532a53d0c0ab22027ae249023375374e2239b959609e8339b05a15742a675", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 165, + "comment" : "short key", + "key" : "73ef9ef1a4225e51e3c1db3ace1fa24f", + "msg" : "ffad380d9aabb0acede5c1bf112925cdfc3d379fc2376a4fe2644490d0430ac3", + "tag" : "9c7cb9f7c207ec46d1e3c55764731c4ab5ddbae4e1401e52a895df0cff4787c9", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "keySize" : 128, + "tagSize" : 128, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 166, + "comment" : "short key", + "key" : "e34f15c7bd819930fe9d66e0c166e61c", + "msg" : "", + "tag" : "1d765ab9e29892f7bfec2975ad4bc2dc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 167, + "comment" : "short key", + "key" : "e09eaa5a3f5e56d279d5e7a03373f6ea", + "msg" : "ef4eab37181f98423e53e947e7050fd0", + "tag" : "cfc19ec07902ec8be489606d8f40d172", + "result" : "valid", + "flags" : 
[] + }, + { + "tcId" : 168, + "comment" : "short key", + "key" : "9bd3902ed0996c869b572272e76f3889", + "msg" : "a7ba19d49ee1ea02f098aa8e30c740d893a4456ccc294040484ed8a00a55f93e", + "tag" : "ac50adad9785a89c7282d8ab881dc615", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "keySize" : 520, + "tagSize" : 256, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 169, + "comment" : "long key", + "key" : "8a0c46eb8a2959e39865330079763341e7439dab149694ee57e0d61ec73d947e1d5301cd974e18a5e0d1cf0d2c37e8aadd9fd589d57ef32e47024a99bc3f70c077", + "msg" : "", + "tag" : "f5bfb940561fb4db73ebba49bf2e4893bb0cca618a71b7ecf6aca38231e167ea", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 170, + "comment" : "long key", + "key" : "2877ebb81f80334fd00516337446c5cf5ad4a3a2e197269e5b0ad1889dfe2b4b0aaa676fac55b36ce3affc7f1092ab89c53273a837bd5bc94d1a9d9e5b02e9856f", + "msg" : "ba448db88f154f775028fdecf9e6752d", + "tag" : "1690ed4180642899e0deb9ec2270374e8b0a484217f5a682c524316eca219b64", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 171, + "comment" : "long key", + "key" : "21178e26bc28ffc27c06f762ba190a627075856d7ca6feab79ac63149b17126e34fd9e5590e0e90aac801df09505d8af2dd0a2703b352c573ac9d2cb063927f2af", + "msg" : "7d5f1d6b993452b1b53a4375760d10a20d46a0ab9ec3943fc4b07a2ce735e731", + "tag" : "e542ac8ac8f364bae4b7da8b7a0777df350f001de4e8cfa2d9ef0b15019496ec", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "keySize" : 520, + "tagSize" : 128, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 172, + "comment" : "long key", + "key" : "813e0c078c221375e80590ace6774eafd2d2c242350988d02efa550e05aecbe100c1b8bf154c932cf9e57177015c816c42bc7fbc71ceaa5328c7316b7f0f30330f", + "msg" : "", + "tag" : "bb6ab66f51e53fa086c9c61a26ca27e0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 173, + "comment" : "long key", + "key" : "5713343096b0aaf0562a6b92c1a15535924160475a4e4233589159728c562e3b2ad96f740c6a4da2bc3f768ce98c9bd66bac28d1646ff592028c940d455f35eeb4", + "msg" : 
"71712de2fac1fb855673bff72af64257", + "tag" : "c18165b8b97db1ca5e2486a32b39731e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 174, + "comment" : "long key", + "key" : "7208afbecf5f1f34828f98b719414e280716de64f5edd1ae1c774153cd2022337bb20fade1b7856f1dbfd40e2b4307f1293ceff1692ee90d8c90b5fdf953ab01a5", + "msg" : "43b53302b604d613e62db002044a4782d572ac8fbd3cd0ece91b43bc52e18e98", + "tag" : "2fecfe45d79339c57dddba68ab34f5f1", + "result" : "valid", + "flags" : [] + } + ] + } + ] +} diff --git a/rust/tests/wycheproof/hmac_sha384_test.json b/rust/tests/wycheproof/hmac_sha384_test.json new file mode 100644 index 00000000..ca9ed1ad --- /dev/null +++ b/rust/tests/wycheproof/hmac_sha384_test.json 
@@ -0,0 +1,1622 @@ +{ + "algorithm" : "HMACSHA384", + "generatorVersion" : "0.8rc21", + "numberOfTests" : 174, + "header" : [ + "Test vectors of type MacTest are intended for testing the", + "generation and verification of MACs." + ], + "notes" : { + }, + "schema" : "mac_test_schema.json", + "testGroups" : [ + { + "keySize" : 384, + "tagSize" : 384, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 1, + "comment" : "empty message", + "key" : "ee8df067857df2300fa71a10c30997178bb3796127b5ece5f2ccc170932be0e78ea9b0a5936c09157e671ce7ec9fc510", + "msg" : "", + "tag" : "a655184daf3346ffc6629d493c8442644e4996a2799e42e3306fa6f5b0967b6cf3a6f819bab89bce297d1d1a5907b2d0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 2, + "comment" : "short message", + "key" : "976696c0dc97182ca771975c3928ff9168ef89cd740cd2292858fd916068a702bc1df7c6cd8ee1f0d25e61d4c514cc5d", + "msg" : "2b", + "tag" : "363e8973fedcf7892013dfae0b7065d61d80b98c635bc09ed860a01473b9bcd0dc550dbf66cf0d601fe9cbf3ae59620d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 3, + "comment" : "short message", + "key" : "c55ea4c64a0a63e2d14ad42559ba7c816b8824d263c2cc6a015761b53f681e514369f0dfba5cde165320ee10a96eb1fc", + "msg" : "5abd", + "tag" : "ccc2925f164a7d9662f1e76bcaf6345492bb091d4d2d775af2178a4bcc1ca21dcf8b3bf8f056823770782f25a419bb3e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 4, + "comment" : "short message", + "key" : "2928d465d92fa40072ca9d67761be66e491755e43499003c1057d3bec870f255126c3658d0d8a0c7d207df8710037ca7", + "msg" : "c405ae", + "tag" : "d9e19c672a466e4c83a849905728c4be1db99bdd260946d9ff52939779002dcc460c576f02b40dda0717182be96b5411", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 5, + "comment" : "short message", + "key" : "686a3730085cc944fceb141628419818e662fe21e52bea2748f3b704f80ce801086db1e3068917b242e62b4d6e6ed685", + "msg" : "6601c683", + "tag" : "10dc39103983b3a6be376a8eda7b6f363cb91efe11b027a62440ae136bd66f98b0a1d8b8f2399099492021076afa14a0", + 
"result" : "valid", + "flags" : [] + }, + { + "tcId" : 6, + "comment" : "short message", + "key" : "f22d867b972b232e3f444a488dd794d170807c70eb650f952b6177596f76c558a5d860d6f7be0be9e666f9bd53732f8d", + "msg" : "15b29377e0", + "tag" : "e02e4e20b5f1e5f06913bc9745c9069c09ec1369f1a296ad1d07c04cc4f9cb4741248d7ba097cd3ba0e75d2409d6a01b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 7, + "comment" : "short message", + "key" : "3ac9abd53dbd0fbb891f9b5e16dd45df994e5283527832707138fc2712bad9e34761e7d9c6d05d46f2c8323ddb0efe99", + "msg" : "5a34155b1115", + "tag" : "78c53dd1a2431174628f5f4867fa777afa6df1b36269bba114d016d1065fcb021170baad09b4a528f40573903a65f540", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 8, + "comment" : "short message", + "key" : "ae3aa94fdd35e2bef40472d29bdad3a409840ea441c3d7025cd72f3e81ff56da602161d84b23d1634061385be30c5bbd", + "msg" : "8a140d781e7191", + "tag" : "fd22ba896cb1147bb86f8ad51c253b792657c0becc913e90104da0f139f9b08c9169706f1531a2c6c03d6bd72a77eff2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 9, + "comment" : "short message", + "key" : "44b79852cabcf3fe93d2fff55d2afe6a46c35b7ad1954ce0888de7b459b982722faf8b490e6b00e7bcabbd36f18443f5", + "msg" : "9398cd251deafe8b", + "tag" : "56128fb438a93f6f48f47c0f4c7549f8008a8e69bbdbf0886ec40f86e7870034ef9090d2b04057391f1def5b25e8f0ad", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 10, + "comment" : "short message", + "key" : "03fed2f579a3ebdececfb184ebe2984876113399c4a593d98b5f5e606dd330fb394c285d9ead601748259b493335f8e5", + "msg" : "18d879b1f63df3ac7a", + "tag" : "a0e3b5660eeb5fc4a5dd48e725b09a0e282b22bbe2693d8b893ddf0f2116450e0875925407e909fde0f1f728f608fba9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 11, + "comment" : "short message", + "key" : "f4ef48bf4056d39dbba4154018c63bdf29420b9991ea594ff05e3cc1cb02e176d54ba038a6b78692519d6788e495bbab", + "msg" : "0a5de13cd9ba31c94486", + "tag" : 
"e9a1219e86983d69e336068b280309f974ab61f25968fc6352324ba49c36ce42c578676a3a31ef11e960d6771386650e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 12, + "comment" : "short message", + "key" : "fc771f7ccd499a1ed633d86876d707b5f1d53c6bcdf21aa2907766ab3ca7fa6cdd6a9b981b1a84a528e81444303f1057", + "msg" : "03ba11f3f3173b85226b25", + "tag" : "cfb4971d5449db364e2c8d0d429a0767050d480a5397f0dcc74294f52ea96260a57fe6cad14409ad67da6fbebf2da0d8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 13, + "comment" : "short message", + "key" : "b3999de680b11550e18631c8199f7eb8a74e21bdc9d97f781245c2af19f85497d9f38b250a564e48650fd00be365f155", + "msg" : "9c658cb5e601d85dc3857863", + "tag" : "d547e4cbd56e82b47d2ec93eeb6b34924ebda461fb60e475bf328d2368618f55fbf7b0e2eb1ff542c4eb7eefbfc8bd2b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 14, + "comment" : "short message", + "key" : "88005a62864ea699e1509616ec48033e84d2e2a13b8bc2e8a76f2eccbdb207a95ac8e2f5b5a703b22a0b571e8acc599a", + "msg" : "5a94f84541a794bf23d72db16d", + "tag" : "d6b73ee67e88a20fceb5520be92594daf1b3786c7187535ccb1f0b926dae11adde6e8697ba803b159019849df3c9d2c7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 15, + "comment" : "short message", + "key" : "b1cbda2c9a12f92315a5101aef311e99d6db002b0e04fb53c50106aa4d28e9a346697ba97084572eea56ccfc4ad7e572", + "msg" : "ce12c0c78e3f6b276ac56ed7435e", + "tag" : "5c0802cd0ed82380e4c2a61d146ed72762613de89eb4ab9fe71da9ad3d79e1d2321cae186292f7c52ab639d3ba6aa85a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 16, + "comment" : "short message", + "key" : "08517e8014e00db5c37f2a20f987ea2ec52e7938de018ad6be256ba2236804144ad2a1bcc242738862b40647007e0a2c", + "msg" : "21e2a0a167789a6b722d1737d92f8b", + "tag" : "2264d3c9b835aedf699d5fbfc05d46f085591441df75aa2b2873f6c8a11a0856a2b79ae11ea0a91609dbd564a0bed456", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 17, + "comment" : "", + "key" : 
"503d7478a773b694d6e552c9703cc8bc56fd49fafc9a17cab8b0332dca8d49336fa7e9ec2bcb56253fe5bb504e3e7f7f", + "msg" : "d96e6fed893addfd9237c81c4f4e341b", + "tag" : "19389766789912260f3f9757df3651663829c358bb48b22c1c63132070df318905beffd45f51e4dfcb3e785f44cf9106", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 18, + "comment" : "", + "key" : "41341bab902e767d4d1964c0acfecf46eff1b02b6455bcb2097de9c154be1f667f21be076de18cd2c15c005896fca87f", + "msg" : "4c43ac7de3631cc86f4da72fe6b6a552f1", + "tag" : "3c3104f24b7070cc3277d9ae640d416298fc917a0c1cdc3c2e7b6da75706fd2ae234efd551af12ae29144704793e2f6a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 19, + "comment" : "", + "key" : "c2f83be1acce7b89a5f9e9ea7e4c4f8b0f4319986fbe479fa3b4a3c298168362393b56ea03b5cef77f48e5a72abe6d08", + "msg" : "8dd0cd786cd800ffebec098728923d69249d3223c4c595cb", + "tag" : "751c6c7d00fef5e4edc993915fba694943a7ee3a2c8e5b700d0ee536bf85fb117a9cd6c456485cd670f7a0b490c83e61", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 20, + "comment" : "", + "key" : "6bd2aee9dd98d6b6609fce82181b10c20bba861da68a1590586fab08c5e9e90ff584047db4760828643fea38087160e4", + "msg" : "33236a9de603c1e4f5e11164224740627d10f6008eb73ec2642321bf0b82d579", + "tag" : "e4cd8b8868bb078ed5d6938e40d9ff4bf61a4994be40a5f2b5446463e5db90516bccdd19f16c92e3f839b9d6de68b2a9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 21, + "comment" : "long message", + "key" : "2f98ba2ceaadc5ba08880a35cb0080dc870a5734a782ebe31c4bab100ff8786dcc3be6de18482ea5d1b3bf14aeabb470", + "msg" : "2d74a66dacf12edb85ef3073feafd122889cb634add00ff0395d224b4ff8b5d5d67ca6419b6826abffdb41bab427d5", + "tag" : "a8ea72100859f4b7b6f2fe596248f1729bcdf0606c900ab52e51eab548d26e1eb634a42e5fc7ccc18356c0d283597ee2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 22, + "comment" : "long message", + "key" : "5e5f60e40d84c7ca2608af3bcc6e04abc5f8b7ca730a78af7f6f032e5a1501695bd91f3bebb28590af1db90d8390ca58", + "msg" : 
"2efe6a14ea8d679e62dbcedf35e61852278c83c54adbe1f1c72cb1a746b11cff8cb4fc3a2c3acd44255d51c020ca6d47", + "tag" : "6e8c95a4097ea13d064ed10809a33b569a6a84205158bd692ff82bc4b70b47a60ed332f2f5bca5211a1cc89c06f9c595", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 23, + "comment" : "long message", + "key" : "bc310bc3913d9fe59e2012a058c9e150534d25611e36206cf07ccaefe153f38eb0eaad9941b6883dfbce01bcb5196041", + "msg" : "9f0747d7396bfbe01cf3e85361e50085e0a91a7490b994031d81851b725065993f45dad0d60d794aedec7ba5d9d6dbbee4", + "tag" : "3a86498f78c3fb7eb3b7b3d82f677d2dfe01166fe76e232083334d74f11588fd089637c94761e9cfe836436005deaef7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 24, + "comment" : "long message", + "key" : "dc770c64d00d156e43cb74970e3a1a2ad28b6d9ec6b2b6e5ac3e356a99f879cb620f00340c044cc1f31bdccfa0dbd177", + "msg" : "403fd8e3ef51b6539db658a894be85b58fbc84881e61c5e0cb13ae421a09d31d780603256d390edd056d190856be00ad20a7048f0c67416fe8e02884086155f4263262e8c1275504d4f91f2751d3c3dccd4409ff2b45e41de93f7b104d58f6e15bacb62ace9700615ecc1b30a0cc1b35", + "tag" : "1c4f6474f39e6eabbe7a99faa234f49833444130acf01dae68d68251a930419960b0fb5f48360149e05d1209941cc9ec", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 25, + "comment" : "long message", + "key" : "cca9299c7bdc26a4b595055c99ca23bec8ed11b5deeda91f83e2365e7340395ceef4e86e5cd91f2593bcfec498a67fc9", + "msg" : "a05b40b8d3a7bc7b75b0e97309c9bd1c9d8755c1ff5245ef6308a6a5cad3ecfbcb6364b41ca6f3d24bbee844d6204d1026abe345af7bdec114a373b109aa5724b738d50ab7a826c268e873709f8b35135a870045d5fb9daa82d3c245b5338917354e72b3058c9a4b807117465217d7d14f36f8a8d4e97bc3b93587c92641e7", + "tag" : "1b6b5ba848bc13dd46c35177ae9ff9bd2d6ca5f4c9373964d3182483d980b4654527f36d7cc51b9e2efe7ed97a82e3be", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 26, + "comment" : "long message", + "key" : "c728e65e08d9296fe3cdf2dedb49c81a30b603a62569eece4ee5d01e9a32ae3bcb4ec163e455e452582454ceefefc046", + "msg" : 
"e6c6bac87c17e269a471434ca9568401451d78c2444a9d6edcda3cdab51c5bed1c19eaf34326580fd85ae5236ad51bc5dae386b36101f54695c595eeedcdd0182a4a117f8093f4f4812e03db396ede9849d193e7722081aeec4be6c4caf6c979d36ead56634a21be21162ea232dec9cffdbd2474245878dca369e814fd028303", + "tag" : "533920a013cf006aa29b26f74b6dd293634293089986aa249271c426b942dc6bae32b2641616672f3d75968866e182e5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 27, + "comment" : "long message", + "key" : "90c4215dc3f237435047fefdd8638d339a3fc66fca06c5063eacbda002ab335e621605f672f3da9f641fae110afc3e7b", + "msg" : "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", + "tag" : "c52b91daed6ee46416f2db78978251cb334e5d8e00b32ae06e365f455d28de406a9cce2f9f29378f229822dbf26bfdad", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 28, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "45be81c415d283ab7a62a45188e5dafbcb97da606bd5b16c92c1fc36f198c0b3a714921848d5e03df1c4849bb8310c66", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 29, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a84d07ff90b338e064b03603d76bcf0214b1fb88c66b9415dde76674896400f97b8408bfefa6ee86c716bfa4a460d216", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 30, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "46be81c415d283ab7a62a45188e5dafbcb97da606bd5b16c92c1fc36f198c0b3a714921848d5e03df1c4849bb8310c66", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 31, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + 
"msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "ab4d07ff90b338e064b03603d76bcf0214b1fb88c66b9415dde76674896400f97b8408bfefa6ee86c716bfa4a460d216", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 32, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "c4be81c415d283ab7a62a45188e5dafbcb97da606bd5b16c92c1fc36f198c0b3a714921848d5e03df1c4849bb8310c66", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 33, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "294d07ff90b338e064b03603d76bcf0214b1fb88c66b9415dde76674896400f97b8408bfefa6ee86c716bfa4a460d216", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 34, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44bf81c415d283ab7a62a45188e5dafbcb97da606bd5b16c92c1fc36f198c0b3a714921848d5e03df1c4849bb8310c66", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 35, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94c07ff90b338e064b03603d76bcf0214b1fb88c66b9415dde76674896400f97b8408bfefa6ee86c716bfa4a460d216", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 36, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be814415d283ab7a62a45188e5dafbcb97da606bd5b16c92c1fc36f198c0b3a714921848d5e03df1c4849bb8310c66", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 37, + "comment" : "Flipped bit 31 in tag", + 
"key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d077f90b338e064b03603d76bcf0214b1fb88c66b9415dde76674896400f97b8408bfefa6ee86c716bfa4a460d216", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 38, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be81c414d283ab7a62a45188e5dafbcb97da606bd5b16c92c1fc36f198c0b3a714921848d5e03df1c4849bb8310c66", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 39, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff91b338e064b03603d76bcf0214b1fb88c66b9415dde76674896400f97b8408bfefa6ee86c716bfa4a460d216", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 40, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be81c417d283ab7a62a45188e5dafbcb97da606bd5b16c92c1fc36f198c0b3a714921848d5e03df1c4849bb8310c66", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 41, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff92b338e064b03603d76bcf0214b1fb88c66b9415dde76674896400f97b8408bfefa6ee86c716bfa4a460d216", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 42, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : 
"44be81c415d2832b7a62a45188e5dafbcb97da606bd5b16c92c1fc36f198c0b3a714921848d5e03df1c4849bb8310c66", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 43, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff90b3386064b03603d76bcf0214b1fb88c66b9415dde76674896400f97b8408bfefa6ee86c716bfa4a460d216", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 44, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be81c415d283ab7b62a45188e5dafbcb97da606bd5b16c92c1fc36f198c0b3a714921848d5e03df1c4849bb8310c66", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 45, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff90b338e065b03603d76bcf0214b1fb88c66b9415dde76674896400f97b8408bfefa6ee86c716bfa4a460d216", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 46, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be81c415d283abfa62a45188e5dafbcb97da606bd5b16c92c1fc36f198c0b3a714921848d5e03df1c4849bb8310c66", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 47, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff90b338e0e4b03603d76bcf0214b1fb88c66b9415dde76674896400f97b8408bfefa6ee86c716bfa4a460d216", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 48, + "comment" : "Flipped bit 77 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be81c415d283ab7a42a45188e5dafbcb97da606bd5b16c92c1fc36f198c0b3a714921848d5e03df1c4849bb8310c66", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 49, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff90b338e064903603d76bcf0214b1fb88c66b9415dde76674896400f97b8408bfefa6ee86c716bfa4a460d216", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 50, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be81c415d283ab7a62a55188e5dafbcb97da606bd5b16c92c1fc36f198c0b3a714921848d5e03df1c4849bb8310c66", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 51, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff90b338e064b03703d76bcf0214b1fb88c66b9415dde76674896400f97b8408bfefa6ee86c716bfa4a460d216", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 52, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be81c415d283ab7a62a45189e5dafbcb97da606bd5b16c92c1fc36f198c0b3a714921848d5e03df1c4849bb8310c66", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 53, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff90b338e064b03603d66bcf0214b1fb88c66b9415dde76674896400f97b8408bfefa6ee86c716bfa4a460d216", 
+ "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 54, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be81c415d283ab7a62a4518ae5dafbcb97da606bd5b16c92c1fc36f198c0b3a714921848d5e03df1c4849bb8310c66", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 55, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff90b338e064b03603d56bcf0214b1fb88c66b9415dde76674896400f97b8408bfefa6ee86c716bfa4a460d216", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 56, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be81c415d283ab7a62a45108e5dafbcb97da606bd5b16c92c1fc36f198c0b3a714921848d5e03df1c4849bb8310c66", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 57, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff90b338e064b03603576bcf0214b1fb88c66b9415dde76674896400f97b8408bfefa6ee86c716bfa4a460d216", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 58, + "comment" : "Flipped bit 376 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be81c415d283ab7a62a45188e5dafbcb97da606bd5b16c92c1fc36f198c0b3a714921848d5e03df1c4849bb8310c67", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 59, + "comment" : "Flipped bit 376 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : 
"000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff90b338e064b03603d76bcf0214b1fb88c66b9415dde76674896400f97b8408bfefa6ee86c716bfa4a460d217", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 60, + "comment" : "Flipped bit 377 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be81c415d283ab7a62a45188e5dafbcb97da606bd5b16c92c1fc36f198c0b3a714921848d5e03df1c4849bb8310c64", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 61, + "comment" : "Flipped bit 377 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff90b338e064b03603d76bcf0214b1fb88c66b9415dde76674896400f97b8408bfefa6ee86c716bfa4a460d214", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 62, + "comment" : "Flipped bit 382 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be81c415d283ab7a62a45188e5dafbcb97da606bd5b16c92c1fc36f198c0b3a714921848d5e03df1c4849bb8310c26", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 63, + "comment" : "Flipped bit 382 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff90b338e064b03603d76bcf0214b1fb88c66b9415dde76674896400f97b8408bfefa6ee86c716bfa4a460d256", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 64, + "comment" : "Flipped bit 383 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be81c415d283ab7a62a45188e5dafbcb97da606bd5b16c92c1fc36f198c0b3a714921848d5e03df1c4849bb8310ce6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 65, + "comment" : "Flipped bit 383 in tag", + 
"key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff90b338e064b03603d76bcf0214b1fb88c66b9415dde76674896400f97b8408bfefa6ee86c716bfa4a460d296", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 66, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "45be81c415d283ab7b62a45188e5dafbcb97da606bd5b16c92c1fc36f198c0b3a714921848d5e03df1c4849bb8310c66", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 67, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a84d07ff90b338e065b03603d76bcf0214b1fb88c66b9415dde76674896400f97b8408bfefa6ee86c716bfa4a460d216", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 68, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be814415d2832b7a62a45188e5dafbcb97da606bd5b16c92c1fc36f198c0b3a714921848d5e03df1c4849bb8310c66", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 69, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d077f90b3386064b03603d76bcf0214b1fb88c66b9415dde76674896400f97b8408bfefa6ee86c716bfa4a460d216", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 70, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : 
"44be81c415d2832b7a62a45188e5da7bcb97da606bd5b16c92c1fc36f198c0b3a714921848d5e03df1c4849bb8310c66", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 71, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff90b3386064b03603d76bcf8214b1fb88c66b9415dde76674896400f97b8408bfefa6ee86c716bfa4a460d216", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 72, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "bb417e3bea2d7c54859d5bae771a25043468259f942a4e936d3e03c90e673f4c58eb6de7b72a1fc20e3b7b6447cef399", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 73, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "56b2f8006f4cc71f9b4fc9fc289430fdeb4e047739946bea2218998b769bff06847bf7401059117938e9405b5b9f2de9", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 74, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 75, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 76, + "comment" : "tag changed to all 1", + 
"key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 77, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 78, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "c43e01449552032bfae224d108655a7b4b175ae0eb5531ec12417cb67118403327941298c85560bd7144041b38b18ce6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 79, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "29cd877f1033b860e430b68357eb4f8294317b0846eb14955d67e6f409e48079fb04883f6f266e0647963f2424e05296", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 80, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "45bf80c514d382aa7b63a55089e4dbfaca96db616ad4b06d93c0fd37f099c1b2a615931949d4e13cf0c5859ab9300d67", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 81, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a84c06fe91b239e165b13702d66ace0315b0fa89c76a9514dce66775886501f87a8509beeea7ef87c617bea5a561d317", 
+ "result" : "invalid", + "flags" : [] + } + ] + }, + { + "keySize" : 384, + "tagSize" : 192, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 82, + "comment" : "empty message", + "key" : "1c678267be13acb464939c2896c9e9ce1deb5b30833bdd9ca00370889b84410782ad52afe25dc10ab7ec5cf5f34793b7", + "msg" : "", + "tag" : "6dd566be678c1e6359ab31b635cc160160a0c5a9c49a0ac5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 83, + "comment" : "short message", + "key" : "00b184c2c0a491d764a26f8b2e56a965222b36213bdd106ae782305c50f89269902476e5df3fa58e0ecfae82a9607c8e", + "msg" : "9f", + "tag" : "5afff4b009ca9c9e5dcd84f05607e7a7d43ee43b42498989", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 84, + "comment" : "short message", + "key" : "055b67edb659e29c10e3e9cd25aa1cd5abf0880e2026ed8436e39b064b7315760cd7a9294ee23d4750969cc8b5dbaed7", + "msg" : "4047", + "tag" : "4d08baef969eed23b814472acff08d08fd3491a728778a1c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 85, + "comment" : "short message", + "key" : "9e3c198e93930f076b035c5fa8f10d9a65e98c66cfb36633e3cb33279cdf57688f10b7472d1fc9d962ce6954519bfbf6", + "msg" : "88cfab", + "tag" : "1cde3765ba5a15b1d0182136a72c603acd3b904ceac8f7ad", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 86, + "comment" : "short message", + "key" : "f5f5962bda257b38b2a2318929121b2eaef792d5c6a9585e48b80cf5357b29c3951b787ed3e03e385b05b8ffe6861dc3", + "msg" : "d9397753", + "tag" : "4638e4427e6084b76c53ed9d6e916162fcb8b962c3d616f1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 87, + "comment" : "short message", + "key" : "f62820ed5f9833fd22dee7bd49e2c9b19fc9668897c2c33e6c7c1fa5c277c3b9f581faef3ddc664ba537975d8afaa707", + "msg" : "9b6cc7caa4", + "tag" : "f6e272a7a6235f60b72b4c7424cf32a07f98ea592665bad8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 88, + "comment" : "short message", + "key" : "f222a1dabf322aff8463acee6444939331212be3e19d31f4b73fdcc97e2925365ea33c985282805c83dcd8fb42a0e214", + "msg" : 
"c85ad7872b76", + "tag" : "933f0fa61d4466b5baf5a601f6b96d81a97e81c512d822e6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 89, + "comment" : "short message", + "key" : "56e80f3899e945310a9d9bef3d32091f29c157dd46b2d439ad89d63e14b2c24390f74db4d905f6bd03f75c32e91225fe", + "msg" : "80ba25f1c27650", + "tag" : "a1a6e248b40864ddf83b00c52ae2c303b7e76fba0548d4d4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 90, + "comment" : "short message", + "key" : "6cb6261a56a21b2c3c13453c158364aafa78f58172a9ae3eeb328ac38808b5c68c111197a303ec36847c9a315ac5eb5b", + "msg" : "79430de51d68cf34", + "tag" : "33593a80da455e580ccc5ee9b60edcd1468460539788fc41", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 91, + "comment" : "short message", + "key" : "44ca1ecb490470a84c7e13e1f1c69da21f48c33b6f050f48f7f244f0fda8b3c855904ed0612e2dafa5105cbd7f6449eb", + "msg" : "870b981c8afd9fae1b", + "tag" : "930f2e401e3aafb46a0c4029002f4ef1ab9fe838bc00c79e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 92, + "comment" : "short message", + "key" : "aaca68882cfa7250988a247b96cfb3232d6567378f8fa7e7aaaca1c386e1ae15e54957d22bfff1e50ae7f21beea197a5", + "msg" : "a6f31b822ec24da1b1e9", + "tag" : "a9c2d68f0ad1ba50089b169c86d965f97f52388a48ace744", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 93, + "comment" : "short message", + "key" : "1b32f9b6378934a502dd74d8b74a4606d5b2c9a8587fab1cfa90d75007734d2b8bdfe634815243526ebc0f33c04d0d05", + "msg" : "55367c657c792610efdcc0", + "tag" : "934083c8594591da783f0da28f4b58adb604e9cc76b99efe", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 94, + "comment" : "short message", + "key" : "09d91b2fa22e68b5335d478235aa4e157435c9acfed772219adfa1e9dd72f33e1a2183a0203a104f80e643cdf29e5aff", + "msg" : "b31e254957db6b1b70a06ce2", + "tag" : "7d45f3899455787e7116b570df8f7787f672d5821d6f75fe", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 95, + "comment" : "short message", + "key" : 
"d311a80ac801e3639b9185608af4a85e4122e29b5c23f05234c30d92d59ad13cb80390e5fa0ea4a54853228b356689f5", + "msg" : "e6b443dba0dab35d43ca5d6ce6", + "tag" : "27297096f58f598391c57778129949b94628bf17bb2422d1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 96, + "comment" : "short message", + "key" : "06297e6c46558b9b0fc36c272b4ae7e65dd536cc1d13acbfa831fa5574b34f99e09adfb7f20321f203075fd26ed2e29d", + "msg" : "309b95e5f1ec26f70786e74d806d", + "tag" : "aabff26fc44a40f0b87a40c175c17ea7140f8467dcdb95cd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 97, + "comment" : "short message", + "key" : "e8b63a25cd85ad4f39e3c0e9584eacb94d6ae33f984da259aa533d4d28aeb341cf3ffe49c029e4af6a4805f760f35f2c", + "msg" : "d225c27795f809454bb2c51d21f3ac", + "tag" : "0e12b758015ac89797d55470f3982c13a5ff1483276083d2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 98, + "comment" : "", + "key" : "d83a685ace9fa0c0aa47f0c7b4f0f00717619a82e2eeff87f51f67d814d51dd9e4cad7578a4e49b672b5af83943c2583", + "msg" : "abfa7f5978f751e87e8b5a15a6e89f4f", + "tag" : "e4e6ba041bbb7a47ec8482b2043455c119fbdb389a3945a0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 99, + "comment" : "", + "key" : "5beaf406a6627eaafcadb6dea4e27ba4fd879fd3e5bfd87ea3c8d5e0acfbbda2c6bf006beaf5a30312e690724c4744a3", + "msg" : "bc57d467a9a2af64ad5e14b7bc0898dc63", + "tag" : "3fab1a7a192359b6333a9699b75612211a38b6dccab4572d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 100, + "comment" : "", + "key" : "76b36cc3b8ca975708ee4b32bdbe40ca13f9ce384c52c4b6602b7fd92164f1fd8432706c1966f648bf4830f4deb34795", + "msg" : "b1d022c6536f401d147dfc0d7d4e600bb753ef0e9f243bc3", + "tag" : "c91eb3f362049c5336c5074cb887edcb27aac1ef6575a92d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 101, + "comment" : "", + "key" : "20569a16f453dd3c34df98155286b1ca8a392ea164c919311f0df9d39d976062f4f992b96def3851886e6295f2615064", + "msg" : "5402c4e683d1a431868ad528afbf4128b0b10cef947d063b34d376d344b793b2", + 
"tag" : "27728059696aed5bb00a13c1db100691d4a21ebea0a8e4c3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 102, + "comment" : "long message", + "key" : "9ef6a55f8a9b6b9ef1f8296167319078163706ae5b60897c2dd6e340b67ed5d577fb54c5547cd5f248f06e7082ffb826", + "msg" : "6a0d16276941d8f04eac2ec723fa53b9d6b16da7e30e7f2d9ad898e7cbb71bd3dd234ee22836ff4ac6011b6f12bd3a", + "tag" : "cef5d900eef0abefc625c1d2862a3f42998ce8b1e007d2b8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 103, + "comment" : "long message", + "key" : "fb56bbbc6d751b744d8c1b57cc27a1d2c2f4e38e3491f54448cfcfb9389b7f63fd0d41920968ef612510625f2637d28d", + "msg" : "cf1791517ef5a61c0db65a668bee26fdbc975d799b2623cc0f3e4560e80c7014fa9c02d568c98c86385e000fe6776bb7", + "tag" : "88e99accc9c23c9c8c1110e7470cade0317817916d8505f5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 104, + "comment" : "long message", + "key" : "d041e24e59b34d7a18128a42d8a7a52dcba5d79e5ed585b55c7c9e4946e5ccaf7e59df0f3da98c7d0523e4cc8f9d7da4", + "msg" : "5279618f1b41534910395a78ded968aee3431085b599c4f55eb5ff8a2e879bc44291d923de31009db1b9f7f81095afb3ea", + "tag" : "8500f603ce85c030cfa05731758b6be3317b6fe8e99b7d48", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 105, + "comment" : "long message", + "key" : "e1ce4884fd74a0e197c68ace3b29b552313af8e451e98d9ab8d0e8f8ee74143e8fcb6446217c0f3123a426b8ab6f62cb", + "msg" : "71154b9a657b905f884ba5140d5e7b9243fec3e03fbbdbb360c8194963ae43177b5502cd20f559eeeff8638d028c501926ebc7eddd132ccea29ead7ad0c95a30b9d325952cafb0ea5ec9d9d6fdeb63950d5d69c8bbbea702aed1d444da286807ffd6b36cb49902cba7abf9bda1b577c6", + "tag" : "c7e9ae2a81de32280b518d055c2c9d7f0f5db6d06ad0e4ae", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 106, + "comment" : "long message", + "key" : "8a242c22d1b54ce216ca03c88455beb128211a9f35af2343709af7c5f43a681451ea53a36de2e5048eb44a51681c6120", + "msg" : 
"ab5eee6b83869119f00dd3cc66dde75cb5700535a90e9b3e32b31434c297ef53f94659d7d9b11323161b2e66c6b9c9ad20e313303f81e88e471786c8e936011f78121e39630b2e0804fc97ce5cb3a34f26949439fe530adcea6e97c78b042e0817253bf75dd54335584122f5edd210341b6d93f58aa1b4de2aad76fecec44f", + "tag" : "77392b18577ba8819fbd76fc73d45029e55e7ebecd58a320", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 107, + "comment" : "long message", + "key" : "311c4bee7cf257b780135a2e4a6413e68a816f5d8462515dcb1c72494b6335581a9b60a217b9ff1c75e7768148f8df46", + "msg" : "63ccc3849c4c323cb6ce926877969048b849ee4af18e71eef52fe9f274a8678560f9a5d47510c3c98c8a08ed4c01a01e0a3663ef0cc6c3cdca6276d91e99b0d414263498fb64ad74b820ab52b37adeaf27cb44545edb8f09094992837b8d3a0baa2a101a49592eb889dc8bace4c71e3efcb9d4149bd670ce2f774d73c12f2a45", + "tag" : "94674aaefc06eead22d15317900fa26c8df8cdfb252bcaae", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 108, + "comment" : "long message", + "key" : "fb792867c8928f0503aa24477cebf42e0b018346e3619770b9e8f5097945e2e275ad06f0c12152366ac06e278c94090a", + "msg" : "0a63e6d91d7a6a18dbad879fb8e23ae351920391eb40fead6cba846768a2c6797ff347b4301327b09afc41f7b803af6b61f6d9b818e0ddcc02536d0543dbf1a87f2c5e020f6459094344b72596d548435c313544e92c254d54a70a1d6f6edd2f82540a1ea2e82125b0715fa0f890bb2be4ba0065d2ba0144854682aed041c1035996648e2ed671b7253ba567ffb999d91fd8e7ffce5c6dc4790732adae443435a454fe6c2a7c6708d9d5b2eb9292d6fbe5e026d65332b38c7925eff9beb89063cab63fbecb2ac0e1bb61a5b1e511f949c43a34ee26f1156e97793da97bcf5b5c67641384f268131b297857d719eeb6cafa3dbe9b8d0da55c98656f20e5b39b", + "tag" : "1aaaff966c0a84bac791ab9e0b9b505d393073665732a74a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 109, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "45be81c415d283ab7a62a45188e5dafbcb97da606bd5b16c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 110, + 
"comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a84d07ff90b338e064b03603d76bcf0214b1fb88c66b9415", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 111, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "46be81c415d283ab7a62a45188e5dafbcb97da606bd5b16c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 112, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "ab4d07ff90b338e064b03603d76bcf0214b1fb88c66b9415", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 113, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "c4be81c415d283ab7a62a45188e5dafbcb97da606bd5b16c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 114, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "294d07ff90b338e064b03603d76bcf0214b1fb88c66b9415", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 115, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44bf81c415d283ab7a62a45188e5dafbcb97da606bd5b16c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 116, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : 
"000102030405060708090a0b0c0d0e0f", + "tag" : "a94c07ff90b338e064b03603d76bcf0214b1fb88c66b9415", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 117, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be814415d283ab7a62a45188e5dafbcb97da606bd5b16c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 118, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d077f90b338e064b03603d76bcf0214b1fb88c66b9415", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 119, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be81c414d283ab7a62a45188e5dafbcb97da606bd5b16c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 120, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff91b338e064b03603d76bcf0214b1fb88c66b9415", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 121, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be81c417d283ab7a62a45188e5dafbcb97da606bd5b16c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 122, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff92b338e064b03603d76bcf0214b1fb88c66b9415", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 123, + 
"comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be81c415d2832b7a62a45188e5dafbcb97da606bd5b16c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 124, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff90b3386064b03603d76bcf0214b1fb88c66b9415", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 125, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be81c415d283ab7b62a45188e5dafbcb97da606bd5b16c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 126, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff90b338e065b03603d76bcf0214b1fb88c66b9415", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 127, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be81c415d283abfa62a45188e5dafbcb97da606bd5b16c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 128, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff90b338e0e4b03603d76bcf0214b1fb88c66b9415", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 129, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" 
: "44be81c415d283ab7a42a45188e5dafbcb97da606bd5b16c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 130, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff90b338e064903603d76bcf0214b1fb88c66b9415", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 131, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be81c415d283ab7a62a55188e5dafbcb97da606bd5b16c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 132, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff90b338e064b03703d76bcf0214b1fb88c66b9415", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 133, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be81c415d283ab7a62a45189e5dafbcb97da606bd5b16c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 134, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff90b338e064b03603d66bcf0214b1fb88c66b9415", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 135, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be81c415d283ab7a62a4518ae5dafbcb97da606bd5b16c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 136, + "comment" : "Flipped bit 97 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff90b338e064b03603d56bcf0214b1fb88c66b9415", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 137, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be81c415d283ab7a62a45108e5dafbcb97da606bd5b16c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 138, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff90b338e064b03603576bcf0214b1fb88c66b9415", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 139, + "comment" : "Flipped bit 184 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be81c415d283ab7a62a45188e5dafbcb97da606bd5b16d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 140, + "comment" : "Flipped bit 184 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff90b338e064b03603d76bcf0214b1fb88c66b9414", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 141, + "comment" : "Flipped bit 185 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be81c415d283ab7a62a45188e5dafbcb97da606bd5b16e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 142, + "comment" : "Flipped bit 185 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : 
"a94d07ff90b338e064b03603d76bcf0214b1fb88c66b9417", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 143, + "comment" : "Flipped bit 190 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be81c415d283ab7a62a45188e5dafbcb97da606bd5b12c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 144, + "comment" : "Flipped bit 190 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff90b338e064b03603d76bcf0214b1fb88c66b9455", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 145, + "comment" : "Flipped bit 191 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be81c415d283ab7a62a45188e5dafbcb97da606bd5b1ec", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 146, + "comment" : "Flipped bit 191 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff90b338e064b03603d76bcf0214b1fb88c66b9495", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 147, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "45be81c415d283ab7b62a45188e5dafbcb97da606bd5b16c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 148, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a84d07ff90b338e065b03603d76bcf0214b1fb88c66b9415", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 149, + "comment" : "Flipped bits 31 and 
63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be814415d2832b7a62a45188e5dafbcb97da606bd5b16c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 150, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d077f90b3386064b03603d76bcf0214b1fb88c66b9415", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 151, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "44be81c415d2832b7a62a45188e5da7bcb97da606bd5b16c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 152, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a94d07ff90b3386064b03603d76bcf8214b1fb88c66b9415", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 153, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "bb417e3bea2d7c54859d5bae771a25043468259f942a4e93", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 154, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "56b2f8006f4cc71f9b4fc9fc289430fdeb4e047739946bea", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 155, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + 
"tag" : "000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 156, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 157, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "ffffffffffffffffffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 158, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "ffffffffffffffffffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 159, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "c43e01449552032bfae224d108655a7b4b175ae0eb5531ec", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 160, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "29cd877f1033b860e430b68357eb4f8294317b0846eb1495", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 161, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "45bf80c514d382aa7b63a55089e4dbfaca96db616ad4b06d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 162, + "comment" : "lsbs changed in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "a84c06fe91b239e165b13702d66ace0315b0fa89c76a9514", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "keySize" : 192, + "tagSize" : 384, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 163, + "comment" : "short key", + "key" : "08476e9d49499c5f52e37f80ece6f5a45459948806b48241", + "msg" : "", + "tag" : "1b6cfc8709aab8075465f32e13b0b0f796cc34d93d7bed090f297dcf9fb75e0d8e285b1500b732d554ac97ba45f33e47", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 164, + "comment" : "short key", + "key" : "213b44d8e1fabaff837ef30ee2542f9ab82ed70411dae78f", + "msg" : "ee0bf48585c186ff991b4d8607817c9c", + "tag" : "54f4010d50f80bcdb4b84d56bc4ef30e4c68f75128214cf446b5145f6fff1326a209945fc21ab5e1f5d917559ea9b800", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 165, + "comment" : "short key", + "key" : "b4afa9daaa8c944d73a3881f3221e42b34ef4e35f184e878", + "msg" : "cf607f6a0eb44ecbca81b6d1fdb595cee35f2353da02e82e28e133b9decd8fbb", + "tag" : "d064a51fb109c3b1d443f13f41e90e14198f846080464547806d46a8151c4e3855a81f4af40915609095dd72f869aa1b", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "keySize" : 192, + "tagSize" : 192, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 166, + "comment" : "short key", + "key" : "89e46b66209548c80b0c830662223b49b0e3b895eb30e2fc", + "msg" : "", + "tag" : "4b012c0c0da44ede2a427e85ace8ecc54b379e9e24f08d41", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 167, + "comment" : "short key", + "key" : "f2c10ce8cb1cf3b363354473b027c1e53deccef03233be0c", + "msg" : "e1fa10b8e301e0348405770bc3fafcb1", + "tag" : "2d088af29cc744e347124fbe4100cbcdebbae037ed9bf69d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 168, + "comment" : "short key", + "key" : "92e074442cc4c59e72260808d80d8e7b85c6335068917b83", + "msg" : 
"34eae27425ace17771e164cbb634306f352edc9c37bf608be8a755fb94148183", + "tag" : "b7e6b7bb29c02e4635dbdc50d8be71e2ddf0a544471de285", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "keySize" : 520, + "tagSize" : 384, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 169, + "comment" : "long key", + "key" : "db6f9956c3f4ca6e41f1f7f14629d44c79e0353edbf3e310e6858bbc45a7cd57778a9053ba22a141bf58bfd434ad08648c7041a224b97a0d17e0edf94fd40b410a", + "msg" : "", + "tag" : "0cb1b296255bb259f3b601b49b35524a5eca6c52360754d3d96dd521c905b1c1821d74965967d8e86d50de950fe4d635", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 170, + "comment" : "long key", + "key" : "f03404bdb3e08f530d4c3a5f165d236012a4c45cd063e3e4483da088ec0afdb24e9639fccabb91f98a49dc2972e2981426573ecfe69c00c43a2d99a3107cef3a70", + "msg" : "73ed9fa2acf49d6c98bfc7d6c5ad9c56", + "tag" : "b6132e5216f711eeeb44da3d92983fe5b6de5cd9410be71db8d3b07228341686aa60e7081e95f2e4b69bb7cd9648bc0b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 171, + "comment" : "long key", + "key" : "ee799e25edb1b18452e5ed174bc6b2185a6754417d6cc05d736d2ba9efc8367e4b05ba0a2ee525ceeab74f9804a8479130c328d671e34070cf174a003a1dfb5994", + "msg" : "ac3e7da7e578b9b4dc2424030446c7f6aebcc471445a9e0e6e65099caeec5b2f", + "tag" : "c8607fca1888418166c550dd58d7a3976a6ecd0e4ca99b02fb187800a9c9ef909a6c1497c0652d4dca82405ab07f5eed", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "keySize" : 520, + "tagSize" : 192, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 172, + "comment" : "long key", + "key" : "063d6e12e670098adabe68192023b637bb6d8d713fc8436188c4ec06fdd084ce6d193f26c86a9560e1abc27d813fce2b3eac0170fd1cb72e1930a2776bc84d6c11", + "msg" : "", + "tag" : "9dc2acbfa28a7ac5f2a5bdd4b1b2dbc806c48f96ce950eb5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 173, + "comment" : "long key", + "key" : 
"359318e6c6279ba9ebcb1675f5a98195bbf5d895da9c17b8329038be857dc395b12ae91a55598876593c1c20bc0172cf15126b7a6bf0a238eda3325d6dd60600ef", + "msg" : "7ad0c9098ea10e615bb672b52c96542d", + "tag" : "4163737c219f7c5e743843dc3d36019c6585ea5d4e7cf24f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 174, + "comment" : "long key", + "key" : "d01cd898089d8a1eeb0035b0d332da80fbd3571b9192db10fa6f55f665ab192d7050cab643996e99254d9573e0cf4eeaa63afccdefd81614fe7b83dfe30e3ba19f", + "msg" : "d67c77cdd0af5d10e8cae887e5a609bb76a9e5597653773c303b82b918fdc59f", + "tag" : "e7df527a988080749ee215ba0f8207838df38a37707a6330", + "result" : "valid", + "flags" : [] + } + ] + } + ] +} diff --git a/rust/tests/wycheproof/hmac_sha3_224_test.json b/rust/tests/wycheproof/hmac_sha3_224_test.json new file mode 100644 index 00000000..299a1ea5 --- /dev/null +++ b/rust/tests/wycheproof/hmac_sha3_224_test.json 
@@ -0,0 +1,1604 @@ +{ + "algorithm" : "HMACSHA3-224", + "generatorVersion" : "0.8rc21", + "numberOfTests" : 172, + "header" : [ + "Test vectors of type MacTest are intended for testing the", + "generation and verification of MACs." + ], + "notes" : { + }, + "schema" : "mac_test_schema.json", + "testGroups" : [ + { + "keySize" : 224, + "tagSize" : 224, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 1, + "comment" : "empty message", + "key" : "7eef1e40253350eb9307cc6bd8ab8df434bc2faf7095e45b50ffdd64", + "msg" : "", + "tag" : "f2aa17e549253ac51a9332c5c2390fc0c5003c40bed255df439c3d05", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 2, + "comment" : "short message", + "key" : "8648ee936c6ebc5ae4bb48c1139a54e3ac5d897beec492dc4d740752", + "msg" : "2e", + "tag" : "e4bbe7b3a8f173736a1b1e58283040bd20090a772ba1d1fa1f0f02ce", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 3, + "comment" : "short message", + "key" : "2297d78cc45faf9b885b36ac80205cc08e1b730f264f23f4edbbb406", + "msg" : "329f", + "tag" : "ec7ef165239a3eea8ea6310c9b98f33aa036175be706fc0186a86ef9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 4, + "comment" : "short message", + "key" : "0361a904f7cbd107a617614ab69d11208ee6d423b3ae90e2bb6d7e54", + "msg" : "e6e765", + "tag" : "fcbcf9840d73b4143fbc2a988b801bea0212049e615dd0e5fd823b0a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 5, + "comment" : "short message", + "key" : "264a8d2128e8fd0972d9acc66dc275b1286beeb0aff7ce8e97c7b96c", + "msg" : "25838e50", + "tag" : "edffc65c657d16730fe63bb6326ab7fd4366596ed6a62c26ae43d3d8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 6, + "comment" : "short message", + "key" : "6dde8828f09b7aa981082aa116fca3b7341721c0440803f52cc9732e", + "msg" : "be81602da7", + "tag" : "6b349764a2d6cc6cc8ecdbbb2526d7cb9acfe2abe7057dae3755ad20", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 7, + "comment" : "short message", + "key" : 
"3ba156ffdc55d155bd085105aca64d13044db60c82cf2cd9d61d098f", + "msg" : "69c76c8937a0", + "tag" : "f0a6bc996be079f62c2c6a73337ce50013a05180a876d3363e07f12a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 8, + "comment" : "short message", + "key" : "9c2739bae2a863fb0236466ba3408f4eec8d43206d56bb7aa2f8f75e", + "msg" : "aaf4c9146db948", + "tag" : "a473dd1d6f34fb1cf2586d1bb5a414d232e7dcc7397a1ef1735fb46f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 9, + "comment" : "short message", + "key" : "31d9cae2c3df064018209b121f9e883976ea757942ecda9d92fdadfd", + "msg" : "b844289529206f5a", + "tag" : "2e44f4d141c338a4c882be2c8d326dda3ab53dcb02536a2096392726", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 10, + "comment" : "short message", + "key" : "89a1b9e9004444c1d4e967570c21a05512d3f618ec168fc3e13ea5a2", + "msg" : "6b42eb6d84e90c70c2", + "tag" : "56a078272a84a7dd98d9fd2551679b308f2ca0b8a31ec90448ffc2e4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 11, + "comment" : "short message", + "key" : "4398731752fd7af1db86ebccbee0ad65eb5faf00ace6c9aa35441faa", + "msg" : "1ae2e7d917c48026570d", + "tag" : "37e090b83d12e0663c9ea9037ed32ab67afbfe43783669e6f57544e4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 12, + "comment" : "short message", + "key" : "339460d6bb26ca60ebcef10c38587b9e575c398491782ccf9e8f6803", + "msg" : "ca03eb4f37536b2377738e", + "tag" : "ab81ecca201e69b7a6c11102943d141157865b6884b67da7593b6953", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 13, + "comment" : "short message", + "key" : "025f8380d10b8207b3623e4a90f79c3e753b1be6a35b88b68330a40c", + "msg" : "e57daef9ede4e915c3a9eece", + "tag" : "a22d2b3586b2f574eb65798f18a04e763935c88be53963a2e904838a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 14, + "comment" : "short message", + "key" : "0bdc5f51f8a1a35d75554be70efbcdf51e54f30fa4696f727431941f", + "msg" : "cc3dd1eb0690f7af09ad408f9c", + "tag" : 
"96d7cc8bae498a3345b05d399b126162e156920eddca40e6f488f5bc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 15, + "comment" : "short message", + "key" : "5ada97d90a74a7d4a68c5464fff25a9b7fa2e75d6acf0a59f143a2e9", + "msg" : "3fe4ede158af108e09f543e14ab7", + "tag" : "c5c07816701eecfa1d61b5c11ed9ed1d11ec495f711ec9752e6787ba", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 16, + "comment" : "short message", + "key" : "007afe6b7c0701c30cb76b431afa3510c8b31d21cfe0bbaa5289cd08", + "msg" : "c2cf80005c591c1f737369fcc212f0", + "tag" : "fb651bc4f41ab50d88849739529199519e33e948635e246235c81af3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 17, + "comment" : "", + "key" : "26491168a32ce8cbc4c0cd64107e4fcc432f07d59c992862e1e55b1e", + "msg" : "15e51091b4f424ba1fdecb5e2fba11f6", + "tag" : "6ca3ae8f244120dee0b4c1d4db3dbed42564c04206fb47cfded97662", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 18, + "comment" : "", + "key" : "6978b6c134dd6949832d65e4cb9c1e1dc36beae4a134907c80da0f44", + "msg" : "6641d834b3fbfdb5d178007801f7b4e7b1", + "tag" : "fffc90de02cf66f6c9dc4272faf6b5cdcb165b3295add1b359f504cd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 19, + "comment" : "", + "key" : "9f9fb280adf12e739548b1d676cb794d685b9104e63b619b055cb60f", + "msg" : "91513dd6de40a1c23f8d1eb0ab8f5ea6f6835506ec750894", + "tag" : "c49f485f16bbc63695ee3e5221d8b3dfda5b85aa461dbe925e44d18d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 20, + "comment" : "", + "key" : "3b1b16e6dd2e69559dbeb964e10fc94c068471b2374d3a2d24d2d466", + "msg" : "8ecd55b56c668dcb8e8b1efd699c0e4a464204d29af140f87d3f5075495378a3", + "tag" : "9d849dee727eed22ae379f5bbd3f77a0f35d88f8f39a753013bdd4d0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 21, + "comment" : "long message", + "key" : "fc296398845063e661bdf36ff3615926eaccbf06947cd31e6677f710", + "msg" : "62bd0ad75d64c554cb2cc109c6e4019fc601c61cabdf99f8de871edc17a301b4c1f55a15ed66f91eb4666dd08bc59c", + "tag" : 
"74dd2a6644c4ee035ae39ad8ff88c93003eeadb7ddc3042e69975816", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 22, + "comment" : "long message", + "key" : "6c98d1feafff9861351966bc6ed19ed467f9dc767fa0df6b56955554", + "msg" : "e99d51a1d9a25c5842501a5383133578c8debe501581b1610f7575519bbd26f01ab7cbe069bfd5df3699a2fea5b461a3", + "tag" : "66f22e75e9cb458aab043c45ac3914e51d4cb6bc4c9c9bc376b566d9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 23, + "comment" : "long message", + "key" : "42a164f94e33d574118e0f8c938bbc2874bab219ee7a179f21e13b02", + "msg" : "e895639631f8b5d48e3ce00eb310bf129976ffced96a6f30a09d6ac1c291f73e93690526d86cc4d1a8e21c11f5a8979308", + "tag" : "bf5f90d12aa12812778beea4cebe1972c715a04d90aa651f95fe58d2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 24, + "comment" : "long message", + "key" : "c1b5b91210667e72aa510346e1811358815a3330c5ed27a695c39451", + "msg" : "bf1086c3ea8b8840418c690c92152c73a6730bd1a0210c8b1d25c43a2193e739684f04a25a52cc305599f22ba6f70c8ed00d10b914a9522a25e06c471ebca2ff1bb4fa6799b85122020978dfa66ef12ed26ad38331b26eaf591afceac96d8c771eae50fb7f46242337dd0029f4813b53", + "tag" : "37d74bbc46661f0e2819bf745b136ab9a2ac5833b0b53ec4e25fc59a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 25, + "comment" : "long message", + "key" : "4f09d14d40e475b68288c080668ebb1bc8c6be3191f6664d91a23fcd", + "msg" : "ae8b6ecc219b368d22fb596e42652d0bffee0b20d69cfd089ce3dc9303ba2f054ccaf5f5147c7968a028b140f5e3c9274eae2afc61c3bb6298dc598df77dec1cd2dd84212693b082b8132ad0f0b19f66db69fa7f6bf352b4feac724ce048440d2a42b44d53bb62fe2ab25f7f54bedf9ce7ddafd8e09330dacc6d52ee9b65f5", + "tag" : "8cf86ed44adb37c55b7a9be866b89b8fec1d772050b5424a5fa890d2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 26, + "comment" : "long message", + "key" : "613f414cd94130bb8a6243e12eccd90836808428b4a7177867934da0", + "msg" : 
"f696b9063b64816a45064f48ca05ffe4d5cc3d0b3beb0dd4057b6ada994969bf039bfbb72ce197101cc4e4b3959b3702f045afb7fb3113c997606dcaf2aaab31e02ac6ee597dfc0f9143d0effedc9ae7ea10e7ddb1db860a91afec62c48ed9c0a6c10b4da1de748caf7f7a5e01799ac57090daf4e3352fe859c5131c205d262d", + "tag" : "0c8165ba519c38c931095d5d4cd13c8fb3035252896f26c058167fe0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 27, + "comment" : "long message", + "key" : "5b88275307aaf691a0cf0c51f50553dda972d14f8afff98e62c2d972", + "msg" : "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", + "tag" : "9c62c309977641be25ede8f7cd227df71bbf1514d26c0df5ff3adfe7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 28, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "42b8f94fe31d2662600c97097aa0d45422de6c5beb14dc05f76ba6da", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 29, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "14bbda5ae11dc2dfad9608568f019710300a5e0b56672f6199fc62eb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 30, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "41b8f94fe31d2662600c97097aa0d45422de6c5beb14dc05f76ba6da", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 31, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "17bbda5ae11dc2dfad9608568f019710300a5e0b56672f6199fc62eb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 32, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "c3b8f94fe31d2662600c97097aa0d45422de6c5beb14dc05f76ba6da", + "result" : "invalid", + "flags" 
: [] + }, + { + "tcId" : 33, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "95bbda5ae11dc2dfad9608568f019710300a5e0b56672f6199fc62eb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 34, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b9f94fe31d2662600c97097aa0d45422de6c5beb14dc05f76ba6da", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 35, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bada5ae11dc2dfad9608568f019710300a5e0b56672f6199fc62eb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 36, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f9cfe31d2662600c97097aa0d45422de6c5beb14dc05f76ba6da", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 37, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbdadae11dc2dfad9608568f019710300a5e0b56672f6199fc62eb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 38, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe21d2662600c97097aa0d45422de6c5beb14dc05f76ba6da", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 39, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae01dc2dfad9608568f019710300a5e0b56672f6199fc62eb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 40, + "comment" : "Flipped bit 33 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe11d2662600c97097aa0d45422de6c5beb14dc05f76ba6da", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 41, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae31dc2dfad9608568f019710300a5e0b56672f6199fc62eb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 42, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe31d26e2600c97097aa0d45422de6c5beb14dc05f76ba6da", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 43, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae11dc25fad9608568f019710300a5e0b56672f6199fc62eb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 44, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe31d2662610c97097aa0d45422de6c5beb14dc05f76ba6da", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 45, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae11dc2dfac9608568f019710300a5e0b56672f6199fc62eb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 46, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe31d2662e00c97097aa0d45422de6c5beb14dc05f76ba6da", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 47, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + 
"tag" : "15bbda5ae11dc2df2d9608568f019710300a5e0b56672f6199fc62eb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 48, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe31d2662602c97097aa0d45422de6c5beb14dc05f76ba6da", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 49, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae11dc2dfadb608568f019710300a5e0b56672f6199fc62eb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 50, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe31d2662600c96097aa0d45422de6c5beb14dc05f76ba6da", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 51, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae11dc2dfad9609568f019710300a5e0b56672f6199fc62eb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 52, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe31d2662600c97097ba0d45422de6c5beb14dc05f76ba6da", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 53, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae11dc2dfad9608568e019710300a5e0b56672f6199fc62eb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 54, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe31d2662600c970978a0d45422de6c5beb14dc05f76ba6da", + "result" : "invalid", + "flags" : [] + }, 
+ { + "tcId" : 55, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae11dc2dfad9608568d019710300a5e0b56672f6199fc62eb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 56, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe31d2662600c9709faa0d45422de6c5beb14dc05f76ba6da", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 57, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae11dc2dfad9608560f019710300a5e0b56672f6199fc62eb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 58, + "comment" : "Flipped bit 216 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe31d2662600c97097aa0d45422de6c5beb14dc05f76ba6db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 59, + "comment" : "Flipped bit 216 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae11dc2dfad9608568f019710300a5e0b56672f6199fc62ea", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 60, + "comment" : "Flipped bit 217 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe31d2662600c97097aa0d45422de6c5beb14dc05f76ba6d8", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 61, + "comment" : "Flipped bit 217 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae11dc2dfad9608568f019710300a5e0b56672f6199fc62e9", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 62, + "comment" : "Flipped bit 222 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe31d2662600c97097aa0d45422de6c5beb14dc05f76ba69a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 63, + "comment" : "Flipped bit 222 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae11dc2dfad9608568f019710300a5e0b56672f6199fc62ab", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 64, + "comment" : "Flipped bit 223 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe31d2662600c97097aa0d45422de6c5beb14dc05f76ba65a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 65, + "comment" : "Flipped bit 223 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae11dc2dfad9608568f019710300a5e0b56672f6199fc626b", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 66, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "42b8f94fe31d2662610c97097aa0d45422de6c5beb14dc05f76ba6da", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 67, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "14bbda5ae11dc2dfac9608568f019710300a5e0b56672f6199fc62eb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 68, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f9cfe31d26e2600c97097aa0d45422de6c5beb14dc05f76ba6da", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 69, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : 
"000102030405060708090a0b0c0d0e0f", + "tag" : "15bbdadae11dc25fad9608568f019710300a5e0b56672f6199fc62eb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 70, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe31d26e2600c97097aa0d4d422de6c5beb14dc05f76ba6da", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 71, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae11dc25fad9608568f019790300a5e0b56672f6199fc62eb", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 72, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "bc4706b01ce2d99d9ff368f6855f2babdd2193a414eb23fa08945925", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 73, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "ea4425a51ee23d205269f7a970fe68efcff5a1f4a998d09e66039d14", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 74, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "00000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 75, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "00000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 76, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : 
"ffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 77, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 78, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "c33879cf639da6e2e08c1789fa2054d4a25eecdb6b945c8577eb265a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 79, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "953b5ada619d425f2d1688d60f811790b08ade8bd6e7afe1197ce26b", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 80, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "42b9f84ee21c2763610d96087ba1d55523df6d5aea15dd04f66aa7db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 81, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "14badb5be01cc3deac9709578e009611310b5f0a57662e6098fd63ea", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "keySize" : 224, + "tagSize" : 112, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 82, + "comment" : "empty message", + "key" : "26f314170b054daef5349804da18f969c94174baca2beeb009d47a23", + "msg" : "", + "tag" : "32f3e12826c2c869660ed7ac65a5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 83, + "comment" : "short message", + "key" : "17429a622dc18d38715b31f8f2b963108e952a6708f3e52d5b25848a", + "msg" : "da", + "tag" : "24cae2ffb844b1074fbecfa21585", + "result" : "valid", + "flags" : [] + }, + { 
+ "tcId" : 84, + "comment" : "short message", + "key" : "0acfe12d89acd7d9ca49bae6318f35b2fbbfc84e5d2c9d4954beded7", + "msg" : "03a8", + "tag" : "2594d62daaedef9e87080713ead3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 85, + "comment" : "short message", + "key" : "5a0680f112354bd467865b19ae956b2719e21ecee1a913bdca294339", + "msg" : "a0fb73", + "tag" : "5111521c27f8235f154cce85d02c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 86, + "comment" : "short message", + "key" : "46fa59aa524fe30a0f4e39561b5666854440dbd970bb59925ce0ae1a", + "msg" : "c8b2f557", + "tag" : "038521397a49e95f43c741276bd0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 87, + "comment" : "short message", + "key" : "29efc5ab5d30e535357603f2711b6e0aa6cf4613546c23144436d213", + "msg" : "c8d9f5b373", + "tag" : "bcce4dd5a90f1a0431d45e8f1dcf", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 88, + "comment" : "short message", + "key" : "fe60e0322035538f2b1de9de380cde35f291deeb6e027b5d829ecd1e", + "msg" : "185e4cada4f4", + "tag" : "a11873691fd9ffcad1f1a3f66511", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 89, + "comment" : "short message", + "key" : "1bf7fcdf3742fa77991528cc1c678b98be9876a8c8c5b809beab7d9c", + "msg" : "9c0f34a5654279", + "tag" : "63722a805684c31a37aba7f5d79a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 90, + "comment" : "short message", + "key" : "32533c16f792ed0acf8e9e60f54aa173937c7194b882ecc3e671009f", + "msg" : "f968dc7a19afe339", + "tag" : "348666b68285b51787be5d8d50ca", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 91, + "comment" : "short message", + "key" : "3cf28a476ce7eaecfc3fbf1b0859a042a568740a584c77cb8f9603ac", + "msg" : "dbca9e4bdd84b38934", + "tag" : "49a78665d8f77df14ad66047c377", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 92, + "comment" : "short message", + "key" : "a2a8090aef69277f92830ec7404c032f8fdebfbceabb9e590968a77f", + "msg" : "6b790a946a83364c79d7", + "tag" : 
"e7c0183be70df5d06d288827012b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 93, + "comment" : "short message", + "key" : "6f999929e91672bac35ea70f8ff8b9aeefa5489493c99b0d27797207", + "msg" : "b7dabb237aeae2be8b5e19", + "tag" : "920b9e959d3d05bc7065d4f126f1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 94, + "comment" : "short message", + "key" : "4525b96c263e4d2dab2890aa55f3cc503dc1206d9f1915a6fba5ae61", + "msg" : "ef858f496fcb7c3fabbfb52e", + "tag" : "b08764fec1a8a75c3cb81204d932", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 95, + "comment" : "short message", + "key" : "f89401acb0a60d07fd733ed563f2ee241f4ecfea8114587a44dfdb0c", + "msg" : "7d3c0918085984df95097afa81", + "tag" : "32b9e37330307f47ef400277c9a0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 96, + "comment" : "short message", + "key" : "58bce8c0d17fc7131d2fa2262409bb14663a6e68019f88299987893e", + "msg" : "1ca50cd6c3f1225eb6c4ec4d6a90", + "tag" : "2adc605564c6da00bb3abebd5066", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 97, + "comment" : "short message", + "key" : "658e510fba4e2208afac98333f9e242bc118f6e79ef0661d619dd32b", + "msg" : "32c385b75ae84558ca302881c51639", + "tag" : "382cec4b6a5e80a6d703ef323161", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 98, + "comment" : "", + "key" : "6a41cc3ca7142ae14e6d979a3f890a331597e592dd74520ce4ea660f", + "msg" : "78e3a770a8aaaf039fd4c9b6a1780411", + "tag" : "fc51222de880062beb4fb986ba71", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 99, + "comment" : "", + "key" : "b8972b93b68302cbaa08d32904eae6375a66f3508ece3c9b22382c7e", + "msg" : "3687e6287d73c9e3f679a50e7671247127", + "tag" : "2f9a78f5175f17372920c8e7638f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 100, + "comment" : "", + "key" : "bc570932abfa11050ad4fc80a6d5afe3271d86aa29dc62738b207d14", + "msg" : "d53202acd2ec74d746531bd9ad3016d0980e0166fb427a08", + "tag" : "edba9b4466e1145179c53b5eb65c", + "result" : 
"valid", + "flags" : [] + }, + { + "tcId" : 101, + "comment" : "", + "key" : "c92a0665c12e87026e1b344f971fdb0e474d450cba834aae40e2d21e", + "msg" : "4a3a85ac09f5190ab94f73fd91d98f056015263c89ed5da223fc4675cab25cdd", + "tag" : "05758de1ec12f00f069eed387c83", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 102, + "comment" : "long message", + "key" : "6fbef67cfbacc98c63252b1ca009a60e8e3479769a2d449fb4639064", + "msg" : "006e179eacfa9e1e628bb7823ee9609ae7968b6df90e176f772a79088d37e9b15cab312922aaf8fc6583a341002bda", + "tag" : "c3756d9a9a1ed56b97d7b95e7e46", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 103, + "comment" : "long message", + "key" : "700b09908174f1072e31ae8ccbda1c4460fcf21fdf146a11482b210d", + "msg" : "f772564ecb109e80eefb1d5a7f1c95e203ba4c980233dd8d13de3046079a6b2ca26dc3521e5e0c807eae7a79877c73e9", + "tag" : "1f39ce1fcdfc2f19a8f34594f0b1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 104, + "comment" : "long message", + "key" : "e18a20246ebe1b5796dbfe35110efc7637d74a355f0a6758d4a00b7d", + "msg" : "77720dde530e6eeaa0e9af3311f7e99189d6c4f7d71d0a4207d62c766bee32020c92f5d5d28d5de4d0d9c94b57ec05f0c3", + "tag" : "82dcc13275c2178befa27462bff8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 105, + "comment" : "long message", + "key" : "3c4585a775bec76c7d8b27b87e70a5863a85e6111f3161b3815f59b4", + "msg" : "628c0ff8c432d74f4cfb77ba46b7cef67a48ac053cf0c18be41648736abcc8c6fbe4981529babd4b27866e34ced16d8b0bec456e14653a1422f5a62556d20b0fe4e03749d5f6e986375062dbdd82f6e9e1d4ad547c31530c2a31383c25ff57e879eae99d9b3a0da1f3c1dacb975067ac", + "tag" : "5d763c4c224c4034de56ef2aa1b2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 106, + "comment" : "long message", + "key" : "acaf94cb1a8ff4677fc586d2bdf981ac3a656b208215e0a7647b420f", + "msg" : 
"314c2c25465de3427279dbc89436505fee6d37d56fbda0e5e2a49449d9dbf003027f2e4ef5c52f7af93fd80155a66a1cd6b9885b56d828058a0de7d247e19580b2e8dcbdef2ae46840565fd8b276569c19d7e185116ea11ad67d5fc27f4a6816ba45be5d14f3ba4315c74d1edb20f217b116be852b62a7f4e32b3e708ff9f7", + "tag" : "8876296366c17d836b269129af65", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 107, + "comment" : "long message", + "key" : "e490348ad78fd2cd5b51f2795b79e5805ce1d9baf1151dbdf995e1b0", + "msg" : "f6ff1845842b9e46f79adb1079aff47397391dc269bc0c899ba4087b58a676f5408c3f7637ffc4772af3e41b5cea51058bc528ea09bb4bd797594c798b0f0ff881695e98c08bbb040c12c5cbdb228d61cc99e332e963128d06e97ed2eefded2e1b5a035f3bea68273efac03a894dcf2fcc79a5696218595404b2758deb9a80ee", + "tag" : "f6970364f45c8b91d57947649742", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 108, + "comment" : "long message", + "key" : "c8e099dbb60a8f19d8b86856b21c55f3437ae27f77dff9808f12a1b5", + "msg" : "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", + "tag" : "865b855fbbcb0feb5dbea3507efa", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 109, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "42b8f94fe31d2662600c97097aa0", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 110, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "14bbda5ae11dc2dfad9608568f01", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 111, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "41b8f94fe31d2662600c97097aa0", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 112, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : 
"17bbda5ae11dc2dfad9608568f01", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 113, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "c3b8f94fe31d2662600c97097aa0", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 114, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "95bbda5ae11dc2dfad9608568f01", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 115, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b9f94fe31d2662600c97097aa0", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 116, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bada5ae11dc2dfad9608568f01", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 117, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f9cfe31d2662600c97097aa0", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 118, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbdadae11dc2dfad9608568f01", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 119, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe21d2662600c97097aa0", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 120, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae01dc2dfad9608568f01", + "result" 
: "invalid", + "flags" : [] + }, + { + "tcId" : 121, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe11d2662600c97097aa0", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 122, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae31dc2dfad9608568f01", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 123, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe31d26e2600c97097aa0", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 124, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae11dc25fad9608568f01", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 125, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe31d2662610c97097aa0", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 126, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae11dc2dfac9608568f01", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 127, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe31d2662e00c97097aa0", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 128, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae11dc2df2d9608568f01", + "result" : "invalid", + "flags" : [] + }, + { + 
"tcId" : 129, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe31d2662602c97097aa0", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 130, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae11dc2dfadb608568f01", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 131, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe31d2662600c96097aa0", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 132, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae11dc2dfad9609568f01", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 133, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe31d2662600c97097ba0", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 134, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae11dc2dfad9608568e01", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 135, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe31d2662600c970978a0", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 136, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae11dc2dfad9608568d01", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 137, + "comment" : "Flipped 
bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe31d2662600c9709faa0", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 138, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae11dc2dfad9608560f01", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 139, + "comment" : "Flipped bit 104 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe31d2662600c97097aa1", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 140, + "comment" : "Flipped bit 104 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae11dc2dfad9608568f00", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 141, + "comment" : "Flipped bit 105 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe31d2662600c97097aa2", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 142, + "comment" : "Flipped bit 105 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae11dc2dfad9608568f03", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 143, + "comment" : "Flipped bit 110 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe31d2662600c97097ae0", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 144, + "comment" : "Flipped bit 110 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae11dc2dfad9608568f41", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 145, + "comment" : "Flipped bit 111 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f94fe31d2662600c97097a20", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 146, + "comment" : "Flipped bit 111 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbda5ae11dc2dfad9608568f81", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 147, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "42b8f94fe31d2662610c97097aa0", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 148, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "14bbda5ae11dc2dfac9608568f01", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 149, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "43b8f9cfe31d26e2600c97097aa0", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 150, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "15bbdadae11dc25fad9608568f01", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 151, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "bc4706b01ce2d99d9ff368f6855f", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 152, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "ea4425a51ee23d205269f7a970fe", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 153, + "comment" : "Tag changed to all zero", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "0000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 154, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 155, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "ffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 156, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "ffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 157, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "c33879cf639da6e2e08c1789fa20", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 158, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "953b5ada619d425f2d1688d60f81", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 159, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "", + "tag" : "42b9f84ee21c2763610d96087ba1", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 160, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "14badb5be01cc3deac9709578e00", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "keySize" : 112, + "tagSize" : 224, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 161, + 
"comment" : "short key", + "key" : "77b0de54e893642caeac34bfd1ab", + "msg" : "", + "tag" : "ec98a3472919934900eccd3e0ec3ed6b9def6f324b02fd35e1938194", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 162, + "comment" : "short key", + "key" : "7346c7e4b118b24e51f4512f906a", + "msg" : "506d4faf624f92965aa6b5c01e0c80a8", + "tag" : "09a4d9759d544b73bfd7a663adf5b13c0499073d861f9e1adea5df83", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 163, + "comment" : "short key", + "key" : "caa864179f66e826a0ef3b5edbe3", + "msg" : "73f64253706ce6b5094c24ee012ece9ac2495283dcd8c7f1114e81e4587d8ea4", + "tag" : "36db20b14b79d6294c9817d1aba325644f58526a1cda8f6f493711c3", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "keySize" : 112, + "tagSize" : 112, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 164, + "comment" : "short key", + "key" : "663a97d6b5493dbfa60c8dd087ed", + "msg" : "", + "tag" : "afa2a693fb38a01a7ee809b44624", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 165, + "comment" : "short key", + "key" : "b08c345a7c7166fdd33ce768c1dc", + "msg" : "9964d80ee2338cffe28483aa446a6f76", + "tag" : "73abc31c5da5608373ec9b8248c7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 166, + "comment" : "short key", + "key" : "fc9d2883c67534fefbd6ed4a9798", + "msg" : "a49820c194a43deef11f3a0f4eaa80425439fca9d9f1d7c8e665d6b130e4e908", + "tag" : "9a9703ea2037345f994a3a9d1267", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "keySize" : 520, + "tagSize" : 224, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 167, + "comment" : "long key", + "key" : "cfa639656cd49f8d70f0b1a5a056ab4fc0aeeebc91338d067f36c47b6012dc8d856b8abcc4e1abffc910aeaee21b4d366e907488ffd0ca55b36a621aee0b2e9f0c", + "msg" : "", + "tag" : "75138f920397e8dc25abff1bbb844fb26a05f39f9456cf7157968b2b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 168, + "comment" : "long key", + "key" : 
"b36d3d47a4585b401fc64c98eff56243d4da78863063d814e88f370b92576406d447fcf3d129a1ede57ddc56ea3a0a1f100105a95e83138cdf45ecf2a5992acf90", + "msg" : "15c75a64b04d097af2371af380079eb8", + "tag" : "0419e735f2ed98f26ef36f15c320a92512a4c3a53383d255464b70da", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 169, + "comment" : "long key", + "key" : "cf78b991382db5e8666ccb2333fb672179b10a75cf9e5a7699ae640005e19772ef6499a3bc97f12e58e835bb0017bb3b2e64c6ab44a0d619dfa0363484d1c991e2", + "msg" : "f661e598f180f25dc6dd76db8a9e0e4c9c272b9665a6b1756560c723b8e08595", + "tag" : "ca4610a8d081fc133fe6657700af54ee66fcda80f4bce0d4be110b51", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "keySize" : 520, + "tagSize" : 112, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 170, + "comment" : "long key", + "key" : "3772ff6bb4e5b2811cfd4d6a3d34dc74bca3dbf89a5817b79d8472a1383b8c9afb27b3006196ce9966829eae6a313c2d724d995f4def17117c09edcfc8c0cbbc93", + "msg" : "", + "tag" : "1243fc7ecb0fb41e777d2207a72e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 171, + "comment" : "long key", + "key" : "2ba910bc0bca90644cb21e96063e2cd85f5dd02fda75d353c9b51eaf45eee94c165ca6592d6cfdd987bfdc1cba66363d535a14b2f7ead841b17c4d76a5049105f9", + "msg" : "7ba461040de9ea3cefd4809124f78b39", + "tag" : "1f30f3b7a7ff3971032def03bf73", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 172, + "comment" : "long key", + "key" : "7fcf3cb1b1c5b537492aede4689284b5881935e3537bb7307198d6518e7a6aabf70b50b44e4a8dfee35e9f5cbada7447e511a37209390fcd171c62075c6a8bf1eb", + "msg" : "83d29c1c4d059ddb0d2aca787e5b701bac3953fb9bc72dc87b1ef92a582e9748", + "tag" : "dd10401fac834914f0a9a574c65e", + "result" : "valid", + "flags" : [] + } + ] + } + ] +} diff --git a/rust/tests/wycheproof/hmac_sha3_256_test.json b/rust/tests/wycheproof/hmac_sha3_256_test.json new file mode 100644 index 00000000..93123f48 --- /dev/null +++ b/rust/tests/wycheproof/hmac_sha3_256_test.json 
@@ -0,0 +1,1622 @@ +{ + "algorithm" : "HMACSHA3-256", + "generatorVersion" : "0.8rc21", + "numberOfTests" : 174, + "header" : [ + "Test vectors of type MacTest are intended for testing the", + "generation and verification of MACs." + ], + "notes" : { + }, + "schema" : "mac_test_schema.json", + "testGroups" : [ + { + "keySize" : 256, + "tagSize" : 256, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 1, + "comment" : "empty message", + "key" : "1e225cafb90339bba1b24076d4206c3e79c355805d851682bc818baa4f5a7779", + "msg" : "", + "tag" : "a3c58470afa8835d6e2357fb7b1cd07f8c4bc4c7874ca59d83163f046a9e227e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 2, + "comment" : "short message", + "key" : "8159fd15133cd964c9a6964c94f0ea269a806fd9f43f0da58b6cd1b33d189b2a", + "msg" : "77", + "tag" : "f709a35d41e82e36955512bf5fc1af0c1a9c580ff8fc3199bcb7454027029282", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 3, + "comment" : "short message", + "key" : "85a7cbaae825bb82c9b6f6c5c2af5ac03d1f6daa63d2a93c189948ec41b9ded9", + "msg" : "a59b", + "tag" : "bd323e494c3d22bde1d11dbde458f81bbe590007b42c4cee1cc45030d2b733cf", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 4, + "comment" : "short message", + "key" : "48f3029334e55cfbd574ccc765fb2c3685aab1f4837d23370874a3e634c3a76d", + "msg" : "c7b8b2", + "tag" : "7ad928d2f7e905aaca9bd63d34e4b84c58ed37f439b9b85b33f1f47c8baa26da", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 5, + "comment" : "short message", + "key" : "de8b5b5b2f09645be47ecb6407a4e1d9c6b33ae3c2d22517d3357da0357a3139", + "msg" : "cc021d65", + "tag" : "8a5db60345aa7cc4afb39e645ede87b16e73d37df045623ec58e9e901f96e224", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 6, + "comment" : "short message", + "key" : "b7938910f518f13205ca1492c669001a14ff913c8ab4a0dc3564e7418e91297c", + "msg" : "a4a6ef6ebd", + "tag" : "dfd1ddfec9c5133d1a2be33c4a978d3bee78740895a5b1e15c54542842e4c8de", + "result" : "valid", + "flags" : [] + }, + { + "tcId" 
: 7, + "comment" : "short message", + "key" : "1bb997ff4de8a5a391de5c08a33bc2c7c2891e47ad5b9c63110192f78b98fe78", + "msg" : "667e015df7fc", + "tag" : "ca5e8f039efc1137cefd128c40e275e727811bc2f785f7222343c2866f80b44d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 8, + "comment" : "short message", + "key" : "32fdeda39f98b4f4426c2d2ac00ab5dd4bfabb68f311447256ed6d3d3a51b154", + "msg" : "4163a9f77e41f5", + "tag" : "06d38848b90d0a797567cb6fa68e3b2d970b2c52ea9114786eb54aa22d403e70", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 9, + "comment" : "short message", + "key" : "233e4fdee70bcc20235b6977ddfc05b0df66f5635d827c66e5a63cdb16a24938", + "msg" : "fdb2ee4b6d1a0ac2", + "tag" : "799b30418ec2619936b0260bb50264ef4c8233997418604d04f8e8d318d4ff3c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 10, + "comment" : "short message", + "key" : "b984c6734e0bd12b1737b2fc7a1b3803b4dfec402140a57b9eccc35414ae661b", + "msg" : "dea584d0e2a14ad5fd", + "tag" : "684383e2460fd270044532e95b5e83fec520ffa99dd2a898aa8c88a5d76da02d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 11, + "comment" : "short message", + "key" : "d0caf1456ac5e255fa6afd61a79dc8c716f5358a298a508271363fe1ff983561", + "msg" : "18261dc806913c534666", + "tag" : "665b8f703c719a6a4bfce97567050aba77aaeea66e70fd3ec37d52b9b80ec937", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 12, + "comment" : "short message", + "key" : "835bc8241ed817735ec9d3d0e2df4c173ee4dded4a8ef0c04a96c48f11820463", + "msg" : "26f8083e944bacf04e9a4d", + "tag" : "5208852f40c5fe6e97ba733a9fd0aa39e039e1b2d2501da361ae0e92fcbd6e7d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 13, + "comment" : "short message", + "key" : "055f95c9461b0809575eccdfa5cdd06275f25d30915c4eb8db40e1acd3ab7591", + "msg" : "bfb7d6a08dbaa5225f320887", + "tag" : "678908a602c9c215049a92221f22981039c2cfd1c699bc360f7da5e6d0967b5a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 14, + "comment" : "short message", + 
"key" : "e40f7a3eb88ddec4c6347ea4d67610756c82c8ebcc237629bf873ccabc32984a", + "msg" : "7fe43febc78474649e45bf99b2", + "tag" : "80bdbf6abc65ee4223fff5e91d61a4a3e3973286dfb4e62b51bff7d2e4a4e43c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 15, + "comment" : "short message", + "key" : "b020ad1de1c141f7ec615ee5701521773f9b232e4d06376c382894ce51a61f48", + "msg" : "81c7581a194b5e71b41146a582c1", + "tag" : "4a57e7b7d438b93c8b7951ef789b93a13b20d6463fdbd4fa0026354b9959a273", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 16, + "comment" : "short message", + "key" : "9f3fd61a105202648ecff6074c95e502c1c51acd32ec538a5cce89ef841f7989", + "msg" : "2a76f2acdace42e3b779724946912c", + "tag" : "f95b627660ece175304f36a701e647f26f0794b6d5e226f2e272ef9e9bf69744", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 17, + "comment" : "", + "key" : "6fa353868c82e5deeedac7f09471a61bf749ab5498239e947e012eee3c82d7c4", + "msg" : "aeed3e4d4cb9bbb60d482e98c126c0f5", + "tag" : "4c5198e69a42db2d77aae9975c96429970a4bc64dd906d8cb16883a216a3f304", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 18, + "comment" : "", + "key" : "5300489494ca86221c91d6d953952ae1a5e097139dc9cf1179c2f56433753824", + "msg" : "90fea6cf2bd811b449f333ee9233e57697", + "tag" : "a8ade6e91e97abb4cf6e92d4bcf1fb3b8f1be3b9da4add09b0e4544b978fbe14", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 19, + "comment" : "", + "key" : "383e7c5c13476a62268423ef0500479f9e86e236c5a081c6449189e6afdf2af5", + "msg" : "3202705af89f9555c540b0e1276911d01971abb2c35c78b2", + "tag" : "e9b4fe8196723db56d59221197f11a713f21a17fd217788726c4d98a4f5730a0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 20, + "comment" : "", + "key" : "186e248ad824e1eb93329a7fdcd565b6cb4eaf3f85b90b910777128d8c538d27", + "msg" : "92ef9ff52f46eccc7e38b9ee19fd2de3b37726c8e6ce9e1b96db5dda4c317902", + "tag" : "d565faa179be14d8c6679e00235fda9db5b4bc13c00b876be62cf61c30dd8392", + "result" : "valid", + "flags" : [] + }, + { + 
"tcId" : 21, + "comment" : "long message", + "key" : "28855c7efc8532d92567300933cc1ca2d0586f55dcc9f054fcca2f05254fbf7f", + "msg" : "9c09207ff0e6e582cb3747dca954c94d45c05e93f1e6f21179cf0e25b4cede74b5479d32f5166935c86f0441905865", + "tag" : "2876012e6bdfc89899b8d080f5e3ac584c4150e5e0bbbea3a98baa68d74c7893", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 22, + "comment" : "long message", + "key" : "8e540cb30c94836ae2a5950f355d482a7002e255207e94fda3f7ef1a099013a0", + "msg" : "d6500f95e11262e308bf3df4df4b855f33e857563d4543f195639a0a17b442eb9fdcc1367d2eee75c8f805730b89290f", + "tag" : "394ad185fc8d8b1351c4a3aa96e7f6ccd8e817d86f244a427791f865f5aa1d3c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 23, + "comment" : "long message", + "key" : "69c50d5274358188cff4c0fae742243d4e8a5e5ba55d94ff40edd90f6a43dd10", + "msg" : "1ac5255aff052828d8ea21b376f1ebdd4bb879949913900405aebce83e48feb6813b5e9c89f94501a8ade41b26b815c521", + "tag" : "928d84f9ce34b5b5e6c1d7486a369f2d94186629aad94d644c16728863eb619a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 24, + "comment" : "long message", + "key" : "23209b7c5aadcbd13f7279af1a86d3c7ae8f179d1bcaaad0dff9a15302e78dbf", + "msg" : "84bdac37e1af35d9356404e2787d47ece58348dea76a4a46e8aade3463d4db8c94a051be3733b38d756984865d56c60e8025f15e3f968f093e7fb7ebc7e31189c5692d15ed4256737b9b1894e5809503aaa1c9983fb096aa21916361eeb6ef455b129723a1a1ddf9deddea208529a648", + "tag" : "0e408a884cedac6f019dfc13364dcaf490f3f542b3d4795e10bf9c55641e3b2e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 25, + "comment" : "long message", + "key" : "7c9cc667cae175f448faa96647319633b2d48531373ae7d316c44ddd8b9f69cf", + "msg" : "9233c1d73b498c5106ff88951e07b9652cb0ddae740737ec205c9876d094978bfc947f7dc937119fd6a93915b19b625958a7a22363aa2ac33fb869ed16b303336ab740a0498a2df66a6599da710094481a7b544bd955b6f97135ba4673401db2db144a6e287041e47a51ed9b6ba956c13508c1c0c25310105239ab73629e30", + "tag" : 
"8577a591c1cf204334bc3f45008dc373d2c366c8959a144db9681b364a591d54", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 26, + "comment" : "long message", + "key" : "82314540564ea3ce30591e97f68b2602de40fa29f773c2508327471b8348e8c4", + "msg" : "6a6d2f45cebf2757ae16ea33c68617671d77f8fdf80bed8fc5cdc5c8b7086bd28e7eb3eecc7163491104e5309455e67f836579b82a1da3bf5991a8e2b2f189a49e05700e46c409ed5de77780a5f389e3f13dad406c9d55675329c5c921f07034180937c0f6ef34a2308b6ff3e1a0e9dc1ea65f5632730e8744d1db2c40a6595b", + "tag" : "773a539701e55662fe11f01690b70dac29366e55ac57c251993439972ead7ce4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 27, + "comment" : "long message", + "key" : "d115acc9a636915241795f48852052e07b51273ae2448251ec1d0d0f9807f3db", + "msg" : "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", + "tag" : "2f2a862bd0d9f305135629396b05988054e0f5103883892271a20b7902e0cb86", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 28, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "51ab1606034383fe4b3b4bc0a341a82e40ac85e455cdfeed4cac902a7b8ccfc1", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 29, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0a7aeb9eab9b57a80d7bd0ea2726394a56144e2a0fc0b979d090c1846c14b3ed", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 30, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "52ab1606034383fe4b3b4bc0a341a82e40ac85e455cdfeed4cac902a7b8ccfc1", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 31, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : 
"097aeb9eab9b57a80d7bd0ea2726394a56144e2a0fc0b979d090c1846c14b3ed", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 32, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d0ab1606034383fe4b3b4bc0a341a82e40ac85e455cdfeed4cac902a7b8ccfc1", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 33, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "8b7aeb9eab9b57a80d7bd0ea2726394a56144e2a0fc0b979d090c1846c14b3ed", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 34, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50aa1606034383fe4b3b4bc0a341a82e40ac85e455cdfeed4cac902a7b8ccfc1", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 35, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7beb9eab9b57a80d7bd0ea2726394a56144e2a0fc0b979d090c1846c14b3ed", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 36, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab1686034383fe4b3b4bc0a341a82e40ac85e455cdfeed4cac902a7b8ccfc1", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 37, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb1eab9b57a80d7bd0ea2726394a56144e2a0fc0b979d090c1846c14b3ed", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 38, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : 
"50ab1606024383fe4b3b4bc0a341a82e40ac85e455cdfeed4cac902a7b8ccfc1", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 39, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eaa9b57a80d7bd0ea2726394a56144e2a0fc0b979d090c1846c14b3ed", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 40, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab1606014383fe4b3b4bc0a341a82e40ac85e455cdfeed4cac902a7b8ccfc1", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 41, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9ea99b57a80d7bd0ea2726394a56144e2a0fc0b979d090c1846c14b3ed", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 42, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab16060343837e4b3b4bc0a341a82e40ac85e455cdfeed4cac902a7b8ccfc1", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 43, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eab9b57280d7bd0ea2726394a56144e2a0fc0b979d090c1846c14b3ed", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 44, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab1606034383fe4a3b4bc0a341a82e40ac85e455cdfeed4cac902a7b8ccfc1", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 45, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : 
"000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eab9b57a80c7bd0ea2726394a56144e2a0fc0b979d090c1846c14b3ed", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 46, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab1606034383fecb3b4bc0a341a82e40ac85e455cdfeed4cac902a7b8ccfc1", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 47, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eab9b57a88d7bd0ea2726394a56144e2a0fc0b979d090c1846c14b3ed", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 48, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab1606034383fe4b1b4bc0a341a82e40ac85e455cdfeed4cac902a7b8ccfc1", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 49, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eab9b57a80d5bd0ea2726394a56144e2a0fc0b979d090c1846c14b3ed", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 50, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab1606034383fe4b3b4ac0a341a82e40ac85e455cdfeed4cac902a7b8ccfc1", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 51, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eab9b57a80d7bd1ea2726394a56144e2a0fc0b979d090c1846c14b3ed", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 52, + "comment" : "Flipped bit 96 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab1606034383fe4b3b4bc0a241a82e40ac85e455cdfeed4cac902a7b8ccfc1", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 53, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eab9b57a80d7bd0ea2626394a56144e2a0fc0b979d090c1846c14b3ed", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 54, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab1606034383fe4b3b4bc0a141a82e40ac85e455cdfeed4cac902a7b8ccfc1", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 55, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eab9b57a80d7bd0ea2526394a56144e2a0fc0b979d090c1846c14b3ed", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 56, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab1606034383fe4b3b4bc02341a82e40ac85e455cdfeed4cac902a7b8ccfc1", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 57, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eab9b57a80d7bd0eaa726394a56144e2a0fc0b979d090c1846c14b3ed", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 58, + "comment" : "Flipped bit 248 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab1606034383fe4b3b4bc0a341a82e40ac85e455cdfeed4cac902a7b8ccfc0", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 59, + "comment" : "Flipped bit 248 in tag", + 
"key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eab9b57a80d7bd0ea2726394a56144e2a0fc0b979d090c1846c14b3ec", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 60, + "comment" : "Flipped bit 249 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab1606034383fe4b3b4bc0a341a82e40ac85e455cdfeed4cac902a7b8ccfc3", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 61, + "comment" : "Flipped bit 249 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eab9b57a80d7bd0ea2726394a56144e2a0fc0b979d090c1846c14b3ef", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 62, + "comment" : "Flipped bit 254 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab1606034383fe4b3b4bc0a341a82e40ac85e455cdfeed4cac902a7b8ccf81", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 63, + "comment" : "Flipped bit 254 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eab9b57a80d7bd0ea2726394a56144e2a0fc0b979d090c1846c14b3ad", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 64, + "comment" : "Flipped bit 255 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab1606034383fe4b3b4bc0a341a82e40ac85e455cdfeed4cac902a7b8ccf41", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 65, + "comment" : "Flipped bit 255 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eab9b57a80d7bd0ea2726394a56144e2a0fc0b979d090c1846c14b36d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 66, + 
"comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "51ab1606034383fe4a3b4bc0a341a82e40ac85e455cdfeed4cac902a7b8ccfc1", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 67, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0a7aeb9eab9b57a80c7bd0ea2726394a56144e2a0fc0b979d090c1846c14b3ed", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 68, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab16860343837e4b3b4bc0a341a82e40ac85e455cdfeed4cac902a7b8ccfc1", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 69, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb1eab9b57280d7bd0ea2726394a56144e2a0fc0b979d090c1846c14b3ed", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 70, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab16060343837e4b3b4bc0a341a8ae40ac85e455cdfeed4cac902a7b8ccfc1", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 71, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eab9b57280d7bd0ea272639ca56144e2a0fc0b979d090c1846c14b3ed", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 72, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "af54e9f9fcbc7c01b4c4b43f5cbe57d1bf537a1baa320112b3536fd58473303e", + "result" : 
"invalid", + "flags" : [] + }, + { + "tcId" : 73, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "f48514615464a857f2842f15d8d9c6b5a9ebb1d5f03f46862f6f3e7b93eb4c12", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 74, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 75, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 76, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 77, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 78, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d02b968683c3037ecbbbcb4023c128aec02c0564d54d7e6dcc2c10aafb0c4f41", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 79, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : 
"8bfa6b1e2b1bd7288dfb506aa7a6b9cad694ceaa8f4039f950104104ec94336d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 80, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "51aa1707024282ff4a3a4ac1a240a92f41ad84e554ccffec4dad912b7a8dcec0", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 81, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0a7bea9faa9a56a90c7ad1eb2627384b57154f2b0ec1b878d191c0856d15b2ec", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "keySize" : 256, + "tagSize" : 128, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 82, + "comment" : "empty message", + "key" : "7bf9e536b66a215c22233fe2daaa743a898b9acb9f7802de70b40e3d6e43ef97", + "msg" : "", + "tag" : "d087790afab25477456d379cab1639d1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 83, + "comment" : "short message", + "key" : "e754076ceab3fdaf4f9bcab7d4f0df0cbbafbc87731b8f9b7cd2166472e8eebc", + "msg" : "40", + "tag" : "9bd4531b76933c9267d5dd0ee9bc81b9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 84, + "comment" : "short message", + "key" : "ea3b016bdd387dd64d837c71683808f335dbdc53598a4ea8c5f952473fafaf5f", + "msg" : "6601", + "tag" : "79965f484fff8350ddf0fcb0cc513f13", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 85, + "comment" : "short message", + "key" : "73d4709637857dafab6ad8b2b0a51b06524717fedf100296644f7cfdaae1805b", + "msg" : "f1d300", + "tag" : "37747ec77e7844a81c3355f9c2f72875", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 86, + "comment" : "short message", + "key" : "d5c81b399d4c0d1583a13da56de6d2dc45a66e7b47c24ab1192e246dc961dd77", + "msg" : "2ae63cbf", + "tag" : "ad6d1627d7a1f67b855381da44fd4ec3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 87, + "comment" : "short message", + "key" : 
"2521203fa0dddf59d837b2830f87b1aa61f958155df3ca4d1df2457cb4284dc8", + "msg" : "af3a015ea1", + "tag" : "0fca2284a5d3346cbf9b98a65822a8a7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 88, + "comment" : "short message", + "key" : "665a02bc265a66d01775091da56726b6668bfd903cb7af66fb1b78a8a062e43c", + "msg" : "3f56935def3f", + "tag" : "8cd87f6ae1614e4a731d52ad0d877442", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 89, + "comment" : "short message", + "key" : "facd75b22221380047305bc981f570e2a1af38928ea7e2059e3af5fc6b82b493", + "msg" : "57bb86beed156f", + "tag" : "73941b79cb7c9f0c7b711bb94441b432", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 90, + "comment" : "short message", + "key" : "505aa98819809ef63b9a368a1e8bc2e922da45b03ce02d9a7966b15006dba2d5", + "msg" : "2e4e7ef728fe11af", + "tag" : "5cf2b04fe3af8d2694ba4e614367c08a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 91, + "comment" : "short message", + "key" : "f942093842808ba47f64e427f7351dde6b9546e66de4e7d60aa6f328182712cf", + "msg" : "852a21d92848e627c7", + "tag" : "3e06ab8ab01fffb65865a7e8a123b374", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 92, + "comment" : "short message", + "key" : "64be162b39c6e5f1fed9c32d9f674d9a8cde6eaa2443214d86bd4a1fb53b81b4", + "msg" : "195a3b292f93baff0a2c", + "tag" : "80cb2ab4e57ec551fd73a3fcbc622538", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 93, + "comment" : "short message", + "key" : "b259a555d44b8a20c5489e2f38392ddaa6be9e35b9833b67e1b5fdf6cb3e4c6c", + "msg" : "afd73117330c6e8528a6e4", + "tag" : "71ceb6dd3ccf0c96b15ae42b432c1d83", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 94, + "comment" : "short message", + "key" : "2c6fc62daa77ba8c6881b3dd6989898fef646663cc7b0a3db8228a707b85f2dc", + "msg" : "0ff54d6b6759120c2e8a51e3", + "tag" : "ef5e5e4a958e7820b13fce3d181f2a76", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 95, + "comment" : "short message", + "key" : 
"abab815d51df29f740e4e2079fb798e0152836e6ab57d1536ae8929e52c06eb8", + "msg" : "f0058d412a104e53d820b95a7f", + "tag" : "d56cbaf3aee9310f66083f242a37affe", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 96, + "comment" : "short message", + "key" : "3d5da1af83f7287458bff7a7651ea5d8db72259401333f6b82096996dd7eaf19", + "msg" : "aacc36972f183057919ff57b49e1", + "tag" : "6520b49b8a11abdbe5ac46f4ec00ffbc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 97, + "comment" : "short message", + "key" : "c19bdf314c6cf64381425467f42aefa17c1cc9358be16ce31b1d214859ce86aa", + "msg" : "5d066a92c300e9b6ddd63a7c13ae33", + "tag" : "3f14e6b55d2691a6048b70bab7ceada6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 98, + "comment" : "", + "key" : "612e837843ceae7f61d49625faa7e7494f9253e20cb3adcea686512b043936cd", + "msg" : "cc37fae15f745a2f40e2c8b192f2b38d", + "tag" : "22f48f8668f5c2505315f0b525cf4f95", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 99, + "comment" : "", + "key" : "73216fafd0022d0d6ee27198b2272578fa8f04dd9f44467fbb6437aa45641bf7", + "msg" : "d5247b8f6c3edcbfb1d591d13ece23d2f5", + "tag" : "31a2a03723c51e04611ab09d47bf2598", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 100, + "comment" : "", + "key" : "0427a70e257528f3ab70640bba1a5de12cf3885dd4c8e284fbbb55feb35294a5", + "msg" : "13937f8544f44270d01175a011f7670e93fa6ba7ef02336e", + "tag" : "ed651a977854fb5cc577ab7db7b567af", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 101, + "comment" : "", + "key" : "96e1e4896fb2cd05f133a6a100bc5609a7ac3ca6d81721e922dadd69ad07a892", + "msg" : "91a17e4dfcc3166a1add26ff0e7c12056e8a654f28a6de24f4ba739ceb5b5b18", + "tag" : "a3cdf96778e1f9a42a89f91426873ff1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 102, + "comment" : "long message", + "key" : "41201567be4e6ea06de2295fd0e6e8a7d862bb57311894f525d8adeabba4a3e4", + "msg" : "58c8c73bdd3f350c97477816eae4d0789c9369c0e99c248902c700bc29ed986425985eb3fa55709b73bf620cd9b1cb", + 
"tag" : "15cf5da2312cfd8f9debdd8b3ab07d6b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 103, + "comment" : "long message", + "key" : "649e373e681ef52e3c10ac265484750932a9918f28fb824f7cb50adab39781fe", + "msg" : "39b447bd3a01983c1cb761b456d69000948ceb870562a536126a0d18a8e7e49b16de8fe672f13d0808d8b7d957899917", + "tag" : "5ddcacb9ad0b02dac96012b4a4d1729d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 104, + "comment" : "long message", + "key" : "7b0d237f7b536e2c6950990e61b361b384333dda690045c591321a4e3f79747f", + "msg" : "3d6283d11c0219b525620e9bf5b9fd887d3f0f707acb1fbdffab0d97a5c6d07fc547762e0e7dd7c43ad35fab1c790f8047", + "tag" : "781c196c0d71d88e8db7685571ad13e4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 105, + "comment" : "long message", + "key" : "17c92663741f012e5bb6714e614c2d155948617f10936269d954c58aba2ae62d", + "msg" : "7fdd6a15c861d0313f6635d77dc55e115ff18c8ab063b5d03eab472eeca87a378188f25813515cf90b6cffa94a8ff36b29d65603eab3fbd2aa9500b261e184049893dc6ca2010becac163053f211070bdda621b8bd8af77e450268603b52db34c90be836dfebddef42303f724e63bf0f", + "tag" : "3c31e9fa2ea634f2bfbd0d7f6dbf29c2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 106, + "comment" : "long message", + "key" : "424c6b22606fcc094ae82fc5d3cbe484174c2211b3ec778091cac34a8e38a152", + "msg" : "d96ff062e2490e8e0c54c5a8b89e85b25a66d93d7c2b93bdfef846b70d38672746a4b988d08f15a5c527ca4f2c80e53f7c6ac0521bc57ebe38209180cbf934e0bbeb58cfb63d75da64af41d09ce174af1896f42522910fced35ea000402e95fd3ac7aa6d5e0a6b533b0879bc466019b3a5e6b16e4bd1ea6cdfc9ccc1d6f0f0", + "tag" : "0f937aa5b5aa5efa6f8c1940c9b57b19", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 107, + "comment" : "long message", + "key" : "15d553c8da433d53cdc7f15087a70349caab57b379a4078928ce9b99302e31a6", + "msg" : 
"d6c0c53b73f74fb426adfdc143d70db7f7a8f8ed32a2faef263cf9ab117537b6b9d1728bd1000c1f28906c6ce6ad21862bfa4d689c1a8ebe3868b992098b7f981b2af5189a6adedff53a6c70c83693f5c8d6385a9a8a4dca017c5716ac4d5b9765c5ca2ab5f9867e02795198c0b9527e07d08af52dbcb91ceb3d8b412a2b2402", + "tag" : "b2948a1b6fa0558d443c0b8cee87c4c8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 108, + "comment" : "long message", + "key" : "ffe559468a1031dfb3ced2e381e74b5821a36d9abf5f2e59895a7fdca0fa56a0", + "msg" : "238899a84a3cf15202a1fbef4741e133fb24c009a0cd83854c6d1d7c9266d4c3eafe6d1dfc18f13845ccdad7fe277627b5fd5ff2555ce6dfde1ee078540a0a3590c6d9bf2fb63ba9afbe9380e797be7cd017645c5a3613eef38ef89e3b7461e6e700ff2b4deef5636c9d2198b143f797ca1820a3dcc5d462ebf4a8c4c09eb202a23592eb9524082c79adda8fcd56d256041a26bf8f523962ba911ce5a5786570d65be3c4df722ed8830302065febdf944715298a1fbb7d10b68d7da2bf889324314ce51e815c7fbf03aa0a8358aff3a86eb7a33f9a4923660db3047e793bebb0c6918f4395d400381723fdae2832c36efc8e368a68f30f6351c3bc942cd560", + "tag" : "9c899283ace03520d5109e43c30d4698", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 109, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "51ab1606034383fe4b3b4bc0a341a82e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 110, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0a7aeb9eab9b57a80d7bd0ea2726394a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 111, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "52ab1606034383fe4b3b4bc0a341a82e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 112, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : 
"000102030405060708090a0b0c0d0e0f", + "tag" : "097aeb9eab9b57a80d7bd0ea2726394a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 113, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d0ab1606034383fe4b3b4bc0a341a82e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 114, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "8b7aeb9eab9b57a80d7bd0ea2726394a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 115, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50aa1606034383fe4b3b4bc0a341a82e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 116, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7beb9eab9b57a80d7bd0ea2726394a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 117, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab1686034383fe4b3b4bc0a341a82e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 118, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb1eab9b57a80d7bd0ea2726394a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 119, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab1606024383fe4b3b4bc0a341a82e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 120, + "comment" : "Flipped bit 32 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eaa9b57a80d7bd0ea2726394a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 121, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab1606014383fe4b3b4bc0a341a82e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 122, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9ea99b57a80d7bd0ea2726394a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 123, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab16060343837e4b3b4bc0a341a82e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 124, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eab9b57280d7bd0ea2726394a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 125, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab1606034383fe4a3b4bc0a341a82e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 126, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eab9b57a80c7bd0ea2726394a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 127, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab1606034383fecb3b4bc0a341a82e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" 
: 128, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eab9b57a88d7bd0ea2726394a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 129, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab1606034383fe4b1b4bc0a341a82e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 130, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eab9b57a80d5bd0ea2726394a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 131, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab1606034383fe4b3b4ac0a341a82e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 132, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eab9b57a80d7bd1ea2726394a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 133, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab1606034383fe4b3b4bc0a241a82e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 134, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eab9b57a80d7bd0ea2626394a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 135, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab1606034383fe4b3b4bc0a141a82e", 
+ "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 136, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eab9b57a80d7bd0ea2526394a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 137, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab1606034383fe4b3b4bc02341a82e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 138, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eab9b57a80d7bd0eaa726394a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 139, + "comment" : "Flipped bit 120 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab1606034383fe4b3b4bc0a341a82f", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 140, + "comment" : "Flipped bit 120 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eab9b57a80d7bd0ea2726394b", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 141, + "comment" : "Flipped bit 121 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab1606034383fe4b3b4bc0a341a82c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 142, + "comment" : "Flipped bit 121 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eab9b57a80d7bd0ea27263948", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 143, + "comment" : "Flipped bit 126 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab1606034383fe4b3b4bc0a341a86e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 144, + "comment" : "Flipped bit 126 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eab9b57a80d7bd0ea2726390a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 145, + "comment" : "Flipped bit 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab1606034383fe4b3b4bc0a341a8ae", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 146, + "comment" : "Flipped bit 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eab9b57a80d7bd0ea272639ca", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 147, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "51ab1606034383fe4a3b4bc0a341a82e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 148, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0a7aeb9eab9b57a80c7bd0ea2726394a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 149, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab16860343837e4b3b4bc0a341a82e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 150, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb1eab9b57280d7bd0ea2726394a", + "result" : "invalid", 
+ "flags" : [] + }, + { + "tcId" : 151, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "50ab16060343837e4b3b4bc0a341a8ae", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 152, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0b7aeb9eab9b57280d7bd0ea272639ca", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 153, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "af54e9f9fcbc7c01b4c4b43f5cbe57d1", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 154, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "f48514615464a857f2842f15d8d9c6b5", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 155, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "00000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 156, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "00000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 157, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "ffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 158, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : 
"000102030405060708090a0b0c0d0e0f", + "tag" : "ffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 159, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "d02b968683c3037ecbbbcb4023c128ae", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 160, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "8bfa6b1e2b1bd7288dfb506aa7a6b9ca", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 161, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "", + "tag" : "51aa1707024282ff4a3a4ac1a240a92f", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 162, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0a7bea9faa9a56a90c7ad1eb2627384b", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "keySize" : 128, + "tagSize" : 256, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 163, + "comment" : "short key", + "key" : "a349ac0a9f9f74e48e099cc3dbf9a9c9", + "msg" : "", + "tag" : "ee8234ca22b6cbd87cc2ba492ecea39aebc634032998965689d393e2d4f88653", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 164, + "comment" : "short key", + "key" : "ac686ba0f1a51b4ec4f0b30492b7f556", + "msg" : "2fa43a14ae500507deb95ab5bd32b0fe", + "tag" : "39eaea730a72f19b316dae7ae77904000c8e64ac5bb8a1e75eeaea2e3dc3afce", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 165, + "comment" : "short key", + "key" : "73ef9ef1a4225e51e3c1db3ace1fa24f", + "msg" : "ffad380d9aabb0acede5c1bf112925cdfc3d379fc2376a4fe2644490d0430ac3", + "tag" : "4c85f67258256226dcdde626b100daef34dedb8c38b34bf9f3b9db5afe87ae9b", + "result" : "valid", + "flags" 
: [] + } + ] + }, + { + "keySize" : 128, + "tagSize" : 128, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 166, + "comment" : "short key", + "key" : "e34f15c7bd819930fe9d66e0c166e61c", + "msg" : "", + "tag" : "872026cd30ed8482af7508c0c52c8cb6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 167, + "comment" : "short key", + "key" : "e09eaa5a3f5e56d279d5e7a03373f6ea", + "msg" : "ef4eab37181f98423e53e947e7050fd0", + "tag" : "6700cfd7fdb1c667ead477fb942ff03b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 168, + "comment" : "short key", + "key" : "9bd3902ed0996c869b572272e76f3889", + "msg" : "a7ba19d49ee1ea02f098aa8e30c740d893a4456ccc294040484ed8a00a55f93e", + "tag" : "54632b0ffcbb3763b70c6dd6dc38ed3a", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "keySize" : 520, + "tagSize" : 256, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 169, + "comment" : "long key", + "key" : "8a0c46eb8a2959e39865330079763341e7439dab149694ee57e0d61ec73d947e1d5301cd974e18a5e0d1cf0d2c37e8aadd9fd589d57ef32e47024a99bc3f70c077", + "msg" : "", + "tag" : "7a1ea05873f754f9993062243474d3874f4fffa823ce16a804b22cb101a5b100", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 170, + "comment" : "long key", + "key" : "2877ebb81f80334fd00516337446c5cf5ad4a3a2e197269e5b0ad1889dfe2b4b0aaa676fac55b36ce3affc7f1092ab89c53273a837bd5bc94d1a9d9e5b02e9856f", + "msg" : "ba448db88f154f775028fdecf9e6752d", + "tag" : "17831971b854b2210579098b019ae62f3bf56affbd0ecd3bac77a02bd78b4f49", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 171, + "comment" : "long key", + "key" : "21178e26bc28ffc27c06f762ba190a627075856d7ca6feab79ac63149b17126e34fd9e5590e0e90aac801df09505d8af2dd0a2703b352c573ac9d2cb063927f2af", + "msg" : "7d5f1d6b993452b1b53a4375760d10a20d46a0ab9ec3943fc4b07a2ce735e731", + "tag" : "a14f8864e3c71a3da1fd268701547cee12c0b1ddc4f7480f253b7cafc3d04e6a", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "keySize" : 520, + "tagSize" : 128, + "type" : 
"MacTest", + "tests" : [ + { + "tcId" : 172, + "comment" : "long key", + "key" : "813e0c078c221375e80590ace6774eafd2d2c242350988d02efa550e05aecbe100c1b8bf154c932cf9e57177015c816c42bc7fbc71ceaa5328c7316b7f0f30330f", + "msg" : "", + "tag" : "681f84442bd90223bd5577a7bce8b93e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 173, + "comment" : "long key", + "key" : "5713343096b0aaf0562a6b92c1a15535924160475a4e4233589159728c562e3b2ad96f740c6a4da2bc3f768ce98c9bd66bac28d1646ff592028c940d455f35eeb4", + "msg" : "71712de2fac1fb855673bff72af64257", + "tag" : "2e6969e57f7b33e96a31ea194f3e188c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 174, + "comment" : "long key", + "key" : "7208afbecf5f1f34828f98b719414e280716de64f5edd1ae1c774153cd2022337bb20fade1b7856f1dbfd40e2b4307f1293ceff1692ee90d8c90b5fdf953ab01a5", + "msg" : "43b53302b604d613e62db002044a4782d572ac8fbd3cd0ece91b43bc52e18e98", + "tag" : "c6712f2c1b0df39eca97ac472b257ecd", + "result" : "valid", + "flags" : [] + } + ] + } + ] +} diff --git a/rust/tests/wycheproof/hmac_sha3_384_test.json b/rust/tests/wycheproof/hmac_sha3_384_test.json new file mode 100644 index 00000000..f0e07cb6 --- /dev/null +++ b/rust/tests/wycheproof/hmac_sha3_384_test.json 
@@ -0,0 +1,1622 @@ +{ + "algorithm" : "HMACSHA3-384", + "generatorVersion" : "0.8rc21", + "numberOfTests" : 174, + "header" : [ + "Test vectors of type MacTest are intended for testing the", + "generation and verification of MACs." + ], + "notes" : { + }, + "schema" : "mac_test_schema.json", + "testGroups" : [ + { + "keySize" : 384, + "tagSize" : 384, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 1, + "comment" : "empty message", + "key" : "ee8df067857df2300fa71a10c30997178bb3796127b5ece5f2ccc170932be0e78ea9b0a5936c09157e671ce7ec9fc510", + "msg" : "", + "tag" : "7c87e3bf2a63428c2005a82c1ef0e0152537ce7a6f49344f3a85274724e075f9c833b6b2e6dd257e60222e7126312426", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 2, + "comment" : "short message", + "key" : "976696c0dc97182ca771975c3928ff9168ef89cd740cd2292858fd916068a702bc1df7c6cd8ee1f0d25e61d4c514cc5d", + "msg" : "2b", + "tag" : "b9c77f78d4e7928219105b1fa64d24a98a81816ca0c714d5424d0882ce7bb7be04b5bb4ac2a0092b4f5ce06f04c8654a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 3, + "comment" : "short message", + "key" : "c55ea4c64a0a63e2d14ad42559ba7c816b8824d263c2cc6a015761b53f681e514369f0dfba5cde165320ee10a96eb1fc", + "msg" : "5abd", + "tag" : "d26883d233ad5a26257f5ebb088ede5a9155894fd331a79f89d331fe07d2baabd2f3735b959ad48ad290d38664d0f8eb", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 4, + "comment" : "short message", + "key" : "2928d465d92fa40072ca9d67761be66e491755e43499003c1057d3bec870f255126c3658d0d8a0c7d207df8710037ca7", + "msg" : "c405ae", + "tag" : "1c990f90e90e65bfee62549857bb10455200f425a21ba3f4b12636647c391d56b47e63e0c111b078eda90324799deb3a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 5, + "comment" : "short message", + "key" : "686a3730085cc944fceb141628419818e662fe21e52bea2748f3b704f80ce801086db1e3068917b242e62b4d6e6ed685", + "msg" : "6601c683", + "tag" : "9911d4e5f30167ec382b7f7b394310a7ea5ecd0394eddea94382f05a8af9533b0b72024711180add607d290e5f4602dc", + 
"result" : "valid", + "flags" : [] + }, + { + "tcId" : 6, + "comment" : "short message", + "key" : "f22d867b972b232e3f444a488dd794d170807c70eb650f952b6177596f76c558a5d860d6f7be0be9e666f9bd53732f8d", + "msg" : "15b29377e0", + "tag" : "aec46fb03a28d4fa55a5492930d1cb3731c5e80bb0c91f7c1e948680aa666a10f0bcf538927961ef30fa24673e9ffaf8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 7, + "comment" : "short message", + "key" : "3ac9abd53dbd0fbb891f9b5e16dd45df994e5283527832707138fc2712bad9e34761e7d9c6d05d46f2c8323ddb0efe99", + "msg" : "5a34155b1115", + "tag" : "ff5391301e105d0f18b8256aa8e5c03f4c57f341e0f61149cb62c0d2366826b8618b4ba2894de235b723755c1cbc7a45", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 8, + "comment" : "short message", + "key" : "ae3aa94fdd35e2bef40472d29bdad3a409840ea441c3d7025cd72f3e81ff56da602161d84b23d1634061385be30c5bbd", + "msg" : "8a140d781e7191", + "tag" : "b99181b96e6dadcdbf203c392a3bfad10130555837ee647a320ca2b723747a5f40bc4803eadd9091418041e98ff10658", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 9, + "comment" : "short message", + "key" : "44b79852cabcf3fe93d2fff55d2afe6a46c35b7ad1954ce0888de7b459b982722faf8b490e6b00e7bcabbd36f18443f5", + "msg" : "9398cd251deafe8b", + "tag" : "8968d5e0f3d170c0d1977c7df67a3ec0bb637b19ee73150f84d35c8da9dd02fdbf563c5737834edf790765ba2b478ef0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 10, + "comment" : "short message", + "key" : "03fed2f579a3ebdececfb184ebe2984876113399c4a593d98b5f5e606dd330fb394c285d9ead601748259b493335f8e5", + "msg" : "18d879b1f63df3ac7a", + "tag" : "c739ac7a0187774cb6ccf81069f75ecdb5e09331281641809e00334dbbc54552c01db07eafadfcc23cdb6ca324e2c5db", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 11, + "comment" : "short message", + "key" : "f4ef48bf4056d39dbba4154018c63bdf29420b9991ea594ff05e3cc1cb02e176d54ba038a6b78692519d6788e495bbab", + "msg" : "0a5de13cd9ba31c94486", + "tag" : 
"cf21c5c7b56ae0ff5f95ebc2c7c6b9f95420b249121f9a97d901fb6c64969ec9be82fe2e336c66fdda3ce306fd422a6e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 12, + "comment" : "short message", + "key" : "fc771f7ccd499a1ed633d86876d707b5f1d53c6bcdf21aa2907766ab3ca7fa6cdd6a9b981b1a84a528e81444303f1057", + "msg" : "03ba11f3f3173b85226b25", + "tag" : "73942556ed0f294c5674444800c93eba42006083bccbd7bbd486a5ffd59a2be0d86743cdcdbf6f763ff763dca193cb0c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 13, + "comment" : "short message", + "key" : "b3999de680b11550e18631c8199f7eb8a74e21bdc9d97f781245c2af19f85497d9f38b250a564e48650fd00be365f155", + "msg" : "9c658cb5e601d85dc3857863", + "tag" : "c94c0800814522d1fc042d05c4bf1ef0bd73c61bc847bfdcf3fa48867513815ece4593af5dd03b256e132f5f79894565", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 14, + "comment" : "short message", + "key" : "88005a62864ea699e1509616ec48033e84d2e2a13b8bc2e8a76f2eccbdb207a95ac8e2f5b5a703b22a0b571e8acc599a", + "msg" : "5a94f84541a794bf23d72db16d", + "tag" : "10a3839df086546ebfe7d5dba28d15ea4c27c3f4f1ee402d1e0f63443906c5e34a963b5690093484802c228dd26c1bd6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 15, + "comment" : "short message", + "key" : "b1cbda2c9a12f92315a5101aef311e99d6db002b0e04fb53c50106aa4d28e9a346697ba97084572eea56ccfc4ad7e572", + "msg" : "ce12c0c78e3f6b276ac56ed7435e", + "tag" : "a0543a371f019bc19f2fbede34ce4efde43984a0c56f453f923e152abf914c4412f46b64bf626f22c309db403fcb7753", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 16, + "comment" : "short message", + "key" : "08517e8014e00db5c37f2a20f987ea2ec52e7938de018ad6be256ba2236804144ad2a1bcc242738862b40647007e0a2c", + "msg" : "21e2a0a167789a6b722d1737d92f8b", + "tag" : "bb74337940cc107f0cbbf1194bf6e784d9acd1d492f112e7f6d656eeca881e09c59fd6dae88a9daeca6d13c8eb9782d1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 17, + "comment" : "", + "key" : 
"503d7478a773b694d6e552c9703cc8bc56fd49fafc9a17cab8b0332dca8d49336fa7e9ec2bcb56253fe5bb504e3e7f7f", + "msg" : "d96e6fed893addfd9237c81c4f4e341b", + "tag" : "8651de548c5110fe0112d26c7e0a2f244f84aeff6baf5267cfd3afdb544bb0a5c1b29e9b78a2e9499e2c4f62c0f16e4a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 18, + "comment" : "", + "key" : "41341bab902e767d4d1964c0acfecf46eff1b02b6455bcb2097de9c154be1f667f21be076de18cd2c15c005896fca87f", + "msg" : "4c43ac7de3631cc86f4da72fe6b6a552f1", + "tag" : "3bc4757211532a6c6ae964087ec9985f89d02b3925d91064cd09e6f39e5bea6ae451a1f4a723abf2c994d63fb5b80772", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 19, + "comment" : "", + "key" : "c2f83be1acce7b89a5f9e9ea7e4c4f8b0f4319986fbe479fa3b4a3c298168362393b56ea03b5cef77f48e5a72abe6d08", + "msg" : "8dd0cd786cd800ffebec098728923d69249d3223c4c595cb", + "tag" : "552f35f9431cb7f76fce30c75d1a6d22403859e257f646fe52b2dc9c7cfc7f50670fbf7bbb62f95515f6aae0b1d45792", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 20, + "comment" : "", + "key" : "6bd2aee9dd98d6b6609fce82181b10c20bba861da68a1590586fab08c5e9e90ff584047db4760828643fea38087160e4", + "msg" : "33236a9de603c1e4f5e11164224740627d10f6008eb73ec2642321bf0b82d579", + "tag" : "d45174df3241ddb1a0890178fa4aa54523699b23be61a9616633631a4ef5e39bd2d88f42bd5016aa8bc1148056d8527c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 21, + "comment" : "long message", + "key" : "2f98ba2ceaadc5ba08880a35cb0080dc870a5734a782ebe31c4bab100ff8786dcc3be6de18482ea5d1b3bf14aeabb470", + "msg" : "2d74a66dacf12edb85ef3073feafd122889cb634add00ff0395d224b4ff8b5d5d67ca6419b6826abffdb41bab427d5", + "tag" : "00dd35f10e7fc7f1646d250abdf437893f52389df761fdf27840aa1374db786a22365be5a33e09adaaffee19515173d5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 22, + "comment" : "long message", + "key" : "5e5f60e40d84c7ca2608af3bcc6e04abc5f8b7ca730a78af7f6f032e5a1501695bd91f3bebb28590af1db90d8390ca58", + "msg" : 
"2efe6a14ea8d679e62dbcedf35e61852278c83c54adbe1f1c72cb1a746b11cff8cb4fc3a2c3acd44255d51c020ca6d47", + "tag" : "f03c7331e8c708a257e7550718d964c0f7e1ac7bf52e9db6ab6f0556b3a575fda6f1678608f6e63ca3f2eb8d371b07de", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 23, + "comment" : "long message", + "key" : "bc310bc3913d9fe59e2012a058c9e150534d25611e36206cf07ccaefe153f38eb0eaad9941b6883dfbce01bcb5196041", + "msg" : "9f0747d7396bfbe01cf3e85361e50085e0a91a7490b994031d81851b725065993f45dad0d60d794aedec7ba5d9d6dbbee4", + "tag" : "aafe3d553f033f4de73aac4c6766583d5b2afa65d03758615066308bc5ae26ed93f28dfe6ded54104eadfcd43c16b284", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 24, + "comment" : "long message", + "key" : "dc770c64d00d156e43cb74970e3a1a2ad28b6d9ec6b2b6e5ac3e356a99f879cb620f00340c044cc1f31bdccfa0dbd177", + "msg" : "403fd8e3ef51b6539db658a894be85b58fbc84881e61c5e0cb13ae421a09d31d780603256d390edd056d190856be00ad20a7048f0c67416fe8e02884086155f4263262e8c1275504d4f91f2751d3c3dccd4409ff2b45e41de93f7b104d58f6e15bacb62ace9700615ecc1b30a0cc1b35", + "tag" : "34706cd3597860733b5e651f99d350e308f596ddb52b01e185bb38a1813bbd91e6e4c64c4fa683d4803c878fc5b42052", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 25, + "comment" : "long message", + "key" : "cca9299c7bdc26a4b595055c99ca23bec8ed11b5deeda91f83e2365e7340395ceef4e86e5cd91f2593bcfec498a67fc9", + "msg" : "a05b40b8d3a7bc7b75b0e97309c9bd1c9d8755c1ff5245ef6308a6a5cad3ecfbcb6364b41ca6f3d24bbee844d6204d1026abe345af7bdec114a373b109aa5724b738d50ab7a826c268e873709f8b35135a870045d5fb9daa82d3c245b5338917354e72b3058c9a4b807117465217d7d14f36f8a8d4e97bc3b93587c92641e7", + "tag" : "537df9c448ebe5ad42e15687a9fe9fd76c3b8cd854481090118c63e5e6e2bcc1a1f8dc6d7824eeab4823c3ab4de55edd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 26, + "comment" : "long message", + "key" : "c728e65e08d9296fe3cdf2dedb49c81a30b603a62569eece4ee5d01e9a32ae3bcb4ec163e455e452582454ceefefc046", + "msg" : 
"e6c6bac87c17e269a471434ca9568401451d78c2444a9d6edcda3cdab51c5bed1c19eaf34326580fd85ae5236ad51bc5dae386b36101f54695c595eeedcdd0182a4a117f8093f4f4812e03db396ede9849d193e7722081aeec4be6c4caf6c979d36ead56634a21be21162ea232dec9cffdbd2474245878dca369e814fd028303", + "tag" : "0d5bcff1b650c2ac70262e1ef6b74dccdc5b31ecfc32e2e3a862dd61e8e636430e623bfd620a8e2aaa98c138899560da", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 27, + "comment" : "long message", + "key" : "90c4215dc3f237435047fefdd8638d339a3fc66fca06c5063eacbda002ab335e621605f672f3da9f641fae110afc3e7b", + "msg" : "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", + "tag" : "e14912a4d0a3dd7fee54be8055f78f14a72f1d48beb24226380cefd1efc733aad129e504bebad98d1ff7fc303750073a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 28, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d10ce89d5235b22aaf49dae078c0c8c29fc3ab699d89837e1d1a9b443a70c9a86cfde0a690cd4377be0d91acf03fc86e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 29, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6654fe44542b3f1cd0b14728e69bbf6083f02cafd8ccc416525fe4013f7c7a51a8384d47afefa1fdd528d3fb6258bbd4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 30, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d20ce89d5235b22aaf49dae078c0c8c29fc3ab699d89837e1d1a9b443a70c9a86cfde0a690cd4377be0d91acf03fc86e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 31, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + 
"msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6554fe44542b3f1cd0b14728e69bbf6083f02cafd8ccc416525fe4013f7c7a51a8384d47afefa1fdd528d3fb6258bbd4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 32, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "500ce89d5235b22aaf49dae078c0c8c29fc3ab699d89837e1d1a9b443a70c9a86cfde0a690cd4377be0d91acf03fc86e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 33, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e754fe44542b3f1cd0b14728e69bbf6083f02cafd8ccc416525fe4013f7c7a51a8384d47afefa1fdd528d3fb6258bbd4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 34, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00de89d5235b22aaf49dae078c0c8c29fc3ab699d89837e1d1a9b443a70c9a86cfde0a690cd4377be0d91acf03fc86e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 35, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6755fe44542b3f1cd0b14728e69bbf6083f02cafd8ccc416525fe4013f7c7a51a8384d47afefa1fdd528d3fb6258bbd4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 36, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce81d5235b22aaf49dae078c0c8c29fc3ab699d89837e1d1a9b443a70c9a86cfde0a690cd4377be0d91acf03fc86e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 37, + "comment" : "Flipped bit 31 in tag", + 
"key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fec4542b3f1cd0b14728e69bbf6083f02cafd8ccc416525fe4013f7c7a51a8384d47afefa1fdd528d3fb6258bbd4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 38, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce89d5335b22aaf49dae078c0c8c29fc3ab699d89837e1d1a9b443a70c9a86cfde0a690cd4377be0d91acf03fc86e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 39, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44552b3f1cd0b14728e69bbf6083f02cafd8ccc416525fe4013f7c7a51a8384d47afefa1fdd528d3fb6258bbd4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 40, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce89d5035b22aaf49dae078c0c8c29fc3ab699d89837e1d1a9b443a70c9a86cfde0a690cd4377be0d91acf03fc86e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 41, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44562b3f1cd0b14728e69bbf6083f02cafd8ccc416525fe4013f7c7a51a8384d47afefa1fdd528d3fb6258bbd4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 42, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : 
"d00ce89d5235b2aaaf49dae078c0c8c29fc3ab699d89837e1d1a9b443a70c9a86cfde0a690cd4377be0d91acf03fc86e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 43, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44542b3f9cd0b14728e69bbf6083f02cafd8ccc416525fe4013f7c7a51a8384d47afefa1fdd528d3fb6258bbd4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 44, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce89d5235b22aae49dae078c0c8c29fc3ab699d89837e1d1a9b443a70c9a86cfde0a690cd4377be0d91acf03fc86e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 45, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44542b3f1cd1b14728e69bbf6083f02cafd8ccc416525fe4013f7c7a51a8384d47afefa1fdd528d3fb6258bbd4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 46, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce89d5235b22a2f49dae078c0c8c29fc3ab699d89837e1d1a9b443a70c9a86cfde0a690cd4377be0d91acf03fc86e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 47, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44542b3f1c50b14728e69bbf6083f02cafd8ccc416525fe4013f7c7a51a8384d47afefa1fdd528d3fb6258bbd4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 48, + "comment" : "Flipped bit 77 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce89d5235b22aaf69dae078c0c8c29fc3ab699d89837e1d1a9b443a70c9a86cfde0a690cd4377be0d91acf03fc86e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 49, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44542b3f1cd0914728e69bbf6083f02cafd8ccc416525fe4013f7c7a51a8384d47afefa1fdd528d3fb6258bbd4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 50, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce89d5235b22aaf49dbe078c0c8c29fc3ab699d89837e1d1a9b443a70c9a86cfde0a690cd4377be0d91acf03fc86e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 51, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44542b3f1cd0b14628e69bbf6083f02cafd8ccc416525fe4013f7c7a51a8384d47afefa1fdd528d3fb6258bbd4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 52, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce89d5235b22aaf49dae079c0c8c29fc3ab699d89837e1d1a9b443a70c9a86cfde0a690cd4377be0d91acf03fc86e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 53, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44542b3f1cd0b14728e79bbf6083f02cafd8ccc416525fe4013f7c7a51a8384d47afefa1fdd528d3fb6258bbd4", 
+ "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 54, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce89d5235b22aaf49dae07ac0c8c29fc3ab699d89837e1d1a9b443a70c9a86cfde0a690cd4377be0d91acf03fc86e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 55, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44542b3f1cd0b14728e49bbf6083f02cafd8ccc416525fe4013f7c7a51a8384d47afefa1fdd528d3fb6258bbd4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 56, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce89d5235b22aaf49dae0f8c0c8c29fc3ab699d89837e1d1a9b443a70c9a86cfde0a690cd4377be0d91acf03fc86e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 57, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44542b3f1cd0b14728669bbf6083f02cafd8ccc416525fe4013f7c7a51a8384d47afefa1fdd528d3fb6258bbd4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 58, + "comment" : "Flipped bit 376 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce89d5235b22aaf49dae078c0c8c29fc3ab699d89837e1d1a9b443a70c9a86cfde0a690cd4377be0d91acf03fc86f", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 59, + "comment" : "Flipped bit 376 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : 
"000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44542b3f1cd0b14728e69bbf6083f02cafd8ccc416525fe4013f7c7a51a8384d47afefa1fdd528d3fb6258bbd5", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 60, + "comment" : "Flipped bit 377 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce89d5235b22aaf49dae078c0c8c29fc3ab699d89837e1d1a9b443a70c9a86cfde0a690cd4377be0d91acf03fc86c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 61, + "comment" : "Flipped bit 377 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44542b3f1cd0b14728e69bbf6083f02cafd8ccc416525fe4013f7c7a51a8384d47afefa1fdd528d3fb6258bbd6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 62, + "comment" : "Flipped bit 382 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce89d5235b22aaf49dae078c0c8c29fc3ab699d89837e1d1a9b443a70c9a86cfde0a690cd4377be0d91acf03fc82e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 63, + "comment" : "Flipped bit 382 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44542b3f1cd0b14728e69bbf6083f02cafd8ccc416525fe4013f7c7a51a8384d47afefa1fdd528d3fb6258bb94", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 64, + "comment" : "Flipped bit 383 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce89d5235b22aaf49dae078c0c8c29fc3ab699d89837e1d1a9b443a70c9a86cfde0a690cd4377be0d91acf03fc8ee", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 65, + "comment" : "Flipped bit 383 in tag", + 
"key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44542b3f1cd0b14728e69bbf6083f02cafd8ccc416525fe4013f7c7a51a8384d47afefa1fdd528d3fb6258bb54", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 66, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d10ce89d5235b22aae49dae078c0c8c29fc3ab699d89837e1d1a9b443a70c9a86cfde0a690cd4377be0d91acf03fc86e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 67, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6654fe44542b3f1cd1b14728e69bbf6083f02cafd8ccc416525fe4013f7c7a51a8384d47afefa1fdd528d3fb6258bbd4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 68, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce81d5235b2aaaf49dae078c0c8c29fc3ab699d89837e1d1a9b443a70c9a86cfde0a690cd4377be0d91acf03fc86e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 69, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fec4542b3f9cd0b14728e69bbf6083f02cafd8ccc416525fe4013f7c7a51a8384d47afefa1fdd528d3fb6258bbd4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 70, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : 
"d00ce89d5235b2aaaf49dae078c0c8429fc3ab699d89837e1d1a9b443a70c9a86cfde0a690cd4377be0d91acf03fc86e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 71, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44542b3f9cd0b14728e69bbfe083f02cafd8ccc416525fe4013f7c7a51a8384d47afefa1fdd528d3fb6258bbd4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 72, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "2ff31762adca4dd550b6251f873f373d603c549662767c81e2e564bbc58f365793021f596f32bc8841f26e530fc03791", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 73, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "98ab01bbabd4c0e32f4eb8d71964409f7c0fd35027333be9ada01bfec08385ae57c7b2b850105e022ad72c049da7442b", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 74, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 75, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 76, + "comment" : "tag changed to all 1", + 
"key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 77, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 78, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "508c681dd2b532aa2fc95a60f84048421f432be91d0903fe9d9a1bc4baf04928ec7d6026104dc3f73e8d112c70bf48ee", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 79, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e7d47ec4d4abbf9c5031c7a8661b3fe00370ac2f584c4496d2df6481bffcfad128b8cdc72f6f217d55a8537be2d83b54", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 80, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d10de99c5334b32bae48dbe179c1c9c39ec2aa689c88827f1c1b9a453b71c8a96dfce1a791cc4276bf0c90adf13ec96f", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 81, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6655ff45552a3e1dd1b04629e79abe6182f12daed9cdc517535ee5003e7d7b50a9394c46aeeea0fcd429d2fa6359bad5", 
+ "result" : "invalid", + "flags" : [] + } + ] + }, + { + "keySize" : 384, + "tagSize" : 192, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 82, + "comment" : "empty message", + "key" : "1c678267be13acb464939c2896c9e9ce1deb5b30833bdd9ca00370889b84410782ad52afe25dc10ab7ec5cf5f34793b7", + "msg" : "", + "tag" : "b1bbb62a3d2e33ab8cdc0da03091bb83efbbe2c484b9ee8b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 83, + "comment" : "short message", + "key" : "00b184c2c0a491d764a26f8b2e56a965222b36213bdd106ae782305c50f89269902476e5df3fa58e0ecfae82a9607c8e", + "msg" : "9f", + "tag" : "424d7ad3fb7addd09488de8b5e5951853ed915a66209ce02", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 84, + "comment" : "short message", + "key" : "055b67edb659e29c10e3e9cd25aa1cd5abf0880e2026ed8436e39b064b7315760cd7a9294ee23d4750969cc8b5dbaed7", + "msg" : "4047", + "tag" : "deb3604abe3406493230f871adbb10945371c725d77ff001", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 85, + "comment" : "short message", + "key" : "9e3c198e93930f076b035c5fa8f10d9a65e98c66cfb36633e3cb33279cdf57688f10b7472d1fc9d962ce6954519bfbf6", + "msg" : "88cfab", + "tag" : "8952c88be29d5a7ad5c252197a67d3af7512af0f320d5efb", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 86, + "comment" : "short message", + "key" : "f5f5962bda257b38b2a2318929121b2eaef792d5c6a9585e48b80cf5357b29c3951b787ed3e03e385b05b8ffe6861dc3", + "msg" : "d9397753", + "tag" : "3afda5e82a3a0b01f6de056633348bff2c59838fc10476af", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 87, + "comment" : "short message", + "key" : "f62820ed5f9833fd22dee7bd49e2c9b19fc9668897c2c33e6c7c1fa5c277c3b9f581faef3ddc664ba537975d8afaa707", + "msg" : "9b6cc7caa4", + "tag" : "0ebdc562d3b5df13f1370a0a555f30e5d77b92a71c885884", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 88, + "comment" : "short message", + "key" : "f222a1dabf322aff8463acee6444939331212be3e19d31f4b73fdcc97e2925365ea33c985282805c83dcd8fb42a0e214", + "msg" : 
"c85ad7872b76", + "tag" : "4fc8b44f25d87a32f6e0dbb7d9851482344d4af5bfd77845", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 89, + "comment" : "short message", + "key" : "56e80f3899e945310a9d9bef3d32091f29c157dd46b2d439ad89d63e14b2c24390f74db4d905f6bd03f75c32e91225fe", + "msg" : "80ba25f1c27650", + "tag" : "f1686d7c0a808ae4ee2c4d8912b3f6e5bea141de7b80b586", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 90, + "comment" : "short message", + "key" : "6cb6261a56a21b2c3c13453c158364aafa78f58172a9ae3eeb328ac38808b5c68c111197a303ec36847c9a315ac5eb5b", + "msg" : "79430de51d68cf34", + "tag" : "7cf93b400cc52b516f12e42270f2591e2cb9b6f98016fe2c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 91, + "comment" : "short message", + "key" : "44ca1ecb490470a84c7e13e1f1c69da21f48c33b6f050f48f7f244f0fda8b3c855904ed0612e2dafa5105cbd7f6449eb", + "msg" : "870b981c8afd9fae1b", + "tag" : "b51efe22849cac69821f995906f002c53bfb71eadb902e1a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 92, + "comment" : "short message", + "key" : "aaca68882cfa7250988a247b96cfb3232d6567378f8fa7e7aaaca1c386e1ae15e54957d22bfff1e50ae7f21beea197a5", + "msg" : "a6f31b822ec24da1b1e9", + "tag" : "755c630f0038e61b0df635a86990a0efce63be5dfa448c68", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 93, + "comment" : "short message", + "key" : "1b32f9b6378934a502dd74d8b74a4606d5b2c9a8587fab1cfa90d75007734d2b8bdfe634815243526ebc0f33c04d0d05", + "msg" : "55367c657c792610efdcc0", + "tag" : "eb16b29740aa41ce9324d6a29befe848109c8be189983b2b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 94, + "comment" : "short message", + "key" : "09d91b2fa22e68b5335d478235aa4e157435c9acfed772219adfa1e9dd72f33e1a2183a0203a104f80e643cdf29e5aff", + "msg" : "b31e254957db6b1b70a06ce2", + "tag" : "ab2b667e1f8a3e5fedc4da62ab85c422280efdd255005491", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 95, + "comment" : "short message", + "key" : 
"d311a80ac801e3639b9185608af4a85e4122e29b5c23f05234c30d92d59ad13cb80390e5fa0ea4a54853228b356689f5", + "msg" : "e6b443dba0dab35d43ca5d6ce6", + "tag" : "ec3e9d2c208d5739d8509ad6e88ea865383d9f034c3f80a5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 96, + "comment" : "short message", + "key" : "06297e6c46558b9b0fc36c272b4ae7e65dd536cc1d13acbfa831fa5574b34f99e09adfb7f20321f203075fd26ed2e29d", + "msg" : "309b95e5f1ec26f70786e74d806d", + "tag" : "8eb37decaaf8376ea94b82767af4c4be78cb607d9930a28f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 97, + "comment" : "short message", + "key" : "e8b63a25cd85ad4f39e3c0e9584eacb94d6ae33f984da259aa533d4d28aeb341cf3ffe49c029e4af6a4805f760f35f2c", + "msg" : "d225c27795f809454bb2c51d21f3ac", + "tag" : "7194c69928ebc338d6c34ab5aa5506d2fc069743d7660c7b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 98, + "comment" : "", + "key" : "d83a685ace9fa0c0aa47f0c7b4f0f00717619a82e2eeff87f51f67d814d51dd9e4cad7578a4e49b672b5af83943c2583", + "msg" : "abfa7f5978f751e87e8b5a15a6e89f4f", + "tag" : "90247d2933f8f4a6564ad7d272721ff6e76fd4c0e3a8fabc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 99, + "comment" : "", + "key" : "5beaf406a6627eaafcadb6dea4e27ba4fd879fd3e5bfd87ea3c8d5e0acfbbda2c6bf006beaf5a30312e690724c4744a3", + "msg" : "bc57d467a9a2af64ad5e14b7bc0898dc63", + "tag" : "7cfaae1946e462ece04ec2fde8fef1a6e9e5a5a51657e14e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 100, + "comment" : "", + "key" : "76b36cc3b8ca975708ee4b32bdbe40ca13f9ce384c52c4b6602b7fd92164f1fd8432706c1966f648bf4830f4deb34795", + "msg" : "b1d022c6536f401d147dfc0d7d4e600bb753ef0e9f243bc3", + "tag" : "f41947ef686bb9a4aa3555f72bb320dab577123f8f7b8add", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 101, + "comment" : "", + "key" : "20569a16f453dd3c34df98155286b1ca8a392ea164c919311f0df9d39d976062f4f992b96def3851886e6295f2615064", + "msg" : "5402c4e683d1a431868ad528afbf4128b0b10cef947d063b34d376d344b793b2", + 
"tag" : "ae11f9b8380ffb396aee5a643dcd8d1cc91544ab18201aec", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 102, + "comment" : "long message", + "key" : "9ef6a55f8a9b6b9ef1f8296167319078163706ae5b60897c2dd6e340b67ed5d577fb54c5547cd5f248f06e7082ffb826", + "msg" : "6a0d16276941d8f04eac2ec723fa53b9d6b16da7e30e7f2d9ad898e7cbb71bd3dd234ee22836ff4ac6011b6f12bd3a", + "tag" : "57d58ab4cbc8d53e6c18ce556afa2d9bcf22c1f4486e459c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 103, + "comment" : "long message", + "key" : "fb56bbbc6d751b744d8c1b57cc27a1d2c2f4e38e3491f54448cfcfb9389b7f63fd0d41920968ef612510625f2637d28d", + "msg" : "cf1791517ef5a61c0db65a668bee26fdbc975d799b2623cc0f3e4560e80c7014fa9c02d568c98c86385e000fe6776bb7", + "tag" : "c4aa19f4243645fa5731e03768d16d55225ade23ee7f371b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 104, + "comment" : "long message", + "key" : "d041e24e59b34d7a18128a42d8a7a52dcba5d79e5ed585b55c7c9e4946e5ccaf7e59df0f3da98c7d0523e4cc8f9d7da4", + "msg" : "5279618f1b41534910395a78ded968aee3431085b599c4f55eb5ff8a2e879bc44291d923de31009db1b9f7f81095afb3ea", + "tag" : "ee3f2946aa04e60b7f4b7f57ee15dec5a7fcf8d114ebc14d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 105, + "comment" : "long message", + "key" : "e1ce4884fd74a0e197c68ace3b29b552313af8e451e98d9ab8d0e8f8ee74143e8fcb6446217c0f3123a426b8ab6f62cb", + "msg" : "71154b9a657b905f884ba5140d5e7b9243fec3e03fbbdbb360c8194963ae43177b5502cd20f559eeeff8638d028c501926ebc7eddd132ccea29ead7ad0c95a30b9d325952cafb0ea5ec9d9d6fdeb63950d5d69c8bbbea702aed1d444da286807ffd6b36cb49902cba7abf9bda1b577c6", + "tag" : "928ac14f18d87b8e1eee759b4ffee3c17a2913c914d8974d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 106, + "comment" : "long message", + "key" : "8a242c22d1b54ce216ca03c88455beb128211a9f35af2343709af7c5f43a681451ea53a36de2e5048eb44a51681c6120", + "msg" : 
"ab5eee6b83869119f00dd3cc66dde75cb5700535a90e9b3e32b31434c297ef53f94659d7d9b11323161b2e66c6b9c9ad20e313303f81e88e471786c8e936011f78121e39630b2e0804fc97ce5cb3a34f26949439fe530adcea6e97c78b042e0817253bf75dd54335584122f5edd210341b6d93f58aa1b4de2aad76fecec44f", + "tag" : "20ccf4f222d139d4ab7623b3a38c91543469270056ff8c80", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 107, + "comment" : "long message", + "key" : "311c4bee7cf257b780135a2e4a6413e68a816f5d8462515dcb1c72494b6335581a9b60a217b9ff1c75e7768148f8df46", + "msg" : "63ccc3849c4c323cb6ce926877969048b849ee4af18e71eef52fe9f274a8678560f9a5d47510c3c98c8a08ed4c01a01e0a3663ef0cc6c3cdca6276d91e99b0d414263498fb64ad74b820ab52b37adeaf27cb44545edb8f09094992837b8d3a0baa2a101a49592eb889dc8bace4c71e3efcb9d4149bd670ce2f774d73c12f2a45", + "tag" : "dae65a8c37c5458f017770fdbfc2023291e021bddf7625c4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 108, + "comment" : "long message", + "key" : "fb792867c8928f0503aa24477cebf42e0b018346e3619770b9e8f5097945e2e275ad06f0c12152366ac06e278c94090a", + "msg" : "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", + "tag" : "927bfdba4ee11d8f158491764840fd64ff6401401543b539", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 109, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d10ce89d5235b22aaf49dae078c0c8c29fc3ab699d89837e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 110, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6654fe44542b3f1cd0b14728e69bbf6083f02cafd8ccc416", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 111, + "comment" : "Flipped bit 1 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d20ce89d5235b22aaf49dae078c0c8c29fc3ab699d89837e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 112, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6554fe44542b3f1cd0b14728e69bbf6083f02cafd8ccc416", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 113, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "500ce89d5235b22aaf49dae078c0c8c29fc3ab699d89837e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 114, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e754fe44542b3f1cd0b14728e69bbf6083f02cafd8ccc416", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 115, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00de89d5235b22aaf49dae078c0c8c29fc3ab699d89837e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 116, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6755fe44542b3f1cd0b14728e69bbf6083f02cafd8ccc416", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 117, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : 
"d00ce81d5235b22aaf49dae078c0c8c29fc3ab699d89837e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 118, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fec4542b3f1cd0b14728e69bbf6083f02cafd8ccc416", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 119, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce89d5335b22aaf49dae078c0c8c29fc3ab699d89837e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 120, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44552b3f1cd0b14728e69bbf6083f02cafd8ccc416", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 121, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce89d5035b22aaf49dae078c0c8c29fc3ab699d89837e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 122, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44562b3f1cd0b14728e69bbf6083f02cafd8ccc416", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 123, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce89d5235b2aaaf49dae078c0c8c29fc3ab699d89837e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 124, + "comment" : "Flipped bit 63 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44542b3f9cd0b14728e69bbf6083f02cafd8ccc416", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 125, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce89d5235b22aae49dae078c0c8c29fc3ab699d89837e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 126, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44542b3f1cd1b14728e69bbf6083f02cafd8ccc416", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 127, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce89d5235b22a2f49dae078c0c8c29fc3ab699d89837e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 128, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44542b3f1c50b14728e69bbf6083f02cafd8ccc416", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 129, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce89d5235b22aaf69dae078c0c8c29fc3ab699d89837e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 130, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : 
"6754fe44542b3f1cd0914728e69bbf6083f02cafd8ccc416", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 131, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce89d5235b22aaf49dbe078c0c8c29fc3ab699d89837e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 132, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44542b3f1cd0b14628e69bbf6083f02cafd8ccc416", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 133, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce89d5235b22aaf49dae079c0c8c29fc3ab699d89837e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 134, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44542b3f1cd0b14728e79bbf6083f02cafd8ccc416", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 135, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce89d5235b22aaf49dae07ac0c8c29fc3ab699d89837e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 136, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44542b3f1cd0b14728e49bbf6083f02cafd8ccc416", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 137, + "comment" : "Flipped bit 103 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce89d5235b22aaf49dae0f8c0c8c29fc3ab699d89837e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 138, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44542b3f1cd0b14728669bbf6083f02cafd8ccc416", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 139, + "comment" : "Flipped bit 184 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce89d5235b22aaf49dae078c0c8c29fc3ab699d89837f", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 140, + "comment" : "Flipped bit 184 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44542b3f1cd0b14728e69bbf6083f02cafd8ccc417", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 141, + "comment" : "Flipped bit 185 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce89d5235b22aaf49dae078c0c8c29fc3ab699d89837c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 142, + "comment" : "Flipped bit 185 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44542b3f1cd0b14728e69bbf6083f02cafd8ccc414", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 143, + "comment" : "Flipped bit 190 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : 
"d00ce89d5235b22aaf49dae078c0c8c29fc3ab699d89833e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 144, + "comment" : "Flipped bit 190 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44542b3f1cd0b14728e69bbf6083f02cafd8ccc456", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 145, + "comment" : "Flipped bit 191 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce89d5235b22aaf49dae078c0c8c29fc3ab699d8983fe", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 146, + "comment" : "Flipped bit 191 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44542b3f1cd0b14728e69bbf6083f02cafd8ccc496", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 147, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d10ce89d5235b22aae49dae078c0c8c29fc3ab699d89837e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 148, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6654fe44542b3f1cd1b14728e69bbf6083f02cafd8ccc416", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 149, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce81d5235b2aaaf49dae078c0c8c29fc3ab699d89837e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 150, + "comment" : "Flipped bits 
31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fec4542b3f9cd0b14728e69bbf6083f02cafd8ccc416", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 151, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d00ce89d5235b2aaaf49dae078c0c8429fc3ab699d89837e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 152, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6754fe44542b3f9cd0b14728e69bbfe083f02cafd8ccc416", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 153, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "2ff31762adca4dd550b6251f873f373d603c549662767c81", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 154, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "98ab01bbabd4c0e32f4eb8d71964409f7c0fd35027333be9", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 155, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 156, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : 
"000102030405060708090a0b0c0d0e0f", + "tag" : "000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 157, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "ffffffffffffffffffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 158, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "ffffffffffffffffffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 159, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "508c681dd2b532aa2fc95a60f84048421f432be91d0903fe", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 160, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "e7d47ec4d4abbf9c5031c7a8661b3fe00370ac2f584c4496", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 161, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "", + "tag" : "d10de99c5334b32bae48dbe179c1c9c39ec2aa689c88827f", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 162, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "6655ff45552a3e1dd1b04629e79abe6182f12daed9cdc517", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "keySize" : 192, + 
"tagSize" : 384, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 163, + "comment" : "short key", + "key" : "08476e9d49499c5f52e37f80ece6f5a45459948806b48241", + "msg" : "", + "tag" : "fc5143709d60f6655e009acfea7016386350593622e590560c47e846a3fae8f6edc3e4331b8305834cae249dba9e269f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 164, + "comment" : "short key", + "key" : "213b44d8e1fabaff837ef30ee2542f9ab82ed70411dae78f", + "msg" : "ee0bf48585c186ff991b4d8607817c9c", + "tag" : "b9255a1f98c06ff6048760a1b22d63c0e8a7479c5d453664a60028512d64e13d79f7e39e8cb5399d859f1c8be4761172", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 165, + "comment" : "short key", + "key" : "b4afa9daaa8c944d73a3881f3221e42b34ef4e35f184e878", + "msg" : "cf607f6a0eb44ecbca81b6d1fdb595cee35f2353da02e82e28e133b9decd8fbb", + "tag" : "b56641a9d6514b118c70f30a61c08e7e7a650ae2cfb9d73d633c3cc402a0b9ff75c9224a94610861322225ba31d9f3ad", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "keySize" : 192, + "tagSize" : 192, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 166, + "comment" : "short key", + "key" : "89e46b66209548c80b0c830662223b49b0e3b895eb30e2fc", + "msg" : "", + "tag" : "eeebe1823fb042cc7c56b31748af6a134458eab62fa2e0a7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 167, + "comment" : "short key", + "key" : "f2c10ce8cb1cf3b363354473b027c1e53deccef03233be0c", + "msg" : "e1fa10b8e301e0348405770bc3fafcb1", + "tag" : "9f0e9d9be70c82525f8add7dd15d925b9398d7fdbe1f2110", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 168, + "comment" : "short key", + "key" : "92e074442cc4c59e72260808d80d8e7b85c6335068917b83", + "msg" : "34eae27425ace17771e164cbb634306f352edc9c37bf608be8a755fb94148183", + "tag" : "b789a4371f0aa2f667a7ade1c53c98b53a39ff65dfbe7d28", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "keySize" : 520, + "tagSize" : 384, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 169, + "comment" : "long key", + "key" : 
"db6f9956c3f4ca6e41f1f7f14629d44c79e0353edbf3e310e6858bbc45a7cd57778a9053ba22a141bf58bfd434ad08648c7041a224b97a0d17e0edf94fd40b410a", + "msg" : "", + "tag" : "2553a0441bda89fe78a8fef9d334f92224c3fd47b7eb8f18bd6ba3e7c2ddc383ab9264f50eed7d09f5e40a10e5cf5271", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 170, + "comment" : "long key", + "key" : "f03404bdb3e08f530d4c3a5f165d236012a4c45cd063e3e4483da088ec0afdb24e9639fccabb91f98a49dc2972e2981426573ecfe69c00c43a2d99a3107cef3a70", + "msg" : "73ed9fa2acf49d6c98bfc7d6c5ad9c56", + "tag" : "c345a72ff4dc5a62c8fef912c51f7d95814a3b59291df3f38da214a46423af89a40f8e37047403c9499768b3171a55c2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 171, + "comment" : "long key", + "key" : "ee799e25edb1b18452e5ed174bc6b2185a6754417d6cc05d736d2ba9efc8367e4b05ba0a2ee525ceeab74f9804a8479130c328d671e34070cf174a003a1dfb5994", + "msg" : "ac3e7da7e578b9b4dc2424030446c7f6aebcc471445a9e0e6e65099caeec5b2f", + "tag" : "956d33ddc96bacdcb4e0058c161ae812d79d81d9f0f597e203aa6dae0daab27ad93c5171f564525fb91926dfcfbaa09d", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "keySize" : 520, + "tagSize" : 192, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 172, + "comment" : "long key", + "key" : "063d6e12e670098adabe68192023b637bb6d8d713fc8436188c4ec06fdd084ce6d193f26c86a9560e1abc27d813fce2b3eac0170fd1cb72e1930a2776bc84d6c11", + "msg" : "", + "tag" : "24a9852f76ffa1ba3a6043cd348f17be036755162131259a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 173, + "comment" : "long key", + "key" : "359318e6c6279ba9ebcb1675f5a98195bbf5d895da9c17b8329038be857dc395b12ae91a55598876593c1c20bc0172cf15126b7a6bf0a238eda3325d6dd60600ef", + "msg" : "7ad0c9098ea10e615bb672b52c96542d", + "tag" : "b3de2addd5fce93122f0f2f320c607fafac23b280898068e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 174, + "comment" : "long key", + "key" : 
"d01cd898089d8a1eeb0035b0d332da80fbd3571b9192db10fa6f55f665ab192d7050cab643996e99254d9573e0cf4eeaa63afccdefd81614fe7b83dfe30e3ba19f", + "msg" : "d67c77cdd0af5d10e8cae887e5a609bb76a9e5597653773c303b82b918fdc59f", + "tag" : "f692da39c59268288b0f081a7b60de6111cef724a14f893a", + "result" : "valid", + "flags" : [] + } + ] + } + ] +} diff --git a/rust/tests/wycheproof/hmac_sha3_512_test.json b/rust/tests/wycheproof/hmac_sha3_512_test.json new file mode 100644 index 00000000..b41f4e19 --- /dev/null +++ b/rust/tests/wycheproof/hmac_sha3_512_test.json 
@@ -0,0 +1,1622 @@ +{ + "algorithm" : "HMACSHA3-512", + "generatorVersion" : "0.8rc21", + "numberOfTests" : 174, + "header" : [ + "Test vectors of type MacTest are intended for testing the", + "generation and verification of MACs." + ], + "notes" : { + }, + "schema" : "mac_test_schema.json", + "testGroups" : [ + { + "keySize" : 512, + "tagSize" : 512, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 1, + "comment" : "empty message", + "key" : "5365244bb43f23f18dfc86c09d62db4741138bec1fbddc282d295e0a098eb5c3e37bd6f4cc16d5ce7d77b1d474a1eb4db313cc0c24e48992ac125196549df9a8", + "msg" : "", + "tag" : "8327dc85e33898f05724b34a89dfc74f2581b228203ff148f7c86aa328e0e5330c00015d1d983ab005fbc18d3695f2dd5f304bab7a4b7c34f6d010ca0af1acf5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 2, + "comment" : "short message", + "key" : "00698977f7102c67b594166919aa99dc3e58c7b6697a6422e238d04d2f57b2c74e4e84f5c4c6b792952df72f1c09244802f0bcf8752efb90e836110703bfa21c", + "msg" : "01", + "tag" : "84185a2890b3f4c5ef8723c292db676c69104e7ff7def5ecf26928a41626d2b16b063d8a9df03917498467f5abd7af3c6c732957f67cb800a517b26963142a1d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 3, + "comment" : "short message", + "key" : "ed6dc65dbeaadbdaab530a0d35f19f78a7bd93e698546c82751bf650c2a44fc8529033d088febeed288fb4c8132a59df0207687640c76dcdb270ac3af5f042f1", + "msg" : "a78f", + "tag" : "b4805d3a32d4dcc2e08178889173e65d3fa1d3b3f3bb688a46c8793386e7136e6caa55581e04dbc01b561b8fa3ab6bf71121df6e5a51aec6b2f253df99d16bf7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 4, + "comment" : "short message", + "key" : "463c5e696da0ec0d784388be775d1d91d94746aa8d3d2c209f56ac95ea54e7288329f9fb40be4eef35547e64c61dc51a4a1f3380a2b96420f088655ea9d85b97", + "msg" : "e956c1", + "tag" : "30d4794d0f072622d4a326dc9957974ab5ee5e403c8e8ed673911b95838331e99ff8dfd16defedeb696f1c661a0094685dbb6c8604c072a1bb088b9e8cd55d9c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 5, + "comment" : "short 
message", + "key" : "4bc0d32e945cfdafd20d39be3820f9649727cbda5ab5859953a322cbde1ab7a514d7dcd14ba90905e70919bb86b85cfeaa375ee2ce2703711b938c8f4ab5f178", + "msg" : "b2aa48b3", + "tag" : "6daf3dad42636bfd962246b0b314c939a4fd0a9ae46efec848a56bb6b85de6c47b60243644aa5e4658a4042f8577b388bdf544e120fb32b1af10f0f84b8ae4ca", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 6, + "comment" : "short message", + "key" : "aca47f6350941a0efd8c3bac9064a554be337cde7d192f6fbf86d1b4db09b36531165cbae0a634206f71fa400df33352fff60e1fba4009ac6671cd37312bdd98", + "msg" : "bc993b1db0", + "tag" : "d448310d37fbc2c5d26d6ceceb999a2551793691f36019d88db99d041b0cdb6fbdb40c13b76a235713a59bcbd140c99e5612d3c2ef66dc0fb41586a6c384279a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 7, + "comment" : "short message", + "key" : "b3ecae6f25c2f699f158b3ffcd0a7a575583e4c9cb56b5c22ef4273cde6c6734e84d7400749c17e47e8cfccafaf8b50c65eb47dfeb273d5d30a1181e37b27ad0", + "msg" : "f0361d58291e", + "tag" : "5d3b47454f71949a441c59a20b0a56b6b2aa4c256e1c6e128c5eb201c68e63da130ad69594126ff789fa471e2e51de73ea57f75ce2a1e2c9d02eabdf55153228", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 8, + "comment" : "short message", + "key" : "70ff24a252d65183bdc6b7c88751f850821141a61246727c3240b4f96088ae3278767a822b65735a28ccebe4c874bcb2c942882cb23f9dd87fe08fbaad5ae72f", + "msg" : "e18da3ebf0ffa4", + "tag" : "253a4f223cac5e24b4ffb9b21a325d7645192203cacabfe18d3299010a7d203eb1ef5319547f140840a9742d4907b7fafb4d1ef1b54f26682ac98e3a37c03a89", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 9, + "comment" : "short message", + "key" : "dd4e05933d09711ee88cb4c1ceb3600b2b33808bc08d499387b331d9c7af49bc65b55172cf8083385a940e4b864b7b4b73ddf3bd513a6cbcac73878a879b4d06", + "msg" : "66948029351432c3", + "tag" : "88db64f580e7e2bcf9329007e2831c6764541331679ea4493b24507dc72a3f9ac8fb5dac7e08799d139f74a0c163cf0456552ff12d14785f3deb29278c3ba679", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 10, + "comment" : 
"short message", + "key" : "fbd32caf8984fc4376d10daa7288db8e6e74464bdd94b448adab4497b319e9a6dcce542f82a7ff2e775d12477c880e460a9eab8efc49fcfc8c5476cb4b08954a", + "msg" : "38a2586a2883953cc4", + "tag" : "9a0f3c3829a11186c69d88433785b784e1dcbd955be679649a89158396cf91fdf26e73a27c3bc5325f6710c421d8cbeb5922af2cfeb7232fb6929c00d8190922", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 11, + "comment" : "short message", + "key" : "fd4c3f6b2137513616c28ed4d8638f867ad0b97188b73fc9b36f3d52b82d72a49b9dc1b8b25397eb448054a8d38d838e7a88b4df9c263aea1b968771d5ac5756", + "msg" : "86b4e61b3b7d650044ad", + "tag" : "e97bd7a78267ac6b575da2f7364448efef8dc7dd4f9a44d0454b021f59957cf620bbae47f0d3b7dec2bf4d153bada472472685a35228970fc99dcceb14f34dd5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 12, + "comment" : "short message", + "key" : "f95baea535f477d22b405c67d927f59a9e042c46297a1681bcc16fdbe1b2cd59675a221351a78075981e7eb4998066768801cbd7a85231114d7f27f9bdf24899", + "msg" : "5a34dee4e0982d458efffb", + "tag" : "f6d382a7782c1a63ad98897dd2616bf29e46b1e430b7d69d02df4f640c9c1e8faf677633d86f639f6834e1599927d9aa23f49fd4fb66085eb56968f9b7b9fb3c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 13, + "comment" : "short message", + "key" : "4d76ae95a123207e01c6d22d8b587e63ba682963e50961afff531160a9b9aac6c772c5e8bf918ddecbeb56455ea64710e51ac21e3bb9af4b24eaa8535b3c2924", + "msg" : "2c31f2d986f68a6d6a96c4b0", + "tag" : "0e4081af61c51dc831ba0448efa24f0ce6e05bdc38e11ef03a4456164542f28dc38368d308dde117087a86aead3b4fd4ad8cff00c5ab93539281bee27f7e5ae1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 14, + "comment" : "short message", + "key" : "0da7fa1f5d217951e3e343cda81f232deb71764eb49e8510bc28dba8eb62afa2a98b6f0536adb10250c74878fe649f47bbafdf3f722fa150f66e83f65f606ab0", + "msg" : "83511de190663c9c4229ace901", + "tag" : "bd1000dcd41ed8aac4edbb818884ddbea01c0cb60a202427a977489c310bbb10dd3a96ad858702d6ac5edb3431f780c2201920deaf760c719e64c6e390f7911c", + "result" : 
"valid", + "flags" : [] + }, + { + "tcId" : 15, + "comment" : "short message", + "key" : "cec9e9f25ed9a017004a7882b1e44e8bd8fa3203c50cb6058455ed4f2a036788d46fcd328327d0d86b1abae69f7bbb96e3d66373ec8bd45075890879a83f4d33", + "msg" : "80dcd8ba66f98b51094144e9b8bd", + "tag" : "9920662e0b60073916ec0cb17c9f0a62de7f1f193eb6a9ef52870c93cd9697dfdc13fd2b7ba7664138b037f7e63023865be898c2f4bec6bde9ea8ee1b69b2563", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 16, + "comment" : "short message", + "key" : "bbe25649ecdf54ae0028fb923cc8c28ec00e10e2d44214590781238a143b75d54efb037eb9f53082a8ab3d8876daf4dbdc2483c4ba222797fe20da3b7730368b", + "msg" : "33f630088c0d24cda98caff1a3afc7", + "tag" : "00eaa766f4f3d92047b5e85efc9288cb8a5a2b56d2267dbfd5b16d8c918ed9404314aaddea241bbc966e49b2368232129d1edd06d99bf93bc57291b896bae485", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 17, + "comment" : "", + "key" : "f5e2b9e2313f4f807cb3a924a7d4943fc3fb475d8f1a1b40ce09a37770f621af8977729cadf986c98c75f08a4fab4280538e09e7e51e87a8d62c03411bdb8d24", + "msg" : "74ef623c83275ae99745bff7e6142afa", + "tag" : "8d0acc11d6c6992ad16a5e7070236a1000b0f1ccd1c98849eeca395a0daf5f404c8d272257ecbf8bd84c42de302fe368d6c308e4639f2ecd2d91f3dda6a0d8e6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 18, + "comment" : "", + "key" : "8e323d5fb4752d92a6d905c512b287d07b21ae50002d026ff0388e1593bde9998dd02321e200d148f5fa2e824b37e9f5a77441794b840bedd552d1051c1ddd8c", + "msg" : "4daa229b009b8984354c2ec3e7973e0042", + "tag" : "b9395c2b7e360385ccb3da590b17279e121f92fd85660e802e24dd92998b2e531d3aa911c3ca389b515620b6bd3f97b63df7ebbd10b639799952927d1c2dc360", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 19, + "comment" : "", + "key" : "465bc1ab2125cca29729d01df044e393b0677defdd939280a3aa141224efa06457e623056d02f6c36eca3dfc4a7476dd36b97d0c2d60c7672129189e73b6af8f", + "msg" : "dd84599b47ba9ae9f2ad0c8eac678485433eb6b1dfb7c998", + "tag" : 
"7072471ab504696f060a3bded10e657e3bc6bad2e0f8239fd4f17e35174c2acbf059aa7d85b3b3adf3d644e0bceba93490a54948138e743091d5225bdbddf6ae", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 20, + "comment" : "", + "key" : "b90226798dff2ffb91d1ee4103f26397d0bf84c13c1ec717392c5fe1d4d0f4dc790236d759fa1be852e305da585a3dbde0d3912bea60d6b140c25645eb00943f", + "msg" : "aa29c372f136993c65ace5e1d62078806eb787913bb35af33371056359d354b2", + "tag" : "8d6ef6ea9bf61d3e39535b1f3759c01da28d9ff7370491de117a520188e15a152050371d533ff4b927fd91bd33a6c7404cce34ce4701fc7a8f03ebf70ad188ba", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 21, + "comment" : "long message", + "key" : "af1bb91775cb40c73983f119c927a2ce8f7b954a6274ecc1cd96019e5c417af4b094376194eae71c7f68f3345654d5d9f8198a697b41ae251e82308accd935bd", + "msg" : "75ededdfa7f1df1dc144fb195b27e454640e3f897cb564222f05e8aab0c6024f90472afea6e7254ed25134ea43452a", + "tag" : "cd3075b66d5fb6d90cd9384cd1aeea9a2c67a59bc5a71b9b1e5ef5407ed58229baa67d3e9f9895de320b421a6670210288afe2da4ae4845ab069501185b76ca0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 22, + "comment" : "long message", + "key" : "513e0e7622eabcb6bfc81669dac903df46daea1240f32248bbf4fc61f1f9b13b2c3fe1bcc97540d30065be9eee41e51748bc42c16a8c8269fbe2b6f625c19228", + "msg" : "81d8650937f50871a66af71605ea4fa9d6c5d7a375774c2280eb34aefcee8c0ef83345bc547e4de7cbea482369b25a93", + "tag" : "f7b263b7c2380d0ba70844d2e6e56dfd68fabf7ec9af5c8ba897ae4e9d308aa28ff7a10ba4d37525e858074093ae8b15908de22be70e3f0b23dc61c39b17ab39", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 23, + "comment" : "long message", + "key" : "627c9a72247d07b0cec8346277468311c7401fc4cecaea8e22e13ece4b352c8f7a7eb1ba81ce348a08670438c97b8d9e883614d550f1ff16d636975c59988c2d", + "msg" : "118e0468cbb52f93a3396ebfaa114881a98a4101f4ff912ced47ecfc73b27f52205b7a5d4f3899506f9e34ebf99460da7a", + "tag" : 
"050b55346ab112e0ba62409f3bb48f7099a5098e2ccb2d18e47b5171029f43f9a011fa1b134b6412fb9df161abf295405ba3e212657d7420ee831885e71a324b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 24, + "comment" : "long message", + "key" : "1e981d0cbbad5bea9480d836b4704bf3147663b6ea59e1e0a280fb45d9b85d445dc972159dde301c6f1e66681f95642dbb9a9218c00d0cd724cb02f3bcaea2ea", + "msg" : "440dff390688c9fde31c17fdb61c1d13899f9544a986324c34d5eb07bef9a4436297f4a7fe16de5dd7b24e0c7c129051efe6f2dd0a21aec05c3e3c8f6fa30d9c0cbd60d840d14f0b2a928bc7189b9de4a6a731151d6b31e6a0ecae75095434737be8c3db11a6a697d0616c78b97041de", + "tag" : "4a7a1d6b15ee94410325362980df659b5f72598faa1963c3f129800439e7a7148f9f1f6031f7d0f3c0a8b8a248c5f5ea88a3544def2b30553061533ebfb47997", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 25, + "comment" : "long message", + "key" : "ee8aea2a52eb7e0c1120ab736b1a825b12610063de9642c594766c020cb87314d8ac94b13072bfbf3c019b4aacb1d2695cdd7563a26f574e12559906784d853c", + "msg" : "a3951f1d18135602fdadceeef5741c24ad22756160d0c55e51b788af952adaeb13e18c24c6b09672f405d7ec3d49b0bd86c7f8691b6f69af49175423215cf57d7c08a54ab0b0293e685c9aa250f1599d78193a00af822dec4b56fdb41f0343ab2cf85ea27bb2e650930f5e8ca836833903b053b3e06899b4012a6532978d90", + "tag" : "741d2fef6b194913b7b6c5431d36cd80f5985480b37a8198f60e0a96bb56d89780b87d8bc3feb03d29fecc28dfa285f052eec5d0f9cfcb7c9cfed200ae60d0f8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 26, + "comment" : "long message", + "key" : "ecd1861a12eaee48aef1d7ed278223b50d3416dbff81e976c56ecd4b1a1bc8892b584cbcc72370ff5e976a6af1790caa32f9ea912855914c0315979578fbf165", + "msg" : "5779c56373a8e5db43bd65c0453ce23144230d43666d717a3b59d2e90f0e10732376831d7281cb23dd5566e5f8c627d00d39650139ceb87cd47e921d65d6c1cc7712ac4bd75bda8828e68abc968f4160ed91b28946c9d706b0360bbbdd65f47ef9983c50f2d09d05c3674c0943ea4af54c381089f9b846dd69ce908e0f6eaaaf", + "tag" : 
"e5d84c73db427dbda25d546c5ef17a1a7a7c194b745f42ff6abf5821bfb0a9b778bfc2e0e74871c7bbf645e3a4f735c135d7a83b15bfee39bd5f6cbd68c91e4f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 27, + "comment" : "long message", + "key" : "71aadbf330ea133b46c939d12e603896902e8df638597c98872dfb5aecd5161bc84095221de3222367012f45c6d70701e862ab000e782e91b505b21b4e212c38", + "msg" : "e6d7b0280d2f7df83fd26562fcdea2597cf687a9c9fa194f655c44d3271b881f28adc436db8e0437ff4dc5d38356271c338829c3e2d9ba4ac1777c94886983d4b72c275bc00e4f7b06c5ce38a2fe549fe53761857f236da705fd03790b41cc6f759f41aa206feca7ba5486f4fc9d09f35c8e0887241291882010414ae41b8b384a715a409be13da17bfd60d3fbd4b8cb3cc7c26043807264a20b9a5c02725e742fff03e1806b38af357ebf8c79fc4c38b007bf0613286cf063e45482375475e6c426d4f70057cd92efcb2dfe86e45bdea399273a5e0f142221fae206800555c01b18533295f577e23a9a7a0aa072823002b9096501174d3bc4aac33e0dc600", + "tag" : "e6e46495538a977dc006dcdaeb115dad0b88706ad7b80e46f57ea8f910d75c810edc7e7e0b92d129846aec9baef99a2ae8b580825037db6068f760334519689f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 28, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "617063701a568559228544d63a27d3eefeecab50933a989e8a2f5a6d0741a463e504d4c03a1be0e8fce99a20368dc5ac0f60d90ca0c48443f81a51d4c8ac4a74", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 29, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7ec8b68b4548c12f71be13428cbb4ab9fea280421c209345dbf0c985bf6910ddc353f0b2040df3fffc38be8caf863c1a4b504f0ca89b200451a1c310d3e41980", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 30, + "comment" : "Flipped bit 1 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "627063701a568559228544d63a27d3eefeecab50933a989e8a2f5a6d0741a463e504d4c03a1be0e8fce99a20368dc5ac0f60d90ca0c48443f81a51d4c8ac4a74", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 31, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7dc8b68b4548c12f71be13428cbb4ab9fea280421c209345dbf0c985bf6910ddc353f0b2040df3fffc38be8caf863c1a4b504f0ca89b200451a1c310d3e41980", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 32, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "e07063701a568559228544d63a27d3eefeecab50933a989e8a2f5a6d0741a463e504d4c03a1be0e8fce99a20368dc5ac0f60d90ca0c48443f81a51d4c8ac4a74", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 33, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "ffc8b68b4548c12f71be13428cbb4ab9fea280421c209345dbf0c985bf6910ddc353f0b2040df3fffc38be8caf863c1a4b504f0ca89b200451a1c310d3e41980", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 34, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607163701a568559228544d63a27d3eefeecab50933a989e8a2f5a6d0741a463e504d4c03a1be0e8fce99a20368dc5ac0f60d90ca0c48443f81a51d4c8ac4a74", + "result" : "invalid", + "flags" : [] + }, + { + 
"tcId" : 35, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc9b68b4548c12f71be13428cbb4ab9fea280421c209345dbf0c985bf6910ddc353f0b2040df3fffc38be8caf863c1a4b504f0ca89b200451a1c310d3e41980", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 36, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063f01a568559228544d63a27d3eefeecab50933a989e8a2f5a6d0741a463e504d4c03a1be0e8fce99a20368dc5ac0f60d90ca0c48443f81a51d4c8ac4a74", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 37, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b60b4548c12f71be13428cbb4ab9fea280421c209345dbf0c985bf6910ddc353f0b2040df3fffc38be8caf863c1a4b504f0ca89b200451a1c310d3e41980", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 38, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063701b568559228544d63a27d3eefeecab50933a989e8a2f5a6d0741a463e504d4c03a1be0e8fce99a20368dc5ac0f60d90ca0c48443f81a51d4c8ac4a74", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 39, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : 
"7fc8b68b4448c12f71be13428cbb4ab9fea280421c209345dbf0c985bf6910ddc353f0b2040df3fffc38be8caf863c1a4b504f0ca89b200451a1c310d3e41980", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 40, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "6070637018568559228544d63a27d3eefeecab50933a989e8a2f5a6d0741a463e504d4c03a1be0e8fce99a20368dc5ac0f60d90ca0c48443f81a51d4c8ac4a74", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 41, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b68b4748c12f71be13428cbb4ab9fea280421c209345dbf0c985bf6910ddc353f0b2040df3fffc38be8caf863c1a4b504f0ca89b200451a1c310d3e41980", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 42, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063701a5685d9228544d63a27d3eefeecab50933a989e8a2f5a6d0741a463e504d4c03a1be0e8fce99a20368dc5ac0f60d90ca0c48443f81a51d4c8ac4a74", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 43, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b68b4548c1af71be13428cbb4ab9fea280421c209345dbf0c985bf6910ddc353f0b2040df3fffc38be8caf863c1a4b504f0ca89b200451a1c310d3e41980", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 44, + "comment" : "Flipped bit 64 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063701a568559238544d63a27d3eefeecab50933a989e8a2f5a6d0741a463e504d4c03a1be0e8fce99a20368dc5ac0f60d90ca0c48443f81a51d4c8ac4a74", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 45, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b68b4548c12f70be13428cbb4ab9fea280421c209345dbf0c985bf6910ddc353f0b2040df3fffc38be8caf863c1a4b504f0ca89b200451a1c310d3e41980", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 46, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063701a568559a28544d63a27d3eefeecab50933a989e8a2f5a6d0741a463e504d4c03a1be0e8fce99a20368dc5ac0f60d90ca0c48443f81a51d4c8ac4a74", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 47, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b68b4548c12ff1be13428cbb4ab9fea280421c209345dbf0c985bf6910ddc353f0b2040df3fffc38be8caf863c1a4b504f0ca89b200451a1c310d3e41980", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 48, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063701a56855922a544d63a27d3eefeecab50933a989e8a2f5a6d0741a463e504d4c03a1be0e8fce99a20368dc5ac0f60d90ca0c48443f81a51d4c8ac4a74", + "result" : "invalid", + "flags" : [] + }, + { 
+ "tcId" : 49, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b68b4548c12f719e13428cbb4ab9fea280421c209345dbf0c985bf6910ddc353f0b2040df3fffc38be8caf863c1a4b504f0ca89b200451a1c310d3e41980", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 50, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063701a568559228545d63a27d3eefeecab50933a989e8a2f5a6d0741a463e504d4c03a1be0e8fce99a20368dc5ac0f60d90ca0c48443f81a51d4c8ac4a74", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 51, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b68b4548c12f71be12428cbb4ab9fea280421c209345dbf0c985bf6910ddc353f0b2040df3fffc38be8caf863c1a4b504f0ca89b200451a1c310d3e41980", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 52, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063701a568559228544d63b27d3eefeecab50933a989e8a2f5a6d0741a463e504d4c03a1be0e8fce99a20368dc5ac0f60d90ca0c48443f81a51d4c8ac4a74", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 53, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : 
"7fc8b68b4548c12f71be13428dbb4ab9fea280421c209345dbf0c985bf6910ddc353f0b2040df3fffc38be8caf863c1a4b504f0ca89b200451a1c310d3e41980", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 54, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063701a568559228544d63827d3eefeecab50933a989e8a2f5a6d0741a463e504d4c03a1be0e8fce99a20368dc5ac0f60d90ca0c48443f81a51d4c8ac4a74", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 55, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b68b4548c12f71be13428ebb4ab9fea280421c209345dbf0c985bf6910ddc353f0b2040df3fffc38be8caf863c1a4b504f0ca89b200451a1c310d3e41980", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 56, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063701a568559228544d6ba27d3eefeecab50933a989e8a2f5a6d0741a463e504d4c03a1be0e8fce99a20368dc5ac0f60d90ca0c48443f81a51d4c8ac4a74", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 57, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b68b4548c12f71be13420cbb4ab9fea280421c209345dbf0c985bf6910ddc353f0b2040df3fffc38be8caf863c1a4b504f0ca89b200451a1c310d3e41980", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 58, + "comment" : "Flipped bit 504 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063701a568559228544d63a27d3eefeecab50933a989e8a2f5a6d0741a463e504d4c03a1be0e8fce99a20368dc5ac0f60d90ca0c48443f81a51d4c8ac4a75", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 59, + "comment" : "Flipped bit 504 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b68b4548c12f71be13428cbb4ab9fea280421c209345dbf0c985bf6910ddc353f0b2040df3fffc38be8caf863c1a4b504f0ca89b200451a1c310d3e41981", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 60, + "comment" : "Flipped bit 505 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063701a568559228544d63a27d3eefeecab50933a989e8a2f5a6d0741a463e504d4c03a1be0e8fce99a20368dc5ac0f60d90ca0c48443f81a51d4c8ac4a76", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 61, + "comment" : "Flipped bit 505 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b68b4548c12f71be13428cbb4ab9fea280421c209345dbf0c985bf6910ddc353f0b2040df3fffc38be8caf863c1a4b504f0ca89b200451a1c310d3e41982", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 62, + "comment" : "Flipped bit 510 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063701a568559228544d63a27d3eefeecab50933a989e8a2f5a6d0741a463e504d4c03a1be0e8fce99a20368dc5ac0f60d90ca0c48443f81a51d4c8ac4a34", + "result" : "invalid", + "flags" : [] + }, 
+ { + "tcId" : 63, + "comment" : "Flipped bit 510 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b68b4548c12f71be13428cbb4ab9fea280421c209345dbf0c985bf6910ddc353f0b2040df3fffc38be8caf863c1a4b504f0ca89b200451a1c310d3e419c0", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 64, + "comment" : "Flipped bit 511 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063701a568559228544d63a27d3eefeecab50933a989e8a2f5a6d0741a463e504d4c03a1be0e8fce99a20368dc5ac0f60d90ca0c48443f81a51d4c8ac4af4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 65, + "comment" : "Flipped bit 511 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b68b4548c12f71be13428cbb4ab9fea280421c209345dbf0c985bf6910ddc353f0b2040df3fffc38be8caf863c1a4b504f0ca89b200451a1c310d3e41900", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 66, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "617063701a568559238544d63a27d3eefeecab50933a989e8a2f5a6d0741a463e504d4c03a1be0e8fce99a20368dc5ac0f60d90ca0c48443f81a51d4c8ac4a74", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 67, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : 
"7ec8b68b4548c12f70be13428cbb4ab9fea280421c209345dbf0c985bf6910ddc353f0b2040df3fffc38be8caf863c1a4b504f0ca89b200451a1c310d3e41980", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 68, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063f01a5685d9228544d63a27d3eefeecab50933a989e8a2f5a6d0741a463e504d4c03a1be0e8fce99a20368dc5ac0f60d90ca0c48443f81a51d4c8ac4a74", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 69, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b60b4548c1af71be13428cbb4ab9fea280421c209345dbf0c985bf6910ddc353f0b2040df3fffc38be8caf863c1a4b504f0ca89b200451a1c310d3e41980", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 70, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063701a5685d9228544d63a27d36efeecab50933a989e8a2f5a6d0741a463e504d4c03a1be0e8fce99a20368dc5ac0f60d90ca0c48443f81a51d4c8ac4a74", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 71, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b68b4548c1af71be13428cbb4a39fea280421c209345dbf0c985bf6910ddc353f0b2040df3fffc38be8caf863c1a4b504f0ca89b200451a1c310d3e41980", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 72, + "comment" : "all bits of tag flipped", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "9f8f9c8fe5a97aa6dd7abb29c5d82c11011354af6cc5676175d0a592f8be5b9c1afb2b3fc5e41f17031665dfc9723a53f09f26f35f3b7bbc07e5ae2b3753b58b", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 73, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "80374974bab73ed08e41ecbd7344b546015d7fbde3df6cba240f367a4096ef223cac0f4dfbf20c0003c741735079c3e5b4afb0f35764dffbae5e3cef2c1be67f", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 74, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 75, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 76, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + 
}, + { + "tcId" : 77, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 78, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "e0f0e3f09ad605d9a205c456baa7536e7e6c2bd013ba181e0aafdaed87c124e365845440ba9b60687c691aa0b60d452c8fe0598c204404c3789ad154482ccaf4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 79, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "ff48360bc5c841aff13e93c20c3bca397e2200c29ca013c55b7049053fe9905d43d37032848d737f7cb83e0c2f06bc9acbd0cf8c281ba084d121439053649900", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 80, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "617162711b578458238445d73b26d2efffedaa51923b999f8b2e5b6c0640a562e405d5c13b1ae1e9fde89b21378cc4ad0e61d80da1c58542f91b50d5c9ad4b75", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 81, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : 
"7ec9b78a4449c02e70bf12438dba4bb8ffa381431d219244daf1c884be6811dcc252f1b3050cf2fefd39bf8dae873d1b4a514e0da99a210550a0c211d2e51881", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "keySize" : 512, + "tagSize" : 256, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 82, + "comment" : "empty message", + "key" : "eef6bcf16ef7ae17326a33f22d1406ec1bd3f866505f4b2e4fe8b45bd62ccbd85032a9899facf2db0c93a2345cb8892afb74db549781211dd8881a8c8e25c171", + "msg" : "", + "tag" : "a2408e6044d91093d34c1f283c19c014e739e2911c01baa0a3079e73d7c8e1d2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 83, + "comment" : "short message", + "key" : "838696e6190c874c3717b8be0cf063ca6d60760987d1a33703e7e35eb173e5ae954e741a37935139d612149e76f6ab2a370604f5b4a68bee87e309240a9ba3d6", + "msg" : "d8", + "tag" : "38497695114208d90af884f6485e942af1e42963c32d8ea0b46a52eca970afef", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 84, + "comment" : "short message", + "key" : "fa999ed1cfbc5c43afb16f22d024e3ce645e00b06712c93b946167c9c2c037d192f0f3003f87c43a71166fe1a3c5824c348673a2f0f3c475706985940f6b02a2", + "msg" : "cad2", + "tag" : "6a0d324e2b498d57fdcc1d4b052de9fbc0086627ebd0e9cfed82dbc8b54a0b5f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 85, + "comment" : "short message", + "key" : "b53fced8b7b4aa59d3b56d91e1386763c39e351c2f5ad6a4885e442ad894d5181c5bfe5c05280a84ad19d758e359bf8171fe652988fcf9d1458ea17364ca8fa9", + "msg" : "d3393c", + "tag" : "3f23eabdb750c10f3232a4b396ff97e6df1a4626c1383caafbf5e6aab0c5510a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 86, + "comment" : "short message", + "key" : "3f0cbeebe391c6491e77c57a05e85a16f0b5294d19f9a7f3390baf7a2051fbf980e041ee45c9104a9126a6a7ec182eaec27a99c1a7a3f5a1e8cd8ffde60641dc", + "msg" : "bebb0392", + "tag" : "ae3ee84825ec607adcad8ad70ce1b6cfc7206f4f9d5046812073f6a3d48ef133", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 87, + "comment" : "short message", + "key" : 
"4a7f110b92241badc907ba3c61477bab0953a851bf327425e858fc724bd33ede2a4a5018fe71aab434bda8eb2464a41577c8d570530c460f7c8bc0172f1ee0f1", + "msg" : "40a333f4cf", + "tag" : "e3a52f9388f9af038298b778123fcdf5ea58712bc5b46f1e4cdcae98f2ab2e09", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 88, + "comment" : "short message", + "key" : "c6c95bf9facab295cebfa4b907855874f57a5c1548576ad8bae694a364f5e58dbb8c8dd49330b2fdd1b71657d211db2a6569a9f3a356c0c5b3c4efbd5b6777cb", + "msg" : "4cf926af475a", + "tag" : "29e274b1851fa268e0e02e3b450469ce4a69762e45af8afca567776967955de6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 89, + "comment" : "short message", + "key" : "0d3387fe59e8e7c43c928dac7913826dec4d63ac3c8ee346ba7caed9505b9e63ff8942cde90997e8dbeaf6e17ee187c0a84a1853952d866c15f9a32fcee6a82a", + "msg" : "2ba3bc3cd64bc6", + "tag" : "e049f480934a3ccc5b483874ed6eb992f94557b303f44721f7ba72b6c762b108", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 90, + "comment" : "short message", + "key" : "3cb9ce565388a6f0454a80add86c7e107ea537d7f468a0648930fc37172cf7b4ca9058033071c354a20a608e2d46e98afe46435a344362989cbaafac18859bba", + "msg" : "33ce498e1f94f412", + "tag" : "91749d95bc706cb8c1f14f6a61342c44f59a963644b9fd35d58a09e1071e4ee7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 91, + "comment" : "short message", + "key" : "c25f45ceb2a5597f361445fa41a9019f41a6e6d7f144203f29c0b9fcea362d60894c3cadc1ce25d53da362e464c11fc6e169e3db2ea1cf40fe08fffb429b1a5b", + "msg" : "81978af4795c50f89c", + "tag" : "08550f63be595cd9ba3c66e33b19bd2739bdfaa4eec9acdd9823a214538d322e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 92, + "comment" : "short message", + "key" : "b458764ee273f391cb718f64a1bca64c96a870d9426d6254ee37e5c93898d6a5ef68e9d3b0e057a3c396faa834a29926a9680cfa903d2a605b85407bb24c8cee", + "msg" : "d804dc2a1e146f62b621", + "tag" : "d5572726cc7521ef30e0d8390ca521a57f039da4c45f1275fe67c3121c7008b5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" 
: 93, + "comment" : "short message", + "key" : "7cbc5778f70595fc211cee3a93e17ff7f25a1d9f3766f8eb70eb1e08c9420a62bd89e8b7d834cc854d059afd413e4d9c062a532e015928528c7f5812dfebecac", + "msg" : "4017e0ffcaac4c485ce7ec", + "tag" : "7e0836625892a37523ee178eb16f785396602fca5addb0006fa6907c530fce0c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 94, + "comment" : "short message", + "key" : "937b9711d670daa2359920e47dd6d0fb75275105b3ef07bb4a31d3c4b99baa8ff79ee4b4a1b4a5b250d0fd7b4721e04a7b06035b1d0c9d739597707839018bce", + "msg" : "6991810e9788af7aabff8eb4", + "tag" : "5b36f377078ce820bd33759a85691efc2053407fd86a3e4946da1e38a4557ab1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 95, + "comment" : "short message", + "key" : "ad37630a280b1a75ebed1984217150a400a55dca2362a8eaf3c907858d0b45db3e208c316d033854eb4284f71117d33876e0e203ca922d26f9b76d94cab0d4f3", + "msg" : "7c6f2fd83e5691827be38e49a0", + "tag" : "c15a7f38007bc32c61d912b30889d6f5c624ad0e6e2e3fa41af2d3295b0259b7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 96, + "comment" : "short message", + "key" : "526aa2645ab71229e2c60f68bd5bbcf0cea0978a0a9c60cf695e81fecaedecfa0362c21747eaa995975208ca35cfa6bc2b95d1c2afcee11275f43add6f026d6c", + "msg" : "681bca550fe301f2dcc1e38b53c1", + "tag" : "87a7e6448d64e006339487b2d93409f00f1dafc0dbfe35a361da264f251ceb71", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 97, + "comment" : "short message", + "key" : "6026a9047a07ccf197fde09c8b9f15f34bc52472b7d1ea4673b4914a0e1c3aa4cfe8d6ef12d4d4019f5ff3ac0adcad7358490874155daf41da2f74aca1cd894a", + "msg" : "ce1d869c53041c5f6acdda7a05af15", + "tag" : "b44c984a2241527545d9cf755663346ba82841d039a3e2aae56b40020a6be1f4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 98, + "comment" : "", + "key" : "a03d2c543c302949c51b662f43114c1305a8f6961ae48342803d3690dc18255fab924965536a79bc38564c7c97cb8cc0209786e9f76375bf181529cf7f93d954", + "msg" : "697617ae31f19b8a6ad4b8489bfc3db1", + "tag" : 
"1827375ec9d32581adfe2347984e33c0fd95362d158fe6a7ca07e084557e2b40", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 99, + "comment" : "", + "key" : "25843665d39c3ae9a7b3e4427e2bf7785281fd2594bdde67860ca9b8fa11646469d1645ae8ca3825b8c551f9eac3da0660d8c2e2e3bd23d34395c6775dcdfd2e", + "msg" : "74082cc5d14db1967442d66aac6092bd23", + "tag" : "6bd2e4c2fb8c4849065ebc921b4fbea6de5af848fc9d22ce60b1a3ed536b4eea", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 100, + "comment" : "", + "key" : "4831ab4962a2d2436091cbbf388d2ba042b472a262ed8373c85d047c702adf73a87eb097e72d91d089b7d1504a7f7d8abb3bc2c44c1340d6c16c84ea9269e64b", + "msg" : "2803c2f4e5b4bfccd2b407469a6cb5ef21fd14a682636397", + "tag" : "ab6570dd52670051d6879591618a582a15d5bbac995a09d6aeb97e52bbca2296", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 101, + "comment" : "", + "key" : "449bb57d046551e1819b3c994122c3605954317d0d76212284a3328c226732cbf4ecb442a582c8423888aaed946e5eec2be66e127f1e2e29b66e68b9b4bec4d1", + "msg" : "79004e644389a11b709bc0a23cb8592f9fc7960bfa46132cc1ffb9747df37dec", + "tag" : "023ffaeb8ee50eb1869f51384011af14c9c99610058a9cc3ba871e3c56fd2ed3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 102, + "comment" : "long message", + "key" : "ff97b77020861a0ce00eff8de9e701aea8c6de0fffd9b4c1342a416d357fce35a7016c64ccd38e2bdf674802281c2234153dd83aacb948966dc87ea4718fff75", + "msg" : "d7e2d2437b7067a30f04529041960e041e281737d1e0daa8cd50cc0b264716e117aa2fe9a7e39c2f178c607faa50c2", + "tag" : "cee096bbd66cb2a500f279aa34418e7c690dd1f46dbe2348d1fd04190ed78cd5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 103, + "comment" : "long message", + "key" : "f4daf370c4f437d8a85391ec455e34540be8d32df8dfac05b166ae72ec1cc608f8c177b30dde8bf07c9d434732c26a6e530b182c7ab21093eb79d0bb5be85e53", + "msg" : "f60418f6c54a25fabf518273088619c0741c1c7187de93a0cf6a03f4565f1765de656754541b860137f3f8455de7c403", + "tag" : "3b260d9bb6d9b18441e07e96c3f3f19a97faec005e98ad3b3566486724dec695", + 
"result" : "valid", + "flags" : [] + }, + { + "tcId" : 104, + "comment" : "long message", + "key" : "3be95e879421ed7856269eef39a2070fae406cec5e30b50d92792df5a37de98595684eaa9205587ca607eeac8f96592f458f63434b7dc82596d3e4a1a16c3d59", + "msg" : "c64f7c970a441c6c503838a491308c783099eac52bd35a217978a64dcec84d34186ab3b74f20285d6fea2165eab4da3d2c", + "tag" : "67329f88b1e99c978ef50b2bccf8a405d4f9ea3f0d10703fe4b335a829f76008", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 105, + "comment" : "long message", + "key" : "b5eb53586b948587db3dd46c43ad65498a5079157562e4074c9c20d097d0c97f19db4661fb2dd11b87a5ccba2c345642618f561d00bf87dffc66762e45e0156f", + "msg" : "9e8ebf96429955d60b925a4111745ec7028de24e694a6d2eee1dbd5e820ab9f00beafde09f95095933a02f251297282b0cf67c518397655841f230e1d9ae5ba93150d4375dc7c0738b99850b07d5a442994e68dc813d55edefa6cd063ccb202711d97ba674efa02ddbdc692341e77cfa", + "tag" : "52bb6b6d0018135187e7265883815d904a57434e68a0a868676059adfb5727b5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 106, + "comment" : "long message", + "key" : "fbc678235d596980268730a7aa8a3c25095f1dbcf7f830990716a510c44e62b1ae8ce095c65e1852bd8a09f25ab93415ae736f22b2c68ecdf3c0f71e15a057dc", + "msg" : "ef395738f2b3bd7a0649eea75e734e5c79baf21358c7ae96c63a58e260266c7bfa869664c5d10e87c26d0f5edb3b5f73900c1d9a96a5a2c2912506c19dff04e900b8d5d63e1bb606fe3d5a229b642b1ac59e08a4687a7aade3de16d183131ddd02da988ff826e88b74ba0c5c41cfcd8570cca59fb3304d588f7f7e63dad47a", + "tag" : "fe957b5c1a0f337e9f119c8eb8398d2c5bdedbd1f84af785b5d365e07d4740b4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 107, + "comment" : "long message", + "key" : "d8437b093e170afc30fb68d873db6dd67ee0372b6c5feb124d548abbd93304a082235a170a9d326268d0cfc34264d8ebcfcbcc0dc0ea7767b650dbcfc7848f91", + "msg" : 
"0fb91bb043cf3d49341482eacbab92da92117bb6ec03b518a93c9d59e54702c6a21ade4f255870cb52da4a24b36856b0cbf8b122d2fd5b0219aeacb6e292c95863921789092d5d65d5a9389231670e38be31d8b76630650c77edc23773d5ec9189915560ef6f45a4275f85957d8762916d8147ef43ea6f438d066227354df26c", + "tag" : "5e08a2cef9370a6f040788b716e27b6094e4d9f6549ffd6f69ead6610dbd7ac6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 108, + "comment" : "long message", + "key" : "d29225e3042b43d4eb7a9399f224424b5b4dd99031c8abf609d3a6e3175897134cc7ba8a6be25d436d41a757a2daa4e1b03f7c3053ee8cada19531d48dab93e0", + "msg" : "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", + "tag" : "3b28ef1afeba82c4123956e6b902107984b2938d82912e84868c195768769086", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 109, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "617063701a568559228544d63a27d3eefeecab50933a989e8a2f5a6d0741a463", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 110, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7ec8b68b4548c12f71be13428cbb4ab9fea280421c209345dbf0c985bf6910dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 111, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "627063701a568559228544d63a27d3eefeecab50933a989e8a2f5a6d0741a463", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 112, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", 
+ "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7dc8b68b4548c12f71be13428cbb4ab9fea280421c209345dbf0c985bf6910dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 113, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "e07063701a568559228544d63a27d3eefeecab50933a989e8a2f5a6d0741a463", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 114, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "ffc8b68b4548c12f71be13428cbb4ab9fea280421c209345dbf0c985bf6910dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 115, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607163701a568559228544d63a27d3eefeecab50933a989e8a2f5a6d0741a463", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 116, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc9b68b4548c12f71be13428cbb4ab9fea280421c209345dbf0c985bf6910dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 117, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063f01a568559228544d63a27d3eefeecab50933a989e8a2f5a6d0741a463", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 118, + "comment" : "Flipped bit 31 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b60b4548c12f71be13428cbb4ab9fea280421c209345dbf0c985bf6910dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 119, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063701b568559228544d63a27d3eefeecab50933a989e8a2f5a6d0741a463", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 120, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b68b4448c12f71be13428cbb4ab9fea280421c209345dbf0c985bf6910dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 121, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "6070637018568559228544d63a27d3eefeecab50933a989e8a2f5a6d0741a463", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 122, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b68b4748c12f71be13428cbb4ab9fea280421c209345dbf0c985bf6910dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 123, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : 
"607063701a5685d9228544d63a27d3eefeecab50933a989e8a2f5a6d0741a463", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 124, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b68b4548c1af71be13428cbb4ab9fea280421c209345dbf0c985bf6910dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 125, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063701a568559238544d63a27d3eefeecab50933a989e8a2f5a6d0741a463", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 126, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b68b4548c12f70be13428cbb4ab9fea280421c209345dbf0c985bf6910dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 127, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063701a568559a28544d63a27d3eefeecab50933a989e8a2f5a6d0741a463", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 128, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b68b4548c12ff1be13428cbb4ab9fea280421c209345dbf0c985bf6910dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 129, + "comment" : "Flipped bit 77 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063701a56855922a544d63a27d3eefeecab50933a989e8a2f5a6d0741a463", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 130, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b68b4548c12f719e13428cbb4ab9fea280421c209345dbf0c985bf6910dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 131, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063701a568559228545d63a27d3eefeecab50933a989e8a2f5a6d0741a463", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 132, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b68b4548c12f71be12428cbb4ab9fea280421c209345dbf0c985bf6910dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 133, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063701a568559228544d63b27d3eefeecab50933a989e8a2f5a6d0741a463", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 134, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : 
"7fc8b68b4548c12f71be13428dbb4ab9fea280421c209345dbf0c985bf6910dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 135, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063701a568559228544d63827d3eefeecab50933a989e8a2f5a6d0741a463", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 136, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b68b4548c12f71be13428ebb4ab9fea280421c209345dbf0c985bf6910dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 137, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063701a568559228544d6ba27d3eefeecab50933a989e8a2f5a6d0741a463", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 138, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b68b4548c12f71be13420cbb4ab9fea280421c209345dbf0c985bf6910dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 139, + "comment" : "Flipped bit 248 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063701a568559228544d63a27d3eefeecab50933a989e8a2f5a6d0741a462", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 140, + "comment" : "Flipped bit 248 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b68b4548c12f71be13428cbb4ab9fea280421c209345dbf0c985bf6910dc", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 141, + "comment" : "Flipped bit 249 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063701a568559228544d63a27d3eefeecab50933a989e8a2f5a6d0741a461", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 142, + "comment" : "Flipped bit 249 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b68b4548c12f71be13428cbb4ab9fea280421c209345dbf0c985bf6910df", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 143, + "comment" : "Flipped bit 254 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063701a568559228544d63a27d3eefeecab50933a989e8a2f5a6d0741a423", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 144, + "comment" : "Flipped bit 254 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b68b4548c12f71be13428cbb4ab9fea280421c209345dbf0c985bf69109d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 145, + "comment" : "Flipped bit 255 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : 
"607063701a568559228544d63a27d3eefeecab50933a989e8a2f5a6d0741a4e3", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 146, + "comment" : "Flipped bit 255 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b68b4548c12f71be13428cbb4ab9fea280421c209345dbf0c985bf69105d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 147, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "617063701a568559238544d63a27d3eefeecab50933a989e8a2f5a6d0741a463", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 148, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7ec8b68b4548c12f70be13428cbb4ab9fea280421c209345dbf0c985bf6910dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 149, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063f01a5685d9228544d63a27d3eefeecab50933a989e8a2f5a6d0741a463", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 150, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b60b4548c1af71be13428cbb4ab9fea280421c209345dbf0c985bf6910dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 151, + "comment" : "Flipped bits 63 and 127 in tag", + "key" 
: "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "607063701a5685d9228544d63a27d36efeecab50933a989e8a2f5a6d0741a463", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 152, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7fc8b68b4548c1af71be13428cbb4a39fea280421c209345dbf0c985bf6910dd", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 153, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "9f8f9c8fe5a97aa6dd7abb29c5d82c11011354af6cc5676175d0a592f8be5b9c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 154, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "80374974bab73ed08e41ecbd7344b546015d7fbde3df6cba240f367a4096ef22", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 155, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 156, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : 
"0000000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 157, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 158, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 159, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "e0f0e3f09ad605d9a205c456baa7536e7e6c2bd013ba181e0aafdaed87c124e3", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 160, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "ff48360bc5c841aff13e93c20c3bca397e2200c29ca013c55b7049053fe9905d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 161, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "617162711b578458238445d73b26d2efffedaa51923b999f8b2e5b6c0640a562", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 162, + "comment" : "lsbs changed in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "7ec9b78a4449c02e70bf12438dba4bb8ffa381431d219244daf1c884be6811dc", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "keySize" : 256, + "tagSize" : 512, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 163, + "comment" : "short key", + "key" : "14d93759fc28f3319ab74b8167c974e800f032344dc2747ec0f4945061a47827", + "msg" : "", + "tag" : "bfbc9e095822745f9bae15ee3418f330e63891a2972fbfe1045165d8b5fbd288061973ed40ba310b85e7e6dafb9dfb4c29c4de7969499c67aa2ccaa48c63178f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 164, + "comment" : "short key", + "key" : "9fa371f36fb273d514fd628cb938067a4bae32a19a1e045a7d6d7f6de3751cbf", + "msg" : "311bbf722d322cd7a0710f480fc66518", + "tag" : "5d6619bd88bdd18aaafe2c3773d8a92e6617e741196d0c2e9d5271fb9abebb72b520bce1e1f147d861be15734ab25c93437e1058bb44dddb8104185521785099", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 165, + "comment" : "short key", + "key" : "6313f1526bc220f20dde1e64ced8597279586d1e15aad05ad591d841b369284f", + "msg" : "f744fa3933e16d8bf524afaeb34c715653a9cfb01fa45fe1fb68e701fe1487ca", + "tag" : "20df7e320ef62fd4b347193de868516a0b4c245546f1e6b43f5ac42f1cff66a56d214b1bbf7d32849fee3a2c6dee8a8fe209e6e28c6e2416b9cf95ebc10fc8b8", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "keySize" : 256, + "tagSize" : 256, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 166, + "comment" : "short key", + "key" : "1e225cafb90339bba1b24076d4206c3e79c355805d851682bc818baa4f5a7779", + "msg" : "", + "tag" : "4e35e7b4b0029d62e3a765c2a41d19f512d77468f8a43860f933f13306bf6204", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 167, + "comment" : "short key", + "key" : "6fa353868c82e5deeedac7f09471a61bf749ab5498239e947e012eee3c82d7c4", + "msg" : "aeed3e4d4cb9bbb60d482e98c126c0f5", + "tag" : 
"4b08479a99964744881a02f32435b60bf83ea5036835a0be2b3c6544d502cd95", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 168, + "comment" : "short key", + "key" : "186e248ad824e1eb93329a7fdcd565b6cb4eaf3f85b90b910777128d8c538d27", + "msg" : "92ef9ff52f46eccc7e38b9ee19fd2de3b37726c8e6ce9e1b96db5dda4c317902", + "tag" : "318cc3d4a8a10830975458cf984196980c0f3f5ff040e3478ae29b287663752f", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "keySize" : 520, + "tagSize" : 512, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 169, + "comment" : "long key", + "key" : "dd1e0bdbb6b60862176484f3669da531455f1cd714f999c29f08b851055fee8d72186d376c236f4e16cba7a25cba879fb2753deca4459aaebc6f6de625d99af330", + "msg" : "", + "tag" : "dca1d28776d636773d4397b792323d315dab2fdbf7027e9ce6b216db7a35505686a1ea0a410a1473c7c0ca737b4ece05c82e8aa5203db9863677495013dbfd48", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 170, + "comment" : "long key", + "key" : "432b311ebcfd46ecfcd3cc706ebd05c787dfbe1855fdcfce8d50c9a00f72b65a8d42acec335b4e07d544c92fd7b1d38543ac6e0fc04c26d88de8dd974af69e24d7", + "msg" : "36b1fbe8f1335e7c0399c24730906420", + "tag" : "c0ce831930455d18917c4e4f097f2000db8b295041ce822cfe67b9106fabf4800916f75fa00fb9c49eb7cfb7aeaef3170a4575db66161d2035efbc132957f1b3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 171, + "comment" : "long key", + "key" : "17f720f09df5972af9b9c63e10043284608900d50b7955db3b4e2679cb4120be2c9b9e2aa1a5743eb519792822c326b4d890b5554d1cb0eb71081b7569a2f04df7", + "msg" : "57167c2524a55289687b83a40d3a69bc90adc53ad247020b88897f9b95d1516d", + "tag" : "677530c17b888f416a303f32a3a8b0d707eafbb65845ccfe0b963b7666601385e0daf21b0affa1070109e0812135b7e51e001168e08d17da1106e40d47f084f4", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "keySize" : 520, + "tagSize" : 256, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 172, + "comment" : "long key", + "key" : 
"8a0c46eb8a2959e39865330079763341e7439dab149694ee57e0d61ec73d947e1d5301cd974e18a5e0d1cf0d2c37e8aadd9fd589d57ef32e47024a99bc3f70c077", + "msg" : "", + "tag" : "0fd5265ee5f787925a827b5f68f9f45460afd232db4a7ad6a09c817dac9f1c68", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 173, + "comment" : "long key", + "key" : "2877ebb81f80334fd00516337446c5cf5ad4a3a2e197269e5b0ad1889dfe2b4b0aaa676fac55b36ce3affc7f1092ab89c53273a837bd5bc94d1a9d9e5b02e9856f", + "msg" : "ba448db88f154f775028fdecf9e6752d", + "tag" : "1ea78bfb221933ddb7dcf5b08f0ef34771143e2cabc6b0b8d4552fa1286dd5ce", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 174, + "comment" : "long key", + "key" : "21178e26bc28ffc27c06f762ba190a627075856d7ca6feab79ac63149b17126e34fd9e5590e0e90aac801df09505d8af2dd0a2703b352c573ac9d2cb063927f2af", + "msg" : "7d5f1d6b993452b1b53a4375760d10a20d46a0ab9ec3943fc4b07a2ce735e731", + "tag" : "e8db4b9925ad01399a25be1b2e9b08288f50bbe7ece18a279134806bef69d9be", + "result" : "valid", + "flags" : [] + } + ] + } + ] +} diff --git a/rust/tests/wycheproof/hmac_sha512_test.json b/rust/tests/wycheproof/hmac_sha512_test.json new file mode 100644 index 00000000..b78a7aa8 --- /dev/null +++ b/rust/tests/wycheproof/hmac_sha512_test.json 
@@ -0,0 +1,1622 @@ +{ + "algorithm" : "HMACSHA512", + "generatorVersion" : "0.8rc21", + "numberOfTests" : 174, + "header" : [ + "Test vectors of type MacTest are intended for testing the", + "generation and verification of MACs." + ], + "notes" : { + }, + "schema" : "mac_test_schema.json", + "testGroups" : [ + { + "keySize" : 512, + "tagSize" : 512, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 1, + "comment" : "empty message", + "key" : "5365244bb43f23f18dfc86c09d62db4741138bec1fbddc282d295e0a098eb5c3e37bd6f4cc16d5ce7d77b1d474a1eb4db313cc0c24e48992ac125196549df9a8", + "msg" : "", + "tag" : "d0a556bd1afa8df1ebf9e3ee683a8a2450a7c83eba2daf2e2ff2f953f0cd64da216e67134cf55578b205c8a1e241ba1369516a5ef4298b9c1d31e9d59fc04fe4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 2, + "comment" : "short message", + "key" : "00698977f7102c67b594166919aa99dc3e58c7b6697a6422e238d04d2f57b2c74e4e84f5c4c6b792952df72f1c09244802f0bcf8752efb90e836110703bfa21c", + "msg" : "01", + "tag" : "4d1609cc2c2f1ab5ddc35815ae1b5dc046f226bde17ec37a4c89ec46fbd31af2aeb810b196dffdd11924d3772bef26a7a542e0a1673b76b915d41cbd3df0f6a6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 3, + "comment" : "short message", + "key" : "ed6dc65dbeaadbdaab530a0d35f19f78a7bd93e698546c82751bf650c2a44fc8529033d088febeed288fb4c8132a59df0207687640c76dcdb270ac3af5f042f1", + "msg" : "a78f", + "tag" : "0757b27e120559d64cd3d6e3cb40d497845375815181bd9b4e74f2189d09d01a1b3ead53701380d988958ed22bc379ace9d47cbcac1d49bfa7e14f1f44804c30", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 4, + "comment" : "short message", + "key" : "463c5e696da0ec0d784388be775d1d91d94746aa8d3d2c209f56ac95ea54e7288329f9fb40be4eef35547e64c61dc51a4a1f3380a2b96420f088655ea9d85b97", + "msg" : "e956c1", + "tag" : "ac4b1509391814ae5cb5a123e7a060601575c11d81b563bdc52febe6bb2c747b85eeddcb6748c98147a46a1cc9be6776d1a8e82ae4896b9c18da2ff351c56795", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 5, + "comment" : "short 
message", + "key" : "4bc0d32e945cfdafd20d39be3820f9649727cbda5ab5859953a322cbde1ab7a514d7dcd14ba90905e70919bb86b85cfeaa375ee2ce2703711b938c8f4ab5f178", + "msg" : "b2aa48b3", + "tag" : "c4ecdbd2efb17640ce6707e2e9d0ee5bfb98b91584bc86ab386437eaa37b0f2eb70500361105416c0dcecff389dc94c723fcff18cb801740962312007a195a23", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 6, + "comment" : "short message", + "key" : "aca47f6350941a0efd8c3bac9064a554be337cde7d192f6fbf86d1b4db09b36531165cbae0a634206f71fa400df33352fff60e1fba4009ac6671cd37312bdd98", + "msg" : "bc993b1db0", + "tag" : "89af2f5746cab89fda6993e00f1bf0cc70a77188945bb7b5409b536aec5533ad501db6ecfa3e516b580b7df9c8eadb3cf556ccc01668be984335bd5a6255d566", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 7, + "comment" : "short message", + "key" : "b3ecae6f25c2f699f158b3ffcd0a7a575583e4c9cb56b5c22ef4273cde6c6734e84d7400749c17e47e8cfccafaf8b50c65eb47dfeb273d5d30a1181e37b27ad0", + "msg" : "f0361d58291e", + "tag" : "4037a57aa279b5a07abe9389dcf508be9495a8257dcb3feba3f0801cd57574c30bfddc6df5df6567cd572c4e82735fd4e67b65e85b030f183a7f4457fb7d2c3d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 8, + "comment" : "short message", + "key" : "70ff24a252d65183bdc6b7c88751f850821141a61246727c3240b4f96088ae3278767a822b65735a28ccebe4c874bcb2c942882cb23f9dd87fe08fbaad5ae72f", + "msg" : "e18da3ebf0ffa4", + "tag" : "878d488754bc796c70e11d5db77acda2e1796d86146e27d862586740c4d488ed12239e6fb4ab2925afc88168609edc048f8572536fae96e149d73d230b18db66", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 9, + "comment" : "short message", + "key" : "dd4e05933d09711ee88cb4c1ceb3600b2b33808bc08d499387b331d9c7af49bc65b55172cf8083385a940e4b864b7b4b73ddf3bd513a6cbcac73878a879b4d06", + "msg" : "66948029351432c3", + "tag" : "9968a16eff2b4eeecb2f9d11fcb105e8d8ca59ed4e69131c9de599cd8155fa4f33def1195a6b452263aad9265e16d4951841d7cd33c74c475da04497c02922ea", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 10, + "comment" : 
"short message", + "key" : "fbd32caf8984fc4376d10daa7288db8e6e74464bdd94b448adab4497b319e9a6dcce542f82a7ff2e775d12477c880e460a9eab8efc49fcfc8c5476cb4b08954a", + "msg" : "38a2586a2883953cc4", + "tag" : "e0c69bd034cdec5b48150fdf3a4383456a7626d4405df52dc6c2bc8fe93bd87e369e06a781ed80ba8b1fe1146c4df82b6a514412358b31b77b9b79c7a91ec9e4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 11, + "comment" : "short message", + "key" : "fd4c3f6b2137513616c28ed4d8638f867ad0b97188b73fc9b36f3d52b82d72a49b9dc1b8b25397eb448054a8d38d838e7a88b4df9c263aea1b968771d5ac5756", + "msg" : "86b4e61b3b7d650044ad", + "tag" : "29345d7da44e2f228e8d502e29fb655da3676a481f9947c8482502ce070b3da5065589d84c02a05cd774b4bd5a15b668c59bafc192695aec43e5df3a82301745", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 12, + "comment" : "short message", + "key" : "f95baea535f477d22b405c67d927f59a9e042c46297a1681bcc16fdbe1b2cd59675a221351a78075981e7eb4998066768801cbd7a85231114d7f27f9bdf24899", + "msg" : "5a34dee4e0982d458efffb", + "tag" : "63867bb3e82bd4a5f715b3dd67ba3625666e458c5e3d75804709f80b6dde6f774ea223ba9e2536c60ab636dd12d07b217234a490ea9cae4fe673215d33f8c57a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 13, + "comment" : "short message", + "key" : "4d76ae95a123207e01c6d22d8b587e63ba682963e50961afff531160a9b9aac6c772c5e8bf918ddecbeb56455ea64710e51ac21e3bb9af4b24eaa8535b3c2924", + "msg" : "2c31f2d986f68a6d6a96c4b0", + "tag" : "9d4f9549ac134a6f60f17fd0fbc80f55426afa73cdaf84a806d98dfffc94263178116f76aadca95a9243a9128f5f66d3e7f33e72603d4b35ab90ab7d1e870ad7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 14, + "comment" : "short message", + "key" : "0da7fa1f5d217951e3e343cda81f232deb71764eb49e8510bc28dba8eb62afa2a98b6f0536adb10250c74878fe649f47bbafdf3f722fa150f66e83f65f606ab0", + "msg" : "83511de190663c9c4229ace901", + "tag" : "11bd76ba2fd5684e3faadd44abc05d32661472ae4c75fd69e62e47a2d462e483ab5fd374070e648017250934d486fed55e68f4338547fb5dc54d4bed894c1c2f", + "result" : 
"valid", + "flags" : [] + }, + { + "tcId" : 15, + "comment" : "short message", + "key" : "cec9e9f25ed9a017004a7882b1e44e8bd8fa3203c50cb6058455ed4f2a036788d46fcd328327d0d86b1abae69f7bbb96e3d66373ec8bd45075890879a83f4d33", + "msg" : "80dcd8ba66f98b51094144e9b8bd", + "tag" : "c69f1787bf7804bfffd9da7e62f58c1c9f599ccae2ed4fc6abda1be48620afc797d59d4adb396e1fa5d18b8c1aa1c7c15218a9f9e3aab226119adad742641089", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 16, + "comment" : "short message", + "key" : "bbe25649ecdf54ae0028fb923cc8c28ec00e10e2d44214590781238a143b75d54efb037eb9f53082a8ab3d8876daf4dbdc2483c4ba222797fe20da3b7730368b", + "msg" : "33f630088c0d24cda98caff1a3afc7", + "tag" : "c803ca833e851418a3d9ed764f8c83f481060141eb1b2bf64d7ee7991b041c48bfc747bce13d69722f63944085cef8e7a166270530fe31a2a525a99b8a75f1b1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 17, + "comment" : "", + "key" : "f5e2b9e2313f4f807cb3a924a7d4943fc3fb475d8f1a1b40ce09a37770f621af8977729cadf986c98c75f08a4fab4280538e09e7e51e87a8d62c03411bdb8d24", + "msg" : "74ef623c83275ae99745bff7e6142afa", + "tag" : "471055f7a2d44758e7d7837db85c33626b8306760eb45e18d4ba8dfbcd0d4279fcf8b539ef7b165eeabf5457ee2c41e52d07e9121da02c988f08162f86bdf208", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 18, + "comment" : "", + "key" : "8e323d5fb4752d92a6d905c512b287d07b21ae50002d026ff0388e1593bde9998dd02321e200d148f5fa2e824b37e9f5a77441794b840bedd552d1051c1ddd8c", + "msg" : "4daa229b009b8984354c2ec3e7973e0042", + "tag" : "93a2137cc84e2fa1439d7c239767b3ce653d634c58a4590eb61af9d3ef986445220aff3554de45a1b0933fa06d3d64460418910977d8d9ddb2eb04963c816841", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 19, + "comment" : "", + "key" : "465bc1ab2125cca29729d01df044e393b0677defdd939280a3aa141224efa06457e623056d02f6c36eca3dfc4a7476dd36b97d0c2d60c7672129189e73b6af8f", + "msg" : "dd84599b47ba9ae9f2ad0c8eac678485433eb6b1dfb7c998", + "tag" : 
"9fff43a83c71833211f9d60eeef4166965c41a37c76634b1bdf9c5291df75dc877668f2287bcf8108ea9e03d061a708db2db08687eda61fa97b1ca92dcf22b92", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 20, + "comment" : "", + "key" : "b90226798dff2ffb91d1ee4103f26397d0bf84c13c1ec717392c5fe1d4d0f4dc790236d759fa1be852e305da585a3dbde0d3912bea60d6b140c25645eb00943f", + "msg" : "aa29c372f136993c65ace5e1d62078806eb787913bb35af33371056359d354b2", + "tag" : "493a727536b07d434a7fc8df6b70989148a8d94cadb9761ad845ac5fde2068f9565e68607b531b0f307d7c17ce0a2ba69fb1ac1b0c716f93904eec75669e70b7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 21, + "comment" : "long message", + "key" : "af1bb91775cb40c73983f119c927a2ce8f7b954a6274ecc1cd96019e5c417af4b094376194eae71c7f68f3345654d5d9f8198a697b41ae251e82308accd935bd", + "msg" : "75ededdfa7f1df1dc144fb195b27e454640e3f897cb564222f05e8aab0c6024f90472afea6e7254ed25134ea43452a", + "tag" : "b53d564086a745b10d88a48b50ed8b53f4c83fd12bf56a75108074de9b343cdf0668ce8b6a3d884ba2da5f4c957f1319e26c0813c99a4269c171ad80981013a2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 22, + "comment" : "long message", + "key" : "513e0e7622eabcb6bfc81669dac903df46daea1240f32248bbf4fc61f1f9b13b2c3fe1bcc97540d30065be9eee41e51748bc42c16a8c8269fbe2b6f625c19228", + "msg" : "81d8650937f50871a66af71605ea4fa9d6c5d7a375774c2280eb34aefcee8c0ef83345bc547e4de7cbea482369b25a93", + "tag" : "9d942e4585742ba118bda6e132510af3b9297047d364f76b2a0d1fc803849b06ccac0eaa427934055c9d2e5a5da19cf17299ffdab65089580d10ff7207c9ed03", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 23, + "comment" : "long message", + "key" : "627c9a72247d07b0cec8346277468311c7401fc4cecaea8e22e13ece4b352c8f7a7eb1ba81ce348a08670438c97b8d9e883614d550f1ff16d636975c59988c2d", + "msg" : "118e0468cbb52f93a3396ebfaa114881a98a4101f4ff912ced47ecfc73b27f52205b7a5d4f3899506f9e34ebf99460da7a", + "tag" : 
"a186e08c7731d4bbb1d5342a105ef48f5353c5c542277de607831fcbbc8d0b9fd509c74bf9e352ee739792ee3cd6382f96e70adb589fdf1fb031d43eef1a595f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 24, + "comment" : "long message", + "key" : "1e981d0cbbad5bea9480d836b4704bf3147663b6ea59e1e0a280fb45d9b85d445dc972159dde301c6f1e66681f95642dbb9a9218c00d0cd724cb02f3bcaea2ea", + "msg" : "440dff390688c9fde31c17fdb61c1d13899f9544a986324c34d5eb07bef9a4436297f4a7fe16de5dd7b24e0c7c129051efe6f2dd0a21aec05c3e3c8f6fa30d9c0cbd60d840d14f0b2a928bc7189b9de4a6a731151d6b31e6a0ecae75095434737be8c3db11a6a697d0616c78b97041de", + "tag" : "c52eb5d18e90687248342a84dc0241c680e992b88b1409275df7e347c99169a50cd780eb4726ad759e2a027fb091354e3d7c7aba8a21f8acd1d0e21236af5f98", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 25, + "comment" : "long message", + "key" : "ee8aea2a52eb7e0c1120ab736b1a825b12610063de9642c594766c020cb87314d8ac94b13072bfbf3c019b4aacb1d2695cdd7563a26f574e12559906784d853c", + "msg" : "a3951f1d18135602fdadceeef5741c24ad22756160d0c55e51b788af952adaeb13e18c24c6b09672f405d7ec3d49b0bd86c7f8691b6f69af49175423215cf57d7c08a54ab0b0293e685c9aa250f1599d78193a00af822dec4b56fdb41f0343ab2cf85ea27bb2e650930f5e8ca836833903b053b3e06899b4012a6532978d90", + "tag" : "d3678ca7c5c1aa21f12eccc21a1add0b3eb12ccd134033570468191e51b058c61f2a7d88f2ca6c652c29c65c491bf1f0252bc157bdd77436ff55204eac6dfb0d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 26, + "comment" : "long message", + "key" : "ecd1861a12eaee48aef1d7ed278223b50d3416dbff81e976c56ecd4b1a1bc8892b584cbcc72370ff5e976a6af1790caa32f9ea912855914c0315979578fbf165", + "msg" : "5779c56373a8e5db43bd65c0453ce23144230d43666d717a3b59d2e90f0e10732376831d7281cb23dd5566e5f8c627d00d39650139ceb87cd47e921d65d6c1cc7712ac4bd75bda8828e68abc968f4160ed91b28946c9d706b0360bbbdd65f47ef9983c50f2d09d05c3674c0943ea4af54c381089f9b846dd69ce908e0f6eaaaf", + "tag" : 
"d377e4efc39f25ca751452e79dcb5661f8adcc06570bd3f710e03854e032286ca477e6a620647958fd31706463b542ddf617757875f349c61109358d04f6dc58", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 27, + "comment" : "long message", + "key" : "71aadbf330ea133b46c939d12e603896902e8df638597c98872dfb5aecd5161bc84095221de3222367012f45c6d70701e862ab000e782e91b505b21b4e212c38", + "msg" : "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", + "tag" : "0c1cbb2f196d3d1af5f982a330bf1d9accaada72cf6c254658cb32bfd8705481abd2e163a73338700f0d961ca02a31b600df04faf311cd06498557831102f80f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 28, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d39b9e3f87809686f34109fbc718d6abbb09c278cf05a206adf21463e1170362122e58272a31679720b254cbd63a7c6d696bf9283f9c6897e7d792483bb0388c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 29, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "be301cbfb566720e23f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3e7e2dca7b011bf4cec4c7e7d6cc41bc10c3be36e8320c50aaf6c35f04ac8ca52", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 30, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d09b9e3f87809686f34109fbc718d6abbb09c278cf05a206adf21463e1170362122e58272a31679720b254cbd63a7c6d696bf9283f9c6897e7d792483bb0388c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 31, + "comment" : "Flipped bit 1 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bd301cbfb566720e23f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3e7e2dca7b011bf4cec4c7e7d6cc41bc10c3be36e8320c50aaf6c35f04ac8ca52", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 32, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "529b9e3f87809686f34109fbc718d6abbb09c278cf05a206adf21463e1170362122e58272a31679720b254cbd63a7c6d696bf9283f9c6897e7d792483bb0388c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 33, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "3f301cbfb566720e23f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3e7e2dca7b011bf4cec4c7e7d6cc41bc10c3be36e8320c50aaf6c35f04ac8ca52", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 34, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29a9e3f87809686f34109fbc718d6abbb09c278cf05a206adf21463e1170362122e58272a31679720b254cbd63a7c6d696bf9283f9c6897e7d792483bb0388c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 35, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf311cbfb566720e23f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3e7e2dca7b011bf4cec4c7e7d6cc41bc10c3be36e8320c50aaf6c35f04ac8ca52", + "result" : 
"invalid", + "flags" : [] + }, + { + "tcId" : 36, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9ebf87809686f34109fbc718d6abbb09c278cf05a206adf21463e1170362122e58272a31679720b254cbd63a7c6d696bf9283f9c6897e7d792483bb0388c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 37, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301c3fb566720e23f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3e7e2dca7b011bf4cec4c7e7d6cc41bc10c3be36e8320c50aaf6c35f04ac8ca52", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 38, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9e3f86809686f34109fbc718d6abbb09c278cf05a206adf21463e1170362122e58272a31679720b254cbd63a7c6d696bf9283f9c6897e7d792483bb0388c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 39, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb466720e23f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3e7e2dca7b011bf4cec4c7e7d6cc41bc10c3be36e8320c50aaf6c35f04ac8ca52", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 40, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : 
"d29b9e3f85809686f34109fbc718d6abbb09c278cf05a206adf21463e1170362122e58272a31679720b254cbd63a7c6d696bf9283f9c6897e7d792483bb0388c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 41, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb766720e23f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3e7e2dca7b011bf4cec4c7e7d6cc41bc10c3be36e8320c50aaf6c35f04ac8ca52", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 42, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9e3f87809606f34109fbc718d6abbb09c278cf05a206adf21463e1170362122e58272a31679720b254cbd63a7c6d696bf9283f9c6897e7d792483bb0388c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 43, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb566728e23f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3e7e2dca7b011bf4cec4c7e7d6cc41bc10c3be36e8320c50aaf6c35f04ac8ca52", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 44, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9e3f87809686f24109fbc718d6abbb09c278cf05a206adf21463e1170362122e58272a31679720b254cbd63a7c6d696bf9283f9c6897e7d792483bb0388c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 45, + "comment" : "Flipped bit 64 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb566720e22f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3e7e2dca7b011bf4cec4c7e7d6cc41bc10c3be36e8320c50aaf6c35f04ac8ca52", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 46, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9e3f87809686734109fbc718d6abbb09c278cf05a206adf21463e1170362122e58272a31679720b254cbd63a7c6d696bf9283f9c6897e7d792483bb0388c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 47, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb566720ea3f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3e7e2dca7b011bf4cec4c7e7d6cc41bc10c3be36e8320c50aaf6c35f04ac8ca52", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 48, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9e3f87809686f36109fbc718d6abbb09c278cf05a206adf21463e1170362122e58272a31679720b254cbd63a7c6d696bf9283f9c6897e7d792483bb0388c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 49, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb566720e23d166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3e7e2dca7b011bf4cec4c7e7d6cc41bc10c3be36e8320c50aaf6c35f04ac8ca52", + "result" : 
"invalid", + "flags" : [] + }, + { + "tcId" : 50, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9e3f87809686f34108fbc718d6abbb09c278cf05a206adf21463e1170362122e58272a31679720b254cbd63a7c6d696bf9283f9c6897e7d792483bb0388c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 51, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb566720e23f167e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3e7e2dca7b011bf4cec4c7e7d6cc41bc10c3be36e8320c50aaf6c35f04ac8ca52", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 52, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9e3f87809686f34109fbc618d6abbb09c278cf05a206adf21463e1170362122e58272a31679720b254cbd63a7c6d696bf9283f9c6897e7d792483bb0388c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 53, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb566720e23f166e24965c396f21619c7c15033cc6e8ebbcc8c5c5ba3e7e2dca7b011bf4cec4c7e7d6cc41bc10c3be36e8320c50aaf6c35f04ac8ca52", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 54, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : 
"d29b9e3f87809686f34109fbc518d6abbb09c278cf05a206adf21463e1170362122e58272a31679720b254cbd63a7c6d696bf9283f9c6897e7d792483bb0388c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 55, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb566720e23f166e24a65c396f21619c7c15033cc6e8ebbcc8c5c5ba3e7e2dca7b011bf4cec4c7e7d6cc41bc10c3be36e8320c50aaf6c35f04ac8ca52", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 56, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9e3f87809686f34109fb4718d6abbb09c278cf05a206adf21463e1170362122e58272a31679720b254cbd63a7c6d696bf9283f9c6897e7d792483bb0388c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 57, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb566720e23f166e2c865c396f21619c7c15033cc6e8ebbcc8c5c5ba3e7e2dca7b011bf4cec4c7e7d6cc41bc10c3be36e8320c50aaf6c35f04ac8ca52", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 58, + "comment" : "Flipped bit 504 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9e3f87809686f34109fbc718d6abbb09c278cf05a206adf21463e1170362122e58272a31679720b254cbd63a7c6d696bf9283f9c6897e7d792483bb0388d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 59, + "comment" : "Flipped bit 504 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb566720e23f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3e7e2dca7b011bf4cec4c7e7d6cc41bc10c3be36e8320c50aaf6c35f04ac8ca53", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 60, + "comment" : "Flipped bit 505 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9e3f87809686f34109fbc718d6abbb09c278cf05a206adf21463e1170362122e58272a31679720b254cbd63a7c6d696bf9283f9c6897e7d792483bb0388e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 61, + "comment" : "Flipped bit 505 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb566720e23f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3e7e2dca7b011bf4cec4c7e7d6cc41bc10c3be36e8320c50aaf6c35f04ac8ca50", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 62, + "comment" : "Flipped bit 510 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9e3f87809686f34109fbc718d6abbb09c278cf05a206adf21463e1170362122e58272a31679720b254cbd63a7c6d696bf9283f9c6897e7d792483bb038cc", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 63, + "comment" : "Flipped bit 510 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb566720e23f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3e7e2dca7b011bf4cec4c7e7d6cc41bc10c3be36e8320c50aaf6c35f04ac8ca12", + "result" 
: "invalid", + "flags" : [] + }, + { + "tcId" : 64, + "comment" : "Flipped bit 511 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9e3f87809686f34109fbc718d6abbb09c278cf05a206adf21463e1170362122e58272a31679720b254cbd63a7c6d696bf9283f9c6897e7d792483bb0380c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 65, + "comment" : "Flipped bit 511 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb566720e23f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3e7e2dca7b011bf4cec4c7e7d6cc41bc10c3be36e8320c50aaf6c35f04ac8cad2", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 66, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d39b9e3f87809686f24109fbc718d6abbb09c278cf05a206adf21463e1170362122e58272a31679720b254cbd63a7c6d696bf9283f9c6897e7d792483bb0388c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 67, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "be301cbfb566720e22f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3e7e2dca7b011bf4cec4c7e7d6cc41bc10c3be36e8320c50aaf6c35f04ac8ca52", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 68, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : 
"d29b9ebf87809606f34109fbc718d6abbb09c278cf05a206adf21463e1170362122e58272a31679720b254cbd63a7c6d696bf9283f9c6897e7d792483bb0388c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 69, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301c3fb566728e23f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3e7e2dca7b011bf4cec4c7e7d6cc41bc10c3be36e8320c50aaf6c35f04ac8ca52", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 70, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9e3f87809606f34109fbc718d62bbb09c278cf05a206adf21463e1170362122e58272a31679720b254cbd63a7c6d696bf9283f9c6897e7d792483bb0388c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 71, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb566728e23f166e24865c316f21619c7c15033cc6e8ebbcc8c5c5ba3e7e2dca7b011bf4cec4c7e7d6cc41bc10c3be36e8320c50aaf6c35f04ac8ca52", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 72, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "2d6461c0787f69790cbef60438e7295444f63d8730fa5df9520deb9c1ee8fc9dedd1a7d8d5ce9868df4dab3429c58392969406d7c063976818286db7c44fc773", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 73, + "comment" : "all bits of tag flipped", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "40cfe3404a998df1dc0e991db79a3c690de9e6383eafcc339171443373a3a45c181d23584fee40b313b38182933be43ef3c41c917cdf3af55093ca0fb53735ad", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 74, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 75, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 76, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 77, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "result" : 
"invalid", + "flags" : [] + }, + { + "tcId" : 78, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "521b1ebf0700160673c1897b4798562b3b8942f84f8522862d7294e3619783e292aed8a7aab1e717a032d44b56bafcede9eb79a8bf1ce817675712c8bb30b80c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 79, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "3fb09c3f35e6f28ea371e662c8e543167296994741d0b34cee0e3b4c0cdcdb2367625c2730913fcc6cccfefdec449b418cbb63ee03a0458a2fecb570ca484ad2", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 80, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d39a9f3e86819787f24008fac619d7aaba08c379ce04a307acf31562e0160263132f59262b30669621b355cad73b7d6c686af8293e9d6996e6d693493ab1398d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 81, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "be311dbeb467730f22f067e34964c297f31718c6c05132cd6f8fbacd8d5d5aa2e6e3dda6b110be4ded4d7f7c6dc51ac00d3ae26f8221c40bae6d34f14bc9cb53", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "keySize" : 512, + "tagSize" : 256, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 82, + "comment" : "empty message", + "key" : "eef6bcf16ef7ae17326a33f22d1406ec1bd3f866505f4b2e4fe8b45bd62ccbd85032a9899facf2db0c93a2345cb8892afb74db549781211dd8881a8c8e25c171", + "msg" : "", + "tag" : 
"75f6975e3500be4fbfee1bc95644745ce9f8d47b6f3818a48ff34e8c2b186ba6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 83, + "comment" : "short message", + "key" : "838696e6190c874c3717b8be0cf063ca6d60760987d1a33703e7e35eb173e5ae954e741a37935139d612149e76f6ab2a370604f5b4a68bee87e309240a9ba3d6", + "msg" : "d8", + "tag" : "5bcf44539d8783bb708e7f5dafc4d683bcaa0d240c902675bdde059f944dacde", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 84, + "comment" : "short message", + "key" : "fa999ed1cfbc5c43afb16f22d024e3ce645e00b06712c93b946167c9c2c037d192f0f3003f87c43a71166fe1a3c5824c348673a2f0f3c475706985940f6b02a2", + "msg" : "cad2", + "tag" : "9a93f4728aa5941da160ec707f14b7e9ee1e768c7f627269543430d2fc681e90", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 85, + "comment" : "short message", + "key" : "b53fced8b7b4aa59d3b56d91e1386763c39e351c2f5ad6a4885e442ad894d5181c5bfe5c05280a84ad19d758e359bf8171fe652988fcf9d1458ea17364ca8fa9", + "msg" : "d3393c", + "tag" : "02c4968e86d1c62837a41650d3199ca6b3c59b8227f55e0ba40e5e3904ab512a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 86, + "comment" : "short message", + "key" : "3f0cbeebe391c6491e77c57a05e85a16f0b5294d19f9a7f3390baf7a2051fbf980e041ee45c9104a9126a6a7ec182eaec27a99c1a7a3f5a1e8cd8ffde60641dc", + "msg" : "bebb0392", + "tag" : "8d68dd7d67763e8eafee0029d01e96e6a09c4ba09e57a2e5bde3bacca213c695", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 87, + "comment" : "short message", + "key" : "4a7f110b92241badc907ba3c61477bab0953a851bf327425e858fc724bd33ede2a4a5018fe71aab434bda8eb2464a41577c8d570530c460f7c8bc0172f1ee0f1", + "msg" : "40a333f4cf", + "tag" : "5feda3366ce9f5ac3402c977a4062d33c09e2c9a3d0c2dcda0c8d67b4bbd1a37", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 88, + "comment" : "short message", + "key" : "c6c95bf9facab295cebfa4b907855874f57a5c1548576ad8bae694a364f5e58dbb8c8dd49330b2fdd1b71657d211db2a6569a9f3a356c0c5b3c4efbd5b6777cb", + "msg" : "4cf926af475a", + "tag" : 
"0a748aa33762d374aa04b617b58d129ad1aaf252a40463fd62ce924e21e6d52c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 89, + "comment" : "short message", + "key" : "0d3387fe59e8e7c43c928dac7913826dec4d63ac3c8ee346ba7caed9505b9e63ff8942cde90997e8dbeaf6e17ee187c0a84a1853952d866c15f9a32fcee6a82a", + "msg" : "2ba3bc3cd64bc6", + "tag" : "cc7e97630884bd8ad56f6d96fd34690eab6c8ad5556b519db3bc3c6083c82d3c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 90, + "comment" : "short message", + "key" : "3cb9ce565388a6f0454a80add86c7e107ea537d7f468a0648930fc37172cf7b4ca9058033071c354a20a608e2d46e98afe46435a344362989cbaafac18859bba", + "msg" : "33ce498e1f94f412", + "tag" : "76335ee23ee1dc258812be373bb5f95918babed0b69e565e00ee3af776c5a5fc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 91, + "comment" : "short message", + "key" : "c25f45ceb2a5597f361445fa41a9019f41a6e6d7f144203f29c0b9fcea362d60894c3cadc1ce25d53da362e464c11fc6e169e3db2ea1cf40fe08fffb429b1a5b", + "msg" : "81978af4795c50f89c", + "tag" : "bf73218544d8458e6ad00727b236f833d281723d7dcae4d1019b70b9d6e8bc4d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 92, + "comment" : "short message", + "key" : "b458764ee273f391cb718f64a1bca64c96a870d9426d6254ee37e5c93898d6a5ef68e9d3b0e057a3c396faa834a29926a9680cfa903d2a605b85407bb24c8cee", + "msg" : "d804dc2a1e146f62b621", + "tag" : "5b25843416467b9e0a24cfab67d8fc27e0623ff9e01b2204b5afdf3e9cc05d1b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 93, + "comment" : "short message", + "key" : "7cbc5778f70595fc211cee3a93e17ff7f25a1d9f3766f8eb70eb1e08c9420a62bd89e8b7d834cc854d059afd413e4d9c062a532e015928528c7f5812dfebecac", + "msg" : "4017e0ffcaac4c485ce7ec", + "tag" : "66b4191b37a6f78809c434736ed6ac2273c04a11219636e92671ea05bf6dc299", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 94, + "comment" : "short message", + "key" : 
"937b9711d670daa2359920e47dd6d0fb75275105b3ef07bb4a31d3c4b99baa8ff79ee4b4a1b4a5b250d0fd7b4721e04a7b06035b1d0c9d739597707839018bce", + "msg" : "6991810e9788af7aabff8eb4", + "tag" : "23522de80ff6a3a6d8fc1bf9b632e1600df53c59f38589a6f2ae9b95d940a340", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 95, + "comment" : "short message", + "key" : "ad37630a280b1a75ebed1984217150a400a55dca2362a8eaf3c907858d0b45db3e208c316d033854eb4284f71117d33876e0e203ca922d26f9b76d94cab0d4f3", + "msg" : "7c6f2fd83e5691827be38e49a0", + "tag" : "b609c0b5d359061ac066bd3bccabc98493fd33bac8fe0e3f2e2b4758cb6578b0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 96, + "comment" : "short message", + "key" : "526aa2645ab71229e2c60f68bd5bbcf0cea0978a0a9c60cf695e81fecaedecfa0362c21747eaa995975208ca35cfa6bc2b95d1c2afcee11275f43add6f026d6c", + "msg" : "681bca550fe301f2dcc1e38b53c1", + "tag" : "1f1f50dacb3dc35b90429c0f9b31edd239a6af4c09d51095cb39ff11c7c26598", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 97, + "comment" : "short message", + "key" : "6026a9047a07ccf197fde09c8b9f15f34bc52472b7d1ea4673b4914a0e1c3aa4cfe8d6ef12d4d4019f5ff3ac0adcad7358490874155daf41da2f74aca1cd894a", + "msg" : "ce1d869c53041c5f6acdda7a05af15", + "tag" : "bd2d678ceadd71680f9987c88d24c49335cb985af0bcf8e23fe810e83a920f13", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 98, + "comment" : "", + "key" : "a03d2c543c302949c51b662f43114c1305a8f6961ae48342803d3690dc18255fab924965536a79bc38564c7c97cb8cc0209786e9f76375bf181529cf7f93d954", + "msg" : "697617ae31f19b8a6ad4b8489bfc3db1", + "tag" : "577d62d7279b39a0d71e2f80833425ed43e4a16233eeb5d251f766db0bf7a58c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 99, + "comment" : "", + "key" : "25843665d39c3ae9a7b3e4427e2bf7785281fd2594bdde67860ca9b8fa11646469d1645ae8ca3825b8c551f9eac3da0660d8c2e2e3bd23d34395c6775dcdfd2e", + "msg" : "74082cc5d14db1967442d66aac6092bd23", + "tag" : 
"b373ac5fb1982b9d47d28844e969d51680dc81d21d556c2671c29c11dfa6e340", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 100, + "comment" : "", + "key" : "4831ab4962a2d2436091cbbf388d2ba042b472a262ed8373c85d047c702adf73a87eb097e72d91d089b7d1504a7f7d8abb3bc2c44c1340d6c16c84ea9269e64b", + "msg" : "2803c2f4e5b4bfccd2b407469a6cb5ef21fd14a682636397", + "tag" : "641f29925c06aa01086c8bce89d99e1456dc2ad4b1d3364442187ce4392838ee", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 101, + "comment" : "", + "key" : "449bb57d046551e1819b3c994122c3605954317d0d76212284a3328c226732cbf4ecb442a582c8423888aaed946e5eec2be66e127f1e2e29b66e68b9b4bec4d1", + "msg" : "79004e644389a11b709bc0a23cb8592f9fc7960bfa46132cc1ffb9747df37dec", + "tag" : "c054667d992cc1e84fa5b13f6402125b4bb6fd2900dbcdaf8b8644c82edadc2b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 102, + "comment" : "long message", + "key" : "ff97b77020861a0ce00eff8de9e701aea8c6de0fffd9b4c1342a416d357fce35a7016c64ccd38e2bdf674802281c2234153dd83aacb948966dc87ea4718fff75", + "msg" : "d7e2d2437b7067a30f04529041960e041e281737d1e0daa8cd50cc0b264716e117aa2fe9a7e39c2f178c607faa50c2", + "tag" : "062e9c4609a3b1d5df277a33ac1c7501df81ec1ddf460b0850a2aa332d07bfcb", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 103, + "comment" : "long message", + "key" : "f4daf370c4f437d8a85391ec455e34540be8d32df8dfac05b166ae72ec1cc608f8c177b30dde8bf07c9d434732c26a6e530b182c7ab21093eb79d0bb5be85e53", + "msg" : "f60418f6c54a25fabf518273088619c0741c1c7187de93a0cf6a03f4565f1765de656754541b860137f3f8455de7c403", + "tag" : "4d4a568dd26d27267d0772540ebb0b94d44fbbb15a1bb749a570ed6313ee695b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 104, + "comment" : "long message", + "key" : "3be95e879421ed7856269eef39a2070fae406cec5e30b50d92792df5a37de98595684eaa9205587ca607eeac8f96592f458f63434b7dc82596d3e4a1a16c3d59", + "msg" : "c64f7c970a441c6c503838a491308c783099eac52bd35a217978a64dcec84d34186ab3b74f20285d6fea2165eab4da3d2c", + 
"tag" : "4ea9e2f08870c30cb68d419816deb681cfd6ba62906e6b4a8088efcd9fa4edf9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 105, + "comment" : "long message", + "key" : "b5eb53586b948587db3dd46c43ad65498a5079157562e4074c9c20d097d0c97f19db4661fb2dd11b87a5ccba2c345642618f561d00bf87dffc66762e45e0156f", + "msg" : "9e8ebf96429955d60b925a4111745ec7028de24e694a6d2eee1dbd5e820ab9f00beafde09f95095933a02f251297282b0cf67c518397655841f230e1d9ae5ba93150d4375dc7c0738b99850b07d5a442994e68dc813d55edefa6cd063ccb202711d97ba674efa02ddbdc692341e77cfa", + "tag" : "6a5b6272df7fb6315293ce22483511d700a83c34db6b0ee4398b4a770241fcf2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 106, + "comment" : "long message", + "key" : "fbc678235d596980268730a7aa8a3c25095f1dbcf7f830990716a510c44e62b1ae8ce095c65e1852bd8a09f25ab93415ae736f22b2c68ecdf3c0f71e15a057dc", + "msg" : "ef395738f2b3bd7a0649eea75e734e5c79baf21358c7ae96c63a58e260266c7bfa869664c5d10e87c26d0f5edb3b5f73900c1d9a96a5a2c2912506c19dff04e900b8d5d63e1bb606fe3d5a229b642b1ac59e08a4687a7aade3de16d183131ddd02da988ff826e88b74ba0c5c41cfcd8570cca59fb3304d588f7f7e63dad47a", + "tag" : "84df3338f502e65866cf2077f6776341a89dd2234961b474d5b7438d1836fd6b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 107, + "comment" : "long message", + "key" : "d8437b093e170afc30fb68d873db6dd67ee0372b6c5feb124d548abbd93304a082235a170a9d326268d0cfc34264d8ebcfcbcc0dc0ea7767b650dbcfc7848f91", + "msg" : "0fb91bb043cf3d49341482eacbab92da92117bb6ec03b518a93c9d59e54702c6a21ade4f255870cb52da4a24b36856b0cbf8b122d2fd5b0219aeacb6e292c95863921789092d5d65d5a9389231670e38be31d8b76630650c77edc23773d5ec9189915560ef6f45a4275f85957d8762916d8147ef43ea6f438d066227354df26c", + "tag" : "4b9b51f2c7d725269a5bd735d4251cbfda71ea5cf5c046379b439ddff766d21a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 108, + "comment" : "long message", + "key" : 
"d29225e3042b43d4eb7a9399f224424b5b4dd99031c8abf609d3a6e3175897134cc7ba8a6be25d436d41a757a2daa4e1b03f7c3053ee8cada19531d48dab93e0", + "msg" : "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", + "tag" : "f9ad00420ce909cd050fdb84dcc70f00df97928968d0aca51db2784f0394898d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 109, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d39b9e3f87809686f34109fbc718d6abbb09c278cf05a206adf21463e1170362", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 110, + "comment" : "Flipped bit 0 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "be301cbfb566720e23f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 111, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d09b9e3f87809686f34109fbc718d6abbb09c278cf05a206adf21463e1170362", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 112, + "comment" : "Flipped bit 1 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bd301cbfb566720e23f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 113, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : 
"529b9e3f87809686f34109fbc718d6abbb09c278cf05a206adf21463e1170362", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 114, + "comment" : "Flipped bit 7 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "3f301cbfb566720e23f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 115, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29a9e3f87809686f34109fbc718d6abbb09c278cf05a206adf21463e1170362", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 116, + "comment" : "Flipped bit 8 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf311cbfb566720e23f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 117, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9ebf87809686f34109fbc718d6abbb09c278cf05a206adf21463e1170362", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 118, + "comment" : "Flipped bit 31 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301c3fb566720e23f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 119, + "comment" : "Flipped bit 32 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9e3f86809686f34109fbc718d6abbb09c278cf05a206adf21463e1170362", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 120, + "comment" : "Flipped bit 32 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb466720e23f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 121, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9e3f85809686f34109fbc718d6abbb09c278cf05a206adf21463e1170362", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 122, + "comment" : "Flipped bit 33 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb766720e23f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 123, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9e3f87809606f34109fbc718d6abbb09c278cf05a206adf21463e1170362", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 124, + "comment" : "Flipped bit 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : 
"bf301cbfb566728e23f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 125, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9e3f87809686f24109fbc718d6abbb09c278cf05a206adf21463e1170362", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 126, + "comment" : "Flipped bit 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb566720e22f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 127, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9e3f87809686734109fbc718d6abbb09c278cf05a206adf21463e1170362", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 128, + "comment" : "Flipped bit 71 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb566720ea3f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 129, + "comment" : "Flipped bit 77 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9e3f87809686f36109fbc718d6abbb09c278cf05a206adf21463e1170362", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 130, + "comment" : "Flipped bit 77 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb566720e23d166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 131, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9e3f87809686f34108fbc718d6abbb09c278cf05a206adf21463e1170362", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 132, + "comment" : "Flipped bit 80 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb566720e23f167e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 133, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9e3f87809686f34109fbc618d6abbb09c278cf05a206adf21463e1170362", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 134, + "comment" : "Flipped bit 96 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb566720e23f166e24965c396f21619c7c15033cc6e8ebbcc8c5c5ba3", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 135, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : 
"d29b9e3f87809686f34109fbc518d6abbb09c278cf05a206adf21463e1170362", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 136, + "comment" : "Flipped bit 97 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb566720e23f166e24a65c396f21619c7c15033cc6e8ebbcc8c5c5ba3", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 137, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9e3f87809686f34109fb4718d6abbb09c278cf05a206adf21463e1170362", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 138, + "comment" : "Flipped bit 103 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb566720e23f166e2c865c396f21619c7c15033cc6e8ebbcc8c5c5ba3", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 139, + "comment" : "Flipped bit 248 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9e3f87809686f34109fbc718d6abbb09c278cf05a206adf21463e1170363", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 140, + "comment" : "Flipped bit 248 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb566720e23f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba2", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 141, + "comment" : "Flipped bit 249 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9e3f87809686f34109fbc718d6abbb09c278cf05a206adf21463e1170360", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 142, + "comment" : "Flipped bit 249 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb566720e23f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba1", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 143, + "comment" : "Flipped bit 254 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9e3f87809686f34109fbc718d6abbb09c278cf05a206adf21463e1170322", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 144, + "comment" : "Flipped bit 254 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb566720e23f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5be3", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 145, + "comment" : "Flipped bit 255 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9e3f87809686f34109fbc718d6abbb09c278cf05a206adf21463e11703e2", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 146, + "comment" : "Flipped bit 255 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : 
"bf301cbfb566720e23f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5b23", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 147, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d39b9e3f87809686f24109fbc718d6abbb09c278cf05a206adf21463e1170362", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 148, + "comment" : "Flipped bits 0 and 64 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "be301cbfb566720e22f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 149, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9ebf87809606f34109fbc718d6abbb09c278cf05a206adf21463e1170362", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 150, + "comment" : "Flipped bits 31 and 63 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301c3fb566728e23f166e24865c396f21619c7c15033cc6e8ebbcc8c5c5ba3", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 151, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d29b9e3f87809606f34109fbc718d62bbb09c278cf05a206adf21463e1170362", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 152, + "comment" : "Flipped bits 63 and 127 in tag", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "bf301cbfb566728e23f166e24865c316f21619c7c15033cc6e8ebbcc8c5c5ba3", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 153, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "2d6461c0787f69790cbef60438e7295444f63d8730fa5df9520deb9c1ee8fc9d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 154, + "comment" : "all bits of tag flipped", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "40cfe3404a998df1dc0e991db79a3c690de9e6383eafcc339171443373a3a45c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 155, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 156, + "comment" : "Tag changed to all zero", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 157, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : 
"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 158, + "comment" : "tag changed to all 1", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 159, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "521b1ebf0700160673c1897b4798562b3b8942f84f8522862d7294e3619783e2", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 160, + "comment" : "msbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "3fb09c3f35e6f28ea371e662c8e543167296994741d0b34cee0e3b4c0cdcdb23", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 161, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "", + "tag" : "d39a9f3e86819787f24008fac619d7aaba08c379ce04a307acf31562e0160263", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 162, + "comment" : "lsbs changed in tag", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "msg" : "000102030405060708090a0b0c0d0e0f", + "tag" : "be311dbeb467730f22f067e34964c297f31718c6c05132cd6f8fbacd8d5d5aa2", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "keySize" : 256, + "tagSize" : 512, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 163, + 
"comment" : "short key", + "key" : "14d93759fc28f3319ab74b8167c974e800f032344dc2747ec0f4945061a47827", + "msg" : "", + "tag" : "68934dbe948d9a77a5e0a92ed98254fa3b6c93c8bf5eeaa912b7dfdf762b37192c5d8523bcab9ad71b09bf96d8454188d001c7f2077eb641199f5731b9f94669", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 164, + "comment" : "short key", + "key" : "9fa371f36fb273d514fd628cb938067a4bae32a19a1e045a7d6d7f6de3751cbf", + "msg" : "311bbf722d322cd7a0710f480fc66518", + "tag" : "16345f6a6ca6e78d4ccac30b48d76691d6442420efa113c15ef127b538b5b024018b7d2db4bc3ed3424251ab6b8b6c3cb108b0beda842dc3e68e63400287e5cd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 165, + "comment" : "short key", + "key" : "6313f1526bc220f20dde1e64ced8597279586d1e15aad05ad591d841b369284f", + "msg" : "f744fa3933e16d8bf524afaeb34c715653a9cfb01fa45fe1fb68e701fe1487ca", + "tag" : "b88d1ba03e2799200a447550d18e310697a57974f513df77eb07bbe315ba5fef397eeb81ad9071680bcc6c70f6b252ade35b4a4040279ec01b86e40b98770e39", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "keySize" : 256, + "tagSize" : 256, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 166, + "comment" : "short key", + "key" : "1e225cafb90339bba1b24076d4206c3e79c355805d851682bc818baa4f5a7779", + "msg" : "", + "tag" : "23d482a05c907eeb346ba98f83db0f63c2adfbd5b2940f33c7964c7f1799f180", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 167, + "comment" : "short key", + "key" : "6fa353868c82e5deeedac7f09471a61bf749ab5498239e947e012eee3c82d7c4", + "msg" : "aeed3e4d4cb9bbb60d482e98c126c0f5", + "tag" : "1cf9d2c9c1b55a45190b5beb590cd4cc95e3853df8aaf9f4fef9bbbbd72435ff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 168, + "comment" : "short key", + "key" : "186e248ad824e1eb93329a7fdcd565b6cb4eaf3f85b90b910777128d8c538d27", + "msg" : "92ef9ff52f46eccc7e38b9ee19fd2de3b37726c8e6ce9e1b96db5dda4c317902", + "tag" : "d127b7385badf0c76f2b3d8aa9c722333592e01f462fedd35ec664a6f6d52d74", + "result" : "valid", + "flags" : [] + 
} + ] + }, + { + "keySize" : 520, + "tagSize" : 512, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 169, + "comment" : "long key", + "key" : "dd1e0bdbb6b60862176484f3669da531455f1cd714f999c29f08b851055fee8d72186d376c236f4e16cba7a25cba879fb2753deca4459aaebc6f6de625d99af330", + "msg" : "", + "tag" : "7e4f7d844b3ba0e025b66de7cc6227bc50d4e174930251bfff3df36c3900b5b76b00095a896d0f96842e37b6134df40760307699534d6670f138974ee1c58d94", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 170, + "comment" : "long key", + "key" : "432b311ebcfd46ecfcd3cc706ebd05c787dfbe1855fdcfce8d50c9a00f72b65a8d42acec335b4e07d544c92fd7b1d38543ac6e0fc04c26d88de8dd974af69e24d7", + "msg" : "36b1fbe8f1335e7c0399c24730906420", + "tag" : "2cfb688f30b10534da9377a4b3fbee1dec161cb288ac8b758793838b45ab953979dadf27817f477c9ebf23cfdcbacb60b81038e08bc4fc3180bd2a1ee805976a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 171, + "comment" : "long key", + "key" : "17f720f09df5972af9b9c63e10043284608900d50b7955db3b4e2679cb4120be2c9b9e2aa1a5743eb519792822c326b4d890b5554d1cb0eb71081b7569a2f04df7", + "msg" : "57167c2524a55289687b83a40d3a69bc90adc53ad247020b88897f9b95d1516d", + "tag" : "4f70267b98fceb4f662901bd18fb4c81ac164281dd0ece43028a3c2a65ca213aedf1bd207f0939bd879bbe20fd09cdeb20246e6539766add08b3adc5143d2bd9", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "keySize" : 520, + "tagSize" : 256, + "type" : "MacTest", + "tests" : [ + { + "tcId" : 172, + "comment" : "long key", + "key" : "8a0c46eb8a2959e39865330079763341e7439dab149694ee57e0d61ec73d947e1d5301cd974e18a5e0d1cf0d2c37e8aadd9fd589d57ef32e47024a99bc3f70c077", + "msg" : "", + "tag" : "e1657f44bf84895e6db0810a2cca61a6e105e12ec006f0b5961020301b57744e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 173, + "comment" : "long key", + "key" : "2877ebb81f80334fd00516337446c5cf5ad4a3a2e197269e5b0ad1889dfe2b4b0aaa676fac55b36ce3affc7f1092ab89c53273a837bd5bc94d1a9d9e5b02e9856f", + "msg" : "ba448db88f154f775028fdecf9e6752d", + 
"tag" : "33d5a2d1998a586849eebf8134728485fcfc71248f4a98e622f83b967844c40e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 174, + "comment" : "long key", + "key" : "21178e26bc28ffc27c06f762ba190a627075856d7ca6feab79ac63149b17126e34fd9e5590e0e90aac801df09505d8af2dd0a2703b352c573ac9d2cb063927f2af", + "msg" : "7d5f1d6b993452b1b53a4375760d10a20d46a0ab9ec3943fc4b07a2ce735e731", + "tag" : "88d579c2801905b818070ccebd2c7192f97bb3e7acdcaf613cecc74d0e411232", + "result" : "valid", + "flags" : [] + } + ] + } + ] +} diff --git a/rust/tests/wycheproof/x25519_test.json b/rust/tests/wycheproof/x25519_test.json new file mode 100644 index 00000000..431b434b --- /dev/null +++ b/rust/tests/wycheproof/x25519_test.json 
@@ -0,0 +1,5248 @@ +{ + "algorithm" : "XDH", + "generatorVersion" : "0.8r12", + "numberOfTests" : 518, + "header" : [ + "Test vectors of type XdhComp are intended for tests that verify the", + "computation of and Xdh key exchange." + ], + "notes" : { + "LowOrderPublic" : "The curves and its twists contain some points of low order. This test vector contains a public key with such a point. While many libraries reject such public keys, doing so is not a strict requirement according to RFC 7748.", + "NonCanonicalPublic" : "The public key is in non-canonical form. RFC 7749, section 5 defines the value that this public key represents. Section 7 of the same RFC recommends accepting such keys. If a non-canonical key is accepted then it must follow the RFC.", + "SmallPublicKey" : "The public key is insecure and does not belong to a valid private key. Some libraries reject such keys.", + "Twist" : "Public keys are either points on a given curve or points on its twist. The functions X25519 and X448 are defined for points on a twist with the goal that the output of computations do not leak private keys. Implementations may accept or reject points on a twist. If a point multiplication is performed then it is important that the result is correct, since otherwise attacks with invalid keys are possible.", + "ZeroSharedSecret" : "Some libraries include a check that the shared secret is not all-zero. This check is described in Section 6.1 of RFC 7748. 
" + }, + "schema" : "xdh_comp_schema.json", + "testGroups" : [ + { + "curve" : "curve25519", + "type" : "XdhComp", + "tests" : [ + { + "tcId" : 1, + "comment" : "normal case", + "public" : "504a36999f489cd2fdbc08baff3d88fa00569ba986cba22548ffde80f9806829", + "private" : "c8a9d5a91091ad851c668b0736c1c9a02936c0d3ad62670858088047ba057475", + "shared" : "436a2c040cf45fea9b29a0cb81b1f41458f863d0d61b453d0a982720d6d61320", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 2, + "comment" : "public key on twist", + "public" : "63aa40c6e38346c5caf23a6df0a5e6c80889a08647e551b3563449befcfc9733", + "private" : "d85d8c061a50804ac488ad774ac716c3f5ba714b2712e048491379a500211958", + "shared" : "279df67a7c4611db4708a0e8282b195e5ac0ed6f4b2f292c6fbd0acac30d1332", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 3, + "comment" : "public key on twist", + "public" : "0f83c36fded9d32fadf4efa3ae93a90bb5cfa66893bc412c43fa7287dbb99779", + "private" : "c8b45bfd32e55325d9fd648cb302848039000b390e44d521e58aab3b29a6964b", + "shared" : "4bc7e01e7d83d6cf67632bf90033487a5fc29eba5328890ea7b1026d23b9a45f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 4, + "comment" : "public key on twist", + "public" : "0b8211a2b6049097f6871c6c052d3c5fc1ba17da9e32ae458403b05bb283092a", + "private" : "f876e34bcbe1f47fbc0fddfd7c1e1aa53d57bfe0f66d243067b424bb6210be51", + "shared" : "119d37ed4b109cbd6418b1f28dea83c836c844715cdf98a3a8c362191debd514", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 5, + "comment" : "public key on twist", + "public" : "343ac20a3b9c6a27b1008176509ad30735856ec1c8d8fcae13912d08d152f46c", + "private" : "006ac1f3a653a4cdb1d37bba94738f8b957a57beb24d646e994dc29a276aad45", + "shared" : "cc4873aed3fcee4b3aaea7f0d20716b4276359081f634b7bea4b705bfc8a4d3e", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 6, + "comment" : "public key on twist", + "public" : 
"fa695fc7be8d1be5bf704898f388c452bafdd3b8eae805f8681a8d15c2d4e142", + "private" : "08da77b26d06dff9d9f7fd4c5b3769f8cdd5b30516a5ab806be324ff3eb69e60", + "shared" : "b6f8e2fcb1affc79e2ff798319b2701139b95ad6dd07f05cbac78bd83edfd92e", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 7, + "comment" : "public key on twist", + "public" : "0200000000000000000000000000000000000000000000000000000000000000", + "private" : "d03edde9f3e7b799045f9ac3793d4a9277dadeadc41bec0290f81f744f73775f", + "shared" : "b87a1722cc6c1e2feecb54e97abd5a22acc27616f78f6e315fd2b73d9f221e57", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 8, + "comment" : "public key on twist", + "public" : "0300000000000000000000000000000000000000000000000000000000000000", + "private" : "e09d57a914e3c29036fd9a442ba526b5cdcdf28216153e636c10677acab6bd6a", + "shared" : "a29d8dad28d590cd3017aa97a4761f851bf1d3672b042a4256a45881e2ad9035", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 9, + "comment" : "public key on twist", + "public" : "ff00000000000000000000000000000000000000000000000000000000000000", + "private" : "e0ed78e6ee02f08bec1c15d66fbbe5b83ffc37ea14e1512cc1bd4b2ea6d8066f", + "shared" : "e703bc8aa94b7d87ba34e2678353d12cdaaa1a97b5ca3e1b8c060c4636087f07", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 10, + "comment" : "public key on twist", + "public" : "ffff000000000000000000000000000000000000000000000000000000000000", + "private" : "a8a1a2ec9fa9915ae7aace6a37c68591d39e15995c4ef5ebd3561c02f72dda41", + "shared" : "ff5cf041e924dbe1a64ac9bdba96bdcdfaf7d59d91c7e33e76ed0e4c8c836446", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 11, + "comment" : "public key on twist", + "public" : "0000010000000000000000000000000000000000000000000000000000000000", + "private" : "a8c9df5820eb399d471dfa3215d96055b3c7d0f4ea49f8ab028d6a6e3194517b", + "shared" : 
"a92a96fa029960f9530e6fe37e2429cd113be4d8f3f4431f8546e6c76351475d", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 12, + "comment" : "public key on twist", + "public" : "ffffff0f00000000000000000000000000000000000000000000000000000000", + "private" : "d0d31c491cbd39271859b4a63a316826507b1db8c701709fd0ffe3eb21c4467c", + "shared" : "9f8954868158ec62b6b586b8cae1d67d1b9f4c03d5b3ca0393cee71accc9ab65", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 13, + "comment" : "public key on twist", + "public" : "ffffffff00000000000000000000000000000000000000000000000000000000", + "private" : "d053e7bf1902619cd61c9c739e09d54c4147f46d190720966f7de1d9cffbbd4e", + "shared" : "6cbf1dc9af97bc148513a18be4a257de1a3b065584df94e8b43c1ab89720b110", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 14, + "comment" : "public key on twist", + "public" : "0000000000001000000000000000000000000000000000000000000000000000", + "private" : "a021d75009a4596e5a33f12921c10f3670933bc80dde3bba22881b6120582144", + "shared" : "38284b7086095a9406028c1f800c071ea106039ad7a1d7f82fe00906fd90594b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 15, + "comment" : "public key on twist", + "public" : "0000000000000001000000000000000000000000000000000000000000000000", + "private" : "a89c6687f99bd569a01fd8bd438236160d15ce2c57c1d71ebaa3f2da88233863", + "shared" : "c721041df0244071794a8db06b9f7eaeec690c257265343666f4416f4166840f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 16, + "comment" : "public key on twist", + "public" : "ffffffffffffffff000000000000000000000000000000000000000000000000", + "private" : "68964bca51465bf0f5ba524b1482ceff0e960a1ed9f48dcc30f1608d0e501a50", + "shared" : "25ff9a6631b143dbdbdc207b38e38f832ae079a52a618c534322e77345fd9049", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 17, + "comment" : "public key on twist", + "public" : 
"0000000000000000000000000000000000000000000000000100000000000000", + "private" : "a8e56bb13a9f2b33b8e6750b4a6e6621dc26ae8c5c624a0992c8f0d5b910f170", + "shared" : "f294e7922c6cea587aefe72911630d50f2456a2ba7f21207d57f1ecce04f6213", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 18, + "comment" : "public key on twist", + "public" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000", + "private" : "e045f55c159451e97814d747050fd7769bd478434a01876a56e553f66384a74c", + "shared" : "ff4715bd8cf847b77c244ce2d9b008b19efaa8e845feb85ce4889b5b2c6a4b4d", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 19, + "comment" : "public key on twist", + "public" : "ffffff030000f8ffff1f0000c0ffffff000000feffff070000f0ffff3f000000", + "private" : "105d621e1ef339c3d99245cfb77cd3a5bd0c4427a0e4d8752c3b51f045889b4f", + "shared" : "61eace52da5f5ecefafa4f199b077ff64f2e3d2a6ece6f8ec0497826b212ef5f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 20, + "comment" : "public key on twist", + "public" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f0000", + "private" : "d88a441e706f606ae7f630f8b21f3c2554739e3e549f804118c03771f608017b", + "shared" : "ff1b509a0a1a54726086f1e1c0acf040ab463a2a542e5d54e92c6df8126cf636", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 21, + "comment" : "public key on twist", + "public" : "0000000000000000000000000000000000000000000000000000000000800000", + "private" : "80bbad168222276200aafd36f7f25fdc025632d8bf9f6354bb762e06fb63e250", + "shared" : "f134e6267bf93903085117b99932cc0c7ba26f25fca12102a26d7533d9c4272a", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 22, + "comment" : "public key on twist", + "public" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff1f", + "private" : "68e134092e94e622c8a0cd18aff55be23dabd994ebdee982d90601f6f0f4b369", + "shared" : 
"74bfc15e5597e9f5193f941e10a5c008fc89f051392723886a4a8fe5093a7354", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 23, + "comment" : "public key on twist", + "public" : "0000000000000000000000000000000000000000000000000000000000000020", + "private" : "e8e43fc1ebac0bbc9b99c8035ee1ac59b90f19a16c42c0b90f96adfcc5fdee78", + "shared" : "0d41a5b3af770bf2fcd34ff7972243a0e2cf4d34f2046a144581ae1ec68df03b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 24, + "comment" : "public key on twist", + "public" : "000000fcffff070000e0ffff3f000000ffffff010000f8ffff0f0000c0ffff7f", + "private" : "18bffb16f92680a9e267473e43c464476d5372ddd1f664f3d0678efe7c98bc79", + "shared" : "5894e0963583ae14a0b80420894167f4b759c8d2eb9b69cb675543f66510f646", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 25, + "comment" : "public key on twist", + "public" : "ffffffffffffff00000000000000ffffffffffffff00000000000000ffffff7f", + "private" : "300305eb002bf86c71fe9c0b311993727b9dc618d0ce7251d0dfd8552d17905d", + "shared" : "f8624d6e35e6c548ac47832f2e5d151a8e53b9290363b28d2ab8d84ab7cb6a72", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 26, + "comment" : "public key on twist", + "public" : "00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffff7f", + "private" : "80da9f02842247d4ade5ddbac51dbce55ea7dca2844e7f97ab8987ce7fd8bc71", + "shared" : "bfe183ba3d4157a7b53ef178613db619e27800f85359c0b39a9fd6e32152c208", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 27, + "comment" : "public key on twist", + "public" : "edfffffffffffffffffffffffffffeffffffffffffffffffffffffffffffff7f", + "private" : "806e7f26ca3246de8182946cbed09f52b95da626c823c7b50450001a47b7b252", + "shared" : "bca4a0724f5c1feb184078448c898c8620e7caf81f64cca746f557dff2498859", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 28, + "comment" : "public key on twist", + "public" : 
"edfffffffffffffeffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "58354fd64bc022cba3a71b2ae64281e4ea7bf6d65fdbaead1440eeb18604fe62", + "shared" : "b3418a52464c15ab0cacbbd43887a1199206d59229ced49202300638d7a40f04", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 29, + "comment" : "public key on twist", + "public" : "edffffffffffefffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "f0019cf05159794cc8052b00c2e75b7f46fb6693c4b38c02b12a4fe272e8556a", + "shared" : "fcde6e0a3d5fd5b63f10c2d3aad4efa05196f26bc0cb26fd6d9d3bd015eaa74f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 30, + "comment" : "public key on twist", + "public" : "edfeffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "d0fca64cc5f3a0c8e75c824e8b09d1615aa79aeba139bb7302e2bb2fcbe54b40", + "shared" : "7d62f189444c6231a48afab10a0af2eee4a52e431ea05ff781d616af2114672f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 31, + "comment" : "public key on twist", + "public" : "eaffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "d02456e456911d3c6cd054933199807732dfdc958642ad1aebe900c793bef24a", + "shared" : "07ba5fcbda21a9a17845c401492b10e6de0a168d5c94b606694c11bac39bea41", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 32, + "comment" : "public key = 0", + "public" : "0000000000000000000000000000000000000000000000000000000000000000", + "private" : "88227494038f2bb811d47805bcdf04a2ac585ada7f2f23389bfd4658f9ddd45e", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "SmallPublicKey", + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 33, + "comment" : "public key = 1", + "public" : "0100000000000000000000000000000000000000000000000000000000000000", + "private" : "48232e8972b61c7e61930eb9450b5070eae1c670475685541f0476217e48184f", + 
"shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "SmallPublicKey", + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 34, + "comment" : "edge case public key", + "public" : "0400000000000000000000000000000000000000000000000000000000000000", + "private" : "a8386f7f16c50731d64f82e6a170b142a4e34f31fd7768fcb8902925e7d1e25a", + "shared" : "34b7e4fa53264420d9f943d15513902342b386b172a0b0b7c8b8f2dd3d669f59", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 35, + "comment" : "edge case public key", + "public" : "0001000000000000000000000000000000000000000000000000000000000000", + "private" : "d05abd08bf5e62538cb9a5ed105dbedd6de38d07940085072b4311c2678ed77d", + "shared" : "3aa227a30781ed746bd4b3365e5f61461b844d09410c70570abd0d75574dfc77", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 36, + "comment" : "edge case public key", + "public" : "0000001000000000000000000000000000000000000000000000000000000000", + "private" : "f0b8b0998c8394364d7dcb25a3885e571374f91615275440db0645ee7c0a6f6b", + "shared" : "97755e7e775789184e176847ffbc2f8ef98799d46a709c6a1c0ffd29081d7039", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 37, + "comment" : "edge case public key", + "public" : "0000000001000000000000000000000000000000000000000000000000000000", + "private" : "d00c35dc17460f360bfae7b94647bc4e9a7ad9ce82abeadb50a2f1a0736e2175", + "shared" : "c212bfceb91f8588d46cd94684c2c9ee0734087796dc0a9f3404ff534012123d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 38, + "comment" : "edge case public key", + "public" : "ffffffffffff0f00000000000000000000000000000000000000000000000000", + "private" : "385fc8058900a85021dd92425d2fb39a62d4e23aef1d5104c4c2d88712d39e4d", + "shared" : "388faffb4a85d06702ba3e479c6b216a8f33efce0542979bf129d860f93b9f02", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 39, + "comment" : "edge case public key", + "public" : 
"ffffffffffffff00000000000000000000000000000000000000000000000000", + "private" : "e0614b0c408af24d9d24c0a72f9137fbd6b16f02ccc94797ea3971ab16073a7f", + "shared" : "877fec0669d8c1a5c866641420eea9f6bd1dfd38d36a5d55a8c0ab2bf3105c68", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 40, + "comment" : "edge case public key", + "public" : "0000000000000000010000000000000000000000000000000000000000000000", + "private" : "f004b8fd05d9fffd853cdc6d2266389b737e8dfc296ad00b5a69b2a9dcf72956", + "shared" : "180373ea0f23ea73447e5a90398a97d490b541c69320719d7dd733fb80d5480f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 41, + "comment" : "edge case public key", + "public" : "ffffffffffffffffffffffffffff000000000000000000000000000000000000", + "private" : "e80bf0e609bf3b035b552f9db7e9ecbc44a04b7910b1493661a524f46c3c2277", + "shared" : "208142350af938aba52a156dce19d3c27ab1628729683cf4ef2667c3dc60cf38", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 42, + "comment" : "edge case public key", + "public" : "0000000000000000000000000000010000000000000000000000000000000000", + "private" : "48890e95d1b03e603bcb51fdf6f296f1f1d10f5df10e00b8a25c9809f9aa1a54", + "shared" : "1c3263890f7a081cefe50cb92abd496582d90dcc2b9cb858bd286854aa6b0a7e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 43, + "comment" : "edge case public key", + "public" : "ffffffffffffffffffffffffffffffff00000000000000000000000000000000", + "private" : "a806f1e39b742615a7dde3b29415ed827c68f07d4a47a4d9595c40c7fccb9263", + "shared" : "56128e78d7c66f48e863e7e6f2caa9c0988fd439deac11d4aac9664083087f7a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 44, + "comment" : "edge case public key", + "public" : "0000000000000000000000000000000001000000000000000000000000000000", + "private" : "9899d5e265e1fc7c32345227d6699a6d6b5517cf33b43ab156ee20df4878794e", + "shared" : "30eca56f1f1c2e8ff780134e0e9382c5927d305d86b53477e9aeca79fc9ced05", + "result" : "valid", + "flags" : [] + }, + { + 
"tcId" : 45, + "comment" : "edge case public key", + "public" : "ffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000", + "private" : "d842316e5476aeaee838204258a06f15de011ba40b9962705e7f6e889fe71f40", + "shared" : "cb21b7aa3f992ecfc92954849154b3af6b96a01f17bf21c612da748db38eb364", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 46, + "comment" : "edge case public key", + "public" : "ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000", + "private" : "a0933ee30512b25ee4e900aaa07f73e507a8ec53b53a44626e0f589af4e0356c", + "shared" : "c5caf8cabc36f086deaf1ab226434098c222abdf8acd3ce75c75e9debb271524", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 47, + "comment" : "edge case public key", + "public" : "0000000000000000000000000000000000000000000000000000000001000000", + "private" : "38d6403e1377734cdce98285e820f256ad6b769d6b5612bcf42cf2b97945c073", + "shared" : "4d46052c7eabba215df8d91327e0c4610421d2d9129b1486d914c766cf104c27", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 48, + "comment" : "edge case public key", + "public" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff03", + "private" : "182191b7052e9cd630ef08007fc6b43bc7652913be6774e2fd271b71b962a641", + "shared" : "a0e0315175788362d4ebe05e6ac76d52d40187bd687492af05abc7ba7c70197d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 49, + "comment" : "edge case public key", + "public" : "ffffff0f000000ffffff0f000000ffffff0f000000ffffff0f000000ffffff0f", + "private" : "106221fe5694a710d6e147696c5d5b93d6887d584f24f228182ebe1b1d2db85d", + "shared" : "5e64924b91873b499a5402fa64337c65d4b2ed54beeb3fa5d7347809e43aef1c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 50, + "comment" : "edge case public key", + "public" : "000000fcffff030000e0ffff1f000000ffffff000000f8ffff070000c0ffff3f", + "private" : "d035de9456080d85a912083b2e3c7ddd7971f786f25a96c5e782cf6f4376e362", + "shared" : 
"c052466f9712d9ec4ef40f276bb7e6441c5434a83efd8e41d20ce83f2dbf5952", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 51, + "comment" : "edge case public key", + "public" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f", + "private" : "a8f37318a4c760f3cb2d894822918735683cb1edacf3e666e15694154978fd6d", + "shared" : "d151b97cba9c25d48e6d576338b97d53dd8b25e84f65f7a2091a17016317c553", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 52, + "comment" : "edge case public key", + "public" : "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff5f", + "private" : "20d4d624cf732f826f09e8088017742f13f2da98f4dcf4b40519adb790cebf64", + "shared" : "5716296baf2b1a6b9cd15b23ba86829743d60b0396569be1d5b40014c06b477d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 53, + "comment" : "edge case public key", + "public" : "edffffffffffffffffffffffffffffffffffffffffffffffffffffffff7fff7f", + "private" : "d806a735d138efb3b404683c9d84485ab4af540d0af253b574323d8913003c66", + "shared" : "ddbd56d0454b794c1d1d4923f023a51f6f34ef3f4868e3d6659307c683c74126", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 54, + "comment" : "edge case public key", + "public" : "fffffffffeffff7ffffffffffeffff7ffffffffffeffff7ffffffffffeffff7f", + "private" : "184198c6228177f3ef41dc9a341258f8181ae365fe9ec98d93639b0bbee1467d", + "shared" : "8039eebed1a4f3b811ea92102a6267d4da412370f3f0d6b70f1faaa2e8d5236d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 55, + "comment" : "edge case public key", + "public" : "edfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffff7f", + "private" : "f0a46a7f4b989fe515edc441109346ba746ec1516896ec5b7e4f4d903064b463", + "shared" : "b69524e3955da23df6ad1a7cd38540047f50860f1c8fded9b1fdfcc9e812a035", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 56, + "comment" : "edge case public key", + "public" : "edfffffffffffffffffffffffffffffffffffffffffffffffeffffffffffff7f", + "private" : 
"881874fda3a99c0f0216e1172fbd07ab1c7df78602cc6b11264e57aab5f23a49", + "shared" : "e417bb8854f3b4f70ecea557454c5c4e5f3804ae537960a8097b9f338410d757", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 57, + "comment" : "edge case public key", + "public" : "edfffffffffffffffffffffffffffffffeffffffffffffffffffffffffffff7f", + "private" : "b8d0f1ae05a5072831443150e202ac6db00322cdf341f467e9f296588b04db72", + "shared" : "afca72bb8ef727b60c530c937a2f7d06bb39c39b903a7f4435b3f5d8fc1ca810", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 58, + "comment" : "edge case public key", + "public" : "edfffffffffffffffeffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "c8619ba988859db7d6f20fbf3ffb8b113418cc278065b4e8bb6d4e5b3e7cb569", + "shared" : "7e41c2886fed4af04c1641a59af93802f25af0f9cba7a29ae72e2a92f35a1e5a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 59, + "comment" : "edge case public key", + "public" : "edfffffffeffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "f8d4ca1f37a30ec9acd6dbe5a6e150e5bc447d22b355d80ba002c5b05c26935d", + "shared" : "dd3abd4746bf4f2a0d93c02a7d19f76d921c090d07e6ea5abae7f28848355947", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 60, + "comment" : "edge case public key", + "public" : "edffffefffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "88037ac8e33c72c2c51037c7c8c5288bba9265c82fd8c31796dd7ea5df9aaa4a", + "shared" : "8c27b3bff8d3c1f6daf2d3b7b3479cf9ad2056e2002be247992a3b29de13a625", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 61, + "comment" : "edge case public key", + "public" : "edfffeffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "5034ee7bf83a13d9167df86b0640294f3620f4f4d9030e5e293f9190824ae562", + "shared" : "8e1d2207b47432f881677448b9d426a30de1a1f3fd38cad6f4b23dbdfe8a2901", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 62, + "comment" : "edge case public key", + "public" : 
"ebffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "40bd4e1caf39d9def7663823502dad3e7d30eb6eb01e9b89516d4f2f45b7cd7f", + "shared" : "2cf6974b0c070e3707bf92e721d3ea9de3db6f61ed810e0a23d72d433365f631", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 63, + "comment" : "public key with low order", + "public" : "e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b800", + "private" : "e0f978dfcd3a8f1a5093418de54136a584c20b7b349afdf6c0520886f95b1272", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 64, + "comment" : "public key with low order", + "public" : "5f9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f1157", + "private" : "387355d995616090503aafad49da01fb3dc3eda962704eaee6b86f9e20c92579", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 65, + "comment" : "public key with low order", + "public" : "ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "c8fe0df92ae68a03023fc0c9adb9557d31be7feed0d3ab36c558143daf4dbb40", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "Twist", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 66, + "comment" : "public key with low order", + "public" : "e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b880", + "private" : "c8d74acde5934e64b9895d5ff7afbffd7f704f7dfccff7ac28fa62a1e6410347", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "NonCanonicalPublic", + "Twist", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 67, + "comment" : "public key with low order", + "public" : 
"5f9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f11d7", + "private" : "b85649d5120e01e8ccaf7b2fb8d81b62e8ad6f3d5c0553fdde1906cb9d79c050", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "NonCanonicalPublic", + "Twist", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 68, + "comment" : "public key with low order", + "public" : "ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "private" : "2064b2f4c9dc97ec7cf58932fdfa3265ba6ea4d11f0259b8efc8afb35db88c48", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "NonCanonicalPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 69, + "comment" : "public key with low order", + "public" : "0000000000000000000000000000000000000000000000000000000000000000", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 70, + "comment" : "public key with low order", + "public" : "0100000000000000000000000000000000000000000000000000000000000000", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 71, + "comment" : "public key with low order", + "public" : "ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 72, + "comment" 
: "public key with low order", + "public" : "5f9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f1157", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 73, + "comment" : "public key with low order", + "public" : "e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b800", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 74, + "comment" : "public key with low order", + "public" : "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 75, + "comment" : "public key with low order", + "public" : "eeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 76, + "comment" : "public key with low order", + "public" : "0000000000000000000000000000000000000000000000000000000000000080", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 77, + "comment" : "public key 
with low order", + "public" : "0100000000000000000000000000000000000000000000000000000000000080", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 78, + "comment" : "public key with low order", + "public" : "ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 79, + "comment" : "public key with low order", + "public" : "5f9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f11d7", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 80, + "comment" : "public key with low order", + "public" : "e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b880", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 81, + "comment" : "public key with low order", + "public" : "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 82, + "comment" : "public key with low 
order", + "public" : "eeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 83, + "comment" : "public key = 57896044618658097711785492504343953926634992332820282019728792003956564819949", + "public" : "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "40ff586e73d61f0960dc2d763ac19e98225f1194f6fe43d5dd97ad55b3d35961", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "SmallPublicKey", + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 84, + "comment" : "public key = 57896044618658097711785492504343953926634992332820282019728792003956564819950", + "public" : "eeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "584fceaebae944bfe93b2e0d0a575f706ce5ada1da2b1311c3b421f9186c7a6f", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "SmallPublicKey", + "LowOrderPublic", + "NonCanonicalPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 85, + "comment" : "non-canonical public key", + "public" : "efffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "0016b62af5cabde8c40938ebf2108e05d27fa0533ed85d70015ad4ad39762d54", + "shared" : "b4d10e832714972f96bd3382e4d082a21a8333a16315b3ffb536061d2482360d", + "result" : "acceptable", + "flags" : [ + "NonCanonicalPublic", + "Twist" + ] + }, + { + "tcId" : 86, + "comment" : "non-canonical public key", + "public" : "f0ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "d83650ba7cec115881916255e3fa5fa0d6b8dcf968731bd2c9d2aec3f561f649", + "shared" : 
"515eac8f1ed0b00c70762322c3ef86716cd2c51fe77cec3d31b6388bc6eea336", + "result" : "acceptable", + "flags" : [ + "NonCanonicalPublic", + "Twist" + ] + }, + { + "tcId" : 87, + "comment" : "non-canonical public key", + "public" : "f1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "88dd14e2711ebd0b0026c651264ca965e7e3da5082789fbab7e24425e7b4377e", + "shared" : "6919992d6a591e77b3f2bacbd74caf3aea4be4802b18b2bc07eb09ade3ad6662", + "result" : "acceptable", + "flags" : [ + "NonCanonicalPublic" + ] + }, + { + "tcId" : 88, + "comment" : "non-canonical public key", + "public" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "98c2b08cbac14e15953154e3b558d42bb1268a365b0ef2f22725129d8ac5cb7f", + "shared" : "9c034fcd8d3bf69964958c0105161fcb5d1ea5b8f8abb371491e42a7684c2322", + "result" : "acceptable", + "flags" : [ + "NonCanonicalPublic" + ] + }, + { + "tcId" : 89, + "comment" : "non-canonical public key", + "public" : "0200000000000000000000000000000000000000000000000000000000000080", + "private" : "c0697b6f05e0f3433b44ea352f20508eb0623098a7770853af5ca09727340c4e", + "shared" : "ed18b06da512cab63f22d2d51d77d99facd3c4502e4abf4e97b094c20a9ddf10", + "result" : "acceptable", + "flags" : [ + "NonCanonicalPublic", + "Twist" + ] + }, + { + "tcId" : 90, + "comment" : "non-canonical public key", + "public" : "0300000000000000000000000000000000000000000000000000000000000080", + "private" : "18422b58a18e0f4519b7a887b8cfb649e0bfe4b34d75963350a9944e5b7f5b7e", + "shared" : "448ce410fffc7e6149c5abec0ad5f3607dfde8a34e2ac3243c3009176168b432", + "result" : "acceptable", + "flags" : [ + "NonCanonicalPublic", + "Twist" + ] + }, + { + "tcId" : 91, + "comment" : "non-canonical public key", + "public" : "0400000000000000000000000000000000000000000000000000000000000080", + "private" : "20620d82487707bedf9ee3549e95cb9390d2618f50cf6acba47ffaa103224a6f", + "shared" : "03a633df01480d0d5048d92f51b20dc1d11f73e9515c699429b90a4f6903122a", + 
"result" : "acceptable", + "flags" : [ + "NonCanonicalPublic" + ] + }, + { + "tcId" : 92, + "comment" : "non-canonical public key", + "public" : "daffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "private" : "285a6a7ceeb7122f2c78d99c53b2a902b490892f7dff326f89d12673c3101b53", + "shared" : "9b01287717d72f4cfb583ec85f8f936849b17d978dbae7b837db56a62f100a68", + "result" : "acceptable", + "flags" : [ + "NonCanonicalPublic" + ] + }, + { + "tcId" : 93, + "comment" : "non-canonical public key", + "public" : "dbffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "private" : "c8e0330ae9dceeff887fba761225879a4bd2e0db08799244136e4721b2c88970", + "shared" : "dfe60831c9f4f96c816e51048804dbdc27795d760eced75ef575cbe3b464054b", + "result" : "acceptable", + "flags" : [ + "NonCanonicalPublic" + ] + }, + { + "tcId" : 94, + "comment" : "non-canonical public key", + "public" : "dcffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "private" : "10db6210fc1fb13382472fa1787b004b5d11868ab3a79510e0cee30f4a6df26b", + "shared" : "50bfa826ca77036dd2bbfd092c3f78e2e4a1f980d7c8e78f2f14dca3cce5cc3c", + "result" : "acceptable", + "flags" : [ + "NonCanonicalPublic", + "Twist" + ] + }, + { + "tcId" : 95, + "comment" : "non-canonical public key", + "public" : "eaffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "private" : "9041c6e044a277df8466275ca8b5ee0da7bc028648054ade5c592add3057474e", + "shared" : "13da5695a4c206115409b5277a934782fe985fa050bc902cba5616f9156fe277", + "result" : "acceptable", + "flags" : [ + "NonCanonicalPublic" + ] + }, + { + "tcId" : 96, + "comment" : "non-canonical public key", + "public" : "ebffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "private" : "b8d499041a6713c0f6f876db7406587fdb44582f9542356ae89cfa958a34d266", + "shared" : "63483b5d69236c63cddbed33d8e22baecc2b0ccf886598e863c844d2bf256704", + "result" : "acceptable", + "flags" : [ + "NonCanonicalPublic" + ] + }, + { + "tcId" : 97, + 
"comment" : "non-canonical public key", + "public" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "private" : "c85f08e60c845f82099141a66dc4583d2b1040462c544d33d0453b20b1a6377e", + "shared" : "e9db74bc88d0d9bf046ddd13f943bccbe6dbb47d49323f8dfeedc4a694991a3c", + "result" : "acceptable", + "flags" : [ + "NonCanonicalPublic" + ] + }, + { + "tcId" : 98, + "comment" : "public key = 57896044618658097711785492504343953926634992332820282019728792003956564819968", + "public" : "0000000000000000000000000000000000000000000000000000000000000080", + "private" : "7887889bac4c629a101d3724f2ed8b98d936fde79e1a1f77d86779626bf8f263", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "SmallPublicKey", + "LowOrderPublic", + "NonCanonicalPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 99, + "comment" : "public key = 57896044618658097711785492504343953926634992332820282019728792003956564819969", + "public" : "0100000000000000000000000000000000000000000000000000000000000080", + "private" : "e07971ee820e48b0b266d8be3cdbbb5e900a43f59ee8535c6572418615de4962", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "SmallPublicKey", + "LowOrderPublic", + "NonCanonicalPublic", + "Twist", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 100, + "comment" : "RFC 7748", + "public" : "e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c", + "private" : "a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44", + "shared" : "c3da55379de9c6908e94ea4df28d084f32eccf03491c71f754b4075577a28552", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 101, + "comment" : "RFC 7748", + "public" : "e5210f12786811d3f4b7959d0538ae2c31dbe7106fc03c3efc4cd549c715a413", + "private" : "4866e9d4d1b4673c5ad22691957d6af5c11b6421e0ea01d42ca4169e7918ba4d", + "shared" : 
"95cbde9476e8907d7aade45cb4b873f88b595a68799fa152e6f8f7647aac7957", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 102, + "comment" : "RFC 8037, Section A.6", + "public" : "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f", + "private" : "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a", + "shared" : "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 103, + "comment" : "edge case for shared secret", + "public" : "b7b6d39c765cb60c0c8542f4f3952ffb51d3002d4aeb9f8ff988b192043e6d0a", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : "0200000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 104, + "comment" : "edge case for shared secret", + "public" : "3b18df1e50b899ebd588c3161cbd3bf98ebcc2c1f7df53b811bd0e91b4d5153d", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : "0900000000000000000000000000000000000000000000000000000000000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 105, + "comment" : "edge case for shared secret", + "public" : "cab6f9e7d8ce00dfcea9bbd8f069ef7fb2ac504abf83b87db601b5ae0a7f7615", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : "1000000000000000000000000000000000000000000000000000000000000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 106, + "comment" : "edge case for shared secret", + "public" : "4977d0d897e1ba566590f60f2eb0db6f7b24c13d436918ccfd32708dfad7e247", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : "feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 107, + "comment" : "edge case for shared secret", + "public" : 
"98730bc03e29e8b057fb1d20ef8c0bffc822485d3db7f45f4e3cc2c3c6d1d14c", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : "fcffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 108, + "comment" : "edge case for shared secret", + "public" : "97b4fff682df7f096cd1756569e252db482d45406a3198a1aff282a5da474c49", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : "f9ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 109, + "comment" : "edge case for shared secret", + "public" : "317781b0163bae74accc06c0d44ef9a911a22b0d37faf7726621591f9343ea2f", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : "f3ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 110, + "comment" : "edge case for shared secret", + "public" : "7e26f8f24cb590027f9d1bc49b0e1a242c7d8f43624d3e8fab28ee08e02cb45e", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff03", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 111, + "comment" : "edge case for shared secret", + "public" : "e96d2780e5469a74620ab5aa2f62151d140c473320dbe1b028f1a48f8e76f95f", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : "e5ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 112, + "comment" : "edge case for shared secret", + "public" : "8d612c5831aa64b057300e7e310f3aa332af34066fefcab2b089c9592878f832", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : 
"e3ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 113, + "comment" : "edge case for shared secret", + "public" : "8d44108d05d940d3dfe5647ea7a87be24d0d036c9f0a95a2386b839e7b7bf145", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : "ddffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 114, + "comment" : "edge case for shared secret", + "public" : "21a35d5db1b6237c739b56345a930aeee373cdcfb4701266782a8ac594913b29", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : "dbffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 115, + "comment" : "edge case for shared secret", + "public" : "3e5efb63c352ce942762482bc9337a5d35ba55664743ac5e93d11f957336cb10", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : "0000000000000000000000000000000000000000000000000000000000000002", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 116, + "comment" : "edge case for shared secret", + "public" : "8e41f05ea3c76572be104ad8788e970863c6e2ca3daae64d1c2f46decfffa571", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : "0000000000000000000000000000000000000000000000000000000000008000", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 117, + "comment" : "special case public key", + "public" : "0000000000000000000000000000000000000000000000000000000000000000", + "private" : "c8d07c46bbfb827753b92c70e49583ce8bfa44641a7382258ea903d6a832c96b", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "SmallPublicKey", + "LowOrderPublic", + "ZeroSharedSecret" + ] + 
}, + { + "tcId" : 118, + "comment" : "special case public key", + "public" : "0100000000000000000000000000000000000000000000000000000000000000", + "private" : "90b7ef237a055f348dcb4c4364a59d7d31edc7ab78f2ca254e2c810975c3f543", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "SmallPublicKey", + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 119, + "comment" : "special case public key", + "public" : "0200000000000000000000000000000000000000000000000000000000000000", + "private" : "e0a8be63315c4f0f0a3fee607f44d30a55be63f09561d9af93e0a1c9cf0ed751", + "shared" : "0c50ac2bfb6815b47d0734c5981379882a24a2de6166853c735329d978baee4d", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 120, + "comment" : "special case public key", + "public" : "1200000000000000000000000000000000000000000000000000000000000000", + "private" : "0840a8af5bc4c48da8850e973d7e14220f45c192cea4020d377eecd25c7c3643", + "shared" : "77557137a2a2a651c49627a9b239ac1f2bf78b8a3e72168ccecc10a51fc5ae66", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 121, + "comment" : "special case public key", + "public" : "1400000000000000000000000000000000000000000000000000000000000000", + "private" : "0092229c753a71284d0853909470ad847ab62f439ea51482fb41d30cc3b44743", + "shared" : "c88e719ae5c2248b5f90da346a92ae214f44a5d129fd4e9c26cf6a0da1efe077", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 122, + "comment" : "special case public key", + "public" : "0000000000000000000000000080000000000000000000000000000000000000", + "private" : "b8da2bd2d7cf25a3e54e5f87ee15911effb9ff86baec4076d56c8e953670bf5b", + "shared" : "4bf6789c7ea036f973cde0af02d6fdb9b64a0b957022111439570fad7d7a453f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 123, + "comment" : "special case public key", + "public" : "ffffffffffffffffffffffffffff000000000000000000000000000000000000", + "private" : 
"684cd420af41abb3d10c61e773238cf729c2155f941ac27e15f4c37f49b29576", + "shared" : "bcac235ae15cc7148372e11f9315e3bc76ceb904b3d2a8246bd9d9be2082bb62", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 124, + "comment" : "special case public key", + "public" : "0100000000000000000000000000010000000000000000000000000000000000", + "private" : "38cfacaa4460796b4de434bdd6739f0d043671f97fa829517511e6b47aa93474", + "shared" : "5dd7d16fff25cc5fdf9e03c3157cb0a235cea17d618f36e6f13461567edeb943", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 125, + "comment" : "special case public key", + "public" : "0000000000000000000000000000000000000000000000000000004000000000", + "private" : "30832e8cb627ac195f77b1105258e4bb18b99a5ed944404bfacb3a039fbdb14b", + "shared" : "2816fd031d51d6750f9225ede950625cca47441ca97e43092650396991afcb6d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 126, + "comment" : "special case public key", + "public" : "0000000000000000000000000000000000000000000000000000008000000000", + "private" : "d818fd6971e546447f361d33d3dbb3eadcf02fb28f246f1d5107b9073a93cd4f", + "shared" : "7ed8f2d5424e7ebb3edbdf4abe455447e5a48b658e64abd06c218f33bd151f64", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 127, + "comment" : "special case public key", + "public" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000", + "private" : "1021cd8682bdc3f5da9100adff5b2230b3acd836b3a455db8352a2c27e69d17e", + "shared" : "e8620ed5ca89c72c5ea5503e6dcd01131cd5e875c30e13d5dc619ce28ec7d559", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 128, + "comment" : "special case public key", + "public" : "0100000000000000000000000000000000000000000000000000000001000000", + "private" : "20e4c9247102292655d6765d7d84c6fce5309b8004045daea6d7d7dcad462871", + "shared" : "ceadb264379dcadd6e3bb8ad24dd653d2a609dd703d41da6caf3ad00f001862c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 129, 
+ "comment" : "special case public key", + "public" : "a8b9c7372118a53a9de9eaf0868e3b1a3d88e81cb2e407ff7125e9f5c5088715", + "private" : "90b150d462de512056d5bd55173074969b496f262fb6916b733f6263a8078971", + "shared" : "f86cc7bf1be49574fc97a074282e9bb5cd238e002bc8e9a7b8552b2d60eccb52", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 130, + "comment" : "special case public key", + "public" : "aab9c7372118a53a9de9eaf0868e3b1a3d88e81cb2e407ff7125e9f5c5088715", + "private" : "9887286b3261c8d857a16f6db21277f75d88d4e861b3ebe7596699047e816668", + "shared" : "ccbb8fd9dee165a398b2dbd7c8396f81736c1b3da36b35fbec8f326f38f92767", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 131, + "comment" : "special case public key", + "public" : "585007a5930d77623cf29756038ca197d3ebfd9e4c80a69585efe0274092c115", + "private" : "20ca2c85cc8762e96b7047bf15c71c050ffe0ed1616040a953ae32a1297ad871", + "shared" : "46add6f48ffff461777d4f89b6fdf1155aa051a96387d45f3e5e371a236b6e52", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 132, + "comment" : "special case public key", + "public" : "fbffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff1f", + "private" : "d027656605b10bf18dea28bc52546f9f1f08cef06cafd200fc84f87dbb4ebe46", + "shared" : "1adbe32207e21f71e1af53884d2a2276481e298e557f4dacb3720f2458e3082d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 133, + "comment" : "special case public key", + "public" : "0000000000000000000000000000000000000000000000000000000000000020", + "private" : "4867a83ee9d01b7510840867db1af6a6049bdbb056b74443f70c358e162c8867", + "shared" : "e12cc58fbeb70a5e35c861c33710be6516a6a92e52376060211b2487db542b4f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 134, + "comment" : "special case public key", + "public" : "afa00e4a271beec478e42fad0618432fa7d7fb3d99004d2b0bdfc14f8024832b", + "private" : "a015970a8add940fca5b1b5d23875397d547d8d494fcb314f2045a67a2d12c4b", + 
"shared" : "421bed1b26da1e9adbeada1f32b91a0fb4ced0f1110e0a4a88e735a19ee4571e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 135, + "comment" : "special case public key", + "public" : "b1a00e4a271beec478e42fad0618432fa7d7fb3d99004d2b0bdfc14f8024832b", + "private" : "4058cb6b9aaba02a338aaa392dbc10039e26e9e444117e758e24c5d8b232ea5e", + "shared" : "d7b47463e2f4ca9a1a7deea098da8e74ac3b4a109083d997259b12992e7e7e06", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 136, + "comment" : "special case public key", + "public" : "fbffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff2f", + "private" : "b876b05daff0530b139d9e11250563418077178246c5fa7005ba00e9b6647763", + "shared" : "686eb910a937211b9147c8a051a1197906818fdc626668eb5f5d394afd86d41b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 137, + "comment" : "special case public key", + "public" : "22231c64ef73ad62318b8a87bc38e272e1bb8bf1a60d7c00476d0b059d7b3c35", + "private" : "d87fd6aa5d8deef6dee9619a56846a0829620590f2da40835d8e251597e39078", + "shared" : "09559733b35bcc6bb8ac574b5abe3a4d8841deff051c294a07487e3eec3c5558", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 138, + "comment" : "special case public key", + "public" : "f6ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f", + "private" : "90036321b63751f7622aa93da34d85e59ce81009ac5b9a068921d83bc4715b57", + "shared" : "f7d5cbcf39eb722b01ed20c85563ebb81d076511aead4ccc429027866b9fd270", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 139, + "comment" : "special case public key", + "public" : "f7ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f", + "private" : "a06781fd4c4a0874e00e72ba131b9dd87a83b2904e294de176e8a9af1f695d67", + "shared" : "e995ad6a1ec6c5ab32922cff9d204721704673143c4a11deaa203f3c81989b3f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 140, + "comment" : "special case public key", + "public" : 
"feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f", + "private" : "b822d72d8b68bdb4fbf67e56a61d672b2c7747e94479fe5ae4072d0accdd6571", + "shared" : "32b6dabe01d13867f3b5b0892fefd80dca666f2edc5afb43cd0baf703c3e6926", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 141, + "comment" : "special case public key", + "public" : "0000000000000000000000000000000000000000000000000000000000000040", + "private" : "d08ce1237e248d02cdf619d20bea5848ade4f6ffd171b8dee8793fc67c459640", + "shared" : "a93d83fc9ea0f6cb0cc8b631da600019b76cbb2ec57222f2e42dd540e3da850b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 142, + "comment" : "special case public key", + "public" : "cbdce39b108c529dce74757843c71d8d1e44740e59f283ffb892f4fa6284c34a", + "private" : "180ae3c928514cfb9edd06e7dc1d5d066160e967445a5c58e4463b69ed205e6d", + "shared" : "017cbfa2b38e9ef3297a339ecce1a917bdcf7e910036086a41d1e22d04241870", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 143, + "comment" : "special case public key", + "public" : "3c5ff1b5d8e4113b871bd052f9e7bcd0582804c266ffb2d4f4203eb07fdb7c54", + "private" : "e881d806a110560cd8fee899d59c0249f1233a4322c41aa369c7a2a99f5b5962", + "shared" : "71133905b8a57ea8c38de0ecf213699a75b096c2df21f07f7e9eb03e9fa53f5c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 144, + "comment" : "special case public key", + "public" : "3e5ff1b5d8e4113b871bd052f9e7bcd0582804c266ffb2d4f4203eb07fdb7c54", + "private" : "08e410e1d7e8b9411236af4a35d6b62a5d8931478e4c62197cfafb491467b162", + "shared" : "3dc7b70e110766b2bf525252ebed98a100b2e532dc69544464da1bbab8625f6d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 145, + "comment" : "special case public key", + "public" : "f2ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff5f", + "private" : "e02fdf7e0ee3d55b4440f01432dd253c949793bc04da44ddece83e54c8c39b40", + "shared" : "e317e5cc438b5f79ead5533ac7c45519a117b31033cc2140b19edf8572011240", + "result" : 
"valid", + "flags" : [] + }, + { + "tcId" : 146, + "comment" : "special case public key", + "public" : "f6ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff5f", + "private" : "f05d18f68ef7a5865c14db3a9c255fdf2dabea2aa36581e94f68b727b582867b", + "shared" : "d86810516aeddc18061036f599a9eb84d1c6146b0f543652dd4526743ba42c04", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 147, + "comment" : "special case public key", + "public" : "95aff85a6cf2889dc30d68a9fc735e682c140261b37f596a7a101fd8bf6d3e6a", + "private" : "00c103578d5c079d7bcc22c1c31e787c1b15c57fcb493fdafefa20371cfc746b", + "shared" : "dfa988a477003be125b95ccbf2223d97729577d25e1d6e89e3da0afabdd0ae71", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 148, + "comment" : "special case public key", + "public" : "434638c8dee75ac56216150f7971c4e5c27717e34d1bf8008eda160a3af7786a", + "private" : "7005bb927485c435642b424a3dde014bcf76345e5be64ae6e9b24db39e1cdb51", + "shared" : "d450af45b8ed5fe140cc5263ffb7b52e66736899a8b872b6e28552129819b25b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 149, + "comment" : "special case public key", + "public" : "454638c8dee75ac56216150f7971c4e5c27717e34d1bf8008eda160a3af7786a", + "private" : "0822039a5dc13c40fcccf346e2a7769b4fd272052d43260ad626468a50d44162", + "shared" : "58002c89bf8bc32ae6fc205b796acd13ef7f8476f6492ae4b2be47f1095e8a4f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 150, + "comment" : "special case public key", + "public" : "ecfffffffffffffffffffffffffffeffffffffffffffffffffffffffffffff7f", + "private" : "40a6349c03f0dc0a42358f6353ca67632af687b14c9dff626c54e211e8fc355a", + "shared" : "7773aad6e72eb1735b65ad51f7dad258c11d7bfff53094424cb103cd6bfb4368", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 151, + "comment" : "special case public key", + "public" : "eefffffffffffffffffffffffffffeffffffffffffffffffffffffffffffff7f", + "private" : 
"50696d4d05209971d6ba0676ea274262ba639aac74fa75e5df4570768ad8ae74", + "shared" : "c118ddf6462fbea80f14ef1f2972a1ab12cafa511d1323d4d22d0d426d651b5b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 152, + "comment" : "special case public key", + "public" : "edffffffffffffffffffffffff7fffffffffffffffffffffffffffffffffff7f", + "private" : "68bb680c853f4e4daa47c586dc886cf4568d7b0383770f6df439a53be4a3236d", + "shared" : "cc0775bfd970a2706b11c7222a4436a3d17160382c83b76f89b66192c81b4408", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 153, + "comment" : "special case public key", + "public" : "ebffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "b0f6c28dbdc647068a76d71805ef770f087cf76b82afdc0d26c45b71ace49768", + "shared" : "f0097fa0ba70d019126277ab15c56ecc170ca88180b2bf9d80fcda3d7d74552a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 154, + "comment" : "special case public key", + "public" : "ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "18630f93598637c35da623a74559cf944374a559114c7937811041fc8605564a", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "Twist", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 155, + "comment" : "special case for E in multiplication by 2", + "public" : "0000000000000000000008000000000000000000000000000000000000000000", + "private" : "581ecbda5a4a228044fefd6e03df234558c3c79152c6e2c5e60b142c4f26a851", + "shared" : "59e7b1e6f47065a48bd34913d910176b6792a1372aad22e73cd7df45fcf91a0e", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 156, + "comment" : "special case for E in multiplication by 2", + "public" : "77af0d3897a715dfe25df5d538cf133bc9ab7ad52df6bd922a2fb75621d59901", + "private" : "b0561a38000795b7cb537b55e975ea452c2118506295d5eb15fd9c83b67f7a50", + "shared" : "179f6b020748acba349133eaa4518f1bd8bab7bfc4fb05fd4c24e7553da1e960", + 
"result" : "valid", + "flags" : [] + }, + { + "tcId" : 157, + "comment" : "special case for E in multiplication by 2", + "public" : "4e39866127b6a12a54914e106aab86464af55631f3cb61766d5999aa8d2e070e", + "private" : "b00f7df2d47128441c7270b9a87eee45b6056fc64236a57bdf81dbcccf5f5d42", + "shared" : "43c5ee1451f213ef7624729e595a0fee7c9af7ee5d27eb03278ee9f94c202352", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 158, + "comment" : "special case for E in multiplication by 2", + "public" : "adc6799ed8495ed5ab6eb1ef955479b9b50aa9ce0c349e8992a6665572d1f811", + "private" : "c8f7a0c0bfb1e9c72576c534f86854fbe4af521d4fa807f67e2440e100ec8852", + "shared" : "2f350bcf0b40784d1d756c9ca3e38ec9dd68ba80faf1f9847de50779c0d4902a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 159, + "comment" : "special case for E in multiplication by 2", + "public" : "770f4218ef234f5e185466e32442c302bbec21bbb6cd28c979e783fe5013333f", + "private" : "58181f581aa37022ff71c56c6e68e6175d967c5c995a249885f66565074ded4d", + "shared" : "d5d650dc621072eca952e4344efc7320b2b1459aba48f5e2480db881c50cc650", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 160, + "comment" : "special case for E in multiplication by 2", + "public" : "5c6118c4c74cfb842d9a87449f9d8db8b992d46c5a9093ce2fcb7a49b535c451", + "private" : "301c935cae4357070b0adaf9cd6192830b2c989c153729eed99f589eb45f884b", + "shared" : "909cc57275d54f20c67b45f9af9484fd67581afb7d887bee1db5461f303ef257", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 161, + "comment" : "special case for E in multiplication by 2", + "public" : "4039866127b6a12a54914e106aab86464af55631f3cb61766d5999aa8d2e076e", + "private" : "d002292d4359a3d42bc8767f1380009332e7a0df2f3379011ab78f789f6baa54", + "shared" : "4a7e2c5caf1d8180eb1c4f22692f29a14b4cdc9b193bd1d16e2f27438eef1448", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 162, + "comment" : "special case for E in multiplication by 2", + "public" : 
"078fa523498fb51cba1112d83b20af448b8009d8eea14368564d01b8f9b6086f", + "private" : "d0c2c49e644ab738270707ff9917065942687e2f12886d961161db46c05b565f", + "shared" : "c0ee59d3685fc2c3c803608b5ee39a7f8da30b48e4293ae011f0ea1e5aeb7173", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 163, + "comment" : "special case for E in multiplication by 2", + "public" : "9fc6799ed8495ed5ab6eb1ef955479b9b50aa9ce0c349e8992a6665572d1f871", + "private" : "f087d38b274c1dad1bce6eaa36b48e2190b90b9bf8ca59669cc5e00464534342", + "shared" : "b252bc8eabfaa68c56e54d61b99061a35d11e3a7b9bda417d90f69b1119bcf45", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 164, + "comment" : "special case for E in multiplication by 2", + "public" : "7650f2c76858ea201da2022ac730ecc43654852ad209426dd5d048a9de2a667e", + "private" : "48dbcc5a695f1514bbbaa6ad00842b69d9ae5216b1963add07fb2947c97b8447", + "shared" : "fbda33bc930c08df837208e19afdc1cfe3fd0f8f0e3976be34775e58a4a7771f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 165, + "comment" : "D = 0 in multiplication by 2", + "public" : "e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b800", + "private" : "5891c9272cf9a197735b701e5715268d36d7436b7e351a3e997a0862e4807d4d", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 166, + "comment" : "D = 0 in multiplication by 2", + "public" : "5f9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f1157", + "private" : "c0f9c60aea73731d92ab5ed9f4cea122f9a6eb2577bda72f94948fea4d4cc65d", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 167, + "comment" : "special case for DA - CB in multiplication by 2", + "public" : "b0224e7134cf92d40a31515f2f0e89c2a2777e8ac2fe741db0dc39399fdf2702", + 
"private" : "0066dd7674fe51f9326c1e239b875f8ac0701aae69a804c25fe43595e8660b45", + "shared" : "8dacfe7beaaa62b94bf6e50ee5214d99ad7cda5a431ea0c62f2b20a89d73c62e", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 168, + "comment" : "special case for DA - CB in multiplication by 2", + "public" : "601e3febb848ec3e57fce64588aad82afc9c2af99bbcdffcc4cd58d4b3d15c07", + "private" : "80067f30f40d61318b420c859fce128c9017ab81b47b76028a57bc30d5856846", + "shared" : "20f1d3fe90e08bc6f152bf5dacc3ed35899785333f1470e6a62c3b8cbe28d260", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 169, + "comment" : "special case for DA - CB in multiplication by 2", + "public" : "82a3807bbdec2fa9938fb4141e27dc57456606301f78ff7133cf24f3d13ee117", + "private" : "584577669d21ce0ae3e30b02c9783ffe97709cbfe396889aa31e8ee43352dc52", + "shared" : "2b28cc5140b816add5ad3a77a81b1c073d67bf51bf95bda2064a14eb12d5f766", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 170, + "comment" : "special case for DA - CB in multiplication by 2", + "public" : "f329ab2376462e5f3128a2682086253c19222ac1e2bca45692f0c3b528f4c428", + "private" : "18e597a4e2ccdb5e8052d57c9009938c2d4c43d6d8c9f93c98727b7311035953", + "shared" : "8392160083b9af9e0ef44fcfce53ba8ff7282ee7a6c71ab66f8843a55d09cd68", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 171, + "comment" : "special case for DA in multiplication by 2", + "public" : "4fce3bb6c8aaf022dbd100e3cde3941b37d543f00401dba7da9bc143dfc55709", + "private" : "88281cc51d5512d8814ea5249b879dcbad0323d38512dafbdc7ba85bba8c8d5d", + "shared" : "42184e22c535530c457bd3b4f1084cbf5e297f502fe136b8d1daecf5334cc96c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 172, + "comment" : "special case for DA in multiplication by 2", + "public" : "15c68851c1db844b5a1ef3456a659f188854b1a75fbdb2f68f514c9289ce711f", + "private" : "d0e795450df0a813c6573496ec5793ca02e1bdbad10ed08df83fdaed68b3385f", + "shared" : 
"f654d78e5945b24bc63e3e6d790e0ae986e53937764068b1bce920e1d79b756f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 173, + "comment" : "special case for DA in multiplication by 2", + "public" : "4200a242434337b8914f49345301ed782b13594f9ede089c41fb1e7ea82c9053", + "private" : "30b69a1cc1eb2d0b83ea213846e90a2c922088bdf294a6995bf6e6e77c646c41", + "shared" : "cd8a09b04795edcc7061867373981aa748651ebdce5ec218a335b878cefe4872", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 174, + "comment" : "special case for DA in multiplication by 2", + "public" : "baabf0174aaaea4de48cc83adfb0401461a741903ea6fb130d7d64b7bf03a966", + "private" : "78b30bb63cd8ade71b7a77d426f4419d05f199ffef349e89faa9d9a5f21f6654", + "shared" : "c9f8258f237db1c80702c5c4d9048dfba9dfe259da4aeee90dc2945526961275", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 175, + "comment" : "special case for x_2 in multiplication by 2", + "public" : "f12f18bd59c126348f6a7a9f4a5fdd9fcaf581345073a851fba098e5d64b4a0c", + "private" : "c0b386f4ef0d4698686404977e7b60cb6c1f8b6012a22e29d6224c5947439041", + "shared" : "6600cbe900616a770a126b8b19156d5e27e1174bd538d0944eb3c0be4899c758", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 176, + "comment" : "special case for x_2 in multiplication by 2", + "public" : "bee386527b772490aeb96fc4d23b9304037cb4430f64b228f3d8b3b498319f22", + "private" : "9886602e719bacafea092bb75b51ae7258abe1a364c176857f3dc188c03e6759", + "shared" : "3fe710d6344ff0cb342e52349e1c5b57b7a271f2a133bb5249bbe40dc86e1b40", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 177, + "comment" : "special case for x_2 in multiplication by 2", + "public" : "cf911ac91b0d944049cec66ae5ef0c4549d1e612e107c68e87263a2fbcf8323f", + "private" : "b83960f5d0613cdaac6dda690351666e9f277bba6bd406b0e27a1886bb2d3e46", + "shared" : "71373ebe67f39a2c230027c7db4b3b74bab80ed212b232679785ee10f47c304e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 178, + "comment" : 
"special case for x_2 in multiplication by 2", + "public" : "1e6ee536e4f26bbfb63139951a10f3bab62e19ed1ef8397178d9c5d04307cd40", + "private" : "d03b75f09ac807dfd2ee352c04a1f25984720f785ffaa0af88bc5db6ff9c3453", + "shared" : "238eef43c589822e1d3de41c1cc46dcfec7a93febf37c8546b6625e1a123815d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 179, + "comment" : "special case for x_2 in multiplication by 2", + "public" : "2f1c79ad8488db6f5146903b2dc46cfbfc834bbcf09b4dd70c274c4b67ce605d", + "private" : "d036948c0ec223f0ee577e390dbf87222358ed199f2823345ad154bbc4cbcc47", + "shared" : "87a79c9c231d3b9526b49bf3d683bf38c3c319af7c7c5d1456487398da535010", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 180, + "comment" : "special case for x_2 in multiplication by 2", + "public" : "fccfe742a63ed9cb70958560b5a02260350a7ecbaf8c57ae045f671a29b4b573", + "private" : "d054ded613febf2950ac5c927fcb120c387de0ba61b331cd33024c8b6e737048", + "shared" : "d683ca6194452d878c12d7da35f22833f99728bba89931a51274f61210336a5f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 181, + "comment" : "special case for AA in multiplication by 2", + "public" : "cb3d4a90f86b3011da3369d9988597c7fff1499273b4a04f84d0e26ed1683c0d", + "private" : "e82c480631fb153ba2211fe603032b3e71b162dbd3c11bec03208ffcd510655f", + "shared" : "dbf6203516635840cf69a02db87cf0d95dae315da7fc1ec7ce2b29e1f2db6666", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 182, + "comment" : "special case for AA in multiplication by 2", + "public" : "101e13f7bc0570fa2638caa20a67c6e0c21dab132f4b456191590264c493d018", + "private" : "c0c01d28c1cab01f59700aca5f18d2697658b37fdd54a339ff391c0a1a1b1645", + "shared" : "1fe314744390d525278b1f5fbf108101b8ded587081375ed4ac4ac690d92414f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 183, + "comment" : "special case for AA in multiplication by 2", + "public" : "dce1ec0843fa8f05d9c7355df598391f3de254ecd0b4ba9e6ea6fd9b3b6c2f67", + 
"private" : "c82bde72df36479688c485a8bf442f4a34412e429c02db97704f03daf4dfd542", + "shared" : "ad454395ee392be677be7b9cb914038d57d2d87ec56cc98678dd84f19920912b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 184, + "comment" : "special case for AA in multiplication by 2", + "public" : "21c2b56f0794cfee25cc9626677a6838000eb66d8c4b5fb07b2f1d912e97c372", + "private" : "503f697617fb02a7b8ef00ba34e7fc8ce93f9ec3e1cbfe4bf2c05bcee0cb9757", + "shared" : "c6d6499255133398f9dd7f32525db977a538118800bfaf3aad8bcd26f02c3863", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 185, + "comment" : "special case for BB in multiplication by 2", + "public" : "cc3d4a90f86b3011da3369d9988597c7fff1499273b4a04f84d0e26ed1683c0d", + "private" : "58cd4ca1e4331188de2b2889419ce20ec5ef88a0e93af092099065551b904e41", + "shared" : "0d74214da1344b111d59dfad3713eb56effe7c560c59cbbb99ec313962dbba58", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 186, + "comment" : "special case for BB in multiplication by 2", + "public" : "111e13f7bc0570fa2638caa20a67c6e0c21dab132f4b456191590264c493d018", + "private" : "004ea3448b84ca509efec5fcc24c63ee984def63b29deb9037894709709c0957", + "shared" : "7b9dbf8d6c6d65898b518167bf4011d54ddc265d953c0743d7868e22d9909e67", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 187, + "comment" : "special case for BB in multiplication by 2", + "public" : "dde1ec0843fa8f05d9c7355df598391f3de254ecd0b4ba9e6ea6fd9b3b6c2f67", + "private" : "c8a6eb00a4d74bbdff239522c3c891ed7ce1904be2a329cd0ae0061a253c9542", + "shared" : "fb0e0209c5b9d51b401183d7e56a59081d37a62ab1e05753a0667eebd377fd39", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 188, + "comment" : "special case for BB in multiplication by 2", + "public" : "22c2b56f0794cfee25cc9626677a6838000eb66d8c4b5fb07b2f1d912e97c372", + "private" : "50322ff0d0dcdd6b14f307c04dfecefe5b7cdeaf92bffb919e9d62ed27079040", + "shared" : 
"dbe7a1fe3b337c9720123e6fcc02cf96953a17dc9b395a2206cb1bf91d41756e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 189, + "comment" : "special case for D in multiplication by 2", + "public" : "e58baccede32bcf33b3b6e3d69c02af8284a9631de74b6af3f046a9369df040f", + "private" : "e0328c7d188d98faf2ac72d728b7d14f2bbbd7a94d0fbd8e8f79abe0b1fe1055", + "shared" : "97bd42093e0d48f973f059dd7ab9f97d13d5b0d5eedffdf6da3c3c432872c549", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 190, + "comment" : "special case for D in multiplication by 2", + "public" : "c6d5c693fc0a4e2df6b290026860566a166b6d7aebe3c98828d492745c8df936", + "private" : "5017679a17bd23adf95ad47e310fc6526f4ba9ca3b0839b53bd0d92839eb5b4f", + "shared" : "99bcbc7b9aa5e25580f92bf589e95dae874b83e420225d8a93e18e96dac00b63", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 191, + "comment" : "special case for D in multiplication by 2", + "public" : "d15f4bf2ef5c7bda4ee95196f3c0df710df5d3d206360fc3174ea75c3aa3a743", + "private" : "2864aaf61c146df06cc256b065f66b34985cc015da5b1d647a6ed4e2c76bfc43", + "shared" : "afa2adb52a670aa9c3ec3020d5fda285474ede5c4f4c30e9238b884a77969443", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 192, + "comment" : "special case for D in multiplication by 2", + "public" : "6dffb0a25888bf23cf1ac701bfbdede8a18e323b9d4d3d31e516a05fce7ce872", + "private" : "184a6cfbabcbd1507a2ea41f52796583dbdb851b88a85781ee8e3c28782c3349", + "shared" : "e6a2fc8ed93ce3530178fef94bb0056f43118e5be3a6eabee7d2ed384a73800c", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 193, + "comment" : "special case for D in multiplication by 2", + "public" : "21f86d123c923a92aaf2563df94b5b5c93874f5b7ab9954aaa53e3d72f0ff67e", + "private" : "c85f954b85bc102aca799671793452176538d077862ee45e0b253619767dff42", + "shared" : "7fc28781631410c5a6f25c9cfd91ec0a848adb7a9eb40bc5b495d0f4753f2260", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 194, + 
"comment" : "special case for D in multiplication by 2", + "public" : "587c347c8cb249564ab77383de358cc2a19fe7370a8476d43091123598941c7f", + "private" : "50e3e5a9a19be2ee3548b0964672fb5e3134cb0d2f7adf000e4556d0ffa37643", + "shared" : "314d8a2b5c76cc7ee1217df2283b7e6724436e273aeb80628dce0600ab478a63", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 195, + "comment" : "special case for DA + CB in multiplication by 2", + "public" : "f5c6311a1dd1b9e0f8cfd034ac6d01bf28d9d0f962a1934ae2cb97cb173dd810", + "private" : "08ece580bb6ddf96559b81d7a97dd4531def6cc78d448a70cebabdd26caab146", + "shared" : "2bfd8e5308c34498eb2b4daf9ed51cf623da3beaeb0efd3d687f2b8becbf3101", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 196, + "comment" : "special case for DA + CB in multiplication by 2", + "public" : "9316c06d27b24abc673ffb5105c5b9a89bdfaa79e81cdbb89556074377c70320", + "private" : "a886033e9dc2b6a913fffbc2bd402e8c11ec34d49c0dc0fa1429329b694a285f", + "shared" : "d53c3d6f538c126b9336785d1d4e6935dc8b21f3d7e9c25bc240a03e39023363", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 197, + "comment" : "special case for DA + CB in multiplication by 2", + "public" : "8a4179807b07649e04f711bf9473a79993f84293e4a8b9afee44a22ef1000b21", + "private" : "98b1cc2020a8ec575d5c46c76024cf7c7ad7628eb909730bc4f460aaf0e6da4b", + "shared" : "4531881ad9cf011693ddf02842fbdab86d71e27680e9b4b3f93b4cf15e737e50", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 198, + "comment" : "special case for DA + CB in multiplication by 2", + "public" : "a773277ae1029f854749137b0f3a02b5b3560b9c4ca4dbdeb3125ec896b81841", + "private" : "c8e193de162aa349a3432c7a0c0521d92cbc5e3bf82615e42955dd67ec12345f", + "shared" : "7ba4d3de697aa11addf3911e93c94b7e943beff3e3b1b56b7de4461f9e48be6b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 199, + "comment" : "special case for DA + CB in multiplication by 2", + "public" : 
"1eceb2b3763231bc3c99dc62266a09ab5d3661c756524cddc5aabcedee92da61", + "private" : "88e01237b336014075676082afbde51d595d47e1fa5214b51a351abbf6491442", + "shared" : "bcf0884052f912a63bbab8c5c674b91c4989ae051fa07fcf30cb5317fb1f2e72", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 200, + "comment" : "special case for DA + CB in multiplication by 2", + "public" : "9a2acbb3b5a386a6102e3728be3a97de03981d5c71fd2d954604bee3d3d0ce62", + "private" : "e82313e451a198dce4ae95c6832a8281d847fc87b28db00fe43757c16cc49c4a", + "shared" : "e5772a92b103ee696a999705cf07110c460f0545682db3fac5d875d69648bc68", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 201, + "comment" : "special case for DA + CB in multiplication by 2", + "public" : "27430e1c2d3089708bca56d7a5ad03792828d47685b6131e023dd0808716b863", + "private" : "2828594d16768e586df39601ecc86d3fad6389d872b53fca3edcaf6fb958f653", + "shared" : "378c29e3be97a21b9f81afca0d0f5c242fd4f896114f77a77155d06ce5fbfa5e", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 202, + "comment" : "special case for z_2 in multiplication by 2", + "public" : "4ef367901aac8ba90a50e0cf86ca4e4a3ff164fb121605be346e2e48d04ac912", + "private" : "a84f488e193139f986b0e5b249635b137d385e420342aef1f194fcde1fe5e850", + "shared" : "7eb48a60b14fb9ea5728f6410aef627d1522fad481b934af64e2c483b64d585f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 203, + "comment" : "special case for z_2 in multiplication by 2", + "public" : "d1de303c4ddd05d57c29df92ad172dd8c8f424e63ec93445beaea44f9d124b17", + "private" : "30fd2a781e095c34a483907b3dd2d8bd2736e279617bfa6b8b4e0e1cf90fbd46", + "shared" : "b71bdbed78023a06deed1c182e14c98f7cf46bc627a4a2c102ad23c41cf32454", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 204, + "comment" : "special case for z_2 in multiplication by 2", + "public" : "5bccd739fd7517d9344bf6b2b0f19a1e0c38d9349a25ad1f94af4a2cdcf5e837", + "private" : 
"28312e17b47dd32d90561168245187963c7469a31c881e4a5c94384262b71959", + "shared" : "5bb56877caf2cdac98611b60367fbb74265984614e5e73996e8ea1bd6f749f1a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 205, + "comment" : "special case for z_2 in multiplication by 2", + "public" : "8a7a939310df7ea768454df51bcd0dfbd7be4fcbb2ffc98429d913ec6911f337", + "private" : "a87640cf8237b473c638b3e9df08644e8607e563b5964363ccc42133b2996742", + "shared" : "b568ed46d04f6291f8c176dca8aff6d221de4c9cce4b404d5401fbe70a324501", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 206, + "comment" : "special case for z_2 in multiplication by 2", + "public" : "fe3590fc382da7a82e28d07fafe40d4afc91183a4536e3e6b550fee84a4b7b4b", + "private" : "780c5b882720d85e5ddfaf1033e9a1385df9e21689eeda4dcc7444ad28330a50", + "shared" : "11fb44e810bce8536a957eaa56e02d04dd866700298f13b04ebeb48e20d93647", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 207, + "comment" : "special case for z_2 in multiplication by 2", + "public" : "fad9ab3e803b49fc81b27ee69db6fc9fdb82e35453b59ef8fab2a3beb5e1134c", + "private" : "209e5e0ae1994bd859ce8992b62ec3a66df2eb50232bcc3a3d27b6614f6b014d", + "shared" : "85d9db8f182bc68db67de3471f786b45b1619aec0f32b108ace30ee7b2624305", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 208, + "comment" : "special case for z_2 in multiplication by 2", + "public" : "98bed955f1516c7a442751ac590046d7d52ca64f76df82be09d32e5d33b49073", + "private" : "806d1dee5ff6aea84a848916991a89ef3625583e1bd4ae0b3dd25c2524a4ff46", + "shared" : "61d4ef71cbe7be3128be829ab26ed3463eb4ab25937c309788e876b23412aa7c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 209, + "comment" : "special case for z_2 in multiplication by 2", + "public" : "e59be4917b3f05b6fc8748c9b90f1b910273c9c6e17ff96ef415ff3d927d987e", + "private" : "00f98b02ae0df5274cc899f526eb1b877289e0963440a57dd97e414cdd2f7c51", + "shared" : 
"5ba4394ed1a664811b01557944becf7585652a8acbdbf806742911207bd79346", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 210, + "comment" : "special case for A in multiplication by 2", + "public" : "8c9885a26cb334054700a270f7a5f4aac06bad8263b651ebf0712eca1ebb6416", + "private" : "d86c18f2be396b3bb72f22e6ece22e273af6e1506a1c09ad4d01bdd2f439f843", + "shared" : "a5952588613eb7a5cd49dd526f1f20a4f0ffe9423e82cea302c2dd90ce559955", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 211, + "comment" : "special case for A in multiplication by 2", + "public" : "f6135fe9741c2c9de7dcf7627ef08832f351cb325dbb3a26f93a2b48620e1727", + "private" : "f81aadb9053eb698996d0f781d9cda67f82ddefa3987d276ff5a94ffdf5d255f", + "shared" : "cb6fb623084b6197443ec9ba1050c0923332e5e829ae0194269cfaf920a43601", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 212, + "comment" : "special case for A in multiplication by 2", + "public" : "f6ffffffffffffffffffffffffffffbfffffffffffffffffffffffffffffff3f", + "private" : "305b4db4321b4923fc559bf91df677d0e12c3a31b16ec655cb708b759d7c114d", + "shared" : "9e526079c2fcf12426ae6c2a54b5ffb70f2ec662e29ea5ce0c8385c3b21cd162", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 213, + "comment" : "special case for A in multiplication by 2", + "public" : "f6ffffffffffffffffffffffffffff3f00000000000000000000000000000040", + "private" : "900638d1979802db9b52e4dd84fa19579f61cd7bef3c0b62fcccaeaa15fa484d", + "shared" : "6329c7dc2318ec36153ef4f6f91bc6e7d1e008f5293065d9586ab88abb58f241", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 214, + "comment" : "special case for A in multiplication by 2", + "public" : "f6eba0168be3d3621823089d810f77cd0cae34cda244c5d906c5d4b79df1e858", + "private" : "38575cf7c8691ecc79cd5f8d7d4703aa48592ff6e7f64731c2d98a19aeae514f", + "shared" : "603f4fc410081f880944e0e13d56fc542a430eec813fad302b7c5ac380576f1c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 215, + 
"comment" : "special case for A in multiplication by 2", + "public" : "60677a5d934ccbfab8ff5d8f085a0b553f94527d9c49ae140f8ed135e1449b69", + "private" : "e88bd02c7016547a24f428bc2a9dcccad6c6f880c17bffcf66fc68459627af4e", + "shared" : "834bbad5470e1498c4b0148782dfe630e8bfadff1997de802ac8ce302a1bda28", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 216, + "comment" : "special case for B in multiplication by 2", + "public" : "8d9885a26cb334054700a270f7a5f4aac06bad8263b651ebf0712eca1ebb6416", + "private" : "9036ed7d68f7448ac440dc51216b49840dcabd3d5e32e3b4ffc32a5fe9e96742", + "shared" : "ec9070ad3491a5ff50d7d0db6c9c844783dde1c6fbd4fe163e9ade1ce9cd041d", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 217, + "comment" : "special case for B in multiplication by 2", + "public" : "f7135fe9741c2c9de7dcf7627ef08832f351cb325dbb3a26f93a2b48620e1727", + "private" : "90c55e77aa0fe4afb1287109fd010f526364dea18d88e2fd870ac01b66e3fa4e", + "shared" : "dc6d05b92edcdb5dc334b1fc3dff58fe5b24a5c5f0b2d4311555d0fc945d7759", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 218, + "comment" : "special case for B in multiplication by 2", + "public" : "f7ffffffffffffffffffffffffffffbfffffffffffffffffffffffffffffff3f", + "private" : "a021ba2fd4e3ad57bcbf204d6f6c3e8018d8978552633b6dff1b7447bf529459", + "shared" : "1b174b189981d81bc6887932083e8488df8bbbed57f9214c9cfa59d59b572359", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 219, + "comment" : "special case for B in multiplication by 2", + "public" : "f7ffffffffffffffffffffffffffff3f00000000000000000000000000000040", + "private" : "3035083e984837587f6b7346af871bf3fc9581c50eb55c83aefabeed68cee349", + "shared" : "15a052148abaad1b0f2e7481a34edb61403589439b5bd5e5646cecebe2a1be2b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 220, + "comment" : "special case for B in multiplication by 2", + "public" : 
"f7eba0168be3d3621823089d810f77cd0cae34cda244c5d906c5d4b79df1e858", + "private" : "30435ce187f2723f9a3bdea0eef892207e152e4cee8985fa72d2db4147bd2a53", + "shared" : "1d048cbe2f8df07c233a8f93706f307d17130c2497fb752eeaa31fe3edfc725a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 221, + "comment" : "special case for B in multiplication by 2", + "public" : "61677a5d934ccbfab8ff5d8f085a0b553f94527d9c49ae140f8ed135e1449b69", + "private" : "580f0a9bba7281a30fb033490e0f429f22e3f267852caeacefa3e5291f0e614e", + "shared" : "cb92a98b6aa99ac9e3c5750cea6f0846b0181faa5992845b798923d419e82756", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 222, + "comment" : "special case for C in multiplication by 2", + "public" : "c8239b710136fe431fb4d98436157e47c9e78a10f09ff92e98baff159926061c", + "private" : "709098feb2e25c67b4bfd3be0a01af409adb6da52b3fbe3d970642dd2c983856", + "shared" : "f1bd12d9d32c6f4c5b2dcb3a5c52d9fd454d52ca704c2c137956ec8ad9aef107", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 223, + "comment" : "special case for C in multiplication by 2", + "public" : "b7a2f79e0de9b58147691b5546d9ec463da8325e1440e58bb20aa129d1b97327", + "private" : "185ac62e729f88528950926c0de7c481c924bf9cf26a122f443b861e8b6af640", + "shared" : "e6f1c494c9e4bd2325c17183e82d31ab0bbee6c847d4b0e4a99c7c6891117c3f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 224, + "comment" : "special case for C in multiplication by 2", + "public" : "2dc624e1663f42a7b9336350f277541b50b8ddc7ee0d86133ad53273aed4e62e", + "private" : "f03743eead7c2f7719794324f271072817d1a04cbda42b232f3bee43f397cc40", + "shared" : "aa2a12edf752d279bdb000fb1405a5df8c5f1d41309b4f2bd41aed7ac1ed0149", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 225, + "comment" : "special case for C in multiplication by 2", + "public" : "0e5eceee9104a64f82c9093b9bf7b4076ee5bc70815af7ee9f942ef015756176", + "private" : 
"a8fbb4f90da45794981405d59ef310621e3c3b6b7760b5e30308c7822c88ae5f", + "shared" : "74d5606ba0b6ad1d8ba36ae6f264d6315f479b3984de573e9b001e0555247c32", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 226, + "comment" : "special case for CB in multiplication by 2", + "public" : "737d45477e2beb77a6c38b98e2a19b05c395df7da998cb91f6dfab5819614f27", + "private" : "c887886fd07107c7221f6d9dd36c305ec779ceca132ac933ff77dab2beac6345", + "shared" : "8cf4538ae5f445cc6d273df4ad300a45d7bb2f6e373a562440f1b37773904e32", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 227, + "comment" : "special case for CB in multiplication by 2", + "public" : "873f8b260ea9d9ddac08b7b030727bf0072315ab54075ecc393a37a975882b7e", + "private" : "58096ee29361978f630ad1fb00c1267c5a901f99c502f9569b933ad0dcce0f50", + "shared" : "d5766753211d9968de4ac2559998f22ef44e8aa879f3328cbc46aa858dcb433c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 228, + "comment" : "special case for CB in multiplication by 2", + "public" : "75e1587c5eefc83715d71020aa6be5347bb9ec9d91ce5b28a9bbb74c92ef407e", + "private" : "0829a49046dce2c07ab28440dbad146453e128960e85dd2e6a69a1512873dd44", + "shared" : "761d8cecf13f93b379a772e5fac5b9ffe996cad9af06152580afe87ff9651c71", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 229, + "comment" : "special case for x_2 in multiplication by 3", + "public" : "f85a06065ea2527238fc5ec1b75ead9262e6b1aed61feff83b91230aeb4b7d01", + "private" : "587ac36b9a23594632679adea1a826f2f62d79738220fb487464039f36ca2372", + "shared" : "f12acd36f6299a4d192c03aa4efeea7df51e2d15d763172e68accf7bc6f5c230", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 230, + "comment" : "special case for x_2 in multiplication by 3", + "public" : "6e0f1d00b1099d2a71f7be86655feb8988bba5577b02f964043a49f00c749613", + "private" : "a8a442b7c0a99227b4cb5c75fb9e5a72cea25eba8a0bdf07271bb4a93c2b6665", + "shared" : 
"b2bbbd173f41d952d329251da973a9500300628177ad0fb79d01e2e263905b38", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 231, + "comment" : "special case for x_2 in multiplication by 3", + "public" : "696757ced3097fa960c8390a09e8bd6d390dbde8d1fa170261f3422edc192929", + "private" : "d8f7233e9612c00c9dca2c751ec1d3f5f67bad77c2e714a20e71eb3f220a6671", + "shared" : "45ecfa275f1daa25d3fadf33cdf89a152afea25eae37e68e00b30c367789887a", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 232, + "comment" : "special case for x_2 in multiplication by 3", + "public" : "fd84b3f2fbfa16aebf40c27f46e18d77bafa0c7971bedde4909212e771bd3c35", + "private" : "d80c7c7557c9907e1b11e844bf1369cba669bc38e9b7b253e51f239bda322374", + "shared" : "595e144e07bbe65b38e0e4163d02ad75a65e422e74067db35c90dfa6e055d456", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 233, + "comment" : "special case for x_2 in multiplication by 3", + "public" : "805485703ccfc4a221ef281267f52b61cebc879f0f13b1e5f521c17352a0784f", + "private" : "8002a85115ad7b41c50f84f35fac750ee8e19734807102830ff6a306beed4464", + "shared" : "226e16a279ac81e268437eb3e09e07406324cb72a9d4ee58e4cf009147497201", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 234, + "comment" : "special case for x_2 in multiplication by 3", + "public" : "80642a3279da6bf5fc13db14a569c7089db014225cfcae7dff5a0d25ecc9235b", + "private" : "782db0c8e3e68f106fe0c56415e0bd13d812dea0e94cbd18bdf6761295613a6d", + "shared" : "790d09b1726d210957ce8f65869ca1ec8fa0b2b06b6bcf9483b3eb55e49e9272", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 235, + "comment" : "special case for z_2 in multiplication by 3", + "public" : "84e827f78cae0cf063e4340198f788c284e07430b3a94a3873df38b1f872ce02", + "private" : "909fb0bdbf53a69a2fe39c8b2497abd4fa57d2d54e046b5f514595e2c0f33d63", + "shared" : "684cc83af806bcd9cd251e1858f3c10f0166e0a0cd2be154339a886b13e7c76f", + "result" : "valid", + 
"flags" : [] + }, + { + "tcId" : 236, + "comment" : "special case for z_2 in multiplication by 3", + "public" : "d445e1df0083bb6b8e886e6632251807171d4e88c41816fc684373c09d7e5d6e", + "private" : "78a67909757248665f79371eb014825ab6bd4af3571f140389c636e004bcf46b", + "shared" : "e426e4a3c54d3e77f4f157301e0ac7d9e12337a2b58df16780041cf6d6198c5a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 237, + "comment" : "special case for z_2 in multiplication by 3", + "public" : "f26aa6151a4b22390176f6233e742f40f2ecd5137166fb2e1ec9b2f2454ac277", + "private" : "286a302d5b076d2aba7c2a4daf9e7cc9d8539b7c0391307db65a2f4220d30f70", + "shared" : "862df92e25277bd94f9af2e1dda51f905a6e2a3f6068a92fabfc6c53da21ec11", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 238, + "comment" : "special case for DA - CB in multiplication by 3", + "public" : "2b02db3c82477fe21aa7a94d85df379f571c8449b43cbd0605d0acc53c472f05", + "private" : "a838b70d17161cb38222f7bc69a3c8576032d580275b3b7d63fba08908cb4879", + "shared" : "3f438dbf03947995c99fd4cb366ca7e00e8cfbce64c3039c26d9fad00fa49c70", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 239, + "comment" : "special case for DA - CB in multiplication by 3", + "public" : "d71dd7db122330c9bbaab5da6cf1f6e1c25345ee6a66b17512b1804ace287359", + "private" : "b0733b4203267ab3c94c506acadb949a76cc600486fcd601478fcdef79c29d6c", + "shared" : "95f3f1849b0a070184e6077c92ae36ba3324bf1441168b89bb4b9167edd67308", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 240, + "comment" : "special case for BB in multiplication by 3", + "public" : "737bc07de0729bbcfbee3a08e696f97f3770577e4b01ec108f59caf46406d205", + "private" : "d844a36b58aefdb08b981796029a2766101884b348f70eed947c2541064caf6a", + "shared" : "6a969af6d236aba08fa83160f699e9ed76fb6355f0662f03dbc5915a3c23063e", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 241, + "comment" : "special case for BB in multiplication by 3", + 
"public" : "9758061a7b3e2c02fb5c20875ae6b55b11fb6795990a0f4fdcd1147be5521607", + "private" : "a0b7d312d9b832e124d1bc8cb21db545440e3cf14e7473ee9ccbe9b682f2156c", + "shared" : "ab39db4aa29ac4017c7446f1ad0c7daa9a37f1b6b4f2e9d2902ccefb84839d28", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 242, + "comment" : "special case for BB in multiplication by 3", + "public" : "37cd65d33036205f3449e8655a50d4b0c86fec02100b4f2db7da92dcf5e3aa0a", + "private" : "787f1ddd78cc6473d3e63949409ad3f35bfe0ce0738f255dee682f2bfbc80f7f", + "shared" : "13de41659e3e308d6e26c94282fcc3e0364ddf0809ddee6c8e7abb5091b02b00", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 243, + "comment" : "special case for BB in multiplication by 3", + "public" : "a9b6e8081460383adc587c8f91a02c59a7a35576ca62436ccd1b5fef1b92545d", + "private" : "4080ae60a85c1fa95aad9beabd98b405e7f28141bf08f2c9a4fdbde1c5680265", + "shared" : "69ed8a0a27812ae6741474bd5c6a4e683a126649f7245aa0f91a3a384bcde25a", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 244, + "comment" : "special case for E in multiplication by 3", + "public" : "fd1a2cd17a93f850deb8c45a2d34539232dfd8a558304209781c6cb58229870e", + "private" : "08f9f4a4fac4db413315f74a59818b2452fc7b7685592e26556775f9b86d907f", + "shared" : "010218bd67b1b92fee3e7fa4578c13617d73195de10279747e53ba01a254525a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 245, + "comment" : "special case for E in multiplication by 3", + "public" : "b88119e5ae6d9e6b912d52524739e612ef19ab7e5dd3d946cb9bc003c378f81f", + "private" : "1888cfae3085867657b09435c42b74cc762457839451a3659db218d4214fdd63", + "shared" : "e6b298de9cb6358fbbb00f11890f5714a3858e8f05a2a8d1cf39fe78cc55dd4e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 246, + "comment" : "special case for E in multiplication by 3", + "public" : "7b70e29dce0479cde4a36c7f9786582f104bc0788f046b48af495e67bdb88f36", + "private" : 
"789ce13ed007818d7a5181e629eed944a20a058cfe39669c9831bfa5215a1269", + "shared" : "967bbe298494b4a5f95853cfde9dc85970b2a4b5dd2c92782901e853957f5809", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 247, + "comment" : "special case for E in multiplication by 3", + "public" : "2a209e2ace0e3d6973ffbf7403f9857ff97a5fdcd27f2c7098b444fc3c166738", + "private" : "00022b43775ab2f4b91bc1cb54c97f78026289eaaf02abeed04ca84f736c686c", + "shared" : "9f66848681d534e52b659946ea2c92d2fabed43fe6e69032c11153db43dca75b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 248, + "comment" : "special case for E in multiplication by 3", + "public" : "f50709aca7f314e8d05b5ff97a427e427bd5e85c4e86712125076a771be21448", + "private" : "8097a52fc562e8a516682f5363cc5e7c88e9c78e308df0deef40497b35cc127d", + "shared" : "ea7572e27a9120de1f13b85710ba69a3471b7b3f5d12bc430c12c4bbf8aa3957", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 249, + "comment" : "special case for E in multiplication by 3", + "public" : "0f13955978b93d7b9f9a2e70d96df922850a8ffd8412e236fb074aef99d37d54", + "private" : "4028802030d8a8221a7160eebbf1846116c1c253abc467d6e43cb850f1459860", + "shared" : "e23d63a46be67c7443c07b9371ff6a06afcd7a5794bf2537926074b88190307a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 250, + "comment" : "special case for E in multiplication by 3", + "public" : "18ffe992a729ce70c3b7cdc55bab55f2210d279134b3082a9f682d3a0b131273", + "private" : "d8515d45c7ab2b9529816543150068b8e4bb614cf2b68a8a99363975af503d74", + "shared" : "33ccaf24e1e26290ed7e462093e9f77607ef52a0626b2cd2511c41cd24c13849", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 251, + "comment" : "special case for AA in multiplication by 3", + "public" : "c3ba28057728d0533965ec34979fe7bd93cf6cb644e8da038baa87997b8dc20e", + "private" : "d8815bd144518fa526befdd373f5f9cff254d5d3c4660e8a90ef2a22c6876a74", + "shared" : "74f95b4700f0185f33c5b5528ed5012a3363f8bbd6f6a840aa1f0f3bdb7c9650", + 
"result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 252, + "comment" : "special case for AA in multiplication by 3", + "public" : "4eb095a86d1e781bb182233075ebf1db109d57135bf91d54fdb18eb371427640", + "private" : "a82d996093eefdaf283f4049bba4f5af6ecc2e64894f325ee1f9ca1e156d0567", + "shared" : "e9677b854851c41cc489e03981ae78690be6cbf0054ea9834759de3e27bcf03e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 253, + "comment" : "special case for AA in multiplication by 3", + "public" : "83f67d7c92b11c8fb072484642a01f43deb022b54d94a4015e39849a2e2e9555", + "private" : "c02609df3d5436c123dcd7ee11f23f1da321666c09f379d37914203340510861", + "shared" : "f148716ebe7269a7076f0cf1f22b6978d3c7e3607b0bcc87a8c7a85b9fd20c2f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 254, + "comment" : "special case for AA in multiplication by 3", + "public" : "20cc75d376d8453b9d049c84f58eafcf61126c08a03661e735f0a8be228fd466", + "private" : "a0e3b78c0f3be2a760b2c916f244df219624fdda2e9e31b15328f4a77690296a", + "shared" : "1d5c123e88e9dc7a3b16ec90b60578dfca7e11eab9b88c6eca7bc33d91fde83b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 255, + "comment" : "special case for AA in multiplication by 3", + "public" : "ef31b43d19c0a5434deb56129c16298a394a7032a2e52cb997476bdeca325b73", + "private" : "701f130a290584cb28c7d6539506a1a054f926a17ef7c568ae43047c05e10f60", + "shared" : "2fc065ba8f5040a0a659f6f7330554bd1b9d7c893b91e316e0af90c37af4f135", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 256, + "comment" : "special case for AA in multiplication by 3", + "public" : "d8c8e2c6f33a98525df3767d1d04430dab0bda41f1f904c95bc61cc122caca74", + "private" : "d0e67f68183a4c1aed9c56864b36278bb7bb75d57a78321bc7c24ff61636607a", + "shared" : "ef7612c156078dae3a81e50ef33951cab661fb07731d8f419bc0105c4d6d6050", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 257, + "comment" : "special case for AA in multiplication by 
3", + "public" : "1833619516b80db0c05b225509e6698df028d83b66ed6bac6f0f6308970d2c7d", + "private" : "88eb7775dacc32b045ceb35f261b3616315efa98b780e08c79d544edadb5467d", + "shared" : "a3cf3d81ec56896a68fca0da6335171d0c622568738c0db26fe117033726a049", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 258, + "comment" : "special case for AA in multiplication by 3", + "public" : "e2e989aad2397fc34b6cbe2db27d5ab69b28048383c91d9e8226d548253fab7e", + "private" : "7055b1c0576e7ab6c89fcc1ce49e79c8c371bf9fc2b22b8f8396a9b64c5ae26d", + "shared" : "e7f45823a45b6a46192b37d73e8609b5bda68cd7cfbdccaa49082080993e640f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 259, + "comment" : "special case for D in multiplication by 4", + "public" : "b9bd793624d6a7e808486110058853edb25e136bd4d6a795d6d2ef53b25e3804", + "private" : "906a9bfcfd71014d18967680d4509eaa41c666424af98bf9ff7ff49eb1baba41", + "shared" : "7c6148134c9e8b2ba5daeca41e6a1f3a82d8f75d0b292b23c40fe7f5ce0a2b7a", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 260, + "comment" : "special case for D in multiplication by 4", + "public" : "e3f444e208da9043f3f74c20e28d7f404bb687a346709abcd555156f88607820", + "private" : "28392b1b035a8465aa22aabb571061c6effeed40cc2530b628e4fd40395ae04a", + "shared" : "ea5e772bac4693ce69ea3ac761011fa7674037653a433c7f05456e7291cd3c4e", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 261, + "comment" : "special case for D in multiplication by 4", + "public" : "87b43f90f76d12fb3a469fa8687c27e369d4a82f95cf95e8dc3970de8f86d92b", + "private" : "78cbb35204cc88676c14e0ff18171392e998411b23d905d4c4dceab70511f442", + "shared" : "81c395aed5cc5f5e2a206a8a4cacecd501df5b81e49433835ad8a3779edffb30", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 262, + "comment" : "special case for D in multiplication by 4", + "public" : "86441ea06c5cd2a34c6b51261e93a2f30ea7db0f74e14c42f0fc443c6735973c", + "private" : 
"a8225b49ef7b7330e3de787cbc40479644db7ab126370295c94189673430d745", + "shared" : "513eba5870dc5187e2552fe3ba8292b516d2af9ecb9a9bdc51eac2ce2de40112", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 263, + "comment" : "special case for D in multiplication by 4", + "public" : "4624aa4ae9d12725bf92b85f93e3e8cea16b7bd83fda0eb18fab2dbe0e8bf742", + "private" : "0841e1a5c7420b94b6cc6991316ebdd608626339c09d0f67b24088588b9d0d49", + "shared" : "983b7e236ffaddb4b759b7353fe87846f59fb6f28a3ed65c256176b6609b7c6e", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 264, + "comment" : "special case for D in multiplication by 4", + "public" : "a625a5b7a04cea462d123b485c39ea44a8079aa223c59e9ca97abcd30b500e4b", + "private" : "08ecf76e31a23039ea8a15ee474b6251a9d725bff1a5751eb5ecde9d7d4e2f49", + "shared" : "c941369b085c7465d50d23ceaf6717ab06e24638f217a7b8055ce8ebd3ca1225", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 265, + "comment" : "special case for D in multiplication by 4", + "public" : "8a5f2063f259f3317ae3e0b459f82c4677666e49a2eb9bf0369aee663631265b", + "private" : "6038fb0a830d1001ca8ea74a613ea98f6ab8512644e55e8d45a29071bd4bef45", + "shared" : "a3f7e169db44d0d179c242e66347364ab92744dc6ad80e4775aef7f4ff9d5f34", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 266, + "comment" : "special case for D in multiplication by 4", + "public" : "54cfb6ad0d03e3115acafee12606397f2bb46a8c5f326a255c494118aead3b62", + "private" : "c04cf129f0b33332e2654f8e45225c042d7fa6cbc793c88bd4c731985289b045", + "shared" : "401aabfbb73fe6694c446ecfffb43006427a9d4756e049a1ffc79578d62f1660", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 267, + "comment" : "special case for E in multiplication by 4", + "public" : "0ee3bee8cb3a0afcec22fa2233706e8ec29ccf1af212c0a674745ebba34f9d08", + "private" : "3806b036c92d7bc0771998d24dbda2945b601d42449bd3ec4bbf3757d01b894d", + "shared" : 
"20322dd024fb5a40f327cf7c00da203734c2a279b9666a9ff7d8527c927b675e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 268, + "comment" : "special case for E in multiplication by 4", + "public" : "797ec7512afbf0ad918d0e4947903be95234f3abf36750a8f854888d117b774e", + "private" : "380d9056b5a2f4b3dffb30e6ceb722ac4684245f1befafb5661bc8c7a9ad4c43", + "shared" : "46152d59c2d2f3ecf03ce652d2b6978d401d5ede4570a6c911771bdcfb37cd41", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 269, + "comment" : "special case for E in multiplication by 4", + "public" : "d570c7810f69e502b355253afa7c667bfa5060d90dc86e358ab445f6381e415d", + "private" : "384929a42c8d8df146db9508e2f21a4e8cd4d99c1b1338df17a457e88afb0043", + "shared" : "37567f7ec0449c7b823cf7b0e219e9dd880e56a1464d0417a9e67eff42332866", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 270, + "comment" : "special case for E in multiplication by 4", + "public" : "2c611cb94448f1c7822425a4cf5356236b90a555b1ed4747820ba7f739c8f57d", + "private" : "48a986825b2680e2f2547ba75a9599b04ed57f8ed18d98e7099c544efbdf284b", + "shared" : "fbf6587ec181116cf1ace7dcd548029d69c130e50fcf6ad5dfcd25c23ee9f939", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 271, + "comment" : "special case for B in multiplication by 4", + "public" : "e559c417da7fd5851352f508b90031d49b5d2d0aac88a9c8b5fb6e80165ac10b", + "private" : "98452ad7df4e26bc4b3d403f9ebf72bb2d7b6b7d5860dbf6fb9a4f78dc02704a", + "shared" : "c7c6f6d7ce1e4f54c727e5900686c34e6a6953254bd470bbbf0c7c18bbddad73", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 272, + "comment" : "special case for B in multiplication by 4", + "public" : "746d97e7774292a3d703f604e79d8764c99a6a2fe280eaa9811115f5e038f21a", + "private" : "a8dbc9be5034ed7fe7f469264f2135e9c67cd30f525570d2d841e4bdeac52349", + "shared" : "cf7d2a66ea4dfed94469b2d343533ff302a576f8402ed2187904437038e54665", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 273, + 
"comment" : "special case for B in multiplication by 4", + "public" : "1f354aa8ffc4eae2b40dad2ebf830db3feb07e2a1a2da39e55df87c8c613de1d", + "private" : "f8d26878dff25ced02d3b27ce74002695bb879b3c4328930934315ecae842b47", + "shared" : "b204d3bbcbdc624f9f1a743fa3daa8f4c8785ed088d37d08cd13c601170a461b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 274, + "comment" : "special case for B in multiplication by 4", + "public" : "9c3f0023e1a4832586af2483bbec64ce9f06f3ea806d4019a5e4abb1b5627029", + "private" : "d0f5e9c43c95b1ffc36f832b943601d5e17647f7d78e2e7710ace63ff274d447", + "shared" : "b9f21465615f39dddcc37520ce9b956f7de9883ac93a870d74e388b8e1775463", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 275, + "comment" : "special case for B in multiplication by 4", + "public" : "d05656aa014d476022dfc55e8d3b4884ed0bdf85209be8b55351394d52be684b", + "private" : "700679e8c24df828f2e5212a3263d5e93ea61679988298bab3b480f46f961a48", + "shared" : "20f1fc613874495f20562c10b7a8be47bfc12c168d829d6321aa2de17060e40d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 276, + "comment" : "special case for B in multiplication by 4", + "public" : "c4a19b8686e18c29359aa548427f06a368d55a8737483d4893523adac6795a4c", + "private" : "d0d077c9461f747e5660be85cc620428b4cefe805de0fd254adaa465ea5e784f", + "shared" : "652b18ffd41cfb7d1f0b6dc79baa3b2a392ef1617f5cf6259b5b4ff065916a16", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 277, + "comment" : "special case for B in multiplication by 4", + "public" : "4989de79853ff35be8c9f92fc94674feef38a0e65788471c521f8e259adf015d", + "private" : "00711ac08ef88c3d43a3cbda67b6fe5f34f54723dbe6d725c8a3569070ab9a4e", + "shared" : "679825c259392d86f8edb15328d4faf52300779d979a503a76e27be3d7a85e03", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 278, + "comment" : "special case for B in multiplication by 4", + "public" : "a981483cb0ea4385ffbb552826c3dd110d4ae89ff52ed0cd6018f99d3387987b", 
+ "private" : "989a75b40451139ec36ca6aa043765c61a18be323a5987fcb025c2dad8d4bd40", + "shared" : "9cadc14ac153fa383ef66d1833f589100dff90523272e32b06e2c6f1f4424040", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 279, + "comment" : "special case for BB in multiplication by 4", + "public" : "1df3dfdab74ff38177dac294b2da2f49a348bc3b3bc6ce9312bea5ef3ecdd30b", + "private" : "90c3cfedd919a2ccd51fb455649e3ad2da1ef0ff619b59a7f9c55a68a8219645", + "shared" : "bcc95fb4890ed311f3fb4f44c2b60866cdddec97db820a7f79f475337e16284a", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 280, + "comment" : "special case for BB in multiplication by 4", + "public" : "fc6b718ba8b47d24b1cfd6b5d0dd8b20fd920960fabc302dbe4f93bd2a06e933", + "private" : "e8fef5c9b60f84984e8836d535acb372096ba8159824a0b49a17eccda843bd41", + "shared" : "06f1b495b04a0010845c9d39b13bf2784ade860d9632c8847618c0b34297c249", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 281, + "comment" : "special case for BB in multiplication by 4", + "public" : "b279b6c065f95c7040f148bcb4a3d310e34bdb005931a879be469573deedd041", + "private" : "c0e05bde7727db4e352b5e7f035327b4d86a42d513ca116e22d64a4ede56434a", + "shared" : "cce7bb644df94501421db49d15e821c7b0aaabecdf8837ab989b1f23bac08f35", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 282, + "comment" : "special case for BB in multiplication by 4", + "public" : "98e2cd4c10554e41b0a3e41082c8b6b61b55447d26c0aa97f9a06baeeb54b55b", + "private" : "d87308bf753573f596ac8330b204014b2152dbdfc9881a0d9975058582bdf646", + "shared" : "71fdd3405c30805701ae4dfad98c493aecfcf2e3b563e7068373c1b19137c268", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 283, + "comment" : "special case for BB in multiplication by 4", + "public" : "872897f1bd1885da08b9d03e46811044fbb04186ba30c806f38b94ebdc27186a", + "private" : "d80059a8a387e16f6ded6e7e980e806d1f78b470bb61103d0ca70623ccee8b4f", + "shared" : 
"bf280aeecb74ab34e1310aa6fe8dc972f94dc40c7f88b72137ccfe34ed343c13", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 284, + "comment" : "special case for x_2 in multiplication by 4", + "public" : "c08f72760d9cb4a542aad6e2af777920c44563bd90356168c3608c6b9af2ef0f", + "private" : "b0a4fe63515169bd82639b515ff7e5c4ac85bba0a53bbaca80477eb3b4250d44", + "shared" : "72566a91ccd2bcf38cf639e4a5fcb296f0b67de192c6091242a62fae467fb635", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 285, + "comment" : "special case for x_2 in multiplication by 4", + "public" : "4f03849c24d584534d74302220cfdc90e1bc360bb5e297c0fd0fd5f8d799e416", + "private" : "984256b12ef154ff6c2e1d030826164cba3614e3df7688d82b59e16201c9114d", + "shared" : "24acb4afa63919621df795206c3929b599ec9d253693895d51a0555072e89a34", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 286, + "comment" : "special case for x_2 in multiplication by 4", + "public" : "4959771a931e242d5713d5cb76f33310c6a283df16645604289553809cda6518", + "private" : "6847141d5d4377af96a2a647c642ee81600fe48d3467e3a70f3ee312bb621742", + "shared" : "5ba2112a41b5bb381f202446fa9f23c54d2de149f9ad233753417263840ea432", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 287, + "comment" : "special case for x_2 in multiplication by 4", + "public" : "f6fe690cf547049635bb3a7785537b4379c9ee06b46120493b8bdb152e09c81d", + "private" : "e85f1164e2ab6faf62667c74b03ce529b49a0e2041b1ac0fa242e522d2b7694c", + "shared" : "a87c9fdf40c409b9edab481b2cc69687ee1ab92e340c3db0107d40b5de6e7a20", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 288, + "comment" : "special case for x_2 in multiplication by 4", + "public" : "b468681a1275850c11d37ec736af939a75a7098514e04cfc1c6ca78239a88426", + "private" : "281e1bbfa711de69921a64c5d2183c338db5504606ce2b6b4ce1cdd54b41e14a", + "shared" : "3be98798f01e71639f3cb8fd4a17bf273e10c67f8974dd9802eed59d847d4020", + "result" : 
"acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 289, + "comment" : "special case for x_2 in multiplication by 4", + "public" : "2d71e8457099e3f445f9e2a14f18b0f5914bb35f482f9c069b64bf63710d4228", + "private" : "20aacf1902b3cd609d7ee15cc96453cc22e2899d7d17852680f2a728bac6dc4a", + "shared" : "338c9917dbf11a0cabe8ad4a65959229bc00f99c211e752b20b8b49b87756d0b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 290, + "comment" : "special case for x_2 in multiplication by 4", + "public" : "fa8f24e944de5d003746d4630350c0f4f6175a3269c19184824105398fbdd329", + "private" : "009e8e9fa993804dce94cecb96b1de2568245a97059e4d7ae116ecdb1badd141", + "shared" : "56e2bfc7f6ab7da8fc734afc515e57d0794d002434f9bc8e18bd0b72c0df3c4a", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 291, + "comment" : "special case for x_2 in multiplication by 4", + "public" : "ae4e37ef53c79e25e8275a60f2fc1dfc277ebc5d3b88428c6432c3f98494212c", + "private" : "f01574643f231ffac055bd235ee74dd416b94c8e55a2ab2b4d13a8b788d90148", + "shared" : "17fa1276d9fd5025172736449a1c0ae33512e5037014a18db5903e47bb3bc950", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 292, + "comment" : "special case for x_2 in multiplication by 4", + "public" : "95e56a830792478f7c42504043a9cab8e2eebff5fd90983709e29e03c0a41b64", + "private" : "3800a42659954281ca266d7cf1ea9db6d79891a406a70f9e84c3570a6a12d24e", + "shared" : "167a3b2fdce9413c89ee892daf9f839a2eea80ea8044924035db1724a5b0217c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 293, + "comment" : "special case for x_2 in multiplication by 4", + "public" : "5f16aa7ccabf4da6b686bd28c7460e106bb1b97a823792527765c29a9ad8fc71", + "private" : "70a826b186962218dbafca113319daefb5ddf3cf14e15fe3faadc4c0a2e46648", + "shared" : "30a4ba793f2dffe1700c61428b4d84b5fcd0aa99a23b903f84a48eca5cc9fb0a", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 294, + "comment" : "special case for DA + CB in 
multiplication by 4", + "public" : "47fb78111805a11982a3d6c5d83e8e189e7fcc462c9abf805d3625be7a6eac11", + "private" : "a85a5eda0a269500b3ab0b58495fc254c2691028ac533494b5f86d44e9dc654c", + "shared" : "2bf9ab750bd58ff6f877b783eda45a71a65cc9b7c037fcfef4cb5f4c8842f529", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 295, + "comment" : "special case for DA + CB in multiplication by 4", + "public" : "03b8ca5efd1777d6d625a945db52b81f11214daf015d09fdc9df7d47b9850e31", + "private" : "183f28ec867624ef5eca4827ed0714a5525ef21d5e35038b24d307a3391a2846", + "shared" : "35e9289234bd5e531da65d161a065a14f785076088d741c9a2d886efd7d17921", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 296, + "comment" : "special case for DA + CB in multiplication by 4", + "public" : "4eca5f8731b0fa0c106acf578b83a350fa8173a290f1eba803956de34eeb7671", + "private" : "888c6444ff5eb482b2b10bd4e8a01bdccb65f32934d8026106f16a91349f484c", + "shared" : "833afb867054b8b9ac70d6013c163e8b7676fd45ae49a1325f3acb75975d8c13", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 297, + "comment" : "special case for A in multiplication by 4", + "public" : "a5562b4ba86b464dff4c2cfae85b384be211771efe8a9697e51d84de47f1eb14", + "private" : "c8a85d140ba150f5c6a8d3cb363bcbcb75365e51c61640e974a0725b5e9d5940", + "shared" : "8a914760129575c8ab3270d04b0465fc2f327acaf1676463113803bbb2ec8021", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 298, + "comment" : "special case for A in multiplication by 4", + "public" : "88ae1631cd08ab54c24a31e1fec860391fe29bc50db23eb66709362ec4264929", + "private" : "90a3aeb1417c3d61c1efef1ac052218fb55d3a59c4fe930b5a33cc5183b48547", + "shared" : "c1988b6e1f020151ec913b4fb2695bae2c21cc553d0f91cf0c668623a3e5a43d", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 299, + "comment" : "special case for A in multiplication by 4", + "public" : "cbc4d55d5bfddd0bc5c5edbe3a04836b2c701d25195b26221cbea19311e55a3d", + "private" : 
"b858d7414bd9ab9a3ebea79064ab87bc050e74407f4d4748f62fa4d9d203b640", + "shared" : "bb24817bd9fff423dc0972908e2c03fddf4dbe100016b459f28fe9594adb3714", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 300, + "comment" : "special case for A in multiplication by 4", + "public" : "d66a2f9f7577e2df4a56cb51962b3056ff5cc0494c60f39511782e79923edd41", + "private" : "f825edf1f79eddd715a72b3ac267d6b2e97e18bb13bcafdac5940370b85ba64b", + "shared" : "b3b4513f8a3102e1ae782fbc69888177f2c24c569303a5d01ab1c3c5e285524a", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 301, + "comment" : "special case for DA - CB in multiplication by 4", + "public" : "de0fed2fab6e01492675bc75cbe45d7b45b0306cec8dc67611699811c9aaef16", + "private" : "b0a710b470e324bb56a7d8ff8788d05eb327616129b84972482425ea4ad4f34b", + "shared" : "471ba91a99634f9acf34fd7fd58f72682be97ee1c821486d62ba4e448cbc0417", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 302, + "comment" : "special case for DA - CB in multiplication by 4", + "public" : "6418d49fe440a755c9ff1a3582d35dc9b44c818498f15782c95284fe868a914c", + "private" : "b898f0329794747d33269a3989b67e43a7ab5a55fa1210b0e5dba193f4fa094e", + "shared" : "cdb3ca02d5fdb536dbc7395bab12bdcfd55b1ae771a4176dedb55eb4d755c752", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 303, + "comment" : "special case for DA - CB in multiplication by 4", + "public" : "a89bcfa236bbccf07c434b59f8655fb085b6cbe5ed6376281df813afba22b752", + "private" : "a0528ed9a8ec22ebe9cc2e32fafc3f467500a9a22f5377382df6604edcdf4f44", + "shared" : "cd3245403fd9edfcf91c9581ebb2eb7c77ad6837fca372479e78de9faf60a34a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 304, + "comment" : "special case for DA - CB in multiplication by 4", + "public" : "cdb1f95f6eacc24b6d029c6ed976666dc51794db8e4aa966ba850fd7f5048965", + "private" : "f06888bde75d689d056874f6436000497d22d8ad9b95a1c67de1dda4ada3164d", + "shared" : 
"ab7c47ecb0c0167156f44f66a527264b958fc992c21ce98cef3ae214d66bd82d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 305, + "comment" : "special case for DA - CB in multiplication by 4", + "public" : "9491a82744f1cb6105b76b0442e54e605ac67f47a1b2b3b552d486f75bd98e6a", + "private" : "e034fcaa3ae40603f9b22af159fd67ef009380946de92cb1d83cc489e8b35041", + "shared" : "1bfa264a7c7229147a20dd021211891e61f5d8c76cd83f0be24bc70e466a815b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 306, + "comment" : "special case for C in multiplication by 4", + "public" : "4d19e156e084fe582a0eb79b2f12b61d0b03f3f229227e798a933eea5a1b6129", + "private" : "702a7448c0ed58e1f4e0e332d096a36360beca2f6955c815bc120b3a691d7742", + "shared" : "c46057fcf63088b3a80e0be5ce24c8026dfadd341b5d8215b8afcb2a5a02bb2b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 307, + "comment" : "special case for C in multiplication by 4", + "public" : "cc4729c4eae292e431ec3a5cf5020e19f9bea50ef3218d9a790034526c3ee14a", + "private" : "50025cb508ad4faa06fafd0f4a33b747ccf1b3573885d3426500d51b56300144", + "shared" : "d4361e26127adfbe37c2ed8f42cce4ebab8ab74ed9e74f14c3435d612c1a992a", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 308, + "comment" : "special case for C in multiplication by 4", + "public" : "4a474249af8f771f0cfb1116f24fda4c42f4136d2afb766d1b291c73c6668d5a", + "private" : "7082fc53299a4d30e5d0c383c035935b1eeebd9408fe4d04b93eec24be52eb47", + "shared" : "80dfae7a28bb13d9e51ff199267cec2a19dfc8b6f4974e3446b2f62fe9b62470", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 309, + "comment" : "special case for C in multiplication by 4", + "public" : "0f2a5cbbe503139531ac0529183da8e624d25286f6e35d1407ab1f4d76ebc260", + "private" : "98ff7e711d65cc7fd9d0ac12dfe8b894e0a93602ca9e75bf0eabbf0bfe670148", + "shared" : "7a5c373065e339b26ee537cff1cf4597cfcb4bf2dc7c4bcfec9884443281c273", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 310, + 
"comment" : "special case for z_2 in multiplication by 4", + "public" : "2fe11d723dba63559e1b96147893cb7ec862711806316daa86cd4da769d4b22d", + "private" : "b080f4ac1e758bbfbfa888a78cb8d624d97b8688002b2017e35f52f3d7c79649", + "shared" : "c5edcc5d447071c08dfa8281414ae6a02de753e2f7bb80af5f6253e56db43422", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 311, + "comment" : "special case for z_2 in multiplication by 4", + "public" : "98e1211dcf6651fa9f2d00eb083ae5855869a2a53e835f2e03b30c0a19ba8051", + "private" : "e815bf9a967e1208af8e74ce9af6d113dab17c01c90f1ae2bc25e3e2f9e3a44a", + "shared" : "263a38fe538b50e8e988bf07ae86f33d49886b14c7143efd1d2025c840e36a25", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 312, + "comment" : "special case for z_2 in multiplication by 4", + "public" : "2f1b938b81a4c90e1251135ad7fabe835f6a8bc5e22d4b2ab119f6f677877677", + "private" : "4051b01cdf90af38f0a96ffb83f8d4133abe4fb035b6fe6f65276447caa7314f", + "shared" : "340acf2801de71c18f4c79cfea372bc354e4c8a5eb5c2cce8b45d885df162f45", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 313, + "comment" : "special case for CB in multiplication by 4", + "public" : "340b9f613550d14e3c6256caf029b31cad3fe6db588294e2d3af37605a68d837", + "private" : "98c092363184e58ad6ce510bd32b309c9d5a46f8d9ee6f64a69d8180bbc6cb45", + "shared" : "9efe5cd71102d899a333a45ea6d2c089604b926db8c2645ce5ff21492f27a314", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 314, + "comment" : "special case for CB in multiplication by 4", + "public" : "edfbd6f09aa32435440b0ca8ba436308319613f8f2d501133c526c3ff55c7b3d", + "private" : "686e51c00116d1c191aa9d5823b96e5956102e8fe75f5cf2376d99989f6f4342", + "shared" : "196182095bcd2ef46b18f64c63607e0ab162a0869e6265ac8ae35e358c3d8a63", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 315, + "comment" : "special case for CB in multiplication by 4", + "public" : 
"9b0538cd618b0a4de09e45420f84d54d74514fbb1a31c1a4aa1e93306f20723f", + "private" : "208af2c9442b36b521fc3a1ecefe342aac308bd6e6296ee091c196dc02e7ae40", + "shared" : "a3c6b75168211e8e0a49ca815bfe3f469f29864dc8166152b456e7074afa9b5b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 316, + "comment" : "special case for CB in multiplication by 4", + "public" : "ae8cf2fcdde710c2c1184524bc32430874dfa08c125f61d6919daf8e66db415a", + "private" : "c0d861a6d5ff91f91e3bd05934161ff0ab0f3ce7e4a2b5b4fcb31ae34b46664f", + "shared" : "deaae6c9952844a3a1d01688e7105b0bbeadc160763c2002b6d0bcf35c22d123", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 317, + "comment" : "special case for AA in multiplication by 4", + "public" : "2a59f478402d2829cd3b62e9f7cc01445e8e73a42cb11af00b6b9a9f0e44cb3b", + "private" : "70785cad160972b711318659b47b574f6941ef6da1ea06508b2650f57ec9e54a", + "shared" : "c204bd15f01a11a2efdabe2e902b7cd0aa079316f60e911b3ee5d46262e98631", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 318, + "comment" : "special case for AA in multiplication by 4", + "public" : "836c8e45dd890e658c33e69b6f578a5a774c48b435bc3b91ac693df94a055857", + "private" : "60afc8eb1f87df4b55287f3c4698c5f8b997b28a73c573fc273e9c467fb7e44c", + "shared" : "c5457487e90932f57b94af2e8750403e09c9ac727e2bd213590462b6937b0753", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 319, + "comment" : "special case for AA in multiplication by 4", + "public" : "59519ead7995a6df89bb54c840d61a8481881098b8a4f83c6a2f6ba800338257", + "private" : "a83c11b2834136b9aaf0152d90e76e3c27177693a2834e8beda0a3571bce6947", + "shared" : "4ed6f8d62932541c6bea16e03835f1f758a5c41722b5c9989c9c7cc08e34e37b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 320, + "comment" : "special case for AA in multiplication by 4", + "public" : "32f34da84ab4bfca369c4b884691becf54be7fbed16449dc86969da7ea9abf62", + "private" : 
"b80d8795735806579e71759894939d758853592127efe84fc82eb7cdee45014f", + "shared" : "521a5b8149a132d155e6b4ed113900506cfc2f76d2a3e14196d69eb85db3c952", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 321, + "comment" : "special case for AA in multiplication by 4", + "public" : "82ae48dcf59bc5e469f9a11b18a32d4753ac818692dfae27d675411a2272b363", + "private" : "e08ffa45efbe1f96584c76254554adb9177b58ed09609a6ce499e5bd22d35c45", + "shared" : "e831d6cee95ca1b4c96bb89457562fff36cb4d08b81da89b810b425ecdbafd78", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 322, + "comment" : "special case for AA in multiplication by 4", + "public" : "b33bd3ad14b66896f971cbdf27785fc3aa3cfb39adc6c29257d22ea4df8cbf63", + "private" : "688e1bbb5114f34e8531c278b2d9714ba07c32a7aea6e627135bd1fc65238045", + "shared" : "350e3ab9d0dbff78f3f2157428beba189333be274827c10d59673f21c0c48a24", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 323, + "comment" : "special case for AA in multiplication by 4", + "public" : "18e58df6bfbe184b0e3c7c4bf2a051ed055b793501c0d4fc47bc8a95c4deec7c", + "private" : "8036a4e2e93e9ed82d99d71a522aac9289bd9905fe41d01d08a499376a258442", + "shared" : "ade71d6460287fe808e947560e67a9d6ff2f96eaa1355d2e9fbbe549e883381b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 324, + "comment" : "special case for DA in multiplication by 4", + "public" : "772e31e776e8d4f23b7af2037af28a37e68f61e740b3904f4ec4c90157be1478", + "private" : "901b20f0cda74076c3d4bf4e02653cd406ed480c355159e22ca44b984f10764f", + "shared" : "91a9bec28cf18c7094e2d80d2764df59ada0cb1946be422864bd7ad0e533b663", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 325, + "comment" : "special case for z_2 in multiplication by 5", + "public" : "a8d55d5c1137e9bb626557f9d6eea8d3120e9364f8bcd9b67934260b1a091801", + "private" : "d83eb7affd1bcc1ec0b4823cee5cf0b15b5f57085aa2708ed437a2925329b550", + "shared" : 
"6c1b8e240edfa5db2abb3dc12bcf9e8ac9ca10dd3507083746f6f36dc035d755", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 326, + "comment" : "special case for z_2 in multiplication by 5", + "public" : "33c94be58b0f0e6cf363e1b12a2ebfb93040715be91518f21df2953eeab5fb01", + "private" : "989eee317b9c254dc023f9e35eff0224bc2e0bc871996b946a96970e7506a85e", + "shared" : "d4c3b3467714f2d105904a84cc7e81d7f291304e908041682d8906a683c12125", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 327, + "comment" : "special case for z_2 in multiplication by 5", + "public" : "a218ae9624b07ce05178b9d0cc1b71dee21f27852a2ceb18610b4052b244f00f", + "private" : "b8355455d358f2dd7c5707b2c6973c9c27b99e7d8ac1650c791e5fdbcbea4957", + "shared" : "1ebe6ca711a649ae487b332747e3dc0306340560cab6bc6029e44f6a7e0ee41c", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 328, + "comment" : "special case for z_2 in multiplication by 5", + "public" : "d7067faeafd3e966e57525f930b3317c9e8b9c9a9ae946e76c1e4602a59a7e33", + "private" : "8065567ef082b16c20853487f54893012ba4762224e5c59f250dfbf82581e85a", + "shared" : "03e7a777e648bdc612189f3cd42d34e35736d3e52e6edc8ac873a58e244a6073", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 329, + "comment" : "special case for z_2 in multiplication by 5", + "public" : "8df9682cbe8802478a8531377e752cdde54738d528d639bea9eaf47702f8bf3b", + "private" : "00b51448139a61fe6c5fbf9395877d53d820ef59da3be856458b5eb90985ba53", + "shared" : "308ef99dae1064a444fa90775b5dd5b1952d7224a0e5ae031df432640f416208", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 330, + "comment" : "special case for z_2 in multiplication by 5", + "public" : "7d92706868aa09538638d633c255f333b9da03bc74b49b35941c57820cd3fd47", + "private" : "e8eb9f6f62f93dbc325b833aa763a90f13f0acb2c2c4b8b33decd471ce70c45f", + "shared" : "f33e2e86443a2c68823b72a2b59d6a028e0a8e283cfe29fea4f7aa22bd1afe72", + "result" : "valid", + 
"flags" : [] + }, + { + "tcId" : 331, + "comment" : "special case for E in multiplication by 5", + "public" : "dfb1ffc176aff84db30182d2378f83728f83dd1b33d79856f3da5459cf9df907", + "private" : "68a1a7ccc50bab4b01e55e18cbd464aff43131fb0741e68d53cdebfc54f33051", + "shared" : "7b535fc31c6c2a3803d8bd45410a1781bd90a09205da28c9df120df23a9fa32d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 332, + "comment" : "special case for E in multiplication by 5", + "public" : "12e81e838b21eac96dc130432571216d7a9b4a817f1938721d2267dd150ebf20", + "private" : "e075bcfc165a471b2f76c3003fb0172c82f707137de2fa7082e43a87a255935c", + "shared" : "ca23a781da0911e4115a29a9f56447157c23bee187b0c17369c4f7730d781718", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 333, + "comment" : "special case for E in multiplication by 5", + "public" : "832a46aec02240d716fe22dea94ad566a3fafbeedcce35c83e41e58076c99749", + "private" : "c0e19634dbf6460e1486930c46e8556b3c16d6de959904600549bb3e08603455", + "shared" : "cd0686b32ea4cddb8e13ff20a78d380749a5d4f6a3dc55d72f4813d949a0ea57", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 334, + "comment" : "special case for E in multiplication by 5", + "public" : "8c8033432bcc12d479f67d6d876b1c8e89f16a234b9b093322effa9dee94554d", + "private" : "b84caa18acc3db37225d32cab4f60e6fba4acab1277e20425d30f94cab2e2c55", + "shared" : "a950aa57bb2beb9ed5d3228c7ef448dab69552f3d3b1e466accf41bfb6d5b874", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 335, + "comment" : "special case for E in multiplication by 5", + "public" : "6df799bba6cdf5f46a57ab227f93fba491dad296a2fdb7e491921d610cce8f5e", + "private" : "2896818cddf572521943e9f0c5e845f530b740427588a0f6de2504bd5bf40c53", + "shared" : "54f5ae57e676d08c8f8a3cf891e36ddaab751093f92f409060c57e745941700e", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 336, + "comment" : "special case for AA in multiplication by 5", + "public" : 
"0c8090e1cfe7f761cfdf08d944d4aeb7a509a07a6101645b9a4c7c9e9c3d4609", + "private" : "a01f0cad98cf2905b812d3530531bb3ac899391abd1eaf4a3ebed96ac6126f58", + "shared" : "2d49b09f81f3f6fab2c67e32f1bcead2ad09ac9e0d642b0873becfb64de2ab23", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 337, + "comment" : "special case for AA in multiplication by 5", + "public" : "08352936c8afd8543ac95f24bce9a07e3e3235763ea512a584298967b83c070a", + "private" : "106b36344cc4a5a389d8168137786806ff03cd4a00f8636bb7e758d456151d59", + "shared" : "a199368e683c3036a48f4c5f32b32a547dd39f3d1007ca0a0bebcad0a8ac6f5c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 338, + "comment" : "special case for AA in multiplication by 5", + "public" : "73bdeef8cc044f5ad8d6a241273e1995e0007dc9e6579046df86aa6cd97f5d2a", + "private" : "88f9a0d2354adfcbab2d12a0e09b3c7719c944384edfbaa27fe0731cb9c6fc5a", + "shared" : "5aa750de4207869ec7fddab34c639559b1eb27ef244aaf2a702c84963b6d6e7c", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 339, + "comment" : "special case for AA in multiplication by 5", + "public" : "7fdd399b6ef4a3f5cade62e74113b29c27db15203f9b8e398d2c6f230051cd2b", + "private" : "0811f2e560a205e96e28bc312bcad45fe8befefb7f6da5faa035311eed80b251", + "shared" : "a6947ee089ff28ce3644ea4c6eb33dbb20c7974fb8d853f4e146e2466177502d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 340, + "comment" : "special case for DA - CB in multiplication by 5", + "public" : "f0173a96273c646fb63d13b0c686b89e37676fcc7178faf4a6f4601f3068150d", + "private" : "40ad984066a69080fb4a315878e736096cc577dae4c42c40d893d8c2173b785a", + "shared" : "230b6aa1f24df90a60839179ba5e9de673cff11cab59e8020b20626c22090b0a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 341, + "comment" : "special case for DA - CB in multiplication by 5", + "public" : "255bbe7230cd2bee90d283f418a474ab30146ce5e801a0f5ed60ee8def3e6558", + "private" : 
"48b10cd45639bbbf83a0b28f0dd3ad0b7b00caf48d05534480556a8278116d59", + "shared" : "2299e384958bedd2c3d367759155136d1ff76e4434dc1d9e8212cdca52ea8421", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 342, + "comment" : "special case for DA - CB in multiplication by 5", + "public" : "21accf97b7fee173001ccfcab21637c175ef5186ff0002502b3d52fa8c51e766", + "private" : "e8fad77946e0de4cf4236798490b838948b82cfb29f8e7686001b11e8d961657", + "shared" : "97fca065acd3b943c654997c0f125767f9abc4b7c9d8b7246942f12be65d9231", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 343, + "comment" : "special case for BB in multiplication by 5", + "public" : "5b40777e80ff6efe378b5e81959ccdcbb4ca04b9d77edc6b3006deb99926fa22", + "private" : "d07babed90b27c4eacafdc871703bd036b720a82b5c094dceb4749eeaeb81052", + "shared" : "f482531e523d058d6e3fe3a427fc40dbce6dd6f18defbc097bfd7d0cdd2f710d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 344, + "comment" : "special case for BB in multiplication by 5", + "public" : "48d952a2924ff167f037707469ec715da72bb65f49aaf4dce7ec5a17039ddb42", + "private" : "68a3049aef8c069b906cf743286d3952a888bf2b9b93bc8775fb5adde06e9f53", + "shared" : "de88af905d37417d8331105345dabaab9fd2d3cb1ee902911c1c8eae2991d911", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 345, + "comment" : "special case for BB in multiplication by 5", + "public" : "a5ef265ccbc5c54021d34f82364a4624030f5b9d5ff7e63d7a379e533de5e742", + "private" : "18d8c3d2a4e366185a85c38698d937e13bbbafdbdab1a0a83dbbe89badf70756", + "shared" : "075d18ccc984761b70752279e7f6a757208f6c11e29480c32b40aba128a4d52b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 346, + "comment" : "special case for x_2 in multiplication by 5", + "public" : "9051e55a4050ef4dce0b0c40811f16371e8b16932541da37f069406d848ea424", + "private" : "18efcd5fe345be4985316695391d2c952eee13b0e1ee7584721fbe8b19d4fc5f", + "shared" : 
"212dbf9bc89b6873a60dfc8731a10be11ab2dca4b172142e6c9f06614cd72852", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 347, + "comment" : "special case for x_2 in multiplication by 5", + "public" : "419adb8b1f2f87de016b0c78d1029a210492eb8cadd164b12cd65b1d57bf3634", + "private" : "28ec7c693e222c72ac0815f1fd36661357e0a8da7bc996daeeeafcd21c013451", + "shared" : "379f9221abebf3582681a0e857f3da578a1b0121982b96f14b94de5dc8b24528", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 348, + "comment" : "special case for x_2 in multiplication by 5", + "public" : "13e00dae3b1ccc97ccd649088c4a7f32ca9976214d645667bd082039bbd9ab7a", + "private" : "78b35e7ae549308b6414bb610196c04f2af79d4266c86e8a9ce0c02bbdb88d59", + "shared" : "cff2596b7afe36f4cab9c70133d7aa0f9914f9abc6c3b9895472e2a5894a8037", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 349, + "comment" : "special case for C in multiplication by 6", + "public" : "441c487a48f0a4989d931cd77a6142a0a13d1aabad82623ba8d94b5c374f4f08", + "private" : "f0de9c5f8a9372f30c41ca47a55743ce697d46e32e7a9ae26d32503fd5222767", + "shared" : "d47c46b4329bedcbc1986b3c6d2aa9bcd027d6b68925175d35bbb536b3440801", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 350, + "comment" : "special case for C in multiplication by 6", + "public" : "0e67ee5c6b65aa802259810b2605f8d7accf9b49bf14cb4a536928e883172915", + "private" : "686be5a12b310420f9bfb209381fd459a5ccd55c752b88337ebe89e1921ae765", + "shared" : "1d730158da880533dbf1e6c64a8e99f9169611660969b0a84fb42dd8dc2efa3d", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 351, + "comment" : "special case for C in multiplication by 6", + "public" : "dc9d7ef1cb49c191e258663a94e731b9c066c11a17d8b5fdea1987f5d9a00568", + "private" : "a0c0337c5bec5ca24dea2f1d701498ae2bad87b8269ac23be113929fe4eb1963", + "shared" : "07732529a628badeb8d74946775ba457c700bf8390f46bc523fb64e471c86a7e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 352, + 
"comment" : "special case for C in multiplication by 6", + "public" : "556b3ee7cd0d37979056ecc1f56a5677a4935be6e49ce28e394f8bfb73d13b6a", + "private" : "b8824cfce5550b5e17b12f74e28459cab34eb49895cc36bf645a0cf00e3d2d67", + "shared" : "9e3aae35fa1cc80a359878e212180294ff6608dcb4929e91901abbf976f39c16", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 353, + "comment" : "special case for C in multiplication by 6", + "public" : "1211be5809605b54f5727d233c783a2a199a3db24ed4499d7b48c7603e4ad371", + "private" : "e02dba7335af8fb9168de2fcd310c2e2df4a3e25263e0ab9ada87bfb8258a66b", + "shared" : "880f6dc73220307a597670f3282fc366aa66f04a0a9ca30d895fdde337afe825", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 354, + "comment" : "special case for CB in multiplication by 6", + "public" : "505e7851e2352e311ca9536a1fe6c0d95d648197374ce08e4b8a0fbddf62910b", + "private" : "30ce71f856ceb874fe580039ca67e896e6d08207a73cd55db7059127c1342b67", + "shared" : "ea62b0eda2d7b249a42417675a2b82b1e6c0d69a4e7cef336448844d2f432251", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 355, + "comment" : "special case for CB in multiplication by 6", + "public" : "ddf4e90503dd82610c3a034b925a880b72dbde30c626009202b358c6eb00f418", + "private" : "e881f46d4141ea69a671649b93b63e97dc67c12521d445862f087b2626fa2b6f", + "shared" : "302c4f83b5c5bf30c1e3afd9f643f65bfe56ca1628ee042b1ab7393bafe36c06", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 356, + "comment" : "special case for CB in multiplication by 6", + "public" : "0e9c4431999ef1ce177e900d37ec6ae665e387e2d4fa27cba8e7baebc65c6520", + "private" : "e879752683cd73a834251c65749135e06eb9064d3ae35095d88cde14a02ba366", + "shared" : "8ff2ac65c85ee2fe9452fce460f8c87f9570d769cadddc87fe93ef8b7657c726", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 357, + "comment" : "special case for CB in multiplication by 6", + "public" : "5761d6c08624104d4117ff17c75e9211a591c9ca9aecca3a665a7ed844195225", + "private" : 
"20576ab456da26c18da5fbf06ec4d16564e111bfae2a92b9f6e1927c15770a62", + "shared" : "97c91a23c3e4f3ff727d188a352b67ad490b62381566fb3e111cb67aa9e3435c", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 358, + "comment" : "special case for CB in multiplication by 6", + "public" : "e92d45b3ec56531266303c5113c46310c41650001065b4d87b02b382fc82662e", + "private" : "a8467418b924c2c003c56e1610a35469356360c29d52aa557a2bb30fb8a9a464", + "shared" : "24346bb133dd9ae3ff02d2f50510b3a92d9030834d60e5af08b0eebbf1d4dd6f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 359, + "comment" : "special case for CB in multiplication by 6", + "public" : "f38b63459d05e422ad024c2dcea5029a0a7a6b6c4c1d2093ce556aab331e2540", + "private" : "f0f5e162923d7c299388bed781199417ade097475515162d9590976a196fb16f", + "shared" : "b3453c9c82a2d1d956156de2399cb70dd4e1ec53aea967e035753c1cdae13c39", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 360, + "comment" : "special case for CB in multiplication by 6", + "public" : "a7ded0eea45a400b8f5637154d42974aa98c92962314d822ef88b01383a9da4d", + "private" : "608fcf787fe789644a09bcab958f0737aa81a9e29d505f51035c78e374b9e46b", + "shared" : "ebeb0c7b7a4165cd02a278f3a222c236eed83266b806d13494c1c3f98a2f3425", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 361, + "comment" : "special case for CB in multiplication by 6", + "public" : "7b0ecb4c72ee147789d74813ced3ebe40f45c3da526ed1272952e453e43b796d", + "private" : "58a3396d291eb23571b52d98a31549e514e501e8d0958ad9f25fe5a76c503e69", + "shared" : "9213a53f22ff0cb5eca87b27b193c773bfdf4c01a193a11f37c157474e15cb07", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 362, + "comment" : "special case for x_2 in multiplication by 6", + "public" : "a244413ddc3a205d038d64266833eea1efba51ba62c9c6cdcdbe943be52bb00c", + "private" : "d805a7014755dd656f98d2b331f2d2d4912725ef3d03752f26f74dc1ad61666a", + "shared" : "66484a4120e0eb0c7e0505e1d2c5d15de9b52b72e094c9bac88634200c557267", + 
"result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 363, + "comment" : "special case for x_2 in multiplication by 6", + "public" : "ec3c8b0c10b1fa65dbbd17cf1ba5f86381284765709b07c5f0428e3d5bcd3920", + "private" : "40cb1fe06b08f068f7080ba07c695eda91a2bebeadd4db95c97dd7c91af2566d", + "shared" : "384f2221618e71d456b1551651efdb708a161d7f89f5604b27eb872d4aa93276", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 364, + "comment" : "special case for x_2 in multiplication by 6", + "public" : "6330d3e28a8b6126ace165a9dfccc6e4bd40dbc9768cfb16330cb7f27f906230", + "private" : "8021464c64c9d6d3c0c852f6972d11969b04c9e066562fa7f0d5fa0d98ebad62", + "shared" : "8daf5f4b84730144ea8a53ce39cc907e39a89ed09f0202e7be0d3bda38da663b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 365, + "comment" : "special case for x_2 in multiplication by 6", + "public" : "8678aa29cbc06e78b218d22a3e66c38ec0da8fdb0f2570c585c62517c9704f37", + "private" : "707a2d710b32f55c6eba34898020a2fb981d61b1e822fca84c47d9321e279268", + "shared" : "da8b7eba6f72c3f3ef33d8982093492e06be39bb0db29c465d95a8e52ef64341", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 366, + "comment" : "special case for x_2 in multiplication by 6", + "public" : "303289c2b1079ea59412faccfeba8c113d2299b9dcfedeabc42697b0829c4658", + "private" : "204a43dea79d779577581b8c2a51be66e1effce96425b7422b9ca65bdf1a4867", + "shared" : "0419a71a08d3fdd574cbc932e8f1605933ddcdd9774f5614269b7ed850c8650e", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 367, + "comment" : "special case for x_2 in multiplication by 6", + "public" : "3e6e16e02d44ebd94680832e065aeddcbb74af64fbb7c6d8367e7605be13ff5b", + "private" : "58e4741735d2589322151947a1ce2f5829908626886941cb1631d25a8a684169", + "shared" : "9f2fcd0c756288c1716ecd1f2a74864b93a7717bfaf5248858dcb6fdbea12864", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 368, + "comment" : "special case for 
x_2 in multiplication by 6", + "public" : "a7c1716a41ed23a8870438714ff9745fb0e46f7a5baeb37c9a2d83fe477d146c", + "private" : "d0af3428ea5205f6bf8d4f1b4e4903cd76f04236a1c0b3ecfdcaf28b21348e63", + "shared" : "261ab6267c35a9755359e957473870522b7f923fe839f2b155408649cc5e8004", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 369, + "comment" : "special case for DA - CB in multiplication by 6", + "public" : "dad981552c57541c57ef395ed770ce5edc48f8015461b2ba7aa831ec593ceb15", + "private" : "c0ea97e442e5dc1c8142bfab7089ecb9bb9c5ae372f9907c2825e678defae567", + "shared" : "9093bfa3ed3491d0891f02ae466e5e13c980df229db7404c5b9d34e4ed21c653", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 370, + "comment" : "special case for DA - CB in multiplication by 6", + "public" : "c588dfe6e733d90581cbe112079749d8eb30ab8631134ec29abfb98b32e76522", + "private" : "b0333f09ac1eaacd3cd617eb8832e9de488b458b735cb4b5345f517130c25d6b", + "shared" : "6e88bb6bf75596bbe5f1fbe91e365a527a156f4f1b57c13ac1e3e6db93191239", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 371, + "comment" : "special case for DA - CB in multiplication by 6", + "public" : "0670116a435e8d9b7a12ffc4322fd6b149d0b1dc799b5c0957d9d6e42546e824", + "private" : "10719099dc63bcc282ef525845c108897ac9fae9590b593e0d505d1cf167c061", + "shared" : "e6de74d2c5cea54094d7a70af03c768afe05d52a038bb72d56dcacf0ba502d74", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 372, + "comment" : "special case for DA - CB in multiplication by 6", + "public" : "8b200dd226c5c0f7e116e5388ba162438caf1dddf4edc3b6ba838c21b5929737", + "private" : "10e20e4fda57084ca90f7ad572a78aa8e6575c659cd01f30c43c58040c20e860", + "shared" : "78c9c3aff9416a538ce3ea8fa553244528d1fbecbcf91695a33ca464ef76b85a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 373, + "comment" : "special case for DA - CB in multiplication by 6", + "public" : "419a076b179f79720096eaabaf03477e8f89d61f885c8d7f58f6eaa4fa77df5f", + "private" : 
"a8312df473adfec7171e1635f5bad44f0753a88a6b3174ec5ae762703ae25e60", + "shared" : "c1a96ccba08bdd82d0fc12e8cde4cc1f25cfd5276dce7f18e407ed0e4a898466", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 374, + "comment" : "special case for DA + CB in multiplication by 6", + "public" : "aa34d772e9ace43c4d92f4f85596ab9ccd8c36c4f4cbddc819afe2a33cb8b216", + "private" : "109697f400210f9a92de80a8bed264097199bc240e22767b54d8bb22050b7a61", + "shared" : "2533b845bb83e3d48cffa8dbd1edd5d601778662d5da03759152a5e0a84b357d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 375, + "comment" : "special case for DA + CB in multiplication by 6", + "public" : "1f06cfe464ccc0e27a5ec5f9edd9bc7bc822ad2ff5068ca5c963d20edd1a2d22", + "private" : "d036308a53c11bebcb02e83688ad74fec43f8462ef4d806272676637d99b3765", + "shared" : "eb40a3974b1b0310b1597d1f1f4101c08dca727455a9d8224cd061a7aa3cb628", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 376, + "comment" : "special case for DA + CB in multiplication by 6", + "public" : "9d4b2ed7817132af5830e899627ea97dc39bd3772e82f2d05769a918273dc02e", + "private" : "786e5a5ff37405c769d0d3788c3c1b05a62a8442c385570e4438bc5f2eaacd67", + "shared" : "9509757e289553cfa2cc71313473c3ff1eebce484ee237eae554fda3d3d22f0e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 377, + "comment" : "special case for DA + CB in multiplication by 6", + "public" : "4e056b317a31dd96f8ec14b48474af587d195efcc2a70f01f052ef882d7b3a45", + "private" : "c01f66cb094289d728421dd46c6f9718412e1c546dad70e586851be4da58bf67", + "shared" : "bad9f7b27dac64b0fc980a41f1cefa50c5ca40c714296c0c4042095c2db60e11", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 378, + "comment" : "special case for DA + CB in multiplication by 6", + "public" : "72c60535e9c423f302d6a10796d954d778032cd4dbd40ca0f359e204d67b6f4c", + "private" : "3877d9ce25cededeb572604f2d123df685690c26e181f777ed33302b82082966", + "shared" : 
"51c359768ab0219003af193e2bdb8e5cc9f8e176b8db49e597afca3e7125e370", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 379, + "comment" : "special case for DA + CB in multiplication by 6", + "public" : "5856358ed420047cd084f17ae696bad79a4d26c6d5bb79bfb82bbc6332442d51", + "private" : "50b84618d073c4618f9aa69a3b8518da76dbb2127286214fb43a2b44503b9969", + "shared" : "fa9fb0df4cfbacd0fbf3262d3a1bf8d7aacb45f73bf94671775e509c8043df7d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 380, + "comment" : "special case for DA + CB in multiplication by 6", + "public" : "c31e37b04332abca8315f317171566aef38111f622d8bffa29c23c0151cdad6e", + "private" : "109acfa638e112f6bbec21e352a74e8fc9b7ffe5d9dc28634eeb516e59830a63", + "shared" : "91ac72b0ed8d7fc4c8846b8a2530d9fb8f0532064880c00dab100c977697db28", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 381, + "comment" : "special case for z_2 in multiplication by 6", + "public" : "b775e016b32a97f49971121906763f3a0b41689092b9583b6710cf7dee03a61c", + "private" : "685c0784aa6d194c1b859bda44c4e27cd1dfdf34776e498dd03d09f87ae68a65", + "shared" : "11393bb548813e04fb54133edbe0626458e80981885e1fe5f3377e8ebe9afa52", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 382, + "comment" : "special case for z_2 in multiplication by 6", + "public" : "f8bd0e7cf6ec6186f205ab03ab72c8f6b3cde8f6ad9b166916a04d43d1d6d546", + "private" : "18e9a05a20436cf0dbc3d5b92dac8d996e62ea11fbb3445f29195fc75a8beb69", + "shared" : "0a83a224fbfcbc5d0f07f6dd8ebb2e9bbee8134f0fab268002ce837f5495d833", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 383, + "comment" : "special case for z_2 in multiplication by 6", + "public" : "8dfee48ad8b367488ea4dafcf7086e305356a80901f87c720149a5f522337453", + "private" : "00e099eb23125dab5ec35a419d455d0ba8c01da160f9354e9fb21e6a55d55c64", + "shared" : "45dc39831f3471d7466bbe29c8142b1a6d6b00c47fea021be2ffc452d9046806", + "result" : "valid", + "flags" : 
[] + }, + { + "tcId" : 384, + "comment" : "special case for z_2 in multiplication by 6", + "public" : "8f68bfc57d792c322ebb27f44a37c1c93e7eb15c5d5fcedffc1de850487b3372", + "private" : "b0ca251e0dbae7324a6ca0c2c8d6a888edd12d1447d400a47bcba004b648716e", + "shared" : "a29005c6b9dbf1707dc2adce4506b55831e8675b7d2d54b0c1037741e3bc611b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 385, + "comment" : "special case for D in multiplication by 6", + "public" : "ff0f15adeab334afeda3916785ddd38d252dce9876c2357b643b5dc2c06a3b1d", + "private" : "a8b64b8ed397773b8290425ca5c2f7c3e50fac7a4781bd4a54c133781c9a1360", + "shared" : "9f04e42c1b2f311d87e1470a4708bba25ac6ffd3f7b486f9b6b502ecbb2c004e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 386, + "comment" : "special case for D in multiplication by 6", + "public" : "1076fdc827f2550ee95ff9a15d044aedfac65b5e9ba809f62438ccea54637a29", + "private" : "d0cd0db51ff232afa0919d3106fcb3a8ae581ef12d09c877aa6f31ef74eed068", + "shared" : "688000bd60af375b4eeac4a7d0e0782c0e6188eabdc608b732f49b4d6ccab44f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 387, + "comment" : "special case for D in multiplication by 6", + "public" : "ed1c82082b74cc2aaebf3dc772ba09557c0fc14139a8814fc5f9370bb8e98858", + "private" : "204a3b5652854ff48e25cd385cabe6360f64ce44fea5621db1fa2f6e219f3063", + "shared" : "e0a82f313046024b3cea93b98e2f8ecf228cbfab8ae10b10292c32feccff1603", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 388, + "comment" : "special case for D in multiplication by 6", + "public" : "12e1589a34094af5f121c9bd3c1119f2b1f05264c573f667a748683c5633a47e", + "private" : "88109b1d0e7bace44d41a15d5bcbcd36968c5b8b47c0a2c606b57c4a68cc5f66", + "shared" : "1fcc50333eb90706935f25b02f437bfd22b6b16cc375afff8a1aa7432fb86251", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 389, + "comment" : "special case for DA in multiplication by 6", + "public" : 
"151f54a8a899711757b3b118fc5501779d621d25227af53d0af00b7583ba8824", + "private" : "5082e497c42979cdbfdd1b3b0653cfea6f2ceb7d07639ebf3541866bb60edb62", + "shared" : "fac30a74f4ca99f6cf233065e9acd826690cab364bf69320b58095783ed76e11", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 390, + "comment" : "special case for DA in multiplication by 6", + "public" : "a819c667ed466bd9a69ea0b38642ee8e53f40a50377b051eb590142dd27e3431", + "private" : "f85a8db44f9e56b11729f51682a9769fc504f93597cbe39444616b224532106e", + "shared" : "17f6543c4727e7f129ee82477655577635c125a20c3dc8ba206ca3cc4854ca6c", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 391, + "comment" : "special case for DA in multiplication by 6", + "public" : "40b053d056668982a1f550be95e16348e303945f53a3ac64491a9a56d4095b71", + "private" : "505a076641fac398fc7d8c629937f42db559db5e12052ad366d46d7b20e95769", + "shared" : "889a8d611e0a7da71475e7c93a2d7f6f7228c787a00ee5cf55474adc376ff762", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 392, + "comment" : "special case for DA in multiplication by 6", + "public" : "e7dd0549a765bbef34be2e8da18a1bc1b989a8b0614d358ebf38c12a9ca64079", + "private" : "e8db2bf1af5b8907420789c56e71414706aef0d9f6ffaed0c249c3b7ab14bf65", + "shared" : "37232fb397af27f5fb5ca493284ff1c5d25786b0d716c73b33aca8d42265f318", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 393, + "comment" : "special case for z_2 in multiplication by 7", + "public" : "1ee1b9a74604ac31c3db83280170e3811504fcc78c7626b5b2c07a99d80daa0a", + "private" : "c006ab1762720882017d106b9a4675fdd47005657155c90ca61d4cbf7cc4f973", + "shared" : "a1b30418436ba1908804ffcce1be2cdcf50c61a8e3938d95c790abdb786b8022", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 394, + "comment" : "special case for z_2 in multiplication by 7", + "public" : "f226c2d6bd7831eda1b51ee5aec29443a507ef9f7a04e2340f349dbf14933844", + "private" : 
"d071807d607953da432d8574d5f3f420676dafdbc6a285a36e1d737624d77c75", + "shared" : "a5976fda89954a81e442107f9e416a2b4b481bbd4654ebc0c7b57a78b45b4979", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 395, + "comment" : "special case for z_2 in multiplication by 7", + "public" : "c5197312de3a7a3ee11b29873bae3fc8c85109c66784804f89435db210fcc24b", + "private" : "304b526f6fe994731980c0975529bca4d061017fbec56f6070d42678d3e11177", + "shared" : "55b5b5eb38b127617ffe00056d84d35a5071d18783e3a82b5f4e131b1538b150", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 396, + "comment" : "special case for z_2 in multiplication by 7", + "public" : "590ed0b879319c38a19962a5d216ff2bfaf33555518877969c20c054cbe43e56", + "private" : "982ddf2c035789379b8a58917d5c3c6c061b503b19a0028e01894c2eb371d079", + "shared" : "0080e5b9985a960a832133812a7ab9951c6b2c75894deb3e35509190a6bdf457", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 397, + "comment" : "special case for z_2 in multiplication by 7", + "public" : "7c5f0143a6682f60ccad16f21150c7bb5bc6f807254d08b353fc96ce07bceb6f", + "private" : "78cc3ec0687e3e53d9cec56b79d11bf049d173f127f5b40fae122a6d0016cd76", + "shared" : "5241222226638c4bbbc98792cdbd74882ca2e08aa2edf313070425031009e925", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 398, + "comment" : "special case for BB in multiplication by 7", + "public" : "010850a0974d3e89c029d252b46f739548294c0f9a23183863f9455b9559c211", + "private" : "c86fc76650cf3b58837aa0f0633560415241c6c4f8f293ba0222b7d6a3875773", + "shared" : "63788190b10d7451f5fc2b82c421151db4f3e22782e392da6d8d3aba2c344306", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 399, + "comment" : "special case for BB in multiplication by 7", + "public" : "ad1dd82c23d6a0d5fe0f2a4561d1c16733a3e1e6afa6d902dd077dc43a961628", + "private" : "888d51c0a2230369e5b65a814b3213dde2e62f2eb95d0971486b733e4f90c174", + "shared" : 
"e4b40974a166ac49ed831715c071c751752744b891465e6c45001855aacdc362", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 400, + "comment" : "special case for BB in multiplication by 7", + "public" : "d0c0d6393c41f4d7e0d5e850b7716f401eda1e028a4ed4a05bea8bf81acfd930", + "private" : "68bed425d534315584d80f79da6eab9b7e6036b51fe62e1ad933e266640b4673", + "shared" : "514a4cd0676f1c3101c8c45c17ad416bd33e20a405544fc1a60449abb22fa104", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 401, + "comment" : "special case for E in multiplication by 7", + "public" : "0f460100d88a1d316dff02d1b22ffb2e42d99d0b92474fc3ec7d62567d0cf112", + "private" : "98ff2856ef44b4fa14d86782ea793828bdf6f1ef9b669cac1aae338a7bb69376", + "shared" : "ed83e810ce5ff0868f8589623bb13478dec1c22326c92765ae5e48c84bbabb24", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 402, + "comment" : "special case for E in multiplication by 7", + "public" : "13756a411ff3ae0c39222dde0810f08c432463162d81ef061071249a48439e15", + "private" : "b0cdbfdd98bd988d7c6a530455c51c57dd33fd2c7aee3961971bd3a31388fc71", + "shared" : "ff94862117d3c6edc9dd5f4852fa8a589452b924ca8a75cb23b3d68dfed88c4b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 403, + "comment" : "special case for E in multiplication by 7", + "public" : "8fc1fae969a6185404db22749ef6d225de86773a4d1bf3857eb8fbbd829a1b47", + "private" : "e0677644ed4935f01e052e9967302d0fb78ff22bb92fbae0605f3ee54e2f6878", + "shared" : "1c94868bc8acb3137498209b2812feb53501389f5aa37fecbfd5cb54e1358e0e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 404, + "comment" : "special case for E in multiplication by 7", + "public" : "7bab0891ecb9e72a15771f0a4fff90547024206339c340b1a2fdb53bcfb86b59", + "private" : "887b61553843ca99ad1ca92253a6fe082b82494752513fd53ff6530f54c40572", + "shared" : "adbf3b439b16dbc653578f53374ed3a86f9c0bf1f736573349773bc3b8d60734", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 405, + "comment" : "special 
case for AA in multiplication by 7", + "public" : "102e95eadca7c3c28e5d52336c857bad99ea246f299b06334f401276f49ca814", + "private" : "00615e4697014fc12484ef53a1440206410a8df78caa0bfff82161db83fea574", + "shared" : "3952efb93573ae9ce2162d10e4b8c46435859f3f2778db89f72bc579e695cb51", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 406, + "comment" : "special case for AA in multiplication by 7", + "public" : "3548c16bf31afdcd445ad9bef0e60d7bd6195aa591ca8c82813cd7d446226720", + "private" : "58175113550faad56458fb375a6cb3f05df2f6ff3c4ee09d4a6ba643e022d17a", + "shared" : "96128f929fc03c1269d429f609a1a8acac7a758e3446a125ecf4a359a0e37b73", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 407, + "comment" : "special case for AA in multiplication by 7", + "public" : "ba74e766d44855ec93bd441aa41058a4c4ad2be63c639a3f9a87bde51eeaba20", + "private" : "009738e1e6efef9e2cad8b416fe90a098eb5cb0199f2df5218166c7b181ea079", + "shared" : "fec3e94cb5f316625b090c2c820828ce0f3ee431e8d6e12abccc7ef2bd0be81a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 408, + "comment" : "special case for AA in multiplication by 7", + "public" : "9a5a1d37e5010c356aa80afb347c3d613542ddfa0be7abb8e8cdcd6674411449", + "private" : "c82019159be792747a39f388ea48a8c568594e3383273e51100721b376e8ba73", + "shared" : "96903bac9dc60b6178d734890c25db4bed9ea4dbcf6fcbcdc90e6f5694c8b21c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 409, + "comment" : "special case for AA in multiplication by 7", + "public" : "630847e28274dbae5491210303c85a359074ee742957b0fc3c9ff55d9e019a50", + "private" : "10ac9f8383262ef280faac1e4da15a7de4f2cb74af33b50e0d82dcb85d8bcb70", + "shared" : "50050d0ab1ddd2dd90c460ab8f09e1f80e37cae57d4231adae10c10a4a2b003e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 410, + "comment" : "special case for AA in multiplication by 7", + "public" : "11749b00a45067af2c7e7d50f8d178d5a9fedb8f1b69b239763885bc611b136c", + "private" : 
"b84c098382f6e37d510cc33e62ddc664e02c8bb6ed9ed0e5fa78cc099a26fe73", + "shared" : "9170c4c628d5fcfd0ec719cf6e1796dab0a69e46d6379fffa247d444a0056041", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 411, + "comment" : "special case for AA in multiplication by 7", + "public" : "df1021d8f95950afde77c86ba5ee2f5876ef778376a7fdc7efb8dff0e4836e7b", + "private" : "78cde8930a1d81aef6601f71409728854987578b0f8349588c04adbe2c1f6e74", + "shared" : "d7d2a82953f680cee0c81c4d00fe628ac530ce682eb7fb3b0af24f804a58ef5c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 412, + "comment" : "special case for x_2 in multiplication by 7", + "public" : "2743ba408d5f68c65324a485086a004b6bbf784cc9e8b1a7dbeb8c4b9414b018", + "private" : "b0fe7b06b9950600b3a7ce1d7bb2a1d984194cc9d6c8964504c364dd5c875b74", + "shared" : "a6b97da989dccf730f122d455152328051c8ed9abc1815c19eec6501d6cfc77c", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 413, + "comment" : "special case for x_2 in multiplication by 7", + "public" : "cc275a2cdd9125e52f20ce2abad41f920afa5a643fb7f276ef416f761d689f1e", + "private" : "f0c9c3984854d5bd599d3819738a023eb795e93586dc0e5e29b1c870c612d178", + "shared" : "b210e368729501d9f9b6ebefbebae38f195f91eaf2a5a3a49288bb615ff2216c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 414, + "comment" : "special case for x_2 in multiplication by 7", + "public" : "4929543101ee7ae239059cd134c35d400e50d0821441351d0fa6c3d54efb342e", + "private" : "906c2f12be89702db26fa7ee905ce36525d2dee4e96a879ca07da097a6aa5075", + "shared" : "b9e3796c58701ded4237c52994501cee14e18f2fb02b781a8400923484bd4a6c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 415, + "comment" : "special case for x_2 in multiplication by 7", + "public" : "1324e0368597b3181555bb5b2cc7b7ebba46931aeabb6f05ababd4240f0fb933", + "private" : "f026031ea373e1d16e6e7e0357bc96bc093f4b6bb76a738cbb54fe6cfd2ea271", + "shared" : 
"6dcdf8e86903b0caded124d8a7da18e623430ca869aaf267d31029d93de99e66", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 416, + "comment" : "special case for x_2 in multiplication by 7", + "public" : "c7f3842297d6941cac63d6f1bdaea0709437c82dbc9161fc1bae6c79d668eb44", + "private" : "703f4ac8667d77f9536045cf748f18d42345e39ccab10c18dde0f5170d307f73", + "shared" : "385ddbf2505ebf537bf5e976b61a4b69d190ae965b7e4a81ae4e1c16b7148748", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 417, + "comment" : "special case for x_2 in multiplication by 7", + "public" : "1e4660ba865fb8085afd4692885d74237fa3bca5af4b84ba3de400f16a5ac45c", + "private" : "c8a96ae4e77271a0680dd24fcb09f9c5d3ee8316536eec7cc2276597e50fe37f", + "shared" : "0fbaea73f9518795e026c1fc1079c3738aeb9ee9c8dc9761d65bbf8f94e30154", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 418, + "comment" : "special case for x_2 in multiplication by 7", + "public" : "2488bb6fadb79d46585ff01c160c5b4172799d92bd168edceb65cededc492762", + "private" : "d0dde8eda38c3783442864c0cb46a0e9832dcf784c21268a21bed2cace87cd70", + "shared" : "510c64151e5d0737fc324bd15fb5d3966908751cd1a06954b556196655ee5540", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 419, + "comment" : "special case for x_2 in multiplication by 7", + "public" : "a0c1087811af1491171bc51691b8ca84716af36c4baa764ec536280cc1983d6d", + "private" : "c09cd47e1ce53604f14e4e13426c8f08962f556bcd81f8d75375b1507c6fda78", + "shared" : "23ef825e1c8e6e64428001a7463e32a9701c81cf78203e6ae753740c91570e6b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 420, + "comment" : "special case for x_2 in multiplication by 7", + "public" : "cc5c97934607d8b981bce1d6a232bb3aecc3001f698ae1ae84938fbf2861077b", + "private" : "e09a5f74f318f02303857aa0208d76913d9e240a80549d12013118bad620597f", + "shared" : "0e55a7ec1a2ddbea1ac5981200812232f7f4c3a60ee3c9ab09f2163bd13da329", + "result" : 
"acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 421, + "comment" : "special case for DA - CB in multiplication by 7", + "public" : "238de7fcc8a3f194c3554c328efb1215d0640ac674b61a98ef934ec004cfd73b", + "private" : "706cee5f9b357c03b2f1913294f6e4f0ca5a190a87d30268327d0cb6bdd5bc79", + "shared" : "0681036a0d27583ba6f2be7630613171a33fb8a6c8991c53b379999f0f15923b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 422, + "comment" : "special case for DA - CB in multiplication by 7", + "public" : "ac9fd80a45da109fa2329390e5a951cfc03065d7bb4a7855826ccb22c3bfeb3d", + "private" : "40e300cb1ff260574f85b3f04aac478464a86e6203b3d4656418f4305157877b", + "shared" : "67b88774f19bd1081d6f23656a135803e34ae1cdcae10818124a78569c299f42", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 423, + "comment" : "special case for DA - CB in multiplication by 7", + "public" : "a45ab1dc2fa2c50718fb4985d9791401e8d2d34ffe3cd93cffb4e870cce5e855", + "private" : "882f78b4558b7faa835904c9235e32f300fc8b5ef0a718406a5c8520ca54d071", + "shared" : "a512e864bd898a5ba6551adcebd836c6a78e7871728e1b8ee528d483af276104", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 424, + "comment" : "special case for DA - CB in multiplication by 7", + "public" : "1761d3d50ba46b446655aa6a8d9b8b75aa5bb24a7953208d5b69fcc38f18ec7a", + "private" : "d8649b735590a17d0fc4c378fbf4c2f7d6600569b2e84cbe0ff7bcdbac0b5f71", + "shared" : "518b778cf5e976c60235abcf6211a18bad2a8e693ab261074c7fab43dbb5da27", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 425, + "comment" : "special case for D in multiplication by 8", + "public" : "dc99ad0031463e4537c01e16629966d1b962c0b4e4872f067ca3c26ccc957001", + "private" : "a8edec59ae6ba23813ec54d66df152e0626762b97d4b0c20e0dd8a5695d86e47", + "shared" : "6cfa935f24b031ff261a7cd3526660fd6b396c5c30e299575f6a322281191e03", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 426, + "comment" : "special case for D in 
multiplication by 8", + "public" : "b32750fd80d2d7c62c6b8e39670654baea5719a3e072e99507fd5bcb23898264", + "private" : "1098723ffe567ea6dcc8d04ecc01efafeea0aee44e1c733be8b1e5d97c8b8041", + "shared" : "c623e2d2083f18110a525f2b66d89ed82d313b6a2dd082f6b7a6e733134f5a06", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 427, + "comment" : "special case for D in multiplication by 8", + "public" : "e7b3205777b375f1b1515a50a16a6067953ff221e12b4f416d74fb28c1c85865", + "private" : "a0f20df98b49218ac832f26fa8c218a0d6872eb7aea07c1d43c9ff699b465b47", + "shared" : "388ea421650a8d837bad8904018195e99ef494c2d170b93ee721a67d2c108729", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 428, + "comment" : "special case for DA + CB in multiplication by 8", + "public" : "21cc338d7869e5863349cc739c8a6946cfc797cb82fbf62dcd2154844b106003", + "private" : "30473a77a98374f67d5bd43df231ce142916aea0d271e72333fa47dc441a0247", + "shared" : "b9e5728b37435b1d339988f93267d59f3bd1c517851c5a258e74cb64aea73d2d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 429, + "comment" : "special case for DA + CB in multiplication by 8", + "public" : "c34217c02072d7e2bca0454525030780cfb60215d7ca82dbec8f4a59034c5f43", + "private" : "d8657be3a30fc85fb2f3a68e92ace1b31b26e76e6bdb6727aea507cb7c10dc45", + "shared" : "20b67b205e22ce87fd44a8e8fd10a6d8890b9270b60e1c6a68b4aa78e6e37961", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 430, + "comment" : "special case for DA + CB in multiplication by 8", + "public" : "8abb8cfd60c6f8a4d84d0750d3b40a4f846b30edf2052fef7df84142cd0d9e47", + "private" : "882f5578ae4a13d8f5af473bdde1709bf2e059df809ee05b505f34de857c3447", + "shared" : "5faba645fc21f9421ebd35c69bdb1d85b46f95e3746ff7f4886bc280a9ab2522", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 431, + "comment" : "special case for DA + CB in multiplication by 8", + "public" : "9fd7b49a08f206688d72db737df8e517aa7b764f5de7c9a2b1c3fcbaa985f64c", + "private" 
: "98294db7cbf4958bfb3ed21d5d5c91e13cc8dc27b3c716c86f7167a4819f8741", + "shared" : "9cb8a0f4ad86a27b96ca61242eab198db2767d3862dd323e41368fcdcc5fab68", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 432, + "comment" : "special case for DA + CB in multiplication by 8", + "public" : "c4fefac7acd448e8fd4d6ac4f5dd1bc21f2c67d638444060918fb344aa77e757", + "private" : "789bc4047ad81b9b6656eef298b766e8763a2f8ea64e374a603dc1fdf2eee146", + "shared" : "4b42fcf84b51b2b82f1f70b3cf49bd9dc6ab2672920a8de37e81ba7e99acf734", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 433, + "comment" : "special case for DA + CB in multiplication by 8", + "public" : "a8341deecc0be6db11401ef7f884ac3ade35650cc21f14b5cdb0a5cf0ee6b15a", + "private" : "801ffe4e0f6eeb8a50c8fe79663ff585f9d6aebcfbf4b7edc676c693900cb141", + "shared" : "e55fc931669bd02d1c64689eda62648212b1078c43b5caf97cf9763ff87a3455", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 434, + "comment" : "special case for DA + CB in multiplication by 8", + "public" : "55a0e6631a52f29fb90a1777ccbc69ff94547459d541f72e8316e4d616535a67", + "private" : "e04e412383a63b338b70e1be5fd75995350321dee428aa4f3ba62a50a3b0de44", + "shared" : "87f7976a17f3e03a7f1eb74e6db950b8c0994f40b7903495599d227725809e01", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 435, + "comment" : "special case for DA + CB in multiplication by 8", + "public" : "7976d520f1a2512d564af41c68313f5351b0156d5118be4817f192798ae9777d", + "private" : "382dbe9f10158bfbb7d1d79a35a7809214899a6b8572b35b55875d79bd2f1640", + "shared" : "3bb3e30105a71901b115065e39bdb3e053d387b39027b12c92cdf4c638adf00d", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 436, + "comment" : "special case for AA in multiplication by 8", + "public" : "a26a722f7ba71ccfc96ed8e108d7c9f842d17f92051ee7d429ea7fa7908ab907", + "private" : "60c9af7f4d03136a6034ae52deadfd9d4f274ad8122812eb92a53169c8354141", + "shared" : 
"f5cb3a1b76185a29a6360b2142feebb11f3d08f4fd8d73df3a5228624a521c02", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 437, + "comment" : "special case for AA in multiplication by 8", + "public" : "ca3a2d96f5dda482b002324cbbdcf1dacc9815eab797c7151c3a88c75cded621", + "private" : "283fae8bd8b294de2848056449751965abb5c7fa86ba4c2c5cdc3bb524dad140", + "shared" : "b0b47868e70465ee2dd737f1ba5a6399e09cd813d72da7585ab45c946cc28d4d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 438, + "comment" : "special case for AA in multiplication by 8", + "public" : "eebd858850b56febb707f27a7aad5ff5ab4b0e0c73b9c86ec4ca0f42e7f38e75", + "private" : "401539703ca4980db4ba42c59fc29e83b4189f2ddea53ba54ca966c06898a640", + "shared" : "581e4b12b0f39a7cc42dee4513ecfdd20b595f905f17ad8c1fbf1b5cb2068b31", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 439, + "comment" : "special case for z_2 in multiplication by 8", + "public" : "c800bf799783275eb93312b43dc032ccdfb00a4b77c8b3772cd2fec8db7e4a09", + "private" : "c8eb056286e098e6b2c79e42f007ebc6ab3705346cdbdace949b5de1e8c36743", + "shared" : "6bf264532fc70a6a7e459f4579eca6b84f8f76ab85c3264b20bca725a6eb6c40", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 440, + "comment" : "special case for z_2 in multiplication by 8", + "public" : "7bbc504e04d134eedc13f06dfdfc69c518257a3f374040a49a8d21dac109110c", + "private" : "487882956c49c69fd0e2d7277a24fb1dbe4b0365b36a13f63440248bca2fbb42", + "shared" : "690305c9e192cd8a513f705b3f101ecdf3db1ea15a09c4a1bce3a8cdc3a1a93f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 441, + "comment" : "special case for z_2 in multiplication by 8", + "public" : "132533db62aff4fa06e96314383bf58ebdec5183a19f2e4cb17552ae19a3366e", + "private" : "9876010f4d64c77ffc4d7dccd72b9ac82078deb883609650b8cff8a686719d46", + "shared" : "c58591b33e490e4766ff7addff570ce4e89a98338015a55df3d2f232aea3fc4f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 442, + "comment" : 
"special case for B in multiplication by 8", + "public" : "ceb90c56508cf330c7f25bab42b05b5612a8310690107ac63a404c0ade788009", + "private" : "a8a5d4f7894a519537babfac736de36054f508dae434b4fe63cd5633846a2647", + "shared" : "3d145851b6ff2b92b5807ed1df21eb50c9f24c4474d4721db3abb7356df7b764", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 443, + "comment" : "special case for B in multiplication by 8", + "public" : "66a09767a0d83bb18d404e1200375a745d1f1f749d5dc6f84a205efa6a11bc65", + "private" : "f83e4647e82c560aa082c59641e13bf366be8f24dc01d14801e67841160bed47", + "shared" : "1401829aac4e64bcfa297a7effc60477090d3627a64a35b872ae055d2091785f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 444, + "comment" : "special case for B in multiplication by 8", + "public" : "39d431316307c85747bd2bcf4f9e0f8892ee45df15f7806ce65147d97f503478", + "private" : "58c6b94bce9b15f64946c2aa6a4e383b0b2d4365b7997eb2310ac4eef1803145", + "shared" : "a0ebe6908c5472f937769b9aeb313224437fc5d73f4f866fe7ef41f30e359e09", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 445, + "comment" : "special case for C in multiplication by 8", + "public" : "84c92d8ecf3d0cb22dde7d721f04140c2d9c179cc813ce6cf8db2dce6168880d", + "private" : "786a97207adbd4b0d6bfc9f49b18660ad3606c12e325044b8690b4fa07874641", + "shared" : "07538f1b6583041c4949fafae3349d62f9dd302d3d86857af0dedc0d5ad6741f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 446, + "comment" : "special case for C in multiplication by 8", + "public" : "a9cedb9e942a47221e4296953220d10007db327d2acb68da6ef3a4f877b8ef1e", + "private" : "282310210e575a59393cf19bbe6e24752dc247706f1e0031e5d39b2de4fff745", + "shared" : "1223505fbb534c1bc6108e6b98b4f0af29e11158c02d333d6559beecd6d3e558", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 447, + "comment" : "special case for C in multiplication by 8", + "public" : 
"64e1c0c5f59405bbc6c7db41a3485cc9f91c183b0f2b7e1894a7abd8fbbeeb23", + "private" : "c8bf2fd4c40d00f1465aada682b12fa92dec10343484ab62b8871337de1d3345", + "shared" : "ee031868165f456f75907bf39742b820e0f8e6df9f9768d757d408e1cc92ff7b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 448, + "comment" : "special case for C in multiplication by 8", + "public" : "a68d2f55e60eac7983926310f4fae13f95b2bbf140be5ea91751884d900ab44d", + "private" : "c06a4a4b70f613136f18c0f88e2245086c3d1a52717210a21ac9d63682f2e740", + "shared" : "c954fa7b042c32943e03191e367d54be0085fa8950ef2bec99620df79ecbea4b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 449, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "6d3cd623f26a7453fa05a01ae758ba84d3c58d93d60ce32735a15e0d053d5b12", + "private" : "20596e1dc56596823d37698dfa699c79874aaefde797f863ef92135980fb2043", + "shared" : "7c3219b3c1fae1f95590ac843efd2084a1f4bd3efa2f592f022032db64ebcd77", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 450, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "8f195547346b3d53b7ea4f742b22f1ef7b3cc01a7d3dcd19aa7c5b03f31bd214", + "private" : "38141518e8e5efa1d031c6c4d95480239f6c30b8ccd8c751a9e04bd3aec17342", + "shared" : "a31f6b249d64a87c4aed329c6c05c3f2240b3ca938ccdc920ba8016c1aeaeb45", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 451, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "ffc4fe2c2127a309c739565651e9812f834a86dbadbb78776977f786ecdb0217", + "private" : "207147f2b68fef1efc10a04f988f0eb18b273b0b5ed17aa7af32c90480e19b43", + "shared" : "4cff9f53ce82064882329a18ea4e4d0bc6d80a631c87c9e6fdc918f9c1bda34a", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 452, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "8475babeeab9980d426abd5323dfb335b219e129bddae4d6cebcda50754a6825", + "private" : 
"488084537b840f9c93ca57b3ee80491418d44221113e03f56355302604d03547", + "shared" : "248d3d1a49b7d173eb080ab716ac8fde6bd1c3ed8e7fd5b448af21bcdc2c1616", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 453, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "81f90a2f6633d30c2b72a25795d2a49463a80b6b0edc5aa68bae4bf738185539", + "private" : "28cfc1d03f5c7428ff3e20b137268b33ccc74db03582d2127c566df4ac99f441", + "shared" : "66c6e70cf630be90a2c88fcde7f58cff3868660fa96406e8df4ac677dbd85f50", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 454, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "41626e33b3c8f48bd19e49ded307f2b63bde705c4f3cdf9d4f92bf37c48cba42", + "private" : "c8e37d10f3d03db3f43e467bddf98f595cb529ad253c20d491282d1400b9e740", + "shared" : "06283fcf69dc83e99d92e5336f499a1d8fa75ed2c819b5ae6ea8094454324b27", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 455, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "ebb32f781c0e89b252e611f9d8f79f8567874c966598314b2f16aa44cfc07843", + "private" : "00237e91406a7b4db61e780c5976fbb926cdace2fbdfdbcfce65e6dbe7782a42", + "shared" : "7d2affb43355f5db1294daff55f59b1f17e7d25bca20746f12484d78e5015517", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 456, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "fa75e6f08ca815b4e42af24a8e057c9e00e828e33d12c0e94d1012a758336744", + "private" : "489c4184a23a8f5eec68a31b41aa2c0392cd6fb123f10acdb4de75292b4b9a43", + "shared" : "ef8e78cab091d667888489fd3a2ec93fb633427d02eb77b328d556f2b2b0e266", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 457, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "4d96320cdb0ca52655e91118c33f93afe4ae69e9e513ff4506750b8ea784ce46", + "private" : "c05957fbc3a0e2c22a2aef627651ca1e99307b82a0c6170f7950a334f3004941", + "shared" : 
"c8d85bfa74b4b26461297b350c975183fea9d33ba29c3a4934509c2ecda58a79", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 458, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "c0ef1b7c20237db370501f24274e4eba91998ae4545f937007e1c4a2eab63365", + "private" : "60111c6629f73635985be964b845f87a88ae5652d45bb1451ce8cfd2ea45fe41", + "shared" : "22557e0d8741ed2a63afd5e313aa1579fc0c88c7772e23a676c94b60c89df577", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 459, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "d534d8ff4d56a73ef7615e94523b17e35edb3d0fb87e98c68536f63f114a8d6c", + "private" : "58785889a216d15456582d4e1e3de9e9ca4a432954416d81caf52b2b434c1746", + "shared" : "54d7fc17bad00296ba50b0f3d5bf8fb83f82d571952a5fdb5a494120cc61446b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 460, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "733a711ba01b6e9b64a0be4cdca8c7cf3c66df2435d5248fb4413fec6ee03f70", + "private" : "60bef38a3890ec1ed05c299fceb77db5ead4b88d9e931b0f21d664f77df9b544", + "shared" : "db6851b12585bc11be9362c96a545c6f2ba55f04009792463b96a38cb9b3f07c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 461, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "35738dd539d60f69cd1a1cffc8a42b6af68fe7de45392d02831e2a77500ea278", + "private" : "5854ee566878ef8b7ebaf5a058306f250edf0c84fd52af2d74b7ce3c1edda746", + "shared" : "f6d1a664257fa5de3d4d57f04eda2976bf1e35cc3ac513e1ee84d57d2135ed13", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 462, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "ce932b5af4be4721f96f7b79ba1c43b20687d4af49c37b58dc894279e04bb578", + "private" : "985b551261fce38ddc8ff3add32f5c26811d271b9a1794e249dd76a38df28446", + "shared" : "f8f7625ac5bde63f753a9bb4aefbfb9c4647207708af9d774ef08ff1b1e5a354", + "result" : "acceptable", + "flags" : [ + 
"Twist" + ] + }, + { + "tcId" : 463, + "comment" : "special case for E in multiplication by 8", + "public" : "e3655448339e4850806eb58abba0c89185511ea72c37c49e9583ee6dd235d213", + "private" : "8815052344dcad97efd1341e9072a808cf999e46e52cf04e0cfbcd9901e18d43", + "shared" : "5e10dfbff4443efcae2ccc78c289a41460d5a82f79df726b8824ccbef7146d40", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 464, + "comment" : "special case for E in multiplication by 8", + "public" : "4d16965b1637e9d7ae8feb499ed0553962a9aa0022d1620c928072f6501bc41b", + "private" : "b8e032e9e5ffbaa004390f3a0b900bc7cf5d11238b7ec964afc4bda2aa6c3444", + "shared" : "19d7b44c1847c44e8f37a22ab69c180fd9d787f204123013e1b16800b9cd0f57", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 465, + "comment" : "special case for E in multiplication by 8", + "public" : "c6b9e6288737ad40452cec1022871d90af1642d10bd0a97792b1a9c8998e2220", + "private" : "7012852211f6536fca79937e7e316c9149b0e20ea03f951e1bb072895ca0e044", + "shared" : "db990d979f4f22f766e7826d93554e771b361de461274d6c37baadeb8ef7be4e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 466, + "comment" : "special case for E in multiplication by 8", + "public" : "d566fab505ac4c7a3dc3b9403ef121392cbbe21216e5bcb8eab2dc9408986e34", + "private" : "d039c1b9ec4763e0ad8a0ef2b0870297d0f8b487e660595a484105d180e14a47", + "shared" : "6d7fc5d4a8f534b1bc0fa5e078104234675c02664736957abdb27df6faf07c00", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 467, + "comment" : "special case for E in multiplication by 8", + "public" : "468d35ecfb6d9b7272523276cc5e13760519667f0e1e3888da4c56955fe91151", + "private" : "58efcbc8777c1b54f09c61a216efd427292eb12312dbb3b32bd45254a6683e47", + "shared" : "539c8d629ab51c2f3ea7278fd5f1c31b6c150a82fe3f786b93ffa159fd6d9316", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 468, + "comment" : "special case for E in multiplication by 8", + "public" : 
"1929538743977dfea20bf4927ddabb2f3bb15cac2461054508849718854b5568", + "private" : "c8d73446026cd0ea795773c2eb7b16348cd5f228e352dbc77328c2d8b9cde240", + "shared" : "dee3fd19c8f296415448b21af44385ec46727bbe67d4839b93efe2f680e76d34", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 469, + "comment" : "special case for E in multiplication by 8", + "public" : "2d7ab4c6f59865355ee8e9de57db19aadf7708b7c1d1a818487c340623badc6d", + "private" : "98b559523bc778b0418af53c0c32f6ff5cf771ff5df8ae7cbf7c3b72aedb5b43", + "shared" : "2a0340aaafa05d00529c09057ed0145f34d2de66a3e149cf084ea97168914f39", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 470, + "comment" : "special case for E in multiplication by 8", + "public" : "43839f4a6aa206c82c5a73f49d8c9e573826b3ba7235d312987c17aebee62776", + "private" : "589815027caf82714e96c9f91bace66ec4ba3e92df3fa14b9b8fe503556e4543", + "shared" : "00313717d33e3b41a0865986157582e053502a172b88d01bb7b10831a9fc4e6c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 471, + "comment" : "special case for E in multiplication by 8", + "public" : "3c321e7f0b9e555bc264a2cea617e6b2b562ebab21fe0c226c3e487b7df9a27d", + "private" : "80715f67270c99789855ceaea99b9957ccda33326f76bb4474ab52ab1ec37041", + "shared" : "9b6be9e6f2fdb5d3321842225d3e91d14828cc53ba6654dabe190b0c3edeb309", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 472, + "comment" : "special case for DA - CB in multiplication by 8", + "public" : "42e5a6b8e9654bb4ad624af3f491877977513cc8775c8fb312ad19dbf3903a28", + "private" : "101b990bd83d684126ff047d930c27d086a588dd19683d2629f0e34f4374ab41", + "shared" : "223f1eb552308373026d11c954684ce6db870b638b190b9443e50aae219f4e3e", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 473, + "comment" : "special case for DA - CB in multiplication by 8", + "public" : "0a51dd90ab985f6deaf72f16c45014da26df848697f6582d75688f5223342b51", + "private" : 
"200089b712d9a2050597779d463712fcd223e3d67879c0fb7606f8f5f0efee40", + "shared" : "fb95ce4a3c1f325638b7d47f4216d39a7c6c5da9a01caa297c37b62816555b2a", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 474, + "comment" : "special case for DA - CB in multiplication by 8", + "public" : "8842317357bde825ef438a1c53906fb8b04ea360f7ef338c78e668586047936a", + "private" : "f04f87f4e623af4c31ceca0bb87fac2d5b12517b5a7284902ad75838e65f1e41", + "shared" : "488b8341c9cb1bbf124510b9f8dae4faf2e0dca9b84e00e952a63b5aa328a860", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 475, + "comment" : "special case for DA - CB in multiplication by 8", + "public" : "c71d92d3c92dbfaed755fb32797b667cc86b0e79362498e2aca38c689713b16e", + "private" : "383cbd5a3dd0901d09a3cac3d3a77a979cecf15e206a553e4ca3f24b90783945", + "shared" : "1129eae97bf75f7314f2e1b403b18737ad830c80429e2ba0d4866b362399855f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 476, + "comment" : "special case for DA - CB in multiplication by 8", + "public" : "3a21d1cf7b3744d1ad26197335844982c2a0c6a5aa835492bd03c401a4fe6778", + "private" : "701df09e57b98aec375745df147b72949a6b2bb2ca3a34881512ee31e790ad42", + "shared" : "072f51d94727f392d59dc7caff1f4460452352ec39c32a1c9f071e388833da56", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 477, + "comment" : "special case for CB in multiplication by 8", + "public" : "d128ea3e13325ed6ebd6533a9fd3045a55f25ad8b67def30912843504c1aab29", + "private" : "b0ffa5f4922bb117ad75ff43acac62331efaa45536fe88306e4a4cb58db73a47", + "shared" : "30512142d3e3a4cad6726d9d35f2e043fca9dfb750884ae22b2547c840f3587b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 478, + "comment" : "special case for CB in multiplication by 8", + "public" : "e079c8f8423165c7e0a2c48b4abe90aece4e6d903d7a5a1625fad0410cd55b32", + "private" : "685e3271d2015741756612a930e858b930acf2018145f382c83d8cced2e22044", + "shared" : 
"5b81b3761a66d199e8ef99d2494bd57a0229d4564a7f6d6055f22aa48681bd3a", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 479, + "comment" : "special case for BB in multiplication by 8", + "public" : "65922a06e9be4e8a5e8aceb1a4e08fe90f01e10ef2dd27315427cedfcf95ec32", + "private" : "f8e161d69297e017d7c51b1b1ff3ba703d4c4cf8fc2b8ff47f74c3ff8c7d3541", + "shared" : "038de7fdb9cc0030f5c11dda00589f0a95f65658815b06ed013553a02b6c5017", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 480, + "comment" : "special case for BB in multiplication by 8", + "public" : "d36a240e972dc16e9b97a997ada337f02760d05c46d7f8d7b4e9ea9a635c7c64", + "private" : "105d7589f8abef0acf0940da84a69e8f2f306fa73c9afd27342287c1dba80044", + "shared" : "22b0dea3b3b7ca55eceeaae6443426548c7c15cc7ddf31780318d1c23879c16a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 481, + "comment" : "special case for BB in multiplication by 8", + "public" : "4f5b8b9892b8a46df08d76a4745b1c58d4e7a394905435875688ca11f1e9d86a", + "private" : "1893d4388b0e90f0b50208aa8f0cc24f576d03641baf1c3eddb2a3efa69c9d40", + "shared" : "a25e1306684ad7870a31f0404566e8d28f2d83d4b9497822c57f8781b18fec20", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 482, + "comment" : "special case for BB in multiplication by 8", + "public" : "aa2f02628269139a7a8a16fde95c9bad7da7ffbd5439c396a7d77b6c3213e67f", + "private" : "0065171301bf6b90fb16efa35509161f1bd6b3b93130d490af9fe224dd155f45", + "shared" : "bb4431bea7a5871c1be27a2674094627eaaa4425c99cd3fa41bd7e13cbd7bf7e", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 483, + "comment" : "special case for A in multiplication by 8", + "public" : "d995cb287e9a9c5791f3cae3d494a5b516a1e26cbc930f43e73c8b70b69d783b", + "private" : "10c81a4e78d82145b266e1d74b3869bf1c27427803ebb11c92ff8073d1e4cc46", + "shared" : "330f5d0b5bccc90f7694dfdd9c6449a62d93af8840eaf571e3e0610e0198b03f", + "result" : "valid", + "flags" : [] + }, + { + 
"tcId" : 484, + "comment" : "special case for A in multiplication by 8", + "public" : "479afb1e73dc77c3743e51e9ec0bcc61ce66ed084dc10bfa2794b4c3e4953769", + "private" : "48b98b4a99eadd73012c07fe5c4a0b9590ac55e821353b41d5f665e17188bc41", + "shared" : "bdef00caa514b2f8ab1fb2241e83787a02601ecdff6cf166c4210f8c1ade4211", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 485, + "comment" : "special case for DA in multiplication by 8", + "public" : "378eda41470b0f238a200f80809ad562ca41e62411a61feb7f7e9b752b554642", + "private" : "1897678e38222a61fe105dc6643c1eb5940e8dbc73ed6c00f25a34328f43a641", + "shared" : "bfd5b5acd2d89f213a26caf54062f9a24e6f6fd8ddd0cd2e5e47b7fea4a9c537", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 486, + "comment" : "special case for DA in multiplication by 8", + "public" : "0cad7545ade2fd93fcae007c97648348f26d85829bdb7223a63eccb84e56d475", + "private" : "a898af8138e11ae45bbcefa737182a571885f92d515c32056c7cb0d7deac4741", + "shared" : "c8085877800c175e949cdd88e196eb9c4841da2ac446dfed9085bda5bbec265d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 487, + "comment" : "special case for AA in multiplication by 9", + "public" : "60f27ed0a27804ced237cf3c1cc776650fb320bae6d5acb564e97b56cba25210", + "private" : "b0bfef6ec095b5a1f93917d32f16a21d0462c1fde17446f5a590232d9c895f4a", + "shared" : "4c300895827382a9d1079028bd6f694a7a12ddac9c76abac6fdf5d29457a3310", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 488, + "comment" : "special case for AA in multiplication by 9", + "public" : "f93a73270ac19194b8e4ffd02be4b1438525f84a76224688ea89a9dd6a1bd623", + "private" : "60497d4464ed8823c50fbc6b68620826c4f629c1d9193058df6bf857c6aecc4b", + "shared" : "7285fbb3f76340a979ab6e288727a2113332cf933809b018b8739a796a09d00b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 489, + "comment" : "special case for AA in multiplication by 9", + "public" : 
"cf80c30fcbfd535666ca1da499e2e99cc537063e2de19458fcf92f5ee34acf47", + "private" : "08c6cbe03792a3829f06e8ad54c55db113236ac0dcc9ab6a9a6b10eed1041b48", + "shared" : "dabc3bd49f19cf7071802e43c863ed0b1d93a841588098b98a0c581bf4fe0a11", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 490, + "comment" : "special case for AA in multiplication by 9", + "public" : "698effe0ad42e15ee1f46fde6fc5074ffda183bcf1b2db8647f561ddd191dd60", + "private" : "50044da3315dd082e9dfb6a1994aabb331f53e0d1c12633383b2a3c8678cfe4c", + "shared" : "a61a3b150b4770532373676298c9a5da28adcc4365b06fe07c959ca80e477a57", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 491, + "comment" : "special case for AA in multiplication by 9", + "public" : "bd1565b4a3f8515dff577be6dcb414511d3d4ec2de15e0bd45b28e9cc4caef60", + "private" : "285640da7a48252e35ddce60c14addb73097fbc9ac2f87c8d2772ce89aa6be4d", + "shared" : "916ab4f3bfc8321e1087d9c5444f8f7a43e9ca6d29e7ba98a19dc05fff34ed4c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 492, + "comment" : "special case for AA in multiplication by 9", + "public" : "b8649e13843f80cf5702398e4a9a8c378f29da96dfd6579f1eb4f7ea34df6765", + "private" : "783271c21199ba2e94ead92cd9dd79f70aab378b59497455d327a5907dafcb4a", + "shared" : "844a5dd5139554ca7b41cbe6a4796193912e7aa4e201cc68944ce2a55774a10f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 493, + "comment" : "special case for AA in multiplication by 9", + "public" : "c396938737abdf791e09a97eba577c437d9b67c2dae94e13eab7296ec0fc737e", + "private" : "d0676a0b9a046c62d5b2e740d9cc43fa37965dea93c23254f7bf569f2bebaa4a", + "shared" : "10780333b2a6170136265bb5ebc6c818817f2e48ae372528c8f34433fdd6215a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 494, + "comment" : "special case for DA - CB in multiplication by 9", + "public" : "557b825012d98f065bb95a2ab9b2d2d8b83fd2037912508c263f86d7e36c4f24", + "private" : 
"608c84d2b76fccda579e974db3d3b2ce39a6bc0dad440599db22411b60467849", + "shared" : "5ce84842dbae8b795b3d545343558045508f271383bfb3dd3943f4101398c864", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 495, + "comment" : "special case for z_2 in multiplication by 9", + "public" : "ae98296d4a2fbcbb40b472f4063231608bb1465c226c8a4a2dff29afd915882a", + "private" : "80f233936a8821936d39114c84d929e79760b27680779e5009e1709410dd8e4f", + "shared" : "4f11aa0c313195f96f25cadcbf49f06a932d8b051879ea537d1c6dfee7f36d35", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 496, + "comment" : "special case for z_2 in multiplication by 9", + "public" : "8b9d249829fbe81333d85050da88998f63fac665679e27dbbe21b745dd14e145", + "private" : "c8d80b1a34f21194f047a6f0328bb947e2e7aff6a043553aa07f2abf99aaf048", + "shared" : "1d619070bf5626064be10025e74e336c81ef3166b743f99c751fb90587c31d7e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 497, + "comment" : "special case for z_2 in multiplication by 9", + "public" : "61896093e2697c78230afdda12639cbe4342827b8d2b093281f148eb60b9034b", + "private" : "9021477b452361580059364c6f94f4981ee94ea3f9b7d37439bc82ae45816f4d", + "shared" : "532e797861db56b9d5db8825fb72f8629c2422f8abea721ad2d7b9e77a95b576", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 498, + "comment" : "special case for z_2 in multiplication by 9", + "public" : "ccc1dc186229dba9a9360a0f7ff00247a3732625acaacd18ea13a9a8b40fac4f", + "private" : "6079dae04c40a59ea4e0c8c17092e4c85ea9133d143307363487836df4e30349", + "shared" : "4f678b64fd1f85cbbd5f7e7f3c8ac95ec7500e102e9006d6d42f48fb2473ab02", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 499, + "comment" : "special case for z_2 in multiplication by 9", + "public" : "69e368c0b7e78eb9f3a53bf458f6e79dc4883bf9458f04a8c12c4ddd94d62151", + "private" : "281db6a5ac9a47d4a7b2b91a87f6536ce62d4e5129b8d647b97f9c504014894c", + "shared" : 
"e069fd06702f10f33adb8cf0766880634865b510e2da409241fb5f178050514a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 500, + "comment" : "special case for z_2 in multiplication by 9", + "public" : "f21f9badd98dd8a103cc2ab5484fac6c2bfdd2671ee6e674134a86b89cee9160", + "private" : "d830f3c4785829a0f945857e0e85e0ae723702b57783b933cd2a2ad05484fe49", + "shared" : "fee218eb1f92864486e83c1731f04bb8c7e6d7143e3915bcbf80fe03ff69dc77", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 501, + "comment" : "special case for E in multiplication by 9", + "public" : "e853062b2d6f38d021d645163ea208d0e193a479f11f99971b98e21188fd0b2c", + "private" : "10230bd0721f4c8c4b921881dd88c603af501ee80e2102f8acc30cf8b2acd349", + "shared" : "64bdfa0207a174ca17eeba8df74d79b25f54510e6174923034a4d6ee0c167e7b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 502, + "comment" : "special case for E in multiplication by 9", + "public" : "362eb92dab9fb29f7ed0e03843dcc15797928c2b4e51ec260204179c1c12945f", + "private" : "f0a34d6d76896e17cb8f66feda23115ffb96f246b823bb63dec08335787de74c", + "shared" : "d7f4583ee4fe86af3a3f1dfcb295ba3a3e37bced7b9c6f000a95336530318902", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 503, + "comment" : "special case for E in multiplication by 9", + "public" : "ff543f1e81996e88631f030ceba7e603b13033efd205e68bd36b28468134aa73", + "private" : "9073c1d0a173c7ff02dc966a165993d9c4c9357514f7a6bb7aaa4b0827718948", + "shared" : "c1b5e5f4401c98fa14eba8aafae30a641bfd8fb132be03413f3bf29290d49e0b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 504, + "comment" : "special case for x_2 in multiplication by 9", + "public" : "90ef70844ead1613f69df7d78c057813f866c0d95e6d22caee4a012b9c1c4b33", + "private" : "b0c1822566e016c12ae35ec035edd09af3cb7a48f55c9028e05e1178a8c3824e", + "shared" : "9369ebb3d2b744341cba77302719a4b2d63aff612872f86d9877a76bc919ca1c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 505, + 
"comment" : "special case for x_2 in multiplication by 9", + "public" : "88c1ae575ad073dda66c6eacb7b7f436e1f8ad72a0db5c04e5660b7b719e4c4b", + "private" : "e06fe64e2117796f997bbcd3bcad3067cf1291640a3a643fb359809a4016834d", + "shared" : "335394be9c154901c0b4063300001804b1cd01b27fa562e44f3302168837166e", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 506, + "comment" : "special case for x_2 in multiplication by 9", + "public" : "dcffc4c1e1fba5fda9d5c98421d99c257afa90921bc212a046d90f6683e8a467", + "private" : "707ee81f113a244c9d87608b12158c50f9ac1f2c8948d170ad16ab0ad866d74b", + "shared" : "7ecdd54c5e15f7b4061be2c30b5a4884a0256581f87df60d579a3345653eb641", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 507, + "comment" : "special case for BB in multiplication by 9", + "public" : "6c0044cd10578c5aff1ff4917b041b76c9a9ae23664eb8cf978bd7aa192cf249", + "private" : "7089654baacbb65bd00cd8cb9de4680e748075e8842ca69d448fb50fea85e74e", + "shared" : "0d8c21fa800ee63ce5e473d4c2975495062d8afa655091122cb41799d374594f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 508, + "comment" : "special case for BB in multiplication by 9", + "public" : "d9089de902e143dcd9107e5a3393a3f7fe05d926c357b47e307a236cb590fd64", + "private" : "8089784c52cd67e4536e568218c7b7033b28413f942fca24ed69e43496efa14b", + "shared" : "db6fec44bf118316a6bdfbae9af447baede4d82daa16bed596ea6f05d4a51400", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 509, + "comment" : "special case for BB in multiplication by 9", + "public" : "8c4a26aa319c2cc4a4158c2bc69a0d5b340b60628a14cf31bb0ae5ddc38ae866", + "private" : "00e73e4e013148b9f05273bad626bb126a40ec4558f5425096b48947e0a9de4a", + "shared" : "ecc1204bc753c4cec4c9059fd7b504944ebf995ab1b1d49f0b3b325353be3a15", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 510, + "comment" : "special case for BB in multiplication by 9", + "public" : 
"ce7295d1227c9062aab9cf02fc5671fb81632e725367f131d4122824a6132d68", + "private" : "78ed4c9bf9f44db8d93388985191ecf59226b9c1205fe7e762c327581c75884e", + "shared" : "3740de297ff0122067951e8985247123440e0f27171da99e263d5b4450f59f3d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 511, + "comment" : "private key == -1 (mod order)", + "public" : "6c05871352a451dbe182ed5e6ba554f2034456ffe041a054ff9cc56b8e946376", + "private" : "a023cdd083ef5bb82f10d62e59e15a6800000000000000000000000000000050", + "shared" : "6c05871352a451dbe182ed5e6ba554f2034456ffe041a054ff9cc56b8e946376", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 512, + "comment" : "private key == 1 (mod order) on twist", + "public" : "2eae5ec3dd494e9f2d37d258f873a8e6e9d0dbd1e383ef64d98bb91b3e0be035", + "private" : "58083dd261ad91eff952322ec824c682ffffffffffffffffffffffffffffff5f", + "shared" : "2eae5ec3dd494e9f2d37d258f873a8e6e9d0dbd1e383ef64d98bb91b3e0be035", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 513, + "comment" : "special case private key", + "public" : "3e3e7708ef72a6dd78d858025089765b1c30a19715ac19e8d917067d208e0666", + "private" : "4855555555555555555555555555555555555555555555555555555555555555", + "shared" : "63ef7d1c586476ec78bb7f747e321e01102166bf967a9ea9ba9741f49d439510", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 514, + "comment" : "special case private key", + "public" : "9f40bb30f68ab67b1c4b8b664982fdab04ff385cd850deac732f7fb705e6013a", + "private" : "4855555555555555555555555555555555555555555555555555555555555555", + "shared" : "8b98ef4d6bf30df7f88e58d51505d37ed6845a969fe598747c033dcd08014065", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 515, + "comment" : "special case private key", + "public" : "be3b3edeffaf83c54ae526379b23dd79f1cb41446e3687fef347eb9b5f0dc308", + "private" : "4855555555555555555555555555555555555555555555555555555555555555", + "shared" : 
"cfa83e098829fe82fd4c14355f70829015219942c01e2b85bdd9ac4889ec2921", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 516, + "comment" : "special case private key", + "public" : "3e3e7708ef72a6dd78d858025089765b1c30a19715ac19e8d917067d208e0666", + "private" : "b8aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa6a", + "shared" : "4782036d6b136ca44a2fd7674d8afb0169943230ac8eab5160a212376c06d778", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 517, + "comment" : "special case private key", + "public" : "9f40bb30f68ab67b1c4b8b664982fdab04ff385cd850deac732f7fb705e6013a", + "private" : "b8aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa6a", + "shared" : "65fc1e7453a3f8c7ebcd577ade4b8efe1035efc181ab3bdb2fcc7484cbcf1e4e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 518, + "comment" : "special case private key", + "public" : "be3b3edeffaf83c54ae526379b23dd79f1cb41446e3687fef347eb9b5f0dc308", + "private" : "b8aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa6a", + "shared" : "e3c649beae7cc4a0698d519a0a61932ee5493cbb590dbe14db0274cc8611f914", + "result" : "valid", + "flags" : [] + } + ] + } + ] +} diff --git a/src/EverCrypt_AEAD.c b/src/EverCrypt_AEAD.c new file mode 100644 index 00000000..bd5c04d7 --- /dev/null +++ b/src/EverCrypt_AEAD.c 
@@ -0,0 +1,2134 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_AEAD.h" + +#include "internal/Vale.h" +#include "internal/Hacl_Kremlib.h" + +typedef struct EverCrypt_AEAD_state_s_s +{ + Spec_Cipher_Expansion_impl impl; + uint8_t *ek; +} +EverCrypt_AEAD_state_s; + +bool EverCrypt_AEAD_uu___is_Ek(Spec_Agile_AEAD_alg a, EverCrypt_AEAD_state_s projectee) +{ + return true; +} + +Spec_Agile_AEAD_alg EverCrypt_AEAD_alg_of_state(EverCrypt_AEAD_state_s *s) +{ + EverCrypt_AEAD_state_s scrut = *s; + Spec_Cipher_Expansion_impl impl = scrut.impl; + switch (impl) + { + case Spec_Cipher_Expansion_Hacl_CHACHA20: + { + return Spec_Agile_AEAD_CHACHA20_POLY1305; + } + case Spec_Cipher_Expansion_Vale_AES128: + { + return Spec_Agile_AEAD_AES128_GCM; + } + case Spec_Cipher_Expansion_Vale_AES256: + { + return Spec_Agile_AEAD_AES256_GCM; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +static EverCrypt_Error_error_code +create_in_chacha20_poly1305(EverCrypt_AEAD_state_s **dst, uint8_t *k) +{ + uint8_t *ek = KRML_HOST_CALLOC((uint32_t)32U, sizeof (uint8_t)); + KRML_CHECK_SIZE(sizeof (EverCrypt_AEAD_state_s), (uint32_t)1U); + EverCrypt_AEAD_state_s *p = KRML_HOST_MALLOC(sizeof (EverCrypt_AEAD_state_s)); + p[0U] = ((EverCrypt_AEAD_state_s){ .impl = Spec_Cipher_Expansion_Hacl_CHACHA20, .ek = ek }); + memcpy(ek, k, (uint32_t)32U * sizeof (uint8_t)); + dst[0U] = p; + return EverCrypt_Error_Success; +} + +static EverCrypt_Error_error_code +create_in_aes128_gcm(EverCrypt_AEAD_state_s **dst, uint8_t *k) +{ + bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); + bool has_pclmulqdq = EverCrypt_AutoConfig2_has_pclmulqdq(); + bool has_avx = EverCrypt_AutoConfig2_has_avx(); + bool has_sse = EverCrypt_AutoConfig2_has_sse(); + bool has_movbe = EverCrypt_AutoConfig2_has_movbe(); + #if HACL_CAN_COMPILE_VALE + if (has_aesni && has_pclmulqdq && has_avx && has_sse && has_movbe) + { + uint8_t *ek = KRML_HOST_CALLOC((uint32_t)480U, sizeof (uint8_t)); + 
uint8_t *keys_b = ek; + uint8_t *hkeys_b = ek + (uint32_t)176U; + uint64_t scrut = aes128_key_expansion(k, keys_b); + uint64_t scrut0 = aes128_keyhash_init(keys_b, hkeys_b); + KRML_CHECK_SIZE(sizeof (EverCrypt_AEAD_state_s), (uint32_t)1U); + EverCrypt_AEAD_state_s *p = KRML_HOST_MALLOC(sizeof (EverCrypt_AEAD_state_s)); + p[0U] = ((EverCrypt_AEAD_state_s){ .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }); + *dst = p; + return EverCrypt_Error_Success; + } + #endif + return EverCrypt_Error_UnsupportedAlgorithm; +} + +static EverCrypt_Error_error_code +create_in_aes256_gcm(EverCrypt_AEAD_state_s **dst, uint8_t *k) +{ + bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); + bool has_pclmulqdq = EverCrypt_AutoConfig2_has_pclmulqdq(); + bool has_avx = EverCrypt_AutoConfig2_has_avx(); + bool has_sse = EverCrypt_AutoConfig2_has_sse(); + bool has_movbe = EverCrypt_AutoConfig2_has_movbe(); + #if HACL_CAN_COMPILE_VALE + if (has_aesni && has_pclmulqdq && has_avx && has_sse && has_movbe) + { + uint8_t *ek = KRML_HOST_CALLOC((uint32_t)544U, sizeof (uint8_t)); + uint8_t *keys_b = ek; + uint8_t *hkeys_b = ek + (uint32_t)240U; + uint64_t scrut = aes256_key_expansion(k, keys_b); + uint64_t scrut0 = aes256_keyhash_init(keys_b, hkeys_b); + KRML_CHECK_SIZE(sizeof (EverCrypt_AEAD_state_s), (uint32_t)1U); + EverCrypt_AEAD_state_s *p = KRML_HOST_MALLOC(sizeof (EverCrypt_AEAD_state_s)); + p[0U] = ((EverCrypt_AEAD_state_s){ .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }); + *dst = p; + return EverCrypt_Error_Success; + } + #endif + return EverCrypt_Error_UnsupportedAlgorithm; +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_create_in(Spec_Agile_AEAD_alg a, EverCrypt_AEAD_state_s **dst, uint8_t *k) +{ + switch (a) + { + case Spec_Agile_AEAD_AES128_GCM: + { + return create_in_aes128_gcm(dst, k); + } + case Spec_Agile_AEAD_AES256_GCM: + { + return create_in_aes256_gcm(dst, k); + } + case Spec_Agile_AEAD_CHACHA20_POLY1305: + { + return create_in_chacha20_poly1305(dst, k); + } + 
default: + { + return EverCrypt_Error_UnsupportedAlgorithm; + } + } +} + +static EverCrypt_Error_error_code +encrypt_aes128_gcm( + EverCrypt_AEAD_state_s *s, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +) +{ + #if HACL_CAN_COMPILE_VALE + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + if (iv_len == (uint32_t)0U) + { + return EverCrypt_Error_InvalidIVLength; + } + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek = scrut.ek; + uint8_t *scratch_b = ek + (uint32_t)304U; + uint8_t *ek1 = ek; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)176U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t plain_len_ = (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *plain_b_ = plain; + uint8_t *out_b_ = cipher; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + plain + plain_len_, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t len128x6 = (uint64_t)plain_len / (uint64_t)96U * (uint64_t)96U; + if (len128x6 / (uint64_t)16U >= (uint64_t)18U) + { + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = 
(uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut0 = + gcm128_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut0 = + gcm128_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + return EverCrypt_Error_Success; + #else + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "statically unreachable"); + KRML_HOST_EXIT(255U); + #endif +} + +static EverCrypt_Error_error_code +encrypt_aes256_gcm( + EverCrypt_AEAD_state_s *s, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +) +{ + #if HACL_CAN_COMPILE_VALE + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + if (iv_len == (uint32_t)0U) + { + return EverCrypt_Error_InvalidIVLength; + } + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek = scrut.ek; + uint8_t *scratch_b = ek + (uint32_t)368U; + uint8_t *ek1 = ek; + uint8_t *keys_b = ek1; + uint8_t 
*hkeys_b = ek1 + (uint32_t)240U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t plain_len_ = (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *plain_b_ = plain; + uint8_t *out_b_ = cipher; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + plain + plain_len_, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t len128x6 = (uint64_t)plain_len / (uint64_t)96U * (uint64_t)96U; + if (len128x6 / (uint64_t)16U >= (uint64_t)18U) + { + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut0 = + gcm256_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + len128x61; + 
uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut0 = + gcm256_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + return EverCrypt_Error_Success; + #else + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "statically unreachable"); + KRML_HOST_EXIT(255U); + #endif +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt( + EverCrypt_AEAD_state_s *s, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +) +{ + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + EverCrypt_AEAD_state_s scrut = *s; + Spec_Cipher_Expansion_impl i = scrut.impl; + uint8_t *ek = scrut.ek; + switch (i) + { + case Spec_Cipher_Expansion_Vale_AES128: + { + return encrypt_aes128_gcm(s, iv, iv_len, ad, ad_len, plain, plain_len, cipher, tag); + } + case Spec_Cipher_Expansion_Vale_AES256: + { + return encrypt_aes256_gcm(s, iv, iv_len, ad, ad_len, plain, plain_len, cipher, tag); + } + case Spec_Cipher_Expansion_Hacl_CHACHA20: + { + if (iv_len != (uint32_t)12U) + { + return EverCrypt_Error_InvalidIVLength; + } + EverCrypt_Chacha20Poly1305_aead_encrypt(ek, iv, ad_len, ad, plain_len, plain, cipher, tag); + return EverCrypt_Error_Success; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +/* +WARNING: this function doesn't perform any dynamic + hardware check. 
You MUST make sure your hardware supports the + implementation of AESGCM. Besides, this function was not designed + for cross-compilation: if you compile it on a system which doesn't + support Vale, it will compile it to a function which makes the + program exit. +*/ +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +) +{ + #if HACL_CAN_COMPILE_VALE + uint8_t ek[480U] = { 0U }; + uint8_t *keys_b0 = ek; + uint8_t *hkeys_b0 = ek + (uint32_t)176U; + uint64_t scrut0 = aes128_key_expansion(k, keys_b0); + uint64_t scrut1 = aes128_keyhash_init(keys_b0, hkeys_b0); + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }; + EverCrypt_AEAD_state_s *s = &p; + EverCrypt_Error_error_code r; + if (s == NULL) + { + r = EverCrypt_Error_InvalidKey; + } + else if (iv_len == (uint32_t)0U) + { + r = EverCrypt_Error_InvalidIVLength; + } + else + { + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek0 = scrut.ek; + uint8_t *scratch_b = ek0 + (uint32_t)304U; + uint8_t *ek1 = ek0; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)176U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t plain_len_ = (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *plain_b_ = plain; + uint8_t *out_b_ = cipher; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + plain + plain_len_, 
+ (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t len128x6 = (uint64_t)plain_len / (uint64_t)96U * (uint64_t)96U; + if (len128x6 / (uint64_t)16U >= (uint64_t)18U) + { + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut2 = + gcm128_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut2 = + gcm128_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + r = EverCrypt_Error_Success; + } + return EverCrypt_Error_Success; + #else + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "EverCrypt was 
compiled on a system which doesn\'t support Vale"); + KRML_HOST_EXIT(255U); + #endif +} + +/* +WARNING: this function doesn't perform any dynamic + hardware check. You MUST make sure your hardware supports the + implementation of AESGCM. Besides, this function was not designed + for cross-compilation: if you compile it on a system which doesn't + support Vale, it will compile it to a function which makes the + program exit. +*/ +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +) +{ + #if HACL_CAN_COMPILE_VALE + uint8_t ek[544U] = { 0U }; + uint8_t *keys_b0 = ek; + uint8_t *hkeys_b0 = ek + (uint32_t)240U; + uint64_t scrut0 = aes256_key_expansion(k, keys_b0); + uint64_t scrut1 = aes256_keyhash_init(keys_b0, hkeys_b0); + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }; + EverCrypt_AEAD_state_s *s = &p; + EverCrypt_Error_error_code r; + if (s == NULL) + { + r = EverCrypt_Error_InvalidKey; + } + else if (iv_len == (uint32_t)0U) + { + r = EverCrypt_Error_InvalidIVLength; + } + else + { + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek0 = scrut.ek; + uint8_t *scratch_b = ek0 + (uint32_t)368U; + uint8_t *ek1 = ek0; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)240U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t plain_len_ = (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = 
(uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *plain_b_ = plain; + uint8_t *out_b_ = cipher; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + plain + plain_len_, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t len128x6 = (uint64_t)plain_len / (uint64_t)96U * (uint64_t)96U; + if (len128x6 / (uint64_t)16U >= (uint64_t)18U) + { + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut2 = + gcm256_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut2 = + gcm256_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof 
(uint8_t)); + r = EverCrypt_Error_Success; + } + return EverCrypt_Error_Success; + #else + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "EverCrypt was compiled on a system which doesn\'t support Vale"); + KRML_HOST_EXIT(255U); + #endif +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt_expand_aes128_gcm( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +) +{ + bool has_pclmulqdq = EverCrypt_AutoConfig2_has_pclmulqdq(); + bool has_avx = EverCrypt_AutoConfig2_has_avx(); + bool has_sse = EverCrypt_AutoConfig2_has_sse(); + bool has_movbe = EverCrypt_AutoConfig2_has_movbe(); + bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); + #if HACL_CAN_COMPILE_VALE + if (has_aesni && has_pclmulqdq && has_avx && has_sse && has_movbe) + { + uint8_t ek[480U] = { 0U }; + uint8_t *keys_b0 = ek; + uint8_t *hkeys_b0 = ek + (uint32_t)176U; + uint64_t scrut0 = aes128_key_expansion(k, keys_b0); + uint64_t scrut1 = aes128_keyhash_init(keys_b0, hkeys_b0); + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }; + EverCrypt_AEAD_state_s *s = &p; + EverCrypt_Error_error_code r; + if (s == NULL) + { + r = EverCrypt_Error_InvalidKey; + } + else if (iv_len == (uint32_t)0U) + { + r = EverCrypt_Error_InvalidIVLength; + } + else + { + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek0 = scrut.ek; + uint8_t *scratch_b = ek0 + (uint32_t)304U; + uint8_t *ek1 = ek0; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)176U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + 
uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t plain_len_ = (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *plain_b_ = plain; + uint8_t *out_b_ = cipher; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + plain + plain_len_, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t len128x6 = (uint64_t)plain_len / (uint64_t)96U * (uint64_t)96U; + if (len128x6 / (uint64_t)16U >= (uint64_t)18U) + { + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut2 = + gcm128_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut2 = + gcm128_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + 
tag); + } + memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + r = EverCrypt_Error_Success; + } + return EverCrypt_Error_Success; + } + #endif + return EverCrypt_Error_UnsupportedAlgorithm; +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt_expand_aes256_gcm( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +) +{ + bool has_pclmulqdq = EverCrypt_AutoConfig2_has_pclmulqdq(); + bool has_avx = EverCrypt_AutoConfig2_has_avx(); + bool has_sse = EverCrypt_AutoConfig2_has_sse(); + bool has_movbe = EverCrypt_AutoConfig2_has_movbe(); + bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); + #if HACL_CAN_COMPILE_VALE + if (has_aesni && has_pclmulqdq && has_avx && has_sse && has_movbe) + { + uint8_t ek[544U] = { 0U }; + uint8_t *keys_b0 = ek; + uint8_t *hkeys_b0 = ek + (uint32_t)240U; + uint64_t scrut0 = aes256_key_expansion(k, keys_b0); + uint64_t scrut1 = aes256_keyhash_init(keys_b0, hkeys_b0); + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }; + EverCrypt_AEAD_state_s *s = &p; + EverCrypt_Error_error_code r; + if (s == NULL) + { + r = EverCrypt_Error_InvalidKey; + } + else if (iv_len == (uint32_t)0U) + { + r = EverCrypt_Error_InvalidIVLength; + } + else + { + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek0 = scrut.ek; + uint8_t *scratch_b = ek0 + (uint32_t)368U; + uint8_t *ek1 = ek0; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)240U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = 
scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t plain_len_ = (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *plain_b_ = plain; + uint8_t *out_b_ = cipher; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + plain + plain_len_, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t len128x6 = (uint64_t)plain_len / (uint64_t)96U * (uint64_t)96U; + if (len128x6 / (uint64_t)16U >= (uint64_t)18U) + { + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut2 = + gcm256_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut2 = + gcm256_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + 
(uint64_t)plain_len, + scratch_b1, + tag); + } + memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + r = EverCrypt_Error_Success; + } + return EverCrypt_Error_Success; + } + #endif + return EverCrypt_Error_UnsupportedAlgorithm; +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt_expand_chacha20_poly1305( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +) +{ + uint8_t ek[32U] = { 0U }; + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Hacl_CHACHA20, .ek = ek }; + memcpy(ek, k, (uint32_t)32U * sizeof (uint8_t)); + EverCrypt_AEAD_state_s *s = &p; + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek0 = scrut.ek; + EverCrypt_Chacha20Poly1305_aead_encrypt(ek0, iv, ad_len, ad, plain_len, plain, cipher, tag); + return EverCrypt_Error_Success; +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt_expand( + Spec_Agile_AEAD_alg a, + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +) +{ + switch (a) + { + case Spec_Agile_AEAD_AES128_GCM: + { + return + EverCrypt_AEAD_encrypt_expand_aes128_gcm(k, + iv, + iv_len, + ad, + ad_len, + plain, + plain_len, + cipher, + tag); + } + case Spec_Agile_AEAD_AES256_GCM: + { + return + EverCrypt_AEAD_encrypt_expand_aes256_gcm(k, + iv, + iv_len, + ad, + ad_len, + plain, + plain_len, + cipher, + tag); + } + case Spec_Agile_AEAD_CHACHA20_POLY1305: + { + return + EverCrypt_AEAD_encrypt_expand_chacha20_poly1305(k, + iv, + iv_len, + ad, + ad_len, + plain, + plain_len, + cipher, + tag); + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +static EverCrypt_Error_error_code +decrypt_aes128_gcm( + EverCrypt_AEAD_state_s *s, + uint8_t 
*iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + #if HACL_CAN_COMPILE_VALE + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + if (iv_len == (uint32_t)0U) + { + return EverCrypt_Error_InvalidIVLength; + } + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek = scrut.ek; + uint8_t *scratch_b = ek + (uint32_t)304U; + uint8_t *ek1 = ek; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)176U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t cipher_len_ = (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *cipher_b_ = cipher; + uint8_t *out_b_ = dst; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + cipher + cipher_len_, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t len128x6 = (uint64_t)cipher_len / (uint64_t)96U * (uint64_t)96U; + uint64_t c; + if (len128x6 / (uint64_t)16U >= (uint64_t)6U) + { + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + 
scrut0 = + gcm128_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut0; + c = c0; + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut0 = + gcm128_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut0; + c = c0; + } + memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t r = c; + if (r == (uint64_t)0U) + { + return EverCrypt_Error_Success; + } + return EverCrypt_Error_AuthenticationFailure; + #else + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "statically unreachable"); + KRML_HOST_EXIT(255U); + #endif +} + +static EverCrypt_Error_error_code +decrypt_aes256_gcm( + EverCrypt_AEAD_state_s *s, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + #if HACL_CAN_COMPILE_VALE + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + if (iv_len == (uint32_t)0U) + { + return EverCrypt_Error_InvalidIVLength; + } + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek = scrut.ek; + uint8_t *scratch_b = ek + (uint32_t)368U; + uint8_t *ek1 = ek; + uint8_t 
*keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)240U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t cipher_len_ = (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *cipher_b_ = cipher; + uint8_t *out_b_ = dst; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + cipher + cipher_len_, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t len128x6 = (uint64_t)cipher_len / (uint64_t)96U * (uint64_t)96U; + uint64_t c; + if (len128x6 / (uint64_t)16U >= (uint64_t)6U) + { + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut0 = + gcm256_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut0; + c = c0; + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = cipher_b_; 
+ uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut0 = + gcm256_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut0; + c = c0; + } + memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t r = c; + if (r == (uint64_t)0U) + { + return EverCrypt_Error_Success; + } + return EverCrypt_Error_AuthenticationFailure; + #else + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "statically unreachable"); + KRML_HOST_EXIT(255U); + #endif +} + +static EverCrypt_Error_error_code +decrypt_chacha20_poly1305( + EverCrypt_AEAD_state_s *s, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + if (iv_len != (uint32_t)12U) + { + return EverCrypt_Error_InvalidIVLength; + } + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek = scrut.ek; + uint32_t + r = EverCrypt_Chacha20Poly1305_aead_decrypt(ek, iv, ad_len, ad, cipher_len, dst, cipher, tag); + if (r == (uint32_t)0U) + { + return EverCrypt_Error_Success; + } + return EverCrypt_Error_AuthenticationFailure; +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_decrypt( + EverCrypt_AEAD_state_s *s, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + EverCrypt_AEAD_state_s 
scrut = *s; + Spec_Cipher_Expansion_impl i = scrut.impl; + switch (i) + { + case Spec_Cipher_Expansion_Vale_AES128: + { + return decrypt_aes128_gcm(s, iv, iv_len, ad, ad_len, cipher, cipher_len, tag, dst); + } + case Spec_Cipher_Expansion_Vale_AES256: + { + return decrypt_aes256_gcm(s, iv, iv_len, ad, ad_len, cipher, cipher_len, tag, dst); + } + case Spec_Cipher_Expansion_Hacl_CHACHA20: + { + return decrypt_chacha20_poly1305(s, iv, iv_len, ad, ad_len, cipher, cipher_len, tag, dst); + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +/* +WARNING: this function doesn't perform any dynamic + hardware check. You MUST make sure your hardware supports the + implementation of AESGCM. Besides, this function was not designed + for cross-compilation: if you compile it on a system which doesn't + support Vale, it will compile it to a function which makes the + program exit. +*/ +EverCrypt_Error_error_code +EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + #if HACL_CAN_COMPILE_VALE + uint8_t ek[480U] = { 0U }; + uint8_t *keys_b0 = ek; + uint8_t *hkeys_b0 = ek + (uint32_t)176U; + uint64_t scrut = aes128_key_expansion(k, keys_b0); + uint64_t scrut0 = aes128_keyhash_init(keys_b0, hkeys_b0); + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }; + EverCrypt_AEAD_state_s *s = &p; + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + if (iv_len == (uint32_t)0U) + { + return EverCrypt_Error_InvalidIVLength; + } + EverCrypt_AEAD_state_s scrut1 = *s; + uint8_t *ek0 = scrut1.ek; + uint8_t *scratch_b = ek0 + (uint32_t)304U; + uint8_t *ek1 = ek0; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)176U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t 
bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t cipher_len_ = (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *cipher_b_ = cipher; + uint8_t *out_b_ = dst; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + cipher + cipher_len_, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t len128x6 = (uint64_t)cipher_len / (uint64_t)96U * (uint64_t)96U; + uint64_t c; + if (len128x6 / (uint64_t)16U >= (uint64_t)6U) + { + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut2 = + gcm128_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut2; + c = c0; + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = 
(uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut2 = + gcm128_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut2; + c = c0; + } + memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t r = c; + if (r == (uint64_t)0U) + { + return EverCrypt_Error_Success; + } + return EverCrypt_Error_AuthenticationFailure; + #else + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "EverCrypt was compiled on a system which doesn\'t support Vale"); + KRML_HOST_EXIT(255U); + #endif +} + +/* +WARNING: this function doesn't perform any dynamic + hardware check. You MUST make sure your hardware supports the + implementation of AESGCM. Besides, this function was not designed + for cross-compilation: if you compile it on a system which doesn't + support Vale, it will compile it to a function which makes the + program exit. 
+*/ +EverCrypt_Error_error_code +EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + #if HACL_CAN_COMPILE_VALE + uint8_t ek[544U] = { 0U }; + uint8_t *keys_b0 = ek; + uint8_t *hkeys_b0 = ek + (uint32_t)240U; + uint64_t scrut = aes256_key_expansion(k, keys_b0); + uint64_t scrut0 = aes256_keyhash_init(keys_b0, hkeys_b0); + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }; + EverCrypt_AEAD_state_s *s = &p; + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + if (iv_len == (uint32_t)0U) + { + return EverCrypt_Error_InvalidIVLength; + } + EverCrypt_AEAD_state_s scrut1 = *s; + uint8_t *ek0 = scrut1.ek; + uint8_t *scratch_b = ek0 + (uint32_t)368U; + uint8_t *ek1 = ek0; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)240U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t cipher_len_ = (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *cipher_b_ = cipher; + uint8_t *out_b_ = dst; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + cipher + cipher_len_, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t len128x6 = (uint64_t)cipher_len / (uint64_t)96U * (uint64_t)96U; + uint64_t c; + if (len128x6 / (uint64_t)16U >= 
(uint64_t)6U) + { + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut2 = + gcm256_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut2; + c = c0; + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut2 = + gcm256_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut2; + c = c0; + } + memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t r = c; + if (r == (uint64_t)0U) + { + return EverCrypt_Error_Success; + } + return EverCrypt_Error_AuthenticationFailure; + #else + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "EverCrypt was compiled on a system which doesn\'t support Vale"); + KRML_HOST_EXIT(255U); + #endif +} + +EverCrypt_Error_error_code 
+EverCrypt_AEAD_decrypt_expand_aes128_gcm( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + bool has_pclmulqdq = EverCrypt_AutoConfig2_has_pclmulqdq(); + bool has_avx = EverCrypt_AutoConfig2_has_avx(); + bool has_sse = EverCrypt_AutoConfig2_has_sse(); + bool has_movbe = EverCrypt_AutoConfig2_has_movbe(); + bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); + #if HACL_CAN_COMPILE_VALE + if (has_aesni && has_pclmulqdq && has_avx && has_sse && has_movbe) + { + uint8_t ek[480U] = { 0U }; + uint8_t *keys_b0 = ek; + uint8_t *hkeys_b0 = ek + (uint32_t)176U; + uint64_t scrut = aes128_key_expansion(k, keys_b0); + uint64_t scrut0 = aes128_keyhash_init(keys_b0, hkeys_b0); + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }; + EverCrypt_AEAD_state_s *s = &p; + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + else if (iv_len == (uint32_t)0U) + { + return EverCrypt_Error_InvalidIVLength; + } + else + { + EverCrypt_AEAD_state_s scrut1 = *s; + uint8_t *ek0 = scrut1.ek; + uint8_t *scratch_b = ek0 + (uint32_t)304U; + uint8_t *ek1 = ek0; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)176U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t cipher_len_ = (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *cipher_b_ = cipher; + uint8_t *out_b_ = dst; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + cipher 
+ cipher_len_, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t len128x6 = (uint64_t)cipher_len / (uint64_t)96U * (uint64_t)96U; + uint64_t c; + if (len128x6 / (uint64_t)16U >= (uint64_t)6U) + { + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut2 = + gcm128_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut2; + c = c0; + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut2 = + gcm128_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut2; + c = c0; + } + memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t r = c; + if (r == (uint64_t)0U) + { + return 
EverCrypt_Error_Success; + } + else + { + return EverCrypt_Error_AuthenticationFailure; + } + } + } + #endif + return EverCrypt_Error_UnsupportedAlgorithm; +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_decrypt_expand_aes256_gcm( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + bool has_pclmulqdq = EverCrypt_AutoConfig2_has_pclmulqdq(); + bool has_avx = EverCrypt_AutoConfig2_has_avx(); + bool has_sse = EverCrypt_AutoConfig2_has_sse(); + bool has_movbe = EverCrypt_AutoConfig2_has_movbe(); + bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); + #if HACL_CAN_COMPILE_VALE + if (has_aesni && has_pclmulqdq && has_avx && has_sse && has_movbe) + { + uint8_t ek[544U] = { 0U }; + uint8_t *keys_b0 = ek; + uint8_t *hkeys_b0 = ek + (uint32_t)240U; + uint64_t scrut = aes256_key_expansion(k, keys_b0); + uint64_t scrut0 = aes256_keyhash_init(keys_b0, hkeys_b0); + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }; + EverCrypt_AEAD_state_s *s = &p; + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + else if (iv_len == (uint32_t)0U) + { + return EverCrypt_Error_InvalidIVLength; + } + else + { + EverCrypt_AEAD_state_s scrut1 = *s; + uint8_t *ek0 = scrut1.ek; + uint8_t *scratch_b = ek0 + (uint32_t)368U; + uint8_t *ek1 = ek0; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)240U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t cipher_len_ = (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U; + 
uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *cipher_b_ = cipher; + uint8_t *out_b_ = dst; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + cipher + cipher_len_, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t len128x6 = (uint64_t)cipher_len / (uint64_t)96U * (uint64_t)96U; + uint64_t c; + if (len128x6 / (uint64_t)16U >= (uint64_t)6U) + { + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut2 = + gcm256_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut2; + c = c0; + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut2 = + gcm256_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut2; + c = c0; + } + memcpy(dst + 
(uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t r = c; + if (r == (uint64_t)0U) + { + return EverCrypt_Error_Success; + } + else + { + return EverCrypt_Error_AuthenticationFailure; + } + } + } + #endif + return EverCrypt_Error_UnsupportedAlgorithm; +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_decrypt_expand_chacha20_poly1305( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + uint8_t ek[32U] = { 0U }; + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Hacl_CHACHA20, .ek = ek }; + memcpy(ek, k, (uint32_t)32U * sizeof (uint8_t)); + EverCrypt_AEAD_state_s *s = &p; + EverCrypt_Error_error_code + r = decrypt_chacha20_poly1305(s, iv, iv_len, ad, ad_len, cipher, cipher_len, tag, dst); + return r; +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_decrypt_expand( + Spec_Agile_AEAD_alg a, + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + switch (a) + { + case Spec_Agile_AEAD_AES128_GCM: + { + return + EverCrypt_AEAD_decrypt_expand_aes128_gcm(k, + iv, + iv_len, + ad, + ad_len, + cipher, + cipher_len, + tag, + dst); + } + case Spec_Agile_AEAD_AES256_GCM: + { + return + EverCrypt_AEAD_decrypt_expand_aes256_gcm(k, + iv, + iv_len, + ad, + ad_len, + cipher, + cipher_len, + tag, + dst); + } + case Spec_Agile_AEAD_CHACHA20_POLY1305: + { + return + EverCrypt_AEAD_decrypt_expand_chacha20_poly1305(k, + iv, + iv_len, + ad, + ad_len, + cipher, + cipher_len, + tag, + dst); + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +void EverCrypt_AEAD_free(EverCrypt_AEAD_state_s *s) +{ + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek = scrut.ek; + KRML_HOST_FREE(ek); + 
KRML_HOST_FREE(s);
+}
+
diff --git a/src/EverCrypt_AutoConfig2.c b/src/EverCrypt_AutoConfig2.c
new file mode 100644
index 00000000..d64ceb6f
--- /dev/null
+++ b/src/EverCrypt_AutoConfig2.c
@@ -0,0 +1,314 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#include "EverCrypt_AutoConfig2.h"
+
+#include "internal/Vale.h"
+
+static bool cpu_has_shaext[1U] = { false };
+
+static bool cpu_has_aesni[1U] = { false };
+
+static bool cpu_has_pclmulqdq[1U] = { false };
+
+static bool cpu_has_avx2[1U] = { false };
+
+static bool cpu_has_avx[1U] = { false };
+
+static bool cpu_has_bmi2[1U] = { false };
+
+static bool cpu_has_adx[1U] = { false };
+
+static bool cpu_has_sse[1U] = { false };
+
+static bool cpu_has_movbe[1U] = { false };
+
+static bool cpu_has_rdrand[1U] = { false };
+
+static bool cpu_has_avx512[1U] = { false };
+
+static bool user_wants_hacl[1U] = { true };
+
+static bool user_wants_vale[1U] = { true };
+
+static bool user_wants_openssl[1U] = { true };
+
+static bool user_wants_bcrypt[1U] = { false };
+
+bool EverCrypt_AutoConfig2_has_shaext()
+{
+ return cpu_has_shaext[0U];
+}
+
+bool EverCrypt_AutoConfig2_has_aesni()
+{
+ return cpu_has_aesni[0U];
+}
+
+bool EverCrypt_AutoConfig2_has_pclmulqdq()
+{
+ return cpu_has_pclmulqdq[0U];
+}
+
+bool EverCrypt_AutoConfig2_has_avx2()
+{
+ return cpu_has_avx2[0U];
+}
+
+bool EverCrypt_AutoConfig2_has_avx()
+{
+ return cpu_has_avx[0U];
+}
+
+bool EverCrypt_AutoConfig2_has_bmi2()
+{
+ return cpu_has_bmi2[0U];
+}
+
+bool EverCrypt_AutoConfig2_has_adx()
+{
+ return cpu_has_adx[0U];
+}
+
+bool EverCrypt_AutoConfig2_has_sse()
+{
+ return cpu_has_sse[0U];
+}
+
+bool EverCrypt_AutoConfig2_has_movbe()
+{
+ return cpu_has_movbe[0U];
+}
+
+bool EverCrypt_AutoConfig2_has_rdrand()
+{
+ return cpu_has_rdrand[0U];
+}
+
+bool EverCrypt_AutoConfig2_has_avx512()
+{
+ return cpu_has_avx512[0U];
+}
+
+KRML_DEPRECATED("")
+
+bool EverCrypt_AutoConfig2_wants_vale()
+{
+ return user_wants_vale[0U];
+}
+
+bool EverCrypt_AutoConfig2_wants_hacl()
+{
+ return user_wants_hacl[0U];
+}
+
+bool EverCrypt_AutoConfig2_wants_openssl()
+{
+ return user_wants_openssl[0U];
+}
+
+bool EverCrypt_AutoConfig2_wants_bcrypt()
+{
+ return user_wants_bcrypt[0U];
+}
+
+void EverCrypt_AutoConfig2_recall()
+{
+
+}
+
+void EverCrypt_AutoConfig2_init()
+{
+ #if HACL_CAN_COMPILE_VALE
+ uint64_t scrut = check_aesni();
+ if (scrut != (uint64_t)0U)
+ {
+ cpu_has_aesni[0U] = true;
+ cpu_has_pclmulqdq[0U] = true;
+ }
+ uint64_t scrut0 = check_sha();
+ if (scrut0 != (uint64_t)0U)
+ {
+ cpu_has_shaext[0U] = true;
+ }
+ uint64_t scrut1 = check_adx_bmi2();
+ if (scrut1 != (uint64_t)0U)
+ {
+ cpu_has_bmi2[0U] = true;
+ cpu_has_adx[0U] = true;
+ }
+ uint64_t scrut2 = check_avx();
+ if (scrut2 != (uint64_t)0U)
+ {
+ uint64_t scrut3 = check_osxsave();
+ if (scrut3 != (uint64_t)0U)
+ {
+ uint64_t scrut4 = check_avx_xcr0();
+ if (scrut4 != (uint64_t)0U)
+ {
+ cpu_has_avx[0U] = true;
+ }
+ }
+ }
+ uint64_t scrut3 = check_avx2();
+ if (scrut3 != (uint64_t)0U)
+ {
+ uint64_t scrut4 = check_osxsave();
+ if (scrut4 != (uint64_t)0U)
+ {
+ uint64_t scrut5 = check_avx_xcr0();
+ if (scrut5 != (uint64_t)0U)
+ {
+ cpu_has_avx2[0U] = true;
+ }
+ }
+ }
+ uint64_t scrut4 = check_sse();
+ if (scrut4 != (uint64_t)0U)
+ {
+ cpu_has_sse[0U] = true;
+ }
+ uint64_t scrut5 = check_movbe();
+ if (scrut5 != (uint64_t)0U)
+ {
+ cpu_has_movbe[0U] = true;
+ }
+ uint64_t scrut6 = check_rdrand();
+ if (scrut6 != (uint64_t)0U)
+ {
+ cpu_has_rdrand[0U] = true;
+ }
+ uint64_t scrut7 = check_avx512();
+ if (scrut7 != (uint64_t)0U)
+ {
+ uint64_t scrut8 = check_osxsave();
+ if (scrut8 != (uint64_t)0U)
+ {
+ uint64_t scrut9 = check_avx_xcr0();
+ if (scrut9 != (uint64_t)0U)
+ {
+ uint64_t scrut10 = check_avx512_xcr0();
+ if (scrut10 != (uint64_t)0U)
+ {
+ cpu_has_avx512[0U] = true;
+ }
+ }
+ }
+ }
+ #endif
+ user_wants_hacl[0U] = true;
+ user_wants_vale[0U] = true;
+ user_wants_bcrypt[0U] = false;
+ user_wants_openssl[0U] = true;
+}
+
+void EverCrypt_AutoConfig2_disable_avx2()
+{
+ cpu_has_avx2[0U] = false;
+}
+
+void EverCrypt_AutoConfig2_disable_avx()
+{
+ cpu_has_avx[0U] = false;
+}
+
+void EverCrypt_AutoConfig2_disable_bmi2()
+{
+ cpu_has_bmi2[0U] = false;
+}
+
+void EverCrypt_AutoConfig2_disable_adx()
+{
+ 
cpu_has_adx[0U] = false;
+}
+
+void EverCrypt_AutoConfig2_disable_shaext()
+{
+ cpu_has_shaext[0U] = false;
+}
+
+void EverCrypt_AutoConfig2_disable_aesni()
+{
+ cpu_has_aesni[0U] = false;
+}
+
+void EverCrypt_AutoConfig2_disable_pclmulqdq()
+{
+ cpu_has_pclmulqdq[0U] = false;
+}
+
+void EverCrypt_AutoConfig2_disable_sse()
+{
+ cpu_has_sse[0U] = false;
+}
+
+void EverCrypt_AutoConfig2_disable_movbe()
+{
+ cpu_has_movbe[0U] = false;
+}
+
+void EverCrypt_AutoConfig2_disable_rdrand()
+{
+ cpu_has_rdrand[0U] = false;
+}
+
+void EverCrypt_AutoConfig2_disable_avx512()
+{
+ cpu_has_avx512[0U] = false;
+}
+
+void EverCrypt_AutoConfig2_disable_vale()
+{
+ user_wants_vale[0U] = false;
+}
+
+void EverCrypt_AutoConfig2_disable_hacl()
+{
+ user_wants_hacl[0U] = false;
+}
+
+void EverCrypt_AutoConfig2_disable_openssl()
+{
+ user_wants_openssl[0U] = false;
+}
+
+void EverCrypt_AutoConfig2_disable_bcrypt()
+{
+ user_wants_bcrypt[0U] = false;
+}
+
+bool EverCrypt_AutoConfig2_has_vec128()
+{
+ bool avx = EverCrypt_AutoConfig2_has_avx();
+ bool other = has_vec128_not_avx();
+ return avx || other;
+}
+
+bool EverCrypt_AutoConfig2_has_vec256()
+{
+ bool avx2 = EverCrypt_AutoConfig2_has_avx2();
+ bool other = has_vec256_not_avx2();
+ return avx2 || other;
+}
+
diff --git a/src/EverCrypt_CTR.c b/src/EverCrypt_CTR.c
new file mode 100644
index 00000000..eac92464
--- /dev/null
+++ b/src/EverCrypt_CTR.c
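Review bot: In `EverCrypt_AutoConfig2_init`, `cpu_has_pclmulqdq` is set from the same `check_aesni()` result as `cpu_has_aesni`, and `cpu_has_adx` from the same `check_adx_bmi2()` result as `cpu_has_bmi2`, so each pair of flags is only as independent as the Vale probe behind it; a comment at the first site such as `/* check_aesni() is relied on to cover both the AES-NI and PCLMULQDQ CPUID bits — confirm against internal/Vale.h */` would keep a later reader from assuming a separate PCLMULQDQ probe. The flags are plain `static bool` arrays written by `init` and the `disable_*` functions and read with no synchronization by the `has_*` accessors that gate the AES-GCM dispatch in the preceding `EverCrypt_AEAD_*` hunk, so running `init` concurrently with an encrypt or decrypt call on another thread is a data race; the file should state that `init` must complete before any other thread consults the flags. On the safe side, every `cpu_has_*` entry starts `false` and the whole detection block is under `#if HACL_CAN_COMPILE_VALE`, so a program that never calls `init`, or is built without Vale, takes the `EverCrypt_Error_UnsupportedAlgorithm` path instead of reaching Vale code on unsupported hardware; that fail-closed default deserves a one-line comment on the declarations. Since the `KreMLin` markers show this is generated C, such comments belong in the F* source that produces the file rather than in the checked-in output.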
@@ -0,0 +1,383 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_CTR.h" + +#include "internal/Vale.h" +#include "internal/Hacl_Spec.h" +#include "internal/Hacl_Chacha20.h" + +typedef struct EverCrypt_CTR_state_s_s +{ + Spec_Cipher_Expansion_impl i; + uint8_t *iv; + uint32_t iv_len; + uint8_t *xkey; + uint32_t ctr; +} +EverCrypt_CTR_state_s; + +bool +EverCrypt_CTR_uu___is_State(Spec_Agile_Cipher_cipher_alg a, EverCrypt_CTR_state_s projectee) +{ + return true; +} + +uint8_t EverCrypt_CTR_xor8(uint8_t a, uint8_t b) +{ + return a ^ b; +} + +Spec_Agile_Cipher_cipher_alg EverCrypt_CTR_alg_of_state(EverCrypt_CTR_state_s *s) +{ + EverCrypt_CTR_state_s scrut = *s; + Spec_Cipher_Expansion_impl i = scrut.i; + return Spec_Cipher_Expansion_cipher_alg_of_impl(i); +} + +static Spec_Cipher_Expansion_impl vale_impl_of_alg(Spec_Agile_Cipher_cipher_alg a) +{ + switch (a) + { + case Spec_Agile_Cipher_AES128: + { + return Spec_Cipher_Expansion_Vale_AES128; + } + case Spec_Agile_Cipher_AES256: + { + return Spec_Cipher_Expansion_Vale_AES256; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +EverCrypt_Error_error_code +EverCrypt_CTR_create_in( + Spec_Agile_Cipher_cipher_alg a, + EverCrypt_CTR_state_s **dst, + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint32_t c +) +{ + switch (a) + { + case Spec_Agile_Cipher_AES128: + { + bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); + bool has_pclmulqdq = EverCrypt_AutoConfig2_has_pclmulqdq(); + bool has_avx = EverCrypt_AutoConfig2_has_avx(); + bool has_sse = EverCrypt_AutoConfig2_has_sse(); + if (iv_len < (uint32_t)12U) + { + return EverCrypt_Error_InvalidIVLength; + } + #if HACL_CAN_COMPILE_VALE + if (has_aesni && has_pclmulqdq && has_avx && has_sse) + { + uint8_t *ek = KRML_HOST_CALLOC((uint32_t)304U, sizeof (uint8_t)); + uint8_t *keys_b = ek; + uint8_t *hkeys_b = ek + (uint32_t)176U; + uint64_t scrut = aes128_key_expansion(k, keys_b); + uint64_t scrut0 = aes128_keyhash_init(keys_b, 
hkeys_b); + uint8_t *iv_ = KRML_HOST_CALLOC((uint32_t)16U, sizeof (uint8_t)); + memcpy(iv_, iv, iv_len * sizeof (uint8_t)); + KRML_CHECK_SIZE(sizeof (EverCrypt_CTR_state_s), (uint32_t)1U); + EverCrypt_CTR_state_s *p = KRML_HOST_MALLOC(sizeof (EverCrypt_CTR_state_s)); + p[0U] + = + ( + (EverCrypt_CTR_state_s){ + .i = vale_impl_of_alg(Spec_Cipher_Expansion_cipher_alg_of_impl(Spec_Cipher_Expansion_Vale_AES128)), + .iv = iv_, + .iv_len = iv_len, + .xkey = ek, + .ctr = c + } + ); + *dst = p; + return EverCrypt_Error_Success; + } + #endif + return EverCrypt_Error_UnsupportedAlgorithm; + } + case Spec_Agile_Cipher_AES256: + { + bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); + bool has_pclmulqdq = EverCrypt_AutoConfig2_has_pclmulqdq(); + bool has_avx = EverCrypt_AutoConfig2_has_avx(); + bool has_sse = EverCrypt_AutoConfig2_has_sse(); + if (iv_len < (uint32_t)12U) + { + return EverCrypt_Error_InvalidIVLength; + } + #if HACL_CAN_COMPILE_VALE + if (has_aesni && has_pclmulqdq && has_avx && has_sse) + { + uint8_t *ek = KRML_HOST_CALLOC((uint32_t)368U, sizeof (uint8_t)); + uint8_t *keys_b = ek; + uint8_t *hkeys_b = ek + (uint32_t)240U; + uint64_t scrut = aes256_key_expansion(k, keys_b); + uint64_t scrut0 = aes256_keyhash_init(keys_b, hkeys_b); + uint8_t *iv_ = KRML_HOST_CALLOC((uint32_t)16U, sizeof (uint8_t)); + memcpy(iv_, iv, iv_len * sizeof (uint8_t)); + KRML_CHECK_SIZE(sizeof (EverCrypt_CTR_state_s), (uint32_t)1U); + EverCrypt_CTR_state_s *p = KRML_HOST_MALLOC(sizeof (EverCrypt_CTR_state_s)); + p[0U] + = + ( + (EverCrypt_CTR_state_s){ + .i = vale_impl_of_alg(Spec_Cipher_Expansion_cipher_alg_of_impl(Spec_Cipher_Expansion_Vale_AES256)), + .iv = iv_, + .iv_len = iv_len, + .xkey = ek, + .ctr = c + } + ); + *dst = p; + return EverCrypt_Error_Success; + } + #endif + return EverCrypt_Error_UnsupportedAlgorithm; + } + case Spec_Agile_Cipher_CHACHA20: + { + uint8_t *ek = KRML_HOST_CALLOC((uint32_t)32U, sizeof (uint8_t)); + memcpy(ek, k, (uint32_t)32U * sizeof (uint8_t)); + 
KRML_CHECK_SIZE(sizeof (uint8_t), iv_len); + uint8_t *iv_ = KRML_HOST_CALLOC(iv_len, sizeof (uint8_t)); + memcpy(iv_, iv, iv_len * sizeof (uint8_t)); + KRML_CHECK_SIZE(sizeof (EverCrypt_CTR_state_s), (uint32_t)1U); + EverCrypt_CTR_state_s *p = KRML_HOST_MALLOC(sizeof (EverCrypt_CTR_state_s)); + p[0U] + = + ( + (EverCrypt_CTR_state_s){ + .i = Spec_Cipher_Expansion_Hacl_CHACHA20, + .iv = iv_, + .iv_len = (uint32_t)12U, + .xkey = ek, + .ctr = c + } + ); + *dst = p; + return EverCrypt_Error_Success; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +void +EverCrypt_CTR_init( + EverCrypt_CTR_state_s *p, + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint32_t c +) +{ + EverCrypt_CTR_state_s scrut0 = *p; + uint8_t *ek = scrut0.xkey; + uint8_t *iv_ = scrut0.iv; + Spec_Cipher_Expansion_impl i = scrut0.i; + memcpy(iv_, iv, iv_len * sizeof (uint8_t)); + switch (i) + { + case Spec_Cipher_Expansion_Vale_AES128: + { + #if HACL_CAN_COMPILE_VALE + uint8_t *keys_b = ek; + uint8_t *hkeys_b = ek + (uint32_t)176U; + uint64_t scrut = aes128_key_expansion(k, keys_b); + uint64_t scrut1 = aes128_keyhash_init(keys_b, hkeys_b); + #endif + break; + } + case Spec_Cipher_Expansion_Vale_AES256: + { + #if HACL_CAN_COMPILE_VALE + uint8_t *keys_b = ek; + uint8_t *hkeys_b = ek + (uint32_t)240U; + uint64_t scrut = aes256_key_expansion(k, keys_b); + uint64_t scrut1 = aes256_keyhash_init(keys_b, hkeys_b); + #endif + break; + } + case Spec_Cipher_Expansion_Hacl_CHACHA20: + { + memcpy(ek, k, (uint32_t)32U * sizeof (uint8_t)); + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + *p = ((EverCrypt_CTR_state_s){ .i = i, .iv = iv_, .iv_len = iv_len, .xkey = ek, .ctr = c }); +} + +void EverCrypt_CTR_update_block(EverCrypt_CTR_state_s *p, uint8_t *dst, uint8_t *src) +{ + EverCrypt_CTR_state_s scrut = *p; + Spec_Cipher_Expansion_impl i 
= scrut.i; + uint8_t *iv = scrut.iv; + uint8_t *ek = scrut.xkey; + uint32_t c0 = scrut.ctr; + switch (i) + { + case Spec_Cipher_Expansion_Vale_AES128: + { + #if HACL_CAN_COMPILE_VALE + EverCrypt_CTR_state_s scrut0 = *p; + uint32_t c01 = scrut0.ctr; + uint8_t *ek1 = scrut0.xkey; + uint32_t iv_len1 = scrut0.iv_len; + uint8_t *iv1 = scrut0.iv; + uint8_t ctr_block[16U] = { 0U }; + memcpy(ctr_block, iv1, iv_len1 * sizeof (uint8_t)); + FStar_UInt128_uint128 uu____0 = load128_be(ctr_block); + FStar_UInt128_uint128 + c = FStar_UInt128_add_mod(uu____0, FStar_UInt128_uint64_to_uint128((uint64_t)c01)); + store128_le(ctr_block, c); + uint8_t *uu____1 = ek1; + uint8_t inout_b[16U] = { 0U }; + uint32_t num_blocks = (uint32_t)(uint64_t)16U / (uint32_t)16U; + uint32_t num_bytes_ = num_blocks * (uint32_t)16U; + uint8_t *in_b_ = src; + uint8_t *out_b_ = dst; + memcpy(inout_b, + src + num_bytes_, + (uint32_t)(uint64_t)16U % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + scrut1 = + gctr128_bytes(in_b_, + (uint64_t)16U, + out_b_, + inout_b, + uu____1, + ctr_block, + (uint64_t)num_blocks); + memcpy(dst + num_bytes_, + inout_b, + (uint32_t)(uint64_t)16U % (uint32_t)16U * sizeof (uint8_t)); + uint32_t c1 = c01 + (uint32_t)1U; + *p + = + ( + (EverCrypt_CTR_state_s){ + .i = Spec_Cipher_Expansion_Vale_AES128, + .iv = iv1, + .iv_len = iv_len1, + .xkey = ek1, + .ctr = c1 + } + ); + #endif + break; + } + case Spec_Cipher_Expansion_Vale_AES256: + { + #if HACL_CAN_COMPILE_VALE + EverCrypt_CTR_state_s scrut0 = *p; + uint32_t c01 = scrut0.ctr; + uint8_t *ek1 = scrut0.xkey; + uint32_t iv_len1 = scrut0.iv_len; + uint8_t *iv1 = scrut0.iv; + uint8_t ctr_block[16U] = { 0U }; + memcpy(ctr_block, iv1, iv_len1 * sizeof (uint8_t)); + FStar_UInt128_uint128 uu____2 = load128_be(ctr_block); + FStar_UInt128_uint128 + c = FStar_UInt128_add_mod(uu____2, FStar_UInt128_uint64_to_uint128((uint64_t)c01)); + store128_le(ctr_block, c); + uint8_t *uu____3 = ek1; + uint8_t inout_b[16U] = { 0U }; + uint32_t num_blocks = 
(uint32_t)(uint64_t)16U / (uint32_t)16U; + uint32_t num_bytes_ = num_blocks * (uint32_t)16U; + uint8_t *in_b_ = src; + uint8_t *out_b_ = dst; + memcpy(inout_b, + src + num_bytes_, + (uint32_t)(uint64_t)16U % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + scrut1 = + gctr256_bytes(in_b_, + (uint64_t)16U, + out_b_, + inout_b, + uu____3, + ctr_block, + (uint64_t)num_blocks); + memcpy(dst + num_bytes_, + inout_b, + (uint32_t)(uint64_t)16U % (uint32_t)16U * sizeof (uint8_t)); + uint32_t c1 = c01 + (uint32_t)1U; + *p + = + ( + (EverCrypt_CTR_state_s){ + .i = Spec_Cipher_Expansion_Vale_AES256, + .iv = iv1, + .iv_len = iv_len1, + .xkey = ek1, + .ctr = c1 + } + ); + #endif + break; + } + case Spec_Cipher_Expansion_Hacl_CHACHA20: + { + uint32_t ctx[16U] = { 0U }; + Hacl_Impl_Chacha20_chacha20_init(ctx, ek, iv, (uint32_t)0U); + Hacl_Impl_Chacha20_chacha20_encrypt_block(ctx, dst, c0, src); + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +void EverCrypt_CTR_free(EverCrypt_CTR_state_s *p) +{ + EverCrypt_CTR_state_s scrut = *p; + uint8_t *iv = scrut.iv; + uint8_t *ek = scrut.xkey; + KRML_HOST_FREE(iv); + KRML_HOST_FREE(ek); + KRML_HOST_FREE(p); +} + diff --git a/src/EverCrypt_Chacha20Poly1305.c b/src/EverCrypt_Chacha20Poly1305.c new file mode 100644 index 00000000..a4116986 --- /dev/null +++ b/src/EverCrypt_Chacha20Poly1305.c 
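Review bot: `EverCrypt_CTR_create_in` and `EverCrypt_CTR_init` copy `iv_len` bytes into an IV buffer whose size is fixed at creation (a 16-byte calloc in the two AES cases, the original `iv_len` in the CHACHA20 case, which nevertheless records `.iv_len = (uint32_t)12U`), yet the only runtime validation is `if (iv_len < (uint32_t)12U)` in the AES cases; the upper bound and the ChaCha20 nonce size are presumably F* preconditions that a C caller cannot see. Since this is KaRaMeL-generated code, the place to state them is the prototype in `EverCrypt_CTR.h`, e.g. `/* Preconditions from the F* spec, not checked here: iv_len <= 16 for AES128/AES256, iv_len == 12 for CHACHA20, and the iv_len passed to EverCrypt_CTR_init must not exceed the one given to create_in. */`. Separately, `EverCrypt_CTR_free` hands `ek` (the expanded key schedule) and `iv` to `KRML_HOST_FREE` without clearing them; a plain `memset` before free can be elided by the compiler, so an `explicit_bzero`-style wipe would be needed if key material is not expected to linger in freed heap memory.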
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_Chacha20Poly1305.h" + + + +void +EverCrypt_Chacha20Poly1305_aead_encrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *tag +) +{ + bool avx2 = EverCrypt_AutoConfig2_has_avx2(); + bool avx = EverCrypt_AutoConfig2_has_avx(); + bool vec256 = EverCrypt_AutoConfig2_has_vec256(); + bool vec128 = EverCrypt_AutoConfig2_has_vec128(); + #if HACL_CAN_COMPILE_VEC256 + if (vec256) + { + Hacl_Chacha20Poly1305_256_aead_encrypt(k, n, aadlen, aad, mlen, m, cipher, tag); + return; + } + #endif + #if HACL_CAN_COMPILE_VEC128 + if (vec128) + { + Hacl_Chacha20Poly1305_128_aead_encrypt(k, n, aadlen, aad, mlen, m, cipher, tag); + return; + } + #endif + Hacl_Chacha20Poly1305_32_aead_encrypt(k, n, aadlen, aad, mlen, m, cipher, tag); +} + +uint32_t +EverCrypt_Chacha20Poly1305_aead_decrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *tag +) +{ + bool avx2 = EverCrypt_AutoConfig2_has_avx2(); + bool avx = EverCrypt_AutoConfig2_has_avx(); + bool vec256 = EverCrypt_AutoConfig2_has_vec256(); + bool vec128 = EverCrypt_AutoConfig2_has_vec128(); + #if HACL_CAN_COMPILE_VEC256 + if (vec256) + { + return Hacl_Chacha20Poly1305_256_aead_decrypt(k, n, aadlen, aad, mlen, m, cipher, tag); + } + #endif + #if HACL_CAN_COMPILE_VEC128 + if (vec128) + { + return Hacl_Chacha20Poly1305_128_aead_decrypt(k, n, aadlen, aad, mlen, m, cipher, tag); + } + #endif + return Hacl_Chacha20Poly1305_32_aead_decrypt(k, n, aadlen, aad, mlen, m, cipher, tag); +} + diff --git a/src/EverCrypt_Cipher.c b/src/EverCrypt_Cipher.c new file mode 100644 index 00000000..a8324c00 --- /dev/null +++ b/src/EverCrypt_Cipher.c 
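Review bot: In both `EverCrypt_Chacha20Poly1305_aead_encrypt` and `EverCrypt_Chacha20Poly1305_aead_decrypt` the locals `avx2` and `avx` are computed and never read; only `vec256` and `vec128` drive the dispatch, so those two lines trip `-Wunused-variable` and should either be dropped from the generator output or neutralised with `(void)avx2; (void)avx;`. The meaning of the `uint32_t` returned by `aead_decrypt` (which value indicates a tag mismatch) is stated nowhere in this file; since callers must branch on it to reject forged ciphertexts, a one-line comment on the prototype in the header giving the success value would help.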
@@ -0,0 +1,43 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "EverCrypt_Cipher.h" + +#include "internal/Hacl_Chacha20.h" + +void +EverCrypt_Cipher_chacha20( + uint32_t len, + uint8_t *dst, + uint8_t *src, + uint8_t *key, + uint8_t *iv, + uint32_t ctr +) +{ + uint32_t ctx[16U] = { 0U }; + Hacl_Impl_Chacha20_chacha20_init(ctx, key, iv, ctr); + Hacl_Impl_Chacha20_chacha20_update(ctx, len, dst, src); +} + diff --git a/src/EverCrypt_Curve25519.c b/src/EverCrypt_Curve25519.c new file mode 100644 index 00000000..71db562b --- /dev/null +++ b/src/EverCrypt_Curve25519.c 
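Review bot: `EverCrypt_Cipher_chacha20` takes `key` and `iv` as bare pointers with no length parameters, and the required sizes are stated nowhere in this file; they are fixed by `Hacl_Impl_Chacha20_chacha20_init`, whose contract is not visible here (presumably a 32-byte key and 12-byte nonce, matching the 32-byte key copy and `.iv_len = 12U` used for CHACHA20 in `EverCrypt_CTR.c` — confirm against the Hacl_Chacha20 header). The prototype would benefit from a comment such as `/* key and iv are fixed-size buffers; see Hacl_Impl_Chacha20_chacha20_init for the required lengths (not checked at runtime) */`. The 64-byte `ctx` holding the keyed state is a plain stack array left as-is on return; if this wrapper is meant as the public entry point, clearing it before returning with a wipe the compiler cannot elide is worth considering.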
@@ -0,0 +1,70 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_Curve25519.h" + + + +static inline bool has_adx_bmi2() +{ + bool has_bmi2 = EverCrypt_AutoConfig2_has_bmi2(); + bool has_adx = EverCrypt_AutoConfig2_has_adx(); + return has_bmi2 && has_adx; +} + +void EverCrypt_Curve25519_secret_to_public(uint8_t *pub, uint8_t *priv) +{ + #if HACL_CAN_COMPILE_VALE + if (has_adx_bmi2()) + { + Hacl_Curve25519_64_secret_to_public(pub, priv); + return; + } + #endif + Hacl_Curve25519_51_secret_to_public(pub, priv); +} + +void EverCrypt_Curve25519_scalarmult(uint8_t *shared, uint8_t *my_priv, uint8_t *their_pub) +{ + #if HACL_CAN_COMPILE_VALE + if (has_adx_bmi2()) + { + Hacl_Curve25519_64_scalarmult(shared, my_priv, their_pub); + return; + } + #endif + Hacl_Curve25519_51_scalarmult(shared, my_priv, their_pub); +} + +bool EverCrypt_Curve25519_ecdh(uint8_t *shared, uint8_t *my_priv, uint8_t *their_pub) +{ + #if HACL_CAN_COMPILE_VALE + if (has_adx_bmi2()) + { + return Hacl_Curve25519_64_ecdh(shared, my_priv, their_pub); + } + #endif + return Hacl_Curve25519_51_ecdh(shared, my_priv, their_pub); +} + diff --git a/src/EverCrypt_DRBG.c b/src/EverCrypt_DRBG.c new file mode 100644 index 00000000..a6aea73d --- /dev/null +++ b/src/EverCrypt_DRBG.c 
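Review bot: `static inline bool has_adx_bmi2()` is declared with empty parentheses, which in C11 is an old-style declaration with unspecified parameters rather than a zero-argument prototype; it should read `static inline bool has_adx_bmi2(void)` (the same `()` form appears on the `EverCrypt_AutoConfig2_*` definitions earlier in this patch). The `bool` returned by `EverCrypt_Curve25519_ecdh` is passed straight through from the 51- and 64-bit backends and its meaning is not documented in this file; presumably it is the only signal a caller gets about a rejected exchange, so the prototype in the header should state what `false` means and that the result must be checked before `shared` is used.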
@@ -0,0 +1,2006 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_DRBG.h" + + + +uint32_t EverCrypt_DRBG_reseed_interval = (uint32_t)1024U; + +uint32_t EverCrypt_DRBG_max_output_length = (uint32_t)65536U; + +uint32_t EverCrypt_DRBG_max_length = (uint32_t)65536U; + +uint32_t EverCrypt_DRBG_max_personalization_string_length = (uint32_t)65536U; + +uint32_t EverCrypt_DRBG_max_additional_input_length = (uint32_t)65536U; + +uint32_t EverCrypt_DRBG_min_length(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + return (uint32_t)16U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_SHA2_384: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return (uint32_t)32U; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +typedef struct EverCrypt_DRBG_state_s_s +{ + EverCrypt_DRBG_state_s_tags tag; + union { + Hacl_HMAC_DRBG_state case_SHA1_s; + Hacl_HMAC_DRBG_state case_SHA2_256_s; + Hacl_HMAC_DRBG_state case_SHA2_384_s; + Hacl_HMAC_DRBG_state case_SHA2_512_s; + } + ; +} +EverCrypt_DRBG_state_s; + +bool +EverCrypt_DRBG_uu___is_SHA1_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +) +{ + if (projectee.tag == EverCrypt_DRBG_SHA1_s) + { + return true; + } + return false; +} + +bool +EverCrypt_DRBG_uu___is_SHA2_256_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +) +{ + if (projectee.tag == EverCrypt_DRBG_SHA2_256_s) + { + return true; + } + return false; +} + +bool +EverCrypt_DRBG_uu___is_SHA2_384_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +) +{ + if (projectee.tag == EverCrypt_DRBG_SHA2_384_s) + { + return true; + } + return false; +} + +bool +EverCrypt_DRBG_uu___is_SHA2_512_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +) +{ + if (projectee.tag == EverCrypt_DRBG_SHA2_512_s) + { + return 
true; + } + return false; +} + +EverCrypt_DRBG_state_s *EverCrypt_DRBG_create(Spec_Hash_Definitions_hash_alg a) +{ + EverCrypt_DRBG_state_s st; + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + uint8_t *k = KRML_HOST_CALLOC((uint32_t)20U, sizeof (uint8_t)); + uint8_t *v = KRML_HOST_CALLOC((uint32_t)20U, sizeof (uint8_t)); + uint32_t *ctr = KRML_HOST_MALLOC(sizeof (uint32_t)); + ctr[0U] = (uint32_t)1U; + st = + ( + (EverCrypt_DRBG_state_s){ + .tag = EverCrypt_DRBG_SHA1_s, + { .case_SHA1_s = { .k = k, .v = v, .reseed_counter = ctr } } + } + ); + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + uint8_t *k = KRML_HOST_CALLOC((uint32_t)32U, sizeof (uint8_t)); + uint8_t *v = KRML_HOST_CALLOC((uint32_t)32U, sizeof (uint8_t)); + uint32_t *ctr = KRML_HOST_MALLOC(sizeof (uint32_t)); + ctr[0U] = (uint32_t)1U; + st = + ( + (EverCrypt_DRBG_state_s){ + .tag = EverCrypt_DRBG_SHA2_256_s, + { .case_SHA2_256_s = { .k = k, .v = v, .reseed_counter = ctr } } + } + ); + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + uint8_t *k = KRML_HOST_CALLOC((uint32_t)48U, sizeof (uint8_t)); + uint8_t *v = KRML_HOST_CALLOC((uint32_t)48U, sizeof (uint8_t)); + uint32_t *ctr = KRML_HOST_MALLOC(sizeof (uint32_t)); + ctr[0U] = (uint32_t)1U; + st = + ( + (EverCrypt_DRBG_state_s){ + .tag = EverCrypt_DRBG_SHA2_384_s, + { .case_SHA2_384_s = { .k = k, .v = v, .reseed_counter = ctr } } + } + ); + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + uint8_t *k = KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); + uint8_t *v = KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); + uint32_t *ctr = KRML_HOST_MALLOC(sizeof (uint32_t)); + ctr[0U] = (uint32_t)1U; + st = + ( + (EverCrypt_DRBG_state_s){ + .tag = EverCrypt_DRBG_SHA2_512_s, + { .case_SHA2_512_s = { .k = k, .v = v, .reseed_counter = ctr } } + } + ); + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + KRML_CHECK_SIZE(sizeof 
(EverCrypt_DRBG_state_s), (uint32_t)1U); + EverCrypt_DRBG_state_s *buf = KRML_HOST_MALLOC(sizeof (EverCrypt_DRBG_state_s)); + buf[0U] = st; + return buf; +} + +bool +EverCrypt_DRBG_instantiate_sha1( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t personalization_string_len +) +{ + if (personalization_string_len > Hacl_HMAC_DRBG_max_personalization_string_length) + { + return false; + } + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA1); + uint32_t nonce_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA1) / (uint32_t)2U; + uint32_t min_entropy = entropy_input_len + nonce_len; + KRML_CHECK_SIZE(sizeof (uint8_t), min_entropy); + uint8_t entropy[min_entropy]; + memset(entropy, 0U, min_entropy * sizeof (uint8_t)); + bool ok = Lib_RandomBuffer_System_randombytes(entropy, min_entropy); + if (!ok) + { + return false; + } + uint8_t *entropy_input = entropy; + uint8_t *nonce = entropy + entropy_input_len; + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + nonce_len + personalization_string_len); + uint8_t seed_material[entropy_input_len + nonce_len + personalization_string_len]; + memset(seed_material, + 0U, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, nonce, nonce_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len + nonce_len, + personalization_string, + personalization_string_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state scrut; + if (st_s.tag == EverCrypt_DRBG_SHA1_s) + { + scrut = st_s.case_SHA1_s; + } + else + { + scrut = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = scrut.k; + uint8_t *v = scrut.v; + uint32_t *ctr = scrut.reseed_counter; + memset(k, 0U, (uint32_t)20U * sizeof (uint8_t)); + memset(v, (uint8_t)1U, 
(uint32_t)20U * sizeof (uint8_t)); + ctr[0U] = (uint32_t)1U; + uint32_t + input_len = (uint32_t)21U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)21U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input0[20U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha1(k_, k, (uint32_t)20U, input0, input_len); + EverCrypt_HMAC_compute_sha1(v, k_, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)21U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)21U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input[20U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha1(k_0, k, (uint32_t)20U, input, input_len0); + EverCrypt_HMAC_compute_sha1(v, k_0, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_0, (uint32_t)20U * sizeof (uint8_t)); + } + return true; +} + +bool +EverCrypt_DRBG_instantiate_sha2_256( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t personalization_string_len +) +{ + if (personalization_string_len > Hacl_HMAC_DRBG_max_personalization_string_length) + { + return false; + } + uint32_t entropy_input_len = 
Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_256); + uint32_t nonce_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_256) / (uint32_t)2U; + uint32_t min_entropy = entropy_input_len + nonce_len; + KRML_CHECK_SIZE(sizeof (uint8_t), min_entropy); + uint8_t entropy[min_entropy]; + memset(entropy, 0U, min_entropy * sizeof (uint8_t)); + bool ok = Lib_RandomBuffer_System_randombytes(entropy, min_entropy); + if (!ok) + { + return false; + } + uint8_t *entropy_input = entropy; + uint8_t *nonce = entropy + entropy_input_len; + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + nonce_len + personalization_string_len); + uint8_t seed_material[entropy_input_len + nonce_len + personalization_string_len]; + memset(seed_material, + 0U, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, nonce, nonce_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len + nonce_len, + personalization_string, + personalization_string_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state scrut; + if (st_s.tag == EverCrypt_DRBG_SHA2_256_s) + { + scrut = st_s.case_SHA2_256_s; + } + else + { + scrut = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = scrut.k; + uint8_t *v = scrut.v; + uint32_t *ctr = scrut.reseed_counter; + memset(k, 0U, (uint32_t)32U * sizeof (uint8_t)); + memset(v, (uint8_t)1U, (uint32_t)32U * sizeof (uint8_t)); + ctr[0U] = (uint32_t)1U; + uint32_t + input_len = (uint32_t)33U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != 
(uint32_t)0U) + { + memcpy(input0 + (uint32_t)33U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input0[32U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_256(k_, k, (uint32_t)32U, input0, input_len); + EverCrypt_HMAC_compute_sha2_256(v, k_, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)33U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)33U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input[32U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_256(k_0, k, (uint32_t)32U, input, input_len0); + EverCrypt_HMAC_compute_sha2_256(v, k_0, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_0, (uint32_t)32U * sizeof (uint8_t)); + } + return true; +} + +bool +EverCrypt_DRBG_instantiate_sha2_384( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t personalization_string_len +) +{ + if (personalization_string_len > Hacl_HMAC_DRBG_max_personalization_string_length) + { + return false; + } + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_384); + uint32_t nonce_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_384) / (uint32_t)2U; + uint32_t min_entropy = entropy_input_len + nonce_len; + KRML_CHECK_SIZE(sizeof (uint8_t), min_entropy); + uint8_t entropy[min_entropy]; + memset(entropy, 0U, min_entropy * sizeof (uint8_t)); + bool ok = Lib_RandomBuffer_System_randombytes(entropy, min_entropy); + if (!ok) + { + return 
false; + } + uint8_t *entropy_input = entropy; + uint8_t *nonce = entropy + entropy_input_len; + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + nonce_len + personalization_string_len); + uint8_t seed_material[entropy_input_len + nonce_len + personalization_string_len]; + memset(seed_material, + 0U, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, nonce, nonce_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len + nonce_len, + personalization_string, + personalization_string_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state scrut; + if (st_s.tag == EverCrypt_DRBG_SHA2_384_s) + { + scrut = st_s.case_SHA2_384_s; + } + else + { + scrut = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = scrut.k; + uint8_t *v = scrut.v; + uint32_t *ctr = scrut.reseed_counter; + memset(k, 0U, (uint32_t)48U * sizeof (uint8_t)); + memset(v, (uint8_t)1U, (uint32_t)48U * sizeof (uint8_t)); + ctr[0U] = (uint32_t)1U; + uint32_t + input_len = (uint32_t)49U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)49U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input0[48U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_384(k_, k, (uint32_t)48U, input0, input_len); + EverCrypt_HMAC_compute_sha2_384(v, k_, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len 
!= (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)49U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)49U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input[48U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_384(k_0, k, (uint32_t)48U, input, input_len0); + EverCrypt_HMAC_compute_sha2_384(v, k_0, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_0, (uint32_t)48U * sizeof (uint8_t)); + } + return true; +} + +bool +EverCrypt_DRBG_instantiate_sha2_512( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t personalization_string_len +) +{ + if (personalization_string_len > Hacl_HMAC_DRBG_max_personalization_string_length) + { + return false; + } + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_512); + uint32_t nonce_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_512) / (uint32_t)2U; + uint32_t min_entropy = entropy_input_len + nonce_len; + KRML_CHECK_SIZE(sizeof (uint8_t), min_entropy); + uint8_t entropy[min_entropy]; + memset(entropy, 0U, min_entropy * sizeof (uint8_t)); + bool ok = Lib_RandomBuffer_System_randombytes(entropy, min_entropy); + if (!ok) + { + return false; + } + uint8_t *entropy_input = entropy; + uint8_t *nonce = entropy + entropy_input_len; + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + nonce_len + personalization_string_len); + uint8_t seed_material[entropy_input_len + nonce_len + personalization_string_len]; + memset(seed_material, + 0U, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memcpy(seed_material, 
entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, nonce, nonce_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len + nonce_len, + personalization_string, + personalization_string_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state scrut; + if (st_s.tag == EverCrypt_DRBG_SHA2_512_s) + { + scrut = st_s.case_SHA2_512_s; + } + else + { + scrut = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = scrut.k; + uint8_t *v = scrut.v; + uint32_t *ctr = scrut.reseed_counter; + memset(k, 0U, (uint32_t)64U * sizeof (uint8_t)); + memset(v, (uint8_t)1U, (uint32_t)64U * sizeof (uint8_t)); + ctr[0U] = (uint32_t)1U; + uint32_t + input_len = (uint32_t)65U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)65U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input0[64U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_512(k_, k, (uint32_t)64U, input0, input_len); + EverCrypt_HMAC_compute_sha2_512(v, k_, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)65U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)65U, + 
seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input[64U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_512(k_0, k, (uint32_t)64U, input, input_len0); + EverCrypt_HMAC_compute_sha2_512(v, k_0, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_0, (uint32_t)64U * sizeof (uint8_t)); + } + return true; +} + +bool +EverCrypt_DRBG_reseed_sha1( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + if (additional_input_len > Hacl_HMAC_DRBG_max_additional_input_length) + { + return false; + } + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA1); + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len); + uint8_t entropy_input[entropy_input_len]; + memset(entropy_input, 0U, entropy_input_len * sizeof (uint8_t)); + bool ok = Lib_RandomBuffer_System_randombytes(entropy_input, entropy_input_len); + if (!ok) + { + return false; + } + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + additional_input_len); + uint8_t seed_material[entropy_input_len + additional_input_len]; + memset(seed_material, 0U, (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, + additional_input, + additional_input_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state uu____0; + if (st_s.tag == EverCrypt_DRBG_SHA1_s) + { + uu____0 = st_s.case_SHA1_s; + } + else + { + uu____0 = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = uu____0.k; + uint8_t *v = uu____0.v; + uint32_t *ctr = uu____0.reseed_counter; + uint32_t input_len = (uint32_t)21U + entropy_input_len + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, 
(uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)21U, + seed_material, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + } + input0[20U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha1(k_, k, (uint32_t)20U, input0, input_len); + EverCrypt_HMAC_compute_sha1(v, k_, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)21U + entropy_input_len + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)21U, + seed_material, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + } + input[20U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha1(k_0, k, (uint32_t)20U, input, input_len0); + EverCrypt_HMAC_compute_sha1(v, k_0, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_0, (uint32_t)20U * sizeof (uint8_t)); + } + ctr[0U] = (uint32_t)1U; + return true; +} + +bool +EverCrypt_DRBG_reseed_sha2_256( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + if (additional_input_len > Hacl_HMAC_DRBG_max_additional_input_length) + { + return false; + } + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_256); + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len); + uint8_t entropy_input[entropy_input_len]; + memset(entropy_input, 0U, entropy_input_len * sizeof (uint8_t)); + bool ok = Lib_RandomBuffer_System_randombytes(entropy_input, entropy_input_len); + if (!ok) + { + return false; + } + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + additional_input_len); + uint8_t 
seed_material[entropy_input_len + additional_input_len]; + memset(seed_material, 0U, (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, + additional_input, + additional_input_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state uu____0; + if (st_s.tag == EverCrypt_DRBG_SHA2_256_s) + { + uu____0 = st_s.case_SHA2_256_s; + } + else + { + uu____0 = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = uu____0.k; + uint8_t *v = uu____0.v; + uint32_t *ctr = uu____0.reseed_counter; + uint32_t input_len = (uint32_t)33U + entropy_input_len + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)33U, + seed_material, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + } + input0[32U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_256(k_, k, (uint32_t)32U, input0, input_len); + EverCrypt_HMAC_compute_sha2_256(v, k_, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)33U + entropy_input_len + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)33U, + seed_material, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + } + input[32U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_256(k_0, k, (uint32_t)32U, 
input, input_len0); + EverCrypt_HMAC_compute_sha2_256(v, k_0, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_0, (uint32_t)32U * sizeof (uint8_t)); + } + ctr[0U] = (uint32_t)1U; + return true; +} + +bool +EverCrypt_DRBG_reseed_sha2_384( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + if (additional_input_len > Hacl_HMAC_DRBG_max_additional_input_length) + { + return false; + } + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_384); + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len); + uint8_t entropy_input[entropy_input_len]; + memset(entropy_input, 0U, entropy_input_len * sizeof (uint8_t)); + bool ok = Lib_RandomBuffer_System_randombytes(entropy_input, entropy_input_len); + if (!ok) + { + return false; + } + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + additional_input_len); + uint8_t seed_material[entropy_input_len + additional_input_len]; + memset(seed_material, 0U, (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, + additional_input, + additional_input_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state uu____0; + if (st_s.tag == EverCrypt_DRBG_SHA2_384_s) + { + uu____0 = st_s.case_SHA2_384_s; + } + else + { + uu____0 = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = uu____0.k; + uint8_t *v = uu____0.v; + uint32_t *ctr = uu____0.reseed_counter; + uint32_t input_len = (uint32_t)49U + entropy_input_len + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)49U, + 
seed_material, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + } + input0[48U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_384(k_, k, (uint32_t)48U, input0, input_len); + EverCrypt_HMAC_compute_sha2_384(v, k_, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)49U + entropy_input_len + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)49U, + seed_material, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + } + input[48U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_384(k_0, k, (uint32_t)48U, input, input_len0); + EverCrypt_HMAC_compute_sha2_384(v, k_0, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_0, (uint32_t)48U * sizeof (uint8_t)); + } + ctr[0U] = (uint32_t)1U; + return true; +} + +bool +EverCrypt_DRBG_reseed_sha2_512( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + if (additional_input_len > Hacl_HMAC_DRBG_max_additional_input_length) + { + return false; + } + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_512); + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len); + uint8_t entropy_input[entropy_input_len]; + memset(entropy_input, 0U, entropy_input_len * sizeof (uint8_t)); + bool ok = Lib_RandomBuffer_System_randombytes(entropy_input, entropy_input_len); + if (!ok) + { + return false; + } + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + additional_input_len); + uint8_t seed_material[entropy_input_len + additional_input_len]; + memset(seed_material, 0U, (entropy_input_len + 
additional_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, + additional_input, + additional_input_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state uu____0; + if (st_s.tag == EverCrypt_DRBG_SHA2_512_s) + { + uu____0 = st_s.case_SHA2_512_s; + } + else + { + uu____0 = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = uu____0.k; + uint8_t *v = uu____0.v; + uint32_t *ctr = uu____0.reseed_counter; + uint32_t input_len = (uint32_t)65U + entropy_input_len + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)65U, + seed_material, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + } + input0[64U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_512(k_, k, (uint32_t)64U, input0, input_len); + EverCrypt_HMAC_compute_sha2_512(v, k_, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)65U + entropy_input_len + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)65U, + seed_material, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + } + input[64U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_512(k_0, k, (uint32_t)64U, input, input_len0); + EverCrypt_HMAC_compute_sha2_512(v, k_0, (uint32_t)64U, v, (uint32_t)64U); + 
memcpy(k, k_0, (uint32_t)64U * sizeof (uint8_t)); + } + ctr[0U] = (uint32_t)1U; + return true; +} + +bool +EverCrypt_DRBG_generate_sha1( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + if + ( + additional_input_len + > Hacl_HMAC_DRBG_max_additional_input_length + || n > Hacl_HMAC_DRBG_max_output_length + ) + { + return false; + } + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA1); + bool ok0; + if (additional_input_len > Hacl_HMAC_DRBG_max_additional_input_length) + { + ok0 = false; + } + else + { + uint32_t entropy_input_len1 = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA1); + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len1); + uint8_t entropy_input[entropy_input_len1]; + memset(entropy_input, 0U, entropy_input_len1 * sizeof (uint8_t)); + bool ok = Lib_RandomBuffer_System_randombytes(entropy_input, entropy_input_len1); + bool result; + if (!ok) + { + result = false; + } + else + { + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len1 + additional_input_len); + uint8_t seed_material[entropy_input_len1 + additional_input_len]; + memset(seed_material, 0U, (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len1 * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len1, + additional_input, + additional_input_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state uu____0; + if (st_s.tag == EverCrypt_DRBG_SHA1_s) + { + uu____0 = st_s.case_SHA1_s; + } + else + { + uu____0 = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = uu____0.k; + uint8_t *v = uu____0.v; + uint32_t *ctr = uu____0.reseed_counter; + uint32_t input_len = (uint32_t)21U + entropy_input_len1 + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, 
input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)21U, + seed_material, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + } + input0[20U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha1(k_, k, (uint32_t)20U, input0, input_len); + EverCrypt_HMAC_compute_sha1(v, k_, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)21U + entropy_input_len1 + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)21U, + seed_material, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + } + input[20U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha1(k_0, k, (uint32_t)20U, input, input_len0); + EverCrypt_HMAC_compute_sha1(v, k_0, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_0, (uint32_t)20U * sizeof (uint8_t)); + } + ctr[0U] = (uint32_t)1U; + result = true; + } + ok0 = result; + } + if (!ok0) + { + return false; + } + EverCrypt_DRBG_state_s st_s = *st; + Hacl_HMAC_DRBG_state x1; + if (st_s.tag == EverCrypt_DRBG_SHA1_s) + { + x1 = st_s.case_SHA1_s; + } + else + { + x1 = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + bool b; + if (x1.reseed_counter[0U] > Hacl_HMAC_DRBG_reseed_interval) + { + b = false; + } + else + { + Hacl_HMAC_DRBG_state scrut; + if (st_s.tag == EverCrypt_DRBG_SHA1_s) + { + scrut = st_s.case_SHA1_s; + } + else + { + scrut = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = scrut.k; 
+ uint8_t *v = scrut.v; + uint32_t *ctr = scrut.reseed_counter; + if (additional_input_len > (uint32_t)0U) + { + uint32_t input_len = (uint32_t)21U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)21U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input0[20U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha1(k_, k, (uint32_t)20U, input0, input_len); + EverCrypt_HMAC_compute_sha1(v, k_, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)21U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)21U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input[20U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha1(k_0, k, (uint32_t)20U, input, input_len0); + EverCrypt_HMAC_compute_sha1(v, k_0, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_0, (uint32_t)20U * sizeof (uint8_t)); + } + } + uint8_t *output1 = output; + uint32_t max = n / (uint32_t)20U; + uint8_t *out = output1; + for (uint32_t i = (uint32_t)0U; i < max; i++) + { + EverCrypt_HMAC_compute_sha1(v, k, (uint32_t)20U, v, (uint32_t)20U); + memcpy(out + i * (uint32_t)20U, v, (uint32_t)20U * sizeof (uint8_t)); + } + if (max * (uint32_t)20U < n) + { + uint8_t *block = output1 + max * (uint32_t)20U; + EverCrypt_HMAC_compute_sha1(v, k, (uint32_t)20U, v, (uint32_t)20U); + memcpy(block, v, (n - max * (uint32_t)20U) * sizeof (uint8_t)); + } + uint32_t input_len = (uint32_t)21U + 
additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)21U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input0[20U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha1(k_, k, (uint32_t)20U, input0, input_len); + EverCrypt_HMAC_compute_sha1(v, k_, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)21U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)21U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input[20U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha1(k_0, k, (uint32_t)20U, input, input_len0); + EverCrypt_HMAC_compute_sha1(v, k_0, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_0, (uint32_t)20U * sizeof (uint8_t)); + } + uint32_t old_ctr = ctr[0U]; + ctr[0U] = old_ctr + (uint32_t)1U; + b = true; + } + return true; +} + +bool +EverCrypt_DRBG_generate_sha2_256( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + if + ( + additional_input_len + > Hacl_HMAC_DRBG_max_additional_input_length + || n > Hacl_HMAC_DRBG_max_output_length + ) + { + return false; + } + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_256); + bool ok0; + if (additional_input_len > Hacl_HMAC_DRBG_max_additional_input_length) + { + ok0 = false; + } + else + { + uint32_t entropy_input_len1 = 
Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_256); + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len1); + uint8_t entropy_input[entropy_input_len1]; + memset(entropy_input, 0U, entropy_input_len1 * sizeof (uint8_t)); + bool ok = Lib_RandomBuffer_System_randombytes(entropy_input, entropy_input_len1); + bool result; + if (!ok) + { + result = false; + } + else + { + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len1 + additional_input_len); + uint8_t seed_material[entropy_input_len1 + additional_input_len]; + memset(seed_material, 0U, (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len1 * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len1, + additional_input, + additional_input_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state uu____0; + if (st_s.tag == EverCrypt_DRBG_SHA2_256_s) + { + uu____0 = st_s.case_SHA2_256_s; + } + else + { + uu____0 = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = uu____0.k; + uint8_t *v = uu____0.v; + uint32_t *ctr = uu____0.reseed_counter; + uint32_t input_len = (uint32_t)33U + entropy_input_len1 + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)33U, + seed_material, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + } + input0[32U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_256(k_, k, (uint32_t)32U, input0, input_len); + EverCrypt_HMAC_compute_sha2_256(v, k_, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)33U + 
entropy_input_len1 + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)33U, + seed_material, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + } + input[32U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_256(k_0, k, (uint32_t)32U, input, input_len0); + EverCrypt_HMAC_compute_sha2_256(v, k_0, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_0, (uint32_t)32U * sizeof (uint8_t)); + } + ctr[0U] = (uint32_t)1U; + result = true; + } + ok0 = result; + } + if (!ok0) + { + return false; + } + EverCrypt_DRBG_state_s st_s = *st; + Hacl_HMAC_DRBG_state x1; + if (st_s.tag == EverCrypt_DRBG_SHA2_256_s) + { + x1 = st_s.case_SHA2_256_s; + } + else + { + x1 = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + bool b; + if (x1.reseed_counter[0U] > Hacl_HMAC_DRBG_reseed_interval) + { + b = false; + } + else + { + Hacl_HMAC_DRBG_state scrut; + if (st_s.tag == EverCrypt_DRBG_SHA2_256_s) + { + scrut = st_s.case_SHA2_256_s; + } + else + { + scrut = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = scrut.k; + uint8_t *v = scrut.v; + uint32_t *ctr = scrut.reseed_counter; + if (additional_input_len > (uint32_t)0U) + { + uint32_t input_len = (uint32_t)33U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)33U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input0[32U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_256(k_, k, 
(uint32_t)32U, input0, input_len); + EverCrypt_HMAC_compute_sha2_256(v, k_, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)33U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)33U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input[32U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_256(k_0, k, (uint32_t)32U, input, input_len0); + EverCrypt_HMAC_compute_sha2_256(v, k_0, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_0, (uint32_t)32U * sizeof (uint8_t)); + } + } + uint8_t *output1 = output; + uint32_t max = n / (uint32_t)32U; + uint8_t *out = output1; + for (uint32_t i = (uint32_t)0U; i < max; i++) + { + EverCrypt_HMAC_compute_sha2_256(v, k, (uint32_t)32U, v, (uint32_t)32U); + memcpy(out + i * (uint32_t)32U, v, (uint32_t)32U * sizeof (uint8_t)); + } + if (max * (uint32_t)32U < n) + { + uint8_t *block = output1 + max * (uint32_t)32U; + EverCrypt_HMAC_compute_sha2_256(v, k, (uint32_t)32U, v, (uint32_t)32U); + memcpy(block, v, (n - max * (uint32_t)32U) * sizeof (uint8_t)); + } + uint32_t input_len = (uint32_t)33U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)33U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input0[32U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_256(k_, k, (uint32_t)32U, input0, input_len); + EverCrypt_HMAC_compute_sha2_256(v, k_, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_, 
(uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)33U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)33U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input[32U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_256(k_0, k, (uint32_t)32U, input, input_len0); + EverCrypt_HMAC_compute_sha2_256(v, k_0, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_0, (uint32_t)32U * sizeof (uint8_t)); + } + uint32_t old_ctr = ctr[0U]; + ctr[0U] = old_ctr + (uint32_t)1U; + b = true; + } + return true; +} + +bool +EverCrypt_DRBG_generate_sha2_384( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + if + ( + additional_input_len + > Hacl_HMAC_DRBG_max_additional_input_length + || n > Hacl_HMAC_DRBG_max_output_length + ) + { + return false; + } + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_384); + bool ok0; + if (additional_input_len > Hacl_HMAC_DRBG_max_additional_input_length) + { + ok0 = false; + } + else + { + uint32_t entropy_input_len1 = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_384); + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len1); + uint8_t entropy_input[entropy_input_len1]; + memset(entropy_input, 0U, entropy_input_len1 * sizeof (uint8_t)); + bool ok = Lib_RandomBuffer_System_randombytes(entropy_input, entropy_input_len1); + bool result; + if (!ok) + { + result = false; + } + else + { + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len1 + additional_input_len); + uint8_t seed_material[entropy_input_len1 + additional_input_len]; + memset(seed_material, 0U, 
(entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len1 * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len1, + additional_input, + additional_input_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state uu____0; + if (st_s.tag == EverCrypt_DRBG_SHA2_384_s) + { + uu____0 = st_s.case_SHA2_384_s; + } + else + { + uu____0 = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = uu____0.k; + uint8_t *v = uu____0.v; + uint32_t *ctr = uu____0.reseed_counter; + uint32_t input_len = (uint32_t)49U + entropy_input_len1 + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)49U, + seed_material, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + } + input0[48U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_384(k_, k, (uint32_t)48U, input0, input_len); + EverCrypt_HMAC_compute_sha2_384(v, k_, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)49U + entropy_input_len1 + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)49U, + seed_material, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + } + input[48U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_384(k_0, k, (uint32_t)48U, input, input_len0); + EverCrypt_HMAC_compute_sha2_384(v, k_0, 
(uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_0, (uint32_t)48U * sizeof (uint8_t)); + } + ctr[0U] = (uint32_t)1U; + result = true; + } + ok0 = result; + } + if (!ok0) + { + return false; + } + EverCrypt_DRBG_state_s st_s = *st; + Hacl_HMAC_DRBG_state x1; + if (st_s.tag == EverCrypt_DRBG_SHA2_384_s) + { + x1 = st_s.case_SHA2_384_s; + } + else + { + x1 = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + bool b; + if (x1.reseed_counter[0U] > Hacl_HMAC_DRBG_reseed_interval) + { + b = false; + } + else + { + Hacl_HMAC_DRBG_state scrut; + if (st_s.tag == EverCrypt_DRBG_SHA2_384_s) + { + scrut = st_s.case_SHA2_384_s; + } + else + { + scrut = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = scrut.k; + uint8_t *v = scrut.v; + uint32_t *ctr = scrut.reseed_counter; + if (additional_input_len > (uint32_t)0U) + { + uint32_t input_len = (uint32_t)49U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)49U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input0[48U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_384(k_, k, (uint32_t)48U, input0, input_len); + EverCrypt_HMAC_compute_sha2_384(v, k_, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)49U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)49U, additional_input, additional_input_len * 
sizeof (uint8_t)); + } + input[48U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_384(k_0, k, (uint32_t)48U, input, input_len0); + EverCrypt_HMAC_compute_sha2_384(v, k_0, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_0, (uint32_t)48U * sizeof (uint8_t)); + } + } + uint8_t *output1 = output; + uint32_t max = n / (uint32_t)48U; + uint8_t *out = output1; + for (uint32_t i = (uint32_t)0U; i < max; i++) + { + EverCrypt_HMAC_compute_sha2_384(v, k, (uint32_t)48U, v, (uint32_t)48U); + memcpy(out + i * (uint32_t)48U, v, (uint32_t)48U * sizeof (uint8_t)); + } + if (max * (uint32_t)48U < n) + { + uint8_t *block = output1 + max * (uint32_t)48U; + EverCrypt_HMAC_compute_sha2_384(v, k, (uint32_t)48U, v, (uint32_t)48U); + memcpy(block, v, (n - max * (uint32_t)48U) * sizeof (uint8_t)); + } + uint32_t input_len = (uint32_t)49U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)49U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input0[48U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_384(k_, k, (uint32_t)48U, input0, input_len); + EverCrypt_HMAC_compute_sha2_384(v, k_, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)49U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)49U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input[48U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_384(k_0, k, (uint32_t)48U, input, input_len0); + 
EverCrypt_HMAC_compute_sha2_384(v, k_0, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_0, (uint32_t)48U * sizeof (uint8_t)); + } + uint32_t old_ctr = ctr[0U]; + ctr[0U] = old_ctr + (uint32_t)1U; + b = true; + } + return true; +} + +bool +EverCrypt_DRBG_generate_sha2_512( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + if + ( + additional_input_len + > Hacl_HMAC_DRBG_max_additional_input_length + || n > Hacl_HMAC_DRBG_max_output_length + ) + { + return false; + } + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_512); + bool ok0; + if (additional_input_len > Hacl_HMAC_DRBG_max_additional_input_length) + { + ok0 = false; + } + else + { + uint32_t entropy_input_len1 = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_512); + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len1); + uint8_t entropy_input[entropy_input_len1]; + memset(entropy_input, 0U, entropy_input_len1 * sizeof (uint8_t)); + bool ok = Lib_RandomBuffer_System_randombytes(entropy_input, entropy_input_len1); + bool result; + if (!ok) + { + result = false; + } + else + { + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len1 + additional_input_len); + uint8_t seed_material[entropy_input_len1 + additional_input_len]; + memset(seed_material, 0U, (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len1 * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len1, + additional_input, + additional_input_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state uu____0; + if (st_s.tag == EverCrypt_DRBG_SHA2_512_s) + { + uu____0 = st_s.case_SHA2_512_s; + } + else + { + uu____0 = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = uu____0.k; + uint8_t *v = uu____0.v; + uint32_t *ctr = uu____0.reseed_counter; + uint32_t input_len = 
(uint32_t)65U + entropy_input_len1 + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)65U, + seed_material, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + } + input0[64U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_512(k_, k, (uint32_t)64U, input0, input_len); + EverCrypt_HMAC_compute_sha2_512(v, k_, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)65U + entropy_input_len1 + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)65U, + seed_material, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + } + input[64U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_512(k_0, k, (uint32_t)64U, input, input_len0); + EverCrypt_HMAC_compute_sha2_512(v, k_0, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_0, (uint32_t)64U * sizeof (uint8_t)); + } + ctr[0U] = (uint32_t)1U; + result = true; + } + ok0 = result; + } + if (!ok0) + { + return false; + } + EverCrypt_DRBG_state_s st_s = *st; + Hacl_HMAC_DRBG_state x1; + if (st_s.tag == EverCrypt_DRBG_SHA2_512_s) + { + x1 = st_s.case_SHA2_512_s; + } + else + { + x1 = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + bool b; + if (x1.reseed_counter[0U] > Hacl_HMAC_DRBG_reseed_interval) + { + b = false; + } + else + { + Hacl_HMAC_DRBG_state scrut; + if (st_s.tag == 
EverCrypt_DRBG_SHA2_512_s) + { + scrut = st_s.case_SHA2_512_s; + } + else + { + scrut = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = scrut.k; + uint8_t *v = scrut.v; + uint32_t *ctr = scrut.reseed_counter; + if (additional_input_len > (uint32_t)0U) + { + uint32_t input_len = (uint32_t)65U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)65U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input0[64U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_512(k_, k, (uint32_t)64U, input0, input_len); + EverCrypt_HMAC_compute_sha2_512(v, k_, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)65U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)65U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input[64U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_512(k_0, k, (uint32_t)64U, input, input_len0); + EverCrypt_HMAC_compute_sha2_512(v, k_0, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_0, (uint32_t)64U * sizeof (uint8_t)); + } + } + uint8_t *output1 = output; + uint32_t max = n / (uint32_t)64U; + uint8_t *out = output1; + for (uint32_t i = (uint32_t)0U; i < max; i++) + { + EverCrypt_HMAC_compute_sha2_512(v, k, (uint32_t)64U, v, (uint32_t)64U); + memcpy(out + i * (uint32_t)64U, v, (uint32_t)64U * sizeof (uint8_t)); + } + if (max * (uint32_t)64U < n) + { + uint8_t 
*block = output1 + max * (uint32_t)64U; + EverCrypt_HMAC_compute_sha2_512(v, k, (uint32_t)64U, v, (uint32_t)64U); + memcpy(block, v, (n - max * (uint32_t)64U) * sizeof (uint8_t)); + } + uint32_t input_len = (uint32_t)65U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)65U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input0[64U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_512(k_, k, (uint32_t)64U, input0, input_len); + EverCrypt_HMAC_compute_sha2_512(v, k_, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)65U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)65U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input[64U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_512(k_0, k, (uint32_t)64U, input, input_len0); + EverCrypt_HMAC_compute_sha2_512(v, k_0, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_0, (uint32_t)64U * sizeof (uint8_t)); + } + uint32_t old_ctr = ctr[0U]; + ctr[0U] = old_ctr + (uint32_t)1U; + b = true; + } + return true; +} + +void EverCrypt_DRBG_uninstantiate_sha1(EverCrypt_DRBG_state_s *st) +{ + EverCrypt_DRBG_state_s st_s = *st; + Hacl_HMAC_DRBG_state s; + if (st_s.tag == EverCrypt_DRBG_SHA1_s) + { + s = st_s.case_SHA1_s; + } + else + { + s = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = s.k; + uint8_t *v = s.v; + uint32_t *ctr = 
s.reseed_counter; + Lib_Memzero0_memzero(k, (uint32_t)20U * sizeof (k[0U])); + Lib_Memzero0_memzero(v, (uint32_t)20U * sizeof (v[0U])); + ctr[0U] = (uint32_t)0U; + KRML_HOST_FREE(k); + KRML_HOST_FREE(v); + KRML_HOST_FREE(ctr); + KRML_HOST_FREE(st); +} + +void EverCrypt_DRBG_uninstantiate_sha2_256(EverCrypt_DRBG_state_s *st) +{ + EverCrypt_DRBG_state_s st_s = *st; + Hacl_HMAC_DRBG_state s; + if (st_s.tag == EverCrypt_DRBG_SHA2_256_s) + { + s = st_s.case_SHA2_256_s; + } + else + { + s = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = s.k; + uint8_t *v = s.v; + uint32_t *ctr = s.reseed_counter; + Lib_Memzero0_memzero(k, (uint32_t)32U * sizeof (k[0U])); + Lib_Memzero0_memzero(v, (uint32_t)32U * sizeof (v[0U])); + ctr[0U] = (uint32_t)0U; + KRML_HOST_FREE(k); + KRML_HOST_FREE(v); + KRML_HOST_FREE(ctr); + KRML_HOST_FREE(st); +} + +void EverCrypt_DRBG_uninstantiate_sha2_384(EverCrypt_DRBG_state_s *st) +{ + EverCrypt_DRBG_state_s st_s = *st; + Hacl_HMAC_DRBG_state s; + if (st_s.tag == EverCrypt_DRBG_SHA2_384_s) + { + s = st_s.case_SHA2_384_s; + } + else + { + s = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = s.k; + uint8_t *v = s.v; + uint32_t *ctr = s.reseed_counter; + Lib_Memzero0_memzero(k, (uint32_t)48U * sizeof (k[0U])); + Lib_Memzero0_memzero(v, (uint32_t)48U * sizeof (v[0U])); + ctr[0U] = (uint32_t)0U; + KRML_HOST_FREE(k); + KRML_HOST_FREE(v); + KRML_HOST_FREE(ctr); + KRML_HOST_FREE(st); +} + +void EverCrypt_DRBG_uninstantiate_sha2_512(EverCrypt_DRBG_state_s *st) +{ + EverCrypt_DRBG_state_s st_s = *st; + Hacl_HMAC_DRBG_state s; + if (st_s.tag == EverCrypt_DRBG_SHA2_512_s) + { + s = st_s.case_SHA2_512_s; + } + else + { + s = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = s.k; + uint8_t *v = s.v; + uint32_t *ctr = s.reseed_counter; + Lib_Memzero0_memzero(k, (uint32_t)64U * sizeof (k[0U])); 
+ Lib_Memzero0_memzero(v, (uint32_t)64U * sizeof (v[0U])); + ctr[0U] = (uint32_t)0U; + KRML_HOST_FREE(k); + KRML_HOST_FREE(v); + KRML_HOST_FREE(ctr); + KRML_HOST_FREE(st); +} + +bool +EverCrypt_DRBG_instantiate( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t personalization_string_len +) +{ + EverCrypt_DRBG_state_s scrut = *st; + if (scrut.tag == EverCrypt_DRBG_SHA1_s) + { + return EverCrypt_DRBG_instantiate_sha1(st, personalization_string, personalization_string_len); + } + if (scrut.tag == EverCrypt_DRBG_SHA2_256_s) + { + return + EverCrypt_DRBG_instantiate_sha2_256(st, + personalization_string, + personalization_string_len); + } + if (scrut.tag == EverCrypt_DRBG_SHA2_384_s) + { + return + EverCrypt_DRBG_instantiate_sha2_384(st, + personalization_string, + personalization_string_len); + } + if (scrut.tag == EverCrypt_DRBG_SHA2_512_s) + { + return + EverCrypt_DRBG_instantiate_sha2_512(st, + personalization_string, + personalization_string_len); + } + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +bool +EverCrypt_DRBG_reseed( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + EverCrypt_DRBG_state_s scrut = *st; + if (scrut.tag == EverCrypt_DRBG_SHA1_s) + { + return EverCrypt_DRBG_reseed_sha1(st, additional_input, additional_input_len); + } + if (scrut.tag == EverCrypt_DRBG_SHA2_256_s) + { + return EverCrypt_DRBG_reseed_sha2_256(st, additional_input, additional_input_len); + } + if (scrut.tag == EverCrypt_DRBG_SHA2_384_s) + { + return EverCrypt_DRBG_reseed_sha2_384(st, additional_input, additional_input_len); + } + if (scrut.tag == EverCrypt_DRBG_SHA2_512_s) + { + return EverCrypt_DRBG_reseed_sha2_512(st, additional_input, additional_input_len); + } + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in 
F*)"); + KRML_HOST_EXIT(255U); +} + +bool +EverCrypt_DRBG_generate( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + EverCrypt_DRBG_state_s scrut = *st; + if (scrut.tag == EverCrypt_DRBG_SHA1_s) + { + return EverCrypt_DRBG_generate_sha1(output, st, n, additional_input, additional_input_len); + } + if (scrut.tag == EverCrypt_DRBG_SHA2_256_s) + { + return EverCrypt_DRBG_generate_sha2_256(output, st, n, additional_input, additional_input_len); + } + if (scrut.tag == EverCrypt_DRBG_SHA2_384_s) + { + return EverCrypt_DRBG_generate_sha2_384(output, st, n, additional_input, additional_input_len); + } + if (scrut.tag == EverCrypt_DRBG_SHA2_512_s) + { + return EverCrypt_DRBG_generate_sha2_512(output, st, n, additional_input, additional_input_len); + } + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +void EverCrypt_DRBG_uninstantiate(EverCrypt_DRBG_state_s *st) +{ + EverCrypt_DRBG_state_s scrut = *st; + if (scrut.tag == EverCrypt_DRBG_SHA1_s) + { + EverCrypt_DRBG_uninstantiate_sha1(st); + return; + } + if (scrut.tag == EverCrypt_DRBG_SHA2_256_s) + { + EverCrypt_DRBG_uninstantiate_sha2_256(st); + return; + } + if (scrut.tag == EverCrypt_DRBG_SHA2_384_s) + { + EverCrypt_DRBG_uninstantiate_sha2_384(st); + return; + } + if (scrut.tag == EverCrypt_DRBG_SHA2_512_s) + { + EverCrypt_DRBG_uninstantiate_sha2_512(st); + return; + } + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + diff --git a/src/EverCrypt_Ed25519.c b/src/EverCrypt_Ed25519.c new file mode 100644 index 00000000..09a2a0fd --- /dev/null +++ b/src/EverCrypt_Ed25519.c 
@@ -0,0 +1,54 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "EverCrypt_Ed25519.h" + + + +void EverCrypt_Ed25519_sign(uint8_t *signature, uint8_t *secret, uint32_t len, uint8_t *msg) +{ + Hacl_Ed25519_sign(signature, secret, len, msg); +} + +bool EverCrypt_Ed25519_verify(uint8_t *pubkey, uint32_t len, uint8_t *msg, uint8_t *signature) +{ + return Hacl_Ed25519_verify(pubkey, len, msg, signature); +} + +void EverCrypt_Ed25519_secret_to_public(uint8_t *output, uint8_t *secret) +{ + Hacl_Ed25519_secret_to_public(output, secret); +} + +void EverCrypt_Ed25519_expand_keys(uint8_t *ks, uint8_t *secret) +{ + Hacl_Ed25519_expand_keys(ks, secret); +} + +void +EverCrypt_Ed25519_sign_expanded(uint8_t *signature, uint8_t *ks, uint32_t len, uint8_t *msg) +{ + Hacl_Ed25519_sign_expanded(signature, ks, len, msg); +} + 
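Review bot: None of the five wrappers in this file documents the buffer sizes the caller must provide, and since the file is extracted from F* the only place a C user will look is the `EverCrypt_Ed25519.h` declarations. The fixed sizes follow from the algorithm (32-byte public and secret keys, 64-byte signatures), while `len` is the byte length of `msg` and the size of `ks` for `EverCrypt_Ed25519_expand_keys`/`EverCrypt_Ed25519_sign_expanded` is an implementation detail a reader cannot infer here. I would add a one-line comment per declaration in the header, e.g. `/* signature: 64 bytes (out); secret: 32 bytes; msg: len bytes */` on `EverCrypt_Ed25519_sign`, and state the expected `ks` size once above the expanded-key functions (value to be confirmed against the Hacl_Ed25519 header). The pointer parameters that are only read (`secret`, `msg`, `pubkey`, `signature` in `verify`) would also be clearer as `const uint8_t *`, but that has to be changed in the generator, not in this file.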
diff --git a/src/EverCrypt_Error.c b/src/EverCrypt_Error.c new file mode 100644 index 00000000..1a311ad2 --- /dev/null +++ b/src/EverCrypt_Error.c 
@@ -0,0 +1,118 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_Error.h" + + + +bool EverCrypt_Error_uu___is_Success(EverCrypt_Error_error_code projectee) +{ + switch (projectee) + { + case EverCrypt_Error_Success: + { + return true; + } + default: + { + return false; + } + } +} + +bool EverCrypt_Error_uu___is_UnsupportedAlgorithm(EverCrypt_Error_error_code projectee) +{ + switch (projectee) + { + case EverCrypt_Error_UnsupportedAlgorithm: + { + return true; + } + default: + { + return false; + } + } +} + +bool EverCrypt_Error_uu___is_InvalidKey(EverCrypt_Error_error_code projectee) +{ + switch (projectee) + { + case EverCrypt_Error_InvalidKey: + { + return true; + } + default: + { + return false; + } + } +} + +bool EverCrypt_Error_uu___is_AuthenticationFailure(EverCrypt_Error_error_code projectee) +{ + switch (projectee) + { + case EverCrypt_Error_AuthenticationFailure: + { + return true; + } + default: + { + return false; + } + } +} + +bool EverCrypt_Error_uu___is_InvalidIVLength(EverCrypt_Error_error_code projectee) +{ + switch (projectee) + { + case EverCrypt_Error_InvalidIVLength: + { + return true; + } + default: + { + return false; + } + } +} + +bool EverCrypt_Error_uu___is_DecodeError(EverCrypt_Error_error_code projectee) +{ + switch (projectee) + { + case EverCrypt_Error_DecodeError: + { + return true; + } + default: + { + return false; + } + } +} + diff --git a/src/EverCrypt_HKDF.c b/src/EverCrypt_HKDF.c new file mode 100644 index 00000000..a50db22d --- /dev/null +++ b/src/EverCrypt_HKDF.c 
@@ -0,0 +1,526 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_HKDF.h" + + + +void +EverCrypt_HKDF_expand_sha1( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)20U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + uint8_t text[tlen + infolen + (uint32_t)1U]; + memset(text, 0U, (tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + EverCrypt_HMAC_compute_sha1(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_sha1(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + EverCrypt_HMAC_compute_sha1(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_sha1(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } +} + +void +EverCrypt_HKDF_extract_sha1( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + EverCrypt_HMAC_compute_sha1(prk, salt, saltlen, ikm, ikmlen); +} + +void +EverCrypt_HKDF_expand_sha2_256( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)32U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + uint8_t text[tlen + infolen + (uint32_t)1U]; + memset(text, 0U, (tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + uint8_t *text0 
= text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + EverCrypt_HMAC_compute_sha2_256(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_sha2_256(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + EverCrypt_HMAC_compute_sha2_256(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_sha2_256(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } +} + +void +EverCrypt_HKDF_extract_sha2_256( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + EverCrypt_HMAC_compute_sha2_256(prk, salt, saltlen, ikm, ikmlen); +} + +void +EverCrypt_HKDF_expand_sha2_384( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)48U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + uint8_t text[tlen + infolen + (uint32_t)1U]; + memset(text, 0U, (tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + EverCrypt_HMAC_compute_sha2_384(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_sha2_384(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + 
memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + EverCrypt_HMAC_compute_sha2_384(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_sha2_384(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } +} + +void +EverCrypt_HKDF_extract_sha2_384( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + EverCrypt_HMAC_compute_sha2_384(prk, salt, saltlen, ikm, ikmlen); +} + +void +EverCrypt_HKDF_expand_sha2_512( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)64U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + uint8_t text[tlen + infolen + (uint32_t)1U]; + memset(text, 0U, (tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + EverCrypt_HMAC_compute_sha2_512(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_sha2_512(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + EverCrypt_HMAC_compute_sha2_512(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_sha2_512(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } +} + 
+void +EverCrypt_HKDF_extract_sha2_512( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + EverCrypt_HMAC_compute_sha2_512(prk, salt, saltlen, ikm, ikmlen); +} + +void +EverCrypt_HKDF_expand_blake2s( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)32U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + uint8_t text[tlen + infolen + (uint32_t)1U]; + memset(text, 0U, (tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + EverCrypt_HMAC_compute_blake2s(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_blake2s(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + EverCrypt_HMAC_compute_blake2s(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_blake2s(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } +} + +void +EverCrypt_HKDF_extract_blake2s( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + EverCrypt_HMAC_compute_blake2s(prk, salt, saltlen, ikm, ikmlen); +} + +void +EverCrypt_HKDF_expand_blake2b( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)64U; + uint32_t n = len / tlen; + uint8_t *output = okm; + 
KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + uint8_t text[tlen + infolen + (uint32_t)1U]; + memset(text, 0U, (tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + EverCrypt_HMAC_compute_blake2b(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_blake2b(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + EverCrypt_HMAC_compute_blake2b(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_blake2b(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } +} + +void +EverCrypt_HKDF_extract_blake2b( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + EverCrypt_HMAC_compute_blake2b(prk, salt, saltlen, ikm, ikmlen); +} + +void +EverCrypt_HKDF_expand( + Spec_Hash_Definitions_hash_alg a, + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + EverCrypt_HKDF_expand_sha1(okm, prk, prklen, info, infolen, len); + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + EverCrypt_HKDF_expand_sha2_256(okm, prk, prklen, info, infolen, len); + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + EverCrypt_HKDF_expand_sha2_384(okm, prk, prklen, info, infolen, len); + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + EverCrypt_HKDF_expand_sha2_512(okm, prk, prklen, info, infolen, len); + break; + 
} + case Spec_Hash_Definitions_Blake2S: + { + EverCrypt_HKDF_expand_blake2s(okm, prk, prklen, info, infolen, len); + break; + } + case Spec_Hash_Definitions_Blake2B: + { + EverCrypt_HKDF_expand_blake2b(okm, prk, prklen, info, infolen, len); + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +void +EverCrypt_HKDF_extract( + Spec_Hash_Definitions_hash_alg a, + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + EverCrypt_HKDF_extract_sha1(prk, salt, saltlen, ikm, ikmlen); + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + EverCrypt_HKDF_extract_sha2_256(prk, salt, saltlen, ikm, ikmlen); + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + EverCrypt_HKDF_extract_sha2_384(prk, salt, saltlen, ikm, ikmlen); + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + EverCrypt_HKDF_extract_sha2_512(prk, salt, saltlen, ikm, ikmlen); + break; + } + case Spec_Hash_Definitions_Blake2S: + { + EverCrypt_HKDF_extract_blake2s(prk, salt, saltlen, ikm, ikmlen); + break; + } + case Spec_Hash_Definitions_Blake2B: + { + EverCrypt_HKDF_extract_blake2b(prk, salt, saltlen, ikm, ikmlen); + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +KRML_DEPRECATED("expand") + +void +EverCrypt_HKDF_hkdf_expand( + Spec_Hash_Definitions_hash_alg a, + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + EverCrypt_HKDF_expand(a, okm, prk, prklen, info, infolen, len); +} + +KRML_DEPRECATED("extract") + +void +EverCrypt_HKDF_hkdf_extract( + Spec_Hash_Definitions_hash_alg a, + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + EverCrypt_HKDF_extract(a, prk, salt, saltlen, ikm, ikmlen); +} + 
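Review bot: The `EverCrypt_HKDF_expand_*` functions in this hunk write the block counter as `ctr[0U] = (uint8_t)(i + (uint32_t)1U)` and nothing in the C code rejects a `len` above `255 * tlen`, so for such a request the counter silently wraps to 0 after block 255 and the remaining output is outside the RFC 5869 definition of HKDF-Expand. The F* source presumably carries `len <= 255 * hash_length` as a precondition that the extracted C cannot check, so at this API boundary it should at least be stated on the declarations in `EverCrypt_HKDF.h`, e.g. `/* Requires len <= 255 * hash length of a; larger requests are not supported (RFC 5869). */`. If the project wants a fail-fast behaviour rather than a documented precondition, the dispatching `EverCrypt_HKDF_expand` would be the natural place for a single `len <= 255U * tlen` check, since the per-hash bodies are generated. The same counter pattern appears in `expand_sha1`, `expand_sha2_256`, `expand_sha2_384`, `expand_sha2_512`, `expand_blake2s` and `expand_blake2b`, so one header comment per algorithm covers all of them.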
diff --git a/src/EverCrypt_HMAC.c b/src/EverCrypt_HMAC.c new file mode 100644 index 00000000..b39f1198 --- /dev/null +++ b/src/EverCrypt_HMAC.c 
@@ -0,0 +1,855 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_HMAC.h" + +#include "internal/Hacl_Hash_SHA2.h" +#include "internal/Hacl_Hash_SHA1.h" +#include "internal/Hacl_Hash_Blake2.h" +#include "internal/Hacl_HMAC.h" + +void +EverCrypt_HMAC_compute_sha1( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)64U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t key_block[l]; + memset(key_block, 0U, l * sizeof (uint8_t)); + uint32_t i0; + if (key_len <= (uint32_t)64U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)20U; + } + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)64U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_SHA1_legacy_hash(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t ipad[l]; + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t opad[l]; + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + uint32_t + scrut[5U] = + { + (uint32_t)0x67452301U, (uint32_t)0xefcdab89U, (uint32_t)0x98badcfeU, (uint32_t)0x10325476U, + (uint32_t)0xc3d2e1f0U + }; + uint32_t *s = scrut; + uint8_t *dst1 = ipad; + Hacl_Hash_Core_SHA1_legacy_init(s); + if (data_len == (uint32_t)0U) + { + Hacl_Hash_SHA1_legacy_update_last(s, (uint64_t)0U, ipad, (uint32_t)64U); + } + else + { + Hacl_Hash_SHA1_legacy_update_multi(s, ipad, (uint32_t)1U); + Hacl_Hash_SHA1_legacy_update_last(s, (uint64_t)(uint32_t)64U, data, data_len); + } + Hacl_Hash_Core_SHA1_legacy_finish(s, dst1); + uint8_t *hash1 = ipad; + Hacl_Hash_Core_SHA1_legacy_init(s); + if ((uint32_t)20U == (uint32_t)0U) + { + Hacl_Hash_SHA1_legacy_update_last(s, (uint64_t)0U, opad, (uint32_t)64U); + } + else + { + 
Hacl_Hash_SHA1_legacy_update_multi(s, opad, (uint32_t)1U); + Hacl_Hash_SHA1_legacy_update_last(s, (uint64_t)(uint32_t)64U, hash1, (uint32_t)20U); + } + Hacl_Hash_Core_SHA1_legacy_finish(s, dst); +} + +void +EverCrypt_HMAC_compute_sha2_256( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)64U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t key_block[l]; + memset(key_block, 0U, l * sizeof (uint8_t)); + uint32_t i0; + if (key_len <= (uint32_t)64U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)32U; + } + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)64U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + EverCrypt_Hash_hash_256(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t ipad[l]; + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t opad[l]; + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + uint32_t + scrut[8U] = + { + (uint32_t)0x6a09e667U, (uint32_t)0xbb67ae85U, (uint32_t)0x3c6ef372U, (uint32_t)0xa54ff53aU, + (uint32_t)0x510e527fU, (uint32_t)0x9b05688cU, (uint32_t)0x1f83d9abU, (uint32_t)0x5be0cd19U + }; + uint32_t *s = scrut; + uint8_t *dst1 = ipad; + Hacl_Hash_Core_SHA2_init_256(s); + if (data_len == (uint32_t)0U) + { + EverCrypt_Hash_update_last_256(s, (uint64_t)0U, ipad, (uint32_t)64U); + } + else + { + EverCrypt_Hash_update_multi_256(s, ipad, (uint32_t)1U); + EverCrypt_Hash_update_last_256(s, (uint64_t)(uint32_t)64U, data, data_len); + } + Hacl_Hash_Core_SHA2_finish_256(s, dst1); + uint8_t *hash1 = ipad; + Hacl_Hash_Core_SHA2_init_256(s); + if ((uint32_t)32U == (uint32_t)0U) + { + EverCrypt_Hash_update_last_256(s, 
(uint64_t)0U, opad, (uint32_t)64U); + } + else + { + EverCrypt_Hash_update_multi_256(s, opad, (uint32_t)1U); + EverCrypt_Hash_update_last_256(s, (uint64_t)(uint32_t)64U, hash1, (uint32_t)32U); + } + Hacl_Hash_Core_SHA2_finish_256(s, dst); +} + +void +EverCrypt_HMAC_compute_sha2_384( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)128U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t key_block[l]; + memset(key_block, 0U, l * sizeof (uint8_t)); + uint32_t i0; + if (key_len <= (uint32_t)128U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)48U; + } + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)128U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_SHA2_hash_384(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t ipad[l]; + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t opad[l]; + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + uint64_t + scrut[8U] = + { + (uint64_t)0xcbbb9d5dc1059ed8U, (uint64_t)0x629a292a367cd507U, (uint64_t)0x9159015a3070dd17U, + (uint64_t)0x152fecd8f70e5939U, (uint64_t)0x67332667ffc00b31U, (uint64_t)0x8eb44a8768581511U, + (uint64_t)0xdb0c2e0d64f98fa7U, (uint64_t)0x47b5481dbefa4fa4U + }; + uint64_t *s = scrut; + uint8_t *dst1 = ipad; + Hacl_Hash_Core_SHA2_init_384(s); + if (data_len == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_384(s, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + ipad, + (uint32_t)128U); + } + else + { + Hacl_Hash_SHA2_update_multi_384(s, ipad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_384(s, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + data, + 
data_len); + } + Hacl_Hash_Core_SHA2_finish_384(s, dst1); + uint8_t *hash1 = ipad; + Hacl_Hash_Core_SHA2_init_384(s); + if ((uint32_t)48U == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_384(s, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + opad, + (uint32_t)128U); + } + else + { + Hacl_Hash_SHA2_update_multi_384(s, opad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_384(s, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + hash1, + (uint32_t)48U); + } + Hacl_Hash_Core_SHA2_finish_384(s, dst); +} + +void +EverCrypt_HMAC_compute_sha2_512( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)128U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t key_block[l]; + memset(key_block, 0U, l * sizeof (uint8_t)); + uint32_t i0; + if (key_len <= (uint32_t)128U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)64U; + } + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)128U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_SHA2_hash_512(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t ipad[l]; + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t opad[l]; + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + uint64_t + scrut[8U] = + { + (uint64_t)0x6a09e667f3bcc908U, (uint64_t)0xbb67ae8584caa73bU, (uint64_t)0x3c6ef372fe94f82bU, + (uint64_t)0xa54ff53a5f1d36f1U, (uint64_t)0x510e527fade682d1U, (uint64_t)0x9b05688c2b3e6c1fU, + (uint64_t)0x1f83d9abfb41bd6bU, (uint64_t)0x5be0cd19137e2179U + }; + uint64_t *s = scrut; + uint8_t *dst1 = ipad; + Hacl_Hash_Core_SHA2_init_512(s); + if (data_len == (uint32_t)0U) + { + 
Hacl_Hash_SHA2_update_last_512(s, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + ipad, + (uint32_t)128U); + } + else + { + Hacl_Hash_SHA2_update_multi_512(s, ipad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_512(s, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + data, + data_len); + } + Hacl_Hash_Core_SHA2_finish_512(s, dst1); + uint8_t *hash1 = ipad; + Hacl_Hash_Core_SHA2_init_512(s); + if ((uint32_t)64U == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_512(s, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + opad, + (uint32_t)128U); + } + else + { + Hacl_Hash_SHA2_update_multi_512(s, opad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_512(s, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + hash1, + (uint32_t)64U); + } + Hacl_Hash_Core_SHA2_finish_512(s, dst); +} + +void +EverCrypt_HMAC_compute_blake2s( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)64U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t key_block[l]; + memset(key_block, 0U, l * sizeof (uint8_t)); + uint32_t i0; + if (key_len <= (uint32_t)64U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)32U; + } + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)64U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_Blake2_hash_blake2s_32(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t ipad[l]; + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t opad[l]; + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + uint32_t s[16U] = { 0U }; + uint32_t *r00 = s + (uint32_t)0U * (uint32_t)4U; + uint32_t *r10 = s + (uint32_t)1U * (uint32_t)4U; + 
uint32_t *r20 = s + (uint32_t)2U * (uint32_t)4U; + uint32_t *r30 = s + (uint32_t)3U * (uint32_t)4U; + uint32_t iv00 = Hacl_Impl_Blake2_Constants_ivTable_S[0U]; + uint32_t iv10 = Hacl_Impl_Blake2_Constants_ivTable_S[1U]; + uint32_t iv20 = Hacl_Impl_Blake2_Constants_ivTable_S[2U]; + uint32_t iv30 = Hacl_Impl_Blake2_Constants_ivTable_S[3U]; + uint32_t iv40 = Hacl_Impl_Blake2_Constants_ivTable_S[4U]; + uint32_t iv50 = Hacl_Impl_Blake2_Constants_ivTable_S[5U]; + uint32_t iv60 = Hacl_Impl_Blake2_Constants_ivTable_S[6U]; + uint32_t iv70 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; + r20[0U] = iv00; + r20[1U] = iv10; + r20[2U] = iv20; + r20[3U] = iv30; + r30[0U] = iv40; + r30[1U] = iv50; + r30[2U] = iv60; + r30[3U] = iv70; + uint32_t kk_shift_80 = (uint32_t)0U; + uint32_t iv0_ = iv00 ^ ((uint32_t)0x01010000U ^ (kk_shift_80 ^ (uint32_t)32U)); + r00[0U] = iv0_; + r00[1U] = iv10; + r00[2U] = iv20; + r00[3U] = iv30; + r10[0U] = iv40; + r10[1U] = iv50; + r10[2U] = iv60; + r10[3U] = iv70; + uint64_t es = (uint64_t)0U; + K____uint32_t__uint64_t scrut = { .fst = s, .snd = es }; + uint32_t *s0 = scrut.fst; + uint8_t *dst1 = ipad; + uint32_t *r01 = s0 + (uint32_t)0U * (uint32_t)4U; + uint32_t *r11 = s0 + (uint32_t)1U * (uint32_t)4U; + uint32_t *r21 = s0 + (uint32_t)2U * (uint32_t)4U; + uint32_t *r31 = s0 + (uint32_t)3U * (uint32_t)4U; + uint32_t iv01 = Hacl_Impl_Blake2_Constants_ivTable_S[0U]; + uint32_t iv11 = Hacl_Impl_Blake2_Constants_ivTable_S[1U]; + uint32_t iv21 = Hacl_Impl_Blake2_Constants_ivTable_S[2U]; + uint32_t iv31 = Hacl_Impl_Blake2_Constants_ivTable_S[3U]; + uint32_t iv41 = Hacl_Impl_Blake2_Constants_ivTable_S[4U]; + uint32_t iv51 = Hacl_Impl_Blake2_Constants_ivTable_S[5U]; + uint32_t iv61 = Hacl_Impl_Blake2_Constants_ivTable_S[6U]; + uint32_t iv71 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; + r21[0U] = iv01; + r21[1U] = iv11; + r21[2U] = iv21; + r21[3U] = iv31; + r31[0U] = iv41; + r31[1U] = iv51; + r31[2U] = iv61; + r31[3U] = iv71; + uint32_t kk_shift_81 = 
(uint32_t)0U; + uint32_t iv0_0 = iv01 ^ ((uint32_t)0x01010000U ^ (kk_shift_81 ^ (uint32_t)32U)); + r01[0U] = iv0_0; + r01[1U] = iv11; + r01[2U] = iv21; + r01[3U] = iv31; + r11[0U] = iv41; + r11[1U] = iv51; + r11[2U] = iv61; + r11[3U] = iv71; + uint64_t ev = (uint64_t)0U; + uint64_t ev10; + if (data_len == (uint32_t)0U) + { + uint64_t + ev1 = Hacl_Hash_Blake2_update_last_blake2s_32(s0, ev, (uint64_t)0U, ipad, (uint32_t)64U); + ev10 = ev1; + } + else + { + uint64_t ev1 = Hacl_Hash_Blake2_update_multi_blake2s_32(s0, ev, ipad, (uint32_t)1U); + uint64_t + ev2 = Hacl_Hash_Blake2_update_last_blake2s_32(s0, ev1, (uint64_t)(uint32_t)64U, data, data_len); + ev10 = ev2; + } + Hacl_Hash_Core_Blake2_finish_blake2s_32(s0, ev10, dst1); + uint8_t *hash1 = ipad; + uint32_t *r0 = s0 + (uint32_t)0U * (uint32_t)4U; + uint32_t *r1 = s0 + (uint32_t)1U * (uint32_t)4U; + uint32_t *r2 = s0 + (uint32_t)2U * (uint32_t)4U; + uint32_t *r3 = s0 + (uint32_t)3U * (uint32_t)4U; + uint32_t iv0 = Hacl_Impl_Blake2_Constants_ivTable_S[0U]; + uint32_t iv1 = Hacl_Impl_Blake2_Constants_ivTable_S[1U]; + uint32_t iv2 = Hacl_Impl_Blake2_Constants_ivTable_S[2U]; + uint32_t iv3 = Hacl_Impl_Blake2_Constants_ivTable_S[3U]; + uint32_t iv4 = Hacl_Impl_Blake2_Constants_ivTable_S[4U]; + uint32_t iv5 = Hacl_Impl_Blake2_Constants_ivTable_S[5U]; + uint32_t iv6 = Hacl_Impl_Blake2_Constants_ivTable_S[6U]; + uint32_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + uint32_t kk_shift_8 = (uint32_t)0U; + uint32_t iv0_1 = iv0 ^ ((uint32_t)0x01010000U ^ (kk_shift_8 ^ (uint32_t)32U)); + r0[0U] = iv0_1; + r0[1U] = iv1; + r0[2U] = iv2; + r0[3U] = iv3; + r1[0U] = iv4; + r1[1U] = iv5; + r1[2U] = iv6; + r1[3U] = iv7; + uint64_t ev0 = (uint64_t)0U; + uint64_t ev11; + if ((uint32_t)32U == (uint32_t)0U) + { + uint64_t + ev1 = Hacl_Hash_Blake2_update_last_blake2s_32(s0, ev0, (uint64_t)0U, opad, 
(uint32_t)64U); + ev11 = ev1; + } + else + { + uint64_t ev1 = Hacl_Hash_Blake2_update_multi_blake2s_32(s0, ev0, opad, (uint32_t)1U); + uint64_t + ev2 = + Hacl_Hash_Blake2_update_last_blake2s_32(s0, + ev1, + (uint64_t)(uint32_t)64U, + hash1, + (uint32_t)32U); + ev11 = ev2; + } + Hacl_Hash_Core_Blake2_finish_blake2s_32(s0, ev11, dst); +} + +void +EverCrypt_HMAC_compute_blake2b( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)128U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t key_block[l]; + memset(key_block, 0U, l * sizeof (uint8_t)); + uint32_t i0; + if (key_len <= (uint32_t)128U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)64U; + } + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)128U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_Blake2_hash_blake2b_32(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t ipad[l]; + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t opad[l]; + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + uint64_t s[16U] = { 0U }; + uint64_t *r00 = s + (uint32_t)0U * (uint32_t)4U; + uint64_t *r10 = s + (uint32_t)1U * (uint32_t)4U; + uint64_t *r20 = s + (uint32_t)2U * (uint32_t)4U; + uint64_t *r30 = s + (uint32_t)3U * (uint32_t)4U; + uint64_t iv00 = Hacl_Impl_Blake2_Constants_ivTable_B[0U]; + uint64_t iv10 = Hacl_Impl_Blake2_Constants_ivTable_B[1U]; + uint64_t iv20 = Hacl_Impl_Blake2_Constants_ivTable_B[2U]; + uint64_t iv30 = Hacl_Impl_Blake2_Constants_ivTable_B[3U]; + uint64_t iv40 = Hacl_Impl_Blake2_Constants_ivTable_B[4U]; + uint64_t iv50 = Hacl_Impl_Blake2_Constants_ivTable_B[5U]; + uint64_t 
iv60 = Hacl_Impl_Blake2_Constants_ivTable_B[6U]; + uint64_t iv70 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; + r20[0U] = iv00; + r20[1U] = iv10; + r20[2U] = iv20; + r20[3U] = iv30; + r30[0U] = iv40; + r30[1U] = iv50; + r30[2U] = iv60; + r30[3U] = iv70; + uint64_t kk_shift_80 = (uint64_t)(uint32_t)0U << (uint32_t)8U; + uint64_t iv0_ = iv00 ^ ((uint64_t)0x01010000U ^ (kk_shift_80 ^ (uint64_t)(uint32_t)64U)); + r00[0U] = iv0_; + r00[1U] = iv10; + r00[2U] = iv20; + r00[3U] = iv30; + r10[0U] = iv40; + r10[1U] = iv50; + r10[2U] = iv60; + r10[3U] = iv70; + FStar_UInt128_uint128 es = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + K____uint64_t__FStar_UInt128_uint128 scrut = { .fst = s, .snd = es }; + uint64_t *s0 = scrut.fst; + uint8_t *dst1 = ipad; + uint64_t *r01 = s0 + (uint32_t)0U * (uint32_t)4U; + uint64_t *r11 = s0 + (uint32_t)1U * (uint32_t)4U; + uint64_t *r21 = s0 + (uint32_t)2U * (uint32_t)4U; + uint64_t *r31 = s0 + (uint32_t)3U * (uint32_t)4U; + uint64_t iv01 = Hacl_Impl_Blake2_Constants_ivTable_B[0U]; + uint64_t iv11 = Hacl_Impl_Blake2_Constants_ivTable_B[1U]; + uint64_t iv21 = Hacl_Impl_Blake2_Constants_ivTable_B[2U]; + uint64_t iv31 = Hacl_Impl_Blake2_Constants_ivTable_B[3U]; + uint64_t iv41 = Hacl_Impl_Blake2_Constants_ivTable_B[4U]; + uint64_t iv51 = Hacl_Impl_Blake2_Constants_ivTable_B[5U]; + uint64_t iv61 = Hacl_Impl_Blake2_Constants_ivTable_B[6U]; + uint64_t iv71 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; + r21[0U] = iv01; + r21[1U] = iv11; + r21[2U] = iv21; + r21[3U] = iv31; + r31[0U] = iv41; + r31[1U] = iv51; + r31[2U] = iv61; + r31[3U] = iv71; + uint64_t kk_shift_81 = (uint64_t)(uint32_t)0U << (uint32_t)8U; + uint64_t iv0_0 = iv01 ^ ((uint64_t)0x01010000U ^ (kk_shift_81 ^ (uint64_t)(uint32_t)64U)); + r01[0U] = iv0_0; + r01[1U] = iv11; + r01[2U] = iv21; + r01[3U] = iv31; + r11[0U] = iv41; + r11[1U] = iv51; + r11[2U] = iv61; + r11[3U] = iv71; + FStar_UInt128_uint128 ev = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + FStar_UInt128_uint128 ev10; + if 
(data_len == (uint32_t)0U) + { + FStar_UInt128_uint128 + ev1 = + Hacl_Hash_Blake2_update_last_blake2b_32(s0, + ev, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + ipad, + (uint32_t)128U); + ev10 = ev1; + } + else + { + FStar_UInt128_uint128 + ev1 = Hacl_Hash_Blake2_update_multi_blake2b_32(s0, ev, ipad, (uint32_t)1U); + FStar_UInt128_uint128 + ev2 = + Hacl_Hash_Blake2_update_last_blake2b_32(s0, + ev1, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + data, + data_len); + ev10 = ev2; + } + Hacl_Hash_Core_Blake2_finish_blake2b_32(s0, ev10, dst1); + uint8_t *hash1 = ipad; + uint64_t *r0 = s0 + (uint32_t)0U * (uint32_t)4U; + uint64_t *r1 = s0 + (uint32_t)1U * (uint32_t)4U; + uint64_t *r2 = s0 + (uint32_t)2U * (uint32_t)4U; + uint64_t *r3 = s0 + (uint32_t)3U * (uint32_t)4U; + uint64_t iv0 = Hacl_Impl_Blake2_Constants_ivTable_B[0U]; + uint64_t iv1 = Hacl_Impl_Blake2_Constants_ivTable_B[1U]; + uint64_t iv2 = Hacl_Impl_Blake2_Constants_ivTable_B[2U]; + uint64_t iv3 = Hacl_Impl_Blake2_Constants_ivTable_B[3U]; + uint64_t iv4 = Hacl_Impl_Blake2_Constants_ivTable_B[4U]; + uint64_t iv5 = Hacl_Impl_Blake2_Constants_ivTable_B[5U]; + uint64_t iv6 = Hacl_Impl_Blake2_Constants_ivTable_B[6U]; + uint64_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + uint64_t kk_shift_8 = (uint64_t)(uint32_t)0U << (uint32_t)8U; + uint64_t iv0_1 = iv0 ^ ((uint64_t)0x01010000U ^ (kk_shift_8 ^ (uint64_t)(uint32_t)64U)); + r0[0U] = iv0_1; + r0[1U] = iv1; + r0[2U] = iv2; + r0[3U] = iv3; + r1[0U] = iv4; + r1[1U] = iv5; + r1[2U] = iv6; + r1[3U] = iv7; + FStar_UInt128_uint128 ev0 = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + FStar_UInt128_uint128 ev11; + if ((uint32_t)64U == (uint32_t)0U) + { + FStar_UInt128_uint128 + ev1 = + Hacl_Hash_Blake2_update_last_blake2b_32(s0, + ev0, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + opad, + (uint32_t)128U); + ev11 = 
ev1; + } + else + { + FStar_UInt128_uint128 + ev1 = Hacl_Hash_Blake2_update_multi_blake2b_32(s0, ev0, opad, (uint32_t)1U); + FStar_UInt128_uint128 + ev2 = + Hacl_Hash_Blake2_update_last_blake2b_32(s0, + ev1, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + hash1, + (uint32_t)64U); + ev11 = ev2; + } + Hacl_Hash_Core_Blake2_finish_blake2b_32(s0, ev11, dst); +} + +bool EverCrypt_HMAC_is_supported_alg(Spec_Hash_Definitions_hash_alg uu___) +{ + switch (uu___) + { + case Spec_Hash_Definitions_SHA1: + { + return true; + } + case Spec_Hash_Definitions_SHA2_256: + { + return true; + } + case Spec_Hash_Definitions_SHA2_384: + { + return true; + } + case Spec_Hash_Definitions_SHA2_512: + { + return true; + } + case Spec_Hash_Definitions_Blake2S: + { + return true; + } + case Spec_Hash_Definitions_Blake2B: + { + return true; + } + default: + { + return false; + } + } +} + +void +EverCrypt_HMAC_compute( + Spec_Hash_Definitions_hash_alg a, + uint8_t *mac, + uint8_t *key, + uint32_t keylen, + uint8_t *data, + uint32_t datalen +) +{ + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + EverCrypt_HMAC_compute_sha1(mac, key, keylen, data, datalen); + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + EverCrypt_HMAC_compute_sha2_256(mac, key, keylen, data, datalen); + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + EverCrypt_HMAC_compute_sha2_384(mac, key, keylen, data, datalen); + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + EverCrypt_HMAC_compute_sha2_512(mac, key, keylen, data, datalen); + break; + } + case Spec_Hash_Definitions_Blake2S: + { + EverCrypt_HMAC_compute_blake2s(mac, key, keylen, data, datalen); + break; + } + case Spec_Hash_Definitions_Blake2B: + { + EverCrypt_HMAC_compute_blake2b(mac, key, keylen, data, datalen); + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + 
diff --git a/src/EverCrypt_Hash.c b/src/EverCrypt_Hash.c new file mode 100644 index 00000000..5ad6288b --- /dev/null +++ b/src/EverCrypt_Hash.c 
@@ -0,0 +1,2012 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_Hash.h" + +#include "internal/Vale.h" +#include "internal/Hacl_Hash_SHA2.h" +#include "internal/Hacl_Hash_SHA1.h" +#include "internal/Hacl_Hash_MD5.h" +#include "internal/Hacl_Hash_Blake2.h" + +C_String_t EverCrypt_Hash_string_of_alg(Spec_Hash_Definitions_hash_alg uu___) +{ + switch (uu___) + { + case Spec_Hash_Definitions_MD5: + { + return "MD5"; + } + case Spec_Hash_Definitions_SHA1: + { + return "SHA1"; + } + case Spec_Hash_Definitions_SHA2_224: + { + return "SHA2_224"; + } + case Spec_Hash_Definitions_SHA2_256: + { + return "SHA2_256"; + } + case Spec_Hash_Definitions_SHA2_384: + { + return "SHA2_384"; + } + case Spec_Hash_Definitions_SHA2_512: + { + return "SHA2_512"; + } + case Spec_Hash_Definitions_Blake2S: + { + return "Blake2S"; + } + case Spec_Hash_Definitions_Blake2B: + { + return "Blake2B"; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +bool +EverCrypt_Hash_uu___is_MD5_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +) +{ + if (projectee.tag == EverCrypt_Hash_MD5_s) + { + return true; + } + return false; +} + +bool +EverCrypt_Hash_uu___is_SHA1_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +) +{ + if (projectee.tag == EverCrypt_Hash_SHA1_s) + { + return true; + } + return false; +} + +bool +EverCrypt_Hash_uu___is_SHA2_224_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +) +{ + if (projectee.tag == EverCrypt_Hash_SHA2_224_s) + { + return true; + } + return false; +} + +bool +EverCrypt_Hash_uu___is_SHA2_256_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +) +{ + if (projectee.tag == EverCrypt_Hash_SHA2_256_s) + { + return true; + } + return false; +} + +bool +EverCrypt_Hash_uu___is_SHA2_384_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +) +{ + if (projectee.tag == 
EverCrypt_Hash_SHA2_384_s) + { + return true; + } + return false; +} + +bool +EverCrypt_Hash_uu___is_SHA2_512_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +) +{ + if (projectee.tag == EverCrypt_Hash_SHA2_512_s) + { + return true; + } + return false; +} + +bool +EverCrypt_Hash_uu___is_Blake2S_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +) +{ + if (projectee.tag == EverCrypt_Hash_Blake2S_s) + { + return true; + } + return false; +} + +bool +EverCrypt_Hash_uu___is_Blake2B_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +) +{ + if (projectee.tag == EverCrypt_Hash_Blake2B_s) + { + return true; + } + return false; +} + +Spec_Hash_Definitions_hash_alg EverCrypt_Hash_alg_of_state(EverCrypt_Hash_state_s *s) +{ + EverCrypt_Hash_state_s scrut = *s; + if (scrut.tag == EverCrypt_Hash_MD5_s) + { + return Spec_Hash_Definitions_MD5; + } + if (scrut.tag == EverCrypt_Hash_SHA1_s) + { + return Spec_Hash_Definitions_SHA1; + } + if (scrut.tag == EverCrypt_Hash_SHA2_224_s) + { + return Spec_Hash_Definitions_SHA2_224; + } + if (scrut.tag == EverCrypt_Hash_SHA2_256_s) + { + return Spec_Hash_Definitions_SHA2_256; + } + if (scrut.tag == EverCrypt_Hash_SHA2_384_s) + { + return Spec_Hash_Definitions_SHA2_384; + } + if (scrut.tag == EverCrypt_Hash_SHA2_512_s) + { + return Spec_Hash_Definitions_SHA2_512; + } + if (scrut.tag == EverCrypt_Hash_Blake2S_s) + { + return Spec_Hash_Definitions_Blake2S; + } + if (scrut.tag == EverCrypt_Hash_Blake2B_s) + { + return Spec_Hash_Definitions_Blake2B; + } + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +EverCrypt_Hash_state_s *EverCrypt_Hash_create_in(Spec_Hash_Definitions_hash_alg a) +{ + EverCrypt_Hash_state_s s; + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + uint32_t *buf = KRML_HOST_CALLOC((uint32_t)4U, sizeof (uint32_t)); + s = 
((EverCrypt_Hash_state_s){ .tag = EverCrypt_Hash_MD5_s, { .case_MD5_s = buf } }); + break; + } + case Spec_Hash_Definitions_SHA1: + { + uint32_t *buf = KRML_HOST_CALLOC((uint32_t)5U, sizeof (uint32_t)); + s = ((EverCrypt_Hash_state_s){ .tag = EverCrypt_Hash_SHA1_s, { .case_SHA1_s = buf } }); + break; + } + case Spec_Hash_Definitions_SHA2_224: + { + uint32_t *buf = KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); + s = + ((EverCrypt_Hash_state_s){ .tag = EverCrypt_Hash_SHA2_224_s, { .case_SHA2_224_s = buf } }); + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + uint32_t *buf = KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); + s = + ((EverCrypt_Hash_state_s){ .tag = EverCrypt_Hash_SHA2_256_s, { .case_SHA2_256_s = buf } }); + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + uint64_t *buf = KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint64_t)); + s = + ((EverCrypt_Hash_state_s){ .tag = EverCrypt_Hash_SHA2_384_s, { .case_SHA2_384_s = buf } }); + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + uint64_t *buf = KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint64_t)); + s = + ((EverCrypt_Hash_state_s){ .tag = EverCrypt_Hash_SHA2_512_s, { .case_SHA2_512_s = buf } }); + break; + } + case Spec_Hash_Definitions_Blake2S: + { + uint32_t *buf = KRML_HOST_CALLOC((uint32_t)16U, sizeof (uint32_t)); + s = ((EverCrypt_Hash_state_s){ .tag = EverCrypt_Hash_Blake2S_s, { .case_Blake2S_s = buf } }); + break; + } + case Spec_Hash_Definitions_Blake2B: + { + uint64_t *buf = KRML_HOST_CALLOC((uint32_t)16U, sizeof (uint64_t)); + s = ((EverCrypt_Hash_state_s){ .tag = EverCrypt_Hash_Blake2B_s, { .case_Blake2B_s = buf } }); + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + KRML_CHECK_SIZE(sizeof (EverCrypt_Hash_state_s), (uint32_t)1U); + EverCrypt_Hash_state_s *buf = KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + buf[0U] = s; + return buf; +} + +EverCrypt_Hash_state_s 
*EverCrypt_Hash_create(Spec_Hash_Definitions_hash_alg a) +{ + return EverCrypt_Hash_create_in(a); +} + +void EverCrypt_Hash_init(EverCrypt_Hash_state_s *s) +{ + EverCrypt_Hash_state_s scrut = *s; + if (scrut.tag == EverCrypt_Hash_MD5_s) + { + uint32_t *p1 = scrut.case_MD5_s; + Hacl_Hash_Core_MD5_legacy_init(p1); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA1_s) + { + uint32_t *p1 = scrut.case_SHA1_s; + Hacl_Hash_Core_SHA1_legacy_init(p1); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_224_s) + { + uint32_t *p1 = scrut.case_SHA2_224_s; + Hacl_Hash_Core_SHA2_init_224(p1); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_256_s) + { + uint32_t *p1 = scrut.case_SHA2_256_s; + Hacl_Hash_Core_SHA2_init_256(p1); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_384_s) + { + uint64_t *p1 = scrut.case_SHA2_384_s; + Hacl_Hash_Core_SHA2_init_384(p1); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_512_s) + { + uint64_t *p1 = scrut.case_SHA2_512_s; + Hacl_Hash_Core_SHA2_init_512(p1); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2S_s) + { + uint32_t *p1 = scrut.case_Blake2S_s; + uint32_t *r0 = p1 + (uint32_t)0U * (uint32_t)4U; + uint32_t *r1 = p1 + (uint32_t)1U * (uint32_t)4U; + uint32_t *r2 = p1 + (uint32_t)2U * (uint32_t)4U; + uint32_t *r3 = p1 + (uint32_t)3U * (uint32_t)4U; + uint32_t iv0 = Hacl_Impl_Blake2_Constants_ivTable_S[0U]; + uint32_t iv1 = Hacl_Impl_Blake2_Constants_ivTable_S[1U]; + uint32_t iv2 = Hacl_Impl_Blake2_Constants_ivTable_S[2U]; + uint32_t iv3 = Hacl_Impl_Blake2_Constants_ivTable_S[3U]; + uint32_t iv4 = Hacl_Impl_Blake2_Constants_ivTable_S[4U]; + uint32_t iv5 = Hacl_Impl_Blake2_Constants_ivTable_S[5U]; + uint32_t iv6 = Hacl_Impl_Blake2_Constants_ivTable_S[6U]; + uint32_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + uint32_t kk_shift_8 = (uint32_t)0U; + uint32_t iv0_ = iv0 ^ ((uint32_t)0x01010000U 
^ (kk_shift_8 ^ (uint32_t)32U)); + r0[0U] = iv0_; + r0[1U] = iv1; + r0[2U] = iv2; + r0[3U] = iv3; + r1[0U] = iv4; + r1[1U] = iv5; + r1[2U] = iv6; + r1[3U] = iv7; + uint64_t uu____0 = (uint64_t)0U; + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2B_s) + { + uint64_t *p1 = scrut.case_Blake2B_s; + uint64_t *r0 = p1 + (uint32_t)0U * (uint32_t)4U; + uint64_t *r1 = p1 + (uint32_t)1U * (uint32_t)4U; + uint64_t *r2 = p1 + (uint32_t)2U * (uint32_t)4U; + uint64_t *r3 = p1 + (uint32_t)3U * (uint32_t)4U; + uint64_t iv0 = Hacl_Impl_Blake2_Constants_ivTable_B[0U]; + uint64_t iv1 = Hacl_Impl_Blake2_Constants_ivTable_B[1U]; + uint64_t iv2 = Hacl_Impl_Blake2_Constants_ivTable_B[2U]; + uint64_t iv3 = Hacl_Impl_Blake2_Constants_ivTable_B[3U]; + uint64_t iv4 = Hacl_Impl_Blake2_Constants_ivTable_B[4U]; + uint64_t iv5 = Hacl_Impl_Blake2_Constants_ivTable_B[5U]; + uint64_t iv6 = Hacl_Impl_Blake2_Constants_ivTable_B[6U]; + uint64_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + uint64_t kk_shift_8 = (uint64_t)(uint32_t)0U << (uint32_t)8U; + uint64_t iv0_ = iv0 ^ ((uint64_t)0x01010000U ^ (kk_shift_8 ^ (uint64_t)(uint32_t)64U)); + r0[0U] = iv0_; + r0[1U] = iv1; + r0[2U] = iv2; + r0[3U] = iv3; + r1[0U] = iv4; + r1[1U] = iv5; + r1[2U] = iv6; + r1[3U] = iv7; + FStar_UInt128_uint128 uu____1 = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + return; + } + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +static uint32_t +k224_256[64U] = + { + (uint32_t)0x428a2f98U, (uint32_t)0x71374491U, (uint32_t)0xb5c0fbcfU, (uint32_t)0xe9b5dba5U, + (uint32_t)0x3956c25bU, (uint32_t)0x59f111f1U, (uint32_t)0x923f82a4U, (uint32_t)0xab1c5ed5U, + (uint32_t)0xd807aa98U, (uint32_t)0x12835b01U, (uint32_t)0x243185beU, (uint32_t)0x550c7dc3U, + (uint32_t)0x72be5d74U, 
(uint32_t)0x80deb1feU, (uint32_t)0x9bdc06a7U, (uint32_t)0xc19bf174U, + (uint32_t)0xe49b69c1U, (uint32_t)0xefbe4786U, (uint32_t)0x0fc19dc6U, (uint32_t)0x240ca1ccU, + (uint32_t)0x2de92c6fU, (uint32_t)0x4a7484aaU, (uint32_t)0x5cb0a9dcU, (uint32_t)0x76f988daU, + (uint32_t)0x983e5152U, (uint32_t)0xa831c66dU, (uint32_t)0xb00327c8U, (uint32_t)0xbf597fc7U, + (uint32_t)0xc6e00bf3U, (uint32_t)0xd5a79147U, (uint32_t)0x06ca6351U, (uint32_t)0x14292967U, + (uint32_t)0x27b70a85U, (uint32_t)0x2e1b2138U, (uint32_t)0x4d2c6dfcU, (uint32_t)0x53380d13U, + (uint32_t)0x650a7354U, (uint32_t)0x766a0abbU, (uint32_t)0x81c2c92eU, (uint32_t)0x92722c85U, + (uint32_t)0xa2bfe8a1U, (uint32_t)0xa81a664bU, (uint32_t)0xc24b8b70U, (uint32_t)0xc76c51a3U, + (uint32_t)0xd192e819U, (uint32_t)0xd6990624U, (uint32_t)0xf40e3585U, (uint32_t)0x106aa070U, + (uint32_t)0x19a4c116U, (uint32_t)0x1e376c08U, (uint32_t)0x2748774cU, (uint32_t)0x34b0bcb5U, + (uint32_t)0x391c0cb3U, (uint32_t)0x4ed8aa4aU, (uint32_t)0x5b9cca4fU, (uint32_t)0x682e6ff3U, + (uint32_t)0x748f82eeU, (uint32_t)0x78a5636fU, (uint32_t)0x84c87814U, (uint32_t)0x8cc70208U, + (uint32_t)0x90befffaU, (uint32_t)0xa4506cebU, (uint32_t)0xbef9a3f7U, (uint32_t)0xc67178f2U + }; + +void EverCrypt_Hash_update_multi_256(uint32_t *s, uint8_t *blocks, uint32_t n) +{ + bool has_shaext = EverCrypt_AutoConfig2_has_shaext(); + bool has_sse = EverCrypt_AutoConfig2_has_sse(); + #if HACL_CAN_COMPILE_VALE + if (has_shaext && has_sse) + { + uint64_t n1 = (uint64_t)n; + uint64_t scrut = sha256_update(s, blocks, n1, k224_256); + return; + } + #endif + Hacl_Hash_SHA2_update_multi_256(s, blocks, n); +} + +void EverCrypt_Hash_update2(EverCrypt_Hash_state_s *s, uint64_t prevlen, uint8_t *block) +{ + EverCrypt_Hash_state_s scrut = *s; + if (scrut.tag == EverCrypt_Hash_MD5_s) + { + uint32_t *p1 = scrut.case_MD5_s; + Hacl_Hash_Core_MD5_legacy_update(p1, block); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA1_s) + { + uint32_t *p1 = scrut.case_SHA1_s; + 
Hacl_Hash_Core_SHA1_legacy_update(p1, block); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_224_s) + { + uint32_t *p1 = scrut.case_SHA2_224_s; + EverCrypt_Hash_update_multi_256(p1, block, (uint32_t)1U); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_256_s) + { + uint32_t *p1 = scrut.case_SHA2_256_s; + EverCrypt_Hash_update_multi_256(p1, block, (uint32_t)1U); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_384_s) + { + uint64_t *p1 = scrut.case_SHA2_384_s; + Hacl_Hash_Core_SHA2_update_384(p1, block); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_512_s) + { + uint64_t *p1 = scrut.case_SHA2_512_s; + Hacl_Hash_Core_SHA2_update_512(p1, block); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2S_s) + { + uint32_t *p1 = scrut.case_Blake2S_s; + uint64_t uu____0 = Hacl_Hash_Core_Blake2_update_blake2s_32(p1, prevlen, block); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2B_s) + { + uint64_t *p1 = scrut.case_Blake2B_s; + FStar_UInt128_uint128 + uu____1 = + Hacl_Hash_Core_Blake2_update_blake2b_32(p1, + FStar_UInt128_uint64_to_uint128(prevlen), + block); + return; + } + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +KRML_DEPRECATED("Use update2 instead") + +void EverCrypt_Hash_update(EverCrypt_Hash_state_s *s, uint8_t *block) +{ + EverCrypt_Hash_update2(s, (uint64_t)0U, block); +} + +void +EverCrypt_Hash_update_multi2( + EverCrypt_Hash_state_s *s, + uint64_t prevlen, + uint8_t *blocks, + uint32_t len +) +{ + EverCrypt_Hash_state_s scrut = *s; + if (scrut.tag == EverCrypt_Hash_MD5_s) + { + uint32_t *p1 = scrut.case_MD5_s; + uint32_t n = len / (uint32_t)64U; + Hacl_Hash_MD5_legacy_update_multi(p1, blocks, n); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA1_s) + { + uint32_t *p1 = scrut.case_SHA1_s; + uint32_t n = len / (uint32_t)64U; + Hacl_Hash_SHA1_legacy_update_multi(p1, blocks, n); + return; + } + if (scrut.tag == 
EverCrypt_Hash_SHA2_224_s) + { + uint32_t *p1 = scrut.case_SHA2_224_s; + uint32_t n = len / (uint32_t)64U; + EverCrypt_Hash_update_multi_256(p1, blocks, n); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_256_s) + { + uint32_t *p1 = scrut.case_SHA2_256_s; + uint32_t n = len / (uint32_t)64U; + EverCrypt_Hash_update_multi_256(p1, blocks, n); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_384_s) + { + uint64_t *p1 = scrut.case_SHA2_384_s; + uint32_t n = len / (uint32_t)128U; + Hacl_Hash_SHA2_update_multi_384(p1, blocks, n); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_512_s) + { + uint64_t *p1 = scrut.case_SHA2_512_s; + uint32_t n = len / (uint32_t)128U; + Hacl_Hash_SHA2_update_multi_512(p1, blocks, n); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2S_s) + { + uint32_t *p1 = scrut.case_Blake2S_s; + uint32_t n = len / (uint32_t)64U; + uint64_t uu____0 = Hacl_Hash_Blake2_update_multi_blake2s_32(p1, prevlen, blocks, n); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2B_s) + { + uint64_t *p1 = scrut.case_Blake2B_s; + uint32_t n = len / (uint32_t)128U; + FStar_UInt128_uint128 + uu____1 = + Hacl_Hash_Blake2_update_multi_blake2b_32(p1, + FStar_UInt128_uint64_to_uint128(prevlen), + blocks, + n); + return; + } + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +KRML_DEPRECATED("Use update_multi2 instead") + +void EverCrypt_Hash_update_multi(EverCrypt_Hash_state_s *s, uint8_t *blocks, uint32_t len) +{ + EverCrypt_Hash_update_multi2(s, (uint64_t)0U, blocks, len); +} + +void +EverCrypt_Hash_update_last_256( + uint32_t *s, + uint64_t input, + uint8_t *input_len, + uint32_t input_len1 +) +{ + uint32_t blocks_n = input_len1 / (uint32_t)64U; + uint32_t blocks_len = blocks_n * (uint32_t)64U; + uint8_t *blocks = input_len; + uint32_t rest_len = input_len1 - blocks_len; + uint8_t *rest = input_len + blocks_len; + 
EverCrypt_Hash_update_multi_256(s, blocks, blocks_n); + uint64_t total_input_len = input + (uint64_t)input_len1; + uint32_t + pad_len = + (uint32_t)1U + + + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(total_input_len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U + + (uint32_t)8U; + uint32_t tmp_len = rest_len + pad_len; + uint8_t tmp_twoblocks[128U] = { 0U }; + uint8_t *tmp = tmp_twoblocks; + uint8_t *tmp_rest = tmp; + uint8_t *tmp_pad = tmp + rest_len; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + Hacl_Hash_Core_SHA2_pad_256(total_input_len, tmp_pad); + EverCrypt_Hash_update_multi_256(s, tmp, tmp_len / (uint32_t)64U); +} + +void +EverCrypt_Hash_update_last2( + EverCrypt_Hash_state_s *s, + uint64_t prev_len, + uint8_t *last, + uint32_t last_len +) +{ + EverCrypt_Hash_state_s scrut = *s; + if (scrut.tag == EverCrypt_Hash_MD5_s) + { + uint32_t *p1 = scrut.case_MD5_s; + Hacl_Hash_MD5_legacy_update_last(p1, prev_len, last, last_len); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA1_s) + { + uint32_t *p1 = scrut.case_SHA1_s; + Hacl_Hash_SHA1_legacy_update_last(p1, prev_len, last, last_len); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_224_s) + { + uint32_t *p1 = scrut.case_SHA2_224_s; + EverCrypt_Hash_update_last_256(p1, prev_len, last, last_len); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_256_s) + { + uint32_t *p1 = scrut.case_SHA2_256_s; + EverCrypt_Hash_update_last_256(p1, prev_len, last, last_len); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_384_s) + { + uint64_t *p1 = scrut.case_SHA2_384_s; + Hacl_Hash_SHA2_update_last_384(p1, FStar_UInt128_uint64_to_uint128(prev_len), last, last_len); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_512_s) + { + uint64_t *p1 = scrut.case_SHA2_512_s; + Hacl_Hash_SHA2_update_last_512(p1, FStar_UInt128_uint64_to_uint128(prev_len), last, last_len); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2S_s) + { + uint32_t *p1 = scrut.case_Blake2S_s; + uint64_t x = 
Hacl_Hash_Blake2_update_last_blake2s_32(p1, prev_len, prev_len, last, last_len); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2B_s) + { + uint64_t *p1 = scrut.case_Blake2B_s; + FStar_UInt128_uint128 + x = + Hacl_Hash_Blake2_update_last_blake2b_32(p1, + FStar_UInt128_uint64_to_uint128(prev_len), + FStar_UInt128_uint64_to_uint128(prev_len), + last, + last_len); + return; + } + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +KRML_DEPRECATED("Use update_last2 instead") + +void EverCrypt_Hash_update_last(EverCrypt_Hash_state_s *s, uint8_t *last, uint64_t total_len) +{ + Spec_Hash_Definitions_hash_alg a = EverCrypt_Hash_alg_of_state(s); + uint32_t sw; + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + sw = (uint32_t)64U; + break; + } + case Spec_Hash_Definitions_SHA1: + { + sw = (uint32_t)64U; + break; + } + case Spec_Hash_Definitions_SHA2_224: + { + sw = (uint32_t)64U; + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + sw = (uint32_t)64U; + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + sw = (uint32_t)128U; + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + sw = (uint32_t)128U; + break; + } + case Spec_Hash_Definitions_Blake2S: + { + sw = (uint32_t)64U; + break; + } + case Spec_Hash_Definitions_Blake2B: + { + sw = (uint32_t)128U; + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + uint64_t last_len = total_len % (uint64_t)sw; + uint64_t prev_len = total_len - last_len; + EverCrypt_Hash_update_last2(s, prev_len, last, (uint32_t)last_len); +} + +void EverCrypt_Hash_finish(EverCrypt_Hash_state_s *s, uint8_t *dst) +{ + EverCrypt_Hash_state_s scrut = *s; + if (scrut.tag == EverCrypt_Hash_MD5_s) + { + uint32_t *p1 = scrut.case_MD5_s; + Hacl_Hash_Core_MD5_legacy_finish(p1, dst); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA1_s) + { + 
uint32_t *p1 = scrut.case_SHA1_s; + Hacl_Hash_Core_SHA1_legacy_finish(p1, dst); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_224_s) + { + uint32_t *p1 = scrut.case_SHA2_224_s; + Hacl_Hash_Core_SHA2_finish_224(p1, dst); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_256_s) + { + uint32_t *p1 = scrut.case_SHA2_256_s; + Hacl_Hash_Core_SHA2_finish_256(p1, dst); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_384_s) + { + uint64_t *p1 = scrut.case_SHA2_384_s; + Hacl_Hash_Core_SHA2_finish_384(p1, dst); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_512_s) + { + uint64_t *p1 = scrut.case_SHA2_512_s; + Hacl_Hash_Core_SHA2_finish_512(p1, dst); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2S_s) + { + uint32_t *p1 = scrut.case_Blake2S_s; + Hacl_Hash_Core_Blake2_finish_blake2s_32(p1, (uint64_t)0U, dst); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2B_s) + { + uint64_t *p1 = scrut.case_Blake2B_s; + Hacl_Hash_Core_Blake2_finish_blake2b_32(p1, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + dst); + return; + } + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +void EverCrypt_Hash_free(EverCrypt_Hash_state_s *s) +{ + EverCrypt_Hash_state_s scrut = *s; + if (scrut.tag == EverCrypt_Hash_MD5_s) + { + uint32_t *p1 = scrut.case_MD5_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == EverCrypt_Hash_SHA1_s) + { + uint32_t *p1 = scrut.case_SHA1_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == EverCrypt_Hash_SHA2_224_s) + { + uint32_t *p1 = scrut.case_SHA2_224_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == EverCrypt_Hash_SHA2_256_s) + { + uint32_t *p1 = scrut.case_SHA2_256_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == EverCrypt_Hash_SHA2_384_s) + { + uint64_t *p1 = scrut.case_SHA2_384_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == EverCrypt_Hash_SHA2_512_s) + { + uint64_t *p1 = scrut.case_SHA2_512_s; + 
KRML_HOST_FREE(p1); + } + else if (scrut.tag == EverCrypt_Hash_Blake2S_s) + { + uint32_t *p1 = scrut.case_Blake2S_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == EverCrypt_Hash_Blake2B_s) + { + uint64_t *p1 = scrut.case_Blake2B_s; + KRML_HOST_FREE(p1); + } + else + { + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); + } + KRML_HOST_FREE(s); +} + +void EverCrypt_Hash_copy(EverCrypt_Hash_state_s *s_src, EverCrypt_Hash_state_s *s_dst) +{ + EverCrypt_Hash_state_s scrut = *s_src; + if (scrut.tag == EverCrypt_Hash_MD5_s) + { + uint32_t *p_src = scrut.case_MD5_s; + EverCrypt_Hash_state_s x1 = *s_dst; + uint32_t *p_dst; + if (x1.tag == EverCrypt_Hash_MD5_s) + { + p_dst = x1.case_MD5_s; + } + else + { + p_dst = KRML_EABORT(uint32_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, (uint32_t)4U * sizeof (uint32_t)); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA1_s) + { + uint32_t *p_src = scrut.case_SHA1_s; + EverCrypt_Hash_state_s x1 = *s_dst; + uint32_t *p_dst; + if (x1.tag == EverCrypt_Hash_SHA1_s) + { + p_dst = x1.case_SHA1_s; + } + else + { + p_dst = KRML_EABORT(uint32_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, (uint32_t)5U * sizeof (uint32_t)); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_224_s) + { + uint32_t *p_src = scrut.case_SHA2_224_s; + EverCrypt_Hash_state_s x1 = *s_dst; + uint32_t *p_dst; + if (x1.tag == EverCrypt_Hash_SHA2_224_s) + { + p_dst = x1.case_SHA2_224_s; + } + else + { + p_dst = KRML_EABORT(uint32_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, (uint32_t)8U * sizeof (uint32_t)); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_256_s) + { + uint32_t *p_src = scrut.case_SHA2_256_s; + EverCrypt_Hash_state_s x1 = *s_dst; + uint32_t *p_dst; + if (x1.tag == EverCrypt_Hash_SHA2_256_s) + { + p_dst = 
x1.case_SHA2_256_s; + } + else + { + p_dst = KRML_EABORT(uint32_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, (uint32_t)8U * sizeof (uint32_t)); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_384_s) + { + uint64_t *p_src = scrut.case_SHA2_384_s; + EverCrypt_Hash_state_s x1 = *s_dst; + uint64_t *p_dst; + if (x1.tag == EverCrypt_Hash_SHA2_384_s) + { + p_dst = x1.case_SHA2_384_s; + } + else + { + p_dst = KRML_EABORT(uint64_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, (uint32_t)8U * sizeof (uint64_t)); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_512_s) + { + uint64_t *p_src = scrut.case_SHA2_512_s; + EverCrypt_Hash_state_s x1 = *s_dst; + uint64_t *p_dst; + if (x1.tag == EverCrypt_Hash_SHA2_512_s) + { + p_dst = x1.case_SHA2_512_s; + } + else + { + p_dst = KRML_EABORT(uint64_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, (uint32_t)8U * sizeof (uint64_t)); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2S_s) + { + uint32_t *p_src = scrut.case_Blake2S_s; + EverCrypt_Hash_state_s x1 = *s_dst; + uint32_t *p_dst; + if (x1.tag == EverCrypt_Hash_Blake2S_s) + { + p_dst = x1.case_Blake2S_s; + } + else + { + p_dst = KRML_EABORT(uint32_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, (uint32_t)16U * sizeof (uint32_t)); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2B_s) + { + uint64_t *p_src = scrut.case_Blake2B_s; + EverCrypt_Hash_state_s x1 = *s_dst; + uint64_t *p_dst; + if (x1.tag == EverCrypt_Hash_Blake2B_s) + { + p_dst = x1.case_Blake2B_s; + } + else + { + p_dst = KRML_EABORT(uint64_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, (uint32_t)16U * sizeof (uint64_t)); + return; + } + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +void 
EverCrypt_Hash_hash_256(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + uint32_t + scrut[8U] = + { + (uint32_t)0x6a09e667U, (uint32_t)0xbb67ae85U, (uint32_t)0x3c6ef372U, (uint32_t)0xa54ff53aU, + (uint32_t)0x510e527fU, (uint32_t)0x9b05688cU, (uint32_t)0x1f83d9abU, (uint32_t)0x5be0cd19U + }; + uint32_t *s = scrut; + uint32_t blocks_n0 = input_len / (uint32_t)64U; + uint32_t blocks_n1; + if (input_len % (uint32_t)64U == (uint32_t)0U && blocks_n0 > (uint32_t)0U) + { + blocks_n1 = blocks_n0 - (uint32_t)1U; + } + else + { + blocks_n1 = blocks_n0; + } + uint32_t blocks_len0 = blocks_n1 * (uint32_t)64U; + uint8_t *blocks0 = input; + uint32_t rest_len0 = input_len - blocks_len0; + uint8_t *rest0 = input + blocks_len0; + uint32_t blocks_n = blocks_n1; + uint32_t blocks_len = blocks_len0; + uint8_t *blocks = blocks0; + uint32_t rest_len = rest_len0; + uint8_t *rest = rest0; + EverCrypt_Hash_update_multi_256(s, blocks, blocks_n); + EverCrypt_Hash_update_last_256(s, (uint64_t)blocks_len, rest, rest_len); + Hacl_Hash_Core_SHA2_finish_256(s, dst); +} + +void EverCrypt_Hash_hash_224(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + uint32_t + scrut[8U] = + { + (uint32_t)0xc1059ed8U, (uint32_t)0x367cd507U, (uint32_t)0x3070dd17U, (uint32_t)0xf70e5939U, + (uint32_t)0xffc00b31U, (uint32_t)0x68581511U, (uint32_t)0x64f98fa7U, (uint32_t)0xbefa4fa4U + }; + uint32_t *s = scrut; + uint32_t blocks_n0 = input_len / (uint32_t)64U; + uint32_t blocks_n1; + if (input_len % (uint32_t)64U == (uint32_t)0U && blocks_n0 > (uint32_t)0U) + { + blocks_n1 = blocks_n0 - (uint32_t)1U; + } + else + { + blocks_n1 = blocks_n0; + } + uint32_t blocks_len0 = blocks_n1 * (uint32_t)64U; + uint8_t *blocks0 = input; + uint32_t rest_len0 = input_len - blocks_len0; + uint8_t *rest0 = input + blocks_len0; + uint32_t blocks_n = blocks_n1; + uint32_t blocks_len = blocks_len0; + uint8_t *blocks = blocks0; + uint32_t rest_len = rest_len0; + uint8_t *rest = rest0; + EverCrypt_Hash_update_multi_256(s, blocks, 
blocks_n); + EverCrypt_Hash_update_last_256(s, (uint64_t)blocks_len, rest, rest_len); + Hacl_Hash_Core_SHA2_finish_224(s, dst); +} + +void +EverCrypt_Hash_hash( + Spec_Hash_Definitions_hash_alg a, + uint8_t *dst, + uint8_t *input, + uint32_t len +) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + Hacl_Hash_MD5_legacy_hash(input, len, dst); + break; + } + case Spec_Hash_Definitions_SHA1: + { + Hacl_Hash_SHA1_legacy_hash(input, len, dst); + break; + } + case Spec_Hash_Definitions_SHA2_224: + { + EverCrypt_Hash_hash_224(input, len, dst); + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + EverCrypt_Hash_hash_256(input, len, dst); + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + Hacl_Hash_SHA2_hash_384(input, len, dst); + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + Hacl_Hash_SHA2_hash_512(input, len, dst); + break; + } + case Spec_Hash_Definitions_Blake2S: + { + Hacl_Hash_Blake2_hash_blake2s_32(input, len, dst); + break; + } + case Spec_Hash_Definitions_Blake2B: + { + Hacl_Hash_Blake2_hash_blake2b_32(input, len, dst); + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +uint32_t EverCrypt_Hash_Incremental_hash_len(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + return (uint32_t)16U; + } + case Spec_Hash_Definitions_SHA1: + { + return (uint32_t)20U; + } + case Spec_Hash_Definitions_SHA2_224: + { + return (uint32_t)28U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_SHA2_384: + { + return (uint32_t)48U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_Blake2S: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_Blake2B: + { + return (uint32_t)64U; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} 
+ +uint32_t EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_SHA1: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_SHA2_224: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_SHA2_384: + { + return (uint32_t)128U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return (uint32_t)128U; + } + case Spec_Hash_Definitions_Blake2S: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_Blake2B: + { + return (uint32_t)128U; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ +*EverCrypt_Hash_Incremental_create_in(Spec_Hash_Definitions_hash_alg a) +{ + KRML_CHECK_SIZE(sizeof (uint8_t), EverCrypt_Hash_Incremental_block_len(a)); + uint8_t *buf = KRML_HOST_CALLOC(EverCrypt_Hash_Incremental_block_len(a), sizeof (uint8_t)); + EverCrypt_Hash_state_s *block_state = EverCrypt_Hash_create_in(a); + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ + s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____), + (uint32_t)1U); + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ + *p = KRML_HOST_MALLOC(sizeof (Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____)); + p[0U] = s; + EverCrypt_Hash_init(block_state); + return p; +} + +void +EverCrypt_Hash_Incremental_init(Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *s) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *s; + uint8_t *buf = scrut.buf; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + Spec_Hash_Definitions_hash_alg i = EverCrypt_Hash_alg_of_state(block_state); + 
EverCrypt_Hash_init(block_state); + s[0U] = + ( + (Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____){ + .block_state = block_state, + .buf = buf, + .total_len = (uint64_t)0U + } + ); +} + +void +EverCrypt_Hash_Incremental_update( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ s = *p; + EverCrypt_Hash_state_s *block_state = s.block_state; + uint64_t total_len = s.total_len; + Spec_Hash_Definitions_hash_alg i1 = EverCrypt_Hash_alg_of_state(block_state); + uint32_t sz; + if + ( + total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(i1) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + sz = EverCrypt_Hash_Incremental_block_len(i1); + } + else + { + sz = (uint32_t)(total_len % (uint64_t)EverCrypt_Hash_Incremental_block_len(i1)); + } + if (len <= EverCrypt_Hash_Incremental_block_len(i1) - sz) + { + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ s1 = *p; + EverCrypt_Hash_state_s *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + Spec_Hash_Definitions_hash_alg i2 = EverCrypt_Hash_alg_of_state(block_state1); + uint32_t sz1; + if + ( + total_len1 + % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = EverCrypt_Hash_Incremental_block_len(i2); + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2)); + } + uint8_t *buf2 = buf + sz1; + memcpy(buf2, data, len * sizeof (uint8_t)); + uint64_t total_len2 = total_len1 + (uint64_t)len; + *p + = + ( + (Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len2 + } + ); + return; + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ s1 = *p; + EverCrypt_Hash_state_s *block_state1 = s1.block_state; + uint8_t *buf = 
s1.buf; + uint64_t total_len1 = s1.total_len; + Spec_Hash_Definitions_hash_alg i2 = EverCrypt_Hash_alg_of_state(block_state1); + uint32_t sz1; + if + ( + total_len1 + % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = EverCrypt_Hash_Incremental_block_len(i2); + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2)); + } + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + EverCrypt_Hash_update_multi2(block_state1, + prevlen, + buf, + EverCrypt_Hash_Incremental_block_len(i2)); + } + uint32_t ite; + if + ( + (uint64_t)len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2) + == (uint64_t)0U + && (uint64_t)len > (uint64_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(i2); + } + else + { + ite = (uint32_t)((uint64_t)len % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2)); + } + uint32_t n_blocks = (len - ite) / EverCrypt_Hash_Incremental_block_len(i2); + uint32_t data1_len = n_blocks * EverCrypt_Hash_Incremental_block_len(i2); + uint32_t data2_len = len - data1_len; + uint8_t *data1 = data; + uint8_t *data2 = data + data1_len; + EverCrypt_Hash_update_multi2(block_state1, total_len1, data1, data1_len); + uint8_t *dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)len + } + ); + return; + } + uint32_t diff = EverCrypt_Hash_Incremental_block_len(i1) - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ s1 = *p; + EverCrypt_Hash_state_s *block_state10 = s1.block_state; + uint8_t *buf0 = s1.buf; + uint64_t total_len10 = s1.total_len; + Spec_Hash_Definitions_hash_alg i20 = EverCrypt_Hash_alg_of_state(block_state10); + uint32_t sz10; + if + ( + total_len10 + % 
(uint64_t)EverCrypt_Hash_Incremental_block_len(i20) + == (uint64_t)0U + && total_len10 > (uint64_t)0U + ) + { + sz10 = EverCrypt_Hash_Incremental_block_len(i20); + } + else + { + sz10 = (uint32_t)(total_len10 % (uint64_t)EverCrypt_Hash_Incremental_block_len(i20)); + } + uint8_t *buf2 = buf0 + sz10; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + uint64_t total_len2 = total_len10 + (uint64_t)diff; + *p + = + ( + (Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____){ + .block_state = block_state10, + .buf = buf0, + .total_len = total_len2 + } + ); + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ s10 = *p; + EverCrypt_Hash_state_s *block_state1 = s10.block_state; + uint8_t *buf = s10.buf; + uint64_t total_len1 = s10.total_len; + Spec_Hash_Definitions_hash_alg i2 = EverCrypt_Hash_alg_of_state(block_state1); + uint32_t sz1; + if + ( + total_len1 + % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = EverCrypt_Hash_Incremental_block_len(i2); + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2)); + } + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + EverCrypt_Hash_update_multi2(block_state1, + prevlen, + buf, + EverCrypt_Hash_Incremental_block_len(i2)); + } + uint32_t ite; + if + ( + (uint64_t)(len - diff) + % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2) + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(i2); + } + else + { + ite = (uint32_t)((uint64_t)(len - diff) % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2)); + } + uint32_t n_blocks = (len - diff - ite) / EverCrypt_Hash_Incremental_block_len(i2); + uint32_t data1_len = n_blocks * EverCrypt_Hash_Incremental_block_len(i2); + uint32_t data2_len = len - diff - data1_len; + uint8_t *data11 = data2; + uint8_t *data21 = data2 + data1_len; + EverCrypt_Hash_update_multi2(block_state1, 
total_len1, data11, data1_len); + uint8_t *dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)(len - diff) + } + ); +} + +void +EverCrypt_Hash_Incremental_finish_md5( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *p; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_MD5) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_MD5); + } + else + { + r = + (uint32_t)(total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_MD5)); + } + uint8_t *buf_1 = buf_; + uint32_t buf[4U] = { 0U }; + EverCrypt_Hash_state_s s = { .tag = EverCrypt_Hash_MD5_s, { .case_MD5_s = buf } }; + EverCrypt_Hash_state_s tmp_block_state = s; + EverCrypt_Hash_copy(block_state, &tmp_block_state); + uint64_t prev_len = total_len - (uint64_t)r; + uint32_t ite; + if + ( + r + % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_MD5) + == (uint32_t)0U + && r > (uint32_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_MD5); + } + else + { + ite = r % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_MD5); + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + EverCrypt_Hash_update_multi2(&tmp_block_state, prev_len, buf_multi, (uint32_t)0U); + uint64_t prev_len_last = total_len - (uint64_t)r; + EverCrypt_Hash_update_last2(&tmp_block_state, prev_len_last, buf_last, r); + EverCrypt_Hash_finish(&tmp_block_state, dst); +} + +void +EverCrypt_Hash_Incremental_finish_sha1( + 
Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *p; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA1) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA1); + } + else + { + r = + (uint32_t)(total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA1)); + } + uint8_t *buf_1 = buf_; + uint32_t buf[5U] = { 0U }; + EverCrypt_Hash_state_s s = { .tag = EverCrypt_Hash_SHA1_s, { .case_SHA1_s = buf } }; + EverCrypt_Hash_state_s tmp_block_state = s; + EverCrypt_Hash_copy(block_state, &tmp_block_state); + uint64_t prev_len = total_len - (uint64_t)r; + uint32_t ite; + if + ( + r + % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA1) + == (uint32_t)0U + && r > (uint32_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA1); + } + else + { + ite = r % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA1); + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + EverCrypt_Hash_update_multi2(&tmp_block_state, prev_len, buf_multi, (uint32_t)0U); + uint64_t prev_len_last = total_len - (uint64_t)r; + EverCrypt_Hash_update_last2(&tmp_block_state, prev_len_last, buf_last, r); + EverCrypt_Hash_finish(&tmp_block_state, dst); +} + +void +EverCrypt_Hash_Incremental_finish_sha224( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *p; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % 
(uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_224) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_224); + } + else + { + r = + (uint32_t)(total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_224)); + } + uint8_t *buf_1 = buf_; + uint32_t buf[8U] = { 0U }; + EverCrypt_Hash_state_s s = { .tag = EverCrypt_Hash_SHA2_224_s, { .case_SHA2_224_s = buf } }; + EverCrypt_Hash_state_s tmp_block_state = s; + EverCrypt_Hash_copy(block_state, &tmp_block_state); + uint64_t prev_len = total_len - (uint64_t)r; + uint32_t ite; + if + ( + r + % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_224) + == (uint32_t)0U + && r > (uint32_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_224); + } + else + { + ite = r % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_224); + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + EverCrypt_Hash_update_multi2(&tmp_block_state, prev_len, buf_multi, (uint32_t)0U); + uint64_t prev_len_last = total_len - (uint64_t)r; + EverCrypt_Hash_update_last2(&tmp_block_state, prev_len_last, buf_last, r); + EverCrypt_Hash_finish(&tmp_block_state, dst); +} + +void +EverCrypt_Hash_Incremental_finish_sha256( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *p; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_256) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_256); + } + else + { + r = + (uint32_t)(total_len + % 
(uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_256)); + } + uint8_t *buf_1 = buf_; + uint32_t buf[8U] = { 0U }; + EverCrypt_Hash_state_s s = { .tag = EverCrypt_Hash_SHA2_256_s, { .case_SHA2_256_s = buf } }; + EverCrypt_Hash_state_s tmp_block_state = s; + EverCrypt_Hash_copy(block_state, &tmp_block_state); + uint64_t prev_len = total_len - (uint64_t)r; + uint32_t ite; + if + ( + r + % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_256) + == (uint32_t)0U + && r > (uint32_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_256); + } + else + { + ite = r % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_256); + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + EverCrypt_Hash_update_multi2(&tmp_block_state, prev_len, buf_multi, (uint32_t)0U); + uint64_t prev_len_last = total_len - (uint64_t)r; + EverCrypt_Hash_update_last2(&tmp_block_state, prev_len_last, buf_last, r); + EverCrypt_Hash_finish(&tmp_block_state, dst); +} + +void +EverCrypt_Hash_Incremental_finish_sha384( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *p; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_384) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_384); + } + else + { + r = + (uint32_t)(total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_384)); + } + uint8_t *buf_1 = buf_; + uint64_t buf[8U] = { 0U }; + EverCrypt_Hash_state_s s = { .tag = EverCrypt_Hash_SHA2_384_s, { .case_SHA2_384_s = buf } }; + EverCrypt_Hash_state_s tmp_block_state = s; + EverCrypt_Hash_copy(block_state, 
&tmp_block_state); + uint64_t prev_len = total_len - (uint64_t)r; + uint32_t ite; + if + ( + r + % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_384) + == (uint32_t)0U + && r > (uint32_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_384); + } + else + { + ite = r % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_384); + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + EverCrypt_Hash_update_multi2(&tmp_block_state, prev_len, buf_multi, (uint32_t)0U); + uint64_t prev_len_last = total_len - (uint64_t)r; + EverCrypt_Hash_update_last2(&tmp_block_state, prev_len_last, buf_last, r); + EverCrypt_Hash_finish(&tmp_block_state, dst); +} + +void +EverCrypt_Hash_Incremental_finish_sha512( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *p; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_512) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_512); + } + else + { + r = + (uint32_t)(total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_512)); + } + uint8_t *buf_1 = buf_; + uint64_t buf[8U] = { 0U }; + EverCrypt_Hash_state_s s = { .tag = EverCrypt_Hash_SHA2_512_s, { .case_SHA2_512_s = buf } }; + EverCrypt_Hash_state_s tmp_block_state = s; + EverCrypt_Hash_copy(block_state, &tmp_block_state); + uint64_t prev_len = total_len - (uint64_t)r; + uint32_t ite; + if + ( + r + % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_512) + == (uint32_t)0U + && r > (uint32_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_512); + } + else + { + ite = 
r % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_512); + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + EverCrypt_Hash_update_multi2(&tmp_block_state, prev_len, buf_multi, (uint32_t)0U); + uint64_t prev_len_last = total_len - (uint64_t)r; + EverCrypt_Hash_update_last2(&tmp_block_state, prev_len_last, buf_last, r); + EverCrypt_Hash_finish(&tmp_block_state, dst); +} + +void +EverCrypt_Hash_Incremental_finish_blake2s( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *p; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2S) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2S); + } + else + { + r = + (uint32_t)(total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2S)); + } + uint8_t *buf_1 = buf_; + uint32_t buf[16U] = { 0U }; + EverCrypt_Hash_state_s s = { .tag = EverCrypt_Hash_Blake2S_s, { .case_Blake2S_s = buf } }; + EverCrypt_Hash_state_s tmp_block_state = s; + EverCrypt_Hash_copy(block_state, &tmp_block_state); + uint64_t prev_len = total_len - (uint64_t)r; + uint32_t ite; + if + ( + r + % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2S) + == (uint32_t)0U + && r > (uint32_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2S); + } + else + { + ite = r % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2S); + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + EverCrypt_Hash_update_multi2(&tmp_block_state, prev_len, buf_multi, (uint32_t)0U); + uint64_t prev_len_last = total_len - (uint64_t)r; + 
EverCrypt_Hash_update_last2(&tmp_block_state, prev_len_last, buf_last, r); + EverCrypt_Hash_finish(&tmp_block_state, dst); +} + +void +EverCrypt_Hash_Incremental_finish_blake2b( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *p; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2B) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2B); + } + else + { + r = + (uint32_t)(total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2B)); + } + uint8_t *buf_1 = buf_; + uint64_t buf[16U] = { 0U }; + EverCrypt_Hash_state_s s = { .tag = EverCrypt_Hash_Blake2B_s, { .case_Blake2B_s = buf } }; + EverCrypt_Hash_state_s tmp_block_state = s; + EverCrypt_Hash_copy(block_state, &tmp_block_state); + uint64_t prev_len = total_len - (uint64_t)r; + uint32_t ite; + if + ( + r + % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2B) + == (uint32_t)0U + && r > (uint32_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2B); + } + else + { + ite = r % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2B); + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + EverCrypt_Hash_update_multi2(&tmp_block_state, prev_len, buf_multi, (uint32_t)0U); + uint64_t prev_len_last = total_len - (uint64_t)r; + EverCrypt_Hash_update_last2(&tmp_block_state, prev_len_last, buf_last, r); + EverCrypt_Hash_finish(&tmp_block_state, dst); +} + +Spec_Hash_Definitions_hash_alg +EverCrypt_Hash_Incremental_alg_of_state( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *s +) +{ + 
Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *s; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + return EverCrypt_Hash_alg_of_state(block_state); +} + +void +EverCrypt_Hash_Incremental_finish( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *s, + uint8_t *dst +) +{ + Spec_Hash_Definitions_hash_alg a1 = EverCrypt_Hash_Incremental_alg_of_state(s); + switch (a1) + { + case Spec_Hash_Definitions_MD5: + { + EverCrypt_Hash_Incremental_finish_md5(s, dst); + break; + } + case Spec_Hash_Definitions_SHA1: + { + EverCrypt_Hash_Incremental_finish_sha1(s, dst); + break; + } + case Spec_Hash_Definitions_SHA2_224: + { + EverCrypt_Hash_Incremental_finish_sha224(s, dst); + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + EverCrypt_Hash_Incremental_finish_sha256(s, dst); + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + EverCrypt_Hash_Incremental_finish_sha384(s, dst); + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + EverCrypt_Hash_Incremental_finish_sha512(s, dst); + break; + } + case Spec_Hash_Definitions_Blake2S: + { + EverCrypt_Hash_Incremental_finish_blake2s(s, dst); + break; + } + case Spec_Hash_Definitions_Blake2B: + { + EverCrypt_Hash_Incremental_finish_blake2b(s, dst); + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +void +EverCrypt_Hash_Incremental_free(Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *s) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *s; + uint8_t *buf = scrut.buf; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + EverCrypt_Hash_free(block_state); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s); +} + diff --git a/src/EverCrypt_Poly1305.c b/src/EverCrypt_Poly1305.c new file mode 100644 index 00000000..90a392d3 --- /dev/null +++ b/src/EverCrypt_Poly1305.c 
@@ -0,0 +1,87 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_Poly1305.h" + +#include "internal/Vale.h" + +static void poly1305_vale(uint8_t *dst, uint8_t *src, uint32_t len, uint8_t *key) +{ + uint8_t ctx[192U] = { 0U }; + memcpy(ctx + (uint32_t)24U, key, (uint32_t)32U * sizeof (uint8_t)); + uint32_t n_blocks = len / (uint32_t)16U; + uint32_t n_extra = len % (uint32_t)16U; + uint8_t tmp[16U]; + if (n_extra == (uint32_t)0U) + { + uint64_t scrut = x64_poly1305(ctx, src, (uint64_t)len, (uint64_t)1U); + } + else + { + uint8_t init = (uint8_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + tmp[i] = init; + } + uint32_t len16 = n_blocks * (uint32_t)16U; + uint8_t *src16 = src; + memcpy(tmp, src + len16, n_extra * sizeof (uint8_t)); + uint64_t scrut = x64_poly1305(ctx, src16, (uint64_t)len16, (uint64_t)0U); + memcpy(ctx + (uint32_t)24U, key, (uint32_t)32U * sizeof (uint8_t)); + uint64_t scrut0 = x64_poly1305(ctx, tmp, (uint64_t)n_extra, (uint64_t)1U); + } + memcpy(dst, ctx, (uint32_t)16U * sizeof (uint8_t)); +} + +void EverCrypt_Poly1305_poly1305(uint8_t *dst, uint8_t *src, uint32_t len, uint8_t *key) +{ + bool avx2 = EverCrypt_AutoConfig2_has_avx2(); + bool avx = EverCrypt_AutoConfig2_has_avx(); + bool vec256 = EverCrypt_AutoConfig2_has_vec256(); + bool vec128 = EverCrypt_AutoConfig2_has_vec128(); + bool vale = EverCrypt_AutoConfig2_wants_vale(); + #if HACL_CAN_COMPILE_VEC256 + if (vec256) + { + Hacl_Poly1305_256_poly1305_mac(dst, len, src, key); + return; + } + #endif + #if HACL_CAN_COMPILE_VEC128 + if (vec128) + { + Hacl_Poly1305_128_poly1305_mac(dst, len, src, key); + return; + } + #endif + #if HACL_CAN_COMPILE_VALE + if (vale) + { + poly1305_vale(dst, src, len, key); + return; + } + #endif + Hacl_Poly1305_32_poly1305_mac(dst, len, src, key); +} + diff --git a/src/Hacl_Bignum.c b/src/Hacl_Bignum.c new file mode 100644 index 00000000..53c201e9 --- /dev/null +++ b/src/Hacl_Bignum.c 
@@ -0,0 +1,2594 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Bignum.h" + +#include "internal/Hacl_Kremlib.h" + +void Hacl_Bignum_Convert_bn_from_bytes_be_uint64(uint32_t len, uint8_t *b, uint64_t *res) +{ + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + uint64_t *os = res; + uint64_t u = load64_be(tmp + (bnLen - i - (uint32_t)1U) * (uint32_t)8U); + uint64_t x = u; + os[i] = x; + } +} + +void Hacl_Bignum_Convert_bn_to_bytes_be_uint64(uint32_t len, uint64_t *b, uint8_t *res) +{ + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + uint32_t numb = (uint32_t)8U; + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + store64_be(tmp + i * numb, b[bnLen - i - (uint32_t)1U]); + } + memcpy(res, tmp + tmpLen - len, len * sizeof (uint8_t)); +} + +uint32_t Hacl_Bignum_Lib_bn_get_top_index_u32(uint32_t len, uint32_t *b) +{ + uint32_t priv = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t mask = FStar_UInt32_eq_mask(b[i], (uint32_t)0U); + priv = (mask & priv) | (~mask & i); + } + return priv; +} + +uint64_t Hacl_Bignum_Lib_bn_get_top_index_u64(uint32_t len, uint64_t *b) +{ + uint64_t priv = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t mask = FStar_UInt64_eq_mask(b[i], (uint64_t)0U); + priv = (mask & priv) | (~mask & (uint64_t)i); + } + return priv; +} + +uint32_t +Hacl_Bignum_Addition_bn_sub_eq_len_u32(uint32_t aLen, uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < aLen / (uint32_t)4U; i++) + { + uint32_t t1 = a[(uint32_t)4U * 
i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t20, res_i0); + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, t21, res_i1); + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, t22, res_i2); + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, t2, res_i); + } + for (uint32_t i = aLen / (uint32_t)4U * (uint32_t)4U; i < aLen; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t2, res_i); + } + return c; +} + +uint64_t +Hacl_Bignum_Addition_bn_sub_eq_len_u64(uint32_t aLen, uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < aLen / (uint32_t)4U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + 
uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); + } + for (uint32_t i = aLen / (uint32_t)4U * (uint32_t)4U; i < aLen; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t2, res_i); + } + return c; +} + +uint32_t +Hacl_Bignum_Addition_bn_add_eq_len_u32(uint32_t aLen, uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < aLen / (uint32_t)4U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t20, res_i0); + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t10, t21, res_i1); + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t11, t22, res_i2); + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t12, t2, res_i); + } + for (uint32_t i = aLen / (uint32_t)4U * (uint32_t)4U; i < aLen; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t2, res_i); + } + return c; +} + +uint64_t +Hacl_Bignum_Addition_bn_add_eq_len_u64(uint32_t aLen, uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < aLen / (uint32_t)4U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = 
b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t20, res_i0); + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t10, t21, res_i1); + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, t22, res_i2); + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t12, t2, res_i); + } + for (uint32_t i = aLen / (uint32_t)4U * (uint32_t)4U; i < aLen; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t2, res_i); + } + return c; +} + +static inline void +bn_mul_u32(uint32_t aLen, uint32_t *a, uint32_t bLen, uint32_t *b, uint32_t *res) +{ + memset(res, 0U, (aLen + bLen) * sizeof (uint32_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < bLen; i0++) + { + uint32_t bj = b[i0]; + uint32_t *res_j = res + i0; + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < aLen / (uint32_t)4U; i++) + { + uint32_t a_i = a[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, bj, c, res_i0); + uint32_t a_i0 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, bj, c, res_i1); + uint32_t a_i1 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, bj, c, res_i2); + uint32_t a_i2 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t 
*res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, bj, c, res_i); + } + for (uint32_t i = aLen / (uint32_t)4U * (uint32_t)4U; i < aLen; i++) + { + uint32_t a_i = a[i]; + uint32_t *res_i = res_j + i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, bj, c, res_i); + } + uint32_t r = c; + res[aLen + i0] = r; + } +} + +static inline void +bn_mul_u64(uint32_t aLen, uint64_t *a, uint32_t bLen, uint64_t *b, uint64_t *res) +{ + memset(res, 0U, (aLen + bLen) * sizeof (uint64_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < bLen; i0++) + { + uint64_t bj = b[i0]; + uint64_t *res_j = res + i0; + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < aLen / (uint32_t)4U; i++) + { + uint64_t a_i = a[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, bj, c, res_i0); + uint64_t a_i0 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, bj, c, res_i1); + uint64_t a_i1 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, bj, c, res_i2); + uint64_t a_i2 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, bj, c, res_i); + } + for (uint32_t i = aLen / (uint32_t)4U * (uint32_t)4U; i < aLen; i++) + { + uint64_t a_i = a[i]; + uint64_t *res_i = res_j + i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, bj, c, res_i); + } + uint64_t r = c; + res[aLen + i0] = r; + } +} + +static inline void bn_sqr_u32(uint32_t aLen, uint32_t *a, uint32_t *res) +{ + memset(res, 0U, (aLen + aLen) * sizeof (uint32_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < aLen; i0++) + { + uint32_t *ab = a; + uint32_t a_j = a[i0]; + uint32_t *res_j = res + i0; + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < i0 / 
(uint32_t)4U; i++) + { + uint32_t a_i = ab[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, a_j, c, res_i0); + uint32_t a_i0 = ab[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, a_j, c, res_i1); + uint32_t a_i1 = ab[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, a_j, c, res_i2); + uint32_t a_i2 = ab[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, a_j, c, res_i); + } + for (uint32_t i = i0 / (uint32_t)4U * (uint32_t)4U; i < i0; i++) + { + uint32_t a_i = ab[i]; + uint32_t *res_i = res_j + i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, a_j, c, res_i); + } + uint32_t r = c; + res[i0 + i0] = r; + } + uint32_t c0 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen + aLen, res, res, res); + KRML_CHECK_SIZE(sizeof (uint32_t), aLen + aLen); + uint32_t tmp[aLen + aLen]; + memset(tmp, 0U, (aLen + aLen) * sizeof (uint32_t)); + for (uint32_t i = (uint32_t)0U; i < aLen; i++) + { + uint64_t res1 = (uint64_t)a[i] * (uint64_t)a[i]; + uint32_t hi = (uint32_t)(res1 >> (uint32_t)32U); + uint32_t lo = (uint32_t)res1; + tmp[(uint32_t)2U * i] = lo; + tmp[(uint32_t)2U * i + (uint32_t)1U] = hi; + } + uint32_t c1 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen + aLen, res, tmp, res); +} + +static inline void bn_sqr_u64(uint32_t aLen, uint64_t *a, uint64_t *res) +{ + memset(res, 0U, (aLen + aLen) * sizeof (uint64_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < aLen; i0++) + { + uint64_t *ab = a; + uint64_t a_j = a[i0]; + uint64_t *res_j = res + i0; + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < i0 / (uint32_t)4U; i++) + { + uint64_t a_i = ab[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j + (uint32_t)4U * i; + c = 
Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c, res_i0); + uint64_t a_i0 = ab[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, a_j, c, res_i1); + uint64_t a_i1 = ab[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, a_j, c, res_i2); + uint64_t a_i2 = ab[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, a_j, c, res_i); + } + for (uint32_t i = i0 / (uint32_t)4U * (uint32_t)4U; i < i0; i++) + { + uint64_t a_i = ab[i]; + uint64_t *res_i = res_j + i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c, res_i); + } + uint64_t r = c; + res[i0 + i0] = r; + } + uint64_t c0 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen + aLen, res, res, res); + KRML_CHECK_SIZE(sizeof (uint64_t), aLen + aLen); + uint64_t tmp[aLen + aLen]; + memset(tmp, 0U, (aLen + aLen) * sizeof (uint64_t)); + for (uint32_t i = (uint32_t)0U; i < aLen; i++) + { + FStar_UInt128_uint128 res1 = FStar_UInt128_mul_wide(a[i], a[i]); + uint64_t hi = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res1, (uint32_t)64U)); + uint64_t lo = FStar_UInt128_uint128_to_uint64(res1); + tmp[(uint32_t)2U * i] = lo; + tmp[(uint32_t)2U * i + (uint32_t)1U] = hi; + } + uint64_t c1 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen + aLen, res, tmp, res); +} + +void +Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32( + uint32_t aLen, + uint32_t *a, + uint32_t *b, + uint32_t *tmp, + uint32_t *res +) +{ + if (aLen < (uint32_t)32U || aLen % (uint32_t)2U == (uint32_t)1U) + { + bn_mul_u32(aLen, a, aLen, b, res); + return; + } + uint32_t len2 = aLen / (uint32_t)2U; + uint32_t *a0 = a; + uint32_t *a1 = a + len2; + uint32_t *b0 = b; + uint32_t *b1 = b + len2; + uint32_t *t0 = tmp; + uint32_t *t1 = tmp + len2; + uint32_t *tmp_ = tmp + aLen; + uint32_t c0 = 
Hacl_Bignum_Addition_bn_sub_eq_len_u32(len2, a0, a1, tmp_); + uint32_t c10 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(len2, a1, a0, t0); + for (uint32_t i = (uint32_t)0U; i < len2; i++) + { + uint32_t *os = t0; + uint32_t x = (((uint32_t)0U - c0) & t0[i]) | (~((uint32_t)0U - c0) & tmp_[i]); + os[i] = x; + } + uint32_t c00 = c0; + uint32_t c010 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(len2, b0, b1, tmp_); + uint32_t c1 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(len2, b1, b0, t1); + for (uint32_t i = (uint32_t)0U; i < len2; i++) + { + uint32_t *os = t1; + uint32_t x = (((uint32_t)0U - c010) & t1[i]) | (~((uint32_t)0U - c010) & tmp_[i]); + os[i] = x; + } + uint32_t c11 = c010; + uint32_t *t23 = tmp + aLen; + uint32_t *tmp1 = tmp + aLen + aLen; + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len2, t0, t1, tmp1, t23); + uint32_t *r01 = res; + uint32_t *r23 = res + aLen; + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len2, a0, b0, tmp1, r01); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len2, a1, b1, tmp1, r23); + uint32_t *r011 = res; + uint32_t *r231 = res + aLen; + uint32_t *t01 = tmp; + uint32_t *t231 = tmp + aLen; + uint32_t *t45 = tmp + (uint32_t)2U * aLen; + uint32_t *t67 = tmp + (uint32_t)3U * aLen; + uint32_t c2 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen, r011, r231, t01); + uint32_t c_sign = c00 ^ c11; + uint32_t c3 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(aLen, t01, t231, t67); + uint32_t c31 = c2 - c3; + uint32_t c4 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen, t01, t231, t45); + uint32_t c41 = c2 + c4; + uint32_t mask = (uint32_t)0U - c_sign; + for (uint32_t i = (uint32_t)0U; i < aLen; i++) + { + uint32_t *os = t45; + uint32_t x = (mask & t45[i]) | (~mask & t67[i]); + os[i] = x; + } + uint32_t c5 = (mask & c41) | (~mask & c31); + uint32_t aLen2 = aLen / (uint32_t)2U; + uint32_t *r0 = res + aLen2; + uint32_t r10 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen, r0, t45, r0); + uint32_t c6 = r10; + uint32_t c60 = c6; + uint32_t c7 = c5 + c60; + uint32_t *r = 
res + aLen + aLen2; + uint32_t c01 = Lib_IntTypes_Intrinsics_add_carry_u32((uint32_t)0U, r[0U], c7, r); + uint32_t r1; + if ((uint32_t)1U < aLen + aLen - (aLen + aLen2)) + { + uint32_t rLen = aLen + aLen - (aLen + aLen2) - (uint32_t)1U; + uint32_t *a11 = r + (uint32_t)1U; + uint32_t *res1 = r + (uint32_t)1U; + uint32_t c = c01; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint32_t t11 = a11[(uint32_t)4U * i]; + uint32_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t11, (uint32_t)0U, res_i0); + uint32_t t110 = a11[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t110, (uint32_t)0U, res_i1); + uint32_t t111 = a11[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t111, (uint32_t)0U, res_i2); + uint32_t t112 = a11[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t112, (uint32_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint32_t t11 = a11[i]; + uint32_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t11, (uint32_t)0U, res_i); + } + uint32_t c110 = c; + r1 = c110; + } + else + { + r1 = c01; + } + uint32_t c8 = r1; + uint32_t c = c8; + uint32_t c9 = c; +} + +void +Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64( + uint32_t aLen, + uint64_t *a, + uint64_t *b, + uint64_t *tmp, + uint64_t *res +) +{ + if (aLen < (uint32_t)32U || aLen % (uint32_t)2U == (uint32_t)1U) + { + bn_mul_u64(aLen, a, aLen, b, res); + return; + } + uint32_t len2 = aLen / (uint32_t)2U; + uint64_t *a0 = a; + uint64_t *a1 = a + len2; + uint64_t *b0 = b; + uint64_t *b1 = b + len2; + uint64_t *t0 = tmp; + uint64_t *t1 = tmp + len2; + uint64_t *tmp_ = tmp + aLen; + uint64_t c0 = 
Hacl_Bignum_Addition_bn_sub_eq_len_u64(len2, a0, a1, tmp_); + uint64_t c10 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(len2, a1, a0, t0); + for (uint32_t i = (uint32_t)0U; i < len2; i++) + { + uint64_t *os = t0; + uint64_t x = (((uint64_t)0U - c0) & t0[i]) | (~((uint64_t)0U - c0) & tmp_[i]); + os[i] = x; + } + uint64_t c00 = c0; + uint64_t c010 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(len2, b0, b1, tmp_); + uint64_t c1 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(len2, b1, b0, t1); + for (uint32_t i = (uint32_t)0U; i < len2; i++) + { + uint64_t *os = t1; + uint64_t x = (((uint64_t)0U - c010) & t1[i]) | (~((uint64_t)0U - c010) & tmp_[i]); + os[i] = x; + } + uint64_t c11 = c010; + uint64_t *t23 = tmp + aLen; + uint64_t *tmp1 = tmp + aLen + aLen; + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len2, t0, t1, tmp1, t23); + uint64_t *r01 = res; + uint64_t *r23 = res + aLen; + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len2, a0, b0, tmp1, r01); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len2, a1, b1, tmp1, r23); + uint64_t *r011 = res; + uint64_t *r231 = res + aLen; + uint64_t *t01 = tmp; + uint64_t *t231 = tmp + aLen; + uint64_t *t45 = tmp + (uint32_t)2U * aLen; + uint64_t *t67 = tmp + (uint32_t)3U * aLen; + uint64_t c2 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen, r011, r231, t01); + uint64_t c_sign = c00 ^ c11; + uint64_t c3 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(aLen, t01, t231, t67); + uint64_t c31 = c2 - c3; + uint64_t c4 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen, t01, t231, t45); + uint64_t c41 = c2 + c4; + uint64_t mask = (uint64_t)0U - c_sign; + for (uint32_t i = (uint32_t)0U; i < aLen; i++) + { + uint64_t *os = t45; + uint64_t x = (mask & t45[i]) | (~mask & t67[i]); + os[i] = x; + } + uint64_t c5 = (mask & c41) | (~mask & c31); + uint32_t aLen2 = aLen / (uint32_t)2U; + uint64_t *r0 = res + aLen2; + uint64_t r10 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen, r0, t45, r0); + uint64_t c6 = r10; + uint64_t c60 = c6; + uint64_t c7 = c5 + c60; + uint64_t *r = 
res + aLen + aLen2; + uint64_t c01 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, r[0U], c7, r); + uint64_t r1; + if ((uint32_t)1U < aLen + aLen - (aLen + aLen2)) + { + uint32_t rLen = aLen + aLen - (aLen + aLen2) - (uint32_t)1U; + uint64_t *a11 = r + (uint32_t)1U; + uint64_t *res1 = r + (uint32_t)1U; + uint64_t c = c01; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint64_t t11 = a11[(uint32_t)4U * i]; + uint64_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, (uint64_t)0U, res_i0); + uint64_t t110 = a11[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t110, (uint64_t)0U, res_i1); + uint64_t t111 = a11[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t111, (uint64_t)0U, res_i2); + uint64_t t112 = a11[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t112, (uint64_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint64_t t11 = a11[i]; + uint64_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, (uint64_t)0U, res_i); + } + uint64_t c110 = c; + r1 = c110; + } + else + { + r1 = c01; + } + uint64_t c8 = r1; + uint64_t c = c8; + uint64_t c9 = c; +} + +void +Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32( + uint32_t aLen, + uint32_t *a, + uint32_t *tmp, + uint32_t *res +) +{ + if (aLen < (uint32_t)32U || aLen % (uint32_t)2U == (uint32_t)1U) + { + bn_sqr_u32(aLen, a, res); + return; + } + uint32_t len2 = aLen / (uint32_t)2U; + uint32_t *a0 = a; + uint32_t *a1 = a + len2; + uint32_t *t0 = tmp; + uint32_t *tmp_ = tmp + aLen; + uint32_t c0 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(len2, a0, a1, tmp_); + uint32_t c1 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(len2, a1, a0, 
t0); + for (uint32_t i = (uint32_t)0U; i < len2; i++) + { + uint32_t *os = t0; + uint32_t x = (((uint32_t)0U - c0) & t0[i]) | (~((uint32_t)0U - c0) & tmp_[i]); + os[i] = x; + } + uint32_t c00 = c0; + uint32_t *t23 = tmp + aLen; + uint32_t *tmp1 = tmp + aLen + aLen; + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32(len2, t0, tmp1, t23); + uint32_t *r01 = res; + uint32_t *r23 = res + aLen; + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32(len2, a0, tmp1, r01); + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32(len2, a1, tmp1, r23); + uint32_t *r011 = res; + uint32_t *r231 = res + aLen; + uint32_t *t01 = tmp; + uint32_t *t231 = tmp + aLen; + uint32_t *t45 = tmp + (uint32_t)2U * aLen; + uint32_t c2 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen, r011, r231, t01); + uint32_t c3 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(aLen, t01, t231, t45); + uint32_t c5 = c2 - c3; + uint32_t aLen2 = aLen / (uint32_t)2U; + uint32_t *r0 = res + aLen2; + uint32_t r10 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen, r0, t45, r0); + uint32_t c4 = r10; + uint32_t c6 = c4; + uint32_t c7 = c5 + c6; + uint32_t *r = res + aLen + aLen2; + uint32_t c01 = Lib_IntTypes_Intrinsics_add_carry_u32((uint32_t)0U, r[0U], c7, r); + uint32_t r1; + if ((uint32_t)1U < aLen + aLen - (aLen + aLen2)) + { + uint32_t rLen = aLen + aLen - (aLen + aLen2) - (uint32_t)1U; + uint32_t *a11 = r + (uint32_t)1U; + uint32_t *res1 = r + (uint32_t)1U; + uint32_t c = c01; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint32_t t1 = a11[(uint32_t)4U * i]; + uint32_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, (uint32_t)0U, res_i0); + uint32_t t10 = a11[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t10, (uint32_t)0U, res_i1); + uint32_t t11 = a11[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = 
Lib_IntTypes_Intrinsics_add_carry_u32(c, t11, (uint32_t)0U, res_i2); + uint32_t t12 = a11[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t12, (uint32_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint32_t t1 = a11[i]; + uint32_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, (uint32_t)0U, res_i); + } + uint32_t c10 = c; + r1 = c10; + } + else + { + r1 = c01; + } + uint32_t c8 = r1; + uint32_t c = c8; + uint32_t c9 = c; +} + +void +Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64( + uint32_t aLen, + uint64_t *a, + uint64_t *tmp, + uint64_t *res +) +{ + if (aLen < (uint32_t)32U || aLen % (uint32_t)2U == (uint32_t)1U) + { + bn_sqr_u64(aLen, a, res); + return; + } + uint32_t len2 = aLen / (uint32_t)2U; + uint64_t *a0 = a; + uint64_t *a1 = a + len2; + uint64_t *t0 = tmp; + uint64_t *tmp_ = tmp + aLen; + uint64_t c0 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(len2, a0, a1, tmp_); + uint64_t c1 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(len2, a1, a0, t0); + for (uint32_t i = (uint32_t)0U; i < len2; i++) + { + uint64_t *os = t0; + uint64_t x = (((uint64_t)0U - c0) & t0[i]) | (~((uint64_t)0U - c0) & tmp_[i]); + os[i] = x; + } + uint64_t c00 = c0; + uint64_t *t23 = tmp + aLen; + uint64_t *tmp1 = tmp + aLen + aLen; + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64(len2, t0, tmp1, t23); + uint64_t *r01 = res; + uint64_t *r23 = res + aLen; + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64(len2, a0, tmp1, r01); + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64(len2, a1, tmp1, r23); + uint64_t *r011 = res; + uint64_t *r231 = res + aLen; + uint64_t *t01 = tmp; + uint64_t *t231 = tmp + aLen; + uint64_t *t45 = tmp + (uint32_t)2U * aLen; + uint64_t c2 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen, r011, r231, t01); + uint64_t c3 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(aLen, t01, t231, t45); + uint64_t c5 = c2 - c3; + uint32_t aLen2 = 
aLen / (uint32_t)2U; + uint64_t *r0 = res + aLen2; + uint64_t r10 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen, r0, t45, r0); + uint64_t c4 = r10; + uint64_t c6 = c4; + uint64_t c7 = c5 + c6; + uint64_t *r = res + aLen + aLen2; + uint64_t c01 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, r[0U], c7, r); + uint64_t r1; + if ((uint32_t)1U < aLen + aLen - (aLen + aLen2)) + { + uint32_t rLen = aLen + aLen - (aLen + aLen2) - (uint32_t)1U; + uint64_t *a11 = r + (uint32_t)1U; + uint64_t *res1 = r + (uint32_t)1U; + uint64_t c = c01; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint64_t t1 = a11[(uint32_t)4U * i]; + uint64_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, (uint64_t)0U, res_i0); + uint64_t t10 = a11[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t10, (uint64_t)0U, res_i1); + uint64_t t11 = a11[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, (uint64_t)0U, res_i2); + uint64_t t12 = a11[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t12, (uint64_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint64_t t1 = a11[i]; + uint64_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, (uint64_t)0U, res_i); + } + uint64_t c10 = c; + r1 = c10; + } + else + { + r1 = c01; + } + uint64_t c8 = r1; + uint64_t c = c8; + uint64_t c9 = c; +} + +void +Hacl_Bignum_bn_add_mod_n_u32( + uint32_t len1, + uint32_t *n, + uint32_t *a, + uint32_t *b, + uint32_t *res +) +{ + uint32_t c0 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len1 / (uint32_t)4U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + 
(uint32_t)4U * i; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t1, t20, res_i0); + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t10, t21, res_i1); + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t11, t22, res_i2); + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t12, t2, res_i); + } + for (uint32_t i = len1 / (uint32_t)4U * (uint32_t)4U; i < len1; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t1, t2, res_i); + } + uint32_t c00 = c0; + KRML_CHECK_SIZE(sizeof (uint32_t), len1); + uint32_t tmp[len1]; + memset(tmp, 0U, len1 * sizeof (uint32_t)); + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len1 / (uint32_t)4U; i++) + { + uint32_t t1 = res[(uint32_t)4U * i]; + uint32_t t20 = n[(uint32_t)4U * i]; + uint32_t *res_i0 = tmp + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t20, res_i0); + uint32_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, t21, res_i1); + uint32_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, t22, res_i2); + uint32_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + 
uint32_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, t2, res_i); + } + for (uint32_t i = len1 / (uint32_t)4U * (uint32_t)4U; i < len1; i++) + { + uint32_t t1 = res[i]; + uint32_t t2 = n[i]; + uint32_t *res_i = tmp + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t2, res_i); + } + uint32_t c1 = c; + uint32_t c2 = c00 - c1; + for (uint32_t i = (uint32_t)0U; i < len1; i++) + { + uint32_t *os = res; + uint32_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } +} + +void +Hacl_Bignum_bn_add_mod_n_u64( + uint32_t len1, + uint64_t *n, + uint64_t *a, + uint64_t *b, + uint64_t *res +) +{ + uint64_t c0 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len1 / (uint32_t)4U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t1, t20, res_i0); + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t10, t21, res_i1); + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t11, t22, res_i2); + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t12, t2, res_i); + } + for (uint32_t i = len1 / (uint32_t)4U * (uint32_t)4U; i < len1; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t1, t2, res_i); + } + uint64_t c00 = c0; + KRML_CHECK_SIZE(sizeof (uint64_t), len1); + uint64_t tmp[len1]; + memset(tmp, 0U, len1 * sizeof (uint64_t)); + 
uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len1 / (uint32_t)4U; i++) + { + uint64_t t1 = res[(uint32_t)4U * i]; + uint64_t t20 = n[(uint32_t)4U * i]; + uint64_t *res_i0 = tmp + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); + uint64_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); + uint64_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); + uint64_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); + } + for (uint32_t i = len1 / (uint32_t)4U * (uint32_t)4U; i < len1; i++) + { + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t2, res_i); + } + uint64_t c1 = c; + uint64_t c2 = c00 - c1; + for (uint32_t i = (uint32_t)0U; i < len1; i++) + { + uint64_t *os = res; + uint64_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } +} + +void +Hacl_Bignum_bn_sub_mod_n_u32( + uint32_t len1, + uint32_t *n, + uint32_t *a, + uint32_t *b, + uint32_t *res +) +{ + uint32_t c0 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len1 / (uint32_t)4U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t1, t20, res_i0); + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c0 = 
Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t10, t21, res_i1); + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t11, t22, res_i2); + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t12, t2, res_i); + } + for (uint32_t i = len1 / (uint32_t)4U * (uint32_t)4U; i < len1; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t1, t2, res_i); + } + uint32_t c00 = c0; + KRML_CHECK_SIZE(sizeof (uint32_t), len1); + uint32_t tmp[len1]; + memset(tmp, 0U, len1 * sizeof (uint32_t)); + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len1 / (uint32_t)4U; i++) + { + uint32_t t1 = res[(uint32_t)4U * i]; + uint32_t t20 = n[(uint32_t)4U * i]; + uint32_t *res_i0 = tmp + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t20, res_i0); + uint32_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t10, t21, res_i1); + uint32_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t11, t22, res_i2); + uint32_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t12, t2, res_i); + } + for (uint32_t i = len1 / (uint32_t)4U * (uint32_t)4U; i < len1; i++) + { + uint32_t t1 = res[i]; + uint32_t t2 = n[i]; + uint32_t 
*res_i = tmp + i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t2, res_i); + } + uint32_t c1 = c; + uint32_t c2 = (uint32_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < len1; i++) + { + uint32_t *os = res; + uint32_t x = (c2 & tmp[i]) | (~c2 & res[i]); + os[i] = x; + } +} + +void +Hacl_Bignum_bn_sub_mod_n_u64( + uint32_t len1, + uint64_t *n, + uint64_t *a, + uint64_t *b, + uint64_t *res +) +{ + uint64_t c0 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len1 / (uint32_t)4U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t1, t20, res_i0); + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t10, t21, res_i1); + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t11, t22, res_i2); + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t12, t2, res_i); + } + for (uint32_t i = len1 / (uint32_t)4U * (uint32_t)4U; i < len1; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t1, t2, res_i); + } + uint64_t c00 = c0; + KRML_CHECK_SIZE(sizeof (uint64_t), len1); + uint64_t tmp[len1]; + memset(tmp, 0U, len1 * sizeof (uint64_t)); + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len1 / (uint32_t)4U; i++) + { + uint64_t t1 = res[(uint32_t)4U * i]; + uint64_t t20 = n[(uint32_t)4U * i]; + uint64_t *res_i0 = tmp + (uint32_t)4U * i; + c = 
Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t20, res_i0); + uint64_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t10, t21, res_i1); + uint64_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, t22, res_i2); + uint64_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t12, t2, res_i); + } + for (uint32_t i = len1 / (uint32_t)4U * (uint32_t)4U; i < len1; i++) + { + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t2, res_i); + } + uint64_t c1 = c; + uint64_t c2 = (uint64_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < len1; i++) + { + uint64_t *os = res; + uint64_t x = (c2 & tmp[i]) | (~c2 & res[i]); + os[i] = x; + } +} + +uint32_t Hacl_Bignum_ModInvLimb_mod_inv_uint32(uint32_t n0) +{ + uint32_t alpha = (uint32_t)2147483648U; + uint32_t beta = n0; + uint32_t ub = (uint32_t)0U; + uint32_t vb = (uint32_t)0U; + ub = (uint32_t)1U; + vb = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t us = ub; + uint32_t vs = vb; + uint32_t u_is_odd = (uint32_t)0U - (us & (uint32_t)1U); + uint32_t beta_if_u_is_odd = beta & u_is_odd; + ub = ((us ^ beta_if_u_is_odd) >> (uint32_t)1U) + (us & beta_if_u_is_odd); + uint32_t alpha_if_u_is_odd = alpha & u_is_odd; + vb = (vs >> (uint32_t)1U) + alpha_if_u_is_odd; + } + return vb; +} + +uint64_t Hacl_Bignum_ModInvLimb_mod_inv_uint64(uint64_t n0) +{ + uint64_t alpha = (uint64_t)9223372036854775808U; + uint64_t beta = n0; + uint64_t ub = (uint64_t)0U; + uint64_t vb = 
(uint64_t)0U; + ub = (uint64_t)1U; + vb = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t us = ub; + uint64_t vs = vb; + uint64_t u_is_odd = (uint64_t)0U - (us & (uint64_t)1U); + uint64_t beta_if_u_is_odd = beta & u_is_odd; + ub = ((us ^ beta_if_u_is_odd) >> (uint32_t)1U) + (us & beta_if_u_is_odd); + uint64_t alpha_if_u_is_odd = alpha & u_is_odd; + vb = (vs >> (uint32_t)1U) + alpha_if_u_is_odd; + } + return vb; +} + +uint32_t Hacl_Bignum_Montgomery_bn_check_modulus_u32(uint32_t len, uint32_t *n) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t one[len]; + memset(one, 0U, len * sizeof (uint32_t)); + memset(one, 0U, len * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + uint32_t bit0 = n[0U] & (uint32_t)1U; + uint32_t m0 = (uint32_t)0U - bit0; + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m1 = acc; + return m0 & m1; +} + +void +Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u32( + uint32_t len, + uint32_t nBits, + uint32_t *n, + uint32_t *res +) +{ + memset(res, 0U, len * sizeof (uint32_t)); + uint32_t i = nBits / (uint32_t)32U; + uint32_t j = nBits % (uint32_t)32U; + res[i] = res[i] | (uint32_t)1U << j; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)64U * len - nBits; i0++) + { + Hacl_Bignum_bn_add_mod_n_u32(len, n, res, res, res); + } +} + +void +Hacl_Bignum_Montgomery_bn_mont_reduction_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv, + uint32_t *c, + uint32_t *res +) +{ + uint32_t c0 = (uint32_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < len; i0++) + { + uint32_t qj = nInv * c[i0]; + uint32_t *res_j0 = c + i0; + uint32_t c1 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len / (uint32_t)4U; i++) + { + uint32_t a_i = n[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j0 + 
(uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i0); + uint32_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, qj, c1, res_i1); + uint32_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, qj, c1, res_i2); + uint32_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c1, res_i); + } + for (uint32_t i = len / (uint32_t)4U * (uint32_t)4U; i < len; i++) + { + uint32_t a_i = n[i]; + uint32_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i); + } + uint32_t r = c1; + uint32_t c10 = r; + uint32_t *resb = c + len + i0; + uint32_t res_j = c[len + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, c10, res_j, resb); + } + memcpy(res, c + len, (len + len - len) * sizeof (uint32_t)); + uint32_t c00 = c0; + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t tmp[len]; + memset(tmp, 0U, len * sizeof (uint32_t)); + uint32_t c1 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len / (uint32_t)4U; i++) + { + uint32_t t1 = res[(uint32_t)4U * i]; + uint32_t t20 = n[(uint32_t)4U * i]; + uint32_t *res_i0 = tmp + (uint32_t)4U * i; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t1, t20, res_i0); + uint32_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t10, t21, res_i1); + uint32_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t11, t22, res_i2); + uint32_t t12 = res[(uint32_t)4U * i + 
(uint32_t)3U]; + uint32_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t12, t2, res_i); + } + for (uint32_t i = len / (uint32_t)4U * (uint32_t)4U; i < len; i++) + { + uint32_t t1 = res[i]; + uint32_t t2 = n[i]; + uint32_t *res_i = tmp + i; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t1, t2, res_i); + } + uint32_t c10 = c1; + uint32_t c2 = c00 - c10; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t *os = res; + uint32_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } +} + +void +Hacl_Bignum_Montgomery_bn_to_mont_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv, + uint32_t *r2, + uint32_t *a, + uint32_t *aM +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + uint32_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len, a, r2, tmp, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, nInv, c, aM); +} + +void +Hacl_Bignum_Montgomery_bn_from_mont_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv_u64, + uint32_t *aM, + uint32_t *a +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t tmp[len + len]; + memset(tmp, 0U, (len + len) * sizeof (uint32_t)); + memcpy(tmp, aM, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, nInv_u64, tmp, a); +} + +void +Hacl_Bignum_Montgomery_bn_mont_mul_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv_u64, + uint32_t *aM, + uint32_t *bM, + uint32_t *resM +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + uint32_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + 
Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len, aM, bM, tmp, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, nInv_u64, c, resM); +} + +void +Hacl_Bignum_Montgomery_bn_mont_sqr_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv_u64, + uint32_t *aM, + uint32_t *resM +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + uint32_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32(len, aM, tmp, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, nInv_u64, c, resM); +} + +uint64_t Hacl_Bignum_Montgomery_bn_check_modulus_u64(uint32_t len, uint64_t *n) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t one[len]; + memset(one, 0U, len * sizeof (uint64_t)); + memset(one, 0U, len * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + uint64_t bit0 = n[0U] & (uint64_t)1U; + uint64_t m0 = (uint64_t)0U - bit0; + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m1 = acc; + return m0 & m1; +} + +void +Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64( + uint32_t len, + uint32_t nBits, + uint64_t *n, + uint64_t *res +) +{ + memset(res, 0U, len * sizeof (uint64_t)); + uint32_t i = nBits / (uint32_t)64U; + uint32_t j = nBits % (uint32_t)64U; + res[i] = res[i] | (uint64_t)1U << j; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)128U * len - nBits; i0++) + { + Hacl_Bignum_bn_add_mod_n_u64(len, n, res, res, res); + } +} + +void +Hacl_Bignum_Montgomery_bn_mont_reduction_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv, + uint64_t *c, + uint64_t *res +) +{ + uint64_t c0 = (uint64_t)0U; + for (uint32_t i0 
= (uint32_t)0U; i0 < len; i0++) + { + uint64_t qj = nInv * c[i0]; + uint64_t *res_j0 = c + i0; + uint64_t c1 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len / (uint32_t)4U; i++) + { + uint64_t a_i = n[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i0); + uint64_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c1, res_i1); + uint64_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c1, res_i2); + uint64_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c1, res_i); + } + for (uint32_t i = len / (uint32_t)4U * (uint32_t)4U; i < len; i++) + { + uint64_t a_i = n[i]; + uint64_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i); + } + uint64_t r = c1; + uint64_t c10 = r; + uint64_t *resb = c + len + i0; + uint64_t res_j = c[len + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c10, res_j, resb); + } + memcpy(res, c + len, (len + len - len) * sizeof (uint64_t)); + uint64_t c00 = c0; + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t tmp[len]; + memset(tmp, 0U, len * sizeof (uint64_t)); + uint64_t c1 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len / (uint32_t)4U; i++) + { + uint64_t t1 = res[(uint32_t)4U * i]; + uint64_t t20 = n[(uint32_t)4U * i]; + uint64_t *res_i0 = tmp + (uint32_t)4U * i; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t20, res_i0); + uint64_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t10, t21, res_i1); + uint64_t t11 = 
res[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t11, t22, res_i2); + uint64_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t12, t2, res_i); + } + for (uint32_t i = len / (uint32_t)4U * (uint32_t)4U; i < len; i++) + { + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t2, res_i); + } + uint64_t c10 = c1; + uint64_t c2 = c00 - c10; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t *os = res; + uint64_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } +} + +void +Hacl_Bignum_Montgomery_bn_to_mont_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv, + uint64_t *r2, + uint64_t *a, + uint64_t *aM +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + uint64_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len, a, r2, tmp, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, nInv, c, aM); +} + +void +Hacl_Bignum_Montgomery_bn_from_mont_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv_u64, + uint64_t *aM, + uint64_t *a +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t tmp[len + len]; + memset(tmp, 0U, (len + len) * sizeof (uint64_t)); + memcpy(tmp, aM, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, nInv_u64, tmp, a); +} + +void +Hacl_Bignum_Montgomery_bn_mont_mul_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv_u64, + uint64_t *aM, + uint64_t *bM, + uint64_t *resM +) +{ + KRML_CHECK_SIZE(sizeof 
(uint64_t), len + len); + uint64_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + uint64_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len, aM, bM, tmp, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, nInv_u64, c, resM); +} + +void +Hacl_Bignum_Montgomery_bn_mont_sqr_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv_u64, + uint64_t *aM, + uint64_t *resM +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + uint64_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64(len, aM, tmp, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, nInv_u64, c, resM); +} + +static void +bn_almost_mont_reduction_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv, + uint32_t *c, + uint32_t *res +) +{ + uint32_t c0 = (uint32_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < len; i0++) + { + uint32_t qj = nInv * c[i0]; + uint32_t *res_j0 = c + i0; + uint32_t c1 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len / (uint32_t)4U; i++) + { + uint32_t a_i = n[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i0); + uint32_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, qj, c1, res_i1); + uint32_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, qj, c1, res_i2); + uint32_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = 
Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c1, res_i); + } + for (uint32_t i = len / (uint32_t)4U * (uint32_t)4U; i < len; i++) + { + uint32_t a_i = n[i]; + uint32_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i); + } + uint32_t r = c1; + uint32_t c10 = r; + uint32_t *resb = c + len + i0; + uint32_t res_j = c[len + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, c10, res_j, resb); + } + memcpy(res, c + len, (len + len - len) * sizeof (uint32_t)); + uint32_t c00 = c0; + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t tmp[len]; + memset(tmp, 0U, len * sizeof (uint32_t)); + uint32_t c1 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(len, res, n, tmp); + uint32_t m = (uint32_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t *os = res; + uint32_t x = (m & tmp[i]) | (~m & res[i]); + os[i] = x; + } +} + +static void +bn_almost_mont_mul_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv_u64, + uint32_t *aM, + uint32_t *bM, + uint32_t *resM +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + uint32_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len, aM, bM, tmp, c); + bn_almost_mont_reduction_u32(len, n, nInv_u64, c, resM); +} + +static void +bn_almost_mont_sqr_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv_u64, + uint32_t *aM, + uint32_t *resM +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + uint32_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32(len, aM, tmp, c); + bn_almost_mont_reduction_u32(len, n, nInv_u64, c, resM); +} + +static void 
+bn_almost_mont_reduction_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv, + uint64_t *c, + uint64_t *res +) +{ + uint64_t c0 = (uint64_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < len; i0++) + { + uint64_t qj = nInv * c[i0]; + uint64_t *res_j0 = c + i0; + uint64_t c1 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len / (uint32_t)4U; i++) + { + uint64_t a_i = n[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i0); + uint64_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c1, res_i1); + uint64_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c1, res_i2); + uint64_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c1, res_i); + } + for (uint32_t i = len / (uint32_t)4U * (uint32_t)4U; i < len; i++) + { + uint64_t a_i = n[i]; + uint64_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i); + } + uint64_t r = c1; + uint64_t c10 = r; + uint64_t *resb = c + len + i0; + uint64_t res_j = c[len + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c10, res_j, resb); + } + memcpy(res, c + len, (len + len - len) * sizeof (uint64_t)); + uint64_t c00 = c0; + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t tmp[len]; + memset(tmp, 0U, len * sizeof (uint64_t)); + uint64_t c1 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(len, res, n, tmp); + uint64_t m = (uint64_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t *os = res; + uint64_t x = (m & tmp[i]) | (~m & res[i]); + os[i] = x; + } +} + +static void +bn_almost_mont_mul_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv_u64, + uint64_t *aM, + uint64_t *bM, + 
uint64_t *resM +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + uint64_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len, aM, bM, tmp, c); + bn_almost_mont_reduction_u64(len, n, nInv_u64, c, resM); +} + +static void +bn_almost_mont_sqr_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv_u64, + uint64_t *aM, + uint64_t *resM +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + uint64_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64(len, aM, tmp, c); + bn_almost_mont_reduction_u64(len, n, nInv_u64, c, resM); +} + +uint32_t +Hacl_Bignum_Exponentiation_bn_check_mod_exp_u32( + uint32_t len, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t one[len]; + memset(one, 0U, len * sizeof (uint32_t)); + memset(one, 0U, len * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + uint32_t bit0 = n[0U] & (uint32_t)1U; + uint32_t m0 = (uint32_t)0U - bit0; + uint32_t acc0 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m10 = acc0; + uint32_t m00 = m0 & m10; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + uint32_t m1; + if (bBits < (uint32_t)32U * bLen) + { + KRML_CHECK_SIZE(sizeof (uint32_t), bLen); + uint32_t b2[bLen]; + memset(b2, 0U, 
bLen * sizeof (uint32_t)); + uint32_t i0 = bBits / (uint32_t)32U; + uint32_t j = bBits % (uint32_t)32U; + b2[i0] = b2[i0] | (uint32_t)1U << j; + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < bLen; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(b[i], b2[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(b[i], b2[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t res = acc; + m1 = res; + } + else + { + m1 = (uint32_t)0xFFFFFFFFU; + } + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m2 = acc; + uint32_t m = m1 & m2; + return m00 & m; +} + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u32( + uint32_t len, + uint32_t *n, + uint32_t mu, + uint32_t *r2, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + if (bBits < (uint32_t)200U) + { + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t aM[len]; + memset(aM, 0U, len * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + uint32_t tmp0[(uint32_t)4U * len]; + memset(tmp0, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len, a, r2, tmp0, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, c, aM); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t resM[len]; + memset(resM, 0U, len * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t tmp1[len + len]; + memset(tmp1, 0U, (len + len) * sizeof (uint32_t)); + memcpy(tmp1, r2, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, tmp1, resM); + for (uint32_t i = (uint32_t)0U; 
i < bBits; i++) + { + uint32_t i1 = i / (uint32_t)32U; + uint32_t j = i % (uint32_t)32U; + uint32_t tmp = b[i1]; + uint32_t bit = tmp >> j & (uint32_t)1U; + if (!(bit == (uint32_t)0U)) + { + bn_almost_mont_mul_u32(len, n, mu, resM, aM, resM); + } + bn_almost_mont_sqr_u32(len, n, mu, aM, aM); + } + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t tmp[len + len]; + memset(tmp, 0U, (len + len) * sizeof (uint32_t)); + memcpy(tmp, resM, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, tmp, res); + return; + } + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t aM[len]; + memset(aM, 0U, len * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + uint32_t tmp0[(uint32_t)4U * len]; + memset(tmp0, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len, a, r2, tmp0, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, c, aM); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t resM[len]; + memset(resM, 0U, len * sizeof (uint32_t)); + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t tmp[len + len]; + memset(tmp, 0U, (len + len) * sizeof (uint32_t)); + memcpy(tmp, r2, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, tmp, resM); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)16U * len); + uint32_t table[(uint32_t)16U * len]; + memset(table, 0U, (uint32_t)16U * len * sizeof (uint32_t)); + memcpy(table, resM, len * sizeof (uint32_t)); + uint32_t *t1 = table + len; + memcpy(t1, aM, len * sizeof (uint32_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint32_t *t11 = table + (i + (uint32_t)1U) * len; + uint32_t *t2 = 
table + (i + (uint32_t)2U) * len; + bn_almost_mont_mul_u32(len, n, mu, t11, aM, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)32U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)32U; + uint32_t p1 = b[i] >> j; + uint32_t ite; + if (i + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_c = ite & mask_l; + uint32_t bits_l32 = bits_c; + uint32_t *a_bits_l = table + bits_l32 * len; + memcpy(resM, a_bits_l, len * sizeof (uint32_t)); + } + for (uint32_t i = (uint32_t)0U; i < bBits / (uint32_t)4U; i++) + { + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + bn_almost_mont_sqr_u32(len, n, mu, resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)32U; + uint32_t j = (bk - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)32U; + uint32_t p1 = b[i1] >> j; + uint32_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_l = ite & mask_l; + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t a_bits_l[len]; + memset(a_bits_l, 0U, len * sizeof (uint32_t)); + uint32_t bits_l32 = bits_l; + uint32_t *a_bits_l1 = table + bits_l32 * len; + memcpy(a_bits_l, a_bits_l1, len * sizeof (uint32_t)); + bn_almost_mont_mul_u32(len, n, mu, resM, a_bits_l, resM); + } + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t tmp1[len + len]; + memset(tmp1, 0U, (len + len) * sizeof (uint32_t)); + memcpy(tmp1, resM, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, tmp1, res); +} + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u32( + uint32_t len, + uint32_t *n, + 
uint32_t mu, + uint32_t *r2, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + if (bBits < (uint32_t)200U) + { + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t aM[len]; + memset(aM, 0U, len * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + uint32_t tmp0[(uint32_t)4U * len]; + memset(tmp0, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len, a, r2, tmp0, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, c, aM); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t resM[len]; + memset(resM, 0U, len * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t tmp1[len + len]; + memset(tmp1, 0U, (len + len) * sizeof (uint32_t)); + memcpy(tmp1, r2, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, tmp1, resM); + uint32_t sw = (uint32_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < bBits; i0++) + { + uint32_t i1 = (bBits - i0 - (uint32_t)1U) / (uint32_t)32U; + uint32_t j = (bBits - i0 - (uint32_t)1U) % (uint32_t)32U; + uint32_t tmp = b[i1]; + uint32_t bit = tmp >> j & (uint32_t)1U; + uint32_t sw1 = bit ^ sw; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t dummy = ((uint32_t)0U - sw1) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + bn_almost_mont_mul_u32(len, n, mu, aM, resM, aM); + bn_almost_mont_sqr_u32(len, n, mu, resM, resM); + sw = bit; + } + uint32_t sw0 = sw; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t dummy = ((uint32_t)0U - sw0) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t tmp[len + len]; + memset(tmp, 0U, (len + len) * sizeof (uint32_t)); + memcpy(tmp, resM, len * sizeof (uint32_t)); + 
Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, tmp, res); + return; + } + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t aM[len]; + memset(aM, 0U, len * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t c0[len + len]; + memset(c0, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + uint32_t tmp0[(uint32_t)4U * len]; + memset(tmp0, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len, a, r2, tmp0, c0); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, c0, aM); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t resM[len]; + memset(resM, 0U, len * sizeof (uint32_t)); + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t tmp[len + len]; + memset(tmp, 0U, (len + len) * sizeof (uint32_t)); + memcpy(tmp, r2, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, tmp, resM); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)16U * len); + uint32_t table[(uint32_t)16U * len]; + memset(table, 0U, (uint32_t)16U * len * sizeof (uint32_t)); + memcpy(table, resM, len * sizeof (uint32_t)); + uint32_t *t1 = table + len; + memcpy(t1, aM, len * sizeof (uint32_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint32_t *t11 = table + (i + (uint32_t)1U) * len; + uint32_t *t2 = table + (i + (uint32_t)2U) * len; + bn_almost_mont_mul_u32(len, n, mu, t11, aM, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i0 = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)32U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)32U; + uint32_t p1 = b[i0] >> j; + uint32_t ite; + if (i0 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i0 + (uint32_t)1U] << 
((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_c = ite & mask_l; + memcpy(resM, table, len * sizeof (uint32_t)); + for (uint32_t i1 = (uint32_t)0U; i1 < (uint32_t)15U; i1++) + { + uint32_t c = FStar_UInt32_eq_mask(bits_c, i1 + (uint32_t)1U); + uint32_t *res_j = table + (i1 + (uint32_t)1U) * len; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t *os = resM; + uint32_t x = (c & res_j[i]) | (~c & resM[i]); + os[i] = x; + } + } + } + for (uint32_t i0 = (uint32_t)0U; i0 < bBits / (uint32_t)4U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + bn_almost_mont_sqr_u32(len, n, mu, resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i0 - (uint32_t)4U) / (uint32_t)32U; + uint32_t j = (bk - (uint32_t)4U * i0 - (uint32_t)4U) % (uint32_t)32U; + uint32_t p1 = b[i1] >> j; + uint32_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_l = ite & mask_l; + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t a_bits_l[len]; + memset(a_bits_l, 0U, len * sizeof (uint32_t)); + memcpy(a_bits_l, table, len * sizeof (uint32_t)); + for (uint32_t i2 = (uint32_t)0U; i2 < (uint32_t)15U; i2++) + { + uint32_t c = FStar_UInt32_eq_mask(bits_l, i2 + (uint32_t)1U); + uint32_t *res_j = table + (i2 + (uint32_t)1U) * len; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t *os = a_bits_l; + uint32_t x = (c & res_j[i]) | (~c & a_bits_l[i]); + os[i] = x; + } + } + bn_almost_mont_mul_u32(len, n, mu, resM, a_bits_l, resM); + } + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t tmp1[len + len]; + memset(tmp1, 0U, (len + len) * sizeof (uint32_t)); + memcpy(tmp1, resM, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, tmp1, res); +} + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u32( + 
uint32_t len, + uint32_t nBits, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t r2[len]; + memset(r2, 0U, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u32(len, nBits, n, r2); + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u32(len, n, mu, r2, a, bBits, b, res); +} + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_u32( + uint32_t len, + uint32_t nBits, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t r2[len]; + memset(r2, 0U, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u32(len, nBits, n, r2); + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u32(len, n, mu, r2, a, bBits, b, res); +} + +uint64_t +Hacl_Bignum_Exponentiation_bn_check_mod_exp_u64( + uint32_t len, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t one[len]; + memset(one, 0U, len * sizeof (uint64_t)); + memset(one, 0U, len * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + uint64_t bit0 = n[0U] & (uint64_t)1U; + uint64_t m0 = (uint64_t)0U - bit0; + uint64_t acc0 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m10 = acc0; + uint64_t m00 = m0 & m10; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + uint64_t m1; + if (bBits < (uint32_t)64U * bLen) + { + KRML_CHECK_SIZE(sizeof (uint64_t), bLen); + uint64_t b2[bLen]; + 
memset(b2, 0U, bLen * sizeof (uint64_t)); + uint32_t i0 = bBits / (uint32_t)64U; + uint32_t j = bBits % (uint32_t)64U; + b2[i0] = b2[i0] | (uint64_t)1U << j; + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < bLen; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(b[i], b2[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(b[i], b2[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t res = acc; + m1 = res; + } + else + { + m1 = (uint64_t)0xFFFFFFFFFFFFFFFFU; + } + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m2 = acc; + uint64_t m = m1 & m2; + return m00 & m; +} + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64( + uint32_t len, + uint64_t *n, + uint64_t mu, + uint64_t *r2, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + if (bBits < (uint32_t)200U) + { + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t aM[len]; + memset(aM, 0U, len * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + uint64_t tmp0[(uint32_t)4U * len]; + memset(tmp0, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len, a, r2, tmp0, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, c, aM); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t resM[len]; + memset(resM, 0U, len * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t tmp1[len + len]; + memset(tmp1, 0U, (len + len) * sizeof (uint64_t)); + memcpy(tmp1, r2, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, tmp1, 
resM); + for (uint32_t i = (uint32_t)0U; i < bBits; i++) + { + uint32_t i1 = i / (uint32_t)64U; + uint32_t j = i % (uint32_t)64U; + uint64_t tmp = b[i1]; + uint64_t bit = tmp >> j & (uint64_t)1U; + if (!(bit == (uint64_t)0U)) + { + bn_almost_mont_mul_u64(len, n, mu, resM, aM, resM); + } + bn_almost_mont_sqr_u64(len, n, mu, aM, aM); + } + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t tmp[len + len]; + memset(tmp, 0U, (len + len) * sizeof (uint64_t)); + memcpy(tmp, resM, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, tmp, res); + return; + } + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t aM[len]; + memset(aM, 0U, len * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + uint64_t tmp0[(uint32_t)4U * len]; + memset(tmp0, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len, a, r2, tmp0, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, c, aM); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t resM[len]; + memset(resM, 0U, len * sizeof (uint64_t)); + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t tmp[len + len]; + memset(tmp, 0U, (len + len) * sizeof (uint64_t)); + memcpy(tmp, r2, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, tmp, resM); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)16U * len); + uint64_t table[(uint32_t)16U * len]; + memset(table, 0U, (uint32_t)16U * len * sizeof (uint64_t)); + memcpy(table, resM, len * sizeof (uint64_t)); + uint64_t *t1 = table + len; + memcpy(t1, aM, len * sizeof (uint64_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table + (i 
+ (uint32_t)1U) * len; + uint64_t *t2 = table + (i + (uint32_t)2U) * len; + bn_almost_mont_mul_u64(len, n, mu, t11, aM, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)64U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)64U; + uint64_t p1 = b[i] >> j; + uint64_t ite; + if (i + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_c = ite & mask_l; + uint32_t bits_l32 = (uint32_t)bits_c; + uint64_t *a_bits_l = table + bits_l32 * len; + memcpy(resM, a_bits_l, len * sizeof (uint64_t)); + } + for (uint32_t i = (uint32_t)0U; i < bBits / (uint32_t)4U; i++) + { + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + bn_almost_mont_sqr_u64(len, n, mu, resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = b[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_l = ite & mask_l; + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t a_bits_l[len]; + memset(a_bits_l, 0U, len * sizeof (uint64_t)); + uint32_t bits_l32 = (uint32_t)bits_l; + uint64_t *a_bits_l1 = table + bits_l32 * len; + memcpy(a_bits_l, a_bits_l1, len * sizeof (uint64_t)); + bn_almost_mont_mul_u64(len, n, mu, resM, a_bits_l, resM); + } + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t tmp1[len + len]; + memset(tmp1, 0U, (len + len) * sizeof (uint64_t)); + memcpy(tmp1, resM, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, tmp1, res); +} + +void 
+Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u64( + uint32_t len, + uint64_t *n, + uint64_t mu, + uint64_t *r2, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + if (bBits < (uint32_t)200U) + { + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t aM[len]; + memset(aM, 0U, len * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + uint64_t tmp0[(uint32_t)4U * len]; + memset(tmp0, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len, a, r2, tmp0, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, c, aM); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t resM[len]; + memset(resM, 0U, len * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t tmp1[len + len]; + memset(tmp1, 0U, (len + len) * sizeof (uint64_t)); + memcpy(tmp1, r2, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, tmp1, resM); + uint64_t sw = (uint64_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < bBits; i0++) + { + uint32_t i1 = (bBits - i0 - (uint32_t)1U) / (uint32_t)64U; + uint32_t j = (bBits - i0 - (uint32_t)1U) % (uint32_t)64U; + uint64_t tmp = b[i1]; + uint64_t bit = tmp >> j & (uint64_t)1U; + uint64_t sw1 = bit ^ sw; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t dummy = ((uint64_t)0U - sw1) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + bn_almost_mont_mul_u64(len, n, mu, aM, resM, aM); + bn_almost_mont_sqr_u64(len, n, mu, resM, resM); + sw = bit; + } + uint64_t sw0 = sw; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t dummy = ((uint64_t)0U - sw0) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t tmp[len + len]; + memset(tmp, 0U, (len + len) * 
sizeof (uint64_t)); + memcpy(tmp, resM, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, tmp, res); + return; + } + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t aM[len]; + memset(aM, 0U, len * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t c0[len + len]; + memset(c0, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + uint64_t tmp0[(uint32_t)4U * len]; + memset(tmp0, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len, a, r2, tmp0, c0); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, c0, aM); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t resM[len]; + memset(resM, 0U, len * sizeof (uint64_t)); + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t tmp[len + len]; + memset(tmp, 0U, (len + len) * sizeof (uint64_t)); + memcpy(tmp, r2, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, tmp, resM); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)16U * len); + uint64_t table[(uint32_t)16U * len]; + memset(table, 0U, (uint32_t)16U * len * sizeof (uint64_t)); + memcpy(table, resM, len * sizeof (uint64_t)); + uint64_t *t1 = table + len; + memcpy(t1, aM, len * sizeof (uint64_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table + (i + (uint32_t)1U) * len; + uint64_t *t2 = table + (i + (uint32_t)2U) * len; + bn_almost_mont_mul_u64(len, n, mu, t11, aM, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i0 = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)64U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)64U; + uint64_t p1 = b[i0] >> j; + uint64_t ite; + if (i0 + (uint32_t)1U < bLen && 
(uint32_t)0U < j) + { + ite = p1 | b[i0 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_c = ite & mask_l; + memcpy(resM, table, len * sizeof (uint64_t)); + for (uint32_t i1 = (uint32_t)0U; i1 < (uint32_t)15U; i1++) + { + uint64_t c = FStar_UInt64_eq_mask(bits_c, (uint64_t)(i1 + (uint32_t)1U)); + uint64_t *res_j = table + (i1 + (uint32_t)1U) * len; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t *os = resM; + uint64_t x = (c & res_j[i]) | (~c & resM[i]); + os[i] = x; + } + } + } + for (uint32_t i0 = (uint32_t)0U; i0 < bBits / (uint32_t)4U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + bn_almost_mont_sqr_u64(len, n, mu, resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i0 - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk - (uint32_t)4U * i0 - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = b[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_l = ite & mask_l; + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t a_bits_l[len]; + memset(a_bits_l, 0U, len * sizeof (uint64_t)); + memcpy(a_bits_l, table, len * sizeof (uint64_t)); + for (uint32_t i2 = (uint32_t)0U; i2 < (uint32_t)15U; i2++) + { + uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i2 + (uint32_t)1U)); + uint64_t *res_j = table + (i2 + (uint32_t)1U) * len; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t *os = a_bits_l; + uint64_t x = (c & res_j[i]) | (~c & a_bits_l[i]); + os[i] = x; + } + } + bn_almost_mont_mul_u64(len, n, mu, resM, a_bits_l, resM); + } + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t tmp1[len + len]; + memset(tmp1, 0U, (len + len) * sizeof (uint64_t)); + memcpy(tmp1, resM, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, 
n, mu, tmp1, res); +} + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u64( + uint32_t len, + uint32_t nBits, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t r2[len]; + memset(r2, 0U, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64(len, nBits, n, r2); + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64(len, n, mu, r2, a, bBits, b, res); +} + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_u64( + uint32_t len, + uint32_t nBits, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t r2[len]; + memset(r2, 0U, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64(len, nBits, n, r2); + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u64(len, n, mu, r2, a, bBits, b, res); +} + diff --git a/src/Hacl_Bignum256.c b/src/Hacl_Bignum256.c new file mode 100644 index 00000000..1d7bf54f --- /dev/null +++ b/src/Hacl_Bignum256.c 
@@ -0,0 +1,1617 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Bignum256.h" + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Bignum.h" + +/******************************************************************************* + +A verified 256-bit bignum library. + +This is a 64-bit optimized version, where bignums are represented as an array +of four unsigned 64-bit integers, i.e. uint64_t[4]. Furthermore, the +limbs are stored in little-endian format, i.e. the least significant limb is at +index 0. Each limb is stored in native format in memory. Example: + + uint64_t sixteen[4] = { 0x10; 0x00; 0x00; 0x00 } + +We strongly encourage users to go through the conversion functions, e.g. 
+bn_from_bytes_be, to i) not depend on internal representation choices and ii) +have the ability to switch easily to a 32-bit optimized version in the future. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2^256` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 256-bit bignums, i.e. uint64_t[4] +*/ +uint64_t Hacl_Bignum256_add(uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t20, res_i0); + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t10, t21, res_i1); + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, t22, res_i2); + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t2, res_i); + } + return c; +} + +/* +Write `a - b mod 2^256` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 256-bit bignums, i.e. 
uint64_t[4] +*/ +uint64_t Hacl_Bignum256_sub(uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t2, res_i); + } + return c; +} + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • a < n + • b < n +*/ +void Hacl_Bignum256_add_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c0 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t1, t20, res_i0); + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t10, t21, res_i1); + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t11, t22, res_i2); + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t1, t2, res_i); + } + uint64_t c00 = c0; + uint64_t tmp[4U] = { 0U }; + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t t1 = res[(uint32_t)4U * i]; + uint64_t t20 = n[(uint32_t)4U * i]; + uint64_t *res_i0 = tmp + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); + uint64_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); + uint64_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = tmp + 
(uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); + uint64_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t2, res_i); + } + uint64_t c1 = c; + uint64_t c2 = c00 - c1; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = res; + uint64_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } +} + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum256_sub_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c0 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t1, t20, res_i0); + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t10, t21, res_i1); + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t11, t22, res_i2); + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + 
(uint32_t)3U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t1, t2, res_i); + } + uint64_t c00 = c0; + uint64_t tmp[4U] = { 0U }; + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t t1 = res[(uint32_t)4U * i]; + uint64_t t20 = n[(uint32_t)4U * i]; + uint64_t *res_i0 = tmp + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t20, res_i0); + uint64_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t10, t21, res_i1); + uint64_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, t22, res_i2); + uint64_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t2, res_i); + } + uint64_t c1 = c; + uint64_t c2 = (uint64_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = res; + uint64_t x = (c2 & tmp[i]) | (~c2 & res[i]); + os[i] = x; + } +} + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint64_t[4]. + The outparam res is meant to be a 512-bit bignum, i.e. uint64_t[8]. 
+*/ +void Hacl_Bignum256_mul(uint64_t *a, uint64_t *b, uint64_t *res) +{ + memset(res, 0U, (uint32_t)8U * sizeof (uint64_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + uint64_t bj = b[i0]; + uint64_t *res_j = res + i0; + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t a_i = a[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, bj, c, res_i0); + uint64_t a_i0 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, bj, c, res_i1); + uint64_t a_i1 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, bj, c, res_i2); + uint64_t a_i2 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, bj, c, res_i); + } + for (uint32_t i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t a_i = a[i]; + uint64_t *res_i = res_j + i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, bj, c, res_i); + } + uint64_t r = c; + res[(uint32_t)4U + i0] = r; + } +} + +/* +Write `a * a` in `res`. + + The argument a is meant to be a 256-bit bignum, i.e. uint64_t[4]. + The outparam res is meant to be a 512-bit bignum, i.e. uint64_t[8]. 
+*/ +void Hacl_Bignum256_sqr(uint64_t *a, uint64_t *res) +{ + memset(res, 0U, (uint32_t)8U * sizeof (uint64_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + uint64_t *ab = a; + uint64_t a_j = a[i0]; + uint64_t *res_j = res + i0; + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < i0 / (uint32_t)4U; i++) + { + uint64_t a_i = ab[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c, res_i0); + uint64_t a_i0 = ab[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, a_j, c, res_i1); + uint64_t a_i1 = ab[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, a_j, c, res_i2); + uint64_t a_i2 = ab[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, a_j, c, res_i); + } + for (uint32_t i = i0 / (uint32_t)4U * (uint32_t)4U; i < i0; i++) + { + uint64_t a_i = ab[i]; + uint64_t *res_i = res_j + i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c, res_i); + } + uint64_t r = c; + res[i0 + i0] = r; + } + uint64_t c0 = Hacl_Bignum_Addition_bn_add_eq_len_u64((uint32_t)8U, res, res, res); + uint64_t tmp[8U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + FStar_UInt128_uint128 res1 = FStar_UInt128_mul_wide(a[i], a[i]); + uint64_t hi = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res1, (uint32_t)64U)); + uint64_t lo = FStar_UInt128_uint128_to_uint64(res1); + tmp[(uint32_t)2U * i] = lo; + tmp[(uint32_t)2U * i + (uint32_t)1U] = hi; + } + uint64_t c1 = Hacl_Bignum_Addition_bn_add_eq_len_u64((uint32_t)8U, res, tmp, res); +} + +static inline void precompr2(uint32_t nBits, uint64_t *n, uint64_t *res) +{ + memset(res, 0U, (uint32_t)4U * sizeof (uint64_t)); + uint32_t i = nBits / 
(uint32_t)64U; + uint32_t j = nBits % (uint32_t)64U; + res[i] = res[i] | (uint64_t)1U << j; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)512U - nBits; i0++) + { + Hacl_Bignum256_add_mod(n, res, res, res); + } +} + +static inline void reduction(uint64_t *n, uint64_t nInv, uint64_t *c, uint64_t *res) +{ + uint64_t c0 = (uint64_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + uint64_t qj = nInv * c[i0]; + uint64_t *res_j0 = c + i0; + uint64_t c1 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t a_i = n[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i0); + uint64_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c1, res_i1); + uint64_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c1, res_i2); + uint64_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c1, res_i); + } + for (uint32_t i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t a_i = n[i]; + uint64_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i); + } + uint64_t r = c1; + uint64_t c10 = r; + uint64_t *resb = c + (uint32_t)4U + i0; + uint64_t res_j = c[(uint32_t)4U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c10, res_j, resb); + } + memcpy(res, c + (uint32_t)4U, (uint32_t)4U * sizeof (uint64_t)); + uint64_t c00 = c0; + uint64_t tmp[4U] = { 0U }; + uint64_t c1 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t t1 = res[(uint32_t)4U * i]; + uint64_t t20 = n[(uint32_t)4U * i]; + uint64_t *res_i0 = tmp + (uint32_t)4U * i; + c1 = 
Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t20, res_i0); + uint64_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t10, t21, res_i1); + uint64_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t11, t22, res_i2); + uint64_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t2, res_i); + } + uint64_t c10 = c1; + uint64_t c2 = c00 - c10; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = res; + uint64_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } +} + +static inline void areduction(uint64_t *n, uint64_t nInv, uint64_t *c, uint64_t *res) +{ + uint64_t c0 = (uint64_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + uint64_t qj = nInv * c[i0]; + uint64_t *res_j0 = c + i0; + uint64_t c1 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t a_i = n[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i0); + uint64_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c1, res_i1); + uint64_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = 
Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c1, res_i2); + uint64_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c1, res_i); + } + for (uint32_t i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t a_i = n[i]; + uint64_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i); + } + uint64_t r = c1; + uint64_t c10 = r; + uint64_t *resb = c + (uint32_t)4U + i0; + uint64_t res_j = c[(uint32_t)4U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c10, res_j, resb); + } + memcpy(res, c + (uint32_t)4U, (uint32_t)4U * sizeof (uint64_t)); + uint64_t c00 = c0; + uint64_t tmp[4U] = { 0U }; + uint64_t c1 = Hacl_Bignum256_sub(res, n, tmp); + uint64_t m = (uint64_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = res; + uint64_t x = (m & tmp[i]) | (~m & res[i]); + os[i] = x; + } +} + +static inline void +amont_mul(uint64_t *n, uint64_t nInv_u64, uint64_t *aM, uint64_t *bM, uint64_t *resM) +{ + uint64_t c[8U] = { 0U }; + memset(c, 0U, (uint32_t)8U * sizeof (uint64_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + uint64_t bj = bM[i0]; + uint64_t *res_j = c + i0; + uint64_t c1 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t a_i = aM[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, bj, c1, res_i0); + uint64_t a_i0 = aM[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, bj, c1, res_i1); + uint64_t a_i1 = aM[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, bj, c1, res_i2); + uint64_t a_i2 = aM[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c1 
= Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, bj, c1, res_i); + } + for (uint32_t i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t a_i = aM[i]; + uint64_t *res_i = res_j + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, bj, c1, res_i); + } + uint64_t r = c1; + c[(uint32_t)4U + i0] = r; + } + areduction(n, nInv_u64, c, resM); +} + +static inline void amont_sqr(uint64_t *n, uint64_t nInv_u64, uint64_t *aM, uint64_t *resM) +{ + uint64_t c[8U] = { 0U }; + memset(c, 0U, (uint32_t)8U * sizeof (uint64_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + uint64_t *ab = aM; + uint64_t a_j = aM[i0]; + uint64_t *res_j = c + i0; + uint64_t c1 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < i0 / (uint32_t)4U; i++) + { + uint64_t a_i = ab[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c1, res_i0); + uint64_t a_i0 = ab[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, a_j, c1, res_i1); + uint64_t a_i1 = ab[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, a_j, c1, res_i2); + uint64_t a_i2 = ab[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, a_j, c1, res_i); + } + for (uint32_t i = i0 / (uint32_t)4U * (uint32_t)4U; i < i0; i++) + { + uint64_t a_i = ab[i]; + uint64_t *res_i = res_j + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c1, res_i); + } + uint64_t r = c1; + c[i0 + i0] = r; + } + uint64_t c0 = Hacl_Bignum_Addition_bn_add_eq_len_u64((uint32_t)8U, c, c, c); + uint64_t tmp[8U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + FStar_UInt128_uint128 res = FStar_UInt128_mul_wide(aM[i], aM[i]); + uint64_t hi = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, 
(uint32_t)64U)); + uint64_t lo = FStar_UInt128_uint128_to_uint64(res); + tmp[(uint32_t)2U * i] = lo; + tmp[(uint32_t)2U * i + (uint32_t)1U] = hi; + } + uint64_t c1 = Hacl_Bignum_Addition_bn_add_eq_len_u64((uint32_t)8U, c, tmp, c); + areduction(n, nInv_u64, c, resM); +} + +static inline void +bn_slow_precomp(uint64_t *n, uint64_t mu, uint64_t *r2, uint64_t *a, uint64_t *res) +{ + uint64_t a_mod[4U] = { 0U }; + uint64_t a1[8U] = { 0U }; + memcpy(a1, a, (uint32_t)8U * sizeof (uint64_t)); + uint64_t c0 = (uint64_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + uint64_t qj = mu * a1[i0]; + uint64_t *res_j0 = a1 + i0; + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t a_i = n[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j0 + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i0); + uint64_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c, res_i1); + uint64_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c, res_i2); + uint64_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c, res_i); + } + for (uint32_t i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t a_i = n[i]; + uint64_t *res_i = res_j0 + i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i); + } + uint64_t r = c; + uint64_t c1 = r; + uint64_t *resb = a1 + (uint32_t)4U + i0; + uint64_t res_j = a1[(uint32_t)4U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c1, res_j, resb); + } + memcpy(a_mod, a1 + (uint32_t)4U, (uint32_t)4U * sizeof (uint64_t)); + uint64_t c00 = c0; + uint64_t tmp[4U] = { 0U }; + uint64_t c1 = Hacl_Bignum256_sub(a_mod, n, tmp); + uint64_t m = (uint64_t)0U - 
c00; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = a_mod; + uint64_t x = (m & tmp[i]) | (~m & a_mod[i]); + os[i] = x; + } + uint64_t c[8U] = { 0U }; + Hacl_Bignum256_mul(a_mod, r2, c); + reduction(n, mu, c, res); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 512-bit bignum, i.e. uint64_t[8]. + The argument n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum256_mod(uint64_t *n, uint64_t *a, uint64_t *res) +{ + uint64_t one[4U] = { 0U }; + memset(one, 0U, (uint32_t)4U * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + uint64_t bit0 = n[0U] & (uint64_t)1U; + uint64_t m0 = (uint64_t)0U - bit0; + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m1 = acc; + uint64_t is_valid_m = m0 & m1; + uint32_t + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)4U, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + uint64_t r2[4U] = { 0U }; + precompr2(nBits, n, r2); + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + bn_slow_precomp(n, mu, r2, a, res); + } + else + { + memset(res, 0U, (uint32_t)4U * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +static uint64_t exp_check(uint64_t *n, uint64_t *a, uint32_t bBits, uint64_t *b) +{ + uint64_t one[4U] = { 0U }; + memset(one, 0U, (uint32_t)4U * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + uint64_t bit0 = n[0U] & (uint64_t)1U; + uint64_t m0 = (uint64_t)0U - bit0; + uint64_t acc0 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t beq = 
FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m10 = acc0; + uint64_t m00 = m0 & m10; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + uint64_t m1; + if (bBits < (uint32_t)64U * bLen) + { + KRML_CHECK_SIZE(sizeof (uint64_t), bLen); + uint64_t b2[bLen]; + memset(b2, 0U, bLen * sizeof (uint64_t)); + uint32_t i0 = bBits / (uint32_t)64U; + uint32_t j = bBits % (uint32_t)64U; + b2[i0] = b2[i0] | (uint64_t)1U << j; + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < bLen; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(b[i], b2[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(b[i], b2[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t res = acc; + m1 = res; + } + else + { + m1 = (uint64_t)0xFFFFFFFFFFFFFFFFU; + } + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m2 = acc; + uint64_t m = m1 & m2; + return m00 & m; +} + +static inline void +exp_vartime_precomp( + uint64_t *n, + uint64_t mu, + uint64_t *r2, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + if (bBits < (uint32_t)200U) + { + uint64_t aM[4U] = { 0U }; + uint64_t c[8U] = { 0U }; + Hacl_Bignum256_mul(a, r2, c); + reduction(n, mu, c, aM); + uint64_t resM[4U] = { 0U }; + uint64_t tmp0[8U] = { 0U }; + memcpy(tmp0, r2, (uint32_t)4U * sizeof (uint64_t)); + reduction(n, mu, tmp0, resM); + for (uint32_t i = (uint32_t)0U; i < bBits; i++) + { + uint32_t i1 = i / (uint32_t)64U; + uint32_t j = i % (uint32_t)64U; 
+ uint64_t tmp = b[i1]; + uint64_t bit = tmp >> j & (uint64_t)1U; + if (!(bit == (uint64_t)0U)) + { + amont_mul(n, mu, resM, aM, resM); + } + amont_sqr(n, mu, aM, aM); + } + uint64_t tmp[8U] = { 0U }; + memcpy(tmp, resM, (uint32_t)4U * sizeof (uint64_t)); + reduction(n, mu, tmp, res); + return; + } + uint64_t aM[4U] = { 0U }; + uint64_t c[8U] = { 0U }; + Hacl_Bignum256_mul(a, r2, c); + reduction(n, mu, c, aM); + uint64_t resM[4U] = { 0U }; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + uint64_t tmp[8U] = { 0U }; + memcpy(tmp, r2, (uint32_t)4U * sizeof (uint64_t)); + reduction(n, mu, tmp, resM); + uint64_t table[64U] = { 0U }; + memcpy(table, resM, (uint32_t)4U * sizeof (uint64_t)); + uint64_t *t1 = table + (uint32_t)4U; + memcpy(t1, aM, (uint32_t)4U * sizeof (uint64_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)4U; + uint64_t *t2 = table + (i + (uint32_t)2U) * (uint32_t)4U; + amont_mul(n, mu, t11, aM, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)64U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)64U; + uint64_t p1 = b[i] >> j; + uint64_t ite; + if (i + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_c = ite & mask_l; + uint32_t bits_l32 = (uint32_t)bits_c; + uint64_t *a_bits_l = table + bits_l32 * (uint32_t)4U; + memcpy(resM, a_bits_l, (uint32_t)4U * sizeof (uint64_t)); + } + for (uint32_t i = (uint32_t)0U; i < bBits / (uint32_t)4U; i++) + { + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + amont_sqr(n, mu, resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + 
uint32_t i1 = (bk - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = b[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_l = ite & mask_l; + uint64_t a_bits_l[4U] = { 0U }; + uint32_t bits_l32 = (uint32_t)bits_l; + uint64_t *a_bits_l1 = table + bits_l32 * (uint32_t)4U; + memcpy(a_bits_l, a_bits_l1, (uint32_t)4U * sizeof (uint64_t)); + amont_mul(n, mu, resM, a_bits_l, resM); + } + uint64_t tmp0[8U] = { 0U }; + memcpy(tmp0, resM, (uint32_t)4U * sizeof (uint64_t)); + reduction(n, mu, tmp0, res); +} + +static inline void +exp_consttime_precomp( + uint64_t *n, + uint64_t mu, + uint64_t *r2, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + if (bBits < (uint32_t)200U) + { + uint64_t aM[4U] = { 0U }; + uint64_t c[8U] = { 0U }; + Hacl_Bignum256_mul(a, r2, c); + reduction(n, mu, c, aM); + uint64_t resM[4U] = { 0U }; + uint64_t tmp0[8U] = { 0U }; + memcpy(tmp0, r2, (uint32_t)4U * sizeof (uint64_t)); + reduction(n, mu, tmp0, resM); + uint64_t sw = (uint64_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < bBits; i0++) + { + uint32_t i1 = (bBits - i0 - (uint32_t)1U) / (uint32_t)64U; + uint32_t j = (bBits - i0 - (uint32_t)1U) % (uint32_t)64U; + uint64_t tmp = b[i1]; + uint64_t bit = tmp >> j & (uint64_t)1U; + uint64_t sw1 = bit ^ sw; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t dummy = ((uint64_t)0U - sw1) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + amont_mul(n, mu, aM, resM, aM); + amont_sqr(n, mu, resM, resM); + sw = bit; + } + uint64_t sw0 = sw; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t dummy = ((uint64_t)0U - sw0) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + uint64_t tmp[8U] = { 0U }; + memcpy(tmp, resM, 
(uint32_t)4U * sizeof (uint64_t)); + reduction(n, mu, tmp, res); + return; + } + uint64_t aM[4U] = { 0U }; + uint64_t c0[8U] = { 0U }; + Hacl_Bignum256_mul(a, r2, c0); + reduction(n, mu, c0, aM); + uint64_t resM[4U] = { 0U }; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + uint64_t tmp[8U] = { 0U }; + memcpy(tmp, r2, (uint32_t)4U * sizeof (uint64_t)); + reduction(n, mu, tmp, resM); + uint64_t table[64U] = { 0U }; + memcpy(table, resM, (uint32_t)4U * sizeof (uint64_t)); + uint64_t *t1 = table + (uint32_t)4U; + memcpy(t1, aM, (uint32_t)4U * sizeof (uint64_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)4U; + uint64_t *t2 = table + (i + (uint32_t)2U) * (uint32_t)4U; + amont_mul(n, mu, t11, aM, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i0 = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)64U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)64U; + uint64_t p1 = b[i0] >> j; + uint64_t ite; + if (i0 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i0 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_c = ite & mask_l; + memcpy(resM, table, (uint32_t)4U * sizeof (uint64_t)); + for (uint32_t i1 = (uint32_t)0U; i1 < (uint32_t)15U; i1++) + { + uint64_t c = FStar_UInt64_eq_mask(bits_c, (uint64_t)(i1 + (uint32_t)1U)); + uint64_t *res_j = table + (i1 + (uint32_t)1U) * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = resM; + uint64_t x = (c & res_j[i]) | (~c & resM[i]); + os[i] = x; + } + } + } + for (uint32_t i0 = (uint32_t)0U; i0 < bBits / (uint32_t)4U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + amont_sqr(n, mu, resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint64_t 
mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i0 - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk - (uint32_t)4U * i0 - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = b[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_l = ite & mask_l; + uint64_t a_bits_l[4U] = { 0U }; + memcpy(a_bits_l, table, (uint32_t)4U * sizeof (uint64_t)); + for (uint32_t i2 = (uint32_t)0U; i2 < (uint32_t)15U; i2++) + { + uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i2 + (uint32_t)1U)); + uint64_t *res_j = table + (i2 + (uint32_t)1U) * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = a_bits_l; + uint64_t x = (c & res_j[i]) | (~c & a_bits_l[i]); + os[i] = x; + } + } + amont_mul(n, mu, resM, a_bits_l, resM); + } + uint64_t tmp0[8U] = { 0U }; + memcpy(tmp0, resM, (uint32_t)4U * sizeof (uint64_t)); + reduction(n, mu, tmp0, res); +} + +static inline void +exp_vartime( + uint32_t nBits, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t r2[4U] = { 0U }; + precompr2(nBits, n, r2); + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + exp_vartime_precomp(n, mu, r2, a, bBits, b, res); +} + +static inline void +exp_consttime( + uint32_t nBits, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t r2[4U] = { 0U }; + precompr2(nBits, n, r2); + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + exp_consttime_precomp(n, mu, r2, a, bBits, b, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. 
When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum256_mod_exp_vartime( + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t is_valid_m = exp_check(n, a, bBits, b); + uint32_t + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)4U, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + exp_vartime(nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, (uint32_t)4U * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. + + The function returns false if any of the following preconditions are violated, + true otherwise. 
+ • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum256_mod_exp_consttime( + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t is_valid_m = exp_check(n, a, bBits, b); + uint32_t + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)4U, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + exp_consttime(nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, (uint32_t)4U * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum256_mod_inv_prime_vartime(uint64_t *n, uint64_t *a, uint64_t *res) +{ + uint64_t one[4U] = { 0U }; + memset(one, 0U, (uint32_t)4U * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + uint64_t bit0 = n[0U] & (uint64_t)1U; + uint64_t m0 = (uint64_t)0U - bit0; + uint64_t acc0 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m1 = acc0; + uint64_t m00 = m0 & m1; + uint64_t bn_zero[4U] = { 0U }; + uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t uu____0 = FStar_UInt64_eq_mask(a[i], bn_zero[i]); + mask = uu____0 & mask; + } + uint64_t mask1 = mask; + uint64_t res10 = mask1; + uint64_t m10 = res10; + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + 
{ + uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m2 = acc; + uint64_t is_valid_m = (m00 & ~m10) & m2; + uint32_t + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)4U, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + uint64_t n2[4U] = { 0U }; + uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, n[0U], (uint64_t)2U, n2); + uint64_t c1; + if ((uint32_t)1U < (uint32_t)4U) + { + uint32_t rLen = (uint32_t)3U; + uint64_t *a1 = n + (uint32_t)1U; + uint64_t *res1 = n2 + (uint32_t)1U; + uint64_t c = c0; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint64_t t1 = a1[(uint32_t)4U * i]; + uint64_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i0); + uint64_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, (uint64_t)0U, res_i1); + uint64_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, (uint64_t)0U, res_i2); + uint64_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, (uint64_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint64_t t1 = a1[i]; + uint64_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i); + } + uint64_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + exp_vartime(nBits, n, a, (uint32_t)256U, n2, res); + } + else + { + memset(res, 0U, (uint32_t)4U * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + + 
+/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be a 256-bit bignum, i.e. uint64_t[4]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum256_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_Bignum256_mont_ctx_init(uint64_t *n) +{ + uint64_t *r2 = KRML_HOST_CALLOC((uint32_t)4U, sizeof (uint64_t)); + uint64_t *n1 = KRML_HOST_CALLOC((uint32_t)4U, sizeof (uint64_t)); + uint64_t *r21 = r2; + uint64_t *n11 = n1; + memcpy(n11, n, (uint32_t)4U * sizeof (uint64_t)); + uint32_t + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)4U, n); + precompr2(nBits, n, r21); + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 + res = { .len = (uint32_t)4U, .n = n11, .mu = mu, .r2 = r21 }; + KRML_CHECK_SIZE(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64), (uint32_t)1U); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 + *buf = KRML_HOST_MALLOC(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64)); + buf[0U] = res; + return buf; +} + +/* +Deallocate the memory previously allocated by Hacl_Bignum256_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. +*/ +void Hacl_Bignum256_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + uint64_t *n = k1.n; + uint64_t *r2 = k1.r2; + KRML_HOST_FREE(n); + KRML_HOST_FREE(r2); + KRML_HOST_FREE(k); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 512-bit bignum, i.e. uint64_t[8]. + The outparam res is meant to be a 256-bit bignum, i.e. uint64_t[4]. 
+ The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. +*/ +void +Hacl_Bignum256_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + bn_slow_precomp(k1.n, k1.mu, k1.r2, a, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum256_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. 
+ + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum256_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + exp_consttime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum256_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + uint64_t n2[4U] = { 0U }; + uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, k1.n[0U], (uint64_t)2U, n2); + uint64_t c1; + if ((uint32_t)1U < (uint32_t)4U) + { + uint32_t rLen = (uint32_t)3U; + uint64_t *a1 = k1.n + (uint32_t)1U; + uint64_t *res1 = n2 + (uint32_t)1U; + uint64_t c = c0; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint64_t t1 = a1[(uint32_t)4U * i]; + uint64_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i0); + uint64_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, (uint64_t)0U, res_i1); + uint64_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = 
Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, (uint64_t)0U, res_i2); + uint64_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, (uint64_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint64_t t1 = a1[i]; + uint64_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i); + } + uint64_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, (uint32_t)256U, n2, res); +} + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. 
+*/ +uint64_t *Hacl_Bignum256_new_bn_from_bytes_be(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U <= (uint32_t)536870911U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint64_t), (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U); + uint64_t + *res = KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U, sizeof (uint64_t)); + if (res == NULL) + { + return res; + } + uint64_t *res1 = res; + uint64_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + uint64_t *os = res2; + uint64_t u = load64_be(tmp + (bnLen - i - (uint32_t)1U) * (uint32_t)8U); + uint64_t x = u; + os[i] = x; + } + return res2; +} + +/* +Load a little-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. 
+*/ +uint64_t *Hacl_Bignum256_new_bn_from_bytes_le(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U <= (uint32_t)536870911U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint64_t), (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U); + uint64_t + *res = KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U, sizeof (uint64_t)); + if (res == NULL) + { + return res; + } + uint64_t *res1 = res; + uint64_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp, b, len * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; i++) + { + uint64_t *os = res2; + uint8_t *bj = tmp + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r1 = u; + uint64_t x = r1; + os[i] = x; + } + return res2; +} + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a 256-bit bignum. + The outparam res points to 32 bytes of valid memory. +*/ +void Hacl_Bignum256_bn_to_bytes_be(uint64_t *b, uint8_t *res) +{ + uint32_t bnLen = ((uint32_t)32U - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + uint32_t numb = (uint32_t)8U; + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + store64_be(tmp + i * numb, b[bnLen - i - (uint32_t)1U]); + } + memcpy(res, tmp + tmpLen - (uint32_t)32U, (uint32_t)32U * sizeof (uint8_t)); +} + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a 256-bit bignum. + The outparam res points to 32 bytes of valid memory. 
+*/ +void Hacl_Bignum256_bn_to_bytes_le(uint64_t *b, uint8_t *res) +{ + uint32_t bnLen = ((uint32_t)32U - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + store64_le(tmp + i * (uint32_t)8U, b[i]); + } + memcpy(res, tmp, (uint32_t)32U * sizeof (uint8_t)); +} + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^64 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint64_t[4]. +*/ +uint64_t Hacl_Bignum256_lt_mask(uint64_t *a, uint64_t *b) +{ + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(a[i], b[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(a[i], b[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + return acc; +} + +/* +Returns 2^64 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint64_t[4]. +*/ +uint64_t Hacl_Bignum256_eq_mask(uint64_t *a, uint64_t *b) +{ + uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t uu____0 = FStar_UInt64_eq_mask(a[i], b[i]); + mask = uu____0 & mask; + } + uint64_t mask1 = mask; + return mask1; +} + diff --git a/src/Hacl_Bignum256_32.c b/src/Hacl_Bignum256_32.c new file mode 100644 index 00000000..f96f0357 --- /dev/null +++ b/src/Hacl_Bignum256_32.c 
@@ -0,0 +1,1612 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Bignum256_32.h" + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Bignum.h" + +/******************************************************************************* + +A verified 256-bit bignum library. + +This is a 32-bit optimized version, where bignums are represented as an array +of eight unsigned 32-bit integers, i.e. uint32_t[8]. Furthermore, the +limbs are stored in little-endian format, i.e. the least significant limb is at +index 0. Each limb is stored in native format in memory. Example: + + uint32_t sixteen[8] = { 0x10; 0x00; 0x00; 0x00; 0x00; 0x00; 0x00; 0x00 } + +We strongly encourage users to go through the conversion functions, e.g. 
+bn_from_bytes_be, to i) not depend on internal representation choices and ii) +have the ability to switch easily to a 64-bit optimized version in the future. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2^256` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 256-bit bignums, i.e. uint32_t[8] +*/ +uint32_t Hacl_Bignum256_32_add(uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t20, res_i0); + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t10, t21, res_i1); + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t11, t22, res_i2); + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t2, res_i); + } + return c; +} + +/* +Write `a - b mod 2^256` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 256-bit bignums, i.e. 
uint32_t[8] +*/ +uint32_t Hacl_Bignum256_32_sub(uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t20, res_i0); + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, t21, res_i1); + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, t22, res_i2); + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t2, res_i); + } + return c; +} + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • a < n + • b < n +*/ +void Hacl_Bignum256_32_add_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c0 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t1, t20, res_i0); + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t10, t21, res_i1); + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t11, t22, res_i2); + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t1, t2, res_i); + } + uint32_t c00 = c0; + uint32_t tmp[8U] = { 0U }; + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t t1 = res[(uint32_t)4U * i]; + uint32_t t20 = n[(uint32_t)4U * i]; + uint32_t *res_i0 = tmp + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t20, res_i0); + uint32_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, t21, res_i1); + uint32_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = tmp + 
(uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, t22, res_i2); + uint32_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t t1 = res[i]; + uint32_t t2 = n[i]; + uint32_t *res_i = tmp + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t2, res_i); + } + uint32_t c1 = c; + uint32_t c2 = c00 - c1; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = res; + uint32_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } +} + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum256_32_sub_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c0 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t1, t20, res_i0); + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t10, t21, res_i1); + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t11, t22, res_i2); + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + 
(uint32_t)3U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t1, t2, res_i); + } + uint32_t c00 = c0; + uint32_t tmp[8U] = { 0U }; + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t t1 = res[(uint32_t)4U * i]; + uint32_t t20 = n[(uint32_t)4U * i]; + uint32_t *res_i0 = tmp + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t20, res_i0); + uint32_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t10, t21, res_i1); + uint32_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t11, t22, res_i2); + uint32_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t t1 = res[i]; + uint32_t t2 = n[i]; + uint32_t *res_i = tmp + i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t2, res_i); + } + uint32_t c1 = c; + uint32_t c2 = (uint32_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = res; + uint32_t x = (c2 & tmp[i]) | (~c2 & res[i]); + os[i] = x; + } +} + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint32_t[8]. + The outparam res is meant to be a 512-bit bignum, i.e. uint32_t[16]. 
+*/ +void Hacl_Bignum256_32_mul(uint32_t *a, uint32_t *b, uint32_t *res) +{ + memset(res, 0U, (uint32_t)16U * sizeof (uint32_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)8U; i0++) + { + uint32_t bj = b[i0]; + uint32_t *res_j = res + i0; + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t a_i = a[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, bj, c, res_i0); + uint32_t a_i0 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, bj, c, res_i1); + uint32_t a_i1 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, bj, c, res_i2); + uint32_t a_i2 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, bj, c, res_i); + } + for (uint32_t i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t a_i = a[i]; + uint32_t *res_i = res_j + i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, bj, c, res_i); + } + uint32_t r = c; + res[(uint32_t)8U + i0] = r; + } +} + +/* +Write `a * a` in `res`. + + The argument a is meant to be a 256-bit bignum, i.e. uint32_t[8]. + The outparam res is meant to be a 512-bit bignum, i.e. uint32_t[16]. 
+*/ +void Hacl_Bignum256_32_sqr(uint32_t *a, uint32_t *res) +{ + memset(res, 0U, (uint32_t)16U * sizeof (uint32_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)8U; i0++) + { + uint32_t *ab = a; + uint32_t a_j = a[i0]; + uint32_t *res_j = res + i0; + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < i0 / (uint32_t)4U; i++) + { + uint32_t a_i = ab[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, a_j, c, res_i0); + uint32_t a_i0 = ab[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, a_j, c, res_i1); + uint32_t a_i1 = ab[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, a_j, c, res_i2); + uint32_t a_i2 = ab[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, a_j, c, res_i); + } + for (uint32_t i = i0 / (uint32_t)4U * (uint32_t)4U; i < i0; i++) + { + uint32_t a_i = ab[i]; + uint32_t *res_i = res_j + i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, a_j, c, res_i); + } + uint32_t r = c; + res[i0 + i0] = r; + } + uint32_t c0 = Hacl_Bignum_Addition_bn_add_eq_len_u32((uint32_t)16U, res, res, res); + uint32_t tmp[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint64_t res1 = (uint64_t)a[i] * (uint64_t)a[i]; + uint32_t hi = (uint32_t)(res1 >> (uint32_t)32U); + uint32_t lo = (uint32_t)res1; + tmp[(uint32_t)2U * i] = lo; + tmp[(uint32_t)2U * i + (uint32_t)1U] = hi; + } + uint32_t c1 = Hacl_Bignum_Addition_bn_add_eq_len_u32((uint32_t)16U, res, tmp, res); +} + +static inline void precompr2(uint32_t nBits, uint32_t *n, uint32_t *res) +{ + memset(res, 0U, (uint32_t)8U * sizeof (uint32_t)); + uint32_t i = nBits / (uint32_t)32U; + uint32_t j = nBits % (uint32_t)32U; + res[i] = res[i] | (uint32_t)1U 
<< j; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)512U - nBits; i0++) + { + Hacl_Bignum256_32_add_mod(n, res, res, res); + } +} + +static inline void reduction(uint32_t *n, uint32_t nInv, uint32_t *c, uint32_t *res) +{ + uint32_t c0 = (uint32_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)8U; i0++) + { + uint32_t qj = nInv * c[i0]; + uint32_t *res_j0 = c + i0; + uint32_t c1 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t a_i = n[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i0); + uint32_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, qj, c1, res_i1); + uint32_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, qj, c1, res_i2); + uint32_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c1, res_i); + } + for (uint32_t i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t a_i = n[i]; + uint32_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i); + } + uint32_t r = c1; + uint32_t c10 = r; + uint32_t *resb = c + (uint32_t)8U + i0; + uint32_t res_j = c[(uint32_t)8U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, c10, res_j, resb); + } + memcpy(res, c + (uint32_t)8U, (uint32_t)8U * sizeof (uint32_t)); + uint32_t c00 = c0; + uint32_t tmp[8U] = { 0U }; + uint32_t c1 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t t1 = res[(uint32_t)4U * i]; + uint32_t t20 = n[(uint32_t)4U * i]; + uint32_t *res_i0 = tmp + (uint32_t)4U * i; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t1, t20, res_i0); + uint32_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + 
uint32_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t10, t21, res_i1); + uint32_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t11, t22, res_i2); + uint32_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t t1 = res[i]; + uint32_t t2 = n[i]; + uint32_t *res_i = tmp + i; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t1, t2, res_i); + } + uint32_t c10 = c1; + uint32_t c2 = c00 - c10; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = res; + uint32_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } +} + +static inline void areduction(uint32_t *n, uint32_t nInv, uint32_t *c, uint32_t *res) +{ + uint32_t c0 = (uint32_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)8U; i0++) + { + uint32_t qj = nInv * c[i0]; + uint32_t *res_j0 = c + i0; + uint32_t c1 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t a_i = n[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i0); + uint32_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, qj, c1, res_i1); + uint32_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, qj, c1, res_i2); + uint32_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j0 + 
(uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c1, res_i); + } + for (uint32_t i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t a_i = n[i]; + uint32_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i); + } + uint32_t r = c1; + uint32_t c10 = r; + uint32_t *resb = c + (uint32_t)8U + i0; + uint32_t res_j = c[(uint32_t)8U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, c10, res_j, resb); + } + memcpy(res, c + (uint32_t)8U, (uint32_t)8U * sizeof (uint32_t)); + uint32_t c00 = c0; + uint32_t tmp[8U] = { 0U }; + uint32_t c1 = Hacl_Bignum256_32_sub(res, n, tmp); + uint32_t m = (uint32_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = res; + uint32_t x = (m & tmp[i]) | (~m & res[i]); + os[i] = x; + } +} + +static inline void +amont_mul(uint32_t *n, uint32_t nInv_u64, uint32_t *aM, uint32_t *bM, uint32_t *resM) +{ + uint32_t c[16U] = { 0U }; + memset(c, 0U, (uint32_t)16U * sizeof (uint32_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)8U; i0++) + { + uint32_t bj = bM[i0]; + uint32_t *res_j = c + i0; + uint32_t c1 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t a_i = aM[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, bj, c1, res_i0); + uint32_t a_i0 = aM[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, bj, c1, res_i1); + uint32_t a_i1 = aM[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, bj, c1, res_i2); + uint32_t a_i2 = aM[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, bj, c1, res_i); + } + for (uint32_t i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t 
a_i = aM[i]; + uint32_t *res_i = res_j + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, bj, c1, res_i); + } + uint32_t r = c1; + c[(uint32_t)8U + i0] = r; + } + areduction(n, nInv_u64, c, resM); +} + +static inline void amont_sqr(uint32_t *n, uint32_t nInv_u64, uint32_t *aM, uint32_t *resM) +{ + uint32_t c[16U] = { 0U }; + memset(c, 0U, (uint32_t)16U * sizeof (uint32_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)8U; i0++) + { + uint32_t *ab = aM; + uint32_t a_j = aM[i0]; + uint32_t *res_j = c + i0; + uint32_t c1 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < i0 / (uint32_t)4U; i++) + { + uint32_t a_i = ab[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, a_j, c1, res_i0); + uint32_t a_i0 = ab[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, a_j, c1, res_i1); + uint32_t a_i1 = ab[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, a_j, c1, res_i2); + uint32_t a_i2 = ab[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, a_j, c1, res_i); + } + for (uint32_t i = i0 / (uint32_t)4U * (uint32_t)4U; i < i0; i++) + { + uint32_t a_i = ab[i]; + uint32_t *res_i = res_j + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, a_j, c1, res_i); + } + uint32_t r = c1; + c[i0 + i0] = r; + } + uint32_t c0 = Hacl_Bignum_Addition_bn_add_eq_len_u32((uint32_t)16U, c, c, c); + uint32_t tmp[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint64_t res = (uint64_t)aM[i] * (uint64_t)aM[i]; + uint32_t hi = (uint32_t)(res >> (uint32_t)32U); + uint32_t lo = (uint32_t)res; + tmp[(uint32_t)2U * i] = lo; + tmp[(uint32_t)2U * i + (uint32_t)1U] = hi; + } + uint32_t c1 = 
Hacl_Bignum_Addition_bn_add_eq_len_u32((uint32_t)16U, c, tmp, c); + areduction(n, nInv_u64, c, resM); +} + +static inline void +bn_slow_precomp(uint32_t *n, uint32_t mu, uint32_t *r2, uint32_t *a, uint32_t *res) +{ + uint32_t a_mod[8U] = { 0U }; + uint32_t a1[16U] = { 0U }; + memcpy(a1, a, (uint32_t)16U * sizeof (uint32_t)); + uint32_t c0 = (uint32_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)8U; i0++) + { + uint32_t qj = mu * a1[i0]; + uint32_t *res_j0 = a1 + i0; + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t a_i = n[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j0 + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c, res_i0); + uint32_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, qj, c, res_i1); + uint32_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, qj, c, res_i2); + uint32_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c, res_i); + } + for (uint32_t i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t a_i = n[i]; + uint32_t *res_i = res_j0 + i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c, res_i); + } + uint32_t r = c; + uint32_t c1 = r; + uint32_t *resb = a1 + (uint32_t)8U + i0; + uint32_t res_j = a1[(uint32_t)8U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, c1, res_j, resb); + } + memcpy(a_mod, a1 + (uint32_t)8U, (uint32_t)8U * sizeof (uint32_t)); + uint32_t c00 = c0; + uint32_t tmp[8U] = { 0U }; + uint32_t c1 = Hacl_Bignum256_32_sub(a_mod, n, tmp); + uint32_t m = (uint32_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = a_mod; + uint32_t x = (m & tmp[i]) | (~m & a_mod[i]); + os[i] = x; + } + 
uint32_t c[16U] = { 0U }; + Hacl_Bignum256_32_mul(a_mod, r2, c); + reduction(n, mu, c, res); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 512-bit bignum, i.e. uint32_t[16]. + The argument n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum256_32_mod(uint32_t *n, uint32_t *a, uint32_t *res) +{ + uint32_t one[8U] = { 0U }; + memset(one, 0U, (uint32_t)8U * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + uint32_t bit0 = n[0U] & (uint32_t)1U; + uint32_t m0 = (uint32_t)0U - bit0; + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m1 = acc; + uint32_t is_valid_m = m0 & m1; + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)8U, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + uint32_t r2[8U] = { 0U }; + precompr2(nBits, n, r2); + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + bn_slow_precomp(n, mu, r2, a, res); + } + else + { + memset(res, 0U, (uint32_t)8U * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + +static uint32_t exp_check(uint32_t *n, uint32_t *a, uint32_t bBits, uint32_t *b) +{ + uint32_t one[8U] = { 0U }; + memset(one, 0U, (uint32_t)8U * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + uint32_t bit0 = n[0U] & (uint32_t)1U; + uint32_t m0 = (uint32_t)0U - bit0; + uint32_t acc0 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + 
} + uint32_t m10 = acc0; + uint32_t m00 = m0 & m10; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + uint32_t m1; + if (bBits < (uint32_t)32U * bLen) + { + KRML_CHECK_SIZE(sizeof (uint32_t), bLen); + uint32_t b2[bLen]; + memset(b2, 0U, bLen * sizeof (uint32_t)); + uint32_t i0 = bBits / (uint32_t)32U; + uint32_t j = bBits % (uint32_t)32U; + b2[i0] = b2[i0] | (uint32_t)1U << j; + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < bLen; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(b[i], b2[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(b[i], b2[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t res = acc; + m1 = res; + } + else + { + m1 = (uint32_t)0xFFFFFFFFU; + } + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m2 = acc; + uint32_t m = m1 & m2; + return m00 & m; +} + +static inline void +exp_vartime_precomp( + uint32_t *n, + uint32_t mu, + uint32_t *r2, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + if (bBits < (uint32_t)200U) + { + uint32_t aM[8U] = { 0U }; + uint32_t c[16U] = { 0U }; + Hacl_Bignum256_32_mul(a, r2, c); + reduction(n, mu, c, aM); + uint32_t resM[8U] = { 0U }; + uint32_t tmp0[16U] = { 0U }; + memcpy(tmp0, r2, (uint32_t)8U * sizeof (uint32_t)); + reduction(n, mu, tmp0, resM); + for (uint32_t i = (uint32_t)0U; i < bBits; i++) + { + uint32_t i1 = i / (uint32_t)32U; + uint32_t j = i % (uint32_t)32U; + uint32_t tmp = b[i1]; + uint32_t bit = tmp >> j & (uint32_t)1U; + if (!(bit == (uint32_t)0U)) + { + amont_mul(n, mu, resM, aM, resM); + } + amont_sqr(n, mu, aM, aM); + } + uint32_t tmp[16U] = { 0U }; + 
memcpy(tmp, resM, (uint32_t)8U * sizeof (uint32_t)); + reduction(n, mu, tmp, res); + return; + } + uint32_t aM[8U] = { 0U }; + uint32_t c[16U] = { 0U }; + Hacl_Bignum256_32_mul(a, r2, c); + reduction(n, mu, c, aM); + uint32_t resM[8U] = { 0U }; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + uint32_t tmp[16U] = { 0U }; + memcpy(tmp, r2, (uint32_t)8U * sizeof (uint32_t)); + reduction(n, mu, tmp, resM); + uint32_t table[128U] = { 0U }; + memcpy(table, resM, (uint32_t)8U * sizeof (uint32_t)); + uint32_t *t1 = table + (uint32_t)8U; + memcpy(t1, aM, (uint32_t)8U * sizeof (uint32_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint32_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)8U; + uint32_t *t2 = table + (i + (uint32_t)2U) * (uint32_t)8U; + amont_mul(n, mu, t11, aM, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)32U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)32U; + uint32_t p1 = b[i] >> j; + uint32_t ite; + if (i + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_c = ite & mask_l; + uint32_t bits_l32 = bits_c; + uint32_t *a_bits_l = table + bits_l32 * (uint32_t)8U; + memcpy(resM, a_bits_l, (uint32_t)8U * sizeof (uint32_t)); + } + for (uint32_t i = (uint32_t)0U; i < bBits / (uint32_t)4U; i++) + { + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + amont_sqr(n, mu, resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)32U; + uint32_t j = (bk - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)32U; + uint32_t p1 = b[i1] >> j; + uint32_t ite; + if (i1 + (uint32_t)1U < 
bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_l = ite & mask_l; + uint32_t a_bits_l[8U] = { 0U }; + uint32_t bits_l32 = bits_l; + uint32_t *a_bits_l1 = table + bits_l32 * (uint32_t)8U; + memcpy(a_bits_l, a_bits_l1, (uint32_t)8U * sizeof (uint32_t)); + amont_mul(n, mu, resM, a_bits_l, resM); + } + uint32_t tmp0[16U] = { 0U }; + memcpy(tmp0, resM, (uint32_t)8U * sizeof (uint32_t)); + reduction(n, mu, tmp0, res); +} + +static inline void +exp_consttime_precomp( + uint32_t *n, + uint32_t mu, + uint32_t *r2, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + if (bBits < (uint32_t)200U) + { + uint32_t aM[8U] = { 0U }; + uint32_t c[16U] = { 0U }; + Hacl_Bignum256_32_mul(a, r2, c); + reduction(n, mu, c, aM); + uint32_t resM[8U] = { 0U }; + uint32_t tmp0[16U] = { 0U }; + memcpy(tmp0, r2, (uint32_t)8U * sizeof (uint32_t)); + reduction(n, mu, tmp0, resM); + uint32_t sw = (uint32_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < bBits; i0++) + { + uint32_t i1 = (bBits - i0 - (uint32_t)1U) / (uint32_t)32U; + uint32_t j = (bBits - i0 - (uint32_t)1U) % (uint32_t)32U; + uint32_t tmp = b[i1]; + uint32_t bit = tmp >> j & (uint32_t)1U; + uint32_t sw1 = bit ^ sw; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t dummy = ((uint32_t)0U - sw1) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + amont_mul(n, mu, aM, resM, aM); + amont_sqr(n, mu, resM, resM); + sw = bit; + } + uint32_t sw0 = sw; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t dummy = ((uint32_t)0U - sw0) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + uint32_t tmp[16U] = { 0U }; + memcpy(tmp, resM, (uint32_t)8U * sizeof (uint32_t)); + reduction(n, mu, tmp, res); + return; + } + uint32_t aM[8U] = { 0U }; + uint32_t c0[16U] = { 0U }; + Hacl_Bignum256_32_mul(a, r2, c0); + reduction(n, mu, c0, aM); + uint32_t 
resM[8U] = { 0U }; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + uint32_t tmp[16U] = { 0U }; + memcpy(tmp, r2, (uint32_t)8U * sizeof (uint32_t)); + reduction(n, mu, tmp, resM); + uint32_t table[128U] = { 0U }; + memcpy(table, resM, (uint32_t)8U * sizeof (uint32_t)); + uint32_t *t1 = table + (uint32_t)8U; + memcpy(t1, aM, (uint32_t)8U * sizeof (uint32_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint32_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)8U; + uint32_t *t2 = table + (i + (uint32_t)2U) * (uint32_t)8U; + amont_mul(n, mu, t11, aM, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i0 = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)32U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)32U; + uint32_t p1 = b[i0] >> j; + uint32_t ite; + if (i0 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i0 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_c = ite & mask_l; + memcpy(resM, table, (uint32_t)8U * sizeof (uint32_t)); + for (uint32_t i1 = (uint32_t)0U; i1 < (uint32_t)15U; i1++) + { + uint32_t c = FStar_UInt32_eq_mask(bits_c, i1 + (uint32_t)1U); + uint32_t *res_j = table + (i1 + (uint32_t)1U) * (uint32_t)8U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = resM; + uint32_t x = (c & res_j[i]) | (~c & resM[i]); + os[i] = x; + } + } + } + for (uint32_t i0 = (uint32_t)0U; i0 < bBits / (uint32_t)4U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + amont_sqr(n, mu, resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i0 - (uint32_t)4U) / (uint32_t)32U; + uint32_t j = (bk - (uint32_t)4U * i0 - (uint32_t)4U) % (uint32_t)32U; + uint32_t p1 = b[i1] >> j; + 
uint32_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_l = ite & mask_l; + uint32_t a_bits_l[8U] = { 0U }; + memcpy(a_bits_l, table, (uint32_t)8U * sizeof (uint32_t)); + for (uint32_t i2 = (uint32_t)0U; i2 < (uint32_t)15U; i2++) + { + uint32_t c = FStar_UInt32_eq_mask(bits_l, i2 + (uint32_t)1U); + uint32_t *res_j = table + (i2 + (uint32_t)1U) * (uint32_t)8U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = a_bits_l; + uint32_t x = (c & res_j[i]) | (~c & a_bits_l[i]); + os[i] = x; + } + } + amont_mul(n, mu, resM, a_bits_l, resM); + } + uint32_t tmp0[16U] = { 0U }; + memcpy(tmp0, resM, (uint32_t)8U * sizeof (uint32_t)); + reduction(n, mu, tmp0, res); +} + +static inline void +exp_vartime( + uint32_t nBits, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t r2[8U] = { 0U }; + precompr2(nBits, n, r2); + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + exp_vartime_precomp(n, mu, r2, a, bBits, b, res); +} + +static inline void +exp_consttime( + uint32_t nBits, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t r2[8U] = { 0U }; + precompr2(nBits, n, r2); + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + exp_consttime_precomp(n, mu, r2, a, bBits, b, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. 
+ + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum256_32_mod_exp_vartime( + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t is_valid_m = exp_check(n, a, bBits, b); + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)8U, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + exp_vartime(nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, (uint32_t)8U * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum256_32_mod_exp_consttime( + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t is_valid_m = exp_check(n, a, bBits, b); + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)8U, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + exp_consttime(nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, (uint32_t)8U * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. 
+ + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum256_32_mod_inv_prime_vartime(uint32_t *n, uint32_t *a, uint32_t *res) +{ + uint32_t one[8U] = { 0U }; + memset(one, 0U, (uint32_t)8U * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + uint32_t bit0 = n[0U] & (uint32_t)1U; + uint32_t m0 = (uint32_t)0U - bit0; + uint32_t acc0 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m1 = acc0; + uint32_t m00 = m0 & m1; + uint32_t bn_zero[8U] = { 0U }; + uint32_t mask = (uint32_t)0xFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t uu____0 = FStar_UInt32_eq_mask(a[i], bn_zero[i]); + mask = uu____0 & mask; + } + uint32_t mask1 = mask; + uint32_t res10 = mask1; + uint32_t m10 = res10; + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m2 = acc; + uint32_t is_valid_m = (m00 & ~m10) & m2; + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)8U, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + uint32_t n2[8U] = { 0U }; + uint32_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32((uint32_t)0U, n[0U], (uint32_t)2U, n2); + uint32_t c1; + if ((uint32_t)1U < (uint32_t)8U) + { + uint32_t rLen = (uint32_t)7U; + uint32_t *a1 = n + (uint32_t)1U; + uint32_t *res1 = n2 + (uint32_t)1U; + uint32_t c = c0; + for 
(uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint32_t t1 = a1[(uint32_t)4U * i]; + uint32_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i0); + uint32_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, (uint32_t)0U, res_i1); + uint32_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, (uint32_t)0U, res_i2); + uint32_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, (uint32_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint32_t t1 = a1[i]; + uint32_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i); + } + uint32_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + exp_vartime(nBits, n, a, (uint32_t)256U, n2, res); + } + else + { + memset(res, 0U, (uint32_t)8U * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be a 256-bit bignum, i.e. uint32_t[8]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum256_mont_ctx_free on the return value + to avoid memory leaks. 
+*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_Bignum256_32_mont_ctx_init(uint32_t *n) +{ + uint32_t *r2 = KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); + uint32_t *n1 = KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); + uint32_t *r21 = r2; + uint32_t *n11 = n1; + memcpy(n11, n, (uint32_t)8U * sizeof (uint32_t)); + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)8U, n); + precompr2(nBits, n, r21); + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 + res = { .len = (uint32_t)8U, .n = n11, .mu = mu, .r2 = r21 }; + KRML_CHECK_SIZE(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32), (uint32_t)1U); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 + *buf = KRML_HOST_MALLOC(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32)); + buf[0U] = res; + return buf; +} + +/* +Deallocate the memory previously allocated by Hacl_Bignum256_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. +*/ +void Hacl_Bignum256_32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + uint32_t *n = k1.n; + uint32_t *r2 = k1.r2; + KRML_HOST_FREE(n); + KRML_HOST_FREE(r2); + KRML_HOST_FREE(k); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 512-bit bignum, i.e. uint32_t[16]. + The outparam res is meant to be a 256-bit bignum, i.e. uint32_t[8]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. +*/ +void +Hacl_Bignum256_32_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + bn_slow_precomp(k1.n, k1.mu, k1.r2, a, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. 
+ The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum256_32_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum256_32_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + exp_consttime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum256_32_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + uint32_t n2[8U] = { 0U }; + uint32_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32((uint32_t)0U, k1.n[0U], (uint32_t)2U, n2); + uint32_t c1; + if ((uint32_t)1U < (uint32_t)8U) + { + uint32_t rLen = (uint32_t)7U; + uint32_t *a1 = k1.n + (uint32_t)1U; + uint32_t *res1 = n2 + (uint32_t)1U; + uint32_t c = c0; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint32_t t1 = a1[(uint32_t)4U * i]; + uint32_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i0); + uint32_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, (uint32_t)0U, res_i1); + uint32_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, (uint32_t)0U, res_i2); + uint32_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, (uint32_t)0U, res_i); 
+ } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint32_t t1 = a1[i]; + uint32_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i); + } + uint32_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, (uint32_t)256U, n2, res); +} + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum256_32_new_bn_from_bytes_be(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U <= (uint32_t)1073741823U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint32_t), (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U); + uint32_t + *res = KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U, sizeof (uint32_t)); + if (res == NULL) + { + return res; + } + uint32_t *res1 = res; + uint32_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + uint32_t *os = res2; + uint32_t u = load32_be(tmp + (bnLen - i - (uint32_t)1U) * (uint32_t)4U); + uint32_t x = u; + os[i] = x; + } + return res2; +} + +/* +Load a little-endian bignum from memory. + + The argument b points to len bytes of valid memory. 
+ The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum256_32_new_bn_from_bytes_le(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U <= (uint32_t)1073741823U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint32_t), (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U); + uint32_t + *res = KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U, sizeof (uint32_t)); + if (res == NULL) + { + return res; + } + uint32_t *res1 = res; + uint32_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp, b, len * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; i++) + { + uint32_t *os = res2; + uint8_t *bj = tmp + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r1 = u; + uint32_t x = r1; + os[i] = x; + } + return res2; +} + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a 256-bit bignum. + The outparam res points to 32 bytes of valid memory. 
+*/ +void Hacl_Bignum256_32_bn_to_bytes_be(uint32_t *b, uint8_t *res) +{ + uint32_t bnLen = ((uint32_t)32U - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + uint32_t numb = (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + store32_be(tmp + i * numb, b[bnLen - i - (uint32_t)1U]); + } + memcpy(res, tmp + tmpLen - (uint32_t)32U, (uint32_t)32U * sizeof (uint8_t)); +} + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a 256-bit bignum. + The outparam res points to 32 bytes of valid memory. +*/ +void Hacl_Bignum256_32_bn_to_bytes_le(uint32_t *b, uint8_t *res) +{ + uint32_t bnLen = ((uint32_t)32U - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + store32_le(tmp + i * (uint32_t)4U, b[i]); + } + memcpy(res, tmp, (uint32_t)32U * sizeof (uint8_t)); +} + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^32 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint32_t[8]. +*/ +uint32_t Hacl_Bignum256_32_lt_mask(uint32_t *a, uint32_t *b) +{ + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(a[i], b[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(a[i], b[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + return acc; +} + +/* +Returns 2^32 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint32_t[8]. 
+*/ +uint32_t Hacl_Bignum256_32_eq_mask(uint32_t *a, uint32_t *b) +{ + uint32_t mask = (uint32_t)0xFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t uu____0 = FStar_UInt32_eq_mask(a[i], b[i]); + mask = uu____0 & mask; + } + uint32_t mask1 = mask; + return mask1; +} + diff --git a/src/Hacl_Bignum32.c b/src/Hacl_Bignum32.c new file mode 100644 index 00000000..6f0f0bd7 --- /dev/null +++ b/src/Hacl_Bignum32.c 
@@ -0,0 +1,853 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Bignum32.h" + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Bignum.h" + +/******************************************************************************* + +A verified bignum library. + +This is a 32-bit optimized version, where bignums are represented as an array +of `len` unsigned 32-bit integers, i.e. uint32_t[len]. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2 ^ (32 * len)` in `res`. + + This functions returns the carry. + + The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. 
uint32_t[len] +*/ +uint32_t Hacl_Bignum32_add(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res) +{ + return Hacl_Bignum_Addition_bn_add_eq_len_u32(len, a, b, res); +} + +/* +Write `a - b mod 2 ^ (32 * len)` in `res`. + + This functions returns the carry. + + The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len] +*/ +uint32_t Hacl_Bignum32_sub(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res) +{ + return Hacl_Bignum_Addition_bn_sub_eq_len_u32(len, a, b, res); +} + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum32_add_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res) +{ + Hacl_Bignum_bn_add_mod_n_u32(len, n, a, b, res); +} + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum32_sub_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res) +{ + Hacl_Bignum_bn_sub_mod_n_u32(len, n, a, b, res); +} + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. + The outparam res is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. +*/ +void Hacl_Bignum32_mul(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + uint32_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len, a, b, tmp, res); +} + +/* +Write `a * a` in `res`. + + The argument a is meant to be `len` limbs in size, i.e. uint32_t[len]. 
+ The outparam res is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. +*/ +void Hacl_Bignum32_sqr(uint32_t len, uint32_t *a, uint32_t *res) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + uint32_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32(len, a, tmp, res); +} + +static inline void +bn_slow_precomp( + uint32_t len, + uint32_t *n, + uint32_t mu, + uint32_t *r2, + uint32_t *a, + uint32_t *res +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t a_mod[len]; + memset(a_mod, 0U, len * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t a1[len + len]; + memset(a1, 0U, (len + len) * sizeof (uint32_t)); + memcpy(a1, a, (len + len) * sizeof (uint32_t)); + uint32_t c0 = (uint32_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < len; i0++) + { + uint32_t qj = mu * a1[i0]; + uint32_t *res_j0 = a1 + i0; + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len / (uint32_t)4U; i++) + { + uint32_t a_i = n[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j0 + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c, res_i0); + uint32_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, qj, c, res_i1); + uint32_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, qj, c, res_i2); + uint32_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c, res_i); + } + for (uint32_t i = len / (uint32_t)4U * (uint32_t)4U; i < len; i++) + { + uint32_t a_i = n[i]; + uint32_t *res_i = res_j0 + i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c, res_i); + } + uint32_t r = c; + uint32_t c1 = r; + uint32_t *resb = a1 + len + i0; + 
uint32_t res_j = a1[len + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, c1, res_j, resb); + } + memcpy(a_mod, a1 + len, (len + len - len) * sizeof (uint32_t)); + uint32_t c00 = c0; + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t tmp0[len]; + memset(tmp0, 0U, len * sizeof (uint32_t)); + uint32_t c1 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(len, a_mod, n, tmp0); + uint32_t m = (uint32_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t *os = a_mod; + uint32_t x = (m & tmp0[i]) | (~m & a_mod[i]); + os[i] = x; + } + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + uint32_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len, a_mod, r2, tmp, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, c, res); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. + The argument n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + The function returns false if any of the following preconditions are violated, + true otherwise. 
+ • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum32_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t one[len]; + memset(one, 0U, len * sizeof (uint32_t)); + memset(one, 0U, len * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + uint32_t bit0 = n[0U] & (uint32_t)1U; + uint32_t m0 = (uint32_t)0U - bit0; + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m1 = acc; + uint32_t is_valid_m = m0 & m1; + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32(len, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t r2[len]; + memset(r2, 0U, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u32(len, nBits, n, r2); + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + bn_slow_precomp(len, n, mu, r2, a, res); + } + else + { + memset(res, 0U, len * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. 
+ • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum32_mod_exp_vartime( + uint32_t len, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t is_valid_m = Hacl_Bignum_Exponentiation_bn_check_mod_exp_u32(len, n, a, bBits, b); + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32(len, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u32(len, nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, len * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum32_mod_exp_consttime( + uint32_t len, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t is_valid_m = Hacl_Bignum_Exponentiation_bn_check_mod_exp_u32(len, n, a, bBits, b); + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32(len, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_u32(len, nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, len * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + +/* +Write `a ^ (-1) mod n` in `res`. 
+ + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum32_mod_inv_prime_vartime(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t one[len]; + memset(one, 0U, len * sizeof (uint32_t)); + memset(one, 0U, len * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + uint32_t bit0 = n[0U] & (uint32_t)1U; + uint32_t m0 = (uint32_t)0U - bit0; + uint32_t acc0 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m1 = acc0; + uint32_t m00 = m0 & m1; + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t bn_zero[len]; + memset(bn_zero, 0U, len * sizeof (uint32_t)); + uint32_t mask = (uint32_t)0xFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t uu____0 = FStar_UInt32_eq_mask(a[i], bn_zero[i]); + mask = uu____0 & mask; + } + uint32_t mask1 = mask; + uint32_t res10 = mask1; + uint32_t m10 = res10; + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m2 = acc; + uint32_t is_valid_m = (m00 & ~m10) & m2; + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32(len, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t n2[len]; + memset(n2, 0U, len 
* sizeof (uint32_t)); + uint32_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32((uint32_t)0U, n[0U], (uint32_t)2U, n2); + uint32_t c1; + if ((uint32_t)1U < len) + { + uint32_t rLen = len - (uint32_t)1U; + uint32_t *a1 = n + (uint32_t)1U; + uint32_t *res1 = n2 + (uint32_t)1U; + uint32_t c = c0; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint32_t t1 = a1[(uint32_t)4U * i]; + uint32_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i0); + uint32_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, (uint32_t)0U, res_i1); + uint32_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, (uint32_t)0U, res_i2); + uint32_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, (uint32_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint32_t t1 = a1[i]; + uint32_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i); + } + uint32_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u32(len, + nBits, + n, + a, + (uint32_t)32U * len, + n2, + res); + } + else + { + memset(res, 0U, len * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum32_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 +*Hacl_Bignum32_mont_ctx_init(uint32_t len, uint32_t *n) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *r2 = KRML_HOST_CALLOC(len, sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *n1 = KRML_HOST_CALLOC(len, sizeof (uint32_t)); + uint32_t *r21 = r2; + uint32_t *n11 = n1; + memcpy(n11, n, len * sizeof (uint32_t)); + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32(len, n); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u32(len, nBits, n, r21); + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 res = { .len = len, .n = n11, .mu = mu, .r2 = r21 }; + KRML_CHECK_SIZE(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32), (uint32_t)1U); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 + *buf = KRML_HOST_MALLOC(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32)); + buf[0U] = res; + return buf; +} + +/* +Deallocate the memory previously allocated by Hacl_Bignum32_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. +*/ +void Hacl_Bignum32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + uint32_t *n = k1.n; + uint32_t *r2 = k1.r2; + KRML_HOST_FREE(n); + KRML_HOST_FREE(r2); + KRML_HOST_FREE(k); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. + The outparam res is meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. 
+*/ +void +Hacl_Bignum32_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k10 = *k; + uint32_t len1 = k10.len; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + bn_slow_precomp(len1, k1.n, k1.mu, k1.r2, a, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum32_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k10 = *k; + uint32_t len1 = k10.len; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u32(len1, + k1.n, + k1.mu, + k1.r2, + a, + bBits, + b, + res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. 
When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum32_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k10 = *k; + uint32_t len1 = k10.len; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u32(len1, + k1.n, + k1.mu, + k1.r2, + a, + bBits, + b, + res); +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum32_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k10 = *k; + uint32_t len1 = k10.len; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + KRML_CHECK_SIZE(sizeof (uint32_t), len1); + uint32_t n2[len1]; + memset(n2, 0U, len1 * sizeof (uint32_t)); + uint32_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32((uint32_t)0U, k1.n[0U], (uint32_t)2U, n2); + uint32_t c1; + if ((uint32_t)1U < len1) + { + uint32_t rLen = len1 - (uint32_t)1U; + uint32_t *a1 = k1.n + (uint32_t)1U; + uint32_t *res1 = n2 + (uint32_t)1U; + uint32_t c = c0; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint32_t t1 = a1[(uint32_t)4U * i]; + uint32_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i0); + uint32_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, (uint32_t)0U, res_i1); + uint32_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, (uint32_t)0U, res_i2); + uint32_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, (uint32_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint32_t t1 = a1[i]; + uint32_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i); + } + uint32_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u32(len1, + k1.n, + k1.mu, + k1.r2, + a, + (uint32_t)32U * len1, + n2, + res); +} + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load 
a bid-endian bignum from memory. + + The argument b points to `len` bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum32_new_bn_from_bytes_be(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U <= (uint32_t)1073741823U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint32_t), (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U); + uint32_t + *res = KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U, sizeof (uint32_t)); + if (res == NULL) + { + return res; + } + uint32_t *res1 = res; + uint32_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + uint32_t *os = res2; + uint32_t u = load32_be(tmp + (bnLen - i - (uint32_t)1U) * (uint32_t)4U); + uint32_t x = u; + os[i] = x; + } + return res2; +} + +/* +Load a little-endian bignum from memory. + + The argument b points to `len` bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. 
+*/ +uint32_t *Hacl_Bignum32_new_bn_from_bytes_le(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U <= (uint32_t)1073741823U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint32_t), (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U); + uint32_t + *res = KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U, sizeof (uint32_t)); + if (res == NULL) + { + return res; + } + uint32_t *res1 = res; + uint32_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp, b, len * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; i++) + { + uint32_t *os = res2; + uint8_t *bj = tmp + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r1 = u; + uint32_t x = r1; + os[i] = x; + } + return res2; +} + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a bignum of ⌈len / 4⌉ size. + The outparam res points to `len` bytes of valid memory. +*/ +void Hacl_Bignum32_bn_to_bytes_be(uint32_t len, uint32_t *b, uint8_t *res) +{ + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + uint32_t numb = (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + store32_be(tmp + i * numb, b[bnLen - i - (uint32_t)1U]); + } + memcpy(res, tmp + tmpLen - len, len * sizeof (uint8_t)); +} + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a bignum of ⌈len / 4⌉ size. + The outparam res points to `len` bytes of valid memory. 
+*/ +void Hacl_Bignum32_bn_to_bytes_le(uint32_t len, uint32_t *b, uint8_t *res) +{ + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + store32_le(tmp + i * (uint32_t)4U, b[i]); + } + memcpy(res, tmp, len * sizeof (uint8_t)); +} + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^32 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. +*/ +uint32_t Hacl_Bignum32_lt_mask(uint32_t len, uint32_t *a, uint32_t *b) +{ + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(a[i], b[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(a[i], b[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + return acc; +} + +/* +Returns 2^32 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. +*/ +uint32_t Hacl_Bignum32_eq_mask(uint32_t len, uint32_t *a, uint32_t *b) +{ + uint32_t mask = (uint32_t)0xFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t uu____0 = FStar_UInt32_eq_mask(a[i], b[i]); + mask = uu____0 & mask; + } + uint32_t mask1 = mask; + return mask1; +} + diff --git a/src/Hacl_Bignum4096.c b/src/Hacl_Bignum4096.c new file mode 100644 index 00000000..fb07e3b5 --- /dev/null +++ b/src/Hacl_Bignum4096.c 
@@ -0,0 +1,1485 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Bignum4096.h" + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Bignum.h" + +/******************************************************************************* + +A verified 4096-bit bignum library. + +This is a 64-bit optimized version, where bignums are represented as an array +of sixty four unsigned 64-bit integers, i.e. uint64_t[64]. Furthermore, the +limbs are stored in little-endian format, i.e. the least significant limb is at +index 0. Each limb is stored in native format in memory. Example: + + uint64_t sixteen[64] = { 0x10 } + + (relying on the fact that when an initializer-list is provided, the remainder + of the object gets initialized as if it had static storage duration, i.e. 
with + zeroes) + +We strongly encourage users to go through the conversion functions, e.g. +bn_from_bytes_be, to i) not depend on internal representation choices and ii) +have the ability to switch easily to a 32-bit optimized version in the future. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2^4096` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 4096-bit bignums, i.e. uint64_t[64] +*/ +uint64_t Hacl_Bignum4096_add(uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t20, res_i0); + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t10, t21, res_i1); + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, t22, res_i2); + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t2, res_i); + } + return c; +} + +/* +Write `a - b mod 2^4096` in `res`. + + This functions returns the carry. 
+ + The arguments a, b and res are meant to be 4096-bit bignums, i.e. uint64_t[64] +*/ +uint64_t Hacl_Bignum4096_sub(uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t2, res_i); + } + return c; +} + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • a < n + • b < n +*/ +void Hacl_Bignum4096_add_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c0 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t1, t20, res_i0); + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t10, t21, res_i1); + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t11, t22, res_i2); + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t1, t2, res_i); + } + uint64_t c00 = c0; + uint64_t tmp[64U] = { 0U }; + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t t1 = res[(uint32_t)4U * i]; + uint64_t t20 = n[(uint32_t)4U * i]; + uint64_t *res_i0 = tmp + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); + uint64_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); + uint64_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = tmp + 
(uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); + uint64_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t2, res_i); + } + uint64_t c1 = c; + uint64_t c2 = c00 - c1; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t *os = res; + uint64_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } +} + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum4096_sub_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c0 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t1, t20, res_i0); + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t10, t21, res_i1); + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t11, t22, res_i2); + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i 
+ (uint32_t)3U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t1, t2, res_i); + } + uint64_t c00 = c0; + uint64_t tmp[64U] = { 0U }; + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t t1 = res[(uint32_t)4U * i]; + uint64_t t20 = n[(uint32_t)4U * i]; + uint64_t *res_i0 = tmp + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t20, res_i0); + uint64_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t10, t21, res_i1); + uint64_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, t22, res_i2); + uint64_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t2, res_i); + } + uint64_t c1 = c; + uint64_t c2 = (uint64_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t *os = res; + uint64_t x = (c2 & tmp[i]) | (~c2 & res[i]); + os[i] = x; + } +} + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint64_t[64]. + The outparam res is meant to be a 8192-bit bignum, i.e. uint64_t[128]. 
+*/ +void Hacl_Bignum4096_mul(uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t tmp[256U] = { 0U }; + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64((uint32_t)64U, a, b, tmp, res); +} + +/* +Write `a * a` in `res`. + + The argument a is meant to be a 4096-bit bignum, i.e. uint64_t[64]. + The outparam res is meant to be a 8192-bit bignum, i.e. uint64_t[128]. +*/ +void Hacl_Bignum4096_sqr(uint64_t *a, uint64_t *res) +{ + uint64_t tmp[256U] = { 0U }; + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64((uint32_t)64U, a, tmp, res); +} + +static inline void precompr2(uint32_t nBits, uint64_t *n, uint64_t *res) +{ + memset(res, 0U, (uint32_t)64U * sizeof (uint64_t)); + uint32_t i = nBits / (uint32_t)64U; + uint32_t j = nBits % (uint32_t)64U; + res[i] = res[i] | (uint64_t)1U << j; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)8192U - nBits; i0++) + { + Hacl_Bignum4096_add_mod(n, res, res, res); + } +} + +static inline void reduction(uint64_t *n, uint64_t nInv, uint64_t *c, uint64_t *res) +{ + uint64_t c0 = (uint64_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)64U; i0++) + { + uint64_t qj = nInv * c[i0]; + uint64_t *res_j0 = c + i0; + uint64_t c1 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t a_i = n[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i0); + uint64_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c1, res_i1); + uint64_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c1, res_i2); + uint64_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c1, res_i); + } + for (uint32_t i = (uint32_t)64U; i < (uint32_t)64U; 
i++) + { + uint64_t a_i = n[i]; + uint64_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i); + } + uint64_t r = c1; + uint64_t c10 = r; + uint64_t *resb = c + (uint32_t)64U + i0; + uint64_t res_j = c[(uint32_t)64U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c10, res_j, resb); + } + memcpy(res, c + (uint32_t)64U, (uint32_t)64U * sizeof (uint64_t)); + uint64_t c00 = c0; + uint64_t tmp[64U] = { 0U }; + uint64_t c1 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t t1 = res[(uint32_t)4U * i]; + uint64_t t20 = n[(uint32_t)4U * i]; + uint64_t *res_i0 = tmp + (uint32_t)4U * i; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t20, res_i0); + uint64_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t10, t21, res_i1); + uint64_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t11, t22, res_i2); + uint64_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t2, res_i); + } + uint64_t c10 = c1; + uint64_t c2 = c00 - c10; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t *os = res; + uint64_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } +} + +static inline void areduction(uint64_t *n, uint64_t nInv, uint64_t *c, uint64_t *res) +{ + uint64_t c0 = (uint64_t)0U; + for (uint32_t i0 = 
(uint32_t)0U; i0 < (uint32_t)64U; i0++) + { + uint64_t qj = nInv * c[i0]; + uint64_t *res_j0 = c + i0; + uint64_t c1 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t a_i = n[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i0); + uint64_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c1, res_i1); + uint64_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c1, res_i2); + uint64_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c1, res_i); + } + for (uint32_t i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t a_i = n[i]; + uint64_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i); + } + uint64_t r = c1; + uint64_t c10 = r; + uint64_t *resb = c + (uint32_t)64U + i0; + uint64_t res_j = c[(uint32_t)64U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c10, res_j, resb); + } + memcpy(res, c + (uint32_t)64U, (uint32_t)64U * sizeof (uint64_t)); + uint64_t c00 = c0; + uint64_t tmp[64U] = { 0U }; + uint64_t c1 = Hacl_Bignum4096_sub(res, n, tmp); + uint64_t m = (uint64_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t *os = res; + uint64_t x = (m & tmp[i]) | (~m & res[i]); + os[i] = x; + } +} + +static inline void +amont_mul(uint64_t *n, uint64_t nInv_u64, uint64_t *aM, uint64_t *bM, uint64_t *resM) +{ + uint64_t c[128U] = { 0U }; + uint64_t tmp[256U] = { 0U }; + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64((uint32_t)64U, aM, bM, tmp, c); + areduction(n, nInv_u64, c, resM); +} + +static inline void amont_sqr(uint64_t *n, uint64_t nInv_u64, uint64_t *aM, 
uint64_t *resM) +{ + uint64_t c[128U] = { 0U }; + uint64_t tmp[256U] = { 0U }; + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64((uint32_t)64U, aM, tmp, c); + areduction(n, nInv_u64, c, resM); +} + +static inline void +bn_slow_precomp(uint64_t *n, uint64_t mu, uint64_t *r2, uint64_t *a, uint64_t *res) +{ + uint64_t a_mod[64U] = { 0U }; + uint64_t a1[128U] = { 0U }; + memcpy(a1, a, (uint32_t)128U * sizeof (uint64_t)); + uint64_t c0 = (uint64_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)64U; i0++) + { + uint64_t qj = mu * a1[i0]; + uint64_t *res_j0 = a1 + i0; + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t a_i = n[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j0 + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i0); + uint64_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c, res_i1); + uint64_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c, res_i2); + uint64_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c, res_i); + } + for (uint32_t i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t a_i = n[i]; + uint64_t *res_i = res_j0 + i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i); + } + uint64_t r = c; + uint64_t c1 = r; + uint64_t *resb = a1 + (uint32_t)64U + i0; + uint64_t res_j = a1[(uint32_t)64U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c1, res_j, resb); + } + memcpy(a_mod, a1 + (uint32_t)64U, (uint32_t)64U * sizeof (uint64_t)); + uint64_t c00 = c0; + uint64_t tmp[64U] = { 0U }; + uint64_t c1 = Hacl_Bignum4096_sub(a_mod, n, tmp); + uint64_t m = (uint64_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) 
+ { + uint64_t *os = a_mod; + uint64_t x = (m & tmp[i]) | (~m & a_mod[i]); + os[i] = x; + } + uint64_t c[128U] = { 0U }; + Hacl_Bignum4096_mul(a_mod, r2, c); + reduction(n, mu, c, res); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 8192-bit bignum, i.e. uint64_t[128]. + The argument n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum4096_mod(uint64_t *n, uint64_t *a, uint64_t *res) +{ + uint64_t one[64U] = { 0U }; + memset(one, 0U, (uint32_t)64U * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + uint64_t bit0 = n[0U] & (uint64_t)1U; + uint64_t m0 = (uint64_t)0U - bit0; + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m1 = acc; + uint64_t is_valid_m = m0 & m1; + uint32_t + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)64U, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + uint64_t r2[64U] = { 0U }; + precompr2(nBits, n, r2); + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + bn_slow_precomp(n, mu, r2, a, res); + } + else + { + memset(res, 0U, (uint32_t)64U * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +static uint64_t exp_check(uint64_t *n, uint64_t *a, uint32_t bBits, uint64_t *b) +{ + uint64_t one[64U] = { 0U }; + memset(one, 0U, (uint32_t)64U * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + uint64_t bit0 = n[0U] & (uint64_t)1U; + uint64_t m0 = (uint64_t)0U - bit0; + uint64_t acc0 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + 
uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m10 = acc0; + uint64_t m00 = m0 & m10; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + uint64_t m1; + if (bBits < (uint32_t)64U * bLen) + { + KRML_CHECK_SIZE(sizeof (uint64_t), bLen); + uint64_t b2[bLen]; + memset(b2, 0U, bLen * sizeof (uint64_t)); + uint32_t i0 = bBits / (uint32_t)64U; + uint32_t j = bBits % (uint32_t)64U; + b2[i0] = b2[i0] | (uint64_t)1U << j; + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < bLen; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(b[i], b2[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(b[i], b2[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t res = acc; + m1 = res; + } + else + { + m1 = (uint64_t)0xFFFFFFFFFFFFFFFFU; + } + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m2 = acc; + uint64_t m = m1 & m2; + return m00 & m; +} + +static inline void +exp_vartime_precomp( + uint64_t *n, + uint64_t mu, + uint64_t *r2, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + if (bBits < (uint32_t)200U) + { + uint64_t aM[64U] = { 0U }; + uint64_t c[128U] = { 0U }; + Hacl_Bignum4096_mul(a, r2, c); + reduction(n, mu, c, aM); + uint64_t resM[64U] = { 0U }; + uint64_t tmp0[128U] = { 0U }; + memcpy(tmp0, r2, (uint32_t)64U * sizeof (uint64_t)); + reduction(n, mu, tmp0, resM); + for (uint32_t i = (uint32_t)0U; i < bBits; i++) + { + uint32_t i1 = i / (uint32_t)64U; + uint32_t j = i % (uint32_t)64U; + uint64_t tmp = b[i1]; + 
uint64_t bit = tmp >> j & (uint64_t)1U; + if (!(bit == (uint64_t)0U)) + { + amont_mul(n, mu, resM, aM, resM); + } + amont_sqr(n, mu, aM, aM); + } + uint64_t tmp[128U] = { 0U }; + memcpy(tmp, resM, (uint32_t)64U * sizeof (uint64_t)); + reduction(n, mu, tmp, res); + return; + } + uint64_t aM[64U] = { 0U }; + uint64_t c[128U] = { 0U }; + Hacl_Bignum4096_mul(a, r2, c); + reduction(n, mu, c, aM); + uint64_t resM[64U] = { 0U }; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + uint64_t tmp[128U] = { 0U }; + memcpy(tmp, r2, (uint32_t)64U * sizeof (uint64_t)); + reduction(n, mu, tmp, resM); + uint64_t table[1024U] = { 0U }; + memcpy(table, resM, (uint32_t)64U * sizeof (uint64_t)); + uint64_t *t1 = table + (uint32_t)64U; + memcpy(t1, aM, (uint32_t)64U * sizeof (uint64_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)64U; + uint64_t *t2 = table + (i + (uint32_t)2U) * (uint32_t)64U; + amont_mul(n, mu, t11, aM, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)64U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)64U; + uint64_t p1 = b[i] >> j; + uint64_t ite; + if (i + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_c = ite & mask_l; + uint32_t bits_l32 = (uint32_t)bits_c; + uint64_t *a_bits_l = table + bits_l32 * (uint32_t)64U; + memcpy(resM, a_bits_l, (uint32_t)64U * sizeof (uint64_t)); + } + for (uint32_t i = (uint32_t)0U; i < bBits / (uint32_t)4U; i++) + { + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + amont_sqr(n, mu, resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i1 
= (bk - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = b[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_l = ite & mask_l; + uint64_t a_bits_l[64U] = { 0U }; + uint32_t bits_l32 = (uint32_t)bits_l; + uint64_t *a_bits_l1 = table + bits_l32 * (uint32_t)64U; + memcpy(a_bits_l, a_bits_l1, (uint32_t)64U * sizeof (uint64_t)); + amont_mul(n, mu, resM, a_bits_l, resM); + } + uint64_t tmp0[128U] = { 0U }; + memcpy(tmp0, resM, (uint32_t)64U * sizeof (uint64_t)); + reduction(n, mu, tmp0, res); +} + +static inline void +exp_consttime_precomp( + uint64_t *n, + uint64_t mu, + uint64_t *r2, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + if (bBits < (uint32_t)200U) + { + uint64_t aM[64U] = { 0U }; + uint64_t c[128U] = { 0U }; + Hacl_Bignum4096_mul(a, r2, c); + reduction(n, mu, c, aM); + uint64_t resM[64U] = { 0U }; + uint64_t tmp0[128U] = { 0U }; + memcpy(tmp0, r2, (uint32_t)64U * sizeof (uint64_t)); + reduction(n, mu, tmp0, resM); + uint64_t sw = (uint64_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < bBits; i0++) + { + uint32_t i1 = (bBits - i0 - (uint32_t)1U) / (uint32_t)64U; + uint32_t j = (bBits - i0 - (uint32_t)1U) % (uint32_t)64U; + uint64_t tmp = b[i1]; + uint64_t bit = tmp >> j & (uint64_t)1U; + uint64_t sw1 = bit ^ sw; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t dummy = ((uint64_t)0U - sw1) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + amont_mul(n, mu, aM, resM, aM); + amont_sqr(n, mu, resM, resM); + sw = bit; + } + uint64_t sw0 = sw; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t dummy = ((uint64_t)0U - sw0) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + uint64_t tmp[128U] = { 0U }; + memcpy(tmp, 
resM, (uint32_t)64U * sizeof (uint64_t)); + reduction(n, mu, tmp, res); + return; + } + uint64_t aM[64U] = { 0U }; + uint64_t c0[128U] = { 0U }; + Hacl_Bignum4096_mul(a, r2, c0); + reduction(n, mu, c0, aM); + uint64_t resM[64U] = { 0U }; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + uint64_t tmp[128U] = { 0U }; + memcpy(tmp, r2, (uint32_t)64U * sizeof (uint64_t)); + reduction(n, mu, tmp, resM); + uint64_t table[1024U] = { 0U }; + memcpy(table, resM, (uint32_t)64U * sizeof (uint64_t)); + uint64_t *t1 = table + (uint32_t)64U; + memcpy(t1, aM, (uint32_t)64U * sizeof (uint64_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)64U; + uint64_t *t2 = table + (i + (uint32_t)2U) * (uint32_t)64U; + amont_mul(n, mu, t11, aM, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i0 = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)64U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)64U; + uint64_t p1 = b[i0] >> j; + uint64_t ite; + if (i0 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i0 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_c = ite & mask_l; + memcpy(resM, table, (uint32_t)64U * sizeof (uint64_t)); + for (uint32_t i1 = (uint32_t)0U; i1 < (uint32_t)15U; i1++) + { + uint64_t c = FStar_UInt64_eq_mask(bits_c, (uint64_t)(i1 + (uint32_t)1U)); + uint64_t *res_j = table + (i1 + (uint32_t)1U) * (uint32_t)64U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t *os = resM; + uint64_t x = (c & res_j[i]) | (~c & resM[i]); + os[i] = x; + } + } + } + for (uint32_t i0 = (uint32_t)0U; i0 < bBits / (uint32_t)4U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + amont_sqr(n, mu, resM, resM); + } + uint32_t bk = bBits - bBits % 
(uint32_t)4U; + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i0 - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk - (uint32_t)4U * i0 - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = b[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_l = ite & mask_l; + uint64_t a_bits_l[64U] = { 0U }; + memcpy(a_bits_l, table, (uint32_t)64U * sizeof (uint64_t)); + for (uint32_t i2 = (uint32_t)0U; i2 < (uint32_t)15U; i2++) + { + uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i2 + (uint32_t)1U)); + uint64_t *res_j = table + (i2 + (uint32_t)1U) * (uint32_t)64U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t *os = a_bits_l; + uint64_t x = (c & res_j[i]) | (~c & a_bits_l[i]); + os[i] = x; + } + } + amont_mul(n, mu, resM, a_bits_l, resM); + } + uint64_t tmp0[128U] = { 0U }; + memcpy(tmp0, resM, (uint32_t)64U * sizeof (uint64_t)); + reduction(n, mu, tmp0, res); +} + +static inline void +exp_vartime( + uint32_t nBits, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t r2[64U] = { 0U }; + precompr2(nBits, n, r2); + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + exp_vartime_precomp(n, mu, r2, a, bBits, b, res); +} + +static inline void +exp_consttime( + uint32_t nBits, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t r2[64U] = { 0U }; + precompr2(nBits, n, r2); + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + exp_consttime_precomp(n, mu, r2, a, bBits, b, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. 
When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum4096_mod_exp_vartime( + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t is_valid_m = exp_check(n, a, bBits, b); + uint32_t + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)64U, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + exp_vartime(nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, (uint32_t)64U * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. + + The function returns false if any of the following preconditions are violated, + true otherwise. 
+ • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum4096_mod_exp_consttime( + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t is_valid_m = exp_check(n, a, bBits, b); + uint32_t + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)64U, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + exp_consttime(nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, (uint32_t)64U * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum4096_mod_inv_prime_vartime(uint64_t *n, uint64_t *a, uint64_t *res) +{ + uint64_t one[64U] = { 0U }; + memset(one, 0U, (uint32_t)64U * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + uint64_t bit0 = n[0U] & (uint64_t)1U; + uint64_t m0 = (uint64_t)0U - bit0; + uint64_t acc0 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m1 = acc0; + uint64_t m00 = m0 & m1; + uint64_t bn_zero[64U] = { 0U }; + uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t uu____0 = FStar_UInt64_eq_mask(a[i], bn_zero[i]); + mask = uu____0 & mask; + } + uint64_t mask1 = mask; + uint64_t res10 = mask1; + uint64_t m10 = res10; + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < 
(uint32_t)64U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m2 = acc; + uint64_t is_valid_m = (m00 & ~m10) & m2; + uint32_t + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)64U, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + uint64_t n2[64U] = { 0U }; + uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, n[0U], (uint64_t)2U, n2); + uint64_t c1; + if ((uint32_t)1U < (uint32_t)64U) + { + uint32_t rLen = (uint32_t)63U; + uint64_t *a1 = n + (uint32_t)1U; + uint64_t *res1 = n2 + (uint32_t)1U; + uint64_t c = c0; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint64_t t1 = a1[(uint32_t)4U * i]; + uint64_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i0); + uint64_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, (uint64_t)0U, res_i1); + uint64_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, (uint64_t)0U, res_i2); + uint64_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, (uint64_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint64_t t1 = a1[i]; + uint64_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i); + } + uint64_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + exp_vartime(nBits, n, a, (uint32_t)4096U, n2, res); + } + else + { + memset(res, 0U, (uint32_t)64U * sizeof (uint64_t)); + } + return is_valid_m == 
(uint64_t)0xFFFFFFFFFFFFFFFFU; +} + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be a 4096-bit bignum, i.e. uint64_t[64]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum4096_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_Bignum4096_mont_ctx_init(uint64_t *n) +{ + uint64_t *r2 = KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint64_t)); + uint64_t *n1 = KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint64_t)); + uint64_t *r21 = r2; + uint64_t *n11 = n1; + memcpy(n11, n, (uint32_t)64U * sizeof (uint64_t)); + uint32_t + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)64U, n); + precompr2(nBits, n, r21); + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 + res = { .len = (uint32_t)64U, .n = n11, .mu = mu, .r2 = r21 }; + KRML_CHECK_SIZE(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64), (uint32_t)1U); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 + *buf = KRML_HOST_MALLOC(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64)); + buf[0U] = res; + return buf; +} + +/* +Deallocate the memory previously allocated by Hacl_Bignum4096_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. +*/ +void Hacl_Bignum4096_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + uint64_t *n = k1.n; + uint64_t *r2 = k1.r2; + KRML_HOST_FREE(n); + KRML_HOST_FREE(r2); + KRML_HOST_FREE(k); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 8192-bit bignum, i.e. uint64_t[128]. 
+ The outparam res is meant to be a 4096-bit bignum, i.e. uint64_t[64]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. +*/ +void +Hacl_Bignum4096_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + bn_slow_precomp(k1.n, k1.mu, k1.r2, a, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum4096_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. 
+ + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum4096_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + exp_consttime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum4096_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + uint64_t n2[64U] = { 0U }; + uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, k1.n[0U], (uint64_t)2U, n2); + uint64_t c1; + if ((uint32_t)1U < (uint32_t)64U) + { + uint32_t rLen = (uint32_t)63U; + uint64_t *a1 = k1.n + (uint32_t)1U; + uint64_t *res1 = n2 + (uint32_t)1U; + uint64_t c = c0; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint64_t t1 = a1[(uint32_t)4U * i]; + uint64_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i0); + uint64_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, (uint64_t)0U, res_i1); + uint64_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = 
Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, (uint64_t)0U, res_i2); + uint64_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, (uint64_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint64_t t1 = a1[i]; + uint64_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i); + } + uint64_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, (uint32_t)4096U, n2, res); +} + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. 
+*/ +uint64_t *Hacl_Bignum4096_new_bn_from_bytes_be(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U <= (uint32_t)536870911U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint64_t), (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U); + uint64_t + *res = KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U, sizeof (uint64_t)); + if (res == NULL) + { + return res; + } + uint64_t *res1 = res; + uint64_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + uint64_t *os = res2; + uint64_t u = load64_be(tmp + (bnLen - i - (uint32_t)1U) * (uint32_t)8U); + uint64_t x = u; + os[i] = x; + } + return res2; +} + +/* +Load a little-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. 
+*/ +uint64_t *Hacl_Bignum4096_new_bn_from_bytes_le(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U <= (uint32_t)536870911U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint64_t), (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U); + uint64_t + *res = KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U, sizeof (uint64_t)); + if (res == NULL) + { + return res; + } + uint64_t *res1 = res; + uint64_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp, b, len * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; i++) + { + uint64_t *os = res2; + uint8_t *bj = tmp + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r1 = u; + uint64_t x = r1; + os[i] = x; + } + return res2; +} + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a 4096-bit bignum. + The outparam res points to 512 bytes of valid memory. +*/ +void Hacl_Bignum4096_bn_to_bytes_be(uint64_t *b, uint8_t *res) +{ + uint32_t bnLen = ((uint32_t)512U - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + uint32_t numb = (uint32_t)8U; + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + store64_be(tmp + i * numb, b[bnLen - i - (uint32_t)1U]); + } + memcpy(res, tmp + tmpLen - (uint32_t)512U, (uint32_t)512U * sizeof (uint8_t)); +} + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a 4096-bit bignum. + The outparam res points to 512 bytes of valid memory. 
+*/ +void Hacl_Bignum4096_bn_to_bytes_le(uint64_t *b, uint8_t *res) +{ + uint32_t bnLen = ((uint32_t)512U - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + store64_le(tmp + i * (uint32_t)8U, b[i]); + } + memcpy(res, tmp, (uint32_t)512U * sizeof (uint8_t)); +} + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^64 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint64_t[64]. +*/ +uint64_t Hacl_Bignum4096_lt_mask(uint64_t *a, uint64_t *b) +{ + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(a[i], b[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(a[i], b[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + return acc; +} + +/* +Returns 2^64 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint64_t[64]. +*/ +uint64_t Hacl_Bignum4096_eq_mask(uint64_t *a, uint64_t *b) +{ + uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t uu____0 = FStar_UInt64_eq_mask(a[i], b[i]); + mask = uu____0 & mask; + } + uint64_t mask1 = mask; + return mask1; +} + diff --git a/src/Hacl_Bignum4096_32.c b/src/Hacl_Bignum4096_32.c new file mode 100644 index 00000000..73db011d --- /dev/null +++ b/src/Hacl_Bignum4096_32.c 
@@ -0,0 +1,1480 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Bignum4096_32.h" + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Bignum.h" + +/******************************************************************************* + +A verified 4096-bit bignum library. + +This is a 32-bit optimized version, where bignums are represented as an array +of 128 unsigned 32-bit integers, i.e. uint32_t[128]. Furthermore, the +limbs are stored in little-endian format, i.e. the least significant limb is at +index 0. Each limb is stored in native format in memory. Example: + + uint32_t sixteen[128] = { 0x10 } + + (relying on the fact that when an initializer-list is provided, the remainder + of the object gets initialized as if it had static storage duration, i.e. 
with + zeroes) + +We strongly encourage users to go through the conversion functions, e.g. +bn_from_bytes_be, to i) not depend on internal representation choices and ii) +have the ability to switch easily to a 64-bit optimized version in the future. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2^4096` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 4096-bit bignums, i.e. uint32_t[128] +*/ +uint32_t Hacl_Bignum4096_32_add(uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t20, res_i0); + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t10, t21, res_i1); + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t11, t22, res_i2); + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t2, res_i); + } + return c; +} + +/* +Write `a - b mod 2^4096` in `res`. + + This functions returns the carry. 
+ + The arguments a, b and res are meant to be 4096-bit bignums, i.e. uint32_t[128] +*/ +uint32_t Hacl_Bignum4096_32_sub(uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t20, res_i0); + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, t21, res_i1); + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, t22, res_i2); + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t2, res_i); + } + return c; +} + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • a < n + • b < n +*/ +void Hacl_Bignum4096_32_add_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c0 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t1, t20, res_i0); + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t10, t21, res_i1); + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t11, t22, res_i2); + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t1, t2, res_i); + } + uint32_t c00 = c0; + uint32_t tmp[128U] = { 0U }; + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t t1 = res[(uint32_t)4U * i]; + uint32_t t20 = n[(uint32_t)4U * i]; + uint32_t *res_i0 = tmp + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t20, res_i0); + uint32_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, t21, res_i1); + uint32_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = 
tmp + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, t22, res_i2); + uint32_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t t1 = res[i]; + uint32_t t2 = n[i]; + uint32_t *res_i = tmp + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t2, res_i); + } + uint32_t c1 = c; + uint32_t c2 = c00 - c1; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t *os = res; + uint32_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } +} + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum4096_32_sub_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c0 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t1, t20, res_i0); + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t10, t21, res_i1); + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t11, t22, res_i2); + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + 
(uint32_t)4U * i + (uint32_t)3U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t1, t2, res_i); + } + uint32_t c00 = c0; + uint32_t tmp[128U] = { 0U }; + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t t1 = res[(uint32_t)4U * i]; + uint32_t t20 = n[(uint32_t)4U * i]; + uint32_t *res_i0 = tmp + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t20, res_i0); + uint32_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t10, t21, res_i1); + uint32_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t11, t22, res_i2); + uint32_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t t1 = res[i]; + uint32_t t2 = n[i]; + uint32_t *res_i = tmp + i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t2, res_i); + } + uint32_t c1 = c; + uint32_t c2 = (uint32_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t *os = res; + uint32_t x = (c2 & tmp[i]) | (~c2 & res[i]); + os[i] = x; + } +} + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint32_t[128]. + The outparam res is meant to be a 8192-bit bignum, i.e. uint32_t[256]. 
+*/ +void Hacl_Bignum4096_32_mul(uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t tmp[512U] = { 0U }; + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32((uint32_t)128U, a, b, tmp, res); +} + +/* +Write `a * a` in `res`. + + The argument a is meant to be a 4096-bit bignum, i.e. uint32_t[128]. + The outparam res is meant to be a 8192-bit bignum, i.e. uint32_t[256]. +*/ +void Hacl_Bignum4096_32_sqr(uint32_t *a, uint32_t *res) +{ + uint32_t tmp[512U] = { 0U }; + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32((uint32_t)128U, a, tmp, res); +} + +static inline void precompr2(uint32_t nBits, uint32_t *n, uint32_t *res) +{ + memset(res, 0U, (uint32_t)128U * sizeof (uint32_t)); + uint32_t i = nBits / (uint32_t)32U; + uint32_t j = nBits % (uint32_t)32U; + res[i] = res[i] | (uint32_t)1U << j; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)8192U - nBits; i0++) + { + Hacl_Bignum4096_32_add_mod(n, res, res, res); + } +} + +static inline void reduction(uint32_t *n, uint32_t nInv, uint32_t *c, uint32_t *res) +{ + uint32_t c0 = (uint32_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)128U; i0++) + { + uint32_t qj = nInv * c[i0]; + uint32_t *res_j0 = c + i0; + uint32_t c1 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t a_i = n[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i0); + uint32_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, qj, c1, res_i1); + uint32_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, qj, c1, res_i2); + uint32_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c1, res_i); + } + for (uint32_t i = (uint32_t)128U; i < 
(uint32_t)128U; i++) + { + uint32_t a_i = n[i]; + uint32_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i); + } + uint32_t r = c1; + uint32_t c10 = r; + uint32_t *resb = c + (uint32_t)128U + i0; + uint32_t res_j = c[(uint32_t)128U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, c10, res_j, resb); + } + memcpy(res, c + (uint32_t)128U, (uint32_t)128U * sizeof (uint32_t)); + uint32_t c00 = c0; + uint32_t tmp[128U] = { 0U }; + uint32_t c1 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t t1 = res[(uint32_t)4U * i]; + uint32_t t20 = n[(uint32_t)4U * i]; + uint32_t *res_i0 = tmp + (uint32_t)4U * i; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t1, t20, res_i0); + uint32_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t10, t21, res_i1); + uint32_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t11, t22, res_i2); + uint32_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t t1 = res[i]; + uint32_t t2 = n[i]; + uint32_t *res_i = tmp + i; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t1, t2, res_i); + } + uint32_t c10 = c1; + uint32_t c2 = c00 - c10; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t *os = res; + uint32_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } +} + +static inline void areduction(uint32_t *n, uint32_t nInv, uint32_t *c, uint32_t *res) +{ + uint32_t c0 = (uint32_t)0U; + for 
(uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)128U; i0++) + { + uint32_t qj = nInv * c[i0]; + uint32_t *res_j0 = c + i0; + uint32_t c1 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t a_i = n[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i0); + uint32_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, qj, c1, res_i1); + uint32_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, qj, c1, res_i2); + uint32_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c1, res_i); + } + for (uint32_t i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t a_i = n[i]; + uint32_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i); + } + uint32_t r = c1; + uint32_t c10 = r; + uint32_t *resb = c + (uint32_t)128U + i0; + uint32_t res_j = c[(uint32_t)128U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, c10, res_j, resb); + } + memcpy(res, c + (uint32_t)128U, (uint32_t)128U * sizeof (uint32_t)); + uint32_t c00 = c0; + uint32_t tmp[128U] = { 0U }; + uint32_t c1 = Hacl_Bignum4096_32_sub(res, n, tmp); + uint32_t m = (uint32_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t *os = res; + uint32_t x = (m & tmp[i]) | (~m & res[i]); + os[i] = x; + } +} + +static inline void +amont_mul(uint32_t *n, uint32_t nInv_u64, uint32_t *aM, uint32_t *bM, uint32_t *resM) +{ + uint32_t c[256U] = { 0U }; + uint32_t tmp[512U] = { 0U }; + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32((uint32_t)128U, aM, bM, tmp, c); + areduction(n, nInv_u64, c, resM); +} + +static inline void amont_sqr(uint32_t *n, 
uint32_t nInv_u64, uint32_t *aM, uint32_t *resM) +{ + uint32_t c[256U] = { 0U }; + uint32_t tmp[512U] = { 0U }; + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32((uint32_t)128U, aM, tmp, c); + areduction(n, nInv_u64, c, resM); +} + +static inline void +bn_slow_precomp(uint32_t *n, uint32_t mu, uint32_t *r2, uint32_t *a, uint32_t *res) +{ + uint32_t a_mod[128U] = { 0U }; + uint32_t a1[256U] = { 0U }; + memcpy(a1, a, (uint32_t)256U * sizeof (uint32_t)); + uint32_t c0 = (uint32_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)128U; i0++) + { + uint32_t qj = mu * a1[i0]; + uint32_t *res_j0 = a1 + i0; + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t a_i = n[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j0 + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c, res_i0); + uint32_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, qj, c, res_i1); + uint32_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, qj, c, res_i2); + uint32_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c, res_i); + } + for (uint32_t i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t a_i = n[i]; + uint32_t *res_i = res_j0 + i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c, res_i); + } + uint32_t r = c; + uint32_t c1 = r; + uint32_t *resb = a1 + (uint32_t)128U + i0; + uint32_t res_j = a1[(uint32_t)128U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, c1, res_j, resb); + } + memcpy(a_mod, a1 + (uint32_t)128U, (uint32_t)128U * sizeof (uint32_t)); + uint32_t c00 = c0; + uint32_t tmp[128U] = { 0U }; + uint32_t c1 = Hacl_Bignum4096_32_sub(a_mod, n, tmp); + uint32_t m = (uint32_t)0U - c00; + for 
(uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t *os = a_mod; + uint32_t x = (m & tmp[i]) | (~m & a_mod[i]); + os[i] = x; + } + uint32_t c[256U] = { 0U }; + Hacl_Bignum4096_32_mul(a_mod, r2, c); + reduction(n, mu, c, res); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 8192-bit bignum, i.e. uint32_t[256]. + The argument n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum4096_32_mod(uint32_t *n, uint32_t *a, uint32_t *res) +{ + uint32_t one[128U] = { 0U }; + memset(one, 0U, (uint32_t)128U * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + uint32_t bit0 = n[0U] & (uint32_t)1U; + uint32_t m0 = (uint32_t)0U - bit0; + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m1 = acc; + uint32_t is_valid_m = m0 & m1; + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)128U, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + uint32_t r2[128U] = { 0U }; + precompr2(nBits, n, r2); + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + bn_slow_precomp(n, mu, r2, a, res); + } + else + { + memset(res, 0U, (uint32_t)128U * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + +static uint32_t exp_check(uint32_t *n, uint32_t *a, uint32_t bBits, uint32_t *b) +{ + uint32_t one[128U] = { 0U }; + memset(one, 0U, (uint32_t)128U * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + uint32_t bit0 = n[0U] & (uint32_t)1U; + uint32_t m0 = (uint32_t)0U - bit0; + uint32_t acc0 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t beq = 
FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m10 = acc0; + uint32_t m00 = m0 & m10; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + uint32_t m1; + if (bBits < (uint32_t)32U * bLen) + { + KRML_CHECK_SIZE(sizeof (uint32_t), bLen); + uint32_t b2[bLen]; + memset(b2, 0U, bLen * sizeof (uint32_t)); + uint32_t i0 = bBits / (uint32_t)32U; + uint32_t j = bBits % (uint32_t)32U; + b2[i0] = b2[i0] | (uint32_t)1U << j; + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < bLen; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(b[i], b2[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(b[i], b2[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t res = acc; + m1 = res; + } + else + { + m1 = (uint32_t)0xFFFFFFFFU; + } + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m2 = acc; + uint32_t m = m1 & m2; + return m00 & m; +} + +static inline void +exp_vartime_precomp( + uint32_t *n, + uint32_t mu, + uint32_t *r2, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + if (bBits < (uint32_t)200U) + { + uint32_t aM[128U] = { 0U }; + uint32_t c[256U] = { 0U }; + Hacl_Bignum4096_32_mul(a, r2, c); + reduction(n, mu, c, aM); + uint32_t resM[128U] = { 0U }; + uint32_t tmp0[256U] = { 0U }; + memcpy(tmp0, r2, (uint32_t)128U * sizeof (uint32_t)); + reduction(n, mu, tmp0, resM); + for (uint32_t i = (uint32_t)0U; i < bBits; i++) + { + uint32_t i1 = i / (uint32_t)32U; + uint32_t j = i % (uint32_t)32U; + uint32_t tmp = 
b[i1]; + uint32_t bit = tmp >> j & (uint32_t)1U; + if (!(bit == (uint32_t)0U)) + { + amont_mul(n, mu, resM, aM, resM); + } + amont_sqr(n, mu, aM, aM); + } + uint32_t tmp[256U] = { 0U }; + memcpy(tmp, resM, (uint32_t)128U * sizeof (uint32_t)); + reduction(n, mu, tmp, res); + return; + } + uint32_t aM[128U] = { 0U }; + uint32_t c[256U] = { 0U }; + Hacl_Bignum4096_32_mul(a, r2, c); + reduction(n, mu, c, aM); + uint32_t resM[128U] = { 0U }; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + uint32_t tmp[256U] = { 0U }; + memcpy(tmp, r2, (uint32_t)128U * sizeof (uint32_t)); + reduction(n, mu, tmp, resM); + uint32_t table[2048U] = { 0U }; + memcpy(table, resM, (uint32_t)128U * sizeof (uint32_t)); + uint32_t *t1 = table + (uint32_t)128U; + memcpy(t1, aM, (uint32_t)128U * sizeof (uint32_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint32_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)128U; + uint32_t *t2 = table + (i + (uint32_t)2U) * (uint32_t)128U; + amont_mul(n, mu, t11, aM, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)32U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)32U; + uint32_t p1 = b[i] >> j; + uint32_t ite; + if (i + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_c = ite & mask_l; + uint32_t bits_l32 = bits_c; + uint32_t *a_bits_l = table + bits_l32 * (uint32_t)128U; + memcpy(resM, a_bits_l, (uint32_t)128U * sizeof (uint32_t)); + } + for (uint32_t i = (uint32_t)0U; i < bBits / (uint32_t)4U; i++) + { + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + amont_sqr(n, mu, resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; 
+ uint32_t i1 = (bk - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)32U; + uint32_t j = (bk - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)32U; + uint32_t p1 = b[i1] >> j; + uint32_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_l = ite & mask_l; + uint32_t a_bits_l[128U] = { 0U }; + uint32_t bits_l32 = bits_l; + uint32_t *a_bits_l1 = table + bits_l32 * (uint32_t)128U; + memcpy(a_bits_l, a_bits_l1, (uint32_t)128U * sizeof (uint32_t)); + amont_mul(n, mu, resM, a_bits_l, resM); + } + uint32_t tmp0[256U] = { 0U }; + memcpy(tmp0, resM, (uint32_t)128U * sizeof (uint32_t)); + reduction(n, mu, tmp0, res); +} + +static inline void +exp_consttime_precomp( + uint32_t *n, + uint32_t mu, + uint32_t *r2, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + if (bBits < (uint32_t)200U) + { + uint32_t aM[128U] = { 0U }; + uint32_t c[256U] = { 0U }; + Hacl_Bignum4096_32_mul(a, r2, c); + reduction(n, mu, c, aM); + uint32_t resM[128U] = { 0U }; + uint32_t tmp0[256U] = { 0U }; + memcpy(tmp0, r2, (uint32_t)128U * sizeof (uint32_t)); + reduction(n, mu, tmp0, resM); + uint32_t sw = (uint32_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < bBits; i0++) + { + uint32_t i1 = (bBits - i0 - (uint32_t)1U) / (uint32_t)32U; + uint32_t j = (bBits - i0 - (uint32_t)1U) % (uint32_t)32U; + uint32_t tmp = b[i1]; + uint32_t bit = tmp >> j & (uint32_t)1U; + uint32_t sw1 = bit ^ sw; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t dummy = ((uint32_t)0U - sw1) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + amont_mul(n, mu, aM, resM, aM); + amont_sqr(n, mu, resM, resM); + sw = bit; + } + uint32_t sw0 = sw; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t dummy = ((uint32_t)0U - sw0) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + uint32_t tmp[256U] = { 0U }; + 
memcpy(tmp, resM, (uint32_t)128U * sizeof (uint32_t)); + reduction(n, mu, tmp, res); + return; + } + uint32_t aM[128U] = { 0U }; + uint32_t c0[256U] = { 0U }; + Hacl_Bignum4096_32_mul(a, r2, c0); + reduction(n, mu, c0, aM); + uint32_t resM[128U] = { 0U }; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + uint32_t tmp[256U] = { 0U }; + memcpy(tmp, r2, (uint32_t)128U * sizeof (uint32_t)); + reduction(n, mu, tmp, resM); + uint32_t table[2048U] = { 0U }; + memcpy(table, resM, (uint32_t)128U * sizeof (uint32_t)); + uint32_t *t1 = table + (uint32_t)128U; + memcpy(t1, aM, (uint32_t)128U * sizeof (uint32_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint32_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)128U; + uint32_t *t2 = table + (i + (uint32_t)2U) * (uint32_t)128U; + amont_mul(n, mu, t11, aM, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i0 = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)32U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)32U; + uint32_t p1 = b[i0] >> j; + uint32_t ite; + if (i0 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i0 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_c = ite & mask_l; + memcpy(resM, table, (uint32_t)128U * sizeof (uint32_t)); + for (uint32_t i1 = (uint32_t)0U; i1 < (uint32_t)15U; i1++) + { + uint32_t c = FStar_UInt32_eq_mask(bits_c, i1 + (uint32_t)1U); + uint32_t *res_j = table + (i1 + (uint32_t)1U) * (uint32_t)128U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t *os = resM; + uint32_t x = (c & res_j[i]) | (~c & resM[i]); + os[i] = x; + } + } + } + for (uint32_t i0 = (uint32_t)0U; i0 < bBits / (uint32_t)4U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + amont_sqr(n, mu, resM, resM); + } + uint32_t bk = 
bBits - bBits % (uint32_t)4U; + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i0 - (uint32_t)4U) / (uint32_t)32U; + uint32_t j = (bk - (uint32_t)4U * i0 - (uint32_t)4U) % (uint32_t)32U; + uint32_t p1 = b[i1] >> j; + uint32_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_l = ite & mask_l; + uint32_t a_bits_l[128U] = { 0U }; + memcpy(a_bits_l, table, (uint32_t)128U * sizeof (uint32_t)); + for (uint32_t i2 = (uint32_t)0U; i2 < (uint32_t)15U; i2++) + { + uint32_t c = FStar_UInt32_eq_mask(bits_l, i2 + (uint32_t)1U); + uint32_t *res_j = table + (i2 + (uint32_t)1U) * (uint32_t)128U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t *os = a_bits_l; + uint32_t x = (c & res_j[i]) | (~c & a_bits_l[i]); + os[i] = x; + } + } + amont_mul(n, mu, resM, a_bits_l, resM); + } + uint32_t tmp0[256U] = { 0U }; + memcpy(tmp0, resM, (uint32_t)128U * sizeof (uint32_t)); + reduction(n, mu, tmp0, res); +} + +static inline void +exp_vartime( + uint32_t nBits, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t r2[128U] = { 0U }; + precompr2(nBits, n, r2); + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + exp_vartime_precomp(n, mu, r2, a, bBits, b, res); +} + +static inline void +exp_consttime( + uint32_t nBits, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t r2[128U] = { 0U }; + precompr2(nBits, n, r2); + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + exp_consttime_precomp(n, mu, r2, a, bBits, b, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. 
A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum4096_32_mod_exp_vartime( + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t is_valid_m = exp_check(n, a, bBits, b); + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)128U, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + exp_vartime(nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, (uint32_t)128U * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. + + The function returns false if any of the following preconditions are violated, + true otherwise. 
+ • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum4096_32_mod_exp_consttime( + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t is_valid_m = exp_check(n, a, bBits, b); + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)128U, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + exp_consttime(nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, (uint32_t)128U * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum4096_32_mod_inv_prime_vartime(uint32_t *n, uint32_t *a, uint32_t *res) +{ + uint32_t one[128U] = { 0U }; + memset(one, 0U, (uint32_t)128U * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + uint32_t bit0 = n[0U] & (uint32_t)1U; + uint32_t m0 = (uint32_t)0U - bit0; + uint32_t acc0 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m1 = acc0; + uint32_t m00 = m0 & m1; + uint32_t bn_zero[128U] = { 0U }; + uint32_t mask = (uint32_t)0xFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t uu____0 = FStar_UInt32_eq_mask(a[i], bn_zero[i]); + mask = uu____0 & mask; + } + uint32_t mask1 = mask; + uint32_t res10 = mask1; + uint32_t m10 = res10; + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t beq 
= FStar_UInt32_eq_mask(a[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m2 = acc; + uint32_t is_valid_m = (m00 & ~m10) & m2; + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)128U, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + uint32_t n2[128U] = { 0U }; + uint32_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32((uint32_t)0U, n[0U], (uint32_t)2U, n2); + uint32_t c1; + if ((uint32_t)1U < (uint32_t)128U) + { + uint32_t rLen = (uint32_t)127U; + uint32_t *a1 = n + (uint32_t)1U; + uint32_t *res1 = n2 + (uint32_t)1U; + uint32_t c = c0; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint32_t t1 = a1[(uint32_t)4U * i]; + uint32_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i0); + uint32_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, (uint32_t)0U, res_i1); + uint32_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, (uint32_t)0U, res_i2); + uint32_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, (uint32_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint32_t t1 = a1[i]; + uint32_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i); + } + uint32_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + exp_vartime(nBits, n, a, (uint32_t)4096U, n2, res); + } + else + { + memset(res, 0U, (uint32_t)128U * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + + +/**********************************************/ +/* 
Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be a 4096-bit bignum, i.e. uint32_t[128]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum4096_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_Bignum4096_32_mont_ctx_init(uint32_t *n) +{ + uint32_t *r2 = KRML_HOST_CALLOC((uint32_t)128U, sizeof (uint32_t)); + uint32_t *n1 = KRML_HOST_CALLOC((uint32_t)128U, sizeof (uint32_t)); + uint32_t *r21 = r2; + uint32_t *n11 = n1; + memcpy(n11, n, (uint32_t)128U * sizeof (uint32_t)); + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)128U, n); + precompr2(nBits, n, r21); + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 + res = { .len = (uint32_t)128U, .n = n11, .mu = mu, .r2 = r21 }; + KRML_CHECK_SIZE(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32), (uint32_t)1U); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 + *buf = KRML_HOST_MALLOC(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32)); + buf[0U] = res; + return buf; +} + +/* +Deallocate the memory previously allocated by Hacl_Bignum4096_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. +*/ +void Hacl_Bignum4096_32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + uint32_t *n = k1.n; + uint32_t *r2 = k1.r2; + KRML_HOST_FREE(n); + KRML_HOST_FREE(r2); + KRML_HOST_FREE(k); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 8192-bit bignum, i.e. uint32_t[256]. + The outparam res is meant to be a 4096-bit bignum, i.e. uint32_t[128]. 
+ The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. +*/ +void +Hacl_Bignum4096_32_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + bn_slow_precomp(k1.n, k1.mu, k1.r2, a, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum4096_32_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. 
+ + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum4096_32_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + exp_consttime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum4096_32_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + uint32_t n2[128U] = { 0U }; + uint32_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32((uint32_t)0U, k1.n[0U], (uint32_t)2U, n2); + uint32_t c1; + if ((uint32_t)1U < (uint32_t)128U) + { + uint32_t rLen = (uint32_t)127U; + uint32_t *a1 = k1.n + (uint32_t)1U; + uint32_t *res1 = n2 + (uint32_t)1U; + uint32_t c = c0; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint32_t t1 = a1[(uint32_t)4U * i]; + uint32_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i0); + uint32_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, (uint32_t)0U, res_i1); + uint32_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = 
Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, (uint32_t)0U, res_i2); + uint32_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, (uint32_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint32_t t1 = a1[i]; + uint32_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i); + } + uint32_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, (uint32_t)4096U, n2, res); +} + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. 
+*/ +uint32_t *Hacl_Bignum4096_32_new_bn_from_bytes_be(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U <= (uint32_t)1073741823U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint32_t), (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U); + uint32_t + *res = KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U, sizeof (uint32_t)); + if (res == NULL) + { + return res; + } + uint32_t *res1 = res; + uint32_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + uint32_t *os = res2; + uint32_t u = load32_be(tmp + (bnLen - i - (uint32_t)1U) * (uint32_t)4U); + uint32_t x = u; + os[i] = x; + } + return res2; +} + +/* +Load a little-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. 
+*/ +uint32_t *Hacl_Bignum4096_32_new_bn_from_bytes_le(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U <= (uint32_t)1073741823U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint32_t), (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U); + uint32_t + *res = KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U, sizeof (uint32_t)); + if (res == NULL) + { + return res; + } + uint32_t *res1 = res; + uint32_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp, b, len * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; i++) + { + uint32_t *os = res2; + uint8_t *bj = tmp + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r1 = u; + uint32_t x = r1; + os[i] = x; + } + return res2; +} + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a 4096-bit bignum. + The outparam res points to 512 bytes of valid memory. +*/ +void Hacl_Bignum4096_32_bn_to_bytes_be(uint32_t *b, uint8_t *res) +{ + uint32_t bnLen = ((uint32_t)512U - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + uint32_t numb = (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + store32_be(tmp + i * numb, b[bnLen - i - (uint32_t)1U]); + } + memcpy(res, tmp + tmpLen - (uint32_t)512U, (uint32_t)512U * sizeof (uint8_t)); +} + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a 4096-bit bignum. + The outparam res points to 512 bytes of valid memory. 
+*/ +void Hacl_Bignum4096_32_bn_to_bytes_le(uint32_t *b, uint8_t *res) +{ + uint32_t bnLen = ((uint32_t)512U - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + store32_le(tmp + i * (uint32_t)4U, b[i]); + } + memcpy(res, tmp, (uint32_t)512U * sizeof (uint8_t)); +} + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^32 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint32_t[128]. +*/ +uint32_t Hacl_Bignum4096_32_lt_mask(uint32_t *a, uint32_t *b) +{ + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(a[i], b[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(a[i], b[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + return acc; +} + +/* +Returns 2^32 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint32_t[128]. +*/ +uint32_t Hacl_Bignum4096_32_eq_mask(uint32_t *a, uint32_t *b) +{ + uint32_t mask = (uint32_t)0xFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t uu____0 = FStar_UInt32_eq_mask(a[i], b[i]); + mask = uu____0 & mask; + } + uint32_t mask1 = mask; + return mask1; +} + diff --git a/src/Hacl_Bignum64.c b/src/Hacl_Bignum64.c new file mode 100644 index 00000000..a81a28b3 --- /dev/null +++ b/src/Hacl_Bignum64.c 
@@ -0,0 +1,853 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Bignum64.h" + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Bignum.h" + +/******************************************************************************* + +A verified bignum library. + +This is a 64-bit optimized version, where bignums are represented as an array +of `len` unsigned 64-bit integers, i.e. uint64_t[len]. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2 ^ (64 * len)` in `res`. + + This functions returns the carry. + + The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. 
uint64_t[len] +*/ +uint64_t Hacl_Bignum64_add(uint32_t len, uint64_t *a, uint64_t *b, uint64_t *res) +{ + return Hacl_Bignum_Addition_bn_add_eq_len_u64(len, a, b, res); +} + +/* +Write `a - b mod 2 ^ (64 * len)` in `res`. + + This functions returns the carry. + + The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len] +*/ +uint64_t Hacl_Bignum64_sub(uint32_t len, uint64_t *a, uint64_t *b, uint64_t *res) +{ + return Hacl_Bignum_Addition_bn_sub_eq_len_u64(len, a, b, res); +} + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum64_add_mod(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res) +{ + Hacl_Bignum_bn_add_mod_n_u64(len, n, a, b, res); +} + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum64_sub_mod(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res) +{ + Hacl_Bignum_bn_sub_mod_n_u64(len, n, a, b, res); +} + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint64_t[len]. + The outparam res is meant to be `2*len` limbs in size, i.e. uint64_t[2*len]. +*/ +void Hacl_Bignum64_mul(uint32_t len, uint64_t *a, uint64_t *b, uint64_t *res) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + uint64_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len, a, b, tmp, res); +} + +/* +Write `a * a` in `res`. + + The argument a is meant to be `len` limbs in size, i.e. uint64_t[len]. 
+ The outparam res is meant to be `2*len` limbs in size, i.e. uint64_t[2*len]. +*/ +void Hacl_Bignum64_sqr(uint32_t len, uint64_t *a, uint64_t *res) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + uint64_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64(len, a, tmp, res); +} + +static inline void +bn_slow_precomp( + uint32_t len, + uint64_t *n, + uint64_t mu, + uint64_t *r2, + uint64_t *a, + uint64_t *res +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t a_mod[len]; + memset(a_mod, 0U, len * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t a1[len + len]; + memset(a1, 0U, (len + len) * sizeof (uint64_t)); + memcpy(a1, a, (len + len) * sizeof (uint64_t)); + uint64_t c0 = (uint64_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < len; i0++) + { + uint64_t qj = mu * a1[i0]; + uint64_t *res_j0 = a1 + i0; + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len / (uint32_t)4U; i++) + { + uint64_t a_i = n[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j0 + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i0); + uint64_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c, res_i1); + uint64_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c, res_i2); + uint64_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c, res_i); + } + for (uint32_t i = len / (uint32_t)4U * (uint32_t)4U; i < len; i++) + { + uint64_t a_i = n[i]; + uint64_t *res_i = res_j0 + i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i); + } + uint64_t r = c; + uint64_t c1 = r; + uint64_t *resb = a1 + len + i0; + 
uint64_t res_j = a1[len + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c1, res_j, resb); + } + memcpy(a_mod, a1 + len, (len + len - len) * sizeof (uint64_t)); + uint64_t c00 = c0; + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t tmp0[len]; + memset(tmp0, 0U, len * sizeof (uint64_t)); + uint64_t c1 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(len, a_mod, n, tmp0); + uint64_t m = (uint64_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t *os = a_mod; + uint64_t x = (m & tmp0[i]) | (~m & a_mod[i]); + os[i] = x; + } + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + uint64_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len, a_mod, r2, tmp, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, c, res); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be `2*len` limbs in size, i.e. uint64_t[2*len]. + The argument n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + The function returns false if any of the following preconditions are violated, + true otherwise. 
+ • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum64_mod(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *res) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t one[len]; + memset(one, 0U, len * sizeof (uint64_t)); + memset(one, 0U, len * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + uint64_t bit0 = n[0U] & (uint64_t)1U; + uint64_t m0 = (uint64_t)0U - bit0; + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m1 = acc; + uint64_t is_valid_m = m0 & m1; + uint32_t nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64(len, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t r2[len]; + memset(r2, 0U, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64(len, nBits, n, r2); + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + bn_slow_precomp(len, n, mu, r2, a, res); + } + else + { + memset(res, 0U, len * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. 
+ • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum64_mod_exp_vartime( + uint32_t len, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t is_valid_m = Hacl_Bignum_Exponentiation_bn_check_mod_exp_u64(len, n, a, bBits, b); + uint32_t nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64(len, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u64(len, nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, len * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum64_mod_exp_consttime( + uint32_t len, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t is_valid_m = Hacl_Bignum_Exponentiation_bn_check_mod_exp_u64(len, n, a, bBits, b); + uint32_t nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64(len, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_u64(len, nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, len * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +/* +Write `a ^ (-1) mod n` in `res`. 
+ + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum64_mod_inv_prime_vartime(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *res) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t one[len]; + memset(one, 0U, len * sizeof (uint64_t)); + memset(one, 0U, len * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + uint64_t bit0 = n[0U] & (uint64_t)1U; + uint64_t m0 = (uint64_t)0U - bit0; + uint64_t acc0 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m1 = acc0; + uint64_t m00 = m0 & m1; + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t bn_zero[len]; + memset(bn_zero, 0U, len * sizeof (uint64_t)); + uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t uu____0 = FStar_UInt64_eq_mask(a[i], bn_zero[i]); + mask = uu____0 & mask; + } + uint64_t mask1 = mask; + uint64_t res10 = mask1; + uint64_t m10 = res10; + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m2 = acc; + uint64_t is_valid_m = (m00 & ~m10) & m2; + uint32_t nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64(len, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + KRML_CHECK_SIZE(sizeof (uint64_t), len); 
+ uint64_t n2[len]; + memset(n2, 0U, len * sizeof (uint64_t)); + uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, n[0U], (uint64_t)2U, n2); + uint64_t c1; + if ((uint32_t)1U < len) + { + uint32_t rLen = len - (uint32_t)1U; + uint64_t *a1 = n + (uint32_t)1U; + uint64_t *res1 = n2 + (uint32_t)1U; + uint64_t c = c0; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint64_t t1 = a1[(uint32_t)4U * i]; + uint64_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i0); + uint64_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, (uint64_t)0U, res_i1); + uint64_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, (uint64_t)0U, res_i2); + uint64_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, (uint64_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint64_t t1 = a1[i]; + uint64_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i); + } + uint64_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u64(len, + nBits, + n, + a, + (uint32_t)64U * len, + n2, + res); + } + else + { + memset(res, 0U, len * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be `len` limbs in size, i.e. uint64_t[len]. 
+ + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum64_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 +*Hacl_Bignum64_mont_ctx_init(uint32_t len, uint64_t *n) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *r2 = KRML_HOST_CALLOC(len, sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *n1 = KRML_HOST_CALLOC(len, sizeof (uint64_t)); + uint64_t *r21 = r2; + uint64_t *n11 = n1; + memcpy(n11, n, len * sizeof (uint64_t)); + uint32_t nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64(len, n); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64(len, nBits, n, r21); + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 res = { .len = len, .n = n11, .mu = mu, .r2 = r21 }; + KRML_CHECK_SIZE(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64), (uint32_t)1U); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 + *buf = KRML_HOST_MALLOC(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64)); + buf[0U] = res; + return buf; +} + +/* +Deallocate the memory previously allocated by Hacl_Bignum64_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init. +*/ +void Hacl_Bignum64_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + uint64_t *n = k1.n; + uint64_t *r2 = k1.r2; + KRML_HOST_FREE(n); + KRML_HOST_FREE(r2); + KRML_HOST_FREE(k); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be `2*len` limbs in size, i.e. uint64_t[2*len]. + The outparam res is meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init. 
+*/ +void +Hacl_Bignum64_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k10 = *k; + uint32_t len1 = k10.len; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + bn_slow_precomp(len1, k1.n, k1.mu, k1.r2, a, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum64_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k10 = *k; + uint32_t len1 = k10.len; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64(len1, + k1.n, + k1.mu, + k1.r2, + a, + bBits, + b, + res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. 
When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum64_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k10 = *k; + uint32_t len1 = k10.len; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u64(len1, + k1.n, + k1.mu, + k1.r2, + a, + bBits, + b, + res); +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum64_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k10 = *k; + uint32_t len1 = k10.len; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + KRML_CHECK_SIZE(sizeof (uint64_t), len1); + uint64_t n2[len1]; + memset(n2, 0U, len1 * sizeof (uint64_t)); + uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, k1.n[0U], (uint64_t)2U, n2); + uint64_t c1; + if ((uint32_t)1U < len1) + { + uint32_t rLen = len1 - (uint32_t)1U; + uint64_t *a1 = k1.n + (uint32_t)1U; + uint64_t *res1 = n2 + (uint32_t)1U; + uint64_t c = c0; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint64_t t1 = a1[(uint32_t)4U * i]; + uint64_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i0); + uint64_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, (uint64_t)0U, res_i1); + uint64_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, (uint64_t)0U, res_i2); + uint64_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, (uint64_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint64_t t1 = a1[i]; + uint64_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i); + } + uint64_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64(len1, + k1.n, + k1.mu, + k1.r2, + a, + (uint32_t)64U * len1, + n2, + res); +} + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load 
a bid-endian bignum from memory. + + The argument b points to `len` bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint64_t *Hacl_Bignum64_new_bn_from_bytes_be(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U <= (uint32_t)536870911U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint64_t), (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U); + uint64_t + *res = KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U, sizeof (uint64_t)); + if (res == NULL) + { + return res; + } + uint64_t *res1 = res; + uint64_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + uint64_t *os = res2; + uint64_t u = load64_be(tmp + (bnLen - i - (uint32_t)1U) * (uint32_t)8U); + uint64_t x = u; + os[i] = x; + } + return res2; +} + +/* +Load a little-endian bignum from memory. + + The argument b points to `len` bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. 
+*/ +uint64_t *Hacl_Bignum64_new_bn_from_bytes_le(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U <= (uint32_t)536870911U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint64_t), (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U); + uint64_t + *res = KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U, sizeof (uint64_t)); + if (res == NULL) + { + return res; + } + uint64_t *res1 = res; + uint64_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp, b, len * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; i++) + { + uint64_t *os = res2; + uint8_t *bj = tmp + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r1 = u; + uint64_t x = r1; + os[i] = x; + } + return res2; +} + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a bignum of ⌈len / 8⌉ size. + The outparam res points to `len` bytes of valid memory. +*/ +void Hacl_Bignum64_bn_to_bytes_be(uint32_t len, uint64_t *b, uint8_t *res) +{ + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + uint32_t numb = (uint32_t)8U; + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + store64_be(tmp + i * numb, b[bnLen - i - (uint32_t)1U]); + } + memcpy(res, tmp + tmpLen - len, len * sizeof (uint8_t)); +} + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a bignum of ⌈len / 8⌉ size. + The outparam res points to `len` bytes of valid memory. 
+*/ +void Hacl_Bignum64_bn_to_bytes_le(uint32_t len, uint64_t *b, uint8_t *res) +{ + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + store64_le(tmp + i * (uint32_t)8U, b[i]); + } + memcpy(res, tmp, len * sizeof (uint8_t)); +} + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^64 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint64_t[len]. +*/ +uint64_t Hacl_Bignum64_lt_mask(uint32_t len, uint64_t *a, uint64_t *b) +{ + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(a[i], b[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(a[i], b[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + return acc; +} + +/* +Returns 2^64 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint64_t[len]. +*/ +uint64_t Hacl_Bignum64_eq_mask(uint32_t len, uint64_t *a, uint64_t *b) +{ + uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t uu____0 = FStar_UInt64_eq_mask(a[i], b[i]); + mask = uu____0 & mask; + } + uint64_t mask1 = mask; + return mask1; +} + diff --git a/src/Hacl_Chacha20.c b/src/Hacl_Chacha20.c new file mode 100644 index 00000000..56f54cc6 --- /dev/null +++ b/src/Hacl_Chacha20.c 
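Review bot: Hacl_Bignum64_mont_ctx_init never checks the three allocations it makes — the two KRML_HOST_CALLOC results go straight into memcpy and the Montgomery precomputation, and the KRML_HOST_MALLOC result is written through with `buf[0U] = res` — whereas Hacl_Bignum64_new_bn_from_bytes_be in the same hunk does test `res == NULL`. If KRML_HOST_CALLOC/KRML_HOST_MALLOC map to plain calloc/malloc, as that existing check suggests, an allocation failure turns into a NULL write inside a public API whose `len` comes from the caller. The rewrite below releases whatever was obtained and returns NULL, and the header comment should then say "or NULL if allocation failed", matching the wording of the load functions. Since this is extracted code, the change belongs in the source it is generated from rather than in this file alone. Separately, `c1` in Hacl_Bignum64_mod_inv_prime_vartime and in the _precomp variant is assigned on both branches but never read.
```c
  uint64_t *n1 = KRML_HOST_CALLOC(len, sizeof (uint64_t));
  if (r2 == NULL || n1 == NULL)
  {
    KRML_HOST_FREE(r2);
    KRML_HOST_FREE(n1);
    return NULL;
  }
  /* … unchanged: copy of n, nBits, r2 precomputation, mu, res … */
  *buf = KRML_HOST_MALLOC(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64));
  if (buf == NULL)
  {
    KRML_HOST_FREE(r21);
    KRML_HOST_FREE(n11);
    return NULL;
  }
  buf[0U] = res;
  return buf;
```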
@@ -0,0 +1,237 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Chacha20.h" + + + +const +uint32_t +Hacl_Impl_Chacha20_Vec_chacha20_constants[4U] = + { (uint32_t)0x61707865U, (uint32_t)0x3320646eU, (uint32_t)0x79622d32U, (uint32_t)0x6b206574U }; + +static inline void quarter_round(uint32_t *st, uint32_t a, uint32_t b, uint32_t c, uint32_t d) +{ + uint32_t sta = st[a]; + uint32_t stb0 = st[b]; + uint32_t std0 = st[d]; + uint32_t sta10 = sta + stb0; + uint32_t std10 = std0 ^ sta10; + uint32_t std2 = std10 << (uint32_t)16U | std10 >> (uint32_t)16U; + st[a] = sta10; + st[d] = std2; + uint32_t sta0 = st[c]; + uint32_t stb1 = st[d]; + uint32_t std3 = st[b]; + uint32_t sta11 = sta0 + stb1; + uint32_t std11 = std3 ^ sta11; + uint32_t std20 = std11 << (uint32_t)12U | std11 >> (uint32_t)20U; + st[c] = sta11; + st[b] = std20; + uint32_t sta2 = st[a]; + uint32_t stb2 = st[b]; + uint32_t std4 = st[d]; + uint32_t sta12 = sta2 + stb2; + uint32_t std12 = std4 ^ sta12; + uint32_t std21 = std12 << (uint32_t)8U | std12 >> (uint32_t)24U; + st[a] = sta12; + st[d] = std21; + uint32_t sta3 = st[c]; + uint32_t stb = st[d]; + uint32_t std = st[b]; + uint32_t sta1 = sta3 + stb; + uint32_t std1 = std ^ sta1; + uint32_t std22 = std1 << (uint32_t)7U | std1 >> (uint32_t)25U; + st[c] = sta1; + st[b] = std22; +} + +static inline void double_round(uint32_t *st) +{ + quarter_round(st, (uint32_t)0U, (uint32_t)4U, (uint32_t)8U, (uint32_t)12U); + quarter_round(st, (uint32_t)1U, (uint32_t)5U, (uint32_t)9U, (uint32_t)13U); + quarter_round(st, (uint32_t)2U, (uint32_t)6U, (uint32_t)10U, (uint32_t)14U); + quarter_round(st, (uint32_t)3U, (uint32_t)7U, (uint32_t)11U, (uint32_t)15U); + quarter_round(st, (uint32_t)0U, (uint32_t)5U, (uint32_t)10U, (uint32_t)15U); + quarter_round(st, (uint32_t)1U, (uint32_t)6U, (uint32_t)11U, (uint32_t)12U); + quarter_round(st, (uint32_t)2U, (uint32_t)7U, (uint32_t)8U, (uint32_t)13U); + quarter_round(st, (uint32_t)3U, (uint32_t)4U, (uint32_t)9U, (uint32_t)14U); +} + +static inline void rounds(uint32_t *st) 
+{ + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); +} + +static inline void chacha20_core(uint32_t *k, uint32_t *ctx, uint32_t ctr) +{ + memcpy(k, ctx, (uint32_t)16U * sizeof (uint32_t)); + uint32_t ctr_u32 = ctr; + k[12U] = k[12U] + ctr_u32; + rounds(k); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = k; + uint32_t x = k[i] + ctx[i]; + os[i] = x; + } + k[12U] = k[12U] + ctr_u32; +} + +static const +uint32_t +chacha20_constants[4U] = + { (uint32_t)0x61707865U, (uint32_t)0x3320646eU, (uint32_t)0x79622d32U, (uint32_t)0x6b206574U }; + +void Hacl_Impl_Chacha20_chacha20_init(uint32_t *ctx, uint8_t *k, uint8_t *n, uint32_t ctr) +{ + uint32_t *uu____0 = ctx; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = uu____0; + uint32_t x = chacha20_constants[i]; + os[i] = x; + } + uint32_t *uu____1 = ctx + (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = uu____1; + uint8_t *bj = k + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + ctx[12U] = ctr; + uint32_t *uu____2 = ctx + (uint32_t)13U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)3U; i++) + { + uint32_t *os = uu____2; + uint8_t *bj = n + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } +} + +void +Hacl_Impl_Chacha20_chacha20_encrypt_block( + uint32_t *ctx, + uint8_t *out, + uint32_t incr, + uint8_t *text +) +{ + uint32_t k[16U] = { 0U }; + chacha20_core(k, ctx, incr); + uint32_t bl[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint8_t *bj = text + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t 
*os = bl; + uint32_t x = bl[i] ^ k[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + store32_le(out + i * (uint32_t)4U, bl[i]); + } +} + +static inline void +chacha20_encrypt_last(uint32_t *ctx, uint32_t len, uint8_t *out, uint32_t incr, uint8_t *text) +{ + uint8_t plain[64U] = { 0U }; + memcpy(plain, text, len * sizeof (uint8_t)); + Hacl_Impl_Chacha20_chacha20_encrypt_block(ctx, plain, incr, plain); + memcpy(out, plain, len * sizeof (uint8_t)); +} + +void +Hacl_Impl_Chacha20_chacha20_update(uint32_t *ctx, uint32_t len, uint8_t *out, uint8_t *text) +{ + uint32_t rem = len % (uint32_t)64U; + uint32_t nb = len / (uint32_t)64U; + uint32_t rem1 = len % (uint32_t)64U; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + Hacl_Impl_Chacha20_chacha20_encrypt_block(ctx, + out + i * (uint32_t)64U, + i, + text + i * (uint32_t)64U); + } + if (rem1 > (uint32_t)0U) + { + chacha20_encrypt_last(ctx, rem, out + nb * (uint32_t)64U, nb, text + nb * (uint32_t)64U); + } +} + +void +Hacl_Chacha20_chacha20_encrypt( + uint32_t len, + uint8_t *out, + uint8_t *text, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + uint32_t ctx[16U] = { 0U }; + Hacl_Impl_Chacha20_chacha20_init(ctx, key, n, ctr); + Hacl_Impl_Chacha20_chacha20_update(ctx, len, out, text); +} + +void +Hacl_Chacha20_chacha20_decrypt( + uint32_t len, + uint8_t *out, + uint8_t *cipher, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + uint32_t ctx[16U] = { 0U }; + Hacl_Impl_Chacha20_chacha20_init(ctx, key, n, ctr); + Hacl_Impl_Chacha20_chacha20_update(ctx, len, out, cipher); +} + diff --git a/src/Hacl_Chacha20Poly1305_128.c b/src/Hacl_Chacha20Poly1305_128.c new file mode 100644 index 00000000..fb8a419d --- /dev/null +++ b/src/Hacl_Chacha20Poly1305_128.c 
@@ -0,0 +1,1195 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Chacha20Poly1305_128.h" + +#include "internal/Hacl_Poly1305_128.h" +#include "internal/Hacl_Kremlib.h" + +static inline void +poly1305_padded_128(Lib_IntVector_Intrinsics_vec128 *ctx, uint32_t len, uint8_t *text) +{ + uint32_t n = len / (uint32_t)16U; + uint32_t r = len % (uint32_t)16U; + uint8_t *blocks = text; + uint8_t *rem = text + n * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec128 *pre0 = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 *acc0 = ctx; + uint32_t sz_block = (uint32_t)32U; + uint32_t len0 = n * (uint32_t)16U / sz_block * sz_block; + uint8_t *t00 = blocks; + if (len0 > (uint32_t)0U) + { + uint32_t bs = (uint32_t)32U; + uint8_t *text0 = t00; + Hacl_Impl_Poly1305_Field32xN_128_load_acc2(acc0, text0); + uint32_t len1 = len0 - bs; + uint8_t *text1 = t00 + bs; + uint32_t nb = len1 / bs; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = text1 + i * bs; + Lib_IntVector_Intrinsics_vec128 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + Lib_IntVector_Intrinsics_vec128 b1 = Lib_IntVector_Intrinsics_vec128_load64_le(block); + Lib_IntVector_Intrinsics_vec128 + b2 = Lib_IntVector_Intrinsics_vec128_load64_le(block + (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 lo = Lib_IntVector_Intrinsics_vec128_interleave_low64(b1, b2); + Lib_IntVector_Intrinsics_vec128 + hi = Lib_IntVector_Intrinsics_vec128_interleave_high64(b1, b2); + Lib_IntVector_Intrinsics_vec128 + f00 = + Lib_IntVector_Intrinsics_vec128_and(lo, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f15 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(lo, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f25 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(lo, + (uint32_t)52U), + 
Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(hi, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(hi, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(hi, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f0 = f00; + Lib_IntVector_Intrinsics_vec128 f1 = f15; + Lib_IntVector_Intrinsics_vec128 f2 = f25; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f41 = f40; + e[0U] = f0; + e[1U] = f1; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b); + Lib_IntVector_Intrinsics_vec128 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec128_or(f4, mask); + Lib_IntVector_Intrinsics_vec128 *rn = pre0 + (uint32_t)10U; + Lib_IntVector_Intrinsics_vec128 *rn5 = pre0 + (uint32_t)15U; + Lib_IntVector_Intrinsics_vec128 r0 = rn[0U]; + Lib_IntVector_Intrinsics_vec128 r1 = rn[1U]; + Lib_IntVector_Intrinsics_vec128 r2 = rn[2U]; + Lib_IntVector_Intrinsics_vec128 r3 = rn[3U]; + Lib_IntVector_Intrinsics_vec128 r4 = rn[4U]; + Lib_IntVector_Intrinsics_vec128 r51 = rn5[1U]; + Lib_IntVector_Intrinsics_vec128 r52 = rn5[2U]; + Lib_IntVector_Intrinsics_vec128 r53 = rn5[3U]; + Lib_IntVector_Intrinsics_vec128 r54 = rn5[4U]; + Lib_IntVector_Intrinsics_vec128 f10 = acc0[0U]; + Lib_IntVector_Intrinsics_vec128 f110 = acc0[1U]; + Lib_IntVector_Intrinsics_vec128 f120 = acc0[2U]; + Lib_IntVector_Intrinsics_vec128 f130 = acc0[3U]; + Lib_IntVector_Intrinsics_vec128 f140 = acc0[4U]; + Lib_IntVector_Intrinsics_vec128 a0 = Lib_IntVector_Intrinsics_vec128_mul64(r0, f10); + Lib_IntVector_Intrinsics_vec128 a1 = Lib_IntVector_Intrinsics_vec128_mul64(r1, f10); + 
Lib_IntVector_Intrinsics_vec128 a2 = Lib_IntVector_Intrinsics_vec128_mul64(r2, f10); + Lib_IntVector_Intrinsics_vec128 a3 = Lib_IntVector_Intrinsics_vec128_mul64(r3, f10); + Lib_IntVector_Intrinsics_vec128 a4 = Lib_IntVector_Intrinsics_vec128_mul64(r4, f10); + Lib_IntVector_Intrinsics_vec128 + a01 = + Lib_IntVector_Intrinsics_vec128_add64(a0, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f110)); + Lib_IntVector_Intrinsics_vec128 + a11 = + Lib_IntVector_Intrinsics_vec128_add64(a1, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f110)); + Lib_IntVector_Intrinsics_vec128 + a21 = + Lib_IntVector_Intrinsics_vec128_add64(a2, + Lib_IntVector_Intrinsics_vec128_mul64(r1, f110)); + Lib_IntVector_Intrinsics_vec128 + a31 = + Lib_IntVector_Intrinsics_vec128_add64(a3, + Lib_IntVector_Intrinsics_vec128_mul64(r2, f110)); + Lib_IntVector_Intrinsics_vec128 + a41 = + Lib_IntVector_Intrinsics_vec128_add64(a4, + Lib_IntVector_Intrinsics_vec128_mul64(r3, f110)); + Lib_IntVector_Intrinsics_vec128 + a02 = + Lib_IntVector_Intrinsics_vec128_add64(a01, + Lib_IntVector_Intrinsics_vec128_mul64(r53, f120)); + Lib_IntVector_Intrinsics_vec128 + a12 = + Lib_IntVector_Intrinsics_vec128_add64(a11, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f120)); + Lib_IntVector_Intrinsics_vec128 + a22 = + Lib_IntVector_Intrinsics_vec128_add64(a21, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f120)); + Lib_IntVector_Intrinsics_vec128 + a32 = + Lib_IntVector_Intrinsics_vec128_add64(a31, + Lib_IntVector_Intrinsics_vec128_mul64(r1, f120)); + Lib_IntVector_Intrinsics_vec128 + a42 = + Lib_IntVector_Intrinsics_vec128_add64(a41, + Lib_IntVector_Intrinsics_vec128_mul64(r2, f120)); + Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r52, f130)); + Lib_IntVector_Intrinsics_vec128 + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r53, f130)); + Lib_IntVector_Intrinsics_vec128 + a23 = + 
Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f130)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f130)); + Lib_IntVector_Intrinsics_vec128 + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r1, f130)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r51, f140)); + Lib_IntVector_Intrinsics_vec128 + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r52, f140)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r53, f140)); + Lib_IntVector_Intrinsics_vec128 + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f140)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f140)); + Lib_IntVector_Intrinsics_vec128 t01 = a04; + Lib_IntVector_Intrinsics_vec128 t1 = a14; + Lib_IntVector_Intrinsics_vec128 t2 = a24; + Lib_IntVector_Intrinsics_vec128 t3 = a34; + Lib_IntVector_Intrinsics_vec128 t4 = a44; + Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t01, mask26); + Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t1, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 
+ z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + Lib_IntVector_Intrinsics_vec128 o00 = x02; + Lib_IntVector_Intrinsics_vec128 o10 = x12; + Lib_IntVector_Intrinsics_vec128 o20 = x21; + Lib_IntVector_Intrinsics_vec128 o30 = x32; + Lib_IntVector_Intrinsics_vec128 o40 = x42; + acc0[0U] = o00; + acc0[1U] = o10; + acc0[2U] = o20; + acc0[3U] = o30; + acc0[4U] = o40; + Lib_IntVector_Intrinsics_vec128 f100 = acc0[0U]; + Lib_IntVector_Intrinsics_vec128 f11 = 
acc0[1U]; + Lib_IntVector_Intrinsics_vec128 f12 = acc0[2U]; + Lib_IntVector_Intrinsics_vec128 f13 = acc0[3U]; + Lib_IntVector_Intrinsics_vec128 f14 = acc0[4U]; + Lib_IntVector_Intrinsics_vec128 f20 = e[0U]; + Lib_IntVector_Intrinsics_vec128 f21 = e[1U]; + Lib_IntVector_Intrinsics_vec128 f22 = e[2U]; + Lib_IntVector_Intrinsics_vec128 f23 = e[3U]; + Lib_IntVector_Intrinsics_vec128 f24 = e[4U]; + Lib_IntVector_Intrinsics_vec128 o0 = Lib_IntVector_Intrinsics_vec128_add64(f100, f20); + Lib_IntVector_Intrinsics_vec128 o1 = Lib_IntVector_Intrinsics_vec128_add64(f11, f21); + Lib_IntVector_Intrinsics_vec128 o2 = Lib_IntVector_Intrinsics_vec128_add64(f12, f22); + Lib_IntVector_Intrinsics_vec128 o3 = Lib_IntVector_Intrinsics_vec128_add64(f13, f23); + Lib_IntVector_Intrinsics_vec128 o4 = Lib_IntVector_Intrinsics_vec128_add64(f14, f24); + acc0[0U] = o0; + acc0[1U] = o1; + acc0[2U] = o2; + acc0[3U] = o3; + acc0[4U] = o4; + } + Hacl_Impl_Poly1305_Field32xN_128_fmul_r2_normalize(acc0, pre0); + } + uint32_t len1 = n * (uint32_t)16U - len0; + uint8_t *t10 = blocks + len0; + uint32_t nb = len1 / (uint32_t)16U; + uint32_t rem1 = len1 % (uint32_t)16U; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = t10 + i * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec128 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + uint64_t u0 = load64_le(block); + uint64_t lo = u0; + uint64_t u = load64_le(block + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec128 f0 = Lib_IntVector_Intrinsics_vec128_load64(lo); + Lib_IntVector_Intrinsics_vec128 f1 = Lib_IntVector_Intrinsics_vec128_load64(hi); + Lib_IntVector_Intrinsics_vec128 + f010 = + Lib_IntVector_Intrinsics_vec128_and(f0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f110 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)26U), + 
Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f20 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(f1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f01 = f010; + Lib_IntVector_Intrinsics_vec128 f111 = f110; + Lib_IntVector_Intrinsics_vec128 f2 = f20; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b); + Lib_IntVector_Intrinsics_vec128 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec128_or(f4, mask); + Lib_IntVector_Intrinsics_vec128 *r1 = pre0; + Lib_IntVector_Intrinsics_vec128 *r5 = pre0 + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 r0 = r1[0U]; + Lib_IntVector_Intrinsics_vec128 r11 = r1[1U]; + Lib_IntVector_Intrinsics_vec128 r2 = r1[2U]; + Lib_IntVector_Intrinsics_vec128 r3 = r1[3U]; + Lib_IntVector_Intrinsics_vec128 r4 = r1[4U]; + Lib_IntVector_Intrinsics_vec128 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec128 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec128 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec128 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec128 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec128 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec128 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec128 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec128 f14 = e[4U]; + 
Lib_IntVector_Intrinsics_vec128 a0 = acc0[0U]; + Lib_IntVector_Intrinsics_vec128 a1 = acc0[1U]; + Lib_IntVector_Intrinsics_vec128 a2 = acc0[2U]; + Lib_IntVector_Intrinsics_vec128 a3 = acc0[3U]; + Lib_IntVector_Intrinsics_vec128 a4 = acc0[4U]; + Lib_IntVector_Intrinsics_vec128 a01 = Lib_IntVector_Intrinsics_vec128_add64(a0, f10); + Lib_IntVector_Intrinsics_vec128 a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, f11); + Lib_IntVector_Intrinsics_vec128 a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, f12); + Lib_IntVector_Intrinsics_vec128 a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, f13); + Lib_IntVector_Intrinsics_vec128 a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, f14); + Lib_IntVector_Intrinsics_vec128 a02 = Lib_IntVector_Intrinsics_vec128_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec128 a12 = Lib_IntVector_Intrinsics_vec128_mul64(r11, a01); + Lib_IntVector_Intrinsics_vec128 a22 = Lib_IntVector_Intrinsics_vec128_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec128 a32 = Lib_IntVector_Intrinsics_vec128_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec128 a42 = Lib_IntVector_Intrinsics_vec128_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec128 + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec128 + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r11, a11)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec128 + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec128 + a14 = + 
Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec128 + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r11, a21)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec128 + a05 = + Lib_IntVector_Intrinsics_vec128_add64(a04, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec128 + a15 = + Lib_IntVector_Intrinsics_vec128_add64(a14, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec128 + a25 = + Lib_IntVector_Intrinsics_vec128_add64(a24, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec128 + a35 = + Lib_IntVector_Intrinsics_vec128_add64(a34, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec128 + a45 = + Lib_IntVector_Intrinsics_vec128_add64(a44, + Lib_IntVector_Intrinsics_vec128_mul64(r11, a31)); + Lib_IntVector_Intrinsics_vec128 + a06 = + Lib_IntVector_Intrinsics_vec128_add64(a05, + Lib_IntVector_Intrinsics_vec128_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec128 + a16 = + Lib_IntVector_Intrinsics_vec128_add64(a15, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec128 + a26 = + Lib_IntVector_Intrinsics_vec128_add64(a25, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec128 + a36 = + Lib_IntVector_Intrinsics_vec128_add64(a35, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec128 + a46 = + Lib_IntVector_Intrinsics_vec128_add64(a45, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec128 t01 = a06; + Lib_IntVector_Intrinsics_vec128 t11 = a16; + 
Lib_IntVector_Intrinsics_vec128 t2 = a26; + Lib_IntVector_Intrinsics_vec128 t3 = a36; + Lib_IntVector_Intrinsics_vec128 t4 = a46; + Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t01, mask26); + Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t11, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 x31 = 
Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + Lib_IntVector_Intrinsics_vec128 o0 = x02; + Lib_IntVector_Intrinsics_vec128 o1 = x12; + Lib_IntVector_Intrinsics_vec128 o2 = x21; + Lib_IntVector_Intrinsics_vec128 o3 = x32; + Lib_IntVector_Intrinsics_vec128 o4 = x42; + acc0[0U] = o0; + acc0[1U] = o1; + acc0[2U] = o2; + acc0[3U] = o3; + acc0[4U] = o4; + } + if (rem1 > (uint32_t)0U) + { + uint8_t *last = t10 + nb * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec128 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + uint8_t tmp[16U] = { 0U }; + memcpy(tmp, last, rem1 * sizeof (uint8_t)); + uint64_t u0 = load64_le(tmp); + uint64_t lo = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec128 f0 = Lib_IntVector_Intrinsics_vec128_load64(lo); + Lib_IntVector_Intrinsics_vec128 f1 = Lib_IntVector_Intrinsics_vec128_load64(hi); + Lib_IntVector_Intrinsics_vec128 + f010 = + Lib_IntVector_Intrinsics_vec128_and(f0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f110 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f20 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(f1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + 
Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f01 = f010; + Lib_IntVector_Intrinsics_vec128 f111 = f110; + Lib_IntVector_Intrinsics_vec128 f2 = f20; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f4 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f4; + uint64_t b = (uint64_t)1U << rem1 * (uint32_t)8U % (uint32_t)26U; + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b); + Lib_IntVector_Intrinsics_vec128 fi = e[rem1 * (uint32_t)8U / (uint32_t)26U]; + e[rem1 * (uint32_t)8U / (uint32_t)26U] = Lib_IntVector_Intrinsics_vec128_or(fi, mask); + Lib_IntVector_Intrinsics_vec128 *r1 = pre0; + Lib_IntVector_Intrinsics_vec128 *r5 = pre0 + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 r0 = r1[0U]; + Lib_IntVector_Intrinsics_vec128 r11 = r1[1U]; + Lib_IntVector_Intrinsics_vec128 r2 = r1[2U]; + Lib_IntVector_Intrinsics_vec128 r3 = r1[3U]; + Lib_IntVector_Intrinsics_vec128 r4 = r1[4U]; + Lib_IntVector_Intrinsics_vec128 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec128 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec128 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec128 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec128 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec128 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec128 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec128 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec128 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec128 a0 = acc0[0U]; + Lib_IntVector_Intrinsics_vec128 a1 = acc0[1U]; + Lib_IntVector_Intrinsics_vec128 a2 = acc0[2U]; + Lib_IntVector_Intrinsics_vec128 a3 = acc0[3U]; + Lib_IntVector_Intrinsics_vec128 a4 = acc0[4U]; + Lib_IntVector_Intrinsics_vec128 a01 = 
Lib_IntVector_Intrinsics_vec128_add64(a0, f10); + Lib_IntVector_Intrinsics_vec128 a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, f11); + Lib_IntVector_Intrinsics_vec128 a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, f12); + Lib_IntVector_Intrinsics_vec128 a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, f13); + Lib_IntVector_Intrinsics_vec128 a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, f14); + Lib_IntVector_Intrinsics_vec128 a02 = Lib_IntVector_Intrinsics_vec128_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec128 a12 = Lib_IntVector_Intrinsics_vec128_mul64(r11, a01); + Lib_IntVector_Intrinsics_vec128 a22 = Lib_IntVector_Intrinsics_vec128_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec128 a32 = Lib_IntVector_Intrinsics_vec128_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec128 a42 = Lib_IntVector_Intrinsics_vec128_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec128 + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec128 + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r11, a11)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec128 + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec128 + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec128 + a34 = + 
Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r11, a21)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec128 + a05 = + Lib_IntVector_Intrinsics_vec128_add64(a04, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec128 + a15 = + Lib_IntVector_Intrinsics_vec128_add64(a14, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec128 + a25 = + Lib_IntVector_Intrinsics_vec128_add64(a24, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec128 + a35 = + Lib_IntVector_Intrinsics_vec128_add64(a34, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec128 + a45 = + Lib_IntVector_Intrinsics_vec128_add64(a44, + Lib_IntVector_Intrinsics_vec128_mul64(r11, a31)); + Lib_IntVector_Intrinsics_vec128 + a06 = + Lib_IntVector_Intrinsics_vec128_add64(a05, + Lib_IntVector_Intrinsics_vec128_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec128 + a16 = + Lib_IntVector_Intrinsics_vec128_add64(a15, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec128 + a26 = + Lib_IntVector_Intrinsics_vec128_add64(a25, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec128 + a36 = + Lib_IntVector_Intrinsics_vec128_add64(a35, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec128 + a46 = + Lib_IntVector_Intrinsics_vec128_add64(a45, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec128 t01 = a06; + Lib_IntVector_Intrinsics_vec128 t11 = a16; + Lib_IntVector_Intrinsics_vec128 t2 = a26; + Lib_IntVector_Intrinsics_vec128 t3 = a36; + Lib_IntVector_Intrinsics_vec128 t4 = a46; + Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + z0 = 
Lib_IntVector_Intrinsics_vec128_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t01, mask26); + Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t11, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + 
Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + Lib_IntVector_Intrinsics_vec128 o0 = x02; + Lib_IntVector_Intrinsics_vec128 o1 = x12; + Lib_IntVector_Intrinsics_vec128 o2 = x21; + Lib_IntVector_Intrinsics_vec128 o3 = x32; + Lib_IntVector_Intrinsics_vec128 o4 = x42; + acc0[0U] = o0; + acc0[1U] = o1; + acc0[2U] = o2; + acc0[3U] = o3; + acc0[4U] = o4; + } + uint8_t tmp[16U] = { 0U }; + memcpy(tmp, rem, r * sizeof (uint8_t)); + if (r > (uint32_t)0U) + { + Lib_IntVector_Intrinsics_vec128 *pre = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 *acc = ctx; + Lib_IntVector_Intrinsics_vec128 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + uint64_t u0 = load64_le(tmp); + uint64_t lo = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec128 f0 = Lib_IntVector_Intrinsics_vec128_load64(lo); + Lib_IntVector_Intrinsics_vec128 f1 = Lib_IntVector_Intrinsics_vec128_load64(hi); + Lib_IntVector_Intrinsics_vec128 + f010 = + Lib_IntVector_Intrinsics_vec128_and(f0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f110 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f20 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(f1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f1, + (uint32_t)14U), + 
Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f01 = f010; + Lib_IntVector_Intrinsics_vec128 f111 = f110; + Lib_IntVector_Intrinsics_vec128 f2 = f20; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b); + Lib_IntVector_Intrinsics_vec128 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec128_or(f4, mask); + Lib_IntVector_Intrinsics_vec128 *r1 = pre; + Lib_IntVector_Intrinsics_vec128 *r5 = pre + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 r0 = r1[0U]; + Lib_IntVector_Intrinsics_vec128 r11 = r1[1U]; + Lib_IntVector_Intrinsics_vec128 r2 = r1[2U]; + Lib_IntVector_Intrinsics_vec128 r3 = r1[3U]; + Lib_IntVector_Intrinsics_vec128 r4 = r1[4U]; + Lib_IntVector_Intrinsics_vec128 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec128 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec128 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec128 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec128 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec128 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec128 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec128 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec128 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec128 a0 = acc[0U]; + Lib_IntVector_Intrinsics_vec128 a1 = acc[1U]; + Lib_IntVector_Intrinsics_vec128 a2 = acc[2U]; + Lib_IntVector_Intrinsics_vec128 a3 = acc[3U]; + Lib_IntVector_Intrinsics_vec128 a4 = acc[4U]; + Lib_IntVector_Intrinsics_vec128 a01 = Lib_IntVector_Intrinsics_vec128_add64(a0, f10); + Lib_IntVector_Intrinsics_vec128 a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, f11); + Lib_IntVector_Intrinsics_vec128 a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, f12); + Lib_IntVector_Intrinsics_vec128 
a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, f13); + Lib_IntVector_Intrinsics_vec128 a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, f14); + Lib_IntVector_Intrinsics_vec128 a02 = Lib_IntVector_Intrinsics_vec128_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec128 a12 = Lib_IntVector_Intrinsics_vec128_mul64(r11, a01); + Lib_IntVector_Intrinsics_vec128 a22 = Lib_IntVector_Intrinsics_vec128_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec128 a32 = Lib_IntVector_Intrinsics_vec128_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec128 a42 = Lib_IntVector_Intrinsics_vec128_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec128 + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec128 + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r11, a11)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec128 + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec128 + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec128 + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r11, a21)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a21)); + 
Lib_IntVector_Intrinsics_vec128 + a05 = + Lib_IntVector_Intrinsics_vec128_add64(a04, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec128 + a15 = + Lib_IntVector_Intrinsics_vec128_add64(a14, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec128 + a25 = + Lib_IntVector_Intrinsics_vec128_add64(a24, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec128 + a35 = + Lib_IntVector_Intrinsics_vec128_add64(a34, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec128 + a45 = + Lib_IntVector_Intrinsics_vec128_add64(a44, + Lib_IntVector_Intrinsics_vec128_mul64(r11, a31)); + Lib_IntVector_Intrinsics_vec128 + a06 = + Lib_IntVector_Intrinsics_vec128_add64(a05, + Lib_IntVector_Intrinsics_vec128_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec128 + a16 = + Lib_IntVector_Intrinsics_vec128_add64(a15, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec128 + a26 = + Lib_IntVector_Intrinsics_vec128_add64(a25, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec128 + a36 = + Lib_IntVector_Intrinsics_vec128_add64(a35, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec128 + a46 = + Lib_IntVector_Intrinsics_vec128_add64(a45, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec128 t0 = a06; + Lib_IntVector_Intrinsics_vec128 t1 = a16; + Lib_IntVector_Intrinsics_vec128 t2 = a26; + Lib_IntVector_Intrinsics_vec128 t3 = a36; + Lib_IntVector_Intrinsics_vec128 t4 = a46; + Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x0 = 
Lib_IntVector_Intrinsics_vec128_and(t0, mask26); + Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t1, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + Lib_IntVector_Intrinsics_vec128 o0 = x02; + 
Lib_IntVector_Intrinsics_vec128 o1 = x12; + Lib_IntVector_Intrinsics_vec128 o2 = x21; + Lib_IntVector_Intrinsics_vec128 o3 = x32; + Lib_IntVector_Intrinsics_vec128 o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + return; + } +} + +static inline void +poly1305_do_128( + uint8_t *k, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *out +) +{ + Lib_IntVector_Intrinsics_vec128 ctx[25U]; + for (uint32_t _i = 0U; _i < (uint32_t)25U; ++_i) + ctx[_i] = Lib_IntVector_Intrinsics_vec128_zero; + uint8_t block[16U] = { 0U }; + Hacl_Poly1305_128_poly1305_init(ctx, k); + if (aadlen != (uint32_t)0U) + { + poly1305_padded_128(ctx, aadlen, aad); + } + if (mlen != (uint32_t)0U) + { + poly1305_padded_128(ctx, mlen, m); + } + store64_le(block, (uint64_t)aadlen); + store64_le(block + (uint32_t)8U, (uint64_t)mlen); + Lib_IntVector_Intrinsics_vec128 *pre = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 *acc = ctx; + Lib_IntVector_Intrinsics_vec128 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + uint64_t u0 = load64_le(block); + uint64_t lo = u0; + uint64_t u = load64_le(block + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec128 f0 = Lib_IntVector_Intrinsics_vec128_load64(lo); + Lib_IntVector_Intrinsics_vec128 f1 = Lib_IntVector_Intrinsics_vec128_load64(hi); + Lib_IntVector_Intrinsics_vec128 + f010 = + Lib_IntVector_Intrinsics_vec128_and(f0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f110 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f20 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)52U), + 
Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(f1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f01 = f010; + Lib_IntVector_Intrinsics_vec128 f111 = f110; + Lib_IntVector_Intrinsics_vec128 f2 = f20; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b); + Lib_IntVector_Intrinsics_vec128 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec128_or(f4, mask); + Lib_IntVector_Intrinsics_vec128 *r = pre; + Lib_IntVector_Intrinsics_vec128 *r5 = pre + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 r0 = r[0U]; + Lib_IntVector_Intrinsics_vec128 r1 = r[1U]; + Lib_IntVector_Intrinsics_vec128 r2 = r[2U]; + Lib_IntVector_Intrinsics_vec128 r3 = r[3U]; + Lib_IntVector_Intrinsics_vec128 r4 = r[4U]; + Lib_IntVector_Intrinsics_vec128 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec128 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec128 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec128 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec128 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec128 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec128 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec128 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec128 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec128 a0 = acc[0U]; + Lib_IntVector_Intrinsics_vec128 a1 = acc[1U]; + Lib_IntVector_Intrinsics_vec128 a2 = acc[2U]; + Lib_IntVector_Intrinsics_vec128 a3 = acc[3U]; + Lib_IntVector_Intrinsics_vec128 a4 
= acc[4U]; + Lib_IntVector_Intrinsics_vec128 a01 = Lib_IntVector_Intrinsics_vec128_add64(a0, f10); + Lib_IntVector_Intrinsics_vec128 a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, f11); + Lib_IntVector_Intrinsics_vec128 a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, f12); + Lib_IntVector_Intrinsics_vec128 a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, f13); + Lib_IntVector_Intrinsics_vec128 a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, f14); + Lib_IntVector_Intrinsics_vec128 a02 = Lib_IntVector_Intrinsics_vec128_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec128 a12 = Lib_IntVector_Intrinsics_vec128_mul64(r1, a01); + Lib_IntVector_Intrinsics_vec128 a22 = Lib_IntVector_Intrinsics_vec128_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec128 a32 = Lib_IntVector_Intrinsics_vec128_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec128 a42 = Lib_IntVector_Intrinsics_vec128_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec128 + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec128 + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a11)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec128 + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec128 + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a21)); + 
Lib_IntVector_Intrinsics_vec128 + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a21)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec128 + a05 = + Lib_IntVector_Intrinsics_vec128_add64(a04, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec128 + a15 = + Lib_IntVector_Intrinsics_vec128_add64(a14, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec128 + a25 = + Lib_IntVector_Intrinsics_vec128_add64(a24, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec128 + a35 = + Lib_IntVector_Intrinsics_vec128_add64(a34, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec128 + a45 = + Lib_IntVector_Intrinsics_vec128_add64(a44, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a31)); + Lib_IntVector_Intrinsics_vec128 + a06 = + Lib_IntVector_Intrinsics_vec128_add64(a05, + Lib_IntVector_Intrinsics_vec128_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec128 + a16 = + Lib_IntVector_Intrinsics_vec128_add64(a15, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec128 + a26 = + Lib_IntVector_Intrinsics_vec128_add64(a25, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec128 + a36 = + Lib_IntVector_Intrinsics_vec128_add64(a35, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec128 + a46 = + Lib_IntVector_Intrinsics_vec128_add64(a45, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec128 t0 = a06; + Lib_IntVector_Intrinsics_vec128 t1 = a16; + Lib_IntVector_Intrinsics_vec128 t2 = a26; + Lib_IntVector_Intrinsics_vec128 t3 = a36; + Lib_IntVector_Intrinsics_vec128 t4 = a46; + Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + 
Lib_IntVector_Intrinsics_vec128 + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t0, mask26); + Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t1, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, 
(uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + Lib_IntVector_Intrinsics_vec128 o0 = x02; + Lib_IntVector_Intrinsics_vec128 o1 = x12; + Lib_IntVector_Intrinsics_vec128 o2 = x21; + Lib_IntVector_Intrinsics_vec128 o3 = x32; + Lib_IntVector_Intrinsics_vec128 o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + Hacl_Poly1305_128_poly1305_finish(out, k, ctx); +} + +void +Hacl_Chacha20Poly1305_128_aead_encrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *mac +) +{ + Hacl_Chacha20_Vec128_chacha20_encrypt_128(mlen, cipher, m, k, n, (uint32_t)1U); + uint8_t tmp[64U] = { 0U }; + Hacl_Chacha20_Vec128_chacha20_encrypt_128((uint32_t)64U, tmp, tmp, k, n, (uint32_t)0U); + uint8_t *key = tmp; + poly1305_do_128(key, aadlen, aad, mlen, cipher, mac); +} + +uint32_t +Hacl_Chacha20Poly1305_128_aead_decrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *mac +) +{ + uint8_t computed_mac[16U] = { 0U }; + uint8_t tmp[64U] = { 0U }; + Hacl_Chacha20_Vec128_chacha20_encrypt_128((uint32_t)64U, tmp, tmp, k, n, (uint32_t)0U); + uint8_t *key = tmp; + poly1305_do_128(key, aadlen, aad, mlen, cipher, computed_mac); + uint8_t res = (uint8_t)255U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint8_t uu____0 = FStar_UInt8_eq_mask(computed_mac[i], mac[i]); + res = uu____0 & res; + } + uint8_t z = res; + if (z == (uint8_t)255U) + { + Hacl_Chacha20_Vec128_chacha20_encrypt_128(mlen, m, cipher, k, n, (uint32_t)1U); + return (uint32_t)0U; + } + return (uint32_t)1U; +} + diff --git a/src/Hacl_Chacha20Poly1305_256.c b/src/Hacl_Chacha20Poly1305_256.c new file mode 100644 index 00000000..d2ef7d5c --- /dev/null +++ b/src/Hacl_Chacha20Poly1305_256.c 
@@ -0,0 +1,1197 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Chacha20Poly1305_256.h" + +#include "internal/Hacl_Poly1305_256.h" +#include "internal/Hacl_Kremlib.h" + +static inline void +poly1305_padded_256(Lib_IntVector_Intrinsics_vec256 *ctx, uint32_t len, uint8_t *text) +{ + uint32_t n = len / (uint32_t)16U; + uint32_t r = len % (uint32_t)16U; + uint8_t *blocks = text; + uint8_t *rem = text + n * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec256 *pre0 = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 *acc0 = ctx; + uint32_t sz_block = (uint32_t)64U; + uint32_t len0 = n * (uint32_t)16U / sz_block * sz_block; + uint8_t *t00 = blocks; + if (len0 > (uint32_t)0U) + { + uint32_t bs = (uint32_t)64U; + uint8_t *text0 = t00; + Hacl_Impl_Poly1305_Field32xN_256_load_acc4(acc0, text0); + uint32_t len1 = len0 - bs; + uint8_t *text1 = t00 + bs; + uint32_t nb = len1 / bs; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = text1 + i * bs; + Lib_IntVector_Intrinsics_vec256 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 lo = Lib_IntVector_Intrinsics_vec256_load64_le(block); + Lib_IntVector_Intrinsics_vec256 + hi = Lib_IntVector_Intrinsics_vec256_load64_le(block + (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 + mask260 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + m0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(lo, hi); + Lib_IntVector_Intrinsics_vec256 + m1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(lo, hi); + Lib_IntVector_Intrinsics_vec256 + m2 = Lib_IntVector_Intrinsics_vec256_shift_right(m0, (uint32_t)48U); + Lib_IntVector_Intrinsics_vec256 + m3 = Lib_IntVector_Intrinsics_vec256_shift_right(m1, (uint32_t)48U); + Lib_IntVector_Intrinsics_vec256 + m4 = Lib_IntVector_Intrinsics_vec256_interleave_high64(m0, m1); + Lib_IntVector_Intrinsics_vec256 + t010 = Lib_IntVector_Intrinsics_vec256_interleave_low64(m0, m1); + 
Lib_IntVector_Intrinsics_vec256 + t30 = Lib_IntVector_Intrinsics_vec256_interleave_low64(m2, m3); + Lib_IntVector_Intrinsics_vec256 + t20 = Lib_IntVector_Intrinsics_vec256_shift_right64(t30, (uint32_t)4U); + Lib_IntVector_Intrinsics_vec256 o20 = Lib_IntVector_Intrinsics_vec256_and(t20, mask260); + Lib_IntVector_Intrinsics_vec256 + t10 = Lib_IntVector_Intrinsics_vec256_shift_right64(t010, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 o10 = Lib_IntVector_Intrinsics_vec256_and(t10, mask260); + Lib_IntVector_Intrinsics_vec256 o5 = Lib_IntVector_Intrinsics_vec256_and(t010, mask260); + Lib_IntVector_Intrinsics_vec256 + t31 = Lib_IntVector_Intrinsics_vec256_shift_right64(t30, (uint32_t)30U); + Lib_IntVector_Intrinsics_vec256 o30 = Lib_IntVector_Intrinsics_vec256_and(t31, mask260); + Lib_IntVector_Intrinsics_vec256 + o40 = Lib_IntVector_Intrinsics_vec256_shift_right64(m4, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 o00 = o5; + Lib_IntVector_Intrinsics_vec256 o11 = o10; + Lib_IntVector_Intrinsics_vec256 o21 = o20; + Lib_IntVector_Intrinsics_vec256 o31 = o30; + Lib_IntVector_Intrinsics_vec256 o41 = o40; + e[0U] = o00; + e[1U] = o11; + e[2U] = o21; + e[3U] = o31; + e[4U] = o41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_load64(b); + Lib_IntVector_Intrinsics_vec256 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec256_or(f4, mask); + Lib_IntVector_Intrinsics_vec256 *rn = pre0 + (uint32_t)10U; + Lib_IntVector_Intrinsics_vec256 *rn5 = pre0 + (uint32_t)15U; + Lib_IntVector_Intrinsics_vec256 r0 = rn[0U]; + Lib_IntVector_Intrinsics_vec256 r1 = rn[1U]; + Lib_IntVector_Intrinsics_vec256 r2 = rn[2U]; + Lib_IntVector_Intrinsics_vec256 r3 = rn[3U]; + Lib_IntVector_Intrinsics_vec256 r4 = rn[4U]; + Lib_IntVector_Intrinsics_vec256 r51 = rn5[1U]; + Lib_IntVector_Intrinsics_vec256 r52 = rn5[2U]; + Lib_IntVector_Intrinsics_vec256 r53 = rn5[3U]; + Lib_IntVector_Intrinsics_vec256 r54 = rn5[4U]; + 
Lib_IntVector_Intrinsics_vec256 f10 = acc0[0U]; + Lib_IntVector_Intrinsics_vec256 f110 = acc0[1U]; + Lib_IntVector_Intrinsics_vec256 f120 = acc0[2U]; + Lib_IntVector_Intrinsics_vec256 f130 = acc0[3U]; + Lib_IntVector_Intrinsics_vec256 f140 = acc0[4U]; + Lib_IntVector_Intrinsics_vec256 a0 = Lib_IntVector_Intrinsics_vec256_mul64(r0, f10); + Lib_IntVector_Intrinsics_vec256 a1 = Lib_IntVector_Intrinsics_vec256_mul64(r1, f10); + Lib_IntVector_Intrinsics_vec256 a2 = Lib_IntVector_Intrinsics_vec256_mul64(r2, f10); + Lib_IntVector_Intrinsics_vec256 a3 = Lib_IntVector_Intrinsics_vec256_mul64(r3, f10); + Lib_IntVector_Intrinsics_vec256 a4 = Lib_IntVector_Intrinsics_vec256_mul64(r4, f10); + Lib_IntVector_Intrinsics_vec256 + a01 = + Lib_IntVector_Intrinsics_vec256_add64(a0, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f110)); + Lib_IntVector_Intrinsics_vec256 + a11 = + Lib_IntVector_Intrinsics_vec256_add64(a1, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f110)); + Lib_IntVector_Intrinsics_vec256 + a21 = + Lib_IntVector_Intrinsics_vec256_add64(a2, + Lib_IntVector_Intrinsics_vec256_mul64(r1, f110)); + Lib_IntVector_Intrinsics_vec256 + a31 = + Lib_IntVector_Intrinsics_vec256_add64(a3, + Lib_IntVector_Intrinsics_vec256_mul64(r2, f110)); + Lib_IntVector_Intrinsics_vec256 + a41 = + Lib_IntVector_Intrinsics_vec256_add64(a4, + Lib_IntVector_Intrinsics_vec256_mul64(r3, f110)); + Lib_IntVector_Intrinsics_vec256 + a02 = + Lib_IntVector_Intrinsics_vec256_add64(a01, + Lib_IntVector_Intrinsics_vec256_mul64(r53, f120)); + Lib_IntVector_Intrinsics_vec256 + a12 = + Lib_IntVector_Intrinsics_vec256_add64(a11, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f120)); + Lib_IntVector_Intrinsics_vec256 + a22 = + Lib_IntVector_Intrinsics_vec256_add64(a21, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f120)); + Lib_IntVector_Intrinsics_vec256 + a32 = + Lib_IntVector_Intrinsics_vec256_add64(a31, + Lib_IntVector_Intrinsics_vec256_mul64(r1, f120)); + Lib_IntVector_Intrinsics_vec256 + a42 = + 
Lib_IntVector_Intrinsics_vec256_add64(a41, + Lib_IntVector_Intrinsics_vec256_mul64(r2, f120)); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r52, f130)); + Lib_IntVector_Intrinsics_vec256 + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r53, f130)); + Lib_IntVector_Intrinsics_vec256 + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f130)); + Lib_IntVector_Intrinsics_vec256 + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f130)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r1, f130)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r51, f140)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r52, f140)); + Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r53, f140)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f140)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f140)); + Lib_IntVector_Intrinsics_vec256 t01 = a04; + Lib_IntVector_Intrinsics_vec256 t1 = a14; + Lib_IntVector_Intrinsics_vec256 t2 = a24; + Lib_IntVector_Intrinsics_vec256 t3 = a34; + Lib_IntVector_Intrinsics_vec256 t4 = a44; + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z1 = 
Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_and(t01, mask26); + Lib_IntVector_Intrinsics_vec256 x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t1, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + Lib_IntVector_Intrinsics_vec256 x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + Lib_IntVector_Intrinsics_vec256 x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + Lib_IntVector_Intrinsics_vec256 + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 x12 = Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + Lib_IntVector_Intrinsics_vec256 x42 = 
Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o01 = x02; + Lib_IntVector_Intrinsics_vec256 o12 = x12; + Lib_IntVector_Intrinsics_vec256 o22 = x21; + Lib_IntVector_Intrinsics_vec256 o32 = x32; + Lib_IntVector_Intrinsics_vec256 o42 = x42; + acc0[0U] = o01; + acc0[1U] = o12; + acc0[2U] = o22; + acc0[3U] = o32; + acc0[4U] = o42; + Lib_IntVector_Intrinsics_vec256 f100 = acc0[0U]; + Lib_IntVector_Intrinsics_vec256 f11 = acc0[1U]; + Lib_IntVector_Intrinsics_vec256 f12 = acc0[2U]; + Lib_IntVector_Intrinsics_vec256 f13 = acc0[3U]; + Lib_IntVector_Intrinsics_vec256 f14 = acc0[4U]; + Lib_IntVector_Intrinsics_vec256 f20 = e[0U]; + Lib_IntVector_Intrinsics_vec256 f21 = e[1U]; + Lib_IntVector_Intrinsics_vec256 f22 = e[2U]; + Lib_IntVector_Intrinsics_vec256 f23 = e[3U]; + Lib_IntVector_Intrinsics_vec256 f24 = e[4U]; + Lib_IntVector_Intrinsics_vec256 o0 = Lib_IntVector_Intrinsics_vec256_add64(f100, f20); + Lib_IntVector_Intrinsics_vec256 o1 = Lib_IntVector_Intrinsics_vec256_add64(f11, f21); + Lib_IntVector_Intrinsics_vec256 o2 = Lib_IntVector_Intrinsics_vec256_add64(f12, f22); + Lib_IntVector_Intrinsics_vec256 o3 = Lib_IntVector_Intrinsics_vec256_add64(f13, f23); + Lib_IntVector_Intrinsics_vec256 o4 = Lib_IntVector_Intrinsics_vec256_add64(f14, f24); + acc0[0U] = o0; + acc0[1U] = o1; + acc0[2U] = o2; + acc0[3U] = o3; + acc0[4U] = o4; + } + Hacl_Impl_Poly1305_Field32xN_256_fmul_r4_normalize(acc0, pre0); + } + uint32_t len1 = n * (uint32_t)16U - len0; + uint8_t *t10 = blocks + len0; + uint32_t nb = len1 / (uint32_t)16U; + uint32_t rem1 = len1 % (uint32_t)16U; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = t10 + i * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec256 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + uint64_t u0 = load64_le(block); + uint64_t lo = u0; + uint64_t u = load64_le(block + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec256 f0 = 
Lib_IntVector_Intrinsics_vec256_load64(lo); + Lib_IntVector_Intrinsics_vec256 f1 = Lib_IntVector_Intrinsics_vec256_load64(hi); + Lib_IntVector_Intrinsics_vec256 + f010 = + Lib_IntVector_Intrinsics_vec256_and(f0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f110 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f20 = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec256_shift_left64(Lib_IntVector_Intrinsics_vec256_and(f1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec256 + f30 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f40 = Lib_IntVector_Intrinsics_vec256_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 f01 = f010; + Lib_IntVector_Intrinsics_vec256 f111 = f110; + Lib_IntVector_Intrinsics_vec256 f2 = f20; + Lib_IntVector_Intrinsics_vec256 f3 = f30; + Lib_IntVector_Intrinsics_vec256 f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_load64(b); + Lib_IntVector_Intrinsics_vec256 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec256_or(f4, mask); + Lib_IntVector_Intrinsics_vec256 *r1 = pre0; + Lib_IntVector_Intrinsics_vec256 *r5 = pre0 + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 r0 = r1[0U]; + Lib_IntVector_Intrinsics_vec256 r11 = r1[1U]; + Lib_IntVector_Intrinsics_vec256 r2 = r1[2U]; + Lib_IntVector_Intrinsics_vec256 r3 = r1[3U]; + Lib_IntVector_Intrinsics_vec256 r4 = r1[4U]; + 
Lib_IntVector_Intrinsics_vec256 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec256 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec256 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec256 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec256 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec256 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec256 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec256 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec256 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec256 a0 = acc0[0U]; + Lib_IntVector_Intrinsics_vec256 a1 = acc0[1U]; + Lib_IntVector_Intrinsics_vec256 a2 = acc0[2U]; + Lib_IntVector_Intrinsics_vec256 a3 = acc0[3U]; + Lib_IntVector_Intrinsics_vec256 a4 = acc0[4U]; + Lib_IntVector_Intrinsics_vec256 a01 = Lib_IntVector_Intrinsics_vec256_add64(a0, f10); + Lib_IntVector_Intrinsics_vec256 a11 = Lib_IntVector_Intrinsics_vec256_add64(a1, f11); + Lib_IntVector_Intrinsics_vec256 a21 = Lib_IntVector_Intrinsics_vec256_add64(a2, f12); + Lib_IntVector_Intrinsics_vec256 a31 = Lib_IntVector_Intrinsics_vec256_add64(a3, f13); + Lib_IntVector_Intrinsics_vec256 a41 = Lib_IntVector_Intrinsics_vec256_add64(a4, f14); + Lib_IntVector_Intrinsics_vec256 a02 = Lib_IntVector_Intrinsics_vec256_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec256 a12 = Lib_IntVector_Intrinsics_vec256_mul64(r11, a01); + Lib_IntVector_Intrinsics_vec256 a22 = Lib_IntVector_Intrinsics_vec256_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec256 a32 = Lib_IntVector_Intrinsics_vec256_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec256 a42 = Lib_IntVector_Intrinsics_vec256_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec256 + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec256 + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r11, a11)); + 
Lib_IntVector_Intrinsics_vec256 + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r11, a21)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec256 + a05 = + Lib_IntVector_Intrinsics_vec256_add64(a04, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec256 + a15 = + Lib_IntVector_Intrinsics_vec256_add64(a14, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec256 + a25 = + Lib_IntVector_Intrinsics_vec256_add64(a24, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec256 + a35 = + Lib_IntVector_Intrinsics_vec256_add64(a34, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec256 + a45 = + Lib_IntVector_Intrinsics_vec256_add64(a44, + Lib_IntVector_Intrinsics_vec256_mul64(r11, a31)); + Lib_IntVector_Intrinsics_vec256 + a06 = + Lib_IntVector_Intrinsics_vec256_add64(a05, + Lib_IntVector_Intrinsics_vec256_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec256 + a16 = + Lib_IntVector_Intrinsics_vec256_add64(a15, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec256 + a26 = + 
Lib_IntVector_Intrinsics_vec256_add64(a25, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec256 + a36 = + Lib_IntVector_Intrinsics_vec256_add64(a35, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec256 + a46 = + Lib_IntVector_Intrinsics_vec256_add64(a45, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec256 t01 = a06; + Lib_IntVector_Intrinsics_vec256 t11 = a16; + Lib_IntVector_Intrinsics_vec256 t2 = a26; + Lib_IntVector_Intrinsics_vec256 t3 = a36; + Lib_IntVector_Intrinsics_vec256 t4 = a46; + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_and(t01, mask26); + Lib_IntVector_Intrinsics_vec256 x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t11, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + Lib_IntVector_Intrinsics_vec256 x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + Lib_IntVector_Intrinsics_vec256 x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 x01 = 
Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + Lib_IntVector_Intrinsics_vec256 + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 x12 = Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + Lib_IntVector_Intrinsics_vec256 x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o0 = x02; + Lib_IntVector_Intrinsics_vec256 o1 = x12; + Lib_IntVector_Intrinsics_vec256 o2 = x21; + Lib_IntVector_Intrinsics_vec256 o3 = x32; + Lib_IntVector_Intrinsics_vec256 o4 = x42; + acc0[0U] = o0; + acc0[1U] = o1; + acc0[2U] = o2; + acc0[3U] = o3; + acc0[4U] = o4; + } + if (rem1 > (uint32_t)0U) + { + uint8_t *last = t10 + nb * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec256 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + uint8_t tmp[16U] = { 0U }; + memcpy(tmp, last, rem1 * sizeof (uint8_t)); + uint64_t u0 = load64_le(tmp); + uint64_t lo = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec256 f0 = Lib_IntVector_Intrinsics_vec256_load64(lo); + Lib_IntVector_Intrinsics_vec256 f1 = Lib_IntVector_Intrinsics_vec256_load64(hi); + Lib_IntVector_Intrinsics_vec256 + f010 = + Lib_IntVector_Intrinsics_vec256_and(f0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f110 = + 
Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f20 = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec256_shift_left64(Lib_IntVector_Intrinsics_vec256_and(f1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec256 + f30 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f40 = Lib_IntVector_Intrinsics_vec256_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 f01 = f010; + Lib_IntVector_Intrinsics_vec256 f111 = f110; + Lib_IntVector_Intrinsics_vec256 f2 = f20; + Lib_IntVector_Intrinsics_vec256 f3 = f30; + Lib_IntVector_Intrinsics_vec256 f4 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f4; + uint64_t b = (uint64_t)1U << rem1 * (uint32_t)8U % (uint32_t)26U; + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_load64(b); + Lib_IntVector_Intrinsics_vec256 fi = e[rem1 * (uint32_t)8U / (uint32_t)26U]; + e[rem1 * (uint32_t)8U / (uint32_t)26U] = Lib_IntVector_Intrinsics_vec256_or(fi, mask); + Lib_IntVector_Intrinsics_vec256 *r1 = pre0; + Lib_IntVector_Intrinsics_vec256 *r5 = pre0 + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 r0 = r1[0U]; + Lib_IntVector_Intrinsics_vec256 r11 = r1[1U]; + Lib_IntVector_Intrinsics_vec256 r2 = r1[2U]; + Lib_IntVector_Intrinsics_vec256 r3 = r1[3U]; + Lib_IntVector_Intrinsics_vec256 r4 = r1[4U]; + Lib_IntVector_Intrinsics_vec256 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec256 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec256 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec256 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec256 f10 = 
e[0U]; + Lib_IntVector_Intrinsics_vec256 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec256 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec256 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec256 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec256 a0 = acc0[0U]; + Lib_IntVector_Intrinsics_vec256 a1 = acc0[1U]; + Lib_IntVector_Intrinsics_vec256 a2 = acc0[2U]; + Lib_IntVector_Intrinsics_vec256 a3 = acc0[3U]; + Lib_IntVector_Intrinsics_vec256 a4 = acc0[4U]; + Lib_IntVector_Intrinsics_vec256 a01 = Lib_IntVector_Intrinsics_vec256_add64(a0, f10); + Lib_IntVector_Intrinsics_vec256 a11 = Lib_IntVector_Intrinsics_vec256_add64(a1, f11); + Lib_IntVector_Intrinsics_vec256 a21 = Lib_IntVector_Intrinsics_vec256_add64(a2, f12); + Lib_IntVector_Intrinsics_vec256 a31 = Lib_IntVector_Intrinsics_vec256_add64(a3, f13); + Lib_IntVector_Intrinsics_vec256 a41 = Lib_IntVector_Intrinsics_vec256_add64(a4, f14); + Lib_IntVector_Intrinsics_vec256 a02 = Lib_IntVector_Intrinsics_vec256_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec256 a12 = Lib_IntVector_Intrinsics_vec256_mul64(r11, a01); + Lib_IntVector_Intrinsics_vec256 a22 = Lib_IntVector_Intrinsics_vec256_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec256 a32 = Lib_IntVector_Intrinsics_vec256_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec256 a42 = Lib_IntVector_Intrinsics_vec256_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec256 + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec256 + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r11, a11)); + Lib_IntVector_Intrinsics_vec256 + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + 
Lib_IntVector_Intrinsics_vec256_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r11, a21)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec256 + a05 = + Lib_IntVector_Intrinsics_vec256_add64(a04, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec256 + a15 = + Lib_IntVector_Intrinsics_vec256_add64(a14, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec256 + a25 = + Lib_IntVector_Intrinsics_vec256_add64(a24, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec256 + a35 = + Lib_IntVector_Intrinsics_vec256_add64(a34, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec256 + a45 = + Lib_IntVector_Intrinsics_vec256_add64(a44, + Lib_IntVector_Intrinsics_vec256_mul64(r11, a31)); + Lib_IntVector_Intrinsics_vec256 + a06 = + Lib_IntVector_Intrinsics_vec256_add64(a05, + Lib_IntVector_Intrinsics_vec256_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec256 + a16 = + Lib_IntVector_Intrinsics_vec256_add64(a15, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec256 + a26 = + Lib_IntVector_Intrinsics_vec256_add64(a25, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec256 + a36 = + Lib_IntVector_Intrinsics_vec256_add64(a35, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a41)); + 
Lib_IntVector_Intrinsics_vec256 + a46 = + Lib_IntVector_Intrinsics_vec256_add64(a45, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec256 t01 = a06; + Lib_IntVector_Intrinsics_vec256 t11 = a16; + Lib_IntVector_Intrinsics_vec256 t2 = a26; + Lib_IntVector_Intrinsics_vec256 t3 = a36; + Lib_IntVector_Intrinsics_vec256 t4 = a46; + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_and(t01, mask26); + Lib_IntVector_Intrinsics_vec256 x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t11, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + Lib_IntVector_Intrinsics_vec256 x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + Lib_IntVector_Intrinsics_vec256 x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + Lib_IntVector_Intrinsics_vec256 + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, 
(uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 x12 = Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + Lib_IntVector_Intrinsics_vec256 x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o0 = x02; + Lib_IntVector_Intrinsics_vec256 o1 = x12; + Lib_IntVector_Intrinsics_vec256 o2 = x21; + Lib_IntVector_Intrinsics_vec256 o3 = x32; + Lib_IntVector_Intrinsics_vec256 o4 = x42; + acc0[0U] = o0; + acc0[1U] = o1; + acc0[2U] = o2; + acc0[3U] = o3; + acc0[4U] = o4; + } + uint8_t tmp[16U] = { 0U }; + memcpy(tmp, rem, r * sizeof (uint8_t)); + if (r > (uint32_t)0U) + { + Lib_IntVector_Intrinsics_vec256 *pre = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 *acc = ctx; + Lib_IntVector_Intrinsics_vec256 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + uint64_t u0 = load64_le(tmp); + uint64_t lo = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec256 f0 = Lib_IntVector_Intrinsics_vec256_load64(lo); + Lib_IntVector_Intrinsics_vec256 f1 = Lib_IntVector_Intrinsics_vec256_load64(hi); + Lib_IntVector_Intrinsics_vec256 + f010 = + Lib_IntVector_Intrinsics_vec256_and(f0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f110 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + 
f20 = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec256_shift_left64(Lib_IntVector_Intrinsics_vec256_and(f1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec256 + f30 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f40 = Lib_IntVector_Intrinsics_vec256_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 f01 = f010; + Lib_IntVector_Intrinsics_vec256 f111 = f110; + Lib_IntVector_Intrinsics_vec256 f2 = f20; + Lib_IntVector_Intrinsics_vec256 f3 = f30; + Lib_IntVector_Intrinsics_vec256 f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_load64(b); + Lib_IntVector_Intrinsics_vec256 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec256_or(f4, mask); + Lib_IntVector_Intrinsics_vec256 *r1 = pre; + Lib_IntVector_Intrinsics_vec256 *r5 = pre + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 r0 = r1[0U]; + Lib_IntVector_Intrinsics_vec256 r11 = r1[1U]; + Lib_IntVector_Intrinsics_vec256 r2 = r1[2U]; + Lib_IntVector_Intrinsics_vec256 r3 = r1[3U]; + Lib_IntVector_Intrinsics_vec256 r4 = r1[4U]; + Lib_IntVector_Intrinsics_vec256 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec256 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec256 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec256 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec256 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec256 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec256 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec256 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec256 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec256 a0 = acc[0U]; + Lib_IntVector_Intrinsics_vec256 a1 = acc[1U]; + 
Lib_IntVector_Intrinsics_vec256 a2 = acc[2U]; + Lib_IntVector_Intrinsics_vec256 a3 = acc[3U]; + Lib_IntVector_Intrinsics_vec256 a4 = acc[4U]; + Lib_IntVector_Intrinsics_vec256 a01 = Lib_IntVector_Intrinsics_vec256_add64(a0, f10); + Lib_IntVector_Intrinsics_vec256 a11 = Lib_IntVector_Intrinsics_vec256_add64(a1, f11); + Lib_IntVector_Intrinsics_vec256 a21 = Lib_IntVector_Intrinsics_vec256_add64(a2, f12); + Lib_IntVector_Intrinsics_vec256 a31 = Lib_IntVector_Intrinsics_vec256_add64(a3, f13); + Lib_IntVector_Intrinsics_vec256 a41 = Lib_IntVector_Intrinsics_vec256_add64(a4, f14); + Lib_IntVector_Intrinsics_vec256 a02 = Lib_IntVector_Intrinsics_vec256_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec256 a12 = Lib_IntVector_Intrinsics_vec256_mul64(r11, a01); + Lib_IntVector_Intrinsics_vec256 a22 = Lib_IntVector_Intrinsics_vec256_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec256 a32 = Lib_IntVector_Intrinsics_vec256_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec256 a42 = Lib_IntVector_Intrinsics_vec256_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec256 + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec256 + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r11, a11)); + Lib_IntVector_Intrinsics_vec256 + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a21)); + 
Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r11, a21)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec256 + a05 = + Lib_IntVector_Intrinsics_vec256_add64(a04, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec256 + a15 = + Lib_IntVector_Intrinsics_vec256_add64(a14, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec256 + a25 = + Lib_IntVector_Intrinsics_vec256_add64(a24, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec256 + a35 = + Lib_IntVector_Intrinsics_vec256_add64(a34, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec256 + a45 = + Lib_IntVector_Intrinsics_vec256_add64(a44, + Lib_IntVector_Intrinsics_vec256_mul64(r11, a31)); + Lib_IntVector_Intrinsics_vec256 + a06 = + Lib_IntVector_Intrinsics_vec256_add64(a05, + Lib_IntVector_Intrinsics_vec256_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec256 + a16 = + Lib_IntVector_Intrinsics_vec256_add64(a15, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec256 + a26 = + Lib_IntVector_Intrinsics_vec256_add64(a25, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec256 + a36 = + Lib_IntVector_Intrinsics_vec256_add64(a35, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec256 + a46 = + Lib_IntVector_Intrinsics_vec256_add64(a45, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec256 t0 = a06; + Lib_IntVector_Intrinsics_vec256 t1 = a16; + Lib_IntVector_Intrinsics_vec256 t2 = a26; + Lib_IntVector_Intrinsics_vec256 t3 = a36; + 
Lib_IntVector_Intrinsics_vec256 t4 = a46; + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_and(t0, mask26); + Lib_IntVector_Intrinsics_vec256 x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t1, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + Lib_IntVector_Intrinsics_vec256 x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + Lib_IntVector_Intrinsics_vec256 x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + Lib_IntVector_Intrinsics_vec256 + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 x12 = 
Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + Lib_IntVector_Intrinsics_vec256 x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o0 = x02; + Lib_IntVector_Intrinsics_vec256 o1 = x12; + Lib_IntVector_Intrinsics_vec256 o2 = x21; + Lib_IntVector_Intrinsics_vec256 o3 = x32; + Lib_IntVector_Intrinsics_vec256 o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + return; + } +} + +static inline void +poly1305_do_256( + uint8_t *k, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *out +) +{ + Lib_IntVector_Intrinsics_vec256 ctx[25U]; + for (uint32_t _i = 0U; _i < (uint32_t)25U; ++_i) + ctx[_i] = Lib_IntVector_Intrinsics_vec256_zero; + uint8_t block[16U] = { 0U }; + Hacl_Poly1305_256_poly1305_init(ctx, k); + if (aadlen != (uint32_t)0U) + { + poly1305_padded_256(ctx, aadlen, aad); + } + if (mlen != (uint32_t)0U) + { + poly1305_padded_256(ctx, mlen, m); + } + store64_le(block, (uint64_t)aadlen); + store64_le(block + (uint32_t)8U, (uint64_t)mlen); + Lib_IntVector_Intrinsics_vec256 *pre = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 *acc = ctx; + Lib_IntVector_Intrinsics_vec256 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + uint64_t u0 = load64_le(block); + uint64_t lo = u0; + uint64_t u = load64_le(block + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec256 f0 = Lib_IntVector_Intrinsics_vec256_load64(lo); + Lib_IntVector_Intrinsics_vec256 f1 = Lib_IntVector_Intrinsics_vec256_load64(hi); + Lib_IntVector_Intrinsics_vec256 + f010 = + Lib_IntVector_Intrinsics_vec256_and(f0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f110 = + 
Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f20 = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec256_shift_left64(Lib_IntVector_Intrinsics_vec256_and(f1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec256 + f30 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f40 = Lib_IntVector_Intrinsics_vec256_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 f01 = f010; + Lib_IntVector_Intrinsics_vec256 f111 = f110; + Lib_IntVector_Intrinsics_vec256 f2 = f20; + Lib_IntVector_Intrinsics_vec256 f3 = f30; + Lib_IntVector_Intrinsics_vec256 f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_load64(b); + Lib_IntVector_Intrinsics_vec256 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec256_or(f4, mask); + Lib_IntVector_Intrinsics_vec256 *r = pre; + Lib_IntVector_Intrinsics_vec256 *r5 = pre + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 r0 = r[0U]; + Lib_IntVector_Intrinsics_vec256 r1 = r[1U]; + Lib_IntVector_Intrinsics_vec256 r2 = r[2U]; + Lib_IntVector_Intrinsics_vec256 r3 = r[3U]; + Lib_IntVector_Intrinsics_vec256 r4 = r[4U]; + Lib_IntVector_Intrinsics_vec256 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec256 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec256 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec256 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec256 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec256 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec256 f12 = e[2U]; + 
Lib_IntVector_Intrinsics_vec256 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec256 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec256 a0 = acc[0U]; + Lib_IntVector_Intrinsics_vec256 a1 = acc[1U]; + Lib_IntVector_Intrinsics_vec256 a2 = acc[2U]; + Lib_IntVector_Intrinsics_vec256 a3 = acc[3U]; + Lib_IntVector_Intrinsics_vec256 a4 = acc[4U]; + Lib_IntVector_Intrinsics_vec256 a01 = Lib_IntVector_Intrinsics_vec256_add64(a0, f10); + Lib_IntVector_Intrinsics_vec256 a11 = Lib_IntVector_Intrinsics_vec256_add64(a1, f11); + Lib_IntVector_Intrinsics_vec256 a21 = Lib_IntVector_Intrinsics_vec256_add64(a2, f12); + Lib_IntVector_Intrinsics_vec256 a31 = Lib_IntVector_Intrinsics_vec256_add64(a3, f13); + Lib_IntVector_Intrinsics_vec256 a41 = Lib_IntVector_Intrinsics_vec256_add64(a4, f14); + Lib_IntVector_Intrinsics_vec256 a02 = Lib_IntVector_Intrinsics_vec256_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec256 a12 = Lib_IntVector_Intrinsics_vec256_mul64(r1, a01); + Lib_IntVector_Intrinsics_vec256 a22 = Lib_IntVector_Intrinsics_vec256_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec256 a32 = Lib_IntVector_Intrinsics_vec256_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec256 a42 = Lib_IntVector_Intrinsics_vec256_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec256 + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec256 + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a11)); + Lib_IntVector_Intrinsics_vec256 + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + 
Lib_IntVector_Intrinsics_vec256_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a21)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec256 + a05 = + Lib_IntVector_Intrinsics_vec256_add64(a04, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec256 + a15 = + Lib_IntVector_Intrinsics_vec256_add64(a14, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec256 + a25 = + Lib_IntVector_Intrinsics_vec256_add64(a24, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec256 + a35 = + Lib_IntVector_Intrinsics_vec256_add64(a34, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec256 + a45 = + Lib_IntVector_Intrinsics_vec256_add64(a44, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a31)); + Lib_IntVector_Intrinsics_vec256 + a06 = + Lib_IntVector_Intrinsics_vec256_add64(a05, + Lib_IntVector_Intrinsics_vec256_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec256 + a16 = + Lib_IntVector_Intrinsics_vec256_add64(a15, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec256 + a26 = + Lib_IntVector_Intrinsics_vec256_add64(a25, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec256 + a36 = + Lib_IntVector_Intrinsics_vec256_add64(a35, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec256 + a46 = + Lib_IntVector_Intrinsics_vec256_add64(a45, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a41)); + 
Lib_IntVector_Intrinsics_vec256 t0 = a06; + Lib_IntVector_Intrinsics_vec256 t1 = a16; + Lib_IntVector_Intrinsics_vec256 t2 = a26; + Lib_IntVector_Intrinsics_vec256 t3 = a36; + Lib_IntVector_Intrinsics_vec256 t4 = a46; + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_and(t0, mask26); + Lib_IntVector_Intrinsics_vec256 x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t1, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + Lib_IntVector_Intrinsics_vec256 x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + Lib_IntVector_Intrinsics_vec256 x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + Lib_IntVector_Intrinsics_vec256 + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 x02 = 
Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 x12 = Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + Lib_IntVector_Intrinsics_vec256 x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o0 = x02; + Lib_IntVector_Intrinsics_vec256 o1 = x12; + Lib_IntVector_Intrinsics_vec256 o2 = x21; + Lib_IntVector_Intrinsics_vec256 o3 = x32; + Lib_IntVector_Intrinsics_vec256 o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + Hacl_Poly1305_256_poly1305_finish(out, k, ctx); +} + +void +Hacl_Chacha20Poly1305_256_aead_encrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *mac +) +{ + Hacl_Chacha20_Vec256_chacha20_encrypt_256(mlen, cipher, m, k, n, (uint32_t)1U); + uint8_t tmp[64U] = { 0U }; + Hacl_Chacha20_Vec256_chacha20_encrypt_256((uint32_t)64U, tmp, tmp, k, n, (uint32_t)0U); + uint8_t *key = tmp; + poly1305_do_256(key, aadlen, aad, mlen, cipher, mac); +} + +uint32_t +Hacl_Chacha20Poly1305_256_aead_decrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *mac +) +{ + uint8_t computed_mac[16U] = { 0U }; + uint8_t tmp[64U] = { 0U }; + Hacl_Chacha20_Vec256_chacha20_encrypt_256((uint32_t)64U, tmp, tmp, k, n, (uint32_t)0U); + uint8_t *key = tmp; + poly1305_do_256(key, aadlen, aad, mlen, cipher, computed_mac); + uint8_t res = (uint8_t)255U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint8_t uu____0 = FStar_UInt8_eq_mask(computed_mac[i], mac[i]); + res = uu____0 & res; + } + uint8_t z = res; + if (z == (uint8_t)255U) + { 
+ Hacl_Chacha20_Vec256_chacha20_encrypt_256(mlen, m, cipher, k, n, (uint32_t)1U);
+ return (uint32_t)0U;
+ }
+ return (uint32_t)1U;
+}
+
diff --git a/src/Hacl_Chacha20Poly1305_32.c b/src/Hacl_Chacha20Poly1305_32.c
new file mode 100644
index 00000000..f25a377e
--- /dev/null
+++ b/src/Hacl_Chacha20Poly1305_32.c
@@ -0,0 +1,601 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Chacha20Poly1305_32.h" + +#include "internal/Hacl_Kremlib.h" + +static inline void poly1305_padded_32(uint64_t *ctx, uint32_t len, uint8_t *text) +{ + uint32_t n = len / (uint32_t)16U; + uint32_t r = len % (uint32_t)16U; + uint8_t *blocks = text; + uint8_t *rem = text + n * (uint32_t)16U; + uint64_t *pre0 = ctx + (uint32_t)5U; + uint64_t *acc0 = ctx; + uint32_t nb = n * (uint32_t)16U / (uint32_t)16U; + uint32_t rem1 = n * (uint32_t)16U % (uint32_t)16U; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = blocks + i * (uint32_t)16U; + uint64_t e[5U] = { 0U }; + uint64_t u0 = load64_le(block); + uint64_t lo = u0; + uint64_t u = load64_le(block + (uint32_t)8U); + uint64_t hi = u; + uint64_t f0 = lo; + uint64_t f1 = hi; + uint64_t f010 = f0 & (uint64_t)0x3ffffffU; + uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU; + uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U; + uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU; + uint64_t f40 = f1 >> (uint32_t)40U; + uint64_t f01 = f010; + uint64_t f111 = f110; + uint64_t f2 = f20; + uint64_t f3 = f30; + uint64_t f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + uint64_t mask = b; + uint64_t f4 = e[4U]; + e[4U] = f4 | mask; + uint64_t *r1 = pre0; + uint64_t *r5 = pre0 + (uint32_t)5U; + uint64_t r0 = r1[0U]; + uint64_t r11 = r1[1U]; + uint64_t r2 = r1[2U]; + uint64_t r3 = r1[3U]; + uint64_t r4 = r1[4U]; + uint64_t r51 = r5[1U]; + uint64_t r52 = r5[2U]; + uint64_t r53 = r5[3U]; + uint64_t r54 = r5[4U]; + uint64_t f10 = e[0U]; + uint64_t f11 = e[1U]; + uint64_t f12 = e[2U]; + uint64_t f13 = e[3U]; + uint64_t f14 = e[4U]; + uint64_t a0 = acc0[0U]; + uint64_t a1 = acc0[1U]; + uint64_t a2 = acc0[2U]; + uint64_t a3 = acc0[3U]; + uint64_t a4 = acc0[4U]; + uint64_t a01 = a0 + f10; + uint64_t a11 = a1 + f11; + uint64_t a21 = a2 + f12; + uint64_t a31 = a3 + f13; + uint64_t a41 = 
a4 + f14; + uint64_t a02 = r0 * a01; + uint64_t a12 = r11 * a01; + uint64_t a22 = r2 * a01; + uint64_t a32 = r3 * a01; + uint64_t a42 = r4 * a01; + uint64_t a03 = a02 + r54 * a11; + uint64_t a13 = a12 + r0 * a11; + uint64_t a23 = a22 + r11 * a11; + uint64_t a33 = a32 + r2 * a11; + uint64_t a43 = a42 + r3 * a11; + uint64_t a04 = a03 + r53 * a21; + uint64_t a14 = a13 + r54 * a21; + uint64_t a24 = a23 + r0 * a21; + uint64_t a34 = a33 + r11 * a21; + uint64_t a44 = a43 + r2 * a21; + uint64_t a05 = a04 + r52 * a31; + uint64_t a15 = a14 + r53 * a31; + uint64_t a25 = a24 + r54 * a31; + uint64_t a35 = a34 + r0 * a31; + uint64_t a45 = a44 + r11 * a31; + uint64_t a06 = a05 + r51 * a41; + uint64_t a16 = a15 + r52 * a41; + uint64_t a26 = a25 + r53 * a41; + uint64_t a36 = a35 + r54 * a41; + uint64_t a46 = a45 + r0 * a41; + uint64_t t0 = a06; + uint64_t t1 = a16; + uint64_t t2 = a26; + uint64_t t3 = a36; + uint64_t t4 = a46; + uint64_t mask26 = (uint64_t)0x3ffffffU; + uint64_t z0 = t0 >> (uint32_t)26U; + uint64_t z1 = t3 >> (uint32_t)26U; + uint64_t x0 = t0 & mask26; + uint64_t x3 = t3 & mask26; + uint64_t x1 = t1 + z0; + uint64_t x4 = t4 + z1; + uint64_t z01 = x1 >> (uint32_t)26U; + uint64_t z11 = x4 >> (uint32_t)26U; + uint64_t t = z11 << (uint32_t)2U; + uint64_t z12 = z11 + t; + uint64_t x11 = x1 & mask26; + uint64_t x41 = x4 & mask26; + uint64_t x2 = t2 + z01; + uint64_t x01 = x0 + z12; + uint64_t z02 = x2 >> (uint32_t)26U; + uint64_t z13 = x01 >> (uint32_t)26U; + uint64_t x21 = x2 & mask26; + uint64_t x02 = x01 & mask26; + uint64_t x31 = x3 + z02; + uint64_t x12 = x11 + z13; + uint64_t z03 = x31 >> (uint32_t)26U; + uint64_t x32 = x31 & mask26; + uint64_t x42 = x41 + z03; + uint64_t o0 = x02; + uint64_t o1 = x12; + uint64_t o2 = x21; + uint64_t o3 = x32; + uint64_t o4 = x42; + acc0[0U] = o0; + acc0[1U] = o1; + acc0[2U] = o2; + acc0[3U] = o3; + acc0[4U] = o4; + } + if (rem1 > (uint32_t)0U) + { + uint8_t *last = blocks + nb * (uint32_t)16U; + uint64_t e[5U] = { 0U }; + uint8_t 
tmp[16U] = { 0U }; + memcpy(tmp, last, rem1 * sizeof (uint8_t)); + uint64_t u0 = load64_le(tmp); + uint64_t lo = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi = u; + uint64_t f0 = lo; + uint64_t f1 = hi; + uint64_t f010 = f0 & (uint64_t)0x3ffffffU; + uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU; + uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U; + uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU; + uint64_t f40 = f1 >> (uint32_t)40U; + uint64_t f01 = f010; + uint64_t f111 = f110; + uint64_t f2 = f20; + uint64_t f3 = f30; + uint64_t f4 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f4; + uint64_t b = (uint64_t)1U << rem1 * (uint32_t)8U % (uint32_t)26U; + uint64_t mask = b; + uint64_t fi = e[rem1 * (uint32_t)8U / (uint32_t)26U]; + e[rem1 * (uint32_t)8U / (uint32_t)26U] = fi | mask; + uint64_t *r1 = pre0; + uint64_t *r5 = pre0 + (uint32_t)5U; + uint64_t r0 = r1[0U]; + uint64_t r11 = r1[1U]; + uint64_t r2 = r1[2U]; + uint64_t r3 = r1[3U]; + uint64_t r4 = r1[4U]; + uint64_t r51 = r5[1U]; + uint64_t r52 = r5[2U]; + uint64_t r53 = r5[3U]; + uint64_t r54 = r5[4U]; + uint64_t f10 = e[0U]; + uint64_t f11 = e[1U]; + uint64_t f12 = e[2U]; + uint64_t f13 = e[3U]; + uint64_t f14 = e[4U]; + uint64_t a0 = acc0[0U]; + uint64_t a1 = acc0[1U]; + uint64_t a2 = acc0[2U]; + uint64_t a3 = acc0[3U]; + uint64_t a4 = acc0[4U]; + uint64_t a01 = a0 + f10; + uint64_t a11 = a1 + f11; + uint64_t a21 = a2 + f12; + uint64_t a31 = a3 + f13; + uint64_t a41 = a4 + f14; + uint64_t a02 = r0 * a01; + uint64_t a12 = r11 * a01; + uint64_t a22 = r2 * a01; + uint64_t a32 = r3 * a01; + uint64_t a42 = r4 * a01; + uint64_t a03 = a02 + r54 * a11; + uint64_t a13 = a12 + r0 * a11; + uint64_t a23 = a22 + r11 * a11; + uint64_t a33 = a32 + r2 * a11; + uint64_t a43 = a42 + r3 * a11; + uint64_t a04 = a03 + r53 * a21; + uint64_t a14 = a13 + r54 * a21; + uint64_t a24 = a23 + r0 * a21; + uint64_t a34 = a33 + r11 * a21; + 
uint64_t a44 = a43 + r2 * a21; + uint64_t a05 = a04 + r52 * a31; + uint64_t a15 = a14 + r53 * a31; + uint64_t a25 = a24 + r54 * a31; + uint64_t a35 = a34 + r0 * a31; + uint64_t a45 = a44 + r11 * a31; + uint64_t a06 = a05 + r51 * a41; + uint64_t a16 = a15 + r52 * a41; + uint64_t a26 = a25 + r53 * a41; + uint64_t a36 = a35 + r54 * a41; + uint64_t a46 = a45 + r0 * a41; + uint64_t t0 = a06; + uint64_t t1 = a16; + uint64_t t2 = a26; + uint64_t t3 = a36; + uint64_t t4 = a46; + uint64_t mask26 = (uint64_t)0x3ffffffU; + uint64_t z0 = t0 >> (uint32_t)26U; + uint64_t z1 = t3 >> (uint32_t)26U; + uint64_t x0 = t0 & mask26; + uint64_t x3 = t3 & mask26; + uint64_t x1 = t1 + z0; + uint64_t x4 = t4 + z1; + uint64_t z01 = x1 >> (uint32_t)26U; + uint64_t z11 = x4 >> (uint32_t)26U; + uint64_t t = z11 << (uint32_t)2U; + uint64_t z12 = z11 + t; + uint64_t x11 = x1 & mask26; + uint64_t x41 = x4 & mask26; + uint64_t x2 = t2 + z01; + uint64_t x01 = x0 + z12; + uint64_t z02 = x2 >> (uint32_t)26U; + uint64_t z13 = x01 >> (uint32_t)26U; + uint64_t x21 = x2 & mask26; + uint64_t x02 = x01 & mask26; + uint64_t x31 = x3 + z02; + uint64_t x12 = x11 + z13; + uint64_t z03 = x31 >> (uint32_t)26U; + uint64_t x32 = x31 & mask26; + uint64_t x42 = x41 + z03; + uint64_t o0 = x02; + uint64_t o1 = x12; + uint64_t o2 = x21; + uint64_t o3 = x32; + uint64_t o4 = x42; + acc0[0U] = o0; + acc0[1U] = o1; + acc0[2U] = o2; + acc0[3U] = o3; + acc0[4U] = o4; + } + uint8_t tmp[16U] = { 0U }; + memcpy(tmp, rem, r * sizeof (uint8_t)); + if (r > (uint32_t)0U) + { + uint64_t *pre = ctx + (uint32_t)5U; + uint64_t *acc = ctx; + uint64_t e[5U] = { 0U }; + uint64_t u0 = load64_le(tmp); + uint64_t lo = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi = u; + uint64_t f0 = lo; + uint64_t f1 = hi; + uint64_t f010 = f0 & (uint64_t)0x3ffffffU; + uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU; + uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U; + uint64_t f30 = f1 >> 
(uint32_t)14U & (uint64_t)0x3ffffffU; + uint64_t f40 = f1 >> (uint32_t)40U; + uint64_t f01 = f010; + uint64_t f111 = f110; + uint64_t f2 = f20; + uint64_t f3 = f30; + uint64_t f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + uint64_t mask = b; + uint64_t f4 = e[4U]; + e[4U] = f4 | mask; + uint64_t *r1 = pre; + uint64_t *r5 = pre + (uint32_t)5U; + uint64_t r0 = r1[0U]; + uint64_t r11 = r1[1U]; + uint64_t r2 = r1[2U]; + uint64_t r3 = r1[3U]; + uint64_t r4 = r1[4U]; + uint64_t r51 = r5[1U]; + uint64_t r52 = r5[2U]; + uint64_t r53 = r5[3U]; + uint64_t r54 = r5[4U]; + uint64_t f10 = e[0U]; + uint64_t f11 = e[1U]; + uint64_t f12 = e[2U]; + uint64_t f13 = e[3U]; + uint64_t f14 = e[4U]; + uint64_t a0 = acc[0U]; + uint64_t a1 = acc[1U]; + uint64_t a2 = acc[2U]; + uint64_t a3 = acc[3U]; + uint64_t a4 = acc[4U]; + uint64_t a01 = a0 + f10; + uint64_t a11 = a1 + f11; + uint64_t a21 = a2 + f12; + uint64_t a31 = a3 + f13; + uint64_t a41 = a4 + f14; + uint64_t a02 = r0 * a01; + uint64_t a12 = r11 * a01; + uint64_t a22 = r2 * a01; + uint64_t a32 = r3 * a01; + uint64_t a42 = r4 * a01; + uint64_t a03 = a02 + r54 * a11; + uint64_t a13 = a12 + r0 * a11; + uint64_t a23 = a22 + r11 * a11; + uint64_t a33 = a32 + r2 * a11; + uint64_t a43 = a42 + r3 * a11; + uint64_t a04 = a03 + r53 * a21; + uint64_t a14 = a13 + r54 * a21; + uint64_t a24 = a23 + r0 * a21; + uint64_t a34 = a33 + r11 * a21; + uint64_t a44 = a43 + r2 * a21; + uint64_t a05 = a04 + r52 * a31; + uint64_t a15 = a14 + r53 * a31; + uint64_t a25 = a24 + r54 * a31; + uint64_t a35 = a34 + r0 * a31; + uint64_t a45 = a44 + r11 * a31; + uint64_t a06 = a05 + r51 * a41; + uint64_t a16 = a15 + r52 * a41; + uint64_t a26 = a25 + r53 * a41; + uint64_t a36 = a35 + r54 * a41; + uint64_t a46 = a45 + r0 * a41; + uint64_t t0 = a06; + uint64_t t1 = a16; + uint64_t t2 = a26; + uint64_t t3 = a36; + uint64_t t4 = a46; + uint64_t mask26 = (uint64_t)0x3ffffffU; + uint64_t z0 = t0 
>> (uint32_t)26U; + uint64_t z1 = t3 >> (uint32_t)26U; + uint64_t x0 = t0 & mask26; + uint64_t x3 = t3 & mask26; + uint64_t x1 = t1 + z0; + uint64_t x4 = t4 + z1; + uint64_t z01 = x1 >> (uint32_t)26U; + uint64_t z11 = x4 >> (uint32_t)26U; + uint64_t t = z11 << (uint32_t)2U; + uint64_t z12 = z11 + t; + uint64_t x11 = x1 & mask26; + uint64_t x41 = x4 & mask26; + uint64_t x2 = t2 + z01; + uint64_t x01 = x0 + z12; + uint64_t z02 = x2 >> (uint32_t)26U; + uint64_t z13 = x01 >> (uint32_t)26U; + uint64_t x21 = x2 & mask26; + uint64_t x02 = x01 & mask26; + uint64_t x31 = x3 + z02; + uint64_t x12 = x11 + z13; + uint64_t z03 = x31 >> (uint32_t)26U; + uint64_t x32 = x31 & mask26; + uint64_t x42 = x41 + z03; + uint64_t o0 = x02; + uint64_t o1 = x12; + uint64_t o2 = x21; + uint64_t o3 = x32; + uint64_t o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + return; + } +} + +static inline void +poly1305_do_32( + uint8_t *k, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *out +) +{ + uint64_t ctx[25U] = { 0U }; + uint8_t block[16U] = { 0U }; + Hacl_Poly1305_32_poly1305_init(ctx, k); + if (aadlen != (uint32_t)0U) + { + poly1305_padded_32(ctx, aadlen, aad); + } + if (mlen != (uint32_t)0U) + { + poly1305_padded_32(ctx, mlen, m); + } + store64_le(block, (uint64_t)aadlen); + store64_le(block + (uint32_t)8U, (uint64_t)mlen); + uint64_t *pre = ctx + (uint32_t)5U; + uint64_t *acc = ctx; + uint64_t e[5U] = { 0U }; + uint64_t u0 = load64_le(block); + uint64_t lo = u0; + uint64_t u = load64_le(block + (uint32_t)8U); + uint64_t hi = u; + uint64_t f0 = lo; + uint64_t f1 = hi; + uint64_t f010 = f0 & (uint64_t)0x3ffffffU; + uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU; + uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U; + uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU; + uint64_t f40 = f1 >> (uint32_t)40U; + uint64_t f01 = f010; + uint64_t f111 = f110; + uint64_t f2 = f20; + 
uint64_t f3 = f30; + uint64_t f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + uint64_t mask = b; + uint64_t f4 = e[4U]; + e[4U] = f4 | mask; + uint64_t *r = pre; + uint64_t *r5 = pre + (uint32_t)5U; + uint64_t r0 = r[0U]; + uint64_t r1 = r[1U]; + uint64_t r2 = r[2U]; + uint64_t r3 = r[3U]; + uint64_t r4 = r[4U]; + uint64_t r51 = r5[1U]; + uint64_t r52 = r5[2U]; + uint64_t r53 = r5[3U]; + uint64_t r54 = r5[4U]; + uint64_t f10 = e[0U]; + uint64_t f11 = e[1U]; + uint64_t f12 = e[2U]; + uint64_t f13 = e[3U]; + uint64_t f14 = e[4U]; + uint64_t a0 = acc[0U]; + uint64_t a1 = acc[1U]; + uint64_t a2 = acc[2U]; + uint64_t a3 = acc[3U]; + uint64_t a4 = acc[4U]; + uint64_t a01 = a0 + f10; + uint64_t a11 = a1 + f11; + uint64_t a21 = a2 + f12; + uint64_t a31 = a3 + f13; + uint64_t a41 = a4 + f14; + uint64_t a02 = r0 * a01; + uint64_t a12 = r1 * a01; + uint64_t a22 = r2 * a01; + uint64_t a32 = r3 * a01; + uint64_t a42 = r4 * a01; + uint64_t a03 = a02 + r54 * a11; + uint64_t a13 = a12 + r0 * a11; + uint64_t a23 = a22 + r1 * a11; + uint64_t a33 = a32 + r2 * a11; + uint64_t a43 = a42 + r3 * a11; + uint64_t a04 = a03 + r53 * a21; + uint64_t a14 = a13 + r54 * a21; + uint64_t a24 = a23 + r0 * a21; + uint64_t a34 = a33 + r1 * a21; + uint64_t a44 = a43 + r2 * a21; + uint64_t a05 = a04 + r52 * a31; + uint64_t a15 = a14 + r53 * a31; + uint64_t a25 = a24 + r54 * a31; + uint64_t a35 = a34 + r0 * a31; + uint64_t a45 = a44 + r1 * a31; + uint64_t a06 = a05 + r51 * a41; + uint64_t a16 = a15 + r52 * a41; + uint64_t a26 = a25 + r53 * a41; + uint64_t a36 = a35 + r54 * a41; + uint64_t a46 = a45 + r0 * a41; + uint64_t t0 = a06; + uint64_t t1 = a16; + uint64_t t2 = a26; + uint64_t t3 = a36; + uint64_t t4 = a46; + uint64_t mask26 = (uint64_t)0x3ffffffU; + uint64_t z0 = t0 >> (uint32_t)26U; + uint64_t z1 = t3 >> (uint32_t)26U; + uint64_t x0 = t0 & mask26; + uint64_t x3 = t3 & mask26; + uint64_t x1 = t1 + z0; + uint64_t x4 = t4 + 
z1; + uint64_t z01 = x1 >> (uint32_t)26U; + uint64_t z11 = x4 >> (uint32_t)26U; + uint64_t t = z11 << (uint32_t)2U; + uint64_t z12 = z11 + t; + uint64_t x11 = x1 & mask26; + uint64_t x41 = x4 & mask26; + uint64_t x2 = t2 + z01; + uint64_t x01 = x0 + z12; + uint64_t z02 = x2 >> (uint32_t)26U; + uint64_t z13 = x01 >> (uint32_t)26U; + uint64_t x21 = x2 & mask26; + uint64_t x02 = x01 & mask26; + uint64_t x31 = x3 + z02; + uint64_t x12 = x11 + z13; + uint64_t z03 = x31 >> (uint32_t)26U; + uint64_t x32 = x31 & mask26; + uint64_t x42 = x41 + z03; + uint64_t o0 = x02; + uint64_t o1 = x12; + uint64_t o2 = x21; + uint64_t o3 = x32; + uint64_t o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + Hacl_Poly1305_32_poly1305_finish(out, k, ctx); +} + +void +Hacl_Chacha20Poly1305_32_aead_encrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *mac +) +{ + Hacl_Chacha20_chacha20_encrypt(mlen, cipher, m, k, n, (uint32_t)1U); + uint8_t tmp[64U] = { 0U }; + Hacl_Chacha20_chacha20_encrypt((uint32_t)64U, tmp, tmp, k, n, (uint32_t)0U); + uint8_t *key = tmp; + poly1305_do_32(key, aadlen, aad, mlen, cipher, mac); +} + +uint32_t +Hacl_Chacha20Poly1305_32_aead_decrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *mac +) +{ + uint8_t computed_mac[16U] = { 0U }; + uint8_t tmp[64U] = { 0U }; + Hacl_Chacha20_chacha20_encrypt((uint32_t)64U, tmp, tmp, k, n, (uint32_t)0U); + uint8_t *key = tmp; + poly1305_do_32(key, aadlen, aad, mlen, cipher, computed_mac); + uint8_t res = (uint8_t)255U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint8_t uu____0 = FStar_UInt8_eq_mask(computed_mac[i], mac[i]); + res = uu____0 & res; + } + uint8_t z = res; + if (z == (uint8_t)255U) + { + Hacl_Chacha20_chacha20_encrypt(mlen, m, cipher, k, n, (uint32_t)1U); + return (uint32_t)0U; + } + return (uint32_t)1U; 
+}
+
diff --git a/src/Hacl_Chacha20_Vec128.c b/src/Hacl_Chacha20_Vec128.c
new file mode 100644
index 00000000..cbb36e04
--- /dev/null
+++ b/src/Hacl_Chacha20_Vec128.c
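Review bot: The one-time Poly1305 key that `Hacl_Chacha20Poly1305_32_aead_encrypt` and `Hacl_Chacha20Poly1305_32_aead_decrypt` derive into `tmp[64U]` is never cleared before return, and neither are `ctx[25U]` in `poly1305_do_32` (which holds the key-derived values that `poly1305_padded_32` reads through `pre0` after `Hacl_Poly1305_32_poly1305_init(ctx, k)`) nor `computed_mac` in decrypt, so key material and the expected tag stay on the stack for later frames to read. After the `poly1305_do_32(...)` call in both public functions, wipe with a non-elidable primitive, e.g. `explicit_bzero(tmp, sizeof tmp);` where available (a plain `memset` just before return can be optimized away), and do the same for `ctx` at the end of `poly1305_do_32` and for `computed_mac` on both exits of decrypt. Since this file looks extracted from F* (the `internal/Hacl_Kremlib.h` include), the change presumably belongs in the extraction source or in a wrapper rather than in a hand edit of this file. Separately, in `poly1305_padded_32` `rem1` is `n * (uint32_t)16U % (uint32_t)16U`, which is always 0, so the whole `if (rem1 > (uint32_t)0U)` block is unreachable; a one-line comment saying the extractor leaves it in would save the next reader the analysis. The public entry points also carry no contract comment, and I would add to `_aead_decrypt`: `/* Returns 0 and fills m when mac verifies (branch-free compare over all 16 bytes); returns 1 and leaves m untouched otherwise. */`.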
@@ -0,0 +1,827 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Chacha20_Vec128.h" + +#include "internal/Hacl_Chacha20.h" + +static inline void double_round_128(Lib_IntVector_Intrinsics_vec128 *st) +{ + st[0U] = Lib_IntVector_Intrinsics_vec128_add32(st[0U], st[4U]); + Lib_IntVector_Intrinsics_vec128 std = Lib_IntVector_Intrinsics_vec128_xor(st[12U], st[0U]); + st[12U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std, (uint32_t)16U); + st[8U] = Lib_IntVector_Intrinsics_vec128_add32(st[8U], st[12U]); + Lib_IntVector_Intrinsics_vec128 std0 = Lib_IntVector_Intrinsics_vec128_xor(st[4U], st[8U]); + st[4U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std0, (uint32_t)12U); + st[0U] = Lib_IntVector_Intrinsics_vec128_add32(st[0U], st[4U]); + Lib_IntVector_Intrinsics_vec128 std1 = Lib_IntVector_Intrinsics_vec128_xor(st[12U], st[0U]); + st[12U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std1, (uint32_t)8U); + st[8U] = Lib_IntVector_Intrinsics_vec128_add32(st[8U], st[12U]); + Lib_IntVector_Intrinsics_vec128 std2 = Lib_IntVector_Intrinsics_vec128_xor(st[4U], st[8U]); + st[4U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std2, (uint32_t)7U); + st[1U] = Lib_IntVector_Intrinsics_vec128_add32(st[1U], st[5U]); + Lib_IntVector_Intrinsics_vec128 std3 = Lib_IntVector_Intrinsics_vec128_xor(st[13U], st[1U]); + st[13U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std3, (uint32_t)16U); + st[9U] = Lib_IntVector_Intrinsics_vec128_add32(st[9U], st[13U]); + Lib_IntVector_Intrinsics_vec128 std4 = Lib_IntVector_Intrinsics_vec128_xor(st[5U], st[9U]); + st[5U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std4, (uint32_t)12U); + st[1U] = Lib_IntVector_Intrinsics_vec128_add32(st[1U], st[5U]); + Lib_IntVector_Intrinsics_vec128 std5 = Lib_IntVector_Intrinsics_vec128_xor(st[13U], st[1U]); + st[13U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std5, (uint32_t)8U); + st[9U] = Lib_IntVector_Intrinsics_vec128_add32(st[9U], st[13U]); + Lib_IntVector_Intrinsics_vec128 std6 = Lib_IntVector_Intrinsics_vec128_xor(st[5U], 
st[9U]); + st[5U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std6, (uint32_t)7U); + st[2U] = Lib_IntVector_Intrinsics_vec128_add32(st[2U], st[6U]); + Lib_IntVector_Intrinsics_vec128 std7 = Lib_IntVector_Intrinsics_vec128_xor(st[14U], st[2U]); + st[14U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std7, (uint32_t)16U); + st[10U] = Lib_IntVector_Intrinsics_vec128_add32(st[10U], st[14U]); + Lib_IntVector_Intrinsics_vec128 std8 = Lib_IntVector_Intrinsics_vec128_xor(st[6U], st[10U]); + st[6U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std8, (uint32_t)12U); + st[2U] = Lib_IntVector_Intrinsics_vec128_add32(st[2U], st[6U]); + Lib_IntVector_Intrinsics_vec128 std9 = Lib_IntVector_Intrinsics_vec128_xor(st[14U], st[2U]); + st[14U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std9, (uint32_t)8U); + st[10U] = Lib_IntVector_Intrinsics_vec128_add32(st[10U], st[14U]); + Lib_IntVector_Intrinsics_vec128 std10 = Lib_IntVector_Intrinsics_vec128_xor(st[6U], st[10U]); + st[6U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std10, (uint32_t)7U); + st[3U] = Lib_IntVector_Intrinsics_vec128_add32(st[3U], st[7U]); + Lib_IntVector_Intrinsics_vec128 std11 = Lib_IntVector_Intrinsics_vec128_xor(st[15U], st[3U]); + st[15U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std11, (uint32_t)16U); + st[11U] = Lib_IntVector_Intrinsics_vec128_add32(st[11U], st[15U]); + Lib_IntVector_Intrinsics_vec128 std12 = Lib_IntVector_Intrinsics_vec128_xor(st[7U], st[11U]); + st[7U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std12, (uint32_t)12U); + st[3U] = Lib_IntVector_Intrinsics_vec128_add32(st[3U], st[7U]); + Lib_IntVector_Intrinsics_vec128 std13 = Lib_IntVector_Intrinsics_vec128_xor(st[15U], st[3U]); + st[15U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std13, (uint32_t)8U); + st[11U] = Lib_IntVector_Intrinsics_vec128_add32(st[11U], st[15U]); + Lib_IntVector_Intrinsics_vec128 std14 = Lib_IntVector_Intrinsics_vec128_xor(st[7U], st[11U]); + st[7U] = 
Lib_IntVector_Intrinsics_vec128_rotate_left32(std14, (uint32_t)7U); + st[0U] = Lib_IntVector_Intrinsics_vec128_add32(st[0U], st[5U]); + Lib_IntVector_Intrinsics_vec128 std15 = Lib_IntVector_Intrinsics_vec128_xor(st[15U], st[0U]); + st[15U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std15, (uint32_t)16U); + st[10U] = Lib_IntVector_Intrinsics_vec128_add32(st[10U], st[15U]); + Lib_IntVector_Intrinsics_vec128 std16 = Lib_IntVector_Intrinsics_vec128_xor(st[5U], st[10U]); + st[5U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std16, (uint32_t)12U); + st[0U] = Lib_IntVector_Intrinsics_vec128_add32(st[0U], st[5U]); + Lib_IntVector_Intrinsics_vec128 std17 = Lib_IntVector_Intrinsics_vec128_xor(st[15U], st[0U]); + st[15U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std17, (uint32_t)8U); + st[10U] = Lib_IntVector_Intrinsics_vec128_add32(st[10U], st[15U]); + Lib_IntVector_Intrinsics_vec128 std18 = Lib_IntVector_Intrinsics_vec128_xor(st[5U], st[10U]); + st[5U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std18, (uint32_t)7U); + st[1U] = Lib_IntVector_Intrinsics_vec128_add32(st[1U], st[6U]); + Lib_IntVector_Intrinsics_vec128 std19 = Lib_IntVector_Intrinsics_vec128_xor(st[12U], st[1U]); + st[12U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std19, (uint32_t)16U); + st[11U] = Lib_IntVector_Intrinsics_vec128_add32(st[11U], st[12U]); + Lib_IntVector_Intrinsics_vec128 std20 = Lib_IntVector_Intrinsics_vec128_xor(st[6U], st[11U]); + st[6U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std20, (uint32_t)12U); + st[1U] = Lib_IntVector_Intrinsics_vec128_add32(st[1U], st[6U]); + Lib_IntVector_Intrinsics_vec128 std21 = Lib_IntVector_Intrinsics_vec128_xor(st[12U], st[1U]); + st[12U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std21, (uint32_t)8U); + st[11U] = Lib_IntVector_Intrinsics_vec128_add32(st[11U], st[12U]); + Lib_IntVector_Intrinsics_vec128 std22 = Lib_IntVector_Intrinsics_vec128_xor(st[6U], st[11U]); + st[6U] = 
Lib_IntVector_Intrinsics_vec128_rotate_left32(std22, (uint32_t)7U); + st[2U] = Lib_IntVector_Intrinsics_vec128_add32(st[2U], st[7U]); + Lib_IntVector_Intrinsics_vec128 std23 = Lib_IntVector_Intrinsics_vec128_xor(st[13U], st[2U]); + st[13U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std23, (uint32_t)16U); + st[8U] = Lib_IntVector_Intrinsics_vec128_add32(st[8U], st[13U]); + Lib_IntVector_Intrinsics_vec128 std24 = Lib_IntVector_Intrinsics_vec128_xor(st[7U], st[8U]); + st[7U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std24, (uint32_t)12U); + st[2U] = Lib_IntVector_Intrinsics_vec128_add32(st[2U], st[7U]); + Lib_IntVector_Intrinsics_vec128 std25 = Lib_IntVector_Intrinsics_vec128_xor(st[13U], st[2U]); + st[13U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std25, (uint32_t)8U); + st[8U] = Lib_IntVector_Intrinsics_vec128_add32(st[8U], st[13U]); + Lib_IntVector_Intrinsics_vec128 std26 = Lib_IntVector_Intrinsics_vec128_xor(st[7U], st[8U]); + st[7U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std26, (uint32_t)7U); + st[3U] = Lib_IntVector_Intrinsics_vec128_add32(st[3U], st[4U]); + Lib_IntVector_Intrinsics_vec128 std27 = Lib_IntVector_Intrinsics_vec128_xor(st[14U], st[3U]); + st[14U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std27, (uint32_t)16U); + st[9U] = Lib_IntVector_Intrinsics_vec128_add32(st[9U], st[14U]); + Lib_IntVector_Intrinsics_vec128 std28 = Lib_IntVector_Intrinsics_vec128_xor(st[4U], st[9U]); + st[4U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std28, (uint32_t)12U); + st[3U] = Lib_IntVector_Intrinsics_vec128_add32(st[3U], st[4U]); + Lib_IntVector_Intrinsics_vec128 std29 = Lib_IntVector_Intrinsics_vec128_xor(st[14U], st[3U]); + st[14U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std29, (uint32_t)8U); + st[9U] = Lib_IntVector_Intrinsics_vec128_add32(st[9U], st[14U]); + Lib_IntVector_Intrinsics_vec128 std30 = Lib_IntVector_Intrinsics_vec128_xor(st[4U], st[9U]); + st[4U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std30, 
(uint32_t)7U); +} + +static inline void +chacha20_core_128( + Lib_IntVector_Intrinsics_vec128 *k, + Lib_IntVector_Intrinsics_vec128 *ctx, + uint32_t ctr +) +{ + memcpy(k, ctx, (uint32_t)16U * sizeof (Lib_IntVector_Intrinsics_vec128)); + uint32_t ctr_u32 = (uint32_t)4U * ctr; + Lib_IntVector_Intrinsics_vec128 cv = Lib_IntVector_Intrinsics_vec128_load32(ctr_u32); + k[12U] = Lib_IntVector_Intrinsics_vec128_add32(k[12U], cv); + double_round_128(k); + double_round_128(k); + double_round_128(k); + double_round_128(k); + double_round_128(k); + double_round_128(k); + double_round_128(k); + double_round_128(k); + double_round_128(k); + double_round_128(k); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec128 *os = k; + Lib_IntVector_Intrinsics_vec128 x = Lib_IntVector_Intrinsics_vec128_add32(k[i], ctx[i]); + os[i] = x; + } + k[12U] = Lib_IntVector_Intrinsics_vec128_add32(k[12U], cv); +} + +static inline void +chacha20_init_128(Lib_IntVector_Intrinsics_vec128 *ctx, uint8_t *k, uint8_t *n, uint32_t ctr) +{ + uint32_t ctx1[16U] = { 0U }; + uint32_t *uu____0 = ctx1; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = uu____0; + uint32_t x = Hacl_Impl_Chacha20_Vec_chacha20_constants[i]; + os[i] = x; + } + uint32_t *uu____1 = ctx1 + (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = uu____1; + uint8_t *bj = k + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + ctx1[12U] = ctr; + uint32_t *uu____2 = ctx1 + (uint32_t)13U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)3U; i++) + { + uint32_t *os = uu____2; + uint8_t *bj = n + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec128 *os = ctx; + uint32_t x = ctx1[i]; + Lib_IntVector_Intrinsics_vec128 x0 = 
Lib_IntVector_Intrinsics_vec128_load32(x); + os[i] = x0; + } + Lib_IntVector_Intrinsics_vec128 + ctr1 = + Lib_IntVector_Intrinsics_vec128_load32s((uint32_t)0U, + (uint32_t)1U, + (uint32_t)2U, + (uint32_t)3U); + Lib_IntVector_Intrinsics_vec128 c12 = ctx[12U]; + ctx[12U] = Lib_IntVector_Intrinsics_vec128_add32(c12, ctr1); +} + +void +Hacl_Chacha20_Vec128_chacha20_encrypt_128( + uint32_t len, + uint8_t *out, + uint8_t *text, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + Lib_IntVector_Intrinsics_vec128 ctx[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + ctx[_i] = Lib_IntVector_Intrinsics_vec128_zero; + chacha20_init_128(ctx, key, n, ctr); + uint32_t rem = len % (uint32_t)256U; + uint32_t nb = len / (uint32_t)256U; + uint32_t rem1 = len % (uint32_t)256U; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *uu____0 = out + i * (uint32_t)256U; + uint8_t *uu____1 = text + i * (uint32_t)256U; + Lib_IntVector_Intrinsics_vec128 k[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + k[_i] = Lib_IntVector_Intrinsics_vec128_zero; + chacha20_core_128(k, ctx, i); + Lib_IntVector_Intrinsics_vec128 st0 = k[0U]; + Lib_IntVector_Intrinsics_vec128 st1 = k[1U]; + Lib_IntVector_Intrinsics_vec128 st2 = k[2U]; + Lib_IntVector_Intrinsics_vec128 st3 = k[3U]; + Lib_IntVector_Intrinsics_vec128 st4 = k[4U]; + Lib_IntVector_Intrinsics_vec128 st5 = k[5U]; + Lib_IntVector_Intrinsics_vec128 st6 = k[6U]; + Lib_IntVector_Intrinsics_vec128 st7 = k[7U]; + Lib_IntVector_Intrinsics_vec128 st8 = k[8U]; + Lib_IntVector_Intrinsics_vec128 st9 = k[9U]; + Lib_IntVector_Intrinsics_vec128 st10 = k[10U]; + Lib_IntVector_Intrinsics_vec128 st11 = k[11U]; + Lib_IntVector_Intrinsics_vec128 st12 = k[12U]; + Lib_IntVector_Intrinsics_vec128 st13 = k[13U]; + Lib_IntVector_Intrinsics_vec128 st14 = k[14U]; + Lib_IntVector_Intrinsics_vec128 st15 = k[15U]; + Lib_IntVector_Intrinsics_vec128 + v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(st0, st1); + Lib_IntVector_Intrinsics_vec128 + 
v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(st0, st1); + Lib_IntVector_Intrinsics_vec128 + v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(st2, st3); + Lib_IntVector_Intrinsics_vec128 + v3_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(st2, st3); + Lib_IntVector_Intrinsics_vec128 + v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v2__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 + v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 v0__0 = v0__; + Lib_IntVector_Intrinsics_vec128 v2__0 = v2__; + Lib_IntVector_Intrinsics_vec128 v1__0 = v1__; + Lib_IntVector_Intrinsics_vec128 v3__0 = v3__; + Lib_IntVector_Intrinsics_vec128 v0 = v0__0; + Lib_IntVector_Intrinsics_vec128 v1 = v1__0; + Lib_IntVector_Intrinsics_vec128 v2 = v2__0; + Lib_IntVector_Intrinsics_vec128 v3 = v3__0; + Lib_IntVector_Intrinsics_vec128 + v0_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st4, st5); + Lib_IntVector_Intrinsics_vec128 + v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st4, st5); + Lib_IntVector_Intrinsics_vec128 + v2_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st6, st7); + Lib_IntVector_Intrinsics_vec128 + v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st6, st7); + Lib_IntVector_Intrinsics_vec128 + v0__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v1__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 + v3__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 v0__2 = v0__1; + Lib_IntVector_Intrinsics_vec128 v2__2 = v2__1; 
+ Lib_IntVector_Intrinsics_vec128 v1__2 = v1__1; + Lib_IntVector_Intrinsics_vec128 v3__2 = v3__1; + Lib_IntVector_Intrinsics_vec128 v4 = v0__2; + Lib_IntVector_Intrinsics_vec128 v5 = v1__2; + Lib_IntVector_Intrinsics_vec128 v6 = v2__2; + Lib_IntVector_Intrinsics_vec128 v7 = v3__2; + Lib_IntVector_Intrinsics_vec128 + v0_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st8, st9); + Lib_IntVector_Intrinsics_vec128 + v1_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st8, st9); + Lib_IntVector_Intrinsics_vec128 + v2_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st10, st11); + Lib_IntVector_Intrinsics_vec128 + v3_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st10, st11); + Lib_IntVector_Intrinsics_vec128 + v0__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v1__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v2__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 + v3__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 v0__4 = v0__3; + Lib_IntVector_Intrinsics_vec128 v2__4 = v2__3; + Lib_IntVector_Intrinsics_vec128 v1__4 = v1__3; + Lib_IntVector_Intrinsics_vec128 v3__4 = v3__3; + Lib_IntVector_Intrinsics_vec128 v8 = v0__4; + Lib_IntVector_Intrinsics_vec128 v9 = v1__4; + Lib_IntVector_Intrinsics_vec128 v10 = v2__4; + Lib_IntVector_Intrinsics_vec128 v11 = v3__4; + Lib_IntVector_Intrinsics_vec128 + v0_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st12, st13); + Lib_IntVector_Intrinsics_vec128 + v1_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st12, st13); + Lib_IntVector_Intrinsics_vec128 + v2_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st14, st15); + Lib_IntVector_Intrinsics_vec128 + v3_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st14, st15); + Lib_IntVector_Intrinsics_vec128 + v0__5 = 
Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v1__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v2__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 + v3__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 v0__6 = v0__5; + Lib_IntVector_Intrinsics_vec128 v2__6 = v2__5; + Lib_IntVector_Intrinsics_vec128 v1__6 = v1__5; + Lib_IntVector_Intrinsics_vec128 v3__6 = v3__5; + Lib_IntVector_Intrinsics_vec128 v12 = v0__6; + Lib_IntVector_Intrinsics_vec128 v13 = v1__6; + Lib_IntVector_Intrinsics_vec128 v14 = v2__6; + Lib_IntVector_Intrinsics_vec128 v15 = v3__6; + k[0U] = v0; + k[1U] = v4; + k[2U] = v8; + k[3U] = v12; + k[4U] = v1; + k[5U] = v5; + k[6U] = v9; + k[7U] = v13; + k[8U] = v2; + k[9U] = v6; + k[10U] = v10; + k[11U] = v14; + k[12U] = v3; + k[13U] = v7; + k[14U] = v11; + k[15U] = v15; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)16U; i0++) + { + Lib_IntVector_Intrinsics_vec128 + x = Lib_IntVector_Intrinsics_vec128_load32_le(uu____1 + i0 * (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 y = Lib_IntVector_Intrinsics_vec128_xor(x, k[i0]); + Lib_IntVector_Intrinsics_vec128_store32_le(uu____0 + i0 * (uint32_t)16U, y); + } + } + if (rem1 > (uint32_t)0U) + { + uint8_t *uu____2 = out + nb * (uint32_t)256U; + uint8_t *uu____3 = text + nb * (uint32_t)256U; + uint8_t plain[256U] = { 0U }; + memcpy(plain, uu____3, rem * sizeof (uint8_t)); + Lib_IntVector_Intrinsics_vec128 k[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + k[_i] = Lib_IntVector_Intrinsics_vec128_zero; + chacha20_core_128(k, ctx, nb); + Lib_IntVector_Intrinsics_vec128 st0 = k[0U]; + Lib_IntVector_Intrinsics_vec128 st1 = k[1U]; + Lib_IntVector_Intrinsics_vec128 st2 = k[2U]; + Lib_IntVector_Intrinsics_vec128 st3 = k[3U]; + Lib_IntVector_Intrinsics_vec128 st4 = k[4U]; + 
Lib_IntVector_Intrinsics_vec128 st5 = k[5U]; + Lib_IntVector_Intrinsics_vec128 st6 = k[6U]; + Lib_IntVector_Intrinsics_vec128 st7 = k[7U]; + Lib_IntVector_Intrinsics_vec128 st8 = k[8U]; + Lib_IntVector_Intrinsics_vec128 st9 = k[9U]; + Lib_IntVector_Intrinsics_vec128 st10 = k[10U]; + Lib_IntVector_Intrinsics_vec128 st11 = k[11U]; + Lib_IntVector_Intrinsics_vec128 st12 = k[12U]; + Lib_IntVector_Intrinsics_vec128 st13 = k[13U]; + Lib_IntVector_Intrinsics_vec128 st14 = k[14U]; + Lib_IntVector_Intrinsics_vec128 st15 = k[15U]; + Lib_IntVector_Intrinsics_vec128 + v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(st0, st1); + Lib_IntVector_Intrinsics_vec128 + v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(st0, st1); + Lib_IntVector_Intrinsics_vec128 + v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(st2, st3); + Lib_IntVector_Intrinsics_vec128 + v3_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(st2, st3); + Lib_IntVector_Intrinsics_vec128 + v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v2__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 + v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 v0__0 = v0__; + Lib_IntVector_Intrinsics_vec128 v2__0 = v2__; + Lib_IntVector_Intrinsics_vec128 v1__0 = v1__; + Lib_IntVector_Intrinsics_vec128 v3__0 = v3__; + Lib_IntVector_Intrinsics_vec128 v0 = v0__0; + Lib_IntVector_Intrinsics_vec128 v1 = v1__0; + Lib_IntVector_Intrinsics_vec128 v2 = v2__0; + Lib_IntVector_Intrinsics_vec128 v3 = v3__0; + Lib_IntVector_Intrinsics_vec128 + v0_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st4, st5); + Lib_IntVector_Intrinsics_vec128 + v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st4, st5); + Lib_IntVector_Intrinsics_vec128 + v2_0 = 
Lib_IntVector_Intrinsics_vec128_interleave_low32(st6, st7); + Lib_IntVector_Intrinsics_vec128 + v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st6, st7); + Lib_IntVector_Intrinsics_vec128 + v0__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v1__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 + v3__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 v0__2 = v0__1; + Lib_IntVector_Intrinsics_vec128 v2__2 = v2__1; + Lib_IntVector_Intrinsics_vec128 v1__2 = v1__1; + Lib_IntVector_Intrinsics_vec128 v3__2 = v3__1; + Lib_IntVector_Intrinsics_vec128 v4 = v0__2; + Lib_IntVector_Intrinsics_vec128 v5 = v1__2; + Lib_IntVector_Intrinsics_vec128 v6 = v2__2; + Lib_IntVector_Intrinsics_vec128 v7 = v3__2; + Lib_IntVector_Intrinsics_vec128 + v0_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st8, st9); + Lib_IntVector_Intrinsics_vec128 + v1_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st8, st9); + Lib_IntVector_Intrinsics_vec128 + v2_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st10, st11); + Lib_IntVector_Intrinsics_vec128 + v3_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st10, st11); + Lib_IntVector_Intrinsics_vec128 + v0__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v1__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v2__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 + v3__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 v0__4 = v0__3; + Lib_IntVector_Intrinsics_vec128 v2__4 = v2__3; + Lib_IntVector_Intrinsics_vec128 v1__4 = v1__3; + Lib_IntVector_Intrinsics_vec128 
v3__4 = v3__3; + Lib_IntVector_Intrinsics_vec128 v8 = v0__4; + Lib_IntVector_Intrinsics_vec128 v9 = v1__4; + Lib_IntVector_Intrinsics_vec128 v10 = v2__4; + Lib_IntVector_Intrinsics_vec128 v11 = v3__4; + Lib_IntVector_Intrinsics_vec128 + v0_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st12, st13); + Lib_IntVector_Intrinsics_vec128 + v1_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st12, st13); + Lib_IntVector_Intrinsics_vec128 + v2_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st14, st15); + Lib_IntVector_Intrinsics_vec128 + v3_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st14, st15); + Lib_IntVector_Intrinsics_vec128 + v0__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v1__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v2__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 + v3__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 v0__6 = v0__5; + Lib_IntVector_Intrinsics_vec128 v2__6 = v2__5; + Lib_IntVector_Intrinsics_vec128 v1__6 = v1__5; + Lib_IntVector_Intrinsics_vec128 v3__6 = v3__5; + Lib_IntVector_Intrinsics_vec128 v12 = v0__6; + Lib_IntVector_Intrinsics_vec128 v13 = v1__6; + Lib_IntVector_Intrinsics_vec128 v14 = v2__6; + Lib_IntVector_Intrinsics_vec128 v15 = v3__6; + k[0U] = v0; + k[1U] = v4; + k[2U] = v8; + k[3U] = v12; + k[4U] = v1; + k[5U] = v5; + k[6U] = v9; + k[7U] = v13; + k[8U] = v2; + k[9U] = v6; + k[10U] = v10; + k[11U] = v14; + k[12U] = v3; + k[13U] = v7; + k[14U] = v11; + k[15U] = v15; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec128 + x = Lib_IntVector_Intrinsics_vec128_load32_le(plain + i * (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 y = Lib_IntVector_Intrinsics_vec128_xor(x, k[i]); + Lib_IntVector_Intrinsics_vec128_store32_le(plain + i * (uint32_t)16U, 
y); + } + memcpy(uu____2, plain, rem * sizeof (uint8_t)); + } +} + +void +Hacl_Chacha20_Vec128_chacha20_decrypt_128( + uint32_t len, + uint8_t *out, + uint8_t *cipher, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + Lib_IntVector_Intrinsics_vec128 ctx[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + ctx[_i] = Lib_IntVector_Intrinsics_vec128_zero; + chacha20_init_128(ctx, key, n, ctr); + uint32_t rem = len % (uint32_t)256U; + uint32_t nb = len / (uint32_t)256U; + uint32_t rem1 = len % (uint32_t)256U; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *uu____0 = out + i * (uint32_t)256U; + uint8_t *uu____1 = cipher + i * (uint32_t)256U; + Lib_IntVector_Intrinsics_vec128 k[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + k[_i] = Lib_IntVector_Intrinsics_vec128_zero; + chacha20_core_128(k, ctx, i); + Lib_IntVector_Intrinsics_vec128 st0 = k[0U]; + Lib_IntVector_Intrinsics_vec128 st1 = k[1U]; + Lib_IntVector_Intrinsics_vec128 st2 = k[2U]; + Lib_IntVector_Intrinsics_vec128 st3 = k[3U]; + Lib_IntVector_Intrinsics_vec128 st4 = k[4U]; + Lib_IntVector_Intrinsics_vec128 st5 = k[5U]; + Lib_IntVector_Intrinsics_vec128 st6 = k[6U]; + Lib_IntVector_Intrinsics_vec128 st7 = k[7U]; + Lib_IntVector_Intrinsics_vec128 st8 = k[8U]; + Lib_IntVector_Intrinsics_vec128 st9 = k[9U]; + Lib_IntVector_Intrinsics_vec128 st10 = k[10U]; + Lib_IntVector_Intrinsics_vec128 st11 = k[11U]; + Lib_IntVector_Intrinsics_vec128 st12 = k[12U]; + Lib_IntVector_Intrinsics_vec128 st13 = k[13U]; + Lib_IntVector_Intrinsics_vec128 st14 = k[14U]; + Lib_IntVector_Intrinsics_vec128 st15 = k[15U]; + Lib_IntVector_Intrinsics_vec128 + v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(st0, st1); + Lib_IntVector_Intrinsics_vec128 + v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(st0, st1); + Lib_IntVector_Intrinsics_vec128 + v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(st2, st3); + Lib_IntVector_Intrinsics_vec128 + v3_ = 
Lib_IntVector_Intrinsics_vec128_interleave_high32(st2, st3); + Lib_IntVector_Intrinsics_vec128 + v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v2__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 + v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 v0__0 = v0__; + Lib_IntVector_Intrinsics_vec128 v2__0 = v2__; + Lib_IntVector_Intrinsics_vec128 v1__0 = v1__; + Lib_IntVector_Intrinsics_vec128 v3__0 = v3__; + Lib_IntVector_Intrinsics_vec128 v0 = v0__0; + Lib_IntVector_Intrinsics_vec128 v1 = v1__0; + Lib_IntVector_Intrinsics_vec128 v2 = v2__0; + Lib_IntVector_Intrinsics_vec128 v3 = v3__0; + Lib_IntVector_Intrinsics_vec128 + v0_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st4, st5); + Lib_IntVector_Intrinsics_vec128 + v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st4, st5); + Lib_IntVector_Intrinsics_vec128 + v2_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st6, st7); + Lib_IntVector_Intrinsics_vec128 + v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st6, st7); + Lib_IntVector_Intrinsics_vec128 + v0__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v1__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 + v3__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 v0__2 = v0__1; + Lib_IntVector_Intrinsics_vec128 v2__2 = v2__1; + Lib_IntVector_Intrinsics_vec128 v1__2 = v1__1; + Lib_IntVector_Intrinsics_vec128 v3__2 = v3__1; + Lib_IntVector_Intrinsics_vec128 v4 = v0__2; + Lib_IntVector_Intrinsics_vec128 v5 = v1__2; + 
Lib_IntVector_Intrinsics_vec128 v6 = v2__2; + Lib_IntVector_Intrinsics_vec128 v7 = v3__2; + Lib_IntVector_Intrinsics_vec128 + v0_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st8, st9); + Lib_IntVector_Intrinsics_vec128 + v1_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st8, st9); + Lib_IntVector_Intrinsics_vec128 + v2_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st10, st11); + Lib_IntVector_Intrinsics_vec128 + v3_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st10, st11); + Lib_IntVector_Intrinsics_vec128 + v0__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v1__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v2__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 + v3__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 v0__4 = v0__3; + Lib_IntVector_Intrinsics_vec128 v2__4 = v2__3; + Lib_IntVector_Intrinsics_vec128 v1__4 = v1__3; + Lib_IntVector_Intrinsics_vec128 v3__4 = v3__3; + Lib_IntVector_Intrinsics_vec128 v8 = v0__4; + Lib_IntVector_Intrinsics_vec128 v9 = v1__4; + Lib_IntVector_Intrinsics_vec128 v10 = v2__4; + Lib_IntVector_Intrinsics_vec128 v11 = v3__4; + Lib_IntVector_Intrinsics_vec128 + v0_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st12, st13); + Lib_IntVector_Intrinsics_vec128 + v1_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st12, st13); + Lib_IntVector_Intrinsics_vec128 + v2_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st14, st15); + Lib_IntVector_Intrinsics_vec128 + v3_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st14, st15); + Lib_IntVector_Intrinsics_vec128 + v0__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v1__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v2__5 = 
Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 + v3__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 v0__6 = v0__5; + Lib_IntVector_Intrinsics_vec128 v2__6 = v2__5; + Lib_IntVector_Intrinsics_vec128 v1__6 = v1__5; + Lib_IntVector_Intrinsics_vec128 v3__6 = v3__5; + Lib_IntVector_Intrinsics_vec128 v12 = v0__6; + Lib_IntVector_Intrinsics_vec128 v13 = v1__6; + Lib_IntVector_Intrinsics_vec128 v14 = v2__6; + Lib_IntVector_Intrinsics_vec128 v15 = v3__6; + k[0U] = v0; + k[1U] = v4; + k[2U] = v8; + k[3U] = v12; + k[4U] = v1; + k[5U] = v5; + k[6U] = v9; + k[7U] = v13; + k[8U] = v2; + k[9U] = v6; + k[10U] = v10; + k[11U] = v14; + k[12U] = v3; + k[13U] = v7; + k[14U] = v11; + k[15U] = v15; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)16U; i0++) + { + Lib_IntVector_Intrinsics_vec128 + x = Lib_IntVector_Intrinsics_vec128_load32_le(uu____1 + i0 * (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 y = Lib_IntVector_Intrinsics_vec128_xor(x, k[i0]); + Lib_IntVector_Intrinsics_vec128_store32_le(uu____0 + i0 * (uint32_t)16U, y); + } + } + if (rem1 > (uint32_t)0U) + { + uint8_t *uu____2 = out + nb * (uint32_t)256U; + uint8_t *uu____3 = cipher + nb * (uint32_t)256U; + uint8_t plain[256U] = { 0U }; + memcpy(plain, uu____3, rem * sizeof (uint8_t)); + Lib_IntVector_Intrinsics_vec128 k[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + k[_i] = Lib_IntVector_Intrinsics_vec128_zero; + chacha20_core_128(k, ctx, nb); + Lib_IntVector_Intrinsics_vec128 st0 = k[0U]; + Lib_IntVector_Intrinsics_vec128 st1 = k[1U]; + Lib_IntVector_Intrinsics_vec128 st2 = k[2U]; + Lib_IntVector_Intrinsics_vec128 st3 = k[3U]; + Lib_IntVector_Intrinsics_vec128 st4 = k[4U]; + Lib_IntVector_Intrinsics_vec128 st5 = k[5U]; + Lib_IntVector_Intrinsics_vec128 st6 = k[6U]; + Lib_IntVector_Intrinsics_vec128 st7 = k[7U]; + Lib_IntVector_Intrinsics_vec128 st8 = k[8U]; + Lib_IntVector_Intrinsics_vec128 st9 = k[9U]; + 
Lib_IntVector_Intrinsics_vec128 st10 = k[10U]; + Lib_IntVector_Intrinsics_vec128 st11 = k[11U]; + Lib_IntVector_Intrinsics_vec128 st12 = k[12U]; + Lib_IntVector_Intrinsics_vec128 st13 = k[13U]; + Lib_IntVector_Intrinsics_vec128 st14 = k[14U]; + Lib_IntVector_Intrinsics_vec128 st15 = k[15U]; + Lib_IntVector_Intrinsics_vec128 + v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(st0, st1); + Lib_IntVector_Intrinsics_vec128 + v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(st0, st1); + Lib_IntVector_Intrinsics_vec128 + v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(st2, st3); + Lib_IntVector_Intrinsics_vec128 + v3_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(st2, st3); + Lib_IntVector_Intrinsics_vec128 + v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v2__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 + v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 v0__0 = v0__; + Lib_IntVector_Intrinsics_vec128 v2__0 = v2__; + Lib_IntVector_Intrinsics_vec128 v1__0 = v1__; + Lib_IntVector_Intrinsics_vec128 v3__0 = v3__; + Lib_IntVector_Intrinsics_vec128 v0 = v0__0; + Lib_IntVector_Intrinsics_vec128 v1 = v1__0; + Lib_IntVector_Intrinsics_vec128 v2 = v2__0; + Lib_IntVector_Intrinsics_vec128 v3 = v3__0; + Lib_IntVector_Intrinsics_vec128 + v0_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st4, st5); + Lib_IntVector_Intrinsics_vec128 + v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st4, st5); + Lib_IntVector_Intrinsics_vec128 + v2_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st6, st7); + Lib_IntVector_Intrinsics_vec128 + v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st6, st7); + Lib_IntVector_Intrinsics_vec128 + v0__1 = 
Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v1__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 + v3__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 v0__2 = v0__1; + Lib_IntVector_Intrinsics_vec128 v2__2 = v2__1; + Lib_IntVector_Intrinsics_vec128 v1__2 = v1__1; + Lib_IntVector_Intrinsics_vec128 v3__2 = v3__1; + Lib_IntVector_Intrinsics_vec128 v4 = v0__2; + Lib_IntVector_Intrinsics_vec128 v5 = v1__2; + Lib_IntVector_Intrinsics_vec128 v6 = v2__2; + Lib_IntVector_Intrinsics_vec128 v7 = v3__2; + Lib_IntVector_Intrinsics_vec128 + v0_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st8, st9); + Lib_IntVector_Intrinsics_vec128 + v1_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st8, st9); + Lib_IntVector_Intrinsics_vec128 + v2_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st10, st11); + Lib_IntVector_Intrinsics_vec128 + v3_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st10, st11); + Lib_IntVector_Intrinsics_vec128 + v0__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v1__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v2__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 + v3__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 v0__4 = v0__3; + Lib_IntVector_Intrinsics_vec128 v2__4 = v2__3; + Lib_IntVector_Intrinsics_vec128 v1__4 = v1__3; + Lib_IntVector_Intrinsics_vec128 v3__4 = v3__3; + Lib_IntVector_Intrinsics_vec128 v8 = v0__4; + Lib_IntVector_Intrinsics_vec128 v9 = v1__4; + Lib_IntVector_Intrinsics_vec128 v10 = v2__4; + Lib_IntVector_Intrinsics_vec128 v11 = v3__4; + 
Lib_IntVector_Intrinsics_vec128 + v0_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st12, st13); + Lib_IntVector_Intrinsics_vec128 + v1_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st12, st13); + Lib_IntVector_Intrinsics_vec128 + v2_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st14, st15); + Lib_IntVector_Intrinsics_vec128 + v3_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st14, st15); + Lib_IntVector_Intrinsics_vec128 + v0__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v1__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v2__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 + v3__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 v0__6 = v0__5; + Lib_IntVector_Intrinsics_vec128 v2__6 = v2__5; + Lib_IntVector_Intrinsics_vec128 v1__6 = v1__5; + Lib_IntVector_Intrinsics_vec128 v3__6 = v3__5; + Lib_IntVector_Intrinsics_vec128 v12 = v0__6; + Lib_IntVector_Intrinsics_vec128 v13 = v1__6; + Lib_IntVector_Intrinsics_vec128 v14 = v2__6; + Lib_IntVector_Intrinsics_vec128 v15 = v3__6; + k[0U] = v0; + k[1U] = v4; + k[2U] = v8; + k[3U] = v12; + k[4U] = v1; + k[5U] = v5; + k[6U] = v9; + k[7U] = v13; + k[8U] = v2; + k[9U] = v6; + k[10U] = v10; + k[11U] = v14; + k[12U] = v3; + k[13U] = v7; + k[14U] = v11; + k[15U] = v15; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec128 + x = Lib_IntVector_Intrinsics_vec128_load32_le(plain + i * (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 y = Lib_IntVector_Intrinsics_vec128_xor(x, k[i]); + Lib_IntVector_Intrinsics_vec128_store32_le(plain + i * (uint32_t)16U, y); + } + memcpy(uu____2, plain, rem * sizeof (uint8_t)); + } +} + diff --git a/src/Hacl_Chacha20_Vec256.c b/src/Hacl_Chacha20_Vec256.c new file mode 100644 index 00000000..746e3993 --- /dev/null 
+++ b/src/Hacl_Chacha20_Vec256.c 
@@ -0,0 +1,1215 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */ + + +#include "Hacl_Chacha20_Vec256.h" + +#include "internal/Hacl_Chacha20.h" + +static inline void double_round_256(Lib_IntVector_Intrinsics_vec256 *st) +{ + st[0U] = Lib_IntVector_Intrinsics_vec256_add32(st[0U], st[4U]); + Lib_IntVector_Intrinsics_vec256 std = Lib_IntVector_Intrinsics_vec256_xor(st[12U], st[0U]); + st[12U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std, (uint32_t)16U); + st[8U] = Lib_IntVector_Intrinsics_vec256_add32(st[8U], st[12U]); + Lib_IntVector_Intrinsics_vec256 std0 = Lib_IntVector_Intrinsics_vec256_xor(st[4U], st[8U]); + st[4U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std0, (uint32_t)12U); + st[0U] = Lib_IntVector_Intrinsics_vec256_add32(st[0U], st[4U]); + Lib_IntVector_Intrinsics_vec256 std1 = Lib_IntVector_Intrinsics_vec256_xor(st[12U], st[0U]); + st[12U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std1, (uint32_t)8U); + st[8U] = Lib_IntVector_Intrinsics_vec256_add32(st[8U], st[12U]); + Lib_IntVector_Intrinsics_vec256 std2 = Lib_IntVector_Intrinsics_vec256_xor(st[4U], st[8U]); + st[4U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std2, (uint32_t)7U); + st[1U] = Lib_IntVector_Intrinsics_vec256_add32(st[1U], st[5U]); + Lib_IntVector_Intrinsics_vec256 std3 = Lib_IntVector_Intrinsics_vec256_xor(st[13U], st[1U]); + st[13U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std3, (uint32_t)16U); + st[9U] = Lib_IntVector_Intrinsics_vec256_add32(st[9U], st[13U]); + Lib_IntVector_Intrinsics_vec256 std4 = Lib_IntVector_Intrinsics_vec256_xor(st[5U], st[9U]); + st[5U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std4, (uint32_t)12U); + st[1U] = Lib_IntVector_Intrinsics_vec256_add32(st[1U], st[5U]); + Lib_IntVector_Intrinsics_vec256 std5 = Lib_IntVector_Intrinsics_vec256_xor(st[13U], st[1U]); + st[13U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std5, (uint32_t)8U); + st[9U] = Lib_IntVector_Intrinsics_vec256_add32(st[9U], st[13U]); + Lib_IntVector_Intrinsics_vec256 std6 = Lib_IntVector_Intrinsics_vec256_xor(st[5U], 
st[9U]); + st[5U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std6, (uint32_t)7U); + st[2U] = Lib_IntVector_Intrinsics_vec256_add32(st[2U], st[6U]); + Lib_IntVector_Intrinsics_vec256 std7 = Lib_IntVector_Intrinsics_vec256_xor(st[14U], st[2U]); + st[14U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std7, (uint32_t)16U); + st[10U] = Lib_IntVector_Intrinsics_vec256_add32(st[10U], st[14U]); + Lib_IntVector_Intrinsics_vec256 std8 = Lib_IntVector_Intrinsics_vec256_xor(st[6U], st[10U]); + st[6U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std8, (uint32_t)12U); + st[2U] = Lib_IntVector_Intrinsics_vec256_add32(st[2U], st[6U]); + Lib_IntVector_Intrinsics_vec256 std9 = Lib_IntVector_Intrinsics_vec256_xor(st[14U], st[2U]); + st[14U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std9, (uint32_t)8U); + st[10U] = Lib_IntVector_Intrinsics_vec256_add32(st[10U], st[14U]); + Lib_IntVector_Intrinsics_vec256 std10 = Lib_IntVector_Intrinsics_vec256_xor(st[6U], st[10U]); + st[6U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std10, (uint32_t)7U); + st[3U] = Lib_IntVector_Intrinsics_vec256_add32(st[3U], st[7U]); + Lib_IntVector_Intrinsics_vec256 std11 = Lib_IntVector_Intrinsics_vec256_xor(st[15U], st[3U]); + st[15U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std11, (uint32_t)16U); + st[11U] = Lib_IntVector_Intrinsics_vec256_add32(st[11U], st[15U]); + Lib_IntVector_Intrinsics_vec256 std12 = Lib_IntVector_Intrinsics_vec256_xor(st[7U], st[11U]); + st[7U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std12, (uint32_t)12U); + st[3U] = Lib_IntVector_Intrinsics_vec256_add32(st[3U], st[7U]); + Lib_IntVector_Intrinsics_vec256 std13 = Lib_IntVector_Intrinsics_vec256_xor(st[15U], st[3U]); + st[15U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std13, (uint32_t)8U); + st[11U] = Lib_IntVector_Intrinsics_vec256_add32(st[11U], st[15U]); + Lib_IntVector_Intrinsics_vec256 std14 = Lib_IntVector_Intrinsics_vec256_xor(st[7U], st[11U]); + st[7U] = 
Lib_IntVector_Intrinsics_vec256_rotate_left32(std14, (uint32_t)7U); + st[0U] = Lib_IntVector_Intrinsics_vec256_add32(st[0U], st[5U]); + Lib_IntVector_Intrinsics_vec256 std15 = Lib_IntVector_Intrinsics_vec256_xor(st[15U], st[0U]); + st[15U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std15, (uint32_t)16U); + st[10U] = Lib_IntVector_Intrinsics_vec256_add32(st[10U], st[15U]); + Lib_IntVector_Intrinsics_vec256 std16 = Lib_IntVector_Intrinsics_vec256_xor(st[5U], st[10U]); + st[5U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std16, (uint32_t)12U); + st[0U] = Lib_IntVector_Intrinsics_vec256_add32(st[0U], st[5U]); + Lib_IntVector_Intrinsics_vec256 std17 = Lib_IntVector_Intrinsics_vec256_xor(st[15U], st[0U]); + st[15U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std17, (uint32_t)8U); + st[10U] = Lib_IntVector_Intrinsics_vec256_add32(st[10U], st[15U]); + Lib_IntVector_Intrinsics_vec256 std18 = Lib_IntVector_Intrinsics_vec256_xor(st[5U], st[10U]); + st[5U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std18, (uint32_t)7U); + st[1U] = Lib_IntVector_Intrinsics_vec256_add32(st[1U], st[6U]); + Lib_IntVector_Intrinsics_vec256 std19 = Lib_IntVector_Intrinsics_vec256_xor(st[12U], st[1U]); + st[12U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std19, (uint32_t)16U); + st[11U] = Lib_IntVector_Intrinsics_vec256_add32(st[11U], st[12U]); + Lib_IntVector_Intrinsics_vec256 std20 = Lib_IntVector_Intrinsics_vec256_xor(st[6U], st[11U]); + st[6U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std20, (uint32_t)12U); + st[1U] = Lib_IntVector_Intrinsics_vec256_add32(st[1U], st[6U]); + Lib_IntVector_Intrinsics_vec256 std21 = Lib_IntVector_Intrinsics_vec256_xor(st[12U], st[1U]); + st[12U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std21, (uint32_t)8U); + st[11U] = Lib_IntVector_Intrinsics_vec256_add32(st[11U], st[12U]); + Lib_IntVector_Intrinsics_vec256 std22 = Lib_IntVector_Intrinsics_vec256_xor(st[6U], st[11U]); + st[6U] = 
Lib_IntVector_Intrinsics_vec256_rotate_left32(std22, (uint32_t)7U); + st[2U] = Lib_IntVector_Intrinsics_vec256_add32(st[2U], st[7U]); + Lib_IntVector_Intrinsics_vec256 std23 = Lib_IntVector_Intrinsics_vec256_xor(st[13U], st[2U]); + st[13U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std23, (uint32_t)16U); + st[8U] = Lib_IntVector_Intrinsics_vec256_add32(st[8U], st[13U]); + Lib_IntVector_Intrinsics_vec256 std24 = Lib_IntVector_Intrinsics_vec256_xor(st[7U], st[8U]); + st[7U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std24, (uint32_t)12U); + st[2U] = Lib_IntVector_Intrinsics_vec256_add32(st[2U], st[7U]); + Lib_IntVector_Intrinsics_vec256 std25 = Lib_IntVector_Intrinsics_vec256_xor(st[13U], st[2U]); + st[13U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std25, (uint32_t)8U); + st[8U] = Lib_IntVector_Intrinsics_vec256_add32(st[8U], st[13U]); + Lib_IntVector_Intrinsics_vec256 std26 = Lib_IntVector_Intrinsics_vec256_xor(st[7U], st[8U]); + st[7U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std26, (uint32_t)7U); + st[3U] = Lib_IntVector_Intrinsics_vec256_add32(st[3U], st[4U]); + Lib_IntVector_Intrinsics_vec256 std27 = Lib_IntVector_Intrinsics_vec256_xor(st[14U], st[3U]); + st[14U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std27, (uint32_t)16U); + st[9U] = Lib_IntVector_Intrinsics_vec256_add32(st[9U], st[14U]); + Lib_IntVector_Intrinsics_vec256 std28 = Lib_IntVector_Intrinsics_vec256_xor(st[4U], st[9U]); + st[4U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std28, (uint32_t)12U); + st[3U] = Lib_IntVector_Intrinsics_vec256_add32(st[3U], st[4U]); + Lib_IntVector_Intrinsics_vec256 std29 = Lib_IntVector_Intrinsics_vec256_xor(st[14U], st[3U]); + st[14U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std29, (uint32_t)8U); + st[9U] = Lib_IntVector_Intrinsics_vec256_add32(st[9U], st[14U]); + Lib_IntVector_Intrinsics_vec256 std30 = Lib_IntVector_Intrinsics_vec256_xor(st[4U], st[9U]); + st[4U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std30, 
(uint32_t)7U); +} + +static inline void +chacha20_core_256( + Lib_IntVector_Intrinsics_vec256 *k, + Lib_IntVector_Intrinsics_vec256 *ctx, + uint32_t ctr +) +{ + memcpy(k, ctx, (uint32_t)16U * sizeof (Lib_IntVector_Intrinsics_vec256)); + uint32_t ctr_u32 = (uint32_t)8U * ctr; + Lib_IntVector_Intrinsics_vec256 cv = Lib_IntVector_Intrinsics_vec256_load32(ctr_u32); + k[12U] = Lib_IntVector_Intrinsics_vec256_add32(k[12U], cv); + double_round_256(k); + double_round_256(k); + double_round_256(k); + double_round_256(k); + double_round_256(k); + double_round_256(k); + double_round_256(k); + double_round_256(k); + double_round_256(k); + double_round_256(k); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec256 *os = k; + Lib_IntVector_Intrinsics_vec256 x = Lib_IntVector_Intrinsics_vec256_add32(k[i], ctx[i]); + os[i] = x; + } + k[12U] = Lib_IntVector_Intrinsics_vec256_add32(k[12U], cv); +} + +static inline void +chacha20_init_256(Lib_IntVector_Intrinsics_vec256 *ctx, uint8_t *k, uint8_t *n, uint32_t ctr) +{ + uint32_t ctx1[16U] = { 0U }; + uint32_t *uu____0 = ctx1; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = uu____0; + uint32_t x = Hacl_Impl_Chacha20_Vec_chacha20_constants[i]; + os[i] = x; + } + uint32_t *uu____1 = ctx1 + (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = uu____1; + uint8_t *bj = k + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + ctx1[12U] = ctr; + uint32_t *uu____2 = ctx1 + (uint32_t)13U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)3U; i++) + { + uint32_t *os = uu____2; + uint8_t *bj = n + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec256 *os = ctx; + uint32_t x = ctx1[i]; + Lib_IntVector_Intrinsics_vec256 x0 = 
Lib_IntVector_Intrinsics_vec256_load32(x); + os[i] = x0; + } + Lib_IntVector_Intrinsics_vec256 + ctr1 = + Lib_IntVector_Intrinsics_vec256_load32s((uint32_t)0U, + (uint32_t)1U, + (uint32_t)2U, + (uint32_t)3U, + (uint32_t)4U, + (uint32_t)5U, + (uint32_t)6U, + (uint32_t)7U); + Lib_IntVector_Intrinsics_vec256 c12 = ctx[12U]; + ctx[12U] = Lib_IntVector_Intrinsics_vec256_add32(c12, ctr1); +} + +void +Hacl_Chacha20_Vec256_chacha20_encrypt_256( + uint32_t len, + uint8_t *out, + uint8_t *text, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + Lib_IntVector_Intrinsics_vec256 ctx[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + ctx[_i] = Lib_IntVector_Intrinsics_vec256_zero; + chacha20_init_256(ctx, key, n, ctr); + uint32_t rem = len % (uint32_t)512U; + uint32_t nb = len / (uint32_t)512U; + uint32_t rem1 = len % (uint32_t)512U; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *uu____0 = out + i * (uint32_t)512U; + uint8_t *uu____1 = text + i * (uint32_t)512U; + Lib_IntVector_Intrinsics_vec256 k[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + k[_i] = Lib_IntVector_Intrinsics_vec256_zero; + chacha20_core_256(k, ctx, i); + Lib_IntVector_Intrinsics_vec256 st0 = k[0U]; + Lib_IntVector_Intrinsics_vec256 st1 = k[1U]; + Lib_IntVector_Intrinsics_vec256 st2 = k[2U]; + Lib_IntVector_Intrinsics_vec256 st3 = k[3U]; + Lib_IntVector_Intrinsics_vec256 st4 = k[4U]; + Lib_IntVector_Intrinsics_vec256 st5 = k[5U]; + Lib_IntVector_Intrinsics_vec256 st6 = k[6U]; + Lib_IntVector_Intrinsics_vec256 st7 = k[7U]; + Lib_IntVector_Intrinsics_vec256 st8 = k[8U]; + Lib_IntVector_Intrinsics_vec256 st9 = k[9U]; + Lib_IntVector_Intrinsics_vec256 st10 = k[10U]; + Lib_IntVector_Intrinsics_vec256 st11 = k[11U]; + Lib_IntVector_Intrinsics_vec256 st12 = k[12U]; + Lib_IntVector_Intrinsics_vec256 st13 = k[13U]; + Lib_IntVector_Intrinsics_vec256 st14 = k[14U]; + Lib_IntVector_Intrinsics_vec256 st15 = k[15U]; + Lib_IntVector_Intrinsics_vec256 v00 = st0; + 
Lib_IntVector_Intrinsics_vec256 v16 = st1; + Lib_IntVector_Intrinsics_vec256 v20 = st2; + Lib_IntVector_Intrinsics_vec256 v30 = st3; + Lib_IntVector_Intrinsics_vec256 v40 = st4; + Lib_IntVector_Intrinsics_vec256 v50 = st5; + Lib_IntVector_Intrinsics_vec256 v60 = st6; + Lib_IntVector_Intrinsics_vec256 v70 = st7; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v00, v16); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v00, v16); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v4_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v5_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v6_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v60, v70); + Lib_IntVector_Intrinsics_vec256 + v7_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v60, v70); + Lib_IntVector_Intrinsics_vec256 v0_0 = v0_; + Lib_IntVector_Intrinsics_vec256 v1_0 = v1_; + Lib_IntVector_Intrinsics_vec256 v2_0 = v2_; + Lib_IntVector_Intrinsics_vec256 v3_0 = v3_; + Lib_IntVector_Intrinsics_vec256 v4_0 = v4_; + Lib_IntVector_Intrinsics_vec256 v5_0 = v5_; + Lib_IntVector_Intrinsics_vec256 v6_0 = v6_; + Lib_IntVector_Intrinsics_vec256 v7_0 = v7_; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v4_1 = 
Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v6_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v5_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 + v7_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 v0_10 = v0_1; + Lib_IntVector_Intrinsics_vec256 v1_10 = v1_1; + Lib_IntVector_Intrinsics_vec256 v2_10 = v2_1; + Lib_IntVector_Intrinsics_vec256 v3_10 = v3_1; + Lib_IntVector_Intrinsics_vec256 v4_10 = v4_1; + Lib_IntVector_Intrinsics_vec256 v5_10 = v5_1; + Lib_IntVector_Intrinsics_vec256 v6_10 = v6_1; + Lib_IntVector_Intrinsics_vec256 v7_10 = v7_1; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v4_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v5_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v6_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 + v7_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 v0_20 = v0_2; + Lib_IntVector_Intrinsics_vec256 v1_20 = v1_2; + Lib_IntVector_Intrinsics_vec256 v2_20 = v2_2; + Lib_IntVector_Intrinsics_vec256 v3_20 = v3_2; + Lib_IntVector_Intrinsics_vec256 v4_20 = v4_2; + Lib_IntVector_Intrinsics_vec256 v5_20 = v5_2; + Lib_IntVector_Intrinsics_vec256 v6_20 = v6_2; + 
Lib_IntVector_Intrinsics_vec256 v7_20 = v7_2; + Lib_IntVector_Intrinsics_vec256 v0_3 = v0_20; + Lib_IntVector_Intrinsics_vec256 v1_3 = v1_20; + Lib_IntVector_Intrinsics_vec256 v2_3 = v2_20; + Lib_IntVector_Intrinsics_vec256 v3_3 = v3_20; + Lib_IntVector_Intrinsics_vec256 v4_3 = v4_20; + Lib_IntVector_Intrinsics_vec256 v5_3 = v5_20; + Lib_IntVector_Intrinsics_vec256 v6_3 = v6_20; + Lib_IntVector_Intrinsics_vec256 v7_3 = v7_20; + Lib_IntVector_Intrinsics_vec256 v0 = v0_3; + Lib_IntVector_Intrinsics_vec256 v1 = v2_3; + Lib_IntVector_Intrinsics_vec256 v2 = v1_3; + Lib_IntVector_Intrinsics_vec256 v3 = v3_3; + Lib_IntVector_Intrinsics_vec256 v4 = v4_3; + Lib_IntVector_Intrinsics_vec256 v5 = v6_3; + Lib_IntVector_Intrinsics_vec256 v6 = v5_3; + Lib_IntVector_Intrinsics_vec256 v7 = v7_3; + Lib_IntVector_Intrinsics_vec256 v01 = st8; + Lib_IntVector_Intrinsics_vec256 v110 = st9; + Lib_IntVector_Intrinsics_vec256 v21 = st10; + Lib_IntVector_Intrinsics_vec256 v31 = st11; + Lib_IntVector_Intrinsics_vec256 v41 = st12; + Lib_IntVector_Intrinsics_vec256 v51 = st13; + Lib_IntVector_Intrinsics_vec256 v61 = st14; + Lib_IntVector_Intrinsics_vec256 v71 = st15; + Lib_IntVector_Intrinsics_vec256 + v0_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v01, v110); + Lib_IntVector_Intrinsics_vec256 + v1_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v01, v110); + Lib_IntVector_Intrinsics_vec256 + v2_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v3_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v4_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v41, v51); + Lib_IntVector_Intrinsics_vec256 + v5_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v41, v51); + Lib_IntVector_Intrinsics_vec256 + v6_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v61, v71); + Lib_IntVector_Intrinsics_vec256 + v7_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v61, v71); + 
Lib_IntVector_Intrinsics_vec256 v0_5 = v0_4; + Lib_IntVector_Intrinsics_vec256 v1_5 = v1_4; + Lib_IntVector_Intrinsics_vec256 v2_5 = v2_4; + Lib_IntVector_Intrinsics_vec256 v3_5 = v3_4; + Lib_IntVector_Intrinsics_vec256 v4_5 = v4_4; + Lib_IntVector_Intrinsics_vec256 v5_5 = v5_4; + Lib_IntVector_Intrinsics_vec256 v6_5 = v6_4; + Lib_IntVector_Intrinsics_vec256 v7_5 = v7_4; + Lib_IntVector_Intrinsics_vec256 + v0_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v2_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v1_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v3_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v4_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v6_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v5_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 + v7_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 v0_12 = v0_11; + Lib_IntVector_Intrinsics_vec256 v1_12 = v1_11; + Lib_IntVector_Intrinsics_vec256 v2_12 = v2_11; + Lib_IntVector_Intrinsics_vec256 v3_12 = v3_11; + Lib_IntVector_Intrinsics_vec256 v4_12 = v4_11; + Lib_IntVector_Intrinsics_vec256 v5_12 = v5_11; + Lib_IntVector_Intrinsics_vec256 v6_12 = v6_11; + Lib_IntVector_Intrinsics_vec256 v7_12 = v7_11; + Lib_IntVector_Intrinsics_vec256 + v0_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v4_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v1_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v5_21 = 
Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v2_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v6_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v3_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 + v7_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 v0_22 = v0_21; + Lib_IntVector_Intrinsics_vec256 v1_22 = v1_21; + Lib_IntVector_Intrinsics_vec256 v2_22 = v2_21; + Lib_IntVector_Intrinsics_vec256 v3_22 = v3_21; + Lib_IntVector_Intrinsics_vec256 v4_22 = v4_21; + Lib_IntVector_Intrinsics_vec256 v5_22 = v5_21; + Lib_IntVector_Intrinsics_vec256 v6_22 = v6_21; + Lib_IntVector_Intrinsics_vec256 v7_22 = v7_21; + Lib_IntVector_Intrinsics_vec256 v0_6 = v0_22; + Lib_IntVector_Intrinsics_vec256 v1_6 = v1_22; + Lib_IntVector_Intrinsics_vec256 v2_6 = v2_22; + Lib_IntVector_Intrinsics_vec256 v3_6 = v3_22; + Lib_IntVector_Intrinsics_vec256 v4_6 = v4_22; + Lib_IntVector_Intrinsics_vec256 v5_6 = v5_22; + Lib_IntVector_Intrinsics_vec256 v6_6 = v6_22; + Lib_IntVector_Intrinsics_vec256 v7_6 = v7_22; + Lib_IntVector_Intrinsics_vec256 v8 = v0_6; + Lib_IntVector_Intrinsics_vec256 v9 = v2_6; + Lib_IntVector_Intrinsics_vec256 v10 = v1_6; + Lib_IntVector_Intrinsics_vec256 v11 = v3_6; + Lib_IntVector_Intrinsics_vec256 v12 = v4_6; + Lib_IntVector_Intrinsics_vec256 v13 = v6_6; + Lib_IntVector_Intrinsics_vec256 v14 = v5_6; + Lib_IntVector_Intrinsics_vec256 v15 = v7_6; + k[0U] = v0; + k[1U] = v8; + k[2U] = v1; + k[3U] = v9; + k[4U] = v2; + k[5U] = v10; + k[6U] = v3; + k[7U] = v11; + k[8U] = v4; + k[9U] = v12; + k[10U] = v5; + k[11U] = v13; + k[12U] = v6; + k[13U] = v14; + k[14U] = v7; + k[15U] = v15; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)16U; i0++) + { + Lib_IntVector_Intrinsics_vec256 + x = 
Lib_IntVector_Intrinsics_vec256_load32_le(uu____1 + i0 * (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 y = Lib_IntVector_Intrinsics_vec256_xor(x, k[i0]); + Lib_IntVector_Intrinsics_vec256_store32_le(uu____0 + i0 * (uint32_t)32U, y); + } + } + if (rem1 > (uint32_t)0U) + { + uint8_t *uu____2 = out + nb * (uint32_t)512U; + uint8_t *uu____3 = text + nb * (uint32_t)512U; + uint8_t plain[512U] = { 0U }; + memcpy(plain, uu____3, rem * sizeof (uint8_t)); + Lib_IntVector_Intrinsics_vec256 k[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + k[_i] = Lib_IntVector_Intrinsics_vec256_zero; + chacha20_core_256(k, ctx, nb); + Lib_IntVector_Intrinsics_vec256 st0 = k[0U]; + Lib_IntVector_Intrinsics_vec256 st1 = k[1U]; + Lib_IntVector_Intrinsics_vec256 st2 = k[2U]; + Lib_IntVector_Intrinsics_vec256 st3 = k[3U]; + Lib_IntVector_Intrinsics_vec256 st4 = k[4U]; + Lib_IntVector_Intrinsics_vec256 st5 = k[5U]; + Lib_IntVector_Intrinsics_vec256 st6 = k[6U]; + Lib_IntVector_Intrinsics_vec256 st7 = k[7U]; + Lib_IntVector_Intrinsics_vec256 st8 = k[8U]; + Lib_IntVector_Intrinsics_vec256 st9 = k[9U]; + Lib_IntVector_Intrinsics_vec256 st10 = k[10U]; + Lib_IntVector_Intrinsics_vec256 st11 = k[11U]; + Lib_IntVector_Intrinsics_vec256 st12 = k[12U]; + Lib_IntVector_Intrinsics_vec256 st13 = k[13U]; + Lib_IntVector_Intrinsics_vec256 st14 = k[14U]; + Lib_IntVector_Intrinsics_vec256 st15 = k[15U]; + Lib_IntVector_Intrinsics_vec256 v00 = st0; + Lib_IntVector_Intrinsics_vec256 v16 = st1; + Lib_IntVector_Intrinsics_vec256 v20 = st2; + Lib_IntVector_Intrinsics_vec256 v30 = st3; + Lib_IntVector_Intrinsics_vec256 v40 = st4; + Lib_IntVector_Intrinsics_vec256 v50 = st5; + Lib_IntVector_Intrinsics_vec256 v60 = st6; + Lib_IntVector_Intrinsics_vec256 v70 = st7; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v00, v16); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v00, v16); + Lib_IntVector_Intrinsics_vec256 + v2_ = 
Lib_IntVector_Intrinsics_vec256_interleave_low32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v4_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v5_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v6_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v60, v70); + Lib_IntVector_Intrinsics_vec256 + v7_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v60, v70); + Lib_IntVector_Intrinsics_vec256 v0_0 = v0_; + Lib_IntVector_Intrinsics_vec256 v1_0 = v1_; + Lib_IntVector_Intrinsics_vec256 v2_0 = v2_; + Lib_IntVector_Intrinsics_vec256 v3_0 = v3_; + Lib_IntVector_Intrinsics_vec256 v4_0 = v4_; + Lib_IntVector_Intrinsics_vec256 v5_0 = v5_; + Lib_IntVector_Intrinsics_vec256 v6_0 = v6_; + Lib_IntVector_Intrinsics_vec256 v7_0 = v7_; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v4_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v6_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v5_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 + v7_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 v0_10 = v0_1; + Lib_IntVector_Intrinsics_vec256 v1_10 = v1_1; + Lib_IntVector_Intrinsics_vec256 v2_10 = v2_1; + Lib_IntVector_Intrinsics_vec256 v3_10 = v3_1; + 
Lib_IntVector_Intrinsics_vec256 v4_10 = v4_1; + Lib_IntVector_Intrinsics_vec256 v5_10 = v5_1; + Lib_IntVector_Intrinsics_vec256 v6_10 = v6_1; + Lib_IntVector_Intrinsics_vec256 v7_10 = v7_1; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v4_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v5_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v6_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 + v7_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 v0_20 = v0_2; + Lib_IntVector_Intrinsics_vec256 v1_20 = v1_2; + Lib_IntVector_Intrinsics_vec256 v2_20 = v2_2; + Lib_IntVector_Intrinsics_vec256 v3_20 = v3_2; + Lib_IntVector_Intrinsics_vec256 v4_20 = v4_2; + Lib_IntVector_Intrinsics_vec256 v5_20 = v5_2; + Lib_IntVector_Intrinsics_vec256 v6_20 = v6_2; + Lib_IntVector_Intrinsics_vec256 v7_20 = v7_2; + Lib_IntVector_Intrinsics_vec256 v0_3 = v0_20; + Lib_IntVector_Intrinsics_vec256 v1_3 = v1_20; + Lib_IntVector_Intrinsics_vec256 v2_3 = v2_20; + Lib_IntVector_Intrinsics_vec256 v3_3 = v3_20; + Lib_IntVector_Intrinsics_vec256 v4_3 = v4_20; + Lib_IntVector_Intrinsics_vec256 v5_3 = v5_20; + Lib_IntVector_Intrinsics_vec256 v6_3 = v6_20; + Lib_IntVector_Intrinsics_vec256 v7_3 = v7_20; + Lib_IntVector_Intrinsics_vec256 v0 = v0_3; + Lib_IntVector_Intrinsics_vec256 v1 = v2_3; + Lib_IntVector_Intrinsics_vec256 v2 = v1_3; + Lib_IntVector_Intrinsics_vec256 v3 = 
v3_3; + Lib_IntVector_Intrinsics_vec256 v4 = v4_3; + Lib_IntVector_Intrinsics_vec256 v5 = v6_3; + Lib_IntVector_Intrinsics_vec256 v6 = v5_3; + Lib_IntVector_Intrinsics_vec256 v7 = v7_3; + Lib_IntVector_Intrinsics_vec256 v01 = st8; + Lib_IntVector_Intrinsics_vec256 v110 = st9; + Lib_IntVector_Intrinsics_vec256 v21 = st10; + Lib_IntVector_Intrinsics_vec256 v31 = st11; + Lib_IntVector_Intrinsics_vec256 v41 = st12; + Lib_IntVector_Intrinsics_vec256 v51 = st13; + Lib_IntVector_Intrinsics_vec256 v61 = st14; + Lib_IntVector_Intrinsics_vec256 v71 = st15; + Lib_IntVector_Intrinsics_vec256 + v0_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v01, v110); + Lib_IntVector_Intrinsics_vec256 + v1_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v01, v110); + Lib_IntVector_Intrinsics_vec256 + v2_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v3_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v4_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v41, v51); + Lib_IntVector_Intrinsics_vec256 + v5_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v41, v51); + Lib_IntVector_Intrinsics_vec256 + v6_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v61, v71); + Lib_IntVector_Intrinsics_vec256 + v7_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v61, v71); + Lib_IntVector_Intrinsics_vec256 v0_5 = v0_4; + Lib_IntVector_Intrinsics_vec256 v1_5 = v1_4; + Lib_IntVector_Intrinsics_vec256 v2_5 = v2_4; + Lib_IntVector_Intrinsics_vec256 v3_5 = v3_4; + Lib_IntVector_Intrinsics_vec256 v4_5 = v4_4; + Lib_IntVector_Intrinsics_vec256 v5_5 = v5_4; + Lib_IntVector_Intrinsics_vec256 v6_5 = v6_4; + Lib_IntVector_Intrinsics_vec256 v7_5 = v7_4; + Lib_IntVector_Intrinsics_vec256 + v0_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v2_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_5, v2_5); + 
Lib_IntVector_Intrinsics_vec256 + v1_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v3_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v4_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v6_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v5_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 + v7_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 v0_12 = v0_11; + Lib_IntVector_Intrinsics_vec256 v1_12 = v1_11; + Lib_IntVector_Intrinsics_vec256 v2_12 = v2_11; + Lib_IntVector_Intrinsics_vec256 v3_12 = v3_11; + Lib_IntVector_Intrinsics_vec256 v4_12 = v4_11; + Lib_IntVector_Intrinsics_vec256 v5_12 = v5_11; + Lib_IntVector_Intrinsics_vec256 v6_12 = v6_11; + Lib_IntVector_Intrinsics_vec256 v7_12 = v7_11; + Lib_IntVector_Intrinsics_vec256 + v0_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v4_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v1_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v5_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v2_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v6_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v3_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 + v7_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 v0_22 = v0_21; + Lib_IntVector_Intrinsics_vec256 v1_22 = 
v1_21; + Lib_IntVector_Intrinsics_vec256 v2_22 = v2_21; + Lib_IntVector_Intrinsics_vec256 v3_22 = v3_21; + Lib_IntVector_Intrinsics_vec256 v4_22 = v4_21; + Lib_IntVector_Intrinsics_vec256 v5_22 = v5_21; + Lib_IntVector_Intrinsics_vec256 v6_22 = v6_21; + Lib_IntVector_Intrinsics_vec256 v7_22 = v7_21; + Lib_IntVector_Intrinsics_vec256 v0_6 = v0_22; + Lib_IntVector_Intrinsics_vec256 v1_6 = v1_22; + Lib_IntVector_Intrinsics_vec256 v2_6 = v2_22; + Lib_IntVector_Intrinsics_vec256 v3_6 = v3_22; + Lib_IntVector_Intrinsics_vec256 v4_6 = v4_22; + Lib_IntVector_Intrinsics_vec256 v5_6 = v5_22; + Lib_IntVector_Intrinsics_vec256 v6_6 = v6_22; + Lib_IntVector_Intrinsics_vec256 v7_6 = v7_22; + Lib_IntVector_Intrinsics_vec256 v8 = v0_6; + Lib_IntVector_Intrinsics_vec256 v9 = v2_6; + Lib_IntVector_Intrinsics_vec256 v10 = v1_6; + Lib_IntVector_Intrinsics_vec256 v11 = v3_6; + Lib_IntVector_Intrinsics_vec256 v12 = v4_6; + Lib_IntVector_Intrinsics_vec256 v13 = v6_6; + Lib_IntVector_Intrinsics_vec256 v14 = v5_6; + Lib_IntVector_Intrinsics_vec256 v15 = v7_6; + k[0U] = v0; + k[1U] = v8; + k[2U] = v1; + k[3U] = v9; + k[4U] = v2; + k[5U] = v10; + k[6U] = v3; + k[7U] = v11; + k[8U] = v4; + k[9U] = v12; + k[10U] = v5; + k[11U] = v13; + k[12U] = v6; + k[13U] = v14; + k[14U] = v7; + k[15U] = v15; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec256 + x = Lib_IntVector_Intrinsics_vec256_load32_le(plain + i * (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 y = Lib_IntVector_Intrinsics_vec256_xor(x, k[i]); + Lib_IntVector_Intrinsics_vec256_store32_le(plain + i * (uint32_t)32U, y); + } + memcpy(uu____2, plain, rem * sizeof (uint8_t)); + } +} + +void +Hacl_Chacha20_Vec256_chacha20_decrypt_256( + uint32_t len, + uint8_t *out, + uint8_t *cipher, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + Lib_IntVector_Intrinsics_vec256 ctx[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + ctx[_i] = Lib_IntVector_Intrinsics_vec256_zero; + 
chacha20_init_256(ctx, key, n, ctr); + uint32_t rem = len % (uint32_t)512U; + uint32_t nb = len / (uint32_t)512U; + uint32_t rem1 = len % (uint32_t)512U; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *uu____0 = out + i * (uint32_t)512U; + uint8_t *uu____1 = cipher + i * (uint32_t)512U; + Lib_IntVector_Intrinsics_vec256 k[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + k[_i] = Lib_IntVector_Intrinsics_vec256_zero; + chacha20_core_256(k, ctx, i); + Lib_IntVector_Intrinsics_vec256 st0 = k[0U]; + Lib_IntVector_Intrinsics_vec256 st1 = k[1U]; + Lib_IntVector_Intrinsics_vec256 st2 = k[2U]; + Lib_IntVector_Intrinsics_vec256 st3 = k[3U]; + Lib_IntVector_Intrinsics_vec256 st4 = k[4U]; + Lib_IntVector_Intrinsics_vec256 st5 = k[5U]; + Lib_IntVector_Intrinsics_vec256 st6 = k[6U]; + Lib_IntVector_Intrinsics_vec256 st7 = k[7U]; + Lib_IntVector_Intrinsics_vec256 st8 = k[8U]; + Lib_IntVector_Intrinsics_vec256 st9 = k[9U]; + Lib_IntVector_Intrinsics_vec256 st10 = k[10U]; + Lib_IntVector_Intrinsics_vec256 st11 = k[11U]; + Lib_IntVector_Intrinsics_vec256 st12 = k[12U]; + Lib_IntVector_Intrinsics_vec256 st13 = k[13U]; + Lib_IntVector_Intrinsics_vec256 st14 = k[14U]; + Lib_IntVector_Intrinsics_vec256 st15 = k[15U]; + Lib_IntVector_Intrinsics_vec256 v00 = st0; + Lib_IntVector_Intrinsics_vec256 v16 = st1; + Lib_IntVector_Intrinsics_vec256 v20 = st2; + Lib_IntVector_Intrinsics_vec256 v30 = st3; + Lib_IntVector_Intrinsics_vec256 v40 = st4; + Lib_IntVector_Intrinsics_vec256 v50 = st5; + Lib_IntVector_Intrinsics_vec256 v60 = st6; + Lib_IntVector_Intrinsics_vec256 v70 = st7; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v00, v16); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v00, v16); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = 
Lib_IntVector_Intrinsics_vec256_interleave_high32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v4_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v5_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v6_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v60, v70); + Lib_IntVector_Intrinsics_vec256 + v7_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v60, v70); + Lib_IntVector_Intrinsics_vec256 v0_0 = v0_; + Lib_IntVector_Intrinsics_vec256 v1_0 = v1_; + Lib_IntVector_Intrinsics_vec256 v2_0 = v2_; + Lib_IntVector_Intrinsics_vec256 v3_0 = v3_; + Lib_IntVector_Intrinsics_vec256 v4_0 = v4_; + Lib_IntVector_Intrinsics_vec256 v5_0 = v5_; + Lib_IntVector_Intrinsics_vec256 v6_0 = v6_; + Lib_IntVector_Intrinsics_vec256 v7_0 = v7_; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v4_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v6_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v5_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 + v7_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 v0_10 = v0_1; + Lib_IntVector_Intrinsics_vec256 v1_10 = v1_1; + Lib_IntVector_Intrinsics_vec256 v2_10 = v2_1; + Lib_IntVector_Intrinsics_vec256 v3_10 = v3_1; + Lib_IntVector_Intrinsics_vec256 v4_10 = v4_1; + Lib_IntVector_Intrinsics_vec256 v5_10 = v5_1; + 
Lib_IntVector_Intrinsics_vec256 v6_10 = v6_1; + Lib_IntVector_Intrinsics_vec256 v7_10 = v7_1; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v4_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v5_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v6_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 + v7_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 v0_20 = v0_2; + Lib_IntVector_Intrinsics_vec256 v1_20 = v1_2; + Lib_IntVector_Intrinsics_vec256 v2_20 = v2_2; + Lib_IntVector_Intrinsics_vec256 v3_20 = v3_2; + Lib_IntVector_Intrinsics_vec256 v4_20 = v4_2; + Lib_IntVector_Intrinsics_vec256 v5_20 = v5_2; + Lib_IntVector_Intrinsics_vec256 v6_20 = v6_2; + Lib_IntVector_Intrinsics_vec256 v7_20 = v7_2; + Lib_IntVector_Intrinsics_vec256 v0_3 = v0_20; + Lib_IntVector_Intrinsics_vec256 v1_3 = v1_20; + Lib_IntVector_Intrinsics_vec256 v2_3 = v2_20; + Lib_IntVector_Intrinsics_vec256 v3_3 = v3_20; + Lib_IntVector_Intrinsics_vec256 v4_3 = v4_20; + Lib_IntVector_Intrinsics_vec256 v5_3 = v5_20; + Lib_IntVector_Intrinsics_vec256 v6_3 = v6_20; + Lib_IntVector_Intrinsics_vec256 v7_3 = v7_20; + Lib_IntVector_Intrinsics_vec256 v0 = v0_3; + Lib_IntVector_Intrinsics_vec256 v1 = v2_3; + Lib_IntVector_Intrinsics_vec256 v2 = v1_3; + Lib_IntVector_Intrinsics_vec256 v3 = v3_3; + Lib_IntVector_Intrinsics_vec256 v4 = v4_3; + Lib_IntVector_Intrinsics_vec256 v5 = v6_3; 
+ Lib_IntVector_Intrinsics_vec256 v6 = v5_3; + Lib_IntVector_Intrinsics_vec256 v7 = v7_3; + Lib_IntVector_Intrinsics_vec256 v01 = st8; + Lib_IntVector_Intrinsics_vec256 v110 = st9; + Lib_IntVector_Intrinsics_vec256 v21 = st10; + Lib_IntVector_Intrinsics_vec256 v31 = st11; + Lib_IntVector_Intrinsics_vec256 v41 = st12; + Lib_IntVector_Intrinsics_vec256 v51 = st13; + Lib_IntVector_Intrinsics_vec256 v61 = st14; + Lib_IntVector_Intrinsics_vec256 v71 = st15; + Lib_IntVector_Intrinsics_vec256 + v0_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v01, v110); + Lib_IntVector_Intrinsics_vec256 + v1_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v01, v110); + Lib_IntVector_Intrinsics_vec256 + v2_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v3_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v4_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v41, v51); + Lib_IntVector_Intrinsics_vec256 + v5_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v41, v51); + Lib_IntVector_Intrinsics_vec256 + v6_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v61, v71); + Lib_IntVector_Intrinsics_vec256 + v7_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v61, v71); + Lib_IntVector_Intrinsics_vec256 v0_5 = v0_4; + Lib_IntVector_Intrinsics_vec256 v1_5 = v1_4; + Lib_IntVector_Intrinsics_vec256 v2_5 = v2_4; + Lib_IntVector_Intrinsics_vec256 v3_5 = v3_4; + Lib_IntVector_Intrinsics_vec256 v4_5 = v4_4; + Lib_IntVector_Intrinsics_vec256 v5_5 = v5_4; + Lib_IntVector_Intrinsics_vec256 v6_5 = v6_4; + Lib_IntVector_Intrinsics_vec256 v7_5 = v7_4; + Lib_IntVector_Intrinsics_vec256 + v0_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v2_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v1_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_5, v3_5); + 
Lib_IntVector_Intrinsics_vec256 + v3_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v4_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v6_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v5_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 + v7_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 v0_12 = v0_11; + Lib_IntVector_Intrinsics_vec256 v1_12 = v1_11; + Lib_IntVector_Intrinsics_vec256 v2_12 = v2_11; + Lib_IntVector_Intrinsics_vec256 v3_12 = v3_11; + Lib_IntVector_Intrinsics_vec256 v4_12 = v4_11; + Lib_IntVector_Intrinsics_vec256 v5_12 = v5_11; + Lib_IntVector_Intrinsics_vec256 v6_12 = v6_11; + Lib_IntVector_Intrinsics_vec256 v7_12 = v7_11; + Lib_IntVector_Intrinsics_vec256 + v0_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v4_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v1_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v5_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v2_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v6_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v3_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 + v7_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 v0_22 = v0_21; + Lib_IntVector_Intrinsics_vec256 v1_22 = v1_21; + Lib_IntVector_Intrinsics_vec256 v2_22 = v2_21; + Lib_IntVector_Intrinsics_vec256 v3_22 = v3_21; + 
Lib_IntVector_Intrinsics_vec256 v4_22 = v4_21; + Lib_IntVector_Intrinsics_vec256 v5_22 = v5_21; + Lib_IntVector_Intrinsics_vec256 v6_22 = v6_21; + Lib_IntVector_Intrinsics_vec256 v7_22 = v7_21; + Lib_IntVector_Intrinsics_vec256 v0_6 = v0_22; + Lib_IntVector_Intrinsics_vec256 v1_6 = v1_22; + Lib_IntVector_Intrinsics_vec256 v2_6 = v2_22; + Lib_IntVector_Intrinsics_vec256 v3_6 = v3_22; + Lib_IntVector_Intrinsics_vec256 v4_6 = v4_22; + Lib_IntVector_Intrinsics_vec256 v5_6 = v5_22; + Lib_IntVector_Intrinsics_vec256 v6_6 = v6_22; + Lib_IntVector_Intrinsics_vec256 v7_6 = v7_22; + Lib_IntVector_Intrinsics_vec256 v8 = v0_6; + Lib_IntVector_Intrinsics_vec256 v9 = v2_6; + Lib_IntVector_Intrinsics_vec256 v10 = v1_6; + Lib_IntVector_Intrinsics_vec256 v11 = v3_6; + Lib_IntVector_Intrinsics_vec256 v12 = v4_6; + Lib_IntVector_Intrinsics_vec256 v13 = v6_6; + Lib_IntVector_Intrinsics_vec256 v14 = v5_6; + Lib_IntVector_Intrinsics_vec256 v15 = v7_6; + k[0U] = v0; + k[1U] = v8; + k[2U] = v1; + k[3U] = v9; + k[4U] = v2; + k[5U] = v10; + k[6U] = v3; + k[7U] = v11; + k[8U] = v4; + k[9U] = v12; + k[10U] = v5; + k[11U] = v13; + k[12U] = v6; + k[13U] = v14; + k[14U] = v7; + k[15U] = v15; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)16U; i0++) + { + Lib_IntVector_Intrinsics_vec256 + x = Lib_IntVector_Intrinsics_vec256_load32_le(uu____1 + i0 * (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 y = Lib_IntVector_Intrinsics_vec256_xor(x, k[i0]); + Lib_IntVector_Intrinsics_vec256_store32_le(uu____0 + i0 * (uint32_t)32U, y); + } + } + if (rem1 > (uint32_t)0U) + { + uint8_t *uu____2 = out + nb * (uint32_t)512U; + uint8_t *uu____3 = cipher + nb * (uint32_t)512U; + uint8_t plain[512U] = { 0U }; + memcpy(plain, uu____3, rem * sizeof (uint8_t)); + Lib_IntVector_Intrinsics_vec256 k[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + k[_i] = Lib_IntVector_Intrinsics_vec256_zero; + chacha20_core_256(k, ctx, nb); + Lib_IntVector_Intrinsics_vec256 st0 = k[0U]; + Lib_IntVector_Intrinsics_vec256 
st1 = k[1U]; + Lib_IntVector_Intrinsics_vec256 st2 = k[2U]; + Lib_IntVector_Intrinsics_vec256 st3 = k[3U]; + Lib_IntVector_Intrinsics_vec256 st4 = k[4U]; + Lib_IntVector_Intrinsics_vec256 st5 = k[5U]; + Lib_IntVector_Intrinsics_vec256 st6 = k[6U]; + Lib_IntVector_Intrinsics_vec256 st7 = k[7U]; + Lib_IntVector_Intrinsics_vec256 st8 = k[8U]; + Lib_IntVector_Intrinsics_vec256 st9 = k[9U]; + Lib_IntVector_Intrinsics_vec256 st10 = k[10U]; + Lib_IntVector_Intrinsics_vec256 st11 = k[11U]; + Lib_IntVector_Intrinsics_vec256 st12 = k[12U]; + Lib_IntVector_Intrinsics_vec256 st13 = k[13U]; + Lib_IntVector_Intrinsics_vec256 st14 = k[14U]; + Lib_IntVector_Intrinsics_vec256 st15 = k[15U]; + Lib_IntVector_Intrinsics_vec256 v00 = st0; + Lib_IntVector_Intrinsics_vec256 v16 = st1; + Lib_IntVector_Intrinsics_vec256 v20 = st2; + Lib_IntVector_Intrinsics_vec256 v30 = st3; + Lib_IntVector_Intrinsics_vec256 v40 = st4; + Lib_IntVector_Intrinsics_vec256 v50 = st5; + Lib_IntVector_Intrinsics_vec256 v60 = st6; + Lib_IntVector_Intrinsics_vec256 v70 = st7; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v00, v16); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v00, v16); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v4_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v5_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v6_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v60, v70); + Lib_IntVector_Intrinsics_vec256 + v7_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v60, v70); + Lib_IntVector_Intrinsics_vec256 v0_0 = v0_; + Lib_IntVector_Intrinsics_vec256 v1_0 = v1_; + Lib_IntVector_Intrinsics_vec256 v2_0 = 
v2_; + Lib_IntVector_Intrinsics_vec256 v3_0 = v3_; + Lib_IntVector_Intrinsics_vec256 v4_0 = v4_; + Lib_IntVector_Intrinsics_vec256 v5_0 = v5_; + Lib_IntVector_Intrinsics_vec256 v6_0 = v6_; + Lib_IntVector_Intrinsics_vec256 v7_0 = v7_; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v4_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v6_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v5_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 + v7_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 v0_10 = v0_1; + Lib_IntVector_Intrinsics_vec256 v1_10 = v1_1; + Lib_IntVector_Intrinsics_vec256 v2_10 = v2_1; + Lib_IntVector_Intrinsics_vec256 v3_10 = v3_1; + Lib_IntVector_Intrinsics_vec256 v4_10 = v4_1; + Lib_IntVector_Intrinsics_vec256 v5_10 = v5_1; + Lib_IntVector_Intrinsics_vec256 v6_10 = v6_1; + Lib_IntVector_Intrinsics_vec256 v7_10 = v7_1; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v4_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v5_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_10, 
v6_10); + Lib_IntVector_Intrinsics_vec256 + v6_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 + v7_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 v0_20 = v0_2; + Lib_IntVector_Intrinsics_vec256 v1_20 = v1_2; + Lib_IntVector_Intrinsics_vec256 v2_20 = v2_2; + Lib_IntVector_Intrinsics_vec256 v3_20 = v3_2; + Lib_IntVector_Intrinsics_vec256 v4_20 = v4_2; + Lib_IntVector_Intrinsics_vec256 v5_20 = v5_2; + Lib_IntVector_Intrinsics_vec256 v6_20 = v6_2; + Lib_IntVector_Intrinsics_vec256 v7_20 = v7_2; + Lib_IntVector_Intrinsics_vec256 v0_3 = v0_20; + Lib_IntVector_Intrinsics_vec256 v1_3 = v1_20; + Lib_IntVector_Intrinsics_vec256 v2_3 = v2_20; + Lib_IntVector_Intrinsics_vec256 v3_3 = v3_20; + Lib_IntVector_Intrinsics_vec256 v4_3 = v4_20; + Lib_IntVector_Intrinsics_vec256 v5_3 = v5_20; + Lib_IntVector_Intrinsics_vec256 v6_3 = v6_20; + Lib_IntVector_Intrinsics_vec256 v7_3 = v7_20; + Lib_IntVector_Intrinsics_vec256 v0 = v0_3; + Lib_IntVector_Intrinsics_vec256 v1 = v2_3; + Lib_IntVector_Intrinsics_vec256 v2 = v1_3; + Lib_IntVector_Intrinsics_vec256 v3 = v3_3; + Lib_IntVector_Intrinsics_vec256 v4 = v4_3; + Lib_IntVector_Intrinsics_vec256 v5 = v6_3; + Lib_IntVector_Intrinsics_vec256 v6 = v5_3; + Lib_IntVector_Intrinsics_vec256 v7 = v7_3; + Lib_IntVector_Intrinsics_vec256 v01 = st8; + Lib_IntVector_Intrinsics_vec256 v110 = st9; + Lib_IntVector_Intrinsics_vec256 v21 = st10; + Lib_IntVector_Intrinsics_vec256 v31 = st11; + Lib_IntVector_Intrinsics_vec256 v41 = st12; + Lib_IntVector_Intrinsics_vec256 v51 = st13; + Lib_IntVector_Intrinsics_vec256 v61 = st14; + Lib_IntVector_Intrinsics_vec256 v71 = st15; + Lib_IntVector_Intrinsics_vec256 + v0_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v01, v110); + Lib_IntVector_Intrinsics_vec256 + v1_4 = 
Lib_IntVector_Intrinsics_vec256_interleave_high32(v01, v110); + Lib_IntVector_Intrinsics_vec256 + v2_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v3_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v4_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v41, v51); + Lib_IntVector_Intrinsics_vec256 + v5_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v41, v51); + Lib_IntVector_Intrinsics_vec256 + v6_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v61, v71); + Lib_IntVector_Intrinsics_vec256 + v7_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v61, v71); + Lib_IntVector_Intrinsics_vec256 v0_5 = v0_4; + Lib_IntVector_Intrinsics_vec256 v1_5 = v1_4; + Lib_IntVector_Intrinsics_vec256 v2_5 = v2_4; + Lib_IntVector_Intrinsics_vec256 v3_5 = v3_4; + Lib_IntVector_Intrinsics_vec256 v4_5 = v4_4; + Lib_IntVector_Intrinsics_vec256 v5_5 = v5_4; + Lib_IntVector_Intrinsics_vec256 v6_5 = v6_4; + Lib_IntVector_Intrinsics_vec256 v7_5 = v7_4; + Lib_IntVector_Intrinsics_vec256 + v0_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v2_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v1_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v3_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v4_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v6_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v5_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 + v7_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 v0_12 = v0_11; + Lib_IntVector_Intrinsics_vec256 v1_12 
= v1_11; + Lib_IntVector_Intrinsics_vec256 v2_12 = v2_11; + Lib_IntVector_Intrinsics_vec256 v3_12 = v3_11; + Lib_IntVector_Intrinsics_vec256 v4_12 = v4_11; + Lib_IntVector_Intrinsics_vec256 v5_12 = v5_11; + Lib_IntVector_Intrinsics_vec256 v6_12 = v6_11; + Lib_IntVector_Intrinsics_vec256 v7_12 = v7_11; + Lib_IntVector_Intrinsics_vec256 + v0_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v4_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v1_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v5_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v2_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v6_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v3_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 + v7_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 v0_22 = v0_21; + Lib_IntVector_Intrinsics_vec256 v1_22 = v1_21; + Lib_IntVector_Intrinsics_vec256 v2_22 = v2_21; + Lib_IntVector_Intrinsics_vec256 v3_22 = v3_21; + Lib_IntVector_Intrinsics_vec256 v4_22 = v4_21; + Lib_IntVector_Intrinsics_vec256 v5_22 = v5_21; + Lib_IntVector_Intrinsics_vec256 v6_22 = v6_21; + Lib_IntVector_Intrinsics_vec256 v7_22 = v7_21; + Lib_IntVector_Intrinsics_vec256 v0_6 = v0_22; + Lib_IntVector_Intrinsics_vec256 v1_6 = v1_22; + Lib_IntVector_Intrinsics_vec256 v2_6 = v2_22; + Lib_IntVector_Intrinsics_vec256 v3_6 = v3_22; + Lib_IntVector_Intrinsics_vec256 v4_6 = v4_22; + Lib_IntVector_Intrinsics_vec256 v5_6 = v5_22; + Lib_IntVector_Intrinsics_vec256 v6_6 = v6_22; + Lib_IntVector_Intrinsics_vec256 v7_6 = v7_22; + Lib_IntVector_Intrinsics_vec256 v8 = v0_6; 
+ Lib_IntVector_Intrinsics_vec256 v9 = v2_6; + Lib_IntVector_Intrinsics_vec256 v10 = v1_6; + Lib_IntVector_Intrinsics_vec256 v11 = v3_6; + Lib_IntVector_Intrinsics_vec256 v12 = v4_6; + Lib_IntVector_Intrinsics_vec256 v13 = v6_6; + Lib_IntVector_Intrinsics_vec256 v14 = v5_6; + Lib_IntVector_Intrinsics_vec256 v15 = v7_6; + k[0U] = v0; + k[1U] = v8; + k[2U] = v1; + k[3U] = v9; + k[4U] = v2; + k[5U] = v10; + k[6U] = v3; + k[7U] = v11; + k[8U] = v4; + k[9U] = v12; + k[10U] = v5; + k[11U] = v13; + k[12U] = v6; + k[13U] = v14; + k[14U] = v7; + k[15U] = v15; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec256 + x = Lib_IntVector_Intrinsics_vec256_load32_le(plain + i * (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 y = Lib_IntVector_Intrinsics_vec256_xor(x, k[i]); + Lib_IntVector_Intrinsics_vec256_store32_le(plain + i * (uint32_t)32U, y); + } + memcpy(uu____2, plain, rem * sizeof (uint8_t)); + } +} + diff --git a/src/Hacl_Curve25519_51.c b/src/Hacl_Curve25519_51.c new file mode 100644 index 00000000..be50cf91 --- /dev/null +++ b/src/Hacl_Curve25519_51.c 
@@ -0,0 +1,296 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Curve25519_51.h" + +#include "internal/Hacl_Kremlib.h" + +static const uint8_t g25519[32U] = { (uint8_t)9U }; + +static void point_add_and_double(uint64_t *q, uint64_t *p01_tmp1, FStar_UInt128_uint128 *tmp2) +{ + uint64_t *nq = p01_tmp1; + uint64_t *nq_p1 = p01_tmp1 + (uint32_t)10U; + uint64_t *tmp1 = p01_tmp1 + (uint32_t)20U; + uint64_t *x1 = q; + uint64_t *x2 = nq; + uint64_t *z2 = nq + (uint32_t)5U; + uint64_t *z3 = nq_p1 + (uint32_t)5U; + uint64_t *a = tmp1; + uint64_t *b = tmp1 + (uint32_t)5U; + uint64_t *ab = tmp1; + uint64_t *dc = tmp1 + (uint32_t)10U; + Hacl_Impl_Curve25519_Field51_fadd(a, x2, z2); + Hacl_Impl_Curve25519_Field51_fsub(b, x2, z2); + uint64_t *x3 = nq_p1; + uint64_t *z31 = nq_p1 + (uint32_t)5U; + uint64_t *d0 = dc; + uint64_t *c0 = dc + (uint32_t)5U; + Hacl_Impl_Curve25519_Field51_fadd(c0, x3, z31); + Hacl_Impl_Curve25519_Field51_fsub(d0, x3, z31); + Hacl_Impl_Curve25519_Field51_fmul2(dc, dc, ab, tmp2); + Hacl_Impl_Curve25519_Field51_fadd(x3, d0, c0); + Hacl_Impl_Curve25519_Field51_fsub(z31, d0, c0); + uint64_t *a1 = tmp1; + uint64_t *b1 = tmp1 + (uint32_t)5U; + uint64_t *d = tmp1 + (uint32_t)10U; + uint64_t *c = tmp1 + (uint32_t)15U; + uint64_t *ab1 = tmp1; + uint64_t *dc1 = tmp1 + (uint32_t)10U; + Hacl_Impl_Curve25519_Field51_fsqr2(dc1, ab1, tmp2); + Hacl_Impl_Curve25519_Field51_fsqr2(nq_p1, nq_p1, tmp2); + a1[0U] = c[0U]; + a1[1U] = c[1U]; + a1[2U] = c[2U]; + a1[3U] = c[3U]; + a1[4U] = c[4U]; + Hacl_Impl_Curve25519_Field51_fsub(c, d, c); + Hacl_Impl_Curve25519_Field51_fmul1(b1, c, (uint64_t)121665U); + Hacl_Impl_Curve25519_Field51_fadd(b1, b1, d); + Hacl_Impl_Curve25519_Field51_fmul2(nq, dc1, ab1, tmp2); + Hacl_Impl_Curve25519_Field51_fmul(z3, z3, x1, tmp2); +} + +static void point_double(uint64_t *nq, uint64_t *tmp1, FStar_UInt128_uint128 *tmp2) +{ + uint64_t *x2 = nq; + uint64_t *z2 = nq + (uint32_t)5U; + uint64_t *a = tmp1; + uint64_t *b = tmp1 + (uint32_t)5U; + uint64_t *d = tmp1 + (uint32_t)10U; + 
uint64_t *c = tmp1 + (uint32_t)15U; + uint64_t *ab = tmp1; + uint64_t *dc = tmp1 + (uint32_t)10U; + Hacl_Impl_Curve25519_Field51_fadd(a, x2, z2); + Hacl_Impl_Curve25519_Field51_fsub(b, x2, z2); + Hacl_Impl_Curve25519_Field51_fsqr2(dc, ab, tmp2); + a[0U] = c[0U]; + a[1U] = c[1U]; + a[2U] = c[2U]; + a[3U] = c[3U]; + a[4U] = c[4U]; + Hacl_Impl_Curve25519_Field51_fsub(c, d, c); + Hacl_Impl_Curve25519_Field51_fmul1(b, c, (uint64_t)121665U); + Hacl_Impl_Curve25519_Field51_fadd(b, b, d); + Hacl_Impl_Curve25519_Field51_fmul2(nq, dc, ab, tmp2); +} + +static void montgomery_ladder(uint64_t *out, uint8_t *key, uint64_t *init) +{ + FStar_UInt128_uint128 tmp2[10U]; + for (uint32_t _i = 0U; _i < (uint32_t)10U; ++_i) + tmp2[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + uint64_t p01_tmp1_swap[41U] = { 0U }; + uint64_t *p0 = p01_tmp1_swap; + uint64_t *p01 = p01_tmp1_swap; + uint64_t *p03 = p01; + uint64_t *p11 = p01 + (uint32_t)10U; + memcpy(p11, init, (uint32_t)10U * sizeof (uint64_t)); + uint64_t *x0 = p03; + uint64_t *z0 = p03 + (uint32_t)5U; + x0[0U] = (uint64_t)1U; + x0[1U] = (uint64_t)0U; + x0[2U] = (uint64_t)0U; + x0[3U] = (uint64_t)0U; + x0[4U] = (uint64_t)0U; + z0[0U] = (uint64_t)0U; + z0[1U] = (uint64_t)0U; + z0[2U] = (uint64_t)0U; + z0[3U] = (uint64_t)0U; + z0[4U] = (uint64_t)0U; + uint64_t *p01_tmp1 = p01_tmp1_swap; + uint64_t *p01_tmp11 = p01_tmp1_swap; + uint64_t *nq1 = p01_tmp1_swap; + uint64_t *nq_p11 = p01_tmp1_swap + (uint32_t)10U; + uint64_t *swap = p01_tmp1_swap + (uint32_t)40U; + Hacl_Impl_Curve25519_Field51_cswap2((uint64_t)1U, nq1, nq_p11); + point_add_and_double(init, p01_tmp11, tmp2); + swap[0U] = (uint64_t)1U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)251U; i++) + { + uint64_t *p01_tmp12 = p01_tmp1_swap; + uint64_t *swap1 = p01_tmp1_swap + (uint32_t)40U; + uint64_t *nq2 = p01_tmp12; + uint64_t *nq_p12 = p01_tmp12 + (uint32_t)10U; + uint64_t + bit = + (uint64_t)(key[((uint32_t)253U - i) + / (uint32_t)8U] + >> ((uint32_t)253U - i) % 
(uint32_t)8U + & (uint8_t)1U); + uint64_t sw = swap1[0U] ^ bit; + Hacl_Impl_Curve25519_Field51_cswap2(sw, nq2, nq_p12); + point_add_and_double(init, p01_tmp12, tmp2); + swap1[0U] = bit; + } + uint64_t sw = swap[0U]; + Hacl_Impl_Curve25519_Field51_cswap2(sw, nq1, nq_p11); + uint64_t *nq10 = p01_tmp1; + uint64_t *tmp1 = p01_tmp1 + (uint32_t)20U; + point_double(nq10, tmp1, tmp2); + point_double(nq10, tmp1, tmp2); + point_double(nq10, tmp1, tmp2); + memcpy(out, p0, (uint32_t)10U * sizeof (uint64_t)); +} + +void +Hacl_Curve25519_51_fsquare_times( + uint64_t *o, + uint64_t *inp, + FStar_UInt128_uint128 *tmp, + uint32_t n +) +{ + Hacl_Impl_Curve25519_Field51_fsqr(o, inp, tmp); + for (uint32_t i = (uint32_t)0U; i < n - (uint32_t)1U; i++) + { + Hacl_Impl_Curve25519_Field51_fsqr(o, o, tmp); + } +} + +void Hacl_Curve25519_51_finv(uint64_t *o, uint64_t *i, FStar_UInt128_uint128 *tmp) +{ + uint64_t t1[20U] = { 0U }; + uint64_t *a1 = t1; + uint64_t *b1 = t1 + (uint32_t)5U; + uint64_t *t010 = t1 + (uint32_t)15U; + FStar_UInt128_uint128 *tmp10 = tmp; + Hacl_Curve25519_51_fsquare_times(a1, i, tmp10, (uint32_t)1U); + Hacl_Curve25519_51_fsquare_times(t010, a1, tmp10, (uint32_t)2U); + Hacl_Impl_Curve25519_Field51_fmul(b1, t010, i, tmp); + Hacl_Impl_Curve25519_Field51_fmul(a1, b1, a1, tmp); + Hacl_Curve25519_51_fsquare_times(t010, a1, tmp10, (uint32_t)1U); + Hacl_Impl_Curve25519_Field51_fmul(b1, t010, b1, tmp); + Hacl_Curve25519_51_fsquare_times(t010, b1, tmp10, (uint32_t)5U); + Hacl_Impl_Curve25519_Field51_fmul(b1, t010, b1, tmp); + uint64_t *b10 = t1 + (uint32_t)5U; + uint64_t *c10 = t1 + (uint32_t)10U; + uint64_t *t011 = t1 + (uint32_t)15U; + FStar_UInt128_uint128 *tmp11 = tmp; + Hacl_Curve25519_51_fsquare_times(t011, b10, tmp11, (uint32_t)10U); + Hacl_Impl_Curve25519_Field51_fmul(c10, t011, b10, tmp); + Hacl_Curve25519_51_fsquare_times(t011, c10, tmp11, (uint32_t)20U); + Hacl_Impl_Curve25519_Field51_fmul(t011, t011, c10, tmp); + Hacl_Curve25519_51_fsquare_times(t011, t011, tmp11, 
(uint32_t)10U); + Hacl_Impl_Curve25519_Field51_fmul(b10, t011, b10, tmp); + Hacl_Curve25519_51_fsquare_times(t011, b10, tmp11, (uint32_t)50U); + Hacl_Impl_Curve25519_Field51_fmul(c10, t011, b10, tmp); + uint64_t *b11 = t1 + (uint32_t)5U; + uint64_t *c1 = t1 + (uint32_t)10U; + uint64_t *t01 = t1 + (uint32_t)15U; + FStar_UInt128_uint128 *tmp1 = tmp; + Hacl_Curve25519_51_fsquare_times(t01, c1, tmp1, (uint32_t)100U); + Hacl_Impl_Curve25519_Field51_fmul(t01, t01, c1, tmp); + Hacl_Curve25519_51_fsquare_times(t01, t01, tmp1, (uint32_t)50U); + Hacl_Impl_Curve25519_Field51_fmul(t01, t01, b11, tmp); + Hacl_Curve25519_51_fsquare_times(t01, t01, tmp1, (uint32_t)5U); + uint64_t *a = t1; + uint64_t *t0 = t1 + (uint32_t)15U; + Hacl_Impl_Curve25519_Field51_fmul(o, t0, a, tmp); +} + +static void encode_point(uint8_t *o, uint64_t *i) +{ + uint64_t *x = i; + uint64_t *z = i + (uint32_t)5U; + uint64_t tmp[5U] = { 0U }; + uint64_t u64s[4U] = { 0U }; + FStar_UInt128_uint128 tmp_w[10U]; + for (uint32_t _i = 0U; _i < (uint32_t)10U; ++_i) + tmp_w[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + Hacl_Curve25519_51_finv(tmp, z, tmp_w); + Hacl_Impl_Curve25519_Field51_fmul(tmp, tmp, x, tmp_w); + Hacl_Impl_Curve25519_Field51_store_felem(u64s, tmp); + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + store64_le(o + i0 * (uint32_t)8U, u64s[i0]); + } +} + +void Hacl_Curve25519_51_scalarmult(uint8_t *out, uint8_t *priv, uint8_t *pub) +{ + uint64_t init[10U] = { 0U }; + uint64_t tmp[4U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = tmp; + uint8_t *bj = pub + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + uint64_t tmp3 = tmp[3U]; + tmp[3U] = tmp3 & (uint64_t)0x7fffffffffffffffU; + uint64_t *x = init; + uint64_t *z = init + (uint32_t)5U; + z[0U] = (uint64_t)1U; + z[1U] = (uint64_t)0U; + z[2U] = (uint64_t)0U; + z[3U] = (uint64_t)0U; + z[4U] = (uint64_t)0U; + uint64_t f0l = tmp[0U] & 
(uint64_t)0x7ffffffffffffU; + uint64_t f0h = tmp[0U] >> (uint32_t)51U; + uint64_t f1l = (tmp[1U] & (uint64_t)0x3fffffffffU) << (uint32_t)13U; + uint64_t f1h = tmp[1U] >> (uint32_t)38U; + uint64_t f2l = (tmp[2U] & (uint64_t)0x1ffffffU) << (uint32_t)26U; + uint64_t f2h = tmp[2U] >> (uint32_t)25U; + uint64_t f3l = (tmp[3U] & (uint64_t)0xfffU) << (uint32_t)39U; + uint64_t f3h = tmp[3U] >> (uint32_t)12U; + x[0U] = f0l; + x[1U] = f0h | f1l; + x[2U] = f1h | f2l; + x[3U] = f2h | f3l; + x[4U] = f3h; + montgomery_ladder(init, priv, init); + encode_point(out, init); +} + +void Hacl_Curve25519_51_secret_to_public(uint8_t *pub, uint8_t *priv) +{ + uint8_t basepoint[32U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint8_t *os = basepoint; + uint8_t x = g25519[i]; + os[i] = x; + } + Hacl_Curve25519_51_scalarmult(pub, priv, basepoint); +} + +bool Hacl_Curve25519_51_ecdh(uint8_t *out, uint8_t *priv, uint8_t *pub) +{ + uint8_t zeros[32U] = { 0U }; + Hacl_Curve25519_51_scalarmult(out, priv, pub); + uint8_t res = (uint8_t)255U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint8_t uu____0 = FStar_UInt8_eq_mask(out[i], zeros[i]); + res = uu____0 & res; + } + uint8_t z = res; + bool r = z == (uint8_t)255U; + return !r; +} + diff --git a/src/Hacl_Curve25519_64.c b/src/Hacl_Curve25519_64.c new file mode 100644 index 00000000..c2d09f93 --- /dev/null +++ b/src/Hacl_Curve25519_64.c 
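Review bot: Hacl_Curve25519_51_ecdh returns `!r`, i.e. false exactly when the 32-byte shared secret is all zero (the low-order-point case), and nothing in this file states that contract or that `out` has already been written with those zeros when false is returned; a caller that ignores the bool silently keys on an all-zero secret. Since this file looks KaRaMeL-extracted from the F* sources, the comment belongs on the public declaration rather than here: `/* Returns false iff the shared secret is all-zero (low-order public key); out then holds zeros and must not be used. */`. The same declaration could note that montgomery_ladder appears to apply the RFC 7748 clamp implicitly (the unconditional initial cswap2 fixes bit 254 and the three trailing point_double calls clear the low bits), so callers need not pre-clamp priv; worth confirming against the F* spec before documenting it.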
@@ -0,0 +1,388 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */ + + +#include "Hacl_Curve25519_64.h" + +#include "internal/Vale.h" +#include "internal/Hacl_Kremlib.h" +#include "curve25519-inline.h" +static inline uint64_t add_scalar0(uint64_t *out, uint64_t *f1, uint64_t f2) +{ + #if HACL_CAN_COMPILE_INLINE_ASM + return add_scalar(out, f1, f2); + #else + uint64_t scrut = add_scalar_e(out, f1, f2); + return scrut; + #endif +} + +static inline void fadd0(uint64_t *out, uint64_t *f1, uint64_t *f2) +{ + #if HACL_CAN_COMPILE_INLINE_ASM + fadd(out, f1, f2); + #else + uint64_t uu____0 = fadd_e(out, f1, f2); + #endif +} + +static inline void fsub0(uint64_t *out, uint64_t *f1, uint64_t *f2) +{ + #if HACL_CAN_COMPILE_INLINE_ASM + fsub(out, f1, f2); + #else + uint64_t uu____0 = fsub_e(out, f1, f2); + #endif +} + +static inline void fmul0(uint64_t *out, uint64_t *f1, uint64_t *f2, uint64_t *tmp) +{ + #if HACL_CAN_COMPILE_INLINE_ASM + fmul(out, f1, f2, tmp); + #else + uint64_t uu____0 = fmul_e(tmp, f1, out, f2); + #endif +} + +static inline void fmul20(uint64_t *out, uint64_t *f1, uint64_t *f2, uint64_t *tmp) +{ + #if HACL_CAN_COMPILE_INLINE_ASM + fmul2(out, f1, f2, tmp); + #else + uint64_t uu____0 = fmul2_e(tmp, f1, out, f2); + #endif +} + +static inline void fmul_scalar0(uint64_t *out, uint64_t *f1, uint64_t f2) +{ + #if HACL_CAN_COMPILE_INLINE_ASM + fmul_scalar(out, f1, f2); + #else + uint64_t uu____0 = fmul_scalar_e(out, f1, f2); + #endif +} + +static inline void fsqr0(uint64_t *out, uint64_t *f1, uint64_t *tmp) +{ + #if HACL_CAN_COMPILE_INLINE_ASM + fsqr(out, f1, tmp); + #else + uint64_t uu____0 = fsqr_e(tmp, f1, out); + #endif +} + +static inline void fsqr20(uint64_t *out, uint64_t *f, uint64_t *tmp) +{ + #if HACL_CAN_COMPILE_INLINE_ASM + fsqr2(out, f, tmp); + #else + uint64_t uu____0 = fsqr2_e(tmp, f, out); + #endif +} + +static inline void cswap20(uint64_t bit, uint64_t *p1, uint64_t *p2) +{ + #if HACL_CAN_COMPILE_INLINE_ASM + cswap2(bit, p1, p2); + #else + uint64_t uu____0 = cswap2_e(bit, p1, p2); + #endif +} + +static const 
uint8_t g25519[32U] = { (uint8_t)9U }; + +static void point_add_and_double(uint64_t *q, uint64_t *p01_tmp1, uint64_t *tmp2) +{ + uint64_t *nq = p01_tmp1; + uint64_t *nq_p1 = p01_tmp1 + (uint32_t)8U; + uint64_t *tmp1 = p01_tmp1 + (uint32_t)16U; + uint64_t *x1 = q; + uint64_t *x2 = nq; + uint64_t *z2 = nq + (uint32_t)4U; + uint64_t *z3 = nq_p1 + (uint32_t)4U; + uint64_t *a = tmp1; + uint64_t *b = tmp1 + (uint32_t)4U; + uint64_t *ab = tmp1; + uint64_t *dc = tmp1 + (uint32_t)8U; + fadd0(a, x2, z2); + fsub0(b, x2, z2); + uint64_t *x3 = nq_p1; + uint64_t *z31 = nq_p1 + (uint32_t)4U; + uint64_t *d0 = dc; + uint64_t *c0 = dc + (uint32_t)4U; + fadd0(c0, x3, z31); + fsub0(d0, x3, z31); + fmul20(dc, dc, ab, tmp2); + fadd0(x3, d0, c0); + fsub0(z31, d0, c0); + uint64_t *a1 = tmp1; + uint64_t *b1 = tmp1 + (uint32_t)4U; + uint64_t *d = tmp1 + (uint32_t)8U; + uint64_t *c = tmp1 + (uint32_t)12U; + uint64_t *ab1 = tmp1; + uint64_t *dc1 = tmp1 + (uint32_t)8U; + fsqr20(dc1, ab1, tmp2); + fsqr20(nq_p1, nq_p1, tmp2); + a1[0U] = c[0U]; + a1[1U] = c[1U]; + a1[2U] = c[2U]; + a1[3U] = c[3U]; + fsub0(c, d, c); + fmul_scalar0(b1, c, (uint64_t)121665U); + fadd0(b1, b1, d); + fmul20(nq, dc1, ab1, tmp2); + fmul0(z3, z3, x1, tmp2); +} + +static void point_double(uint64_t *nq, uint64_t *tmp1, uint64_t *tmp2) +{ + uint64_t *x2 = nq; + uint64_t *z2 = nq + (uint32_t)4U; + uint64_t *a = tmp1; + uint64_t *b = tmp1 + (uint32_t)4U; + uint64_t *d = tmp1 + (uint32_t)8U; + uint64_t *c = tmp1 + (uint32_t)12U; + uint64_t *ab = tmp1; + uint64_t *dc = tmp1 + (uint32_t)8U; + fadd0(a, x2, z2); + fsub0(b, x2, z2); + fsqr20(dc, ab, tmp2); + a[0U] = c[0U]; + a[1U] = c[1U]; + a[2U] = c[2U]; + a[3U] = c[3U]; + fsub0(c, d, c); + fmul_scalar0(b, c, (uint64_t)121665U); + fadd0(b, b, d); + fmul20(nq, dc, ab, tmp2); +} + +static void montgomery_ladder(uint64_t *out, uint8_t *key, uint64_t *init) +{ + uint64_t tmp2[16U] = { 0U }; + uint64_t p01_tmp1_swap[33U] = { 0U }; + uint64_t *p0 = p01_tmp1_swap; + uint64_t *p01 = 
p01_tmp1_swap; + uint64_t *p03 = p01; + uint64_t *p11 = p01 + (uint32_t)8U; + memcpy(p11, init, (uint32_t)8U * sizeof (uint64_t)); + uint64_t *x0 = p03; + uint64_t *z0 = p03 + (uint32_t)4U; + x0[0U] = (uint64_t)1U; + x0[1U] = (uint64_t)0U; + x0[2U] = (uint64_t)0U; + x0[3U] = (uint64_t)0U; + z0[0U] = (uint64_t)0U; + z0[1U] = (uint64_t)0U; + z0[2U] = (uint64_t)0U; + z0[3U] = (uint64_t)0U; + uint64_t *p01_tmp1 = p01_tmp1_swap; + uint64_t *p01_tmp11 = p01_tmp1_swap; + uint64_t *nq1 = p01_tmp1_swap; + uint64_t *nq_p11 = p01_tmp1_swap + (uint32_t)8U; + uint64_t *swap = p01_tmp1_swap + (uint32_t)32U; + cswap20((uint64_t)1U, nq1, nq_p11); + point_add_and_double(init, p01_tmp11, tmp2); + swap[0U] = (uint64_t)1U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)251U; i++) + { + uint64_t *p01_tmp12 = p01_tmp1_swap; + uint64_t *swap1 = p01_tmp1_swap + (uint32_t)32U; + uint64_t *nq2 = p01_tmp12; + uint64_t *nq_p12 = p01_tmp12 + (uint32_t)8U; + uint64_t + bit = + (uint64_t)(key[((uint32_t)253U - i) + / (uint32_t)8U] + >> ((uint32_t)253U - i) % (uint32_t)8U + & (uint8_t)1U); + uint64_t sw = swap1[0U] ^ bit; + cswap20(sw, nq2, nq_p12); + point_add_and_double(init, p01_tmp12, tmp2); + swap1[0U] = bit; + } + uint64_t sw = swap[0U]; + cswap20(sw, nq1, nq_p11); + uint64_t *nq10 = p01_tmp1; + uint64_t *tmp1 = p01_tmp1 + (uint32_t)16U; + point_double(nq10, tmp1, tmp2); + point_double(nq10, tmp1, tmp2); + point_double(nq10, tmp1, tmp2); + memcpy(out, p0, (uint32_t)8U * sizeof (uint64_t)); +} + +static void fsquare_times(uint64_t *o, uint64_t *inp, uint64_t *tmp, uint32_t n) +{ + fsqr0(o, inp, tmp); + for (uint32_t i = (uint32_t)0U; i < n - (uint32_t)1U; i++) + { + fsqr0(o, o, tmp); + } +} + +static void finv(uint64_t *o, uint64_t *i, uint64_t *tmp) +{ + uint64_t t1[16U] = { 0U }; + uint64_t *a1 = t1; + uint64_t *b1 = t1 + (uint32_t)4U; + uint64_t *t010 = t1 + (uint32_t)12U; + uint64_t *tmp10 = tmp; + fsquare_times(a1, i, tmp10, (uint32_t)1U); + fsquare_times(t010, a1, tmp10, 
(uint32_t)2U); + fmul0(b1, t010, i, tmp); + fmul0(a1, b1, a1, tmp); + fsquare_times(t010, a1, tmp10, (uint32_t)1U); + fmul0(b1, t010, b1, tmp); + fsquare_times(t010, b1, tmp10, (uint32_t)5U); + fmul0(b1, t010, b1, tmp); + uint64_t *b10 = t1 + (uint32_t)4U; + uint64_t *c10 = t1 + (uint32_t)8U; + uint64_t *t011 = t1 + (uint32_t)12U; + uint64_t *tmp11 = tmp; + fsquare_times(t011, b10, tmp11, (uint32_t)10U); + fmul0(c10, t011, b10, tmp); + fsquare_times(t011, c10, tmp11, (uint32_t)20U); + fmul0(t011, t011, c10, tmp); + fsquare_times(t011, t011, tmp11, (uint32_t)10U); + fmul0(b10, t011, b10, tmp); + fsquare_times(t011, b10, tmp11, (uint32_t)50U); + fmul0(c10, t011, b10, tmp); + uint64_t *b11 = t1 + (uint32_t)4U; + uint64_t *c1 = t1 + (uint32_t)8U; + uint64_t *t01 = t1 + (uint32_t)12U; + uint64_t *tmp1 = tmp; + fsquare_times(t01, c1, tmp1, (uint32_t)100U); + fmul0(t01, t01, c1, tmp); + fsquare_times(t01, t01, tmp1, (uint32_t)50U); + fmul0(t01, t01, b11, tmp); + fsquare_times(t01, t01, tmp1, (uint32_t)5U); + uint64_t *a = t1; + uint64_t *t0 = t1 + (uint32_t)12U; + fmul0(o, t0, a, tmp); +} + +static void store_felem(uint64_t *b, uint64_t *f) +{ + uint64_t f30 = f[3U]; + uint64_t top_bit0 = f30 >> (uint32_t)63U; + f[3U] = f30 & (uint64_t)0x7fffffffffffffffU; + uint64_t carry = add_scalar0(f, f, (uint64_t)19U * top_bit0); + uint64_t f31 = f[3U]; + uint64_t top_bit = f31 >> (uint32_t)63U; + f[3U] = f31 & (uint64_t)0x7fffffffffffffffU; + uint64_t carry0 = add_scalar0(f, f, (uint64_t)19U * top_bit); + uint64_t f0 = f[0U]; + uint64_t f1 = f[1U]; + uint64_t f2 = f[2U]; + uint64_t f3 = f[3U]; + uint64_t m0 = FStar_UInt64_gte_mask(f0, (uint64_t)0xffffffffffffffedU); + uint64_t m1 = FStar_UInt64_eq_mask(f1, (uint64_t)0xffffffffffffffffU); + uint64_t m2 = FStar_UInt64_eq_mask(f2, (uint64_t)0xffffffffffffffffU); + uint64_t m3 = FStar_UInt64_eq_mask(f3, (uint64_t)0x7fffffffffffffffU); + uint64_t mask = ((m0 & m1) & m2) & m3; + uint64_t f0_ = f0 - (mask & (uint64_t)0xffffffffffffffedU); 
+ uint64_t f1_ = f1 - (mask & (uint64_t)0xffffffffffffffffU); + uint64_t f2_ = f2 - (mask & (uint64_t)0xffffffffffffffffU); + uint64_t f3_ = f3 - (mask & (uint64_t)0x7fffffffffffffffU); + uint64_t o0 = f0_; + uint64_t o1 = f1_; + uint64_t o2 = f2_; + uint64_t o3 = f3_; + b[0U] = o0; + b[1U] = o1; + b[2U] = o2; + b[3U] = o3; +} + +static void encode_point(uint8_t *o, uint64_t *i) +{ + uint64_t *x = i; + uint64_t *z = i + (uint32_t)4U; + uint64_t tmp[4U] = { 0U }; + uint64_t u64s[4U] = { 0U }; + uint64_t tmp_w[16U] = { 0U }; + finv(tmp, z, tmp_w); + fmul0(tmp, tmp, x, tmp_w); + store_felem(u64s, tmp); + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + store64_le(o + i0 * (uint32_t)8U, u64s[i0]); + } +} + +void Hacl_Curve25519_64_scalarmult(uint8_t *out, uint8_t *priv, uint8_t *pub) +{ + uint64_t init[8U] = { 0U }; + uint64_t tmp[4U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = tmp; + uint8_t *bj = pub + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + uint64_t tmp3 = tmp[3U]; + tmp[3U] = tmp3 & (uint64_t)0x7fffffffffffffffU; + uint64_t *x = init; + uint64_t *z = init + (uint32_t)4U; + z[0U] = (uint64_t)1U; + z[1U] = (uint64_t)0U; + z[2U] = (uint64_t)0U; + z[3U] = (uint64_t)0U; + x[0U] = tmp[0U]; + x[1U] = tmp[1U]; + x[2U] = tmp[2U]; + x[3U] = tmp[3U]; + montgomery_ladder(init, priv, init); + encode_point(out, init); +} + +void Hacl_Curve25519_64_secret_to_public(uint8_t *pub, uint8_t *priv) +{ + uint8_t basepoint[32U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint8_t *os = basepoint; + uint8_t x = g25519[i]; + os[i] = x; + } + Hacl_Curve25519_64_scalarmult(pub, priv, basepoint); +} + +bool Hacl_Curve25519_64_ecdh(uint8_t *out, uint8_t *priv, uint8_t *pub) +{ + uint8_t zeros[32U] = { 0U }; + Hacl_Curve25519_64_scalarmult(out, priv, pub); + uint8_t res = (uint8_t)255U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + 
{ + uint8_t uu____0 = FStar_UInt8_eq_mask(out[i], zeros[i]); + res = uu____0 & res; + } + uint8_t z = res; + bool r = z == (uint8_t)255U; + return !r; +} + diff --git a/src/Hacl_Ed25519.c b/src/Hacl_Ed25519.c new file mode 100644 index 00000000..62c2ecc0 --- /dev/null +++ b/src/Hacl_Ed25519.c 
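Review bot: `Hacl_Curve25519_64_scalarmult` and `Hacl_Curve25519_64_ecdh` are the public entry points of this new file but carry no contract comment, and the clamping and low-order-point behaviour that a caller most needs to know is only recoverable by reading the ladder. In `montgomery_ladder` the loop consumes bits 253..3 of `priv` (`key[(253 - i) / 8] >> (253 - i) % 8`), the leading `cswap20(1, ...)` plus `point_add_and_double` reads as processing bit 254 as set, and the three trailing `point_double` calls multiply by 8, so the scalar appears to be clamped implicitly (bit 255 ignored, bit 254 forced, low three bits cleared) while `pub` only has its top bit masked (`tmp[3U] & 0x7fff...`) and is not otherwise reduced. `ecdh` returns false exactly when the 32 output bytes are all zero (the `FStar_UInt8_eq_mask` fold), and in that case `out` still holds those zeros, so callers must test the return value rather than the buffer. I would add above `Hacl_Curve25519_64_ecdh`: `/* Constant-time X25519 (RFC 7748). priv is clamped implicitly by the ladder; bit 255 of pub is ignored. Returns false, leaving out all-zero, when pub is a low-order point - callers must not use out in that case. */`. Separately, the `uint64_t uu____0 = fadd_e(out, f1, f2);` pattern in every `#else` arm leaves an unused local on non-inline-asm builds and `(void)fadd_e(out, f1, f2);` would silence it, but since this looks like generated (KaRaMeL) output the change presumably belongs in the generator rather than a hand edit here.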
@@ -0,0 +1,1857 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Ed25519.h" + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Hash_SHA2.h" +#include "internal/Hacl_Curve25519_51.h" + +static inline void fsum(uint64_t *a, uint64_t *b) +{ + Hacl_Impl_Curve25519_Field51_fadd(a, a, b); +} + +static inline void fdifference(uint64_t *a, uint64_t *b) +{ + Hacl_Impl_Curve25519_Field51_fsub(a, b, a); +} + +void Hacl_Bignum25519_reduce_513(uint64_t *a) +{ + uint64_t f0 = a[0U]; + uint64_t f1 = a[1U]; + uint64_t f2 = a[2U]; + uint64_t f3 = a[3U]; + uint64_t f4 = a[4U]; + uint64_t l_ = f0 + (uint64_t)0U; + uint64_t tmp0 = l_ & (uint64_t)0x7ffffffffffffU; + uint64_t c0 = l_ >> (uint32_t)51U; + uint64_t l_0 = f1 + c0; + uint64_t tmp1 = l_0 & (uint64_t)0x7ffffffffffffU; + uint64_t c1 = l_0 >> (uint32_t)51U; + uint64_t l_1 = f2 + c1; + uint64_t tmp2 = l_1 & (uint64_t)0x7ffffffffffffU; + uint64_t c2 = l_1 >> (uint32_t)51U; + uint64_t l_2 = f3 + c2; + uint64_t tmp3 = l_2 & (uint64_t)0x7ffffffffffffU; + uint64_t c3 = l_2 >> (uint32_t)51U; + uint64_t l_3 = f4 + c3; + uint64_t tmp4 = l_3 & (uint64_t)0x7ffffffffffffU; + uint64_t c4 = l_3 >> (uint32_t)51U; + uint64_t l_4 = tmp0 + c4 * (uint64_t)19U; + uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU; + uint64_t c5 = l_4 >> (uint32_t)51U; + a[0U] = tmp0_; + a[1U] = tmp1 + c5; + a[2U] = tmp2; + a[3U] = tmp3; + a[4U] = tmp4; +} + +static inline void fmul0(uint64_t *output, uint64_t *input, uint64_t *input2) +{ + FStar_UInt128_uint128 tmp[10U]; + for (uint32_t _i = 0U; _i < (uint32_t)10U; ++_i) + tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + Hacl_Impl_Curve25519_Field51_fmul(output, input, input2, tmp); +} + +static inline void times_2(uint64_t *out, uint64_t *a) +{ + uint64_t a0 = a[0U]; + uint64_t a1 = a[1U]; + uint64_t a2 = a[2U]; + uint64_t a3 = a[3U]; + uint64_t a4 = a[4U]; + uint64_t o0 = (uint64_t)2U * a0; + uint64_t o1 = (uint64_t)2U * a1; + uint64_t o2 = (uint64_t)2U * a2; + uint64_t o3 = (uint64_t)2U * a3; + uint64_t o4 = (uint64_t)2U 
* a4; + out[0U] = o0; + out[1U] = o1; + out[2U] = o2; + out[3U] = o3; + out[4U] = o4; +} + +static inline void times_d(uint64_t *out, uint64_t *a) +{ + uint64_t d[5U] = { 0U }; + d[0U] = (uint64_t)0x00034dca135978a3U; + d[1U] = (uint64_t)0x0001a8283b156ebdU; + d[2U] = (uint64_t)0x0005e7a26001c029U; + d[3U] = (uint64_t)0x000739c663a03cbbU; + d[4U] = (uint64_t)0x00052036cee2b6ffU; + fmul0(out, d, a); +} + +static inline void times_2d(uint64_t *out, uint64_t *a) +{ + uint64_t d2[5U] = { 0U }; + d2[0U] = (uint64_t)0x00069b9426b2f159U; + d2[1U] = (uint64_t)0x00035050762add7aU; + d2[2U] = (uint64_t)0x0003cf44c0038052U; + d2[3U] = (uint64_t)0x0006738cc7407977U; + d2[4U] = (uint64_t)0x0002406d9dc56dffU; + fmul0(out, d2, a); +} + +static inline void fsquare(uint64_t *out, uint64_t *a) +{ + FStar_UInt128_uint128 tmp[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + Hacl_Impl_Curve25519_Field51_fsqr(out, a, tmp); +} + +static inline void fsquare_times(uint64_t *output, uint64_t *input, uint32_t count) +{ + FStar_UInt128_uint128 tmp[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + Hacl_Curve25519_51_fsquare_times(output, input, tmp, count); +} + +static inline void fsquare_times_inplace(uint64_t *output, uint32_t count) +{ + FStar_UInt128_uint128 tmp[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + Hacl_Curve25519_51_fsquare_times(output, output, tmp, count); +} + +void Hacl_Bignum25519_inverse(uint64_t *out, uint64_t *a) +{ + FStar_UInt128_uint128 tmp[10U]; + for (uint32_t _i = 0U; _i < (uint32_t)10U; ++_i) + tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + Hacl_Curve25519_51_finv(out, a, tmp); +} + +static inline void reduce(uint64_t *out) +{ + uint64_t o0 = out[0U]; + uint64_t o1 = out[1U]; + uint64_t o2 = out[2U]; + uint64_t o3 = out[3U]; + uint64_t o4 = out[4U]; + 
uint64_t l_ = o0 + (uint64_t)0U; + uint64_t tmp0 = l_ & (uint64_t)0x7ffffffffffffU; + uint64_t c0 = l_ >> (uint32_t)51U; + uint64_t l_0 = o1 + c0; + uint64_t tmp1 = l_0 & (uint64_t)0x7ffffffffffffU; + uint64_t c1 = l_0 >> (uint32_t)51U; + uint64_t l_1 = o2 + c1; + uint64_t tmp2 = l_1 & (uint64_t)0x7ffffffffffffU; + uint64_t c2 = l_1 >> (uint32_t)51U; + uint64_t l_2 = o3 + c2; + uint64_t tmp3 = l_2 & (uint64_t)0x7ffffffffffffU; + uint64_t c3 = l_2 >> (uint32_t)51U; + uint64_t l_3 = o4 + c3; + uint64_t tmp4 = l_3 & (uint64_t)0x7ffffffffffffU; + uint64_t c4 = l_3 >> (uint32_t)51U; + uint64_t l_4 = tmp0 + c4 * (uint64_t)19U; + uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU; + uint64_t c5 = l_4 >> (uint32_t)51U; + uint64_t f0 = tmp0_; + uint64_t f1 = tmp1 + c5; + uint64_t f2 = tmp2; + uint64_t f3 = tmp3; + uint64_t f4 = tmp4; + uint64_t m0 = FStar_UInt64_gte_mask(f0, (uint64_t)0x7ffffffffffedU); + uint64_t m1 = FStar_UInt64_eq_mask(f1, (uint64_t)0x7ffffffffffffU); + uint64_t m2 = FStar_UInt64_eq_mask(f2, (uint64_t)0x7ffffffffffffU); + uint64_t m3 = FStar_UInt64_eq_mask(f3, (uint64_t)0x7ffffffffffffU); + uint64_t m4 = FStar_UInt64_eq_mask(f4, (uint64_t)0x7ffffffffffffU); + uint64_t mask = (((m0 & m1) & m2) & m3) & m4; + uint64_t f0_ = f0 - (mask & (uint64_t)0x7ffffffffffedU); + uint64_t f1_ = f1 - (mask & (uint64_t)0x7ffffffffffffU); + uint64_t f2_ = f2 - (mask & (uint64_t)0x7ffffffffffffU); + uint64_t f3_ = f3 - (mask & (uint64_t)0x7ffffffffffffU); + uint64_t f4_ = f4 - (mask & (uint64_t)0x7ffffffffffffU); + uint64_t f01 = f0_; + uint64_t f11 = f1_; + uint64_t f21 = f2_; + uint64_t f31 = f3_; + uint64_t f41 = f4_; + out[0U] = f01; + out[1U] = f11; + out[2U] = f21; + out[3U] = f31; + out[4U] = f41; +} + +void Hacl_Bignum25519_load_51(uint64_t *output, uint8_t *input) +{ + uint64_t u64s[4U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = u64s; + uint8_t *bj = input + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = 
u; + uint64_t x = r; + os[i] = x; + } + uint64_t u64s3 = u64s[3U]; + u64s[3U] = u64s3 & (uint64_t)0x7fffffffffffffffU; + output[0U] = u64s[0U] & (uint64_t)0x7ffffffffffffU; + output[1U] = u64s[0U] >> (uint32_t)51U | (u64s[1U] & (uint64_t)0x3fffffffffU) << (uint32_t)13U; + output[2U] = u64s[1U] >> (uint32_t)38U | (u64s[2U] & (uint64_t)0x1ffffffU) << (uint32_t)26U; + output[3U] = u64s[2U] >> (uint32_t)25U | (u64s[3U] & (uint64_t)0xfffU) << (uint32_t)39U; + output[4U] = u64s[3U] >> (uint32_t)12U; +} + +void Hacl_Bignum25519_store_51(uint8_t *output, uint64_t *input) +{ + uint64_t u64s[4U] = { 0U }; + Hacl_Impl_Curve25519_Field51_store_felem(u64s, input); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store64_le(output + i * (uint32_t)8U, u64s[i]); + } +} + +static inline void point_double(uint64_t *out, uint64_t *p) +{ + uint64_t tmp[30U] = { 0U }; + uint64_t *tmp2 = tmp + (uint32_t)5U; + uint64_t *tmp3 = tmp + (uint32_t)10U; + uint64_t *tmp4 = tmp + (uint32_t)15U; + uint64_t *tmp6 = tmp + (uint32_t)25U; + uint64_t *x3 = out; + uint64_t *y3 = out + (uint32_t)5U; + uint64_t *z3 = out + (uint32_t)10U; + uint64_t *t3 = out + (uint32_t)15U; + uint64_t *tmp11 = tmp; + uint64_t *tmp210 = tmp + (uint32_t)5U; + uint64_t *tmp310 = tmp + (uint32_t)10U; + uint64_t *tmp410 = tmp + (uint32_t)15U; + uint64_t *x10 = p; + uint64_t *y10 = p + (uint32_t)5U; + uint64_t *z1 = p + (uint32_t)10U; + fsquare(tmp11, x10); + fsquare(tmp210, y10); + fsquare(tmp310, z1); + times_2(tmp410, tmp310); + memcpy(tmp310, tmp11, (uint32_t)5U * sizeof (uint64_t)); + fsum(tmp310, tmp210); + uint64_t *tmp110 = tmp; + uint64_t *tmp21 = tmp + (uint32_t)5U; + uint64_t *tmp31 = tmp + (uint32_t)10U; + uint64_t *tmp41 = tmp + (uint32_t)15U; + uint64_t *tmp51 = tmp + (uint32_t)20U; + uint64_t *tmp61 = tmp + (uint32_t)25U; + uint64_t *x1 = p; + uint64_t *y1 = p + (uint32_t)5U; + memcpy(tmp51, x1, (uint32_t)5U * sizeof (uint64_t)); + fsum(tmp51, y1); + fsquare(tmp61, tmp51); + memcpy(tmp51, tmp31, 
(uint32_t)5U * sizeof (uint64_t)); + Hacl_Bignum25519_reduce_513(tmp51); + fdifference(tmp61, tmp51); + fdifference(tmp21, tmp110); + Hacl_Bignum25519_reduce_513(tmp21); + Hacl_Bignum25519_reduce_513(tmp41); + fsum(tmp41, tmp21); + fmul0(x3, tmp4, tmp6); + fmul0(y3, tmp2, tmp3); + fmul0(t3, tmp6, tmp3); + fmul0(z3, tmp4, tmp2); +} + +void Hacl_Impl_Ed25519_PointAdd_point_add(uint64_t *out, uint64_t *p, uint64_t *q) +{ + uint64_t tmp[30U] = { 0U }; + uint64_t *tmp1 = tmp; + uint64_t *tmp20 = tmp + (uint32_t)5U; + uint64_t *tmp30 = tmp + (uint32_t)10U; + uint64_t *tmp40 = tmp + (uint32_t)15U; + uint64_t *x1 = p; + uint64_t *y1 = p + (uint32_t)5U; + uint64_t *x2 = q; + uint64_t *y2 = q + (uint32_t)5U; + memcpy(tmp1, x1, (uint32_t)5U * sizeof (uint64_t)); + memcpy(tmp20, x2, (uint32_t)5U * sizeof (uint64_t)); + fdifference(tmp1, y1); + fdifference(tmp20, y2); + fmul0(tmp30, tmp1, tmp20); + memcpy(tmp1, y1, (uint32_t)5U * sizeof (uint64_t)); + memcpy(tmp20, y2, (uint32_t)5U * sizeof (uint64_t)); + fsum(tmp1, x1); + fsum(tmp20, x2); + fmul0(tmp40, tmp1, tmp20); + uint64_t *tmp10 = tmp; + uint64_t *tmp2 = tmp + (uint32_t)5U; + uint64_t *tmp3 = tmp + (uint32_t)10U; + uint64_t *tmp41 = tmp + (uint32_t)15U; + uint64_t *tmp50 = tmp + (uint32_t)20U; + uint64_t *tmp60 = tmp + (uint32_t)25U; + uint64_t *z1 = p + (uint32_t)10U; + uint64_t *t1 = p + (uint32_t)15U; + uint64_t *z2 = q + (uint32_t)10U; + uint64_t *t2 = q + (uint32_t)15U; + times_2d(tmp10, t1); + fmul0(tmp2, tmp10, t2); + times_2(tmp10, z1); + fmul0(tmp50, tmp10, z2); + memcpy(tmp10, tmp3, (uint32_t)5U * sizeof (uint64_t)); + memcpy(tmp60, tmp2, (uint32_t)5U * sizeof (uint64_t)); + fdifference(tmp10, tmp41); + fdifference(tmp60, tmp50); + fsum(tmp50, tmp2); + fsum(tmp41, tmp3); + uint64_t *tmp11 = tmp; + uint64_t *tmp4 = tmp + (uint32_t)15U; + uint64_t *tmp5 = tmp + (uint32_t)20U; + uint64_t *tmp6 = tmp + (uint32_t)25U; + uint64_t *x3 = out; + uint64_t *y3 = out + (uint32_t)5U; + uint64_t *z3 = out + (uint32_t)10U; + 
uint64_t *t3 = out + (uint32_t)15U; + fmul0(x3, tmp11, tmp6); + fmul0(y3, tmp5, tmp4); + fmul0(t3, tmp11, tmp4); + fmul0(z3, tmp6, tmp5); +} + +void Hacl_Impl_Ed25519_Ladder_point_mul(uint64_t *result, uint8_t *scalar, uint64_t *q) +{ + uint64_t bscalar[4U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = bscalar; + uint8_t *bj = scalar + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + uint64_t *x0 = result; + uint64_t *y = result + (uint32_t)5U; + uint64_t *z = result + (uint32_t)10U; + uint64_t *t = result + (uint32_t)15U; + x0[0U] = (uint64_t)0U; + x0[1U] = (uint64_t)0U; + x0[2U] = (uint64_t)0U; + x0[3U] = (uint64_t)0U; + x0[4U] = (uint64_t)0U; + y[0U] = (uint64_t)1U; + y[1U] = (uint64_t)0U; + y[2U] = (uint64_t)0U; + y[3U] = (uint64_t)0U; + y[4U] = (uint64_t)0U; + z[0U] = (uint64_t)1U; + z[1U] = (uint64_t)0U; + z[2U] = (uint64_t)0U; + z[3U] = (uint64_t)0U; + z[4U] = (uint64_t)0U; + t[0U] = (uint64_t)0U; + t[1U] = (uint64_t)0U; + t[2U] = (uint64_t)0U; + t[3U] = (uint64_t)0U; + t[4U] = (uint64_t)0U; + uint64_t table[320U] = { 0U }; + memcpy(table, result, (uint32_t)20U * sizeof (uint64_t)); + uint64_t *t1 = table + (uint32_t)20U; + memcpy(t1, q, (uint32_t)20U * sizeof (uint64_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)20U; + uint64_t *t2 = table + (i + (uint32_t)2U) * (uint32_t)20U; + Hacl_Impl_Ed25519_PointAdd_point_add(t2, t11, q); + } + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)64U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + point_double(result, result); + } + uint32_t bk = (uint32_t)256U; + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i0 - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk - (uint32_t)4U * i0 - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = bscalar[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U 
< (uint32_t)4U && (uint32_t)0U < j) + { + ite = p1 | bscalar[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_l = ite & mask_l; + uint64_t a_bits_l[20U] = { 0U }; + memcpy(a_bits_l, table, (uint32_t)20U * sizeof (uint64_t)); + for (uint32_t i2 = (uint32_t)0U; i2 < (uint32_t)15U; i2++) + { + uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i2 + (uint32_t)1U)); + uint64_t *res_j = table + (i2 + (uint32_t)1U) * (uint32_t)20U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)20U; i++) + { + uint64_t *os = a_bits_l; + uint64_t x = (c & res_j[i]) | (~c & a_bits_l[i]); + os[i] = x; + } + } + Hacl_Impl_Ed25519_PointAdd_point_add(result, result, a_bits_l); + } +} + +static inline void point_mul_g(uint64_t *result, uint8_t *scalar) +{ + uint64_t g[20U] = { 0U }; + uint64_t *gx = g; + uint64_t *gy = g + (uint32_t)5U; + uint64_t *gz = g + (uint32_t)10U; + uint64_t *gt = g + (uint32_t)15U; + gx[0U] = (uint64_t)0x00062d608f25d51aU; + gx[1U] = (uint64_t)0x000412a4b4f6592aU; + gx[2U] = (uint64_t)0x00075b7171a4b31dU; + gx[3U] = (uint64_t)0x0001ff60527118feU; + gx[4U] = (uint64_t)0x000216936d3cd6e5U; + gy[0U] = (uint64_t)0x0006666666666658U; + gy[1U] = (uint64_t)0x0004ccccccccccccU; + gy[2U] = (uint64_t)0x0001999999999999U; + gy[3U] = (uint64_t)0x0003333333333333U; + gy[4U] = (uint64_t)0x0006666666666666U; + gz[0U] = (uint64_t)1U; + gz[1U] = (uint64_t)0U; + gz[2U] = (uint64_t)0U; + gz[3U] = (uint64_t)0U; + gz[4U] = (uint64_t)0U; + gt[0U] = (uint64_t)0x00068ab3a5b7dda3U; + gt[1U] = (uint64_t)0x00000eea2a5eadbbU; + gt[2U] = (uint64_t)0x0002af8df483c27eU; + gt[3U] = (uint64_t)0x000332b375274732U; + gt[4U] = (uint64_t)0x00067875f0fd78b7U; + Hacl_Impl_Ed25519_Ladder_point_mul(result, scalar, g); +} + +static inline void +point_mul_double_vartime( + uint64_t *result, + uint8_t *scalar1, + uint64_t *q1, + uint8_t *scalar2, + uint64_t *q2 +) +{ + uint64_t bscalar1[4U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + 
uint64_t *os = bscalar1; + uint8_t *bj = scalar1 + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + uint64_t bscalar2[4U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = bscalar2; + uint8_t *bj = scalar2 + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + uint64_t *x = result; + uint64_t *y = result + (uint32_t)5U; + uint64_t *z = result + (uint32_t)10U; + uint64_t *t = result + (uint32_t)15U; + x[0U] = (uint64_t)0U; + x[1U] = (uint64_t)0U; + x[2U] = (uint64_t)0U; + x[3U] = (uint64_t)0U; + x[4U] = (uint64_t)0U; + y[0U] = (uint64_t)1U; + y[1U] = (uint64_t)0U; + y[2U] = (uint64_t)0U; + y[3U] = (uint64_t)0U; + y[4U] = (uint64_t)0U; + z[0U] = (uint64_t)1U; + z[1U] = (uint64_t)0U; + z[2U] = (uint64_t)0U; + z[3U] = (uint64_t)0U; + z[4U] = (uint64_t)0U; + t[0U] = (uint64_t)0U; + t[1U] = (uint64_t)0U; + t[2U] = (uint64_t)0U; + t[3U] = (uint64_t)0U; + t[4U] = (uint64_t)0U; + uint64_t table1[320U] = { 0U }; + memcpy(table1, result, (uint32_t)20U * sizeof (uint64_t)); + uint64_t *t10 = table1 + (uint32_t)20U; + memcpy(t10, q1, (uint32_t)20U * sizeof (uint64_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table1 + (i + (uint32_t)1U) * (uint32_t)20U; + uint64_t *t2 = table1 + (i + (uint32_t)2U) * (uint32_t)20U; + Hacl_Impl_Ed25519_PointAdd_point_add(t2, t11, q1); + } + uint64_t table2[320U] = { 0U }; + memcpy(table2, result, (uint32_t)20U * sizeof (uint64_t)); + uint64_t *t1 = table2 + (uint32_t)20U; + memcpy(t1, q2, (uint32_t)20U * sizeof (uint64_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table2 + (i + (uint32_t)1U) * (uint32_t)20U; + uint64_t *t2 = table2 + (i + (uint32_t)2U) * (uint32_t)20U; + Hacl_Impl_Ed25519_PointAdd_point_add(t2, t11, q2); + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + for (uint32_t i0 = (uint32_t)0U; i0 < 
(uint32_t)4U; i0++) + { + point_double(result, result); + } + uint32_t bk = (uint32_t)256U; + uint64_t mask_l0 = (uint64_t)16U - (uint64_t)1U; + uint32_t i10 = (bk - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)64U; + uint32_t j0 = (bk - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)64U; + uint64_t p10 = bscalar1[i10] >> j0; + uint64_t ite0; + if (i10 + (uint32_t)1U < (uint32_t)4U && (uint32_t)0U < j0) + { + ite0 = p10 | bscalar1[i10 + (uint32_t)1U] << ((uint32_t)64U - j0); + } + else + { + ite0 = p10; + } + uint64_t bits_l = ite0 & mask_l0; + uint64_t a_bits_l0[20U] = { 0U }; + uint32_t bits_l320 = (uint32_t)bits_l; + uint64_t *a_bits_l1 = table1 + bits_l320 * (uint32_t)20U; + memcpy(a_bits_l0, a_bits_l1, (uint32_t)20U * sizeof (uint64_t)); + Hacl_Impl_Ed25519_PointAdd_point_add(result, result, a_bits_l0); + uint32_t bk0 = (uint32_t)256U; + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i1 = (bk0 - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk0 - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = bscalar2[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < (uint32_t)4U && (uint32_t)0U < j) + { + ite = p1 | bscalar2[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_l0 = ite & mask_l; + uint64_t a_bits_l[20U] = { 0U }; + uint32_t bits_l32 = (uint32_t)bits_l0; + uint64_t *a_bits_l10 = table2 + bits_l32 * (uint32_t)20U; + memcpy(a_bits_l, a_bits_l10, (uint32_t)20U * sizeof (uint64_t)); + Hacl_Impl_Ed25519_PointAdd_point_add(result, result, a_bits_l); + } +} + +static inline void +point_mul_g_double_vartime(uint64_t *result, uint8_t *scalar1, uint8_t *scalar2, uint64_t *q2) +{ + uint64_t g[20U] = { 0U }; + uint64_t *gx = g; + uint64_t *gy = g + (uint32_t)5U; + uint64_t *gz = g + (uint32_t)10U; + uint64_t *gt = g + (uint32_t)15U; + gx[0U] = (uint64_t)0x00062d608f25d51aU; + gx[1U] = (uint64_t)0x000412a4b4f6592aU; + gx[2U] = (uint64_t)0x00075b7171a4b31dU; + gx[3U] = 
(uint64_t)0x0001ff60527118feU; + gx[4U] = (uint64_t)0x000216936d3cd6e5U; + gy[0U] = (uint64_t)0x0006666666666658U; + gy[1U] = (uint64_t)0x0004ccccccccccccU; + gy[2U] = (uint64_t)0x0001999999999999U; + gy[3U] = (uint64_t)0x0003333333333333U; + gy[4U] = (uint64_t)0x0006666666666666U; + gz[0U] = (uint64_t)1U; + gz[1U] = (uint64_t)0U; + gz[2U] = (uint64_t)0U; + gz[3U] = (uint64_t)0U; + gz[4U] = (uint64_t)0U; + gt[0U] = (uint64_t)0x00068ab3a5b7dda3U; + gt[1U] = (uint64_t)0x00000eea2a5eadbbU; + gt[2U] = (uint64_t)0x0002af8df483c27eU; + gt[3U] = (uint64_t)0x000332b375274732U; + gt[4U] = (uint64_t)0x00067875f0fd78b7U; + point_mul_double_vartime(result, scalar1, g, scalar2, q2); +} + +void Hacl_Impl_Ed25519_PointCompress_point_compress(uint8_t *z, uint64_t *p) +{ + uint64_t tmp[15U] = { 0U }; + uint64_t *x = tmp + (uint32_t)5U; + uint64_t *out = tmp + (uint32_t)10U; + uint64_t *zinv1 = tmp; + uint64_t *x1 = tmp + (uint32_t)5U; + uint64_t *out1 = tmp + (uint32_t)10U; + uint64_t *px = p; + uint64_t *py = p + (uint32_t)5U; + uint64_t *pz = p + (uint32_t)10U; + Hacl_Bignum25519_inverse(zinv1, pz); + fmul0(x1, px, zinv1); + reduce(x1); + fmul0(out1, py, zinv1); + Hacl_Bignum25519_reduce_513(out1); + uint64_t x0 = x[0U]; + uint64_t b = x0 & (uint64_t)1U; + Hacl_Bignum25519_store_51(z, out); + uint8_t xbyte = (uint8_t)b; + uint8_t o31 = z[31U]; + z[31U] = o31 + (xbyte << (uint32_t)7U); +} + +static inline void secret_expand(uint8_t *expanded, uint8_t *secret) +{ + Hacl_Hash_SHA2_hash_512(secret, (uint32_t)32U, expanded); + uint8_t *h_low = expanded; + uint8_t h_low0 = h_low[0U]; + uint8_t h_low31 = h_low[31U]; + h_low[0U] = h_low0 & (uint8_t)0xf8U; + h_low[31U] = (h_low31 & (uint8_t)127U) | (uint8_t)64U; +} + +static inline void secret_to_public(uint8_t *out, uint8_t *secret) +{ + uint8_t expanded_secret[64U] = { 0U }; + uint64_t res[20U] = { 0U }; + secret_expand(expanded_secret, secret); + uint8_t *a = expanded_secret; + point_mul_g(res, a); + 
Hacl_Impl_Ed25519_PointCompress_point_compress(out, res); +} + +static inline void barrett_reduction(uint64_t *z, uint64_t *t) +{ + uint64_t t0 = t[0U]; + uint64_t t1 = t[1U]; + uint64_t t2 = t[2U]; + uint64_t t3 = t[3U]; + uint64_t t4 = t[4U]; + uint64_t t5 = t[5U]; + uint64_t t6 = t[6U]; + uint64_t t7 = t[7U]; + uint64_t t8 = t[8U]; + uint64_t t9 = t[9U]; + uint64_t m00 = (uint64_t)0x12631a5cf5d3edU; + uint64_t m10 = (uint64_t)0xf9dea2f79cd658U; + uint64_t m20 = (uint64_t)0x000000000014deU; + uint64_t m30 = (uint64_t)0x00000000000000U; + uint64_t m40 = (uint64_t)0x00000010000000U; + uint64_t m0 = m00; + uint64_t m1 = m10; + uint64_t m2 = m20; + uint64_t m3 = m30; + uint64_t m4 = m40; + uint64_t m010 = (uint64_t)0x9ce5a30a2c131bU; + uint64_t m110 = (uint64_t)0x215d086329a7edU; + uint64_t m210 = (uint64_t)0xffffffffeb2106U; + uint64_t m310 = (uint64_t)0xffffffffffffffU; + uint64_t m410 = (uint64_t)0x00000fffffffffU; + uint64_t mu0 = m010; + uint64_t mu1 = m110; + uint64_t mu2 = m210; + uint64_t mu3 = m310; + uint64_t mu4 = m410; + uint64_t y_ = (t5 & (uint64_t)0xffffffU) << (uint32_t)32U; + uint64_t x_ = t4 >> (uint32_t)24U; + uint64_t z00 = x_ | y_; + uint64_t y_0 = (t6 & (uint64_t)0xffffffU) << (uint32_t)32U; + uint64_t x_0 = t5 >> (uint32_t)24U; + uint64_t z10 = x_0 | y_0; + uint64_t y_1 = (t7 & (uint64_t)0xffffffU) << (uint32_t)32U; + uint64_t x_1 = t6 >> (uint32_t)24U; + uint64_t z20 = x_1 | y_1; + uint64_t y_2 = (t8 & (uint64_t)0xffffffU) << (uint32_t)32U; + uint64_t x_2 = t7 >> (uint32_t)24U; + uint64_t z30 = x_2 | y_2; + uint64_t y_3 = (t9 & (uint64_t)0xffffffU) << (uint32_t)32U; + uint64_t x_3 = t8 >> (uint32_t)24U; + uint64_t z40 = x_3 | y_3; + uint64_t q0 = z00; + uint64_t q1 = z10; + uint64_t q2 = z20; + uint64_t q3 = z30; + uint64_t q4 = z40; + FStar_UInt128_uint128 xy000 = FStar_UInt128_mul_wide(q0, mu0); + FStar_UInt128_uint128 xy010 = FStar_UInt128_mul_wide(q0, mu1); + FStar_UInt128_uint128 xy020 = FStar_UInt128_mul_wide(q0, mu2); + 
FStar_UInt128_uint128 xy030 = FStar_UInt128_mul_wide(q0, mu3); + FStar_UInt128_uint128 xy040 = FStar_UInt128_mul_wide(q0, mu4); + FStar_UInt128_uint128 xy100 = FStar_UInt128_mul_wide(q1, mu0); + FStar_UInt128_uint128 xy110 = FStar_UInt128_mul_wide(q1, mu1); + FStar_UInt128_uint128 xy120 = FStar_UInt128_mul_wide(q1, mu2); + FStar_UInt128_uint128 xy130 = FStar_UInt128_mul_wide(q1, mu3); + FStar_UInt128_uint128 xy14 = FStar_UInt128_mul_wide(q1, mu4); + FStar_UInt128_uint128 xy200 = FStar_UInt128_mul_wide(q2, mu0); + FStar_UInt128_uint128 xy210 = FStar_UInt128_mul_wide(q2, mu1); + FStar_UInt128_uint128 xy220 = FStar_UInt128_mul_wide(q2, mu2); + FStar_UInt128_uint128 xy23 = FStar_UInt128_mul_wide(q2, mu3); + FStar_UInt128_uint128 xy24 = FStar_UInt128_mul_wide(q2, mu4); + FStar_UInt128_uint128 xy300 = FStar_UInt128_mul_wide(q3, mu0); + FStar_UInt128_uint128 xy310 = FStar_UInt128_mul_wide(q3, mu1); + FStar_UInt128_uint128 xy32 = FStar_UInt128_mul_wide(q3, mu2); + FStar_UInt128_uint128 xy33 = FStar_UInt128_mul_wide(q3, mu3); + FStar_UInt128_uint128 xy34 = FStar_UInt128_mul_wide(q3, mu4); + FStar_UInt128_uint128 xy400 = FStar_UInt128_mul_wide(q4, mu0); + FStar_UInt128_uint128 xy41 = FStar_UInt128_mul_wide(q4, mu1); + FStar_UInt128_uint128 xy42 = FStar_UInt128_mul_wide(q4, mu2); + FStar_UInt128_uint128 xy43 = FStar_UInt128_mul_wide(q4, mu3); + FStar_UInt128_uint128 xy44 = FStar_UInt128_mul_wide(q4, mu4); + FStar_UInt128_uint128 z01 = xy000; + FStar_UInt128_uint128 z11 = FStar_UInt128_add_mod(xy010, xy100); + FStar_UInt128_uint128 z21 = FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy020, xy110), xy200); + FStar_UInt128_uint128 + z31 = + FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy030, xy120), xy210), + xy300); + FStar_UInt128_uint128 + z41 = + FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy040, + xy130), + xy220), + xy310), + xy400); + FStar_UInt128_uint128 + z5 = + 
FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy14, xy23), xy32), + xy41); + FStar_UInt128_uint128 z6 = FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy24, xy33), xy42); + FStar_UInt128_uint128 z7 = FStar_UInt128_add_mod(xy34, xy43); + FStar_UInt128_uint128 z8 = xy44; + FStar_UInt128_uint128 carry0 = FStar_UInt128_shift_right(z01, (uint32_t)56U); + FStar_UInt128_uint128 c00 = carry0; + FStar_UInt128_uint128 + carry1 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z11, c00), (uint32_t)56U); + uint64_t + t100 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z11, c00)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c10 = carry1; + FStar_UInt128_uint128 + carry2 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z21, c10), (uint32_t)56U); + uint64_t + t101 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z21, c10)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c20 = carry2; + FStar_UInt128_uint128 + carry3 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z31, c20), (uint32_t)56U); + uint64_t + t102 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z31, c20)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c30 = carry3; + FStar_UInt128_uint128 + carry4 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z41, c30), (uint32_t)56U); + uint64_t + t103 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z41, c30)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c40 = carry4; + uint64_t t410 = t103; + FStar_UInt128_uint128 + carry5 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z5, c40), (uint32_t)56U); + uint64_t + t104 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z5, c40)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c5 = carry5; + uint64_t t51 = t104; + FStar_UInt128_uint128 + carry6 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z6, c5), (uint32_t)56U); + uint64_t + t105 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z6, c5)) + & 
(uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c6 = carry6; + uint64_t t61 = t105; + FStar_UInt128_uint128 + carry7 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z7, c6), (uint32_t)56U); + uint64_t + t106 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z7, c6)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c7 = carry7; + uint64_t t71 = t106; + FStar_UInt128_uint128 + carry8 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z8, c7), (uint32_t)56U); + uint64_t + t107 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z8, c7)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c8 = carry8; + uint64_t t81 = t107; + uint64_t t91 = FStar_UInt128_uint128_to_uint64(c8); + uint64_t qmu4_ = t410; + uint64_t qmu5_ = t51; + uint64_t qmu6_ = t61; + uint64_t qmu7_ = t71; + uint64_t qmu8_ = t81; + uint64_t qmu9_ = t91; + uint64_t y_4 = (qmu5_ & (uint64_t)0xffffffffffU) << (uint32_t)16U; + uint64_t x_4 = qmu4_ >> (uint32_t)40U; + uint64_t z02 = x_4 | y_4; + uint64_t y_5 = (qmu6_ & (uint64_t)0xffffffffffU) << (uint32_t)16U; + uint64_t x_5 = qmu5_ >> (uint32_t)40U; + uint64_t z12 = x_5 | y_5; + uint64_t y_6 = (qmu7_ & (uint64_t)0xffffffffffU) << (uint32_t)16U; + uint64_t x_6 = qmu6_ >> (uint32_t)40U; + uint64_t z22 = x_6 | y_6; + uint64_t y_7 = (qmu8_ & (uint64_t)0xffffffffffU) << (uint32_t)16U; + uint64_t x_7 = qmu7_ >> (uint32_t)40U; + uint64_t z32 = x_7 | y_7; + uint64_t y_8 = (qmu9_ & (uint64_t)0xffffffffffU) << (uint32_t)16U; + uint64_t x_8 = qmu8_ >> (uint32_t)40U; + uint64_t z42 = x_8 | y_8; + uint64_t qdiv0 = z02; + uint64_t qdiv1 = z12; + uint64_t qdiv2 = z22; + uint64_t qdiv3 = z32; + uint64_t qdiv4 = z42; + uint64_t r0 = t0; + uint64_t r1 = t1; + uint64_t r2 = t2; + uint64_t r3 = t3; + uint64_t r4 = t4 & (uint64_t)0xffffffffffU; + FStar_UInt128_uint128 xy00 = FStar_UInt128_mul_wide(qdiv0, m0); + FStar_UInt128_uint128 xy01 = FStar_UInt128_mul_wide(qdiv0, m1); + FStar_UInt128_uint128 xy02 = FStar_UInt128_mul_wide(qdiv0, m2); + 
FStar_UInt128_uint128 xy03 = FStar_UInt128_mul_wide(qdiv0, m3); + FStar_UInt128_uint128 xy04 = FStar_UInt128_mul_wide(qdiv0, m4); + FStar_UInt128_uint128 xy10 = FStar_UInt128_mul_wide(qdiv1, m0); + FStar_UInt128_uint128 xy11 = FStar_UInt128_mul_wide(qdiv1, m1); + FStar_UInt128_uint128 xy12 = FStar_UInt128_mul_wide(qdiv1, m2); + FStar_UInt128_uint128 xy13 = FStar_UInt128_mul_wide(qdiv1, m3); + FStar_UInt128_uint128 xy20 = FStar_UInt128_mul_wide(qdiv2, m0); + FStar_UInt128_uint128 xy21 = FStar_UInt128_mul_wide(qdiv2, m1); + FStar_UInt128_uint128 xy22 = FStar_UInt128_mul_wide(qdiv2, m2); + FStar_UInt128_uint128 xy30 = FStar_UInt128_mul_wide(qdiv3, m0); + FStar_UInt128_uint128 xy31 = FStar_UInt128_mul_wide(qdiv3, m1); + FStar_UInt128_uint128 xy40 = FStar_UInt128_mul_wide(qdiv4, m0); + FStar_UInt128_uint128 carry9 = FStar_UInt128_shift_right(xy00, (uint32_t)56U); + uint64_t t108 = FStar_UInt128_uint128_to_uint64(xy00) & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c0 = carry9; + uint64_t t010 = t108; + FStar_UInt128_uint128 + carry10 = + FStar_UInt128_shift_right(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy01, xy10), c0), + (uint32_t)56U); + uint64_t + t109 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy01, xy10), c0)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c11 = carry10; + uint64_t t110 = t109; + FStar_UInt128_uint128 + carry11 = + FStar_UInt128_shift_right(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy02, + xy11), + xy20), + c11), + (uint32_t)56U); + uint64_t + t1010 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy02, + xy11), + xy20), + c11)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c21 = carry11; + uint64_t t210 = t1010; + FStar_UInt128_uint128 + carry = + FStar_UInt128_shift_right(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy03, + xy12), + xy21), + xy30), + c21), + 
(uint32_t)56U); + uint64_t + t1011 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy03, + xy12), + xy21), + xy30), + c21)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c31 = carry; + uint64_t t310 = t1011; + uint64_t + t411 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy04, + xy13), + xy22), + xy31), + xy40), + c31)) + & (uint64_t)0xffffffffffU; + uint64_t qmul0 = t010; + uint64_t qmul1 = t110; + uint64_t qmul2 = t210; + uint64_t qmul3 = t310; + uint64_t qmul4 = t411; + uint64_t b5 = (r0 - qmul0) >> (uint32_t)63U; + uint64_t t1012 = (b5 << (uint32_t)56U) + r0 - qmul0; + uint64_t c1 = b5; + uint64_t t011 = t1012; + uint64_t b6 = (r1 - (qmul1 + c1)) >> (uint32_t)63U; + uint64_t t1013 = (b6 << (uint32_t)56U) + r1 - (qmul1 + c1); + uint64_t c2 = b6; + uint64_t t111 = t1013; + uint64_t b7 = (r2 - (qmul2 + c2)) >> (uint32_t)63U; + uint64_t t1014 = (b7 << (uint32_t)56U) + r2 - (qmul2 + c2); + uint64_t c3 = b7; + uint64_t t211 = t1014; + uint64_t b8 = (r3 - (qmul3 + c3)) >> (uint32_t)63U; + uint64_t t1015 = (b8 << (uint32_t)56U) + r3 - (qmul3 + c3); + uint64_t c4 = b8; + uint64_t t311 = t1015; + uint64_t b9 = (r4 - (qmul4 + c4)) >> (uint32_t)63U; + uint64_t t1016 = (b9 << (uint32_t)40U) + r4 - (qmul4 + c4); + uint64_t t412 = t1016; + uint64_t s0 = t011; + uint64_t s1 = t111; + uint64_t s2 = t211; + uint64_t s3 = t311; + uint64_t s4 = t412; + uint64_t m01 = (uint64_t)0x12631a5cf5d3edU; + uint64_t m11 = (uint64_t)0xf9dea2f79cd658U; + uint64_t m21 = (uint64_t)0x000000000014deU; + uint64_t m31 = (uint64_t)0x00000000000000U; + uint64_t m41 = (uint64_t)0x00000010000000U; + uint64_t y0 = m01; + uint64_t y1 = m11; + uint64_t y2 = m21; + uint64_t y3 = m31; + uint64_t y4 = m41; + uint64_t b10 = (s0 - y0) >> (uint32_t)63U; + uint64_t t1017 = (b10 << (uint32_t)56U) + s0 - y0; + uint64_t b0 = b10; + 
uint64_t t01 = t1017; + uint64_t b11 = (s1 - (y1 + b0)) >> (uint32_t)63U; + uint64_t t1018 = (b11 << (uint32_t)56U) + s1 - (y1 + b0); + uint64_t b1 = b11; + uint64_t t11 = t1018; + uint64_t b12 = (s2 - (y2 + b1)) >> (uint32_t)63U; + uint64_t t1019 = (b12 << (uint32_t)56U) + s2 - (y2 + b1); + uint64_t b2 = b12; + uint64_t t21 = t1019; + uint64_t b13 = (s3 - (y3 + b2)) >> (uint32_t)63U; + uint64_t t1020 = (b13 << (uint32_t)56U) + s3 - (y3 + b2); + uint64_t b3 = b13; + uint64_t t31 = t1020; + uint64_t b = (s4 - (y4 + b3)) >> (uint32_t)63U; + uint64_t t10 = (b << (uint32_t)56U) + s4 - (y4 + b3); + uint64_t b4 = b; + uint64_t t41 = t10; + uint64_t mask = b4 - (uint64_t)1U; + uint64_t z03 = s0 ^ (mask & (s0 ^ t01)); + uint64_t z13 = s1 ^ (mask & (s1 ^ t11)); + uint64_t z23 = s2 ^ (mask & (s2 ^ t21)); + uint64_t z33 = s3 ^ (mask & (s3 ^ t31)); + uint64_t z43 = s4 ^ (mask & (s4 ^ t41)); + uint64_t z04 = z03; + uint64_t z14 = z13; + uint64_t z24 = z23; + uint64_t z34 = z33; + uint64_t z44 = z43; + uint64_t o0 = z04; + uint64_t o1 = z14; + uint64_t o2 = z24; + uint64_t o3 = z34; + uint64_t o4 = z44; + uint64_t z0 = o0; + uint64_t z1 = o1; + uint64_t z2 = o2; + uint64_t z3 = o3; + uint64_t z4 = o4; + z[0U] = z0; + z[1U] = z1; + z[2U] = z2; + z[3U] = z3; + z[4U] = z4; +} + +static inline void mul_modq(uint64_t *out, uint64_t *x, uint64_t *y) +{ + uint64_t tmp[10U] = { 0U }; + uint64_t x0 = x[0U]; + uint64_t x1 = x[1U]; + uint64_t x2 = x[2U]; + uint64_t x3 = x[3U]; + uint64_t x4 = x[4U]; + uint64_t y0 = y[0U]; + uint64_t y1 = y[1U]; + uint64_t y2 = y[2U]; + uint64_t y3 = y[3U]; + uint64_t y4 = y[4U]; + FStar_UInt128_uint128 xy00 = FStar_UInt128_mul_wide(x0, y0); + FStar_UInt128_uint128 xy01 = FStar_UInt128_mul_wide(x0, y1); + FStar_UInt128_uint128 xy02 = FStar_UInt128_mul_wide(x0, y2); + FStar_UInt128_uint128 xy03 = FStar_UInt128_mul_wide(x0, y3); + FStar_UInt128_uint128 xy04 = FStar_UInt128_mul_wide(x0, y4); + FStar_UInt128_uint128 xy10 = FStar_UInt128_mul_wide(x1, y0); + 
FStar_UInt128_uint128 xy11 = FStar_UInt128_mul_wide(x1, y1); + FStar_UInt128_uint128 xy12 = FStar_UInt128_mul_wide(x1, y2); + FStar_UInt128_uint128 xy13 = FStar_UInt128_mul_wide(x1, y3); + FStar_UInt128_uint128 xy14 = FStar_UInt128_mul_wide(x1, y4); + FStar_UInt128_uint128 xy20 = FStar_UInt128_mul_wide(x2, y0); + FStar_UInt128_uint128 xy21 = FStar_UInt128_mul_wide(x2, y1); + FStar_UInt128_uint128 xy22 = FStar_UInt128_mul_wide(x2, y2); + FStar_UInt128_uint128 xy23 = FStar_UInt128_mul_wide(x2, y3); + FStar_UInt128_uint128 xy24 = FStar_UInt128_mul_wide(x2, y4); + FStar_UInt128_uint128 xy30 = FStar_UInt128_mul_wide(x3, y0); + FStar_UInt128_uint128 xy31 = FStar_UInt128_mul_wide(x3, y1); + FStar_UInt128_uint128 xy32 = FStar_UInt128_mul_wide(x3, y2); + FStar_UInt128_uint128 xy33 = FStar_UInt128_mul_wide(x3, y3); + FStar_UInt128_uint128 xy34 = FStar_UInt128_mul_wide(x3, y4); + FStar_UInt128_uint128 xy40 = FStar_UInt128_mul_wide(x4, y0); + FStar_UInt128_uint128 xy41 = FStar_UInt128_mul_wide(x4, y1); + FStar_UInt128_uint128 xy42 = FStar_UInt128_mul_wide(x4, y2); + FStar_UInt128_uint128 xy43 = FStar_UInt128_mul_wide(x4, y3); + FStar_UInt128_uint128 xy44 = FStar_UInt128_mul_wide(x4, y4); + FStar_UInt128_uint128 z00 = xy00; + FStar_UInt128_uint128 z10 = FStar_UInt128_add_mod(xy01, xy10); + FStar_UInt128_uint128 z20 = FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy02, xy11), xy20); + FStar_UInt128_uint128 + z30 = + FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy03, xy12), xy21), + xy30); + FStar_UInt128_uint128 + z40 = + FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy04, + xy13), + xy22), + xy31), + xy40); + FStar_UInt128_uint128 + z50 = + FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy14, xy23), xy32), + xy41); + FStar_UInt128_uint128 z60 = FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy24, xy33), xy42); + FStar_UInt128_uint128 z70 = FStar_UInt128_add_mod(xy34, xy43); + FStar_UInt128_uint128 z80 
= xy44; + FStar_UInt128_uint128 carry0 = FStar_UInt128_shift_right(z00, (uint32_t)56U); + uint64_t t10 = FStar_UInt128_uint128_to_uint64(z00) & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c0 = carry0; + uint64_t t0 = t10; + FStar_UInt128_uint128 + carry1 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z10, c0), (uint32_t)56U); + uint64_t + t11 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z10, c0)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c1 = carry1; + uint64_t t1 = t11; + FStar_UInt128_uint128 + carry2 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z20, c1), (uint32_t)56U); + uint64_t + t12 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z20, c1)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c2 = carry2; + uint64_t t2 = t12; + FStar_UInt128_uint128 + carry3 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z30, c2), (uint32_t)56U); + uint64_t + t13 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z30, c2)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c3 = carry3; + uint64_t t3 = t13; + FStar_UInt128_uint128 + carry4 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z40, c3), (uint32_t)56U); + uint64_t + t14 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z40, c3)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c4 = carry4; + uint64_t t4 = t14; + FStar_UInt128_uint128 + carry5 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z50, c4), (uint32_t)56U); + uint64_t + t15 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z50, c4)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c5 = carry5; + uint64_t t5 = t15; + FStar_UInt128_uint128 + carry6 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z60, c5), (uint32_t)56U); + uint64_t + t16 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z60, c5)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c6 = carry6; + uint64_t t6 = t16; + FStar_UInt128_uint128 + carry7 = 
FStar_UInt128_shift_right(FStar_UInt128_add_mod(z70, c6), (uint32_t)56U); + uint64_t + t17 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z70, c6)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c7 = carry7; + uint64_t t7 = t17; + FStar_UInt128_uint128 + carry = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z80, c7), (uint32_t)56U); + uint64_t + t = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z80, c7)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c8 = carry; + uint64_t t8 = t; + uint64_t t9 = FStar_UInt128_uint128_to_uint64(c8); + uint64_t z0 = t0; + uint64_t z1 = t1; + uint64_t z2 = t2; + uint64_t z3 = t3; + uint64_t z4 = t4; + uint64_t z5 = t5; + uint64_t z6 = t6; + uint64_t z7 = t7; + uint64_t z8 = t8; + uint64_t z9 = t9; + tmp[0U] = z0; + tmp[1U] = z1; + tmp[2U] = z2; + tmp[3U] = z3; + tmp[4U] = z4; + tmp[5U] = z5; + tmp[6U] = z6; + tmp[7U] = z7; + tmp[8U] = z8; + tmp[9U] = z9; + barrett_reduction(out, tmp); +} + +static inline void add_modq(uint64_t *out, uint64_t *x, uint64_t *y) +{ + uint64_t x0 = x[0U]; + uint64_t x1 = x[1U]; + uint64_t x2 = x[2U]; + uint64_t x3 = x[3U]; + uint64_t x4 = x[4U]; + uint64_t y0 = y[0U]; + uint64_t y1 = y[1U]; + uint64_t y2 = y[2U]; + uint64_t y3 = y[3U]; + uint64_t y4 = y[4U]; + uint64_t carry0 = (x0 + y0) >> (uint32_t)56U; + uint64_t t0 = (x0 + y0) & (uint64_t)0xffffffffffffffU; + uint64_t t00 = t0; + uint64_t c0 = carry0; + uint64_t carry1 = (x1 + y1 + c0) >> (uint32_t)56U; + uint64_t t1 = (x1 + y1 + c0) & (uint64_t)0xffffffffffffffU; + uint64_t t10 = t1; + uint64_t c1 = carry1; + uint64_t carry2 = (x2 + y2 + c1) >> (uint32_t)56U; + uint64_t t2 = (x2 + y2 + c1) & (uint64_t)0xffffffffffffffU; + uint64_t t20 = t2; + uint64_t c2 = carry2; + uint64_t carry = (x3 + y3 + c2) >> (uint32_t)56U; + uint64_t t3 = (x3 + y3 + c2) & (uint64_t)0xffffffffffffffU; + uint64_t t30 = t3; + uint64_t c3 = carry; + uint64_t t4 = x4 + y4 + c3; + uint64_t m0 = (uint64_t)0x12631a5cf5d3edU; + uint64_t m1 = 
(uint64_t)0xf9dea2f79cd658U; + uint64_t m2 = (uint64_t)0x000000000014deU; + uint64_t m3 = (uint64_t)0x00000000000000U; + uint64_t m4 = (uint64_t)0x00000010000000U; + uint64_t y01 = m0; + uint64_t y11 = m1; + uint64_t y21 = m2; + uint64_t y31 = m3; + uint64_t y41 = m4; + uint64_t b5 = (t00 - y01) >> (uint32_t)63U; + uint64_t t5 = (b5 << (uint32_t)56U) + t00 - y01; + uint64_t b0 = b5; + uint64_t t01 = t5; + uint64_t b6 = (t10 - (y11 + b0)) >> (uint32_t)63U; + uint64_t t6 = (b6 << (uint32_t)56U) + t10 - (y11 + b0); + uint64_t b1 = b6; + uint64_t t11 = t6; + uint64_t b7 = (t20 - (y21 + b1)) >> (uint32_t)63U; + uint64_t t7 = (b7 << (uint32_t)56U) + t20 - (y21 + b1); + uint64_t b2 = b7; + uint64_t t21 = t7; + uint64_t b8 = (t30 - (y31 + b2)) >> (uint32_t)63U; + uint64_t t8 = (b8 << (uint32_t)56U) + t30 - (y31 + b2); + uint64_t b3 = b8; + uint64_t t31 = t8; + uint64_t b = (t4 - (y41 + b3)) >> (uint32_t)63U; + uint64_t t = (b << (uint32_t)56U) + t4 - (y41 + b3); + uint64_t b4 = b; + uint64_t t41 = t; + uint64_t mask = b4 - (uint64_t)1U; + uint64_t z00 = t00 ^ (mask & (t00 ^ t01)); + uint64_t z10 = t10 ^ (mask & (t10 ^ t11)); + uint64_t z20 = t20 ^ (mask & (t20 ^ t21)); + uint64_t z30 = t30 ^ (mask & (t30 ^ t31)); + uint64_t z40 = t4 ^ (mask & (t4 ^ t41)); + uint64_t z01 = z00; + uint64_t z11 = z10; + uint64_t z21 = z20; + uint64_t z31 = z30; + uint64_t z41 = z40; + uint64_t o0 = z01; + uint64_t o1 = z11; + uint64_t o2 = z21; + uint64_t o3 = z31; + uint64_t o4 = z41; + uint64_t z0 = o0; + uint64_t z1 = o1; + uint64_t z2 = o2; + uint64_t z3 = o3; + uint64_t z4 = o4; + out[0U] = z0; + out[1U] = z1; + out[2U] = z2; + out[3U] = z3; + out[4U] = z4; +} + +static inline void load_64_bytes(uint64_t *out, uint8_t *b) +{ + uint8_t *b80 = b; + uint64_t u = load64_le(b80); + uint64_t z = u; + uint64_t b0 = z & (uint64_t)0xffffffffffffffU; + uint8_t *b81 = b + (uint32_t)7U; + uint64_t u0 = load64_le(b81); + uint64_t z0 = u0; + uint64_t b1 = z0 & (uint64_t)0xffffffffffffffU; + uint8_t 
*b82 = b + (uint32_t)14U; + uint64_t u1 = load64_le(b82); + uint64_t z1 = u1; + uint64_t b2 = z1 & (uint64_t)0xffffffffffffffU; + uint8_t *b83 = b + (uint32_t)21U; + uint64_t u2 = load64_le(b83); + uint64_t z2 = u2; + uint64_t b3 = z2 & (uint64_t)0xffffffffffffffU; + uint8_t *b84 = b + (uint32_t)28U; + uint64_t u3 = load64_le(b84); + uint64_t z3 = u3; + uint64_t b4 = z3 & (uint64_t)0xffffffffffffffU; + uint8_t *b85 = b + (uint32_t)35U; + uint64_t u4 = load64_le(b85); + uint64_t z4 = u4; + uint64_t b5 = z4 & (uint64_t)0xffffffffffffffU; + uint8_t *b86 = b + (uint32_t)42U; + uint64_t u5 = load64_le(b86); + uint64_t z5 = u5; + uint64_t b6 = z5 & (uint64_t)0xffffffffffffffU; + uint8_t *b87 = b + (uint32_t)49U; + uint64_t u6 = load64_le(b87); + uint64_t z6 = u6; + uint64_t b7 = z6 & (uint64_t)0xffffffffffffffU; + uint8_t *b8 = b + (uint32_t)56U; + uint64_t u7 = load64_le(b8); + uint64_t z7 = u7; + uint64_t b88 = z7 & (uint64_t)0xffffffffffffffU; + uint8_t b63 = b[63U]; + uint64_t b9 = (uint64_t)b63; + out[0U] = b0; + out[1U] = b1; + out[2U] = b2; + out[3U] = b3; + out[4U] = b4; + out[5U] = b5; + out[6U] = b6; + out[7U] = b7; + out[8U] = b88; + out[9U] = b9; +} + +static inline void load_32_bytes(uint64_t *out, uint8_t *b) +{ + uint8_t *b80 = b; + uint64_t u0 = load64_le(b80); + uint64_t z = u0; + uint64_t b0 = z & (uint64_t)0xffffffffffffffU; + uint8_t *b81 = b + (uint32_t)7U; + uint64_t u1 = load64_le(b81); + uint64_t z0 = u1; + uint64_t b1 = z0 & (uint64_t)0xffffffffffffffU; + uint8_t *b82 = b + (uint32_t)14U; + uint64_t u2 = load64_le(b82); + uint64_t z1 = u2; + uint64_t b2 = z1 & (uint64_t)0xffffffffffffffU; + uint8_t *b8 = b + (uint32_t)21U; + uint64_t u3 = load64_le(b8); + uint64_t z2 = u3; + uint64_t b3 = z2 & (uint64_t)0xffffffffffffffU; + uint32_t u = load32_le(b + (uint32_t)28U); + uint32_t b4 = u; + uint64_t b41 = (uint64_t)b4; + out[0U] = b0; + out[1U] = b1; + out[2U] = b2; + out[3U] = b3; + out[4U] = b41; +} + +static inline void store_56(uint8_t *out, 
uint64_t *b) +{ + uint64_t b0 = b[0U]; + uint64_t b1 = b[1U]; + uint64_t b2 = b[2U]; + uint64_t b3 = b[3U]; + uint64_t b4 = b[4U]; + uint32_t b4_ = (uint32_t)b4; + uint8_t *b8 = out; + store64_le(b8, b0); + uint8_t *b80 = out + (uint32_t)7U; + store64_le(b80, b1); + uint8_t *b81 = out + (uint32_t)14U; + store64_le(b81, b2); + uint8_t *b82 = out + (uint32_t)21U; + store64_le(b82, b3); + store32_le(out + (uint32_t)28U, b4_); +} + +static inline void sha512_pre_msg(uint8_t *hash, uint8_t *prefix, uint32_t len, uint8_t *input) +{ + uint8_t buf[128U] = { 0U }; + uint64_t block_state[8U] = { 0U }; + Hacl_Streaming_SHA2_state_sha2_384 + s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; + Hacl_Streaming_SHA2_state_sha2_384 p = s; + Hacl_Hash_Core_SHA2_init_512(block_state); + Hacl_Streaming_SHA2_state_sha2_384 *st = &p; + Hacl_Streaming_SHA2_update_512(st, prefix, (uint32_t)32U); + Hacl_Streaming_SHA2_update_512(st, input, len); + Hacl_Streaming_SHA2_finish_512(st, hash); +} + +static inline void +sha512_pre_pre2_msg( + uint8_t *hash, + uint8_t *prefix, + uint8_t *prefix2, + uint32_t len, + uint8_t *input +) +{ + uint8_t buf[128U] = { 0U }; + uint64_t block_state[8U] = { 0U }; + Hacl_Streaming_SHA2_state_sha2_384 + s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; + Hacl_Streaming_SHA2_state_sha2_384 p = s; + Hacl_Hash_Core_SHA2_init_512(block_state); + Hacl_Streaming_SHA2_state_sha2_384 *st = &p; + Hacl_Streaming_SHA2_update_512(st, prefix, (uint32_t)32U); + Hacl_Streaming_SHA2_update_512(st, prefix2, (uint32_t)32U); + Hacl_Streaming_SHA2_update_512(st, input, len); + Hacl_Streaming_SHA2_finish_512(st, hash); +} + +static inline void +sha512_modq_pre(uint64_t *out, uint8_t *prefix, uint32_t len, uint8_t *input) +{ + uint64_t tmp[10U] = { 0U }; + uint8_t hash[64U] = { 0U }; + sha512_pre_msg(hash, prefix, len, input); + load_64_bytes(tmp, hash); + barrett_reduction(out, tmp); +} + +static inline void +sha512_modq_pre_pre2( + 
uint64_t *out, + uint8_t *prefix, + uint8_t *prefix2, + uint32_t len, + uint8_t *input +) +{ + uint64_t tmp[10U] = { 0U }; + uint8_t hash[64U] = { 0U }; + sha512_pre_pre2_msg(hash, prefix, prefix2, len, input); + load_64_bytes(tmp, hash); + barrett_reduction(out, tmp); +} + +static inline void point_mul_g_compress(uint8_t *out, uint8_t *s) +{ + uint64_t tmp[20U] = { 0U }; + point_mul_g(tmp, s); + Hacl_Impl_Ed25519_PointCompress_point_compress(out, tmp); +} + +static inline void sign_expanded(uint8_t *signature, uint8_t *ks, uint32_t msg, uint8_t *len) +{ + uint8_t tmp_bytes[160U] = { 0U }; + uint64_t tmp_ints[25U] = { 0U }; + uint8_t *rs_ = tmp_bytes + (uint32_t)32U; + uint8_t *s_ = tmp_bytes + (uint32_t)64U; + uint8_t *tmp_public = tmp_bytes; + uint8_t *tmp_xsecret = tmp_bytes + (uint32_t)96U; + memcpy(tmp_public, ks, (uint32_t)32U * sizeof (uint8_t)); + memcpy(tmp_xsecret, ks + (uint32_t)32U, (uint32_t)64U * sizeof (uint8_t)); + uint64_t *r0 = tmp_ints; + uint8_t *prefix = tmp_bytes + (uint32_t)128U; + sha512_modq_pre(r0, prefix, msg, len); + uint8_t *rs_1 = tmp_bytes + (uint32_t)32U; + uint64_t *r = tmp_ints; + uint8_t rb[32U] = { 0U }; + store_56(rb, r); + point_mul_g_compress(rs_1, rb); + uint64_t *h0 = tmp_ints + (uint32_t)20U; + uint8_t *a__ = tmp_bytes; + uint8_t *rs_10 = tmp_bytes + (uint32_t)32U; + sha512_modq_pre_pre2(h0, rs_10, a__, msg, len); + uint64_t *r1 = tmp_ints; + uint64_t *aq = tmp_ints + (uint32_t)5U; + uint64_t *ha = tmp_ints + (uint32_t)10U; + uint64_t *s = tmp_ints + (uint32_t)15U; + uint64_t *h = tmp_ints + (uint32_t)20U; + uint8_t *s_1 = tmp_bytes + (uint32_t)64U; + uint8_t *a = tmp_bytes + (uint32_t)96U; + load_32_bytes(aq, a); + mul_modq(ha, h, aq); + add_modq(s, r1, ha); + store_56(s_1, s); + memcpy(signature, rs_, (uint32_t)32U * sizeof (uint8_t)); + memcpy(signature + (uint32_t)32U, s_, (uint32_t)32U * sizeof (uint8_t)); +} + +static inline void pow2_252m2(uint64_t *out, uint64_t *z) +{ + uint64_t buf[20U] = { 0U }; + uint64_t *a = 
buf; + uint64_t *t00 = buf + (uint32_t)5U; + uint64_t *b0 = buf + (uint32_t)10U; + uint64_t *c0 = buf + (uint32_t)15U; + fsquare_times(a, z, (uint32_t)1U); + fsquare_times(t00, a, (uint32_t)2U); + fmul0(b0, t00, z); + fmul0(a, b0, a); + fsquare_times(t00, a, (uint32_t)1U); + fmul0(b0, t00, b0); + fsquare_times(t00, b0, (uint32_t)5U); + fmul0(b0, t00, b0); + fsquare_times(t00, b0, (uint32_t)10U); + fmul0(c0, t00, b0); + fsquare_times(t00, c0, (uint32_t)20U); + fmul0(t00, t00, c0); + fsquare_times_inplace(t00, (uint32_t)10U); + fmul0(b0, t00, b0); + fsquare_times(t00, b0, (uint32_t)50U); + uint64_t *a0 = buf; + uint64_t *t0 = buf + (uint32_t)5U; + uint64_t *b = buf + (uint32_t)10U; + uint64_t *c = buf + (uint32_t)15U; + fsquare_times(a0, z, (uint32_t)1U); + fmul0(c, t0, b); + fsquare_times(t0, c, (uint32_t)100U); + fmul0(t0, t0, c); + fsquare_times_inplace(t0, (uint32_t)50U); + fmul0(t0, t0, b); + fsquare_times_inplace(t0, (uint32_t)2U); + fmul0(out, t0, a0); +} + +static inline bool is_0(uint64_t *x) +{ + uint64_t x0 = x[0U]; + uint64_t x1 = x[1U]; + uint64_t x2 = x[2U]; + uint64_t x3 = x[3U]; + uint64_t x4 = x[4U]; + return + x0 + == (uint64_t)0U + && x1 == (uint64_t)0U + && x2 == (uint64_t)0U + && x3 == (uint64_t)0U + && x4 == (uint64_t)0U; +} + +static inline void mul_modp_sqrt_m1(uint64_t *x) +{ + uint64_t sqrt_m1[5U] = { 0U }; + sqrt_m1[0U] = (uint64_t)0x00061b274a0ea0b0U; + sqrt_m1[1U] = (uint64_t)0x0000d5a5fc8f189dU; + sqrt_m1[2U] = (uint64_t)0x0007ef5e9cbd0c60U; + sqrt_m1[3U] = (uint64_t)0x00078595a6804c9eU; + sqrt_m1[4U] = (uint64_t)0x0002b8324804fc1dU; + fmul0(x, x, sqrt_m1); +} + +static inline bool recover_x(uint64_t *x, uint64_t *y, uint64_t sign) +{ + uint64_t tmp[20U] = { 0U }; + uint64_t *x2 = tmp; + uint64_t x00 = y[0U]; + uint64_t x1 = y[1U]; + uint64_t x21 = y[2U]; + uint64_t x30 = y[3U]; + uint64_t x4 = y[4U]; + bool + b = + x00 + >= (uint64_t)0x7ffffffffffedU + && x1 == (uint64_t)0x7ffffffffffffU + && x21 == (uint64_t)0x7ffffffffffffU + && x30 
== (uint64_t)0x7ffffffffffffU + && x4 == (uint64_t)0x7ffffffffffffU; + bool res; + if (b) + { + res = false; + } + else + { + uint64_t tmp1[25U] = { 0U }; + uint64_t *one = tmp1; + uint64_t *y2 = tmp1 + (uint32_t)5U; + uint64_t *dyyi = tmp1 + (uint32_t)10U; + uint64_t *dyy = tmp1 + (uint32_t)15U; + one[0U] = (uint64_t)1U; + one[1U] = (uint64_t)0U; + one[2U] = (uint64_t)0U; + one[3U] = (uint64_t)0U; + one[4U] = (uint64_t)0U; + fsquare(y2, y); + times_d(dyy, y2); + fsum(dyy, one); + Hacl_Bignum25519_reduce_513(dyy); + Hacl_Bignum25519_inverse(dyyi, dyy); + fdifference(one, y2); + fmul0(x2, one, dyyi); + reduce(x2); + bool x2_is_0 = is_0(x2); + uint8_t z; + if (x2_is_0) + { + if (sign == (uint64_t)0U) + { + x[0U] = (uint64_t)0U; + x[1U] = (uint64_t)0U; + x[2U] = (uint64_t)0U; + x[3U] = (uint64_t)0U; + x[4U] = (uint64_t)0U; + z = (uint8_t)1U; + } + else + { + z = (uint8_t)0U; + } + } + else + { + z = (uint8_t)2U; + } + if (z == (uint8_t)0U) + { + res = false; + } + else if (z == (uint8_t)1U) + { + res = true; + } + else + { + uint64_t *x210 = tmp; + uint64_t *x31 = tmp + (uint32_t)5U; + uint64_t *t00 = tmp + (uint32_t)10U; + uint64_t *t10 = tmp + (uint32_t)15U; + pow2_252m2(x31, x210); + fsquare(t00, x31); + memcpy(t10, x210, (uint32_t)5U * sizeof (uint64_t)); + fdifference(t10, t00); + Hacl_Bignum25519_reduce_513(t10); + reduce(t10); + bool t1_is_0 = is_0(t10); + if (!t1_is_0) + { + mul_modp_sqrt_m1(x31); + } + uint64_t *x211 = tmp; + uint64_t *x3 = tmp + (uint32_t)5U; + uint64_t *t01 = tmp + (uint32_t)10U; + uint64_t *t1 = tmp + (uint32_t)15U; + fsquare(t01, x3); + memcpy(t1, x211, (uint32_t)5U * sizeof (uint64_t)); + fdifference(t1, t01); + Hacl_Bignum25519_reduce_513(t1); + reduce(t1); + bool z1 = is_0(t1); + if (z1 == false) + { + res = false; + } + else + { + uint64_t *x32 = tmp + (uint32_t)5U; + uint64_t *t0 = tmp + (uint32_t)10U; + reduce(x32); + uint64_t x0 = x32[0U]; + uint64_t x01 = x0 & (uint64_t)1U; + if (!(x01 == sign)) + { + t0[0U] = (uint64_t)0U; + 
t0[1U] = (uint64_t)0U; + t0[2U] = (uint64_t)0U; + t0[3U] = (uint64_t)0U; + t0[4U] = (uint64_t)0U; + fdifference(x32, t0); + Hacl_Bignum25519_reduce_513(x32); + reduce(x32); + } + memcpy(x, x32, (uint32_t)5U * sizeof (uint64_t)); + res = true; + } + } + } + bool res0 = res; + return res0; +} + +bool Hacl_Impl_Ed25519_PointDecompress_point_decompress(uint64_t *out, uint8_t *s) +{ + uint64_t tmp[10U] = { 0U }; + uint64_t *y = tmp; + uint64_t *x = tmp + (uint32_t)5U; + uint8_t s31 = s[31U]; + uint8_t z = s31 >> (uint32_t)7U; + uint64_t sign = (uint64_t)z; + Hacl_Bignum25519_load_51(y, s); + bool z0 = recover_x(x, y, sign); + bool res; + if (z0 == false) + { + res = false; + } + else + { + uint64_t *outx = out; + uint64_t *outy = out + (uint32_t)5U; + uint64_t *outz = out + (uint32_t)10U; + uint64_t *outt = out + (uint32_t)15U; + memcpy(outx, x, (uint32_t)5U * sizeof (uint64_t)); + memcpy(outy, y, (uint32_t)5U * sizeof (uint64_t)); + outz[0U] = (uint64_t)1U; + outz[1U] = (uint64_t)0U; + outz[2U] = (uint64_t)0U; + outz[3U] = (uint64_t)0U; + outz[4U] = (uint64_t)0U; + fmul0(outt, x, y); + res = true; + } + bool res0 = res; + return res0; +} + +static inline bool gte_q(uint64_t *s) +{ + uint64_t s0 = s[0U]; + uint64_t s1 = s[1U]; + uint64_t s2 = s[2U]; + uint64_t s3 = s[3U]; + uint64_t s4 = s[4U]; + if (s4 > (uint64_t)0x00000010000000U) + { + return true; + } + if (s4 < (uint64_t)0x00000010000000U) + { + return false; + } + if (s3 > (uint64_t)0x00000000000000U) + { + return true; + } + if (s2 > (uint64_t)0x000000000014deU) + { + return true; + } + if (s2 < (uint64_t)0x000000000014deU) + { + return false; + } + if (s1 > (uint64_t)0xf9dea2f79cd658U) + { + return true; + } + if (s1 < (uint64_t)0xf9dea2f79cd658U) + { + return false; + } + if (s0 >= (uint64_t)0x12631a5cf5d3edU) + { + return true; + } + return false; +} + +static inline bool eq(uint64_t *a, uint64_t *b) +{ + uint64_t a0 = a[0U]; + uint64_t a1 = a[1U]; + uint64_t a2 = a[2U]; + uint64_t a3 = a[3U]; + uint64_t a4 = 
a[4U]; + uint64_t b0 = b[0U]; + uint64_t b1 = b[1U]; + uint64_t b2 = b[2U]; + uint64_t b3 = b[3U]; + uint64_t b4 = b[4U]; + return a0 == b0 && a1 == b1 && a2 == b2 && a3 == b3 && a4 == b4; +} + +bool Hacl_Impl_Ed25519_PointEqual_point_equal(uint64_t *p, uint64_t *q) +{ + uint64_t tmp[20U] = { 0U }; + uint64_t *pxqz = tmp; + uint64_t *qxpz = tmp + (uint32_t)5U; + fmul0(pxqz, p, q + (uint32_t)10U); + reduce(pxqz); + fmul0(qxpz, q, p + (uint32_t)10U); + reduce(qxpz); + bool b = eq(pxqz, qxpz); + if (b) + { + uint64_t *pyqz = tmp + (uint32_t)10U; + uint64_t *qypz = tmp + (uint32_t)15U; + fmul0(pyqz, p + (uint32_t)5U, q + (uint32_t)10U); + reduce(pyqz); + fmul0(qypz, q + (uint32_t)5U, p + (uint32_t)10U); + reduce(qypz); + return eq(pyqz, qypz); + } + return false; +} + +void Hacl_Impl_Ed25519_PointNegate_point_negate(uint64_t *p, uint64_t *out) +{ + uint64_t zero[5U] = { 0U }; + zero[0U] = (uint64_t)0U; + zero[1U] = (uint64_t)0U; + zero[2U] = (uint64_t)0U; + zero[3U] = (uint64_t)0U; + zero[4U] = (uint64_t)0U; + uint64_t *x = p; + uint64_t *y = p + (uint32_t)5U; + uint64_t *z = p + (uint32_t)10U; + uint64_t *t = p + (uint32_t)15U; + uint64_t *x1 = out; + uint64_t *y1 = out + (uint32_t)5U; + uint64_t *z1 = out + (uint32_t)10U; + uint64_t *t1 = out + (uint32_t)15U; + memcpy(x1, x, (uint32_t)5U * sizeof (uint64_t)); + fdifference(x1, zero); + Hacl_Bignum25519_reduce_513(x1); + memcpy(y1, y, (uint32_t)5U * sizeof (uint64_t)); + memcpy(z1, z, (uint32_t)5U * sizeof (uint64_t)); + memcpy(t1, t, (uint32_t)5U * sizeof (uint64_t)); + fdifference(t1, zero); + Hacl_Bignum25519_reduce_513(t1); +} + +void Hacl_Ed25519_sign(uint8_t *signature, uint8_t *priv, uint32_t len, uint8_t *msg) +{ + uint8_t ks[96U] = { 0U }; + secret_expand(ks + (uint32_t)32U, priv); + secret_to_public(ks, priv); + sign_expanded(signature, ks, len, msg); +} + +bool Hacl_Ed25519_verify(uint8_t *pub, uint32_t len, uint8_t *msg, uint8_t *signature) +{ + uint64_t tmp[45U] = { 0U }; + uint8_t tmp_[32U] = { 0U }; + 
uint64_t *a_ = tmp; + uint64_t *r_ = tmp + (uint32_t)20U; + bool b = Hacl_Impl_Ed25519_PointDecompress_point_decompress(a_, pub); + bool res; + if (b) + { + uint8_t *rs = signature; + bool b_ = Hacl_Impl_Ed25519_PointDecompress_point_decompress(r_, rs); + if (b_) + { + uint8_t *rs1 = signature; + uint64_t *a_1 = tmp; + uint64_t *r_1 = tmp + (uint32_t)20U; + uint64_t *s = tmp + (uint32_t)40U; + load_32_bytes(s, signature + (uint32_t)32U); + bool b__ = gte_q(s); + if (b__) + { + res = false; + } + else + { + uint64_t r_2[5U] = { 0U }; + sha512_modq_pre_pre2(r_2, rs1, pub, len, msg); + store_56(tmp_, r_2); + uint8_t *uu____0 = signature + (uint32_t)32U; + uint64_t tmp1[40U] = { 0U }; + uint64_t *a_neg = tmp1; + uint64_t *exp_d = tmp1 + (uint32_t)20U; + Hacl_Impl_Ed25519_PointNegate_point_negate(a_1, a_neg); + point_mul_g_double_vartime(exp_d, uu____0, tmp_, a_neg); + uint64_t *exp_d0 = tmp1 + (uint32_t)20U; + bool b1 = Hacl_Impl_Ed25519_PointEqual_point_equal(exp_d0, r_1); + res = b1; + } + } + else + { + res = false; + } + } + else + { + res = false; + } + bool res0 = res; + return res0; +} + +void Hacl_Ed25519_secret_to_public(uint8_t *pub, uint8_t *priv) +{ + secret_to_public(pub, priv); +} + +void Hacl_Ed25519_expand_keys(uint8_t *ks, uint8_t *priv) +{ + secret_expand(ks + (uint32_t)32U, priv); + secret_to_public(ks, priv); +} + +void Hacl_Ed25519_sign_expanded(uint8_t *signature, uint8_t *ks, uint32_t len, uint8_t *msg) +{ + sign_expanded(signature, ks, len, msg); +} + diff --git a/src/Hacl_GenericField32.c b/src/Hacl_GenericField32.c new file mode 100644 index 00000000..010df82a --- /dev/null +++ b/src/Hacl_GenericField32.c 
@@ -0,0 +1,591 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_GenericField32.h" + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Bignum.h" + +/******************************************************************************* + +A verified field arithmetic library. + +This is a 32-bit optimized version, where bignums are represented as an array +of `len` unsigned 32-bit integers, i.e. uint32_t[len]. + +All the arithmetic operations are performed in the Montgomery domain. + +All the functions below preserve the following invariant for a bignum `aM` in +Montgomery form. + • aM < n + +*******************************************************************************/ + + +/* +Check whether this library will work for a modulus `n`. 
+ + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n +*/ +bool Hacl_GenericField32_field_modulus_check(uint32_t len, uint32_t *n) +{ + uint32_t m = Hacl_Bignum_Montgomery_bn_check_modulus_u32(len, n); + return m == (uint32_t)0xFFFFFFFFU; +} + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_GenericField32_field_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 +*Hacl_GenericField32_field_init(uint32_t len, uint32_t *n) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *r2 = KRML_HOST_CALLOC(len, sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *n1 = KRML_HOST_CALLOC(len, sizeof (uint32_t)); + uint32_t *r21 = r2; + uint32_t *n11 = n1; + memcpy(n11, n, len * sizeof (uint32_t)); + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32(len, n); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u32(len, nBits, n, r21); + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 res = { .len = len, .n = n11, .mu = mu, .r2 = r21 }; + KRML_CHECK_SIZE(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32), (uint32_t)1U); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 + *buf = KRML_HOST_MALLOC(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32)); + buf[0U] = res; + return buf; +} + +/* +Deallocate the memory previously allocated by Hacl_GenericField32_field_init. + + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. 
+*/ +void Hacl_GenericField32_field_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + uint32_t *n = k1.n; + uint32_t *r2 = k1.r2; + KRML_HOST_FREE(n); + KRML_HOST_FREE(r2); + KRML_HOST_FREE(k); +} + +/* +Return the size of a modulus `n` in limbs. + + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +uint32_t Hacl_GenericField32_field_get_len(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + return k1.len; +} + +/* +Convert a bignum from the regular representation to the Montgomery representation. + + Write `a * R mod n` in `aM`. + + The argument a and the outparam aM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void +Hacl_GenericField32_to_field( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *aM +) +{ + uint32_t len1 = Hacl_GenericField32_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + Hacl_Bignum_Montgomery_bn_to_mont_u32(len1, k1.n, k1.mu, k1.r2, a, aM); +} + +/* +Convert a result back from the Montgomery representation to the regular representation. + + Write `aM / R mod n` in `a`, i.e. + Hacl_GenericField32_from_field(k, Hacl_GenericField32_to_field(k, a)) == a % n + + The argument aM and the outparam a are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void +Hacl_GenericField32_from_field( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *a +) +{ + uint32_t len1 = Hacl_GenericField32_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, k1.n, k1.mu, aM, a); +} + +/* +Write `aM + bM mod n` in `cM`. 
+ + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void +Hacl_GenericField32_add( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *bM, + uint32_t *cM +) +{ + uint32_t len1 = Hacl_GenericField32_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + Hacl_Bignum_bn_add_mod_n_u32(len1, k1.n, aM, bM, cM); +} + +/* +Write `aM - bM mod n` to `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void +Hacl_GenericField32_sub( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *bM, + uint32_t *cM +) +{ + uint32_t len1 = Hacl_GenericField32_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + Hacl_Bignum_bn_sub_mod_n_u32(len1, k1.n, aM, bM, cM); +} + +/* +Write `aM * bM mod n` in `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void +Hacl_GenericField32_mul( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *bM, + uint32_t *cM +) +{ + uint32_t len1 = Hacl_GenericField32_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, k1.n, k1.mu, aM, bM, cM); +} + +/* +Write `aM * aM mod n` in `cM`. + + The argument aM and the outparam cM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. 
+*/ +void +Hacl_GenericField32_sqr( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *cM +) +{ + uint32_t len1 = Hacl_GenericField32_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, k1.n, k1.mu, aM, cM); +} + +/* +Convert a bignum `one` to its Montgomery representation. + + The outparam oneM is meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void Hacl_GenericField32_one(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, uint32_t *oneM) +{ + uint32_t len1 = Hacl_GenericField32_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, k1.n, k1.mu, k1.r2, oneM); +} + +/* +Write `aM ^ b mod n` in `resM`. + + The argument aM and the outparam resM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than exp_vartime. + + Before calling this function, the caller will need to ensure that the following + precondition is observed. 
+ • b < pow2 bBits +*/ +void +Hacl_GenericField32_exp_consttime( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t bBits, + uint32_t *b, + uint32_t *resM +) +{ + uint32_t len1 = Hacl_GenericField32_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + KRML_CHECK_SIZE(sizeof (uint32_t), k1.len); + uint32_t aMc[k1.len]; + memset(aMc, 0U, k1.len * sizeof (uint32_t)); + memcpy(aMc, aM, k1.len * sizeof (uint32_t)); + if (bBits < (uint32_t)200U) + { + Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, k1.n, k1.mu, k1.r2, resM); + uint32_t sw = (uint32_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < bBits; i0++) + { + uint32_t i1 = (bBits - i0 - (uint32_t)1U) / (uint32_t)32U; + uint32_t j = (bBits - i0 - (uint32_t)1U) % (uint32_t)32U; + uint32_t tmp = b[i1]; + uint32_t bit = tmp >> j & (uint32_t)1U; + uint32_t sw1 = bit ^ sw; + for (uint32_t i = (uint32_t)0U; i < len1; i++) + { + uint32_t dummy = ((uint32_t)0U - sw1) & (resM[i] ^ aMc[i]); + resM[i] = resM[i] ^ dummy; + aMc[i] = aMc[i] ^ dummy; + } + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, k1.n, k1.mu, aMc, resM, aMc); + Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, k1.n, k1.mu, resM, resM); + sw = bit; + } + uint32_t sw0 = sw; + for (uint32_t i = (uint32_t)0U; i < len1; i++) + { + uint32_t dummy = ((uint32_t)0U - sw0) & (resM[i] ^ aMc[i]); + resM[i] = resM[i] ^ dummy; + aMc[i] = aMc[i] ^ dummy; + } + } + else + { + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, k1.n, k1.mu, k1.r2, resM); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)16U * len1); + uint32_t table[(uint32_t)16U * len1]; + memset(table, 0U, (uint32_t)16U * len1 * sizeof (uint32_t)); + memcpy(table, resM, len1 * sizeof (uint32_t)); + uint32_t *t1 = table + len1; + memcpy(t1, aMc, len1 * sizeof (uint32_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) 
+ { + uint32_t *t11 = table + (i + (uint32_t)1U) * len1; + uint32_t *t2 = table + (i + (uint32_t)2U) * len1; + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, k1.n, k1.mu, t11, aMc, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i0 = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)32U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)32U; + uint32_t p1 = b[i0] >> j; + uint32_t ite; + if (i0 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i0 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_c = ite & mask_l; + memcpy(resM, table, len1 * sizeof (uint32_t)); + for (uint32_t i1 = (uint32_t)0U; i1 < (uint32_t)15U; i1++) + { + uint32_t c = FStar_UInt32_eq_mask(bits_c, i1 + (uint32_t)1U); + uint32_t *res_j = table + (i1 + (uint32_t)1U) * len1; + for (uint32_t i = (uint32_t)0U; i < len1; i++) + { + uint32_t *os = resM; + uint32_t x = (c & res_j[i]) | (~c & resM[i]); + os[i] = x; + } + } + } + for (uint32_t i0 = (uint32_t)0U; i0 < bBits / (uint32_t)4U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, k1.n, k1.mu, resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i0 - (uint32_t)4U) / (uint32_t)32U; + uint32_t j = (bk - (uint32_t)4U * i0 - (uint32_t)4U) % (uint32_t)32U; + uint32_t p1 = b[i1] >> j; + uint32_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_l = ite & mask_l; + KRML_CHECK_SIZE(sizeof (uint32_t), len1); + uint32_t a_bits_l[len1]; + memset(a_bits_l, 0U, len1 * sizeof (uint32_t)); + memcpy(a_bits_l, table, len1 * sizeof (uint32_t)); + for (uint32_t i2 = (uint32_t)0U; i2 < (uint32_t)15U; i2++) + { + uint32_t c = FStar_UInt32_eq_mask(bits_l, i2 + 
(uint32_t)1U); + uint32_t *res_j = table + (i2 + (uint32_t)1U) * len1; + for (uint32_t i = (uint32_t)0U; i < len1; i++) + { + uint32_t *os = a_bits_l; + uint32_t x = (c & res_j[i]) | (~c & a_bits_l[i]); + os[i] = x; + } + } + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, k1.n, k1.mu, resM, a_bits_l, resM); + } + } +} + +/* +Write `aM ^ b mod n` in `resM`. + + The argument aM and the outparam resM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + exp_consttime function for constant-time variant. + + Before calling this function, the caller will need to ensure that the following + precondition is observed. 
+ • b < pow2 bBits +*/ +void +Hacl_GenericField32_exp_vartime( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t bBits, + uint32_t *b, + uint32_t *resM +) +{ + uint32_t len1 = Hacl_GenericField32_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + KRML_CHECK_SIZE(sizeof (uint32_t), k1.len); + uint32_t aMc[k1.len]; + memset(aMc, 0U, k1.len * sizeof (uint32_t)); + memcpy(aMc, aM, k1.len * sizeof (uint32_t)); + if (bBits < (uint32_t)200U) + { + Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, k1.n, k1.mu, k1.r2, resM); + for (uint32_t i = (uint32_t)0U; i < bBits; i++) + { + uint32_t i1 = i / (uint32_t)32U; + uint32_t j = i % (uint32_t)32U; + uint32_t tmp = b[i1]; + uint32_t bit = tmp >> j & (uint32_t)1U; + if (!(bit == (uint32_t)0U)) + { + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, k1.n, k1.mu, resM, aMc, resM); + } + Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, k1.n, k1.mu, aMc, aMc); + } + } + else + { + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, k1.n, k1.mu, k1.r2, resM); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)16U * len1); + uint32_t table[(uint32_t)16U * len1]; + memset(table, 0U, (uint32_t)16U * len1 * sizeof (uint32_t)); + memcpy(table, resM, len1 * sizeof (uint32_t)); + uint32_t *t1 = table + len1; + memcpy(t1, aMc, len1 * sizeof (uint32_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint32_t *t11 = table + (i + (uint32_t)1U) * len1; + uint32_t *t2 = table + (i + (uint32_t)2U) * len1; + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, k1.n, k1.mu, t11, aMc, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)32U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)32U; + uint32_t p1 = b[i] >> j; + uint32_t 
ite; + if (i + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_c = ite & mask_l; + uint32_t bits_l32 = bits_c; + uint32_t *a_bits_l = table + bits_l32 * len1; + memcpy(resM, a_bits_l, len1 * sizeof (uint32_t)); + } + for (uint32_t i = (uint32_t)0U; i < bBits / (uint32_t)4U; i++) + { + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, k1.n, k1.mu, resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)32U; + uint32_t j = (bk - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)32U; + uint32_t p1 = b[i1] >> j; + uint32_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_l = ite & mask_l; + KRML_CHECK_SIZE(sizeof (uint32_t), len1); + uint32_t a_bits_l[len1]; + memset(a_bits_l, 0U, len1 * sizeof (uint32_t)); + uint32_t bits_l32 = bits_l; + uint32_t *a_bits_l1 = table + bits_l32 * len1; + memcpy(a_bits_l, a_bits_l1, len1 * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, k1.n, k1.mu, resM, a_bits_l, resM); + } + } +} + +/* +Write `aM ^ (-1) mod n` in `aInvM`. + + The argument aM and the outparam aInvM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • n is a prime + • 0 < aM +*/ +void +Hacl_GenericField32_inverse( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *aInvM +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + uint32_t len1 = k1.len; + KRML_CHECK_SIZE(sizeof (uint32_t), len1); + uint32_t n2[len1]; + memset(n2, 0U, len1 * sizeof (uint32_t)); + uint32_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32((uint32_t)0U, k1.n[0U], (uint32_t)2U, n2); + uint32_t c1; + if ((uint32_t)1U < len1) + { + uint32_t rLen = len1 - (uint32_t)1U; + uint32_t *a1 = k1.n + (uint32_t)1U; + uint32_t *res1 = n2 + (uint32_t)1U; + uint32_t c = c0; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint32_t t1 = a1[(uint32_t)4U * i]; + uint32_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i0); + uint32_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, (uint32_t)0U, res_i1); + uint32_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, (uint32_t)0U, res_i2); + uint32_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, (uint32_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint32_t t1 = a1[i]; + uint32_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i); + } + uint32_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + Hacl_GenericField32_exp_vartime(k, aM, k1.len * (uint32_t)32U, n2, aInvM); +} + diff --git a/src/Hacl_GenericField64.c b/src/Hacl_GenericField64.c new file mode 100644 index 00000000..a93df223 --- /dev/null +++ b/src/Hacl_GenericField64.c 
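Review bot: `Hacl_GenericField32_field_init` writes through the results of `KRML_HOST_CALLOC` and `KRML_HOST_MALLOC` (`memcpy(n11, n, len * sizeof (uint32_t))`, `buf[0U] = res`) without a NULL check; `KRML_CHECK_SIZE` only guards the size computation, so unless the Kremlib configuration maps these macros to an aborting allocator — not visible in this hunk — an allocation failure becomes a write through NULL, and a guard such as `if (r2 == NULL || n1 == NULL) { KRML_HOST_FREE(r2); KRML_HOST_FREE(n1); return NULL; }` plus the header sentence `The function returns NULL if memory allocation fails.` would make the failure mode explicit. In the same file, `Hacl_GenericField32_inverse` assigns the final borrow of the `n - 2` subtraction to `c1` but never reads it, which `-Wunused-but-set-variable` will report on every build. Both points apply equally to `Hacl_GenericField64_field_init` and `Hacl_GenericField64_inverse` in the following file section. Since these sources appear to be extracted output rather than hand-written, the change presumably belongs in the extraction pipeline rather than as a local edit, with the hand-written header comments updated to match.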
@@ -0,0 +1,591 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_GenericField64.h" + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Bignum.h" + +/******************************************************************************* + +A verified field arithmetic library. + +This is a 64-bit optimized version, where bignums are represented as an array +of `len` unsigned 64-bit integers, i.e. uint64_t[len]. + +All the arithmetic operations are performed in the Montgomery domain. + +All the functions below preserve the following invariant for a bignum `aM` in +Montgomery form. + • aM < n + +*******************************************************************************/ + + +/* +Check whether this library will work for a modulus `n`. 
+ + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n +*/ +bool Hacl_GenericField64_field_modulus_check(uint32_t len, uint64_t *n) +{ + uint64_t m = Hacl_Bignum_Montgomery_bn_check_modulus_u64(len, n); + return m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be `len` limbs in size, i.e. uint64_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_GenericField64_field_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 +*Hacl_GenericField64_field_init(uint32_t len, uint64_t *n) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *r2 = KRML_HOST_CALLOC(len, sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *n1 = KRML_HOST_CALLOC(len, sizeof (uint64_t)); + uint64_t *r21 = r2; + uint64_t *n11 = n1; + memcpy(n11, n, len * sizeof (uint64_t)); + uint32_t nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64(len, n); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64(len, nBits, n, r21); + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 res = { .len = len, .n = n11, .mu = mu, .r2 = r21 }; + KRML_CHECK_SIZE(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64), (uint32_t)1U); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 + *buf = KRML_HOST_MALLOC(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64)); + buf[0U] = res; + return buf; +} + +/* +Deallocate the memory previously allocated by Hacl_GenericField64_field_init. + + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. 
+*/ +void Hacl_GenericField64_field_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + uint64_t *n = k1.n; + uint64_t *r2 = k1.r2; + KRML_HOST_FREE(n); + KRML_HOST_FREE(r2); + KRML_HOST_FREE(k); +} + +/* +Return the size of a modulus `n` in limbs. + + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +uint32_t Hacl_GenericField64_field_get_len(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + return k1.len; +} + +/* +Convert a bignum from the regular representation to the Montgomery representation. + + Write `a * R mod n` in `aM`. + + The argument a and the outparam aM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_to_field( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *aM +) +{ + uint32_t len1 = Hacl_GenericField64_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + Hacl_Bignum_Montgomery_bn_to_mont_u64(len1, k1.n, k1.mu, k1.r2, a, aM); +} + +/* +Convert a result back from the Montgomery representation to the regular representation. + + Write `aM / R mod n` in `a`, i.e. + Hacl_GenericField64_from_field(k, Hacl_GenericField64_to_field(k, a)) == a % n + + The argument aM and the outparam a are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_from_field( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *a +) +{ + uint32_t len1 = Hacl_GenericField64_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, k1.n, k1.mu, aM, a); +} + +/* +Write `aM + bM mod n` in `cM`. 
+ + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_add( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *bM, + uint64_t *cM +) +{ + uint32_t len1 = Hacl_GenericField64_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + Hacl_Bignum_bn_add_mod_n_u64(len1, k1.n, aM, bM, cM); +} + +/* +Write `aM - bM mod n` to `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_sub( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *bM, + uint64_t *cM +) +{ + uint32_t len1 = Hacl_GenericField64_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + Hacl_Bignum_bn_sub_mod_n_u64(len1, k1.n, aM, bM, cM); +} + +/* +Write `aM * bM mod n` in `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_mul( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *bM, + uint64_t *cM +) +{ + uint32_t len1 = Hacl_GenericField64_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, k1.n, k1.mu, aM, bM, cM); +} + +/* +Write `aM * aM mod n` in `cM`. + + The argument aM and the outparam cM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. 
+*/ +void +Hacl_GenericField64_sqr( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *cM +) +{ + uint32_t len1 = Hacl_GenericField64_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, k1.n, k1.mu, aM, cM); +} + +/* +Convert a bignum `one` to its Montgomery representation. + + The outparam oneM is meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void Hacl_GenericField64_one(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, uint64_t *oneM) +{ + uint32_t len1 = Hacl_GenericField64_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, k1.n, k1.mu, k1.r2, oneM); +} + +/* +Write `aM ^ b mod n` in `resM`. + + The argument aM and the outparam resM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than exp_vartime. + + Before calling this function, the caller will need to ensure that the following + precondition is observed. 
+ • b < pow2 bBits +*/ +void +Hacl_GenericField64_exp_consttime( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint32_t bBits, + uint64_t *b, + uint64_t *resM +) +{ + uint32_t len1 = Hacl_GenericField64_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + KRML_CHECK_SIZE(sizeof (uint64_t), k1.len); + uint64_t aMc[k1.len]; + memset(aMc, 0U, k1.len * sizeof (uint64_t)); + memcpy(aMc, aM, k1.len * sizeof (uint64_t)); + if (bBits < (uint32_t)200U) + { + Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, k1.n, k1.mu, k1.r2, resM); + uint64_t sw = (uint64_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < bBits; i0++) + { + uint32_t i1 = (bBits - i0 - (uint32_t)1U) / (uint32_t)64U; + uint32_t j = (bBits - i0 - (uint32_t)1U) % (uint32_t)64U; + uint64_t tmp = b[i1]; + uint64_t bit = tmp >> j & (uint64_t)1U; + uint64_t sw1 = bit ^ sw; + for (uint32_t i = (uint32_t)0U; i < len1; i++) + { + uint64_t dummy = ((uint64_t)0U - sw1) & (resM[i] ^ aMc[i]); + resM[i] = resM[i] ^ dummy; + aMc[i] = aMc[i] ^ dummy; + } + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, k1.n, k1.mu, aMc, resM, aMc); + Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, k1.n, k1.mu, resM, resM); + sw = bit; + } + uint64_t sw0 = sw; + for (uint32_t i = (uint32_t)0U; i < len1; i++) + { + uint64_t dummy = ((uint64_t)0U - sw0) & (resM[i] ^ aMc[i]); + resM[i] = resM[i] ^ dummy; + aMc[i] = aMc[i] ^ dummy; + } + } + else + { + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, k1.n, k1.mu, k1.r2, resM); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)16U * len1); + uint64_t table[(uint32_t)16U * len1]; + memset(table, 0U, (uint32_t)16U * len1 * sizeof (uint64_t)); + memcpy(table, resM, len1 * sizeof (uint64_t)); + uint64_t *t1 = table + len1; + memcpy(t1, aMc, len1 * sizeof (uint64_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) 
+ { + uint64_t *t11 = table + (i + (uint32_t)1U) * len1; + uint64_t *t2 = table + (i + (uint32_t)2U) * len1; + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, k1.n, k1.mu, t11, aMc, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i0 = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)64U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)64U; + uint64_t p1 = b[i0] >> j; + uint64_t ite; + if (i0 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i0 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_c = ite & mask_l; + memcpy(resM, table, len1 * sizeof (uint64_t)); + for (uint32_t i1 = (uint32_t)0U; i1 < (uint32_t)15U; i1++) + { + uint64_t c = FStar_UInt64_eq_mask(bits_c, (uint64_t)(i1 + (uint32_t)1U)); + uint64_t *res_j = table + (i1 + (uint32_t)1U) * len1; + for (uint32_t i = (uint32_t)0U; i < len1; i++) + { + uint64_t *os = resM; + uint64_t x = (c & res_j[i]) | (~c & resM[i]); + os[i] = x; + } + } + } + for (uint32_t i0 = (uint32_t)0U; i0 < bBits / (uint32_t)4U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, k1.n, k1.mu, resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i0 - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk - (uint32_t)4U * i0 - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = b[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_l = ite & mask_l; + KRML_CHECK_SIZE(sizeof (uint64_t), len1); + uint64_t a_bits_l[len1]; + memset(a_bits_l, 0U, len1 * sizeof (uint64_t)); + memcpy(a_bits_l, table, len1 * sizeof (uint64_t)); + for (uint32_t i2 = (uint32_t)0U; i2 < (uint32_t)15U; i2++) + { + uint64_t c = FStar_UInt64_eq_mask(bits_l, 
(uint64_t)(i2 + (uint32_t)1U)); + uint64_t *res_j = table + (i2 + (uint32_t)1U) * len1; + for (uint32_t i = (uint32_t)0U; i < len1; i++) + { + uint64_t *os = a_bits_l; + uint64_t x = (c & res_j[i]) | (~c & a_bits_l[i]); + os[i] = x; + } + } + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, k1.n, k1.mu, resM, a_bits_l, resM); + } + } +} + +/* +Write `aM ^ b mod n` in `resM`. + + The argument aM and the outparam resM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + exp_consttime function for constant-time variant. + + Before calling this function, the caller will need to ensure that the following + precondition is observed. 
+ • b < pow2 bBits +*/ +void +Hacl_GenericField64_exp_vartime( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint32_t bBits, + uint64_t *b, + uint64_t *resM +) +{ + uint32_t len1 = Hacl_GenericField64_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + KRML_CHECK_SIZE(sizeof (uint64_t), k1.len); + uint64_t aMc[k1.len]; + memset(aMc, 0U, k1.len * sizeof (uint64_t)); + memcpy(aMc, aM, k1.len * sizeof (uint64_t)); + if (bBits < (uint32_t)200U) + { + Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, k1.n, k1.mu, k1.r2, resM); + for (uint32_t i = (uint32_t)0U; i < bBits; i++) + { + uint32_t i1 = i / (uint32_t)64U; + uint32_t j = i % (uint32_t)64U; + uint64_t tmp = b[i1]; + uint64_t bit = tmp >> j & (uint64_t)1U; + if (!(bit == (uint64_t)0U)) + { + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, k1.n, k1.mu, resM, aMc, resM); + } + Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, k1.n, k1.mu, aMc, aMc); + } + } + else + { + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, k1.n, k1.mu, k1.r2, resM); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)16U * len1); + uint64_t table[(uint32_t)16U * len1]; + memset(table, 0U, (uint32_t)16U * len1 * sizeof (uint64_t)); + memcpy(table, resM, len1 * sizeof (uint64_t)); + uint64_t *t1 = table + len1; + memcpy(t1, aMc, len1 * sizeof (uint64_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table + (i + (uint32_t)1U) * len1; + uint64_t *t2 = table + (i + (uint32_t)2U) * len1; + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, k1.n, k1.mu, t11, aMc, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)64U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)64U; + uint64_t p1 = b[i] >> j; + uint64_t 
ite; + if (i + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_c = ite & mask_l; + uint32_t bits_l32 = (uint32_t)bits_c; + uint64_t *a_bits_l = table + bits_l32 * len1; + memcpy(resM, a_bits_l, len1 * sizeof (uint64_t)); + } + for (uint32_t i = (uint32_t)0U; i < bBits / (uint32_t)4U; i++) + { + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, k1.n, k1.mu, resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = b[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_l = ite & mask_l; + KRML_CHECK_SIZE(sizeof (uint64_t), len1); + uint64_t a_bits_l[len1]; + memset(a_bits_l, 0U, len1 * sizeof (uint64_t)); + uint32_t bits_l32 = (uint32_t)bits_l; + uint64_t *a_bits_l1 = table + bits_l32 * len1; + memcpy(a_bits_l, a_bits_l1, len1 * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, k1.n, k1.mu, resM, a_bits_l, resM); + } + } +} + +/* +Write `aM ^ (-1) mod n` in `aInvM`. + + The argument aM and the outparam aInvM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • n is a prime + • 0 < aM +*/ +void +Hacl_GenericField64_inverse( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *aInvM +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + uint32_t len1 = k1.len; + KRML_CHECK_SIZE(sizeof (uint64_t), len1); + uint64_t n2[len1]; + memset(n2, 0U, len1 * sizeof (uint64_t)); + uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, k1.n[0U], (uint64_t)2U, n2); + uint64_t c1; + if ((uint32_t)1U < len1) + { + uint32_t rLen = len1 - (uint32_t)1U; + uint64_t *a1 = k1.n + (uint32_t)1U; + uint64_t *res1 = n2 + (uint32_t)1U; + uint64_t c = c0; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint64_t t1 = a1[(uint32_t)4U * i]; + uint64_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i0); + uint64_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, (uint64_t)0U, res_i1); + uint64_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, (uint64_t)0U, res_i2); + uint64_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, (uint64_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint64_t t1 = a1[i]; + uint64_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i); + } + uint64_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + Hacl_GenericField64_exp_vartime(k, aM, k1.len * (uint32_t)64U, n2, aInvM); +} + diff --git a/src/Hacl_HKDF.c b/src/Hacl_HKDF.c new file mode 100644 index 00000000..ce89afe0 --- /dev/null +++ b/src/Hacl_HKDF.c 
@@ -0,0 +1,272 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_HKDF.h" + + + +void +Hacl_HKDF_expand_sha2_256( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)32U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + uint8_t text[tlen + infolen + (uint32_t)1U]; + memset(text, 0U, (tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + Hacl_HMAC_compute_sha2_256(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + Hacl_HMAC_compute_sha2_256(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + Hacl_HMAC_compute_sha2_256(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + Hacl_HMAC_compute_sha2_256(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } +} + +void +Hacl_HKDF_extract_sha2_256( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + Hacl_HMAC_compute_sha2_256(prk, salt, saltlen, ikm, ikmlen); +} + +void +Hacl_HKDF_expand_sha2_512( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)64U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + uint8_t text[tlen + infolen + (uint32_t)1U]; + memset(text, 0U, (tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + uint8_t *text0 = text + tlen; + 
uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + Hacl_HMAC_compute_sha2_512(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + Hacl_HMAC_compute_sha2_512(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + Hacl_HMAC_compute_sha2_512(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + Hacl_HMAC_compute_sha2_512(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } +} + +void +Hacl_HKDF_extract_sha2_512( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + Hacl_HMAC_compute_sha2_512(prk, salt, saltlen, ikm, ikmlen); +} + +void +Hacl_HKDF_expand_blake2s_32( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)32U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + uint8_t text[tlen + infolen + (uint32_t)1U]; + memset(text, 0U, (tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + Hacl_HMAC_compute_blake2s_32(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + Hacl_HMAC_compute_blake2s_32(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + 
} + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + Hacl_HMAC_compute_blake2s_32(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + Hacl_HMAC_compute_blake2s_32(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } +} + +void +Hacl_HKDF_extract_blake2s_32( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + Hacl_HMAC_compute_blake2s_32(prk, salt, saltlen, ikm, ikmlen); +} + +void +Hacl_HKDF_expand_blake2b_32( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)64U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + uint8_t text[tlen + infolen + (uint32_t)1U]; + memset(text, 0U, (tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + Hacl_HMAC_compute_blake2b_32(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + Hacl_HMAC_compute_blake2b_32(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + Hacl_HMAC_compute_blake2b_32(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + Hacl_HMAC_compute_blake2b_32(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } +} + +void +Hacl_HKDF_extract_blake2b_32( + uint8_t *prk, + uint8_t *salt, + uint32_t 
saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + Hacl_HMAC_compute_blake2b_32(prk, salt, saltlen, ikm, ikmlen); +} + diff --git a/src/Hacl_HMAC.c b/src/Hacl_HMAC.c new file mode 100644 index 00000000..617dac38 --- /dev/null +++ b/src/Hacl_HMAC.c 
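Review bot: In Hacl_HKDF_expand_sha2_256 and its three sibling expand functions the block counter is emitted as `ctr[0U] = (uint8_t)(i + (uint32_t)1U);`, so a request with `len > 255 * tlen` is not rejected — the counter silently wraps modulo 256 and output past block 255 is derived with repeated counter bytes, which falls outside the RFC 5869 definition (L ≤ 255·HashLen). Nothing in this hunk checks or states that bound; if the precondition lives in Hacl_HKDF.h or in the F* spec this file is extracted from, it is worth restating next to the loop, e.g. `/* Precondition (RFC 5869 §2.3): len <= 255 * tlen; the 8-bit counter wraps silently beyond that. */`, and since the .c is generated the actual guard belongs in the F* source rather than a hand edit here. Separately, `text` is a VLA of `tlen + infolen + 1` bytes sized by caller-controlled `infolen`, and its first `tlen` bytes hold each intermediate T(i) — OKM key material — that is left on the stack at return; whether that is acceptable depends on the library's general stance on stack hygiene, which this hunk does not show.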
@@ -0,0 +1,769 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_HMAC.h" + +#include "internal/Hacl_Hash_SHA2.h" +#include "internal/Hacl_Hash_SHA1.h" +#include "internal/Hacl_Hash_Blake2.h" + +void +Hacl_HMAC_legacy_compute_sha1( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)64U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t key_block[l]; + memset(key_block, 0U, l * sizeof (uint8_t)); + uint32_t i0; + if (key_len <= (uint32_t)64U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)20U; + } + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)64U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_SHA1_legacy_hash(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t ipad[l]; + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t opad[l]; + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + uint32_t + scrut[5U] = + { + (uint32_t)0x67452301U, (uint32_t)0xefcdab89U, (uint32_t)0x98badcfeU, (uint32_t)0x10325476U, + (uint32_t)0xc3d2e1f0U + }; + uint32_t *s = scrut; + uint8_t *dst1 = ipad; + Hacl_Hash_Core_SHA1_legacy_init(s); + if (data_len == (uint32_t)0U) + { + Hacl_Hash_SHA1_legacy_update_last(s, (uint64_t)0U, ipad, (uint32_t)64U); + } + else + { + Hacl_Hash_SHA1_legacy_update_multi(s, ipad, (uint32_t)1U); + Hacl_Hash_SHA1_legacy_update_last(s, (uint64_t)(uint32_t)64U, data, data_len); + } + Hacl_Hash_Core_SHA1_legacy_finish(s, dst1); + uint8_t *hash1 = ipad; + Hacl_Hash_Core_SHA1_legacy_init(s); + if ((uint32_t)20U == (uint32_t)0U) + { + Hacl_Hash_SHA1_legacy_update_last(s, (uint64_t)0U, opad, (uint32_t)64U); + } + else + { + Hacl_Hash_SHA1_legacy_update_multi(s, 
opad, (uint32_t)1U); + Hacl_Hash_SHA1_legacy_update_last(s, (uint64_t)(uint32_t)64U, hash1, (uint32_t)20U); + } + Hacl_Hash_Core_SHA1_legacy_finish(s, dst); +} + +void +Hacl_HMAC_compute_sha2_256( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)64U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t key_block[l]; + memset(key_block, 0U, l * sizeof (uint8_t)); + uint32_t i0; + if (key_len <= (uint32_t)64U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)32U; + } + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)64U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_SHA2_hash_256(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t ipad[l]; + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t opad[l]; + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + uint32_t + scrut[8U] = + { + (uint32_t)0x6a09e667U, (uint32_t)0xbb67ae85U, (uint32_t)0x3c6ef372U, (uint32_t)0xa54ff53aU, + (uint32_t)0x510e527fU, (uint32_t)0x9b05688cU, (uint32_t)0x1f83d9abU, (uint32_t)0x5be0cd19U + }; + uint32_t *s = scrut; + uint8_t *dst1 = ipad; + Hacl_Hash_Core_SHA2_init_256(s); + if (data_len == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_256(s, (uint64_t)0U, ipad, (uint32_t)64U); + } + else + { + Hacl_Hash_SHA2_update_multi_256(s, ipad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_256(s, (uint64_t)(uint32_t)64U, data, data_len); + } + Hacl_Hash_Core_SHA2_finish_256(s, dst1); + uint8_t *hash1 = ipad; + Hacl_Hash_Core_SHA2_init_256(s); + if ((uint32_t)32U == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_256(s, (uint64_t)0U, opad, (uint32_t)64U); + } + else + { 
+ Hacl_Hash_SHA2_update_multi_256(s, opad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_256(s, (uint64_t)(uint32_t)64U, hash1, (uint32_t)32U); + } + Hacl_Hash_Core_SHA2_finish_256(s, dst); +} + +void +Hacl_HMAC_compute_sha2_384( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)128U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t key_block[l]; + memset(key_block, 0U, l * sizeof (uint8_t)); + uint32_t i0; + if (key_len <= (uint32_t)128U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)48U; + } + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)128U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_SHA2_hash_384(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t ipad[l]; + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t opad[l]; + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + uint64_t + scrut[8U] = + { + (uint64_t)0xcbbb9d5dc1059ed8U, (uint64_t)0x629a292a367cd507U, (uint64_t)0x9159015a3070dd17U, + (uint64_t)0x152fecd8f70e5939U, (uint64_t)0x67332667ffc00b31U, (uint64_t)0x8eb44a8768581511U, + (uint64_t)0xdb0c2e0d64f98fa7U, (uint64_t)0x47b5481dbefa4fa4U + }; + uint64_t *s = scrut; + uint8_t *dst1 = ipad; + Hacl_Hash_Core_SHA2_init_384(s); + if (data_len == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_384(s, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + ipad, + (uint32_t)128U); + } + else + { + Hacl_Hash_SHA2_update_multi_384(s, ipad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_384(s, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + data, + data_len); + } + Hacl_Hash_Core_SHA2_finish_384(s, dst1); + 
uint8_t *hash1 = ipad; + Hacl_Hash_Core_SHA2_init_384(s); + if ((uint32_t)48U == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_384(s, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + opad, + (uint32_t)128U); + } + else + { + Hacl_Hash_SHA2_update_multi_384(s, opad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_384(s, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + hash1, + (uint32_t)48U); + } + Hacl_Hash_Core_SHA2_finish_384(s, dst); +} + +void +Hacl_HMAC_compute_sha2_512( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)128U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t key_block[l]; + memset(key_block, 0U, l * sizeof (uint8_t)); + uint32_t i0; + if (key_len <= (uint32_t)128U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)64U; + } + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)128U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_SHA2_hash_512(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t ipad[l]; + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t opad[l]; + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + uint64_t + scrut[8U] = + { + (uint64_t)0x6a09e667f3bcc908U, (uint64_t)0xbb67ae8584caa73bU, (uint64_t)0x3c6ef372fe94f82bU, + (uint64_t)0xa54ff53a5f1d36f1U, (uint64_t)0x510e527fade682d1U, (uint64_t)0x9b05688c2b3e6c1fU, + (uint64_t)0x1f83d9abfb41bd6bU, (uint64_t)0x5be0cd19137e2179U + }; + uint64_t *s = scrut; + uint8_t *dst1 = ipad; + Hacl_Hash_Core_SHA2_init_512(s); + if (data_len == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_512(s, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + 
ipad, + (uint32_t)128U); + } + else + { + Hacl_Hash_SHA2_update_multi_512(s, ipad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_512(s, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + data, + data_len); + } + Hacl_Hash_Core_SHA2_finish_512(s, dst1); + uint8_t *hash1 = ipad; + Hacl_Hash_Core_SHA2_init_512(s); + if ((uint32_t)64U == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_512(s, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + opad, + (uint32_t)128U); + } + else + { + Hacl_Hash_SHA2_update_multi_512(s, opad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_512(s, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + hash1, + (uint32_t)64U); + } + Hacl_Hash_Core_SHA2_finish_512(s, dst); +} + +void +Hacl_HMAC_compute_blake2s_32( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)64U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t key_block[l]; + memset(key_block, 0U, l * sizeof (uint8_t)); + uint32_t i0; + if (key_len <= (uint32_t)64U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)32U; + } + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)64U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_Blake2_hash_blake2s_32(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t ipad[l]; + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t opad[l]; + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + uint32_t s[16U] = { 0U }; + uint32_t *r00 = s + (uint32_t)0U * (uint32_t)4U; + uint32_t *r10 = s + (uint32_t)1U * (uint32_t)4U; + uint32_t *r20 = s + (uint32_t)2U * (uint32_t)4U; + uint32_t *r30 = s + (uint32_t)3U * 
(uint32_t)4U; + uint32_t iv00 = Hacl_Impl_Blake2_Constants_ivTable_S[0U]; + uint32_t iv10 = Hacl_Impl_Blake2_Constants_ivTable_S[1U]; + uint32_t iv20 = Hacl_Impl_Blake2_Constants_ivTable_S[2U]; + uint32_t iv30 = Hacl_Impl_Blake2_Constants_ivTable_S[3U]; + uint32_t iv40 = Hacl_Impl_Blake2_Constants_ivTable_S[4U]; + uint32_t iv50 = Hacl_Impl_Blake2_Constants_ivTable_S[5U]; + uint32_t iv60 = Hacl_Impl_Blake2_Constants_ivTable_S[6U]; + uint32_t iv70 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; + r20[0U] = iv00; + r20[1U] = iv10; + r20[2U] = iv20; + r20[3U] = iv30; + r30[0U] = iv40; + r30[1U] = iv50; + r30[2U] = iv60; + r30[3U] = iv70; + uint32_t kk_shift_80 = (uint32_t)0U; + uint32_t iv0_ = iv00 ^ ((uint32_t)0x01010000U ^ (kk_shift_80 ^ (uint32_t)32U)); + r00[0U] = iv0_; + r00[1U] = iv10; + r00[2U] = iv20; + r00[3U] = iv30; + r10[0U] = iv40; + r10[1U] = iv50; + r10[2U] = iv60; + r10[3U] = iv70; + uint64_t es = (uint64_t)0U; + K____uint32_t__uint64_t scrut = { .fst = s, .snd = es }; + uint32_t *s0 = scrut.fst; + uint8_t *dst1 = ipad; + uint32_t *r01 = s0 + (uint32_t)0U * (uint32_t)4U; + uint32_t *r11 = s0 + (uint32_t)1U * (uint32_t)4U; + uint32_t *r21 = s0 + (uint32_t)2U * (uint32_t)4U; + uint32_t *r31 = s0 + (uint32_t)3U * (uint32_t)4U; + uint32_t iv01 = Hacl_Impl_Blake2_Constants_ivTable_S[0U]; + uint32_t iv11 = Hacl_Impl_Blake2_Constants_ivTable_S[1U]; + uint32_t iv21 = Hacl_Impl_Blake2_Constants_ivTable_S[2U]; + uint32_t iv31 = Hacl_Impl_Blake2_Constants_ivTable_S[3U]; + uint32_t iv41 = Hacl_Impl_Blake2_Constants_ivTable_S[4U]; + uint32_t iv51 = Hacl_Impl_Blake2_Constants_ivTable_S[5U]; + uint32_t iv61 = Hacl_Impl_Blake2_Constants_ivTable_S[6U]; + uint32_t iv71 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; + r21[0U] = iv01; + r21[1U] = iv11; + r21[2U] = iv21; + r21[3U] = iv31; + r31[0U] = iv41; + r31[1U] = iv51; + r31[2U] = iv61; + r31[3U] = iv71; + uint32_t kk_shift_81 = (uint32_t)0U; + uint32_t iv0_0 = iv01 ^ ((uint32_t)0x01010000U ^ (kk_shift_81 ^ (uint32_t)32U)); + 
r01[0U] = iv0_0; + r01[1U] = iv11; + r01[2U] = iv21; + r01[3U] = iv31; + r11[0U] = iv41; + r11[1U] = iv51; + r11[2U] = iv61; + r11[3U] = iv71; + uint64_t ev = (uint64_t)0U; + uint64_t ev10; + if (data_len == (uint32_t)0U) + { + uint64_t + ev1 = Hacl_Hash_Blake2_update_last_blake2s_32(s0, ev, (uint64_t)0U, ipad, (uint32_t)64U); + ev10 = ev1; + } + else + { + uint64_t ev1 = Hacl_Hash_Blake2_update_multi_blake2s_32(s0, ev, ipad, (uint32_t)1U); + uint64_t + ev2 = Hacl_Hash_Blake2_update_last_blake2s_32(s0, ev1, (uint64_t)(uint32_t)64U, data, data_len); + ev10 = ev2; + } + Hacl_Hash_Core_Blake2_finish_blake2s_32(s0, ev10, dst1); + uint8_t *hash1 = ipad; + uint32_t *r0 = s0 + (uint32_t)0U * (uint32_t)4U; + uint32_t *r1 = s0 + (uint32_t)1U * (uint32_t)4U; + uint32_t *r2 = s0 + (uint32_t)2U * (uint32_t)4U; + uint32_t *r3 = s0 + (uint32_t)3U * (uint32_t)4U; + uint32_t iv0 = Hacl_Impl_Blake2_Constants_ivTable_S[0U]; + uint32_t iv1 = Hacl_Impl_Blake2_Constants_ivTable_S[1U]; + uint32_t iv2 = Hacl_Impl_Blake2_Constants_ivTable_S[2U]; + uint32_t iv3 = Hacl_Impl_Blake2_Constants_ivTable_S[3U]; + uint32_t iv4 = Hacl_Impl_Blake2_Constants_ivTable_S[4U]; + uint32_t iv5 = Hacl_Impl_Blake2_Constants_ivTable_S[5U]; + uint32_t iv6 = Hacl_Impl_Blake2_Constants_ivTable_S[6U]; + uint32_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + uint32_t kk_shift_8 = (uint32_t)0U; + uint32_t iv0_1 = iv0 ^ ((uint32_t)0x01010000U ^ (kk_shift_8 ^ (uint32_t)32U)); + r0[0U] = iv0_1; + r0[1U] = iv1; + r0[2U] = iv2; + r0[3U] = iv3; + r1[0U] = iv4; + r1[1U] = iv5; + r1[2U] = iv6; + r1[3U] = iv7; + uint64_t ev0 = (uint64_t)0U; + uint64_t ev11; + if ((uint32_t)32U == (uint32_t)0U) + { + uint64_t + ev1 = Hacl_Hash_Blake2_update_last_blake2s_32(s0, ev0, (uint64_t)0U, opad, (uint32_t)64U); + ev11 = ev1; + } + else + { + uint64_t ev1 = Hacl_Hash_Blake2_update_multi_blake2s_32(s0, ev0, 
opad, (uint32_t)1U); + uint64_t + ev2 = + Hacl_Hash_Blake2_update_last_blake2s_32(s0, + ev1, + (uint64_t)(uint32_t)64U, + hash1, + (uint32_t)32U); + ev11 = ev2; + } + Hacl_Hash_Core_Blake2_finish_blake2s_32(s0, ev11, dst); +} + +void +Hacl_HMAC_compute_blake2b_32( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)128U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t key_block[l]; + memset(key_block, 0U, l * sizeof (uint8_t)); + uint32_t i0; + if (key_len <= (uint32_t)128U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)64U; + } + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)128U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_Blake2_hash_blake2b_32(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t ipad[l]; + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t opad[l]; + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + uint64_t s[16U] = { 0U }; + uint64_t *r00 = s + (uint32_t)0U * (uint32_t)4U; + uint64_t *r10 = s + (uint32_t)1U * (uint32_t)4U; + uint64_t *r20 = s + (uint32_t)2U * (uint32_t)4U; + uint64_t *r30 = s + (uint32_t)3U * (uint32_t)4U; + uint64_t iv00 = Hacl_Impl_Blake2_Constants_ivTable_B[0U]; + uint64_t iv10 = Hacl_Impl_Blake2_Constants_ivTable_B[1U]; + uint64_t iv20 = Hacl_Impl_Blake2_Constants_ivTable_B[2U]; + uint64_t iv30 = Hacl_Impl_Blake2_Constants_ivTable_B[3U]; + uint64_t iv40 = Hacl_Impl_Blake2_Constants_ivTable_B[4U]; + uint64_t iv50 = Hacl_Impl_Blake2_Constants_ivTable_B[5U]; + uint64_t iv60 = Hacl_Impl_Blake2_Constants_ivTable_B[6U]; + uint64_t iv70 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; + 
r20[0U] = iv00; + r20[1U] = iv10; + r20[2U] = iv20; + r20[3U] = iv30; + r30[0U] = iv40; + r30[1U] = iv50; + r30[2U] = iv60; + r30[3U] = iv70; + uint64_t kk_shift_80 = (uint64_t)(uint32_t)0U << (uint32_t)8U; + uint64_t iv0_ = iv00 ^ ((uint64_t)0x01010000U ^ (kk_shift_80 ^ (uint64_t)(uint32_t)64U)); + r00[0U] = iv0_; + r00[1U] = iv10; + r00[2U] = iv20; + r00[3U] = iv30; + r10[0U] = iv40; + r10[1U] = iv50; + r10[2U] = iv60; + r10[3U] = iv70; + FStar_UInt128_uint128 es = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + K____uint64_t__FStar_UInt128_uint128 scrut = { .fst = s, .snd = es }; + uint64_t *s0 = scrut.fst; + uint8_t *dst1 = ipad; + uint64_t *r01 = s0 + (uint32_t)0U * (uint32_t)4U; + uint64_t *r11 = s0 + (uint32_t)1U * (uint32_t)4U; + uint64_t *r21 = s0 + (uint32_t)2U * (uint32_t)4U; + uint64_t *r31 = s0 + (uint32_t)3U * (uint32_t)4U; + uint64_t iv01 = Hacl_Impl_Blake2_Constants_ivTable_B[0U]; + uint64_t iv11 = Hacl_Impl_Blake2_Constants_ivTable_B[1U]; + uint64_t iv21 = Hacl_Impl_Blake2_Constants_ivTable_B[2U]; + uint64_t iv31 = Hacl_Impl_Blake2_Constants_ivTable_B[3U]; + uint64_t iv41 = Hacl_Impl_Blake2_Constants_ivTable_B[4U]; + uint64_t iv51 = Hacl_Impl_Blake2_Constants_ivTable_B[5U]; + uint64_t iv61 = Hacl_Impl_Blake2_Constants_ivTable_B[6U]; + uint64_t iv71 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; + r21[0U] = iv01; + r21[1U] = iv11; + r21[2U] = iv21; + r21[3U] = iv31; + r31[0U] = iv41; + r31[1U] = iv51; + r31[2U] = iv61; + r31[3U] = iv71; + uint64_t kk_shift_81 = (uint64_t)(uint32_t)0U << (uint32_t)8U; + uint64_t iv0_0 = iv01 ^ ((uint64_t)0x01010000U ^ (kk_shift_81 ^ (uint64_t)(uint32_t)64U)); + r01[0U] = iv0_0; + r01[1U] = iv11; + r01[2U] = iv21; + r01[3U] = iv31; + r11[0U] = iv41; + r11[1U] = iv51; + r11[2U] = iv61; + r11[3U] = iv71; + FStar_UInt128_uint128 ev = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + FStar_UInt128_uint128 ev10; + if (data_len == (uint32_t)0U) + { + FStar_UInt128_uint128 + ev1 = + Hacl_Hash_Blake2_update_last_blake2b_32(s0, + 
ev, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + ipad, + (uint32_t)128U); + ev10 = ev1; + } + else + { + FStar_UInt128_uint128 + ev1 = Hacl_Hash_Blake2_update_multi_blake2b_32(s0, ev, ipad, (uint32_t)1U); + FStar_UInt128_uint128 + ev2 = + Hacl_Hash_Blake2_update_last_blake2b_32(s0, + ev1, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + data, + data_len); + ev10 = ev2; + } + Hacl_Hash_Core_Blake2_finish_blake2b_32(s0, ev10, dst1); + uint8_t *hash1 = ipad; + uint64_t *r0 = s0 + (uint32_t)0U * (uint32_t)4U; + uint64_t *r1 = s0 + (uint32_t)1U * (uint32_t)4U; + uint64_t *r2 = s0 + (uint32_t)2U * (uint32_t)4U; + uint64_t *r3 = s0 + (uint32_t)3U * (uint32_t)4U; + uint64_t iv0 = Hacl_Impl_Blake2_Constants_ivTable_B[0U]; + uint64_t iv1 = Hacl_Impl_Blake2_Constants_ivTable_B[1U]; + uint64_t iv2 = Hacl_Impl_Blake2_Constants_ivTable_B[2U]; + uint64_t iv3 = Hacl_Impl_Blake2_Constants_ivTable_B[3U]; + uint64_t iv4 = Hacl_Impl_Blake2_Constants_ivTable_B[4U]; + uint64_t iv5 = Hacl_Impl_Blake2_Constants_ivTable_B[5U]; + uint64_t iv6 = Hacl_Impl_Blake2_Constants_ivTable_B[6U]; + uint64_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + uint64_t kk_shift_8 = (uint64_t)(uint32_t)0U << (uint32_t)8U; + uint64_t iv0_1 = iv0 ^ ((uint64_t)0x01010000U ^ (kk_shift_8 ^ (uint64_t)(uint32_t)64U)); + r0[0U] = iv0_1; + r0[1U] = iv1; + r0[2U] = iv2; + r0[3U] = iv3; + r1[0U] = iv4; + r1[1U] = iv5; + r1[2U] = iv6; + r1[3U] = iv7; + FStar_UInt128_uint128 ev0 = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + FStar_UInt128_uint128 ev11; + if ((uint32_t)64U == (uint32_t)0U) + { + FStar_UInt128_uint128 + ev1 = + Hacl_Hash_Blake2_update_last_blake2b_32(s0, + ev0, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + opad, + (uint32_t)128U); + ev11 = ev1; + } + else + { + FStar_UInt128_uint128 + ev1 = Hacl_Hash_Blake2_update_multi_blake2b_32(s0, ev0, opad, 
(uint32_t)1U);
+ FStar_UInt128_uint128
+ ev2 =
+ Hacl_Hash_Blake2_update_last_blake2b_32(s0,
+ ev1,
+ FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U),
+ hash1,
+ (uint32_t)64U);
+ ev11 = ev2;
+ }
+ Hacl_Hash_Core_Blake2_finish_blake2b_32(s0, ev11, dst);
+}
+
diff --git a/src/Hacl_HMAC_DRBG.c b/src/Hacl_HMAC_DRBG.c
new file mode 100644
index 00000000..245ffebc
--- /dev/null
+++ b/src/Hacl_HMAC_DRBG.c
@@ -0,0 +1,1043 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#include "Hacl_HMAC_DRBG.h"
+
+
+
+uint32_t Hacl_HMAC_DRBG_reseed_interval = (uint32_t)1024U;
+
+uint32_t Hacl_HMAC_DRBG_max_output_length = (uint32_t)65536U;
+
+uint32_t Hacl_HMAC_DRBG_max_length = (uint32_t)65536U;
+
+uint32_t Hacl_HMAC_DRBG_max_personalization_string_length = (uint32_t)65536U;
+
+uint32_t Hacl_HMAC_DRBG_max_additional_input_length = (uint32_t)65536U;
+
+uint32_t Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_hash_alg a)
+{
+ switch (a)
+ {
+ case Spec_Hash_Definitions_SHA1:
+ {
+ return (uint32_t)16U;
+ }
+ case Spec_Hash_Definitions_SHA2_256:
+ {
+ return (uint32_t)32U;
+ }
+ case Spec_Hash_Definitions_SHA2_384:
+ {
+ return (uint32_t)32U;
+ }
+ case Spec_Hash_Definitions_SHA2_512:
+ {
+ return (uint32_t)32U;
+ }
+ default:
+ {
+ KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__);
+ KRML_HOST_EXIT(253U);
+ }
+ }
+}
+
+bool
+Hacl_HMAC_DRBG_uu___is_State(Spec_Hash_Definitions_hash_alg a, Hacl_HMAC_DRBG_state projectee)
+{
+ return true;
+}
+
+Hacl_HMAC_DRBG_state Hacl_HMAC_DRBG_create_in(Spec_Hash_Definitions_hash_alg a)
+{
+ uint8_t *k;
+ switch (a)
+ {
+ case Spec_Hash_Definitions_SHA1:
+ {
+ uint8_t *buf = KRML_HOST_CALLOC((uint32_t)20U, sizeof (uint8_t));
+ k = buf;
+ break;
+ }
+ case Spec_Hash_Definitions_SHA2_256:
+ {
+ uint8_t *buf = KRML_HOST_CALLOC((uint32_t)32U, sizeof (uint8_t));
+ k = buf;
+ break;
+ }
+ case Spec_Hash_Definitions_SHA2_384:
+ {
+ uint8_t *buf = KRML_HOST_CALLOC((uint32_t)48U, sizeof (uint8_t));
+ k = buf;
+ break;
+ }
+ case Spec_Hash_Definitions_SHA2_512:
+ {
+ uint8_t *buf = KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t));
+ k = buf;
+ break;
+ }
+ default:
+ {
+ KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__);
+ KRML_HOST_EXIT(253U);
+ }
+ }
+ uint8_t *v;
+ switch (a)
+ {
+ case Spec_Hash_Definitions_SHA1:
+ {
+ uint8_t *buf = KRML_HOST_CALLOC((uint32_t)20U, sizeof (uint8_t));
+ v = buf;
+ break;
+ }
+ case Spec_Hash_Definitions_SHA2_256:
+ {
+
uint8_t *buf = KRML_HOST_CALLOC((uint32_t)32U, sizeof (uint8_t)); + v = buf; + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + uint8_t *buf = KRML_HOST_CALLOC((uint32_t)48U, sizeof (uint8_t)); + v = buf; + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + uint8_t *buf = KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); + v = buf; + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + uint32_t *ctr = KRML_HOST_MALLOC(sizeof (uint32_t)); + ctr[0U] = (uint32_t)1U; + return ((Hacl_HMAC_DRBG_state){ .k = k, .v = v, .reseed_counter = ctr }); +} + +void +Hacl_HMAC_DRBG_instantiate( + Spec_Hash_Definitions_hash_alg a, + Hacl_HMAC_DRBG_state st, + uint32_t entropy_input_len, + uint8_t *entropy_input, + uint32_t nonce_len, + uint8_t *nonce, + uint32_t personalization_string_len, + uint8_t *personalization_string +) +{ + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + KRML_CHECK_SIZE(sizeof (uint8_t), + entropy_input_len + nonce_len + personalization_string_len); + uint8_t seed_material[entropy_input_len + nonce_len + personalization_string_len]; + memset(seed_material, + 0U, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, nonce, nonce_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len + nonce_len, + personalization_string, + personalization_string_len * sizeof (uint8_t)); + uint8_t *k = st.k; + uint8_t *v = st.v; + uint32_t *ctr = st.reseed_counter; + memset(k, 0U, (uint32_t)20U * sizeof (uint8_t)); + memset(v, (uint8_t)1U, (uint32_t)20U * sizeof (uint8_t)); + ctr[0U] = (uint32_t)1U; + uint32_t + input_len = (uint32_t)21U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * 
sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)21U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input0[20U] = (uint8_t)0U; + Hacl_HMAC_legacy_compute_sha1(k_, k, (uint32_t)20U, input0, input_len); + Hacl_HMAC_legacy_compute_sha1(v, k_, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)21U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)21U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input[20U] = (uint8_t)1U; + Hacl_HMAC_legacy_compute_sha1(k_0, k, (uint32_t)20U, input, input_len0); + Hacl_HMAC_legacy_compute_sha1(v, k_0, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_0, (uint32_t)20U * sizeof (uint8_t)); + } + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + KRML_CHECK_SIZE(sizeof (uint8_t), + entropy_input_len + nonce_len + personalization_string_len); + uint8_t seed_material[entropy_input_len + nonce_len + personalization_string_len]; + memset(seed_material, + 0U, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, nonce, nonce_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len + nonce_len, + personalization_string, + 
personalization_string_len * sizeof (uint8_t)); + uint8_t *k = st.k; + uint8_t *v = st.v; + uint32_t *ctr = st.reseed_counter; + memset(k, 0U, (uint32_t)32U * sizeof (uint8_t)); + memset(v, (uint8_t)1U, (uint32_t)32U * sizeof (uint8_t)); + ctr[0U] = (uint32_t)1U; + uint32_t + input_len = (uint32_t)33U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)33U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input0[32U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_256(k_, k, (uint32_t)32U, input0, input_len); + Hacl_HMAC_compute_sha2_256(v, k_, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)33U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)33U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input[32U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_256(k_0, k, (uint32_t)32U, input, input_len0); + Hacl_HMAC_compute_sha2_256(v, k_0, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_0, (uint32_t)32U * sizeof (uint8_t)); + } + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + KRML_CHECK_SIZE(sizeof (uint8_t), + entropy_input_len + nonce_len + 
personalization_string_len); + uint8_t seed_material[entropy_input_len + nonce_len + personalization_string_len]; + memset(seed_material, + 0U, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, nonce, nonce_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len + nonce_len, + personalization_string, + personalization_string_len * sizeof (uint8_t)); + uint8_t *k = st.k; + uint8_t *v = st.v; + uint32_t *ctr = st.reseed_counter; + memset(k, 0U, (uint32_t)48U * sizeof (uint8_t)); + memset(v, (uint8_t)1U, (uint32_t)48U * sizeof (uint8_t)); + ctr[0U] = (uint32_t)1U; + uint32_t + input_len = (uint32_t)49U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)49U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input0[48U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_384(k_, k, (uint32_t)48U, input0, input_len); + Hacl_HMAC_compute_sha2_384(v, k_, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)49U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)49U, + 
seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input[48U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_384(k_0, k, (uint32_t)48U, input, input_len0); + Hacl_HMAC_compute_sha2_384(v, k_0, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_0, (uint32_t)48U * sizeof (uint8_t)); + } + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + KRML_CHECK_SIZE(sizeof (uint8_t), + entropy_input_len + nonce_len + personalization_string_len); + uint8_t seed_material[entropy_input_len + nonce_len + personalization_string_len]; + memset(seed_material, + 0U, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, nonce, nonce_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len + nonce_len, + personalization_string, + personalization_string_len * sizeof (uint8_t)); + uint8_t *k = st.k; + uint8_t *v = st.v; + uint32_t *ctr = st.reseed_counter; + memset(k, 0U, (uint32_t)64U * sizeof (uint8_t)); + memset(v, (uint8_t)1U, (uint32_t)64U * sizeof (uint8_t)); + ctr[0U] = (uint32_t)1U; + uint32_t + input_len = (uint32_t)65U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)65U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input0[64U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_512(k_, k, (uint32_t)64U, input0, input_len); + Hacl_HMAC_compute_sha2_512(v, k_, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + 
personalization_string_len != (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)65U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)65U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input[64U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_512(k_0, k, (uint32_t)64U, input, input_len0); + Hacl_HMAC_compute_sha2_512(v, k_0, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_0, (uint32_t)64U * sizeof (uint8_t)); + } + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +void +Hacl_HMAC_DRBG_reseed( + Spec_Hash_Definitions_hash_alg a, + Hacl_HMAC_DRBG_state st, + uint32_t entropy_input_len, + uint8_t *entropy_input, + uint32_t additional_input_input_len, + uint8_t *additional_input_input +) +{ + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + additional_input_input_len); + uint8_t seed_material[entropy_input_len + additional_input_input_len]; + memset(seed_material, + 0U, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, + additional_input_input, + additional_input_input_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state uu____0 = st; + uint8_t *k = uu____0.k; + uint8_t *v = uu____0.v; + uint32_t *ctr = uu____0.reseed_counter; + uint32_t input_len = (uint32_t)21U + entropy_input_len + additional_input_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + 
memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)21U, + seed_material, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + } + input0[20U] = (uint8_t)0U; + Hacl_HMAC_legacy_compute_sha1(k_, k, (uint32_t)20U, input0, input_len); + Hacl_HMAC_legacy_compute_sha1(v, k_, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)21U + entropy_input_len + additional_input_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)21U, + seed_material, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + } + input[20U] = (uint8_t)1U; + Hacl_HMAC_legacy_compute_sha1(k_0, k, (uint32_t)20U, input, input_len0); + Hacl_HMAC_legacy_compute_sha1(v, k_0, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_0, (uint32_t)20U * sizeof (uint8_t)); + } + ctr[0U] = (uint32_t)1U; + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + additional_input_input_len); + uint8_t seed_material[entropy_input_len + additional_input_input_len]; + memset(seed_material, + 0U, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, + additional_input_input, + additional_input_input_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state uu____1 = st; + uint8_t *k = uu____1.k; + uint8_t *v = uu____1.v; + uint32_t *ctr = 
uu____1.reseed_counter; + uint32_t input_len = (uint32_t)33U + entropy_input_len + additional_input_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)33U, + seed_material, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + } + input0[32U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_256(k_, k, (uint32_t)32U, input0, input_len); + Hacl_HMAC_compute_sha2_256(v, k_, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)33U + entropy_input_len + additional_input_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)33U, + seed_material, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + } + input[32U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_256(k_0, k, (uint32_t)32U, input, input_len0); + Hacl_HMAC_compute_sha2_256(v, k_0, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_0, (uint32_t)32U * sizeof (uint8_t)); + } + ctr[0U] = (uint32_t)1U; + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + additional_input_input_len); + uint8_t seed_material[entropy_input_len + additional_input_input_len]; + memset(seed_material, + 0U, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, + 
additional_input_input, + additional_input_input_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state uu____2 = st; + uint8_t *k = uu____2.k; + uint8_t *v = uu____2.v; + uint32_t *ctr = uu____2.reseed_counter; + uint32_t input_len = (uint32_t)49U + entropy_input_len + additional_input_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)49U, + seed_material, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + } + input0[48U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_384(k_, k, (uint32_t)48U, input0, input_len); + Hacl_HMAC_compute_sha2_384(v, k_, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)49U + entropy_input_len + additional_input_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)49U, + seed_material, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + } + input[48U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_384(k_0, k, (uint32_t)48U, input, input_len0); + Hacl_HMAC_compute_sha2_384(v, k_0, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_0, (uint32_t)48U * sizeof (uint8_t)); + } + ctr[0U] = (uint32_t)1U; + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + additional_input_input_len); + uint8_t seed_material[entropy_input_len + additional_input_input_len]; + memset(seed_material, + 0U, + 
(entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, + additional_input_input, + additional_input_input_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state uu____3 = st; + uint8_t *k = uu____3.k; + uint8_t *v = uu____3.v; + uint32_t *ctr = uu____3.reseed_counter; + uint32_t input_len = (uint32_t)65U + entropy_input_len + additional_input_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)65U, + seed_material, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + } + input0[64U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_512(k_, k, (uint32_t)64U, input0, input_len); + Hacl_HMAC_compute_sha2_512(v, k_, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)65U + entropy_input_len + additional_input_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)65U, + seed_material, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + } + input[64U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_512(k_0, k, (uint32_t)64U, input, input_len0); + Hacl_HMAC_compute_sha2_512(v, k_0, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_0, (uint32_t)64U * sizeof (uint8_t)); + } + ctr[0U] = (uint32_t)1U; + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete 
match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +bool +Hacl_HMAC_DRBG_generate( + Spec_Hash_Definitions_hash_alg a, + uint8_t *output, + Hacl_HMAC_DRBG_state st, + uint32_t n, + uint32_t additional_input_len, + uint8_t *additional_input +) +{ + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + if (st.reseed_counter[0U] > Hacl_HMAC_DRBG_reseed_interval) + { + return false; + } + uint8_t *k = st.k; + uint8_t *v = st.v; + uint32_t *ctr = st.reseed_counter; + if (additional_input_len > (uint32_t)0U) + { + uint32_t input_len = (uint32_t)21U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)21U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input0[20U] = (uint8_t)0U; + Hacl_HMAC_legacy_compute_sha1(k_, k, (uint32_t)20U, input0, input_len); + Hacl_HMAC_legacy_compute_sha1(v, k_, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)21U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)21U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[20U] = (uint8_t)1U; + Hacl_HMAC_legacy_compute_sha1(k_0, k, (uint32_t)20U, input, input_len0); + Hacl_HMAC_legacy_compute_sha1(v, k_0, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_0, (uint32_t)20U * sizeof (uint8_t)); + } + } + uint8_t *output1 = output; + uint32_t max = n / (uint32_t)20U; + uint8_t *out = output1; + for (uint32_t i = 
(uint32_t)0U; i < max; i++) + { + Hacl_HMAC_legacy_compute_sha1(v, k, (uint32_t)20U, v, (uint32_t)20U); + memcpy(out + i * (uint32_t)20U, v, (uint32_t)20U * sizeof (uint8_t)); + } + if (max * (uint32_t)20U < n) + { + uint8_t *block = output1 + max * (uint32_t)20U; + Hacl_HMAC_legacy_compute_sha1(v, k, (uint32_t)20U, v, (uint32_t)20U); + memcpy(block, v, (n - max * (uint32_t)20U) * sizeof (uint8_t)); + } + uint32_t input_len = (uint32_t)21U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)21U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input0[20U] = (uint8_t)0U; + Hacl_HMAC_legacy_compute_sha1(k_, k, (uint32_t)20U, input0, input_len); + Hacl_HMAC_legacy_compute_sha1(v, k_, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)21U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)21U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[20U] = (uint8_t)1U; + Hacl_HMAC_legacy_compute_sha1(k_0, k, (uint32_t)20U, input, input_len0); + Hacl_HMAC_legacy_compute_sha1(v, k_0, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_0, (uint32_t)20U * sizeof (uint8_t)); + } + uint32_t old_ctr = ctr[0U]; + ctr[0U] = old_ctr + (uint32_t)1U; + return true; + } + case Spec_Hash_Definitions_SHA2_256: + { + if (st.reseed_counter[0U] > Hacl_HMAC_DRBG_reseed_interval) + { + return false; + } + uint8_t *k = st.k; + uint8_t *v = st.v; + 
uint32_t *ctr = st.reseed_counter; + if (additional_input_len > (uint32_t)0U) + { + uint32_t input_len = (uint32_t)33U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)33U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input0[32U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_256(k_, k, (uint32_t)32U, input0, input_len); + Hacl_HMAC_compute_sha2_256(v, k_, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)33U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)33U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[32U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_256(k_0, k, (uint32_t)32U, input, input_len0); + Hacl_HMAC_compute_sha2_256(v, k_0, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_0, (uint32_t)32U * sizeof (uint8_t)); + } + } + uint8_t *output1 = output; + uint32_t max = n / (uint32_t)32U; + uint8_t *out = output1; + for (uint32_t i = (uint32_t)0U; i < max; i++) + { + Hacl_HMAC_compute_sha2_256(v, k, (uint32_t)32U, v, (uint32_t)32U); + memcpy(out + i * (uint32_t)32U, v, (uint32_t)32U * sizeof (uint8_t)); + } + if (max * (uint32_t)32U < n) + { + uint8_t *block = output1 + max * (uint32_t)32U; + Hacl_HMAC_compute_sha2_256(v, k, (uint32_t)32U, v, (uint32_t)32U); + memcpy(block, v, (n - max * (uint32_t)32U) * sizeof (uint8_t)); + } + uint32_t input_len = (uint32_t)33U + additional_input_len; + 
KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)33U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input0[32U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_256(k_, k, (uint32_t)32U, input0, input_len); + Hacl_HMAC_compute_sha2_256(v, k_, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)33U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)33U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[32U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_256(k_0, k, (uint32_t)32U, input, input_len0); + Hacl_HMAC_compute_sha2_256(v, k_0, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_0, (uint32_t)32U * sizeof (uint8_t)); + } + uint32_t old_ctr = ctr[0U]; + ctr[0U] = old_ctr + (uint32_t)1U; + return true; + } + case Spec_Hash_Definitions_SHA2_384: + { + if (st.reseed_counter[0U] > Hacl_HMAC_DRBG_reseed_interval) + { + return false; + } + uint8_t *k = st.k; + uint8_t *v = st.v; + uint32_t *ctr = st.reseed_counter; + if (additional_input_len > (uint32_t)0U) + { + uint32_t input_len = (uint32_t)49U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)49U, + additional_input, + additional_input_len * sizeof 
(uint8_t)); + } + input0[48U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_384(k_, k, (uint32_t)48U, input0, input_len); + Hacl_HMAC_compute_sha2_384(v, k_, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)49U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)49U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[48U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_384(k_0, k, (uint32_t)48U, input, input_len0); + Hacl_HMAC_compute_sha2_384(v, k_0, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_0, (uint32_t)48U * sizeof (uint8_t)); + } + } + uint8_t *output1 = output; + uint32_t max = n / (uint32_t)48U; + uint8_t *out = output1; + for (uint32_t i = (uint32_t)0U; i < max; i++) + { + Hacl_HMAC_compute_sha2_384(v, k, (uint32_t)48U, v, (uint32_t)48U); + memcpy(out + i * (uint32_t)48U, v, (uint32_t)48U * sizeof (uint8_t)); + } + if (max * (uint32_t)48U < n) + { + uint8_t *block = output1 + max * (uint32_t)48U; + Hacl_HMAC_compute_sha2_384(v, k, (uint32_t)48U, v, (uint32_t)48U); + memcpy(block, v, (n - max * (uint32_t)48U) * sizeof (uint8_t)); + } + uint32_t input_len = (uint32_t)49U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)49U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input0[48U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_384(k_, k, (uint32_t)48U, input0, input_len); + Hacl_HMAC_compute_sha2_384(v, k_, 
(uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)49U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)49U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[48U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_384(k_0, k, (uint32_t)48U, input, input_len0); + Hacl_HMAC_compute_sha2_384(v, k_0, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_0, (uint32_t)48U * sizeof (uint8_t)); + } + uint32_t old_ctr = ctr[0U]; + ctr[0U] = old_ctr + (uint32_t)1U; + return true; + } + case Spec_Hash_Definitions_SHA2_512: + { + if (st.reseed_counter[0U] > Hacl_HMAC_DRBG_reseed_interval) + { + return false; + } + uint8_t *k = st.k; + uint8_t *v = st.v; + uint32_t *ctr = st.reseed_counter; + if (additional_input_len > (uint32_t)0U) + { + uint32_t input_len = (uint32_t)65U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)65U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input0[64U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_512(k_, k, (uint32_t)64U, input0, input_len); + Hacl_HMAC_compute_sha2_512(v, k_, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)65U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + 
uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)65U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[64U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_512(k_0, k, (uint32_t)64U, input, input_len0); + Hacl_HMAC_compute_sha2_512(v, k_0, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_0, (uint32_t)64U * sizeof (uint8_t)); + } + } + uint8_t *output1 = output; + uint32_t max = n / (uint32_t)64U; + uint8_t *out = output1; + for (uint32_t i = (uint32_t)0U; i < max; i++) + { + Hacl_HMAC_compute_sha2_512(v, k, (uint32_t)64U, v, (uint32_t)64U); + memcpy(out + i * (uint32_t)64U, v, (uint32_t)64U * sizeof (uint8_t)); + } + if (max * (uint32_t)64U < n) + { + uint8_t *block = output1 + max * (uint32_t)64U; + Hacl_HMAC_compute_sha2_512(v, k, (uint32_t)64U, v, (uint32_t)64U); + memcpy(block, v, (n - max * (uint32_t)64U) * sizeof (uint8_t)); + } + uint32_t input_len = (uint32_t)65U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)65U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input0[64U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_512(k_, k, (uint32_t)64U, input0, input_len); + Hacl_HMAC_compute_sha2_512(v, k_, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)65U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)65U, + 
additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[64U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_512(k_0, k, (uint32_t)64U, input, input_len0); + Hacl_HMAC_compute_sha2_512(v, k_0, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_0, (uint32_t)64U * sizeof (uint8_t)); + } + uint32_t old_ctr = ctr[0U]; + ctr[0U] = old_ctr + (uint32_t)1U; + return true; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + diff --git a/src/Hacl_Hash_Base.c b/src/Hacl_Hash_Base.c new file mode 100644 index 00000000..b6516a11 --- /dev/null +++ b/src/Hacl_Hash_Base.c 
@@ -0,0 +1,204 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Hash_Base.h" + + + +uint32_t Hacl_Hash_Definitions_word_len(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + return (uint32_t)4U; + } + case Spec_Hash_Definitions_SHA1: + { + return (uint32_t)4U; + } + case Spec_Hash_Definitions_SHA2_224: + { + return (uint32_t)4U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return (uint32_t)4U; + } + case Spec_Hash_Definitions_SHA2_384: + { + return (uint32_t)8U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return (uint32_t)8U; + } + case Spec_Hash_Definitions_Blake2S: + { + return (uint32_t)4U; + } + case Spec_Hash_Definitions_Blake2B: + { + return (uint32_t)8U; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +uint32_t Hacl_Hash_Definitions_block_len(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_SHA1: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_SHA2_224: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_SHA2_384: + { + return (uint32_t)128U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return (uint32_t)128U; + } + case Spec_Hash_Definitions_Blake2S: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_Blake2B: + { + return (uint32_t)128U; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +uint32_t Hacl_Hash_Definitions_hash_word_len(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + return (uint32_t)4U; + } + case Spec_Hash_Definitions_SHA1: + { + return (uint32_t)5U; + } + case Spec_Hash_Definitions_SHA2_224: + { + return (uint32_t)7U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return (uint32_t)8U; + } + case 
Spec_Hash_Definitions_SHA2_384: + { + return (uint32_t)6U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return (uint32_t)8U; + } + case Spec_Hash_Definitions_Blake2S: + { + return (uint32_t)8U; + } + case Spec_Hash_Definitions_Blake2B: + { + return (uint32_t)8U; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +uint32_t Hacl_Hash_Definitions_hash_len(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + return (uint32_t)16U; + } + case Spec_Hash_Definitions_SHA1: + { + return (uint32_t)20U; + } + case Spec_Hash_Definitions_SHA2_224: + { + return (uint32_t)28U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_SHA2_384: + { + return (uint32_t)48U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_Blake2S: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_Blake2B: + { + return (uint32_t)64U; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + diff --git a/src/Hacl_Hash_Blake2.c b/src/Hacl_Hash_Blake2.c new file mode 100644 index 00000000..5393b87a --- /dev/null +++ b/src/Hacl_Hash_Blake2.c 
@@ -0,0 +1,3056 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Hash_Blake2.h" + +#include "internal/Hacl_Kremlib.h" + +uint64_t Hacl_Hash_Core_Blake2_update_blake2s_32(uint32_t *s, uint64_t totlen, uint8_t *block) +{ + uint32_t wv[16U] = { 0U }; + uint64_t totlen1 = totlen + (uint64_t)(uint32_t)64U; + uint32_t m_w[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = m_w; + uint8_t *bj = block + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + uint32_t mask[4U] = { 0U }; + uint32_t wv_14 = (uint32_t)0U; + uint32_t wv_15 = (uint32_t)0U; + mask[0U] = (uint32_t)totlen1; + mask[1U] = (uint32_t)(totlen1 >> (uint32_t)32U); + mask[2U] = wv_14; + mask[3U] = wv_15; + memcpy(wv, s, (uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + uint32_t *wv3 = wv + (uint32_t)3U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv3; + uint32_t x = wv3[i] ^ mask[i]; + os[i] = x; + } + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)10U; i0++) + { + uint32_t start_idx = i0 % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * (uint32_t)4U); + uint32_t m_st[(uint32_t)4U * (uint32_t)4U]; + memset(m_st, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + uint32_t *r0 = m_st + (uint32_t)0U * (uint32_t)4U; + uint32_t *r1 = m_st + (uint32_t)1U * (uint32_t)4U; + uint32_t *r20 = m_st + (uint32_t)2U * (uint32_t)4U; + uint32_t *r30 = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = 
Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + uint32_t uu____0 = m_w[s2]; + uint32_t uu____1 = m_w[s4]; + uint32_t uu____2 = m_w[s6]; + r0[0U] = m_w[s0]; + r0[1U] = uu____0; + r0[2U] = uu____1; + r0[3U] = uu____2; + uint32_t uu____3 = m_w[s3]; + uint32_t uu____4 = m_w[s5]; + uint32_t uu____5 = m_w[s7]; + r1[0U] = m_w[s1]; + r1[1U] = uu____3; + r1[2U] = uu____4; + r1[3U] = uu____5; + uint32_t uu____6 = m_w[s10]; + uint32_t uu____7 = m_w[s12]; + uint32_t uu____8 = m_w[s14]; + r20[0U] = m_w[s8]; + r20[1U] = uu____6; + r20[2U] = uu____7; + r20[3U] = uu____8; + uint32_t uu____9 = m_w[s11]; + uint32_t uu____10 = m_w[s13]; + uint32_t uu____11 = m_w[s15]; + r30[0U] = m_w[s9]; + r30[1U] = uu____9; + r30[2U] = uu____10; + r30[3U] = uu____11; + uint32_t *x = m_st + (uint32_t)0U * (uint32_t)4U; + uint32_t *y = m_st + (uint32_t)1U * (uint32_t)4U; + uint32_t *z = m_st + (uint32_t)2U * (uint32_t)4U; + uint32_t *w = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d0 = (uint32_t)3U; + uint32_t *wv_a0 = wv + a * (uint32_t)4U; + uint32_t *wv_b0 = wv + b0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = 
wv_a0; + uint32_t x1 = wv_a0[i] + wv_b0[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a0; + uint32_t x1 = wv_a0[i] + x[i]; + os[i] = x1; + } + uint32_t *wv_a1 = wv + d0 * (uint32_t)4U; + uint32_t *wv_b1 = wv + a * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a1; + uint32_t x1 = wv_a1[i] ^ wv_b1[i]; + os[i] = x1; + } + uint32_t *r10 = wv_a1; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r10; + uint32_t x1 = r10[i]; + uint32_t x10 = x1 >> (uint32_t)16U | x1 << (uint32_t)16U; + os[i] = x10; + } + uint32_t *wv_a2 = wv + c0 * (uint32_t)4U; + uint32_t *wv_b2 = wv + d0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a2; + uint32_t x1 = wv_a2[i] + wv_b2[i]; + os[i] = x1; + } + uint32_t *wv_a3 = wv + b0 * (uint32_t)4U; + uint32_t *wv_b3 = wv + c0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a3; + uint32_t x1 = wv_a3[i] ^ wv_b3[i]; + os[i] = x1; + } + uint32_t *r12 = wv_a3; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r12; + uint32_t x1 = r12[i]; + uint32_t x10 = x1 >> (uint32_t)12U | x1 << (uint32_t)20U; + os[i] = x10; + } + uint32_t *wv_a4 = wv + a * (uint32_t)4U; + uint32_t *wv_b4 = wv + b0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a4; + uint32_t x1 = wv_a4[i] + wv_b4[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a4; + uint32_t x1 = wv_a4[i] + y[i]; + os[i] = x1; + } + uint32_t *wv_a5 = wv + d0 * (uint32_t)4U; + uint32_t *wv_b5 = wv + a * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a5; + uint32_t x1 = wv_a5[i] ^ wv_b5[i]; + os[i] = x1; + } + uint32_t *r13 = wv_a5; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = 
r13; + uint32_t x1 = r13[i]; + uint32_t x10 = x1 >> (uint32_t)8U | x1 << (uint32_t)24U; + os[i] = x10; + } + uint32_t *wv_a6 = wv + c0 * (uint32_t)4U; + uint32_t *wv_b6 = wv + d0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a6; + uint32_t x1 = wv_a6[i] + wv_b6[i]; + os[i] = x1; + } + uint32_t *wv_a7 = wv + b0 * (uint32_t)4U; + uint32_t *wv_b7 = wv + c0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a7; + uint32_t x1 = wv_a7[i] ^ wv_b7[i]; + os[i] = x1; + } + uint32_t *r14 = wv_a7; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r14; + uint32_t x1 = r14[i]; + uint32_t x10 = x1 >> (uint32_t)7U | x1 << (uint32_t)25U; + os[i] = x10; + } + uint32_t *r15 = wv + (uint32_t)1U * (uint32_t)4U; + uint32_t *r21 = wv + (uint32_t)2U * (uint32_t)4U; + uint32_t *r31 = wv + (uint32_t)3U * (uint32_t)4U; + uint32_t *r110 = r15; + uint32_t x00 = r110[1U]; + uint32_t x10 = r110[((uint32_t)1U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x20 = r110[((uint32_t)1U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x30 = r110[((uint32_t)1U + (uint32_t)3U) % (uint32_t)4U]; + r110[0U] = x00; + r110[1U] = x10; + r110[2U] = x20; + r110[3U] = x30; + uint32_t *r111 = r21; + uint32_t x01 = r111[2U]; + uint32_t x11 = r111[((uint32_t)2U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x21 = r111[((uint32_t)2U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x31 = r111[((uint32_t)2U + (uint32_t)3U) % (uint32_t)4U]; + r111[0U] = x01; + r111[1U] = x11; + r111[2U] = x21; + r111[3U] = x31; + uint32_t *r112 = r31; + uint32_t x02 = r112[3U]; + uint32_t x12 = r112[((uint32_t)3U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x22 = r112[((uint32_t)3U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x32 = r112[((uint32_t)3U + (uint32_t)3U) % (uint32_t)4U]; + r112[0U] = x02; + r112[1U] = x12; + r112[2U] = x22; + r112[3U] = x32; + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = 
(uint32_t)2U; + uint32_t d = (uint32_t)3U; + uint32_t *wv_a = wv + a0 * (uint32_t)4U; + uint32_t *wv_b8 = wv + b * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a; + uint32_t x1 = wv_a[i] + wv_b8[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a; + uint32_t x1 = wv_a[i] + z[i]; + os[i] = x1; + } + uint32_t *wv_a8 = wv + d * (uint32_t)4U; + uint32_t *wv_b9 = wv + a0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a8; + uint32_t x1 = wv_a8[i] ^ wv_b9[i]; + os[i] = x1; + } + uint32_t *r16 = wv_a8; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r16; + uint32_t x1 = r16[i]; + uint32_t x13 = x1 >> (uint32_t)16U | x1 << (uint32_t)16U; + os[i] = x13; + } + uint32_t *wv_a9 = wv + c * (uint32_t)4U; + uint32_t *wv_b10 = wv + d * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a9; + uint32_t x1 = wv_a9[i] + wv_b10[i]; + os[i] = x1; + } + uint32_t *wv_a10 = wv + b * (uint32_t)4U; + uint32_t *wv_b11 = wv + c * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a10; + uint32_t x1 = wv_a10[i] ^ wv_b11[i]; + os[i] = x1; + } + uint32_t *r17 = wv_a10; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r17; + uint32_t x1 = r17[i]; + uint32_t x13 = x1 >> (uint32_t)12U | x1 << (uint32_t)20U; + os[i] = x13; + } + uint32_t *wv_a11 = wv + a0 * (uint32_t)4U; + uint32_t *wv_b12 = wv + b * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a11; + uint32_t x1 = wv_a11[i] + wv_b12[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a11; + uint32_t x1 = wv_a11[i] + w[i]; + os[i] = x1; + } + uint32_t *wv_a12 = wv + d * (uint32_t)4U; + uint32_t *wv_b13 = wv + a0 * (uint32_t)4U; + for (uint32_t i = 
(uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a12; + uint32_t x1 = wv_a12[i] ^ wv_b13[i]; + os[i] = x1; + } + uint32_t *r18 = wv_a12; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r18; + uint32_t x1 = r18[i]; + uint32_t x13 = x1 >> (uint32_t)8U | x1 << (uint32_t)24U; + os[i] = x13; + } + uint32_t *wv_a13 = wv + c * (uint32_t)4U; + uint32_t *wv_b14 = wv + d * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a13; + uint32_t x1 = wv_a13[i] + wv_b14[i]; + os[i] = x1; + } + uint32_t *wv_a14 = wv + b * (uint32_t)4U; + uint32_t *wv_b = wv + c * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a14; + uint32_t x1 = wv_a14[i] ^ wv_b[i]; + os[i] = x1; + } + uint32_t *r19 = wv_a14; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r19; + uint32_t x1 = r19[i]; + uint32_t x13 = x1 >> (uint32_t)7U | x1 << (uint32_t)25U; + os[i] = x13; + } + uint32_t *r113 = wv + (uint32_t)1U * (uint32_t)4U; + uint32_t *r2 = wv + (uint32_t)2U * (uint32_t)4U; + uint32_t *r3 = wv + (uint32_t)3U * (uint32_t)4U; + uint32_t *r11 = r113; + uint32_t x03 = r11[3U]; + uint32_t x13 = r11[((uint32_t)3U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x23 = r11[((uint32_t)3U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x33 = r11[((uint32_t)3U + (uint32_t)3U) % (uint32_t)4U]; + r11[0U] = x03; + r11[1U] = x13; + r11[2U] = x23; + r11[3U] = x33; + uint32_t *r114 = r2; + uint32_t x04 = r114[2U]; + uint32_t x14 = r114[((uint32_t)2U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x24 = r114[((uint32_t)2U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x34 = r114[((uint32_t)2U + (uint32_t)3U) % (uint32_t)4U]; + r114[0U] = x04; + r114[1U] = x14; + r114[2U] = x24; + r114[3U] = x34; + uint32_t *r115 = r3; + uint32_t x0 = r115[1U]; + uint32_t x1 = r115[((uint32_t)1U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x2 = r115[((uint32_t)1U + (uint32_t)2U) % (uint32_t)4U]; + 
uint32_t x3 = r115[((uint32_t)1U + (uint32_t)3U) % (uint32_t)4U]; + r115[0U] = x0; + r115[1U] = x1; + r115[2U] = x2; + r115[3U] = x3; + } + uint32_t *s0 = s + (uint32_t)0U * (uint32_t)4U; + uint32_t *s1 = s + (uint32_t)1U * (uint32_t)4U; + uint32_t *r0 = wv + (uint32_t)0U * (uint32_t)4U; + uint32_t *r1 = wv + (uint32_t)1U * (uint32_t)4U; + uint32_t *r2 = wv + (uint32_t)2U * (uint32_t)4U; + uint32_t *r3 = wv + (uint32_t)3U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s0; + uint32_t x = s0[i] ^ r0[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s0; + uint32_t x = s0[i] ^ r2[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s1; + uint32_t x = s1[i] ^ r1[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s1; + uint32_t x = s1[i] ^ r3[i]; + os[i] = x; + } + return totlen1; +} + +void Hacl_Hash_Core_Blake2_finish_blake2s_32(uint32_t *s, uint64_t ev, uint8_t *dst) +{ + uint32_t double_row = (uint32_t)2U * ((uint32_t)4U * (uint32_t)4U); + KRML_CHECK_SIZE(sizeof (uint8_t), double_row); + uint8_t b[double_row]; + memset(b, 0U, double_row * sizeof (uint8_t)); + uint8_t *first = b; + uint8_t *second = b + (uint32_t)4U * (uint32_t)4U; + uint32_t *row0 = s + (uint32_t)0U * (uint32_t)4U; + uint32_t *row1 = s + (uint32_t)1U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store32_le(first + i * (uint32_t)4U, row0[i]); + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store32_le(second + i * (uint32_t)4U, row1[i]); + } + uint8_t *final = b; + memcpy(dst, final, (uint32_t)32U * sizeof (uint8_t)); + Lib_Memzero0_memzero(b, double_row * sizeof (b[0U])); +} + +FStar_UInt128_uint128 +Hacl_Hash_Core_Blake2_update_blake2b_32( + uint64_t *s, + FStar_UInt128_uint128 totlen, + uint8_t *block +) +{ + uint64_t wv[16U] = { 0U }; + FStar_UInt128_uint128 + 
totlen1 = + FStar_UInt128_add_mod(totlen, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U)); + uint64_t m_w[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t *os = m_w; + uint8_t *bj = block + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + uint64_t mask[4U] = { 0U }; + uint64_t wv_14 = (uint64_t)0U; + uint64_t wv_15 = (uint64_t)0U; + mask[0U] = FStar_UInt128_uint128_to_uint64(totlen1); + mask[1U] = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(totlen1, (uint32_t)64U)); + mask[2U] = wv_14; + mask[3U] = wv_15; + memcpy(wv, s, (uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + uint64_t *wv3 = wv + (uint32_t)3U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv3; + uint64_t x = wv3[i] ^ mask[i]; + os[i] = x; + } + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)12U; i0++) + { + uint32_t start_idx = i0 % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * (uint32_t)4U); + uint64_t m_st[(uint32_t)4U * (uint32_t)4U]; + memset(m_st, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + uint64_t *r0 = m_st + (uint32_t)0U * (uint32_t)4U; + uint64_t *r1 = m_st + (uint32_t)1U * (uint32_t)4U; + uint64_t *r20 = m_st + (uint32_t)2U * (uint32_t)4U; + uint64_t *r30 = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = 
Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + uint64_t uu____0 = m_w[s2]; + uint64_t uu____1 = m_w[s4]; + uint64_t uu____2 = m_w[s6]; + r0[0U] = m_w[s0]; + r0[1U] = uu____0; + r0[2U] = uu____1; + r0[3U] = uu____2; + uint64_t uu____3 = m_w[s3]; + uint64_t uu____4 = m_w[s5]; + uint64_t uu____5 = m_w[s7]; + r1[0U] = m_w[s1]; + r1[1U] = uu____3; + r1[2U] = uu____4; + r1[3U] = uu____5; + uint64_t uu____6 = m_w[s10]; + uint64_t uu____7 = m_w[s12]; + uint64_t uu____8 = m_w[s14]; + r20[0U] = m_w[s8]; + r20[1U] = uu____6; + r20[2U] = uu____7; + r20[3U] = uu____8; + uint64_t uu____9 = m_w[s11]; + uint64_t uu____10 = m_w[s13]; + uint64_t uu____11 = m_w[s15]; + r30[0U] = m_w[s9]; + r30[1U] = uu____9; + r30[2U] = uu____10; + r30[3U] = uu____11; + uint64_t *x = m_st + (uint32_t)0U * (uint32_t)4U; + uint64_t *y = m_st + (uint32_t)1U * (uint32_t)4U; + uint64_t *z = m_st + (uint32_t)2U * (uint32_t)4U; + uint64_t *w = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d0 = (uint32_t)3U; + uint64_t *wv_a0 = wv + a * (uint32_t)4U; + uint64_t *wv_b0 = wv + b0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a0; + uint64_t x1 = wv_a0[i] + wv_b0[i]; + os[i] = x1; + } + for (uint32_t i = 
(uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a0; + uint64_t x1 = wv_a0[i] + x[i]; + os[i] = x1; + } + uint64_t *wv_a1 = wv + d0 * (uint32_t)4U; + uint64_t *wv_b1 = wv + a * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a1; + uint64_t x1 = wv_a1[i] ^ wv_b1[i]; + os[i] = x1; + } + uint64_t *r10 = wv_a1; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r10; + uint64_t x1 = r10[i]; + uint64_t x10 = x1 >> (uint32_t)32U | x1 << (uint32_t)32U; + os[i] = x10; + } + uint64_t *wv_a2 = wv + c0 * (uint32_t)4U; + uint64_t *wv_b2 = wv + d0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a2; + uint64_t x1 = wv_a2[i] + wv_b2[i]; + os[i] = x1; + } + uint64_t *wv_a3 = wv + b0 * (uint32_t)4U; + uint64_t *wv_b3 = wv + c0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a3; + uint64_t x1 = wv_a3[i] ^ wv_b3[i]; + os[i] = x1; + } + uint64_t *r12 = wv_a3; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r12; + uint64_t x1 = r12[i]; + uint64_t x10 = x1 >> (uint32_t)24U | x1 << (uint32_t)40U; + os[i] = x10; + } + uint64_t *wv_a4 = wv + a * (uint32_t)4U; + uint64_t *wv_b4 = wv + b0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a4; + uint64_t x1 = wv_a4[i] + wv_b4[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a4; + uint64_t x1 = wv_a4[i] + y[i]; + os[i] = x1; + } + uint64_t *wv_a5 = wv + d0 * (uint32_t)4U; + uint64_t *wv_b5 = wv + a * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a5; + uint64_t x1 = wv_a5[i] ^ wv_b5[i]; + os[i] = x1; + } + uint64_t *r13 = wv_a5; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r13; + uint64_t x1 = r13[i]; + uint64_t x10 = x1 >> (uint32_t)16U | x1 << 
(uint32_t)48U; + os[i] = x10; + } + uint64_t *wv_a6 = wv + c0 * (uint32_t)4U; + uint64_t *wv_b6 = wv + d0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a6; + uint64_t x1 = wv_a6[i] + wv_b6[i]; + os[i] = x1; + } + uint64_t *wv_a7 = wv + b0 * (uint32_t)4U; + uint64_t *wv_b7 = wv + c0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a7; + uint64_t x1 = wv_a7[i] ^ wv_b7[i]; + os[i] = x1; + } + uint64_t *r14 = wv_a7; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r14; + uint64_t x1 = r14[i]; + uint64_t x10 = x1 >> (uint32_t)63U | x1 << (uint32_t)1U; + os[i] = x10; + } + uint64_t *r15 = wv + (uint32_t)1U * (uint32_t)4U; + uint64_t *r21 = wv + (uint32_t)2U * (uint32_t)4U; + uint64_t *r31 = wv + (uint32_t)3U * (uint32_t)4U; + uint64_t *r110 = r15; + uint64_t x00 = r110[1U]; + uint64_t x10 = r110[((uint32_t)1U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x20 = r110[((uint32_t)1U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x30 = r110[((uint32_t)1U + (uint32_t)3U) % (uint32_t)4U]; + r110[0U] = x00; + r110[1U] = x10; + r110[2U] = x20; + r110[3U] = x30; + uint64_t *r111 = r21; + uint64_t x01 = r111[2U]; + uint64_t x11 = r111[((uint32_t)2U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x21 = r111[((uint32_t)2U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x31 = r111[((uint32_t)2U + (uint32_t)3U) % (uint32_t)4U]; + r111[0U] = x01; + r111[1U] = x11; + r111[2U] = x21; + r111[3U] = x31; + uint64_t *r112 = r31; + uint64_t x02 = r112[3U]; + uint64_t x12 = r112[((uint32_t)3U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x22 = r112[((uint32_t)3U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x32 = r112[((uint32_t)3U + (uint32_t)3U) % (uint32_t)4U]; + r112[0U] = x02; + r112[1U] = x12; + r112[2U] = x22; + r112[3U] = x32; + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d = (uint32_t)3U; + uint64_t *wv_a = wv + a0 * 
(uint32_t)4U; + uint64_t *wv_b8 = wv + b * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a; + uint64_t x1 = wv_a[i] + wv_b8[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a; + uint64_t x1 = wv_a[i] + z[i]; + os[i] = x1; + } + uint64_t *wv_a8 = wv + d * (uint32_t)4U; + uint64_t *wv_b9 = wv + a0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a8; + uint64_t x1 = wv_a8[i] ^ wv_b9[i]; + os[i] = x1; + } + uint64_t *r16 = wv_a8; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r16; + uint64_t x1 = r16[i]; + uint64_t x13 = x1 >> (uint32_t)32U | x1 << (uint32_t)32U; + os[i] = x13; + } + uint64_t *wv_a9 = wv + c * (uint32_t)4U; + uint64_t *wv_b10 = wv + d * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a9; + uint64_t x1 = wv_a9[i] + wv_b10[i]; + os[i] = x1; + } + uint64_t *wv_a10 = wv + b * (uint32_t)4U; + uint64_t *wv_b11 = wv + c * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a10; + uint64_t x1 = wv_a10[i] ^ wv_b11[i]; + os[i] = x1; + } + uint64_t *r17 = wv_a10; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r17; + uint64_t x1 = r17[i]; + uint64_t x13 = x1 >> (uint32_t)24U | x1 << (uint32_t)40U; + os[i] = x13; + } + uint64_t *wv_a11 = wv + a0 * (uint32_t)4U; + uint64_t *wv_b12 = wv + b * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a11; + uint64_t x1 = wv_a11[i] + wv_b12[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a11; + uint64_t x1 = wv_a11[i] + w[i]; + os[i] = x1; + } + uint64_t *wv_a12 = wv + d * (uint32_t)4U; + uint64_t *wv_b13 = wv + a0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a12; + uint64_t x1 = 
wv_a12[i] ^ wv_b13[i]; + os[i] = x1; + } + uint64_t *r18 = wv_a12; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r18; + uint64_t x1 = r18[i]; + uint64_t x13 = x1 >> (uint32_t)16U | x1 << (uint32_t)48U; + os[i] = x13; + } + uint64_t *wv_a13 = wv + c * (uint32_t)4U; + uint64_t *wv_b14 = wv + d * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a13; + uint64_t x1 = wv_a13[i] + wv_b14[i]; + os[i] = x1; + } + uint64_t *wv_a14 = wv + b * (uint32_t)4U; + uint64_t *wv_b = wv + c * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a14; + uint64_t x1 = wv_a14[i] ^ wv_b[i]; + os[i] = x1; + } + uint64_t *r19 = wv_a14; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r19; + uint64_t x1 = r19[i]; + uint64_t x13 = x1 >> (uint32_t)63U | x1 << (uint32_t)1U; + os[i] = x13; + } + uint64_t *r113 = wv + (uint32_t)1U * (uint32_t)4U; + uint64_t *r2 = wv + (uint32_t)2U * (uint32_t)4U; + uint64_t *r3 = wv + (uint32_t)3U * (uint32_t)4U; + uint64_t *r11 = r113; + uint64_t x03 = r11[3U]; + uint64_t x13 = r11[((uint32_t)3U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x23 = r11[((uint32_t)3U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x33 = r11[((uint32_t)3U + (uint32_t)3U) % (uint32_t)4U]; + r11[0U] = x03; + r11[1U] = x13; + r11[2U] = x23; + r11[3U] = x33; + uint64_t *r114 = r2; + uint64_t x04 = r114[2U]; + uint64_t x14 = r114[((uint32_t)2U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x24 = r114[((uint32_t)2U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x34 = r114[((uint32_t)2U + (uint32_t)3U) % (uint32_t)4U]; + r114[0U] = x04; + r114[1U] = x14; + r114[2U] = x24; + r114[3U] = x34; + uint64_t *r115 = r3; + uint64_t x0 = r115[1U]; + uint64_t x1 = r115[((uint32_t)1U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x2 = r115[((uint32_t)1U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x3 = r115[((uint32_t)1U + (uint32_t)3U) % (uint32_t)4U]; + r115[0U] = x0; + 
r115[1U] = x1; + r115[2U] = x2; + r115[3U] = x3; + } + uint64_t *s0 = s + (uint32_t)0U * (uint32_t)4U; + uint64_t *s1 = s + (uint32_t)1U * (uint32_t)4U; + uint64_t *r0 = wv + (uint32_t)0U * (uint32_t)4U; + uint64_t *r1 = wv + (uint32_t)1U * (uint32_t)4U; + uint64_t *r2 = wv + (uint32_t)2U * (uint32_t)4U; + uint64_t *r3 = wv + (uint32_t)3U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s0; + uint64_t x = s0[i] ^ r0[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s0; + uint64_t x = s0[i] ^ r2[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s1; + uint64_t x = s1[i] ^ r1[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s1; + uint64_t x = s1[i] ^ r3[i]; + os[i] = x; + } + return totlen1; +} + +void +Hacl_Hash_Core_Blake2_finish_blake2b_32(uint64_t *s, FStar_UInt128_uint128 ev, uint8_t *dst) +{ + uint32_t double_row = (uint32_t)2U * ((uint32_t)4U * (uint32_t)8U); + KRML_CHECK_SIZE(sizeof (uint8_t), double_row); + uint8_t b[double_row]; + memset(b, 0U, double_row * sizeof (uint8_t)); + uint8_t *first = b; + uint8_t *second = b + (uint32_t)4U * (uint32_t)8U; + uint64_t *row0 = s + (uint32_t)0U * (uint32_t)4U; + uint64_t *row1 = s + (uint32_t)1U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store64_le(first + i * (uint32_t)8U, row0[i]); + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store64_le(second + i * (uint32_t)8U, row1[i]); + } + uint8_t *final = b; + memcpy(dst, final, (uint32_t)64U * sizeof (uint8_t)); + Lib_Memzero0_memzero(b, double_row * sizeof (b[0U])); +} + +uint64_t +Hacl_Hash_Blake2_update_multi_blake2s_32( + uint32_t *s, + uint64_t ev, + uint8_t *blocks, + uint32_t n_blocks +) +{ + for (uint32_t i = (uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)64U; + uint8_t *block = blocks + sz * i; + 
uint64_t + v_ = + Hacl_Hash_Core_Blake2_update_blake2s_32(s, + ev + (uint64_t)i * (uint64_t)(uint32_t)64U, + block); + } + return ev + (uint64_t)n_blocks * (uint64_t)(uint32_t)64U; +} + +FStar_UInt128_uint128 +Hacl_Hash_Blake2_update_multi_blake2b_32( + uint64_t *s, + FStar_UInt128_uint128 ev, + uint8_t *blocks, + uint32_t n_blocks +) +{ + for (uint32_t i = (uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)128U; + uint8_t *block = blocks + sz * i; + FStar_UInt128_uint128 + v_ = + Hacl_Hash_Core_Blake2_update_blake2b_32(s, + FStar_UInt128_add_mod(ev, + FStar_UInt128_uint64_to_uint128((uint64_t)i * (uint64_t)(uint32_t)128U)), + block); + } + return + FStar_UInt128_add_mod(ev, + FStar_UInt128_uint64_to_uint128((uint64_t)n_blocks * (uint64_t)(uint32_t)128U)); +} + +uint64_t +Hacl_Hash_Blake2_update_last_blake2s_32( + uint32_t *s, + uint64_t ev, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)64U; + uint32_t blocks_len0 = blocks_n * (uint32_t)64U; + uint32_t rest_len0 = input_len - blocks_len0; + K___uint32_t_uint32_t_uint32_t scrut; + if (rest_len0 == (uint32_t)0U && blocks_n > (uint32_t)0U) + { + uint32_t blocks_n1 = blocks_n - (uint32_t)1U; + uint32_t blocks_len1 = blocks_len0 - (uint32_t)64U; + uint32_t rest_len1 = (uint32_t)64U; + scrut = + ((K___uint32_t_uint32_t_uint32_t){ .fst = blocks_n1, .snd = blocks_len1, .thd = rest_len1 }); + } + else + { + scrut = + ((K___uint32_t_uint32_t_uint32_t){ .fst = blocks_n, .snd = blocks_len0, .thd = rest_len0 }); + } + uint32_t num_blocks0 = scrut.fst; + uint32_t blocks_len = scrut.snd; + uint32_t rest_len1 = scrut.thd; + uint8_t *blocks0 = input; + uint8_t *rest0 = input + blocks_len; + K___uint32_t_uint32_t_uint32_t__uint8_t___uint8_t_ + scrut0 = + { .fst = num_blocks0, .snd = blocks_len, .thd = rest_len1, .f3 = blocks0, .f4 = rest0 }; + uint32_t num_blocks = scrut0.fst; + uint32_t rest_len = scrut0.thd; + uint8_t *blocks = scrut0.f3; + uint8_t *rest = 
scrut0.f4; + uint64_t ev_ = Hacl_Hash_Blake2_update_multi_blake2s_32(s, ev, blocks, num_blocks); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * (uint32_t)4U); + uint32_t wv[(uint32_t)4U * (uint32_t)4U]; + memset(wv, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + uint8_t tmp[64U] = { 0U }; + uint8_t *tmp_rest = tmp; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + uint64_t totlen = ev_ + (uint64_t)rest_len; + uint32_t m_w[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = m_w; + uint8_t *bj = tmp + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + uint32_t mask[4U] = { 0U }; + uint32_t wv_14 = (uint32_t)0xFFFFFFFFU; + uint32_t wv_15 = (uint32_t)0U; + mask[0U] = (uint32_t)totlen; + mask[1U] = (uint32_t)(totlen >> (uint32_t)32U); + mask[2U] = wv_14; + mask[3U] = wv_15; + memcpy(wv, s, (uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + uint32_t *wv3 = wv + (uint32_t)3U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv3; + uint32_t x = wv3[i] ^ mask[i]; + os[i] = x; + } + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)10U; i0++) + { + uint32_t start_idx = i0 % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * (uint32_t)4U); + uint32_t m_st[(uint32_t)4U * (uint32_t)4U]; + memset(m_st, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + uint32_t *r0 = m_st + (uint32_t)0U * (uint32_t)4U; + uint32_t *r1 = m_st + (uint32_t)1U * (uint32_t)4U; + uint32_t *r20 = m_st + (uint32_t)2U * (uint32_t)4U; + uint32_t *r30 = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = 
Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + uint32_t uu____0 = m_w[s2]; + uint32_t uu____1 = m_w[s4]; + uint32_t uu____2 = m_w[s6]; + r0[0U] = m_w[s0]; + r0[1U] = uu____0; + r0[2U] = uu____1; + r0[3U] = uu____2; + uint32_t uu____3 = m_w[s3]; + uint32_t uu____4 = m_w[s5]; + uint32_t uu____5 = m_w[s7]; + r1[0U] = m_w[s1]; + r1[1U] = uu____3; + r1[2U] = uu____4; + r1[3U] = uu____5; + uint32_t uu____6 = m_w[s10]; + uint32_t uu____7 = m_w[s12]; + uint32_t uu____8 = m_w[s14]; + r20[0U] = m_w[s8]; + r20[1U] = uu____6; + r20[2U] = uu____7; + r20[3U] = uu____8; + uint32_t uu____9 = m_w[s11]; + uint32_t uu____10 = m_w[s13]; + uint32_t uu____11 = m_w[s15]; + r30[0U] = m_w[s9]; + r30[1U] = uu____9; + r30[2U] = uu____10; + r30[3U] = uu____11; + uint32_t *x = m_st + (uint32_t)0U * (uint32_t)4U; + uint32_t *y = m_st + (uint32_t)1U * (uint32_t)4U; + uint32_t *z = m_st + (uint32_t)2U * (uint32_t)4U; + uint32_t *w = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d0 = (uint32_t)3U; + 
uint32_t *wv_a0 = wv + a * (uint32_t)4U; + uint32_t *wv_b0 = wv + b0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a0; + uint32_t x1 = wv_a0[i] + wv_b0[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a0; + uint32_t x1 = wv_a0[i] + x[i]; + os[i] = x1; + } + uint32_t *wv_a1 = wv + d0 * (uint32_t)4U; + uint32_t *wv_b1 = wv + a * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a1; + uint32_t x1 = wv_a1[i] ^ wv_b1[i]; + os[i] = x1; + } + uint32_t *r10 = wv_a1; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r10; + uint32_t x1 = r10[i]; + uint32_t x10 = x1 >> (uint32_t)16U | x1 << (uint32_t)16U; + os[i] = x10; + } + uint32_t *wv_a2 = wv + c0 * (uint32_t)4U; + uint32_t *wv_b2 = wv + d0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a2; + uint32_t x1 = wv_a2[i] + wv_b2[i]; + os[i] = x1; + } + uint32_t *wv_a3 = wv + b0 * (uint32_t)4U; + uint32_t *wv_b3 = wv + c0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a3; + uint32_t x1 = wv_a3[i] ^ wv_b3[i]; + os[i] = x1; + } + uint32_t *r12 = wv_a3; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r12; + uint32_t x1 = r12[i]; + uint32_t x10 = x1 >> (uint32_t)12U | x1 << (uint32_t)20U; + os[i] = x10; + } + uint32_t *wv_a4 = wv + a * (uint32_t)4U; + uint32_t *wv_b4 = wv + b0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a4; + uint32_t x1 = wv_a4[i] + wv_b4[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a4; + uint32_t x1 = wv_a4[i] + y[i]; + os[i] = x1; + } + uint32_t *wv_a5 = wv + d0 * (uint32_t)4U; + uint32_t *wv_b5 = wv + a * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = 
wv_a5; + uint32_t x1 = wv_a5[i] ^ wv_b5[i]; + os[i] = x1; + } + uint32_t *r13 = wv_a5; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r13; + uint32_t x1 = r13[i]; + uint32_t x10 = x1 >> (uint32_t)8U | x1 << (uint32_t)24U; + os[i] = x10; + } + uint32_t *wv_a6 = wv + c0 * (uint32_t)4U; + uint32_t *wv_b6 = wv + d0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a6; + uint32_t x1 = wv_a6[i] + wv_b6[i]; + os[i] = x1; + } + uint32_t *wv_a7 = wv + b0 * (uint32_t)4U; + uint32_t *wv_b7 = wv + c0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a7; + uint32_t x1 = wv_a7[i] ^ wv_b7[i]; + os[i] = x1; + } + uint32_t *r14 = wv_a7; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r14; + uint32_t x1 = r14[i]; + uint32_t x10 = x1 >> (uint32_t)7U | x1 << (uint32_t)25U; + os[i] = x10; + } + uint32_t *r15 = wv + (uint32_t)1U * (uint32_t)4U; + uint32_t *r21 = wv + (uint32_t)2U * (uint32_t)4U; + uint32_t *r31 = wv + (uint32_t)3U * (uint32_t)4U; + uint32_t *r110 = r15; + uint32_t x00 = r110[1U]; + uint32_t x10 = r110[((uint32_t)1U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x20 = r110[((uint32_t)1U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x30 = r110[((uint32_t)1U + (uint32_t)3U) % (uint32_t)4U]; + r110[0U] = x00; + r110[1U] = x10; + r110[2U] = x20; + r110[3U] = x30; + uint32_t *r111 = r21; + uint32_t x01 = r111[2U]; + uint32_t x11 = r111[((uint32_t)2U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x21 = r111[((uint32_t)2U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x31 = r111[((uint32_t)2U + (uint32_t)3U) % (uint32_t)4U]; + r111[0U] = x01; + r111[1U] = x11; + r111[2U] = x21; + r111[3U] = x31; + uint32_t *r112 = r31; + uint32_t x02 = r112[3U]; + uint32_t x12 = r112[((uint32_t)3U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x22 = r112[((uint32_t)3U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x32 = r112[((uint32_t)3U + (uint32_t)3U) % 
(uint32_t)4U]; + r112[0U] = x02; + r112[1U] = x12; + r112[2U] = x22; + r112[3U] = x32; + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d = (uint32_t)3U; + uint32_t *wv_a = wv + a0 * (uint32_t)4U; + uint32_t *wv_b8 = wv + b * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a; + uint32_t x1 = wv_a[i] + wv_b8[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a; + uint32_t x1 = wv_a[i] + z[i]; + os[i] = x1; + } + uint32_t *wv_a8 = wv + d * (uint32_t)4U; + uint32_t *wv_b9 = wv + a0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a8; + uint32_t x1 = wv_a8[i] ^ wv_b9[i]; + os[i] = x1; + } + uint32_t *r16 = wv_a8; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r16; + uint32_t x1 = r16[i]; + uint32_t x13 = x1 >> (uint32_t)16U | x1 << (uint32_t)16U; + os[i] = x13; + } + uint32_t *wv_a9 = wv + c * (uint32_t)4U; + uint32_t *wv_b10 = wv + d * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a9; + uint32_t x1 = wv_a9[i] + wv_b10[i]; + os[i] = x1; + } + uint32_t *wv_a10 = wv + b * (uint32_t)4U; + uint32_t *wv_b11 = wv + c * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a10; + uint32_t x1 = wv_a10[i] ^ wv_b11[i]; + os[i] = x1; + } + uint32_t *r17 = wv_a10; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r17; + uint32_t x1 = r17[i]; + uint32_t x13 = x1 >> (uint32_t)12U | x1 << (uint32_t)20U; + os[i] = x13; + } + uint32_t *wv_a11 = wv + a0 * (uint32_t)4U; + uint32_t *wv_b12 = wv + b * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a11; + uint32_t x1 = wv_a11[i] + wv_b12[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a11; + uint32_t 
x1 = wv_a11[i] + w[i]; + os[i] = x1; + } + uint32_t *wv_a12 = wv + d * (uint32_t)4U; + uint32_t *wv_b13 = wv + a0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a12; + uint32_t x1 = wv_a12[i] ^ wv_b13[i]; + os[i] = x1; + } + uint32_t *r18 = wv_a12; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r18; + uint32_t x1 = r18[i]; + uint32_t x13 = x1 >> (uint32_t)8U | x1 << (uint32_t)24U; + os[i] = x13; + } + uint32_t *wv_a13 = wv + c * (uint32_t)4U; + uint32_t *wv_b14 = wv + d * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a13; + uint32_t x1 = wv_a13[i] + wv_b14[i]; + os[i] = x1; + } + uint32_t *wv_a14 = wv + b * (uint32_t)4U; + uint32_t *wv_b = wv + c * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a14; + uint32_t x1 = wv_a14[i] ^ wv_b[i]; + os[i] = x1; + } + uint32_t *r19 = wv_a14; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r19; + uint32_t x1 = r19[i]; + uint32_t x13 = x1 >> (uint32_t)7U | x1 << (uint32_t)25U; + os[i] = x13; + } + uint32_t *r113 = wv + (uint32_t)1U * (uint32_t)4U; + uint32_t *r2 = wv + (uint32_t)2U * (uint32_t)4U; + uint32_t *r3 = wv + (uint32_t)3U * (uint32_t)4U; + uint32_t *r11 = r113; + uint32_t x03 = r11[3U]; + uint32_t x13 = r11[((uint32_t)3U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x23 = r11[((uint32_t)3U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x33 = r11[((uint32_t)3U + (uint32_t)3U) % (uint32_t)4U]; + r11[0U] = x03; + r11[1U] = x13; + r11[2U] = x23; + r11[3U] = x33; + uint32_t *r114 = r2; + uint32_t x04 = r114[2U]; + uint32_t x14 = r114[((uint32_t)2U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x24 = r114[((uint32_t)2U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x34 = r114[((uint32_t)2U + (uint32_t)3U) % (uint32_t)4U]; + r114[0U] = x04; + r114[1U] = x14; + r114[2U] = x24; + r114[3U] = x34; + uint32_t *r115 = r3; + uint32_t x0 = 
r115[1U]; + uint32_t x1 = r115[((uint32_t)1U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x2 = r115[((uint32_t)1U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x3 = r115[((uint32_t)1U + (uint32_t)3U) % (uint32_t)4U]; + r115[0U] = x0; + r115[1U] = x1; + r115[2U] = x2; + r115[3U] = x3; + } + uint32_t *s0 = s + (uint32_t)0U * (uint32_t)4U; + uint32_t *s1 = s + (uint32_t)1U * (uint32_t)4U; + uint32_t *r0 = wv + (uint32_t)0U * (uint32_t)4U; + uint32_t *r1 = wv + (uint32_t)1U * (uint32_t)4U; + uint32_t *r2 = wv + (uint32_t)2U * (uint32_t)4U; + uint32_t *r3 = wv + (uint32_t)3U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s0; + uint32_t x = s0[i] ^ r0[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s0; + uint32_t x = s0[i] ^ r2[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s1; + uint32_t x = s1[i] ^ r1[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s1; + uint32_t x = s1[i] ^ r3[i]; + os[i] = x; + } + return (uint64_t)0U; +} + +FStar_UInt128_uint128 +Hacl_Hash_Blake2_update_last_blake2b_32( + uint64_t *s, + FStar_UInt128_uint128 ev, + FStar_UInt128_uint128 prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)128U; + uint32_t blocks_len0 = blocks_n * (uint32_t)128U; + uint32_t rest_len0 = input_len - blocks_len0; + K___uint32_t_uint32_t_uint32_t scrut; + if (rest_len0 == (uint32_t)0U && blocks_n > (uint32_t)0U) + { + uint32_t blocks_n1 = blocks_n - (uint32_t)1U; + uint32_t blocks_len1 = blocks_len0 - (uint32_t)128U; + uint32_t rest_len1 = (uint32_t)128U; + scrut = + ((K___uint32_t_uint32_t_uint32_t){ .fst = blocks_n1, .snd = blocks_len1, .thd = rest_len1 }); + } + else + { + scrut = + ((K___uint32_t_uint32_t_uint32_t){ .fst = blocks_n, .snd = blocks_len0, .thd = rest_len0 }); + } + uint32_t num_blocks0 = scrut.fst; + uint32_t 
blocks_len = scrut.snd; + uint32_t rest_len1 = scrut.thd; + uint8_t *blocks0 = input; + uint8_t *rest0 = input + blocks_len; + K___uint32_t_uint32_t_uint32_t__uint8_t___uint8_t_ + scrut0 = + { .fst = num_blocks0, .snd = blocks_len, .thd = rest_len1, .f3 = blocks0, .f4 = rest0 }; + uint32_t num_blocks = scrut0.fst; + uint32_t rest_len = scrut0.thd; + uint8_t *blocks = scrut0.f3; + uint8_t *rest = scrut0.f4; + FStar_UInt128_uint128 + ev_ = Hacl_Hash_Blake2_update_multi_blake2b_32(s, ev, blocks, num_blocks); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * (uint32_t)4U); + uint64_t wv[(uint32_t)4U * (uint32_t)4U]; + memset(wv, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + uint8_t tmp[128U] = { 0U }; + uint8_t *tmp_rest = tmp; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + FStar_UInt128_uint128 + totlen = FStar_UInt128_add_mod(ev_, FStar_UInt128_uint64_to_uint128((uint64_t)rest_len)); + uint64_t m_w[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t *os = m_w; + uint8_t *bj = tmp + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + uint64_t mask[4U] = { 0U }; + uint64_t wv_14 = (uint64_t)0xFFFFFFFFFFFFFFFFU; + uint64_t wv_15 = (uint64_t)0U; + mask[0U] = FStar_UInt128_uint128_to_uint64(totlen); + mask[1U] = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(totlen, (uint32_t)64U)); + mask[2U] = wv_14; + mask[3U] = wv_15; + memcpy(wv, s, (uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + uint64_t *wv3 = wv + (uint32_t)3U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv3; + uint64_t x = wv3[i] ^ mask[i]; + os[i] = x; + } + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)12U; i0++) + { + uint32_t start_idx = i0 % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * (uint32_t)4U); + uint64_t m_st[(uint32_t)4U * (uint32_t)4U]; + memset(m_st, 0U, (uint32_t)4U * (uint32_t)4U * 
sizeof (uint64_t)); + uint64_t *r0 = m_st + (uint32_t)0U * (uint32_t)4U; + uint64_t *r1 = m_st + (uint32_t)1U * (uint32_t)4U; + uint64_t *r20 = m_st + (uint32_t)2U * (uint32_t)4U; + uint64_t *r30 = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + uint64_t uu____0 = m_w[s2]; + uint64_t uu____1 = m_w[s4]; + uint64_t uu____2 = m_w[s6]; + r0[0U] = m_w[s0]; + r0[1U] = uu____0; + r0[2U] = uu____1; + r0[3U] = uu____2; + uint64_t uu____3 = m_w[s3]; + uint64_t uu____4 = m_w[s5]; + uint64_t uu____5 = m_w[s7]; + r1[0U] = m_w[s1]; + r1[1U] = uu____3; + r1[2U] = uu____4; + r1[3U] = uu____5; + uint64_t uu____6 = m_w[s10]; + uint64_t uu____7 = m_w[s12]; + uint64_t uu____8 = m_w[s14]; + r20[0U] = m_w[s8]; + r20[1U] = 
uu____6; + r20[2U] = uu____7; + r20[3U] = uu____8; + uint64_t uu____9 = m_w[s11]; + uint64_t uu____10 = m_w[s13]; + uint64_t uu____11 = m_w[s15]; + r30[0U] = m_w[s9]; + r30[1U] = uu____9; + r30[2U] = uu____10; + r30[3U] = uu____11; + uint64_t *x = m_st + (uint32_t)0U * (uint32_t)4U; + uint64_t *y = m_st + (uint32_t)1U * (uint32_t)4U; + uint64_t *z = m_st + (uint32_t)2U * (uint32_t)4U; + uint64_t *w = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d0 = (uint32_t)3U; + uint64_t *wv_a0 = wv + a * (uint32_t)4U; + uint64_t *wv_b0 = wv + b0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a0; + uint64_t x1 = wv_a0[i] + wv_b0[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a0; + uint64_t x1 = wv_a0[i] + x[i]; + os[i] = x1; + } + uint64_t *wv_a1 = wv + d0 * (uint32_t)4U; + uint64_t *wv_b1 = wv + a * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a1; + uint64_t x1 = wv_a1[i] ^ wv_b1[i]; + os[i] = x1; + } + uint64_t *r10 = wv_a1; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r10; + uint64_t x1 = r10[i]; + uint64_t x10 = x1 >> (uint32_t)32U | x1 << (uint32_t)32U; + os[i] = x10; + } + uint64_t *wv_a2 = wv + c0 * (uint32_t)4U; + uint64_t *wv_b2 = wv + d0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a2; + uint64_t x1 = wv_a2[i] + wv_b2[i]; + os[i] = x1; + } + uint64_t *wv_a3 = wv + b0 * (uint32_t)4U; + uint64_t *wv_b3 = wv + c0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a3; + uint64_t x1 = wv_a3[i] ^ wv_b3[i]; + os[i] = x1; + } + uint64_t *r12 = wv_a3; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r12; + uint64_t x1 = r12[i]; + uint64_t x10 = x1 >> (uint32_t)24U | x1 << 
(uint32_t)40U; + os[i] = x10; + } + uint64_t *wv_a4 = wv + a * (uint32_t)4U; + uint64_t *wv_b4 = wv + b0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a4; + uint64_t x1 = wv_a4[i] + wv_b4[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a4; + uint64_t x1 = wv_a4[i] + y[i]; + os[i] = x1; + } + uint64_t *wv_a5 = wv + d0 * (uint32_t)4U; + uint64_t *wv_b5 = wv + a * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a5; + uint64_t x1 = wv_a5[i] ^ wv_b5[i]; + os[i] = x1; + } + uint64_t *r13 = wv_a5; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r13; + uint64_t x1 = r13[i]; + uint64_t x10 = x1 >> (uint32_t)16U | x1 << (uint32_t)48U; + os[i] = x10; + } + uint64_t *wv_a6 = wv + c0 * (uint32_t)4U; + uint64_t *wv_b6 = wv + d0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a6; + uint64_t x1 = wv_a6[i] + wv_b6[i]; + os[i] = x1; + } + uint64_t *wv_a7 = wv + b0 * (uint32_t)4U; + uint64_t *wv_b7 = wv + c0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a7; + uint64_t x1 = wv_a7[i] ^ wv_b7[i]; + os[i] = x1; + } + uint64_t *r14 = wv_a7; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r14; + uint64_t x1 = r14[i]; + uint64_t x10 = x1 >> (uint32_t)63U | x1 << (uint32_t)1U; + os[i] = x10; + } + uint64_t *r15 = wv + (uint32_t)1U * (uint32_t)4U; + uint64_t *r21 = wv + (uint32_t)2U * (uint32_t)4U; + uint64_t *r31 = wv + (uint32_t)3U * (uint32_t)4U; + uint64_t *r110 = r15; + uint64_t x00 = r110[1U]; + uint64_t x10 = r110[((uint32_t)1U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x20 = r110[((uint32_t)1U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x30 = r110[((uint32_t)1U + (uint32_t)3U) % (uint32_t)4U]; + r110[0U] = x00; + r110[1U] = x10; + r110[2U] = x20; + r110[3U] = x30; + uint64_t 
*r111 = r21; + uint64_t x01 = r111[2U]; + uint64_t x11 = r111[((uint32_t)2U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x21 = r111[((uint32_t)2U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x31 = r111[((uint32_t)2U + (uint32_t)3U) % (uint32_t)4U]; + r111[0U] = x01; + r111[1U] = x11; + r111[2U] = x21; + r111[3U] = x31; + uint64_t *r112 = r31; + uint64_t x02 = r112[3U]; + uint64_t x12 = r112[((uint32_t)3U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x22 = r112[((uint32_t)3U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x32 = r112[((uint32_t)3U + (uint32_t)3U) % (uint32_t)4U]; + r112[0U] = x02; + r112[1U] = x12; + r112[2U] = x22; + r112[3U] = x32; + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d = (uint32_t)3U; + uint64_t *wv_a = wv + a0 * (uint32_t)4U; + uint64_t *wv_b8 = wv + b * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a; + uint64_t x1 = wv_a[i] + wv_b8[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a; + uint64_t x1 = wv_a[i] + z[i]; + os[i] = x1; + } + uint64_t *wv_a8 = wv + d * (uint32_t)4U; + uint64_t *wv_b9 = wv + a0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a8; + uint64_t x1 = wv_a8[i] ^ wv_b9[i]; + os[i] = x1; + } + uint64_t *r16 = wv_a8; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r16; + uint64_t x1 = r16[i]; + uint64_t x13 = x1 >> (uint32_t)32U | x1 << (uint32_t)32U; + os[i] = x13; + } + uint64_t *wv_a9 = wv + c * (uint32_t)4U; + uint64_t *wv_b10 = wv + d * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a9; + uint64_t x1 = wv_a9[i] + wv_b10[i]; + os[i] = x1; + } + uint64_t *wv_a10 = wv + b * (uint32_t)4U; + uint64_t *wv_b11 = wv + c * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a10; + uint64_t x1 = wv_a10[i] ^ 
wv_b11[i]; + os[i] = x1; + } + uint64_t *r17 = wv_a10; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r17; + uint64_t x1 = r17[i]; + uint64_t x13 = x1 >> (uint32_t)24U | x1 << (uint32_t)40U; + os[i] = x13; + } + uint64_t *wv_a11 = wv + a0 * (uint32_t)4U; + uint64_t *wv_b12 = wv + b * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a11; + uint64_t x1 = wv_a11[i] + wv_b12[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a11; + uint64_t x1 = wv_a11[i] + w[i]; + os[i] = x1; + } + uint64_t *wv_a12 = wv + d * (uint32_t)4U; + uint64_t *wv_b13 = wv + a0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a12; + uint64_t x1 = wv_a12[i] ^ wv_b13[i]; + os[i] = x1; + } + uint64_t *r18 = wv_a12; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r18; + uint64_t x1 = r18[i]; + uint64_t x13 = x1 >> (uint32_t)16U | x1 << (uint32_t)48U; + os[i] = x13; + } + uint64_t *wv_a13 = wv + c * (uint32_t)4U; + uint64_t *wv_b14 = wv + d * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a13; + uint64_t x1 = wv_a13[i] + wv_b14[i]; + os[i] = x1; + } + uint64_t *wv_a14 = wv + b * (uint32_t)4U; + uint64_t *wv_b = wv + c * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a14; + uint64_t x1 = wv_a14[i] ^ wv_b[i]; + os[i] = x1; + } + uint64_t *r19 = wv_a14; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r19; + uint64_t x1 = r19[i]; + uint64_t x13 = x1 >> (uint32_t)63U | x1 << (uint32_t)1U; + os[i] = x13; + } + uint64_t *r113 = wv + (uint32_t)1U * (uint32_t)4U; + uint64_t *r2 = wv + (uint32_t)2U * (uint32_t)4U; + uint64_t *r3 = wv + (uint32_t)3U * (uint32_t)4U; + uint64_t *r11 = r113; + uint64_t x03 = r11[3U]; + uint64_t x13 = r11[((uint32_t)3U + (uint32_t)1U) % (uint32_t)4U]; + 
uint64_t x23 = r11[((uint32_t)3U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x33 = r11[((uint32_t)3U + (uint32_t)3U) % (uint32_t)4U]; + r11[0U] = x03; + r11[1U] = x13; + r11[2U] = x23; + r11[3U] = x33; + uint64_t *r114 = r2; + uint64_t x04 = r114[2U]; + uint64_t x14 = r114[((uint32_t)2U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x24 = r114[((uint32_t)2U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x34 = r114[((uint32_t)2U + (uint32_t)3U) % (uint32_t)4U]; + r114[0U] = x04; + r114[1U] = x14; + r114[2U] = x24; + r114[3U] = x34; + uint64_t *r115 = r3; + uint64_t x0 = r115[1U]; + uint64_t x1 = r115[((uint32_t)1U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x2 = r115[((uint32_t)1U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x3 = r115[((uint32_t)1U + (uint32_t)3U) % (uint32_t)4U]; + r115[0U] = x0; + r115[1U] = x1; + r115[2U] = x2; + r115[3U] = x3; + } + uint64_t *s0 = s + (uint32_t)0U * (uint32_t)4U; + uint64_t *s1 = s + (uint32_t)1U * (uint32_t)4U; + uint64_t *r0 = wv + (uint32_t)0U * (uint32_t)4U; + uint64_t *r1 = wv + (uint32_t)1U * (uint32_t)4U; + uint64_t *r2 = wv + (uint32_t)2U * (uint32_t)4U; + uint64_t *r3 = wv + (uint32_t)3U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s0; + uint64_t x = s0[i] ^ r0[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s0; + uint64_t x = s0[i] ^ r2[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s1; + uint64_t x = s1[i] ^ r1[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s1; + uint64_t x = s1[i] ^ r3[i]; + os[i] = x; + } + return FStar_UInt128_uint64_to_uint128((uint64_t)0U); +} + +void Hacl_Hash_Blake2_hash_blake2s_32(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + Hacl_Blake2s_32_blake2s((uint32_t)32U, dst, input_len, input, (uint32_t)0U, NULL); +} + +void Hacl_Hash_Blake2_hash_blake2b_32(uint8_t *input, uint32_t input_len, 
uint8_t *dst) +{ + Hacl_Blake2b_32_blake2b((uint32_t)64U, dst, input_len, input, (uint32_t)0U, NULL); +} + +static inline void +blake2b_update_block( + uint64_t *wv, + uint64_t *hash, + bool flag, + FStar_UInt128_uint128 totlen, + uint8_t *d +) +{ + uint64_t m_w[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t *os = m_w; + uint8_t *bj = d + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + uint64_t mask[4U] = { 0U }; + uint64_t wv_14; + if (flag) + { + wv_14 = (uint64_t)0xFFFFFFFFFFFFFFFFU; + } + else + { + wv_14 = (uint64_t)0U; + } + uint64_t wv_15 = (uint64_t)0U; + mask[0U] = FStar_UInt128_uint128_to_uint64(totlen); + mask[1U] = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(totlen, (uint32_t)64U)); + mask[2U] = wv_14; + mask[3U] = wv_15; + memcpy(wv, hash, (uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + uint64_t *wv3 = wv + (uint32_t)3U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv3; + uint64_t x = wv3[i] ^ mask[i]; + os[i] = x; + } + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)12U; i0++) + { + uint32_t start_idx = i0 % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * (uint32_t)4U); + uint64_t m_st[(uint32_t)4U * (uint32_t)4U]; + memset(m_st, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + uint64_t *r0 = m_st + (uint32_t)0U * (uint32_t)4U; + uint64_t *r1 = m_st + (uint32_t)1U * (uint32_t)4U; + uint64_t *r20 = m_st + (uint32_t)2U * (uint32_t)4U; + uint64_t *r30 = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = 
Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + uint64_t uu____0 = m_w[s2]; + uint64_t uu____1 = m_w[s4]; + uint64_t uu____2 = m_w[s6]; + r0[0U] = m_w[s0]; + r0[1U] = uu____0; + r0[2U] = uu____1; + r0[3U] = uu____2; + uint64_t uu____3 = m_w[s3]; + uint64_t uu____4 = m_w[s5]; + uint64_t uu____5 = m_w[s7]; + r1[0U] = m_w[s1]; + r1[1U] = uu____3; + r1[2U] = uu____4; + r1[3U] = uu____5; + uint64_t uu____6 = m_w[s10]; + uint64_t uu____7 = m_w[s12]; + uint64_t uu____8 = m_w[s14]; + r20[0U] = m_w[s8]; + r20[1U] = uu____6; + r20[2U] = uu____7; + r20[3U] = uu____8; + uint64_t uu____9 = m_w[s11]; + uint64_t uu____10 = m_w[s13]; + uint64_t uu____11 = m_w[s15]; + r30[0U] = m_w[s9]; + r30[1U] = uu____9; + r30[2U] = uu____10; + r30[3U] = uu____11; + uint64_t *x = m_st + (uint32_t)0U * (uint32_t)4U; + uint64_t *y = m_st + (uint32_t)1U * (uint32_t)4U; + uint64_t *z = m_st + (uint32_t)2U * (uint32_t)4U; + uint64_t *w = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d10 = (uint32_t)3U; + 
uint64_t *wv_a0 = wv + a * (uint32_t)4U; + uint64_t *wv_b0 = wv + b0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a0; + uint64_t x1 = wv_a0[i] + wv_b0[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a0; + uint64_t x1 = wv_a0[i] + x[i]; + os[i] = x1; + } + uint64_t *wv_a1 = wv + d10 * (uint32_t)4U; + uint64_t *wv_b1 = wv + a * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a1; + uint64_t x1 = wv_a1[i] ^ wv_b1[i]; + os[i] = x1; + } + uint64_t *r10 = wv_a1; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r10; + uint64_t x1 = r10[i]; + uint64_t x10 = x1 >> (uint32_t)32U | x1 << (uint32_t)32U; + os[i] = x10; + } + uint64_t *wv_a2 = wv + c0 * (uint32_t)4U; + uint64_t *wv_b2 = wv + d10 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a2; + uint64_t x1 = wv_a2[i] + wv_b2[i]; + os[i] = x1; + } + uint64_t *wv_a3 = wv + b0 * (uint32_t)4U; + uint64_t *wv_b3 = wv + c0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a3; + uint64_t x1 = wv_a3[i] ^ wv_b3[i]; + os[i] = x1; + } + uint64_t *r12 = wv_a3; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r12; + uint64_t x1 = r12[i]; + uint64_t x10 = x1 >> (uint32_t)24U | x1 << (uint32_t)40U; + os[i] = x10; + } + uint64_t *wv_a4 = wv + a * (uint32_t)4U; + uint64_t *wv_b4 = wv + b0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a4; + uint64_t x1 = wv_a4[i] + wv_b4[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a4; + uint64_t x1 = wv_a4[i] + y[i]; + os[i] = x1; + } + uint64_t *wv_a5 = wv + d10 * (uint32_t)4U; + uint64_t *wv_b5 = wv + a * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = 
wv_a5; + uint64_t x1 = wv_a5[i] ^ wv_b5[i]; + os[i] = x1; + } + uint64_t *r13 = wv_a5; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r13; + uint64_t x1 = r13[i]; + uint64_t x10 = x1 >> (uint32_t)16U | x1 << (uint32_t)48U; + os[i] = x10; + } + uint64_t *wv_a6 = wv + c0 * (uint32_t)4U; + uint64_t *wv_b6 = wv + d10 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a6; + uint64_t x1 = wv_a6[i] + wv_b6[i]; + os[i] = x1; + } + uint64_t *wv_a7 = wv + b0 * (uint32_t)4U; + uint64_t *wv_b7 = wv + c0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a7; + uint64_t x1 = wv_a7[i] ^ wv_b7[i]; + os[i] = x1; + } + uint64_t *r14 = wv_a7; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r14; + uint64_t x1 = r14[i]; + uint64_t x10 = x1 >> (uint32_t)63U | x1 << (uint32_t)1U; + os[i] = x10; + } + uint64_t *r15 = wv + (uint32_t)1U * (uint32_t)4U; + uint64_t *r21 = wv + (uint32_t)2U * (uint32_t)4U; + uint64_t *r31 = wv + (uint32_t)3U * (uint32_t)4U; + uint64_t *r110 = r15; + uint64_t x00 = r110[1U]; + uint64_t x10 = r110[((uint32_t)1U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x20 = r110[((uint32_t)1U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x30 = r110[((uint32_t)1U + (uint32_t)3U) % (uint32_t)4U]; + r110[0U] = x00; + r110[1U] = x10; + r110[2U] = x20; + r110[3U] = x30; + uint64_t *r111 = r21; + uint64_t x01 = r111[2U]; + uint64_t x11 = r111[((uint32_t)2U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x21 = r111[((uint32_t)2U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x31 = r111[((uint32_t)2U + (uint32_t)3U) % (uint32_t)4U]; + r111[0U] = x01; + r111[1U] = x11; + r111[2U] = x21; + r111[3U] = x31; + uint64_t *r112 = r31; + uint64_t x02 = r112[3U]; + uint64_t x12 = r112[((uint32_t)3U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x22 = r112[((uint32_t)3U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x32 = r112[((uint32_t)3U + (uint32_t)3U) % 
(uint32_t)4U]; + r112[0U] = x02; + r112[1U] = x12; + r112[2U] = x22; + r112[3U] = x32; + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d1 = (uint32_t)3U; + uint64_t *wv_a = wv + a0 * (uint32_t)4U; + uint64_t *wv_b8 = wv + b * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a; + uint64_t x1 = wv_a[i] + wv_b8[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a; + uint64_t x1 = wv_a[i] + z[i]; + os[i] = x1; + } + uint64_t *wv_a8 = wv + d1 * (uint32_t)4U; + uint64_t *wv_b9 = wv + a0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a8; + uint64_t x1 = wv_a8[i] ^ wv_b9[i]; + os[i] = x1; + } + uint64_t *r16 = wv_a8; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r16; + uint64_t x1 = r16[i]; + uint64_t x13 = x1 >> (uint32_t)32U | x1 << (uint32_t)32U; + os[i] = x13; + } + uint64_t *wv_a9 = wv + c * (uint32_t)4U; + uint64_t *wv_b10 = wv + d1 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a9; + uint64_t x1 = wv_a9[i] + wv_b10[i]; + os[i] = x1; + } + uint64_t *wv_a10 = wv + b * (uint32_t)4U; + uint64_t *wv_b11 = wv + c * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a10; + uint64_t x1 = wv_a10[i] ^ wv_b11[i]; + os[i] = x1; + } + uint64_t *r17 = wv_a10; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r17; + uint64_t x1 = r17[i]; + uint64_t x13 = x1 >> (uint32_t)24U | x1 << (uint32_t)40U; + os[i] = x13; + } + uint64_t *wv_a11 = wv + a0 * (uint32_t)4U; + uint64_t *wv_b12 = wv + b * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a11; + uint64_t x1 = wv_a11[i] + wv_b12[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a11; + 
uint64_t x1 = wv_a11[i] + w[i]; + os[i] = x1; + } + uint64_t *wv_a12 = wv + d1 * (uint32_t)4U; + uint64_t *wv_b13 = wv + a0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a12; + uint64_t x1 = wv_a12[i] ^ wv_b13[i]; + os[i] = x1; + } + uint64_t *r18 = wv_a12; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r18; + uint64_t x1 = r18[i]; + uint64_t x13 = x1 >> (uint32_t)16U | x1 << (uint32_t)48U; + os[i] = x13; + } + uint64_t *wv_a13 = wv + c * (uint32_t)4U; + uint64_t *wv_b14 = wv + d1 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a13; + uint64_t x1 = wv_a13[i] + wv_b14[i]; + os[i] = x1; + } + uint64_t *wv_a14 = wv + b * (uint32_t)4U; + uint64_t *wv_b = wv + c * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a14; + uint64_t x1 = wv_a14[i] ^ wv_b[i]; + os[i] = x1; + } + uint64_t *r19 = wv_a14; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r19; + uint64_t x1 = r19[i]; + uint64_t x13 = x1 >> (uint32_t)63U | x1 << (uint32_t)1U; + os[i] = x13; + } + uint64_t *r113 = wv + (uint32_t)1U * (uint32_t)4U; + uint64_t *r2 = wv + (uint32_t)2U * (uint32_t)4U; + uint64_t *r3 = wv + (uint32_t)3U * (uint32_t)4U; + uint64_t *r11 = r113; + uint64_t x03 = r11[3U]; + uint64_t x13 = r11[((uint32_t)3U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x23 = r11[((uint32_t)3U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x33 = r11[((uint32_t)3U + (uint32_t)3U) % (uint32_t)4U]; + r11[0U] = x03; + r11[1U] = x13; + r11[2U] = x23; + r11[3U] = x33; + uint64_t *r114 = r2; + uint64_t x04 = r114[2U]; + uint64_t x14 = r114[((uint32_t)2U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x24 = r114[((uint32_t)2U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x34 = r114[((uint32_t)2U + (uint32_t)3U) % (uint32_t)4U]; + r114[0U] = x04; + r114[1U] = x14; + r114[2U] = x24; + r114[3U] = x34; + uint64_t *r115 = r3; + 
uint64_t x0 = r115[1U]; + uint64_t x1 = r115[((uint32_t)1U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x2 = r115[((uint32_t)1U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x3 = r115[((uint32_t)1U + (uint32_t)3U) % (uint32_t)4U]; + r115[0U] = x0; + r115[1U] = x1; + r115[2U] = x2; + r115[3U] = x3; + } + uint64_t *s0 = hash + (uint32_t)0U * (uint32_t)4U; + uint64_t *s1 = hash + (uint32_t)1U * (uint32_t)4U; + uint64_t *r0 = wv + (uint32_t)0U * (uint32_t)4U; + uint64_t *r1 = wv + (uint32_t)1U * (uint32_t)4U; + uint64_t *r2 = wv + (uint32_t)2U * (uint32_t)4U; + uint64_t *r3 = wv + (uint32_t)3U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s0; + uint64_t x = s0[i] ^ r0[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s0; + uint64_t x = s0[i] ^ r2[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s1; + uint64_t x = s1[i] ^ r1[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s1; + uint64_t x = s1[i] ^ r3[i]; + os[i] = x; + } +} + +void Hacl_Blake2b_32_blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn) +{ + uint64_t *r0 = hash + (uint32_t)0U * (uint32_t)4U; + uint64_t *r1 = hash + (uint32_t)1U * (uint32_t)4U; + uint64_t *r2 = hash + (uint32_t)2U * (uint32_t)4U; + uint64_t *r3 = hash + (uint32_t)3U * (uint32_t)4U; + uint64_t iv0 = Hacl_Impl_Blake2_Constants_ivTable_B[0U]; + uint64_t iv1 = Hacl_Impl_Blake2_Constants_ivTable_B[1U]; + uint64_t iv2 = Hacl_Impl_Blake2_Constants_ivTable_B[2U]; + uint64_t iv3 = Hacl_Impl_Blake2_Constants_ivTable_B[3U]; + uint64_t iv4 = Hacl_Impl_Blake2_Constants_ivTable_B[4U]; + uint64_t iv5 = Hacl_Impl_Blake2_Constants_ivTable_B[5U]; + uint64_t iv6 = Hacl_Impl_Blake2_Constants_ivTable_B[6U]; + uint64_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] 
= iv6; + r3[3U] = iv7; + uint64_t kk_shift_8 = (uint64_t)kk << (uint32_t)8U; + uint64_t iv0_ = iv0 ^ ((uint64_t)0x01010000U ^ (kk_shift_8 ^ (uint64_t)nn)); + r0[0U] = iv0_; + r0[1U] = iv1; + r0[2U] = iv2; + r0[3U] = iv3; + r1[0U] = iv4; + r1[1U] = iv5; + r1[2U] = iv6; + r1[3U] = iv7; +} + +void +Hacl_Blake2b_32_blake2b_update_key( + uint64_t *wv, + uint64_t *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll +) +{ + FStar_UInt128_uint128 lb = FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U); + uint8_t b[128U] = { 0U }; + memcpy(b, k, kk * sizeof (uint8_t)); + if (ll == (uint32_t)0U) + { + blake2b_update_block(wv, hash, true, lb, b); + } + else + { + blake2b_update_block(wv, hash, false, lb, b); + } + Lib_Memzero0_memzero(b, (uint32_t)128U * sizeof (b[0U])); +} + +void +Hacl_Blake2b_32_blake2b_update_multi( + uint32_t len, + uint64_t *wv, + uint64_t *hash, + FStar_UInt128_uint128 prev, + uint8_t *blocks, + uint32_t nb +) +{ + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + FStar_UInt128_uint128 + totlen = + FStar_UInt128_add_mod(prev, + FStar_UInt128_uint64_to_uint128((uint64_t)((i + (uint32_t)1U) * (uint32_t)128U))); + uint8_t *b = blocks + i * (uint32_t)128U; + blake2b_update_block(wv, hash, false, totlen, b); + } +} + +void +Hacl_Blake2b_32_blake2b_update_last( + uint32_t len, + uint64_t *wv, + uint64_t *hash, + FStar_UInt128_uint128 prev, + uint32_t rem, + uint8_t *d +) +{ + uint8_t b[128U] = { 0U }; + uint8_t *last = d + len - rem; + memcpy(b, last, rem * sizeof (uint8_t)); + FStar_UInt128_uint128 + totlen = FStar_UInt128_add_mod(prev, FStar_UInt128_uint64_to_uint128((uint64_t)len)); + blake2b_update_block(wv, hash, true, totlen, b); + Lib_Memzero0_memzero(b, (uint32_t)128U * sizeof (b[0U])); +} + +static inline void +blake2b_update_blocks( + uint32_t len, + uint64_t *wv, + uint64_t *hash, + FStar_UInt128_uint128 prev, + uint8_t *blocks +) +{ + uint32_t nb0 = len / (uint32_t)128U; + uint32_t rem0 = len % (uint32_t)128U; + K___uint32_t_uint32_t scrut; 
+ if (rem0 == (uint32_t)0U && nb0 > (uint32_t)0U) + { + uint32_t nb_ = nb0 - (uint32_t)1U; + uint32_t rem_ = (uint32_t)128U; + scrut = ((K___uint32_t_uint32_t){ .fst = nb_, .snd = rem_ }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = nb0, .snd = rem0 }); + } + uint32_t nb = scrut.fst; + uint32_t rem = scrut.snd; + Hacl_Blake2b_32_blake2b_update_multi(len, wv, hash, prev, blocks, nb); + Hacl_Blake2b_32_blake2b_update_last(len, wv, hash, prev, rem, blocks); +} + +static inline void +blake2b_update(uint64_t *wv, uint64_t *hash, uint32_t kk, uint8_t *k, uint32_t ll, uint8_t *d) +{ + FStar_UInt128_uint128 lb = FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U); + if (kk > (uint32_t)0U) + { + Hacl_Blake2b_32_blake2b_update_key(wv, hash, kk, k, ll); + if (!(ll == (uint32_t)0U)) + { + blake2b_update_blocks(ll, wv, hash, lb, d); + return; + } + return; + } + blake2b_update_blocks(ll, + wv, + hash, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)0U), + d); +} + +void Hacl_Blake2b_32_blake2b_finish(uint32_t nn, uint8_t *output, uint64_t *hash) +{ + uint32_t double_row = (uint32_t)2U * ((uint32_t)4U * (uint32_t)8U); + KRML_CHECK_SIZE(sizeof (uint8_t), double_row); + uint8_t b[double_row]; + memset(b, 0U, double_row * sizeof (uint8_t)); + uint8_t *first = b; + uint8_t *second = b + (uint32_t)4U * (uint32_t)8U; + uint64_t *row0 = hash + (uint32_t)0U * (uint32_t)4U; + uint64_t *row1 = hash + (uint32_t)1U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store64_le(first + i * (uint32_t)8U, row0[i]); + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store64_le(second + i * (uint32_t)8U, row1[i]); + } + uint8_t *final = b; + memcpy(output, final, nn * sizeof (uint8_t)); + Lib_Memzero0_memzero(b, double_row * sizeof (b[0U])); +} + +void +Hacl_Blake2b_32_blake2b( + uint32_t nn, + uint8_t *output, + uint32_t ll, + uint8_t *d, + uint32_t kk, + uint8_t *k +) +{ + uint32_t stlen = (uint32_t)4U * (uint32_t)4U; + 
uint64_t stzero = (uint64_t)0U; + KRML_CHECK_SIZE(sizeof (uint64_t), stlen); + uint64_t b[stlen]; + for (uint32_t _i = 0U; _i < stlen; ++_i) + b[_i] = stzero; + KRML_CHECK_SIZE(sizeof (uint64_t), stlen); + uint64_t b1[stlen]; + for (uint32_t _i = 0U; _i < stlen; ++_i) + b1[_i] = stzero; + Hacl_Blake2b_32_blake2b_init(b, kk, nn); + blake2b_update(b1, b, kk, k, ll, d); + Hacl_Blake2b_32_blake2b_finish(nn, output, b); + Lib_Memzero0_memzero(b1, stlen * sizeof (b1[0U])); + Lib_Memzero0_memzero(b, stlen * sizeof (b[0U])); +} + +static inline void +blake2s_update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t *d) +{ + uint32_t m_w[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = m_w; + uint8_t *bj = d + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + uint32_t mask[4U] = { 0U }; + uint32_t wv_14; + if (flag) + { + wv_14 = (uint32_t)0xFFFFFFFFU; + } + else + { + wv_14 = (uint32_t)0U; + } + uint32_t wv_15 = (uint32_t)0U; + mask[0U] = (uint32_t)totlen; + mask[1U] = (uint32_t)(totlen >> (uint32_t)32U); + mask[2U] = wv_14; + mask[3U] = wv_15; + memcpy(wv, hash, (uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + uint32_t *wv3 = wv + (uint32_t)3U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv3; + uint32_t x = wv3[i] ^ mask[i]; + os[i] = x; + } + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)10U; i0++) + { + uint32_t start_idx = i0 % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * (uint32_t)4U); + uint32_t m_st[(uint32_t)4U * (uint32_t)4U]; + memset(m_st, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + uint32_t *r0 = m_st + (uint32_t)0U * (uint32_t)4U; + uint32_t *r1 = m_st + (uint32_t)1U * (uint32_t)4U; + uint32_t *r20 = m_st + (uint32_t)2U * (uint32_t)4U; + uint32_t *r30 = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t s0 = 
Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + uint32_t uu____0 = m_w[s2]; + uint32_t uu____1 = m_w[s4]; + uint32_t uu____2 = m_w[s6]; + r0[0U] = m_w[s0]; + r0[1U] = uu____0; + r0[2U] = uu____1; + r0[3U] = uu____2; + uint32_t uu____3 = m_w[s3]; + uint32_t uu____4 = m_w[s5]; + uint32_t uu____5 = m_w[s7]; + r1[0U] = m_w[s1]; + r1[1U] = uu____3; + r1[2U] = uu____4; + r1[3U] = uu____5; + uint32_t uu____6 = m_w[s10]; + uint32_t uu____7 = m_w[s12]; + uint32_t uu____8 = m_w[s14]; + r20[0U] = m_w[s8]; + r20[1U] = uu____6; + r20[2U] = uu____7; + r20[3U] = uu____8; + uint32_t uu____9 = m_w[s11]; + uint32_t uu____10 = m_w[s13]; + uint32_t uu____11 = m_w[s15]; + r30[0U] = m_w[s9]; + r30[1U] = uu____9; + r30[2U] = uu____10; + r30[3U] = uu____11; + uint32_t *x = m_st + 
(uint32_t)0U * (uint32_t)4U; + uint32_t *y = m_st + (uint32_t)1U * (uint32_t)4U; + uint32_t *z = m_st + (uint32_t)2U * (uint32_t)4U; + uint32_t *w = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d10 = (uint32_t)3U; + uint32_t *wv_a0 = wv + a * (uint32_t)4U; + uint32_t *wv_b0 = wv + b0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a0; + uint32_t x1 = wv_a0[i] + wv_b0[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a0; + uint32_t x1 = wv_a0[i] + x[i]; + os[i] = x1; + } + uint32_t *wv_a1 = wv + d10 * (uint32_t)4U; + uint32_t *wv_b1 = wv + a * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a1; + uint32_t x1 = wv_a1[i] ^ wv_b1[i]; + os[i] = x1; + } + uint32_t *r10 = wv_a1; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r10; + uint32_t x1 = r10[i]; + uint32_t x10 = x1 >> (uint32_t)16U | x1 << (uint32_t)16U; + os[i] = x10; + } + uint32_t *wv_a2 = wv + c0 * (uint32_t)4U; + uint32_t *wv_b2 = wv + d10 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a2; + uint32_t x1 = wv_a2[i] + wv_b2[i]; + os[i] = x1; + } + uint32_t *wv_a3 = wv + b0 * (uint32_t)4U; + uint32_t *wv_b3 = wv + c0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a3; + uint32_t x1 = wv_a3[i] ^ wv_b3[i]; + os[i] = x1; + } + uint32_t *r12 = wv_a3; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r12; + uint32_t x1 = r12[i]; + uint32_t x10 = x1 >> (uint32_t)12U | x1 << (uint32_t)20U; + os[i] = x10; + } + uint32_t *wv_a4 = wv + a * (uint32_t)4U; + uint32_t *wv_b4 = wv + b0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a4; + uint32_t x1 = wv_a4[i] + wv_b4[i]; + os[i] = x1; + 
} + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a4; + uint32_t x1 = wv_a4[i] + y[i]; + os[i] = x1; + } + uint32_t *wv_a5 = wv + d10 * (uint32_t)4U; + uint32_t *wv_b5 = wv + a * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a5; + uint32_t x1 = wv_a5[i] ^ wv_b5[i]; + os[i] = x1; + } + uint32_t *r13 = wv_a5; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r13; + uint32_t x1 = r13[i]; + uint32_t x10 = x1 >> (uint32_t)8U | x1 << (uint32_t)24U; + os[i] = x10; + } + uint32_t *wv_a6 = wv + c0 * (uint32_t)4U; + uint32_t *wv_b6 = wv + d10 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a6; + uint32_t x1 = wv_a6[i] + wv_b6[i]; + os[i] = x1; + } + uint32_t *wv_a7 = wv + b0 * (uint32_t)4U; + uint32_t *wv_b7 = wv + c0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a7; + uint32_t x1 = wv_a7[i] ^ wv_b7[i]; + os[i] = x1; + } + uint32_t *r14 = wv_a7; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r14; + uint32_t x1 = r14[i]; + uint32_t x10 = x1 >> (uint32_t)7U | x1 << (uint32_t)25U; + os[i] = x10; + } + uint32_t *r15 = wv + (uint32_t)1U * (uint32_t)4U; + uint32_t *r21 = wv + (uint32_t)2U * (uint32_t)4U; + uint32_t *r31 = wv + (uint32_t)3U * (uint32_t)4U; + uint32_t *r110 = r15; + uint32_t x00 = r110[1U]; + uint32_t x10 = r110[((uint32_t)1U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x20 = r110[((uint32_t)1U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x30 = r110[((uint32_t)1U + (uint32_t)3U) % (uint32_t)4U]; + r110[0U] = x00; + r110[1U] = x10; + r110[2U] = x20; + r110[3U] = x30; + uint32_t *r111 = r21; + uint32_t x01 = r111[2U]; + uint32_t x11 = r111[((uint32_t)2U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x21 = r111[((uint32_t)2U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x31 = r111[((uint32_t)2U + (uint32_t)3U) % (uint32_t)4U]; + r111[0U] = 
x01; + r111[1U] = x11; + r111[2U] = x21; + r111[3U] = x31; + uint32_t *r112 = r31; + uint32_t x02 = r112[3U]; + uint32_t x12 = r112[((uint32_t)3U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x22 = r112[((uint32_t)3U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x32 = r112[((uint32_t)3U + (uint32_t)3U) % (uint32_t)4U]; + r112[0U] = x02; + r112[1U] = x12; + r112[2U] = x22; + r112[3U] = x32; + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d1 = (uint32_t)3U; + uint32_t *wv_a = wv + a0 * (uint32_t)4U; + uint32_t *wv_b8 = wv + b * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a; + uint32_t x1 = wv_a[i] + wv_b8[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a; + uint32_t x1 = wv_a[i] + z[i]; + os[i] = x1; + } + uint32_t *wv_a8 = wv + d1 * (uint32_t)4U; + uint32_t *wv_b9 = wv + a0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a8; + uint32_t x1 = wv_a8[i] ^ wv_b9[i]; + os[i] = x1; + } + uint32_t *r16 = wv_a8; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r16; + uint32_t x1 = r16[i]; + uint32_t x13 = x1 >> (uint32_t)16U | x1 << (uint32_t)16U; + os[i] = x13; + } + uint32_t *wv_a9 = wv + c * (uint32_t)4U; + uint32_t *wv_b10 = wv + d1 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a9; + uint32_t x1 = wv_a9[i] + wv_b10[i]; + os[i] = x1; + } + uint32_t *wv_a10 = wv + b * (uint32_t)4U; + uint32_t *wv_b11 = wv + c * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a10; + uint32_t x1 = wv_a10[i] ^ wv_b11[i]; + os[i] = x1; + } + uint32_t *r17 = wv_a10; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r17; + uint32_t x1 = r17[i]; + uint32_t x13 = x1 >> (uint32_t)12U | x1 << (uint32_t)20U; + os[i] = x13; + } + uint32_t *wv_a11 = wv 
+ a0 * (uint32_t)4U; + uint32_t *wv_b12 = wv + b * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a11; + uint32_t x1 = wv_a11[i] + wv_b12[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a11; + uint32_t x1 = wv_a11[i] + w[i]; + os[i] = x1; + } + uint32_t *wv_a12 = wv + d1 * (uint32_t)4U; + uint32_t *wv_b13 = wv + a0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a12; + uint32_t x1 = wv_a12[i] ^ wv_b13[i]; + os[i] = x1; + } + uint32_t *r18 = wv_a12; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r18; + uint32_t x1 = r18[i]; + uint32_t x13 = x1 >> (uint32_t)8U | x1 << (uint32_t)24U; + os[i] = x13; + } + uint32_t *wv_a13 = wv + c * (uint32_t)4U; + uint32_t *wv_b14 = wv + d1 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a13; + uint32_t x1 = wv_a13[i] + wv_b14[i]; + os[i] = x1; + } + uint32_t *wv_a14 = wv + b * (uint32_t)4U; + uint32_t *wv_b = wv + c * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a14; + uint32_t x1 = wv_a14[i] ^ wv_b[i]; + os[i] = x1; + } + uint32_t *r19 = wv_a14; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r19; + uint32_t x1 = r19[i]; + uint32_t x13 = x1 >> (uint32_t)7U | x1 << (uint32_t)25U; + os[i] = x13; + } + uint32_t *r113 = wv + (uint32_t)1U * (uint32_t)4U; + uint32_t *r2 = wv + (uint32_t)2U * (uint32_t)4U; + uint32_t *r3 = wv + (uint32_t)3U * (uint32_t)4U; + uint32_t *r11 = r113; + uint32_t x03 = r11[3U]; + uint32_t x13 = r11[((uint32_t)3U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x23 = r11[((uint32_t)3U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x33 = r11[((uint32_t)3U + (uint32_t)3U) % (uint32_t)4U]; + r11[0U] = x03; + r11[1U] = x13; + r11[2U] = x23; + r11[3U] = x33; + uint32_t *r114 = r2; + uint32_t x04 = r114[2U]; + uint32_t 
x14 = r114[((uint32_t)2U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x24 = r114[((uint32_t)2U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x34 = r114[((uint32_t)2U + (uint32_t)3U) % (uint32_t)4U]; + r114[0U] = x04; + r114[1U] = x14; + r114[2U] = x24; + r114[3U] = x34; + uint32_t *r115 = r3; + uint32_t x0 = r115[1U]; + uint32_t x1 = r115[((uint32_t)1U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x2 = r115[((uint32_t)1U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x3 = r115[((uint32_t)1U + (uint32_t)3U) % (uint32_t)4U]; + r115[0U] = x0; + r115[1U] = x1; + r115[2U] = x2; + r115[3U] = x3; + } + uint32_t *s0 = hash + (uint32_t)0U * (uint32_t)4U; + uint32_t *s1 = hash + (uint32_t)1U * (uint32_t)4U; + uint32_t *r0 = wv + (uint32_t)0U * (uint32_t)4U; + uint32_t *r1 = wv + (uint32_t)1U * (uint32_t)4U; + uint32_t *r2 = wv + (uint32_t)2U * (uint32_t)4U; + uint32_t *r3 = wv + (uint32_t)3U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s0; + uint32_t x = s0[i] ^ r0[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s0; + uint32_t x = s0[i] ^ r2[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s1; + uint32_t x = s1[i] ^ r1[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s1; + uint32_t x = s1[i] ^ r3[i]; + os[i] = x; + } +} + +void Hacl_Blake2s_32_blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn) +{ + uint32_t *r0 = hash + (uint32_t)0U * (uint32_t)4U; + uint32_t *r1 = hash + (uint32_t)1U * (uint32_t)4U; + uint32_t *r2 = hash + (uint32_t)2U * (uint32_t)4U; + uint32_t *r3 = hash + (uint32_t)3U * (uint32_t)4U; + uint32_t iv0 = Hacl_Impl_Blake2_Constants_ivTable_S[0U]; + uint32_t iv1 = Hacl_Impl_Blake2_Constants_ivTable_S[1U]; + uint32_t iv2 = Hacl_Impl_Blake2_Constants_ivTable_S[2U]; + uint32_t iv3 = Hacl_Impl_Blake2_Constants_ivTable_S[3U]; + uint32_t iv4 = 
Hacl_Impl_Blake2_Constants_ivTable_S[4U]; + uint32_t iv5 = Hacl_Impl_Blake2_Constants_ivTable_S[5U]; + uint32_t iv6 = Hacl_Impl_Blake2_Constants_ivTable_S[6U]; + uint32_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + uint32_t kk_shift_8 = kk << (uint32_t)8U; + uint32_t iv0_ = iv0 ^ ((uint32_t)0x01010000U ^ (kk_shift_8 ^ nn)); + r0[0U] = iv0_; + r0[1U] = iv1; + r0[2U] = iv2; + r0[3U] = iv3; + r1[0U] = iv4; + r1[1U] = iv5; + r1[2U] = iv6; + r1[3U] = iv7; +} + +void +Hacl_Blake2s_32_blake2s_update_key( + uint32_t *wv, + uint32_t *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll +) +{ + uint64_t lb = (uint64_t)(uint32_t)64U; + uint8_t b[64U] = { 0U }; + memcpy(b, k, kk * sizeof (uint8_t)); + if (ll == (uint32_t)0U) + { + blake2s_update_block(wv, hash, true, lb, b); + } + else + { + blake2s_update_block(wv, hash, false, lb, b); + } + Lib_Memzero0_memzero(b, (uint32_t)64U * sizeof (b[0U])); +} + +void +Hacl_Blake2s_32_blake2s_update_multi( + uint32_t len, + uint32_t *wv, + uint32_t *hash, + uint64_t prev, + uint8_t *blocks, + uint32_t nb +) +{ + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint64_t totlen = prev + (uint64_t)((i + (uint32_t)1U) * (uint32_t)64U); + uint8_t *b = blocks + i * (uint32_t)64U; + blake2s_update_block(wv, hash, false, totlen, b); + } +} + +void +Hacl_Blake2s_32_blake2s_update_last( + uint32_t len, + uint32_t *wv, + uint32_t *hash, + uint64_t prev, + uint32_t rem, + uint8_t *d +) +{ + uint8_t b[64U] = { 0U }; + uint8_t *last = d + len - rem; + memcpy(b, last, rem * sizeof (uint8_t)); + uint64_t totlen = prev + (uint64_t)len; + blake2s_update_block(wv, hash, true, totlen, b); + Lib_Memzero0_memzero(b, (uint32_t)64U * sizeof (b[0U])); +} + +static inline void +blake2s_update_blocks( + uint32_t len, + uint32_t *wv, + uint32_t *hash, + uint64_t prev, + uint8_t *blocks +) +{ + uint32_t nb0 = len / (uint32_t)64U; + 
uint32_t rem0 = len % (uint32_t)64U; + K___uint32_t_uint32_t scrut; + if (rem0 == (uint32_t)0U && nb0 > (uint32_t)0U) + { + uint32_t nb_ = nb0 - (uint32_t)1U; + uint32_t rem_ = (uint32_t)64U; + scrut = ((K___uint32_t_uint32_t){ .fst = nb_, .snd = rem_ }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = nb0, .snd = rem0 }); + } + uint32_t nb = scrut.fst; + uint32_t rem = scrut.snd; + Hacl_Blake2s_32_blake2s_update_multi(len, wv, hash, prev, blocks, nb); + Hacl_Blake2s_32_blake2s_update_last(len, wv, hash, prev, rem, blocks); +} + +static inline void +blake2s_update(uint32_t *wv, uint32_t *hash, uint32_t kk, uint8_t *k, uint32_t ll, uint8_t *d) +{ + uint64_t lb = (uint64_t)(uint32_t)64U; + if (kk > (uint32_t)0U) + { + Hacl_Blake2s_32_blake2s_update_key(wv, hash, kk, k, ll); + if (!(ll == (uint32_t)0U)) + { + blake2s_update_blocks(ll, wv, hash, lb, d); + return; + } + return; + } + blake2s_update_blocks(ll, wv, hash, (uint64_t)(uint32_t)0U, d); +} + +void Hacl_Blake2s_32_blake2s_finish(uint32_t nn, uint8_t *output, uint32_t *hash) +{ + uint32_t double_row = (uint32_t)2U * ((uint32_t)4U * (uint32_t)4U); + KRML_CHECK_SIZE(sizeof (uint8_t), double_row); + uint8_t b[double_row]; + memset(b, 0U, double_row * sizeof (uint8_t)); + uint8_t *first = b; + uint8_t *second = b + (uint32_t)4U * (uint32_t)4U; + uint32_t *row0 = hash + (uint32_t)0U * (uint32_t)4U; + uint32_t *row1 = hash + (uint32_t)1U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store32_le(first + i * (uint32_t)4U, row0[i]); + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store32_le(second + i * (uint32_t)4U, row1[i]); + } + uint8_t *final = b; + memcpy(output, final, nn * sizeof (uint8_t)); + Lib_Memzero0_memzero(b, double_row * sizeof (b[0U])); +} + +void +Hacl_Blake2s_32_blake2s( + uint32_t nn, + uint8_t *output, + uint32_t ll, + uint8_t *d, + uint32_t kk, + uint8_t *k +) +{ + uint32_t stlen = (uint32_t)4U * (uint32_t)4U; + uint32_t stzero = 
(uint32_t)0U; + KRML_CHECK_SIZE(sizeof (uint32_t), stlen); + uint32_t b[stlen]; + for (uint32_t _i = 0U; _i < stlen; ++_i) + b[_i] = stzero; + KRML_CHECK_SIZE(sizeof (uint32_t), stlen); + uint32_t b1[stlen]; + for (uint32_t _i = 0U; _i < stlen; ++_i) + b1[_i] = stzero; + Hacl_Blake2s_32_blake2s_init(b, kk, nn); + blake2s_update(b1, b, kk, k, ll, d); + Hacl_Blake2s_32_blake2s_finish(nn, output, b); + Lib_Memzero0_memzero(b1, stlen * sizeof (b1[0U])); + Lib_Memzero0_memzero(b, stlen * sizeof (b[0U])); +} + diff --git a/src/Hacl_Hash_Blake2b_256.c b/src/Hacl_Hash_Blake2b_256.c new file mode 100644 index 00000000..4a1e17bf --- /dev/null +++ b/src/Hacl_Hash_Blake2b_256.c 
@@ -0,0 +1,854 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Hash_Blake2b_256.h" + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Hash_Blake2.h" + +static FStar_UInt128_uint128 +update_blake2b_256( + Lib_IntVector_Intrinsics_vec256 *s, + FStar_UInt128_uint128 totlen, + uint8_t *block +) +{ + Lib_IntVector_Intrinsics_vec256 wv[4U]; + for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i) + wv[_i] = Lib_IntVector_Intrinsics_vec256_zero; + FStar_UInt128_uint128 + totlen1 = + FStar_UInt128_add_mod(totlen, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U)); + uint64_t m_w[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t *os = m_w; + uint8_t *bj = block + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_zero; + uint64_t wv_14 = (uint64_t)0U; + uint64_t wv_15 = (uint64_t)0U; + mask = + Lib_IntVector_Intrinsics_vec256_load64s(FStar_UInt128_uint128_to_uint64(totlen1), + FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(totlen1, (uint32_t)64U)), + wv_14, + wv_15); + memcpy(wv, s, (uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec256)); + Lib_IntVector_Intrinsics_vec256 *wv3 = wv + (uint32_t)3U * (uint32_t)1U; + wv3[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv3[0U], mask); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)12U; i++) + { + uint32_t start_idx = i % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec256), (uint32_t)4U * (uint32_t)1U); + Lib_IntVector_Intrinsics_vec256 m_st[(uint32_t)4U * (uint32_t)1U]; + for (uint32_t _i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + m_st[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 *r0 = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r1 = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r20 = m_st + (uint32_t)2U * (uint32_t)1U; + 
Lib_IntVector_Intrinsics_vec256 *r30 = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(m_w[s0], m_w[s2], m_w[s4], m_w[s6]); + r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(m_w[s1], m_w[s3], m_w[s5], m_w[s7]); + r20[0U] = Lib_IntVector_Intrinsics_vec256_load64s(m_w[s8], m_w[s10], m_w[s12], m_w[s14]); + r30[0U] = Lib_IntVector_Intrinsics_vec256_load64s(m_w[s9], m_w[s11], m_w[s13], m_w[s15]); + Lib_IntVector_Intrinsics_vec256 *x = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *y = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *z = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *w = m_st + 
(uint32_t)3U * (uint32_t)1U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d0 = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec256 *wv_a0 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b0 = wv + b0 * (uint32_t)1U; + wv_a0[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a0[0U], wv_b0[0U]); + wv_a0[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a0[0U], x[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a1 = wv + d0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b1 = wv + a * (uint32_t)1U; + wv_a1[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a1[0U], wv_b1[0U]); + wv_a1[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a1[0U], (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 *wv_a2 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b2 = wv + d0 * (uint32_t)1U; + wv_a2[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a2[0U], wv_b2[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a3 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b3 = wv + c0 * (uint32_t)1U; + wv_a3[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a3[0U], wv_b3[0U]); + wv_a3[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a3[0U], (uint32_t)24U); + Lib_IntVector_Intrinsics_vec256 *wv_a4 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b4 = wv + b0 * (uint32_t)1U; + wv_a4[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a4[0U], wv_b4[0U]); + wv_a4[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a4[0U], y[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a5 = wv + d0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b5 = wv + a * (uint32_t)1U; + wv_a5[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a5[0U], wv_b5[0U]); + wv_a5[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a5[0U], (uint32_t)16U); + Lib_IntVector_Intrinsics_vec256 *wv_a6 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b6 = wv + d0 * (uint32_t)1U; + wv_a6[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a6[0U], 
wv_b6[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a7 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b7 = wv + c0 * (uint32_t)1U; + wv_a7[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a7[0U], wv_b7[0U]); + wv_a7[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a7[0U], (uint32_t)63U); + Lib_IntVector_Intrinsics_vec256 *r10 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r21 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r31 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 v00 = r10[0U]; + Lib_IntVector_Intrinsics_vec256 + v1 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v00, (uint32_t)1U); + r10[0U] = v1; + Lib_IntVector_Intrinsics_vec256 v01 = r21[0U]; + Lib_IntVector_Intrinsics_vec256 + v10 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v01, (uint32_t)2U); + r21[0U] = v10; + Lib_IntVector_Intrinsics_vec256 v02 = r31[0U]; + Lib_IntVector_Intrinsics_vec256 + v11 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v02, (uint32_t)3U); + r31[0U] = v11; + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec256 *wv_a = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b8 = wv + b * (uint32_t)1U; + wv_a[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a[0U], wv_b8[0U]); + wv_a[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a[0U], z[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a8 = wv + d * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b9 = wv + a0 * (uint32_t)1U; + wv_a8[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a8[0U], wv_b9[0U]); + wv_a8[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a8[0U], (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 *wv_a9 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b10 = wv + d * (uint32_t)1U; + wv_a9[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a9[0U], wv_b10[0U]); + 
Lib_IntVector_Intrinsics_vec256 *wv_a10 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b11 = wv + c * (uint32_t)1U; + wv_a10[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a10[0U], wv_b11[0U]); + wv_a10[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a10[0U], (uint32_t)24U); + Lib_IntVector_Intrinsics_vec256 *wv_a11 = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b12 = wv + b * (uint32_t)1U; + wv_a11[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a11[0U], wv_b12[0U]); + wv_a11[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a11[0U], w[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a12 = wv + d * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b13 = wv + a0 * (uint32_t)1U; + wv_a12[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a12[0U], wv_b13[0U]); + wv_a12[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a12[0U], (uint32_t)16U); + Lib_IntVector_Intrinsics_vec256 *wv_a13 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b14 = wv + d * (uint32_t)1U; + wv_a13[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a13[0U], wv_b14[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a14 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b = wv + c * (uint32_t)1U; + wv_a14[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a14[0U], wv_b[0U]); + wv_a14[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a14[0U], (uint32_t)63U); + Lib_IntVector_Intrinsics_vec256 *r11 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r3 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 v0 = r11[0U]; + Lib_IntVector_Intrinsics_vec256 + v12 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v0, (uint32_t)3U); + r11[0U] = v12; + Lib_IntVector_Intrinsics_vec256 v03 = r2[0U]; + Lib_IntVector_Intrinsics_vec256 + v13 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v03, (uint32_t)2U); + r2[0U] = v13; + 
Lib_IntVector_Intrinsics_vec256 v04 = r3[0U]; + Lib_IntVector_Intrinsics_vec256 + v14 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v04, (uint32_t)1U); + r3[0U] = v14; + } + Lib_IntVector_Intrinsics_vec256 *s0 = s + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *s1 = s + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r0 = wv + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r1 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r3 = wv + (uint32_t)3U * (uint32_t)1U; + s0[0U] = Lib_IntVector_Intrinsics_vec256_xor(s0[0U], r0[0U]); + s0[0U] = Lib_IntVector_Intrinsics_vec256_xor(s0[0U], r2[0U]); + s1[0U] = Lib_IntVector_Intrinsics_vec256_xor(s1[0U], r1[0U]); + s1[0U] = Lib_IntVector_Intrinsics_vec256_xor(s1[0U], r3[0U]); + return totlen1; +} + +void +Hacl_Hash_Blake2b_256_finish_blake2b_256( + Lib_IntVector_Intrinsics_vec256 *s, + FStar_UInt128_uint128 ev, + uint8_t *dst +) +{ + uint32_t double_row = (uint32_t)2U * ((uint32_t)4U * (uint32_t)8U); + KRML_CHECK_SIZE(sizeof (uint8_t), double_row); + uint8_t b[double_row]; + memset(b, 0U, double_row * sizeof (uint8_t)); + uint8_t *first = b; + uint8_t *second = b + (uint32_t)4U * (uint32_t)8U; + Lib_IntVector_Intrinsics_vec256 *row0 = s + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *row1 = s + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256_store64_le(first, row0[0U]); + Lib_IntVector_Intrinsics_vec256_store64_le(second, row1[0U]); + uint8_t *final = b; + memcpy(dst, final, (uint32_t)64U * sizeof (uint8_t)); + Lib_Memzero0_memzero(b, double_row * sizeof (b[0U])); +} + +FStar_UInt128_uint128 +Hacl_Hash_Blake2b_256_update_multi_blake2b_256( + Lib_IntVector_Intrinsics_vec256 *s, + FStar_UInt128_uint128 ev, + uint8_t *blocks, + uint32_t n_blocks +) +{ + for (uint32_t i = (uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)128U; + 
uint8_t *block = blocks + sz * i; + FStar_UInt128_uint128 + v_ = + update_blake2b_256(s, + FStar_UInt128_add_mod(ev, + FStar_UInt128_uint64_to_uint128((uint64_t)i * (uint64_t)(uint32_t)128U)), + block); + } + return + FStar_UInt128_add_mod(ev, + FStar_UInt128_uint64_to_uint128((uint64_t)n_blocks * (uint64_t)(uint32_t)128U)); +} + +FStar_UInt128_uint128 +Hacl_Hash_Blake2b_256_update_last_blake2b_256( + Lib_IntVector_Intrinsics_vec256 *s, + FStar_UInt128_uint128 ev, + FStar_UInt128_uint128 prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)128U; + uint32_t blocks_len0 = blocks_n * (uint32_t)128U; + uint32_t rest_len0 = input_len - blocks_len0; + K___uint32_t_uint32_t_uint32_t scrut; + if (rest_len0 == (uint32_t)0U && blocks_n > (uint32_t)0U) + { + uint32_t blocks_n1 = blocks_n - (uint32_t)1U; + uint32_t blocks_len1 = blocks_len0 - (uint32_t)128U; + uint32_t rest_len1 = (uint32_t)128U; + scrut = + ((K___uint32_t_uint32_t_uint32_t){ .fst = blocks_n1, .snd = blocks_len1, .thd = rest_len1 }); + } + else + { + scrut = + ((K___uint32_t_uint32_t_uint32_t){ .fst = blocks_n, .snd = blocks_len0, .thd = rest_len0 }); + } + uint32_t num_blocks0 = scrut.fst; + uint32_t blocks_len = scrut.snd; + uint32_t rest_len1 = scrut.thd; + uint8_t *blocks0 = input; + uint8_t *rest0 = input + blocks_len; + K___uint32_t_uint32_t_uint32_t__uint8_t___uint8_t_ + scrut0 = + { .fst = num_blocks0, .snd = blocks_len, .thd = rest_len1, .f3 = blocks0, .f4 = rest0 }; + uint32_t num_blocks = scrut0.fst; + uint32_t rest_len = scrut0.thd; + uint8_t *blocks = scrut0.f3; + uint8_t *rest = scrut0.f4; + FStar_UInt128_uint128 + ev_ = Hacl_Hash_Blake2b_256_update_multi_blake2b_256(s, ev, blocks, num_blocks); + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec256), (uint32_t)4U * (uint32_t)1U); + Lib_IntVector_Intrinsics_vec256 wv[(uint32_t)4U * (uint32_t)1U]; + for (uint32_t _i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + wv[_i] = 
Lib_IntVector_Intrinsics_vec256_zero; + uint8_t tmp[128U] = { 0U }; + uint8_t *tmp_rest = tmp; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + FStar_UInt128_uint128 + totlen = FStar_UInt128_add_mod(ev_, FStar_UInt128_uint64_to_uint128((uint64_t)rest_len)); + uint64_t m_w[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t *os = m_w; + uint8_t *bj = tmp + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_zero; + uint64_t wv_14 = (uint64_t)0xFFFFFFFFFFFFFFFFU; + uint64_t wv_15 = (uint64_t)0U; + mask = + Lib_IntVector_Intrinsics_vec256_load64s(FStar_UInt128_uint128_to_uint64(totlen), + FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(totlen, (uint32_t)64U)), + wv_14, + wv_15); + memcpy(wv, s, (uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec256)); + Lib_IntVector_Intrinsics_vec256 *wv3 = wv + (uint32_t)3U * (uint32_t)1U; + wv3[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv3[0U], mask); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)12U; i++) + { + uint32_t start_idx = i % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec256), (uint32_t)4U * (uint32_t)1U); + Lib_IntVector_Intrinsics_vec256 m_st[(uint32_t)4U * (uint32_t)1U]; + for (uint32_t _i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + m_st[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 *r0 = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r1 = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r20 = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r30 = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = 
Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(m_w[s0], m_w[s2], m_w[s4], m_w[s6]); + r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(m_w[s1], m_w[s3], m_w[s5], m_w[s7]); + r20[0U] = Lib_IntVector_Intrinsics_vec256_load64s(m_w[s8], m_w[s10], m_w[s12], m_w[s14]); + r30[0U] = Lib_IntVector_Intrinsics_vec256_load64s(m_w[s9], m_w[s11], m_w[s13], m_w[s15]); + Lib_IntVector_Intrinsics_vec256 *x = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *y = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *z = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *w = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d0 = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec256 *wv_a0 = wv + a * (uint32_t)1U; + 
Lib_IntVector_Intrinsics_vec256 *wv_b0 = wv + b0 * (uint32_t)1U; + wv_a0[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a0[0U], wv_b0[0U]); + wv_a0[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a0[0U], x[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a1 = wv + d0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b1 = wv + a * (uint32_t)1U; + wv_a1[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a1[0U], wv_b1[0U]); + wv_a1[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a1[0U], (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 *wv_a2 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b2 = wv + d0 * (uint32_t)1U; + wv_a2[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a2[0U], wv_b2[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a3 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b3 = wv + c0 * (uint32_t)1U; + wv_a3[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a3[0U], wv_b3[0U]); + wv_a3[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a3[0U], (uint32_t)24U); + Lib_IntVector_Intrinsics_vec256 *wv_a4 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b4 = wv + b0 * (uint32_t)1U; + wv_a4[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a4[0U], wv_b4[0U]); + wv_a4[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a4[0U], y[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a5 = wv + d0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b5 = wv + a * (uint32_t)1U; + wv_a5[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a5[0U], wv_b5[0U]); + wv_a5[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a5[0U], (uint32_t)16U); + Lib_IntVector_Intrinsics_vec256 *wv_a6 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b6 = wv + d0 * (uint32_t)1U; + wv_a6[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a6[0U], wv_b6[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a7 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b7 = wv + c0 * (uint32_t)1U; + wv_a7[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a7[0U], wv_b7[0U]); + 
wv_a7[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a7[0U], (uint32_t)63U); + Lib_IntVector_Intrinsics_vec256 *r10 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r21 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r31 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 v00 = r10[0U]; + Lib_IntVector_Intrinsics_vec256 + v1 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v00, (uint32_t)1U); + r10[0U] = v1; + Lib_IntVector_Intrinsics_vec256 v01 = r21[0U]; + Lib_IntVector_Intrinsics_vec256 + v10 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v01, (uint32_t)2U); + r21[0U] = v10; + Lib_IntVector_Intrinsics_vec256 v02 = r31[0U]; + Lib_IntVector_Intrinsics_vec256 + v11 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v02, (uint32_t)3U); + r31[0U] = v11; + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec256 *wv_a = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b8 = wv + b * (uint32_t)1U; + wv_a[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a[0U], wv_b8[0U]); + wv_a[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a[0U], z[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a8 = wv + d * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b9 = wv + a0 * (uint32_t)1U; + wv_a8[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a8[0U], wv_b9[0U]); + wv_a8[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a8[0U], (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 *wv_a9 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b10 = wv + d * (uint32_t)1U; + wv_a9[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a9[0U], wv_b10[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a10 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b11 = wv + c * (uint32_t)1U; + wv_a10[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a10[0U], wv_b11[0U]); + wv_a10[0U] = 
Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a10[0U], (uint32_t)24U); + Lib_IntVector_Intrinsics_vec256 *wv_a11 = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b12 = wv + b * (uint32_t)1U; + wv_a11[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a11[0U], wv_b12[0U]); + wv_a11[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a11[0U], w[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a12 = wv + d * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b13 = wv + a0 * (uint32_t)1U; + wv_a12[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a12[0U], wv_b13[0U]); + wv_a12[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a12[0U], (uint32_t)16U); + Lib_IntVector_Intrinsics_vec256 *wv_a13 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b14 = wv + d * (uint32_t)1U; + wv_a13[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a13[0U], wv_b14[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a14 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b = wv + c * (uint32_t)1U; + wv_a14[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a14[0U], wv_b[0U]); + wv_a14[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a14[0U], (uint32_t)63U); + Lib_IntVector_Intrinsics_vec256 *r11 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r3 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 v0 = r11[0U]; + Lib_IntVector_Intrinsics_vec256 + v12 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v0, (uint32_t)3U); + r11[0U] = v12; + Lib_IntVector_Intrinsics_vec256 v03 = r2[0U]; + Lib_IntVector_Intrinsics_vec256 + v13 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v03, (uint32_t)2U); + r2[0U] = v13; + Lib_IntVector_Intrinsics_vec256 v04 = r3[0U]; + Lib_IntVector_Intrinsics_vec256 + v14 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v04, (uint32_t)1U); + r3[0U] = v14; + } + Lib_IntVector_Intrinsics_vec256 *s0 = s + (uint32_t)0U * 
(uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *s1 = s + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r0 = wv + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r1 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r3 = wv + (uint32_t)3U * (uint32_t)1U; + s0[0U] = Lib_IntVector_Intrinsics_vec256_xor(s0[0U], r0[0U]); + s0[0U] = Lib_IntVector_Intrinsics_vec256_xor(s0[0U], r2[0U]); + s1[0U] = Lib_IntVector_Intrinsics_vec256_xor(s1[0U], r1[0U]); + s1[0U] = Lib_IntVector_Intrinsics_vec256_xor(s1[0U], r3[0U]); + return FStar_UInt128_uint64_to_uint128((uint64_t)0U); +} + +void Hacl_Hash_Blake2b_256_hash_blake2b_256(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + Hacl_Blake2b_256_blake2b((uint32_t)64U, dst, input_len, input, (uint32_t)0U, NULL); +} + +static inline void +blake2b_update_block( + Lib_IntVector_Intrinsics_vec256 *wv, + Lib_IntVector_Intrinsics_vec256 *hash, + bool flag, + FStar_UInt128_uint128 totlen, + uint8_t *d +) +{ + uint64_t m_w[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t *os = m_w; + uint8_t *bj = d + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_zero; + uint64_t wv_14; + if (flag) + { + wv_14 = (uint64_t)0xFFFFFFFFFFFFFFFFU; + } + else + { + wv_14 = (uint64_t)0U; + } + uint64_t wv_15 = (uint64_t)0U; + mask = + Lib_IntVector_Intrinsics_vec256_load64s(FStar_UInt128_uint128_to_uint64(totlen), + FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(totlen, (uint32_t)64U)), + wv_14, + wv_15); + memcpy(wv, hash, (uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec256)); + Lib_IntVector_Intrinsics_vec256 *wv3 = wv + (uint32_t)3U * (uint32_t)1U; + wv3[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv3[0U], mask); + for (uint32_t i = 
(uint32_t)0U; i < (uint32_t)12U; i++) + { + uint32_t start_idx = i % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec256), (uint32_t)4U * (uint32_t)1U); + Lib_IntVector_Intrinsics_vec256 m_st[(uint32_t)4U * (uint32_t)1U]; + for (uint32_t _i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + m_st[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 *r0 = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r1 = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r20 = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r30 = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + r0[0U] = 
Lib_IntVector_Intrinsics_vec256_load64s(m_w[s0], m_w[s2], m_w[s4], m_w[s6]); + r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(m_w[s1], m_w[s3], m_w[s5], m_w[s7]); + r20[0U] = Lib_IntVector_Intrinsics_vec256_load64s(m_w[s8], m_w[s10], m_w[s12], m_w[s14]); + r30[0U] = Lib_IntVector_Intrinsics_vec256_load64s(m_w[s9], m_w[s11], m_w[s13], m_w[s15]); + Lib_IntVector_Intrinsics_vec256 *x = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *y = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *z = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *w = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d10 = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec256 *wv_a0 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b0 = wv + b0 * (uint32_t)1U; + wv_a0[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a0[0U], wv_b0[0U]); + wv_a0[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a0[0U], x[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a1 = wv + d10 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b1 = wv + a * (uint32_t)1U; + wv_a1[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a1[0U], wv_b1[0U]); + wv_a1[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a1[0U], (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 *wv_a2 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b2 = wv + d10 * (uint32_t)1U; + wv_a2[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a2[0U], wv_b2[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a3 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b3 = wv + c0 * (uint32_t)1U; + wv_a3[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a3[0U], wv_b3[0U]); + wv_a3[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a3[0U], (uint32_t)24U); + Lib_IntVector_Intrinsics_vec256 *wv_a4 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b4 = wv + b0 * (uint32_t)1U; + wv_a4[0U] = 
Lib_IntVector_Intrinsics_vec256_add64(wv_a4[0U], wv_b4[0U]); + wv_a4[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a4[0U], y[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a5 = wv + d10 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b5 = wv + a * (uint32_t)1U; + wv_a5[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a5[0U], wv_b5[0U]); + wv_a5[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a5[0U], (uint32_t)16U); + Lib_IntVector_Intrinsics_vec256 *wv_a6 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b6 = wv + d10 * (uint32_t)1U; + wv_a6[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a6[0U], wv_b6[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a7 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b7 = wv + c0 * (uint32_t)1U; + wv_a7[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a7[0U], wv_b7[0U]); + wv_a7[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a7[0U], (uint32_t)63U); + Lib_IntVector_Intrinsics_vec256 *r10 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r21 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r31 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 v00 = r10[0U]; + Lib_IntVector_Intrinsics_vec256 + v1 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v00, (uint32_t)1U); + r10[0U] = v1; + Lib_IntVector_Intrinsics_vec256 v01 = r21[0U]; + Lib_IntVector_Intrinsics_vec256 + v10 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v01, (uint32_t)2U); + r21[0U] = v10; + Lib_IntVector_Intrinsics_vec256 v02 = r31[0U]; + Lib_IntVector_Intrinsics_vec256 + v11 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v02, (uint32_t)3U); + r31[0U] = v11; + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d1 = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec256 *wv_a = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b8 = wv + b * (uint32_t)1U; + wv_a[0U] = 
Lib_IntVector_Intrinsics_vec256_add64(wv_a[0U], wv_b8[0U]); + wv_a[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a[0U], z[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a8 = wv + d1 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b9 = wv + a0 * (uint32_t)1U; + wv_a8[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a8[0U], wv_b9[0U]); + wv_a8[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a8[0U], (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 *wv_a9 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b10 = wv + d1 * (uint32_t)1U; + wv_a9[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a9[0U], wv_b10[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a10 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b11 = wv + c * (uint32_t)1U; + wv_a10[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a10[0U], wv_b11[0U]); + wv_a10[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a10[0U], (uint32_t)24U); + Lib_IntVector_Intrinsics_vec256 *wv_a11 = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b12 = wv + b * (uint32_t)1U; + wv_a11[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a11[0U], wv_b12[0U]); + wv_a11[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a11[0U], w[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a12 = wv + d1 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b13 = wv + a0 * (uint32_t)1U; + wv_a12[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a12[0U], wv_b13[0U]); + wv_a12[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a12[0U], (uint32_t)16U); + Lib_IntVector_Intrinsics_vec256 *wv_a13 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b14 = wv + d1 * (uint32_t)1U; + wv_a13[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a13[0U], wv_b14[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a14 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b = wv + c * (uint32_t)1U; + wv_a14[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a14[0U], wv_b[0U]); + wv_a14[0U] = 
Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a14[0U], (uint32_t)63U); + Lib_IntVector_Intrinsics_vec256 *r11 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r3 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 v0 = r11[0U]; + Lib_IntVector_Intrinsics_vec256 + v12 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v0, (uint32_t)3U); + r11[0U] = v12; + Lib_IntVector_Intrinsics_vec256 v03 = r2[0U]; + Lib_IntVector_Intrinsics_vec256 + v13 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v03, (uint32_t)2U); + r2[0U] = v13; + Lib_IntVector_Intrinsics_vec256 v04 = r3[0U]; + Lib_IntVector_Intrinsics_vec256 + v14 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v04, (uint32_t)1U); + r3[0U] = v14; + } + Lib_IntVector_Intrinsics_vec256 *s0 = hash + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *s1 = hash + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r0 = wv + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r1 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r3 = wv + (uint32_t)3U * (uint32_t)1U; + s0[0U] = Lib_IntVector_Intrinsics_vec256_xor(s0[0U], r0[0U]); + s0[0U] = Lib_IntVector_Intrinsics_vec256_xor(s0[0U], r2[0U]); + s1[0U] = Lib_IntVector_Intrinsics_vec256_xor(s1[0U], r1[0U]); + s1[0U] = Lib_IntVector_Intrinsics_vec256_xor(s1[0U], r3[0U]); +} + +void +Hacl_Blake2b_256_blake2b_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t kk, uint32_t nn) +{ + Lib_IntVector_Intrinsics_vec256 *r0 = hash + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r1 = hash + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r2 = hash + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r3 = hash + (uint32_t)3U * (uint32_t)1U; + uint64_t iv0 = 
Hacl_Impl_Blake2_Constants_ivTable_B[0U]; + uint64_t iv1 = Hacl_Impl_Blake2_Constants_ivTable_B[1U]; + uint64_t iv2 = Hacl_Impl_Blake2_Constants_ivTable_B[2U]; + uint64_t iv3 = Hacl_Impl_Blake2_Constants_ivTable_B[3U]; + uint64_t iv4 = Hacl_Impl_Blake2_Constants_ivTable_B[4U]; + uint64_t iv5 = Hacl_Impl_Blake2_Constants_ivTable_B[5U]; + uint64_t iv6 = Hacl_Impl_Blake2_Constants_ivTable_B[6U]; + uint64_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; + r2[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0, iv1, iv2, iv3); + r3[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); + uint64_t kk_shift_8 = (uint64_t)kk << (uint32_t)8U; + uint64_t iv0_ = iv0 ^ ((uint64_t)0x01010000U ^ (kk_shift_8 ^ (uint64_t)nn)); + r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0_, iv1, iv2, iv3); + r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); +} + +void +Hacl_Blake2b_256_blake2b_update_key( + Lib_IntVector_Intrinsics_vec256 *wv, + Lib_IntVector_Intrinsics_vec256 *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll +) +{ + FStar_UInt128_uint128 lb = FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U); + uint8_t b[128U] = { 0U }; + memcpy(b, k, kk * sizeof (uint8_t)); + if (ll == (uint32_t)0U) + { + blake2b_update_block(wv, hash, true, lb, b); + } + else + { + blake2b_update_block(wv, hash, false, lb, b); + } + Lib_Memzero0_memzero(b, (uint32_t)128U * sizeof (b[0U])); +} + +void +Hacl_Blake2b_256_blake2b_update_multi( + uint32_t len, + Lib_IntVector_Intrinsics_vec256 *wv, + Lib_IntVector_Intrinsics_vec256 *hash, + FStar_UInt128_uint128 prev, + uint8_t *blocks, + uint32_t nb +) +{ + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + FStar_UInt128_uint128 + totlen = + FStar_UInt128_add_mod(prev, + FStar_UInt128_uint64_to_uint128((uint64_t)((i + (uint32_t)1U) * (uint32_t)128U))); + uint8_t *b = blocks + i * (uint32_t)128U; + blake2b_update_block(wv, hash, false, totlen, b); + } +} + +void +Hacl_Blake2b_256_blake2b_update_last( + uint32_t len, + 
Lib_IntVector_Intrinsics_vec256 *wv, + Lib_IntVector_Intrinsics_vec256 *hash, + FStar_UInt128_uint128 prev, + uint32_t rem, + uint8_t *d +) +{ + uint8_t b[128U] = { 0U }; + uint8_t *last = d + len - rem; + memcpy(b, last, rem * sizeof (uint8_t)); + FStar_UInt128_uint128 + totlen = FStar_UInt128_add_mod(prev, FStar_UInt128_uint64_to_uint128((uint64_t)len)); + blake2b_update_block(wv, hash, true, totlen, b); + Lib_Memzero0_memzero(b, (uint32_t)128U * sizeof (b[0U])); +} + +static inline void +blake2b_update_blocks( + uint32_t len, + Lib_IntVector_Intrinsics_vec256 *wv, + Lib_IntVector_Intrinsics_vec256 *hash, + FStar_UInt128_uint128 prev, + uint8_t *blocks +) +{ + uint32_t nb0 = len / (uint32_t)128U; + uint32_t rem0 = len % (uint32_t)128U; + K___uint32_t_uint32_t scrut; + if (rem0 == (uint32_t)0U && nb0 > (uint32_t)0U) + { + uint32_t nb_ = nb0 - (uint32_t)1U; + uint32_t rem_ = (uint32_t)128U; + scrut = ((K___uint32_t_uint32_t){ .fst = nb_, .snd = rem_ }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = nb0, .snd = rem0 }); + } + uint32_t nb = scrut.fst; + uint32_t rem = scrut.snd; + Hacl_Blake2b_256_blake2b_update_multi(len, wv, hash, prev, blocks, nb); + Hacl_Blake2b_256_blake2b_update_last(len, wv, hash, prev, rem, blocks); +} + +static inline void +blake2b_update( + Lib_IntVector_Intrinsics_vec256 *wv, + Lib_IntVector_Intrinsics_vec256 *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll, + uint8_t *d +) +{ + FStar_UInt128_uint128 lb = FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U); + if (kk > (uint32_t)0U) + { + Hacl_Blake2b_256_blake2b_update_key(wv, hash, kk, k, ll); + if (!(ll == (uint32_t)0U)) + { + blake2b_update_blocks(ll, wv, hash, lb, d); + return; + } + return; + } + blake2b_update_blocks(ll, + wv, + hash, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)0U), + d); +} + +void +Hacl_Blake2b_256_blake2b_finish( + uint32_t nn, + uint8_t *output, + Lib_IntVector_Intrinsics_vec256 *hash +) +{ + uint32_t double_row = (uint32_t)2U * 
((uint32_t)4U * (uint32_t)8U);
+ KRML_CHECK_SIZE(sizeof (uint8_t), double_row);
+ uint8_t b[double_row];
+ memset(b, 0U, double_row * sizeof (uint8_t));
+ uint8_t *first = b;
+ uint8_t *second = b + (uint32_t)4U * (uint32_t)8U;
+ Lib_IntVector_Intrinsics_vec256 *row0 = hash + (uint32_t)0U * (uint32_t)1U;
+ Lib_IntVector_Intrinsics_vec256 *row1 = hash + (uint32_t)1U * (uint32_t)1U;
+ Lib_IntVector_Intrinsics_vec256_store64_le(first, row0[0U]);
+ Lib_IntVector_Intrinsics_vec256_store64_le(second, row1[0U]);
+ uint8_t *final = b;
+ memcpy(output, final, nn * sizeof (uint8_t));
+ Lib_Memzero0_memzero(b, double_row * sizeof (b[0U]));
+}
+
+void
+Hacl_Blake2b_256_blake2b(
+ uint32_t nn,
+ uint8_t *output,
+ uint32_t ll,
+ uint8_t *d,
+ uint32_t kk,
+ uint8_t *k
+)
+{
+ uint32_t stlen = (uint32_t)4U * (uint32_t)1U;
+ Lib_IntVector_Intrinsics_vec256 stzero = Lib_IntVector_Intrinsics_vec256_zero;
+ KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec256), stlen);
+ Lib_IntVector_Intrinsics_vec256 b[stlen];
+ for (uint32_t _i = 0U; _i < stlen; ++_i)
+ b[_i] = stzero;
+ KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec256), stlen);
+ Lib_IntVector_Intrinsics_vec256 b1[stlen];
+ for (uint32_t _i = 0U; _i < stlen; ++_i)
+ b1[_i] = stzero;
+ Hacl_Blake2b_256_blake2b_init(b, kk, nn);
+ blake2b_update(b1, b, kk, k, ll, d);
+ Hacl_Blake2b_256_blake2b_finish(nn, output, b);
+ Lib_Memzero0_memzero(b1, stlen * sizeof (b1[0U]));
+ Lib_Memzero0_memzero(b, stlen * sizeof (b[0U]));
+}
+
diff --git a/src/Hacl_Hash_Blake2s_128.c b/src/Hacl_Hash_Blake2s_128.c
new file mode 100644
index 00000000..fcfbf568
--- /dev/null
+++ b/src/Hacl_Hash_Blake2s_128.c
@@ -0,0 +1,830 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */ + + +#include "internal/Hacl_Hash_Blake2s_128.h" + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Hash_Blake2.h" + +static uint64_t +update_blake2s_128(Lib_IntVector_Intrinsics_vec128 *s, uint64_t totlen, uint8_t *block) +{ + Lib_IntVector_Intrinsics_vec128 wv[4U]; + for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i) + wv[_i] = Lib_IntVector_Intrinsics_vec128_zero; + uint64_t totlen1 = totlen + (uint64_t)(uint32_t)64U; + uint32_t m_w[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = m_w; + uint8_t *bj = block + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_zero; + uint32_t wv_14 = (uint32_t)0U; + uint32_t wv_15 = (uint32_t)0U; + mask = + Lib_IntVector_Intrinsics_vec128_load32s((uint32_t)totlen1, + (uint32_t)(totlen1 >> (uint32_t)32U), + wv_14, + wv_15); + memcpy(wv, s, (uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec128)); + Lib_IntVector_Intrinsics_vec128 *wv3 = wv + (uint32_t)3U * (uint32_t)1U; + wv3[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv3[0U], mask); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)10U; i++) + { + uint32_t start_idx = i % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec128), (uint32_t)4U * (uint32_t)1U); + Lib_IntVector_Intrinsics_vec128 m_st[(uint32_t)4U * (uint32_t)1U]; + for (uint32_t _i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + m_st[_i] = Lib_IntVector_Intrinsics_vec128_zero; + Lib_IntVector_Intrinsics_vec128 *r0 = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r1 = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r20 = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r30 = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = 
Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s0], m_w[s2], m_w[s4], m_w[s6]); + r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s1], m_w[s3], m_w[s5], m_w[s7]); + r20[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s8], m_w[s10], m_w[s12], m_w[s14]); + r30[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s9], m_w[s11], m_w[s13], m_w[s15]); + Lib_IntVector_Intrinsics_vec128 *x = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *y = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *z = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *w = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d0 = (uint32_t)3U; + 
Lib_IntVector_Intrinsics_vec128 *wv_a0 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b0 = wv + b0 * (uint32_t)1U; + wv_a0[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a0[0U], wv_b0[0U]); + wv_a0[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a0[0U], x[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a1 = wv + d0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b1 = wv + a * (uint32_t)1U; + wv_a1[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a1[0U], wv_b1[0U]); + wv_a1[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a1[0U], (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 *wv_a2 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b2 = wv + d0 * (uint32_t)1U; + wv_a2[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a2[0U], wv_b2[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a3 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b3 = wv + c0 * (uint32_t)1U; + wv_a3[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a3[0U], wv_b3[0U]); + wv_a3[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a3[0U], (uint32_t)12U); + Lib_IntVector_Intrinsics_vec128 *wv_a4 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b4 = wv + b0 * (uint32_t)1U; + wv_a4[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a4[0U], wv_b4[0U]); + wv_a4[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a4[0U], y[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a5 = wv + d0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b5 = wv + a * (uint32_t)1U; + wv_a5[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a5[0U], wv_b5[0U]); + wv_a5[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a5[0U], (uint32_t)8U); + Lib_IntVector_Intrinsics_vec128 *wv_a6 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b6 = wv + d0 * (uint32_t)1U; + wv_a6[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a6[0U], wv_b6[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a7 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b7 = wv + c0 * (uint32_t)1U; + 
wv_a7[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a7[0U], wv_b7[0U]); + wv_a7[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a7[0U], (uint32_t)7U); + Lib_IntVector_Intrinsics_vec128 *r10 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r21 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r31 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 v00 = r10[0U]; + Lib_IntVector_Intrinsics_vec128 + v1 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v00, (uint32_t)1U); + r10[0U] = v1; + Lib_IntVector_Intrinsics_vec128 v01 = r21[0U]; + Lib_IntVector_Intrinsics_vec128 + v10 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v01, (uint32_t)2U); + r21[0U] = v10; + Lib_IntVector_Intrinsics_vec128 v02 = r31[0U]; + Lib_IntVector_Intrinsics_vec128 + v11 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v02, (uint32_t)3U); + r31[0U] = v11; + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec128 *wv_a = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b8 = wv + b * (uint32_t)1U; + wv_a[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a[0U], wv_b8[0U]); + wv_a[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a[0U], z[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a8 = wv + d * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b9 = wv + a0 * (uint32_t)1U; + wv_a8[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a8[0U], wv_b9[0U]); + wv_a8[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a8[0U], (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 *wv_a9 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b10 = wv + d * (uint32_t)1U; + wv_a9[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a9[0U], wv_b10[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a10 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b11 = wv + c * (uint32_t)1U; + wv_a10[0U] = 
Lib_IntVector_Intrinsics_vec128_xor(wv_a10[0U], wv_b11[0U]); + wv_a10[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a10[0U], (uint32_t)12U); + Lib_IntVector_Intrinsics_vec128 *wv_a11 = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b12 = wv + b * (uint32_t)1U; + wv_a11[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a11[0U], wv_b12[0U]); + wv_a11[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a11[0U], w[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a12 = wv + d * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b13 = wv + a0 * (uint32_t)1U; + wv_a12[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a12[0U], wv_b13[0U]); + wv_a12[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a12[0U], (uint32_t)8U); + Lib_IntVector_Intrinsics_vec128 *wv_a13 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b14 = wv + d * (uint32_t)1U; + wv_a13[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a13[0U], wv_b14[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a14 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b = wv + c * (uint32_t)1U; + wv_a14[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a14[0U], wv_b[0U]); + wv_a14[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a14[0U], (uint32_t)7U); + Lib_IntVector_Intrinsics_vec128 *r11 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r3 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 v0 = r11[0U]; + Lib_IntVector_Intrinsics_vec128 + v12 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v0, (uint32_t)3U); + r11[0U] = v12; + Lib_IntVector_Intrinsics_vec128 v03 = r2[0U]; + Lib_IntVector_Intrinsics_vec128 + v13 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v03, (uint32_t)2U); + r2[0U] = v13; + Lib_IntVector_Intrinsics_vec128 v04 = r3[0U]; + Lib_IntVector_Intrinsics_vec128 + v14 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v04, (uint32_t)1U); + r3[0U] = 
v14; + } + Lib_IntVector_Intrinsics_vec128 *s0 = s + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *s1 = s + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r0 = wv + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r1 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r3 = wv + (uint32_t)3U * (uint32_t)1U; + s0[0U] = Lib_IntVector_Intrinsics_vec128_xor(s0[0U], r0[0U]); + s0[0U] = Lib_IntVector_Intrinsics_vec128_xor(s0[0U], r2[0U]); + s1[0U] = Lib_IntVector_Intrinsics_vec128_xor(s1[0U], r1[0U]); + s1[0U] = Lib_IntVector_Intrinsics_vec128_xor(s1[0U], r3[0U]); + return totlen1; +} + +void +Hacl_Hash_Blake2s_128_finish_blake2s_128( + Lib_IntVector_Intrinsics_vec128 *s, + uint64_t ev, + uint8_t *dst +) +{ + uint32_t double_row = (uint32_t)2U * ((uint32_t)4U * (uint32_t)4U); + KRML_CHECK_SIZE(sizeof (uint8_t), double_row); + uint8_t b[double_row]; + memset(b, 0U, double_row * sizeof (uint8_t)); + uint8_t *first = b; + uint8_t *second = b + (uint32_t)4U * (uint32_t)4U; + Lib_IntVector_Intrinsics_vec128 *row0 = s + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *row1 = s + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128_store32_le(first, row0[0U]); + Lib_IntVector_Intrinsics_vec128_store32_le(second, row1[0U]); + uint8_t *final = b; + memcpy(dst, final, (uint32_t)32U * sizeof (uint8_t)); + Lib_Memzero0_memzero(b, double_row * sizeof (b[0U])); +} + +uint64_t +Hacl_Hash_Blake2s_128_update_multi_blake2s_128( + Lib_IntVector_Intrinsics_vec128 *s, + uint64_t ev, + uint8_t *blocks, + uint32_t n_blocks +) +{ + for (uint32_t i = (uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)64U; + uint8_t *block = blocks + sz * i; + uint64_t v_ = update_blake2s_128(s, ev + (uint64_t)i * (uint64_t)(uint32_t)64U, block); + } + return ev + (uint64_t)n_blocks * (uint64_t)(uint32_t)64U; +} + +uint64_t 
+Hacl_Hash_Blake2s_128_update_last_blake2s_128( + Lib_IntVector_Intrinsics_vec128 *s, + uint64_t ev, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)64U; + uint32_t blocks_len0 = blocks_n * (uint32_t)64U; + uint32_t rest_len0 = input_len - blocks_len0; + K___uint32_t_uint32_t_uint32_t scrut; + if (rest_len0 == (uint32_t)0U && blocks_n > (uint32_t)0U) + { + uint32_t blocks_n1 = blocks_n - (uint32_t)1U; + uint32_t blocks_len1 = blocks_len0 - (uint32_t)64U; + uint32_t rest_len1 = (uint32_t)64U; + scrut = + ((K___uint32_t_uint32_t_uint32_t){ .fst = blocks_n1, .snd = blocks_len1, .thd = rest_len1 }); + } + else + { + scrut = + ((K___uint32_t_uint32_t_uint32_t){ .fst = blocks_n, .snd = blocks_len0, .thd = rest_len0 }); + } + uint32_t num_blocks0 = scrut.fst; + uint32_t blocks_len = scrut.snd; + uint32_t rest_len1 = scrut.thd; + uint8_t *blocks0 = input; + uint8_t *rest0 = input + blocks_len; + K___uint32_t_uint32_t_uint32_t__uint8_t___uint8_t_ + scrut0 = + { .fst = num_blocks0, .snd = blocks_len, .thd = rest_len1, .f3 = blocks0, .f4 = rest0 }; + uint32_t num_blocks = scrut0.fst; + uint32_t rest_len = scrut0.thd; + uint8_t *blocks = scrut0.f3; + uint8_t *rest = scrut0.f4; + uint64_t ev_ = Hacl_Hash_Blake2s_128_update_multi_blake2s_128(s, ev, blocks, num_blocks); + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec128), (uint32_t)4U * (uint32_t)1U); + Lib_IntVector_Intrinsics_vec128 wv[(uint32_t)4U * (uint32_t)1U]; + for (uint32_t _i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + wv[_i] = Lib_IntVector_Intrinsics_vec128_zero; + uint8_t tmp[64U] = { 0U }; + uint8_t *tmp_rest = tmp; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + uint64_t totlen = ev_ + (uint64_t)rest_len; + uint32_t m_w[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = m_w; + uint8_t *bj = tmp + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; 
+ } + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_zero; + uint32_t wv_14 = (uint32_t)0xFFFFFFFFU; + uint32_t wv_15 = (uint32_t)0U; + mask = + Lib_IntVector_Intrinsics_vec128_load32s((uint32_t)totlen, + (uint32_t)(totlen >> (uint32_t)32U), + wv_14, + wv_15); + memcpy(wv, s, (uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec128)); + Lib_IntVector_Intrinsics_vec128 *wv3 = wv + (uint32_t)3U * (uint32_t)1U; + wv3[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv3[0U], mask); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)10U; i++) + { + uint32_t start_idx = i % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec128), (uint32_t)4U * (uint32_t)1U); + Lib_IntVector_Intrinsics_vec128 m_st[(uint32_t)4U * (uint32_t)1U]; + for (uint32_t _i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + m_st[_i] = Lib_IntVector_Intrinsics_vec128_zero; + Lib_IntVector_Intrinsics_vec128 *r0 = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r1 = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r20 = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r30 = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + 
(uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s0], m_w[s2], m_w[s4], m_w[s6]); + r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s1], m_w[s3], m_w[s5], m_w[s7]); + r20[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s8], m_w[s10], m_w[s12], m_w[s14]); + r30[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s9], m_w[s11], m_w[s13], m_w[s15]); + Lib_IntVector_Intrinsics_vec128 *x = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *y = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *z = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *w = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d0 = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec128 *wv_a0 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b0 = wv + b0 * (uint32_t)1U; + wv_a0[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a0[0U], wv_b0[0U]); + wv_a0[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a0[0U], x[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a1 = wv + d0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b1 = wv + a * (uint32_t)1U; + wv_a1[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a1[0U], wv_b1[0U]); + wv_a1[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a1[0U], (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 *wv_a2 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b2 = wv + d0 * (uint32_t)1U; 
+ wv_a2[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a2[0U], wv_b2[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a3 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b3 = wv + c0 * (uint32_t)1U; + wv_a3[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a3[0U], wv_b3[0U]); + wv_a3[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a3[0U], (uint32_t)12U); + Lib_IntVector_Intrinsics_vec128 *wv_a4 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b4 = wv + b0 * (uint32_t)1U; + wv_a4[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a4[0U], wv_b4[0U]); + wv_a4[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a4[0U], y[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a5 = wv + d0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b5 = wv + a * (uint32_t)1U; + wv_a5[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a5[0U], wv_b5[0U]); + wv_a5[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a5[0U], (uint32_t)8U); + Lib_IntVector_Intrinsics_vec128 *wv_a6 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b6 = wv + d0 * (uint32_t)1U; + wv_a6[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a6[0U], wv_b6[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a7 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b7 = wv + c0 * (uint32_t)1U; + wv_a7[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a7[0U], wv_b7[0U]); + wv_a7[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a7[0U], (uint32_t)7U); + Lib_IntVector_Intrinsics_vec128 *r10 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r21 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r31 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 v00 = r10[0U]; + Lib_IntVector_Intrinsics_vec128 + v1 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v00, (uint32_t)1U); + r10[0U] = v1; + Lib_IntVector_Intrinsics_vec128 v01 = r21[0U]; + Lib_IntVector_Intrinsics_vec128 + v10 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v01, 
(uint32_t)2U); + r21[0U] = v10; + Lib_IntVector_Intrinsics_vec128 v02 = r31[0U]; + Lib_IntVector_Intrinsics_vec128 + v11 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v02, (uint32_t)3U); + r31[0U] = v11; + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec128 *wv_a = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b8 = wv + b * (uint32_t)1U; + wv_a[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a[0U], wv_b8[0U]); + wv_a[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a[0U], z[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a8 = wv + d * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b9 = wv + a0 * (uint32_t)1U; + wv_a8[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a8[0U], wv_b9[0U]); + wv_a8[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a8[0U], (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 *wv_a9 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b10 = wv + d * (uint32_t)1U; + wv_a9[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a9[0U], wv_b10[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a10 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b11 = wv + c * (uint32_t)1U; + wv_a10[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a10[0U], wv_b11[0U]); + wv_a10[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a10[0U], (uint32_t)12U); + Lib_IntVector_Intrinsics_vec128 *wv_a11 = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b12 = wv + b * (uint32_t)1U; + wv_a11[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a11[0U], wv_b12[0U]); + wv_a11[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a11[0U], w[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a12 = wv + d * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b13 = wv + a0 * (uint32_t)1U; + wv_a12[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a12[0U], wv_b13[0U]); + wv_a12[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a12[0U], (uint32_t)8U); + 
Lib_IntVector_Intrinsics_vec128 *wv_a13 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b14 = wv + d * (uint32_t)1U; + wv_a13[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a13[0U], wv_b14[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a14 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b = wv + c * (uint32_t)1U; + wv_a14[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a14[0U], wv_b[0U]); + wv_a14[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a14[0U], (uint32_t)7U); + Lib_IntVector_Intrinsics_vec128 *r11 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r3 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 v0 = r11[0U]; + Lib_IntVector_Intrinsics_vec128 + v12 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v0, (uint32_t)3U); + r11[0U] = v12; + Lib_IntVector_Intrinsics_vec128 v03 = r2[0U]; + Lib_IntVector_Intrinsics_vec128 + v13 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v03, (uint32_t)2U); + r2[0U] = v13; + Lib_IntVector_Intrinsics_vec128 v04 = r3[0U]; + Lib_IntVector_Intrinsics_vec128 + v14 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v04, (uint32_t)1U); + r3[0U] = v14; + } + Lib_IntVector_Intrinsics_vec128 *s0 = s + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *s1 = s + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r0 = wv + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r1 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r3 = wv + (uint32_t)3U * (uint32_t)1U; + s0[0U] = Lib_IntVector_Intrinsics_vec128_xor(s0[0U], r0[0U]); + s0[0U] = Lib_IntVector_Intrinsics_vec128_xor(s0[0U], r2[0U]); + s1[0U] = Lib_IntVector_Intrinsics_vec128_xor(s1[0U], r1[0U]); + s1[0U] = Lib_IntVector_Intrinsics_vec128_xor(s1[0U], r3[0U]); + return (uint64_t)0U; +} + 
+void Hacl_Hash_Blake2s_128_hash_blake2s_128(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + Hacl_Blake2s_128_blake2s((uint32_t)32U, dst, input_len, input, (uint32_t)0U, NULL); +} + +static inline void +blake2s_update_block( + Lib_IntVector_Intrinsics_vec128 *wv, + Lib_IntVector_Intrinsics_vec128 *hash, + bool flag, + uint64_t totlen, + uint8_t *d +) +{ + uint32_t m_w[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = m_w; + uint8_t *bj = d + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_zero; + uint32_t wv_14; + if (flag) + { + wv_14 = (uint32_t)0xFFFFFFFFU; + } + else + { + wv_14 = (uint32_t)0U; + } + uint32_t wv_15 = (uint32_t)0U; + mask = + Lib_IntVector_Intrinsics_vec128_load32s((uint32_t)totlen, + (uint32_t)(totlen >> (uint32_t)32U), + wv_14, + wv_15); + memcpy(wv, hash, (uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec128)); + Lib_IntVector_Intrinsics_vec128 *wv3 = wv + (uint32_t)3U * (uint32_t)1U; + wv3[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv3[0U], mask); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)10U; i++) + { + uint32_t start_idx = i % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec128), (uint32_t)4U * (uint32_t)1U); + Lib_IntVector_Intrinsics_vec128 m_st[(uint32_t)4U * (uint32_t)1U]; + for (uint32_t _i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + m_st[_i] = Lib_IntVector_Intrinsics_vec128_zero; + Lib_IntVector_Intrinsics_vec128 *r0 = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r1 = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r20 = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r30 = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = 
Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s0], m_w[s2], m_w[s4], m_w[s6]); + r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s1], m_w[s3], m_w[s5], m_w[s7]); + r20[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s8], m_w[s10], m_w[s12], m_w[s14]); + r30[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s9], m_w[s11], m_w[s13], m_w[s15]); + Lib_IntVector_Intrinsics_vec128 *x = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *y = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *z = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *w = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d10 = (uint32_t)3U; + 
Lib_IntVector_Intrinsics_vec128 *wv_a0 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b0 = wv + b0 * (uint32_t)1U; + wv_a0[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a0[0U], wv_b0[0U]); + wv_a0[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a0[0U], x[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a1 = wv + d10 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b1 = wv + a * (uint32_t)1U; + wv_a1[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a1[0U], wv_b1[0U]); + wv_a1[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a1[0U], (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 *wv_a2 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b2 = wv + d10 * (uint32_t)1U; + wv_a2[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a2[0U], wv_b2[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a3 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b3 = wv + c0 * (uint32_t)1U; + wv_a3[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a3[0U], wv_b3[0U]); + wv_a3[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a3[0U], (uint32_t)12U); + Lib_IntVector_Intrinsics_vec128 *wv_a4 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b4 = wv + b0 * (uint32_t)1U; + wv_a4[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a4[0U], wv_b4[0U]); + wv_a4[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a4[0U], y[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a5 = wv + d10 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b5 = wv + a * (uint32_t)1U; + wv_a5[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a5[0U], wv_b5[0U]); + wv_a5[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a5[0U], (uint32_t)8U); + Lib_IntVector_Intrinsics_vec128 *wv_a6 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b6 = wv + d10 * (uint32_t)1U; + wv_a6[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a6[0U], wv_b6[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a7 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b7 = wv + c0 * (uint32_t)1U; + 
wv_a7[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a7[0U], wv_b7[0U]); + wv_a7[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a7[0U], (uint32_t)7U); + Lib_IntVector_Intrinsics_vec128 *r10 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r21 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r31 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 v00 = r10[0U]; + Lib_IntVector_Intrinsics_vec128 + v1 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v00, (uint32_t)1U); + r10[0U] = v1; + Lib_IntVector_Intrinsics_vec128 v01 = r21[0U]; + Lib_IntVector_Intrinsics_vec128 + v10 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v01, (uint32_t)2U); + r21[0U] = v10; + Lib_IntVector_Intrinsics_vec128 v02 = r31[0U]; + Lib_IntVector_Intrinsics_vec128 + v11 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v02, (uint32_t)3U); + r31[0U] = v11; + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d1 = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec128 *wv_a = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b8 = wv + b * (uint32_t)1U; + wv_a[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a[0U], wv_b8[0U]); + wv_a[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a[0U], z[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a8 = wv + d1 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b9 = wv + a0 * (uint32_t)1U; + wv_a8[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a8[0U], wv_b9[0U]); + wv_a8[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a8[0U], (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 *wv_a9 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b10 = wv + d1 * (uint32_t)1U; + wv_a9[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a9[0U], wv_b10[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a10 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b11 = wv + c * (uint32_t)1U; + wv_a10[0U] = 
Lib_IntVector_Intrinsics_vec128_xor(wv_a10[0U], wv_b11[0U]); + wv_a10[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a10[0U], (uint32_t)12U); + Lib_IntVector_Intrinsics_vec128 *wv_a11 = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b12 = wv + b * (uint32_t)1U; + wv_a11[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a11[0U], wv_b12[0U]); + wv_a11[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a11[0U], w[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a12 = wv + d1 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b13 = wv + a0 * (uint32_t)1U; + wv_a12[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a12[0U], wv_b13[0U]); + wv_a12[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a12[0U], (uint32_t)8U); + Lib_IntVector_Intrinsics_vec128 *wv_a13 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b14 = wv + d1 * (uint32_t)1U; + wv_a13[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a13[0U], wv_b14[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a14 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b = wv + c * (uint32_t)1U; + wv_a14[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a14[0U], wv_b[0U]); + wv_a14[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a14[0U], (uint32_t)7U); + Lib_IntVector_Intrinsics_vec128 *r11 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r3 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 v0 = r11[0U]; + Lib_IntVector_Intrinsics_vec128 + v12 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v0, (uint32_t)3U); + r11[0U] = v12; + Lib_IntVector_Intrinsics_vec128 v03 = r2[0U]; + Lib_IntVector_Intrinsics_vec128 + v13 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v03, (uint32_t)2U); + r2[0U] = v13; + Lib_IntVector_Intrinsics_vec128 v04 = r3[0U]; + Lib_IntVector_Intrinsics_vec128 + v14 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v04, (uint32_t)1U); + r3[0U] 
= v14; + } + Lib_IntVector_Intrinsics_vec128 *s0 = hash + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *s1 = hash + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r0 = wv + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r1 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r3 = wv + (uint32_t)3U * (uint32_t)1U; + s0[0U] = Lib_IntVector_Intrinsics_vec128_xor(s0[0U], r0[0U]); + s0[0U] = Lib_IntVector_Intrinsics_vec128_xor(s0[0U], r2[0U]); + s1[0U] = Lib_IntVector_Intrinsics_vec128_xor(s1[0U], r1[0U]); + s1[0U] = Lib_IntVector_Intrinsics_vec128_xor(s1[0U], r3[0U]); +} + +void +Hacl_Blake2s_128_blake2s_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t kk, uint32_t nn) +{ + Lib_IntVector_Intrinsics_vec128 *r0 = hash + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r1 = hash + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r2 = hash + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r3 = hash + (uint32_t)3U * (uint32_t)1U; + uint32_t iv0 = Hacl_Impl_Blake2_Constants_ivTable_S[0U]; + uint32_t iv1 = Hacl_Impl_Blake2_Constants_ivTable_S[1U]; + uint32_t iv2 = Hacl_Impl_Blake2_Constants_ivTable_S[2U]; + uint32_t iv3 = Hacl_Impl_Blake2_Constants_ivTable_S[3U]; + uint32_t iv4 = Hacl_Impl_Blake2_Constants_ivTable_S[4U]; + uint32_t iv5 = Hacl_Impl_Blake2_Constants_ivTable_S[5U]; + uint32_t iv6 = Hacl_Impl_Blake2_Constants_ivTable_S[6U]; + uint32_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; + r2[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0, iv1, iv2, iv3); + r3[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); + uint32_t kk_shift_8 = kk << (uint32_t)8U; + uint32_t iv0_ = iv0 ^ ((uint32_t)0x01010000U ^ (kk_shift_8 ^ nn)); + r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0_, iv1, iv2, iv3); + r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, 
iv7); +} + +void +Hacl_Blake2s_128_blake2s_update_key( + Lib_IntVector_Intrinsics_vec128 *wv, + Lib_IntVector_Intrinsics_vec128 *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll +) +{ + uint64_t lb = (uint64_t)(uint32_t)64U; + uint8_t b[64U] = { 0U }; + memcpy(b, k, kk * sizeof (uint8_t)); + if (ll == (uint32_t)0U) + { + blake2s_update_block(wv, hash, true, lb, b); + } + else + { + blake2s_update_block(wv, hash, false, lb, b); + } + Lib_Memzero0_memzero(b, (uint32_t)64U * sizeof (b[0U])); +} + +void +Hacl_Blake2s_128_blake2s_update_multi( + uint32_t len, + Lib_IntVector_Intrinsics_vec128 *wv, + Lib_IntVector_Intrinsics_vec128 *hash, + uint64_t prev, + uint8_t *blocks, + uint32_t nb +) +{ + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint64_t totlen = prev + (uint64_t)((i + (uint32_t)1U) * (uint32_t)64U); + uint8_t *b = blocks + i * (uint32_t)64U; + blake2s_update_block(wv, hash, false, totlen, b); + } +} + +void +Hacl_Blake2s_128_blake2s_update_last( + uint32_t len, + Lib_IntVector_Intrinsics_vec128 *wv, + Lib_IntVector_Intrinsics_vec128 *hash, + uint64_t prev, + uint32_t rem, + uint8_t *d +) +{ + uint8_t b[64U] = { 0U }; + uint8_t *last = d + len - rem; + memcpy(b, last, rem * sizeof (uint8_t)); + uint64_t totlen = prev + (uint64_t)len; + blake2s_update_block(wv, hash, true, totlen, b); + Lib_Memzero0_memzero(b, (uint32_t)64U * sizeof (b[0U])); +} + +static inline void +blake2s_update_blocks( + uint32_t len, + Lib_IntVector_Intrinsics_vec128 *wv, + Lib_IntVector_Intrinsics_vec128 *hash, + uint64_t prev, + uint8_t *blocks +) +{ + uint32_t nb0 = len / (uint32_t)64U; + uint32_t rem0 = len % (uint32_t)64U; + K___uint32_t_uint32_t scrut; + if (rem0 == (uint32_t)0U && nb0 > (uint32_t)0U) + { + uint32_t nb_ = nb0 - (uint32_t)1U; + uint32_t rem_ = (uint32_t)64U; + scrut = ((K___uint32_t_uint32_t){ .fst = nb_, .snd = rem_ }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = nb0, .snd = rem0 }); + } + uint32_t nb = scrut.fst; + uint32_t rem = scrut.snd; + 
Hacl_Blake2s_128_blake2s_update_multi(len, wv, hash, prev, blocks, nb); + Hacl_Blake2s_128_blake2s_update_last(len, wv, hash, prev, rem, blocks); +} + +static inline void +blake2s_update( + Lib_IntVector_Intrinsics_vec128 *wv, + Lib_IntVector_Intrinsics_vec128 *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll, + uint8_t *d +) +{ + uint64_t lb = (uint64_t)(uint32_t)64U; + if (kk > (uint32_t)0U) + { + Hacl_Blake2s_128_blake2s_update_key(wv, hash, kk, k, ll); + if (!(ll == (uint32_t)0U)) + { + blake2s_update_blocks(ll, wv, hash, lb, d); + return; + } + return; + } + blake2s_update_blocks(ll, wv, hash, (uint64_t)(uint32_t)0U, d); +} + +void +Hacl_Blake2s_128_blake2s_finish( + uint32_t nn, + uint8_t *output, + Lib_IntVector_Intrinsics_vec128 *hash +) +{ + uint32_t double_row = (uint32_t)2U * ((uint32_t)4U * (uint32_t)4U); + KRML_CHECK_SIZE(sizeof (uint8_t), double_row); + uint8_t b[double_row]; + memset(b, 0U, double_row * sizeof (uint8_t)); + uint8_t *first = b; + uint8_t *second = b + (uint32_t)4U * (uint32_t)4U; + Lib_IntVector_Intrinsics_vec128 *row0 = hash + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *row1 = hash + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128_store32_le(first, row0[0U]); + Lib_IntVector_Intrinsics_vec128_store32_le(second, row1[0U]); + uint8_t *final = b; + memcpy(output, final, nn * sizeof (uint8_t)); + Lib_Memzero0_memzero(b, double_row * sizeof (b[0U])); +} + +void +Hacl_Blake2s_128_blake2s( + uint32_t nn, + uint8_t *output, + uint32_t ll, + uint8_t *d, + uint32_t kk, + uint8_t *k +) +{ + uint32_t stlen = (uint32_t)4U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 stzero = Lib_IntVector_Intrinsics_vec128_zero; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec128), stlen); + Lib_IntVector_Intrinsics_vec128 b[stlen]; + for (uint32_t _i = 0U; _i < stlen; ++_i) + b[_i] = stzero; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec128), stlen); + Lib_IntVector_Intrinsics_vec128 b1[stlen]; + for 
(uint32_t _i = 0U; _i < stlen; ++_i) + b1[_i] = stzero; + Hacl_Blake2s_128_blake2s_init(b, kk, nn); + blake2s_update(b1, b, kk, k, ll, d); + Hacl_Blake2s_128_blake2s_finish(nn, output, b); + Lib_Memzero0_memzero(b1, stlen * sizeof (b1[0U])); + Lib_Memzero0_memzero(b, stlen * sizeof (b[0U])); +} + diff --git a/src/Hacl_Hash_MD5.c b/src/Hacl_Hash_MD5.c new file mode 100644 index 00000000..54aef8c9 --- /dev/null +++ b/src/Hacl_Hash_MD5.c 
@@ -0,0 +1,1209 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Hash_MD5.h" + + + +static uint32_t +_h0[4U] = + { (uint32_t)0x67452301U, (uint32_t)0xefcdab89U, (uint32_t)0x98badcfeU, (uint32_t)0x10325476U }; + +static uint32_t +_t[64U] = + { + (uint32_t)0xd76aa478U, (uint32_t)0xe8c7b756U, (uint32_t)0x242070dbU, (uint32_t)0xc1bdceeeU, + (uint32_t)0xf57c0fafU, (uint32_t)0x4787c62aU, (uint32_t)0xa8304613U, (uint32_t)0xfd469501U, + (uint32_t)0x698098d8U, (uint32_t)0x8b44f7afU, (uint32_t)0xffff5bb1U, (uint32_t)0x895cd7beU, + (uint32_t)0x6b901122U, (uint32_t)0xfd987193U, (uint32_t)0xa679438eU, (uint32_t)0x49b40821U, + (uint32_t)0xf61e2562U, (uint32_t)0xc040b340U, (uint32_t)0x265e5a51U, (uint32_t)0xe9b6c7aaU, + (uint32_t)0xd62f105dU, (uint32_t)0x02441453U, (uint32_t)0xd8a1e681U, (uint32_t)0xe7d3fbc8U, + (uint32_t)0x21e1cde6U, (uint32_t)0xc33707d6U, (uint32_t)0xf4d50d87U, (uint32_t)0x455a14edU, + (uint32_t)0xa9e3e905U, (uint32_t)0xfcefa3f8U, (uint32_t)0x676f02d9U, (uint32_t)0x8d2a4c8aU, + (uint32_t)0xfffa3942U, (uint32_t)0x8771f681U, (uint32_t)0x6d9d6122U, (uint32_t)0xfde5380cU, + (uint32_t)0xa4beea44U, (uint32_t)0x4bdecfa9U, (uint32_t)0xf6bb4b60U, (uint32_t)0xbebfbc70U, + (uint32_t)0x289b7ec6U, (uint32_t)0xeaa127faU, (uint32_t)0xd4ef3085U, (uint32_t)0x4881d05U, + (uint32_t)0xd9d4d039U, (uint32_t)0xe6db99e5U, (uint32_t)0x1fa27cf8U, (uint32_t)0xc4ac5665U, + (uint32_t)0xf4292244U, (uint32_t)0x432aff97U, (uint32_t)0xab9423a7U, (uint32_t)0xfc93a039U, + (uint32_t)0x655b59c3U, (uint32_t)0x8f0ccc92U, (uint32_t)0xffeff47dU, (uint32_t)0x85845dd1U, + (uint32_t)0x6fa87e4fU, (uint32_t)0xfe2ce6e0U, (uint32_t)0xa3014314U, (uint32_t)0x4e0811a1U, + (uint32_t)0xf7537e82U, (uint32_t)0xbd3af235U, (uint32_t)0x2ad7d2bbU, (uint32_t)0xeb86d391U + }; + +void Hacl_Hash_Core_MD5_legacy_init(uint32_t *s) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + s[i] = _h0[i]; + } +} + +void Hacl_Hash_Core_MD5_legacy_update(uint32_t *abcd, uint8_t *x) +{ + uint32_t aa = abcd[0U]; + uint32_t bb = abcd[1U]; + uint32_t cc = 
abcd[2U]; + uint32_t dd = abcd[3U]; + uint32_t va = abcd[0U]; + uint32_t vb0 = abcd[1U]; + uint32_t vc0 = abcd[2U]; + uint32_t vd0 = abcd[3U]; + uint8_t *b0 = x; + uint32_t u = load32_le(b0); + uint32_t xk = u; + uint32_t ti0 = _t[0U]; + uint32_t + v = + vb0 + + + ((va + ((vb0 & vc0) | (~vb0 & vd0)) + xk + ti0) + << (uint32_t)7U + | (va + ((vb0 & vc0) | (~vb0 & vd0)) + xk + ti0) >> (uint32_t)25U); + abcd[0U] = v; + uint32_t va0 = abcd[3U]; + uint32_t vb1 = abcd[0U]; + uint32_t vc1 = abcd[1U]; + uint32_t vd1 = abcd[2U]; + uint8_t *b1 = x + (uint32_t)4U; + uint32_t u0 = load32_le(b1); + uint32_t xk0 = u0; + uint32_t ti1 = _t[1U]; + uint32_t + v0 = + vb1 + + + ((va0 + ((vb1 & vc1) | (~vb1 & vd1)) + xk0 + ti1) + << (uint32_t)12U + | (va0 + ((vb1 & vc1) | (~vb1 & vd1)) + xk0 + ti1) >> (uint32_t)20U); + abcd[3U] = v0; + uint32_t va1 = abcd[2U]; + uint32_t vb2 = abcd[3U]; + uint32_t vc2 = abcd[0U]; + uint32_t vd2 = abcd[1U]; + uint8_t *b2 = x + (uint32_t)8U; + uint32_t u1 = load32_le(b2); + uint32_t xk1 = u1; + uint32_t ti2 = _t[2U]; + uint32_t + v1 = + vb2 + + + ((va1 + ((vb2 & vc2) | (~vb2 & vd2)) + xk1 + ti2) + << (uint32_t)17U + | (va1 + ((vb2 & vc2) | (~vb2 & vd2)) + xk1 + ti2) >> (uint32_t)15U); + abcd[2U] = v1; + uint32_t va2 = abcd[1U]; + uint32_t vb3 = abcd[2U]; + uint32_t vc3 = abcd[3U]; + uint32_t vd3 = abcd[0U]; + uint8_t *b3 = x + (uint32_t)12U; + uint32_t u2 = load32_le(b3); + uint32_t xk2 = u2; + uint32_t ti3 = _t[3U]; + uint32_t + v2 = + vb3 + + + ((va2 + ((vb3 & vc3) | (~vb3 & vd3)) + xk2 + ti3) + << (uint32_t)22U + | (va2 + ((vb3 & vc3) | (~vb3 & vd3)) + xk2 + ti3) >> (uint32_t)10U); + abcd[1U] = v2; + uint32_t va3 = abcd[0U]; + uint32_t vb4 = abcd[1U]; + uint32_t vc4 = abcd[2U]; + uint32_t vd4 = abcd[3U]; + uint8_t *b4 = x + (uint32_t)16U; + uint32_t u3 = load32_le(b4); + uint32_t xk3 = u3; + uint32_t ti4 = _t[4U]; + uint32_t + v3 = + vb4 + + + ((va3 + ((vb4 & vc4) | (~vb4 & vd4)) + xk3 + ti4) + << (uint32_t)7U + | (va3 + ((vb4 & vc4) | (~vb4 & vd4)) + 
xk3 + ti4) >> (uint32_t)25U); + abcd[0U] = v3; + uint32_t va4 = abcd[3U]; + uint32_t vb5 = abcd[0U]; + uint32_t vc5 = abcd[1U]; + uint32_t vd5 = abcd[2U]; + uint8_t *b5 = x + (uint32_t)20U; + uint32_t u4 = load32_le(b5); + uint32_t xk4 = u4; + uint32_t ti5 = _t[5U]; + uint32_t + v4 = + vb5 + + + ((va4 + ((vb5 & vc5) | (~vb5 & vd5)) + xk4 + ti5) + << (uint32_t)12U + | (va4 + ((vb5 & vc5) | (~vb5 & vd5)) + xk4 + ti5) >> (uint32_t)20U); + abcd[3U] = v4; + uint32_t va5 = abcd[2U]; + uint32_t vb6 = abcd[3U]; + uint32_t vc6 = abcd[0U]; + uint32_t vd6 = abcd[1U]; + uint8_t *b6 = x + (uint32_t)24U; + uint32_t u5 = load32_le(b6); + uint32_t xk5 = u5; + uint32_t ti6 = _t[6U]; + uint32_t + v5 = + vb6 + + + ((va5 + ((vb6 & vc6) | (~vb6 & vd6)) + xk5 + ti6) + << (uint32_t)17U + | (va5 + ((vb6 & vc6) | (~vb6 & vd6)) + xk5 + ti6) >> (uint32_t)15U); + abcd[2U] = v5; + uint32_t va6 = abcd[1U]; + uint32_t vb7 = abcd[2U]; + uint32_t vc7 = abcd[3U]; + uint32_t vd7 = abcd[0U]; + uint8_t *b7 = x + (uint32_t)28U; + uint32_t u6 = load32_le(b7); + uint32_t xk6 = u6; + uint32_t ti7 = _t[7U]; + uint32_t + v6 = + vb7 + + + ((va6 + ((vb7 & vc7) | (~vb7 & vd7)) + xk6 + ti7) + << (uint32_t)22U + | (va6 + ((vb7 & vc7) | (~vb7 & vd7)) + xk6 + ti7) >> (uint32_t)10U); + abcd[1U] = v6; + uint32_t va7 = abcd[0U]; + uint32_t vb8 = abcd[1U]; + uint32_t vc8 = abcd[2U]; + uint32_t vd8 = abcd[3U]; + uint8_t *b8 = x + (uint32_t)32U; + uint32_t u7 = load32_le(b8); + uint32_t xk7 = u7; + uint32_t ti8 = _t[8U]; + uint32_t + v7 = + vb8 + + + ((va7 + ((vb8 & vc8) | (~vb8 & vd8)) + xk7 + ti8) + << (uint32_t)7U + | (va7 + ((vb8 & vc8) | (~vb8 & vd8)) + xk7 + ti8) >> (uint32_t)25U); + abcd[0U] = v7; + uint32_t va8 = abcd[3U]; + uint32_t vb9 = abcd[0U]; + uint32_t vc9 = abcd[1U]; + uint32_t vd9 = abcd[2U]; + uint8_t *b9 = x + (uint32_t)36U; + uint32_t u8 = load32_le(b9); + uint32_t xk8 = u8; + uint32_t ti9 = _t[9U]; + uint32_t + v8 = + vb9 + + + ((va8 + ((vb9 & vc9) | (~vb9 & vd9)) + xk8 + ti9) + << (uint32_t)12U + 
| (va8 + ((vb9 & vc9) | (~vb9 & vd9)) + xk8 + ti9) >> (uint32_t)20U); + abcd[3U] = v8; + uint32_t va9 = abcd[2U]; + uint32_t vb10 = abcd[3U]; + uint32_t vc10 = abcd[0U]; + uint32_t vd10 = abcd[1U]; + uint8_t *b10 = x + (uint32_t)40U; + uint32_t u9 = load32_le(b10); + uint32_t xk9 = u9; + uint32_t ti10 = _t[10U]; + uint32_t + v9 = + vb10 + + + ((va9 + ((vb10 & vc10) | (~vb10 & vd10)) + xk9 + ti10) + << (uint32_t)17U + | (va9 + ((vb10 & vc10) | (~vb10 & vd10)) + xk9 + ti10) >> (uint32_t)15U); + abcd[2U] = v9; + uint32_t va10 = abcd[1U]; + uint32_t vb11 = abcd[2U]; + uint32_t vc11 = abcd[3U]; + uint32_t vd11 = abcd[0U]; + uint8_t *b11 = x + (uint32_t)44U; + uint32_t u10 = load32_le(b11); + uint32_t xk10 = u10; + uint32_t ti11 = _t[11U]; + uint32_t + v10 = + vb11 + + + ((va10 + ((vb11 & vc11) | (~vb11 & vd11)) + xk10 + ti11) + << (uint32_t)22U + | (va10 + ((vb11 & vc11) | (~vb11 & vd11)) + xk10 + ti11) >> (uint32_t)10U); + abcd[1U] = v10; + uint32_t va11 = abcd[0U]; + uint32_t vb12 = abcd[1U]; + uint32_t vc12 = abcd[2U]; + uint32_t vd12 = abcd[3U]; + uint8_t *b12 = x + (uint32_t)48U; + uint32_t u11 = load32_le(b12); + uint32_t xk11 = u11; + uint32_t ti12 = _t[12U]; + uint32_t + v11 = + vb12 + + + ((va11 + ((vb12 & vc12) | (~vb12 & vd12)) + xk11 + ti12) + << (uint32_t)7U + | (va11 + ((vb12 & vc12) | (~vb12 & vd12)) + xk11 + ti12) >> (uint32_t)25U); + abcd[0U] = v11; + uint32_t va12 = abcd[3U]; + uint32_t vb13 = abcd[0U]; + uint32_t vc13 = abcd[1U]; + uint32_t vd13 = abcd[2U]; + uint8_t *b13 = x + (uint32_t)52U; + uint32_t u12 = load32_le(b13); + uint32_t xk12 = u12; + uint32_t ti13 = _t[13U]; + uint32_t + v12 = + vb13 + + + ((va12 + ((vb13 & vc13) | (~vb13 & vd13)) + xk12 + ti13) + << (uint32_t)12U + | (va12 + ((vb13 & vc13) | (~vb13 & vd13)) + xk12 + ti13) >> (uint32_t)20U); + abcd[3U] = v12; + uint32_t va13 = abcd[2U]; + uint32_t vb14 = abcd[3U]; + uint32_t vc14 = abcd[0U]; + uint32_t vd14 = abcd[1U]; + uint8_t *b14 = x + (uint32_t)56U; + uint32_t u13 = 
load32_le(b14); + uint32_t xk13 = u13; + uint32_t ti14 = _t[14U]; + uint32_t + v13 = + vb14 + + + ((va13 + ((vb14 & vc14) | (~vb14 & vd14)) + xk13 + ti14) + << (uint32_t)17U + | (va13 + ((vb14 & vc14) | (~vb14 & vd14)) + xk13 + ti14) >> (uint32_t)15U); + abcd[2U] = v13; + uint32_t va14 = abcd[1U]; + uint32_t vb15 = abcd[2U]; + uint32_t vc15 = abcd[3U]; + uint32_t vd15 = abcd[0U]; + uint8_t *b15 = x + (uint32_t)60U; + uint32_t u14 = load32_le(b15); + uint32_t xk14 = u14; + uint32_t ti15 = _t[15U]; + uint32_t + v14 = + vb15 + + + ((va14 + ((vb15 & vc15) | (~vb15 & vd15)) + xk14 + ti15) + << (uint32_t)22U + | (va14 + ((vb15 & vc15) | (~vb15 & vd15)) + xk14 + ti15) >> (uint32_t)10U); + abcd[1U] = v14; + uint32_t va15 = abcd[0U]; + uint32_t vb16 = abcd[1U]; + uint32_t vc16 = abcd[2U]; + uint32_t vd16 = abcd[3U]; + uint8_t *b16 = x + (uint32_t)4U; + uint32_t u15 = load32_le(b16); + uint32_t xk15 = u15; + uint32_t ti16 = _t[16U]; + uint32_t + v15 = + vb16 + + + ((va15 + ((vb16 & vd16) | (vc16 & ~vd16)) + xk15 + ti16) + << (uint32_t)5U + | (va15 + ((vb16 & vd16) | (vc16 & ~vd16)) + xk15 + ti16) >> (uint32_t)27U); + abcd[0U] = v15; + uint32_t va16 = abcd[3U]; + uint32_t vb17 = abcd[0U]; + uint32_t vc17 = abcd[1U]; + uint32_t vd17 = abcd[2U]; + uint8_t *b17 = x + (uint32_t)24U; + uint32_t u16 = load32_le(b17); + uint32_t xk16 = u16; + uint32_t ti17 = _t[17U]; + uint32_t + v16 = + vb17 + + + ((va16 + ((vb17 & vd17) | (vc17 & ~vd17)) + xk16 + ti17) + << (uint32_t)9U + | (va16 + ((vb17 & vd17) | (vc17 & ~vd17)) + xk16 + ti17) >> (uint32_t)23U); + abcd[3U] = v16; + uint32_t va17 = abcd[2U]; + uint32_t vb18 = abcd[3U]; + uint32_t vc18 = abcd[0U]; + uint32_t vd18 = abcd[1U]; + uint8_t *b18 = x + (uint32_t)44U; + uint32_t u17 = load32_le(b18); + uint32_t xk17 = u17; + uint32_t ti18 = _t[18U]; + uint32_t + v17 = + vb18 + + + ((va17 + ((vb18 & vd18) | (vc18 & ~vd18)) + xk17 + ti18) + << (uint32_t)14U + | (va17 + ((vb18 & vd18) | (vc18 & ~vd18)) + xk17 + ti18) >> (uint32_t)18U); + 
abcd[2U] = v17; + uint32_t va18 = abcd[1U]; + uint32_t vb19 = abcd[2U]; + uint32_t vc19 = abcd[3U]; + uint32_t vd19 = abcd[0U]; + uint8_t *b19 = x; + uint32_t u18 = load32_le(b19); + uint32_t xk18 = u18; + uint32_t ti19 = _t[19U]; + uint32_t + v18 = + vb19 + + + ((va18 + ((vb19 & vd19) | (vc19 & ~vd19)) + xk18 + ti19) + << (uint32_t)20U + | (va18 + ((vb19 & vd19) | (vc19 & ~vd19)) + xk18 + ti19) >> (uint32_t)12U); + abcd[1U] = v18; + uint32_t va19 = abcd[0U]; + uint32_t vb20 = abcd[1U]; + uint32_t vc20 = abcd[2U]; + uint32_t vd20 = abcd[3U]; + uint8_t *b20 = x + (uint32_t)20U; + uint32_t u19 = load32_le(b20); + uint32_t xk19 = u19; + uint32_t ti20 = _t[20U]; + uint32_t + v19 = + vb20 + + + ((va19 + ((vb20 & vd20) | (vc20 & ~vd20)) + xk19 + ti20) + << (uint32_t)5U + | (va19 + ((vb20 & vd20) | (vc20 & ~vd20)) + xk19 + ti20) >> (uint32_t)27U); + abcd[0U] = v19; + uint32_t va20 = abcd[3U]; + uint32_t vb21 = abcd[0U]; + uint32_t vc21 = abcd[1U]; + uint32_t vd21 = abcd[2U]; + uint8_t *b21 = x + (uint32_t)40U; + uint32_t u20 = load32_le(b21); + uint32_t xk20 = u20; + uint32_t ti21 = _t[21U]; + uint32_t + v20 = + vb21 + + + ((va20 + ((vb21 & vd21) | (vc21 & ~vd21)) + xk20 + ti21) + << (uint32_t)9U + | (va20 + ((vb21 & vd21) | (vc21 & ~vd21)) + xk20 + ti21) >> (uint32_t)23U); + abcd[3U] = v20; + uint32_t va21 = abcd[2U]; + uint32_t vb22 = abcd[3U]; + uint32_t vc22 = abcd[0U]; + uint32_t vd22 = abcd[1U]; + uint8_t *b22 = x + (uint32_t)60U; + uint32_t u21 = load32_le(b22); + uint32_t xk21 = u21; + uint32_t ti22 = _t[22U]; + uint32_t + v21 = + vb22 + + + ((va21 + ((vb22 & vd22) | (vc22 & ~vd22)) + xk21 + ti22) + << (uint32_t)14U + | (va21 + ((vb22 & vd22) | (vc22 & ~vd22)) + xk21 + ti22) >> (uint32_t)18U); + abcd[2U] = v21; + uint32_t va22 = abcd[1U]; + uint32_t vb23 = abcd[2U]; + uint32_t vc23 = abcd[3U]; + uint32_t vd23 = abcd[0U]; + uint8_t *b23 = x + (uint32_t)16U; + uint32_t u22 = load32_le(b23); + uint32_t xk22 = u22; + uint32_t ti23 = _t[23U]; + uint32_t + v22 = + vb23 
+ + + ((va22 + ((vb23 & vd23) | (vc23 & ~vd23)) + xk22 + ti23) + << (uint32_t)20U + | (va22 + ((vb23 & vd23) | (vc23 & ~vd23)) + xk22 + ti23) >> (uint32_t)12U); + abcd[1U] = v22; + uint32_t va23 = abcd[0U]; + uint32_t vb24 = abcd[1U]; + uint32_t vc24 = abcd[2U]; + uint32_t vd24 = abcd[3U]; + uint8_t *b24 = x + (uint32_t)36U; + uint32_t u23 = load32_le(b24); + uint32_t xk23 = u23; + uint32_t ti24 = _t[24U]; + uint32_t + v23 = + vb24 + + + ((va23 + ((vb24 & vd24) | (vc24 & ~vd24)) + xk23 + ti24) + << (uint32_t)5U + | (va23 + ((vb24 & vd24) | (vc24 & ~vd24)) + xk23 + ti24) >> (uint32_t)27U); + abcd[0U] = v23; + uint32_t va24 = abcd[3U]; + uint32_t vb25 = abcd[0U]; + uint32_t vc25 = abcd[1U]; + uint32_t vd25 = abcd[2U]; + uint8_t *b25 = x + (uint32_t)56U; + uint32_t u24 = load32_le(b25); + uint32_t xk24 = u24; + uint32_t ti25 = _t[25U]; + uint32_t + v24 = + vb25 + + + ((va24 + ((vb25 & vd25) | (vc25 & ~vd25)) + xk24 + ti25) + << (uint32_t)9U + | (va24 + ((vb25 & vd25) | (vc25 & ~vd25)) + xk24 + ti25) >> (uint32_t)23U); + abcd[3U] = v24; + uint32_t va25 = abcd[2U]; + uint32_t vb26 = abcd[3U]; + uint32_t vc26 = abcd[0U]; + uint32_t vd26 = abcd[1U]; + uint8_t *b26 = x + (uint32_t)12U; + uint32_t u25 = load32_le(b26); + uint32_t xk25 = u25; + uint32_t ti26 = _t[26U]; + uint32_t + v25 = + vb26 + + + ((va25 + ((vb26 & vd26) | (vc26 & ~vd26)) + xk25 + ti26) + << (uint32_t)14U + | (va25 + ((vb26 & vd26) | (vc26 & ~vd26)) + xk25 + ti26) >> (uint32_t)18U); + abcd[2U] = v25; + uint32_t va26 = abcd[1U]; + uint32_t vb27 = abcd[2U]; + uint32_t vc27 = abcd[3U]; + uint32_t vd27 = abcd[0U]; + uint8_t *b27 = x + (uint32_t)32U; + uint32_t u26 = load32_le(b27); + uint32_t xk26 = u26; + uint32_t ti27 = _t[27U]; + uint32_t + v26 = + vb27 + + + ((va26 + ((vb27 & vd27) | (vc27 & ~vd27)) + xk26 + ti27) + << (uint32_t)20U + | (va26 + ((vb27 & vd27) | (vc27 & ~vd27)) + xk26 + ti27) >> (uint32_t)12U); + abcd[1U] = v26; + uint32_t va27 = abcd[0U]; + uint32_t vb28 = abcd[1U]; + uint32_t vc28 = 
abcd[2U]; + uint32_t vd28 = abcd[3U]; + uint8_t *b28 = x + (uint32_t)52U; + uint32_t u27 = load32_le(b28); + uint32_t xk27 = u27; + uint32_t ti28 = _t[28U]; + uint32_t + v27 = + vb28 + + + ((va27 + ((vb28 & vd28) | (vc28 & ~vd28)) + xk27 + ti28) + << (uint32_t)5U + | (va27 + ((vb28 & vd28) | (vc28 & ~vd28)) + xk27 + ti28) >> (uint32_t)27U); + abcd[0U] = v27; + uint32_t va28 = abcd[3U]; + uint32_t vb29 = abcd[0U]; + uint32_t vc29 = abcd[1U]; + uint32_t vd29 = abcd[2U]; + uint8_t *b29 = x + (uint32_t)8U; + uint32_t u28 = load32_le(b29); + uint32_t xk28 = u28; + uint32_t ti29 = _t[29U]; + uint32_t + v28 = + vb29 + + + ((va28 + ((vb29 & vd29) | (vc29 & ~vd29)) + xk28 + ti29) + << (uint32_t)9U + | (va28 + ((vb29 & vd29) | (vc29 & ~vd29)) + xk28 + ti29) >> (uint32_t)23U); + abcd[3U] = v28; + uint32_t va29 = abcd[2U]; + uint32_t vb30 = abcd[3U]; + uint32_t vc30 = abcd[0U]; + uint32_t vd30 = abcd[1U]; + uint8_t *b30 = x + (uint32_t)28U; + uint32_t u29 = load32_le(b30); + uint32_t xk29 = u29; + uint32_t ti30 = _t[30U]; + uint32_t + v29 = + vb30 + + + ((va29 + ((vb30 & vd30) | (vc30 & ~vd30)) + xk29 + ti30) + << (uint32_t)14U + | (va29 + ((vb30 & vd30) | (vc30 & ~vd30)) + xk29 + ti30) >> (uint32_t)18U); + abcd[2U] = v29; + uint32_t va30 = abcd[1U]; + uint32_t vb31 = abcd[2U]; + uint32_t vc31 = abcd[3U]; + uint32_t vd31 = abcd[0U]; + uint8_t *b31 = x + (uint32_t)48U; + uint32_t u30 = load32_le(b31); + uint32_t xk30 = u30; + uint32_t ti31 = _t[31U]; + uint32_t + v30 = + vb31 + + + ((va30 + ((vb31 & vd31) | (vc31 & ~vd31)) + xk30 + ti31) + << (uint32_t)20U + | (va30 + ((vb31 & vd31) | (vc31 & ~vd31)) + xk30 + ti31) >> (uint32_t)12U); + abcd[1U] = v30; + uint32_t va31 = abcd[0U]; + uint32_t vb32 = abcd[1U]; + uint32_t vc32 = abcd[2U]; + uint32_t vd32 = abcd[3U]; + uint8_t *b32 = x + (uint32_t)20U; + uint32_t u31 = load32_le(b32); + uint32_t xk31 = u31; + uint32_t ti32 = _t[32U]; + uint32_t + v31 = + vb32 + + + ((va31 + (vb32 ^ (vc32 ^ vd32)) + xk31 + ti32) + << (uint32_t)4U + | 
(va31 + (vb32 ^ (vc32 ^ vd32)) + xk31 + ti32) >> (uint32_t)28U); + abcd[0U] = v31; + uint32_t va32 = abcd[3U]; + uint32_t vb33 = abcd[0U]; + uint32_t vc33 = abcd[1U]; + uint32_t vd33 = abcd[2U]; + uint8_t *b33 = x + (uint32_t)32U; + uint32_t u32 = load32_le(b33); + uint32_t xk32 = u32; + uint32_t ti33 = _t[33U]; + uint32_t + v32 = + vb33 + + + ((va32 + (vb33 ^ (vc33 ^ vd33)) + xk32 + ti33) + << (uint32_t)11U + | (va32 + (vb33 ^ (vc33 ^ vd33)) + xk32 + ti33) >> (uint32_t)21U); + abcd[3U] = v32; + uint32_t va33 = abcd[2U]; + uint32_t vb34 = abcd[3U]; + uint32_t vc34 = abcd[0U]; + uint32_t vd34 = abcd[1U]; + uint8_t *b34 = x + (uint32_t)44U; + uint32_t u33 = load32_le(b34); + uint32_t xk33 = u33; + uint32_t ti34 = _t[34U]; + uint32_t + v33 = + vb34 + + + ((va33 + (vb34 ^ (vc34 ^ vd34)) + xk33 + ti34) + << (uint32_t)16U + | (va33 + (vb34 ^ (vc34 ^ vd34)) + xk33 + ti34) >> (uint32_t)16U); + abcd[2U] = v33; + uint32_t va34 = abcd[1U]; + uint32_t vb35 = abcd[2U]; + uint32_t vc35 = abcd[3U]; + uint32_t vd35 = abcd[0U]; + uint8_t *b35 = x + (uint32_t)56U; + uint32_t u34 = load32_le(b35); + uint32_t xk34 = u34; + uint32_t ti35 = _t[35U]; + uint32_t + v34 = + vb35 + + + ((va34 + (vb35 ^ (vc35 ^ vd35)) + xk34 + ti35) + << (uint32_t)23U + | (va34 + (vb35 ^ (vc35 ^ vd35)) + xk34 + ti35) >> (uint32_t)9U); + abcd[1U] = v34; + uint32_t va35 = abcd[0U]; + uint32_t vb36 = abcd[1U]; + uint32_t vc36 = abcd[2U]; + uint32_t vd36 = abcd[3U]; + uint8_t *b36 = x + (uint32_t)4U; + uint32_t u35 = load32_le(b36); + uint32_t xk35 = u35; + uint32_t ti36 = _t[36U]; + uint32_t + v35 = + vb36 + + + ((va35 + (vb36 ^ (vc36 ^ vd36)) + xk35 + ti36) + << (uint32_t)4U + | (va35 + (vb36 ^ (vc36 ^ vd36)) + xk35 + ti36) >> (uint32_t)28U); + abcd[0U] = v35; + uint32_t va36 = abcd[3U]; + uint32_t vb37 = abcd[0U]; + uint32_t vc37 = abcd[1U]; + uint32_t vd37 = abcd[2U]; + uint8_t *b37 = x + (uint32_t)16U; + uint32_t u36 = load32_le(b37); + uint32_t xk36 = u36; + uint32_t ti37 = _t[37U]; + uint32_t + v36 = + 
vb37 + + + ((va36 + (vb37 ^ (vc37 ^ vd37)) + xk36 + ti37) + << (uint32_t)11U + | (va36 + (vb37 ^ (vc37 ^ vd37)) + xk36 + ti37) >> (uint32_t)21U); + abcd[3U] = v36; + uint32_t va37 = abcd[2U]; + uint32_t vb38 = abcd[3U]; + uint32_t vc38 = abcd[0U]; + uint32_t vd38 = abcd[1U]; + uint8_t *b38 = x + (uint32_t)28U; + uint32_t u37 = load32_le(b38); + uint32_t xk37 = u37; + uint32_t ti38 = _t[38U]; + uint32_t + v37 = + vb38 + + + ((va37 + (vb38 ^ (vc38 ^ vd38)) + xk37 + ti38) + << (uint32_t)16U + | (va37 + (vb38 ^ (vc38 ^ vd38)) + xk37 + ti38) >> (uint32_t)16U); + abcd[2U] = v37; + uint32_t va38 = abcd[1U]; + uint32_t vb39 = abcd[2U]; + uint32_t vc39 = abcd[3U]; + uint32_t vd39 = abcd[0U]; + uint8_t *b39 = x + (uint32_t)40U; + uint32_t u38 = load32_le(b39); + uint32_t xk38 = u38; + uint32_t ti39 = _t[39U]; + uint32_t + v38 = + vb39 + + + ((va38 + (vb39 ^ (vc39 ^ vd39)) + xk38 + ti39) + << (uint32_t)23U + | (va38 + (vb39 ^ (vc39 ^ vd39)) + xk38 + ti39) >> (uint32_t)9U); + abcd[1U] = v38; + uint32_t va39 = abcd[0U]; + uint32_t vb40 = abcd[1U]; + uint32_t vc40 = abcd[2U]; + uint32_t vd40 = abcd[3U]; + uint8_t *b40 = x + (uint32_t)52U; + uint32_t u39 = load32_le(b40); + uint32_t xk39 = u39; + uint32_t ti40 = _t[40U]; + uint32_t + v39 = + vb40 + + + ((va39 + (vb40 ^ (vc40 ^ vd40)) + xk39 + ti40) + << (uint32_t)4U + | (va39 + (vb40 ^ (vc40 ^ vd40)) + xk39 + ti40) >> (uint32_t)28U); + abcd[0U] = v39; + uint32_t va40 = abcd[3U]; + uint32_t vb41 = abcd[0U]; + uint32_t vc41 = abcd[1U]; + uint32_t vd41 = abcd[2U]; + uint8_t *b41 = x; + uint32_t u40 = load32_le(b41); + uint32_t xk40 = u40; + uint32_t ti41 = _t[41U]; + uint32_t + v40 = + vb41 + + + ((va40 + (vb41 ^ (vc41 ^ vd41)) + xk40 + ti41) + << (uint32_t)11U + | (va40 + (vb41 ^ (vc41 ^ vd41)) + xk40 + ti41) >> (uint32_t)21U); + abcd[3U] = v40; + uint32_t va41 = abcd[2U]; + uint32_t vb42 = abcd[3U]; + uint32_t vc42 = abcd[0U]; + uint32_t vd42 = abcd[1U]; + uint8_t *b42 = x + (uint32_t)12U; + uint32_t u41 = load32_le(b42); + 
uint32_t xk41 = u41; + uint32_t ti42 = _t[42U]; + uint32_t + v41 = + vb42 + + + ((va41 + (vb42 ^ (vc42 ^ vd42)) + xk41 + ti42) + << (uint32_t)16U + | (va41 + (vb42 ^ (vc42 ^ vd42)) + xk41 + ti42) >> (uint32_t)16U); + abcd[2U] = v41; + uint32_t va42 = abcd[1U]; + uint32_t vb43 = abcd[2U]; + uint32_t vc43 = abcd[3U]; + uint32_t vd43 = abcd[0U]; + uint8_t *b43 = x + (uint32_t)24U; + uint32_t u42 = load32_le(b43); + uint32_t xk42 = u42; + uint32_t ti43 = _t[43U]; + uint32_t + v42 = + vb43 + + + ((va42 + (vb43 ^ (vc43 ^ vd43)) + xk42 + ti43) + << (uint32_t)23U + | (va42 + (vb43 ^ (vc43 ^ vd43)) + xk42 + ti43) >> (uint32_t)9U); + abcd[1U] = v42; + uint32_t va43 = abcd[0U]; + uint32_t vb44 = abcd[1U]; + uint32_t vc44 = abcd[2U]; + uint32_t vd44 = abcd[3U]; + uint8_t *b44 = x + (uint32_t)36U; + uint32_t u43 = load32_le(b44); + uint32_t xk43 = u43; + uint32_t ti44 = _t[44U]; + uint32_t + v43 = + vb44 + + + ((va43 + (vb44 ^ (vc44 ^ vd44)) + xk43 + ti44) + << (uint32_t)4U + | (va43 + (vb44 ^ (vc44 ^ vd44)) + xk43 + ti44) >> (uint32_t)28U); + abcd[0U] = v43; + uint32_t va44 = abcd[3U]; + uint32_t vb45 = abcd[0U]; + uint32_t vc45 = abcd[1U]; + uint32_t vd45 = abcd[2U]; + uint8_t *b45 = x + (uint32_t)48U; + uint32_t u44 = load32_le(b45); + uint32_t xk44 = u44; + uint32_t ti45 = _t[45U]; + uint32_t + v44 = + vb45 + + + ((va44 + (vb45 ^ (vc45 ^ vd45)) + xk44 + ti45) + << (uint32_t)11U + | (va44 + (vb45 ^ (vc45 ^ vd45)) + xk44 + ti45) >> (uint32_t)21U); + abcd[3U] = v44; + uint32_t va45 = abcd[2U]; + uint32_t vb46 = abcd[3U]; + uint32_t vc46 = abcd[0U]; + uint32_t vd46 = abcd[1U]; + uint8_t *b46 = x + (uint32_t)60U; + uint32_t u45 = load32_le(b46); + uint32_t xk45 = u45; + uint32_t ti46 = _t[46U]; + uint32_t + v45 = + vb46 + + + ((va45 + (vb46 ^ (vc46 ^ vd46)) + xk45 + ti46) + << (uint32_t)16U + | (va45 + (vb46 ^ (vc46 ^ vd46)) + xk45 + ti46) >> (uint32_t)16U); + abcd[2U] = v45; + uint32_t va46 = abcd[1U]; + uint32_t vb47 = abcd[2U]; + uint32_t vc47 = abcd[3U]; + uint32_t vd47 = 
abcd[0U]; + uint8_t *b47 = x + (uint32_t)8U; + uint32_t u46 = load32_le(b47); + uint32_t xk46 = u46; + uint32_t ti47 = _t[47U]; + uint32_t + v46 = + vb47 + + + ((va46 + (vb47 ^ (vc47 ^ vd47)) + xk46 + ti47) + << (uint32_t)23U + | (va46 + (vb47 ^ (vc47 ^ vd47)) + xk46 + ti47) >> (uint32_t)9U); + abcd[1U] = v46; + uint32_t va47 = abcd[0U]; + uint32_t vb48 = abcd[1U]; + uint32_t vc48 = abcd[2U]; + uint32_t vd48 = abcd[3U]; + uint8_t *b48 = x; + uint32_t u47 = load32_le(b48); + uint32_t xk47 = u47; + uint32_t ti48 = _t[48U]; + uint32_t + v47 = + vb48 + + + ((va47 + (vc48 ^ (vb48 | ~vd48)) + xk47 + ti48) + << (uint32_t)6U + | (va47 + (vc48 ^ (vb48 | ~vd48)) + xk47 + ti48) >> (uint32_t)26U); + abcd[0U] = v47; + uint32_t va48 = abcd[3U]; + uint32_t vb49 = abcd[0U]; + uint32_t vc49 = abcd[1U]; + uint32_t vd49 = abcd[2U]; + uint8_t *b49 = x + (uint32_t)28U; + uint32_t u48 = load32_le(b49); + uint32_t xk48 = u48; + uint32_t ti49 = _t[49U]; + uint32_t + v48 = + vb49 + + + ((va48 + (vc49 ^ (vb49 | ~vd49)) + xk48 + ti49) + << (uint32_t)10U + | (va48 + (vc49 ^ (vb49 | ~vd49)) + xk48 + ti49) >> (uint32_t)22U); + abcd[3U] = v48; + uint32_t va49 = abcd[2U]; + uint32_t vb50 = abcd[3U]; + uint32_t vc50 = abcd[0U]; + uint32_t vd50 = abcd[1U]; + uint8_t *b50 = x + (uint32_t)56U; + uint32_t u49 = load32_le(b50); + uint32_t xk49 = u49; + uint32_t ti50 = _t[50U]; + uint32_t + v49 = + vb50 + + + ((va49 + (vc50 ^ (vb50 | ~vd50)) + xk49 + ti50) + << (uint32_t)15U + | (va49 + (vc50 ^ (vb50 | ~vd50)) + xk49 + ti50) >> (uint32_t)17U); + abcd[2U] = v49; + uint32_t va50 = abcd[1U]; + uint32_t vb51 = abcd[2U]; + uint32_t vc51 = abcd[3U]; + uint32_t vd51 = abcd[0U]; + uint8_t *b51 = x + (uint32_t)20U; + uint32_t u50 = load32_le(b51); + uint32_t xk50 = u50; + uint32_t ti51 = _t[51U]; + uint32_t + v50 = + vb51 + + + ((va50 + (vc51 ^ (vb51 | ~vd51)) + xk50 + ti51) + << (uint32_t)21U + | (va50 + (vc51 ^ (vb51 | ~vd51)) + xk50 + ti51) >> (uint32_t)11U); + abcd[1U] = v50; + uint32_t va51 = abcd[0U]; + 
uint32_t vb52 = abcd[1U]; + uint32_t vc52 = abcd[2U]; + uint32_t vd52 = abcd[3U]; + uint8_t *b52 = x + (uint32_t)48U; + uint32_t u51 = load32_le(b52); + uint32_t xk51 = u51; + uint32_t ti52 = _t[52U]; + uint32_t + v51 = + vb52 + + + ((va51 + (vc52 ^ (vb52 | ~vd52)) + xk51 + ti52) + << (uint32_t)6U + | (va51 + (vc52 ^ (vb52 | ~vd52)) + xk51 + ti52) >> (uint32_t)26U); + abcd[0U] = v51; + uint32_t va52 = abcd[3U]; + uint32_t vb53 = abcd[0U]; + uint32_t vc53 = abcd[1U]; + uint32_t vd53 = abcd[2U]; + uint8_t *b53 = x + (uint32_t)12U; + uint32_t u52 = load32_le(b53); + uint32_t xk52 = u52; + uint32_t ti53 = _t[53U]; + uint32_t + v52 = + vb53 + + + ((va52 + (vc53 ^ (vb53 | ~vd53)) + xk52 + ti53) + << (uint32_t)10U + | (va52 + (vc53 ^ (vb53 | ~vd53)) + xk52 + ti53) >> (uint32_t)22U); + abcd[3U] = v52; + uint32_t va53 = abcd[2U]; + uint32_t vb54 = abcd[3U]; + uint32_t vc54 = abcd[0U]; + uint32_t vd54 = abcd[1U]; + uint8_t *b54 = x + (uint32_t)40U; + uint32_t u53 = load32_le(b54); + uint32_t xk53 = u53; + uint32_t ti54 = _t[54U]; + uint32_t + v53 = + vb54 + + + ((va53 + (vc54 ^ (vb54 | ~vd54)) + xk53 + ti54) + << (uint32_t)15U + | (va53 + (vc54 ^ (vb54 | ~vd54)) + xk53 + ti54) >> (uint32_t)17U); + abcd[2U] = v53; + uint32_t va54 = abcd[1U]; + uint32_t vb55 = abcd[2U]; + uint32_t vc55 = abcd[3U]; + uint32_t vd55 = abcd[0U]; + uint8_t *b55 = x + (uint32_t)4U; + uint32_t u54 = load32_le(b55); + uint32_t xk54 = u54; + uint32_t ti55 = _t[55U]; + uint32_t + v54 = + vb55 + + + ((va54 + (vc55 ^ (vb55 | ~vd55)) + xk54 + ti55) + << (uint32_t)21U + | (va54 + (vc55 ^ (vb55 | ~vd55)) + xk54 + ti55) >> (uint32_t)11U); + abcd[1U] = v54; + uint32_t va55 = abcd[0U]; + uint32_t vb56 = abcd[1U]; + uint32_t vc56 = abcd[2U]; + uint32_t vd56 = abcd[3U]; + uint8_t *b56 = x + (uint32_t)32U; + uint32_t u55 = load32_le(b56); + uint32_t xk55 = u55; + uint32_t ti56 = _t[56U]; + uint32_t + v55 = + vb56 + + + ((va55 + (vc56 ^ (vb56 | ~vd56)) + xk55 + ti56) + << (uint32_t)6U + | (va55 + (vc56 ^ (vb56 | 
~vd56)) + xk55 + ti56) >> (uint32_t)26U); + abcd[0U] = v55; + uint32_t va56 = abcd[3U]; + uint32_t vb57 = abcd[0U]; + uint32_t vc57 = abcd[1U]; + uint32_t vd57 = abcd[2U]; + uint8_t *b57 = x + (uint32_t)60U; + uint32_t u56 = load32_le(b57); + uint32_t xk56 = u56; + uint32_t ti57 = _t[57U]; + uint32_t + v56 = + vb57 + + + ((va56 + (vc57 ^ (vb57 | ~vd57)) + xk56 + ti57) + << (uint32_t)10U + | (va56 + (vc57 ^ (vb57 | ~vd57)) + xk56 + ti57) >> (uint32_t)22U); + abcd[3U] = v56; + uint32_t va57 = abcd[2U]; + uint32_t vb58 = abcd[3U]; + uint32_t vc58 = abcd[0U]; + uint32_t vd58 = abcd[1U]; + uint8_t *b58 = x + (uint32_t)24U; + uint32_t u57 = load32_le(b58); + uint32_t xk57 = u57; + uint32_t ti58 = _t[58U]; + uint32_t + v57 = + vb58 + + + ((va57 + (vc58 ^ (vb58 | ~vd58)) + xk57 + ti58) + << (uint32_t)15U + | (va57 + (vc58 ^ (vb58 | ~vd58)) + xk57 + ti58) >> (uint32_t)17U); + abcd[2U] = v57; + uint32_t va58 = abcd[1U]; + uint32_t vb59 = abcd[2U]; + uint32_t vc59 = abcd[3U]; + uint32_t vd59 = abcd[0U]; + uint8_t *b59 = x + (uint32_t)52U; + uint32_t u58 = load32_le(b59); + uint32_t xk58 = u58; + uint32_t ti59 = _t[59U]; + uint32_t + v58 = + vb59 + + + ((va58 + (vc59 ^ (vb59 | ~vd59)) + xk58 + ti59) + << (uint32_t)21U + | (va58 + (vc59 ^ (vb59 | ~vd59)) + xk58 + ti59) >> (uint32_t)11U); + abcd[1U] = v58; + uint32_t va59 = abcd[0U]; + uint32_t vb60 = abcd[1U]; + uint32_t vc60 = abcd[2U]; + uint32_t vd60 = abcd[3U]; + uint8_t *b60 = x + (uint32_t)16U; + uint32_t u59 = load32_le(b60); + uint32_t xk59 = u59; + uint32_t ti60 = _t[60U]; + uint32_t + v59 = + vb60 + + + ((va59 + (vc60 ^ (vb60 | ~vd60)) + xk59 + ti60) + << (uint32_t)6U + | (va59 + (vc60 ^ (vb60 | ~vd60)) + xk59 + ti60) >> (uint32_t)26U); + abcd[0U] = v59; + uint32_t va60 = abcd[3U]; + uint32_t vb61 = abcd[0U]; + uint32_t vc61 = abcd[1U]; + uint32_t vd61 = abcd[2U]; + uint8_t *b61 = x + (uint32_t)44U; + uint32_t u60 = load32_le(b61); + uint32_t xk60 = u60; + uint32_t ti61 = _t[61U]; + uint32_t + v60 = + vb61 + + + 
((va60 + (vc61 ^ (vb61 | ~vd61)) + xk60 + ti61) + << (uint32_t)10U + | (va60 + (vc61 ^ (vb61 | ~vd61)) + xk60 + ti61) >> (uint32_t)22U); + abcd[3U] = v60; + uint32_t va61 = abcd[2U]; + uint32_t vb62 = abcd[3U]; + uint32_t vc62 = abcd[0U]; + uint32_t vd62 = abcd[1U]; + uint8_t *b62 = x + (uint32_t)8U; + uint32_t u61 = load32_le(b62); + uint32_t xk61 = u61; + uint32_t ti62 = _t[62U]; + uint32_t + v61 = + vb62 + + + ((va61 + (vc62 ^ (vb62 | ~vd62)) + xk61 + ti62) + << (uint32_t)15U + | (va61 + (vc62 ^ (vb62 | ~vd62)) + xk61 + ti62) >> (uint32_t)17U); + abcd[2U] = v61; + uint32_t va62 = abcd[1U]; + uint32_t vb = abcd[2U]; + uint32_t vc = abcd[3U]; + uint32_t vd = abcd[0U]; + uint8_t *b63 = x + (uint32_t)36U; + uint32_t u62 = load32_le(b63); + uint32_t xk62 = u62; + uint32_t ti = _t[63U]; + uint32_t + v62 = + vb + + + ((va62 + (vc ^ (vb | ~vd)) + xk62 + ti) + << (uint32_t)21U + | (va62 + (vc ^ (vb | ~vd)) + xk62 + ti) >> (uint32_t)11U); + abcd[1U] = v62; + uint32_t a = abcd[0U]; + uint32_t b = abcd[1U]; + uint32_t c = abcd[2U]; + uint32_t d = abcd[3U]; + abcd[0U] = a + aa; + abcd[1U] = b + bb; + abcd[2U] = c + cc; + abcd[3U] = d + dd; +} + +static void legacy_pad(uint64_t len, uint8_t *dst) +{ + uint8_t *dst1 = dst; + dst1[0U] = (uint8_t)0x80U; + uint8_t *dst2 = dst + (uint32_t)1U; + for + (uint32_t + i = (uint32_t)0U; + i + < ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(len % (uint64_t)(uint32_t)64U))) % (uint32_t)64U; + i++) + { + dst2[i] = (uint8_t)0U; + } + uint8_t + *dst3 = + dst + + + (uint32_t)1U + + + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U; + store64_le(dst3, len << (uint32_t)3U); +} + +void Hacl_Hash_Core_MD5_legacy_finish(uint32_t *s, uint8_t *dst) +{ + uint32_t *uu____0 = s; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store32_le(dst + i * (uint32_t)4U, uu____0[i]); + } +} + +void Hacl_Hash_MD5_legacy_update_multi(uint32_t *s, uint8_t *blocks, uint32_t n_blocks) +{ + for (uint32_t i = 
(uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)64U; + uint8_t *block = blocks + sz * i; + Hacl_Hash_Core_MD5_legacy_update(s, block); + } +} + +void +Hacl_Hash_MD5_legacy_update_last( + uint32_t *s, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)64U; + uint32_t blocks_len = blocks_n * (uint32_t)64U; + uint8_t *blocks = input; + uint32_t rest_len = input_len - blocks_len; + uint8_t *rest = input + blocks_len; + Hacl_Hash_MD5_legacy_update_multi(s, blocks, blocks_n); + uint64_t total_input_len = prev_len + (uint64_t)input_len; + uint32_t + pad_len = + (uint32_t)1U + + + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(total_input_len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U + + (uint32_t)8U; + uint32_t tmp_len = rest_len + pad_len; + uint8_t tmp_twoblocks[128U] = { 0U }; + uint8_t *tmp = tmp_twoblocks; + uint8_t *tmp_rest = tmp; + uint8_t *tmp_pad = tmp + rest_len; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + legacy_pad(total_input_len, tmp_pad); + Hacl_Hash_MD5_legacy_update_multi(s, tmp, tmp_len / (uint32_t)64U); +} + +typedef uint32_t *___uint32_t____; + +void Hacl_Hash_MD5_legacy_hash(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + uint32_t + scrut[4U] = + { (uint32_t)0x67452301U, (uint32_t)0xefcdab89U, (uint32_t)0x98badcfeU, (uint32_t)0x10325476U }; + uint32_t *s = scrut; + uint32_t blocks_n0 = input_len / (uint32_t)64U; + uint32_t blocks_n1; + if (input_len % (uint32_t)64U == (uint32_t)0U && blocks_n0 > (uint32_t)0U) + { + blocks_n1 = blocks_n0 - (uint32_t)1U; + } + else + { + blocks_n1 = blocks_n0; + } + uint32_t blocks_len0 = blocks_n1 * (uint32_t)64U; + uint8_t *blocks0 = input; + uint32_t rest_len0 = input_len - blocks_len0; + uint8_t *rest0 = input + blocks_len0; + uint32_t blocks_n = blocks_n1; + uint32_t blocks_len = blocks_len0; + uint8_t *blocks = blocks0; + uint32_t rest_len = rest_len0; + uint8_t *rest = rest0; + Hacl_Hash_MD5_legacy_update_multi(s, 
blocks, blocks_n); + Hacl_Hash_MD5_legacy_update_last(s, (uint64_t)blocks_len, rest, rest_len); + Hacl_Hash_Core_MD5_legacy_finish(s, dst); +} + diff --git a/src/Hacl_Hash_SHA1.c b/src/Hacl_Hash_SHA1.c new file mode 100644 index 00000000..2d581ad1 --- /dev/null +++ b/src/Hacl_Hash_SHA1.c 
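Review bot: `Hacl_Hash_MD5_legacy_update_last` sizes its scratch buffer as `uint8_t tmp_twoblocks[128U]`, but nothing in the hunk states the precondition that makes 128 bytes sufficient: `prev_len` must be a multiple of 64, i.e. the length of the full blocks already absorbed through `update_multi`. Working `pad_len` and `legacy_pad` through, a misaligned `prev_len` together with a `rest_len` near 63 lets `tmp_len` reach 135 and the `store64_le` in `legacy_pad` land past the end of `tmp_twoblocks`; the only visible caller, `Hacl_Hash_MD5_legacy_hash`, passes `(uint64_t)blocks_len`, which is aligned, so on this path it is an undocumented contract rather than a defect, but external callers of the exported function have no way to know it. I would add above the definition `/* Precondition: prev_len % 64 == 0 (bytes already processed as full blocks); the 128-byte padding buffer is sized under this assumption. */` — and since the `KRML_CHECK_SIZE`/`uu____0` idioms suggest extracted code, the comment is best carried in the extraction annotations rather than hand-edited here. Separately, the file-scope names `_h0`, `_t` and `typedef uint32_t *___uint32_t____;` sit in the identifier space C reserves for the implementation (leading underscore at file scope, double underscore anywhere), which the generator should avoid. As documentation for a security-sensitive API, the header comment for `Hacl_Hash_MD5_legacy_hash` should state that MD5 is provided for legacy interoperability only and offers no collision resistance.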
@@ -0,0 +1,243 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Hash_SHA1.h" + + + +static uint32_t +_h0[5U] = + { + (uint32_t)0x67452301U, (uint32_t)0xefcdab89U, (uint32_t)0x98badcfeU, (uint32_t)0x10325476U, + (uint32_t)0xc3d2e1f0U + }; + +void Hacl_Hash_Core_SHA1_legacy_init(uint32_t *s) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)5U; i++) + { + s[i] = _h0[i]; + } +} + +void Hacl_Hash_Core_SHA1_legacy_update(uint32_t *h, uint8_t *l) +{ + uint32_t ha = h[0U]; + uint32_t hb = h[1U]; + uint32_t hc = h[2U]; + uint32_t hd = h[3U]; + uint32_t he = h[4U]; + uint32_t _w[80U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)80U; i++) + { + uint32_t v; + if (i < (uint32_t)16U) + { + uint8_t *b = l + i * (uint32_t)4U; + uint32_t u = load32_be(b); + v = u; + } + else + { + uint32_t wmit3 = _w[i - (uint32_t)3U]; + uint32_t wmit8 = _w[i - (uint32_t)8U]; + uint32_t wmit14 = _w[i - (uint32_t)14U]; + uint32_t wmit16 = _w[i - (uint32_t)16U]; + v = + (wmit3 ^ (wmit8 ^ (wmit14 ^ wmit16))) + << (uint32_t)1U + | (wmit3 ^ (wmit8 ^ (wmit14 ^ wmit16))) >> (uint32_t)31U; + } + _w[i] = v; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)80U; i++) + { + uint32_t _a = h[0U]; + uint32_t _b = h[1U]; + uint32_t _c = h[2U]; + uint32_t _d = h[3U]; + uint32_t _e = h[4U]; + uint32_t wmit = _w[i]; + uint32_t ite0; + if (i < (uint32_t)20U) + { + ite0 = (_b & _c) ^ (~_b & _d); + } + else if ((uint32_t)39U < i && i < (uint32_t)60U) + { + ite0 = (_b & _c) ^ ((_b & _d) ^ (_c & _d)); + } + else + { + ite0 = _b ^ (_c ^ _d); + } + uint32_t ite; + if (i < (uint32_t)20U) + { + ite = (uint32_t)0x5a827999U; + } + else if (i < (uint32_t)40U) + { + ite = (uint32_t)0x6ed9eba1U; + } + else if (i < (uint32_t)60U) + { + ite = (uint32_t)0x8f1bbcdcU; + } + else + { + ite = (uint32_t)0xca62c1d6U; + } + uint32_t _T = (_a << (uint32_t)5U | _a >> (uint32_t)27U) + ite0 + _e + ite + wmit; + h[0U] = _T; + h[1U] = _a; + h[2U] = _b << (uint32_t)30U | _b >> (uint32_t)2U; + h[3U] = _c; + h[4U] = _d; + } + for (uint32_t i = (uint32_t)0U; i < 
(uint32_t)80U; i++) + { + _w[i] = (uint32_t)0U; + } + uint32_t sta = h[0U]; + uint32_t stb = h[1U]; + uint32_t stc = h[2U]; + uint32_t std = h[3U]; + uint32_t ste = h[4U]; + h[0U] = sta + ha; + h[1U] = stb + hb; + h[2U] = stc + hc; + h[3U] = std + hd; + h[4U] = ste + he; +} + +static void legacy_pad(uint64_t len, uint8_t *dst) +{ + uint8_t *dst1 = dst; + dst1[0U] = (uint8_t)0x80U; + uint8_t *dst2 = dst + (uint32_t)1U; + for + (uint32_t + i = (uint32_t)0U; + i + < ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(len % (uint64_t)(uint32_t)64U))) % (uint32_t)64U; + i++) + { + dst2[i] = (uint8_t)0U; + } + uint8_t + *dst3 = + dst + + + (uint32_t)1U + + + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U; + store64_be(dst3, len << (uint32_t)3U); +} + +void Hacl_Hash_Core_SHA1_legacy_finish(uint32_t *s, uint8_t *dst) +{ + uint32_t *uu____0 = s; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)5U; i++) + { + store32_be(dst + i * (uint32_t)4U, uu____0[i]); + } +} + +void Hacl_Hash_SHA1_legacy_update_multi(uint32_t *s, uint8_t *blocks, uint32_t n_blocks) +{ + for (uint32_t i = (uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)64U; + uint8_t *block = blocks + sz * i; + Hacl_Hash_Core_SHA1_legacy_update(s, block); + } +} + +void +Hacl_Hash_SHA1_legacy_update_last( + uint32_t *s, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)64U; + uint32_t blocks_len = blocks_n * (uint32_t)64U; + uint8_t *blocks = input; + uint32_t rest_len = input_len - blocks_len; + uint8_t *rest = input + blocks_len; + Hacl_Hash_SHA1_legacy_update_multi(s, blocks, blocks_n); + uint64_t total_input_len = prev_len + (uint64_t)input_len; + uint32_t + pad_len = + (uint32_t)1U + + + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(total_input_len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U + + (uint32_t)8U; + uint32_t tmp_len = rest_len + pad_len; + uint8_t tmp_twoblocks[128U] = { 0U }; + uint8_t 
*tmp = tmp_twoblocks; + uint8_t *tmp_rest = tmp; + uint8_t *tmp_pad = tmp + rest_len; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + legacy_pad(total_input_len, tmp_pad); + Hacl_Hash_SHA1_legacy_update_multi(s, tmp, tmp_len / (uint32_t)64U); +} + +void Hacl_Hash_SHA1_legacy_hash(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + uint32_t + scrut[5U] = + { + (uint32_t)0x67452301U, (uint32_t)0xefcdab89U, (uint32_t)0x98badcfeU, (uint32_t)0x10325476U, + (uint32_t)0xc3d2e1f0U + }; + uint32_t *s = scrut; + uint32_t blocks_n0 = input_len / (uint32_t)64U; + uint32_t blocks_n1; + if (input_len % (uint32_t)64U == (uint32_t)0U && blocks_n0 > (uint32_t)0U) + { + blocks_n1 = blocks_n0 - (uint32_t)1U; + } + else + { + blocks_n1 = blocks_n0; + } + uint32_t blocks_len0 = blocks_n1 * (uint32_t)64U; + uint8_t *blocks0 = input; + uint32_t rest_len0 = input_len - blocks_len0; + uint8_t *rest0 = input + blocks_len0; + uint32_t blocks_n = blocks_n1; + uint32_t blocks_len = blocks_len0; + uint8_t *blocks = blocks0; + uint32_t rest_len = rest_len0; + uint8_t *rest = rest0; + Hacl_Hash_SHA1_legacy_update_multi(s, blocks, blocks_n); + Hacl_Hash_SHA1_legacy_update_last(s, (uint64_t)blocks_len, rest, rest_len); + Hacl_Hash_Core_SHA1_legacy_finish(s, dst); +} + diff --git a/src/Hacl_Hash_SHA2.c b/src/Hacl_Hash_SHA2.c new file mode 100644 index 00000000..8de9eaa0 --- /dev/null +++ b/src/Hacl_Hash_SHA2.c 
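Review bot: `Hacl_Hash_SHA1_legacy_update_last` relies on an undocumented precondition that `prev_len` is a multiple of 64: `pad_len` is derived from `total_input_len % 64` while `rest_len` comes from `input_len % 64` alone, so when the two disagree `tmp_len` can exceed the 128-byte `tmp_twoblocks` buffer that `memcpy` and `legacy_pad` write into (rest_len 63 with total_input_len ≡ 56 mod 64 yields pad_len 72, i.e. 135 bytes). The verified F* source presumably carries this as a precondition, together with the bound implied by `len << 3` in `legacy_pad`, but neither is visible to C callers; a header comment such as `/* Precondition: prev_len % 64 == 0 and prev_len + input_len < 2^61 (length is stored as bits in 64 bits). */` would make the contract explicit. The same applies to `Hacl_Hash_MD5_legacy_update_last` in the preceding hunk (whose start is outside this view) and to the four `Hacl_Hash_SHA2_update_last_*` functions in the next hunk, where the 384/512 variants use block size 128 and `tmp_twoblocks[256]`. Separately, the loop that zeroes `_w` at the end of `Hacl_Hash_Core_SHA1_legacy_update` is a dead store the optimizer is free to drop, so it should not be relied on as scrubbing of the message schedule.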
@@ -0,0 +1,915 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Hash_SHA2.h" + + + +static uint32_t +h224[8U] = + { + (uint32_t)0xc1059ed8U, (uint32_t)0x367cd507U, (uint32_t)0x3070dd17U, (uint32_t)0xf70e5939U, + (uint32_t)0xffc00b31U, (uint32_t)0x68581511U, (uint32_t)0x64f98fa7U, (uint32_t)0xbefa4fa4U + }; + +static uint32_t +h256[8U] = + { + (uint32_t)0x6a09e667U, (uint32_t)0xbb67ae85U, (uint32_t)0x3c6ef372U, (uint32_t)0xa54ff53aU, + (uint32_t)0x510e527fU, (uint32_t)0x9b05688cU, (uint32_t)0x1f83d9abU, (uint32_t)0x5be0cd19U + }; + +static uint64_t +h384[8U] = + { + (uint64_t)0xcbbb9d5dc1059ed8U, (uint64_t)0x629a292a367cd507U, (uint64_t)0x9159015a3070dd17U, + (uint64_t)0x152fecd8f70e5939U, (uint64_t)0x67332667ffc00b31U, (uint64_t)0x8eb44a8768581511U, + (uint64_t)0xdb0c2e0d64f98fa7U, (uint64_t)0x47b5481dbefa4fa4U + }; + +static uint64_t +h512[8U] = + { + (uint64_t)0x6a09e667f3bcc908U, (uint64_t)0xbb67ae8584caa73bU, (uint64_t)0x3c6ef372fe94f82bU, + (uint64_t)0xa54ff53a5f1d36f1U, (uint64_t)0x510e527fade682d1U, (uint64_t)0x9b05688c2b3e6c1fU, + (uint64_t)0x1f83d9abfb41bd6bU, (uint64_t)0x5be0cd19137e2179U + }; + +static uint32_t +k224_256[64U] = + { + (uint32_t)0x428a2f98U, (uint32_t)0x71374491U, (uint32_t)0xb5c0fbcfU, (uint32_t)0xe9b5dba5U, + (uint32_t)0x3956c25bU, (uint32_t)0x59f111f1U, (uint32_t)0x923f82a4U, (uint32_t)0xab1c5ed5U, + (uint32_t)0xd807aa98U, (uint32_t)0x12835b01U, (uint32_t)0x243185beU, (uint32_t)0x550c7dc3U, + (uint32_t)0x72be5d74U, (uint32_t)0x80deb1feU, (uint32_t)0x9bdc06a7U, (uint32_t)0xc19bf174U, + (uint32_t)0xe49b69c1U, (uint32_t)0xefbe4786U, (uint32_t)0x0fc19dc6U, (uint32_t)0x240ca1ccU, + (uint32_t)0x2de92c6fU, (uint32_t)0x4a7484aaU, (uint32_t)0x5cb0a9dcU, (uint32_t)0x76f988daU, + (uint32_t)0x983e5152U, (uint32_t)0xa831c66dU, (uint32_t)0xb00327c8U, (uint32_t)0xbf597fc7U, + (uint32_t)0xc6e00bf3U, (uint32_t)0xd5a79147U, (uint32_t)0x06ca6351U, (uint32_t)0x14292967U, + (uint32_t)0x27b70a85U, (uint32_t)0x2e1b2138U, (uint32_t)0x4d2c6dfcU, (uint32_t)0x53380d13U, + 
(uint32_t)0x650a7354U, (uint32_t)0x766a0abbU, (uint32_t)0x81c2c92eU, (uint32_t)0x92722c85U, + (uint32_t)0xa2bfe8a1U, (uint32_t)0xa81a664bU, (uint32_t)0xc24b8b70U, (uint32_t)0xc76c51a3U, + (uint32_t)0xd192e819U, (uint32_t)0xd6990624U, (uint32_t)0xf40e3585U, (uint32_t)0x106aa070U, + (uint32_t)0x19a4c116U, (uint32_t)0x1e376c08U, (uint32_t)0x2748774cU, (uint32_t)0x34b0bcb5U, + (uint32_t)0x391c0cb3U, (uint32_t)0x4ed8aa4aU, (uint32_t)0x5b9cca4fU, (uint32_t)0x682e6ff3U, + (uint32_t)0x748f82eeU, (uint32_t)0x78a5636fU, (uint32_t)0x84c87814U, (uint32_t)0x8cc70208U, + (uint32_t)0x90befffaU, (uint32_t)0xa4506cebU, (uint32_t)0xbef9a3f7U, (uint32_t)0xc67178f2U + }; + +static uint64_t +k384_512[80U] = + { + (uint64_t)0x428a2f98d728ae22U, (uint64_t)0x7137449123ef65cdU, (uint64_t)0xb5c0fbcfec4d3b2fU, + (uint64_t)0xe9b5dba58189dbbcU, (uint64_t)0x3956c25bf348b538U, (uint64_t)0x59f111f1b605d019U, + (uint64_t)0x923f82a4af194f9bU, (uint64_t)0xab1c5ed5da6d8118U, (uint64_t)0xd807aa98a3030242U, + (uint64_t)0x12835b0145706fbeU, (uint64_t)0x243185be4ee4b28cU, (uint64_t)0x550c7dc3d5ffb4e2U, + (uint64_t)0x72be5d74f27b896fU, (uint64_t)0x80deb1fe3b1696b1U, (uint64_t)0x9bdc06a725c71235U, + (uint64_t)0xc19bf174cf692694U, (uint64_t)0xe49b69c19ef14ad2U, (uint64_t)0xefbe4786384f25e3U, + (uint64_t)0x0fc19dc68b8cd5b5U, (uint64_t)0x240ca1cc77ac9c65U, (uint64_t)0x2de92c6f592b0275U, + (uint64_t)0x4a7484aa6ea6e483U, (uint64_t)0x5cb0a9dcbd41fbd4U, (uint64_t)0x76f988da831153b5U, + (uint64_t)0x983e5152ee66dfabU, (uint64_t)0xa831c66d2db43210U, (uint64_t)0xb00327c898fb213fU, + (uint64_t)0xbf597fc7beef0ee4U, (uint64_t)0xc6e00bf33da88fc2U, (uint64_t)0xd5a79147930aa725U, + (uint64_t)0x06ca6351e003826fU, (uint64_t)0x142929670a0e6e70U, (uint64_t)0x27b70a8546d22ffcU, + (uint64_t)0x2e1b21385c26c926U, (uint64_t)0x4d2c6dfc5ac42aedU, (uint64_t)0x53380d139d95b3dfU, + (uint64_t)0x650a73548baf63deU, (uint64_t)0x766a0abb3c77b2a8U, (uint64_t)0x81c2c92e47edaee6U, + (uint64_t)0x92722c851482353bU, (uint64_t)0xa2bfe8a14cf10364U, 
(uint64_t)0xa81a664bbc423001U, + (uint64_t)0xc24b8b70d0f89791U, (uint64_t)0xc76c51a30654be30U, (uint64_t)0xd192e819d6ef5218U, + (uint64_t)0xd69906245565a910U, (uint64_t)0xf40e35855771202aU, (uint64_t)0x106aa07032bbd1b8U, + (uint64_t)0x19a4c116b8d2d0c8U, (uint64_t)0x1e376c085141ab53U, (uint64_t)0x2748774cdf8eeb99U, + (uint64_t)0x34b0bcb5e19b48a8U, (uint64_t)0x391c0cb3c5c95a63U, (uint64_t)0x4ed8aa4ae3418acbU, + (uint64_t)0x5b9cca4f7763e373U, (uint64_t)0x682e6ff3d6b2b8a3U, (uint64_t)0x748f82ee5defb2fcU, + (uint64_t)0x78a5636f43172f60U, (uint64_t)0x84c87814a1f0ab72U, (uint64_t)0x8cc702081a6439ecU, + (uint64_t)0x90befffa23631e28U, (uint64_t)0xa4506cebde82bde9U, (uint64_t)0xbef9a3f7b2c67915U, + (uint64_t)0xc67178f2e372532bU, (uint64_t)0xca273eceea26619cU, (uint64_t)0xd186b8c721c0c207U, + (uint64_t)0xeada7dd6cde0eb1eU, (uint64_t)0xf57d4f7fee6ed178U, (uint64_t)0x06f067aa72176fbaU, + (uint64_t)0x0a637dc5a2c898a6U, (uint64_t)0x113f9804bef90daeU, (uint64_t)0x1b710b35131c471bU, + (uint64_t)0x28db77f523047d84U, (uint64_t)0x32caab7b40c72493U, (uint64_t)0x3c9ebe0a15c9bebcU, + (uint64_t)0x431d67c49c100d4cU, (uint64_t)0x4cc5d4becb3e42b6U, (uint64_t)0x597f299cfc657e2aU, + (uint64_t)0x5fcb6fab3ad6faecU, (uint64_t)0x6c44198c4a475817U + }; + +void Hacl_Hash_Core_SHA2_init_224(uint32_t *s) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + s[i] = h224[i]; + } +} + +void Hacl_Hash_Core_SHA2_init_256(uint32_t *s) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + s[i] = h256[i]; + } +} + +void Hacl_Hash_Core_SHA2_init_384(uint64_t *s) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + s[i] = h384[i]; + } +} + +void Hacl_Hash_Core_SHA2_init_512(uint64_t *s) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + s[i] = h512[i]; + } +} + +static void update_224(uint32_t *hash, uint8_t *block) +{ + uint32_t hash1[8U] = { 0U }; + uint32_t computed_ws[64U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + if (i < 
(uint32_t)16U) + { + uint8_t *b = block + i * (uint32_t)4U; + uint32_t u = load32_be(b); + computed_ws[i] = u; + } + else + { + uint32_t t16 = computed_ws[i - (uint32_t)16U]; + uint32_t t15 = computed_ws[i - (uint32_t)15U]; + uint32_t t7 = computed_ws[i - (uint32_t)7U]; + uint32_t t2 = computed_ws[i - (uint32_t)2U]; + uint32_t + s1 = + (t2 >> (uint32_t)17U | t2 << (uint32_t)15U) + ^ ((t2 >> (uint32_t)19U | t2 << (uint32_t)13U) ^ t2 >> (uint32_t)10U); + uint32_t + s0 = + (t15 >> (uint32_t)7U | t15 << (uint32_t)25U) + ^ ((t15 >> (uint32_t)18U | t15 << (uint32_t)14U) ^ t15 >> (uint32_t)3U); + uint32_t w = s1 + t7 + s0 + t16; + computed_ws[i] = w; + } + } + memcpy(hash1, hash, (uint32_t)8U * sizeof (uint32_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint32_t a0 = hash1[0U]; + uint32_t b0 = hash1[1U]; + uint32_t c0 = hash1[2U]; + uint32_t d0 = hash1[3U]; + uint32_t e0 = hash1[4U]; + uint32_t f0 = hash1[5U]; + uint32_t g0 = hash1[6U]; + uint32_t h02 = hash1[7U]; + uint32_t w = computed_ws[i]; + uint32_t + t1 = + h02 + + + ((e0 >> (uint32_t)6U | e0 << (uint32_t)26U) + ^ ((e0 >> (uint32_t)11U | e0 << (uint32_t)21U) ^ (e0 >> (uint32_t)25U | e0 << (uint32_t)7U))) + + ((e0 & f0) ^ (~e0 & g0)) + + k224_256[i] + + w; + uint32_t + t2 = + ((a0 >> (uint32_t)2U | a0 << (uint32_t)30U) + ^ ((a0 >> (uint32_t)13U | a0 << (uint32_t)19U) ^ (a0 >> (uint32_t)22U | a0 << (uint32_t)10U))) + + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); + hash1[0U] = t1 + t2; + hash1[1U] = a0; + hash1[2U] = b0; + hash1[3U] = c0; + hash1[4U] = d0 + t1; + hash1[5U] = e0; + hash1[6U] = f0; + hash1[7U] = g0; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t xi = hash[i]; + uint32_t yi = hash1[i]; + hash[i] = xi + yi; + } +} + +static void update_256(uint32_t *hash, uint8_t *block) +{ + uint32_t hash1[8U] = { 0U }; + uint32_t computed_ws[64U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + if (i < (uint32_t)16U) + { + uint8_t *b = block + i * 
(uint32_t)4U; + uint32_t u = load32_be(b); + computed_ws[i] = u; + } + else + { + uint32_t t16 = computed_ws[i - (uint32_t)16U]; + uint32_t t15 = computed_ws[i - (uint32_t)15U]; + uint32_t t7 = computed_ws[i - (uint32_t)7U]; + uint32_t t2 = computed_ws[i - (uint32_t)2U]; + uint32_t + s1 = + (t2 >> (uint32_t)17U | t2 << (uint32_t)15U) + ^ ((t2 >> (uint32_t)19U | t2 << (uint32_t)13U) ^ t2 >> (uint32_t)10U); + uint32_t + s0 = + (t15 >> (uint32_t)7U | t15 << (uint32_t)25U) + ^ ((t15 >> (uint32_t)18U | t15 << (uint32_t)14U) ^ t15 >> (uint32_t)3U); + uint32_t w = s1 + t7 + s0 + t16; + computed_ws[i] = w; + } + } + memcpy(hash1, hash, (uint32_t)8U * sizeof (uint32_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint32_t a0 = hash1[0U]; + uint32_t b0 = hash1[1U]; + uint32_t c0 = hash1[2U]; + uint32_t d0 = hash1[3U]; + uint32_t e0 = hash1[4U]; + uint32_t f0 = hash1[5U]; + uint32_t g0 = hash1[6U]; + uint32_t h02 = hash1[7U]; + uint32_t w = computed_ws[i]; + uint32_t + t1 = + h02 + + + ((e0 >> (uint32_t)6U | e0 << (uint32_t)26U) + ^ ((e0 >> (uint32_t)11U | e0 << (uint32_t)21U) ^ (e0 >> (uint32_t)25U | e0 << (uint32_t)7U))) + + ((e0 & f0) ^ (~e0 & g0)) + + k224_256[i] + + w; + uint32_t + t2 = + ((a0 >> (uint32_t)2U | a0 << (uint32_t)30U) + ^ ((a0 >> (uint32_t)13U | a0 << (uint32_t)19U) ^ (a0 >> (uint32_t)22U | a0 << (uint32_t)10U))) + + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); + hash1[0U] = t1 + t2; + hash1[1U] = a0; + hash1[2U] = b0; + hash1[3U] = c0; + hash1[4U] = d0 + t1; + hash1[5U] = e0; + hash1[6U] = f0; + hash1[7U] = g0; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t xi = hash[i]; + uint32_t yi = hash1[i]; + hash[i] = xi + yi; + } +} + +void Hacl_Hash_Core_SHA2_update_384(uint64_t *hash, uint8_t *block) +{ + uint64_t hash1[8U] = { 0U }; + uint64_t computed_ws[80U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)80U; i++) + { + if (i < (uint32_t)16U) + { + uint8_t *b = block + i * (uint32_t)8U; + uint64_t u = 
load64_be(b); + computed_ws[i] = u; + } + else + { + uint64_t t16 = computed_ws[i - (uint32_t)16U]; + uint64_t t15 = computed_ws[i - (uint32_t)15U]; + uint64_t t7 = computed_ws[i - (uint32_t)7U]; + uint64_t t2 = computed_ws[i - (uint32_t)2U]; + uint64_t + s1 = + (t2 >> (uint32_t)19U | t2 << (uint32_t)45U) + ^ ((t2 >> (uint32_t)61U | t2 << (uint32_t)3U) ^ t2 >> (uint32_t)6U); + uint64_t + s0 = + (t15 >> (uint32_t)1U | t15 << (uint32_t)63U) + ^ ((t15 >> (uint32_t)8U | t15 << (uint32_t)56U) ^ t15 >> (uint32_t)7U); + uint64_t w = s1 + t7 + s0 + t16; + computed_ws[i] = w; + } + } + memcpy(hash1, hash, (uint32_t)8U * sizeof (uint64_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)80U; i++) + { + uint64_t a0 = hash1[0U]; + uint64_t b0 = hash1[1U]; + uint64_t c0 = hash1[2U]; + uint64_t d0 = hash1[3U]; + uint64_t e0 = hash1[4U]; + uint64_t f0 = hash1[5U]; + uint64_t g0 = hash1[6U]; + uint64_t h02 = hash1[7U]; + uint64_t w = computed_ws[i]; + uint64_t + t1 = + h02 + + + ((e0 >> (uint32_t)14U | e0 << (uint32_t)50U) + ^ + ((e0 >> (uint32_t)18U | e0 << (uint32_t)46U) + ^ (e0 >> (uint32_t)41U | e0 << (uint32_t)23U))) + + ((e0 & f0) ^ (~e0 & g0)) + + k384_512[i] + + w; + uint64_t + t2 = + ((a0 >> (uint32_t)28U | a0 << (uint32_t)36U) + ^ ((a0 >> (uint32_t)34U | a0 << (uint32_t)30U) ^ (a0 >> (uint32_t)39U | a0 << (uint32_t)25U))) + + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); + hash1[0U] = t1 + t2; + hash1[1U] = a0; + hash1[2U] = b0; + hash1[3U] = c0; + hash1[4U] = d0 + t1; + hash1[5U] = e0; + hash1[6U] = f0; + hash1[7U] = g0; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint64_t xi = hash[i]; + uint64_t yi = hash1[i]; + hash[i] = xi + yi; + } +} + +void Hacl_Hash_Core_SHA2_update_512(uint64_t *hash, uint8_t *block) +{ + uint64_t hash1[8U] = { 0U }; + uint64_t computed_ws[80U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)80U; i++) + { + if (i < (uint32_t)16U) + { + uint8_t *b = block + i * (uint32_t)8U; + uint64_t u = load64_be(b); + 
computed_ws[i] = u; + } + else + { + uint64_t t16 = computed_ws[i - (uint32_t)16U]; + uint64_t t15 = computed_ws[i - (uint32_t)15U]; + uint64_t t7 = computed_ws[i - (uint32_t)7U]; + uint64_t t2 = computed_ws[i - (uint32_t)2U]; + uint64_t + s1 = + (t2 >> (uint32_t)19U | t2 << (uint32_t)45U) + ^ ((t2 >> (uint32_t)61U | t2 << (uint32_t)3U) ^ t2 >> (uint32_t)6U); + uint64_t + s0 = + (t15 >> (uint32_t)1U | t15 << (uint32_t)63U) + ^ ((t15 >> (uint32_t)8U | t15 << (uint32_t)56U) ^ t15 >> (uint32_t)7U); + uint64_t w = s1 + t7 + s0 + t16; + computed_ws[i] = w; + } + } + memcpy(hash1, hash, (uint32_t)8U * sizeof (uint64_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)80U; i++) + { + uint64_t a0 = hash1[0U]; + uint64_t b0 = hash1[1U]; + uint64_t c0 = hash1[2U]; + uint64_t d0 = hash1[3U]; + uint64_t e0 = hash1[4U]; + uint64_t f0 = hash1[5U]; + uint64_t g0 = hash1[6U]; + uint64_t h02 = hash1[7U]; + uint64_t w = computed_ws[i]; + uint64_t + t1 = + h02 + + + ((e0 >> (uint32_t)14U | e0 << (uint32_t)50U) + ^ + ((e0 >> (uint32_t)18U | e0 << (uint32_t)46U) + ^ (e0 >> (uint32_t)41U | e0 << (uint32_t)23U))) + + ((e0 & f0) ^ (~e0 & g0)) + + k384_512[i] + + w; + uint64_t + t2 = + ((a0 >> (uint32_t)28U | a0 << (uint32_t)36U) + ^ ((a0 >> (uint32_t)34U | a0 << (uint32_t)30U) ^ (a0 >> (uint32_t)39U | a0 << (uint32_t)25U))) + + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); + hash1[0U] = t1 + t2; + hash1[1U] = a0; + hash1[2U] = b0; + hash1[3U] = c0; + hash1[4U] = d0 + t1; + hash1[5U] = e0; + hash1[6U] = f0; + hash1[7U] = g0; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint64_t xi = hash[i]; + uint64_t yi = hash1[i]; + hash[i] = xi + yi; + } +} + +static void pad_224(uint64_t len, uint8_t *dst) +{ + uint8_t *dst1 = dst; + dst1[0U] = (uint8_t)0x80U; + uint8_t *dst2 = dst + (uint32_t)1U; + for + (uint32_t + i = (uint32_t)0U; + i + < ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(len % (uint64_t)(uint32_t)64U))) % (uint32_t)64U; + i++) + { + dst2[i] = (uint8_t)0U; + } + uint8_t 
+ *dst3 = + dst + + + (uint32_t)1U + + + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U; + store64_be(dst3, len << (uint32_t)3U); +} + +void Hacl_Hash_Core_SHA2_pad_256(uint64_t len, uint8_t *dst) +{ + uint8_t *dst1 = dst; + dst1[0U] = (uint8_t)0x80U; + uint8_t *dst2 = dst + (uint32_t)1U; + for + (uint32_t + i = (uint32_t)0U; + i + < ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(len % (uint64_t)(uint32_t)64U))) % (uint32_t)64U; + i++) + { + dst2[i] = (uint8_t)0U; + } + uint8_t + *dst3 = + dst + + + (uint32_t)1U + + + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U; + store64_be(dst3, len << (uint32_t)3U); +} + +static void pad_384(FStar_UInt128_uint128 len, uint8_t *dst) +{ + uint8_t *dst1 = dst; + dst1[0U] = (uint8_t)0x80U; + uint8_t *dst2 = dst + (uint32_t)1U; + for + (uint32_t + i = (uint32_t)0U; + i + < + ((uint32_t)256U + - + ((uint32_t)17U + + (uint32_t)(FStar_UInt128_uint128_to_uint64(len) % (uint64_t)(uint32_t)128U))) + % (uint32_t)128U; + i++) + { + dst2[i] = (uint8_t)0U; + } + uint8_t + *dst3 = + dst + + + (uint32_t)1U + + + ((uint32_t)256U + - + ((uint32_t)17U + + (uint32_t)(FStar_UInt128_uint128_to_uint64(len) % (uint64_t)(uint32_t)128U))) + % (uint32_t)128U; + FStar_UInt128_uint128 len_ = FStar_UInt128_shift_left(len, (uint32_t)3U); + store128_be(dst3, len_); +} + +static void pad_512(FStar_UInt128_uint128 len, uint8_t *dst) +{ + uint8_t *dst1 = dst; + dst1[0U] = (uint8_t)0x80U; + uint8_t *dst2 = dst + (uint32_t)1U; + for + (uint32_t + i = (uint32_t)0U; + i + < + ((uint32_t)256U + - + ((uint32_t)17U + + (uint32_t)(FStar_UInt128_uint128_to_uint64(len) % (uint64_t)(uint32_t)128U))) + % (uint32_t)128U; + i++) + { + dst2[i] = (uint8_t)0U; + } + uint8_t + *dst3 = + dst + + + (uint32_t)1U + + + ((uint32_t)256U + - + ((uint32_t)17U + + (uint32_t)(FStar_UInt128_uint128_to_uint64(len) % (uint64_t)(uint32_t)128U))) + % (uint32_t)128U; + FStar_UInt128_uint128 len_ = 
FStar_UInt128_shift_left(len, (uint32_t)3U); + store128_be(dst3, len_); +} + +void Hacl_Hash_Core_SHA2_finish_224(uint32_t *s, uint8_t *dst) +{ + uint32_t *uu____0 = s; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)7U; i++) + { + store32_be(dst + i * (uint32_t)4U, uu____0[i]); + } +} + +void Hacl_Hash_Core_SHA2_finish_256(uint32_t *s, uint8_t *dst) +{ + uint32_t *uu____0 = s; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + store32_be(dst + i * (uint32_t)4U, uu____0[i]); + } +} + +void Hacl_Hash_Core_SHA2_finish_384(uint64_t *s, uint8_t *dst) +{ + uint64_t *uu____0 = s; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)6U; i++) + { + store64_be(dst + i * (uint32_t)8U, uu____0[i]); + } +} + +void Hacl_Hash_Core_SHA2_finish_512(uint64_t *s, uint8_t *dst) +{ + uint64_t *uu____0 = s; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + store64_be(dst + i * (uint32_t)8U, uu____0[i]); + } +} + +void Hacl_Hash_SHA2_update_multi_224(uint32_t *s, uint8_t *blocks, uint32_t n_blocks) +{ + for (uint32_t i = (uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)64U; + uint8_t *block = blocks + sz * i; + update_224(s, block); + } +} + +void Hacl_Hash_SHA2_update_multi_256(uint32_t *s, uint8_t *blocks, uint32_t n_blocks) +{ + for (uint32_t i = (uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)64U; + uint8_t *block = blocks + sz * i; + update_256(s, block); + } +} + +void Hacl_Hash_SHA2_update_multi_384(uint64_t *s, uint8_t *blocks, uint32_t n_blocks) +{ + for (uint32_t i = (uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)128U; + uint8_t *block = blocks + sz * i; + Hacl_Hash_Core_SHA2_update_384(s, block); + } +} + +void Hacl_Hash_SHA2_update_multi_512(uint64_t *s, uint8_t *blocks, uint32_t n_blocks) +{ + for (uint32_t i = (uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)128U; + uint8_t *block = blocks + sz * i; + Hacl_Hash_Core_SHA2_update_512(s, block); + } +} + +void +Hacl_Hash_SHA2_update_last_224( + 
uint32_t *s, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)64U; + uint32_t blocks_len = blocks_n * (uint32_t)64U; + uint8_t *blocks = input; + uint32_t rest_len = input_len - blocks_len; + uint8_t *rest = input + blocks_len; + Hacl_Hash_SHA2_update_multi_224(s, blocks, blocks_n); + uint64_t total_input_len = prev_len + (uint64_t)input_len; + uint32_t + pad_len = + (uint32_t)1U + + + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(total_input_len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U + + (uint32_t)8U; + uint32_t tmp_len = rest_len + pad_len; + uint8_t tmp_twoblocks[128U] = { 0U }; + uint8_t *tmp = tmp_twoblocks; + uint8_t *tmp_rest = tmp; + uint8_t *tmp_pad = tmp + rest_len; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + pad_224(total_input_len, tmp_pad); + Hacl_Hash_SHA2_update_multi_224(s, tmp, tmp_len / (uint32_t)64U); +} + +void +Hacl_Hash_SHA2_update_last_256( + uint32_t *s, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)64U; + uint32_t blocks_len = blocks_n * (uint32_t)64U; + uint8_t *blocks = input; + uint32_t rest_len = input_len - blocks_len; + uint8_t *rest = input + blocks_len; + Hacl_Hash_SHA2_update_multi_256(s, blocks, blocks_n); + uint64_t total_input_len = prev_len + (uint64_t)input_len; + uint32_t + pad_len = + (uint32_t)1U + + + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(total_input_len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U + + (uint32_t)8U; + uint32_t tmp_len = rest_len + pad_len; + uint8_t tmp_twoblocks[128U] = { 0U }; + uint8_t *tmp = tmp_twoblocks; + uint8_t *tmp_rest = tmp; + uint8_t *tmp_pad = tmp + rest_len; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + Hacl_Hash_Core_SHA2_pad_256(total_input_len, tmp_pad); + Hacl_Hash_SHA2_update_multi_256(s, tmp, tmp_len / (uint32_t)64U); +} + +void +Hacl_Hash_SHA2_update_last_384( + uint64_t *s, + FStar_UInt128_uint128 prev_len, + uint8_t 
*input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)128U; + uint32_t blocks_len = blocks_n * (uint32_t)128U; + uint8_t *blocks = input; + uint32_t rest_len = input_len - blocks_len; + uint8_t *rest = input + blocks_len; + Hacl_Hash_SHA2_update_multi_384(s, blocks, blocks_n); + FStar_UInt128_uint128 + total_input_len = + FStar_UInt128_add(prev_len, + FStar_UInt128_uint64_to_uint128((uint64_t)input_len)); + uint32_t + pad_len = + (uint32_t)1U + + + ((uint32_t)256U + - + ((uint32_t)17U + + (uint32_t)(FStar_UInt128_uint128_to_uint64(total_input_len) % (uint64_t)(uint32_t)128U))) + % (uint32_t)128U + + (uint32_t)16U; + uint32_t tmp_len = rest_len + pad_len; + uint8_t tmp_twoblocks[256U] = { 0U }; + uint8_t *tmp = tmp_twoblocks; + uint8_t *tmp_rest = tmp; + uint8_t *tmp_pad = tmp + rest_len; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + pad_384(total_input_len, tmp_pad); + Hacl_Hash_SHA2_update_multi_384(s, tmp, tmp_len / (uint32_t)128U); +} + +void +Hacl_Hash_SHA2_update_last_512( + uint64_t *s, + FStar_UInt128_uint128 prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)128U; + uint32_t blocks_len = blocks_n * (uint32_t)128U; + uint8_t *blocks = input; + uint32_t rest_len = input_len - blocks_len; + uint8_t *rest = input + blocks_len; + Hacl_Hash_SHA2_update_multi_512(s, blocks, blocks_n); + FStar_UInt128_uint128 + total_input_len = + FStar_UInt128_add(prev_len, + FStar_UInt128_uint64_to_uint128((uint64_t)input_len)); + uint32_t + pad_len = + (uint32_t)1U + + + ((uint32_t)256U + - + ((uint32_t)17U + + (uint32_t)(FStar_UInt128_uint128_to_uint64(total_input_len) % (uint64_t)(uint32_t)128U))) + % (uint32_t)128U + + (uint32_t)16U; + uint32_t tmp_len = rest_len + pad_len; + uint8_t tmp_twoblocks[256U] = { 0U }; + uint8_t *tmp = tmp_twoblocks; + uint8_t *tmp_rest = tmp; + uint8_t *tmp_pad = tmp + rest_len; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + pad_512(total_input_len, 
tmp_pad); + Hacl_Hash_SHA2_update_multi_512(s, tmp, tmp_len / (uint32_t)128U); +} + +void Hacl_Hash_SHA2_hash_224(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + uint32_t + scrut[8U] = + { + (uint32_t)0xc1059ed8U, (uint32_t)0x367cd507U, (uint32_t)0x3070dd17U, (uint32_t)0xf70e5939U, + (uint32_t)0xffc00b31U, (uint32_t)0x68581511U, (uint32_t)0x64f98fa7U, (uint32_t)0xbefa4fa4U + }; + uint32_t *s = scrut; + uint32_t blocks_n0 = input_len / (uint32_t)64U; + uint32_t blocks_n1; + if (input_len % (uint32_t)64U == (uint32_t)0U && blocks_n0 > (uint32_t)0U) + { + blocks_n1 = blocks_n0 - (uint32_t)1U; + } + else + { + blocks_n1 = blocks_n0; + } + uint32_t blocks_len0 = blocks_n1 * (uint32_t)64U; + uint8_t *blocks0 = input; + uint32_t rest_len0 = input_len - blocks_len0; + uint8_t *rest0 = input + blocks_len0; + uint32_t blocks_n = blocks_n1; + uint32_t blocks_len = blocks_len0; + uint8_t *blocks = blocks0; + uint32_t rest_len = rest_len0; + uint8_t *rest = rest0; + Hacl_Hash_SHA2_update_multi_224(s, blocks, blocks_n); + Hacl_Hash_SHA2_update_last_224(s, (uint64_t)blocks_len, rest, rest_len); + Hacl_Hash_Core_SHA2_finish_224(s, dst); +} + +void Hacl_Hash_SHA2_hash_256(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + uint32_t + scrut[8U] = + { + (uint32_t)0x6a09e667U, (uint32_t)0xbb67ae85U, (uint32_t)0x3c6ef372U, (uint32_t)0xa54ff53aU, + (uint32_t)0x510e527fU, (uint32_t)0x9b05688cU, (uint32_t)0x1f83d9abU, (uint32_t)0x5be0cd19U + }; + uint32_t *s = scrut; + uint32_t blocks_n0 = input_len / (uint32_t)64U; + uint32_t blocks_n1; + if (input_len % (uint32_t)64U == (uint32_t)0U && blocks_n0 > (uint32_t)0U) + { + blocks_n1 = blocks_n0 - (uint32_t)1U; + } + else + { + blocks_n1 = blocks_n0; + } + uint32_t blocks_len0 = blocks_n1 * (uint32_t)64U; + uint8_t *blocks0 = input; + uint32_t rest_len0 = input_len - blocks_len0; + uint8_t *rest0 = input + blocks_len0; + uint32_t blocks_n = blocks_n1; + uint32_t blocks_len = blocks_len0; + uint8_t *blocks = blocks0; + uint32_t 
rest_len = rest_len0; + uint8_t *rest = rest0; + Hacl_Hash_SHA2_update_multi_256(s, blocks, blocks_n); + Hacl_Hash_SHA2_update_last_256(s, (uint64_t)blocks_len, rest, rest_len); + Hacl_Hash_Core_SHA2_finish_256(s, dst); +} + +typedef uint64_t *___uint64_t____; + +void Hacl_Hash_SHA2_hash_384(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + uint64_t + scrut[8U] = + { + (uint64_t)0xcbbb9d5dc1059ed8U, (uint64_t)0x629a292a367cd507U, (uint64_t)0x9159015a3070dd17U, + (uint64_t)0x152fecd8f70e5939U, (uint64_t)0x67332667ffc00b31U, (uint64_t)0x8eb44a8768581511U, + (uint64_t)0xdb0c2e0d64f98fa7U, (uint64_t)0x47b5481dbefa4fa4U + }; + uint64_t *s = scrut; + uint32_t blocks_n0 = input_len / (uint32_t)128U; + uint32_t blocks_n1; + if (input_len % (uint32_t)128U == (uint32_t)0U && blocks_n0 > (uint32_t)0U) + { + blocks_n1 = blocks_n0 - (uint32_t)1U; + } + else + { + blocks_n1 = blocks_n0; + } + uint32_t blocks_len0 = blocks_n1 * (uint32_t)128U; + uint8_t *blocks0 = input; + uint32_t rest_len0 = input_len - blocks_len0; + uint8_t *rest0 = input + blocks_len0; + uint32_t blocks_n = blocks_n1; + uint32_t blocks_len = blocks_len0; + uint8_t *blocks = blocks0; + uint32_t rest_len = rest_len0; + uint8_t *rest = rest0; + Hacl_Hash_SHA2_update_multi_384(s, blocks, blocks_n); + Hacl_Hash_SHA2_update_last_384(s, + FStar_UInt128_uint64_to_uint128((uint64_t)blocks_len), + rest, + rest_len); + Hacl_Hash_Core_SHA2_finish_384(s, dst); +} + +void Hacl_Hash_SHA2_hash_512(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + uint64_t + scrut[8U] = + { + (uint64_t)0x6a09e667f3bcc908U, (uint64_t)0xbb67ae8584caa73bU, (uint64_t)0x3c6ef372fe94f82bU, + (uint64_t)0xa54ff53a5f1d36f1U, (uint64_t)0x510e527fade682d1U, (uint64_t)0x9b05688c2b3e6c1fU, + (uint64_t)0x1f83d9abfb41bd6bU, (uint64_t)0x5be0cd19137e2179U + }; + uint64_t *s = scrut; + uint32_t blocks_n0 = input_len / (uint32_t)128U; + uint32_t blocks_n1; + if (input_len % (uint32_t)128U == (uint32_t)0U && blocks_n0 > (uint32_t)0U) + { + blocks_n1 = 
blocks_n0 - (uint32_t)1U; + } + else + { + blocks_n1 = blocks_n0; + } + uint32_t blocks_len0 = blocks_n1 * (uint32_t)128U; + uint8_t *blocks0 = input; + uint32_t rest_len0 = input_len - blocks_len0; + uint8_t *rest0 = input + blocks_len0; + uint32_t blocks_n = blocks_n1; + uint32_t blocks_len = blocks_len0; + uint8_t *blocks = blocks0; + uint32_t rest_len = rest_len0; + uint8_t *rest = rest0; + Hacl_Hash_SHA2_update_multi_512(s, blocks, blocks_n); + Hacl_Hash_SHA2_update_last_512(s, + FStar_UInt128_uint64_to_uint128((uint64_t)blocks_len), + rest, + rest_len); + Hacl_Hash_Core_SHA2_finish_512(s, dst); +} + diff --git a/src/Hacl_Kremlib.c b/src/Hacl_Kremlib.c new file mode 100644 index 00000000..ac1f323c --- /dev/null +++ b/src/Hacl_Kremlib.c 
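Review bot: `update_224` and `update_256` are token-for-token identical (both index `k224_256` with the same rotations), as are `pad_224` and `Hacl_Hash_Core_SHA2_pad_256`, and `pad_384` and `pad_512`; since the 224/256 and 384/512 variants differ only in their initial state and in how many words `finish_*` emits, one shared compression and one shared pad per word size would halve the code under review. This looks like an artifact of extraction from the verified source rather than hand-written duplication, so if the copies are kept, a comment on each pair such as `/* Identical to update_256; kept separate to mirror the verified source. */` would tell a maintainer that the two bodies must stay in sync. Also, `typedef uint64_t *___uint64_t____;` is unused in this file and its name contains `__`, which C reserves for the implementation; the same holds for `___uint32_t____` in the MD5 hunk.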
@@ -0,0 +1,45 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#include "internal/Hacl_Kremlib.h"
+
+
+
+static uint32_t max_uint32 = (uint32_t)4294967295U;
+
+static uint32_t resize_ratio = (uint32_t)2U;
+
+uint32_t LowStar_Vector_new_capacity(uint32_t cap)
+{
+ if (cap >= max_uint32 / resize_ratio)
+ {
+ return max_uint32;
+ }
+ if (cap == (uint32_t)0U)
+ {
+ return (uint32_t)1U;
+ }
+ return cap * resize_ratio;
+}
+
diff --git a/src/Hacl_NaCl.c b/src/Hacl_NaCl.c
new file mode 100644
index 00000000..6cbed421
--- /dev/null
+++ b/src/Hacl_NaCl.c
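Review bot: `max_uint32` and `resize_ratio` are plain `static uint32_t` globals although nothing in the file writes them, so they are mutable file-scope state rather than constants; declaring them `static const uint32_t max_uint32 = (uint32_t)4294967295U;` and `static const uint32_t resize_ratio = (uint32_t)2U;` makes the values unmodifiable and lets `max_uint32 / resize_ratio` fold at compile time. The saturation check in `LowStar_Vector_new_capacity` is sound as written: any `cap >= 0x7fffffff` returns `max_uint32`, so the final `cap * resize_ratio` cannot wrap. The file looks KaRaMeL-extracted, so the change would belong in the upstream source rather than in this copy.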
@@ -0,0 +1,413 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_NaCl.h" + +#include "internal/Hacl_Kremlib.h" + +static void secretbox_init(uint8_t *xkeys, uint8_t *k, uint8_t *n) +{ + uint8_t *subkey = xkeys; + uint8_t *aekey = xkeys + (uint32_t)32U; + uint8_t *n0 = n; + uint8_t *n1 = n + (uint32_t)16U; + Hacl_Salsa20_hsalsa20(subkey, k, n0); + Hacl_Salsa20_salsa20_key_block0(aekey, subkey, n1); +} + +static void +secretbox_detached(uint32_t mlen, uint8_t *c, uint8_t *tag, uint8_t *k, uint8_t *n, uint8_t *m) +{ + uint8_t xkeys[96U] = { 0U }; + secretbox_init(xkeys, k, n); + uint8_t *mkey = xkeys + (uint32_t)32U; + uint8_t *n1 = n + (uint32_t)16U; + uint8_t *subkey = xkeys; + uint8_t *ekey0 = xkeys + (uint32_t)64U; + uint32_t mlen0; + if (mlen <= (uint32_t)32U) + { + mlen0 = mlen; + } + else + { + mlen0 = (uint32_t)32U; + } + uint32_t mlen1 = mlen - mlen0; + uint8_t *m0 = m; + uint8_t *m1 = m + mlen0; + uint8_t block0[32U] = { 0U }; + memcpy(block0, m0, mlen0 * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint8_t *os = block0; + uint8_t x = block0[i] ^ ekey0[i]; + os[i] = x; + } + uint8_t *c0 = c; + uint8_t *c1 = c + mlen0; + memcpy(c0, block0, mlen0 * sizeof (uint8_t)); + Hacl_Salsa20_salsa20_encrypt(mlen1, c1, m1, subkey, n1, (uint32_t)1U); + Hacl_Poly1305_32_poly1305_mac(tag, mlen, c, mkey); +} + +static uint32_t +secretbox_open_detached( + uint32_t mlen, + uint8_t *m, + uint8_t *k, + uint8_t *n, + uint8_t *c, + uint8_t *tag +) +{ + uint8_t xkeys[96U] = { 0U }; + secretbox_init(xkeys, k, n); + uint8_t *mkey = xkeys + (uint32_t)32U; + uint8_t tag_[16U] = { 0U }; + Hacl_Poly1305_32_poly1305_mac(tag_, mlen, c, mkey); + uint8_t res = (uint8_t)255U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint8_t uu____0 = FStar_UInt8_eq_mask(tag[i], tag_[i]); + res = uu____0 & res; + } + uint8_t z = res; + if (z == (uint8_t)255U) + { + uint8_t *subkey = xkeys; + uint8_t *ekey0 = xkeys + (uint32_t)64U; + uint8_t *n1 = n + (uint32_t)16U; + uint32_t mlen0; + if 
(mlen <= (uint32_t)32U) + { + mlen0 = mlen; + } + else + { + mlen0 = (uint32_t)32U; + } + uint32_t mlen1 = mlen - mlen0; + uint8_t *c0 = c; + uint8_t *c1 = c + mlen0; + uint8_t block0[32U] = { 0U }; + memcpy(block0, c0, mlen0 * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint8_t *os = block0; + uint8_t x = block0[i] ^ ekey0[i]; + os[i] = x; + } + uint8_t *m0 = m; + uint8_t *m1 = m + mlen0; + memcpy(m0, block0, mlen0 * sizeof (uint8_t)); + Hacl_Salsa20_salsa20_decrypt(mlen1, m1, c1, subkey, n1, (uint32_t)1U); + return (uint32_t)0U; + } + return (uint32_t)0xffffffffU; +} + +static void secretbox_easy(uint32_t mlen, uint8_t *c, uint8_t *k, uint8_t *n, uint8_t *m) +{ + uint8_t *tag = c; + uint8_t *cip = c + (uint32_t)16U; + secretbox_detached(mlen, cip, tag, k, n, m); +} + +static uint32_t +secretbox_open_easy(uint32_t mlen, uint8_t *m, uint8_t *k, uint8_t *n, uint8_t *c) +{ + uint8_t *tag = c; + uint8_t *cip = c + (uint32_t)16U; + return secretbox_open_detached(mlen, m, k, n, cip, tag); +} + +static inline uint32_t box_beforenm(uint8_t *k, uint8_t *pk, uint8_t *sk) +{ + uint8_t n0[16U] = { 0U }; + bool r = Hacl_Curve25519_51_ecdh(k, sk, pk); + if (r) + { + Hacl_Salsa20_hsalsa20(k, k, n0); + return (uint32_t)0U; + } + return (uint32_t)0xffffffffU; +} + +static inline uint32_t +box_detached_afternm( + uint32_t mlen, + uint8_t *c, + uint8_t *tag, + uint8_t *k, + uint8_t *n, + uint8_t *m +) +{ + secretbox_detached(mlen, c, tag, k, n, m); + return (uint32_t)0U; +} + +static inline uint32_t +box_detached( + uint32_t mlen, + uint8_t *c, + uint8_t *tag, + uint8_t *sk, + uint8_t *pk, + uint8_t *n, + uint8_t *m +) +{ + uint8_t k[32U] = { 0U }; + uint32_t r = box_beforenm(k, pk, sk); + if (r == (uint32_t)0U) + { + return box_detached_afternm(mlen, c, tag, k, n, m); + } + return (uint32_t)0xffffffffU; +} + +static inline uint32_t +box_open_detached_afternm( + uint32_t mlen, + uint8_t *m, + uint8_t *k, + uint8_t *n, + uint8_t *c, + uint8_t 
*tag +) +{ + return secretbox_open_detached(mlen, m, k, n, c, tag); +} + +static inline uint32_t +box_open_detached( + uint32_t mlen, + uint8_t *m, + uint8_t *pk, + uint8_t *sk, + uint8_t *n, + uint8_t *c, + uint8_t *tag +) +{ + uint8_t k[32U] = { 0U }; + uint32_t r = box_beforenm(k, pk, sk); + if (r == (uint32_t)0U) + { + return box_open_detached_afternm(mlen, m, k, n, c, tag); + } + return (uint32_t)0xffffffffU; +} + +static inline uint32_t +box_easy_afternm(uint32_t mlen, uint8_t *c, uint8_t *k, uint8_t *n, uint8_t *m) +{ + uint8_t *tag = c; + uint8_t *cip = c + (uint32_t)16U; + uint32_t res = box_detached_afternm(mlen, cip, tag, k, n, m); + return res; +} + +static inline uint32_t +box_easy(uint32_t mlen, uint8_t *c, uint8_t *sk, uint8_t *pk, uint8_t *n, uint8_t *m) +{ + uint8_t *tag = c; + uint8_t *cip = c + (uint32_t)16U; + uint32_t res = box_detached(mlen, cip, tag, sk, pk, n, m); + return res; +} + +static inline uint32_t +box_open_easy_afternm(uint32_t mlen, uint8_t *m, uint8_t *k, uint8_t *n, uint8_t *c) +{ + uint8_t *tag = c; + uint8_t *cip = c + (uint32_t)16U; + return box_open_detached_afternm(mlen, m, k, n, cip, tag); +} + +static inline uint32_t +box_open_easy(uint32_t mlen, uint8_t *m, uint8_t *pk, uint8_t *sk, uint8_t *n, uint8_t *c) +{ + uint8_t *tag = c; + uint8_t *cip = c + (uint32_t)16U; + return box_open_detached(mlen, m, pk, sk, n, cip, tag); +} + +uint32_t +Hacl_NaCl_crypto_secretbox_detached( + uint8_t *c, + uint8_t *tag, + uint8_t *m, + uint32_t mlen, + uint8_t *n, + uint8_t *k +) +{ + secretbox_detached(mlen, c, tag, k, n, m); + return (uint32_t)0U; +} + +uint32_t +Hacl_NaCl_crypto_secretbox_open_detached( + uint8_t *m, + uint8_t *c, + uint8_t *tag, + uint32_t mlen, + uint8_t *n, + uint8_t *k +) +{ + return secretbox_open_detached(mlen, m, k, n, c, tag); +} + +uint32_t +Hacl_NaCl_crypto_secretbox_easy(uint8_t *c, uint8_t *m, uint32_t mlen, uint8_t *n, uint8_t *k) +{ + secretbox_easy(mlen, c, k, n, m); + return (uint32_t)0U; +} + +uint32_t 
+Hacl_NaCl_crypto_secretbox_open_easy( + uint8_t *m, + uint8_t *c, + uint32_t clen, + uint8_t *n, + uint8_t *k +) +{ + return secretbox_open_easy(clen - (uint32_t)16U, m, k, n, c); +} + +uint32_t Hacl_NaCl_crypto_box_beforenm(uint8_t *k, uint8_t *pk, uint8_t *sk) +{ + return box_beforenm(k, pk, sk); +} + +uint32_t +Hacl_NaCl_crypto_box_detached_afternm( + uint8_t *c, + uint8_t *tag, + uint8_t *m, + uint32_t mlen, + uint8_t *n, + uint8_t *k +) +{ + return box_detached_afternm(mlen, c, tag, k, n, m); +} + +uint32_t +Hacl_NaCl_crypto_box_detached( + uint8_t *c, + uint8_t *tag, + uint8_t *m, + uint32_t mlen, + uint8_t *n, + uint8_t *pk, + uint8_t *sk +) +{ + return box_detached(mlen, c, tag, sk, pk, n, m); +} + +uint32_t +Hacl_NaCl_crypto_box_open_detached_afternm( + uint8_t *m, + uint8_t *c, + uint8_t *tag, + uint32_t mlen, + uint8_t *n, + uint8_t *k +) +{ + return box_open_detached_afternm(mlen, m, k, n, c, tag); +} + +uint32_t +Hacl_NaCl_crypto_box_open_detached( + uint8_t *m, + uint8_t *c, + uint8_t *tag, + uint32_t mlen, + uint8_t *n, + uint8_t *pk, + uint8_t *sk +) +{ + return box_open_detached(mlen, m, pk, sk, n, c, tag); +} + +uint32_t +Hacl_NaCl_crypto_box_easy_afternm( + uint8_t *c, + uint8_t *m, + uint32_t mlen, + uint8_t *n, + uint8_t *k +) +{ + return box_easy_afternm(mlen, c, k, n, m); +} + +uint32_t +Hacl_NaCl_crypto_box_easy( + uint8_t *c, + uint8_t *m, + uint32_t mlen, + uint8_t *n, + uint8_t *pk, + uint8_t *sk +) +{ + return box_easy(mlen, c, sk, pk, n, m); +} + +uint32_t +Hacl_NaCl_crypto_box_open_easy_afternm( + uint8_t *m, + uint8_t *c, + uint32_t clen, + uint8_t *n, + uint8_t *k +) +{ + return box_open_easy_afternm(clen - (uint32_t)16U, m, k, n, c); +} + +uint32_t +Hacl_NaCl_crypto_box_open_easy( + uint8_t *m, + uint8_t *c, + uint32_t clen, + uint8_t *n, + uint8_t *pk, + uint8_t *sk +) +{ + return box_open_easy(clen - (uint32_t)16U, m, pk, sk, n, c); +} + diff --git a/src/Hacl_P256.c b/src/Hacl_P256.c new file mode 100644 index 00000000..6da23f6b 
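Review bot: The `*_open_easy*` wrappers at the end of the hunk compute `clen - (uint32_t)16U` without checking that `clen >= 16`, so a ciphertext shorter than the tag wraps the length to near `UINT32_MAX`, which `secretbox_open_detached` then passes as `mlen` to `Hacl_Poly1305_32_poly1305_mac`, presumably reading that many bytes of `c`. The code appears KaRaMeL-extracted and likely relies on an F* precondition, but a C caller gets no such check; either state the precondition in the public header or add `if (clen < (uint32_t)16U) { return (uint32_t)0xffffffffU; }` at the top of `Hacl_NaCl_crypto_secretbox_open_easy`, `Hacl_NaCl_crypto_box_open_easy_afternm` and `Hacl_NaCl_crypto_box_open_easy`. Separately, `xkeys[96U]` in `secretbox_detached`/`secretbox_open_detached` and `k[32U]` in `box_detached`/`box_open_detached` hold derived key material and are left on the stack on return; clearing them with a non-elidable zeroing call (e.g. `explicit_bzero`) before returning would keep shared secrets from lingering in stack memory. The constant-time tag comparison via `FStar_UInt8_eq_mask` and the decrypt-only-on-match branch are fine as they stand.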
--- /dev/null +++ b/src/Hacl_P256.c 
@@ -0,0 +1,3118 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_P256.h" + +#include "internal/Hacl_Spec.h" +#include "internal/Hacl_Kremlib.h" + +static uint64_t isZero_uint64_CT(uint64_t *f) +{ + uint64_t a0 = f[0U]; + uint64_t a1 = f[1U]; + uint64_t a2 = f[2U]; + uint64_t a3 = f[3U]; + uint64_t r0 = FStar_UInt64_eq_mask(a0, (uint64_t)0U); + uint64_t r1 = FStar_UInt64_eq_mask(a1, (uint64_t)0U); + uint64_t r2 = FStar_UInt64_eq_mask(a2, (uint64_t)0U); + uint64_t r3 = FStar_UInt64_eq_mask(a3, (uint64_t)0U); + uint64_t r01 = r0 & r1; + uint64_t r23 = r2 & r3; + return r01 & r23; +} + +static uint64_t compare_felem(uint64_t *a, uint64_t *b) +{ + uint64_t a_0 = a[0U]; + uint64_t a_1 = a[1U]; + uint64_t a_2 = a[2U]; + uint64_t a_3 = a[3U]; + uint64_t b_0 = b[0U]; + uint64_t b_1 = b[1U]; + uint64_t b_2 = b[2U]; + uint64_t b_3 = b[3U]; + uint64_t r_0 = FStar_UInt64_eq_mask(a_0, b_0); + uint64_t r_1 = FStar_UInt64_eq_mask(a_1, b_1); + uint64_t r_2 = FStar_UInt64_eq_mask(a_2, b_2); + uint64_t r_3 = FStar_UInt64_eq_mask(a_3, b_3); + uint64_t r01 = r_0 & r_1; + uint64_t r23 = r_2 & r_3; + return r01 & r23; +} + +static void copy_conditional(uint64_t *out, uint64_t *x, uint64_t mask) +{ + uint64_t out_0 = out[0U]; + uint64_t out_1 = out[1U]; + uint64_t out_2 = out[2U]; + uint64_t out_3 = out[3U]; + uint64_t x_0 = x[0U]; + uint64_t x_1 = x[1U]; + uint64_t x_2 = x[2U]; + uint64_t x_3 = x[3U]; + uint64_t r_0 = out_0 ^ (mask & (out_0 ^ x_0)); + uint64_t r_1 = out_1 ^ (mask & (out_1 ^ x_1)); + uint64_t r_2 = out_2 ^ (mask & (out_2 ^ x_2)); + uint64_t r_3 = out_3 ^ (mask & (out_3 ^ x_3)); + out[0U] = r_0; + out[1U] = r_1; + out[2U] = r_2; + out[3U] = r_3; +} + +static uint64_t add4(uint64_t *x, uint64_t *y, uint64_t *result) +{ + uint64_t *r0 = result; + uint64_t *r1 = result + (uint32_t)1U; + uint64_t *r2 = result + (uint32_t)2U; + uint64_t *r3 = result + (uint32_t)3U; + uint64_t cc0 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, x[0U], y[0U], r0); + uint64_t cc1 = 
Lib_IntTypes_Intrinsics_add_carry_u64(cc0, x[1U], y[1U], r1); + uint64_t cc2 = Lib_IntTypes_Intrinsics_add_carry_u64(cc1, x[2U], y[2U], r2); + uint64_t cc3 = Lib_IntTypes_Intrinsics_add_carry_u64(cc2, x[3U], y[3U], r3); + return cc3; +} + +static uint64_t add4_with_carry(uint64_t c, uint64_t *x, uint64_t *y, uint64_t *result) +{ + uint64_t *r0 = result; + uint64_t *r1 = result + (uint32_t)1U; + uint64_t *r2 = result + (uint32_t)2U; + uint64_t *r3 = result + (uint32_t)3U; + uint64_t cc = Lib_IntTypes_Intrinsics_add_carry_u64(c, x[0U], y[0U], r0); + uint64_t cc1 = Lib_IntTypes_Intrinsics_add_carry_u64(cc, x[1U], y[1U], r1); + uint64_t cc2 = Lib_IntTypes_Intrinsics_add_carry_u64(cc1, x[2U], y[2U], r2); + uint64_t cc3 = Lib_IntTypes_Intrinsics_add_carry_u64(cc2, x[3U], y[3U], r3); + return cc3; +} + +static uint64_t add8(uint64_t *x, uint64_t *y, uint64_t *result) +{ + uint64_t *a0 = x; + uint64_t *a1 = x + (uint32_t)4U; + uint64_t *b0 = y; + uint64_t *b1 = y + (uint32_t)4U; + uint64_t *c0 = result; + uint64_t *c1 = result + (uint32_t)4U; + uint64_t carry0 = add4(a0, b0, c0); + uint64_t carry1 = add4_with_carry(carry0, a1, b1, c1); + return carry1; +} + +static uint64_t +add4_variables( + uint64_t *x, + uint64_t cin, + uint64_t y0, + uint64_t y1, + uint64_t y2, + uint64_t y3, + uint64_t *result +) +{ + uint64_t *r0 = result; + uint64_t *r1 = result + (uint32_t)1U; + uint64_t *r2 = result + (uint32_t)2U; + uint64_t *r3 = result + (uint32_t)3U; + uint64_t cc = Lib_IntTypes_Intrinsics_add_carry_u64(cin, x[0U], y0, r0); + uint64_t cc1 = Lib_IntTypes_Intrinsics_add_carry_u64(cc, x[1U], y1, r1); + uint64_t cc2 = Lib_IntTypes_Intrinsics_add_carry_u64(cc1, x[2U], y2, r2); + uint64_t cc3 = Lib_IntTypes_Intrinsics_add_carry_u64(cc2, x[3U], y3, r3); + return cc3; +} + +static uint64_t sub4_il(uint64_t *x, const uint64_t *y, uint64_t *result) +{ + uint64_t *r0 = result; + uint64_t *r1 = result + (uint32_t)1U; + uint64_t *r2 = result + (uint32_t)2U; + uint64_t *r3 = result + 
(uint32_t)3U; + uint64_t cc = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, x[0U], y[0U], r0); + uint64_t cc1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(cc, x[1U], y[1U], r1); + uint64_t cc2 = Lib_IntTypes_Intrinsics_sub_borrow_u64(cc1, x[2U], y[2U], r2); + uint64_t cc3 = Lib_IntTypes_Intrinsics_sub_borrow_u64(cc2, x[3U], y[3U], r3); + return cc3; +} + +static uint64_t sub4(uint64_t *x, uint64_t *y, uint64_t *result) +{ + uint64_t *r0 = result; + uint64_t *r1 = result + (uint32_t)1U; + uint64_t *r2 = result + (uint32_t)2U; + uint64_t *r3 = result + (uint32_t)3U; + uint64_t cc = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, x[0U], y[0U], r0); + uint64_t cc1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(cc, x[1U], y[1U], r1); + uint64_t cc2 = Lib_IntTypes_Intrinsics_sub_borrow_u64(cc1, x[2U], y[2U], r2); + uint64_t cc3 = Lib_IntTypes_Intrinsics_sub_borrow_u64(cc2, x[3U], y[3U], r3); + return cc3; +} + +static void mul64(uint64_t x, uint64_t y, uint64_t *result, uint64_t *temp) +{ + FStar_UInt128_uint128 res = FStar_UInt128_mul_wide(x, y); + uint64_t l0 = FStar_UInt128_uint128_to_uint64(res); + uint64_t h0 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U)); + result[0U] = l0; + temp[0U] = h0; +} + +static void sq(uint64_t *f, uint64_t *out) +{ + uint64_t wb[17U] = { 0U }; + uint64_t *tb = wb; + uint64_t *memory = wb + (uint32_t)5U; + uint64_t *b0 = out; + uint64_t f01 = f[0U]; + uint64_t f310 = f[3U]; + uint64_t *o30 = b0 + (uint32_t)3U; + uint64_t *temp1 = tb; + uint64_t f02 = f[0U]; + uint64_t f12 = f[1U]; + uint64_t f22 = f[2U]; + uint64_t *o01 = b0; + uint64_t *o10 = b0 + (uint32_t)1U; + uint64_t *o20 = b0 + (uint32_t)2U; + mul64(f02, f02, o01, temp1); + uint64_t h_00 = temp1[0U]; + mul64(f02, f12, o10, temp1); + uint64_t l0 = o10[0U]; + memory[0U] = l0; + memory[1U] = temp1[0U]; + uint64_t c1 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l0, h_00, o10); + uint64_t h_10 = temp1[0U]; + mul64(f02, f22, o20, temp1); + 
uint64_t l10 = o20[0U]; + memory[2U] = l10; + memory[3U] = temp1[0U]; + uint64_t c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c1, l10, h_10, o20); + uint64_t h_20 = temp1[0U]; + mul64(f01, f310, o30, temp1); + uint64_t l3 = o30[0U]; + memory[4U] = l3; + memory[5U] = temp1[0U]; + uint64_t c3 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, l3, h_20, o30); + uint64_t temp0 = temp1[0U]; + uint64_t c0 = c3 + temp0; + out[4U] = c0; + uint64_t *b1 = out + (uint32_t)1U; + uint64_t *temp2 = tb; + uint64_t *tempBufferResult0 = tb + (uint32_t)1U; + uint64_t f11 = f[1U]; + uint64_t f210 = f[2U]; + uint64_t f311 = f[3U]; + uint64_t *o00 = tempBufferResult0; + uint64_t *o11 = tempBufferResult0 + (uint32_t)1U; + uint64_t *o21 = tempBufferResult0 + (uint32_t)2U; + uint64_t *o31 = tempBufferResult0 + (uint32_t)3U; + o00[0U] = memory[0U]; + uint64_t h_01 = memory[1U]; + mul64(f11, f11, o11, temp2); + uint64_t l4 = o11[0U]; + uint64_t c10 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l4, h_01, o11); + uint64_t h_11 = temp2[0U]; + mul64(f11, f210, o21, temp2); + uint64_t l11 = o21[0U]; + memory[6U] = l11; + memory[7U] = temp2[0U]; + uint64_t c20 = Lib_IntTypes_Intrinsics_add_carry_u64(c10, l11, h_11, o21); + uint64_t h_21 = temp2[0U]; + mul64(f11, f311, o31, temp2); + uint64_t l20 = o31[0U]; + memory[8U] = l20; + memory[9U] = temp2[0U]; + uint64_t c30 = Lib_IntTypes_Intrinsics_add_carry_u64(c20, l20, h_21, o31); + uint64_t h_30 = temp2[0U]; + uint64_t c40 = add4(tempBufferResult0, b1, b1); + uint64_t c11 = c30 + h_30 + c40; + out[5U] = c11; + uint64_t *b2 = out + (uint32_t)2U; + uint64_t *temp3 = tb; + uint64_t *tempBufferResult1 = tb + (uint32_t)1U; + uint64_t f21 = f[2U]; + uint64_t f312 = f[3U]; + uint64_t *o02 = tempBufferResult1; + uint64_t *o12 = tempBufferResult1 + (uint32_t)1U; + uint64_t *o22 = tempBufferResult1 + (uint32_t)2U; + uint64_t *o32 = tempBufferResult1 + (uint32_t)3U; + o02[0U] = memory[2U]; + uint64_t h_0 = memory[3U]; + o12[0U] = memory[6U]; + uint64_t l5 = 
o12[0U]; + uint64_t c110 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l5, h_0, o12); + uint64_t h_1 = memory[7U]; + mul64(f21, f21, o22, temp3); + uint64_t l12 = o22[0U]; + uint64_t c21 = Lib_IntTypes_Intrinsics_add_carry_u64(c110, l12, h_1, o22); + uint64_t h_2 = temp3[0U]; + mul64(f21, f312, o32, temp3); + uint64_t l21 = o32[0U]; + memory[10U] = l21; + memory[11U] = temp3[0U]; + uint64_t c31 = Lib_IntTypes_Intrinsics_add_carry_u64(c21, l21, h_2, o32); + uint64_t h_31 = temp3[0U]; + uint64_t c41 = add4(tempBufferResult1, b2, b2); + uint64_t c22 = c31 + h_31 + c41; + out[6U] = c22; + uint64_t *b3 = out + (uint32_t)3U; + uint64_t *temp = tb; + uint64_t *tempBufferResult = tb + (uint32_t)1U; + uint64_t f31 = f[3U]; + uint64_t *o0 = tempBufferResult; + uint64_t *o1 = tempBufferResult + (uint32_t)1U; + uint64_t *o2 = tempBufferResult + (uint32_t)2U; + uint64_t *o3 = tempBufferResult + (uint32_t)3U; + o0[0U] = memory[4U]; + uint64_t h = memory[5U]; + o1[0U] = memory[8U]; + uint64_t l = o1[0U]; + uint64_t c111 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l, h, o1); + uint64_t h4 = memory[9U]; + o2[0U] = memory[10U]; + uint64_t l1 = o2[0U]; + uint64_t c210 = Lib_IntTypes_Intrinsics_add_carry_u64(c111, l1, h4, o2); + uint64_t h5 = memory[11U]; + mul64(f31, f31, o3, temp); + uint64_t l2 = o3[0U]; + uint64_t c32 = Lib_IntTypes_Intrinsics_add_carry_u64(c210, l2, h5, o3); + uint64_t h_3 = temp[0U]; + uint64_t c4 = add4(tempBufferResult, b3, b3); + uint64_t c33 = c32 + h_3 + c4; + out[7U] = c33; +} + +static void cmovznz4(uint64_t cin, uint64_t *x, uint64_t *y, uint64_t *r) +{ + uint64_t mask = ~FStar_UInt64_eq_mask(cin, (uint64_t)0U); + uint64_t r0 = (y[0U] & mask) | (x[0U] & ~mask); + uint64_t r1 = (y[1U] & mask) | (x[1U] & ~mask); + uint64_t r2 = (y[2U] & mask) | (x[2U] & ~mask); + uint64_t r3 = (y[3U] & mask) | (x[3U] & ~mask); + r[0U] = r0; + r[1U] = r1; + r[2U] = r2; + r[3U] = r3; +} + +static void shift_256_impl(uint64_t *i, uint64_t *o) +{ + o[0U] = 
(uint64_t)0U; + o[1U] = (uint64_t)0U; + o[2U] = (uint64_t)0U; + o[3U] = (uint64_t)0U; + o[4U] = i[0U]; + o[5U] = i[1U]; + o[6U] = i[2U]; + o[7U] = i[3U]; +} + +static void shift8(uint64_t *t, uint64_t *out) +{ + uint64_t t1 = t[1U]; + uint64_t t2 = t[2U]; + uint64_t t3 = t[3U]; + uint64_t t4 = t[4U]; + uint64_t t5 = t[5U]; + uint64_t t6 = t[6U]; + uint64_t t7 = t[7U]; + out[0U] = t1; + out[1U] = t2; + out[2U] = t3; + out[3U] = t4; + out[4U] = t5; + out[5U] = t6; + out[6U] = t7; + out[7U] = (uint64_t)0U; +} + +static void uploadZeroImpl(uint64_t *f) +{ + f[0U] = (uint64_t)0U; + f[1U] = (uint64_t)0U; + f[2U] = (uint64_t)0U; + f[3U] = (uint64_t)0U; +} + +static void uploadOneImpl(uint64_t *f) +{ + f[0U] = (uint64_t)1U; + f[1U] = (uint64_t)0U; + f[2U] = (uint64_t)0U; + f[3U] = (uint64_t)0U; +} + +void Hacl_Impl_P256_LowLevel_toUint8(uint64_t *i, uint8_t *o) +{ + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + store64_be(o + i0 * (uint32_t)8U, i[i0]); + } +} + +void Hacl_Impl_P256_LowLevel_changeEndian(uint64_t *i) +{ + uint64_t zero = i[0U]; + uint64_t one = i[1U]; + uint64_t two = i[2U]; + uint64_t three = i[3U]; + i[0U] = three; + i[1U] = two; + i[2U] = one; + i[3U] = zero; +} + +void Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(uint8_t *i, uint64_t *o) +{ + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + uint64_t *os = o; + uint8_t *bj = i + i0 * (uint32_t)8U; + uint64_t u = load64_be(bj); + uint64_t r = u; + uint64_t x = r; + os[i0] = x; + } + Hacl_Impl_P256_LowLevel_changeEndian(o); +} + +static const +uint64_t +prime256_buffer[4U] = + { + (uint64_t)0xffffffffffffffffU, + (uint64_t)0xffffffffU, + (uint64_t)0U, + (uint64_t)0xffffffff00000001U + }; + +static void reduction_prime_2prime_impl(uint64_t *x, uint64_t *result) +{ + uint64_t tempBuffer[4U] = { 0U }; + uint64_t c = sub4_il(x, prime256_buffer, tempBuffer); + cmovznz4(c, tempBuffer, x, result); +} + +static void p256_add(uint64_t *arg1, uint64_t *arg2, uint64_t *out) +{ + 
uint64_t t = add4(arg1, arg2, out); + uint64_t tempBuffer[4U] = { 0U }; + uint64_t tempBufferForSubborrow = (uint64_t)0U; + uint64_t c = sub4_il(out, prime256_buffer, tempBuffer); + uint64_t + carry = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t, (uint64_t)0U, &tempBufferForSubborrow); + cmovznz4(carry, tempBuffer, out, out); +} + +static void p256_double(uint64_t *arg1, uint64_t *out) +{ + uint64_t t = add4(arg1, arg1, out); + uint64_t tempBuffer[4U] = { 0U }; + uint64_t tempBufferForSubborrow = (uint64_t)0U; + uint64_t c = sub4_il(out, prime256_buffer, tempBuffer); + uint64_t + carry = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t, (uint64_t)0U, &tempBufferForSubborrow); + cmovznz4(carry, tempBuffer, out, out); +} + +static void p256_sub(uint64_t *arg1, uint64_t *arg2, uint64_t *out) +{ + uint64_t t = sub4(arg1, arg2, out); + uint64_t t0 = (uint64_t)0U - t; + uint64_t t1 = ((uint64_t)0U - t) >> (uint32_t)32U; + uint64_t t2 = (uint64_t)0U; + uint64_t t3 = t - (t << (uint32_t)32U); + uint64_t c = add4_variables(out, (uint64_t)0U, t0, t1, t2, t3, out); +} + +static void montgomery_multiplication_buffer_by_one(uint64_t *a, uint64_t *result) +{ + uint64_t t[8U] = { 0U }; + uint64_t *t_low = t; + uint64_t round2[8U] = { 0U }; + uint64_t round4[8U] = { 0U }; + memcpy(t_low, a, (uint32_t)4U * sizeof (uint64_t)); + uint64_t tempRound[8U] = { 0U }; + uint64_t t20[8U] = { 0U }; + uint64_t t30[8U] = { 0U }; + uint64_t t10 = t[0U]; + uint64_t *result040 = t20; + uint64_t temp1 = (uint64_t)0U; + uint64_t f10 = prime256_buffer[1U]; + uint64_t f20 = prime256_buffer[2U]; + uint64_t f30 = prime256_buffer[3U]; + uint64_t *o00 = result040; + uint64_t *o10 = result040 + (uint32_t)1U; + uint64_t *o20 = result040 + (uint32_t)2U; + uint64_t *o30 = result040 + (uint32_t)3U; + uint64_t f010 = prime256_buffer[0U]; + mul64(f010, t10, o00, &temp1); + uint64_t h0 = temp1; + mul64(f10, t10, o10, &temp1); + uint64_t l0 = o10[0U]; + uint64_t c1 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, 
l0, h0, o10); + uint64_t h1 = temp1; + mul64(f20, t10, o20, &temp1); + uint64_t l1 = o20[0U]; + uint64_t c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c1, l1, h1, o20); + uint64_t h2 = temp1; + mul64(f30, t10, o30, &temp1); + uint64_t l2 = o30[0U]; + uint64_t c3 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, l2, h2, o30); + uint64_t temp00 = temp1; + uint64_t c0 = c3 + temp00; + t20[4U] = c0; + uint64_t uu____0 = add8(t, t20, t30); + shift8(t30, tempRound); + uint64_t t21[8U] = { 0U }; + uint64_t t31[8U] = { 0U }; + uint64_t t11 = tempRound[0U]; + uint64_t *result041 = t21; + uint64_t temp2 = (uint64_t)0U; + uint64_t f11 = prime256_buffer[1U]; + uint64_t f21 = prime256_buffer[2U]; + uint64_t f31 = prime256_buffer[3U]; + uint64_t *o01 = result041; + uint64_t *o11 = result041 + (uint32_t)1U; + uint64_t *o21 = result041 + (uint32_t)2U; + uint64_t *o31 = result041 + (uint32_t)3U; + uint64_t f011 = prime256_buffer[0U]; + mul64(f011, t11, o01, &temp2); + uint64_t h3 = temp2; + mul64(f11, t11, o11, &temp2); + uint64_t l3 = o11[0U]; + uint64_t c10 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l3, h3, o11); + uint64_t h4 = temp2; + mul64(f21, t11, o21, &temp2); + uint64_t l4 = o21[0U]; + uint64_t c20 = Lib_IntTypes_Intrinsics_add_carry_u64(c10, l4, h4, o21); + uint64_t h5 = temp2; + mul64(f31, t11, o31, &temp2); + uint64_t l5 = o31[0U]; + uint64_t c30 = Lib_IntTypes_Intrinsics_add_carry_u64(c20, l5, h5, o31); + uint64_t temp01 = temp2; + uint64_t c4 = c30 + temp01; + t21[4U] = c4; + uint64_t uu____1 = add8(tempRound, t21, t31); + shift8(t31, round2); + uint64_t tempRound0[8U] = { 0U }; + uint64_t t2[8U] = { 0U }; + uint64_t t32[8U] = { 0U }; + uint64_t t12 = round2[0U]; + uint64_t *result042 = t2; + uint64_t temp3 = (uint64_t)0U; + uint64_t f12 = prime256_buffer[1U]; + uint64_t f22 = prime256_buffer[2U]; + uint64_t f32 = prime256_buffer[3U]; + uint64_t *o02 = result042; + uint64_t *o12 = result042 + (uint32_t)1U; + uint64_t *o22 = result042 + (uint32_t)2U; + uint64_t *o32 
= result042 + (uint32_t)3U; + uint64_t f012 = prime256_buffer[0U]; + mul64(f012, t12, o02, &temp3); + uint64_t h6 = temp3; + mul64(f12, t12, o12, &temp3); + uint64_t l6 = o12[0U]; + uint64_t c11 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l6, h6, o12); + uint64_t h7 = temp3; + mul64(f22, t12, o22, &temp3); + uint64_t l7 = o22[0U]; + uint64_t c21 = Lib_IntTypes_Intrinsics_add_carry_u64(c11, l7, h7, o22); + uint64_t h8 = temp3; + mul64(f32, t12, o32, &temp3); + uint64_t l8 = o32[0U]; + uint64_t c31 = Lib_IntTypes_Intrinsics_add_carry_u64(c21, l8, h8, o32); + uint64_t temp02 = temp3; + uint64_t c5 = c31 + temp02; + t2[4U] = c5; + uint64_t uu____2 = add8(round2, t2, t32); + shift8(t32, tempRound0); + uint64_t t22[8U] = { 0U }; + uint64_t t3[8U] = { 0U }; + uint64_t t1 = tempRound0[0U]; + uint64_t *result04 = t22; + uint64_t temp = (uint64_t)0U; + uint64_t f1 = prime256_buffer[1U]; + uint64_t f2 = prime256_buffer[2U]; + uint64_t f3 = prime256_buffer[3U]; + uint64_t *o0 = result04; + uint64_t *o1 = result04 + (uint32_t)1U; + uint64_t *o2 = result04 + (uint32_t)2U; + uint64_t *o3 = result04 + (uint32_t)3U; + uint64_t f01 = prime256_buffer[0U]; + mul64(f01, t1, o0, &temp); + uint64_t h9 = temp; + mul64(f1, t1, o1, &temp); + uint64_t l9 = o1[0U]; + uint64_t c12 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l9, h9, o1); + uint64_t h10 = temp; + mul64(f2, t1, o2, &temp); + uint64_t l10 = o2[0U]; + uint64_t c22 = Lib_IntTypes_Intrinsics_add_carry_u64(c12, l10, h10, o2); + uint64_t h = temp; + mul64(f3, t1, o3, &temp); + uint64_t l = o3[0U]; + uint64_t c32 = Lib_IntTypes_Intrinsics_add_carry_u64(c22, l, h, o3); + uint64_t temp0 = temp; + uint64_t c6 = c32 + temp0; + t22[4U] = c6; + uint64_t uu____3 = add8(tempRound0, t22, t3); + shift8(t3, round4); + uint64_t tempBuffer[4U] = { 0U }; + uint64_t tempBufferForSubborrow = (uint64_t)0U; + uint64_t cin = round4[4U]; + uint64_t *x_ = round4; + uint64_t c = sub4_il(x_, prime256_buffer, tempBuffer); + uint64_t + carry 
= Lib_IntTypes_Intrinsics_sub_borrow_u64(c, cin, (uint64_t)0U, &tempBufferForSubborrow); + cmovznz4(carry, tempBuffer, x_, result); +} + +static void montgomery_multiplication_buffer(uint64_t *a, uint64_t *b, uint64_t *result) +{ + uint64_t t[8U] = { 0U }; + uint64_t round2[8U] = { 0U }; + uint64_t round4[8U] = { 0U }; + uint64_t f0 = a[0U]; + uint64_t f10 = a[1U]; + uint64_t f20 = a[2U]; + uint64_t f30 = a[3U]; + uint64_t *b0 = t; + uint64_t temp2 = (uint64_t)0U; + uint64_t f110 = b[1U]; + uint64_t f210 = b[2U]; + uint64_t f310 = b[3U]; + uint64_t *o00 = b0; + uint64_t *o10 = b0 + (uint32_t)1U; + uint64_t *o20 = b0 + (uint32_t)2U; + uint64_t *o30 = b0 + (uint32_t)3U; + uint64_t f020 = b[0U]; + mul64(f020, f0, o00, &temp2); + uint64_t h0 = temp2; + mul64(f110, f0, o10, &temp2); + uint64_t l0 = o10[0U]; + uint64_t c1 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l0, h0, o10); + uint64_t h1 = temp2; + mul64(f210, f0, o20, &temp2); + uint64_t l1 = o20[0U]; + uint64_t c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c1, l1, h1, o20); + uint64_t h2 = temp2; + mul64(f310, f0, o30, &temp2); + uint64_t l2 = o30[0U]; + uint64_t c30 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, l2, h2, o30); + uint64_t temp00 = temp2; + uint64_t c0 = c30 + temp00; + t[4U] = c0; + uint64_t *b1 = t + (uint32_t)1U; + uint64_t temp3[4U] = { 0U }; + uint64_t temp10 = (uint64_t)0U; + uint64_t f111 = b[1U]; + uint64_t f211 = b[2U]; + uint64_t f311 = b[3U]; + uint64_t *o01 = temp3; + uint64_t *o11 = temp3 + (uint32_t)1U; + uint64_t *o21 = temp3 + (uint32_t)2U; + uint64_t *o31 = temp3 + (uint32_t)3U; + uint64_t f021 = b[0U]; + mul64(f021, f10, o01, &temp10); + uint64_t h3 = temp10; + mul64(f111, f10, o11, &temp10); + uint64_t l3 = o11[0U]; + uint64_t c10 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l3, h3, o11); + uint64_t h4 = temp10; + mul64(f211, f10, o21, &temp10); + uint64_t l4 = o21[0U]; + uint64_t c20 = Lib_IntTypes_Intrinsics_add_carry_u64(c10, l4, h4, o21); + uint64_t h5 = temp10; + 
mul64(f311, f10, o31, &temp10); + uint64_t l5 = o31[0U]; + uint64_t c31 = Lib_IntTypes_Intrinsics_add_carry_u64(c20, l5, h5, o31); + uint64_t temp01 = temp10; + uint64_t c4 = c31 + temp01; + uint64_t c32 = add4(temp3, b1, b1); + uint64_t c11 = c4 + c32; + t[5U] = c11; + uint64_t *b2 = t + (uint32_t)2U; + uint64_t temp4[4U] = { 0U }; + uint64_t temp11 = (uint64_t)0U; + uint64_t f112 = b[1U]; + uint64_t f212 = b[2U]; + uint64_t f312 = b[3U]; + uint64_t *o02 = temp4; + uint64_t *o12 = temp4 + (uint32_t)1U; + uint64_t *o22 = temp4 + (uint32_t)2U; + uint64_t *o32 = temp4 + (uint32_t)3U; + uint64_t f022 = b[0U]; + mul64(f022, f20, o02, &temp11); + uint64_t h6 = temp11; + mul64(f112, f20, o12, &temp11); + uint64_t l6 = o12[0U]; + uint64_t c110 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l6, h6, o12); + uint64_t h7 = temp11; + mul64(f212, f20, o22, &temp11); + uint64_t l7 = o22[0U]; + uint64_t c21 = Lib_IntTypes_Intrinsics_add_carry_u64(c110, l7, h7, o22); + uint64_t h8 = temp11; + mul64(f312, f20, o32, &temp11); + uint64_t l8 = o32[0U]; + uint64_t c33 = Lib_IntTypes_Intrinsics_add_carry_u64(c21, l8, h8, o32); + uint64_t temp02 = temp11; + uint64_t c5 = c33 + temp02; + uint64_t c34 = add4(temp4, b2, b2); + uint64_t c22 = c5 + c34; + t[6U] = c22; + uint64_t *b3 = t + (uint32_t)3U; + uint64_t temp5[4U] = { 0U }; + uint64_t temp1 = (uint64_t)0U; + uint64_t f11 = b[1U]; + uint64_t f21 = b[2U]; + uint64_t f31 = b[3U]; + uint64_t *o03 = temp5; + uint64_t *o13 = temp5 + (uint32_t)1U; + uint64_t *o23 = temp5 + (uint32_t)2U; + uint64_t *o33 = temp5 + (uint32_t)3U; + uint64_t f02 = b[0U]; + mul64(f02, f30, o03, &temp1); + uint64_t h9 = temp1; + mul64(f11, f30, o13, &temp1); + uint64_t l9 = o13[0U]; + uint64_t c111 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l9, h9, o13); + uint64_t h10 = temp1; + mul64(f21, f30, o23, &temp1); + uint64_t l10 = o23[0U]; + uint64_t c210 = Lib_IntTypes_Intrinsics_add_carry_u64(c111, l10, h10, o23); + uint64_t h11 = temp1; + 
mul64(f31, f30, o33, &temp1); + uint64_t l11 = o33[0U]; + uint64_t c35 = Lib_IntTypes_Intrinsics_add_carry_u64(c210, l11, h11, o33); + uint64_t temp03 = temp1; + uint64_t c6 = c35 + temp03; + uint64_t c3 = add4(temp5, b3, b3); + uint64_t c36 = c6 + c3; + t[7U] = c36; + uint64_t tempRound[8U] = { 0U }; + uint64_t t20[8U] = { 0U }; + uint64_t t30[8U] = { 0U }; + uint64_t t10 = t[0U]; + uint64_t *result040 = t20; + uint64_t temp6 = (uint64_t)0U; + uint64_t f12 = prime256_buffer[1U]; + uint64_t f22 = prime256_buffer[2U]; + uint64_t f32 = prime256_buffer[3U]; + uint64_t *o04 = result040; + uint64_t *o14 = result040 + (uint32_t)1U; + uint64_t *o24 = result040 + (uint32_t)2U; + uint64_t *o34 = result040 + (uint32_t)3U; + uint64_t f010 = prime256_buffer[0U]; + mul64(f010, t10, o04, &temp6); + uint64_t h12 = temp6; + mul64(f12, t10, o14, &temp6); + uint64_t l12 = o14[0U]; + uint64_t c12 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l12, h12, o14); + uint64_t h13 = temp6; + mul64(f22, t10, o24, &temp6); + uint64_t l13 = o24[0U]; + uint64_t c23 = Lib_IntTypes_Intrinsics_add_carry_u64(c12, l13, h13, o24); + uint64_t h14 = temp6; + mul64(f32, t10, o34, &temp6); + uint64_t l14 = o34[0U]; + uint64_t c37 = Lib_IntTypes_Intrinsics_add_carry_u64(c23, l14, h14, o34); + uint64_t temp04 = temp6; + uint64_t c7 = c37 + temp04; + t20[4U] = c7; + uint64_t uu____0 = add8(t, t20, t30); + shift8(t30, tempRound); + uint64_t t21[8U] = { 0U }; + uint64_t t31[8U] = { 0U }; + uint64_t t11 = tempRound[0U]; + uint64_t *result041 = t21; + uint64_t temp7 = (uint64_t)0U; + uint64_t f13 = prime256_buffer[1U]; + uint64_t f23 = prime256_buffer[2U]; + uint64_t f33 = prime256_buffer[3U]; + uint64_t *o05 = result041; + uint64_t *o15 = result041 + (uint32_t)1U; + uint64_t *o25 = result041 + (uint32_t)2U; + uint64_t *o35 = result041 + (uint32_t)3U; + uint64_t f011 = prime256_buffer[0U]; + mul64(f011, t11, o05, &temp7); + uint64_t h15 = temp7; + mul64(f13, t11, o15, &temp7); + uint64_t l15 = o15[0U]; + 
uint64_t c13 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l15, h15, o15); + uint64_t h16 = temp7; + mul64(f23, t11, o25, &temp7); + uint64_t l16 = o25[0U]; + uint64_t c24 = Lib_IntTypes_Intrinsics_add_carry_u64(c13, l16, h16, o25); + uint64_t h17 = temp7; + mul64(f33, t11, o35, &temp7); + uint64_t l17 = o35[0U]; + uint64_t c38 = Lib_IntTypes_Intrinsics_add_carry_u64(c24, l17, h17, o35); + uint64_t temp05 = temp7; + uint64_t c8 = c38 + temp05; + t21[4U] = c8; + uint64_t uu____1 = add8(tempRound, t21, t31); + shift8(t31, round2); + uint64_t tempRound0[8U] = { 0U }; + uint64_t t2[8U] = { 0U }; + uint64_t t32[8U] = { 0U }; + uint64_t t12 = round2[0U]; + uint64_t *result042 = t2; + uint64_t temp8 = (uint64_t)0U; + uint64_t f14 = prime256_buffer[1U]; + uint64_t f24 = prime256_buffer[2U]; + uint64_t f34 = prime256_buffer[3U]; + uint64_t *o06 = result042; + uint64_t *o16 = result042 + (uint32_t)1U; + uint64_t *o26 = result042 + (uint32_t)2U; + uint64_t *o36 = result042 + (uint32_t)3U; + uint64_t f012 = prime256_buffer[0U]; + mul64(f012, t12, o06, &temp8); + uint64_t h18 = temp8; + mul64(f14, t12, o16, &temp8); + uint64_t l18 = o16[0U]; + uint64_t c14 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l18, h18, o16); + uint64_t h19 = temp8; + mul64(f24, t12, o26, &temp8); + uint64_t l19 = o26[0U]; + uint64_t c25 = Lib_IntTypes_Intrinsics_add_carry_u64(c14, l19, h19, o26); + uint64_t h20 = temp8; + mul64(f34, t12, o36, &temp8); + uint64_t l20 = o36[0U]; + uint64_t c39 = Lib_IntTypes_Intrinsics_add_carry_u64(c25, l20, h20, o36); + uint64_t temp06 = temp8; + uint64_t c9 = c39 + temp06; + t2[4U] = c9; + uint64_t uu____2 = add8(round2, t2, t32); + shift8(t32, tempRound0); + uint64_t t22[8U] = { 0U }; + uint64_t t3[8U] = { 0U }; + uint64_t t1 = tempRound0[0U]; + uint64_t *result04 = t22; + uint64_t temp = (uint64_t)0U; + uint64_t f1 = prime256_buffer[1U]; + uint64_t f2 = prime256_buffer[2U]; + uint64_t f3 = prime256_buffer[3U]; + uint64_t *o0 = result04; + uint64_t 
*o1 = result04 + (uint32_t)1U; + uint64_t *o2 = result04 + (uint32_t)2U; + uint64_t *o3 = result04 + (uint32_t)3U; + uint64_t f01 = prime256_buffer[0U]; + mul64(f01, t1, o0, &temp); + uint64_t h21 = temp; + mul64(f1, t1, o1, &temp); + uint64_t l21 = o1[0U]; + uint64_t c15 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l21, h21, o1); + uint64_t h22 = temp; + mul64(f2, t1, o2, &temp); + uint64_t l22 = o2[0U]; + uint64_t c26 = Lib_IntTypes_Intrinsics_add_carry_u64(c15, l22, h22, o2); + uint64_t h = temp; + mul64(f3, t1, o3, &temp); + uint64_t l = o3[0U]; + uint64_t c310 = Lib_IntTypes_Intrinsics_add_carry_u64(c26, l, h, o3); + uint64_t temp0 = temp; + uint64_t c16 = c310 + temp0; + t22[4U] = c16; + uint64_t uu____3 = add8(tempRound0, t22, t3); + shift8(t3, round4); + uint64_t tempBuffer[4U] = { 0U }; + uint64_t tempBufferForSubborrow = (uint64_t)0U; + uint64_t cin = round4[4U]; + uint64_t *x_ = round4; + uint64_t c = sub4_il(x_, prime256_buffer, tempBuffer); + uint64_t + carry = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, cin, (uint64_t)0U, &tempBufferForSubborrow); + cmovznz4(carry, tempBuffer, x_, result); +} + +static void montgomery_square_buffer(uint64_t *a, uint64_t *result) +{ + uint64_t t[8U] = { 0U }; + uint64_t round2[8U] = { 0U }; + uint64_t round4[8U] = { 0U }; + sq(a, t); + uint64_t tempRound[8U] = { 0U }; + uint64_t t20[8U] = { 0U }; + uint64_t t30[8U] = { 0U }; + uint64_t t10 = t[0U]; + uint64_t *result040 = t20; + uint64_t temp1 = (uint64_t)0U; + uint64_t f10 = prime256_buffer[1U]; + uint64_t f20 = prime256_buffer[2U]; + uint64_t f30 = prime256_buffer[3U]; + uint64_t *o00 = result040; + uint64_t *o10 = result040 + (uint32_t)1U; + uint64_t *o20 = result040 + (uint32_t)2U; + uint64_t *o30 = result040 + (uint32_t)3U; + uint64_t f010 = prime256_buffer[0U]; + mul64(f010, t10, o00, &temp1); + uint64_t h0 = temp1; + mul64(f10, t10, o10, &temp1); + uint64_t l0 = o10[0U]; + uint64_t c1 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l0, h0, o10); + 
uint64_t h1 = temp1; + mul64(f20, t10, o20, &temp1); + uint64_t l1 = o20[0U]; + uint64_t c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c1, l1, h1, o20); + uint64_t h2 = temp1; + mul64(f30, t10, o30, &temp1); + uint64_t l2 = o30[0U]; + uint64_t c3 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, l2, h2, o30); + uint64_t temp00 = temp1; + uint64_t c0 = c3 + temp00; + t20[4U] = c0; + uint64_t uu____0 = add8(t, t20, t30); + shift8(t30, tempRound); + uint64_t t21[8U] = { 0U }; + uint64_t t31[8U] = { 0U }; + uint64_t t11 = tempRound[0U]; + uint64_t *result041 = t21; + uint64_t temp2 = (uint64_t)0U; + uint64_t f11 = prime256_buffer[1U]; + uint64_t f21 = prime256_buffer[2U]; + uint64_t f31 = prime256_buffer[3U]; + uint64_t *o01 = result041; + uint64_t *o11 = result041 + (uint32_t)1U; + uint64_t *o21 = result041 + (uint32_t)2U; + uint64_t *o31 = result041 + (uint32_t)3U; + uint64_t f011 = prime256_buffer[0U]; + mul64(f011, t11, o01, &temp2); + uint64_t h3 = temp2; + mul64(f11, t11, o11, &temp2); + uint64_t l3 = o11[0U]; + uint64_t c10 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l3, h3, o11); + uint64_t h4 = temp2; + mul64(f21, t11, o21, &temp2); + uint64_t l4 = o21[0U]; + uint64_t c20 = Lib_IntTypes_Intrinsics_add_carry_u64(c10, l4, h4, o21); + uint64_t h5 = temp2; + mul64(f31, t11, o31, &temp2); + uint64_t l5 = o31[0U]; + uint64_t c30 = Lib_IntTypes_Intrinsics_add_carry_u64(c20, l5, h5, o31); + uint64_t temp01 = temp2; + uint64_t c4 = c30 + temp01; + t21[4U] = c4; + uint64_t uu____1 = add8(tempRound, t21, t31); + shift8(t31, round2); + uint64_t tempRound0[8U] = { 0U }; + uint64_t t2[8U] = { 0U }; + uint64_t t32[8U] = { 0U }; + uint64_t t12 = round2[0U]; + uint64_t *result042 = t2; + uint64_t temp3 = (uint64_t)0U; + uint64_t f12 = prime256_buffer[1U]; + uint64_t f22 = prime256_buffer[2U]; + uint64_t f32 = prime256_buffer[3U]; + uint64_t *o02 = result042; + uint64_t *o12 = result042 + (uint32_t)1U; + uint64_t *o22 = result042 + (uint32_t)2U; + uint64_t *o32 = result042 + 
(uint32_t)3U; + uint64_t f012 = prime256_buffer[0U]; + mul64(f012, t12, o02, &temp3); + uint64_t h6 = temp3; + mul64(f12, t12, o12, &temp3); + uint64_t l6 = o12[0U]; + uint64_t c11 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l6, h6, o12); + uint64_t h7 = temp3; + mul64(f22, t12, o22, &temp3); + uint64_t l7 = o22[0U]; + uint64_t c21 = Lib_IntTypes_Intrinsics_add_carry_u64(c11, l7, h7, o22); + uint64_t h8 = temp3; + mul64(f32, t12, o32, &temp3); + uint64_t l8 = o32[0U]; + uint64_t c31 = Lib_IntTypes_Intrinsics_add_carry_u64(c21, l8, h8, o32); + uint64_t temp02 = temp3; + uint64_t c5 = c31 + temp02; + t2[4U] = c5; + uint64_t uu____2 = add8(round2, t2, t32); + shift8(t32, tempRound0); + uint64_t t22[8U] = { 0U }; + uint64_t t3[8U] = { 0U }; + uint64_t t1 = tempRound0[0U]; + uint64_t *result04 = t22; + uint64_t temp = (uint64_t)0U; + uint64_t f1 = prime256_buffer[1U]; + uint64_t f2 = prime256_buffer[2U]; + uint64_t f3 = prime256_buffer[3U]; + uint64_t *o0 = result04; + uint64_t *o1 = result04 + (uint32_t)1U; + uint64_t *o2 = result04 + (uint32_t)2U; + uint64_t *o3 = result04 + (uint32_t)3U; + uint64_t f01 = prime256_buffer[0U]; + mul64(f01, t1, o0, &temp); + uint64_t h9 = temp; + mul64(f1, t1, o1, &temp); + uint64_t l9 = o1[0U]; + uint64_t c12 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l9, h9, o1); + uint64_t h10 = temp; + mul64(f2, t1, o2, &temp); + uint64_t l10 = o2[0U]; + uint64_t c22 = Lib_IntTypes_Intrinsics_add_carry_u64(c12, l10, h10, o2); + uint64_t h = temp; + mul64(f3, t1, o3, &temp); + uint64_t l = o3[0U]; + uint64_t c32 = Lib_IntTypes_Intrinsics_add_carry_u64(c22, l, h, o3); + uint64_t temp0 = temp; + uint64_t c6 = c32 + temp0; + t22[4U] = c6; + uint64_t uu____3 = add8(tempRound0, t22, t3); + shift8(t3, round4); + uint64_t tempBuffer[4U] = { 0U }; + uint64_t tempBufferForSubborrow = (uint64_t)0U; + uint64_t cin = round4[4U]; + uint64_t *x_ = round4; + uint64_t c = sub4_il(x_, prime256_buffer, tempBuffer); + uint64_t + carry = 
Lib_IntTypes_Intrinsics_sub_borrow_u64(c, cin, (uint64_t)0U, &tempBufferForSubborrow); + cmovznz4(carry, tempBuffer, x_, result); +} + +static void fsquarePowN(uint32_t n, uint64_t *a) +{ + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + montgomery_square_buffer(a, a); + } +} + +static void fsquarePowNminusOne(uint32_t n, uint64_t *a, uint64_t *b) +{ + b[0U] = (uint64_t)1U; + b[1U] = (uint64_t)18446744069414584320U; + b[2U] = (uint64_t)18446744073709551615U; + b[3U] = (uint64_t)4294967294U; + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + montgomery_multiplication_buffer(b, a, b); + montgomery_square_buffer(a, a); + } +} + +static void exponent(uint64_t *a, uint64_t *result, uint64_t *tempBuffer) +{ + uint64_t *buffer_norm_1 = tempBuffer; + uint64_t *buffer_result1 = tempBuffer + (uint32_t)4U; + uint64_t *buffer_result2 = tempBuffer + (uint32_t)8U; + uint64_t *buffer_norm_3 = tempBuffer + (uint32_t)12U; + uint64_t *buffer_result3 = tempBuffer + (uint32_t)16U; + memcpy(buffer_norm_1, a, (uint32_t)4U * sizeof (uint64_t)); + uint64_t *buffer_a = buffer_norm_1; + uint64_t *buffer_b0 = buffer_norm_1 + (uint32_t)4U; + fsquarePowNminusOne((uint32_t)32U, buffer_a, buffer_b0); + fsquarePowN((uint32_t)224U, buffer_b0); + memcpy(buffer_result2, a, (uint32_t)4U * sizeof (uint64_t)); + fsquarePowN((uint32_t)192U, buffer_result2); + memcpy(buffer_norm_3, a, (uint32_t)4U * sizeof (uint64_t)); + uint64_t *buffer_a0 = buffer_norm_3; + uint64_t *buffer_b = buffer_norm_3 + (uint32_t)4U; + fsquarePowNminusOne((uint32_t)94U, buffer_a0, buffer_b); + fsquarePowN((uint32_t)2U, buffer_b); + montgomery_multiplication_buffer(buffer_result1, buffer_result2, buffer_result1); + montgomery_multiplication_buffer(buffer_result1, buffer_result3, buffer_result1); + montgomery_multiplication_buffer(buffer_result1, a, buffer_result1); + memcpy(result, buffer_result1, (uint32_t)4U * sizeof (uint64_t)); +} + +static void cube(uint64_t *a, uint64_t *result) +{ + montgomery_square_buffer(a, result); 
+ montgomery_multiplication_buffer(result, a, result); +} + +static void multByTwo(uint64_t *a, uint64_t *out) +{ + p256_add(a, a, out); +} + +static void multByThree(uint64_t *a, uint64_t *result) +{ + multByTwo(a, result); + p256_add(a, result, result); +} + +static void multByFour(uint64_t *a, uint64_t *result) +{ + multByTwo(a, result); + multByTwo(result, result); +} + +static void multByEight(uint64_t *a, uint64_t *result) +{ + multByTwo(a, result); + multByTwo(result, result); + multByTwo(result, result); +} + +static uint64_t store_high_low_u(uint32_t high, uint32_t low) +{ + uint64_t as_uint64_high = (uint64_t)high; + uint64_t as_uint64_high1 = as_uint64_high << (uint32_t)32U; + uint64_t as_uint64_low = (uint64_t)low; + return as_uint64_low ^ as_uint64_high1; +} + +static void solinas_reduction_impl(uint64_t *i, uint64_t *o) +{ + uint64_t tempBuffer[36U] = { 0U }; + uint64_t i0 = i[0U]; + uint64_t i1 = i[1U]; + uint64_t i2 = i[2U]; + uint64_t i3 = i[3U]; + uint64_t i4 = i[4U]; + uint64_t i5 = i[5U]; + uint64_t i6 = i[6U]; + uint64_t i7 = i[7U]; + uint32_t c0 = (uint32_t)i0; + uint32_t c1 = (uint32_t)(i0 >> (uint32_t)32U); + uint32_t c2 = (uint32_t)i1; + uint32_t c3 = (uint32_t)(i1 >> (uint32_t)32U); + uint32_t c4 = (uint32_t)i2; + uint32_t c5 = (uint32_t)(i2 >> (uint32_t)32U); + uint32_t c6 = (uint32_t)i3; + uint32_t c7 = (uint32_t)(i3 >> (uint32_t)32U); + uint32_t c8 = (uint32_t)i4; + uint32_t c9 = (uint32_t)(i4 >> (uint32_t)32U); + uint32_t c10 = (uint32_t)i5; + uint32_t c11 = (uint32_t)(i5 >> (uint32_t)32U); + uint32_t c12 = (uint32_t)i6; + uint32_t c13 = (uint32_t)(i6 >> (uint32_t)32U); + uint32_t c14 = (uint32_t)i7; + uint32_t c15 = (uint32_t)(i7 >> (uint32_t)32U); + uint64_t *t01 = tempBuffer; + uint64_t *t110 = tempBuffer + (uint32_t)4U; + uint64_t *t210 = tempBuffer + (uint32_t)8U; + uint64_t *t310 = tempBuffer + (uint32_t)12U; + uint64_t *t410 = tempBuffer + (uint32_t)16U; + uint64_t *t510 = tempBuffer + (uint32_t)20U; + uint64_t *t610 = 
tempBuffer + (uint32_t)24U; + uint64_t *t710 = tempBuffer + (uint32_t)28U; + uint64_t *t810 = tempBuffer + (uint32_t)32U; + uint64_t b0 = store_high_low_u(c1, c0); + uint64_t b10 = store_high_low_u(c3, c2); + uint64_t b20 = store_high_low_u(c5, c4); + uint64_t b30 = store_high_low_u(c7, c6); + t01[0U] = b0; + t01[1U] = b10; + t01[2U] = b20; + t01[3U] = b30; + reduction_prime_2prime_impl(t01, t01); + uint64_t b00 = (uint64_t)0U; + uint64_t b11 = store_high_low_u(c11, (uint32_t)0U); + uint64_t b21 = store_high_low_u(c13, c12); + uint64_t b31 = store_high_low_u(c15, c14); + t110[0U] = b00; + t110[1U] = b11; + t110[2U] = b21; + t110[3U] = b31; + reduction_prime_2prime_impl(t110, t110); + uint64_t b01 = (uint64_t)0U; + uint64_t b12 = store_high_low_u(c12, (uint32_t)0U); + uint64_t b22 = store_high_low_u(c14, c13); + uint64_t b32 = store_high_low_u((uint32_t)0U, c15); + t210[0U] = b01; + t210[1U] = b12; + t210[2U] = b22; + t210[3U] = b32; + uint64_t b02 = store_high_low_u(c9, c8); + uint64_t b13 = store_high_low_u((uint32_t)0U, c10); + uint64_t b23 = (uint64_t)0U; + uint64_t b33 = store_high_low_u(c15, c14); + t310[0U] = b02; + t310[1U] = b13; + t310[2U] = b23; + t310[3U] = b33; + reduction_prime_2prime_impl(t310, t310); + uint64_t b03 = store_high_low_u(c10, c9); + uint64_t b14 = store_high_low_u(c13, c11); + uint64_t b24 = store_high_low_u(c15, c14); + uint64_t b34 = store_high_low_u(c8, c13); + t410[0U] = b03; + t410[1U] = b14; + t410[2U] = b24; + t410[3U] = b34; + reduction_prime_2prime_impl(t410, t410); + uint64_t b04 = store_high_low_u(c12, c11); + uint64_t b15 = store_high_low_u((uint32_t)0U, c13); + uint64_t b25 = (uint64_t)0U; + uint64_t b35 = store_high_low_u(c10, c8); + t510[0U] = b04; + t510[1U] = b15; + t510[2U] = b25; + t510[3U] = b35; + reduction_prime_2prime_impl(t510, t510); + uint64_t b05 = store_high_low_u(c13, c12); + uint64_t b16 = store_high_low_u(c15, c14); + uint64_t b26 = (uint64_t)0U; + uint64_t b36 = store_high_low_u(c11, c9); + t610[0U] = b05; 
+ t610[1U] = b16; + t610[2U] = b26; + t610[3U] = b36; + reduction_prime_2prime_impl(t610, t610); + uint64_t b06 = store_high_low_u(c14, c13); + uint64_t b17 = store_high_low_u(c8, c15); + uint64_t b27 = store_high_low_u(c10, c9); + uint64_t b37 = store_high_low_u(c12, (uint32_t)0U); + t710[0U] = b06; + t710[1U] = b17; + t710[2U] = b27; + t710[3U] = b37; + reduction_prime_2prime_impl(t710, t710); + uint64_t b07 = store_high_low_u(c15, c14); + uint64_t b1 = store_high_low_u(c9, (uint32_t)0U); + uint64_t b2 = store_high_low_u(c11, c10); + uint64_t b3 = store_high_low_u(c13, (uint32_t)0U); + t810[0U] = b07; + t810[1U] = b1; + t810[2U] = b2; + t810[3U] = b3; + reduction_prime_2prime_impl(t810, t810); + uint64_t *t010 = tempBuffer; + uint64_t *t11 = tempBuffer + (uint32_t)4U; + uint64_t *t21 = tempBuffer + (uint32_t)8U; + uint64_t *t31 = tempBuffer + (uint32_t)12U; + uint64_t *t41 = tempBuffer + (uint32_t)16U; + uint64_t *t51 = tempBuffer + (uint32_t)20U; + uint64_t *t61 = tempBuffer + (uint32_t)24U; + uint64_t *t71 = tempBuffer + (uint32_t)28U; + uint64_t *t81 = tempBuffer + (uint32_t)32U; + p256_double(t21, t21); + p256_double(t11, t11); + p256_add(t010, t11, o); + p256_add(t21, o, o); + p256_add(t31, o, o); + p256_add(t41, o, o); + p256_sub(o, t51, o); + p256_sub(o, t61, o); + p256_sub(o, t71, o); + p256_sub(o, t81, o); +} + +static void +point_double_a_b_g( + uint64_t *p, + uint64_t *alpha, + uint64_t *beta, + uint64_t *gamma, + uint64_t *delta, + uint64_t *tempBuffer +) +{ + uint64_t *pX = p; + uint64_t *pY = p + (uint32_t)4U; + uint64_t *pZ = p + (uint32_t)8U; + uint64_t *a0 = tempBuffer; + uint64_t *a1 = tempBuffer + (uint32_t)4U; + uint64_t *alpha0 = tempBuffer + (uint32_t)8U; + montgomery_square_buffer(pZ, delta); + montgomery_square_buffer(pY, gamma); + montgomery_multiplication_buffer(pX, gamma, beta); + p256_sub(pX, delta, a0); + p256_add(pX, delta, a1); + montgomery_multiplication_buffer(a0, a1, alpha0); + multByThree(alpha0, alpha); +} + +static void 
+point_double_x3( + uint64_t *x3, + uint64_t *alpha, + uint64_t *fourBeta, + uint64_t *beta, + uint64_t *eightBeta +) +{ + montgomery_square_buffer(alpha, x3); + multByFour(beta, fourBeta); + multByTwo(fourBeta, eightBeta); + p256_sub(x3, eightBeta, x3); +} + +static void +point_double_z3(uint64_t *z3, uint64_t *pY, uint64_t *pZ, uint64_t *gamma, uint64_t *delta) +{ + p256_add(pY, pZ, z3); + montgomery_square_buffer(z3, z3); + p256_sub(z3, gamma, z3); + p256_sub(z3, delta, z3); +} + +static void +point_double_y3( + uint64_t *y3, + uint64_t *x3, + uint64_t *alpha, + uint64_t *gamma, + uint64_t *eightGamma, + uint64_t *fourBeta +) +{ + p256_sub(fourBeta, x3, y3); + montgomery_multiplication_buffer(alpha, y3, y3); + montgomery_square_buffer(gamma, gamma); + multByEight(gamma, eightGamma); + p256_sub(y3, eightGamma, y3); +} + +static void point_double(uint64_t *p, uint64_t *result, uint64_t *tempBuffer) +{ + uint64_t *pY = p + (uint32_t)4U; + uint64_t *pZ = p + (uint32_t)8U; + uint64_t *x3 = result; + uint64_t *y3 = result + (uint32_t)4U; + uint64_t *z3 = result + (uint32_t)8U; + uint64_t *delta = tempBuffer; + uint64_t *gamma = tempBuffer + (uint32_t)4U; + uint64_t *beta = tempBuffer + (uint32_t)8U; + uint64_t *alpha = tempBuffer + (uint32_t)16U; + uint64_t *fourBeta = tempBuffer + (uint32_t)20U; + uint64_t *eightBeta = tempBuffer + (uint32_t)24U; + uint64_t *eightGamma = tempBuffer + (uint32_t)28U; + uint64_t *tmp = tempBuffer + (uint32_t)32U; + point_double_a_b_g(p, alpha, beta, gamma, delta, tmp); + point_double_x3(x3, alpha, fourBeta, beta, eightBeta); + point_double_z3(z3, pY, pZ, gamma, delta); + point_double_y3(y3, x3, alpha, gamma, eightGamma, fourBeta); +} + +static void +copy_point_conditional( + uint64_t *x3_out, + uint64_t *y3_out, + uint64_t *z3_out, + uint64_t *p, + uint64_t *maskPoint +) +{ + uint64_t *z = maskPoint + (uint32_t)8U; + uint64_t mask = isZero_uint64_CT(z); + uint64_t *p_x = p; + uint64_t *p_y = p + (uint32_t)4U; + uint64_t *p_z = p + 
(uint32_t)8U; + copy_conditional(x3_out, p_x, mask); + copy_conditional(y3_out, p_y, mask); + copy_conditional(z3_out, p_z, mask); +} + +static void point_add(uint64_t *p, uint64_t *q, uint64_t *result, uint64_t *tempBuffer) +{ + uint64_t *tempBuffer16 = tempBuffer; + uint64_t *u1 = tempBuffer + (uint32_t)16U; + uint64_t *u2 = tempBuffer + (uint32_t)20U; + uint64_t *s1 = tempBuffer + (uint32_t)24U; + uint64_t *s2 = tempBuffer + (uint32_t)28U; + uint64_t *h = tempBuffer + (uint32_t)32U; + uint64_t *r = tempBuffer + (uint32_t)36U; + uint64_t *uh = tempBuffer + (uint32_t)40U; + uint64_t *hCube = tempBuffer + (uint32_t)44U; + uint64_t *tempBuffer28 = tempBuffer + (uint32_t)60U; + uint64_t *pX = p; + uint64_t *pY = p + (uint32_t)4U; + uint64_t *pZ = p + (uint32_t)8U; + uint64_t *qX = q; + uint64_t *qY = q + (uint32_t)4U; + uint64_t *qZ0 = q + (uint32_t)8U; + uint64_t *z2Square = tempBuffer16; + uint64_t *z1Square = tempBuffer16 + (uint32_t)4U; + uint64_t *z2Cube = tempBuffer16 + (uint32_t)8U; + uint64_t *z1Cube = tempBuffer16 + (uint32_t)12U; + montgomery_square_buffer(qZ0, z2Square); + montgomery_square_buffer(pZ, z1Square); + montgomery_multiplication_buffer(z2Square, qZ0, z2Cube); + montgomery_multiplication_buffer(z1Square, pZ, z1Cube); + montgomery_multiplication_buffer(z2Square, pX, u1); + montgomery_multiplication_buffer(z1Square, qX, u2); + montgomery_multiplication_buffer(z2Cube, pY, s1); + montgomery_multiplication_buffer(z1Cube, qY, s2); + uint64_t *temp = tempBuffer16; + p256_sub(u2, u1, h); + p256_sub(s2, s1, r); + montgomery_square_buffer(h, temp); + montgomery_multiplication_buffer(temp, u1, uh); + montgomery_multiplication_buffer(temp, h, hCube); + uint64_t *pZ0 = p + (uint32_t)8U; + uint64_t *qZ = q + (uint32_t)8U; + uint64_t *tempBuffer161 = tempBuffer28; + uint64_t *x3_out1 = tempBuffer28 + (uint32_t)16U; + uint64_t *y3_out1 = tempBuffer28 + (uint32_t)20U; + uint64_t *z3_out1 = tempBuffer28 + (uint32_t)24U; + uint64_t *rSquare = tempBuffer161; + 
uint64_t *rH = tempBuffer161 + (uint32_t)4U; + uint64_t *twoUh = tempBuffer161 + (uint32_t)8U; + montgomery_square_buffer(r, rSquare); + p256_sub(rSquare, hCube, rH); + multByTwo(uh, twoUh); + p256_sub(rH, twoUh, x3_out1); + uint64_t *s1hCube = tempBuffer161; + uint64_t *u1hx3 = tempBuffer161 + (uint32_t)4U; + uint64_t *ru1hx3 = tempBuffer161 + (uint32_t)8U; + montgomery_multiplication_buffer(s1, hCube, s1hCube); + p256_sub(uh, x3_out1, u1hx3); + montgomery_multiplication_buffer(u1hx3, r, ru1hx3); + p256_sub(ru1hx3, s1hCube, y3_out1); + uint64_t *z1z2 = tempBuffer161; + montgomery_multiplication_buffer(pZ0, qZ, z1z2); + montgomery_multiplication_buffer(z1z2, h, z3_out1); + copy_point_conditional(x3_out1, y3_out1, z3_out1, q, p); + copy_point_conditional(x3_out1, y3_out1, z3_out1, p, q); + memcpy(result, x3_out1, (uint32_t)4U * sizeof (uint64_t)); + memcpy(result + (uint32_t)4U, y3_out1, (uint32_t)4U * sizeof (uint64_t)); + memcpy(result + (uint32_t)8U, z3_out1, (uint32_t)4U * sizeof (uint64_t)); +} + +static void pointToDomain(uint64_t *p, uint64_t *result) +{ + uint64_t *p_x = p; + uint64_t *p_y = p + (uint32_t)4U; + uint64_t *p_z = p + (uint32_t)8U; + uint64_t *r_x = result; + uint64_t *r_y = result + (uint32_t)4U; + uint64_t *r_z = result + (uint32_t)8U; + uint64_t multBuffer[8U] = { 0U }; + shift_256_impl(p_x, multBuffer); + solinas_reduction_impl(multBuffer, r_x); + uint64_t multBuffer0[8U] = { 0U }; + shift_256_impl(p_y, multBuffer0); + solinas_reduction_impl(multBuffer0, r_y); + uint64_t multBuffer1[8U] = { 0U }; + shift_256_impl(p_z, multBuffer1); + solinas_reduction_impl(multBuffer1, r_z); +} + +static void copy_point(uint64_t *p, uint64_t *result) +{ + memcpy(result, p, (uint32_t)12U * sizeof (uint64_t)); +} + +uint64_t Hacl_Impl_P256_Core_isPointAtInfinityPrivate(uint64_t *p) +{ + uint64_t z0 = p[8U]; + uint64_t z1 = p[9U]; + uint64_t z2 = p[10U]; + uint64_t z3 = p[11U]; + uint64_t z0_zero = FStar_UInt64_eq_mask(z0, (uint64_t)0U); + uint64_t z1_zero = 
FStar_UInt64_eq_mask(z1, (uint64_t)0U); + uint64_t z2_zero = FStar_UInt64_eq_mask(z2, (uint64_t)0U); + uint64_t z3_zero = FStar_UInt64_eq_mask(z3, (uint64_t)0U); + return (z0_zero & z1_zero) & (z2_zero & z3_zero); +} + +static inline void cswap(uint64_t bit, uint64_t *p1, uint64_t *p2) +{ + uint64_t mask = (uint64_t)0U - bit; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)12U; i++) + { + uint64_t dummy = mask & (p1[i] ^ p2[i]); + p1[i] = p1[i] ^ dummy; + p2[i] = p2[i] ^ dummy; + } +} + +static void norm(uint64_t *p, uint64_t *resultPoint, uint64_t *tempBuffer) +{ + uint64_t *xf = p; + uint64_t *yf = p + (uint32_t)4U; + uint64_t *zf = p + (uint32_t)8U; + uint64_t *z2f = tempBuffer + (uint32_t)4U; + uint64_t *z3f = tempBuffer + (uint32_t)8U; + uint64_t *tempBuffer20 = tempBuffer + (uint32_t)12U; + montgomery_square_buffer(zf, z2f); + montgomery_multiplication_buffer(z2f, zf, z3f); + exponent(z2f, z2f, tempBuffer20); + exponent(z3f, z3f, tempBuffer20); + montgomery_multiplication_buffer(xf, z2f, z2f); + montgomery_multiplication_buffer(yf, z3f, z3f); + uint64_t zeroBuffer[4U] = { 0U }; + uint64_t *resultX = resultPoint; + uint64_t *resultY = resultPoint + (uint32_t)4U; + uint64_t *resultZ = resultPoint + (uint32_t)8U; + uint64_t bit = Hacl_Impl_P256_Core_isPointAtInfinityPrivate(p); + montgomery_multiplication_buffer_by_one(z2f, resultX); + montgomery_multiplication_buffer_by_one(z3f, resultY); + uploadOneImpl(resultZ); + copy_conditional(resultZ, zeroBuffer, bit); +} + +static void normX(uint64_t *p, uint64_t *result, uint64_t *tempBuffer) +{ + uint64_t *xf = p; + uint64_t *zf = p + (uint32_t)8U; + uint64_t *z2f = tempBuffer + (uint32_t)4U; + uint64_t *tempBuffer20 = tempBuffer + (uint32_t)12U; + montgomery_square_buffer(zf, z2f); + exponent(z2f, z2f, tempBuffer20); + montgomery_multiplication_buffer(z2f, xf, z2f); + montgomery_multiplication_buffer_by_one(z2f, result); +} + +static void zero_buffer(uint64_t *p) +{ + p[0U] = (uint64_t)0U; + p[1U] = (uint64_t)0U; + 
p[2U] = (uint64_t)0U; + p[3U] = (uint64_t)0U; + p[4U] = (uint64_t)0U; + p[5U] = (uint64_t)0U; + p[6U] = (uint64_t)0U; + p[7U] = (uint64_t)0U; + p[8U] = (uint64_t)0U; + p[9U] = (uint64_t)0U; + p[10U] = (uint64_t)0U; + p[11U] = (uint64_t)0U; +} + +static void +scalarMultiplicationL(uint64_t *p, uint64_t *result, uint8_t *scalar, uint64_t *tempBuffer) +{ + uint64_t *q = tempBuffer; + zero_buffer(q); + uint64_t *buff = tempBuffer + (uint32_t)12U; + pointToDomain(p, result); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)256U; i++) + { + uint32_t bit0 = (uint32_t)255U - i; + uint64_t + bit = + (uint64_t)(scalar[(uint32_t)31U - bit0 / (uint32_t)8U] >> bit0 % (uint32_t)8U & (uint8_t)1U); + cswap(bit, q, result); + point_add(q, result, result, buff); + point_double(q, q, buff); + cswap(bit, q, result); + } + norm(q, result, buff); +} + +static void +scalarMultiplicationC( + uint64_t *p, + uint64_t *result, + const uint8_t *scalar, + uint64_t *tempBuffer +) +{ + uint64_t *q = tempBuffer; + zero_buffer(q); + uint64_t *buff = tempBuffer + (uint32_t)12U; + pointToDomain(p, result); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)256U; i++) + { + uint32_t bit0 = (uint32_t)255U - i; + uint64_t + bit = + (uint64_t)(scalar[(uint32_t)31U - bit0 / (uint32_t)8U] >> bit0 % (uint32_t)8U & (uint8_t)1U); + cswap(bit, q, result); + point_add(q, result, result, buff); + point_double(q, q, buff); + cswap(bit, q, result); + } + norm(q, result, buff); +} + +static void uploadBasePoint(uint64_t *p) +{ + p[0U] = (uint64_t)8784043285714375740U; + p[1U] = (uint64_t)8483257759279461889U; + p[2U] = (uint64_t)8789745728267363600U; + p[3U] = (uint64_t)1770019616739251654U; + p[4U] = (uint64_t)15992936863339206154U; + p[5U] = (uint64_t)10037038012062884956U; + p[6U] = (uint64_t)15197544864945402661U; + p[7U] = (uint64_t)9615747158586711429U; + p[8U] = (uint64_t)1U; + p[9U] = (uint64_t)18446744069414584320U; + p[10U] = (uint64_t)18446744073709551615U; + p[11U] = (uint64_t)4294967294U; +} + +static 
void +scalarMultiplicationWithoutNorm( + uint64_t *p, + uint64_t *result, + uint8_t *scalar, + uint64_t *tempBuffer +) +{ + uint64_t *q = tempBuffer; + zero_buffer(q); + uint64_t *buff = tempBuffer + (uint32_t)12U; + pointToDomain(p, result); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)256U; i++) + { + uint32_t bit0 = (uint32_t)255U - i; + uint64_t + bit = + (uint64_t)(scalar[(uint32_t)31U - bit0 / (uint32_t)8U] >> bit0 % (uint32_t)8U & (uint8_t)1U); + cswap(bit, q, result); + point_add(q, result, result, buff); + point_double(q, q, buff); + cswap(bit, q, result); + } + copy_point(q, result); +} + +void +Hacl_Impl_P256_Core_secretToPublic(uint64_t *result, uint8_t *scalar, uint64_t *tempBuffer) +{ + uint64_t basePoint[12U] = { 0U }; + uploadBasePoint(basePoint); + uint64_t *q = tempBuffer; + uint64_t *buff = tempBuffer + (uint32_t)12U; + zero_buffer(q); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)256U; i++) + { + uint32_t bit0 = (uint32_t)255U - i; + uint64_t + bit = + (uint64_t)(scalar[(uint32_t)31U - bit0 / (uint32_t)8U] >> bit0 % (uint32_t)8U & (uint8_t)1U); + cswap(bit, q, basePoint); + point_add(q, basePoint, basePoint, buff); + point_double(q, q, buff); + cswap(bit, q, basePoint); + } + norm(q, result, buff); +} + +static void secretToPublicWithoutNorm(uint64_t *result, uint8_t *scalar, uint64_t *tempBuffer) +{ + uint64_t basePoint[12U] = { 0U }; + uploadBasePoint(basePoint); + uint64_t *q = tempBuffer; + uint64_t *buff = tempBuffer + (uint32_t)12U; + zero_buffer(q); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)256U; i++) + { + uint32_t bit0 = (uint32_t)255U - i; + uint64_t + bit = + (uint64_t)(scalar[(uint32_t)31U - bit0 / (uint32_t)8U] >> bit0 % (uint32_t)8U & (uint8_t)1U); + cswap(bit, q, basePoint); + point_add(q, basePoint, basePoint, buff); + point_double(q, q, buff); + cswap(bit, q, basePoint); + } + copy_point(q, result); +} + +static const +uint64_t +prime256order_buffer[4U] = + { + (uint64_t)17562291160714782033U, + 
(uint64_t)13611842547513532036U, + (uint64_t)18446744073709551615U, + (uint64_t)18446744069414584320U + }; + +static const +uint8_t +order_inverse_buffer[32U] = + { + (uint8_t)79U, (uint8_t)37U, (uint8_t)99U, (uint8_t)252U, (uint8_t)194U, (uint8_t)202U, + (uint8_t)185U, (uint8_t)243U, (uint8_t)132U, (uint8_t)158U, (uint8_t)23U, (uint8_t)167U, + (uint8_t)173U, (uint8_t)250U, (uint8_t)230U, (uint8_t)188U, (uint8_t)255U, (uint8_t)255U, + (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, + (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, + (uint8_t)255U + }; + +static const +uint8_t +order_buffer[32U] = + { + (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, (uint8_t)0U, (uint8_t)0U, + (uint8_t)0U, (uint8_t)0U, (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, + (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, (uint8_t)188U, (uint8_t)230U, + (uint8_t)250U, (uint8_t)173U, (uint8_t)167U, (uint8_t)23U, (uint8_t)158U, (uint8_t)132U, + (uint8_t)243U, (uint8_t)185U, (uint8_t)202U, (uint8_t)194U, (uint8_t)252U, (uint8_t)99U, + (uint8_t)37U, (uint8_t)81U + }; + +static void montgomery_multiplication_round(uint64_t *t, uint64_t *round, uint64_t k0) +{ + uint64_t temp = (uint64_t)0U; + uint64_t y = (uint64_t)0U; + uint64_t t2[8U] = { 0U }; + uint64_t t3[8U] = { 0U }; + uint64_t t1 = t[0U]; + mul64(t1, k0, &y, &temp); + uint64_t y_ = y; + uint64_t *result04 = t2; + uint64_t temp1 = (uint64_t)0U; + uint64_t f1 = prime256order_buffer[1U]; + uint64_t f2 = prime256order_buffer[2U]; + uint64_t f3 = prime256order_buffer[3U]; + uint64_t *o0 = result04; + uint64_t *o1 = result04 + (uint32_t)1U; + uint64_t *o2 = result04 + (uint32_t)2U; + uint64_t *o3 = result04 + (uint32_t)3U; + uint64_t f01 = prime256order_buffer[0U]; + mul64(f01, y_, o0, &temp1); + uint64_t h0 = temp1; + mul64(f1, y_, o1, &temp1); + uint64_t l0 = o1[0U]; + uint64_t c1 = 
Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l0, h0, o1); + uint64_t h1 = temp1; + mul64(f2, y_, o2, &temp1); + uint64_t l1 = o2[0U]; + uint64_t c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c1, l1, h1, o2); + uint64_t h = temp1; + mul64(f3, y_, o3, &temp1); + uint64_t l = o3[0U]; + uint64_t c3 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, l, h, o3); + uint64_t temp0 = temp1; + uint64_t c = c3 + temp0; + t2[4U] = c; + uint64_t uu____0 = add8(t, t2, t3); + shift8(t3, round); +} + +static void montgomery_multiplication_round_twice(uint64_t *t, uint64_t *result, uint64_t k0) +{ + uint64_t tempRound[8U] = { 0U }; + montgomery_multiplication_round(t, tempRound, k0); + montgomery_multiplication_round(tempRound, result, k0); +} + +static void reduction_prime_2prime_with_carry(uint64_t *x, uint64_t *result) +{ + uint64_t tempBuffer[4U] = { 0U }; + uint64_t tempBufferForSubborrow = (uint64_t)0U; + uint64_t cin = x[4U]; + uint64_t *x_ = x; + uint64_t c = sub4_il(x_, prime256order_buffer, tempBuffer); + uint64_t + carry = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, cin, (uint64_t)0U, &tempBufferForSubborrow); + cmovznz4(carry, tempBuffer, x_, result); +} + +static void reduction_prime_2prime_order(uint64_t *x, uint64_t *result) +{ + uint64_t tempBuffer[4U] = { 0U }; + uint64_t c = sub4_il(x, prime256order_buffer, tempBuffer); + cmovznz4(c, tempBuffer, x, result); +} + +static void montgomery_multiplication_ecdsa_module(uint64_t *a, uint64_t *b, uint64_t *result) +{ + uint64_t t[8U] = { 0U }; + uint64_t round2[8U] = { 0U }; + uint64_t round4[8U] = { 0U }; + uint64_t prime_p256_orderBuffer[4U] = { 0U }; + uint64_t k0 = (uint64_t)14758798090332847183U; + uint64_t f0 = a[0U]; + uint64_t f1 = a[1U]; + uint64_t f2 = a[2U]; + uint64_t f3 = a[3U]; + uint64_t *b0 = t; + uint64_t temp2 = (uint64_t)0U; + uint64_t f110 = b[1U]; + uint64_t f210 = b[2U]; + uint64_t f310 = b[3U]; + uint64_t *o00 = b0; + uint64_t *o10 = b0 + (uint32_t)1U; + uint64_t *o20 = b0 + (uint32_t)2U; + uint64_t *o30 
= b0 + (uint32_t)3U; + uint64_t f020 = b[0U]; + mul64(f020, f0, o00, &temp2); + uint64_t h0 = temp2; + mul64(f110, f0, o10, &temp2); + uint64_t l0 = o10[0U]; + uint64_t c1 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l0, h0, o10); + uint64_t h1 = temp2; + mul64(f210, f0, o20, &temp2); + uint64_t l1 = o20[0U]; + uint64_t c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c1, l1, h1, o20); + uint64_t h2 = temp2; + mul64(f310, f0, o30, &temp2); + uint64_t l2 = o30[0U]; + uint64_t c30 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, l2, h2, o30); + uint64_t temp00 = temp2; + uint64_t c0 = c30 + temp00; + t[4U] = c0; + uint64_t *b1 = t + (uint32_t)1U; + uint64_t temp3[4U] = { 0U }; + uint64_t temp10 = (uint64_t)0U; + uint64_t f111 = b[1U]; + uint64_t f211 = b[2U]; + uint64_t f311 = b[3U]; + uint64_t *o01 = temp3; + uint64_t *o11 = temp3 + (uint32_t)1U; + uint64_t *o21 = temp3 + (uint32_t)2U; + uint64_t *o31 = temp3 + (uint32_t)3U; + uint64_t f021 = b[0U]; + mul64(f021, f1, o01, &temp10); + uint64_t h3 = temp10; + mul64(f111, f1, o11, &temp10); + uint64_t l3 = o11[0U]; + uint64_t c10 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l3, h3, o11); + uint64_t h4 = temp10; + mul64(f211, f1, o21, &temp10); + uint64_t l4 = o21[0U]; + uint64_t c20 = Lib_IntTypes_Intrinsics_add_carry_u64(c10, l4, h4, o21); + uint64_t h5 = temp10; + mul64(f311, f1, o31, &temp10); + uint64_t l5 = o31[0U]; + uint64_t c31 = Lib_IntTypes_Intrinsics_add_carry_u64(c20, l5, h5, o31); + uint64_t temp01 = temp10; + uint64_t c = c31 + temp01; + uint64_t c32 = add4(temp3, b1, b1); + uint64_t c11 = c + c32; + t[5U] = c11; + uint64_t *b2 = t + (uint32_t)2U; + uint64_t temp4[4U] = { 0U }; + uint64_t temp11 = (uint64_t)0U; + uint64_t f112 = b[1U]; + uint64_t f212 = b[2U]; + uint64_t f312 = b[3U]; + uint64_t *o02 = temp4; + uint64_t *o12 = temp4 + (uint32_t)1U; + uint64_t *o22 = temp4 + (uint32_t)2U; + uint64_t *o32 = temp4 + (uint32_t)3U; + uint64_t f022 = b[0U]; + mul64(f022, f2, o02, &temp11); + uint64_t h6 
= temp11; + mul64(f112, f2, o12, &temp11); + uint64_t l6 = o12[0U]; + uint64_t c110 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l6, h6, o12); + uint64_t h7 = temp11; + mul64(f212, f2, o22, &temp11); + uint64_t l7 = o22[0U]; + uint64_t c21 = Lib_IntTypes_Intrinsics_add_carry_u64(c110, l7, h7, o22); + uint64_t h8 = temp11; + mul64(f312, f2, o32, &temp11); + uint64_t l8 = o32[0U]; + uint64_t c33 = Lib_IntTypes_Intrinsics_add_carry_u64(c21, l8, h8, o32); + uint64_t temp02 = temp11; + uint64_t c4 = c33 + temp02; + uint64_t c34 = add4(temp4, b2, b2); + uint64_t c22 = c4 + c34; + t[6U] = c22; + uint64_t *b3 = t + (uint32_t)3U; + uint64_t temp[4U] = { 0U }; + uint64_t temp1 = (uint64_t)0U; + uint64_t f11 = b[1U]; + uint64_t f21 = b[2U]; + uint64_t f31 = b[3U]; + uint64_t *o0 = temp; + uint64_t *o1 = temp + (uint32_t)1U; + uint64_t *o2 = temp + (uint32_t)2U; + uint64_t *o3 = temp + (uint32_t)3U; + uint64_t f02 = b[0U]; + mul64(f02, f3, o0, &temp1); + uint64_t h9 = temp1; + mul64(f11, f3, o1, &temp1); + uint64_t l9 = o1[0U]; + uint64_t c111 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l9, h9, o1); + uint64_t h10 = temp1; + mul64(f21, f3, o2, &temp1); + uint64_t l10 = o2[0U]; + uint64_t c210 = Lib_IntTypes_Intrinsics_add_carry_u64(c111, l10, h10, o2); + uint64_t h = temp1; + mul64(f31, f3, o3, &temp1); + uint64_t l = o3[0U]; + uint64_t c35 = Lib_IntTypes_Intrinsics_add_carry_u64(c210, l, h, o3); + uint64_t temp0 = temp1; + uint64_t c5 = c35 + temp0; + uint64_t c3 = add4(temp, b3, b3); + uint64_t c36 = c5 + c3; + t[7U] = c36; + montgomery_multiplication_round_twice(t, round2, k0); + montgomery_multiplication_round_twice(round2, round4, k0); + reduction_prime_2prime_with_carry(round4, result); +} + +static void bufferToJac(uint64_t *p, uint64_t *result) +{ + uint64_t *partPoint = result; + memcpy(partPoint, p, (uint32_t)8U * sizeof (uint64_t)); + result[8U] = (uint64_t)1U; + result[9U] = (uint64_t)0U; + result[10U] = (uint64_t)0U; + result[11U] = 
(uint64_t)0U; +} + +/* + The input of the function is considered to be public, +thus this code is not secret independent with respect to the operations done over the input. +*/ +static bool isPointAtInfinityPublic(uint64_t *p) +{ + uint64_t z0 = p[8U]; + uint64_t z1 = p[9U]; + uint64_t z2 = p[10U]; + uint64_t z3 = p[11U]; + bool z0_zero = z0 == (uint64_t)0U; + bool z1_zero = z1 == (uint64_t)0U; + bool z2_zero = z2 == (uint64_t)0U; + bool z3_zero = z3 == (uint64_t)0U; + return z0_zero && z1_zero && z2_zero && z3_zero; +} + +/* + The input of the function is considered to be public, +thus this code is not secret independent with respect to the operations done over the input. +*/ +static bool isPointOnCurvePublic(uint64_t *p) +{ + uint64_t y2Buffer[4U] = { 0U }; + uint64_t xBuffer[4U] = { 0U }; + uint64_t *x = p; + uint64_t *y = p + (uint32_t)4U; + uint64_t multBuffer0[8U] = { 0U }; + shift_256_impl(y, multBuffer0); + solinas_reduction_impl(multBuffer0, y2Buffer); + montgomery_square_buffer(y2Buffer, y2Buffer); + uint64_t xToDomainBuffer[4U] = { 0U }; + uint64_t minusThreeXBuffer[4U] = { 0U }; + uint64_t p256_constant[4U] = { 0U }; + uint64_t multBuffer[8U] = { 0U }; + shift_256_impl(x, multBuffer); + solinas_reduction_impl(multBuffer, xToDomainBuffer); + montgomery_square_buffer(xToDomainBuffer, xBuffer); + montgomery_multiplication_buffer(xBuffer, xToDomainBuffer, xBuffer); + multByThree(xToDomainBuffer, minusThreeXBuffer); + p256_sub(xBuffer, minusThreeXBuffer, xBuffer); + p256_constant[0U] = (uint64_t)15608596021259845087U; + p256_constant[1U] = (uint64_t)12461466548982526096U; + p256_constant[2U] = (uint64_t)16546823903870267094U; + p256_constant[3U] = (uint64_t)15866188208926050356U; + p256_add(xBuffer, p256_constant, xBuffer); + uint64_t r = compare_felem(y2Buffer, xBuffer); + return !(r == (uint64_t)0U); +} + +static bool isCoordinateValid(uint64_t *p) +{ + uint64_t tempBuffer[4U] = { 0U }; + uint64_t *x = p; + uint64_t *y = p + (uint32_t)4U; + uint64_t carryX 
= sub4_il(x, prime256_buffer, tempBuffer); + uint64_t carryY = sub4_il(y, prime256_buffer, tempBuffer); + bool lessX = carryX == (uint64_t)1U; + bool lessY = carryY == (uint64_t)1U; + return lessX && lessY; +} + +/* + The input of the function is considered to be public, +thus this code is not secret independent with respect to the operations done over the input. +*/ +static bool isOrderCorrect(uint64_t *p, uint64_t *tempBuffer) +{ + uint64_t multResult[12U] = { 0U }; + uint64_t pBuffer[12U] = { 0U }; + memcpy(pBuffer, p, (uint32_t)12U * sizeof (uint64_t)); + scalarMultiplicationC(pBuffer, multResult, order_buffer, tempBuffer); + bool result = isPointAtInfinityPublic(multResult); + return result; +} + +/* + The input of the function is considered to be public, +thus this code is not secret independent with respect to the operations done over the input. +*/ +static bool verifyQValidCurvePoint(uint64_t *pubKeyAsPoint, uint64_t *tempBuffer) +{ + bool coordinatesValid = isCoordinateValid(pubKeyAsPoint); + if (!coordinatesValid) + { + return false; + } + bool belongsToCurve = isPointOnCurvePublic(pubKeyAsPoint); + bool orderCorrect = isOrderCorrect(pubKeyAsPoint, tempBuffer); + return coordinatesValid && belongsToCurve && orderCorrect; +} + +static bool isMoreThanZeroLessThanOrder(uint8_t *x) +{ + uint64_t xAsFelem[4U] = { 0U }; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(x, xAsFelem); + uint64_t tempBuffer[4U] = { 0U }; + uint64_t carry = sub4_il(xAsFelem, prime256order_buffer, tempBuffer); + uint64_t less = FStar_UInt64_eq_mask(carry, (uint64_t)1U); + uint64_t more = isZero_uint64_CT(xAsFelem); + uint64_t notMore = ~more; + uint64_t result = less & notMore; + return ~result == (uint64_t)0U; +} + +/* + The pub(lic)_key input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over this variable. 
+*/ +uint64_t Hacl_Impl_P256_DH__ecp256dh_r(uint64_t *result, uint64_t *pubKey, uint8_t *scalar) +{ + uint64_t tempBuffer[100U] = { 0U }; + uint64_t publicKeyBuffer[12U] = { 0U }; + bufferToJac(pubKey, publicKeyBuffer); + bool publicKeyCorrect = verifyQValidCurvePoint(publicKeyBuffer, tempBuffer); + if (publicKeyCorrect) + { + scalarMultiplicationL(publicKeyBuffer, result, scalar, tempBuffer); + uint64_t flag = Hacl_Impl_P256_Core_isPointAtInfinityPrivate(result); + return flag; + } + return (uint64_t)18446744073709551615U; +} + +static inline void cswap0(uint64_t bit, uint64_t *p1, uint64_t *p2) +{ + uint64_t mask = (uint64_t)0U - bit; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t dummy = mask & (p1[i] ^ p2[i]); + p1[i] = p1[i] ^ dummy; + p2[i] = p2[i] ^ dummy; + } +} + +static void montgomery_ladder_exponent(uint64_t *r) +{ + uint64_t p[4U] = { 0U }; + p[0U] = (uint64_t)884452912994769583U; + p[1U] = (uint64_t)4834901526196019579U; + p[2U] = (uint64_t)0U; + p[3U] = (uint64_t)4294967295U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)256U; i++) + { + uint32_t bit0 = (uint32_t)255U - i; + uint64_t + bit = + (uint64_t)(order_inverse_buffer[bit0 / (uint32_t)8U] >> bit0 % (uint32_t)8U & (uint8_t)1U); + cswap0(bit, p, r); + montgomery_multiplication_ecdsa_module(p, r, r); + montgomery_multiplication_ecdsa_module(p, p, p); + cswap0(bit, p, r); + } + memcpy(r, p, (uint32_t)4U * sizeof (uint64_t)); +} + +static void fromDomainImpl(uint64_t *a, uint64_t *result) +{ + uint64_t one[4U] = { 0U }; + uploadOneImpl(one); + montgomery_multiplication_ecdsa_module(one, a, result); +} + +static void multPowerPartial(uint64_t *a, uint64_t *b, uint64_t *result) +{ + uint64_t buffFromDB[4U] = { 0U }; + fromDomainImpl(b, buffFromDB); + fromDomainImpl(buffFromDB, buffFromDB); + montgomery_multiplication_ecdsa_module(a, buffFromDB, result); +} + +/* + The input of the function is considered to be public, +thus this code is not secret independent with respect to 
the operations done over the input. +*/ +static bool isMoreThanZeroLessThanOrderMinusOne(uint64_t *f) +{ + uint64_t tempBuffer[4U] = { 0U }; + uint64_t carry = sub4_il(f, prime256order_buffer, tempBuffer); + bool less = carry == (uint64_t)1U; + uint64_t f0 = f[0U]; + uint64_t f1 = f[1U]; + uint64_t f2 = f[2U]; + uint64_t f3 = f[3U]; + bool z0_zero = f0 == (uint64_t)0U; + bool z1_zero = f1 == (uint64_t)0U; + bool z2_zero = f2 == (uint64_t)0U; + bool z3_zero = f3 == (uint64_t)0U; + bool more = z0_zero && z1_zero && z2_zero && z3_zero; + return less && !more; +} + +/* + The input of the function is considered to be public, +thus this code is not secret independent with respect to the operations done over the input. +*/ +static bool compare_felem_bool(uint64_t *a, uint64_t *b) +{ + uint64_t a_0 = a[0U]; + uint64_t a_1 = a[1U]; + uint64_t a_2 = a[2U]; + uint64_t a_3 = a[3U]; + uint64_t b_0 = b[0U]; + uint64_t b_1 = b[1U]; + uint64_t b_2 = b[2U]; + uint64_t b_3 = b[3U]; + return a_0 == b_0 && a_1 == b_1 && a_2 == b_2 && a_3 == b_3; +} + +/* + The input of the function is considered to be public, +thus this code is not secret independent with respect to the operations done over the input. 
+*/ +static bool +ecdsa_verification_( + Spec_ECDSA_hash_alg_ecdsa alg, + uint64_t *pubKey, + uint64_t *r, + uint64_t *s, + uint32_t mLen, + uint8_t *m +) +{ + uint64_t tempBufferU64[120U] = { 0U }; + uint64_t *publicKeyBuffer = tempBufferU64; + uint64_t *hashAsFelem = tempBufferU64 + (uint32_t)12U; + uint64_t *tempBuffer = tempBufferU64 + (uint32_t)16U; + uint64_t *xBuffer = tempBufferU64 + (uint32_t)116U; + bufferToJac(pubKey, publicKeyBuffer); + bool publicKeyCorrect = verifyQValidCurvePoint(publicKeyBuffer, tempBuffer); + if (publicKeyCorrect == false) + { + return false; + } + bool isRCorrect = isMoreThanZeroLessThanOrderMinusOne(r); + bool isSCorrect = isMoreThanZeroLessThanOrderMinusOne(s); + bool step1 = isRCorrect && isSCorrect; + if (step1 == false) + { + return false; + } + uint8_t tempBufferU8[64U] = { 0U }; + uint8_t *bufferU1 = tempBufferU8; + uint8_t *bufferU2 = tempBufferU8 + (uint32_t)32U; + uint32_t sz; + if (alg.tag == Spec_ECDSA_NoHash) + { + sz = mLen; + } + else if (alg.tag == Spec_ECDSA_Hash) + { + Spec_Hash_Definitions_hash_alg a = alg._0; + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + sz = (uint32_t)16U; + break; + } + case Spec_Hash_Definitions_SHA1: + { + sz = (uint32_t)20U; + break; + } + case Spec_Hash_Definitions_SHA2_224: + { + sz = (uint32_t)28U; + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + sz = (uint32_t)32U; + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + sz = (uint32_t)48U; + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + sz = (uint32_t)64U; + break; + } + case Spec_Hash_Definitions_Blake2S: + { + sz = (uint32_t)32U; + break; + } + case Spec_Hash_Definitions_Blake2B: + { + sz = (uint32_t)64U; + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + else + { + sz = KRML_EABORT(uint32_t, "unreachable (pattern matches are exhaustive in F*)"); + } + KRML_CHECK_SIZE(sizeof (uint8_t), sz); + uint8_t 
mHash[sz]; + memset(mHash, 0U, sz * sizeof (uint8_t)); + if (alg.tag == Spec_ECDSA_NoHash) + { + memcpy(mHash, m, sz * sizeof (uint8_t)); + } + else if (alg.tag == Spec_ECDSA_Hash) + { + Spec_Hash_Definitions_hash_alg a = alg._0; + switch (a) + { + case Spec_Hash_Definitions_SHA2_256: + { + Hacl_Hash_SHA2_hash_256(m, mLen, mHash); + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + Hacl_Hash_SHA2_hash_384(m, mLen, mHash); + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + Hacl_Hash_SHA2_hash_512(m, mLen, mHash); + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + else + { + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); + } + uint8_t *cutHash = mHash; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(cutHash, hashAsFelem); + reduction_prime_2prime_order(hashAsFelem, hashAsFelem); + uint64_t tempBuffer1[12U] = { 0U }; + uint64_t *inverseS = tempBuffer1; + uint64_t *u1 = tempBuffer1 + (uint32_t)4U; + uint64_t *u2 = tempBuffer1 + (uint32_t)8U; + fromDomainImpl(s, inverseS); + montgomery_ladder_exponent(inverseS); + multPowerPartial(inverseS, hashAsFelem, u1); + multPowerPartial(inverseS, r, u2); + Hacl_Impl_P256_LowLevel_changeEndian(u1); + Hacl_Impl_P256_LowLevel_changeEndian(u2); + Hacl_Impl_P256_LowLevel_toUint8(u1, bufferU1); + Hacl_Impl_P256_LowLevel_toUint8(u2, bufferU2); + uint64_t pointSum[12U] = { 0U }; + uint64_t points[24U] = { 0U }; + uint64_t *buff = tempBuffer + (uint32_t)12U; + uint64_t *pointU1G = points; + uint64_t *pointU2Q0 = points + (uint32_t)12U; + secretToPublicWithoutNorm(pointU1G, bufferU1, tempBuffer); + scalarMultiplicationWithoutNorm(publicKeyBuffer, pointU2Q0, bufferU2, tempBuffer); + uint64_t *pointU1G0 = points; + uint64_t *pointU2Q = points + (uint32_t)12U; + uint64_t tmp[112U] = { 0U }; + uint64_t *tmpForNorm = tmp; + uint64_t 
*result0Norm = tmp + (uint32_t)88U; + uint64_t *result1Norm = tmp + (uint32_t)100U; + uint64_t *pointU1G1 = points; + uint64_t *pointU2Q1 = points + (uint32_t)12U; + norm(pointU1G1, result0Norm, tmpForNorm); + norm(pointU2Q1, result1Norm, tmpForNorm); + uint64_t *x0 = result0Norm; + uint64_t *y0 = result0Norm + (uint32_t)4U; + uint64_t *z0 = result0Norm + (uint32_t)8U; + uint64_t *x1 = result1Norm; + uint64_t *y1 = result1Norm + (uint32_t)4U; + uint64_t *z1 = result1Norm + (uint32_t)8U; + bool xEqual = compare_felem_bool(x0, x1); + bool yEqual = compare_felem_bool(y0, y1); + bool zEqual = compare_felem_bool(z0, z1); + bool equalX = xEqual && yEqual && zEqual; + bool equalX0 = equalX; + if (equalX0) + { + point_double(pointU1G0, pointSum, buff); + } + else + { + point_add(pointU1G0, pointU2Q, pointSum, buff); + } + norm(pointSum, pointSum, buff); + bool resultIsPAI = isPointAtInfinityPublic(pointSum); + uint64_t *xCoordinateSum = pointSum; + memcpy(xBuffer, xCoordinateSum, (uint32_t)4U * sizeof (uint64_t)); + reduction_prime_2prime_order(xBuffer, xBuffer); + bool r1 = !resultIsPAI; + bool state = r1; + if (state == false) + { + return false; + } + bool result = compare_felem_bool(xBuffer, r); + return result; +} + +static uint64_t +ecdsa_signature_core( + Spec_ECDSA_hash_alg_ecdsa alg, + uint64_t *r, + uint64_t *s, + uint32_t mLen, + uint8_t *m, + uint64_t *privKeyAsFelem, + uint8_t *k +) +{ + uint64_t hashAsFelem[4U] = { 0U }; + uint64_t tempBuffer[100U] = { 0U }; + uint64_t kAsFelem[4U] = { 0U }; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(k, kAsFelem); + uint32_t sz; + if (alg.tag == Spec_ECDSA_NoHash) + { + sz = mLen; + } + else if (alg.tag == Spec_ECDSA_Hash) + { + Spec_Hash_Definitions_hash_alg a = alg._0; + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + sz = (uint32_t)16U; + break; + } + case Spec_Hash_Definitions_SHA1: + { + sz = (uint32_t)20U; + break; + } + case Spec_Hash_Definitions_SHA2_224: + { + sz = (uint32_t)28U; + break; + } + case 
Spec_Hash_Definitions_SHA2_256: + { + sz = (uint32_t)32U; + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + sz = (uint32_t)48U; + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + sz = (uint32_t)64U; + break; + } + case Spec_Hash_Definitions_Blake2S: + { + sz = (uint32_t)32U; + break; + } + case Spec_Hash_Definitions_Blake2B: + { + sz = (uint32_t)64U; + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + else + { + sz = KRML_EABORT(uint32_t, "unreachable (pattern matches are exhaustive in F*)"); + } + KRML_CHECK_SIZE(sizeof (uint8_t), sz); + uint8_t mHash[sz]; + memset(mHash, 0U, sz * sizeof (uint8_t)); + if (alg.tag == Spec_ECDSA_NoHash) + { + memcpy(mHash, m, sz * sizeof (uint8_t)); + } + else if (alg.tag == Spec_ECDSA_Hash) + { + Spec_Hash_Definitions_hash_alg a = alg._0; + switch (a) + { + case Spec_Hash_Definitions_SHA2_256: + { + Hacl_Hash_SHA2_hash_256(m, mLen, mHash); + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + Hacl_Hash_SHA2_hash_384(m, mLen, mHash); + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + Hacl_Hash_SHA2_hash_512(m, mLen, mHash); + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + else + { + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); + } + uint8_t *cutHash = mHash; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(cutHash, hashAsFelem); + reduction_prime_2prime_order(hashAsFelem, hashAsFelem); + uint64_t result[12U] = { 0U }; + uint64_t *tempForNorm = tempBuffer; + secretToPublicWithoutNorm(result, k, tempBuffer); + normX(result, r, tempForNorm); + reduction_prime_2prime_order(r, r); + uint64_t step5Flag = isZero_uint64_CT(r); + uint64_t rda[4U] = { 0U }; + uint64_t zBuffer[4U] = { 0U }; + uint64_t kInv[4U] = { 0U }; + 
montgomery_multiplication_ecdsa_module(r, privKeyAsFelem, rda); + fromDomainImpl(hashAsFelem, zBuffer); + uint64_t t = add4(rda, zBuffer, zBuffer); + uint64_t tempBuffer1[4U] = { 0U }; + uint64_t tempBufferForSubborrow = (uint64_t)0U; + uint64_t c = sub4_il(zBuffer, prime256order_buffer, tempBuffer1); + uint64_t + carry = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t, (uint64_t)0U, &tempBufferForSubborrow); + cmovznz4(carry, tempBuffer1, zBuffer, zBuffer); + memcpy(kInv, kAsFelem, (uint32_t)4U * sizeof (uint64_t)); + montgomery_ladder_exponent(kInv); + montgomery_multiplication_ecdsa_module(zBuffer, kInv, s); + uint64_t sIsZero = isZero_uint64_CT(s); + return step5Flag | sIsZero; +} + +static inline void cswap1(uint64_t bit, uint64_t *p1, uint64_t *p2) +{ + uint64_t mask = (uint64_t)0U - bit; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t dummy = mask & (p1[i] ^ p2[i]); + p1[i] = p1[i] ^ dummy; + p2[i] = p2[i] ^ dummy; + } +} + +static void montgomery_ladder_power(uint64_t *a, const uint8_t *scalar, uint64_t *result) +{ + uint64_t p[4U] = { 0U }; + p[0U] = (uint64_t)1U; + p[1U] = (uint64_t)18446744069414584320U; + p[2U] = (uint64_t)18446744073709551615U; + p[3U] = (uint64_t)4294967294U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)256U; i++) + { + uint32_t bit0 = (uint32_t)255U - i; + uint64_t bit = (uint64_t)(scalar[bit0 / (uint32_t)8U] >> bit0 % (uint32_t)8U & (uint8_t)1U); + cswap1(bit, p, a); + montgomery_multiplication_buffer(p, a, a); + montgomery_square_buffer(p, p); + cswap1(bit, p, a); + } + memcpy(result, p, (uint32_t)4U * sizeof (uint64_t)); +} + +static const +uint8_t +sqPower_buffer[32U] = + { + (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, + (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)64U, (uint8_t)0U, (uint8_t)0U, + (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, + (uint8_t)0U, (uint8_t)0U, (uint8_t)64U, (uint8_t)0U, 
(uint8_t)0U, (uint8_t)0U, (uint8_t)192U, + (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, (uint8_t)63U + }; + +static void computeYFromX(uint64_t *x, uint64_t *result, uint64_t sign) +{ + uint64_t aCoordinateBuffer[4U] = { 0U }; + uint64_t bCoordinateBuffer[4U] = { 0U }; + aCoordinateBuffer[0U] = (uint64_t)18446744073709551612U; + aCoordinateBuffer[1U] = (uint64_t)17179869183U; + aCoordinateBuffer[2U] = (uint64_t)0U; + aCoordinateBuffer[3U] = (uint64_t)18446744056529682436U; + bCoordinateBuffer[0U] = (uint64_t)15608596021259845087U; + bCoordinateBuffer[1U] = (uint64_t)12461466548982526096U; + bCoordinateBuffer[2U] = (uint64_t)16546823903870267094U; + bCoordinateBuffer[3U] = (uint64_t)15866188208926050356U; + montgomery_multiplication_buffer(aCoordinateBuffer, x, aCoordinateBuffer); + cube(x, result); + p256_add(result, aCoordinateBuffer, result); + p256_add(result, bCoordinateBuffer, result); + uploadZeroImpl(aCoordinateBuffer); + montgomery_ladder_power(result, sqPower_buffer, result); + montgomery_multiplication_buffer_by_one(result, result); + p256_sub(aCoordinateBuffer, result, bCoordinateBuffer); + uint64_t word = result[0U]; + uint64_t bitToCheck = word & (uint64_t)1U; + uint64_t flag = FStar_UInt64_eq_mask(bitToCheck, sign); + cmovznz4(flag, bCoordinateBuffer, result, result); +} + + +/******************************************************************************* + +ECDSA and ECDH functions over the P-256 NIST curve. + +This module implements signing and verification, key validation, conversions +between various point representations, and ECDH key agreement. + +*******************************************************************************/ + +/**************/ +/* Signatures */ +/**************/ + +/* + Per the standard, a hash function *shall* be used. Therefore, we recommend + using one of the three combined hash-and-sign variants. +*/ + +/* +Hash the message with SHA2-256, then sign the resulting digest with the P256 signature function. 
+ +Input: result buffer: uint8[64], + m buffer: uint8 [mLen], + priv(ate)Key: uint8[32], + k (nonce): uint32[32]. + + Output: bool, where True stands for the correct signature generation. False value means that an error has occurred. + + The private key and the nonce are expected to be more than 0 and less than the curve order. +*/ +bool +Hacl_P256_ecdsa_sign_p256_sha2( + uint8_t *result, + uint32_t mLen, + uint8_t *m, + uint8_t *privKey, + uint8_t *k +) +{ + uint64_t privKeyAsFelem[4U] = { 0U }; + uint64_t r[4U] = { 0U }; + uint64_t s[4U] = { 0U }; + uint8_t *resultR = result; + uint8_t *resultS = result + (uint32_t)32U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(privKey, privKeyAsFelem); + uint64_t + flag = + ecdsa_signature_core(( + (Spec_ECDSA_hash_alg_ecdsa){ .tag = Spec_ECDSA_Hash, ._0 = Spec_Hash_Definitions_SHA2_256 } + ), + r, + s, + mLen, + m, + privKeyAsFelem, + k); + Hacl_Impl_P256_LowLevel_changeEndian(r); + Hacl_Impl_P256_LowLevel_toUint8(r, resultR); + Hacl_Impl_P256_LowLevel_changeEndian(s); + Hacl_Impl_P256_LowLevel_toUint8(s, resultS); + return flag == (uint64_t)0U; +} + +/* +Hash the message with SHA2-384, then sign the resulting digest with the P256 signature function. + +Input: result buffer: uint8[64], + m buffer: uint8 [mLen], + priv(ate)Key: uint8[32], + k (nonce): uint32[32]. + + Output: bool, where True stands for the correct signature generation. False value means that an error has occurred. + + The private key and the nonce are expected to be more than 0 and less than the curve order. 
+*/ +bool +Hacl_P256_ecdsa_sign_p256_sha384( + uint8_t *result, + uint32_t mLen, + uint8_t *m, + uint8_t *privKey, + uint8_t *k +) +{ + uint64_t privKeyAsFelem[4U] = { 0U }; + uint64_t r[4U] = { 0U }; + uint64_t s[4U] = { 0U }; + uint8_t *resultR = result; + uint8_t *resultS = result + (uint32_t)32U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(privKey, privKeyAsFelem); + uint64_t + flag = + ecdsa_signature_core(( + (Spec_ECDSA_hash_alg_ecdsa){ .tag = Spec_ECDSA_Hash, ._0 = Spec_Hash_Definitions_SHA2_384 } + ), + r, + s, + mLen, + m, + privKeyAsFelem, + k); + Hacl_Impl_P256_LowLevel_changeEndian(r); + Hacl_Impl_P256_LowLevel_toUint8(r, resultR); + Hacl_Impl_P256_LowLevel_changeEndian(s); + Hacl_Impl_P256_LowLevel_toUint8(s, resultS); + return flag == (uint64_t)0U; +} + +/* +Hash the message with SHA2-512, then sign the resulting digest with the P256 signature function. + +Input: result buffer: uint8[64], + m buffer: uint8 [mLen], + priv(ate)Key: uint8[32], + k (nonce): uint32[32]. + + Output: bool, where True stands for the correct signature generation. False value means that an error has occurred. + + The private key and the nonce are expected to be more than 0 and less than the curve order. 
+*/ +bool +Hacl_P256_ecdsa_sign_p256_sha512( + uint8_t *result, + uint32_t mLen, + uint8_t *m, + uint8_t *privKey, + uint8_t *k +) +{ + uint64_t privKeyAsFelem[4U] = { 0U }; + uint64_t r[4U] = { 0U }; + uint64_t s[4U] = { 0U }; + uint8_t *resultR = result; + uint8_t *resultS = result + (uint32_t)32U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(privKey, privKeyAsFelem); + uint64_t + flag = + ecdsa_signature_core(( + (Spec_ECDSA_hash_alg_ecdsa){ .tag = Spec_ECDSA_Hash, ._0 = Spec_Hash_Definitions_SHA2_512 } + ), + r, + s, + mLen, + m, + privKeyAsFelem, + k); + Hacl_Impl_P256_LowLevel_changeEndian(r); + Hacl_Impl_P256_LowLevel_toUint8(r, resultR); + Hacl_Impl_P256_LowLevel_changeEndian(s); + Hacl_Impl_P256_LowLevel_toUint8(s, resultS); + return flag == (uint64_t)0U; +} + +/* +P256 signature WITHOUT hashing first. + +This function is intended to receive a hash of the input. For convenience, we +recommend using one of the hash-and-sign combined functions above. + +The argument `m` MUST be at least 32 bytes (i.e. `mLen >= 32`). + +NOTE: The equivalent functions in OpenSSL and Fiat-Crypto both accept inputs +smaller than 32 bytes. These libraries left-pad the input with enough zeroes to +reach the minimum 32 byte size. Clients who need behavior identical to OpenSSL +need to perform the left-padding themselves. + +Input: result buffer: uint8[64], + m buffer: uint8 [mLen], + priv(ate)Key: uint8[32], + k (nonce): uint32[32]. + + Output: bool, where True stands for the correct signature generation. False value means that an error has occurred. + + The private key and the nonce are expected to be more than 0 and less than the curve order. + + The message m is expected to be hashed by a strong hash function, the lenght of the message is expected to be 32 bytes and more. 
+*/ +bool +Hacl_P256_ecdsa_sign_p256_without_hash( + uint8_t *result, + uint32_t mLen, + uint8_t *m, + uint8_t *privKey, + uint8_t *k +) +{ + uint64_t privKeyAsFelem[4U] = { 0U }; + uint64_t r[4U] = { 0U }; + uint64_t s[4U] = { 0U }; + uint8_t *resultR = result; + uint8_t *resultS = result + (uint32_t)32U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(privKey, privKeyAsFelem); + uint64_t + flag = + ecdsa_signature_core(((Spec_ECDSA_hash_alg_ecdsa){ .tag = Spec_ECDSA_NoHash }), + r, + s, + mLen, + m, + privKeyAsFelem, + k); + Hacl_Impl_P256_LowLevel_changeEndian(r); + Hacl_Impl_P256_LowLevel_toUint8(r, resultR); + Hacl_Impl_P256_LowLevel_changeEndian(s); + Hacl_Impl_P256_LowLevel_toUint8(s, resultS); + return flag == (uint64_t)0U; +} + + +/****************/ +/* Verification */ +/****************/ + +/* + Verify a message signature. These functions internally validate the public key using validate_public_key. +*/ + + +/* + The input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over the input. + + Input: m buffer: uint8 [mLen], + pub(lic)Key: uint8[64], + r: uint8[32], + s: uint8[32]. + + Output: bool, where true stands for the correct signature verification. 
+*/ +bool +Hacl_P256_ecdsa_verif_p256_sha2( + uint32_t mLen, + uint8_t *m, + uint8_t *pubKey, + uint8_t *r, + uint8_t *s +) +{ + uint64_t publicKeyAsFelem[8U] = { 0U }; + uint64_t *publicKeyFelemX = publicKeyAsFelem; + uint64_t *publicKeyFelemY = publicKeyAsFelem + (uint32_t)4U; + uint64_t rAsFelem[4U] = { 0U }; + uint64_t sAsFelem[4U] = { 0U }; + uint8_t *pubKeyX = pubKey; + uint8_t *pubKeyY = pubKey + (uint32_t)32U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyX, publicKeyFelemX); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyY, publicKeyFelemY); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(r, rAsFelem); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(s, sAsFelem); + bool + result = + ecdsa_verification_(( + (Spec_ECDSA_hash_alg_ecdsa){ .tag = Spec_ECDSA_Hash, ._0 = Spec_Hash_Definitions_SHA2_256 } + ), + publicKeyAsFelem, + rAsFelem, + sAsFelem, + mLen, + m); + return result; +} + +/* + The input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over the input. + + Input: m buffer: uint8 [mLen], + pub(lic)Key: uint8[64], + r: uint8[32], + s: uint8[32]. + + Output: bool, where true stands for the correct signature verification. 
+*/ +bool +Hacl_P256_ecdsa_verif_p256_sha384( + uint32_t mLen, + uint8_t *m, + uint8_t *pubKey, + uint8_t *r, + uint8_t *s +) +{ + uint64_t publicKeyAsFelem[8U] = { 0U }; + uint64_t *publicKeyFelemX = publicKeyAsFelem; + uint64_t *publicKeyFelemY = publicKeyAsFelem + (uint32_t)4U; + uint64_t rAsFelem[4U] = { 0U }; + uint64_t sAsFelem[4U] = { 0U }; + uint8_t *pubKeyX = pubKey; + uint8_t *pubKeyY = pubKey + (uint32_t)32U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyX, publicKeyFelemX); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyY, publicKeyFelemY); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(r, rAsFelem); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(s, sAsFelem); + bool + result = + ecdsa_verification_(( + (Spec_ECDSA_hash_alg_ecdsa){ .tag = Spec_ECDSA_Hash, ._0 = Spec_Hash_Definitions_SHA2_384 } + ), + publicKeyAsFelem, + rAsFelem, + sAsFelem, + mLen, + m); + return result; +} + +/* + The input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over the input. + + Input: m buffer: uint8 [mLen], + pub(lic)Key: uint8[64], + r: uint8[32], + s: uint8[32]. + + Output: bool, where true stands for the correct signature verification. 
+*/ +bool +Hacl_P256_ecdsa_verif_p256_sha512( + uint32_t mLen, + uint8_t *m, + uint8_t *pubKey, + uint8_t *r, + uint8_t *s +) +{ + uint64_t publicKeyAsFelem[8U] = { 0U }; + uint64_t *publicKeyFelemX = publicKeyAsFelem; + uint64_t *publicKeyFelemY = publicKeyAsFelem + (uint32_t)4U; + uint64_t rAsFelem[4U] = { 0U }; + uint64_t sAsFelem[4U] = { 0U }; + uint8_t *pubKeyX = pubKey; + uint8_t *pubKeyY = pubKey + (uint32_t)32U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyX, publicKeyFelemX); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyY, publicKeyFelemY); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(r, rAsFelem); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(s, sAsFelem); + bool + result = + ecdsa_verification_(( + (Spec_ECDSA_hash_alg_ecdsa){ .tag = Spec_ECDSA_Hash, ._0 = Spec_Hash_Definitions_SHA2_512 } + ), + publicKeyAsFelem, + rAsFelem, + sAsFelem, + mLen, + m); + return result; +} + +/* + The input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over the input. + + Input: m buffer: uint8 [mLen], + pub(lic)Key: uint8[64], + r: uint8[32], + s: uint8[32]. + + Output: bool, where true stands for the correct signature verification. + + The message m is expected to be hashed by a strong hash function, the lenght of the message is expected to be 32 bytes and more. 
+*/ +bool +Hacl_P256_ecdsa_verif_without_hash( + uint32_t mLen, + uint8_t *m, + uint8_t *pubKey, + uint8_t *r, + uint8_t *s +) +{ + uint64_t publicKeyAsFelem[8U] = { 0U }; + uint64_t *publicKeyFelemX = publicKeyAsFelem; + uint64_t *publicKeyFelemY = publicKeyAsFelem + (uint32_t)4U; + uint64_t rAsFelem[4U] = { 0U }; + uint64_t sAsFelem[4U] = { 0U }; + uint8_t *pubKeyX = pubKey; + uint8_t *pubKeyY = pubKey + (uint32_t)32U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyX, publicKeyFelemX); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyY, publicKeyFelemY); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(r, rAsFelem); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(s, sAsFelem); + bool + result = + ecdsa_verification_(((Spec_ECDSA_hash_alg_ecdsa){ .tag = Spec_ECDSA_NoHash }), + publicKeyAsFelem, + rAsFelem, + sAsFelem, + mLen, + m); + return result; +} + + +/******************/ +/* Key validation */ +/******************/ + + +/* +Validate a public key. + + + The input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over the input. + + Input: pub(lic)Key: uint8[64]. + + Output: bool, where 0 stands for the public key to be correct with respect to SP 800-56A: + Verify that the public key is not the “point at infinity”, represented as O. + Verify that the affine x and y coordinates of the point represented by the public key are in the range [0, p – 1] where p is the prime defining the finite field. + Verify that y2 = x3 + ax + b where a and b are the coefficients of the curve equation. + Verify that nQ = O (the point at infinity), where n is the order of the curve and Q is the public key point. 
+ + The last extract is taken from : https://neilmadden.blog/2017/05/17/so-how-do-you-validate-nist-ecdh-public-keys/ +*/ +bool Hacl_P256_validate_public_key(uint8_t *pubKey) +{ + uint8_t *pubKeyX = pubKey; + uint8_t *pubKeyY = pubKey + (uint32_t)32U; + uint64_t tempBuffer[120U] = { 0U }; + uint64_t *tempBufferV = tempBuffer; + uint64_t *publicKeyJ = tempBuffer + (uint32_t)100U; + uint64_t *publicKeyB = tempBuffer + (uint32_t)112U; + uint64_t *publicKeyX = publicKeyB; + uint64_t *publicKeyY = publicKeyB + (uint32_t)4U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyX, publicKeyX); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyY, publicKeyY); + bufferToJac(publicKeyB, publicKeyJ); + bool r = verifyQValidCurvePoint(publicKeyJ, tempBufferV); + return r; +} + +/* +Validate a private key, e.g. prior to signing. + +Input: scalar: uint8[32]. + + Output: bool, where true stands for the scalar to be more than 0 and less than order. +*/ +bool Hacl_P256_validate_private_key(uint8_t *x) +{ + return isMoreThanZeroLessThanOrder(x); +} + + +/*****************************************/ +/* Point representations and conversions */ +/*****************************************/ + +/* + Elliptic curve points have 2 32-byte coordinates (x, y) and can be represented in 3 ways: + + - "raw" form (64 bytes): the concatenation of the 2 coordinates, also known as "internal" + - "compressed" form (33 bytes): first the sign byte of y (either 0x02 or 0x03), followed by x + - "uncompressed" form (65 bytes): first a constant byte (always 0x04), followed by the "raw" form + + For all of the conversation functions below, the input and output MUST NOT overlap. +*/ + + +/* +Convert 65-byte uncompressed to raw. + +The function errors out if the first byte is incorrect, or if the resulting point is invalid. + + + + Input: a point in not compressed form (uint8[65]), + result: uint8[64] (internal point representation). + + Output: bool, where true stands for the correct decompression. 
+ +*/ +bool Hacl_P256_uncompressed_to_raw(uint8_t *b, uint8_t *result) +{ + uint8_t compressionIdentifier = b[0U]; + bool correctIdentifier = (uint8_t)4U == compressionIdentifier; + if (correctIdentifier) + { + memcpy(result, b + (uint32_t)1U, (uint32_t)64U * sizeof (uint8_t)); + } + return correctIdentifier; +} + +/* +Convert 33-byte compressed to raw. + +The function errors out if the first byte is incorrect, or if the resulting point is invalid. + +Input: a point in compressed form (uint8[33]), + result: uint8[64] (internal point representation). + + Output: bool, where true stands for the correct decompression. + +*/ +bool Hacl_P256_compressed_to_raw(uint8_t *b, uint8_t *result) +{ + uint64_t temp[8U] = { 0U }; + uint64_t *t0 = temp; + uint64_t *t1 = temp + (uint32_t)4U; + uint8_t compressedIdentifier = b[0U]; + uint8_t correctIdentifier2 = FStar_UInt8_eq_mask((uint8_t)2U, compressedIdentifier); + uint8_t correctIdentifier3 = FStar_UInt8_eq_mask((uint8_t)3U, compressedIdentifier); + uint8_t isIdentifierCorrect = correctIdentifier2 | correctIdentifier3; + bool flag = isIdentifierCorrect == (uint8_t)255U; + if (flag) + { + uint8_t *x = b + (uint32_t)1U; + memcpy(result, x, (uint32_t)32U * sizeof (uint8_t)); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(x, t0); + uint64_t tempBuffer[4U] = { 0U }; + uint64_t carry = sub4_il(t0, prime256_buffer, tempBuffer); + bool lessThanPrimeXCoordinate = carry == (uint64_t)1U; + if (!lessThanPrimeXCoordinate) + { + return false; + } + uint64_t multBuffer[8U] = { 0U }; + shift_256_impl(t0, multBuffer); + solinas_reduction_impl(multBuffer, t0); + uint64_t identifierBit = (uint64_t)(compressedIdentifier & (uint8_t)1U); + computeYFromX(t0, t1, identifierBit); + Hacl_Impl_P256_LowLevel_changeEndian(t1); + Hacl_Impl_P256_LowLevel_toUint8(t1, result + (uint32_t)32U); + return true; + } + return false; +} + +/* +Convert raw to 65-byte uncompressed. + +This function effectively prepends a 0x04 byte. 
+ +Input: a point buffer (internal representation: uint8[64]), + result: a point in not compressed form (uint8[65]). +*/ +void Hacl_P256_raw_to_uncompressed(uint8_t *b, uint8_t *result) +{ + uint8_t *to = result + (uint32_t)1U; + memcpy(to, b, (uint32_t)64U * sizeof (uint8_t)); + result[0U] = (uint8_t)4U; +} + +/* +Convert raw to 33-byte compressed. + + Input: `b`, the pointer buffer in internal representation, of type `uint8[64]` + Output: `result`, a point in compressed form, of type `uint8[33]` + +*/ +void Hacl_P256_raw_to_compressed(uint8_t *b, uint8_t *result) +{ + uint8_t *y = b + (uint32_t)32U; + uint8_t lastWordY = y[31U]; + uint8_t lastBitY = lastWordY & (uint8_t)1U; + uint8_t identifier = lastBitY + (uint8_t)2U; + memcpy(result + (uint32_t)1U, b, (uint32_t)32U * sizeof (uint8_t)); + result[0U] = identifier; +} + + +/******************/ +/* ECDH agreement */ +/******************/ + +/* +Convert a private key into a raw public key. + +This function performs no key validation. + + Input: `scalar`, the private key, of type `uint8[32]`. + Output: `result`, the public key, of type `uint8[64]`. + Returns: + - `true`, for success, meaning the public key is not a point at infinity + - `false`, otherwise. + + `scalar` and `result` MUST NOT overlap. 
+*/ +bool Hacl_P256_dh_initiator(uint8_t *result, uint8_t *scalar) +{ + uint64_t tempBuffer[100U] = { 0U }; + uint64_t resultBuffer[12U] = { 0U }; + uint64_t *resultBufferX = resultBuffer; + uint64_t *resultBufferY = resultBuffer + (uint32_t)4U; + uint8_t *resultX = result; + uint8_t *resultY = result + (uint32_t)32U; + Hacl_Impl_P256_Core_secretToPublic(resultBuffer, scalar, tempBuffer); + uint64_t flag = Hacl_Impl_P256_Core_isPointAtInfinityPrivate(resultBuffer); + Hacl_Impl_P256_LowLevel_changeEndian(resultBufferX); + Hacl_Impl_P256_LowLevel_changeEndian(resultBufferY); + Hacl_Impl_P256_LowLevel_toUint8(resultBufferX, resultX); + Hacl_Impl_P256_LowLevel_toUint8(resultBufferY, resultY); + return flag == (uint64_t)0U; +} + +/* +ECDH key agreement. + +This function takes a 32-byte secret key, another party's 64-byte raw public +key, and computeds the 64-byte ECDH shared key. + +This function ONLY validates the public key. + + The pub(lic)_key input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over this variable. + + Input: result: uint8[64], + pub(lic)Key: uint8[64], + scalar: uint8[32]. + + Output: bool, where True stands for the correct key generation. False value means that an error has occurred (possibly the provided public key was incorrect or the result represents point at infinity). 
+ +*/ +bool Hacl_P256_dh_responder(uint8_t *result, uint8_t *pubKey, uint8_t *scalar) +{ + uint64_t resultBufferFelem[12U] = { 0U }; + uint64_t *resultBufferFelemX = resultBufferFelem; + uint64_t *resultBufferFelemY = resultBufferFelem + (uint32_t)4U; + uint8_t *resultX = result; + uint8_t *resultY = result + (uint32_t)32U; + uint64_t publicKeyAsFelem[8U] = { 0U }; + uint64_t *publicKeyFelemX = publicKeyAsFelem; + uint64_t *publicKeyFelemY = publicKeyAsFelem + (uint32_t)4U; + uint8_t *pubKeyX = pubKey; + uint8_t *pubKeyY = pubKey + (uint32_t)32U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyX, publicKeyFelemX); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyY, publicKeyFelemY); + uint64_t flag = Hacl_Impl_P256_DH__ecp256dh_r(resultBufferFelem, publicKeyAsFelem, scalar); + Hacl_Impl_P256_LowLevel_changeEndian(resultBufferFelemX); + Hacl_Impl_P256_LowLevel_changeEndian(resultBufferFelemY); + Hacl_Impl_P256_LowLevel_toUint8(resultBufferFelemX, resultX); + Hacl_Impl_P256_LowLevel_toUint8(resultBufferFelemY, resultY); + return flag == (uint64_t)0U; +} + diff --git a/src/Hacl_Poly1305_128.c b/src/Hacl_Poly1305_128.c new file mode 100644 index 00000000..46f6e187 --- /dev/null +++ b/src/Hacl_Poly1305_128.c 
@@ -0,0 +1,1632 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Poly1305_128.h" + + + +void +Hacl_Impl_Poly1305_Field32xN_128_load_acc2(Lib_IntVector_Intrinsics_vec128 *acc, uint8_t *b) +{ + Lib_IntVector_Intrinsics_vec128 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + Lib_IntVector_Intrinsics_vec128 b1 = Lib_IntVector_Intrinsics_vec128_load64_le(b); + Lib_IntVector_Intrinsics_vec128 + b2 = Lib_IntVector_Intrinsics_vec128_load64_le(b + (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 lo = Lib_IntVector_Intrinsics_vec128_interleave_low64(b1, b2); + Lib_IntVector_Intrinsics_vec128 hi = Lib_IntVector_Intrinsics_vec128_interleave_high64(b1, b2); + Lib_IntVector_Intrinsics_vec128 + f00 = + Lib_IntVector_Intrinsics_vec128_and(lo, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f10 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(lo, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f20 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(lo, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(hi, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(hi, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(hi, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f02 = f00; + Lib_IntVector_Intrinsics_vec128 f12 = f10; + Lib_IntVector_Intrinsics_vec128 f22 = f20; + Lib_IntVector_Intrinsics_vec128 f32 = f30; + Lib_IntVector_Intrinsics_vec128 f42 = f40; + e[0U] = f02; + e[1U] = f12; + e[2U] = f22; + e[3U] = f32; + e[4U] = f42; + uint64_t b10 = 
(uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b10); + Lib_IntVector_Intrinsics_vec128 f43 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec128_or(f43, mask); + Lib_IntVector_Intrinsics_vec128 acc0 = acc[0U]; + Lib_IntVector_Intrinsics_vec128 acc1 = acc[1U]; + Lib_IntVector_Intrinsics_vec128 acc2 = acc[2U]; + Lib_IntVector_Intrinsics_vec128 acc3 = acc[3U]; + Lib_IntVector_Intrinsics_vec128 acc4 = acc[4U]; + Lib_IntVector_Intrinsics_vec128 e0 = e[0U]; + Lib_IntVector_Intrinsics_vec128 e1 = e[1U]; + Lib_IntVector_Intrinsics_vec128 e2 = e[2U]; + Lib_IntVector_Intrinsics_vec128 e3 = e[3U]; + Lib_IntVector_Intrinsics_vec128 e4 = e[4U]; + Lib_IntVector_Intrinsics_vec128 + f0 = Lib_IntVector_Intrinsics_vec128_insert64(acc0, (uint64_t)0U, (uint32_t)1U); + Lib_IntVector_Intrinsics_vec128 + f1 = Lib_IntVector_Intrinsics_vec128_insert64(acc1, (uint64_t)0U, (uint32_t)1U); + Lib_IntVector_Intrinsics_vec128 + f2 = Lib_IntVector_Intrinsics_vec128_insert64(acc2, (uint64_t)0U, (uint32_t)1U); + Lib_IntVector_Intrinsics_vec128 + f3 = Lib_IntVector_Intrinsics_vec128_insert64(acc3, (uint64_t)0U, (uint32_t)1U); + Lib_IntVector_Intrinsics_vec128 + f4 = Lib_IntVector_Intrinsics_vec128_insert64(acc4, (uint64_t)0U, (uint32_t)1U); + Lib_IntVector_Intrinsics_vec128 f01 = Lib_IntVector_Intrinsics_vec128_add64(f0, e0); + Lib_IntVector_Intrinsics_vec128 f11 = Lib_IntVector_Intrinsics_vec128_add64(f1, e1); + Lib_IntVector_Intrinsics_vec128 f21 = Lib_IntVector_Intrinsics_vec128_add64(f2, e2); + Lib_IntVector_Intrinsics_vec128 f31 = Lib_IntVector_Intrinsics_vec128_add64(f3, e3); + Lib_IntVector_Intrinsics_vec128 f41 = Lib_IntVector_Intrinsics_vec128_add64(f4, e4); + Lib_IntVector_Intrinsics_vec128 acc01 = f01; + Lib_IntVector_Intrinsics_vec128 acc11 = f11; + Lib_IntVector_Intrinsics_vec128 acc21 = f21; + Lib_IntVector_Intrinsics_vec128 acc31 = f31; + Lib_IntVector_Intrinsics_vec128 acc41 = f41; + acc[0U] = acc01; + acc[1U] = acc11; + acc[2U] = 
acc21; + acc[3U] = acc31; + acc[4U] = acc41; +} + +void +Hacl_Impl_Poly1305_Field32xN_128_fmul_r2_normalize( + Lib_IntVector_Intrinsics_vec128 *out, + Lib_IntVector_Intrinsics_vec128 *p +) +{ + Lib_IntVector_Intrinsics_vec128 *r = p; + Lib_IntVector_Intrinsics_vec128 *r2 = p + (uint32_t)10U; + Lib_IntVector_Intrinsics_vec128 a0 = out[0U]; + Lib_IntVector_Intrinsics_vec128 a1 = out[1U]; + Lib_IntVector_Intrinsics_vec128 a2 = out[2U]; + Lib_IntVector_Intrinsics_vec128 a3 = out[3U]; + Lib_IntVector_Intrinsics_vec128 a4 = out[4U]; + Lib_IntVector_Intrinsics_vec128 r10 = r[0U]; + Lib_IntVector_Intrinsics_vec128 r11 = r[1U]; + Lib_IntVector_Intrinsics_vec128 r12 = r[2U]; + Lib_IntVector_Intrinsics_vec128 r13 = r[3U]; + Lib_IntVector_Intrinsics_vec128 r14 = r[4U]; + Lib_IntVector_Intrinsics_vec128 r20 = r2[0U]; + Lib_IntVector_Intrinsics_vec128 r21 = r2[1U]; + Lib_IntVector_Intrinsics_vec128 r22 = r2[2U]; + Lib_IntVector_Intrinsics_vec128 r23 = r2[3U]; + Lib_IntVector_Intrinsics_vec128 r24 = r2[4U]; + Lib_IntVector_Intrinsics_vec128 + r201 = Lib_IntVector_Intrinsics_vec128_interleave_low64(r20, r10); + Lib_IntVector_Intrinsics_vec128 + r211 = Lib_IntVector_Intrinsics_vec128_interleave_low64(r21, r11); + Lib_IntVector_Intrinsics_vec128 + r221 = Lib_IntVector_Intrinsics_vec128_interleave_low64(r22, r12); + Lib_IntVector_Intrinsics_vec128 + r231 = Lib_IntVector_Intrinsics_vec128_interleave_low64(r23, r13); + Lib_IntVector_Intrinsics_vec128 + r241 = Lib_IntVector_Intrinsics_vec128_interleave_low64(r24, r14); + Lib_IntVector_Intrinsics_vec128 + r251 = Lib_IntVector_Intrinsics_vec128_smul64(r211, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec128 + r252 = Lib_IntVector_Intrinsics_vec128_smul64(r221, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec128 + r253 = Lib_IntVector_Intrinsics_vec128_smul64(r231, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec128 + r254 = Lib_IntVector_Intrinsics_vec128_smul64(r241, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec128 a01 = 
Lib_IntVector_Intrinsics_vec128_mul64(r201, a0); + Lib_IntVector_Intrinsics_vec128 a11 = Lib_IntVector_Intrinsics_vec128_mul64(r211, a0); + Lib_IntVector_Intrinsics_vec128 a21 = Lib_IntVector_Intrinsics_vec128_mul64(r221, a0); + Lib_IntVector_Intrinsics_vec128 a31 = Lib_IntVector_Intrinsics_vec128_mul64(r231, a0); + Lib_IntVector_Intrinsics_vec128 a41 = Lib_IntVector_Intrinsics_vec128_mul64(r241, a0); + Lib_IntVector_Intrinsics_vec128 + a02 = + Lib_IntVector_Intrinsics_vec128_add64(a01, + Lib_IntVector_Intrinsics_vec128_mul64(r254, a1)); + Lib_IntVector_Intrinsics_vec128 + a12 = + Lib_IntVector_Intrinsics_vec128_add64(a11, + Lib_IntVector_Intrinsics_vec128_mul64(r201, a1)); + Lib_IntVector_Intrinsics_vec128 + a22 = + Lib_IntVector_Intrinsics_vec128_add64(a21, + Lib_IntVector_Intrinsics_vec128_mul64(r211, a1)); + Lib_IntVector_Intrinsics_vec128 + a32 = + Lib_IntVector_Intrinsics_vec128_add64(a31, + Lib_IntVector_Intrinsics_vec128_mul64(r221, a1)); + Lib_IntVector_Intrinsics_vec128 + a42 = + Lib_IntVector_Intrinsics_vec128_add64(a41, + Lib_IntVector_Intrinsics_vec128_mul64(r231, a1)); + Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r253, a2)); + Lib_IntVector_Intrinsics_vec128 + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r254, a2)); + Lib_IntVector_Intrinsics_vec128 + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r201, a2)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r211, a2)); + Lib_IntVector_Intrinsics_vec128 + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r221, a2)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r252, a3)); + Lib_IntVector_Intrinsics_vec128 + a14 = + 
Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r253, a3)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r254, a3)); + Lib_IntVector_Intrinsics_vec128 + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r201, a3)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r211, a3)); + Lib_IntVector_Intrinsics_vec128 + a05 = + Lib_IntVector_Intrinsics_vec128_add64(a04, + Lib_IntVector_Intrinsics_vec128_mul64(r251, a4)); + Lib_IntVector_Intrinsics_vec128 + a15 = + Lib_IntVector_Intrinsics_vec128_add64(a14, + Lib_IntVector_Intrinsics_vec128_mul64(r252, a4)); + Lib_IntVector_Intrinsics_vec128 + a25 = + Lib_IntVector_Intrinsics_vec128_add64(a24, + Lib_IntVector_Intrinsics_vec128_mul64(r253, a4)); + Lib_IntVector_Intrinsics_vec128 + a35 = + Lib_IntVector_Intrinsics_vec128_add64(a34, + Lib_IntVector_Intrinsics_vec128_mul64(r254, a4)); + Lib_IntVector_Intrinsics_vec128 + a45 = + Lib_IntVector_Intrinsics_vec128_add64(a44, + Lib_IntVector_Intrinsics_vec128_mul64(r201, a4)); + Lib_IntVector_Intrinsics_vec128 t0 = a05; + Lib_IntVector_Intrinsics_vec128 t1 = a15; + Lib_IntVector_Intrinsics_vec128 t2 = a25; + Lib_IntVector_Intrinsics_vec128 t3 = a35; + Lib_IntVector_Intrinsics_vec128 t4 = a45; + Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t0, mask26); + Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = 
Lib_IntVector_Intrinsics_vec128_add64(t1, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + Lib_IntVector_Intrinsics_vec128 o0 = x02; + Lib_IntVector_Intrinsics_vec128 o10 = x12; + Lib_IntVector_Intrinsics_vec128 o20 = x21; + Lib_IntVector_Intrinsics_vec128 o30 = x32; + Lib_IntVector_Intrinsics_vec128 o40 = x42; + 
Lib_IntVector_Intrinsics_vec128 + o01 = + Lib_IntVector_Intrinsics_vec128_add64(o0, + Lib_IntVector_Intrinsics_vec128_interleave_high64(o0, o0)); + Lib_IntVector_Intrinsics_vec128 + o11 = + Lib_IntVector_Intrinsics_vec128_add64(o10, + Lib_IntVector_Intrinsics_vec128_interleave_high64(o10, o10)); + Lib_IntVector_Intrinsics_vec128 + o21 = + Lib_IntVector_Intrinsics_vec128_add64(o20, + Lib_IntVector_Intrinsics_vec128_interleave_high64(o20, o20)); + Lib_IntVector_Intrinsics_vec128 + o31 = + Lib_IntVector_Intrinsics_vec128_add64(o30, + Lib_IntVector_Intrinsics_vec128_interleave_high64(o30, o30)); + Lib_IntVector_Intrinsics_vec128 + o41 = + Lib_IntVector_Intrinsics_vec128_add64(o40, + Lib_IntVector_Intrinsics_vec128_interleave_high64(o40, o40)); + Lib_IntVector_Intrinsics_vec128 + l = Lib_IntVector_Intrinsics_vec128_add64(o01, Lib_IntVector_Intrinsics_vec128_zero); + Lib_IntVector_Intrinsics_vec128 + tmp0 = + Lib_IntVector_Intrinsics_vec128_and(l, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c0 = Lib_IntVector_Intrinsics_vec128_shift_right64(l, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l0 = Lib_IntVector_Intrinsics_vec128_add64(o11, c0); + Lib_IntVector_Intrinsics_vec128 + tmp1 = + Lib_IntVector_Intrinsics_vec128_and(l0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c1 = Lib_IntVector_Intrinsics_vec128_shift_right64(l0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l1 = Lib_IntVector_Intrinsics_vec128_add64(o21, c1); + Lib_IntVector_Intrinsics_vec128 + tmp2 = + Lib_IntVector_Intrinsics_vec128_and(l1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c2 = Lib_IntVector_Intrinsics_vec128_shift_right64(l1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l2 = Lib_IntVector_Intrinsics_vec128_add64(o31, c2); + Lib_IntVector_Intrinsics_vec128 + tmp3 = + Lib_IntVector_Intrinsics_vec128_and(l2, + 
Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c3 = Lib_IntVector_Intrinsics_vec128_shift_right64(l2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l3 = Lib_IntVector_Intrinsics_vec128_add64(o41, c3); + Lib_IntVector_Intrinsics_vec128 + tmp4 = + Lib_IntVector_Intrinsics_vec128_and(l3, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c4 = Lib_IntVector_Intrinsics_vec128_shift_right64(l3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + o00 = + Lib_IntVector_Intrinsics_vec128_add64(tmp0, + Lib_IntVector_Intrinsics_vec128_smul64(c4, (uint64_t)5U)); + Lib_IntVector_Intrinsics_vec128 o1 = tmp1; + Lib_IntVector_Intrinsics_vec128 o2 = tmp2; + Lib_IntVector_Intrinsics_vec128 o3 = tmp3; + Lib_IntVector_Intrinsics_vec128 o4 = tmp4; + out[0U] = o00; + out[1U] = o1; + out[2U] = o2; + out[3U] = o3; + out[4U] = o4; +} + +uint32_t Hacl_Poly1305_128_blocklen = (uint32_t)16U; + +void Hacl_Poly1305_128_poly1305_init(Lib_IntVector_Intrinsics_vec128 *ctx, uint8_t *key) +{ + Lib_IntVector_Intrinsics_vec128 *acc = ctx; + Lib_IntVector_Intrinsics_vec128 *pre = ctx + (uint32_t)5U; + uint8_t *kr = key; + acc[0U] = Lib_IntVector_Intrinsics_vec128_zero; + acc[1U] = Lib_IntVector_Intrinsics_vec128_zero; + acc[2U] = Lib_IntVector_Intrinsics_vec128_zero; + acc[3U] = Lib_IntVector_Intrinsics_vec128_zero; + acc[4U] = Lib_IntVector_Intrinsics_vec128_zero; + uint64_t u0 = load64_le(kr); + uint64_t lo = u0; + uint64_t u = load64_le(kr + (uint32_t)8U); + uint64_t hi = u; + uint64_t mask0 = (uint64_t)0x0ffffffc0fffffffU; + uint64_t mask1 = (uint64_t)0x0ffffffc0ffffffcU; + uint64_t lo1 = lo & mask0; + uint64_t hi1 = hi & mask1; + Lib_IntVector_Intrinsics_vec128 *r = pre; + Lib_IntVector_Intrinsics_vec128 *r5 = pre + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 *rn = pre + (uint32_t)10U; + Lib_IntVector_Intrinsics_vec128 *rn_5 = pre + (uint32_t)15U; + Lib_IntVector_Intrinsics_vec128 r_vec0 = 
Lib_IntVector_Intrinsics_vec128_load64(lo1); + Lib_IntVector_Intrinsics_vec128 r_vec1 = Lib_IntVector_Intrinsics_vec128_load64(hi1); + Lib_IntVector_Intrinsics_vec128 + f00 = + Lib_IntVector_Intrinsics_vec128_and(r_vec0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f15 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(r_vec0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f20 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(r_vec0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(r_vec1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(r_vec1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(r_vec1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f0 = f00; + Lib_IntVector_Intrinsics_vec128 f1 = f15; + Lib_IntVector_Intrinsics_vec128 f2 = f20; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f4 = f40; + r[0U] = f0; + r[1U] = f1; + r[2U] = f2; + r[3U] = f3; + r[4U] = f4; + Lib_IntVector_Intrinsics_vec128 f200 = r[0U]; + Lib_IntVector_Intrinsics_vec128 f210 = r[1U]; + Lib_IntVector_Intrinsics_vec128 f220 = r[2U]; + Lib_IntVector_Intrinsics_vec128 f230 = r[3U]; + Lib_IntVector_Intrinsics_vec128 f240 = r[4U]; + r5[0U] = Lib_IntVector_Intrinsics_vec128_smul64(f200, (uint64_t)5U); + r5[1U] = Lib_IntVector_Intrinsics_vec128_smul64(f210, (uint64_t)5U); + r5[2U] = Lib_IntVector_Intrinsics_vec128_smul64(f220, (uint64_t)5U); + r5[3U] = Lib_IntVector_Intrinsics_vec128_smul64(f230, (uint64_t)5U); + r5[4U] = 
Lib_IntVector_Intrinsics_vec128_smul64(f240, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec128 r0 = r[0U]; + Lib_IntVector_Intrinsics_vec128 r1 = r[1U]; + Lib_IntVector_Intrinsics_vec128 r2 = r[2U]; + Lib_IntVector_Intrinsics_vec128 r3 = r[3U]; + Lib_IntVector_Intrinsics_vec128 r4 = r[4U]; + Lib_IntVector_Intrinsics_vec128 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec128 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec128 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec128 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec128 f10 = r[0U]; + Lib_IntVector_Intrinsics_vec128 f11 = r[1U]; + Lib_IntVector_Intrinsics_vec128 f12 = r[2U]; + Lib_IntVector_Intrinsics_vec128 f13 = r[3U]; + Lib_IntVector_Intrinsics_vec128 f14 = r[4U]; + Lib_IntVector_Intrinsics_vec128 a0 = Lib_IntVector_Intrinsics_vec128_mul64(r0, f10); + Lib_IntVector_Intrinsics_vec128 a1 = Lib_IntVector_Intrinsics_vec128_mul64(r1, f10); + Lib_IntVector_Intrinsics_vec128 a2 = Lib_IntVector_Intrinsics_vec128_mul64(r2, f10); + Lib_IntVector_Intrinsics_vec128 a3 = Lib_IntVector_Intrinsics_vec128_mul64(r3, f10); + Lib_IntVector_Intrinsics_vec128 a4 = Lib_IntVector_Intrinsics_vec128_mul64(r4, f10); + Lib_IntVector_Intrinsics_vec128 + a01 = + Lib_IntVector_Intrinsics_vec128_add64(a0, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f11)); + Lib_IntVector_Intrinsics_vec128 + a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, Lib_IntVector_Intrinsics_vec128_mul64(r0, f11)); + Lib_IntVector_Intrinsics_vec128 + a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, Lib_IntVector_Intrinsics_vec128_mul64(r1, f11)); + Lib_IntVector_Intrinsics_vec128 + a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, Lib_IntVector_Intrinsics_vec128_mul64(r2, f11)); + Lib_IntVector_Intrinsics_vec128 + a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, Lib_IntVector_Intrinsics_vec128_mul64(r3, f11)); + Lib_IntVector_Intrinsics_vec128 + a02 = + Lib_IntVector_Intrinsics_vec128_add64(a01, + Lib_IntVector_Intrinsics_vec128_mul64(r53, f12)); + Lib_IntVector_Intrinsics_vec128 + 
a12 = + Lib_IntVector_Intrinsics_vec128_add64(a11, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f12)); + Lib_IntVector_Intrinsics_vec128 + a22 = + Lib_IntVector_Intrinsics_vec128_add64(a21, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f12)); + Lib_IntVector_Intrinsics_vec128 + a32 = + Lib_IntVector_Intrinsics_vec128_add64(a31, + Lib_IntVector_Intrinsics_vec128_mul64(r1, f12)); + Lib_IntVector_Intrinsics_vec128 + a42 = + Lib_IntVector_Intrinsics_vec128_add64(a41, + Lib_IntVector_Intrinsics_vec128_mul64(r2, f12)); + Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r52, f13)); + Lib_IntVector_Intrinsics_vec128 + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r53, f13)); + Lib_IntVector_Intrinsics_vec128 + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f13)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f13)); + Lib_IntVector_Intrinsics_vec128 + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r1, f13)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r51, f14)); + Lib_IntVector_Intrinsics_vec128 + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r52, f14)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r53, f14)); + Lib_IntVector_Intrinsics_vec128 + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f14)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f14)); + Lib_IntVector_Intrinsics_vec128 t0 = a04; + Lib_IntVector_Intrinsics_vec128 t1 = a14; + 
Lib_IntVector_Intrinsics_vec128 t2 = a24; + Lib_IntVector_Intrinsics_vec128 t3 = a34; + Lib_IntVector_Intrinsics_vec128 t4 = a44; + Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t0, mask26); + Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t1, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 x31 = 
Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + Lib_IntVector_Intrinsics_vec128 o0 = x02; + Lib_IntVector_Intrinsics_vec128 o1 = x12; + Lib_IntVector_Intrinsics_vec128 o2 = x21; + Lib_IntVector_Intrinsics_vec128 o3 = x32; + Lib_IntVector_Intrinsics_vec128 o4 = x42; + rn[0U] = o0; + rn[1U] = o1; + rn[2U] = o2; + rn[3U] = o3; + rn[4U] = o4; + Lib_IntVector_Intrinsics_vec128 f201 = rn[0U]; + Lib_IntVector_Intrinsics_vec128 f21 = rn[1U]; + Lib_IntVector_Intrinsics_vec128 f22 = rn[2U]; + Lib_IntVector_Intrinsics_vec128 f23 = rn[3U]; + Lib_IntVector_Intrinsics_vec128 f24 = rn[4U]; + rn_5[0U] = Lib_IntVector_Intrinsics_vec128_smul64(f201, (uint64_t)5U); + rn_5[1U] = Lib_IntVector_Intrinsics_vec128_smul64(f21, (uint64_t)5U); + rn_5[2U] = Lib_IntVector_Intrinsics_vec128_smul64(f22, (uint64_t)5U); + rn_5[3U] = Lib_IntVector_Intrinsics_vec128_smul64(f23, (uint64_t)5U); + rn_5[4U] = Lib_IntVector_Intrinsics_vec128_smul64(f24, (uint64_t)5U); +} + +void Hacl_Poly1305_128_poly1305_update1(Lib_IntVector_Intrinsics_vec128 *ctx, uint8_t *text) +{ + Lib_IntVector_Intrinsics_vec128 *pre = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 *acc = ctx; + Lib_IntVector_Intrinsics_vec128 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + uint64_t u0 = load64_le(text); + uint64_t lo = u0; + uint64_t u = load64_le(text + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec128 f0 = Lib_IntVector_Intrinsics_vec128_load64(lo); + Lib_IntVector_Intrinsics_vec128 f1 = Lib_IntVector_Intrinsics_vec128_load64(hi); + Lib_IntVector_Intrinsics_vec128 + f010 = + 
Lib_IntVector_Intrinsics_vec128_and(f0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f110 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f20 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(f1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f01 = f010; + Lib_IntVector_Intrinsics_vec128 f111 = f110; + Lib_IntVector_Intrinsics_vec128 f2 = f20; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b); + Lib_IntVector_Intrinsics_vec128 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec128_or(f4, mask); + Lib_IntVector_Intrinsics_vec128 *r = pre; + Lib_IntVector_Intrinsics_vec128 *r5 = pre + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 r0 = r[0U]; + Lib_IntVector_Intrinsics_vec128 r1 = r[1U]; + Lib_IntVector_Intrinsics_vec128 r2 = r[2U]; + Lib_IntVector_Intrinsics_vec128 r3 = r[3U]; + Lib_IntVector_Intrinsics_vec128 r4 = r[4U]; + Lib_IntVector_Intrinsics_vec128 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec128 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec128 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec128 r54 = 
r5[4U]; + Lib_IntVector_Intrinsics_vec128 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec128 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec128 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec128 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec128 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec128 a0 = acc[0U]; + Lib_IntVector_Intrinsics_vec128 a1 = acc[1U]; + Lib_IntVector_Intrinsics_vec128 a2 = acc[2U]; + Lib_IntVector_Intrinsics_vec128 a3 = acc[3U]; + Lib_IntVector_Intrinsics_vec128 a4 = acc[4U]; + Lib_IntVector_Intrinsics_vec128 a01 = Lib_IntVector_Intrinsics_vec128_add64(a0, f10); + Lib_IntVector_Intrinsics_vec128 a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, f11); + Lib_IntVector_Intrinsics_vec128 a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, f12); + Lib_IntVector_Intrinsics_vec128 a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, f13); + Lib_IntVector_Intrinsics_vec128 a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, f14); + Lib_IntVector_Intrinsics_vec128 a02 = Lib_IntVector_Intrinsics_vec128_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec128 a12 = Lib_IntVector_Intrinsics_vec128_mul64(r1, a01); + Lib_IntVector_Intrinsics_vec128 a22 = Lib_IntVector_Intrinsics_vec128_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec128 a32 = Lib_IntVector_Intrinsics_vec128_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec128 a42 = Lib_IntVector_Intrinsics_vec128_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec128 + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec128 + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a11)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec128 + a43 = + 
Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec128 + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec128 + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a21)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec128 + a05 = + Lib_IntVector_Intrinsics_vec128_add64(a04, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec128 + a15 = + Lib_IntVector_Intrinsics_vec128_add64(a14, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec128 + a25 = + Lib_IntVector_Intrinsics_vec128_add64(a24, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec128 + a35 = + Lib_IntVector_Intrinsics_vec128_add64(a34, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec128 + a45 = + Lib_IntVector_Intrinsics_vec128_add64(a44, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a31)); + Lib_IntVector_Intrinsics_vec128 + a06 = + Lib_IntVector_Intrinsics_vec128_add64(a05, + Lib_IntVector_Intrinsics_vec128_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec128 + a16 = + Lib_IntVector_Intrinsics_vec128_add64(a15, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec128 + a26 = + Lib_IntVector_Intrinsics_vec128_add64(a25, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec128 + a36 = + Lib_IntVector_Intrinsics_vec128_add64(a35, + 
Lib_IntVector_Intrinsics_vec128_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec128 + a46 = + Lib_IntVector_Intrinsics_vec128_add64(a45, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec128 t0 = a06; + Lib_IntVector_Intrinsics_vec128 t1 = a16; + Lib_IntVector_Intrinsics_vec128 t2 = a26; + Lib_IntVector_Intrinsics_vec128 t3 = a36; + Lib_IntVector_Intrinsics_vec128 t4 = a46; + Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t0, mask26); + Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t1, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = 
Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + Lib_IntVector_Intrinsics_vec128 o0 = x02; + Lib_IntVector_Intrinsics_vec128 o1 = x12; + Lib_IntVector_Intrinsics_vec128 o2 = x21; + Lib_IntVector_Intrinsics_vec128 o3 = x32; + Lib_IntVector_Intrinsics_vec128 o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; +} + +void +Hacl_Poly1305_128_poly1305_update( + Lib_IntVector_Intrinsics_vec128 *ctx, + uint32_t len, + uint8_t *text +) +{ + Lib_IntVector_Intrinsics_vec128 *pre = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 *acc = ctx; + uint32_t sz_block = (uint32_t)32U; + uint32_t len0 = len / sz_block * sz_block; + uint8_t *t0 = text; + if (len0 > (uint32_t)0U) + { + uint32_t bs = (uint32_t)32U; + uint8_t *text0 = t0; + Hacl_Impl_Poly1305_Field32xN_128_load_acc2(acc, text0); + uint32_t len1 = len0 - bs; + uint8_t *text1 = t0 + bs; + uint32_t nb = len1 / bs; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = text1 + i * bs; + Lib_IntVector_Intrinsics_vec128 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + Lib_IntVector_Intrinsics_vec128 b1 = Lib_IntVector_Intrinsics_vec128_load64_le(block); + Lib_IntVector_Intrinsics_vec128 + b2 = Lib_IntVector_Intrinsics_vec128_load64_le(block + (uint32_t)16U); + 
Lib_IntVector_Intrinsics_vec128 lo = Lib_IntVector_Intrinsics_vec128_interleave_low64(b1, b2); + Lib_IntVector_Intrinsics_vec128 + hi = Lib_IntVector_Intrinsics_vec128_interleave_high64(b1, b2); + Lib_IntVector_Intrinsics_vec128 + f00 = + Lib_IntVector_Intrinsics_vec128_and(lo, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f15 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(lo, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f25 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(lo, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(hi, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(hi, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(hi, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f0 = f00; + Lib_IntVector_Intrinsics_vec128 f1 = f15; + Lib_IntVector_Intrinsics_vec128 f2 = f25; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f41 = f40; + e[0U] = f0; + e[1U] = f1; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b); + Lib_IntVector_Intrinsics_vec128 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec128_or(f4, mask); + Lib_IntVector_Intrinsics_vec128 *rn = pre + (uint32_t)10U; + Lib_IntVector_Intrinsics_vec128 *rn5 = pre + (uint32_t)15U; + Lib_IntVector_Intrinsics_vec128 r0 = rn[0U]; + Lib_IntVector_Intrinsics_vec128 r1 = rn[1U]; + Lib_IntVector_Intrinsics_vec128 r2 = rn[2U]; + 
Lib_IntVector_Intrinsics_vec128 r3 = rn[3U]; + Lib_IntVector_Intrinsics_vec128 r4 = rn[4U]; + Lib_IntVector_Intrinsics_vec128 r51 = rn5[1U]; + Lib_IntVector_Intrinsics_vec128 r52 = rn5[2U]; + Lib_IntVector_Intrinsics_vec128 r53 = rn5[3U]; + Lib_IntVector_Intrinsics_vec128 r54 = rn5[4U]; + Lib_IntVector_Intrinsics_vec128 f10 = acc[0U]; + Lib_IntVector_Intrinsics_vec128 f110 = acc[1U]; + Lib_IntVector_Intrinsics_vec128 f120 = acc[2U]; + Lib_IntVector_Intrinsics_vec128 f130 = acc[3U]; + Lib_IntVector_Intrinsics_vec128 f140 = acc[4U]; + Lib_IntVector_Intrinsics_vec128 a0 = Lib_IntVector_Intrinsics_vec128_mul64(r0, f10); + Lib_IntVector_Intrinsics_vec128 a1 = Lib_IntVector_Intrinsics_vec128_mul64(r1, f10); + Lib_IntVector_Intrinsics_vec128 a2 = Lib_IntVector_Intrinsics_vec128_mul64(r2, f10); + Lib_IntVector_Intrinsics_vec128 a3 = Lib_IntVector_Intrinsics_vec128_mul64(r3, f10); + Lib_IntVector_Intrinsics_vec128 a4 = Lib_IntVector_Intrinsics_vec128_mul64(r4, f10); + Lib_IntVector_Intrinsics_vec128 + a01 = + Lib_IntVector_Intrinsics_vec128_add64(a0, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f110)); + Lib_IntVector_Intrinsics_vec128 + a11 = + Lib_IntVector_Intrinsics_vec128_add64(a1, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f110)); + Lib_IntVector_Intrinsics_vec128 + a21 = + Lib_IntVector_Intrinsics_vec128_add64(a2, + Lib_IntVector_Intrinsics_vec128_mul64(r1, f110)); + Lib_IntVector_Intrinsics_vec128 + a31 = + Lib_IntVector_Intrinsics_vec128_add64(a3, + Lib_IntVector_Intrinsics_vec128_mul64(r2, f110)); + Lib_IntVector_Intrinsics_vec128 + a41 = + Lib_IntVector_Intrinsics_vec128_add64(a4, + Lib_IntVector_Intrinsics_vec128_mul64(r3, f110)); + Lib_IntVector_Intrinsics_vec128 + a02 = + Lib_IntVector_Intrinsics_vec128_add64(a01, + Lib_IntVector_Intrinsics_vec128_mul64(r53, f120)); + Lib_IntVector_Intrinsics_vec128 + a12 = + Lib_IntVector_Intrinsics_vec128_add64(a11, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f120)); + Lib_IntVector_Intrinsics_vec128 + a22 = + 
Lib_IntVector_Intrinsics_vec128_add64(a21, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f120)); + Lib_IntVector_Intrinsics_vec128 + a32 = + Lib_IntVector_Intrinsics_vec128_add64(a31, + Lib_IntVector_Intrinsics_vec128_mul64(r1, f120)); + Lib_IntVector_Intrinsics_vec128 + a42 = + Lib_IntVector_Intrinsics_vec128_add64(a41, + Lib_IntVector_Intrinsics_vec128_mul64(r2, f120)); + Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r52, f130)); + Lib_IntVector_Intrinsics_vec128 + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r53, f130)); + Lib_IntVector_Intrinsics_vec128 + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f130)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f130)); + Lib_IntVector_Intrinsics_vec128 + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r1, f130)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r51, f140)); + Lib_IntVector_Intrinsics_vec128 + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r52, f140)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r53, f140)); + Lib_IntVector_Intrinsics_vec128 + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f140)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f140)); + Lib_IntVector_Intrinsics_vec128 t01 = a04; + Lib_IntVector_Intrinsics_vec128 t1 = a14; + Lib_IntVector_Intrinsics_vec128 t2 = a24; + Lib_IntVector_Intrinsics_vec128 t3 = a34; + Lib_IntVector_Intrinsics_vec128 t4 = a44; + 
Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t01, mask26); + Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t1, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, 
z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + Lib_IntVector_Intrinsics_vec128 o00 = x02; + Lib_IntVector_Intrinsics_vec128 o10 = x12; + Lib_IntVector_Intrinsics_vec128 o20 = x21; + Lib_IntVector_Intrinsics_vec128 o30 = x32; + Lib_IntVector_Intrinsics_vec128 o40 = x42; + acc[0U] = o00; + acc[1U] = o10; + acc[2U] = o20; + acc[3U] = o30; + acc[4U] = o40; + Lib_IntVector_Intrinsics_vec128 f100 = acc[0U]; + Lib_IntVector_Intrinsics_vec128 f11 = acc[1U]; + Lib_IntVector_Intrinsics_vec128 f12 = acc[2U]; + Lib_IntVector_Intrinsics_vec128 f13 = acc[3U]; + Lib_IntVector_Intrinsics_vec128 f14 = acc[4U]; + Lib_IntVector_Intrinsics_vec128 f20 = e[0U]; + Lib_IntVector_Intrinsics_vec128 f21 = e[1U]; + Lib_IntVector_Intrinsics_vec128 f22 = e[2U]; + Lib_IntVector_Intrinsics_vec128 f23 = e[3U]; + Lib_IntVector_Intrinsics_vec128 f24 = e[4U]; + Lib_IntVector_Intrinsics_vec128 o0 = Lib_IntVector_Intrinsics_vec128_add64(f100, f20); + Lib_IntVector_Intrinsics_vec128 o1 = Lib_IntVector_Intrinsics_vec128_add64(f11, f21); + Lib_IntVector_Intrinsics_vec128 o2 = Lib_IntVector_Intrinsics_vec128_add64(f12, f22); + Lib_IntVector_Intrinsics_vec128 o3 = Lib_IntVector_Intrinsics_vec128_add64(f13, f23); + Lib_IntVector_Intrinsics_vec128 o4 = Lib_IntVector_Intrinsics_vec128_add64(f14, f24); + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + } + Hacl_Impl_Poly1305_Field32xN_128_fmul_r2_normalize(acc, pre); + } + uint32_t len1 = len - len0; + uint8_t *t1 = text + len0; + uint32_t nb = len1 / (uint32_t)16U; + uint32_t rem = len1 % (uint32_t)16U; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = t1 + i * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec128 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) 
+ e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + uint64_t u0 = load64_le(block); + uint64_t lo = u0; + uint64_t u = load64_le(block + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec128 f0 = Lib_IntVector_Intrinsics_vec128_load64(lo); + Lib_IntVector_Intrinsics_vec128 f1 = Lib_IntVector_Intrinsics_vec128_load64(hi); + Lib_IntVector_Intrinsics_vec128 + f010 = + Lib_IntVector_Intrinsics_vec128_and(f0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f110 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f20 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(f1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f01 = f010; + Lib_IntVector_Intrinsics_vec128 f111 = f110; + Lib_IntVector_Intrinsics_vec128 f2 = f20; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b); + Lib_IntVector_Intrinsics_vec128 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec128_or(f4, mask); + Lib_IntVector_Intrinsics_vec128 *r = pre; + Lib_IntVector_Intrinsics_vec128 *r5 = pre + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 r0 
= r[0U]; + Lib_IntVector_Intrinsics_vec128 r1 = r[1U]; + Lib_IntVector_Intrinsics_vec128 r2 = r[2U]; + Lib_IntVector_Intrinsics_vec128 r3 = r[3U]; + Lib_IntVector_Intrinsics_vec128 r4 = r[4U]; + Lib_IntVector_Intrinsics_vec128 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec128 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec128 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec128 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec128 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec128 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec128 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec128 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec128 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec128 a0 = acc[0U]; + Lib_IntVector_Intrinsics_vec128 a1 = acc[1U]; + Lib_IntVector_Intrinsics_vec128 a2 = acc[2U]; + Lib_IntVector_Intrinsics_vec128 a3 = acc[3U]; + Lib_IntVector_Intrinsics_vec128 a4 = acc[4U]; + Lib_IntVector_Intrinsics_vec128 a01 = Lib_IntVector_Intrinsics_vec128_add64(a0, f10); + Lib_IntVector_Intrinsics_vec128 a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, f11); + Lib_IntVector_Intrinsics_vec128 a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, f12); + Lib_IntVector_Intrinsics_vec128 a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, f13); + Lib_IntVector_Intrinsics_vec128 a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, f14); + Lib_IntVector_Intrinsics_vec128 a02 = Lib_IntVector_Intrinsics_vec128_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec128 a12 = Lib_IntVector_Intrinsics_vec128_mul64(r1, a01); + Lib_IntVector_Intrinsics_vec128 a22 = Lib_IntVector_Intrinsics_vec128_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec128 a32 = Lib_IntVector_Intrinsics_vec128_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec128 a42 = Lib_IntVector_Intrinsics_vec128_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec128 + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + 
Lib_IntVector_Intrinsics_vec128_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec128 + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a11)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec128 + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec128 + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec128 + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a21)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec128 + a05 = + Lib_IntVector_Intrinsics_vec128_add64(a04, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec128 + a15 = + Lib_IntVector_Intrinsics_vec128_add64(a14, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec128 + a25 = + Lib_IntVector_Intrinsics_vec128_add64(a24, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec128 + a35 = + Lib_IntVector_Intrinsics_vec128_add64(a34, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec128 + a45 = + Lib_IntVector_Intrinsics_vec128_add64(a44, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a31)); + Lib_IntVector_Intrinsics_vec128 + a06 = + Lib_IntVector_Intrinsics_vec128_add64(a05, + Lib_IntVector_Intrinsics_vec128_mul64(r51, a41)); + 
Lib_IntVector_Intrinsics_vec128 + a16 = + Lib_IntVector_Intrinsics_vec128_add64(a15, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec128 + a26 = + Lib_IntVector_Intrinsics_vec128_add64(a25, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec128 + a36 = + Lib_IntVector_Intrinsics_vec128_add64(a35, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec128 + a46 = + Lib_IntVector_Intrinsics_vec128_add64(a45, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec128 t01 = a06; + Lib_IntVector_Intrinsics_vec128 t11 = a16; + Lib_IntVector_Intrinsics_vec128 t2 = a26; + Lib_IntVector_Intrinsics_vec128 t3 = a36; + Lib_IntVector_Intrinsics_vec128 t4 = a46; + Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t01, mask26); + Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t11, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 x41 = 
Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + Lib_IntVector_Intrinsics_vec128 o0 = x02; + Lib_IntVector_Intrinsics_vec128 o1 = x12; + Lib_IntVector_Intrinsics_vec128 o2 = x21; + Lib_IntVector_Intrinsics_vec128 o3 = x32; + Lib_IntVector_Intrinsics_vec128 o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + } + if (rem > (uint32_t)0U) + { + uint8_t *last = t1 + nb * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec128 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + uint8_t tmp[16U] = { 0U }; + memcpy(tmp, last, rem * sizeof (uint8_t)); + uint64_t u0 = load64_le(tmp); + uint64_t lo = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec128 f0 = Lib_IntVector_Intrinsics_vec128_load64(lo); + Lib_IntVector_Intrinsics_vec128 f1 = Lib_IntVector_Intrinsics_vec128_load64(hi); + Lib_IntVector_Intrinsics_vec128 + f010 
= + Lib_IntVector_Intrinsics_vec128_and(f0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f110 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f20 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(f1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f01 = f010; + Lib_IntVector_Intrinsics_vec128 f111 = f110; + Lib_IntVector_Intrinsics_vec128 f2 = f20; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f4 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f4; + uint64_t b = (uint64_t)1U << rem * (uint32_t)8U % (uint32_t)26U; + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b); + Lib_IntVector_Intrinsics_vec128 fi = e[rem * (uint32_t)8U / (uint32_t)26U]; + e[rem * (uint32_t)8U / (uint32_t)26U] = Lib_IntVector_Intrinsics_vec128_or(fi, mask); + Lib_IntVector_Intrinsics_vec128 *r = pre; + Lib_IntVector_Intrinsics_vec128 *r5 = pre + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 r0 = r[0U]; + Lib_IntVector_Intrinsics_vec128 r1 = r[1U]; + Lib_IntVector_Intrinsics_vec128 r2 = r[2U]; + Lib_IntVector_Intrinsics_vec128 r3 = r[3U]; + Lib_IntVector_Intrinsics_vec128 r4 = r[4U]; + Lib_IntVector_Intrinsics_vec128 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec128 r52 = 
r5[2U]; + Lib_IntVector_Intrinsics_vec128 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec128 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec128 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec128 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec128 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec128 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec128 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec128 a0 = acc[0U]; + Lib_IntVector_Intrinsics_vec128 a1 = acc[1U]; + Lib_IntVector_Intrinsics_vec128 a2 = acc[2U]; + Lib_IntVector_Intrinsics_vec128 a3 = acc[3U]; + Lib_IntVector_Intrinsics_vec128 a4 = acc[4U]; + Lib_IntVector_Intrinsics_vec128 a01 = Lib_IntVector_Intrinsics_vec128_add64(a0, f10); + Lib_IntVector_Intrinsics_vec128 a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, f11); + Lib_IntVector_Intrinsics_vec128 a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, f12); + Lib_IntVector_Intrinsics_vec128 a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, f13); + Lib_IntVector_Intrinsics_vec128 a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, f14); + Lib_IntVector_Intrinsics_vec128 a02 = Lib_IntVector_Intrinsics_vec128_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec128 a12 = Lib_IntVector_Intrinsics_vec128_mul64(r1, a01); + Lib_IntVector_Intrinsics_vec128 a22 = Lib_IntVector_Intrinsics_vec128_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec128 a32 = Lib_IntVector_Intrinsics_vec128_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec128 a42 = Lib_IntVector_Intrinsics_vec128_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec128 + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec128 + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a11)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + 
Lib_IntVector_Intrinsics_vec128_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec128 + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec128 + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec128 + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a21)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec128 + a05 = + Lib_IntVector_Intrinsics_vec128_add64(a04, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec128 + a15 = + Lib_IntVector_Intrinsics_vec128_add64(a14, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec128 + a25 = + Lib_IntVector_Intrinsics_vec128_add64(a24, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec128 + a35 = + Lib_IntVector_Intrinsics_vec128_add64(a34, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec128 + a45 = + Lib_IntVector_Intrinsics_vec128_add64(a44, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a31)); + Lib_IntVector_Intrinsics_vec128 + a06 = + Lib_IntVector_Intrinsics_vec128_add64(a05, + Lib_IntVector_Intrinsics_vec128_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec128 + a16 = + Lib_IntVector_Intrinsics_vec128_add64(a15, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec128 + a26 = + Lib_IntVector_Intrinsics_vec128_add64(a25, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a41)); + 
Lib_IntVector_Intrinsics_vec128 + a36 = + Lib_IntVector_Intrinsics_vec128_add64(a35, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec128 + a46 = + Lib_IntVector_Intrinsics_vec128_add64(a45, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec128 t01 = a06; + Lib_IntVector_Intrinsics_vec128 t11 = a16; + Lib_IntVector_Intrinsics_vec128 t2 = a26; + Lib_IntVector_Intrinsics_vec128 t3 = a36; + Lib_IntVector_Intrinsics_vec128 t4 = a46; + Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t01, mask26); + Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t11, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = 
Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + Lib_IntVector_Intrinsics_vec128 o0 = x02; + Lib_IntVector_Intrinsics_vec128 o1 = x12; + Lib_IntVector_Intrinsics_vec128 o2 = x21; + Lib_IntVector_Intrinsics_vec128 o3 = x32; + Lib_IntVector_Intrinsics_vec128 o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + return; + } +} + +void +Hacl_Poly1305_128_poly1305_finish( + uint8_t *tag, + uint8_t *key, + Lib_IntVector_Intrinsics_vec128 *ctx +) +{ + Lib_IntVector_Intrinsics_vec128 *acc = ctx; + uint8_t *ks = key + (uint32_t)16U; + Lib_IntVector_Intrinsics_vec128 f0 = acc[0U]; + Lib_IntVector_Intrinsics_vec128 f13 = acc[1U]; + Lib_IntVector_Intrinsics_vec128 f23 = acc[2U]; + Lib_IntVector_Intrinsics_vec128 f33 = acc[3U]; + Lib_IntVector_Intrinsics_vec128 f40 = acc[4U]; + Lib_IntVector_Intrinsics_vec128 + l0 = Lib_IntVector_Intrinsics_vec128_add64(f0, Lib_IntVector_Intrinsics_vec128_zero); + Lib_IntVector_Intrinsics_vec128 + tmp00 = + Lib_IntVector_Intrinsics_vec128_and(l0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c00 = Lib_IntVector_Intrinsics_vec128_shift_right64(l0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 
l1 = Lib_IntVector_Intrinsics_vec128_add64(f13, c00); + Lib_IntVector_Intrinsics_vec128 + tmp10 = + Lib_IntVector_Intrinsics_vec128_and(l1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c10 = Lib_IntVector_Intrinsics_vec128_shift_right64(l1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l2 = Lib_IntVector_Intrinsics_vec128_add64(f23, c10); + Lib_IntVector_Intrinsics_vec128 + tmp20 = + Lib_IntVector_Intrinsics_vec128_and(l2, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c20 = Lib_IntVector_Intrinsics_vec128_shift_right64(l2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l3 = Lib_IntVector_Intrinsics_vec128_add64(f33, c20); + Lib_IntVector_Intrinsics_vec128 + tmp30 = + Lib_IntVector_Intrinsics_vec128_and(l3, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c30 = Lib_IntVector_Intrinsics_vec128_shift_right64(l3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l4 = Lib_IntVector_Intrinsics_vec128_add64(f40, c30); + Lib_IntVector_Intrinsics_vec128 + tmp40 = + Lib_IntVector_Intrinsics_vec128_and(l4, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c40 = Lib_IntVector_Intrinsics_vec128_shift_right64(l4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + f010 = + Lib_IntVector_Intrinsics_vec128_add64(tmp00, + Lib_IntVector_Intrinsics_vec128_smul64(c40, (uint64_t)5U)); + Lib_IntVector_Intrinsics_vec128 f110 = tmp10; + Lib_IntVector_Intrinsics_vec128 f210 = tmp20; + Lib_IntVector_Intrinsics_vec128 f310 = tmp30; + Lib_IntVector_Intrinsics_vec128 f410 = tmp40; + Lib_IntVector_Intrinsics_vec128 + l = Lib_IntVector_Intrinsics_vec128_add64(f010, Lib_IntVector_Intrinsics_vec128_zero); + Lib_IntVector_Intrinsics_vec128 + tmp0 = + Lib_IntVector_Intrinsics_vec128_and(l, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + 
Lib_IntVector_Intrinsics_vec128 + c0 = Lib_IntVector_Intrinsics_vec128_shift_right64(l, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l5 = Lib_IntVector_Intrinsics_vec128_add64(f110, c0); + Lib_IntVector_Intrinsics_vec128 + tmp1 = + Lib_IntVector_Intrinsics_vec128_and(l5, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c1 = Lib_IntVector_Intrinsics_vec128_shift_right64(l5, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l6 = Lib_IntVector_Intrinsics_vec128_add64(f210, c1); + Lib_IntVector_Intrinsics_vec128 + tmp2 = + Lib_IntVector_Intrinsics_vec128_and(l6, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c2 = Lib_IntVector_Intrinsics_vec128_shift_right64(l6, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l7 = Lib_IntVector_Intrinsics_vec128_add64(f310, c2); + Lib_IntVector_Intrinsics_vec128 + tmp3 = + Lib_IntVector_Intrinsics_vec128_and(l7, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c3 = Lib_IntVector_Intrinsics_vec128_shift_right64(l7, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l8 = Lib_IntVector_Intrinsics_vec128_add64(f410, c3); + Lib_IntVector_Intrinsics_vec128 + tmp4 = + Lib_IntVector_Intrinsics_vec128_and(l8, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c4 = Lib_IntVector_Intrinsics_vec128_shift_right64(l8, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + f02 = + Lib_IntVector_Intrinsics_vec128_add64(tmp0, + Lib_IntVector_Intrinsics_vec128_smul64(c4, (uint64_t)5U)); + Lib_IntVector_Intrinsics_vec128 f12 = tmp1; + Lib_IntVector_Intrinsics_vec128 f22 = tmp2; + Lib_IntVector_Intrinsics_vec128 f32 = tmp3; + Lib_IntVector_Intrinsics_vec128 f42 = tmp4; + Lib_IntVector_Intrinsics_vec128 + mh = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + ml = 
Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffffbU); + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_eq64(f42, mh); + Lib_IntVector_Intrinsics_vec128 + mask1 = + Lib_IntVector_Intrinsics_vec128_and(mask, + Lib_IntVector_Intrinsics_vec128_eq64(f32, mh)); + Lib_IntVector_Intrinsics_vec128 + mask2 = + Lib_IntVector_Intrinsics_vec128_and(mask1, + Lib_IntVector_Intrinsics_vec128_eq64(f22, mh)); + Lib_IntVector_Intrinsics_vec128 + mask3 = + Lib_IntVector_Intrinsics_vec128_and(mask2, + Lib_IntVector_Intrinsics_vec128_eq64(f12, mh)); + Lib_IntVector_Intrinsics_vec128 + mask4 = + Lib_IntVector_Intrinsics_vec128_and(mask3, + Lib_IntVector_Intrinsics_vec128_lognot(Lib_IntVector_Intrinsics_vec128_gt64(ml, f02))); + Lib_IntVector_Intrinsics_vec128 ph = Lib_IntVector_Intrinsics_vec128_and(mask4, mh); + Lib_IntVector_Intrinsics_vec128 pl = Lib_IntVector_Intrinsics_vec128_and(mask4, ml); + Lib_IntVector_Intrinsics_vec128 o0 = Lib_IntVector_Intrinsics_vec128_sub64(f02, pl); + Lib_IntVector_Intrinsics_vec128 o1 = Lib_IntVector_Intrinsics_vec128_sub64(f12, ph); + Lib_IntVector_Intrinsics_vec128 o2 = Lib_IntVector_Intrinsics_vec128_sub64(f22, ph); + Lib_IntVector_Intrinsics_vec128 o3 = Lib_IntVector_Intrinsics_vec128_sub64(f32, ph); + Lib_IntVector_Intrinsics_vec128 o4 = Lib_IntVector_Intrinsics_vec128_sub64(f42, ph); + Lib_IntVector_Intrinsics_vec128 f011 = o0; + Lib_IntVector_Intrinsics_vec128 f111 = o1; + Lib_IntVector_Intrinsics_vec128 f211 = o2; + Lib_IntVector_Intrinsics_vec128 f311 = o3; + Lib_IntVector_Intrinsics_vec128 f411 = o4; + acc[0U] = f011; + acc[1U] = f111; + acc[2U] = f211; + acc[3U] = f311; + acc[4U] = f411; + Lib_IntVector_Intrinsics_vec128 f00 = acc[0U]; + Lib_IntVector_Intrinsics_vec128 f1 = acc[1U]; + Lib_IntVector_Intrinsics_vec128 f2 = acc[2U]; + Lib_IntVector_Intrinsics_vec128 f3 = acc[3U]; + Lib_IntVector_Intrinsics_vec128 f4 = acc[4U]; + uint64_t f01 = Lib_IntVector_Intrinsics_vec128_extract64(f00, (uint32_t)0U); + uint64_t 
f112 = Lib_IntVector_Intrinsics_vec128_extract64(f1, (uint32_t)0U); + uint64_t f212 = Lib_IntVector_Intrinsics_vec128_extract64(f2, (uint32_t)0U); + uint64_t f312 = Lib_IntVector_Intrinsics_vec128_extract64(f3, (uint32_t)0U); + uint64_t f41 = Lib_IntVector_Intrinsics_vec128_extract64(f4, (uint32_t)0U); + uint64_t lo = (f01 | f112 << (uint32_t)26U) | f212 << (uint32_t)52U; + uint64_t hi = (f212 >> (uint32_t)12U | f312 << (uint32_t)14U) | f41 << (uint32_t)40U; + uint64_t f10 = lo; + uint64_t f11 = hi; + uint64_t u0 = load64_le(ks); + uint64_t lo0 = u0; + uint64_t u = load64_le(ks + (uint32_t)8U); + uint64_t hi0 = u; + uint64_t f20 = lo0; + uint64_t f21 = hi0; + uint64_t r0 = f10 + f20; + uint64_t r1 = f11 + f21; + uint64_t c = (r0 ^ ((r0 ^ f20) | ((r0 - f20) ^ f20))) >> (uint32_t)63U; + uint64_t r11 = r1 + c; + uint64_t f30 = r0; + uint64_t f31 = r11; + store64_le(tag, f30); + store64_le(tag + (uint32_t)8U, f31); +} + +void Hacl_Poly1305_128_poly1305_mac(uint8_t *tag, uint32_t len, uint8_t *text, uint8_t *key) +{ + Lib_IntVector_Intrinsics_vec128 ctx[25U]; + for (uint32_t _i = 0U; _i < (uint32_t)25U; ++_i) + ctx[_i] = Lib_IntVector_Intrinsics_vec128_zero; + Hacl_Poly1305_128_poly1305_init(ctx, key); + Hacl_Poly1305_128_poly1305_update(ctx, len, text); + Hacl_Poly1305_128_poly1305_finish(tag, key, ctx); +} + diff --git a/src/Hacl_Poly1305_256.c b/src/Hacl_Poly1305_256.c new file mode 100644 index 00000000..7430d78c --- /dev/null +++ b/src/Hacl_Poly1305_256.c 
@@ -0,0 +1,2103 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Poly1305_256.h" + + + +void +Hacl_Impl_Poly1305_Field32xN_256_load_acc4(Lib_IntVector_Intrinsics_vec256 *acc, uint8_t *b) +{ + Lib_IntVector_Intrinsics_vec256 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 lo = Lib_IntVector_Intrinsics_vec256_load64_le(b); + Lib_IntVector_Intrinsics_vec256 + hi = Lib_IntVector_Intrinsics_vec256_load64_le(b + (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 m0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(lo, hi); + Lib_IntVector_Intrinsics_vec256 + m1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(lo, hi); + Lib_IntVector_Intrinsics_vec256 + m2 = Lib_IntVector_Intrinsics_vec256_shift_right(m0, (uint32_t)48U); + Lib_IntVector_Intrinsics_vec256 + m3 = Lib_IntVector_Intrinsics_vec256_shift_right(m1, (uint32_t)48U); + Lib_IntVector_Intrinsics_vec256 m4 = Lib_IntVector_Intrinsics_vec256_interleave_high64(m0, m1); + Lib_IntVector_Intrinsics_vec256 t0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(m0, m1); + Lib_IntVector_Intrinsics_vec256 t3 = Lib_IntVector_Intrinsics_vec256_interleave_low64(m2, m3); + Lib_IntVector_Intrinsics_vec256 + t2 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)4U); + Lib_IntVector_Intrinsics_vec256 o20 = Lib_IntVector_Intrinsics_vec256_and(t2, mask26); + Lib_IntVector_Intrinsics_vec256 + t1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 o10 = Lib_IntVector_Intrinsics_vec256_and(t1, mask26); + Lib_IntVector_Intrinsics_vec256 o5 = Lib_IntVector_Intrinsics_vec256_and(t0, mask26); + Lib_IntVector_Intrinsics_vec256 + t31 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)30U); + Lib_IntVector_Intrinsics_vec256 o30 = Lib_IntVector_Intrinsics_vec256_and(t31, mask26); + 
Lib_IntVector_Intrinsics_vec256 + o40 = Lib_IntVector_Intrinsics_vec256_shift_right64(m4, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 o0 = o5; + Lib_IntVector_Intrinsics_vec256 o1 = o10; + Lib_IntVector_Intrinsics_vec256 o2 = o20; + Lib_IntVector_Intrinsics_vec256 o3 = o30; + Lib_IntVector_Intrinsics_vec256 o4 = o40; + e[0U] = o0; + e[1U] = o1; + e[2U] = o2; + e[3U] = o3; + e[4U] = o4; + uint64_t b1 = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_load64(b1); + Lib_IntVector_Intrinsics_vec256 f40 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec256_or(f40, mask); + Lib_IntVector_Intrinsics_vec256 acc0 = acc[0U]; + Lib_IntVector_Intrinsics_vec256 acc1 = acc[1U]; + Lib_IntVector_Intrinsics_vec256 acc2 = acc[2U]; + Lib_IntVector_Intrinsics_vec256 acc3 = acc[3U]; + Lib_IntVector_Intrinsics_vec256 acc4 = acc[4U]; + Lib_IntVector_Intrinsics_vec256 e0 = e[0U]; + Lib_IntVector_Intrinsics_vec256 e1 = e[1U]; + Lib_IntVector_Intrinsics_vec256 e2 = e[2U]; + Lib_IntVector_Intrinsics_vec256 e3 = e[3U]; + Lib_IntVector_Intrinsics_vec256 e4 = e[4U]; + Lib_IntVector_Intrinsics_vec256 r0 = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 r1 = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 r2 = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 r3 = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 r4 = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 + r01 = + Lib_IntVector_Intrinsics_vec256_insert64(r0, + Lib_IntVector_Intrinsics_vec256_extract64(acc0, (uint32_t)0U), + (uint32_t)0U); + Lib_IntVector_Intrinsics_vec256 + r11 = + Lib_IntVector_Intrinsics_vec256_insert64(r1, + Lib_IntVector_Intrinsics_vec256_extract64(acc1, (uint32_t)0U), + (uint32_t)0U); + Lib_IntVector_Intrinsics_vec256 + r21 = + Lib_IntVector_Intrinsics_vec256_insert64(r2, + Lib_IntVector_Intrinsics_vec256_extract64(acc2, (uint32_t)0U), + (uint32_t)0U); 
+ Lib_IntVector_Intrinsics_vec256 + r31 = + Lib_IntVector_Intrinsics_vec256_insert64(r3, + Lib_IntVector_Intrinsics_vec256_extract64(acc3, (uint32_t)0U), + (uint32_t)0U); + Lib_IntVector_Intrinsics_vec256 + r41 = + Lib_IntVector_Intrinsics_vec256_insert64(r4, + Lib_IntVector_Intrinsics_vec256_extract64(acc4, (uint32_t)0U), + (uint32_t)0U); + Lib_IntVector_Intrinsics_vec256 f0 = Lib_IntVector_Intrinsics_vec256_add64(r01, e0); + Lib_IntVector_Intrinsics_vec256 f1 = Lib_IntVector_Intrinsics_vec256_add64(r11, e1); + Lib_IntVector_Intrinsics_vec256 f2 = Lib_IntVector_Intrinsics_vec256_add64(r21, e2); + Lib_IntVector_Intrinsics_vec256 f3 = Lib_IntVector_Intrinsics_vec256_add64(r31, e3); + Lib_IntVector_Intrinsics_vec256 f4 = Lib_IntVector_Intrinsics_vec256_add64(r41, e4); + Lib_IntVector_Intrinsics_vec256 acc01 = f0; + Lib_IntVector_Intrinsics_vec256 acc11 = f1; + Lib_IntVector_Intrinsics_vec256 acc21 = f2; + Lib_IntVector_Intrinsics_vec256 acc31 = f3; + Lib_IntVector_Intrinsics_vec256 acc41 = f4; + acc[0U] = acc01; + acc[1U] = acc11; + acc[2U] = acc21; + acc[3U] = acc31; + acc[4U] = acc41; +} + +void +Hacl_Impl_Poly1305_Field32xN_256_fmul_r4_normalize( + Lib_IntVector_Intrinsics_vec256 *out, + Lib_IntVector_Intrinsics_vec256 *p +) +{ + Lib_IntVector_Intrinsics_vec256 *r = p; + Lib_IntVector_Intrinsics_vec256 *r_5 = p + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 *r4 = p + (uint32_t)10U; + Lib_IntVector_Intrinsics_vec256 a0 = out[0U]; + Lib_IntVector_Intrinsics_vec256 a1 = out[1U]; + Lib_IntVector_Intrinsics_vec256 a2 = out[2U]; + Lib_IntVector_Intrinsics_vec256 a3 = out[3U]; + Lib_IntVector_Intrinsics_vec256 a4 = out[4U]; + Lib_IntVector_Intrinsics_vec256 r10 = r[0U]; + Lib_IntVector_Intrinsics_vec256 r11 = r[1U]; + Lib_IntVector_Intrinsics_vec256 r12 = r[2U]; + Lib_IntVector_Intrinsics_vec256 r13 = r[3U]; + Lib_IntVector_Intrinsics_vec256 r14 = r[4U]; + Lib_IntVector_Intrinsics_vec256 r151 = r_5[1U]; + Lib_IntVector_Intrinsics_vec256 r152 = r_5[2U]; + 
Lib_IntVector_Intrinsics_vec256 r153 = r_5[3U]; + Lib_IntVector_Intrinsics_vec256 r154 = r_5[4U]; + Lib_IntVector_Intrinsics_vec256 r40 = r4[0U]; + Lib_IntVector_Intrinsics_vec256 r41 = r4[1U]; + Lib_IntVector_Intrinsics_vec256 r42 = r4[2U]; + Lib_IntVector_Intrinsics_vec256 r43 = r4[3U]; + Lib_IntVector_Intrinsics_vec256 r44 = r4[4U]; + Lib_IntVector_Intrinsics_vec256 a010 = Lib_IntVector_Intrinsics_vec256_mul64(r10, r10); + Lib_IntVector_Intrinsics_vec256 a110 = Lib_IntVector_Intrinsics_vec256_mul64(r11, r10); + Lib_IntVector_Intrinsics_vec256 a210 = Lib_IntVector_Intrinsics_vec256_mul64(r12, r10); + Lib_IntVector_Intrinsics_vec256 a310 = Lib_IntVector_Intrinsics_vec256_mul64(r13, r10); + Lib_IntVector_Intrinsics_vec256 a410 = Lib_IntVector_Intrinsics_vec256_mul64(r14, r10); + Lib_IntVector_Intrinsics_vec256 + a020 = + Lib_IntVector_Intrinsics_vec256_add64(a010, + Lib_IntVector_Intrinsics_vec256_mul64(r154, r11)); + Lib_IntVector_Intrinsics_vec256 + a120 = + Lib_IntVector_Intrinsics_vec256_add64(a110, + Lib_IntVector_Intrinsics_vec256_mul64(r10, r11)); + Lib_IntVector_Intrinsics_vec256 + a220 = + Lib_IntVector_Intrinsics_vec256_add64(a210, + Lib_IntVector_Intrinsics_vec256_mul64(r11, r11)); + Lib_IntVector_Intrinsics_vec256 + a320 = + Lib_IntVector_Intrinsics_vec256_add64(a310, + Lib_IntVector_Intrinsics_vec256_mul64(r12, r11)); + Lib_IntVector_Intrinsics_vec256 + a420 = + Lib_IntVector_Intrinsics_vec256_add64(a410, + Lib_IntVector_Intrinsics_vec256_mul64(r13, r11)); + Lib_IntVector_Intrinsics_vec256 + a030 = + Lib_IntVector_Intrinsics_vec256_add64(a020, + Lib_IntVector_Intrinsics_vec256_mul64(r153, r12)); + Lib_IntVector_Intrinsics_vec256 + a130 = + Lib_IntVector_Intrinsics_vec256_add64(a120, + Lib_IntVector_Intrinsics_vec256_mul64(r154, r12)); + Lib_IntVector_Intrinsics_vec256 + a230 = + Lib_IntVector_Intrinsics_vec256_add64(a220, + Lib_IntVector_Intrinsics_vec256_mul64(r10, r12)); + Lib_IntVector_Intrinsics_vec256 + a330 = + 
Lib_IntVector_Intrinsics_vec256_add64(a320, + Lib_IntVector_Intrinsics_vec256_mul64(r11, r12)); + Lib_IntVector_Intrinsics_vec256 + a430 = + Lib_IntVector_Intrinsics_vec256_add64(a420, + Lib_IntVector_Intrinsics_vec256_mul64(r12, r12)); + Lib_IntVector_Intrinsics_vec256 + a040 = + Lib_IntVector_Intrinsics_vec256_add64(a030, + Lib_IntVector_Intrinsics_vec256_mul64(r152, r13)); + Lib_IntVector_Intrinsics_vec256 + a140 = + Lib_IntVector_Intrinsics_vec256_add64(a130, + Lib_IntVector_Intrinsics_vec256_mul64(r153, r13)); + Lib_IntVector_Intrinsics_vec256 + a240 = + Lib_IntVector_Intrinsics_vec256_add64(a230, + Lib_IntVector_Intrinsics_vec256_mul64(r154, r13)); + Lib_IntVector_Intrinsics_vec256 + a340 = + Lib_IntVector_Intrinsics_vec256_add64(a330, + Lib_IntVector_Intrinsics_vec256_mul64(r10, r13)); + Lib_IntVector_Intrinsics_vec256 + a440 = + Lib_IntVector_Intrinsics_vec256_add64(a430, + Lib_IntVector_Intrinsics_vec256_mul64(r11, r13)); + Lib_IntVector_Intrinsics_vec256 + a050 = + Lib_IntVector_Intrinsics_vec256_add64(a040, + Lib_IntVector_Intrinsics_vec256_mul64(r151, r14)); + Lib_IntVector_Intrinsics_vec256 + a150 = + Lib_IntVector_Intrinsics_vec256_add64(a140, + Lib_IntVector_Intrinsics_vec256_mul64(r152, r14)); + Lib_IntVector_Intrinsics_vec256 + a250 = + Lib_IntVector_Intrinsics_vec256_add64(a240, + Lib_IntVector_Intrinsics_vec256_mul64(r153, r14)); + Lib_IntVector_Intrinsics_vec256 + a350 = + Lib_IntVector_Intrinsics_vec256_add64(a340, + Lib_IntVector_Intrinsics_vec256_mul64(r154, r14)); + Lib_IntVector_Intrinsics_vec256 + a450 = + Lib_IntVector_Intrinsics_vec256_add64(a440, + Lib_IntVector_Intrinsics_vec256_mul64(r10, r14)); + Lib_IntVector_Intrinsics_vec256 t00 = a050; + Lib_IntVector_Intrinsics_vec256 t10 = a150; + Lib_IntVector_Intrinsics_vec256 t20 = a250; + Lib_IntVector_Intrinsics_vec256 t30 = a350; + Lib_IntVector_Intrinsics_vec256 t40 = a450; + Lib_IntVector_Intrinsics_vec256 + mask260 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + 
Lib_IntVector_Intrinsics_vec256 + z00 = Lib_IntVector_Intrinsics_vec256_shift_right64(t00, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z10 = Lib_IntVector_Intrinsics_vec256_shift_right64(t30, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x00 = Lib_IntVector_Intrinsics_vec256_and(t00, mask260); + Lib_IntVector_Intrinsics_vec256 x30 = Lib_IntVector_Intrinsics_vec256_and(t30, mask260); + Lib_IntVector_Intrinsics_vec256 x10 = Lib_IntVector_Intrinsics_vec256_add64(t10, z00); + Lib_IntVector_Intrinsics_vec256 x40 = Lib_IntVector_Intrinsics_vec256_add64(t40, z10); + Lib_IntVector_Intrinsics_vec256 + z010 = Lib_IntVector_Intrinsics_vec256_shift_right64(x10, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z110 = Lib_IntVector_Intrinsics_vec256_shift_right64(x40, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t5 = Lib_IntVector_Intrinsics_vec256_shift_left64(z110, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z110, t5); + Lib_IntVector_Intrinsics_vec256 x110 = Lib_IntVector_Intrinsics_vec256_and(x10, mask260); + Lib_IntVector_Intrinsics_vec256 x410 = Lib_IntVector_Intrinsics_vec256_and(x40, mask260); + Lib_IntVector_Intrinsics_vec256 x20 = Lib_IntVector_Intrinsics_vec256_add64(t20, z010); + Lib_IntVector_Intrinsics_vec256 x010 = Lib_IntVector_Intrinsics_vec256_add64(x00, z12); + Lib_IntVector_Intrinsics_vec256 + z020 = Lib_IntVector_Intrinsics_vec256_shift_right64(x20, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z130 = Lib_IntVector_Intrinsics_vec256_shift_right64(x010, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x210 = Lib_IntVector_Intrinsics_vec256_and(x20, mask260); + Lib_IntVector_Intrinsics_vec256 x020 = Lib_IntVector_Intrinsics_vec256_and(x010, mask260); + Lib_IntVector_Intrinsics_vec256 x310 = Lib_IntVector_Intrinsics_vec256_add64(x30, z020); + Lib_IntVector_Intrinsics_vec256 x120 = Lib_IntVector_Intrinsics_vec256_add64(x110, z130); + Lib_IntVector_Intrinsics_vec256 + z030 = 
Lib_IntVector_Intrinsics_vec256_shift_right64(x310, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x320 = Lib_IntVector_Intrinsics_vec256_and(x310, mask260); + Lib_IntVector_Intrinsics_vec256 x420 = Lib_IntVector_Intrinsics_vec256_add64(x410, z030); + Lib_IntVector_Intrinsics_vec256 r20 = x020; + Lib_IntVector_Intrinsics_vec256 r21 = x120; + Lib_IntVector_Intrinsics_vec256 r22 = x210; + Lib_IntVector_Intrinsics_vec256 r23 = x320; + Lib_IntVector_Intrinsics_vec256 r24 = x420; + Lib_IntVector_Intrinsics_vec256 a011 = Lib_IntVector_Intrinsics_vec256_mul64(r10, r20); + Lib_IntVector_Intrinsics_vec256 a111 = Lib_IntVector_Intrinsics_vec256_mul64(r11, r20); + Lib_IntVector_Intrinsics_vec256 a211 = Lib_IntVector_Intrinsics_vec256_mul64(r12, r20); + Lib_IntVector_Intrinsics_vec256 a311 = Lib_IntVector_Intrinsics_vec256_mul64(r13, r20); + Lib_IntVector_Intrinsics_vec256 a411 = Lib_IntVector_Intrinsics_vec256_mul64(r14, r20); + Lib_IntVector_Intrinsics_vec256 + a021 = + Lib_IntVector_Intrinsics_vec256_add64(a011, + Lib_IntVector_Intrinsics_vec256_mul64(r154, r21)); + Lib_IntVector_Intrinsics_vec256 + a121 = + Lib_IntVector_Intrinsics_vec256_add64(a111, + Lib_IntVector_Intrinsics_vec256_mul64(r10, r21)); + Lib_IntVector_Intrinsics_vec256 + a221 = + Lib_IntVector_Intrinsics_vec256_add64(a211, + Lib_IntVector_Intrinsics_vec256_mul64(r11, r21)); + Lib_IntVector_Intrinsics_vec256 + a321 = + Lib_IntVector_Intrinsics_vec256_add64(a311, + Lib_IntVector_Intrinsics_vec256_mul64(r12, r21)); + Lib_IntVector_Intrinsics_vec256 + a421 = + Lib_IntVector_Intrinsics_vec256_add64(a411, + Lib_IntVector_Intrinsics_vec256_mul64(r13, r21)); + Lib_IntVector_Intrinsics_vec256 + a031 = + Lib_IntVector_Intrinsics_vec256_add64(a021, + Lib_IntVector_Intrinsics_vec256_mul64(r153, r22)); + Lib_IntVector_Intrinsics_vec256 + a131 = + Lib_IntVector_Intrinsics_vec256_add64(a121, + Lib_IntVector_Intrinsics_vec256_mul64(r154, r22)); + Lib_IntVector_Intrinsics_vec256 + a231 = + 
Lib_IntVector_Intrinsics_vec256_add64(a221, + Lib_IntVector_Intrinsics_vec256_mul64(r10, r22)); + Lib_IntVector_Intrinsics_vec256 + a331 = + Lib_IntVector_Intrinsics_vec256_add64(a321, + Lib_IntVector_Intrinsics_vec256_mul64(r11, r22)); + Lib_IntVector_Intrinsics_vec256 + a431 = + Lib_IntVector_Intrinsics_vec256_add64(a421, + Lib_IntVector_Intrinsics_vec256_mul64(r12, r22)); + Lib_IntVector_Intrinsics_vec256 + a041 = + Lib_IntVector_Intrinsics_vec256_add64(a031, + Lib_IntVector_Intrinsics_vec256_mul64(r152, r23)); + Lib_IntVector_Intrinsics_vec256 + a141 = + Lib_IntVector_Intrinsics_vec256_add64(a131, + Lib_IntVector_Intrinsics_vec256_mul64(r153, r23)); + Lib_IntVector_Intrinsics_vec256 + a241 = + Lib_IntVector_Intrinsics_vec256_add64(a231, + Lib_IntVector_Intrinsics_vec256_mul64(r154, r23)); + Lib_IntVector_Intrinsics_vec256 + a341 = + Lib_IntVector_Intrinsics_vec256_add64(a331, + Lib_IntVector_Intrinsics_vec256_mul64(r10, r23)); + Lib_IntVector_Intrinsics_vec256 + a441 = + Lib_IntVector_Intrinsics_vec256_add64(a431, + Lib_IntVector_Intrinsics_vec256_mul64(r11, r23)); + Lib_IntVector_Intrinsics_vec256 + a051 = + Lib_IntVector_Intrinsics_vec256_add64(a041, + Lib_IntVector_Intrinsics_vec256_mul64(r151, r24)); + Lib_IntVector_Intrinsics_vec256 + a151 = + Lib_IntVector_Intrinsics_vec256_add64(a141, + Lib_IntVector_Intrinsics_vec256_mul64(r152, r24)); + Lib_IntVector_Intrinsics_vec256 + a251 = + Lib_IntVector_Intrinsics_vec256_add64(a241, + Lib_IntVector_Intrinsics_vec256_mul64(r153, r24)); + Lib_IntVector_Intrinsics_vec256 + a351 = + Lib_IntVector_Intrinsics_vec256_add64(a341, + Lib_IntVector_Intrinsics_vec256_mul64(r154, r24)); + Lib_IntVector_Intrinsics_vec256 + a451 = + Lib_IntVector_Intrinsics_vec256_add64(a441, + Lib_IntVector_Intrinsics_vec256_mul64(r10, r24)); + Lib_IntVector_Intrinsics_vec256 t01 = a051; + Lib_IntVector_Intrinsics_vec256 t11 = a151; + Lib_IntVector_Intrinsics_vec256 t21 = a251; + Lib_IntVector_Intrinsics_vec256 t31 = a351; + 
Lib_IntVector_Intrinsics_vec256 t41 = a451; + Lib_IntVector_Intrinsics_vec256 + mask261 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z04 = Lib_IntVector_Intrinsics_vec256_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z14 = Lib_IntVector_Intrinsics_vec256_shift_right64(t31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x03 = Lib_IntVector_Intrinsics_vec256_and(t01, mask261); + Lib_IntVector_Intrinsics_vec256 x33 = Lib_IntVector_Intrinsics_vec256_and(t31, mask261); + Lib_IntVector_Intrinsics_vec256 x13 = Lib_IntVector_Intrinsics_vec256_add64(t11, z04); + Lib_IntVector_Intrinsics_vec256 x43 = Lib_IntVector_Intrinsics_vec256_add64(t41, z14); + Lib_IntVector_Intrinsics_vec256 + z011 = Lib_IntVector_Intrinsics_vec256_shift_right64(x13, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z111 = Lib_IntVector_Intrinsics_vec256_shift_right64(x43, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t6 = Lib_IntVector_Intrinsics_vec256_shift_left64(z111, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z120 = Lib_IntVector_Intrinsics_vec256_add64(z111, t6); + Lib_IntVector_Intrinsics_vec256 x111 = Lib_IntVector_Intrinsics_vec256_and(x13, mask261); + Lib_IntVector_Intrinsics_vec256 x411 = Lib_IntVector_Intrinsics_vec256_and(x43, mask261); + Lib_IntVector_Intrinsics_vec256 x22 = Lib_IntVector_Intrinsics_vec256_add64(t21, z011); + Lib_IntVector_Intrinsics_vec256 x011 = Lib_IntVector_Intrinsics_vec256_add64(x03, z120); + Lib_IntVector_Intrinsics_vec256 + z021 = Lib_IntVector_Intrinsics_vec256_shift_right64(x22, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z131 = Lib_IntVector_Intrinsics_vec256_shift_right64(x011, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x211 = Lib_IntVector_Intrinsics_vec256_and(x22, mask261); + Lib_IntVector_Intrinsics_vec256 x021 = Lib_IntVector_Intrinsics_vec256_and(x011, mask261); + Lib_IntVector_Intrinsics_vec256 x311 = 
Lib_IntVector_Intrinsics_vec256_add64(x33, z021); + Lib_IntVector_Intrinsics_vec256 x121 = Lib_IntVector_Intrinsics_vec256_add64(x111, z131); + Lib_IntVector_Intrinsics_vec256 + z031 = Lib_IntVector_Intrinsics_vec256_shift_right64(x311, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x321 = Lib_IntVector_Intrinsics_vec256_and(x311, mask261); + Lib_IntVector_Intrinsics_vec256 x421 = Lib_IntVector_Intrinsics_vec256_add64(x411, z031); + Lib_IntVector_Intrinsics_vec256 r30 = x021; + Lib_IntVector_Intrinsics_vec256 r31 = x121; + Lib_IntVector_Intrinsics_vec256 r32 = x211; + Lib_IntVector_Intrinsics_vec256 r33 = x321; + Lib_IntVector_Intrinsics_vec256 r34 = x421; + Lib_IntVector_Intrinsics_vec256 + v12120 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r20, r10); + Lib_IntVector_Intrinsics_vec256 + v34340 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r40, r30); + Lib_IntVector_Intrinsics_vec256 + r12340 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v34340, v12120); + Lib_IntVector_Intrinsics_vec256 + v12121 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r21, r11); + Lib_IntVector_Intrinsics_vec256 + v34341 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r41, r31); + Lib_IntVector_Intrinsics_vec256 + r12341 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v34341, v12121); + Lib_IntVector_Intrinsics_vec256 + v12122 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r22, r12); + Lib_IntVector_Intrinsics_vec256 + v34342 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r42, r32); + Lib_IntVector_Intrinsics_vec256 + r12342 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v34342, v12122); + Lib_IntVector_Intrinsics_vec256 + v12123 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r23, r13); + Lib_IntVector_Intrinsics_vec256 + v34343 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r43, r33); + Lib_IntVector_Intrinsics_vec256 + r12343 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v34343, v12123); + Lib_IntVector_Intrinsics_vec256 + v12124 
= Lib_IntVector_Intrinsics_vec256_interleave_low64(r24, r14); + Lib_IntVector_Intrinsics_vec256 + v34344 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r44, r34); + Lib_IntVector_Intrinsics_vec256 + r12344 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v34344, v12124); + Lib_IntVector_Intrinsics_vec256 + r123451 = Lib_IntVector_Intrinsics_vec256_smul64(r12341, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec256 + r123452 = Lib_IntVector_Intrinsics_vec256_smul64(r12342, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec256 + r123453 = Lib_IntVector_Intrinsics_vec256_smul64(r12343, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec256 + r123454 = Lib_IntVector_Intrinsics_vec256_smul64(r12344, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec256 a01 = Lib_IntVector_Intrinsics_vec256_mul64(r12340, a0); + Lib_IntVector_Intrinsics_vec256 a11 = Lib_IntVector_Intrinsics_vec256_mul64(r12341, a0); + Lib_IntVector_Intrinsics_vec256 a21 = Lib_IntVector_Intrinsics_vec256_mul64(r12342, a0); + Lib_IntVector_Intrinsics_vec256 a31 = Lib_IntVector_Intrinsics_vec256_mul64(r12343, a0); + Lib_IntVector_Intrinsics_vec256 a41 = Lib_IntVector_Intrinsics_vec256_mul64(r12344, a0); + Lib_IntVector_Intrinsics_vec256 + a02 = + Lib_IntVector_Intrinsics_vec256_add64(a01, + Lib_IntVector_Intrinsics_vec256_mul64(r123454, a1)); + Lib_IntVector_Intrinsics_vec256 + a12 = + Lib_IntVector_Intrinsics_vec256_add64(a11, + Lib_IntVector_Intrinsics_vec256_mul64(r12340, a1)); + Lib_IntVector_Intrinsics_vec256 + a22 = + Lib_IntVector_Intrinsics_vec256_add64(a21, + Lib_IntVector_Intrinsics_vec256_mul64(r12341, a1)); + Lib_IntVector_Intrinsics_vec256 + a32 = + Lib_IntVector_Intrinsics_vec256_add64(a31, + Lib_IntVector_Intrinsics_vec256_mul64(r12342, a1)); + Lib_IntVector_Intrinsics_vec256 + a42 = + Lib_IntVector_Intrinsics_vec256_add64(a41, + Lib_IntVector_Intrinsics_vec256_mul64(r12343, a1)); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + 
Lib_IntVector_Intrinsics_vec256_mul64(r123453, a2)); + Lib_IntVector_Intrinsics_vec256 + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r123454, a2)); + Lib_IntVector_Intrinsics_vec256 + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r12340, a2)); + Lib_IntVector_Intrinsics_vec256 + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r12341, a2)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r12342, a2)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r123452, a3)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r123453, a3)); + Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r123454, a3)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r12340, a3)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r12341, a3)); + Lib_IntVector_Intrinsics_vec256 + a05 = + Lib_IntVector_Intrinsics_vec256_add64(a04, + Lib_IntVector_Intrinsics_vec256_mul64(r123451, a4)); + Lib_IntVector_Intrinsics_vec256 + a15 = + Lib_IntVector_Intrinsics_vec256_add64(a14, + Lib_IntVector_Intrinsics_vec256_mul64(r123452, a4)); + Lib_IntVector_Intrinsics_vec256 + a25 = + Lib_IntVector_Intrinsics_vec256_add64(a24, + Lib_IntVector_Intrinsics_vec256_mul64(r123453, a4)); + Lib_IntVector_Intrinsics_vec256 + a35 = + Lib_IntVector_Intrinsics_vec256_add64(a34, + Lib_IntVector_Intrinsics_vec256_mul64(r123454, a4)); + Lib_IntVector_Intrinsics_vec256 + a45 = + Lib_IntVector_Intrinsics_vec256_add64(a44, + 
Lib_IntVector_Intrinsics_vec256_mul64(r12340, a4)); + Lib_IntVector_Intrinsics_vec256 t0 = a05; + Lib_IntVector_Intrinsics_vec256 t1 = a15; + Lib_IntVector_Intrinsics_vec256 t2 = a25; + Lib_IntVector_Intrinsics_vec256 t3 = a35; + Lib_IntVector_Intrinsics_vec256 t4 = a45; + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_and(t0, mask26); + Lib_IntVector_Intrinsics_vec256 x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t1, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z121 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + Lib_IntVector_Intrinsics_vec256 x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + Lib_IntVector_Intrinsics_vec256 x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z121); + Lib_IntVector_Intrinsics_vec256 + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x21 = 
Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 x12 = Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + Lib_IntVector_Intrinsics_vec256 x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o0 = x02; + Lib_IntVector_Intrinsics_vec256 o10 = x12; + Lib_IntVector_Intrinsics_vec256 o20 = x21; + Lib_IntVector_Intrinsics_vec256 o30 = x32; + Lib_IntVector_Intrinsics_vec256 o40 = x42; + Lib_IntVector_Intrinsics_vec256 + v00 = Lib_IntVector_Intrinsics_vec256_interleave_high128(o0, o0); + Lib_IntVector_Intrinsics_vec256 v10 = Lib_IntVector_Intrinsics_vec256_add64(o0, v00); + Lib_IntVector_Intrinsics_vec256 + v10h = Lib_IntVector_Intrinsics_vec256_interleave_high64(v10, v10); + Lib_IntVector_Intrinsics_vec256 v20 = Lib_IntVector_Intrinsics_vec256_add64(v10, v10h); + Lib_IntVector_Intrinsics_vec256 + v01 = Lib_IntVector_Intrinsics_vec256_interleave_high128(o10, o10); + Lib_IntVector_Intrinsics_vec256 v11 = Lib_IntVector_Intrinsics_vec256_add64(o10, v01); + Lib_IntVector_Intrinsics_vec256 + v11h = Lib_IntVector_Intrinsics_vec256_interleave_high64(v11, v11); + Lib_IntVector_Intrinsics_vec256 v21 = Lib_IntVector_Intrinsics_vec256_add64(v11, v11h); + Lib_IntVector_Intrinsics_vec256 + v02 = Lib_IntVector_Intrinsics_vec256_interleave_high128(o20, o20); + Lib_IntVector_Intrinsics_vec256 v12 = Lib_IntVector_Intrinsics_vec256_add64(o20, v02); + Lib_IntVector_Intrinsics_vec256 + v12h = Lib_IntVector_Intrinsics_vec256_interleave_high64(v12, v12); + Lib_IntVector_Intrinsics_vec256 v22 = Lib_IntVector_Intrinsics_vec256_add64(v12, v12h); + 
Lib_IntVector_Intrinsics_vec256 + v03 = Lib_IntVector_Intrinsics_vec256_interleave_high128(o30, o30); + Lib_IntVector_Intrinsics_vec256 v13 = Lib_IntVector_Intrinsics_vec256_add64(o30, v03); + Lib_IntVector_Intrinsics_vec256 + v13h = Lib_IntVector_Intrinsics_vec256_interleave_high64(v13, v13); + Lib_IntVector_Intrinsics_vec256 v23 = Lib_IntVector_Intrinsics_vec256_add64(v13, v13h); + Lib_IntVector_Intrinsics_vec256 + v04 = Lib_IntVector_Intrinsics_vec256_interleave_high128(o40, o40); + Lib_IntVector_Intrinsics_vec256 v14 = Lib_IntVector_Intrinsics_vec256_add64(o40, v04); + Lib_IntVector_Intrinsics_vec256 + v14h = Lib_IntVector_Intrinsics_vec256_interleave_high64(v14, v14); + Lib_IntVector_Intrinsics_vec256 v24 = Lib_IntVector_Intrinsics_vec256_add64(v14, v14h); + Lib_IntVector_Intrinsics_vec256 + l = Lib_IntVector_Intrinsics_vec256_add64(v20, Lib_IntVector_Intrinsics_vec256_zero); + Lib_IntVector_Intrinsics_vec256 + tmp0 = + Lib_IntVector_Intrinsics_vec256_and(l, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c0 = Lib_IntVector_Intrinsics_vec256_shift_right64(l, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l0 = Lib_IntVector_Intrinsics_vec256_add64(v21, c0); + Lib_IntVector_Intrinsics_vec256 + tmp1 = + Lib_IntVector_Intrinsics_vec256_and(l0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c1 = Lib_IntVector_Intrinsics_vec256_shift_right64(l0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l1 = Lib_IntVector_Intrinsics_vec256_add64(v22, c1); + Lib_IntVector_Intrinsics_vec256 + tmp2 = + Lib_IntVector_Intrinsics_vec256_and(l1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c2 = Lib_IntVector_Intrinsics_vec256_shift_right64(l1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l2 = Lib_IntVector_Intrinsics_vec256_add64(v23, c2); + Lib_IntVector_Intrinsics_vec256 + tmp3 = + 
Lib_IntVector_Intrinsics_vec256_and(l2, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c3 = Lib_IntVector_Intrinsics_vec256_shift_right64(l2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l3 = Lib_IntVector_Intrinsics_vec256_add64(v24, c3); + Lib_IntVector_Intrinsics_vec256 + tmp4 = + Lib_IntVector_Intrinsics_vec256_and(l3, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c4 = Lib_IntVector_Intrinsics_vec256_shift_right64(l3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + o00 = + Lib_IntVector_Intrinsics_vec256_add64(tmp0, + Lib_IntVector_Intrinsics_vec256_smul64(c4, (uint64_t)5U)); + Lib_IntVector_Intrinsics_vec256 o1 = tmp1; + Lib_IntVector_Intrinsics_vec256 o2 = tmp2; + Lib_IntVector_Intrinsics_vec256 o3 = tmp3; + Lib_IntVector_Intrinsics_vec256 o4 = tmp4; + out[0U] = o00; + out[1U] = o1; + out[2U] = o2; + out[3U] = o3; + out[4U] = o4; +} + +uint32_t Hacl_Poly1305_256_blocklen = (uint32_t)16U; + +void Hacl_Poly1305_256_poly1305_init(Lib_IntVector_Intrinsics_vec256 *ctx, uint8_t *key) +{ + Lib_IntVector_Intrinsics_vec256 *acc = ctx; + Lib_IntVector_Intrinsics_vec256 *pre = ctx + (uint32_t)5U; + uint8_t *kr = key; + acc[0U] = Lib_IntVector_Intrinsics_vec256_zero; + acc[1U] = Lib_IntVector_Intrinsics_vec256_zero; + acc[2U] = Lib_IntVector_Intrinsics_vec256_zero; + acc[3U] = Lib_IntVector_Intrinsics_vec256_zero; + acc[4U] = Lib_IntVector_Intrinsics_vec256_zero; + uint64_t u0 = load64_le(kr); + uint64_t lo = u0; + uint64_t u = load64_le(kr + (uint32_t)8U); + uint64_t hi = u; + uint64_t mask0 = (uint64_t)0x0ffffffc0fffffffU; + uint64_t mask1 = (uint64_t)0x0ffffffc0ffffffcU; + uint64_t lo1 = lo & mask0; + uint64_t hi1 = hi & mask1; + Lib_IntVector_Intrinsics_vec256 *r = pre; + Lib_IntVector_Intrinsics_vec256 *r5 = pre + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 *rn = pre + (uint32_t)10U; + Lib_IntVector_Intrinsics_vec256 *rn_5 = pre + (uint32_t)15U; 
+ Lib_IntVector_Intrinsics_vec256 r_vec0 = Lib_IntVector_Intrinsics_vec256_load64(lo1); + Lib_IntVector_Intrinsics_vec256 r_vec1 = Lib_IntVector_Intrinsics_vec256_load64(hi1); + Lib_IntVector_Intrinsics_vec256 + f00 = + Lib_IntVector_Intrinsics_vec256_and(r_vec0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f15 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(r_vec0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f20 = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_right64(r_vec0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec256_shift_left64(Lib_IntVector_Intrinsics_vec256_and(r_vec1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec256 + f30 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(r_vec1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f40 = Lib_IntVector_Intrinsics_vec256_shift_right64(r_vec1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 f0 = f00; + Lib_IntVector_Intrinsics_vec256 f1 = f15; + Lib_IntVector_Intrinsics_vec256 f2 = f20; + Lib_IntVector_Intrinsics_vec256 f3 = f30; + Lib_IntVector_Intrinsics_vec256 f4 = f40; + r[0U] = f0; + r[1U] = f1; + r[2U] = f2; + r[3U] = f3; + r[4U] = f4; + Lib_IntVector_Intrinsics_vec256 f200 = r[0U]; + Lib_IntVector_Intrinsics_vec256 f210 = r[1U]; + Lib_IntVector_Intrinsics_vec256 f220 = r[2U]; + Lib_IntVector_Intrinsics_vec256 f230 = r[3U]; + Lib_IntVector_Intrinsics_vec256 f240 = r[4U]; + r5[0U] = Lib_IntVector_Intrinsics_vec256_smul64(f200, (uint64_t)5U); + r5[1U] = Lib_IntVector_Intrinsics_vec256_smul64(f210, (uint64_t)5U); + r5[2U] = Lib_IntVector_Intrinsics_vec256_smul64(f220, (uint64_t)5U); + r5[3U] = Lib_IntVector_Intrinsics_vec256_smul64(f230, 
(uint64_t)5U); + r5[4U] = Lib_IntVector_Intrinsics_vec256_smul64(f240, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec256 r0 = r[0U]; + Lib_IntVector_Intrinsics_vec256 r10 = r[1U]; + Lib_IntVector_Intrinsics_vec256 r20 = r[2U]; + Lib_IntVector_Intrinsics_vec256 r30 = r[3U]; + Lib_IntVector_Intrinsics_vec256 r40 = r[4U]; + Lib_IntVector_Intrinsics_vec256 r510 = r5[1U]; + Lib_IntVector_Intrinsics_vec256 r520 = r5[2U]; + Lib_IntVector_Intrinsics_vec256 r530 = r5[3U]; + Lib_IntVector_Intrinsics_vec256 r540 = r5[4U]; + Lib_IntVector_Intrinsics_vec256 f100 = r[0U]; + Lib_IntVector_Intrinsics_vec256 f110 = r[1U]; + Lib_IntVector_Intrinsics_vec256 f120 = r[2U]; + Lib_IntVector_Intrinsics_vec256 f130 = r[3U]; + Lib_IntVector_Intrinsics_vec256 f140 = r[4U]; + Lib_IntVector_Intrinsics_vec256 a00 = Lib_IntVector_Intrinsics_vec256_mul64(r0, f100); + Lib_IntVector_Intrinsics_vec256 a10 = Lib_IntVector_Intrinsics_vec256_mul64(r10, f100); + Lib_IntVector_Intrinsics_vec256 a20 = Lib_IntVector_Intrinsics_vec256_mul64(r20, f100); + Lib_IntVector_Intrinsics_vec256 a30 = Lib_IntVector_Intrinsics_vec256_mul64(r30, f100); + Lib_IntVector_Intrinsics_vec256 a40 = Lib_IntVector_Intrinsics_vec256_mul64(r40, f100); + Lib_IntVector_Intrinsics_vec256 + a010 = + Lib_IntVector_Intrinsics_vec256_add64(a00, + Lib_IntVector_Intrinsics_vec256_mul64(r540, f110)); + Lib_IntVector_Intrinsics_vec256 + a110 = + Lib_IntVector_Intrinsics_vec256_add64(a10, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f110)); + Lib_IntVector_Intrinsics_vec256 + a210 = + Lib_IntVector_Intrinsics_vec256_add64(a20, + Lib_IntVector_Intrinsics_vec256_mul64(r10, f110)); + Lib_IntVector_Intrinsics_vec256 + a310 = + Lib_IntVector_Intrinsics_vec256_add64(a30, + Lib_IntVector_Intrinsics_vec256_mul64(r20, f110)); + Lib_IntVector_Intrinsics_vec256 + a410 = + Lib_IntVector_Intrinsics_vec256_add64(a40, + Lib_IntVector_Intrinsics_vec256_mul64(r30, f110)); + Lib_IntVector_Intrinsics_vec256 + a020 = + Lib_IntVector_Intrinsics_vec256_add64(a010, 
+ Lib_IntVector_Intrinsics_vec256_mul64(r530, f120)); + Lib_IntVector_Intrinsics_vec256 + a120 = + Lib_IntVector_Intrinsics_vec256_add64(a110, + Lib_IntVector_Intrinsics_vec256_mul64(r540, f120)); + Lib_IntVector_Intrinsics_vec256 + a220 = + Lib_IntVector_Intrinsics_vec256_add64(a210, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f120)); + Lib_IntVector_Intrinsics_vec256 + a320 = + Lib_IntVector_Intrinsics_vec256_add64(a310, + Lib_IntVector_Intrinsics_vec256_mul64(r10, f120)); + Lib_IntVector_Intrinsics_vec256 + a420 = + Lib_IntVector_Intrinsics_vec256_add64(a410, + Lib_IntVector_Intrinsics_vec256_mul64(r20, f120)); + Lib_IntVector_Intrinsics_vec256 + a030 = + Lib_IntVector_Intrinsics_vec256_add64(a020, + Lib_IntVector_Intrinsics_vec256_mul64(r520, f130)); + Lib_IntVector_Intrinsics_vec256 + a130 = + Lib_IntVector_Intrinsics_vec256_add64(a120, + Lib_IntVector_Intrinsics_vec256_mul64(r530, f130)); + Lib_IntVector_Intrinsics_vec256 + a230 = + Lib_IntVector_Intrinsics_vec256_add64(a220, + Lib_IntVector_Intrinsics_vec256_mul64(r540, f130)); + Lib_IntVector_Intrinsics_vec256 + a330 = + Lib_IntVector_Intrinsics_vec256_add64(a320, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f130)); + Lib_IntVector_Intrinsics_vec256 + a430 = + Lib_IntVector_Intrinsics_vec256_add64(a420, + Lib_IntVector_Intrinsics_vec256_mul64(r10, f130)); + Lib_IntVector_Intrinsics_vec256 + a040 = + Lib_IntVector_Intrinsics_vec256_add64(a030, + Lib_IntVector_Intrinsics_vec256_mul64(r510, f140)); + Lib_IntVector_Intrinsics_vec256 + a140 = + Lib_IntVector_Intrinsics_vec256_add64(a130, + Lib_IntVector_Intrinsics_vec256_mul64(r520, f140)); + Lib_IntVector_Intrinsics_vec256 + a240 = + Lib_IntVector_Intrinsics_vec256_add64(a230, + Lib_IntVector_Intrinsics_vec256_mul64(r530, f140)); + Lib_IntVector_Intrinsics_vec256 + a340 = + Lib_IntVector_Intrinsics_vec256_add64(a330, + Lib_IntVector_Intrinsics_vec256_mul64(r540, f140)); + Lib_IntVector_Intrinsics_vec256 + a440 = + Lib_IntVector_Intrinsics_vec256_add64(a430, + 
Lib_IntVector_Intrinsics_vec256_mul64(r0, f140)); + Lib_IntVector_Intrinsics_vec256 t00 = a040; + Lib_IntVector_Intrinsics_vec256 t10 = a140; + Lib_IntVector_Intrinsics_vec256 t20 = a240; + Lib_IntVector_Intrinsics_vec256 t30 = a340; + Lib_IntVector_Intrinsics_vec256 t40 = a440; + Lib_IntVector_Intrinsics_vec256 + mask260 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z00 = Lib_IntVector_Intrinsics_vec256_shift_right64(t00, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z10 = Lib_IntVector_Intrinsics_vec256_shift_right64(t30, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x00 = Lib_IntVector_Intrinsics_vec256_and(t00, mask260); + Lib_IntVector_Intrinsics_vec256 x30 = Lib_IntVector_Intrinsics_vec256_and(t30, mask260); + Lib_IntVector_Intrinsics_vec256 x10 = Lib_IntVector_Intrinsics_vec256_add64(t10, z00); + Lib_IntVector_Intrinsics_vec256 x40 = Lib_IntVector_Intrinsics_vec256_add64(t40, z10); + Lib_IntVector_Intrinsics_vec256 + z010 = Lib_IntVector_Intrinsics_vec256_shift_right64(x10, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z110 = Lib_IntVector_Intrinsics_vec256_shift_right64(x40, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t5 = Lib_IntVector_Intrinsics_vec256_shift_left64(z110, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z110, t5); + Lib_IntVector_Intrinsics_vec256 x110 = Lib_IntVector_Intrinsics_vec256_and(x10, mask260); + Lib_IntVector_Intrinsics_vec256 x410 = Lib_IntVector_Intrinsics_vec256_and(x40, mask260); + Lib_IntVector_Intrinsics_vec256 x20 = Lib_IntVector_Intrinsics_vec256_add64(t20, z010); + Lib_IntVector_Intrinsics_vec256 x010 = Lib_IntVector_Intrinsics_vec256_add64(x00, z12); + Lib_IntVector_Intrinsics_vec256 + z020 = Lib_IntVector_Intrinsics_vec256_shift_right64(x20, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z130 = Lib_IntVector_Intrinsics_vec256_shift_right64(x010, (uint32_t)26U); + 
Lib_IntVector_Intrinsics_vec256 x210 = Lib_IntVector_Intrinsics_vec256_and(x20, mask260); + Lib_IntVector_Intrinsics_vec256 x020 = Lib_IntVector_Intrinsics_vec256_and(x010, mask260); + Lib_IntVector_Intrinsics_vec256 x310 = Lib_IntVector_Intrinsics_vec256_add64(x30, z020); + Lib_IntVector_Intrinsics_vec256 x120 = Lib_IntVector_Intrinsics_vec256_add64(x110, z130); + Lib_IntVector_Intrinsics_vec256 + z030 = Lib_IntVector_Intrinsics_vec256_shift_right64(x310, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x320 = Lib_IntVector_Intrinsics_vec256_and(x310, mask260); + Lib_IntVector_Intrinsics_vec256 x420 = Lib_IntVector_Intrinsics_vec256_add64(x410, z030); + Lib_IntVector_Intrinsics_vec256 o00 = x020; + Lib_IntVector_Intrinsics_vec256 o10 = x120; + Lib_IntVector_Intrinsics_vec256 o20 = x210; + Lib_IntVector_Intrinsics_vec256 o30 = x320; + Lib_IntVector_Intrinsics_vec256 o40 = x420; + rn[0U] = o00; + rn[1U] = o10; + rn[2U] = o20; + rn[3U] = o30; + rn[4U] = o40; + Lib_IntVector_Intrinsics_vec256 f201 = rn[0U]; + Lib_IntVector_Intrinsics_vec256 f211 = rn[1U]; + Lib_IntVector_Intrinsics_vec256 f221 = rn[2U]; + Lib_IntVector_Intrinsics_vec256 f231 = rn[3U]; + Lib_IntVector_Intrinsics_vec256 f241 = rn[4U]; + rn_5[0U] = Lib_IntVector_Intrinsics_vec256_smul64(f201, (uint64_t)5U); + rn_5[1U] = Lib_IntVector_Intrinsics_vec256_smul64(f211, (uint64_t)5U); + rn_5[2U] = Lib_IntVector_Intrinsics_vec256_smul64(f221, (uint64_t)5U); + rn_5[3U] = Lib_IntVector_Intrinsics_vec256_smul64(f231, (uint64_t)5U); + rn_5[4U] = Lib_IntVector_Intrinsics_vec256_smul64(f241, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec256 r00 = rn[0U]; + Lib_IntVector_Intrinsics_vec256 r1 = rn[1U]; + Lib_IntVector_Intrinsics_vec256 r2 = rn[2U]; + Lib_IntVector_Intrinsics_vec256 r3 = rn[3U]; + Lib_IntVector_Intrinsics_vec256 r4 = rn[4U]; + Lib_IntVector_Intrinsics_vec256 r51 = rn_5[1U]; + Lib_IntVector_Intrinsics_vec256 r52 = rn_5[2U]; + Lib_IntVector_Intrinsics_vec256 r53 = rn_5[3U]; + 
Lib_IntVector_Intrinsics_vec256 r54 = rn_5[4U]; + Lib_IntVector_Intrinsics_vec256 f10 = rn[0U]; + Lib_IntVector_Intrinsics_vec256 f11 = rn[1U]; + Lib_IntVector_Intrinsics_vec256 f12 = rn[2U]; + Lib_IntVector_Intrinsics_vec256 f13 = rn[3U]; + Lib_IntVector_Intrinsics_vec256 f14 = rn[4U]; + Lib_IntVector_Intrinsics_vec256 a0 = Lib_IntVector_Intrinsics_vec256_mul64(r00, f10); + Lib_IntVector_Intrinsics_vec256 a1 = Lib_IntVector_Intrinsics_vec256_mul64(r1, f10); + Lib_IntVector_Intrinsics_vec256 a2 = Lib_IntVector_Intrinsics_vec256_mul64(r2, f10); + Lib_IntVector_Intrinsics_vec256 a3 = Lib_IntVector_Intrinsics_vec256_mul64(r3, f10); + Lib_IntVector_Intrinsics_vec256 a4 = Lib_IntVector_Intrinsics_vec256_mul64(r4, f10); + Lib_IntVector_Intrinsics_vec256 + a01 = + Lib_IntVector_Intrinsics_vec256_add64(a0, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f11)); + Lib_IntVector_Intrinsics_vec256 + a11 = + Lib_IntVector_Intrinsics_vec256_add64(a1, + Lib_IntVector_Intrinsics_vec256_mul64(r00, f11)); + Lib_IntVector_Intrinsics_vec256 + a21 = Lib_IntVector_Intrinsics_vec256_add64(a2, Lib_IntVector_Intrinsics_vec256_mul64(r1, f11)); + Lib_IntVector_Intrinsics_vec256 + a31 = Lib_IntVector_Intrinsics_vec256_add64(a3, Lib_IntVector_Intrinsics_vec256_mul64(r2, f11)); + Lib_IntVector_Intrinsics_vec256 + a41 = Lib_IntVector_Intrinsics_vec256_add64(a4, Lib_IntVector_Intrinsics_vec256_mul64(r3, f11)); + Lib_IntVector_Intrinsics_vec256 + a02 = + Lib_IntVector_Intrinsics_vec256_add64(a01, + Lib_IntVector_Intrinsics_vec256_mul64(r53, f12)); + Lib_IntVector_Intrinsics_vec256 + a12 = + Lib_IntVector_Intrinsics_vec256_add64(a11, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f12)); + Lib_IntVector_Intrinsics_vec256 + a22 = + Lib_IntVector_Intrinsics_vec256_add64(a21, + Lib_IntVector_Intrinsics_vec256_mul64(r00, f12)); + Lib_IntVector_Intrinsics_vec256 + a32 = + Lib_IntVector_Intrinsics_vec256_add64(a31, + Lib_IntVector_Intrinsics_vec256_mul64(r1, f12)); + Lib_IntVector_Intrinsics_vec256 + a42 = + 
Lib_IntVector_Intrinsics_vec256_add64(a41, + Lib_IntVector_Intrinsics_vec256_mul64(r2, f12)); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r52, f13)); + Lib_IntVector_Intrinsics_vec256 + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r53, f13)); + Lib_IntVector_Intrinsics_vec256 + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f13)); + Lib_IntVector_Intrinsics_vec256 + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r00, f13)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r1, f13)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r51, f14)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r52, f14)); + Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r53, f14)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f14)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r00, f14)); + Lib_IntVector_Intrinsics_vec256 t0 = a04; + Lib_IntVector_Intrinsics_vec256 t1 = a14; + Lib_IntVector_Intrinsics_vec256 t2 = a24; + Lib_IntVector_Intrinsics_vec256 t3 = a34; + Lib_IntVector_Intrinsics_vec256 t4 = a44; + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z1 = 
Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_and(t0, mask26); + Lib_IntVector_Intrinsics_vec256 x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t1, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z120 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + Lib_IntVector_Intrinsics_vec256 x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + Lib_IntVector_Intrinsics_vec256 x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z120); + Lib_IntVector_Intrinsics_vec256 + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 x12 = Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + Lib_IntVector_Intrinsics_vec256 x42 = 
Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o0 = x02; + Lib_IntVector_Intrinsics_vec256 o1 = x12; + Lib_IntVector_Intrinsics_vec256 o2 = x21; + Lib_IntVector_Intrinsics_vec256 o3 = x32; + Lib_IntVector_Intrinsics_vec256 o4 = x42; + rn[0U] = o0; + rn[1U] = o1; + rn[2U] = o2; + rn[3U] = o3; + rn[4U] = o4; + Lib_IntVector_Intrinsics_vec256 f202 = rn[0U]; + Lib_IntVector_Intrinsics_vec256 f21 = rn[1U]; + Lib_IntVector_Intrinsics_vec256 f22 = rn[2U]; + Lib_IntVector_Intrinsics_vec256 f23 = rn[3U]; + Lib_IntVector_Intrinsics_vec256 f24 = rn[4U]; + rn_5[0U] = Lib_IntVector_Intrinsics_vec256_smul64(f202, (uint64_t)5U); + rn_5[1U] = Lib_IntVector_Intrinsics_vec256_smul64(f21, (uint64_t)5U); + rn_5[2U] = Lib_IntVector_Intrinsics_vec256_smul64(f22, (uint64_t)5U); + rn_5[3U] = Lib_IntVector_Intrinsics_vec256_smul64(f23, (uint64_t)5U); + rn_5[4U] = Lib_IntVector_Intrinsics_vec256_smul64(f24, (uint64_t)5U); +} + +void Hacl_Poly1305_256_poly1305_update1(Lib_IntVector_Intrinsics_vec256 *ctx, uint8_t *text) +{ + Lib_IntVector_Intrinsics_vec256 *pre = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 *acc = ctx; + Lib_IntVector_Intrinsics_vec256 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + uint64_t u0 = load64_le(text); + uint64_t lo = u0; + uint64_t u = load64_le(text + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec256 f0 = Lib_IntVector_Intrinsics_vec256_load64(lo); + Lib_IntVector_Intrinsics_vec256 f1 = Lib_IntVector_Intrinsics_vec256_load64(hi); + Lib_IntVector_Intrinsics_vec256 + f010 = + Lib_IntVector_Intrinsics_vec256_and(f0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f110 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f20 = + 
Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec256_shift_left64(Lib_IntVector_Intrinsics_vec256_and(f1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec256 + f30 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f40 = Lib_IntVector_Intrinsics_vec256_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 f01 = f010; + Lib_IntVector_Intrinsics_vec256 f111 = f110; + Lib_IntVector_Intrinsics_vec256 f2 = f20; + Lib_IntVector_Intrinsics_vec256 f3 = f30; + Lib_IntVector_Intrinsics_vec256 f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_load64(b); + Lib_IntVector_Intrinsics_vec256 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec256_or(f4, mask); + Lib_IntVector_Intrinsics_vec256 *r = pre; + Lib_IntVector_Intrinsics_vec256 *r5 = pre + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 r0 = r[0U]; + Lib_IntVector_Intrinsics_vec256 r1 = r[1U]; + Lib_IntVector_Intrinsics_vec256 r2 = r[2U]; + Lib_IntVector_Intrinsics_vec256 r3 = r[3U]; + Lib_IntVector_Intrinsics_vec256 r4 = r[4U]; + Lib_IntVector_Intrinsics_vec256 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec256 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec256 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec256 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec256 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec256 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec256 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec256 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec256 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec256 a0 = acc[0U]; + Lib_IntVector_Intrinsics_vec256 a1 = acc[1U]; + 
Lib_IntVector_Intrinsics_vec256 a2 = acc[2U]; + Lib_IntVector_Intrinsics_vec256 a3 = acc[3U]; + Lib_IntVector_Intrinsics_vec256 a4 = acc[4U]; + Lib_IntVector_Intrinsics_vec256 a01 = Lib_IntVector_Intrinsics_vec256_add64(a0, f10); + Lib_IntVector_Intrinsics_vec256 a11 = Lib_IntVector_Intrinsics_vec256_add64(a1, f11); + Lib_IntVector_Intrinsics_vec256 a21 = Lib_IntVector_Intrinsics_vec256_add64(a2, f12); + Lib_IntVector_Intrinsics_vec256 a31 = Lib_IntVector_Intrinsics_vec256_add64(a3, f13); + Lib_IntVector_Intrinsics_vec256 a41 = Lib_IntVector_Intrinsics_vec256_add64(a4, f14); + Lib_IntVector_Intrinsics_vec256 a02 = Lib_IntVector_Intrinsics_vec256_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec256 a12 = Lib_IntVector_Intrinsics_vec256_mul64(r1, a01); + Lib_IntVector_Intrinsics_vec256 a22 = Lib_IntVector_Intrinsics_vec256_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec256 a32 = Lib_IntVector_Intrinsics_vec256_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec256 a42 = Lib_IntVector_Intrinsics_vec256_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec256 + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec256 + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a11)); + Lib_IntVector_Intrinsics_vec256 + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a21)); + 
Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a21)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec256 + a05 = + Lib_IntVector_Intrinsics_vec256_add64(a04, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec256 + a15 = + Lib_IntVector_Intrinsics_vec256_add64(a14, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec256 + a25 = + Lib_IntVector_Intrinsics_vec256_add64(a24, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec256 + a35 = + Lib_IntVector_Intrinsics_vec256_add64(a34, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec256 + a45 = + Lib_IntVector_Intrinsics_vec256_add64(a44, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a31)); + Lib_IntVector_Intrinsics_vec256 + a06 = + Lib_IntVector_Intrinsics_vec256_add64(a05, + Lib_IntVector_Intrinsics_vec256_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec256 + a16 = + Lib_IntVector_Intrinsics_vec256_add64(a15, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec256 + a26 = + Lib_IntVector_Intrinsics_vec256_add64(a25, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec256 + a36 = + Lib_IntVector_Intrinsics_vec256_add64(a35, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec256 + a46 = + Lib_IntVector_Intrinsics_vec256_add64(a45, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec256 t0 = a06; + Lib_IntVector_Intrinsics_vec256 t1 = a16; + Lib_IntVector_Intrinsics_vec256 t2 = a26; + Lib_IntVector_Intrinsics_vec256 t3 = a36; + 
Lib_IntVector_Intrinsics_vec256 t4 = a46; + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_and(t0, mask26); + Lib_IntVector_Intrinsics_vec256 x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t1, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + Lib_IntVector_Intrinsics_vec256 x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + Lib_IntVector_Intrinsics_vec256 x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + Lib_IntVector_Intrinsics_vec256 + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 x12 = 
Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + Lib_IntVector_Intrinsics_vec256 x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o0 = x02; + Lib_IntVector_Intrinsics_vec256 o1 = x12; + Lib_IntVector_Intrinsics_vec256 o2 = x21; + Lib_IntVector_Intrinsics_vec256 o3 = x32; + Lib_IntVector_Intrinsics_vec256 o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; +} + +void +Hacl_Poly1305_256_poly1305_update( + Lib_IntVector_Intrinsics_vec256 *ctx, + uint32_t len, + uint8_t *text +) +{ + Lib_IntVector_Intrinsics_vec256 *pre = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 *acc = ctx; + uint32_t sz_block = (uint32_t)64U; + uint32_t len0 = len / sz_block * sz_block; + uint8_t *t0 = text; + if (len0 > (uint32_t)0U) + { + uint32_t bs = (uint32_t)64U; + uint8_t *text0 = t0; + Hacl_Impl_Poly1305_Field32xN_256_load_acc4(acc, text0); + uint32_t len1 = len0 - bs; + uint8_t *text1 = t0 + bs; + uint32_t nb = len1 / bs; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = text1 + i * bs; + Lib_IntVector_Intrinsics_vec256 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 lo = Lib_IntVector_Intrinsics_vec256_load64_le(block); + Lib_IntVector_Intrinsics_vec256 + hi = Lib_IntVector_Intrinsics_vec256_load64_le(block + (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 + mask260 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + m0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(lo, hi); + Lib_IntVector_Intrinsics_vec256 + m1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(lo, hi); + Lib_IntVector_Intrinsics_vec256 + m2 = 
Lib_IntVector_Intrinsics_vec256_shift_right(m0, (uint32_t)48U); + Lib_IntVector_Intrinsics_vec256 + m3 = Lib_IntVector_Intrinsics_vec256_shift_right(m1, (uint32_t)48U); + Lib_IntVector_Intrinsics_vec256 + m4 = Lib_IntVector_Intrinsics_vec256_interleave_high64(m0, m1); + Lib_IntVector_Intrinsics_vec256 + t010 = Lib_IntVector_Intrinsics_vec256_interleave_low64(m0, m1); + Lib_IntVector_Intrinsics_vec256 + t30 = Lib_IntVector_Intrinsics_vec256_interleave_low64(m2, m3); + Lib_IntVector_Intrinsics_vec256 + t20 = Lib_IntVector_Intrinsics_vec256_shift_right64(t30, (uint32_t)4U); + Lib_IntVector_Intrinsics_vec256 o20 = Lib_IntVector_Intrinsics_vec256_and(t20, mask260); + Lib_IntVector_Intrinsics_vec256 + t10 = Lib_IntVector_Intrinsics_vec256_shift_right64(t010, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 o10 = Lib_IntVector_Intrinsics_vec256_and(t10, mask260); + Lib_IntVector_Intrinsics_vec256 o5 = Lib_IntVector_Intrinsics_vec256_and(t010, mask260); + Lib_IntVector_Intrinsics_vec256 + t31 = Lib_IntVector_Intrinsics_vec256_shift_right64(t30, (uint32_t)30U); + Lib_IntVector_Intrinsics_vec256 o30 = Lib_IntVector_Intrinsics_vec256_and(t31, mask260); + Lib_IntVector_Intrinsics_vec256 + o40 = Lib_IntVector_Intrinsics_vec256_shift_right64(m4, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 o00 = o5; + Lib_IntVector_Intrinsics_vec256 o11 = o10; + Lib_IntVector_Intrinsics_vec256 o21 = o20; + Lib_IntVector_Intrinsics_vec256 o31 = o30; + Lib_IntVector_Intrinsics_vec256 o41 = o40; + e[0U] = o00; + e[1U] = o11; + e[2U] = o21; + e[3U] = o31; + e[4U] = o41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_load64(b); + Lib_IntVector_Intrinsics_vec256 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec256_or(f4, mask); + Lib_IntVector_Intrinsics_vec256 *rn = pre + (uint32_t)10U; + Lib_IntVector_Intrinsics_vec256 *rn5 = pre + (uint32_t)15U; + Lib_IntVector_Intrinsics_vec256 r0 = rn[0U]; + Lib_IntVector_Intrinsics_vec256 r1 = 
rn[1U]; + Lib_IntVector_Intrinsics_vec256 r2 = rn[2U]; + Lib_IntVector_Intrinsics_vec256 r3 = rn[3U]; + Lib_IntVector_Intrinsics_vec256 r4 = rn[4U]; + Lib_IntVector_Intrinsics_vec256 r51 = rn5[1U]; + Lib_IntVector_Intrinsics_vec256 r52 = rn5[2U]; + Lib_IntVector_Intrinsics_vec256 r53 = rn5[3U]; + Lib_IntVector_Intrinsics_vec256 r54 = rn5[4U]; + Lib_IntVector_Intrinsics_vec256 f10 = acc[0U]; + Lib_IntVector_Intrinsics_vec256 f110 = acc[1U]; + Lib_IntVector_Intrinsics_vec256 f120 = acc[2U]; + Lib_IntVector_Intrinsics_vec256 f130 = acc[3U]; + Lib_IntVector_Intrinsics_vec256 f140 = acc[4U]; + Lib_IntVector_Intrinsics_vec256 a0 = Lib_IntVector_Intrinsics_vec256_mul64(r0, f10); + Lib_IntVector_Intrinsics_vec256 a1 = Lib_IntVector_Intrinsics_vec256_mul64(r1, f10); + Lib_IntVector_Intrinsics_vec256 a2 = Lib_IntVector_Intrinsics_vec256_mul64(r2, f10); + Lib_IntVector_Intrinsics_vec256 a3 = Lib_IntVector_Intrinsics_vec256_mul64(r3, f10); + Lib_IntVector_Intrinsics_vec256 a4 = Lib_IntVector_Intrinsics_vec256_mul64(r4, f10); + Lib_IntVector_Intrinsics_vec256 + a01 = + Lib_IntVector_Intrinsics_vec256_add64(a0, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f110)); + Lib_IntVector_Intrinsics_vec256 + a11 = + Lib_IntVector_Intrinsics_vec256_add64(a1, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f110)); + Lib_IntVector_Intrinsics_vec256 + a21 = + Lib_IntVector_Intrinsics_vec256_add64(a2, + Lib_IntVector_Intrinsics_vec256_mul64(r1, f110)); + Lib_IntVector_Intrinsics_vec256 + a31 = + Lib_IntVector_Intrinsics_vec256_add64(a3, + Lib_IntVector_Intrinsics_vec256_mul64(r2, f110)); + Lib_IntVector_Intrinsics_vec256 + a41 = + Lib_IntVector_Intrinsics_vec256_add64(a4, + Lib_IntVector_Intrinsics_vec256_mul64(r3, f110)); + Lib_IntVector_Intrinsics_vec256 + a02 = + Lib_IntVector_Intrinsics_vec256_add64(a01, + Lib_IntVector_Intrinsics_vec256_mul64(r53, f120)); + Lib_IntVector_Intrinsics_vec256 + a12 = + Lib_IntVector_Intrinsics_vec256_add64(a11, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f120)); 
+ Lib_IntVector_Intrinsics_vec256 + a22 = + Lib_IntVector_Intrinsics_vec256_add64(a21, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f120)); + Lib_IntVector_Intrinsics_vec256 + a32 = + Lib_IntVector_Intrinsics_vec256_add64(a31, + Lib_IntVector_Intrinsics_vec256_mul64(r1, f120)); + Lib_IntVector_Intrinsics_vec256 + a42 = + Lib_IntVector_Intrinsics_vec256_add64(a41, + Lib_IntVector_Intrinsics_vec256_mul64(r2, f120)); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r52, f130)); + Lib_IntVector_Intrinsics_vec256 + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r53, f130)); + Lib_IntVector_Intrinsics_vec256 + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f130)); + Lib_IntVector_Intrinsics_vec256 + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f130)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r1, f130)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r51, f140)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r52, f140)); + Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r53, f140)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f140)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f140)); + Lib_IntVector_Intrinsics_vec256 t01 = a04; + Lib_IntVector_Intrinsics_vec256 t1 = a14; + Lib_IntVector_Intrinsics_vec256 t2 = a24; + Lib_IntVector_Intrinsics_vec256 t3 = a34; + 
Lib_IntVector_Intrinsics_vec256 t4 = a44; + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_and(t01, mask26); + Lib_IntVector_Intrinsics_vec256 x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t1, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + Lib_IntVector_Intrinsics_vec256 x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + Lib_IntVector_Intrinsics_vec256 x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + Lib_IntVector_Intrinsics_vec256 + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 x12 = 
Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + Lib_IntVector_Intrinsics_vec256 x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o01 = x02; + Lib_IntVector_Intrinsics_vec256 o12 = x12; + Lib_IntVector_Intrinsics_vec256 o22 = x21; + Lib_IntVector_Intrinsics_vec256 o32 = x32; + Lib_IntVector_Intrinsics_vec256 o42 = x42; + acc[0U] = o01; + acc[1U] = o12; + acc[2U] = o22; + acc[3U] = o32; + acc[4U] = o42; + Lib_IntVector_Intrinsics_vec256 f100 = acc[0U]; + Lib_IntVector_Intrinsics_vec256 f11 = acc[1U]; + Lib_IntVector_Intrinsics_vec256 f12 = acc[2U]; + Lib_IntVector_Intrinsics_vec256 f13 = acc[3U]; + Lib_IntVector_Intrinsics_vec256 f14 = acc[4U]; + Lib_IntVector_Intrinsics_vec256 f20 = e[0U]; + Lib_IntVector_Intrinsics_vec256 f21 = e[1U]; + Lib_IntVector_Intrinsics_vec256 f22 = e[2U]; + Lib_IntVector_Intrinsics_vec256 f23 = e[3U]; + Lib_IntVector_Intrinsics_vec256 f24 = e[4U]; + Lib_IntVector_Intrinsics_vec256 o0 = Lib_IntVector_Intrinsics_vec256_add64(f100, f20); + Lib_IntVector_Intrinsics_vec256 o1 = Lib_IntVector_Intrinsics_vec256_add64(f11, f21); + Lib_IntVector_Intrinsics_vec256 o2 = Lib_IntVector_Intrinsics_vec256_add64(f12, f22); + Lib_IntVector_Intrinsics_vec256 o3 = Lib_IntVector_Intrinsics_vec256_add64(f13, f23); + Lib_IntVector_Intrinsics_vec256 o4 = Lib_IntVector_Intrinsics_vec256_add64(f14, f24); + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + } + Hacl_Impl_Poly1305_Field32xN_256_fmul_r4_normalize(acc, pre); + } + uint32_t len1 = len - len0; + uint8_t *t1 = text + len0; + uint32_t nb = len1 / (uint32_t)16U; + uint32_t rem = len1 % (uint32_t)16U; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = t1 + i * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec256 e[5U]; + for 
(uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + uint64_t u0 = load64_le(block); + uint64_t lo = u0; + uint64_t u = load64_le(block + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec256 f0 = Lib_IntVector_Intrinsics_vec256_load64(lo); + Lib_IntVector_Intrinsics_vec256 f1 = Lib_IntVector_Intrinsics_vec256_load64(hi); + Lib_IntVector_Intrinsics_vec256 + f010 = + Lib_IntVector_Intrinsics_vec256_and(f0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f110 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f20 = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec256_shift_left64(Lib_IntVector_Intrinsics_vec256_and(f1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec256 + f30 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f40 = Lib_IntVector_Intrinsics_vec256_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 f01 = f010; + Lib_IntVector_Intrinsics_vec256 f111 = f110; + Lib_IntVector_Intrinsics_vec256 f2 = f20; + Lib_IntVector_Intrinsics_vec256 f3 = f30; + Lib_IntVector_Intrinsics_vec256 f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_load64(b); + Lib_IntVector_Intrinsics_vec256 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec256_or(f4, mask); + Lib_IntVector_Intrinsics_vec256 *r = pre; + Lib_IntVector_Intrinsics_vec256 *r5 = pre + 
(uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 r0 = r[0U]; + Lib_IntVector_Intrinsics_vec256 r1 = r[1U]; + Lib_IntVector_Intrinsics_vec256 r2 = r[2U]; + Lib_IntVector_Intrinsics_vec256 r3 = r[3U]; + Lib_IntVector_Intrinsics_vec256 r4 = r[4U]; + Lib_IntVector_Intrinsics_vec256 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec256 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec256 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec256 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec256 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec256 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec256 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec256 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec256 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec256 a0 = acc[0U]; + Lib_IntVector_Intrinsics_vec256 a1 = acc[1U]; + Lib_IntVector_Intrinsics_vec256 a2 = acc[2U]; + Lib_IntVector_Intrinsics_vec256 a3 = acc[3U]; + Lib_IntVector_Intrinsics_vec256 a4 = acc[4U]; + Lib_IntVector_Intrinsics_vec256 a01 = Lib_IntVector_Intrinsics_vec256_add64(a0, f10); + Lib_IntVector_Intrinsics_vec256 a11 = Lib_IntVector_Intrinsics_vec256_add64(a1, f11); + Lib_IntVector_Intrinsics_vec256 a21 = Lib_IntVector_Intrinsics_vec256_add64(a2, f12); + Lib_IntVector_Intrinsics_vec256 a31 = Lib_IntVector_Intrinsics_vec256_add64(a3, f13); + Lib_IntVector_Intrinsics_vec256 a41 = Lib_IntVector_Intrinsics_vec256_add64(a4, f14); + Lib_IntVector_Intrinsics_vec256 a02 = Lib_IntVector_Intrinsics_vec256_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec256 a12 = Lib_IntVector_Intrinsics_vec256_mul64(r1, a01); + Lib_IntVector_Intrinsics_vec256 a22 = Lib_IntVector_Intrinsics_vec256_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec256 a32 = Lib_IntVector_Intrinsics_vec256_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec256 a42 = Lib_IntVector_Intrinsics_vec256_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec256 + a13 = + 
Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec256 + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a11)); + Lib_IntVector_Intrinsics_vec256 + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a21)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec256 + a05 = + Lib_IntVector_Intrinsics_vec256_add64(a04, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec256 + a15 = + Lib_IntVector_Intrinsics_vec256_add64(a14, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec256 + a25 = + Lib_IntVector_Intrinsics_vec256_add64(a24, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec256 + a35 = + Lib_IntVector_Intrinsics_vec256_add64(a34, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec256 + a45 = + Lib_IntVector_Intrinsics_vec256_add64(a44, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a31)); + Lib_IntVector_Intrinsics_vec256 + a06 = + Lib_IntVector_Intrinsics_vec256_add64(a05, + 
Lib_IntVector_Intrinsics_vec256_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec256 + a16 = + Lib_IntVector_Intrinsics_vec256_add64(a15, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec256 + a26 = + Lib_IntVector_Intrinsics_vec256_add64(a25, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec256 + a36 = + Lib_IntVector_Intrinsics_vec256_add64(a35, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec256 + a46 = + Lib_IntVector_Intrinsics_vec256_add64(a45, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec256 t01 = a06; + Lib_IntVector_Intrinsics_vec256 t11 = a16; + Lib_IntVector_Intrinsics_vec256 t2 = a26; + Lib_IntVector_Intrinsics_vec256 t3 = a36; + Lib_IntVector_Intrinsics_vec256 t4 = a46; + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_and(t01, mask26); + Lib_IntVector_Intrinsics_vec256 x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t11, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + Lib_IntVector_Intrinsics_vec256 x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + 
Lib_IntVector_Intrinsics_vec256 x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + Lib_IntVector_Intrinsics_vec256 + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 x12 = Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + Lib_IntVector_Intrinsics_vec256 x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o0 = x02; + Lib_IntVector_Intrinsics_vec256 o1 = x12; + Lib_IntVector_Intrinsics_vec256 o2 = x21; + Lib_IntVector_Intrinsics_vec256 o3 = x32; + Lib_IntVector_Intrinsics_vec256 o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + } + if (rem > (uint32_t)0U) + { + uint8_t *last = t1 + nb * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec256 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + uint8_t tmp[16U] = { 0U }; + memcpy(tmp, last, rem * sizeof (uint8_t)); + uint64_t u0 = load64_le(tmp); + uint64_t lo = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec256 f0 = Lib_IntVector_Intrinsics_vec256_load64(lo); + Lib_IntVector_Intrinsics_vec256 f1 = Lib_IntVector_Intrinsics_vec256_load64(hi); + 
Lib_IntVector_Intrinsics_vec256 + f010 = + Lib_IntVector_Intrinsics_vec256_and(f0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f110 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f20 = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec256_shift_left64(Lib_IntVector_Intrinsics_vec256_and(f1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec256 + f30 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f40 = Lib_IntVector_Intrinsics_vec256_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 f01 = f010; + Lib_IntVector_Intrinsics_vec256 f111 = f110; + Lib_IntVector_Intrinsics_vec256 f2 = f20; + Lib_IntVector_Intrinsics_vec256 f3 = f30; + Lib_IntVector_Intrinsics_vec256 f4 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f4; + uint64_t b = (uint64_t)1U << rem * (uint32_t)8U % (uint32_t)26U; + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_load64(b); + Lib_IntVector_Intrinsics_vec256 fi = e[rem * (uint32_t)8U / (uint32_t)26U]; + e[rem * (uint32_t)8U / (uint32_t)26U] = Lib_IntVector_Intrinsics_vec256_or(fi, mask); + Lib_IntVector_Intrinsics_vec256 *r = pre; + Lib_IntVector_Intrinsics_vec256 *r5 = pre + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 r0 = r[0U]; + Lib_IntVector_Intrinsics_vec256 r1 = r[1U]; + Lib_IntVector_Intrinsics_vec256 r2 = r[2U]; + Lib_IntVector_Intrinsics_vec256 r3 = r[3U]; + Lib_IntVector_Intrinsics_vec256 r4 = r[4U]; + Lib_IntVector_Intrinsics_vec256 r51 = r5[1U]; + 
Lib_IntVector_Intrinsics_vec256 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec256 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec256 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec256 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec256 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec256 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec256 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec256 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec256 a0 = acc[0U]; + Lib_IntVector_Intrinsics_vec256 a1 = acc[1U]; + Lib_IntVector_Intrinsics_vec256 a2 = acc[2U]; + Lib_IntVector_Intrinsics_vec256 a3 = acc[3U]; + Lib_IntVector_Intrinsics_vec256 a4 = acc[4U]; + Lib_IntVector_Intrinsics_vec256 a01 = Lib_IntVector_Intrinsics_vec256_add64(a0, f10); + Lib_IntVector_Intrinsics_vec256 a11 = Lib_IntVector_Intrinsics_vec256_add64(a1, f11); + Lib_IntVector_Intrinsics_vec256 a21 = Lib_IntVector_Intrinsics_vec256_add64(a2, f12); + Lib_IntVector_Intrinsics_vec256 a31 = Lib_IntVector_Intrinsics_vec256_add64(a3, f13); + Lib_IntVector_Intrinsics_vec256 a41 = Lib_IntVector_Intrinsics_vec256_add64(a4, f14); + Lib_IntVector_Intrinsics_vec256 a02 = Lib_IntVector_Intrinsics_vec256_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec256 a12 = Lib_IntVector_Intrinsics_vec256_mul64(r1, a01); + Lib_IntVector_Intrinsics_vec256 a22 = Lib_IntVector_Intrinsics_vec256_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec256 a32 = Lib_IntVector_Intrinsics_vec256_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec256 a42 = Lib_IntVector_Intrinsics_vec256_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec256 + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec256 + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a11)); + Lib_IntVector_Intrinsics_vec256 + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, 
+ Lib_IntVector_Intrinsics_vec256_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a21)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec256 + a05 = + Lib_IntVector_Intrinsics_vec256_add64(a04, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec256 + a15 = + Lib_IntVector_Intrinsics_vec256_add64(a14, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec256 + a25 = + Lib_IntVector_Intrinsics_vec256_add64(a24, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec256 + a35 = + Lib_IntVector_Intrinsics_vec256_add64(a34, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec256 + a45 = + Lib_IntVector_Intrinsics_vec256_add64(a44, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a31)); + Lib_IntVector_Intrinsics_vec256 + a06 = + Lib_IntVector_Intrinsics_vec256_add64(a05, + Lib_IntVector_Intrinsics_vec256_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec256 + a16 = + Lib_IntVector_Intrinsics_vec256_add64(a15, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec256 + a26 = + Lib_IntVector_Intrinsics_vec256_add64(a25, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a41)); + 
Lib_IntVector_Intrinsics_vec256 + a36 = + Lib_IntVector_Intrinsics_vec256_add64(a35, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec256 + a46 = + Lib_IntVector_Intrinsics_vec256_add64(a45, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec256 t01 = a06; + Lib_IntVector_Intrinsics_vec256 t11 = a16; + Lib_IntVector_Intrinsics_vec256 t2 = a26; + Lib_IntVector_Intrinsics_vec256 t3 = a36; + Lib_IntVector_Intrinsics_vec256 t4 = a46; + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_and(t01, mask26); + Lib_IntVector_Intrinsics_vec256 x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t11, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + Lib_IntVector_Intrinsics_vec256 x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + Lib_IntVector_Intrinsics_vec256 x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + Lib_IntVector_Intrinsics_vec256 + z02 = 
Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 x12 = Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + Lib_IntVector_Intrinsics_vec256 x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o0 = x02; + Lib_IntVector_Intrinsics_vec256 o1 = x12; + Lib_IntVector_Intrinsics_vec256 o2 = x21; + Lib_IntVector_Intrinsics_vec256 o3 = x32; + Lib_IntVector_Intrinsics_vec256 o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + return; + } +} + +void +Hacl_Poly1305_256_poly1305_finish( + uint8_t *tag, + uint8_t *key, + Lib_IntVector_Intrinsics_vec256 *ctx +) +{ + Lib_IntVector_Intrinsics_vec256 *acc = ctx; + uint8_t *ks = key + (uint32_t)16U; + Lib_IntVector_Intrinsics_vec256 f0 = acc[0U]; + Lib_IntVector_Intrinsics_vec256 f13 = acc[1U]; + Lib_IntVector_Intrinsics_vec256 f23 = acc[2U]; + Lib_IntVector_Intrinsics_vec256 f33 = acc[3U]; + Lib_IntVector_Intrinsics_vec256 f40 = acc[4U]; + Lib_IntVector_Intrinsics_vec256 + l0 = Lib_IntVector_Intrinsics_vec256_add64(f0, Lib_IntVector_Intrinsics_vec256_zero); + Lib_IntVector_Intrinsics_vec256 + tmp00 = + Lib_IntVector_Intrinsics_vec256_and(l0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c00 = Lib_IntVector_Intrinsics_vec256_shift_right64(l0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 
l1 = Lib_IntVector_Intrinsics_vec256_add64(f13, c00); + Lib_IntVector_Intrinsics_vec256 + tmp10 = + Lib_IntVector_Intrinsics_vec256_and(l1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c10 = Lib_IntVector_Intrinsics_vec256_shift_right64(l1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l2 = Lib_IntVector_Intrinsics_vec256_add64(f23, c10); + Lib_IntVector_Intrinsics_vec256 + tmp20 = + Lib_IntVector_Intrinsics_vec256_and(l2, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c20 = Lib_IntVector_Intrinsics_vec256_shift_right64(l2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l3 = Lib_IntVector_Intrinsics_vec256_add64(f33, c20); + Lib_IntVector_Intrinsics_vec256 + tmp30 = + Lib_IntVector_Intrinsics_vec256_and(l3, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c30 = Lib_IntVector_Intrinsics_vec256_shift_right64(l3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l4 = Lib_IntVector_Intrinsics_vec256_add64(f40, c30); + Lib_IntVector_Intrinsics_vec256 + tmp40 = + Lib_IntVector_Intrinsics_vec256_and(l4, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c40 = Lib_IntVector_Intrinsics_vec256_shift_right64(l4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + f010 = + Lib_IntVector_Intrinsics_vec256_add64(tmp00, + Lib_IntVector_Intrinsics_vec256_smul64(c40, (uint64_t)5U)); + Lib_IntVector_Intrinsics_vec256 f110 = tmp10; + Lib_IntVector_Intrinsics_vec256 f210 = tmp20; + Lib_IntVector_Intrinsics_vec256 f310 = tmp30; + Lib_IntVector_Intrinsics_vec256 f410 = tmp40; + Lib_IntVector_Intrinsics_vec256 + l = Lib_IntVector_Intrinsics_vec256_add64(f010, Lib_IntVector_Intrinsics_vec256_zero); + Lib_IntVector_Intrinsics_vec256 + tmp0 = + Lib_IntVector_Intrinsics_vec256_and(l, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + 
Lib_IntVector_Intrinsics_vec256 + c0 = Lib_IntVector_Intrinsics_vec256_shift_right64(l, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l5 = Lib_IntVector_Intrinsics_vec256_add64(f110, c0); + Lib_IntVector_Intrinsics_vec256 + tmp1 = + Lib_IntVector_Intrinsics_vec256_and(l5, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c1 = Lib_IntVector_Intrinsics_vec256_shift_right64(l5, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l6 = Lib_IntVector_Intrinsics_vec256_add64(f210, c1); + Lib_IntVector_Intrinsics_vec256 + tmp2 = + Lib_IntVector_Intrinsics_vec256_and(l6, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c2 = Lib_IntVector_Intrinsics_vec256_shift_right64(l6, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l7 = Lib_IntVector_Intrinsics_vec256_add64(f310, c2); + Lib_IntVector_Intrinsics_vec256 + tmp3 = + Lib_IntVector_Intrinsics_vec256_and(l7, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c3 = Lib_IntVector_Intrinsics_vec256_shift_right64(l7, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l8 = Lib_IntVector_Intrinsics_vec256_add64(f410, c3); + Lib_IntVector_Intrinsics_vec256 + tmp4 = + Lib_IntVector_Intrinsics_vec256_and(l8, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c4 = Lib_IntVector_Intrinsics_vec256_shift_right64(l8, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + f02 = + Lib_IntVector_Intrinsics_vec256_add64(tmp0, + Lib_IntVector_Intrinsics_vec256_smul64(c4, (uint64_t)5U)); + Lib_IntVector_Intrinsics_vec256 f12 = tmp1; + Lib_IntVector_Intrinsics_vec256 f22 = tmp2; + Lib_IntVector_Intrinsics_vec256 f32 = tmp3; + Lib_IntVector_Intrinsics_vec256 f42 = tmp4; + Lib_IntVector_Intrinsics_vec256 + mh = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + ml = 
Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3fffffbU); + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_eq64(f42, mh); + Lib_IntVector_Intrinsics_vec256 + mask1 = + Lib_IntVector_Intrinsics_vec256_and(mask, + Lib_IntVector_Intrinsics_vec256_eq64(f32, mh)); + Lib_IntVector_Intrinsics_vec256 + mask2 = + Lib_IntVector_Intrinsics_vec256_and(mask1, + Lib_IntVector_Intrinsics_vec256_eq64(f22, mh)); + Lib_IntVector_Intrinsics_vec256 + mask3 = + Lib_IntVector_Intrinsics_vec256_and(mask2, + Lib_IntVector_Intrinsics_vec256_eq64(f12, mh)); + Lib_IntVector_Intrinsics_vec256 + mask4 = + Lib_IntVector_Intrinsics_vec256_and(mask3, + Lib_IntVector_Intrinsics_vec256_lognot(Lib_IntVector_Intrinsics_vec256_gt64(ml, f02))); + Lib_IntVector_Intrinsics_vec256 ph = Lib_IntVector_Intrinsics_vec256_and(mask4, mh); + Lib_IntVector_Intrinsics_vec256 pl = Lib_IntVector_Intrinsics_vec256_and(mask4, ml); + Lib_IntVector_Intrinsics_vec256 o0 = Lib_IntVector_Intrinsics_vec256_sub64(f02, pl); + Lib_IntVector_Intrinsics_vec256 o1 = Lib_IntVector_Intrinsics_vec256_sub64(f12, ph); + Lib_IntVector_Intrinsics_vec256 o2 = Lib_IntVector_Intrinsics_vec256_sub64(f22, ph); + Lib_IntVector_Intrinsics_vec256 o3 = Lib_IntVector_Intrinsics_vec256_sub64(f32, ph); + Lib_IntVector_Intrinsics_vec256 o4 = Lib_IntVector_Intrinsics_vec256_sub64(f42, ph); + Lib_IntVector_Intrinsics_vec256 f011 = o0; + Lib_IntVector_Intrinsics_vec256 f111 = o1; + Lib_IntVector_Intrinsics_vec256 f211 = o2; + Lib_IntVector_Intrinsics_vec256 f311 = o3; + Lib_IntVector_Intrinsics_vec256 f411 = o4; + acc[0U] = f011; + acc[1U] = f111; + acc[2U] = f211; + acc[3U] = f311; + acc[4U] = f411; + Lib_IntVector_Intrinsics_vec256 f00 = acc[0U]; + Lib_IntVector_Intrinsics_vec256 f1 = acc[1U]; + Lib_IntVector_Intrinsics_vec256 f2 = acc[2U]; + Lib_IntVector_Intrinsics_vec256 f3 = acc[3U]; + Lib_IntVector_Intrinsics_vec256 f4 = acc[4U]; + uint64_t f01 = Lib_IntVector_Intrinsics_vec256_extract64(f00, (uint32_t)0U); + uint64_t 
f112 = Lib_IntVector_Intrinsics_vec256_extract64(f1, (uint32_t)0U); + uint64_t f212 = Lib_IntVector_Intrinsics_vec256_extract64(f2, (uint32_t)0U); + uint64_t f312 = Lib_IntVector_Intrinsics_vec256_extract64(f3, (uint32_t)0U); + uint64_t f41 = Lib_IntVector_Intrinsics_vec256_extract64(f4, (uint32_t)0U); + uint64_t lo = (f01 | f112 << (uint32_t)26U) | f212 << (uint32_t)52U; + uint64_t hi = (f212 >> (uint32_t)12U | f312 << (uint32_t)14U) | f41 << (uint32_t)40U; + uint64_t f10 = lo; + uint64_t f11 = hi; + uint64_t u0 = load64_le(ks); + uint64_t lo0 = u0; + uint64_t u = load64_le(ks + (uint32_t)8U); + uint64_t hi0 = u; + uint64_t f20 = lo0; + uint64_t f21 = hi0; + uint64_t r0 = f10 + f20; + uint64_t r1 = f11 + f21; + uint64_t c = (r0 ^ ((r0 ^ f20) | ((r0 - f20) ^ f20))) >> (uint32_t)63U; + uint64_t r11 = r1 + c; + uint64_t f30 = r0; + uint64_t f31 = r11; + store64_le(tag, f30); + store64_le(tag + (uint32_t)8U, f31); +} + +void Hacl_Poly1305_256_poly1305_mac(uint8_t *tag, uint32_t len, uint8_t *text, uint8_t *key) +{ + Lib_IntVector_Intrinsics_vec256 ctx[25U]; + for (uint32_t _i = 0U; _i < (uint32_t)25U; ++_i) + ctx[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Hacl_Poly1305_256_poly1305_init(ctx, key); + Hacl_Poly1305_256_poly1305_update(ctx, len, text); + Hacl_Poly1305_256_poly1305_finish(tag, key, ctx); +} + diff --git a/src/Hacl_Poly1305_32.c b/src/Hacl_Poly1305_32.c new file mode 100644 index 00000000..7223c365 --- /dev/null +++ b/src/Hacl_Poly1305_32.c 
@@ -0,0 +1,575 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Poly1305_32.h" + +#include "internal/Hacl_Kremlib.h" + +uint32_t Hacl_Poly1305_32_blocklen = (uint32_t)16U; + +void Hacl_Poly1305_32_poly1305_init(uint64_t *ctx, uint8_t *key) +{ + uint64_t *acc = ctx; + uint64_t *pre = ctx + (uint32_t)5U; + uint8_t *kr = key; + acc[0U] = (uint64_t)0U; + acc[1U] = (uint64_t)0U; + acc[2U] = (uint64_t)0U; + acc[3U] = (uint64_t)0U; + acc[4U] = (uint64_t)0U; + uint64_t u0 = load64_le(kr); + uint64_t lo = u0; + uint64_t u = load64_le(kr + (uint32_t)8U); + uint64_t hi = u; + uint64_t mask0 = (uint64_t)0x0ffffffc0fffffffU; + uint64_t mask1 = (uint64_t)0x0ffffffc0ffffffcU; + uint64_t lo1 = lo & mask0; + uint64_t hi1 = hi & mask1; + uint64_t *r = pre; + uint64_t *r5 = pre + (uint32_t)5U; + uint64_t *rn = pre + (uint32_t)10U; + uint64_t *rn_5 = pre + (uint32_t)15U; + uint64_t r_vec0 = lo1; + uint64_t r_vec1 = hi1; + uint64_t f00 = r_vec0 & (uint64_t)0x3ffffffU; + uint64_t f10 = r_vec0 >> (uint32_t)26U & (uint64_t)0x3ffffffU; + uint64_t f20 = r_vec0 >> (uint32_t)52U | (r_vec1 & (uint64_t)0x3fffU) << (uint32_t)12U; + uint64_t f30 = r_vec1 >> (uint32_t)14U & (uint64_t)0x3ffffffU; + uint64_t f40 = r_vec1 >> (uint32_t)40U; + uint64_t f0 = f00; + uint64_t f1 = f10; + uint64_t f2 = f20; + uint64_t f3 = f30; + uint64_t f4 = f40; + r[0U] = f0; + r[1U] = f1; + r[2U] = f2; + r[3U] = f3; + r[4U] = f4; + uint64_t f200 = r[0U]; + uint64_t f21 = r[1U]; + uint64_t f22 = r[2U]; + uint64_t f23 = r[3U]; + uint64_t f24 = r[4U]; + r5[0U] = f200 * (uint64_t)5U; + r5[1U] = f21 * (uint64_t)5U; + r5[2U] = f22 * (uint64_t)5U; + r5[3U] = f23 * (uint64_t)5U; + r5[4U] = f24 * (uint64_t)5U; + rn[0U] = r[0U]; + rn[1U] = r[1U]; + rn[2U] = r[2U]; + rn[3U] = r[3U]; + rn[4U] = r[4U]; + rn_5[0U] = r5[0U]; + rn_5[1U] = r5[1U]; + rn_5[2U] = r5[2U]; + rn_5[3U] = r5[3U]; + rn_5[4U] = r5[4U]; +} + +void Hacl_Poly1305_32_poly1305_update1(uint64_t *ctx, uint8_t *text) +{ + uint64_t *pre = ctx + (uint32_t)5U; + uint64_t *acc = ctx; + uint64_t e[5U] = { 0U }; + 
uint64_t u0 = load64_le(text); + uint64_t lo = u0; + uint64_t u = load64_le(text + (uint32_t)8U); + uint64_t hi = u; + uint64_t f0 = lo; + uint64_t f1 = hi; + uint64_t f010 = f0 & (uint64_t)0x3ffffffU; + uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU; + uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U; + uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU; + uint64_t f40 = f1 >> (uint32_t)40U; + uint64_t f01 = f010; + uint64_t f111 = f110; + uint64_t f2 = f20; + uint64_t f3 = f30; + uint64_t f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + uint64_t mask = b; + uint64_t f4 = e[4U]; + e[4U] = f4 | mask; + uint64_t *r = pre; + uint64_t *r5 = pre + (uint32_t)5U; + uint64_t r0 = r[0U]; + uint64_t r1 = r[1U]; + uint64_t r2 = r[2U]; + uint64_t r3 = r[3U]; + uint64_t r4 = r[4U]; + uint64_t r51 = r5[1U]; + uint64_t r52 = r5[2U]; + uint64_t r53 = r5[3U]; + uint64_t r54 = r5[4U]; + uint64_t f10 = e[0U]; + uint64_t f11 = e[1U]; + uint64_t f12 = e[2U]; + uint64_t f13 = e[3U]; + uint64_t f14 = e[4U]; + uint64_t a0 = acc[0U]; + uint64_t a1 = acc[1U]; + uint64_t a2 = acc[2U]; + uint64_t a3 = acc[3U]; + uint64_t a4 = acc[4U]; + uint64_t a01 = a0 + f10; + uint64_t a11 = a1 + f11; + uint64_t a21 = a2 + f12; + uint64_t a31 = a3 + f13; + uint64_t a41 = a4 + f14; + uint64_t a02 = r0 * a01; + uint64_t a12 = r1 * a01; + uint64_t a22 = r2 * a01; + uint64_t a32 = r3 * a01; + uint64_t a42 = r4 * a01; + uint64_t a03 = a02 + r54 * a11; + uint64_t a13 = a12 + r0 * a11; + uint64_t a23 = a22 + r1 * a11; + uint64_t a33 = a32 + r2 * a11; + uint64_t a43 = a42 + r3 * a11; + uint64_t a04 = a03 + r53 * a21; + uint64_t a14 = a13 + r54 * a21; + uint64_t a24 = a23 + r0 * a21; + uint64_t a34 = a33 + r1 * a21; + uint64_t a44 = a43 + r2 * a21; + uint64_t a05 = a04 + r52 * a31; + uint64_t a15 = a14 + r53 * a31; + uint64_t a25 = a24 + r54 * a31; + uint64_t a35 = a34 + r0 * a31; + uint64_t 
a45 = a44 + r1 * a31; + uint64_t a06 = a05 + r51 * a41; + uint64_t a16 = a15 + r52 * a41; + uint64_t a26 = a25 + r53 * a41; + uint64_t a36 = a35 + r54 * a41; + uint64_t a46 = a45 + r0 * a41; + uint64_t t0 = a06; + uint64_t t1 = a16; + uint64_t t2 = a26; + uint64_t t3 = a36; + uint64_t t4 = a46; + uint64_t mask26 = (uint64_t)0x3ffffffU; + uint64_t z0 = t0 >> (uint32_t)26U; + uint64_t z1 = t3 >> (uint32_t)26U; + uint64_t x0 = t0 & mask26; + uint64_t x3 = t3 & mask26; + uint64_t x1 = t1 + z0; + uint64_t x4 = t4 + z1; + uint64_t z01 = x1 >> (uint32_t)26U; + uint64_t z11 = x4 >> (uint32_t)26U; + uint64_t t = z11 << (uint32_t)2U; + uint64_t z12 = z11 + t; + uint64_t x11 = x1 & mask26; + uint64_t x41 = x4 & mask26; + uint64_t x2 = t2 + z01; + uint64_t x01 = x0 + z12; + uint64_t z02 = x2 >> (uint32_t)26U; + uint64_t z13 = x01 >> (uint32_t)26U; + uint64_t x21 = x2 & mask26; + uint64_t x02 = x01 & mask26; + uint64_t x31 = x3 + z02; + uint64_t x12 = x11 + z13; + uint64_t z03 = x31 >> (uint32_t)26U; + uint64_t x32 = x31 & mask26; + uint64_t x42 = x41 + z03; + uint64_t o0 = x02; + uint64_t o1 = x12; + uint64_t o2 = x21; + uint64_t o3 = x32; + uint64_t o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; +} + +void Hacl_Poly1305_32_poly1305_update(uint64_t *ctx, uint32_t len, uint8_t *text) +{ + uint64_t *pre = ctx + (uint32_t)5U; + uint64_t *acc = ctx; + uint32_t nb = len / (uint32_t)16U; + uint32_t rem = len % (uint32_t)16U; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = text + i * (uint32_t)16U; + uint64_t e[5U] = { 0U }; + uint64_t u0 = load64_le(block); + uint64_t lo = u0; + uint64_t u = load64_le(block + (uint32_t)8U); + uint64_t hi = u; + uint64_t f0 = lo; + uint64_t f1 = hi; + uint64_t f010 = f0 & (uint64_t)0x3ffffffU; + uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU; + uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U; + uint64_t f30 = f1 >> (uint32_t)14U & 
(uint64_t)0x3ffffffU; + uint64_t f40 = f1 >> (uint32_t)40U; + uint64_t f01 = f010; + uint64_t f111 = f110; + uint64_t f2 = f20; + uint64_t f3 = f30; + uint64_t f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + uint64_t mask = b; + uint64_t f4 = e[4U]; + e[4U] = f4 | mask; + uint64_t *r = pre; + uint64_t *r5 = pre + (uint32_t)5U; + uint64_t r0 = r[0U]; + uint64_t r1 = r[1U]; + uint64_t r2 = r[2U]; + uint64_t r3 = r[3U]; + uint64_t r4 = r[4U]; + uint64_t r51 = r5[1U]; + uint64_t r52 = r5[2U]; + uint64_t r53 = r5[3U]; + uint64_t r54 = r5[4U]; + uint64_t f10 = e[0U]; + uint64_t f11 = e[1U]; + uint64_t f12 = e[2U]; + uint64_t f13 = e[3U]; + uint64_t f14 = e[4U]; + uint64_t a0 = acc[0U]; + uint64_t a1 = acc[1U]; + uint64_t a2 = acc[2U]; + uint64_t a3 = acc[3U]; + uint64_t a4 = acc[4U]; + uint64_t a01 = a0 + f10; + uint64_t a11 = a1 + f11; + uint64_t a21 = a2 + f12; + uint64_t a31 = a3 + f13; + uint64_t a41 = a4 + f14; + uint64_t a02 = r0 * a01; + uint64_t a12 = r1 * a01; + uint64_t a22 = r2 * a01; + uint64_t a32 = r3 * a01; + uint64_t a42 = r4 * a01; + uint64_t a03 = a02 + r54 * a11; + uint64_t a13 = a12 + r0 * a11; + uint64_t a23 = a22 + r1 * a11; + uint64_t a33 = a32 + r2 * a11; + uint64_t a43 = a42 + r3 * a11; + uint64_t a04 = a03 + r53 * a21; + uint64_t a14 = a13 + r54 * a21; + uint64_t a24 = a23 + r0 * a21; + uint64_t a34 = a33 + r1 * a21; + uint64_t a44 = a43 + r2 * a21; + uint64_t a05 = a04 + r52 * a31; + uint64_t a15 = a14 + r53 * a31; + uint64_t a25 = a24 + r54 * a31; + uint64_t a35 = a34 + r0 * a31; + uint64_t a45 = a44 + r1 * a31; + uint64_t a06 = a05 + r51 * a41; + uint64_t a16 = a15 + r52 * a41; + uint64_t a26 = a25 + r53 * a41; + uint64_t a36 = a35 + r54 * a41; + uint64_t a46 = a45 + r0 * a41; + uint64_t t0 = a06; + uint64_t t1 = a16; + uint64_t t2 = a26; + uint64_t t3 = a36; + uint64_t t4 = a46; + uint64_t mask26 = (uint64_t)0x3ffffffU; + uint64_t z0 = t0 >> (uint32_t)26U; + uint64_t 
z1 = t3 >> (uint32_t)26U; + uint64_t x0 = t0 & mask26; + uint64_t x3 = t3 & mask26; + uint64_t x1 = t1 + z0; + uint64_t x4 = t4 + z1; + uint64_t z01 = x1 >> (uint32_t)26U; + uint64_t z11 = x4 >> (uint32_t)26U; + uint64_t t = z11 << (uint32_t)2U; + uint64_t z12 = z11 + t; + uint64_t x11 = x1 & mask26; + uint64_t x41 = x4 & mask26; + uint64_t x2 = t2 + z01; + uint64_t x01 = x0 + z12; + uint64_t z02 = x2 >> (uint32_t)26U; + uint64_t z13 = x01 >> (uint32_t)26U; + uint64_t x21 = x2 & mask26; + uint64_t x02 = x01 & mask26; + uint64_t x31 = x3 + z02; + uint64_t x12 = x11 + z13; + uint64_t z03 = x31 >> (uint32_t)26U; + uint64_t x32 = x31 & mask26; + uint64_t x42 = x41 + z03; + uint64_t o0 = x02; + uint64_t o1 = x12; + uint64_t o2 = x21; + uint64_t o3 = x32; + uint64_t o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + } + if (rem > (uint32_t)0U) + { + uint8_t *last = text + nb * (uint32_t)16U; + uint64_t e[5U] = { 0U }; + uint8_t tmp[16U] = { 0U }; + memcpy(tmp, last, rem * sizeof (uint8_t)); + uint64_t u0 = load64_le(tmp); + uint64_t lo = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi = u; + uint64_t f0 = lo; + uint64_t f1 = hi; + uint64_t f010 = f0 & (uint64_t)0x3ffffffU; + uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU; + uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U; + uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU; + uint64_t f40 = f1 >> (uint32_t)40U; + uint64_t f01 = f010; + uint64_t f111 = f110; + uint64_t f2 = f20; + uint64_t f3 = f30; + uint64_t f4 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f4; + uint64_t b = (uint64_t)1U << rem * (uint32_t)8U % (uint32_t)26U; + uint64_t mask = b; + uint64_t fi = e[rem * (uint32_t)8U / (uint32_t)26U]; + e[rem * (uint32_t)8U / (uint32_t)26U] = fi | mask; + uint64_t *r = pre; + uint64_t *r5 = pre + (uint32_t)5U; + uint64_t r0 = r[0U]; + uint64_t r1 = r[1U]; + uint64_t r2 = r[2U]; + 
uint64_t r3 = r[3U]; + uint64_t r4 = r[4U]; + uint64_t r51 = r5[1U]; + uint64_t r52 = r5[2U]; + uint64_t r53 = r5[3U]; + uint64_t r54 = r5[4U]; + uint64_t f10 = e[0U]; + uint64_t f11 = e[1U]; + uint64_t f12 = e[2U]; + uint64_t f13 = e[3U]; + uint64_t f14 = e[4U]; + uint64_t a0 = acc[0U]; + uint64_t a1 = acc[1U]; + uint64_t a2 = acc[2U]; + uint64_t a3 = acc[3U]; + uint64_t a4 = acc[4U]; + uint64_t a01 = a0 + f10; + uint64_t a11 = a1 + f11; + uint64_t a21 = a2 + f12; + uint64_t a31 = a3 + f13; + uint64_t a41 = a4 + f14; + uint64_t a02 = r0 * a01; + uint64_t a12 = r1 * a01; + uint64_t a22 = r2 * a01; + uint64_t a32 = r3 * a01; + uint64_t a42 = r4 * a01; + uint64_t a03 = a02 + r54 * a11; + uint64_t a13 = a12 + r0 * a11; + uint64_t a23 = a22 + r1 * a11; + uint64_t a33 = a32 + r2 * a11; + uint64_t a43 = a42 + r3 * a11; + uint64_t a04 = a03 + r53 * a21; + uint64_t a14 = a13 + r54 * a21; + uint64_t a24 = a23 + r0 * a21; + uint64_t a34 = a33 + r1 * a21; + uint64_t a44 = a43 + r2 * a21; + uint64_t a05 = a04 + r52 * a31; + uint64_t a15 = a14 + r53 * a31; + uint64_t a25 = a24 + r54 * a31; + uint64_t a35 = a34 + r0 * a31; + uint64_t a45 = a44 + r1 * a31; + uint64_t a06 = a05 + r51 * a41; + uint64_t a16 = a15 + r52 * a41; + uint64_t a26 = a25 + r53 * a41; + uint64_t a36 = a35 + r54 * a41; + uint64_t a46 = a45 + r0 * a41; + uint64_t t0 = a06; + uint64_t t1 = a16; + uint64_t t2 = a26; + uint64_t t3 = a36; + uint64_t t4 = a46; + uint64_t mask26 = (uint64_t)0x3ffffffU; + uint64_t z0 = t0 >> (uint32_t)26U; + uint64_t z1 = t3 >> (uint32_t)26U; + uint64_t x0 = t0 & mask26; + uint64_t x3 = t3 & mask26; + uint64_t x1 = t1 + z0; + uint64_t x4 = t4 + z1; + uint64_t z01 = x1 >> (uint32_t)26U; + uint64_t z11 = x4 >> (uint32_t)26U; + uint64_t t = z11 << (uint32_t)2U; + uint64_t z12 = z11 + t; + uint64_t x11 = x1 & mask26; + uint64_t x41 = x4 & mask26; + uint64_t x2 = t2 + z01; + uint64_t x01 = x0 + z12; + uint64_t z02 = x2 >> (uint32_t)26U; + uint64_t z13 = x01 >> (uint32_t)26U; + uint64_t 
x21 = x2 & mask26; + uint64_t x02 = x01 & mask26; + uint64_t x31 = x3 + z02; + uint64_t x12 = x11 + z13; + uint64_t z03 = x31 >> (uint32_t)26U; + uint64_t x32 = x31 & mask26; + uint64_t x42 = x41 + z03; + uint64_t o0 = x02; + uint64_t o1 = x12; + uint64_t o2 = x21; + uint64_t o3 = x32; + uint64_t o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + return; + } +} + +void Hacl_Poly1305_32_poly1305_finish(uint8_t *tag, uint8_t *key, uint64_t *ctx) +{ + uint64_t *acc = ctx; + uint8_t *ks = key + (uint32_t)16U; + uint64_t f0 = acc[0U]; + uint64_t f13 = acc[1U]; + uint64_t f23 = acc[2U]; + uint64_t f33 = acc[3U]; + uint64_t f40 = acc[4U]; + uint64_t l0 = f0 + (uint64_t)0U; + uint64_t tmp00 = l0 & (uint64_t)0x3ffffffU; + uint64_t c00 = l0 >> (uint32_t)26U; + uint64_t l1 = f13 + c00; + uint64_t tmp10 = l1 & (uint64_t)0x3ffffffU; + uint64_t c10 = l1 >> (uint32_t)26U; + uint64_t l2 = f23 + c10; + uint64_t tmp20 = l2 & (uint64_t)0x3ffffffU; + uint64_t c20 = l2 >> (uint32_t)26U; + uint64_t l3 = f33 + c20; + uint64_t tmp30 = l3 & (uint64_t)0x3ffffffU; + uint64_t c30 = l3 >> (uint32_t)26U; + uint64_t l4 = f40 + c30; + uint64_t tmp40 = l4 & (uint64_t)0x3ffffffU; + uint64_t c40 = l4 >> (uint32_t)26U; + uint64_t f010 = tmp00 + c40 * (uint64_t)5U; + uint64_t f110 = tmp10; + uint64_t f210 = tmp20; + uint64_t f310 = tmp30; + uint64_t f410 = tmp40; + uint64_t l = f010 + (uint64_t)0U; + uint64_t tmp0 = l & (uint64_t)0x3ffffffU; + uint64_t c0 = l >> (uint32_t)26U; + uint64_t l5 = f110 + c0; + uint64_t tmp1 = l5 & (uint64_t)0x3ffffffU; + uint64_t c1 = l5 >> (uint32_t)26U; + uint64_t l6 = f210 + c1; + uint64_t tmp2 = l6 & (uint64_t)0x3ffffffU; + uint64_t c2 = l6 >> (uint32_t)26U; + uint64_t l7 = f310 + c2; + uint64_t tmp3 = l7 & (uint64_t)0x3ffffffU; + uint64_t c3 = l7 >> (uint32_t)26U; + uint64_t l8 = f410 + c3; + uint64_t tmp4 = l8 & (uint64_t)0x3ffffffU; + uint64_t c4 = l8 >> (uint32_t)26U; + uint64_t f02 = tmp0 + c4 * (uint64_t)5U; + uint64_t f12 
= tmp1; + uint64_t f22 = tmp2; + uint64_t f32 = tmp3; + uint64_t f42 = tmp4; + uint64_t mh = (uint64_t)0x3ffffffU; + uint64_t ml = (uint64_t)0x3fffffbU; + uint64_t mask = FStar_UInt64_eq_mask(f42, mh); + uint64_t mask1 = mask & FStar_UInt64_eq_mask(f32, mh); + uint64_t mask2 = mask1 & FStar_UInt64_eq_mask(f22, mh); + uint64_t mask3 = mask2 & FStar_UInt64_eq_mask(f12, mh); + uint64_t mask4 = mask3 & ~~FStar_UInt64_gte_mask(f02, ml); + uint64_t ph = mask4 & mh; + uint64_t pl = mask4 & ml; + uint64_t o0 = f02 - pl; + uint64_t o1 = f12 - ph; + uint64_t o2 = f22 - ph; + uint64_t o3 = f32 - ph; + uint64_t o4 = f42 - ph; + uint64_t f011 = o0; + uint64_t f111 = o1; + uint64_t f211 = o2; + uint64_t f311 = o3; + uint64_t f411 = o4; + acc[0U] = f011; + acc[1U] = f111; + acc[2U] = f211; + acc[3U] = f311; + acc[4U] = f411; + uint64_t f00 = acc[0U]; + uint64_t f1 = acc[1U]; + uint64_t f2 = acc[2U]; + uint64_t f3 = acc[3U]; + uint64_t f4 = acc[4U]; + uint64_t f01 = f00; + uint64_t f112 = f1; + uint64_t f212 = f2; + uint64_t f312 = f3; + uint64_t f41 = f4; + uint64_t lo = (f01 | f112 << (uint32_t)26U) | f212 << (uint32_t)52U; + uint64_t hi = (f212 >> (uint32_t)12U | f312 << (uint32_t)14U) | f41 << (uint32_t)40U; + uint64_t f10 = lo; + uint64_t f11 = hi; + uint64_t u0 = load64_le(ks); + uint64_t lo0 = u0; + uint64_t u = load64_le(ks + (uint32_t)8U); + uint64_t hi0 = u; + uint64_t f20 = lo0; + uint64_t f21 = hi0; + uint64_t r0 = f10 + f20; + uint64_t r1 = f11 + f21; + uint64_t c = (r0 ^ ((r0 ^ f20) | ((r0 - f20) ^ f20))) >> (uint32_t)63U; + uint64_t r11 = r1 + c; + uint64_t f30 = r0; + uint64_t f31 = r11; + store64_le(tag, f30); + store64_le(tag + (uint32_t)8U, f31); +} + +void Hacl_Poly1305_32_poly1305_mac(uint8_t *tag, uint32_t len, uint8_t *text, uint8_t *key) +{ + uint64_t ctx[25U] = { 0U }; + Hacl_Poly1305_32_poly1305_init(ctx, key); + Hacl_Poly1305_32_poly1305_update(ctx, len, text); + Hacl_Poly1305_32_poly1305_finish(tag, key, ctx); +} + 
diff --git a/src/Hacl_RSAPSS.c b/src/Hacl_RSAPSS.c new file mode 100644 index 00000000..8a505da5 --- /dev/null +++ b/src/Hacl_RSAPSS.c 
@@ -0,0 +1,814 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_RSAPSS.h" + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Bignum.h" + +static inline uint32_t hash_len(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + return (uint32_t)16U; + } + case Spec_Hash_Definitions_SHA1: + { + return (uint32_t)20U; + } + case Spec_Hash_Definitions_SHA2_224: + { + return (uint32_t)28U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_SHA2_384: + { + return (uint32_t)48U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_Blake2S: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_Blake2B: + { + return (uint32_t)64U; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +static inline void +hash(Spec_Hash_Definitions_hash_alg a, uint8_t *mHash, uint32_t msgLen, uint8_t *msg) +{ + switch (a) + { + case Spec_Hash_Definitions_SHA2_256: + { + Hacl_Hash_SHA2_hash_256(msg, msgLen, mHash); + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + Hacl_Hash_SHA2_hash_384(msg, msgLen, mHash); + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + Hacl_Hash_SHA2_hash_512(msg, msgLen, mHash); + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +static inline void +mgf_hash( + Spec_Hash_Definitions_hash_alg a, + uint32_t len, + uint8_t *mgfseed, + uint32_t maskLen, + uint8_t *res +) +{ + KRML_CHECK_SIZE(sizeof (uint8_t), len + (uint32_t)4U); + uint8_t mgfseed_counter[len + (uint32_t)4U]; + memset(mgfseed_counter, 0U, (len + (uint32_t)4U) * sizeof (uint8_t)); + memcpy(mgfseed_counter, mgfseed, len * sizeof (uint8_t)); + uint32_t hLen = hash_len(a); + uint32_t n = (maskLen - (uint32_t)1U) / hLen + (uint32_t)1U; + uint32_t accLen = n * hLen; + KRML_CHECK_SIZE(sizeof (uint8_t), 
accLen); + uint8_t acc[accLen]; + memset(acc, 0U, accLen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + uint8_t *acc_i = acc + i * hLen; + uint8_t *c = mgfseed_counter + len; + c[0U] = (uint8_t)(i >> (uint32_t)24U); + c[1U] = (uint8_t)(i >> (uint32_t)16U); + c[2U] = (uint8_t)(i >> (uint32_t)8U); + c[3U] = (uint8_t)i; + hash(a, acc_i, len + (uint32_t)4U, mgfseed_counter); + } + memcpy(res, acc, maskLen * sizeof (uint8_t)); +} + +static inline uint64_t check_num_bits_u64(uint32_t bs, uint64_t *b) +{ + uint32_t bLen = (bs - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + if (bs == (uint32_t)64U * bLen) + { + return (uint64_t)0xFFFFFFFFFFFFFFFFU; + } + KRML_CHECK_SIZE(sizeof (uint64_t), bLen); + uint64_t b2[bLen]; + memset(b2, 0U, bLen * sizeof (uint64_t)); + uint32_t i0 = bs / (uint32_t)64U; + uint32_t j = bs % (uint32_t)64U; + b2[i0] = b2[i0] | (uint64_t)1U << j; + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < bLen; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(b[i], b2[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(b[i], b2[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t res = acc; + return res; +} + +static inline uint64_t check_modulus_u64(uint32_t modBits, uint64_t *n) +{ + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint64_t bits0 = n[0U] & (uint64_t)1U; + uint64_t m0 = (uint64_t)0U - bits0; + KRML_CHECK_SIZE(sizeof (uint64_t), nLen); + uint64_t b2[nLen]; + memset(b2, 0U, nLen * sizeof (uint64_t)); + uint32_t i0 = (modBits - (uint32_t)1U) / (uint32_t)64U; + uint32_t j = (modBits - (uint32_t)1U) % (uint32_t)64U; + b2[i0] = b2[i0] | (uint64_t)1U << j; + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < nLen; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(b2[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(b2[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & 
(uint64_t)0U))); + } + uint64_t res = acc; + uint64_t m1 = res; + uint64_t m2 = check_num_bits_u64(modBits, n); + return m0 & (m1 & m2); +} + +static inline uint64_t check_exponent_u64(uint32_t eBits, uint64_t *e) +{ + uint32_t eLen = (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + KRML_CHECK_SIZE(sizeof (uint64_t), eLen); + uint64_t bn_zero[eLen]; + memset(bn_zero, 0U, eLen * sizeof (uint64_t)); + uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < eLen; i++) + { + uint64_t uu____0 = FStar_UInt64_eq_mask(e[i], bn_zero[i]); + mask = uu____0 & mask; + } + uint64_t mask1 = mask; + uint64_t res = mask1; + uint64_t m0 = res; + uint64_t m1 = check_num_bits_u64(eBits, e); + return ~m0 & m1; +} + +static inline void +pss_encode( + Spec_Hash_Definitions_hash_alg a, + uint32_t saltLen, + uint8_t *salt, + uint32_t msgLen, + uint8_t *msg, + uint32_t emBits, + uint8_t *em +) +{ + uint32_t hLen = hash_len(a); + KRML_CHECK_SIZE(sizeof (uint8_t), hLen); + uint8_t m1Hash[hLen]; + memset(m1Hash, 0U, hLen * sizeof (uint8_t)); + uint32_t m1Len = (uint32_t)8U + hLen + saltLen; + KRML_CHECK_SIZE(sizeof (uint8_t), m1Len); + uint8_t m1[m1Len]; + memset(m1, 0U, m1Len * sizeof (uint8_t)); + hash(a, m1 + (uint32_t)8U, msgLen, msg); + memcpy(m1 + (uint32_t)8U + hLen, salt, saltLen * sizeof (uint8_t)); + hash(a, m1Hash, m1Len, m1); + uint32_t emLen = (emBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t dbLen = emLen - hLen - (uint32_t)1U; + KRML_CHECK_SIZE(sizeof (uint8_t), dbLen); + uint8_t db[dbLen]; + memset(db, 0U, dbLen * sizeof (uint8_t)); + uint32_t last_before_salt = dbLen - saltLen - (uint32_t)1U; + db[last_before_salt] = (uint8_t)1U; + memcpy(db + last_before_salt + (uint32_t)1U, salt, saltLen * sizeof (uint8_t)); + KRML_CHECK_SIZE(sizeof (uint8_t), dbLen); + uint8_t dbMask[dbLen]; + memset(dbMask, 0U, dbLen * sizeof (uint8_t)); + mgf_hash(a, hLen, m1Hash, dbLen, dbMask); + for (uint32_t i = (uint32_t)0U; i < dbLen; i++) + { + 
uint8_t *os = db; + uint8_t x = db[i] ^ dbMask[i]; + os[i] = x; + } + uint32_t msBits = emBits % (uint32_t)8U; + if (msBits > (uint32_t)0U) + { + db[0U] = db[0U] & (uint8_t)0xffU >> ((uint32_t)8U - msBits); + } + memcpy(em, db, dbLen * sizeof (uint8_t)); + memcpy(em + dbLen, m1Hash, hLen * sizeof (uint8_t)); + em[emLen - (uint32_t)1U] = (uint8_t)0xbcU; +} + +static inline bool +pss_verify( + Spec_Hash_Definitions_hash_alg a, + uint32_t saltLen, + uint32_t msgLen, + uint8_t *msg, + uint32_t emBits, + uint8_t *em +) +{ + uint32_t emLen = (emBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t msBits = emBits % (uint32_t)8U; + uint8_t em_0; + if (msBits > (uint32_t)0U) + { + em_0 = em[0U] & (uint8_t)0xffU << msBits; + } + else + { + em_0 = (uint8_t)0U; + } + uint8_t em_last = em[emLen - (uint32_t)1U]; + if (emLen < saltLen + hash_len(a) + (uint32_t)2U) + { + return false; + } + if (!(em_last == (uint8_t)0xbcU && em_0 == (uint8_t)0U)) + { + return false; + } + uint32_t emLen1 = (emBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t hLen = hash_len(a); + KRML_CHECK_SIZE(sizeof (uint8_t), hLen); + uint8_t m1Hash0[hLen]; + memset(m1Hash0, 0U, hLen * sizeof (uint8_t)); + uint32_t dbLen = emLen1 - hLen - (uint32_t)1U; + uint8_t *maskedDB = em; + uint8_t *m1Hash = em + dbLen; + KRML_CHECK_SIZE(sizeof (uint8_t), dbLen); + uint8_t dbMask[dbLen]; + memset(dbMask, 0U, dbLen * sizeof (uint8_t)); + mgf_hash(a, hLen, m1Hash, dbLen, dbMask); + for (uint32_t i = (uint32_t)0U; i < dbLen; i++) + { + uint8_t *os = dbMask; + uint8_t x = dbMask[i] ^ maskedDB[i]; + os[i] = x; + } + uint32_t msBits1 = emBits % (uint32_t)8U; + if (msBits1 > (uint32_t)0U) + { + dbMask[0U] = dbMask[0U] & (uint8_t)0xffU >> ((uint32_t)8U - msBits1); + } + uint32_t padLen = emLen1 - saltLen - hLen - (uint32_t)1U; + KRML_CHECK_SIZE(sizeof (uint8_t), padLen); + uint8_t pad2[padLen]; + memset(pad2, 0U, padLen * sizeof (uint8_t)); + pad2[padLen - (uint32_t)1U] = (uint8_t)0x01U; + uint8_t *pad = 
dbMask; + uint8_t *salt = dbMask + padLen; + uint8_t res = (uint8_t)255U; + for (uint32_t i = (uint32_t)0U; i < padLen; i++) + { + uint8_t uu____0 = FStar_UInt8_eq_mask(pad[i], pad2[i]); + res = uu____0 & res; + } + uint8_t z = res; + if (!(z == (uint8_t)255U)) + { + return false; + } + uint32_t m1Len = (uint32_t)8U + hLen + saltLen; + KRML_CHECK_SIZE(sizeof (uint8_t), m1Len); + uint8_t m1[m1Len]; + memset(m1, 0U, m1Len * sizeof (uint8_t)); + hash(a, m1 + (uint32_t)8U, msgLen, msg); + memcpy(m1 + (uint32_t)8U + hLen, salt, saltLen * sizeof (uint8_t)); + hash(a, m1Hash0, m1Len, m1); + uint8_t res0 = (uint8_t)255U; + for (uint32_t i = (uint32_t)0U; i < hLen; i++) + { + uint8_t uu____1 = FStar_UInt8_eq_mask(m1Hash0[i], m1Hash[i]); + res0 = uu____1 & res0; + } + uint8_t z0 = res0; + return z0 == (uint8_t)255U; +} + +static inline bool +load_pkey(uint32_t modBits, uint32_t eBits, uint8_t *nb, uint8_t *eb, uint64_t *pkey) +{ + uint32_t nbLen = (modBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t ebLen = (eBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint64_t *n = pkey; + uint64_t *r2 = pkey + nLen; + uint64_t *e = pkey + nLen + nLen; + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(nbLen, nb, n); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64((modBits - (uint32_t)1U) + / (uint32_t)64U + + (uint32_t)1U, + modBits - (uint32_t)1U, + n, + r2); + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(ebLen, eb, e); + uint64_t m0 = check_modulus_u64(modBits, n); + uint64_t m1 = check_exponent_u64(eBits, e); + uint64_t m = m0 & m1; + return m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +static inline bool +load_skey( + uint32_t modBits, + uint32_t eBits, + uint32_t dBits, + uint8_t *nb, + uint8_t *eb, + uint8_t *db, + uint64_t *skey +) +{ + uint32_t dbLen = (dBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t 
eLen = (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t pkeyLen = nLen + nLen + eLen; + uint64_t *pkey = skey; + uint64_t *d = skey + pkeyLen; + bool b = load_pkey(modBits, eBits, nb, eb, pkey); + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(dbLen, db, d); + uint64_t m1 = check_exponent_u64(dBits, d); + return b && m1 == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +bool +Hacl_RSAPSS_rsapss_sign( + Spec_Hash_Definitions_hash_alg a, + uint32_t modBits, + uint32_t eBits, + uint32_t dBits, + uint64_t *skey, + uint32_t saltLen, + uint8_t *salt, + uint32_t msgLen, + uint8_t *msg, + uint8_t *sgnt +) +{ + uint32_t hLen = hash_len(a); + bool + b = + saltLen + <= (uint32_t)0xffffffffU - hLen - (uint32_t)8U + && + saltLen + + hLen + + (uint32_t)2U + <= (modBits - (uint32_t)1U - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + if (b) + { + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + KRML_CHECK_SIZE(sizeof (uint64_t), nLen); + uint64_t m[nLen]; + memset(m, 0U, nLen * sizeof (uint64_t)); + uint32_t emBits = modBits - (uint32_t)1U; + uint32_t emLen = (emBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + KRML_CHECK_SIZE(sizeof (uint8_t), emLen); + uint8_t em[emLen]; + memset(em, 0U, emLen * sizeof (uint8_t)); + pss_encode(a, saltLen, salt, msgLen, msg, emBits, em); + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(emLen, em, m); + uint32_t nLen1 = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t k = (modBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + KRML_CHECK_SIZE(sizeof (uint64_t), nLen1); + uint64_t s[nLen1]; + memset(s, 0U, nLen1 * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), nLen1); + uint64_t m_[nLen1]; + memset(m_, 0U, nLen1 * sizeof (uint64_t)); + uint32_t nLen2 = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t eLen = (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint64_t *n = skey; + uint64_t *r2 = skey + nLen2; + uint64_t *e = skey + nLen2 + nLen2; + uint64_t *d = 
skey + nLen2 + nLen2 + eLen; + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u64((modBits - (uint32_t)1U) + / (uint32_t)64U + + (uint32_t)1U, + n, + mu, + r2, + m, + dBits, + d, + s); + uint64_t mu0 = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64((modBits - (uint32_t)1U) + / (uint32_t)64U + + (uint32_t)1U, + n, + mu0, + r2, + s, + eBits, + e, + m_); + uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < nLen2; i++) + { + uint64_t uu____0 = FStar_UInt64_eq_mask(m[i], m_[i]); + mask = uu____0 & mask; + } + uint64_t mask1 = mask; + uint64_t eq_m = mask1; + for (uint32_t i = (uint32_t)0U; i < nLen2; i++) + { + uint64_t *os = s; + uint64_t x = s[i]; + uint64_t x0 = eq_m & x; + os[i] = x0; + } + bool eq_b = eq_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; + Hacl_Bignum_Convert_bn_to_bytes_be_uint64(k, s, sgnt); + bool eq_b0 = eq_b; + return eq_b0; + } + return false; +} + +bool +Hacl_RSAPSS_rsapss_verify( + Spec_Hash_Definitions_hash_alg a, + uint32_t modBits, + uint32_t eBits, + uint64_t *pkey, + uint32_t saltLen, + uint32_t sgntLen, + uint8_t *sgnt, + uint32_t msgLen, + uint8_t *msg +) +{ + uint32_t hLen = hash_len(a); + bool + b = + saltLen + <= (uint32_t)0xffffffffU - hLen - (uint32_t)8U + && sgntLen == (modBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + if (b) + { + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + KRML_CHECK_SIZE(sizeof (uint64_t), nLen); + uint64_t m[nLen]; + memset(m, 0U, nLen * sizeof (uint64_t)); + uint32_t nLen1 = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t k = (modBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + KRML_CHECK_SIZE(sizeof (uint64_t), nLen1); + uint64_t s[nLen1]; + memset(s, 0U, nLen1 * sizeof (uint64_t)); + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(k, sgnt, s); + uint32_t nLen2 = (modBits - (uint32_t)1U) / 
(uint32_t)64U + (uint32_t)1U; + uint64_t *n = pkey; + uint64_t *r2 = pkey + nLen2; + uint64_t *e = pkey + nLen2 + nLen2; + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < nLen2; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(s[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(s[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t mask = acc; + bool res; + if (mask == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64((modBits - (uint32_t)1U) + / (uint32_t)64U + + (uint32_t)1U, + n, + mu, + r2, + s, + eBits, + e, + m); + bool ite; + if (!((modBits - (uint32_t)1U) % (uint32_t)8U == (uint32_t)0U)) + { + ite = true; + } + else + { + uint32_t i = (modBits - (uint32_t)1U) / (uint32_t)64U; + uint32_t j = (modBits - (uint32_t)1U) % (uint32_t)64U; + uint64_t tmp = m[i]; + uint64_t get_bit = tmp >> j & (uint64_t)1U; + ite = get_bit == (uint64_t)0U; + } + if (ite) + { + res = true; + } + else + { + res = false; + } + } + else + { + res = false; + } + bool b1 = res; + bool b10 = b1; + if (b10) + { + uint32_t emBits = modBits - (uint32_t)1U; + uint32_t emLen = (emBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + KRML_CHECK_SIZE(sizeof (uint8_t), emLen); + uint8_t em[emLen]; + memset(em, 0U, emLen * sizeof (uint8_t)); + uint64_t *m1 = m; + Hacl_Bignum_Convert_bn_to_bytes_be_uint64(emLen, m1, em); + bool res0 = pss_verify(a, saltLen, msgLen, msg, emBits, em); + return res0; + } + return false; + } + return false; +} + +uint64_t +*Hacl_RSAPSS_new_rsapss_load_pkey(uint32_t modBits, uint32_t eBits, uint8_t *nb, uint8_t *eb) +{ + bool ite; + if ((uint32_t)1U < modBits && (uint32_t)0U < eBits) + { + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t eLen = (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + ite = + nLen + <= (uint32_t)33554431U + && 
eLen <= (uint32_t)67108863U + && nLen + nLen <= (uint32_t)0xffffffffU - eLen; + } + else + { + ite = false; + } + if (!ite) + { + return NULL; + } + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t eLen = (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t pkeyLen = nLen + nLen + eLen; + KRML_CHECK_SIZE(sizeof (uint64_t), pkeyLen); + uint64_t *pkey = KRML_HOST_CALLOC(pkeyLen, sizeof (uint64_t)); + if (pkey == NULL) + { + return pkey; + } + uint64_t *pkey1 = pkey; + uint64_t *pkey2 = pkey1; + uint32_t nbLen = (modBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t ebLen = (eBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t nLen1 = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint64_t *n = pkey2; + uint64_t *r2 = pkey2 + nLen1; + uint64_t *e = pkey2 + nLen1 + nLen1; + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(nbLen, nb, n); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64((modBits - (uint32_t)1U) + / (uint32_t)64U + + (uint32_t)1U, + modBits - (uint32_t)1U, + n, + r2); + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(ebLen, eb, e); + uint64_t m0 = check_modulus_u64(modBits, n); + uint64_t m1 = check_exponent_u64(eBits, e); + uint64_t m = m0 & m1; + bool b = m == (uint64_t)0xFFFFFFFFFFFFFFFFU; + if (b) + { + return pkey2; + } + return NULL; +} + +uint64_t +*Hacl_RSAPSS_new_rsapss_load_skey( + uint32_t modBits, + uint32_t eBits, + uint32_t dBits, + uint8_t *nb, + uint8_t *eb, + uint8_t *db +) +{ + bool ite0; + if ((uint32_t)1U < modBits && (uint32_t)0U < eBits) + { + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t eLen = (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + ite0 = + nLen + <= (uint32_t)33554431U + && eLen <= (uint32_t)67108863U + && nLen + nLen <= (uint32_t)0xffffffffU - eLen; + } + else + { + ite0 = false; + } + bool ite; + if (ite0 && (uint32_t)0U < dBits) + { + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + 
(uint32_t)1U; + uint32_t eLen = (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t dLen = (dBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + ite = dLen <= (uint32_t)67108863U && (uint32_t)2U * nLen <= (uint32_t)0xffffffffU - eLen - dLen; + } + else + { + ite = false; + } + if (!ite) + { + return NULL; + } + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t eLen = (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t dLen = (dBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t skeyLen = nLen + nLen + eLen + dLen; + KRML_CHECK_SIZE(sizeof (uint64_t), skeyLen); + uint64_t *skey = KRML_HOST_CALLOC(skeyLen, sizeof (uint64_t)); + if (skey == NULL) + { + return skey; + } + uint64_t *skey1 = skey; + uint64_t *skey2 = skey1; + uint32_t dbLen = (dBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t nLen1 = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t eLen1 = (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t pkeyLen = nLen1 + nLen1 + eLen1; + uint64_t *pkey = skey2; + uint64_t *d = skey2 + pkeyLen; + uint32_t nbLen1 = (modBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t ebLen1 = (eBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t nLen2 = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint64_t *n = pkey; + uint64_t *r2 = pkey + nLen2; + uint64_t *e = pkey + nLen2 + nLen2; + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(nbLen1, nb, n); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64((modBits - (uint32_t)1U) + / (uint32_t)64U + + (uint32_t)1U, + modBits - (uint32_t)1U, + n, + r2); + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(ebLen1, eb, e); + uint64_t m0 = check_modulus_u64(modBits, n); + uint64_t m10 = check_exponent_u64(eBits, e); + uint64_t m = m0 & m10; + bool b = m == (uint64_t)0xFFFFFFFFFFFFFFFFU; + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(dbLen, db, d); + uint64_t m1 = check_exponent_u64(dBits, d); + bool 
b0 = b && m1 == (uint64_t)0xFFFFFFFFFFFFFFFFU; + if (b0) + { + return skey2; + } + return NULL; +} + +bool +Hacl_RSAPSS_rsapss_skey_sign( + Spec_Hash_Definitions_hash_alg a, + uint32_t modBits, + uint32_t eBits, + uint32_t dBits, + uint8_t *nb, + uint8_t *eb, + uint8_t *db, + uint32_t saltLen, + uint8_t *salt, + uint32_t msgLen, + uint8_t *msg, + uint8_t *sgnt +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), + (uint32_t)2U + * ((modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U) + + (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U + + (dBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U); + uint64_t + skey[(uint32_t)2U + * ((modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U) + + (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U + + (dBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U]; + memset(skey, + 0U, + ((uint32_t)2U + * ((modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U) + + (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U + + (dBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U) + * sizeof (uint64_t)); + bool b = load_skey(modBits, eBits, dBits, nb, eb, db, skey); + if (b) + { + return + Hacl_RSAPSS_rsapss_sign(a, + modBits, + eBits, + dBits, + skey, + saltLen, + salt, + msgLen, + msg, + sgnt); + } + return false; +} + +bool +Hacl_RSAPSS_rsapss_pkey_verify( + Spec_Hash_Definitions_hash_alg a, + uint32_t modBits, + uint32_t eBits, + uint8_t *nb, + uint8_t *eb, + uint32_t saltLen, + uint32_t sgntLen, + uint8_t *sgnt, + uint32_t msgLen, + uint8_t *msg +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), + (uint32_t)2U + * ((modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U) + + (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U); + uint64_t + pkey[(uint32_t)2U + * ((modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U) + + (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U]; + memset(pkey, + 0U, + ((uint32_t)2U + * ((modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U) + + (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U) + 
* sizeof (uint64_t)); + bool b = load_pkey(modBits, eBits, nb, eb, pkey); + if (b) + { + return Hacl_RSAPSS_rsapss_verify(a, modBits, eBits, pkey, saltLen, sgntLen, sgnt, msgLen, msg); + } + return false; +} + diff --git a/src/Hacl_SHA2_Vec128.c b/src/Hacl_SHA2_Vec128.c new file mode 100644 index 00000000..83ef181c --- /dev/null +++ b/src/Hacl_SHA2_Vec128.c 
@@ -0,0 +1,942 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_SHA2_Vec128.h" + +#include "internal/Hacl_SHA2_Vec128.h" + +static inline void +sha224_update4( + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ block, + Lib_IntVector_Intrinsics_vec128 *hash +) +{ + Lib_IntVector_Intrinsics_vec128 hash_old[8U]; + for (uint32_t _i = 0U; _i < (uint32_t)8U; ++_i) + hash_old[_i] = Lib_IntVector_Intrinsics_vec128_zero; + Lib_IntVector_Intrinsics_vec128 ws[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + ws[_i] = Lib_IntVector_Intrinsics_vec128_zero; + memcpy(hash_old, hash, (uint32_t)8U * sizeof (Lib_IntVector_Intrinsics_vec128)); + uint8_t *b3 = block.snd.snd.snd; + uint8_t *b2 = block.snd.snd.fst; + uint8_t *b10 = block.snd.fst; + uint8_t *b00 = block.fst; + ws[0U] = Lib_IntVector_Intrinsics_vec128_load32_be(b00); + ws[1U] = Lib_IntVector_Intrinsics_vec128_load32_be(b10); + ws[2U] = Lib_IntVector_Intrinsics_vec128_load32_be(b2); + ws[3U] = Lib_IntVector_Intrinsics_vec128_load32_be(b3); + ws[4U] = Lib_IntVector_Intrinsics_vec128_load32_be(b00 + (uint32_t)16U); + ws[5U] = Lib_IntVector_Intrinsics_vec128_load32_be(b10 + (uint32_t)16U); + ws[6U] = Lib_IntVector_Intrinsics_vec128_load32_be(b2 + (uint32_t)16U); + ws[7U] = Lib_IntVector_Intrinsics_vec128_load32_be(b3 + (uint32_t)16U); + ws[8U] = Lib_IntVector_Intrinsics_vec128_load32_be(b00 + (uint32_t)32U); + ws[9U] = Lib_IntVector_Intrinsics_vec128_load32_be(b10 + (uint32_t)32U); + ws[10U] = Lib_IntVector_Intrinsics_vec128_load32_be(b2 + (uint32_t)32U); + ws[11U] = Lib_IntVector_Intrinsics_vec128_load32_be(b3 + (uint32_t)32U); + ws[12U] = Lib_IntVector_Intrinsics_vec128_load32_be(b00 + (uint32_t)48U); + ws[13U] = Lib_IntVector_Intrinsics_vec128_load32_be(b10 + (uint32_t)48U); + ws[14U] = Lib_IntVector_Intrinsics_vec128_load32_be(b2 + (uint32_t)48U); + ws[15U] = Lib_IntVector_Intrinsics_vec128_load32_be(b3 + (uint32_t)48U); + Lib_IntVector_Intrinsics_vec128 v00 = ws[0U]; + Lib_IntVector_Intrinsics_vec128 v10 = ws[1U]; + 
Lib_IntVector_Intrinsics_vec128 v20 = ws[2U]; + Lib_IntVector_Intrinsics_vec128 v30 = ws[3U]; + Lib_IntVector_Intrinsics_vec128 + v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v00, v10); + Lib_IntVector_Intrinsics_vec128 + v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v00, v10); + Lib_IntVector_Intrinsics_vec128 + v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v20, v30); + Lib_IntVector_Intrinsics_vec128 + v3_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v20, v30); + Lib_IntVector_Intrinsics_vec128 + v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v2__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 + v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 v0__0 = v0__; + Lib_IntVector_Intrinsics_vec128 v2__0 = v2__; + Lib_IntVector_Intrinsics_vec128 v1__0 = v1__; + Lib_IntVector_Intrinsics_vec128 v3__0 = v3__; + Lib_IntVector_Intrinsics_vec128 ws0 = v0__0; + Lib_IntVector_Intrinsics_vec128 ws1 = v1__0; + Lib_IntVector_Intrinsics_vec128 ws2 = v2__0; + Lib_IntVector_Intrinsics_vec128 ws3 = v3__0; + Lib_IntVector_Intrinsics_vec128 v01 = ws[4U]; + Lib_IntVector_Intrinsics_vec128 v11 = ws[5U]; + Lib_IntVector_Intrinsics_vec128 v21 = ws[6U]; + Lib_IntVector_Intrinsics_vec128 v31 = ws[7U]; + Lib_IntVector_Intrinsics_vec128 + v0_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v01, v11); + Lib_IntVector_Intrinsics_vec128 + v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v01, v11); + Lib_IntVector_Intrinsics_vec128 + v2_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v21, v31); + Lib_IntVector_Intrinsics_vec128 + v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v21, v31); + Lib_IntVector_Intrinsics_vec128 + v0__1 = 
Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v1__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 + v3__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 v0__2 = v0__1; + Lib_IntVector_Intrinsics_vec128 v2__2 = v2__1; + Lib_IntVector_Intrinsics_vec128 v1__2 = v1__1; + Lib_IntVector_Intrinsics_vec128 v3__2 = v3__1; + Lib_IntVector_Intrinsics_vec128 ws4 = v0__2; + Lib_IntVector_Intrinsics_vec128 ws5 = v1__2; + Lib_IntVector_Intrinsics_vec128 ws6 = v2__2; + Lib_IntVector_Intrinsics_vec128 ws7 = v3__2; + Lib_IntVector_Intrinsics_vec128 v02 = ws[8U]; + Lib_IntVector_Intrinsics_vec128 v12 = ws[9U]; + Lib_IntVector_Intrinsics_vec128 v22 = ws[10U]; + Lib_IntVector_Intrinsics_vec128 v32 = ws[11U]; + Lib_IntVector_Intrinsics_vec128 + v0_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v02, v12); + Lib_IntVector_Intrinsics_vec128 + v1_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v02, v12); + Lib_IntVector_Intrinsics_vec128 + v2_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v22, v32); + Lib_IntVector_Intrinsics_vec128 + v3_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v22, v32); + Lib_IntVector_Intrinsics_vec128 + v0__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v1__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v2__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 + v3__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 v0__4 = v0__3; + Lib_IntVector_Intrinsics_vec128 v2__4 = v2__3; + Lib_IntVector_Intrinsics_vec128 v1__4 = v1__3; + Lib_IntVector_Intrinsics_vec128 v3__4 = v3__3; + 
Lib_IntVector_Intrinsics_vec128 ws8 = v0__4; + Lib_IntVector_Intrinsics_vec128 ws9 = v1__4; + Lib_IntVector_Intrinsics_vec128 ws10 = v2__4; + Lib_IntVector_Intrinsics_vec128 ws11 = v3__4; + Lib_IntVector_Intrinsics_vec128 v0 = ws[12U]; + Lib_IntVector_Intrinsics_vec128 v1 = ws[13U]; + Lib_IntVector_Intrinsics_vec128 v2 = ws[14U]; + Lib_IntVector_Intrinsics_vec128 v3 = ws[15U]; + Lib_IntVector_Intrinsics_vec128 + v0_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v0, v1); + Lib_IntVector_Intrinsics_vec128 + v1_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v0, v1); + Lib_IntVector_Intrinsics_vec128 + v2_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v2, v3); + Lib_IntVector_Intrinsics_vec128 + v3_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v2, v3); + Lib_IntVector_Intrinsics_vec128 + v0__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v1__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v2__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 + v3__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 v0__6 = v0__5; + Lib_IntVector_Intrinsics_vec128 v2__6 = v2__5; + Lib_IntVector_Intrinsics_vec128 v1__6 = v1__5; + Lib_IntVector_Intrinsics_vec128 v3__6 = v3__5; + Lib_IntVector_Intrinsics_vec128 ws12 = v0__6; + Lib_IntVector_Intrinsics_vec128 ws13 = v1__6; + Lib_IntVector_Intrinsics_vec128 ws14 = v2__6; + Lib_IntVector_Intrinsics_vec128 ws15 = v3__6; + ws[0U] = ws0; + ws[1U] = ws1; + ws[2U] = ws2; + ws[3U] = ws3; + ws[4U] = ws4; + ws[5U] = ws5; + ws[6U] = ws6; + ws[7U] = ws7; + ws[8U] = ws8; + ws[9U] = ws9; + ws[10U] = ws10; + ws[11U] = ws11; + ws[12U] = ws12; + ws[13U] = ws13; + ws[14U] = ws14; + ws[15U] = ws15; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + 
uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i0 + i]; + Lib_IntVector_Intrinsics_vec128 ws_t = ws[i]; + Lib_IntVector_Intrinsics_vec128 a0 = hash[0U]; + Lib_IntVector_Intrinsics_vec128 b0 = hash[1U]; + Lib_IntVector_Intrinsics_vec128 c0 = hash[2U]; + Lib_IntVector_Intrinsics_vec128 d0 = hash[3U]; + Lib_IntVector_Intrinsics_vec128 e0 = hash[4U]; + Lib_IntVector_Intrinsics_vec128 f0 = hash[5U]; + Lib_IntVector_Intrinsics_vec128 g0 = hash[6U]; + Lib_IntVector_Intrinsics_vec128 h02 = hash[7U]; + Lib_IntVector_Intrinsics_vec128 k_e_t = Lib_IntVector_Intrinsics_vec128_load32(k_t); + Lib_IntVector_Intrinsics_vec128 + t1 = + Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(h02, + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(e0, + (uint32_t)6U), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(e0, + (uint32_t)11U), + Lib_IntVector_Intrinsics_vec128_rotate_right32(e0, (uint32_t)25U)))), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_and(e0, f0), + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_lognot(e0), g0))), + k_e_t), + ws_t); + Lib_IntVector_Intrinsics_vec128 + t2 = + Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(a0, + (uint32_t)2U), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(a0, + (uint32_t)13U), + Lib_IntVector_Intrinsics_vec128_rotate_right32(a0, (uint32_t)22U))), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_and(a0, b0), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_and(a0, c0), + Lib_IntVector_Intrinsics_vec128_and(b0, c0)))); + Lib_IntVector_Intrinsics_vec128 a1 = Lib_IntVector_Intrinsics_vec128_add32(t1, t2); + Lib_IntVector_Intrinsics_vec128 b1 = a0; + 
Lib_IntVector_Intrinsics_vec128 c1 = b0; + Lib_IntVector_Intrinsics_vec128 d1 = c0; + Lib_IntVector_Intrinsics_vec128 e1 = Lib_IntVector_Intrinsics_vec128_add32(d0, t1); + Lib_IntVector_Intrinsics_vec128 f1 = e0; + Lib_IntVector_Intrinsics_vec128 g1 = f0; + Lib_IntVector_Intrinsics_vec128 h12 = g0; + hash[0U] = a1; + hash[1U] = b1; + hash[2U] = c1; + hash[3U] = d1; + hash[4U] = e1; + hash[5U] = f1; + hash[6U] = g1; + hash[7U] = h12; + } + if (i0 < (uint32_t)4U - (uint32_t)1U) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec128 t16 = ws[i]; + Lib_IntVector_Intrinsics_vec128 t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec128 t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec128 t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec128 + s1 = + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(t2, + (uint32_t)17U), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(t2, + (uint32_t)19U), + Lib_IntVector_Intrinsics_vec128_shift_right32(t2, (uint32_t)10U))); + Lib_IntVector_Intrinsics_vec128 + s0 = + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(t15, + (uint32_t)7U), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(t15, + (uint32_t)18U), + Lib_IntVector_Intrinsics_vec128_shift_right32(t15, (uint32_t)3U))); + ws[i] = + Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(s1, + t7), + s0), + t16); + } + } + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec128 *os = hash; + Lib_IntVector_Intrinsics_vec128 + x = Lib_IntVector_Intrinsics_vec128_add32(hash[i], hash_old[i]); + os[i] = x; + } +} + +void +Hacl_SHA2_Vec128_sha224_4( + uint8_t *dst0, + uint8_t *dst1, + uint8_t *dst2, + uint8_t *dst3, + uint32_t 
input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3 +) +{ + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + ib = { .fst = input0, .snd = { .fst = input1, .snd = { .fst = input2, .snd = input3 } } }; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + rb = { .fst = dst0, .snd = { .fst = dst1, .snd = { .fst = dst2, .snd = dst3 } } }; + Lib_IntVector_Intrinsics_vec128 st[8U]; + for (uint32_t _i = 0U; _i < (uint32_t)8U; ++_i) + st[_i] = Lib_IntVector_Intrinsics_vec128_zero; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec128 *os = st; + uint32_t hi = Hacl_Impl_SHA2_Generic_h224[i]; + Lib_IntVector_Intrinsics_vec128 x = Lib_IntVector_Intrinsics_vec128_load32(hi); + os[i] = x; + } + uint32_t rem = input_len % (uint32_t)64U; + uint64_t len_ = (uint64_t)input_len; + uint32_t blocks0 = input_len / (uint32_t)64U; + for (uint32_t i = (uint32_t)0U; i < blocks0; i++) + { + uint8_t *b3 = ib.snd.snd.snd; + uint8_t *b2 = ib.snd.snd.fst; + uint8_t *b1 = ib.snd.fst; + uint8_t *b0 = ib.fst; + uint8_t *bl0 = b0 + i * (uint32_t)64U; + uint8_t *bl1 = b1 + i * (uint32_t)64U; + uint8_t *bl2 = b2 + i * (uint32_t)64U; + uint8_t *bl3 = b3 + i * (uint32_t)64U; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb = { .fst = bl0, .snd = { .fst = bl1, .snd = { .fst = bl2, .snd = bl3 } } }; + sha224_update4(mb, st); + } + uint32_t rem1 = input_len % (uint32_t)64U; + uint8_t *b3 = ib.snd.snd.snd; + uint8_t *b20 = ib.snd.snd.fst; + uint8_t *b10 = ib.snd.fst; + uint8_t *b00 = ib.fst; + uint8_t *bl0 = b00 + input_len - rem1; + uint8_t *bl1 = b10 + input_len - rem1; + uint8_t *bl2 = b20 + input_len - rem1; + uint8_t *bl3 = b3 + input_len - rem1; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + lb = { .fst = bl0, .snd = { .fst = bl1, .snd = { .fst = bl2, .snd = bl3 } } }; + uint32_t blocks; + if (rem + (uint32_t)8U + (uint32_t)1U <= (uint32_t)64U) + { + blocks = (uint32_t)1U; + } + else + { + blocks = 
(uint32_t)2U; + } + uint32_t fin = blocks * (uint32_t)64U; + uint8_t last[512U] = { 0U }; + uint8_t totlen_buf[8U] = { 0U }; + uint64_t total_len_bits = len_ << (uint32_t)3U; + store64_be(totlen_buf, total_len_bits); + uint8_t *b30 = lb.snd.snd.snd; + uint8_t *b21 = lb.snd.snd.fst; + uint8_t *b11 = lb.snd.fst; + uint8_t *b01 = lb.fst; + uint8_t *last00 = last; + uint8_t *last10 = last + (uint32_t)128U; + uint8_t *last2 = last + (uint32_t)256U; + uint8_t *last3 = last + (uint32_t)384U; + memcpy(last00, b01, rem * sizeof (uint8_t)); + last00[rem] = (uint8_t)0x80U; + memcpy(last00 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last010 = last00; + uint8_t *last110 = last00 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut = { .fst = last010, .snd = last110 }; + uint8_t *l00 = scrut.fst; + uint8_t *l01 = scrut.snd; + memcpy(last10, b11, rem * sizeof (uint8_t)); + last10[rem] = (uint8_t)0x80U; + memcpy(last10 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last011 = last10; + uint8_t *last111 = last10 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut0 = { .fst = last011, .snd = last111 }; + uint8_t *l10 = scrut0.fst; + uint8_t *l11 = scrut0.snd; + memcpy(last2, b21, rem * sizeof (uint8_t)); + last2[rem] = (uint8_t)0x80U; + memcpy(last2 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last012 = last2; + uint8_t *last112 = last2 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut1 = { .fst = last012, .snd = last112 }; + uint8_t *l20 = scrut1.fst; + uint8_t *l21 = scrut1.snd; + memcpy(last3, b30, rem * sizeof (uint8_t)); + last3[rem] = (uint8_t)0x80U; + memcpy(last3 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last01 = last3; + uint8_t *last11 = last3 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut2 = { .fst = last01, .snd = last11 }; + uint8_t *l30 = scrut2.fst; + uint8_t *l31 = scrut2.snd; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb0 = 
{ .fst = l00, .snd = { .fst = l10, .snd = { .fst = l20, .snd = l30 } } }; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb1 = { .fst = l01, .snd = { .fst = l11, .snd = { .fst = l21, .snd = l31 } } }; + K___K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + scrut3 = { .fst = mb0, .snd = mb1 }; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ last0 = scrut3.fst; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ last1 = scrut3.snd; + sha224_update4(last0, st); + if (blocks > (uint32_t)1U) + { + sha224_update4(last1, st); + } + KRML_CHECK_SIZE(sizeof (uint8_t), (uint32_t)4U * (uint32_t)8U * (uint32_t)4U); + uint8_t hbuf[(uint32_t)4U * (uint32_t)8U * (uint32_t)4U]; + memset(hbuf, 0U, (uint32_t)4U * (uint32_t)8U * (uint32_t)4U * sizeof (uint8_t)); + Lib_IntVector_Intrinsics_vec128 v00 = st[0U]; + Lib_IntVector_Intrinsics_vec128 v10 = st[1U]; + Lib_IntVector_Intrinsics_vec128 v20 = st[2U]; + Lib_IntVector_Intrinsics_vec128 v30 = st[3U]; + Lib_IntVector_Intrinsics_vec128 + v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v00, v10); + Lib_IntVector_Intrinsics_vec128 + v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v00, v10); + Lib_IntVector_Intrinsics_vec128 + v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v20, v30); + Lib_IntVector_Intrinsics_vec128 + v3_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v20, v30); + Lib_IntVector_Intrinsics_vec128 + v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v2__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 + v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 v0__0 = v0__; + Lib_IntVector_Intrinsics_vec128 v2__0 = v2__; + Lib_IntVector_Intrinsics_vec128 v1__0 = v1__; + 
Lib_IntVector_Intrinsics_vec128 v3__0 = v3__; + Lib_IntVector_Intrinsics_vec128 st0_ = v0__0; + Lib_IntVector_Intrinsics_vec128 st1_ = v1__0; + Lib_IntVector_Intrinsics_vec128 st2_ = v2__0; + Lib_IntVector_Intrinsics_vec128 st3_ = v3__0; + Lib_IntVector_Intrinsics_vec128 v0 = st[4U]; + Lib_IntVector_Intrinsics_vec128 v1 = st[5U]; + Lib_IntVector_Intrinsics_vec128 v2 = st[6U]; + Lib_IntVector_Intrinsics_vec128 v3 = st[7U]; + Lib_IntVector_Intrinsics_vec128 + v0_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v0, v1); + Lib_IntVector_Intrinsics_vec128 + v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v0, v1); + Lib_IntVector_Intrinsics_vec128 + v2_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v2, v3); + Lib_IntVector_Intrinsics_vec128 + v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v2, v3); + Lib_IntVector_Intrinsics_vec128 + v0__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v1__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 + v3__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 v0__2 = v0__1; + Lib_IntVector_Intrinsics_vec128 v2__2 = v2__1; + Lib_IntVector_Intrinsics_vec128 v1__2 = v1__1; + Lib_IntVector_Intrinsics_vec128 v3__2 = v3__1; + Lib_IntVector_Intrinsics_vec128 st4_ = v0__2; + Lib_IntVector_Intrinsics_vec128 st5_ = v1__2; + Lib_IntVector_Intrinsics_vec128 st6_ = v2__2; + Lib_IntVector_Intrinsics_vec128 st7_ = v3__2; + st[0U] = st0_; + st[1U] = st4_; + st[2U] = st1_; + st[3U] = st5_; + st[4U] = st2_; + st[5U] = st6_; + st[6U] = st3_; + st[7U] = st7_; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec128_store32_be(hbuf + i * (uint32_t)16U, st[i]); + } + uint8_t *b31 = rb.snd.snd.snd; + uint8_t *b2 = rb.snd.snd.fst; + 
uint8_t *b1 = rb.snd.fst; + uint8_t *b0 = rb.fst; + memcpy(b0, hbuf, (uint32_t)28U * sizeof (uint8_t)); + memcpy(b1, hbuf + (uint32_t)32U, (uint32_t)28U * sizeof (uint8_t)); + memcpy(b2, hbuf + (uint32_t)64U, (uint32_t)28U * sizeof (uint8_t)); + memcpy(b31, hbuf + (uint32_t)96U, (uint32_t)28U * sizeof (uint8_t)); +} + +static inline void +sha256_update4( + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ block, + Lib_IntVector_Intrinsics_vec128 *hash +) +{ + Lib_IntVector_Intrinsics_vec128 hash_old[8U]; + for (uint32_t _i = 0U; _i < (uint32_t)8U; ++_i) + hash_old[_i] = Lib_IntVector_Intrinsics_vec128_zero; + Lib_IntVector_Intrinsics_vec128 ws[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + ws[_i] = Lib_IntVector_Intrinsics_vec128_zero; + memcpy(hash_old, hash, (uint32_t)8U * sizeof (Lib_IntVector_Intrinsics_vec128)); + uint8_t *b3 = block.snd.snd.snd; + uint8_t *b2 = block.snd.snd.fst; + uint8_t *b10 = block.snd.fst; + uint8_t *b00 = block.fst; + ws[0U] = Lib_IntVector_Intrinsics_vec128_load32_be(b00); + ws[1U] = Lib_IntVector_Intrinsics_vec128_load32_be(b10); + ws[2U] = Lib_IntVector_Intrinsics_vec128_load32_be(b2); + ws[3U] = Lib_IntVector_Intrinsics_vec128_load32_be(b3); + ws[4U] = Lib_IntVector_Intrinsics_vec128_load32_be(b00 + (uint32_t)16U); + ws[5U] = Lib_IntVector_Intrinsics_vec128_load32_be(b10 + (uint32_t)16U); + ws[6U] = Lib_IntVector_Intrinsics_vec128_load32_be(b2 + (uint32_t)16U); + ws[7U] = Lib_IntVector_Intrinsics_vec128_load32_be(b3 + (uint32_t)16U); + ws[8U] = Lib_IntVector_Intrinsics_vec128_load32_be(b00 + (uint32_t)32U); + ws[9U] = Lib_IntVector_Intrinsics_vec128_load32_be(b10 + (uint32_t)32U); + ws[10U] = Lib_IntVector_Intrinsics_vec128_load32_be(b2 + (uint32_t)32U); + ws[11U] = Lib_IntVector_Intrinsics_vec128_load32_be(b3 + (uint32_t)32U); + ws[12U] = Lib_IntVector_Intrinsics_vec128_load32_be(b00 + (uint32_t)48U); + ws[13U] = Lib_IntVector_Intrinsics_vec128_load32_be(b10 + (uint32_t)48U); + ws[14U] = 
Lib_IntVector_Intrinsics_vec128_load32_be(b2 + (uint32_t)48U); + ws[15U] = Lib_IntVector_Intrinsics_vec128_load32_be(b3 + (uint32_t)48U); + Lib_IntVector_Intrinsics_vec128 v00 = ws[0U]; + Lib_IntVector_Intrinsics_vec128 v10 = ws[1U]; + Lib_IntVector_Intrinsics_vec128 v20 = ws[2U]; + Lib_IntVector_Intrinsics_vec128 v30 = ws[3U]; + Lib_IntVector_Intrinsics_vec128 + v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v00, v10); + Lib_IntVector_Intrinsics_vec128 + v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v00, v10); + Lib_IntVector_Intrinsics_vec128 + v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v20, v30); + Lib_IntVector_Intrinsics_vec128 + v3_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v20, v30); + Lib_IntVector_Intrinsics_vec128 + v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v2__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 + v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 v0__0 = v0__; + Lib_IntVector_Intrinsics_vec128 v2__0 = v2__; + Lib_IntVector_Intrinsics_vec128 v1__0 = v1__; + Lib_IntVector_Intrinsics_vec128 v3__0 = v3__; + Lib_IntVector_Intrinsics_vec128 ws0 = v0__0; + Lib_IntVector_Intrinsics_vec128 ws1 = v1__0; + Lib_IntVector_Intrinsics_vec128 ws2 = v2__0; + Lib_IntVector_Intrinsics_vec128 ws3 = v3__0; + Lib_IntVector_Intrinsics_vec128 v01 = ws[4U]; + Lib_IntVector_Intrinsics_vec128 v11 = ws[5U]; + Lib_IntVector_Intrinsics_vec128 v21 = ws[6U]; + Lib_IntVector_Intrinsics_vec128 v31 = ws[7U]; + Lib_IntVector_Intrinsics_vec128 + v0_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v01, v11); + Lib_IntVector_Intrinsics_vec128 + v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v01, v11); + Lib_IntVector_Intrinsics_vec128 + v2_0 = 
Lib_IntVector_Intrinsics_vec128_interleave_low32(v21, v31); + Lib_IntVector_Intrinsics_vec128 + v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v21, v31); + Lib_IntVector_Intrinsics_vec128 + v0__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v1__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 + v3__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 v0__2 = v0__1; + Lib_IntVector_Intrinsics_vec128 v2__2 = v2__1; + Lib_IntVector_Intrinsics_vec128 v1__2 = v1__1; + Lib_IntVector_Intrinsics_vec128 v3__2 = v3__1; + Lib_IntVector_Intrinsics_vec128 ws4 = v0__2; + Lib_IntVector_Intrinsics_vec128 ws5 = v1__2; + Lib_IntVector_Intrinsics_vec128 ws6 = v2__2; + Lib_IntVector_Intrinsics_vec128 ws7 = v3__2; + Lib_IntVector_Intrinsics_vec128 v02 = ws[8U]; + Lib_IntVector_Intrinsics_vec128 v12 = ws[9U]; + Lib_IntVector_Intrinsics_vec128 v22 = ws[10U]; + Lib_IntVector_Intrinsics_vec128 v32 = ws[11U]; + Lib_IntVector_Intrinsics_vec128 + v0_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v02, v12); + Lib_IntVector_Intrinsics_vec128 + v1_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v02, v12); + Lib_IntVector_Intrinsics_vec128 + v2_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v22, v32); + Lib_IntVector_Intrinsics_vec128 + v3_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v22, v32); + Lib_IntVector_Intrinsics_vec128 + v0__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v1__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v2__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 + v3__3 = 
Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 v0__4 = v0__3; + Lib_IntVector_Intrinsics_vec128 v2__4 = v2__3; + Lib_IntVector_Intrinsics_vec128 v1__4 = v1__3; + Lib_IntVector_Intrinsics_vec128 v3__4 = v3__3; + Lib_IntVector_Intrinsics_vec128 ws8 = v0__4; + Lib_IntVector_Intrinsics_vec128 ws9 = v1__4; + Lib_IntVector_Intrinsics_vec128 ws10 = v2__4; + Lib_IntVector_Intrinsics_vec128 ws11 = v3__4; + Lib_IntVector_Intrinsics_vec128 v0 = ws[12U]; + Lib_IntVector_Intrinsics_vec128 v1 = ws[13U]; + Lib_IntVector_Intrinsics_vec128 v2 = ws[14U]; + Lib_IntVector_Intrinsics_vec128 v3 = ws[15U]; + Lib_IntVector_Intrinsics_vec128 + v0_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v0, v1); + Lib_IntVector_Intrinsics_vec128 + v1_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v0, v1); + Lib_IntVector_Intrinsics_vec128 + v2_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v2, v3); + Lib_IntVector_Intrinsics_vec128 + v3_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v2, v3); + Lib_IntVector_Intrinsics_vec128 + v0__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v1__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v2__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 + v3__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 v0__6 = v0__5; + Lib_IntVector_Intrinsics_vec128 v2__6 = v2__5; + Lib_IntVector_Intrinsics_vec128 v1__6 = v1__5; + Lib_IntVector_Intrinsics_vec128 v3__6 = v3__5; + Lib_IntVector_Intrinsics_vec128 ws12 = v0__6; + Lib_IntVector_Intrinsics_vec128 ws13 = v1__6; + Lib_IntVector_Intrinsics_vec128 ws14 = v2__6; + Lib_IntVector_Intrinsics_vec128 ws15 = v3__6; + ws[0U] = ws0; + ws[1U] = ws1; + ws[2U] = ws2; + ws[3U] = ws3; + ws[4U] = ws4; + ws[5U] = ws5; + ws[6U] = ws6; + ws[7U] = ws7; + ws[8U] = 
ws8; + ws[9U] = ws9; + ws[10U] = ws10; + ws[11U] = ws11; + ws[12U] = ws12; + ws[13U] = ws13; + ws[14U] = ws14; + ws[15U] = ws15; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i0 + i]; + Lib_IntVector_Intrinsics_vec128 ws_t = ws[i]; + Lib_IntVector_Intrinsics_vec128 a0 = hash[0U]; + Lib_IntVector_Intrinsics_vec128 b0 = hash[1U]; + Lib_IntVector_Intrinsics_vec128 c0 = hash[2U]; + Lib_IntVector_Intrinsics_vec128 d0 = hash[3U]; + Lib_IntVector_Intrinsics_vec128 e0 = hash[4U]; + Lib_IntVector_Intrinsics_vec128 f0 = hash[5U]; + Lib_IntVector_Intrinsics_vec128 g0 = hash[6U]; + Lib_IntVector_Intrinsics_vec128 h02 = hash[7U]; + Lib_IntVector_Intrinsics_vec128 k_e_t = Lib_IntVector_Intrinsics_vec128_load32(k_t); + Lib_IntVector_Intrinsics_vec128 + t1 = + Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(h02, + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(e0, + (uint32_t)6U), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(e0, + (uint32_t)11U), + Lib_IntVector_Intrinsics_vec128_rotate_right32(e0, (uint32_t)25U)))), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_and(e0, f0), + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_lognot(e0), g0))), + k_e_t), + ws_t); + Lib_IntVector_Intrinsics_vec128 + t2 = + Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(a0, + (uint32_t)2U), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(a0, + (uint32_t)13U), + Lib_IntVector_Intrinsics_vec128_rotate_right32(a0, (uint32_t)22U))), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_and(a0, b0), + 
Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_and(a0, c0), + Lib_IntVector_Intrinsics_vec128_and(b0, c0)))); + Lib_IntVector_Intrinsics_vec128 a1 = Lib_IntVector_Intrinsics_vec128_add32(t1, t2); + Lib_IntVector_Intrinsics_vec128 b1 = a0; + Lib_IntVector_Intrinsics_vec128 c1 = b0; + Lib_IntVector_Intrinsics_vec128 d1 = c0; + Lib_IntVector_Intrinsics_vec128 e1 = Lib_IntVector_Intrinsics_vec128_add32(d0, t1); + Lib_IntVector_Intrinsics_vec128 f1 = e0; + Lib_IntVector_Intrinsics_vec128 g1 = f0; + Lib_IntVector_Intrinsics_vec128 h12 = g0; + hash[0U] = a1; + hash[1U] = b1; + hash[2U] = c1; + hash[3U] = d1; + hash[4U] = e1; + hash[5U] = f1; + hash[6U] = g1; + hash[7U] = h12; + } + if (i0 < (uint32_t)4U - (uint32_t)1U) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec128 t16 = ws[i]; + Lib_IntVector_Intrinsics_vec128 t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec128 t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec128 t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec128 + s1 = + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(t2, + (uint32_t)17U), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(t2, + (uint32_t)19U), + Lib_IntVector_Intrinsics_vec128_shift_right32(t2, (uint32_t)10U))); + Lib_IntVector_Intrinsics_vec128 + s0 = + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(t15, + (uint32_t)7U), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(t15, + (uint32_t)18U), + Lib_IntVector_Intrinsics_vec128_shift_right32(t15, (uint32_t)3U))); + ws[i] = + Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(s1, + t7), + s0), + t16); + } + } + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + 
Lib_IntVector_Intrinsics_vec128 *os = hash; + Lib_IntVector_Intrinsics_vec128 + x = Lib_IntVector_Intrinsics_vec128_add32(hash[i], hash_old[i]); + os[i] = x; + } +} + +void +Hacl_SHA2_Vec128_sha256_4( + uint8_t *dst0, + uint8_t *dst1, + uint8_t *dst2, + uint8_t *dst3, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3 +) +{ + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + ib = { .fst = input0, .snd = { .fst = input1, .snd = { .fst = input2, .snd = input3 } } }; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + rb = { .fst = dst0, .snd = { .fst = dst1, .snd = { .fst = dst2, .snd = dst3 } } }; + Lib_IntVector_Intrinsics_vec128 st[8U]; + for (uint32_t _i = 0U; _i < (uint32_t)8U; ++_i) + st[_i] = Lib_IntVector_Intrinsics_vec128_zero; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec128 *os = st; + uint32_t hi = Hacl_Impl_SHA2_Generic_h256[i]; + Lib_IntVector_Intrinsics_vec128 x = Lib_IntVector_Intrinsics_vec128_load32(hi); + os[i] = x; + } + uint32_t rem = input_len % (uint32_t)64U; + uint64_t len_ = (uint64_t)input_len; + uint32_t blocks0 = input_len / (uint32_t)64U; + for (uint32_t i = (uint32_t)0U; i < blocks0; i++) + { + uint8_t *b3 = ib.snd.snd.snd; + uint8_t *b2 = ib.snd.snd.fst; + uint8_t *b1 = ib.snd.fst; + uint8_t *b0 = ib.fst; + uint8_t *bl0 = b0 + i * (uint32_t)64U; + uint8_t *bl1 = b1 + i * (uint32_t)64U; + uint8_t *bl2 = b2 + i * (uint32_t)64U; + uint8_t *bl3 = b3 + i * (uint32_t)64U; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb = { .fst = bl0, .snd = { .fst = bl1, .snd = { .fst = bl2, .snd = bl3 } } }; + sha256_update4(mb, st); + } + uint32_t rem1 = input_len % (uint32_t)64U; + uint8_t *b3 = ib.snd.snd.snd; + uint8_t *b20 = ib.snd.snd.fst; + uint8_t *b10 = ib.snd.fst; + uint8_t *b00 = ib.fst; + uint8_t *bl0 = b00 + input_len - rem1; + uint8_t *bl1 = b10 + input_len - rem1; + uint8_t *bl2 = b20 + input_len - rem1; + uint8_t *bl3 = b3 + 
input_len - rem1; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + lb = { .fst = bl0, .snd = { .fst = bl1, .snd = { .fst = bl2, .snd = bl3 } } }; + uint32_t blocks; + if (rem + (uint32_t)8U + (uint32_t)1U <= (uint32_t)64U) + { + blocks = (uint32_t)1U; + } + else + { + blocks = (uint32_t)2U; + } + uint32_t fin = blocks * (uint32_t)64U; + uint8_t last[512U] = { 0U }; + uint8_t totlen_buf[8U] = { 0U }; + uint64_t total_len_bits = len_ << (uint32_t)3U; + store64_be(totlen_buf, total_len_bits); + uint8_t *b30 = lb.snd.snd.snd; + uint8_t *b21 = lb.snd.snd.fst; + uint8_t *b11 = lb.snd.fst; + uint8_t *b01 = lb.fst; + uint8_t *last00 = last; + uint8_t *last10 = last + (uint32_t)128U; + uint8_t *last2 = last + (uint32_t)256U; + uint8_t *last3 = last + (uint32_t)384U; + memcpy(last00, b01, rem * sizeof (uint8_t)); + last00[rem] = (uint8_t)0x80U; + memcpy(last00 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last010 = last00; + uint8_t *last110 = last00 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut = { .fst = last010, .snd = last110 }; + uint8_t *l00 = scrut.fst; + uint8_t *l01 = scrut.snd; + memcpy(last10, b11, rem * sizeof (uint8_t)); + last10[rem] = (uint8_t)0x80U; + memcpy(last10 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last011 = last10; + uint8_t *last111 = last10 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut0 = { .fst = last011, .snd = last111 }; + uint8_t *l10 = scrut0.fst; + uint8_t *l11 = scrut0.snd; + memcpy(last2, b21, rem * sizeof (uint8_t)); + last2[rem] = (uint8_t)0x80U; + memcpy(last2 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last012 = last2; + uint8_t *last112 = last2 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut1 = { .fst = last012, .snd = last112 }; + uint8_t *l20 = scrut1.fst; + uint8_t *l21 = scrut1.snd; + memcpy(last3, b30, rem * sizeof (uint8_t)); + last3[rem] = (uint8_t)0x80U; + memcpy(last3 + fin - (uint32_t)8U, totlen_buf, 
(uint32_t)8U * sizeof (uint8_t)); + uint8_t *last01 = last3; + uint8_t *last11 = last3 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut2 = { .fst = last01, .snd = last11 }; + uint8_t *l30 = scrut2.fst; + uint8_t *l31 = scrut2.snd; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb0 = { .fst = l00, .snd = { .fst = l10, .snd = { .fst = l20, .snd = l30 } } }; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb1 = { .fst = l01, .snd = { .fst = l11, .snd = { .fst = l21, .snd = l31 } } }; + K___K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + scrut3 = { .fst = mb0, .snd = mb1 }; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ last0 = scrut3.fst; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ last1 = scrut3.snd; + sha256_update4(last0, st); + if (blocks > (uint32_t)1U) + { + sha256_update4(last1, st); + } + KRML_CHECK_SIZE(sizeof (uint8_t), (uint32_t)4U * (uint32_t)8U * (uint32_t)4U); + uint8_t hbuf[(uint32_t)4U * (uint32_t)8U * (uint32_t)4U]; + memset(hbuf, 0U, (uint32_t)4U * (uint32_t)8U * (uint32_t)4U * sizeof (uint8_t)); + Lib_IntVector_Intrinsics_vec128 v00 = st[0U]; + Lib_IntVector_Intrinsics_vec128 v10 = st[1U]; + Lib_IntVector_Intrinsics_vec128 v20 = st[2U]; + Lib_IntVector_Intrinsics_vec128 v30 = st[3U]; + Lib_IntVector_Intrinsics_vec128 + v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v00, v10); + Lib_IntVector_Intrinsics_vec128 + v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v00, v10); + Lib_IntVector_Intrinsics_vec128 + v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v20, v30); + Lib_IntVector_Intrinsics_vec128 + v3_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v20, v30); + Lib_IntVector_Intrinsics_vec128 + v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v2__ = 
Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 + v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 v0__0 = v0__; + Lib_IntVector_Intrinsics_vec128 v2__0 = v2__; + Lib_IntVector_Intrinsics_vec128 v1__0 = v1__; + Lib_IntVector_Intrinsics_vec128 v3__0 = v3__; + Lib_IntVector_Intrinsics_vec128 st0_ = v0__0; + Lib_IntVector_Intrinsics_vec128 st1_ = v1__0; + Lib_IntVector_Intrinsics_vec128 st2_ = v2__0; + Lib_IntVector_Intrinsics_vec128 st3_ = v3__0; + Lib_IntVector_Intrinsics_vec128 v0 = st[4U]; + Lib_IntVector_Intrinsics_vec128 v1 = st[5U]; + Lib_IntVector_Intrinsics_vec128 v2 = st[6U]; + Lib_IntVector_Intrinsics_vec128 v3 = st[7U]; + Lib_IntVector_Intrinsics_vec128 + v0_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v0, v1); + Lib_IntVector_Intrinsics_vec128 + v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v0, v1); + Lib_IntVector_Intrinsics_vec128 + v2_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v2, v3); + Lib_IntVector_Intrinsics_vec128 + v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v2, v3); + Lib_IntVector_Intrinsics_vec128 + v0__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v1__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 + v3__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 v0__2 = v0__1; + Lib_IntVector_Intrinsics_vec128 v2__2 = v2__1; + Lib_IntVector_Intrinsics_vec128 v1__2 = v1__1; + Lib_IntVector_Intrinsics_vec128 v3__2 = v3__1; + Lib_IntVector_Intrinsics_vec128 st4_ = v0__2; + Lib_IntVector_Intrinsics_vec128 st5_ = v1__2; + Lib_IntVector_Intrinsics_vec128 st6_ = v2__2; + Lib_IntVector_Intrinsics_vec128 st7_ = v3__2; + st[0U] = st0_; + st[1U] = st4_; + st[2U] 
= st1_; + st[3U] = st5_; + st[4U] = st2_; + st[5U] = st6_; + st[6U] = st3_; + st[7U] = st7_; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec128_store32_be(hbuf + i * (uint32_t)16U, st[i]); + } + uint8_t *b31 = rb.snd.snd.snd; + uint8_t *b2 = rb.snd.snd.fst; + uint8_t *b1 = rb.snd.fst; + uint8_t *b0 = rb.fst; + memcpy(b0, hbuf, (uint32_t)32U * sizeof (uint8_t)); + memcpy(b1, hbuf + (uint32_t)32U, (uint32_t)32U * sizeof (uint8_t)); + memcpy(b2, hbuf + (uint32_t)64U, (uint32_t)32U * sizeof (uint8_t)); + memcpy(b31, hbuf + (uint32_t)96U, (uint32_t)32U * sizeof (uint8_t)); +} + diff --git a/src/Hacl_SHA2_Vec256.c b/src/Hacl_SHA2_Vec256.c new file mode 100644 index 00000000..9c11f700 --- /dev/null +++ b/src/Hacl_SHA2_Vec256.c 
@@ -0,0 +1,2401 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_SHA2_Vec256.h" + + + +typedef struct ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__s +{ + uint8_t *fst; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ snd; +} +___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_; + +typedef struct ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__s +{ + uint8_t *fst; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ snd; +} +___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_; + +typedef struct +___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__s +{ + uint8_t *fst; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ snd; +} +___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_; + +typedef struct +___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__s +{ + uint8_t *fst; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + snd; +} +___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_; + +static inline void +sha224_update8( + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + block, + Lib_IntVector_Intrinsics_vec256 *hash +) +{ + Lib_IntVector_Intrinsics_vec256 hash_old[8U]; + for (uint32_t _i = 0U; _i < (uint32_t)8U; ++_i) + hash_old[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 ws[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + ws[_i] = Lib_IntVector_Intrinsics_vec256_zero; + memcpy(hash_old, hash, (uint32_t)8U * sizeof (Lib_IntVector_Intrinsics_vec256)); + uint8_t *b7 = block.snd.snd.snd.snd.snd.snd.snd; + uint8_t *b6 = block.snd.snd.snd.snd.snd.snd.fst; + uint8_t *b5 = block.snd.snd.snd.snd.snd.fst; + uint8_t *b4 = block.snd.snd.snd.snd.fst; 
+ uint8_t *b3 = block.snd.snd.snd.fst; + uint8_t *b2 = block.snd.snd.fst; + uint8_t *b10 = block.snd.fst; + uint8_t *b00 = block.fst; + ws[0U] = Lib_IntVector_Intrinsics_vec256_load32_be(b00); + ws[1U] = Lib_IntVector_Intrinsics_vec256_load32_be(b10); + ws[2U] = Lib_IntVector_Intrinsics_vec256_load32_be(b2); + ws[3U] = Lib_IntVector_Intrinsics_vec256_load32_be(b3); + ws[4U] = Lib_IntVector_Intrinsics_vec256_load32_be(b4); + ws[5U] = Lib_IntVector_Intrinsics_vec256_load32_be(b5); + ws[6U] = Lib_IntVector_Intrinsics_vec256_load32_be(b6); + ws[7U] = Lib_IntVector_Intrinsics_vec256_load32_be(b7); + ws[8U] = Lib_IntVector_Intrinsics_vec256_load32_be(b00 + (uint32_t)32U); + ws[9U] = Lib_IntVector_Intrinsics_vec256_load32_be(b10 + (uint32_t)32U); + ws[10U] = Lib_IntVector_Intrinsics_vec256_load32_be(b2 + (uint32_t)32U); + ws[11U] = Lib_IntVector_Intrinsics_vec256_load32_be(b3 + (uint32_t)32U); + ws[12U] = Lib_IntVector_Intrinsics_vec256_load32_be(b4 + (uint32_t)32U); + ws[13U] = Lib_IntVector_Intrinsics_vec256_load32_be(b5 + (uint32_t)32U); + ws[14U] = Lib_IntVector_Intrinsics_vec256_load32_be(b6 + (uint32_t)32U); + ws[15U] = Lib_IntVector_Intrinsics_vec256_load32_be(b7 + (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 v00 = ws[0U]; + Lib_IntVector_Intrinsics_vec256 v10 = ws[1U]; + Lib_IntVector_Intrinsics_vec256 v20 = ws[2U]; + Lib_IntVector_Intrinsics_vec256 v30 = ws[3U]; + Lib_IntVector_Intrinsics_vec256 v40 = ws[4U]; + Lib_IntVector_Intrinsics_vec256 v50 = ws[5U]; + Lib_IntVector_Intrinsics_vec256 v60 = ws[6U]; + Lib_IntVector_Intrinsics_vec256 v70 = ws[7U]; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v20, v30); + 
Lib_IntVector_Intrinsics_vec256 + v4_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v5_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v6_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v60, v70); + Lib_IntVector_Intrinsics_vec256 + v7_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v60, v70); + Lib_IntVector_Intrinsics_vec256 v0_0 = v0_; + Lib_IntVector_Intrinsics_vec256 v1_0 = v1_; + Lib_IntVector_Intrinsics_vec256 v2_0 = v2_; + Lib_IntVector_Intrinsics_vec256 v3_0 = v3_; + Lib_IntVector_Intrinsics_vec256 v4_0 = v4_; + Lib_IntVector_Intrinsics_vec256 v5_0 = v5_; + Lib_IntVector_Intrinsics_vec256 v6_0 = v6_; + Lib_IntVector_Intrinsics_vec256 v7_0 = v7_; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v4_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v6_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v5_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 + v7_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 v0_10 = v0_1; + Lib_IntVector_Intrinsics_vec256 v1_10 = v1_1; + Lib_IntVector_Intrinsics_vec256 v2_10 = v2_1; + Lib_IntVector_Intrinsics_vec256 v3_10 = v3_1; + Lib_IntVector_Intrinsics_vec256 v4_10 = v4_1; + Lib_IntVector_Intrinsics_vec256 v5_10 = v5_1; + Lib_IntVector_Intrinsics_vec256 v6_10 = v6_1; + Lib_IntVector_Intrinsics_vec256 v7_10 = 
v7_1; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v4_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v5_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v6_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 + v7_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 v0_20 = v0_2; + Lib_IntVector_Intrinsics_vec256 v1_20 = v1_2; + Lib_IntVector_Intrinsics_vec256 v2_20 = v2_2; + Lib_IntVector_Intrinsics_vec256 v3_20 = v3_2; + Lib_IntVector_Intrinsics_vec256 v4_20 = v4_2; + Lib_IntVector_Intrinsics_vec256 v5_20 = v5_2; + Lib_IntVector_Intrinsics_vec256 v6_20 = v6_2; + Lib_IntVector_Intrinsics_vec256 v7_20 = v7_2; + Lib_IntVector_Intrinsics_vec256 v0_3 = v0_20; + Lib_IntVector_Intrinsics_vec256 v1_3 = v1_20; + Lib_IntVector_Intrinsics_vec256 v2_3 = v2_20; + Lib_IntVector_Intrinsics_vec256 v3_3 = v3_20; + Lib_IntVector_Intrinsics_vec256 v4_3 = v4_20; + Lib_IntVector_Intrinsics_vec256 v5_3 = v5_20; + Lib_IntVector_Intrinsics_vec256 v6_3 = v6_20; + Lib_IntVector_Intrinsics_vec256 v7_3 = v7_20; + Lib_IntVector_Intrinsics_vec256 ws0 = v0_3; + Lib_IntVector_Intrinsics_vec256 ws1 = v2_3; + Lib_IntVector_Intrinsics_vec256 ws2 = v1_3; + Lib_IntVector_Intrinsics_vec256 ws3 = v3_3; + Lib_IntVector_Intrinsics_vec256 ws4 = v4_3; + Lib_IntVector_Intrinsics_vec256 ws5 = v6_3; + Lib_IntVector_Intrinsics_vec256 ws6 = v5_3; + Lib_IntVector_Intrinsics_vec256 
ws7 = v7_3; + Lib_IntVector_Intrinsics_vec256 v0 = ws[8U]; + Lib_IntVector_Intrinsics_vec256 v1 = ws[9U]; + Lib_IntVector_Intrinsics_vec256 v2 = ws[10U]; + Lib_IntVector_Intrinsics_vec256 v3 = ws[11U]; + Lib_IntVector_Intrinsics_vec256 v4 = ws[12U]; + Lib_IntVector_Intrinsics_vec256 v5 = ws[13U]; + Lib_IntVector_Intrinsics_vec256 v6 = ws[14U]; + Lib_IntVector_Intrinsics_vec256 v7 = ws[15U]; + Lib_IntVector_Intrinsics_vec256 + v0_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v1_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v2_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v3_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v4_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v4, v5); + Lib_IntVector_Intrinsics_vec256 + v5_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v4, v5); + Lib_IntVector_Intrinsics_vec256 + v6_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v6, v7); + Lib_IntVector_Intrinsics_vec256 + v7_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v6, v7); + Lib_IntVector_Intrinsics_vec256 v0_5 = v0_4; + Lib_IntVector_Intrinsics_vec256 v1_5 = v1_4; + Lib_IntVector_Intrinsics_vec256 v2_5 = v2_4; + Lib_IntVector_Intrinsics_vec256 v3_5 = v3_4; + Lib_IntVector_Intrinsics_vec256 v4_5 = v4_4; + Lib_IntVector_Intrinsics_vec256 v5_5 = v5_4; + Lib_IntVector_Intrinsics_vec256 v6_5 = v6_4; + Lib_IntVector_Intrinsics_vec256 v7_5 = v7_4; + Lib_IntVector_Intrinsics_vec256 + v0_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v2_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v1_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v3_11 = 
Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v4_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v6_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v5_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 + v7_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 v0_12 = v0_11; + Lib_IntVector_Intrinsics_vec256 v1_12 = v1_11; + Lib_IntVector_Intrinsics_vec256 v2_12 = v2_11; + Lib_IntVector_Intrinsics_vec256 v3_12 = v3_11; + Lib_IntVector_Intrinsics_vec256 v4_12 = v4_11; + Lib_IntVector_Intrinsics_vec256 v5_12 = v5_11; + Lib_IntVector_Intrinsics_vec256 v6_12 = v6_11; + Lib_IntVector_Intrinsics_vec256 v7_12 = v7_11; + Lib_IntVector_Intrinsics_vec256 + v0_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v4_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v1_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v5_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v2_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v6_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v3_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 + v7_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 v0_22 = v0_21; + Lib_IntVector_Intrinsics_vec256 v1_22 = v1_21; + Lib_IntVector_Intrinsics_vec256 v2_22 = v2_21; + Lib_IntVector_Intrinsics_vec256 v3_22 = v3_21; + Lib_IntVector_Intrinsics_vec256 v4_22 = 
v4_21; + Lib_IntVector_Intrinsics_vec256 v5_22 = v5_21; + Lib_IntVector_Intrinsics_vec256 v6_22 = v6_21; + Lib_IntVector_Intrinsics_vec256 v7_22 = v7_21; + Lib_IntVector_Intrinsics_vec256 v0_6 = v0_22; + Lib_IntVector_Intrinsics_vec256 v1_6 = v1_22; + Lib_IntVector_Intrinsics_vec256 v2_6 = v2_22; + Lib_IntVector_Intrinsics_vec256 v3_6 = v3_22; + Lib_IntVector_Intrinsics_vec256 v4_6 = v4_22; + Lib_IntVector_Intrinsics_vec256 v5_6 = v5_22; + Lib_IntVector_Intrinsics_vec256 v6_6 = v6_22; + Lib_IntVector_Intrinsics_vec256 v7_6 = v7_22; + Lib_IntVector_Intrinsics_vec256 ws8 = v0_6; + Lib_IntVector_Intrinsics_vec256 ws9 = v2_6; + Lib_IntVector_Intrinsics_vec256 ws10 = v1_6; + Lib_IntVector_Intrinsics_vec256 ws11 = v3_6; + Lib_IntVector_Intrinsics_vec256 ws12 = v4_6; + Lib_IntVector_Intrinsics_vec256 ws13 = v6_6; + Lib_IntVector_Intrinsics_vec256 ws14 = v5_6; + Lib_IntVector_Intrinsics_vec256 ws15 = v7_6; + ws[0U] = ws0; + ws[1U] = ws1; + ws[2U] = ws2; + ws[3U] = ws3; + ws[4U] = ws4; + ws[5U] = ws5; + ws[6U] = ws6; + ws[7U] = ws7; + ws[8U] = ws8; + ws[9U] = ws9; + ws[10U] = ws10; + ws[11U] = ws11; + ws[12U] = ws12; + ws[13U] = ws13; + ws[14U] = ws14; + ws[15U] = ws15; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i0 + i]; + Lib_IntVector_Intrinsics_vec256 ws_t = ws[i]; + Lib_IntVector_Intrinsics_vec256 a0 = hash[0U]; + Lib_IntVector_Intrinsics_vec256 b0 = hash[1U]; + Lib_IntVector_Intrinsics_vec256 c0 = hash[2U]; + Lib_IntVector_Intrinsics_vec256 d0 = hash[3U]; + Lib_IntVector_Intrinsics_vec256 e0 = hash[4U]; + Lib_IntVector_Intrinsics_vec256 f0 = hash[5U]; + Lib_IntVector_Intrinsics_vec256 g0 = hash[6U]; + Lib_IntVector_Intrinsics_vec256 h02 = hash[7U]; + Lib_IntVector_Intrinsics_vec256 k_e_t = Lib_IntVector_Intrinsics_vec256_load32(k_t); + Lib_IntVector_Intrinsics_vec256 + t1 = + 
Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(h02, + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(e0, + (uint32_t)6U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(e0, + (uint32_t)11U), + Lib_IntVector_Intrinsics_vec256_rotate_right32(e0, (uint32_t)25U)))), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(e0, f0), + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_lognot(e0), g0))), + k_e_t), + ws_t); + Lib_IntVector_Intrinsics_vec256 + t2 = + Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(a0, + (uint32_t)2U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(a0, + (uint32_t)13U), + Lib_IntVector_Intrinsics_vec256_rotate_right32(a0, (uint32_t)22U))), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(a0, b0), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(a0, c0), + Lib_IntVector_Intrinsics_vec256_and(b0, c0)))); + Lib_IntVector_Intrinsics_vec256 a1 = Lib_IntVector_Intrinsics_vec256_add32(t1, t2); + Lib_IntVector_Intrinsics_vec256 b1 = a0; + Lib_IntVector_Intrinsics_vec256 c1 = b0; + Lib_IntVector_Intrinsics_vec256 d1 = c0; + Lib_IntVector_Intrinsics_vec256 e1 = Lib_IntVector_Intrinsics_vec256_add32(d0, t1); + Lib_IntVector_Intrinsics_vec256 f1 = e0; + Lib_IntVector_Intrinsics_vec256 g1 = f0; + Lib_IntVector_Intrinsics_vec256 h12 = g0; + hash[0U] = a1; + hash[1U] = b1; + hash[2U] = c1; + hash[3U] = d1; + hash[4U] = e1; + hash[5U] = f1; + hash[6U] = g1; + hash[7U] = h12; + } + if (i0 < (uint32_t)4U - (uint32_t)1U) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec256 t16 = ws[i]; + Lib_IntVector_Intrinsics_vec256 t15 = ws[(i + (uint32_t)1U) 
% (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 + s1 = + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(t2, + (uint32_t)17U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(t2, + (uint32_t)19U), + Lib_IntVector_Intrinsics_vec256_shift_right32(t2, (uint32_t)10U))); + Lib_IntVector_Intrinsics_vec256 + s0 = + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(t15, + (uint32_t)7U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(t15, + (uint32_t)18U), + Lib_IntVector_Intrinsics_vec256_shift_right32(t15, (uint32_t)3U))); + ws[i] = + Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(s1, + t7), + s0), + t16); + } + } + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256 *os = hash; + Lib_IntVector_Intrinsics_vec256 + x = Lib_IntVector_Intrinsics_vec256_add32(hash[i], hash_old[i]); + os[i] = x; + } +} + +typedef struct +__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__s +{ + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + fst; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + snd; +} +__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_; + +void +Hacl_SHA2_Vec256_sha224_8( + uint8_t *dst0, + uint8_t *dst1, + uint8_t 
*dst2, + uint8_t *dst3, + uint8_t *dst4, + uint8_t *dst5, + uint8_t *dst6, + uint8_t *dst7, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3, + uint8_t *input4, + uint8_t *input5, + uint8_t *input6, + uint8_t *input7 +) +{ + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + ib = + { + .fst = input0, + .snd = { + .fst = input1, + .snd = { + .fst = input2, + .snd = { + .fst = input3, + .snd = { + .fst = input4, + .snd = { .fst = input5, .snd = { .fst = input6, .snd = input7 } } + } + } + } + } + }; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + rb = + { + .fst = dst0, + .snd = { + .fst = dst1, + .snd = { + .fst = dst2, + .snd = { + .fst = dst3, + .snd = { .fst = dst4, .snd = { .fst = dst5, .snd = { .fst = dst6, .snd = dst7 } } } + } + } + } + }; + Lib_IntVector_Intrinsics_vec256 st[8U]; + for (uint32_t _i = 0U; _i < (uint32_t)8U; ++_i) + st[_i] = Lib_IntVector_Intrinsics_vec256_zero; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256 *os = st; + uint32_t hi = Hacl_Impl_SHA2_Generic_h224[i]; + Lib_IntVector_Intrinsics_vec256 x = Lib_IntVector_Intrinsics_vec256_load32(hi); + os[i] = x; + } + uint32_t rem = input_len % (uint32_t)64U; + uint64_t len_ = (uint64_t)input_len; + uint32_t blocks0 = input_len / (uint32_t)64U; + for (uint32_t i = (uint32_t)0U; i < blocks0; i++) + { + uint8_t *b7 = ib.snd.snd.snd.snd.snd.snd.snd; + uint8_t *b6 = ib.snd.snd.snd.snd.snd.snd.fst; + uint8_t *b5 = ib.snd.snd.snd.snd.snd.fst; + uint8_t *b4 = ib.snd.snd.snd.snd.fst; + uint8_t *b3 = ib.snd.snd.snd.fst; + uint8_t *b2 = ib.snd.snd.fst; + uint8_t *b1 = ib.snd.fst; + uint8_t *b0 = ib.fst; + uint8_t *bl0 = b0 + i * (uint32_t)64U; + uint8_t *bl1 = b1 + i * (uint32_t)64U; + uint8_t *bl2 = b2 + i * (uint32_t)64U; + uint8_t *bl3 = b3 + i * (uint32_t)64U; + uint8_t *bl4 = b4 + i * 
(uint32_t)64U; + uint8_t *bl5 = b5 + i * (uint32_t)64U; + uint8_t *bl6 = b6 + i * (uint32_t)64U; + uint8_t *bl7 = b7 + i * (uint32_t)64U; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb = + { + .fst = bl0, + .snd = { + .fst = bl1, + .snd = { + .fst = bl2, + .snd = { + .fst = bl3, + .snd = { .fst = bl4, .snd = { .fst = bl5, .snd = { .fst = bl6, .snd = bl7 } } } + } + } + } + }; + sha224_update8(mb, st); + } + uint32_t rem1 = input_len % (uint32_t)64U; + uint8_t *b7 = ib.snd.snd.snd.snd.snd.snd.snd; + uint8_t *b60 = ib.snd.snd.snd.snd.snd.snd.fst; + uint8_t *b50 = ib.snd.snd.snd.snd.snd.fst; + uint8_t *b40 = ib.snd.snd.snd.snd.fst; + uint8_t *b30 = ib.snd.snd.snd.fst; + uint8_t *b20 = ib.snd.snd.fst; + uint8_t *b10 = ib.snd.fst; + uint8_t *b00 = ib.fst; + uint8_t *bl0 = b00 + input_len - rem1; + uint8_t *bl1 = b10 + input_len - rem1; + uint8_t *bl2 = b20 + input_len - rem1; + uint8_t *bl3 = b30 + input_len - rem1; + uint8_t *bl4 = b40 + input_len - rem1; + uint8_t *bl5 = b50 + input_len - rem1; + uint8_t *bl6 = b60 + input_len - rem1; + uint8_t *bl7 = b7 + input_len - rem1; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + lb = + { + .fst = bl0, + .snd = { + .fst = bl1, + .snd = { + .fst = bl2, + .snd = { + .fst = bl3, + .snd = { .fst = bl4, .snd = { .fst = bl5, .snd = { .fst = bl6, .snd = bl7 } } } + } + } + } + }; + uint32_t blocks; + if (rem + (uint32_t)8U + (uint32_t)1U <= (uint32_t)64U) + { + blocks = (uint32_t)1U; + } + else + { + blocks = (uint32_t)2U; + } + uint32_t fin = blocks * (uint32_t)64U; + uint8_t last[1024U] = { 0U }; + uint8_t totlen_buf[8U] = { 0U }; + uint64_t total_len_bits = len_ << (uint32_t)3U; + store64_be(totlen_buf, total_len_bits); + uint8_t *b70 = lb.snd.snd.snd.snd.snd.snd.snd; + uint8_t *b61 = lb.snd.snd.snd.snd.snd.snd.fst; + uint8_t *b51 = lb.snd.snd.snd.snd.snd.fst; + uint8_t *b41 = lb.snd.snd.snd.snd.fst; + 
uint8_t *b31 = lb.snd.snd.snd.fst; + uint8_t *b21 = lb.snd.snd.fst; + uint8_t *b11 = lb.snd.fst; + uint8_t *b01 = lb.fst; + uint8_t *last00 = last; + uint8_t *last10 = last + (uint32_t)128U; + uint8_t *last2 = last + (uint32_t)256U; + uint8_t *last3 = last + (uint32_t)384U; + uint8_t *last4 = last + (uint32_t)512U; + uint8_t *last5 = last + (uint32_t)640U; + uint8_t *last6 = last + (uint32_t)768U; + uint8_t *last7 = last + (uint32_t)896U; + memcpy(last00, b01, rem * sizeof (uint8_t)); + last00[rem] = (uint8_t)0x80U; + memcpy(last00 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last010 = last00; + uint8_t *last110 = last00 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut = { .fst = last010, .snd = last110 }; + uint8_t *l00 = scrut.fst; + uint8_t *l01 = scrut.snd; + memcpy(last10, b11, rem * sizeof (uint8_t)); + last10[rem] = (uint8_t)0x80U; + memcpy(last10 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last011 = last10; + uint8_t *last111 = last10 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut0 = { .fst = last011, .snd = last111 }; + uint8_t *l10 = scrut0.fst; + uint8_t *l11 = scrut0.snd; + memcpy(last2, b21, rem * sizeof (uint8_t)); + last2[rem] = (uint8_t)0x80U; + memcpy(last2 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last012 = last2; + uint8_t *last112 = last2 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut1 = { .fst = last012, .snd = last112 }; + uint8_t *l20 = scrut1.fst; + uint8_t *l21 = scrut1.snd; + memcpy(last3, b31, rem * sizeof (uint8_t)); + last3[rem] = (uint8_t)0x80U; + memcpy(last3 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last013 = last3; + uint8_t *last113 = last3 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut2 = { .fst = last013, .snd = last113 }; + uint8_t *l30 = scrut2.fst; + uint8_t *l31 = scrut2.snd; + memcpy(last4, b41, rem * sizeof (uint8_t)); + last4[rem] = (uint8_t)0x80U; + memcpy(last4 + fin - 
(uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last014 = last4; + uint8_t *last114 = last4 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut3 = { .fst = last014, .snd = last114 }; + uint8_t *l40 = scrut3.fst; + uint8_t *l41 = scrut3.snd; + memcpy(last5, b51, rem * sizeof (uint8_t)); + last5[rem] = (uint8_t)0x80U; + memcpy(last5 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last015 = last5; + uint8_t *last115 = last5 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut4 = { .fst = last015, .snd = last115 }; + uint8_t *l50 = scrut4.fst; + uint8_t *l51 = scrut4.snd; + memcpy(last6, b61, rem * sizeof (uint8_t)); + last6[rem] = (uint8_t)0x80U; + memcpy(last6 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last016 = last6; + uint8_t *last116 = last6 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut5 = { .fst = last016, .snd = last116 }; + uint8_t *l60 = scrut5.fst; + uint8_t *l61 = scrut5.snd; + memcpy(last7, b70, rem * sizeof (uint8_t)); + last7[rem] = (uint8_t)0x80U; + memcpy(last7 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last01 = last7; + uint8_t *last11 = last7 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut6 = { .fst = last01, .snd = last11 }; + uint8_t *l70 = scrut6.fst; + uint8_t *l71 = scrut6.snd; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb0 = + { + .fst = l00, + .snd = { + .fst = l10, + .snd = { + .fst = l20, + .snd = { + .fst = l30, + .snd = { .fst = l40, .snd = { .fst = l50, .snd = { .fst = l60, .snd = l70 } } } + } + } + } + }; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb1 = + { + .fst = l01, + .snd = { + .fst = l11, + .snd = { + .fst = l21, + .snd = { + .fst = l31, + .snd = { .fst = l41, .snd = { .fst = l51, .snd = { .fst = l61, .snd = l71 } } } + } + } + } + }; + 
__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + scrut7 = { .fst = mb0, .snd = mb1 }; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + last0 = scrut7.fst; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + last1 = scrut7.snd; + sha224_update8(last0, st); + if (blocks > (uint32_t)1U) + { + sha224_update8(last1, st); + } + KRML_CHECK_SIZE(sizeof (uint8_t), (uint32_t)8U * (uint32_t)8U * (uint32_t)4U); + uint8_t hbuf[(uint32_t)8U * (uint32_t)8U * (uint32_t)4U]; + memset(hbuf, 0U, (uint32_t)8U * (uint32_t)8U * (uint32_t)4U * sizeof (uint8_t)); + Lib_IntVector_Intrinsics_vec256 v0 = st[0U]; + Lib_IntVector_Intrinsics_vec256 v1 = st[1U]; + Lib_IntVector_Intrinsics_vec256 v2 = st[2U]; + Lib_IntVector_Intrinsics_vec256 v3 = st[3U]; + Lib_IntVector_Intrinsics_vec256 v4 = st[4U]; + Lib_IntVector_Intrinsics_vec256 v5 = st[5U]; + Lib_IntVector_Intrinsics_vec256 v6 = st[6U]; + Lib_IntVector_Intrinsics_vec256 v7 = st[7U]; + Lib_IntVector_Intrinsics_vec256 v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v0, v1); + Lib_IntVector_Intrinsics_vec256 v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v2, v3); + Lib_IntVector_Intrinsics_vec256 v4_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v4, v5); + Lib_IntVector_Intrinsics_vec256 + v5_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v4, v5); + Lib_IntVector_Intrinsics_vec256 v6_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v6, v7); + Lib_IntVector_Intrinsics_vec256 + v7_ = 
Lib_IntVector_Intrinsics_vec256_interleave_high32(v6, v7); + Lib_IntVector_Intrinsics_vec256 v0_0 = v0_; + Lib_IntVector_Intrinsics_vec256 v1_0 = v1_; + Lib_IntVector_Intrinsics_vec256 v2_0 = v2_; + Lib_IntVector_Intrinsics_vec256 v3_0 = v3_; + Lib_IntVector_Intrinsics_vec256 v4_0 = v4_; + Lib_IntVector_Intrinsics_vec256 v5_0 = v5_; + Lib_IntVector_Intrinsics_vec256 v6_0 = v6_; + Lib_IntVector_Intrinsics_vec256 v7_0 = v7_; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v4_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v6_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v5_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 + v7_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 v0_10 = v0_1; + Lib_IntVector_Intrinsics_vec256 v1_10 = v1_1; + Lib_IntVector_Intrinsics_vec256 v2_10 = v2_1; + Lib_IntVector_Intrinsics_vec256 v3_10 = v3_1; + Lib_IntVector_Intrinsics_vec256 v4_10 = v4_1; + Lib_IntVector_Intrinsics_vec256 v5_10 = v5_1; + Lib_IntVector_Intrinsics_vec256 v6_10 = v6_1; + Lib_IntVector_Intrinsics_vec256 v7_10 = v7_1; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v4_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_10, v5_10); + 
Lib_IntVector_Intrinsics_vec256 + v5_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v6_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 + v7_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 v0_20 = v0_2; + Lib_IntVector_Intrinsics_vec256 v1_20 = v1_2; + Lib_IntVector_Intrinsics_vec256 v2_20 = v2_2; + Lib_IntVector_Intrinsics_vec256 v3_20 = v3_2; + Lib_IntVector_Intrinsics_vec256 v4_20 = v4_2; + Lib_IntVector_Intrinsics_vec256 v5_20 = v5_2; + Lib_IntVector_Intrinsics_vec256 v6_20 = v6_2; + Lib_IntVector_Intrinsics_vec256 v7_20 = v7_2; + Lib_IntVector_Intrinsics_vec256 v0_3 = v0_20; + Lib_IntVector_Intrinsics_vec256 v1_3 = v1_20; + Lib_IntVector_Intrinsics_vec256 v2_3 = v2_20; + Lib_IntVector_Intrinsics_vec256 v3_3 = v3_20; + Lib_IntVector_Intrinsics_vec256 v4_3 = v4_20; + Lib_IntVector_Intrinsics_vec256 v5_3 = v5_20; + Lib_IntVector_Intrinsics_vec256 v6_3 = v6_20; + Lib_IntVector_Intrinsics_vec256 v7_3 = v7_20; + Lib_IntVector_Intrinsics_vec256 st0_ = v0_3; + Lib_IntVector_Intrinsics_vec256 st1_ = v2_3; + Lib_IntVector_Intrinsics_vec256 st2_ = v1_3; + Lib_IntVector_Intrinsics_vec256 st3_ = v3_3; + Lib_IntVector_Intrinsics_vec256 st4_ = v4_3; + Lib_IntVector_Intrinsics_vec256 st5_ = v6_3; + Lib_IntVector_Intrinsics_vec256 st6_ = v5_3; + Lib_IntVector_Intrinsics_vec256 st7_ = v7_3; + st[0U] = st0_; + st[1U] = st1_; + st[2U] = st2_; + st[3U] = st3_; + st[4U] = st4_; + st[5U] = st5_; + st[6U] = st6_; + st[7U] = st7_; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256_store32_be(hbuf + i * (uint32_t)32U, st[i]); + } + uint8_t *b71 = 
rb.snd.snd.snd.snd.snd.snd.snd; + uint8_t *b6 = rb.snd.snd.snd.snd.snd.snd.fst; + uint8_t *b5 = rb.snd.snd.snd.snd.snd.fst; + uint8_t *b4 = rb.snd.snd.snd.snd.fst; + uint8_t *b3 = rb.snd.snd.snd.fst; + uint8_t *b2 = rb.snd.snd.fst; + uint8_t *b1 = rb.snd.fst; + uint8_t *b0 = rb.fst; + memcpy(b0, hbuf, (uint32_t)28U * sizeof (uint8_t)); + memcpy(b1, hbuf + (uint32_t)32U, (uint32_t)28U * sizeof (uint8_t)); + memcpy(b2, hbuf + (uint32_t)64U, (uint32_t)28U * sizeof (uint8_t)); + memcpy(b3, hbuf + (uint32_t)96U, (uint32_t)28U * sizeof (uint8_t)); + memcpy(b4, hbuf + (uint32_t)128U, (uint32_t)28U * sizeof (uint8_t)); + memcpy(b5, hbuf + (uint32_t)160U, (uint32_t)28U * sizeof (uint8_t)); + memcpy(b6, hbuf + (uint32_t)192U, (uint32_t)28U * sizeof (uint8_t)); + memcpy(b71, hbuf + (uint32_t)224U, (uint32_t)28U * sizeof (uint8_t)); +} + +static inline void +sha256_update8( + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + block, + Lib_IntVector_Intrinsics_vec256 *hash +) +{ + Lib_IntVector_Intrinsics_vec256 hash_old[8U]; + for (uint32_t _i = 0U; _i < (uint32_t)8U; ++_i) + hash_old[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 ws[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + ws[_i] = Lib_IntVector_Intrinsics_vec256_zero; + memcpy(hash_old, hash, (uint32_t)8U * sizeof (Lib_IntVector_Intrinsics_vec256)); + uint8_t *b7 = block.snd.snd.snd.snd.snd.snd.snd; + uint8_t *b6 = block.snd.snd.snd.snd.snd.snd.fst; + uint8_t *b5 = block.snd.snd.snd.snd.snd.fst; + uint8_t *b4 = block.snd.snd.snd.snd.fst; + uint8_t *b3 = block.snd.snd.snd.fst; + uint8_t *b2 = block.snd.snd.fst; + uint8_t *b10 = block.snd.fst; + uint8_t *b00 = block.fst; + ws[0U] = Lib_IntVector_Intrinsics_vec256_load32_be(b00); + ws[1U] = Lib_IntVector_Intrinsics_vec256_load32_be(b10); + ws[2U] = Lib_IntVector_Intrinsics_vec256_load32_be(b2); + ws[3U] = Lib_IntVector_Intrinsics_vec256_load32_be(b3); + ws[4U] = 
Lib_IntVector_Intrinsics_vec256_load32_be(b4); + ws[5U] = Lib_IntVector_Intrinsics_vec256_load32_be(b5); + ws[6U] = Lib_IntVector_Intrinsics_vec256_load32_be(b6); + ws[7U] = Lib_IntVector_Intrinsics_vec256_load32_be(b7); + ws[8U] = Lib_IntVector_Intrinsics_vec256_load32_be(b00 + (uint32_t)32U); + ws[9U] = Lib_IntVector_Intrinsics_vec256_load32_be(b10 + (uint32_t)32U); + ws[10U] = Lib_IntVector_Intrinsics_vec256_load32_be(b2 + (uint32_t)32U); + ws[11U] = Lib_IntVector_Intrinsics_vec256_load32_be(b3 + (uint32_t)32U); + ws[12U] = Lib_IntVector_Intrinsics_vec256_load32_be(b4 + (uint32_t)32U); + ws[13U] = Lib_IntVector_Intrinsics_vec256_load32_be(b5 + (uint32_t)32U); + ws[14U] = Lib_IntVector_Intrinsics_vec256_load32_be(b6 + (uint32_t)32U); + ws[15U] = Lib_IntVector_Intrinsics_vec256_load32_be(b7 + (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 v00 = ws[0U]; + Lib_IntVector_Intrinsics_vec256 v10 = ws[1U]; + Lib_IntVector_Intrinsics_vec256 v20 = ws[2U]; + Lib_IntVector_Intrinsics_vec256 v30 = ws[3U]; + Lib_IntVector_Intrinsics_vec256 v40 = ws[4U]; + Lib_IntVector_Intrinsics_vec256 v50 = ws[5U]; + Lib_IntVector_Intrinsics_vec256 v60 = ws[6U]; + Lib_IntVector_Intrinsics_vec256 v70 = ws[7U]; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v4_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v5_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v6_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v60, v70); + Lib_IntVector_Intrinsics_vec256 + v7_ = 
Lib_IntVector_Intrinsics_vec256_interleave_high32(v60, v70); + Lib_IntVector_Intrinsics_vec256 v0_0 = v0_; + Lib_IntVector_Intrinsics_vec256 v1_0 = v1_; + Lib_IntVector_Intrinsics_vec256 v2_0 = v2_; + Lib_IntVector_Intrinsics_vec256 v3_0 = v3_; + Lib_IntVector_Intrinsics_vec256 v4_0 = v4_; + Lib_IntVector_Intrinsics_vec256 v5_0 = v5_; + Lib_IntVector_Intrinsics_vec256 v6_0 = v6_; + Lib_IntVector_Intrinsics_vec256 v7_0 = v7_; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v4_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v6_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v5_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 + v7_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 v0_10 = v0_1; + Lib_IntVector_Intrinsics_vec256 v1_10 = v1_1; + Lib_IntVector_Intrinsics_vec256 v2_10 = v2_1; + Lib_IntVector_Intrinsics_vec256 v3_10 = v3_1; + Lib_IntVector_Intrinsics_vec256 v4_10 = v4_1; + Lib_IntVector_Intrinsics_vec256 v5_10 = v5_1; + Lib_IntVector_Intrinsics_vec256 v6_10 = v6_1; + Lib_IntVector_Intrinsics_vec256 v7_10 = v7_1; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v4_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_10, v5_10); + 
Lib_IntVector_Intrinsics_vec256 + v5_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v6_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 + v7_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 v0_20 = v0_2; + Lib_IntVector_Intrinsics_vec256 v1_20 = v1_2; + Lib_IntVector_Intrinsics_vec256 v2_20 = v2_2; + Lib_IntVector_Intrinsics_vec256 v3_20 = v3_2; + Lib_IntVector_Intrinsics_vec256 v4_20 = v4_2; + Lib_IntVector_Intrinsics_vec256 v5_20 = v5_2; + Lib_IntVector_Intrinsics_vec256 v6_20 = v6_2; + Lib_IntVector_Intrinsics_vec256 v7_20 = v7_2; + Lib_IntVector_Intrinsics_vec256 v0_3 = v0_20; + Lib_IntVector_Intrinsics_vec256 v1_3 = v1_20; + Lib_IntVector_Intrinsics_vec256 v2_3 = v2_20; + Lib_IntVector_Intrinsics_vec256 v3_3 = v3_20; + Lib_IntVector_Intrinsics_vec256 v4_3 = v4_20; + Lib_IntVector_Intrinsics_vec256 v5_3 = v5_20; + Lib_IntVector_Intrinsics_vec256 v6_3 = v6_20; + Lib_IntVector_Intrinsics_vec256 v7_3 = v7_20; + Lib_IntVector_Intrinsics_vec256 ws0 = v0_3; + Lib_IntVector_Intrinsics_vec256 ws1 = v2_3; + Lib_IntVector_Intrinsics_vec256 ws2 = v1_3; + Lib_IntVector_Intrinsics_vec256 ws3 = v3_3; + Lib_IntVector_Intrinsics_vec256 ws4 = v4_3; + Lib_IntVector_Intrinsics_vec256 ws5 = v6_3; + Lib_IntVector_Intrinsics_vec256 ws6 = v5_3; + Lib_IntVector_Intrinsics_vec256 ws7 = v7_3; + Lib_IntVector_Intrinsics_vec256 v0 = ws[8U]; + Lib_IntVector_Intrinsics_vec256 v1 = ws[9U]; + Lib_IntVector_Intrinsics_vec256 v2 = ws[10U]; + Lib_IntVector_Intrinsics_vec256 v3 = ws[11U]; + Lib_IntVector_Intrinsics_vec256 v4 = ws[12U]; + Lib_IntVector_Intrinsics_vec256 v5 = ws[13U]; + Lib_IntVector_Intrinsics_vec256 v6 
= ws[14U]; + Lib_IntVector_Intrinsics_vec256 v7 = ws[15U]; + Lib_IntVector_Intrinsics_vec256 + v0_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v1_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v2_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v3_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v4_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v4, v5); + Lib_IntVector_Intrinsics_vec256 + v5_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v4, v5); + Lib_IntVector_Intrinsics_vec256 + v6_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v6, v7); + Lib_IntVector_Intrinsics_vec256 + v7_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v6, v7); + Lib_IntVector_Intrinsics_vec256 v0_5 = v0_4; + Lib_IntVector_Intrinsics_vec256 v1_5 = v1_4; + Lib_IntVector_Intrinsics_vec256 v2_5 = v2_4; + Lib_IntVector_Intrinsics_vec256 v3_5 = v3_4; + Lib_IntVector_Intrinsics_vec256 v4_5 = v4_4; + Lib_IntVector_Intrinsics_vec256 v5_5 = v5_4; + Lib_IntVector_Intrinsics_vec256 v6_5 = v6_4; + Lib_IntVector_Intrinsics_vec256 v7_5 = v7_4; + Lib_IntVector_Intrinsics_vec256 + v0_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v2_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v1_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v3_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v4_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v6_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v5_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_5, v7_5); + 
Lib_IntVector_Intrinsics_vec256 + v7_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 v0_12 = v0_11; + Lib_IntVector_Intrinsics_vec256 v1_12 = v1_11; + Lib_IntVector_Intrinsics_vec256 v2_12 = v2_11; + Lib_IntVector_Intrinsics_vec256 v3_12 = v3_11; + Lib_IntVector_Intrinsics_vec256 v4_12 = v4_11; + Lib_IntVector_Intrinsics_vec256 v5_12 = v5_11; + Lib_IntVector_Intrinsics_vec256 v6_12 = v6_11; + Lib_IntVector_Intrinsics_vec256 v7_12 = v7_11; + Lib_IntVector_Intrinsics_vec256 + v0_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v4_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v1_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v5_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v2_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v6_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v3_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 + v7_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 v0_22 = v0_21; + Lib_IntVector_Intrinsics_vec256 v1_22 = v1_21; + Lib_IntVector_Intrinsics_vec256 v2_22 = v2_21; + Lib_IntVector_Intrinsics_vec256 v3_22 = v3_21; + Lib_IntVector_Intrinsics_vec256 v4_22 = v4_21; + Lib_IntVector_Intrinsics_vec256 v5_22 = v5_21; + Lib_IntVector_Intrinsics_vec256 v6_22 = v6_21; + Lib_IntVector_Intrinsics_vec256 v7_22 = v7_21; + Lib_IntVector_Intrinsics_vec256 v0_6 = v0_22; + Lib_IntVector_Intrinsics_vec256 v1_6 = v1_22; + Lib_IntVector_Intrinsics_vec256 v2_6 = v2_22; + Lib_IntVector_Intrinsics_vec256 v3_6 = v3_22; + Lib_IntVector_Intrinsics_vec256 v4_6 = 
v4_22; + Lib_IntVector_Intrinsics_vec256 v5_6 = v5_22; + Lib_IntVector_Intrinsics_vec256 v6_6 = v6_22; + Lib_IntVector_Intrinsics_vec256 v7_6 = v7_22; + Lib_IntVector_Intrinsics_vec256 ws8 = v0_6; + Lib_IntVector_Intrinsics_vec256 ws9 = v2_6; + Lib_IntVector_Intrinsics_vec256 ws10 = v1_6; + Lib_IntVector_Intrinsics_vec256 ws11 = v3_6; + Lib_IntVector_Intrinsics_vec256 ws12 = v4_6; + Lib_IntVector_Intrinsics_vec256 ws13 = v6_6; + Lib_IntVector_Intrinsics_vec256 ws14 = v5_6; + Lib_IntVector_Intrinsics_vec256 ws15 = v7_6; + ws[0U] = ws0; + ws[1U] = ws1; + ws[2U] = ws2; + ws[3U] = ws3; + ws[4U] = ws4; + ws[5U] = ws5; + ws[6U] = ws6; + ws[7U] = ws7; + ws[8U] = ws8; + ws[9U] = ws9; + ws[10U] = ws10; + ws[11U] = ws11; + ws[12U] = ws12; + ws[13U] = ws13; + ws[14U] = ws14; + ws[15U] = ws15; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i0 + i]; + Lib_IntVector_Intrinsics_vec256 ws_t = ws[i]; + Lib_IntVector_Intrinsics_vec256 a0 = hash[0U]; + Lib_IntVector_Intrinsics_vec256 b0 = hash[1U]; + Lib_IntVector_Intrinsics_vec256 c0 = hash[2U]; + Lib_IntVector_Intrinsics_vec256 d0 = hash[3U]; + Lib_IntVector_Intrinsics_vec256 e0 = hash[4U]; + Lib_IntVector_Intrinsics_vec256 f0 = hash[5U]; + Lib_IntVector_Intrinsics_vec256 g0 = hash[6U]; + Lib_IntVector_Intrinsics_vec256 h02 = hash[7U]; + Lib_IntVector_Intrinsics_vec256 k_e_t = Lib_IntVector_Intrinsics_vec256_load32(k_t); + Lib_IntVector_Intrinsics_vec256 + t1 = + Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(h02, + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(e0, + (uint32_t)6U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(e0, + (uint32_t)11U), + Lib_IntVector_Intrinsics_vec256_rotate_right32(e0, 
(uint32_t)25U)))), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(e0, f0), + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_lognot(e0), g0))), + k_e_t), + ws_t); + Lib_IntVector_Intrinsics_vec256 + t2 = + Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(a0, + (uint32_t)2U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(a0, + (uint32_t)13U), + Lib_IntVector_Intrinsics_vec256_rotate_right32(a0, (uint32_t)22U))), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(a0, b0), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(a0, c0), + Lib_IntVector_Intrinsics_vec256_and(b0, c0)))); + Lib_IntVector_Intrinsics_vec256 a1 = Lib_IntVector_Intrinsics_vec256_add32(t1, t2); + Lib_IntVector_Intrinsics_vec256 b1 = a0; + Lib_IntVector_Intrinsics_vec256 c1 = b0; + Lib_IntVector_Intrinsics_vec256 d1 = c0; + Lib_IntVector_Intrinsics_vec256 e1 = Lib_IntVector_Intrinsics_vec256_add32(d0, t1); + Lib_IntVector_Intrinsics_vec256 f1 = e0; + Lib_IntVector_Intrinsics_vec256 g1 = f0; + Lib_IntVector_Intrinsics_vec256 h12 = g0; + hash[0U] = a1; + hash[1U] = b1; + hash[2U] = c1; + hash[3U] = d1; + hash[4U] = e1; + hash[5U] = f1; + hash[6U] = g1; + hash[7U] = h12; + } + if (i0 < (uint32_t)4U - (uint32_t)1U) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec256 t16 = ws[i]; + Lib_IntVector_Intrinsics_vec256 t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 + s1 = + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(t2, + (uint32_t)17U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(t2, + 
(uint32_t)19U), + Lib_IntVector_Intrinsics_vec256_shift_right32(t2, (uint32_t)10U))); + Lib_IntVector_Intrinsics_vec256 + s0 = + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(t15, + (uint32_t)7U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(t15, + (uint32_t)18U), + Lib_IntVector_Intrinsics_vec256_shift_right32(t15, (uint32_t)3U))); + ws[i] = + Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(s1, + t7), + s0), + t16); + } + } + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256 *os = hash; + Lib_IntVector_Intrinsics_vec256 + x = Lib_IntVector_Intrinsics_vec256_add32(hash[i], hash_old[i]); + os[i] = x; + } +} + +void +Hacl_SHA2_Vec256_sha256_8( + uint8_t *dst0, + uint8_t *dst1, + uint8_t *dst2, + uint8_t *dst3, + uint8_t *dst4, + uint8_t *dst5, + uint8_t *dst6, + uint8_t *dst7, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3, + uint8_t *input4, + uint8_t *input5, + uint8_t *input6, + uint8_t *input7 +) +{ + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + ib = + { + .fst = input0, + .snd = { + .fst = input1, + .snd = { + .fst = input2, + .snd = { + .fst = input3, + .snd = { + .fst = input4, + .snd = { .fst = input5, .snd = { .fst = input6, .snd = input7 } } + } + } + } + } + }; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + rb = + { + .fst = dst0, + .snd = { + .fst = dst1, + .snd = { + .fst = dst2, + .snd = { + .fst = dst3, + .snd = { .fst = dst4, .snd = { .fst = dst5, .snd = { .fst = dst6, .snd = dst7 } } } + } + } + } + }; + Lib_IntVector_Intrinsics_vec256 st[8U]; + for (uint32_t _i = 0U; _i < (uint32_t)8U; ++_i) + st[_i] = Lib_IntVector_Intrinsics_vec256_zero; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; 
i++) + { + Lib_IntVector_Intrinsics_vec256 *os = st; + uint32_t hi = Hacl_Impl_SHA2_Generic_h256[i]; + Lib_IntVector_Intrinsics_vec256 x = Lib_IntVector_Intrinsics_vec256_load32(hi); + os[i] = x; + } + uint32_t rem = input_len % (uint32_t)64U; + uint64_t len_ = (uint64_t)input_len; + uint32_t blocks0 = input_len / (uint32_t)64U; + for (uint32_t i = (uint32_t)0U; i < blocks0; i++) + { + uint8_t *b7 = ib.snd.snd.snd.snd.snd.snd.snd; + uint8_t *b6 = ib.snd.snd.snd.snd.snd.snd.fst; + uint8_t *b5 = ib.snd.snd.snd.snd.snd.fst; + uint8_t *b4 = ib.snd.snd.snd.snd.fst; + uint8_t *b3 = ib.snd.snd.snd.fst; + uint8_t *b2 = ib.snd.snd.fst; + uint8_t *b1 = ib.snd.fst; + uint8_t *b0 = ib.fst; + uint8_t *bl0 = b0 + i * (uint32_t)64U; + uint8_t *bl1 = b1 + i * (uint32_t)64U; + uint8_t *bl2 = b2 + i * (uint32_t)64U; + uint8_t *bl3 = b3 + i * (uint32_t)64U; + uint8_t *bl4 = b4 + i * (uint32_t)64U; + uint8_t *bl5 = b5 + i * (uint32_t)64U; + uint8_t *bl6 = b6 + i * (uint32_t)64U; + uint8_t *bl7 = b7 + i * (uint32_t)64U; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb = + { + .fst = bl0, + .snd = { + .fst = bl1, + .snd = { + .fst = bl2, + .snd = { + .fst = bl3, + .snd = { .fst = bl4, .snd = { .fst = bl5, .snd = { .fst = bl6, .snd = bl7 } } } + } + } + } + }; + sha256_update8(mb, st); + } + uint32_t rem1 = input_len % (uint32_t)64U; + uint8_t *b7 = ib.snd.snd.snd.snd.snd.snd.snd; + uint8_t *b60 = ib.snd.snd.snd.snd.snd.snd.fst; + uint8_t *b50 = ib.snd.snd.snd.snd.snd.fst; + uint8_t *b40 = ib.snd.snd.snd.snd.fst; + uint8_t *b30 = ib.snd.snd.snd.fst; + uint8_t *b20 = ib.snd.snd.fst; + uint8_t *b10 = ib.snd.fst; + uint8_t *b00 = ib.fst; + uint8_t *bl0 = b00 + input_len - rem1; + uint8_t *bl1 = b10 + input_len - rem1; + uint8_t *bl2 = b20 + input_len - rem1; + uint8_t *bl3 = b30 + input_len - rem1; + uint8_t *bl4 = b40 + input_len - rem1; + uint8_t *bl5 = b50 + input_len - rem1; + uint8_t *bl6 = b60 + input_len - rem1; + 
uint8_t *bl7 = b7 + input_len - rem1; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + lb = + { + .fst = bl0, + .snd = { + .fst = bl1, + .snd = { + .fst = bl2, + .snd = { + .fst = bl3, + .snd = { .fst = bl4, .snd = { .fst = bl5, .snd = { .fst = bl6, .snd = bl7 } } } + } + } + } + }; + uint32_t blocks; + if (rem + (uint32_t)8U + (uint32_t)1U <= (uint32_t)64U) + { + blocks = (uint32_t)1U; + } + else + { + blocks = (uint32_t)2U; + } + uint32_t fin = blocks * (uint32_t)64U; + uint8_t last[1024U] = { 0U }; + uint8_t totlen_buf[8U] = { 0U }; + uint64_t total_len_bits = len_ << (uint32_t)3U; + store64_be(totlen_buf, total_len_bits); + uint8_t *b70 = lb.snd.snd.snd.snd.snd.snd.snd; + uint8_t *b61 = lb.snd.snd.snd.snd.snd.snd.fst; + uint8_t *b51 = lb.snd.snd.snd.snd.snd.fst; + uint8_t *b41 = lb.snd.snd.snd.snd.fst; + uint8_t *b31 = lb.snd.snd.snd.fst; + uint8_t *b21 = lb.snd.snd.fst; + uint8_t *b11 = lb.snd.fst; + uint8_t *b01 = lb.fst; + uint8_t *last00 = last; + uint8_t *last10 = last + (uint32_t)128U; + uint8_t *last2 = last + (uint32_t)256U; + uint8_t *last3 = last + (uint32_t)384U; + uint8_t *last4 = last + (uint32_t)512U; + uint8_t *last5 = last + (uint32_t)640U; + uint8_t *last6 = last + (uint32_t)768U; + uint8_t *last7 = last + (uint32_t)896U; + memcpy(last00, b01, rem * sizeof (uint8_t)); + last00[rem] = (uint8_t)0x80U; + memcpy(last00 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last010 = last00; + uint8_t *last110 = last00 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut = { .fst = last010, .snd = last110 }; + uint8_t *l00 = scrut.fst; + uint8_t *l01 = scrut.snd; + memcpy(last10, b11, rem * sizeof (uint8_t)); + last10[rem] = (uint8_t)0x80U; + memcpy(last10 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last011 = last10; + uint8_t *last111 = last10 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut0 = { .fst = last011, .snd = last111 }; + 
uint8_t *l10 = scrut0.fst; + uint8_t *l11 = scrut0.snd; + memcpy(last2, b21, rem * sizeof (uint8_t)); + last2[rem] = (uint8_t)0x80U; + memcpy(last2 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last012 = last2; + uint8_t *last112 = last2 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut1 = { .fst = last012, .snd = last112 }; + uint8_t *l20 = scrut1.fst; + uint8_t *l21 = scrut1.snd; + memcpy(last3, b31, rem * sizeof (uint8_t)); + last3[rem] = (uint8_t)0x80U; + memcpy(last3 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last013 = last3; + uint8_t *last113 = last3 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut2 = { .fst = last013, .snd = last113 }; + uint8_t *l30 = scrut2.fst; + uint8_t *l31 = scrut2.snd; + memcpy(last4, b41, rem * sizeof (uint8_t)); + last4[rem] = (uint8_t)0x80U; + memcpy(last4 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last014 = last4; + uint8_t *last114 = last4 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut3 = { .fst = last014, .snd = last114 }; + uint8_t *l40 = scrut3.fst; + uint8_t *l41 = scrut3.snd; + memcpy(last5, b51, rem * sizeof (uint8_t)); + last5[rem] = (uint8_t)0x80U; + memcpy(last5 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last015 = last5; + uint8_t *last115 = last5 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut4 = { .fst = last015, .snd = last115 }; + uint8_t *l50 = scrut4.fst; + uint8_t *l51 = scrut4.snd; + memcpy(last6, b61, rem * sizeof (uint8_t)); + last6[rem] = (uint8_t)0x80U; + memcpy(last6 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last016 = last6; + uint8_t *last116 = last6 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut5 = { .fst = last016, .snd = last116 }; + uint8_t *l60 = scrut5.fst; + uint8_t *l61 = scrut5.snd; + memcpy(last7, b70, rem * sizeof (uint8_t)); + last7[rem] = (uint8_t)0x80U; + memcpy(last7 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U 
* sizeof (uint8_t)); + uint8_t *last01 = last7; + uint8_t *last11 = last7 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut6 = { .fst = last01, .snd = last11 }; + uint8_t *l70 = scrut6.fst; + uint8_t *l71 = scrut6.snd; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb0 = + { + .fst = l00, + .snd = { + .fst = l10, + .snd = { + .fst = l20, + .snd = { + .fst = l30, + .snd = { .fst = l40, .snd = { .fst = l50, .snd = { .fst = l60, .snd = l70 } } } + } + } + } + }; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb1 = + { + .fst = l01, + .snd = { + .fst = l11, + .snd = { + .fst = l21, + .snd = { + .fst = l31, + .snd = { .fst = l41, .snd = { .fst = l51, .snd = { .fst = l61, .snd = l71 } } } + } + } + } + }; + __K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + scrut7 = { .fst = mb0, .snd = mb1 }; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + last0 = scrut7.fst; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + last1 = scrut7.snd; + sha256_update8(last0, st); + if (blocks > (uint32_t)1U) + { + sha256_update8(last1, st); + } + KRML_CHECK_SIZE(sizeof (uint8_t), (uint32_t)8U * (uint32_t)8U * (uint32_t)4U); + uint8_t hbuf[(uint32_t)8U * (uint32_t)8U * (uint32_t)4U]; + memset(hbuf, 0U, (uint32_t)8U * (uint32_t)8U * (uint32_t)4U * sizeof (uint8_t)); + Lib_IntVector_Intrinsics_vec256 v0 = st[0U]; + Lib_IntVector_Intrinsics_vec256 v1 = st[1U]; + Lib_IntVector_Intrinsics_vec256 v2 = st[2U]; + Lib_IntVector_Intrinsics_vec256 v3 = st[3U]; + Lib_IntVector_Intrinsics_vec256 v4 = st[4U]; + Lib_IntVector_Intrinsics_vec256 v5 = st[5U]; + Lib_IntVector_Intrinsics_vec256 v6 = 
st[6U]; + Lib_IntVector_Intrinsics_vec256 v7 = st[7U]; + Lib_IntVector_Intrinsics_vec256 v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v0, v1); + Lib_IntVector_Intrinsics_vec256 v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v2, v3); + Lib_IntVector_Intrinsics_vec256 v4_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v4, v5); + Lib_IntVector_Intrinsics_vec256 + v5_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v4, v5); + Lib_IntVector_Intrinsics_vec256 v6_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v6, v7); + Lib_IntVector_Intrinsics_vec256 + v7_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v6, v7); + Lib_IntVector_Intrinsics_vec256 v0_0 = v0_; + Lib_IntVector_Intrinsics_vec256 v1_0 = v1_; + Lib_IntVector_Intrinsics_vec256 v2_0 = v2_; + Lib_IntVector_Intrinsics_vec256 v3_0 = v3_; + Lib_IntVector_Intrinsics_vec256 v4_0 = v4_; + Lib_IntVector_Intrinsics_vec256 v5_0 = v5_; + Lib_IntVector_Intrinsics_vec256 v6_0 = v6_; + Lib_IntVector_Intrinsics_vec256 v7_0 = v7_; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v4_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v6_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v5_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 + v7_1 = 
Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 v0_10 = v0_1; + Lib_IntVector_Intrinsics_vec256 v1_10 = v1_1; + Lib_IntVector_Intrinsics_vec256 v2_10 = v2_1; + Lib_IntVector_Intrinsics_vec256 v3_10 = v3_1; + Lib_IntVector_Intrinsics_vec256 v4_10 = v4_1; + Lib_IntVector_Intrinsics_vec256 v5_10 = v5_1; + Lib_IntVector_Intrinsics_vec256 v6_10 = v6_1; + Lib_IntVector_Intrinsics_vec256 v7_10 = v7_1; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v4_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v5_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v6_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 + v7_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 v0_20 = v0_2; + Lib_IntVector_Intrinsics_vec256 v1_20 = v1_2; + Lib_IntVector_Intrinsics_vec256 v2_20 = v2_2; + Lib_IntVector_Intrinsics_vec256 v3_20 = v3_2; + Lib_IntVector_Intrinsics_vec256 v4_20 = v4_2; + Lib_IntVector_Intrinsics_vec256 v5_20 = v5_2; + Lib_IntVector_Intrinsics_vec256 v6_20 = v6_2; + Lib_IntVector_Intrinsics_vec256 v7_20 = v7_2; + Lib_IntVector_Intrinsics_vec256 v0_3 = v0_20; + Lib_IntVector_Intrinsics_vec256 v1_3 = v1_20; + Lib_IntVector_Intrinsics_vec256 v2_3 = v2_20; + Lib_IntVector_Intrinsics_vec256 v3_3 = v3_20; + Lib_IntVector_Intrinsics_vec256 v4_3 = v4_20; + Lib_IntVector_Intrinsics_vec256 v5_3 = v5_20; + 
Lib_IntVector_Intrinsics_vec256 v6_3 = v6_20; + Lib_IntVector_Intrinsics_vec256 v7_3 = v7_20; + Lib_IntVector_Intrinsics_vec256 st0_ = v0_3; + Lib_IntVector_Intrinsics_vec256 st1_ = v2_3; + Lib_IntVector_Intrinsics_vec256 st2_ = v1_3; + Lib_IntVector_Intrinsics_vec256 st3_ = v3_3; + Lib_IntVector_Intrinsics_vec256 st4_ = v4_3; + Lib_IntVector_Intrinsics_vec256 st5_ = v6_3; + Lib_IntVector_Intrinsics_vec256 st6_ = v5_3; + Lib_IntVector_Intrinsics_vec256 st7_ = v7_3; + st[0U] = st0_; + st[1U] = st1_; + st[2U] = st2_; + st[3U] = st3_; + st[4U] = st4_; + st[5U] = st5_; + st[6U] = st6_; + st[7U] = st7_; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256_store32_be(hbuf + i * (uint32_t)32U, st[i]); + } + uint8_t *b71 = rb.snd.snd.snd.snd.snd.snd.snd; + uint8_t *b6 = rb.snd.snd.snd.snd.snd.snd.fst; + uint8_t *b5 = rb.snd.snd.snd.snd.snd.fst; + uint8_t *b4 = rb.snd.snd.snd.snd.fst; + uint8_t *b3 = rb.snd.snd.snd.fst; + uint8_t *b2 = rb.snd.snd.fst; + uint8_t *b1 = rb.snd.fst; + uint8_t *b0 = rb.fst; + memcpy(b0, hbuf, (uint32_t)32U * sizeof (uint8_t)); + memcpy(b1, hbuf + (uint32_t)32U, (uint32_t)32U * sizeof (uint8_t)); + memcpy(b2, hbuf + (uint32_t)64U, (uint32_t)32U * sizeof (uint8_t)); + memcpy(b3, hbuf + (uint32_t)96U, (uint32_t)32U * sizeof (uint8_t)); + memcpy(b4, hbuf + (uint32_t)128U, (uint32_t)32U * sizeof (uint8_t)); + memcpy(b5, hbuf + (uint32_t)160U, (uint32_t)32U * sizeof (uint8_t)); + memcpy(b6, hbuf + (uint32_t)192U, (uint32_t)32U * sizeof (uint8_t)); + memcpy(b71, hbuf + (uint32_t)224U, (uint32_t)32U * sizeof (uint8_t)); +} + +static inline void +sha384_update4( + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ block, + Lib_IntVector_Intrinsics_vec256 *hash +) +{ + Lib_IntVector_Intrinsics_vec256 hash_old[8U]; + for (uint32_t _i = 0U; _i < (uint32_t)8U; ++_i) + hash_old[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 ws[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + 
ws[_i] = Lib_IntVector_Intrinsics_vec256_zero; + memcpy(hash_old, hash, (uint32_t)8U * sizeof (Lib_IntVector_Intrinsics_vec256)); + uint8_t *b3 = block.snd.snd.snd; + uint8_t *b2 = block.snd.snd.fst; + uint8_t *b10 = block.snd.fst; + uint8_t *b00 = block.fst; + ws[0U] = Lib_IntVector_Intrinsics_vec256_load64_be(b00); + ws[1U] = Lib_IntVector_Intrinsics_vec256_load64_be(b10); + ws[2U] = Lib_IntVector_Intrinsics_vec256_load64_be(b2); + ws[3U] = Lib_IntVector_Intrinsics_vec256_load64_be(b3); + ws[4U] = Lib_IntVector_Intrinsics_vec256_load64_be(b00 + (uint32_t)32U); + ws[5U] = Lib_IntVector_Intrinsics_vec256_load64_be(b10 + (uint32_t)32U); + ws[6U] = Lib_IntVector_Intrinsics_vec256_load64_be(b2 + (uint32_t)32U); + ws[7U] = Lib_IntVector_Intrinsics_vec256_load64_be(b3 + (uint32_t)32U); + ws[8U] = Lib_IntVector_Intrinsics_vec256_load64_be(b00 + (uint32_t)64U); + ws[9U] = Lib_IntVector_Intrinsics_vec256_load64_be(b10 + (uint32_t)64U); + ws[10U] = Lib_IntVector_Intrinsics_vec256_load64_be(b2 + (uint32_t)64U); + ws[11U] = Lib_IntVector_Intrinsics_vec256_load64_be(b3 + (uint32_t)64U); + ws[12U] = Lib_IntVector_Intrinsics_vec256_load64_be(b00 + (uint32_t)96U); + ws[13U] = Lib_IntVector_Intrinsics_vec256_load64_be(b10 + (uint32_t)96U); + ws[14U] = Lib_IntVector_Intrinsics_vec256_load64_be(b2 + (uint32_t)96U); + ws[15U] = Lib_IntVector_Intrinsics_vec256_load64_be(b3 + (uint32_t)96U); + Lib_IntVector_Intrinsics_vec256 v00 = ws[0U]; + Lib_IntVector_Intrinsics_vec256 v10 = ws[1U]; + Lib_IntVector_Intrinsics_vec256 v20 = ws[2U]; + Lib_IntVector_Intrinsics_vec256 v30 = ws[3U]; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v20, v30); + 
Lib_IntVector_Intrinsics_vec256 + v0__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v1__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v2__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 + v3__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 ws0 = v0__; + Lib_IntVector_Intrinsics_vec256 ws1 = v2__; + Lib_IntVector_Intrinsics_vec256 ws2 = v1__; + Lib_IntVector_Intrinsics_vec256 ws3 = v3__; + Lib_IntVector_Intrinsics_vec256 v01 = ws[4U]; + Lib_IntVector_Intrinsics_vec256 v11 = ws[5U]; + Lib_IntVector_Intrinsics_vec256 v21 = ws[6U]; + Lib_IntVector_Intrinsics_vec256 v31 = ws[7U]; + Lib_IntVector_Intrinsics_vec256 + v0_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v01, v11); + Lib_IntVector_Intrinsics_vec256 + v1_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v01, v11); + Lib_IntVector_Intrinsics_vec256 + v2_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v3_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v0__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 ws4 = v0__0; + Lib_IntVector_Intrinsics_vec256 ws5 = v2__0; + Lib_IntVector_Intrinsics_vec256 ws6 = v1__0; + Lib_IntVector_Intrinsics_vec256 ws7 = v3__0; + Lib_IntVector_Intrinsics_vec256 v02 = ws[8U]; + Lib_IntVector_Intrinsics_vec256 v12 = ws[9U]; + Lib_IntVector_Intrinsics_vec256 v22 = ws[10U]; + 
Lib_IntVector_Intrinsics_vec256 v32 = ws[11U]; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v02, v12); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v02, v12); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v22, v32); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v22, v32); + Lib_IntVector_Intrinsics_vec256 + v0__1 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec256 + v1__1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec256 + v2__1 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec256 + v3__1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec256 ws8 = v0__1; + Lib_IntVector_Intrinsics_vec256 ws9 = v2__1; + Lib_IntVector_Intrinsics_vec256 ws10 = v1__1; + Lib_IntVector_Intrinsics_vec256 ws11 = v3__1; + Lib_IntVector_Intrinsics_vec256 v0 = ws[12U]; + Lib_IntVector_Intrinsics_vec256 v1 = ws[13U]; + Lib_IntVector_Intrinsics_vec256 v2 = ws[14U]; + Lib_IntVector_Intrinsics_vec256 v3 = ws[15U]; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v0__2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec256 + v1__2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec256 + v2__2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_2, 
v3_2); + Lib_IntVector_Intrinsics_vec256 + v3__2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec256 ws12 = v0__2; + Lib_IntVector_Intrinsics_vec256 ws13 = v2__2; + Lib_IntVector_Intrinsics_vec256 ws14 = v1__2; + Lib_IntVector_Intrinsics_vec256 ws15 = v3__2; + ws[0U] = ws0; + ws[1U] = ws1; + ws[2U] = ws2; + ws[3U] = ws3; + ws[4U] = ws4; + ws[5U] = ws5; + ws[6U] = ws6; + ws[7U] = ws7; + ws[8U] = ws8; + ws[9U] = ws9; + ws[10U] = ws10; + ws[11U] = ws11; + ws[12U] = ws12; + ws[13U] = ws13; + ws[14U] = ws14; + ws[15U] = ws15; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)5U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t k_t = Hacl_Impl_SHA2_Generic_k384_512[(uint32_t)16U * i0 + i]; + Lib_IntVector_Intrinsics_vec256 ws_t = ws[i]; + Lib_IntVector_Intrinsics_vec256 a0 = hash[0U]; + Lib_IntVector_Intrinsics_vec256 b0 = hash[1U]; + Lib_IntVector_Intrinsics_vec256 c0 = hash[2U]; + Lib_IntVector_Intrinsics_vec256 d0 = hash[3U]; + Lib_IntVector_Intrinsics_vec256 e0 = hash[4U]; + Lib_IntVector_Intrinsics_vec256 f0 = hash[5U]; + Lib_IntVector_Intrinsics_vec256 g0 = hash[6U]; + Lib_IntVector_Intrinsics_vec256 h02 = hash[7U]; + Lib_IntVector_Intrinsics_vec256 k_e_t = Lib_IntVector_Intrinsics_vec256_load64(k_t); + Lib_IntVector_Intrinsics_vec256 + t1 = + Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(h02, + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(e0, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(e0, + (uint32_t)18U), + Lib_IntVector_Intrinsics_vec256_rotate_right64(e0, (uint32_t)41U)))), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(e0, f0), + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_lognot(e0), g0))), + k_e_t), + ws_t); + 
Lib_IntVector_Intrinsics_vec256 + t2 = + Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(a0, + (uint32_t)28U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(a0, + (uint32_t)34U), + Lib_IntVector_Intrinsics_vec256_rotate_right64(a0, (uint32_t)39U))), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(a0, b0), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(a0, c0), + Lib_IntVector_Intrinsics_vec256_and(b0, c0)))); + Lib_IntVector_Intrinsics_vec256 a1 = Lib_IntVector_Intrinsics_vec256_add64(t1, t2); + Lib_IntVector_Intrinsics_vec256 b1 = a0; + Lib_IntVector_Intrinsics_vec256 c1 = b0; + Lib_IntVector_Intrinsics_vec256 d1 = c0; + Lib_IntVector_Intrinsics_vec256 e1 = Lib_IntVector_Intrinsics_vec256_add64(d0, t1); + Lib_IntVector_Intrinsics_vec256 f1 = e0; + Lib_IntVector_Intrinsics_vec256 g1 = f0; + Lib_IntVector_Intrinsics_vec256 h12 = g0; + hash[0U] = a1; + hash[1U] = b1; + hash[2U] = c1; + hash[3U] = d1; + hash[4U] = e1; + hash[5U] = f1; + hash[6U] = g1; + hash[7U] = h12; + } + if (i0 < (uint32_t)5U - (uint32_t)1U) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec256 t16 = ws[i]; + Lib_IntVector_Intrinsics_vec256 t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 + s1 = + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(t2, + (uint32_t)19U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(t2, + (uint32_t)61U), + Lib_IntVector_Intrinsics_vec256_shift_right64(t2, (uint32_t)6U))); + Lib_IntVector_Intrinsics_vec256 + s0 = + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(t15, + 
(uint32_t)1U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(t15, + (uint32_t)8U), + Lib_IntVector_Intrinsics_vec256_shift_right64(t15, (uint32_t)7U))); + ws[i] = + Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(s1, + t7), + s0), + t16); + } + } + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256 *os = hash; + Lib_IntVector_Intrinsics_vec256 + x = Lib_IntVector_Intrinsics_vec256_add64(hash[i], hash_old[i]); + os[i] = x; + } +} + +void +Hacl_SHA2_Vec256_sha384_4( + uint8_t *dst0, + uint8_t *dst1, + uint8_t *dst2, + uint8_t *dst3, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3 +) +{ + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + ib = { .fst = input0, .snd = { .fst = input1, .snd = { .fst = input2, .snd = input3 } } }; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + rb = { .fst = dst0, .snd = { .fst = dst1, .snd = { .fst = dst2, .snd = dst3 } } }; + Lib_IntVector_Intrinsics_vec256 st[8U]; + for (uint32_t _i = 0U; _i < (uint32_t)8U; ++_i) + st[_i] = Lib_IntVector_Intrinsics_vec256_zero; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256 *os = st; + uint64_t hi = Hacl_Impl_SHA2_Generic_h384[i]; + Lib_IntVector_Intrinsics_vec256 x = Lib_IntVector_Intrinsics_vec256_load64(hi); + os[i] = x; + } + uint32_t rem = input_len % (uint32_t)128U; + FStar_UInt128_uint128 len_ = FStar_UInt128_uint64_to_uint128((uint64_t)input_len); + uint32_t blocks0 = input_len / (uint32_t)128U; + for (uint32_t i = (uint32_t)0U; i < blocks0; i++) + { + uint8_t *b3 = ib.snd.snd.snd; + uint8_t *b2 = ib.snd.snd.fst; + uint8_t *b1 = ib.snd.fst; + uint8_t *b0 = ib.fst; + uint8_t *bl0 = b0 + i * (uint32_t)128U; + uint8_t *bl1 = b1 + i * (uint32_t)128U; + uint8_t *bl2 = b2 + i * (uint32_t)128U; + uint8_t *bl3 = b3 + i * (uint32_t)128U; + 
K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb = { .fst = bl0, .snd = { .fst = bl1, .snd = { .fst = bl2, .snd = bl3 } } }; + sha384_update4(mb, st); + } + uint32_t rem1 = input_len % (uint32_t)128U; + uint8_t *b3 = ib.snd.snd.snd; + uint8_t *b20 = ib.snd.snd.fst; + uint8_t *b10 = ib.snd.fst; + uint8_t *b00 = ib.fst; + uint8_t *bl0 = b00 + input_len - rem1; + uint8_t *bl1 = b10 + input_len - rem1; + uint8_t *bl2 = b20 + input_len - rem1; + uint8_t *bl3 = b3 + input_len - rem1; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + lb = { .fst = bl0, .snd = { .fst = bl1, .snd = { .fst = bl2, .snd = bl3 } } }; + uint32_t blocks; + if (rem + (uint32_t)16U + (uint32_t)1U <= (uint32_t)128U) + { + blocks = (uint32_t)1U; + } + else + { + blocks = (uint32_t)2U; + } + uint32_t fin = blocks * (uint32_t)128U; + uint8_t last[1024U] = { 0U }; + uint8_t totlen_buf[16U] = { 0U }; + FStar_UInt128_uint128 total_len_bits = FStar_UInt128_shift_left(len_, (uint32_t)3U); + store128_be(totlen_buf, total_len_bits); + uint8_t *b30 = lb.snd.snd.snd; + uint8_t *b21 = lb.snd.snd.fst; + uint8_t *b11 = lb.snd.fst; + uint8_t *b01 = lb.fst; + uint8_t *last00 = last; + uint8_t *last10 = last + (uint32_t)256U; + uint8_t *last2 = last + (uint32_t)512U; + uint8_t *last3 = last + (uint32_t)768U; + memcpy(last00, b01, rem * sizeof (uint8_t)); + last00[rem] = (uint8_t)0x80U; + memcpy(last00 + fin - (uint32_t)16U, totlen_buf, (uint32_t)16U * sizeof (uint8_t)); + uint8_t *last010 = last00; + uint8_t *last110 = last00 + (uint32_t)128U; + K____uint8_t___uint8_t_ scrut = { .fst = last010, .snd = last110 }; + uint8_t *l00 = scrut.fst; + uint8_t *l01 = scrut.snd; + memcpy(last10, b11, rem * sizeof (uint8_t)); + last10[rem] = (uint8_t)0x80U; + memcpy(last10 + fin - (uint32_t)16U, totlen_buf, (uint32_t)16U * sizeof (uint8_t)); + uint8_t *last011 = last10; + uint8_t *last111 = last10 + (uint32_t)128U; + K____uint8_t___uint8_t_ scrut0 = { .fst = last011, .snd = last111 }; + uint8_t *l10 = scrut0.fst; + 
uint8_t *l11 = scrut0.snd; + memcpy(last2, b21, rem * sizeof (uint8_t)); + last2[rem] = (uint8_t)0x80U; + memcpy(last2 + fin - (uint32_t)16U, totlen_buf, (uint32_t)16U * sizeof (uint8_t)); + uint8_t *last012 = last2; + uint8_t *last112 = last2 + (uint32_t)128U; + K____uint8_t___uint8_t_ scrut1 = { .fst = last012, .snd = last112 }; + uint8_t *l20 = scrut1.fst; + uint8_t *l21 = scrut1.snd; + memcpy(last3, b30, rem * sizeof (uint8_t)); + last3[rem] = (uint8_t)0x80U; + memcpy(last3 + fin - (uint32_t)16U, totlen_buf, (uint32_t)16U * sizeof (uint8_t)); + uint8_t *last01 = last3; + uint8_t *last11 = last3 + (uint32_t)128U; + K____uint8_t___uint8_t_ scrut2 = { .fst = last01, .snd = last11 }; + uint8_t *l30 = scrut2.fst; + uint8_t *l31 = scrut2.snd; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb0 = { .fst = l00, .snd = { .fst = l10, .snd = { .fst = l20, .snd = l30 } } }; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb1 = { .fst = l01, .snd = { .fst = l11, .snd = { .fst = l21, .snd = l31 } } }; + K___K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + scrut3 = { .fst = mb0, .snd = mb1 }; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ last0 = scrut3.fst; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ last1 = scrut3.snd; + sha384_update4(last0, st); + if (blocks > (uint32_t)1U) + { + sha384_update4(last1, st); + } + KRML_CHECK_SIZE(sizeof (uint8_t), (uint32_t)4U * (uint32_t)8U * (uint32_t)8U); + uint8_t hbuf[(uint32_t)4U * (uint32_t)8U * (uint32_t)8U]; + memset(hbuf, 0U, (uint32_t)4U * (uint32_t)8U * (uint32_t)8U * sizeof (uint8_t)); + Lib_IntVector_Intrinsics_vec256 v00 = st[0U]; + Lib_IntVector_Intrinsics_vec256 v10 = st[1U]; + Lib_IntVector_Intrinsics_vec256 v20 = st[2U]; + Lib_IntVector_Intrinsics_vec256 v30 = st[3U]; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v1_ = 
Lib_IntVector_Intrinsics_vec256_interleave_high64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v0__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v1__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v2__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 + v3__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 st0_ = v0__; + Lib_IntVector_Intrinsics_vec256 st1_ = v2__; + Lib_IntVector_Intrinsics_vec256 st2_ = v1__; + Lib_IntVector_Intrinsics_vec256 st3_ = v3__; + Lib_IntVector_Intrinsics_vec256 v0 = st[4U]; + Lib_IntVector_Intrinsics_vec256 v1 = st[5U]; + Lib_IntVector_Intrinsics_vec256 v2 = st[6U]; + Lib_IntVector_Intrinsics_vec256 v3 = st[7U]; + Lib_IntVector_Intrinsics_vec256 + v0_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v1_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v2_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v3_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v0__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 st4_ = v0__0; + Lib_IntVector_Intrinsics_vec256 st5_ = v2__0; + 
Lib_IntVector_Intrinsics_vec256 st6_ = v1__0; + Lib_IntVector_Intrinsics_vec256 st7_ = v3__0; + st[0U] = st0_; + st[1U] = st4_; + st[2U] = st1_; + st[3U] = st5_; + st[4U] = st2_; + st[5U] = st6_; + st[6U] = st3_; + st[7U] = st7_; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256_store64_be(hbuf + i * (uint32_t)32U, st[i]); + } + uint8_t *b31 = rb.snd.snd.snd; + uint8_t *b2 = rb.snd.snd.fst; + uint8_t *b1 = rb.snd.fst; + uint8_t *b0 = rb.fst; + memcpy(b0, hbuf, (uint32_t)48U * sizeof (uint8_t)); + memcpy(b1, hbuf + (uint32_t)64U, (uint32_t)48U * sizeof (uint8_t)); + memcpy(b2, hbuf + (uint32_t)128U, (uint32_t)48U * sizeof (uint8_t)); + memcpy(b31, hbuf + (uint32_t)192U, (uint32_t)48U * sizeof (uint8_t)); +} + +static inline void +sha512_update4( + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ block, + Lib_IntVector_Intrinsics_vec256 *hash +) +{ + Lib_IntVector_Intrinsics_vec256 hash_old[8U]; + for (uint32_t _i = 0U; _i < (uint32_t)8U; ++_i) + hash_old[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 ws[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + ws[_i] = Lib_IntVector_Intrinsics_vec256_zero; + memcpy(hash_old, hash, (uint32_t)8U * sizeof (Lib_IntVector_Intrinsics_vec256)); + uint8_t *b3 = block.snd.snd.snd; + uint8_t *b2 = block.snd.snd.fst; + uint8_t *b10 = block.snd.fst; + uint8_t *b00 = block.fst; + ws[0U] = Lib_IntVector_Intrinsics_vec256_load64_be(b00); + ws[1U] = Lib_IntVector_Intrinsics_vec256_load64_be(b10); + ws[2U] = Lib_IntVector_Intrinsics_vec256_load64_be(b2); + ws[3U] = Lib_IntVector_Intrinsics_vec256_load64_be(b3); + ws[4U] = Lib_IntVector_Intrinsics_vec256_load64_be(b00 + (uint32_t)32U); + ws[5U] = Lib_IntVector_Intrinsics_vec256_load64_be(b10 + (uint32_t)32U); + ws[6U] = Lib_IntVector_Intrinsics_vec256_load64_be(b2 + (uint32_t)32U); + ws[7U] = Lib_IntVector_Intrinsics_vec256_load64_be(b3 + (uint32_t)32U); + ws[8U] = 
Lib_IntVector_Intrinsics_vec256_load64_be(b00 + (uint32_t)64U); + ws[9U] = Lib_IntVector_Intrinsics_vec256_load64_be(b10 + (uint32_t)64U); + ws[10U] = Lib_IntVector_Intrinsics_vec256_load64_be(b2 + (uint32_t)64U); + ws[11U] = Lib_IntVector_Intrinsics_vec256_load64_be(b3 + (uint32_t)64U); + ws[12U] = Lib_IntVector_Intrinsics_vec256_load64_be(b00 + (uint32_t)96U); + ws[13U] = Lib_IntVector_Intrinsics_vec256_load64_be(b10 + (uint32_t)96U); + ws[14U] = Lib_IntVector_Intrinsics_vec256_load64_be(b2 + (uint32_t)96U); + ws[15U] = Lib_IntVector_Intrinsics_vec256_load64_be(b3 + (uint32_t)96U); + Lib_IntVector_Intrinsics_vec256 v00 = ws[0U]; + Lib_IntVector_Intrinsics_vec256 v10 = ws[1U]; + Lib_IntVector_Intrinsics_vec256 v20 = ws[2U]; + Lib_IntVector_Intrinsics_vec256 v30 = ws[3U]; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v0__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v1__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v2__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 + v3__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 ws0 = v0__; + Lib_IntVector_Intrinsics_vec256 ws1 = v2__; + Lib_IntVector_Intrinsics_vec256 ws2 = v1__; + Lib_IntVector_Intrinsics_vec256 ws3 = v3__; + Lib_IntVector_Intrinsics_vec256 v01 = ws[4U]; + Lib_IntVector_Intrinsics_vec256 v11 = ws[5U]; + Lib_IntVector_Intrinsics_vec256 v21 = ws[6U]; + Lib_IntVector_Intrinsics_vec256 v31 = ws[7U]; + 
Lib_IntVector_Intrinsics_vec256 + v0_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v01, v11); + Lib_IntVector_Intrinsics_vec256 + v1_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v01, v11); + Lib_IntVector_Intrinsics_vec256 + v2_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v3_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v0__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 ws4 = v0__0; + Lib_IntVector_Intrinsics_vec256 ws5 = v2__0; + Lib_IntVector_Intrinsics_vec256 ws6 = v1__0; + Lib_IntVector_Intrinsics_vec256 ws7 = v3__0; + Lib_IntVector_Intrinsics_vec256 v02 = ws[8U]; + Lib_IntVector_Intrinsics_vec256 v12 = ws[9U]; + Lib_IntVector_Intrinsics_vec256 v22 = ws[10U]; + Lib_IntVector_Intrinsics_vec256 v32 = ws[11U]; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v02, v12); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v02, v12); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v22, v32); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v22, v32); + Lib_IntVector_Intrinsics_vec256 + v0__1 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec256 + v1__1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec256 + v2__1 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec256 + 
v3__1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec256 ws8 = v0__1; + Lib_IntVector_Intrinsics_vec256 ws9 = v2__1; + Lib_IntVector_Intrinsics_vec256 ws10 = v1__1; + Lib_IntVector_Intrinsics_vec256 ws11 = v3__1; + Lib_IntVector_Intrinsics_vec256 v0 = ws[12U]; + Lib_IntVector_Intrinsics_vec256 v1 = ws[13U]; + Lib_IntVector_Intrinsics_vec256 v2 = ws[14U]; + Lib_IntVector_Intrinsics_vec256 v3 = ws[15U]; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v0__2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec256 + v1__2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec256 + v2__2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec256 + v3__2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec256 ws12 = v0__2; + Lib_IntVector_Intrinsics_vec256 ws13 = v2__2; + Lib_IntVector_Intrinsics_vec256 ws14 = v1__2; + Lib_IntVector_Intrinsics_vec256 ws15 = v3__2; + ws[0U] = ws0; + ws[1U] = ws1; + ws[2U] = ws2; + ws[3U] = ws3; + ws[4U] = ws4; + ws[5U] = ws5; + ws[6U] = ws6; + ws[7U] = ws7; + ws[8U] = ws8; + ws[9U] = ws9; + ws[10U] = ws10; + ws[11U] = ws11; + ws[12U] = ws12; + ws[13U] = ws13; + ws[14U] = ws14; + ws[15U] = ws15; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)5U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t k_t = Hacl_Impl_SHA2_Generic_k384_512[(uint32_t)16U * i0 + i]; + Lib_IntVector_Intrinsics_vec256 ws_t = ws[i]; + 
Lib_IntVector_Intrinsics_vec256 a0 = hash[0U]; + Lib_IntVector_Intrinsics_vec256 b0 = hash[1U]; + Lib_IntVector_Intrinsics_vec256 c0 = hash[2U]; + Lib_IntVector_Intrinsics_vec256 d0 = hash[3U]; + Lib_IntVector_Intrinsics_vec256 e0 = hash[4U]; + Lib_IntVector_Intrinsics_vec256 f0 = hash[5U]; + Lib_IntVector_Intrinsics_vec256 g0 = hash[6U]; + Lib_IntVector_Intrinsics_vec256 h02 = hash[7U]; + Lib_IntVector_Intrinsics_vec256 k_e_t = Lib_IntVector_Intrinsics_vec256_load64(k_t); + Lib_IntVector_Intrinsics_vec256 + t1 = + Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(h02, + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(e0, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(e0, + (uint32_t)18U), + Lib_IntVector_Intrinsics_vec256_rotate_right64(e0, (uint32_t)41U)))), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(e0, f0), + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_lognot(e0), g0))), + k_e_t), + ws_t); + Lib_IntVector_Intrinsics_vec256 + t2 = + Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(a0, + (uint32_t)28U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(a0, + (uint32_t)34U), + Lib_IntVector_Intrinsics_vec256_rotate_right64(a0, (uint32_t)39U))), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(a0, b0), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(a0, c0), + Lib_IntVector_Intrinsics_vec256_and(b0, c0)))); + Lib_IntVector_Intrinsics_vec256 a1 = Lib_IntVector_Intrinsics_vec256_add64(t1, t2); + Lib_IntVector_Intrinsics_vec256 b1 = a0; + Lib_IntVector_Intrinsics_vec256 c1 = b0; + Lib_IntVector_Intrinsics_vec256 d1 = c0; + Lib_IntVector_Intrinsics_vec256 e1 = 
Lib_IntVector_Intrinsics_vec256_add64(d0, t1); + Lib_IntVector_Intrinsics_vec256 f1 = e0; + Lib_IntVector_Intrinsics_vec256 g1 = f0; + Lib_IntVector_Intrinsics_vec256 h12 = g0; + hash[0U] = a1; + hash[1U] = b1; + hash[2U] = c1; + hash[3U] = d1; + hash[4U] = e1; + hash[5U] = f1; + hash[6U] = g1; + hash[7U] = h12; + } + if (i0 < (uint32_t)5U - (uint32_t)1U) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec256 t16 = ws[i]; + Lib_IntVector_Intrinsics_vec256 t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 + s1 = + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(t2, + (uint32_t)19U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(t2, + (uint32_t)61U), + Lib_IntVector_Intrinsics_vec256_shift_right64(t2, (uint32_t)6U))); + Lib_IntVector_Intrinsics_vec256 + s0 = + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(t15, + (uint32_t)1U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(t15, + (uint32_t)8U), + Lib_IntVector_Intrinsics_vec256_shift_right64(t15, (uint32_t)7U))); + ws[i] = + Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(s1, + t7), + s0), + t16); + } + } + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256 *os = hash; + Lib_IntVector_Intrinsics_vec256 + x = Lib_IntVector_Intrinsics_vec256_add64(hash[i], hash_old[i]); + os[i] = x; + } +} + +void +Hacl_SHA2_Vec256_sha512_4( + uint8_t *dst0, + uint8_t *dst1, + uint8_t *dst2, + uint8_t *dst3, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3 +) +{ + 
K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + ib = { .fst = input0, .snd = { .fst = input1, .snd = { .fst = input2, .snd = input3 } } }; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + rb = { .fst = dst0, .snd = { .fst = dst1, .snd = { .fst = dst2, .snd = dst3 } } }; + Lib_IntVector_Intrinsics_vec256 st[8U]; + for (uint32_t _i = 0U; _i < (uint32_t)8U; ++_i) + st[_i] = Lib_IntVector_Intrinsics_vec256_zero; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256 *os = st; + uint64_t hi = Hacl_Impl_SHA2_Generic_h512[i]; + Lib_IntVector_Intrinsics_vec256 x = Lib_IntVector_Intrinsics_vec256_load64(hi); + os[i] = x; + } + uint32_t rem = input_len % (uint32_t)128U; + FStar_UInt128_uint128 len_ = FStar_UInt128_uint64_to_uint128((uint64_t)input_len); + uint32_t blocks0 = input_len / (uint32_t)128U; + for (uint32_t i = (uint32_t)0U; i < blocks0; i++) + { + uint8_t *b3 = ib.snd.snd.snd; + uint8_t *b2 = ib.snd.snd.fst; + uint8_t *b1 = ib.snd.fst; + uint8_t *b0 = ib.fst; + uint8_t *bl0 = b0 + i * (uint32_t)128U; + uint8_t *bl1 = b1 + i * (uint32_t)128U; + uint8_t *bl2 = b2 + i * (uint32_t)128U; + uint8_t *bl3 = b3 + i * (uint32_t)128U; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb = { .fst = bl0, .snd = { .fst = bl1, .snd = { .fst = bl2, .snd = bl3 } } }; + sha512_update4(mb, st); + } + uint32_t rem1 = input_len % (uint32_t)128U; + uint8_t *b3 = ib.snd.snd.snd; + uint8_t *b20 = ib.snd.snd.fst; + uint8_t *b10 = ib.snd.fst; + uint8_t *b00 = ib.fst; + uint8_t *bl0 = b00 + input_len - rem1; + uint8_t *bl1 = b10 + input_len - rem1; + uint8_t *bl2 = b20 + input_len - rem1; + uint8_t *bl3 = b3 + input_len - rem1; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + lb = { .fst = bl0, .snd = { .fst = bl1, .snd = { .fst = bl2, .snd = bl3 } } }; + uint32_t blocks; + if (rem + (uint32_t)16U + (uint32_t)1U <= (uint32_t)128U) + { + blocks = (uint32_t)1U; + } + else + { + blocks = (uint32_t)2U; + } + uint32_t fin = blocks 
* (uint32_t)128U; + uint8_t last[1024U] = { 0U }; + uint8_t totlen_buf[16U] = { 0U }; + FStar_UInt128_uint128 total_len_bits = FStar_UInt128_shift_left(len_, (uint32_t)3U); + store128_be(totlen_buf, total_len_bits); + uint8_t *b30 = lb.snd.snd.snd; + uint8_t *b21 = lb.snd.snd.fst; + uint8_t *b11 = lb.snd.fst; + uint8_t *b01 = lb.fst; + uint8_t *last00 = last; + uint8_t *last10 = last + (uint32_t)256U; + uint8_t *last2 = last + (uint32_t)512U; + uint8_t *last3 = last + (uint32_t)768U; + memcpy(last00, b01, rem * sizeof (uint8_t)); + last00[rem] = (uint8_t)0x80U; + memcpy(last00 + fin - (uint32_t)16U, totlen_buf, (uint32_t)16U * sizeof (uint8_t)); + uint8_t *last010 = last00; + uint8_t *last110 = last00 + (uint32_t)128U; + K____uint8_t___uint8_t_ scrut = { .fst = last010, .snd = last110 }; + uint8_t *l00 = scrut.fst; + uint8_t *l01 = scrut.snd; + memcpy(last10, b11, rem * sizeof (uint8_t)); + last10[rem] = (uint8_t)0x80U; + memcpy(last10 + fin - (uint32_t)16U, totlen_buf, (uint32_t)16U * sizeof (uint8_t)); + uint8_t *last011 = last10; + uint8_t *last111 = last10 + (uint32_t)128U; + K____uint8_t___uint8_t_ scrut0 = { .fst = last011, .snd = last111 }; + uint8_t *l10 = scrut0.fst; + uint8_t *l11 = scrut0.snd; + memcpy(last2, b21, rem * sizeof (uint8_t)); + last2[rem] = (uint8_t)0x80U; + memcpy(last2 + fin - (uint32_t)16U, totlen_buf, (uint32_t)16U * sizeof (uint8_t)); + uint8_t *last012 = last2; + uint8_t *last112 = last2 + (uint32_t)128U; + K____uint8_t___uint8_t_ scrut1 = { .fst = last012, .snd = last112 }; + uint8_t *l20 = scrut1.fst; + uint8_t *l21 = scrut1.snd; + memcpy(last3, b30, rem * sizeof (uint8_t)); + last3[rem] = (uint8_t)0x80U; + memcpy(last3 + fin - (uint32_t)16U, totlen_buf, (uint32_t)16U * sizeof (uint8_t)); + uint8_t *last01 = last3; + uint8_t *last11 = last3 + (uint32_t)128U; + K____uint8_t___uint8_t_ scrut2 = { .fst = last01, .snd = last11 }; + uint8_t *l30 = scrut2.fst; + uint8_t *l31 = scrut2.snd; + 
K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb0 = { .fst = l00, .snd = { .fst = l10, .snd = { .fst = l20, .snd = l30 } } }; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb1 = { .fst = l01, .snd = { .fst = l11, .snd = { .fst = l21, .snd = l31 } } }; + K___K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + scrut3 = { .fst = mb0, .snd = mb1 }; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ last0 = scrut3.fst; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ last1 = scrut3.snd; + sha512_update4(last0, st); + if (blocks > (uint32_t)1U) + { + sha512_update4(last1, st); + } + KRML_CHECK_SIZE(sizeof (uint8_t), (uint32_t)4U * (uint32_t)8U * (uint32_t)8U); + uint8_t hbuf[(uint32_t)4U * (uint32_t)8U * (uint32_t)8U]; + memset(hbuf, 0U, (uint32_t)4U * (uint32_t)8U * (uint32_t)8U * sizeof (uint8_t)); + Lib_IntVector_Intrinsics_vec256 v00 = st[0U]; + Lib_IntVector_Intrinsics_vec256 v10 = st[1U]; + Lib_IntVector_Intrinsics_vec256 v20 = st[2U]; + Lib_IntVector_Intrinsics_vec256 v30 = st[3U]; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v0__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v1__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v2__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 + v3__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 st0_ = v0__; + Lib_IntVector_Intrinsics_vec256 st1_ = v2__; 
+ Lib_IntVector_Intrinsics_vec256 st2_ = v1__; + Lib_IntVector_Intrinsics_vec256 st3_ = v3__; + Lib_IntVector_Intrinsics_vec256 v0 = st[4U]; + Lib_IntVector_Intrinsics_vec256 v1 = st[5U]; + Lib_IntVector_Intrinsics_vec256 v2 = st[6U]; + Lib_IntVector_Intrinsics_vec256 v3 = st[7U]; + Lib_IntVector_Intrinsics_vec256 + v0_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v1_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v2_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v3_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v0__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 st4_ = v0__0; + Lib_IntVector_Intrinsics_vec256 st5_ = v2__0; + Lib_IntVector_Intrinsics_vec256 st6_ = v1__0; + Lib_IntVector_Intrinsics_vec256 st7_ = v3__0; + st[0U] = st0_; + st[1U] = st4_; + st[2U] = st1_; + st[3U] = st5_; + st[4U] = st2_; + st[5U] = st6_; + st[6U] = st3_; + st[7U] = st7_; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256_store64_be(hbuf + i * (uint32_t)32U, st[i]); + } + uint8_t *b31 = rb.snd.snd.snd; + uint8_t *b2 = rb.snd.snd.fst; + uint8_t *b1 = rb.snd.fst; + uint8_t *b0 = rb.fst; + memcpy(b0, hbuf, (uint32_t)64U * sizeof (uint8_t)); + memcpy(b1, hbuf + (uint32_t)64U, (uint32_t)64U * sizeof (uint8_t)); + memcpy(b2, hbuf + (uint32_t)128U, (uint32_t)64U * sizeof (uint8_t)); + memcpy(b31, hbuf + (uint32_t)192U, (uint32_t)64U * sizeof (uint8_t)); +} + 
diff --git a/src/Hacl_SHA3.c b/src/Hacl_SHA3.c new file mode 100644 index 00000000..e3e38553 --- /dev/null +++ b/src/Hacl_SHA3.c 
@@ -0,0 +1,304 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_SHA3.h" + + + +const +uint32_t +Hacl_Impl_SHA3_keccak_rotc[24U] = + { + (uint32_t)1U, (uint32_t)3U, (uint32_t)6U, (uint32_t)10U, (uint32_t)15U, (uint32_t)21U, + (uint32_t)28U, (uint32_t)36U, (uint32_t)45U, (uint32_t)55U, (uint32_t)2U, (uint32_t)14U, + (uint32_t)27U, (uint32_t)41U, (uint32_t)56U, (uint32_t)8U, (uint32_t)25U, (uint32_t)43U, + (uint32_t)62U, (uint32_t)18U, (uint32_t)39U, (uint32_t)61U, (uint32_t)20U, (uint32_t)44U + }; + +const +uint32_t +Hacl_Impl_SHA3_keccak_piln[24U] = + { + (uint32_t)10U, (uint32_t)7U, (uint32_t)11U, (uint32_t)17U, (uint32_t)18U, (uint32_t)3U, + (uint32_t)5U, (uint32_t)16U, (uint32_t)8U, (uint32_t)21U, (uint32_t)24U, (uint32_t)4U, + (uint32_t)15U, (uint32_t)23U, (uint32_t)19U, (uint32_t)13U, (uint32_t)12U, (uint32_t)2U, + (uint32_t)20U, (uint32_t)14U, (uint32_t)22U, (uint32_t)9U, (uint32_t)6U, (uint32_t)1U + }; + +const +uint64_t +Hacl_Impl_SHA3_keccak_rndc[24U] = + { + (uint64_t)0x0000000000000001U, (uint64_t)0x0000000000008082U, (uint64_t)0x800000000000808aU, + (uint64_t)0x8000000080008000U, (uint64_t)0x000000000000808bU, (uint64_t)0x0000000080000001U, + (uint64_t)0x8000000080008081U, (uint64_t)0x8000000000008009U, (uint64_t)0x000000000000008aU, + (uint64_t)0x0000000000000088U, (uint64_t)0x0000000080008009U, (uint64_t)0x000000008000000aU, + (uint64_t)0x000000008000808bU, (uint64_t)0x800000000000008bU, (uint64_t)0x8000000000008089U, + (uint64_t)0x8000000000008003U, (uint64_t)0x8000000000008002U, (uint64_t)0x8000000000000080U, + (uint64_t)0x000000000000800aU, (uint64_t)0x800000008000000aU, (uint64_t)0x8000000080008081U, + (uint64_t)0x8000000000008080U, (uint64_t)0x0000000080000001U, (uint64_t)0x8000000080008008U + }; + +inline uint64_t Hacl_Impl_SHA3_rotl(uint64_t a, uint32_t b) +{ + return a << b | a >> ((uint32_t)64U - b); +} + +void Hacl_Impl_SHA3_state_permute(uint64_t *s) +{ + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)24U; i0++) + { + uint64_t b[5U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i 
< (uint32_t)5U; i++) + { + b[i] = + s[i + + (uint32_t)0U] + ^ + (s[i + + (uint32_t)5U] + ^ (s[i + (uint32_t)10U] ^ (s[i + (uint32_t)15U] ^ s[i + (uint32_t)20U]))); + } + for (uint32_t i1 = (uint32_t)0U; i1 < (uint32_t)5U; i1++) + { + uint64_t uu____0 = b[(i1 + (uint32_t)4U) % (uint32_t)5U]; + uint64_t + _D = uu____0 ^ Hacl_Impl_SHA3_rotl(b[(i1 + (uint32_t)1U) % (uint32_t)5U], (uint32_t)1U); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)5U; i++) + { + s[i1 + (uint32_t)5U * i] = s[i1 + (uint32_t)5U * i] ^ _D; + } + } + Lib_Memzero0_memzero(b, (uint32_t)5U * sizeof (b[0U])); + uint64_t x = s[1U]; + uint64_t b0 = x; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)24U; i++) + { + uint32_t _Y = Hacl_Impl_SHA3_keccak_piln[i]; + uint32_t r = Hacl_Impl_SHA3_keccak_rotc[i]; + uint64_t temp = s[_Y]; + s[_Y] = Hacl_Impl_SHA3_rotl(b0, r); + b0 = temp; + } + Lib_Memzero0_memzero(&b0, (uint32_t)1U * sizeof ((&b0)[0U])); + uint64_t b1[25U] = { 0U }; + memcpy(b1, s, (uint32_t)25U * sizeof (uint64_t)); + for (uint32_t i1 = (uint32_t)0U; i1 < (uint32_t)5U; i1++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)5U; i++) + { + s[i + (uint32_t)5U * i1] = + b1[i + + (uint32_t)5U * i1] + ^ + (~b1[(i + (uint32_t)1U) + % (uint32_t)5U + + (uint32_t)5U * i1] + & b1[(i + (uint32_t)2U) % (uint32_t)5U + (uint32_t)5U * i1]); + } + } + Lib_Memzero0_memzero(b1, (uint32_t)25U * sizeof (b1[0U])); + uint64_t c = Hacl_Impl_SHA3_keccak_rndc[i0]; + s[0U] = s[0U] ^ c; + } +} + +void Hacl_Impl_SHA3_loadState(uint32_t rateInBytes, uint8_t *input, uint64_t *s) +{ + uint8_t b[200U] = { 0U }; + memcpy(b, input, rateInBytes * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)25U; i++) + { + uint64_t u = load64_le(b + i * (uint32_t)8U); + uint64_t x = u; + s[i] = s[i] ^ x; + } + Lib_Memzero0_memzero(b, (uint32_t)200U * sizeof (b[0U])); +} + +void Hacl_Impl_SHA3_storeState(uint32_t rateInBytes, uint64_t *s, uint8_t *res) +{ + uint8_t b[200U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < 
(uint32_t)25U; i++) + { + uint64_t sj = s[i]; + store64_le(b + i * (uint32_t)8U, sj); + } + memcpy(res, b, rateInBytes * sizeof (uint8_t)); + Lib_Memzero0_memzero(b, (uint32_t)200U * sizeof (b[0U])); +} + +void +Hacl_Impl_SHA3_absorb( + uint64_t *s, + uint32_t rateInBytes, + uint32_t inputByteLen, + uint8_t *input, + uint8_t delimitedSuffix +) +{ + uint32_t nb = inputByteLen / rateInBytes; + uint32_t rem = inputByteLen % rateInBytes; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = input + i * rateInBytes; + Hacl_Impl_SHA3_loadState(rateInBytes, block, s); + Hacl_Impl_SHA3_state_permute(s); + } + uint8_t *last = input + nb * rateInBytes; + KRML_CHECK_SIZE(sizeof (uint8_t), rateInBytes); + uint8_t b[rateInBytes]; + memset(b, 0U, rateInBytes * sizeof (uint8_t)); + memcpy(b, last, rem * sizeof (uint8_t)); + b[rem] = delimitedSuffix; + Hacl_Impl_SHA3_loadState(rateInBytes, b, s); + if (!((delimitedSuffix & (uint8_t)0x80U) == (uint8_t)0U) && rem == rateInBytes - (uint32_t)1U) + { + Hacl_Impl_SHA3_state_permute(s); + } + KRML_CHECK_SIZE(sizeof (uint8_t), rateInBytes); + uint8_t b1[rateInBytes]; + memset(b1, 0U, rateInBytes * sizeof (uint8_t)); + b1[rateInBytes - (uint32_t)1U] = (uint8_t)0x80U; + Hacl_Impl_SHA3_loadState(rateInBytes, b1, s); + Hacl_Impl_SHA3_state_permute(s); + Lib_Memzero0_memzero(b1, rateInBytes * sizeof (b1[0U])); + Lib_Memzero0_memzero(b, rateInBytes * sizeof (b[0U])); +} + +void +Hacl_Impl_SHA3_squeeze( + uint64_t *s, + uint32_t rateInBytes, + uint32_t outputByteLen, + uint8_t *output +) +{ + uint32_t outBlocks = outputByteLen / rateInBytes; + uint32_t remOut = outputByteLen % rateInBytes; + uint8_t *last = output + outputByteLen - remOut; + uint8_t *blocks = output; + for (uint32_t i = (uint32_t)0U; i < outBlocks; i++) + { + Hacl_Impl_SHA3_storeState(rateInBytes, s, blocks + i * rateInBytes); + Hacl_Impl_SHA3_state_permute(s); + } + Hacl_Impl_SHA3_storeState(remOut, s, last); +} + +void +Hacl_Impl_SHA3_keccak( + uint32_t rate, + 
uint32_t capacity, + uint32_t inputByteLen, + uint8_t *input, + uint8_t delimitedSuffix, + uint32_t outputByteLen, + uint8_t *output +) +{ + uint32_t rateInBytes = rate / (uint32_t)8U; + uint64_t s[25U] = { 0U }; + Hacl_Impl_SHA3_absorb(s, rateInBytes, inputByteLen, input, delimitedSuffix); + Hacl_Impl_SHA3_squeeze(s, rateInBytes, outputByteLen, output); +} + +void +Hacl_SHA3_shake128_hacl( + uint32_t inputByteLen, + uint8_t *input, + uint32_t outputByteLen, + uint8_t *output +) +{ + Hacl_Impl_SHA3_keccak((uint32_t)1344U, + (uint32_t)256U, + inputByteLen, + input, + (uint8_t)0x1FU, + outputByteLen, + output); +} + +void +Hacl_SHA3_shake256_hacl( + uint32_t inputByteLen, + uint8_t *input, + uint32_t outputByteLen, + uint8_t *output +) +{ + Hacl_Impl_SHA3_keccak((uint32_t)1088U, + (uint32_t)512U, + inputByteLen, + input, + (uint8_t)0x1FU, + outputByteLen, + output); +} + +void Hacl_SHA3_sha3_224(uint32_t inputByteLen, uint8_t *input, uint8_t *output) +{ + Hacl_Impl_SHA3_keccak((uint32_t)1152U, + (uint32_t)448U, + inputByteLen, + input, + (uint8_t)0x06U, + (uint32_t)28U, + output); +} + +void Hacl_SHA3_sha3_256(uint32_t inputByteLen, uint8_t *input, uint8_t *output) +{ + Hacl_Impl_SHA3_keccak((uint32_t)1088U, + (uint32_t)512U, + inputByteLen, + input, + (uint8_t)0x06U, + (uint32_t)32U, + output); +} + +void Hacl_SHA3_sha3_384(uint32_t inputByteLen, uint8_t *input, uint8_t *output) +{ + Hacl_Impl_SHA3_keccak((uint32_t)832U, + (uint32_t)768U, + inputByteLen, + input, + (uint8_t)0x06U, + (uint32_t)48U, + output); +} + +void Hacl_SHA3_sha3_512(uint32_t inputByteLen, uint8_t *input, uint8_t *output) +{ + Hacl_Impl_SHA3_keccak((uint32_t)576U, + (uint32_t)1024U, + inputByteLen, + input, + (uint8_t)0x06U, + (uint32_t)64U, + output); +} + diff --git a/src/Hacl_Salsa20.c b/src/Hacl_Salsa20.c new file mode 100644 index 00000000..044219e0 --- /dev/null +++ b/src/Hacl_Salsa20.c 
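Review bot: `Hacl_Impl_SHA3_keccak` computes `rateInBytes = rate / 8` and hands it straight to absorb/squeeze, where `Hacl_Impl_SHA3_loadState` and `Hacl_Impl_SHA3_storeState` `memcpy` `rateInBytes` bytes through a fixed `uint8_t b[200U]` and `Hacl_Impl_SHA3_absorb` divides by `rateInBytes`; a `rate` above 1600 or below 8 therefore overruns the stack buffer or divides by zero instead of failing, and `capacity` is accepted but never read. Every caller in this file passes a fixed valid rate (1344/1088/1152/832/576), so this is a precondition to state on the externally visible entry point, e.g. `/* Requires 8 <= rate <= 1600 and rate % 8 == 0 (rateInBytes <= 200); capacity is unused, the sponge width is fixed at 1600 bits. */`. Separately, `Hacl_Impl_SHA3_rotl` shifts right by `64 - b`, which is undefined for `b == 0`; all in-file callers pass 1 or a `Hacl_Impl_SHA3_keccak_rotc` entry (1..62), so `/* requires 0 < b < 64 */` on the definition would record the invariant. These bounds presumably live in the F* types this file appears to be extracted from, but they are invisible to C callers.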
@@ -0,0 +1,429 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Salsa20.h" + + + +static inline void quarter_round(uint32_t *st, uint32_t a, uint32_t b, uint32_t c, uint32_t d) +{ + uint32_t sta = st[b]; + uint32_t stb0 = st[a]; + uint32_t std0 = st[d]; + uint32_t sta1 = sta ^ ((stb0 + std0) << (uint32_t)7U | (stb0 + std0) >> (uint32_t)25U); + st[b] = sta1; + uint32_t sta0 = st[c]; + uint32_t stb1 = st[b]; + uint32_t std1 = st[a]; + uint32_t sta10 = sta0 ^ ((stb1 + std1) << (uint32_t)9U | (stb1 + std1) >> (uint32_t)23U); + st[c] = sta10; + uint32_t sta2 = st[d]; + uint32_t stb2 = st[c]; + uint32_t std2 = st[b]; + uint32_t sta11 = sta2 ^ ((stb2 + std2) << (uint32_t)13U | (stb2 + std2) >> (uint32_t)19U); + st[d] = sta11; + uint32_t sta3 = st[a]; + uint32_t stb = st[d]; + uint32_t std = st[c]; + uint32_t sta12 = sta3 ^ ((stb + std) << (uint32_t)18U | (stb + std) >> (uint32_t)14U); + st[a] = sta12; +} + +static inline void double_round(uint32_t *st) +{ + quarter_round(st, (uint32_t)0U, (uint32_t)4U, (uint32_t)8U, (uint32_t)12U); + quarter_round(st, (uint32_t)5U, (uint32_t)9U, (uint32_t)13U, (uint32_t)1U); + quarter_round(st, (uint32_t)10U, (uint32_t)14U, (uint32_t)2U, (uint32_t)6U); + quarter_round(st, (uint32_t)15U, (uint32_t)3U, (uint32_t)7U, (uint32_t)11U); + quarter_round(st, (uint32_t)0U, (uint32_t)1U, (uint32_t)2U, (uint32_t)3U); + quarter_round(st, (uint32_t)5U, (uint32_t)6U, (uint32_t)7U, (uint32_t)4U); + quarter_round(st, (uint32_t)10U, (uint32_t)11U, (uint32_t)8U, (uint32_t)9U); + quarter_round(st, (uint32_t)15U, (uint32_t)12U, (uint32_t)13U, (uint32_t)14U); +} + +static inline void rounds(uint32_t *st) +{ + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); +} + +static inline void salsa20_core(uint32_t *k, uint32_t *ctx, uint32_t ctr) +{ + memcpy(k, ctx, (uint32_t)16U * sizeof (uint32_t)); + uint32_t ctr_u32 = ctr; + k[8U] = k[8U] + ctr_u32; + 
rounds(k); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = k; + uint32_t x = k[i] + ctx[i]; + os[i] = x; + } + k[8U] = k[8U] + ctr_u32; +} + +static inline void salsa20_key_block0(uint8_t *out, uint8_t *key, uint8_t *n) +{ + uint32_t ctx[16U] = { 0U }; + uint32_t k[16U] = { 0U }; + uint32_t k32[8U] = { 0U }; + uint32_t n32[2U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = k32; + uint8_t *bj = key + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t *os = n32; + uint8_t *bj = n + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + ctx[0U] = (uint32_t)0x61707865U; + uint32_t *k0 = k32; + uint32_t *k1 = k32 + (uint32_t)4U; + memcpy(ctx + (uint32_t)1U, k0, (uint32_t)4U * sizeof (uint32_t)); + ctx[5U] = (uint32_t)0x3320646eU; + memcpy(ctx + (uint32_t)6U, n32, (uint32_t)2U * sizeof (uint32_t)); + ctx[8U] = (uint32_t)0U; + ctx[9U] = (uint32_t)0U; + ctx[10U] = (uint32_t)0x79622d32U; + memcpy(ctx + (uint32_t)11U, k1, (uint32_t)4U * sizeof (uint32_t)); + ctx[15U] = (uint32_t)0x6b206574U; + salsa20_core(k, ctx, (uint32_t)0U); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + store32_le(out + i * (uint32_t)4U, k[i]); + } +} + +static inline void +salsa20_encrypt( + uint32_t len, + uint8_t *out, + uint8_t *text, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + uint32_t ctx[16U] = { 0U }; + uint32_t k32[8U] = { 0U }; + uint32_t n32[2U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = k32; + uint8_t *bj = key + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t *os = n32; + uint8_t *bj = n + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + 
uint32_t x = r; + os[i] = x; + } + ctx[0U] = (uint32_t)0x61707865U; + uint32_t *k0 = k32; + uint32_t *k10 = k32 + (uint32_t)4U; + memcpy(ctx + (uint32_t)1U, k0, (uint32_t)4U * sizeof (uint32_t)); + ctx[5U] = (uint32_t)0x3320646eU; + memcpy(ctx + (uint32_t)6U, n32, (uint32_t)2U * sizeof (uint32_t)); + ctx[8U] = ctr; + ctx[9U] = (uint32_t)0U; + ctx[10U] = (uint32_t)0x79622d32U; + memcpy(ctx + (uint32_t)11U, k10, (uint32_t)4U * sizeof (uint32_t)); + ctx[15U] = (uint32_t)0x6b206574U; + uint32_t k[16U] = { 0U }; + uint32_t rem = len % (uint32_t)64U; + uint32_t nb = len / (uint32_t)64U; + uint32_t rem1 = len % (uint32_t)64U; + for (uint32_t i0 = (uint32_t)0U; i0 < nb; i0++) + { + uint8_t *uu____0 = out + i0 * (uint32_t)64U; + uint8_t *uu____1 = text + i0 * (uint32_t)64U; + uint32_t k1[16U] = { 0U }; + salsa20_core(k1, ctx, i0); + uint32_t bl[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint8_t *bj = uu____1 + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint32_t x = bl[i] ^ k1[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + store32_le(uu____0 + i * (uint32_t)4U, bl[i]); + } + } + if (rem1 > (uint32_t)0U) + { + uint8_t *uu____2 = out + nb * (uint32_t)64U; + uint8_t *uu____3 = text + nb * (uint32_t)64U; + uint8_t plain[64U] = { 0U }; + memcpy(plain, uu____3, rem * sizeof (uint8_t)); + uint32_t k1[16U] = { 0U }; + salsa20_core(k1, ctx, nb); + uint32_t bl[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint8_t *bj = plain + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint32_t x = bl[i] ^ k1[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < 
(uint32_t)16U; i++) + { + store32_le(plain + i * (uint32_t)4U, bl[i]); + } + memcpy(uu____2, plain, rem * sizeof (uint8_t)); + } +} + +static inline void +salsa20_decrypt( + uint32_t len, + uint8_t *out, + uint8_t *cipher, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + uint32_t ctx[16U] = { 0U }; + uint32_t k32[8U] = { 0U }; + uint32_t n32[2U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = k32; + uint8_t *bj = key + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t *os = n32; + uint8_t *bj = n + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + ctx[0U] = (uint32_t)0x61707865U; + uint32_t *k0 = k32; + uint32_t *k10 = k32 + (uint32_t)4U; + memcpy(ctx + (uint32_t)1U, k0, (uint32_t)4U * sizeof (uint32_t)); + ctx[5U] = (uint32_t)0x3320646eU; + memcpy(ctx + (uint32_t)6U, n32, (uint32_t)2U * sizeof (uint32_t)); + ctx[8U] = ctr; + ctx[9U] = (uint32_t)0U; + ctx[10U] = (uint32_t)0x79622d32U; + memcpy(ctx + (uint32_t)11U, k10, (uint32_t)4U * sizeof (uint32_t)); + ctx[15U] = (uint32_t)0x6b206574U; + uint32_t k[16U] = { 0U }; + uint32_t rem = len % (uint32_t)64U; + uint32_t nb = len / (uint32_t)64U; + uint32_t rem1 = len % (uint32_t)64U; + for (uint32_t i0 = (uint32_t)0U; i0 < nb; i0++) + { + uint8_t *uu____0 = out + i0 * (uint32_t)64U; + uint8_t *uu____1 = cipher + i0 * (uint32_t)64U; + uint32_t k1[16U] = { 0U }; + salsa20_core(k1, ctx, i0); + uint32_t bl[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint8_t *bj = uu____1 + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint32_t x = bl[i] ^ k1[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; 
i++) + { + store32_le(uu____0 + i * (uint32_t)4U, bl[i]); + } + } + if (rem1 > (uint32_t)0U) + { + uint8_t *uu____2 = out + nb * (uint32_t)64U; + uint8_t *uu____3 = cipher + nb * (uint32_t)64U; + uint8_t plain[64U] = { 0U }; + memcpy(plain, uu____3, rem * sizeof (uint8_t)); + uint32_t k1[16U] = { 0U }; + salsa20_core(k1, ctx, nb); + uint32_t bl[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint8_t *bj = plain + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint32_t x = bl[i] ^ k1[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + store32_le(plain + i * (uint32_t)4U, bl[i]); + } + memcpy(uu____2, plain, rem * sizeof (uint8_t)); + } +} + +static inline void hsalsa20(uint8_t *out, uint8_t *key, uint8_t *n) +{ + uint32_t ctx[16U] = { 0U }; + uint32_t k32[8U] = { 0U }; + uint32_t n32[4U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = k32; + uint8_t *bj = key + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = n32; + uint8_t *bj = n + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + uint32_t *k0 = k32; + uint32_t *k1 = k32 + (uint32_t)4U; + ctx[0U] = (uint32_t)0x61707865U; + memcpy(ctx + (uint32_t)1U, k0, (uint32_t)4U * sizeof (uint32_t)); + ctx[5U] = (uint32_t)0x3320646eU; + memcpy(ctx + (uint32_t)6U, n32, (uint32_t)4U * sizeof (uint32_t)); + ctx[10U] = (uint32_t)0x79622d32U; + memcpy(ctx + (uint32_t)11U, k1, (uint32_t)4U * sizeof (uint32_t)); + ctx[15U] = (uint32_t)0x6b206574U; + rounds(ctx); + uint32_t r0 = ctx[0U]; + uint32_t r1 = ctx[5U]; + uint32_t r2 = ctx[10U]; + uint32_t r3 = ctx[15U]; + uint32_t r4 = ctx[6U]; + 
uint32_t r5 = ctx[7U]; + uint32_t r6 = ctx[8U]; + uint32_t r7 = ctx[9U]; + uint32_t res[8U] = { r0, r1, r2, r3, r4, r5, r6, r7 }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + store32_le(out + i * (uint32_t)4U, res[i]); + } +} + +void +Hacl_Salsa20_salsa20_encrypt( + uint32_t len, + uint8_t *out, + uint8_t *text, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + salsa20_encrypt(len, out, text, key, n, ctr); +} + +void +Hacl_Salsa20_salsa20_decrypt( + uint32_t len, + uint8_t *out, + uint8_t *cipher, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + salsa20_decrypt(len, out, cipher, key, n, ctr); +} + +void Hacl_Salsa20_salsa20_key_block0(uint8_t *out, uint8_t *key, uint8_t *n) +{ + salsa20_key_block0(out, key, n); +} + +void Hacl_Salsa20_hsalsa20(uint8_t *out, uint8_t *key, uint8_t *n) +{ + hsalsa20(out, key, n); +} + diff --git a/src/Hacl_Spec.c b/src/Hacl_Spec.c new file mode 100644 index 00000000..7dacd2c4 --- /dev/null +++ b/src/Hacl_Spec.c 
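Review bot: The block counter in `salsa20_encrypt`/`salsa20_decrypt` is effectively 32-bit: `ctx[8U] = ctr`, `ctx[9U]` stays zero, and `salsa20_core` adds the per-block index `i0` to `k[8U]` modulo 2^32, so once `ctr + len/64` exceeds `UINT32_MAX` the keystream wraps back to block 0 of the same key/nonce and later blocks are XORed with repeated keystream. Neither the static helpers nor the public wrappers `Hacl_Salsa20_salsa20_encrypt`/`Hacl_Salsa20_salsa20_decrypt` state this; I would add to the wrappers `/* ctr is the 32-bit starting block counter; callers must keep ctr + len/64 <= UINT32_MAX, otherwise keystream blocks repeat. */`. As a point of style, `salsa20_decrypt` is byte-for-byte `salsa20_encrypt` with `text` renamed to `cipher`, and both compute `rem` and `rem1` as the same `len % (uint32_t)64U`; having the decrypt wrapper call `salsa20_encrypt` would halve the duplicated code, though if this file is regenerated from F* the change belongs upstream.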
@@ -0,0 +1,53 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "internal/Hacl_Spec.h" + + + +Spec_Agile_Cipher_cipher_alg +Spec_Cipher_Expansion_cipher_alg_of_impl(Spec_Cipher_Expansion_impl i) +{ + switch (i) + { + case Spec_Cipher_Expansion_Hacl_CHACHA20: + { + return Spec_Agile_Cipher_CHACHA20; + } + case Spec_Cipher_Expansion_Vale_AES128: + { + return Spec_Agile_Cipher_AES128; + } + case Spec_Cipher_Expansion_Vale_AES256: + { + return Spec_Agile_Cipher_AES256; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + diff --git a/src/Hacl_Streaming_Blake2.c b/src/Hacl_Streaming_Blake2.c new file mode 100644 index 00000000..39523975 --- /dev/null +++ b/src/Hacl_Streaming_Blake2.c 
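Review bot: `Spec_Cipher_Expansion_cipher_alg_of_impl` has no `return` after the `switch`, so the function is well-formed only if `KRML_HOST_EXIT` expands to a `noreturn` call; that macro is defined outside this patch, and if it is not marked `noreturn` a `-Wreturn-type` build will flag control reaching the end of a non-void function. A one-line comment on the `default` arm, `/* KRML_HOST_EXIT does not return; no value is needed after the switch */`, records the assumption for readers who cannot see the KreMLin runtime header.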
@@ -0,0 +1,1179 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Streaming_Blake2.h" + + + +uint32_t +Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_alg a, Hacl_Impl_Blake2_Core_m_spec m) +{ + switch (m) + { + case Hacl_Impl_Blake2_Core_M32: + { + switch (a) + { + case Spec_Blake2_Blake2S: + { + return (uint32_t)64U; + } + case Spec_Blake2_Blake2B: + { + return (uint32_t)128U; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + break; + } + case Hacl_Impl_Blake2_Core_M128: + { + switch (a) + { + case Spec_Blake2_Blake2S: + { + return (uint32_t)64U; + } + case Spec_Blake2_Blake2B: + { + return (uint32_t)128U; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + break; + } + case Hacl_Impl_Blake2_Core_M256: + { + switch (a) + { + case Spec_Blake2_Blake2S: + { + return (uint32_t)64U; + } + case Spec_Blake2_Blake2B: + { + return (uint32_t)128U; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +/* + State allocation function when there is no key +*/ +Hacl_Streaming_Blake2_blake2s_32_state *Hacl_Streaming_Blake2_blake2s_32_no_key_create_in() +{ + KRML_CHECK_SIZE(sizeof (uint8_t), + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32)); + uint8_t + *buf = + KRML_HOST_CALLOC(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32), + sizeof (uint8_t)); + uint32_t *wv = KRML_HOST_CALLOC((uint32_t)16U, sizeof (uint32_t)); + uint32_t *b = KRML_HOST_CALLOC((uint32_t)16U, sizeof (uint32_t)); + Hacl_Streaming_Blake2_blake2s_32_block_state block_state = { .fst = wv, .snd = b }; + Hacl_Streaming_Blake2_blake2s_32_state + s1 = { .block_state = block_state, .buf = buf, 
.total_len = (uint64_t)0U }; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_Blake2_blake2s_32_state), (uint32_t)1U); + Hacl_Streaming_Blake2_blake2s_32_state + *p = KRML_HOST_MALLOC(sizeof (Hacl_Streaming_Blake2_blake2s_32_state)); + p[0U] = s1; + Hacl_Blake2s_32_blake2s_init(block_state.snd, (uint32_t)0U, (uint32_t)32U); + return p; +} + +/* + (Re-)initialization function when there is no key +*/ +void Hacl_Streaming_Blake2_blake2s_32_no_key_init(Hacl_Streaming_Blake2_blake2s_32_state *s1) +{ + Hacl_Streaming_Blake2_blake2s_32_state scrut = *s1; + uint8_t *buf = scrut.buf; + Hacl_Streaming_Blake2_blake2s_32_block_state block_state = scrut.block_state; + Hacl_Blake2s_32_blake2s_init(block_state.snd, (uint32_t)0U, (uint32_t)32U); + s1[0U] = + ( + (Hacl_Streaming_Blake2_blake2s_32_state){ + .block_state = block_state, + .buf = buf, + .total_len = (uint64_t)0U + } + ); +} + +/* + Update function when there is no key +*/ +void +Hacl_Streaming_Blake2_blake2s_32_no_key_update( + Hacl_Streaming_Blake2_blake2s_32_state *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_Blake2_blake2s_32_state s1 = *p; + uint64_t total_len = s1.total_len; + uint32_t sz; + if + ( + total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + sz = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz = + (uint32_t)(total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32)); + } + if + ( + len + <= Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32) - sz + ) + { + Hacl_Streaming_Blake2_blake2s_32_state s2 = *p; + Hacl_Streaming_Blake2_blake2s_32_block_state block_state1 = s2.block_state; + uint8_t *buf = s2.buf; + uint64_t total_len1 = s2.total_len; + uint32_t sz1; + if + ( + total_len1 + % + 
(uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32)); + } + uint8_t *buf2 = buf + sz1; + memcpy(buf2, data, len * sizeof (uint8_t)); + uint64_t total_len2 = total_len1 + (uint64_t)len; + *p + = + ( + (Hacl_Streaming_Blake2_blake2s_32_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len2 + } + ); + return; + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_Blake2_blake2s_32_state s2 = *p; + Hacl_Streaming_Blake2_blake2s_32_block_state block_state1 = s2.block_state; + uint8_t *buf = s2.buf; + uint64_t total_len1 = s2.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32)); + } + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + uint32_t + nb = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + / (uint32_t)64U; + Hacl_Blake2s_32_blake2s_update_multi(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32), + block_state1.fst, + block_state1.snd, + prevlen, + buf, + nb); + } + uint32_t ite; + if + ( + (uint64_t)len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && (uint64_t)len > (uint64_t)0U + ) + { + ite = 
Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + } + else + { + ite = + (uint32_t)((uint64_t)len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32)); + } + uint32_t + n_blocks = + (len - ite) + / Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + uint32_t + data1_len = + n_blocks + * Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + uint32_t data2_len = len - data1_len; + uint8_t *data1 = data; + uint8_t *data2 = data + data1_len; + uint32_t nb = data1_len / (uint32_t)64U; + Hacl_Blake2s_32_blake2s_update_multi(data1_len, + block_state1.fst, + block_state1.snd, + total_len1, + data1, + nb); + uint8_t *dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_Blake2_blake2s_32_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)len + } + ); + return; + } + uint32_t + diff = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_Blake2_blake2s_32_state s2 = *p; + Hacl_Streaming_Blake2_blake2s_32_block_state block_state10 = s2.block_state; + uint8_t *buf0 = s2.buf; + uint64_t total_len10 = s2.total_len; + uint32_t sz10; + if + ( + total_len10 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len10 > (uint64_t)0U + ) + { + sz10 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz10 = + (uint32_t)(total_len10 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32)); + } + uint8_t *buf2 = buf0 + sz10; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + uint64_t total_len2 = total_len10 + (uint64_t)diff; + *p + = + ( + 
(Hacl_Streaming_Blake2_blake2s_32_state){ + .block_state = block_state10, + .buf = buf0, + .total_len = total_len2 + } + ); + Hacl_Streaming_Blake2_blake2s_32_state s20 = *p; + Hacl_Streaming_Blake2_blake2s_32_block_state block_state1 = s20.block_state; + uint8_t *buf = s20.buf; + uint64_t total_len1 = s20.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32)); + } + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + uint32_t + nb = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + / (uint32_t)64U; + Hacl_Blake2s_32_blake2s_update_multi(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32), + block_state1.fst, + block_state1.snd, + prevlen, + buf, + nb); + } + uint32_t ite; + if + ( + (uint64_t)(len - diff) + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + } + else + { + ite = + (uint32_t)((uint64_t)(len - diff) + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32)); + } + uint32_t + n_blocks = + (len - diff - ite) + / Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + uint32_t + data1_len = + n_blocks + * Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + uint32_t data2_len = len - diff - data1_len; + uint8_t 
*data11 = data2; + uint8_t *data21 = data2 + data1_len; + uint32_t nb = data1_len / (uint32_t)64U; + Hacl_Blake2s_32_blake2s_update_multi(data1_len, + block_state1.fst, + block_state1.snd, + total_len1, + data11, + nb); + uint8_t *dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_Blake2_blake2s_32_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)(len - diff) + } + ); +} + +/* + Finish function when there is no key +*/ +void +Hacl_Streaming_Blake2_blake2s_32_no_key_finish( + Hacl_Streaming_Blake2_blake2s_32_state *p, + uint8_t *dst +) +{ + Hacl_Streaming_Blake2_blake2s_32_state scrut = *p; + Hacl_Streaming_Blake2_blake2s_32_block_state block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + } + else + { + r = + (uint32_t)(total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32)); + } + uint8_t *buf_1 = buf_; + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * (uint32_t)4U); + uint32_t wv[(uint32_t)4U * (uint32_t)4U]; + memset(wv, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * (uint32_t)4U); + uint32_t b[(uint32_t)4U * (uint32_t)4U]; + memset(b, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + Hacl_Streaming_Blake2_blake2s_32_block_state tmp_block_state = { .fst = wv, .snd = b }; + uint32_t *src_b = block_state.snd; + uint32_t *dst_b = tmp_block_state.snd; + memcpy(dst_b, src_b, (uint32_t)16U * sizeof (uint32_t)); + uint64_t prev_len = total_len - (uint64_t)r; + uint32_t ite0; + if (r % (uint32_t)64U == (uint32_t)0U && r > 
(uint32_t)0U) + { + ite0 = (uint32_t)64U; + } + else + { + ite0 = r % (uint32_t)64U; + } + uint8_t *buf_last = buf_1 + r - ite0; + uint8_t *buf_multi = buf_1; + uint32_t ite1; + if + ( + (uint32_t)64U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32) + ) + { + ite1 = (uint32_t)0U; + } + else + { + uint32_t ite; + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = r % (uint32_t)64U; + } + ite1 = r - ite; + } + uint32_t nb = ite1 / (uint32_t)64U; + uint32_t ite2; + if + ( + (uint32_t)64U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32) + ) + { + ite2 = (uint32_t)0U; + } + else + { + uint32_t ite; + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = r % (uint32_t)64U; + } + ite2 = r - ite; + } + Hacl_Blake2s_32_blake2s_update_multi(ite2, + tmp_block_state.fst, + tmp_block_state.snd, + prev_len, + buf_multi, + nb); + uint32_t ite3; + if + ( + (uint32_t)64U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32) + ) + { + ite3 = r; + } + else if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite3 = (uint32_t)64U; + } + else + { + ite3 = r % (uint32_t)64U; + } + uint64_t prev_len_last = total_len - (uint64_t)ite3; + uint32_t ite4; + if + ( + (uint32_t)64U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32) + ) + { + ite4 = r; + } + else if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite4 = (uint32_t)64U; + } + else + { + ite4 = r % (uint32_t)64U; + } + uint32_t ite; + if + ( + (uint32_t)64U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32) + ) + { + ite = r; + } + else if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = r % (uint32_t)64U; + } + 
Hacl_Blake2s_32_blake2s_update_last(ite4, + tmp_block_state.fst, + tmp_block_state.snd, + prev_len_last, + ite, + buf_last); + Hacl_Blake2s_32_blake2s_finish((uint32_t)32U, dst, tmp_block_state.snd); +} + +/* + Free state function when there is no key +*/ +void Hacl_Streaming_Blake2_blake2s_32_no_key_free(Hacl_Streaming_Blake2_blake2s_32_state *s1) +{ + Hacl_Streaming_Blake2_blake2s_32_state scrut = *s1; + uint8_t *buf = scrut.buf; + Hacl_Streaming_Blake2_blake2s_32_block_state block_state = scrut.block_state; + uint32_t *wv = block_state.fst; + uint32_t *b = block_state.snd; + KRML_HOST_FREE(wv); + KRML_HOST_FREE(b); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s1); +} + +/* + State allocation function when there is no key +*/ +Hacl_Streaming_Blake2_blake2b_32_state *Hacl_Streaming_Blake2_blake2b_32_no_key_create_in() +{ + KRML_CHECK_SIZE(sizeof (uint8_t), + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32)); + uint8_t + *buf = + KRML_HOST_CALLOC(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32), + sizeof (uint8_t)); + uint64_t *wv = KRML_HOST_CALLOC((uint32_t)16U, sizeof (uint64_t)); + uint64_t *b = KRML_HOST_CALLOC((uint32_t)16U, sizeof (uint64_t)); + Hacl_Streaming_Blake2_blake2b_32_block_state block_state = { .fst = wv, .snd = b }; + Hacl_Streaming_Blake2_blake2b_32_state + s1 = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_Blake2_blake2b_32_state), (uint32_t)1U); + Hacl_Streaming_Blake2_blake2b_32_state + *p = KRML_HOST_MALLOC(sizeof (Hacl_Streaming_Blake2_blake2b_32_state)); + p[0U] = s1; + Hacl_Blake2b_32_blake2b_init(block_state.snd, (uint32_t)0U, (uint32_t)64U); + return p; +} + +/* + (Re)-initialization function when there is no key +*/ +void Hacl_Streaming_Blake2_blake2b_32_no_key_init(Hacl_Streaming_Blake2_blake2b_32_state *s1) +{ + Hacl_Streaming_Blake2_blake2b_32_state scrut = *s1; + uint8_t *buf = scrut.buf; + 
Hacl_Streaming_Blake2_blake2b_32_block_state block_state = scrut.block_state; + Hacl_Blake2b_32_blake2b_init(block_state.snd, (uint32_t)0U, (uint32_t)64U); + s1[0U] = + ( + (Hacl_Streaming_Blake2_blake2b_32_state){ + .block_state = block_state, + .buf = buf, + .total_len = (uint64_t)0U + } + ); +} + +/* + Update function when there is no key +*/ +void +Hacl_Streaming_Blake2_blake2b_32_no_key_update( + Hacl_Streaming_Blake2_blake2b_32_state *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_Blake2_blake2b_32_state s1 = *p; + uint64_t total_len = s1.total_len; + uint32_t sz; + if + ( + total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + sz = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz = + (uint32_t)(total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32)); + } + if + ( + len + <= Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32) - sz + ) + { + Hacl_Streaming_Blake2_blake2b_32_state s2 = *p; + Hacl_Streaming_Blake2_blake2b_32_block_state block_state1 = s2.block_state; + uint8_t *buf = s2.buf; + uint64_t total_len1 = s2.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32)); + } + uint8_t *buf2 = buf + sz1; + memcpy(buf2, data, len * sizeof (uint8_t)); + uint64_t total_len2 = total_len1 + (uint64_t)len; + *p + = + ( + (Hacl_Streaming_Blake2_blake2b_32_state){ + .block_state = 
block_state1, + .buf = buf, + .total_len = total_len2 + } + ); + return; + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_Blake2_blake2b_32_state s2 = *p; + Hacl_Streaming_Blake2_blake2b_32_block_state block_state1 = s2.block_state; + uint8_t *buf = s2.buf; + uint64_t total_len1 = s2.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32)); + } + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + uint32_t + nb = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + / (uint32_t)128U; + Hacl_Blake2b_32_blake2b_update_multi(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32), + block_state1.fst, + block_state1.snd, + FStar_UInt128_uint64_to_uint128(prevlen), + buf, + nb); + } + uint32_t ite; + if + ( + (uint64_t)len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && (uint64_t)len > (uint64_t)0U + ) + { + ite = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + } + else + { + ite = + (uint32_t)((uint64_t)len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32)); + } + uint32_t + n_blocks = + (len - ite) + / Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + uint32_t + data1_len = + n_blocks + * Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + uint32_t data2_len = len - data1_len; + uint8_t *data1 = data; + uint8_t *data2 = 
data + data1_len; + uint32_t nb = data1_len / (uint32_t)128U; + Hacl_Blake2b_32_blake2b_update_multi(data1_len, + block_state1.fst, + block_state1.snd, + FStar_UInt128_uint64_to_uint128(total_len1), + data1, + nb); + uint8_t *dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_Blake2_blake2b_32_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)len + } + ); + return; + } + uint32_t + diff = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_Blake2_blake2b_32_state s2 = *p; + Hacl_Streaming_Blake2_blake2b_32_block_state block_state10 = s2.block_state; + uint8_t *buf0 = s2.buf; + uint64_t total_len10 = s2.total_len; + uint32_t sz10; + if + ( + total_len10 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len10 > (uint64_t)0U + ) + { + sz10 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz10 = + (uint32_t)(total_len10 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32)); + } + uint8_t *buf2 = buf0 + sz10; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + uint64_t total_len2 = total_len10 + (uint64_t)diff; + *p + = + ( + (Hacl_Streaming_Blake2_blake2b_32_state){ + .block_state = block_state10, + .buf = buf0, + .total_len = total_len2 + } + ); + Hacl_Streaming_Blake2_blake2b_32_state s20 = *p; + Hacl_Streaming_Blake2_blake2b_32_block_state block_state1 = s20.block_state; + uint8_t *buf = s20.buf; + uint64_t total_len1 = s20.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = 
Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32)); + } + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + uint32_t + nb = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + / (uint32_t)128U; + Hacl_Blake2b_32_blake2b_update_multi(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32), + block_state1.fst, + block_state1.snd, + FStar_UInt128_uint64_to_uint128(prevlen), + buf, + nb); + } + uint32_t ite; + if + ( + (uint64_t)(len - diff) + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + } + else + { + ite = + (uint32_t)((uint64_t)(len - diff) + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32)); + } + uint32_t + n_blocks = + (len - diff - ite) + / Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + uint32_t + data1_len = + n_blocks + * Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + uint32_t data2_len = len - diff - data1_len; + uint8_t *data11 = data2; + uint8_t *data21 = data2 + data1_len; + uint32_t nb = data1_len / (uint32_t)128U; + Hacl_Blake2b_32_blake2b_update_multi(data1_len, + block_state1.fst, + block_state1.snd, + FStar_UInt128_uint64_to_uint128(total_len1), + data11, + nb); + uint8_t *dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_Blake2_blake2b_32_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)(len - diff) + } + ); +} + 
+/* + Finish function when there is no key +*/ +void +Hacl_Streaming_Blake2_blake2b_32_no_key_finish( + Hacl_Streaming_Blake2_blake2b_32_state *p, + uint8_t *dst +) +{ + Hacl_Streaming_Blake2_blake2b_32_state scrut = *p; + Hacl_Streaming_Blake2_blake2b_32_block_state block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + } + else + { + r = + (uint32_t)(total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32)); + } + uint8_t *buf_1 = buf_; + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * (uint32_t)4U); + uint64_t wv[(uint32_t)4U * (uint32_t)4U]; + memset(wv, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * (uint32_t)4U); + uint64_t b[(uint32_t)4U * (uint32_t)4U]; + memset(b, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + Hacl_Streaming_Blake2_blake2b_32_block_state tmp_block_state = { .fst = wv, .snd = b }; + uint64_t *src_b = block_state.snd; + uint64_t *dst_b = tmp_block_state.snd; + memcpy(dst_b, src_b, (uint32_t)16U * sizeof (uint64_t)); + uint64_t prev_len = total_len - (uint64_t)r; + uint32_t ite0; + if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite0 = (uint32_t)128U; + } + else + { + ite0 = r % (uint32_t)128U; + } + uint8_t *buf_last = buf_1 + r - ite0; + uint8_t *buf_multi = buf_1; + uint32_t ite1; + if + ( + (uint32_t)128U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32) + ) + { + ite1 = (uint32_t)0U; + } + else + { + uint32_t ite; + if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)128U; + } + else + { + 
ite = r % (uint32_t)128U; + } + ite1 = r - ite; + } + uint32_t nb = ite1 / (uint32_t)128U; + uint32_t ite2; + if + ( + (uint32_t)128U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32) + ) + { + ite2 = (uint32_t)0U; + } + else + { + uint32_t ite; + if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)128U; + } + else + { + ite = r % (uint32_t)128U; + } + ite2 = r - ite; + } + Hacl_Blake2b_32_blake2b_update_multi(ite2, + tmp_block_state.fst, + tmp_block_state.snd, + FStar_UInt128_uint64_to_uint128(prev_len), + buf_multi, + nb); + uint32_t ite3; + if + ( + (uint32_t)128U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32) + ) + { + ite3 = r; + } + else if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite3 = (uint32_t)128U; + } + else + { + ite3 = r % (uint32_t)128U; + } + uint64_t prev_len_last = total_len - (uint64_t)ite3; + uint32_t ite4; + if + ( + (uint32_t)128U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32) + ) + { + ite4 = r; + } + else if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite4 = (uint32_t)128U; + } + else + { + ite4 = r % (uint32_t)128U; + } + uint32_t ite; + if + ( + (uint32_t)128U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32) + ) + { + ite = r; + } + else if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)128U; + } + else + { + ite = r % (uint32_t)128U; + } + Hacl_Blake2b_32_blake2b_update_last(ite4, + tmp_block_state.fst, + tmp_block_state.snd, + FStar_UInt128_uint64_to_uint128(prev_len_last), + ite, + buf_last); + Hacl_Blake2b_32_blake2b_finish((uint32_t)64U, dst, tmp_block_state.snd); +} + +/* + Free state function when there is no key +*/ +void Hacl_Streaming_Blake2_blake2b_32_no_key_free(Hacl_Streaming_Blake2_blake2b_32_state *s1) +{ + Hacl_Streaming_Blake2_blake2b_32_state scrut 
= *s1; + uint8_t *buf = scrut.buf; + Hacl_Streaming_Blake2_blake2b_32_block_state block_state = scrut.block_state; + uint64_t *wv = block_state.fst; + uint64_t *b = block_state.snd; + KRML_HOST_FREE(wv); + KRML_HOST_FREE(b); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s1); +} + diff --git a/src/Hacl_Streaming_Blake2b_256.c b/src/Hacl_Streaming_Blake2b_256.c new file mode 100644 index 00000000..930bae60 --- /dev/null +++ b/src/Hacl_Streaming_Blake2b_256.c 
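Review bot: In `Hacl_Streaming_Blake2_blake2s_32_no_key_create_in` (and its `blake2b_32` twin later in the hunk) the results of `KRML_HOST_CALLOC`/`KRML_HOST_MALLOC` are never checked, so an allocation failure reaches `p[0U] = s1;` and `Hacl_Blake2s_32_blake2s_init(block_state.snd, ...)` with a NULL pointer. Unless `KRML_HOST_MALLOC` is mapped to an aborting allocator in the kremlib configuration (not visible in this hunk), a guard is needed before the state is written, e.g. `if (buf == NULL || wv == NULL || b == NULL || p == NULL) { KRML_HOST_FREE(buf); KRML_HOST_FREE(wv); KRML_HOST_FREE(b); KRML_HOST_FREE(p); return NULL; }`, with the possible NULL return documented in the "State allocation function" comment. Because this file is extracted from F*, the fix belongs in the extraction source or a thin wrapper rather than a hand edit here, otherwise it is lost on the next regeneration. `_no_key_free` also hands `buf`, `wv` and `b` back to the allocator without clearing them; for these unkeyed hashes that is only a hygiene issue, but if the keyed variants (outside this hunk) share the generated pattern they would leave key material in freed memory, which is worth confirming.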
@@ -0,0 +1,582 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Streaming_Blake2b_256.h" + + + +/* + State allocation function when there is no key +*/ +Hacl_Streaming_Blake2b_256_blake2b_256_state +*Hacl_Streaming_Blake2b_256_blake2b_256_no_key_create_in() +{ + KRML_CHECK_SIZE(sizeof (uint8_t), + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256)); + uint8_t + *buf = + KRML_HOST_CALLOC(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256), + sizeof (uint8_t)); + Lib_IntVector_Intrinsics_vec256 + *wv = KRML_HOST_MALLOC(sizeof (Lib_IntVector_Intrinsics_vec256) * (uint32_t)4U); + for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i) + wv[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 + *b = KRML_HOST_MALLOC(sizeof (Lib_IntVector_Intrinsics_vec256) * (uint32_t)4U); + for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i) + b[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state = { .fst = wv, .snd = b }; + Hacl_Streaming_Blake2b_256_blake2b_256_state + s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_Blake2b_256_blake2b_256_state), (uint32_t)1U); + Hacl_Streaming_Blake2b_256_blake2b_256_state + *p = KRML_HOST_MALLOC(sizeof (Hacl_Streaming_Blake2b_256_blake2b_256_state)); + p[0U] = s; + Hacl_Blake2b_256_blake2b_init(block_state.snd, (uint32_t)0U, (uint32_t)64U); + return p; +} + +/* + (Re-)initialization function when there is no key +*/ +void +Hacl_Streaming_Blake2b_256_blake2b_256_no_key_init( + Hacl_Streaming_Blake2b_256_blake2b_256_state *s +) +{ + Hacl_Streaming_Blake2b_256_blake2b_256_state scrut = *s; + uint8_t *buf = scrut.buf; + Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state = scrut.block_state; + Hacl_Blake2b_256_blake2b_init(block_state.snd, (uint32_t)0U, (uint32_t)64U); + s[0U] = + ( + (Hacl_Streaming_Blake2b_256_blake2b_256_state){ + .block_state = block_state, + .buf = 
buf, + .total_len = (uint64_t)0U + } + ); +} + +/* + Update function when there is no key +*/ +void +Hacl_Streaming_Blake2b_256_blake2b_256_no_key_update( + Hacl_Streaming_Blake2b_256_blake2b_256_state *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_Blake2b_256_blake2b_256_state s = *p; + uint64_t total_len = s.total_len; + uint32_t sz; + if + ( + total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + sz = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + } + else + { + sz = + (uint32_t)(total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256)); + } + if + ( + len + <= Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256) - sz + ) + { + Hacl_Streaming_Blake2b_256_blake2b_256_state s1 = *p; + Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256)); + } + uint8_t *buf2 = buf + sz1; + memcpy(buf2, data, len * sizeof (uint8_t)); + uint64_t total_len2 = total_len1 + (uint64_t)len; + *p + = + ( + (Hacl_Streaming_Blake2b_256_blake2b_256_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len2 + } + ); + return; + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_Blake2b_256_blake2b_256_state s1 = *p; + Hacl_Streaming_Blake2b_256_blake2b_256_block_state 
block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256)); + } + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + uint32_t + nb = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + / (uint32_t)128U; + Hacl_Blake2b_256_blake2b_update_multi(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256), + block_state1.fst, + block_state1.snd, + FStar_UInt128_uint64_to_uint128(prevlen), + buf, + nb); + } + uint32_t ite; + if + ( + (uint64_t)len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + == (uint64_t)0U + && (uint64_t)len > (uint64_t)0U + ) + { + ite = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + } + else + { + ite = + (uint32_t)((uint64_t)len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256)); + } + uint32_t + n_blocks = + (len - ite) + / Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + uint32_t + data1_len = + n_blocks + * Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + uint32_t data2_len = len - data1_len; + uint8_t *data1 = data; + uint8_t *data2 = data + data1_len; + uint32_t nb = data1_len / (uint32_t)128U; + Hacl_Blake2b_256_blake2b_update_multi(data1_len, + block_state1.fst, + block_state1.snd, + 
FStar_UInt128_uint64_to_uint128(total_len1), + data1, + nb); + uint8_t *dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_Blake2b_256_blake2b_256_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)len + } + ); + return; + } + uint32_t + diff = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_Blake2b_256_blake2b_256_state s1 = *p; + Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state10 = s1.block_state; + uint8_t *buf0 = s1.buf; + uint64_t total_len10 = s1.total_len; + uint32_t sz10; + if + ( + total_len10 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + == (uint64_t)0U + && total_len10 > (uint64_t)0U + ) + { + sz10 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + } + else + { + sz10 = + (uint32_t)(total_len10 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256)); + } + uint8_t *buf2 = buf0 + sz10; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + uint64_t total_len2 = total_len10 + (uint64_t)diff; + *p + = + ( + (Hacl_Streaming_Blake2b_256_blake2b_256_state){ + .block_state = block_state10, + .buf = buf0, + .total_len = total_len2 + } + ); + Hacl_Streaming_Blake2b_256_blake2b_256_state s10 = *p; + Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state1 = s10.block_state; + uint8_t *buf = s10.buf; + uint64_t total_len1 = s10.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + 
(uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256)); + } + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + uint32_t + nb = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + / (uint32_t)128U; + Hacl_Blake2b_256_blake2b_update_multi(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256), + block_state1.fst, + block_state1.snd, + FStar_UInt128_uint64_to_uint128(prevlen), + buf, + nb); + } + uint32_t ite; + if + ( + (uint64_t)(len - diff) + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + } + else + { + ite = + (uint32_t)((uint64_t)(len - diff) + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256)); + } + uint32_t + n_blocks = + (len - diff - ite) + / Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + uint32_t + data1_len = + n_blocks + * Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + uint32_t data2_len = len - diff - data1_len; + uint8_t *data11 = data2; + uint8_t *data21 = data2 + data1_len; + uint32_t nb = data1_len / (uint32_t)128U; + Hacl_Blake2b_256_blake2b_update_multi(data1_len, + block_state1.fst, + block_state1.snd, + FStar_UInt128_uint64_to_uint128(total_len1), + data11, + nb); + uint8_t *dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_Blake2b_256_blake2b_256_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)(len - diff) + } + ); +} + +/* + Finish function when there is no key +*/ +void +Hacl_Streaming_Blake2b_256_blake2b_256_no_key_finish( + 
Hacl_Streaming_Blake2b_256_blake2b_256_state *p, + uint8_t *dst +) +{ + Hacl_Streaming_Blake2b_256_blake2b_256_state scrut = *p; + Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + } + else + { + r = + (uint32_t)(total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256)); + } + uint8_t *buf_1 = buf_; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec256), (uint32_t)4U * (uint32_t)1U); + Lib_IntVector_Intrinsics_vec256 wv[(uint32_t)4U * (uint32_t)1U]; + for (uint32_t _i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + wv[_i] = Lib_IntVector_Intrinsics_vec256_zero; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec256), (uint32_t)4U * (uint32_t)1U); + Lib_IntVector_Intrinsics_vec256 b[(uint32_t)4U * (uint32_t)1U]; + for (uint32_t _i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + b[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Hacl_Streaming_Blake2b_256_blake2b_256_block_state tmp_block_state = { .fst = wv, .snd = b }; + Lib_IntVector_Intrinsics_vec256 *src_b = block_state.snd; + Lib_IntVector_Intrinsics_vec256 *dst_b = tmp_block_state.snd; + memcpy(dst_b, src_b, (uint32_t)4U * sizeof (Lib_IntVector_Intrinsics_vec256)); + uint64_t prev_len = total_len - (uint64_t)r; + uint32_t ite0; + if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite0 = (uint32_t)128U; + } + else + { + ite0 = r % (uint32_t)128U; + } + uint8_t *buf_last = buf_1 + r - ite0; + uint8_t *buf_multi = buf_1; + uint32_t ite1; + if + ( + (uint32_t)128U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, 
Hacl_Impl_Blake2_Core_M256) + ) + { + ite1 = (uint32_t)0U; + } + else + { + uint32_t ite; + if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)128U; + } + else + { + ite = r % (uint32_t)128U; + } + ite1 = r - ite; + } + uint32_t nb = ite1 / (uint32_t)128U; + uint32_t ite2; + if + ( + (uint32_t)128U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256) + ) + { + ite2 = (uint32_t)0U; + } + else + { + uint32_t ite; + if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)128U; + } + else + { + ite = r % (uint32_t)128U; + } + ite2 = r - ite; + } + Hacl_Blake2b_256_blake2b_update_multi(ite2, + tmp_block_state.fst, + tmp_block_state.snd, + FStar_UInt128_uint64_to_uint128(prev_len), + buf_multi, + nb); + uint32_t ite3; + if + ( + (uint32_t)128U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256) + ) + { + ite3 = r; + } + else if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite3 = (uint32_t)128U; + } + else + { + ite3 = r % (uint32_t)128U; + } + uint64_t prev_len_last = total_len - (uint64_t)ite3; + uint32_t ite4; + if + ( + (uint32_t)128U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256) + ) + { + ite4 = r; + } + else if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite4 = (uint32_t)128U; + } + else + { + ite4 = r % (uint32_t)128U; + } + uint32_t ite; + if + ( + (uint32_t)128U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256) + ) + { + ite = r; + } + else if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)128U; + } + else + { + ite = r % (uint32_t)128U; + } + Hacl_Blake2b_256_blake2b_update_last(ite4, + tmp_block_state.fst, + tmp_block_state.snd, + FStar_UInt128_uint64_to_uint128(prev_len_last), + ite, + buf_last); + Hacl_Blake2b_256_blake2b_finish((uint32_t)64U, dst, 
tmp_block_state.snd); +} + +/* + Free state function when there is no key +*/ +void +Hacl_Streaming_Blake2b_256_blake2b_256_no_key_free( + Hacl_Streaming_Blake2b_256_blake2b_256_state *s +) +{ + Hacl_Streaming_Blake2b_256_blake2b_256_state scrut = *s; + uint8_t *buf = scrut.buf; + Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state = scrut.block_state; + Lib_IntVector_Intrinsics_vec256 *wv = block_state.fst; + Lib_IntVector_Intrinsics_vec256 *b = block_state.snd; + KRML_HOST_FREE(wv); + KRML_HOST_FREE(b); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s); +} + diff --git a/src/Hacl_Streaming_Blake2s_128.c b/src/Hacl_Streaming_Blake2s_128.c new file mode 100644 index 00000000..018e9b15 --- /dev/null +++ b/src/Hacl_Streaming_Blake2s_128.c 
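Review bot: In `Hacl_Streaming_Blake2b_256_blake2b_256_no_key_create_in` the results of `KRML_HOST_CALLOC` and the two `KRML_HOST_MALLOC` calls are written through (`wv[_i] = ...`, `b[_i] = ...`, `p[0U] = s`, and `b` passed to `Hacl_Blake2b_256_blake2b_init`) without a NULL check, and the preceding `KRML_CHECK_SIZE` appears to guard only the size arithmetic, not the allocation result, so an allocation failure becomes a NULL write instead of an error return. The same pattern is in `Hacl_Streaming_Blake2s_128_blake2s_128_no_key_create_in` in the next hunk. Either the project's definitions of `KRML_HOST_MALLOC`/`KRML_HOST_CALLOC` must be documented as never returning NULL (abort on exhaustion), or each allocation needs a check such as `if (buf == NULL) { return NULL; }` with the earlier allocations freed before returning. The `KRML_` macros and the `scrut`/`ite` naming suggest this is KaRaMeL output from the F* sources, in which case the fix belongs in the generator input or the macro definitions rather than a hand edit of these files. Separately, `..._no_key_free` releases `buf` (up to one block of buffered, not-yet-absorbed message bytes) and the hash state with `KRML_HOST_FREE` without clearing them, which callers hashing sensitive input should be told about in the header comment.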
@@ -0,0 +1,582 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Streaming_Blake2s_128.h" + + + +/* + State allocation function when there is no key +*/ +Hacl_Streaming_Blake2s_128_blake2s_128_state +*Hacl_Streaming_Blake2s_128_blake2s_128_no_key_create_in() +{ + KRML_CHECK_SIZE(sizeof (uint8_t), + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128)); + uint8_t + *buf = + KRML_HOST_CALLOC(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128), + sizeof (uint8_t)); + Lib_IntVector_Intrinsics_vec128 + *wv = KRML_HOST_MALLOC(sizeof (Lib_IntVector_Intrinsics_vec128) * (uint32_t)4U); + for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i) + wv[_i] = Lib_IntVector_Intrinsics_vec128_zero; + Lib_IntVector_Intrinsics_vec128 + *b = KRML_HOST_MALLOC(sizeof (Lib_IntVector_Intrinsics_vec128) * (uint32_t)4U); + for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i) + b[_i] = Lib_IntVector_Intrinsics_vec128_zero; + Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state = { .fst = wv, .snd = b }; + Hacl_Streaming_Blake2s_128_blake2s_128_state + s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_Blake2s_128_blake2s_128_state), (uint32_t)1U); + Hacl_Streaming_Blake2s_128_blake2s_128_state + *p = KRML_HOST_MALLOC(sizeof (Hacl_Streaming_Blake2s_128_blake2s_128_state)); + p[0U] = s; + Hacl_Blake2s_128_blake2s_init(block_state.snd, (uint32_t)0U, (uint32_t)32U); + return p; +} + +/* + (Re-)initialization function when there is no key +*/ +void +Hacl_Streaming_Blake2s_128_blake2s_128_no_key_init( + Hacl_Streaming_Blake2s_128_blake2s_128_state *s +) +{ + Hacl_Streaming_Blake2s_128_blake2s_128_state scrut = *s; + uint8_t *buf = scrut.buf; + Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state = scrut.block_state; + Hacl_Blake2s_128_blake2s_init(block_state.snd, (uint32_t)0U, (uint32_t)32U); + s[0U] = + ( + (Hacl_Streaming_Blake2s_128_blake2s_128_state){ + .block_state = block_state, + .buf = 
buf, + .total_len = (uint64_t)0U + } + ); +} + +/* + Update function when there is no key +*/ +void +Hacl_Streaming_Blake2s_128_blake2s_128_no_key_update( + Hacl_Streaming_Blake2s_128_blake2s_128_state *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_Blake2s_128_blake2s_128_state s = *p; + uint64_t total_len = s.total_len; + uint32_t sz; + if + ( + total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + sz = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + } + else + { + sz = + (uint32_t)(total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128)); + } + if + ( + len + <= Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128) - sz + ) + { + Hacl_Streaming_Blake2s_128_blake2s_128_state s1 = *p; + Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128)); + } + uint8_t *buf2 = buf + sz1; + memcpy(buf2, data, len * sizeof (uint8_t)); + uint64_t total_len2 = total_len1 + (uint64_t)len; + *p + = + ( + (Hacl_Streaming_Blake2s_128_blake2s_128_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len2 + } + ); + return; + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_Blake2s_128_blake2s_128_state s1 = *p; + Hacl_Streaming_Blake2s_128_blake2s_128_block_state 
block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128)); + } + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + uint32_t + nb = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + / (uint32_t)64U; + Hacl_Blake2s_128_blake2s_update_multi(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128), + block_state1.fst, + block_state1.snd, + prevlen, + buf, + nb); + } + uint32_t ite; + if + ( + (uint64_t)len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + == (uint64_t)0U + && (uint64_t)len > (uint64_t)0U + ) + { + ite = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + } + else + { + ite = + (uint32_t)((uint64_t)len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128)); + } + uint32_t + n_blocks = + (len - ite) + / Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + uint32_t + data1_len = + n_blocks + * Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + uint32_t data2_len = len - data1_len; + uint8_t *data1 = data; + uint8_t *data2 = data + data1_len; + uint32_t nb = data1_len / (uint32_t)64U; + Hacl_Blake2s_128_blake2s_update_multi(data1_len, + block_state1.fst, + block_state1.snd, + total_len1, + data1, + nb); + uint8_t *dst = buf; + memcpy(dst, data2, 
data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_Blake2s_128_blake2s_128_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)len + } + ); + return; + } + uint32_t + diff = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_Blake2s_128_blake2s_128_state s1 = *p; + Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state10 = s1.block_state; + uint8_t *buf0 = s1.buf; + uint64_t total_len10 = s1.total_len; + uint32_t sz10; + if + ( + total_len10 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + == (uint64_t)0U + && total_len10 > (uint64_t)0U + ) + { + sz10 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + } + else + { + sz10 = + (uint32_t)(total_len10 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128)); + } + uint8_t *buf2 = buf0 + sz10; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + uint64_t total_len2 = total_len10 + (uint64_t)diff; + *p + = + ( + (Hacl_Streaming_Blake2s_128_blake2s_128_state){ + .block_state = block_state10, + .buf = buf0, + .total_len = total_len2 + } + ); + Hacl_Streaming_Blake2s_128_blake2s_128_state s10 = *p; + Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state1 = s10.block_state; + uint8_t *buf = s10.buf; + uint64_t total_len1 = s10.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128)); + } + if 
(!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + uint32_t + nb = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + / (uint32_t)64U; + Hacl_Blake2s_128_blake2s_update_multi(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128), + block_state1.fst, + block_state1.snd, + prevlen, + buf, + nb); + } + uint32_t ite; + if + ( + (uint64_t)(len - diff) + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + } + else + { + ite = + (uint32_t)((uint64_t)(len - diff) + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128)); + } + uint32_t + n_blocks = + (len - diff - ite) + / Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + uint32_t + data1_len = + n_blocks + * Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + uint32_t data2_len = len - diff - data1_len; + uint8_t *data11 = data2; + uint8_t *data21 = data2 + data1_len; + uint32_t nb = data1_len / (uint32_t)64U; + Hacl_Blake2s_128_blake2s_update_multi(data1_len, + block_state1.fst, + block_state1.snd, + total_len1, + data11, + nb); + uint8_t *dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_Blake2s_128_blake2s_128_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)(len - diff) + } + ); +} + +/* + Finish function when there is no key +*/ +void +Hacl_Streaming_Blake2s_128_blake2s_128_no_key_finish( + Hacl_Streaming_Blake2s_128_blake2s_128_state *p, + uint8_t *dst +) +{ + Hacl_Streaming_Blake2s_128_blake2s_128_state scrut = *p; + Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state = 
scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + } + else + { + r = + (uint32_t)(total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128)); + } + uint8_t *buf_1 = buf_; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec128), (uint32_t)4U * (uint32_t)1U); + Lib_IntVector_Intrinsics_vec128 wv[(uint32_t)4U * (uint32_t)1U]; + for (uint32_t _i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + wv[_i] = Lib_IntVector_Intrinsics_vec128_zero; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec128), (uint32_t)4U * (uint32_t)1U); + Lib_IntVector_Intrinsics_vec128 b[(uint32_t)4U * (uint32_t)1U]; + for (uint32_t _i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + b[_i] = Lib_IntVector_Intrinsics_vec128_zero; + Hacl_Streaming_Blake2s_128_blake2s_128_block_state tmp_block_state = { .fst = wv, .snd = b }; + Lib_IntVector_Intrinsics_vec128 *src_b = block_state.snd; + Lib_IntVector_Intrinsics_vec128 *dst_b = tmp_block_state.snd; + memcpy(dst_b, src_b, (uint32_t)4U * sizeof (Lib_IntVector_Intrinsics_vec128)); + uint64_t prev_len = total_len - (uint64_t)r; + uint32_t ite0; + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite0 = (uint32_t)64U; + } + else + { + ite0 = r % (uint32_t)64U; + } + uint8_t *buf_last = buf_1 + r - ite0; + uint8_t *buf_multi = buf_1; + uint32_t ite1; + if + ( + (uint32_t)64U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128) + ) + { + ite1 = (uint32_t)0U; + } + else + { + uint32_t ite; + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = r % (uint32_t)64U; 
+ } + ite1 = r - ite; + } + uint32_t nb = ite1 / (uint32_t)64U; + uint32_t ite2; + if + ( + (uint32_t)64U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128) + ) + { + ite2 = (uint32_t)0U; + } + else + { + uint32_t ite; + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = r % (uint32_t)64U; + } + ite2 = r - ite; + } + Hacl_Blake2s_128_blake2s_update_multi(ite2, + tmp_block_state.fst, + tmp_block_state.snd, + prev_len, + buf_multi, + nb); + uint32_t ite3; + if + ( + (uint32_t)64U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128) + ) + { + ite3 = r; + } + else if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite3 = (uint32_t)64U; + } + else + { + ite3 = r % (uint32_t)64U; + } + uint64_t prev_len_last = total_len - (uint64_t)ite3; + uint32_t ite4; + if + ( + (uint32_t)64U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128) + ) + { + ite4 = r; + } + else if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite4 = (uint32_t)64U; + } + else + { + ite4 = r % (uint32_t)64U; + } + uint32_t ite; + if + ( + (uint32_t)64U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128) + ) + { + ite = r; + } + else if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = r % (uint32_t)64U; + } + Hacl_Blake2s_128_blake2s_update_last(ite4, + tmp_block_state.fst, + tmp_block_state.snd, + prev_len_last, + ite, + buf_last); + Hacl_Blake2s_128_blake2s_finish((uint32_t)32U, dst, tmp_block_state.snd); +} + +/* + Free state function when there is no key +*/ +void +Hacl_Streaming_Blake2s_128_blake2s_128_no_key_free( + Hacl_Streaming_Blake2s_128_blake2s_128_state *s +) +{ + Hacl_Streaming_Blake2s_128_blake2s_128_state scrut = *s; + uint8_t *buf = scrut.buf; + 
Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state = scrut.block_state; + Lib_IntVector_Intrinsics_vec128 *wv = block_state.fst; + Lib_IntVector_Intrinsics_vec128 *b = block_state.snd; + KRML_HOST_FREE(wv); + KRML_HOST_FREE(b); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s); +} + diff --git a/src/Hacl_Streaming_SHA1.c b/src/Hacl_Streaming_SHA1.c new file mode 100644 index 00000000..eed6cccb --- /dev/null +++ b/src/Hacl_Streaming_SHA1.c 
@@ -0,0 +1,277 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Streaming_SHA1.h" + +#include "internal/Hacl_Hash_SHA1.h" + +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA1_legacy_create_in_sha1() +{ + uint8_t *buf = KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); + uint32_t *block_state = KRML_HOST_CALLOC((uint32_t)5U, sizeof (uint32_t)); + Hacl_Streaming_SHA2_state_sha2_224 + s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_SHA2_state_sha2_224), (uint32_t)1U); + Hacl_Streaming_SHA2_state_sha2_224 + *p = KRML_HOST_MALLOC(sizeof (Hacl_Streaming_SHA2_state_sha2_224)); + p[0U] = s; + Hacl_Hash_Core_SHA1_legacy_init(block_state); + return p; +} + +void Hacl_Streaming_SHA1_legacy_init_sha1(Hacl_Streaming_SHA2_state_sha2_224 *s) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *s; + uint8_t *buf = scrut.buf; + uint32_t *block_state = scrut.block_state; + Hacl_Hash_Core_SHA1_legacy_init(block_state); + s[0U] = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state, + .buf = buf, + .total_len = (uint64_t)0U + } + ); +} + +void +Hacl_Streaming_SHA1_legacy_update_sha1( + Hacl_Streaming_SHA2_state_sha2_224 *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_SHA2_state_sha2_224 s = *p; + uint64_t total_len = s.total_len; + uint32_t sz; + if (total_len % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len > (uint64_t)0U) + { + sz = (uint32_t)64U; + } + else + { + sz = (uint32_t)(total_len % (uint64_t)(uint32_t)64U); + } + if (len <= (uint32_t)64U - sz) + { + Hacl_Streaming_SHA2_state_sha2_224 s1 = *p; + uint32_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + uint8_t *buf2 = buf + sz1; + memcpy(buf2, data, len * sizeof (uint8_t)); + uint64_t total_len2 = 
total_len1 + (uint64_t)len; + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len2 + } + ); + return; + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_SHA2_state_sha2_224 s1 = *p; + uint32_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + if (!(sz1 == (uint32_t)0U)) + { + Hacl_Hash_SHA1_legacy_update_multi(block_state1, buf, (uint32_t)1U); + } + uint32_t ite; + if ((uint64_t)len % (uint64_t)(uint32_t)64U == (uint64_t)0U && (uint64_t)len > (uint64_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = (uint32_t)((uint64_t)len % (uint64_t)(uint32_t)64U); + } + uint32_t n_blocks = (len - ite) / (uint32_t)64U; + uint32_t data1_len = n_blocks * (uint32_t)64U; + uint32_t data2_len = len - data1_len; + uint8_t *data1 = data; + uint8_t *data2 = data + data1_len; + Hacl_Hash_SHA1_legacy_update_multi(block_state1, data1, data1_len / (uint32_t)64U); + uint8_t *dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)len + } + ); + return; + } + uint32_t diff = (uint32_t)64U - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_SHA2_state_sha2_224 s1 = *p; + uint32_t *block_state10 = s1.block_state; + uint8_t *buf0 = s1.buf; + uint64_t total_len10 = s1.total_len; + uint32_t sz10; + if (total_len10 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len10 > (uint64_t)0U) + { + sz10 = (uint32_t)64U; + } + else + { + sz10 = (uint32_t)(total_len10 % (uint64_t)(uint32_t)64U); + } + uint8_t *buf2 = buf0 + sz10; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + uint64_t total_len2 = total_len10 + 
(uint64_t)diff; + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state10, + .buf = buf0, + .total_len = total_len2 + } + ); + Hacl_Streaming_SHA2_state_sha2_224 s10 = *p; + uint32_t *block_state1 = s10.block_state; + uint8_t *buf = s10.buf; + uint64_t total_len1 = s10.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + if (!(sz1 == (uint32_t)0U)) + { + Hacl_Hash_SHA1_legacy_update_multi(block_state1, buf, (uint32_t)1U); + } + uint32_t ite; + if + ( + (uint64_t)(len - diff) + % (uint64_t)(uint32_t)64U + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = (uint32_t)64U; + } + else + { + ite = (uint32_t)((uint64_t)(len - diff) % (uint64_t)(uint32_t)64U); + } + uint32_t n_blocks = (len - diff - ite) / (uint32_t)64U; + uint32_t data1_len = n_blocks * (uint32_t)64U; + uint32_t data2_len = len - diff - data1_len; + uint8_t *data11 = data2; + uint8_t *data21 = data2 + data1_len; + Hacl_Hash_SHA1_legacy_update_multi(block_state1, data11, data1_len / (uint32_t)64U); + uint8_t *dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)(len - diff) + } + ); +} + +void +Hacl_Streaming_SHA1_legacy_finish_sha1(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *p; + uint32_t *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if (total_len % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len > (uint64_t)0U) + { + r = (uint32_t)64U; + } + else + { + r = (uint32_t)(total_len % (uint64_t)(uint32_t)64U); + } + uint8_t *buf_1 = buf_; + uint32_t tmp_block_state[5U] = { 0U }; + memcpy(tmp_block_state, block_state, 
(uint32_t)5U * sizeof (uint32_t)); + uint32_t ite; + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = r % (uint32_t)64U; + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + Hacl_Hash_SHA1_legacy_update_multi(tmp_block_state, buf_multi, (uint32_t)0U); + uint64_t prev_len_last = total_len - (uint64_t)r; + Hacl_Hash_SHA1_legacy_update_last(tmp_block_state, prev_len_last, buf_last, r); + Hacl_Hash_Core_SHA1_legacy_finish(tmp_block_state, dst); +} + +void Hacl_Streaming_SHA1_legacy_free_sha1(Hacl_Streaming_SHA2_state_sha2_224 *s) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *s; + uint8_t *buf = scrut.buf; + uint32_t *block_state = scrut.block_state; + KRML_HOST_FREE(block_state); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s); +} + diff --git a/src/Hacl_Streaming_SHA2.c b/src/Hacl_Streaming_SHA2.c new file mode 100644 index 00000000..2b9af15d --- /dev/null +++ b/src/Hacl_Streaming_SHA2.c 
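Review bot: `Hacl_Streaming_SHA1_legacy_create_in_sha1` hands `block_state` to `Hacl_Hash_Core_SHA1_legacy_init` and stores `buf` and `p` without checking any of the three `KRML_HOST_CALLOC`/`KRML_HOST_MALLOC` results, so an allocation failure turns into a NULL dereference instead of a reported error (`KRML_CHECK_SIZE` only guards the size computation, not the malloc outcome); if the project policy is an aborting allocator, say so on the function, e.g. `/* KRML_HOST_* allocation failure is not handled: the host allocator must abort on OOM. */`, otherwise free what was already allocated and return NULL. A second point: SHA-1 reuses the `Hacl_Streaming_SHA2_state_sha2_224` type but allocates only five `uint32_t` words for `block_state`, whereas the SHA-224/256 functions in the Hacl_Streaming_SHA2.c hunk copy eight words out of the same type (`memcpy(tmp_block_state, block_state, (uint32_t)8U * sizeof (uint32_t))`), so a SHA-1 state passed to a SHA-224 update/finish is a silent three-word out-of-bounds read the compiler cannot flag — worth a comment on `create_in_sha1` such as `/* Shares the SHA-224 state type, but block_state holds only 5 words: never pass this state to Hacl_Streaming_SHA2_* functions. */`. The same unchecked-allocation pattern recurs in every `create_in_*` of the Hacl_Streaming_SHA2.c hunk. As a style point, the empty `()` in the definition should be `(void)` under C11 so the prototype actually constrains callers.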
@@ -0,0 +1,1026 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Streaming_SHA2.h" + +#include "internal/Hacl_Hash_SHA2.h" + +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_224() +{ + uint8_t *buf = KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); + uint32_t *block_state = KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); + Hacl_Streaming_SHA2_state_sha2_224 + s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_SHA2_state_sha2_224), (uint32_t)1U); + Hacl_Streaming_SHA2_state_sha2_224 + *p = KRML_HOST_MALLOC(sizeof (Hacl_Streaming_SHA2_state_sha2_224)); + p[0U] = s; + Hacl_Hash_Core_SHA2_init_224(block_state); + return p; +} + +void Hacl_Streaming_SHA2_init_224(Hacl_Streaming_SHA2_state_sha2_224 *s) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *s; + uint8_t *buf = scrut.buf; + uint32_t *block_state = scrut.block_state; + Hacl_Hash_Core_SHA2_init_224(block_state); + s[0U] = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state, + .buf = buf, + .total_len = (uint64_t)0U + } + ); +} + +void +Hacl_Streaming_SHA2_update_224( + Hacl_Streaming_SHA2_state_sha2_224 *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_SHA2_state_sha2_224 s = *p; + uint64_t total_len = s.total_len; + uint32_t sz; + if (total_len % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len > (uint64_t)0U) + { + sz = (uint32_t)64U; + } + else + { + sz = (uint32_t)(total_len % (uint64_t)(uint32_t)64U); + } + if (len <= (uint32_t)64U - sz) + { + Hacl_Streaming_SHA2_state_sha2_224 s1 = *p; + uint32_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + uint8_t *buf2 = buf + sz1; + memcpy(buf2, data, len * sizeof (uint8_t)); + uint64_t total_len2 = total_len1 + (uint64_t)len; + *p + = 
+ ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len2 + } + ); + return; + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_SHA2_state_sha2_224 s1 = *p; + uint32_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + if (!(sz1 == (uint32_t)0U)) + { + Hacl_Hash_SHA2_update_multi_224(block_state1, buf, (uint32_t)1U); + } + uint32_t ite; + if ((uint64_t)len % (uint64_t)(uint32_t)64U == (uint64_t)0U && (uint64_t)len > (uint64_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = (uint32_t)((uint64_t)len % (uint64_t)(uint32_t)64U); + } + uint32_t n_blocks = (len - ite) / (uint32_t)64U; + uint32_t data1_len = n_blocks * (uint32_t)64U; + uint32_t data2_len = len - data1_len; + uint8_t *data1 = data; + uint8_t *data2 = data + data1_len; + Hacl_Hash_SHA2_update_multi_224(block_state1, data1, data1_len / (uint32_t)64U); + uint8_t *dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)len + } + ); + return; + } + uint32_t diff = (uint32_t)64U - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_SHA2_state_sha2_224 s1 = *p; + uint32_t *block_state10 = s1.block_state; + uint8_t *buf0 = s1.buf; + uint64_t total_len10 = s1.total_len; + uint32_t sz10; + if (total_len10 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len10 > (uint64_t)0U) + { + sz10 = (uint32_t)64U; + } + else + { + sz10 = (uint32_t)(total_len10 % (uint64_t)(uint32_t)64U); + } + uint8_t *buf2 = buf0 + sz10; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + uint64_t total_len2 = total_len10 + (uint64_t)diff; + *p + = + ( + 
(Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state10, + .buf = buf0, + .total_len = total_len2 + } + ); + Hacl_Streaming_SHA2_state_sha2_224 s10 = *p; + uint32_t *block_state1 = s10.block_state; + uint8_t *buf = s10.buf; + uint64_t total_len1 = s10.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + if (!(sz1 == (uint32_t)0U)) + { + Hacl_Hash_SHA2_update_multi_224(block_state1, buf, (uint32_t)1U); + } + uint32_t ite; + if + ( + (uint64_t)(len - diff) + % (uint64_t)(uint32_t)64U + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = (uint32_t)64U; + } + else + { + ite = (uint32_t)((uint64_t)(len - diff) % (uint64_t)(uint32_t)64U); + } + uint32_t n_blocks = (len - diff - ite) / (uint32_t)64U; + uint32_t data1_len = n_blocks * (uint32_t)64U; + uint32_t data2_len = len - diff - data1_len; + uint8_t *data11 = data2; + uint8_t *data21 = data2 + data1_len; + Hacl_Hash_SHA2_update_multi_224(block_state1, data11, data1_len / (uint32_t)64U); + uint8_t *dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)(len - diff) + } + ); +} + +void Hacl_Streaming_SHA2_finish_224(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *p; + uint32_t *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if (total_len % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len > (uint64_t)0U) + { + r = (uint32_t)64U; + } + else + { + r = (uint32_t)(total_len % (uint64_t)(uint32_t)64U); + } + uint8_t *buf_1 = buf_; + uint32_t tmp_block_state[8U] = { 0U }; + memcpy(tmp_block_state, block_state, (uint32_t)8U * sizeof (uint32_t)); + uint32_t 
ite; + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = r % (uint32_t)64U; + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + Hacl_Hash_SHA2_update_multi_224(tmp_block_state, buf_multi, (uint32_t)0U); + uint64_t prev_len_last = total_len - (uint64_t)r; + Hacl_Hash_SHA2_update_last_224(tmp_block_state, prev_len_last, buf_last, r); + Hacl_Hash_Core_SHA2_finish_224(tmp_block_state, dst); +} + +void Hacl_Streaming_SHA2_free_224(Hacl_Streaming_SHA2_state_sha2_224 *s) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *s; + uint8_t *buf = scrut.buf; + uint32_t *block_state = scrut.block_state; + KRML_HOST_FREE(block_state); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s); +} + +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_256() +{ + uint8_t *buf = KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); + uint32_t *block_state = KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); + Hacl_Streaming_SHA2_state_sha2_224 + s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_SHA2_state_sha2_224), (uint32_t)1U); + Hacl_Streaming_SHA2_state_sha2_224 + *p = KRML_HOST_MALLOC(sizeof (Hacl_Streaming_SHA2_state_sha2_224)); + p[0U] = s; + Hacl_Hash_Core_SHA2_init_256(block_state); + return p; +} + +void Hacl_Streaming_SHA2_init_256(Hacl_Streaming_SHA2_state_sha2_224 *s) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *s; + uint8_t *buf = scrut.buf; + uint32_t *block_state = scrut.block_state; + Hacl_Hash_Core_SHA2_init_256(block_state); + s[0U] = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state, + .buf = buf, + .total_len = (uint64_t)0U + } + ); +} + +void +Hacl_Streaming_SHA2_update_256( + Hacl_Streaming_SHA2_state_sha2_224 *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_SHA2_state_sha2_224 s = *p; + uint64_t total_len = s.total_len; + uint32_t sz; + if (total_len % (uint64_t)(uint32_t)64U == 
(uint64_t)0U && total_len > (uint64_t)0U) + { + sz = (uint32_t)64U; + } + else + { + sz = (uint32_t)(total_len % (uint64_t)(uint32_t)64U); + } + if (len <= (uint32_t)64U - sz) + { + Hacl_Streaming_SHA2_state_sha2_224 s1 = *p; + uint32_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + uint8_t *buf2 = buf + sz1; + memcpy(buf2, data, len * sizeof (uint8_t)); + uint64_t total_len2 = total_len1 + (uint64_t)len; + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len2 + } + ); + return; + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_SHA2_state_sha2_224 s1 = *p; + uint32_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + if (!(sz1 == (uint32_t)0U)) + { + Hacl_Hash_SHA2_update_multi_256(block_state1, buf, (uint32_t)1U); + } + uint32_t ite; + if ((uint64_t)len % (uint64_t)(uint32_t)64U == (uint64_t)0U && (uint64_t)len > (uint64_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = (uint32_t)((uint64_t)len % (uint64_t)(uint32_t)64U); + } + uint32_t n_blocks = (len - ite) / (uint32_t)64U; + uint32_t data1_len = n_blocks * (uint32_t)64U; + uint32_t data2_len = len - data1_len; + uint8_t *data1 = data; + uint8_t *data2 = data + data1_len; + Hacl_Hash_SHA2_update_multi_256(block_state1, data1, data1_len / (uint32_t)64U); + uint8_t *dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state1, + .buf = buf, + .total_len 
= total_len1 + (uint64_t)len + } + ); + return; + } + uint32_t diff = (uint32_t)64U - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_SHA2_state_sha2_224 s1 = *p; + uint32_t *block_state10 = s1.block_state; + uint8_t *buf0 = s1.buf; + uint64_t total_len10 = s1.total_len; + uint32_t sz10; + if (total_len10 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len10 > (uint64_t)0U) + { + sz10 = (uint32_t)64U; + } + else + { + sz10 = (uint32_t)(total_len10 % (uint64_t)(uint32_t)64U); + } + uint8_t *buf2 = buf0 + sz10; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + uint64_t total_len2 = total_len10 + (uint64_t)diff; + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state10, + .buf = buf0, + .total_len = total_len2 + } + ); + Hacl_Streaming_SHA2_state_sha2_224 s10 = *p; + uint32_t *block_state1 = s10.block_state; + uint8_t *buf = s10.buf; + uint64_t total_len1 = s10.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + if (!(sz1 == (uint32_t)0U)) + { + Hacl_Hash_SHA2_update_multi_256(block_state1, buf, (uint32_t)1U); + } + uint32_t ite; + if + ( + (uint64_t)(len - diff) + % (uint64_t)(uint32_t)64U + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = (uint32_t)64U; + } + else + { + ite = (uint32_t)((uint64_t)(len - diff) % (uint64_t)(uint32_t)64U); + } + uint32_t n_blocks = (len - diff - ite) / (uint32_t)64U; + uint32_t data1_len = n_blocks * (uint32_t)64U; + uint32_t data2_len = len - diff - data1_len; + uint8_t *data11 = data2; + uint8_t *data21 = data2 + data1_len; + Hacl_Hash_SHA2_update_multi_256(block_state1, data11, data1_len / (uint32_t)64U); + uint8_t *dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state1, + .buf = buf, + 
.total_len = total_len1 + (uint64_t)(len - diff) + } + ); +} + +void Hacl_Streaming_SHA2_finish_256(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *p; + uint32_t *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if (total_len % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len > (uint64_t)0U) + { + r = (uint32_t)64U; + } + else + { + r = (uint32_t)(total_len % (uint64_t)(uint32_t)64U); + } + uint8_t *buf_1 = buf_; + uint32_t tmp_block_state[8U] = { 0U }; + memcpy(tmp_block_state, block_state, (uint32_t)8U * sizeof (uint32_t)); + uint32_t ite; + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = r % (uint32_t)64U; + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + Hacl_Hash_SHA2_update_multi_256(tmp_block_state, buf_multi, (uint32_t)0U); + uint64_t prev_len_last = total_len - (uint64_t)r; + Hacl_Hash_SHA2_update_last_256(tmp_block_state, prev_len_last, buf_last, r); + Hacl_Hash_Core_SHA2_finish_256(tmp_block_state, dst); +} + +void Hacl_Streaming_SHA2_free_256(Hacl_Streaming_SHA2_state_sha2_224 *s) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *s; + uint8_t *buf = scrut.buf; + uint32_t *block_state = scrut.block_state; + KRML_HOST_FREE(block_state); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s); +} + +Hacl_Streaming_SHA2_state_sha2_384 *Hacl_Streaming_SHA2_create_in_384() +{ + uint8_t *buf = KRML_HOST_CALLOC((uint32_t)128U, sizeof (uint8_t)); + uint64_t *block_state = KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint64_t)); + Hacl_Streaming_SHA2_state_sha2_384 + s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_SHA2_state_sha2_384), (uint32_t)1U); + Hacl_Streaming_SHA2_state_sha2_384 + *p = KRML_HOST_MALLOC(sizeof (Hacl_Streaming_SHA2_state_sha2_384)); + p[0U] = s; + 
Hacl_Hash_Core_SHA2_init_384(block_state); + return p; +} + +void Hacl_Streaming_SHA2_init_384(Hacl_Streaming_SHA2_state_sha2_384 *s) +{ + Hacl_Streaming_SHA2_state_sha2_384 scrut = *s; + uint8_t *buf = scrut.buf; + uint64_t *block_state = scrut.block_state; + Hacl_Hash_Core_SHA2_init_384(block_state); + s[0U] = + ( + (Hacl_Streaming_SHA2_state_sha2_384){ + .block_state = block_state, + .buf = buf, + .total_len = (uint64_t)0U + } + ); +} + +void +Hacl_Streaming_SHA2_update_384( + Hacl_Streaming_SHA2_state_sha2_384 *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_SHA2_state_sha2_384 s = *p; + uint64_t total_len = s.total_len; + uint32_t sz; + if (total_len % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len > (uint64_t)0U) + { + sz = (uint32_t)128U; + } + else + { + sz = (uint32_t)(total_len % (uint64_t)(uint32_t)128U); + } + if (len <= (uint32_t)128U - sz) + { + Hacl_Streaming_SHA2_state_sha2_384 s1 = *p; + uint64_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)128U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)128U); + } + uint8_t *buf2 = buf + sz1; + memcpy(buf2, data, len * sizeof (uint8_t)); + uint64_t total_len2 = total_len1 + (uint64_t)len; + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_384){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len2 + } + ); + return; + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_SHA2_state_sha2_384 s1 = *p; + uint64_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)128U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)128U); + } + if (!(sz1 == (uint32_t)0U)) + { + 
Hacl_Hash_SHA2_update_multi_384(block_state1, buf, (uint32_t)1U); + } + uint32_t ite; + if ((uint64_t)len % (uint64_t)(uint32_t)128U == (uint64_t)0U && (uint64_t)len > (uint64_t)0U) + { + ite = (uint32_t)128U; + } + else + { + ite = (uint32_t)((uint64_t)len % (uint64_t)(uint32_t)128U); + } + uint32_t n_blocks = (len - ite) / (uint32_t)128U; + uint32_t data1_len = n_blocks * (uint32_t)128U; + uint32_t data2_len = len - data1_len; + uint8_t *data1 = data; + uint8_t *data2 = data + data1_len; + Hacl_Hash_SHA2_update_multi_384(block_state1, data1, data1_len / (uint32_t)128U); + uint8_t *dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_384){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)len + } + ); + return; + } + uint32_t diff = (uint32_t)128U - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_SHA2_state_sha2_384 s1 = *p; + uint64_t *block_state10 = s1.block_state; + uint8_t *buf0 = s1.buf; + uint64_t total_len10 = s1.total_len; + uint32_t sz10; + if (total_len10 % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len10 > (uint64_t)0U) + { + sz10 = (uint32_t)128U; + } + else + { + sz10 = (uint32_t)(total_len10 % (uint64_t)(uint32_t)128U); + } + uint8_t *buf2 = buf0 + sz10; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + uint64_t total_len2 = total_len10 + (uint64_t)diff; + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_384){ + .block_state = block_state10, + .buf = buf0, + .total_len = total_len2 + } + ); + Hacl_Streaming_SHA2_state_sha2_384 s10 = *p; + uint64_t *block_state1 = s10.block_state; + uint8_t *buf = s10.buf; + uint64_t total_len1 = s10.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)128U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)128U); + } + if (!(sz1 == (uint32_t)0U)) + { + 
Hacl_Hash_SHA2_update_multi_384(block_state1, buf, (uint32_t)1U); + } + uint32_t ite; + if + ( + (uint64_t)(len - diff) + % (uint64_t)(uint32_t)128U + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = (uint32_t)128U; + } + else + { + ite = (uint32_t)((uint64_t)(len - diff) % (uint64_t)(uint32_t)128U); + } + uint32_t n_blocks = (len - diff - ite) / (uint32_t)128U; + uint32_t data1_len = n_blocks * (uint32_t)128U; + uint32_t data2_len = len - diff - data1_len; + uint8_t *data11 = data2; + uint8_t *data21 = data2 + data1_len; + Hacl_Hash_SHA2_update_multi_384(block_state1, data11, data1_len / (uint32_t)128U); + uint8_t *dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_384){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)(len - diff) + } + ); +} + +void Hacl_Streaming_SHA2_finish_384(Hacl_Streaming_SHA2_state_sha2_384 *p, uint8_t *dst) +{ + Hacl_Streaming_SHA2_state_sha2_384 scrut = *p; + uint64_t *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if (total_len % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len > (uint64_t)0U) + { + r = (uint32_t)128U; + } + else + { + r = (uint32_t)(total_len % (uint64_t)(uint32_t)128U); + } + uint8_t *buf_1 = buf_; + uint64_t tmp_block_state[8U] = { 0U }; + memcpy(tmp_block_state, block_state, (uint32_t)8U * sizeof (uint64_t)); + uint32_t ite; + if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)128U; + } + else + { + ite = r % (uint32_t)128U; + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + Hacl_Hash_SHA2_update_multi_384(tmp_block_state, buf_multi, (uint32_t)0U); + uint64_t prev_len_last = total_len - (uint64_t)r; + Hacl_Hash_SHA2_update_last_384(tmp_block_state, + FStar_UInt128_uint64_to_uint128(prev_len_last), + buf_last, + r); + Hacl_Hash_Core_SHA2_finish_384(tmp_block_state, 
dst); +} + +void Hacl_Streaming_SHA2_free_384(Hacl_Streaming_SHA2_state_sha2_384 *s) +{ + Hacl_Streaming_SHA2_state_sha2_384 scrut = *s; + uint8_t *buf = scrut.buf; + uint64_t *block_state = scrut.block_state; + KRML_HOST_FREE(block_state); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s); +} + +Hacl_Streaming_SHA2_state_sha2_384 *Hacl_Streaming_SHA2_create_in_512() +{ + uint8_t *buf = KRML_HOST_CALLOC((uint32_t)128U, sizeof (uint8_t)); + uint64_t *block_state = KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint64_t)); + Hacl_Streaming_SHA2_state_sha2_384 + s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_SHA2_state_sha2_384), (uint32_t)1U); + Hacl_Streaming_SHA2_state_sha2_384 + *p = KRML_HOST_MALLOC(sizeof (Hacl_Streaming_SHA2_state_sha2_384)); + p[0U] = s; + Hacl_Hash_Core_SHA2_init_512(block_state); + return p; +} + +void Hacl_Streaming_SHA2_init_512(Hacl_Streaming_SHA2_state_sha2_384 *s) +{ + Hacl_Streaming_SHA2_state_sha2_384 scrut = *s; + uint8_t *buf = scrut.buf; + uint64_t *block_state = scrut.block_state; + Hacl_Hash_Core_SHA2_init_512(block_state); + s[0U] = + ( + (Hacl_Streaming_SHA2_state_sha2_384){ + .block_state = block_state, + .buf = buf, + .total_len = (uint64_t)0U + } + ); +} + +void +Hacl_Streaming_SHA2_update_512( + Hacl_Streaming_SHA2_state_sha2_384 *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_SHA2_state_sha2_384 s = *p; + uint64_t total_len = s.total_len; + uint32_t sz; + if (total_len % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len > (uint64_t)0U) + { + sz = (uint32_t)128U; + } + else + { + sz = (uint32_t)(total_len % (uint64_t)(uint32_t)128U); + } + if (len <= (uint32_t)128U - sz) + { + Hacl_Streaming_SHA2_state_sha2_384 s1 = *p; + uint64_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)128U; 
+ } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)128U); + } + uint8_t *buf2 = buf + sz1; + memcpy(buf2, data, len * sizeof (uint8_t)); + uint64_t total_len2 = total_len1 + (uint64_t)len; + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_384){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len2 + } + ); + return; + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_SHA2_state_sha2_384 s1 = *p; + uint64_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)128U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)128U); + } + if (!(sz1 == (uint32_t)0U)) + { + Hacl_Hash_SHA2_update_multi_512(block_state1, buf, (uint32_t)1U); + } + uint32_t ite; + if ((uint64_t)len % (uint64_t)(uint32_t)128U == (uint64_t)0U && (uint64_t)len > (uint64_t)0U) + { + ite = (uint32_t)128U; + } + else + { + ite = (uint32_t)((uint64_t)len % (uint64_t)(uint32_t)128U); + } + uint32_t n_blocks = (len - ite) / (uint32_t)128U; + uint32_t data1_len = n_blocks * (uint32_t)128U; + uint32_t data2_len = len - data1_len; + uint8_t *data1 = data; + uint8_t *data2 = data + data1_len; + Hacl_Hash_SHA2_update_multi_512(block_state1, data1, data1_len / (uint32_t)128U); + uint8_t *dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_384){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)len + } + ); + return; + } + uint32_t diff = (uint32_t)128U - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_SHA2_state_sha2_384 s1 = *p; + uint64_t *block_state10 = s1.block_state; + uint8_t *buf0 = s1.buf; + uint64_t total_len10 = s1.total_len; + uint32_t sz10; + if (total_len10 % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len10 > (uint64_t)0U) + { + sz10 = (uint32_t)128U; + } + else + 
{ + sz10 = (uint32_t)(total_len10 % (uint64_t)(uint32_t)128U); + } + uint8_t *buf2 = buf0 + sz10; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + uint64_t total_len2 = total_len10 + (uint64_t)diff; + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_384){ + .block_state = block_state10, + .buf = buf0, + .total_len = total_len2 + } + ); + Hacl_Streaming_SHA2_state_sha2_384 s10 = *p; + uint64_t *block_state1 = s10.block_state; + uint8_t *buf = s10.buf; + uint64_t total_len1 = s10.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)128U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)128U); + } + if (!(sz1 == (uint32_t)0U)) + { + Hacl_Hash_SHA2_update_multi_512(block_state1, buf, (uint32_t)1U); + } + uint32_t ite; + if + ( + (uint64_t)(len - diff) + % (uint64_t)(uint32_t)128U + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = (uint32_t)128U; + } + else + { + ite = (uint32_t)((uint64_t)(len - diff) % (uint64_t)(uint32_t)128U); + } + uint32_t n_blocks = (len - diff - ite) / (uint32_t)128U; + uint32_t data1_len = n_blocks * (uint32_t)128U; + uint32_t data2_len = len - diff - data1_len; + uint8_t *data11 = data2; + uint8_t *data21 = data2 + data1_len; + Hacl_Hash_SHA2_update_multi_512(block_state1, data11, data1_len / (uint32_t)128U); + uint8_t *dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_384){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)(len - diff) + } + ); +} + +void Hacl_Streaming_SHA2_finish_512(Hacl_Streaming_SHA2_state_sha2_384 *p, uint8_t *dst) +{ + Hacl_Streaming_SHA2_state_sha2_384 scrut = *p; + uint64_t *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if (total_len % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len > (uint64_t)0U) + { + r = (uint32_t)128U; 
+ } + else + { + r = (uint32_t)(total_len % (uint64_t)(uint32_t)128U); + } + uint8_t *buf_1 = buf_; + uint64_t tmp_block_state[8U] = { 0U }; + memcpy(tmp_block_state, block_state, (uint32_t)8U * sizeof (uint64_t)); + uint32_t ite; + if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)128U; + } + else + { + ite = r % (uint32_t)128U; + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + Hacl_Hash_SHA2_update_multi_512(tmp_block_state, buf_multi, (uint32_t)0U); + uint64_t prev_len_last = total_len - (uint64_t)r; + Hacl_Hash_SHA2_update_last_512(tmp_block_state, + FStar_UInt128_uint64_to_uint128(prev_len_last), + buf_last, + r); + Hacl_Hash_Core_SHA2_finish_512(tmp_block_state, dst); +} + +void Hacl_Streaming_SHA2_free_512(Hacl_Streaming_SHA2_state_sha2_384 *s) +{ + Hacl_Streaming_SHA2_state_sha2_384 scrut = *s; + uint8_t *buf = scrut.buf; + uint64_t *block_state = scrut.block_state; + KRML_HOST_FREE(block_state); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s); +} + diff --git a/src/Lib_Memzero0.c b/src/Lib_Memzero0.c new file mode 100644 index 00000000..ef3060d4 --- /dev/null +++ b/src/Lib_Memzero0.c 
@@ -0,0 +1,53 @@
+#if defined(__has_include)
+#if __has_include("config.h")
+#include "config.h"
+#endif
+#endif
+
+#ifdef _WIN32
+#include
+#endif
+
+#if (defined(__APPLE__) && defined(__MACH__)) || defined(__linux__)
+#define __STDC_WANT_LIB_EXT1__ 1
+#include
+#endif
+
+#ifdef __FreeBSD__
+#include
+#endif
+
+#include
+#include
+#include
+#include
+
+#include "Lib_Memzero0.h"
+#include "kremlin/internal/target.h"
+
+/* The F* formalization talks about the number of elements in the array. The C
+ implementation wants a number of bytes in the array. KreMLin is aware of this
+ and inserts a sizeof multiplication. */
+void Lib_Memzero0_memzero(void *dst, uint64_t len) {
+ /* This is safe: kremlin checks at run-time (if needed) that all object sizes
+ fit within a size_t, so the size we receive has been checked at
+ allocation-time, possibly via KRML_CHECK_SIZE, to fit in a size_t. */
+ size_t len_ = (size_t) len;
+
+ #ifdef _WIN32
+ SecureZeroMemory(dst, len);
+ #elif defined(__APPLE__) && defined(__MACH__)
+ memset_s(dst, len_, 0, len_);
+ #elif (defined(__linux__) && !defined(LINUX_NO_EXPLICIT_BZERO)) || defined(__FreeBSD__)
+ explicit_bzero(dst, len_);
+ #elif defined(__NetBSD__)
+ explicit_memset(dst, 0, len_);
+ #else
+ /* Default implementation for platforms with no particular support. */
+ #warning "Your platform does not support any safe implementation of memzero -- consider a pull request!"
+ volatile unsigned char *volatile dst_ = (volatile unsigned char *volatile) dst;
+ size_t i = 0U;
+ while (i < len)
+ dst_[i++] = 0U;
+ #endif
+}
diff --git a/src/Lib_RandomBuffer_System.c b/src/Lib_RandomBuffer_System.c
new file mode 100644
index 00000000..0d7924b4
--- /dev/null
+++ b/src/Lib_RandomBuffer_System.c
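Review bot: In the fallback branch, `while (i < len)` compares the `size_t` index against the 64-bit `len` rather than the `len_` the function derives for exactly this purpose a few lines earlier; `while (i < len_)` keeps the branches consistent and removes the mixed-width comparison. The Windows branch has the same shape in `SecureZeroMemory(dst, len)`, whose length parameter is `SIZE_T` and so narrower than `uint64_t` on 32-bit targets, and passing `len_` there too keeps the documented kremlin size check as the one place where the narrowing happens. The `memset_s` return value is discarded, yet a non-zero result is the only way it reports that the buffer was left uncleared (it refuses lengths above `RSIZE_MAX`); given the comment's argument that the length is always valid, treating a non-zero return as unreachable and aborting, as the generated files do with `KRML_HOST_EXIT`, would surface a violated assumption instead of silently leaving the secret in memory.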
@@ -0,0 +1,62 @@
+#include "Lib_RandomBuffer_System.h"
+
+#if (defined(_WIN32) || defined(_WIN64))
+
+#include
+#include
+#include
+#include
+
+bool read_random_bytes(uint32_t len, uint8_t *buf) {
+ HCRYPTPROV ctxt;
+ if (!(CryptAcquireContext(&ctxt, NULL, NULL, PROV_RSA_FULL,
+ CRYPT_VERIFYCONTEXT))) {
+ DWORD error = GetLastError();
+ /* printf("Cannot acquire crypto context: 0x%lx\n", error); */
+ return false;
+ }
+ bool pass = true;
+ if (!(CryptGenRandom(ctxt, (uint64_t)len, buf))) {
+ /* printf("Cannot read random bytes\n"); */
+ pass = false;
+ }
+ CryptReleaseContext(ctxt, 0);
+ return pass;
+}
+
+#else
+
+/* assume POSIX here */
+#include
+#include
+#include
+#include
+#include
+
+bool read_random_bytes(uint32_t len, uint8_t *buf) {
+#ifdef SYS_getrandom
+ ssize_t res = syscall(SYS_getrandom, buf, (size_t)len, 0);
+ if (res == -1) {
+ return false;
+ }
+#else // !defined(SYS_getrandom)
+ int fd = open("/dev/urandom", O_RDONLY);
+ if (fd == -1) {
+ return false;
+ }
+ ssize_t res = read(fd, buf, (uint64_t)len);
+ close(fd);
+#endif // defined(SYS_getrandom)
+ return ((size_t)res == (size_t)len);
+}
+
+#endif
+
+// WARNING: this function is deprecated
+bool Lib_RandomBuffer_System_randombytes(uint8_t *x, uint32_t len) {
+ return read_random_bytes(len, x);
+}
+
+void Lib_RandomBuffer_System_crypto_random(uint8_t *x, uint32_t len) {
+ while(!read_random_bytes(len, x)) {}
+}
diff --git a/src/c89/EverCrypt_AEAD.c b/src/c89/EverCrypt_AEAD.c
new file mode 100644
index 00000000..f4d0f114
--- /dev/null
+++ b/src/c89/EverCrypt_AEAD.c
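Review bot: `read_random_bytes` reports any short read as failure and `Lib_RandomBuffer_System_crypto_random` then retries the entire request in the unbounded `while(!read_random_bytes(len, x)) {}`, so a persistent error (syscall unavailable or blocked by a seccomp policy, `/dev/urandom` unopenable inside a chroot or under descriptor exhaustion) becomes a silent hang instead of a reported failure, while the short reads that `getrandom(2)` permits above 256 bytes or after a signal, and that `read(2)` always permits, are needlessly restarted from scratch. The rewrite below fills the buffer in a loop, retries only on `EINTR`, opens `/dev/urandom` with `O_CLOEXEC` so the descriptor is not inherited across `exec`, and gives the helper internal linkage since its unprefixed name is otherwise exported from the library; it needs `errno` from `<errno.h>`, which I cannot confirm is already included because the angle-bracket include names did not survive in this rendering. With hard errors now distinguishable from transient ones, `crypto_random` should fail loudly on `false` rather than spin, and in the Windows branch the `error` local is assigned but never read.
```c
/* … unchanged: Windows branch … */
static bool read_random_bytes(uint32_t len, uint8_t *buf) {
  size_t got = 0;
#ifdef SYS_getrandom
  while (got < (size_t)len) {
    ssize_t res = syscall(SYS_getrandom, buf + got, (size_t)len - got, 0);
    if (res < 0) {
      if (errno == EINTR) continue; /* interrupted: retry the remainder */
      return false;                 /* hard error: let the caller decide */
    }
    got += (size_t)res;
  }
#else // !defined(SYS_getrandom)
  int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
  if (fd == -1) {
    return false;
  }
  while (got < (size_t)len) {
    ssize_t res = read(fd, buf + got, (size_t)len - got);
    if (res < 0 && errno == EINTR) continue;
    if (res <= 0) {                 /* error or unexpected EOF */
      close(fd);
      return false;
    }
    got += (size_t)res;
  }
  close(fd);
#endif // defined(SYS_getrandom)
  return true;
}
```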
@@ -0,0 +1,2302 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_AEAD.h" + +#include "internal/Vale.h" + +typedef struct EverCrypt_AEAD_state_s_s +{ + Spec_Cipher_Expansion_impl impl; + uint8_t *ek; +} +EverCrypt_AEAD_state_s; + +bool EverCrypt_AEAD_uu___is_Ek(Spec_Agile_AEAD_alg a, EverCrypt_AEAD_state_s projectee) +{ + return true; +} + +Spec_Agile_AEAD_alg EverCrypt_AEAD_alg_of_state(EverCrypt_AEAD_state_s *s) +{ + EverCrypt_AEAD_state_s scrut = *s; + Spec_Cipher_Expansion_impl impl = scrut.impl; + switch (impl) + { + case Spec_Cipher_Expansion_Hacl_CHACHA20: + { + return Spec_Agile_AEAD_CHACHA20_POLY1305; + } + case Spec_Cipher_Expansion_Vale_AES128: + { + return Spec_Agile_AEAD_AES128_GCM; + } + case Spec_Cipher_Expansion_Vale_AES256: + { + return Spec_Agile_AEAD_AES256_GCM; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +static EverCrypt_Error_error_code +create_in_chacha20_poly1305(EverCrypt_AEAD_state_s **dst, uint8_t *k) +{ + uint8_t *ek = (uint8_t *)KRML_HOST_CALLOC((uint32_t)32U, sizeof (uint8_t)); + EverCrypt_AEAD_state_s lit; + lit.impl = Spec_Cipher_Expansion_Hacl_CHACHA20; + lit.ek = ek; + KRML_CHECK_SIZE(sizeof (EverCrypt_AEAD_state_s), (uint32_t)1U); + { + EverCrypt_AEAD_state_s + *p = (EverCrypt_AEAD_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_AEAD_state_s)); + p[0U] = lit; + memcpy(ek, k, (uint32_t)32U * sizeof (uint8_t)); + dst[0U] = p; + return EverCrypt_Error_Success; + } +} + +static EverCrypt_Error_error_code +create_in_aes128_gcm(EverCrypt_AEAD_state_s **dst, uint8_t *k) +{ + bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); + bool has_pclmulqdq = EverCrypt_AutoConfig2_has_pclmulqdq(); + bool has_avx = EverCrypt_AutoConfig2_has_avx(); + bool has_sse = EverCrypt_AutoConfig2_has_sse(); + bool has_movbe = EverCrypt_AutoConfig2_has_movbe(); + #if HACL_CAN_COMPILE_VALE + if (has_aesni && has_pclmulqdq && has_avx && has_sse && has_movbe) + { + uint8_t *ek = (uint8_t 
*)KRML_HOST_CALLOC((uint32_t)480U, sizeof (uint8_t)); + uint8_t *keys_b = ek; + uint8_t *hkeys_b = ek + (uint32_t)176U; + uint64_t scrut = aes128_key_expansion(k, keys_b); + uint64_t scrut0 = aes128_keyhash_init(keys_b, hkeys_b); + EverCrypt_AEAD_state_s lit; + lit.impl = Spec_Cipher_Expansion_Vale_AES128; + lit.ek = ek; + KRML_CHECK_SIZE(sizeof (EverCrypt_AEAD_state_s), (uint32_t)1U); + { + EverCrypt_AEAD_state_s + *p = (EverCrypt_AEAD_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_AEAD_state_s)); + p[0U] = lit; + *dst = p; + return EverCrypt_Error_Success; + } + } + #endif + return EverCrypt_Error_UnsupportedAlgorithm; +} + +static EverCrypt_Error_error_code +create_in_aes256_gcm(EverCrypt_AEAD_state_s **dst, uint8_t *k) +{ + bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); + bool has_pclmulqdq = EverCrypt_AutoConfig2_has_pclmulqdq(); + bool has_avx = EverCrypt_AutoConfig2_has_avx(); + bool has_sse = EverCrypt_AutoConfig2_has_sse(); + bool has_movbe = EverCrypt_AutoConfig2_has_movbe(); + #if HACL_CAN_COMPILE_VALE + if (has_aesni && has_pclmulqdq && has_avx && has_sse && has_movbe) + { + uint8_t *ek = (uint8_t *)KRML_HOST_CALLOC((uint32_t)544U, sizeof (uint8_t)); + uint8_t *keys_b = ek; + uint8_t *hkeys_b = ek + (uint32_t)240U; + uint64_t scrut = aes256_key_expansion(k, keys_b); + uint64_t scrut0 = aes256_keyhash_init(keys_b, hkeys_b); + EverCrypt_AEAD_state_s lit; + lit.impl = Spec_Cipher_Expansion_Vale_AES256; + lit.ek = ek; + KRML_CHECK_SIZE(sizeof (EverCrypt_AEAD_state_s), (uint32_t)1U); + { + EverCrypt_AEAD_state_s + *p = (EverCrypt_AEAD_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_AEAD_state_s)); + p[0U] = lit; + *dst = p; + return EverCrypt_Error_Success; + } + } + #endif + return EverCrypt_Error_UnsupportedAlgorithm; +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_create_in(Spec_Agile_AEAD_alg a, EverCrypt_AEAD_state_s **dst, uint8_t *k) +{ + switch (a) + { + case Spec_Agile_AEAD_AES128_GCM: + { + return create_in_aes128_gcm(dst, k); + } + case 
Spec_Agile_AEAD_AES256_GCM: + { + return create_in_aes256_gcm(dst, k); + } + case Spec_Agile_AEAD_CHACHA20_POLY1305: + { + return create_in_chacha20_poly1305(dst, k); + } + default: + { + return EverCrypt_Error_UnsupportedAlgorithm; + } + } +} + +static EverCrypt_Error_error_code +encrypt_aes128_gcm( + EverCrypt_AEAD_state_s *s, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +) +{ + #if HACL_CAN_COMPILE_VALE + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + if (iv_len == (uint32_t)0U) + { + return EverCrypt_Error_InvalidIVLength; + } + { + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek = scrut.ek; + uint8_t *scratch_b = ek + (uint32_t)304U; + uint8_t *ek1 = ek; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)176U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t plain_len_ = (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *plain_b_ = plain; + uint8_t *out_b_ = cipher; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + plain + plain_len_, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t len128x6 = (uint64_t)plain_len / (uint64_t)96U * (uint64_t)96U; + if (len128x6 / (uint64_t)16U >= (uint64_t)18U) + { + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U - len128x6; + 
uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut0 = + gcm128_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut0 = + gcm128_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + return EverCrypt_Error_Success; + } + } + } + #else + KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", __FILE__, __LINE__, "statically unreachable"); + KRML_HOST_EXIT(255U); + #endif +} + +static EverCrypt_Error_error_code +encrypt_aes256_gcm( + EverCrypt_AEAD_state_s *s, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +) +{ + #if HACL_CAN_COMPILE_VALE + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + if (iv_len == (uint32_t)0U) + { + return 
EverCrypt_Error_InvalidIVLength; + } + { + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek = scrut.ek; + uint8_t *scratch_b = ek + (uint32_t)368U; + uint8_t *ek1 = ek; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)240U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t plain_len_ = (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *plain_b_ = plain; + uint8_t *out_b_ = cipher; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + plain + plain_len_, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t len128x6 = (uint64_t)plain_len / (uint64_t)96U * (uint64_t)96U; + if (len128x6 / (uint64_t)16U >= (uint64_t)18U) + { + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut0 = + gcm256_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + else + { + uint32_t 
len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut0 = + gcm256_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + return EverCrypt_Error_Success; + } + } + } + #else + KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", __FILE__, __LINE__, "statically unreachable"); + KRML_HOST_EXIT(255U); + #endif +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt( + EverCrypt_AEAD_state_s *s, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +) +{ + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + { + EverCrypt_AEAD_state_s scrut = *s; + Spec_Cipher_Expansion_impl i = scrut.impl; + uint8_t *ek = scrut.ek; + switch (i) + { + case Spec_Cipher_Expansion_Vale_AES128: + { + return encrypt_aes128_gcm(s, iv, iv_len, ad, ad_len, plain, plain_len, cipher, tag); + } + case Spec_Cipher_Expansion_Vale_AES256: + { + return encrypt_aes256_gcm(s, iv, iv_len, ad, ad_len, plain, plain_len, cipher, tag); + } + case Spec_Cipher_Expansion_Hacl_CHACHA20: + { + if (iv_len != (uint32_t)12U) + { + return EverCrypt_Error_InvalidIVLength; + } + EverCrypt_Chacha20Poly1305_aead_encrypt(ek, + iv, + ad_len, + ad, + plain_len, + plain, + cipher, + tag); + return EverCrypt_Error_Success; + } + default: + { 
+ KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } +} + +/* +WARNING: this function doesn't perform any dynamic + hardware check. You MUST make sure your hardware supports the + implementation of AESGCM. Besides, this function was not designed + for cross-compilation: if you compile it on a system which doesn't + support Vale, it will compile it to a function which makes the + program exit. +*/ +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +) +{ + #if HACL_CAN_COMPILE_VALE + uint8_t ek[480U] = { 0U }; + uint8_t *keys_b0 = ek; + uint8_t *hkeys_b0 = ek + (uint32_t)176U; + uint64_t scrut0 = aes128_key_expansion(k, keys_b0); + uint64_t scrut1 = aes128_keyhash_init(keys_b0, hkeys_b0); + EverCrypt_AEAD_state_s lit; + lit.impl = Spec_Cipher_Expansion_Vale_AES128; + lit.ek = ek; + { + EverCrypt_AEAD_state_s p = lit; + EverCrypt_AEAD_state_s *s = &p; + EverCrypt_Error_error_code r; + if (s == NULL) + { + r = EverCrypt_Error_InvalidKey; + } + else if (iv_len == (uint32_t)0U) + { + r = EverCrypt_Error_InvalidIVLength; + } + else + { + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek0 = scrut.ek; + uint8_t *scratch_b = ek0 + (uint32_t)304U; + uint8_t *ek1 = ek0; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)176U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t plain_len_ = 
(uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *plain_b_ = plain; + uint8_t *out_b_ = cipher; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + plain + plain_len_, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t len128x6 = (uint64_t)plain_len / (uint64_t)96U * (uint64_t)96U; + if (len128x6 / (uint64_t)16U >= (uint64_t)18U) + { + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut2 = + gcm128_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut2 = + gcm128_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + memcpy(cipher + (uint32_t)(uint64_t)plain_len / 
(uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + r = EverCrypt_Error_Success; + } + } + } + return EverCrypt_Error_Success; + } + #else + KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "EverCrypt was compiled on a system which doesn\'t support Vale"); + KRML_HOST_EXIT(255U); + #endif +} + +/* +WARNING: this function doesn't perform any dynamic + hardware check. You MUST make sure your hardware supports the + implementation of AESGCM. Besides, this function was not designed + for cross-compilation: if you compile it on a system which doesn't + support Vale, it will compile it to a function which makes the + program exit. +*/ +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +) +{ + #if HACL_CAN_COMPILE_VALE + uint8_t ek[544U] = { 0U }; + uint8_t *keys_b0 = ek; + uint8_t *hkeys_b0 = ek + (uint32_t)240U; + uint64_t scrut0 = aes256_key_expansion(k, keys_b0); + uint64_t scrut1 = aes256_keyhash_init(keys_b0, hkeys_b0); + EverCrypt_AEAD_state_s lit; + lit.impl = Spec_Cipher_Expansion_Vale_AES256; + lit.ek = ek; + { + EverCrypt_AEAD_state_s p = lit; + EverCrypt_AEAD_state_s *s = &p; + EverCrypt_Error_error_code r; + if (s == NULL) + { + r = EverCrypt_Error_InvalidKey; + } + else if (iv_len == (uint32_t)0U) + { + r = EverCrypt_Error_InvalidIVLength; + } + else + { + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek0 = scrut.ek; + uint8_t *scratch_b = ek0 + (uint32_t)368U; + uint8_t *ek1 = ek0; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)240U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t + uu____0 = 
compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t plain_len_ = (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *plain_b_ = plain; + uint8_t *out_b_ = cipher; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + plain + plain_len_, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t len128x6 = (uint64_t)plain_len / (uint64_t)96U * (uint64_t)96U; + if (len128x6 / (uint64_t)16U >= (uint64_t)18U) + { + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut2 = + gcm256_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut2 = + gcm256_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + 
keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + r = EverCrypt_Error_Success; + } + } + } + return EverCrypt_Error_Success; + } + #else + KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "EverCrypt was compiled on a system which doesn\'t support Vale"); + KRML_HOST_EXIT(255U); + #endif +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt_expand_aes128_gcm( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +) +{ + bool has_pclmulqdq = EverCrypt_AutoConfig2_has_pclmulqdq(); + bool has_avx = EverCrypt_AutoConfig2_has_avx(); + bool has_sse = EverCrypt_AutoConfig2_has_sse(); + bool has_movbe = EverCrypt_AutoConfig2_has_movbe(); + bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); + #if HACL_CAN_COMPILE_VALE + if (has_aesni && has_pclmulqdq && has_avx && has_sse && has_movbe) + { + uint8_t ek[480U] = { 0U }; + uint8_t *keys_b0 = ek; + uint8_t *hkeys_b0 = ek + (uint32_t)176U; + uint64_t scrut0 = aes128_key_expansion(k, keys_b0); + uint64_t scrut1 = aes128_keyhash_init(keys_b0, hkeys_b0); + EverCrypt_AEAD_state_s lit; + lit.impl = Spec_Cipher_Expansion_Vale_AES128; + lit.ek = ek; + { + EverCrypt_AEAD_state_s p = lit; + EverCrypt_AEAD_state_s *s = &p; + EverCrypt_Error_error_code r; + if (s == NULL) + { + r = EverCrypt_Error_InvalidKey; + } + else if (iv_len == (uint32_t)0U) + { + r = EverCrypt_Error_InvalidIVLength; + } + else + { + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek0 = scrut.ek; + uint8_t *scratch_b = ek0 + (uint32_t)304U; + uint8_t *ek1 = ek0; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)176U; + uint8_t tmp_iv[16U] = { 
0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t + uu____0 = + compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t plain_len_ = (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *plain_b_ = plain; + uint8_t *out_b_ = cipher; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + plain + plain_len_, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t len128x6 = (uint64_t)plain_len / (uint64_t)96U * (uint64_t)96U; + if (len128x6 / (uint64_t)16U >= (uint64_t)18U) + { + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut2 = + gcm128_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + 
uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut2 = + gcm128_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + r = EverCrypt_Error_Success; + } + } + } + return EverCrypt_Error_Success; + } + } + #endif + return EverCrypt_Error_UnsupportedAlgorithm; +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt_expand_aes256_gcm( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +) +{ + bool has_pclmulqdq = EverCrypt_AutoConfig2_has_pclmulqdq(); + bool has_avx = EverCrypt_AutoConfig2_has_avx(); + bool has_sse = EverCrypt_AutoConfig2_has_sse(); + bool has_movbe = EverCrypt_AutoConfig2_has_movbe(); + bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); + #if HACL_CAN_COMPILE_VALE + if (has_aesni && has_pclmulqdq && has_avx && has_sse && has_movbe) + { + uint8_t ek[544U] = { 0U }; + uint8_t *keys_b0 = ek; + uint8_t *hkeys_b0 = ek + (uint32_t)240U; + uint64_t scrut0 = aes256_key_expansion(k, keys_b0); + uint64_t scrut1 = aes256_keyhash_init(keys_b0, hkeys_b0); + EverCrypt_AEAD_state_s lit; + lit.impl = Spec_Cipher_Expansion_Vale_AES256; + lit.ek = ek; + { + EverCrypt_AEAD_state_s p = lit; + EverCrypt_AEAD_state_s *s = &p; + EverCrypt_Error_error_code r; + if (s == NULL) + { + r = EverCrypt_Error_InvalidKey; + } + else if (iv_len == (uint32_t)0U) + { + r = EverCrypt_Error_InvalidIVLength; + } + else + { + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek0 = scrut.ek; + uint8_t *scratch_b = ek0 + (uint32_t)368U; + uint8_t 
*ek1 = ek0; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)240U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t + uu____0 = + compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t plain_len_ = (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *plain_b_ = plain; + uint8_t *out_b_ = cipher; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + plain + plain_len_, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t len128x6 = (uint64_t)plain_len / (uint64_t)96U * (uint64_t)96U; + if (len128x6 / (uint64_t)16U >= (uint64_t)18U) + { + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut2 = + gcm256_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = plain_b_; + uint8_t 
*out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut2 = + gcm256_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + r = EverCrypt_Error_Success; + } + } + } + return EverCrypt_Error_Success; + } + } + #endif + return EverCrypt_Error_UnsupportedAlgorithm; +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt_expand_chacha20_poly1305( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +) +{ + uint8_t ek0[32U] = { 0U }; + EverCrypt_AEAD_state_s lit; + lit.impl = Spec_Cipher_Expansion_Hacl_CHACHA20; + lit.ek = ek0; + { + EverCrypt_AEAD_state_s p = lit; + EverCrypt_AEAD_state_s *s; + EverCrypt_AEAD_state_s scrut; + uint8_t *ek; + memcpy(ek0, k, (uint32_t)32U * sizeof (uint8_t)); + s = &p; + scrut = *s; + ek = scrut.ek; + EverCrypt_Chacha20Poly1305_aead_encrypt(ek, iv, ad_len, ad, plain_len, plain, cipher, tag); + return EverCrypt_Error_Success; + } +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt_expand( + Spec_Agile_AEAD_alg a, + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +) +{ + switch (a) + { + case Spec_Agile_AEAD_AES128_GCM: + { + return + EverCrypt_AEAD_encrypt_expand_aes128_gcm(k, + iv, + iv_len, + ad, + ad_len, + plain, + plain_len, + cipher, + tag); + } + case 
Spec_Agile_AEAD_AES256_GCM: + { + return + EverCrypt_AEAD_encrypt_expand_aes256_gcm(k, + iv, + iv_len, + ad, + ad_len, + plain, + plain_len, + cipher, + tag); + } + case Spec_Agile_AEAD_CHACHA20_POLY1305: + { + return + EverCrypt_AEAD_encrypt_expand_chacha20_poly1305(k, + iv, + iv_len, + ad, + ad_len, + plain, + plain_len, + cipher, + tag); + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +static EverCrypt_Error_error_code +decrypt_aes128_gcm( + EverCrypt_AEAD_state_s *s, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + #if HACL_CAN_COMPILE_VALE + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + if (iv_len == (uint32_t)0U) + { + return EverCrypt_Error_InvalidIVLength; + } + { + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek = scrut.ek; + uint8_t *scratch_b = ek + (uint32_t)304U; + uint8_t *ek1 = ek; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)176U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t cipher_len_ = (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *cipher_b_ = cipher; + uint8_t *out_b_ = dst; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + cipher + cipher_len_, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof 
(uint8_t)); + { + uint64_t len128x6 = (uint64_t)cipher_len / (uint64_t)96U * (uint64_t)96U; + uint64_t c; + if (len128x6 / (uint64_t)16U >= (uint64_t)6U) + { + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut0 = + gcm128_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut0; + c = c0; + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut0 = + gcm128_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut0; + c = c0; + } + memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t r = c; + if (r == (uint64_t)0U) + { + return EverCrypt_Error_Success; + } + return EverCrypt_Error_AuthenticationFailure; + } + } + } + } + #else + KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", __FILE__, __LINE__, 
"statically unreachable"); + KRML_HOST_EXIT(255U); + #endif +} + +static EverCrypt_Error_error_code +decrypt_aes256_gcm( + EverCrypt_AEAD_state_s *s, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + #if HACL_CAN_COMPILE_VALE + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + if (iv_len == (uint32_t)0U) + { + return EverCrypt_Error_InvalidIVLength; + } + { + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek = scrut.ek; + uint8_t *scratch_b = ek + (uint32_t)368U; + uint8_t *ek1 = ek; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)240U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t cipher_len_ = (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *cipher_b_ = cipher; + uint8_t *out_b_ = dst; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + cipher + cipher_len_, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t len128x6 = (uint64_t)cipher_len / (uint64_t)96U * (uint64_t)96U; + uint64_t c; + if (len128x6 / (uint64_t)16U >= (uint64_t)6U) + { + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; 
+ uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut0 = + gcm256_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut0; + c = c0; + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut0 = + gcm256_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut0; + c = c0; + } + memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t r = c; + if (r == (uint64_t)0U) + { + return EverCrypt_Error_Success; + } + return EverCrypt_Error_AuthenticationFailure; + } + } + } + } + #else + KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", __FILE__, __LINE__, "statically unreachable"); + KRML_HOST_EXIT(255U); + #endif +} + +static EverCrypt_Error_error_code +decrypt_chacha20_poly1305( + EverCrypt_AEAD_state_s *s, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + if (iv_len != (uint32_t)12U) + { + return 
EverCrypt_Error_InvalidIVLength; + } + { + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek = scrut.ek; + uint32_t + r = EverCrypt_Chacha20Poly1305_aead_decrypt(ek, iv, ad_len, ad, cipher_len, dst, cipher, tag); + if (r == (uint32_t)0U) + { + return EverCrypt_Error_Success; + } + return EverCrypt_Error_AuthenticationFailure; + } +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_decrypt( + EverCrypt_AEAD_state_s *s, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + { + EverCrypt_AEAD_state_s scrut = *s; + Spec_Cipher_Expansion_impl i = scrut.impl; + switch (i) + { + case Spec_Cipher_Expansion_Vale_AES128: + { + return decrypt_aes128_gcm(s, iv, iv_len, ad, ad_len, cipher, cipher_len, tag, dst); + } + case Spec_Cipher_Expansion_Vale_AES256: + { + return decrypt_aes256_gcm(s, iv, iv_len, ad, ad_len, cipher, cipher_len, tag, dst); + } + case Spec_Cipher_Expansion_Hacl_CHACHA20: + { + return decrypt_chacha20_poly1305(s, iv, iv_len, ad, ad_len, cipher, cipher_len, tag, dst); + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } +} + +/* +WARNING: this function doesn't perform any dynamic + hardware check. You MUST make sure your hardware supports the + implementation of AESGCM. Besides, this function was not designed + for cross-compilation: if you compile it on a system which doesn't + support Vale, it will compile it to a function which makes the + program exit. 
+*/ +EverCrypt_Error_error_code +EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + #if HACL_CAN_COMPILE_VALE + uint8_t ek[480U] = { 0U }; + uint8_t *keys_b0 = ek; + uint8_t *hkeys_b0 = ek + (uint32_t)176U; + uint64_t scrut = aes128_key_expansion(k, keys_b0); + uint64_t scrut0 = aes128_keyhash_init(keys_b0, hkeys_b0); + EverCrypt_AEAD_state_s lit; + lit.impl = Spec_Cipher_Expansion_Vale_AES128; + lit.ek = ek; + { + EverCrypt_AEAD_state_s p = lit; + EverCrypt_AEAD_state_s *s = &p; + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + if (iv_len == (uint32_t)0U) + { + return EverCrypt_Error_InvalidIVLength; + } + { + EverCrypt_AEAD_state_s scrut1 = *s; + uint8_t *ek0 = scrut1.ek; + uint8_t *scratch_b = ek0 + (uint32_t)304U; + uint8_t *ek1 = ek0; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)176U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t cipher_len_ = (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *cipher_b_ = cipher; + uint8_t *out_b_ = dst; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + cipher + cipher_len_, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t len128x6 = (uint64_t)cipher_len / (uint64_t)96U * 
(uint64_t)96U; + uint64_t c; + if (len128x6 / (uint64_t)16U >= (uint64_t)6U) + { + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut2 = + gcm128_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut2; + c = c0; + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut2 = + gcm128_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut2; + c = c0; + } + memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t r = c; + if (r == (uint64_t)0U) + { + return EverCrypt_Error_Success; + } + return EverCrypt_Error_AuthenticationFailure; + } + } + } + } + } + #else + KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "EverCrypt was compiled on a system which doesn\'t support Vale"); + 
KRML_HOST_EXIT(255U); + #endif +} + +/* +WARNING: this function doesn't perform any dynamic + hardware check. You MUST make sure your hardware supports the + implementation of AESGCM. Besides, this function was not designed + for cross-compilation: if you compile it on a system which doesn't + support Vale, it will compile it to a function which makes the + program exit. +*/ +EverCrypt_Error_error_code +EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + #if HACL_CAN_COMPILE_VALE + uint8_t ek[544U] = { 0U }; + uint8_t *keys_b0 = ek; + uint8_t *hkeys_b0 = ek + (uint32_t)240U; + uint64_t scrut = aes256_key_expansion(k, keys_b0); + uint64_t scrut0 = aes256_keyhash_init(keys_b0, hkeys_b0); + EverCrypt_AEAD_state_s lit; + lit.impl = Spec_Cipher_Expansion_Vale_AES256; + lit.ek = ek; + { + EverCrypt_AEAD_state_s p = lit; + EverCrypt_AEAD_state_s *s = &p; + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + if (iv_len == (uint32_t)0U) + { + return EverCrypt_Error_InvalidIVLength; + } + { + EverCrypt_AEAD_state_s scrut1 = *s; + uint8_t *ek0 = scrut1.ek; + uint8_t *scratch_b = ek0 + (uint32_t)368U; + uint8_t *ek1 = ek0; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)240U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t cipher_len_ = (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; 
+ uint8_t *cipher_b_ = cipher; + uint8_t *out_b_ = dst; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + cipher + cipher_len_, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t len128x6 = (uint64_t)cipher_len / (uint64_t)96U * (uint64_t)96U; + uint64_t c; + if (len128x6 / (uint64_t)16U >= (uint64_t)6U) + { + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut2 = + gcm256_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut2; + c = c0; + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut2 = + gcm256_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut2; + c = c0; + } + memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + 
(uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t r = c; + if (r == (uint64_t)0U) + { + return EverCrypt_Error_Success; + } + return EverCrypt_Error_AuthenticationFailure; + } + } + } + } + } + #else + KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "EverCrypt was compiled on a system which doesn\'t support Vale"); + KRML_HOST_EXIT(255U); + #endif +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_decrypt_expand_aes128_gcm( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + bool has_pclmulqdq = EverCrypt_AutoConfig2_has_pclmulqdq(); + bool has_avx = EverCrypt_AutoConfig2_has_avx(); + bool has_sse = EverCrypt_AutoConfig2_has_sse(); + bool has_movbe = EverCrypt_AutoConfig2_has_movbe(); + bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); + #if HACL_CAN_COMPILE_VALE + if (has_aesni && has_pclmulqdq && has_avx && has_sse && has_movbe) + { + uint8_t ek[480U] = { 0U }; + uint8_t *keys_b0 = ek; + uint8_t *hkeys_b0 = ek + (uint32_t)176U; + uint64_t scrut = aes128_key_expansion(k, keys_b0); + uint64_t scrut0 = aes128_keyhash_init(keys_b0, hkeys_b0); + EverCrypt_AEAD_state_s lit; + lit.impl = Spec_Cipher_Expansion_Vale_AES128; + lit.ek = ek; + { + EverCrypt_AEAD_state_s p = lit; + EverCrypt_AEAD_state_s *s = &p; + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + else if (iv_len == (uint32_t)0U) + { + return EverCrypt_Error_InvalidIVLength; + } + else + { + EverCrypt_AEAD_state_s scrut1 = *s; + uint8_t *ek0 = scrut1.ek; + uint8_t *scratch_b = ek0 + (uint32_t)304U; + uint8_t *ek1 = ek0; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)176U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t + uu____0 = + 
compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t cipher_len_ = (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *cipher_b_ = cipher; + uint8_t *out_b_ = dst; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + cipher + cipher_len_, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t len128x6 = (uint64_t)cipher_len / (uint64_t)96U * (uint64_t)96U; + uint64_t c; + if (len128x6 / (uint64_t)16U >= (uint64_t)6U) + { + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut2 = + gcm128_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut2; + c = c0; + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + 
scrut2 = + gcm128_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut2; + c = c0; + } + memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t r = c; + if (r == (uint64_t)0U) + { + return EverCrypt_Error_Success; + } + else + { + return EverCrypt_Error_AuthenticationFailure; + } + } + } + } + } + } + } + #endif + return EverCrypt_Error_UnsupportedAlgorithm; +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_decrypt_expand_aes256_gcm( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + bool has_pclmulqdq = EverCrypt_AutoConfig2_has_pclmulqdq(); + bool has_avx = EverCrypt_AutoConfig2_has_avx(); + bool has_sse = EverCrypt_AutoConfig2_has_sse(); + bool has_movbe = EverCrypt_AutoConfig2_has_movbe(); + bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); + #if HACL_CAN_COMPILE_VALE + if (has_aesni && has_pclmulqdq && has_avx && has_sse && has_movbe) + { + uint8_t ek[544U] = { 0U }; + uint8_t *keys_b0 = ek; + uint8_t *hkeys_b0 = ek + (uint32_t)240U; + uint64_t scrut = aes256_key_expansion(k, keys_b0); + uint64_t scrut0 = aes256_keyhash_init(keys_b0, hkeys_b0); + EverCrypt_AEAD_state_s lit; + lit.impl = Spec_Cipher_Expansion_Vale_AES256; + lit.ek = ek; + { + EverCrypt_AEAD_state_s p = lit; + EverCrypt_AEAD_state_s *s = &p; + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + else if (iv_len == (uint32_t)0U) + { + return EverCrypt_Error_InvalidIVLength; + } + else + { + EverCrypt_AEAD_state_s scrut1 = *s; + uint8_t *ek0 = scrut1.ek; + uint8_t *scratch_b = ek0 + (uint32_t)368U; + uint8_t *ek1 = ek0; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = 
ek1 + (uint32_t)240U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t + uu____0 = + compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t cipher_len_ = (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *cipher_b_ = cipher; + uint8_t *out_b_ = dst; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + cipher + cipher_len_, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t len128x6 = (uint64_t)cipher_len / (uint64_t)96U * (uint64_t)96U; + uint64_t c; + if (len128x6 / (uint64_t)16U >= (uint64_t)6U) + { + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut2 = + gcm256_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut2; + c = c0; + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = cipher_b_; + uint8_t 
*out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut2 = + gcm256_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut2; + c = c0; + } + memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + { + uint64_t r = c; + if (r == (uint64_t)0U) + { + return EverCrypt_Error_Success; + } + else + { + return EverCrypt_Error_AuthenticationFailure; + } + } + } + } + } + } + } + #endif + return EverCrypt_Error_UnsupportedAlgorithm; +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_decrypt_expand_chacha20_poly1305( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + uint8_t ek[32U] = { 0U }; + EverCrypt_AEAD_state_s lit; + lit.impl = Spec_Cipher_Expansion_Hacl_CHACHA20; + lit.ek = ek; + { + EverCrypt_AEAD_state_s p = lit; + EverCrypt_AEAD_state_s *s; + EverCrypt_Error_error_code r; + memcpy(ek, k, (uint32_t)32U * sizeof (uint8_t)); + s = &p; + r = decrypt_chacha20_poly1305(s, iv, iv_len, ad, ad_len, cipher, cipher_len, tag, dst); + return r; + } +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_decrypt_expand( + Spec_Agile_AEAD_alg a, + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + switch (a) + { + case Spec_Agile_AEAD_AES128_GCM: + { + return + EverCrypt_AEAD_decrypt_expand_aes128_gcm(k, + iv, + iv_len, + ad, + ad_len, + cipher, + cipher_len, + 
tag, + dst); + } + case Spec_Agile_AEAD_AES256_GCM: + { + return + EverCrypt_AEAD_decrypt_expand_aes256_gcm(k, + iv, + iv_len, + ad, + ad_len, + cipher, + cipher_len, + tag, + dst); + } + case Spec_Agile_AEAD_CHACHA20_POLY1305: + { + return + EverCrypt_AEAD_decrypt_expand_chacha20_poly1305(k, + iv, + iv_len, + ad, + ad_len, + cipher, + cipher_len, + tag, + dst); + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +void EverCrypt_AEAD_free(EverCrypt_AEAD_state_s *s) +{ + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek = scrut.ek; + KRML_HOST_FREE(ek); + KRML_HOST_FREE(s); +} + diff --git a/src/c89/EverCrypt_AutoConfig2.c b/src/c89/EverCrypt_AutoConfig2.c new file mode 100644 index 00000000..d3c85f6c --- /dev/null +++ b/src/c89/EverCrypt_AutoConfig2.c 
@@ -0,0 +1,330 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_AutoConfig2.h" + +#include "internal/Vale.h" + +static bool cpu_has_shaext[1U] = { false }; + +static bool cpu_has_aesni[1U] = { false }; + +static bool cpu_has_pclmulqdq[1U] = { false }; + +static bool cpu_has_avx2[1U] = { false }; + +static bool cpu_has_avx[1U] = { false }; + +static bool cpu_has_bmi2[1U] = { false }; + +static bool cpu_has_adx[1U] = { false }; + +static bool cpu_has_sse[1U] = { false }; + +static bool cpu_has_movbe[1U] = { false }; + +static bool cpu_has_rdrand[1U] = { false }; + +static bool cpu_has_avx512[1U] = { false }; + +static bool user_wants_hacl[1U] = { true }; + +static bool user_wants_vale[1U] = { true }; + +static bool user_wants_openssl[1U] = { true }; + +static bool user_wants_bcrypt[1U] = { false }; + +bool EverCrypt_AutoConfig2_has_shaext() +{ + return cpu_has_shaext[0U]; +} + +bool EverCrypt_AutoConfig2_has_aesni() +{ + return cpu_has_aesni[0U]; +} + +bool EverCrypt_AutoConfig2_has_pclmulqdq() +{ + return cpu_has_pclmulqdq[0U]; +} + +bool EverCrypt_AutoConfig2_has_avx2() +{ + return cpu_has_avx2[0U]; +} + +bool EverCrypt_AutoConfig2_has_avx() +{ + return cpu_has_avx[0U]; +} + +bool EverCrypt_AutoConfig2_has_bmi2() +{ + return cpu_has_bmi2[0U]; +} + +bool EverCrypt_AutoConfig2_has_adx() +{ + return cpu_has_adx[0U]; +} + +bool EverCrypt_AutoConfig2_has_sse() +{ + return cpu_has_sse[0U]; +} + +bool EverCrypt_AutoConfig2_has_movbe() +{ + return cpu_has_movbe[0U]; +} + +bool EverCrypt_AutoConfig2_has_rdrand() +{ + return cpu_has_rdrand[0U]; +} + +bool EverCrypt_AutoConfig2_has_avx512() +{ + return cpu_has_avx512[0U]; +} + +KRML_DEPRECATED("") + +bool EverCrypt_AutoConfig2_wants_vale() +{ + return user_wants_vale[0U]; +} + +bool EverCrypt_AutoConfig2_wants_hacl() +{ + return user_wants_hacl[0U]; +} + +bool EverCrypt_AutoConfig2_wants_openssl() +{ + return user_wants_openssl[0U]; +} + +bool EverCrypt_AutoConfig2_wants_bcrypt() +{ + return user_wants_bcrypt[0U]; +} + +void EverCrypt_AutoConfig2_recall() +{ 
+ +} + +void EverCrypt_AutoConfig2_init() +{ + #if HACL_CAN_COMPILE_VALE + uint64_t scrut = check_aesni(); + if (scrut != (uint64_t)0U) + { + cpu_has_aesni[0U] = true; + cpu_has_pclmulqdq[0U] = true; + } + { + uint64_t scrut0 = check_sha(); + if (scrut0 != (uint64_t)0U) + { + cpu_has_shaext[0U] = true; + } + { + uint64_t scrut1 = check_adx_bmi2(); + if (scrut1 != (uint64_t)0U) + { + cpu_has_bmi2[0U] = true; + cpu_has_adx[0U] = true; + } + { + uint64_t scrut2 = check_avx(); + if (scrut2 != (uint64_t)0U) + { + uint64_t scrut3 = check_osxsave(); + if (scrut3 != (uint64_t)0U) + { + uint64_t scrut4 = check_avx_xcr0(); + if (scrut4 != (uint64_t)0U) + { + cpu_has_avx[0U] = true; + } + } + } + { + uint64_t scrut3 = check_avx2(); + if (scrut3 != (uint64_t)0U) + { + uint64_t scrut4 = check_osxsave(); + if (scrut4 != (uint64_t)0U) + { + uint64_t scrut5 = check_avx_xcr0(); + if (scrut5 != (uint64_t)0U) + { + cpu_has_avx2[0U] = true; + } + } + } + { + uint64_t scrut4 = check_sse(); + if (scrut4 != (uint64_t)0U) + { + cpu_has_sse[0U] = true; + } + { + uint64_t scrut5 = check_movbe(); + if (scrut5 != (uint64_t)0U) + { + cpu_has_movbe[0U] = true; + } + { + uint64_t scrut6 = check_rdrand(); + if (scrut6 != (uint64_t)0U) + { + cpu_has_rdrand[0U] = true; + } + { + uint64_t scrut7 = check_avx512(); + if (scrut7 != (uint64_t)0U) + { + uint64_t scrut8 = check_osxsave(); + if (scrut8 != (uint64_t)0U) + { + uint64_t scrut9 = check_avx_xcr0(); + if (scrut9 != (uint64_t)0U) + { + uint64_t scrut10 = check_avx512_xcr0(); + if (scrut10 != (uint64_t)0U) + { + cpu_has_avx512[0U] = true; + } + } + } + } + } + } + } + } + } + } + } + } + #endif + user_wants_hacl[0U] = true; + user_wants_vale[0U] = true; + user_wants_bcrypt[0U] = false; + user_wants_openssl[0U] = true; +} + +void EverCrypt_AutoConfig2_disable_avx2() +{ + cpu_has_avx2[0U] = false; +} + +void EverCrypt_AutoConfig2_disable_avx() +{ + cpu_has_avx[0U] = false; +} + +void EverCrypt_AutoConfig2_disable_bmi2() +{ + cpu_has_bmi2[0U] = 
false; +} + +void EverCrypt_AutoConfig2_disable_adx() +{ + cpu_has_adx[0U] = false; +} + +void EverCrypt_AutoConfig2_disable_shaext() +{ + cpu_has_shaext[0U] = false; +} + +void EverCrypt_AutoConfig2_disable_aesni() +{ + cpu_has_aesni[0U] = false; +} + +void EverCrypt_AutoConfig2_disable_pclmulqdq() +{ + cpu_has_pclmulqdq[0U] = false; +} + +void EverCrypt_AutoConfig2_disable_sse() +{ + cpu_has_sse[0U] = false; +} + +void EverCrypt_AutoConfig2_disable_movbe() +{ + cpu_has_movbe[0U] = false; +} + +void EverCrypt_AutoConfig2_disable_rdrand() +{ + cpu_has_rdrand[0U] = false; +} + +void EverCrypt_AutoConfig2_disable_avx512() +{ + cpu_has_avx512[0U] = false; +} + +void EverCrypt_AutoConfig2_disable_vale() +{ + user_wants_vale[0U] = false; +} + +void EverCrypt_AutoConfig2_disable_hacl() +{ + user_wants_hacl[0U] = false; +} + +void EverCrypt_AutoConfig2_disable_openssl() +{ + user_wants_openssl[0U] = false; +} + +void EverCrypt_AutoConfig2_disable_bcrypt() +{ + user_wants_bcrypt[0U] = false; +} + +bool EverCrypt_AutoConfig2_has_vec128() +{ + bool avx = EverCrypt_AutoConfig2_has_avx(); + bool other = has_vec128_not_avx(); + return avx || other; +} + +bool EverCrypt_AutoConfig2_has_vec256() +{ + bool avx2 = EverCrypt_AutoConfig2_has_avx2(); + bool other = has_vec256_not_avx2(); + return avx2 || other; +} + diff --git a/src/c89/EverCrypt_CTR.c b/src/c89/EverCrypt_CTR.c new file mode 100644 index 00000000..34aa38bb --- /dev/null +++ b/src/c89/EverCrypt_CTR.c 
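Review bot: Every accessor and mutator in this file is declared with an empty parameter list (`bool EverCrypt_AutoConfig2_has_shaext()`, `void EverCrypt_AutoConfig2_init()`, and so on), which under C89/C11 is an old-style declaration that turns off argument checking at call sites; as this is the public API of the c89 build they should read `bool EverCrypt_AutoConfig2_has_shaext(void)`, and if the file is KaRaMeL output the fix belongs in the extraction settings rather than in a hand edit. `KRML_DEPRECATED("")` on `EverCrypt_AutoConfig2_wants_vale` carries an empty message, so callers get no hint of what to use instead. `EverCrypt_AutoConfig2_init` is the only place the `cpu_has_*` flags are set and it also re-enables `user_wants_hacl`/`user_wants_vale`/`user_wants_openssl`, undoing any earlier `EverCrypt_AutoConfig2_disable_*` call, but nothing here documents that ordering or that `init` must run before the dispatchers in EverCrypt_CTR.c and EverCrypt_Chacha20Poly1305.c consult these flags; a header comment on `init` stating both would help.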
@@ -0,0 +1,405 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_CTR.h" + +#include "internal/Vale.h" +#include "internal/Hacl_Spec.h" +#include "internal/Hacl_Chacha20.h" + +typedef struct EverCrypt_CTR_state_s_s +{ + Spec_Cipher_Expansion_impl i; + uint8_t *iv; + uint32_t iv_len; + uint8_t *xkey; + uint32_t ctr; +} +EverCrypt_CTR_state_s; + +bool +EverCrypt_CTR_uu___is_State(Spec_Agile_Cipher_cipher_alg a, EverCrypt_CTR_state_s projectee) +{ + return true; +} + +uint8_t EverCrypt_CTR_xor8(uint8_t a, uint8_t b) +{ + return a ^ b; +} + +Spec_Agile_Cipher_cipher_alg EverCrypt_CTR_alg_of_state(EverCrypt_CTR_state_s *s) +{ + EverCrypt_CTR_state_s scrut = *s; + Spec_Cipher_Expansion_impl i = scrut.i; + return Spec_Cipher_Expansion_cipher_alg_of_impl(i); +} + +static Spec_Cipher_Expansion_impl vale_impl_of_alg(Spec_Agile_Cipher_cipher_alg a) +{ + switch (a) + { + case Spec_Agile_Cipher_AES128: + { + return Spec_Cipher_Expansion_Vale_AES128; + } + case Spec_Agile_Cipher_AES256: + { + return Spec_Cipher_Expansion_Vale_AES256; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +EverCrypt_Error_error_code +EverCrypt_CTR_create_in( + Spec_Agile_Cipher_cipher_alg a, + EverCrypt_CTR_state_s **dst, + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint32_t c +) +{ + switch (a) + { + case Spec_Agile_Cipher_AES128: + { + bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); + bool has_pclmulqdq = EverCrypt_AutoConfig2_has_pclmulqdq(); + bool has_avx = EverCrypt_AutoConfig2_has_avx(); + bool has_sse = EverCrypt_AutoConfig2_has_sse(); + if (iv_len < (uint32_t)12U) + { + return EverCrypt_Error_InvalidIVLength; + } + #if HACL_CAN_COMPILE_VALE + if (has_aesni && has_pclmulqdq && has_avx && has_sse) + { + uint8_t *ek = (uint8_t *)KRML_HOST_CALLOC((uint32_t)304U, sizeof (uint8_t)); + uint8_t *keys_b = ek; + uint8_t *hkeys_b = ek + (uint32_t)176U; + uint64_t scrut = aes128_key_expansion(k, keys_b); + uint64_t scrut0 = 
aes128_keyhash_init(keys_b, hkeys_b); + uint8_t *iv_ = (uint8_t *)KRML_HOST_CALLOC((uint32_t)16U, sizeof (uint8_t)); + memcpy(iv_, iv, iv_len * sizeof (uint8_t)); + { + EverCrypt_CTR_state_s lit; + lit.i = + vale_impl_of_alg(Spec_Cipher_Expansion_cipher_alg_of_impl(Spec_Cipher_Expansion_Vale_AES128)); + lit.iv = iv_; + lit.iv_len = iv_len; + lit.xkey = ek; + lit.ctr = c; + KRML_CHECK_SIZE(sizeof (EverCrypt_CTR_state_s), (uint32_t)1U); + { + EverCrypt_CTR_state_s + *p = (EverCrypt_CTR_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_CTR_state_s)); + p[0U] = lit; + *dst = p; + return EverCrypt_Error_Success; + } + } + } + #endif + return EverCrypt_Error_UnsupportedAlgorithm; + } + case Spec_Agile_Cipher_AES256: + { + bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); + bool has_pclmulqdq = EverCrypt_AutoConfig2_has_pclmulqdq(); + bool has_avx = EverCrypt_AutoConfig2_has_avx(); + bool has_sse = EverCrypt_AutoConfig2_has_sse(); + if (iv_len < (uint32_t)12U) + { + return EverCrypt_Error_InvalidIVLength; + } + #if HACL_CAN_COMPILE_VALE + if (has_aesni && has_pclmulqdq && has_avx && has_sse) + { + uint8_t *ek = (uint8_t *)KRML_HOST_CALLOC((uint32_t)368U, sizeof (uint8_t)); + uint8_t *keys_b = ek; + uint8_t *hkeys_b = ek + (uint32_t)240U; + uint64_t scrut = aes256_key_expansion(k, keys_b); + uint64_t scrut0 = aes256_keyhash_init(keys_b, hkeys_b); + uint8_t *iv_ = (uint8_t *)KRML_HOST_CALLOC((uint32_t)16U, sizeof (uint8_t)); + memcpy(iv_, iv, iv_len * sizeof (uint8_t)); + { + EverCrypt_CTR_state_s lit; + lit.i = + vale_impl_of_alg(Spec_Cipher_Expansion_cipher_alg_of_impl(Spec_Cipher_Expansion_Vale_AES256)); + lit.iv = iv_; + lit.iv_len = iv_len; + lit.xkey = ek; + lit.ctr = c; + KRML_CHECK_SIZE(sizeof (EverCrypt_CTR_state_s), (uint32_t)1U); + { + EverCrypt_CTR_state_s + *p = (EverCrypt_CTR_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_CTR_state_s)); + p[0U] = lit; + *dst = p; + return EverCrypt_Error_Success; + } + } + } + #endif + return EverCrypt_Error_UnsupportedAlgorithm; + 
} + case Spec_Agile_Cipher_CHACHA20: + { + uint8_t *ek = (uint8_t *)KRML_HOST_CALLOC((uint32_t)32U, sizeof (uint8_t)); + memcpy(ek, k, (uint32_t)32U * sizeof (uint8_t)); + KRML_CHECK_SIZE(sizeof (uint8_t), iv_len); + { + uint8_t *iv_ = (uint8_t *)KRML_HOST_CALLOC(iv_len, sizeof (uint8_t)); + memcpy(iv_, iv, iv_len * sizeof (uint8_t)); + { + EverCrypt_CTR_state_s lit; + lit.i = Spec_Cipher_Expansion_Hacl_CHACHA20; + lit.iv = iv_; + lit.iv_len = (uint32_t)12U; + lit.xkey = ek; + lit.ctr = c; + KRML_CHECK_SIZE(sizeof (EverCrypt_CTR_state_s), (uint32_t)1U); + { + EverCrypt_CTR_state_s + *p = (EverCrypt_CTR_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_CTR_state_s)); + p[0U] = lit; + *dst = p; + return EverCrypt_Error_Success; + } + } + } + break; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +void +EverCrypt_CTR_init( + EverCrypt_CTR_state_s *p, + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint32_t c +) +{ + EverCrypt_CTR_state_s scrut0 = *p; + uint8_t *ek = scrut0.xkey; + uint8_t *iv_ = scrut0.iv; + Spec_Cipher_Expansion_impl i = scrut0.i; + memcpy(iv_, iv, iv_len * sizeof (uint8_t)); + switch (i) + { + case Spec_Cipher_Expansion_Vale_AES128: + { + #if HACL_CAN_COMPILE_VALE + uint8_t *keys_b = ek; + uint8_t *hkeys_b = ek + (uint32_t)176U; + uint64_t scrut = aes128_key_expansion(k, keys_b); + uint64_t scrut1 = aes128_keyhash_init(keys_b, hkeys_b); + #endif + break; + } + case Spec_Cipher_Expansion_Vale_AES256: + { + #if HACL_CAN_COMPILE_VALE + uint8_t *keys_b = ek; + uint8_t *hkeys_b = ek + (uint32_t)240U; + uint64_t scrut = aes256_key_expansion(k, keys_b); + uint64_t scrut1 = aes256_keyhash_init(keys_b, hkeys_b); + #endif + break; + } + case Spec_Cipher_Expansion_Hacl_CHACHA20: + { + memcpy(ek, k, (uint32_t)32U * sizeof (uint8_t)); + break; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + { + 
EverCrypt_CTR_state_s lit; + lit.i = i; + lit.iv = iv_; + lit.iv_len = iv_len; + lit.xkey = ek; + lit.ctr = c; + *p = lit; + } +} + +void EverCrypt_CTR_update_block(EverCrypt_CTR_state_s *p, uint8_t *dst, uint8_t *src) +{ + EverCrypt_CTR_state_s scrut0 = *p; + Spec_Cipher_Expansion_impl i = scrut0.i; + uint8_t *iv = scrut0.iv; + uint8_t *ek = scrut0.xkey; + uint32_t c0 = scrut0.ctr; + switch (i) + { + case Spec_Cipher_Expansion_Vale_AES128: + { + #if HACL_CAN_COMPILE_VALE + EverCrypt_CTR_state_s scrut1 = *p; + uint32_t c01 = scrut1.ctr; + uint8_t *ek1 = scrut1.xkey; + uint32_t iv_len1 = scrut1.iv_len; + uint8_t *iv1 = scrut1.iv; + uint8_t ctr_block[16U] = { 0U }; + FStar_UInt128_uint128 uu____0; + FStar_UInt128_uint128 c; + uint8_t *uu____1; + memcpy(ctr_block, iv1, iv_len1 * sizeof (uint8_t)); + uu____0 = load128_be(ctr_block); + c = FStar_UInt128_add_mod(uu____0, FStar_UInt128_uint64_to_uint128((uint64_t)c01)); + store128_le(ctr_block, c); + uu____1 = ek1; + { + uint8_t inout_b[16U] = { 0U }; + uint32_t num_blocks = (uint32_t)(uint64_t)16U / (uint32_t)16U; + uint32_t num_bytes_ = num_blocks * (uint32_t)16U; + uint8_t *in_b_ = src; + uint8_t *out_b_ = dst; + uint64_t scrut; + uint32_t c1; + memcpy(inout_b, + src + num_bytes_, + (uint32_t)(uint64_t)16U % (uint32_t)16U * sizeof (uint8_t)); + scrut = + gctr128_bytes(in_b_, + (uint64_t)16U, + out_b_, + inout_b, + uu____1, + ctr_block, + (uint64_t)num_blocks); + memcpy(dst + num_bytes_, + inout_b, + (uint32_t)(uint64_t)16U % (uint32_t)16U * sizeof (uint8_t)); + c1 = c01 + (uint32_t)1U; + { + EverCrypt_CTR_state_s lit; + lit.i = Spec_Cipher_Expansion_Vale_AES128; + lit.iv = iv1; + lit.iv_len = iv_len1; + lit.xkey = ek1; + lit.ctr = c1; + *p = lit; + } + } + #endif + break; + } + case Spec_Cipher_Expansion_Vale_AES256: + { + #if HACL_CAN_COMPILE_VALE + EverCrypt_CTR_state_s scrut1 = *p; + uint32_t c01 = scrut1.ctr; + uint8_t *ek1 = scrut1.xkey; + uint32_t iv_len1 = scrut1.iv_len; + uint8_t *iv1 = scrut1.iv; + uint8_t 
ctr_block[16U] = { 0U }; + FStar_UInt128_uint128 uu____2; + FStar_UInt128_uint128 c; + uint8_t *uu____3; + memcpy(ctr_block, iv1, iv_len1 * sizeof (uint8_t)); + uu____2 = load128_be(ctr_block); + c = FStar_UInt128_add_mod(uu____2, FStar_UInt128_uint64_to_uint128((uint64_t)c01)); + store128_le(ctr_block, c); + uu____3 = ek1; + { + uint8_t inout_b[16U] = { 0U }; + uint32_t num_blocks = (uint32_t)(uint64_t)16U / (uint32_t)16U; + uint32_t num_bytes_ = num_blocks * (uint32_t)16U; + uint8_t *in_b_ = src; + uint8_t *out_b_ = dst; + uint64_t scrut; + uint32_t c1; + memcpy(inout_b, + src + num_bytes_, + (uint32_t)(uint64_t)16U % (uint32_t)16U * sizeof (uint8_t)); + scrut = + gctr256_bytes(in_b_, + (uint64_t)16U, + out_b_, + inout_b, + uu____3, + ctr_block, + (uint64_t)num_blocks); + memcpy(dst + num_bytes_, + inout_b, + (uint32_t)(uint64_t)16U % (uint32_t)16U * sizeof (uint8_t)); + c1 = c01 + (uint32_t)1U; + { + EverCrypt_CTR_state_s lit; + lit.i = Spec_Cipher_Expansion_Vale_AES256; + lit.iv = iv1; + lit.iv_len = iv_len1; + lit.xkey = ek1; + lit.ctr = c1; + *p = lit; + } + } + #endif + break; + } + case Spec_Cipher_Expansion_Hacl_CHACHA20: + { + uint32_t ctx[16U] = { 0U }; + Hacl_Impl_Chacha20_chacha20_init(ctx, ek, iv, (uint32_t)0U); + Hacl_Impl_Chacha20_chacha20_encrypt_block(ctx, dst, c0, src); + break; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +void EverCrypt_CTR_free(EverCrypt_CTR_state_s *p) +{ + EverCrypt_CTR_state_s scrut = *p; + uint8_t *iv = scrut.iv; + uint8_t *ek = scrut.xkey; + KRML_HOST_FREE(iv); + KRML_HOST_FREE(ek); + KRML_HOST_FREE(p); +} + diff --git a/src/c89/EverCrypt_Chacha20Poly1305.c b/src/c89/EverCrypt_Chacha20Poly1305.c new file mode 100644 index 00000000..a4116986 --- /dev/null +++ b/src/c89/EverCrypt_Chacha20Poly1305.c 
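Review bot: `EverCrypt_CTR_create_in` only rejects `iv_len < 12U` before copying `iv_len` bytes into the 16-byte `iv_` buffer obtained from `KRML_HOST_CALLOC((uint32_t)16U, ...)` in both AES cases, and `EverCrypt_CTR_update_block` likewise copies `iv_len1` bytes into `uint8_t ctr_block[16U]`; the upper bound is presumably a precondition discharged on the F* side, but it is not enforced in this C, so an unverified caller passing a longer IV overruns those buffers. A cheap guard in both AES cases would be `if (iv_len < (uint32_t)12U || iv_len > (uint32_t)16U) { return EverCrypt_Error_InvalidIVLength; }`, or at minimum the bound should be stated in the header comment for `create_in` and `init`. The CHACHA20 case has the inverse gap: it allocates and copies `iv_len` bytes but stores `lit.iv_len = (uint32_t)12U` unconditionally, so a shorter IV is presumably read past its end by `Hacl_Impl_Chacha20_chacha20_init` later. `EverCrypt_CTR_init` then overwrites `iv_` with the new `iv_len` bytes without re-checking against the size chosen at creation. The `KRML_HOST_CALLOC` results in `create_in` are also dereferenced without a null check, unlike the `KRML_CHECK_SIZE`-guarded state allocation that follows.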
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */
+
+
+#include "EverCrypt_Chacha20Poly1305.h"
+
+
+
+void
+EverCrypt_Chacha20Poly1305_aead_encrypt(
+ uint8_t *k,
+ uint8_t *n,
+ uint32_t aadlen,
+ uint8_t *aad,
+ uint32_t mlen,
+ uint8_t *m,
+ uint8_t *cipher,
+ uint8_t *tag
+)
+{
+ bool avx2 = EverCrypt_AutoConfig2_has_avx2();
+ bool avx = EverCrypt_AutoConfig2_has_avx();
+ bool vec256 = EverCrypt_AutoConfig2_has_vec256();
+ bool vec128 = EverCrypt_AutoConfig2_has_vec128();
+ #if HACL_CAN_COMPILE_VEC256
+ if (vec256)
+ {
+ Hacl_Chacha20Poly1305_256_aead_encrypt(k, n, aadlen, aad, mlen, m, cipher, tag);
+ return;
+ }
+ #endif
+ #if HACL_CAN_COMPILE_VEC128
+ if (vec128)
+ {
+ Hacl_Chacha20Poly1305_128_aead_encrypt(k, n, aadlen, aad, mlen, m, cipher, tag);
+ return;
+ }
+ #endif
+ Hacl_Chacha20Poly1305_32_aead_encrypt(k, n, aadlen, aad, mlen, m, cipher, tag);
+}
+
+uint32_t
+EverCrypt_Chacha20Poly1305_aead_decrypt(
+ uint8_t *k,
+ uint8_t *n,
+ uint32_t aadlen,
+ uint8_t *aad,
+ uint32_t mlen,
+ uint8_t *m,
+ uint8_t *cipher,
+ uint8_t *tag
+)
+{
+ bool avx2 = EverCrypt_AutoConfig2_has_avx2();
+ bool avx = EverCrypt_AutoConfig2_has_avx();
+ bool vec256 = EverCrypt_AutoConfig2_has_vec256();
+ bool vec128 = EverCrypt_AutoConfig2_has_vec128();
+ #if HACL_CAN_COMPILE_VEC256
+ if (vec256)
+ {
+ return Hacl_Chacha20Poly1305_256_aead_decrypt(k, n, aadlen, aad, mlen, m, cipher, tag);
+ }
+ #endif
+ #if HACL_CAN_COMPILE_VEC128
+ if (vec128)
+ {
+ return Hacl_Chacha20Poly1305_128_aead_decrypt(k, n, aadlen, aad, mlen, m, cipher, tag);
+ }
+ #endif
+ return Hacl_Chacha20Poly1305_32_aead_decrypt(k, n, aadlen, aad, mlen, m, cipher, tag);
+}
+
diff --git a/src/c89/EverCrypt_Cipher.c b/src/c89/EverCrypt_Cipher.c
new file mode 100644
index 00000000..a8324c00
--- /dev/null
+++ b/src/c89/EverCrypt_Cipher.c
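Review bot: `avx2` and `avx` are computed in both `EverCrypt_Chacha20Poly1305_aead_encrypt` and `EverCrypt_Chacha20Poly1305_aead_decrypt` but never read — the dispatch tests only `vec256` and `vec128` — so they produce `-Wunused-variable` noise and look like a dropped check. Remove the two `bool avx2 = ...;` / `bool avx = ...;` lines in each function, or if the generator cannot omit them, add `(void)avx2; (void)avx;`. With both `HACL_CAN_COMPILE_VEC256` and `HACL_CAN_COMPILE_VEC128` off, `vec256` and `vec128` become unused as well. A one-line comment above the first `#if` noting that the flags come from `EverCrypt_AutoConfig2_init` and that the `_32` path is the always-compiled fallback would make the selection order obvious to readers.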
@@ -0,0 +1,43 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#include "EverCrypt_Cipher.h"
+
+#include "internal/Hacl_Chacha20.h"
+
+void
+EverCrypt_Cipher_chacha20(
+ uint32_t len,
+ uint8_t *dst,
+ uint8_t *src,
+ uint8_t *key,
+ uint8_t *iv,
+ uint32_t ctr
+)
+{
+ uint32_t ctx[16U] = { 0U };
+ Hacl_Impl_Chacha20_chacha20_init(ctx, key, iv, ctr);
+ Hacl_Impl_Chacha20_chacha20_update(ctx, len, dst, src);
+}
+
diff --git a/src/c89/EverCrypt_Curve25519.c b/src/c89/EverCrypt_Curve25519.c
new file mode 100644
index 00000000..71db562b
--- /dev/null
+++ b/src/c89/EverCrypt_Curve25519.c
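Review bot: `EverCrypt_Cipher_chacha20` leaves the expanded `ctx[16U]` state, which `Hacl_Impl_Chacha20_chacha20_init` derives from `key`, on the stack when it returns, and as the public raw-keystream entry point it should wipe that state before returning (the `ctx` in the CHACHA20 case of `EverCrypt_CTR_update_block` in EverCrypt_CTR.c has the same issue). If the project's `Lib_Memzero0_memzero` helper is reachable from this file, `Lib_Memzero0_memzero(ctx, (uint32_t)16U * sizeof (uint32_t));` after the update call would do it; a plain `memset` before return may be optimized away. The function also takes `key`, `iv`, `src` and `dst` without stating the required key and IV lengths or whether `dst` and `src` may alias, so the header declaration should document those.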
@@ -0,0 +1,70 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */
+
+
+#include "EverCrypt_Curve25519.h"
+
+
+
+static inline bool has_adx_bmi2()
+{
+ bool has_bmi2 = EverCrypt_AutoConfig2_has_bmi2();
+ bool has_adx = EverCrypt_AutoConfig2_has_adx();
+ return has_bmi2 && has_adx;
+}
+
+void EverCrypt_Curve25519_secret_to_public(uint8_t *pub, uint8_t *priv)
+{
+ #if HACL_CAN_COMPILE_VALE
+ if (has_adx_bmi2())
+ {
+ Hacl_Curve25519_64_secret_to_public(pub, priv);
+ return;
+ }
+ #endif
+ Hacl_Curve25519_51_secret_to_public(pub, priv);
+}
+
+void EverCrypt_Curve25519_scalarmult(uint8_t *shared, uint8_t *my_priv, uint8_t *their_pub)
+{
+ #if HACL_CAN_COMPILE_VALE
+ if (has_adx_bmi2())
+ {
+ Hacl_Curve25519_64_scalarmult(shared, my_priv, their_pub);
+ return;
+ }
+ #endif
+ Hacl_Curve25519_51_scalarmult(shared, my_priv, their_pub);
+}
+
+bool EverCrypt_Curve25519_ecdh(uint8_t *shared, uint8_t *my_priv, uint8_t *their_pub)
+{
+ #if HACL_CAN_COMPILE_VALE
+ if (has_adx_bmi2())
+ {
+ return Hacl_Curve25519_64_ecdh(shared, my_priv, their_pub);
+ }
+ #endif
+ return Hacl_Curve25519_51_ecdh(shared, my_priv, their_pub);
+}
+
diff --git a/src/c89/EverCrypt_DRBG.c b/src/c89/EverCrypt_DRBG.c
new file mode 100644
index 00000000..95e464ae
--- /dev/null
+++ b/src/c89/EverCrypt_DRBG.c
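Review bot: `EverCrypt_Curve25519_scalarmult` returns `void` while `EverCrypt_Curve25519_ecdh` passes through the `bool` from `Hacl_Curve25519_64_ecdh`/`Hacl_Curve25519_51_ecdh`, and nothing in this file says what that result means or that `scalarmult` applies no check to the shared secret at all; a comment on `ecdh` along the lines of `/* Returns the underlying ecdh result (presumably false for a rejected, e.g. all-zero, shared secret); callers must check it and should prefer ecdh over scalarmult for key agreement. */` should be added, with the exact meaning confirmed against the HACL* implementation. `has_adx_bmi2()` is declared with an empty parameter list and should be `static inline bool has_adx_bmi2(void)` so the declaration is a prototype. The `#if HACL_CAN_COMPILE_VALE` fallback to `Hacl_Curve25519_51_*` is repeated three times without a comment naming the two backends, so a one-liner above `has_adx_bmi2` explaining that it selects the 64-bit implementation when ADX and BMI2 are present would help readers.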
@@ -0,0 +1,2597 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_DRBG.h" + + + +uint32_t EverCrypt_DRBG_reseed_interval = (uint32_t)1024U; + +uint32_t EverCrypt_DRBG_max_output_length = (uint32_t)65536U; + +uint32_t EverCrypt_DRBG_max_length = (uint32_t)65536U; + +uint32_t EverCrypt_DRBG_max_personalization_string_length = (uint32_t)65536U; + +uint32_t EverCrypt_DRBG_max_additional_input_length = (uint32_t)65536U; + +uint32_t EverCrypt_DRBG_min_length(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + return (uint32_t)16U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_SHA2_384: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return (uint32_t)32U; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +typedef struct EverCrypt_DRBG_state_s_s +{ + EverCrypt_DRBG_state_s_tags tag; + union { + Hacl_HMAC_DRBG_state case_SHA1_s; + Hacl_HMAC_DRBG_state case_SHA2_256_s; + Hacl_HMAC_DRBG_state case_SHA2_384_s; + Hacl_HMAC_DRBG_state case_SHA2_512_s; + } + val; +} +EverCrypt_DRBG_state_s; + +bool +EverCrypt_DRBG_uu___is_SHA1_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +) +{ + if (projectee.tag == EverCrypt_DRBG_SHA1_s) + { + return true; + } + return false; +} + +bool +EverCrypt_DRBG_uu___is_SHA2_256_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +) +{ + if (projectee.tag == EverCrypt_DRBG_SHA2_256_s) + { + return true; + } + return false; +} + +bool +EverCrypt_DRBG_uu___is_SHA2_384_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +) +{ + if (projectee.tag == EverCrypt_DRBG_SHA2_384_s) + { + return true; + } + return false; +} + +bool +EverCrypt_DRBG_uu___is_SHA2_512_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +) +{ + if (projectee.tag == EverCrypt_DRBG_SHA2_512_s) + { + 
return true; + } + return false; +} + +EverCrypt_DRBG_state_s *EverCrypt_DRBG_create(Spec_Hash_Definitions_hash_alg a) +{ + EverCrypt_DRBG_state_s st; + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + EverCrypt_DRBG_state_s lit0; + lit0.tag = EverCrypt_DRBG_SHA1_s; + { + uint8_t *k = (uint8_t *)KRML_HOST_CALLOC((uint32_t)20U, sizeof (uint8_t)); + uint8_t *v = (uint8_t *)KRML_HOST_CALLOC((uint32_t)20U, sizeof (uint8_t)); + uint32_t *ctr = (uint32_t *)KRML_HOST_MALLOC(sizeof (uint32_t)); + ctr[0U] = (uint32_t)1U; + { + Hacl_HMAC_DRBG_state lit; + lit.k = k; + lit.v = v; + lit.reseed_counter = ctr; + lit0.val.case_SHA1_s = lit; + st = lit0; + } + } + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + EverCrypt_DRBG_state_s lit0; + lit0.tag = EverCrypt_DRBG_SHA2_256_s; + { + uint8_t *k = (uint8_t *)KRML_HOST_CALLOC((uint32_t)32U, sizeof (uint8_t)); + uint8_t *v = (uint8_t *)KRML_HOST_CALLOC((uint32_t)32U, sizeof (uint8_t)); + uint32_t *ctr = (uint32_t *)KRML_HOST_MALLOC(sizeof (uint32_t)); + ctr[0U] = (uint32_t)1U; + { + Hacl_HMAC_DRBG_state lit; + lit.k = k; + lit.v = v; + lit.reseed_counter = ctr; + lit0.val.case_SHA2_256_s = lit; + st = lit0; + } + } + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + EverCrypt_DRBG_state_s lit0; + lit0.tag = EverCrypt_DRBG_SHA2_384_s; + { + uint8_t *k = (uint8_t *)KRML_HOST_CALLOC((uint32_t)48U, sizeof (uint8_t)); + uint8_t *v = (uint8_t *)KRML_HOST_CALLOC((uint32_t)48U, sizeof (uint8_t)); + uint32_t *ctr = (uint32_t *)KRML_HOST_MALLOC(sizeof (uint32_t)); + ctr[0U] = (uint32_t)1U; + { + Hacl_HMAC_DRBG_state lit; + lit.k = k; + lit.v = v; + lit.reseed_counter = ctr; + lit0.val.case_SHA2_384_s = lit; + st = lit0; + } + } + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + EverCrypt_DRBG_state_s lit0; + lit0.tag = EverCrypt_DRBG_SHA2_512_s; + { + uint8_t *k = (uint8_t *)KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); + uint8_t *v = (uint8_t *)KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); + uint32_t 
*ctr = (uint32_t *)KRML_HOST_MALLOC(sizeof (uint32_t)); + ctr[0U] = (uint32_t)1U; + { + Hacl_HMAC_DRBG_state lit; + lit.k = k; + lit.v = v; + lit.reseed_counter = ctr; + lit0.val.case_SHA2_512_s = lit; + st = lit0; + } + } + break; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + KRML_CHECK_SIZE(sizeof (EverCrypt_DRBG_state_s), (uint32_t)1U); + { + EverCrypt_DRBG_state_s + *buf = (EverCrypt_DRBG_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_DRBG_state_s)); + buf[0U] = st; + return buf; + } +} + +bool +EverCrypt_DRBG_instantiate_sha1( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t personalization_string_len +) +{ + if (personalization_string_len > Hacl_HMAC_DRBG_max_personalization_string_length) + { + return false; + } + { + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA1); + uint32_t nonce_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA1) / (uint32_t)2U; + uint32_t min_entropy = entropy_input_len + nonce_len; + KRML_CHECK_SIZE(sizeof (uint8_t), min_entropy); + { + uint8_t entropy[min_entropy]; + memset(entropy, 0U, min_entropy * sizeof (uint8_t)); + { + bool ok = Lib_RandomBuffer_System_randombytes(entropy, min_entropy); + if (!ok) + { + return false; + } + { + uint8_t *entropy_input = entropy; + uint8_t *nonce = entropy + entropy_input_len; + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), + entropy_input_len + nonce_len + personalization_string_len); + { + uint8_t seed_material[entropy_input_len + nonce_len + personalization_string_len]; + memset(seed_material, + 0U, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, nonce, nonce_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len + nonce_len, + personalization_string, 
+ personalization_string_len * sizeof (uint8_t)); + { + Hacl_HMAC_DRBG_state scrut; + if (st_s.tag == EverCrypt_DRBG_SHA1_s) + { + scrut = st_s.val.case_SHA1_s; + } + else + { + scrut = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + { + uint8_t *k = scrut.k; + uint8_t *v = scrut.v; + uint32_t *ctr = scrut.reseed_counter; + memset(k, 0U, (uint32_t)20U * sizeof (uint8_t)); + memset(v, (uint8_t)1U, (uint32_t)20U * sizeof (uint8_t)); + ctr[0U] = (uint32_t)1U; + { + uint32_t + input_len = + (uint32_t)21U + + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)20U * sizeof (uint8_t)); + if + (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)21U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) + * sizeof (uint8_t)); + } + input0[20U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha1(k_, k, (uint32_t)20U, input0, input_len); + EverCrypt_HMAC_compute_sha1(v, k_, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_, (uint32_t)20U * sizeof (uint8_t)); + if + (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + uint32_t + input_len0 = + (uint32_t)21U + + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)20U * sizeof (uint8_t)); + if + ( + entropy_input_len + + nonce_len + + personalization_string_len + != (uint32_t)0U + ) + { + memcpy(input + (uint32_t)21U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) + * sizeof (uint8_t)); + } + input[20U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha1(k_0, k, 
(uint32_t)20U, input, input_len0); + EverCrypt_HMAC_compute_sha1(v, k_0, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_0, (uint32_t)20U * sizeof (uint8_t)); + } + } + } + return true; + } + } + } + } + } + } + } + } + } + } +} + +bool +EverCrypt_DRBG_instantiate_sha2_256( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t personalization_string_len +) +{ + if (personalization_string_len > Hacl_HMAC_DRBG_max_personalization_string_length) + { + return false; + } + { + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_256); + uint32_t nonce_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_256) / (uint32_t)2U; + uint32_t min_entropy = entropy_input_len + nonce_len; + KRML_CHECK_SIZE(sizeof (uint8_t), min_entropy); + { + uint8_t entropy[min_entropy]; + memset(entropy, 0U, min_entropy * sizeof (uint8_t)); + { + bool ok = Lib_RandomBuffer_System_randombytes(entropy, min_entropy); + if (!ok) + { + return false; + } + { + uint8_t *entropy_input = entropy; + uint8_t *nonce = entropy + entropy_input_len; + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), + entropy_input_len + nonce_len + personalization_string_len); + { + uint8_t seed_material[entropy_input_len + nonce_len + personalization_string_len]; + memset(seed_material, + 0U, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, nonce, nonce_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len + nonce_len, + personalization_string, + personalization_string_len * sizeof (uint8_t)); + { + Hacl_HMAC_DRBG_state scrut; + if (st_s.tag == EverCrypt_DRBG_SHA2_256_s) + { + scrut = st_s.val.case_SHA2_256_s; + } + else + { + scrut = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + { + uint8_t *k = scrut.k; + uint8_t *v = 
scrut.v; + uint32_t *ctr = scrut.reseed_counter; + memset(k, 0U, (uint32_t)32U * sizeof (uint8_t)); + memset(v, (uint8_t)1U, (uint32_t)32U * sizeof (uint8_t)); + ctr[0U] = (uint32_t)1U; + { + uint32_t + input_len = + (uint32_t)33U + + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)32U * sizeof (uint8_t)); + if + (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)33U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) + * sizeof (uint8_t)); + } + input0[32U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_256(k_, k, (uint32_t)32U, input0, input_len); + EverCrypt_HMAC_compute_sha2_256(v, k_, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_, (uint32_t)32U * sizeof (uint8_t)); + if + (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + uint32_t + input_len0 = + (uint32_t)33U + + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)32U * sizeof (uint8_t)); + if + ( + entropy_input_len + + nonce_len + + personalization_string_len + != (uint32_t)0U + ) + { + memcpy(input + (uint32_t)33U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) + * sizeof (uint8_t)); + } + input[32U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_256(k_0, + k, + (uint32_t)32U, + input, + input_len0); + EverCrypt_HMAC_compute_sha2_256(v, + k_0, + (uint32_t)32U, + v, + (uint32_t)32U); + memcpy(k, k_0, (uint32_t)32U * sizeof (uint8_t)); + } + } + } + return true; + } + } + } + } + } + } + } + } + } + } +} + +bool +EverCrypt_DRBG_instantiate_sha2_384( + 
EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t personalization_string_len +) +{ + if (personalization_string_len > Hacl_HMAC_DRBG_max_personalization_string_length) + { + return false; + } + { + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_384); + uint32_t nonce_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_384) / (uint32_t)2U; + uint32_t min_entropy = entropy_input_len + nonce_len; + KRML_CHECK_SIZE(sizeof (uint8_t), min_entropy); + { + uint8_t entropy[min_entropy]; + memset(entropy, 0U, min_entropy * sizeof (uint8_t)); + { + bool ok = Lib_RandomBuffer_System_randombytes(entropy, min_entropy); + if (!ok) + { + return false; + } + { + uint8_t *entropy_input = entropy; + uint8_t *nonce = entropy + entropy_input_len; + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), + entropy_input_len + nonce_len + personalization_string_len); + { + uint8_t seed_material[entropy_input_len + nonce_len + personalization_string_len]; + memset(seed_material, + 0U, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, nonce, nonce_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len + nonce_len, + personalization_string, + personalization_string_len * sizeof (uint8_t)); + { + Hacl_HMAC_DRBG_state scrut; + if (st_s.tag == EverCrypt_DRBG_SHA2_384_s) + { + scrut = st_s.val.case_SHA2_384_s; + } + else + { + scrut = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + { + uint8_t *k = scrut.k; + uint8_t *v = scrut.v; + uint32_t *ctr = scrut.reseed_counter; + memset(k, 0U, (uint32_t)48U * sizeof (uint8_t)); + memset(v, (uint8_t)1U, (uint32_t)48U * sizeof (uint8_t)); + ctr[0U] = (uint32_t)1U; + { + uint32_t + input_len = + (uint32_t)49U + + entropy_input_len + nonce_len + 
personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)48U * sizeof (uint8_t)); + if + (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)49U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) + * sizeof (uint8_t)); + } + input0[48U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_384(k_, k, (uint32_t)48U, input0, input_len); + EverCrypt_HMAC_compute_sha2_384(v, k_, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_, (uint32_t)48U * sizeof (uint8_t)); + if + (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + uint32_t + input_len0 = + (uint32_t)49U + + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)48U * sizeof (uint8_t)); + if + ( + entropy_input_len + + nonce_len + + personalization_string_len + != (uint32_t)0U + ) + { + memcpy(input + (uint32_t)49U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) + * sizeof (uint8_t)); + } + input[48U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_384(k_0, + k, + (uint32_t)48U, + input, + input_len0); + EverCrypt_HMAC_compute_sha2_384(v, + k_0, + (uint32_t)48U, + v, + (uint32_t)48U); + memcpy(k, k_0, (uint32_t)48U * sizeof (uint8_t)); + } + } + } + return true; + } + } + } + } + } + } + } + } + } + } +} + +bool +EverCrypt_DRBG_instantiate_sha2_512( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t personalization_string_len +) +{ + if (personalization_string_len > Hacl_HMAC_DRBG_max_personalization_string_length) + { + return false; + } + { + uint32_t entropy_input_len = 
Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_512); + uint32_t nonce_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_512) / (uint32_t)2U; + uint32_t min_entropy = entropy_input_len + nonce_len; + KRML_CHECK_SIZE(sizeof (uint8_t), min_entropy); + { + uint8_t entropy[min_entropy]; + memset(entropy, 0U, min_entropy * sizeof (uint8_t)); + { + bool ok = Lib_RandomBuffer_System_randombytes(entropy, min_entropy); + if (!ok) + { + return false; + } + { + uint8_t *entropy_input = entropy; + uint8_t *nonce = entropy + entropy_input_len; + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), + entropy_input_len + nonce_len + personalization_string_len); + { + uint8_t seed_material[entropy_input_len + nonce_len + personalization_string_len]; + memset(seed_material, + 0U, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, nonce, nonce_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len + nonce_len, + personalization_string, + personalization_string_len * sizeof (uint8_t)); + { + Hacl_HMAC_DRBG_state scrut; + if (st_s.tag == EverCrypt_DRBG_SHA2_512_s) + { + scrut = st_s.val.case_SHA2_512_s; + } + else + { + scrut = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + { + uint8_t *k = scrut.k; + uint8_t *v = scrut.v; + uint32_t *ctr = scrut.reseed_counter; + memset(k, 0U, (uint32_t)64U * sizeof (uint8_t)); + memset(v, (uint8_t)1U, (uint32_t)64U * sizeof (uint8_t)); + ctr[0U] = (uint32_t)1U; + { + uint32_t + input_len = + (uint32_t)65U + + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)64U * sizeof (uint8_t)); + if + (entropy_input_len 
+ nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)65U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) + * sizeof (uint8_t)); + } + input0[64U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_512(k_, k, (uint32_t)64U, input0, input_len); + EverCrypt_HMAC_compute_sha2_512(v, k_, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_, (uint32_t)64U * sizeof (uint8_t)); + if + (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + uint32_t + input_len0 = + (uint32_t)65U + + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)64U * sizeof (uint8_t)); + if + ( + entropy_input_len + + nonce_len + + personalization_string_len + != (uint32_t)0U + ) + { + memcpy(input + (uint32_t)65U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) + * sizeof (uint8_t)); + } + input[64U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_512(k_0, + k, + (uint32_t)64U, + input, + input_len0); + EverCrypt_HMAC_compute_sha2_512(v, + k_0, + (uint32_t)64U, + v, + (uint32_t)64U); + memcpy(k, k_0, (uint32_t)64U * sizeof (uint8_t)); + } + } + } + return true; + } + } + } + } + } + } + } + } + } + } +} + +bool +EverCrypt_DRBG_reseed_sha1( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + if (additional_input_len > Hacl_HMAC_DRBG_max_additional_input_length) + { + return false; + } + { + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA1); + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len); + { + uint8_t entropy_input[entropy_input_len]; + memset(entropy_input, 0U, entropy_input_len * sizeof (uint8_t)); + { + bool ok = Lib_RandomBuffer_System_randombytes(entropy_input, entropy_input_len); + if (!ok) + { + 
return false; + } + { + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + additional_input_len); + { + uint8_t seed_material[entropy_input_len + additional_input_len]; + memset(seed_material, + 0U, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, + additional_input, + additional_input_len * sizeof (uint8_t)); + { + Hacl_HMAC_DRBG_state uu____0; + if (st_s.tag == EverCrypt_DRBG_SHA1_s) + { + uu____0 = st_s.val.case_SHA1_s; + } + else + { + uu____0 = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + { + uint8_t *k = uu____0.k; + uint8_t *v = uu____0.v; + uint32_t *ctr = uu____0.reseed_counter; + uint32_t input_len = (uint32_t)21U + entropy_input_len + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)21U, + seed_material, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + } + input0[20U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha1(k_, k, (uint32_t)20U, input0, input_len); + EverCrypt_HMAC_compute_sha1(v, k_, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)21U + entropy_input_len + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)21U, + 
seed_material, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + } + input[20U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha1(k_0, k, (uint32_t)20U, input, input_len0); + EverCrypt_HMAC_compute_sha1(v, k_0, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_0, (uint32_t)20U * sizeof (uint8_t)); + } + } + } + ctr[0U] = (uint32_t)1U; + return true; + } + } + } + } + } + } + } + } + } +} + +bool +EverCrypt_DRBG_reseed_sha2_256( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + if (additional_input_len > Hacl_HMAC_DRBG_max_additional_input_length) + { + return false; + } + { + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_256); + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len); + { + uint8_t entropy_input[entropy_input_len]; + memset(entropy_input, 0U, entropy_input_len * sizeof (uint8_t)); + { + bool ok = Lib_RandomBuffer_System_randombytes(entropy_input, entropy_input_len); + if (!ok) + { + return false; + } + { + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + additional_input_len); + { + uint8_t seed_material[entropy_input_len + additional_input_len]; + memset(seed_material, + 0U, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, + additional_input, + additional_input_len * sizeof (uint8_t)); + { + Hacl_HMAC_DRBG_state uu____0; + if (st_s.tag == EverCrypt_DRBG_SHA2_256_s) + { + uu____0 = st_s.val.case_SHA2_256_s; + } + else + { + uu____0 = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + { + uint8_t *k = uu____0.k; + uint8_t *v = uu____0.v; + uint32_t *ctr = uu____0.reseed_counter; + uint32_t input_len = (uint32_t)33U + entropy_input_len + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t 
input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)33U, + seed_material, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + } + input0[32U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_256(k_, k, (uint32_t)32U, input0, input_len); + EverCrypt_HMAC_compute_sha2_256(v, k_, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)33U + entropy_input_len + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)33U, + seed_material, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + } + input[32U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_256(k_0, k, (uint32_t)32U, input, input_len0); + EverCrypt_HMAC_compute_sha2_256(v, k_0, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_0, (uint32_t)32U * sizeof (uint8_t)); + } + } + } + ctr[0U] = (uint32_t)1U; + return true; + } + } + } + } + } + } + } + } + } +} + +bool +EverCrypt_DRBG_reseed_sha2_384( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + if (additional_input_len > Hacl_HMAC_DRBG_max_additional_input_length) + { + return false; + } + { + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_384); + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len); + { + uint8_t entropy_input[entropy_input_len]; + memset(entropy_input, 0U, entropy_input_len * sizeof (uint8_t)); + { + bool ok = 
Lib_RandomBuffer_System_randombytes(entropy_input, entropy_input_len); + if (!ok) + { + return false; + } + { + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + additional_input_len); + { + uint8_t seed_material[entropy_input_len + additional_input_len]; + memset(seed_material, + 0U, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, + additional_input, + additional_input_len * sizeof (uint8_t)); + { + Hacl_HMAC_DRBG_state uu____0; + if (st_s.tag == EverCrypt_DRBG_SHA2_384_s) + { + uu____0 = st_s.val.case_SHA2_384_s; + } + else + { + uu____0 = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + { + uint8_t *k = uu____0.k; + uint8_t *v = uu____0.v; + uint32_t *ctr = uu____0.reseed_counter; + uint32_t input_len = (uint32_t)49U + entropy_input_len + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)49U, + seed_material, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + } + input0[48U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_384(k_, k, (uint32_t)48U, input0, input_len); + EverCrypt_HMAC_compute_sha2_384(v, k_, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)49U + entropy_input_len + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)48U * sizeof 
(uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)49U, + seed_material, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + } + input[48U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_384(k_0, k, (uint32_t)48U, input, input_len0); + EverCrypt_HMAC_compute_sha2_384(v, k_0, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_0, (uint32_t)48U * sizeof (uint8_t)); + } + } + } + ctr[0U] = (uint32_t)1U; + return true; + } + } + } + } + } + } + } + } + } +} + +bool +EverCrypt_DRBG_reseed_sha2_512( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + if (additional_input_len > Hacl_HMAC_DRBG_max_additional_input_length) + { + return false; + } + { + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_512); + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len); + { + uint8_t entropy_input[entropy_input_len]; + memset(entropy_input, 0U, entropy_input_len * sizeof (uint8_t)); + { + bool ok = Lib_RandomBuffer_System_randombytes(entropy_input, entropy_input_len); + if (!ok) + { + return false; + } + { + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + additional_input_len); + { + uint8_t seed_material[entropy_input_len + additional_input_len]; + memset(seed_material, + 0U, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, + additional_input, + additional_input_len * sizeof (uint8_t)); + { + Hacl_HMAC_DRBG_state uu____0; + if (st_s.tag == EverCrypt_DRBG_SHA2_512_s) + { + uu____0 = st_s.val.case_SHA2_512_s; + } + else + { + uu____0 = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + { + uint8_t *k = uu____0.k; + uint8_t *v = uu____0.v; + uint32_t *ctr = uu____0.reseed_counter; + uint32_t input_len = 
(uint32_t)65U + entropy_input_len + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)65U, + seed_material, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + } + input0[64U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_512(k_, k, (uint32_t)64U, input0, input_len); + EverCrypt_HMAC_compute_sha2_512(v, k_, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)65U + entropy_input_len + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)65U, + seed_material, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + } + input[64U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_512(k_0, k, (uint32_t)64U, input, input_len0); + EverCrypt_HMAC_compute_sha2_512(v, k_0, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_0, (uint32_t)64U * sizeof (uint8_t)); + } + } + } + ctr[0U] = (uint32_t)1U; + return true; + } + } + } + } + } + } + } + } + } +} + +bool +EverCrypt_DRBG_generate_sha1( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + if + ( + additional_input_len + > Hacl_HMAC_DRBG_max_additional_input_length + || n > Hacl_HMAC_DRBG_max_output_length + ) + { + return false; + } + { + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA1); + bool ok0; + if 
(additional_input_len > Hacl_HMAC_DRBG_max_additional_input_length) + { + ok0 = false; + } + else + { + uint32_t entropy_input_len1 = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA1); + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len1); + { + uint8_t entropy_input[entropy_input_len1]; + memset(entropy_input, 0U, entropy_input_len1 * sizeof (uint8_t)); + { + bool ok = Lib_RandomBuffer_System_randombytes(entropy_input, entropy_input_len1); + bool result; + if (!ok) + { + result = false; + } + else + { + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len1 + additional_input_len); + { + uint8_t seed_material[entropy_input_len1 + additional_input_len]; + memset(seed_material, + 0U, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len1 * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len1, + additional_input, + additional_input_len * sizeof (uint8_t)); + { + Hacl_HMAC_DRBG_state uu____0; + if (st_s.tag == EverCrypt_DRBG_SHA1_s) + { + uu____0 = st_s.val.case_SHA1_s; + } + else + { + uu____0 = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + { + uint8_t *k = uu____0.k; + uint8_t *v = uu____0.v; + uint32_t *ctr = uu____0.reseed_counter; + uint32_t input_len = (uint32_t)21U + entropy_input_len1 + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)21U, + seed_material, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + } + input0[20U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha1(k_, k, (uint32_t)20U, input0, input_len); + EverCrypt_HMAC_compute_sha1(v, k_, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_, 
(uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)21U + entropy_input_len1 + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)21U, + seed_material, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + } + input[20U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha1(k_0, k, (uint32_t)20U, input, input_len0); + EverCrypt_HMAC_compute_sha1(v, k_0, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_0, (uint32_t)20U * sizeof (uint8_t)); + } + } + } + ctr[0U] = (uint32_t)1U; + result = true; + } + } + } + } + } + } + ok0 = result; + } + } + } + if (!ok0) + { + return false; + } + { + EverCrypt_DRBG_state_s st_s = *st; + Hacl_HMAC_DRBG_state x1; + if (st_s.tag == EverCrypt_DRBG_SHA1_s) + { + x1 = st_s.val.case_SHA1_s; + } + else + { + x1 = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + { + bool b; + if (x1.reseed_counter[0U] > Hacl_HMAC_DRBG_reseed_interval) + { + b = false; + } + else + { + Hacl_HMAC_DRBG_state scrut; + if (st_s.tag == EverCrypt_DRBG_SHA1_s) + { + scrut = st_s.val.case_SHA1_s; + } + else + { + scrut = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + { + uint8_t *k = scrut.k; + uint8_t *v = scrut.v; + uint32_t *ctr = scrut.reseed_counter; + if (additional_input_len > (uint32_t)0U) + { + uint32_t input_len = (uint32_t)21U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != 
(uint32_t)0U) + { + memcpy(input0 + (uint32_t)21U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input0[20U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha1(k_, k, (uint32_t)20U, input0, input_len); + EverCrypt_HMAC_compute_sha1(v, k_, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)21U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)21U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[20U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha1(k_0, k, (uint32_t)20U, input, input_len0); + EverCrypt_HMAC_compute_sha1(v, k_0, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_0, (uint32_t)20U * sizeof (uint8_t)); + } + } + } + } + } + } + { + uint8_t *output1 = output; + uint32_t max = n / (uint32_t)20U; + uint8_t *out = output1; + { + uint32_t i; + for (i = (uint32_t)0U; i < max; i++) + { + EverCrypt_HMAC_compute_sha1(v, k, (uint32_t)20U, v, (uint32_t)20U); + memcpy(out + i * (uint32_t)20U, v, (uint32_t)20U * sizeof (uint8_t)); + } + } + if (max * (uint32_t)20U < n) + { + uint8_t *block = output1 + max * (uint32_t)20U; + EverCrypt_HMAC_compute_sha1(v, k, (uint32_t)20U, v, (uint32_t)20U); + memcpy(block, v, (n - max * (uint32_t)20U) * sizeof (uint8_t)); + } + { + uint32_t input_len = (uint32_t)21U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)21U, + additional_input, + additional_input_len * 
sizeof (uint8_t)); + } + input0[20U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha1(k_, k, (uint32_t)20U, input0, input_len); + EverCrypt_HMAC_compute_sha1(v, k_, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)21U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)21U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[20U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha1(k_0, k, (uint32_t)20U, input, input_len0); + EverCrypt_HMAC_compute_sha1(v, k_0, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_0, (uint32_t)20U * sizeof (uint8_t)); + } + } + } + { + uint32_t old_ctr = ctr[0U]; + ctr[0U] = old_ctr + (uint32_t)1U; + b = true; + } + } + } + } + } + } + } + return true; + } + } + } +} + +bool +EverCrypt_DRBG_generate_sha2_256( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + if + ( + additional_input_len + > Hacl_HMAC_DRBG_max_additional_input_length + || n > Hacl_HMAC_DRBG_max_output_length + ) + { + return false; + } + { + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_256); + bool ok0; + if (additional_input_len > Hacl_HMAC_DRBG_max_additional_input_length) + { + ok0 = false; + } + else + { + uint32_t entropy_input_len1 = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_256); + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len1); + { + uint8_t entropy_input[entropy_input_len1]; + memset(entropy_input, 0U, entropy_input_len1 * sizeof (uint8_t)); + { + bool ok = Lib_RandomBuffer_System_randombytes(entropy_input, entropy_input_len1); + bool result; + 
if (!ok) + { + result = false; + } + else + { + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len1 + additional_input_len); + { + uint8_t seed_material[entropy_input_len1 + additional_input_len]; + memset(seed_material, + 0U, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len1 * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len1, + additional_input, + additional_input_len * sizeof (uint8_t)); + { + Hacl_HMAC_DRBG_state uu____0; + if (st_s.tag == EverCrypt_DRBG_SHA2_256_s) + { + uu____0 = st_s.val.case_SHA2_256_s; + } + else + { + uu____0 = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + { + uint8_t *k = uu____0.k; + uint8_t *v = uu____0.v; + uint32_t *ctr = uu____0.reseed_counter; + uint32_t input_len = (uint32_t)33U + entropy_input_len1 + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)33U, + seed_material, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + } + input0[32U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_256(k_, k, (uint32_t)32U, input0, input_len); + EverCrypt_HMAC_compute_sha2_256(v, k_, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)33U + entropy_input_len1 + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != 
(uint32_t)0U) + { + memcpy(input + (uint32_t)33U, + seed_material, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + } + input[32U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_256(k_0, + k, + (uint32_t)32U, + input, + input_len0); + EverCrypt_HMAC_compute_sha2_256(v, + k_0, + (uint32_t)32U, + v, + (uint32_t)32U); + memcpy(k, k_0, (uint32_t)32U * sizeof (uint8_t)); + } + } + } + ctr[0U] = (uint32_t)1U; + result = true; + } + } + } + } + } + } + ok0 = result; + } + } + } + if (!ok0) + { + return false; + } + { + EverCrypt_DRBG_state_s st_s = *st; + Hacl_HMAC_DRBG_state x1; + if (st_s.tag == EverCrypt_DRBG_SHA2_256_s) + { + x1 = st_s.val.case_SHA2_256_s; + } + else + { + x1 = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + { + bool b; + if (x1.reseed_counter[0U] > Hacl_HMAC_DRBG_reseed_interval) + { + b = false; + } + else + { + Hacl_HMAC_DRBG_state scrut; + if (st_s.tag == EverCrypt_DRBG_SHA2_256_s) + { + scrut = st_s.val.case_SHA2_256_s; + } + else + { + scrut = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + { + uint8_t *k = scrut.k; + uint8_t *v = scrut.v; + uint32_t *ctr = scrut.reseed_counter; + if (additional_input_len > (uint32_t)0U) + { + uint32_t input_len = (uint32_t)33U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)33U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input0[32U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_256(k_, k, (uint32_t)32U, input0, input_len); + EverCrypt_HMAC_compute_sha2_256(v, k_, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t 
input_len0 = (uint32_t)33U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)33U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[32U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_256(k_0, k, (uint32_t)32U, input, input_len0); + EverCrypt_HMAC_compute_sha2_256(v, k_0, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_0, (uint32_t)32U * sizeof (uint8_t)); + } + } + } + } + } + } + { + uint8_t *output1 = output; + uint32_t max = n / (uint32_t)32U; + uint8_t *out = output1; + { + uint32_t i; + for (i = (uint32_t)0U; i < max; i++) + { + EverCrypt_HMAC_compute_sha2_256(v, k, (uint32_t)32U, v, (uint32_t)32U); + memcpy(out + i * (uint32_t)32U, v, (uint32_t)32U * sizeof (uint8_t)); + } + } + if (max * (uint32_t)32U < n) + { + uint8_t *block = output1 + max * (uint32_t)32U; + EverCrypt_HMAC_compute_sha2_256(v, k, (uint32_t)32U, v, (uint32_t)32U); + memcpy(block, v, (n - max * (uint32_t)32U) * sizeof (uint8_t)); + } + { + uint32_t input_len = (uint32_t)33U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)33U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input0[32U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_256(k_, k, (uint32_t)32U, input0, input_len); + EverCrypt_HMAC_compute_sha2_256(v, k_, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)33U + additional_input_len; + 
KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)33U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[32U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_256(k_0, k, (uint32_t)32U, input, input_len0); + EverCrypt_HMAC_compute_sha2_256(v, k_0, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_0, (uint32_t)32U * sizeof (uint8_t)); + } + } + } + { + uint32_t old_ctr = ctr[0U]; + ctr[0U] = old_ctr + (uint32_t)1U; + b = true; + } + } + } + } + } + } + } + return true; + } + } + } +} + +bool +EverCrypt_DRBG_generate_sha2_384( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + if + ( + additional_input_len + > Hacl_HMAC_DRBG_max_additional_input_length + || n > Hacl_HMAC_DRBG_max_output_length + ) + { + return false; + } + { + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_384); + bool ok0; + if (additional_input_len > Hacl_HMAC_DRBG_max_additional_input_length) + { + ok0 = false; + } + else + { + uint32_t entropy_input_len1 = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_384); + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len1); + { + uint8_t entropy_input[entropy_input_len1]; + memset(entropy_input, 0U, entropy_input_len1 * sizeof (uint8_t)); + { + bool ok = Lib_RandomBuffer_System_randombytes(entropy_input, entropy_input_len1); + bool result; + if (!ok) + { + result = false; + } + else + { + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len1 + additional_input_len); + { + uint8_t seed_material[entropy_input_len1 + additional_input_len]; + memset(seed_material, + 0U, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + 
memcpy(seed_material, entropy_input, entropy_input_len1 * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len1, + additional_input, + additional_input_len * sizeof (uint8_t)); + { + Hacl_HMAC_DRBG_state uu____0; + if (st_s.tag == EverCrypt_DRBG_SHA2_384_s) + { + uu____0 = st_s.val.case_SHA2_384_s; + } + else + { + uu____0 = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + { + uint8_t *k = uu____0.k; + uint8_t *v = uu____0.v; + uint32_t *ctr = uu____0.reseed_counter; + uint32_t input_len = (uint32_t)49U + entropy_input_len1 + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)49U, + seed_material, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + } + input0[48U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_384(k_, k, (uint32_t)48U, input0, input_len); + EverCrypt_HMAC_compute_sha2_384(v, k_, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)49U + entropy_input_len1 + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)49U, + seed_material, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + } + input[48U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_384(k_0, + k, + (uint32_t)48U, + input, + input_len0); + EverCrypt_HMAC_compute_sha2_384(v, + k_0, + (uint32_t)48U, + v, + (uint32_t)48U); 
+ memcpy(k, k_0, (uint32_t)48U * sizeof (uint8_t)); + } + } + } + ctr[0U] = (uint32_t)1U; + result = true; + } + } + } + } + } + } + ok0 = result; + } + } + } + if (!ok0) + { + return false; + } + { + EverCrypt_DRBG_state_s st_s = *st; + Hacl_HMAC_DRBG_state x1; + if (st_s.tag == EverCrypt_DRBG_SHA2_384_s) + { + x1 = st_s.val.case_SHA2_384_s; + } + else + { + x1 = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + { + bool b; + if (x1.reseed_counter[0U] > Hacl_HMAC_DRBG_reseed_interval) + { + b = false; + } + else + { + Hacl_HMAC_DRBG_state scrut; + if (st_s.tag == EverCrypt_DRBG_SHA2_384_s) + { + scrut = st_s.val.case_SHA2_384_s; + } + else + { + scrut = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + { + uint8_t *k = scrut.k; + uint8_t *v = scrut.v; + uint32_t *ctr = scrut.reseed_counter; + if (additional_input_len > (uint32_t)0U) + { + uint32_t input_len = (uint32_t)49U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)49U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input0[48U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_384(k_, k, (uint32_t)48U, input0, input_len); + EverCrypt_HMAC_compute_sha2_384(v, k_, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)49U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + 
(uint32_t)49U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[48U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_384(k_0, k, (uint32_t)48U, input, input_len0); + EverCrypt_HMAC_compute_sha2_384(v, k_0, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_0, (uint32_t)48U * sizeof (uint8_t)); + } + } + } + } + } + } + { + uint8_t *output1 = output; + uint32_t max = n / (uint32_t)48U; + uint8_t *out = output1; + { + uint32_t i; + for (i = (uint32_t)0U; i < max; i++) + { + EverCrypt_HMAC_compute_sha2_384(v, k, (uint32_t)48U, v, (uint32_t)48U); + memcpy(out + i * (uint32_t)48U, v, (uint32_t)48U * sizeof (uint8_t)); + } + } + if (max * (uint32_t)48U < n) + { + uint8_t *block = output1 + max * (uint32_t)48U; + EverCrypt_HMAC_compute_sha2_384(v, k, (uint32_t)48U, v, (uint32_t)48U); + memcpy(block, v, (n - max * (uint32_t)48U) * sizeof (uint8_t)); + } + { + uint32_t input_len = (uint32_t)49U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)49U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input0[48U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_384(k_, k, (uint32_t)48U, input0, input_len); + EverCrypt_HMAC_compute_sha2_384(v, k_, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)49U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)49U, + additional_input, + additional_input_len * sizeof 
(uint8_t)); + } + input[48U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_384(k_0, k, (uint32_t)48U, input, input_len0); + EverCrypt_HMAC_compute_sha2_384(v, k_0, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_0, (uint32_t)48U * sizeof (uint8_t)); + } + } + } + { + uint32_t old_ctr = ctr[0U]; + ctr[0U] = old_ctr + (uint32_t)1U; + b = true; + } + } + } + } + } + } + } + return true; + } + } + } +} + +bool +EverCrypt_DRBG_generate_sha2_512( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + if + ( + additional_input_len + > Hacl_HMAC_DRBG_max_additional_input_length + || n > Hacl_HMAC_DRBG_max_output_length + ) + { + return false; + } + { + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_512); + bool ok0; + if (additional_input_len > Hacl_HMAC_DRBG_max_additional_input_length) + { + ok0 = false; + } + else + { + uint32_t entropy_input_len1 = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_512); + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len1); + { + uint8_t entropy_input[entropy_input_len1]; + memset(entropy_input, 0U, entropy_input_len1 * sizeof (uint8_t)); + { + bool ok = Lib_RandomBuffer_System_randombytes(entropy_input, entropy_input_len1); + bool result; + if (!ok) + { + result = false; + } + else + { + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len1 + additional_input_len); + { + uint8_t seed_material[entropy_input_len1 + additional_input_len]; + memset(seed_material, + 0U, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len1 * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len1, + additional_input, + additional_input_len * sizeof (uint8_t)); + { + Hacl_HMAC_DRBG_state uu____0; + if (st_s.tag == EverCrypt_DRBG_SHA2_512_s) + { + uu____0 = st_s.val.case_SHA2_512_s; + } + else + { + uu____0 = + 
KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + { + uint8_t *k = uu____0.k; + uint8_t *v = uu____0.v; + uint32_t *ctr = uu____0.reseed_counter; + uint32_t input_len = (uint32_t)65U + entropy_input_len1 + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)65U, + seed_material, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + } + input0[64U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_512(k_, k, (uint32_t)64U, input0, input_len); + EverCrypt_HMAC_compute_sha2_512(v, k_, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)65U + entropy_input_len1 + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)65U, + seed_material, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + } + input[64U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_512(k_0, + k, + (uint32_t)64U, + input, + input_len0); + EverCrypt_HMAC_compute_sha2_512(v, + k_0, + (uint32_t)64U, + v, + (uint32_t)64U); + memcpy(k, k_0, (uint32_t)64U * sizeof (uint8_t)); + } + } + } + ctr[0U] = (uint32_t)1U; + result = true; + } + } + } + } + } + } + ok0 = result; + } + } + } + if (!ok0) + { + return false; + } + { + EverCrypt_DRBG_state_s st_s = *st; + Hacl_HMAC_DRBG_state x1; + if (st_s.tag == EverCrypt_DRBG_SHA2_512_s) + { + x1 = 
st_s.val.case_SHA2_512_s; + } + else + { + x1 = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + { + bool b; + if (x1.reseed_counter[0U] > Hacl_HMAC_DRBG_reseed_interval) + { + b = false; + } + else + { + Hacl_HMAC_DRBG_state scrut; + if (st_s.tag == EverCrypt_DRBG_SHA2_512_s) + { + scrut = st_s.val.case_SHA2_512_s; + } + else + { + scrut = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + { + uint8_t *k = scrut.k; + uint8_t *v = scrut.v; + uint32_t *ctr = scrut.reseed_counter; + if (additional_input_len > (uint32_t)0U) + { + uint32_t input_len = (uint32_t)65U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)65U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input0[64U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_512(k_, k, (uint32_t)64U, input0, input_len); + EverCrypt_HMAC_compute_sha2_512(v, k_, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)65U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)65U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[64U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_512(k_0, k, (uint32_t)64U, input, input_len0); + EverCrypt_HMAC_compute_sha2_512(v, k_0, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_0, (uint32_t)64U * sizeof (uint8_t)); + } + } + } + } 
+ } + } + { + uint8_t *output1 = output; + uint32_t max = n / (uint32_t)64U; + uint8_t *out = output1; + { + uint32_t i; + for (i = (uint32_t)0U; i < max; i++) + { + EverCrypt_HMAC_compute_sha2_512(v, k, (uint32_t)64U, v, (uint32_t)64U); + memcpy(out + i * (uint32_t)64U, v, (uint32_t)64U * sizeof (uint8_t)); + } + } + if (max * (uint32_t)64U < n) + { + uint8_t *block = output1 + max * (uint32_t)64U; + EverCrypt_HMAC_compute_sha2_512(v, k, (uint32_t)64U, v, (uint32_t)64U); + memcpy(block, v, (n - max * (uint32_t)64U) * sizeof (uint8_t)); + } + { + uint32_t input_len = (uint32_t)65U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)65U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input0[64U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_512(k_, k, (uint32_t)64U, input0, input_len); + EverCrypt_HMAC_compute_sha2_512(v, k_, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)65U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)65U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[64U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_512(k_0, k, (uint32_t)64U, input, input_len0); + EverCrypt_HMAC_compute_sha2_512(v, k_0, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_0, (uint32_t)64U * sizeof (uint8_t)); + } + } + } + { + uint32_t old_ctr = ctr[0U]; + ctr[0U] = old_ctr + (uint32_t)1U; + b = 
true; + } + } + } + } + } + } + } + return true; + } + } + } +} + +void EverCrypt_DRBG_uninstantiate_sha1(EverCrypt_DRBG_state_s *st) +{ + EverCrypt_DRBG_state_s st_s = *st; + Hacl_HMAC_DRBG_state s; + if (st_s.tag == EverCrypt_DRBG_SHA1_s) + { + s = st_s.val.case_SHA1_s; + } + else + { + s = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + { + uint8_t *k = s.k; + uint8_t *v = s.v; + uint32_t *ctr = s.reseed_counter; + Lib_Memzero0_memzero(k, (uint32_t)20U * sizeof (k[0U])); + Lib_Memzero0_memzero(v, (uint32_t)20U * sizeof (v[0U])); + ctr[0U] = (uint32_t)0U; + KRML_HOST_FREE(k); + KRML_HOST_FREE(v); + KRML_HOST_FREE(ctr); + KRML_HOST_FREE(st); + } +} + +void EverCrypt_DRBG_uninstantiate_sha2_256(EverCrypt_DRBG_state_s *st) +{ + EverCrypt_DRBG_state_s st_s = *st; + Hacl_HMAC_DRBG_state s; + if (st_s.tag == EverCrypt_DRBG_SHA2_256_s) + { + s = st_s.val.case_SHA2_256_s; + } + else + { + s = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + { + uint8_t *k = s.k; + uint8_t *v = s.v; + uint32_t *ctr = s.reseed_counter; + Lib_Memzero0_memzero(k, (uint32_t)32U * sizeof (k[0U])); + Lib_Memzero0_memzero(v, (uint32_t)32U * sizeof (v[0U])); + ctr[0U] = (uint32_t)0U; + KRML_HOST_FREE(k); + KRML_HOST_FREE(v); + KRML_HOST_FREE(ctr); + KRML_HOST_FREE(st); + } +} + +void EverCrypt_DRBG_uninstantiate_sha2_384(EverCrypt_DRBG_state_s *st) +{ + EverCrypt_DRBG_state_s st_s = *st; + Hacl_HMAC_DRBG_state s; + if (st_s.tag == EverCrypt_DRBG_SHA2_384_s) + { + s = st_s.val.case_SHA2_384_s; + } + else + { + s = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + { + uint8_t *k = s.k; + uint8_t *v = s.v; + uint32_t *ctr = s.reseed_counter; + Lib_Memzero0_memzero(k, (uint32_t)48U * sizeof (k[0U])); + Lib_Memzero0_memzero(v, (uint32_t)48U * sizeof (v[0U])); + ctr[0U] = (uint32_t)0U; + KRML_HOST_FREE(k); + KRML_HOST_FREE(v); + KRML_HOST_FREE(ctr); + 
KRML_HOST_FREE(st); + } +} + +void EverCrypt_DRBG_uninstantiate_sha2_512(EverCrypt_DRBG_state_s *st) +{ + EverCrypt_DRBG_state_s st_s = *st; + Hacl_HMAC_DRBG_state s; + if (st_s.tag == EverCrypt_DRBG_SHA2_512_s) + { + s = st_s.val.case_SHA2_512_s; + } + else + { + s = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + { + uint8_t *k = s.k; + uint8_t *v = s.v; + uint32_t *ctr = s.reseed_counter; + Lib_Memzero0_memzero(k, (uint32_t)64U * sizeof (k[0U])); + Lib_Memzero0_memzero(v, (uint32_t)64U * sizeof (v[0U])); + ctr[0U] = (uint32_t)0U; + KRML_HOST_FREE(k); + KRML_HOST_FREE(v); + KRML_HOST_FREE(ctr); + KRML_HOST_FREE(st); + } +} + +bool +EverCrypt_DRBG_instantiate( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t personalization_string_len +) +{ + EverCrypt_DRBG_state_s scrut = *st; + if (scrut.tag == EverCrypt_DRBG_SHA1_s) + { + return EverCrypt_DRBG_instantiate_sha1(st, personalization_string, personalization_string_len); + } + if (scrut.tag == EverCrypt_DRBG_SHA2_256_s) + { + return + EverCrypt_DRBG_instantiate_sha2_256(st, + personalization_string, + personalization_string_len); + } + if (scrut.tag == EverCrypt_DRBG_SHA2_384_s) + { + return + EverCrypt_DRBG_instantiate_sha2_384(st, + personalization_string, + personalization_string_len); + } + if (scrut.tag == EverCrypt_DRBG_SHA2_512_s) + { + return + EverCrypt_DRBG_instantiate_sha2_512(st, + personalization_string, + personalization_string_len); + } + KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +bool +EverCrypt_DRBG_reseed( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + EverCrypt_DRBG_state_s scrut = *st; + if (scrut.tag == EverCrypt_DRBG_SHA1_s) + { + return EverCrypt_DRBG_reseed_sha1(st, additional_input, additional_input_len); + } + if (scrut.tag == 
EverCrypt_DRBG_SHA2_256_s) + { + return EverCrypt_DRBG_reseed_sha2_256(st, additional_input, additional_input_len); + } + if (scrut.tag == EverCrypt_DRBG_SHA2_384_s) + { + return EverCrypt_DRBG_reseed_sha2_384(st, additional_input, additional_input_len); + } + if (scrut.tag == EverCrypt_DRBG_SHA2_512_s) + { + return EverCrypt_DRBG_reseed_sha2_512(st, additional_input, additional_input_len); + } + KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +bool +EverCrypt_DRBG_generate( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + EverCrypt_DRBG_state_s scrut = *st; + if (scrut.tag == EverCrypt_DRBG_SHA1_s) + { + return EverCrypt_DRBG_generate_sha1(output, st, n, additional_input, additional_input_len); + } + if (scrut.tag == EverCrypt_DRBG_SHA2_256_s) + { + return EverCrypt_DRBG_generate_sha2_256(output, st, n, additional_input, additional_input_len); + } + if (scrut.tag == EverCrypt_DRBG_SHA2_384_s) + { + return EverCrypt_DRBG_generate_sha2_384(output, st, n, additional_input, additional_input_len); + } + if (scrut.tag == EverCrypt_DRBG_SHA2_512_s) + { + return EverCrypt_DRBG_generate_sha2_512(output, st, n, additional_input, additional_input_len); + } + KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +void EverCrypt_DRBG_uninstantiate(EverCrypt_DRBG_state_s *st) +{ + EverCrypt_DRBG_state_s scrut = *st; + if (scrut.tag == EverCrypt_DRBG_SHA1_s) + { + EverCrypt_DRBG_uninstantiate_sha1(st); + return; + } + if (scrut.tag == EverCrypt_DRBG_SHA2_256_s) + { + EverCrypt_DRBG_uninstantiate_sha2_256(st); + return; + } + if (scrut.tag == EverCrypt_DRBG_SHA2_384_s) + { + EverCrypt_DRBG_uninstantiate_sha2_384(st); + return; + } + if (scrut.tag == EverCrypt_DRBG_SHA2_512_s) + { + 
EverCrypt_DRBG_uninstantiate_sha2_512(st); + return; + } + KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + diff --git a/src/c89/EverCrypt_Ed25519.c b/src/c89/EverCrypt_Ed25519.c new file mode 100644 index 00000000..09a2a0fd --- /dev/null +++ b/src/c89/EverCrypt_Ed25519.c 
@@ -0,0 +1,54 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "EverCrypt_Ed25519.h" + + + +void EverCrypt_Ed25519_sign(uint8_t *signature, uint8_t *secret, uint32_t len, uint8_t *msg) +{ + Hacl_Ed25519_sign(signature, secret, len, msg); +} + +bool EverCrypt_Ed25519_verify(uint8_t *pubkey, uint32_t len, uint8_t *msg, uint8_t *signature) +{ + return Hacl_Ed25519_verify(pubkey, len, msg, signature); +} + +void EverCrypt_Ed25519_secret_to_public(uint8_t *output, uint8_t *secret) +{ + Hacl_Ed25519_secret_to_public(output, secret); +} + +void EverCrypt_Ed25519_expand_keys(uint8_t *ks, uint8_t *secret) +{ + Hacl_Ed25519_expand_keys(ks, secret); +} + +void +EverCrypt_Ed25519_sign_expanded(uint8_t *signature, uint8_t *ks, uint32_t len, uint8_t *msg) +{ + Hacl_Ed25519_sign_expanded(signature, ks, len, msg); +} + 
diff --git a/src/c89/EverCrypt_Error.c b/src/c89/EverCrypt_Error.c new file mode 100644 index 00000000..1a311ad2 --- /dev/null +++ b/src/c89/EverCrypt_Error.c 
@@ -0,0 +1,118 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_Error.h" + + + +bool EverCrypt_Error_uu___is_Success(EverCrypt_Error_error_code projectee) +{ + switch (projectee) + { + case EverCrypt_Error_Success: + { + return true; + } + default: + { + return false; + } + } +} + +bool EverCrypt_Error_uu___is_UnsupportedAlgorithm(EverCrypt_Error_error_code projectee) +{ + switch (projectee) + { + case EverCrypt_Error_UnsupportedAlgorithm: + { + return true; + } + default: + { + return false; + } + } +} + +bool EverCrypt_Error_uu___is_InvalidKey(EverCrypt_Error_error_code projectee) +{ + switch (projectee) + { + case EverCrypt_Error_InvalidKey: + { + return true; + } + default: + { + return false; + } + } +} + +bool EverCrypt_Error_uu___is_AuthenticationFailure(EverCrypt_Error_error_code projectee) +{ + switch (projectee) + { + case EverCrypt_Error_AuthenticationFailure: + { + return true; + } + default: + { + return false; + } + } +} + +bool EverCrypt_Error_uu___is_InvalidIVLength(EverCrypt_Error_error_code projectee) +{ + switch (projectee) + { + case EverCrypt_Error_InvalidIVLength: + { + return true; + } + default: + { + return false; + } + } +} + +bool EverCrypt_Error_uu___is_DecodeError(EverCrypt_Error_error_code projectee) +{ + switch (projectee) + { + case EverCrypt_Error_DecodeError: + { + return true; + } + default: + { + return false; + } + } +} + diff --git a/src/c89/EverCrypt_HKDF.c b/src/c89/EverCrypt_HKDF.c new file mode 100644 index 00000000..6477182e --- /dev/null +++ b/src/c89/EverCrypt_HKDF.c 
@@ -0,0 +1,580 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_HKDF.h" + + + +void +EverCrypt_HKDF_expand_sha1( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)20U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + { + uint8_t text[tlen + infolen + (uint32_t)1U]; + memset(text, 0U, (tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + { + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + EverCrypt_HMAC_compute_sha1(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_sha1(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + EverCrypt_HMAC_compute_sha1(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_sha1(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + { + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } + } + } + } +} + +void +EverCrypt_HKDF_extract_sha1( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + EverCrypt_HMAC_compute_sha1(prk, salt, saltlen, ikm, ikmlen); +} + +void +EverCrypt_HKDF_expand_sha2_256( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)32U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + { + uint8_t text[tlen + infolen + (uint32_t)1U]; + memset(text, 0U, (tlen + infolen + 
(uint32_t)1U) * sizeof (uint8_t)); + { + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + EverCrypt_HMAC_compute_sha2_256(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_sha2_256(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + EverCrypt_HMAC_compute_sha2_256(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_sha2_256(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + { + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } + } + } + } +} + +void +EverCrypt_HKDF_extract_sha2_256( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + EverCrypt_HMAC_compute_sha2_256(prk, salt, saltlen, ikm, ikmlen); +} + +void +EverCrypt_HKDF_expand_sha2_384( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)48U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + { + uint8_t text[tlen + infolen + (uint32_t)1U]; + memset(text, 0U, (tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + { + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + EverCrypt_HMAC_compute_sha2_384(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + 
{ + EverCrypt_HMAC_compute_sha2_384(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + EverCrypt_HMAC_compute_sha2_384(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_sha2_384(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + { + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } + } + } + } +} + +void +EverCrypt_HKDF_extract_sha2_384( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + EverCrypt_HMAC_compute_sha2_384(prk, salt, saltlen, ikm, ikmlen); +} + +void +EverCrypt_HKDF_expand_sha2_512( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)64U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + { + uint8_t text[tlen + infolen + (uint32_t)1U]; + memset(text, 0U, (tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + { + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + EverCrypt_HMAC_compute_sha2_512(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_sha2_512(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + EverCrypt_HMAC_compute_sha2_512(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_sha2_512(tag, prk, prklen, text, 
tlen + infolen + (uint32_t)1U); + } + { + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } + } + } + } +} + +void +EverCrypt_HKDF_extract_sha2_512( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + EverCrypt_HMAC_compute_sha2_512(prk, salt, saltlen, ikm, ikmlen); +} + +void +EverCrypt_HKDF_expand_blake2s( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)32U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + { + uint8_t text[tlen + infolen + (uint32_t)1U]; + memset(text, 0U, (tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + { + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + EverCrypt_HMAC_compute_blake2s(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_blake2s(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + EverCrypt_HMAC_compute_blake2s(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_blake2s(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + { + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } + } + } + } +} + +void +EverCrypt_HKDF_extract_blake2s( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + EverCrypt_HMAC_compute_blake2s(prk, salt, saltlen, ikm, ikmlen); +} + +void +EverCrypt_HKDF_expand_blake2b( + uint8_t *okm, + 
uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)64U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + { + uint8_t text[tlen + infolen + (uint32_t)1U]; + memset(text, 0U, (tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + { + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + EverCrypt_HMAC_compute_blake2b(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_blake2b(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + EverCrypt_HMAC_compute_blake2b(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_blake2b(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + { + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } + } + } + } +} + +void +EverCrypt_HKDF_extract_blake2b( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + EverCrypt_HMAC_compute_blake2b(prk, salt, saltlen, ikm, ikmlen); +} + +void +EverCrypt_HKDF_expand( + Spec_Hash_Definitions_hash_alg a, + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + EverCrypt_HKDF_expand_sha1(okm, prk, prklen, info, infolen, len); + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + EverCrypt_HKDF_expand_sha2_256(okm, prk, prklen, info, infolen, len); + break; + } + case Spec_Hash_Definitions_SHA2_384: 
+ { + EverCrypt_HKDF_expand_sha2_384(okm, prk, prklen, info, infolen, len); + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + EverCrypt_HKDF_expand_sha2_512(okm, prk, prklen, info, infolen, len); + break; + } + case Spec_Hash_Definitions_Blake2S: + { + EverCrypt_HKDF_expand_blake2s(okm, prk, prklen, info, infolen, len); + break; + } + case Spec_Hash_Definitions_Blake2B: + { + EverCrypt_HKDF_expand_blake2b(okm, prk, prklen, info, infolen, len); + break; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +void +EverCrypt_HKDF_extract( + Spec_Hash_Definitions_hash_alg a, + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + EverCrypt_HKDF_extract_sha1(prk, salt, saltlen, ikm, ikmlen); + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + EverCrypt_HKDF_extract_sha2_256(prk, salt, saltlen, ikm, ikmlen); + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + EverCrypt_HKDF_extract_sha2_384(prk, salt, saltlen, ikm, ikmlen); + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + EverCrypt_HKDF_extract_sha2_512(prk, salt, saltlen, ikm, ikmlen); + break; + } + case Spec_Hash_Definitions_Blake2S: + { + EverCrypt_HKDF_extract_blake2s(prk, salt, saltlen, ikm, ikmlen); + break; + } + case Spec_Hash_Definitions_Blake2B: + { + EverCrypt_HKDF_extract_blake2b(prk, salt, saltlen, ikm, ikmlen); + break; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +KRML_DEPRECATED("expand") + +void +EverCrypt_HKDF_hkdf_expand( + Spec_Hash_Definitions_hash_alg a, + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + EverCrypt_HKDF_expand(a, okm, prk, prklen, info, infolen, len); +} + +KRML_DEPRECATED("extract") + +void +EverCrypt_HKDF_hkdf_extract( + 
Spec_Hash_Definitions_hash_alg a, + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + EverCrypt_HKDF_extract(a, prk, salt, saltlen, ikm, ikmlen); +} + diff --git a/src/c89/EverCrypt_HMAC.c b/src/c89/EverCrypt_HMAC.c new file mode 100644 index 00000000..9c3d8940 --- /dev/null +++ b/src/c89/EverCrypt_HMAC.c 
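Review bot: The per-block counter in EverCrypt_HKDF_expand_sha1 is written as `ctr[0U] = (uint8_t)(i + (uint32_t)1U);`, so once `len` exceeds 255 * tlen the counter silently wraps and the blocks after the 255th are no longer the RFC 5869 sequence; nothing in the C enforces the `len <= 255 * tlen` bound, and the same applies to the sha2_256, sha2_384, sha2_512, blake2s and blake2b expand variants in this hunk. Likewise `tlen + infolen + (uint32_t)1U` is computed in uint32_t before `KRML_CHECK_SIZE` sees it, so an `infolen` close to UINT32_MAX would wrap to a small `text` VLA while the following `memcpy(text + tlen, info, infolen * sizeof (uint8_t))` still copies `infolen` bytes. These look like preconditions carried by the F* source that the extracted C does not re-check; since this file appears to be generated, the practical fix is to state them on the public declarations, e.g. `/* Requires len <= 255 * hash_len and infolen + hash_len + 1 not to overflow uint32_t; neither is checked at runtime. */`, and to validate them in the hand-written API layer that fronts these functions. Note also that `text` still holds the last derived block when the function returns and is not cleared, which callers deriving long-lived keys may want to know.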
@@ -0,0 +1,1079 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_HMAC.h" + +#include "internal/Hacl_Hash_SHA2.h" +#include "internal/Hacl_Hash_SHA1.h" +#include "internal/Hacl_Hash_Blake2.h" +#include "internal/Hacl_HMAC.h" + +void +EverCrypt_HMAC_compute_sha1( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)64U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t key_block[l]; + memset(key_block, 0U, l * sizeof (uint8_t)); + { + uint32_t i0; + if (key_len <= (uint32_t)64U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)20U; + } + { + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)64U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_SHA1_legacy_hash(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t ipad[l]; + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t opad[l]; + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + { + uint32_t scrut[5]; + uint32_t *s; + uint8_t *dst1; + uint8_t *hash1; + { + uint32_t i; + for (i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + } + scrut[0U] = (uint32_t)0x67452301U; + scrut[1U] = (uint32_t)0xefcdab89U; + scrut[2U] = (uint32_t)0x98badcfeU; + scrut[3U] = (uint32_t)0x10325476U; + scrut[4U] = (uint32_t)0xc3d2e1f0U; + s = scrut; + dst1 = ipad; + Hacl_Hash_Core_SHA1_legacy_init(s); + if (data_len == (uint32_t)0U) + { + Hacl_Hash_SHA1_legacy_update_last(s, (uint64_t)0U, ipad, (uint32_t)64U); + } + else + { + Hacl_Hash_SHA1_legacy_update_multi(s, ipad, (uint32_t)1U); + Hacl_Hash_SHA1_legacy_update_last(s, (uint64_t)(uint32_t)64U, data, data_len); + } + Hacl_Hash_Core_SHA1_legacy_finish(s, dst1); + hash1 = ipad; + Hacl_Hash_Core_SHA1_legacy_init(s); + if ((uint32_t)20U 
== (uint32_t)0U) + { + Hacl_Hash_SHA1_legacy_update_last(s, (uint64_t)0U, opad, (uint32_t)64U); + } + else + { + Hacl_Hash_SHA1_legacy_update_multi(s, opad, (uint32_t)1U); + Hacl_Hash_SHA1_legacy_update_last(s, (uint64_t)(uint32_t)64U, hash1, (uint32_t)20U); + } + Hacl_Hash_Core_SHA1_legacy_finish(s, dst); + } + } + } + } + } + } +} + +void +EverCrypt_HMAC_compute_sha2_256( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)64U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t key_block[l]; + memset(key_block, 0U, l * sizeof (uint8_t)); + { + uint32_t i0; + if (key_len <= (uint32_t)64U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)32U; + } + { + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)64U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + EverCrypt_Hash_hash_256(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t ipad[l]; + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t opad[l]; + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + { + uint32_t scrut[8]; + uint32_t *s; + uint8_t *dst1; + uint8_t *hash1; + { + uint32_t i; + for (i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + } + scrut[0U] = (uint32_t)0x6a09e667U; + scrut[1U] = (uint32_t)0xbb67ae85U; + scrut[2U] = (uint32_t)0x3c6ef372U; + scrut[3U] = (uint32_t)0xa54ff53aU; + scrut[4U] = (uint32_t)0x510e527fU; + scrut[5U] = (uint32_t)0x9b05688cU; + scrut[6U] = (uint32_t)0x1f83d9abU; + scrut[7U] = (uint32_t)0x5be0cd19U; + s = scrut; + dst1 = ipad; + Hacl_Hash_Core_SHA2_init_256(s); + if (data_len == (uint32_t)0U) + { + EverCrypt_Hash_update_last_256(s, (uint64_t)0U, ipad, (uint32_t)64U); + } + else + { + 
EverCrypt_Hash_update_multi_256(s, ipad, (uint32_t)1U); + EverCrypt_Hash_update_last_256(s, (uint64_t)(uint32_t)64U, data, data_len); + } + Hacl_Hash_Core_SHA2_finish_256(s, dst1); + hash1 = ipad; + Hacl_Hash_Core_SHA2_init_256(s); + if ((uint32_t)32U == (uint32_t)0U) + { + EverCrypt_Hash_update_last_256(s, (uint64_t)0U, opad, (uint32_t)64U); + } + else + { + EverCrypt_Hash_update_multi_256(s, opad, (uint32_t)1U); + EverCrypt_Hash_update_last_256(s, (uint64_t)(uint32_t)64U, hash1, (uint32_t)32U); + } + Hacl_Hash_Core_SHA2_finish_256(s, dst); + } + } + } + } + } + } +} + +void +EverCrypt_HMAC_compute_sha2_384( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)128U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t key_block[l]; + memset(key_block, 0U, l * sizeof (uint8_t)); + { + uint32_t i0; + if (key_len <= (uint32_t)128U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)48U; + } + { + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)128U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_SHA2_hash_384(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t ipad[l]; + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t opad[l]; + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + { + uint64_t scrut[8]; + uint64_t *s; + uint8_t *dst1; + uint8_t *hash1; + { + uint32_t i; + for (i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + } + scrut[0U] = (uint64_t)0xcbbb9d5dc1059ed8U; + scrut[1U] = (uint64_t)0x629a292a367cd507U; + scrut[2U] = (uint64_t)0x9159015a3070dd17U; + scrut[3U] = (uint64_t)0x152fecd8f70e5939U; + scrut[4U] = (uint64_t)0x67332667ffc00b31U; + scrut[5U] = 
(uint64_t)0x8eb44a8768581511U; + scrut[6U] = (uint64_t)0xdb0c2e0d64f98fa7U; + scrut[7U] = (uint64_t)0x47b5481dbefa4fa4U; + s = scrut; + dst1 = ipad; + Hacl_Hash_Core_SHA2_init_384(s); + if (data_len == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_384(s, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + ipad, + (uint32_t)128U); + } + else + { + Hacl_Hash_SHA2_update_multi_384(s, ipad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_384(s, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + data, + data_len); + } + Hacl_Hash_Core_SHA2_finish_384(s, dst1); + hash1 = ipad; + Hacl_Hash_Core_SHA2_init_384(s); + if ((uint32_t)48U == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_384(s, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + opad, + (uint32_t)128U); + } + else + { + Hacl_Hash_SHA2_update_multi_384(s, opad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_384(s, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + hash1, + (uint32_t)48U); + } + Hacl_Hash_Core_SHA2_finish_384(s, dst); + } + } + } + } + } + } +} + +void +EverCrypt_HMAC_compute_sha2_512( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)128U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t key_block[l]; + memset(key_block, 0U, l * sizeof (uint8_t)); + { + uint32_t i0; + if (key_len <= (uint32_t)128U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)64U; + } + { + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)128U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_SHA2_hash_512(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t ipad[l]; + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t opad[l]; + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); 
+ { + uint64_t scrut[8]; + uint64_t *s; + uint8_t *dst1; + uint8_t *hash1; + { + uint32_t i; + for (i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + } + scrut[0U] = (uint64_t)0x6a09e667f3bcc908U; + scrut[1U] = (uint64_t)0xbb67ae8584caa73bU; + scrut[2U] = (uint64_t)0x3c6ef372fe94f82bU; + scrut[3U] = (uint64_t)0xa54ff53a5f1d36f1U; + scrut[4U] = (uint64_t)0x510e527fade682d1U; + scrut[5U] = (uint64_t)0x9b05688c2b3e6c1fU; + scrut[6U] = (uint64_t)0x1f83d9abfb41bd6bU; + scrut[7U] = (uint64_t)0x5be0cd19137e2179U; + s = scrut; + dst1 = ipad; + Hacl_Hash_Core_SHA2_init_512(s); + if (data_len == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_512(s, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + ipad, + (uint32_t)128U); + } + else + { + Hacl_Hash_SHA2_update_multi_512(s, ipad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_512(s, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + data, + data_len); + } + Hacl_Hash_Core_SHA2_finish_512(s, dst1); + hash1 = ipad; + Hacl_Hash_Core_SHA2_init_512(s); + if ((uint32_t)64U == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_512(s, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + opad, + (uint32_t)128U); + } + else + { + Hacl_Hash_SHA2_update_multi_512(s, opad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_512(s, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + hash1, + (uint32_t)64U); + } + Hacl_Hash_Core_SHA2_finish_512(s, dst); + } + } + } + } + } + } +} + +void +EverCrypt_HMAC_compute_blake2s( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)64U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t key_block[l]; + memset(key_block, 0U, l * sizeof (uint8_t)); + { + uint32_t i0; + if (key_len <= (uint32_t)64U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)32U; + } + { + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)64U) + { + memcpy(nkey, key, key_len * sizeof 
(uint8_t)); + } + else + { + Hacl_Hash_Blake2_hash_blake2s_32(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t ipad[l]; + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t opad[l]; + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + } + { + uint32_t s0[16U] = { 0U }; + uint32_t *r00 = s0 + (uint32_t)0U * (uint32_t)4U; + uint32_t *r10 = s0 + (uint32_t)1U * (uint32_t)4U; + uint32_t *r20 = s0 + (uint32_t)2U * (uint32_t)4U; + uint32_t *r30 = s0 + (uint32_t)3U * (uint32_t)4U; + uint32_t iv00 = Hacl_Impl_Blake2_Constants_ivTable_S[0U]; + uint32_t iv10 = Hacl_Impl_Blake2_Constants_ivTable_S[1U]; + uint32_t iv20 = Hacl_Impl_Blake2_Constants_ivTable_S[2U]; + uint32_t iv30 = Hacl_Impl_Blake2_Constants_ivTable_S[3U]; + uint32_t iv40 = Hacl_Impl_Blake2_Constants_ivTable_S[4U]; + uint32_t iv50 = Hacl_Impl_Blake2_Constants_ivTable_S[5U]; + uint32_t iv60 = Hacl_Impl_Blake2_Constants_ivTable_S[6U]; + uint32_t iv70 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; + uint32_t kk_shift_80; + uint32_t iv0_; + uint64_t es; + r20[0U] = iv00; + r20[1U] = iv10; + r20[2U] = iv20; + r20[3U] = iv30; + r30[0U] = iv40; + r30[1U] = iv50; + r30[2U] = iv60; + r30[3U] = iv70; + kk_shift_80 = (uint32_t)0U; + iv0_ = iv00 ^ ((uint32_t)0x01010000U ^ (kk_shift_80 ^ (uint32_t)32U)); + r00[0U] = iv0_; + r00[1U] = iv10; + r00[2U] = iv20; + r00[3U] = iv30; + r10[0U] = iv40; + r10[1U] = iv50; + r10[2U] = iv60; + r10[3U] = iv70; + es = (uint64_t)0U; + { + K____uint32_t__uint64_t scrut; + uint32_t *s; + uint8_t *dst1; + uint32_t *r01; + uint32_t *r11; + uint32_t *r21; + uint32_t *r31; + uint32_t iv01; + uint32_t iv11; + uint32_t iv21; + uint32_t iv31; + 
uint32_t iv41; + uint32_t iv51; + uint32_t iv61; + uint32_t iv71; + uint32_t kk_shift_81; + uint32_t iv0_0; + uint64_t ev0; + uint64_t ev10; + uint8_t *hash1; + uint32_t *r0; + uint32_t *r1; + uint32_t *r2; + uint32_t *r3; + uint32_t iv0; + uint32_t iv1; + uint32_t iv2; + uint32_t iv3; + uint32_t iv4; + uint32_t iv5; + uint32_t iv6; + uint32_t iv7; + uint32_t kk_shift_8; + uint32_t iv0_1; + uint64_t ev; + uint64_t ev11; + scrut.fst = s0; + scrut.snd = es; + s = scrut.fst; + dst1 = ipad; + r01 = s + (uint32_t)0U * (uint32_t)4U; + r11 = s + (uint32_t)1U * (uint32_t)4U; + r21 = s + (uint32_t)2U * (uint32_t)4U; + r31 = s + (uint32_t)3U * (uint32_t)4U; + iv01 = Hacl_Impl_Blake2_Constants_ivTable_S[0U]; + iv11 = Hacl_Impl_Blake2_Constants_ivTable_S[1U]; + iv21 = Hacl_Impl_Blake2_Constants_ivTable_S[2U]; + iv31 = Hacl_Impl_Blake2_Constants_ivTable_S[3U]; + iv41 = Hacl_Impl_Blake2_Constants_ivTable_S[4U]; + iv51 = Hacl_Impl_Blake2_Constants_ivTable_S[5U]; + iv61 = Hacl_Impl_Blake2_Constants_ivTable_S[6U]; + iv71 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; + r21[0U] = iv01; + r21[1U] = iv11; + r21[2U] = iv21; + r21[3U] = iv31; + r31[0U] = iv41; + r31[1U] = iv51; + r31[2U] = iv61; + r31[3U] = iv71; + kk_shift_81 = (uint32_t)0U; + iv0_0 = iv01 ^ ((uint32_t)0x01010000U ^ (kk_shift_81 ^ (uint32_t)32U)); + r01[0U] = iv0_0; + r01[1U] = iv11; + r01[2U] = iv21; + r01[3U] = iv31; + r11[0U] = iv41; + r11[1U] = iv51; + r11[2U] = iv61; + r11[3U] = iv71; + ev0 = (uint64_t)0U; + if (data_len == (uint32_t)0U) + { + uint64_t + ev1 = + Hacl_Hash_Blake2_update_last_blake2s_32(s, + ev0, + (uint64_t)0U, + ipad, + (uint32_t)64U); + ev10 = ev1; + } + else + { + uint64_t + ev1 = Hacl_Hash_Blake2_update_multi_blake2s_32(s, ev0, ipad, (uint32_t)1U); + uint64_t + ev2 = + Hacl_Hash_Blake2_update_last_blake2s_32(s, + ev1, + (uint64_t)(uint32_t)64U, + data, + data_len); + ev10 = ev2; + } + Hacl_Hash_Core_Blake2_finish_blake2s_32(s, ev10, dst1); + hash1 = ipad; + r0 = s + (uint32_t)0U * (uint32_t)4U; + 
r1 = s + (uint32_t)1U * (uint32_t)4U; + r2 = s + (uint32_t)2U * (uint32_t)4U; + r3 = s + (uint32_t)3U * (uint32_t)4U; + iv0 = Hacl_Impl_Blake2_Constants_ivTable_S[0U]; + iv1 = Hacl_Impl_Blake2_Constants_ivTable_S[1U]; + iv2 = Hacl_Impl_Blake2_Constants_ivTable_S[2U]; + iv3 = Hacl_Impl_Blake2_Constants_ivTable_S[3U]; + iv4 = Hacl_Impl_Blake2_Constants_ivTable_S[4U]; + iv5 = Hacl_Impl_Blake2_Constants_ivTable_S[5U]; + iv6 = Hacl_Impl_Blake2_Constants_ivTable_S[6U]; + iv7 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + kk_shift_8 = (uint32_t)0U; + iv0_1 = iv0 ^ ((uint32_t)0x01010000U ^ (kk_shift_8 ^ (uint32_t)32U)); + r0[0U] = iv0_1; + r0[1U] = iv1; + r0[2U] = iv2; + r0[3U] = iv3; + r1[0U] = iv4; + r1[1U] = iv5; + r1[2U] = iv6; + r1[3U] = iv7; + ev = (uint64_t)0U; + if ((uint32_t)32U == (uint32_t)0U) + { + uint64_t + ev1 = + Hacl_Hash_Blake2_update_last_blake2s_32(s, + ev, + (uint64_t)0U, + opad, + (uint32_t)64U); + ev11 = ev1; + } + else + { + uint64_t + ev1 = Hacl_Hash_Blake2_update_multi_blake2s_32(s, ev, opad, (uint32_t)1U); + uint64_t + ev2 = + Hacl_Hash_Blake2_update_last_blake2s_32(s, + ev1, + (uint64_t)(uint32_t)64U, + hash1, + (uint32_t)32U); + ev11 = ev2; + } + Hacl_Hash_Core_Blake2_finish_blake2s_32(s, ev11, dst); + } + } + } + } + } + } + } +} + +void +EverCrypt_HMAC_compute_blake2b( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)128U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t key_block[l]; + memset(key_block, 0U, l * sizeof (uint8_t)); + { + uint32_t i0; + if (key_len <= (uint32_t)128U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)64U; + } + { + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)128U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_Blake2_hash_blake2b_32(key, key_len, nkey); + } + 
KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t ipad[l]; + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t opad[l]; + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + } + { + uint64_t s0[16U] = { 0U }; + uint64_t *r00 = s0 + (uint32_t)0U * (uint32_t)4U; + uint64_t *r10 = s0 + (uint32_t)1U * (uint32_t)4U; + uint64_t *r20 = s0 + (uint32_t)2U * (uint32_t)4U; + uint64_t *r30 = s0 + (uint32_t)3U * (uint32_t)4U; + uint64_t iv00 = Hacl_Impl_Blake2_Constants_ivTable_B[0U]; + uint64_t iv10 = Hacl_Impl_Blake2_Constants_ivTable_B[1U]; + uint64_t iv20 = Hacl_Impl_Blake2_Constants_ivTable_B[2U]; + uint64_t iv30 = Hacl_Impl_Blake2_Constants_ivTable_B[3U]; + uint64_t iv40 = Hacl_Impl_Blake2_Constants_ivTable_B[4U]; + uint64_t iv50 = Hacl_Impl_Blake2_Constants_ivTable_B[5U]; + uint64_t iv60 = Hacl_Impl_Blake2_Constants_ivTable_B[6U]; + uint64_t iv70 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; + uint64_t kk_shift_80; + uint64_t iv0_; + FStar_UInt128_uint128 es; + r20[0U] = iv00; + r20[1U] = iv10; + r20[2U] = iv20; + r20[3U] = iv30; + r30[0U] = iv40; + r30[1U] = iv50; + r30[2U] = iv60; + r30[3U] = iv70; + kk_shift_80 = (uint64_t)(uint32_t)0U << (uint32_t)8U; + iv0_ = iv00 ^ ((uint64_t)0x01010000U ^ (kk_shift_80 ^ (uint64_t)(uint32_t)64U)); + r00[0U] = iv0_; + r00[1U] = iv10; + r00[2U] = iv20; + r00[3U] = iv30; + r10[0U] = iv40; + r10[1U] = iv50; + r10[2U] = iv60; + r10[3U] = iv70; + es = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + { + K____uint64_t__FStar_UInt128_uint128 scrut; + uint64_t *s; + uint8_t *dst1; + uint64_t *r01; + uint64_t *r11; + uint64_t *r21; + uint64_t *r31; + uint64_t iv01; + uint64_t iv11; + uint64_t iv21; + uint64_t 
iv31; + uint64_t iv41; + uint64_t iv51; + uint64_t iv61; + uint64_t iv71; + uint64_t kk_shift_81; + uint64_t iv0_0; + FStar_UInt128_uint128 ev0; + FStar_UInt128_uint128 ev10; + uint8_t *hash1; + uint64_t *r0; + uint64_t *r1; + uint64_t *r2; + uint64_t *r3; + uint64_t iv0; + uint64_t iv1; + uint64_t iv2; + uint64_t iv3; + uint64_t iv4; + uint64_t iv5; + uint64_t iv6; + uint64_t iv7; + uint64_t kk_shift_8; + uint64_t iv0_1; + FStar_UInt128_uint128 ev; + FStar_UInt128_uint128 ev11; + scrut.fst = s0; + scrut.snd = es; + s = scrut.fst; + dst1 = ipad; + r01 = s + (uint32_t)0U * (uint32_t)4U; + r11 = s + (uint32_t)1U * (uint32_t)4U; + r21 = s + (uint32_t)2U * (uint32_t)4U; + r31 = s + (uint32_t)3U * (uint32_t)4U; + iv01 = Hacl_Impl_Blake2_Constants_ivTable_B[0U]; + iv11 = Hacl_Impl_Blake2_Constants_ivTable_B[1U]; + iv21 = Hacl_Impl_Blake2_Constants_ivTable_B[2U]; + iv31 = Hacl_Impl_Blake2_Constants_ivTable_B[3U]; + iv41 = Hacl_Impl_Blake2_Constants_ivTable_B[4U]; + iv51 = Hacl_Impl_Blake2_Constants_ivTable_B[5U]; + iv61 = Hacl_Impl_Blake2_Constants_ivTable_B[6U]; + iv71 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; + r21[0U] = iv01; + r21[1U] = iv11; + r21[2U] = iv21; + r21[3U] = iv31; + r31[0U] = iv41; + r31[1U] = iv51; + r31[2U] = iv61; + r31[3U] = iv71; + kk_shift_81 = (uint64_t)(uint32_t)0U << (uint32_t)8U; + iv0_0 = iv01 ^ ((uint64_t)0x01010000U ^ (kk_shift_81 ^ (uint64_t)(uint32_t)64U)); + r01[0U] = iv0_0; + r01[1U] = iv11; + r01[2U] = iv21; + r01[3U] = iv31; + r11[0U] = iv41; + r11[1U] = iv51; + r11[2U] = iv61; + r11[3U] = iv71; + ev0 = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + if (data_len == (uint32_t)0U) + { + FStar_UInt128_uint128 + ev1 = + Hacl_Hash_Blake2_update_last_blake2b_32(s, + ev0, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + ipad, + (uint32_t)128U); + ev10 = ev1; + } + else + { + FStar_UInt128_uint128 + ev1 = Hacl_Hash_Blake2_update_multi_blake2b_32(s, ev0, ipad, (uint32_t)1U); + FStar_UInt128_uint128 + ev2 = + 
Hacl_Hash_Blake2_update_last_blake2b_32(s, + ev1, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + data, + data_len); + ev10 = ev2; + } + Hacl_Hash_Core_Blake2_finish_blake2b_32(s, ev10, dst1); + hash1 = ipad; + r0 = s + (uint32_t)0U * (uint32_t)4U; + r1 = s + (uint32_t)1U * (uint32_t)4U; + r2 = s + (uint32_t)2U * (uint32_t)4U; + r3 = s + (uint32_t)3U * (uint32_t)4U; + iv0 = Hacl_Impl_Blake2_Constants_ivTable_B[0U]; + iv1 = Hacl_Impl_Blake2_Constants_ivTable_B[1U]; + iv2 = Hacl_Impl_Blake2_Constants_ivTable_B[2U]; + iv3 = Hacl_Impl_Blake2_Constants_ivTable_B[3U]; + iv4 = Hacl_Impl_Blake2_Constants_ivTable_B[4U]; + iv5 = Hacl_Impl_Blake2_Constants_ivTable_B[5U]; + iv6 = Hacl_Impl_Blake2_Constants_ivTable_B[6U]; + iv7 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + kk_shift_8 = (uint64_t)(uint32_t)0U << (uint32_t)8U; + iv0_1 = iv0 ^ ((uint64_t)0x01010000U ^ (kk_shift_8 ^ (uint64_t)(uint32_t)64U)); + r0[0U] = iv0_1; + r0[1U] = iv1; + r0[2U] = iv2; + r0[3U] = iv3; + r1[0U] = iv4; + r1[1U] = iv5; + r1[2U] = iv6; + r1[3U] = iv7; + ev = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + if ((uint32_t)64U == (uint32_t)0U) + { + FStar_UInt128_uint128 + ev1 = + Hacl_Hash_Blake2_update_last_blake2b_32(s, + ev, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + opad, + (uint32_t)128U); + ev11 = ev1; + } + else + { + FStar_UInt128_uint128 + ev1 = Hacl_Hash_Blake2_update_multi_blake2b_32(s, ev, opad, (uint32_t)1U); + FStar_UInt128_uint128 + ev2 = + Hacl_Hash_Blake2_update_last_blake2b_32(s, + ev1, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + hash1, + (uint32_t)64U); + ev11 = ev2; + } + Hacl_Hash_Core_Blake2_finish_blake2b_32(s, ev11, dst); + } + } + } + } + } + } + } +} + +bool EverCrypt_HMAC_is_supported_alg(Spec_Hash_Definitions_hash_alg uu___) +{ + switch (uu___) + { + case Spec_Hash_Definitions_SHA1: + { + return true; + 
} + case Spec_Hash_Definitions_SHA2_256: + { + return true; + } + case Spec_Hash_Definitions_SHA2_384: + { + return true; + } + case Spec_Hash_Definitions_SHA2_512: + { + return true; + } + case Spec_Hash_Definitions_Blake2S: + { + return true; + } + case Spec_Hash_Definitions_Blake2B: + { + return true; + } + default: + { + return false; + } + } +} + +void +EverCrypt_HMAC_compute( + Spec_Hash_Definitions_hash_alg a, + uint8_t *mac, + uint8_t *key, + uint32_t keylen, + uint8_t *data, + uint32_t datalen +) +{ + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + EverCrypt_HMAC_compute_sha1(mac, key, keylen, data, datalen); + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + EverCrypt_HMAC_compute_sha2_256(mac, key, keylen, data, datalen); + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + EverCrypt_HMAC_compute_sha2_384(mac, key, keylen, data, datalen); + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + EverCrypt_HMAC_compute_sha2_512(mac, key, keylen, data, datalen); + break; + } + case Spec_Hash_Definitions_Blake2S: + { + EverCrypt_HMAC_compute_blake2s(mac, key, keylen, data, datalen); + break; + } + case Spec_Hash_Definitions_Blake2B: + { + EverCrypt_HMAC_compute_blake2b(mac, key, keylen, data, datalen); + break; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + diff --git a/src/c89/EverCrypt_Hash.c b/src/c89/EverCrypt_Hash.c new file mode 100644 index 00000000..2a05c013 --- /dev/null +++ b/src/c89/EverCrypt_Hash.c 
@@ -0,0 +1,2192 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_Hash.h" + +#include "internal/Vale.h" +#include "internal/Hacl_Hash_SHA2.h" +#include "internal/Hacl_Hash_SHA1.h" +#include "internal/Hacl_Hash_MD5.h" +#include "internal/Hacl_Hash_Blake2.h" + +C_String_t EverCrypt_Hash_string_of_alg(Spec_Hash_Definitions_hash_alg uu___) +{ + switch (uu___) + { + case Spec_Hash_Definitions_MD5: + { + return "MD5"; + } + case Spec_Hash_Definitions_SHA1: + { + return "SHA1"; + } + case Spec_Hash_Definitions_SHA2_224: + { + return "SHA2_224"; + } + case Spec_Hash_Definitions_SHA2_256: + { + return "SHA2_256"; + } + case Spec_Hash_Definitions_SHA2_384: + { + return "SHA2_384"; + } + case Spec_Hash_Definitions_SHA2_512: + { + return "SHA2_512"; + } + case Spec_Hash_Definitions_Blake2S: + { + return "Blake2S"; + } + case Spec_Hash_Definitions_Blake2B: + { + return "Blake2B"; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +bool +EverCrypt_Hash_uu___is_MD5_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +) +{ + if (projectee.tag == EverCrypt_Hash_MD5_s) + { + return true; + } + return false; +} + +bool +EverCrypt_Hash_uu___is_SHA1_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +) +{ + if (projectee.tag == EverCrypt_Hash_SHA1_s) + { + return true; + } + return false; +} + +bool +EverCrypt_Hash_uu___is_SHA2_224_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +) +{ + if (projectee.tag == EverCrypt_Hash_SHA2_224_s) + { + return true; + } + return false; +} + +bool +EverCrypt_Hash_uu___is_SHA2_256_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +) +{ + if (projectee.tag == EverCrypt_Hash_SHA2_256_s) + { + return true; + } + return false; +} + +bool +EverCrypt_Hash_uu___is_SHA2_384_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +) +{ + if (projectee.tag == 
EverCrypt_Hash_SHA2_384_s) + { + return true; + } + return false; +} + +bool +EverCrypt_Hash_uu___is_SHA2_512_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +) +{ + if (projectee.tag == EverCrypt_Hash_SHA2_512_s) + { + return true; + } + return false; +} + +bool +EverCrypt_Hash_uu___is_Blake2S_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +) +{ + if (projectee.tag == EverCrypt_Hash_Blake2S_s) + { + return true; + } + return false; +} + +bool +EverCrypt_Hash_uu___is_Blake2B_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +) +{ + if (projectee.tag == EverCrypt_Hash_Blake2B_s) + { + return true; + } + return false; +} + +Spec_Hash_Definitions_hash_alg EverCrypt_Hash_alg_of_state(EverCrypt_Hash_state_s *s) +{ + EverCrypt_Hash_state_s scrut = *s; + if (scrut.tag == EverCrypt_Hash_MD5_s) + { + return Spec_Hash_Definitions_MD5; + } + if (scrut.tag == EverCrypt_Hash_SHA1_s) + { + return Spec_Hash_Definitions_SHA1; + } + if (scrut.tag == EverCrypt_Hash_SHA2_224_s) + { + return Spec_Hash_Definitions_SHA2_224; + } + if (scrut.tag == EverCrypt_Hash_SHA2_256_s) + { + return Spec_Hash_Definitions_SHA2_256; + } + if (scrut.tag == EverCrypt_Hash_SHA2_384_s) + { + return Spec_Hash_Definitions_SHA2_384; + } + if (scrut.tag == EverCrypt_Hash_SHA2_512_s) + { + return Spec_Hash_Definitions_SHA2_512; + } + if (scrut.tag == EverCrypt_Hash_Blake2S_s) + { + return Spec_Hash_Definitions_Blake2S; + } + if (scrut.tag == EverCrypt_Hash_Blake2B_s) + { + return Spec_Hash_Definitions_Blake2B; + } + KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +EverCrypt_Hash_state_s *EverCrypt_Hash_create_in(Spec_Hash_Definitions_hash_alg a) +{ + EverCrypt_Hash_state_s s; + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + EverCrypt_Hash_state_s lit; + lit.tag = EverCrypt_Hash_MD5_s; + { + uint32_t *buf = 
(uint32_t *)KRML_HOST_CALLOC((uint32_t)4U, sizeof (uint32_t)); + lit.val.case_MD5_s = buf; + s = lit; + } + break; + } + case Spec_Hash_Definitions_SHA1: + { + EverCrypt_Hash_state_s lit; + lit.tag = EverCrypt_Hash_SHA1_s; + { + uint32_t *buf = (uint32_t *)KRML_HOST_CALLOC((uint32_t)5U, sizeof (uint32_t)); + lit.val.case_SHA1_s = buf; + s = lit; + } + break; + } + case Spec_Hash_Definitions_SHA2_224: + { + EverCrypt_Hash_state_s lit; + lit.tag = EverCrypt_Hash_SHA2_224_s; + { + uint32_t *buf = (uint32_t *)KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); + lit.val.case_SHA2_224_s = buf; + s = lit; + } + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + EverCrypt_Hash_state_s lit; + lit.tag = EverCrypt_Hash_SHA2_256_s; + { + uint32_t *buf = (uint32_t *)KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); + lit.val.case_SHA2_256_s = buf; + s = lit; + } + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + EverCrypt_Hash_state_s lit; + lit.tag = EverCrypt_Hash_SHA2_384_s; + { + uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint64_t)); + lit.val.case_SHA2_384_s = buf; + s = lit; + } + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + EverCrypt_Hash_state_s lit; + lit.tag = EverCrypt_Hash_SHA2_512_s; + { + uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint64_t)); + lit.val.case_SHA2_512_s = buf; + s = lit; + } + break; + } + case Spec_Hash_Definitions_Blake2S: + { + EverCrypt_Hash_state_s lit; + lit.tag = EverCrypt_Hash_Blake2S_s; + { + uint32_t *buf = (uint32_t *)KRML_HOST_CALLOC((uint32_t)16U, sizeof (uint32_t)); + lit.val.case_Blake2S_s = buf; + s = lit; + } + break; + } + case Spec_Hash_Definitions_Blake2B: + { + EverCrypt_Hash_state_s lit; + lit.tag = EverCrypt_Hash_Blake2B_s; + { + uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC((uint32_t)16U, sizeof (uint64_t)); + lit.val.case_Blake2B_s = buf; + s = lit; + } + break; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, 
__LINE__); + KRML_HOST_EXIT(253U); + } + } + KRML_CHECK_SIZE(sizeof (EverCrypt_Hash_state_s), (uint32_t)1U); + { + EverCrypt_Hash_state_s + *buf = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + buf[0U] = s; + return buf; + } +} + +EverCrypt_Hash_state_s *EverCrypt_Hash_create(Spec_Hash_Definitions_hash_alg a) +{ + return EverCrypt_Hash_create_in(a); +} + +void EverCrypt_Hash_init(EverCrypt_Hash_state_s *s) +{ + EverCrypt_Hash_state_s scrut = *s; + if (scrut.tag == EverCrypt_Hash_MD5_s) + { + uint32_t *p1 = scrut.val.case_MD5_s; + Hacl_Hash_Core_MD5_legacy_init(p1); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA1_s) + { + uint32_t *p1 = scrut.val.case_SHA1_s; + Hacl_Hash_Core_SHA1_legacy_init(p1); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_224_s) + { + uint32_t *p1 = scrut.val.case_SHA2_224_s; + Hacl_Hash_Core_SHA2_init_224(p1); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_256_s) + { + uint32_t *p1 = scrut.val.case_SHA2_256_s; + Hacl_Hash_Core_SHA2_init_256(p1); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_384_s) + { + uint64_t *p1 = scrut.val.case_SHA2_384_s; + Hacl_Hash_Core_SHA2_init_384(p1); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_512_s) + { + uint64_t *p1 = scrut.val.case_SHA2_512_s; + Hacl_Hash_Core_SHA2_init_512(p1); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2S_s) + { + uint32_t *p1 = scrut.val.case_Blake2S_s; + uint32_t *r0 = p1 + (uint32_t)0U * (uint32_t)4U; + uint32_t *r1 = p1 + (uint32_t)1U * (uint32_t)4U; + uint32_t *r2 = p1 + (uint32_t)2U * (uint32_t)4U; + uint32_t *r3 = p1 + (uint32_t)3U * (uint32_t)4U; + uint32_t iv0 = Hacl_Impl_Blake2_Constants_ivTable_S[0U]; + uint32_t iv1 = Hacl_Impl_Blake2_Constants_ivTable_S[1U]; + uint32_t iv2 = Hacl_Impl_Blake2_Constants_ivTable_S[2U]; + uint32_t iv3 = Hacl_Impl_Blake2_Constants_ivTable_S[3U]; + uint32_t iv4 = Hacl_Impl_Blake2_Constants_ivTable_S[4U]; + uint32_t iv5 = Hacl_Impl_Blake2_Constants_ivTable_S[5U]; + uint32_t iv6 = 
Hacl_Impl_Blake2_Constants_ivTable_S[6U]; + uint32_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; + uint32_t kk_shift_8; + uint32_t iv0_; + uint64_t uu____0; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + kk_shift_8 = (uint32_t)0U; + iv0_ = iv0 ^ ((uint32_t)0x01010000U ^ (kk_shift_8 ^ (uint32_t)32U)); + r0[0U] = iv0_; + r0[1U] = iv1; + r0[2U] = iv2; + r0[3U] = iv3; + r1[0U] = iv4; + r1[1U] = iv5; + r1[2U] = iv6; + r1[3U] = iv7; + uu____0 = (uint64_t)0U; + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2B_s) + { + uint64_t *p1 = scrut.val.case_Blake2B_s; + uint64_t *r0 = p1 + (uint32_t)0U * (uint32_t)4U; + uint64_t *r1 = p1 + (uint32_t)1U * (uint32_t)4U; + uint64_t *r2 = p1 + (uint32_t)2U * (uint32_t)4U; + uint64_t *r3 = p1 + (uint32_t)3U * (uint32_t)4U; + uint64_t iv0 = Hacl_Impl_Blake2_Constants_ivTable_B[0U]; + uint64_t iv1 = Hacl_Impl_Blake2_Constants_ivTable_B[1U]; + uint64_t iv2 = Hacl_Impl_Blake2_Constants_ivTable_B[2U]; + uint64_t iv3 = Hacl_Impl_Blake2_Constants_ivTable_B[3U]; + uint64_t iv4 = Hacl_Impl_Blake2_Constants_ivTable_B[4U]; + uint64_t iv5 = Hacl_Impl_Blake2_Constants_ivTable_B[5U]; + uint64_t iv6 = Hacl_Impl_Blake2_Constants_ivTable_B[6U]; + uint64_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; + uint64_t kk_shift_8; + uint64_t iv0_; + FStar_UInt128_uint128 uu____1; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + kk_shift_8 = (uint64_t)(uint32_t)0U << (uint32_t)8U; + iv0_ = iv0 ^ ((uint64_t)0x01010000U ^ (kk_shift_8 ^ (uint64_t)(uint32_t)64U)); + r0[0U] = iv0_; + r0[1U] = iv1; + r0[2U] = iv2; + r0[3U] = iv3; + r1[0U] = iv4; + r1[1U] = iv5; + r1[2U] = iv6; + r1[3U] = iv7; + uu____1 = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + return; + } + KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + 
KRML_HOST_EXIT(255U); +} + +static uint32_t +k224_256[64U] = + { + (uint32_t)0x428a2f98U, (uint32_t)0x71374491U, (uint32_t)0xb5c0fbcfU, (uint32_t)0xe9b5dba5U, + (uint32_t)0x3956c25bU, (uint32_t)0x59f111f1U, (uint32_t)0x923f82a4U, (uint32_t)0xab1c5ed5U, + (uint32_t)0xd807aa98U, (uint32_t)0x12835b01U, (uint32_t)0x243185beU, (uint32_t)0x550c7dc3U, + (uint32_t)0x72be5d74U, (uint32_t)0x80deb1feU, (uint32_t)0x9bdc06a7U, (uint32_t)0xc19bf174U, + (uint32_t)0xe49b69c1U, (uint32_t)0xefbe4786U, (uint32_t)0x0fc19dc6U, (uint32_t)0x240ca1ccU, + (uint32_t)0x2de92c6fU, (uint32_t)0x4a7484aaU, (uint32_t)0x5cb0a9dcU, (uint32_t)0x76f988daU, + (uint32_t)0x983e5152U, (uint32_t)0xa831c66dU, (uint32_t)0xb00327c8U, (uint32_t)0xbf597fc7U, + (uint32_t)0xc6e00bf3U, (uint32_t)0xd5a79147U, (uint32_t)0x06ca6351U, (uint32_t)0x14292967U, + (uint32_t)0x27b70a85U, (uint32_t)0x2e1b2138U, (uint32_t)0x4d2c6dfcU, (uint32_t)0x53380d13U, + (uint32_t)0x650a7354U, (uint32_t)0x766a0abbU, (uint32_t)0x81c2c92eU, (uint32_t)0x92722c85U, + (uint32_t)0xa2bfe8a1U, (uint32_t)0xa81a664bU, (uint32_t)0xc24b8b70U, (uint32_t)0xc76c51a3U, + (uint32_t)0xd192e819U, (uint32_t)0xd6990624U, (uint32_t)0xf40e3585U, (uint32_t)0x106aa070U, + (uint32_t)0x19a4c116U, (uint32_t)0x1e376c08U, (uint32_t)0x2748774cU, (uint32_t)0x34b0bcb5U, + (uint32_t)0x391c0cb3U, (uint32_t)0x4ed8aa4aU, (uint32_t)0x5b9cca4fU, (uint32_t)0x682e6ff3U, + (uint32_t)0x748f82eeU, (uint32_t)0x78a5636fU, (uint32_t)0x84c87814U, (uint32_t)0x8cc70208U, + (uint32_t)0x90befffaU, (uint32_t)0xa4506cebU, (uint32_t)0xbef9a3f7U, (uint32_t)0xc67178f2U + }; + +void EverCrypt_Hash_update_multi_256(uint32_t *s, uint8_t *blocks, uint32_t n) +{ + bool has_shaext = EverCrypt_AutoConfig2_has_shaext(); + bool has_sse = EverCrypt_AutoConfig2_has_sse(); + #if HACL_CAN_COMPILE_VALE + if (has_shaext && has_sse) + { + uint64_t n1 = (uint64_t)n; + uint64_t scrut = sha256_update(s, blocks, n1, k224_256); + return; + } + #endif + Hacl_Hash_SHA2_update_multi_256(s, blocks, n); +} + +void 
EverCrypt_Hash_update2(EverCrypt_Hash_state_s *s, uint64_t prevlen, uint8_t *block) +{ + EverCrypt_Hash_state_s scrut = *s; + if (scrut.tag == EverCrypt_Hash_MD5_s) + { + uint32_t *p1 = scrut.val.case_MD5_s; + Hacl_Hash_Core_MD5_legacy_update(p1, block); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA1_s) + { + uint32_t *p1 = scrut.val.case_SHA1_s; + Hacl_Hash_Core_SHA1_legacy_update(p1, block); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_224_s) + { + uint32_t *p1 = scrut.val.case_SHA2_224_s; + EverCrypt_Hash_update_multi_256(p1, block, (uint32_t)1U); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_256_s) + { + uint32_t *p1 = scrut.val.case_SHA2_256_s; + EverCrypt_Hash_update_multi_256(p1, block, (uint32_t)1U); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_384_s) + { + uint64_t *p1 = scrut.val.case_SHA2_384_s; + Hacl_Hash_Core_SHA2_update_384(p1, block); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_512_s) + { + uint64_t *p1 = scrut.val.case_SHA2_512_s; + Hacl_Hash_Core_SHA2_update_512(p1, block); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2S_s) + { + uint32_t *p1 = scrut.val.case_Blake2S_s; + uint64_t uu____0 = Hacl_Hash_Core_Blake2_update_blake2s_32(p1, prevlen, block); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2B_s) + { + uint64_t *p1 = scrut.val.case_Blake2B_s; + FStar_UInt128_uint128 + uu____1 = + Hacl_Hash_Core_Blake2_update_blake2b_32(p1, + FStar_UInt128_uint64_to_uint128(prevlen), + block); + return; + } + KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +KRML_DEPRECATED("Use update2 instead") + +void EverCrypt_Hash_update(EverCrypt_Hash_state_s *s, uint8_t *block) +{ + EverCrypt_Hash_update2(s, (uint64_t)0U, block); +} + +void +EverCrypt_Hash_update_multi2( + EverCrypt_Hash_state_s *s, + uint64_t prevlen, + uint8_t *blocks, + uint32_t len +) +{ + EverCrypt_Hash_state_s scrut = *s; + if (scrut.tag 
== EverCrypt_Hash_MD5_s) + { + uint32_t *p1 = scrut.val.case_MD5_s; + uint32_t n = len / (uint32_t)64U; + Hacl_Hash_MD5_legacy_update_multi(p1, blocks, n); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA1_s) + { + uint32_t *p1 = scrut.val.case_SHA1_s; + uint32_t n = len / (uint32_t)64U; + Hacl_Hash_SHA1_legacy_update_multi(p1, blocks, n); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_224_s) + { + uint32_t *p1 = scrut.val.case_SHA2_224_s; + uint32_t n = len / (uint32_t)64U; + EverCrypt_Hash_update_multi_256(p1, blocks, n); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_256_s) + { + uint32_t *p1 = scrut.val.case_SHA2_256_s; + uint32_t n = len / (uint32_t)64U; + EverCrypt_Hash_update_multi_256(p1, blocks, n); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_384_s) + { + uint64_t *p1 = scrut.val.case_SHA2_384_s; + uint32_t n = len / (uint32_t)128U; + Hacl_Hash_SHA2_update_multi_384(p1, blocks, n); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_512_s) + { + uint64_t *p1 = scrut.val.case_SHA2_512_s; + uint32_t n = len / (uint32_t)128U; + Hacl_Hash_SHA2_update_multi_512(p1, blocks, n); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2S_s) + { + uint32_t *p1 = scrut.val.case_Blake2S_s; + uint32_t n = len / (uint32_t)64U; + uint64_t uu____0 = Hacl_Hash_Blake2_update_multi_blake2s_32(p1, prevlen, blocks, n); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2B_s) + { + uint64_t *p1 = scrut.val.case_Blake2B_s; + uint32_t n = len / (uint32_t)128U; + FStar_UInt128_uint128 + uu____1 = + Hacl_Hash_Blake2_update_multi_blake2b_32(p1, + FStar_UInt128_uint64_to_uint128(prevlen), + blocks, + n); + return; + } + KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +KRML_DEPRECATED("Use update_multi2 instead") + +void EverCrypt_Hash_update_multi(EverCrypt_Hash_state_s *s, uint8_t *blocks, uint32_t len) +{ + EverCrypt_Hash_update_multi2(s, 
(uint64_t)0U, blocks, len); +} + +void +EverCrypt_Hash_update_last_256( + uint32_t *s, + uint64_t input, + uint8_t *input_len, + uint32_t input_len1 +) +{ + uint32_t blocks_n = input_len1 / (uint32_t)64U; + uint32_t blocks_len = blocks_n * (uint32_t)64U; + uint8_t *blocks = input_len; + uint32_t rest_len = input_len1 - blocks_len; + uint8_t *rest = input_len + blocks_len; + uint64_t total_input_len; + uint32_t pad_len; + uint32_t tmp_len; + EverCrypt_Hash_update_multi_256(s, blocks, blocks_n); + total_input_len = input + (uint64_t)input_len1; + pad_len = + (uint32_t)1U + + + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(total_input_len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U + + (uint32_t)8U; + tmp_len = rest_len + pad_len; + { + uint8_t tmp_twoblocks[128U] = { 0U }; + uint8_t *tmp = tmp_twoblocks; + uint8_t *tmp_rest = tmp; + uint8_t *tmp_pad = tmp + rest_len; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + Hacl_Hash_Core_SHA2_pad_256(total_input_len, tmp_pad); + EverCrypt_Hash_update_multi_256(s, tmp, tmp_len / (uint32_t)64U); + } +} + +void +EverCrypt_Hash_update_last2( + EverCrypt_Hash_state_s *s, + uint64_t prev_len, + uint8_t *last, + uint32_t last_len +) +{ + EverCrypt_Hash_state_s scrut = *s; + if (scrut.tag == EverCrypt_Hash_MD5_s) + { + uint32_t *p1 = scrut.val.case_MD5_s; + Hacl_Hash_MD5_legacy_update_last(p1, prev_len, last, last_len); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA1_s) + { + uint32_t *p1 = scrut.val.case_SHA1_s; + Hacl_Hash_SHA1_legacy_update_last(p1, prev_len, last, last_len); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_224_s) + { + uint32_t *p1 = scrut.val.case_SHA2_224_s; + EverCrypt_Hash_update_last_256(p1, prev_len, last, last_len); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_256_s) + { + uint32_t *p1 = scrut.val.case_SHA2_256_s; + EverCrypt_Hash_update_last_256(p1, prev_len, last, last_len); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_384_s) + { + uint64_t *p1 = 
scrut.val.case_SHA2_384_s; + Hacl_Hash_SHA2_update_last_384(p1, FStar_UInt128_uint64_to_uint128(prev_len), last, last_len); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_512_s) + { + uint64_t *p1 = scrut.val.case_SHA2_512_s; + Hacl_Hash_SHA2_update_last_512(p1, FStar_UInt128_uint64_to_uint128(prev_len), last, last_len); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2S_s) + { + uint32_t *p1 = scrut.val.case_Blake2S_s; + uint64_t x = Hacl_Hash_Blake2_update_last_blake2s_32(p1, prev_len, prev_len, last, last_len); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2B_s) + { + uint64_t *p1 = scrut.val.case_Blake2B_s; + FStar_UInt128_uint128 + x = + Hacl_Hash_Blake2_update_last_blake2b_32(p1, + FStar_UInt128_uint64_to_uint128(prev_len), + FStar_UInt128_uint64_to_uint128(prev_len), + last, + last_len); + return; + } + KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +KRML_DEPRECATED("Use update_last2 instead") + +void EverCrypt_Hash_update_last(EverCrypt_Hash_state_s *s, uint8_t *last, uint64_t total_len) +{ + Spec_Hash_Definitions_hash_alg a = EverCrypt_Hash_alg_of_state(s); + uint32_t sw; + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + sw = (uint32_t)64U; + break; + } + case Spec_Hash_Definitions_SHA1: + { + sw = (uint32_t)64U; + break; + } + case Spec_Hash_Definitions_SHA2_224: + { + sw = (uint32_t)64U; + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + sw = (uint32_t)64U; + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + sw = (uint32_t)128U; + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + sw = (uint32_t)128U; + break; + } + case Spec_Hash_Definitions_Blake2S: + { + sw = (uint32_t)64U; + break; + } + case Spec_Hash_Definitions_Blake2B: + { + sw = (uint32_t)128U; + break; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + { + 
uint64_t last_len = total_len % (uint64_t)sw; + uint64_t prev_len = total_len - last_len; + EverCrypt_Hash_update_last2(s, prev_len, last, (uint32_t)last_len); + } +} + +void EverCrypt_Hash_finish(EverCrypt_Hash_state_s *s, uint8_t *dst) +{ + EverCrypt_Hash_state_s scrut = *s; + if (scrut.tag == EverCrypt_Hash_MD5_s) + { + uint32_t *p1 = scrut.val.case_MD5_s; + Hacl_Hash_Core_MD5_legacy_finish(p1, dst); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA1_s) + { + uint32_t *p1 = scrut.val.case_SHA1_s; + Hacl_Hash_Core_SHA1_legacy_finish(p1, dst); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_224_s) + { + uint32_t *p1 = scrut.val.case_SHA2_224_s; + Hacl_Hash_Core_SHA2_finish_224(p1, dst); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_256_s) + { + uint32_t *p1 = scrut.val.case_SHA2_256_s; + Hacl_Hash_Core_SHA2_finish_256(p1, dst); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_384_s) + { + uint64_t *p1 = scrut.val.case_SHA2_384_s; + Hacl_Hash_Core_SHA2_finish_384(p1, dst); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_512_s) + { + uint64_t *p1 = scrut.val.case_SHA2_512_s; + Hacl_Hash_Core_SHA2_finish_512(p1, dst); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2S_s) + { + uint32_t *p1 = scrut.val.case_Blake2S_s; + Hacl_Hash_Core_Blake2_finish_blake2s_32(p1, (uint64_t)0U, dst); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2B_s) + { + uint64_t *p1 = scrut.val.case_Blake2B_s; + Hacl_Hash_Core_Blake2_finish_blake2b_32(p1, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + dst); + return; + } + KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +void EverCrypt_Hash_free(EverCrypt_Hash_state_s *s) +{ + EverCrypt_Hash_state_s scrut = *s; + if (scrut.tag == EverCrypt_Hash_MD5_s) + { + uint32_t *p1 = scrut.val.case_MD5_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == EverCrypt_Hash_SHA1_s) + { + uint32_t *p1 = 
scrut.val.case_SHA1_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == EverCrypt_Hash_SHA2_224_s) + { + uint32_t *p1 = scrut.val.case_SHA2_224_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == EverCrypt_Hash_SHA2_256_s) + { + uint32_t *p1 = scrut.val.case_SHA2_256_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == EverCrypt_Hash_SHA2_384_s) + { + uint64_t *p1 = scrut.val.case_SHA2_384_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == EverCrypt_Hash_SHA2_512_s) + { + uint64_t *p1 = scrut.val.case_SHA2_512_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == EverCrypt_Hash_Blake2S_s) + { + uint32_t *p1 = scrut.val.case_Blake2S_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == EverCrypt_Hash_Blake2B_s) + { + uint64_t *p1 = scrut.val.case_Blake2B_s; + KRML_HOST_FREE(p1); + } + else + { + KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); + } + KRML_HOST_FREE(s); +} + +void EverCrypt_Hash_copy(EverCrypt_Hash_state_s *s_src, EverCrypt_Hash_state_s *s_dst) +{ + EverCrypt_Hash_state_s scrut = *s_src; + if (scrut.tag == EverCrypt_Hash_MD5_s) + { + uint32_t *p_src = scrut.val.case_MD5_s; + EverCrypt_Hash_state_s x1 = *s_dst; + uint32_t *p_dst; + if (x1.tag == EverCrypt_Hash_MD5_s) + { + p_dst = x1.val.case_MD5_s; + } + else + { + p_dst = KRML_EABORT(uint32_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, (uint32_t)4U * sizeof (uint32_t)); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA1_s) + { + uint32_t *p_src = scrut.val.case_SHA1_s; + EverCrypt_Hash_state_s x1 = *s_dst; + uint32_t *p_dst; + if (x1.tag == EverCrypt_Hash_SHA1_s) + { + p_dst = x1.val.case_SHA1_s; + } + else + { + p_dst = KRML_EABORT(uint32_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, (uint32_t)5U * sizeof (uint32_t)); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_224_s) + { + uint32_t *p_src = 
scrut.val.case_SHA2_224_s; + EverCrypt_Hash_state_s x1 = *s_dst; + uint32_t *p_dst; + if (x1.tag == EverCrypt_Hash_SHA2_224_s) + { + p_dst = x1.val.case_SHA2_224_s; + } + else + { + p_dst = KRML_EABORT(uint32_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, (uint32_t)8U * sizeof (uint32_t)); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_256_s) + { + uint32_t *p_src = scrut.val.case_SHA2_256_s; + EverCrypt_Hash_state_s x1 = *s_dst; + uint32_t *p_dst; + if (x1.tag == EverCrypt_Hash_SHA2_256_s) + { + p_dst = x1.val.case_SHA2_256_s; + } + else + { + p_dst = KRML_EABORT(uint32_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, (uint32_t)8U * sizeof (uint32_t)); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_384_s) + { + uint64_t *p_src = scrut.val.case_SHA2_384_s; + EverCrypt_Hash_state_s x1 = *s_dst; + uint64_t *p_dst; + if (x1.tag == EverCrypt_Hash_SHA2_384_s) + { + p_dst = x1.val.case_SHA2_384_s; + } + else + { + p_dst = KRML_EABORT(uint64_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, (uint32_t)8U * sizeof (uint64_t)); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_512_s) + { + uint64_t *p_src = scrut.val.case_SHA2_512_s; + EverCrypt_Hash_state_s x1 = *s_dst; + uint64_t *p_dst; + if (x1.tag == EverCrypt_Hash_SHA2_512_s) + { + p_dst = x1.val.case_SHA2_512_s; + } + else + { + p_dst = KRML_EABORT(uint64_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, (uint32_t)8U * sizeof (uint64_t)); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2S_s) + { + uint32_t *p_src = scrut.val.case_Blake2S_s; + EverCrypt_Hash_state_s x1 = *s_dst; + uint32_t *p_dst; + if (x1.tag == EverCrypt_Hash_Blake2S_s) + { + p_dst = x1.val.case_Blake2S_s; + } + else + { + p_dst = KRML_EABORT(uint32_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, (uint32_t)16U * sizeof (uint32_t)); + return; + 
} + if (scrut.tag == EverCrypt_Hash_Blake2B_s) + { + uint64_t *p_src = scrut.val.case_Blake2B_s; + EverCrypt_Hash_state_s x1 = *s_dst; + uint64_t *p_dst; + if (x1.tag == EverCrypt_Hash_Blake2B_s) + { + p_dst = x1.val.case_Blake2B_s; + } + else + { + p_dst = KRML_EABORT(uint64_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, (uint32_t)16U * sizeof (uint64_t)); + return; + } + KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +void EverCrypt_Hash_hash_256(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + uint32_t + scrut[8U] = + { + (uint32_t)0x6a09e667U, (uint32_t)0xbb67ae85U, (uint32_t)0x3c6ef372U, (uint32_t)0xa54ff53aU, + (uint32_t)0x510e527fU, (uint32_t)0x9b05688cU, (uint32_t)0x1f83d9abU, (uint32_t)0x5be0cd19U + }; + uint32_t *s = scrut; + uint32_t blocks_n0 = input_len / (uint32_t)64U; + uint32_t blocks_n1; + if (input_len % (uint32_t)64U == (uint32_t)0U && blocks_n0 > (uint32_t)0U) + { + blocks_n1 = blocks_n0 - (uint32_t)1U; + } + else + { + blocks_n1 = blocks_n0; + } + { + uint32_t blocks_len0 = blocks_n1 * (uint32_t)64U; + uint8_t *blocks0 = input; + uint32_t rest_len0 = input_len - blocks_len0; + uint8_t *rest0 = input + blocks_len0; + uint32_t blocks_n = blocks_n1; + uint32_t blocks_len = blocks_len0; + uint8_t *blocks = blocks0; + uint32_t rest_len = rest_len0; + uint8_t *rest = rest0; + EverCrypt_Hash_update_multi_256(s, blocks, blocks_n); + EverCrypt_Hash_update_last_256(s, (uint64_t)blocks_len, rest, rest_len); + Hacl_Hash_Core_SHA2_finish_256(s, dst); + } +} + +void EverCrypt_Hash_hash_224(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + uint32_t + scrut[8U] = + { + (uint32_t)0xc1059ed8U, (uint32_t)0x367cd507U, (uint32_t)0x3070dd17U, (uint32_t)0xf70e5939U, + (uint32_t)0xffc00b31U, (uint32_t)0x68581511U, (uint32_t)0x64f98fa7U, (uint32_t)0xbefa4fa4U + }; + uint32_t *s = scrut; + uint32_t blocks_n0 = 
input_len / (uint32_t)64U; + uint32_t blocks_n1; + if (input_len % (uint32_t)64U == (uint32_t)0U && blocks_n0 > (uint32_t)0U) + { + blocks_n1 = blocks_n0 - (uint32_t)1U; + } + else + { + blocks_n1 = blocks_n0; + } + { + uint32_t blocks_len0 = blocks_n1 * (uint32_t)64U; + uint8_t *blocks0 = input; + uint32_t rest_len0 = input_len - blocks_len0; + uint8_t *rest0 = input + blocks_len0; + uint32_t blocks_n = blocks_n1; + uint32_t blocks_len = blocks_len0; + uint8_t *blocks = blocks0; + uint32_t rest_len = rest_len0; + uint8_t *rest = rest0; + EverCrypt_Hash_update_multi_256(s, blocks, blocks_n); + EverCrypt_Hash_update_last_256(s, (uint64_t)blocks_len, rest, rest_len); + Hacl_Hash_Core_SHA2_finish_224(s, dst); + } +} + +void +EverCrypt_Hash_hash( + Spec_Hash_Definitions_hash_alg a, + uint8_t *dst, + uint8_t *input, + uint32_t len +) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + Hacl_Hash_MD5_legacy_hash(input, len, dst); + break; + } + case Spec_Hash_Definitions_SHA1: + { + Hacl_Hash_SHA1_legacy_hash(input, len, dst); + break; + } + case Spec_Hash_Definitions_SHA2_224: + { + EverCrypt_Hash_hash_224(input, len, dst); + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + EverCrypt_Hash_hash_256(input, len, dst); + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + Hacl_Hash_SHA2_hash_384(input, len, dst); + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + Hacl_Hash_SHA2_hash_512(input, len, dst); + break; + } + case Spec_Hash_Definitions_Blake2S: + { + Hacl_Hash_Blake2_hash_blake2s_32(input, len, dst); + break; + } + case Spec_Hash_Definitions_Blake2B: + { + Hacl_Hash_Blake2_hash_blake2b_32(input, len, dst); + break; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +uint32_t EverCrypt_Hash_Incremental_hash_len(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + return (uint32_t)16U; + } + case 
Spec_Hash_Definitions_SHA1: + { + return (uint32_t)20U; + } + case Spec_Hash_Definitions_SHA2_224: + { + return (uint32_t)28U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_SHA2_384: + { + return (uint32_t)48U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_Blake2S: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_Blake2B: + { + return (uint32_t)64U; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +uint32_t EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_SHA1: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_SHA2_224: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_SHA2_384: + { + return (uint32_t)128U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return (uint32_t)128U; + } + case Spec_Hash_Definitions_Blake2S: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_Blake2B: + { + return (uint32_t)128U; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ +*EverCrypt_Hash_Incremental_create_in(Spec_Hash_Definitions_hash_alg a) +{ + KRML_CHECK_SIZE(sizeof (uint8_t), EverCrypt_Hash_Incremental_block_len(a)); + { + uint8_t + *buf = (uint8_t *)KRML_HOST_CALLOC(EverCrypt_Hash_Incremental_block_len(a), sizeof (uint8_t)); + EverCrypt_Hash_state_s *block_state = EverCrypt_Hash_create_in(a); + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ s; + s.block_state = block_state; + s.buf = buf; + s.total_len = (uint64_t)0U; + KRML_CHECK_SIZE(sizeof 
(Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____), + (uint32_t)1U); + { + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ + *p = + (Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *)KRML_HOST_MALLOC(sizeof ( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ + )); + p[0U] = s; + EverCrypt_Hash_init(block_state); + return p; + } + } +} + +void +EverCrypt_Hash_Incremental_init(Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *s) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *s; + uint8_t *buf = scrut.buf; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + Spec_Hash_Definitions_hash_alg i = EverCrypt_Hash_alg_of_state(block_state); + EverCrypt_Hash_init(block_state); + { + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ lit; + lit.block_state = block_state; + lit.buf = buf; + lit.total_len = (uint64_t)0U; + s[0U] = lit; + } +} + +void +EverCrypt_Hash_Incremental_update( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ s = *p; + EverCrypt_Hash_state_s *block_state = s.block_state; + uint64_t total_len = s.total_len; + Spec_Hash_Definitions_hash_alg i1 = EverCrypt_Hash_alg_of_state(block_state); + uint32_t sz; + if + ( + total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(i1) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + sz = EverCrypt_Hash_Incremental_block_len(i1); + } + else + { + sz = (uint32_t)(total_len % (uint64_t)EverCrypt_Hash_Incremental_block_len(i1)); + } + if (len <= EverCrypt_Hash_Incremental_block_len(i1) - sz) + { + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ s1 = *p; + EverCrypt_Hash_state_s *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + Spec_Hash_Definitions_hash_alg i2 = EverCrypt_Hash_alg_of_state(block_state1); + uint32_t sz1; + if + ( + 
total_len1 + % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = EverCrypt_Hash_Incremental_block_len(i2); + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2)); + } + { + uint8_t *buf2 = buf + sz1; + uint64_t total_len2; + memcpy(buf2, data, len * sizeof (uint8_t)); + total_len2 = total_len1 + (uint64_t)len; + { + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ lit; + lit.block_state = block_state1; + lit.buf = buf; + lit.total_len = total_len2; + *p = lit; + return; + } + } + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ s1 = *p; + EverCrypt_Hash_state_s *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + Spec_Hash_Definitions_hash_alg i2 = EverCrypt_Hash_alg_of_state(block_state1); + uint32_t sz1; + if + ( + total_len1 + % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = EverCrypt_Hash_Incremental_block_len(i2); + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2)); + } + { + uint32_t ite; + uint32_t n_blocks; + uint32_t data1_len; + uint32_t data2_len; + uint8_t *data1; + uint8_t *data2; + uint8_t *dst; + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + EverCrypt_Hash_update_multi2(block_state1, + prevlen, + buf, + EverCrypt_Hash_Incremental_block_len(i2)); + } + if + ( + (uint64_t)len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2) + == (uint64_t)0U + && (uint64_t)len > (uint64_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(i2); + } + else + { + ite = (uint32_t)((uint64_t)len % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2)); + } + n_blocks = (len - ite) / EverCrypt_Hash_Incremental_block_len(i2); + data1_len = n_blocks * EverCrypt_Hash_Incremental_block_len(i2); + data2_len = len - 
data1_len; + data1 = data; + data2 = data + data1_len; + EverCrypt_Hash_update_multi2(block_state1, total_len1, data1, data1_len); + dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + { + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ lit; + lit.block_state = block_state1; + lit.buf = buf; + lit.total_len = total_len1 + (uint64_t)len; + *p = lit; + return; + } + } + } + { + uint32_t diff = EverCrypt_Hash_Incremental_block_len(i1) - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ s10 = *p; + EverCrypt_Hash_state_s *block_state10 = s10.block_state; + uint8_t *buf0 = s10.buf; + uint64_t total_len10 = s10.total_len; + Spec_Hash_Definitions_hash_alg i20 = EverCrypt_Hash_alg_of_state(block_state10); + uint32_t sz10; + if + ( + total_len10 + % (uint64_t)EverCrypt_Hash_Incremental_block_len(i20) + == (uint64_t)0U + && total_len10 > (uint64_t)0U + ) + { + sz10 = EverCrypt_Hash_Incremental_block_len(i20); + } + else + { + sz10 = (uint32_t)(total_len10 % (uint64_t)EverCrypt_Hash_Incremental_block_len(i20)); + } + { + uint8_t *buf2 = buf0 + sz10; + uint64_t total_len2; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + total_len2 = total_len10 + (uint64_t)diff; + { + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ lit; + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ s1; + EverCrypt_Hash_state_s *block_state1; + uint8_t *buf; + uint64_t total_len1; + Spec_Hash_Definitions_hash_alg i2; + uint32_t sz1; + uint32_t ite; + uint32_t n_blocks; + uint32_t data1_len; + uint32_t data2_len; + uint8_t *data11; + uint8_t *data21; + uint8_t *dst; + lit.block_state = block_state10; + lit.buf = buf0; + lit.total_len = total_len2; + *p = lit; + s1 = *p; + block_state1 = s1.block_state; + buf = s1.buf; + total_len1 = s1.total_len; + i2 = EverCrypt_Hash_alg_of_state(block_state1); + if + ( + total_len1 + % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2) + == 
(uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = EverCrypt_Hash_Incremental_block_len(i2); + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2)); + } + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + EverCrypt_Hash_update_multi2(block_state1, + prevlen, + buf, + EverCrypt_Hash_Incremental_block_len(i2)); + } + if + ( + (uint64_t)(len - diff) + % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2) + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(i2); + } + else + { + ite = + (uint32_t)((uint64_t)(len - diff) % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2)); + } + n_blocks = (len - diff - ite) / EverCrypt_Hash_Incremental_block_len(i2); + data1_len = n_blocks * EverCrypt_Hash_Incremental_block_len(i2); + data2_len = len - diff - data1_len; + data11 = data2; + data21 = data2 + data1_len; + EverCrypt_Hash_update_multi2(block_state1, total_len1, data11, data1_len); + dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + { + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ lit0; + lit0.block_state = block_state1; + lit0.buf = buf; + lit0.total_len = total_len1 + (uint64_t)(len - diff); + *p = lit0; + } + } + } + } +} + +void +EverCrypt_Hash_Incremental_finish_md5( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *p; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_MD5) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_MD5); + } + else + { + r = + (uint32_t)(total_len + % 
(uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_MD5)); + } + { + uint8_t *buf_1 = buf_; + EverCrypt_Hash_state_s s; + s.tag = EverCrypt_Hash_MD5_s; + { + uint32_t buf[4U] = { 0U }; + s.val.case_MD5_s = buf; + { + EverCrypt_Hash_state_s tmp_block_state = s; + uint64_t prev_len; + uint32_t ite; + uint8_t *buf_last; + uint8_t *buf_multi; + uint64_t prev_len_last; + EverCrypt_Hash_copy(block_state, &tmp_block_state); + prev_len = total_len - (uint64_t)r; + if + ( + r + % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_MD5) + == (uint32_t)0U + && r > (uint32_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_MD5); + } + else + { + ite = r % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_MD5); + } + buf_last = buf_1 + r - ite; + buf_multi = buf_1; + EverCrypt_Hash_update_multi2(&tmp_block_state, prev_len, buf_multi, (uint32_t)0U); + prev_len_last = total_len - (uint64_t)r; + EverCrypt_Hash_update_last2(&tmp_block_state, prev_len_last, buf_last, r); + EverCrypt_Hash_finish(&tmp_block_state, dst); + } + } + } +} + +void +EverCrypt_Hash_Incremental_finish_sha1( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *p; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA1) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA1); + } + else + { + r = + (uint32_t)(total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA1)); + } + { + uint8_t *buf_1 = buf_; + EverCrypt_Hash_state_s s; + s.tag = EverCrypt_Hash_SHA1_s; + { + uint32_t buf[5U] = { 0U }; + s.val.case_SHA1_s = buf; + { + EverCrypt_Hash_state_s tmp_block_state = 
s; + uint64_t prev_len; + uint32_t ite; + uint8_t *buf_last; + uint8_t *buf_multi; + uint64_t prev_len_last; + EverCrypt_Hash_copy(block_state, &tmp_block_state); + prev_len = total_len - (uint64_t)r; + if + ( + r + % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA1) + == (uint32_t)0U + && r > (uint32_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA1); + } + else + { + ite = r % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA1); + } + buf_last = buf_1 + r - ite; + buf_multi = buf_1; + EverCrypt_Hash_update_multi2(&tmp_block_state, prev_len, buf_multi, (uint32_t)0U); + prev_len_last = total_len - (uint64_t)r; + EverCrypt_Hash_update_last2(&tmp_block_state, prev_len_last, buf_last, r); + EverCrypt_Hash_finish(&tmp_block_state, dst); + } + } + } +} + +void +EverCrypt_Hash_Incremental_finish_sha224( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *p; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_224) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_224); + } + else + { + r = + (uint32_t)(total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_224)); + } + { + uint8_t *buf_1 = buf_; + EverCrypt_Hash_state_s s; + s.tag = EverCrypt_Hash_SHA2_224_s; + { + uint32_t buf[8U] = { 0U }; + s.val.case_SHA2_224_s = buf; + { + EverCrypt_Hash_state_s tmp_block_state = s; + uint64_t prev_len; + uint32_t ite; + uint8_t *buf_last; + uint8_t *buf_multi; + uint64_t prev_len_last; + EverCrypt_Hash_copy(block_state, &tmp_block_state); + prev_len = total_len - (uint64_t)r; + if + ( + r + % 
EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_224) + == (uint32_t)0U + && r > (uint32_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_224); + } + else + { + ite = r % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_224); + } + buf_last = buf_1 + r - ite; + buf_multi = buf_1; + EverCrypt_Hash_update_multi2(&tmp_block_state, prev_len, buf_multi, (uint32_t)0U); + prev_len_last = total_len - (uint64_t)r; + EverCrypt_Hash_update_last2(&tmp_block_state, prev_len_last, buf_last, r); + EverCrypt_Hash_finish(&tmp_block_state, dst); + } + } + } +} + +void +EverCrypt_Hash_Incremental_finish_sha256( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *p; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_256) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_256); + } + else + { + r = + (uint32_t)(total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_256)); + } + { + uint8_t *buf_1 = buf_; + EverCrypt_Hash_state_s s; + s.tag = EverCrypt_Hash_SHA2_256_s; + { + uint32_t buf[8U] = { 0U }; + s.val.case_SHA2_256_s = buf; + { + EverCrypt_Hash_state_s tmp_block_state = s; + uint64_t prev_len; + uint32_t ite; + uint8_t *buf_last; + uint8_t *buf_multi; + uint64_t prev_len_last; + EverCrypt_Hash_copy(block_state, &tmp_block_state); + prev_len = total_len - (uint64_t)r; + if + ( + r + % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_256) + == (uint32_t)0U + && r > (uint32_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_256); + } + else + { + ite = r % 
EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_256); + } + buf_last = buf_1 + r - ite; + buf_multi = buf_1; + EverCrypt_Hash_update_multi2(&tmp_block_state, prev_len, buf_multi, (uint32_t)0U); + prev_len_last = total_len - (uint64_t)r; + EverCrypt_Hash_update_last2(&tmp_block_state, prev_len_last, buf_last, r); + EverCrypt_Hash_finish(&tmp_block_state, dst); + } + } + } +} + +void +EverCrypt_Hash_Incremental_finish_sha384( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *p; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_384) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_384); + } + else + { + r = + (uint32_t)(total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_384)); + } + { + uint8_t *buf_1 = buf_; + EverCrypt_Hash_state_s s; + s.tag = EverCrypt_Hash_SHA2_384_s; + { + uint64_t buf[8U] = { 0U }; + s.val.case_SHA2_384_s = buf; + { + EverCrypt_Hash_state_s tmp_block_state = s; + uint64_t prev_len; + uint32_t ite; + uint8_t *buf_last; + uint8_t *buf_multi; + uint64_t prev_len_last; + EverCrypt_Hash_copy(block_state, &tmp_block_state); + prev_len = total_len - (uint64_t)r; + if + ( + r + % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_384) + == (uint32_t)0U + && r > (uint32_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_384); + } + else + { + ite = r % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_384); + } + buf_last = buf_1 + r - ite; + buf_multi = buf_1; + EverCrypt_Hash_update_multi2(&tmp_block_state, prev_len, buf_multi, (uint32_t)0U); + prev_len_last = total_len 
- (uint64_t)r; + EverCrypt_Hash_update_last2(&tmp_block_state, prev_len_last, buf_last, r); + EverCrypt_Hash_finish(&tmp_block_state, dst); + } + } + } +} + +void +EverCrypt_Hash_Incremental_finish_sha512( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *p; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_512) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_512); + } + else + { + r = + (uint32_t)(total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_512)); + } + { + uint8_t *buf_1 = buf_; + EverCrypt_Hash_state_s s; + s.tag = EverCrypt_Hash_SHA2_512_s; + { + uint64_t buf[8U] = { 0U }; + s.val.case_SHA2_512_s = buf; + { + EverCrypt_Hash_state_s tmp_block_state = s; + uint64_t prev_len; + uint32_t ite; + uint8_t *buf_last; + uint8_t *buf_multi; + uint64_t prev_len_last; + EverCrypt_Hash_copy(block_state, &tmp_block_state); + prev_len = total_len - (uint64_t)r; + if + ( + r + % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_512) + == (uint32_t)0U + && r > (uint32_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_512); + } + else + { + ite = r % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_512); + } + buf_last = buf_1 + r - ite; + buf_multi = buf_1; + EverCrypt_Hash_update_multi2(&tmp_block_state, prev_len, buf_multi, (uint32_t)0U); + prev_len_last = total_len - (uint64_t)r; + EverCrypt_Hash_update_last2(&tmp_block_state, prev_len_last, buf_last, r); + EverCrypt_Hash_finish(&tmp_block_state, dst); + } + } + } +} + +void +EverCrypt_Hash_Incremental_finish_blake2s( + 
Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *p; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2S) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2S); + } + else + { + r = + (uint32_t)(total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2S)); + } + { + uint8_t *buf_1 = buf_; + EverCrypt_Hash_state_s s; + s.tag = EverCrypt_Hash_Blake2S_s; + { + uint32_t buf[16U] = { 0U }; + s.val.case_Blake2S_s = buf; + { + EverCrypt_Hash_state_s tmp_block_state = s; + uint64_t prev_len; + uint32_t ite; + uint8_t *buf_last; + uint8_t *buf_multi; + uint64_t prev_len_last; + EverCrypt_Hash_copy(block_state, &tmp_block_state); + prev_len = total_len - (uint64_t)r; + if + ( + r + % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2S) + == (uint32_t)0U + && r > (uint32_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2S); + } + else + { + ite = r % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2S); + } + buf_last = buf_1 + r - ite; + buf_multi = buf_1; + EverCrypt_Hash_update_multi2(&tmp_block_state, prev_len, buf_multi, (uint32_t)0U); + prev_len_last = total_len - (uint64_t)r; + EverCrypt_Hash_update_last2(&tmp_block_state, prev_len_last, buf_last, r); + EverCrypt_Hash_finish(&tmp_block_state, dst); + } + } + } +} + +void +EverCrypt_Hash_Incremental_finish_blake2b( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *p; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + uint8_t *buf_ = 
scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2B) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2B); + } + else + { + r = + (uint32_t)(total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2B)); + } + { + uint8_t *buf_1 = buf_; + EverCrypt_Hash_state_s s; + s.tag = EverCrypt_Hash_Blake2B_s; + { + uint64_t buf[16U] = { 0U }; + s.val.case_Blake2B_s = buf; + { + EverCrypt_Hash_state_s tmp_block_state = s; + uint64_t prev_len; + uint32_t ite; + uint8_t *buf_last; + uint8_t *buf_multi; + uint64_t prev_len_last; + EverCrypt_Hash_copy(block_state, &tmp_block_state); + prev_len = total_len - (uint64_t)r; + if + ( + r + % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2B) + == (uint32_t)0U + && r > (uint32_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2B); + } + else + { + ite = r % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2B); + } + buf_last = buf_1 + r - ite; + buf_multi = buf_1; + EverCrypt_Hash_update_multi2(&tmp_block_state, prev_len, buf_multi, (uint32_t)0U); + prev_len_last = total_len - (uint64_t)r; + EverCrypt_Hash_update_last2(&tmp_block_state, prev_len_last, buf_last, r); + EverCrypt_Hash_finish(&tmp_block_state, dst); + } + } + } +} + +Spec_Hash_Definitions_hash_alg +EverCrypt_Hash_Incremental_alg_of_state( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *s +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *s; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + return EverCrypt_Hash_alg_of_state(block_state); +} + +void +EverCrypt_Hash_Incremental_finish( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *s, + uint8_t *dst +) +{ + Spec_Hash_Definitions_hash_alg a1 = 
EverCrypt_Hash_Incremental_alg_of_state(s); + switch (a1) + { + case Spec_Hash_Definitions_MD5: + { + EverCrypt_Hash_Incremental_finish_md5(s, dst); + break; + } + case Spec_Hash_Definitions_SHA1: + { + EverCrypt_Hash_Incremental_finish_sha1(s, dst); + break; + } + case Spec_Hash_Definitions_SHA2_224: + { + EverCrypt_Hash_Incremental_finish_sha224(s, dst); + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + EverCrypt_Hash_Incremental_finish_sha256(s, dst); + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + EverCrypt_Hash_Incremental_finish_sha384(s, dst); + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + EverCrypt_Hash_Incremental_finish_sha512(s, dst); + break; + } + case Spec_Hash_Definitions_Blake2S: + { + EverCrypt_Hash_Incremental_finish_blake2s(s, dst); + break; + } + case Spec_Hash_Definitions_Blake2B: + { + EverCrypt_Hash_Incremental_finish_blake2b(s, dst); + break; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +void +EverCrypt_Hash_Incremental_free(Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *s) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *s; + uint8_t *buf = scrut.buf; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + EverCrypt_Hash_free(block_state); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s); +} + diff --git a/src/c89/EverCrypt_Poly1305.c b/src/c89/EverCrypt_Poly1305.c new file mode 100644 index 00000000..a0fae2ca --- /dev/null +++ b/src/c89/EverCrypt_Poly1305.c 
@@ -0,0 +1,100 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_Poly1305.h" + +#include "internal/Vale.h" + +static void poly1305_vale(uint8_t *dst, uint8_t *src, uint32_t len, uint8_t *key) +{ + uint8_t ctx[192U] = { 0U }; + uint32_t n_blocks; + uint32_t n_extra; + memcpy(ctx + (uint32_t)24U, key, (uint32_t)32U * sizeof (uint8_t)); + n_blocks = len / (uint32_t)16U; + n_extra = len % (uint32_t)16U; + { + uint8_t tmp[16U]; + if (n_extra == (uint32_t)0U) + { + uint64_t scrut = x64_poly1305(ctx, src, (uint64_t)len, (uint64_t)1U); + } + else + { + uint8_t init = (uint8_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + tmp[i] = init; + } + } + { + uint32_t len16 = n_blocks * (uint32_t)16U; + uint8_t *src16 = src; + memcpy(tmp, src + len16, n_extra * sizeof (uint8_t)); + { + uint64_t scrut = x64_poly1305(ctx, src16, (uint64_t)len16, (uint64_t)0U); + memcpy(ctx + (uint32_t)24U, key, (uint32_t)32U * sizeof (uint8_t)); + { + uint64_t scrut0 = x64_poly1305(ctx, tmp, (uint64_t)n_extra, (uint64_t)1U); + } + } + } + } + memcpy(dst, ctx, (uint32_t)16U * sizeof (uint8_t)); + } +} + +void EverCrypt_Poly1305_poly1305(uint8_t *dst, uint8_t *src, uint32_t len, uint8_t *key) +{ + bool avx2 = EverCrypt_AutoConfig2_has_avx2(); + bool avx = EverCrypt_AutoConfig2_has_avx(); + bool vec256 = EverCrypt_AutoConfig2_has_vec256(); + bool vec128 = EverCrypt_AutoConfig2_has_vec128(); + bool vale = EverCrypt_AutoConfig2_wants_vale(); + #if HACL_CAN_COMPILE_VEC256 + if (vec256) + { + Hacl_Poly1305_256_poly1305_mac(dst, len, src, key); + return; + } + #endif + #if HACL_CAN_COMPILE_VEC128 + if (vec128) + { + Hacl_Poly1305_128_poly1305_mac(dst, len, src, key); + return; + } + #endif + #if HACL_CAN_COMPILE_VALE + if (vale) + { + poly1305_vale(dst, src, len, key); + return; + } + #endif + Hacl_Poly1305_32_poly1305_mac(dst, len, src, key); +} + diff --git a/src/c89/Hacl_Bignum.c b/src/c89/Hacl_Bignum.c new file mode 100644 index 00000000..4cecba17 --- /dev/null +++ b/src/c89/Hacl_Bignum.c 
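Review bot: `poly1305_vale` is defined unconditionally but its only caller is inside `#if HACL_CAN_COMPILE_VALE`, so in a non-Vale build it is an unused static function whose body still references `x64_poly1305`, which can surface as an unused-function warning or, at -O0, an unresolved symbol from a header that was pulled in regardless of configuration; wrapping the definition together with `#include "internal/Vale.h"` in the same `#if HACL_CAN_COMPILE_VALE` / `#endif` pair as the call site would keep the translation unit self-consistent. Inside that function the results of both `x64_poly1305` calls are bound to never-read locals (`scrut`, `scrut0`), and in `EverCrypt_Poly1305_poly1305` the `avx2` and `avx` flags are never consulted (`vec256`/`vec128`/`vale` also go unused when the matching `HACL_CAN_COMPILE_*` is off); either drop them or mark them `(void)` so `-Wunused` stays clean. `ctx` receives a copy of the 32-byte one-time key at offset 24 and, like `tmp`, is left on the stack when the function returns; if the project has a secure-wipe helper, clearing both before returning is the expected hygiene for a MAC primitive, otherwise a comment such as `/* NOTE: ctx holds the key; no wipe on exit */` makes the omission visible to the next reader.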
@@ -0,0 +1,3634 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Bignum.h" + + + +void Hacl_Bignum_Convert_bn_from_bytes_be_uint64(uint32_t len, uint8_t *b, uint64_t *res) +{ + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + { + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < bnLen; i++) + { + uint64_t *os = res; + uint64_t u = load64_be(tmp + (bnLen - i - (uint32_t)1U) * (uint32_t)8U); + uint64_t x = u; + os[i] = x; + } + } + } +} + +void Hacl_Bignum_Convert_bn_to_bytes_be_uint64(uint32_t len, uint64_t *b, uint8_t *res) +{ + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + { + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + { + uint32_t numb = (uint32_t)8U; + { + uint32_t i; + for (i = (uint32_t)0U; i < bnLen; i++) + { + store64_be(tmp + i * numb, b[bnLen - i - (uint32_t)1U]); + } + } + memcpy(res, tmp + tmpLen - len, len * sizeof (uint8_t)); + } + } +} + +uint32_t Hacl_Bignum_Lib_bn_get_top_index_u32(uint32_t len, uint32_t *b) +{ + uint32_t priv = (uint32_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint32_t mask = FStar_UInt32_eq_mask(b[i], (uint32_t)0U); + priv = (mask & priv) | (~mask & i); + } + } + return priv; +} + +uint64_t Hacl_Bignum_Lib_bn_get_top_index_u64(uint32_t len, uint64_t *b) +{ + uint64_t priv = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint64_t mask = FStar_UInt64_eq_mask(b[i], (uint64_t)0U); + priv = (mask & priv) | (~mask & (uint64_t)i); + } + } + return priv; +} + +uint32_t +Hacl_Bignum_Addition_bn_sub_eq_len_u32(uint32_t aLen, uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c = (uint32_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < aLen / 
(uint32_t)4U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t20, res_i0); + { + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, t21, res_i1); + { + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, t22, res_i2); + { + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = aLen / (uint32_t)4U * (uint32_t)4U; i < aLen; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t2, res_i); + } + } + return c; +} + +uint64_t +Hacl_Bignum_Addition_bn_sub_eq_len_u64(uint32_t aLen, uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < aLen / (uint32_t)4U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); + { + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); + { + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = 
Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); + { + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = aLen / (uint32_t)4U * (uint32_t)4U; i < aLen; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t2, res_i); + } + } + return c; +} + +uint32_t +Hacl_Bignum_Addition_bn_add_eq_len_u32(uint32_t aLen, uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c = (uint32_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < aLen / (uint32_t)4U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t20, res_i0); + { + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t10, t21, res_i1); + { + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t11, t22, res_i2); + { + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = aLen / (uint32_t)4U * (uint32_t)4U; i < aLen; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t2, res_i); + } + } + return c; +} + +uint64_t +Hacl_Bignum_Addition_bn_add_eq_len_u64(uint32_t aLen, 
uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < aLen / (uint32_t)4U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t20, res_i0); + { + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t10, t21, res_i1); + { + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, t22, res_i2); + { + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = aLen / (uint32_t)4U * (uint32_t)4U; i < aLen; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t2, res_i); + } + } + return c; +} + +static inline void +bn_mul_u32(uint32_t aLen, uint32_t *a, uint32_t bLen, uint32_t *b, uint32_t *res) +{ + uint32_t i; + memset(res, 0U, (aLen + bLen) * sizeof (uint32_t)); + for (i = (uint32_t)0U; i < bLen; i++) + { + uint32_t bj = b[i]; + uint32_t *res_j = res + i; + uint32_t c = (uint32_t)0U; + uint32_t r; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < aLen / (uint32_t)4U; i0++) + { + uint32_t a_i = a[(uint32_t)4U * i0]; + uint32_t *res_i0 = res_j + (uint32_t)4U * i0; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, bj, c, res_i0); + { + uint32_t a_i0 = a[(uint32_t)4U * i0 + (uint32_t)1U]; + uint32_t *res_i1 = res_j + (uint32_t)4U * i0 + (uint32_t)1U; + c = 
Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, bj, c, res_i1); + { + uint32_t a_i1 = a[(uint32_t)4U * i0 + (uint32_t)2U]; + uint32_t *res_i2 = res_j + (uint32_t)4U * i0 + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, bj, c, res_i2); + { + uint32_t a_i2 = a[(uint32_t)4U * i0 + (uint32_t)3U]; + uint32_t *res_i = res_j + (uint32_t)4U * i0 + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, bj, c, res_i); + } + } + } + } + } + { + uint32_t i0; + for (i0 = aLen / (uint32_t)4U * (uint32_t)4U; i0 < aLen; i0++) + { + uint32_t a_i = a[i0]; + uint32_t *res_i = res_j + i0; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, bj, c, res_i); + } + } + r = c; + res[aLen + i] = r; + } +} + +static inline void +bn_mul_u64(uint32_t aLen, uint64_t *a, uint32_t bLen, uint64_t *b, uint64_t *res) +{ + uint32_t i; + memset(res, 0U, (aLen + bLen) * sizeof (uint64_t)); + for (i = (uint32_t)0U; i < bLen; i++) + { + uint64_t bj = b[i]; + uint64_t *res_j = res + i; + uint64_t c = (uint64_t)0U; + uint64_t r; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < aLen / (uint32_t)4U; i0++) + { + uint64_t a_i = a[(uint32_t)4U * i0]; + uint64_t *res_i0 = res_j + (uint32_t)4U * i0; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, bj, c, res_i0); + { + uint64_t a_i0 = a[(uint32_t)4U * i0 + (uint32_t)1U]; + uint64_t *res_i1 = res_j + (uint32_t)4U * i0 + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, bj, c, res_i1); + { + uint64_t a_i1 = a[(uint32_t)4U * i0 + (uint32_t)2U]; + uint64_t *res_i2 = res_j + (uint32_t)4U * i0 + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, bj, c, res_i2); + { + uint64_t a_i2 = a[(uint32_t)4U * i0 + (uint32_t)3U]; + uint64_t *res_i = res_j + (uint32_t)4U * i0 + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, bj, c, res_i); + } + } + } + } + } + { + uint32_t i0; + for (i0 = aLen / (uint32_t)4U * (uint32_t)4U; i0 < aLen; i0++) + { + uint64_t a_i = a[i0]; + uint64_t *res_i = res_j + i0; + c = 
Hacl_Bignum_Base_mul_wide_add2_u64(a_i, bj, c, res_i); + } + } + r = c; + res[aLen + i] = r; + } +} + +static inline void bn_sqr_u32(uint32_t aLen, uint32_t *a, uint32_t *res) +{ + uint32_t c0; + memset(res, 0U, (aLen + aLen) * sizeof (uint32_t)); + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < aLen; i0++) + { + uint32_t *ab = a; + uint32_t a_j = a[i0]; + uint32_t *res_j = res + i0; + uint32_t c = (uint32_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < i0 / (uint32_t)4U; i++) + { + uint32_t a_i = ab[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, a_j, c, res_i0); + { + uint32_t a_i0 = ab[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, a_j, c, res_i1); + { + uint32_t a_i1 = ab[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, a_j, c, res_i2); + { + uint32_t a_i2 = ab[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, a_j, c, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = i0 / (uint32_t)4U * (uint32_t)4U; i < i0; i++) + { + uint32_t a_i = ab[i]; + uint32_t *res_i = res_j + i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, a_j, c, res_i); + } + } + { + uint32_t r = c; + res[i0 + i0] = r; + } + } + } + c0 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen + aLen, res, res, res); + KRML_CHECK_SIZE(sizeof (uint32_t), aLen + aLen); + { + uint32_t tmp[aLen + aLen]; + memset(tmp, 0U, (aLen + aLen) * sizeof (uint32_t)); + { + uint32_t c1; + { + uint32_t i; + for (i = (uint32_t)0U; i < aLen; i++) + { + uint64_t res1 = (uint64_t)a[i] * (uint64_t)a[i]; + uint32_t hi = (uint32_t)(res1 >> (uint32_t)32U); + uint32_t lo = (uint32_t)res1; + tmp[(uint32_t)2U * i] = lo; + tmp[(uint32_t)2U * i + (uint32_t)1U] = hi; + } + } + c1 = 
Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen + aLen, res, tmp, res); + } + } +} + +static inline void bn_sqr_u64(uint32_t aLen, uint64_t *a, uint64_t *res) +{ + uint64_t c0; + memset(res, 0U, (aLen + aLen) * sizeof (uint64_t)); + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < aLen; i0++) + { + uint64_t *ab = a; + uint64_t a_j = a[i0]; + uint64_t *res_j = res + i0; + uint64_t c = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < i0 / (uint32_t)4U; i++) + { + uint64_t a_i = ab[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c, res_i0); + { + uint64_t a_i0 = ab[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, a_j, c, res_i1); + { + uint64_t a_i1 = ab[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, a_j, c, res_i2); + { + uint64_t a_i2 = ab[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, a_j, c, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = i0 / (uint32_t)4U * (uint32_t)4U; i < i0; i++) + { + uint64_t a_i = ab[i]; + uint64_t *res_i = res_j + i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c, res_i); + } + } + { + uint64_t r = c; + res[i0 + i0] = r; + } + } + } + c0 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen + aLen, res, res, res); + KRML_CHECK_SIZE(sizeof (uint64_t), aLen + aLen); + { + uint64_t tmp[aLen + aLen]; + memset(tmp, 0U, (aLen + aLen) * sizeof (uint64_t)); + { + uint64_t c1; + { + uint32_t i; + for (i = (uint32_t)0U; i < aLen; i++) + { + FStar_UInt128_uint128 res1 = FStar_UInt128_mul_wide(a[i], a[i]); + uint64_t + hi = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res1, (uint32_t)64U)); + uint64_t lo = FStar_UInt128_uint128_to_uint64(res1); + tmp[(uint32_t)2U * i] = lo; + 
tmp[(uint32_t)2U * i + (uint32_t)1U] = hi; + } + } + c1 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen + aLen, res, tmp, res); + } + } +} + +void +Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32( + uint32_t aLen, + uint32_t *a, + uint32_t *b, + uint32_t *tmp, + uint32_t *res +) +{ + if (aLen < (uint32_t)32U || aLen % (uint32_t)2U == (uint32_t)1U) + { + bn_mul_u32(aLen, a, aLen, b, res); + return; + } + { + uint32_t len2 = aLen / (uint32_t)2U; + uint32_t *a0 = a; + uint32_t *a1 = a + len2; + uint32_t *b0 = b; + uint32_t *b1 = b + len2; + uint32_t *t0 = tmp; + uint32_t *t1 = tmp + len2; + uint32_t *tmp_ = tmp + aLen; + uint32_t c0 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(len2, a0, a1, tmp_); + uint32_t c10 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(len2, a1, a0, t0); + uint32_t c00; + uint32_t c010; + uint32_t c11; + uint32_t c1; + uint32_t *t23; + uint32_t *tmp1; + uint32_t *r01; + uint32_t *r23; + uint32_t *r011; + uint32_t *r231; + uint32_t *t01; + uint32_t *t231; + uint32_t *t45; + uint32_t *t67; + uint32_t c2; + uint32_t c_sign; + uint32_t c3; + uint32_t c31; + uint32_t c4; + uint32_t c41; + uint32_t mask; + uint32_t c5; + uint32_t aLen2; + uint32_t *r0; + uint32_t r10; + uint32_t c9; + uint32_t c6; + uint32_t c7; + uint32_t *r; + uint32_t c01; + uint32_t r1; + uint32_t c8; + uint32_t c12; + uint32_t c13; + { + uint32_t i; + for (i = (uint32_t)0U; i < len2; i++) + { + uint32_t *os = t0; + uint32_t x = (((uint32_t)0U - c0) & t0[i]) | (~((uint32_t)0U - c0) & tmp_[i]); + os[i] = x; + } + } + c00 = c0; + c010 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(len2, b0, b1, tmp_); + c11 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(len2, b1, b0, t1); + { + uint32_t i; + for (i = (uint32_t)0U; i < len2; i++) + { + uint32_t *os = t1; + uint32_t x = (((uint32_t)0U - c010) & t1[i]) | (~((uint32_t)0U - c010) & tmp_[i]); + os[i] = x; + } + } + c1 = c010; + t23 = tmp + aLen; + tmp1 = tmp + aLen + aLen; + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len2, t0, t1, tmp1, t23); + r01 = res; + r23 
= res + aLen; + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len2, a0, b0, tmp1, r01); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len2, a1, b1, tmp1, r23); + r011 = res; + r231 = res + aLen; + t01 = tmp; + t231 = tmp + aLen; + t45 = tmp + (uint32_t)2U * aLen; + t67 = tmp + (uint32_t)3U * aLen; + c2 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen, r011, r231, t01); + c_sign = c00 ^ c1; + c3 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(aLen, t01, t231, t67); + c31 = c2 - c3; + c4 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen, t01, t231, t45); + c41 = c2 + c4; + mask = (uint32_t)0U - c_sign; + { + uint32_t i; + for (i = (uint32_t)0U; i < aLen; i++) + { + uint32_t *os = t45; + uint32_t x = (mask & t45[i]) | (~mask & t67[i]); + os[i] = x; + } + } + c5 = (mask & c41) | (~mask & c31); + aLen2 = aLen / (uint32_t)2U; + r0 = res + aLen2; + r10 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen, r0, t45, r0); + c9 = r10; + c6 = c9; + c7 = c5 + c6; + r = res + aLen + aLen2; + c01 = Lib_IntTypes_Intrinsics_add_carry_u32((uint32_t)0U, r[0U], c7, r); + if ((uint32_t)1U < aLen + aLen - (aLen + aLen2)) + { + uint32_t rLen = aLen + aLen - (aLen + aLen2) - (uint32_t)1U; + uint32_t *a11 = r + (uint32_t)1U; + uint32_t *res1 = r + (uint32_t)1U; + uint32_t c = c01; + { + uint32_t i; + for (i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint32_t t11 = a11[(uint32_t)4U * i]; + uint32_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t11, (uint32_t)0U, res_i0); + { + uint32_t t110 = a11[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t110, (uint32_t)0U, res_i1); + { + uint32_t t111 = a11[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t111, (uint32_t)0U, res_i2); + { + uint32_t t112 = a11[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res1 + (uint32_t)4U * i + 
(uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t112, (uint32_t)0U, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint32_t t11 = a11[i]; + uint32_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t11, (uint32_t)0U, res_i); + } + } + { + uint32_t c110 = c; + r1 = c110; + } + } + else + { + r1 = c01; + } + c8 = r1; + c12 = c8; + c13 = c12; + } +} + +void +Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64( + uint32_t aLen, + uint64_t *a, + uint64_t *b, + uint64_t *tmp, + uint64_t *res +) +{ + if (aLen < (uint32_t)32U || aLen % (uint32_t)2U == (uint32_t)1U) + { + bn_mul_u64(aLen, a, aLen, b, res); + return; + } + { + uint32_t len2 = aLen / (uint32_t)2U; + uint64_t *a0 = a; + uint64_t *a1 = a + len2; + uint64_t *b0 = b; + uint64_t *b1 = b + len2; + uint64_t *t0 = tmp; + uint64_t *t1 = tmp + len2; + uint64_t *tmp_ = tmp + aLen; + uint64_t c0 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(len2, a0, a1, tmp_); + uint64_t c10 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(len2, a1, a0, t0); + uint64_t c00; + uint64_t c010; + uint64_t c11; + uint64_t c1; + uint64_t *t23; + uint64_t *tmp1; + uint64_t *r01; + uint64_t *r23; + uint64_t *r011; + uint64_t *r231; + uint64_t *t01; + uint64_t *t231; + uint64_t *t45; + uint64_t *t67; + uint64_t c2; + uint64_t c_sign; + uint64_t c3; + uint64_t c31; + uint64_t c4; + uint64_t c41; + uint64_t mask; + uint64_t c5; + uint32_t aLen2; + uint64_t *r0; + uint64_t r10; + uint64_t c9; + uint64_t c6; + uint64_t c7; + uint64_t *r; + uint64_t c01; + uint64_t r1; + uint64_t c8; + uint64_t c12; + uint64_t c13; + { + uint32_t i; + for (i = (uint32_t)0U; i < len2; i++) + { + uint64_t *os = t0; + uint64_t x = (((uint64_t)0U - c0) & t0[i]) | (~((uint64_t)0U - c0) & tmp_[i]); + os[i] = x; + } + } + c00 = c0; + c010 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(len2, b0, b1, tmp_); + c11 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(len2, b1, b0, t1); + { + uint32_t i; + for (i = 
(uint32_t)0U; i < len2; i++) + { + uint64_t *os = t1; + uint64_t x = (((uint64_t)0U - c010) & t1[i]) | (~((uint64_t)0U - c010) & tmp_[i]); + os[i] = x; + } + } + c1 = c010; + t23 = tmp + aLen; + tmp1 = tmp + aLen + aLen; + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len2, t0, t1, tmp1, t23); + r01 = res; + r23 = res + aLen; + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len2, a0, b0, tmp1, r01); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len2, a1, b1, tmp1, r23); + r011 = res; + r231 = res + aLen; + t01 = tmp; + t231 = tmp + aLen; + t45 = tmp + (uint32_t)2U * aLen; + t67 = tmp + (uint32_t)3U * aLen; + c2 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen, r011, r231, t01); + c_sign = c00 ^ c1; + c3 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(aLen, t01, t231, t67); + c31 = c2 - c3; + c4 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen, t01, t231, t45); + c41 = c2 + c4; + mask = (uint64_t)0U - c_sign; + { + uint32_t i; + for (i = (uint32_t)0U; i < aLen; i++) + { + uint64_t *os = t45; + uint64_t x = (mask & t45[i]) | (~mask & t67[i]); + os[i] = x; + } + } + c5 = (mask & c41) | (~mask & c31); + aLen2 = aLen / (uint32_t)2U; + r0 = res + aLen2; + r10 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen, r0, t45, r0); + c9 = r10; + c6 = c9; + c7 = c5 + c6; + r = res + aLen + aLen2; + c01 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, r[0U], c7, r); + if ((uint32_t)1U < aLen + aLen - (aLen + aLen2)) + { + uint32_t rLen = aLen + aLen - (aLen + aLen2) - (uint32_t)1U; + uint64_t *a11 = r + (uint32_t)1U; + uint64_t *res1 = r + (uint32_t)1U; + uint64_t c = c01; + { + uint32_t i; + for (i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint64_t t11 = a11[(uint32_t)4U * i]; + uint64_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, (uint64_t)0U, res_i0); + { + uint64_t t110 = a11[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t110, (uint64_t)0U, 
res_i1); + { + uint64_t t111 = a11[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t111, (uint64_t)0U, res_i2); + { + uint64_t t112 = a11[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t112, (uint64_t)0U, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint64_t t11 = a11[i]; + uint64_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, (uint64_t)0U, res_i); + } + } + { + uint64_t c110 = c; + r1 = c110; + } + } + else + { + r1 = c01; + } + c8 = r1; + c12 = c8; + c13 = c12; + } +} + +void +Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32( + uint32_t aLen, + uint32_t *a, + uint32_t *tmp, + uint32_t *res +) +{ + if (aLen < (uint32_t)32U || aLen % (uint32_t)2U == (uint32_t)1U) + { + bn_sqr_u32(aLen, a, res); + return; + } + { + uint32_t len2 = aLen / (uint32_t)2U; + uint32_t *a0 = a; + uint32_t *a1 = a + len2; + uint32_t *t0 = tmp; + uint32_t *tmp_ = tmp + aLen; + uint32_t c0 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(len2, a0, a1, tmp_); + uint32_t c1 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(len2, a1, a0, t0); + uint32_t c00; + uint32_t *t23; + uint32_t *tmp1; + uint32_t *r01; + uint32_t *r23; + uint32_t *r011; + uint32_t *r231; + uint32_t *t01; + uint32_t *t231; + uint32_t *t45; + uint32_t c2; + uint32_t c3; + uint32_t c5; + uint32_t aLen2; + uint32_t *r0; + uint32_t r10; + uint32_t c4; + uint32_t c6; + uint32_t c7; + uint32_t *r; + uint32_t c01; + uint32_t r1; + uint32_t c8; + uint32_t c9; + uint32_t c10; + { + uint32_t i; + for (i = (uint32_t)0U; i < len2; i++) + { + uint32_t *os = t0; + uint32_t x = (((uint32_t)0U - c0) & t0[i]) | (~((uint32_t)0U - c0) & tmp_[i]); + os[i] = x; + } + } + c00 = c0; + t23 = tmp + aLen; + tmp1 = tmp + aLen + aLen; + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32(len2, t0, 
tmp1, t23); + r01 = res; + r23 = res + aLen; + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32(len2, a0, tmp1, r01); + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32(len2, a1, tmp1, r23); + r011 = res; + r231 = res + aLen; + t01 = tmp; + t231 = tmp + aLen; + t45 = tmp + (uint32_t)2U * aLen; + c2 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen, r011, r231, t01); + c3 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(aLen, t01, t231, t45); + c5 = c2 - c3; + aLen2 = aLen / (uint32_t)2U; + r0 = res + aLen2; + r10 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen, r0, t45, r0); + c4 = r10; + c6 = c4; + c7 = c5 + c6; + r = res + aLen + aLen2; + c01 = Lib_IntTypes_Intrinsics_add_carry_u32((uint32_t)0U, r[0U], c7, r); + if ((uint32_t)1U < aLen + aLen - (aLen + aLen2)) + { + uint32_t rLen = aLen + aLen - (aLen + aLen2) - (uint32_t)1U; + uint32_t *a11 = r + (uint32_t)1U; + uint32_t *res1 = r + (uint32_t)1U; + uint32_t c = c01; + { + uint32_t i; + for (i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint32_t t1 = a11[(uint32_t)4U * i]; + uint32_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, (uint32_t)0U, res_i0); + { + uint32_t t10 = a11[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t10, (uint32_t)0U, res_i1); + { + uint32_t t11 = a11[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t11, (uint32_t)0U, res_i2); + { + uint32_t t12 = a11[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t12, (uint32_t)0U, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint32_t t1 = a11[i]; + uint32_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, (uint32_t)0U, res_i); + } + } + { + uint32_t c11 = c; + r1 
= c11; + } + } + else + { + r1 = c01; + } + c8 = r1; + c9 = c8; + c10 = c9; + } +} + +void +Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64( + uint32_t aLen, + uint64_t *a, + uint64_t *tmp, + uint64_t *res +) +{ + if (aLen < (uint32_t)32U || aLen % (uint32_t)2U == (uint32_t)1U) + { + bn_sqr_u64(aLen, a, res); + return; + } + { + uint32_t len2 = aLen / (uint32_t)2U; + uint64_t *a0 = a; + uint64_t *a1 = a + len2; + uint64_t *t0 = tmp; + uint64_t *tmp_ = tmp + aLen; + uint64_t c0 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(len2, a0, a1, tmp_); + uint64_t c1 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(len2, a1, a0, t0); + uint64_t c00; + uint64_t *t23; + uint64_t *tmp1; + uint64_t *r01; + uint64_t *r23; + uint64_t *r011; + uint64_t *r231; + uint64_t *t01; + uint64_t *t231; + uint64_t *t45; + uint64_t c2; + uint64_t c3; + uint64_t c5; + uint32_t aLen2; + uint64_t *r0; + uint64_t r10; + uint64_t c4; + uint64_t c6; + uint64_t c7; + uint64_t *r; + uint64_t c01; + uint64_t r1; + uint64_t c8; + uint64_t c9; + uint64_t c10; + { + uint32_t i; + for (i = (uint32_t)0U; i < len2; i++) + { + uint64_t *os = t0; + uint64_t x = (((uint64_t)0U - c0) & t0[i]) | (~((uint64_t)0U - c0) & tmp_[i]); + os[i] = x; + } + } + c00 = c0; + t23 = tmp + aLen; + tmp1 = tmp + aLen + aLen; + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64(len2, t0, tmp1, t23); + r01 = res; + r23 = res + aLen; + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64(len2, a0, tmp1, r01); + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64(len2, a1, tmp1, r23); + r011 = res; + r231 = res + aLen; + t01 = tmp; + t231 = tmp + aLen; + t45 = tmp + (uint32_t)2U * aLen; + c2 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen, r011, r231, t01); + c3 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(aLen, t01, t231, t45); + c5 = c2 - c3; + aLen2 = aLen / (uint32_t)2U; + r0 = res + aLen2; + r10 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen, r0, t45, r0); + c4 = r10; + c6 = c4; + c7 = c5 + c6; + r = res + aLen + aLen2; + c01 = 
Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, r[0U], c7, r); + if ((uint32_t)1U < aLen + aLen - (aLen + aLen2)) + { + uint32_t rLen = aLen + aLen - (aLen + aLen2) - (uint32_t)1U; + uint64_t *a11 = r + (uint32_t)1U; + uint64_t *res1 = r + (uint32_t)1U; + uint64_t c = c01; + { + uint32_t i; + for (i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint64_t t1 = a11[(uint32_t)4U * i]; + uint64_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, (uint64_t)0U, res_i0); + { + uint64_t t10 = a11[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t10, (uint64_t)0U, res_i1); + { + uint64_t t11 = a11[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, (uint64_t)0U, res_i2); + { + uint64_t t12 = a11[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t12, (uint64_t)0U, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint64_t t1 = a11[i]; + uint64_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, (uint64_t)0U, res_i); + } + } + { + uint64_t c11 = c; + r1 = c11; + } + } + else + { + r1 = c01; + } + c8 = r1; + c9 = c8; + c10 = c9; + } +} + +void +Hacl_Bignum_bn_add_mod_n_u32( + uint32_t len1, + uint32_t *n, + uint32_t *a, + uint32_t *b, + uint32_t *res +) +{ + uint32_t c2 = (uint32_t)0U; + uint32_t c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < len1 / (uint32_t)4U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c2 = Lib_IntTypes_Intrinsics_add_carry_u32(c2, t1, t20, res_i0); + { + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + 
uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c2 = Lib_IntTypes_Intrinsics_add_carry_u32(c2, t10, t21, res_i1); + { + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c2 = Lib_IntTypes_Intrinsics_add_carry_u32(c2, t11, t22, res_i2); + { + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c2 = Lib_IntTypes_Intrinsics_add_carry_u32(c2, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = len1 / (uint32_t)4U * (uint32_t)4U; i < len1; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c2 = Lib_IntTypes_Intrinsics_add_carry_u32(c2, t1, t2, res_i); + } + } + c0 = c2; + KRML_CHECK_SIZE(sizeof (uint32_t), len1); + { + uint32_t tmp[len1]; + memset(tmp, 0U, len1 * sizeof (uint32_t)); + { + uint32_t c3 = (uint32_t)0U; + uint32_t c1; + uint32_t c; + { + uint32_t i; + for (i = (uint32_t)0U; i < len1 / (uint32_t)4U; i++) + { + uint32_t t1 = res[(uint32_t)4U * i]; + uint32_t t20 = n[(uint32_t)4U * i]; + uint32_t *res_i0 = tmp + (uint32_t)4U * i; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c3, t1, t20, res_i0); + { + uint32_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c3, t10, t21, res_i1); + { + uint32_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c3, t11, t22, res_i2); + { + uint32_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c3 = 
Lib_IntTypes_Intrinsics_sub_borrow_u32(c3, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = len1 / (uint32_t)4U * (uint32_t)4U; i < len1; i++) + { + uint32_t t1 = res[i]; + uint32_t t2 = n[i]; + uint32_t *res_i = tmp + i; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c3, t1, t2, res_i); + } + } + c1 = c3; + c = c0 - c1; + { + uint32_t i; + for (i = (uint32_t)0U; i < len1; i++) + { + uint32_t *os = res; + uint32_t x = (c & res[i]) | (~c & tmp[i]); + os[i] = x; + } + } + } + } +} + +void +Hacl_Bignum_bn_add_mod_n_u64( + uint32_t len1, + uint64_t *n, + uint64_t *a, + uint64_t *b, + uint64_t *res +) +{ + uint64_t c2 = (uint64_t)0U; + uint64_t c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < len1 / (uint32_t)4U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, t1, t20, res_i0); + { + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, t10, t21, res_i1); + { + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, t11, t22, res_i2); + { + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = len1 / (uint32_t)4U * (uint32_t)4U; i < len1; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, t1, t2, res_i); + } + } + c0 = c2; + KRML_CHECK_SIZE(sizeof (uint64_t), len1); + { + uint64_t tmp[len1]; + memset(tmp, 0U, len1 * 
sizeof (uint64_t)); + { + uint64_t c3 = (uint64_t)0U; + uint64_t c1; + uint64_t c; + { + uint32_t i; + for (i = (uint32_t)0U; i < len1 / (uint32_t)4U; i++) + { + uint64_t t1 = res[(uint32_t)4U * i]; + uint64_t t20 = n[(uint32_t)4U * i]; + uint64_t *res_i0 = tmp + (uint32_t)4U * i; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c3, t1, t20, res_i0); + { + uint64_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c3, t10, t21, res_i1); + { + uint64_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c3, t11, t22, res_i2); + { + uint64_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c3, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = len1 / (uint32_t)4U * (uint32_t)4U; i < len1; i++) + { + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c3, t1, t2, res_i); + } + } + c1 = c3; + c = c0 - c1; + { + uint32_t i; + for (i = (uint32_t)0U; i < len1; i++) + { + uint64_t *os = res; + uint64_t x = (c & res[i]) | (~c & tmp[i]); + os[i] = x; + } + } + } + } +} + +void +Hacl_Bignum_bn_sub_mod_n_u32( + uint32_t len1, + uint32_t *n, + uint32_t *a, + uint32_t *b, + uint32_t *res +) +{ + uint32_t c2 = (uint32_t)0U; + uint32_t c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < len1 / (uint32_t)4U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c2, t1, t20, res_i0); + { + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; 
+ uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c2, t10, t21, res_i1); + { + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c2, t11, t22, res_i2); + { + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c2, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = len1 / (uint32_t)4U * (uint32_t)4U; i < len1; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c2, t1, t2, res_i); + } + } + c0 = c2; + KRML_CHECK_SIZE(sizeof (uint32_t), len1); + { + uint32_t tmp[len1]; + memset(tmp, 0U, len1 * sizeof (uint32_t)); + { + uint32_t c3 = (uint32_t)0U; + uint32_t c1; + uint32_t c; + { + uint32_t i; + for (i = (uint32_t)0U; i < len1 / (uint32_t)4U; i++) + { + uint32_t t1 = res[(uint32_t)4U * i]; + uint32_t t20 = n[(uint32_t)4U * i]; + uint32_t *res_i0 = tmp + (uint32_t)4U * i; + c3 = Lib_IntTypes_Intrinsics_add_carry_u32(c3, t1, t20, res_i0); + { + uint32_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c3 = Lib_IntTypes_Intrinsics_add_carry_u32(c3, t10, t21, res_i1); + { + uint32_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c3 = Lib_IntTypes_Intrinsics_add_carry_u32(c3, t11, t22, res_i2); + { + uint32_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = tmp + (uint32_t)4U * i + 
(uint32_t)3U; + c3 = Lib_IntTypes_Intrinsics_add_carry_u32(c3, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = len1 / (uint32_t)4U * (uint32_t)4U; i < len1; i++) + { + uint32_t t1 = res[i]; + uint32_t t2 = n[i]; + uint32_t *res_i = tmp + i; + c3 = Lib_IntTypes_Intrinsics_add_carry_u32(c3, t1, t2, res_i); + } + } + c1 = c3; + c = (uint32_t)0U - c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < len1; i++) + { + uint32_t *os = res; + uint32_t x = (c & tmp[i]) | (~c & res[i]); + os[i] = x; + } + } + } + } +} + +void +Hacl_Bignum_bn_sub_mod_n_u64( + uint32_t len1, + uint64_t *n, + uint64_t *a, + uint64_t *b, + uint64_t *res +) +{ + uint64_t c2 = (uint64_t)0U; + uint64_t c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < len1 / (uint32_t)4U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c2, t1, t20, res_i0); + { + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c2, t10, t21, res_i1); + { + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c2, t11, t22, res_i2); + { + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c2, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = len1 / (uint32_t)4U * (uint32_t)4U; i < len1; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c2, t1, t2, res_i); + } + } + c0 = c2; + KRML_CHECK_SIZE(sizeof (uint64_t), len1); + { + uint64_t 
tmp[len1]; + memset(tmp, 0U, len1 * sizeof (uint64_t)); + { + uint64_t c3 = (uint64_t)0U; + uint64_t c1; + uint64_t c; + { + uint32_t i; + for (i = (uint32_t)0U; i < len1 / (uint32_t)4U; i++) + { + uint64_t t1 = res[(uint32_t)4U * i]; + uint64_t t20 = n[(uint32_t)4U * i]; + uint64_t *res_i0 = tmp + (uint32_t)4U * i; + c3 = Lib_IntTypes_Intrinsics_add_carry_u64(c3, t1, t20, res_i0); + { + uint64_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c3 = Lib_IntTypes_Intrinsics_add_carry_u64(c3, t10, t21, res_i1); + { + uint64_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c3 = Lib_IntTypes_Intrinsics_add_carry_u64(c3, t11, t22, res_i2); + { + uint64_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c3 = Lib_IntTypes_Intrinsics_add_carry_u64(c3, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = len1 / (uint32_t)4U * (uint32_t)4U; i < len1; i++) + { + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c3 = Lib_IntTypes_Intrinsics_add_carry_u64(c3, t1, t2, res_i); + } + } + c1 = c3; + c = (uint64_t)0U - c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < len1; i++) + { + uint64_t *os = res; + uint64_t x = (c & tmp[i]) | (~c & res[i]); + os[i] = x; + } + } + } + } +} + +uint32_t Hacl_Bignum_ModInvLimb_mod_inv_uint32(uint32_t n0) +{ + uint32_t alpha = (uint32_t)2147483648U; + uint32_t beta = n0; + uint32_t ub = (uint32_t)0U; + uint32_t vb = (uint32_t)0U; + ub = (uint32_t)1U; + vb = (uint32_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t us = ub; + uint32_t vs = vb; + uint32_t u_is_odd = (uint32_t)0U - (us & (uint32_t)1U); + uint32_t beta_if_u_is_odd = beta & u_is_odd; + 
ub = ((us ^ beta_if_u_is_odd) >> (uint32_t)1U) + (us & beta_if_u_is_odd); + { + uint32_t alpha_if_u_is_odd = alpha & u_is_odd; + vb = (vs >> (uint32_t)1U) + alpha_if_u_is_odd; + } + } + } + return vb; +} + +uint64_t Hacl_Bignum_ModInvLimb_mod_inv_uint64(uint64_t n0) +{ + uint64_t alpha = (uint64_t)9223372036854775808U; + uint64_t beta = n0; + uint64_t ub = (uint64_t)0U; + uint64_t vb = (uint64_t)0U; + ub = (uint64_t)1U; + vb = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t us = ub; + uint64_t vs = vb; + uint64_t u_is_odd = (uint64_t)0U - (us & (uint64_t)1U); + uint64_t beta_if_u_is_odd = beta & u_is_odd; + ub = ((us ^ beta_if_u_is_odd) >> (uint32_t)1U) + (us & beta_if_u_is_odd); + { + uint64_t alpha_if_u_is_odd = alpha & u_is_odd; + vb = (vs >> (uint32_t)1U) + alpha_if_u_is_odd; + } + } + } + return vb; +} + +uint32_t Hacl_Bignum_Montgomery_bn_check_modulus_u32(uint32_t len, uint32_t *n) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len); + { + uint32_t one[len]; + memset(one, 0U, len * sizeof (uint32_t)); + { + uint32_t bit0; + uint32_t m0; + memset(one, 0U, len * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + bit0 = n[0U] & (uint32_t)1U; + m0 = (uint32_t)0U - bit0; + { + uint32_t acc = (uint32_t)0U; + uint32_t m1; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + } + m1 = acc; + return m0 & m1; + } + } + } +} + +void +Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u32( + uint32_t len, + uint32_t nBits, + uint32_t *n, + uint32_t *res +) +{ + uint32_t i0; + uint32_t j; + uint32_t i; + memset(res, 0U, len * sizeof (uint32_t)); + i0 = nBits / (uint32_t)32U; + j = nBits % (uint32_t)32U; + res[i0] = res[i0] | (uint32_t)1U << j; + for (i = (uint32_t)0U; i < (uint32_t)64U * len - nBits; i++) + { + 
Hacl_Bignum_bn_add_mod_n_u32(len, n, res, res, res); + } +} + +void +Hacl_Bignum_Montgomery_bn_mont_reduction_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv, + uint32_t *c, + uint32_t *res +) +{ + uint32_t c00 = (uint32_t)0U; + uint32_t c0; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < len; i0++) + { + uint32_t qj = nInv * c[i0]; + uint32_t *res_j0 = c + i0; + uint32_t c1 = (uint32_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < len / (uint32_t)4U; i++) + { + uint32_t a_i = n[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i0); + { + uint32_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, qj, c1, res_i1); + { + uint32_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, qj, c1, res_i2); + { + uint32_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c1, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = len / (uint32_t)4U * (uint32_t)4U; i < len; i++) + { + uint32_t a_i = n[i]; + uint32_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i); + } + } + { + uint32_t r = c1; + uint32_t c10 = r; + uint32_t *resb = c + len + i0; + uint32_t res_j = c[len + i0]; + c00 = Lib_IntTypes_Intrinsics_add_carry_u32(c00, c10, res_j, resb); + } + } + } + memcpy(res, c + len, (len + len - len) * sizeof (uint32_t)); + c0 = c00; + KRML_CHECK_SIZE(sizeof (uint32_t), len); + { + uint32_t tmp[len]; + memset(tmp, 0U, len * sizeof (uint32_t)); + { + uint32_t c10 = (uint32_t)0U; + uint32_t c1; + uint32_t c2; + { + uint32_t i; + for (i = (uint32_t)0U; i < len / (uint32_t)4U; i++) + { + uint32_t t1 = res[(uint32_t)4U * i]; + uint32_t t20 = n[(uint32_t)4U 
* i]; + uint32_t *res_i0 = tmp + (uint32_t)4U * i; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c10, t1, t20, res_i0); + { + uint32_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c10, t10, t21, res_i1); + { + uint32_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c10, t11, t22, res_i2); + { + uint32_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c10, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = len / (uint32_t)4U * (uint32_t)4U; i < len; i++) + { + uint32_t t1 = res[i]; + uint32_t t2 = n[i]; + uint32_t *res_i = tmp + i; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c10, t1, t2, res_i); + } + } + c1 = c10; + c2 = c0 - c1; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint32_t *os = res; + uint32_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } + } + } + } +} + +void +Hacl_Bignum_Montgomery_bn_to_mont_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv, + uint32_t *r2, + uint32_t *a, + uint32_t *aM +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + { + uint32_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + { + uint32_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len, a, r2, tmp, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, nInv, c, aM); + } + } +} + +void +Hacl_Bignum_Montgomery_bn_from_mont_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv_u64, + uint32_t *aM, + uint32_t 
*a +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + { + uint32_t tmp[len + len]; + memset(tmp, 0U, (len + len) * sizeof (uint32_t)); + memcpy(tmp, aM, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, nInv_u64, tmp, a); + } +} + +void +Hacl_Bignum_Montgomery_bn_mont_mul_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv_u64, + uint32_t *aM, + uint32_t *bM, + uint32_t *resM +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + { + uint32_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + { + uint32_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len, aM, bM, tmp, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, nInv_u64, c, resM); + } + } +} + +void +Hacl_Bignum_Montgomery_bn_mont_sqr_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv_u64, + uint32_t *aM, + uint32_t *resM +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + { + uint32_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + { + uint32_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32(len, aM, tmp, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, nInv_u64, c, resM); + } + } +} + +uint64_t Hacl_Bignum_Montgomery_bn_check_modulus_u64(uint32_t len, uint64_t *n) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len); + { + uint64_t one[len]; + memset(one, 0U, len * sizeof (uint64_t)); + { + uint64_t bit0; + uint64_t m0; + memset(one, 0U, len * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + bit0 = n[0U] & (uint64_t)1U; + m0 = (uint64_t)0U - bit0; + { + uint64_t acc = (uint64_t)0U; + uint64_t m1; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = 
~FStar_UInt64_gte_mask(one[i], n[i]); + acc = + (beq & acc) + | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + } + m1 = acc; + return m0 & m1; + } + } + } +} + +void +Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64( + uint32_t len, + uint32_t nBits, + uint64_t *n, + uint64_t *res +) +{ + uint32_t i0; + uint32_t j; + uint32_t i; + memset(res, 0U, len * sizeof (uint64_t)); + i0 = nBits / (uint32_t)64U; + j = nBits % (uint32_t)64U; + res[i0] = res[i0] | (uint64_t)1U << j; + for (i = (uint32_t)0U; i < (uint32_t)128U * len - nBits; i++) + { + Hacl_Bignum_bn_add_mod_n_u64(len, n, res, res, res); + } +} + +void +Hacl_Bignum_Montgomery_bn_mont_reduction_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv, + uint64_t *c, + uint64_t *res +) +{ + uint64_t c00 = (uint64_t)0U; + uint64_t c0; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < len; i0++) + { + uint64_t qj = nInv * c[i0]; + uint64_t *res_j0 = c + i0; + uint64_t c1 = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < len / (uint32_t)4U; i++) + { + uint64_t a_i = n[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i0); + { + uint64_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c1, res_i1); + { + uint64_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c1, res_i2); + { + uint64_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c1, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = len / (uint32_t)4U * (uint32_t)4U; i < len; i++) + { + uint64_t a_i = n[i]; + uint64_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i); + } + } + { + 
uint64_t r = c1; + uint64_t c10 = r; + uint64_t *resb = c + len + i0; + uint64_t res_j = c[len + i0]; + c00 = Lib_IntTypes_Intrinsics_add_carry_u64(c00, c10, res_j, resb); + } + } + } + memcpy(res, c + len, (len + len - len) * sizeof (uint64_t)); + c0 = c00; + KRML_CHECK_SIZE(sizeof (uint64_t), len); + { + uint64_t tmp[len]; + memset(tmp, 0U, len * sizeof (uint64_t)); + { + uint64_t c10 = (uint64_t)0U; + uint64_t c1; + uint64_t c2; + { + uint32_t i; + for (i = (uint32_t)0U; i < len / (uint32_t)4U; i++) + { + uint64_t t1 = res[(uint32_t)4U * i]; + uint64_t t20 = n[(uint32_t)4U * i]; + uint64_t *res_i0 = tmp + (uint32_t)4U * i; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c10, t1, t20, res_i0); + { + uint64_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c10, t10, t21, res_i1); + { + uint64_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c10, t11, t22, res_i2); + { + uint64_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c10, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = len / (uint32_t)4U * (uint32_t)4U; i < len; i++) + { + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c10, t1, t2, res_i); + } + } + c1 = c10; + c2 = c0 - c1; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint64_t *os = res; + uint64_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } + } + } + } +} + +void +Hacl_Bignum_Montgomery_bn_to_mont_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv, + uint64_t *r2, + uint64_t *a, 
+ uint64_t *aM +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + { + uint64_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + { + uint64_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len, a, r2, tmp, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, nInv, c, aM); + } + } +} + +void +Hacl_Bignum_Montgomery_bn_from_mont_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv_u64, + uint64_t *aM, + uint64_t *a +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + { + uint64_t tmp[len + len]; + memset(tmp, 0U, (len + len) * sizeof (uint64_t)); + memcpy(tmp, aM, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, nInv_u64, tmp, a); + } +} + +void +Hacl_Bignum_Montgomery_bn_mont_mul_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv_u64, + uint64_t *aM, + uint64_t *bM, + uint64_t *resM +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + { + uint64_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + { + uint64_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len, aM, bM, tmp, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, nInv_u64, c, resM); + } + } +} + +void +Hacl_Bignum_Montgomery_bn_mont_sqr_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv_u64, + uint64_t *aM, + uint64_t *resM +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + { + uint64_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + { + uint64_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64(len, aM, tmp, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, 
nInv_u64, c, resM); + } + } +} + +static void +bn_almost_mont_reduction_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv, + uint32_t *c, + uint32_t *res +) +{ + uint32_t c00 = (uint32_t)0U; + uint32_t c0; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < len; i0++) + { + uint32_t qj = nInv * c[i0]; + uint32_t *res_j0 = c + i0; + uint32_t c1 = (uint32_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < len / (uint32_t)4U; i++) + { + uint32_t a_i = n[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i0); + { + uint32_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, qj, c1, res_i1); + { + uint32_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, qj, c1, res_i2); + { + uint32_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c1, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = len / (uint32_t)4U * (uint32_t)4U; i < len; i++) + { + uint32_t a_i = n[i]; + uint32_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i); + } + } + { + uint32_t r = c1; + uint32_t c10 = r; + uint32_t *resb = c + len + i0; + uint32_t res_j = c[len + i0]; + c00 = Lib_IntTypes_Intrinsics_add_carry_u32(c00, c10, res_j, resb); + } + } + } + memcpy(res, c + len, (len + len - len) * sizeof (uint32_t)); + c0 = c00; + KRML_CHECK_SIZE(sizeof (uint32_t), len); + { + uint32_t tmp[len]; + memset(tmp, 0U, len * sizeof (uint32_t)); + { + uint32_t c1 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(len, res, n, tmp); + uint32_t m = (uint32_t)0U - c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint32_t *os = res; + uint32_t x = (m & tmp[i]) | (~m & res[i]); + os[i] = 
x; + } + } + } + } +} + +static void +bn_almost_mont_mul_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv_u64, + uint32_t *aM, + uint32_t *bM, + uint32_t *resM +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + { + uint32_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + { + uint32_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len, aM, bM, tmp, c); + bn_almost_mont_reduction_u32(len, n, nInv_u64, c, resM); + } + } +} + +static void +bn_almost_mont_sqr_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv_u64, + uint32_t *aM, + uint32_t *resM +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + { + uint32_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + { + uint32_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32(len, aM, tmp, c); + bn_almost_mont_reduction_u32(len, n, nInv_u64, c, resM); + } + } +} + +static void +bn_almost_mont_reduction_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv, + uint64_t *c, + uint64_t *res +) +{ + uint64_t c00 = (uint64_t)0U; + uint64_t c0; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < len; i0++) + { + uint64_t qj = nInv * c[i0]; + uint64_t *res_j0 = c + i0; + uint64_t c1 = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < len / (uint32_t)4U; i++) + { + uint64_t a_i = n[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i0); + { + uint64_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c1, res_i1); + { + uint64_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j0 + (uint32_t)4U * i + 
(uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c1, res_i2); + { + uint64_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c1, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = len / (uint32_t)4U * (uint32_t)4U; i < len; i++) + { + uint64_t a_i = n[i]; + uint64_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i); + } + } + { + uint64_t r = c1; + uint64_t c10 = r; + uint64_t *resb = c + len + i0; + uint64_t res_j = c[len + i0]; + c00 = Lib_IntTypes_Intrinsics_add_carry_u64(c00, c10, res_j, resb); + } + } + } + memcpy(res, c + len, (len + len - len) * sizeof (uint64_t)); + c0 = c00; + KRML_CHECK_SIZE(sizeof (uint64_t), len); + { + uint64_t tmp[len]; + memset(tmp, 0U, len * sizeof (uint64_t)); + { + uint64_t c1 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(len, res, n, tmp); + uint64_t m = (uint64_t)0U - c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint64_t *os = res; + uint64_t x = (m & tmp[i]) | (~m & res[i]); + os[i] = x; + } + } + } + } +} + +static void +bn_almost_mont_mul_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv_u64, + uint64_t *aM, + uint64_t *bM, + uint64_t *resM +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + { + uint64_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + { + uint64_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len, aM, bM, tmp, c); + bn_almost_mont_reduction_u64(len, n, nInv_u64, c, resM); + } + } +} + +static void +bn_almost_mont_sqr_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv_u64, + uint64_t *aM, + uint64_t *resM +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + { + uint64_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof 
(uint64_t), (uint32_t)4U * len); + { + uint64_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64(len, aM, tmp, c); + bn_almost_mont_reduction_u64(len, n, nInv_u64, c, resM); + } + } +} + +uint32_t +Hacl_Bignum_Exponentiation_bn_check_mod_exp_u32( + uint32_t len, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len); + { + uint32_t one[len]; + memset(one, 0U, len * sizeof (uint32_t)); + { + uint32_t bit0; + uint32_t m00; + memset(one, 0U, len * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + bit0 = n[0U] & (uint32_t)1U; + m00 = (uint32_t)0U - bit0; + { + uint32_t acc0 = (uint32_t)0U; + uint32_t m10; + uint32_t m0; + uint32_t bLen; + uint32_t m1; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + } + m10 = acc0; + m0 = m00 & m10; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + if (bBits < (uint32_t)32U * bLen) + { + KRML_CHECK_SIZE(sizeof (uint32_t), bLen); + { + uint32_t b2[bLen]; + memset(b2, 0U, bLen * sizeof (uint32_t)); + { + uint32_t i0 = bBits / (uint32_t)32U; + uint32_t j = bBits % (uint32_t)32U; + b2[i0] = b2[i0] | (uint32_t)1U << j; + { + uint32_t acc = (uint32_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < bLen; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(b[i], b2[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(b[i], b2[i]); + acc = + (beq & acc) + | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + } + { + uint32_t res = acc; + m1 = res; + } + } + } + } + } + else + { + m1 = (uint32_t)0xFFFFFFFFU; + } + { + uint32_t acc = (uint32_t)0U; + uint32_t m2; + uint32_t m; + { + uint32_t i; + for (i 
= (uint32_t)0U; i < len; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + } + m2 = acc; + m = m1 & m2; + return m0 & m; + } + } + } + } +} + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u32( + uint32_t len, + uint32_t *n, + uint32_t mu, + uint32_t *r2, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + if (bBits < (uint32_t)200U) + { + KRML_CHECK_SIZE(sizeof (uint32_t), len); + { + uint32_t aM[len]; + memset(aM, 0U, len * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + { + uint32_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + { + uint32_t tmp0[(uint32_t)4U * len]; + memset(tmp0, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len, a, r2, tmp0, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, c, aM); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + { + uint32_t resM[len]; + memset(resM, 0U, len * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + { + uint32_t tmp1[len + len]; + memset(tmp1, 0U, (len + len) * sizeof (uint32_t)); + memcpy(tmp1, r2, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, tmp1, resM); + { + uint32_t i; + for (i = (uint32_t)0U; i < bBits; i++) + { + uint32_t i1 = i / (uint32_t)32U; + uint32_t j = i % (uint32_t)32U; + uint32_t tmp = b[i1]; + uint32_t bit = tmp >> j & (uint32_t)1U; + if (!(bit == (uint32_t)0U)) + { + bn_almost_mont_mul_u32(len, n, mu, resM, aM, resM); + } + bn_almost_mont_sqr_u32(len, n, mu, aM, aM); + } + } + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + { + uint32_t tmp[len + len]; + memset(tmp, 0U, (len + len) * sizeof (uint32_t)); + memcpy(tmp, resM, len * sizeof (uint32_t)); + 
Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, tmp, res); + return; + } + } + } + } + } + } + } + KRML_CHECK_SIZE(sizeof (uint32_t), len); + { + uint32_t aM[len]; + memset(aM, 0U, len * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + { + uint32_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + { + uint32_t tmp0[(uint32_t)4U * len]; + memset(tmp0, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len, a, r2, tmp0, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, c, aM); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + { + uint32_t resM[len]; + memset(resM, 0U, len * sizeof (uint32_t)); + { + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + { + uint32_t tmp[len + len]; + memset(tmp, 0U, (len + len) * sizeof (uint32_t)); + memcpy(tmp, r2, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, tmp, resM); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)16U * len); + { + uint32_t table[(uint32_t)16U * len]; + memset(table, 0U, (uint32_t)16U * len * sizeof (uint32_t)); + { + uint32_t *t1; + memcpy(table, resM, len * sizeof (uint32_t)); + t1 = table + len; + memcpy(t1, aM, len * sizeof (uint32_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint32_t *t11 = table + (i + (uint32_t)1U) * len; + uint32_t *t2 = table + (i + (uint32_t)2U) * len; + bn_almost_mont_mul_u32(len, n, mu, t11, aM, t2); + } + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)32U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)32U; + uint32_t p1 = b[i] >> j; + uint32_t ite; + if (i + (uint32_t)1U < bLen && 
(uint32_t)0U < j) + { + ite = p1 | b[i + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + { + uint32_t bits_c = ite & mask_l; + uint32_t bits_l32 = bits_c; + uint32_t *a_bits_l = table + bits_l32 * len; + memcpy(resM, a_bits_l, len * sizeof (uint32_t)); + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < bBits / (uint32_t)4U; i++) + { + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + bn_almost_mont_sqr_u32(len, n, mu, resM, resM); + } + } + { + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)32U; + uint32_t j = (bk - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)32U; + uint32_t p1 = b[i1] >> j; + uint32_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + { + uint32_t bits_l = ite & mask_l; + KRML_CHECK_SIZE(sizeof (uint32_t), len); + { + uint32_t a_bits_l[len]; + memset(a_bits_l, 0U, len * sizeof (uint32_t)); + { + uint32_t bits_l32 = bits_l; + uint32_t *a_bits_l1 = table + bits_l32 * len; + memcpy(a_bits_l, a_bits_l1, len * sizeof (uint32_t)); + bn_almost_mont_mul_u32(len, n, mu, resM, a_bits_l, resM); + } + } + } + } + } + } + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + { + uint32_t tmp1[len + len]; + memset(tmp1, 0U, (len + len) * sizeof (uint32_t)); + memcpy(tmp1, resM, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, tmp1, res); + } + } + } + } + } + } + } + } + } +} + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u32( + uint32_t len, + uint32_t *n, + uint32_t mu, + uint32_t *r2, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + if (bBits < (uint32_t)200U) + { + KRML_CHECK_SIZE(sizeof (uint32_t), len); + { + uint32_t aM[len]; + memset(aM, 0U, len * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + { + 
uint32_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + { + uint32_t tmp0[(uint32_t)4U * len]; + memset(tmp0, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len, a, r2, tmp0, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, c, aM); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + { + uint32_t resM[len]; + memset(resM, 0U, len * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + { + uint32_t tmp1[len + len]; + memset(tmp1, 0U, (len + len) * sizeof (uint32_t)); + memcpy(tmp1, r2, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, tmp1, resM); + { + uint32_t sw = (uint32_t)0U; + uint32_t sw0; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < bBits; i0++) + { + uint32_t i1 = (bBits - i0 - (uint32_t)1U) / (uint32_t)32U; + uint32_t j = (bBits - i0 - (uint32_t)1U) % (uint32_t)32U; + uint32_t tmp = b[i1]; + uint32_t bit = tmp >> j & (uint32_t)1U; + uint32_t sw1 = bit ^ sw; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint32_t dummy = ((uint32_t)0U - sw1) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + } + bn_almost_mont_mul_u32(len, n, mu, aM, resM, aM); + bn_almost_mont_sqr_u32(len, n, mu, resM, resM); + sw = bit; + } + } + sw0 = sw; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint32_t dummy = ((uint32_t)0U - sw0) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + } + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + { + uint32_t tmp[len + len]; + memset(tmp, 0U, (len + len) * sizeof (uint32_t)); + memcpy(tmp, resM, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, tmp, res); + return; + } + } + } + } + } + } + } + } + KRML_CHECK_SIZE(sizeof (uint32_t), len); + { + uint32_t aM[len]; + memset(aM, 0U, len * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof 
(uint32_t), len + len); + { + uint32_t c0[len + len]; + memset(c0, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + { + uint32_t tmp0[(uint32_t)4U * len]; + memset(tmp0, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len, a, r2, tmp0, c0); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, c0, aM); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + { + uint32_t resM[len]; + memset(resM, 0U, len * sizeof (uint32_t)); + { + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + { + uint32_t tmp[len + len]; + memset(tmp, 0U, (len + len) * sizeof (uint32_t)); + memcpy(tmp, r2, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, tmp, resM); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)16U * len); + { + uint32_t table[(uint32_t)16U * len]; + memset(table, 0U, (uint32_t)16U * len * sizeof (uint32_t)); + { + uint32_t *t1; + memcpy(table, resM, len * sizeof (uint32_t)); + t1 = table + len; + memcpy(t1, aM, len * sizeof (uint32_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint32_t *t11 = table + (i + (uint32_t)1U) * len; + uint32_t *t2 = table + (i + (uint32_t)2U) * len; + bn_almost_mont_mul_u32(len, n, mu, t11, aM, t2); + } + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i0 = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)32U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)32U; + uint32_t p1 = b[i0] >> j; + uint32_t ite; + if (i0 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i0 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + { + uint32_t bits_c = ite & mask_l; + memcpy(resM, table, len * sizeof (uint32_t)); + { + uint32_t i1; + for (i1 = 
(uint32_t)0U; i1 < (uint32_t)15U; i1++) + { + uint32_t c = FStar_UInt32_eq_mask(bits_c, i1 + (uint32_t)1U); + uint32_t *res_j = table + (i1 + (uint32_t)1U) * len; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint32_t *os = resM; + uint32_t x = (c & res_j[i]) | (~c & resM[i]); + os[i] = x; + } + } + } + } + } + } + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < bBits / (uint32_t)4U; i0++) + { + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + bn_almost_mont_sqr_u32(len, n, mu, resM, resM); + } + } + { + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i0 - (uint32_t)4U) / (uint32_t)32U; + uint32_t j = (bk - (uint32_t)4U * i0 - (uint32_t)4U) % (uint32_t)32U; + uint32_t p1 = b[i1] >> j; + uint32_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + { + uint32_t bits_l = ite & mask_l; + KRML_CHECK_SIZE(sizeof (uint32_t), len); + { + uint32_t a_bits_l[len]; + memset(a_bits_l, 0U, len * sizeof (uint32_t)); + memcpy(a_bits_l, table, len * sizeof (uint32_t)); + { + uint32_t i2; + for (i2 = (uint32_t)0U; i2 < (uint32_t)15U; i2++) + { + uint32_t c = FStar_UInt32_eq_mask(bits_l, i2 + (uint32_t)1U); + uint32_t *res_j = table + (i2 + (uint32_t)1U) * len; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint32_t *os = a_bits_l; + uint32_t x = (c & res_j[i]) | (~c & a_bits_l[i]); + os[i] = x; + } + } + } + } + bn_almost_mont_mul_u32(len, n, mu, resM, a_bits_l, resM); + } + } + } + } + } + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + { + uint32_t tmp1[len + len]; + memset(tmp1, 0U, (len + len) * sizeof (uint32_t)); + memcpy(tmp1, resM, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, tmp1, res); + } + } + } + } + } + } + } + } + } +} + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u32( + uint32_t len, + 
uint32_t nBits, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len); + { + uint32_t r2[len]; + memset(r2, 0U, len * sizeof (uint32_t)); + { + uint32_t mu; + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u32(len, nBits, n, r2); + mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u32(len, n, mu, r2, a, bBits, b, res); + } + } +} + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_u32( + uint32_t len, + uint32_t nBits, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len); + { + uint32_t r2[len]; + memset(r2, 0U, len * sizeof (uint32_t)); + { + uint32_t mu; + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u32(len, nBits, n, r2); + mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u32(len, n, mu, r2, a, bBits, b, res); + } + } +} + +uint64_t +Hacl_Bignum_Exponentiation_bn_check_mod_exp_u64( + uint32_t len, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len); + { + uint64_t one[len]; + memset(one, 0U, len * sizeof (uint64_t)); + { + uint64_t bit0; + uint64_t m00; + memset(one, 0U, len * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + bit0 = n[0U] & (uint64_t)1U; + m00 = (uint64_t)0U - bit0; + { + uint64_t acc0 = (uint64_t)0U; + uint64_t m10; + uint64_t m0; + uint32_t bLen; + uint64_t m1; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc0 = + (beq & acc0) + | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + } + m10 = acc0; + m0 = m00 & m10; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + if (bBits < (uint32_t)64U 
* bLen) + { + KRML_CHECK_SIZE(sizeof (uint64_t), bLen); + { + uint64_t b2[bLen]; + memset(b2, 0U, bLen * sizeof (uint64_t)); + { + uint32_t i0 = bBits / (uint32_t)64U; + uint32_t j = bBits % (uint32_t)64U; + b2[i0] = b2[i0] | (uint64_t)1U << j; + { + uint64_t acc = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < bLen; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(b[i], b2[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(b[i], b2[i]); + acc = + (beq & acc) + | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + } + { + uint64_t res = acc; + m1 = res; + } + } + } + } + } + else + { + m1 = (uint64_t)0xFFFFFFFFFFFFFFFFU; + } + { + uint64_t acc = (uint64_t)0U; + uint64_t m2; + uint64_t m; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); + acc = + (beq & acc) + | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + } + m2 = acc; + m = m1 & m2; + return m0 & m; + } + } + } + } +} + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64( + uint32_t len, + uint64_t *n, + uint64_t mu, + uint64_t *r2, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + if (bBits < (uint32_t)200U) + { + KRML_CHECK_SIZE(sizeof (uint64_t), len); + { + uint64_t aM[len]; + memset(aM, 0U, len * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + { + uint64_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + { + uint64_t tmp0[(uint32_t)4U * len]; + memset(tmp0, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len, a, r2, tmp0, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, c, aM); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + { + uint64_t resM[len]; + memset(resM, 0U, len * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + 
{ + uint64_t tmp1[len + len]; + memset(tmp1, 0U, (len + len) * sizeof (uint64_t)); + memcpy(tmp1, r2, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, tmp1, resM); + { + uint32_t i; + for (i = (uint32_t)0U; i < bBits; i++) + { + uint32_t i1 = i / (uint32_t)64U; + uint32_t j = i % (uint32_t)64U; + uint64_t tmp = b[i1]; + uint64_t bit = tmp >> j & (uint64_t)1U; + if (!(bit == (uint64_t)0U)) + { + bn_almost_mont_mul_u64(len, n, mu, resM, aM, resM); + } + bn_almost_mont_sqr_u64(len, n, mu, aM, aM); + } + } + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + { + uint64_t tmp[len + len]; + memset(tmp, 0U, (len + len) * sizeof (uint64_t)); + memcpy(tmp, resM, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, tmp, res); + return; + } + } + } + } + } + } + } + KRML_CHECK_SIZE(sizeof (uint64_t), len); + { + uint64_t aM[len]; + memset(aM, 0U, len * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + { + uint64_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + { + uint64_t tmp0[(uint32_t)4U * len]; + memset(tmp0, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len, a, r2, tmp0, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, c, aM); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + { + uint64_t resM[len]; + memset(resM, 0U, len * sizeof (uint64_t)); + { + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + { + uint64_t tmp[len + len]; + memset(tmp, 0U, (len + len) * sizeof (uint64_t)); + memcpy(tmp, r2, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, tmp, resM); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)16U * len); + { + uint64_t table[(uint32_t)16U * len]; + 
memset(table, 0U, (uint32_t)16U * len * sizeof (uint64_t)); + { + uint64_t *t1; + memcpy(table, resM, len * sizeof (uint64_t)); + t1 = table + len; + memcpy(t1, aM, len * sizeof (uint64_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table + (i + (uint32_t)1U) * len; + uint64_t *t2 = table + (i + (uint32_t)2U) * len; + bn_almost_mont_mul_u64(len, n, mu, t11, aM, t2); + } + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)64U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)64U; + uint64_t p1 = b[i] >> j; + uint64_t ite; + if (i + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + { + uint64_t bits_c = ite & mask_l; + uint32_t bits_l32 = (uint32_t)bits_c; + uint64_t *a_bits_l = table + bits_l32 * len; + memcpy(resM, a_bits_l, len * sizeof (uint64_t)); + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < bBits / (uint32_t)4U; i++) + { + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + bn_almost_mont_sqr_u64(len, n, mu, resM, resM); + } + } + { + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = b[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + { + uint64_t bits_l = ite & mask_l; + KRML_CHECK_SIZE(sizeof (uint64_t), len); + { + uint64_t a_bits_l[len]; + memset(a_bits_l, 0U, len * sizeof (uint64_t)); + { + uint32_t bits_l32 = (uint32_t)bits_l; + uint64_t *a_bits_l1 = table + bits_l32 * len; + memcpy(a_bits_l, a_bits_l1, len * sizeof (uint64_t)); + 
bn_almost_mont_mul_u64(len, n, mu, resM, a_bits_l, resM); + } + } + } + } + } + } + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + { + uint64_t tmp1[len + len]; + memset(tmp1, 0U, (len + len) * sizeof (uint64_t)); + memcpy(tmp1, resM, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, tmp1, res); + } + } + } + } + } + } + } + } + } +} + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u64( + uint32_t len, + uint64_t *n, + uint64_t mu, + uint64_t *r2, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + if (bBits < (uint32_t)200U) + { + KRML_CHECK_SIZE(sizeof (uint64_t), len); + { + uint64_t aM[len]; + memset(aM, 0U, len * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + { + uint64_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + { + uint64_t tmp0[(uint32_t)4U * len]; + memset(tmp0, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len, a, r2, tmp0, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, c, aM); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + { + uint64_t resM[len]; + memset(resM, 0U, len * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + { + uint64_t tmp1[len + len]; + memset(tmp1, 0U, (len + len) * sizeof (uint64_t)); + memcpy(tmp1, r2, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, tmp1, resM); + { + uint64_t sw = (uint64_t)0U; + uint64_t sw0; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < bBits; i0++) + { + uint32_t i1 = (bBits - i0 - (uint32_t)1U) / (uint32_t)64U; + uint32_t j = (bBits - i0 - (uint32_t)1U) % (uint32_t)64U; + uint64_t tmp = b[i1]; + uint64_t bit = tmp >> j & (uint64_t)1U; + uint64_t sw1 = bit ^ sw; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint64_t dummy = ((uint64_t)0U - sw1) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = 
aM[i] ^ dummy; + } + } + bn_almost_mont_mul_u64(len, n, mu, aM, resM, aM); + bn_almost_mont_sqr_u64(len, n, mu, resM, resM); + sw = bit; + } + } + sw0 = sw; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint64_t dummy = ((uint64_t)0U - sw0) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + } + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + { + uint64_t tmp[len + len]; + memset(tmp, 0U, (len + len) * sizeof (uint64_t)); + memcpy(tmp, resM, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, tmp, res); + return; + } + } + } + } + } + } + } + } + KRML_CHECK_SIZE(sizeof (uint64_t), len); + { + uint64_t aM[len]; + memset(aM, 0U, len * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + { + uint64_t c0[len + len]; + memset(c0, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + { + uint64_t tmp0[(uint32_t)4U * len]; + memset(tmp0, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len, a, r2, tmp0, c0); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, c0, aM); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + { + uint64_t resM[len]; + memset(resM, 0U, len * sizeof (uint64_t)); + { + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + { + uint64_t tmp[len + len]; + memset(tmp, 0U, (len + len) * sizeof (uint64_t)); + memcpy(tmp, r2, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, tmp, resM); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)16U * len); + { + uint64_t table[(uint32_t)16U * len]; + memset(table, 0U, (uint32_t)16U * len * sizeof (uint64_t)); + { + uint64_t *t1; + memcpy(table, resM, len * sizeof (uint64_t)); + t1 = table + len; + memcpy(t1, aM, len * sizeof (uint64_t)); + { + uint32_t 
i; + for (i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table + (i + (uint32_t)1U) * len; + uint64_t *t2 = table + (i + (uint32_t)2U) * len; + bn_almost_mont_mul_u64(len, n, mu, t11, aM, t2); + } + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i0 = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)64U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)64U; + uint64_t p1 = b[i0] >> j; + uint64_t ite; + if (i0 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i0 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + { + uint64_t bits_c = ite & mask_l; + memcpy(resM, table, len * sizeof (uint64_t)); + { + uint32_t i1; + for (i1 = (uint32_t)0U; i1 < (uint32_t)15U; i1++) + { + uint64_t c = FStar_UInt64_eq_mask(bits_c, (uint64_t)(i1 + (uint32_t)1U)); + uint64_t *res_j = table + (i1 + (uint32_t)1U) * len; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint64_t *os = resM; + uint64_t x = (c & res_j[i]) | (~c & resM[i]); + os[i] = x; + } + } + } + } + } + } + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < bBits / (uint32_t)4U; i0++) + { + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + bn_almost_mont_sqr_u64(len, n, mu, resM, resM); + } + } + { + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i0 - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk - (uint32_t)4U * i0 - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = b[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + { + uint64_t bits_l = ite & mask_l; + KRML_CHECK_SIZE(sizeof (uint64_t), len); + { + uint64_t a_bits_l[len]; + memset(a_bits_l, 0U, len * sizeof (uint64_t)); + memcpy(a_bits_l, table, len * sizeof (uint64_t)); + { + uint32_t i2; + for (i2 = 
(uint32_t)0U; i2 < (uint32_t)15U; i2++) + { + uint64_t + c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i2 + (uint32_t)1U)); + uint64_t *res_j = table + (i2 + (uint32_t)1U) * len; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint64_t *os = a_bits_l; + uint64_t x = (c & res_j[i]) | (~c & a_bits_l[i]); + os[i] = x; + } + } + } + } + bn_almost_mont_mul_u64(len, n, mu, resM, a_bits_l, resM); + } + } + } + } + } + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + { + uint64_t tmp1[len + len]; + memset(tmp1, 0U, (len + len) * sizeof (uint64_t)); + memcpy(tmp1, resM, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, tmp1, res); + } + } + } + } + } + } + } + } + } +} + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u64( + uint32_t len, + uint32_t nBits, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len); + { + uint64_t r2[len]; + memset(r2, 0U, len * sizeof (uint64_t)); + { + uint64_t mu; + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64(len, nBits, n, r2); + mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64(len, n, mu, r2, a, bBits, b, res); + } + } +} + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_u64( + uint32_t len, + uint32_t nBits, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len); + { + uint64_t r2[len]; + memset(r2, 0U, len * sizeof (uint64_t)); + { + uint64_t mu; + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64(len, nBits, n, r2); + mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u64(len, n, mu, r2, a, bBits, b, res); + } + } +} + diff --git a/src/c89/Hacl_Bignum256.c b/src/c89/Hacl_Bignum256.c new file mode 100644 index 00000000..d96cb4d3 --- /dev/null +++ b/src/c89/Hacl_Bignum256.c 
@@ -0,0 +1,2117 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Bignum256.h" + +#include "internal/Hacl_Bignum.h" + +/******************************************************************************* + +A verified 256-bit bignum library. + +This is a 64-bit optimized version, where bignums are represented as an array +of four unsigned 64-bit integers, i.e. uint64_t[4]. Furthermore, the +limbs are stored in little-endian format, i.e. the least significant limb is at +index 0. Each limb is stored in native format in memory. Example: + + uint64_t sixteen[4] = { 0x10; 0x00; 0x00; 0x00 } + +We strongly encourage users to go through the conversion functions, e.g. +bn_from_bytes_be, to i) not depend on internal representation choices and ii) +have the ability to switch easily to a 32-bit optimized version in the future. 
+ +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2^256` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 256-bit bignums, i.e. uint64_t[4] +*/ +uint64_t Hacl_Bignum256_add(uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t20, res_i0); + { + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t10, t21, res_i1); + { + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, t22, res_i2); + { + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t2, res_i); + } + } + return c; +} + +/* +Write `a - b mod 2^256` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 256-bit bignums, i.e. 
uint64_t[4] +*/ +uint64_t Hacl_Bignum256_sub(uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); + { + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); + { + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); + { + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t2, res_i); + } + } + return c; +} + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • a < n + • b < n +*/ +void Hacl_Bignum256_add_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c2 = (uint64_t)0U; + uint64_t c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, t1, t20, res_i0); + { + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, t10, t21, res_i1); + { + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, t11, t22, res_i2); + { + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, t1, t2, res_i); + } + } + c0 = c2; + { + uint64_t tmp[4U] = { 0U }; + uint64_t c3 = (uint64_t)0U; + uint64_t c1; + uint64_t c; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t t1 = res[(uint32_t)4U * i]; + uint64_t t20 = n[(uint32_t)4U * i]; + uint64_t *res_i0 = tmp + (uint32_t)4U * i; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c3, t1, t20, res_i0); + { + uint64_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c3, t10, t21, res_i1); + { + uint64_t t11 = res[(uint32_t)4U 
* i + (uint32_t)2U]; + uint64_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c3, t11, t22, res_i2); + { + uint64_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c3, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c3, t1, t2, res_i); + } + } + c1 = c3; + c = c0 - c1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = res; + uint64_t x = (c & res[i]) | (~c & tmp[i]); + os[i] = x; + } + } + } +} + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • a < n + • b < n +*/ +void Hacl_Bignum256_sub_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c2 = (uint64_t)0U; + uint64_t c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c2, t1, t20, res_i0); + { + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c2, t10, t21, res_i1); + { + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c2, t11, t22, res_i2); + { + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c2, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c2, t1, t2, res_i); + } + } + c0 = c2; + { + uint64_t tmp[4U] = { 0U }; + uint64_t c3 = (uint64_t)0U; + uint64_t c1; + uint64_t c; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t t1 = res[(uint32_t)4U * i]; + uint64_t t20 = n[(uint32_t)4U * i]; + uint64_t *res_i0 = tmp + (uint32_t)4U * i; + c3 = Lib_IntTypes_Intrinsics_add_carry_u64(c3, t1, t20, res_i0); + { + uint64_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c3 = Lib_IntTypes_Intrinsics_add_carry_u64(c3, t10, t21, res_i1); + { + uint64_t t11 = 
res[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c3 = Lib_IntTypes_Intrinsics_add_carry_u64(c3, t11, t22, res_i2); + { + uint64_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c3 = Lib_IntTypes_Intrinsics_add_carry_u64(c3, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c3 = Lib_IntTypes_Intrinsics_add_carry_u64(c3, t1, t2, res_i); + } + } + c1 = c3; + c = (uint64_t)0U - c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = res; + uint64_t x = (c & tmp[i]) | (~c & res[i]); + os[i] = x; + } + } + } +} + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint64_t[4]. + The outparam res is meant to be a 512-bit bignum, i.e. uint64_t[8]. 
+*/ +void Hacl_Bignum256_mul(uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint32_t i; + memset(res, 0U, (uint32_t)8U * sizeof (uint64_t)); + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t bj = b[i]; + uint64_t *res_j = res + i; + uint64_t c = (uint64_t)0U; + uint64_t r; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)1U; i0++) + { + uint64_t a_i = a[(uint32_t)4U * i0]; + uint64_t *res_i0 = res_j + (uint32_t)4U * i0; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, bj, c, res_i0); + { + uint64_t a_i0 = a[(uint32_t)4U * i0 + (uint32_t)1U]; + uint64_t *res_i1 = res_j + (uint32_t)4U * i0 + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, bj, c, res_i1); + { + uint64_t a_i1 = a[(uint32_t)4U * i0 + (uint32_t)2U]; + uint64_t *res_i2 = res_j + (uint32_t)4U * i0 + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, bj, c, res_i2); + { + uint64_t a_i2 = a[(uint32_t)4U * i0 + (uint32_t)3U]; + uint64_t *res_i = res_j + (uint32_t)4U * i0 + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, bj, c, res_i); + } + } + } + } + } + { + uint32_t i0; + for (i0 = (uint32_t)4U; i0 < (uint32_t)4U; i0++) + { + uint64_t a_i = a[i0]; + uint64_t *res_i = res_j + i0; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, bj, c, res_i); + } + } + r = c; + res[(uint32_t)4U + i] = r; + } +} + +/* +Write `a * a` in `res`. + + The argument a is meant to be a 256-bit bignum, i.e. uint64_t[4]. + The outparam res is meant to be a 512-bit bignum, i.e. uint64_t[8]. 
+*/ +void Hacl_Bignum256_sqr(uint64_t *a, uint64_t *res) +{ + uint64_t c0; + memset(res, 0U, (uint32_t)8U * sizeof (uint64_t)); + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + uint64_t *ab = a; + uint64_t a_j = a[i0]; + uint64_t *res_j = res + i0; + uint64_t c = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < i0 / (uint32_t)4U; i++) + { + uint64_t a_i = ab[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c, res_i0); + { + uint64_t a_i0 = ab[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, a_j, c, res_i1); + { + uint64_t a_i1 = ab[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, a_j, c, res_i2); + { + uint64_t a_i2 = ab[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, a_j, c, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = i0 / (uint32_t)4U * (uint32_t)4U; i < i0; i++) + { + uint64_t a_i = ab[i]; + uint64_t *res_i = res_j + i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c, res_i); + } + } + { + uint64_t r = c; + res[i0 + i0] = r; + } + } + } + c0 = Hacl_Bignum_Addition_bn_add_eq_len_u64((uint32_t)8U, res, res, res); + { + uint64_t tmp[8U] = { 0U }; + uint64_t c1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + FStar_UInt128_uint128 res1 = FStar_UInt128_mul_wide(a[i], a[i]); + uint64_t + hi = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res1, (uint32_t)64U)); + uint64_t lo = FStar_UInt128_uint128_to_uint64(res1); + tmp[(uint32_t)2U * i] = lo; + tmp[(uint32_t)2U * i + (uint32_t)1U] = hi; + } + } + c1 = Hacl_Bignum_Addition_bn_add_eq_len_u64((uint32_t)8U, res, tmp, res); + } +} + +static inline void precompr2(uint32_t nBits, uint64_t 
*n, uint64_t *res) +{ + uint32_t i0; + uint32_t j; + uint32_t i; + memset(res, 0U, (uint32_t)4U * sizeof (uint64_t)); + i0 = nBits / (uint32_t)64U; + j = nBits % (uint32_t)64U; + res[i0] = res[i0] | (uint64_t)1U << j; + for (i = (uint32_t)0U; i < (uint32_t)512U - nBits; i++) + { + Hacl_Bignum256_add_mod(n, res, res, res); + } +} + +static inline void reduction(uint64_t *n, uint64_t nInv, uint64_t *c, uint64_t *res) +{ + uint64_t c00 = (uint64_t)0U; + uint64_t c0; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + uint64_t qj = nInv * c[i0]; + uint64_t *res_j0 = c + i0; + uint64_t c1 = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t a_i = n[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i0); + { + uint64_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c1, res_i1); + { + uint64_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c1, res_i2); + { + uint64_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c1, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t a_i = n[i]; + uint64_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i); + } + } + { + uint64_t r = c1; + uint64_t c10 = r; + uint64_t *resb = c + (uint32_t)4U + i0; + uint64_t res_j = c[(uint32_t)4U + i0]; + c00 = Lib_IntTypes_Intrinsics_add_carry_u64(c00, c10, res_j, resb); + } + } + } + memcpy(res, c + (uint32_t)4U, (uint32_t)4U * sizeof (uint64_t)); + c0 = c00; + { + uint64_t tmp[4U] = { 0U }; + uint64_t c10 = (uint64_t)0U; + uint64_t c1; + uint64_t 
c2; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t t1 = res[(uint32_t)4U * i]; + uint64_t t20 = n[(uint32_t)4U * i]; + uint64_t *res_i0 = tmp + (uint32_t)4U * i; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c10, t1, t20, res_i0); + { + uint64_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c10, t10, t21, res_i1); + { + uint64_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c10, t11, t22, res_i2); + { + uint64_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c10, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c10, t1, t2, res_i); + } + } + c1 = c10; + c2 = c0 - c1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = res; + uint64_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } + } + } +} + +static inline void areduction(uint64_t *n, uint64_t nInv, uint64_t *c, uint64_t *res) +{ + uint64_t c00 = (uint64_t)0U; + uint64_t c0; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + uint64_t qj = nInv * c[i0]; + uint64_t *res_j0 = c + i0; + uint64_t c1 = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t a_i = n[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i0); + { + uint64_t a_i0 = n[(uint32_t)4U * i + 
(uint32_t)1U]; + uint64_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c1, res_i1); + { + uint64_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c1, res_i2); + { + uint64_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c1, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t a_i = n[i]; + uint64_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i); + } + } + { + uint64_t r = c1; + uint64_t c10 = r; + uint64_t *resb = c + (uint32_t)4U + i0; + uint64_t res_j = c[(uint32_t)4U + i0]; + c00 = Lib_IntTypes_Intrinsics_add_carry_u64(c00, c10, res_j, resb); + } + } + } + memcpy(res, c + (uint32_t)4U, (uint32_t)4U * sizeof (uint64_t)); + c0 = c00; + { + uint64_t tmp[4U] = { 0U }; + uint64_t c1 = Hacl_Bignum256_sub(res, n, tmp); + uint64_t m = (uint64_t)0U - c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = res; + uint64_t x = (m & tmp[i]) | (~m & res[i]); + os[i] = x; + } + } + } +} + +static inline void +amont_mul(uint64_t *n, uint64_t nInv_u64, uint64_t *aM, uint64_t *bM, uint64_t *resM) +{ + uint64_t c[8U] = { 0U }; + memset(c, 0U, (uint32_t)8U * sizeof (uint64_t)); + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + uint64_t bj = bM[i0]; + uint64_t *res_j = c + i0; + uint64_t c1 = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t a_i = aM[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, bj, c1, res_i0); + { + uint64_t a_i0 = aM[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c1 = 
Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, bj, c1, res_i1); + { + uint64_t a_i1 = aM[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, bj, c1, res_i2); + { + uint64_t a_i2 = aM[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, bj, c1, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t a_i = aM[i]; + uint64_t *res_i = res_j + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, bj, c1, res_i); + } + } + { + uint64_t r = c1; + c[(uint32_t)4U + i0] = r; + } + } + } + areduction(n, nInv_u64, c, resM); +} + +static inline void amont_sqr(uint64_t *n, uint64_t nInv_u64, uint64_t *aM, uint64_t *resM) +{ + uint64_t c[8U] = { 0U }; + uint64_t c0; + memset(c, 0U, (uint32_t)8U * sizeof (uint64_t)); + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + uint64_t *ab = aM; + uint64_t a_j = aM[i0]; + uint64_t *res_j = c + i0; + uint64_t c1 = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < i0 / (uint32_t)4U; i++) + { + uint64_t a_i = ab[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c1, res_i0); + { + uint64_t a_i0 = ab[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, a_j, c1, res_i1); + { + uint64_t a_i1 = ab[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, a_j, c1, res_i2); + { + uint64_t a_i2 = ab[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, a_j, c1, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = i0 / (uint32_t)4U * (uint32_t)4U; i < i0; i++) + { 
+ uint64_t a_i = ab[i]; + uint64_t *res_i = res_j + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c1, res_i); + } + } + { + uint64_t r = c1; + c[i0 + i0] = r; + } + } + } + c0 = Hacl_Bignum_Addition_bn_add_eq_len_u64((uint32_t)8U, c, c, c); + { + uint64_t tmp[8U] = { 0U }; + uint64_t c1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + FStar_UInt128_uint128 res = FStar_UInt128_mul_wide(aM[i], aM[i]); + uint64_t + hi = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U)); + uint64_t lo = FStar_UInt128_uint128_to_uint64(res); + tmp[(uint32_t)2U * i] = lo; + tmp[(uint32_t)2U * i + (uint32_t)1U] = hi; + } + } + c1 = Hacl_Bignum_Addition_bn_add_eq_len_u64((uint32_t)8U, c, tmp, c); + areduction(n, nInv_u64, c, resM); + } +} + +static inline void +bn_slow_precomp(uint64_t *n, uint64_t mu, uint64_t *r2, uint64_t *a, uint64_t *res) +{ + uint64_t a_mod[4U] = { 0U }; + uint64_t a1[8U] = { 0U }; + memcpy(a1, a, (uint32_t)8U * sizeof (uint64_t)); + { + uint64_t c00 = (uint64_t)0U; + uint64_t c0; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + uint64_t qj = mu * a1[i0]; + uint64_t *res_j0 = a1 + i0; + uint64_t c = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t a_i = n[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j0 + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i0); + { + uint64_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c, res_i1); + { + uint64_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c, res_i2); + { + uint64_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c, res_i); + } + } + } + 
} + } + { + uint32_t i; + for (i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t a_i = n[i]; + uint64_t *res_i = res_j0 + i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i); + } + } + { + uint64_t r = c; + uint64_t c1 = r; + uint64_t *resb = a1 + (uint32_t)4U + i0; + uint64_t res_j = a1[(uint32_t)4U + i0]; + c00 = Lib_IntTypes_Intrinsics_add_carry_u64(c00, c1, res_j, resb); + } + } + } + memcpy(a_mod, a1 + (uint32_t)4U, (uint32_t)4U * sizeof (uint64_t)); + c0 = c00; + { + uint64_t tmp[4U] = { 0U }; + uint64_t c1 = Hacl_Bignum256_sub(a_mod, n, tmp); + uint64_t m = (uint64_t)0U - c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = a_mod; + uint64_t x = (m & tmp[i]) | (~m & a_mod[i]); + os[i] = x; + } + } + { + uint64_t c[8U] = { 0U }; + Hacl_Bignum256_mul(a_mod, r2, c); + reduction(n, mu, c, res); + } + } + } +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 512-bit bignum, i.e. uint64_t[8]. + The argument n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + The function returns false if any of the following preconditions are violated, + true otherwise. 
+ • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum256_mod(uint64_t *n, uint64_t *a, uint64_t *res) +{ + uint64_t one[4U] = { 0U }; + uint64_t bit0; + uint64_t m0; + memset(one, 0U, (uint32_t)4U * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + bit0 = n[0U] & (uint64_t)1U; + m0 = (uint64_t)0U - bit0; + { + uint64_t acc = (uint64_t)0U; + uint64_t m1; + uint64_t is_valid_m; + uint32_t nBits; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + } + m1 = acc; + is_valid_m = m0 & m1; + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)4U, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + uint64_t r2[4U] = { 0U }; + precompr2(nBits, n, r2); + { + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + bn_slow_precomp(n, mu, r2, a, res); + } + } + else + { + memset(res, 0U, (uint32_t)4U * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; + } +} + +static uint64_t exp_check(uint64_t *n, uint64_t *a, uint32_t bBits, uint64_t *b) +{ + uint64_t one[4U] = { 0U }; + uint64_t bit0; + uint64_t m00; + memset(one, 0U, (uint32_t)4U * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + bit0 = n[0U] & (uint64_t)1U; + m00 = (uint64_t)0U - bit0; + { + uint64_t acc0 = (uint64_t)0U; + uint64_t m10; + uint64_t m0; + uint32_t bLen; + uint64_t m1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc0 = + (beq & acc0) + | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + } + m10 = acc0; + m0 = m00 & m10; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + if 
(bBits < (uint32_t)64U * bLen) + { + KRML_CHECK_SIZE(sizeof (uint64_t), bLen); + { + uint64_t b2[bLen]; + memset(b2, 0U, bLen * sizeof (uint64_t)); + { + uint32_t i0 = bBits / (uint32_t)64U; + uint32_t j = bBits % (uint32_t)64U; + b2[i0] = b2[i0] | (uint64_t)1U << j; + { + uint64_t acc = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < bLen; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(b[i], b2[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(b[i], b2[i]); + acc = + (beq & acc) + | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + } + { + uint64_t res = acc; + m1 = res; + } + } + } + } + } + else + { + m1 = (uint64_t)0xFFFFFFFFFFFFFFFFU; + } + { + uint64_t acc = (uint64_t)0U; + uint64_t m2; + uint64_t m; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); + acc = + (beq & acc) + | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + } + m2 = acc; + m = m1 & m2; + return m0 & m; + } + } +} + +static inline void +exp_vartime_precomp( + uint64_t *n, + uint64_t mu, + uint64_t *r2, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + if (bBits < (uint32_t)200U) + { + uint64_t aM[4U] = { 0U }; + uint64_t c[8U] = { 0U }; + Hacl_Bignum256_mul(a, r2, c); + reduction(n, mu, c, aM); + { + uint64_t resM[4U] = { 0U }; + uint64_t tmp0[8U] = { 0U }; + memcpy(tmp0, r2, (uint32_t)4U * sizeof (uint64_t)); + reduction(n, mu, tmp0, resM); + { + uint32_t i; + for (i = (uint32_t)0U; i < bBits; i++) + { + uint32_t i1 = i / (uint32_t)64U; + uint32_t j = i % (uint32_t)64U; + uint64_t tmp = b[i1]; + uint64_t bit = tmp >> j & (uint64_t)1U; + if (!(bit == (uint64_t)0U)) + { + amont_mul(n, mu, resM, aM, resM); + } + amont_sqr(n, mu, aM, aM); + } + } + { + uint64_t tmp[8U] = { 0U }; + memcpy(tmp, resM, (uint32_t)4U * sizeof (uint64_t)); + reduction(n, mu, tmp, res); + return; + } + } + } + 
{ + uint64_t aM[4U] = { 0U }; + uint64_t c[8U] = { 0U }; + Hacl_Bignum256_mul(a, r2, c); + reduction(n, mu, c, aM); + { + uint64_t resM[4U] = { 0U }; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + { + uint64_t tmp[8U] = { 0U }; + memcpy(tmp, r2, (uint32_t)4U * sizeof (uint64_t)); + reduction(n, mu, tmp, resM); + { + uint64_t table[64U] = { 0U }; + uint64_t *t1; + memcpy(table, resM, (uint32_t)4U * sizeof (uint64_t)); + t1 = table + (uint32_t)4U; + memcpy(t1, aM, (uint32_t)4U * sizeof (uint64_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)4U; + uint64_t *t2 = table + (i + (uint32_t)2U) * (uint32_t)4U; + amont_mul(n, mu, t11, aM, t2); + } + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)64U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)64U; + uint64_t p1 = b[i] >> j; + uint64_t ite; + if (i + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + { + uint64_t bits_c = ite & mask_l; + uint32_t bits_l32 = (uint32_t)bits_c; + uint64_t *a_bits_l = table + bits_l32 * (uint32_t)4U; + memcpy(resM, a_bits_l, (uint32_t)4U * sizeof (uint64_t)); + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < bBits / (uint32_t)4U; i++) + { + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + amont_sqr(n, mu, resM, resM); + } + } + { + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = b[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) 
+ { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + { + uint64_t bits_l = ite & mask_l; + uint64_t a_bits_l[4U] = { 0U }; + uint32_t bits_l32 = (uint32_t)bits_l; + uint64_t *a_bits_l1 = table + bits_l32 * (uint32_t)4U; + memcpy(a_bits_l, a_bits_l1, (uint32_t)4U * sizeof (uint64_t)); + amont_mul(n, mu, resM, a_bits_l, resM); + } + } + } + } + { + uint64_t tmp0[8U] = { 0U }; + memcpy(tmp0, resM, (uint32_t)4U * sizeof (uint64_t)); + reduction(n, mu, tmp0, res); + } + } + } + } + } +} + +static inline void +exp_consttime_precomp( + uint64_t *n, + uint64_t mu, + uint64_t *r2, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + if (bBits < (uint32_t)200U) + { + uint64_t aM[4U] = { 0U }; + uint64_t c[8U] = { 0U }; + Hacl_Bignum256_mul(a, r2, c); + reduction(n, mu, c, aM); + { + uint64_t resM[4U] = { 0U }; + uint64_t tmp0[8U] = { 0U }; + memcpy(tmp0, r2, (uint32_t)4U * sizeof (uint64_t)); + reduction(n, mu, tmp0, resM); + { + uint64_t sw = (uint64_t)0U; + uint64_t sw0; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < bBits; i0++) + { + uint32_t i1 = (bBits - i0 - (uint32_t)1U) / (uint32_t)64U; + uint32_t j = (bBits - i0 - (uint32_t)1U) % (uint32_t)64U; + uint64_t tmp = b[i1]; + uint64_t bit = tmp >> j & (uint64_t)1U; + uint64_t sw1 = bit ^ sw; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t dummy = ((uint64_t)0U - sw1) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + } + amont_mul(n, mu, aM, resM, aM); + amont_sqr(n, mu, resM, resM); + sw = bit; + } + } + sw0 = sw; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t dummy = ((uint64_t)0U - sw0) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + } + { + uint64_t tmp[8U] = { 0U }; + memcpy(tmp, resM, (uint32_t)4U * sizeof (uint64_t)); + reduction(n, mu, tmp, res); + return; + } + } + } + } + { + uint64_t aM[4U] = { 0U }; + uint64_t c0[8U] = 
{ 0U }; + Hacl_Bignum256_mul(a, r2, c0); + reduction(n, mu, c0, aM); + { + uint64_t resM[4U] = { 0U }; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + { + uint64_t tmp[8U] = { 0U }; + memcpy(tmp, r2, (uint32_t)4U * sizeof (uint64_t)); + reduction(n, mu, tmp, resM); + { + uint64_t table[64U] = { 0U }; + uint64_t *t1; + memcpy(table, resM, (uint32_t)4U * sizeof (uint64_t)); + t1 = table + (uint32_t)4U; + memcpy(t1, aM, (uint32_t)4U * sizeof (uint64_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)4U; + uint64_t *t2 = table + (i + (uint32_t)2U) * (uint32_t)4U; + amont_mul(n, mu, t11, aM, t2); + } + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i0 = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)64U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)64U; + uint64_t p1 = b[i0] >> j; + uint64_t ite; + if (i0 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i0 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + { + uint64_t bits_c = ite & mask_l; + memcpy(resM, table, (uint32_t)4U * sizeof (uint64_t)); + { + uint32_t i1; + for (i1 = (uint32_t)0U; i1 < (uint32_t)15U; i1++) + { + uint64_t c = FStar_UInt64_eq_mask(bits_c, (uint64_t)(i1 + (uint32_t)1U)); + uint64_t *res_j = table + (i1 + (uint32_t)1U) * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = resM; + uint64_t x = (c & res_j[i]) | (~c & resM[i]); + os[i] = x; + } + } + } + } + } + } + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < bBits / (uint32_t)4U; i0++) + { + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + amont_sqr(n, mu, resM, resM); + } + } + { + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint64_t mask_l = (uint64_t)16U - 
(uint64_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i0 - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk - (uint32_t)4U * i0 - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = b[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + { + uint64_t bits_l = ite & mask_l; + uint64_t a_bits_l[4U] = { 0U }; + memcpy(a_bits_l, table, (uint32_t)4U * sizeof (uint64_t)); + { + uint32_t i2; + for (i2 = (uint32_t)0U; i2 < (uint32_t)15U; i2++) + { + uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i2 + (uint32_t)1U)); + uint64_t *res_j = table + (i2 + (uint32_t)1U) * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = a_bits_l; + uint64_t x = (c & res_j[i]) | (~c & a_bits_l[i]); + os[i] = x; + } + } + } + } + amont_mul(n, mu, resM, a_bits_l, resM); + } + } + } + } + { + uint64_t tmp0[8U] = { 0U }; + memcpy(tmp0, resM, (uint32_t)4U * sizeof (uint64_t)); + reduction(n, mu, tmp0, res); + } + } + } + } + } +} + +static inline void +exp_vartime( + uint32_t nBits, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t r2[4U] = { 0U }; + uint64_t mu; + precompr2(nBits, n, r2); + mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + exp_vartime_precomp(n, mu, r2, a, bBits, b, res); +} + +static inline void +exp_consttime( + uint32_t nBits, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t r2[4U] = { 0U }; + uint64_t mu; + precompr2(nBits, n, r2); + mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + exp_consttime_precomp(n, mu, r2, a, bBits, b, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. 
A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum256_mod_exp_vartime( + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t is_valid_m = exp_check(n, a, bBits, b); + uint32_t + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)4U, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + exp_vartime(nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, (uint32_t)4U * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. + + The function returns false if any of the following preconditions are violated, + true otherwise. 
+ • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum256_mod_exp_consttime( + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t is_valid_m = exp_check(n, a, bBits, b); + uint32_t + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)4U, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + exp_consttime(nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, (uint32_t)4U * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum256_mod_inv_prime_vartime(uint64_t *n, uint64_t *a, uint64_t *res) +{ + uint64_t one[4U] = { 0U }; + uint64_t bit0; + uint64_t m00; + memset(one, 0U, (uint32_t)4U * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + bit0 = n[0U] & (uint64_t)1U; + m00 = (uint64_t)0U - bit0; + { + uint64_t acc0 = (uint64_t)0U; + uint64_t m10; + uint64_t m0; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc0 = + (beq & acc0) + | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + } + m10 = acc0; + m0 = m00 & m10; + { + uint64_t bn_zero[4U] = { 0U }; + uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; + uint64_t mask1; + uint64_t res10; + uint64_t m1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t uu____0 = FStar_UInt64_eq_mask(a[i], bn_zero[i]); + mask = uu____0 & mask; + } + } + mask1 = mask; + res10 = mask1; + m1 = 
res10; + { + uint64_t acc = (uint64_t)0U; + uint64_t m2; + uint64_t is_valid_m; + uint32_t nBits; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); + acc = + (beq & acc) + | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + } + m2 = acc; + is_valid_m = (m0 & ~m1) & m2; + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)4U, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + uint64_t n2[4U] = { 0U }; + uint64_t + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, n[0U], (uint64_t)2U, n2); + uint64_t c1; + if ((uint32_t)1U < (uint32_t)4U) + { + uint32_t rLen = (uint32_t)3U; + uint64_t *a1 = n + (uint32_t)1U; + uint64_t *res1 = n2 + (uint32_t)1U; + uint64_t c = c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint64_t t1 = a1[(uint32_t)4U * i]; + uint64_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i0); + { + uint64_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, (uint64_t)0U, res_i1); + { + uint64_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, (uint64_t)0U, res_i2); + { + uint64_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, (uint64_t)0U, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint64_t t1 = a1[i]; + uint64_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i); + } + } + { + uint64_t c10 = c; + c1 = c10; + } + } + else + { + c1 = c0; + 
} + exp_vartime(nBits, n, a, (uint32_t)256U, n2, res); + } + else + { + memset(res, 0U, (uint32_t)4U * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; + } + } + } +} + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be a 256-bit bignum, i.e. uint64_t[4]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum256_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_Bignum256_mont_ctx_init(uint64_t *n) +{ + uint64_t *r2 = (uint64_t *)KRML_HOST_CALLOC((uint32_t)4U, sizeof (uint64_t)); + uint64_t *n1 = (uint64_t *)KRML_HOST_CALLOC((uint32_t)4U, sizeof (uint64_t)); + uint64_t *r21 = r2; + uint64_t *n11 = n1; + uint32_t nBits; + uint64_t mu; + memcpy(n11, n, (uint32_t)4U * sizeof (uint64_t)); + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)4U, n); + precompr2(nBits, n, r21); + mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + { + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 res; + res.len = (uint32_t)4U; + res.n = n11; + res.mu = mu; + res.r2 = r21; + KRML_CHECK_SIZE(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64), (uint32_t)1U); + { + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 + *buf = + (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *)KRML_HOST_MALLOC(sizeof ( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 + )); + buf[0U] = res; + return buf; + } + } +} + +/* +Deallocate the memory previously allocated by Hacl_Bignum256_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. 
+*/ +void Hacl_Bignum256_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + uint64_t *n = k1.n; + uint64_t *r2 = k1.r2; + KRML_HOST_FREE(n); + KRML_HOST_FREE(r2); + KRML_HOST_FREE(k); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 512-bit bignum, i.e. uint64_t[8]. + The outparam res is meant to be a 256-bit bignum, i.e. uint64_t[4]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. +*/ +void +Hacl_Bignum256_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + bn_slow_precomp(k1.n, k1.mu, k1.r2, a, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum256_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. 
+ The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum256_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + exp_consttime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum256_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + uint64_t n2[4U] = { 0U }; + uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, k1.n[0U], (uint64_t)2U, n2); + uint64_t c1; + if ((uint32_t)1U < (uint32_t)4U) + { + uint32_t rLen = (uint32_t)3U; + uint64_t *a1 = k1.n + (uint32_t)1U; + uint64_t *res1 = n2 + (uint32_t)1U; + uint64_t c = c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint64_t t1 = a1[(uint32_t)4U * i]; + uint64_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i0); + { + uint64_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, (uint64_t)0U, res_i1); + { + uint64_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, (uint64_t)0U, res_i2); + { + uint64_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, (uint64_t)0U, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint64_t t1 = a1[i]; + uint64_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i); + } + } + { + uint64_t c10 = c; + c1 = c10; + } + } + else + { + c1 = c0; + } + exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, (uint32_t)256U, n2, res); +} + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to len bytes of valid memory. 
+ The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint64_t *Hacl_Bignum256_new_bn_from_bytes_be(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U <= (uint32_t)536870911U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint64_t), (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U); + { + uint64_t + *res = + (uint64_t *)KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U, + sizeof (uint64_t)); + if (res == NULL) + { + return res; + } + { + uint64_t *res1 = res; + uint64_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + { + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < bnLen; i++) + { + uint64_t *os = res2; + uint64_t u = load64_be(tmp + (bnLen - i - (uint32_t)1U) * (uint32_t)8U); + uint64_t x = u; + os[i] = x; + } + } + return res2; + } + } + } +} + +/* +Load a little-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. 
+*/ +uint64_t *Hacl_Bignum256_new_bn_from_bytes_le(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U <= (uint32_t)536870911U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint64_t), (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U); + { + uint64_t + *res = + (uint64_t *)KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U, + sizeof (uint64_t)); + if (res == NULL) + { + return res; + } + { + uint64_t *res1 = res; + uint64_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + { + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp, b, len * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; i++) + { + uint64_t *os = res2; + uint8_t *bj = tmp + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r1 = u; + uint64_t x = r1; + os[i] = x; + } + } + return res2; + } + } + } +} + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a 256-bit bignum. + The outparam res points to 32 bytes of valid memory. +*/ +void Hacl_Bignum256_bn_to_bytes_be(uint64_t *b, uint8_t *res) +{ + uint32_t bnLen = ((uint32_t)32U - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + { + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + { + uint32_t numb = (uint32_t)8U; + { + uint32_t i; + for (i = (uint32_t)0U; i < bnLen; i++) + { + store64_be(tmp + i * numb, b[bnLen - i - (uint32_t)1U]); + } + } + memcpy(res, tmp + tmpLen - (uint32_t)32U, (uint32_t)32U * sizeof (uint8_t)); + } + } +} + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a 256-bit bignum. + The outparam res points to 32 bytes of valid memory. 
+*/ +void Hacl_Bignum256_bn_to_bytes_le(uint64_t *b, uint8_t *res) +{ + uint32_t bnLen = ((uint32_t)32U - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + { + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < bnLen; i++) + { + store64_le(tmp + i * (uint32_t)8U, b[i]); + } + } + memcpy(res, tmp, (uint32_t)32U * sizeof (uint8_t)); + } +} + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^64 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint64_t[4]. +*/ +uint64_t Hacl_Bignum256_lt_mask(uint64_t *a, uint64_t *b) +{ + uint64_t acc = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(a[i], b[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(a[i], b[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + } + return acc; +} + +/* +Returns 2^64 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint64_t[4]. +*/ +uint64_t Hacl_Bignum256_eq_mask(uint64_t *a, uint64_t *b) +{ + uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; + uint64_t mask1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t uu____0 = FStar_UInt64_eq_mask(a[i], b[i]); + mask = uu____0 & mask; + } + } + mask1 = mask; + return mask1; +} + diff --git a/src/c89/Hacl_Bignum256_32.c b/src/c89/Hacl_Bignum256_32.c new file mode 100644 index 00000000..061b95e9 --- /dev/null +++ b/src/c89/Hacl_Bignum256_32.c 
@@ -0,0 +1,2103 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Bignum256_32.h" + +#include "internal/Hacl_Bignum.h" + +/******************************************************************************* + +A verified 256-bit bignum library. + +This is a 32-bit optimized version, where bignums are represented as an array +of eight unsigned 32-bit integers, i.e. uint32_t[8]. Furthermore, the +limbs are stored in little-endian format, i.e. the least significant limb is at +index 0. Each limb is stored in native format in memory. Example: + + uint32_t sixteen[8] = { 0x10; 0x00; 0x00; 0x00; 0x00; 0x00; 0x00; 0x00 } + +We strongly encourage users to go through the conversion functions, e.g. 
+bn_from_bytes_be, to i) not depend on internal representation choices and ii) +have the ability to switch easily to a 64-bit optimized version in the future. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2^256` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 256-bit bignums, i.e. uint32_t[8] +*/ +uint32_t Hacl_Bignum256_32_add(uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c = (uint32_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t20, res_i0); + { + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t10, t21, res_i1); + { + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t11, t22, res_i2); + { + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t2, res_i); + } + } + return c; +} + +/* +Write `a - b mod 2^256` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 256-bit bignums, i.e. 
uint32_t[8] +*/ +uint32_t Hacl_Bignum256_32_sub(uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c = (uint32_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t20, res_i0); + { + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, t21, res_i1); + { + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, t22, res_i2); + { + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t2, res_i); + } + } + return c; +} + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • a < n + • b < n +*/ +void Hacl_Bignum256_32_add_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c2 = (uint32_t)0U; + uint32_t c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c2 = Lib_IntTypes_Intrinsics_add_carry_u32(c2, t1, t20, res_i0); + { + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c2 = Lib_IntTypes_Intrinsics_add_carry_u32(c2, t10, t21, res_i1); + { + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c2 = Lib_IntTypes_Intrinsics_add_carry_u32(c2, t11, t22, res_i2); + { + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c2 = Lib_IntTypes_Intrinsics_add_carry_u32(c2, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c2 = Lib_IntTypes_Intrinsics_add_carry_u32(c2, t1, t2, res_i); + } + } + c0 = c2; + { + uint32_t tmp[8U] = { 0U }; + uint32_t c3 = (uint32_t)0U; + uint32_t c1; + uint32_t c; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t t1 = res[(uint32_t)4U * i]; + uint32_t t20 = n[(uint32_t)4U * i]; + uint32_t *res_i0 = tmp + (uint32_t)4U * i; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c3, t1, t20, res_i0); + { + uint32_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c3, t10, t21, res_i1); + { + uint32_t t11 = 
res[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c3, t11, t22, res_i2); + { + uint32_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c3, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t t1 = res[i]; + uint32_t t2 = n[i]; + uint32_t *res_i = tmp + i; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c3, t1, t2, res_i); + } + } + c1 = c3; + c = c0 - c1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = res; + uint32_t x = (c & res[i]) | (~c & tmp[i]); + os[i] = x; + } + } + } +} + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • a < n + • b < n +*/ +void Hacl_Bignum256_32_sub_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c2 = (uint32_t)0U; + uint32_t c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c2, t1, t20, res_i0); + { + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c2, t10, t21, res_i1); + { + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c2, t11, t22, res_i2); + { + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c2, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c2, t1, t2, res_i); + } + } + c0 = c2; + { + uint32_t tmp[8U] = { 0U }; + uint32_t c3 = (uint32_t)0U; + uint32_t c1; + uint32_t c; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t t1 = res[(uint32_t)4U * i]; + uint32_t t20 = n[(uint32_t)4U * i]; + uint32_t *res_i0 = tmp + (uint32_t)4U * i; + c3 = Lib_IntTypes_Intrinsics_add_carry_u32(c3, t1, t20, res_i0); + { + uint32_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c3 = Lib_IntTypes_Intrinsics_add_carry_u32(c3, t10, t21, res_i1); + { + uint32_t t11 = 
res[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c3 = Lib_IntTypes_Intrinsics_add_carry_u32(c3, t11, t22, res_i2); + { + uint32_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c3 = Lib_IntTypes_Intrinsics_add_carry_u32(c3, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t t1 = res[i]; + uint32_t t2 = n[i]; + uint32_t *res_i = tmp + i; + c3 = Lib_IntTypes_Intrinsics_add_carry_u32(c3, t1, t2, res_i); + } + } + c1 = c3; + c = (uint32_t)0U - c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = res; + uint32_t x = (c & tmp[i]) | (~c & res[i]); + os[i] = x; + } + } + } +} + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint32_t[8]. + The outparam res is meant to be a 512-bit bignum, i.e. uint32_t[16]. 
+*/ +void Hacl_Bignum256_32_mul(uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t i; + memset(res, 0U, (uint32_t)16U * sizeof (uint32_t)); + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t bj = b[i]; + uint32_t *res_j = res + i; + uint32_t c = (uint32_t)0U; + uint32_t r; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)2U; i0++) + { + uint32_t a_i = a[(uint32_t)4U * i0]; + uint32_t *res_i0 = res_j + (uint32_t)4U * i0; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, bj, c, res_i0); + { + uint32_t a_i0 = a[(uint32_t)4U * i0 + (uint32_t)1U]; + uint32_t *res_i1 = res_j + (uint32_t)4U * i0 + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, bj, c, res_i1); + { + uint32_t a_i1 = a[(uint32_t)4U * i0 + (uint32_t)2U]; + uint32_t *res_i2 = res_j + (uint32_t)4U * i0 + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, bj, c, res_i2); + { + uint32_t a_i2 = a[(uint32_t)4U * i0 + (uint32_t)3U]; + uint32_t *res_i = res_j + (uint32_t)4U * i0 + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, bj, c, res_i); + } + } + } + } + } + { + uint32_t i0; + for (i0 = (uint32_t)8U; i0 < (uint32_t)8U; i0++) + { + uint32_t a_i = a[i0]; + uint32_t *res_i = res_j + i0; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, bj, c, res_i); + } + } + r = c; + res[(uint32_t)8U + i] = r; + } +} + +/* +Write `a * a` in `res`. + + The argument a is meant to be a 256-bit bignum, i.e. uint32_t[8]. + The outparam res is meant to be a 512-bit bignum, i.e. uint32_t[16]. 
+*/ +void Hacl_Bignum256_32_sqr(uint32_t *a, uint32_t *res) +{ + uint32_t c0; + memset(res, 0U, (uint32_t)16U * sizeof (uint32_t)); + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)8U; i0++) + { + uint32_t *ab = a; + uint32_t a_j = a[i0]; + uint32_t *res_j = res + i0; + uint32_t c = (uint32_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < i0 / (uint32_t)4U; i++) + { + uint32_t a_i = ab[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, a_j, c, res_i0); + { + uint32_t a_i0 = ab[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, a_j, c, res_i1); + { + uint32_t a_i1 = ab[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, a_j, c, res_i2); + { + uint32_t a_i2 = ab[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, a_j, c, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = i0 / (uint32_t)4U * (uint32_t)4U; i < i0; i++) + { + uint32_t a_i = ab[i]; + uint32_t *res_i = res_j + i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, a_j, c, res_i); + } + } + { + uint32_t r = c; + res[i0 + i0] = r; + } + } + } + c0 = Hacl_Bignum_Addition_bn_add_eq_len_u32((uint32_t)16U, res, res, res); + { + uint32_t tmp[16U] = { 0U }; + uint32_t c1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint64_t res1 = (uint64_t)a[i] * (uint64_t)a[i]; + uint32_t hi = (uint32_t)(res1 >> (uint32_t)32U); + uint32_t lo = (uint32_t)res1; + tmp[(uint32_t)2U * i] = lo; + tmp[(uint32_t)2U * i + (uint32_t)1U] = hi; + } + } + c1 = Hacl_Bignum_Addition_bn_add_eq_len_u32((uint32_t)16U, res, tmp, res); + } +} + +static inline void precompr2(uint32_t nBits, uint32_t *n, uint32_t *res) +{ + uint32_t i0; + uint32_t j; + uint32_t i; + memset(res, 
0U, (uint32_t)8U * sizeof (uint32_t)); + i0 = nBits / (uint32_t)32U; + j = nBits % (uint32_t)32U; + res[i0] = res[i0] | (uint32_t)1U << j; + for (i = (uint32_t)0U; i < (uint32_t)512U - nBits; i++) + { + Hacl_Bignum256_32_add_mod(n, res, res, res); + } +} + +static inline void reduction(uint32_t *n, uint32_t nInv, uint32_t *c, uint32_t *res) +{ + uint32_t c00 = (uint32_t)0U; + uint32_t c0; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)8U; i0++) + { + uint32_t qj = nInv * c[i0]; + uint32_t *res_j0 = c + i0; + uint32_t c1 = (uint32_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t a_i = n[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i0); + { + uint32_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, qj, c1, res_i1); + { + uint32_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, qj, c1, res_i2); + { + uint32_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c1, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t a_i = n[i]; + uint32_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i); + } + } + { + uint32_t r = c1; + uint32_t c10 = r; + uint32_t *resb = c + (uint32_t)8U + i0; + uint32_t res_j = c[(uint32_t)8U + i0]; + c00 = Lib_IntTypes_Intrinsics_add_carry_u32(c00, c10, res_j, resb); + } + } + } + memcpy(res, c + (uint32_t)8U, (uint32_t)8U * sizeof (uint32_t)); + c0 = c00; + { + uint32_t tmp[8U] = { 0U }; + uint32_t c10 = (uint32_t)0U; + uint32_t c1; + uint32_t c2; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + 
uint32_t t1 = res[(uint32_t)4U * i]; + uint32_t t20 = n[(uint32_t)4U * i]; + uint32_t *res_i0 = tmp + (uint32_t)4U * i; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c10, t1, t20, res_i0); + { + uint32_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c10, t10, t21, res_i1); + { + uint32_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c10, t11, t22, res_i2); + { + uint32_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c10, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t t1 = res[i]; + uint32_t t2 = n[i]; + uint32_t *res_i = tmp + i; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c10, t1, t2, res_i); + } + } + c1 = c10; + c2 = c0 - c1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = res; + uint32_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } + } + } +} + +static inline void areduction(uint32_t *n, uint32_t nInv, uint32_t *c, uint32_t *res) +{ + uint32_t c00 = (uint32_t)0U; + uint32_t c0; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)8U; i0++) + { + uint32_t qj = nInv * c[i0]; + uint32_t *res_j0 = c + i0; + uint32_t c1 = (uint32_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t a_i = n[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i0); + { + uint32_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = 
Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, qj, c1, res_i1); + { + uint32_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, qj, c1, res_i2); + { + uint32_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c1, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t a_i = n[i]; + uint32_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i); + } + } + { + uint32_t r = c1; + uint32_t c10 = r; + uint32_t *resb = c + (uint32_t)8U + i0; + uint32_t res_j = c[(uint32_t)8U + i0]; + c00 = Lib_IntTypes_Intrinsics_add_carry_u32(c00, c10, res_j, resb); + } + } + } + memcpy(res, c + (uint32_t)8U, (uint32_t)8U * sizeof (uint32_t)); + c0 = c00; + { + uint32_t tmp[8U] = { 0U }; + uint32_t c1 = Hacl_Bignum256_32_sub(res, n, tmp); + uint32_t m = (uint32_t)0U - c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = res; + uint32_t x = (m & tmp[i]) | (~m & res[i]); + os[i] = x; + } + } + } +} + +static inline void +amont_mul(uint32_t *n, uint32_t nInv_u64, uint32_t *aM, uint32_t *bM, uint32_t *resM) +{ + uint32_t c[16U] = { 0U }; + memset(c, 0U, (uint32_t)16U * sizeof (uint32_t)); + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)8U; i0++) + { + uint32_t bj = bM[i0]; + uint32_t *res_j = c + i0; + uint32_t c1 = (uint32_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t a_i = aM[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, bj, c1, res_i0); + { + uint32_t a_i0 = aM[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, bj, c1, res_i1); + { + uint32_t a_i1 = 
aM[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, bj, c1, res_i2); + { + uint32_t a_i2 = aM[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, bj, c1, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t a_i = aM[i]; + uint32_t *res_i = res_j + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, bj, c1, res_i); + } + } + { + uint32_t r = c1; + c[(uint32_t)8U + i0] = r; + } + } + } + areduction(n, nInv_u64, c, resM); +} + +static inline void amont_sqr(uint32_t *n, uint32_t nInv_u64, uint32_t *aM, uint32_t *resM) +{ + uint32_t c[16U] = { 0U }; + uint32_t c0; + memset(c, 0U, (uint32_t)16U * sizeof (uint32_t)); + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)8U; i0++) + { + uint32_t *ab = aM; + uint32_t a_j = aM[i0]; + uint32_t *res_j = c + i0; + uint32_t c1 = (uint32_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < i0 / (uint32_t)4U; i++) + { + uint32_t a_i = ab[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, a_j, c1, res_i0); + { + uint32_t a_i0 = ab[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, a_j, c1, res_i1); + { + uint32_t a_i1 = ab[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, a_j, c1, res_i2); + { + uint32_t a_i2 = ab[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, a_j, c1, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = i0 / (uint32_t)4U * (uint32_t)4U; i < i0; i++) + { + uint32_t a_i = ab[i]; + uint32_t *res_i = res_j + i; + c1 = 
Hacl_Bignum_Base_mul_wide_add2_u32(a_i, a_j, c1, res_i); + } + } + { + uint32_t r = c1; + c[i0 + i0] = r; + } + } + } + c0 = Hacl_Bignum_Addition_bn_add_eq_len_u32((uint32_t)16U, c, c, c); + { + uint32_t tmp[16U] = { 0U }; + uint32_t c1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint64_t res = (uint64_t)aM[i] * (uint64_t)aM[i]; + uint32_t hi = (uint32_t)(res >> (uint32_t)32U); + uint32_t lo = (uint32_t)res; + tmp[(uint32_t)2U * i] = lo; + tmp[(uint32_t)2U * i + (uint32_t)1U] = hi; + } + } + c1 = Hacl_Bignum_Addition_bn_add_eq_len_u32((uint32_t)16U, c, tmp, c); + areduction(n, nInv_u64, c, resM); + } +} + +static inline void +bn_slow_precomp(uint32_t *n, uint32_t mu, uint32_t *r2, uint32_t *a, uint32_t *res) +{ + uint32_t a_mod[8U] = { 0U }; + uint32_t a1[16U] = { 0U }; + memcpy(a1, a, (uint32_t)16U * sizeof (uint32_t)); + { + uint32_t c00 = (uint32_t)0U; + uint32_t c0; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)8U; i0++) + { + uint32_t qj = mu * a1[i0]; + uint32_t *res_j0 = a1 + i0; + uint32_t c = (uint32_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t a_i = n[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j0 + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c, res_i0); + { + uint32_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, qj, c, res_i1); + { + uint32_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, qj, c, res_i2); + { + uint32_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t a_i = n[i]; + uint32_t *res_i = res_j0 + i; + c = 
Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c, res_i); + } + } + { + uint32_t r = c; + uint32_t c1 = r; + uint32_t *resb = a1 + (uint32_t)8U + i0; + uint32_t res_j = a1[(uint32_t)8U + i0]; + c00 = Lib_IntTypes_Intrinsics_add_carry_u32(c00, c1, res_j, resb); + } + } + } + memcpy(a_mod, a1 + (uint32_t)8U, (uint32_t)8U * sizeof (uint32_t)); + c0 = c00; + { + uint32_t tmp[8U] = { 0U }; + uint32_t c1 = Hacl_Bignum256_32_sub(a_mod, n, tmp); + uint32_t m = (uint32_t)0U - c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = a_mod; + uint32_t x = (m & tmp[i]) | (~m & a_mod[i]); + os[i] = x; + } + } + { + uint32_t c[16U] = { 0U }; + Hacl_Bignum256_32_mul(a_mod, r2, c); + reduction(n, mu, c, res); + } + } + } +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 512-bit bignum, i.e. uint32_t[16]. + The argument n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + The function returns false if any of the following preconditions are violated, + true otherwise. 
+ • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum256_32_mod(uint32_t *n, uint32_t *a, uint32_t *res) +{ + uint32_t one[8U] = { 0U }; + uint32_t bit0; + uint32_t m0; + memset(one, 0U, (uint32_t)8U * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + bit0 = n[0U] & (uint32_t)1U; + m0 = (uint32_t)0U - bit0; + { + uint32_t acc = (uint32_t)0U; + uint32_t m1; + uint32_t is_valid_m; + uint32_t nBits; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + } + m1 = acc; + is_valid_m = m0 & m1; + nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)8U, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + uint32_t r2[8U] = { 0U }; + precompr2(nBits, n, r2); + { + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + bn_slow_precomp(n, mu, r2, a, res); + } + } + else + { + memset(res, 0U, (uint32_t)8U * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; + } +} + +static uint32_t exp_check(uint32_t *n, uint32_t *a, uint32_t bBits, uint32_t *b) +{ + uint32_t one[8U] = { 0U }; + uint32_t bit0; + uint32_t m00; + memset(one, 0U, (uint32_t)8U * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + bit0 = n[0U] & (uint32_t)1U; + m00 = (uint32_t)0U - bit0; + { + uint32_t acc0 = (uint32_t)0U; + uint32_t m10; + uint32_t m0; + uint32_t bLen; + uint32_t m1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + } + m10 = acc0; + m0 = m00 & m10; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + if (bBits < (uint32_t)32U * bLen) + { + 
KRML_CHECK_SIZE(sizeof (uint32_t), bLen); + { + uint32_t b2[bLen]; + memset(b2, 0U, bLen * sizeof (uint32_t)); + { + uint32_t i0 = bBits / (uint32_t)32U; + uint32_t j = bBits % (uint32_t)32U; + b2[i0] = b2[i0] | (uint32_t)1U << j; + { + uint32_t acc = (uint32_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < bLen; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(b[i], b2[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(b[i], b2[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + } + { + uint32_t res = acc; + m1 = res; + } + } + } + } + } + else + { + m1 = (uint32_t)0xFFFFFFFFU; + } + { + uint32_t acc = (uint32_t)0U; + uint32_t m2; + uint32_t m; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + } + m2 = acc; + m = m1 & m2; + return m0 & m; + } + } +} + +static inline void +exp_vartime_precomp( + uint32_t *n, + uint32_t mu, + uint32_t *r2, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + if (bBits < (uint32_t)200U) + { + uint32_t aM[8U] = { 0U }; + uint32_t c[16U] = { 0U }; + Hacl_Bignum256_32_mul(a, r2, c); + reduction(n, mu, c, aM); + { + uint32_t resM[8U] = { 0U }; + uint32_t tmp0[16U] = { 0U }; + memcpy(tmp0, r2, (uint32_t)8U * sizeof (uint32_t)); + reduction(n, mu, tmp0, resM); + { + uint32_t i; + for (i = (uint32_t)0U; i < bBits; i++) + { + uint32_t i1 = i / (uint32_t)32U; + uint32_t j = i % (uint32_t)32U; + uint32_t tmp = b[i1]; + uint32_t bit = tmp >> j & (uint32_t)1U; + if (!(bit == (uint32_t)0U)) + { + amont_mul(n, mu, resM, aM, resM); + } + amont_sqr(n, mu, aM, aM); + } + } + { + uint32_t tmp[16U] = { 0U }; + memcpy(tmp, resM, (uint32_t)8U * sizeof (uint32_t)); + reduction(n, mu, tmp, res); + return; + } + } + } + { + uint32_t aM[8U] = { 0U }; + uint32_t c[16U] = { 0U }; + 
Hacl_Bignum256_32_mul(a, r2, c); + reduction(n, mu, c, aM); + { + uint32_t resM[8U] = { 0U }; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + { + uint32_t tmp[16U] = { 0U }; + memcpy(tmp, r2, (uint32_t)8U * sizeof (uint32_t)); + reduction(n, mu, tmp, resM); + { + uint32_t table[128U] = { 0U }; + uint32_t *t1; + memcpy(table, resM, (uint32_t)8U * sizeof (uint32_t)); + t1 = table + (uint32_t)8U; + memcpy(t1, aM, (uint32_t)8U * sizeof (uint32_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint32_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)8U; + uint32_t *t2 = table + (i + (uint32_t)2U) * (uint32_t)8U; + amont_mul(n, mu, t11, aM, t2); + } + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)32U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)32U; + uint32_t p1 = b[i] >> j; + uint32_t ite; + if (i + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + { + uint32_t bits_c = ite & mask_l; + uint32_t bits_l32 = bits_c; + uint32_t *a_bits_l = table + bits_l32 * (uint32_t)8U; + memcpy(resM, a_bits_l, (uint32_t)8U * sizeof (uint32_t)); + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < bBits / (uint32_t)4U; i++) + { + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + amont_sqr(n, mu, resM, resM); + } + } + { + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)32U; + uint32_t j = (bk - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)32U; + uint32_t p1 = b[i1] >> j; + uint32_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)32U - j); + 
} + else + { + ite = p1; + } + { + uint32_t bits_l = ite & mask_l; + uint32_t a_bits_l[8U] = { 0U }; + uint32_t bits_l32 = bits_l; + uint32_t *a_bits_l1 = table + bits_l32 * (uint32_t)8U; + memcpy(a_bits_l, a_bits_l1, (uint32_t)8U * sizeof (uint32_t)); + amont_mul(n, mu, resM, a_bits_l, resM); + } + } + } + } + { + uint32_t tmp0[16U] = { 0U }; + memcpy(tmp0, resM, (uint32_t)8U * sizeof (uint32_t)); + reduction(n, mu, tmp0, res); + } + } + } + } + } +} + +static inline void +exp_consttime_precomp( + uint32_t *n, + uint32_t mu, + uint32_t *r2, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + if (bBits < (uint32_t)200U) + { + uint32_t aM[8U] = { 0U }; + uint32_t c[16U] = { 0U }; + Hacl_Bignum256_32_mul(a, r2, c); + reduction(n, mu, c, aM); + { + uint32_t resM[8U] = { 0U }; + uint32_t tmp0[16U] = { 0U }; + memcpy(tmp0, r2, (uint32_t)8U * sizeof (uint32_t)); + reduction(n, mu, tmp0, resM); + { + uint32_t sw = (uint32_t)0U; + uint32_t sw0; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < bBits; i0++) + { + uint32_t i1 = (bBits - i0 - (uint32_t)1U) / (uint32_t)32U; + uint32_t j = (bBits - i0 - (uint32_t)1U) % (uint32_t)32U; + uint32_t tmp = b[i1]; + uint32_t bit = tmp >> j & (uint32_t)1U; + uint32_t sw1 = bit ^ sw; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t dummy = ((uint32_t)0U - sw1) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + } + amont_mul(n, mu, aM, resM, aM); + amont_sqr(n, mu, resM, resM); + sw = bit; + } + } + sw0 = sw; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t dummy = ((uint32_t)0U - sw0) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + } + { + uint32_t tmp[16U] = { 0U }; + memcpy(tmp, resM, (uint32_t)8U * sizeof (uint32_t)); + reduction(n, mu, tmp, res); + return; + } + } + } + } + { + uint32_t aM[8U] = { 0U }; + uint32_t c0[16U] = { 0U }; + Hacl_Bignum256_32_mul(a, r2, c0); + reduction(n, mu, 
c0, aM); + { + uint32_t resM[8U] = { 0U }; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + { + uint32_t tmp[16U] = { 0U }; + memcpy(tmp, r2, (uint32_t)8U * sizeof (uint32_t)); + reduction(n, mu, tmp, resM); + { + uint32_t table[128U] = { 0U }; + uint32_t *t1; + memcpy(table, resM, (uint32_t)8U * sizeof (uint32_t)); + t1 = table + (uint32_t)8U; + memcpy(t1, aM, (uint32_t)8U * sizeof (uint32_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint32_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)8U; + uint32_t *t2 = table + (i + (uint32_t)2U) * (uint32_t)8U; + amont_mul(n, mu, t11, aM, t2); + } + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i0 = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)32U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)32U; + uint32_t p1 = b[i0] >> j; + uint32_t ite; + if (i0 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i0 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + { + uint32_t bits_c = ite & mask_l; + memcpy(resM, table, (uint32_t)8U * sizeof (uint32_t)); + { + uint32_t i1; + for (i1 = (uint32_t)0U; i1 < (uint32_t)15U; i1++) + { + uint32_t c = FStar_UInt32_eq_mask(bits_c, i1 + (uint32_t)1U); + uint32_t *res_j = table + (i1 + (uint32_t)1U) * (uint32_t)8U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = resM; + uint32_t x = (c & res_j[i]) | (~c & resM[i]); + os[i] = x; + } + } + } + } + } + } + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < bBits / (uint32_t)4U; i0++) + { + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + amont_sqr(n, mu, resM, resM); + } + } + { + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i0 - (uint32_t)4U) / 
(uint32_t)32U; + uint32_t j = (bk - (uint32_t)4U * i0 - (uint32_t)4U) % (uint32_t)32U; + uint32_t p1 = b[i1] >> j; + uint32_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + { + uint32_t bits_l = ite & mask_l; + uint32_t a_bits_l[8U] = { 0U }; + memcpy(a_bits_l, table, (uint32_t)8U * sizeof (uint32_t)); + { + uint32_t i2; + for (i2 = (uint32_t)0U; i2 < (uint32_t)15U; i2++) + { + uint32_t c = FStar_UInt32_eq_mask(bits_l, i2 + (uint32_t)1U); + uint32_t *res_j = table + (i2 + (uint32_t)1U) * (uint32_t)8U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = a_bits_l; + uint32_t x = (c & res_j[i]) | (~c & a_bits_l[i]); + os[i] = x; + } + } + } + } + amont_mul(n, mu, resM, a_bits_l, resM); + } + } + } + } + { + uint32_t tmp0[16U] = { 0U }; + memcpy(tmp0, resM, (uint32_t)8U * sizeof (uint32_t)); + reduction(n, mu, tmp0, res); + } + } + } + } + } +} + +static inline void +exp_vartime( + uint32_t nBits, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t r2[8U] = { 0U }; + uint32_t mu; + precompr2(nBits, n, r2); + mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + exp_vartime_precomp(n, mu, r2, a, bBits, b, res); +} + +static inline void +exp_consttime( + uint32_t nBits, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t r2[8U] = { 0U }; + uint32_t mu; + precompr2(nBits, n, r2); + mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + exp_consttime_precomp(n, mu, r2, a, bBits, b, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. 
When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum256_32_mod_exp_vartime( + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t is_valid_m = exp_check(n, a, bBits, b); + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)8U, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + exp_vartime(nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, (uint32_t)8U * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. + + The function returns false if any of the following preconditions are violated, + true otherwise. 
+ • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum256_32_mod_exp_consttime( + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t is_valid_m = exp_check(n, a, bBits, b); + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)8U, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + exp_consttime(nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, (uint32_t)8U * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum256_32_mod_inv_prime_vartime(uint32_t *n, uint32_t *a, uint32_t *res) +{ + uint32_t one[8U] = { 0U }; + uint32_t bit0; + uint32_t m00; + memset(one, 0U, (uint32_t)8U * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + bit0 = n[0U] & (uint32_t)1U; + m00 = (uint32_t)0U - bit0; + { + uint32_t acc0 = (uint32_t)0U; + uint32_t m10; + uint32_t m0; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + } + m10 = acc0; + m0 = m00 & m10; + { + uint32_t bn_zero[8U] = { 0U }; + uint32_t mask = (uint32_t)0xFFFFFFFFU; + uint32_t mask1; + uint32_t res10; + uint32_t m1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t uu____0 = FStar_UInt32_eq_mask(a[i], bn_zero[i]); + mask = uu____0 & mask; + } + } + mask1 = mask; + res10 = mask1; + m1 = res10; + { + uint32_t acc = (uint32_t)0U; + 
uint32_t m2; + uint32_t is_valid_m; + uint32_t nBits; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + } + m2 = acc; + is_valid_m = (m0 & ~m1) & m2; + nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)8U, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + uint32_t n2[8U] = { 0U }; + uint32_t + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32((uint32_t)0U, n[0U], (uint32_t)2U, n2); + uint32_t c1; + if ((uint32_t)1U < (uint32_t)8U) + { + uint32_t rLen = (uint32_t)7U; + uint32_t *a1 = n + (uint32_t)1U; + uint32_t *res1 = n2 + (uint32_t)1U; + uint32_t c = c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint32_t t1 = a1[(uint32_t)4U * i]; + uint32_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i0); + { + uint32_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, (uint32_t)0U, res_i1); + { + uint32_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, (uint32_t)0U, res_i2); + { + uint32_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, (uint32_t)0U, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint32_t t1 = a1[i]; + uint32_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i); + } + } + { + uint32_t c10 = c; + c1 = c10; + } + } + else + { + c1 = c0; + } + exp_vartime(nBits, n, a, (uint32_t)256U, n2, res); + } + else + { + 
memset(res, 0U, (uint32_t)8U * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; + } + } + } +} + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be a 256-bit bignum, i.e. uint32_t[8]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum256_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_Bignum256_32_mont_ctx_init(uint32_t *n) +{ + uint32_t *r2 = (uint32_t *)KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); + uint32_t *n1 = (uint32_t *)KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); + uint32_t *r21 = r2; + uint32_t *n11 = n1; + uint32_t nBits; + uint32_t mu; + memcpy(n11, n, (uint32_t)8U * sizeof (uint32_t)); + nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)8U, n); + precompr2(nBits, n, r21); + mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + { + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 res; + res.len = (uint32_t)8U; + res.n = n11; + res.mu = mu; + res.r2 = r21; + KRML_CHECK_SIZE(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32), (uint32_t)1U); + { + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 + *buf = + (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *)KRML_HOST_MALLOC(sizeof ( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 + )); + buf[0U] = res; + return buf; + } + } +} + +/* +Deallocate the memory previously allocated by Hacl_Bignum256_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. 
+*/ +void Hacl_Bignum256_32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + uint32_t *n = k1.n; + uint32_t *r2 = k1.r2; + KRML_HOST_FREE(n); + KRML_HOST_FREE(r2); + KRML_HOST_FREE(k); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 512-bit bignum, i.e. uint32_t[16]. + The outparam res is meant to be a 256-bit bignum, i.e. uint32_t[8]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. +*/ +void +Hacl_Bignum256_32_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + bn_slow_precomp(k1.n, k1.mu, k1.r2, a, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum256_32_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. 
+ The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum256_32_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + exp_consttime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum256_32_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + uint32_t n2[8U] = { 0U }; + uint32_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32((uint32_t)0U, k1.n[0U], (uint32_t)2U, n2); + uint32_t c1; + if ((uint32_t)1U < (uint32_t)8U) + { + uint32_t rLen = (uint32_t)7U; + uint32_t *a1 = k1.n + (uint32_t)1U; + uint32_t *res1 = n2 + (uint32_t)1U; + uint32_t c = c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint32_t t1 = a1[(uint32_t)4U * i]; + uint32_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i0); + { + uint32_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, (uint32_t)0U, res_i1); + { + uint32_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, (uint32_t)0U, res_i2); + { + uint32_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, (uint32_t)0U, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint32_t t1 = a1[i]; + uint32_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i); + } + } + { + uint32_t c10 = c; + c1 = c10; + } + } + else + { + c1 = c0; + } + exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, (uint32_t)256U, n2, res); +} + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to len bytes of valid memory. 
+ The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum256_32_new_bn_from_bytes_be(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U <= (uint32_t)1073741823U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint32_t), (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U); + { + uint32_t + *res = + (uint32_t *)KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U, + sizeof (uint32_t)); + if (res == NULL) + { + return res; + } + { + uint32_t *res1 = res; + uint32_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + { + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < bnLen; i++) + { + uint32_t *os = res2; + uint32_t u = load32_be(tmp + (bnLen - i - (uint32_t)1U) * (uint32_t)4U); + uint32_t x = u; + os[i] = x; + } + } + return res2; + } + } + } +} + +/* +Load a little-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. 
+*/ +uint32_t *Hacl_Bignum256_32_new_bn_from_bytes_le(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U <= (uint32_t)1073741823U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint32_t), (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U); + { + uint32_t + *res = + (uint32_t *)KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U, + sizeof (uint32_t)); + if (res == NULL) + { + return res; + } + { + uint32_t *res1 = res; + uint32_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + { + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp, b, len * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; i++) + { + uint32_t *os = res2; + uint8_t *bj = tmp + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r1 = u; + uint32_t x = r1; + os[i] = x; + } + } + return res2; + } + } + } +} + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a 256-bit bignum. + The outparam res points to 32 bytes of valid memory. +*/ +void Hacl_Bignum256_32_bn_to_bytes_be(uint32_t *b, uint8_t *res) +{ + uint32_t bnLen = ((uint32_t)32U - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + { + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + { + uint32_t numb = (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < bnLen; i++) + { + store32_be(tmp + i * numb, b[bnLen - i - (uint32_t)1U]); + } + } + memcpy(res, tmp + tmpLen - (uint32_t)32U, (uint32_t)32U * sizeof (uint8_t)); + } + } +} + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a 256-bit bignum. + The outparam res points to 32 bytes of valid memory. 
+*/ +void Hacl_Bignum256_32_bn_to_bytes_le(uint32_t *b, uint8_t *res) +{ + uint32_t bnLen = ((uint32_t)32U - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + { + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < bnLen; i++) + { + store32_le(tmp + i * (uint32_t)4U, b[i]); + } + } + memcpy(res, tmp, (uint32_t)32U * sizeof (uint8_t)); + } +} + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^32 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint32_t[8]. +*/ +uint32_t Hacl_Bignum256_32_lt_mask(uint32_t *a, uint32_t *b) +{ + uint32_t acc = (uint32_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(a[i], b[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(a[i], b[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + } + return acc; +} + +/* +Returns 2^32 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint32_t[8]. +*/ +uint32_t Hacl_Bignum256_32_eq_mask(uint32_t *a, uint32_t *b) +{ + uint32_t mask = (uint32_t)0xFFFFFFFFU; + uint32_t mask1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t uu____0 = FStar_UInt32_eq_mask(a[i], b[i]); + mask = uu____0 & mask; + } + } + mask1 = mask; + return mask1; +} + diff --git a/src/c89/Hacl_Bignum32.c b/src/c89/Hacl_Bignum32.c new file mode 100644 index 00000000..c44c561e --- /dev/null +++ b/src/c89/Hacl_Bignum32.c 
@@ -0,0 +1,1050 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Bignum32.h" + +#include "internal/Hacl_Bignum.h" + +/******************************************************************************* + +A verified bignum library. + +This is a 32-bit optimized version, where bignums are represented as an array +of `len` unsigned 32-bit integers, i.e. uint32_t[len]. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2 ^ (32 * len)` in `res`. + + This functions returns the carry. + + The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. 
uint32_t[len] +*/ +uint32_t Hacl_Bignum32_add(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res) +{ + return Hacl_Bignum_Addition_bn_add_eq_len_u32(len, a, b, res); +} + +/* +Write `a - b mod 2 ^ (32 * len)` in `res`. + + This functions returns the carry. + + The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len] +*/ +uint32_t Hacl_Bignum32_sub(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res) +{ + return Hacl_Bignum_Addition_bn_sub_eq_len_u32(len, a, b, res); +} + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum32_add_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res) +{ + Hacl_Bignum_bn_add_mod_n_u32(len, n, a, b, res); +} + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum32_sub_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res) +{ + Hacl_Bignum_bn_sub_mod_n_u32(len, n, a, b, res); +} + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. + The outparam res is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. +*/ +void Hacl_Bignum32_mul(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + { + uint32_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len, a, b, tmp, res); + } +} + +/* +Write `a * a` in `res`. + + The argument a is meant to be `len` limbs in size, i.e. 
uint32_t[len]. + The outparam res is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. +*/ +void Hacl_Bignum32_sqr(uint32_t len, uint32_t *a, uint32_t *res) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + { + uint32_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32(len, a, tmp, res); + } +} + +static inline void +bn_slow_precomp( + uint32_t len, + uint32_t *n, + uint32_t mu, + uint32_t *r2, + uint32_t *a, + uint32_t *res +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len); + { + uint32_t a_mod[len]; + memset(a_mod, 0U, len * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + { + uint32_t a1[len + len]; + memset(a1, 0U, (len + len) * sizeof (uint32_t)); + memcpy(a1, a, (len + len) * sizeof (uint32_t)); + { + uint32_t c00 = (uint32_t)0U; + uint32_t c0; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < len; i0++) + { + uint32_t qj = mu * a1[i0]; + uint32_t *res_j0 = a1 + i0; + uint32_t c = (uint32_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < len / (uint32_t)4U; i++) + { + uint32_t a_i = n[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j0 + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c, res_i0); + { + uint32_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, qj, c, res_i1); + { + uint32_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, qj, c, res_i2); + { + uint32_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = len / (uint32_t)4U * (uint32_t)4U; i < len; i++) + { + uint32_t a_i = n[i]; + uint32_t *res_i = res_j0 + i; + c = 
Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c, res_i); + } + } + { + uint32_t r = c; + uint32_t c1 = r; + uint32_t *resb = a1 + len + i0; + uint32_t res_j = a1[len + i0]; + c00 = Lib_IntTypes_Intrinsics_add_carry_u32(c00, c1, res_j, resb); + } + } + } + memcpy(a_mod, a1 + len, (len + len - len) * sizeof (uint32_t)); + c0 = c00; + KRML_CHECK_SIZE(sizeof (uint32_t), len); + { + uint32_t tmp0[len]; + memset(tmp0, 0U, len * sizeof (uint32_t)); + { + uint32_t c1 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(len, a_mod, n, tmp0); + uint32_t m = (uint32_t)0U - c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint32_t *os = a_mod; + uint32_t x = (m & tmp0[i]) | (~m & a_mod[i]); + os[i] = x; + } + } + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + { + uint32_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + { + uint32_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len, a_mod, r2, tmp, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, c, res); + } + } + } + } + } + } + } +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. + The argument n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + The function returns false if any of the following preconditions are violated, + true otherwise. 
+ • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum32_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len); + { + uint32_t one[len]; + memset(one, 0U, len * sizeof (uint32_t)); + { + uint32_t bit0; + uint32_t m0; + memset(one, 0U, len * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + bit0 = n[0U] & (uint32_t)1U; + m0 = (uint32_t)0U - bit0; + { + uint32_t acc = (uint32_t)0U; + uint32_t m1; + uint32_t is_valid_m; + uint32_t nBits; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + } + m1 = acc; + is_valid_m = m0 & m1; + nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32(len, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + KRML_CHECK_SIZE(sizeof (uint32_t), len); + { + uint32_t r2[len]; + memset(r2, 0U, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u32(len, nBits, n, r2); + { + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + bn_slow_precomp(len, n, mu, r2, a, res); + } + } + } + else + { + memset(res, 0U, len * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; + } + } + } +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. 
+ • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum32_mod_exp_vartime( + uint32_t len, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t is_valid_m = Hacl_Bignum_Exponentiation_bn_check_mod_exp_u32(len, n, a, bBits, b); + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32(len, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u32(len, nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, len * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum32_mod_exp_consttime( + uint32_t len, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t is_valid_m = Hacl_Bignum_Exponentiation_bn_check_mod_exp_u32(len, n, a, bBits, b); + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32(len, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_u32(len, nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, len * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + +/* +Write `a ^ (-1) mod n` in `res`. 
+ + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum32_mod_inv_prime_vartime(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len); + { + uint32_t one[len]; + memset(one, 0U, len * sizeof (uint32_t)); + { + uint32_t bit0; + uint32_t m00; + memset(one, 0U, len * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + bit0 = n[0U] & (uint32_t)1U; + m00 = (uint32_t)0U - bit0; + { + uint32_t acc0 = (uint32_t)0U; + uint32_t m10; + uint32_t m0; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + } + m10 = acc0; + m0 = m00 & m10; + KRML_CHECK_SIZE(sizeof (uint32_t), len); + { + uint32_t bn_zero[len]; + memset(bn_zero, 0U, len * sizeof (uint32_t)); + { + uint32_t mask = (uint32_t)0xFFFFFFFFU; + uint32_t mask1; + uint32_t res10; + uint32_t m1; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint32_t uu____0 = FStar_UInt32_eq_mask(a[i], bn_zero[i]); + mask = uu____0 & mask; + } + } + mask1 = mask; + res10 = mask1; + m1 = res10; + { + uint32_t acc = (uint32_t)0U; + uint32_t m2; + uint32_t is_valid_m; + uint32_t nBits; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); + acc = + (beq & acc) + | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + } + m2 = acc; + is_valid_m = (m0 & ~m1) & m2; + nBits = (uint32_t)32U * 
Hacl_Bignum_Lib_bn_get_top_index_u32(len, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + KRML_CHECK_SIZE(sizeof (uint32_t), len); + { + uint32_t n2[len]; + memset(n2, 0U, len * sizeof (uint32_t)); + { + uint32_t + c0 = + Lib_IntTypes_Intrinsics_sub_borrow_u32((uint32_t)0U, + n[0U], + (uint32_t)2U, + n2); + uint32_t c1; + if ((uint32_t)1U < len) + { + uint32_t rLen = len - (uint32_t)1U; + uint32_t *a1 = n + (uint32_t)1U; + uint32_t *res1 = n2 + (uint32_t)1U; + uint32_t c = c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint32_t t1 = a1[(uint32_t)4U * i]; + uint32_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i0); + { + uint32_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, (uint32_t)0U, res_i1); + { + uint32_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = + Lib_IntTypes_Intrinsics_sub_borrow_u32(c, + t11, + (uint32_t)0U, + res_i2); + { + uint32_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = + Lib_IntTypes_Intrinsics_sub_borrow_u32(c, + t12, + (uint32_t)0U, + res_i); + } + } + } + } + } + { + uint32_t i; + for (i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint32_t t1 = a1[i]; + uint32_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i); + } + } + { + uint32_t c10 = c; + c1 = c10; + } + } + else + { + c1 = c0; + } + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u32(len, + nBits, + n, + a, + (uint32_t)32U * len, + n2, + res); + } + } + } + else + { + memset(res, 0U, len * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; + } + } + } + } + } + } +} + + +/**********************************************/ +/* Arithmetic functions with precomputations. 
*/ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum32_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 +*Hacl_Bignum32_mont_ctx_init(uint32_t len, uint32_t *n) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len); + { + uint32_t *r2 = (uint32_t *)KRML_HOST_CALLOC(len, sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + { + uint32_t *n1 = (uint32_t *)KRML_HOST_CALLOC(len, sizeof (uint32_t)); + uint32_t *r21 = r2; + uint32_t *n11 = n1; + uint32_t nBits; + uint32_t mu; + memcpy(n11, n, len * sizeof (uint32_t)); + nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32(len, n); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u32(len, nBits, n, r21); + mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + { + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 res; + res.len = len; + res.n = n11; + res.mu = mu; + res.r2 = r21; + KRML_CHECK_SIZE(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32), (uint32_t)1U); + { + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 + *buf = + (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *)KRML_HOST_MALLOC(sizeof ( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 + )); + buf[0U] = res; + return buf; + } + } + } + } +} + +/* +Deallocate the memory previously allocated by Hacl_Bignum32_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. +*/ +void Hacl_Bignum32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + uint32_t *n = k1.n; + uint32_t *r2 = k1.r2; + KRML_HOST_FREE(n); + KRML_HOST_FREE(r2); + KRML_HOST_FREE(k); +} + +/* +Write `a mod n` in `res`. 
+ + The argument a is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. + The outparam res is meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. +*/ +void +Hacl_Bignum32_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k10 = *k; + uint32_t len1 = k10.len; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + bn_slow_precomp(len1, k1.n, k1.mu, k1.r2, a, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum32_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k10 = *k; + uint32_t len1 = k10.len; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u32(len1, + k1.n, + k1.mu, + k1.r2, + a, + bBits, + b, + res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. 
+ + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum32_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k10 = *k; + uint32_t len1 = k10.len; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u32(len1, + k1.n, + k1.mu, + k1.r2, + a, + bBits, + b, + res); +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum32_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k10 = *k; + uint32_t len1 = k10.len; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + KRML_CHECK_SIZE(sizeof (uint32_t), len1); + { + uint32_t n2[len1]; + memset(n2, 0U, len1 * sizeof (uint32_t)); + { + uint32_t + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32((uint32_t)0U, k1.n[0U], (uint32_t)2U, n2); + uint32_t c1; + if ((uint32_t)1U < len1) + { + uint32_t rLen = len1 - (uint32_t)1U; + uint32_t *a1 = k1.n + (uint32_t)1U; + uint32_t *res1 = n2 + (uint32_t)1U; + uint32_t c = c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint32_t t1 = a1[(uint32_t)4U * i]; + uint32_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i0); + { + uint32_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, (uint32_t)0U, res_i1); + { + uint32_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, (uint32_t)0U, res_i2); + { + uint32_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, (uint32_t)0U, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint32_t t1 = a1[i]; + uint32_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i); + } + } + { + uint32_t c10 = c; + c1 = c10; + } + } + else + { + c1 = c0; + } + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u32(len1, + k1.n, + k1.mu, + k1.r2, + a, + (uint32_t)32U * len1, + n2, + res); + } + } +} + + 
+/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to `len` bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum32_new_bn_from_bytes_be(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U <= (uint32_t)1073741823U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint32_t), (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U); + { + uint32_t + *res = + (uint32_t *)KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U, + sizeof (uint32_t)); + if (res == NULL) + { + return res; + } + { + uint32_t *res1 = res; + uint32_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + { + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < bnLen; i++) + { + uint32_t *os = res2; + uint32_t u = load32_be(tmp + (bnLen - i - (uint32_t)1U) * (uint32_t)4U); + uint32_t x = u; + os[i] = x; + } + } + return res2; + } + } + } +} + +/* +Load a little-endian bignum from memory. + + The argument b points to `len` bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. 
+*/ +uint32_t *Hacl_Bignum32_new_bn_from_bytes_le(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U <= (uint32_t)1073741823U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint32_t), (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U); + { + uint32_t + *res = + (uint32_t *)KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U, + sizeof (uint32_t)); + if (res == NULL) + { + return res; + } + { + uint32_t *res1 = res; + uint32_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + { + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp, b, len * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; i++) + { + uint32_t *os = res2; + uint8_t *bj = tmp + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r1 = u; + uint32_t x = r1; + os[i] = x; + } + } + return res2; + } + } + } +} + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a bignum of ⌈len / 4⌉ size. + The outparam res points to `len` bytes of valid memory. +*/ +void Hacl_Bignum32_bn_to_bytes_be(uint32_t len, uint32_t *b, uint8_t *res) +{ + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + { + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + { + uint32_t numb = (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < bnLen; i++) + { + store32_be(tmp + i * numb, b[bnLen - i - (uint32_t)1U]); + } + } + memcpy(res, tmp + tmpLen - len, len * sizeof (uint8_t)); + } + } +} + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a bignum of ⌈len / 4⌉ size. + The outparam res points to `len` bytes of valid memory. 
+*/ +void Hacl_Bignum32_bn_to_bytes_le(uint32_t len, uint32_t *b, uint8_t *res) +{ + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + { + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < bnLen; i++) + { + store32_le(tmp + i * (uint32_t)4U, b[i]); + } + } + memcpy(res, tmp, len * sizeof (uint8_t)); + } +} + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^32 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. +*/ +uint32_t Hacl_Bignum32_lt_mask(uint32_t len, uint32_t *a, uint32_t *b) +{ + uint32_t acc = (uint32_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(a[i], b[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(a[i], b[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + } + return acc; +} + +/* +Returns 2^32 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. +*/ +uint32_t Hacl_Bignum32_eq_mask(uint32_t len, uint32_t *a, uint32_t *b) +{ + uint32_t mask = (uint32_t)0xFFFFFFFFU; + uint32_t mask1; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint32_t uu____0 = FStar_UInt32_eq_mask(a[i], b[i]); + mask = uu____0 & mask; + } + } + mask1 = mask; + return mask1; +} + diff --git a/src/c89/Hacl_Bignum4096.c b/src/c89/Hacl_Bignum4096.c new file mode 100644 index 00000000..a07f2b1c --- /dev/null +++ b/src/c89/Hacl_Bignum4096.c 
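Review bot: `Hacl_Bignum32_bn_to_bytes_be` and `Hacl_Bignum32_bn_to_bytes_le` have no guard for `len == 0`, although the sibling loaders `Hacl_Bignum32_new_bn_from_bytes_be`/`_le` in the same hunk reject it: with `len == 0`, `bnLen = (len - 1U) / 4U + 1U` evaluates to 0x40000000 and `tmpLen = 4U * bnLen` wraps to 0, so `uint8_t tmp[tmpLen]` is a zero-length VLA while the loop that follows still runs `bnLen` iterations of `store32_be`/`store32_le` into it and reads `b` far out of bounds. Either add `if (len == (uint32_t)0U) { return; }` before the `bnLen` computation in both functions, or state `0 < len` as a caller precondition in their doc comments, which currently list only the sizes of `b` and `res`. Separately, `Hacl_Bignum32_mont_ctx_init` never checks the `KRML_HOST_CALLOC`/`KRML_HOST_MALLOC` results before `memcpy(n11, n, ...)` and `buf[0U] = res`, whereas the loaders check `res == NULL`; if the KRML host allocators can return NULL in this build, the partially built context should be released and NULL returned, and the doc comment should say the call can fail. The VLAs sized from the caller's `len` (`tmp[(uint32_t)4U * len]` in `Hacl_Bignum32_mul`, `a1[len + len]` in `bn_slow_precomp`) are protected only by `KRML_CHECK_SIZE`, which as far as this hunk shows guards the size arithmetic rather than stack depth, so the file header is the place to note that `len` must come from a trusted, bounded source. The loader comments also read `Load a bid-endian bignum from memory.` where `big-endian` is meant.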
@@ -0,0 +1,1904 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Bignum4096.h" + +#include "internal/Hacl_Bignum.h" + +/******************************************************************************* + +A verified 4096-bit bignum library. + +This is a 64-bit optimized version, where bignums are represented as an array +of sixty four unsigned 64-bit integers, i.e. uint64_t[64]. Furthermore, the +limbs are stored in little-endian format, i.e. the least significant limb is at +index 0. Each limb is stored in native format in memory. Example: + + uint64_t sixteen[64] = { 0x10 } + + (relying on the fact that when an initializer-list is provided, the remainder + of the object gets initialized as if it had static storage duration, i.e. with + zeroes) + +We strongly encourage users to go through the conversion functions, e.g. 
+bn_from_bytes_be, to i) not depend on internal representation choices and ii) +have the ability to switch easily to a 32-bit optimized version in the future. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2^4096` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 4096-bit bignums, i.e. uint64_t[64] +*/ +uint64_t Hacl_Bignum4096_add(uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t20, res_i0); + { + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t10, t21, res_i1); + { + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, t22, res_i2); + { + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t2, res_i); + } + } + return c; +} + +/* +Write `a - b mod 2^4096` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 4096-bit bignums, i.e. 
uint64_t[64] +*/ +uint64_t Hacl_Bignum4096_sub(uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); + { + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); + { + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); + { + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t2, res_i); + } + } + return c; +} + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • a < n + • b < n +*/ +void Hacl_Bignum4096_add_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c2 = (uint64_t)0U; + uint64_t c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, t1, t20, res_i0); + { + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, t10, t21, res_i1); + { + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, t11, t22, res_i2); + { + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, t1, t2, res_i); + } + } + c0 = c2; + { + uint64_t tmp[64U] = { 0U }; + uint64_t c3 = (uint64_t)0U; + uint64_t c1; + uint64_t c; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t t1 = res[(uint32_t)4U * i]; + uint64_t t20 = n[(uint32_t)4U * i]; + uint64_t *res_i0 = tmp + (uint32_t)4U * i; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c3, t1, t20, res_i0); + { + uint64_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c3, t10, t21, res_i1); + { + uint64_t t11 = 
res[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c3, t11, t22, res_i2); + { + uint64_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c3, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c3, t1, t2, res_i); + } + } + c1 = c3; + c = c0 - c1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t *os = res; + uint64_t x = (c & res[i]) | (~c & tmp[i]); + os[i] = x; + } + } + } +} + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • a < n + • b < n +*/ +void Hacl_Bignum4096_sub_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c2 = (uint64_t)0U; + uint64_t c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c2, t1, t20, res_i0); + { + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c2, t10, t21, res_i1); + { + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c2, t11, t22, res_i2); + { + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c2, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c2, t1, t2, res_i); + } + } + c0 = c2; + { + uint64_t tmp[64U] = { 0U }; + uint64_t c3 = (uint64_t)0U; + uint64_t c1; + uint64_t c; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t t1 = res[(uint32_t)4U * i]; + uint64_t t20 = n[(uint32_t)4U * i]; + uint64_t *res_i0 = tmp + (uint32_t)4U * i; + c3 = Lib_IntTypes_Intrinsics_add_carry_u64(c3, t1, t20, res_i0); + { + uint64_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c3 = Lib_IntTypes_Intrinsics_add_carry_u64(c3, t10, t21, res_i1); + { + uint64_t t11 = 
res[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c3 = Lib_IntTypes_Intrinsics_add_carry_u64(c3, t11, t22, res_i2); + { + uint64_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c3 = Lib_IntTypes_Intrinsics_add_carry_u64(c3, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c3 = Lib_IntTypes_Intrinsics_add_carry_u64(c3, t1, t2, res_i); + } + } + c1 = c3; + c = (uint64_t)0U - c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t *os = res; + uint64_t x = (c & tmp[i]) | (~c & res[i]); + os[i] = x; + } + } + } +} + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint64_t[64]. + The outparam res is meant to be a 8192-bit bignum, i.e. uint64_t[128]. +*/ +void Hacl_Bignum4096_mul(uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t tmp[256U] = { 0U }; + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64((uint32_t)64U, a, b, tmp, res); +} + +/* +Write `a * a` in `res`. + + The argument a is meant to be a 4096-bit bignum, i.e. uint64_t[64]. + The outparam res is meant to be a 8192-bit bignum, i.e. uint64_t[128]. 
+*/ +void Hacl_Bignum4096_sqr(uint64_t *a, uint64_t *res) +{ + uint64_t tmp[256U] = { 0U }; + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64((uint32_t)64U, a, tmp, res); +} + +static inline void precompr2(uint32_t nBits, uint64_t *n, uint64_t *res) +{ + uint32_t i0; + uint32_t j; + uint32_t i; + memset(res, 0U, (uint32_t)64U * sizeof (uint64_t)); + i0 = nBits / (uint32_t)64U; + j = nBits % (uint32_t)64U; + res[i0] = res[i0] | (uint64_t)1U << j; + for (i = (uint32_t)0U; i < (uint32_t)8192U - nBits; i++) + { + Hacl_Bignum4096_add_mod(n, res, res, res); + } +} + +static inline void reduction(uint64_t *n, uint64_t nInv, uint64_t *c, uint64_t *res) +{ + uint64_t c00 = (uint64_t)0U; + uint64_t c0; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)64U; i0++) + { + uint64_t qj = nInv * c[i0]; + uint64_t *res_j0 = c + i0; + uint64_t c1 = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t a_i = n[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i0); + { + uint64_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c1, res_i1); + { + uint64_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c1, res_i2); + { + uint64_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c1, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t a_i = n[i]; + uint64_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i); + } + } + { + uint64_t r = c1; + uint64_t c10 = r; + uint64_t *resb = c + (uint32_t)64U + i0; + uint64_t res_j = c[(uint32_t)64U + i0]; + c00 = 
Lib_IntTypes_Intrinsics_add_carry_u64(c00, c10, res_j, resb); + } + } + } + memcpy(res, c + (uint32_t)64U, (uint32_t)64U * sizeof (uint64_t)); + c0 = c00; + { + uint64_t tmp[64U] = { 0U }; + uint64_t c10 = (uint64_t)0U; + uint64_t c1; + uint64_t c2; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t t1 = res[(uint32_t)4U * i]; + uint64_t t20 = n[(uint32_t)4U * i]; + uint64_t *res_i0 = tmp + (uint32_t)4U * i; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c10, t1, t20, res_i0); + { + uint64_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c10, t10, t21, res_i1); + { + uint64_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c10, t11, t22, res_i2); + { + uint64_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c10, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c10, t1, t2, res_i); + } + } + c1 = c10; + c2 = c0 - c1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t *os = res; + uint64_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } + } + } +} + +static inline void areduction(uint64_t *n, uint64_t nInv, uint64_t *c, uint64_t *res) +{ + uint64_t c00 = (uint64_t)0U; + uint64_t c0; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)64U; i0++) + { + uint64_t qj = nInv * c[i0]; + uint64_t *res_j0 = c + i0; + uint64_t c1 = (uint64_t)0U; + { + uint32_t i; + 
for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t a_i = n[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i0); + { + uint64_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c1, res_i1); + { + uint64_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c1, res_i2); + { + uint64_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c1, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t a_i = n[i]; + uint64_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i); + } + } + { + uint64_t r = c1; + uint64_t c10 = r; + uint64_t *resb = c + (uint32_t)64U + i0; + uint64_t res_j = c[(uint32_t)64U + i0]; + c00 = Lib_IntTypes_Intrinsics_add_carry_u64(c00, c10, res_j, resb); + } + } + } + memcpy(res, c + (uint32_t)64U, (uint32_t)64U * sizeof (uint64_t)); + c0 = c00; + { + uint64_t tmp[64U] = { 0U }; + uint64_t c1 = Hacl_Bignum4096_sub(res, n, tmp); + uint64_t m = (uint64_t)0U - c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t *os = res; + uint64_t x = (m & tmp[i]) | (~m & res[i]); + os[i] = x; + } + } + } +} + +static inline void +amont_mul(uint64_t *n, uint64_t nInv_u64, uint64_t *aM, uint64_t *bM, uint64_t *resM) +{ + uint64_t c[128U] = { 0U }; + uint64_t tmp[256U] = { 0U }; + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64((uint32_t)64U, aM, bM, tmp, c); + areduction(n, nInv_u64, c, resM); +} + +static inline void amont_sqr(uint64_t *n, uint64_t nInv_u64, uint64_t *aM, uint64_t *resM) +{ + uint64_t c[128U] = { 0U }; + uint64_t tmp[256U] = { 0U }; + 
Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64((uint32_t)64U, aM, tmp, c); + areduction(n, nInv_u64, c, resM); +} + +static inline void +bn_slow_precomp(uint64_t *n, uint64_t mu, uint64_t *r2, uint64_t *a, uint64_t *res) +{ + uint64_t a_mod[64U] = { 0U }; + uint64_t a1[128U] = { 0U }; + memcpy(a1, a, (uint32_t)128U * sizeof (uint64_t)); + { + uint64_t c00 = (uint64_t)0U; + uint64_t c0; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)64U; i0++) + { + uint64_t qj = mu * a1[i0]; + uint64_t *res_j0 = a1 + i0; + uint64_t c = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t a_i = n[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j0 + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i0); + { + uint64_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c, res_i1); + { + uint64_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c, res_i2); + { + uint64_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t a_i = n[i]; + uint64_t *res_i = res_j0 + i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i); + } + } + { + uint64_t r = c; + uint64_t c1 = r; + uint64_t *resb = a1 + (uint32_t)64U + i0; + uint64_t res_j = a1[(uint32_t)64U + i0]; + c00 = Lib_IntTypes_Intrinsics_add_carry_u64(c00, c1, res_j, resb); + } + } + } + memcpy(a_mod, a1 + (uint32_t)64U, (uint32_t)64U * sizeof (uint64_t)); + c0 = c00; + { + uint64_t tmp[64U] = { 0U }; + uint64_t c1 = Hacl_Bignum4096_sub(a_mod, n, tmp); + uint64_t m = (uint64_t)0U - c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < 
(uint32_t)64U; i++) + { + uint64_t *os = a_mod; + uint64_t x = (m & tmp[i]) | (~m & a_mod[i]); + os[i] = x; + } + } + { + uint64_t c[128U] = { 0U }; + Hacl_Bignum4096_mul(a_mod, r2, c); + reduction(n, mu, c, res); + } + } + } +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 8192-bit bignum, i.e. uint64_t[128]. + The argument n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum4096_mod(uint64_t *n, uint64_t *a, uint64_t *res) +{ + uint64_t one[64U] = { 0U }; + uint64_t bit0; + uint64_t m0; + memset(one, 0U, (uint32_t)64U * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + bit0 = n[0U] & (uint64_t)1U; + m0 = (uint64_t)0U - bit0; + { + uint64_t acc = (uint64_t)0U; + uint64_t m1; + uint64_t is_valid_m; + uint32_t nBits; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + } + m1 = acc; + is_valid_m = m0 & m1; + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)64U, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + uint64_t r2[64U] = { 0U }; + precompr2(nBits, n, r2); + { + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + bn_slow_precomp(n, mu, r2, a, res); + } + } + else + { + memset(res, 0U, (uint32_t)64U * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; + } +} + +static uint64_t exp_check(uint64_t *n, uint64_t *a, uint32_t bBits, uint64_t *b) +{ + uint64_t one[64U] = { 0U }; + uint64_t bit0; + uint64_t m00; + memset(one, 0U, (uint32_t)64U * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + bit0 = n[0U] & (uint64_t)1U; + m00 = (uint64_t)0U - bit0; + { + uint64_t acc0 = 
(uint64_t)0U; + uint64_t m10; + uint64_t m0; + uint32_t bLen; + uint64_t m1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc0 = + (beq & acc0) + | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + } + m10 = acc0; + m0 = m00 & m10; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + if (bBits < (uint32_t)64U * bLen) + { + KRML_CHECK_SIZE(sizeof (uint64_t), bLen); + { + uint64_t b2[bLen]; + memset(b2, 0U, bLen * sizeof (uint64_t)); + { + uint32_t i0 = bBits / (uint32_t)64U; + uint32_t j = bBits % (uint32_t)64U; + b2[i0] = b2[i0] | (uint64_t)1U << j; + { + uint64_t acc = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < bLen; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(b[i], b2[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(b[i], b2[i]); + acc = + (beq & acc) + | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + } + { + uint64_t res = acc; + m1 = res; + } + } + } + } + } + else + { + m1 = (uint64_t)0xFFFFFFFFFFFFFFFFU; + } + { + uint64_t acc = (uint64_t)0U; + uint64_t m2; + uint64_t m; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); + acc = + (beq & acc) + | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + } + m2 = acc; + m = m1 & m2; + return m0 & m; + } + } +} + +static inline void +exp_vartime_precomp( + uint64_t *n, + uint64_t mu, + uint64_t *r2, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + if (bBits < (uint32_t)200U) + { + uint64_t aM[64U] = { 0U }; + uint64_t c[128U] = { 0U }; + Hacl_Bignum4096_mul(a, r2, c); + reduction(n, mu, c, aM); + { + uint64_t resM[64U] = { 0U }; + uint64_t 
tmp0[128U] = { 0U }; + memcpy(tmp0, r2, (uint32_t)64U * sizeof (uint64_t)); + reduction(n, mu, tmp0, resM); + { + uint32_t i; + for (i = (uint32_t)0U; i < bBits; i++) + { + uint32_t i1 = i / (uint32_t)64U; + uint32_t j = i % (uint32_t)64U; + uint64_t tmp = b[i1]; + uint64_t bit = tmp >> j & (uint64_t)1U; + if (!(bit == (uint64_t)0U)) + { + amont_mul(n, mu, resM, aM, resM); + } + amont_sqr(n, mu, aM, aM); + } + } + { + uint64_t tmp[128U] = { 0U }; + memcpy(tmp, resM, (uint32_t)64U * sizeof (uint64_t)); + reduction(n, mu, tmp, res); + return; + } + } + } + { + uint64_t aM[64U] = { 0U }; + uint64_t c[128U] = { 0U }; + Hacl_Bignum4096_mul(a, r2, c); + reduction(n, mu, c, aM); + { + uint64_t resM[64U] = { 0U }; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + { + uint64_t tmp[128U] = { 0U }; + memcpy(tmp, r2, (uint32_t)64U * sizeof (uint64_t)); + reduction(n, mu, tmp, resM); + { + uint64_t table[1024U] = { 0U }; + uint64_t *t1; + memcpy(table, resM, (uint32_t)64U * sizeof (uint64_t)); + t1 = table + (uint32_t)64U; + memcpy(t1, aM, (uint32_t)64U * sizeof (uint64_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)64U; + uint64_t *t2 = table + (i + (uint32_t)2U) * (uint32_t)64U; + amont_mul(n, mu, t11, aM, t2); + } + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)64U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)64U; + uint64_t p1 = b[i] >> j; + uint64_t ite; + if (i + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + { + uint64_t bits_c = ite & mask_l; + uint32_t bits_l32 = (uint32_t)bits_c; + uint64_t *a_bits_l = table + bits_l32 * (uint32_t)64U; + memcpy(resM, 
a_bits_l, (uint32_t)64U * sizeof (uint64_t)); + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < bBits / (uint32_t)4U; i++) + { + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + amont_sqr(n, mu, resM, resM); + } + } + { + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = b[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + { + uint64_t bits_l = ite & mask_l; + uint64_t a_bits_l[64U] = { 0U }; + uint32_t bits_l32 = (uint32_t)bits_l; + uint64_t *a_bits_l1 = table + bits_l32 * (uint32_t)64U; + memcpy(a_bits_l, a_bits_l1, (uint32_t)64U * sizeof (uint64_t)); + amont_mul(n, mu, resM, a_bits_l, resM); + } + } + } + } + { + uint64_t tmp0[128U] = { 0U }; + memcpy(tmp0, resM, (uint32_t)64U * sizeof (uint64_t)); + reduction(n, mu, tmp0, res); + } + } + } + } + } +} + +static inline void +exp_consttime_precomp( + uint64_t *n, + uint64_t mu, + uint64_t *r2, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + if (bBits < (uint32_t)200U) + { + uint64_t aM[64U] = { 0U }; + uint64_t c[128U] = { 0U }; + Hacl_Bignum4096_mul(a, r2, c); + reduction(n, mu, c, aM); + { + uint64_t resM[64U] = { 0U }; + uint64_t tmp0[128U] = { 0U }; + memcpy(tmp0, r2, (uint32_t)64U * sizeof (uint64_t)); + reduction(n, mu, tmp0, resM); + { + uint64_t sw = (uint64_t)0U; + uint64_t sw0; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < bBits; i0++) + { + uint32_t i1 = (bBits - i0 - (uint32_t)1U) / (uint32_t)64U; + uint32_t j = (bBits - i0 - (uint32_t)1U) % (uint32_t)64U; + uint64_t tmp = b[i1]; + uint64_t bit = tmp >> j & (uint64_t)1U; + uint64_t sw1 = bit ^ sw; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + 
uint64_t dummy = ((uint64_t)0U - sw1) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + } + amont_mul(n, mu, aM, resM, aM); + amont_sqr(n, mu, resM, resM); + sw = bit; + } + } + sw0 = sw; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t dummy = ((uint64_t)0U - sw0) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + } + { + uint64_t tmp[128U] = { 0U }; + memcpy(tmp, resM, (uint32_t)64U * sizeof (uint64_t)); + reduction(n, mu, tmp, res); + return; + } + } + } + } + { + uint64_t aM[64U] = { 0U }; + uint64_t c0[128U] = { 0U }; + Hacl_Bignum4096_mul(a, r2, c0); + reduction(n, mu, c0, aM); + { + uint64_t resM[64U] = { 0U }; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + { + uint64_t tmp[128U] = { 0U }; + memcpy(tmp, r2, (uint32_t)64U * sizeof (uint64_t)); + reduction(n, mu, tmp, resM); + { + uint64_t table[1024U] = { 0U }; + uint64_t *t1; + memcpy(table, resM, (uint32_t)64U * sizeof (uint64_t)); + t1 = table + (uint32_t)64U; + memcpy(t1, aM, (uint32_t)64U * sizeof (uint64_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)64U; + uint64_t *t2 = table + (i + (uint32_t)2U) * (uint32_t)64U; + amont_mul(n, mu, t11, aM, t2); + } + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i0 = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)64U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)64U; + uint64_t p1 = b[i0] >> j; + uint64_t ite; + if (i0 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i0 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + { + uint64_t bits_c = ite & mask_l; + memcpy(resM, table, (uint32_t)64U * sizeof (uint64_t)); + { + uint32_t i1; + for (i1 = (uint32_t)0U; i1 < 
(uint32_t)15U; i1++) + { + uint64_t c = FStar_UInt64_eq_mask(bits_c, (uint64_t)(i1 + (uint32_t)1U)); + uint64_t *res_j = table + (i1 + (uint32_t)1U) * (uint32_t)64U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t *os = resM; + uint64_t x = (c & res_j[i]) | (~c & resM[i]); + os[i] = x; + } + } + } + } + } + } + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < bBits / (uint32_t)4U; i0++) + { + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + amont_sqr(n, mu, resM, resM); + } + } + { + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i0 - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk - (uint32_t)4U * i0 - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = b[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + { + uint64_t bits_l = ite & mask_l; + uint64_t a_bits_l[64U] = { 0U }; + memcpy(a_bits_l, table, (uint32_t)64U * sizeof (uint64_t)); + { + uint32_t i2; + for (i2 = (uint32_t)0U; i2 < (uint32_t)15U; i2++) + { + uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i2 + (uint32_t)1U)); + uint64_t *res_j = table + (i2 + (uint32_t)1U) * (uint32_t)64U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t *os = a_bits_l; + uint64_t x = (c & res_j[i]) | (~c & a_bits_l[i]); + os[i] = x; + } + } + } + } + amont_mul(n, mu, resM, a_bits_l, resM); + } + } + } + } + { + uint64_t tmp0[128U] = { 0U }; + memcpy(tmp0, resM, (uint32_t)64U * sizeof (uint64_t)); + reduction(n, mu, tmp0, res); + } + } + } + } + } +} + +static inline void +exp_vartime( + uint32_t nBits, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t r2[64U] = { 0U }; + uint64_t mu; + precompr2(nBits, n, r2); + mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + exp_vartime_precomp(n, mu, 
r2, a, bBits, b, res); +} + +static inline void +exp_consttime( + uint32_t nBits, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t r2[64U] = { 0U }; + uint64_t mu; + precompr2(nBits, n, r2); + mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + exp_consttime_precomp(n, mu, r2, a, bBits, b, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum4096_mod_exp_vartime( + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t is_valid_m = exp_check(n, a, bBits, b); + uint32_t + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)64U, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + exp_vartime(nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, (uint32_t)64U * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. 
if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum4096_mod_exp_consttime( + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t is_valid_m = exp_check(n, a, bBits, b); + uint32_t + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)64U, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + exp_consttime(nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, (uint32_t)64U * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, true otherwise. 
+ • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum4096_mod_inv_prime_vartime(uint64_t *n, uint64_t *a, uint64_t *res) +{ + uint64_t one[64U] = { 0U }; + uint64_t bit0; + uint64_t m00; + memset(one, 0U, (uint32_t)64U * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + bit0 = n[0U] & (uint64_t)1U; + m00 = (uint64_t)0U - bit0; + { + uint64_t acc0 = (uint64_t)0U; + uint64_t m10; + uint64_t m0; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc0 = + (beq & acc0) + | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + } + m10 = acc0; + m0 = m00 & m10; + { + uint64_t bn_zero[64U] = { 0U }; + uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; + uint64_t mask1; + uint64_t res10; + uint64_t m1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t uu____0 = FStar_UInt64_eq_mask(a[i], bn_zero[i]); + mask = uu____0 & mask; + } + } + mask1 = mask; + res10 = mask1; + m1 = res10; + { + uint64_t acc = (uint64_t)0U; + uint64_t m2; + uint64_t is_valid_m; + uint32_t nBits; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); + acc = + (beq & acc) + | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + } + m2 = acc; + is_valid_m = (m0 & ~m1) & m2; + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)64U, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + uint64_t n2[64U] = { 0U }; + uint64_t + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, n[0U], (uint64_t)2U, n2); + uint64_t c1; + if ((uint32_t)1U < (uint32_t)64U) + { + uint32_t rLen = (uint32_t)63U; + uint64_t *a1 = n + (uint32_t)1U; + uint64_t *res1 = n2 + (uint32_t)1U; + uint64_t c = c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < rLen 
/ (uint32_t)4U; i++) + { + uint64_t t1 = a1[(uint32_t)4U * i]; + uint64_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i0); + { + uint64_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, (uint64_t)0U, res_i1); + { + uint64_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, (uint64_t)0U, res_i2); + { + uint64_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, (uint64_t)0U, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint64_t t1 = a1[i]; + uint64_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i); + } + } + { + uint64_t c10 = c; + c1 = c10; + } + } + else + { + c1 = c0; + } + exp_vartime(nBits, n, a, (uint32_t)4096U, n2, res); + } + else + { + memset(res, 0U, (uint32_t)64U * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; + } + } + } +} + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be a 4096-bit bignum, i.e. uint64_t[64]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum4096_mont_ctx_free on the return value + to avoid memory leaks. 
+*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_Bignum4096_mont_ctx_init(uint64_t *n) +{ + uint64_t *r2 = (uint64_t *)KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint64_t)); + uint64_t *n1 = (uint64_t *)KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint64_t)); + uint64_t *r21 = r2; + uint64_t *n11 = n1; + uint32_t nBits; + uint64_t mu; + memcpy(n11, n, (uint32_t)64U * sizeof (uint64_t)); + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)64U, n); + precompr2(nBits, n, r21); + mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + { + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 res; + res.len = (uint32_t)64U; + res.n = n11; + res.mu = mu; + res.r2 = r21; + KRML_CHECK_SIZE(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64), (uint32_t)1U); + { + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 + *buf = + (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *)KRML_HOST_MALLOC(sizeof ( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 + )); + buf[0U] = res; + return buf; + } + } +} + +/* +Deallocate the memory previously allocated by Hacl_Bignum4096_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. +*/ +void Hacl_Bignum4096_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + uint64_t *n = k1.n; + uint64_t *r2 = k1.r2; + KRML_HOST_FREE(n); + KRML_HOST_FREE(r2); + KRML_HOST_FREE(k); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 8192-bit bignum, i.e. uint64_t[128]. + The outparam res is meant to be a 4096-bit bignum, i.e. uint64_t[64]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. +*/ +void +Hacl_Bignum4096_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + bn_slow_precomp(k1.n, k1.mu, k1.r2, a, res); +} + +/* +Write `a ^ b mod n` in `res`. 
+ + The arguments a and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum4096_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum4096_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + exp_consttime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum4096_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + uint64_t n2[64U] = { 0U }; + uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, k1.n[0U], (uint64_t)2U, n2); + uint64_t c1; + if ((uint32_t)1U < (uint32_t)64U) + { + uint32_t rLen = (uint32_t)63U; + uint64_t *a1 = k1.n + (uint32_t)1U; + uint64_t *res1 = n2 + (uint32_t)1U; + uint64_t c = c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint64_t t1 = a1[(uint32_t)4U * i]; + uint64_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i0); + { + uint64_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, (uint64_t)0U, res_i1); + { + uint64_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, (uint64_t)0U, res_i2); + { + uint64_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, 
(uint64_t)0U, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint64_t t1 = a1[i]; + uint64_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i); + } + } + { + uint64_t c10 = c; + c1 = c10; + } + } + else + { + c1 = c0; + } + exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, (uint32_t)4096U, n2, res); +} + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint64_t *Hacl_Bignum4096_new_bn_from_bytes_be(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U <= (uint32_t)536870911U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint64_t), (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U); + { + uint64_t + *res = + (uint64_t *)KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U, + sizeof (uint64_t)); + if (res == NULL) + { + return res; + } + { + uint64_t *res1 = res; + uint64_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + { + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < bnLen; i++) + { + uint64_t *os = res2; + uint64_t u = load64_be(tmp + (bnLen - i - (uint32_t)1U) * (uint32_t)8U); + uint64_t x = u; + os[i] = x; + } + } + return res2; + } + } + } +} + +/* +Load a little-endian bignum from memory. 
+ + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint64_t *Hacl_Bignum4096_new_bn_from_bytes_le(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U <= (uint32_t)536870911U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint64_t), (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U); + { + uint64_t + *res = + (uint64_t *)KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U, + sizeof (uint64_t)); + if (res == NULL) + { + return res; + } + { + uint64_t *res1 = res; + uint64_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + { + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp, b, len * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; i++) + { + uint64_t *os = res2; + uint8_t *bj = tmp + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r1 = u; + uint64_t x = r1; + os[i] = x; + } + } + return res2; + } + } + } +} + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a 4096-bit bignum. + The outparam res points to 512 bytes of valid memory. 
+*/ +void Hacl_Bignum4096_bn_to_bytes_be(uint64_t *b, uint8_t *res) +{ + uint32_t bnLen = ((uint32_t)512U - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + { + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + { + uint32_t numb = (uint32_t)8U; + { + uint32_t i; + for (i = (uint32_t)0U; i < bnLen; i++) + { + store64_be(tmp + i * numb, b[bnLen - i - (uint32_t)1U]); + } + } + memcpy(res, tmp + tmpLen - (uint32_t)512U, (uint32_t)512U * sizeof (uint8_t)); + } + } +} + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a 4096-bit bignum. + The outparam res points to 512 bytes of valid memory. +*/ +void Hacl_Bignum4096_bn_to_bytes_le(uint64_t *b, uint8_t *res) +{ + uint32_t bnLen = ((uint32_t)512U - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + { + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < bnLen; i++) + { + store64_le(tmp + i * (uint32_t)8U, b[i]); + } + } + memcpy(res, tmp, (uint32_t)512U * sizeof (uint8_t)); + } +} + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^64 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint64_t[64]. +*/ +uint64_t Hacl_Bignum4096_lt_mask(uint64_t *a, uint64_t *b) +{ + uint64_t acc = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(a[i], b[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(a[i], b[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + } + return acc; +} + +/* +Returns 2^64 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint64_t[64]. 
+*/ +uint64_t Hacl_Bignum4096_eq_mask(uint64_t *a, uint64_t *b) +{ + uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; + uint64_t mask1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t uu____0 = FStar_UInt64_eq_mask(a[i], b[i]); + mask = uu____0 & mask; + } + } + mask1 = mask; + return mask1; +} + diff --git a/src/c89/Hacl_Bignum4096_32.c b/src/c89/Hacl_Bignum4096_32.c new file mode 100644 index 00000000..58699a8b --- /dev/null +++ b/src/c89/Hacl_Bignum4096_32.c 
@@ -0,0 +1,1892 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Bignum4096_32.h" + +#include "internal/Hacl_Bignum.h" + +/******************************************************************************* + +A verified 4096-bit bignum library. + +This is a 32-bit optimized version, where bignums are represented as an array +of 128 unsigned 32-bit integers, i.e. uint32_t[128]. Furthermore, the +limbs are stored in little-endian format, i.e. the least significant limb is at +index 0. Each limb is stored in native format in memory. Example: + + uint32_t sixteen[128] = { 0x10 } + + (relying on the fact that when an initializer-list is provided, the remainder + of the object gets initialized as if it had static storage duration, i.e. with + zeroes) + +We strongly encourage users to go through the conversion functions, e.g. 
+bn_from_bytes_be, to i) not depend on internal representation choices and ii) +have the ability to switch easily to a 64-bit optimized version in the future. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2^4096` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 4096-bit bignums, i.e. uint32_t[128] +*/ +uint32_t Hacl_Bignum4096_32_add(uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c = (uint32_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t20, res_i0); + { + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t10, t21, res_i1); + { + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t11, t22, res_i2); + { + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t2, res_i); + } + } + return c; +} + +/* +Write `a - b mod 2^4096` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 4096-bit bignums, i.e. 
uint32_t[128] +*/ +uint32_t Hacl_Bignum4096_32_sub(uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c = (uint32_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t20, res_i0); + { + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, t21, res_i1); + { + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, t22, res_i2); + { + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t2, res_i); + } + } + return c; +} + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • a < n + • b < n +*/ +void Hacl_Bignum4096_32_add_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c2 = (uint32_t)0U; + uint32_t c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c2 = Lib_IntTypes_Intrinsics_add_carry_u32(c2, t1, t20, res_i0); + { + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c2 = Lib_IntTypes_Intrinsics_add_carry_u32(c2, t10, t21, res_i1); + { + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c2 = Lib_IntTypes_Intrinsics_add_carry_u32(c2, t11, t22, res_i2); + { + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c2 = Lib_IntTypes_Intrinsics_add_carry_u32(c2, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c2 = Lib_IntTypes_Intrinsics_add_carry_u32(c2, t1, t2, res_i); + } + } + c0 = c2; + { + uint32_t tmp[128U] = { 0U }; + uint32_t c3 = (uint32_t)0U; + uint32_t c1; + uint32_t c; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t t1 = res[(uint32_t)4U * i]; + uint32_t t20 = n[(uint32_t)4U * i]; + uint32_t *res_i0 = tmp + (uint32_t)4U * i; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c3, t1, t20, res_i0); + { + uint32_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c3, t10, t21, res_i1); + { + uint32_t t11 = 
res[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c3, t11, t22, res_i2); + { + uint32_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c3, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t t1 = res[i]; + uint32_t t2 = n[i]; + uint32_t *res_i = tmp + i; + c3 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c3, t1, t2, res_i); + } + } + c1 = c3; + c = c0 - c1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t *os = res; + uint32_t x = (c & res[i]) | (~c & tmp[i]); + os[i] = x; + } + } + } +} + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • a < n + • b < n +*/ +void Hacl_Bignum4096_32_sub_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c2 = (uint32_t)0U; + uint32_t c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c2, t1, t20, res_i0); + { + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c2, t10, t21, res_i1); + { + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c2, t11, t22, res_i2); + { + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c2, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c2 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c2, t1, t2, res_i); + } + } + c0 = c2; + { + uint32_t tmp[128U] = { 0U }; + uint32_t c3 = (uint32_t)0U; + uint32_t c1; + uint32_t c; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t t1 = res[(uint32_t)4U * i]; + uint32_t t20 = n[(uint32_t)4U * i]; + uint32_t *res_i0 = tmp + (uint32_t)4U * i; + c3 = Lib_IntTypes_Intrinsics_add_carry_u32(c3, t1, t20, res_i0); + { + uint32_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c3 = Lib_IntTypes_Intrinsics_add_carry_u32(c3, t10, t21, res_i1); + { + uint32_t t11 = 
res[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c3 = Lib_IntTypes_Intrinsics_add_carry_u32(c3, t11, t22, res_i2); + { + uint32_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c3 = Lib_IntTypes_Intrinsics_add_carry_u32(c3, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t t1 = res[i]; + uint32_t t2 = n[i]; + uint32_t *res_i = tmp + i; + c3 = Lib_IntTypes_Intrinsics_add_carry_u32(c3, t1, t2, res_i); + } + } + c1 = c3; + c = (uint32_t)0U - c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t *os = res; + uint32_t x = (c & tmp[i]) | (~c & res[i]); + os[i] = x; + } + } + } +} + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint32_t[128]. + The outparam res is meant to be a 8192-bit bignum, i.e. uint32_t[256]. +*/ +void Hacl_Bignum4096_32_mul(uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t tmp[512U] = { 0U }; + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32((uint32_t)128U, a, b, tmp, res); +} + +/* +Write `a * a` in `res`. + + The argument a is meant to be a 4096-bit bignum, i.e. uint32_t[128]. + The outparam res is meant to be a 8192-bit bignum, i.e. uint32_t[256]. 
+*/ +void Hacl_Bignum4096_32_sqr(uint32_t *a, uint32_t *res) +{ + uint32_t tmp[512U] = { 0U }; + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32((uint32_t)128U, a, tmp, res); +} + +static inline void precompr2(uint32_t nBits, uint32_t *n, uint32_t *res) +{ + uint32_t i0; + uint32_t j; + uint32_t i; + memset(res, 0U, (uint32_t)128U * sizeof (uint32_t)); + i0 = nBits / (uint32_t)32U; + j = nBits % (uint32_t)32U; + res[i0] = res[i0] | (uint32_t)1U << j; + for (i = (uint32_t)0U; i < (uint32_t)8192U - nBits; i++) + { + Hacl_Bignum4096_32_add_mod(n, res, res, res); + } +} + +static inline void reduction(uint32_t *n, uint32_t nInv, uint32_t *c, uint32_t *res) +{ + uint32_t c00 = (uint32_t)0U; + uint32_t c0; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)128U; i0++) + { + uint32_t qj = nInv * c[i0]; + uint32_t *res_j0 = c + i0; + uint32_t c1 = (uint32_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t a_i = n[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i0); + { + uint32_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, qj, c1, res_i1); + { + uint32_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, qj, c1, res_i2); + { + uint32_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c1, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t a_i = n[i]; + uint32_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i); + } + } + { + uint32_t r = c1; + uint32_t c10 = r; + uint32_t *resb = c + (uint32_t)128U + i0; + uint32_t res_j = c[(uint32_t)128U + i0]; 
+ c00 = Lib_IntTypes_Intrinsics_add_carry_u32(c00, c10, res_j, resb); + } + } + } + memcpy(res, c + (uint32_t)128U, (uint32_t)128U * sizeof (uint32_t)); + c0 = c00; + { + uint32_t tmp[128U] = { 0U }; + uint32_t c10 = (uint32_t)0U; + uint32_t c1; + uint32_t c2; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t t1 = res[(uint32_t)4U * i]; + uint32_t t20 = n[(uint32_t)4U * i]; + uint32_t *res_i0 = tmp + (uint32_t)4U * i; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c10, t1, t20, res_i0); + { + uint32_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c10, t10, t21, res_i1); + { + uint32_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c10, t11, t22, res_i2); + { + uint32_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c10, t12, t2, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t t1 = res[i]; + uint32_t t2 = n[i]; + uint32_t *res_i = tmp + i; + c10 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c10, t1, t2, res_i); + } + } + c1 = c10; + c2 = c0 - c1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t *os = res; + uint32_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } + } + } +} + +static inline void areduction(uint32_t *n, uint32_t nInv, uint32_t *c, uint32_t *res) +{ + uint32_t c00 = (uint32_t)0U; + uint32_t c0; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)128U; i0++) + { + uint32_t qj = nInv * c[i0]; + uint32_t *res_j0 = c + i0; + uint32_t c1 = (uint32_t)0U; + { + 
uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t a_i = n[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i0); + { + uint32_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, qj, c1, res_i1); + { + uint32_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, qj, c1, res_i2); + { + uint32_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c1, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t a_i = n[i]; + uint32_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i); + } + } + { + uint32_t r = c1; + uint32_t c10 = r; + uint32_t *resb = c + (uint32_t)128U + i0; + uint32_t res_j = c[(uint32_t)128U + i0]; + c00 = Lib_IntTypes_Intrinsics_add_carry_u32(c00, c10, res_j, resb); + } + } + } + memcpy(res, c + (uint32_t)128U, (uint32_t)128U * sizeof (uint32_t)); + c0 = c00; + { + uint32_t tmp[128U] = { 0U }; + uint32_t c1 = Hacl_Bignum4096_32_sub(res, n, tmp); + uint32_t m = (uint32_t)0U - c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t *os = res; + uint32_t x = (m & tmp[i]) | (~m & res[i]); + os[i] = x; + } + } + } +} + +static inline void +amont_mul(uint32_t *n, uint32_t nInv_u64, uint32_t *aM, uint32_t *bM, uint32_t *resM) +{ + uint32_t c[256U] = { 0U }; + uint32_t tmp[512U] = { 0U }; + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32((uint32_t)128U, aM, bM, tmp, c); + areduction(n, nInv_u64, c, resM); +} + +static inline void amont_sqr(uint32_t *n, uint32_t nInv_u64, uint32_t *aM, uint32_t *resM) +{ + uint32_t c[256U] = { 0U }; + 
uint32_t tmp[512U] = { 0U }; + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32((uint32_t)128U, aM, tmp, c); + areduction(n, nInv_u64, c, resM); +} + +static inline void +bn_slow_precomp(uint32_t *n, uint32_t mu, uint32_t *r2, uint32_t *a, uint32_t *res) +{ + uint32_t a_mod[128U] = { 0U }; + uint32_t a1[256U] = { 0U }; + memcpy(a1, a, (uint32_t)256U * sizeof (uint32_t)); + { + uint32_t c00 = (uint32_t)0U; + uint32_t c0; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)128U; i0++) + { + uint32_t qj = mu * a1[i0]; + uint32_t *res_j0 = a1 + i0; + uint32_t c = (uint32_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t a_i = n[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j0 + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c, res_i0); + { + uint32_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, qj, c, res_i1); + { + uint32_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, qj, c, res_i2); + { + uint32_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t a_i = n[i]; + uint32_t *res_i = res_j0 + i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c, res_i); + } + } + { + uint32_t r = c; + uint32_t c1 = r; + uint32_t *resb = a1 + (uint32_t)128U + i0; + uint32_t res_j = a1[(uint32_t)128U + i0]; + c00 = Lib_IntTypes_Intrinsics_add_carry_u32(c00, c1, res_j, resb); + } + } + } + memcpy(a_mod, a1 + (uint32_t)128U, (uint32_t)128U * sizeof (uint32_t)); + c0 = c00; + { + uint32_t tmp[128U] = { 0U }; + uint32_t c1 = Hacl_Bignum4096_32_sub(a_mod, n, tmp); + uint32_t m = (uint32_t)0U - c0; + { + 
uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t *os = a_mod; + uint32_t x = (m & tmp[i]) | (~m & a_mod[i]); + os[i] = x; + } + } + { + uint32_t c[256U] = { 0U }; + Hacl_Bignum4096_32_mul(a_mod, r2, c); + reduction(n, mu, c, res); + } + } + } +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 8192-bit bignum, i.e. uint32_t[256]. + The argument n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum4096_32_mod(uint32_t *n, uint32_t *a, uint32_t *res) +{ + uint32_t one[128U] = { 0U }; + uint32_t bit0; + uint32_t m0; + memset(one, 0U, (uint32_t)128U * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + bit0 = n[0U] & (uint32_t)1U; + m0 = (uint32_t)0U - bit0; + { + uint32_t acc = (uint32_t)0U; + uint32_t m1; + uint32_t is_valid_m; + uint32_t nBits; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + } + m1 = acc; + is_valid_m = m0 & m1; + nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)128U, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + uint32_t r2[128U] = { 0U }; + precompr2(nBits, n, r2); + { + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + bn_slow_precomp(n, mu, r2, a, res); + } + } + else + { + memset(res, 0U, (uint32_t)128U * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; + } +} + +static uint32_t exp_check(uint32_t *n, uint32_t *a, uint32_t bBits, uint32_t *b) +{ + uint32_t one[128U] = { 0U }; + uint32_t bit0; + uint32_t m00; + memset(one, 0U, (uint32_t)128U * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + bit0 = n[0U] & (uint32_t)1U; + m00 = (uint32_t)0U - bit0; + { + 
uint32_t acc0 = (uint32_t)0U; + uint32_t m10; + uint32_t m0; + uint32_t bLen; + uint32_t m1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + } + m10 = acc0; + m0 = m00 & m10; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + if (bBits < (uint32_t)32U * bLen) + { + KRML_CHECK_SIZE(sizeof (uint32_t), bLen); + { + uint32_t b2[bLen]; + memset(b2, 0U, bLen * sizeof (uint32_t)); + { + uint32_t i0 = bBits / (uint32_t)32U; + uint32_t j = bBits % (uint32_t)32U; + b2[i0] = b2[i0] | (uint32_t)1U << j; + { + uint32_t acc = (uint32_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < bLen; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(b[i], b2[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(b[i], b2[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + } + { + uint32_t res = acc; + m1 = res; + } + } + } + } + } + else + { + m1 = (uint32_t)0xFFFFFFFFU; + } + { + uint32_t acc = (uint32_t)0U; + uint32_t m2; + uint32_t m; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + } + m2 = acc; + m = m1 & m2; + return m0 & m; + } + } +} + +static inline void +exp_vartime_precomp( + uint32_t *n, + uint32_t mu, + uint32_t *r2, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + if (bBits < (uint32_t)200U) + { + uint32_t aM[128U] = { 0U }; + uint32_t c[256U] = { 0U }; + Hacl_Bignum4096_32_mul(a, r2, c); + reduction(n, mu, c, aM); + { + uint32_t resM[128U] = { 0U }; + uint32_t tmp0[256U] = { 0U }; + 
memcpy(tmp0, r2, (uint32_t)128U * sizeof (uint32_t)); + reduction(n, mu, tmp0, resM); + { + uint32_t i; + for (i = (uint32_t)0U; i < bBits; i++) + { + uint32_t i1 = i / (uint32_t)32U; + uint32_t j = i % (uint32_t)32U; + uint32_t tmp = b[i1]; + uint32_t bit = tmp >> j & (uint32_t)1U; + if (!(bit == (uint32_t)0U)) + { + amont_mul(n, mu, resM, aM, resM); + } + amont_sqr(n, mu, aM, aM); + } + } + { + uint32_t tmp[256U] = { 0U }; + memcpy(tmp, resM, (uint32_t)128U * sizeof (uint32_t)); + reduction(n, mu, tmp, res); + return; + } + } + } + { + uint32_t aM[128U] = { 0U }; + uint32_t c[256U] = { 0U }; + Hacl_Bignum4096_32_mul(a, r2, c); + reduction(n, mu, c, aM); + { + uint32_t resM[128U] = { 0U }; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + { + uint32_t tmp[256U] = { 0U }; + memcpy(tmp, r2, (uint32_t)128U * sizeof (uint32_t)); + reduction(n, mu, tmp, resM); + { + uint32_t table[2048U] = { 0U }; + uint32_t *t1; + memcpy(table, resM, (uint32_t)128U * sizeof (uint32_t)); + t1 = table + (uint32_t)128U; + memcpy(t1, aM, (uint32_t)128U * sizeof (uint32_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint32_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)128U; + uint32_t *t2 = table + (i + (uint32_t)2U) * (uint32_t)128U; + amont_mul(n, mu, t11, aM, t2); + } + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)32U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)32U; + uint32_t p1 = b[i] >> j; + uint32_t ite; + if (i + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + { + uint32_t bits_c = ite & mask_l; + uint32_t bits_l32 = bits_c; + uint32_t *a_bits_l = table + bits_l32 * (uint32_t)128U; + memcpy(resM, a_bits_l, (uint32_t)128U * 
sizeof (uint32_t)); + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < bBits / (uint32_t)4U; i++) + { + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + amont_sqr(n, mu, resM, resM); + } + } + { + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)32U; + uint32_t j = (bk - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)32U; + uint32_t p1 = b[i1] >> j; + uint32_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + { + uint32_t bits_l = ite & mask_l; + uint32_t a_bits_l[128U] = { 0U }; + uint32_t bits_l32 = bits_l; + uint32_t *a_bits_l1 = table + bits_l32 * (uint32_t)128U; + memcpy(a_bits_l, a_bits_l1, (uint32_t)128U * sizeof (uint32_t)); + amont_mul(n, mu, resM, a_bits_l, resM); + } + } + } + } + { + uint32_t tmp0[256U] = { 0U }; + memcpy(tmp0, resM, (uint32_t)128U * sizeof (uint32_t)); + reduction(n, mu, tmp0, res); + } + } + } + } + } +} + +static inline void +exp_consttime_precomp( + uint32_t *n, + uint32_t mu, + uint32_t *r2, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + if (bBits < (uint32_t)200U) + { + uint32_t aM[128U] = { 0U }; + uint32_t c[256U] = { 0U }; + Hacl_Bignum4096_32_mul(a, r2, c); + reduction(n, mu, c, aM); + { + uint32_t resM[128U] = { 0U }; + uint32_t tmp0[256U] = { 0U }; + memcpy(tmp0, r2, (uint32_t)128U * sizeof (uint32_t)); + reduction(n, mu, tmp0, resM); + { + uint32_t sw = (uint32_t)0U; + uint32_t sw0; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < bBits; i0++) + { + uint32_t i1 = (bBits - i0 - (uint32_t)1U) / (uint32_t)32U; + uint32_t j = (bBits - i0 - (uint32_t)1U) % (uint32_t)32U; + uint32_t tmp = b[i1]; + uint32_t bit = tmp >> j & (uint32_t)1U; + uint32_t sw1 = bit ^ sw; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t dummy = ((uint32_t)0U - 
sw1) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + } + amont_mul(n, mu, aM, resM, aM); + amont_sqr(n, mu, resM, resM); + sw = bit; + } + } + sw0 = sw; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t dummy = ((uint32_t)0U - sw0) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + } + { + uint32_t tmp[256U] = { 0U }; + memcpy(tmp, resM, (uint32_t)128U * sizeof (uint32_t)); + reduction(n, mu, tmp, res); + return; + } + } + } + } + { + uint32_t aM[128U] = { 0U }; + uint32_t c0[256U] = { 0U }; + Hacl_Bignum4096_32_mul(a, r2, c0); + reduction(n, mu, c0, aM); + { + uint32_t resM[128U] = { 0U }; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + { + uint32_t tmp[256U] = { 0U }; + memcpy(tmp, r2, (uint32_t)128U * sizeof (uint32_t)); + reduction(n, mu, tmp, resM); + { + uint32_t table[2048U] = { 0U }; + uint32_t *t1; + memcpy(table, resM, (uint32_t)128U * sizeof (uint32_t)); + t1 = table + (uint32_t)128U; + memcpy(t1, aM, (uint32_t)128U * sizeof (uint32_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint32_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)128U; + uint32_t *t2 = table + (i + (uint32_t)2U) * (uint32_t)128U; + amont_mul(n, mu, t11, aM, t2); + } + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i0 = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)32U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)32U; + uint32_t p1 = b[i0] >> j; + uint32_t ite; + if (i0 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i0 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + { + uint32_t bits_c = ite & mask_l; + memcpy(resM, table, (uint32_t)128U * sizeof (uint32_t)); + { + uint32_t i1; + for (i1 = (uint32_t)0U; i1 < (uint32_t)15U; i1++) + 
{ + uint32_t c = FStar_UInt32_eq_mask(bits_c, i1 + (uint32_t)1U); + uint32_t *res_j = table + (i1 + (uint32_t)1U) * (uint32_t)128U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t *os = resM; + uint32_t x = (c & res_j[i]) | (~c & resM[i]); + os[i] = x; + } + } + } + } + } + } + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < bBits / (uint32_t)4U; i0++) + { + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + amont_sqr(n, mu, resM, resM); + } + } + { + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i0 - (uint32_t)4U) / (uint32_t)32U; + uint32_t j = (bk - (uint32_t)4U * i0 - (uint32_t)4U) % (uint32_t)32U; + uint32_t p1 = b[i1] >> j; + uint32_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + { + uint32_t bits_l = ite & mask_l; + uint32_t a_bits_l[128U] = { 0U }; + memcpy(a_bits_l, table, (uint32_t)128U * sizeof (uint32_t)); + { + uint32_t i2; + for (i2 = (uint32_t)0U; i2 < (uint32_t)15U; i2++) + { + uint32_t c = FStar_UInt32_eq_mask(bits_l, i2 + (uint32_t)1U); + uint32_t *res_j = table + (i2 + (uint32_t)1U) * (uint32_t)128U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t *os = a_bits_l; + uint32_t x = (c & res_j[i]) | (~c & a_bits_l[i]); + os[i] = x; + } + } + } + } + amont_mul(n, mu, resM, a_bits_l, resM); + } + } + } + } + { + uint32_t tmp0[256U] = { 0U }; + memcpy(tmp0, resM, (uint32_t)128U * sizeof (uint32_t)); + reduction(n, mu, tmp0, res); + } + } + } + } + } +} + +static inline void +exp_vartime( + uint32_t nBits, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t r2[128U] = { 0U }; + uint32_t mu; + precompr2(nBits, n, r2); + mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + exp_vartime_precomp(n, mu, r2, a, bBits, b, res); +} + +static 
inline void +exp_consttime( + uint32_t nBits, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t r2[128U] = { 0U }; + uint32_t mu; + precompr2(nBits, n, r2); + mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + exp_consttime_precomp(n, mu, r2, a, bBits, b, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum4096_32_mod_exp_vartime( + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t is_valid_m = exp_check(n, a, bBits, b); + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)128U, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + exp_vartime(nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, (uint32_t)128U * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. 
+ + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum4096_32_mod_exp_consttime( + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t is_valid_m = exp_check(n, a, bBits, b); + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)128U, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + exp_consttime(nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, (uint32_t)128U * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, true otherwise. 
+ • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum4096_32_mod_inv_prime_vartime(uint32_t *n, uint32_t *a, uint32_t *res) +{ + uint32_t one[128U] = { 0U }; + uint32_t bit0; + uint32_t m00; + memset(one, 0U, (uint32_t)128U * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + bit0 = n[0U] & (uint32_t)1U; + m00 = (uint32_t)0U - bit0; + { + uint32_t acc0 = (uint32_t)0U; + uint32_t m10; + uint32_t m0; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + } + m10 = acc0; + m0 = m00 & m10; + { + uint32_t bn_zero[128U] = { 0U }; + uint32_t mask = (uint32_t)0xFFFFFFFFU; + uint32_t mask1; + uint32_t res10; + uint32_t m1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t uu____0 = FStar_UInt32_eq_mask(a[i], bn_zero[i]); + mask = uu____0 & mask; + } + } + mask1 = mask; + res10 = mask1; + m1 = res10; + { + uint32_t acc = (uint32_t)0U; + uint32_t m2; + uint32_t is_valid_m; + uint32_t nBits; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + } + m2 = acc; + is_valid_m = (m0 & ~m1) & m2; + nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)128U, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + uint32_t n2[128U] = { 0U }; + uint32_t + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32((uint32_t)0U, n[0U], (uint32_t)2U, n2); + uint32_t c1; + if ((uint32_t)1U < (uint32_t)128U) + { + uint32_t rLen = (uint32_t)127U; + uint32_t *a1 = n + (uint32_t)1U; + uint32_t *res1 = n2 + (uint32_t)1U; + uint32_t c = c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint32_t 
t1 = a1[(uint32_t)4U * i]; + uint32_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i0); + { + uint32_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, (uint32_t)0U, res_i1); + { + uint32_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, (uint32_t)0U, res_i2); + { + uint32_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, (uint32_t)0U, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint32_t t1 = a1[i]; + uint32_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i); + } + } + { + uint32_t c10 = c; + c1 = c10; + } + } + else + { + c1 = c0; + } + exp_vartime(nBits, n, a, (uint32_t)4096U, n2, res); + } + else + { + memset(res, 0U, (uint32_t)128U * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; + } + } + } +} + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be a 4096-bit bignum, i.e. uint32_t[128]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum4096_mont_ctx_free on the return value + to avoid memory leaks. 
+*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_Bignum4096_32_mont_ctx_init(uint32_t *n) +{ + uint32_t *r2 = (uint32_t *)KRML_HOST_CALLOC((uint32_t)128U, sizeof (uint32_t)); + uint32_t *n1 = (uint32_t *)KRML_HOST_CALLOC((uint32_t)128U, sizeof (uint32_t)); + uint32_t *r21 = r2; + uint32_t *n11 = n1; + uint32_t nBits; + uint32_t mu; + memcpy(n11, n, (uint32_t)128U * sizeof (uint32_t)); + nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)128U, n); + precompr2(nBits, n, r21); + mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + { + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 res; + res.len = (uint32_t)128U; + res.n = n11; + res.mu = mu; + res.r2 = r21; + KRML_CHECK_SIZE(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32), (uint32_t)1U); + { + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 + *buf = + (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *)KRML_HOST_MALLOC(sizeof ( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 + )); + buf[0U] = res; + return buf; + } + } +} + +/* +Deallocate the memory previously allocated by Hacl_Bignum4096_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. +*/ +void Hacl_Bignum4096_32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + uint32_t *n = k1.n; + uint32_t *r2 = k1.r2; + KRML_HOST_FREE(n); + KRML_HOST_FREE(r2); + KRML_HOST_FREE(k); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 8192-bit bignum, i.e. uint32_t[256]. + The outparam res is meant to be a 4096-bit bignum, i.e. uint32_t[128]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. +*/ +void +Hacl_Bignum4096_32_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + bn_slow_precomp(k1.n, k1.mu, k1.r2, a, res); +} + +/* +Write `a ^ b mod n` in `res`. 
+ + The arguments a and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum4096_32_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum4096_32_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + exp_consttime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum4096_32_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + uint32_t n2[128U] = { 0U }; + uint32_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32((uint32_t)0U, k1.n[0U], (uint32_t)2U, n2); + uint32_t c1; + if ((uint32_t)1U < (uint32_t)128U) + { + uint32_t rLen = (uint32_t)127U; + uint32_t *a1 = k1.n + (uint32_t)1U; + uint32_t *res1 = n2 + (uint32_t)1U; + uint32_t c = c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint32_t t1 = a1[(uint32_t)4U * i]; + uint32_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i0); + { + uint32_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, (uint32_t)0U, res_i1); + { + uint32_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, (uint32_t)0U, res_i2); + { + uint32_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = 
Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, (uint32_t)0U, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint32_t t1 = a1[i]; + uint32_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i); + } + } + { + uint32_t c10 = c; + c1 = c10; + } + } + else + { + c1 = c0; + } + exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, (uint32_t)4096U, n2, res); +} + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum4096_32_new_bn_from_bytes_be(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U <= (uint32_t)1073741823U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint32_t), (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U); + { + uint32_t + *res = + (uint32_t *)KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U, + sizeof (uint32_t)); + if (res == NULL) + { + return res; + } + { + uint32_t *res1 = res; + uint32_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + { + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < bnLen; i++) + { + uint32_t *os = res2; + uint32_t u = load32_be(tmp + (bnLen - i - (uint32_t)1U) * (uint32_t)4U); + uint32_t x = u; + os[i] = x; + } + } + return res2; + } + } + } +} + +/* 
+Load a little-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum4096_32_new_bn_from_bytes_le(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U <= (uint32_t)1073741823U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint32_t), (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U); + { + uint32_t + *res = + (uint32_t *)KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U, + sizeof (uint32_t)); + if (res == NULL) + { + return res; + } + { + uint32_t *res1 = res; + uint32_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + { + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp, b, len * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; i++) + { + uint32_t *os = res2; + uint8_t *bj = tmp + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r1 = u; + uint32_t x = r1; + os[i] = x; + } + } + return res2; + } + } + } +} + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a 4096-bit bignum. + The outparam res points to 512 bytes of valid memory. 
+*/ +void Hacl_Bignum4096_32_bn_to_bytes_be(uint32_t *b, uint8_t *res) +{ + uint32_t bnLen = ((uint32_t)512U - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + { + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + { + uint32_t numb = (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < bnLen; i++) + { + store32_be(tmp + i * numb, b[bnLen - i - (uint32_t)1U]); + } + } + memcpy(res, tmp + tmpLen - (uint32_t)512U, (uint32_t)512U * sizeof (uint8_t)); + } + } +} + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a 4096-bit bignum. + The outparam res points to 512 bytes of valid memory. +*/ +void Hacl_Bignum4096_32_bn_to_bytes_le(uint32_t *b, uint8_t *res) +{ + uint32_t bnLen = ((uint32_t)512U - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + { + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < bnLen; i++) + { + store32_le(tmp + i * (uint32_t)4U, b[i]); + } + } + memcpy(res, tmp, (uint32_t)512U * sizeof (uint8_t)); + } +} + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^32 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint32_t[128]. +*/ +uint32_t Hacl_Bignum4096_32_lt_mask(uint32_t *a, uint32_t *b) +{ + uint32_t acc = (uint32_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(a[i], b[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(a[i], b[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + } + return acc; +} + +/* +Returns 2^32 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint32_t[128]. 
+*/ +uint32_t Hacl_Bignum4096_32_eq_mask(uint32_t *a, uint32_t *b) +{ + uint32_t mask = (uint32_t)0xFFFFFFFFU; + uint32_t mask1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t uu____0 = FStar_UInt32_eq_mask(a[i], b[i]); + mask = uu____0 & mask; + } + } + mask1 = mask; + return mask1; +} + diff --git a/src/c89/Hacl_Bignum64.c b/src/c89/Hacl_Bignum64.c new file mode 100644 index 00000000..39a53cc0 --- /dev/null +++ b/src/c89/Hacl_Bignum64.c 
@@ -0,0 +1,1054 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Bignum64.h" + +#include "internal/Hacl_Bignum.h" + +/******************************************************************************* + +A verified bignum library. + +This is a 64-bit optimized version, where bignums are represented as an array +of `len` unsigned 64-bit integers, i.e. uint64_t[len]. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2 ^ (64 * len)` in `res`. + + This functions returns the carry. + + The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. 
uint64_t[len] +*/ +uint64_t Hacl_Bignum64_add(uint32_t len, uint64_t *a, uint64_t *b, uint64_t *res) +{ + return Hacl_Bignum_Addition_bn_add_eq_len_u64(len, a, b, res); +} + +/* +Write `a - b mod 2 ^ (64 * len)` in `res`. + + This functions returns the carry. + + The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len] +*/ +uint64_t Hacl_Bignum64_sub(uint32_t len, uint64_t *a, uint64_t *b, uint64_t *res) +{ + return Hacl_Bignum_Addition_bn_sub_eq_len_u64(len, a, b, res); +} + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum64_add_mod(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res) +{ + Hacl_Bignum_bn_add_mod_n_u64(len, n, a, b, res); +} + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum64_sub_mod(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res) +{ + Hacl_Bignum_bn_sub_mod_n_u64(len, n, a, b, res); +} + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint64_t[len]. + The outparam res is meant to be `2*len` limbs in size, i.e. uint64_t[2*len]. +*/ +void Hacl_Bignum64_mul(uint32_t len, uint64_t *a, uint64_t *b, uint64_t *res) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + { + uint64_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len, a, b, tmp, res); + } +} + +/* +Write `a * a` in `res`. + + The argument a is meant to be `len` limbs in size, i.e. 
uint64_t[len]. + The outparam res is meant to be `2*len` limbs in size, i.e. uint64_t[2*len]. +*/ +void Hacl_Bignum64_sqr(uint32_t len, uint64_t *a, uint64_t *res) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + { + uint64_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64(len, a, tmp, res); + } +} + +static inline void +bn_slow_precomp( + uint32_t len, + uint64_t *n, + uint64_t mu, + uint64_t *r2, + uint64_t *a, + uint64_t *res +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len); + { + uint64_t a_mod[len]; + memset(a_mod, 0U, len * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + { + uint64_t a1[len + len]; + memset(a1, 0U, (len + len) * sizeof (uint64_t)); + memcpy(a1, a, (len + len) * sizeof (uint64_t)); + { + uint64_t c00 = (uint64_t)0U; + uint64_t c0; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < len; i0++) + { + uint64_t qj = mu * a1[i0]; + uint64_t *res_j0 = a1 + i0; + uint64_t c = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < len / (uint32_t)4U; i++) + { + uint64_t a_i = n[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j0 + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i0); + { + uint64_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c, res_i1); + { + uint64_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c, res_i2); + { + uint64_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = len / (uint32_t)4U * (uint32_t)4U; i < len; i++) + { + uint64_t a_i = n[i]; + uint64_t *res_i = res_j0 + i; + c = 
Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i); + } + } + { + uint64_t r = c; + uint64_t c1 = r; + uint64_t *resb = a1 + len + i0; + uint64_t res_j = a1[len + i0]; + c00 = Lib_IntTypes_Intrinsics_add_carry_u64(c00, c1, res_j, resb); + } + } + } + memcpy(a_mod, a1 + len, (len + len - len) * sizeof (uint64_t)); + c0 = c00; + KRML_CHECK_SIZE(sizeof (uint64_t), len); + { + uint64_t tmp0[len]; + memset(tmp0, 0U, len * sizeof (uint64_t)); + { + uint64_t c1 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(len, a_mod, n, tmp0); + uint64_t m = (uint64_t)0U - c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint64_t *os = a_mod; + uint64_t x = (m & tmp0[i]) | (~m & a_mod[i]); + os[i] = x; + } + } + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + { + uint64_t c[len + len]; + memset(c, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + { + uint64_t tmp[(uint32_t)4U * len]; + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len, a_mod, r2, tmp, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, c, res); + } + } + } + } + } + } + } +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be `2*len` limbs in size, i.e. uint64_t[2*len]. + The argument n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + The function returns false if any of the following preconditions are violated, + true otherwise. 
+ • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum64_mod(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *res) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len); + { + uint64_t one[len]; + memset(one, 0U, len * sizeof (uint64_t)); + { + uint64_t bit0; + uint64_t m0; + memset(one, 0U, len * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + bit0 = n[0U] & (uint64_t)1U; + m0 = (uint64_t)0U - bit0; + { + uint64_t acc = (uint64_t)0U; + uint64_t m1; + uint64_t is_valid_m; + uint32_t nBits; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc = + (beq & acc) + | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + } + m1 = acc; + is_valid_m = m0 & m1; + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64(len, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + KRML_CHECK_SIZE(sizeof (uint64_t), len); + { + uint64_t r2[len]; + memset(r2, 0U, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64(len, nBits, n, r2); + { + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + bn_slow_precomp(len, n, mu, r2, a, res); + } + } + } + else + { + memset(res, 0U, len * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; + } + } + } +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. 
+ + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum64_mod_exp_vartime( + uint32_t len, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t is_valid_m = Hacl_Bignum_Exponentiation_bn_check_mod_exp_u64(len, n, a, bBits, b); + uint32_t nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64(len, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u64(len, nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, len * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. + + The function returns false if any of the following preconditions are violated, + true otherwise. 
+ • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum64_mod_exp_consttime( + uint32_t len, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t is_valid_m = Hacl_Bignum_Exponentiation_bn_check_mod_exp_u64(len, n, a, bBits, b); + uint32_t nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64(len, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_u64(len, nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, len * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, + true otherwise. 
+ • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum64_mod_inv_prime_vartime(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *res) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len); + { + uint64_t one[len]; + memset(one, 0U, len * sizeof (uint64_t)); + { + uint64_t bit0; + uint64_t m00; + memset(one, 0U, len * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + bit0 = n[0U] & (uint64_t)1U; + m00 = (uint64_t)0U - bit0; + { + uint64_t acc0 = (uint64_t)0U; + uint64_t m10; + uint64_t m0; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc0 = + (beq & acc0) + | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + } + m10 = acc0; + m0 = m00 & m10; + KRML_CHECK_SIZE(sizeof (uint64_t), len); + { + uint64_t bn_zero[len]; + memset(bn_zero, 0U, len * sizeof (uint64_t)); + { + uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; + uint64_t mask1; + uint64_t res10; + uint64_t m1; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint64_t uu____0 = FStar_UInt64_eq_mask(a[i], bn_zero[i]); + mask = uu____0 & mask; + } + } + mask1 = mask; + res10 = mask1; + m1 = res10; + { + uint64_t acc = (uint64_t)0U; + uint64_t m2; + uint64_t is_valid_m; + uint32_t nBits; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); + acc = + (beq & acc) + | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + } + m2 = acc; + is_valid_m = (m0 & ~m1) & m2; + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64(len, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + KRML_CHECK_SIZE(sizeof (uint64_t), len); + { + uint64_t n2[len]; + memset(n2, 0U, len * sizeof (uint64_t)); + { + uint64_t + c0 = + Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, + n[0U], + (uint64_t)2U, + n2); + 
uint64_t c1; + if ((uint32_t)1U < len) + { + uint32_t rLen = len - (uint32_t)1U; + uint64_t *a1 = n + (uint32_t)1U; + uint64_t *res1 = n2 + (uint32_t)1U; + uint64_t c = c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint64_t t1 = a1[(uint32_t)4U * i]; + uint64_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i0); + { + uint64_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, (uint64_t)0U, res_i1); + { + uint64_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = + Lib_IntTypes_Intrinsics_sub_borrow_u64(c, + t11, + (uint64_t)0U, + res_i2); + { + uint64_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = + Lib_IntTypes_Intrinsics_sub_borrow_u64(c, + t12, + (uint64_t)0U, + res_i); + } + } + } + } + } + { + uint32_t i; + for (i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint64_t t1 = a1[i]; + uint64_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i); + } + } + { + uint64_t c10 = c; + c1 = c10; + } + } + else + { + c1 = c0; + } + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u64(len, + nBits, + n, + a, + (uint32_t)64U * len, + n2, + res); + } + } + } + else + { + memset(res, 0U, len * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; + } + } + } + } + } + } +} + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be `len` limbs in size, i.e. uint64_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum64_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 +*Hacl_Bignum64_mont_ctx_init(uint32_t len, uint64_t *n) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len); + { + uint64_t *r2 = (uint64_t *)KRML_HOST_CALLOC(len, sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + { + uint64_t *n1 = (uint64_t *)KRML_HOST_CALLOC(len, sizeof (uint64_t)); + uint64_t *r21 = r2; + uint64_t *n11 = n1; + uint32_t nBits; + uint64_t mu; + memcpy(n11, n, len * sizeof (uint64_t)); + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64(len, n); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64(len, nBits, n, r21); + mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + { + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 res; + res.len = len; + res.n = n11; + res.mu = mu; + res.r2 = r21; + KRML_CHECK_SIZE(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64), (uint32_t)1U); + { + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 + *buf = + (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *)KRML_HOST_MALLOC(sizeof ( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 + )); + buf[0U] = res; + return buf; + } + } + } + } +} + +/* +Deallocate the memory previously allocated by Hacl_Bignum64_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init. +*/ +void Hacl_Bignum64_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + uint64_t *n = k1.n; + uint64_t *r2 = k1.r2; + KRML_HOST_FREE(n); + KRML_HOST_FREE(r2); + KRML_HOST_FREE(k); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be `2*len` limbs in size, i.e. uint64_t[2*len]. + The outparam res is meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init. 
+*/ +void +Hacl_Bignum64_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k10 = *k; + uint32_t len1 = k10.len; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + bn_slow_precomp(len1, k1.n, k1.mu, k1.r2, a, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum64_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k10 = *k; + uint32_t len1 = k10.len; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64(len1, + k1.n, + k1.mu, + k1.r2, + a, + bBits, + b, + res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. 
When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum64_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k10 = *k; + uint32_t len1 = k10.len; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u64(len1, + k1.n, + k1.mu, + k1.r2, + a, + bBits, + b, + res); +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum64_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k10 = *k; + uint32_t len1 = k10.len; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + KRML_CHECK_SIZE(sizeof (uint64_t), len1); + { + uint64_t n2[len1]; + memset(n2, 0U, len1 * sizeof (uint64_t)); + { + uint64_t + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, k1.n[0U], (uint64_t)2U, n2); + uint64_t c1; + if ((uint32_t)1U < len1) + { + uint32_t rLen = len1 - (uint32_t)1U; + uint64_t *a1 = k1.n + (uint32_t)1U; + uint64_t *res1 = n2 + (uint32_t)1U; + uint64_t c = c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint64_t t1 = a1[(uint32_t)4U * i]; + uint64_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i0); + { + uint64_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, (uint64_t)0U, res_i1); + { + uint64_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, (uint64_t)0U, res_i2); + { + uint64_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, (uint64_t)0U, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint64_t t1 = a1[i]; + uint64_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i); + } + } + { + uint64_t c10 = c; + c1 = c10; + } + } + else + { + c1 = c0; + } + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64(len1, + k1.n, + k1.mu, + k1.r2, + a, + (uint32_t)64U * len1, + n2, + res); + } + } +} + + 
+/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to `len` bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint64_t *Hacl_Bignum64_new_bn_from_bytes_be(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U <= (uint32_t)536870911U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint64_t), (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U); + { + uint64_t + *res = + (uint64_t *)KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U, + sizeof (uint64_t)); + if (res == NULL) + { + return res; + } + { + uint64_t *res1 = res; + uint64_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + { + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < bnLen; i++) + { + uint64_t *os = res2; + uint64_t u = load64_be(tmp + (bnLen - i - (uint32_t)1U) * (uint32_t)8U); + uint64_t x = u; + os[i] = x; + } + } + return res2; + } + } + } +} + +/* +Load a little-endian bignum from memory. + + The argument b points to `len` bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. 
+*/ +uint64_t *Hacl_Bignum64_new_bn_from_bytes_le(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U <= (uint32_t)536870911U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint64_t), (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U); + { + uint64_t + *res = + (uint64_t *)KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U, + sizeof (uint64_t)); + if (res == NULL) + { + return res; + } + { + uint64_t *res1 = res; + uint64_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + { + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp, b, len * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; i++) + { + uint64_t *os = res2; + uint8_t *bj = tmp + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r1 = u; + uint64_t x = r1; + os[i] = x; + } + } + return res2; + } + } + } +} + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a bignum of ⌈len / 8⌉ size. + The outparam res points to `len` bytes of valid memory. +*/ +void Hacl_Bignum64_bn_to_bytes_be(uint32_t len, uint64_t *b, uint8_t *res) +{ + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + { + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + { + uint32_t numb = (uint32_t)8U; + { + uint32_t i; + for (i = (uint32_t)0U; i < bnLen; i++) + { + store64_be(tmp + i * numb, b[bnLen - i - (uint32_t)1U]); + } + } + memcpy(res, tmp + tmpLen - len, len * sizeof (uint8_t)); + } + } +} + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a bignum of ⌈len / 8⌉ size. + The outparam res points to `len` bytes of valid memory. 
+*/ +void Hacl_Bignum64_bn_to_bytes_le(uint32_t len, uint64_t *b, uint8_t *res) +{ + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + { + uint8_t tmp[tmpLen]; + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < bnLen; i++) + { + store64_le(tmp + i * (uint32_t)8U, b[i]); + } + } + memcpy(res, tmp, len * sizeof (uint8_t)); + } +} + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^64 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint64_t[len]. +*/ +uint64_t Hacl_Bignum64_lt_mask(uint32_t len, uint64_t *a, uint64_t *b) +{ + uint64_t acc = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(a[i], b[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(a[i], b[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + } + return acc; +} + +/* +Returns 2^64 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint64_t[len]. +*/ +uint64_t Hacl_Bignum64_eq_mask(uint32_t len, uint64_t *a, uint64_t *b) +{ + uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; + uint64_t mask1; + { + uint32_t i; + for (i = (uint32_t)0U; i < len; i++) + { + uint64_t uu____0 = FStar_UInt64_eq_mask(a[i], b[i]); + mask = uu____0 & mask; + } + } + mask1 = mask; + return mask1; +} + diff --git a/src/c89/Hacl_Chacha20.c b/src/c89/Hacl_Chacha20.c new file mode 100644 index 00000000..9b189036 --- /dev/null +++ b/src/c89/Hacl_Chacha20.c 
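Review bot: `Hacl_Bignum64_mont_ctx_init` dereferences every allocation it makes without a NULL check — `memcpy(n11, n, len * sizeof (uint64_t))` runs on the unchecked `KRML_HOST_CALLOC` result and `buf[0U] = res` on the unchecked `KRML_HOST_MALLOC` result — whereas the loaders later in the same hunk (`Hacl_Bignum64_new_bn_from_bytes_be`/`_le`) do test `res == NULL`, so an allocation failure here becomes a null-pointer write instead of a reported error. Since this file is KaRaMeL-extracted the fix belongs in the F* source, but at the C boundary it amounts to `if (r2 == NULL || n1 == NULL) { KRML_HOST_FREE(r2); KRML_HOST_FREE(n1); return NULL; }` after the two `KRML_HOST_CALLOC` calls and `if (buf == NULL) { KRML_HOST_FREE(n11); KRML_HOST_FREE(r21); return NULL; }` before `buf[0U] = res` (assuming `KRML_HOST_FREE` tolerates NULL like free(3)), with the header comment gaining `Returns NULL if allocation fails; the caller must check the result before use.` Relatedly, `Hacl_Bignum64_bn_to_bytes_be`/`_le` take `len` without the `len == 0` guard the `new_bn_from_bytes_*` functions have: for `len == 0` the expression `(len - 1U) / 8U + 1U` wraps to 536870912 and `tmpLen = 8U * bnLen` overflows to 0, so the `0 < len` precondition presumably carried by the F* proof should at least be stated in their doc comments.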
@@ -0,0 +1,282 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */ + + +#include "internal/Hacl_Chacha20.h" + + + +const +uint32_t +Hacl_Impl_Chacha20_Vec_chacha20_constants[4U] = + { (uint32_t)0x61707865U, (uint32_t)0x3320646eU, (uint32_t)0x79622d32U, (uint32_t)0x6b206574U }; + +static inline void quarter_round(uint32_t *st, uint32_t a, uint32_t b, uint32_t c, uint32_t d) +{ + uint32_t sta0 = st[a]; + uint32_t stb0 = st[b]; + uint32_t std0 = st[d]; + uint32_t sta10 = sta0 + stb0; + uint32_t std10 = std0 ^ sta10; + uint32_t std20 = std10 << (uint32_t)16U | std10 >> (uint32_t)16U; + uint32_t sta2; + uint32_t stb1; + uint32_t std3; + uint32_t sta11; + uint32_t std11; + uint32_t std21; + uint32_t sta3; + uint32_t stb2; + uint32_t std4; + uint32_t sta12; + uint32_t std12; + uint32_t std22; + uint32_t sta; + uint32_t stb; + uint32_t std; + uint32_t sta1; + uint32_t std1; + uint32_t std2; + st[a] = sta10; + st[d] = std20; + sta2 = st[c]; + stb1 = st[d]; + std3 = st[b]; + sta11 = sta2 + stb1; + std11 = std3 ^ sta11; + std21 = std11 << (uint32_t)12U | std11 >> (uint32_t)20U; + st[c] = sta11; + st[b] = std21; + sta3 = st[a]; + stb2 = st[b]; + std4 = st[d]; + sta12 = sta3 + stb2; + std12 = std4 ^ sta12; + std22 = std12 << (uint32_t)8U | std12 >> (uint32_t)24U; + st[a] = sta12; + st[d] = std22; + sta = st[c]; + stb = st[d]; + std = st[b]; + sta1 = sta + stb; + std1 = std ^ sta1; + std2 = std1 << (uint32_t)7U | std1 >> (uint32_t)25U; + st[c] = sta1; + st[b] = std2; +} + +static inline void double_round(uint32_t *st) +{ + quarter_round(st, (uint32_t)0U, (uint32_t)4U, (uint32_t)8U, (uint32_t)12U); + quarter_round(st, (uint32_t)1U, (uint32_t)5U, (uint32_t)9U, (uint32_t)13U); + quarter_round(st, (uint32_t)2U, (uint32_t)6U, (uint32_t)10U, (uint32_t)14U); + quarter_round(st, (uint32_t)3U, (uint32_t)7U, (uint32_t)11U, (uint32_t)15U); + quarter_round(st, (uint32_t)0U, (uint32_t)5U, (uint32_t)10U, (uint32_t)15U); + quarter_round(st, (uint32_t)1U, (uint32_t)6U, (uint32_t)11U, (uint32_t)12U); + quarter_round(st, (uint32_t)2U, (uint32_t)7U, 
(uint32_t)8U, (uint32_t)13U); + quarter_round(st, (uint32_t)3U, (uint32_t)4U, (uint32_t)9U, (uint32_t)14U); +} + +static inline void rounds(uint32_t *st) +{ + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); +} + +static inline void chacha20_core(uint32_t *k, uint32_t *ctx, uint32_t ctr) +{ + uint32_t ctr_u32; + memcpy(k, ctx, (uint32_t)16U * sizeof (uint32_t)); + ctr_u32 = ctr; + k[12U] = k[12U] + ctr_u32; + rounds(k); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = k; + uint32_t x = k[i] + ctx[i]; + os[i] = x; + } + } + k[12U] = k[12U] + ctr_u32; +} + +static const +uint32_t +chacha20_constants[4U] = + { (uint32_t)0x61707865U, (uint32_t)0x3320646eU, (uint32_t)0x79622d32U, (uint32_t)0x6b206574U }; + +void Hacl_Impl_Chacha20_chacha20_init(uint32_t *ctx, uint8_t *k, uint8_t *n, uint32_t ctr) +{ + uint32_t *uu____0 = ctx; + uint32_t *uu____1; + uint32_t *uu____2; + uint32_t i; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + uint32_t *os = uu____0; + uint32_t x = chacha20_constants[i0]; + os[i0] = x; + } + } + uu____1 = ctx + (uint32_t)4U; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)8U; i0++) + { + uint32_t *os = uu____1; + uint8_t *bj = k + i0 * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i0] = x; + } + } + ctx[12U] = ctr; + uu____2 = ctx + (uint32_t)13U; + for (i = (uint32_t)0U; i < (uint32_t)3U; i++) + { + uint32_t *os = uu____2; + uint8_t *bj = n + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } +} + +void +Hacl_Impl_Chacha20_chacha20_encrypt_block( + uint32_t *ctx, + uint8_t *out, + uint32_t incr, + uint8_t *text +) +{ + uint32_t k[16U] = { 0U }; + chacha20_core(k, ctx, incr); + { + uint32_t bl[16U] = { 0U }; + { + uint32_t i; + for (i = 
(uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint8_t *bj = text + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint32_t x = bl[i] ^ k[i]; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + store32_le(out + i * (uint32_t)4U, bl[i]); + } + } + } +} + +static inline void +chacha20_encrypt_last(uint32_t *ctx, uint32_t len, uint8_t *out, uint32_t incr, uint8_t *text) +{ + uint8_t plain[64U] = { 0U }; + memcpy(plain, text, len * sizeof (uint8_t)); + Hacl_Impl_Chacha20_chacha20_encrypt_block(ctx, plain, incr, plain); + memcpy(out, plain, len * sizeof (uint8_t)); +} + +void +Hacl_Impl_Chacha20_chacha20_update(uint32_t *ctx, uint32_t len, uint8_t *out, uint8_t *text) +{ + uint32_t rem = len % (uint32_t)64U; + uint32_t nb = len / (uint32_t)64U; + uint32_t rem1 = len % (uint32_t)64U; + { + uint32_t i; + for (i = (uint32_t)0U; i < nb; i++) + { + Hacl_Impl_Chacha20_chacha20_encrypt_block(ctx, + out + i * (uint32_t)64U, + i, + text + i * (uint32_t)64U); + } + } + if (rem1 > (uint32_t)0U) + { + chacha20_encrypt_last(ctx, rem, out + nb * (uint32_t)64U, nb, text + nb * (uint32_t)64U); + } +} + +void +Hacl_Chacha20_chacha20_encrypt( + uint32_t len, + uint8_t *out, + uint8_t *text, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + uint32_t ctx[16U] = { 0U }; + Hacl_Impl_Chacha20_chacha20_init(ctx, key, n, ctr); + Hacl_Impl_Chacha20_chacha20_update(ctx, len, out, text); +} + +void +Hacl_Chacha20_chacha20_decrypt( + uint32_t len, + uint8_t *out, + uint8_t *cipher, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + uint32_t ctx[16U] = { 0U }; + Hacl_Impl_Chacha20_chacha20_init(ctx, key, n, ctr); + Hacl_Impl_Chacha20_chacha20_update(ctx, len, out, cipher); +} + 
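Review bot: Nothing in `Hacl_Impl_Chacha20_chacha20_update` guards against the 32-bit block counter wrapping: `chacha20_core` computes `k[12U] = k[12U] + ctr_u32;` in uint32_t arithmetic and `chacha20_update` feeds it block indices up to `len / 64`, so a caller that starts at a large `ctr` silently wraps to counter 0 and re-emits keystream already used under the same key and nonce. This file appears to be KaRaMeL-generated output, so the fix presumably belongs in the F* source or the header that declares the public entry points; at minimum the contract on `Hacl_Chacha20_chacha20_encrypt` and `_decrypt` should state `/* Precondition: ctr + len / 64 must not exceed 2^32 - 1; the block counter is 32-bit and wrapping reuses keystream. */`. Separately, the `ctx[16U]` array in both public entry points holds the expanded key words and leaves scope without being cleared; if the project has a zeroization primitive the compiler cannot elide (explicit_bzero or equivalent), calling it before return would limit key residue on the stack. The duplicated `rem`/`rem1` in `chacha20_update` is harmless but could be collapsed into one variable.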
diff --git a/src/c89/Hacl_Chacha20Poly1305_128.c b/src/c89/Hacl_Chacha20Poly1305_128.c
new file mode 100644
index 00000000..722374c5
--- /dev/null
+++ b/src/c89/Hacl_Chacha20Poly1305_128.c
@@ -0,0 +1,1408 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */ + + +#include "Hacl_Chacha20Poly1305_128.h" + +#include "internal/Hacl_Poly1305_128.h" + +static inline void +poly1305_padded_128(Lib_IntVector_Intrinsics_vec128 *ctx, uint32_t len, uint8_t *text) +{ + uint32_t n = len / (uint32_t)16U; + uint32_t r = len % (uint32_t)16U; + uint8_t *blocks = text; + uint8_t *rem = text + n * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec128 *pre0 = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 *acc0 = ctx; + uint32_t sz_block = (uint32_t)32U; + uint32_t len0 = n * (uint32_t)16U / sz_block * sz_block; + uint8_t *t00 = blocks; + uint32_t len1; + uint8_t *t10; + uint32_t nb0; + uint32_t rem1; + if (len0 > (uint32_t)0U) + { + uint32_t bs = (uint32_t)32U; + uint8_t *text0 = t00; + Hacl_Impl_Poly1305_Field32xN_128_load_acc2(acc0, text0); + { + uint32_t len10 = len0 - bs; + uint8_t *text1 = t00 + bs; + uint32_t nb = len10 / bs; + { + uint32_t i; + for (i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = text1 + i * bs; + Lib_IntVector_Intrinsics_vec128 e[5U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + { + Lib_IntVector_Intrinsics_vec128 b1 = Lib_IntVector_Intrinsics_vec128_load64_le(block); + Lib_IntVector_Intrinsics_vec128 + b2 = Lib_IntVector_Intrinsics_vec128_load64_le(block + (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 + lo = Lib_IntVector_Intrinsics_vec128_interleave_low64(b1, b2); + Lib_IntVector_Intrinsics_vec128 + hi = Lib_IntVector_Intrinsics_vec128_interleave_high64(b1, b2); + Lib_IntVector_Intrinsics_vec128 + f00 = + Lib_IntVector_Intrinsics_vec128_and(lo, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f15 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(lo, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f25 = + 
Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(lo, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(hi, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(hi, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(hi, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f0 = f00; + Lib_IntVector_Intrinsics_vec128 f1 = f15; + Lib_IntVector_Intrinsics_vec128 f2 = f25; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f41 = f40; + e[0U] = f0; + e[1U] = f1; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + { + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b); + Lib_IntVector_Intrinsics_vec128 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec128_or(f4, mask); + { + Lib_IntVector_Intrinsics_vec128 *rn = pre0 + (uint32_t)10U; + Lib_IntVector_Intrinsics_vec128 *rn5 = pre0 + (uint32_t)15U; + Lib_IntVector_Intrinsics_vec128 r0 = rn[0U]; + Lib_IntVector_Intrinsics_vec128 r1 = rn[1U]; + Lib_IntVector_Intrinsics_vec128 r2 = rn[2U]; + Lib_IntVector_Intrinsics_vec128 r3 = rn[3U]; + Lib_IntVector_Intrinsics_vec128 r4 = rn[4U]; + Lib_IntVector_Intrinsics_vec128 r51 = rn5[1U]; + Lib_IntVector_Intrinsics_vec128 r52 = rn5[2U]; + Lib_IntVector_Intrinsics_vec128 r53 = rn5[3U]; + Lib_IntVector_Intrinsics_vec128 r54 = rn5[4U]; + Lib_IntVector_Intrinsics_vec128 f10 = acc0[0U]; + Lib_IntVector_Intrinsics_vec128 f110 = acc0[1U]; + Lib_IntVector_Intrinsics_vec128 f120 = acc0[2U]; + Lib_IntVector_Intrinsics_vec128 f130 = acc0[3U]; + Lib_IntVector_Intrinsics_vec128 f140 = acc0[4U]; + Lib_IntVector_Intrinsics_vec128 a0 = 
Lib_IntVector_Intrinsics_vec128_mul64(r0, f10); + Lib_IntVector_Intrinsics_vec128 a1 = Lib_IntVector_Intrinsics_vec128_mul64(r1, f10); + Lib_IntVector_Intrinsics_vec128 a2 = Lib_IntVector_Intrinsics_vec128_mul64(r2, f10); + Lib_IntVector_Intrinsics_vec128 a3 = Lib_IntVector_Intrinsics_vec128_mul64(r3, f10); + Lib_IntVector_Intrinsics_vec128 a4 = Lib_IntVector_Intrinsics_vec128_mul64(r4, f10); + Lib_IntVector_Intrinsics_vec128 + a01 = + Lib_IntVector_Intrinsics_vec128_add64(a0, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f110)); + Lib_IntVector_Intrinsics_vec128 + a11 = + Lib_IntVector_Intrinsics_vec128_add64(a1, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f110)); + Lib_IntVector_Intrinsics_vec128 + a21 = + Lib_IntVector_Intrinsics_vec128_add64(a2, + Lib_IntVector_Intrinsics_vec128_mul64(r1, f110)); + Lib_IntVector_Intrinsics_vec128 + a31 = + Lib_IntVector_Intrinsics_vec128_add64(a3, + Lib_IntVector_Intrinsics_vec128_mul64(r2, f110)); + Lib_IntVector_Intrinsics_vec128 + a41 = + Lib_IntVector_Intrinsics_vec128_add64(a4, + Lib_IntVector_Intrinsics_vec128_mul64(r3, f110)); + Lib_IntVector_Intrinsics_vec128 + a02 = + Lib_IntVector_Intrinsics_vec128_add64(a01, + Lib_IntVector_Intrinsics_vec128_mul64(r53, f120)); + Lib_IntVector_Intrinsics_vec128 + a12 = + Lib_IntVector_Intrinsics_vec128_add64(a11, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f120)); + Lib_IntVector_Intrinsics_vec128 + a22 = + Lib_IntVector_Intrinsics_vec128_add64(a21, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f120)); + Lib_IntVector_Intrinsics_vec128 + a32 = + Lib_IntVector_Intrinsics_vec128_add64(a31, + Lib_IntVector_Intrinsics_vec128_mul64(r1, f120)); + Lib_IntVector_Intrinsics_vec128 + a42 = + Lib_IntVector_Intrinsics_vec128_add64(a41, + Lib_IntVector_Intrinsics_vec128_mul64(r2, f120)); + Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r52, f130)); + Lib_IntVector_Intrinsics_vec128 + a13 = + 
Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r53, f130)); + Lib_IntVector_Intrinsics_vec128 + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f130)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f130)); + Lib_IntVector_Intrinsics_vec128 + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r1, f130)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r51, f140)); + Lib_IntVector_Intrinsics_vec128 + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r52, f140)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r53, f140)); + Lib_IntVector_Intrinsics_vec128 + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f140)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f140)); + Lib_IntVector_Intrinsics_vec128 t01 = a04; + Lib_IntVector_Intrinsics_vec128 t1 = a14; + Lib_IntVector_Intrinsics_vec128 t2 = a24; + Lib_IntVector_Intrinsics_vec128 t3 = a34; + Lib_IntVector_Intrinsics_vec128 t4 = a44; + Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + x0 = Lib_IntVector_Intrinsics_vec128_and(t01, mask26); + Lib_IntVector_Intrinsics_vec128 + x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = 
Lib_IntVector_Intrinsics_vec128_add64(t1, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 + x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 + x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 + x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 + x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 + x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 + x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + Lib_IntVector_Intrinsics_vec128 + x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + Lib_IntVector_Intrinsics_vec128 o00 = x02; + Lib_IntVector_Intrinsics_vec128 o10 = x12; + Lib_IntVector_Intrinsics_vec128 o20 = x21; + Lib_IntVector_Intrinsics_vec128 o30 = x32; + Lib_IntVector_Intrinsics_vec128 o40 = x42; + 
acc0[0U] = o00; + acc0[1U] = o10; + acc0[2U] = o20; + acc0[3U] = o30; + acc0[4U] = o40; + { + Lib_IntVector_Intrinsics_vec128 f100 = acc0[0U]; + Lib_IntVector_Intrinsics_vec128 f11 = acc0[1U]; + Lib_IntVector_Intrinsics_vec128 f12 = acc0[2U]; + Lib_IntVector_Intrinsics_vec128 f13 = acc0[3U]; + Lib_IntVector_Intrinsics_vec128 f14 = acc0[4U]; + Lib_IntVector_Intrinsics_vec128 f20 = e[0U]; + Lib_IntVector_Intrinsics_vec128 f21 = e[1U]; + Lib_IntVector_Intrinsics_vec128 f22 = e[2U]; + Lib_IntVector_Intrinsics_vec128 f23 = e[3U]; + Lib_IntVector_Intrinsics_vec128 f24 = e[4U]; + Lib_IntVector_Intrinsics_vec128 + o0 = Lib_IntVector_Intrinsics_vec128_add64(f100, f20); + Lib_IntVector_Intrinsics_vec128 + o1 = Lib_IntVector_Intrinsics_vec128_add64(f11, f21); + Lib_IntVector_Intrinsics_vec128 + o2 = Lib_IntVector_Intrinsics_vec128_add64(f12, f22); + Lib_IntVector_Intrinsics_vec128 + o3 = Lib_IntVector_Intrinsics_vec128_add64(f13, f23); + Lib_IntVector_Intrinsics_vec128 + o4 = Lib_IntVector_Intrinsics_vec128_add64(f14, f24); + acc0[0U] = o0; + acc0[1U] = o1; + acc0[2U] = o2; + acc0[3U] = o3; + acc0[4U] = o4; + } + } + } + } + } + } + Hacl_Impl_Poly1305_Field32xN_128_fmul_r2_normalize(acc0, pre0); + } + } + len1 = n * (uint32_t)16U - len0; + t10 = blocks + len0; + nb0 = len1 / (uint32_t)16U; + rem1 = len1 % (uint32_t)16U; + { + uint32_t i; + for (i = (uint32_t)0U; i < nb0; i++) + { + uint8_t *block = t10 + i * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec128 e[5U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + { + uint64_t u0 = load64_le(block); + uint64_t lo = u0; + uint64_t u = load64_le(block + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec128 f0 = Lib_IntVector_Intrinsics_vec128_load64(lo); + Lib_IntVector_Intrinsics_vec128 f1 = Lib_IntVector_Intrinsics_vec128_load64(hi); + Lib_IntVector_Intrinsics_vec128 + f010 = + Lib_IntVector_Intrinsics_vec128_and(f0, + 
Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f110 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f20 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(f1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f01 = f010; + Lib_IntVector_Intrinsics_vec128 f111 = f110; + Lib_IntVector_Intrinsics_vec128 f2 = f20; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + { + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b); + Lib_IntVector_Intrinsics_vec128 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec128_or(f4, mask); + { + Lib_IntVector_Intrinsics_vec128 *r1 = pre0; + Lib_IntVector_Intrinsics_vec128 *r5 = pre0 + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 r0 = r1[0U]; + Lib_IntVector_Intrinsics_vec128 r11 = r1[1U]; + Lib_IntVector_Intrinsics_vec128 r2 = r1[2U]; + Lib_IntVector_Intrinsics_vec128 r3 = r1[3U]; + Lib_IntVector_Intrinsics_vec128 r4 = r1[4U]; + Lib_IntVector_Intrinsics_vec128 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec128 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec128 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec128 r54 = r5[4U]; + 
Lib_IntVector_Intrinsics_vec128 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec128 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec128 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec128 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec128 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec128 a0 = acc0[0U]; + Lib_IntVector_Intrinsics_vec128 a1 = acc0[1U]; + Lib_IntVector_Intrinsics_vec128 a2 = acc0[2U]; + Lib_IntVector_Intrinsics_vec128 a3 = acc0[3U]; + Lib_IntVector_Intrinsics_vec128 a4 = acc0[4U]; + Lib_IntVector_Intrinsics_vec128 a01 = Lib_IntVector_Intrinsics_vec128_add64(a0, f10); + Lib_IntVector_Intrinsics_vec128 a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, f11); + Lib_IntVector_Intrinsics_vec128 a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, f12); + Lib_IntVector_Intrinsics_vec128 a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, f13); + Lib_IntVector_Intrinsics_vec128 a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, f14); + Lib_IntVector_Intrinsics_vec128 a02 = Lib_IntVector_Intrinsics_vec128_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec128 a12 = Lib_IntVector_Intrinsics_vec128_mul64(r11, a01); + Lib_IntVector_Intrinsics_vec128 a22 = Lib_IntVector_Intrinsics_vec128_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec128 a32 = Lib_IntVector_Intrinsics_vec128_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec128 a42 = Lib_IntVector_Intrinsics_vec128_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec128 + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec128 + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r11, a11)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec128 + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, 
+ Lib_IntVector_Intrinsics_vec128_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec128 + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec128 + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r11, a21)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec128 + a05 = + Lib_IntVector_Intrinsics_vec128_add64(a04, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec128 + a15 = + Lib_IntVector_Intrinsics_vec128_add64(a14, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec128 + a25 = + Lib_IntVector_Intrinsics_vec128_add64(a24, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec128 + a35 = + Lib_IntVector_Intrinsics_vec128_add64(a34, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec128 + a45 = + Lib_IntVector_Intrinsics_vec128_add64(a44, + Lib_IntVector_Intrinsics_vec128_mul64(r11, a31)); + Lib_IntVector_Intrinsics_vec128 + a06 = + Lib_IntVector_Intrinsics_vec128_add64(a05, + Lib_IntVector_Intrinsics_vec128_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec128 + a16 = + Lib_IntVector_Intrinsics_vec128_add64(a15, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec128 + a26 = + Lib_IntVector_Intrinsics_vec128_add64(a25, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec128 + a36 = + Lib_IntVector_Intrinsics_vec128_add64(a35, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a41)); + 
Lib_IntVector_Intrinsics_vec128 + a46 = + Lib_IntVector_Intrinsics_vec128_add64(a45, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec128 t01 = a06; + Lib_IntVector_Intrinsics_vec128 t11 = a16; + Lib_IntVector_Intrinsics_vec128 t2 = a26; + Lib_IntVector_Intrinsics_vec128 t3 = a36; + Lib_IntVector_Intrinsics_vec128 t4 = a46; + Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t01, mask26); + Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t11, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, 
(uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + Lib_IntVector_Intrinsics_vec128 o0 = x02; + Lib_IntVector_Intrinsics_vec128 o1 = x12; + Lib_IntVector_Intrinsics_vec128 o2 = x21; + Lib_IntVector_Intrinsics_vec128 o3 = x32; + Lib_IntVector_Intrinsics_vec128 o4 = x42; + acc0[0U] = o0; + acc0[1U] = o1; + acc0[2U] = o2; + acc0[3U] = o3; + acc0[4U] = o4; + } + } + } + } + } + if (rem1 > (uint32_t)0U) + { + uint8_t *last = t10 + nb0 * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec128 e[5U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + { + uint8_t tmp[16U] = { 0U }; + memcpy(tmp, last, rem1 * sizeof (uint8_t)); + { + uint64_t u0 = load64_le(tmp); + uint64_t lo = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec128 f0 = Lib_IntVector_Intrinsics_vec128_load64(lo); + Lib_IntVector_Intrinsics_vec128 f1 = Lib_IntVector_Intrinsics_vec128_load64(hi); + Lib_IntVector_Intrinsics_vec128 + f010 = + Lib_IntVector_Intrinsics_vec128_and(f0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f110 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f20 = + 
Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(f1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f01 = f010; + Lib_IntVector_Intrinsics_vec128 f111 = f110; + Lib_IntVector_Intrinsics_vec128 f2 = f20; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f4 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f4; + { + uint64_t b = (uint64_t)1U << rem1 * (uint32_t)8U % (uint32_t)26U; + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b); + Lib_IntVector_Intrinsics_vec128 fi = e[rem1 * (uint32_t)8U / (uint32_t)26U]; + e[rem1 * (uint32_t)8U / (uint32_t)26U] = Lib_IntVector_Intrinsics_vec128_or(fi, mask); + { + Lib_IntVector_Intrinsics_vec128 *r1 = pre0; + Lib_IntVector_Intrinsics_vec128 *r5 = pre0 + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 r0 = r1[0U]; + Lib_IntVector_Intrinsics_vec128 r11 = r1[1U]; + Lib_IntVector_Intrinsics_vec128 r2 = r1[2U]; + Lib_IntVector_Intrinsics_vec128 r3 = r1[3U]; + Lib_IntVector_Intrinsics_vec128 r4 = r1[4U]; + Lib_IntVector_Intrinsics_vec128 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec128 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec128 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec128 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec128 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec128 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec128 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec128 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec128 f14 = e[4U]; + 
Lib_IntVector_Intrinsics_vec128 a0 = acc0[0U]; + Lib_IntVector_Intrinsics_vec128 a1 = acc0[1U]; + Lib_IntVector_Intrinsics_vec128 a2 = acc0[2U]; + Lib_IntVector_Intrinsics_vec128 a3 = acc0[3U]; + Lib_IntVector_Intrinsics_vec128 a4 = acc0[4U]; + Lib_IntVector_Intrinsics_vec128 a01 = Lib_IntVector_Intrinsics_vec128_add64(a0, f10); + Lib_IntVector_Intrinsics_vec128 a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, f11); + Lib_IntVector_Intrinsics_vec128 a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, f12); + Lib_IntVector_Intrinsics_vec128 a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, f13); + Lib_IntVector_Intrinsics_vec128 a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, f14); + Lib_IntVector_Intrinsics_vec128 a02 = Lib_IntVector_Intrinsics_vec128_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec128 a12 = Lib_IntVector_Intrinsics_vec128_mul64(r11, a01); + Lib_IntVector_Intrinsics_vec128 a22 = Lib_IntVector_Intrinsics_vec128_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec128 a32 = Lib_IntVector_Intrinsics_vec128_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec128 a42 = Lib_IntVector_Intrinsics_vec128_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec128 + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec128 + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r11, a11)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec128 + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec128 + a14 = + 
Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec128 + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r11, a21)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec128 + a05 = + Lib_IntVector_Intrinsics_vec128_add64(a04, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec128 + a15 = + Lib_IntVector_Intrinsics_vec128_add64(a14, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec128 + a25 = + Lib_IntVector_Intrinsics_vec128_add64(a24, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec128 + a35 = + Lib_IntVector_Intrinsics_vec128_add64(a34, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec128 + a45 = + Lib_IntVector_Intrinsics_vec128_add64(a44, + Lib_IntVector_Intrinsics_vec128_mul64(r11, a31)); + Lib_IntVector_Intrinsics_vec128 + a06 = + Lib_IntVector_Intrinsics_vec128_add64(a05, + Lib_IntVector_Intrinsics_vec128_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec128 + a16 = + Lib_IntVector_Intrinsics_vec128_add64(a15, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec128 + a26 = + Lib_IntVector_Intrinsics_vec128_add64(a25, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec128 + a36 = + Lib_IntVector_Intrinsics_vec128_add64(a35, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec128 + a46 = + Lib_IntVector_Intrinsics_vec128_add64(a45, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec128 t01 = a06; + Lib_IntVector_Intrinsics_vec128 t11 = a16; + 
Lib_IntVector_Intrinsics_vec128 t2 = a26; + Lib_IntVector_Intrinsics_vec128 t3 = a36; + Lib_IntVector_Intrinsics_vec128 t4 = a46; + Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t01, mask26); + Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t11, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 x31 = 
Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + Lib_IntVector_Intrinsics_vec128 o0 = x02; + Lib_IntVector_Intrinsics_vec128 o1 = x12; + Lib_IntVector_Intrinsics_vec128 o2 = x21; + Lib_IntVector_Intrinsics_vec128 o3 = x32; + Lib_IntVector_Intrinsics_vec128 o4 = x42; + acc0[0U] = o0; + acc0[1U] = o1; + acc0[2U] = o2; + acc0[3U] = o3; + acc0[4U] = o4; + } + } + } + } + } + { + uint8_t tmp[16U] = { 0U }; + memcpy(tmp, rem, r * sizeof (uint8_t)); + if (r > (uint32_t)0U) + { + Lib_IntVector_Intrinsics_vec128 *pre = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 *acc = ctx; + Lib_IntVector_Intrinsics_vec128 e[5U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + { + uint64_t u0 = load64_le(tmp); + uint64_t lo = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec128 f0 = Lib_IntVector_Intrinsics_vec128_load64(lo); + Lib_IntVector_Intrinsics_vec128 f1 = Lib_IntVector_Intrinsics_vec128_load64(hi); + Lib_IntVector_Intrinsics_vec128 + f010 = + Lib_IntVector_Intrinsics_vec128_and(f0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f110 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f20 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(f1, + 
Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f01 = f010; + Lib_IntVector_Intrinsics_vec128 f111 = f110; + Lib_IntVector_Intrinsics_vec128 f2 = f20; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f41 = f40; + uint64_t b; + Lib_IntVector_Intrinsics_vec128 mask; + Lib_IntVector_Intrinsics_vec128 f4; + Lib_IntVector_Intrinsics_vec128 *r1; + Lib_IntVector_Intrinsics_vec128 *r5; + Lib_IntVector_Intrinsics_vec128 r0; + Lib_IntVector_Intrinsics_vec128 r11; + Lib_IntVector_Intrinsics_vec128 r2; + Lib_IntVector_Intrinsics_vec128 r3; + Lib_IntVector_Intrinsics_vec128 r4; + Lib_IntVector_Intrinsics_vec128 r51; + Lib_IntVector_Intrinsics_vec128 r52; + Lib_IntVector_Intrinsics_vec128 r53; + Lib_IntVector_Intrinsics_vec128 r54; + Lib_IntVector_Intrinsics_vec128 f10; + Lib_IntVector_Intrinsics_vec128 f11; + Lib_IntVector_Intrinsics_vec128 f12; + Lib_IntVector_Intrinsics_vec128 f13; + Lib_IntVector_Intrinsics_vec128 f14; + Lib_IntVector_Intrinsics_vec128 a0; + Lib_IntVector_Intrinsics_vec128 a1; + Lib_IntVector_Intrinsics_vec128 a2; + Lib_IntVector_Intrinsics_vec128 a3; + Lib_IntVector_Intrinsics_vec128 a4; + Lib_IntVector_Intrinsics_vec128 a01; + Lib_IntVector_Intrinsics_vec128 a11; + Lib_IntVector_Intrinsics_vec128 a21; + Lib_IntVector_Intrinsics_vec128 a31; + Lib_IntVector_Intrinsics_vec128 a41; + Lib_IntVector_Intrinsics_vec128 a02; + Lib_IntVector_Intrinsics_vec128 a12; + Lib_IntVector_Intrinsics_vec128 a22; + Lib_IntVector_Intrinsics_vec128 a32; + Lib_IntVector_Intrinsics_vec128 a42; + Lib_IntVector_Intrinsics_vec128 a03; + Lib_IntVector_Intrinsics_vec128 a13; + 
Lib_IntVector_Intrinsics_vec128 a23; + Lib_IntVector_Intrinsics_vec128 a33; + Lib_IntVector_Intrinsics_vec128 a43; + Lib_IntVector_Intrinsics_vec128 a04; + Lib_IntVector_Intrinsics_vec128 a14; + Lib_IntVector_Intrinsics_vec128 a24; + Lib_IntVector_Intrinsics_vec128 a34; + Lib_IntVector_Intrinsics_vec128 a44; + Lib_IntVector_Intrinsics_vec128 a05; + Lib_IntVector_Intrinsics_vec128 a15; + Lib_IntVector_Intrinsics_vec128 a25; + Lib_IntVector_Intrinsics_vec128 a35; + Lib_IntVector_Intrinsics_vec128 a45; + Lib_IntVector_Intrinsics_vec128 a06; + Lib_IntVector_Intrinsics_vec128 a16; + Lib_IntVector_Intrinsics_vec128 a26; + Lib_IntVector_Intrinsics_vec128 a36; + Lib_IntVector_Intrinsics_vec128 a46; + Lib_IntVector_Intrinsics_vec128 t0; + Lib_IntVector_Intrinsics_vec128 t1; + Lib_IntVector_Intrinsics_vec128 t2; + Lib_IntVector_Intrinsics_vec128 t3; + Lib_IntVector_Intrinsics_vec128 t4; + Lib_IntVector_Intrinsics_vec128 mask26; + Lib_IntVector_Intrinsics_vec128 z0; + Lib_IntVector_Intrinsics_vec128 z1; + Lib_IntVector_Intrinsics_vec128 x0; + Lib_IntVector_Intrinsics_vec128 x3; + Lib_IntVector_Intrinsics_vec128 x1; + Lib_IntVector_Intrinsics_vec128 x4; + Lib_IntVector_Intrinsics_vec128 z01; + Lib_IntVector_Intrinsics_vec128 z11; + Lib_IntVector_Intrinsics_vec128 t; + Lib_IntVector_Intrinsics_vec128 z12; + Lib_IntVector_Intrinsics_vec128 x11; + Lib_IntVector_Intrinsics_vec128 x41; + Lib_IntVector_Intrinsics_vec128 x2; + Lib_IntVector_Intrinsics_vec128 x01; + Lib_IntVector_Intrinsics_vec128 z02; + Lib_IntVector_Intrinsics_vec128 z13; + Lib_IntVector_Intrinsics_vec128 x21; + Lib_IntVector_Intrinsics_vec128 x02; + Lib_IntVector_Intrinsics_vec128 x31; + Lib_IntVector_Intrinsics_vec128 x12; + Lib_IntVector_Intrinsics_vec128 z03; + Lib_IntVector_Intrinsics_vec128 x32; + Lib_IntVector_Intrinsics_vec128 x42; + Lib_IntVector_Intrinsics_vec128 o0; + Lib_IntVector_Intrinsics_vec128 o1; + Lib_IntVector_Intrinsics_vec128 o2; + Lib_IntVector_Intrinsics_vec128 o3; + 
Lib_IntVector_Intrinsics_vec128 o4; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + b = (uint64_t)0x1000000U; + mask = Lib_IntVector_Intrinsics_vec128_load64(b); + f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec128_or(f4, mask); + r1 = pre; + r5 = pre + (uint32_t)5U; + r0 = r1[0U]; + r11 = r1[1U]; + r2 = r1[2U]; + r3 = r1[3U]; + r4 = r1[4U]; + r51 = r5[1U]; + r52 = r5[2U]; + r53 = r5[3U]; + r54 = r5[4U]; + f10 = e[0U]; + f11 = e[1U]; + f12 = e[2U]; + f13 = e[3U]; + f14 = e[4U]; + a0 = acc[0U]; + a1 = acc[1U]; + a2 = acc[2U]; + a3 = acc[3U]; + a4 = acc[4U]; + a01 = Lib_IntVector_Intrinsics_vec128_add64(a0, f10); + a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, f11); + a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, f12); + a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, f13); + a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, f14); + a02 = Lib_IntVector_Intrinsics_vec128_mul64(r0, a01); + a12 = Lib_IntVector_Intrinsics_vec128_mul64(r11, a01); + a22 = Lib_IntVector_Intrinsics_vec128_mul64(r2, a01); + a32 = Lib_IntVector_Intrinsics_vec128_mul64(r3, a01); + a42 = Lib_IntVector_Intrinsics_vec128_mul64(r4, a01); + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a11)); + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a11)); + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r11, a11)); + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a11)); + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r3, a11)); + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a21)); + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a21)); + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a21)); + a34 = 
+ Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r11, a21)); + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a21)); + a05 = + Lib_IntVector_Intrinsics_vec128_add64(a04, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a31)); + a15 = + Lib_IntVector_Intrinsics_vec128_add64(a14, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a31)); + a25 = + Lib_IntVector_Intrinsics_vec128_add64(a24, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a31)); + a35 = + Lib_IntVector_Intrinsics_vec128_add64(a34, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a31)); + a45 = + Lib_IntVector_Intrinsics_vec128_add64(a44, + Lib_IntVector_Intrinsics_vec128_mul64(r11, a31)); + a06 = + Lib_IntVector_Intrinsics_vec128_add64(a05, + Lib_IntVector_Intrinsics_vec128_mul64(r51, a41)); + a16 = + Lib_IntVector_Intrinsics_vec128_add64(a15, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a41)); + a26 = + Lib_IntVector_Intrinsics_vec128_add64(a25, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a41)); + a36 = + Lib_IntVector_Intrinsics_vec128_add64(a35, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a41)); + a46 = + Lib_IntVector_Intrinsics_vec128_add64(a45, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a41)); + t0 = a06; + t1 = a16; + t2 = a26; + t3 = a36; + t4 = a46; + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t0, (uint32_t)26U); + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + x0 = Lib_IntVector_Intrinsics_vec128_and(t0, mask26); + x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + x1 = Lib_IntVector_Intrinsics_vec128_add64(t1, z0); + x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + z12 = 
Lib_IntVector_Intrinsics_vec128_add64(z11, t); + x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + o0 = x02; + o1 = x12; + o2 = x21; + o3 = x32; + o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + return; + } + } + } +} + +static inline void +poly1305_do_128( + uint8_t *k, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *out +) +{ + Lib_IntVector_Intrinsics_vec128 ctx[25U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)25U; ++_i) + ctx[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + { + uint8_t block[16U] = { 0U }; + Lib_IntVector_Intrinsics_vec128 *pre; + Lib_IntVector_Intrinsics_vec128 *acc; + Hacl_Poly1305_128_poly1305_init(ctx, k); + if (aadlen != (uint32_t)0U) + { + poly1305_padded_128(ctx, aadlen, aad); + } + if (mlen != (uint32_t)0U) + { + poly1305_padded_128(ctx, mlen, m); + } + store64_le(block, (uint64_t)aadlen); + store64_le(block + (uint32_t)8U, (uint64_t)mlen); + pre = ctx + (uint32_t)5U; + acc = ctx; + { + Lib_IntVector_Intrinsics_vec128 e[5U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + { + uint64_t u0 = load64_le(block); + uint64_t lo = u0; + uint64_t u = load64_le(block + 
(uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec128 f0 = Lib_IntVector_Intrinsics_vec128_load64(lo); + Lib_IntVector_Intrinsics_vec128 f1 = Lib_IntVector_Intrinsics_vec128_load64(hi); + Lib_IntVector_Intrinsics_vec128 + f010 = + Lib_IntVector_Intrinsics_vec128_and(f0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f110 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f20 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(f1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f01 = f010; + Lib_IntVector_Intrinsics_vec128 f111 = f110; + Lib_IntVector_Intrinsics_vec128 f2 = f20; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f41 = f40; + uint64_t b; + Lib_IntVector_Intrinsics_vec128 mask; + Lib_IntVector_Intrinsics_vec128 f4; + Lib_IntVector_Intrinsics_vec128 *r; + Lib_IntVector_Intrinsics_vec128 *r5; + Lib_IntVector_Intrinsics_vec128 r0; + Lib_IntVector_Intrinsics_vec128 r1; + Lib_IntVector_Intrinsics_vec128 r2; + Lib_IntVector_Intrinsics_vec128 r3; + Lib_IntVector_Intrinsics_vec128 r4; + Lib_IntVector_Intrinsics_vec128 r51; + Lib_IntVector_Intrinsics_vec128 r52; + Lib_IntVector_Intrinsics_vec128 r53; + Lib_IntVector_Intrinsics_vec128 r54; + Lib_IntVector_Intrinsics_vec128 f10; + 
Lib_IntVector_Intrinsics_vec128 f11; + Lib_IntVector_Intrinsics_vec128 f12; + Lib_IntVector_Intrinsics_vec128 f13; + Lib_IntVector_Intrinsics_vec128 f14; + Lib_IntVector_Intrinsics_vec128 a0; + Lib_IntVector_Intrinsics_vec128 a1; + Lib_IntVector_Intrinsics_vec128 a2; + Lib_IntVector_Intrinsics_vec128 a3; + Lib_IntVector_Intrinsics_vec128 a4; + Lib_IntVector_Intrinsics_vec128 a01; + Lib_IntVector_Intrinsics_vec128 a11; + Lib_IntVector_Intrinsics_vec128 a21; + Lib_IntVector_Intrinsics_vec128 a31; + Lib_IntVector_Intrinsics_vec128 a41; + Lib_IntVector_Intrinsics_vec128 a02; + Lib_IntVector_Intrinsics_vec128 a12; + Lib_IntVector_Intrinsics_vec128 a22; + Lib_IntVector_Intrinsics_vec128 a32; + Lib_IntVector_Intrinsics_vec128 a42; + Lib_IntVector_Intrinsics_vec128 a03; + Lib_IntVector_Intrinsics_vec128 a13; + Lib_IntVector_Intrinsics_vec128 a23; + Lib_IntVector_Intrinsics_vec128 a33; + Lib_IntVector_Intrinsics_vec128 a43; + Lib_IntVector_Intrinsics_vec128 a04; + Lib_IntVector_Intrinsics_vec128 a14; + Lib_IntVector_Intrinsics_vec128 a24; + Lib_IntVector_Intrinsics_vec128 a34; + Lib_IntVector_Intrinsics_vec128 a44; + Lib_IntVector_Intrinsics_vec128 a05; + Lib_IntVector_Intrinsics_vec128 a15; + Lib_IntVector_Intrinsics_vec128 a25; + Lib_IntVector_Intrinsics_vec128 a35; + Lib_IntVector_Intrinsics_vec128 a45; + Lib_IntVector_Intrinsics_vec128 a06; + Lib_IntVector_Intrinsics_vec128 a16; + Lib_IntVector_Intrinsics_vec128 a26; + Lib_IntVector_Intrinsics_vec128 a36; + Lib_IntVector_Intrinsics_vec128 a46; + Lib_IntVector_Intrinsics_vec128 t0; + Lib_IntVector_Intrinsics_vec128 t1; + Lib_IntVector_Intrinsics_vec128 t2; + Lib_IntVector_Intrinsics_vec128 t3; + Lib_IntVector_Intrinsics_vec128 t4; + Lib_IntVector_Intrinsics_vec128 mask26; + Lib_IntVector_Intrinsics_vec128 z0; + Lib_IntVector_Intrinsics_vec128 z1; + Lib_IntVector_Intrinsics_vec128 x0; + Lib_IntVector_Intrinsics_vec128 x3; + Lib_IntVector_Intrinsics_vec128 x1; + Lib_IntVector_Intrinsics_vec128 x4; + 
Lib_IntVector_Intrinsics_vec128 z01; + Lib_IntVector_Intrinsics_vec128 z11; + Lib_IntVector_Intrinsics_vec128 t; + Lib_IntVector_Intrinsics_vec128 z12; + Lib_IntVector_Intrinsics_vec128 x11; + Lib_IntVector_Intrinsics_vec128 x41; + Lib_IntVector_Intrinsics_vec128 x2; + Lib_IntVector_Intrinsics_vec128 x01; + Lib_IntVector_Intrinsics_vec128 z02; + Lib_IntVector_Intrinsics_vec128 z13; + Lib_IntVector_Intrinsics_vec128 x21; + Lib_IntVector_Intrinsics_vec128 x02; + Lib_IntVector_Intrinsics_vec128 x31; + Lib_IntVector_Intrinsics_vec128 x12; + Lib_IntVector_Intrinsics_vec128 z03; + Lib_IntVector_Intrinsics_vec128 x32; + Lib_IntVector_Intrinsics_vec128 x42; + Lib_IntVector_Intrinsics_vec128 o0; + Lib_IntVector_Intrinsics_vec128 o1; + Lib_IntVector_Intrinsics_vec128 o2; + Lib_IntVector_Intrinsics_vec128 o3; + Lib_IntVector_Intrinsics_vec128 o4; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + b = (uint64_t)0x1000000U; + mask = Lib_IntVector_Intrinsics_vec128_load64(b); + f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec128_or(f4, mask); + r = pre; + r5 = pre + (uint32_t)5U; + r0 = r[0U]; + r1 = r[1U]; + r2 = r[2U]; + r3 = r[3U]; + r4 = r[4U]; + r51 = r5[1U]; + r52 = r5[2U]; + r53 = r5[3U]; + r54 = r5[4U]; + f10 = e[0U]; + f11 = e[1U]; + f12 = e[2U]; + f13 = e[3U]; + f14 = e[4U]; + a0 = acc[0U]; + a1 = acc[1U]; + a2 = acc[2U]; + a3 = acc[3U]; + a4 = acc[4U]; + a01 = Lib_IntVector_Intrinsics_vec128_add64(a0, f10); + a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, f11); + a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, f12); + a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, f13); + a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, f14); + a02 = Lib_IntVector_Intrinsics_vec128_mul64(r0, a01); + a12 = Lib_IntVector_Intrinsics_vec128_mul64(r1, a01); + a22 = Lib_IntVector_Intrinsics_vec128_mul64(r2, a01); + a32 = Lib_IntVector_Intrinsics_vec128_mul64(r3, a01); + a42 = Lib_IntVector_Intrinsics_vec128_mul64(r4, a01); + a03 = + 
Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a11)); + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a11)); + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a11)); + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a11)); + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r3, a11)); + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a21)); + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a21)); + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a21)); + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a21)); + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a21)); + a05 = + Lib_IntVector_Intrinsics_vec128_add64(a04, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a31)); + a15 = + Lib_IntVector_Intrinsics_vec128_add64(a14, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a31)); + a25 = + Lib_IntVector_Intrinsics_vec128_add64(a24, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a31)); + a35 = + Lib_IntVector_Intrinsics_vec128_add64(a34, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a31)); + a45 = + Lib_IntVector_Intrinsics_vec128_add64(a44, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a31)); + a06 = + Lib_IntVector_Intrinsics_vec128_add64(a05, + Lib_IntVector_Intrinsics_vec128_mul64(r51, a41)); + a16 = + Lib_IntVector_Intrinsics_vec128_add64(a15, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a41)); + a26 = + Lib_IntVector_Intrinsics_vec128_add64(a25, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a41)); + a36 = + Lib_IntVector_Intrinsics_vec128_add64(a35, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a41)); + a46 = + 
Lib_IntVector_Intrinsics_vec128_add64(a45, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a41)); + t0 = a06; + t1 = a16; + t2 = a26; + t3 = a36; + t4 = a46; + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t0, (uint32_t)26U); + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + x0 = Lib_IntVector_Intrinsics_vec128_and(t0, mask26); + x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + x1 = Lib_IntVector_Intrinsics_vec128_add64(t1, z0); + x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + o0 = x02; + o1 = x12; + o2 = x21; + o3 = x32; + o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + Hacl_Poly1305_128_poly1305_finish(out, k, ctx); + } + } + } +} + +void +Hacl_Chacha20Poly1305_128_aead_encrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + 
uint8_t *m, + uint8_t *cipher, + uint8_t *mac +) +{ + Hacl_Chacha20_Vec128_chacha20_encrypt_128(mlen, cipher, m, k, n, (uint32_t)1U); + { + uint8_t tmp[64U] = { 0U }; + uint8_t *key; + Hacl_Chacha20_Vec128_chacha20_encrypt_128((uint32_t)64U, tmp, tmp, k, n, (uint32_t)0U); + key = tmp; + poly1305_do_128(key, aadlen, aad, mlen, cipher, mac); + } +} + +uint32_t +Hacl_Chacha20Poly1305_128_aead_decrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *mac +) +{ + uint8_t computed_mac[16U] = { 0U }; + uint8_t tmp[64U] = { 0U }; + uint8_t *key; + Hacl_Chacha20_Vec128_chacha20_encrypt_128((uint32_t)64U, tmp, tmp, k, n, (uint32_t)0U); + key = tmp; + poly1305_do_128(key, aadlen, aad, mlen, cipher, computed_mac); + { + uint8_t res0 = (uint8_t)255U; + uint8_t z; + uint32_t res; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint8_t uu____0 = FStar_UInt8_eq_mask(computed_mac[i], mac[i]); + res0 = uu____0 & res0; + } + } + z = res0; + if (z == (uint8_t)255U) + { + Hacl_Chacha20_Vec128_chacha20_encrypt_128(mlen, m, cipher, k, n, (uint32_t)1U); + res = (uint32_t)0U; + } + else + { + res = (uint32_t)1U; + } + return res; + } +} + diff --git a/src/c89/Hacl_Chacha20Poly1305_256.c b/src/c89/Hacl_Chacha20Poly1305_256.c new file mode 100644 index 00000000..e61c5275 --- /dev/null +++ b/src/c89/Hacl_Chacha20Poly1305_256.c 
@@ -0,0 +1,1409 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Chacha20Poly1305_256.h" + +#include "internal/Hacl_Poly1305_256.h" + +static inline void +poly1305_padded_256(Lib_IntVector_Intrinsics_vec256 *ctx, uint32_t len, uint8_t *text) +{ + uint32_t n = len / (uint32_t)16U; + uint32_t r = len % (uint32_t)16U; + uint8_t *blocks = text; + uint8_t *rem = text + n * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec256 *pre0 = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 *acc0 = ctx; + uint32_t sz_block = (uint32_t)64U; + uint32_t len0 = n * (uint32_t)16U / sz_block * sz_block; + uint8_t *t00 = blocks; + uint32_t len1; + uint8_t *t10; + uint32_t nb0; + uint32_t rem1; + if (len0 > (uint32_t)0U) + { + uint32_t bs = (uint32_t)64U; + uint8_t *text0 = t00; + Hacl_Impl_Poly1305_Field32xN_256_load_acc4(acc0, text0); + { + uint32_t len10 = len0 - bs; + uint8_t *text1 = t00 + bs; + uint32_t nb = len10 / bs; + { + uint32_t i; + for (i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = text1 + i * bs; + Lib_IntVector_Intrinsics_vec256 e[5U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + Lib_IntVector_Intrinsics_vec256 lo = Lib_IntVector_Intrinsics_vec256_load64_le(block); + Lib_IntVector_Intrinsics_vec256 + hi = Lib_IntVector_Intrinsics_vec256_load64_le(block + (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 + mask260 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + m0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(lo, hi); + Lib_IntVector_Intrinsics_vec256 + m1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(lo, hi); + Lib_IntVector_Intrinsics_vec256 + m2 = Lib_IntVector_Intrinsics_vec256_shift_right(m0, (uint32_t)48U); + Lib_IntVector_Intrinsics_vec256 + m3 = Lib_IntVector_Intrinsics_vec256_shift_right(m1, (uint32_t)48U); + Lib_IntVector_Intrinsics_vec256 + m4 = Lib_IntVector_Intrinsics_vec256_interleave_high64(m0, m1); + Lib_IntVector_Intrinsics_vec256 + t010 = 
Lib_IntVector_Intrinsics_vec256_interleave_low64(m0, m1); + Lib_IntVector_Intrinsics_vec256 + t30 = Lib_IntVector_Intrinsics_vec256_interleave_low64(m2, m3); + Lib_IntVector_Intrinsics_vec256 + t20 = Lib_IntVector_Intrinsics_vec256_shift_right64(t30, (uint32_t)4U); + Lib_IntVector_Intrinsics_vec256 o20 = Lib_IntVector_Intrinsics_vec256_and(t20, mask260); + Lib_IntVector_Intrinsics_vec256 + t11 = Lib_IntVector_Intrinsics_vec256_shift_right64(t010, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 o10 = Lib_IntVector_Intrinsics_vec256_and(t11, mask260); + Lib_IntVector_Intrinsics_vec256 o5 = Lib_IntVector_Intrinsics_vec256_and(t010, mask260); + Lib_IntVector_Intrinsics_vec256 + t31 = Lib_IntVector_Intrinsics_vec256_shift_right64(t30, (uint32_t)30U); + Lib_IntVector_Intrinsics_vec256 o30 = Lib_IntVector_Intrinsics_vec256_and(t31, mask260); + Lib_IntVector_Intrinsics_vec256 + o40 = Lib_IntVector_Intrinsics_vec256_shift_right64(m4, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 o00 = o5; + Lib_IntVector_Intrinsics_vec256 o11 = o10; + Lib_IntVector_Intrinsics_vec256 o21 = o20; + Lib_IntVector_Intrinsics_vec256 o31 = o30; + Lib_IntVector_Intrinsics_vec256 o41 = o40; + e[0U] = o00; + e[1U] = o11; + e[2U] = o21; + e[3U] = o31; + e[4U] = o41; + { + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_load64(b); + Lib_IntVector_Intrinsics_vec256 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec256_or(f4, mask); + { + Lib_IntVector_Intrinsics_vec256 *rn = pre0 + (uint32_t)10U; + Lib_IntVector_Intrinsics_vec256 *rn5 = pre0 + (uint32_t)15U; + Lib_IntVector_Intrinsics_vec256 r0 = rn[0U]; + Lib_IntVector_Intrinsics_vec256 r1 = rn[1U]; + Lib_IntVector_Intrinsics_vec256 r2 = rn[2U]; + Lib_IntVector_Intrinsics_vec256 r3 = rn[3U]; + Lib_IntVector_Intrinsics_vec256 r4 = rn[4U]; + Lib_IntVector_Intrinsics_vec256 r51 = rn5[1U]; + Lib_IntVector_Intrinsics_vec256 r52 = rn5[2U]; + Lib_IntVector_Intrinsics_vec256 r53 = rn5[3U]; + 
Lib_IntVector_Intrinsics_vec256 r54 = rn5[4U]; + Lib_IntVector_Intrinsics_vec256 f10 = acc0[0U]; + Lib_IntVector_Intrinsics_vec256 f110 = acc0[1U]; + Lib_IntVector_Intrinsics_vec256 f120 = acc0[2U]; + Lib_IntVector_Intrinsics_vec256 f130 = acc0[3U]; + Lib_IntVector_Intrinsics_vec256 f140 = acc0[4U]; + Lib_IntVector_Intrinsics_vec256 a0 = Lib_IntVector_Intrinsics_vec256_mul64(r0, f10); + Lib_IntVector_Intrinsics_vec256 a1 = Lib_IntVector_Intrinsics_vec256_mul64(r1, f10); + Lib_IntVector_Intrinsics_vec256 a2 = Lib_IntVector_Intrinsics_vec256_mul64(r2, f10); + Lib_IntVector_Intrinsics_vec256 a3 = Lib_IntVector_Intrinsics_vec256_mul64(r3, f10); + Lib_IntVector_Intrinsics_vec256 a4 = Lib_IntVector_Intrinsics_vec256_mul64(r4, f10); + Lib_IntVector_Intrinsics_vec256 + a01 = + Lib_IntVector_Intrinsics_vec256_add64(a0, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f110)); + Lib_IntVector_Intrinsics_vec256 + a11 = + Lib_IntVector_Intrinsics_vec256_add64(a1, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f110)); + Lib_IntVector_Intrinsics_vec256 + a21 = + Lib_IntVector_Intrinsics_vec256_add64(a2, + Lib_IntVector_Intrinsics_vec256_mul64(r1, f110)); + Lib_IntVector_Intrinsics_vec256 + a31 = + Lib_IntVector_Intrinsics_vec256_add64(a3, + Lib_IntVector_Intrinsics_vec256_mul64(r2, f110)); + Lib_IntVector_Intrinsics_vec256 + a41 = + Lib_IntVector_Intrinsics_vec256_add64(a4, + Lib_IntVector_Intrinsics_vec256_mul64(r3, f110)); + Lib_IntVector_Intrinsics_vec256 + a02 = + Lib_IntVector_Intrinsics_vec256_add64(a01, + Lib_IntVector_Intrinsics_vec256_mul64(r53, f120)); + Lib_IntVector_Intrinsics_vec256 + a12 = + Lib_IntVector_Intrinsics_vec256_add64(a11, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f120)); + Lib_IntVector_Intrinsics_vec256 + a22 = + Lib_IntVector_Intrinsics_vec256_add64(a21, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f120)); + Lib_IntVector_Intrinsics_vec256 + a32 = + Lib_IntVector_Intrinsics_vec256_add64(a31, + Lib_IntVector_Intrinsics_vec256_mul64(r1, f120)); + 
Lib_IntVector_Intrinsics_vec256 + a42 = + Lib_IntVector_Intrinsics_vec256_add64(a41, + Lib_IntVector_Intrinsics_vec256_mul64(r2, f120)); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r52, f130)); + Lib_IntVector_Intrinsics_vec256 + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r53, f130)); + Lib_IntVector_Intrinsics_vec256 + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f130)); + Lib_IntVector_Intrinsics_vec256 + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f130)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r1, f130)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r51, f140)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r52, f140)); + Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r53, f140)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f140)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f140)); + Lib_IntVector_Intrinsics_vec256 t01 = a04; + Lib_IntVector_Intrinsics_vec256 t1 = a14; + Lib_IntVector_Intrinsics_vec256 t2 = a24; + Lib_IntVector_Intrinsics_vec256 t3 = a34; + Lib_IntVector_Intrinsics_vec256 t4 = a44; + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t01, (uint32_t)26U); + 
Lib_IntVector_Intrinsics_vec256 + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + x0 = Lib_IntVector_Intrinsics_vec256_and(t01, mask26); + Lib_IntVector_Intrinsics_vec256 + x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t1, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + Lib_IntVector_Intrinsics_vec256 + x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + Lib_IntVector_Intrinsics_vec256 + x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 + x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + Lib_IntVector_Intrinsics_vec256 + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 + x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 + x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 + x12 = Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + x32 = Lib_IntVector_Intrinsics_vec256_and(x31, 
mask26); + Lib_IntVector_Intrinsics_vec256 + x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o01 = x02; + Lib_IntVector_Intrinsics_vec256 o12 = x12; + Lib_IntVector_Intrinsics_vec256 o22 = x21; + Lib_IntVector_Intrinsics_vec256 o32 = x32; + Lib_IntVector_Intrinsics_vec256 o42 = x42; + acc0[0U] = o01; + acc0[1U] = o12; + acc0[2U] = o22; + acc0[3U] = o32; + acc0[4U] = o42; + { + Lib_IntVector_Intrinsics_vec256 f100 = acc0[0U]; + Lib_IntVector_Intrinsics_vec256 f11 = acc0[1U]; + Lib_IntVector_Intrinsics_vec256 f12 = acc0[2U]; + Lib_IntVector_Intrinsics_vec256 f13 = acc0[3U]; + Lib_IntVector_Intrinsics_vec256 f14 = acc0[4U]; + Lib_IntVector_Intrinsics_vec256 f20 = e[0U]; + Lib_IntVector_Intrinsics_vec256 f21 = e[1U]; + Lib_IntVector_Intrinsics_vec256 f22 = e[2U]; + Lib_IntVector_Intrinsics_vec256 f23 = e[3U]; + Lib_IntVector_Intrinsics_vec256 f24 = e[4U]; + Lib_IntVector_Intrinsics_vec256 + o0 = Lib_IntVector_Intrinsics_vec256_add64(f100, f20); + Lib_IntVector_Intrinsics_vec256 + o1 = Lib_IntVector_Intrinsics_vec256_add64(f11, f21); + Lib_IntVector_Intrinsics_vec256 + o2 = Lib_IntVector_Intrinsics_vec256_add64(f12, f22); + Lib_IntVector_Intrinsics_vec256 + o3 = Lib_IntVector_Intrinsics_vec256_add64(f13, f23); + Lib_IntVector_Intrinsics_vec256 + o4 = Lib_IntVector_Intrinsics_vec256_add64(f14, f24); + acc0[0U] = o0; + acc0[1U] = o1; + acc0[2U] = o2; + acc0[3U] = o3; + acc0[4U] = o4; + } + } + } + } + } + } + Hacl_Impl_Poly1305_Field32xN_256_fmul_r4_normalize(acc0, pre0); + } + } + len1 = n * (uint32_t)16U - len0; + t10 = blocks + len0; + nb0 = len1 / (uint32_t)16U; + rem1 = len1 % (uint32_t)16U; + { + uint32_t i; + for (i = (uint32_t)0U; i < nb0; i++) + { + uint8_t *block = t10 + i * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec256 e[5U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + uint64_t u0 = load64_le(block); + uint64_t lo = u0; + uint64_t u = 
load64_le(block + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec256 f0 = Lib_IntVector_Intrinsics_vec256_load64(lo); + Lib_IntVector_Intrinsics_vec256 f1 = Lib_IntVector_Intrinsics_vec256_load64(hi); + Lib_IntVector_Intrinsics_vec256 + f010 = + Lib_IntVector_Intrinsics_vec256_and(f0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f110 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f20 = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec256_shift_left64(Lib_IntVector_Intrinsics_vec256_and(f1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec256 + f30 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f40 = Lib_IntVector_Intrinsics_vec256_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 f01 = f010; + Lib_IntVector_Intrinsics_vec256 f111 = f110; + Lib_IntVector_Intrinsics_vec256 f2 = f20; + Lib_IntVector_Intrinsics_vec256 f3 = f30; + Lib_IntVector_Intrinsics_vec256 f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + { + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_load64(b); + Lib_IntVector_Intrinsics_vec256 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec256_or(f4, mask); + { + Lib_IntVector_Intrinsics_vec256 *r1 = pre0; + Lib_IntVector_Intrinsics_vec256 *r5 = pre0 + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 r0 = r1[0U]; + Lib_IntVector_Intrinsics_vec256 r11 = r1[1U]; + Lib_IntVector_Intrinsics_vec256 r2 = r1[2U]; + 
Lib_IntVector_Intrinsics_vec256 r3 = r1[3U]; + Lib_IntVector_Intrinsics_vec256 r4 = r1[4U]; + Lib_IntVector_Intrinsics_vec256 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec256 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec256 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec256 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec256 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec256 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec256 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec256 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec256 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec256 a0 = acc0[0U]; + Lib_IntVector_Intrinsics_vec256 a1 = acc0[1U]; + Lib_IntVector_Intrinsics_vec256 a2 = acc0[2U]; + Lib_IntVector_Intrinsics_vec256 a3 = acc0[3U]; + Lib_IntVector_Intrinsics_vec256 a4 = acc0[4U]; + Lib_IntVector_Intrinsics_vec256 a01 = Lib_IntVector_Intrinsics_vec256_add64(a0, f10); + Lib_IntVector_Intrinsics_vec256 a11 = Lib_IntVector_Intrinsics_vec256_add64(a1, f11); + Lib_IntVector_Intrinsics_vec256 a21 = Lib_IntVector_Intrinsics_vec256_add64(a2, f12); + Lib_IntVector_Intrinsics_vec256 a31 = Lib_IntVector_Intrinsics_vec256_add64(a3, f13); + Lib_IntVector_Intrinsics_vec256 a41 = Lib_IntVector_Intrinsics_vec256_add64(a4, f14); + Lib_IntVector_Intrinsics_vec256 a02 = Lib_IntVector_Intrinsics_vec256_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec256 a12 = Lib_IntVector_Intrinsics_vec256_mul64(r11, a01); + Lib_IntVector_Intrinsics_vec256 a22 = Lib_IntVector_Intrinsics_vec256_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec256 a32 = Lib_IntVector_Intrinsics_vec256_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec256 a42 = Lib_IntVector_Intrinsics_vec256_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec256 + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec256 + a23 = + 
Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r11, a11)); + Lib_IntVector_Intrinsics_vec256 + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r11, a21)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec256 + a05 = + Lib_IntVector_Intrinsics_vec256_add64(a04, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec256 + a15 = + Lib_IntVector_Intrinsics_vec256_add64(a14, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec256 + a25 = + Lib_IntVector_Intrinsics_vec256_add64(a24, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec256 + a35 = + Lib_IntVector_Intrinsics_vec256_add64(a34, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec256 + a45 = + Lib_IntVector_Intrinsics_vec256_add64(a44, + Lib_IntVector_Intrinsics_vec256_mul64(r11, a31)); + Lib_IntVector_Intrinsics_vec256 + a06 = + Lib_IntVector_Intrinsics_vec256_add64(a05, + Lib_IntVector_Intrinsics_vec256_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec256 + a16 = + Lib_IntVector_Intrinsics_vec256_add64(a15, + 
Lib_IntVector_Intrinsics_vec256_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec256 + a26 = + Lib_IntVector_Intrinsics_vec256_add64(a25, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec256 + a36 = + Lib_IntVector_Intrinsics_vec256_add64(a35, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec256 + a46 = + Lib_IntVector_Intrinsics_vec256_add64(a45, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec256 t01 = a06; + Lib_IntVector_Intrinsics_vec256 t11 = a16; + Lib_IntVector_Intrinsics_vec256 t2 = a26; + Lib_IntVector_Intrinsics_vec256 t3 = a36; + Lib_IntVector_Intrinsics_vec256 t4 = a46; + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_and(t01, mask26); + Lib_IntVector_Intrinsics_vec256 x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t11, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + Lib_IntVector_Intrinsics_vec256 x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + Lib_IntVector_Intrinsics_vec256 x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = 
Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + Lib_IntVector_Intrinsics_vec256 + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 x12 = Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + Lib_IntVector_Intrinsics_vec256 x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o0 = x02; + Lib_IntVector_Intrinsics_vec256 o1 = x12; + Lib_IntVector_Intrinsics_vec256 o2 = x21; + Lib_IntVector_Intrinsics_vec256 o3 = x32; + Lib_IntVector_Intrinsics_vec256 o4 = x42; + acc0[0U] = o0; + acc0[1U] = o1; + acc0[2U] = o2; + acc0[3U] = o3; + acc0[4U] = o4; + } + } + } + } + } + if (rem1 > (uint32_t)0U) + { + uint8_t *last = t10 + nb0 * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec256 e[5U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + uint8_t tmp[16U] = { 0U }; + memcpy(tmp, last, rem1 * sizeof (uint8_t)); + { + uint64_t u0 = load64_le(tmp); + uint64_t lo = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec256 f0 = Lib_IntVector_Intrinsics_vec256_load64(lo); + Lib_IntVector_Intrinsics_vec256 f1 = Lib_IntVector_Intrinsics_vec256_load64(hi); + Lib_IntVector_Intrinsics_vec256 + f010 = + 
Lib_IntVector_Intrinsics_vec256_and(f0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f110 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f20 = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec256_shift_left64(Lib_IntVector_Intrinsics_vec256_and(f1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec256 + f30 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f40 = Lib_IntVector_Intrinsics_vec256_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 f01 = f010; + Lib_IntVector_Intrinsics_vec256 f111 = f110; + Lib_IntVector_Intrinsics_vec256 f2 = f20; + Lib_IntVector_Intrinsics_vec256 f3 = f30; + Lib_IntVector_Intrinsics_vec256 f4 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f4; + { + uint64_t b = (uint64_t)1U << rem1 * (uint32_t)8U % (uint32_t)26U; + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_load64(b); + Lib_IntVector_Intrinsics_vec256 fi = e[rem1 * (uint32_t)8U / (uint32_t)26U]; + e[rem1 * (uint32_t)8U / (uint32_t)26U] = Lib_IntVector_Intrinsics_vec256_or(fi, mask); + { + Lib_IntVector_Intrinsics_vec256 *r1 = pre0; + Lib_IntVector_Intrinsics_vec256 *r5 = pre0 + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 r0 = r1[0U]; + Lib_IntVector_Intrinsics_vec256 r11 = r1[1U]; + Lib_IntVector_Intrinsics_vec256 r2 = r1[2U]; + Lib_IntVector_Intrinsics_vec256 r3 = r1[3U]; + Lib_IntVector_Intrinsics_vec256 r4 = r1[4U]; + Lib_IntVector_Intrinsics_vec256 r51 = r5[1U]; + 
Lib_IntVector_Intrinsics_vec256 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec256 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec256 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec256 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec256 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec256 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec256 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec256 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec256 a0 = acc0[0U]; + Lib_IntVector_Intrinsics_vec256 a1 = acc0[1U]; + Lib_IntVector_Intrinsics_vec256 a2 = acc0[2U]; + Lib_IntVector_Intrinsics_vec256 a3 = acc0[3U]; + Lib_IntVector_Intrinsics_vec256 a4 = acc0[4U]; + Lib_IntVector_Intrinsics_vec256 a01 = Lib_IntVector_Intrinsics_vec256_add64(a0, f10); + Lib_IntVector_Intrinsics_vec256 a11 = Lib_IntVector_Intrinsics_vec256_add64(a1, f11); + Lib_IntVector_Intrinsics_vec256 a21 = Lib_IntVector_Intrinsics_vec256_add64(a2, f12); + Lib_IntVector_Intrinsics_vec256 a31 = Lib_IntVector_Intrinsics_vec256_add64(a3, f13); + Lib_IntVector_Intrinsics_vec256 a41 = Lib_IntVector_Intrinsics_vec256_add64(a4, f14); + Lib_IntVector_Intrinsics_vec256 a02 = Lib_IntVector_Intrinsics_vec256_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec256 a12 = Lib_IntVector_Intrinsics_vec256_mul64(r11, a01); + Lib_IntVector_Intrinsics_vec256 a22 = Lib_IntVector_Intrinsics_vec256_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec256 a32 = Lib_IntVector_Intrinsics_vec256_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec256 a42 = Lib_IntVector_Intrinsics_vec256_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec256 + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec256 + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r11, a11)); + Lib_IntVector_Intrinsics_vec256 + a33 = + 
Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r11, a21)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec256 + a05 = + Lib_IntVector_Intrinsics_vec256_add64(a04, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec256 + a15 = + Lib_IntVector_Intrinsics_vec256_add64(a14, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec256 + a25 = + Lib_IntVector_Intrinsics_vec256_add64(a24, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec256 + a35 = + Lib_IntVector_Intrinsics_vec256_add64(a34, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec256 + a45 = + Lib_IntVector_Intrinsics_vec256_add64(a44, + Lib_IntVector_Intrinsics_vec256_mul64(r11, a31)); + Lib_IntVector_Intrinsics_vec256 + a06 = + Lib_IntVector_Intrinsics_vec256_add64(a05, + Lib_IntVector_Intrinsics_vec256_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec256 + a16 = + Lib_IntVector_Intrinsics_vec256_add64(a15, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec256 + a26 = + Lib_IntVector_Intrinsics_vec256_add64(a25, + 
Lib_IntVector_Intrinsics_vec256_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec256 + a36 = + Lib_IntVector_Intrinsics_vec256_add64(a35, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec256 + a46 = + Lib_IntVector_Intrinsics_vec256_add64(a45, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec256 t01 = a06; + Lib_IntVector_Intrinsics_vec256 t11 = a16; + Lib_IntVector_Intrinsics_vec256 t2 = a26; + Lib_IntVector_Intrinsics_vec256 t3 = a36; + Lib_IntVector_Intrinsics_vec256 t4 = a46; + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_and(t01, mask26); + Lib_IntVector_Intrinsics_vec256 x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t11, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + Lib_IntVector_Intrinsics_vec256 x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + Lib_IntVector_Intrinsics_vec256 x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + 
Lib_IntVector_Intrinsics_vec256 + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 x12 = Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + Lib_IntVector_Intrinsics_vec256 x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o0 = x02; + Lib_IntVector_Intrinsics_vec256 o1 = x12; + Lib_IntVector_Intrinsics_vec256 o2 = x21; + Lib_IntVector_Intrinsics_vec256 o3 = x32; + Lib_IntVector_Intrinsics_vec256 o4 = x42; + acc0[0U] = o0; + acc0[1U] = o1; + acc0[2U] = o2; + acc0[3U] = o3; + acc0[4U] = o4; + } + } + } + } + } + { + uint8_t tmp[16U] = { 0U }; + memcpy(tmp, rem, r * sizeof (uint8_t)); + if (r > (uint32_t)0U) + { + Lib_IntVector_Intrinsics_vec256 *pre = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 *acc = ctx; + Lib_IntVector_Intrinsics_vec256 e[5U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + uint64_t u0 = load64_le(tmp); + uint64_t lo = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec256 f0 = Lib_IntVector_Intrinsics_vec256_load64(lo); + Lib_IntVector_Intrinsics_vec256 f1 = Lib_IntVector_Intrinsics_vec256_load64(hi); + Lib_IntVector_Intrinsics_vec256 + f010 = + Lib_IntVector_Intrinsics_vec256_and(f0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + 
Lib_IntVector_Intrinsics_vec256 + f110 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f20 = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec256_shift_left64(Lib_IntVector_Intrinsics_vec256_and(f1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec256 + f30 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f40 = Lib_IntVector_Intrinsics_vec256_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 f01 = f010; + Lib_IntVector_Intrinsics_vec256 f111 = f110; + Lib_IntVector_Intrinsics_vec256 f2 = f20; + Lib_IntVector_Intrinsics_vec256 f3 = f30; + Lib_IntVector_Intrinsics_vec256 f41 = f40; + uint64_t b; + Lib_IntVector_Intrinsics_vec256 mask; + Lib_IntVector_Intrinsics_vec256 f4; + Lib_IntVector_Intrinsics_vec256 *r1; + Lib_IntVector_Intrinsics_vec256 *r5; + Lib_IntVector_Intrinsics_vec256 r0; + Lib_IntVector_Intrinsics_vec256 r11; + Lib_IntVector_Intrinsics_vec256 r2; + Lib_IntVector_Intrinsics_vec256 r3; + Lib_IntVector_Intrinsics_vec256 r4; + Lib_IntVector_Intrinsics_vec256 r51; + Lib_IntVector_Intrinsics_vec256 r52; + Lib_IntVector_Intrinsics_vec256 r53; + Lib_IntVector_Intrinsics_vec256 r54; + Lib_IntVector_Intrinsics_vec256 f10; + Lib_IntVector_Intrinsics_vec256 f11; + Lib_IntVector_Intrinsics_vec256 f12; + Lib_IntVector_Intrinsics_vec256 f13; + Lib_IntVector_Intrinsics_vec256 f14; + Lib_IntVector_Intrinsics_vec256 a0; + Lib_IntVector_Intrinsics_vec256 a1; + Lib_IntVector_Intrinsics_vec256 a2; + Lib_IntVector_Intrinsics_vec256 a3; + Lib_IntVector_Intrinsics_vec256 a4; + 
Lib_IntVector_Intrinsics_vec256 a01; + Lib_IntVector_Intrinsics_vec256 a11; + Lib_IntVector_Intrinsics_vec256 a21; + Lib_IntVector_Intrinsics_vec256 a31; + Lib_IntVector_Intrinsics_vec256 a41; + Lib_IntVector_Intrinsics_vec256 a02; + Lib_IntVector_Intrinsics_vec256 a12; + Lib_IntVector_Intrinsics_vec256 a22; + Lib_IntVector_Intrinsics_vec256 a32; + Lib_IntVector_Intrinsics_vec256 a42; + Lib_IntVector_Intrinsics_vec256 a03; + Lib_IntVector_Intrinsics_vec256 a13; + Lib_IntVector_Intrinsics_vec256 a23; + Lib_IntVector_Intrinsics_vec256 a33; + Lib_IntVector_Intrinsics_vec256 a43; + Lib_IntVector_Intrinsics_vec256 a04; + Lib_IntVector_Intrinsics_vec256 a14; + Lib_IntVector_Intrinsics_vec256 a24; + Lib_IntVector_Intrinsics_vec256 a34; + Lib_IntVector_Intrinsics_vec256 a44; + Lib_IntVector_Intrinsics_vec256 a05; + Lib_IntVector_Intrinsics_vec256 a15; + Lib_IntVector_Intrinsics_vec256 a25; + Lib_IntVector_Intrinsics_vec256 a35; + Lib_IntVector_Intrinsics_vec256 a45; + Lib_IntVector_Intrinsics_vec256 a06; + Lib_IntVector_Intrinsics_vec256 a16; + Lib_IntVector_Intrinsics_vec256 a26; + Lib_IntVector_Intrinsics_vec256 a36; + Lib_IntVector_Intrinsics_vec256 a46; + Lib_IntVector_Intrinsics_vec256 t0; + Lib_IntVector_Intrinsics_vec256 t1; + Lib_IntVector_Intrinsics_vec256 t2; + Lib_IntVector_Intrinsics_vec256 t3; + Lib_IntVector_Intrinsics_vec256 t4; + Lib_IntVector_Intrinsics_vec256 mask26; + Lib_IntVector_Intrinsics_vec256 z0; + Lib_IntVector_Intrinsics_vec256 z1; + Lib_IntVector_Intrinsics_vec256 x0; + Lib_IntVector_Intrinsics_vec256 x3; + Lib_IntVector_Intrinsics_vec256 x1; + Lib_IntVector_Intrinsics_vec256 x4; + Lib_IntVector_Intrinsics_vec256 z01; + Lib_IntVector_Intrinsics_vec256 z11; + Lib_IntVector_Intrinsics_vec256 t; + Lib_IntVector_Intrinsics_vec256 z12; + Lib_IntVector_Intrinsics_vec256 x11; + Lib_IntVector_Intrinsics_vec256 x41; + Lib_IntVector_Intrinsics_vec256 x2; + Lib_IntVector_Intrinsics_vec256 x01; + Lib_IntVector_Intrinsics_vec256 z02; + 
Lib_IntVector_Intrinsics_vec256 z13; + Lib_IntVector_Intrinsics_vec256 x21; + Lib_IntVector_Intrinsics_vec256 x02; + Lib_IntVector_Intrinsics_vec256 x31; + Lib_IntVector_Intrinsics_vec256 x12; + Lib_IntVector_Intrinsics_vec256 z03; + Lib_IntVector_Intrinsics_vec256 x32; + Lib_IntVector_Intrinsics_vec256 x42; + Lib_IntVector_Intrinsics_vec256 o0; + Lib_IntVector_Intrinsics_vec256 o1; + Lib_IntVector_Intrinsics_vec256 o2; + Lib_IntVector_Intrinsics_vec256 o3; + Lib_IntVector_Intrinsics_vec256 o4; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + b = (uint64_t)0x1000000U; + mask = Lib_IntVector_Intrinsics_vec256_load64(b); + f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec256_or(f4, mask); + r1 = pre; + r5 = pre + (uint32_t)5U; + r0 = r1[0U]; + r11 = r1[1U]; + r2 = r1[2U]; + r3 = r1[3U]; + r4 = r1[4U]; + r51 = r5[1U]; + r52 = r5[2U]; + r53 = r5[3U]; + r54 = r5[4U]; + f10 = e[0U]; + f11 = e[1U]; + f12 = e[2U]; + f13 = e[3U]; + f14 = e[4U]; + a0 = acc[0U]; + a1 = acc[1U]; + a2 = acc[2U]; + a3 = acc[3U]; + a4 = acc[4U]; + a01 = Lib_IntVector_Intrinsics_vec256_add64(a0, f10); + a11 = Lib_IntVector_Intrinsics_vec256_add64(a1, f11); + a21 = Lib_IntVector_Intrinsics_vec256_add64(a2, f12); + a31 = Lib_IntVector_Intrinsics_vec256_add64(a3, f13); + a41 = Lib_IntVector_Intrinsics_vec256_add64(a4, f14); + a02 = Lib_IntVector_Intrinsics_vec256_mul64(r0, a01); + a12 = Lib_IntVector_Intrinsics_vec256_mul64(r11, a01); + a22 = Lib_IntVector_Intrinsics_vec256_mul64(r2, a01); + a32 = Lib_IntVector_Intrinsics_vec256_mul64(r3, a01); + a42 = Lib_IntVector_Intrinsics_vec256_mul64(r4, a01); + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a11)); + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a11)); + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r11, a11)); + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + 
Lib_IntVector_Intrinsics_vec256_mul64(r2, a11)); + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r3, a11)); + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a21)); + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a21)); + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a21)); + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r11, a21)); + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a21)); + a05 = + Lib_IntVector_Intrinsics_vec256_add64(a04, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a31)); + a15 = + Lib_IntVector_Intrinsics_vec256_add64(a14, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a31)); + a25 = + Lib_IntVector_Intrinsics_vec256_add64(a24, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a31)); + a35 = + Lib_IntVector_Intrinsics_vec256_add64(a34, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a31)); + a45 = + Lib_IntVector_Intrinsics_vec256_add64(a44, + Lib_IntVector_Intrinsics_vec256_mul64(r11, a31)); + a06 = + Lib_IntVector_Intrinsics_vec256_add64(a05, + Lib_IntVector_Intrinsics_vec256_mul64(r51, a41)); + a16 = + Lib_IntVector_Intrinsics_vec256_add64(a15, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a41)); + a26 = + Lib_IntVector_Intrinsics_vec256_add64(a25, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a41)); + a36 = + Lib_IntVector_Intrinsics_vec256_add64(a35, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a41)); + a46 = + Lib_IntVector_Intrinsics_vec256_add64(a45, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a41)); + t0 = a06; + t1 = a16; + t2 = a26; + t3 = a36; + t4 = a46; + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t0, (uint32_t)26U); + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, 
(uint32_t)26U); + x0 = Lib_IntVector_Intrinsics_vec256_and(t0, mask26); + x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + x1 = Lib_IntVector_Intrinsics_vec256_add64(t1, z0); + x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + x12 = Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + o0 = x02; + o1 = x12; + o2 = x21; + o3 = x32; + o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + return; + } + } + } +} + +static inline void +poly1305_do_256( + uint8_t *k, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *out +) +{ + Lib_IntVector_Intrinsics_vec256 ctx[25U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)25U; ++_i) + ctx[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + uint8_t block[16U] = { 0U }; + Lib_IntVector_Intrinsics_vec256 *pre; + Lib_IntVector_Intrinsics_vec256 *acc; + Hacl_Poly1305_256_poly1305_init(ctx, k); + if (aadlen != (uint32_t)0U) + { + poly1305_padded_256(ctx, aadlen, aad); 
+ } + if (mlen != (uint32_t)0U) + { + poly1305_padded_256(ctx, mlen, m); + } + store64_le(block, (uint64_t)aadlen); + store64_le(block + (uint32_t)8U, (uint64_t)mlen); + pre = ctx + (uint32_t)5U; + acc = ctx; + { + Lib_IntVector_Intrinsics_vec256 e[5U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + uint64_t u0 = load64_le(block); + uint64_t lo = u0; + uint64_t u = load64_le(block + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec256 f0 = Lib_IntVector_Intrinsics_vec256_load64(lo); + Lib_IntVector_Intrinsics_vec256 f1 = Lib_IntVector_Intrinsics_vec256_load64(hi); + Lib_IntVector_Intrinsics_vec256 + f010 = + Lib_IntVector_Intrinsics_vec256_and(f0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f110 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f20 = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec256_shift_left64(Lib_IntVector_Intrinsics_vec256_and(f1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec256 + f30 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f40 = Lib_IntVector_Intrinsics_vec256_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 f01 = f010; + Lib_IntVector_Intrinsics_vec256 f111 = f110; + Lib_IntVector_Intrinsics_vec256 f2 = f20; + Lib_IntVector_Intrinsics_vec256 f3 = f30; + Lib_IntVector_Intrinsics_vec256 f41 = f40; + uint64_t b; + Lib_IntVector_Intrinsics_vec256 mask; + Lib_IntVector_Intrinsics_vec256 f4; + 
Lib_IntVector_Intrinsics_vec256 *r; + Lib_IntVector_Intrinsics_vec256 *r5; + Lib_IntVector_Intrinsics_vec256 r0; + Lib_IntVector_Intrinsics_vec256 r1; + Lib_IntVector_Intrinsics_vec256 r2; + Lib_IntVector_Intrinsics_vec256 r3; + Lib_IntVector_Intrinsics_vec256 r4; + Lib_IntVector_Intrinsics_vec256 r51; + Lib_IntVector_Intrinsics_vec256 r52; + Lib_IntVector_Intrinsics_vec256 r53; + Lib_IntVector_Intrinsics_vec256 r54; + Lib_IntVector_Intrinsics_vec256 f10; + Lib_IntVector_Intrinsics_vec256 f11; + Lib_IntVector_Intrinsics_vec256 f12; + Lib_IntVector_Intrinsics_vec256 f13; + Lib_IntVector_Intrinsics_vec256 f14; + Lib_IntVector_Intrinsics_vec256 a0; + Lib_IntVector_Intrinsics_vec256 a1; + Lib_IntVector_Intrinsics_vec256 a2; + Lib_IntVector_Intrinsics_vec256 a3; + Lib_IntVector_Intrinsics_vec256 a4; + Lib_IntVector_Intrinsics_vec256 a01; + Lib_IntVector_Intrinsics_vec256 a11; + Lib_IntVector_Intrinsics_vec256 a21; + Lib_IntVector_Intrinsics_vec256 a31; + Lib_IntVector_Intrinsics_vec256 a41; + Lib_IntVector_Intrinsics_vec256 a02; + Lib_IntVector_Intrinsics_vec256 a12; + Lib_IntVector_Intrinsics_vec256 a22; + Lib_IntVector_Intrinsics_vec256 a32; + Lib_IntVector_Intrinsics_vec256 a42; + Lib_IntVector_Intrinsics_vec256 a03; + Lib_IntVector_Intrinsics_vec256 a13; + Lib_IntVector_Intrinsics_vec256 a23; + Lib_IntVector_Intrinsics_vec256 a33; + Lib_IntVector_Intrinsics_vec256 a43; + Lib_IntVector_Intrinsics_vec256 a04; + Lib_IntVector_Intrinsics_vec256 a14; + Lib_IntVector_Intrinsics_vec256 a24; + Lib_IntVector_Intrinsics_vec256 a34; + Lib_IntVector_Intrinsics_vec256 a44; + Lib_IntVector_Intrinsics_vec256 a05; + Lib_IntVector_Intrinsics_vec256 a15; + Lib_IntVector_Intrinsics_vec256 a25; + Lib_IntVector_Intrinsics_vec256 a35; + Lib_IntVector_Intrinsics_vec256 a45; + Lib_IntVector_Intrinsics_vec256 a06; + Lib_IntVector_Intrinsics_vec256 a16; + Lib_IntVector_Intrinsics_vec256 a26; + Lib_IntVector_Intrinsics_vec256 a36; + Lib_IntVector_Intrinsics_vec256 a46; + 
Lib_IntVector_Intrinsics_vec256 t0; + Lib_IntVector_Intrinsics_vec256 t1; + Lib_IntVector_Intrinsics_vec256 t2; + Lib_IntVector_Intrinsics_vec256 t3; + Lib_IntVector_Intrinsics_vec256 t4; + Lib_IntVector_Intrinsics_vec256 mask26; + Lib_IntVector_Intrinsics_vec256 z0; + Lib_IntVector_Intrinsics_vec256 z1; + Lib_IntVector_Intrinsics_vec256 x0; + Lib_IntVector_Intrinsics_vec256 x3; + Lib_IntVector_Intrinsics_vec256 x1; + Lib_IntVector_Intrinsics_vec256 x4; + Lib_IntVector_Intrinsics_vec256 z01; + Lib_IntVector_Intrinsics_vec256 z11; + Lib_IntVector_Intrinsics_vec256 t; + Lib_IntVector_Intrinsics_vec256 z12; + Lib_IntVector_Intrinsics_vec256 x11; + Lib_IntVector_Intrinsics_vec256 x41; + Lib_IntVector_Intrinsics_vec256 x2; + Lib_IntVector_Intrinsics_vec256 x01; + Lib_IntVector_Intrinsics_vec256 z02; + Lib_IntVector_Intrinsics_vec256 z13; + Lib_IntVector_Intrinsics_vec256 x21; + Lib_IntVector_Intrinsics_vec256 x02; + Lib_IntVector_Intrinsics_vec256 x31; + Lib_IntVector_Intrinsics_vec256 x12; + Lib_IntVector_Intrinsics_vec256 z03; + Lib_IntVector_Intrinsics_vec256 x32; + Lib_IntVector_Intrinsics_vec256 x42; + Lib_IntVector_Intrinsics_vec256 o0; + Lib_IntVector_Intrinsics_vec256 o1; + Lib_IntVector_Intrinsics_vec256 o2; + Lib_IntVector_Intrinsics_vec256 o3; + Lib_IntVector_Intrinsics_vec256 o4; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + b = (uint64_t)0x1000000U; + mask = Lib_IntVector_Intrinsics_vec256_load64(b); + f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec256_or(f4, mask); + r = pre; + r5 = pre + (uint32_t)5U; + r0 = r[0U]; + r1 = r[1U]; + r2 = r[2U]; + r3 = r[3U]; + r4 = r[4U]; + r51 = r5[1U]; + r52 = r5[2U]; + r53 = r5[3U]; + r54 = r5[4U]; + f10 = e[0U]; + f11 = e[1U]; + f12 = e[2U]; + f13 = e[3U]; + f14 = e[4U]; + a0 = acc[0U]; + a1 = acc[1U]; + a2 = acc[2U]; + a3 = acc[3U]; + a4 = acc[4U]; + a01 = Lib_IntVector_Intrinsics_vec256_add64(a0, f10); + a11 = Lib_IntVector_Intrinsics_vec256_add64(a1, f11); + a21 = 
Lib_IntVector_Intrinsics_vec256_add64(a2, f12); + a31 = Lib_IntVector_Intrinsics_vec256_add64(a3, f13); + a41 = Lib_IntVector_Intrinsics_vec256_add64(a4, f14); + a02 = Lib_IntVector_Intrinsics_vec256_mul64(r0, a01); + a12 = Lib_IntVector_Intrinsics_vec256_mul64(r1, a01); + a22 = Lib_IntVector_Intrinsics_vec256_mul64(r2, a01); + a32 = Lib_IntVector_Intrinsics_vec256_mul64(r3, a01); + a42 = Lib_IntVector_Intrinsics_vec256_mul64(r4, a01); + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a11)); + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a11)); + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a11)); + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a11)); + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r3, a11)); + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a21)); + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a21)); + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a21)); + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a21)); + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a21)); + a05 = + Lib_IntVector_Intrinsics_vec256_add64(a04, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a31)); + a15 = + Lib_IntVector_Intrinsics_vec256_add64(a14, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a31)); + a25 = + Lib_IntVector_Intrinsics_vec256_add64(a24, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a31)); + a35 = + Lib_IntVector_Intrinsics_vec256_add64(a34, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a31)); + a45 = + Lib_IntVector_Intrinsics_vec256_add64(a44, + Lib_IntVector_Intrinsics_vec256_mul64(r1, 
a31)); + a06 = + Lib_IntVector_Intrinsics_vec256_add64(a05, + Lib_IntVector_Intrinsics_vec256_mul64(r51, a41)); + a16 = + Lib_IntVector_Intrinsics_vec256_add64(a15, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a41)); + a26 = + Lib_IntVector_Intrinsics_vec256_add64(a25, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a41)); + a36 = + Lib_IntVector_Intrinsics_vec256_add64(a35, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a41)); + a46 = + Lib_IntVector_Intrinsics_vec256_add64(a45, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a41)); + t0 = a06; + t1 = a16; + t2 = a26; + t3 = a36; + t4 = a46; + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t0, (uint32_t)26U); + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + x0 = Lib_IntVector_Intrinsics_vec256_and(t0, mask26); + x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + x1 = Lib_IntVector_Intrinsics_vec256_add64(t1, z0); + x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + x12 = Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + x32 = 
Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + o0 = x02; + o1 = x12; + o2 = x21; + o3 = x32; + o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + Hacl_Poly1305_256_poly1305_finish(out, k, ctx); + } + } + } +} + +void +Hacl_Chacha20Poly1305_256_aead_encrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *mac +) +{ + Hacl_Chacha20_Vec256_chacha20_encrypt_256(mlen, cipher, m, k, n, (uint32_t)1U); + { + uint8_t tmp[64U] = { 0U }; + uint8_t *key; + Hacl_Chacha20_Vec256_chacha20_encrypt_256((uint32_t)64U, tmp, tmp, k, n, (uint32_t)0U); + key = tmp; + poly1305_do_256(key, aadlen, aad, mlen, cipher, mac); + } +} + +uint32_t +Hacl_Chacha20Poly1305_256_aead_decrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *mac +) +{ + uint8_t computed_mac[16U] = { 0U }; + uint8_t tmp[64U] = { 0U }; + uint8_t *key; + Hacl_Chacha20_Vec256_chacha20_encrypt_256((uint32_t)64U, tmp, tmp, k, n, (uint32_t)0U); + key = tmp; + poly1305_do_256(key, aadlen, aad, mlen, cipher, computed_mac); + { + uint8_t res0 = (uint8_t)255U; + uint8_t z; + uint32_t res; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint8_t uu____0 = FStar_UInt8_eq_mask(computed_mac[i], mac[i]); + res0 = uu____0 & res0; + } + } + z = res0; + if (z == (uint8_t)255U) + { + Hacl_Chacha20_Vec256_chacha20_encrypt_256(mlen, m, cipher, k, n, (uint32_t)1U); + res = (uint32_t)0U; + } + else + { + res = (uint32_t)1U; + } + return res; + } +} + diff --git a/src/c89/Hacl_Chacha20Poly1305_32.c b/src/c89/Hacl_Chacha20Poly1305_32.c new file mode 100644 index 00000000..40023e83 --- /dev/null +++ b/src/c89/Hacl_Chacha20Poly1305_32.c 
@@ -0,0 +1,811 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Chacha20Poly1305_32.h" + + + +static inline void poly1305_padded_32(uint64_t *ctx, uint32_t len, uint8_t *text) +{ + uint32_t n = len / (uint32_t)16U; + uint32_t r = len % (uint32_t)16U; + uint8_t *blocks = text; + uint8_t *rem = text + n * (uint32_t)16U; + uint64_t *pre0 = ctx + (uint32_t)5U; + uint64_t *acc0 = ctx; + uint32_t nb = n * (uint32_t)16U / (uint32_t)16U; + uint32_t rem1 = n * (uint32_t)16U % (uint32_t)16U; + { + uint32_t i; + for (i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = blocks + i * (uint32_t)16U; + uint64_t e[5U] = { 0U }; + uint64_t u0 = load64_le(block); + uint64_t lo = u0; + uint64_t u = load64_le(block + (uint32_t)8U); + uint64_t hi = u; + uint64_t f0 = lo; + uint64_t f1 = hi; + uint64_t f010 = f0 & (uint64_t)0x3ffffffU; + uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU; + uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U; + uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU; + uint64_t f40 = f1 >> (uint32_t)40U; + uint64_t f01 = f010; + uint64_t f111 = f110; + uint64_t f2 = f20; + uint64_t f3 = f30; + uint64_t f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + { + uint64_t b = (uint64_t)0x1000000U; + uint64_t mask = b; + uint64_t f4 = e[4U]; + e[4U] = f4 | mask; + { + uint64_t *r1 = pre0; + uint64_t *r5 = pre0 + (uint32_t)5U; + uint64_t r0 = r1[0U]; + uint64_t r11 = r1[1U]; + uint64_t r2 = r1[2U]; + uint64_t r3 = r1[3U]; + uint64_t r4 = r1[4U]; + uint64_t r51 = r5[1U]; + uint64_t r52 = r5[2U]; + uint64_t r53 = r5[3U]; + uint64_t r54 = r5[4U]; + uint64_t f10 = e[0U]; + uint64_t f11 = e[1U]; + uint64_t f12 = e[2U]; + uint64_t f13 = e[3U]; + uint64_t f14 = e[4U]; + uint64_t a0 = acc0[0U]; + uint64_t a1 = acc0[1U]; + uint64_t a2 = acc0[2U]; + uint64_t a3 = acc0[3U]; + uint64_t a4 = acc0[4U]; + uint64_t a01 = a0 + f10; + uint64_t a11 = a1 + f11; + uint64_t a21 = a2 + f12; + uint64_t a31 = a3 + f13; + uint64_t a41 = a4 + f14; + 
uint64_t a02 = r0 * a01; + uint64_t a12 = r11 * a01; + uint64_t a22 = r2 * a01; + uint64_t a32 = r3 * a01; + uint64_t a42 = r4 * a01; + uint64_t a03 = a02 + r54 * a11; + uint64_t a13 = a12 + r0 * a11; + uint64_t a23 = a22 + r11 * a11; + uint64_t a33 = a32 + r2 * a11; + uint64_t a43 = a42 + r3 * a11; + uint64_t a04 = a03 + r53 * a21; + uint64_t a14 = a13 + r54 * a21; + uint64_t a24 = a23 + r0 * a21; + uint64_t a34 = a33 + r11 * a21; + uint64_t a44 = a43 + r2 * a21; + uint64_t a05 = a04 + r52 * a31; + uint64_t a15 = a14 + r53 * a31; + uint64_t a25 = a24 + r54 * a31; + uint64_t a35 = a34 + r0 * a31; + uint64_t a45 = a44 + r11 * a31; + uint64_t a06 = a05 + r51 * a41; + uint64_t a16 = a15 + r52 * a41; + uint64_t a26 = a25 + r53 * a41; + uint64_t a36 = a35 + r54 * a41; + uint64_t a46 = a45 + r0 * a41; + uint64_t t0 = a06; + uint64_t t1 = a16; + uint64_t t2 = a26; + uint64_t t3 = a36; + uint64_t t4 = a46; + uint64_t mask26 = (uint64_t)0x3ffffffU; + uint64_t z0 = t0 >> (uint32_t)26U; + uint64_t z1 = t3 >> (uint32_t)26U; + uint64_t x0 = t0 & mask26; + uint64_t x3 = t3 & mask26; + uint64_t x1 = t1 + z0; + uint64_t x4 = t4 + z1; + uint64_t z01 = x1 >> (uint32_t)26U; + uint64_t z11 = x4 >> (uint32_t)26U; + uint64_t t = z11 << (uint32_t)2U; + uint64_t z12 = z11 + t; + uint64_t x11 = x1 & mask26; + uint64_t x41 = x4 & mask26; + uint64_t x2 = t2 + z01; + uint64_t x01 = x0 + z12; + uint64_t z02 = x2 >> (uint32_t)26U; + uint64_t z13 = x01 >> (uint32_t)26U; + uint64_t x21 = x2 & mask26; + uint64_t x02 = x01 & mask26; + uint64_t x31 = x3 + z02; + uint64_t x12 = x11 + z13; + uint64_t z03 = x31 >> (uint32_t)26U; + uint64_t x32 = x31 & mask26; + uint64_t x42 = x41 + z03; + uint64_t o0 = x02; + uint64_t o1 = x12; + uint64_t o2 = x21; + uint64_t o3 = x32; + uint64_t o4 = x42; + acc0[0U] = o0; + acc0[1U] = o1; + acc0[2U] = o2; + acc0[3U] = o3; + acc0[4U] = o4; + } + } + } + } + if (rem1 > (uint32_t)0U) + { + uint8_t *last = blocks + nb * (uint32_t)16U; + uint64_t e[5U] = { 0U }; + uint8_t 
tmp[16U] = { 0U }; + memcpy(tmp, last, rem1 * sizeof (uint8_t)); + { + uint64_t u0 = load64_le(tmp); + uint64_t lo = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi = u; + uint64_t f0 = lo; + uint64_t f1 = hi; + uint64_t f010 = f0 & (uint64_t)0x3ffffffU; + uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU; + uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U; + uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU; + uint64_t f40 = f1 >> (uint32_t)40U; + uint64_t f01 = f010; + uint64_t f111 = f110; + uint64_t f2 = f20; + uint64_t f3 = f30; + uint64_t f4 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f4; + { + uint64_t b = (uint64_t)1U << rem1 * (uint32_t)8U % (uint32_t)26U; + uint64_t mask = b; + uint64_t fi = e[rem1 * (uint32_t)8U / (uint32_t)26U]; + e[rem1 * (uint32_t)8U / (uint32_t)26U] = fi | mask; + { + uint64_t *r1 = pre0; + uint64_t *r5 = pre0 + (uint32_t)5U; + uint64_t r0 = r1[0U]; + uint64_t r11 = r1[1U]; + uint64_t r2 = r1[2U]; + uint64_t r3 = r1[3U]; + uint64_t r4 = r1[4U]; + uint64_t r51 = r5[1U]; + uint64_t r52 = r5[2U]; + uint64_t r53 = r5[3U]; + uint64_t r54 = r5[4U]; + uint64_t f10 = e[0U]; + uint64_t f11 = e[1U]; + uint64_t f12 = e[2U]; + uint64_t f13 = e[3U]; + uint64_t f14 = e[4U]; + uint64_t a0 = acc0[0U]; + uint64_t a1 = acc0[1U]; + uint64_t a2 = acc0[2U]; + uint64_t a3 = acc0[3U]; + uint64_t a4 = acc0[4U]; + uint64_t a01 = a0 + f10; + uint64_t a11 = a1 + f11; + uint64_t a21 = a2 + f12; + uint64_t a31 = a3 + f13; + uint64_t a41 = a4 + f14; + uint64_t a02 = r0 * a01; + uint64_t a12 = r11 * a01; + uint64_t a22 = r2 * a01; + uint64_t a32 = r3 * a01; + uint64_t a42 = r4 * a01; + uint64_t a03 = a02 + r54 * a11; + uint64_t a13 = a12 + r0 * a11; + uint64_t a23 = a22 + r11 * a11; + uint64_t a33 = a32 + r2 * a11; + uint64_t a43 = a42 + r3 * a11; + uint64_t a04 = a03 + r53 * a21; + uint64_t a14 = a13 + r54 * a21; + uint64_t a24 = a23 + r0 * a21; + uint64_t a34 = a33 + 
r11 * a21; + uint64_t a44 = a43 + r2 * a21; + uint64_t a05 = a04 + r52 * a31; + uint64_t a15 = a14 + r53 * a31; + uint64_t a25 = a24 + r54 * a31; + uint64_t a35 = a34 + r0 * a31; + uint64_t a45 = a44 + r11 * a31; + uint64_t a06 = a05 + r51 * a41; + uint64_t a16 = a15 + r52 * a41; + uint64_t a26 = a25 + r53 * a41; + uint64_t a36 = a35 + r54 * a41; + uint64_t a46 = a45 + r0 * a41; + uint64_t t0 = a06; + uint64_t t1 = a16; + uint64_t t2 = a26; + uint64_t t3 = a36; + uint64_t t4 = a46; + uint64_t mask26 = (uint64_t)0x3ffffffU; + uint64_t z0 = t0 >> (uint32_t)26U; + uint64_t z1 = t3 >> (uint32_t)26U; + uint64_t x0 = t0 & mask26; + uint64_t x3 = t3 & mask26; + uint64_t x1 = t1 + z0; + uint64_t x4 = t4 + z1; + uint64_t z01 = x1 >> (uint32_t)26U; + uint64_t z11 = x4 >> (uint32_t)26U; + uint64_t t = z11 << (uint32_t)2U; + uint64_t z12 = z11 + t; + uint64_t x11 = x1 & mask26; + uint64_t x41 = x4 & mask26; + uint64_t x2 = t2 + z01; + uint64_t x01 = x0 + z12; + uint64_t z02 = x2 >> (uint32_t)26U; + uint64_t z13 = x01 >> (uint32_t)26U; + uint64_t x21 = x2 & mask26; + uint64_t x02 = x01 & mask26; + uint64_t x31 = x3 + z02; + uint64_t x12 = x11 + z13; + uint64_t z03 = x31 >> (uint32_t)26U; + uint64_t x32 = x31 & mask26; + uint64_t x42 = x41 + z03; + uint64_t o0 = x02; + uint64_t o1 = x12; + uint64_t o2 = x21; + uint64_t o3 = x32; + uint64_t o4 = x42; + acc0[0U] = o0; + acc0[1U] = o1; + acc0[2U] = o2; + acc0[3U] = o3; + acc0[4U] = o4; + } + } + } + } + { + uint8_t tmp[16U] = { 0U }; + memcpy(tmp, rem, r * sizeof (uint8_t)); + if (r > (uint32_t)0U) + { + uint64_t *pre = ctx + (uint32_t)5U; + uint64_t *acc = ctx; + uint64_t e[5U] = { 0U }; + uint64_t u0 = load64_le(tmp); + uint64_t lo = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi = u; + uint64_t f0 = lo; + uint64_t f1 = hi; + uint64_t f010 = f0 & (uint64_t)0x3ffffffU; + uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU; + uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U; + 
uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU; + uint64_t f40 = f1 >> (uint32_t)40U; + uint64_t f01 = f010; + uint64_t f111 = f110; + uint64_t f2 = f20; + uint64_t f3 = f30; + uint64_t f41 = f40; + uint64_t b; + uint64_t mask; + uint64_t f4; + uint64_t *r1; + uint64_t *r5; + uint64_t r0; + uint64_t r11; + uint64_t r2; + uint64_t r3; + uint64_t r4; + uint64_t r51; + uint64_t r52; + uint64_t r53; + uint64_t r54; + uint64_t f10; + uint64_t f11; + uint64_t f12; + uint64_t f13; + uint64_t f14; + uint64_t a0; + uint64_t a1; + uint64_t a2; + uint64_t a3; + uint64_t a4; + uint64_t a01; + uint64_t a11; + uint64_t a21; + uint64_t a31; + uint64_t a41; + uint64_t a02; + uint64_t a12; + uint64_t a22; + uint64_t a32; + uint64_t a42; + uint64_t a03; + uint64_t a13; + uint64_t a23; + uint64_t a33; + uint64_t a43; + uint64_t a04; + uint64_t a14; + uint64_t a24; + uint64_t a34; + uint64_t a44; + uint64_t a05; + uint64_t a15; + uint64_t a25; + uint64_t a35; + uint64_t a45; + uint64_t a06; + uint64_t a16; + uint64_t a26; + uint64_t a36; + uint64_t a46; + uint64_t t0; + uint64_t t1; + uint64_t t2; + uint64_t t3; + uint64_t t4; + uint64_t mask26; + uint64_t z0; + uint64_t z1; + uint64_t x0; + uint64_t x3; + uint64_t x1; + uint64_t x4; + uint64_t z01; + uint64_t z11; + uint64_t t; + uint64_t z12; + uint64_t x11; + uint64_t x41; + uint64_t x2; + uint64_t x01; + uint64_t z02; + uint64_t z13; + uint64_t x21; + uint64_t x02; + uint64_t x31; + uint64_t x12; + uint64_t z03; + uint64_t x32; + uint64_t x42; + uint64_t o0; + uint64_t o1; + uint64_t o2; + uint64_t o3; + uint64_t o4; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + b = (uint64_t)0x1000000U; + mask = b; + f4 = e[4U]; + e[4U] = f4 | mask; + r1 = pre; + r5 = pre + (uint32_t)5U; + r0 = r1[0U]; + r11 = r1[1U]; + r2 = r1[2U]; + r3 = r1[3U]; + r4 = r1[4U]; + r51 = r5[1U]; + r52 = r5[2U]; + r53 = r5[3U]; + r54 = r5[4U]; + f10 = e[0U]; + f11 = e[1U]; + f12 = e[2U]; + f13 = e[3U]; + f14 = e[4U]; + a0 = 
acc[0U]; + a1 = acc[1U]; + a2 = acc[2U]; + a3 = acc[3U]; + a4 = acc[4U]; + a01 = a0 + f10; + a11 = a1 + f11; + a21 = a2 + f12; + a31 = a3 + f13; + a41 = a4 + f14; + a02 = r0 * a01; + a12 = r11 * a01; + a22 = r2 * a01; + a32 = r3 * a01; + a42 = r4 * a01; + a03 = a02 + r54 * a11; + a13 = a12 + r0 * a11; + a23 = a22 + r11 * a11; + a33 = a32 + r2 * a11; + a43 = a42 + r3 * a11; + a04 = a03 + r53 * a21; + a14 = a13 + r54 * a21; + a24 = a23 + r0 * a21; + a34 = a33 + r11 * a21; + a44 = a43 + r2 * a21; + a05 = a04 + r52 * a31; + a15 = a14 + r53 * a31; + a25 = a24 + r54 * a31; + a35 = a34 + r0 * a31; + a45 = a44 + r11 * a31; + a06 = a05 + r51 * a41; + a16 = a15 + r52 * a41; + a26 = a25 + r53 * a41; + a36 = a35 + r54 * a41; + a46 = a45 + r0 * a41; + t0 = a06; + t1 = a16; + t2 = a26; + t3 = a36; + t4 = a46; + mask26 = (uint64_t)0x3ffffffU; + z0 = t0 >> (uint32_t)26U; + z1 = t3 >> (uint32_t)26U; + x0 = t0 & mask26; + x3 = t3 & mask26; + x1 = t1 + z0; + x4 = t4 + z1; + z01 = x1 >> (uint32_t)26U; + z11 = x4 >> (uint32_t)26U; + t = z11 << (uint32_t)2U; + z12 = z11 + t; + x11 = x1 & mask26; + x41 = x4 & mask26; + x2 = t2 + z01; + x01 = x0 + z12; + z02 = x2 >> (uint32_t)26U; + z13 = x01 >> (uint32_t)26U; + x21 = x2 & mask26; + x02 = x01 & mask26; + x31 = x3 + z02; + x12 = x11 + z13; + z03 = x31 >> (uint32_t)26U; + x32 = x31 & mask26; + x42 = x41 + z03; + o0 = x02; + o1 = x12; + o2 = x21; + o3 = x32; + o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + return; + } + } +} + +static inline void +poly1305_do_32( + uint8_t *k, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *out +) +{ + uint64_t ctx[25U] = { 0U }; + uint8_t block[16U] = { 0U }; + uint64_t *pre; + uint64_t *acc; + Hacl_Poly1305_32_poly1305_init(ctx, k); + if (aadlen != (uint32_t)0U) + { + poly1305_padded_32(ctx, aadlen, aad); + } + if (mlen != (uint32_t)0U) + { + poly1305_padded_32(ctx, mlen, m); + } + store64_le(block, (uint64_t)aadlen); + 
store64_le(block + (uint32_t)8U, (uint64_t)mlen); + pre = ctx + (uint32_t)5U; + acc = ctx; + { + uint64_t e[5U] = { 0U }; + uint64_t u0 = load64_le(block); + uint64_t lo = u0; + uint64_t u = load64_le(block + (uint32_t)8U); + uint64_t hi = u; + uint64_t f0 = lo; + uint64_t f1 = hi; + uint64_t f010 = f0 & (uint64_t)0x3ffffffU; + uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU; + uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U; + uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU; + uint64_t f40 = f1 >> (uint32_t)40U; + uint64_t f01 = f010; + uint64_t f111 = f110; + uint64_t f2 = f20; + uint64_t f3 = f30; + uint64_t f41 = f40; + uint64_t b; + uint64_t mask; + uint64_t f4; + uint64_t *r; + uint64_t *r5; + uint64_t r0; + uint64_t r1; + uint64_t r2; + uint64_t r3; + uint64_t r4; + uint64_t r51; + uint64_t r52; + uint64_t r53; + uint64_t r54; + uint64_t f10; + uint64_t f11; + uint64_t f12; + uint64_t f13; + uint64_t f14; + uint64_t a0; + uint64_t a1; + uint64_t a2; + uint64_t a3; + uint64_t a4; + uint64_t a01; + uint64_t a11; + uint64_t a21; + uint64_t a31; + uint64_t a41; + uint64_t a02; + uint64_t a12; + uint64_t a22; + uint64_t a32; + uint64_t a42; + uint64_t a03; + uint64_t a13; + uint64_t a23; + uint64_t a33; + uint64_t a43; + uint64_t a04; + uint64_t a14; + uint64_t a24; + uint64_t a34; + uint64_t a44; + uint64_t a05; + uint64_t a15; + uint64_t a25; + uint64_t a35; + uint64_t a45; + uint64_t a06; + uint64_t a16; + uint64_t a26; + uint64_t a36; + uint64_t a46; + uint64_t t0; + uint64_t t1; + uint64_t t2; + uint64_t t3; + uint64_t t4; + uint64_t mask26; + uint64_t z0; + uint64_t z1; + uint64_t x0; + uint64_t x3; + uint64_t x1; + uint64_t x4; + uint64_t z01; + uint64_t z11; + uint64_t t; + uint64_t z12; + uint64_t x11; + uint64_t x41; + uint64_t x2; + uint64_t x01; + uint64_t z02; + uint64_t z13; + uint64_t x21; + uint64_t x02; + uint64_t x31; + uint64_t x12; + uint64_t z03; + uint64_t x32; + uint64_t x42; + uint64_t 
o0; + uint64_t o1; + uint64_t o2; + uint64_t o3; + uint64_t o4; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + b = (uint64_t)0x1000000U; + mask = b; + f4 = e[4U]; + e[4U] = f4 | mask; + r = pre; + r5 = pre + (uint32_t)5U; + r0 = r[0U]; + r1 = r[1U]; + r2 = r[2U]; + r3 = r[3U]; + r4 = r[4U]; + r51 = r5[1U]; + r52 = r5[2U]; + r53 = r5[3U]; + r54 = r5[4U]; + f10 = e[0U]; + f11 = e[1U]; + f12 = e[2U]; + f13 = e[3U]; + f14 = e[4U]; + a0 = acc[0U]; + a1 = acc[1U]; + a2 = acc[2U]; + a3 = acc[3U]; + a4 = acc[4U]; + a01 = a0 + f10; + a11 = a1 + f11; + a21 = a2 + f12; + a31 = a3 + f13; + a41 = a4 + f14; + a02 = r0 * a01; + a12 = r1 * a01; + a22 = r2 * a01; + a32 = r3 * a01; + a42 = r4 * a01; + a03 = a02 + r54 * a11; + a13 = a12 + r0 * a11; + a23 = a22 + r1 * a11; + a33 = a32 + r2 * a11; + a43 = a42 + r3 * a11; + a04 = a03 + r53 * a21; + a14 = a13 + r54 * a21; + a24 = a23 + r0 * a21; + a34 = a33 + r1 * a21; + a44 = a43 + r2 * a21; + a05 = a04 + r52 * a31; + a15 = a14 + r53 * a31; + a25 = a24 + r54 * a31; + a35 = a34 + r0 * a31; + a45 = a44 + r1 * a31; + a06 = a05 + r51 * a41; + a16 = a15 + r52 * a41; + a26 = a25 + r53 * a41; + a36 = a35 + r54 * a41; + a46 = a45 + r0 * a41; + t0 = a06; + t1 = a16; + t2 = a26; + t3 = a36; + t4 = a46; + mask26 = (uint64_t)0x3ffffffU; + z0 = t0 >> (uint32_t)26U; + z1 = t3 >> (uint32_t)26U; + x0 = t0 & mask26; + x3 = t3 & mask26; + x1 = t1 + z0; + x4 = t4 + z1; + z01 = x1 >> (uint32_t)26U; + z11 = x4 >> (uint32_t)26U; + t = z11 << (uint32_t)2U; + z12 = z11 + t; + x11 = x1 & mask26; + x41 = x4 & mask26; + x2 = t2 + z01; + x01 = x0 + z12; + z02 = x2 >> (uint32_t)26U; + z13 = x01 >> (uint32_t)26U; + x21 = x2 & mask26; + x02 = x01 & mask26; + x31 = x3 + z02; + x12 = x11 + z13; + z03 = x31 >> (uint32_t)26U; + x32 = x31 & mask26; + x42 = x41 + z03; + o0 = x02; + o1 = x12; + o2 = x21; + o3 = x32; + o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + Hacl_Poly1305_32_poly1305_finish(out, 
k, ctx); + } +} + +void +Hacl_Chacha20Poly1305_32_aead_encrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *mac +) +{ + Hacl_Chacha20_chacha20_encrypt(mlen, cipher, m, k, n, (uint32_t)1U); + { + uint8_t tmp[64U] = { 0U }; + uint8_t *key; + Hacl_Chacha20_chacha20_encrypt((uint32_t)64U, tmp, tmp, k, n, (uint32_t)0U); + key = tmp; + poly1305_do_32(key, aadlen, aad, mlen, cipher, mac); + } +} + +uint32_t +Hacl_Chacha20Poly1305_32_aead_decrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *mac +) +{ + uint8_t computed_mac[16U] = { 0U }; + uint8_t tmp[64U] = { 0U }; + uint8_t *key; + Hacl_Chacha20_chacha20_encrypt((uint32_t)64U, tmp, tmp, k, n, (uint32_t)0U); + key = tmp; + poly1305_do_32(key, aadlen, aad, mlen, cipher, computed_mac); + { + uint8_t res0 = (uint8_t)255U; + uint8_t z; + uint32_t res; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint8_t uu____0 = FStar_UInt8_eq_mask(computed_mac[i], mac[i]); + res0 = uu____0 & res0; + } + } + z = res0; + if (z == (uint8_t)255U) + { + Hacl_Chacha20_chacha20_encrypt(mlen, m, cipher, k, n, (uint32_t)1U); + res = (uint32_t)0U; + } + else + { + res = (uint32_t)1U; + } + return res; + } +} + diff --git a/src/c89/Hacl_Chacha20_Vec128.c b/src/c89/Hacl_Chacha20_Vec128.c new file mode 100644 index 00000000..24a050af --- /dev/null +++ b/src/c89/Hacl_Chacha20_Vec128.c 
@@ -0,0 +1,937 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Chacha20_Vec128.h" + +#include "internal/Hacl_Chacha20.h" + +static inline void double_round_128(Lib_IntVector_Intrinsics_vec128 *st) +{ + Lib_IntVector_Intrinsics_vec128 std0; + Lib_IntVector_Intrinsics_vec128 std1; + Lib_IntVector_Intrinsics_vec128 std2; + Lib_IntVector_Intrinsics_vec128 std3; + Lib_IntVector_Intrinsics_vec128 std4; + Lib_IntVector_Intrinsics_vec128 std5; + Lib_IntVector_Intrinsics_vec128 std6; + Lib_IntVector_Intrinsics_vec128 std7; + Lib_IntVector_Intrinsics_vec128 std8; + Lib_IntVector_Intrinsics_vec128 std9; + Lib_IntVector_Intrinsics_vec128 std10; + Lib_IntVector_Intrinsics_vec128 std11; + Lib_IntVector_Intrinsics_vec128 std12; + Lib_IntVector_Intrinsics_vec128 std13; + Lib_IntVector_Intrinsics_vec128 std14; + Lib_IntVector_Intrinsics_vec128 std15; + Lib_IntVector_Intrinsics_vec128 std16; + Lib_IntVector_Intrinsics_vec128 std17; + Lib_IntVector_Intrinsics_vec128 std18; + Lib_IntVector_Intrinsics_vec128 std19; + Lib_IntVector_Intrinsics_vec128 std20; + Lib_IntVector_Intrinsics_vec128 std21; + Lib_IntVector_Intrinsics_vec128 std22; + Lib_IntVector_Intrinsics_vec128 std23; + Lib_IntVector_Intrinsics_vec128 std24; + Lib_IntVector_Intrinsics_vec128 std25; + Lib_IntVector_Intrinsics_vec128 std26; + Lib_IntVector_Intrinsics_vec128 std27; + Lib_IntVector_Intrinsics_vec128 std28; + Lib_IntVector_Intrinsics_vec128 std29; + Lib_IntVector_Intrinsics_vec128 std30; + Lib_IntVector_Intrinsics_vec128 std; + st[0U] = Lib_IntVector_Intrinsics_vec128_add32(st[0U], st[4U]); + std0 = Lib_IntVector_Intrinsics_vec128_xor(st[12U], st[0U]); + st[12U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std0, (uint32_t)16U); + st[8U] = Lib_IntVector_Intrinsics_vec128_add32(st[8U], st[12U]); + std1 = Lib_IntVector_Intrinsics_vec128_xor(st[4U], st[8U]); + st[4U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std1, (uint32_t)12U); + st[0U] = Lib_IntVector_Intrinsics_vec128_add32(st[0U], st[4U]); + std2 = Lib_IntVector_Intrinsics_vec128_xor(st[12U], 
st[0U]); + st[12U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std2, (uint32_t)8U); + st[8U] = Lib_IntVector_Intrinsics_vec128_add32(st[8U], st[12U]); + std3 = Lib_IntVector_Intrinsics_vec128_xor(st[4U], st[8U]); + st[4U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std3, (uint32_t)7U); + st[1U] = Lib_IntVector_Intrinsics_vec128_add32(st[1U], st[5U]); + std4 = Lib_IntVector_Intrinsics_vec128_xor(st[13U], st[1U]); + st[13U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std4, (uint32_t)16U); + st[9U] = Lib_IntVector_Intrinsics_vec128_add32(st[9U], st[13U]); + std5 = Lib_IntVector_Intrinsics_vec128_xor(st[5U], st[9U]); + st[5U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std5, (uint32_t)12U); + st[1U] = Lib_IntVector_Intrinsics_vec128_add32(st[1U], st[5U]); + std6 = Lib_IntVector_Intrinsics_vec128_xor(st[13U], st[1U]); + st[13U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std6, (uint32_t)8U); + st[9U] = Lib_IntVector_Intrinsics_vec128_add32(st[9U], st[13U]); + std7 = Lib_IntVector_Intrinsics_vec128_xor(st[5U], st[9U]); + st[5U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std7, (uint32_t)7U); + st[2U] = Lib_IntVector_Intrinsics_vec128_add32(st[2U], st[6U]); + std8 = Lib_IntVector_Intrinsics_vec128_xor(st[14U], st[2U]); + st[14U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std8, (uint32_t)16U); + st[10U] = Lib_IntVector_Intrinsics_vec128_add32(st[10U], st[14U]); + std9 = Lib_IntVector_Intrinsics_vec128_xor(st[6U], st[10U]); + st[6U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std9, (uint32_t)12U); + st[2U] = Lib_IntVector_Intrinsics_vec128_add32(st[2U], st[6U]); + std10 = Lib_IntVector_Intrinsics_vec128_xor(st[14U], st[2U]); + st[14U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std10, (uint32_t)8U); + st[10U] = Lib_IntVector_Intrinsics_vec128_add32(st[10U], st[14U]); + std11 = Lib_IntVector_Intrinsics_vec128_xor(st[6U], st[10U]); + st[6U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std11, (uint32_t)7U); + st[3U] = 
Lib_IntVector_Intrinsics_vec128_add32(st[3U], st[7U]); + std12 = Lib_IntVector_Intrinsics_vec128_xor(st[15U], st[3U]); + st[15U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std12, (uint32_t)16U); + st[11U] = Lib_IntVector_Intrinsics_vec128_add32(st[11U], st[15U]); + std13 = Lib_IntVector_Intrinsics_vec128_xor(st[7U], st[11U]); + st[7U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std13, (uint32_t)12U); + st[3U] = Lib_IntVector_Intrinsics_vec128_add32(st[3U], st[7U]); + std14 = Lib_IntVector_Intrinsics_vec128_xor(st[15U], st[3U]); + st[15U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std14, (uint32_t)8U); + st[11U] = Lib_IntVector_Intrinsics_vec128_add32(st[11U], st[15U]); + std15 = Lib_IntVector_Intrinsics_vec128_xor(st[7U], st[11U]); + st[7U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std15, (uint32_t)7U); + st[0U] = Lib_IntVector_Intrinsics_vec128_add32(st[0U], st[5U]); + std16 = Lib_IntVector_Intrinsics_vec128_xor(st[15U], st[0U]); + st[15U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std16, (uint32_t)16U); + st[10U] = Lib_IntVector_Intrinsics_vec128_add32(st[10U], st[15U]); + std17 = Lib_IntVector_Intrinsics_vec128_xor(st[5U], st[10U]); + st[5U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std17, (uint32_t)12U); + st[0U] = Lib_IntVector_Intrinsics_vec128_add32(st[0U], st[5U]); + std18 = Lib_IntVector_Intrinsics_vec128_xor(st[15U], st[0U]); + st[15U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std18, (uint32_t)8U); + st[10U] = Lib_IntVector_Intrinsics_vec128_add32(st[10U], st[15U]); + std19 = Lib_IntVector_Intrinsics_vec128_xor(st[5U], st[10U]); + st[5U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std19, (uint32_t)7U); + st[1U] = Lib_IntVector_Intrinsics_vec128_add32(st[1U], st[6U]); + std20 = Lib_IntVector_Intrinsics_vec128_xor(st[12U], st[1U]); + st[12U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std20, (uint32_t)16U); + st[11U] = Lib_IntVector_Intrinsics_vec128_add32(st[11U], st[12U]); + std21 = 
Lib_IntVector_Intrinsics_vec128_xor(st[6U], st[11U]); + st[6U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std21, (uint32_t)12U); + st[1U] = Lib_IntVector_Intrinsics_vec128_add32(st[1U], st[6U]); + std22 = Lib_IntVector_Intrinsics_vec128_xor(st[12U], st[1U]); + st[12U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std22, (uint32_t)8U); + st[11U] = Lib_IntVector_Intrinsics_vec128_add32(st[11U], st[12U]); + std23 = Lib_IntVector_Intrinsics_vec128_xor(st[6U], st[11U]); + st[6U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std23, (uint32_t)7U); + st[2U] = Lib_IntVector_Intrinsics_vec128_add32(st[2U], st[7U]); + std24 = Lib_IntVector_Intrinsics_vec128_xor(st[13U], st[2U]); + st[13U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std24, (uint32_t)16U); + st[8U] = Lib_IntVector_Intrinsics_vec128_add32(st[8U], st[13U]); + std25 = Lib_IntVector_Intrinsics_vec128_xor(st[7U], st[8U]); + st[7U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std25, (uint32_t)12U); + st[2U] = Lib_IntVector_Intrinsics_vec128_add32(st[2U], st[7U]); + std26 = Lib_IntVector_Intrinsics_vec128_xor(st[13U], st[2U]); + st[13U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std26, (uint32_t)8U); + st[8U] = Lib_IntVector_Intrinsics_vec128_add32(st[8U], st[13U]); + std27 = Lib_IntVector_Intrinsics_vec128_xor(st[7U], st[8U]); + st[7U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std27, (uint32_t)7U); + st[3U] = Lib_IntVector_Intrinsics_vec128_add32(st[3U], st[4U]); + std28 = Lib_IntVector_Intrinsics_vec128_xor(st[14U], st[3U]); + st[14U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std28, (uint32_t)16U); + st[9U] = Lib_IntVector_Intrinsics_vec128_add32(st[9U], st[14U]); + std29 = Lib_IntVector_Intrinsics_vec128_xor(st[4U], st[9U]); + st[4U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std29, (uint32_t)12U); + st[3U] = Lib_IntVector_Intrinsics_vec128_add32(st[3U], st[4U]); + std30 = Lib_IntVector_Intrinsics_vec128_xor(st[14U], st[3U]); + st[14U] = 
Lib_IntVector_Intrinsics_vec128_rotate_left32(std30, (uint32_t)8U); + st[9U] = Lib_IntVector_Intrinsics_vec128_add32(st[9U], st[14U]); + std = Lib_IntVector_Intrinsics_vec128_xor(st[4U], st[9U]); + st[4U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std, (uint32_t)7U); +} + +static inline void +chacha20_core_128( + Lib_IntVector_Intrinsics_vec128 *k, + Lib_IntVector_Intrinsics_vec128 *ctx, + uint32_t ctr +) +{ + uint32_t ctr_u32; + Lib_IntVector_Intrinsics_vec128 cv; + memcpy(k, ctx, (uint32_t)16U * sizeof (Lib_IntVector_Intrinsics_vec128)); + ctr_u32 = (uint32_t)4U * ctr; + cv = Lib_IntVector_Intrinsics_vec128_load32(ctr_u32); + k[12U] = Lib_IntVector_Intrinsics_vec128_add32(k[12U], cv); + double_round_128(k); + double_round_128(k); + double_round_128(k); + double_round_128(k); + double_round_128(k); + double_round_128(k); + double_round_128(k); + double_round_128(k); + double_round_128(k); + double_round_128(k); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec128 *os = k; + Lib_IntVector_Intrinsics_vec128 x = Lib_IntVector_Intrinsics_vec128_add32(k[i], ctx[i]); + os[i] = x; + } + } + k[12U] = Lib_IntVector_Intrinsics_vec128_add32(k[12U], cv); +} + +static inline void +chacha20_init_128(Lib_IntVector_Intrinsics_vec128 *ctx, uint8_t *k, uint8_t *n, uint32_t ctr) +{ + uint32_t ctx1[16U] = { 0U }; + uint32_t *uu____0 = ctx1; + uint32_t *uu____1; + uint32_t *uu____2; + Lib_IntVector_Intrinsics_vec128 ctr1; + Lib_IntVector_Intrinsics_vec128 c12; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = uu____0; + uint32_t x = Hacl_Impl_Chacha20_Vec_chacha20_constants[i]; + os[i] = x; + } + } + uu____1 = ctx1 + (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = uu____1; + uint8_t *bj = k + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + } + ctx1[12U] = ctr; + uu____2 = ctx1 + 
(uint32_t)13U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)3U; i++) + { + uint32_t *os = uu____2; + uint8_t *bj = n + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec128 *os = ctx; + uint32_t x = ctx1[i]; + Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_load32(x); + os[i] = x0; + } + } + ctr1 = + Lib_IntVector_Intrinsics_vec128_load32s((uint32_t)0U, + (uint32_t)1U, + (uint32_t)2U, + (uint32_t)3U); + c12 = ctx[12U]; + ctx[12U] = Lib_IntVector_Intrinsics_vec128_add32(c12, ctr1); +} + +void +Hacl_Chacha20_Vec128_chacha20_encrypt_128( + uint32_t len, + uint8_t *out, + uint8_t *text, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + Lib_IntVector_Intrinsics_vec128 ctx[16U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)16U; ++_i) + ctx[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + { + uint32_t rem; + uint32_t nb; + uint32_t rem1; + chacha20_init_128(ctx, key, n, ctr); + rem = len % (uint32_t)256U; + nb = len / (uint32_t)256U; + rem1 = len % (uint32_t)256U; + { + uint32_t i; + for (i = (uint32_t)0U; i < nb; i++) + { + uint8_t *uu____0 = out + i * (uint32_t)256U; + uint8_t *uu____1 = text + i * (uint32_t)256U; + Lib_IntVector_Intrinsics_vec128 k[16U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)16U; ++_i) + k[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + chacha20_core_128(k, ctx, i); + { + Lib_IntVector_Intrinsics_vec128 st0 = k[0U]; + Lib_IntVector_Intrinsics_vec128 st1 = k[1U]; + Lib_IntVector_Intrinsics_vec128 st2 = k[2U]; + Lib_IntVector_Intrinsics_vec128 st3 = k[3U]; + Lib_IntVector_Intrinsics_vec128 st4 = k[4U]; + Lib_IntVector_Intrinsics_vec128 st5 = k[5U]; + Lib_IntVector_Intrinsics_vec128 st6 = k[6U]; + Lib_IntVector_Intrinsics_vec128 st7 = k[7U]; + Lib_IntVector_Intrinsics_vec128 st8 = k[8U]; + Lib_IntVector_Intrinsics_vec128 st9 = k[9U]; + 
Lib_IntVector_Intrinsics_vec128 st10 = k[10U]; + Lib_IntVector_Intrinsics_vec128 st11 = k[11U]; + Lib_IntVector_Intrinsics_vec128 st12 = k[12U]; + Lib_IntVector_Intrinsics_vec128 st13 = k[13U]; + Lib_IntVector_Intrinsics_vec128 st14 = k[14U]; + Lib_IntVector_Intrinsics_vec128 st15 = k[15U]; + Lib_IntVector_Intrinsics_vec128 + v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(st0, st1); + Lib_IntVector_Intrinsics_vec128 + v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(st0, st1); + Lib_IntVector_Intrinsics_vec128 + v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(st2, st3); + Lib_IntVector_Intrinsics_vec128 + v3_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(st2, st3); + Lib_IntVector_Intrinsics_vec128 + v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v2__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 + v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 v0__0 = v0__; + Lib_IntVector_Intrinsics_vec128 v2__0 = v2__; + Lib_IntVector_Intrinsics_vec128 v1__0 = v1__; + Lib_IntVector_Intrinsics_vec128 v3__0 = v3__; + Lib_IntVector_Intrinsics_vec128 v0 = v0__0; + Lib_IntVector_Intrinsics_vec128 v1 = v1__0; + Lib_IntVector_Intrinsics_vec128 v2 = v2__0; + Lib_IntVector_Intrinsics_vec128 v3 = v3__0; + Lib_IntVector_Intrinsics_vec128 + v0_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st4, st5); + Lib_IntVector_Intrinsics_vec128 + v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st4, st5); + Lib_IntVector_Intrinsics_vec128 + v2_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st6, st7); + Lib_IntVector_Intrinsics_vec128 + v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st6, st7); + Lib_IntVector_Intrinsics_vec128 + v0__1 = 
Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v1__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 + v3__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 v0__2 = v0__1; + Lib_IntVector_Intrinsics_vec128 v2__2 = v2__1; + Lib_IntVector_Intrinsics_vec128 v1__2 = v1__1; + Lib_IntVector_Intrinsics_vec128 v3__2 = v3__1; + Lib_IntVector_Intrinsics_vec128 v4 = v0__2; + Lib_IntVector_Intrinsics_vec128 v5 = v1__2; + Lib_IntVector_Intrinsics_vec128 v6 = v2__2; + Lib_IntVector_Intrinsics_vec128 v7 = v3__2; + Lib_IntVector_Intrinsics_vec128 + v0_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st8, st9); + Lib_IntVector_Intrinsics_vec128 + v1_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st8, st9); + Lib_IntVector_Intrinsics_vec128 + v2_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st10, st11); + Lib_IntVector_Intrinsics_vec128 + v3_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st10, st11); + Lib_IntVector_Intrinsics_vec128 + v0__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v1__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v2__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 + v3__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 v0__4 = v0__3; + Lib_IntVector_Intrinsics_vec128 v2__4 = v2__3; + Lib_IntVector_Intrinsics_vec128 v1__4 = v1__3; + Lib_IntVector_Intrinsics_vec128 v3__4 = v3__3; + Lib_IntVector_Intrinsics_vec128 v8 = v0__4; + Lib_IntVector_Intrinsics_vec128 v9 = v1__4; + Lib_IntVector_Intrinsics_vec128 v10 = v2__4; + Lib_IntVector_Intrinsics_vec128 v11 = v3__4; + 
Lib_IntVector_Intrinsics_vec128 + v0_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st12, st13); + Lib_IntVector_Intrinsics_vec128 + v1_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st12, st13); + Lib_IntVector_Intrinsics_vec128 + v2_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st14, st15); + Lib_IntVector_Intrinsics_vec128 + v3_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st14, st15); + Lib_IntVector_Intrinsics_vec128 + v0__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v1__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v2__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 + v3__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 v0__6 = v0__5; + Lib_IntVector_Intrinsics_vec128 v2__6 = v2__5; + Lib_IntVector_Intrinsics_vec128 v1__6 = v1__5; + Lib_IntVector_Intrinsics_vec128 v3__6 = v3__5; + Lib_IntVector_Intrinsics_vec128 v12 = v0__6; + Lib_IntVector_Intrinsics_vec128 v13 = v1__6; + Lib_IntVector_Intrinsics_vec128 v14 = v2__6; + Lib_IntVector_Intrinsics_vec128 v15 = v3__6; + k[0U] = v0; + k[1U] = v4; + k[2U] = v8; + k[3U] = v12; + k[4U] = v1; + k[5U] = v5; + k[6U] = v9; + k[7U] = v13; + k[8U] = v2; + k[9U] = v6; + k[10U] = v10; + k[11U] = v14; + k[12U] = v3; + k[13U] = v7; + k[14U] = v11; + k[15U] = v15; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)16U; i0++) + { + Lib_IntVector_Intrinsics_vec128 + x = Lib_IntVector_Intrinsics_vec128_load32_le(uu____1 + i0 * (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 y = Lib_IntVector_Intrinsics_vec128_xor(x, k[i0]); + Lib_IntVector_Intrinsics_vec128_store32_le(uu____0 + i0 * (uint32_t)16U, y); + } + } + } + } + } + if (rem1 > (uint32_t)0U) + { + uint8_t *uu____2 = out + nb * (uint32_t)256U; + uint8_t *uu____3 = text + nb * (uint32_t)256U; + uint8_t plain[256U] = { 0U }; + 
memcpy(plain, uu____3, rem * sizeof (uint8_t)); + { + Lib_IntVector_Intrinsics_vec128 k[16U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)16U; ++_i) + k[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + chacha20_core_128(k, ctx, nb); + { + Lib_IntVector_Intrinsics_vec128 st0 = k[0U]; + Lib_IntVector_Intrinsics_vec128 st1 = k[1U]; + Lib_IntVector_Intrinsics_vec128 st2 = k[2U]; + Lib_IntVector_Intrinsics_vec128 st3 = k[3U]; + Lib_IntVector_Intrinsics_vec128 st4 = k[4U]; + Lib_IntVector_Intrinsics_vec128 st5 = k[5U]; + Lib_IntVector_Intrinsics_vec128 st6 = k[6U]; + Lib_IntVector_Intrinsics_vec128 st7 = k[7U]; + Lib_IntVector_Intrinsics_vec128 st8 = k[8U]; + Lib_IntVector_Intrinsics_vec128 st9 = k[9U]; + Lib_IntVector_Intrinsics_vec128 st10 = k[10U]; + Lib_IntVector_Intrinsics_vec128 st11 = k[11U]; + Lib_IntVector_Intrinsics_vec128 st12 = k[12U]; + Lib_IntVector_Intrinsics_vec128 st13 = k[13U]; + Lib_IntVector_Intrinsics_vec128 st14 = k[14U]; + Lib_IntVector_Intrinsics_vec128 st15 = k[15U]; + Lib_IntVector_Intrinsics_vec128 + v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(st0, st1); + Lib_IntVector_Intrinsics_vec128 + v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(st0, st1); + Lib_IntVector_Intrinsics_vec128 + v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(st2, st3); + Lib_IntVector_Intrinsics_vec128 + v3_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(st2, st3); + Lib_IntVector_Intrinsics_vec128 + v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v2__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 + v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 v0__0 = v0__; + Lib_IntVector_Intrinsics_vec128 v2__0 = v2__; + Lib_IntVector_Intrinsics_vec128 v1__0 = v1__; + 
Lib_IntVector_Intrinsics_vec128 v3__0 = v3__; + Lib_IntVector_Intrinsics_vec128 v0 = v0__0; + Lib_IntVector_Intrinsics_vec128 v1 = v1__0; + Lib_IntVector_Intrinsics_vec128 v2 = v2__0; + Lib_IntVector_Intrinsics_vec128 v3 = v3__0; + Lib_IntVector_Intrinsics_vec128 + v0_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st4, st5); + Lib_IntVector_Intrinsics_vec128 + v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st4, st5); + Lib_IntVector_Intrinsics_vec128 + v2_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st6, st7); + Lib_IntVector_Intrinsics_vec128 + v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st6, st7); + Lib_IntVector_Intrinsics_vec128 + v0__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v1__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 + v3__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 v0__2 = v0__1; + Lib_IntVector_Intrinsics_vec128 v2__2 = v2__1; + Lib_IntVector_Intrinsics_vec128 v1__2 = v1__1; + Lib_IntVector_Intrinsics_vec128 v3__2 = v3__1; + Lib_IntVector_Intrinsics_vec128 v4 = v0__2; + Lib_IntVector_Intrinsics_vec128 v5 = v1__2; + Lib_IntVector_Intrinsics_vec128 v6 = v2__2; + Lib_IntVector_Intrinsics_vec128 v7 = v3__2; + Lib_IntVector_Intrinsics_vec128 + v0_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st8, st9); + Lib_IntVector_Intrinsics_vec128 + v1_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st8, st9); + Lib_IntVector_Intrinsics_vec128 + v2_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st10, st11); + Lib_IntVector_Intrinsics_vec128 + v3_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st10, st11); + Lib_IntVector_Intrinsics_vec128 + v0__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_1, v2_1); + 
Lib_IntVector_Intrinsics_vec128 + v1__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v2__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 + v3__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 v0__4 = v0__3; + Lib_IntVector_Intrinsics_vec128 v2__4 = v2__3; + Lib_IntVector_Intrinsics_vec128 v1__4 = v1__3; + Lib_IntVector_Intrinsics_vec128 v3__4 = v3__3; + Lib_IntVector_Intrinsics_vec128 v8 = v0__4; + Lib_IntVector_Intrinsics_vec128 v9 = v1__4; + Lib_IntVector_Intrinsics_vec128 v10 = v2__4; + Lib_IntVector_Intrinsics_vec128 v11 = v3__4; + Lib_IntVector_Intrinsics_vec128 + v0_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st12, st13); + Lib_IntVector_Intrinsics_vec128 + v1_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st12, st13); + Lib_IntVector_Intrinsics_vec128 + v2_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st14, st15); + Lib_IntVector_Intrinsics_vec128 + v3_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st14, st15); + Lib_IntVector_Intrinsics_vec128 + v0__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v1__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v2__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 + v3__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 v0__6 = v0__5; + Lib_IntVector_Intrinsics_vec128 v2__6 = v2__5; + Lib_IntVector_Intrinsics_vec128 v1__6 = v1__5; + Lib_IntVector_Intrinsics_vec128 v3__6 = v3__5; + Lib_IntVector_Intrinsics_vec128 v12 = v0__6; + Lib_IntVector_Intrinsics_vec128 v13 = v1__6; + Lib_IntVector_Intrinsics_vec128 v14 = v2__6; + Lib_IntVector_Intrinsics_vec128 v15 = v3__6; + k[0U] = v0; + k[1U] = v4; + k[2U] = v8; + k[3U] = v12; + k[4U] = 
v1; + k[5U] = v5; + k[6U] = v9; + k[7U] = v13; + k[8U] = v2; + k[9U] = v6; + k[10U] = v10; + k[11U] = v14; + k[12U] = v3; + k[13U] = v7; + k[14U] = v11; + k[15U] = v15; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec128 + x = Lib_IntVector_Intrinsics_vec128_load32_le(plain + i * (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 y = Lib_IntVector_Intrinsics_vec128_xor(x, k[i]); + Lib_IntVector_Intrinsics_vec128_store32_le(plain + i * (uint32_t)16U, y); + } + } + memcpy(uu____2, plain, rem * sizeof (uint8_t)); + } + } + } + } +} + +void +Hacl_Chacha20_Vec128_chacha20_decrypt_128( + uint32_t len, + uint8_t *out, + uint8_t *cipher, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + Lib_IntVector_Intrinsics_vec128 ctx[16U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)16U; ++_i) + ctx[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + { + uint32_t rem; + uint32_t nb; + uint32_t rem1; + chacha20_init_128(ctx, key, n, ctr); + rem = len % (uint32_t)256U; + nb = len / (uint32_t)256U; + rem1 = len % (uint32_t)256U; + { + uint32_t i; + for (i = (uint32_t)0U; i < nb; i++) + { + uint8_t *uu____0 = out + i * (uint32_t)256U; + uint8_t *uu____1 = cipher + i * (uint32_t)256U; + Lib_IntVector_Intrinsics_vec128 k[16U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)16U; ++_i) + k[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + chacha20_core_128(k, ctx, i); + { + Lib_IntVector_Intrinsics_vec128 st0 = k[0U]; + Lib_IntVector_Intrinsics_vec128 st1 = k[1U]; + Lib_IntVector_Intrinsics_vec128 st2 = k[2U]; + Lib_IntVector_Intrinsics_vec128 st3 = k[3U]; + Lib_IntVector_Intrinsics_vec128 st4 = k[4U]; + Lib_IntVector_Intrinsics_vec128 st5 = k[5U]; + Lib_IntVector_Intrinsics_vec128 st6 = k[6U]; + Lib_IntVector_Intrinsics_vec128 st7 = k[7U]; + Lib_IntVector_Intrinsics_vec128 st8 = k[8U]; + Lib_IntVector_Intrinsics_vec128 st9 = k[9U]; + Lib_IntVector_Intrinsics_vec128 st10 = k[10U]; + Lib_IntVector_Intrinsics_vec128 st11 = k[11U]; + 
Lib_IntVector_Intrinsics_vec128 st12 = k[12U]; + Lib_IntVector_Intrinsics_vec128 st13 = k[13U]; + Lib_IntVector_Intrinsics_vec128 st14 = k[14U]; + Lib_IntVector_Intrinsics_vec128 st15 = k[15U]; + Lib_IntVector_Intrinsics_vec128 + v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(st0, st1); + Lib_IntVector_Intrinsics_vec128 + v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(st0, st1); + Lib_IntVector_Intrinsics_vec128 + v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(st2, st3); + Lib_IntVector_Intrinsics_vec128 + v3_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(st2, st3); + Lib_IntVector_Intrinsics_vec128 + v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v2__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 + v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 v0__0 = v0__; + Lib_IntVector_Intrinsics_vec128 v2__0 = v2__; + Lib_IntVector_Intrinsics_vec128 v1__0 = v1__; + Lib_IntVector_Intrinsics_vec128 v3__0 = v3__; + Lib_IntVector_Intrinsics_vec128 v0 = v0__0; + Lib_IntVector_Intrinsics_vec128 v1 = v1__0; + Lib_IntVector_Intrinsics_vec128 v2 = v2__0; + Lib_IntVector_Intrinsics_vec128 v3 = v3__0; + Lib_IntVector_Intrinsics_vec128 + v0_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st4, st5); + Lib_IntVector_Intrinsics_vec128 + v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st4, st5); + Lib_IntVector_Intrinsics_vec128 + v2_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st6, st7); + Lib_IntVector_Intrinsics_vec128 + v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st6, st7); + Lib_IntVector_Intrinsics_vec128 + v0__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v1__1 = 
Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 + v3__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 v0__2 = v0__1; + Lib_IntVector_Intrinsics_vec128 v2__2 = v2__1; + Lib_IntVector_Intrinsics_vec128 v1__2 = v1__1; + Lib_IntVector_Intrinsics_vec128 v3__2 = v3__1; + Lib_IntVector_Intrinsics_vec128 v4 = v0__2; + Lib_IntVector_Intrinsics_vec128 v5 = v1__2; + Lib_IntVector_Intrinsics_vec128 v6 = v2__2; + Lib_IntVector_Intrinsics_vec128 v7 = v3__2; + Lib_IntVector_Intrinsics_vec128 + v0_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st8, st9); + Lib_IntVector_Intrinsics_vec128 + v1_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st8, st9); + Lib_IntVector_Intrinsics_vec128 + v2_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st10, st11); + Lib_IntVector_Intrinsics_vec128 + v3_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st10, st11); + Lib_IntVector_Intrinsics_vec128 + v0__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v1__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v2__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 + v3__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 v0__4 = v0__3; + Lib_IntVector_Intrinsics_vec128 v2__4 = v2__3; + Lib_IntVector_Intrinsics_vec128 v1__4 = v1__3; + Lib_IntVector_Intrinsics_vec128 v3__4 = v3__3; + Lib_IntVector_Intrinsics_vec128 v8 = v0__4; + Lib_IntVector_Intrinsics_vec128 v9 = v1__4; + Lib_IntVector_Intrinsics_vec128 v10 = v2__4; + Lib_IntVector_Intrinsics_vec128 v11 = v3__4; + Lib_IntVector_Intrinsics_vec128 + v0_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st12, st13); + 
Lib_IntVector_Intrinsics_vec128 + v1_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st12, st13); + Lib_IntVector_Intrinsics_vec128 + v2_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st14, st15); + Lib_IntVector_Intrinsics_vec128 + v3_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st14, st15); + Lib_IntVector_Intrinsics_vec128 + v0__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v1__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v2__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 + v3__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 v0__6 = v0__5; + Lib_IntVector_Intrinsics_vec128 v2__6 = v2__5; + Lib_IntVector_Intrinsics_vec128 v1__6 = v1__5; + Lib_IntVector_Intrinsics_vec128 v3__6 = v3__5; + Lib_IntVector_Intrinsics_vec128 v12 = v0__6; + Lib_IntVector_Intrinsics_vec128 v13 = v1__6; + Lib_IntVector_Intrinsics_vec128 v14 = v2__6; + Lib_IntVector_Intrinsics_vec128 v15 = v3__6; + k[0U] = v0; + k[1U] = v4; + k[2U] = v8; + k[3U] = v12; + k[4U] = v1; + k[5U] = v5; + k[6U] = v9; + k[7U] = v13; + k[8U] = v2; + k[9U] = v6; + k[10U] = v10; + k[11U] = v14; + k[12U] = v3; + k[13U] = v7; + k[14U] = v11; + k[15U] = v15; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)16U; i0++) + { + Lib_IntVector_Intrinsics_vec128 + x = Lib_IntVector_Intrinsics_vec128_load32_le(uu____1 + i0 * (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 y = Lib_IntVector_Intrinsics_vec128_xor(x, k[i0]); + Lib_IntVector_Intrinsics_vec128_store32_le(uu____0 + i0 * (uint32_t)16U, y); + } + } + } + } + } + if (rem1 > (uint32_t)0U) + { + uint8_t *uu____2 = out + nb * (uint32_t)256U; + uint8_t *uu____3 = cipher + nb * (uint32_t)256U; + uint8_t plain[256U] = { 0U }; + memcpy(plain, uu____3, rem * sizeof (uint8_t)); + { + Lib_IntVector_Intrinsics_vec128 k[16U]; + { + 
uint32_t _i; + for (_i = 0U; _i < (uint32_t)16U; ++_i) + k[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + chacha20_core_128(k, ctx, nb); + { + Lib_IntVector_Intrinsics_vec128 st0 = k[0U]; + Lib_IntVector_Intrinsics_vec128 st1 = k[1U]; + Lib_IntVector_Intrinsics_vec128 st2 = k[2U]; + Lib_IntVector_Intrinsics_vec128 st3 = k[3U]; + Lib_IntVector_Intrinsics_vec128 st4 = k[4U]; + Lib_IntVector_Intrinsics_vec128 st5 = k[5U]; + Lib_IntVector_Intrinsics_vec128 st6 = k[6U]; + Lib_IntVector_Intrinsics_vec128 st7 = k[7U]; + Lib_IntVector_Intrinsics_vec128 st8 = k[8U]; + Lib_IntVector_Intrinsics_vec128 st9 = k[9U]; + Lib_IntVector_Intrinsics_vec128 st10 = k[10U]; + Lib_IntVector_Intrinsics_vec128 st11 = k[11U]; + Lib_IntVector_Intrinsics_vec128 st12 = k[12U]; + Lib_IntVector_Intrinsics_vec128 st13 = k[13U]; + Lib_IntVector_Intrinsics_vec128 st14 = k[14U]; + Lib_IntVector_Intrinsics_vec128 st15 = k[15U]; + Lib_IntVector_Intrinsics_vec128 + v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(st0, st1); + Lib_IntVector_Intrinsics_vec128 + v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(st0, st1); + Lib_IntVector_Intrinsics_vec128 + v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(st2, st3); + Lib_IntVector_Intrinsics_vec128 + v3_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(st2, st3); + Lib_IntVector_Intrinsics_vec128 + v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v2__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 + v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 v0__0 = v0__; + Lib_IntVector_Intrinsics_vec128 v2__0 = v2__; + Lib_IntVector_Intrinsics_vec128 v1__0 = v1__; + Lib_IntVector_Intrinsics_vec128 v3__0 = v3__; + Lib_IntVector_Intrinsics_vec128 v0 = v0__0; + 
Lib_IntVector_Intrinsics_vec128 v1 = v1__0; + Lib_IntVector_Intrinsics_vec128 v2 = v2__0; + Lib_IntVector_Intrinsics_vec128 v3 = v3__0; + Lib_IntVector_Intrinsics_vec128 + v0_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st4, st5); + Lib_IntVector_Intrinsics_vec128 + v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st4, st5); + Lib_IntVector_Intrinsics_vec128 + v2_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st6, st7); + Lib_IntVector_Intrinsics_vec128 + v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st6, st7); + Lib_IntVector_Intrinsics_vec128 + v0__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v1__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 + v3__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 v0__2 = v0__1; + Lib_IntVector_Intrinsics_vec128 v2__2 = v2__1; + Lib_IntVector_Intrinsics_vec128 v1__2 = v1__1; + Lib_IntVector_Intrinsics_vec128 v3__2 = v3__1; + Lib_IntVector_Intrinsics_vec128 v4 = v0__2; + Lib_IntVector_Intrinsics_vec128 v5 = v1__2; + Lib_IntVector_Intrinsics_vec128 v6 = v2__2; + Lib_IntVector_Intrinsics_vec128 v7 = v3__2; + Lib_IntVector_Intrinsics_vec128 + v0_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st8, st9); + Lib_IntVector_Intrinsics_vec128 + v1_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st8, st9); + Lib_IntVector_Intrinsics_vec128 + v2_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st10, st11); + Lib_IntVector_Intrinsics_vec128 + v3_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st10, st11); + Lib_IntVector_Intrinsics_vec128 + v0__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v1__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_1, v2_1); + 
Lib_IntVector_Intrinsics_vec128 + v2__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 + v3__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 v0__4 = v0__3; + Lib_IntVector_Intrinsics_vec128 v2__4 = v2__3; + Lib_IntVector_Intrinsics_vec128 v1__4 = v1__3; + Lib_IntVector_Intrinsics_vec128 v3__4 = v3__3; + Lib_IntVector_Intrinsics_vec128 v8 = v0__4; + Lib_IntVector_Intrinsics_vec128 v9 = v1__4; + Lib_IntVector_Intrinsics_vec128 v10 = v2__4; + Lib_IntVector_Intrinsics_vec128 v11 = v3__4; + Lib_IntVector_Intrinsics_vec128 + v0_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st12, st13); + Lib_IntVector_Intrinsics_vec128 + v1_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st12, st13); + Lib_IntVector_Intrinsics_vec128 + v2_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st14, st15); + Lib_IntVector_Intrinsics_vec128 + v3_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st14, st15); + Lib_IntVector_Intrinsics_vec128 + v0__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v1__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v2__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 + v3__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 v0__6 = v0__5; + Lib_IntVector_Intrinsics_vec128 v2__6 = v2__5; + Lib_IntVector_Intrinsics_vec128 v1__6 = v1__5; + Lib_IntVector_Intrinsics_vec128 v3__6 = v3__5; + Lib_IntVector_Intrinsics_vec128 v12 = v0__6; + Lib_IntVector_Intrinsics_vec128 v13 = v1__6; + Lib_IntVector_Intrinsics_vec128 v14 = v2__6; + Lib_IntVector_Intrinsics_vec128 v15 = v3__6; + k[0U] = v0; + k[1U] = v4; + k[2U] = v8; + k[3U] = v12; + k[4U] = v1; + k[5U] = v5; + k[6U] = v9; + k[7U] = v13; + k[8U] = v2; + k[9U] = v6; + k[10U] = v10; + k[11U] = v14; 
+ k[12U] = v3; + k[13U] = v7; + k[14U] = v11; + k[15U] = v15; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec128 + x = Lib_IntVector_Intrinsics_vec128_load32_le(plain + i * (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 y = Lib_IntVector_Intrinsics_vec128_xor(x, k[i]); + Lib_IntVector_Intrinsics_vec128_store32_le(plain + i * (uint32_t)16U, y); + } + } + memcpy(uu____2, plain, rem * sizeof (uint8_t)); + } + } + } + } +} + diff --git a/src/c89/Hacl_Chacha20_Vec256.c b/src/c89/Hacl_Chacha20_Vec256.c new file mode 100644 index 00000000..2f3650dc --- /dev/null +++ b/src/c89/Hacl_Chacha20_Vec256.c 
@@ -0,0 +1,1325 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Chacha20_Vec256.h" + +#include "internal/Hacl_Chacha20.h" + +static inline void double_round_256(Lib_IntVector_Intrinsics_vec256 *st) +{ + Lib_IntVector_Intrinsics_vec256 std0; + Lib_IntVector_Intrinsics_vec256 std1; + Lib_IntVector_Intrinsics_vec256 std2; + Lib_IntVector_Intrinsics_vec256 std3; + Lib_IntVector_Intrinsics_vec256 std4; + Lib_IntVector_Intrinsics_vec256 std5; + Lib_IntVector_Intrinsics_vec256 std6; + Lib_IntVector_Intrinsics_vec256 std7; + Lib_IntVector_Intrinsics_vec256 std8; + Lib_IntVector_Intrinsics_vec256 std9; + Lib_IntVector_Intrinsics_vec256 std10; + Lib_IntVector_Intrinsics_vec256 std11; + Lib_IntVector_Intrinsics_vec256 std12; + Lib_IntVector_Intrinsics_vec256 std13; + Lib_IntVector_Intrinsics_vec256 std14; + Lib_IntVector_Intrinsics_vec256 std15; + Lib_IntVector_Intrinsics_vec256 std16; + Lib_IntVector_Intrinsics_vec256 std17; + Lib_IntVector_Intrinsics_vec256 std18; + Lib_IntVector_Intrinsics_vec256 std19; + Lib_IntVector_Intrinsics_vec256 std20; + Lib_IntVector_Intrinsics_vec256 std21; + Lib_IntVector_Intrinsics_vec256 std22; + Lib_IntVector_Intrinsics_vec256 std23; + Lib_IntVector_Intrinsics_vec256 std24; + Lib_IntVector_Intrinsics_vec256 std25; + Lib_IntVector_Intrinsics_vec256 std26; + Lib_IntVector_Intrinsics_vec256 std27; + Lib_IntVector_Intrinsics_vec256 std28; + Lib_IntVector_Intrinsics_vec256 std29; + Lib_IntVector_Intrinsics_vec256 std30; + Lib_IntVector_Intrinsics_vec256 std; + st[0U] = Lib_IntVector_Intrinsics_vec256_add32(st[0U], st[4U]); + std0 = Lib_IntVector_Intrinsics_vec256_xor(st[12U], st[0U]); + st[12U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std0, (uint32_t)16U); + st[8U] = Lib_IntVector_Intrinsics_vec256_add32(st[8U], st[12U]); + std1 = Lib_IntVector_Intrinsics_vec256_xor(st[4U], st[8U]); + st[4U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std1, (uint32_t)12U); + st[0U] = Lib_IntVector_Intrinsics_vec256_add32(st[0U], st[4U]); + std2 = Lib_IntVector_Intrinsics_vec256_xor(st[12U], 
st[0U]); + st[12U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std2, (uint32_t)8U); + st[8U] = Lib_IntVector_Intrinsics_vec256_add32(st[8U], st[12U]); + std3 = Lib_IntVector_Intrinsics_vec256_xor(st[4U], st[8U]); + st[4U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std3, (uint32_t)7U); + st[1U] = Lib_IntVector_Intrinsics_vec256_add32(st[1U], st[5U]); + std4 = Lib_IntVector_Intrinsics_vec256_xor(st[13U], st[1U]); + st[13U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std4, (uint32_t)16U); + st[9U] = Lib_IntVector_Intrinsics_vec256_add32(st[9U], st[13U]); + std5 = Lib_IntVector_Intrinsics_vec256_xor(st[5U], st[9U]); + st[5U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std5, (uint32_t)12U); + st[1U] = Lib_IntVector_Intrinsics_vec256_add32(st[1U], st[5U]); + std6 = Lib_IntVector_Intrinsics_vec256_xor(st[13U], st[1U]); + st[13U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std6, (uint32_t)8U); + st[9U] = Lib_IntVector_Intrinsics_vec256_add32(st[9U], st[13U]); + std7 = Lib_IntVector_Intrinsics_vec256_xor(st[5U], st[9U]); + st[5U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std7, (uint32_t)7U); + st[2U] = Lib_IntVector_Intrinsics_vec256_add32(st[2U], st[6U]); + std8 = Lib_IntVector_Intrinsics_vec256_xor(st[14U], st[2U]); + st[14U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std8, (uint32_t)16U); + st[10U] = Lib_IntVector_Intrinsics_vec256_add32(st[10U], st[14U]); + std9 = Lib_IntVector_Intrinsics_vec256_xor(st[6U], st[10U]); + st[6U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std9, (uint32_t)12U); + st[2U] = Lib_IntVector_Intrinsics_vec256_add32(st[2U], st[6U]); + std10 = Lib_IntVector_Intrinsics_vec256_xor(st[14U], st[2U]); + st[14U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std10, (uint32_t)8U); + st[10U] = Lib_IntVector_Intrinsics_vec256_add32(st[10U], st[14U]); + std11 = Lib_IntVector_Intrinsics_vec256_xor(st[6U], st[10U]); + st[6U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std11, (uint32_t)7U); + st[3U] = 
Lib_IntVector_Intrinsics_vec256_add32(st[3U], st[7U]); + std12 = Lib_IntVector_Intrinsics_vec256_xor(st[15U], st[3U]); + st[15U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std12, (uint32_t)16U); + st[11U] = Lib_IntVector_Intrinsics_vec256_add32(st[11U], st[15U]); + std13 = Lib_IntVector_Intrinsics_vec256_xor(st[7U], st[11U]); + st[7U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std13, (uint32_t)12U); + st[3U] = Lib_IntVector_Intrinsics_vec256_add32(st[3U], st[7U]); + std14 = Lib_IntVector_Intrinsics_vec256_xor(st[15U], st[3U]); + st[15U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std14, (uint32_t)8U); + st[11U] = Lib_IntVector_Intrinsics_vec256_add32(st[11U], st[15U]); + std15 = Lib_IntVector_Intrinsics_vec256_xor(st[7U], st[11U]); + st[7U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std15, (uint32_t)7U); + st[0U] = Lib_IntVector_Intrinsics_vec256_add32(st[0U], st[5U]); + std16 = Lib_IntVector_Intrinsics_vec256_xor(st[15U], st[0U]); + st[15U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std16, (uint32_t)16U); + st[10U] = Lib_IntVector_Intrinsics_vec256_add32(st[10U], st[15U]); + std17 = Lib_IntVector_Intrinsics_vec256_xor(st[5U], st[10U]); + st[5U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std17, (uint32_t)12U); + st[0U] = Lib_IntVector_Intrinsics_vec256_add32(st[0U], st[5U]); + std18 = Lib_IntVector_Intrinsics_vec256_xor(st[15U], st[0U]); + st[15U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std18, (uint32_t)8U); + st[10U] = Lib_IntVector_Intrinsics_vec256_add32(st[10U], st[15U]); + std19 = Lib_IntVector_Intrinsics_vec256_xor(st[5U], st[10U]); + st[5U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std19, (uint32_t)7U); + st[1U] = Lib_IntVector_Intrinsics_vec256_add32(st[1U], st[6U]); + std20 = Lib_IntVector_Intrinsics_vec256_xor(st[12U], st[1U]); + st[12U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std20, (uint32_t)16U); + st[11U] = Lib_IntVector_Intrinsics_vec256_add32(st[11U], st[12U]); + std21 = 
Lib_IntVector_Intrinsics_vec256_xor(st[6U], st[11U]); + st[6U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std21, (uint32_t)12U); + st[1U] = Lib_IntVector_Intrinsics_vec256_add32(st[1U], st[6U]); + std22 = Lib_IntVector_Intrinsics_vec256_xor(st[12U], st[1U]); + st[12U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std22, (uint32_t)8U); + st[11U] = Lib_IntVector_Intrinsics_vec256_add32(st[11U], st[12U]); + std23 = Lib_IntVector_Intrinsics_vec256_xor(st[6U], st[11U]); + st[6U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std23, (uint32_t)7U); + st[2U] = Lib_IntVector_Intrinsics_vec256_add32(st[2U], st[7U]); + std24 = Lib_IntVector_Intrinsics_vec256_xor(st[13U], st[2U]); + st[13U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std24, (uint32_t)16U); + st[8U] = Lib_IntVector_Intrinsics_vec256_add32(st[8U], st[13U]); + std25 = Lib_IntVector_Intrinsics_vec256_xor(st[7U], st[8U]); + st[7U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std25, (uint32_t)12U); + st[2U] = Lib_IntVector_Intrinsics_vec256_add32(st[2U], st[7U]); + std26 = Lib_IntVector_Intrinsics_vec256_xor(st[13U], st[2U]); + st[13U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std26, (uint32_t)8U); + st[8U] = Lib_IntVector_Intrinsics_vec256_add32(st[8U], st[13U]); + std27 = Lib_IntVector_Intrinsics_vec256_xor(st[7U], st[8U]); + st[7U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std27, (uint32_t)7U); + st[3U] = Lib_IntVector_Intrinsics_vec256_add32(st[3U], st[4U]); + std28 = Lib_IntVector_Intrinsics_vec256_xor(st[14U], st[3U]); + st[14U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std28, (uint32_t)16U); + st[9U] = Lib_IntVector_Intrinsics_vec256_add32(st[9U], st[14U]); + std29 = Lib_IntVector_Intrinsics_vec256_xor(st[4U], st[9U]); + st[4U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std29, (uint32_t)12U); + st[3U] = Lib_IntVector_Intrinsics_vec256_add32(st[3U], st[4U]); + std30 = Lib_IntVector_Intrinsics_vec256_xor(st[14U], st[3U]); + st[14U] = 
Lib_IntVector_Intrinsics_vec256_rotate_left32(std30, (uint32_t)8U); + st[9U] = Lib_IntVector_Intrinsics_vec256_add32(st[9U], st[14U]); + std = Lib_IntVector_Intrinsics_vec256_xor(st[4U], st[9U]); + st[4U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std, (uint32_t)7U); +} + +static inline void +chacha20_core_256( + Lib_IntVector_Intrinsics_vec256 *k, + Lib_IntVector_Intrinsics_vec256 *ctx, + uint32_t ctr +) +{ + uint32_t ctr_u32; + Lib_IntVector_Intrinsics_vec256 cv; + memcpy(k, ctx, (uint32_t)16U * sizeof (Lib_IntVector_Intrinsics_vec256)); + ctr_u32 = (uint32_t)8U * ctr; + cv = Lib_IntVector_Intrinsics_vec256_load32(ctr_u32); + k[12U] = Lib_IntVector_Intrinsics_vec256_add32(k[12U], cv); + double_round_256(k); + double_round_256(k); + double_round_256(k); + double_round_256(k); + double_round_256(k); + double_round_256(k); + double_round_256(k); + double_round_256(k); + double_round_256(k); + double_round_256(k); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec256 *os = k; + Lib_IntVector_Intrinsics_vec256 x = Lib_IntVector_Intrinsics_vec256_add32(k[i], ctx[i]); + os[i] = x; + } + } + k[12U] = Lib_IntVector_Intrinsics_vec256_add32(k[12U], cv); +} + +static inline void +chacha20_init_256(Lib_IntVector_Intrinsics_vec256 *ctx, uint8_t *k, uint8_t *n, uint32_t ctr) +{ + uint32_t ctx1[16U] = { 0U }; + uint32_t *uu____0 = ctx1; + uint32_t *uu____1; + uint32_t *uu____2; + Lib_IntVector_Intrinsics_vec256 ctr1; + Lib_IntVector_Intrinsics_vec256 c12; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = uu____0; + uint32_t x = Hacl_Impl_Chacha20_Vec_chacha20_constants[i]; + os[i] = x; + } + } + uu____1 = ctx1 + (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = uu____1; + uint8_t *bj = k + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + } + ctx1[12U] = ctr; + uu____2 = ctx1 + 
(uint32_t)13U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)3U; i++) + { + uint32_t *os = uu____2; + uint8_t *bj = n + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec256 *os = ctx; + uint32_t x = ctx1[i]; + Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_load32(x); + os[i] = x0; + } + } + ctr1 = + Lib_IntVector_Intrinsics_vec256_load32s((uint32_t)0U, + (uint32_t)1U, + (uint32_t)2U, + (uint32_t)3U, + (uint32_t)4U, + (uint32_t)5U, + (uint32_t)6U, + (uint32_t)7U); + c12 = ctx[12U]; + ctx[12U] = Lib_IntVector_Intrinsics_vec256_add32(c12, ctr1); +} + +void +Hacl_Chacha20_Vec256_chacha20_encrypt_256( + uint32_t len, + uint8_t *out, + uint8_t *text, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + Lib_IntVector_Intrinsics_vec256 ctx[16U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)16U; ++_i) + ctx[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + uint32_t rem; + uint32_t nb; + uint32_t rem1; + chacha20_init_256(ctx, key, n, ctr); + rem = len % (uint32_t)512U; + nb = len / (uint32_t)512U; + rem1 = len % (uint32_t)512U; + { + uint32_t i; + for (i = (uint32_t)0U; i < nb; i++) + { + uint8_t *uu____0 = out + i * (uint32_t)512U; + uint8_t *uu____1 = text + i * (uint32_t)512U; + Lib_IntVector_Intrinsics_vec256 k[16U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)16U; ++_i) + k[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + chacha20_core_256(k, ctx, i); + { + Lib_IntVector_Intrinsics_vec256 st0 = k[0U]; + Lib_IntVector_Intrinsics_vec256 st1 = k[1U]; + Lib_IntVector_Intrinsics_vec256 st2 = k[2U]; + Lib_IntVector_Intrinsics_vec256 st3 = k[3U]; + Lib_IntVector_Intrinsics_vec256 st4 = k[4U]; + Lib_IntVector_Intrinsics_vec256 st5 = k[5U]; + Lib_IntVector_Intrinsics_vec256 st6 = k[6U]; + Lib_IntVector_Intrinsics_vec256 st7 = k[7U]; + Lib_IntVector_Intrinsics_vec256 st8 = 
k[8U]; + Lib_IntVector_Intrinsics_vec256 st9 = k[9U]; + Lib_IntVector_Intrinsics_vec256 st10 = k[10U]; + Lib_IntVector_Intrinsics_vec256 st11 = k[11U]; + Lib_IntVector_Intrinsics_vec256 st12 = k[12U]; + Lib_IntVector_Intrinsics_vec256 st13 = k[13U]; + Lib_IntVector_Intrinsics_vec256 st14 = k[14U]; + Lib_IntVector_Intrinsics_vec256 st15 = k[15U]; + Lib_IntVector_Intrinsics_vec256 v00 = st0; + Lib_IntVector_Intrinsics_vec256 v16 = st1; + Lib_IntVector_Intrinsics_vec256 v20 = st2; + Lib_IntVector_Intrinsics_vec256 v30 = st3; + Lib_IntVector_Intrinsics_vec256 v40 = st4; + Lib_IntVector_Intrinsics_vec256 v50 = st5; + Lib_IntVector_Intrinsics_vec256 v60 = st6; + Lib_IntVector_Intrinsics_vec256 v70 = st7; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v00, v16); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v00, v16); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v4_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v5_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v6_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v60, v70); + Lib_IntVector_Intrinsics_vec256 + v7_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v60, v70); + Lib_IntVector_Intrinsics_vec256 v0_0 = v0_; + Lib_IntVector_Intrinsics_vec256 v1_0 = v1_; + Lib_IntVector_Intrinsics_vec256 v2_0 = v2_; + Lib_IntVector_Intrinsics_vec256 v3_0 = v3_; + Lib_IntVector_Intrinsics_vec256 v4_0 = v4_; + Lib_IntVector_Intrinsics_vec256 v5_0 = v5_; + Lib_IntVector_Intrinsics_vec256 v6_0 = v6_; + Lib_IntVector_Intrinsics_vec256 v7_0 = v7_; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, 
v2_0); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v4_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v6_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v5_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 + v7_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 v0_10 = v0_1; + Lib_IntVector_Intrinsics_vec256 v1_10 = v1_1; + Lib_IntVector_Intrinsics_vec256 v2_10 = v2_1; + Lib_IntVector_Intrinsics_vec256 v3_10 = v3_1; + Lib_IntVector_Intrinsics_vec256 v4_10 = v4_1; + Lib_IntVector_Intrinsics_vec256 v5_10 = v5_1; + Lib_IntVector_Intrinsics_vec256 v6_10 = v6_1; + Lib_IntVector_Intrinsics_vec256 v7_10 = v7_1; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v4_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v5_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v6_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 + v7_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_10, v7_10); + 
Lib_IntVector_Intrinsics_vec256 v0_20 = v0_2; + Lib_IntVector_Intrinsics_vec256 v1_20 = v1_2; + Lib_IntVector_Intrinsics_vec256 v2_20 = v2_2; + Lib_IntVector_Intrinsics_vec256 v3_20 = v3_2; + Lib_IntVector_Intrinsics_vec256 v4_20 = v4_2; + Lib_IntVector_Intrinsics_vec256 v5_20 = v5_2; + Lib_IntVector_Intrinsics_vec256 v6_20 = v6_2; + Lib_IntVector_Intrinsics_vec256 v7_20 = v7_2; + Lib_IntVector_Intrinsics_vec256 v0_3 = v0_20; + Lib_IntVector_Intrinsics_vec256 v1_3 = v1_20; + Lib_IntVector_Intrinsics_vec256 v2_3 = v2_20; + Lib_IntVector_Intrinsics_vec256 v3_3 = v3_20; + Lib_IntVector_Intrinsics_vec256 v4_3 = v4_20; + Lib_IntVector_Intrinsics_vec256 v5_3 = v5_20; + Lib_IntVector_Intrinsics_vec256 v6_3 = v6_20; + Lib_IntVector_Intrinsics_vec256 v7_3 = v7_20; + Lib_IntVector_Intrinsics_vec256 v0 = v0_3; + Lib_IntVector_Intrinsics_vec256 v1 = v2_3; + Lib_IntVector_Intrinsics_vec256 v2 = v1_3; + Lib_IntVector_Intrinsics_vec256 v3 = v3_3; + Lib_IntVector_Intrinsics_vec256 v4 = v4_3; + Lib_IntVector_Intrinsics_vec256 v5 = v6_3; + Lib_IntVector_Intrinsics_vec256 v6 = v5_3; + Lib_IntVector_Intrinsics_vec256 v7 = v7_3; + Lib_IntVector_Intrinsics_vec256 v01 = st8; + Lib_IntVector_Intrinsics_vec256 v110 = st9; + Lib_IntVector_Intrinsics_vec256 v21 = st10; + Lib_IntVector_Intrinsics_vec256 v31 = st11; + Lib_IntVector_Intrinsics_vec256 v41 = st12; + Lib_IntVector_Intrinsics_vec256 v51 = st13; + Lib_IntVector_Intrinsics_vec256 v61 = st14; + Lib_IntVector_Intrinsics_vec256 v71 = st15; + Lib_IntVector_Intrinsics_vec256 + v0_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v01, v110); + Lib_IntVector_Intrinsics_vec256 + v1_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v01, v110); + Lib_IntVector_Intrinsics_vec256 + v2_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v3_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v4_4 = 
Lib_IntVector_Intrinsics_vec256_interleave_low32(v41, v51); + Lib_IntVector_Intrinsics_vec256 + v5_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v41, v51); + Lib_IntVector_Intrinsics_vec256 + v6_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v61, v71); + Lib_IntVector_Intrinsics_vec256 + v7_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v61, v71); + Lib_IntVector_Intrinsics_vec256 v0_5 = v0_4; + Lib_IntVector_Intrinsics_vec256 v1_5 = v1_4; + Lib_IntVector_Intrinsics_vec256 v2_5 = v2_4; + Lib_IntVector_Intrinsics_vec256 v3_5 = v3_4; + Lib_IntVector_Intrinsics_vec256 v4_5 = v4_4; + Lib_IntVector_Intrinsics_vec256 v5_5 = v5_4; + Lib_IntVector_Intrinsics_vec256 v6_5 = v6_4; + Lib_IntVector_Intrinsics_vec256 v7_5 = v7_4; + Lib_IntVector_Intrinsics_vec256 + v0_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v2_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v1_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v3_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v4_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v6_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v5_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 + v7_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 v0_12 = v0_11; + Lib_IntVector_Intrinsics_vec256 v1_12 = v1_11; + Lib_IntVector_Intrinsics_vec256 v2_12 = v2_11; + Lib_IntVector_Intrinsics_vec256 v3_12 = v3_11; + Lib_IntVector_Intrinsics_vec256 v4_12 = v4_11; + Lib_IntVector_Intrinsics_vec256 v5_12 = v5_11; + Lib_IntVector_Intrinsics_vec256 v6_12 = v6_11; + Lib_IntVector_Intrinsics_vec256 v7_12 = v7_11; + 
Lib_IntVector_Intrinsics_vec256 + v0_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v4_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v1_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v5_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v2_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v6_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v3_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 + v7_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 v0_22 = v0_21; + Lib_IntVector_Intrinsics_vec256 v1_22 = v1_21; + Lib_IntVector_Intrinsics_vec256 v2_22 = v2_21; + Lib_IntVector_Intrinsics_vec256 v3_22 = v3_21; + Lib_IntVector_Intrinsics_vec256 v4_22 = v4_21; + Lib_IntVector_Intrinsics_vec256 v5_22 = v5_21; + Lib_IntVector_Intrinsics_vec256 v6_22 = v6_21; + Lib_IntVector_Intrinsics_vec256 v7_22 = v7_21; + Lib_IntVector_Intrinsics_vec256 v0_6 = v0_22; + Lib_IntVector_Intrinsics_vec256 v1_6 = v1_22; + Lib_IntVector_Intrinsics_vec256 v2_6 = v2_22; + Lib_IntVector_Intrinsics_vec256 v3_6 = v3_22; + Lib_IntVector_Intrinsics_vec256 v4_6 = v4_22; + Lib_IntVector_Intrinsics_vec256 v5_6 = v5_22; + Lib_IntVector_Intrinsics_vec256 v6_6 = v6_22; + Lib_IntVector_Intrinsics_vec256 v7_6 = v7_22; + Lib_IntVector_Intrinsics_vec256 v8 = v0_6; + Lib_IntVector_Intrinsics_vec256 v9 = v2_6; + Lib_IntVector_Intrinsics_vec256 v10 = v1_6; + Lib_IntVector_Intrinsics_vec256 v11 = v3_6; + Lib_IntVector_Intrinsics_vec256 v12 = v4_6; + Lib_IntVector_Intrinsics_vec256 v13 = v6_6; + Lib_IntVector_Intrinsics_vec256 v14 = v5_6; + 
Lib_IntVector_Intrinsics_vec256 v15 = v7_6; + k[0U] = v0; + k[1U] = v8; + k[2U] = v1; + k[3U] = v9; + k[4U] = v2; + k[5U] = v10; + k[6U] = v3; + k[7U] = v11; + k[8U] = v4; + k[9U] = v12; + k[10U] = v5; + k[11U] = v13; + k[12U] = v6; + k[13U] = v14; + k[14U] = v7; + k[15U] = v15; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)16U; i0++) + { + Lib_IntVector_Intrinsics_vec256 + x = Lib_IntVector_Intrinsics_vec256_load32_le(uu____1 + i0 * (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 y = Lib_IntVector_Intrinsics_vec256_xor(x, k[i0]); + Lib_IntVector_Intrinsics_vec256_store32_le(uu____0 + i0 * (uint32_t)32U, y); + } + } + } + } + } + if (rem1 > (uint32_t)0U) + { + uint8_t *uu____2 = out + nb * (uint32_t)512U; + uint8_t *uu____3 = text + nb * (uint32_t)512U; + uint8_t plain[512U] = { 0U }; + memcpy(plain, uu____3, rem * sizeof (uint8_t)); + { + Lib_IntVector_Intrinsics_vec256 k[16U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)16U; ++_i) + k[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + chacha20_core_256(k, ctx, nb); + { + Lib_IntVector_Intrinsics_vec256 st0 = k[0U]; + Lib_IntVector_Intrinsics_vec256 st1 = k[1U]; + Lib_IntVector_Intrinsics_vec256 st2 = k[2U]; + Lib_IntVector_Intrinsics_vec256 st3 = k[3U]; + Lib_IntVector_Intrinsics_vec256 st4 = k[4U]; + Lib_IntVector_Intrinsics_vec256 st5 = k[5U]; + Lib_IntVector_Intrinsics_vec256 st6 = k[6U]; + Lib_IntVector_Intrinsics_vec256 st7 = k[7U]; + Lib_IntVector_Intrinsics_vec256 st8 = k[8U]; + Lib_IntVector_Intrinsics_vec256 st9 = k[9U]; + Lib_IntVector_Intrinsics_vec256 st10 = k[10U]; + Lib_IntVector_Intrinsics_vec256 st11 = k[11U]; + Lib_IntVector_Intrinsics_vec256 st12 = k[12U]; + Lib_IntVector_Intrinsics_vec256 st13 = k[13U]; + Lib_IntVector_Intrinsics_vec256 st14 = k[14U]; + Lib_IntVector_Intrinsics_vec256 st15 = k[15U]; + Lib_IntVector_Intrinsics_vec256 v00 = st0; + Lib_IntVector_Intrinsics_vec256 v16 = st1; + Lib_IntVector_Intrinsics_vec256 v20 = st2; + Lib_IntVector_Intrinsics_vec256 v30 = 
st3; + Lib_IntVector_Intrinsics_vec256 v40 = st4; + Lib_IntVector_Intrinsics_vec256 v50 = st5; + Lib_IntVector_Intrinsics_vec256 v60 = st6; + Lib_IntVector_Intrinsics_vec256 v70 = st7; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v00, v16); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v00, v16); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v4_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v5_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v6_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v60, v70); + Lib_IntVector_Intrinsics_vec256 + v7_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v60, v70); + Lib_IntVector_Intrinsics_vec256 v0_0 = v0_; + Lib_IntVector_Intrinsics_vec256 v1_0 = v1_; + Lib_IntVector_Intrinsics_vec256 v2_0 = v2_; + Lib_IntVector_Intrinsics_vec256 v3_0 = v3_; + Lib_IntVector_Intrinsics_vec256 v4_0 = v4_; + Lib_IntVector_Intrinsics_vec256 v5_0 = v5_; + Lib_IntVector_Intrinsics_vec256 v6_0 = v6_; + Lib_IntVector_Intrinsics_vec256 v7_0 = v7_; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v4_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v6_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, 
v6_0); + Lib_IntVector_Intrinsics_vec256 + v5_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 + v7_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 v0_10 = v0_1; + Lib_IntVector_Intrinsics_vec256 v1_10 = v1_1; + Lib_IntVector_Intrinsics_vec256 v2_10 = v2_1; + Lib_IntVector_Intrinsics_vec256 v3_10 = v3_1; + Lib_IntVector_Intrinsics_vec256 v4_10 = v4_1; + Lib_IntVector_Intrinsics_vec256 v5_10 = v5_1; + Lib_IntVector_Intrinsics_vec256 v6_10 = v6_1; + Lib_IntVector_Intrinsics_vec256 v7_10 = v7_1; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v4_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v5_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v6_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 + v7_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 v0_20 = v0_2; + Lib_IntVector_Intrinsics_vec256 v1_20 = v1_2; + Lib_IntVector_Intrinsics_vec256 v2_20 = v2_2; + Lib_IntVector_Intrinsics_vec256 v3_20 = v3_2; + Lib_IntVector_Intrinsics_vec256 v4_20 = v4_2; + Lib_IntVector_Intrinsics_vec256 v5_20 = v5_2; + Lib_IntVector_Intrinsics_vec256 v6_20 = v6_2; + Lib_IntVector_Intrinsics_vec256 v7_20 = v7_2; + Lib_IntVector_Intrinsics_vec256 v0_3 = v0_20; + Lib_IntVector_Intrinsics_vec256 v1_3 = v1_20; + Lib_IntVector_Intrinsics_vec256 v2_3 = v2_20; + 
Lib_IntVector_Intrinsics_vec256 v3_3 = v3_20; + Lib_IntVector_Intrinsics_vec256 v4_3 = v4_20; + Lib_IntVector_Intrinsics_vec256 v5_3 = v5_20; + Lib_IntVector_Intrinsics_vec256 v6_3 = v6_20; + Lib_IntVector_Intrinsics_vec256 v7_3 = v7_20; + Lib_IntVector_Intrinsics_vec256 v0 = v0_3; + Lib_IntVector_Intrinsics_vec256 v1 = v2_3; + Lib_IntVector_Intrinsics_vec256 v2 = v1_3; + Lib_IntVector_Intrinsics_vec256 v3 = v3_3; + Lib_IntVector_Intrinsics_vec256 v4 = v4_3; + Lib_IntVector_Intrinsics_vec256 v5 = v6_3; + Lib_IntVector_Intrinsics_vec256 v6 = v5_3; + Lib_IntVector_Intrinsics_vec256 v7 = v7_3; + Lib_IntVector_Intrinsics_vec256 v01 = st8; + Lib_IntVector_Intrinsics_vec256 v110 = st9; + Lib_IntVector_Intrinsics_vec256 v21 = st10; + Lib_IntVector_Intrinsics_vec256 v31 = st11; + Lib_IntVector_Intrinsics_vec256 v41 = st12; + Lib_IntVector_Intrinsics_vec256 v51 = st13; + Lib_IntVector_Intrinsics_vec256 v61 = st14; + Lib_IntVector_Intrinsics_vec256 v71 = st15; + Lib_IntVector_Intrinsics_vec256 + v0_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v01, v110); + Lib_IntVector_Intrinsics_vec256 + v1_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v01, v110); + Lib_IntVector_Intrinsics_vec256 + v2_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v3_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v4_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v41, v51); + Lib_IntVector_Intrinsics_vec256 + v5_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v41, v51); + Lib_IntVector_Intrinsics_vec256 + v6_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v61, v71); + Lib_IntVector_Intrinsics_vec256 + v7_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v61, v71); + Lib_IntVector_Intrinsics_vec256 v0_5 = v0_4; + Lib_IntVector_Intrinsics_vec256 v1_5 = v1_4; + Lib_IntVector_Intrinsics_vec256 v2_5 = v2_4; + Lib_IntVector_Intrinsics_vec256 v3_5 = v3_4; + 
Lib_IntVector_Intrinsics_vec256 v4_5 = v4_4; + Lib_IntVector_Intrinsics_vec256 v5_5 = v5_4; + Lib_IntVector_Intrinsics_vec256 v6_5 = v6_4; + Lib_IntVector_Intrinsics_vec256 v7_5 = v7_4; + Lib_IntVector_Intrinsics_vec256 + v0_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v2_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v1_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v3_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v4_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v6_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v5_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 + v7_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 v0_12 = v0_11; + Lib_IntVector_Intrinsics_vec256 v1_12 = v1_11; + Lib_IntVector_Intrinsics_vec256 v2_12 = v2_11; + Lib_IntVector_Intrinsics_vec256 v3_12 = v3_11; + Lib_IntVector_Intrinsics_vec256 v4_12 = v4_11; + Lib_IntVector_Intrinsics_vec256 v5_12 = v5_11; + Lib_IntVector_Intrinsics_vec256 v6_12 = v6_11; + Lib_IntVector_Intrinsics_vec256 v7_12 = v7_11; + Lib_IntVector_Intrinsics_vec256 + v0_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v4_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v1_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v5_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v2_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_12, v6_12); + 
Lib_IntVector_Intrinsics_vec256 + v6_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v3_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 + v7_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 v0_22 = v0_21; + Lib_IntVector_Intrinsics_vec256 v1_22 = v1_21; + Lib_IntVector_Intrinsics_vec256 v2_22 = v2_21; + Lib_IntVector_Intrinsics_vec256 v3_22 = v3_21; + Lib_IntVector_Intrinsics_vec256 v4_22 = v4_21; + Lib_IntVector_Intrinsics_vec256 v5_22 = v5_21; + Lib_IntVector_Intrinsics_vec256 v6_22 = v6_21; + Lib_IntVector_Intrinsics_vec256 v7_22 = v7_21; + Lib_IntVector_Intrinsics_vec256 v0_6 = v0_22; + Lib_IntVector_Intrinsics_vec256 v1_6 = v1_22; + Lib_IntVector_Intrinsics_vec256 v2_6 = v2_22; + Lib_IntVector_Intrinsics_vec256 v3_6 = v3_22; + Lib_IntVector_Intrinsics_vec256 v4_6 = v4_22; + Lib_IntVector_Intrinsics_vec256 v5_6 = v5_22; + Lib_IntVector_Intrinsics_vec256 v6_6 = v6_22; + Lib_IntVector_Intrinsics_vec256 v7_6 = v7_22; + Lib_IntVector_Intrinsics_vec256 v8 = v0_6; + Lib_IntVector_Intrinsics_vec256 v9 = v2_6; + Lib_IntVector_Intrinsics_vec256 v10 = v1_6; + Lib_IntVector_Intrinsics_vec256 v11 = v3_6; + Lib_IntVector_Intrinsics_vec256 v12 = v4_6; + Lib_IntVector_Intrinsics_vec256 v13 = v6_6; + Lib_IntVector_Intrinsics_vec256 v14 = v5_6; + Lib_IntVector_Intrinsics_vec256 v15 = v7_6; + k[0U] = v0; + k[1U] = v8; + k[2U] = v1; + k[3U] = v9; + k[4U] = v2; + k[5U] = v10; + k[6U] = v3; + k[7U] = v11; + k[8U] = v4; + k[9U] = v12; + k[10U] = v5; + k[11U] = v13; + k[12U] = v6; + k[13U] = v14; + k[14U] = v7; + k[15U] = v15; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec256 + x = Lib_IntVector_Intrinsics_vec256_load32_le(plain + i * (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 y = Lib_IntVector_Intrinsics_vec256_xor(x, k[i]); + 
Lib_IntVector_Intrinsics_vec256_store32_le(plain + i * (uint32_t)32U, y); + } + } + memcpy(uu____2, plain, rem * sizeof (uint8_t)); + } + } + } + } +} + +void +Hacl_Chacha20_Vec256_chacha20_decrypt_256( + uint32_t len, + uint8_t *out, + uint8_t *cipher, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + Lib_IntVector_Intrinsics_vec256 ctx[16U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)16U; ++_i) + ctx[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + uint32_t rem; + uint32_t nb; + uint32_t rem1; + chacha20_init_256(ctx, key, n, ctr); + rem = len % (uint32_t)512U; + nb = len / (uint32_t)512U; + rem1 = len % (uint32_t)512U; + { + uint32_t i; + for (i = (uint32_t)0U; i < nb; i++) + { + uint8_t *uu____0 = out + i * (uint32_t)512U; + uint8_t *uu____1 = cipher + i * (uint32_t)512U; + Lib_IntVector_Intrinsics_vec256 k[16U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)16U; ++_i) + k[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + chacha20_core_256(k, ctx, i); + { + Lib_IntVector_Intrinsics_vec256 st0 = k[0U]; + Lib_IntVector_Intrinsics_vec256 st1 = k[1U]; + Lib_IntVector_Intrinsics_vec256 st2 = k[2U]; + Lib_IntVector_Intrinsics_vec256 st3 = k[3U]; + Lib_IntVector_Intrinsics_vec256 st4 = k[4U]; + Lib_IntVector_Intrinsics_vec256 st5 = k[5U]; + Lib_IntVector_Intrinsics_vec256 st6 = k[6U]; + Lib_IntVector_Intrinsics_vec256 st7 = k[7U]; + Lib_IntVector_Intrinsics_vec256 st8 = k[8U]; + Lib_IntVector_Intrinsics_vec256 st9 = k[9U]; + Lib_IntVector_Intrinsics_vec256 st10 = k[10U]; + Lib_IntVector_Intrinsics_vec256 st11 = k[11U]; + Lib_IntVector_Intrinsics_vec256 st12 = k[12U]; + Lib_IntVector_Intrinsics_vec256 st13 = k[13U]; + Lib_IntVector_Intrinsics_vec256 st14 = k[14U]; + Lib_IntVector_Intrinsics_vec256 st15 = k[15U]; + Lib_IntVector_Intrinsics_vec256 v00 = st0; + Lib_IntVector_Intrinsics_vec256 v16 = st1; + Lib_IntVector_Intrinsics_vec256 v20 = st2; + Lib_IntVector_Intrinsics_vec256 v30 = st3; + Lib_IntVector_Intrinsics_vec256 v40 = st4; + 
Lib_IntVector_Intrinsics_vec256 v50 = st5; + Lib_IntVector_Intrinsics_vec256 v60 = st6; + Lib_IntVector_Intrinsics_vec256 v70 = st7; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v00, v16); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v00, v16); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v4_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v5_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v6_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v60, v70); + Lib_IntVector_Intrinsics_vec256 + v7_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v60, v70); + Lib_IntVector_Intrinsics_vec256 v0_0 = v0_; + Lib_IntVector_Intrinsics_vec256 v1_0 = v1_; + Lib_IntVector_Intrinsics_vec256 v2_0 = v2_; + Lib_IntVector_Intrinsics_vec256 v3_0 = v3_; + Lib_IntVector_Intrinsics_vec256 v4_0 = v4_; + Lib_IntVector_Intrinsics_vec256 v5_0 = v5_; + Lib_IntVector_Intrinsics_vec256 v6_0 = v6_; + Lib_IntVector_Intrinsics_vec256 v7_0 = v7_; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v4_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v6_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v5_1 = 
Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 + v7_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 v0_10 = v0_1; + Lib_IntVector_Intrinsics_vec256 v1_10 = v1_1; + Lib_IntVector_Intrinsics_vec256 v2_10 = v2_1; + Lib_IntVector_Intrinsics_vec256 v3_10 = v3_1; + Lib_IntVector_Intrinsics_vec256 v4_10 = v4_1; + Lib_IntVector_Intrinsics_vec256 v5_10 = v5_1; + Lib_IntVector_Intrinsics_vec256 v6_10 = v6_1; + Lib_IntVector_Intrinsics_vec256 v7_10 = v7_1; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v4_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v5_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v6_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 + v7_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 v0_20 = v0_2; + Lib_IntVector_Intrinsics_vec256 v1_20 = v1_2; + Lib_IntVector_Intrinsics_vec256 v2_20 = v2_2; + Lib_IntVector_Intrinsics_vec256 v3_20 = v3_2; + Lib_IntVector_Intrinsics_vec256 v4_20 = v4_2; + Lib_IntVector_Intrinsics_vec256 v5_20 = v5_2; + Lib_IntVector_Intrinsics_vec256 v6_20 = v6_2; + Lib_IntVector_Intrinsics_vec256 v7_20 = v7_2; + Lib_IntVector_Intrinsics_vec256 v0_3 = v0_20; + Lib_IntVector_Intrinsics_vec256 v1_3 = v1_20; + Lib_IntVector_Intrinsics_vec256 v2_3 = v2_20; + Lib_IntVector_Intrinsics_vec256 v3_3 = v3_20; + 
Lib_IntVector_Intrinsics_vec256 v4_3 = v4_20; + Lib_IntVector_Intrinsics_vec256 v5_3 = v5_20; + Lib_IntVector_Intrinsics_vec256 v6_3 = v6_20; + Lib_IntVector_Intrinsics_vec256 v7_3 = v7_20; + Lib_IntVector_Intrinsics_vec256 v0 = v0_3; + Lib_IntVector_Intrinsics_vec256 v1 = v2_3; + Lib_IntVector_Intrinsics_vec256 v2 = v1_3; + Lib_IntVector_Intrinsics_vec256 v3 = v3_3; + Lib_IntVector_Intrinsics_vec256 v4 = v4_3; + Lib_IntVector_Intrinsics_vec256 v5 = v6_3; + Lib_IntVector_Intrinsics_vec256 v6 = v5_3; + Lib_IntVector_Intrinsics_vec256 v7 = v7_3; + Lib_IntVector_Intrinsics_vec256 v01 = st8; + Lib_IntVector_Intrinsics_vec256 v110 = st9; + Lib_IntVector_Intrinsics_vec256 v21 = st10; + Lib_IntVector_Intrinsics_vec256 v31 = st11; + Lib_IntVector_Intrinsics_vec256 v41 = st12; + Lib_IntVector_Intrinsics_vec256 v51 = st13; + Lib_IntVector_Intrinsics_vec256 v61 = st14; + Lib_IntVector_Intrinsics_vec256 v71 = st15; + Lib_IntVector_Intrinsics_vec256 + v0_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v01, v110); + Lib_IntVector_Intrinsics_vec256 + v1_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v01, v110); + Lib_IntVector_Intrinsics_vec256 + v2_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v3_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v4_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v41, v51); + Lib_IntVector_Intrinsics_vec256 + v5_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v41, v51); + Lib_IntVector_Intrinsics_vec256 + v6_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v61, v71); + Lib_IntVector_Intrinsics_vec256 + v7_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v61, v71); + Lib_IntVector_Intrinsics_vec256 v0_5 = v0_4; + Lib_IntVector_Intrinsics_vec256 v1_5 = v1_4; + Lib_IntVector_Intrinsics_vec256 v2_5 = v2_4; + Lib_IntVector_Intrinsics_vec256 v3_5 = v3_4; + Lib_IntVector_Intrinsics_vec256 v4_5 = v4_4; + 
Lib_IntVector_Intrinsics_vec256 v5_5 = v5_4; + Lib_IntVector_Intrinsics_vec256 v6_5 = v6_4; + Lib_IntVector_Intrinsics_vec256 v7_5 = v7_4; + Lib_IntVector_Intrinsics_vec256 + v0_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v2_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v1_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v3_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v4_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v6_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v5_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 + v7_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 v0_12 = v0_11; + Lib_IntVector_Intrinsics_vec256 v1_12 = v1_11; + Lib_IntVector_Intrinsics_vec256 v2_12 = v2_11; + Lib_IntVector_Intrinsics_vec256 v3_12 = v3_11; + Lib_IntVector_Intrinsics_vec256 v4_12 = v4_11; + Lib_IntVector_Intrinsics_vec256 v5_12 = v5_11; + Lib_IntVector_Intrinsics_vec256 v6_12 = v6_11; + Lib_IntVector_Intrinsics_vec256 v7_12 = v7_11; + Lib_IntVector_Intrinsics_vec256 + v0_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v4_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v1_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v5_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v2_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v6_21 = 
Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v3_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 + v7_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 v0_22 = v0_21; + Lib_IntVector_Intrinsics_vec256 v1_22 = v1_21; + Lib_IntVector_Intrinsics_vec256 v2_22 = v2_21; + Lib_IntVector_Intrinsics_vec256 v3_22 = v3_21; + Lib_IntVector_Intrinsics_vec256 v4_22 = v4_21; + Lib_IntVector_Intrinsics_vec256 v5_22 = v5_21; + Lib_IntVector_Intrinsics_vec256 v6_22 = v6_21; + Lib_IntVector_Intrinsics_vec256 v7_22 = v7_21; + Lib_IntVector_Intrinsics_vec256 v0_6 = v0_22; + Lib_IntVector_Intrinsics_vec256 v1_6 = v1_22; + Lib_IntVector_Intrinsics_vec256 v2_6 = v2_22; + Lib_IntVector_Intrinsics_vec256 v3_6 = v3_22; + Lib_IntVector_Intrinsics_vec256 v4_6 = v4_22; + Lib_IntVector_Intrinsics_vec256 v5_6 = v5_22; + Lib_IntVector_Intrinsics_vec256 v6_6 = v6_22; + Lib_IntVector_Intrinsics_vec256 v7_6 = v7_22; + Lib_IntVector_Intrinsics_vec256 v8 = v0_6; + Lib_IntVector_Intrinsics_vec256 v9 = v2_6; + Lib_IntVector_Intrinsics_vec256 v10 = v1_6; + Lib_IntVector_Intrinsics_vec256 v11 = v3_6; + Lib_IntVector_Intrinsics_vec256 v12 = v4_6; + Lib_IntVector_Intrinsics_vec256 v13 = v6_6; + Lib_IntVector_Intrinsics_vec256 v14 = v5_6; + Lib_IntVector_Intrinsics_vec256 v15 = v7_6; + k[0U] = v0; + k[1U] = v8; + k[2U] = v1; + k[3U] = v9; + k[4U] = v2; + k[5U] = v10; + k[6U] = v3; + k[7U] = v11; + k[8U] = v4; + k[9U] = v12; + k[10U] = v5; + k[11U] = v13; + k[12U] = v6; + k[13U] = v14; + k[14U] = v7; + k[15U] = v15; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)16U; i0++) + { + Lib_IntVector_Intrinsics_vec256 + x = Lib_IntVector_Intrinsics_vec256_load32_le(uu____1 + i0 * (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 y = Lib_IntVector_Intrinsics_vec256_xor(x, k[i0]); + Lib_IntVector_Intrinsics_vec256_store32_le(uu____0 + i0 * 
(uint32_t)32U, y); + } + } + } + } + } + if (rem1 > (uint32_t)0U) + { + uint8_t *uu____2 = out + nb * (uint32_t)512U; + uint8_t *uu____3 = cipher + nb * (uint32_t)512U; + uint8_t plain[512U] = { 0U }; + memcpy(plain, uu____3, rem * sizeof (uint8_t)); + { + Lib_IntVector_Intrinsics_vec256 k[16U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)16U; ++_i) + k[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + chacha20_core_256(k, ctx, nb); + { + Lib_IntVector_Intrinsics_vec256 st0 = k[0U]; + Lib_IntVector_Intrinsics_vec256 st1 = k[1U]; + Lib_IntVector_Intrinsics_vec256 st2 = k[2U]; + Lib_IntVector_Intrinsics_vec256 st3 = k[3U]; + Lib_IntVector_Intrinsics_vec256 st4 = k[4U]; + Lib_IntVector_Intrinsics_vec256 st5 = k[5U]; + Lib_IntVector_Intrinsics_vec256 st6 = k[6U]; + Lib_IntVector_Intrinsics_vec256 st7 = k[7U]; + Lib_IntVector_Intrinsics_vec256 st8 = k[8U]; + Lib_IntVector_Intrinsics_vec256 st9 = k[9U]; + Lib_IntVector_Intrinsics_vec256 st10 = k[10U]; + Lib_IntVector_Intrinsics_vec256 st11 = k[11U]; + Lib_IntVector_Intrinsics_vec256 st12 = k[12U]; + Lib_IntVector_Intrinsics_vec256 st13 = k[13U]; + Lib_IntVector_Intrinsics_vec256 st14 = k[14U]; + Lib_IntVector_Intrinsics_vec256 st15 = k[15U]; + Lib_IntVector_Intrinsics_vec256 v00 = st0; + Lib_IntVector_Intrinsics_vec256 v16 = st1; + Lib_IntVector_Intrinsics_vec256 v20 = st2; + Lib_IntVector_Intrinsics_vec256 v30 = st3; + Lib_IntVector_Intrinsics_vec256 v40 = st4; + Lib_IntVector_Intrinsics_vec256 v50 = st5; + Lib_IntVector_Intrinsics_vec256 v60 = st6; + Lib_IntVector_Intrinsics_vec256 v70 = st7; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v00, v16); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v00, v16); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v20, v30); + 
Lib_IntVector_Intrinsics_vec256 + v4_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v5_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v6_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v60, v70); + Lib_IntVector_Intrinsics_vec256 + v7_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v60, v70); + Lib_IntVector_Intrinsics_vec256 v0_0 = v0_; + Lib_IntVector_Intrinsics_vec256 v1_0 = v1_; + Lib_IntVector_Intrinsics_vec256 v2_0 = v2_; + Lib_IntVector_Intrinsics_vec256 v3_0 = v3_; + Lib_IntVector_Intrinsics_vec256 v4_0 = v4_; + Lib_IntVector_Intrinsics_vec256 v5_0 = v5_; + Lib_IntVector_Intrinsics_vec256 v6_0 = v6_; + Lib_IntVector_Intrinsics_vec256 v7_0 = v7_; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v4_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v6_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v5_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 + v7_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 v0_10 = v0_1; + Lib_IntVector_Intrinsics_vec256 v1_10 = v1_1; + Lib_IntVector_Intrinsics_vec256 v2_10 = v2_1; + Lib_IntVector_Intrinsics_vec256 v3_10 = v3_1; + Lib_IntVector_Intrinsics_vec256 v4_10 = v4_1; + Lib_IntVector_Intrinsics_vec256 v5_10 = v5_1; + Lib_IntVector_Intrinsics_vec256 v6_10 = v6_1; + Lib_IntVector_Intrinsics_vec256 v7_10 = 
v7_1; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v4_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v5_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v6_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 + v7_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 v0_20 = v0_2; + Lib_IntVector_Intrinsics_vec256 v1_20 = v1_2; + Lib_IntVector_Intrinsics_vec256 v2_20 = v2_2; + Lib_IntVector_Intrinsics_vec256 v3_20 = v3_2; + Lib_IntVector_Intrinsics_vec256 v4_20 = v4_2; + Lib_IntVector_Intrinsics_vec256 v5_20 = v5_2; + Lib_IntVector_Intrinsics_vec256 v6_20 = v6_2; + Lib_IntVector_Intrinsics_vec256 v7_20 = v7_2; + Lib_IntVector_Intrinsics_vec256 v0_3 = v0_20; + Lib_IntVector_Intrinsics_vec256 v1_3 = v1_20; + Lib_IntVector_Intrinsics_vec256 v2_3 = v2_20; + Lib_IntVector_Intrinsics_vec256 v3_3 = v3_20; + Lib_IntVector_Intrinsics_vec256 v4_3 = v4_20; + Lib_IntVector_Intrinsics_vec256 v5_3 = v5_20; + Lib_IntVector_Intrinsics_vec256 v6_3 = v6_20; + Lib_IntVector_Intrinsics_vec256 v7_3 = v7_20; + Lib_IntVector_Intrinsics_vec256 v0 = v0_3; + Lib_IntVector_Intrinsics_vec256 v1 = v2_3; + Lib_IntVector_Intrinsics_vec256 v2 = v1_3; + Lib_IntVector_Intrinsics_vec256 v3 = v3_3; + Lib_IntVector_Intrinsics_vec256 v4 = v4_3; + Lib_IntVector_Intrinsics_vec256 v5 = v6_3; + Lib_IntVector_Intrinsics_vec256 v6 = v5_3; + Lib_IntVector_Intrinsics_vec256 v7 = 
v7_3; + Lib_IntVector_Intrinsics_vec256 v01 = st8; + Lib_IntVector_Intrinsics_vec256 v110 = st9; + Lib_IntVector_Intrinsics_vec256 v21 = st10; + Lib_IntVector_Intrinsics_vec256 v31 = st11; + Lib_IntVector_Intrinsics_vec256 v41 = st12; + Lib_IntVector_Intrinsics_vec256 v51 = st13; + Lib_IntVector_Intrinsics_vec256 v61 = st14; + Lib_IntVector_Intrinsics_vec256 v71 = st15; + Lib_IntVector_Intrinsics_vec256 + v0_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v01, v110); + Lib_IntVector_Intrinsics_vec256 + v1_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v01, v110); + Lib_IntVector_Intrinsics_vec256 + v2_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v3_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v4_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v41, v51); + Lib_IntVector_Intrinsics_vec256 + v5_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v41, v51); + Lib_IntVector_Intrinsics_vec256 + v6_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v61, v71); + Lib_IntVector_Intrinsics_vec256 + v7_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v61, v71); + Lib_IntVector_Intrinsics_vec256 v0_5 = v0_4; + Lib_IntVector_Intrinsics_vec256 v1_5 = v1_4; + Lib_IntVector_Intrinsics_vec256 v2_5 = v2_4; + Lib_IntVector_Intrinsics_vec256 v3_5 = v3_4; + Lib_IntVector_Intrinsics_vec256 v4_5 = v4_4; + Lib_IntVector_Intrinsics_vec256 v5_5 = v5_4; + Lib_IntVector_Intrinsics_vec256 v6_5 = v6_4; + Lib_IntVector_Intrinsics_vec256 v7_5 = v7_4; + Lib_IntVector_Intrinsics_vec256 + v0_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v2_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v1_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v3_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_5, 
v3_5); + Lib_IntVector_Intrinsics_vec256 + v4_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v6_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v5_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 + v7_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 v0_12 = v0_11; + Lib_IntVector_Intrinsics_vec256 v1_12 = v1_11; + Lib_IntVector_Intrinsics_vec256 v2_12 = v2_11; + Lib_IntVector_Intrinsics_vec256 v3_12 = v3_11; + Lib_IntVector_Intrinsics_vec256 v4_12 = v4_11; + Lib_IntVector_Intrinsics_vec256 v5_12 = v5_11; + Lib_IntVector_Intrinsics_vec256 v6_12 = v6_11; + Lib_IntVector_Intrinsics_vec256 v7_12 = v7_11; + Lib_IntVector_Intrinsics_vec256 + v0_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v4_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v1_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v5_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v2_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v6_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v3_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 + v7_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 v0_22 = v0_21; + Lib_IntVector_Intrinsics_vec256 v1_22 = v1_21; + Lib_IntVector_Intrinsics_vec256 v2_22 = v2_21; + Lib_IntVector_Intrinsics_vec256 v3_22 = v3_21; + Lib_IntVector_Intrinsics_vec256 v4_22 = v4_21; + Lib_IntVector_Intrinsics_vec256 v5_22 = v5_21; + 
Lib_IntVector_Intrinsics_vec256 v6_22 = v6_21; + Lib_IntVector_Intrinsics_vec256 v7_22 = v7_21; + Lib_IntVector_Intrinsics_vec256 v0_6 = v0_22; + Lib_IntVector_Intrinsics_vec256 v1_6 = v1_22; + Lib_IntVector_Intrinsics_vec256 v2_6 = v2_22; + Lib_IntVector_Intrinsics_vec256 v3_6 = v3_22; + Lib_IntVector_Intrinsics_vec256 v4_6 = v4_22; + Lib_IntVector_Intrinsics_vec256 v5_6 = v5_22; + Lib_IntVector_Intrinsics_vec256 v6_6 = v6_22; + Lib_IntVector_Intrinsics_vec256 v7_6 = v7_22; + Lib_IntVector_Intrinsics_vec256 v8 = v0_6; + Lib_IntVector_Intrinsics_vec256 v9 = v2_6; + Lib_IntVector_Intrinsics_vec256 v10 = v1_6; + Lib_IntVector_Intrinsics_vec256 v11 = v3_6; + Lib_IntVector_Intrinsics_vec256 v12 = v4_6; + Lib_IntVector_Intrinsics_vec256 v13 = v6_6; + Lib_IntVector_Intrinsics_vec256 v14 = v5_6; + Lib_IntVector_Intrinsics_vec256 v15 = v7_6; + k[0U] = v0; + k[1U] = v8; + k[2U] = v1; + k[3U] = v9; + k[4U] = v2; + k[5U] = v10; + k[6U] = v3; + k[7U] = v11; + k[8U] = v4; + k[9U] = v12; + k[10U] = v5; + k[11U] = v13; + k[12U] = v6; + k[13U] = v14; + k[14U] = v7; + k[15U] = v15; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec256 + x = Lib_IntVector_Intrinsics_vec256_load32_le(plain + i * (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 y = Lib_IntVector_Intrinsics_vec256_xor(x, k[i]); + Lib_IntVector_Intrinsics_vec256_store32_le(plain + i * (uint32_t)32U, y); + } + } + memcpy(uu____2, plain, rem * sizeof (uint8_t)); + } + } + } + } +} + diff --git a/src/c89/Hacl_Curve25519_51.c b/src/c89/Hacl_Curve25519_51.c new file mode 100644 index 00000000..caee96bd --- /dev/null +++ b/src/c89/Hacl_Curve25519_51.c 
@@ -0,0 +1,365 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Curve25519_51.h" + + + +static const uint8_t g25519[32U] = { (uint8_t)9U }; + +static void point_add_and_double(uint64_t *q, uint64_t *p01_tmp1, FStar_UInt128_uint128 *tmp2) +{ + uint64_t *nq = p01_tmp1; + uint64_t *nq_p1 = p01_tmp1 + (uint32_t)10U; + uint64_t *tmp1 = p01_tmp1 + (uint32_t)20U; + uint64_t *x1 = q; + uint64_t *x2 = nq; + uint64_t *z2 = nq + (uint32_t)5U; + uint64_t *z3 = nq_p1 + (uint32_t)5U; + uint64_t *a = tmp1; + uint64_t *b = tmp1 + (uint32_t)5U; + uint64_t *ab = tmp1; + uint64_t *dc = tmp1 + (uint32_t)10U; + uint64_t *x3; + uint64_t *z31; + uint64_t *d0; + uint64_t *c0; + uint64_t *a1; + uint64_t *b1; + uint64_t *d; + uint64_t *c; + uint64_t *ab1; + uint64_t *dc1; + Hacl_Impl_Curve25519_Field51_fadd(a, x2, z2); + Hacl_Impl_Curve25519_Field51_fsub(b, x2, z2); + x3 = nq_p1; + z31 = nq_p1 + (uint32_t)5U; + d0 = dc; + c0 = dc + (uint32_t)5U; + Hacl_Impl_Curve25519_Field51_fadd(c0, x3, z31); + Hacl_Impl_Curve25519_Field51_fsub(d0, x3, z31); + Hacl_Impl_Curve25519_Field51_fmul2(dc, dc, ab, tmp2); + Hacl_Impl_Curve25519_Field51_fadd(x3, d0, c0); + Hacl_Impl_Curve25519_Field51_fsub(z31, d0, c0); + a1 = tmp1; + b1 = tmp1 + (uint32_t)5U; + d = tmp1 + (uint32_t)10U; + c = tmp1 + (uint32_t)15U; + ab1 = tmp1; + dc1 = tmp1 + (uint32_t)10U; + Hacl_Impl_Curve25519_Field51_fsqr2(dc1, ab1, tmp2); + Hacl_Impl_Curve25519_Field51_fsqr2(nq_p1, nq_p1, tmp2); + a1[0U] = c[0U]; + a1[1U] = c[1U]; + a1[2U] = c[2U]; + a1[3U] = c[3U]; + a1[4U] = c[4U]; + Hacl_Impl_Curve25519_Field51_fsub(c, d, c); + Hacl_Impl_Curve25519_Field51_fmul1(b1, c, (uint64_t)121665U); + Hacl_Impl_Curve25519_Field51_fadd(b1, b1, d); + Hacl_Impl_Curve25519_Field51_fmul2(nq, dc1, ab1, tmp2); + Hacl_Impl_Curve25519_Field51_fmul(z3, z3, x1, tmp2); +} + +static void point_double(uint64_t *nq, uint64_t *tmp1, FStar_UInt128_uint128 *tmp2) +{ + uint64_t *x2 = nq; + uint64_t *z2 = nq + (uint32_t)5U; + uint64_t *a = tmp1; + uint64_t *b = tmp1 + (uint32_t)5U; + uint64_t *d = 
tmp1 + (uint32_t)10U; + uint64_t *c = tmp1 + (uint32_t)15U; + uint64_t *ab = tmp1; + uint64_t *dc = tmp1 + (uint32_t)10U; + Hacl_Impl_Curve25519_Field51_fadd(a, x2, z2); + Hacl_Impl_Curve25519_Field51_fsub(b, x2, z2); + Hacl_Impl_Curve25519_Field51_fsqr2(dc, ab, tmp2); + a[0U] = c[0U]; + a[1U] = c[1U]; + a[2U] = c[2U]; + a[3U] = c[3U]; + a[4U] = c[4U]; + Hacl_Impl_Curve25519_Field51_fsub(c, d, c); + Hacl_Impl_Curve25519_Field51_fmul1(b, c, (uint64_t)121665U); + Hacl_Impl_Curve25519_Field51_fadd(b, b, d); + Hacl_Impl_Curve25519_Field51_fmul2(nq, dc, ab, tmp2); +} + +static void montgomery_ladder(uint64_t *out, uint8_t *key, uint64_t *init) +{ + FStar_UInt128_uint128 tmp2[10U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)10U; ++_i) + tmp2[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + } + { + uint64_t p01_tmp1_swap[41U] = { 0U }; + uint64_t *p0 = p01_tmp1_swap; + uint64_t *p01 = p01_tmp1_swap; + uint64_t *p03 = p01; + uint64_t *p11 = p01 + (uint32_t)10U; + uint64_t *x0; + uint64_t *z0; + uint64_t *p01_tmp1; + uint64_t *p01_tmp11; + uint64_t *nq10; + uint64_t *nq_p11; + uint64_t *swap; + uint64_t sw0; + uint64_t *nq1; + uint64_t *tmp1; + memcpy(p11, init, (uint32_t)10U * sizeof (uint64_t)); + x0 = p03; + z0 = p03 + (uint32_t)5U; + x0[0U] = (uint64_t)1U; + x0[1U] = (uint64_t)0U; + x0[2U] = (uint64_t)0U; + x0[3U] = (uint64_t)0U; + x0[4U] = (uint64_t)0U; + z0[0U] = (uint64_t)0U; + z0[1U] = (uint64_t)0U; + z0[2U] = (uint64_t)0U; + z0[3U] = (uint64_t)0U; + z0[4U] = (uint64_t)0U; + p01_tmp1 = p01_tmp1_swap; + p01_tmp11 = p01_tmp1_swap; + nq10 = p01_tmp1_swap; + nq_p11 = p01_tmp1_swap + (uint32_t)10U; + swap = p01_tmp1_swap + (uint32_t)40U; + Hacl_Impl_Curve25519_Field51_cswap2((uint64_t)1U, nq10, nq_p11); + point_add_and_double(init, p01_tmp11, tmp2); + swap[0U] = (uint64_t)1U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)251U; i++) + { + uint64_t *p01_tmp12 = p01_tmp1_swap; + uint64_t *swap1 = p01_tmp1_swap + (uint32_t)40U; + uint64_t *nq2 = 
p01_tmp12; + uint64_t *nq_p12 = p01_tmp12 + (uint32_t)10U; + uint64_t + bit = + (uint64_t)(key[((uint32_t)253U - i) + / (uint32_t)8U] + >> ((uint32_t)253U - i) % (uint32_t)8U + & (uint8_t)1U); + uint64_t sw = swap1[0U] ^ bit; + Hacl_Impl_Curve25519_Field51_cswap2(sw, nq2, nq_p12); + point_add_and_double(init, p01_tmp12, tmp2); + swap1[0U] = bit; + } + } + sw0 = swap[0U]; + Hacl_Impl_Curve25519_Field51_cswap2(sw0, nq10, nq_p11); + nq1 = p01_tmp1; + tmp1 = p01_tmp1 + (uint32_t)20U; + point_double(nq1, tmp1, tmp2); + point_double(nq1, tmp1, tmp2); + point_double(nq1, tmp1, tmp2); + memcpy(out, p0, (uint32_t)10U * sizeof (uint64_t)); + } +} + +void +Hacl_Curve25519_51_fsquare_times( + uint64_t *o, + uint64_t *inp, + FStar_UInt128_uint128 *tmp, + uint32_t n +) +{ + uint32_t i; + Hacl_Impl_Curve25519_Field51_fsqr(o, inp, tmp); + for (i = (uint32_t)0U; i < n - (uint32_t)1U; i++) + { + Hacl_Impl_Curve25519_Field51_fsqr(o, o, tmp); + } +} + +void Hacl_Curve25519_51_finv(uint64_t *o, uint64_t *i, FStar_UInt128_uint128 *tmp) +{ + uint64_t t1[20U] = { 0U }; + uint64_t *a1 = t1; + uint64_t *b10 = t1 + (uint32_t)5U; + uint64_t *t010 = t1 + (uint32_t)15U; + FStar_UInt128_uint128 *tmp10 = tmp; + uint64_t *b11; + uint64_t *c10; + uint64_t *t011; + FStar_UInt128_uint128 *tmp11; + uint64_t *b1; + uint64_t *c1; + uint64_t *t01; + FStar_UInt128_uint128 *tmp1; + uint64_t *a; + uint64_t *t0; + Hacl_Curve25519_51_fsquare_times(a1, i, tmp10, (uint32_t)1U); + Hacl_Curve25519_51_fsquare_times(t010, a1, tmp10, (uint32_t)2U); + Hacl_Impl_Curve25519_Field51_fmul(b10, t010, i, tmp); + Hacl_Impl_Curve25519_Field51_fmul(a1, b10, a1, tmp); + Hacl_Curve25519_51_fsquare_times(t010, a1, tmp10, (uint32_t)1U); + Hacl_Impl_Curve25519_Field51_fmul(b10, t010, b10, tmp); + Hacl_Curve25519_51_fsquare_times(t010, b10, tmp10, (uint32_t)5U); + Hacl_Impl_Curve25519_Field51_fmul(b10, t010, b10, tmp); + b11 = t1 + (uint32_t)5U; + c10 = t1 + (uint32_t)10U; + t011 = t1 + (uint32_t)15U; + tmp11 = tmp; + 
Hacl_Curve25519_51_fsquare_times(t011, b11, tmp11, (uint32_t)10U); + Hacl_Impl_Curve25519_Field51_fmul(c10, t011, b11, tmp); + Hacl_Curve25519_51_fsquare_times(t011, c10, tmp11, (uint32_t)20U); + Hacl_Impl_Curve25519_Field51_fmul(t011, t011, c10, tmp); + Hacl_Curve25519_51_fsquare_times(t011, t011, tmp11, (uint32_t)10U); + Hacl_Impl_Curve25519_Field51_fmul(b11, t011, b11, tmp); + Hacl_Curve25519_51_fsquare_times(t011, b11, tmp11, (uint32_t)50U); + Hacl_Impl_Curve25519_Field51_fmul(c10, t011, b11, tmp); + b1 = t1 + (uint32_t)5U; + c1 = t1 + (uint32_t)10U; + t01 = t1 + (uint32_t)15U; + tmp1 = tmp; + Hacl_Curve25519_51_fsquare_times(t01, c1, tmp1, (uint32_t)100U); + Hacl_Impl_Curve25519_Field51_fmul(t01, t01, c1, tmp); + Hacl_Curve25519_51_fsquare_times(t01, t01, tmp1, (uint32_t)50U); + Hacl_Impl_Curve25519_Field51_fmul(t01, t01, b1, tmp); + Hacl_Curve25519_51_fsquare_times(t01, t01, tmp1, (uint32_t)5U); + a = t1; + t0 = t1 + (uint32_t)15U; + Hacl_Impl_Curve25519_Field51_fmul(o, t0, a, tmp); +} + +static void encode_point(uint8_t *o, uint64_t *i) +{ + uint64_t *x = i; + uint64_t *z = i + (uint32_t)5U; + uint64_t tmp[5U] = { 0U }; + uint64_t u64s[4U] = { 0U }; + FStar_UInt128_uint128 tmp_w[10U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)10U; ++_i) + tmp_w[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + } + Hacl_Curve25519_51_finv(tmp, z, tmp_w); + Hacl_Impl_Curve25519_Field51_fmul(tmp, tmp, x, tmp_w); + Hacl_Impl_Curve25519_Field51_store_felem(u64s, tmp); + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + store64_le(o + i0 * (uint32_t)8U, u64s[i0]); + } + } +} + +void Hacl_Curve25519_51_scalarmult(uint8_t *out, uint8_t *priv, uint8_t *pub) +{ + uint64_t init[10U] = { 0U }; + uint64_t tmp[4U] = { 0U }; + uint64_t tmp3; + uint64_t *x; + uint64_t *z; + uint64_t f0l; + uint64_t f0h; + uint64_t f1l; + uint64_t f1h; + uint64_t f2l; + uint64_t f2h; + uint64_t f3l; + uint64_t f3h; + { + uint32_t i; + for (i = (uint32_t)0U; i < 
(uint32_t)4U; i++) + { + uint64_t *os = tmp; + uint8_t *bj = pub + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x0 = r; + os[i] = x0; + } + } + tmp3 = tmp[3U]; + tmp[3U] = tmp3 & (uint64_t)0x7fffffffffffffffU; + x = init; + z = init + (uint32_t)5U; + z[0U] = (uint64_t)1U; + z[1U] = (uint64_t)0U; + z[2U] = (uint64_t)0U; + z[3U] = (uint64_t)0U; + z[4U] = (uint64_t)0U; + f0l = tmp[0U] & (uint64_t)0x7ffffffffffffU; + f0h = tmp[0U] >> (uint32_t)51U; + f1l = (tmp[1U] & (uint64_t)0x3fffffffffU) << (uint32_t)13U; + f1h = tmp[1U] >> (uint32_t)38U; + f2l = (tmp[2U] & (uint64_t)0x1ffffffU) << (uint32_t)26U; + f2h = tmp[2U] >> (uint32_t)25U; + f3l = (tmp[3U] & (uint64_t)0xfffU) << (uint32_t)39U; + f3h = tmp[3U] >> (uint32_t)12U; + x[0U] = f0l; + x[1U] = f0h | f1l; + x[2U] = f1h | f2l; + x[3U] = f2h | f3l; + x[4U] = f3h; + montgomery_ladder(init, priv, init); + encode_point(out, init); +} + +void Hacl_Curve25519_51_secret_to_public(uint8_t *pub, uint8_t *priv) +{ + uint8_t basepoint[32U] = { 0U }; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint8_t *os = basepoint; + uint8_t x = g25519[i]; + os[i] = x; + } + } + Hacl_Curve25519_51_scalarmult(pub, priv, basepoint); +} + +bool Hacl_Curve25519_51_ecdh(uint8_t *out, uint8_t *priv, uint8_t *pub) +{ + uint8_t zeros[32U] = { 0U }; + Hacl_Curve25519_51_scalarmult(out, priv, pub); + { + uint8_t res = (uint8_t)255U; + uint8_t z; + bool r; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint8_t uu____0 = FStar_UInt8_eq_mask(out[i], zeros[i]); + res = uu____0 & res; + } + } + z = res; + r = z == (uint8_t)255U; + return !r; + } +} + diff --git a/src/c89/Hacl_Curve25519_64.c b/src/c89/Hacl_Curve25519_64.c new file mode 100644 index 00000000..1ab27231 --- /dev/null +++ b/src/c89/Hacl_Curve25519_64.c 
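Review bot: `Hacl_Curve25519_51_fsquare_times` is exported (non-static) and its loop bound `i < n - (uint32_t)1U` wraps to UINT32_MAX when `n` is 0, so a zero count performs about four billion squarings instead of none; every caller in this file passes n >= 1, so the precondition should at least be written down, e.g. `/* Precondition: n >= 1. Computes o = inp^(2^n); o may alias inp. */` above the definition. In the same file `Hacl_Curve25519_51_ecdh` returns `!r`, i.e. true only when the shared secret written to `out` is not all zeros (the constant-time `FStar_UInt8_eq_mask` loop is a low-order-point check), and it does not clear `out` on the false path; since this .c carries no doc comments, a one-line comment stating that `out` is only meaningful when the function returns true would save callers from misreading the boolean. The same two points apply verbatim to `fsquare_times` and `Hacl_Curve25519_64_ecdh` in the following Hacl_Curve25519_64.c hunk.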
@@ -0,0 +1,461 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Curve25519_64.h" + +#include "internal/Vale.h" +#include "curve25519-inline.h" +static inline uint64_t add_scalar0(uint64_t *out, uint64_t *f1, uint64_t f2) +{ + #if HACL_CAN_COMPILE_INLINE_ASM + return add_scalar(out, f1, f2); + #else + uint64_t scrut = add_scalar_e(out, f1, f2); + return scrut; + #endif +} + +static inline void fadd0(uint64_t *out, uint64_t *f1, uint64_t *f2) +{ + #if HACL_CAN_COMPILE_INLINE_ASM + fadd(out, f1, f2); + #else + uint64_t uu____0 = fadd_e(out, f1, f2); + #endif +} + +static inline void fsub0(uint64_t *out, uint64_t *f1, uint64_t *f2) +{ + #if HACL_CAN_COMPILE_INLINE_ASM + fsub(out, f1, f2); + #else + uint64_t uu____0 = fsub_e(out, f1, f2); + #endif +} + +static inline void fmul0(uint64_t *out, uint64_t *f1, uint64_t *f2, uint64_t *tmp) +{ + #if HACL_CAN_COMPILE_INLINE_ASM + fmul(out, f1, f2, tmp); + #else + uint64_t uu____0 = fmul_e(tmp, f1, out, f2); + #endif +} + +static inline void fmul20(uint64_t *out, uint64_t *f1, uint64_t *f2, uint64_t *tmp) +{ + #if HACL_CAN_COMPILE_INLINE_ASM + fmul2(out, f1, f2, tmp); + #else + uint64_t uu____0 = fmul2_e(tmp, f1, out, f2); + #endif +} + +static inline void fmul_scalar0(uint64_t *out, uint64_t *f1, uint64_t f2) +{ + #if HACL_CAN_COMPILE_INLINE_ASM + fmul_scalar(out, f1, f2); + #else + uint64_t uu____0 = fmul_scalar_e(out, f1, f2); + #endif +} + +static inline void fsqr0(uint64_t *out, uint64_t *f1, uint64_t *tmp) +{ + #if HACL_CAN_COMPILE_INLINE_ASM + fsqr(out, f1, tmp); + #else + uint64_t uu____0 = fsqr_e(tmp, f1, out); + #endif +} + +static inline void fsqr20(uint64_t *out, uint64_t *f, uint64_t *tmp) +{ + #if HACL_CAN_COMPILE_INLINE_ASM + fsqr2(out, f, tmp); + #else + uint64_t uu____0 = fsqr2_e(tmp, f, out); + #endif +} + +static inline void cswap20(uint64_t bit, uint64_t *p1, uint64_t *p2) +{ + #if HACL_CAN_COMPILE_INLINE_ASM + cswap2(bit, p1, p2); + #else + uint64_t uu____0 = cswap2_e(bit, p1, p2); + #endif +} + +static const uint8_t g25519[32U] = { (uint8_t)9U 
}; + +static void point_add_and_double(uint64_t *q, uint64_t *p01_tmp1, uint64_t *tmp2) +{ + uint64_t *nq = p01_tmp1; + uint64_t *nq_p1 = p01_tmp1 + (uint32_t)8U; + uint64_t *tmp1 = p01_tmp1 + (uint32_t)16U; + uint64_t *x1 = q; + uint64_t *x2 = nq; + uint64_t *z2 = nq + (uint32_t)4U; + uint64_t *z3 = nq_p1 + (uint32_t)4U; + uint64_t *a = tmp1; + uint64_t *b = tmp1 + (uint32_t)4U; + uint64_t *ab = tmp1; + uint64_t *dc = tmp1 + (uint32_t)8U; + uint64_t *x3; + uint64_t *z31; + uint64_t *d0; + uint64_t *c0; + uint64_t *a1; + uint64_t *b1; + uint64_t *d; + uint64_t *c; + uint64_t *ab1; + uint64_t *dc1; + fadd0(a, x2, z2); + fsub0(b, x2, z2); + x3 = nq_p1; + z31 = nq_p1 + (uint32_t)4U; + d0 = dc; + c0 = dc + (uint32_t)4U; + fadd0(c0, x3, z31); + fsub0(d0, x3, z31); + fmul20(dc, dc, ab, tmp2); + fadd0(x3, d0, c0); + fsub0(z31, d0, c0); + a1 = tmp1; + b1 = tmp1 + (uint32_t)4U; + d = tmp1 + (uint32_t)8U; + c = tmp1 + (uint32_t)12U; + ab1 = tmp1; + dc1 = tmp1 + (uint32_t)8U; + fsqr20(dc1, ab1, tmp2); + fsqr20(nq_p1, nq_p1, tmp2); + a1[0U] = c[0U]; + a1[1U] = c[1U]; + a1[2U] = c[2U]; + a1[3U] = c[3U]; + fsub0(c, d, c); + fmul_scalar0(b1, c, (uint64_t)121665U); + fadd0(b1, b1, d); + fmul20(nq, dc1, ab1, tmp2); + fmul0(z3, z3, x1, tmp2); +} + +static void point_double(uint64_t *nq, uint64_t *tmp1, uint64_t *tmp2) +{ + uint64_t *x2 = nq; + uint64_t *z2 = nq + (uint32_t)4U; + uint64_t *a = tmp1; + uint64_t *b = tmp1 + (uint32_t)4U; + uint64_t *d = tmp1 + (uint32_t)8U; + uint64_t *c = tmp1 + (uint32_t)12U; + uint64_t *ab = tmp1; + uint64_t *dc = tmp1 + (uint32_t)8U; + fadd0(a, x2, z2); + fsub0(b, x2, z2); + fsqr20(dc, ab, tmp2); + a[0U] = c[0U]; + a[1U] = c[1U]; + a[2U] = c[2U]; + a[3U] = c[3U]; + fsub0(c, d, c); + fmul_scalar0(b, c, (uint64_t)121665U); + fadd0(b, b, d); + fmul20(nq, dc, ab, tmp2); +} + +static void montgomery_ladder(uint64_t *out, uint8_t *key, uint64_t *init) +{ + uint64_t tmp2[16U] = { 0U }; + uint64_t p01_tmp1_swap[33U] = { 0U }; + uint64_t *p0 = 
p01_tmp1_swap; + uint64_t *p01 = p01_tmp1_swap; + uint64_t *p03 = p01; + uint64_t *p11 = p01 + (uint32_t)8U; + uint64_t *x0; + uint64_t *z0; + uint64_t *p01_tmp1; + uint64_t *p01_tmp11; + uint64_t *nq10; + uint64_t *nq_p11; + uint64_t *swap; + uint64_t sw0; + uint64_t *nq1; + uint64_t *tmp1; + memcpy(p11, init, (uint32_t)8U * sizeof (uint64_t)); + x0 = p03; + z0 = p03 + (uint32_t)4U; + x0[0U] = (uint64_t)1U; + x0[1U] = (uint64_t)0U; + x0[2U] = (uint64_t)0U; + x0[3U] = (uint64_t)0U; + z0[0U] = (uint64_t)0U; + z0[1U] = (uint64_t)0U; + z0[2U] = (uint64_t)0U; + z0[3U] = (uint64_t)0U; + p01_tmp1 = p01_tmp1_swap; + p01_tmp11 = p01_tmp1_swap; + nq10 = p01_tmp1_swap; + nq_p11 = p01_tmp1_swap + (uint32_t)8U; + swap = p01_tmp1_swap + (uint32_t)32U; + cswap20((uint64_t)1U, nq10, nq_p11); + point_add_and_double(init, p01_tmp11, tmp2); + swap[0U] = (uint64_t)1U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)251U; i++) + { + uint64_t *p01_tmp12 = p01_tmp1_swap; + uint64_t *swap1 = p01_tmp1_swap + (uint32_t)32U; + uint64_t *nq2 = p01_tmp12; + uint64_t *nq_p12 = p01_tmp12 + (uint32_t)8U; + uint64_t + bit = + (uint64_t)(key[((uint32_t)253U - i) + / (uint32_t)8U] + >> ((uint32_t)253U - i) % (uint32_t)8U + & (uint8_t)1U); + uint64_t sw = swap1[0U] ^ bit; + cswap20(sw, nq2, nq_p12); + point_add_and_double(init, p01_tmp12, tmp2); + swap1[0U] = bit; + } + } + sw0 = swap[0U]; + cswap20(sw0, nq10, nq_p11); + nq1 = p01_tmp1; + tmp1 = p01_tmp1 + (uint32_t)16U; + point_double(nq1, tmp1, tmp2); + point_double(nq1, tmp1, tmp2); + point_double(nq1, tmp1, tmp2); + memcpy(out, p0, (uint32_t)8U * sizeof (uint64_t)); +} + +static void fsquare_times(uint64_t *o, uint64_t *inp, uint64_t *tmp, uint32_t n) +{ + uint32_t i; + fsqr0(o, inp, tmp); + for (i = (uint32_t)0U; i < n - (uint32_t)1U; i++) + { + fsqr0(o, o, tmp); + } +} + +static void finv(uint64_t *o, uint64_t *i, uint64_t *tmp) +{ + uint64_t t1[16U] = { 0U }; + uint64_t *a1 = t1; + uint64_t *b10 = t1 + (uint32_t)4U; + uint64_t *t010 
= t1 + (uint32_t)12U; + uint64_t *tmp10 = tmp; + uint64_t *b11; + uint64_t *c10; + uint64_t *t011; + uint64_t *tmp11; + uint64_t *b1; + uint64_t *c1; + uint64_t *t01; + uint64_t *tmp1; + uint64_t *a; + uint64_t *t0; + fsquare_times(a1, i, tmp10, (uint32_t)1U); + fsquare_times(t010, a1, tmp10, (uint32_t)2U); + fmul0(b10, t010, i, tmp); + fmul0(a1, b10, a1, tmp); + fsquare_times(t010, a1, tmp10, (uint32_t)1U); + fmul0(b10, t010, b10, tmp); + fsquare_times(t010, b10, tmp10, (uint32_t)5U); + fmul0(b10, t010, b10, tmp); + b11 = t1 + (uint32_t)4U; + c10 = t1 + (uint32_t)8U; + t011 = t1 + (uint32_t)12U; + tmp11 = tmp; + fsquare_times(t011, b11, tmp11, (uint32_t)10U); + fmul0(c10, t011, b11, tmp); + fsquare_times(t011, c10, tmp11, (uint32_t)20U); + fmul0(t011, t011, c10, tmp); + fsquare_times(t011, t011, tmp11, (uint32_t)10U); + fmul0(b11, t011, b11, tmp); + fsquare_times(t011, b11, tmp11, (uint32_t)50U); + fmul0(c10, t011, b11, tmp); + b1 = t1 + (uint32_t)4U; + c1 = t1 + (uint32_t)8U; + t01 = t1 + (uint32_t)12U; + tmp1 = tmp; + fsquare_times(t01, c1, tmp1, (uint32_t)100U); + fmul0(t01, t01, c1, tmp); + fsquare_times(t01, t01, tmp1, (uint32_t)50U); + fmul0(t01, t01, b1, tmp); + fsquare_times(t01, t01, tmp1, (uint32_t)5U); + a = t1; + t0 = t1 + (uint32_t)12U; + fmul0(o, t0, a, tmp); +} + +static void store_felem(uint64_t *b, uint64_t *f) +{ + uint64_t f30 = f[3U]; + uint64_t top_bit0 = f30 >> (uint32_t)63U; + uint64_t carry0; + uint64_t f31; + uint64_t top_bit; + uint64_t carry; + uint64_t f0; + uint64_t f1; + uint64_t f2; + uint64_t f3; + uint64_t m0; + uint64_t m1; + uint64_t m2; + uint64_t m3; + uint64_t mask; + uint64_t f0_; + uint64_t f1_; + uint64_t f2_; + uint64_t f3_; + uint64_t o0; + uint64_t o1; + uint64_t o2; + uint64_t o3; + f[3U] = f30 & (uint64_t)0x7fffffffffffffffU; + carry0 = add_scalar0(f, f, (uint64_t)19U * top_bit0); + f31 = f[3U]; + top_bit = f31 >> (uint32_t)63U; + f[3U] = f31 & (uint64_t)0x7fffffffffffffffU; + carry = add_scalar0(f, f, (uint64_t)19U * 
top_bit); + f0 = f[0U]; + f1 = f[1U]; + f2 = f[2U]; + f3 = f[3U]; + m0 = FStar_UInt64_gte_mask(f0, (uint64_t)0xffffffffffffffedU); + m1 = FStar_UInt64_eq_mask(f1, (uint64_t)0xffffffffffffffffU); + m2 = FStar_UInt64_eq_mask(f2, (uint64_t)0xffffffffffffffffU); + m3 = FStar_UInt64_eq_mask(f3, (uint64_t)0x7fffffffffffffffU); + mask = ((m0 & m1) & m2) & m3; + f0_ = f0 - (mask & (uint64_t)0xffffffffffffffedU); + f1_ = f1 - (mask & (uint64_t)0xffffffffffffffffU); + f2_ = f2 - (mask & (uint64_t)0xffffffffffffffffU); + f3_ = f3 - (mask & (uint64_t)0x7fffffffffffffffU); + o0 = f0_; + o1 = f1_; + o2 = f2_; + o3 = f3_; + b[0U] = o0; + b[1U] = o1; + b[2U] = o2; + b[3U] = o3; +} + +static void encode_point(uint8_t *o, uint64_t *i) +{ + uint64_t *x = i; + uint64_t *z = i + (uint32_t)4U; + uint64_t tmp[4U] = { 0U }; + uint64_t u64s[4U] = { 0U }; + uint64_t tmp_w[16U] = { 0U }; + finv(tmp, z, tmp_w); + fmul0(tmp, tmp, x, tmp_w); + store_felem(u64s, tmp); + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + store64_le(o + i0 * (uint32_t)8U, u64s[i0]); + } + } +} + +void Hacl_Curve25519_64_scalarmult(uint8_t *out, uint8_t *priv, uint8_t *pub) +{ + uint64_t init[8U] = { 0U }; + uint64_t tmp[4U] = { 0U }; + uint64_t tmp3; + uint64_t *x; + uint64_t *z; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = tmp; + uint8_t *bj = pub + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x0 = r; + os[i] = x0; + } + } + tmp3 = tmp[3U]; + tmp[3U] = tmp3 & (uint64_t)0x7fffffffffffffffU; + x = init; + z = init + (uint32_t)4U; + z[0U] = (uint64_t)1U; + z[1U] = (uint64_t)0U; + z[2U] = (uint64_t)0U; + z[3U] = (uint64_t)0U; + x[0U] = tmp[0U]; + x[1U] = tmp[1U]; + x[2U] = tmp[2U]; + x[3U] = tmp[3U]; + montgomery_ladder(init, priv, init); + encode_point(out, init); +} + +void Hacl_Curve25519_64_secret_to_public(uint8_t *pub, uint8_t *priv) +{ + uint8_t basepoint[32U] = { 0U }; + { + uint32_t i; + for (i = (uint32_t)0U; i 
< (uint32_t)32U; i++) + { + uint8_t *os = basepoint; + uint8_t x = g25519[i]; + os[i] = x; + } + } + Hacl_Curve25519_64_scalarmult(pub, priv, basepoint); +} + +bool Hacl_Curve25519_64_ecdh(uint8_t *out, uint8_t *priv, uint8_t *pub) +{ + uint8_t zeros[32U] = { 0U }; + Hacl_Curve25519_64_scalarmult(out, priv, pub); + { + uint8_t res = (uint8_t)255U; + uint8_t z; + bool r; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint8_t uu____0 = FStar_UInt8_eq_mask(out[i], zeros[i]); + res = uu____0 & res; + } + } + z = res; + r = z == (uint8_t)255U; + return !r; + } +} + diff --git a/src/c89/Hacl_Ed25519.c b/src/c89/Hacl_Ed25519.c new file mode 100644 index 00000000..8483756c --- /dev/null +++ b/src/c89/Hacl_Ed25519.c 
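Review bot: The `#else` branches of `fadd0`, `fsub0`, `fmul0`, `fmul20`, `fmul_scalar0`, `fsqr0`, `fsqr20` and `cswap20` bind the `_e` return value to a local `uu____0` that is never read, and `store_felem` does the same with `carry0` and `carry`; under `-Wall` every one of these warns as unused, and a `-Werror` build of the non-assembly path fails. Discarding explicitly, `(void)fadd_e(out, f1, f2);`, keeps the extracted semantics without the dead locals. Separately, `#if HACL_CAN_COMPILE_INLINE_ASM` evaluates an undefined macro as 0, so a translation unit that does not see the build's config definitions silently selects the extern `_e` fallback instead of failing; a `#ifndef HACL_CAN_COMPILE_INLINE_ASM` / `#error` pair next to the includes would make that configuration mistake visible at compile time rather than as a silent implementation switch.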
@@ -0,0 +1,2048 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Ed25519.h" + +#include "internal/Hacl_Hash_SHA2.h" +#include "internal/Hacl_Curve25519_51.h" + +static inline void fsum(uint64_t *a, uint64_t *b) +{ + Hacl_Impl_Curve25519_Field51_fadd(a, a, b); +} + +static inline void fdifference(uint64_t *a, uint64_t *b) +{ + Hacl_Impl_Curve25519_Field51_fsub(a, b, a); +} + +void Hacl_Bignum25519_reduce_513(uint64_t *a) +{ + uint64_t f0 = a[0U]; + uint64_t f1 = a[1U]; + uint64_t f2 = a[2U]; + uint64_t f3 = a[3U]; + uint64_t f4 = a[4U]; + uint64_t l_ = f0 + (uint64_t)0U; + uint64_t tmp0 = l_ & (uint64_t)0x7ffffffffffffU; + uint64_t c0 = l_ >> (uint32_t)51U; + uint64_t l_0 = f1 + c0; + uint64_t tmp1 = l_0 & (uint64_t)0x7ffffffffffffU; + uint64_t c1 = l_0 >> (uint32_t)51U; + uint64_t l_1 = f2 + c1; + uint64_t tmp2 = l_1 & (uint64_t)0x7ffffffffffffU; + uint64_t c2 = l_1 >> (uint32_t)51U; + uint64_t l_2 = f3 + c2; + uint64_t tmp3 = l_2 & (uint64_t)0x7ffffffffffffU; + uint64_t c3 = l_2 >> (uint32_t)51U; + uint64_t l_3 = f4 + c3; + uint64_t tmp4 = l_3 & (uint64_t)0x7ffffffffffffU; + uint64_t c4 = l_3 >> (uint32_t)51U; + uint64_t l_4 = tmp0 + c4 * (uint64_t)19U; + uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU; + uint64_t c5 = l_4 >> (uint32_t)51U; + a[0U] = tmp0_; + a[1U] = tmp1 + c5; + a[2U] = tmp2; + a[3U] = tmp3; + a[4U] = tmp4; +} + +static inline void fmul0(uint64_t *output, uint64_t *input, uint64_t *input2) +{ + FStar_UInt128_uint128 tmp[10U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)10U; ++_i) + tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + } + Hacl_Impl_Curve25519_Field51_fmul(output, input, input2, tmp); +} + +static inline void times_2(uint64_t *out, uint64_t *a) +{ + uint64_t a0 = a[0U]; + uint64_t a1 = a[1U]; + uint64_t a2 = a[2U]; + uint64_t a3 = a[3U]; + uint64_t a4 = a[4U]; + uint64_t o0 = (uint64_t)2U * a0; + uint64_t o1 = (uint64_t)2U * a1; + uint64_t o2 = (uint64_t)2U * a2; + uint64_t o3 = (uint64_t)2U * a3; + uint64_t o4 = (uint64_t)2U * a4; + out[0U] = o0; 
+ out[1U] = o1; + out[2U] = o2; + out[3U] = o3; + out[4U] = o4; +} + +static inline void times_d(uint64_t *out, uint64_t *a) +{ + uint64_t d[5U] = { 0U }; + d[0U] = (uint64_t)0x00034dca135978a3U; + d[1U] = (uint64_t)0x0001a8283b156ebdU; + d[2U] = (uint64_t)0x0005e7a26001c029U; + d[3U] = (uint64_t)0x000739c663a03cbbU; + d[4U] = (uint64_t)0x00052036cee2b6ffU; + fmul0(out, d, a); +} + +static inline void times_2d(uint64_t *out, uint64_t *a) +{ + uint64_t d2[5U] = { 0U }; + d2[0U] = (uint64_t)0x00069b9426b2f159U; + d2[1U] = (uint64_t)0x00035050762add7aU; + d2[2U] = (uint64_t)0x0003cf44c0038052U; + d2[3U] = (uint64_t)0x0006738cc7407977U; + d2[4U] = (uint64_t)0x0002406d9dc56dffU; + fmul0(out, d2, a); +} + +static inline void fsquare(uint64_t *out, uint64_t *a) +{ + FStar_UInt128_uint128 tmp[5U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)5U; ++_i) + tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + } + Hacl_Impl_Curve25519_Field51_fsqr(out, a, tmp); +} + +static inline void fsquare_times(uint64_t *output, uint64_t *input, uint32_t count) +{ + FStar_UInt128_uint128 tmp[5U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)5U; ++_i) + tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + } + Hacl_Curve25519_51_fsquare_times(output, input, tmp, count); +} + +static inline void fsquare_times_inplace(uint64_t *output, uint32_t count) +{ + FStar_UInt128_uint128 tmp[5U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)5U; ++_i) + tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + } + Hacl_Curve25519_51_fsquare_times(output, output, tmp, count); +} + +void Hacl_Bignum25519_inverse(uint64_t *out, uint64_t *a) +{ + FStar_UInt128_uint128 tmp[10U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)10U; ++_i) + tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + } + Hacl_Curve25519_51_finv(out, a, tmp); +} + +static inline void reduce(uint64_t *out) +{ + uint64_t o0 = out[0U]; + uint64_t o1 = out[1U]; + uint64_t o2 = out[2U]; + uint64_t o3 = 
out[3U]; + uint64_t o4 = out[4U]; + uint64_t l_ = o0 + (uint64_t)0U; + uint64_t tmp0 = l_ & (uint64_t)0x7ffffffffffffU; + uint64_t c0 = l_ >> (uint32_t)51U; + uint64_t l_0 = o1 + c0; + uint64_t tmp1 = l_0 & (uint64_t)0x7ffffffffffffU; + uint64_t c1 = l_0 >> (uint32_t)51U; + uint64_t l_1 = o2 + c1; + uint64_t tmp2 = l_1 & (uint64_t)0x7ffffffffffffU; + uint64_t c2 = l_1 >> (uint32_t)51U; + uint64_t l_2 = o3 + c2; + uint64_t tmp3 = l_2 & (uint64_t)0x7ffffffffffffU; + uint64_t c3 = l_2 >> (uint32_t)51U; + uint64_t l_3 = o4 + c3; + uint64_t tmp4 = l_3 & (uint64_t)0x7ffffffffffffU; + uint64_t c4 = l_3 >> (uint32_t)51U; + uint64_t l_4 = tmp0 + c4 * (uint64_t)19U; + uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU; + uint64_t c5 = l_4 >> (uint32_t)51U; + uint64_t f0 = tmp0_; + uint64_t f1 = tmp1 + c5; + uint64_t f2 = tmp2; + uint64_t f3 = tmp3; + uint64_t f4 = tmp4; + uint64_t m0 = FStar_UInt64_gte_mask(f0, (uint64_t)0x7ffffffffffedU); + uint64_t m1 = FStar_UInt64_eq_mask(f1, (uint64_t)0x7ffffffffffffU); + uint64_t m2 = FStar_UInt64_eq_mask(f2, (uint64_t)0x7ffffffffffffU); + uint64_t m3 = FStar_UInt64_eq_mask(f3, (uint64_t)0x7ffffffffffffU); + uint64_t m4 = FStar_UInt64_eq_mask(f4, (uint64_t)0x7ffffffffffffU); + uint64_t mask = (((m0 & m1) & m2) & m3) & m4; + uint64_t f0_ = f0 - (mask & (uint64_t)0x7ffffffffffedU); + uint64_t f1_ = f1 - (mask & (uint64_t)0x7ffffffffffffU); + uint64_t f2_ = f2 - (mask & (uint64_t)0x7ffffffffffffU); + uint64_t f3_ = f3 - (mask & (uint64_t)0x7ffffffffffffU); + uint64_t f4_ = f4 - (mask & (uint64_t)0x7ffffffffffffU); + uint64_t f01 = f0_; + uint64_t f11 = f1_; + uint64_t f21 = f2_; + uint64_t f31 = f3_; + uint64_t f41 = f4_; + out[0U] = f01; + out[1U] = f11; + out[2U] = f21; + out[3U] = f31; + out[4U] = f41; +} + +void Hacl_Bignum25519_load_51(uint64_t *output, uint8_t *input) +{ + uint64_t u64s[4U] = { 0U }; + uint64_t u64s3; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = u64s; + uint8_t *bj = input + 
i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + } + u64s3 = u64s[3U]; + u64s[3U] = u64s3 & (uint64_t)0x7fffffffffffffffU; + output[0U] = u64s[0U] & (uint64_t)0x7ffffffffffffU; + output[1U] = u64s[0U] >> (uint32_t)51U | (u64s[1U] & (uint64_t)0x3fffffffffU) << (uint32_t)13U; + output[2U] = u64s[1U] >> (uint32_t)38U | (u64s[2U] & (uint64_t)0x1ffffffU) << (uint32_t)26U; + output[3U] = u64s[2U] >> (uint32_t)25U | (u64s[3U] & (uint64_t)0xfffU) << (uint32_t)39U; + output[4U] = u64s[3U] >> (uint32_t)12U; +} + +void Hacl_Bignum25519_store_51(uint8_t *output, uint64_t *input) +{ + uint64_t u64s[4U] = { 0U }; + Hacl_Impl_Curve25519_Field51_store_felem(u64s, input); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store64_le(output + i * (uint32_t)8U, u64s[i]); + } + } +} + +static inline void point_double(uint64_t *out, uint64_t *p) +{ + uint64_t tmp[30U] = { 0U }; + uint64_t *tmp2 = tmp + (uint32_t)5U; + uint64_t *tmp3 = tmp + (uint32_t)10U; + uint64_t *tmp4 = tmp + (uint32_t)15U; + uint64_t *tmp6 = tmp + (uint32_t)25U; + uint64_t *x3 = out; + uint64_t *y3 = out + (uint32_t)5U; + uint64_t *z3 = out + (uint32_t)10U; + uint64_t *t3 = out + (uint32_t)15U; + uint64_t *tmp110 = tmp; + uint64_t *tmp210 = tmp + (uint32_t)5U; + uint64_t *tmp310 = tmp + (uint32_t)10U; + uint64_t *tmp410 = tmp + (uint32_t)15U; + uint64_t *x10 = p; + uint64_t *y10 = p + (uint32_t)5U; + uint64_t *z1 = p + (uint32_t)10U; + uint64_t *tmp11; + uint64_t *tmp21; + uint64_t *tmp31; + uint64_t *tmp41; + uint64_t *tmp51; + uint64_t *tmp61; + uint64_t *x1; + uint64_t *y1; + fsquare(tmp110, x10); + fsquare(tmp210, y10); + fsquare(tmp310, z1); + times_2(tmp410, tmp310); + memcpy(tmp310, tmp110, (uint32_t)5U * sizeof (uint64_t)); + fsum(tmp310, tmp210); + tmp11 = tmp; + tmp21 = tmp + (uint32_t)5U; + tmp31 = tmp + (uint32_t)10U; + tmp41 = tmp + (uint32_t)15U; + tmp51 = tmp + (uint32_t)20U; + tmp61 = tmp + (uint32_t)25U; + x1 = p; + y1 = p 
+ (uint32_t)5U; + memcpy(tmp51, x1, (uint32_t)5U * sizeof (uint64_t)); + fsum(tmp51, y1); + fsquare(tmp61, tmp51); + memcpy(tmp51, tmp31, (uint32_t)5U * sizeof (uint64_t)); + Hacl_Bignum25519_reduce_513(tmp51); + fdifference(tmp61, tmp51); + fdifference(tmp21, tmp11); + Hacl_Bignum25519_reduce_513(tmp21); + Hacl_Bignum25519_reduce_513(tmp41); + fsum(tmp41, tmp21); + fmul0(x3, tmp4, tmp6); + fmul0(y3, tmp2, tmp3); + fmul0(t3, tmp6, tmp3); + fmul0(z3, tmp4, tmp2); +} + +void Hacl_Impl_Ed25519_PointAdd_point_add(uint64_t *out, uint64_t *p, uint64_t *q) +{ + uint64_t tmp[30U] = { 0U }; + uint64_t *tmp10 = tmp; + uint64_t *tmp20 = tmp + (uint32_t)5U; + uint64_t *tmp30 = tmp + (uint32_t)10U; + uint64_t *tmp40 = tmp + (uint32_t)15U; + uint64_t *x1 = p; + uint64_t *y1 = p + (uint32_t)5U; + uint64_t *x2 = q; + uint64_t *y2 = q + (uint32_t)5U; + uint64_t *tmp11; + uint64_t *tmp2; + uint64_t *tmp3; + uint64_t *tmp41; + uint64_t *tmp50; + uint64_t *tmp60; + uint64_t *z1; + uint64_t *t1; + uint64_t *z2; + uint64_t *t2; + uint64_t *tmp1; + uint64_t *tmp4; + uint64_t *tmp5; + uint64_t *tmp6; + uint64_t *x3; + uint64_t *y3; + uint64_t *z3; + uint64_t *t3; + memcpy(tmp10, x1, (uint32_t)5U * sizeof (uint64_t)); + memcpy(tmp20, x2, (uint32_t)5U * sizeof (uint64_t)); + fdifference(tmp10, y1); + fdifference(tmp20, y2); + fmul0(tmp30, tmp10, tmp20); + memcpy(tmp10, y1, (uint32_t)5U * sizeof (uint64_t)); + memcpy(tmp20, y2, (uint32_t)5U * sizeof (uint64_t)); + fsum(tmp10, x1); + fsum(tmp20, x2); + fmul0(tmp40, tmp10, tmp20); + tmp11 = tmp; + tmp2 = tmp + (uint32_t)5U; + tmp3 = tmp + (uint32_t)10U; + tmp41 = tmp + (uint32_t)15U; + tmp50 = tmp + (uint32_t)20U; + tmp60 = tmp + (uint32_t)25U; + z1 = p + (uint32_t)10U; + t1 = p + (uint32_t)15U; + z2 = q + (uint32_t)10U; + t2 = q + (uint32_t)15U; + times_2d(tmp11, t1); + fmul0(tmp2, tmp11, t2); + times_2(tmp11, z1); + fmul0(tmp50, tmp11, z2); + memcpy(tmp11, tmp3, (uint32_t)5U * sizeof (uint64_t)); + memcpy(tmp60, tmp2, (uint32_t)5U * sizeof 
(uint64_t)); + fdifference(tmp11, tmp41); + fdifference(tmp60, tmp50); + fsum(tmp50, tmp2); + fsum(tmp41, tmp3); + tmp1 = tmp; + tmp4 = tmp + (uint32_t)15U; + tmp5 = tmp + (uint32_t)20U; + tmp6 = tmp + (uint32_t)25U; + x3 = out; + y3 = out + (uint32_t)5U; + z3 = out + (uint32_t)10U; + t3 = out + (uint32_t)15U; + fmul0(x3, tmp1, tmp6); + fmul0(y3, tmp5, tmp4); + fmul0(t3, tmp1, tmp4); + fmul0(z3, tmp6, tmp5); +} + +void Hacl_Impl_Ed25519_Ladder_point_mul(uint64_t *result, uint8_t *scalar, uint64_t *q) +{ + uint64_t bscalar[4U] = { 0U }; + uint64_t *x0; + uint64_t *y; + uint64_t *z; + uint64_t *t; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = bscalar; + uint8_t *bj = scalar + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + } + x0 = result; + y = result + (uint32_t)5U; + z = result + (uint32_t)10U; + t = result + (uint32_t)15U; + x0[0U] = (uint64_t)0U; + x0[1U] = (uint64_t)0U; + x0[2U] = (uint64_t)0U; + x0[3U] = (uint64_t)0U; + x0[4U] = (uint64_t)0U; + y[0U] = (uint64_t)1U; + y[1U] = (uint64_t)0U; + y[2U] = (uint64_t)0U; + y[3U] = (uint64_t)0U; + y[4U] = (uint64_t)0U; + z[0U] = (uint64_t)1U; + z[1U] = (uint64_t)0U; + z[2U] = (uint64_t)0U; + z[3U] = (uint64_t)0U; + z[4U] = (uint64_t)0U; + t[0U] = (uint64_t)0U; + t[1U] = (uint64_t)0U; + t[2U] = (uint64_t)0U; + t[3U] = (uint64_t)0U; + t[4U] = (uint64_t)0U; + { + uint64_t table[320U] = { 0U }; + uint64_t *t1; + memcpy(table, result, (uint32_t)20U * sizeof (uint64_t)); + t1 = table + (uint32_t)20U; + memcpy(t1, q, (uint32_t)20U * sizeof (uint64_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)20U; + uint64_t *t2 = table + (i + (uint32_t)2U) * (uint32_t)20U; + Hacl_Impl_Ed25519_PointAdd_point_add(t2, t11, q); + } + } + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)64U; i0++) + { + { + uint32_t i; + for (i = (uint32_t)0U; i < 
(uint32_t)4U; i++) + { + point_double(result, result); + } + } + { + uint32_t bk = (uint32_t)256U; + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i0 - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk - (uint32_t)4U * i0 - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = bscalar[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < (uint32_t)4U && (uint32_t)0U < j) + { + ite = p1 | bscalar[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + { + uint64_t bits_l = ite & mask_l; + uint64_t a_bits_l[20U] = { 0U }; + memcpy(a_bits_l, table, (uint32_t)20U * sizeof (uint64_t)); + { + uint32_t i2; + for (i2 = (uint32_t)0U; i2 < (uint32_t)15U; i2++) + { + uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i2 + (uint32_t)1U)); + uint64_t *res_j = table + (i2 + (uint32_t)1U) * (uint32_t)20U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)20U; i++) + { + uint64_t *os = a_bits_l; + uint64_t x = (c & res_j[i]) | (~c & a_bits_l[i]); + os[i] = x; + } + } + } + } + Hacl_Impl_Ed25519_PointAdd_point_add(result, result, a_bits_l); + } + } + } + } + } +} + +static inline void point_mul_g(uint64_t *result, uint8_t *scalar) +{ + uint64_t g[20U] = { 0U }; + uint64_t *gx = g; + uint64_t *gy = g + (uint32_t)5U; + uint64_t *gz = g + (uint32_t)10U; + uint64_t *gt = g + (uint32_t)15U; + gx[0U] = (uint64_t)0x00062d608f25d51aU; + gx[1U] = (uint64_t)0x000412a4b4f6592aU; + gx[2U] = (uint64_t)0x00075b7171a4b31dU; + gx[3U] = (uint64_t)0x0001ff60527118feU; + gx[4U] = (uint64_t)0x000216936d3cd6e5U; + gy[0U] = (uint64_t)0x0006666666666658U; + gy[1U] = (uint64_t)0x0004ccccccccccccU; + gy[2U] = (uint64_t)0x0001999999999999U; + gy[3U] = (uint64_t)0x0003333333333333U; + gy[4U] = (uint64_t)0x0006666666666666U; + gz[0U] = (uint64_t)1U; + gz[1U] = (uint64_t)0U; + gz[2U] = (uint64_t)0U; + gz[3U] = (uint64_t)0U; + gz[4U] = (uint64_t)0U; + gt[0U] = (uint64_t)0x00068ab3a5b7dda3U; + gt[1U] = (uint64_t)0x00000eea2a5eadbbU; + gt[2U] = 
(uint64_t)0x0002af8df483c27eU; + gt[3U] = (uint64_t)0x000332b375274732U; + gt[4U] = (uint64_t)0x00067875f0fd78b7U; + Hacl_Impl_Ed25519_Ladder_point_mul(result, scalar, g); +} + +static inline void +point_mul_double_vartime( + uint64_t *result, + uint8_t *scalar1, + uint64_t *q1, + uint8_t *scalar2, + uint64_t *q2 +) +{ + uint64_t bscalar1[4U] = { 0U }; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = bscalar1; + uint8_t *bj = scalar1 + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + } + { + uint64_t bscalar2[4U] = { 0U }; + uint64_t *x; + uint64_t *y; + uint64_t *z; + uint64_t *t; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = bscalar2; + uint8_t *bj = scalar2 + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x0 = r; + os[i] = x0; + } + } + x = result; + y = result + (uint32_t)5U; + z = result + (uint32_t)10U; + t = result + (uint32_t)15U; + x[0U] = (uint64_t)0U; + x[1U] = (uint64_t)0U; + x[2U] = (uint64_t)0U; + x[3U] = (uint64_t)0U; + x[4U] = (uint64_t)0U; + y[0U] = (uint64_t)1U; + y[1U] = (uint64_t)0U; + y[2U] = (uint64_t)0U; + y[3U] = (uint64_t)0U; + y[4U] = (uint64_t)0U; + z[0U] = (uint64_t)1U; + z[1U] = (uint64_t)0U; + z[2U] = (uint64_t)0U; + z[3U] = (uint64_t)0U; + z[4U] = (uint64_t)0U; + t[0U] = (uint64_t)0U; + t[1U] = (uint64_t)0U; + t[2U] = (uint64_t)0U; + t[3U] = (uint64_t)0U; + t[4U] = (uint64_t)0U; + { + uint64_t table1[320U] = { 0U }; + uint64_t *t10; + memcpy(table1, result, (uint32_t)20U * sizeof (uint64_t)); + t10 = table1 + (uint32_t)20U; + memcpy(t10, q1, (uint32_t)20U * sizeof (uint64_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table1 + (i + (uint32_t)1U) * (uint32_t)20U; + uint64_t *t2 = table1 + (i + (uint32_t)2U) * (uint32_t)20U; + Hacl_Impl_Ed25519_PointAdd_point_add(t2, t11, q1); + } + } + { + uint64_t table2[320U] = { 0U }; + 
uint64_t *t1; + memcpy(table2, result, (uint32_t)20U * sizeof (uint64_t)); + t1 = table2 + (uint32_t)20U; + memcpy(t1, q2, (uint32_t)20U * sizeof (uint64_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table2 + (i + (uint32_t)1U) * (uint32_t)20U; + uint64_t *t2 = table2 + (i + (uint32_t)2U) * (uint32_t)20U; + Hacl_Impl_Ed25519_PointAdd_point_add(t2, t11, q2); + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + point_double(result, result); + } + } + { + uint32_t bk = (uint32_t)256U; + uint64_t mask_l0 = (uint64_t)16U - (uint64_t)1U; + uint32_t i10 = (bk - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)64U; + uint32_t j0 = (bk - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)64U; + uint64_t p10 = bscalar1[i10] >> j0; + uint64_t ite0; + if (i10 + (uint32_t)1U < (uint32_t)4U && (uint32_t)0U < j0) + { + ite0 = p10 | bscalar1[i10 + (uint32_t)1U] << ((uint32_t)64U - j0); + } + else + { + ite0 = p10; + } + { + uint64_t bits_l = ite0 & mask_l0; + uint64_t a_bits_l0[20U] = { 0U }; + uint32_t bits_l320 = (uint32_t)bits_l; + uint64_t *a_bits_l1 = table1 + bits_l320 * (uint32_t)20U; + memcpy(a_bits_l0, a_bits_l1, (uint32_t)20U * sizeof (uint64_t)); + Hacl_Impl_Ed25519_PointAdd_point_add(result, result, a_bits_l0); + { + uint32_t bk0 = (uint32_t)256U; + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i1 = (bk0 - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk0 - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = bscalar2[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < (uint32_t)4U && (uint32_t)0U < j) + { + ite = p1 | bscalar2[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + { + uint64_t bits_l0 = ite & mask_l; + uint64_t a_bits_l[20U] = { 0U }; + uint32_t bits_l32 = (uint32_t)bits_l0; + uint64_t *a_bits_l10 = table2 + bits_l32 * (uint32_t)20U; + 
memcpy(a_bits_l, a_bits_l10, (uint32_t)20U * sizeof (uint64_t)); + Hacl_Impl_Ed25519_PointAdd_point_add(result, result, a_bits_l); + } + } + } + } + } + } + } + } + } +} + +static inline void +point_mul_g_double_vartime(uint64_t *result, uint8_t *scalar1, uint8_t *scalar2, uint64_t *q2) +{ + uint64_t g[20U] = { 0U }; + uint64_t *gx = g; + uint64_t *gy = g + (uint32_t)5U; + uint64_t *gz = g + (uint32_t)10U; + uint64_t *gt = g + (uint32_t)15U; + gx[0U] = (uint64_t)0x00062d608f25d51aU; + gx[1U] = (uint64_t)0x000412a4b4f6592aU; + gx[2U] = (uint64_t)0x00075b7171a4b31dU; + gx[3U] = (uint64_t)0x0001ff60527118feU; + gx[4U] = (uint64_t)0x000216936d3cd6e5U; + gy[0U] = (uint64_t)0x0006666666666658U; + gy[1U] = (uint64_t)0x0004ccccccccccccU; + gy[2U] = (uint64_t)0x0001999999999999U; + gy[3U] = (uint64_t)0x0003333333333333U; + gy[4U] = (uint64_t)0x0006666666666666U; + gz[0U] = (uint64_t)1U; + gz[1U] = (uint64_t)0U; + gz[2U] = (uint64_t)0U; + gz[3U] = (uint64_t)0U; + gz[4U] = (uint64_t)0U; + gt[0U] = (uint64_t)0x00068ab3a5b7dda3U; + gt[1U] = (uint64_t)0x00000eea2a5eadbbU; + gt[2U] = (uint64_t)0x0002af8df483c27eU; + gt[3U] = (uint64_t)0x000332b375274732U; + gt[4U] = (uint64_t)0x00067875f0fd78b7U; + point_mul_double_vartime(result, scalar1, g, scalar2, q2); +} + +void Hacl_Impl_Ed25519_PointCompress_point_compress(uint8_t *z, uint64_t *p) +{ + uint64_t tmp[15U] = { 0U }; + uint64_t *x = tmp + (uint32_t)5U; + uint64_t *out = tmp + (uint32_t)10U; + uint64_t *zinv1 = tmp; + uint64_t *x1 = tmp + (uint32_t)5U; + uint64_t *out1 = tmp + (uint32_t)10U; + uint64_t *px = p; + uint64_t *py = p + (uint32_t)5U; + uint64_t *pz = p + (uint32_t)10U; + uint64_t x0; + uint64_t b; + uint8_t xbyte; + uint8_t o31; + Hacl_Bignum25519_inverse(zinv1, pz); + fmul0(x1, px, zinv1); + reduce(x1); + fmul0(out1, py, zinv1); + Hacl_Bignum25519_reduce_513(out1); + x0 = x[0U]; + b = x0 & (uint64_t)1U; + Hacl_Bignum25519_store_51(z, out); + xbyte = (uint8_t)b; + o31 = z[31U]; + z[31U] = o31 + (xbyte << 
(uint32_t)7U); +} + +static inline void secret_expand(uint8_t *expanded, uint8_t *secret) +{ + uint8_t *h_low; + uint8_t h_low0; + uint8_t h_low31; + Hacl_Hash_SHA2_hash_512(secret, (uint32_t)32U, expanded); + h_low = expanded; + h_low0 = h_low[0U]; + h_low31 = h_low[31U]; + h_low[0U] = h_low0 & (uint8_t)0xf8U; + h_low[31U] = (h_low31 & (uint8_t)127U) | (uint8_t)64U; +} + +static inline void secret_to_public(uint8_t *out, uint8_t *secret) +{ + uint8_t expanded_secret[64U] = { 0U }; + uint64_t res[20U] = { 0U }; + uint8_t *a; + secret_expand(expanded_secret, secret); + a = expanded_secret; + point_mul_g(res, a); + Hacl_Impl_Ed25519_PointCompress_point_compress(out, res); +} + +static inline void barrett_reduction(uint64_t *z, uint64_t *t) +{ + uint64_t t0 = t[0U]; + uint64_t t1 = t[1U]; + uint64_t t2 = t[2U]; + uint64_t t3 = t[3U]; + uint64_t t4 = t[4U]; + uint64_t t5 = t[5U]; + uint64_t t6 = t[6U]; + uint64_t t7 = t[7U]; + uint64_t t8 = t[8U]; + uint64_t t9 = t[9U]; + uint64_t m00 = (uint64_t)0x12631a5cf5d3edU; + uint64_t m10 = (uint64_t)0xf9dea2f79cd658U; + uint64_t m20 = (uint64_t)0x000000000014deU; + uint64_t m30 = (uint64_t)0x00000000000000U; + uint64_t m40 = (uint64_t)0x00000010000000U; + uint64_t m0 = m00; + uint64_t m1 = m10; + uint64_t m2 = m20; + uint64_t m3 = m30; + uint64_t m4 = m40; + uint64_t m010 = (uint64_t)0x9ce5a30a2c131bU; + uint64_t m110 = (uint64_t)0x215d086329a7edU; + uint64_t m210 = (uint64_t)0xffffffffeb2106U; + uint64_t m310 = (uint64_t)0xffffffffffffffU; + uint64_t m410 = (uint64_t)0x00000fffffffffU; + uint64_t mu0 = m010; + uint64_t mu1 = m110; + uint64_t mu2 = m210; + uint64_t mu3 = m310; + uint64_t mu4 = m410; + uint64_t y_ = (t5 & (uint64_t)0xffffffU) << (uint32_t)32U; + uint64_t x_ = t4 >> (uint32_t)24U; + uint64_t z00 = x_ | y_; + uint64_t y_0 = (t6 & (uint64_t)0xffffffU) << (uint32_t)32U; + uint64_t x_0 = t5 >> (uint32_t)24U; + uint64_t z10 = x_0 | y_0; + uint64_t y_1 = (t7 & (uint64_t)0xffffffU) << (uint32_t)32U; + uint64_t x_1 = t6 
>> (uint32_t)24U; + uint64_t z20 = x_1 | y_1; + uint64_t y_2 = (t8 & (uint64_t)0xffffffU) << (uint32_t)32U; + uint64_t x_2 = t7 >> (uint32_t)24U; + uint64_t z30 = x_2 | y_2; + uint64_t y_3 = (t9 & (uint64_t)0xffffffU) << (uint32_t)32U; + uint64_t x_3 = t8 >> (uint32_t)24U; + uint64_t z40 = x_3 | y_3; + uint64_t q0 = z00; + uint64_t q1 = z10; + uint64_t q2 = z20; + uint64_t q3 = z30; + uint64_t q4 = z40; + FStar_UInt128_uint128 xy000 = FStar_UInt128_mul_wide(q0, mu0); + FStar_UInt128_uint128 xy010 = FStar_UInt128_mul_wide(q0, mu1); + FStar_UInt128_uint128 xy020 = FStar_UInt128_mul_wide(q0, mu2); + FStar_UInt128_uint128 xy030 = FStar_UInt128_mul_wide(q0, mu3); + FStar_UInt128_uint128 xy040 = FStar_UInt128_mul_wide(q0, mu4); + FStar_UInt128_uint128 xy100 = FStar_UInt128_mul_wide(q1, mu0); + FStar_UInt128_uint128 xy110 = FStar_UInt128_mul_wide(q1, mu1); + FStar_UInt128_uint128 xy120 = FStar_UInt128_mul_wide(q1, mu2); + FStar_UInt128_uint128 xy130 = FStar_UInt128_mul_wide(q1, mu3); + FStar_UInt128_uint128 xy14 = FStar_UInt128_mul_wide(q1, mu4); + FStar_UInt128_uint128 xy200 = FStar_UInt128_mul_wide(q2, mu0); + FStar_UInt128_uint128 xy210 = FStar_UInt128_mul_wide(q2, mu1); + FStar_UInt128_uint128 xy220 = FStar_UInt128_mul_wide(q2, mu2); + FStar_UInt128_uint128 xy23 = FStar_UInt128_mul_wide(q2, mu3); + FStar_UInt128_uint128 xy24 = FStar_UInt128_mul_wide(q2, mu4); + FStar_UInt128_uint128 xy300 = FStar_UInt128_mul_wide(q3, mu0); + FStar_UInt128_uint128 xy310 = FStar_UInt128_mul_wide(q3, mu1); + FStar_UInt128_uint128 xy32 = FStar_UInt128_mul_wide(q3, mu2); + FStar_UInt128_uint128 xy33 = FStar_UInt128_mul_wide(q3, mu3); + FStar_UInt128_uint128 xy34 = FStar_UInt128_mul_wide(q3, mu4); + FStar_UInt128_uint128 xy400 = FStar_UInt128_mul_wide(q4, mu0); + FStar_UInt128_uint128 xy41 = FStar_UInt128_mul_wide(q4, mu1); + FStar_UInt128_uint128 xy42 = FStar_UInt128_mul_wide(q4, mu2); + FStar_UInt128_uint128 xy43 = FStar_UInt128_mul_wide(q4, mu3); + FStar_UInt128_uint128 xy44 = 
FStar_UInt128_mul_wide(q4, mu4); + FStar_UInt128_uint128 z01 = xy000; + FStar_UInt128_uint128 z11 = FStar_UInt128_add_mod(xy010, xy100); + FStar_UInt128_uint128 z21 = FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy020, xy110), xy200); + FStar_UInt128_uint128 + z31 = + FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy030, xy120), xy210), + xy300); + FStar_UInt128_uint128 + z41 = + FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy040, + xy130), + xy220), + xy310), + xy400); + FStar_UInt128_uint128 + z5 = + FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy14, xy23), xy32), + xy41); + FStar_UInt128_uint128 z6 = FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy24, xy33), xy42); + FStar_UInt128_uint128 z7 = FStar_UInt128_add_mod(xy34, xy43); + FStar_UInt128_uint128 z8 = xy44; + FStar_UInt128_uint128 carry0 = FStar_UInt128_shift_right(z01, (uint32_t)56U); + FStar_UInt128_uint128 c00 = carry0; + FStar_UInt128_uint128 + carry1 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z11, c00), (uint32_t)56U); + uint64_t + t100 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z11, c00)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c10 = carry1; + FStar_UInt128_uint128 + carry2 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z21, c10), (uint32_t)56U); + uint64_t + t101 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z21, c10)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c20 = carry2; + FStar_UInt128_uint128 + carry3 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z31, c20), (uint32_t)56U); + uint64_t + t102 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z31, c20)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c30 = carry3; + FStar_UInt128_uint128 + carry4 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z41, c30), (uint32_t)56U); + uint64_t + t103 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z41, c30)) + & 
(uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c40 = carry4; + uint64_t t410 = t103; + FStar_UInt128_uint128 + carry5 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z5, c40), (uint32_t)56U); + uint64_t + t104 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z5, c40)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c5 = carry5; + uint64_t t51 = t104; + FStar_UInt128_uint128 + carry6 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z6, c5), (uint32_t)56U); + uint64_t + t105 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z6, c5)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c6 = carry6; + uint64_t t61 = t105; + FStar_UInt128_uint128 + carry7 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z7, c6), (uint32_t)56U); + uint64_t + t106 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z7, c6)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c7 = carry7; + uint64_t t71 = t106; + FStar_UInt128_uint128 + carry8 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z8, c7), (uint32_t)56U); + uint64_t + t107 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z8, c7)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c8 = carry8; + uint64_t t81 = t107; + uint64_t t91 = FStar_UInt128_uint128_to_uint64(c8); + uint64_t qmu4_ = t410; + uint64_t qmu5_ = t51; + uint64_t qmu6_ = t61; + uint64_t qmu7_ = t71; + uint64_t qmu8_ = t81; + uint64_t qmu9_ = t91; + uint64_t y_4 = (qmu5_ & (uint64_t)0xffffffffffU) << (uint32_t)16U; + uint64_t x_4 = qmu4_ >> (uint32_t)40U; + uint64_t z02 = x_4 | y_4; + uint64_t y_5 = (qmu6_ & (uint64_t)0xffffffffffU) << (uint32_t)16U; + uint64_t x_5 = qmu5_ >> (uint32_t)40U; + uint64_t z12 = x_5 | y_5; + uint64_t y_6 = (qmu7_ & (uint64_t)0xffffffffffU) << (uint32_t)16U; + uint64_t x_6 = qmu6_ >> (uint32_t)40U; + uint64_t z22 = x_6 | y_6; + uint64_t y_7 = (qmu8_ & (uint64_t)0xffffffffffU) << (uint32_t)16U; + uint64_t x_7 = qmu7_ >> (uint32_t)40U; + uint64_t z32 = x_7 | y_7; + uint64_t 
y_8 = (qmu9_ & (uint64_t)0xffffffffffU) << (uint32_t)16U; + uint64_t x_8 = qmu8_ >> (uint32_t)40U; + uint64_t z42 = x_8 | y_8; + uint64_t qdiv0 = z02; + uint64_t qdiv1 = z12; + uint64_t qdiv2 = z22; + uint64_t qdiv3 = z32; + uint64_t qdiv4 = z42; + uint64_t r0 = t0; + uint64_t r1 = t1; + uint64_t r2 = t2; + uint64_t r3 = t3; + uint64_t r4 = t4 & (uint64_t)0xffffffffffU; + FStar_UInt128_uint128 xy00 = FStar_UInt128_mul_wide(qdiv0, m0); + FStar_UInt128_uint128 xy01 = FStar_UInt128_mul_wide(qdiv0, m1); + FStar_UInt128_uint128 xy02 = FStar_UInt128_mul_wide(qdiv0, m2); + FStar_UInt128_uint128 xy03 = FStar_UInt128_mul_wide(qdiv0, m3); + FStar_UInt128_uint128 xy04 = FStar_UInt128_mul_wide(qdiv0, m4); + FStar_UInt128_uint128 xy10 = FStar_UInt128_mul_wide(qdiv1, m0); + FStar_UInt128_uint128 xy11 = FStar_UInt128_mul_wide(qdiv1, m1); + FStar_UInt128_uint128 xy12 = FStar_UInt128_mul_wide(qdiv1, m2); + FStar_UInt128_uint128 xy13 = FStar_UInt128_mul_wide(qdiv1, m3); + FStar_UInt128_uint128 xy20 = FStar_UInt128_mul_wide(qdiv2, m0); + FStar_UInt128_uint128 xy21 = FStar_UInt128_mul_wide(qdiv2, m1); + FStar_UInt128_uint128 xy22 = FStar_UInt128_mul_wide(qdiv2, m2); + FStar_UInt128_uint128 xy30 = FStar_UInt128_mul_wide(qdiv3, m0); + FStar_UInt128_uint128 xy31 = FStar_UInt128_mul_wide(qdiv3, m1); + FStar_UInt128_uint128 xy40 = FStar_UInt128_mul_wide(qdiv4, m0); + FStar_UInt128_uint128 carry9 = FStar_UInt128_shift_right(xy00, (uint32_t)56U); + uint64_t t108 = FStar_UInt128_uint128_to_uint64(xy00) & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c0 = carry9; + uint64_t t010 = t108; + FStar_UInt128_uint128 + carry10 = + FStar_UInt128_shift_right(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy01, xy10), c0), + (uint32_t)56U); + uint64_t + t109 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy01, xy10), c0)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c11 = carry10; + uint64_t t110 = t109; + FStar_UInt128_uint128 + carry11 = + 
FStar_UInt128_shift_right(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy02, + xy11), + xy20), + c11), + (uint32_t)56U); + uint64_t + t1010 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy02, + xy11), + xy20), + c11)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c21 = carry11; + uint64_t t210 = t1010; + FStar_UInt128_uint128 + carry = + FStar_UInt128_shift_right(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy03, + xy12), + xy21), + xy30), + c21), + (uint32_t)56U); + uint64_t + t1011 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy03, + xy12), + xy21), + xy30), + c21)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c31 = carry; + uint64_t t310 = t1011; + uint64_t + t411 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy04, + xy13), + xy22), + xy31), + xy40), + c31)) + & (uint64_t)0xffffffffffU; + uint64_t qmul0 = t010; + uint64_t qmul1 = t110; + uint64_t qmul2 = t210; + uint64_t qmul3 = t310; + uint64_t qmul4 = t411; + uint64_t b5 = (r0 - qmul0) >> (uint32_t)63U; + uint64_t t1012 = (b5 << (uint32_t)56U) + r0 - qmul0; + uint64_t c1 = b5; + uint64_t t011 = t1012; + uint64_t b6 = (r1 - (qmul1 + c1)) >> (uint32_t)63U; + uint64_t t1013 = (b6 << (uint32_t)56U) + r1 - (qmul1 + c1); + uint64_t c2 = b6; + uint64_t t111 = t1013; + uint64_t b7 = (r2 - (qmul2 + c2)) >> (uint32_t)63U; + uint64_t t1014 = (b7 << (uint32_t)56U) + r2 - (qmul2 + c2); + uint64_t c3 = b7; + uint64_t t211 = t1014; + uint64_t b8 = (r3 - (qmul3 + c3)) >> (uint32_t)63U; + uint64_t t1015 = (b8 << (uint32_t)56U) + r3 - (qmul3 + c3); + uint64_t c4 = b8; + uint64_t t311 = t1015; + uint64_t b9 = (r4 - (qmul4 + c4)) >> (uint32_t)63U; + uint64_t t1016 = (b9 << (uint32_t)40U) + r4 - (qmul4 + c4); + 
uint64_t t412 = t1016; + uint64_t s0 = t011; + uint64_t s1 = t111; + uint64_t s2 = t211; + uint64_t s3 = t311; + uint64_t s4 = t412; + uint64_t m01 = (uint64_t)0x12631a5cf5d3edU; + uint64_t m11 = (uint64_t)0xf9dea2f79cd658U; + uint64_t m21 = (uint64_t)0x000000000014deU; + uint64_t m31 = (uint64_t)0x00000000000000U; + uint64_t m41 = (uint64_t)0x00000010000000U; + uint64_t y0 = m01; + uint64_t y1 = m11; + uint64_t y2 = m21; + uint64_t y3 = m31; + uint64_t y4 = m41; + uint64_t b10 = (s0 - y0) >> (uint32_t)63U; + uint64_t t1017 = (b10 << (uint32_t)56U) + s0 - y0; + uint64_t b0 = b10; + uint64_t t01 = t1017; + uint64_t b11 = (s1 - (y1 + b0)) >> (uint32_t)63U; + uint64_t t1018 = (b11 << (uint32_t)56U) + s1 - (y1 + b0); + uint64_t b1 = b11; + uint64_t t11 = t1018; + uint64_t b12 = (s2 - (y2 + b1)) >> (uint32_t)63U; + uint64_t t1019 = (b12 << (uint32_t)56U) + s2 - (y2 + b1); + uint64_t b2 = b12; + uint64_t t21 = t1019; + uint64_t b13 = (s3 - (y3 + b2)) >> (uint32_t)63U; + uint64_t t1020 = (b13 << (uint32_t)56U) + s3 - (y3 + b2); + uint64_t b3 = b13; + uint64_t t31 = t1020; + uint64_t b = (s4 - (y4 + b3)) >> (uint32_t)63U; + uint64_t t10 = (b << (uint32_t)56U) + s4 - (y4 + b3); + uint64_t b4 = b; + uint64_t t41 = t10; + uint64_t mask = b4 - (uint64_t)1U; + uint64_t z03 = s0 ^ (mask & (s0 ^ t01)); + uint64_t z13 = s1 ^ (mask & (s1 ^ t11)); + uint64_t z23 = s2 ^ (mask & (s2 ^ t21)); + uint64_t z33 = s3 ^ (mask & (s3 ^ t31)); + uint64_t z43 = s4 ^ (mask & (s4 ^ t41)); + uint64_t z04 = z03; + uint64_t z14 = z13; + uint64_t z24 = z23; + uint64_t z34 = z33; + uint64_t z44 = z43; + uint64_t o0 = z04; + uint64_t o1 = z14; + uint64_t o2 = z24; + uint64_t o3 = z34; + uint64_t o4 = z44; + uint64_t z0 = o0; + uint64_t z1 = o1; + uint64_t z2 = o2; + uint64_t z3 = o3; + uint64_t z4 = o4; + z[0U] = z0; + z[1U] = z1; + z[2U] = z2; + z[3U] = z3; + z[4U] = z4; +} + +static inline void mul_modq(uint64_t *out, uint64_t *x, uint64_t *y) +{ + uint64_t tmp[10U] = { 0U }; + uint64_t x0 = x[0U]; + 
uint64_t x1 = x[1U]; + uint64_t x2 = x[2U]; + uint64_t x3 = x[3U]; + uint64_t x4 = x[4U]; + uint64_t y0 = y[0U]; + uint64_t y1 = y[1U]; + uint64_t y2 = y[2U]; + uint64_t y3 = y[3U]; + uint64_t y4 = y[4U]; + FStar_UInt128_uint128 xy00 = FStar_UInt128_mul_wide(x0, y0); + FStar_UInt128_uint128 xy01 = FStar_UInt128_mul_wide(x0, y1); + FStar_UInt128_uint128 xy02 = FStar_UInt128_mul_wide(x0, y2); + FStar_UInt128_uint128 xy03 = FStar_UInt128_mul_wide(x0, y3); + FStar_UInt128_uint128 xy04 = FStar_UInt128_mul_wide(x0, y4); + FStar_UInt128_uint128 xy10 = FStar_UInt128_mul_wide(x1, y0); + FStar_UInt128_uint128 xy11 = FStar_UInt128_mul_wide(x1, y1); + FStar_UInt128_uint128 xy12 = FStar_UInt128_mul_wide(x1, y2); + FStar_UInt128_uint128 xy13 = FStar_UInt128_mul_wide(x1, y3); + FStar_UInt128_uint128 xy14 = FStar_UInt128_mul_wide(x1, y4); + FStar_UInt128_uint128 xy20 = FStar_UInt128_mul_wide(x2, y0); + FStar_UInt128_uint128 xy21 = FStar_UInt128_mul_wide(x2, y1); + FStar_UInt128_uint128 xy22 = FStar_UInt128_mul_wide(x2, y2); + FStar_UInt128_uint128 xy23 = FStar_UInt128_mul_wide(x2, y3); + FStar_UInt128_uint128 xy24 = FStar_UInt128_mul_wide(x2, y4); + FStar_UInt128_uint128 xy30 = FStar_UInt128_mul_wide(x3, y0); + FStar_UInt128_uint128 xy31 = FStar_UInt128_mul_wide(x3, y1); + FStar_UInt128_uint128 xy32 = FStar_UInt128_mul_wide(x3, y2); + FStar_UInt128_uint128 xy33 = FStar_UInt128_mul_wide(x3, y3); + FStar_UInt128_uint128 xy34 = FStar_UInt128_mul_wide(x3, y4); + FStar_UInt128_uint128 xy40 = FStar_UInt128_mul_wide(x4, y0); + FStar_UInt128_uint128 xy41 = FStar_UInt128_mul_wide(x4, y1); + FStar_UInt128_uint128 xy42 = FStar_UInt128_mul_wide(x4, y2); + FStar_UInt128_uint128 xy43 = FStar_UInt128_mul_wide(x4, y3); + FStar_UInt128_uint128 xy44 = FStar_UInt128_mul_wide(x4, y4); + FStar_UInt128_uint128 z00 = xy00; + FStar_UInt128_uint128 z10 = FStar_UInt128_add_mod(xy01, xy10); + FStar_UInt128_uint128 z20 = FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy02, xy11), xy20); + FStar_UInt128_uint128 
+ z30 = + FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy03, xy12), xy21), + xy30); + FStar_UInt128_uint128 + z40 = + FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy04, + xy13), + xy22), + xy31), + xy40); + FStar_UInt128_uint128 + z50 = + FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy14, xy23), xy32), + xy41); + FStar_UInt128_uint128 z60 = FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy24, xy33), xy42); + FStar_UInt128_uint128 z70 = FStar_UInt128_add_mod(xy34, xy43); + FStar_UInt128_uint128 z80 = xy44; + FStar_UInt128_uint128 carry0 = FStar_UInt128_shift_right(z00, (uint32_t)56U); + uint64_t t10 = FStar_UInt128_uint128_to_uint64(z00) & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c0 = carry0; + uint64_t t0 = t10; + FStar_UInt128_uint128 + carry1 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z10, c0), (uint32_t)56U); + uint64_t + t11 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z10, c0)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c1 = carry1; + uint64_t t1 = t11; + FStar_UInt128_uint128 + carry2 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z20, c1), (uint32_t)56U); + uint64_t + t12 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z20, c1)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c2 = carry2; + uint64_t t2 = t12; + FStar_UInt128_uint128 + carry3 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z30, c2), (uint32_t)56U); + uint64_t + t13 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z30, c2)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c3 = carry3; + uint64_t t3 = t13; + FStar_UInt128_uint128 + carry4 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z40, c3), (uint32_t)56U); + uint64_t + t14 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z40, c3)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c4 = carry4; + uint64_t t4 = t14; + FStar_UInt128_uint128 + carry5 = 
FStar_UInt128_shift_right(FStar_UInt128_add_mod(z50, c4), (uint32_t)56U); + uint64_t + t15 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z50, c4)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c5 = carry5; + uint64_t t5 = t15; + FStar_UInt128_uint128 + carry6 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z60, c5), (uint32_t)56U); + uint64_t + t16 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z60, c5)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c6 = carry6; + uint64_t t6 = t16; + FStar_UInt128_uint128 + carry7 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z70, c6), (uint32_t)56U); + uint64_t + t17 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z70, c6)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c7 = carry7; + uint64_t t7 = t17; + FStar_UInt128_uint128 + carry = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z80, c7), (uint32_t)56U); + uint64_t + t = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z80, c7)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c8 = carry; + uint64_t t8 = t; + uint64_t t9 = FStar_UInt128_uint128_to_uint64(c8); + uint64_t z0 = t0; + uint64_t z1 = t1; + uint64_t z2 = t2; + uint64_t z3 = t3; + uint64_t z4 = t4; + uint64_t z5 = t5; + uint64_t z6 = t6; + uint64_t z7 = t7; + uint64_t z8 = t8; + uint64_t z9 = t9; + tmp[0U] = z0; + tmp[1U] = z1; + tmp[2U] = z2; + tmp[3U] = z3; + tmp[4U] = z4; + tmp[5U] = z5; + tmp[6U] = z6; + tmp[7U] = z7; + tmp[8U] = z8; + tmp[9U] = z9; + barrett_reduction(out, tmp); +} + +static inline void add_modq(uint64_t *out, uint64_t *x, uint64_t *y) +{ + uint64_t x0 = x[0U]; + uint64_t x1 = x[1U]; + uint64_t x2 = x[2U]; + uint64_t x3 = x[3U]; + uint64_t x4 = x[4U]; + uint64_t y0 = y[0U]; + uint64_t y1 = y[1U]; + uint64_t y2 = y[2U]; + uint64_t y3 = y[3U]; + uint64_t y4 = y[4U]; + uint64_t carry0 = (x0 + y0) >> (uint32_t)56U; + uint64_t t0 = (x0 + y0) & (uint64_t)0xffffffffffffffU; + uint64_t t00 = t0; + uint64_t c0 = 
carry0; + uint64_t carry1 = (x1 + y1 + c0) >> (uint32_t)56U; + uint64_t t1 = (x1 + y1 + c0) & (uint64_t)0xffffffffffffffU; + uint64_t t10 = t1; + uint64_t c1 = carry1; + uint64_t carry2 = (x2 + y2 + c1) >> (uint32_t)56U; + uint64_t t2 = (x2 + y2 + c1) & (uint64_t)0xffffffffffffffU; + uint64_t t20 = t2; + uint64_t c2 = carry2; + uint64_t carry = (x3 + y3 + c2) >> (uint32_t)56U; + uint64_t t3 = (x3 + y3 + c2) & (uint64_t)0xffffffffffffffU; + uint64_t t30 = t3; + uint64_t c3 = carry; + uint64_t t4 = x4 + y4 + c3; + uint64_t m0 = (uint64_t)0x12631a5cf5d3edU; + uint64_t m1 = (uint64_t)0xf9dea2f79cd658U; + uint64_t m2 = (uint64_t)0x000000000014deU; + uint64_t m3 = (uint64_t)0x00000000000000U; + uint64_t m4 = (uint64_t)0x00000010000000U; + uint64_t y01 = m0; + uint64_t y11 = m1; + uint64_t y21 = m2; + uint64_t y31 = m3; + uint64_t y41 = m4; + uint64_t b5 = (t00 - y01) >> (uint32_t)63U; + uint64_t t5 = (b5 << (uint32_t)56U) + t00 - y01; + uint64_t b0 = b5; + uint64_t t01 = t5; + uint64_t b6 = (t10 - (y11 + b0)) >> (uint32_t)63U; + uint64_t t6 = (b6 << (uint32_t)56U) + t10 - (y11 + b0); + uint64_t b1 = b6; + uint64_t t11 = t6; + uint64_t b7 = (t20 - (y21 + b1)) >> (uint32_t)63U; + uint64_t t7 = (b7 << (uint32_t)56U) + t20 - (y21 + b1); + uint64_t b2 = b7; + uint64_t t21 = t7; + uint64_t b8 = (t30 - (y31 + b2)) >> (uint32_t)63U; + uint64_t t8 = (b8 << (uint32_t)56U) + t30 - (y31 + b2); + uint64_t b3 = b8; + uint64_t t31 = t8; + uint64_t b = (t4 - (y41 + b3)) >> (uint32_t)63U; + uint64_t t = (b << (uint32_t)56U) + t4 - (y41 + b3); + uint64_t b4 = b; + uint64_t t41 = t; + uint64_t mask = b4 - (uint64_t)1U; + uint64_t z00 = t00 ^ (mask & (t00 ^ t01)); + uint64_t z10 = t10 ^ (mask & (t10 ^ t11)); + uint64_t z20 = t20 ^ (mask & (t20 ^ t21)); + uint64_t z30 = t30 ^ (mask & (t30 ^ t31)); + uint64_t z40 = t4 ^ (mask & (t4 ^ t41)); + uint64_t z01 = z00; + uint64_t z11 = z10; + uint64_t z21 = z20; + uint64_t z31 = z30; + uint64_t z41 = z40; + uint64_t o0 = z01; + uint64_t o1 = z11; + 
uint64_t o2 = z21; + uint64_t o3 = z31; + uint64_t o4 = z41; + uint64_t z0 = o0; + uint64_t z1 = o1; + uint64_t z2 = o2; + uint64_t z3 = o3; + uint64_t z4 = o4; + out[0U] = z0; + out[1U] = z1; + out[2U] = z2; + out[3U] = z3; + out[4U] = z4; +} + +static inline void load_64_bytes(uint64_t *out, uint8_t *b) +{ + uint8_t *b80 = b; + uint64_t u = load64_le(b80); + uint64_t z = u; + uint64_t b0 = z & (uint64_t)0xffffffffffffffU; + uint8_t *b81 = b + (uint32_t)7U; + uint64_t u0 = load64_le(b81); + uint64_t z0 = u0; + uint64_t b1 = z0 & (uint64_t)0xffffffffffffffU; + uint8_t *b82 = b + (uint32_t)14U; + uint64_t u1 = load64_le(b82); + uint64_t z1 = u1; + uint64_t b2 = z1 & (uint64_t)0xffffffffffffffU; + uint8_t *b83 = b + (uint32_t)21U; + uint64_t u2 = load64_le(b83); + uint64_t z2 = u2; + uint64_t b3 = z2 & (uint64_t)0xffffffffffffffU; + uint8_t *b84 = b + (uint32_t)28U; + uint64_t u3 = load64_le(b84); + uint64_t z3 = u3; + uint64_t b4 = z3 & (uint64_t)0xffffffffffffffU; + uint8_t *b85 = b + (uint32_t)35U; + uint64_t u4 = load64_le(b85); + uint64_t z4 = u4; + uint64_t b5 = z4 & (uint64_t)0xffffffffffffffU; + uint8_t *b86 = b + (uint32_t)42U; + uint64_t u5 = load64_le(b86); + uint64_t z5 = u5; + uint64_t b6 = z5 & (uint64_t)0xffffffffffffffU; + uint8_t *b87 = b + (uint32_t)49U; + uint64_t u6 = load64_le(b87); + uint64_t z6 = u6; + uint64_t b7 = z6 & (uint64_t)0xffffffffffffffU; + uint8_t *b8 = b + (uint32_t)56U; + uint64_t u7 = load64_le(b8); + uint64_t z7 = u7; + uint64_t b88 = z7 & (uint64_t)0xffffffffffffffU; + uint8_t b63 = b[63U]; + uint64_t b9 = (uint64_t)b63; + out[0U] = b0; + out[1U] = b1; + out[2U] = b2; + out[3U] = b3; + out[4U] = b4; + out[5U] = b5; + out[6U] = b6; + out[7U] = b7; + out[8U] = b88; + out[9U] = b9; +} + +static inline void load_32_bytes(uint64_t *out, uint8_t *b) +{ + uint8_t *b80 = b; + uint64_t u0 = load64_le(b80); + uint64_t z = u0; + uint64_t b0 = z & (uint64_t)0xffffffffffffffU; + uint8_t *b81 = b + (uint32_t)7U; + uint64_t u1 = 
load64_le(b81); + uint64_t z0 = u1; + uint64_t b1 = z0 & (uint64_t)0xffffffffffffffU; + uint8_t *b82 = b + (uint32_t)14U; + uint64_t u2 = load64_le(b82); + uint64_t z1 = u2; + uint64_t b2 = z1 & (uint64_t)0xffffffffffffffU; + uint8_t *b8 = b + (uint32_t)21U; + uint64_t u3 = load64_le(b8); + uint64_t z2 = u3; + uint64_t b3 = z2 & (uint64_t)0xffffffffffffffU; + uint32_t u = load32_le(b + (uint32_t)28U); + uint32_t b4 = u; + uint64_t b41 = (uint64_t)b4; + out[0U] = b0; + out[1U] = b1; + out[2U] = b2; + out[3U] = b3; + out[4U] = b41; +} + +static inline void store_56(uint8_t *out, uint64_t *b) +{ + uint64_t b0 = b[0U]; + uint64_t b1 = b[1U]; + uint64_t b2 = b[2U]; + uint64_t b3 = b[3U]; + uint64_t b4 = b[4U]; + uint32_t b4_ = (uint32_t)b4; + uint8_t *b80 = out; + uint8_t *b81; + uint8_t *b82; + uint8_t *b8; + store64_le(b80, b0); + b81 = out + (uint32_t)7U; + store64_le(b81, b1); + b82 = out + (uint32_t)14U; + store64_le(b82, b2); + b8 = out + (uint32_t)21U; + store64_le(b8, b3); + store32_le(out + (uint32_t)28U, b4_); +} + +static inline void sha512_pre_msg(uint8_t *hash, uint8_t *prefix, uint32_t len, uint8_t *input) +{ + uint8_t buf[128U] = { 0U }; + uint64_t block_state[8U] = { 0U }; + Hacl_Streaming_SHA2_state_sha2_384 s; + s.block_state = block_state; + s.buf = buf; + s.total_len = (uint64_t)0U; + { + Hacl_Streaming_SHA2_state_sha2_384 p = s; + Hacl_Streaming_SHA2_state_sha2_384 *st; + Hacl_Hash_Core_SHA2_init_512(block_state); + st = &p; + Hacl_Streaming_SHA2_update_512(st, prefix, (uint32_t)32U); + Hacl_Streaming_SHA2_update_512(st, input, len); + Hacl_Streaming_SHA2_finish_512(st, hash); + } +} + +static inline void +sha512_pre_pre2_msg( + uint8_t *hash, + uint8_t *prefix, + uint8_t *prefix2, + uint32_t len, + uint8_t *input +) +{ + uint8_t buf[128U] = { 0U }; + uint64_t block_state[8U] = { 0U }; + Hacl_Streaming_SHA2_state_sha2_384 s; + s.block_state = block_state; + s.buf = buf; + s.total_len = (uint64_t)0U; + { + Hacl_Streaming_SHA2_state_sha2_384 p = s; + 
Hacl_Streaming_SHA2_state_sha2_384 *st; + Hacl_Hash_Core_SHA2_init_512(block_state); + st = &p; + Hacl_Streaming_SHA2_update_512(st, prefix, (uint32_t)32U); + Hacl_Streaming_SHA2_update_512(st, prefix2, (uint32_t)32U); + Hacl_Streaming_SHA2_update_512(st, input, len); + Hacl_Streaming_SHA2_finish_512(st, hash); + } +} + +static inline void +sha512_modq_pre(uint64_t *out, uint8_t *prefix, uint32_t len, uint8_t *input) +{ + uint64_t tmp[10U] = { 0U }; + uint8_t hash[64U] = { 0U }; + sha512_pre_msg(hash, prefix, len, input); + load_64_bytes(tmp, hash); + barrett_reduction(out, tmp); +} + +static inline void +sha512_modq_pre_pre2( + uint64_t *out, + uint8_t *prefix, + uint8_t *prefix2, + uint32_t len, + uint8_t *input +) +{ + uint64_t tmp[10U] = { 0U }; + uint8_t hash[64U] = { 0U }; + sha512_pre_pre2_msg(hash, prefix, prefix2, len, input); + load_64_bytes(tmp, hash); + barrett_reduction(out, tmp); +} + +static inline void point_mul_g_compress(uint8_t *out, uint8_t *s) +{ + uint64_t tmp[20U] = { 0U }; + point_mul_g(tmp, s); + Hacl_Impl_Ed25519_PointCompress_point_compress(out, tmp); +} + +static inline void sign_expanded(uint8_t *signature, uint8_t *ks, uint32_t msg, uint8_t *len) +{ + uint8_t tmp_bytes[160U] = { 0U }; + uint64_t tmp_ints[25U] = { 0U }; + uint8_t *rs_ = tmp_bytes + (uint32_t)32U; + uint8_t *s_ = tmp_bytes + (uint32_t)64U; + uint8_t *tmp_public = tmp_bytes; + uint8_t *tmp_xsecret = tmp_bytes + (uint32_t)96U; + uint64_t *r0; + uint8_t *prefix; + uint8_t *rs_1; + uint64_t *r1; + memcpy(tmp_public, ks, (uint32_t)32U * sizeof (uint8_t)); + memcpy(tmp_xsecret, ks + (uint32_t)32U, (uint32_t)64U * sizeof (uint8_t)); + r0 = tmp_ints; + prefix = tmp_bytes + (uint32_t)128U; + sha512_modq_pre(r0, prefix, msg, len); + rs_1 = tmp_bytes + (uint32_t)32U; + r1 = tmp_ints; + { + uint8_t rb[32U] = { 0U }; + uint64_t *h0; + uint8_t *a__; + uint8_t *rs_10; + uint64_t *r; + uint64_t *aq; + uint64_t *ha; + uint64_t *s; + uint64_t *h; + uint8_t *s_1; + uint8_t *a; + 
store_56(rb, r1); + point_mul_g_compress(rs_1, rb); + h0 = tmp_ints + (uint32_t)20U; + a__ = tmp_bytes; + rs_10 = tmp_bytes + (uint32_t)32U; + sha512_modq_pre_pre2(h0, rs_10, a__, msg, len); + r = tmp_ints; + aq = tmp_ints + (uint32_t)5U; + ha = tmp_ints + (uint32_t)10U; + s = tmp_ints + (uint32_t)15U; + h = tmp_ints + (uint32_t)20U; + s_1 = tmp_bytes + (uint32_t)64U; + a = tmp_bytes + (uint32_t)96U; + load_32_bytes(aq, a); + mul_modq(ha, h, aq); + add_modq(s, r, ha); + store_56(s_1, s); + memcpy(signature, rs_, (uint32_t)32U * sizeof (uint8_t)); + memcpy(signature + (uint32_t)32U, s_, (uint32_t)32U * sizeof (uint8_t)); + } +} + +static inline void pow2_252m2(uint64_t *out, uint64_t *z) +{ + uint64_t buf[20U] = { 0U }; + uint64_t *a0 = buf; + uint64_t *t00 = buf + (uint32_t)5U; + uint64_t *b0 = buf + (uint32_t)10U; + uint64_t *c0 = buf + (uint32_t)15U; + uint64_t *a; + uint64_t *t0; + uint64_t *b; + uint64_t *c; + fsquare_times(a0, z, (uint32_t)1U); + fsquare_times(t00, a0, (uint32_t)2U); + fmul0(b0, t00, z); + fmul0(a0, b0, a0); + fsquare_times(t00, a0, (uint32_t)1U); + fmul0(b0, t00, b0); + fsquare_times(t00, b0, (uint32_t)5U); + fmul0(b0, t00, b0); + fsquare_times(t00, b0, (uint32_t)10U); + fmul0(c0, t00, b0); + fsquare_times(t00, c0, (uint32_t)20U); + fmul0(t00, t00, c0); + fsquare_times_inplace(t00, (uint32_t)10U); + fmul0(b0, t00, b0); + fsquare_times(t00, b0, (uint32_t)50U); + a = buf; + t0 = buf + (uint32_t)5U; + b = buf + (uint32_t)10U; + c = buf + (uint32_t)15U; + fsquare_times(a, z, (uint32_t)1U); + fmul0(c, t0, b); + fsquare_times(t0, c, (uint32_t)100U); + fmul0(t0, t0, c); + fsquare_times_inplace(t0, (uint32_t)50U); + fmul0(t0, t0, b); + fsquare_times_inplace(t0, (uint32_t)2U); + fmul0(out, t0, a); +} + +static inline bool is_0(uint64_t *x) +{ + uint64_t x0 = x[0U]; + uint64_t x1 = x[1U]; + uint64_t x2 = x[2U]; + uint64_t x3 = x[3U]; + uint64_t x4 = x[4U]; + return + x0 + == (uint64_t)0U + && x1 == (uint64_t)0U + && x2 == (uint64_t)0U + && x3 == 
(uint64_t)0U + && x4 == (uint64_t)0U; +} + +static inline void mul_modp_sqrt_m1(uint64_t *x) +{ + uint64_t sqrt_m1[5U] = { 0U }; + sqrt_m1[0U] = (uint64_t)0x00061b274a0ea0b0U; + sqrt_m1[1U] = (uint64_t)0x0000d5a5fc8f189dU; + sqrt_m1[2U] = (uint64_t)0x0007ef5e9cbd0c60U; + sqrt_m1[3U] = (uint64_t)0x00078595a6804c9eU; + sqrt_m1[4U] = (uint64_t)0x0002b8324804fc1dU; + fmul0(x, x, sqrt_m1); +} + +static inline bool recover_x(uint64_t *x, uint64_t *y, uint64_t sign) +{ + uint64_t tmp[20U] = { 0U }; + uint64_t *x2 = tmp; + uint64_t x00 = y[0U]; + uint64_t x1 = y[1U]; + uint64_t x21 = y[2U]; + uint64_t x30 = y[3U]; + uint64_t x4 = y[4U]; + bool + b = + x00 + >= (uint64_t)0x7ffffffffffedU + && x1 == (uint64_t)0x7ffffffffffffU + && x21 == (uint64_t)0x7ffffffffffffU + && x30 == (uint64_t)0x7ffffffffffffU + && x4 == (uint64_t)0x7ffffffffffffU; + bool res; + if (b) + { + res = false; + } + else + { + uint64_t tmp1[25U] = { 0U }; + uint64_t *one = tmp1; + uint64_t *y2 = tmp1 + (uint32_t)5U; + uint64_t *dyyi = tmp1 + (uint32_t)10U; + uint64_t *dyy = tmp1 + (uint32_t)15U; + one[0U] = (uint64_t)1U; + one[1U] = (uint64_t)0U; + one[2U] = (uint64_t)0U; + one[3U] = (uint64_t)0U; + one[4U] = (uint64_t)0U; + fsquare(y2, y); + times_d(dyy, y2); + fsum(dyy, one); + Hacl_Bignum25519_reduce_513(dyy); + Hacl_Bignum25519_inverse(dyyi, dyy); + fdifference(one, y2); + fmul0(x2, one, dyyi); + reduce(x2); + { + bool x2_is_0 = is_0(x2); + uint8_t z; + if (x2_is_0) + { + if (sign == (uint64_t)0U) + { + x[0U] = (uint64_t)0U; + x[1U] = (uint64_t)0U; + x[2U] = (uint64_t)0U; + x[3U] = (uint64_t)0U; + x[4U] = (uint64_t)0U; + z = (uint8_t)1U; + } + else + { + z = (uint8_t)0U; + } + } + else + { + z = (uint8_t)2U; + } + if (z == (uint8_t)0U) + { + res = false; + } + else if (z == (uint8_t)1U) + { + res = true; + } + else + { + uint64_t *x210 = tmp; + uint64_t *x31 = tmp + (uint32_t)5U; + uint64_t *t00 = tmp + (uint32_t)10U; + uint64_t *t10 = tmp + (uint32_t)15U; + pow2_252m2(x31, x210); + fsquare(t00, x31); 
+ memcpy(t10, x210, (uint32_t)5U * sizeof (uint64_t)); + fdifference(t10, t00); + Hacl_Bignum25519_reduce_513(t10); + reduce(t10); + { + bool t1_is_0 = is_0(t10); + if (!t1_is_0) + { + mul_modp_sqrt_m1(x31); + } + { + uint64_t *x211 = tmp; + uint64_t *x3 = tmp + (uint32_t)5U; + uint64_t *t01 = tmp + (uint32_t)10U; + uint64_t *t1 = tmp + (uint32_t)15U; + fsquare(t01, x3); + memcpy(t1, x211, (uint32_t)5U * sizeof (uint64_t)); + fdifference(t1, t01); + Hacl_Bignum25519_reduce_513(t1); + reduce(t1); + { + bool z1 = is_0(t1); + if (z1 == false) + { + res = false; + } + else + { + uint64_t *x32 = tmp + (uint32_t)5U; + uint64_t *t0 = tmp + (uint32_t)10U; + reduce(x32); + { + uint64_t x0 = x32[0U]; + uint64_t x01 = x0 & (uint64_t)1U; + if (!(x01 == sign)) + { + t0[0U] = (uint64_t)0U; + t0[1U] = (uint64_t)0U; + t0[2U] = (uint64_t)0U; + t0[3U] = (uint64_t)0U; + t0[4U] = (uint64_t)0U; + fdifference(x32, t0); + Hacl_Bignum25519_reduce_513(x32); + reduce(x32); + } + memcpy(x, x32, (uint32_t)5U * sizeof (uint64_t)); + res = true; + } + } + } + } + } + } + } + } + { + bool res0 = res; + return res0; + } +} + +bool Hacl_Impl_Ed25519_PointDecompress_point_decompress(uint64_t *out, uint8_t *s) +{ + uint64_t tmp[10U] = { 0U }; + uint64_t *y = tmp; + uint64_t *x = tmp + (uint32_t)5U; + uint8_t s31 = s[31U]; + uint8_t z0 = s31 >> (uint32_t)7U; + uint64_t sign = (uint64_t)z0; + bool z; + bool res0; + bool res; + Hacl_Bignum25519_load_51(y, s); + z = recover_x(x, y, sign); + if (z == false) + { + res0 = false; + } + else + { + uint64_t *outx = out; + uint64_t *outy = out + (uint32_t)5U; + uint64_t *outz = out + (uint32_t)10U; + uint64_t *outt = out + (uint32_t)15U; + memcpy(outx, x, (uint32_t)5U * sizeof (uint64_t)); + memcpy(outy, y, (uint32_t)5U * sizeof (uint64_t)); + outz[0U] = (uint64_t)1U; + outz[1U] = (uint64_t)0U; + outz[2U] = (uint64_t)0U; + outz[3U] = (uint64_t)0U; + outz[4U] = (uint64_t)0U; + fmul0(outt, x, y); + res0 = true; + } + res = res0; + return res; +} + +static inline 
bool gte_q(uint64_t *s) +{ + uint64_t s0 = s[0U]; + uint64_t s1 = s[1U]; + uint64_t s2 = s[2U]; + uint64_t s3 = s[3U]; + uint64_t s4 = s[4U]; + if (s4 > (uint64_t)0x00000010000000U) + { + return true; + } + if (s4 < (uint64_t)0x00000010000000U) + { + return false; + } + if (s3 > (uint64_t)0x00000000000000U) + { + return true; + } + if (s2 > (uint64_t)0x000000000014deU) + { + return true; + } + if (s2 < (uint64_t)0x000000000014deU) + { + return false; + } + if (s1 > (uint64_t)0xf9dea2f79cd658U) + { + return true; + } + if (s1 < (uint64_t)0xf9dea2f79cd658U) + { + return false; + } + if (s0 >= (uint64_t)0x12631a5cf5d3edU) + { + return true; + } + return false; +} + +static inline bool eq(uint64_t *a, uint64_t *b) +{ + uint64_t a0 = a[0U]; + uint64_t a1 = a[1U]; + uint64_t a2 = a[2U]; + uint64_t a3 = a[3U]; + uint64_t a4 = a[4U]; + uint64_t b0 = b[0U]; + uint64_t b1 = b[1U]; + uint64_t b2 = b[2U]; + uint64_t b3 = b[3U]; + uint64_t b4 = b[4U]; + return a0 == b0 && a1 == b1 && a2 == b2 && a3 == b3 && a4 == b4; +} + +bool Hacl_Impl_Ed25519_PointEqual_point_equal(uint64_t *p, uint64_t *q) +{ + uint64_t tmp[20U] = { 0U }; + uint64_t *pxqz = tmp; + uint64_t *qxpz = tmp + (uint32_t)5U; + bool b; + bool res; + fmul0(pxqz, p, q + (uint32_t)10U); + reduce(pxqz); + fmul0(qxpz, q, p + (uint32_t)10U); + reduce(qxpz); + b = eq(pxqz, qxpz); + if (b) + { + uint64_t *pyqz = tmp + (uint32_t)10U; + uint64_t *qypz = tmp + (uint32_t)15U; + fmul0(pyqz, p + (uint32_t)5U, q + (uint32_t)10U); + reduce(pyqz); + fmul0(qypz, q + (uint32_t)5U, p + (uint32_t)10U); + reduce(qypz); + res = eq(pyqz, qypz); + } + else + { + res = false; + } + return res; +} + +void Hacl_Impl_Ed25519_PointNegate_point_negate(uint64_t *p, uint64_t *out) +{ + uint64_t zero[5U] = { 0U }; + uint64_t *x; + uint64_t *y; + uint64_t *z; + uint64_t *t; + uint64_t *x1; + uint64_t *y1; + uint64_t *z1; + uint64_t *t1; + zero[0U] = (uint64_t)0U; + zero[1U] = (uint64_t)0U; + zero[2U] = (uint64_t)0U; + zero[3U] = (uint64_t)0U; + 
zero[4U] = (uint64_t)0U; + x = p; + y = p + (uint32_t)5U; + z = p + (uint32_t)10U; + t = p + (uint32_t)15U; + x1 = out; + y1 = out + (uint32_t)5U; + z1 = out + (uint32_t)10U; + t1 = out + (uint32_t)15U; + memcpy(x1, x, (uint32_t)5U * sizeof (uint64_t)); + fdifference(x1, zero); + Hacl_Bignum25519_reduce_513(x1); + memcpy(y1, y, (uint32_t)5U * sizeof (uint64_t)); + memcpy(z1, z, (uint32_t)5U * sizeof (uint64_t)); + memcpy(t1, t, (uint32_t)5U * sizeof (uint64_t)); + fdifference(t1, zero); + Hacl_Bignum25519_reduce_513(t1); +} + +void Hacl_Ed25519_sign(uint8_t *signature, uint8_t *priv, uint32_t len, uint8_t *msg) +{ + uint8_t ks[96U] = { 0U }; + secret_expand(ks + (uint32_t)32U, priv); + secret_to_public(ks, priv); + sign_expanded(signature, ks, len, msg); +} + +bool Hacl_Ed25519_verify(uint8_t *pub, uint32_t len, uint8_t *msg, uint8_t *signature) +{ + uint64_t tmp[45U] = { 0U }; + uint8_t tmp_[32U] = { 0U }; + uint64_t *a_ = tmp; + uint64_t *r_ = tmp + (uint32_t)20U; + bool b = Hacl_Impl_Ed25519_PointDecompress_point_decompress(a_, pub); + bool res; + if (b) + { + uint8_t *rs = signature; + bool b_ = Hacl_Impl_Ed25519_PointDecompress_point_decompress(r_, rs); + if (b_) + { + uint8_t *rs1 = signature; + uint64_t *a_1 = tmp; + uint64_t *r_1 = tmp + (uint32_t)20U; + uint64_t *s = tmp + (uint32_t)40U; + load_32_bytes(s, signature + (uint32_t)32U); + { + bool b__ = gte_q(s); + if (b__) + { + res = false; + } + else + { + uint64_t r_2[5U] = { 0U }; + sha512_modq_pre_pre2(r_2, rs1, pub, len, msg); + store_56(tmp_, r_2); + { + uint8_t *uu____0 = signature + (uint32_t)32U; + uint64_t tmp1[40U] = { 0U }; + uint64_t *a_neg = tmp1; + uint64_t *exp_d = tmp1 + (uint32_t)20U; + Hacl_Impl_Ed25519_PointNegate_point_negate(a_1, a_neg); + point_mul_g_double_vartime(exp_d, uu____0, tmp_, a_neg); + { + uint64_t *exp_d0 = tmp1 + (uint32_t)20U; + bool b1 = Hacl_Impl_Ed25519_PointEqual_point_equal(exp_d0, r_1); + res = b1; + } + } + } + } + } + else + { + res = false; + } + } + else + { + 
res = false; + } + { + bool res0 = res; + return res0; + } +} + +void Hacl_Ed25519_secret_to_public(uint8_t *pub, uint8_t *priv) +{ + secret_to_public(pub, priv); +} + +void Hacl_Ed25519_expand_keys(uint8_t *ks, uint8_t *priv) +{ + secret_expand(ks + (uint32_t)32U, priv); + secret_to_public(ks, priv); +} + +void Hacl_Ed25519_sign_expanded(uint8_t *signature, uint8_t *ks, uint32_t len, uint8_t *msg) +{ + sign_expanded(signature, ks, len, msg); +} + diff --git a/src/c89/Hacl_GenericField32.c b/src/c89/Hacl_GenericField32.c new file mode 100644 index 00000000..d8bacd9c --- /dev/null +++ b/src/c89/Hacl_GenericField32.c 
@@ -0,0 +1,707 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_GenericField32.h" + +#include "internal/Hacl_Bignum.h" + +/******************************************************************************* + +A verified field arithmetic library. + +This is a 32-bit optimized version, where bignums are represented as an array +of `len` unsigned 32-bit integers, i.e. uint32_t[len]. + +All the arithmetic operations are performed in the Montgomery domain. + +All the functions below preserve the following invariant for a bignum `aM` in +Montgomery form. + • aM < n + +*******************************************************************************/ + + +/* +Check whether this library will work for a modulus `n`. + + The function returns false if any of the following preconditions are violated, + true otherwise. 
+ • n % 2 = 1 + • 1 < n +*/ +bool Hacl_GenericField32_field_modulus_check(uint32_t len, uint32_t *n) +{ + uint32_t m = Hacl_Bignum_Montgomery_bn_check_modulus_u32(len, n); + return m == (uint32_t)0xFFFFFFFFU; +} + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_GenericField32_field_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 +*Hacl_GenericField32_field_init(uint32_t len, uint32_t *n) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len); + { + uint32_t *r2 = (uint32_t *)KRML_HOST_CALLOC(len, sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + { + uint32_t *n1 = (uint32_t *)KRML_HOST_CALLOC(len, sizeof (uint32_t)); + uint32_t *r21 = r2; + uint32_t *n11 = n1; + uint32_t nBits; + uint32_t mu; + memcpy(n11, n, len * sizeof (uint32_t)); + nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32(len, n); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u32(len, nBits, n, r21); + mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + { + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 res; + res.len = len; + res.n = n11; + res.mu = mu; + res.r2 = r21; + KRML_CHECK_SIZE(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32), (uint32_t)1U); + { + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 + *buf = + (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *)KRML_HOST_MALLOC(sizeof ( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 + )); + buf[0U] = res; + return buf; + } + } + } + } +} + +/* +Deallocate the memory previously allocated by Hacl_GenericField32_field_init. + + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. 
+*/ +void Hacl_GenericField32_field_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + uint32_t *n = k1.n; + uint32_t *r2 = k1.r2; + KRML_HOST_FREE(n); + KRML_HOST_FREE(r2); + KRML_HOST_FREE(k); +} + +/* +Return the size of a modulus `n` in limbs. + + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +uint32_t Hacl_GenericField32_field_get_len(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + return k1.len; +} + +/* +Convert a bignum from the regular representation to the Montgomery representation. + + Write `a * R mod n` in `aM`. + + The argument a and the outparam aM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void +Hacl_GenericField32_to_field( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *aM +) +{ + uint32_t len1 = Hacl_GenericField32_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + Hacl_Bignum_Montgomery_bn_to_mont_u32(len1, k1.n, k1.mu, k1.r2, a, aM); +} + +/* +Convert a result back from the Montgomery representation to the regular representation. + + Write `aM / R mod n` in `a`, i.e. + Hacl_GenericField32_from_field(k, Hacl_GenericField32_to_field(k, a)) == a % n + + The argument aM and the outparam a are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void +Hacl_GenericField32_from_field( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *a +) +{ + uint32_t len1 = Hacl_GenericField32_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, k1.n, k1.mu, aM, a); +} + +/* +Write `aM + bM mod n` in `cM`. 
+ + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void +Hacl_GenericField32_add( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *bM, + uint32_t *cM +) +{ + uint32_t len1 = Hacl_GenericField32_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + Hacl_Bignum_bn_add_mod_n_u32(len1, k1.n, aM, bM, cM); +} + +/* +Write `aM - bM mod n` to `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void +Hacl_GenericField32_sub( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *bM, + uint32_t *cM +) +{ + uint32_t len1 = Hacl_GenericField32_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + Hacl_Bignum_bn_sub_mod_n_u32(len1, k1.n, aM, bM, cM); +} + +/* +Write `aM * bM mod n` in `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void +Hacl_GenericField32_mul( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *bM, + uint32_t *cM +) +{ + uint32_t len1 = Hacl_GenericField32_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, k1.n, k1.mu, aM, bM, cM); +} + +/* +Write `aM * aM mod n` in `cM`. + + The argument aM and the outparam cM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. 
+*/ +void +Hacl_GenericField32_sqr( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *cM +) +{ + uint32_t len1 = Hacl_GenericField32_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, k1.n, k1.mu, aM, cM); +} + +/* +Convert a bignum `one` to its Montgomery representation. + + The outparam oneM is meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void Hacl_GenericField32_one(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, uint32_t *oneM) +{ + uint32_t len1 = Hacl_GenericField32_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, k1.n, k1.mu, k1.r2, oneM); +} + +/* +Write `aM ^ b mod n` in `resM`. + + The argument aM and the outparam resM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than exp_vartime. + + Before calling this function, the caller will need to ensure that the following + precondition is observed. 
+ • b < pow2 bBits +*/ +void +Hacl_GenericField32_exp_consttime( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t bBits, + uint32_t *b, + uint32_t *resM +) +{ + uint32_t len1 = Hacl_GenericField32_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + KRML_CHECK_SIZE(sizeof (uint32_t), k1.len); + { + uint32_t aMc[k1.len]; + memset(aMc, 0U, k1.len * sizeof (uint32_t)); + memcpy(aMc, aM, k1.len * sizeof (uint32_t)); + if (bBits < (uint32_t)200U) + { + Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, k1.n, k1.mu, k1.r2, resM); + { + uint32_t sw = (uint32_t)0U; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < bBits; i0++) + { + uint32_t i1 = (bBits - i0 - (uint32_t)1U) / (uint32_t)32U; + uint32_t j = (bBits - i0 - (uint32_t)1U) % (uint32_t)32U; + uint32_t tmp = b[i1]; + uint32_t bit = tmp >> j & (uint32_t)1U; + uint32_t sw1 = bit ^ sw; + { + uint32_t i; + for (i = (uint32_t)0U; i < len1; i++) + { + uint32_t dummy = ((uint32_t)0U - sw1) & (resM[i] ^ aMc[i]); + resM[i] = resM[i] ^ dummy; + aMc[i] = aMc[i] ^ dummy; + } + } + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, k1.n, k1.mu, aMc, resM, aMc); + Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, k1.n, k1.mu, resM, resM); + sw = bit; + } + } + { + uint32_t sw0 = sw; + { + uint32_t i; + for (i = (uint32_t)0U; i < len1; i++) + { + uint32_t dummy = ((uint32_t)0U - sw0) & (resM[i] ^ aMc[i]); + resM[i] = resM[i] ^ dummy; + aMc[i] = aMc[i] ^ dummy; + } + } + } + } + } + else + { + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, k1.n, k1.mu, k1.r2, resM); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)16U * len1); + { + uint32_t table[(uint32_t)16U * len1]; + memset(table, 0U, (uint32_t)16U * len1 * sizeof (uint32_t)); + memcpy(table, resM, len1 * sizeof (uint32_t)); + { + uint32_t *t1 = table + len1; + memcpy(t1, aMc, len1 * sizeof 
(uint32_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint32_t *t11 = table + (i + (uint32_t)1U) * len1; + uint32_t *t2 = table + (i + (uint32_t)2U) * len1; + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, k1.n, k1.mu, t11, aMc, t2); + } + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i0 = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)32U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)32U; + uint32_t p1 = b[i0] >> j; + uint32_t ite; + if (i0 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i0 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + { + uint32_t bits_c = ite & mask_l; + memcpy(resM, table, len1 * sizeof (uint32_t)); + { + uint32_t i1; + for (i1 = (uint32_t)0U; i1 < (uint32_t)15U; i1++) + { + uint32_t c = FStar_UInt32_eq_mask(bits_c, i1 + (uint32_t)1U); + uint32_t *res_j = table + (i1 + (uint32_t)1U) * len1; + { + uint32_t i; + for (i = (uint32_t)0U; i < len1; i++) + { + uint32_t *os = resM; + uint32_t x = (c & res_j[i]) | (~c & resM[i]); + os[i] = x; + } + } + } + } + } + } + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < bBits / (uint32_t)4U; i0++) + { + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, k1.n, k1.mu, resM, resM); + } + } + { + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i0 - (uint32_t)4U) / (uint32_t)32U; + uint32_t j = (bk - (uint32_t)4U * i0 - (uint32_t)4U) % (uint32_t)32U; + uint32_t p1 = b[i1] >> j; + uint32_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + { + uint32_t bits_l = ite & mask_l; + KRML_CHECK_SIZE(sizeof (uint32_t), len1); + { + uint32_t a_bits_l[len1]; + memset(a_bits_l, 0U, len1 * sizeof (uint32_t)); + memcpy(a_bits_l, 
table, len1 * sizeof (uint32_t)); + { + uint32_t i2; + for (i2 = (uint32_t)0U; i2 < (uint32_t)15U; i2++) + { + uint32_t c = FStar_UInt32_eq_mask(bits_l, i2 + (uint32_t)1U); + uint32_t *res_j = table + (i2 + (uint32_t)1U) * len1; + { + uint32_t i; + for (i = (uint32_t)0U; i < len1; i++) + { + uint32_t *os = a_bits_l; + uint32_t x = (c & res_j[i]) | (~c & a_bits_l[i]); + os[i] = x; + } + } + } + } + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, k1.n, k1.mu, resM, a_bits_l, resM); + } + } + } + } + } + } + } + } + } +} + +/* +Write `aM ^ b mod n` in `resM`. + + The argument aM and the outparam resM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + exp_consttime function for constant-time variant. + + Before calling this function, the caller will need to ensure that the following + precondition is observed. 
+ • b < pow2 bBits +*/ +void +Hacl_GenericField32_exp_vartime( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t bBits, + uint32_t *b, + uint32_t *resM +) +{ + uint32_t len1 = Hacl_GenericField32_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + KRML_CHECK_SIZE(sizeof (uint32_t), k1.len); + { + uint32_t aMc[k1.len]; + memset(aMc, 0U, k1.len * sizeof (uint32_t)); + memcpy(aMc, aM, k1.len * sizeof (uint32_t)); + if (bBits < (uint32_t)200U) + { + Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, k1.n, k1.mu, k1.r2, resM); + { + uint32_t i; + for (i = (uint32_t)0U; i < bBits; i++) + { + uint32_t i1 = i / (uint32_t)32U; + uint32_t j = i % (uint32_t)32U; + uint32_t tmp = b[i1]; + uint32_t bit = tmp >> j & (uint32_t)1U; + if (!(bit == (uint32_t)0U)) + { + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, k1.n, k1.mu, resM, aMc, resM); + } + Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, k1.n, k1.mu, aMc, aMc); + } + } + } + else + { + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, k1.n, k1.mu, k1.r2, resM); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)16U * len1); + { + uint32_t table[(uint32_t)16U * len1]; + memset(table, 0U, (uint32_t)16U * len1 * sizeof (uint32_t)); + memcpy(table, resM, len1 * sizeof (uint32_t)); + { + uint32_t *t1 = table + len1; + memcpy(t1, aMc, len1 * sizeof (uint32_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint32_t *t11 = table + (i + (uint32_t)1U) * len1; + uint32_t *t2 = table + (i + (uint32_t)2U) * len1; + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, k1.n, k1.mu, t11, aMc, t2); + } + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)32U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)32U; 
+ uint32_t p1 = b[i] >> j; + uint32_t ite; + if (i + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + { + uint32_t bits_c = ite & mask_l; + uint32_t bits_l32 = bits_c; + uint32_t *a_bits_l = table + bits_l32 * len1; + memcpy(resM, a_bits_l, len1 * sizeof (uint32_t)); + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < bBits / (uint32_t)4U; i++) + { + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, k1.n, k1.mu, resM, resM); + } + } + { + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)32U; + uint32_t j = (bk - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)32U; + uint32_t p1 = b[i1] >> j; + uint32_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + { + uint32_t bits_l = ite & mask_l; + KRML_CHECK_SIZE(sizeof (uint32_t), len1); + { + uint32_t a_bits_l[len1]; + memset(a_bits_l, 0U, len1 * sizeof (uint32_t)); + { + uint32_t bits_l32 = bits_l; + uint32_t *a_bits_l1 = table + bits_l32 * len1; + memcpy(a_bits_l, a_bits_l1, len1 * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, + k1.n, + k1.mu, + resM, + a_bits_l, + resM); + } + } + } + } + } + } + } + } + } + } +} + +/* +Write `aM ^ (-1) mod n` in `aInvM`. + + The argument aM and the outparam aInvM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • n is a prime + • 0 < aM +*/ +void +Hacl_GenericField32_inverse( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *aInvM +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + uint32_t len1 = k1.len; + KRML_CHECK_SIZE(sizeof (uint32_t), len1); + { + uint32_t n2[len1]; + memset(n2, 0U, len1 * sizeof (uint32_t)); + { + uint32_t + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32((uint32_t)0U, k1.n[0U], (uint32_t)2U, n2); + uint32_t c1; + if ((uint32_t)1U < len1) + { + uint32_t rLen = len1 - (uint32_t)1U; + uint32_t *a1 = k1.n + (uint32_t)1U; + uint32_t *res1 = n2 + (uint32_t)1U; + uint32_t c = c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint32_t t1 = a1[(uint32_t)4U * i]; + uint32_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i0); + { + uint32_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, (uint32_t)0U, res_i1); + { + uint32_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, (uint32_t)0U, res_i2); + { + uint32_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, (uint32_t)0U, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint32_t t1 = a1[i]; + uint32_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i); + } + } + { + uint32_t c10 = c; + c1 = c10; + } + } + else + { + c1 = c0; + } + Hacl_GenericField32_exp_vartime(k, aM, k1.len * (uint32_t)32U, n2, aInvM); + } + } +} + diff --git a/src/c89/Hacl_GenericField64.c b/src/c89/Hacl_GenericField64.c new file mode 100644 index 00000000..6e12fca7 --- /dev/null 
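Review bot: Hacl_GenericField32_field_init uses all three allocation results unchecked — `n1` from KRML_HOST_CALLOC is the destination of `memcpy(n11, n, len * sizeof (uint32_t))`, `r21` is handed straight to Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u32, and `buf[0U] = res` writes through the KRML_HOST_MALLOC result — so an allocation failure turns into a NULL dereference rather than an error return (and a naive NULL check on `n1` alone would leak `r2`). In krmllib the KRML_HOST_* hooks default to plain calloc/malloc, so this is what an unmodified build gets. Since the file is KaRaMeL output, the durable fix belongs in the generator or in the hooks, but the function's doc block should at least state it: `Allocation failures are not detected: the context and its limb buffers are used unchecked, so callers that must survive OOM should override KRML_HOST_MALLOC/KRML_HOST_CALLOC with a non-failing or aborting allocator.` Hacl_GenericField64_field_init in the next hunk has the same shape. Separately, `c1` in Hacl_GenericField32_inverse is assigned on both branches of the `if ((uint32_t)1U < len1)` and never read before the Hacl_GenericField32_exp_vartime call, which will trip -Wunused-but-set-variable under -Wall.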
+++ b/src/c89/Hacl_GenericField64.c 
@@ -0,0 +1,707 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_GenericField64.h" + +#include "internal/Hacl_Bignum.h" + +/******************************************************************************* + +A verified field arithmetic library. + +This is a 64-bit optimized version, where bignums are represented as an array +of `len` unsigned 64-bit integers, i.e. uint64_t[len]. + +All the arithmetic operations are performed in the Montgomery domain. + +All the functions below preserve the following invariant for a bignum `aM` in +Montgomery form. + • aM < n + +*******************************************************************************/ + + +/* +Check whether this library will work for a modulus `n`. + + The function returns false if any of the following preconditions are violated, + true otherwise. 
+ • n % 2 = 1 + • 1 < n +*/ +bool Hacl_GenericField64_field_modulus_check(uint32_t len, uint64_t *n) +{ + uint64_t m = Hacl_Bignum_Montgomery_bn_check_modulus_u64(len, n); + return m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be `len` limbs in size, i.e. uint64_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_GenericField64_field_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 +*Hacl_GenericField64_field_init(uint32_t len, uint64_t *n) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len); + { + uint64_t *r2 = (uint64_t *)KRML_HOST_CALLOC(len, sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + { + uint64_t *n1 = (uint64_t *)KRML_HOST_CALLOC(len, sizeof (uint64_t)); + uint64_t *r21 = r2; + uint64_t *n11 = n1; + uint32_t nBits; + uint64_t mu; + memcpy(n11, n, len * sizeof (uint64_t)); + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64(len, n); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64(len, nBits, n, r21); + mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + { + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 res; + res.len = len; + res.n = n11; + res.mu = mu; + res.r2 = r21; + KRML_CHECK_SIZE(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64), (uint32_t)1U); + { + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 + *buf = + (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *)KRML_HOST_MALLOC(sizeof ( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 + )); + buf[0U] = res; + return buf; + } + } + } + } +} + +/* +Deallocate the memory previously allocated by Hacl_GenericField64_field_init. + + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. 
+*/ +void Hacl_GenericField64_field_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + uint64_t *n = k1.n; + uint64_t *r2 = k1.r2; + KRML_HOST_FREE(n); + KRML_HOST_FREE(r2); + KRML_HOST_FREE(k); +} + +/* +Return the size of a modulus `n` in limbs. + + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +uint32_t Hacl_GenericField64_field_get_len(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + return k1.len; +} + +/* +Convert a bignum from the regular representation to the Montgomery representation. + + Write `a * R mod n` in `aM`. + + The argument a and the outparam aM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_to_field( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *aM +) +{ + uint32_t len1 = Hacl_GenericField64_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + Hacl_Bignum_Montgomery_bn_to_mont_u64(len1, k1.n, k1.mu, k1.r2, a, aM); +} + +/* +Convert a result back from the Montgomery representation to the regular representation. + + Write `aM / R mod n` in `a`, i.e. + Hacl_GenericField64_from_field(k, Hacl_GenericField64_to_field(k, a)) == a % n + + The argument aM and the outparam a are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_from_field( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *a +) +{ + uint32_t len1 = Hacl_GenericField64_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, k1.n, k1.mu, aM, a); +} + +/* +Write `aM + bM mod n` in `cM`. 
+ + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_add( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *bM, + uint64_t *cM +) +{ + uint32_t len1 = Hacl_GenericField64_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + Hacl_Bignum_bn_add_mod_n_u64(len1, k1.n, aM, bM, cM); +} + +/* +Write `aM - bM mod n` to `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_sub( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *bM, + uint64_t *cM +) +{ + uint32_t len1 = Hacl_GenericField64_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + Hacl_Bignum_bn_sub_mod_n_u64(len1, k1.n, aM, bM, cM); +} + +/* +Write `aM * bM mod n` in `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_mul( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *bM, + uint64_t *cM +) +{ + uint32_t len1 = Hacl_GenericField64_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, k1.n, k1.mu, aM, bM, cM); +} + +/* +Write `aM * aM mod n` in `cM`. + + The argument aM and the outparam cM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. 
+*/ +void +Hacl_GenericField64_sqr( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *cM +) +{ + uint32_t len1 = Hacl_GenericField64_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, k1.n, k1.mu, aM, cM); +} + +/* +Convert a bignum `one` to its Montgomery representation. + + The outparam oneM is meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void Hacl_GenericField64_one(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, uint64_t *oneM) +{ + uint32_t len1 = Hacl_GenericField64_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, k1.n, k1.mu, k1.r2, oneM); +} + +/* +Write `aM ^ b mod n` in `resM`. + + The argument aM and the outparam resM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than exp_vartime. + + Before calling this function, the caller will need to ensure that the following + precondition is observed. 
+ • b < pow2 bBits +*/ +void +Hacl_GenericField64_exp_consttime( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint32_t bBits, + uint64_t *b, + uint64_t *resM +) +{ + uint32_t len1 = Hacl_GenericField64_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + KRML_CHECK_SIZE(sizeof (uint64_t), k1.len); + { + uint64_t aMc[k1.len]; + memset(aMc, 0U, k1.len * sizeof (uint64_t)); + memcpy(aMc, aM, k1.len * sizeof (uint64_t)); + if (bBits < (uint32_t)200U) + { + Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, k1.n, k1.mu, k1.r2, resM); + { + uint64_t sw = (uint64_t)0U; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < bBits; i0++) + { + uint32_t i1 = (bBits - i0 - (uint32_t)1U) / (uint32_t)64U; + uint32_t j = (bBits - i0 - (uint32_t)1U) % (uint32_t)64U; + uint64_t tmp = b[i1]; + uint64_t bit = tmp >> j & (uint64_t)1U; + uint64_t sw1 = bit ^ sw; + { + uint32_t i; + for (i = (uint32_t)0U; i < len1; i++) + { + uint64_t dummy = ((uint64_t)0U - sw1) & (resM[i] ^ aMc[i]); + resM[i] = resM[i] ^ dummy; + aMc[i] = aMc[i] ^ dummy; + } + } + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, k1.n, k1.mu, aMc, resM, aMc); + Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, k1.n, k1.mu, resM, resM); + sw = bit; + } + } + { + uint64_t sw0 = sw; + { + uint32_t i; + for (i = (uint32_t)0U; i < len1; i++) + { + uint64_t dummy = ((uint64_t)0U - sw0) & (resM[i] ^ aMc[i]); + resM[i] = resM[i] ^ dummy; + aMc[i] = aMc[i] ^ dummy; + } + } + } + } + } + else + { + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, k1.n, k1.mu, k1.r2, resM); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)16U * len1); + { + uint64_t table[(uint32_t)16U * len1]; + memset(table, 0U, (uint32_t)16U * len1 * sizeof (uint64_t)); + memcpy(table, resM, len1 * sizeof (uint64_t)); + { + uint64_t *t1 = table + len1; + memcpy(t1, aMc, len1 * sizeof 
(uint64_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table + (i + (uint32_t)1U) * len1; + uint64_t *t2 = table + (i + (uint32_t)2U) * len1; + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, k1.n, k1.mu, t11, aMc, t2); + } + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i0 = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)64U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)64U; + uint64_t p1 = b[i0] >> j; + uint64_t ite; + if (i0 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i0 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + { + uint64_t bits_c = ite & mask_l; + memcpy(resM, table, len1 * sizeof (uint64_t)); + { + uint32_t i1; + for (i1 = (uint32_t)0U; i1 < (uint32_t)15U; i1++) + { + uint64_t c = FStar_UInt64_eq_mask(bits_c, (uint64_t)(i1 + (uint32_t)1U)); + uint64_t *res_j = table + (i1 + (uint32_t)1U) * len1; + { + uint32_t i; + for (i = (uint32_t)0U; i < len1; i++) + { + uint64_t *os = resM; + uint64_t x = (c & res_j[i]) | (~c & resM[i]); + os[i] = x; + } + } + } + } + } + } + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < bBits / (uint32_t)4U; i0++) + { + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, k1.n, k1.mu, resM, resM); + } + } + { + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i0 - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk - (uint32_t)4U * i0 - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = b[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + { + uint64_t bits_l = ite & mask_l; + KRML_CHECK_SIZE(sizeof (uint64_t), len1); + { + uint64_t a_bits_l[len1]; + memset(a_bits_l, 0U, len1 * sizeof (uint64_t)); + 
memcpy(a_bits_l, table, len1 * sizeof (uint64_t)); + { + uint32_t i2; + for (i2 = (uint32_t)0U; i2 < (uint32_t)15U; i2++) + { + uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i2 + (uint32_t)1U)); + uint64_t *res_j = table + (i2 + (uint32_t)1U) * len1; + { + uint32_t i; + for (i = (uint32_t)0U; i < len1; i++) + { + uint64_t *os = a_bits_l; + uint64_t x = (c & res_j[i]) | (~c & a_bits_l[i]); + os[i] = x; + } + } + } + } + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, k1.n, k1.mu, resM, a_bits_l, resM); + } + } + } + } + } + } + } + } + } +} + +/* +Write `aM ^ b mod n` in `resM`. + + The argument aM and the outparam resM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + exp_consttime function for constant-time variant. + + Before calling this function, the caller will need to ensure that the following + precondition is observed. 
+ • b < pow2 bBits +*/ +void +Hacl_GenericField64_exp_vartime( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint32_t bBits, + uint64_t *b, + uint64_t *resM +) +{ + uint32_t len1 = Hacl_GenericField64_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + KRML_CHECK_SIZE(sizeof (uint64_t), k1.len); + { + uint64_t aMc[k1.len]; + memset(aMc, 0U, k1.len * sizeof (uint64_t)); + memcpy(aMc, aM, k1.len * sizeof (uint64_t)); + if (bBits < (uint32_t)200U) + { + Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, k1.n, k1.mu, k1.r2, resM); + { + uint32_t i; + for (i = (uint32_t)0U; i < bBits; i++) + { + uint32_t i1 = i / (uint32_t)64U; + uint32_t j = i % (uint32_t)64U; + uint64_t tmp = b[i1]; + uint64_t bit = tmp >> j & (uint64_t)1U; + if (!(bit == (uint64_t)0U)) + { + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, k1.n, k1.mu, resM, aMc, resM); + } + Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, k1.n, k1.mu, aMc, aMc); + } + } + } + else + { + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, k1.n, k1.mu, k1.r2, resM); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)16U * len1); + { + uint64_t table[(uint32_t)16U * len1]; + memset(table, 0U, (uint32_t)16U * len1 * sizeof (uint64_t)); + memcpy(table, resM, len1 * sizeof (uint64_t)); + { + uint64_t *t1 = table + len1; + memcpy(t1, aMc, len1 * sizeof (uint64_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table + (i + (uint32_t)1U) * len1; + uint64_t *t2 = table + (i + (uint32_t)2U) * len1; + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, k1.n, k1.mu, t11, aMc, t2); + } + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)64U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)64U; 
+ uint64_t p1 = b[i] >> j; + uint64_t ite; + if (i + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + { + uint64_t bits_c = ite & mask_l; + uint32_t bits_l32 = (uint32_t)bits_c; + uint64_t *a_bits_l = table + bits_l32 * len1; + memcpy(resM, a_bits_l, len1 * sizeof (uint64_t)); + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < bBits / (uint32_t)4U; i++) + { + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, k1.n, k1.mu, resM, resM); + } + } + { + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = b[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + { + uint64_t bits_l = ite & mask_l; + KRML_CHECK_SIZE(sizeof (uint64_t), len1); + { + uint64_t a_bits_l[len1]; + memset(a_bits_l, 0U, len1 * sizeof (uint64_t)); + { + uint32_t bits_l32 = (uint32_t)bits_l; + uint64_t *a_bits_l1 = table + bits_l32 * len1; + memcpy(a_bits_l, a_bits_l1, len1 * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, + k1.n, + k1.mu, + resM, + a_bits_l, + resM); + } + } + } + } + } + } + } + } + } + } +} + +/* +Write `aM ^ (-1) mod n` in `aInvM`. + + The argument aM and the outparam aInvM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • n is a prime + • 0 < aM +*/ +void +Hacl_GenericField64_inverse( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *aInvM +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + uint32_t len1 = k1.len; + KRML_CHECK_SIZE(sizeof (uint64_t), len1); + { + uint64_t n2[len1]; + memset(n2, 0U, len1 * sizeof (uint64_t)); + { + uint64_t + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, k1.n[0U], (uint64_t)2U, n2); + uint64_t c1; + if ((uint32_t)1U < len1) + { + uint32_t rLen = len1 - (uint32_t)1U; + uint64_t *a1 = k1.n + (uint32_t)1U; + uint64_t *res1 = n2 + (uint32_t)1U; + uint64_t c = c0; + { + uint32_t i; + for (i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint64_t t1 = a1[(uint32_t)4U * i]; + uint64_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i0); + { + uint64_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, (uint64_t)0U, res_i1); + { + uint64_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, (uint64_t)0U, res_i2); + { + uint64_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, (uint64_t)0U, res_i); + } + } + } + } + } + { + uint32_t i; + for (i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint64_t t1 = a1[i]; + uint64_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i); + } + } + { + uint64_t c10 = c; + c1 = c10; + } + } + else + { + c1 = c0; + } + Hacl_GenericField64_exp_vartime(k, aM, k1.len * (uint32_t)64U, n2, aInvM); + } + } +} + diff --git a/src/c89/Hacl_HKDF.c b/src/c89/Hacl_HKDF.c new file mode 100644 index 00000000..14a51288 --- /dev/null +++ b/src/c89/Hacl_HKDF.c 
@@ -0,0 +1,308 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_HKDF.h" + + + +void +Hacl_HKDF_expand_sha2_256( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)32U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + { + uint8_t text[tlen + infolen + (uint32_t)1U]; + memset(text, 0U, (tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + { + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + Hacl_HMAC_compute_sha2_256(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + Hacl_HMAC_compute_sha2_256(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + Hacl_HMAC_compute_sha2_256(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + Hacl_HMAC_compute_sha2_256(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + { + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } + } + } + } +} + +void +Hacl_HKDF_extract_sha2_256( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + Hacl_HMAC_compute_sha2_256(prk, salt, saltlen, ikm, ikmlen); +} + +void +Hacl_HKDF_expand_sha2_512( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)64U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + { + uint8_t text[tlen + infolen + (uint32_t)1U]; + memset(text, 0U, (tlen + infolen + (uint32_t)1U) * sizeof 
(uint8_t)); + { + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + Hacl_HMAC_compute_sha2_512(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + Hacl_HMAC_compute_sha2_512(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + Hacl_HMAC_compute_sha2_512(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + Hacl_HMAC_compute_sha2_512(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + { + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } + } + } + } +} + +void +Hacl_HKDF_extract_sha2_512( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + Hacl_HMAC_compute_sha2_512(prk, salt, saltlen, ikm, ikmlen); +} + +void +Hacl_HKDF_expand_blake2s_32( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)32U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + { + uint8_t text[tlen + infolen + (uint32_t)1U]; + memset(text, 0U, (tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + { + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + Hacl_HMAC_compute_blake2s_32(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + Hacl_HMAC_compute_blake2s_32(tag, prk, prklen, text, 
tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + Hacl_HMAC_compute_blake2s_32(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + Hacl_HMAC_compute_blake2s_32(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + { + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } + } + } + } +} + +void +Hacl_HKDF_extract_blake2s_32( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + Hacl_HMAC_compute_blake2s_32(prk, salt, saltlen, ikm, ikmlen); +} + +void +Hacl_HKDF_expand_blake2b_32( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)64U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + { + uint8_t text[tlen + infolen + (uint32_t)1U]; + memset(text, 0U, (tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + { + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + Hacl_HMAC_compute_blake2b_32(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + Hacl_HMAC_compute_blake2b_32(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + Hacl_HMAC_compute_blake2b_32(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + Hacl_HMAC_compute_blake2b_32(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + { + uint8_t *block = okm + n * tlen; + 
memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } + } + } + } +} + +void +Hacl_HKDF_extract_blake2b_32( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + Hacl_HMAC_compute_blake2b_32(prk, salt, saltlen, ikm, ikmlen); +} + diff --git a/src/c89/Hacl_HMAC.c b/src/c89/Hacl_HMAC.c new file mode 100644 index 00000000..e6b1b60c --- /dev/null +++ b/src/c89/Hacl_HMAC.c 
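Review bot: Hacl_HKDF_expand_sha2_256 writes the block counter as `ctr[0U] = (uint8_t)(i + (uint32_t)1U)`, so for `len` above 255 * tlen the counter byte wraps and later output blocks repeat earlier ones; the hunk has no check on `len` and no comment stating the RFC 5869 bound, and the same applies to the _sha2_512, _blake2s_32 and _blake2b_32 variants in this file. This looks like KaRaMeL-generated output, so the precondition is presumably discharged in the F* source and stated in the public header rather than here; if so, a one-line comment above each expand function, `/* Precondition (RFC 5869): len <= 255 * tlen; the one-byte counter wraps otherwise. */`, would keep C callers from assuming a runtime check that does not exist. A defensive early return would change the generated interface and belongs in the generator rather than in a hand edit of this file.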
@@ -0,0 +1,993 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_HMAC.h" + +#include "internal/Hacl_Hash_SHA2.h" +#include "internal/Hacl_Hash_SHA1.h" +#include "internal/Hacl_Hash_Blake2.h" + +void +Hacl_HMAC_legacy_compute_sha1( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)64U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t key_block[l]; + memset(key_block, 0U, l * sizeof (uint8_t)); + { + uint32_t i0; + if (key_len <= (uint32_t)64U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)20U; + } + { + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)64U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_SHA1_legacy_hash(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t ipad[l]; + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t opad[l]; + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + { + uint32_t scrut[5]; + uint32_t *s; + uint8_t *dst1; + uint8_t *hash1; + { + uint32_t i; + for (i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + } + scrut[0U] = (uint32_t)0x67452301U; + scrut[1U] = (uint32_t)0xefcdab89U; + scrut[2U] = (uint32_t)0x98badcfeU; + scrut[3U] = (uint32_t)0x10325476U; + scrut[4U] = (uint32_t)0xc3d2e1f0U; + s = scrut; + dst1 = ipad; + Hacl_Hash_Core_SHA1_legacy_init(s); + if (data_len == (uint32_t)0U) + { + Hacl_Hash_SHA1_legacy_update_last(s, (uint64_t)0U, ipad, (uint32_t)64U); + } + else + { + Hacl_Hash_SHA1_legacy_update_multi(s, ipad, (uint32_t)1U); + Hacl_Hash_SHA1_legacy_update_last(s, (uint64_t)(uint32_t)64U, data, data_len); + } + Hacl_Hash_Core_SHA1_legacy_finish(s, dst1); + hash1 = ipad; + Hacl_Hash_Core_SHA1_legacy_init(s); + if ((uint32_t)20U == (uint32_t)0U) + { + 
Hacl_Hash_SHA1_legacy_update_last(s, (uint64_t)0U, opad, (uint32_t)64U); + } + else + { + Hacl_Hash_SHA1_legacy_update_multi(s, opad, (uint32_t)1U); + Hacl_Hash_SHA1_legacy_update_last(s, (uint64_t)(uint32_t)64U, hash1, (uint32_t)20U); + } + Hacl_Hash_Core_SHA1_legacy_finish(s, dst); + } + } + } + } + } + } +} + +void +Hacl_HMAC_compute_sha2_256( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)64U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t key_block[l]; + memset(key_block, 0U, l * sizeof (uint8_t)); + { + uint32_t i0; + if (key_len <= (uint32_t)64U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)32U; + } + { + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)64U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_SHA2_hash_256(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t ipad[l]; + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t opad[l]; + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + { + uint32_t scrut[8]; + uint32_t *s; + uint8_t *dst1; + uint8_t *hash1; + { + uint32_t i; + for (i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + } + scrut[0U] = (uint32_t)0x6a09e667U; + scrut[1U] = (uint32_t)0xbb67ae85U; + scrut[2U] = (uint32_t)0x3c6ef372U; + scrut[3U] = (uint32_t)0xa54ff53aU; + scrut[4U] = (uint32_t)0x510e527fU; + scrut[5U] = (uint32_t)0x9b05688cU; + scrut[6U] = (uint32_t)0x1f83d9abU; + scrut[7U] = (uint32_t)0x5be0cd19U; + s = scrut; + dst1 = ipad; + Hacl_Hash_Core_SHA2_init_256(s); + if (data_len == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_256(s, (uint64_t)0U, ipad, (uint32_t)64U); + } + else + { + Hacl_Hash_SHA2_update_multi_256(s, 
ipad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_256(s, (uint64_t)(uint32_t)64U, data, data_len); + } + Hacl_Hash_Core_SHA2_finish_256(s, dst1); + hash1 = ipad; + Hacl_Hash_Core_SHA2_init_256(s); + if ((uint32_t)32U == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_256(s, (uint64_t)0U, opad, (uint32_t)64U); + } + else + { + Hacl_Hash_SHA2_update_multi_256(s, opad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_256(s, (uint64_t)(uint32_t)64U, hash1, (uint32_t)32U); + } + Hacl_Hash_Core_SHA2_finish_256(s, dst); + } + } + } + } + } + } +} + +void +Hacl_HMAC_compute_sha2_384( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)128U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t key_block[l]; + memset(key_block, 0U, l * sizeof (uint8_t)); + { + uint32_t i0; + if (key_len <= (uint32_t)128U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)48U; + } + { + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)128U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_SHA2_hash_384(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t ipad[l]; + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t opad[l]; + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + { + uint64_t scrut[8]; + uint64_t *s; + uint8_t *dst1; + uint8_t *hash1; + { + uint32_t i; + for (i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + } + scrut[0U] = (uint64_t)0xcbbb9d5dc1059ed8U; + scrut[1U] = (uint64_t)0x629a292a367cd507U; + scrut[2U] = (uint64_t)0x9159015a3070dd17U; + scrut[3U] = (uint64_t)0x152fecd8f70e5939U; + scrut[4U] = (uint64_t)0x67332667ffc00b31U; + scrut[5U] = (uint64_t)0x8eb44a8768581511U; + scrut[6U] = 
(uint64_t)0xdb0c2e0d64f98fa7U; + scrut[7U] = (uint64_t)0x47b5481dbefa4fa4U; + s = scrut; + dst1 = ipad; + Hacl_Hash_Core_SHA2_init_384(s); + if (data_len == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_384(s, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + ipad, + (uint32_t)128U); + } + else + { + Hacl_Hash_SHA2_update_multi_384(s, ipad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_384(s, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + data, + data_len); + } + Hacl_Hash_Core_SHA2_finish_384(s, dst1); + hash1 = ipad; + Hacl_Hash_Core_SHA2_init_384(s); + if ((uint32_t)48U == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_384(s, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + opad, + (uint32_t)128U); + } + else + { + Hacl_Hash_SHA2_update_multi_384(s, opad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_384(s, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + hash1, + (uint32_t)48U); + } + Hacl_Hash_Core_SHA2_finish_384(s, dst); + } + } + } + } + } + } +} + +void +Hacl_HMAC_compute_sha2_512( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)128U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t key_block[l]; + memset(key_block, 0U, l * sizeof (uint8_t)); + { + uint32_t i0; + if (key_len <= (uint32_t)128U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)64U; + } + { + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)128U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_SHA2_hash_512(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t ipad[l]; + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t opad[l]; + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + { + uint64_t scrut[8]; + uint64_t *s; + uint8_t 
*dst1; + uint8_t *hash1; + { + uint32_t i; + for (i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + } + scrut[0U] = (uint64_t)0x6a09e667f3bcc908U; + scrut[1U] = (uint64_t)0xbb67ae8584caa73bU; + scrut[2U] = (uint64_t)0x3c6ef372fe94f82bU; + scrut[3U] = (uint64_t)0xa54ff53a5f1d36f1U; + scrut[4U] = (uint64_t)0x510e527fade682d1U; + scrut[5U] = (uint64_t)0x9b05688c2b3e6c1fU; + scrut[6U] = (uint64_t)0x1f83d9abfb41bd6bU; + scrut[7U] = (uint64_t)0x5be0cd19137e2179U; + s = scrut; + dst1 = ipad; + Hacl_Hash_Core_SHA2_init_512(s); + if (data_len == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_512(s, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + ipad, + (uint32_t)128U); + } + else + { + Hacl_Hash_SHA2_update_multi_512(s, ipad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_512(s, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + data, + data_len); + } + Hacl_Hash_Core_SHA2_finish_512(s, dst1); + hash1 = ipad; + Hacl_Hash_Core_SHA2_init_512(s); + if ((uint32_t)64U == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_512(s, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + opad, + (uint32_t)128U); + } + else + { + Hacl_Hash_SHA2_update_multi_512(s, opad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_512(s, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + hash1, + (uint32_t)64U); + } + Hacl_Hash_Core_SHA2_finish_512(s, dst); + } + } + } + } + } + } +} + +void +Hacl_HMAC_compute_blake2s_32( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)64U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t key_block[l]; + memset(key_block, 0U, l * sizeof (uint8_t)); + { + uint32_t i0; + if (key_len <= (uint32_t)64U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)32U; + } + { + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)64U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + 
Hacl_Hash_Blake2_hash_blake2s_32(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t ipad[l]; + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t opad[l]; + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + } + { + uint32_t s0[16U] = { 0U }; + uint32_t *r00 = s0 + (uint32_t)0U * (uint32_t)4U; + uint32_t *r10 = s0 + (uint32_t)1U * (uint32_t)4U; + uint32_t *r20 = s0 + (uint32_t)2U * (uint32_t)4U; + uint32_t *r30 = s0 + (uint32_t)3U * (uint32_t)4U; + uint32_t iv00 = Hacl_Impl_Blake2_Constants_ivTable_S[0U]; + uint32_t iv10 = Hacl_Impl_Blake2_Constants_ivTable_S[1U]; + uint32_t iv20 = Hacl_Impl_Blake2_Constants_ivTable_S[2U]; + uint32_t iv30 = Hacl_Impl_Blake2_Constants_ivTable_S[3U]; + uint32_t iv40 = Hacl_Impl_Blake2_Constants_ivTable_S[4U]; + uint32_t iv50 = Hacl_Impl_Blake2_Constants_ivTable_S[5U]; + uint32_t iv60 = Hacl_Impl_Blake2_Constants_ivTable_S[6U]; + uint32_t iv70 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; + uint32_t kk_shift_80; + uint32_t iv0_; + uint64_t es; + r20[0U] = iv00; + r20[1U] = iv10; + r20[2U] = iv20; + r20[3U] = iv30; + r30[0U] = iv40; + r30[1U] = iv50; + r30[2U] = iv60; + r30[3U] = iv70; + kk_shift_80 = (uint32_t)0U; + iv0_ = iv00 ^ ((uint32_t)0x01010000U ^ (kk_shift_80 ^ (uint32_t)32U)); + r00[0U] = iv0_; + r00[1U] = iv10; + r00[2U] = iv20; + r00[3U] = iv30; + r10[0U] = iv40; + r10[1U] = iv50; + r10[2U] = iv60; + r10[3U] = iv70; + es = (uint64_t)0U; + { + K____uint32_t__uint64_t scrut; + uint32_t *s; + uint8_t *dst1; + uint32_t *r01; + uint32_t *r11; + uint32_t *r21; + uint32_t *r31; + uint32_t iv01; + uint32_t iv11; + uint32_t iv21; + uint32_t iv31; + uint32_t iv41; + uint32_t 
iv51; + uint32_t iv61; + uint32_t iv71; + uint32_t kk_shift_81; + uint32_t iv0_0; + uint64_t ev0; + uint64_t ev10; + uint8_t *hash1; + uint32_t *r0; + uint32_t *r1; + uint32_t *r2; + uint32_t *r3; + uint32_t iv0; + uint32_t iv1; + uint32_t iv2; + uint32_t iv3; + uint32_t iv4; + uint32_t iv5; + uint32_t iv6; + uint32_t iv7; + uint32_t kk_shift_8; + uint32_t iv0_1; + uint64_t ev; + uint64_t ev11; + scrut.fst = s0; + scrut.snd = es; + s = scrut.fst; + dst1 = ipad; + r01 = s + (uint32_t)0U * (uint32_t)4U; + r11 = s + (uint32_t)1U * (uint32_t)4U; + r21 = s + (uint32_t)2U * (uint32_t)4U; + r31 = s + (uint32_t)3U * (uint32_t)4U; + iv01 = Hacl_Impl_Blake2_Constants_ivTable_S[0U]; + iv11 = Hacl_Impl_Blake2_Constants_ivTable_S[1U]; + iv21 = Hacl_Impl_Blake2_Constants_ivTable_S[2U]; + iv31 = Hacl_Impl_Blake2_Constants_ivTable_S[3U]; + iv41 = Hacl_Impl_Blake2_Constants_ivTable_S[4U]; + iv51 = Hacl_Impl_Blake2_Constants_ivTable_S[5U]; + iv61 = Hacl_Impl_Blake2_Constants_ivTable_S[6U]; + iv71 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; + r21[0U] = iv01; + r21[1U] = iv11; + r21[2U] = iv21; + r21[3U] = iv31; + r31[0U] = iv41; + r31[1U] = iv51; + r31[2U] = iv61; + r31[3U] = iv71; + kk_shift_81 = (uint32_t)0U; + iv0_0 = iv01 ^ ((uint32_t)0x01010000U ^ (kk_shift_81 ^ (uint32_t)32U)); + r01[0U] = iv0_0; + r01[1U] = iv11; + r01[2U] = iv21; + r01[3U] = iv31; + r11[0U] = iv41; + r11[1U] = iv51; + r11[2U] = iv61; + r11[3U] = iv71; + ev0 = (uint64_t)0U; + if (data_len == (uint32_t)0U) + { + uint64_t + ev1 = + Hacl_Hash_Blake2_update_last_blake2s_32(s, + ev0, + (uint64_t)0U, + ipad, + (uint32_t)64U); + ev10 = ev1; + } + else + { + uint64_t + ev1 = Hacl_Hash_Blake2_update_multi_blake2s_32(s, ev0, ipad, (uint32_t)1U); + uint64_t + ev2 = + Hacl_Hash_Blake2_update_last_blake2s_32(s, + ev1, + (uint64_t)(uint32_t)64U, + data, + data_len); + ev10 = ev2; + } + Hacl_Hash_Core_Blake2_finish_blake2s_32(s, ev10, dst1); + hash1 = ipad; + r0 = s + (uint32_t)0U * (uint32_t)4U; + r1 = s + (uint32_t)1U * 
(uint32_t)4U; + r2 = s + (uint32_t)2U * (uint32_t)4U; + r3 = s + (uint32_t)3U * (uint32_t)4U; + iv0 = Hacl_Impl_Blake2_Constants_ivTable_S[0U]; + iv1 = Hacl_Impl_Blake2_Constants_ivTable_S[1U]; + iv2 = Hacl_Impl_Blake2_Constants_ivTable_S[2U]; + iv3 = Hacl_Impl_Blake2_Constants_ivTable_S[3U]; + iv4 = Hacl_Impl_Blake2_Constants_ivTable_S[4U]; + iv5 = Hacl_Impl_Blake2_Constants_ivTable_S[5U]; + iv6 = Hacl_Impl_Blake2_Constants_ivTable_S[6U]; + iv7 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + kk_shift_8 = (uint32_t)0U; + iv0_1 = iv0 ^ ((uint32_t)0x01010000U ^ (kk_shift_8 ^ (uint32_t)32U)); + r0[0U] = iv0_1; + r0[1U] = iv1; + r0[2U] = iv2; + r0[3U] = iv3; + r1[0U] = iv4; + r1[1U] = iv5; + r1[2U] = iv6; + r1[3U] = iv7; + ev = (uint64_t)0U; + if ((uint32_t)32U == (uint32_t)0U) + { + uint64_t + ev1 = + Hacl_Hash_Blake2_update_last_blake2s_32(s, + ev, + (uint64_t)0U, + opad, + (uint32_t)64U); + ev11 = ev1; + } + else + { + uint64_t + ev1 = Hacl_Hash_Blake2_update_multi_blake2s_32(s, ev, opad, (uint32_t)1U); + uint64_t + ev2 = + Hacl_Hash_Blake2_update_last_blake2s_32(s, + ev1, + (uint64_t)(uint32_t)64U, + hash1, + (uint32_t)32U); + ev11 = ev2; + } + Hacl_Hash_Core_Blake2_finish_blake2s_32(s, ev11, dst); + } + } + } + } + } + } + } +} + +void +Hacl_HMAC_compute_blake2b_32( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)128U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t key_block[l]; + memset(key_block, 0U, l * sizeof (uint8_t)); + { + uint32_t i0; + if (key_len <= (uint32_t)128U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)64U; + } + { + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)128U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_Blake2_hash_blake2b_32(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), 
l); + { + uint8_t ipad[l]; + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + { + uint8_t opad[l]; + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + } + { + uint64_t s0[16U] = { 0U }; + uint64_t *r00 = s0 + (uint32_t)0U * (uint32_t)4U; + uint64_t *r10 = s0 + (uint32_t)1U * (uint32_t)4U; + uint64_t *r20 = s0 + (uint32_t)2U * (uint32_t)4U; + uint64_t *r30 = s0 + (uint32_t)3U * (uint32_t)4U; + uint64_t iv00 = Hacl_Impl_Blake2_Constants_ivTable_B[0U]; + uint64_t iv10 = Hacl_Impl_Blake2_Constants_ivTable_B[1U]; + uint64_t iv20 = Hacl_Impl_Blake2_Constants_ivTable_B[2U]; + uint64_t iv30 = Hacl_Impl_Blake2_Constants_ivTable_B[3U]; + uint64_t iv40 = Hacl_Impl_Blake2_Constants_ivTable_B[4U]; + uint64_t iv50 = Hacl_Impl_Blake2_Constants_ivTable_B[5U]; + uint64_t iv60 = Hacl_Impl_Blake2_Constants_ivTable_B[6U]; + uint64_t iv70 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; + uint64_t kk_shift_80; + uint64_t iv0_; + FStar_UInt128_uint128 es; + r20[0U] = iv00; + r20[1U] = iv10; + r20[2U] = iv20; + r20[3U] = iv30; + r30[0U] = iv40; + r30[1U] = iv50; + r30[2U] = iv60; + r30[3U] = iv70; + kk_shift_80 = (uint64_t)(uint32_t)0U << (uint32_t)8U; + iv0_ = iv00 ^ ((uint64_t)0x01010000U ^ (kk_shift_80 ^ (uint64_t)(uint32_t)64U)); + r00[0U] = iv0_; + r00[1U] = iv10; + r00[2U] = iv20; + r00[3U] = iv30; + r10[0U] = iv40; + r10[1U] = iv50; + r10[2U] = iv60; + r10[3U] = iv70; + es = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + { + K____uint64_t__FStar_UInt128_uint128 scrut; + uint64_t *s; + uint8_t *dst1; + uint64_t *r01; + uint64_t *r11; + uint64_t *r21; + uint64_t *r31; + uint64_t iv01; + uint64_t iv11; + uint64_t iv21; + uint64_t iv31; + uint64_t iv41; + uint64_t 
iv51; + uint64_t iv61; + uint64_t iv71; + uint64_t kk_shift_81; + uint64_t iv0_0; + FStar_UInt128_uint128 ev0; + FStar_UInt128_uint128 ev10; + uint8_t *hash1; + uint64_t *r0; + uint64_t *r1; + uint64_t *r2; + uint64_t *r3; + uint64_t iv0; + uint64_t iv1; + uint64_t iv2; + uint64_t iv3; + uint64_t iv4; + uint64_t iv5; + uint64_t iv6; + uint64_t iv7; + uint64_t kk_shift_8; + uint64_t iv0_1; + FStar_UInt128_uint128 ev; + FStar_UInt128_uint128 ev11; + scrut.fst = s0; + scrut.snd = es; + s = scrut.fst; + dst1 = ipad; + r01 = s + (uint32_t)0U * (uint32_t)4U; + r11 = s + (uint32_t)1U * (uint32_t)4U; + r21 = s + (uint32_t)2U * (uint32_t)4U; + r31 = s + (uint32_t)3U * (uint32_t)4U; + iv01 = Hacl_Impl_Blake2_Constants_ivTable_B[0U]; + iv11 = Hacl_Impl_Blake2_Constants_ivTable_B[1U]; + iv21 = Hacl_Impl_Blake2_Constants_ivTable_B[2U]; + iv31 = Hacl_Impl_Blake2_Constants_ivTable_B[3U]; + iv41 = Hacl_Impl_Blake2_Constants_ivTable_B[4U]; + iv51 = Hacl_Impl_Blake2_Constants_ivTable_B[5U]; + iv61 = Hacl_Impl_Blake2_Constants_ivTable_B[6U]; + iv71 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; + r21[0U] = iv01; + r21[1U] = iv11; + r21[2U] = iv21; + r21[3U] = iv31; + r31[0U] = iv41; + r31[1U] = iv51; + r31[2U] = iv61; + r31[3U] = iv71; + kk_shift_81 = (uint64_t)(uint32_t)0U << (uint32_t)8U; + iv0_0 = iv01 ^ ((uint64_t)0x01010000U ^ (kk_shift_81 ^ (uint64_t)(uint32_t)64U)); + r01[0U] = iv0_0; + r01[1U] = iv11; + r01[2U] = iv21; + r01[3U] = iv31; + r11[0U] = iv41; + r11[1U] = iv51; + r11[2U] = iv61; + r11[3U] = iv71; + ev0 = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + if (data_len == (uint32_t)0U) + { + FStar_UInt128_uint128 + ev1 = + Hacl_Hash_Blake2_update_last_blake2b_32(s, + ev0, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + ipad, + (uint32_t)128U); + ev10 = ev1; + } + else + { + FStar_UInt128_uint128 + ev1 = Hacl_Hash_Blake2_update_multi_blake2b_32(s, ev0, ipad, (uint32_t)1U); + FStar_UInt128_uint128 + ev2 = + Hacl_Hash_Blake2_update_last_blake2b_32(s, + ev1, + 
FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + data, + data_len); + ev10 = ev2; + } + Hacl_Hash_Core_Blake2_finish_blake2b_32(s, ev10, dst1); + hash1 = ipad; + r0 = s + (uint32_t)0U * (uint32_t)4U; + r1 = s + (uint32_t)1U * (uint32_t)4U; + r2 = s + (uint32_t)2U * (uint32_t)4U; + r3 = s + (uint32_t)3U * (uint32_t)4U; + iv0 = Hacl_Impl_Blake2_Constants_ivTable_B[0U]; + iv1 = Hacl_Impl_Blake2_Constants_ivTable_B[1U]; + iv2 = Hacl_Impl_Blake2_Constants_ivTable_B[2U]; + iv3 = Hacl_Impl_Blake2_Constants_ivTable_B[3U]; + iv4 = Hacl_Impl_Blake2_Constants_ivTable_B[4U]; + iv5 = Hacl_Impl_Blake2_Constants_ivTable_B[5U]; + iv6 = Hacl_Impl_Blake2_Constants_ivTable_B[6U]; + iv7 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + kk_shift_8 = (uint64_t)(uint32_t)0U << (uint32_t)8U; + iv0_1 = iv0 ^ ((uint64_t)0x01010000U ^ (kk_shift_8 ^ (uint64_t)(uint32_t)64U)); + r0[0U] = iv0_1; + r0[1U] = iv1; + r0[2U] = iv2; + r0[3U] = iv3; + r1[0U] = iv4; + r1[1U] = iv5; + r1[2U] = iv6; + r1[3U] = iv7; + ev = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + if ((uint32_t)64U == (uint32_t)0U) + { + FStar_UInt128_uint128 + ev1 = + Hacl_Hash_Blake2_update_last_blake2b_32(s, + ev, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + opad, + (uint32_t)128U); + ev11 = ev1; + } + else + { + FStar_UInt128_uint128 + ev1 = Hacl_Hash_Blake2_update_multi_blake2b_32(s, ev, opad, (uint32_t)1U); + FStar_UInt128_uint128 + ev2 = + Hacl_Hash_Blake2_update_last_blake2b_32(s, + ev1, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + hash1, + (uint32_t)64U); + ev11 = ev2; + } + Hacl_Hash_Core_Blake2_finish_blake2b_32(s, ev11, dst); + } + } + } + } + } + } + } +} + diff --git a/src/c89/Hacl_HMAC_DRBG.c b/src/c89/Hacl_HMAC_DRBG.c new file mode 100644 index 00000000..20803788 --- /dev/null +++ b/src/c89/Hacl_HMAC_DRBG.c 
@@ -0,0 +1,1337 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_HMAC_DRBG.h" + + + +uint32_t Hacl_HMAC_DRBG_reseed_interval = (uint32_t)1024U; + +uint32_t Hacl_HMAC_DRBG_max_output_length = (uint32_t)65536U; + +uint32_t Hacl_HMAC_DRBG_max_length = (uint32_t)65536U; + +uint32_t Hacl_HMAC_DRBG_max_personalization_string_length = (uint32_t)65536U; + +uint32_t Hacl_HMAC_DRBG_max_additional_input_length = (uint32_t)65536U; + +uint32_t Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + return (uint32_t)16U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_SHA2_384: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return (uint32_t)32U; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +bool +Hacl_HMAC_DRBG_uu___is_State(Spec_Hash_Definitions_hash_alg a, Hacl_HMAC_DRBG_state projectee) +{ + return true; +} + +Hacl_HMAC_DRBG_state Hacl_HMAC_DRBG_create_in(Spec_Hash_Definitions_hash_alg a) +{ + uint8_t *k; + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC((uint32_t)20U, sizeof (uint8_t)); + k = buf; + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC((uint32_t)32U, sizeof (uint8_t)); + k = buf; + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC((uint32_t)48U, sizeof (uint8_t)); + k = buf; + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); + k = buf; + break; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + { + uint8_t *v; + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC((uint32_t)20U, sizeof (uint8_t)); + v = buf; + 
break; + } + case Spec_Hash_Definitions_SHA2_256: + { + uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC((uint32_t)32U, sizeof (uint8_t)); + v = buf; + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC((uint32_t)48U, sizeof (uint8_t)); + v = buf; + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); + v = buf; + break; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + { + uint32_t *ctr = (uint32_t *)KRML_HOST_MALLOC(sizeof (uint32_t)); + ctr[0U] = (uint32_t)1U; + { + Hacl_HMAC_DRBG_state lit; + lit.k = k; + lit.v = v; + lit.reseed_counter = ctr; + return lit; + } + } + } +} + +void +Hacl_HMAC_DRBG_instantiate( + Spec_Hash_Definitions_hash_alg a, + Hacl_HMAC_DRBG_state st, + uint32_t entropy_input_len, + uint8_t *entropy_input, + uint32_t nonce_len, + uint8_t *nonce, + uint32_t personalization_string_len, + uint8_t *personalization_string +) +{ + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + KRML_CHECK_SIZE(sizeof (uint8_t), + entropy_input_len + nonce_len + personalization_string_len); + { + uint8_t seed_material[entropy_input_len + nonce_len + personalization_string_len]; + memset(seed_material, + 0U, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + { + uint8_t *k; + uint8_t *v; + uint32_t *ctr; + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, nonce, nonce_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len + nonce_len, + personalization_string, + personalization_string_len * sizeof (uint8_t)); + k = st.k; + v = st.v; + ctr = st.reseed_counter; + memset(k, 0U, (uint32_t)20U * sizeof (uint8_t)); + memset(v, (uint8_t)1U, (uint32_t)20U * sizeof (uint8_t)); + ctr[0U] = (uint32_t)1U; + { + uint32_t + input_len = (uint32_t)21U + 
entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)21U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) + * sizeof (uint8_t)); + } + input0[20U] = (uint8_t)0U; + Hacl_HMAC_legacy_compute_sha1(k_, k, (uint32_t)20U, input0, input_len); + Hacl_HMAC_legacy_compute_sha1(v, k_, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + uint32_t + input_len0 = + (uint32_t)21U + + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)20U * sizeof (uint8_t)); + if + (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)21U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) + * sizeof (uint8_t)); + } + input[20U] = (uint8_t)1U; + Hacl_HMAC_legacy_compute_sha1(k_0, k, (uint32_t)20U, input, input_len0); + Hacl_HMAC_legacy_compute_sha1(v, k_0, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_0, (uint32_t)20U * sizeof (uint8_t)); + } + } + } + } + } + } + } + } + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + KRML_CHECK_SIZE(sizeof (uint8_t), + entropy_input_len + nonce_len + personalization_string_len); + { + uint8_t seed_material[entropy_input_len + nonce_len + personalization_string_len]; + memset(seed_material, + 0U, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + { + uint8_t *k; + 
uint8_t *v; + uint32_t *ctr; + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, nonce, nonce_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len + nonce_len, + personalization_string, + personalization_string_len * sizeof (uint8_t)); + k = st.k; + v = st.v; + ctr = st.reseed_counter; + memset(k, 0U, (uint32_t)32U * sizeof (uint8_t)); + memset(v, (uint8_t)1U, (uint32_t)32U * sizeof (uint8_t)); + ctr[0U] = (uint32_t)1U; + { + uint32_t + input_len = (uint32_t)33U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)33U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) + * sizeof (uint8_t)); + } + input0[32U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_256(k_, k, (uint32_t)32U, input0, input_len); + Hacl_HMAC_compute_sha2_256(v, k_, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + uint32_t + input_len0 = + (uint32_t)33U + + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)32U * sizeof (uint8_t)); + if + (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)33U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) + * sizeof (uint8_t)); + } + input[32U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_256(k_0, k, (uint32_t)32U, input, 
input_len0); + Hacl_HMAC_compute_sha2_256(v, k_0, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_0, (uint32_t)32U * sizeof (uint8_t)); + } + } + } + } + } + } + } + } + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + KRML_CHECK_SIZE(sizeof (uint8_t), + entropy_input_len + nonce_len + personalization_string_len); + { + uint8_t seed_material[entropy_input_len + nonce_len + personalization_string_len]; + memset(seed_material, + 0U, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + { + uint8_t *k; + uint8_t *v; + uint32_t *ctr; + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, nonce, nonce_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len + nonce_len, + personalization_string, + personalization_string_len * sizeof (uint8_t)); + k = st.k; + v = st.v; + ctr = st.reseed_counter; + memset(k, 0U, (uint32_t)48U * sizeof (uint8_t)); + memset(v, (uint8_t)1U, (uint32_t)48U * sizeof (uint8_t)); + ctr[0U] = (uint32_t)1U; + { + uint32_t + input_len = (uint32_t)49U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)49U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) + * sizeof (uint8_t)); + } + input0[48U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_384(k_, k, (uint32_t)48U, input0, input_len); + Hacl_HMAC_compute_sha2_384(v, k_, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + uint32_t + input_len0 = + (uint32_t)49U + + entropy_input_len + nonce_len + 
personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)48U * sizeof (uint8_t)); + if + (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)49U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) + * sizeof (uint8_t)); + } + input[48U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_384(k_0, k, (uint32_t)48U, input, input_len0); + Hacl_HMAC_compute_sha2_384(v, k_0, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_0, (uint32_t)48U * sizeof (uint8_t)); + } + } + } + } + } + } + } + } + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + KRML_CHECK_SIZE(sizeof (uint8_t), + entropy_input_len + nonce_len + personalization_string_len); + { + uint8_t seed_material[entropy_input_len + nonce_len + personalization_string_len]; + memset(seed_material, + 0U, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + { + uint8_t *k; + uint8_t *v; + uint32_t *ctr; + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, nonce, nonce_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len + nonce_len, + personalization_string, + personalization_string_len * sizeof (uint8_t)); + k = st.k; + v = st.v; + ctr = st.reseed_counter; + memset(k, 0U, (uint32_t)64U * sizeof (uint8_t)); + memset(v, (uint8_t)1U, (uint32_t)64U * sizeof (uint8_t)); + ctr[0U] = (uint32_t)1U; + { + uint32_t + input_len = (uint32_t)65U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != 
(uint32_t)0U) + { + memcpy(input0 + (uint32_t)65U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) + * sizeof (uint8_t)); + } + input0[64U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_512(k_, k, (uint32_t)64U, input0, input_len); + Hacl_HMAC_compute_sha2_512(v, k_, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + uint32_t + input_len0 = + (uint32_t)65U + + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)64U * sizeof (uint8_t)); + if + (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)65U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) + * sizeof (uint8_t)); + } + input[64U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_512(k_0, k, (uint32_t)64U, input, input_len0); + Hacl_HMAC_compute_sha2_512(v, k_0, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_0, (uint32_t)64U * sizeof (uint8_t)); + } + } + } + } + } + } + } + } + break; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +void +Hacl_HMAC_DRBG_reseed( + Spec_Hash_Definitions_hash_alg a, + Hacl_HMAC_DRBG_state st, + uint32_t entropy_input_len, + uint8_t *entropy_input, + uint32_t additional_input_input_len, + uint8_t *additional_input_input +) +{ + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + additional_input_input_len); + { + uint8_t seed_material[entropy_input_len + additional_input_input_len]; + memset(seed_material, + 0U, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + { + Hacl_HMAC_DRBG_state uu____0; + 
uint8_t *k; + uint8_t *v; + uint32_t *ctr; + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, + additional_input_input, + additional_input_input_len * sizeof (uint8_t)); + uu____0 = st; + k = uu____0.k; + v = uu____0.v; + ctr = uu____0.reseed_counter; + { + uint32_t input_len = (uint32_t)21U + entropy_input_len + additional_input_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)21U, + seed_material, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + } + input0[20U] = (uint8_t)0U; + Hacl_HMAC_legacy_compute_sha1(k_, k, (uint32_t)20U, input0, input_len); + Hacl_HMAC_legacy_compute_sha1(v, k_, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)21U + entropy_input_len + additional_input_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)21U, + seed_material, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + } + input[20U] = (uint8_t)1U; + Hacl_HMAC_legacy_compute_sha1(k_0, k, (uint32_t)20U, input, input_len0); + Hacl_HMAC_legacy_compute_sha1(v, k_0, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_0, (uint32_t)20U * sizeof (uint8_t)); + } + } + } + ctr[0U] = (uint32_t)1U; + } + } + } + } + } + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + KRML_CHECK_SIZE(sizeof 
(uint8_t), entropy_input_len + additional_input_input_len); + { + uint8_t seed_material[entropy_input_len + additional_input_input_len]; + memset(seed_material, + 0U, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + { + Hacl_HMAC_DRBG_state uu____1; + uint8_t *k; + uint8_t *v; + uint32_t *ctr; + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, + additional_input_input, + additional_input_input_len * sizeof (uint8_t)); + uu____1 = st; + k = uu____1.k; + v = uu____1.v; + ctr = uu____1.reseed_counter; + { + uint32_t input_len = (uint32_t)33U + entropy_input_len + additional_input_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)33U, + seed_material, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + } + input0[32U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_256(k_, k, (uint32_t)32U, input0, input_len); + Hacl_HMAC_compute_sha2_256(v, k_, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)33U + entropy_input_len + additional_input_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)33U, + seed_material, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + } + input[32U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_256(k_0, k, (uint32_t)32U, input, 
input_len0); + Hacl_HMAC_compute_sha2_256(v, k_0, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_0, (uint32_t)32U * sizeof (uint8_t)); + } + } + } + ctr[0U] = (uint32_t)1U; + } + } + } + } + } + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + additional_input_input_len); + { + uint8_t seed_material[entropy_input_len + additional_input_input_len]; + memset(seed_material, + 0U, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + { + Hacl_HMAC_DRBG_state uu____2; + uint8_t *k; + uint8_t *v; + uint32_t *ctr; + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, + additional_input_input, + additional_input_input_len * sizeof (uint8_t)); + uu____2 = st; + k = uu____2.k; + v = uu____2.v; + ctr = uu____2.reseed_counter; + { + uint32_t input_len = (uint32_t)49U + entropy_input_len + additional_input_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)49U, + seed_material, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + } + input0[48U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_384(k_, k, (uint32_t)48U, input0, input_len); + Hacl_HMAC_compute_sha2_384(v, k_, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)49U + entropy_input_len + additional_input_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)48U * sizeof (uint8_t)); + if 
(entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)49U, + seed_material, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + } + input[48U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_384(k_0, k, (uint32_t)48U, input, input_len0); + Hacl_HMAC_compute_sha2_384(v, k_0, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_0, (uint32_t)48U * sizeof (uint8_t)); + } + } + } + ctr[0U] = (uint32_t)1U; + } + } + } + } + } + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + additional_input_input_len); + { + uint8_t seed_material[entropy_input_len + additional_input_input_len]; + memset(seed_material, + 0U, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + { + Hacl_HMAC_DRBG_state uu____3; + uint8_t *k; + uint8_t *v; + uint32_t *ctr; + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, + additional_input_input, + additional_input_input_len * sizeof (uint8_t)); + uu____3 = st; + k = uu____3.k; + v = uu____3.v; + ctr = uu____3.reseed_counter; + { + uint32_t input_len = (uint32_t)65U + entropy_input_len + additional_input_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)65U, + seed_material, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + } + input0[64U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_512(k_, k, (uint32_t)64U, input0, input_len); + Hacl_HMAC_compute_sha2_512(v, k_, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)65U + 
entropy_input_len + additional_input_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)65U, + seed_material, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + } + input[64U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_512(k_0, k, (uint32_t)64U, input, input_len0); + Hacl_HMAC_compute_sha2_512(v, k_0, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_0, (uint32_t)64U * sizeof (uint8_t)); + } + } + } + ctr[0U] = (uint32_t)1U; + } + } + } + } + } + break; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +bool +Hacl_HMAC_DRBG_generate( + Spec_Hash_Definitions_hash_alg a, + uint8_t *output, + Hacl_HMAC_DRBG_state st, + uint32_t n, + uint32_t additional_input_len, + uint8_t *additional_input +) +{ + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + if (st.reseed_counter[0U] > Hacl_HMAC_DRBG_reseed_interval) + { + return false; + } + { + uint8_t *k = st.k; + uint8_t *v = st.v; + uint32_t *ctr = st.reseed_counter; + if (additional_input_len > (uint32_t)0U) + { + uint32_t input_len = (uint32_t)21U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)21U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input0[20U] = (uint8_t)0U; + Hacl_HMAC_legacy_compute_sha1(k_, k, (uint32_t)20U, input0, input_len); + Hacl_HMAC_legacy_compute_sha1(v, k_, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_, (uint32_t)20U * sizeof 
(uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)21U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)21U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[20U] = (uint8_t)1U; + Hacl_HMAC_legacy_compute_sha1(k_0, k, (uint32_t)20U, input, input_len0); + Hacl_HMAC_legacy_compute_sha1(v, k_0, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_0, (uint32_t)20U * sizeof (uint8_t)); + } + } + } + } + } + } + { + uint8_t *output1 = output; + uint32_t max = n / (uint32_t)20U; + uint8_t *out = output1; + { + uint32_t i; + for (i = (uint32_t)0U; i < max; i++) + { + Hacl_HMAC_legacy_compute_sha1(v, k, (uint32_t)20U, v, (uint32_t)20U); + memcpy(out + i * (uint32_t)20U, v, (uint32_t)20U * sizeof (uint8_t)); + } + } + if (max * (uint32_t)20U < n) + { + uint8_t *block = output1 + max * (uint32_t)20U; + Hacl_HMAC_legacy_compute_sha1(v, k, (uint32_t)20U, v, (uint32_t)20U); + memcpy(block, v, (n - max * (uint32_t)20U) * sizeof (uint8_t)); + } + { + uint32_t input_len = (uint32_t)21U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)21U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input0[20U] = (uint8_t)0U; + Hacl_HMAC_legacy_compute_sha1(k_, k, (uint32_t)20U, input0, input_len); + Hacl_HMAC_legacy_compute_sha1(v, k_, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = 
(uint32_t)21U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)21U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[20U] = (uint8_t)1U; + Hacl_HMAC_legacy_compute_sha1(k_0, k, (uint32_t)20U, input, input_len0); + Hacl_HMAC_legacy_compute_sha1(v, k_0, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_0, (uint32_t)20U * sizeof (uint8_t)); + } + } + } + { + uint32_t old_ctr = ctr[0U]; + ctr[0U] = old_ctr + (uint32_t)1U; + return true; + } + } + } + } + } + } + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + if (st.reseed_counter[0U] > Hacl_HMAC_DRBG_reseed_interval) + { + return false; + } + { + uint8_t *k = st.k; + uint8_t *v = st.v; + uint32_t *ctr = st.reseed_counter; + if (additional_input_len > (uint32_t)0U) + { + uint32_t input_len = (uint32_t)33U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)33U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input0[32U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_256(k_, k, (uint32_t)32U, input0, input_len); + Hacl_HMAC_compute_sha2_256(v, k_, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)33U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)32U * sizeof (uint8_t)); + if 
(additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)33U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[32U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_256(k_0, k, (uint32_t)32U, input, input_len0); + Hacl_HMAC_compute_sha2_256(v, k_0, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_0, (uint32_t)32U * sizeof (uint8_t)); + } + } + } + } + } + } + { + uint8_t *output1 = output; + uint32_t max = n / (uint32_t)32U; + uint8_t *out = output1; + { + uint32_t i; + for (i = (uint32_t)0U; i < max; i++) + { + Hacl_HMAC_compute_sha2_256(v, k, (uint32_t)32U, v, (uint32_t)32U); + memcpy(out + i * (uint32_t)32U, v, (uint32_t)32U * sizeof (uint8_t)); + } + } + if (max * (uint32_t)32U < n) + { + uint8_t *block = output1 + max * (uint32_t)32U; + Hacl_HMAC_compute_sha2_256(v, k, (uint32_t)32U, v, (uint32_t)32U); + memcpy(block, v, (n - max * (uint32_t)32U) * sizeof (uint8_t)); + } + { + uint32_t input_len = (uint32_t)33U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)33U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input0[32U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_256(k_, k, (uint32_t)32U, input0, input_len); + Hacl_HMAC_compute_sha2_256(v, k_, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)33U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)33U, + additional_input, + 
additional_input_len * sizeof (uint8_t)); + } + input[32U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_256(k_0, k, (uint32_t)32U, input, input_len0); + Hacl_HMAC_compute_sha2_256(v, k_0, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_0, (uint32_t)32U * sizeof (uint8_t)); + } + } + } + { + uint32_t old_ctr = ctr[0U]; + ctr[0U] = old_ctr + (uint32_t)1U; + return true; + } + } + } + } + } + } + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + if (st.reseed_counter[0U] > Hacl_HMAC_DRBG_reseed_interval) + { + return false; + } + { + uint8_t *k = st.k; + uint8_t *v = st.v; + uint32_t *ctr = st.reseed_counter; + if (additional_input_len > (uint32_t)0U) + { + uint32_t input_len = (uint32_t)49U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)49U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input0[48U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_384(k_, k, (uint32_t)48U, input0, input_len); + Hacl_HMAC_compute_sha2_384(v, k_, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)49U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)49U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[48U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_384(k_0, k, (uint32_t)48U, input, input_len0); + Hacl_HMAC_compute_sha2_384(v, k_0, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_0, (uint32_t)48U * sizeof (uint8_t)); 
+ } + } + } + } + } + } + { + uint8_t *output1 = output; + uint32_t max = n / (uint32_t)48U; + uint8_t *out = output1; + { + uint32_t i; + for (i = (uint32_t)0U; i < max; i++) + { + Hacl_HMAC_compute_sha2_384(v, k, (uint32_t)48U, v, (uint32_t)48U); + memcpy(out + i * (uint32_t)48U, v, (uint32_t)48U * sizeof (uint8_t)); + } + } + if (max * (uint32_t)48U < n) + { + uint8_t *block = output1 + max * (uint32_t)48U; + Hacl_HMAC_compute_sha2_384(v, k, (uint32_t)48U, v, (uint32_t)48U); + memcpy(block, v, (n - max * (uint32_t)48U) * sizeof (uint8_t)); + } + { + uint32_t input_len = (uint32_t)49U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)49U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input0[48U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_384(k_, k, (uint32_t)48U, input0, input_len); + Hacl_HMAC_compute_sha2_384(v, k_, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)49U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)49U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[48U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_384(k_0, k, (uint32_t)48U, input, input_len0); + Hacl_HMAC_compute_sha2_384(v, k_0, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_0, (uint32_t)48U * sizeof (uint8_t)); + } + } + } + { + uint32_t old_ctr = ctr[0U]; + ctr[0U] = old_ctr + (uint32_t)1U; + return true; + } + } 
+ } + } + } + } + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + if (st.reseed_counter[0U] > Hacl_HMAC_DRBG_reseed_interval) + { + return false; + } + { + uint8_t *k = st.k; + uint8_t *v = st.v; + uint32_t *ctr = st.reseed_counter; + if (additional_input_len > (uint32_t)0U) + { + uint32_t input_len = (uint32_t)65U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)65U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input0[64U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_512(k_, k, (uint32_t)64U, input0, input_len); + Hacl_HMAC_compute_sha2_512(v, k_, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)65U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)65U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[64U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_512(k_0, k, (uint32_t)64U, input, input_len0); + Hacl_HMAC_compute_sha2_512(v, k_0, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_0, (uint32_t)64U * sizeof (uint8_t)); + } + } + } + } + } + } + { + uint8_t *output1 = output; + uint32_t max = n / (uint32_t)64U; + uint8_t *out = output1; + { + uint32_t i; + for (i = (uint32_t)0U; i < max; i++) + { + Hacl_HMAC_compute_sha2_512(v, k, (uint32_t)64U, v, (uint32_t)64U); + memcpy(out + i * (uint32_t)64U, v, (uint32_t)64U * sizeof (uint8_t)); + } + } + if (max * (uint32_t)64U < n) + { + uint8_t 
*block = output1 + max * (uint32_t)64U; + Hacl_HMAC_compute_sha2_512(v, k, (uint32_t)64U, v, (uint32_t)64U); + memcpy(block, v, (n - max * (uint32_t)64U) * sizeof (uint8_t)); + } + { + uint32_t input_len = (uint32_t)65U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + { + uint8_t input0[input_len]; + memset(input0, 0U, input_len * sizeof (uint8_t)); + { + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)65U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input0[64U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_512(k_, k, (uint32_t)64U, input0, input_len); + Hacl_HMAC_compute_sha2_512(v, k_, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)65U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + { + uint8_t input[input_len0]; + memset(input, 0U, input_len0 * sizeof (uint8_t)); + { + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)65U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[64U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_512(k_0, k, (uint32_t)64U, input, input_len0); + Hacl_HMAC_compute_sha2_512(v, k_0, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_0, (uint32_t)64U * sizeof (uint8_t)); + } + } + } + { + uint32_t old_ctr = ctr[0U]; + ctr[0U] = old_ctr + (uint32_t)1U; + return true; + } + } + } + } + } + } + break; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + diff --git a/src/c89/Hacl_Hash_Base.c b/src/c89/Hacl_Hash_Base.c new file mode 100644 index 00000000..9f7e83bc --- /dev/null +++ b/src/c89/Hacl_Hash_Base.c 
@@ -0,0 +1,204 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Hash_Base.h" + + + +uint32_t Hacl_Hash_Definitions_word_len(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + return (uint32_t)4U; + } + case Spec_Hash_Definitions_SHA1: + { + return (uint32_t)4U; + } + case Spec_Hash_Definitions_SHA2_224: + { + return (uint32_t)4U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return (uint32_t)4U; + } + case Spec_Hash_Definitions_SHA2_384: + { + return (uint32_t)8U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return (uint32_t)8U; + } + case Spec_Hash_Definitions_Blake2S: + { + return (uint32_t)4U; + } + case Spec_Hash_Definitions_Blake2B: + { + return (uint32_t)8U; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +uint32_t Hacl_Hash_Definitions_block_len(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_SHA1: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_SHA2_224: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_SHA2_384: + { + return (uint32_t)128U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return (uint32_t)128U; + } + case Spec_Hash_Definitions_Blake2S: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_Blake2B: + { + return (uint32_t)128U; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +uint32_t Hacl_Hash_Definitions_hash_word_len(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + return (uint32_t)4U; + } + case Spec_Hash_Definitions_SHA1: + { + return (uint32_t)5U; + } + case Spec_Hash_Definitions_SHA2_224: + { + return (uint32_t)7U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return (uint32_t)8U; + } + case 
Spec_Hash_Definitions_SHA2_384: + { + return (uint32_t)6U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return (uint32_t)8U; + } + case Spec_Hash_Definitions_Blake2S: + { + return (uint32_t)8U; + } + case Spec_Hash_Definitions_Blake2B: + { + return (uint32_t)8U; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +uint32_t Hacl_Hash_Definitions_hash_len(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + return (uint32_t)16U; + } + case Spec_Hash_Definitions_SHA1: + { + return (uint32_t)20U; + } + case Spec_Hash_Definitions_SHA2_224: + { + return (uint32_t)28U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_SHA2_384: + { + return (uint32_t)48U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_Blake2S: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_Blake2B: + { + return (uint32_t)64U; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + diff --git a/src/c89/Hacl_Hash_Blake2.c b/src/c89/Hacl_Hash_Blake2.c new file mode 100644 index 00000000..a4feb691 --- /dev/null +++ b/src/c89/Hacl_Hash_Blake2.c 
@@ -0,0 +1,5452 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Hash_Blake2.h" + + + +uint64_t Hacl_Hash_Core_Blake2_update_blake2s_32(uint32_t *s, uint64_t totlen, uint8_t *block) +{ + uint32_t wv[16U] = { 0U }; + uint64_t totlen1 = totlen + (uint64_t)(uint32_t)64U; + uint32_t m_w[16U] = { 0U }; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = m_w; + uint8_t *bj = block + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + } + { + uint32_t mask[4U] = { 0U }; + uint32_t wv_14 = (uint32_t)0U; + uint32_t wv_15 = (uint32_t)0U; + uint32_t *wv3; + uint32_t *s00; + uint32_t *s16; + uint32_t *r00; + uint32_t *r10; + uint32_t *r20; + uint32_t *r30; + mask[0U] = (uint32_t)totlen1; + mask[1U] = (uint32_t)(totlen1 >> (uint32_t)32U); + mask[2U] = wv_14; + mask[3U] = wv_15; + memcpy(wv, s, (uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + wv3 = wv + (uint32_t)3U * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv3; + uint32_t x = wv3[i] ^ mask[i]; + os[i] = x; + } + } + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)10U; i0++) + { + uint32_t start_idx = i0 % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * (uint32_t)4U); + { + uint32_t m_st[(uint32_t)4U * (uint32_t)4U]; + memset(m_st, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + { + uint32_t *r0 = m_st + (uint32_t)0U * (uint32_t)4U; + uint32_t *r1 = m_st + (uint32_t)1U * (uint32_t)4U; + uint32_t *r21 = m_st + (uint32_t)2U * (uint32_t)4U; + uint32_t *r31 = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + 
(uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + uint32_t uu____0 = m_w[s2]; + uint32_t uu____1 = m_w[s4]; + uint32_t uu____2 = m_w[s6]; + r0[0U] = m_w[s0]; + r0[1U] = uu____0; + r0[2U] = uu____1; + r0[3U] = uu____2; + { + uint32_t uu____3 = m_w[s3]; + uint32_t uu____4 = m_w[s5]; + uint32_t uu____5 = m_w[s7]; + r1[0U] = m_w[s1]; + r1[1U] = uu____3; + r1[2U] = uu____4; + r1[3U] = uu____5; + { + uint32_t uu____6 = m_w[s10]; + uint32_t uu____7 = m_w[s12]; + uint32_t uu____8 = m_w[s14]; + r21[0U] = m_w[s8]; + r21[1U] = uu____6; + r21[2U] = uu____7; + r21[3U] = uu____8; + { + uint32_t uu____9 = m_w[s11]; + uint32_t uu____10 = m_w[s13]; + uint32_t uu____11 = m_w[s15]; + r31[0U] = m_w[s9]; + r31[1U] = uu____9; + r31[2U] = uu____10; + r31[3U] = uu____11; + { + uint32_t *x = m_st + (uint32_t)0U * (uint32_t)4U; + uint32_t *y = m_st + (uint32_t)1U * (uint32_t)4U; + uint32_t *z = m_st + (uint32_t)2U * (uint32_t)4U; + uint32_t *w = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d0 = (uint32_t)3U; + uint32_t *wv_a0 = wv + a * 
(uint32_t)4U; + uint32_t *wv_b0 = wv + b0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a0; + uint32_t x1 = wv_a0[i] + wv_b0[i]; + os[i] = x1; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a0; + uint32_t x1 = wv_a0[i] + x[i]; + os[i] = x1; + } + } + { + uint32_t *wv_a1 = wv + d0 * (uint32_t)4U; + uint32_t *wv_b1 = wv + a * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a1; + uint32_t x1 = wv_a1[i] ^ wv_b1[i]; + os[i] = x1; + } + } + { + uint32_t *r12 = wv_a1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r12; + uint32_t x1 = r12[i]; + uint32_t x10 = x1 >> (uint32_t)16U | x1 << (uint32_t)16U; + os[i] = x10; + } + } + { + uint32_t *wv_a2 = wv + c0 * (uint32_t)4U; + uint32_t *wv_b2 = wv + d0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a2; + uint32_t x1 = wv_a2[i] + wv_b2[i]; + os[i] = x1; + } + } + { + uint32_t *wv_a3 = wv + b0 * (uint32_t)4U; + uint32_t *wv_b3 = wv + c0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a3; + uint32_t x1 = wv_a3[i] ^ wv_b3[i]; + os[i] = x1; + } + } + { + uint32_t *r13 = wv_a3; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r13; + uint32_t x1 = r13[i]; + uint32_t x10 = x1 >> (uint32_t)12U | x1 << (uint32_t)20U; + os[i] = x10; + } + } + { + uint32_t *wv_a4 = wv + a * (uint32_t)4U; + uint32_t *wv_b4 = wv + b0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a4; + uint32_t x1 = wv_a4[i] + wv_b4[i]; + os[i] = x1; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a4; + uint32_t x1 = wv_a4[i] + y[i]; + os[i] = x1; + } + } + { + uint32_t *wv_a5 = wv + d0 * (uint32_t)4U; + 
uint32_t *wv_b5 = wv + a * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a5; + uint32_t x1 = wv_a5[i] ^ wv_b5[i]; + os[i] = x1; + } + } + { + uint32_t *r14 = wv_a5; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r14; + uint32_t x1 = r14[i]; + uint32_t x10 = x1 >> (uint32_t)8U | x1 << (uint32_t)24U; + os[i] = x10; + } + } + { + uint32_t *wv_a6 = wv + c0 * (uint32_t)4U; + uint32_t *wv_b6 = wv + d0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a6; + uint32_t x1 = wv_a6[i] + wv_b6[i]; + os[i] = x1; + } + } + { + uint32_t *wv_a7 = wv + b0 * (uint32_t)4U; + uint32_t *wv_b7 = wv + c0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a7; + uint32_t x1 = wv_a7[i] ^ wv_b7[i]; + os[i] = x1; + } + } + { + uint32_t *r15 = wv_a7; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r15; + uint32_t x1 = r15[i]; + uint32_t + x10 = x1 >> (uint32_t)7U | x1 << (uint32_t)25U; + os[i] = x10; + } + } + { + uint32_t *r16 = wv + (uint32_t)1U * (uint32_t)4U; + uint32_t *r22 = wv + (uint32_t)2U * (uint32_t)4U; + uint32_t *r32 = wv + (uint32_t)3U * (uint32_t)4U; + uint32_t *r110 = r16; + uint32_t x00 = r110[1U]; + uint32_t + x10 = r110[((uint32_t)1U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t + x20 = r110[((uint32_t)1U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t + x30 = r110[((uint32_t)1U + (uint32_t)3U) % (uint32_t)4U]; + r110[0U] = x00; + r110[1U] = x10; + r110[2U] = x20; + r110[3U] = x30; + { + uint32_t *r111 = r22; + uint32_t x01 = r111[2U]; + uint32_t + x11 = + r111[((uint32_t)2U + (uint32_t)1U) + % (uint32_t)4U]; + uint32_t + x21 = + r111[((uint32_t)2U + (uint32_t)2U) + % (uint32_t)4U]; + uint32_t + x31 = + r111[((uint32_t)2U + (uint32_t)3U) + % (uint32_t)4U]; + r111[0U] = x01; + r111[1U] = x11; + r111[2U] = x21; + r111[3U] = x31; + { + 
uint32_t *r112 = r32; + uint32_t x02 = r112[3U]; + uint32_t + x12 = + r112[((uint32_t)3U + (uint32_t)1U) + % (uint32_t)4U]; + uint32_t + x22 = + r112[((uint32_t)3U + (uint32_t)2U) + % (uint32_t)4U]; + uint32_t + x32 = + r112[((uint32_t)3U + (uint32_t)3U) + % (uint32_t)4U]; + r112[0U] = x02; + r112[1U] = x12; + r112[2U] = x22; + r112[3U] = x32; + { + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d = (uint32_t)3U; + uint32_t *wv_a = wv + a0 * (uint32_t)4U; + uint32_t *wv_b8 = wv + b * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a; + uint32_t x1 = wv_a[i] + wv_b8[i]; + os[i] = x1; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a; + uint32_t x1 = wv_a[i] + z[i]; + os[i] = x1; + } + } + { + uint32_t *wv_a8 = wv + d * (uint32_t)4U; + uint32_t *wv_b9 = wv + a0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a8; + uint32_t x1 = wv_a8[i] ^ wv_b9[i]; + os[i] = x1; + } + } + { + uint32_t *r17 = wv_a8; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = r17; + uint32_t x1 = r17[i]; + uint32_t + x13 = + x1 + >> (uint32_t)16U + | x1 << (uint32_t)16U; + os[i] = x13; + } + } + { + uint32_t *wv_a9 = wv + c * (uint32_t)4U; + uint32_t *wv_b10 = wv + d * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = wv_a9; + uint32_t x1 = wv_a9[i] + wv_b10[i]; + os[i] = x1; + } + } + { + uint32_t *wv_a10 = wv + b * (uint32_t)4U; + uint32_t *wv_b11 = wv + c * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = wv_a10; + uint32_t x1 = wv_a10[i] ^ wv_b11[i]; + os[i] = x1; + } + } + { + uint32_t *r18 = wv_a10; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = r18; + uint32_t x1 
= r18[i]; + uint32_t + x13 = + x1 + >> (uint32_t)12U + | x1 << (uint32_t)20U; + os[i] = x13; + } + } + { + uint32_t + *wv_a11 = wv + a0 * (uint32_t)4U; + uint32_t + *wv_b12 = wv + b * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = wv_a11; + uint32_t + x1 = wv_a11[i] + wv_b12[i]; + os[i] = x1; + } + } + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = wv_a11; + uint32_t x1 = wv_a11[i] + w[i]; + os[i] = x1; + } + } + { + uint32_t + *wv_a12 = wv + d * (uint32_t)4U; + uint32_t + *wv_b13 = wv + a0 * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = wv_a12; + uint32_t + x1 = wv_a12[i] ^ wv_b13[i]; + os[i] = x1; + } + } + { + uint32_t *r19 = wv_a12; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = r19; + uint32_t x1 = r19[i]; + uint32_t + x13 = + x1 + >> (uint32_t)8U + | x1 << (uint32_t)24U; + os[i] = x13; + } + } + { + uint32_t + *wv_a13 = wv + c * (uint32_t)4U; + uint32_t + *wv_b14 = wv + d * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = wv_a13; + uint32_t + x1 = wv_a13[i] + wv_b14[i]; + os[i] = x1; + } + } + { + uint32_t + *wv_a14 = + wv + + b * (uint32_t)4U; + uint32_t + *wv_b = wv + c * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = wv_a14; + uint32_t + x1 = wv_a14[i] ^ wv_b[i]; + os[i] = x1; + } + } + { + uint32_t *r113 = wv_a14; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = r113; + uint32_t x1 = r113[i]; + uint32_t + x13 = + x1 + >> (uint32_t)7U + | x1 << (uint32_t)25U; + os[i] = x13; + } + } + { + uint32_t + *r114 = + wv + + + (uint32_t)1U + * (uint32_t)4U; + uint32_t + *r2 = + wv + + + (uint32_t)2U + * (uint32_t)4U; + uint32_t + *r3 = + wv + + + (uint32_t)3U + * 
(uint32_t)4U; + uint32_t *r11 = r114; + uint32_t x03 = r11[3U]; + uint32_t + x13 = + r11[((uint32_t)3U + + (uint32_t)1U) + % (uint32_t)4U]; + uint32_t + x23 = + r11[((uint32_t)3U + + (uint32_t)2U) + % (uint32_t)4U]; + uint32_t + x33 = + r11[((uint32_t)3U + + (uint32_t)3U) + % (uint32_t)4U]; + r11[0U] = x03; + r11[1U] = x13; + r11[2U] = x23; + r11[3U] = x33; + { + uint32_t *r115 = r2; + uint32_t x04 = r115[2U]; + uint32_t + x14 = + r115[((uint32_t)2U + + (uint32_t)1U) + % (uint32_t)4U]; + uint32_t + x24 = + r115[((uint32_t)2U + + (uint32_t)2U) + % (uint32_t)4U]; + uint32_t + x34 = + r115[((uint32_t)2U + + (uint32_t)3U) + % (uint32_t)4U]; + r115[0U] = x04; + r115[1U] = x14; + r115[2U] = x24; + r115[3U] = x34; + { + uint32_t *r116 = r3; + uint32_t + x0 = r116[1U]; + uint32_t + x1 = + r116[((uint32_t)1U + + (uint32_t)1U) + % (uint32_t)4U]; + uint32_t + x2 = + r116[((uint32_t)1U + + (uint32_t)2U) + % (uint32_t)4U]; + uint32_t + x3 = + r116[((uint32_t)1U + + (uint32_t)3U) + % (uint32_t)4U]; + r116[0U] = x0; + r116[1U] = x1; + r116[2U] = x2; + r116[3U] = x3; + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + s00 = s + (uint32_t)0U * (uint32_t)4U; + s16 = s + (uint32_t)1U * (uint32_t)4U; + r00 = wv + (uint32_t)0U * (uint32_t)4U; + r10 = wv + (uint32_t)1U * (uint32_t)4U; + r20 = wv + (uint32_t)2U * (uint32_t)4U; + r30 = wv + (uint32_t)3U * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s00; + uint32_t x = s00[i] ^ r00[i]; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s00; + uint32_t x = s00[i] ^ r20[i]; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s16; + uint32_t x = s16[i] ^ r10[i]; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s16; + 
uint32_t x = s16[i] ^ r30[i]; + os[i] = x; + } + } + return totlen1; + } +} + +void Hacl_Hash_Core_Blake2_finish_blake2s_32(uint32_t *s, uint64_t ev, uint8_t *dst) +{ + uint32_t double_row = (uint32_t)2U * ((uint32_t)4U * (uint32_t)4U); + KRML_CHECK_SIZE(sizeof (uint8_t), double_row); + { + uint8_t b[double_row]; + memset(b, 0U, double_row * sizeof (uint8_t)); + { + uint8_t *first = b; + uint8_t *second = b + (uint32_t)4U * (uint32_t)4U; + uint32_t *row0 = s + (uint32_t)0U * (uint32_t)4U; + uint32_t *row1 = s + (uint32_t)1U * (uint32_t)4U; + uint8_t *final; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store32_le(first + i * (uint32_t)4U, row0[i]); + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store32_le(second + i * (uint32_t)4U, row1[i]); + } + } + final = b; + memcpy(dst, final, (uint32_t)32U * sizeof (uint8_t)); + Lib_Memzero0_memzero(b, double_row * sizeof (b[0U])); + } + } +} + +FStar_UInt128_uint128 +Hacl_Hash_Core_Blake2_update_blake2b_32( + uint64_t *s, + FStar_UInt128_uint128 totlen, + uint8_t *block +) +{ + uint64_t wv[16U] = { 0U }; + FStar_UInt128_uint128 + totlen1 = + FStar_UInt128_add_mod(totlen, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U)); + uint64_t m_w[16U] = { 0U }; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t *os = m_w; + uint8_t *bj = block + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + } + { + uint64_t mask[4U] = { 0U }; + uint64_t wv_14 = (uint64_t)0U; + uint64_t wv_15 = (uint64_t)0U; + uint64_t *wv3; + uint64_t *s00; + uint64_t *s16; + uint64_t *r00; + uint64_t *r10; + uint64_t *r20; + uint64_t *r30; + mask[0U] = FStar_UInt128_uint128_to_uint64(totlen1); + mask[1U] = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(totlen1, (uint32_t)64U)); + mask[2U] = wv_14; + mask[3U] = wv_15; + memcpy(wv, s, (uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + wv3 = wv + 
(uint32_t)3U * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv3; + uint64_t x = wv3[i] ^ mask[i]; + os[i] = x; + } + } + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)12U; i0++) + { + uint32_t start_idx = i0 % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * (uint32_t)4U); + { + uint64_t m_st[(uint32_t)4U * (uint32_t)4U]; + memset(m_st, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + { + uint64_t *r0 = m_st + (uint32_t)0U * (uint32_t)4U; + uint64_t *r1 = m_st + (uint32_t)1U * (uint32_t)4U; + uint64_t *r21 = m_st + (uint32_t)2U * (uint32_t)4U; + uint64_t *r31 = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + 
(uint32_t)15U]; + uint64_t uu____0 = m_w[s2]; + uint64_t uu____1 = m_w[s4]; + uint64_t uu____2 = m_w[s6]; + r0[0U] = m_w[s0]; + r0[1U] = uu____0; + r0[2U] = uu____1; + r0[3U] = uu____2; + { + uint64_t uu____3 = m_w[s3]; + uint64_t uu____4 = m_w[s5]; + uint64_t uu____5 = m_w[s7]; + r1[0U] = m_w[s1]; + r1[1U] = uu____3; + r1[2U] = uu____4; + r1[3U] = uu____5; + { + uint64_t uu____6 = m_w[s10]; + uint64_t uu____7 = m_w[s12]; + uint64_t uu____8 = m_w[s14]; + r21[0U] = m_w[s8]; + r21[1U] = uu____6; + r21[2U] = uu____7; + r21[3U] = uu____8; + { + uint64_t uu____9 = m_w[s11]; + uint64_t uu____10 = m_w[s13]; + uint64_t uu____11 = m_w[s15]; + r31[0U] = m_w[s9]; + r31[1U] = uu____9; + r31[2U] = uu____10; + r31[3U] = uu____11; + { + uint64_t *x = m_st + (uint32_t)0U * (uint32_t)4U; + uint64_t *y = m_st + (uint32_t)1U * (uint32_t)4U; + uint64_t *z = m_st + (uint32_t)2U * (uint32_t)4U; + uint64_t *w = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d0 = (uint32_t)3U; + uint64_t *wv_a0 = wv + a * (uint32_t)4U; + uint64_t *wv_b0 = wv + b0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a0; + uint64_t x1 = wv_a0[i] + wv_b0[i]; + os[i] = x1; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a0; + uint64_t x1 = wv_a0[i] + x[i]; + os[i] = x1; + } + } + { + uint64_t *wv_a1 = wv + d0 * (uint32_t)4U; + uint64_t *wv_b1 = wv + a * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a1; + uint64_t x1 = wv_a1[i] ^ wv_b1[i]; + os[i] = x1; + } + } + { + uint64_t *r12 = wv_a1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r12; + uint64_t x1 = r12[i]; + uint64_t x10 = x1 >> (uint32_t)32U | x1 << (uint32_t)32U; + os[i] = x10; + } + } + { + uint64_t *wv_a2 = wv + c0 * (uint32_t)4U; + uint64_t *wv_b2 = wv + d0 * 
(uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a2; + uint64_t x1 = wv_a2[i] + wv_b2[i]; + os[i] = x1; + } + } + { + uint64_t *wv_a3 = wv + b0 * (uint32_t)4U; + uint64_t *wv_b3 = wv + c0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a3; + uint64_t x1 = wv_a3[i] ^ wv_b3[i]; + os[i] = x1; + } + } + { + uint64_t *r13 = wv_a3; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r13; + uint64_t x1 = r13[i]; + uint64_t x10 = x1 >> (uint32_t)24U | x1 << (uint32_t)40U; + os[i] = x10; + } + } + { + uint64_t *wv_a4 = wv + a * (uint32_t)4U; + uint64_t *wv_b4 = wv + b0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a4; + uint64_t x1 = wv_a4[i] + wv_b4[i]; + os[i] = x1; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a4; + uint64_t x1 = wv_a4[i] + y[i]; + os[i] = x1; + } + } + { + uint64_t *wv_a5 = wv + d0 * (uint32_t)4U; + uint64_t *wv_b5 = wv + a * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a5; + uint64_t x1 = wv_a5[i] ^ wv_b5[i]; + os[i] = x1; + } + } + { + uint64_t *r14 = wv_a5; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r14; + uint64_t x1 = r14[i]; + uint64_t x10 = x1 >> (uint32_t)16U | x1 << (uint32_t)48U; + os[i] = x10; + } + } + { + uint64_t *wv_a6 = wv + c0 * (uint32_t)4U; + uint64_t *wv_b6 = wv + d0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a6; + uint64_t x1 = wv_a6[i] + wv_b6[i]; + os[i] = x1; + } + } + { + uint64_t *wv_a7 = wv + b0 * (uint32_t)4U; + uint64_t *wv_b7 = wv + c0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a7; + uint64_t x1 = wv_a7[i] ^ wv_b7[i]; + os[i] = x1; + } + } + { 
+ uint64_t *r15 = wv_a7; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r15; + uint64_t x1 = r15[i]; + uint64_t + x10 = x1 >> (uint32_t)63U | x1 << (uint32_t)1U; + os[i] = x10; + } + } + { + uint64_t *r16 = wv + (uint32_t)1U * (uint32_t)4U; + uint64_t *r22 = wv + (uint32_t)2U * (uint32_t)4U; + uint64_t *r32 = wv + (uint32_t)3U * (uint32_t)4U; + uint64_t *r110 = r16; + uint64_t x00 = r110[1U]; + uint64_t + x10 = r110[((uint32_t)1U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t + x20 = r110[((uint32_t)1U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t + x30 = r110[((uint32_t)1U + (uint32_t)3U) % (uint32_t)4U]; + r110[0U] = x00; + r110[1U] = x10; + r110[2U] = x20; + r110[3U] = x30; + { + uint64_t *r111 = r22; + uint64_t x01 = r111[2U]; + uint64_t + x11 = + r111[((uint32_t)2U + (uint32_t)1U) + % (uint32_t)4U]; + uint64_t + x21 = + r111[((uint32_t)2U + (uint32_t)2U) + % (uint32_t)4U]; + uint64_t + x31 = + r111[((uint32_t)2U + (uint32_t)3U) + % (uint32_t)4U]; + r111[0U] = x01; + r111[1U] = x11; + r111[2U] = x21; + r111[3U] = x31; + { + uint64_t *r112 = r32; + uint64_t x02 = r112[3U]; + uint64_t + x12 = + r112[((uint32_t)3U + (uint32_t)1U) + % (uint32_t)4U]; + uint64_t + x22 = + r112[((uint32_t)3U + (uint32_t)2U) + % (uint32_t)4U]; + uint64_t + x32 = + r112[((uint32_t)3U + (uint32_t)3U) + % (uint32_t)4U]; + r112[0U] = x02; + r112[1U] = x12; + r112[2U] = x22; + r112[3U] = x32; + { + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d = (uint32_t)3U; + uint64_t *wv_a = wv + a0 * (uint32_t)4U; + uint64_t *wv_b8 = wv + b * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a; + uint64_t x1 = wv_a[i] + wv_b8[i]; + os[i] = x1; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a; + uint64_t x1 = wv_a[i] + z[i]; + os[i] = x1; + } + } + { + uint64_t *wv_a8 = wv + d * (uint32_t)4U; + uint64_t *wv_b9 = wv 
+ a0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a8; + uint64_t x1 = wv_a8[i] ^ wv_b9[i]; + os[i] = x1; + } + } + { + uint64_t *r17 = wv_a8; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = r17; + uint64_t x1 = r17[i]; + uint64_t + x13 = + x1 + >> (uint32_t)32U + | x1 << (uint32_t)32U; + os[i] = x13; + } + } + { + uint64_t *wv_a9 = wv + c * (uint32_t)4U; + uint64_t *wv_b10 = wv + d * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = wv_a9; + uint64_t x1 = wv_a9[i] + wv_b10[i]; + os[i] = x1; + } + } + { + uint64_t *wv_a10 = wv + b * (uint32_t)4U; + uint64_t *wv_b11 = wv + c * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = wv_a10; + uint64_t x1 = wv_a10[i] ^ wv_b11[i]; + os[i] = x1; + } + } + { + uint64_t *r18 = wv_a10; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = r18; + uint64_t x1 = r18[i]; + uint64_t + x13 = + x1 + >> (uint32_t)24U + | x1 << (uint32_t)40U; + os[i] = x13; + } + } + { + uint64_t + *wv_a11 = wv + a0 * (uint32_t)4U; + uint64_t + *wv_b12 = wv + b * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = wv_a11; + uint64_t + x1 = wv_a11[i] + wv_b12[i]; + os[i] = x1; + } + } + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = wv_a11; + uint64_t x1 = wv_a11[i] + w[i]; + os[i] = x1; + } + } + { + uint64_t + *wv_a12 = wv + d * (uint32_t)4U; + uint64_t + *wv_b13 = wv + a0 * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = wv_a12; + uint64_t + x1 = wv_a12[i] ^ wv_b13[i]; + os[i] = x1; + } + } + { + uint64_t *r19 = wv_a12; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = 
r19; + uint64_t x1 = r19[i]; + uint64_t + x13 = + x1 + >> (uint32_t)16U + | x1 << (uint32_t)48U; + os[i] = x13; + } + } + { + uint64_t + *wv_a13 = wv + c * (uint32_t)4U; + uint64_t + *wv_b14 = wv + d * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = wv_a13; + uint64_t + x1 = wv_a13[i] + wv_b14[i]; + os[i] = x1; + } + } + { + uint64_t + *wv_a14 = + wv + + b * (uint32_t)4U; + uint64_t + *wv_b = wv + c * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = wv_a14; + uint64_t + x1 = wv_a14[i] ^ wv_b[i]; + os[i] = x1; + } + } + { + uint64_t *r113 = wv_a14; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = r113; + uint64_t x1 = r113[i]; + uint64_t + x13 = + x1 + >> (uint32_t)63U + | x1 << (uint32_t)1U; + os[i] = x13; + } + } + { + uint64_t + *r114 = + wv + + + (uint32_t)1U + * (uint32_t)4U; + uint64_t + *r2 = + wv + + + (uint32_t)2U + * (uint32_t)4U; + uint64_t + *r3 = + wv + + + (uint32_t)3U + * (uint32_t)4U; + uint64_t *r11 = r114; + uint64_t x03 = r11[3U]; + uint64_t + x13 = + r11[((uint32_t)3U + + (uint32_t)1U) + % (uint32_t)4U]; + uint64_t + x23 = + r11[((uint32_t)3U + + (uint32_t)2U) + % (uint32_t)4U]; + uint64_t + x33 = + r11[((uint32_t)3U + + (uint32_t)3U) + % (uint32_t)4U]; + r11[0U] = x03; + r11[1U] = x13; + r11[2U] = x23; + r11[3U] = x33; + { + uint64_t *r115 = r2; + uint64_t x04 = r115[2U]; + uint64_t + x14 = + r115[((uint32_t)2U + + (uint32_t)1U) + % (uint32_t)4U]; + uint64_t + x24 = + r115[((uint32_t)2U + + (uint32_t)2U) + % (uint32_t)4U]; + uint64_t + x34 = + r115[((uint32_t)2U + + (uint32_t)3U) + % (uint32_t)4U]; + r115[0U] = x04; + r115[1U] = x14; + r115[2U] = x24; + r115[3U] = x34; + { + uint64_t *r116 = r3; + uint64_t + x0 = r116[1U]; + uint64_t + x1 = + r116[((uint32_t)1U + + (uint32_t)1U) + % (uint32_t)4U]; + uint64_t + x2 = + r116[((uint32_t)1U + + (uint32_t)2U) + % (uint32_t)4U]; + 
uint64_t + x3 = + r116[((uint32_t)1U + + (uint32_t)3U) + % (uint32_t)4U]; + r116[0U] = x0; + r116[1U] = x1; + r116[2U] = x2; + r116[3U] = x3; + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + s00 = s + (uint32_t)0U * (uint32_t)4U; + s16 = s + (uint32_t)1U * (uint32_t)4U; + r00 = wv + (uint32_t)0U * (uint32_t)4U; + r10 = wv + (uint32_t)1U * (uint32_t)4U; + r20 = wv + (uint32_t)2U * (uint32_t)4U; + r30 = wv + (uint32_t)3U * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s00; + uint64_t x = s00[i] ^ r00[i]; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s00; + uint64_t x = s00[i] ^ r20[i]; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s16; + uint64_t x = s16[i] ^ r10[i]; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s16; + uint64_t x = s16[i] ^ r30[i]; + os[i] = x; + } + } + return totlen1; + } +} + +void +Hacl_Hash_Core_Blake2_finish_blake2b_32(uint64_t *s, FStar_UInt128_uint128 ev, uint8_t *dst) +{ + uint32_t double_row = (uint32_t)2U * ((uint32_t)4U * (uint32_t)8U); + KRML_CHECK_SIZE(sizeof (uint8_t), double_row); + { + uint8_t b[double_row]; + memset(b, 0U, double_row * sizeof (uint8_t)); + { + uint8_t *first = b; + uint8_t *second = b + (uint32_t)4U * (uint32_t)8U; + uint64_t *row0 = s + (uint32_t)0U * (uint32_t)4U; + uint64_t *row1 = s + (uint32_t)1U * (uint32_t)4U; + uint8_t *final; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store64_le(first + i * (uint32_t)8U, row0[i]); + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store64_le(second + i * (uint32_t)8U, row1[i]); + } + } + final = b; + memcpy(dst, final, (uint32_t)64U * sizeof (uint8_t)); + Lib_Memzero0_memzero(b, 
double_row * sizeof (b[0U])); + } + } +} + +uint64_t +Hacl_Hash_Blake2_update_multi_blake2s_32( + uint32_t *s, + uint64_t ev, + uint8_t *blocks, + uint32_t n_blocks +) +{ + { + uint32_t i; + for (i = (uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)64U; + uint8_t *block = blocks + sz * i; + uint64_t + v_ = + Hacl_Hash_Core_Blake2_update_blake2s_32(s, + ev + (uint64_t)i * (uint64_t)(uint32_t)64U, + block); + } + } + return ev + (uint64_t)n_blocks * (uint64_t)(uint32_t)64U; +} + +FStar_UInt128_uint128 +Hacl_Hash_Blake2_update_multi_blake2b_32( + uint64_t *s, + FStar_UInt128_uint128 ev, + uint8_t *blocks, + uint32_t n_blocks +) +{ + { + uint32_t i; + for (i = (uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)128U; + uint8_t *block = blocks + sz * i; + FStar_UInt128_uint128 + v_ = + Hacl_Hash_Core_Blake2_update_blake2b_32(s, + FStar_UInt128_add_mod(ev, + FStar_UInt128_uint64_to_uint128((uint64_t)i * (uint64_t)(uint32_t)128U)), + block); + } + } + return + FStar_UInt128_add_mod(ev, + FStar_UInt128_uint64_to_uint128((uint64_t)n_blocks * (uint64_t)(uint32_t)128U)); +} + +uint64_t +Hacl_Hash_Blake2_update_last_blake2s_32( + uint32_t *s, + uint64_t ev, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)64U; + uint32_t blocks_len0 = blocks_n * (uint32_t)64U; + uint32_t rest_len0 = input_len - blocks_len0; + K___uint32_t_uint32_t_uint32_t scrut0; + if (rest_len0 == (uint32_t)0U && blocks_n > (uint32_t)0U) + { + uint32_t blocks_n1 = blocks_n - (uint32_t)1U; + uint32_t blocks_len1 = blocks_len0 - (uint32_t)64U; + uint32_t rest_len1 = (uint32_t)64U; + K___uint32_t_uint32_t_uint32_t lit; + lit.fst = blocks_n1; + lit.snd = blocks_len1; + lit.thd = rest_len1; + scrut0 = lit; + } + else + { + K___uint32_t_uint32_t_uint32_t lit; + lit.fst = blocks_n; + lit.snd = blocks_len0; + lit.thd = rest_len0; + scrut0 = lit; + } + { + uint32_t num_blocks0 = scrut0.fst; + uint32_t blocks_len = scrut0.snd; + 
uint32_t rest_len1 = scrut0.thd; + uint8_t *blocks0 = input; + uint8_t *rest0 = input + blocks_len; + K___uint32_t_uint32_t_uint32_t__uint8_t___uint8_t_ lit; + K___uint32_t_uint32_t_uint32_t__uint8_t___uint8_t_ scrut; + uint32_t num_blocks; + uint32_t rest_len; + uint8_t *blocks; + uint8_t *rest; + uint64_t ev_; + lit.fst = num_blocks0; + lit.snd = blocks_len; + lit.thd = rest_len1; + lit.f3 = blocks0; + lit.f4 = rest0; + scrut = lit; + num_blocks = scrut.fst; + rest_len = scrut.thd; + blocks = scrut.f3; + rest = scrut.f4; + ev_ = Hacl_Hash_Blake2_update_multi_blake2s_32(s, ev, blocks, num_blocks); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * (uint32_t)4U); + { + uint32_t wv[(uint32_t)4U * (uint32_t)4U]; + memset(wv, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + { + uint8_t tmp[64U] = { 0U }; + uint8_t *tmp_rest = tmp; + uint64_t totlen; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + totlen = ev_ + (uint64_t)rest_len; + { + uint32_t m_w[16U] = { 0U }; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = m_w; + uint8_t *bj = tmp + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + } + { + uint32_t mask[4U] = { 0U }; + uint32_t wv_14 = (uint32_t)0xFFFFFFFFU; + uint32_t wv_15 = (uint32_t)0U; + uint32_t *wv3; + uint32_t *s00; + uint32_t *s16; + uint32_t *r00; + uint32_t *r10; + uint32_t *r20; + uint32_t *r30; + mask[0U] = (uint32_t)totlen; + mask[1U] = (uint32_t)(totlen >> (uint32_t)32U); + mask[2U] = wv_14; + mask[3U] = wv_15; + memcpy(wv, s, (uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + wv3 = wv + (uint32_t)3U * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv3; + uint32_t x = wv3[i] ^ mask[i]; + os[i] = x; + } + } + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)10U; i0++) + { + uint32_t start_idx = i0 % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U 
* (uint32_t)4U); + { + uint32_t m_st[(uint32_t)4U * (uint32_t)4U]; + memset(m_st, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + { + uint32_t *r0 = m_st + (uint32_t)0U * (uint32_t)4U; + uint32_t *r1 = m_st + (uint32_t)1U * (uint32_t)4U; + uint32_t *r21 = m_st + (uint32_t)2U * (uint32_t)4U; + uint32_t *r31 = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + uint32_t uu____0 = m_w[s2]; + uint32_t uu____1 = m_w[s4]; + uint32_t uu____2 = m_w[s6]; + r0[0U] = m_w[s0]; + r0[1U] = uu____0; + r0[2U] = uu____1; + r0[3U] = uu____2; + { + uint32_t uu____3 = m_w[s3]; + uint32_t uu____4 = m_w[s5]; + uint32_t uu____5 = m_w[s7]; + r1[0U] = m_w[s1]; + r1[1U] = uu____3; + r1[2U] = uu____4; + r1[3U] = uu____5; + { + 
uint32_t uu____6 = m_w[s10]; + uint32_t uu____7 = m_w[s12]; + uint32_t uu____8 = m_w[s14]; + r21[0U] = m_w[s8]; + r21[1U] = uu____6; + r21[2U] = uu____7; + r21[3U] = uu____8; + { + uint32_t uu____9 = m_w[s11]; + uint32_t uu____10 = m_w[s13]; + uint32_t uu____11 = m_w[s15]; + r31[0U] = m_w[s9]; + r31[1U] = uu____9; + r31[2U] = uu____10; + r31[3U] = uu____11; + { + uint32_t *x = m_st + (uint32_t)0U * (uint32_t)4U; + uint32_t *y = m_st + (uint32_t)1U * (uint32_t)4U; + uint32_t *z = m_st + (uint32_t)2U * (uint32_t)4U; + uint32_t *w = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d0 = (uint32_t)3U; + uint32_t *wv_a0 = wv + a * (uint32_t)4U; + uint32_t *wv_b0 = wv + b0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a0; + uint32_t x1 = wv_a0[i] + wv_b0[i]; + os[i] = x1; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a0; + uint32_t x1 = wv_a0[i] + x[i]; + os[i] = x1; + } + } + { + uint32_t *wv_a1 = wv + d0 * (uint32_t)4U; + uint32_t *wv_b1 = wv + a * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a1; + uint32_t x1 = wv_a1[i] ^ wv_b1[i]; + os[i] = x1; + } + } + { + uint32_t *r12 = wv_a1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r12; + uint32_t x1 = r12[i]; + uint32_t x10 = x1 >> (uint32_t)16U | x1 << (uint32_t)16U; + os[i] = x10; + } + } + { + uint32_t *wv_a2 = wv + c0 * (uint32_t)4U; + uint32_t *wv_b2 = wv + d0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a2; + uint32_t x1 = wv_a2[i] + wv_b2[i]; + os[i] = x1; + } + } + { + uint32_t *wv_a3 = wv + b0 * (uint32_t)4U; + uint32_t *wv_b3 = wv + c0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a3; + uint32_t x1 = 
wv_a3[i] ^ wv_b3[i]; + os[i] = x1; + } + } + { + uint32_t *r13 = wv_a3; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r13; + uint32_t x1 = r13[i]; + uint32_t x10 = x1 >> (uint32_t)12U | x1 << (uint32_t)20U; + os[i] = x10; + } + } + { + uint32_t *wv_a4 = wv + a * (uint32_t)4U; + uint32_t *wv_b4 = wv + b0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a4; + uint32_t x1 = wv_a4[i] + wv_b4[i]; + os[i] = x1; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a4; + uint32_t x1 = wv_a4[i] + y[i]; + os[i] = x1; + } + } + { + uint32_t *wv_a5 = wv + d0 * (uint32_t)4U; + uint32_t *wv_b5 = wv + a * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a5; + uint32_t x1 = wv_a5[i] ^ wv_b5[i]; + os[i] = x1; + } + } + { + uint32_t *r14 = wv_a5; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r14; + uint32_t x1 = r14[i]; + uint32_t + x10 = x1 >> (uint32_t)8U | x1 << (uint32_t)24U; + os[i] = x10; + } + } + { + uint32_t *wv_a6 = wv + c0 * (uint32_t)4U; + uint32_t *wv_b6 = wv + d0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a6; + uint32_t x1 = wv_a6[i] + wv_b6[i]; + os[i] = x1; + } + } + { + uint32_t *wv_a7 = wv + b0 * (uint32_t)4U; + uint32_t *wv_b7 = wv + c0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a7; + uint32_t x1 = wv_a7[i] ^ wv_b7[i]; + os[i] = x1; + } + } + { + uint32_t *r15 = wv_a7; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r15; + uint32_t x1 = r15[i]; + uint32_t + x10 = x1 >> (uint32_t)7U | x1 << (uint32_t)25U; + os[i] = x10; + } + } + { + uint32_t + *r16 = wv + (uint32_t)1U * (uint32_t)4U; + uint32_t + *r22 = wv + (uint32_t)2U * (uint32_t)4U; + uint32_t + *r32 = wv + 
(uint32_t)3U * (uint32_t)4U; + uint32_t *r110 = r16; + uint32_t x00 = r110[1U]; + uint32_t + x10 = + r110[((uint32_t)1U + (uint32_t)1U) + % (uint32_t)4U]; + uint32_t + x20 = + r110[((uint32_t)1U + (uint32_t)2U) + % (uint32_t)4U]; + uint32_t + x30 = + r110[((uint32_t)1U + (uint32_t)3U) + % (uint32_t)4U]; + r110[0U] = x00; + r110[1U] = x10; + r110[2U] = x20; + r110[3U] = x30; + { + uint32_t *r111 = r22; + uint32_t x01 = r111[2U]; + uint32_t + x11 = + r111[((uint32_t)2U + (uint32_t)1U) + % (uint32_t)4U]; + uint32_t + x21 = + r111[((uint32_t)2U + (uint32_t)2U) + % (uint32_t)4U]; + uint32_t + x31 = + r111[((uint32_t)2U + (uint32_t)3U) + % (uint32_t)4U]; + r111[0U] = x01; + r111[1U] = x11; + r111[2U] = x21; + r111[3U] = x31; + { + uint32_t *r112 = r32; + uint32_t x02 = r112[3U]; + uint32_t + x12 = + r112[((uint32_t)3U + (uint32_t)1U) + % (uint32_t)4U]; + uint32_t + x22 = + r112[((uint32_t)3U + (uint32_t)2U) + % (uint32_t)4U]; + uint32_t + x32 = + r112[((uint32_t)3U + (uint32_t)3U) + % (uint32_t)4U]; + r112[0U] = x02; + r112[1U] = x12; + r112[2U] = x22; + r112[3U] = x32; + { + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d = (uint32_t)3U; + uint32_t *wv_a = wv + a0 * (uint32_t)4U; + uint32_t *wv_b8 = wv + b * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = wv_a; + uint32_t x1 = wv_a[i] + wv_b8[i]; + os[i] = x1; + } + } + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = wv_a; + uint32_t x1 = wv_a[i] + z[i]; + os[i] = x1; + } + } + { + uint32_t *wv_a8 = wv + d * (uint32_t)4U; + uint32_t + *wv_b9 = wv + a0 * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = wv_a8; + uint32_t x1 = wv_a8[i] ^ wv_b9[i]; + os[i] = x1; + } + } + { + uint32_t *r17 = wv_a8; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = r17; + 
uint32_t x1 = r17[i]; + uint32_t + x13 = + x1 + >> (uint32_t)16U + | x1 << (uint32_t)16U; + os[i] = x13; + } + } + { + uint32_t + *wv_a9 = wv + c * (uint32_t)4U; + uint32_t + *wv_b10 = wv + d * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = wv_a9; + uint32_t + x1 = wv_a9[i] + wv_b10[i]; + os[i] = x1; + } + } + { + uint32_t + *wv_a10 = wv + b * (uint32_t)4U; + uint32_t + *wv_b11 = wv + c * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = wv_a10; + uint32_t + x1 = wv_a10[i] ^ wv_b11[i]; + os[i] = x1; + } + } + { + uint32_t *r18 = wv_a10; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = r18; + uint32_t x1 = r18[i]; + uint32_t + x13 = + x1 + >> (uint32_t)12U + | x1 << (uint32_t)20U; + os[i] = x13; + } + } + { + uint32_t + *wv_a11 = + wv + + a0 * (uint32_t)4U; + uint32_t + *wv_b12 = + wv + + b * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = wv_a11; + uint32_t + x1 = wv_a11[i] + wv_b12[i]; + os[i] = x1; + } + } + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = wv_a11; + uint32_t + x1 = wv_a11[i] + w[i]; + os[i] = x1; + } + } + { + uint32_t + *wv_a12 = + wv + + d * (uint32_t)4U; + uint32_t + *wv_b13 = + wv + + a0 * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = wv_a12; + uint32_t + x1 = + wv_a12[i] + ^ wv_b13[i]; + os[i] = x1; + } + } + { + uint32_t *r19 = wv_a12; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = r19; + uint32_t x1 = r19[i]; + uint32_t + x13 = + x1 + >> (uint32_t)8U + | + x1 + << (uint32_t)24U; + os[i] = x13; + } + } + { + uint32_t + *wv_a13 = + wv + + c * (uint32_t)4U; + uint32_t + *wv_b14 = + wv + + d * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; 
+ i + < (uint32_t)4U; + i++) + { + uint32_t + *os = wv_a13; + uint32_t + x1 = + wv_a13[i] + + wv_b14[i]; + os[i] = x1; + } + } + { + uint32_t + *wv_a14 = + wv + + b * (uint32_t)4U; + uint32_t + *wv_b = + wv + + c * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t + *os = wv_a14; + uint32_t + x1 = + wv_a14[i] + ^ wv_b[i]; + os[i] = x1; + } + } + { + uint32_t + *r113 = wv_a14; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t + *os = r113; + uint32_t + x1 = r113[i]; + uint32_t + x13 = + x1 + >> + (uint32_t)7U + | + x1 + << + (uint32_t)25U; + os[i] = x13; + } + } + { + uint32_t + *r114 = + wv + + + (uint32_t)1U + * (uint32_t)4U; + uint32_t + *r2 = + wv + + + (uint32_t)2U + * (uint32_t)4U; + uint32_t + *r3 = + wv + + + (uint32_t)3U + * (uint32_t)4U; + uint32_t + *r11 = r114; + uint32_t + x03 = r11[3U]; + uint32_t + x13 = + r11[((uint32_t)3U + + (uint32_t)1U) + % (uint32_t)4U]; + uint32_t + x23 = + r11[((uint32_t)3U + + (uint32_t)2U) + % (uint32_t)4U]; + uint32_t + x33 = + r11[((uint32_t)3U + + (uint32_t)3U) + % (uint32_t)4U]; + r11[0U] = x03; + r11[1U] = x13; + r11[2U] = x23; + r11[3U] = x33; + { + uint32_t + *r115 = r2; + uint32_t + x04 = r115[2U]; + uint32_t + x14 = + r115[((uint32_t)2U + + (uint32_t)1U) + % (uint32_t)4U]; + uint32_t + x24 = + r115[((uint32_t)2U + + (uint32_t)2U) + % (uint32_t)4U]; + uint32_t + x34 = + r115[((uint32_t)2U + + (uint32_t)3U) + % (uint32_t)4U]; + r115[0U] = x04; + r115[1U] = x14; + r115[2U] = x24; + r115[3U] = x34; + { + uint32_t + *r116 = r3; + uint32_t + x0 = r116[1U]; + uint32_t + x1 = + r116[((uint32_t)1U + + + (uint32_t)1U) + % + (uint32_t)4U]; + uint32_t + x2 = + r116[((uint32_t)1U + + + (uint32_t)2U) + % + (uint32_t)4U]; + uint32_t + x3 = + r116[((uint32_t)1U + + + (uint32_t)3U) + % + (uint32_t)4U]; + r116[0U] = x0; + r116[1U] = x1; + r116[2U] = x2; + r116[3U] = x3; + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + 
} + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + s00 = s + (uint32_t)0U * (uint32_t)4U; + s16 = s + (uint32_t)1U * (uint32_t)4U; + r00 = wv + (uint32_t)0U * (uint32_t)4U; + r10 = wv + (uint32_t)1U * (uint32_t)4U; + r20 = wv + (uint32_t)2U * (uint32_t)4U; + r30 = wv + (uint32_t)3U * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s00; + uint32_t x = s00[i] ^ r00[i]; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s00; + uint32_t x = s00[i] ^ r20[i]; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s16; + uint32_t x = s16[i] ^ r10[i]; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s16; + uint32_t x = s16[i] ^ r30[i]; + os[i] = x; + } + } + return (uint64_t)0U; + } + } + } + } + } +} + +FStar_UInt128_uint128 +Hacl_Hash_Blake2_update_last_blake2b_32( + uint64_t *s, + FStar_UInt128_uint128 ev, + FStar_UInt128_uint128 prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)128U; + uint32_t blocks_len0 = blocks_n * (uint32_t)128U; + uint32_t rest_len0 = input_len - blocks_len0; + K___uint32_t_uint32_t_uint32_t scrut0; + if (rest_len0 == (uint32_t)0U && blocks_n > (uint32_t)0U) + { + uint32_t blocks_n1 = blocks_n - (uint32_t)1U; + uint32_t blocks_len1 = blocks_len0 - (uint32_t)128U; + uint32_t rest_len1 = (uint32_t)128U; + K___uint32_t_uint32_t_uint32_t lit; + lit.fst = blocks_n1; + lit.snd = blocks_len1; + lit.thd = rest_len1; + scrut0 = lit; + } + else + { + K___uint32_t_uint32_t_uint32_t lit; + lit.fst = blocks_n; + lit.snd = blocks_len0; + lit.thd = rest_len0; + scrut0 = lit; + } + { + uint32_t num_blocks0 = scrut0.fst; + uint32_t blocks_len = scrut0.snd; + uint32_t rest_len1 = scrut0.thd; + uint8_t *blocks0 = input; + uint8_t *rest0 = input + blocks_len; + 
K___uint32_t_uint32_t_uint32_t__uint8_t___uint8_t_ lit; + K___uint32_t_uint32_t_uint32_t__uint8_t___uint8_t_ scrut; + uint32_t num_blocks; + uint32_t rest_len; + uint8_t *blocks; + uint8_t *rest; + FStar_UInt128_uint128 ev_; + lit.fst = num_blocks0; + lit.snd = blocks_len; + lit.thd = rest_len1; + lit.f3 = blocks0; + lit.f4 = rest0; + scrut = lit; + num_blocks = scrut.fst; + rest_len = scrut.thd; + blocks = scrut.f3; + rest = scrut.f4; + ev_ = Hacl_Hash_Blake2_update_multi_blake2b_32(s, ev, blocks, num_blocks); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * (uint32_t)4U); + { + uint64_t wv[(uint32_t)4U * (uint32_t)4U]; + memset(wv, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + { + uint8_t tmp[128U] = { 0U }; + uint8_t *tmp_rest = tmp; + FStar_UInt128_uint128 totlen; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + totlen = FStar_UInt128_add_mod(ev_, FStar_UInt128_uint64_to_uint128((uint64_t)rest_len)); + { + uint64_t m_w[16U] = { 0U }; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t *os = m_w; + uint8_t *bj = tmp + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + } + { + uint64_t mask[4U] = { 0U }; + uint64_t wv_14 = (uint64_t)0xFFFFFFFFFFFFFFFFU; + uint64_t wv_15 = (uint64_t)0U; + uint64_t *wv3; + uint64_t *s00; + uint64_t *s16; + uint64_t *r00; + uint64_t *r10; + uint64_t *r20; + uint64_t *r30; + mask[0U] = FStar_UInt128_uint128_to_uint64(totlen); + mask[1U] = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(totlen, (uint32_t)64U)); + mask[2U] = wv_14; + mask[3U] = wv_15; + memcpy(wv, s, (uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + wv3 = wv + (uint32_t)3U * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv3; + uint64_t x = wv3[i] ^ mask[i]; + os[i] = x; + } + } + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)12U; i0++) + { + uint32_t start_idx = i0 % (uint32_t)10U * 
(uint32_t)16U; + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * (uint32_t)4U); + { + uint64_t m_st[(uint32_t)4U * (uint32_t)4U]; + memset(m_st, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + { + uint64_t *r0 = m_st + (uint32_t)0U * (uint32_t)4U; + uint64_t *r1 = m_st + (uint32_t)1U * (uint32_t)4U; + uint64_t *r21 = m_st + (uint32_t)2U * (uint32_t)4U; + uint64_t *r31 = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + uint64_t uu____0 = m_w[s2]; + uint64_t uu____1 = m_w[s4]; + uint64_t uu____2 = m_w[s6]; + r0[0U] = m_w[s0]; + r0[1U] = uu____0; + r0[2U] = uu____1; + r0[3U] = uu____2; + { + uint64_t uu____3 = m_w[s3]; + uint64_t uu____4 = m_w[s5]; + uint64_t uu____5 = m_w[s7]; + r1[0U] = m_w[s1]; + 
r1[1U] = uu____3; + r1[2U] = uu____4; + r1[3U] = uu____5; + { + uint64_t uu____6 = m_w[s10]; + uint64_t uu____7 = m_w[s12]; + uint64_t uu____8 = m_w[s14]; + r21[0U] = m_w[s8]; + r21[1U] = uu____6; + r21[2U] = uu____7; + r21[3U] = uu____8; + { + uint64_t uu____9 = m_w[s11]; + uint64_t uu____10 = m_w[s13]; + uint64_t uu____11 = m_w[s15]; + r31[0U] = m_w[s9]; + r31[1U] = uu____9; + r31[2U] = uu____10; + r31[3U] = uu____11; + { + uint64_t *x = m_st + (uint32_t)0U * (uint32_t)4U; + uint64_t *y = m_st + (uint32_t)1U * (uint32_t)4U; + uint64_t *z = m_st + (uint32_t)2U * (uint32_t)4U; + uint64_t *w = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d0 = (uint32_t)3U; + uint64_t *wv_a0 = wv + a * (uint32_t)4U; + uint64_t *wv_b0 = wv + b0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a0; + uint64_t x1 = wv_a0[i] + wv_b0[i]; + os[i] = x1; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a0; + uint64_t x1 = wv_a0[i] + x[i]; + os[i] = x1; + } + } + { + uint64_t *wv_a1 = wv + d0 * (uint32_t)4U; + uint64_t *wv_b1 = wv + a * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a1; + uint64_t x1 = wv_a1[i] ^ wv_b1[i]; + os[i] = x1; + } + } + { + uint64_t *r12 = wv_a1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r12; + uint64_t x1 = r12[i]; + uint64_t x10 = x1 >> (uint32_t)32U | x1 << (uint32_t)32U; + os[i] = x10; + } + } + { + uint64_t *wv_a2 = wv + c0 * (uint32_t)4U; + uint64_t *wv_b2 = wv + d0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a2; + uint64_t x1 = wv_a2[i] + wv_b2[i]; + os[i] = x1; + } + } + { + uint64_t *wv_a3 = wv + b0 * (uint32_t)4U; + uint64_t *wv_b3 = wv + c0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < 
(uint32_t)4U; i++) + { + uint64_t *os = wv_a3; + uint64_t x1 = wv_a3[i] ^ wv_b3[i]; + os[i] = x1; + } + } + { + uint64_t *r13 = wv_a3; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r13; + uint64_t x1 = r13[i]; + uint64_t x10 = x1 >> (uint32_t)24U | x1 << (uint32_t)40U; + os[i] = x10; + } + } + { + uint64_t *wv_a4 = wv + a * (uint32_t)4U; + uint64_t *wv_b4 = wv + b0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a4; + uint64_t x1 = wv_a4[i] + wv_b4[i]; + os[i] = x1; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a4; + uint64_t x1 = wv_a4[i] + y[i]; + os[i] = x1; + } + } + { + uint64_t *wv_a5 = wv + d0 * (uint32_t)4U; + uint64_t *wv_b5 = wv + a * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a5; + uint64_t x1 = wv_a5[i] ^ wv_b5[i]; + os[i] = x1; + } + } + { + uint64_t *r14 = wv_a5; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r14; + uint64_t x1 = r14[i]; + uint64_t + x10 = x1 >> (uint32_t)16U | x1 << (uint32_t)48U; + os[i] = x10; + } + } + { + uint64_t *wv_a6 = wv + c0 * (uint32_t)4U; + uint64_t *wv_b6 = wv + d0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a6; + uint64_t x1 = wv_a6[i] + wv_b6[i]; + os[i] = x1; + } + } + { + uint64_t *wv_a7 = wv + b0 * (uint32_t)4U; + uint64_t *wv_b7 = wv + c0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a7; + uint64_t x1 = wv_a7[i] ^ wv_b7[i]; + os[i] = x1; + } + } + { + uint64_t *r15 = wv_a7; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r15; + uint64_t x1 = r15[i]; + uint64_t + x10 = x1 >> (uint32_t)63U | x1 << (uint32_t)1U; + os[i] = x10; + } + } + { + uint64_t + *r16 = wv + (uint32_t)1U * (uint32_t)4U; + uint64_t + *r22 = 
wv + (uint32_t)2U * (uint32_t)4U; + uint64_t + *r32 = wv + (uint32_t)3U * (uint32_t)4U; + uint64_t *r110 = r16; + uint64_t x00 = r110[1U]; + uint64_t + x10 = + r110[((uint32_t)1U + (uint32_t)1U) + % (uint32_t)4U]; + uint64_t + x20 = + r110[((uint32_t)1U + (uint32_t)2U) + % (uint32_t)4U]; + uint64_t + x30 = + r110[((uint32_t)1U + (uint32_t)3U) + % (uint32_t)4U]; + r110[0U] = x00; + r110[1U] = x10; + r110[2U] = x20; + r110[3U] = x30; + { + uint64_t *r111 = r22; + uint64_t x01 = r111[2U]; + uint64_t + x11 = + r111[((uint32_t)2U + (uint32_t)1U) + % (uint32_t)4U]; + uint64_t + x21 = + r111[((uint32_t)2U + (uint32_t)2U) + % (uint32_t)4U]; + uint64_t + x31 = + r111[((uint32_t)2U + (uint32_t)3U) + % (uint32_t)4U]; + r111[0U] = x01; + r111[1U] = x11; + r111[2U] = x21; + r111[3U] = x31; + { + uint64_t *r112 = r32; + uint64_t x02 = r112[3U]; + uint64_t + x12 = + r112[((uint32_t)3U + (uint32_t)1U) + % (uint32_t)4U]; + uint64_t + x22 = + r112[((uint32_t)3U + (uint32_t)2U) + % (uint32_t)4U]; + uint64_t + x32 = + r112[((uint32_t)3U + (uint32_t)3U) + % (uint32_t)4U]; + r112[0U] = x02; + r112[1U] = x12; + r112[2U] = x22; + r112[3U] = x32; + { + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d = (uint32_t)3U; + uint64_t *wv_a = wv + a0 * (uint32_t)4U; + uint64_t *wv_b8 = wv + b * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = wv_a; + uint64_t x1 = wv_a[i] + wv_b8[i]; + os[i] = x1; + } + } + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = wv_a; + uint64_t x1 = wv_a[i] + z[i]; + os[i] = x1; + } + } + { + uint64_t *wv_a8 = wv + d * (uint32_t)4U; + uint64_t + *wv_b9 = wv + a0 * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = wv_a8; + uint64_t x1 = wv_a8[i] ^ wv_b9[i]; + os[i] = x1; + } + } + { + uint64_t *r17 = wv_a8; + { + uint32_t i; + for + (i + = (uint32_t)0U; + 
i + < (uint32_t)4U; + i++) + { + uint64_t *os = r17; + uint64_t x1 = r17[i]; + uint64_t + x13 = + x1 + >> (uint32_t)32U + | x1 << (uint32_t)32U; + os[i] = x13; + } + } + { + uint64_t + *wv_a9 = wv + c * (uint32_t)4U; + uint64_t + *wv_b10 = wv + d * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = wv_a9; + uint64_t + x1 = wv_a9[i] + wv_b10[i]; + os[i] = x1; + } + } + { + uint64_t + *wv_a10 = wv + b * (uint32_t)4U; + uint64_t + *wv_b11 = wv + c * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = wv_a10; + uint64_t + x1 = wv_a10[i] ^ wv_b11[i]; + os[i] = x1; + } + } + { + uint64_t *r18 = wv_a10; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = r18; + uint64_t x1 = r18[i]; + uint64_t + x13 = + x1 + >> (uint32_t)24U + | x1 << (uint32_t)40U; + os[i] = x13; + } + } + { + uint64_t + *wv_a11 = + wv + + a0 * (uint32_t)4U; + uint64_t + *wv_b12 = + wv + + b * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = wv_a11; + uint64_t + x1 = wv_a11[i] + wv_b12[i]; + os[i] = x1; + } + } + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = wv_a11; + uint64_t + x1 = wv_a11[i] + w[i]; + os[i] = x1; + } + } + { + uint64_t + *wv_a12 = + wv + + d * (uint32_t)4U; + uint64_t + *wv_b13 = + wv + + a0 * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = wv_a12; + uint64_t + x1 = + wv_a12[i] + ^ wv_b13[i]; + os[i] = x1; + } + } + { + uint64_t *r19 = wv_a12; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = r19; + uint64_t x1 = r19[i]; + uint64_t + x13 = + x1 + >> (uint32_t)16U + | + x1 + << (uint32_t)48U; + os[i] = x13; + } + } + { + uint64_t + *wv_a13 = + wv + + c * (uint32_t)4U; + uint64_t + *wv_b14 = + wv + + d * 
(uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t + *os = wv_a13; + uint64_t + x1 = + wv_a13[i] + + wv_b14[i]; + os[i] = x1; + } + } + { + uint64_t + *wv_a14 = + wv + + b * (uint32_t)4U; + uint64_t + *wv_b = + wv + + c * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t + *os = wv_a14; + uint64_t + x1 = + wv_a14[i] + ^ wv_b[i]; + os[i] = x1; + } + } + { + uint64_t + *r113 = wv_a14; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t + *os = r113; + uint64_t + x1 = r113[i]; + uint64_t + x13 = + x1 + >> + (uint32_t)63U + | + x1 + << + (uint32_t)1U; + os[i] = x13; + } + } + { + uint64_t + *r114 = + wv + + + (uint32_t)1U + * (uint32_t)4U; + uint64_t + *r2 = + wv + + + (uint32_t)2U + * (uint32_t)4U; + uint64_t + *r3 = + wv + + + (uint32_t)3U + * (uint32_t)4U; + uint64_t + *r11 = r114; + uint64_t + x03 = r11[3U]; + uint64_t + x13 = + r11[((uint32_t)3U + + (uint32_t)1U) + % (uint32_t)4U]; + uint64_t + x23 = + r11[((uint32_t)3U + + (uint32_t)2U) + % (uint32_t)4U]; + uint64_t + x33 = + r11[((uint32_t)3U + + (uint32_t)3U) + % (uint32_t)4U]; + r11[0U] = x03; + r11[1U] = x13; + r11[2U] = x23; + r11[3U] = x33; + { + uint64_t + *r115 = r2; + uint64_t + x04 = r115[2U]; + uint64_t + x14 = + r115[((uint32_t)2U + + (uint32_t)1U) + % (uint32_t)4U]; + uint64_t + x24 = + r115[((uint32_t)2U + + (uint32_t)2U) + % (uint32_t)4U]; + uint64_t + x34 = + r115[((uint32_t)2U + + (uint32_t)3U) + % (uint32_t)4U]; + r115[0U] = x04; + r115[1U] = x14; + r115[2U] = x24; + r115[3U] = x34; + { + uint64_t + *r116 = r3; + uint64_t + x0 = r116[1U]; + uint64_t + x1 = + r116[((uint32_t)1U + + + (uint32_t)1U) + % + (uint32_t)4U]; + uint64_t + x2 = + r116[((uint32_t)1U + + + (uint32_t)2U) + % + (uint32_t)4U]; + uint64_t + x3 = + r116[((uint32_t)1U + + + (uint32_t)3U) + % + (uint32_t)4U]; + r116[0U] = x0; + r116[1U] = x1; + r116[2U] = x2; + r116[3U] = x3; + } + } + 
} + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + s00 = s + (uint32_t)0U * (uint32_t)4U; + s16 = s + (uint32_t)1U * (uint32_t)4U; + r00 = wv + (uint32_t)0U * (uint32_t)4U; + r10 = wv + (uint32_t)1U * (uint32_t)4U; + r20 = wv + (uint32_t)2U * (uint32_t)4U; + r30 = wv + (uint32_t)3U * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s00; + uint64_t x = s00[i] ^ r00[i]; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s00; + uint64_t x = s00[i] ^ r20[i]; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s16; + uint64_t x = s16[i] ^ r10[i]; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s16; + uint64_t x = s16[i] ^ r30[i]; + os[i] = x; + } + } + return FStar_UInt128_uint64_to_uint128((uint64_t)0U); + } + } + } + } + } +} + +void Hacl_Hash_Blake2_hash_blake2s_32(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + Hacl_Blake2s_32_blake2s((uint32_t)32U, dst, input_len, input, (uint32_t)0U, NULL); +} + +void Hacl_Hash_Blake2_hash_blake2b_32(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + Hacl_Blake2b_32_blake2b((uint32_t)64U, dst, input_len, input, (uint32_t)0U, NULL); +} + +static inline void +blake2b_update_block( + uint64_t *wv, + uint64_t *hash, + bool flag, + FStar_UInt128_uint128 totlen, + uint8_t *d +) +{ + uint64_t m_w[16U] = { 0U }; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t *os = m_w; + uint8_t *bj = d + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + } + { + uint64_t mask[4U] = { 0U }; + uint64_t wv_14; + if (flag) + { + wv_14 = (uint64_t)0xFFFFFFFFFFFFFFFFU; + } + else + { + wv_14 = (uint64_t)0U; + } + { + uint64_t wv_15 = (uint64_t)0U; + 
uint64_t *wv3; + uint64_t *s00; + uint64_t *s16; + uint64_t *r00; + uint64_t *r10; + uint64_t *r20; + uint64_t *r30; + mask[0U] = FStar_UInt128_uint128_to_uint64(totlen); + mask[1U] = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(totlen, (uint32_t)64U)); + mask[2U] = wv_14; + mask[3U] = wv_15; + memcpy(wv, hash, (uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + wv3 = wv + (uint32_t)3U * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv3; + uint64_t x = wv3[i] ^ mask[i]; + os[i] = x; + } + } + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)12U; i0++) + { + uint32_t start_idx = i0 % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * (uint32_t)4U); + { + uint64_t m_st[(uint32_t)4U * (uint32_t)4U]; + memset(m_st, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + { + uint64_t *r0 = m_st + (uint32_t)0U * (uint32_t)4U; + uint64_t *r1 = m_st + (uint32_t)1U * (uint32_t)4U; + uint64_t *r21 = m_st + (uint32_t)2U * (uint32_t)4U; + uint64_t *r31 = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = 
Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + uint64_t uu____0 = m_w[s2]; + uint64_t uu____1 = m_w[s4]; + uint64_t uu____2 = m_w[s6]; + r0[0U] = m_w[s0]; + r0[1U] = uu____0; + r0[2U] = uu____1; + r0[3U] = uu____2; + { + uint64_t uu____3 = m_w[s3]; + uint64_t uu____4 = m_w[s5]; + uint64_t uu____5 = m_w[s7]; + r1[0U] = m_w[s1]; + r1[1U] = uu____3; + r1[2U] = uu____4; + r1[3U] = uu____5; + { + uint64_t uu____6 = m_w[s10]; + uint64_t uu____7 = m_w[s12]; + uint64_t uu____8 = m_w[s14]; + r21[0U] = m_w[s8]; + r21[1U] = uu____6; + r21[2U] = uu____7; + r21[3U] = uu____8; + { + uint64_t uu____9 = m_w[s11]; + uint64_t uu____10 = m_w[s13]; + uint64_t uu____11 = m_w[s15]; + r31[0U] = m_w[s9]; + r31[1U] = uu____9; + r31[2U] = uu____10; + r31[3U] = uu____11; + { + uint64_t *x = m_st + (uint32_t)0U * (uint32_t)4U; + uint64_t *y = m_st + (uint32_t)1U * (uint32_t)4U; + uint64_t *z = m_st + (uint32_t)2U * (uint32_t)4U; + uint64_t *w = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d10 = (uint32_t)3U; + uint64_t *wv_a0 = wv + a * (uint32_t)4U; + uint64_t *wv_b0 = wv + b0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a0; + uint64_t x1 = wv_a0[i] + wv_b0[i]; + os[i] = x1; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a0; + uint64_t x1 = wv_a0[i] + x[i]; + os[i] = x1; + } + } + { + uint64_t *wv_a1 = wv + d10 * (uint32_t)4U; + uint64_t *wv_b1 = wv + a * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + 
uint64_t *os = wv_a1; + uint64_t x1 = wv_a1[i] ^ wv_b1[i]; + os[i] = x1; + } + } + { + uint64_t *r12 = wv_a1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r12; + uint64_t x1 = r12[i]; + uint64_t x10 = x1 >> (uint32_t)32U | x1 << (uint32_t)32U; + os[i] = x10; + } + } + { + uint64_t *wv_a2 = wv + c0 * (uint32_t)4U; + uint64_t *wv_b2 = wv + d10 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a2; + uint64_t x1 = wv_a2[i] + wv_b2[i]; + os[i] = x1; + } + } + { + uint64_t *wv_a3 = wv + b0 * (uint32_t)4U; + uint64_t *wv_b3 = wv + c0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a3; + uint64_t x1 = wv_a3[i] ^ wv_b3[i]; + os[i] = x1; + } + } + { + uint64_t *r13 = wv_a3; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r13; + uint64_t x1 = r13[i]; + uint64_t x10 = x1 >> (uint32_t)24U | x1 << (uint32_t)40U; + os[i] = x10; + } + } + { + uint64_t *wv_a4 = wv + a * (uint32_t)4U; + uint64_t *wv_b4 = wv + b0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a4; + uint64_t x1 = wv_a4[i] + wv_b4[i]; + os[i] = x1; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a4; + uint64_t x1 = wv_a4[i] + y[i]; + os[i] = x1; + } + } + { + uint64_t *wv_a5 = wv + d10 * (uint32_t)4U; + uint64_t *wv_b5 = wv + a * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a5; + uint64_t x1 = wv_a5[i] ^ wv_b5[i]; + os[i] = x1; + } + } + { + uint64_t *r14 = wv_a5; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r14; + uint64_t x1 = r14[i]; + uint64_t x10 = x1 >> (uint32_t)16U | x1 << (uint32_t)48U; + os[i] = x10; + } + } + { + uint64_t *wv_a6 = wv + c0 * (uint32_t)4U; + uint64_t *wv_b6 = wv + d10 * (uint32_t)4U; + { + 
uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a6; + uint64_t x1 = wv_a6[i] + wv_b6[i]; + os[i] = x1; + } + } + { + uint64_t *wv_a7 = wv + b0 * (uint32_t)4U; + uint64_t *wv_b7 = wv + c0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a7; + uint64_t x1 = wv_a7[i] ^ wv_b7[i]; + os[i] = x1; + } + } + { + uint64_t *r15 = wv_a7; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r15; + uint64_t x1 = r15[i]; + uint64_t + x10 = x1 >> (uint32_t)63U | x1 << (uint32_t)1U; + os[i] = x10; + } + } + { + uint64_t *r16 = wv + (uint32_t)1U * (uint32_t)4U; + uint64_t *r22 = wv + (uint32_t)2U * (uint32_t)4U; + uint64_t *r32 = wv + (uint32_t)3U * (uint32_t)4U; + uint64_t *r110 = r16; + uint64_t x00 = r110[1U]; + uint64_t + x10 = + r110[((uint32_t)1U + (uint32_t)1U) + % (uint32_t)4U]; + uint64_t + x20 = + r110[((uint32_t)1U + (uint32_t)2U) + % (uint32_t)4U]; + uint64_t + x30 = + r110[((uint32_t)1U + (uint32_t)3U) + % (uint32_t)4U]; + r110[0U] = x00; + r110[1U] = x10; + r110[2U] = x20; + r110[3U] = x30; + { + uint64_t *r111 = r22; + uint64_t x01 = r111[2U]; + uint64_t + x11 = + r111[((uint32_t)2U + (uint32_t)1U) + % (uint32_t)4U]; + uint64_t + x21 = + r111[((uint32_t)2U + (uint32_t)2U) + % (uint32_t)4U]; + uint64_t + x31 = + r111[((uint32_t)2U + (uint32_t)3U) + % (uint32_t)4U]; + r111[0U] = x01; + r111[1U] = x11; + r111[2U] = x21; + r111[3U] = x31; + { + uint64_t *r112 = r32; + uint64_t x02 = r112[3U]; + uint64_t + x12 = + r112[((uint32_t)3U + (uint32_t)1U) + % (uint32_t)4U]; + uint64_t + x22 = + r112[((uint32_t)3U + (uint32_t)2U) + % (uint32_t)4U]; + uint64_t + x32 = + r112[((uint32_t)3U + (uint32_t)3U) + % (uint32_t)4U]; + r112[0U] = x02; + r112[1U] = x12; + r112[2U] = x22; + r112[3U] = x32; + { + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d1 = (uint32_t)3U; + uint64_t *wv_a = wv + a0 * (uint32_t)4U; + 
uint64_t *wv_b8 = wv + b * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a; + uint64_t x1 = wv_a[i] + wv_b8[i]; + os[i] = x1; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a; + uint64_t x1 = wv_a[i] + z[i]; + os[i] = x1; + } + } + { + uint64_t *wv_a8 = wv + d1 * (uint32_t)4U; + uint64_t *wv_b9 = wv + a0 * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = wv_a8; + uint64_t x1 = wv_a8[i] ^ wv_b9[i]; + os[i] = x1; + } + } + { + uint64_t *r17 = wv_a8; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = r17; + uint64_t x1 = r17[i]; + uint64_t + x13 = + x1 + >> (uint32_t)32U + | x1 << (uint32_t)32U; + os[i] = x13; + } + } + { + uint64_t *wv_a9 = wv + c * (uint32_t)4U; + uint64_t *wv_b10 = wv + d1 * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = wv_a9; + uint64_t x1 = wv_a9[i] + wv_b10[i]; + os[i] = x1; + } + } + { + uint64_t + *wv_a10 = wv + b * (uint32_t)4U; + uint64_t + *wv_b11 = wv + c * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = wv_a10; + uint64_t x1 = wv_a10[i] ^ wv_b11[i]; + os[i] = x1; + } + } + { + uint64_t *r18 = wv_a10; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = r18; + uint64_t x1 = r18[i]; + uint64_t + x13 = + x1 + >> (uint32_t)24U + | x1 << (uint32_t)40U; + os[i] = x13; + } + } + { + uint64_t + *wv_a11 = wv + a0 * (uint32_t)4U; + uint64_t + *wv_b12 = wv + b * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = wv_a11; + uint64_t + x1 = wv_a11[i] + wv_b12[i]; + os[i] = x1; + } + } + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = wv_a11; + uint64_t x1 = 
wv_a11[i] + w[i]; + os[i] = x1; + } + } + { + uint64_t + *wv_a12 = wv + d1 * (uint32_t)4U; + uint64_t + *wv_b13 = wv + a0 * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = wv_a12; + uint64_t + x1 = wv_a12[i] ^ wv_b13[i]; + os[i] = x1; + } + } + { + uint64_t *r19 = wv_a12; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = r19; + uint64_t x1 = r19[i]; + uint64_t + x13 = + x1 + >> (uint32_t)16U + | x1 << (uint32_t)48U; + os[i] = x13; + } + } + { + uint64_t + *wv_a13 = + wv + + c * (uint32_t)4U; + uint64_t + *wv_b14 = + wv + + d1 * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = wv_a13; + uint64_t + x1 = wv_a13[i] + wv_b14[i]; + os[i] = x1; + } + } + { + uint64_t + *wv_a14 = + wv + + b * (uint32_t)4U; + uint64_t + *wv_b = + wv + + c * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = wv_a14; + uint64_t + x1 = wv_a14[i] ^ wv_b[i]; + os[i] = x1; + } + } + { + uint64_t *r113 = wv_a14; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint64_t *os = r113; + uint64_t x1 = r113[i]; + uint64_t + x13 = + x1 + >> (uint32_t)63U + | x1 << (uint32_t)1U; + os[i] = x13; + } + } + { + uint64_t + *r114 = + wv + + + (uint32_t)1U + * (uint32_t)4U; + uint64_t + *r2 = + wv + + + (uint32_t)2U + * (uint32_t)4U; + uint64_t + *r3 = + wv + + + (uint32_t)3U + * (uint32_t)4U; + uint64_t *r11 = r114; + uint64_t x03 = r11[3U]; + uint64_t + x13 = + r11[((uint32_t)3U + + (uint32_t)1U) + % (uint32_t)4U]; + uint64_t + x23 = + r11[((uint32_t)3U + + (uint32_t)2U) + % (uint32_t)4U]; + uint64_t + x33 = + r11[((uint32_t)3U + + (uint32_t)3U) + % (uint32_t)4U]; + r11[0U] = x03; + r11[1U] = x13; + r11[2U] = x23; + r11[3U] = x33; + { + uint64_t *r115 = r2; + uint64_t + x04 = r115[2U]; + uint64_t + x14 = + r115[((uint32_t)2U + + (uint32_t)1U) + % 
(uint32_t)4U]; + uint64_t + x24 = + r115[((uint32_t)2U + + (uint32_t)2U) + % (uint32_t)4U]; + uint64_t + x34 = + r115[((uint32_t)2U + + (uint32_t)3U) + % (uint32_t)4U]; + r115[0U] = x04; + r115[1U] = x14; + r115[2U] = x24; + r115[3U] = x34; + { + uint64_t *r116 = r3; + uint64_t + x0 = r116[1U]; + uint64_t + x1 = + r116[((uint32_t)1U + + (uint32_t)1U) + % (uint32_t)4U]; + uint64_t + x2 = + r116[((uint32_t)1U + + (uint32_t)2U) + % (uint32_t)4U]; + uint64_t + x3 = + r116[((uint32_t)1U + + (uint32_t)3U) + % (uint32_t)4U]; + r116[0U] = x0; + r116[1U] = x1; + r116[2U] = x2; + r116[3U] = x3; + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + s00 = hash + (uint32_t)0U * (uint32_t)4U; + s16 = hash + (uint32_t)1U * (uint32_t)4U; + r00 = wv + (uint32_t)0U * (uint32_t)4U; + r10 = wv + (uint32_t)1U * (uint32_t)4U; + r20 = wv + (uint32_t)2U * (uint32_t)4U; + r30 = wv + (uint32_t)3U * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s00; + uint64_t x = s00[i] ^ r00[i]; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s00; + uint64_t x = s00[i] ^ r20[i]; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s16; + uint64_t x = s16[i] ^ r10[i]; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s16; + uint64_t x = s16[i] ^ r30[i]; + os[i] = x; + } + } + } + } +} + +void Hacl_Blake2b_32_blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn) +{ + uint64_t *r0 = hash + (uint32_t)0U * (uint32_t)4U; + uint64_t *r1 = hash + (uint32_t)1U * (uint32_t)4U; + uint64_t *r2 = hash + (uint32_t)2U * (uint32_t)4U; + uint64_t *r3 = hash + (uint32_t)3U * (uint32_t)4U; + uint64_t iv0 = Hacl_Impl_Blake2_Constants_ivTable_B[0U]; + uint64_t iv1 = Hacl_Impl_Blake2_Constants_ivTable_B[1U]; 
+ uint64_t iv2 = Hacl_Impl_Blake2_Constants_ivTable_B[2U]; + uint64_t iv3 = Hacl_Impl_Blake2_Constants_ivTable_B[3U]; + uint64_t iv4 = Hacl_Impl_Blake2_Constants_ivTable_B[4U]; + uint64_t iv5 = Hacl_Impl_Blake2_Constants_ivTable_B[5U]; + uint64_t iv6 = Hacl_Impl_Blake2_Constants_ivTable_B[6U]; + uint64_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; + uint64_t kk_shift_8; + uint64_t iv0_; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + kk_shift_8 = (uint64_t)kk << (uint32_t)8U; + iv0_ = iv0 ^ ((uint64_t)0x01010000U ^ (kk_shift_8 ^ (uint64_t)nn)); + r0[0U] = iv0_; + r0[1U] = iv1; + r0[2U] = iv2; + r0[3U] = iv3; + r1[0U] = iv4; + r1[1U] = iv5; + r1[2U] = iv6; + r1[3U] = iv7; +} + +void +Hacl_Blake2b_32_blake2b_update_key( + uint64_t *wv, + uint64_t *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll +) +{ + FStar_UInt128_uint128 lb = FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U); + uint8_t b[128U] = { 0U }; + memcpy(b, k, kk * sizeof (uint8_t)); + if (ll == (uint32_t)0U) + { + blake2b_update_block(wv, hash, true, lb, b); + } + else + { + blake2b_update_block(wv, hash, false, lb, b); + } + Lib_Memzero0_memzero(b, (uint32_t)128U * sizeof (b[0U])); +} + +void +Hacl_Blake2b_32_blake2b_update_multi( + uint32_t len, + uint64_t *wv, + uint64_t *hash, + FStar_UInt128_uint128 prev, + uint8_t *blocks, + uint32_t nb +) +{ + uint32_t i; + for (i = (uint32_t)0U; i < nb; i++) + { + FStar_UInt128_uint128 + totlen = + FStar_UInt128_add_mod(prev, + FStar_UInt128_uint64_to_uint128((uint64_t)((i + (uint32_t)1U) * (uint32_t)128U))); + uint8_t *b = blocks + i * (uint32_t)128U; + blake2b_update_block(wv, hash, false, totlen, b); + } +} + +void +Hacl_Blake2b_32_blake2b_update_last( + uint32_t len, + uint64_t *wv, + uint64_t *hash, + FStar_UInt128_uint128 prev, + uint32_t rem, + uint8_t *d +) +{ + uint8_t b[128U] = { 0U }; + uint8_t *last = d + len - rem; + FStar_UInt128_uint128 totlen; + memcpy(b, 
last, rem * sizeof (uint8_t)); + totlen = FStar_UInt128_add_mod(prev, FStar_UInt128_uint64_to_uint128((uint64_t)len)); + blake2b_update_block(wv, hash, true, totlen, b); + Lib_Memzero0_memzero(b, (uint32_t)128U * sizeof (b[0U])); +} + +static inline void +blake2b_update_blocks( + uint32_t len, + uint64_t *wv, + uint64_t *hash, + FStar_UInt128_uint128 prev, + uint8_t *blocks +) +{ + uint32_t nb0 = len / (uint32_t)128U; + uint32_t rem0 = len % (uint32_t)128U; + K___uint32_t_uint32_t scrut; + if (rem0 == (uint32_t)0U && nb0 > (uint32_t)0U) + { + uint32_t nb_ = nb0 - (uint32_t)1U; + uint32_t rem_ = (uint32_t)128U; + K___uint32_t_uint32_t lit; + lit.fst = nb_; + lit.snd = rem_; + scrut = lit; + } + else + { + K___uint32_t_uint32_t lit; + lit.fst = nb0; + lit.snd = rem0; + scrut = lit; + } + { + uint32_t nb = scrut.fst; + uint32_t rem = scrut.snd; + Hacl_Blake2b_32_blake2b_update_multi(len, wv, hash, prev, blocks, nb); + Hacl_Blake2b_32_blake2b_update_last(len, wv, hash, prev, rem, blocks); + } +} + +static inline void +blake2b_update(uint64_t *wv, uint64_t *hash, uint32_t kk, uint8_t *k, uint32_t ll, uint8_t *d) +{ + FStar_UInt128_uint128 lb = FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U); + if (kk > (uint32_t)0U) + { + Hacl_Blake2b_32_blake2b_update_key(wv, hash, kk, k, ll); + if (!(ll == (uint32_t)0U)) + { + blake2b_update_blocks(ll, wv, hash, lb, d); + return; + } + return; + } + blake2b_update_blocks(ll, + wv, + hash, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)0U), + d); +} + +void Hacl_Blake2b_32_blake2b_finish(uint32_t nn, uint8_t *output, uint64_t *hash) +{ + uint32_t double_row = (uint32_t)2U * ((uint32_t)4U * (uint32_t)8U); + KRML_CHECK_SIZE(sizeof (uint8_t), double_row); + { + uint8_t b[double_row]; + memset(b, 0U, double_row * sizeof (uint8_t)); + { + uint8_t *first = b; + uint8_t *second = b + (uint32_t)4U * (uint32_t)8U; + uint64_t *row0 = hash + (uint32_t)0U * (uint32_t)4U; + uint64_t *row1 = hash + (uint32_t)1U * (uint32_t)4U; + 
uint8_t *final; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store64_le(first + i * (uint32_t)8U, row0[i]); + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store64_le(second + i * (uint32_t)8U, row1[i]); + } + } + final = b; + memcpy(output, final, nn * sizeof (uint8_t)); + Lib_Memzero0_memzero(b, double_row * sizeof (b[0U])); + } + } +} + +void +Hacl_Blake2b_32_blake2b( + uint32_t nn, + uint8_t *output, + uint32_t ll, + uint8_t *d, + uint32_t kk, + uint8_t *k +) +{ + uint32_t stlen = (uint32_t)4U * (uint32_t)4U; + uint64_t stzero = (uint64_t)0U; + KRML_CHECK_SIZE(sizeof (uint64_t), stlen); + { + uint64_t b[stlen]; + { + uint32_t _i; + for (_i = 0U; _i < stlen; ++_i) + b[_i] = stzero; + } + KRML_CHECK_SIZE(sizeof (uint64_t), stlen); + { + uint64_t b1[stlen]; + { + uint32_t _i; + for (_i = 0U; _i < stlen; ++_i) + b1[_i] = stzero; + } + Hacl_Blake2b_32_blake2b_init(b, kk, nn); + blake2b_update(b1, b, kk, k, ll, d); + Hacl_Blake2b_32_blake2b_finish(nn, output, b); + Lib_Memzero0_memzero(b1, stlen * sizeof (b1[0U])); + Lib_Memzero0_memzero(b, stlen * sizeof (b[0U])); + } + } +} + +static inline void +blake2s_update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t *d) +{ + uint32_t m_w[16U] = { 0U }; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = m_w; + uint8_t *bj = d + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + } + { + uint32_t mask[4U] = { 0U }; + uint32_t wv_14; + if (flag) + { + wv_14 = (uint32_t)0xFFFFFFFFU; + } + else + { + wv_14 = (uint32_t)0U; + } + { + uint32_t wv_15 = (uint32_t)0U; + uint32_t *wv3; + uint32_t *s00; + uint32_t *s16; + uint32_t *r00; + uint32_t *r10; + uint32_t *r20; + uint32_t *r30; + mask[0U] = (uint32_t)totlen; + mask[1U] = (uint32_t)(totlen >> (uint32_t)32U); + mask[2U] = wv_14; + mask[3U] = wv_15; + memcpy(wv, hash, (uint32_t)4U * (uint32_t)4U * sizeof 
(uint32_t)); + wv3 = wv + (uint32_t)3U * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv3; + uint32_t x = wv3[i] ^ mask[i]; + os[i] = x; + } + } + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)10U; i0++) + { + uint32_t start_idx = i0 % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * (uint32_t)4U); + { + uint32_t m_st[(uint32_t)4U * (uint32_t)4U]; + memset(m_st, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + { + uint32_t *r0 = m_st + (uint32_t)0U * (uint32_t)4U; + uint32_t *r1 = m_st + (uint32_t)1U * (uint32_t)4U; + uint32_t *r21 = m_st + (uint32_t)2U * (uint32_t)4U; + uint32_t *r31 = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = 
Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + uint32_t uu____0 = m_w[s2]; + uint32_t uu____1 = m_w[s4]; + uint32_t uu____2 = m_w[s6]; + r0[0U] = m_w[s0]; + r0[1U] = uu____0; + r0[2U] = uu____1; + r0[3U] = uu____2; + { + uint32_t uu____3 = m_w[s3]; + uint32_t uu____4 = m_w[s5]; + uint32_t uu____5 = m_w[s7]; + r1[0U] = m_w[s1]; + r1[1U] = uu____3; + r1[2U] = uu____4; + r1[3U] = uu____5; + { + uint32_t uu____6 = m_w[s10]; + uint32_t uu____7 = m_w[s12]; + uint32_t uu____8 = m_w[s14]; + r21[0U] = m_w[s8]; + r21[1U] = uu____6; + r21[2U] = uu____7; + r21[3U] = uu____8; + { + uint32_t uu____9 = m_w[s11]; + uint32_t uu____10 = m_w[s13]; + uint32_t uu____11 = m_w[s15]; + r31[0U] = m_w[s9]; + r31[1U] = uu____9; + r31[2U] = uu____10; + r31[3U] = uu____11; + { + uint32_t *x = m_st + (uint32_t)0U * (uint32_t)4U; + uint32_t *y = m_st + (uint32_t)1U * (uint32_t)4U; + uint32_t *z = m_st + (uint32_t)2U * (uint32_t)4U; + uint32_t *w = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d10 = (uint32_t)3U; + uint32_t *wv_a0 = wv + a * (uint32_t)4U; + uint32_t *wv_b0 = wv + b0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a0; + uint32_t x1 = wv_a0[i] + wv_b0[i]; + os[i] = x1; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a0; + uint32_t x1 = wv_a0[i] + x[i]; + os[i] = x1; + } + } + { + uint32_t *wv_a1 = wv + d10 * (uint32_t)4U; + uint32_t *wv_b1 = wv + a * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a1; + uint32_t x1 = wv_a1[i] ^ wv_b1[i]; + os[i] = x1; + } + } + { + uint32_t *r12 = wv_a1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r12; + uint32_t x1 = r12[i]; + uint32_t x10 = x1 >> (uint32_t)16U | x1 << (uint32_t)16U; + os[i] = x10; + } + } + { + uint32_t *wv_a2 = wv + 
c0 * (uint32_t)4U; + uint32_t *wv_b2 = wv + d10 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a2; + uint32_t x1 = wv_a2[i] + wv_b2[i]; + os[i] = x1; + } + } + { + uint32_t *wv_a3 = wv + b0 * (uint32_t)4U; + uint32_t *wv_b3 = wv + c0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a3; + uint32_t x1 = wv_a3[i] ^ wv_b3[i]; + os[i] = x1; + } + } + { + uint32_t *r13 = wv_a3; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r13; + uint32_t x1 = r13[i]; + uint32_t x10 = x1 >> (uint32_t)12U | x1 << (uint32_t)20U; + os[i] = x10; + } + } + { + uint32_t *wv_a4 = wv + a * (uint32_t)4U; + uint32_t *wv_b4 = wv + b0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a4; + uint32_t x1 = wv_a4[i] + wv_b4[i]; + os[i] = x1; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a4; + uint32_t x1 = wv_a4[i] + y[i]; + os[i] = x1; + } + } + { + uint32_t *wv_a5 = wv + d10 * (uint32_t)4U; + uint32_t *wv_b5 = wv + a * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a5; + uint32_t x1 = wv_a5[i] ^ wv_b5[i]; + os[i] = x1; + } + } + { + uint32_t *r14 = wv_a5; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r14; + uint32_t x1 = r14[i]; + uint32_t x10 = x1 >> (uint32_t)8U | x1 << (uint32_t)24U; + os[i] = x10; + } + } + { + uint32_t *wv_a6 = wv + c0 * (uint32_t)4U; + uint32_t *wv_b6 = wv + d10 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a6; + uint32_t x1 = wv_a6[i] + wv_b6[i]; + os[i] = x1; + } + } + { + uint32_t *wv_a7 = wv + b0 * (uint32_t)4U; + uint32_t *wv_b7 = wv + c0 * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a7; + uint32_t 
x1 = wv_a7[i] ^ wv_b7[i]; + os[i] = x1; + } + } + { + uint32_t *r15 = wv_a7; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r15; + uint32_t x1 = r15[i]; + uint32_t + x10 = x1 >> (uint32_t)7U | x1 << (uint32_t)25U; + os[i] = x10; + } + } + { + uint32_t *r16 = wv + (uint32_t)1U * (uint32_t)4U; + uint32_t *r22 = wv + (uint32_t)2U * (uint32_t)4U; + uint32_t *r32 = wv + (uint32_t)3U * (uint32_t)4U; + uint32_t *r110 = r16; + uint32_t x00 = r110[1U]; + uint32_t + x10 = + r110[((uint32_t)1U + (uint32_t)1U) + % (uint32_t)4U]; + uint32_t + x20 = + r110[((uint32_t)1U + (uint32_t)2U) + % (uint32_t)4U]; + uint32_t + x30 = + r110[((uint32_t)1U + (uint32_t)3U) + % (uint32_t)4U]; + r110[0U] = x00; + r110[1U] = x10; + r110[2U] = x20; + r110[3U] = x30; + { + uint32_t *r111 = r22; + uint32_t x01 = r111[2U]; + uint32_t + x11 = + r111[((uint32_t)2U + (uint32_t)1U) + % (uint32_t)4U]; + uint32_t + x21 = + r111[((uint32_t)2U + (uint32_t)2U) + % (uint32_t)4U]; + uint32_t + x31 = + r111[((uint32_t)2U + (uint32_t)3U) + % (uint32_t)4U]; + r111[0U] = x01; + r111[1U] = x11; + r111[2U] = x21; + r111[3U] = x31; + { + uint32_t *r112 = r32; + uint32_t x02 = r112[3U]; + uint32_t + x12 = + r112[((uint32_t)3U + (uint32_t)1U) + % (uint32_t)4U]; + uint32_t + x22 = + r112[((uint32_t)3U + (uint32_t)2U) + % (uint32_t)4U]; + uint32_t + x32 = + r112[((uint32_t)3U + (uint32_t)3U) + % (uint32_t)4U]; + r112[0U] = x02; + r112[1U] = x12; + r112[2U] = x22; + r112[3U] = x32; + { + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d1 = (uint32_t)3U; + uint32_t *wv_a = wv + a0 * (uint32_t)4U; + uint32_t *wv_b8 = wv + b * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a; + uint32_t x1 = wv_a[i] + wv_b8[i]; + os[i] = x1; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a; + uint32_t x1 = wv_a[i] + z[i]; + os[i] = x1; + } + } + { 
+ uint32_t *wv_a8 = wv + d1 * (uint32_t)4U; + uint32_t *wv_b9 = wv + a0 * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = wv_a8; + uint32_t x1 = wv_a8[i] ^ wv_b9[i]; + os[i] = x1; + } + } + { + uint32_t *r17 = wv_a8; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = r17; + uint32_t x1 = r17[i]; + uint32_t + x13 = + x1 + >> (uint32_t)16U + | x1 << (uint32_t)16U; + os[i] = x13; + } + } + { + uint32_t *wv_a9 = wv + c * (uint32_t)4U; + uint32_t *wv_b10 = wv + d1 * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = wv_a9; + uint32_t x1 = wv_a9[i] + wv_b10[i]; + os[i] = x1; + } + } + { + uint32_t + *wv_a10 = wv + b * (uint32_t)4U; + uint32_t + *wv_b11 = wv + c * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = wv_a10; + uint32_t x1 = wv_a10[i] ^ wv_b11[i]; + os[i] = x1; + } + } + { + uint32_t *r18 = wv_a10; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = r18; + uint32_t x1 = r18[i]; + uint32_t + x13 = + x1 + >> (uint32_t)12U + | x1 << (uint32_t)20U; + os[i] = x13; + } + } + { + uint32_t + *wv_a11 = wv + a0 * (uint32_t)4U; + uint32_t + *wv_b12 = wv + b * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = wv_a11; + uint32_t + x1 = wv_a11[i] + wv_b12[i]; + os[i] = x1; + } + } + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = wv_a11; + uint32_t x1 = wv_a11[i] + w[i]; + os[i] = x1; + } + } + { + uint32_t + *wv_a12 = wv + d1 * (uint32_t)4U; + uint32_t + *wv_b13 = wv + a0 * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = wv_a12; + uint32_t + x1 = wv_a12[i] ^ wv_b13[i]; + os[i] = x1; + } + } + { + uint32_t *r19 = wv_a12; + { + uint32_t 
i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = r19; + uint32_t x1 = r19[i]; + uint32_t + x13 = + x1 + >> (uint32_t)8U + | x1 << (uint32_t)24U; + os[i] = x13; + } + } + { + uint32_t + *wv_a13 = + wv + + c * (uint32_t)4U; + uint32_t + *wv_b14 = + wv + + d1 * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = wv_a13; + uint32_t + x1 = wv_a13[i] + wv_b14[i]; + os[i] = x1; + } + } + { + uint32_t + *wv_a14 = + wv + + b * (uint32_t)4U; + uint32_t + *wv_b = + wv + + c * (uint32_t)4U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = wv_a14; + uint32_t + x1 = wv_a14[i] ^ wv_b[i]; + os[i] = x1; + } + } + { + uint32_t *r113 = wv_a14; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < (uint32_t)4U; + i++) + { + uint32_t *os = r113; + uint32_t x1 = r113[i]; + uint32_t + x13 = + x1 + >> (uint32_t)7U + | + x1 + << (uint32_t)25U; + os[i] = x13; + } + } + { + uint32_t + *r114 = + wv + + + (uint32_t)1U + * (uint32_t)4U; + uint32_t + *r2 = + wv + + + (uint32_t)2U + * (uint32_t)4U; + uint32_t + *r3 = + wv + + + (uint32_t)3U + * (uint32_t)4U; + uint32_t *r11 = r114; + uint32_t x03 = r11[3U]; + uint32_t + x13 = + r11[((uint32_t)3U + + (uint32_t)1U) + % (uint32_t)4U]; + uint32_t + x23 = + r11[((uint32_t)3U + + (uint32_t)2U) + % (uint32_t)4U]; + uint32_t + x33 = + r11[((uint32_t)3U + + (uint32_t)3U) + % (uint32_t)4U]; + r11[0U] = x03; + r11[1U] = x13; + r11[2U] = x23; + r11[3U] = x33; + { + uint32_t *r115 = r2; + uint32_t + x04 = r115[2U]; + uint32_t + x14 = + r115[((uint32_t)2U + + (uint32_t)1U) + % (uint32_t)4U]; + uint32_t + x24 = + r115[((uint32_t)2U + + (uint32_t)2U) + % (uint32_t)4U]; + uint32_t + x34 = + r115[((uint32_t)2U + + (uint32_t)3U) + % (uint32_t)4U]; + r115[0U] = x04; + r115[1U] = x14; + r115[2U] = x24; + r115[3U] = x34; + { + uint32_t *r116 = r3; + uint32_t + x0 = r116[1U]; + uint32_t + x1 = + r116[((uint32_t)1U + + 
(uint32_t)1U) + % (uint32_t)4U]; + uint32_t + x2 = + r116[((uint32_t)1U + + (uint32_t)2U) + % (uint32_t)4U]; + uint32_t + x3 = + r116[((uint32_t)1U + + (uint32_t)3U) + % (uint32_t)4U]; + r116[0U] = x0; + r116[1U] = x1; + r116[2U] = x2; + r116[3U] = x3; + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + s00 = hash + (uint32_t)0U * (uint32_t)4U; + s16 = hash + (uint32_t)1U * (uint32_t)4U; + r00 = wv + (uint32_t)0U * (uint32_t)4U; + r10 = wv + (uint32_t)1U * (uint32_t)4U; + r20 = wv + (uint32_t)2U * (uint32_t)4U; + r30 = wv + (uint32_t)3U * (uint32_t)4U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s00; + uint32_t x = s00[i] ^ r00[i]; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s00; + uint32_t x = s00[i] ^ r20[i]; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s16; + uint32_t x = s16[i] ^ r10[i]; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s16; + uint32_t x = s16[i] ^ r30[i]; + os[i] = x; + } + } + } + } +} + +inline void Hacl_Blake2s_32_blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn) +{ + uint32_t *r0 = hash + (uint32_t)0U * (uint32_t)4U; + uint32_t *r1 = hash + (uint32_t)1U * (uint32_t)4U; + uint32_t *r2 = hash + (uint32_t)2U * (uint32_t)4U; + uint32_t *r3 = hash + (uint32_t)3U * (uint32_t)4U; + uint32_t iv0 = Hacl_Impl_Blake2_Constants_ivTable_S[0U]; + uint32_t iv1 = Hacl_Impl_Blake2_Constants_ivTable_S[1U]; + uint32_t iv2 = Hacl_Impl_Blake2_Constants_ivTable_S[2U]; + uint32_t iv3 = Hacl_Impl_Blake2_Constants_ivTable_S[3U]; + uint32_t iv4 = Hacl_Impl_Blake2_Constants_ivTable_S[4U]; + uint32_t iv5 = Hacl_Impl_Blake2_Constants_ivTable_S[5U]; + uint32_t iv6 = Hacl_Impl_Blake2_Constants_ivTable_S[6U]; + uint32_t iv7 = 
Hacl_Impl_Blake2_Constants_ivTable_S[7U]; + uint32_t kk_shift_8; + uint32_t iv0_; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + kk_shift_8 = kk << (uint32_t)8U; + iv0_ = iv0 ^ ((uint32_t)0x01010000U ^ (kk_shift_8 ^ nn)); + r0[0U] = iv0_; + r0[1U] = iv1; + r0[2U] = iv2; + r0[3U] = iv3; + r1[0U] = iv4; + r1[1U] = iv5; + r1[2U] = iv6; + r1[3U] = iv7; +} + +void +Hacl_Blake2s_32_blake2s_update_key( + uint32_t *wv, + uint32_t *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll +) +{ + uint64_t lb = (uint64_t)(uint32_t)64U; + uint8_t b[64U] = { 0U }; + memcpy(b, k, kk * sizeof (uint8_t)); + if (ll == (uint32_t)0U) + { + blake2s_update_block(wv, hash, true, lb, b); + } + else + { + blake2s_update_block(wv, hash, false, lb, b); + } + Lib_Memzero0_memzero(b, (uint32_t)64U * sizeof (b[0U])); +} + +void +Hacl_Blake2s_32_blake2s_update_multi( + uint32_t len, + uint32_t *wv, + uint32_t *hash, + uint64_t prev, + uint8_t *blocks, + uint32_t nb +) +{ + uint32_t i; + for (i = (uint32_t)0U; i < nb; i++) + { + uint64_t totlen = prev + (uint64_t)((i + (uint32_t)1U) * (uint32_t)64U); + uint8_t *b = blocks + i * (uint32_t)64U; + blake2s_update_block(wv, hash, false, totlen, b); + } +} + +void +Hacl_Blake2s_32_blake2s_update_last( + uint32_t len, + uint32_t *wv, + uint32_t *hash, + uint64_t prev, + uint32_t rem, + uint8_t *d +) +{ + uint8_t b[64U] = { 0U }; + uint8_t *last = d + len - rem; + uint64_t totlen; + memcpy(b, last, rem * sizeof (uint8_t)); + totlen = prev + (uint64_t)len; + blake2s_update_block(wv, hash, true, totlen, b); + Lib_Memzero0_memzero(b, (uint32_t)64U * sizeof (b[0U])); +} + +static inline void +blake2s_update_blocks( + uint32_t len, + uint32_t *wv, + uint32_t *hash, + uint64_t prev, + uint8_t *blocks +) +{ + uint32_t nb0 = len / (uint32_t)64U; + uint32_t rem0 = len % (uint32_t)64U; + K___uint32_t_uint32_t scrut; + if (rem0 == (uint32_t)0U && nb0 > (uint32_t)0U) + { + uint32_t nb_ = nb0 
- (uint32_t)1U; + uint32_t rem_ = (uint32_t)64U; + K___uint32_t_uint32_t lit; + lit.fst = nb_; + lit.snd = rem_; + scrut = lit; + } + else + { + K___uint32_t_uint32_t lit; + lit.fst = nb0; + lit.snd = rem0; + scrut = lit; + } + { + uint32_t nb = scrut.fst; + uint32_t rem = scrut.snd; + Hacl_Blake2s_32_blake2s_update_multi(len, wv, hash, prev, blocks, nb); + Hacl_Blake2s_32_blake2s_update_last(len, wv, hash, prev, rem, blocks); + } +} + +static inline void +blake2s_update(uint32_t *wv, uint32_t *hash, uint32_t kk, uint8_t *k, uint32_t ll, uint8_t *d) +{ + uint64_t lb = (uint64_t)(uint32_t)64U; + if (kk > (uint32_t)0U) + { + Hacl_Blake2s_32_blake2s_update_key(wv, hash, kk, k, ll); + if (!(ll == (uint32_t)0U)) + { + blake2s_update_blocks(ll, wv, hash, lb, d); + return; + } + return; + } + blake2s_update_blocks(ll, wv, hash, (uint64_t)(uint32_t)0U, d); +} + +void Hacl_Blake2s_32_blake2s_finish(uint32_t nn, uint8_t *output, uint32_t *hash) +{ + uint32_t double_row = (uint32_t)2U * ((uint32_t)4U * (uint32_t)4U); + KRML_CHECK_SIZE(sizeof (uint8_t), double_row); + { + uint8_t b[double_row]; + memset(b, 0U, double_row * sizeof (uint8_t)); + { + uint8_t *first = b; + uint8_t *second = b + (uint32_t)4U * (uint32_t)4U; + uint32_t *row0 = hash + (uint32_t)0U * (uint32_t)4U; + uint32_t *row1 = hash + (uint32_t)1U * (uint32_t)4U; + uint8_t *final; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store32_le(first + i * (uint32_t)4U, row0[i]); + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store32_le(second + i * (uint32_t)4U, row1[i]); + } + } + final = b; + memcpy(output, final, nn * sizeof (uint8_t)); + Lib_Memzero0_memzero(b, double_row * sizeof (b[0U])); + } + } +} + +void +Hacl_Blake2s_32_blake2s( + uint32_t nn, + uint8_t *output, + uint32_t ll, + uint8_t *d, + uint32_t kk, + uint8_t *k +) +{ + uint32_t stlen = (uint32_t)4U * (uint32_t)4U; + uint32_t stzero = (uint32_t)0U; + KRML_CHECK_SIZE(sizeof (uint32_t), stlen); + { 
+ uint32_t b[stlen]; + { + uint32_t _i; + for (_i = 0U; _i < stlen; ++_i) + b[_i] = stzero; + } + KRML_CHECK_SIZE(sizeof (uint32_t), stlen); + { + uint32_t b1[stlen]; + { + uint32_t _i; + for (_i = 0U; _i < stlen; ++_i) + b1[_i] = stzero; + } + Hacl_Blake2s_32_blake2s_init(b, kk, nn); + blake2s_update(b1, b, kk, k, ll, d); + Hacl_Blake2s_32_blake2s_finish(nn, output, b); + Lib_Memzero0_memzero(b1, stlen * sizeof (b1[0U])); + Lib_Memzero0_memzero(b, stlen * sizeof (b[0U])); + } + } +} + diff --git a/src/c89/Hacl_Hash_Blake2b_256.c b/src/c89/Hacl_Hash_Blake2b_256.c new file mode 100644 index 00000000..9c22d0eb --- /dev/null +++ b/src/c89/Hacl_Hash_Blake2b_256.c 
@@ -0,0 +1,1376 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Hash_Blake2b_256.h" + +#include "internal/Hacl_Hash_Blake2.h" + +static FStar_UInt128_uint128 +update_blake2b_256( + Lib_IntVector_Intrinsics_vec256 *s, + FStar_UInt128_uint128 totlen, + uint8_t *block +) +{ + Lib_IntVector_Intrinsics_vec256 wv[4U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)4U; ++_i) + wv[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + FStar_UInt128_uint128 + totlen1 = + FStar_UInt128_add_mod(totlen, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U)); + uint64_t m_w[16U] = { 0U }; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t *os = m_w; + uint8_t *bj = block + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + } + { + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_zero; + uint64_t wv_14 = (uint64_t)0U; + uint64_t wv_15 = (uint64_t)0U; + Lib_IntVector_Intrinsics_vec256 *wv3; + Lib_IntVector_Intrinsics_vec256 *s00; + Lib_IntVector_Intrinsics_vec256 *s16; + Lib_IntVector_Intrinsics_vec256 *r00; + Lib_IntVector_Intrinsics_vec256 *r10; + Lib_IntVector_Intrinsics_vec256 *r20; + Lib_IntVector_Intrinsics_vec256 *r30; + mask = + Lib_IntVector_Intrinsics_vec256_load64s(FStar_UInt128_uint128_to_uint64(totlen1), + FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(totlen1, (uint32_t)64U)), + wv_14, + wv_15); + memcpy(wv, s, (uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec256)); + wv3 = wv + (uint32_t)3U * (uint32_t)1U; + wv3[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv3[0U], mask); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)12U; i++) + { + uint32_t start_idx = i % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec256), (uint32_t)4U * (uint32_t)1U); + { + Lib_IntVector_Intrinsics_vec256 m_st[(uint32_t)4U * (uint32_t)1U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + m_st[_i] = 
Lib_IntVector_Intrinsics_vec256_zero; + } + { + Lib_IntVector_Intrinsics_vec256 *r0 = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r1 = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r21 = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r31 = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(m_w[s0], m_w[s2], m_w[s4], m_w[s6]); + r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(m_w[s1], m_w[s3], m_w[s5], m_w[s7]); + r21[0U] = + Lib_IntVector_Intrinsics_vec256_load64s(m_w[s8], + m_w[s10], + m_w[s12], + m_w[s14]); + r31[0U] = + Lib_IntVector_Intrinsics_vec256_load64s(m_w[s9], + m_w[s11], + 
m_w[s13], + m_w[s15]); + { + Lib_IntVector_Intrinsics_vec256 *x = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *y = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *z = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *w = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d0 = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec256 *wv_a0 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b0 = wv + b0 * (uint32_t)1U; + wv_a0[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a0[0U], wv_b0[0U]); + wv_a0[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a0[0U], x[0U]); + { + Lib_IntVector_Intrinsics_vec256 *wv_a1 = wv + d0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b1 = wv + a * (uint32_t)1U; + wv_a1[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a1[0U], wv_b1[0U]); + wv_a1[0U] = + Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a1[0U], + (uint32_t)32U); + { + Lib_IntVector_Intrinsics_vec256 *wv_a2 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b2 = wv + d0 * (uint32_t)1U; + wv_a2[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a2[0U], wv_b2[0U]); + { + Lib_IntVector_Intrinsics_vec256 *wv_a3 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b3 = wv + c0 * (uint32_t)1U; + wv_a3[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a3[0U], wv_b3[0U]); + wv_a3[0U] = + Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a3[0U], + (uint32_t)24U); + { + Lib_IntVector_Intrinsics_vec256 *wv_a4 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b4 = wv + b0 * (uint32_t)1U; + wv_a4[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a4[0U], wv_b4[0U]); + wv_a4[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a4[0U], y[0U]); + { + Lib_IntVector_Intrinsics_vec256 *wv_a5 = wv + d0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b5 = wv + a * (uint32_t)1U; + wv_a5[0U] = 
Lib_IntVector_Intrinsics_vec256_xor(wv_a5[0U], wv_b5[0U]); + wv_a5[0U] = + Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a5[0U], + (uint32_t)16U); + { + Lib_IntVector_Intrinsics_vec256 *wv_a6 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b6 = wv + d0 * (uint32_t)1U; + wv_a6[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a6[0U], wv_b6[0U]); + { + Lib_IntVector_Intrinsics_vec256 *wv_a7 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b7 = wv + c0 * (uint32_t)1U; + wv_a7[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a7[0U], wv_b7[0U]); + wv_a7[0U] = + Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a7[0U], + (uint32_t)63U); + { + Lib_IntVector_Intrinsics_vec256 + *r11 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *r22 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *r32 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 v00 = r11[0U]; + Lib_IntVector_Intrinsics_vec256 + v1 = + Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v00, + (uint32_t)1U); + r11[0U] = v1; + { + Lib_IntVector_Intrinsics_vec256 v01 = r22[0U]; + Lib_IntVector_Intrinsics_vec256 + v10 = + Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v01, + (uint32_t)2U); + r22[0U] = v10; + { + Lib_IntVector_Intrinsics_vec256 v02 = r32[0U]; + Lib_IntVector_Intrinsics_vec256 + v11 = + Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v02, + (uint32_t)3U); + r32[0U] = v11; + { + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec256 + *wv_a = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *wv_b8 = wv + b * (uint32_t)1U; + wv_a[0U] = + Lib_IntVector_Intrinsics_vec256_add64(wv_a[0U], + wv_b8[0U]); + wv_a[0U] = + Lib_IntVector_Intrinsics_vec256_add64(wv_a[0U], + z[0U]); + { + Lib_IntVector_Intrinsics_vec256 + *wv_a8 = wv + d * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *wv_b9 = wv + a0 * 
(uint32_t)1U; + wv_a8[0U] = + Lib_IntVector_Intrinsics_vec256_xor(wv_a8[0U], + wv_b9[0U]); + wv_a8[0U] = + Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a8[0U], + (uint32_t)32U); + { + Lib_IntVector_Intrinsics_vec256 + *wv_a9 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *wv_b10 = wv + d * (uint32_t)1U; + wv_a9[0U] = + Lib_IntVector_Intrinsics_vec256_add64(wv_a9[0U], + wv_b10[0U]); + { + Lib_IntVector_Intrinsics_vec256 + *wv_a10 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *wv_b11 = wv + c * (uint32_t)1U; + wv_a10[0U] = + Lib_IntVector_Intrinsics_vec256_xor(wv_a10[0U], + wv_b11[0U]); + wv_a10[0U] = + Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a10[0U], + (uint32_t)24U); + { + Lib_IntVector_Intrinsics_vec256 + *wv_a11 = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *wv_b12 = wv + b * (uint32_t)1U; + wv_a11[0U] = + Lib_IntVector_Intrinsics_vec256_add64(wv_a11[0U], + wv_b12[0U]); + wv_a11[0U] = + Lib_IntVector_Intrinsics_vec256_add64(wv_a11[0U], + w[0U]); + { + Lib_IntVector_Intrinsics_vec256 + *wv_a12 = wv + d * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *wv_b13 = wv + a0 * (uint32_t)1U; + wv_a12[0U] = + Lib_IntVector_Intrinsics_vec256_xor(wv_a12[0U], + wv_b13[0U]); + wv_a12[0U] = + Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a12[0U], + (uint32_t)16U); + { + Lib_IntVector_Intrinsics_vec256 + *wv_a13 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *wv_b14 = wv + d * (uint32_t)1U; + wv_a13[0U] = + Lib_IntVector_Intrinsics_vec256_add64(wv_a13[0U], + wv_b14[0U]); + { + Lib_IntVector_Intrinsics_vec256 + *wv_a14 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *wv_b = wv + c * (uint32_t)1U; + wv_a14[0U] = + Lib_IntVector_Intrinsics_vec256_xor(wv_a14[0U], + wv_b[0U]); + wv_a14[0U] = + Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a14[0U], + (uint32_t)63U); + { + Lib_IntVector_Intrinsics_vec256 + *r12 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *r2 = 
wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *r3 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 v0 = r12[0U]; + Lib_IntVector_Intrinsics_vec256 + v12 = + Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v0, + (uint32_t)3U); + r12[0U] = v12; + { + Lib_IntVector_Intrinsics_vec256 + v03 = r2[0U]; + Lib_IntVector_Intrinsics_vec256 + v13 = + Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v03, + (uint32_t)2U); + r2[0U] = v13; + { + Lib_IntVector_Intrinsics_vec256 + v04 = r3[0U]; + Lib_IntVector_Intrinsics_vec256 + v14 = + Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v04, + (uint32_t)1U); + r3[0U] = v14; + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + s00 = s + (uint32_t)0U * (uint32_t)1U; + s16 = s + (uint32_t)1U * (uint32_t)1U; + r00 = wv + (uint32_t)0U * (uint32_t)1U; + r10 = wv + (uint32_t)1U * (uint32_t)1U; + r20 = wv + (uint32_t)2U * (uint32_t)1U; + r30 = wv + (uint32_t)3U * (uint32_t)1U; + s00[0U] = Lib_IntVector_Intrinsics_vec256_xor(s00[0U], r00[0U]); + s00[0U] = Lib_IntVector_Intrinsics_vec256_xor(s00[0U], r20[0U]); + s16[0U] = Lib_IntVector_Intrinsics_vec256_xor(s16[0U], r10[0U]); + s16[0U] = Lib_IntVector_Intrinsics_vec256_xor(s16[0U], r30[0U]); + return totlen1; + } + } +} + +void +Hacl_Hash_Blake2b_256_finish_blake2b_256( + Lib_IntVector_Intrinsics_vec256 *s, + FStar_UInt128_uint128 ev, + uint8_t *dst +) +{ + uint32_t double_row = (uint32_t)2U * ((uint32_t)4U * (uint32_t)8U); + KRML_CHECK_SIZE(sizeof (uint8_t), double_row); + { + uint8_t b[double_row]; + memset(b, 0U, double_row * sizeof (uint8_t)); + { + uint8_t *first = b; + uint8_t *second = b + (uint32_t)4U * (uint32_t)8U; + Lib_IntVector_Intrinsics_vec256 *row0 = s + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *row1 = s + (uint32_t)1U * (uint32_t)1U; + uint8_t *final; + Lib_IntVector_Intrinsics_vec256_store64_le(first, row0[0U]); + 
Lib_IntVector_Intrinsics_vec256_store64_le(second, row1[0U]); + final = b; + memcpy(dst, final, (uint32_t)64U * sizeof (uint8_t)); + Lib_Memzero0_memzero(b, double_row * sizeof (b[0U])); + } + } +} + +FStar_UInt128_uint128 +Hacl_Hash_Blake2b_256_update_multi_blake2b_256( + Lib_IntVector_Intrinsics_vec256 *s, + FStar_UInt128_uint128 ev, + uint8_t *blocks, + uint32_t n_blocks +) +{ + { + uint32_t i; + for (i = (uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)128U; + uint8_t *block = blocks + sz * i; + FStar_UInt128_uint128 + v_ = + update_blake2b_256(s, + FStar_UInt128_add_mod(ev, + FStar_UInt128_uint64_to_uint128((uint64_t)i * (uint64_t)(uint32_t)128U)), + block); + } + } + return + FStar_UInt128_add_mod(ev, + FStar_UInt128_uint64_to_uint128((uint64_t)n_blocks * (uint64_t)(uint32_t)128U)); +} + +FStar_UInt128_uint128 +Hacl_Hash_Blake2b_256_update_last_blake2b_256( + Lib_IntVector_Intrinsics_vec256 *s, + FStar_UInt128_uint128 ev, + FStar_UInt128_uint128 prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)128U; + uint32_t blocks_len0 = blocks_n * (uint32_t)128U; + uint32_t rest_len0 = input_len - blocks_len0; + K___uint32_t_uint32_t_uint32_t scrut0; + if (rest_len0 == (uint32_t)0U && blocks_n > (uint32_t)0U) + { + uint32_t blocks_n1 = blocks_n - (uint32_t)1U; + uint32_t blocks_len1 = blocks_len0 - (uint32_t)128U; + uint32_t rest_len1 = (uint32_t)128U; + K___uint32_t_uint32_t_uint32_t lit; + lit.fst = blocks_n1; + lit.snd = blocks_len1; + lit.thd = rest_len1; + scrut0 = lit; + } + else + { + K___uint32_t_uint32_t_uint32_t lit; + lit.fst = blocks_n; + lit.snd = blocks_len0; + lit.thd = rest_len0; + scrut0 = lit; + } + { + uint32_t num_blocks0 = scrut0.fst; + uint32_t blocks_len = scrut0.snd; + uint32_t rest_len1 = scrut0.thd; + uint8_t *blocks0 = input; + uint8_t *rest0 = input + blocks_len; + K___uint32_t_uint32_t_uint32_t__uint8_t___uint8_t_ lit; + K___uint32_t_uint32_t_uint32_t__uint8_t___uint8_t_ scrut; + 
uint32_t num_blocks; + uint32_t rest_len; + uint8_t *blocks; + uint8_t *rest; + FStar_UInt128_uint128 ev_; + lit.fst = num_blocks0; + lit.snd = blocks_len; + lit.thd = rest_len1; + lit.f3 = blocks0; + lit.f4 = rest0; + scrut = lit; + num_blocks = scrut.fst; + rest_len = scrut.thd; + blocks = scrut.f3; + rest = scrut.f4; + ev_ = Hacl_Hash_Blake2b_256_update_multi_blake2b_256(s, ev, blocks, num_blocks); + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec256), (uint32_t)4U * (uint32_t)1U); + { + Lib_IntVector_Intrinsics_vec256 wv[(uint32_t)4U * (uint32_t)1U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + wv[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + uint8_t tmp[128U] = { 0U }; + uint8_t *tmp_rest = tmp; + FStar_UInt128_uint128 totlen; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + totlen = FStar_UInt128_add_mod(ev_, FStar_UInt128_uint64_to_uint128((uint64_t)rest_len)); + { + uint64_t m_w[16U] = { 0U }; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t *os = m_w; + uint8_t *bj = tmp + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + } + { + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_zero; + uint64_t wv_14 = (uint64_t)0xFFFFFFFFFFFFFFFFU; + uint64_t wv_15 = (uint64_t)0U; + Lib_IntVector_Intrinsics_vec256 *wv3; + Lib_IntVector_Intrinsics_vec256 *s00; + Lib_IntVector_Intrinsics_vec256 *s16; + Lib_IntVector_Intrinsics_vec256 *r00; + Lib_IntVector_Intrinsics_vec256 *r10; + Lib_IntVector_Intrinsics_vec256 *r20; + Lib_IntVector_Intrinsics_vec256 *r30; + mask = + Lib_IntVector_Intrinsics_vec256_load64s(FStar_UInt128_uint128_to_uint64(totlen), + FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(totlen, (uint32_t)64U)), + wv_14, + wv_15); + memcpy(wv, s, (uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec256)); + wv3 = wv + (uint32_t)3U * (uint32_t)1U; + wv3[0U] = 
Lib_IntVector_Intrinsics_vec256_xor(wv3[0U], mask); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)12U; i++) + { + uint32_t start_idx = i % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec256), + (uint32_t)4U * (uint32_t)1U); + { + Lib_IntVector_Intrinsics_vec256 m_st[(uint32_t)4U * (uint32_t)1U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + m_st[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + Lib_IntVector_Intrinsics_vec256 *r0 = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r1 = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r21 = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r31 = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + 
uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + r0[0U] = + Lib_IntVector_Intrinsics_vec256_load64s(m_w[s0], + m_w[s2], + m_w[s4], + m_w[s6]); + r1[0U] = + Lib_IntVector_Intrinsics_vec256_load64s(m_w[s1], + m_w[s3], + m_w[s5], + m_w[s7]); + r21[0U] = + Lib_IntVector_Intrinsics_vec256_load64s(m_w[s8], + m_w[s10], + m_w[s12], + m_w[s14]); + r31[0U] = + Lib_IntVector_Intrinsics_vec256_load64s(m_w[s9], + m_w[s11], + m_w[s13], + m_w[s15]); + { + Lib_IntVector_Intrinsics_vec256 *x = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *y = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *z = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *w = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d0 = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec256 *wv_a0 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b0 = wv + b0 * (uint32_t)1U; + wv_a0[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a0[0U], wv_b0[0U]); + wv_a0[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a0[0U], x[0U]); + { + Lib_IntVector_Intrinsics_vec256 *wv_a1 = wv + d0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b1 = wv + a * (uint32_t)1U; + wv_a1[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a1[0U], wv_b1[0U]); + wv_a1[0U] = + Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a1[0U], + (uint32_t)32U); + { + Lib_IntVector_Intrinsics_vec256 *wv_a2 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b2 = wv + d0 * (uint32_t)1U; + wv_a2[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a2[0U], wv_b2[0U]); + { + Lib_IntVector_Intrinsics_vec256 *wv_a3 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b3 = wv + c0 * (uint32_t)1U; + wv_a3[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a3[0U], wv_b3[0U]); + wv_a3[0U] = + Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a3[0U], + (uint32_t)24U); + { + 
Lib_IntVector_Intrinsics_vec256 *wv_a4 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b4 = wv + b0 * (uint32_t)1U; + wv_a4[0U] = + Lib_IntVector_Intrinsics_vec256_add64(wv_a4[0U], + wv_b4[0U]); + wv_a4[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a4[0U], y[0U]); + { + Lib_IntVector_Intrinsics_vec256 *wv_a5 = wv + d0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b5 = wv + a * (uint32_t)1U; + wv_a5[0U] = + Lib_IntVector_Intrinsics_vec256_xor(wv_a5[0U], + wv_b5[0U]); + wv_a5[0U] = + Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a5[0U], + (uint32_t)16U); + { + Lib_IntVector_Intrinsics_vec256 *wv_a6 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b6 = wv + d0 * (uint32_t)1U; + wv_a6[0U] = + Lib_IntVector_Intrinsics_vec256_add64(wv_a6[0U], + wv_b6[0U]); + { + Lib_IntVector_Intrinsics_vec256 *wv_a7 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b7 = wv + c0 * (uint32_t)1U; + wv_a7[0U] = + Lib_IntVector_Intrinsics_vec256_xor(wv_a7[0U], + wv_b7[0U]); + wv_a7[0U] = + Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a7[0U], + (uint32_t)63U); + { + Lib_IntVector_Intrinsics_vec256 + *r11 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *r22 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *r32 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 v00 = r11[0U]; + Lib_IntVector_Intrinsics_vec256 + v1 = + Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v00, + (uint32_t)1U); + r11[0U] = v1; + { + Lib_IntVector_Intrinsics_vec256 v01 = r22[0U]; + Lib_IntVector_Intrinsics_vec256 + v10 = + Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v01, + (uint32_t)2U); + r22[0U] = v10; + { + Lib_IntVector_Intrinsics_vec256 v02 = r32[0U]; + Lib_IntVector_Intrinsics_vec256 + v11 = + Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v02, + (uint32_t)3U); + r32[0U] = v11; + { + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; 
+ uint32_t d = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec256 + *wv_a = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *wv_b8 = wv + b * (uint32_t)1U; + wv_a[0U] = + Lib_IntVector_Intrinsics_vec256_add64(wv_a[0U], + wv_b8[0U]); + wv_a[0U] = + Lib_IntVector_Intrinsics_vec256_add64(wv_a[0U], + z[0U]); + { + Lib_IntVector_Intrinsics_vec256 + *wv_a8 = wv + d * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *wv_b9 = wv + a0 * (uint32_t)1U; + wv_a8[0U] = + Lib_IntVector_Intrinsics_vec256_xor(wv_a8[0U], + wv_b9[0U]); + wv_a8[0U] = + Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a8[0U], + (uint32_t)32U); + { + Lib_IntVector_Intrinsics_vec256 + *wv_a9 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *wv_b10 = wv + d * (uint32_t)1U; + wv_a9[0U] = + Lib_IntVector_Intrinsics_vec256_add64(wv_a9[0U], + wv_b10[0U]); + { + Lib_IntVector_Intrinsics_vec256 + *wv_a10 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *wv_b11 = wv + c * (uint32_t)1U; + wv_a10[0U] = + Lib_IntVector_Intrinsics_vec256_xor(wv_a10[0U], + wv_b11[0U]); + wv_a10[0U] = + Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a10[0U], + (uint32_t)24U); + { + Lib_IntVector_Intrinsics_vec256 + *wv_a11 = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *wv_b12 = wv + b * (uint32_t)1U; + wv_a11[0U] = + Lib_IntVector_Intrinsics_vec256_add64(wv_a11[0U], + wv_b12[0U]); + wv_a11[0U] = + Lib_IntVector_Intrinsics_vec256_add64(wv_a11[0U], + w[0U]); + { + Lib_IntVector_Intrinsics_vec256 + *wv_a12 = wv + d * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *wv_b13 = wv + a0 * (uint32_t)1U; + wv_a12[0U] = + Lib_IntVector_Intrinsics_vec256_xor(wv_a12[0U], + wv_b13[0U]); + wv_a12[0U] = + Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a12[0U], + (uint32_t)16U); + { + Lib_IntVector_Intrinsics_vec256 + *wv_a13 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *wv_b14 = wv + d * (uint32_t)1U; + wv_a13[0U] = + Lib_IntVector_Intrinsics_vec256_add64(wv_a13[0U], + 
wv_b14[0U]); + { + Lib_IntVector_Intrinsics_vec256 + *wv_a14 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *wv_b = wv + c * (uint32_t)1U; + wv_a14[0U] = + Lib_IntVector_Intrinsics_vec256_xor(wv_a14[0U], + wv_b[0U]); + wv_a14[0U] = + Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a14[0U], + (uint32_t)63U); + { + Lib_IntVector_Intrinsics_vec256 + *r12 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *r3 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + v0 = r12[0U]; + Lib_IntVector_Intrinsics_vec256 + v12 = + Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v0, + (uint32_t)3U); + r12[0U] = v12; + { + Lib_IntVector_Intrinsics_vec256 + v03 = r2[0U]; + Lib_IntVector_Intrinsics_vec256 + v13 = + Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v03, + (uint32_t)2U); + r2[0U] = v13; + { + Lib_IntVector_Intrinsics_vec256 + v04 = r3[0U]; + Lib_IntVector_Intrinsics_vec256 + v14 = + Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v04, + (uint32_t)1U); + r3[0U] = v14; + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + s00 = s + (uint32_t)0U * (uint32_t)1U; + s16 = s + (uint32_t)1U * (uint32_t)1U; + r00 = wv + (uint32_t)0U * (uint32_t)1U; + r10 = wv + (uint32_t)1U * (uint32_t)1U; + r20 = wv + (uint32_t)2U * (uint32_t)1U; + r30 = wv + (uint32_t)3U * (uint32_t)1U; + s00[0U] = Lib_IntVector_Intrinsics_vec256_xor(s00[0U], r00[0U]); + s00[0U] = Lib_IntVector_Intrinsics_vec256_xor(s00[0U], r20[0U]); + s16[0U] = Lib_IntVector_Intrinsics_vec256_xor(s16[0U], r10[0U]); + s16[0U] = Lib_IntVector_Intrinsics_vec256_xor(s16[0U], r30[0U]); + return FStar_UInt128_uint64_to_uint128((uint64_t)0U); + } + } + } + } + } +} + +void Hacl_Hash_Blake2b_256_hash_blake2b_256(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + Hacl_Blake2b_256_blake2b((uint32_t)64U, dst, input_len, input, 
(uint32_t)0U, NULL); +} + +static inline void +blake2b_update_block( + Lib_IntVector_Intrinsics_vec256 *wv, + Lib_IntVector_Intrinsics_vec256 *hash, + bool flag, + FStar_UInt128_uint128 totlen, + uint8_t *d +) +{ + uint64_t m_w[16U] = { 0U }; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t *os = m_w; + uint8_t *bj = d + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + } + { + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_zero; + uint64_t wv_14; + if (flag) + { + wv_14 = (uint64_t)0xFFFFFFFFFFFFFFFFU; + } + else + { + wv_14 = (uint64_t)0U; + } + { + uint64_t wv_15 = (uint64_t)0U; + Lib_IntVector_Intrinsics_vec256 *wv3; + Lib_IntVector_Intrinsics_vec256 *s00; + Lib_IntVector_Intrinsics_vec256 *s16; + Lib_IntVector_Intrinsics_vec256 *r00; + Lib_IntVector_Intrinsics_vec256 *r10; + Lib_IntVector_Intrinsics_vec256 *r20; + Lib_IntVector_Intrinsics_vec256 *r30; + mask = + Lib_IntVector_Intrinsics_vec256_load64s(FStar_UInt128_uint128_to_uint64(totlen), + FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(totlen, (uint32_t)64U)), + wv_14, + wv_15); + memcpy(wv, hash, (uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec256)); + wv3 = wv + (uint32_t)3U * (uint32_t)1U; + wv3[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv3[0U], mask); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)12U; i++) + { + uint32_t start_idx = i % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec256), (uint32_t)4U * (uint32_t)1U); + { + Lib_IntVector_Intrinsics_vec256 m_st[(uint32_t)4U * (uint32_t)1U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + m_st[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + Lib_IntVector_Intrinsics_vec256 *r0 = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r1 = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r21 = m_st + 
(uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r31 = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(m_w[s0], m_w[s2], m_w[s4], m_w[s6]); + r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(m_w[s1], m_w[s3], m_w[s5], m_w[s7]); + r21[0U] = + Lib_IntVector_Intrinsics_vec256_load64s(m_w[s8], + m_w[s10], + m_w[s12], + m_w[s14]); + r31[0U] = + Lib_IntVector_Intrinsics_vec256_load64s(m_w[s9], + m_w[s11], + m_w[s13], + m_w[s15]); + { + Lib_IntVector_Intrinsics_vec256 *x = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *y = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *z = m_st + (uint32_t)2U * 
(uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *w = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d10 = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec256 *wv_a0 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b0 = wv + b0 * (uint32_t)1U; + wv_a0[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a0[0U], wv_b0[0U]); + wv_a0[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a0[0U], x[0U]); + { + Lib_IntVector_Intrinsics_vec256 *wv_a1 = wv + d10 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b1 = wv + a * (uint32_t)1U; + wv_a1[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a1[0U], wv_b1[0U]); + wv_a1[0U] = + Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a1[0U], + (uint32_t)32U); + { + Lib_IntVector_Intrinsics_vec256 *wv_a2 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b2 = wv + d10 * (uint32_t)1U; + wv_a2[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a2[0U], wv_b2[0U]); + { + Lib_IntVector_Intrinsics_vec256 *wv_a3 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b3 = wv + c0 * (uint32_t)1U; + wv_a3[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a3[0U], wv_b3[0U]); + wv_a3[0U] = + Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a3[0U], + (uint32_t)24U); + { + Lib_IntVector_Intrinsics_vec256 *wv_a4 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b4 = wv + b0 * (uint32_t)1U; + wv_a4[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a4[0U], wv_b4[0U]); + wv_a4[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a4[0U], y[0U]); + { + Lib_IntVector_Intrinsics_vec256 *wv_a5 = wv + d10 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b5 = wv + a * (uint32_t)1U; + wv_a5[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a5[0U], wv_b5[0U]); + wv_a5[0U] = + Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a5[0U], + (uint32_t)16U); + { + Lib_IntVector_Intrinsics_vec256 *wv_a6 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 
*wv_b6 = wv + d10 * (uint32_t)1U; + wv_a6[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a6[0U], wv_b6[0U]); + { + Lib_IntVector_Intrinsics_vec256 *wv_a7 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b7 = wv + c0 * (uint32_t)1U; + wv_a7[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a7[0U], wv_b7[0U]); + wv_a7[0U] = + Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a7[0U], + (uint32_t)63U); + { + Lib_IntVector_Intrinsics_vec256 + *r11 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *r22 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *r32 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 v00 = r11[0U]; + Lib_IntVector_Intrinsics_vec256 + v1 = + Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v00, + (uint32_t)1U); + r11[0U] = v1; + { + Lib_IntVector_Intrinsics_vec256 v01 = r22[0U]; + Lib_IntVector_Intrinsics_vec256 + v10 = + Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v01, + (uint32_t)2U); + r22[0U] = v10; + { + Lib_IntVector_Intrinsics_vec256 v02 = r32[0U]; + Lib_IntVector_Intrinsics_vec256 + v11 = + Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v02, + (uint32_t)3U); + r32[0U] = v11; + { + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d1 = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec256 + *wv_a = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *wv_b8 = wv + b * (uint32_t)1U; + wv_a[0U] = + Lib_IntVector_Intrinsics_vec256_add64(wv_a[0U], + wv_b8[0U]); + wv_a[0U] = + Lib_IntVector_Intrinsics_vec256_add64(wv_a[0U], + z[0U]); + { + Lib_IntVector_Intrinsics_vec256 + *wv_a8 = wv + d1 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *wv_b9 = wv + a0 * (uint32_t)1U; + wv_a8[0U] = + Lib_IntVector_Intrinsics_vec256_xor(wv_a8[0U], + wv_b9[0U]); + wv_a8[0U] = + Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a8[0U], + (uint32_t)32U); + { + Lib_IntVector_Intrinsics_vec256 + *wv_a9 = wv + c * (uint32_t)1U; 
+ Lib_IntVector_Intrinsics_vec256 + *wv_b10 = wv + d1 * (uint32_t)1U; + wv_a9[0U] = + Lib_IntVector_Intrinsics_vec256_add64(wv_a9[0U], + wv_b10[0U]); + { + Lib_IntVector_Intrinsics_vec256 + *wv_a10 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *wv_b11 = wv + c * (uint32_t)1U; + wv_a10[0U] = + Lib_IntVector_Intrinsics_vec256_xor(wv_a10[0U], + wv_b11[0U]); + wv_a10[0U] = + Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a10[0U], + (uint32_t)24U); + { + Lib_IntVector_Intrinsics_vec256 + *wv_a11 = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *wv_b12 = wv + b * (uint32_t)1U; + wv_a11[0U] = + Lib_IntVector_Intrinsics_vec256_add64(wv_a11[0U], + wv_b12[0U]); + wv_a11[0U] = + Lib_IntVector_Intrinsics_vec256_add64(wv_a11[0U], + w[0U]); + { + Lib_IntVector_Intrinsics_vec256 + *wv_a12 = wv + d1 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *wv_b13 = wv + a0 * (uint32_t)1U; + wv_a12[0U] = + Lib_IntVector_Intrinsics_vec256_xor(wv_a12[0U], + wv_b13[0U]); + wv_a12[0U] = + Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a12[0U], + (uint32_t)16U); + { + Lib_IntVector_Intrinsics_vec256 + *wv_a13 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *wv_b14 = wv + d1 * (uint32_t)1U; + wv_a13[0U] = + Lib_IntVector_Intrinsics_vec256_add64(wv_a13[0U], + wv_b14[0U]); + { + Lib_IntVector_Intrinsics_vec256 + *wv_a14 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *wv_b = wv + c * (uint32_t)1U; + wv_a14[0U] = + Lib_IntVector_Intrinsics_vec256_xor(wv_a14[0U], + wv_b[0U]); + wv_a14[0U] = + Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a14[0U], + (uint32_t)63U); + { + Lib_IntVector_Intrinsics_vec256 + *r12 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 + *r3 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 v0 = r12[0U]; + Lib_IntVector_Intrinsics_vec256 + v12 = + 
Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v0, + (uint32_t)3U); + r12[0U] = v12; + { + Lib_IntVector_Intrinsics_vec256 + v03 = r2[0U]; + Lib_IntVector_Intrinsics_vec256 + v13 = + Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v03, + (uint32_t)2U); + r2[0U] = v13; + { + Lib_IntVector_Intrinsics_vec256 + v04 = r3[0U]; + Lib_IntVector_Intrinsics_vec256 + v14 = + Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v04, + (uint32_t)1U); + r3[0U] = v14; + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + s00 = hash + (uint32_t)0U * (uint32_t)1U; + s16 = hash + (uint32_t)1U * (uint32_t)1U; + r00 = wv + (uint32_t)0U * (uint32_t)1U; + r10 = wv + (uint32_t)1U * (uint32_t)1U; + r20 = wv + (uint32_t)2U * (uint32_t)1U; + r30 = wv + (uint32_t)3U * (uint32_t)1U; + s00[0U] = Lib_IntVector_Intrinsics_vec256_xor(s00[0U], r00[0U]); + s00[0U] = Lib_IntVector_Intrinsics_vec256_xor(s00[0U], r20[0U]); + s16[0U] = Lib_IntVector_Intrinsics_vec256_xor(s16[0U], r10[0U]); + s16[0U] = Lib_IntVector_Intrinsics_vec256_xor(s16[0U], r30[0U]); + } + } +} + +void +Hacl_Blake2b_256_blake2b_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t kk, uint32_t nn) +{ + Lib_IntVector_Intrinsics_vec256 *r0 = hash + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r1 = hash + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r2 = hash + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r3 = hash + (uint32_t)3U * (uint32_t)1U; + uint64_t iv0 = Hacl_Impl_Blake2_Constants_ivTable_B[0U]; + uint64_t iv1 = Hacl_Impl_Blake2_Constants_ivTable_B[1U]; + uint64_t iv2 = Hacl_Impl_Blake2_Constants_ivTable_B[2U]; + uint64_t iv3 = Hacl_Impl_Blake2_Constants_ivTable_B[3U]; + uint64_t iv4 = Hacl_Impl_Blake2_Constants_ivTable_B[4U]; + uint64_t iv5 = Hacl_Impl_Blake2_Constants_ivTable_B[5U]; + uint64_t iv6 = Hacl_Impl_Blake2_Constants_ivTable_B[6U]; + uint64_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; + 
uint64_t kk_shift_8; + uint64_t iv0_; + r2[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0, iv1, iv2, iv3); + r3[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); + kk_shift_8 = (uint64_t)kk << (uint32_t)8U; + iv0_ = iv0 ^ ((uint64_t)0x01010000U ^ (kk_shift_8 ^ (uint64_t)nn)); + r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0_, iv1, iv2, iv3); + r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); +} + +void +Hacl_Blake2b_256_blake2b_update_key( + Lib_IntVector_Intrinsics_vec256 *wv, + Lib_IntVector_Intrinsics_vec256 *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll +) +{ + FStar_UInt128_uint128 lb = FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U); + uint8_t b[128U] = { 0U }; + memcpy(b, k, kk * sizeof (uint8_t)); + if (ll == (uint32_t)0U) + { + blake2b_update_block(wv, hash, true, lb, b); + } + else + { + blake2b_update_block(wv, hash, false, lb, b); + } + Lib_Memzero0_memzero(b, (uint32_t)128U * sizeof (b[0U])); +} + +void +Hacl_Blake2b_256_blake2b_update_multi( + uint32_t len, + Lib_IntVector_Intrinsics_vec256 *wv, + Lib_IntVector_Intrinsics_vec256 *hash, + FStar_UInt128_uint128 prev, + uint8_t *blocks, + uint32_t nb +) +{ + uint32_t i; + for (i = (uint32_t)0U; i < nb; i++) + { + FStar_UInt128_uint128 + totlen = + FStar_UInt128_add_mod(prev, + FStar_UInt128_uint64_to_uint128((uint64_t)((i + (uint32_t)1U) * (uint32_t)128U))); + uint8_t *b = blocks + i * (uint32_t)128U; + blake2b_update_block(wv, hash, false, totlen, b); + } +} + +void +Hacl_Blake2b_256_blake2b_update_last( + uint32_t len, + Lib_IntVector_Intrinsics_vec256 *wv, + Lib_IntVector_Intrinsics_vec256 *hash, + FStar_UInt128_uint128 prev, + uint32_t rem, + uint8_t *d +) +{ + uint8_t b[128U] = { 0U }; + uint8_t *last = d + len - rem; + FStar_UInt128_uint128 totlen; + memcpy(b, last, rem * sizeof (uint8_t)); + totlen = FStar_UInt128_add_mod(prev, FStar_UInt128_uint64_to_uint128((uint64_t)len)); + blake2b_update_block(wv, hash, true, totlen, b); + 
Lib_Memzero0_memzero(b, (uint32_t)128U * sizeof (b[0U])); +} + +static inline void +blake2b_update_blocks( + uint32_t len, + Lib_IntVector_Intrinsics_vec256 *wv, + Lib_IntVector_Intrinsics_vec256 *hash, + FStar_UInt128_uint128 prev, + uint8_t *blocks +) +{ + uint32_t nb0 = len / (uint32_t)128U; + uint32_t rem0 = len % (uint32_t)128U; + K___uint32_t_uint32_t scrut; + if (rem0 == (uint32_t)0U && nb0 > (uint32_t)0U) + { + uint32_t nb_ = nb0 - (uint32_t)1U; + uint32_t rem_ = (uint32_t)128U; + K___uint32_t_uint32_t lit; + lit.fst = nb_; + lit.snd = rem_; + scrut = lit; + } + else + { + K___uint32_t_uint32_t lit; + lit.fst = nb0; + lit.snd = rem0; + scrut = lit; + } + { + uint32_t nb = scrut.fst; + uint32_t rem = scrut.snd; + Hacl_Blake2b_256_blake2b_update_multi(len, wv, hash, prev, blocks, nb); + Hacl_Blake2b_256_blake2b_update_last(len, wv, hash, prev, rem, blocks); + } +} + +static inline void +blake2b_update( + Lib_IntVector_Intrinsics_vec256 *wv, + Lib_IntVector_Intrinsics_vec256 *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll, + uint8_t *d +) +{ + FStar_UInt128_uint128 lb = FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U); + if (kk > (uint32_t)0U) + { + Hacl_Blake2b_256_blake2b_update_key(wv, hash, kk, k, ll); + if (!(ll == (uint32_t)0U)) + { + blake2b_update_blocks(ll, wv, hash, lb, d); + return; + } + return; + } + blake2b_update_blocks(ll, + wv, + hash, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)0U), + d); +} + +void +Hacl_Blake2b_256_blake2b_finish( + uint32_t nn, + uint8_t *output, + Lib_IntVector_Intrinsics_vec256 *hash +) +{ + uint32_t double_row = (uint32_t)2U * ((uint32_t)4U * (uint32_t)8U); + KRML_CHECK_SIZE(sizeof (uint8_t), double_row); + { + uint8_t b[double_row]; + memset(b, 0U, double_row * sizeof (uint8_t)); + { + uint8_t *first = b; + uint8_t *second = b + (uint32_t)4U * (uint32_t)8U; + Lib_IntVector_Intrinsics_vec256 *row0 = hash + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *row1 = hash + (uint32_t)1U * 
(uint32_t)1U; + uint8_t *final; + Lib_IntVector_Intrinsics_vec256_store64_le(first, row0[0U]); + Lib_IntVector_Intrinsics_vec256_store64_le(second, row1[0U]); + final = b; + memcpy(output, final, nn * sizeof (uint8_t)); + Lib_Memzero0_memzero(b, double_row * sizeof (b[0U])); + } + } +} + +void +Hacl_Blake2b_256_blake2b( + uint32_t nn, + uint8_t *output, + uint32_t ll, + uint8_t *d, + uint32_t kk, + uint8_t *k +) +{ + uint32_t stlen = (uint32_t)4U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 stzero = Lib_IntVector_Intrinsics_vec256_zero; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec256), stlen); + { + Lib_IntVector_Intrinsics_vec256 b[stlen]; + { + uint32_t _i; + for (_i = 0U; _i < stlen; ++_i) + b[_i] = stzero; + } + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec256), stlen); + { + Lib_IntVector_Intrinsics_vec256 b1[stlen]; + { + uint32_t _i; + for (_i = 0U; _i < stlen; ++_i) + b1[_i] = stzero; + } + Hacl_Blake2b_256_blake2b_init(b, kk, nn); + blake2b_update(b1, b, kk, k, ll, d); + Hacl_Blake2b_256_blake2b_finish(nn, output, b); + Lib_Memzero0_memzero(b1, stlen * sizeof (b1[0U])); + Lib_Memzero0_memzero(b, stlen * sizeof (b[0U])); + } + } +} + diff --git a/src/c89/Hacl_Hash_Blake2s_128.c b/src/c89/Hacl_Hash_Blake2s_128.c new file mode 100644 index 00000000..bbd0959d --- /dev/null +++ b/src/c89/Hacl_Hash_Blake2s_128.c 
@@ -0,0 +1,1355 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Hash_Blake2s_128.h" + +#include "internal/Hacl_Hash_Blake2.h" + +static uint64_t +update_blake2s_128(Lib_IntVector_Intrinsics_vec128 *s, uint64_t totlen, uint8_t *block) +{ + Lib_IntVector_Intrinsics_vec128 wv[4U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)4U; ++_i) + wv[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + { + uint64_t totlen1 = totlen + (uint64_t)(uint32_t)64U; + uint32_t m_w[16U] = { 0U }; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = m_w; + uint8_t *bj = block + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + } + { + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_zero; + uint32_t wv_14 = (uint32_t)0U; + uint32_t wv_15 = (uint32_t)0U; + Lib_IntVector_Intrinsics_vec128 *wv3; + Lib_IntVector_Intrinsics_vec128 *s00; + Lib_IntVector_Intrinsics_vec128 *s16; + Lib_IntVector_Intrinsics_vec128 *r00; + Lib_IntVector_Intrinsics_vec128 *r10; + Lib_IntVector_Intrinsics_vec128 *r20; + Lib_IntVector_Intrinsics_vec128 *r30; + mask = + Lib_IntVector_Intrinsics_vec128_load32s((uint32_t)totlen1, + (uint32_t)(totlen1 >> (uint32_t)32U), + wv_14, + wv_15); + memcpy(wv, s, (uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec128)); + wv3 = wv + (uint32_t)3U * (uint32_t)1U; + wv3[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv3[0U], mask); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)10U; i++) + { + uint32_t start_idx = i % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec128), (uint32_t)4U * (uint32_t)1U); + { + Lib_IntVector_Intrinsics_vec128 m_st[(uint32_t)4U * (uint32_t)1U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + m_st[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + { + Lib_IntVector_Intrinsics_vec128 *r0 = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r1 = m_st + (uint32_t)1U * 
(uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r21 = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r31 = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s0], m_w[s2], m_w[s4], m_w[s6]); + r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s1], m_w[s3], m_w[s5], m_w[s7]); + r21[0U] = + Lib_IntVector_Intrinsics_vec128_load32s(m_w[s8], + m_w[s10], + m_w[s12], + m_w[s14]); + r31[0U] = + Lib_IntVector_Intrinsics_vec128_load32s(m_w[s9], + m_w[s11], + m_w[s13], + m_w[s15]); + { + Lib_IntVector_Intrinsics_vec128 *x = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *y = m_st + (uint32_t)1U * (uint32_t)1U; + 
Lib_IntVector_Intrinsics_vec128 *z = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *w = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d0 = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec128 *wv_a0 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b0 = wv + b0 * (uint32_t)1U; + wv_a0[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a0[0U], wv_b0[0U]); + wv_a0[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a0[0U], x[0U]); + { + Lib_IntVector_Intrinsics_vec128 *wv_a1 = wv + d0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b1 = wv + a * (uint32_t)1U; + wv_a1[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a1[0U], wv_b1[0U]); + wv_a1[0U] = + Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a1[0U], + (uint32_t)16U); + { + Lib_IntVector_Intrinsics_vec128 *wv_a2 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b2 = wv + d0 * (uint32_t)1U; + wv_a2[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a2[0U], wv_b2[0U]); + { + Lib_IntVector_Intrinsics_vec128 *wv_a3 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b3 = wv + c0 * (uint32_t)1U; + wv_a3[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a3[0U], wv_b3[0U]); + wv_a3[0U] = + Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a3[0U], + (uint32_t)12U); + { + Lib_IntVector_Intrinsics_vec128 *wv_a4 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b4 = wv + b0 * (uint32_t)1U; + wv_a4[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a4[0U], wv_b4[0U]); + wv_a4[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a4[0U], y[0U]); + { + Lib_IntVector_Intrinsics_vec128 *wv_a5 = wv + d0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b5 = wv + a * (uint32_t)1U; + wv_a5[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a5[0U], wv_b5[0U]); + wv_a5[0U] = + Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a5[0U], + (uint32_t)8U); + { + Lib_IntVector_Intrinsics_vec128 *wv_a6 = wv + 
c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b6 = wv + d0 * (uint32_t)1U; + wv_a6[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a6[0U], wv_b6[0U]); + { + Lib_IntVector_Intrinsics_vec128 *wv_a7 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b7 = wv + c0 * (uint32_t)1U; + wv_a7[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a7[0U], wv_b7[0U]); + wv_a7[0U] = + Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a7[0U], + (uint32_t)7U); + { + Lib_IntVector_Intrinsics_vec128 + *r11 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *r22 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *r32 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 v00 = r11[0U]; + Lib_IntVector_Intrinsics_vec128 + v1 = + Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v00, + (uint32_t)1U); + r11[0U] = v1; + { + Lib_IntVector_Intrinsics_vec128 v01 = r22[0U]; + Lib_IntVector_Intrinsics_vec128 + v10 = + Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v01, + (uint32_t)2U); + r22[0U] = v10; + { + Lib_IntVector_Intrinsics_vec128 v02 = r32[0U]; + Lib_IntVector_Intrinsics_vec128 + v11 = + Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v02, + (uint32_t)3U); + r32[0U] = v11; + { + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec128 + *wv_a = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *wv_b8 = wv + b * (uint32_t)1U; + wv_a[0U] = + Lib_IntVector_Intrinsics_vec128_add32(wv_a[0U], + wv_b8[0U]); + wv_a[0U] = + Lib_IntVector_Intrinsics_vec128_add32(wv_a[0U], + z[0U]); + { + Lib_IntVector_Intrinsics_vec128 + *wv_a8 = wv + d * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *wv_b9 = wv + a0 * (uint32_t)1U; + wv_a8[0U] = + Lib_IntVector_Intrinsics_vec128_xor(wv_a8[0U], + wv_b9[0U]); + wv_a8[0U] = + Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a8[0U], + (uint32_t)16U); + { + 
Lib_IntVector_Intrinsics_vec128 + *wv_a9 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *wv_b10 = wv + d * (uint32_t)1U; + wv_a9[0U] = + Lib_IntVector_Intrinsics_vec128_add32(wv_a9[0U], + wv_b10[0U]); + { + Lib_IntVector_Intrinsics_vec128 + *wv_a10 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *wv_b11 = wv + c * (uint32_t)1U; + wv_a10[0U] = + Lib_IntVector_Intrinsics_vec128_xor(wv_a10[0U], + wv_b11[0U]); + wv_a10[0U] = + Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a10[0U], + (uint32_t)12U); + { + Lib_IntVector_Intrinsics_vec128 + *wv_a11 = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *wv_b12 = wv + b * (uint32_t)1U; + wv_a11[0U] = + Lib_IntVector_Intrinsics_vec128_add32(wv_a11[0U], + wv_b12[0U]); + wv_a11[0U] = + Lib_IntVector_Intrinsics_vec128_add32(wv_a11[0U], + w[0U]); + { + Lib_IntVector_Intrinsics_vec128 + *wv_a12 = wv + d * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *wv_b13 = wv + a0 * (uint32_t)1U; + wv_a12[0U] = + Lib_IntVector_Intrinsics_vec128_xor(wv_a12[0U], + wv_b13[0U]); + wv_a12[0U] = + Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a12[0U], + (uint32_t)8U); + { + Lib_IntVector_Intrinsics_vec128 + *wv_a13 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *wv_b14 = wv + d * (uint32_t)1U; + wv_a13[0U] = + Lib_IntVector_Intrinsics_vec128_add32(wv_a13[0U], + wv_b14[0U]); + { + Lib_IntVector_Intrinsics_vec128 + *wv_a14 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *wv_b = wv + c * (uint32_t)1U; + wv_a14[0U] = + Lib_IntVector_Intrinsics_vec128_xor(wv_a14[0U], + wv_b[0U]); + wv_a14[0U] = + Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a14[0U], + (uint32_t)7U); + { + Lib_IntVector_Intrinsics_vec128 + *r12 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *r3 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 v0 = r12[0U]; + Lib_IntVector_Intrinsics_vec128 
+ v12 = + Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v0, + (uint32_t)3U); + r12[0U] = v12; + { + Lib_IntVector_Intrinsics_vec128 + v03 = r2[0U]; + Lib_IntVector_Intrinsics_vec128 + v13 = + Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v03, + (uint32_t)2U); + r2[0U] = v13; + { + Lib_IntVector_Intrinsics_vec128 + v04 = r3[0U]; + Lib_IntVector_Intrinsics_vec128 + v14 = + Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v04, + (uint32_t)1U); + r3[0U] = v14; + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + s00 = s + (uint32_t)0U * (uint32_t)1U; + s16 = s + (uint32_t)1U * (uint32_t)1U; + r00 = wv + (uint32_t)0U * (uint32_t)1U; + r10 = wv + (uint32_t)1U * (uint32_t)1U; + r20 = wv + (uint32_t)2U * (uint32_t)1U; + r30 = wv + (uint32_t)3U * (uint32_t)1U; + s00[0U] = Lib_IntVector_Intrinsics_vec128_xor(s00[0U], r00[0U]); + s00[0U] = Lib_IntVector_Intrinsics_vec128_xor(s00[0U], r20[0U]); + s16[0U] = Lib_IntVector_Intrinsics_vec128_xor(s16[0U], r10[0U]); + s16[0U] = Lib_IntVector_Intrinsics_vec128_xor(s16[0U], r30[0U]); + return totlen1; + } + } +} + +void +Hacl_Hash_Blake2s_128_finish_blake2s_128( + Lib_IntVector_Intrinsics_vec128 *s, + uint64_t ev, + uint8_t *dst +) +{ + uint32_t double_row = (uint32_t)2U * ((uint32_t)4U * (uint32_t)4U); + KRML_CHECK_SIZE(sizeof (uint8_t), double_row); + { + uint8_t b[double_row]; + memset(b, 0U, double_row * sizeof (uint8_t)); + { + uint8_t *first = b; + uint8_t *second = b + (uint32_t)4U * (uint32_t)4U; + Lib_IntVector_Intrinsics_vec128 *row0 = s + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *row1 = s + (uint32_t)1U * (uint32_t)1U; + uint8_t *final; + Lib_IntVector_Intrinsics_vec128_store32_le(first, row0[0U]); + Lib_IntVector_Intrinsics_vec128_store32_le(second, row1[0U]); + final = b; + memcpy(dst, final, (uint32_t)32U * sizeof (uint8_t)); + Lib_Memzero0_memzero(b, double_row * sizeof (b[0U])); + } + } +} + +uint64_t 
+Hacl_Hash_Blake2s_128_update_multi_blake2s_128( + Lib_IntVector_Intrinsics_vec128 *s, + uint64_t ev, + uint8_t *blocks, + uint32_t n_blocks +) +{ + { + uint32_t i; + for (i = (uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)64U; + uint8_t *block = blocks + sz * i; + uint64_t v_ = update_blake2s_128(s, ev + (uint64_t)i * (uint64_t)(uint32_t)64U, block); + } + } + return ev + (uint64_t)n_blocks * (uint64_t)(uint32_t)64U; +} + +uint64_t +Hacl_Hash_Blake2s_128_update_last_blake2s_128( + Lib_IntVector_Intrinsics_vec128 *s, + uint64_t ev, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)64U; + uint32_t blocks_len0 = blocks_n * (uint32_t)64U; + uint32_t rest_len0 = input_len - blocks_len0; + K___uint32_t_uint32_t_uint32_t scrut0; + if (rest_len0 == (uint32_t)0U && blocks_n > (uint32_t)0U) + { + uint32_t blocks_n1 = blocks_n - (uint32_t)1U; + uint32_t blocks_len1 = blocks_len0 - (uint32_t)64U; + uint32_t rest_len1 = (uint32_t)64U; + K___uint32_t_uint32_t_uint32_t lit; + lit.fst = blocks_n1; + lit.snd = blocks_len1; + lit.thd = rest_len1; + scrut0 = lit; + } + else + { + K___uint32_t_uint32_t_uint32_t lit; + lit.fst = blocks_n; + lit.snd = blocks_len0; + lit.thd = rest_len0; + scrut0 = lit; + } + { + uint32_t num_blocks0 = scrut0.fst; + uint32_t blocks_len = scrut0.snd; + uint32_t rest_len1 = scrut0.thd; + uint8_t *blocks0 = input; + uint8_t *rest0 = input + blocks_len; + K___uint32_t_uint32_t_uint32_t__uint8_t___uint8_t_ lit; + K___uint32_t_uint32_t_uint32_t__uint8_t___uint8_t_ scrut; + uint32_t num_blocks; + uint32_t rest_len; + uint8_t *blocks; + uint8_t *rest; + uint64_t ev_; + lit.fst = num_blocks0; + lit.snd = blocks_len; + lit.thd = rest_len1; + lit.f3 = blocks0; + lit.f4 = rest0; + scrut = lit; + num_blocks = scrut.fst; + rest_len = scrut.thd; + blocks = scrut.f3; + rest = scrut.f4; + ev_ = Hacl_Hash_Blake2s_128_update_multi_blake2s_128(s, ev, blocks, num_blocks); + KRML_CHECK_SIZE(sizeof 
(Lib_IntVector_Intrinsics_vec128), (uint32_t)4U * (uint32_t)1U); + { + Lib_IntVector_Intrinsics_vec128 wv[(uint32_t)4U * (uint32_t)1U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + wv[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + { + uint8_t tmp[64U] = { 0U }; + uint8_t *tmp_rest = tmp; + uint64_t totlen; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + totlen = ev_ + (uint64_t)rest_len; + { + uint32_t m_w[16U] = { 0U }; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = m_w; + uint8_t *bj = tmp + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + } + { + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_zero; + uint32_t wv_14 = (uint32_t)0xFFFFFFFFU; + uint32_t wv_15 = (uint32_t)0U; + Lib_IntVector_Intrinsics_vec128 *wv3; + Lib_IntVector_Intrinsics_vec128 *s00; + Lib_IntVector_Intrinsics_vec128 *s16; + Lib_IntVector_Intrinsics_vec128 *r00; + Lib_IntVector_Intrinsics_vec128 *r10; + Lib_IntVector_Intrinsics_vec128 *r20; + Lib_IntVector_Intrinsics_vec128 *r30; + mask = + Lib_IntVector_Intrinsics_vec128_load32s((uint32_t)totlen, + (uint32_t)(totlen >> (uint32_t)32U), + wv_14, + wv_15); + memcpy(wv, s, (uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec128)); + wv3 = wv + (uint32_t)3U * (uint32_t)1U; + wv3[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv3[0U], mask); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)10U; i++) + { + uint32_t start_idx = i % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec128), + (uint32_t)4U * (uint32_t)1U); + { + Lib_IntVector_Intrinsics_vec128 m_st[(uint32_t)4U * (uint32_t)1U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + m_st[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + { + Lib_IntVector_Intrinsics_vec128 *r0 = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r1 = m_st + 
(uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r21 = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r31 = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + r0[0U] = + Lib_IntVector_Intrinsics_vec128_load32s(m_w[s0], + m_w[s2], + m_w[s4], + m_w[s6]); + r1[0U] = + Lib_IntVector_Intrinsics_vec128_load32s(m_w[s1], + m_w[s3], + m_w[s5], + m_w[s7]); + r21[0U] = + Lib_IntVector_Intrinsics_vec128_load32s(m_w[s8], + m_w[s10], + m_w[s12], + m_w[s14]); + r31[0U] = + Lib_IntVector_Intrinsics_vec128_load32s(m_w[s9], + m_w[s11], + m_w[s13], + m_w[s15]); + { + Lib_IntVector_Intrinsics_vec128 *x = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *y = m_st + 
(uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *z = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *w = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d0 = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec128 *wv_a0 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b0 = wv + b0 * (uint32_t)1U; + wv_a0[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a0[0U], wv_b0[0U]); + wv_a0[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a0[0U], x[0U]); + { + Lib_IntVector_Intrinsics_vec128 *wv_a1 = wv + d0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b1 = wv + a * (uint32_t)1U; + wv_a1[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a1[0U], wv_b1[0U]); + wv_a1[0U] = + Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a1[0U], + (uint32_t)16U); + { + Lib_IntVector_Intrinsics_vec128 *wv_a2 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b2 = wv + d0 * (uint32_t)1U; + wv_a2[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a2[0U], wv_b2[0U]); + { + Lib_IntVector_Intrinsics_vec128 *wv_a3 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b3 = wv + c0 * (uint32_t)1U; + wv_a3[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a3[0U], wv_b3[0U]); + wv_a3[0U] = + Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a3[0U], + (uint32_t)12U); + { + Lib_IntVector_Intrinsics_vec128 *wv_a4 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b4 = wv + b0 * (uint32_t)1U; + wv_a4[0U] = + Lib_IntVector_Intrinsics_vec128_add32(wv_a4[0U], + wv_b4[0U]); + wv_a4[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a4[0U], y[0U]); + { + Lib_IntVector_Intrinsics_vec128 *wv_a5 = wv + d0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b5 = wv + a * (uint32_t)1U; + wv_a5[0U] = + Lib_IntVector_Intrinsics_vec128_xor(wv_a5[0U], + wv_b5[0U]); + wv_a5[0U] = + Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a5[0U], + (uint32_t)8U); + { + 
Lib_IntVector_Intrinsics_vec128 *wv_a6 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b6 = wv + d0 * (uint32_t)1U; + wv_a6[0U] = + Lib_IntVector_Intrinsics_vec128_add32(wv_a6[0U], + wv_b6[0U]); + { + Lib_IntVector_Intrinsics_vec128 *wv_a7 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b7 = wv + c0 * (uint32_t)1U; + wv_a7[0U] = + Lib_IntVector_Intrinsics_vec128_xor(wv_a7[0U], + wv_b7[0U]); + wv_a7[0U] = + Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a7[0U], + (uint32_t)7U); + { + Lib_IntVector_Intrinsics_vec128 + *r11 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *r22 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *r32 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 v00 = r11[0U]; + Lib_IntVector_Intrinsics_vec128 + v1 = + Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v00, + (uint32_t)1U); + r11[0U] = v1; + { + Lib_IntVector_Intrinsics_vec128 v01 = r22[0U]; + Lib_IntVector_Intrinsics_vec128 + v10 = + Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v01, + (uint32_t)2U); + r22[0U] = v10; + { + Lib_IntVector_Intrinsics_vec128 v02 = r32[0U]; + Lib_IntVector_Intrinsics_vec128 + v11 = + Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v02, + (uint32_t)3U); + r32[0U] = v11; + { + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec128 + *wv_a = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *wv_b8 = wv + b * (uint32_t)1U; + wv_a[0U] = + Lib_IntVector_Intrinsics_vec128_add32(wv_a[0U], + wv_b8[0U]); + wv_a[0U] = + Lib_IntVector_Intrinsics_vec128_add32(wv_a[0U], + z[0U]); + { + Lib_IntVector_Intrinsics_vec128 + *wv_a8 = wv + d * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *wv_b9 = wv + a0 * (uint32_t)1U; + wv_a8[0U] = + Lib_IntVector_Intrinsics_vec128_xor(wv_a8[0U], + wv_b9[0U]); + wv_a8[0U] = + 
Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a8[0U], + (uint32_t)16U); + { + Lib_IntVector_Intrinsics_vec128 + *wv_a9 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *wv_b10 = wv + d * (uint32_t)1U; + wv_a9[0U] = + Lib_IntVector_Intrinsics_vec128_add32(wv_a9[0U], + wv_b10[0U]); + { + Lib_IntVector_Intrinsics_vec128 + *wv_a10 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *wv_b11 = wv + c * (uint32_t)1U; + wv_a10[0U] = + Lib_IntVector_Intrinsics_vec128_xor(wv_a10[0U], + wv_b11[0U]); + wv_a10[0U] = + Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a10[0U], + (uint32_t)12U); + { + Lib_IntVector_Intrinsics_vec128 + *wv_a11 = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *wv_b12 = wv + b * (uint32_t)1U; + wv_a11[0U] = + Lib_IntVector_Intrinsics_vec128_add32(wv_a11[0U], + wv_b12[0U]); + wv_a11[0U] = + Lib_IntVector_Intrinsics_vec128_add32(wv_a11[0U], + w[0U]); + { + Lib_IntVector_Intrinsics_vec128 + *wv_a12 = wv + d * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *wv_b13 = wv + a0 * (uint32_t)1U; + wv_a12[0U] = + Lib_IntVector_Intrinsics_vec128_xor(wv_a12[0U], + wv_b13[0U]); + wv_a12[0U] = + Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a12[0U], + (uint32_t)8U); + { + Lib_IntVector_Intrinsics_vec128 + *wv_a13 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *wv_b14 = wv + d * (uint32_t)1U; + wv_a13[0U] = + Lib_IntVector_Intrinsics_vec128_add32(wv_a13[0U], + wv_b14[0U]); + { + Lib_IntVector_Intrinsics_vec128 + *wv_a14 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *wv_b = wv + c * (uint32_t)1U; + wv_a14[0U] = + Lib_IntVector_Intrinsics_vec128_xor(wv_a14[0U], + wv_b[0U]); + wv_a14[0U] = + Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a14[0U], + (uint32_t)7U); + { + Lib_IntVector_Intrinsics_vec128 + *r12 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *r3 = wv + (uint32_t)3U * (uint32_t)1U; 
+ Lib_IntVector_Intrinsics_vec128 + v0 = r12[0U]; + Lib_IntVector_Intrinsics_vec128 + v12 = + Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v0, + (uint32_t)3U); + r12[0U] = v12; + { + Lib_IntVector_Intrinsics_vec128 + v03 = r2[0U]; + Lib_IntVector_Intrinsics_vec128 + v13 = + Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v03, + (uint32_t)2U); + r2[0U] = v13; + { + Lib_IntVector_Intrinsics_vec128 + v04 = r3[0U]; + Lib_IntVector_Intrinsics_vec128 + v14 = + Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v04, + (uint32_t)1U); + r3[0U] = v14; + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + s00 = s + (uint32_t)0U * (uint32_t)1U; + s16 = s + (uint32_t)1U * (uint32_t)1U; + r00 = wv + (uint32_t)0U * (uint32_t)1U; + r10 = wv + (uint32_t)1U * (uint32_t)1U; + r20 = wv + (uint32_t)2U * (uint32_t)1U; + r30 = wv + (uint32_t)3U * (uint32_t)1U; + s00[0U] = Lib_IntVector_Intrinsics_vec128_xor(s00[0U], r00[0U]); + s00[0U] = Lib_IntVector_Intrinsics_vec128_xor(s00[0U], r20[0U]); + s16[0U] = Lib_IntVector_Intrinsics_vec128_xor(s16[0U], r10[0U]); + s16[0U] = Lib_IntVector_Intrinsics_vec128_xor(s16[0U], r30[0U]); + return (uint64_t)0U; + } + } + } + } + } +} + +void Hacl_Hash_Blake2s_128_hash_blake2s_128(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + Hacl_Blake2s_128_blake2s((uint32_t)32U, dst, input_len, input, (uint32_t)0U, NULL); +} + +static inline void +blake2s_update_block( + Lib_IntVector_Intrinsics_vec128 *wv, + Lib_IntVector_Intrinsics_vec128 *hash, + bool flag, + uint64_t totlen, + uint8_t *d +) +{ + uint32_t m_w[16U] = { 0U }; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = m_w; + uint8_t *bj = d + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + } + { + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_zero; + uint32_t wv_14; + if (flag) + { + wv_14 = (uint32_t)0xFFFFFFFFU; + } + 
else + { + wv_14 = (uint32_t)0U; + } + { + uint32_t wv_15 = (uint32_t)0U; + Lib_IntVector_Intrinsics_vec128 *wv3; + Lib_IntVector_Intrinsics_vec128 *s00; + Lib_IntVector_Intrinsics_vec128 *s16; + Lib_IntVector_Intrinsics_vec128 *r00; + Lib_IntVector_Intrinsics_vec128 *r10; + Lib_IntVector_Intrinsics_vec128 *r20; + Lib_IntVector_Intrinsics_vec128 *r30; + mask = + Lib_IntVector_Intrinsics_vec128_load32s((uint32_t)totlen, + (uint32_t)(totlen >> (uint32_t)32U), + wv_14, + wv_15); + memcpy(wv, hash, (uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec128)); + wv3 = wv + (uint32_t)3U * (uint32_t)1U; + wv3[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv3[0U], mask); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)10U; i++) + { + uint32_t start_idx = i % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec128), (uint32_t)4U * (uint32_t)1U); + { + Lib_IntVector_Intrinsics_vec128 m_st[(uint32_t)4U * (uint32_t)1U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + m_st[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + { + Lib_IntVector_Intrinsics_vec128 *r0 = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r1 = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r21 = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r31 = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = 
Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s0], m_w[s2], m_w[s4], m_w[s6]); + r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s1], m_w[s3], m_w[s5], m_w[s7]); + r21[0U] = + Lib_IntVector_Intrinsics_vec128_load32s(m_w[s8], + m_w[s10], + m_w[s12], + m_w[s14]); + r31[0U] = + Lib_IntVector_Intrinsics_vec128_load32s(m_w[s9], + m_w[s11], + m_w[s13], + m_w[s15]); + { + Lib_IntVector_Intrinsics_vec128 *x = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *y = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *z = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *w = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d10 = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec128 *wv_a0 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b0 = wv + b0 * (uint32_t)1U; + wv_a0[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a0[0U], wv_b0[0U]); + wv_a0[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a0[0U], x[0U]); + { + Lib_IntVector_Intrinsics_vec128 *wv_a1 = wv + d10 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b1 = wv + a * (uint32_t)1U; + wv_a1[0U] = 
Lib_IntVector_Intrinsics_vec128_xor(wv_a1[0U], wv_b1[0U]); + wv_a1[0U] = + Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a1[0U], + (uint32_t)16U); + { + Lib_IntVector_Intrinsics_vec128 *wv_a2 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b2 = wv + d10 * (uint32_t)1U; + wv_a2[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a2[0U], wv_b2[0U]); + { + Lib_IntVector_Intrinsics_vec128 *wv_a3 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b3 = wv + c0 * (uint32_t)1U; + wv_a3[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a3[0U], wv_b3[0U]); + wv_a3[0U] = + Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a3[0U], + (uint32_t)12U); + { + Lib_IntVector_Intrinsics_vec128 *wv_a4 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b4 = wv + b0 * (uint32_t)1U; + wv_a4[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a4[0U], wv_b4[0U]); + wv_a4[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a4[0U], y[0U]); + { + Lib_IntVector_Intrinsics_vec128 *wv_a5 = wv + d10 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b5 = wv + a * (uint32_t)1U; + wv_a5[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a5[0U], wv_b5[0U]); + wv_a5[0U] = + Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a5[0U], + (uint32_t)8U); + { + Lib_IntVector_Intrinsics_vec128 *wv_a6 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b6 = wv + d10 * (uint32_t)1U; + wv_a6[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a6[0U], wv_b6[0U]); + { + Lib_IntVector_Intrinsics_vec128 *wv_a7 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b7 = wv + c0 * (uint32_t)1U; + wv_a7[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a7[0U], wv_b7[0U]); + wv_a7[0U] = + Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a7[0U], + (uint32_t)7U); + { + Lib_IntVector_Intrinsics_vec128 + *r11 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *r22 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *r32 = wv + (uint32_t)3U * 
(uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 v00 = r11[0U]; + Lib_IntVector_Intrinsics_vec128 + v1 = + Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v00, + (uint32_t)1U); + r11[0U] = v1; + { + Lib_IntVector_Intrinsics_vec128 v01 = r22[0U]; + Lib_IntVector_Intrinsics_vec128 + v10 = + Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v01, + (uint32_t)2U); + r22[0U] = v10; + { + Lib_IntVector_Intrinsics_vec128 v02 = r32[0U]; + Lib_IntVector_Intrinsics_vec128 + v11 = + Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v02, + (uint32_t)3U); + r32[0U] = v11; + { + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d1 = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec128 + *wv_a = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *wv_b8 = wv + b * (uint32_t)1U; + wv_a[0U] = + Lib_IntVector_Intrinsics_vec128_add32(wv_a[0U], + wv_b8[0U]); + wv_a[0U] = + Lib_IntVector_Intrinsics_vec128_add32(wv_a[0U], + z[0U]); + { + Lib_IntVector_Intrinsics_vec128 + *wv_a8 = wv + d1 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *wv_b9 = wv + a0 * (uint32_t)1U; + wv_a8[0U] = + Lib_IntVector_Intrinsics_vec128_xor(wv_a8[0U], + wv_b9[0U]); + wv_a8[0U] = + Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a8[0U], + (uint32_t)16U); + { + Lib_IntVector_Intrinsics_vec128 + *wv_a9 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *wv_b10 = wv + d1 * (uint32_t)1U; + wv_a9[0U] = + Lib_IntVector_Intrinsics_vec128_add32(wv_a9[0U], + wv_b10[0U]); + { + Lib_IntVector_Intrinsics_vec128 + *wv_a10 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *wv_b11 = wv + c * (uint32_t)1U; + wv_a10[0U] = + Lib_IntVector_Intrinsics_vec128_xor(wv_a10[0U], + wv_b11[0U]); + wv_a10[0U] = + Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a10[0U], + (uint32_t)12U); + { + Lib_IntVector_Intrinsics_vec128 + *wv_a11 = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *wv_b12 = wv + b * (uint32_t)1U; + wv_a11[0U] = + 
Lib_IntVector_Intrinsics_vec128_add32(wv_a11[0U], + wv_b12[0U]); + wv_a11[0U] = + Lib_IntVector_Intrinsics_vec128_add32(wv_a11[0U], + w[0U]); + { + Lib_IntVector_Intrinsics_vec128 + *wv_a12 = wv + d1 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *wv_b13 = wv + a0 * (uint32_t)1U; + wv_a12[0U] = + Lib_IntVector_Intrinsics_vec128_xor(wv_a12[0U], + wv_b13[0U]); + wv_a12[0U] = + Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a12[0U], + (uint32_t)8U); + { + Lib_IntVector_Intrinsics_vec128 + *wv_a13 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *wv_b14 = wv + d1 * (uint32_t)1U; + wv_a13[0U] = + Lib_IntVector_Intrinsics_vec128_add32(wv_a13[0U], + wv_b14[0U]); + { + Lib_IntVector_Intrinsics_vec128 + *wv_a14 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *wv_b = wv + c * (uint32_t)1U; + wv_a14[0U] = + Lib_IntVector_Intrinsics_vec128_xor(wv_a14[0U], + wv_b[0U]); + wv_a14[0U] = + Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a14[0U], + (uint32_t)7U); + { + Lib_IntVector_Intrinsics_vec128 + *r12 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 + *r3 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 v0 = r12[0U]; + Lib_IntVector_Intrinsics_vec128 + v12 = + Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v0, + (uint32_t)3U); + r12[0U] = v12; + { + Lib_IntVector_Intrinsics_vec128 + v03 = r2[0U]; + Lib_IntVector_Intrinsics_vec128 + v13 = + Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v03, + (uint32_t)2U); + r2[0U] = v13; + { + Lib_IntVector_Intrinsics_vec128 + v04 = r3[0U]; + Lib_IntVector_Intrinsics_vec128 + v14 = + Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v04, + (uint32_t)1U); + r3[0U] = v14; + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + s00 = hash + (uint32_t)0U * (uint32_t)1U; + s16 = hash + (uint32_t)1U * (uint32_t)1U; + r00 = wv + 
(uint32_t)0U * (uint32_t)1U; + r10 = wv + (uint32_t)1U * (uint32_t)1U; + r20 = wv + (uint32_t)2U * (uint32_t)1U; + r30 = wv + (uint32_t)3U * (uint32_t)1U; + s00[0U] = Lib_IntVector_Intrinsics_vec128_xor(s00[0U], r00[0U]); + s00[0U] = Lib_IntVector_Intrinsics_vec128_xor(s00[0U], r20[0U]); + s16[0U] = Lib_IntVector_Intrinsics_vec128_xor(s16[0U], r10[0U]); + s16[0U] = Lib_IntVector_Intrinsics_vec128_xor(s16[0U], r30[0U]); + } + } +} + +void +Hacl_Blake2s_128_blake2s_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t kk, uint32_t nn) +{ + Lib_IntVector_Intrinsics_vec128 *r0 = hash + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r1 = hash + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r2 = hash + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r3 = hash + (uint32_t)3U * (uint32_t)1U; + uint32_t iv0 = Hacl_Impl_Blake2_Constants_ivTable_S[0U]; + uint32_t iv1 = Hacl_Impl_Blake2_Constants_ivTable_S[1U]; + uint32_t iv2 = Hacl_Impl_Blake2_Constants_ivTable_S[2U]; + uint32_t iv3 = Hacl_Impl_Blake2_Constants_ivTable_S[3U]; + uint32_t iv4 = Hacl_Impl_Blake2_Constants_ivTable_S[4U]; + uint32_t iv5 = Hacl_Impl_Blake2_Constants_ivTable_S[5U]; + uint32_t iv6 = Hacl_Impl_Blake2_Constants_ivTable_S[6U]; + uint32_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; + uint32_t kk_shift_8; + uint32_t iv0_; + r2[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0, iv1, iv2, iv3); + r3[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); + kk_shift_8 = kk << (uint32_t)8U; + iv0_ = iv0 ^ ((uint32_t)0x01010000U ^ (kk_shift_8 ^ nn)); + r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0_, iv1, iv2, iv3); + r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); +} + +void +Hacl_Blake2s_128_blake2s_update_key( + Lib_IntVector_Intrinsics_vec128 *wv, + Lib_IntVector_Intrinsics_vec128 *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll +) +{ + uint64_t lb = (uint64_t)(uint32_t)64U; + uint8_t b[64U] = { 0U }; + memcpy(b, 
k, kk * sizeof (uint8_t)); + if (ll == (uint32_t)0U) + { + blake2s_update_block(wv, hash, true, lb, b); + } + else + { + blake2s_update_block(wv, hash, false, lb, b); + } + Lib_Memzero0_memzero(b, (uint32_t)64U * sizeof (b[0U])); +} + +void +Hacl_Blake2s_128_blake2s_update_multi( + uint32_t len, + Lib_IntVector_Intrinsics_vec128 *wv, + Lib_IntVector_Intrinsics_vec128 *hash, + uint64_t prev, + uint8_t *blocks, + uint32_t nb +) +{ + uint32_t i; + for (i = (uint32_t)0U; i < nb; i++) + { + uint64_t totlen = prev + (uint64_t)((i + (uint32_t)1U) * (uint32_t)64U); + uint8_t *b = blocks + i * (uint32_t)64U; + blake2s_update_block(wv, hash, false, totlen, b); + } +} + +void +Hacl_Blake2s_128_blake2s_update_last( + uint32_t len, + Lib_IntVector_Intrinsics_vec128 *wv, + Lib_IntVector_Intrinsics_vec128 *hash, + uint64_t prev, + uint32_t rem, + uint8_t *d +) +{ + uint8_t b[64U] = { 0U }; + uint8_t *last = d + len - rem; + uint64_t totlen; + memcpy(b, last, rem * sizeof (uint8_t)); + totlen = prev + (uint64_t)len; + blake2s_update_block(wv, hash, true, totlen, b); + Lib_Memzero0_memzero(b, (uint32_t)64U * sizeof (b[0U])); +} + +static inline void +blake2s_update_blocks( + uint32_t len, + Lib_IntVector_Intrinsics_vec128 *wv, + Lib_IntVector_Intrinsics_vec128 *hash, + uint64_t prev, + uint8_t *blocks +) +{ + uint32_t nb0 = len / (uint32_t)64U; + uint32_t rem0 = len % (uint32_t)64U; + K___uint32_t_uint32_t scrut; + if (rem0 == (uint32_t)0U && nb0 > (uint32_t)0U) + { + uint32_t nb_ = nb0 - (uint32_t)1U; + uint32_t rem_ = (uint32_t)64U; + K___uint32_t_uint32_t lit; + lit.fst = nb_; + lit.snd = rem_; + scrut = lit; + } + else + { + K___uint32_t_uint32_t lit; + lit.fst = nb0; + lit.snd = rem0; + scrut = lit; + } + { + uint32_t nb = scrut.fst; + uint32_t rem = scrut.snd; + Hacl_Blake2s_128_blake2s_update_multi(len, wv, hash, prev, blocks, nb); + Hacl_Blake2s_128_blake2s_update_last(len, wv, hash, prev, rem, blocks); + } +} + +static inline void +blake2s_update( + 
Lib_IntVector_Intrinsics_vec128 *wv, + Lib_IntVector_Intrinsics_vec128 *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll, + uint8_t *d +) +{ + uint64_t lb = (uint64_t)(uint32_t)64U; + if (kk > (uint32_t)0U) + { + Hacl_Blake2s_128_blake2s_update_key(wv, hash, kk, k, ll); + if (!(ll == (uint32_t)0U)) + { + blake2s_update_blocks(ll, wv, hash, lb, d); + return; + } + return; + } + blake2s_update_blocks(ll, wv, hash, (uint64_t)(uint32_t)0U, d); +} + +void +Hacl_Blake2s_128_blake2s_finish( + uint32_t nn, + uint8_t *output, + Lib_IntVector_Intrinsics_vec128 *hash +) +{ + uint32_t double_row = (uint32_t)2U * ((uint32_t)4U * (uint32_t)4U); + KRML_CHECK_SIZE(sizeof (uint8_t), double_row); + { + uint8_t b[double_row]; + memset(b, 0U, double_row * sizeof (uint8_t)); + { + uint8_t *first = b; + uint8_t *second = b + (uint32_t)4U * (uint32_t)4U; + Lib_IntVector_Intrinsics_vec128 *row0 = hash + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *row1 = hash + (uint32_t)1U * (uint32_t)1U; + uint8_t *final; + Lib_IntVector_Intrinsics_vec128_store32_le(first, row0[0U]); + Lib_IntVector_Intrinsics_vec128_store32_le(second, row1[0U]); + final = b; + memcpy(output, final, nn * sizeof (uint8_t)); + Lib_Memzero0_memzero(b, double_row * sizeof (b[0U])); + } + } +} + +void +Hacl_Blake2s_128_blake2s( + uint32_t nn, + uint8_t *output, + uint32_t ll, + uint8_t *d, + uint32_t kk, + uint8_t *k +) +{ + uint32_t stlen = (uint32_t)4U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 stzero = Lib_IntVector_Intrinsics_vec128_zero; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec128), stlen); + { + Lib_IntVector_Intrinsics_vec128 b[stlen]; + { + uint32_t _i; + for (_i = 0U; _i < stlen; ++_i) + b[_i] = stzero; + } + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec128), stlen); + { + Lib_IntVector_Intrinsics_vec128 b1[stlen]; + { + uint32_t _i; + for (_i = 0U; _i < stlen; ++_i) + b1[_i] = stzero; + } + Hacl_Blake2s_128_blake2s_init(b, kk, nn); + blake2s_update(b1, b, kk, k, ll, 
d);
+ Hacl_Blake2s_128_blake2s_finish(nn, output, b);
+ Lib_Memzero0_memzero(b1, stlen * sizeof (b1[0U]));
+ Lib_Memzero0_memzero(b, stlen * sizeof (b[0U]));
+ }
+ }
+}
+
diff --git a/src/c89/Hacl_Hash_MD5.c b/src/c89/Hacl_Hash_MD5.c
new file mode 100644
index 00000000..ce0305c6
--- /dev/null
+++ b/src/c89/Hacl_Hash_MD5.c
@@ -0,0 +1,1732 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */ + + +#include "internal/Hacl_Hash_MD5.h" + + + +static uint32_t +_h0[4U] = + { (uint32_t)0x67452301U, (uint32_t)0xefcdab89U, (uint32_t)0x98badcfeU, (uint32_t)0x10325476U }; + +static uint32_t +_t[64U] = + { + (uint32_t)0xd76aa478U, (uint32_t)0xe8c7b756U, (uint32_t)0x242070dbU, (uint32_t)0xc1bdceeeU, + (uint32_t)0xf57c0fafU, (uint32_t)0x4787c62aU, (uint32_t)0xa8304613U, (uint32_t)0xfd469501U, + (uint32_t)0x698098d8U, (uint32_t)0x8b44f7afU, (uint32_t)0xffff5bb1U, (uint32_t)0x895cd7beU, + (uint32_t)0x6b901122U, (uint32_t)0xfd987193U, (uint32_t)0xa679438eU, (uint32_t)0x49b40821U, + (uint32_t)0xf61e2562U, (uint32_t)0xc040b340U, (uint32_t)0x265e5a51U, (uint32_t)0xe9b6c7aaU, + (uint32_t)0xd62f105dU, (uint32_t)0x02441453U, (uint32_t)0xd8a1e681U, (uint32_t)0xe7d3fbc8U, + (uint32_t)0x21e1cde6U, (uint32_t)0xc33707d6U, (uint32_t)0xf4d50d87U, (uint32_t)0x455a14edU, + (uint32_t)0xa9e3e905U, (uint32_t)0xfcefa3f8U, (uint32_t)0x676f02d9U, (uint32_t)0x8d2a4c8aU, + (uint32_t)0xfffa3942U, (uint32_t)0x8771f681U, (uint32_t)0x6d9d6122U, (uint32_t)0xfde5380cU, + (uint32_t)0xa4beea44U, (uint32_t)0x4bdecfa9U, (uint32_t)0xf6bb4b60U, (uint32_t)0xbebfbc70U, + (uint32_t)0x289b7ec6U, (uint32_t)0xeaa127faU, (uint32_t)0xd4ef3085U, (uint32_t)0x4881d05U, + (uint32_t)0xd9d4d039U, (uint32_t)0xe6db99e5U, (uint32_t)0x1fa27cf8U, (uint32_t)0xc4ac5665U, + (uint32_t)0xf4292244U, (uint32_t)0x432aff97U, (uint32_t)0xab9423a7U, (uint32_t)0xfc93a039U, + (uint32_t)0x655b59c3U, (uint32_t)0x8f0ccc92U, (uint32_t)0xffeff47dU, (uint32_t)0x85845dd1U, + (uint32_t)0x6fa87e4fU, (uint32_t)0xfe2ce6e0U, (uint32_t)0xa3014314U, (uint32_t)0x4e0811a1U, + (uint32_t)0xf7537e82U, (uint32_t)0xbd3af235U, (uint32_t)0x2ad7d2bbU, (uint32_t)0xeb86d391U + }; + +void Hacl_Hash_Core_MD5_legacy_init(uint32_t *s) +{ + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + s[i] = _h0[i]; + } +} + +void Hacl_Hash_Core_MD5_legacy_update(uint32_t *abcd, uint8_t *x) +{ + uint32_t aa = abcd[0U]; + uint32_t bb = abcd[1U]; + uint32_t 
cc = abcd[2U]; + uint32_t dd = abcd[3U]; + uint32_t va0 = abcd[0U]; + uint32_t vb0 = abcd[1U]; + uint32_t vc0 = abcd[2U]; + uint32_t vd0 = abcd[3U]; + uint8_t *b0 = x; + uint32_t u0 = load32_le(b0); + uint32_t xk0 = u0; + uint32_t ti0 = _t[0U]; + uint32_t + v0 = + vb0 + + + ((va0 + ((vb0 & vc0) | (~vb0 & vd0)) + xk0 + ti0) + << (uint32_t)7U + | (va0 + ((vb0 & vc0) | (~vb0 & vd0)) + xk0 + ti0) >> (uint32_t)25U); + uint32_t va1; + uint32_t vb1; + uint32_t vc1; + uint32_t vd1; + uint8_t *b1; + uint32_t u1; + uint32_t xk1; + uint32_t ti1; + uint32_t v1; + uint32_t va2; + uint32_t vb2; + uint32_t vc2; + uint32_t vd2; + uint8_t *b2; + uint32_t u2; + uint32_t xk2; + uint32_t ti2; + uint32_t v2; + uint32_t va3; + uint32_t vb3; + uint32_t vc3; + uint32_t vd3; + uint8_t *b3; + uint32_t u3; + uint32_t xk3; + uint32_t ti3; + uint32_t v3; + uint32_t va4; + uint32_t vb4; + uint32_t vc4; + uint32_t vd4; + uint8_t *b4; + uint32_t u4; + uint32_t xk4; + uint32_t ti4; + uint32_t v4; + uint32_t va5; + uint32_t vb5; + uint32_t vc5; + uint32_t vd5; + uint8_t *b5; + uint32_t u5; + uint32_t xk5; + uint32_t ti5; + uint32_t v5; + uint32_t va6; + uint32_t vb6; + uint32_t vc6; + uint32_t vd6; + uint8_t *b6; + uint32_t u6; + uint32_t xk6; + uint32_t ti6; + uint32_t v6; + uint32_t va7; + uint32_t vb7; + uint32_t vc7; + uint32_t vd7; + uint8_t *b7; + uint32_t u7; + uint32_t xk7; + uint32_t ti7; + uint32_t v7; + uint32_t va8; + uint32_t vb8; + uint32_t vc8; + uint32_t vd8; + uint8_t *b8; + uint32_t u8; + uint32_t xk8; + uint32_t ti8; + uint32_t v8; + uint32_t va9; + uint32_t vb9; + uint32_t vc9; + uint32_t vd9; + uint8_t *b9; + uint32_t u9; + uint32_t xk9; + uint32_t ti9; + uint32_t v9; + uint32_t va10; + uint32_t vb10; + uint32_t vc10; + uint32_t vd10; + uint8_t *b10; + uint32_t u10; + uint32_t xk10; + uint32_t ti10; + uint32_t v10; + uint32_t va11; + uint32_t vb11; + uint32_t vc11; + uint32_t vd11; + uint8_t *b11; + uint32_t u11; + uint32_t xk11; + uint32_t ti11; + uint32_t v11; + uint32_t 
va12; + uint32_t vb12; + uint32_t vc12; + uint32_t vd12; + uint8_t *b12; + uint32_t u12; + uint32_t xk12; + uint32_t ti12; + uint32_t v12; + uint32_t va13; + uint32_t vb13; + uint32_t vc13; + uint32_t vd13; + uint8_t *b13; + uint32_t u13; + uint32_t xk13; + uint32_t ti13; + uint32_t v13; + uint32_t va14; + uint32_t vb14; + uint32_t vc14; + uint32_t vd14; + uint8_t *b14; + uint32_t u14; + uint32_t xk14; + uint32_t ti14; + uint32_t v14; + uint32_t va15; + uint32_t vb15; + uint32_t vc15; + uint32_t vd15; + uint8_t *b15; + uint32_t u15; + uint32_t xk15; + uint32_t ti15; + uint32_t v15; + uint32_t va16; + uint32_t vb16; + uint32_t vc16; + uint32_t vd16; + uint8_t *b16; + uint32_t u16; + uint32_t xk16; + uint32_t ti16; + uint32_t v16; + uint32_t va17; + uint32_t vb17; + uint32_t vc17; + uint32_t vd17; + uint8_t *b17; + uint32_t u17; + uint32_t xk17; + uint32_t ti17; + uint32_t v17; + uint32_t va18; + uint32_t vb18; + uint32_t vc18; + uint32_t vd18; + uint8_t *b18; + uint32_t u18; + uint32_t xk18; + uint32_t ti18; + uint32_t v18; + uint32_t va19; + uint32_t vb19; + uint32_t vc19; + uint32_t vd19; + uint8_t *b19; + uint32_t u19; + uint32_t xk19; + uint32_t ti19; + uint32_t v19; + uint32_t va20; + uint32_t vb20; + uint32_t vc20; + uint32_t vd20; + uint8_t *b20; + uint32_t u20; + uint32_t xk20; + uint32_t ti20; + uint32_t v20; + uint32_t va21; + uint32_t vb21; + uint32_t vc21; + uint32_t vd21; + uint8_t *b21; + uint32_t u21; + uint32_t xk21; + uint32_t ti21; + uint32_t v21; + uint32_t va22; + uint32_t vb22; + uint32_t vc22; + uint32_t vd22; + uint8_t *b22; + uint32_t u22; + uint32_t xk22; + uint32_t ti22; + uint32_t v22; + uint32_t va23; + uint32_t vb23; + uint32_t vc23; + uint32_t vd23; + uint8_t *b23; + uint32_t u23; + uint32_t xk23; + uint32_t ti23; + uint32_t v23; + uint32_t va24; + uint32_t vb24; + uint32_t vc24; + uint32_t vd24; + uint8_t *b24; + uint32_t u24; + uint32_t xk24; + uint32_t ti24; + uint32_t v24; + uint32_t va25; + uint32_t vb25; + uint32_t vc25; + 
uint32_t vd25; + uint8_t *b25; + uint32_t u25; + uint32_t xk25; + uint32_t ti25; + uint32_t v25; + uint32_t va26; + uint32_t vb26; + uint32_t vc26; + uint32_t vd26; + uint8_t *b26; + uint32_t u26; + uint32_t xk26; + uint32_t ti26; + uint32_t v26; + uint32_t va27; + uint32_t vb27; + uint32_t vc27; + uint32_t vd27; + uint8_t *b27; + uint32_t u27; + uint32_t xk27; + uint32_t ti27; + uint32_t v27; + uint32_t va28; + uint32_t vb28; + uint32_t vc28; + uint32_t vd28; + uint8_t *b28; + uint32_t u28; + uint32_t xk28; + uint32_t ti28; + uint32_t v28; + uint32_t va29; + uint32_t vb29; + uint32_t vc29; + uint32_t vd29; + uint8_t *b29; + uint32_t u29; + uint32_t xk29; + uint32_t ti29; + uint32_t v29; + uint32_t va30; + uint32_t vb30; + uint32_t vc30; + uint32_t vd30; + uint8_t *b30; + uint32_t u30; + uint32_t xk30; + uint32_t ti30; + uint32_t v30; + uint32_t va31; + uint32_t vb31; + uint32_t vc31; + uint32_t vd31; + uint8_t *b31; + uint32_t u31; + uint32_t xk31; + uint32_t ti31; + uint32_t v31; + uint32_t va32; + uint32_t vb32; + uint32_t vc32; + uint32_t vd32; + uint8_t *b32; + uint32_t u32; + uint32_t xk32; + uint32_t ti32; + uint32_t v32; + uint32_t va33; + uint32_t vb33; + uint32_t vc33; + uint32_t vd33; + uint8_t *b33; + uint32_t u33; + uint32_t xk33; + uint32_t ti33; + uint32_t v33; + uint32_t va34; + uint32_t vb34; + uint32_t vc34; + uint32_t vd34; + uint8_t *b34; + uint32_t u34; + uint32_t xk34; + uint32_t ti34; + uint32_t v34; + uint32_t va35; + uint32_t vb35; + uint32_t vc35; + uint32_t vd35; + uint8_t *b35; + uint32_t u35; + uint32_t xk35; + uint32_t ti35; + uint32_t v35; + uint32_t va36; + uint32_t vb36; + uint32_t vc36; + uint32_t vd36; + uint8_t *b36; + uint32_t u36; + uint32_t xk36; + uint32_t ti36; + uint32_t v36; + uint32_t va37; + uint32_t vb37; + uint32_t vc37; + uint32_t vd37; + uint8_t *b37; + uint32_t u37; + uint32_t xk37; + uint32_t ti37; + uint32_t v37; + uint32_t va38; + uint32_t vb38; + uint32_t vc38; + uint32_t vd38; + uint8_t *b38; + uint32_t u38; + 
uint32_t xk38; + uint32_t ti38; + uint32_t v38; + uint32_t va39; + uint32_t vb39; + uint32_t vc39; + uint32_t vd39; + uint8_t *b39; + uint32_t u39; + uint32_t xk39; + uint32_t ti39; + uint32_t v39; + uint32_t va40; + uint32_t vb40; + uint32_t vc40; + uint32_t vd40; + uint8_t *b40; + uint32_t u40; + uint32_t xk40; + uint32_t ti40; + uint32_t v40; + uint32_t va41; + uint32_t vb41; + uint32_t vc41; + uint32_t vd41; + uint8_t *b41; + uint32_t u41; + uint32_t xk41; + uint32_t ti41; + uint32_t v41; + uint32_t va42; + uint32_t vb42; + uint32_t vc42; + uint32_t vd42; + uint8_t *b42; + uint32_t u42; + uint32_t xk42; + uint32_t ti42; + uint32_t v42; + uint32_t va43; + uint32_t vb43; + uint32_t vc43; + uint32_t vd43; + uint8_t *b43; + uint32_t u43; + uint32_t xk43; + uint32_t ti43; + uint32_t v43; + uint32_t va44; + uint32_t vb44; + uint32_t vc44; + uint32_t vd44; + uint8_t *b44; + uint32_t u44; + uint32_t xk44; + uint32_t ti44; + uint32_t v44; + uint32_t va45; + uint32_t vb45; + uint32_t vc45; + uint32_t vd45; + uint8_t *b45; + uint32_t u45; + uint32_t xk45; + uint32_t ti45; + uint32_t v45; + uint32_t va46; + uint32_t vb46; + uint32_t vc46; + uint32_t vd46; + uint8_t *b46; + uint32_t u46; + uint32_t xk46; + uint32_t ti46; + uint32_t v46; + uint32_t va47; + uint32_t vb47; + uint32_t vc47; + uint32_t vd47; + uint8_t *b47; + uint32_t u47; + uint32_t xk47; + uint32_t ti47; + uint32_t v47; + uint32_t va48; + uint32_t vb48; + uint32_t vc48; + uint32_t vd48; + uint8_t *b48; + uint32_t u48; + uint32_t xk48; + uint32_t ti48; + uint32_t v48; + uint32_t va49; + uint32_t vb49; + uint32_t vc49; + uint32_t vd49; + uint8_t *b49; + uint32_t u49; + uint32_t xk49; + uint32_t ti49; + uint32_t v49; + uint32_t va50; + uint32_t vb50; + uint32_t vc50; + uint32_t vd50; + uint8_t *b50; + uint32_t u50; + uint32_t xk50; + uint32_t ti50; + uint32_t v50; + uint32_t va51; + uint32_t vb51; + uint32_t vc51; + uint32_t vd51; + uint8_t *b51; + uint32_t u51; + uint32_t xk51; + uint32_t ti51; + uint32_t v51; + 
uint32_t va52; + uint32_t vb52; + uint32_t vc52; + uint32_t vd52; + uint8_t *b52; + uint32_t u52; + uint32_t xk52; + uint32_t ti52; + uint32_t v52; + uint32_t va53; + uint32_t vb53; + uint32_t vc53; + uint32_t vd53; + uint8_t *b53; + uint32_t u53; + uint32_t xk53; + uint32_t ti53; + uint32_t v53; + uint32_t va54; + uint32_t vb54; + uint32_t vc54; + uint32_t vd54; + uint8_t *b54; + uint32_t u54; + uint32_t xk54; + uint32_t ti54; + uint32_t v54; + uint32_t va55; + uint32_t vb55; + uint32_t vc55; + uint32_t vd55; + uint8_t *b55; + uint32_t u55; + uint32_t xk55; + uint32_t ti55; + uint32_t v55; + uint32_t va56; + uint32_t vb56; + uint32_t vc56; + uint32_t vd56; + uint8_t *b56; + uint32_t u56; + uint32_t xk56; + uint32_t ti56; + uint32_t v56; + uint32_t va57; + uint32_t vb57; + uint32_t vc57; + uint32_t vd57; + uint8_t *b57; + uint32_t u57; + uint32_t xk57; + uint32_t ti57; + uint32_t v57; + uint32_t va58; + uint32_t vb58; + uint32_t vc58; + uint32_t vd58; + uint8_t *b58; + uint32_t u58; + uint32_t xk58; + uint32_t ti58; + uint32_t v58; + uint32_t va59; + uint32_t vb59; + uint32_t vc59; + uint32_t vd59; + uint8_t *b59; + uint32_t u59; + uint32_t xk59; + uint32_t ti59; + uint32_t v59; + uint32_t va60; + uint32_t vb60; + uint32_t vc60; + uint32_t vd60; + uint8_t *b60; + uint32_t u60; + uint32_t xk60; + uint32_t ti60; + uint32_t v60; + uint32_t va61; + uint32_t vb61; + uint32_t vc61; + uint32_t vd61; + uint8_t *b61; + uint32_t u61; + uint32_t xk61; + uint32_t ti61; + uint32_t v61; + uint32_t va62; + uint32_t vb62; + uint32_t vc62; + uint32_t vd62; + uint8_t *b62; + uint32_t u62; + uint32_t xk62; + uint32_t ti62; + uint32_t v62; + uint32_t va; + uint32_t vb; + uint32_t vc; + uint32_t vd; + uint8_t *b63; + uint32_t u; + uint32_t xk; + uint32_t ti; + uint32_t v; + uint32_t a; + uint32_t b; + uint32_t c; + uint32_t d; + abcd[0U] = v0; + va1 = abcd[3U]; + vb1 = abcd[0U]; + vc1 = abcd[1U]; + vd1 = abcd[2U]; + b1 = x + (uint32_t)4U; + u1 = load32_le(b1); + xk1 = u1; + ti1 = 
_t[1U]; + v1 = + vb1 + + + ((va1 + ((vb1 & vc1) | (~vb1 & vd1)) + xk1 + ti1) + << (uint32_t)12U + | (va1 + ((vb1 & vc1) | (~vb1 & vd1)) + xk1 + ti1) >> (uint32_t)20U); + abcd[3U] = v1; + va2 = abcd[2U]; + vb2 = abcd[3U]; + vc2 = abcd[0U]; + vd2 = abcd[1U]; + b2 = x + (uint32_t)8U; + u2 = load32_le(b2); + xk2 = u2; + ti2 = _t[2U]; + v2 = + vb2 + + + ((va2 + ((vb2 & vc2) | (~vb2 & vd2)) + xk2 + ti2) + << (uint32_t)17U + | (va2 + ((vb2 & vc2) | (~vb2 & vd2)) + xk2 + ti2) >> (uint32_t)15U); + abcd[2U] = v2; + va3 = abcd[1U]; + vb3 = abcd[2U]; + vc3 = abcd[3U]; + vd3 = abcd[0U]; + b3 = x + (uint32_t)12U; + u3 = load32_le(b3); + xk3 = u3; + ti3 = _t[3U]; + v3 = + vb3 + + + ((va3 + ((vb3 & vc3) | (~vb3 & vd3)) + xk3 + ti3) + << (uint32_t)22U + | (va3 + ((vb3 & vc3) | (~vb3 & vd3)) + xk3 + ti3) >> (uint32_t)10U); + abcd[1U] = v3; + va4 = abcd[0U]; + vb4 = abcd[1U]; + vc4 = abcd[2U]; + vd4 = abcd[3U]; + b4 = x + (uint32_t)16U; + u4 = load32_le(b4); + xk4 = u4; + ti4 = _t[4U]; + v4 = + vb4 + + + ((va4 + ((vb4 & vc4) | (~vb4 & vd4)) + xk4 + ti4) + << (uint32_t)7U + | (va4 + ((vb4 & vc4) | (~vb4 & vd4)) + xk4 + ti4) >> (uint32_t)25U); + abcd[0U] = v4; + va5 = abcd[3U]; + vb5 = abcd[0U]; + vc5 = abcd[1U]; + vd5 = abcd[2U]; + b5 = x + (uint32_t)20U; + u5 = load32_le(b5); + xk5 = u5; + ti5 = _t[5U]; + v5 = + vb5 + + + ((va5 + ((vb5 & vc5) | (~vb5 & vd5)) + xk5 + ti5) + << (uint32_t)12U + | (va5 + ((vb5 & vc5) | (~vb5 & vd5)) + xk5 + ti5) >> (uint32_t)20U); + abcd[3U] = v5; + va6 = abcd[2U]; + vb6 = abcd[3U]; + vc6 = abcd[0U]; + vd6 = abcd[1U]; + b6 = x + (uint32_t)24U; + u6 = load32_le(b6); + xk6 = u6; + ti6 = _t[6U]; + v6 = + vb6 + + + ((va6 + ((vb6 & vc6) | (~vb6 & vd6)) + xk6 + ti6) + << (uint32_t)17U + | (va6 + ((vb6 & vc6) | (~vb6 & vd6)) + xk6 + ti6) >> (uint32_t)15U); + abcd[2U] = v6; + va7 = abcd[1U]; + vb7 = abcd[2U]; + vc7 = abcd[3U]; + vd7 = abcd[0U]; + b7 = x + (uint32_t)28U; + u7 = load32_le(b7); + xk7 = u7; + ti7 = _t[7U]; + v7 = + vb7 + + + ((va7 + ((vb7 & vc7) | 
(~vb7 & vd7)) + xk7 + ti7) + << (uint32_t)22U + | (va7 + ((vb7 & vc7) | (~vb7 & vd7)) + xk7 + ti7) >> (uint32_t)10U); + abcd[1U] = v7; + va8 = abcd[0U]; + vb8 = abcd[1U]; + vc8 = abcd[2U]; + vd8 = abcd[3U]; + b8 = x + (uint32_t)32U; + u8 = load32_le(b8); + xk8 = u8; + ti8 = _t[8U]; + v8 = + vb8 + + + ((va8 + ((vb8 & vc8) | (~vb8 & vd8)) + xk8 + ti8) + << (uint32_t)7U + | (va8 + ((vb8 & vc8) | (~vb8 & vd8)) + xk8 + ti8) >> (uint32_t)25U); + abcd[0U] = v8; + va9 = abcd[3U]; + vb9 = abcd[0U]; + vc9 = abcd[1U]; + vd9 = abcd[2U]; + b9 = x + (uint32_t)36U; + u9 = load32_le(b9); + xk9 = u9; + ti9 = _t[9U]; + v9 = + vb9 + + + ((va9 + ((vb9 & vc9) | (~vb9 & vd9)) + xk9 + ti9) + << (uint32_t)12U + | (va9 + ((vb9 & vc9) | (~vb9 & vd9)) + xk9 + ti9) >> (uint32_t)20U); + abcd[3U] = v9; + va10 = abcd[2U]; + vb10 = abcd[3U]; + vc10 = abcd[0U]; + vd10 = abcd[1U]; + b10 = x + (uint32_t)40U; + u10 = load32_le(b10); + xk10 = u10; + ti10 = _t[10U]; + v10 = + vb10 + + + ((va10 + ((vb10 & vc10) | (~vb10 & vd10)) + xk10 + ti10) + << (uint32_t)17U + | (va10 + ((vb10 & vc10) | (~vb10 & vd10)) + xk10 + ti10) >> (uint32_t)15U); + abcd[2U] = v10; + va11 = abcd[1U]; + vb11 = abcd[2U]; + vc11 = abcd[3U]; + vd11 = abcd[0U]; + b11 = x + (uint32_t)44U; + u11 = load32_le(b11); + xk11 = u11; + ti11 = _t[11U]; + v11 = + vb11 + + + ((va11 + ((vb11 & vc11) | (~vb11 & vd11)) + xk11 + ti11) + << (uint32_t)22U + | (va11 + ((vb11 & vc11) | (~vb11 & vd11)) + xk11 + ti11) >> (uint32_t)10U); + abcd[1U] = v11; + va12 = abcd[0U]; + vb12 = abcd[1U]; + vc12 = abcd[2U]; + vd12 = abcd[3U]; + b12 = x + (uint32_t)48U; + u12 = load32_le(b12); + xk12 = u12; + ti12 = _t[12U]; + v12 = + vb12 + + + ((va12 + ((vb12 & vc12) | (~vb12 & vd12)) + xk12 + ti12) + << (uint32_t)7U + | (va12 + ((vb12 & vc12) | (~vb12 & vd12)) + xk12 + ti12) >> (uint32_t)25U); + abcd[0U] = v12; + va13 = abcd[3U]; + vb13 = abcd[0U]; + vc13 = abcd[1U]; + vd13 = abcd[2U]; + b13 = x + (uint32_t)52U; + u13 = load32_le(b13); + xk13 = u13; + ti13 = 
_t[13U]; + v13 = + vb13 + + + ((va13 + ((vb13 & vc13) | (~vb13 & vd13)) + xk13 + ti13) + << (uint32_t)12U + | (va13 + ((vb13 & vc13) | (~vb13 & vd13)) + xk13 + ti13) >> (uint32_t)20U); + abcd[3U] = v13; + va14 = abcd[2U]; + vb14 = abcd[3U]; + vc14 = abcd[0U]; + vd14 = abcd[1U]; + b14 = x + (uint32_t)56U; + u14 = load32_le(b14); + xk14 = u14; + ti14 = _t[14U]; + v14 = + vb14 + + + ((va14 + ((vb14 & vc14) | (~vb14 & vd14)) + xk14 + ti14) + << (uint32_t)17U + | (va14 + ((vb14 & vc14) | (~vb14 & vd14)) + xk14 + ti14) >> (uint32_t)15U); + abcd[2U] = v14; + va15 = abcd[1U]; + vb15 = abcd[2U]; + vc15 = abcd[3U]; + vd15 = abcd[0U]; + b15 = x + (uint32_t)60U; + u15 = load32_le(b15); + xk15 = u15; + ti15 = _t[15U]; + v15 = + vb15 + + + ((va15 + ((vb15 & vc15) | (~vb15 & vd15)) + xk15 + ti15) + << (uint32_t)22U + | (va15 + ((vb15 & vc15) | (~vb15 & vd15)) + xk15 + ti15) >> (uint32_t)10U); + abcd[1U] = v15; + va16 = abcd[0U]; + vb16 = abcd[1U]; + vc16 = abcd[2U]; + vd16 = abcd[3U]; + b16 = x + (uint32_t)4U; + u16 = load32_le(b16); + xk16 = u16; + ti16 = _t[16U]; + v16 = + vb16 + + + ((va16 + ((vb16 & vd16) | (vc16 & ~vd16)) + xk16 + ti16) + << (uint32_t)5U + | (va16 + ((vb16 & vd16) | (vc16 & ~vd16)) + xk16 + ti16) >> (uint32_t)27U); + abcd[0U] = v16; + va17 = abcd[3U]; + vb17 = abcd[0U]; + vc17 = abcd[1U]; + vd17 = abcd[2U]; + b17 = x + (uint32_t)24U; + u17 = load32_le(b17); + xk17 = u17; + ti17 = _t[17U]; + v17 = + vb17 + + + ((va17 + ((vb17 & vd17) | (vc17 & ~vd17)) + xk17 + ti17) + << (uint32_t)9U + | (va17 + ((vb17 & vd17) | (vc17 & ~vd17)) + xk17 + ti17) >> (uint32_t)23U); + abcd[3U] = v17; + va18 = abcd[2U]; + vb18 = abcd[3U]; + vc18 = abcd[0U]; + vd18 = abcd[1U]; + b18 = x + (uint32_t)44U; + u18 = load32_le(b18); + xk18 = u18; + ti18 = _t[18U]; + v18 = + vb18 + + + ((va18 + ((vb18 & vd18) | (vc18 & ~vd18)) + xk18 + ti18) + << (uint32_t)14U + | (va18 + ((vb18 & vd18) | (vc18 & ~vd18)) + xk18 + ti18) >> (uint32_t)18U); + abcd[2U] = v18; + va19 = abcd[1U]; + vb19 = 
abcd[2U]; + vc19 = abcd[3U]; + vd19 = abcd[0U]; + b19 = x; + u19 = load32_le(b19); + xk19 = u19; + ti19 = _t[19U]; + v19 = + vb19 + + + ((va19 + ((vb19 & vd19) | (vc19 & ~vd19)) + xk19 + ti19) + << (uint32_t)20U + | (va19 + ((vb19 & vd19) | (vc19 & ~vd19)) + xk19 + ti19) >> (uint32_t)12U); + abcd[1U] = v19; + va20 = abcd[0U]; + vb20 = abcd[1U]; + vc20 = abcd[2U]; + vd20 = abcd[3U]; + b20 = x + (uint32_t)20U; + u20 = load32_le(b20); + xk20 = u20; + ti20 = _t[20U]; + v20 = + vb20 + + + ((va20 + ((vb20 & vd20) | (vc20 & ~vd20)) + xk20 + ti20) + << (uint32_t)5U + | (va20 + ((vb20 & vd20) | (vc20 & ~vd20)) + xk20 + ti20) >> (uint32_t)27U); + abcd[0U] = v20; + va21 = abcd[3U]; + vb21 = abcd[0U]; + vc21 = abcd[1U]; + vd21 = abcd[2U]; + b21 = x + (uint32_t)40U; + u21 = load32_le(b21); + xk21 = u21; + ti21 = _t[21U]; + v21 = + vb21 + + + ((va21 + ((vb21 & vd21) | (vc21 & ~vd21)) + xk21 + ti21) + << (uint32_t)9U + | (va21 + ((vb21 & vd21) | (vc21 & ~vd21)) + xk21 + ti21) >> (uint32_t)23U); + abcd[3U] = v21; + va22 = abcd[2U]; + vb22 = abcd[3U]; + vc22 = abcd[0U]; + vd22 = abcd[1U]; + b22 = x + (uint32_t)60U; + u22 = load32_le(b22); + xk22 = u22; + ti22 = _t[22U]; + v22 = + vb22 + + + ((va22 + ((vb22 & vd22) | (vc22 & ~vd22)) + xk22 + ti22) + << (uint32_t)14U + | (va22 + ((vb22 & vd22) | (vc22 & ~vd22)) + xk22 + ti22) >> (uint32_t)18U); + abcd[2U] = v22; + va23 = abcd[1U]; + vb23 = abcd[2U]; + vc23 = abcd[3U]; + vd23 = abcd[0U]; + b23 = x + (uint32_t)16U; + u23 = load32_le(b23); + xk23 = u23; + ti23 = _t[23U]; + v23 = + vb23 + + + ((va23 + ((vb23 & vd23) | (vc23 & ~vd23)) + xk23 + ti23) + << (uint32_t)20U + | (va23 + ((vb23 & vd23) | (vc23 & ~vd23)) + xk23 + ti23) >> (uint32_t)12U); + abcd[1U] = v23; + va24 = abcd[0U]; + vb24 = abcd[1U]; + vc24 = abcd[2U]; + vd24 = abcd[3U]; + b24 = x + (uint32_t)36U; + u24 = load32_le(b24); + xk24 = u24; + ti24 = _t[24U]; + v24 = + vb24 + + + ((va24 + ((vb24 & vd24) | (vc24 & ~vd24)) + xk24 + ti24) + << (uint32_t)5U + | (va24 + ((vb24 & 
vd24) | (vc24 & ~vd24)) + xk24 + ti24) >> (uint32_t)27U); + abcd[0U] = v24; + va25 = abcd[3U]; + vb25 = abcd[0U]; + vc25 = abcd[1U]; + vd25 = abcd[2U]; + b25 = x + (uint32_t)56U; + u25 = load32_le(b25); + xk25 = u25; + ti25 = _t[25U]; + v25 = + vb25 + + + ((va25 + ((vb25 & vd25) | (vc25 & ~vd25)) + xk25 + ti25) + << (uint32_t)9U + | (va25 + ((vb25 & vd25) | (vc25 & ~vd25)) + xk25 + ti25) >> (uint32_t)23U); + abcd[3U] = v25; + va26 = abcd[2U]; + vb26 = abcd[3U]; + vc26 = abcd[0U]; + vd26 = abcd[1U]; + b26 = x + (uint32_t)12U; + u26 = load32_le(b26); + xk26 = u26; + ti26 = _t[26U]; + v26 = + vb26 + + + ((va26 + ((vb26 & vd26) | (vc26 & ~vd26)) + xk26 + ti26) + << (uint32_t)14U + | (va26 + ((vb26 & vd26) | (vc26 & ~vd26)) + xk26 + ti26) >> (uint32_t)18U); + abcd[2U] = v26; + va27 = abcd[1U]; + vb27 = abcd[2U]; + vc27 = abcd[3U]; + vd27 = abcd[0U]; + b27 = x + (uint32_t)32U; + u27 = load32_le(b27); + xk27 = u27; + ti27 = _t[27U]; + v27 = + vb27 + + + ((va27 + ((vb27 & vd27) | (vc27 & ~vd27)) + xk27 + ti27) + << (uint32_t)20U + | (va27 + ((vb27 & vd27) | (vc27 & ~vd27)) + xk27 + ti27) >> (uint32_t)12U); + abcd[1U] = v27; + va28 = abcd[0U]; + vb28 = abcd[1U]; + vc28 = abcd[2U]; + vd28 = abcd[3U]; + b28 = x + (uint32_t)52U; + u28 = load32_le(b28); + xk28 = u28; + ti28 = _t[28U]; + v28 = + vb28 + + + ((va28 + ((vb28 & vd28) | (vc28 & ~vd28)) + xk28 + ti28) + << (uint32_t)5U + | (va28 + ((vb28 & vd28) | (vc28 & ~vd28)) + xk28 + ti28) >> (uint32_t)27U); + abcd[0U] = v28; + va29 = abcd[3U]; + vb29 = abcd[0U]; + vc29 = abcd[1U]; + vd29 = abcd[2U]; + b29 = x + (uint32_t)8U; + u29 = load32_le(b29); + xk29 = u29; + ti29 = _t[29U]; + v29 = + vb29 + + + ((va29 + ((vb29 & vd29) | (vc29 & ~vd29)) + xk29 + ti29) + << (uint32_t)9U + | (va29 + ((vb29 & vd29) | (vc29 & ~vd29)) + xk29 + ti29) >> (uint32_t)23U); + abcd[3U] = v29; + va30 = abcd[2U]; + vb30 = abcd[3U]; + vc30 = abcd[0U]; + vd30 = abcd[1U]; + b30 = x + (uint32_t)28U; + u30 = load32_le(b30); + xk30 = u30; + ti30 = _t[30U]; + 
v30 = + vb30 + + + ((va30 + ((vb30 & vd30) | (vc30 & ~vd30)) + xk30 + ti30) + << (uint32_t)14U + | (va30 + ((vb30 & vd30) | (vc30 & ~vd30)) + xk30 + ti30) >> (uint32_t)18U); + abcd[2U] = v30; + va31 = abcd[1U]; + vb31 = abcd[2U]; + vc31 = abcd[3U]; + vd31 = abcd[0U]; + b31 = x + (uint32_t)48U; + u31 = load32_le(b31); + xk31 = u31; + ti31 = _t[31U]; + v31 = + vb31 + + + ((va31 + ((vb31 & vd31) | (vc31 & ~vd31)) + xk31 + ti31) + << (uint32_t)20U + | (va31 + ((vb31 & vd31) | (vc31 & ~vd31)) + xk31 + ti31) >> (uint32_t)12U); + abcd[1U] = v31; + va32 = abcd[0U]; + vb32 = abcd[1U]; + vc32 = abcd[2U]; + vd32 = abcd[3U]; + b32 = x + (uint32_t)20U; + u32 = load32_le(b32); + xk32 = u32; + ti32 = _t[32U]; + v32 = + vb32 + + + ((va32 + (vb32 ^ (vc32 ^ vd32)) + xk32 + ti32) + << (uint32_t)4U + | (va32 + (vb32 ^ (vc32 ^ vd32)) + xk32 + ti32) >> (uint32_t)28U); + abcd[0U] = v32; + va33 = abcd[3U]; + vb33 = abcd[0U]; + vc33 = abcd[1U]; + vd33 = abcd[2U]; + b33 = x + (uint32_t)32U; + u33 = load32_le(b33); + xk33 = u33; + ti33 = _t[33U]; + v33 = + vb33 + + + ((va33 + (vb33 ^ (vc33 ^ vd33)) + xk33 + ti33) + << (uint32_t)11U + | (va33 + (vb33 ^ (vc33 ^ vd33)) + xk33 + ti33) >> (uint32_t)21U); + abcd[3U] = v33; + va34 = abcd[2U]; + vb34 = abcd[3U]; + vc34 = abcd[0U]; + vd34 = abcd[1U]; + b34 = x + (uint32_t)44U; + u34 = load32_le(b34); + xk34 = u34; + ti34 = _t[34U]; + v34 = + vb34 + + + ((va34 + (vb34 ^ (vc34 ^ vd34)) + xk34 + ti34) + << (uint32_t)16U + | (va34 + (vb34 ^ (vc34 ^ vd34)) + xk34 + ti34) >> (uint32_t)16U); + abcd[2U] = v34; + va35 = abcd[1U]; + vb35 = abcd[2U]; + vc35 = abcd[3U]; + vd35 = abcd[0U]; + b35 = x + (uint32_t)56U; + u35 = load32_le(b35); + xk35 = u35; + ti35 = _t[35U]; + v35 = + vb35 + + + ((va35 + (vb35 ^ (vc35 ^ vd35)) + xk35 + ti35) + << (uint32_t)23U + | (va35 + (vb35 ^ (vc35 ^ vd35)) + xk35 + ti35) >> (uint32_t)9U); + abcd[1U] = v35; + va36 = abcd[0U]; + vb36 = abcd[1U]; + vc36 = abcd[2U]; + vd36 = abcd[3U]; + b36 = x + (uint32_t)4U; + u36 = 
load32_le(b36); + xk36 = u36; + ti36 = _t[36U]; + v36 = + vb36 + + + ((va36 + (vb36 ^ (vc36 ^ vd36)) + xk36 + ti36) + << (uint32_t)4U + | (va36 + (vb36 ^ (vc36 ^ vd36)) + xk36 + ti36) >> (uint32_t)28U); + abcd[0U] = v36; + va37 = abcd[3U]; + vb37 = abcd[0U]; + vc37 = abcd[1U]; + vd37 = abcd[2U]; + b37 = x + (uint32_t)16U; + u37 = load32_le(b37); + xk37 = u37; + ti37 = _t[37U]; + v37 = + vb37 + + + ((va37 + (vb37 ^ (vc37 ^ vd37)) + xk37 + ti37) + << (uint32_t)11U + | (va37 + (vb37 ^ (vc37 ^ vd37)) + xk37 + ti37) >> (uint32_t)21U); + abcd[3U] = v37; + va38 = abcd[2U]; + vb38 = abcd[3U]; + vc38 = abcd[0U]; + vd38 = abcd[1U]; + b38 = x + (uint32_t)28U; + u38 = load32_le(b38); + xk38 = u38; + ti38 = _t[38U]; + v38 = + vb38 + + + ((va38 + (vb38 ^ (vc38 ^ vd38)) + xk38 + ti38) + << (uint32_t)16U + | (va38 + (vb38 ^ (vc38 ^ vd38)) + xk38 + ti38) >> (uint32_t)16U); + abcd[2U] = v38; + va39 = abcd[1U]; + vb39 = abcd[2U]; + vc39 = abcd[3U]; + vd39 = abcd[0U]; + b39 = x + (uint32_t)40U; + u39 = load32_le(b39); + xk39 = u39; + ti39 = _t[39U]; + v39 = + vb39 + + + ((va39 + (vb39 ^ (vc39 ^ vd39)) + xk39 + ti39) + << (uint32_t)23U + | (va39 + (vb39 ^ (vc39 ^ vd39)) + xk39 + ti39) >> (uint32_t)9U); + abcd[1U] = v39; + va40 = abcd[0U]; + vb40 = abcd[1U]; + vc40 = abcd[2U]; + vd40 = abcd[3U]; + b40 = x + (uint32_t)52U; + u40 = load32_le(b40); + xk40 = u40; + ti40 = _t[40U]; + v40 = + vb40 + + + ((va40 + (vb40 ^ (vc40 ^ vd40)) + xk40 + ti40) + << (uint32_t)4U + | (va40 + (vb40 ^ (vc40 ^ vd40)) + xk40 + ti40) >> (uint32_t)28U); + abcd[0U] = v40; + va41 = abcd[3U]; + vb41 = abcd[0U]; + vc41 = abcd[1U]; + vd41 = abcd[2U]; + b41 = x; + u41 = load32_le(b41); + xk41 = u41; + ti41 = _t[41U]; + v41 = + vb41 + + + ((va41 + (vb41 ^ (vc41 ^ vd41)) + xk41 + ti41) + << (uint32_t)11U + | (va41 + (vb41 ^ (vc41 ^ vd41)) + xk41 + ti41) >> (uint32_t)21U); + abcd[3U] = v41; + va42 = abcd[2U]; + vb42 = abcd[3U]; + vc42 = abcd[0U]; + vd42 = abcd[1U]; + b42 = x + (uint32_t)12U; + u42 = load32_le(b42); + 
xk42 = u42; + ti42 = _t[42U]; + v42 = + vb42 + + + ((va42 + (vb42 ^ (vc42 ^ vd42)) + xk42 + ti42) + << (uint32_t)16U + | (va42 + (vb42 ^ (vc42 ^ vd42)) + xk42 + ti42) >> (uint32_t)16U); + abcd[2U] = v42; + va43 = abcd[1U]; + vb43 = abcd[2U]; + vc43 = abcd[3U]; + vd43 = abcd[0U]; + b43 = x + (uint32_t)24U; + u43 = load32_le(b43); + xk43 = u43; + ti43 = _t[43U]; + v43 = + vb43 + + + ((va43 + (vb43 ^ (vc43 ^ vd43)) + xk43 + ti43) + << (uint32_t)23U + | (va43 + (vb43 ^ (vc43 ^ vd43)) + xk43 + ti43) >> (uint32_t)9U); + abcd[1U] = v43; + va44 = abcd[0U]; + vb44 = abcd[1U]; + vc44 = abcd[2U]; + vd44 = abcd[3U]; + b44 = x + (uint32_t)36U; + u44 = load32_le(b44); + xk44 = u44; + ti44 = _t[44U]; + v44 = + vb44 + + + ((va44 + (vb44 ^ (vc44 ^ vd44)) + xk44 + ti44) + << (uint32_t)4U + | (va44 + (vb44 ^ (vc44 ^ vd44)) + xk44 + ti44) >> (uint32_t)28U); + abcd[0U] = v44; + va45 = abcd[3U]; + vb45 = abcd[0U]; + vc45 = abcd[1U]; + vd45 = abcd[2U]; + b45 = x + (uint32_t)48U; + u45 = load32_le(b45); + xk45 = u45; + ti45 = _t[45U]; + v45 = + vb45 + + + ((va45 + (vb45 ^ (vc45 ^ vd45)) + xk45 + ti45) + << (uint32_t)11U + | (va45 + (vb45 ^ (vc45 ^ vd45)) + xk45 + ti45) >> (uint32_t)21U); + abcd[3U] = v45; + va46 = abcd[2U]; + vb46 = abcd[3U]; + vc46 = abcd[0U]; + vd46 = abcd[1U]; + b46 = x + (uint32_t)60U; + u46 = load32_le(b46); + xk46 = u46; + ti46 = _t[46U]; + v46 = + vb46 + + + ((va46 + (vb46 ^ (vc46 ^ vd46)) + xk46 + ti46) + << (uint32_t)16U + | (va46 + (vb46 ^ (vc46 ^ vd46)) + xk46 + ti46) >> (uint32_t)16U); + abcd[2U] = v46; + va47 = abcd[1U]; + vb47 = abcd[2U]; + vc47 = abcd[3U]; + vd47 = abcd[0U]; + b47 = x + (uint32_t)8U; + u47 = load32_le(b47); + xk47 = u47; + ti47 = _t[47U]; + v47 = + vb47 + + + ((va47 + (vb47 ^ (vc47 ^ vd47)) + xk47 + ti47) + << (uint32_t)23U + | (va47 + (vb47 ^ (vc47 ^ vd47)) + xk47 + ti47) >> (uint32_t)9U); + abcd[1U] = v47; + va48 = abcd[0U]; + vb48 = abcd[1U]; + vc48 = abcd[2U]; + vd48 = abcd[3U]; + b48 = x; + u48 = load32_le(b48); + xk48 = u48; + ti48 = 
_t[48U]; + v48 = + vb48 + + + ((va48 + (vc48 ^ (vb48 | ~vd48)) + xk48 + ti48) + << (uint32_t)6U + | (va48 + (vc48 ^ (vb48 | ~vd48)) + xk48 + ti48) >> (uint32_t)26U); + abcd[0U] = v48; + va49 = abcd[3U]; + vb49 = abcd[0U]; + vc49 = abcd[1U]; + vd49 = abcd[2U]; + b49 = x + (uint32_t)28U; + u49 = load32_le(b49); + xk49 = u49; + ti49 = _t[49U]; + v49 = + vb49 + + + ((va49 + (vc49 ^ (vb49 | ~vd49)) + xk49 + ti49) + << (uint32_t)10U + | (va49 + (vc49 ^ (vb49 | ~vd49)) + xk49 + ti49) >> (uint32_t)22U); + abcd[3U] = v49; + va50 = abcd[2U]; + vb50 = abcd[3U]; + vc50 = abcd[0U]; + vd50 = abcd[1U]; + b50 = x + (uint32_t)56U; + u50 = load32_le(b50); + xk50 = u50; + ti50 = _t[50U]; + v50 = + vb50 + + + ((va50 + (vc50 ^ (vb50 | ~vd50)) + xk50 + ti50) + << (uint32_t)15U + | (va50 + (vc50 ^ (vb50 | ~vd50)) + xk50 + ti50) >> (uint32_t)17U); + abcd[2U] = v50; + va51 = abcd[1U]; + vb51 = abcd[2U]; + vc51 = abcd[3U]; + vd51 = abcd[0U]; + b51 = x + (uint32_t)20U; + u51 = load32_le(b51); + xk51 = u51; + ti51 = _t[51U]; + v51 = + vb51 + + + ((va51 + (vc51 ^ (vb51 | ~vd51)) + xk51 + ti51) + << (uint32_t)21U + | (va51 + (vc51 ^ (vb51 | ~vd51)) + xk51 + ti51) >> (uint32_t)11U); + abcd[1U] = v51; + va52 = abcd[0U]; + vb52 = abcd[1U]; + vc52 = abcd[2U]; + vd52 = abcd[3U]; + b52 = x + (uint32_t)48U; + u52 = load32_le(b52); + xk52 = u52; + ti52 = _t[52U]; + v52 = + vb52 + + + ((va52 + (vc52 ^ (vb52 | ~vd52)) + xk52 + ti52) + << (uint32_t)6U + | (va52 + (vc52 ^ (vb52 | ~vd52)) + xk52 + ti52) >> (uint32_t)26U); + abcd[0U] = v52; + va53 = abcd[3U]; + vb53 = abcd[0U]; + vc53 = abcd[1U]; + vd53 = abcd[2U]; + b53 = x + (uint32_t)12U; + u53 = load32_le(b53); + xk53 = u53; + ti53 = _t[53U]; + v53 = + vb53 + + + ((va53 + (vc53 ^ (vb53 | ~vd53)) + xk53 + ti53) + << (uint32_t)10U + | (va53 + (vc53 ^ (vb53 | ~vd53)) + xk53 + ti53) >> (uint32_t)22U); + abcd[3U] = v53; + va54 = abcd[2U]; + vb54 = abcd[3U]; + vc54 = abcd[0U]; + vd54 = abcd[1U]; + b54 = x + (uint32_t)40U; + u54 = load32_le(b54); + xk54 = u54; 
+ ti54 = _t[54U]; + v54 = + vb54 + + + ((va54 + (vc54 ^ (vb54 | ~vd54)) + xk54 + ti54) + << (uint32_t)15U + | (va54 + (vc54 ^ (vb54 | ~vd54)) + xk54 + ti54) >> (uint32_t)17U); + abcd[2U] = v54; + va55 = abcd[1U]; + vb55 = abcd[2U]; + vc55 = abcd[3U]; + vd55 = abcd[0U]; + b55 = x + (uint32_t)4U; + u55 = load32_le(b55); + xk55 = u55; + ti55 = _t[55U]; + v55 = + vb55 + + + ((va55 + (vc55 ^ (vb55 | ~vd55)) + xk55 + ti55) + << (uint32_t)21U + | (va55 + (vc55 ^ (vb55 | ~vd55)) + xk55 + ti55) >> (uint32_t)11U); + abcd[1U] = v55; + va56 = abcd[0U]; + vb56 = abcd[1U]; + vc56 = abcd[2U]; + vd56 = abcd[3U]; + b56 = x + (uint32_t)32U; + u56 = load32_le(b56); + xk56 = u56; + ti56 = _t[56U]; + v56 = + vb56 + + + ((va56 + (vc56 ^ (vb56 | ~vd56)) + xk56 + ti56) + << (uint32_t)6U + | (va56 + (vc56 ^ (vb56 | ~vd56)) + xk56 + ti56) >> (uint32_t)26U); + abcd[0U] = v56; + va57 = abcd[3U]; + vb57 = abcd[0U]; + vc57 = abcd[1U]; + vd57 = abcd[2U]; + b57 = x + (uint32_t)60U; + u57 = load32_le(b57); + xk57 = u57; + ti57 = _t[57U]; + v57 = + vb57 + + + ((va57 + (vc57 ^ (vb57 | ~vd57)) + xk57 + ti57) + << (uint32_t)10U + | (va57 + (vc57 ^ (vb57 | ~vd57)) + xk57 + ti57) >> (uint32_t)22U); + abcd[3U] = v57; + va58 = abcd[2U]; + vb58 = abcd[3U]; + vc58 = abcd[0U]; + vd58 = abcd[1U]; + b58 = x + (uint32_t)24U; + u58 = load32_le(b58); + xk58 = u58; + ti58 = _t[58U]; + v58 = + vb58 + + + ((va58 + (vc58 ^ (vb58 | ~vd58)) + xk58 + ti58) + << (uint32_t)15U + | (va58 + (vc58 ^ (vb58 | ~vd58)) + xk58 + ti58) >> (uint32_t)17U); + abcd[2U] = v58; + va59 = abcd[1U]; + vb59 = abcd[2U]; + vc59 = abcd[3U]; + vd59 = abcd[0U]; + b59 = x + (uint32_t)52U; + u59 = load32_le(b59); + xk59 = u59; + ti59 = _t[59U]; + v59 = + vb59 + + + ((va59 + (vc59 ^ (vb59 | ~vd59)) + xk59 + ti59) + << (uint32_t)21U + | (va59 + (vc59 ^ (vb59 | ~vd59)) + xk59 + ti59) >> (uint32_t)11U); + abcd[1U] = v59; + va60 = abcd[0U]; + vb60 = abcd[1U]; + vc60 = abcd[2U]; + vd60 = abcd[3U]; + b60 = x + (uint32_t)16U; + u60 = load32_le(b60); + 
xk60 = u60; + ti60 = _t[60U]; + v60 = + vb60 + + + ((va60 + (vc60 ^ (vb60 | ~vd60)) + xk60 + ti60) + << (uint32_t)6U + | (va60 + (vc60 ^ (vb60 | ~vd60)) + xk60 + ti60) >> (uint32_t)26U); + abcd[0U] = v60; + va61 = abcd[3U]; + vb61 = abcd[0U]; + vc61 = abcd[1U]; + vd61 = abcd[2U]; + b61 = x + (uint32_t)44U; + u61 = load32_le(b61); + xk61 = u61; + ti61 = _t[61U]; + v61 = + vb61 + + + ((va61 + (vc61 ^ (vb61 | ~vd61)) + xk61 + ti61) + << (uint32_t)10U + | (va61 + (vc61 ^ (vb61 | ~vd61)) + xk61 + ti61) >> (uint32_t)22U); + abcd[3U] = v61; + va62 = abcd[2U]; + vb62 = abcd[3U]; + vc62 = abcd[0U]; + vd62 = abcd[1U]; + b62 = x + (uint32_t)8U; + u62 = load32_le(b62); + xk62 = u62; + ti62 = _t[62U]; + v62 = + vb62 + + + ((va62 + (vc62 ^ (vb62 | ~vd62)) + xk62 + ti62) + << (uint32_t)15U + | (va62 + (vc62 ^ (vb62 | ~vd62)) + xk62 + ti62) >> (uint32_t)17U); + abcd[2U] = v62; + va = abcd[1U]; + vb = abcd[2U]; + vc = abcd[3U]; + vd = abcd[0U]; + b63 = x + (uint32_t)36U; + u = load32_le(b63); + xk = u; + ti = _t[63U]; + v = + vb + + + ((va + (vc ^ (vb | ~vd)) + xk + ti) + << (uint32_t)21U + | (va + (vc ^ (vb | ~vd)) + xk + ti) >> (uint32_t)11U); + abcd[1U] = v; + a = abcd[0U]; + b = abcd[1U]; + c = abcd[2U]; + d = abcd[3U]; + abcd[0U] = a + aa; + abcd[1U] = b + bb; + abcd[2U] = c + cc; + abcd[3U] = d + dd; +} + +static void legacy_pad(uint64_t len, uint8_t *dst) +{ + uint8_t *dst1 = dst; + uint8_t *dst2; + uint8_t *dst3; + dst1[0U] = (uint8_t)0x80U; + dst2 = dst + (uint32_t)1U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U; + i++) + { + dst2[i] = (uint8_t)0U; + } + } + dst3 = + dst + + + (uint32_t)1U + + + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U; + store64_le(dst3, len << (uint32_t)3U); +} + +void Hacl_Hash_Core_MD5_legacy_finish(uint32_t *s, uint8_t *dst) +{ + uint32_t *uu____0 = s; + uint32_t i; + for (i = (uint32_t)0U; 
i < (uint32_t)4U; i++) + { + store32_le(dst + i * (uint32_t)4U, uu____0[i]); + } +} + +void Hacl_Hash_MD5_legacy_update_multi(uint32_t *s, uint8_t *blocks, uint32_t n_blocks) +{ + uint32_t i; + for (i = (uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)64U; + uint8_t *block = blocks + sz * i; + Hacl_Hash_Core_MD5_legacy_update(s, block); + } +} + +void +Hacl_Hash_MD5_legacy_update_last( + uint32_t *s, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)64U; + uint32_t blocks_len = blocks_n * (uint32_t)64U; + uint8_t *blocks = input; + uint32_t rest_len = input_len - blocks_len; + uint8_t *rest = input + blocks_len; + uint64_t total_input_len; + uint32_t pad_len; + uint32_t tmp_len; + Hacl_Hash_MD5_legacy_update_multi(s, blocks, blocks_n); + total_input_len = prev_len + (uint64_t)input_len; + pad_len = + (uint32_t)1U + + + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(total_input_len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U + + (uint32_t)8U; + tmp_len = rest_len + pad_len; + { + uint8_t tmp_twoblocks[128U] = { 0U }; + uint8_t *tmp = tmp_twoblocks; + uint8_t *tmp_rest = tmp; + uint8_t *tmp_pad = tmp + rest_len; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + legacy_pad(total_input_len, tmp_pad); + Hacl_Hash_MD5_legacy_update_multi(s, tmp, tmp_len / (uint32_t)64U); + } +} + +typedef uint32_t *___uint32_t____; + +void Hacl_Hash_MD5_legacy_hash(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + uint32_t + scrut[4U] = + { (uint32_t)0x67452301U, (uint32_t)0xefcdab89U, (uint32_t)0x98badcfeU, (uint32_t)0x10325476U }; + uint32_t *s = scrut; + uint32_t blocks_n0 = input_len / (uint32_t)64U; + uint32_t blocks_n1; + if (input_len % (uint32_t)64U == (uint32_t)0U && blocks_n0 > (uint32_t)0U) + { + blocks_n1 = blocks_n0 - (uint32_t)1U; + } + else + { + blocks_n1 = blocks_n0; + } + { + uint32_t blocks_len0 = blocks_n1 * (uint32_t)64U; + uint8_t *blocks0 = input; + uint32_t rest_len0 = input_len 
- blocks_len0; + uint8_t *rest0 = input + blocks_len0; + uint32_t blocks_n = blocks_n1; + uint32_t blocks_len = blocks_len0; + uint8_t *blocks = blocks0; + uint32_t rest_len = rest_len0; + uint8_t *rest = rest0; + Hacl_Hash_MD5_legacy_update_multi(s, blocks, blocks_n); + Hacl_Hash_MD5_legacy_update_last(s, (uint64_t)blocks_len, rest, rest_len); + Hacl_Hash_Core_MD5_legacy_finish(s, dst); + } +} + diff --git a/src/c89/Hacl_Hash_SHA1.c b/src/c89/Hacl_Hash_SHA1.c new file mode 100644 index 00000000..63502b32 --- /dev/null +++ b/src/c89/Hacl_Hash_SHA1.c 
@@ -0,0 +1,276 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Hash_SHA1.h" + + + +static uint32_t +_h0[5U] = + { + (uint32_t)0x67452301U, (uint32_t)0xefcdab89U, (uint32_t)0x98badcfeU, (uint32_t)0x10325476U, + (uint32_t)0xc3d2e1f0U + }; + +void Hacl_Hash_Core_SHA1_legacy_init(uint32_t *s) +{ + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)5U; i++) + { + s[i] = _h0[i]; + } +} + +void Hacl_Hash_Core_SHA1_legacy_update(uint32_t *h, uint8_t *l) +{ + uint32_t ha = h[0U]; + uint32_t hb = h[1U]; + uint32_t hc = h[2U]; + uint32_t hd = h[3U]; + uint32_t he = h[4U]; + uint32_t _w[80U] = { 0U }; + uint32_t sta; + uint32_t stb; + uint32_t stc; + uint32_t std; + uint32_t ste; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)80U; i++) + { + uint32_t v; + if (i < (uint32_t)16U) + { + uint8_t *b = l + i * (uint32_t)4U; + uint32_t u = load32_be(b); + v = u; + } + else + { + uint32_t wmit3 = _w[i - (uint32_t)3U]; + uint32_t wmit8 = _w[i - (uint32_t)8U]; + uint32_t wmit14 = _w[i - (uint32_t)14U]; + uint32_t wmit16 = _w[i - (uint32_t)16U]; + v = + (wmit3 ^ (wmit8 ^ (wmit14 ^ wmit16))) + << (uint32_t)1U + | (wmit3 ^ (wmit8 ^ (wmit14 ^ wmit16))) >> (uint32_t)31U; + } + _w[i] = v; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)80U; i++) + { + uint32_t _a = h[0U]; + uint32_t _b = h[1U]; + uint32_t _c = h[2U]; + uint32_t _d = h[3U]; + uint32_t _e = h[4U]; + uint32_t wmit = _w[i]; + uint32_t ite0; + if (i < (uint32_t)20U) + { + ite0 = (_b & _c) ^ (~_b & _d); + } + else if ((uint32_t)39U < i && i < (uint32_t)60U) + { + ite0 = (_b & _c) ^ ((_b & _d) ^ (_c & _d)); + } + else + { + ite0 = _b ^ (_c ^ _d); + } + { + uint32_t ite; + if (i < (uint32_t)20U) + { + ite = (uint32_t)0x5a827999U; + } + else if (i < (uint32_t)40U) + { + ite = (uint32_t)0x6ed9eba1U; + } + else if (i < (uint32_t)60U) + { + ite = (uint32_t)0x8f1bbcdcU; + } + else + { + ite = (uint32_t)0xca62c1d6U; + } + { + uint32_t _T = (_a << (uint32_t)5U | _a >> (uint32_t)27U) + ite0 + _e + ite + wmit; + h[0U] = _T; + h[1U] = _a; + 
h[2U] = _b << (uint32_t)30U | _b >> (uint32_t)2U; + h[3U] = _c; + h[4U] = _d; + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)80U; i++) + { + _w[i] = (uint32_t)0U; + } + } + sta = h[0U]; + stb = h[1U]; + stc = h[2U]; + std = h[3U]; + ste = h[4U]; + h[0U] = sta + ha; + h[1U] = stb + hb; + h[2U] = stc + hc; + h[3U] = std + hd; + h[4U] = ste + he; +} + +static void legacy_pad(uint64_t len, uint8_t *dst) +{ + uint8_t *dst1 = dst; + uint8_t *dst2; + uint8_t *dst3; + dst1[0U] = (uint8_t)0x80U; + dst2 = dst + (uint32_t)1U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U; + i++) + { + dst2[i] = (uint8_t)0U; + } + } + dst3 = + dst + + + (uint32_t)1U + + + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U; + store64_be(dst3, len << (uint32_t)3U); +} + +void Hacl_Hash_Core_SHA1_legacy_finish(uint32_t *s, uint8_t *dst) +{ + uint32_t *uu____0 = s; + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)5U; i++) + { + store32_be(dst + i * (uint32_t)4U, uu____0[i]); + } +} + +void Hacl_Hash_SHA1_legacy_update_multi(uint32_t *s, uint8_t *blocks, uint32_t n_blocks) +{ + uint32_t i; + for (i = (uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)64U; + uint8_t *block = blocks + sz * i; + Hacl_Hash_Core_SHA1_legacy_update(s, block); + } +} + +void +Hacl_Hash_SHA1_legacy_update_last( + uint32_t *s, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)64U; + uint32_t blocks_len = blocks_n * (uint32_t)64U; + uint8_t *blocks = input; + uint32_t rest_len = input_len - blocks_len; + uint8_t *rest = input + blocks_len; + uint64_t total_input_len; + uint32_t pad_len; + uint32_t tmp_len; + Hacl_Hash_SHA1_legacy_update_multi(s, blocks, blocks_n); + total_input_len = prev_len + (uint64_t)input_len; + pad_len = + (uint32_t)1U + + + ((uint32_t)128U - 
((uint32_t)9U + (uint32_t)(total_input_len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U + + (uint32_t)8U; + tmp_len = rest_len + pad_len; + { + uint8_t tmp_twoblocks[128U] = { 0U }; + uint8_t *tmp = tmp_twoblocks; + uint8_t *tmp_rest = tmp; + uint8_t *tmp_pad = tmp + rest_len; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + legacy_pad(total_input_len, tmp_pad); + Hacl_Hash_SHA1_legacy_update_multi(s, tmp, tmp_len / (uint32_t)64U); + } +} + +void Hacl_Hash_SHA1_legacy_hash(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + uint32_t + scrut[5U] = + { + (uint32_t)0x67452301U, (uint32_t)0xefcdab89U, (uint32_t)0x98badcfeU, (uint32_t)0x10325476U, + (uint32_t)0xc3d2e1f0U + }; + uint32_t *s = scrut; + uint32_t blocks_n0 = input_len / (uint32_t)64U; + uint32_t blocks_n1; + if (input_len % (uint32_t)64U == (uint32_t)0U && blocks_n0 > (uint32_t)0U) + { + blocks_n1 = blocks_n0 - (uint32_t)1U; + } + else + { + blocks_n1 = blocks_n0; + } + { + uint32_t blocks_len0 = blocks_n1 * (uint32_t)64U; + uint8_t *blocks0 = input; + uint32_t rest_len0 = input_len - blocks_len0; + uint8_t *rest0 = input + blocks_len0; + uint32_t blocks_n = blocks_n1; + uint32_t blocks_len = blocks_len0; + uint8_t *blocks = blocks0; + uint32_t rest_len = rest_len0; + uint8_t *rest = rest0; + Hacl_Hash_SHA1_legacy_update_multi(s, blocks, blocks_n); + Hacl_Hash_SHA1_legacy_update_last(s, (uint64_t)blocks_len, rest, rest_len); + Hacl_Hash_Core_SHA1_legacy_finish(s, dst); + } +} + diff --git a/src/c89/Hacl_Hash_SHA2.c b/src/c89/Hacl_Hash_SHA2.c new file mode 100644 index 00000000..e3b3fc8b --- /dev/null +++ b/src/c89/Hacl_Hash_SHA2.c 
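Review bot: `Hacl_Hash_SHA1_legacy_update_last` sizes its stack buffer `tmp_twoblocks[128U]` on the assumption that `prev_len` is a multiple of 64, but nothing in the file states that precondition; with `rest_len` up to 63 and `pad_len` up to 72 (`1 + 63 + 8`), a caller passing an unaligned `prev_len` makes `legacy_pad` write past the end of that buffer. The internal caller `Hacl_Hash_SHA1_legacy_hash` does satisfy it (`blocks_len` is a multiple of 64), and `legacy_pad` additionally loses high bits once `len << (uint32_t)3U` no longer fits 64 bits, so I would put a contract comment on the definition: `/* Precondition: prev_len % 64 == 0 (only whole blocks were fed before this call) and prev_len + input_len < 2^61, so the bit length fits the 64-bit trailer written by legacy_pad. */`. Separately, the trailing loop in `Hacl_Hash_Core_SHA1_legacy_update` that sets `_w[i] = (uint32_t)0U` is a plain store to a local about to go out of scope, which a compiler may drop, so it should not be read as a reliable scrub of the message schedule. If this file is generator output (the repository layout suggests so), these comments belong in the generator or the public header rather than in a hand edit here.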
@@ -0,0 +1,1019 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Hash_SHA2.h" + + + +static uint32_t +h224[8U] = + { + (uint32_t)0xc1059ed8U, (uint32_t)0x367cd507U, (uint32_t)0x3070dd17U, (uint32_t)0xf70e5939U, + (uint32_t)0xffc00b31U, (uint32_t)0x68581511U, (uint32_t)0x64f98fa7U, (uint32_t)0xbefa4fa4U + }; + +static uint32_t +h256[8U] = + { + (uint32_t)0x6a09e667U, (uint32_t)0xbb67ae85U, (uint32_t)0x3c6ef372U, (uint32_t)0xa54ff53aU, + (uint32_t)0x510e527fU, (uint32_t)0x9b05688cU, (uint32_t)0x1f83d9abU, (uint32_t)0x5be0cd19U + }; + +static uint64_t +h384[8U] = + { + (uint64_t)0xcbbb9d5dc1059ed8U, (uint64_t)0x629a292a367cd507U, (uint64_t)0x9159015a3070dd17U, + (uint64_t)0x152fecd8f70e5939U, (uint64_t)0x67332667ffc00b31U, (uint64_t)0x8eb44a8768581511U, + (uint64_t)0xdb0c2e0d64f98fa7U, (uint64_t)0x47b5481dbefa4fa4U + }; + +static uint64_t +h512[8U] = + { + (uint64_t)0x6a09e667f3bcc908U, (uint64_t)0xbb67ae8584caa73bU, (uint64_t)0x3c6ef372fe94f82bU, + (uint64_t)0xa54ff53a5f1d36f1U, (uint64_t)0x510e527fade682d1U, (uint64_t)0x9b05688c2b3e6c1fU, + (uint64_t)0x1f83d9abfb41bd6bU, (uint64_t)0x5be0cd19137e2179U + }; + +static uint32_t +k224_256[64U] = + { + (uint32_t)0x428a2f98U, (uint32_t)0x71374491U, (uint32_t)0xb5c0fbcfU, (uint32_t)0xe9b5dba5U, + (uint32_t)0x3956c25bU, (uint32_t)0x59f111f1U, (uint32_t)0x923f82a4U, (uint32_t)0xab1c5ed5U, + (uint32_t)0xd807aa98U, (uint32_t)0x12835b01U, (uint32_t)0x243185beU, (uint32_t)0x550c7dc3U, + (uint32_t)0x72be5d74U, (uint32_t)0x80deb1feU, (uint32_t)0x9bdc06a7U, (uint32_t)0xc19bf174U, + (uint32_t)0xe49b69c1U, (uint32_t)0xefbe4786U, (uint32_t)0x0fc19dc6U, (uint32_t)0x240ca1ccU, + (uint32_t)0x2de92c6fU, (uint32_t)0x4a7484aaU, (uint32_t)0x5cb0a9dcU, (uint32_t)0x76f988daU, + (uint32_t)0x983e5152U, (uint32_t)0xa831c66dU, (uint32_t)0xb00327c8U, (uint32_t)0xbf597fc7U, + (uint32_t)0xc6e00bf3U, (uint32_t)0xd5a79147U, (uint32_t)0x06ca6351U, (uint32_t)0x14292967U, + (uint32_t)0x27b70a85U, (uint32_t)0x2e1b2138U, (uint32_t)0x4d2c6dfcU, (uint32_t)0x53380d13U, + 
(uint32_t)0x650a7354U, (uint32_t)0x766a0abbU, (uint32_t)0x81c2c92eU, (uint32_t)0x92722c85U, + (uint32_t)0xa2bfe8a1U, (uint32_t)0xa81a664bU, (uint32_t)0xc24b8b70U, (uint32_t)0xc76c51a3U, + (uint32_t)0xd192e819U, (uint32_t)0xd6990624U, (uint32_t)0xf40e3585U, (uint32_t)0x106aa070U, + (uint32_t)0x19a4c116U, (uint32_t)0x1e376c08U, (uint32_t)0x2748774cU, (uint32_t)0x34b0bcb5U, + (uint32_t)0x391c0cb3U, (uint32_t)0x4ed8aa4aU, (uint32_t)0x5b9cca4fU, (uint32_t)0x682e6ff3U, + (uint32_t)0x748f82eeU, (uint32_t)0x78a5636fU, (uint32_t)0x84c87814U, (uint32_t)0x8cc70208U, + (uint32_t)0x90befffaU, (uint32_t)0xa4506cebU, (uint32_t)0xbef9a3f7U, (uint32_t)0xc67178f2U + }; + +static uint64_t +k384_512[80U] = + { + (uint64_t)0x428a2f98d728ae22U, (uint64_t)0x7137449123ef65cdU, (uint64_t)0xb5c0fbcfec4d3b2fU, + (uint64_t)0xe9b5dba58189dbbcU, (uint64_t)0x3956c25bf348b538U, (uint64_t)0x59f111f1b605d019U, + (uint64_t)0x923f82a4af194f9bU, (uint64_t)0xab1c5ed5da6d8118U, (uint64_t)0xd807aa98a3030242U, + (uint64_t)0x12835b0145706fbeU, (uint64_t)0x243185be4ee4b28cU, (uint64_t)0x550c7dc3d5ffb4e2U, + (uint64_t)0x72be5d74f27b896fU, (uint64_t)0x80deb1fe3b1696b1U, (uint64_t)0x9bdc06a725c71235U, + (uint64_t)0xc19bf174cf692694U, (uint64_t)0xe49b69c19ef14ad2U, (uint64_t)0xefbe4786384f25e3U, + (uint64_t)0x0fc19dc68b8cd5b5U, (uint64_t)0x240ca1cc77ac9c65U, (uint64_t)0x2de92c6f592b0275U, + (uint64_t)0x4a7484aa6ea6e483U, (uint64_t)0x5cb0a9dcbd41fbd4U, (uint64_t)0x76f988da831153b5U, + (uint64_t)0x983e5152ee66dfabU, (uint64_t)0xa831c66d2db43210U, (uint64_t)0xb00327c898fb213fU, + (uint64_t)0xbf597fc7beef0ee4U, (uint64_t)0xc6e00bf33da88fc2U, (uint64_t)0xd5a79147930aa725U, + (uint64_t)0x06ca6351e003826fU, (uint64_t)0x142929670a0e6e70U, (uint64_t)0x27b70a8546d22ffcU, + (uint64_t)0x2e1b21385c26c926U, (uint64_t)0x4d2c6dfc5ac42aedU, (uint64_t)0x53380d139d95b3dfU, + (uint64_t)0x650a73548baf63deU, (uint64_t)0x766a0abb3c77b2a8U, (uint64_t)0x81c2c92e47edaee6U, + (uint64_t)0x92722c851482353bU, (uint64_t)0xa2bfe8a14cf10364U, 
(uint64_t)0xa81a664bbc423001U, + (uint64_t)0xc24b8b70d0f89791U, (uint64_t)0xc76c51a30654be30U, (uint64_t)0xd192e819d6ef5218U, + (uint64_t)0xd69906245565a910U, (uint64_t)0xf40e35855771202aU, (uint64_t)0x106aa07032bbd1b8U, + (uint64_t)0x19a4c116b8d2d0c8U, (uint64_t)0x1e376c085141ab53U, (uint64_t)0x2748774cdf8eeb99U, + (uint64_t)0x34b0bcb5e19b48a8U, (uint64_t)0x391c0cb3c5c95a63U, (uint64_t)0x4ed8aa4ae3418acbU, + (uint64_t)0x5b9cca4f7763e373U, (uint64_t)0x682e6ff3d6b2b8a3U, (uint64_t)0x748f82ee5defb2fcU, + (uint64_t)0x78a5636f43172f60U, (uint64_t)0x84c87814a1f0ab72U, (uint64_t)0x8cc702081a6439ecU, + (uint64_t)0x90befffa23631e28U, (uint64_t)0xa4506cebde82bde9U, (uint64_t)0xbef9a3f7b2c67915U, + (uint64_t)0xc67178f2e372532bU, (uint64_t)0xca273eceea26619cU, (uint64_t)0xd186b8c721c0c207U, + (uint64_t)0xeada7dd6cde0eb1eU, (uint64_t)0xf57d4f7fee6ed178U, (uint64_t)0x06f067aa72176fbaU, + (uint64_t)0x0a637dc5a2c898a6U, (uint64_t)0x113f9804bef90daeU, (uint64_t)0x1b710b35131c471bU, + (uint64_t)0x28db77f523047d84U, (uint64_t)0x32caab7b40c72493U, (uint64_t)0x3c9ebe0a15c9bebcU, + (uint64_t)0x431d67c49c100d4cU, (uint64_t)0x4cc5d4becb3e42b6U, (uint64_t)0x597f299cfc657e2aU, + (uint64_t)0x5fcb6fab3ad6faecU, (uint64_t)0x6c44198c4a475817U + }; + +void Hacl_Hash_Core_SHA2_init_224(uint32_t *s) +{ + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + s[i] = h224[i]; + } +} + +void Hacl_Hash_Core_SHA2_init_256(uint32_t *s) +{ + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + s[i] = h256[i]; + } +} + +void Hacl_Hash_Core_SHA2_init_384(uint64_t *s) +{ + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + s[i] = h384[i]; + } +} + +void Hacl_Hash_Core_SHA2_init_512(uint64_t *s) +{ + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + s[i] = h512[i]; + } +} + +static void update_224(uint32_t *hash, uint8_t *block) +{ + uint32_t hash1[8U] = { 0U }; + uint32_t computed_ws[64U] = { 0U }; + { + uint32_t i; + for (i = (uint32_t)0U; i < 
(uint32_t)64U; i++) + { + if (i < (uint32_t)16U) + { + uint8_t *b = block + i * (uint32_t)4U; + uint32_t u = load32_be(b); + computed_ws[i] = u; + } + else + { + uint32_t t16 = computed_ws[i - (uint32_t)16U]; + uint32_t t15 = computed_ws[i - (uint32_t)15U]; + uint32_t t7 = computed_ws[i - (uint32_t)7U]; + uint32_t t2 = computed_ws[i - (uint32_t)2U]; + uint32_t + s1 = + (t2 >> (uint32_t)17U | t2 << (uint32_t)15U) + ^ ((t2 >> (uint32_t)19U | t2 << (uint32_t)13U) ^ t2 >> (uint32_t)10U); + uint32_t + s0 = + (t15 >> (uint32_t)7U | t15 << (uint32_t)25U) + ^ ((t15 >> (uint32_t)18U | t15 << (uint32_t)14U) ^ t15 >> (uint32_t)3U); + uint32_t w = s1 + t7 + s0 + t16; + computed_ws[i] = w; + } + } + } + memcpy(hash1, hash, (uint32_t)8U * sizeof (uint32_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint32_t a0 = hash1[0U]; + uint32_t b0 = hash1[1U]; + uint32_t c0 = hash1[2U]; + uint32_t d0 = hash1[3U]; + uint32_t e0 = hash1[4U]; + uint32_t f0 = hash1[5U]; + uint32_t g0 = hash1[6U]; + uint32_t h02 = hash1[7U]; + uint32_t w = computed_ws[i]; + uint32_t + t1 = + h02 + + + ((e0 >> (uint32_t)6U | e0 << (uint32_t)26U) + ^ + ((e0 >> (uint32_t)11U | e0 << (uint32_t)21U) + ^ (e0 >> (uint32_t)25U | e0 << (uint32_t)7U))) + + ((e0 & f0) ^ (~e0 & g0)) + + k224_256[i] + + w; + uint32_t + t2 = + ((a0 >> (uint32_t)2U | a0 << (uint32_t)30U) + ^ + ((a0 >> (uint32_t)13U | a0 << (uint32_t)19U) + ^ (a0 >> (uint32_t)22U | a0 << (uint32_t)10U))) + + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); + hash1[0U] = t1 + t2; + hash1[1U] = a0; + hash1[2U] = b0; + hash1[3U] = c0; + hash1[4U] = d0 + t1; + hash1[5U] = e0; + hash1[6U] = f0; + hash1[7U] = g0; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t xi = hash[i]; + uint32_t yi = hash1[i]; + hash[i] = xi + yi; + } + } +} + +static void update_256(uint32_t *hash, uint8_t *block) +{ + uint32_t hash1[8U] = { 0U }; + uint32_t computed_ws[64U] = { 0U }; + { + uint32_t i; + for (i = (uint32_t)0U; i < 
(uint32_t)64U; i++) + { + if (i < (uint32_t)16U) + { + uint8_t *b = block + i * (uint32_t)4U; + uint32_t u = load32_be(b); + computed_ws[i] = u; + } + else + { + uint32_t t16 = computed_ws[i - (uint32_t)16U]; + uint32_t t15 = computed_ws[i - (uint32_t)15U]; + uint32_t t7 = computed_ws[i - (uint32_t)7U]; + uint32_t t2 = computed_ws[i - (uint32_t)2U]; + uint32_t + s1 = + (t2 >> (uint32_t)17U | t2 << (uint32_t)15U) + ^ ((t2 >> (uint32_t)19U | t2 << (uint32_t)13U) ^ t2 >> (uint32_t)10U); + uint32_t + s0 = + (t15 >> (uint32_t)7U | t15 << (uint32_t)25U) + ^ ((t15 >> (uint32_t)18U | t15 << (uint32_t)14U) ^ t15 >> (uint32_t)3U); + uint32_t w = s1 + t7 + s0 + t16; + computed_ws[i] = w; + } + } + } + memcpy(hash1, hash, (uint32_t)8U * sizeof (uint32_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint32_t a0 = hash1[0U]; + uint32_t b0 = hash1[1U]; + uint32_t c0 = hash1[2U]; + uint32_t d0 = hash1[3U]; + uint32_t e0 = hash1[4U]; + uint32_t f0 = hash1[5U]; + uint32_t g0 = hash1[6U]; + uint32_t h02 = hash1[7U]; + uint32_t w = computed_ws[i]; + uint32_t + t1 = + h02 + + + ((e0 >> (uint32_t)6U | e0 << (uint32_t)26U) + ^ + ((e0 >> (uint32_t)11U | e0 << (uint32_t)21U) + ^ (e0 >> (uint32_t)25U | e0 << (uint32_t)7U))) + + ((e0 & f0) ^ (~e0 & g0)) + + k224_256[i] + + w; + uint32_t + t2 = + ((a0 >> (uint32_t)2U | a0 << (uint32_t)30U) + ^ + ((a0 >> (uint32_t)13U | a0 << (uint32_t)19U) + ^ (a0 >> (uint32_t)22U | a0 << (uint32_t)10U))) + + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); + hash1[0U] = t1 + t2; + hash1[1U] = a0; + hash1[2U] = b0; + hash1[3U] = c0; + hash1[4U] = d0 + t1; + hash1[5U] = e0; + hash1[6U] = f0; + hash1[7U] = g0; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t xi = hash[i]; + uint32_t yi = hash1[i]; + hash[i] = xi + yi; + } + } +} + +void Hacl_Hash_Core_SHA2_update_384(uint64_t *hash, uint8_t *block) +{ + uint64_t hash1[8U] = { 0U }; + uint64_t computed_ws[80U] = { 0U }; + { + uint32_t i; + for (i = 
(uint32_t)0U; i < (uint32_t)80U; i++) + { + if (i < (uint32_t)16U) + { + uint8_t *b = block + i * (uint32_t)8U; + uint64_t u = load64_be(b); + computed_ws[i] = u; + } + else + { + uint64_t t16 = computed_ws[i - (uint32_t)16U]; + uint64_t t15 = computed_ws[i - (uint32_t)15U]; + uint64_t t7 = computed_ws[i - (uint32_t)7U]; + uint64_t t2 = computed_ws[i - (uint32_t)2U]; + uint64_t + s1 = + (t2 >> (uint32_t)19U | t2 << (uint32_t)45U) + ^ ((t2 >> (uint32_t)61U | t2 << (uint32_t)3U) ^ t2 >> (uint32_t)6U); + uint64_t + s0 = + (t15 >> (uint32_t)1U | t15 << (uint32_t)63U) + ^ ((t15 >> (uint32_t)8U | t15 << (uint32_t)56U) ^ t15 >> (uint32_t)7U); + uint64_t w = s1 + t7 + s0 + t16; + computed_ws[i] = w; + } + } + } + memcpy(hash1, hash, (uint32_t)8U * sizeof (uint64_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)80U; i++) + { + uint64_t a0 = hash1[0U]; + uint64_t b0 = hash1[1U]; + uint64_t c0 = hash1[2U]; + uint64_t d0 = hash1[3U]; + uint64_t e0 = hash1[4U]; + uint64_t f0 = hash1[5U]; + uint64_t g0 = hash1[6U]; + uint64_t h02 = hash1[7U]; + uint64_t w = computed_ws[i]; + uint64_t + t1 = + h02 + + + ((e0 >> (uint32_t)14U | e0 << (uint32_t)50U) + ^ + ((e0 >> (uint32_t)18U | e0 << (uint32_t)46U) + ^ (e0 >> (uint32_t)41U | e0 << (uint32_t)23U))) + + ((e0 & f0) ^ (~e0 & g0)) + + k384_512[i] + + w; + uint64_t + t2 = + ((a0 >> (uint32_t)28U | a0 << (uint32_t)36U) + ^ + ((a0 >> (uint32_t)34U | a0 << (uint32_t)30U) + ^ (a0 >> (uint32_t)39U | a0 << (uint32_t)25U))) + + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); + hash1[0U] = t1 + t2; + hash1[1U] = a0; + hash1[2U] = b0; + hash1[3U] = c0; + hash1[4U] = d0 + t1; + hash1[5U] = e0; + hash1[6U] = f0; + hash1[7U] = g0; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint64_t xi = hash[i]; + uint64_t yi = hash1[i]; + hash[i] = xi + yi; + } + } +} + +void Hacl_Hash_Core_SHA2_update_512(uint64_t *hash, uint8_t *block) +{ + uint64_t hash1[8U] = { 0U }; + uint64_t computed_ws[80U] = { 0U }; + { + uint32_t 
i; + for (i = (uint32_t)0U; i < (uint32_t)80U; i++) + { + if (i < (uint32_t)16U) + { + uint8_t *b = block + i * (uint32_t)8U; + uint64_t u = load64_be(b); + computed_ws[i] = u; + } + else + { + uint64_t t16 = computed_ws[i - (uint32_t)16U]; + uint64_t t15 = computed_ws[i - (uint32_t)15U]; + uint64_t t7 = computed_ws[i - (uint32_t)7U]; + uint64_t t2 = computed_ws[i - (uint32_t)2U]; + uint64_t + s1 = + (t2 >> (uint32_t)19U | t2 << (uint32_t)45U) + ^ ((t2 >> (uint32_t)61U | t2 << (uint32_t)3U) ^ t2 >> (uint32_t)6U); + uint64_t + s0 = + (t15 >> (uint32_t)1U | t15 << (uint32_t)63U) + ^ ((t15 >> (uint32_t)8U | t15 << (uint32_t)56U) ^ t15 >> (uint32_t)7U); + uint64_t w = s1 + t7 + s0 + t16; + computed_ws[i] = w; + } + } + } + memcpy(hash1, hash, (uint32_t)8U * sizeof (uint64_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)80U; i++) + { + uint64_t a0 = hash1[0U]; + uint64_t b0 = hash1[1U]; + uint64_t c0 = hash1[2U]; + uint64_t d0 = hash1[3U]; + uint64_t e0 = hash1[4U]; + uint64_t f0 = hash1[5U]; + uint64_t g0 = hash1[6U]; + uint64_t h02 = hash1[7U]; + uint64_t w = computed_ws[i]; + uint64_t + t1 = + h02 + + + ((e0 >> (uint32_t)14U | e0 << (uint32_t)50U) + ^ + ((e0 >> (uint32_t)18U | e0 << (uint32_t)46U) + ^ (e0 >> (uint32_t)41U | e0 << (uint32_t)23U))) + + ((e0 & f0) ^ (~e0 & g0)) + + k384_512[i] + + w; + uint64_t + t2 = + ((a0 >> (uint32_t)28U | a0 << (uint32_t)36U) + ^ + ((a0 >> (uint32_t)34U | a0 << (uint32_t)30U) + ^ (a0 >> (uint32_t)39U | a0 << (uint32_t)25U))) + + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); + hash1[0U] = t1 + t2; + hash1[1U] = a0; + hash1[2U] = b0; + hash1[3U] = c0; + hash1[4U] = d0 + t1; + hash1[5U] = e0; + hash1[6U] = f0; + hash1[7U] = g0; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint64_t xi = hash[i]; + uint64_t yi = hash1[i]; + hash[i] = xi + yi; + } + } +} + +static void pad_224(uint64_t len, uint8_t *dst) +{ + uint8_t *dst1 = dst; + uint8_t *dst2; + uint8_t *dst3; + dst1[0U] = (uint8_t)0x80U; + 
dst2 = dst + (uint32_t)1U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U; + i++) + { + dst2[i] = (uint8_t)0U; + } + } + dst3 = + dst + + + (uint32_t)1U + + + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U; + store64_be(dst3, len << (uint32_t)3U); +} + +void Hacl_Hash_Core_SHA2_pad_256(uint64_t len, uint8_t *dst) +{ + uint8_t *dst1 = dst; + uint8_t *dst2; + uint8_t *dst3; + dst1[0U] = (uint8_t)0x80U; + dst2 = dst + (uint32_t)1U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U; + i++) + { + dst2[i] = (uint8_t)0U; + } + } + dst3 = + dst + + + (uint32_t)1U + + + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U; + store64_be(dst3, len << (uint32_t)3U); +} + +static void pad_384(FStar_UInt128_uint128 len, uint8_t *dst) +{ + uint8_t *dst1 = dst; + uint8_t *dst2; + uint8_t *dst3; + FStar_UInt128_uint128 len_; + dst1[0U] = (uint8_t)0x80U; + dst2 = dst + (uint32_t)1U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < + ((uint32_t)256U + - + ((uint32_t)17U + + (uint32_t)(FStar_UInt128_uint128_to_uint64(len) % (uint64_t)(uint32_t)128U))) + % (uint32_t)128U; + i++) + { + dst2[i] = (uint8_t)0U; + } + } + dst3 = + dst + + + (uint32_t)1U + + + ((uint32_t)256U + - + ((uint32_t)17U + + (uint32_t)(FStar_UInt128_uint128_to_uint64(len) % (uint64_t)(uint32_t)128U))) + % (uint32_t)128U; + len_ = FStar_UInt128_shift_left(len, (uint32_t)3U); + store128_be(dst3, len_); +} + +static void pad_512(FStar_UInt128_uint128 len, uint8_t *dst) +{ + uint8_t *dst1 = dst; + uint8_t *dst2; + uint8_t *dst3; + FStar_UInt128_uint128 len_; + dst1[0U] = (uint8_t)0x80U; + dst2 = dst + (uint32_t)1U; + { + uint32_t i; + for + (i + = (uint32_t)0U; + i + < + ((uint32_t)256U + - + ((uint32_t)17U + + 
(uint32_t)(FStar_UInt128_uint128_to_uint64(len) % (uint64_t)(uint32_t)128U))) + % (uint32_t)128U; + i++) + { + dst2[i] = (uint8_t)0U; + } + } + dst3 = + dst + + + (uint32_t)1U + + + ((uint32_t)256U + - + ((uint32_t)17U + + (uint32_t)(FStar_UInt128_uint128_to_uint64(len) % (uint64_t)(uint32_t)128U))) + % (uint32_t)128U; + len_ = FStar_UInt128_shift_left(len, (uint32_t)3U); + store128_be(dst3, len_); +} + +void Hacl_Hash_Core_SHA2_finish_224(uint32_t *s, uint8_t *dst) +{ + uint32_t *uu____0 = s; + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)7U; i++) + { + store32_be(dst + i * (uint32_t)4U, uu____0[i]); + } +} + +void Hacl_Hash_Core_SHA2_finish_256(uint32_t *s, uint8_t *dst) +{ + uint32_t *uu____0 = s; + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + store32_be(dst + i * (uint32_t)4U, uu____0[i]); + } +} + +void Hacl_Hash_Core_SHA2_finish_384(uint64_t *s, uint8_t *dst) +{ + uint64_t *uu____0 = s; + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)6U; i++) + { + store64_be(dst + i * (uint32_t)8U, uu____0[i]); + } +} + +void Hacl_Hash_Core_SHA2_finish_512(uint64_t *s, uint8_t *dst) +{ + uint64_t *uu____0 = s; + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + store64_be(dst + i * (uint32_t)8U, uu____0[i]); + } +} + +void Hacl_Hash_SHA2_update_multi_224(uint32_t *s, uint8_t *blocks, uint32_t n_blocks) +{ + uint32_t i; + for (i = (uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)64U; + uint8_t *block = blocks + sz * i; + update_224(s, block); + } +} + +void Hacl_Hash_SHA2_update_multi_256(uint32_t *s, uint8_t *blocks, uint32_t n_blocks) +{ + uint32_t i; + for (i = (uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)64U; + uint8_t *block = blocks + sz * i; + update_256(s, block); + } +} + +void Hacl_Hash_SHA2_update_multi_384(uint64_t *s, uint8_t *blocks, uint32_t n_blocks) +{ + uint32_t i; + for (i = (uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)128U; + uint8_t *block = blocks + sz * i; 
+ Hacl_Hash_Core_SHA2_update_384(s, block); + } +} + +void Hacl_Hash_SHA2_update_multi_512(uint64_t *s, uint8_t *blocks, uint32_t n_blocks) +{ + uint32_t i; + for (i = (uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)128U; + uint8_t *block = blocks + sz * i; + Hacl_Hash_Core_SHA2_update_512(s, block); + } +} + +void +Hacl_Hash_SHA2_update_last_224( + uint32_t *s, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)64U; + uint32_t blocks_len = blocks_n * (uint32_t)64U; + uint8_t *blocks = input; + uint32_t rest_len = input_len - blocks_len; + uint8_t *rest = input + blocks_len; + uint64_t total_input_len; + uint32_t pad_len; + uint32_t tmp_len; + Hacl_Hash_SHA2_update_multi_224(s, blocks, blocks_n); + total_input_len = prev_len + (uint64_t)input_len; + pad_len = + (uint32_t)1U + + + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(total_input_len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U + + (uint32_t)8U; + tmp_len = rest_len + pad_len; + { + uint8_t tmp_twoblocks[128U] = { 0U }; + uint8_t *tmp = tmp_twoblocks; + uint8_t *tmp_rest = tmp; + uint8_t *tmp_pad = tmp + rest_len; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + pad_224(total_input_len, tmp_pad); + Hacl_Hash_SHA2_update_multi_224(s, tmp, tmp_len / (uint32_t)64U); + } +} + +void +Hacl_Hash_SHA2_update_last_256( + uint32_t *s, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)64U; + uint32_t blocks_len = blocks_n * (uint32_t)64U; + uint8_t *blocks = input; + uint32_t rest_len = input_len - blocks_len; + uint8_t *rest = input + blocks_len; + uint64_t total_input_len; + uint32_t pad_len; + uint32_t tmp_len; + Hacl_Hash_SHA2_update_multi_256(s, blocks, blocks_n); + total_input_len = prev_len + (uint64_t)input_len; + pad_len = + (uint32_t)1U + + + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(total_input_len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U + + (uint32_t)8U; + 
tmp_len = rest_len + pad_len; + { + uint8_t tmp_twoblocks[128U] = { 0U }; + uint8_t *tmp = tmp_twoblocks; + uint8_t *tmp_rest = tmp; + uint8_t *tmp_pad = tmp + rest_len; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + Hacl_Hash_Core_SHA2_pad_256(total_input_len, tmp_pad); + Hacl_Hash_SHA2_update_multi_256(s, tmp, tmp_len / (uint32_t)64U); + } +} + +void +Hacl_Hash_SHA2_update_last_384( + uint64_t *s, + FStar_UInt128_uint128 prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)128U; + uint32_t blocks_len = blocks_n * (uint32_t)128U; + uint8_t *blocks = input; + uint32_t rest_len = input_len - blocks_len; + uint8_t *rest = input + blocks_len; + FStar_UInt128_uint128 total_input_len; + uint32_t pad_len; + uint32_t tmp_len; + Hacl_Hash_SHA2_update_multi_384(s, blocks, blocks_n); + total_input_len = + FStar_UInt128_add(prev_len, + FStar_UInt128_uint64_to_uint128((uint64_t)input_len)); + pad_len = + (uint32_t)1U + + + ((uint32_t)256U + - + ((uint32_t)17U + + (uint32_t)(FStar_UInt128_uint128_to_uint64(total_input_len) % (uint64_t)(uint32_t)128U))) + % (uint32_t)128U + + (uint32_t)16U; + tmp_len = rest_len + pad_len; + { + uint8_t tmp_twoblocks[256U] = { 0U }; + uint8_t *tmp = tmp_twoblocks; + uint8_t *tmp_rest = tmp; + uint8_t *tmp_pad = tmp + rest_len; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + pad_384(total_input_len, tmp_pad); + Hacl_Hash_SHA2_update_multi_384(s, tmp, tmp_len / (uint32_t)128U); + } +} + +void +Hacl_Hash_SHA2_update_last_512( + uint64_t *s, + FStar_UInt128_uint128 prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)128U; + uint32_t blocks_len = blocks_n * (uint32_t)128U; + uint8_t *blocks = input; + uint32_t rest_len = input_len - blocks_len; + uint8_t *rest = input + blocks_len; + FStar_UInt128_uint128 total_input_len; + uint32_t pad_len; + uint32_t tmp_len; + Hacl_Hash_SHA2_update_multi_512(s, blocks, blocks_n); + total_input_len = + 
FStar_UInt128_add(prev_len, + FStar_UInt128_uint64_to_uint128((uint64_t)input_len)); + pad_len = + (uint32_t)1U + + + ((uint32_t)256U + - + ((uint32_t)17U + + (uint32_t)(FStar_UInt128_uint128_to_uint64(total_input_len) % (uint64_t)(uint32_t)128U))) + % (uint32_t)128U + + (uint32_t)16U; + tmp_len = rest_len + pad_len; + { + uint8_t tmp_twoblocks[256U] = { 0U }; + uint8_t *tmp = tmp_twoblocks; + uint8_t *tmp_rest = tmp; + uint8_t *tmp_pad = tmp + rest_len; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + pad_512(total_input_len, tmp_pad); + Hacl_Hash_SHA2_update_multi_512(s, tmp, tmp_len / (uint32_t)128U); + } +} + +void Hacl_Hash_SHA2_hash_224(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + uint32_t + scrut[8U] = + { + (uint32_t)0xc1059ed8U, (uint32_t)0x367cd507U, (uint32_t)0x3070dd17U, (uint32_t)0xf70e5939U, + (uint32_t)0xffc00b31U, (uint32_t)0x68581511U, (uint32_t)0x64f98fa7U, (uint32_t)0xbefa4fa4U + }; + uint32_t *s = scrut; + uint32_t blocks_n0 = input_len / (uint32_t)64U; + uint32_t blocks_n1; + if (input_len % (uint32_t)64U == (uint32_t)0U && blocks_n0 > (uint32_t)0U) + { + blocks_n1 = blocks_n0 - (uint32_t)1U; + } + else + { + blocks_n1 = blocks_n0; + } + { + uint32_t blocks_len0 = blocks_n1 * (uint32_t)64U; + uint8_t *blocks0 = input; + uint32_t rest_len0 = input_len - blocks_len0; + uint8_t *rest0 = input + blocks_len0; + uint32_t blocks_n = blocks_n1; + uint32_t blocks_len = blocks_len0; + uint8_t *blocks = blocks0; + uint32_t rest_len = rest_len0; + uint8_t *rest = rest0; + Hacl_Hash_SHA2_update_multi_224(s, blocks, blocks_n); + Hacl_Hash_SHA2_update_last_224(s, (uint64_t)blocks_len, rest, rest_len); + Hacl_Hash_Core_SHA2_finish_224(s, dst); + } +} + +void Hacl_Hash_SHA2_hash_256(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + uint32_t + scrut[8U] = + { + (uint32_t)0x6a09e667U, (uint32_t)0xbb67ae85U, (uint32_t)0x3c6ef372U, (uint32_t)0xa54ff53aU, + (uint32_t)0x510e527fU, (uint32_t)0x9b05688cU, (uint32_t)0x1f83d9abU, 
(uint32_t)0x5be0cd19U + }; + uint32_t *s = scrut; + uint32_t blocks_n0 = input_len / (uint32_t)64U; + uint32_t blocks_n1; + if (input_len % (uint32_t)64U == (uint32_t)0U && blocks_n0 > (uint32_t)0U) + { + blocks_n1 = blocks_n0 - (uint32_t)1U; + } + else + { + blocks_n1 = blocks_n0; + } + { + uint32_t blocks_len0 = blocks_n1 * (uint32_t)64U; + uint8_t *blocks0 = input; + uint32_t rest_len0 = input_len - blocks_len0; + uint8_t *rest0 = input + blocks_len0; + uint32_t blocks_n = blocks_n1; + uint32_t blocks_len = blocks_len0; + uint8_t *blocks = blocks0; + uint32_t rest_len = rest_len0; + uint8_t *rest = rest0; + Hacl_Hash_SHA2_update_multi_256(s, blocks, blocks_n); + Hacl_Hash_SHA2_update_last_256(s, (uint64_t)blocks_len, rest, rest_len); + Hacl_Hash_Core_SHA2_finish_256(s, dst); + } +} + +typedef uint64_t *___uint64_t____; + +void Hacl_Hash_SHA2_hash_384(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + uint64_t + scrut[8U] = + { + (uint64_t)0xcbbb9d5dc1059ed8U, (uint64_t)0x629a292a367cd507U, (uint64_t)0x9159015a3070dd17U, + (uint64_t)0x152fecd8f70e5939U, (uint64_t)0x67332667ffc00b31U, (uint64_t)0x8eb44a8768581511U, + (uint64_t)0xdb0c2e0d64f98fa7U, (uint64_t)0x47b5481dbefa4fa4U + }; + uint64_t *s = scrut; + uint32_t blocks_n0 = input_len / (uint32_t)128U; + uint32_t blocks_n1; + if (input_len % (uint32_t)128U == (uint32_t)0U && blocks_n0 > (uint32_t)0U) + { + blocks_n1 = blocks_n0 - (uint32_t)1U; + } + else + { + blocks_n1 = blocks_n0; + } + { + uint32_t blocks_len0 = blocks_n1 * (uint32_t)128U; + uint8_t *blocks0 = input; + uint32_t rest_len0 = input_len - blocks_len0; + uint8_t *rest0 = input + blocks_len0; + uint32_t blocks_n = blocks_n1; + uint32_t blocks_len = blocks_len0; + uint8_t *blocks = blocks0; + uint32_t rest_len = rest_len0; + uint8_t *rest = rest0; + Hacl_Hash_SHA2_update_multi_384(s, blocks, blocks_n); + Hacl_Hash_SHA2_update_last_384(s, + FStar_UInt128_uint64_to_uint128((uint64_t)blocks_len), + rest, + rest_len); + 
Hacl_Hash_Core_SHA2_finish_384(s, dst); + } +} + +void Hacl_Hash_SHA2_hash_512(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + uint64_t + scrut[8U] = + { + (uint64_t)0x6a09e667f3bcc908U, (uint64_t)0xbb67ae8584caa73bU, (uint64_t)0x3c6ef372fe94f82bU, + (uint64_t)0xa54ff53a5f1d36f1U, (uint64_t)0x510e527fade682d1U, (uint64_t)0x9b05688c2b3e6c1fU, + (uint64_t)0x1f83d9abfb41bd6bU, (uint64_t)0x5be0cd19137e2179U + }; + uint64_t *s = scrut; + uint32_t blocks_n0 = input_len / (uint32_t)128U; + uint32_t blocks_n1; + if (input_len % (uint32_t)128U == (uint32_t)0U && blocks_n0 > (uint32_t)0U) + { + blocks_n1 = blocks_n0 - (uint32_t)1U; + } + else + { + blocks_n1 = blocks_n0; + } + { + uint32_t blocks_len0 = blocks_n1 * (uint32_t)128U; + uint8_t *blocks0 = input; + uint32_t rest_len0 = input_len - blocks_len0; + uint8_t *rest0 = input + blocks_len0; + uint32_t blocks_n = blocks_n1; + uint32_t blocks_len = blocks_len0; + uint8_t *blocks = blocks0; + uint32_t rest_len = rest_len0; + uint8_t *rest = rest0; + Hacl_Hash_SHA2_update_multi_512(s, blocks, blocks_n); + Hacl_Hash_SHA2_update_last_512(s, + FStar_UInt128_uint64_to_uint128((uint64_t)blocks_len), + rest, + rest_len); + Hacl_Hash_Core_SHA2_finish_512(s, dst); + } +} + diff --git a/src/c89/Hacl_NaCl.c b/src/c89/Hacl_NaCl.c new file mode 100644 index 00000000..34a8e418 --- /dev/null +++ b/src/c89/Hacl_NaCl.c 
@@ -0,0 +1,444 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_NaCl.h" + + + +static void secretbox_init(uint8_t *xkeys, uint8_t *k, uint8_t *n) +{ + uint8_t *subkey = xkeys; + uint8_t *aekey = xkeys + (uint32_t)32U; + uint8_t *n0 = n; + uint8_t *n1 = n + (uint32_t)16U; + Hacl_Salsa20_hsalsa20(subkey, k, n0); + Hacl_Salsa20_salsa20_key_block0(aekey, subkey, n1); +} + +static void +secretbox_detached(uint32_t mlen, uint8_t *c, uint8_t *tag, uint8_t *k, uint8_t *n, uint8_t *m) +{ + uint8_t xkeys[96U] = { 0U }; + uint8_t *mkey; + secretbox_init(xkeys, k, n); + mkey = xkeys + (uint32_t)32U; + { + uint8_t *n1 = n + (uint32_t)16U; + uint8_t *subkey = xkeys; + uint8_t *ekey0 = xkeys + (uint32_t)64U; + uint32_t mlen0; + if (mlen <= (uint32_t)32U) + { + mlen0 = mlen; + } + else + { + mlen0 = (uint32_t)32U; + } + { + uint32_t mlen1 = mlen - mlen0; + uint8_t *m0 = m; + uint8_t *m1 = m + mlen0; + uint8_t block0[32U] = { 0U }; + uint8_t *c0; + uint8_t *c1; + memcpy(block0, m0, mlen0 * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint8_t *os = block0; + uint8_t x = block0[i] ^ ekey0[i]; + os[i] = x; + } + } + c0 = c; + c1 = c + mlen0; + memcpy(c0, block0, mlen0 * sizeof (uint8_t)); + Hacl_Salsa20_salsa20_encrypt(mlen1, c1, m1, subkey, n1, (uint32_t)1U); + Hacl_Poly1305_32_poly1305_mac(tag, mlen, c, mkey); + } + } +} + +static uint32_t +secretbox_open_detached( + uint32_t mlen, + uint8_t *m, + uint8_t *k, + uint8_t *n, + uint8_t *c, + uint8_t *tag +) +{ + uint8_t xkeys[96U] = { 0U }; + uint8_t *mkey; + secretbox_init(xkeys, k, n); + mkey = xkeys + (uint32_t)32U; + { + uint8_t tag_[16U] = { 0U }; + Hacl_Poly1305_32_poly1305_mac(tag_, mlen, c, mkey); + { + uint8_t res0 = (uint8_t)255U; + uint8_t z; + uint32_t res; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint8_t uu____0 = FStar_UInt8_eq_mask(tag[i], tag_[i]); + res0 = uu____0 & res0; + } + } + z = res0; + if (z == (uint8_t)255U) + { + uint8_t *subkey = xkeys; + uint8_t *ekey0 = xkeys + 
(uint32_t)64U; + uint8_t *n1 = n + (uint32_t)16U; + uint32_t mlen0; + if (mlen <= (uint32_t)32U) + { + mlen0 = mlen; + } + else + { + mlen0 = (uint32_t)32U; + } + { + uint32_t mlen1 = mlen - mlen0; + uint8_t *c0 = c; + uint8_t *c1 = c + mlen0; + uint8_t block0[32U] = { 0U }; + memcpy(block0, c0, mlen0 * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint8_t *os = block0; + uint8_t x = block0[i] ^ ekey0[i]; + os[i] = x; + } + } + { + uint8_t *m0 = m; + uint8_t *m1 = m + mlen0; + memcpy(m0, block0, mlen0 * sizeof (uint8_t)); + Hacl_Salsa20_salsa20_decrypt(mlen1, m1, c1, subkey, n1, (uint32_t)1U); + res = (uint32_t)0U; + } + } + } + else + { + res = (uint32_t)0xffffffffU; + } + return res; + } + } +} + +static void secretbox_easy(uint32_t mlen, uint8_t *c, uint8_t *k, uint8_t *n, uint8_t *m) +{ + uint8_t *tag = c; + uint8_t *cip = c + (uint32_t)16U; + secretbox_detached(mlen, cip, tag, k, n, m); +} + +static uint32_t +secretbox_open_easy(uint32_t mlen, uint8_t *m, uint8_t *k, uint8_t *n, uint8_t *c) +{ + uint8_t *tag = c; + uint8_t *cip = c + (uint32_t)16U; + return secretbox_open_detached(mlen, m, k, n, cip, tag); +} + +static inline uint32_t box_beforenm(uint8_t *k, uint8_t *pk, uint8_t *sk) +{ + uint8_t n0[16U] = { 0U }; + bool r = Hacl_Curve25519_51_ecdh(k, sk, pk); + if (r) + { + Hacl_Salsa20_hsalsa20(k, k, n0); + return (uint32_t)0U; + } + return (uint32_t)0xffffffffU; +} + +static inline uint32_t +box_detached_afternm( + uint32_t mlen, + uint8_t *c, + uint8_t *tag, + uint8_t *k, + uint8_t *n, + uint8_t *m +) +{ + secretbox_detached(mlen, c, tag, k, n, m); + return (uint32_t)0U; +} + +static inline uint32_t +box_detached( + uint32_t mlen, + uint8_t *c, + uint8_t *tag, + uint8_t *sk, + uint8_t *pk, + uint8_t *n, + uint8_t *m +) +{ + uint8_t k[32U] = { 0U }; + uint32_t r = box_beforenm(k, pk, sk); + if (r == (uint32_t)0U) + { + return box_detached_afternm(mlen, c, tag, k, n, m); + } + return (uint32_t)0xffffffffU; +} + 
+static inline uint32_t +box_open_detached_afternm( + uint32_t mlen, + uint8_t *m, + uint8_t *k, + uint8_t *n, + uint8_t *c, + uint8_t *tag +) +{ + return secretbox_open_detached(mlen, m, k, n, c, tag); +} + +static inline uint32_t +box_open_detached( + uint32_t mlen, + uint8_t *m, + uint8_t *pk, + uint8_t *sk, + uint8_t *n, + uint8_t *c, + uint8_t *tag +) +{ + uint8_t k[32U] = { 0U }; + uint32_t r = box_beforenm(k, pk, sk); + if (r == (uint32_t)0U) + { + return box_open_detached_afternm(mlen, m, k, n, c, tag); + } + return (uint32_t)0xffffffffU; +} + +static inline uint32_t +box_easy_afternm(uint32_t mlen, uint8_t *c, uint8_t *k, uint8_t *n, uint8_t *m) +{ + uint8_t *tag = c; + uint8_t *cip = c + (uint32_t)16U; + uint32_t res = box_detached_afternm(mlen, cip, tag, k, n, m); + return res; +} + +static inline uint32_t +box_easy(uint32_t mlen, uint8_t *c, uint8_t *sk, uint8_t *pk, uint8_t *n, uint8_t *m) +{ + uint8_t *tag = c; + uint8_t *cip = c + (uint32_t)16U; + uint32_t res = box_detached(mlen, cip, tag, sk, pk, n, m); + return res; +} + +static inline uint32_t +box_open_easy_afternm(uint32_t mlen, uint8_t *m, uint8_t *k, uint8_t *n, uint8_t *c) +{ + uint8_t *tag = c; + uint8_t *cip = c + (uint32_t)16U; + return box_open_detached_afternm(mlen, m, k, n, cip, tag); +} + +static inline uint32_t +box_open_easy(uint32_t mlen, uint8_t *m, uint8_t *pk, uint8_t *sk, uint8_t *n, uint8_t *c) +{ + uint8_t *tag = c; + uint8_t *cip = c + (uint32_t)16U; + return box_open_detached(mlen, m, pk, sk, n, cip, tag); +} + +uint32_t +Hacl_NaCl_crypto_secretbox_detached( + uint8_t *c, + uint8_t *tag, + uint8_t *m, + uint32_t mlen, + uint8_t *n, + uint8_t *k +) +{ + secretbox_detached(mlen, c, tag, k, n, m); + return (uint32_t)0U; +} + +uint32_t +Hacl_NaCl_crypto_secretbox_open_detached( + uint8_t *m, + uint8_t *c, + uint8_t *tag, + uint32_t mlen, + uint8_t *n, + uint8_t *k +) +{ + return secretbox_open_detached(mlen, m, k, n, c, tag); +} + +uint32_t 
+Hacl_NaCl_crypto_secretbox_easy(uint8_t *c, uint8_t *m, uint32_t mlen, uint8_t *n, uint8_t *k) +{ + secretbox_easy(mlen, c, k, n, m); + return (uint32_t)0U; +} + +uint32_t +Hacl_NaCl_crypto_secretbox_open_easy( + uint8_t *m, + uint8_t *c, + uint32_t clen, + uint8_t *n, + uint8_t *k +) +{ + return secretbox_open_easy(clen - (uint32_t)16U, m, k, n, c); +} + +uint32_t Hacl_NaCl_crypto_box_beforenm(uint8_t *k, uint8_t *pk, uint8_t *sk) +{ + return box_beforenm(k, pk, sk); +} + +uint32_t +Hacl_NaCl_crypto_box_detached_afternm( + uint8_t *c, + uint8_t *tag, + uint8_t *m, + uint32_t mlen, + uint8_t *n, + uint8_t *k +) +{ + return box_detached_afternm(mlen, c, tag, k, n, m); +} + +uint32_t +Hacl_NaCl_crypto_box_detached( + uint8_t *c, + uint8_t *tag, + uint8_t *m, + uint32_t mlen, + uint8_t *n, + uint8_t *pk, + uint8_t *sk +) +{ + return box_detached(mlen, c, tag, sk, pk, n, m); +} + +uint32_t +Hacl_NaCl_crypto_box_open_detached_afternm( + uint8_t *m, + uint8_t *c, + uint8_t *tag, + uint32_t mlen, + uint8_t *n, + uint8_t *k +) +{ + return box_open_detached_afternm(mlen, m, k, n, c, tag); +} + +uint32_t +Hacl_NaCl_crypto_box_open_detached( + uint8_t *m, + uint8_t *c, + uint8_t *tag, + uint32_t mlen, + uint8_t *n, + uint8_t *pk, + uint8_t *sk +) +{ + return box_open_detached(mlen, m, pk, sk, n, c, tag); +} + +uint32_t +Hacl_NaCl_crypto_box_easy_afternm( + uint8_t *c, + uint8_t *m, + uint32_t mlen, + uint8_t *n, + uint8_t *k +) +{ + return box_easy_afternm(mlen, c, k, n, m); +} + +uint32_t +Hacl_NaCl_crypto_box_easy( + uint8_t *c, + uint8_t *m, + uint32_t mlen, + uint8_t *n, + uint8_t *pk, + uint8_t *sk +) +{ + return box_easy(mlen, c, sk, pk, n, m); +} + +uint32_t +Hacl_NaCl_crypto_box_open_easy_afternm( + uint8_t *m, + uint8_t *c, + uint32_t clen, + uint8_t *n, + uint8_t *k +) +{ + return box_open_easy_afternm(clen - (uint32_t)16U, m, k, n, c); +} + +uint32_t +Hacl_NaCl_crypto_box_open_easy( + uint8_t *m, + uint8_t *c, + uint32_t clen, + uint8_t *n, + uint8_t *pk, + 
uint8_t *sk +) +{ + return box_open_easy(clen - (uint32_t)16U, m, pk, sk, n, c); +} + diff --git a/src/c89/Hacl_P256.c b/src/c89/Hacl_P256.c new file mode 100644 index 00000000..b547345f --- /dev/null +++ b/src/c89/Hacl_P256.c 
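Review bot: `Hacl_NaCl_crypto_secretbox_open_easy`, `Hacl_NaCl_crypto_box_open_easy_afternm` and `Hacl_NaCl_crypto_box_open_easy` compute `clen - (uint32_t)16U` without checking that `clen >= 16`, so a ciphertext shorter than the tag wraps the length to nearly 4 GiB and `secretbox_open_detached` then runs `Hacl_Poly1305_32_poly1305_mac` over that many bytes of `c`. The precondition is presumably discharged in the F* source this C appears to be extracted from, but nothing on the C side states it for callers, and the untrusted-length path is exactly where a decryption API is exercised. If the file is regenerated rather than hand-edited, the precondition should at least be documented in the header, e.g. `/* clen must be >= 16; returns 0xffffffff on authentication failure */`, or the guard `if (clen < (uint32_t)16U) return (uint32_t)0xffffffffU;` added where these wrappers are produced. The same applies to the `_open_detached` entry points, which trust `mlen` for the MAC and decrypt lengths in the same way.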
@@ -0,0 +1,3663 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_P256.h" + +#include "internal/Hacl_Spec.h" + +static uint64_t isZero_uint64_CT(uint64_t *f) +{ + uint64_t a0 = f[0U]; + uint64_t a1 = f[1U]; + uint64_t a2 = f[2U]; + uint64_t a3 = f[3U]; + uint64_t r0 = FStar_UInt64_eq_mask(a0, (uint64_t)0U); + uint64_t r1 = FStar_UInt64_eq_mask(a1, (uint64_t)0U); + uint64_t r2 = FStar_UInt64_eq_mask(a2, (uint64_t)0U); + uint64_t r3 = FStar_UInt64_eq_mask(a3, (uint64_t)0U); + uint64_t r01 = r0 & r1; + uint64_t r23 = r2 & r3; + return r01 & r23; +} + +static uint64_t compare_felem(uint64_t *a, uint64_t *b) +{ + uint64_t a_0 = a[0U]; + uint64_t a_1 = a[1U]; + uint64_t a_2 = a[2U]; + uint64_t a_3 = a[3U]; + uint64_t b_0 = b[0U]; + uint64_t b_1 = b[1U]; + uint64_t b_2 = b[2U]; + uint64_t b_3 = b[3U]; + uint64_t r_0 = FStar_UInt64_eq_mask(a_0, b_0); + uint64_t r_1 = FStar_UInt64_eq_mask(a_1, b_1); + uint64_t r_2 = FStar_UInt64_eq_mask(a_2, b_2); + uint64_t r_3 = FStar_UInt64_eq_mask(a_3, b_3); + uint64_t r01 = r_0 & r_1; + uint64_t r23 = r_2 & r_3; + return r01 & r23; +} + +static void copy_conditional(uint64_t *out, uint64_t *x, uint64_t mask) +{ + uint64_t out_0 = out[0U]; + uint64_t out_1 = out[1U]; + uint64_t out_2 = out[2U]; + uint64_t out_3 = out[3U]; + uint64_t x_0 = x[0U]; + uint64_t x_1 = x[1U]; + uint64_t x_2 = x[2U]; + uint64_t x_3 = x[3U]; + uint64_t r_0 = out_0 ^ (mask & (out_0 ^ x_0)); + uint64_t r_1 = out_1 ^ (mask & (out_1 ^ x_1)); + uint64_t r_2 = out_2 ^ (mask & (out_2 ^ x_2)); + uint64_t r_3 = out_3 ^ (mask & (out_3 ^ x_3)); + out[0U] = r_0; + out[1U] = r_1; + out[2U] = r_2; + out[3U] = r_3; +} + +static uint64_t add4(uint64_t *x, uint64_t *y, uint64_t *result) +{ + uint64_t *r0 = result; + uint64_t *r1 = result + (uint32_t)1U; + uint64_t *r2 = result + (uint32_t)2U; + uint64_t *r3 = result + (uint32_t)3U; + uint64_t cc0 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, x[0U], y[0U], r0); + uint64_t cc1 = Lib_IntTypes_Intrinsics_add_carry_u64(cc0, x[1U], y[1U], r1); + uint64_t cc2 
= Lib_IntTypes_Intrinsics_add_carry_u64(cc1, x[2U], y[2U], r2); + uint64_t cc3 = Lib_IntTypes_Intrinsics_add_carry_u64(cc2, x[3U], y[3U], r3); + return cc3; +} + +static uint64_t add4_with_carry(uint64_t c, uint64_t *x, uint64_t *y, uint64_t *result) +{ + uint64_t *r0 = result; + uint64_t *r1 = result + (uint32_t)1U; + uint64_t *r2 = result + (uint32_t)2U; + uint64_t *r3 = result + (uint32_t)3U; + uint64_t cc = Lib_IntTypes_Intrinsics_add_carry_u64(c, x[0U], y[0U], r0); + uint64_t cc1 = Lib_IntTypes_Intrinsics_add_carry_u64(cc, x[1U], y[1U], r1); + uint64_t cc2 = Lib_IntTypes_Intrinsics_add_carry_u64(cc1, x[2U], y[2U], r2); + uint64_t cc3 = Lib_IntTypes_Intrinsics_add_carry_u64(cc2, x[3U], y[3U], r3); + return cc3; +} + +static uint64_t add8(uint64_t *x, uint64_t *y, uint64_t *result) +{ + uint64_t *a0 = x; + uint64_t *a1 = x + (uint32_t)4U; + uint64_t *b0 = y; + uint64_t *b1 = y + (uint32_t)4U; + uint64_t *c0 = result; + uint64_t *c1 = result + (uint32_t)4U; + uint64_t carry0 = add4(a0, b0, c0); + uint64_t carry1 = add4_with_carry(carry0, a1, b1, c1); + return carry1; +} + +static uint64_t +add4_variables( + uint64_t *x, + uint64_t cin, + uint64_t y0, + uint64_t y1, + uint64_t y2, + uint64_t y3, + uint64_t *result +) +{ + uint64_t *r0 = result; + uint64_t *r1 = result + (uint32_t)1U; + uint64_t *r2 = result + (uint32_t)2U; + uint64_t *r3 = result + (uint32_t)3U; + uint64_t cc = Lib_IntTypes_Intrinsics_add_carry_u64(cin, x[0U], y0, r0); + uint64_t cc1 = Lib_IntTypes_Intrinsics_add_carry_u64(cc, x[1U], y1, r1); + uint64_t cc2 = Lib_IntTypes_Intrinsics_add_carry_u64(cc1, x[2U], y2, r2); + uint64_t cc3 = Lib_IntTypes_Intrinsics_add_carry_u64(cc2, x[3U], y3, r3); + return cc3; +} + +static uint64_t sub4_il(uint64_t *x, const uint64_t *y, uint64_t *result) +{ + uint64_t *r0 = result; + uint64_t *r1 = result + (uint32_t)1U; + uint64_t *r2 = result + (uint32_t)2U; + uint64_t *r3 = result + (uint32_t)3U; + uint64_t cc = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, 
x[0U], y[0U], r0); + uint64_t cc1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(cc, x[1U], y[1U], r1); + uint64_t cc2 = Lib_IntTypes_Intrinsics_sub_borrow_u64(cc1, x[2U], y[2U], r2); + uint64_t cc3 = Lib_IntTypes_Intrinsics_sub_borrow_u64(cc2, x[3U], y[3U], r3); + return cc3; +} + +static uint64_t sub4(uint64_t *x, uint64_t *y, uint64_t *result) +{ + uint64_t *r0 = result; + uint64_t *r1 = result + (uint32_t)1U; + uint64_t *r2 = result + (uint32_t)2U; + uint64_t *r3 = result + (uint32_t)3U; + uint64_t cc = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, x[0U], y[0U], r0); + uint64_t cc1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(cc, x[1U], y[1U], r1); + uint64_t cc2 = Lib_IntTypes_Intrinsics_sub_borrow_u64(cc1, x[2U], y[2U], r2); + uint64_t cc3 = Lib_IntTypes_Intrinsics_sub_borrow_u64(cc2, x[3U], y[3U], r3); + return cc3; +} + +static void mul64(uint64_t x, uint64_t y, uint64_t *result, uint64_t *temp) +{ + FStar_UInt128_uint128 res = FStar_UInt128_mul_wide(x, y); + uint64_t l0 = FStar_UInt128_uint128_to_uint64(res); + uint64_t h0 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U)); + result[0U] = l0; + temp[0U] = h0; +} + +static void sq(uint64_t *f, uint64_t *out) +{ + uint64_t wb[17U] = { 0U }; + uint64_t *tb = wb; + uint64_t *memory = wb + (uint32_t)5U; + uint64_t *b0 = out; + uint64_t f01 = f[0U]; + uint64_t f310 = f[3U]; + uint64_t *o30 = b0 + (uint32_t)3U; + uint64_t *temp1 = tb; + uint64_t f02 = f[0U]; + uint64_t f12 = f[1U]; + uint64_t f22 = f[2U]; + uint64_t *o01 = b0; + uint64_t *o10 = b0 + (uint32_t)1U; + uint64_t *o20 = b0 + (uint32_t)2U; + uint64_t h_00; + uint64_t l0; + uint64_t c10; + uint64_t h_10; + uint64_t l10; + uint64_t c20; + uint64_t h_20; + uint64_t l3; + uint64_t c30; + uint64_t temp0; + uint64_t c0; + uint64_t *b1; + uint64_t *temp2; + uint64_t *tempBufferResult0; + uint64_t f11; + uint64_t f210; + uint64_t f311; + uint64_t *o00; + uint64_t *o11; + uint64_t *o21; + uint64_t *o31; + uint64_t h_01; + uint64_t l4; 
+ uint64_t c12; + uint64_t h_11; + uint64_t l11; + uint64_t c22; + uint64_t h_21; + uint64_t l20; + uint64_t c31; + uint64_t h_30; + uint64_t c40; + uint64_t c1; + uint64_t *b2; + uint64_t *temp3; + uint64_t *tempBufferResult1; + uint64_t f21; + uint64_t f312; + uint64_t *o02; + uint64_t *o12; + uint64_t *o22; + uint64_t *o32; + uint64_t h_0; + uint64_t l5; + uint64_t c110; + uint64_t h_1; + uint64_t l12; + uint64_t c23; + uint64_t h_2; + uint64_t l21; + uint64_t c32; + uint64_t h_31; + uint64_t c41; + uint64_t c2; + uint64_t *b3; + uint64_t *temp; + uint64_t *tempBufferResult; + uint64_t f31; + uint64_t *o0; + uint64_t *o1; + uint64_t *o2; + uint64_t *o3; + uint64_t h; + uint64_t l; + uint64_t c11; + uint64_t h4; + uint64_t l1; + uint64_t c21; + uint64_t h5; + uint64_t l2; + uint64_t c33; + uint64_t h_3; + uint64_t c4; + uint64_t c3; + mul64(f02, f02, o01, temp1); + h_00 = temp1[0U]; + mul64(f02, f12, o10, temp1); + l0 = o10[0U]; + memory[0U] = l0; + memory[1U] = temp1[0U]; + c10 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l0, h_00, o10); + h_10 = temp1[0U]; + mul64(f02, f22, o20, temp1); + l10 = o20[0U]; + memory[2U] = l10; + memory[3U] = temp1[0U]; + c20 = Lib_IntTypes_Intrinsics_add_carry_u64(c10, l10, h_10, o20); + h_20 = temp1[0U]; + mul64(f01, f310, o30, temp1); + l3 = o30[0U]; + memory[4U] = l3; + memory[5U] = temp1[0U]; + c30 = Lib_IntTypes_Intrinsics_add_carry_u64(c20, l3, h_20, o30); + temp0 = temp1[0U]; + c0 = c30 + temp0; + out[4U] = c0; + b1 = out + (uint32_t)1U; + temp2 = tb; + tempBufferResult0 = tb + (uint32_t)1U; + f11 = f[1U]; + f210 = f[2U]; + f311 = f[3U]; + o00 = tempBufferResult0; + o11 = tempBufferResult0 + (uint32_t)1U; + o21 = tempBufferResult0 + (uint32_t)2U; + o31 = tempBufferResult0 + (uint32_t)3U; + o00[0U] = memory[0U]; + h_01 = memory[1U]; + mul64(f11, f11, o11, temp2); + l4 = o11[0U]; + c12 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l4, h_01, o11); + h_11 = temp2[0U]; + mul64(f11, f210, o21, temp2); + l11 = 
o21[0U]; + memory[6U] = l11; + memory[7U] = temp2[0U]; + c22 = Lib_IntTypes_Intrinsics_add_carry_u64(c12, l11, h_11, o21); + h_21 = temp2[0U]; + mul64(f11, f311, o31, temp2); + l20 = o31[0U]; + memory[8U] = l20; + memory[9U] = temp2[0U]; + c31 = Lib_IntTypes_Intrinsics_add_carry_u64(c22, l20, h_21, o31); + h_30 = temp2[0U]; + c40 = add4(tempBufferResult0, b1, b1); + c1 = c31 + h_30 + c40; + out[5U] = c1; + b2 = out + (uint32_t)2U; + temp3 = tb; + tempBufferResult1 = tb + (uint32_t)1U; + f21 = f[2U]; + f312 = f[3U]; + o02 = tempBufferResult1; + o12 = tempBufferResult1 + (uint32_t)1U; + o22 = tempBufferResult1 + (uint32_t)2U; + o32 = tempBufferResult1 + (uint32_t)3U; + o02[0U] = memory[2U]; + h_0 = memory[3U]; + o12[0U] = memory[6U]; + l5 = o12[0U]; + c110 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l5, h_0, o12); + h_1 = memory[7U]; + mul64(f21, f21, o22, temp3); + l12 = o22[0U]; + c23 = Lib_IntTypes_Intrinsics_add_carry_u64(c110, l12, h_1, o22); + h_2 = temp3[0U]; + mul64(f21, f312, o32, temp3); + l21 = o32[0U]; + memory[10U] = l21; + memory[11U] = temp3[0U]; + c32 = Lib_IntTypes_Intrinsics_add_carry_u64(c23, l21, h_2, o32); + h_31 = temp3[0U]; + c41 = add4(tempBufferResult1, b2, b2); + c2 = c32 + h_31 + c41; + out[6U] = c2; + b3 = out + (uint32_t)3U; + temp = tb; + tempBufferResult = tb + (uint32_t)1U; + f31 = f[3U]; + o0 = tempBufferResult; + o1 = tempBufferResult + (uint32_t)1U; + o2 = tempBufferResult + (uint32_t)2U; + o3 = tempBufferResult + (uint32_t)3U; + o0[0U] = memory[4U]; + h = memory[5U]; + o1[0U] = memory[8U]; + l = o1[0U]; + c11 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l, h, o1); + h4 = memory[9U]; + o2[0U] = memory[10U]; + l1 = o2[0U]; + c21 = Lib_IntTypes_Intrinsics_add_carry_u64(c11, l1, h4, o2); + h5 = memory[11U]; + mul64(f31, f31, o3, temp); + l2 = o3[0U]; + c33 = Lib_IntTypes_Intrinsics_add_carry_u64(c21, l2, h5, o3); + h_3 = temp[0U]; + c4 = add4(tempBufferResult, b3, b3); + c3 = c33 + h_3 + c4; + out[7U] = c3; +} + 
+static void cmovznz4(uint64_t cin, uint64_t *x, uint64_t *y, uint64_t *r) +{ + uint64_t mask = ~FStar_UInt64_eq_mask(cin, (uint64_t)0U); + uint64_t r0 = (y[0U] & mask) | (x[0U] & ~mask); + uint64_t r1 = (y[1U] & mask) | (x[1U] & ~mask); + uint64_t r2 = (y[2U] & mask) | (x[2U] & ~mask); + uint64_t r3 = (y[3U] & mask) | (x[3U] & ~mask); + r[0U] = r0; + r[1U] = r1; + r[2U] = r2; + r[3U] = r3; +} + +static void shift_256_impl(uint64_t *i, uint64_t *o) +{ + o[0U] = (uint64_t)0U; + o[1U] = (uint64_t)0U; + o[2U] = (uint64_t)0U; + o[3U] = (uint64_t)0U; + o[4U] = i[0U]; + o[5U] = i[1U]; + o[6U] = i[2U]; + o[7U] = i[3U]; +} + +static void shift8(uint64_t *t, uint64_t *out) +{ + uint64_t t1 = t[1U]; + uint64_t t2 = t[2U]; + uint64_t t3 = t[3U]; + uint64_t t4 = t[4U]; + uint64_t t5 = t[5U]; + uint64_t t6 = t[6U]; + uint64_t t7 = t[7U]; + out[0U] = t1; + out[1U] = t2; + out[2U] = t3; + out[3U] = t4; + out[4U] = t5; + out[5U] = t6; + out[6U] = t7; + out[7U] = (uint64_t)0U; +} + +static void uploadZeroImpl(uint64_t *f) +{ + f[0U] = (uint64_t)0U; + f[1U] = (uint64_t)0U; + f[2U] = (uint64_t)0U; + f[3U] = (uint64_t)0U; +} + +static void uploadOneImpl(uint64_t *f) +{ + f[0U] = (uint64_t)1U; + f[1U] = (uint64_t)0U; + f[2U] = (uint64_t)0U; + f[3U] = (uint64_t)0U; +} + +void Hacl_Impl_P256_LowLevel_toUint8(uint64_t *i, uint8_t *o) +{ + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + store64_be(o + i0 * (uint32_t)8U, i[i0]); + } +} + +void Hacl_Impl_P256_LowLevel_changeEndian(uint64_t *i) +{ + uint64_t zero = i[0U]; + uint64_t one = i[1U]; + uint64_t two = i[2U]; + uint64_t three = i[3U]; + i[0U] = three; + i[1U] = two; + i[2U] = one; + i[3U] = zero; +} + +void Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(uint8_t *i, uint64_t *o) +{ + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + uint64_t *os = o; + uint8_t *bj = i + i0 * (uint32_t)8U; + uint64_t u = load64_be(bj); + uint64_t r = u; + uint64_t x = r; + os[i0] = x; + } + } + 
Hacl_Impl_P256_LowLevel_changeEndian(o); +} + +static const +uint64_t +prime256_buffer[4U] = + { + (uint64_t)0xffffffffffffffffU, + (uint64_t)0xffffffffU, + (uint64_t)0U, + (uint64_t)0xffffffff00000001U + }; + +static void reduction_prime_2prime_impl(uint64_t *x, uint64_t *result) +{ + uint64_t tempBuffer[4U] = { 0U }; + uint64_t c = sub4_il(x, prime256_buffer, tempBuffer); + cmovznz4(c, tempBuffer, x, result); +} + +static void p256_add(uint64_t *arg1, uint64_t *arg2, uint64_t *out) +{ + uint64_t t = add4(arg1, arg2, out); + uint64_t tempBuffer[4U] = { 0U }; + uint64_t tempBufferForSubborrow = (uint64_t)0U; + uint64_t c = sub4_il(out, prime256_buffer, tempBuffer); + uint64_t + carry = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t, (uint64_t)0U, &tempBufferForSubborrow); + cmovznz4(carry, tempBuffer, out, out); +} + +static void p256_double(uint64_t *arg1, uint64_t *out) +{ + uint64_t t = add4(arg1, arg1, out); + uint64_t tempBuffer[4U] = { 0U }; + uint64_t tempBufferForSubborrow = (uint64_t)0U; + uint64_t c = sub4_il(out, prime256_buffer, tempBuffer); + uint64_t + carry = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t, (uint64_t)0U, &tempBufferForSubborrow); + cmovznz4(carry, tempBuffer, out, out); +} + +static void p256_sub(uint64_t *arg1, uint64_t *arg2, uint64_t *out) +{ + uint64_t t = sub4(arg1, arg2, out); + uint64_t t0 = (uint64_t)0U - t; + uint64_t t1 = ((uint64_t)0U - t) >> (uint32_t)32U; + uint64_t t2 = (uint64_t)0U; + uint64_t t3 = t - (t << (uint32_t)32U); + uint64_t c = add4_variables(out, (uint64_t)0U, t0, t1, t2, t3, out); +} + +static void montgomery_multiplication_buffer_by_one(uint64_t *a, uint64_t *result) +{ + uint64_t t[8U] = { 0U }; + uint64_t *t_low = t; + uint64_t round2[8U] = { 0U }; + uint64_t round4[8U] = { 0U }; + memcpy(t_low, a, (uint32_t)4U * sizeof (uint64_t)); + { + uint64_t tempRound[8U] = { 0U }; + uint64_t t20[8U] = { 0U }; + uint64_t t30[8U] = { 0U }; + uint64_t t10 = t[0U]; + uint64_t *result040 = t20; + uint64_t temp1 = 
(uint64_t)0U; + uint64_t f10 = prime256_buffer[1U]; + uint64_t f20 = prime256_buffer[2U]; + uint64_t f30 = prime256_buffer[3U]; + uint64_t *o00 = result040; + uint64_t *o10 = result040 + (uint32_t)1U; + uint64_t *o20 = result040 + (uint32_t)2U; + uint64_t *o30 = result040 + (uint32_t)3U; + uint64_t f010 = prime256_buffer[0U]; + uint64_t h0; + uint64_t l0; + uint64_t c10; + uint64_t h1; + uint64_t l1; + uint64_t c20; + uint64_t h2; + uint64_t l2; + uint64_t c30; + uint64_t temp00; + uint64_t c0; + uint64_t uu____0; + mul64(f010, t10, o00, &temp1); + h0 = temp1; + mul64(f10, t10, o10, &temp1); + l0 = o10[0U]; + c10 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l0, h0, o10); + h1 = temp1; + mul64(f20, t10, o20, &temp1); + l1 = o20[0U]; + c20 = Lib_IntTypes_Intrinsics_add_carry_u64(c10, l1, h1, o20); + h2 = temp1; + mul64(f30, t10, o30, &temp1); + l2 = o30[0U]; + c30 = Lib_IntTypes_Intrinsics_add_carry_u64(c20, l2, h2, o30); + temp00 = temp1; + c0 = c30 + temp00; + t20[4U] = c0; + uu____0 = add8(t, t20, t30); + shift8(t30, tempRound); + { + uint64_t t21[8U] = { 0U }; + uint64_t t31[8U] = { 0U }; + uint64_t t11 = tempRound[0U]; + uint64_t *result041 = t21; + uint64_t temp2 = (uint64_t)0U; + uint64_t f11 = prime256_buffer[1U]; + uint64_t f21 = prime256_buffer[2U]; + uint64_t f31 = prime256_buffer[3U]; + uint64_t *o01 = result041; + uint64_t *o11 = result041 + (uint32_t)1U; + uint64_t *o21 = result041 + (uint32_t)2U; + uint64_t *o31 = result041 + (uint32_t)3U; + uint64_t f011 = prime256_buffer[0U]; + uint64_t h3; + uint64_t l3; + uint64_t c11; + uint64_t h4; + uint64_t l4; + uint64_t c21; + uint64_t h5; + uint64_t l5; + uint64_t c31; + uint64_t temp01; + uint64_t c4; + uint64_t uu____1; + mul64(f011, t11, o01, &temp2); + h3 = temp2; + mul64(f11, t11, o11, &temp2); + l3 = o11[0U]; + c11 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l3, h3, o11); + h4 = temp2; + mul64(f21, t11, o21, &temp2); + l4 = o21[0U]; + c21 = Lib_IntTypes_Intrinsics_add_carry_u64(c11, 
l4, h4, o21); + h5 = temp2; + mul64(f31, t11, o31, &temp2); + l5 = o31[0U]; + c31 = Lib_IntTypes_Intrinsics_add_carry_u64(c21, l5, h5, o31); + temp01 = temp2; + c4 = c31 + temp01; + t21[4U] = c4; + uu____1 = add8(tempRound, t21, t31); + shift8(t31, round2); + { + uint64_t tempRound0[8U] = { 0U }; + uint64_t t2[8U] = { 0U }; + uint64_t t32[8U] = { 0U }; + uint64_t t12 = round2[0U]; + uint64_t *result042 = t2; + uint64_t temp3 = (uint64_t)0U; + uint64_t f12 = prime256_buffer[1U]; + uint64_t f22 = prime256_buffer[2U]; + uint64_t f32 = prime256_buffer[3U]; + uint64_t *o02 = result042; + uint64_t *o12 = result042 + (uint32_t)1U; + uint64_t *o22 = result042 + (uint32_t)2U; + uint64_t *o32 = result042 + (uint32_t)3U; + uint64_t f012 = prime256_buffer[0U]; + uint64_t h6; + uint64_t l6; + uint64_t c12; + uint64_t h7; + uint64_t l7; + uint64_t c22; + uint64_t h8; + uint64_t l8; + uint64_t c32; + uint64_t temp02; + uint64_t c5; + uint64_t uu____2; + mul64(f012, t12, o02, &temp3); + h6 = temp3; + mul64(f12, t12, o12, &temp3); + l6 = o12[0U]; + c12 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l6, h6, o12); + h7 = temp3; + mul64(f22, t12, o22, &temp3); + l7 = o22[0U]; + c22 = Lib_IntTypes_Intrinsics_add_carry_u64(c12, l7, h7, o22); + h8 = temp3; + mul64(f32, t12, o32, &temp3); + l8 = o32[0U]; + c32 = Lib_IntTypes_Intrinsics_add_carry_u64(c22, l8, h8, o32); + temp02 = temp3; + c5 = c32 + temp02; + t2[4U] = c5; + uu____2 = add8(round2, t2, t32); + shift8(t32, tempRound0); + { + uint64_t t22[8U] = { 0U }; + uint64_t t3[8U] = { 0U }; + uint64_t t1 = tempRound0[0U]; + uint64_t *result04 = t22; + uint64_t temp = (uint64_t)0U; + uint64_t f1 = prime256_buffer[1U]; + uint64_t f2 = prime256_buffer[2U]; + uint64_t f3 = prime256_buffer[3U]; + uint64_t *o0 = result04; + uint64_t *o1 = result04 + (uint32_t)1U; + uint64_t *o2 = result04 + (uint32_t)2U; + uint64_t *o3 = result04 + (uint32_t)3U; + uint64_t f01 = prime256_buffer[0U]; + uint64_t h9; + uint64_t l9; + uint64_t c1; + 
uint64_t h10; + uint64_t l10; + uint64_t c2; + uint64_t h; + uint64_t l; + uint64_t c3; + uint64_t temp0; + uint64_t c6; + uint64_t uu____3; + mul64(f01, t1, o0, &temp); + h9 = temp; + mul64(f1, t1, o1, &temp); + l9 = o1[0U]; + c1 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l9, h9, o1); + h10 = temp; + mul64(f2, t1, o2, &temp); + l10 = o2[0U]; + c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c1, l10, h10, o2); + h = temp; + mul64(f3, t1, o3, &temp); + l = o3[0U]; + c3 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, l, h, o3); + temp0 = temp; + c6 = c3 + temp0; + t22[4U] = c6; + uu____3 = add8(tempRound0, t22, t3); + shift8(t3, round4); + { + uint64_t tempBuffer[4U] = { 0U }; + uint64_t tempBufferForSubborrow = (uint64_t)0U; + uint64_t cin = round4[4U]; + uint64_t *x_ = round4; + uint64_t c = sub4_il(x_, prime256_buffer, tempBuffer); + uint64_t + carry = + Lib_IntTypes_Intrinsics_sub_borrow_u64(c, + cin, + (uint64_t)0U, + &tempBufferForSubborrow); + cmovznz4(carry, tempBuffer, x_, result); + } + } + } + } + } +} + +static void montgomery_multiplication_buffer(uint64_t *a, uint64_t *b, uint64_t *result) +{ + uint64_t t[8U] = { 0U }; + uint64_t round2[8U] = { 0U }; + uint64_t round4[8U] = { 0U }; + uint64_t f0 = a[0U]; + uint64_t f10 = a[1U]; + uint64_t f20 = a[2U]; + uint64_t f30 = a[3U]; + uint64_t *b0 = t; + uint64_t temp2 = (uint64_t)0U; + uint64_t f110 = b[1U]; + uint64_t f210 = b[2U]; + uint64_t f310 = b[3U]; + uint64_t *o00 = b0; + uint64_t *o10 = b0 + (uint32_t)1U; + uint64_t *o20 = b0 + (uint32_t)2U; + uint64_t *o30 = b0 + (uint32_t)3U; + uint64_t f020 = b[0U]; + uint64_t h0; + uint64_t l0; + uint64_t c10; + uint64_t h1; + uint64_t l1; + uint64_t c20; + uint64_t h2; + uint64_t l2; + uint64_t c30; + uint64_t temp00; + uint64_t c0; + uint64_t *b1; + mul64(f020, f0, o00, &temp2); + h0 = temp2; + mul64(f110, f0, o10, &temp2); + l0 = o10[0U]; + c10 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l0, h0, o10); + h1 = temp2; + mul64(f210, f0, o20, &temp2); + 
l1 = o20[0U]; + c20 = Lib_IntTypes_Intrinsics_add_carry_u64(c10, l1, h1, o20); + h2 = temp2; + mul64(f310, f0, o30, &temp2); + l2 = o30[0U]; + c30 = Lib_IntTypes_Intrinsics_add_carry_u64(c20, l2, h2, o30); + temp00 = temp2; + c0 = c30 + temp00; + t[4U] = c0; + b1 = t + (uint32_t)1U; + { + uint64_t temp3[4U] = { 0U }; + uint64_t temp10 = (uint64_t)0U; + uint64_t f111 = b[1U]; + uint64_t f211 = b[2U]; + uint64_t f311 = b[3U]; + uint64_t *o01 = temp3; + uint64_t *o11 = temp3 + (uint32_t)1U; + uint64_t *o21 = temp3 + (uint32_t)2U; + uint64_t *o31 = temp3 + (uint32_t)3U; + uint64_t f021 = b[0U]; + uint64_t h3; + uint64_t l3; + uint64_t c12; + uint64_t h4; + uint64_t l4; + uint64_t c22; + uint64_t h5; + uint64_t l5; + uint64_t c31; + uint64_t temp01; + uint64_t c4; + uint64_t c32; + uint64_t c13; + uint64_t *b2; + mul64(f021, f10, o01, &temp10); + h3 = temp10; + mul64(f111, f10, o11, &temp10); + l3 = o11[0U]; + c12 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l3, h3, o11); + h4 = temp10; + mul64(f211, f10, o21, &temp10); + l4 = o21[0U]; + c22 = Lib_IntTypes_Intrinsics_add_carry_u64(c12, l4, h4, o21); + h5 = temp10; + mul64(f311, f10, o31, &temp10); + l5 = o31[0U]; + c31 = Lib_IntTypes_Intrinsics_add_carry_u64(c22, l5, h5, o31); + temp01 = temp10; + c4 = c31 + temp01; + c32 = add4(temp3, b1, b1); + c13 = c4 + c32; + t[5U] = c13; + b2 = t + (uint32_t)2U; + { + uint64_t temp4[4U] = { 0U }; + uint64_t temp11 = (uint64_t)0U; + uint64_t f112 = b[1U]; + uint64_t f212 = b[2U]; + uint64_t f312 = b[3U]; + uint64_t *o02 = temp4; + uint64_t *o12 = temp4 + (uint32_t)1U; + uint64_t *o22 = temp4 + (uint32_t)2U; + uint64_t *o32 = temp4 + (uint32_t)3U; + uint64_t f022 = b[0U]; + uint64_t h6; + uint64_t l6; + uint64_t c110; + uint64_t h7; + uint64_t l7; + uint64_t c23; + uint64_t h8; + uint64_t l8; + uint64_t c33; + uint64_t temp02; + uint64_t c5; + uint64_t c34; + uint64_t c24; + uint64_t *b3; + mul64(f022, f20, o02, &temp11); + h6 = temp11; + mul64(f112, f20, o12, &temp11); + 
l6 = o12[0U]; + c110 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l6, h6, o12); + h7 = temp11; + mul64(f212, f20, o22, &temp11); + l7 = o22[0U]; + c23 = Lib_IntTypes_Intrinsics_add_carry_u64(c110, l7, h7, o22); + h8 = temp11; + mul64(f312, f20, o32, &temp11); + l8 = o32[0U]; + c33 = Lib_IntTypes_Intrinsics_add_carry_u64(c23, l8, h8, o32); + temp02 = temp11; + c5 = c33 + temp02; + c34 = add4(temp4, b2, b2); + c24 = c5 + c34; + t[6U] = c24; + b3 = t + (uint32_t)3U; + { + uint64_t temp5[4U] = { 0U }; + uint64_t temp1 = (uint64_t)0U; + uint64_t f11 = b[1U]; + uint64_t f21 = b[2U]; + uint64_t f31 = b[3U]; + uint64_t *o03 = temp5; + uint64_t *o13 = temp5 + (uint32_t)1U; + uint64_t *o23 = temp5 + (uint32_t)2U; + uint64_t *o33 = temp5 + (uint32_t)3U; + uint64_t f02 = b[0U]; + uint64_t h9; + uint64_t l9; + uint64_t c11; + uint64_t h10; + uint64_t l10; + uint64_t c21; + uint64_t h11; + uint64_t l11; + uint64_t c35; + uint64_t temp03; + uint64_t c6; + uint64_t c36; + uint64_t c37; + mul64(f02, f30, o03, &temp1); + h9 = temp1; + mul64(f11, f30, o13, &temp1); + l9 = o13[0U]; + c11 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l9, h9, o13); + h10 = temp1; + mul64(f21, f30, o23, &temp1); + l10 = o23[0U]; + c21 = Lib_IntTypes_Intrinsics_add_carry_u64(c11, l10, h10, o23); + h11 = temp1; + mul64(f31, f30, o33, &temp1); + l11 = o33[0U]; + c35 = Lib_IntTypes_Intrinsics_add_carry_u64(c21, l11, h11, o33); + temp03 = temp1; + c6 = c35 + temp03; + c36 = add4(temp5, b3, b3); + c37 = c6 + c36; + t[7U] = c37; + { + uint64_t tempRound[8U] = { 0U }; + uint64_t t20[8U] = { 0U }; + uint64_t t30[8U] = { 0U }; + uint64_t t10 = t[0U]; + uint64_t *result040 = t20; + uint64_t temp6 = (uint64_t)0U; + uint64_t f12 = prime256_buffer[1U]; + uint64_t f22 = prime256_buffer[2U]; + uint64_t f32 = prime256_buffer[3U]; + uint64_t *o04 = result040; + uint64_t *o14 = result040 + (uint32_t)1U; + uint64_t *o24 = result040 + (uint32_t)2U; + uint64_t *o34 = result040 + (uint32_t)3U; + uint64_t f010 
= prime256_buffer[0U]; + uint64_t h12; + uint64_t l12; + uint64_t c14; + uint64_t h13; + uint64_t l13; + uint64_t c25; + uint64_t h14; + uint64_t l14; + uint64_t c38; + uint64_t temp04; + uint64_t c7; + uint64_t uu____0; + mul64(f010, t10, o04, &temp6); + h12 = temp6; + mul64(f12, t10, o14, &temp6); + l12 = o14[0U]; + c14 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l12, h12, o14); + h13 = temp6; + mul64(f22, t10, o24, &temp6); + l13 = o24[0U]; + c25 = Lib_IntTypes_Intrinsics_add_carry_u64(c14, l13, h13, o24); + h14 = temp6; + mul64(f32, t10, o34, &temp6); + l14 = o34[0U]; + c38 = Lib_IntTypes_Intrinsics_add_carry_u64(c25, l14, h14, o34); + temp04 = temp6; + c7 = c38 + temp04; + t20[4U] = c7; + uu____0 = add8(t, t20, t30); + shift8(t30, tempRound); + { + uint64_t t21[8U] = { 0U }; + uint64_t t31[8U] = { 0U }; + uint64_t t11 = tempRound[0U]; + uint64_t *result041 = t21; + uint64_t temp7 = (uint64_t)0U; + uint64_t f13 = prime256_buffer[1U]; + uint64_t f23 = prime256_buffer[2U]; + uint64_t f33 = prime256_buffer[3U]; + uint64_t *o05 = result041; + uint64_t *o15 = result041 + (uint32_t)1U; + uint64_t *o25 = result041 + (uint32_t)2U; + uint64_t *o35 = result041 + (uint32_t)3U; + uint64_t f011 = prime256_buffer[0U]; + uint64_t h15; + uint64_t l15; + uint64_t c15; + uint64_t h16; + uint64_t l16; + uint64_t c26; + uint64_t h17; + uint64_t l17; + uint64_t c39; + uint64_t temp05; + uint64_t c8; + uint64_t uu____1; + mul64(f011, t11, o05, &temp7); + h15 = temp7; + mul64(f13, t11, o15, &temp7); + l15 = o15[0U]; + c15 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l15, h15, o15); + h16 = temp7; + mul64(f23, t11, o25, &temp7); + l16 = o25[0U]; + c26 = Lib_IntTypes_Intrinsics_add_carry_u64(c15, l16, h16, o25); + h17 = temp7; + mul64(f33, t11, o35, &temp7); + l17 = o35[0U]; + c39 = Lib_IntTypes_Intrinsics_add_carry_u64(c26, l17, h17, o35); + temp05 = temp7; + c8 = c39 + temp05; + t21[4U] = c8; + uu____1 = add8(tempRound, t21, t31); + shift8(t31, round2); + { + 
uint64_t tempRound0[8U] = { 0U }; + uint64_t t2[8U] = { 0U }; + uint64_t t32[8U] = { 0U }; + uint64_t t12 = round2[0U]; + uint64_t *result042 = t2; + uint64_t temp8 = (uint64_t)0U; + uint64_t f14 = prime256_buffer[1U]; + uint64_t f24 = prime256_buffer[2U]; + uint64_t f34 = prime256_buffer[3U]; + uint64_t *o06 = result042; + uint64_t *o16 = result042 + (uint32_t)1U; + uint64_t *o26 = result042 + (uint32_t)2U; + uint64_t *o36 = result042 + (uint32_t)3U; + uint64_t f012 = prime256_buffer[0U]; + uint64_t h18; + uint64_t l18; + uint64_t c16; + uint64_t h19; + uint64_t l19; + uint64_t c27; + uint64_t h20; + uint64_t l20; + uint64_t c310; + uint64_t temp06; + uint64_t c9; + uint64_t uu____2; + mul64(f012, t12, o06, &temp8); + h18 = temp8; + mul64(f14, t12, o16, &temp8); + l18 = o16[0U]; + c16 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l18, h18, o16); + h19 = temp8; + mul64(f24, t12, o26, &temp8); + l19 = o26[0U]; + c27 = Lib_IntTypes_Intrinsics_add_carry_u64(c16, l19, h19, o26); + h20 = temp8; + mul64(f34, t12, o36, &temp8); + l20 = o36[0U]; + c310 = Lib_IntTypes_Intrinsics_add_carry_u64(c27, l20, h20, o36); + temp06 = temp8; + c9 = c310 + temp06; + t2[4U] = c9; + uu____2 = add8(round2, t2, t32); + shift8(t32, tempRound0); + { + uint64_t t22[8U] = { 0U }; + uint64_t t3[8U] = { 0U }; + uint64_t t1 = tempRound0[0U]; + uint64_t *result04 = t22; + uint64_t temp = (uint64_t)0U; + uint64_t f1 = prime256_buffer[1U]; + uint64_t f2 = prime256_buffer[2U]; + uint64_t f3 = prime256_buffer[3U]; + uint64_t *o0 = result04; + uint64_t *o1 = result04 + (uint32_t)1U; + uint64_t *o2 = result04 + (uint32_t)2U; + uint64_t *o3 = result04 + (uint32_t)3U; + uint64_t f01 = prime256_buffer[0U]; + uint64_t h21; + uint64_t l21; + uint64_t c1; + uint64_t h22; + uint64_t l22; + uint64_t c2; + uint64_t h; + uint64_t l; + uint64_t c3; + uint64_t temp0; + uint64_t c17; + uint64_t uu____3; + mul64(f01, t1, o0, &temp); + h21 = temp; + mul64(f1, t1, o1, &temp); + l21 = o1[0U]; + c1 = 
Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l21, h21, o1); + h22 = temp; + mul64(f2, t1, o2, &temp); + l22 = o2[0U]; + c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c1, l22, h22, o2); + h = temp; + mul64(f3, t1, o3, &temp); + l = o3[0U]; + c3 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, l, h, o3); + temp0 = temp; + c17 = c3 + temp0; + t22[4U] = c17; + uu____3 = add8(tempRound0, t22, t3); + shift8(t3, round4); + { + uint64_t tempBuffer[4U] = { 0U }; + uint64_t tempBufferForSubborrow = (uint64_t)0U; + uint64_t cin = round4[4U]; + uint64_t *x_ = round4; + uint64_t c = sub4_il(x_, prime256_buffer, tempBuffer); + uint64_t + carry = + Lib_IntTypes_Intrinsics_sub_borrow_u64(c, + cin, + (uint64_t)0U, + &tempBufferForSubborrow); + cmovznz4(carry, tempBuffer, x_, result); + } + } + } + } + } + } + } + } +} + +static void montgomery_square_buffer(uint64_t *a, uint64_t *result) +{ + uint64_t t[8U] = { 0U }; + uint64_t round2[8U] = { 0U }; + uint64_t round4[8U] = { 0U }; + sq(a, t); + { + uint64_t tempRound[8U] = { 0U }; + uint64_t t20[8U] = { 0U }; + uint64_t t30[8U] = { 0U }; + uint64_t t10 = t[0U]; + uint64_t *result040 = t20; + uint64_t temp1 = (uint64_t)0U; + uint64_t f10 = prime256_buffer[1U]; + uint64_t f20 = prime256_buffer[2U]; + uint64_t f30 = prime256_buffer[3U]; + uint64_t *o00 = result040; + uint64_t *o10 = result040 + (uint32_t)1U; + uint64_t *o20 = result040 + (uint32_t)2U; + uint64_t *o30 = result040 + (uint32_t)3U; + uint64_t f010 = prime256_buffer[0U]; + uint64_t h0; + uint64_t l0; + uint64_t c10; + uint64_t h1; + uint64_t l1; + uint64_t c20; + uint64_t h2; + uint64_t l2; + uint64_t c30; + uint64_t temp00; + uint64_t c0; + uint64_t uu____0; + mul64(f010, t10, o00, &temp1); + h0 = temp1; + mul64(f10, t10, o10, &temp1); + l0 = o10[0U]; + c10 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l0, h0, o10); + h1 = temp1; + mul64(f20, t10, o20, &temp1); + l1 = o20[0U]; + c20 = Lib_IntTypes_Intrinsics_add_carry_u64(c10, l1, h1, o20); + h2 = temp1; + 
mul64(f30, t10, o30, &temp1); + l2 = o30[0U]; + c30 = Lib_IntTypes_Intrinsics_add_carry_u64(c20, l2, h2, o30); + temp00 = temp1; + c0 = c30 + temp00; + t20[4U] = c0; + uu____0 = add8(t, t20, t30); + shift8(t30, tempRound); + { + uint64_t t21[8U] = { 0U }; + uint64_t t31[8U] = { 0U }; + uint64_t t11 = tempRound[0U]; + uint64_t *result041 = t21; + uint64_t temp2 = (uint64_t)0U; + uint64_t f11 = prime256_buffer[1U]; + uint64_t f21 = prime256_buffer[2U]; + uint64_t f31 = prime256_buffer[3U]; + uint64_t *o01 = result041; + uint64_t *o11 = result041 + (uint32_t)1U; + uint64_t *o21 = result041 + (uint32_t)2U; + uint64_t *o31 = result041 + (uint32_t)3U; + uint64_t f011 = prime256_buffer[0U]; + uint64_t h3; + uint64_t l3; + uint64_t c11; + uint64_t h4; + uint64_t l4; + uint64_t c21; + uint64_t h5; + uint64_t l5; + uint64_t c31; + uint64_t temp01; + uint64_t c4; + uint64_t uu____1; + mul64(f011, t11, o01, &temp2); + h3 = temp2; + mul64(f11, t11, o11, &temp2); + l3 = o11[0U]; + c11 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l3, h3, o11); + h4 = temp2; + mul64(f21, t11, o21, &temp2); + l4 = o21[0U]; + c21 = Lib_IntTypes_Intrinsics_add_carry_u64(c11, l4, h4, o21); + h5 = temp2; + mul64(f31, t11, o31, &temp2); + l5 = o31[0U]; + c31 = Lib_IntTypes_Intrinsics_add_carry_u64(c21, l5, h5, o31); + temp01 = temp2; + c4 = c31 + temp01; + t21[4U] = c4; + uu____1 = add8(tempRound, t21, t31); + shift8(t31, round2); + { + uint64_t tempRound0[8U] = { 0U }; + uint64_t t2[8U] = { 0U }; + uint64_t t32[8U] = { 0U }; + uint64_t t12 = round2[0U]; + uint64_t *result042 = t2; + uint64_t temp3 = (uint64_t)0U; + uint64_t f12 = prime256_buffer[1U]; + uint64_t f22 = prime256_buffer[2U]; + uint64_t f32 = prime256_buffer[3U]; + uint64_t *o02 = result042; + uint64_t *o12 = result042 + (uint32_t)1U; + uint64_t *o22 = result042 + (uint32_t)2U; + uint64_t *o32 = result042 + (uint32_t)3U; + uint64_t f012 = prime256_buffer[0U]; + uint64_t h6; + uint64_t l6; + uint64_t c12; + uint64_t h7; + uint64_t 
l7; + uint64_t c22; + uint64_t h8; + uint64_t l8; + uint64_t c32; + uint64_t temp02; + uint64_t c5; + uint64_t uu____2; + mul64(f012, t12, o02, &temp3); + h6 = temp3; + mul64(f12, t12, o12, &temp3); + l6 = o12[0U]; + c12 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l6, h6, o12); + h7 = temp3; + mul64(f22, t12, o22, &temp3); + l7 = o22[0U]; + c22 = Lib_IntTypes_Intrinsics_add_carry_u64(c12, l7, h7, o22); + h8 = temp3; + mul64(f32, t12, o32, &temp3); + l8 = o32[0U]; + c32 = Lib_IntTypes_Intrinsics_add_carry_u64(c22, l8, h8, o32); + temp02 = temp3; + c5 = c32 + temp02; + t2[4U] = c5; + uu____2 = add8(round2, t2, t32); + shift8(t32, tempRound0); + { + uint64_t t22[8U] = { 0U }; + uint64_t t3[8U] = { 0U }; + uint64_t t1 = tempRound0[0U]; + uint64_t *result04 = t22; + uint64_t temp = (uint64_t)0U; + uint64_t f1 = prime256_buffer[1U]; + uint64_t f2 = prime256_buffer[2U]; + uint64_t f3 = prime256_buffer[3U]; + uint64_t *o0 = result04; + uint64_t *o1 = result04 + (uint32_t)1U; + uint64_t *o2 = result04 + (uint32_t)2U; + uint64_t *o3 = result04 + (uint32_t)3U; + uint64_t f01 = prime256_buffer[0U]; + uint64_t h9; + uint64_t l9; + uint64_t c1; + uint64_t h10; + uint64_t l10; + uint64_t c2; + uint64_t h; + uint64_t l; + uint64_t c3; + uint64_t temp0; + uint64_t c6; + uint64_t uu____3; + mul64(f01, t1, o0, &temp); + h9 = temp; + mul64(f1, t1, o1, &temp); + l9 = o1[0U]; + c1 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l9, h9, o1); + h10 = temp; + mul64(f2, t1, o2, &temp); + l10 = o2[0U]; + c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c1, l10, h10, o2); + h = temp; + mul64(f3, t1, o3, &temp); + l = o3[0U]; + c3 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, l, h, o3); + temp0 = temp; + c6 = c3 + temp0; + t22[4U] = c6; + uu____3 = add8(tempRound0, t22, t3); + shift8(t3, round4); + { + uint64_t tempBuffer[4U] = { 0U }; + uint64_t tempBufferForSubborrow = (uint64_t)0U; + uint64_t cin = round4[4U]; + uint64_t *x_ = round4; + uint64_t c = sub4_il(x_, prime256_buffer, 
tempBuffer); + uint64_t + carry = + Lib_IntTypes_Intrinsics_sub_borrow_u64(c, + cin, + (uint64_t)0U, + &tempBufferForSubborrow); + cmovznz4(carry, tempBuffer, x_, result); + } + } + } + } + } +} + +static void fsquarePowN(uint32_t n, uint64_t *a) +{ + uint32_t i; + for (i = (uint32_t)0U; i < n; i++) + { + montgomery_square_buffer(a, a); + } +} + +static void fsquarePowNminusOne(uint32_t n, uint64_t *a, uint64_t *b) +{ + uint32_t i; + b[0U] = (uint64_t)1U; + b[1U] = (uint64_t)18446744069414584320U; + b[2U] = (uint64_t)18446744073709551615U; + b[3U] = (uint64_t)4294967294U; + for (i = (uint32_t)0U; i < n; i++) + { + montgomery_multiplication_buffer(b, a, b); + montgomery_square_buffer(a, a); + } +} + +static void exponent(uint64_t *a, uint64_t *result, uint64_t *tempBuffer) +{ + uint64_t *buffer_norm_1 = tempBuffer; + uint64_t *buffer_result1 = tempBuffer + (uint32_t)4U; + uint64_t *buffer_result2 = tempBuffer + (uint32_t)8U; + uint64_t *buffer_norm_3 = tempBuffer + (uint32_t)12U; + uint64_t *buffer_result3 = tempBuffer + (uint32_t)16U; + uint64_t *buffer_a0; + uint64_t *buffer_b0; + uint64_t *buffer_a; + uint64_t *buffer_b; + memcpy(buffer_norm_1, a, (uint32_t)4U * sizeof (uint64_t)); + buffer_a0 = buffer_norm_1; + buffer_b0 = buffer_norm_1 + (uint32_t)4U; + fsquarePowNminusOne((uint32_t)32U, buffer_a0, buffer_b0); + fsquarePowN((uint32_t)224U, buffer_b0); + memcpy(buffer_result2, a, (uint32_t)4U * sizeof (uint64_t)); + fsquarePowN((uint32_t)192U, buffer_result2); + memcpy(buffer_norm_3, a, (uint32_t)4U * sizeof (uint64_t)); + buffer_a = buffer_norm_3; + buffer_b = buffer_norm_3 + (uint32_t)4U; + fsquarePowNminusOne((uint32_t)94U, buffer_a, buffer_b); + fsquarePowN((uint32_t)2U, buffer_b); + montgomery_multiplication_buffer(buffer_result1, buffer_result2, buffer_result1); + montgomery_multiplication_buffer(buffer_result1, buffer_result3, buffer_result1); + montgomery_multiplication_buffer(buffer_result1, a, buffer_result1); + memcpy(result, buffer_result1, 
(uint32_t)4U * sizeof (uint64_t)); +} + +static void cube(uint64_t *a, uint64_t *result) +{ + montgomery_square_buffer(a, result); + montgomery_multiplication_buffer(result, a, result); +} + +static void multByTwo(uint64_t *a, uint64_t *out) +{ + p256_add(a, a, out); +} + +static void multByThree(uint64_t *a, uint64_t *result) +{ + multByTwo(a, result); + p256_add(a, result, result); +} + +static void multByFour(uint64_t *a, uint64_t *result) +{ + multByTwo(a, result); + multByTwo(result, result); +} + +static void multByEight(uint64_t *a, uint64_t *result) +{ + multByTwo(a, result); + multByTwo(result, result); + multByTwo(result, result); +} + +static uint64_t store_high_low_u(uint32_t high, uint32_t low) +{ + uint64_t as_uint64_high = (uint64_t)high; + uint64_t as_uint64_high1 = as_uint64_high << (uint32_t)32U; + uint64_t as_uint64_low = (uint64_t)low; + return as_uint64_low ^ as_uint64_high1; +} + +static void solinas_reduction_impl(uint64_t *i, uint64_t *o) +{ + uint64_t tempBuffer[36U] = { 0U }; + uint64_t i0 = i[0U]; + uint64_t i1 = i[1U]; + uint64_t i2 = i[2U]; + uint64_t i3 = i[3U]; + uint64_t i4 = i[4U]; + uint64_t i5 = i[5U]; + uint64_t i6 = i[6U]; + uint64_t i7 = i[7U]; + uint32_t c0 = (uint32_t)i0; + uint32_t c1 = (uint32_t)(i0 >> (uint32_t)32U); + uint32_t c2 = (uint32_t)i1; + uint32_t c3 = (uint32_t)(i1 >> (uint32_t)32U); + uint32_t c4 = (uint32_t)i2; + uint32_t c5 = (uint32_t)(i2 >> (uint32_t)32U); + uint32_t c6 = (uint32_t)i3; + uint32_t c7 = (uint32_t)(i3 >> (uint32_t)32U); + uint32_t c8 = (uint32_t)i4; + uint32_t c9 = (uint32_t)(i4 >> (uint32_t)32U); + uint32_t c10 = (uint32_t)i5; + uint32_t c11 = (uint32_t)(i5 >> (uint32_t)32U); + uint32_t c12 = (uint32_t)i6; + uint32_t c13 = (uint32_t)(i6 >> (uint32_t)32U); + uint32_t c14 = (uint32_t)i7; + uint32_t c15 = (uint32_t)(i7 >> (uint32_t)32U); + uint64_t *t010 = tempBuffer; + uint64_t *t110 = tempBuffer + (uint32_t)4U; + uint64_t *t210 = tempBuffer + (uint32_t)8U; + uint64_t *t310 = tempBuffer + 
(uint32_t)12U; + uint64_t *t410 = tempBuffer + (uint32_t)16U; + uint64_t *t510 = tempBuffer + (uint32_t)20U; + uint64_t *t610 = tempBuffer + (uint32_t)24U; + uint64_t *t710 = tempBuffer + (uint32_t)28U; + uint64_t *t810 = tempBuffer + (uint32_t)32U; + uint64_t b00 = store_high_low_u(c1, c0); + uint64_t b10 = store_high_low_u(c3, c2); + uint64_t b20 = store_high_low_u(c5, c4); + uint64_t b30 = store_high_low_u(c7, c6); + uint64_t b01; + uint64_t b11; + uint64_t b21; + uint64_t b31; + uint64_t b02; + uint64_t b12; + uint64_t b22; + uint64_t b32; + uint64_t b03; + uint64_t b13; + uint64_t b23; + uint64_t b33; + uint64_t b04; + uint64_t b14; + uint64_t b24; + uint64_t b34; + uint64_t b05; + uint64_t b15; + uint64_t b25; + uint64_t b35; + uint64_t b06; + uint64_t b16; + uint64_t b26; + uint64_t b36; + uint64_t b07; + uint64_t b17; + uint64_t b27; + uint64_t b37; + uint64_t b0; + uint64_t b1; + uint64_t b2; + uint64_t b3; + uint64_t *t01; + uint64_t *t11; + uint64_t *t21; + uint64_t *t31; + uint64_t *t41; + uint64_t *t51; + uint64_t *t61; + uint64_t *t71; + uint64_t *t81; + t010[0U] = b00; + t010[1U] = b10; + t010[2U] = b20; + t010[3U] = b30; + reduction_prime_2prime_impl(t010, t010); + b01 = (uint64_t)0U; + b11 = store_high_low_u(c11, (uint32_t)0U); + b21 = store_high_low_u(c13, c12); + b31 = store_high_low_u(c15, c14); + t110[0U] = b01; + t110[1U] = b11; + t110[2U] = b21; + t110[3U] = b31; + reduction_prime_2prime_impl(t110, t110); + b02 = (uint64_t)0U; + b12 = store_high_low_u(c12, (uint32_t)0U); + b22 = store_high_low_u(c14, c13); + b32 = store_high_low_u((uint32_t)0U, c15); + t210[0U] = b02; + t210[1U] = b12; + t210[2U] = b22; + t210[3U] = b32; + b03 = store_high_low_u(c9, c8); + b13 = store_high_low_u((uint32_t)0U, c10); + b23 = (uint64_t)0U; + b33 = store_high_low_u(c15, c14); + t310[0U] = b03; + t310[1U] = b13; + t310[2U] = b23; + t310[3U] = b33; + reduction_prime_2prime_impl(t310, t310); + b04 = store_high_low_u(c10, c9); + b14 = store_high_low_u(c13, c11); + 
b24 = store_high_low_u(c15, c14); + b34 = store_high_low_u(c8, c13); + t410[0U] = b04; + t410[1U] = b14; + t410[2U] = b24; + t410[3U] = b34; + reduction_prime_2prime_impl(t410, t410); + b05 = store_high_low_u(c12, c11); + b15 = store_high_low_u((uint32_t)0U, c13); + b25 = (uint64_t)0U; + b35 = store_high_low_u(c10, c8); + t510[0U] = b05; + t510[1U] = b15; + t510[2U] = b25; + t510[3U] = b35; + reduction_prime_2prime_impl(t510, t510); + b06 = store_high_low_u(c13, c12); + b16 = store_high_low_u(c15, c14); + b26 = (uint64_t)0U; + b36 = store_high_low_u(c11, c9); + t610[0U] = b06; + t610[1U] = b16; + t610[2U] = b26; + t610[3U] = b36; + reduction_prime_2prime_impl(t610, t610); + b07 = store_high_low_u(c14, c13); + b17 = store_high_low_u(c8, c15); + b27 = store_high_low_u(c10, c9); + b37 = store_high_low_u(c12, (uint32_t)0U); + t710[0U] = b07; + t710[1U] = b17; + t710[2U] = b27; + t710[3U] = b37; + reduction_prime_2prime_impl(t710, t710); + b0 = store_high_low_u(c15, c14); + b1 = store_high_low_u(c9, (uint32_t)0U); + b2 = store_high_low_u(c11, c10); + b3 = store_high_low_u(c13, (uint32_t)0U); + t810[0U] = b0; + t810[1U] = b1; + t810[2U] = b2; + t810[3U] = b3; + reduction_prime_2prime_impl(t810, t810); + t01 = tempBuffer; + t11 = tempBuffer + (uint32_t)4U; + t21 = tempBuffer + (uint32_t)8U; + t31 = tempBuffer + (uint32_t)12U; + t41 = tempBuffer + (uint32_t)16U; + t51 = tempBuffer + (uint32_t)20U; + t61 = tempBuffer + (uint32_t)24U; + t71 = tempBuffer + (uint32_t)28U; + t81 = tempBuffer + (uint32_t)32U; + p256_double(t21, t21); + p256_double(t11, t11); + p256_add(t01, t11, o); + p256_add(t21, o, o); + p256_add(t31, o, o); + p256_add(t41, o, o); + p256_sub(o, t51, o); + p256_sub(o, t61, o); + p256_sub(o, t71, o); + p256_sub(o, t81, o); +} + +static void +point_double_a_b_g( + uint64_t *p, + uint64_t *alpha, + uint64_t *beta, + uint64_t *gamma, + uint64_t *delta, + uint64_t *tempBuffer +) +{ + uint64_t *pX = p; + uint64_t *pY = p + (uint32_t)4U; + uint64_t *pZ = p + 
(uint32_t)8U; + uint64_t *a0 = tempBuffer; + uint64_t *a1 = tempBuffer + (uint32_t)4U; + uint64_t *alpha0 = tempBuffer + (uint32_t)8U; + montgomery_square_buffer(pZ, delta); + montgomery_square_buffer(pY, gamma); + montgomery_multiplication_buffer(pX, gamma, beta); + p256_sub(pX, delta, a0); + p256_add(pX, delta, a1); + montgomery_multiplication_buffer(a0, a1, alpha0); + multByThree(alpha0, alpha); +} + +static void +point_double_x3( + uint64_t *x3, + uint64_t *alpha, + uint64_t *fourBeta, + uint64_t *beta, + uint64_t *eightBeta +) +{ + montgomery_square_buffer(alpha, x3); + multByFour(beta, fourBeta); + multByTwo(fourBeta, eightBeta); + p256_sub(x3, eightBeta, x3); +} + +static void +point_double_z3(uint64_t *z3, uint64_t *pY, uint64_t *pZ, uint64_t *gamma, uint64_t *delta) +{ + p256_add(pY, pZ, z3); + montgomery_square_buffer(z3, z3); + p256_sub(z3, gamma, z3); + p256_sub(z3, delta, z3); +} + +static void +point_double_y3( + uint64_t *y3, + uint64_t *x3, + uint64_t *alpha, + uint64_t *gamma, + uint64_t *eightGamma, + uint64_t *fourBeta +) +{ + p256_sub(fourBeta, x3, y3); + montgomery_multiplication_buffer(alpha, y3, y3); + montgomery_square_buffer(gamma, gamma); + multByEight(gamma, eightGamma); + p256_sub(y3, eightGamma, y3); +} + +static void point_double(uint64_t *p, uint64_t *result, uint64_t *tempBuffer) +{ + uint64_t *pY = p + (uint32_t)4U; + uint64_t *pZ = p + (uint32_t)8U; + uint64_t *x3 = result; + uint64_t *y3 = result + (uint32_t)4U; + uint64_t *z3 = result + (uint32_t)8U; + uint64_t *delta = tempBuffer; + uint64_t *gamma = tempBuffer + (uint32_t)4U; + uint64_t *beta = tempBuffer + (uint32_t)8U; + uint64_t *alpha = tempBuffer + (uint32_t)16U; + uint64_t *fourBeta = tempBuffer + (uint32_t)20U; + uint64_t *eightBeta = tempBuffer + (uint32_t)24U; + uint64_t *eightGamma = tempBuffer + (uint32_t)28U; + uint64_t *tmp = tempBuffer + (uint32_t)32U; + point_double_a_b_g(p, alpha, beta, gamma, delta, tmp); + point_double_x3(x3, alpha, fourBeta, beta, eightBeta); 
+ point_double_z3(z3, pY, pZ, gamma, delta); + point_double_y3(y3, x3, alpha, gamma, eightGamma, fourBeta); +} + +static void +copy_point_conditional( + uint64_t *x3_out, + uint64_t *y3_out, + uint64_t *z3_out, + uint64_t *p, + uint64_t *maskPoint +) +{ + uint64_t *z = maskPoint + (uint32_t)8U; + uint64_t mask = isZero_uint64_CT(z); + uint64_t *p_x = p; + uint64_t *p_y = p + (uint32_t)4U; + uint64_t *p_z = p + (uint32_t)8U; + copy_conditional(x3_out, p_x, mask); + copy_conditional(y3_out, p_y, mask); + copy_conditional(z3_out, p_z, mask); +} + +static void point_add(uint64_t *p, uint64_t *q, uint64_t *result, uint64_t *tempBuffer) +{ + uint64_t *tempBuffer16 = tempBuffer; + uint64_t *u1 = tempBuffer + (uint32_t)16U; + uint64_t *u2 = tempBuffer + (uint32_t)20U; + uint64_t *s1 = tempBuffer + (uint32_t)24U; + uint64_t *s2 = tempBuffer + (uint32_t)28U; + uint64_t *h = tempBuffer + (uint32_t)32U; + uint64_t *r = tempBuffer + (uint32_t)36U; + uint64_t *uh = tempBuffer + (uint32_t)40U; + uint64_t *hCube = tempBuffer + (uint32_t)44U; + uint64_t *tempBuffer28 = tempBuffer + (uint32_t)60U; + uint64_t *pX = p; + uint64_t *pY = p + (uint32_t)4U; + uint64_t *pZ0 = p + (uint32_t)8U; + uint64_t *qX = q; + uint64_t *qY = q + (uint32_t)4U; + uint64_t *qZ0 = q + (uint32_t)8U; + uint64_t *z2Square = tempBuffer16; + uint64_t *z1Square = tempBuffer16 + (uint32_t)4U; + uint64_t *z2Cube = tempBuffer16 + (uint32_t)8U; + uint64_t *z1Cube = tempBuffer16 + (uint32_t)12U; + uint64_t *temp; + uint64_t *pZ; + uint64_t *qZ; + uint64_t *tempBuffer161; + uint64_t *x3_out1; + uint64_t *y3_out1; + uint64_t *z3_out1; + uint64_t *rSquare; + uint64_t *rH; + uint64_t *twoUh; + uint64_t *s1hCube; + uint64_t *u1hx3; + uint64_t *ru1hx3; + uint64_t *z1z2; + montgomery_square_buffer(qZ0, z2Square); + montgomery_square_buffer(pZ0, z1Square); + montgomery_multiplication_buffer(z2Square, qZ0, z2Cube); + montgomery_multiplication_buffer(z1Square, pZ0, z1Cube); + montgomery_multiplication_buffer(z2Square, pX, 
u1); + montgomery_multiplication_buffer(z1Square, qX, u2); + montgomery_multiplication_buffer(z2Cube, pY, s1); + montgomery_multiplication_buffer(z1Cube, qY, s2); + temp = tempBuffer16; + p256_sub(u2, u1, h); + p256_sub(s2, s1, r); + montgomery_square_buffer(h, temp); + montgomery_multiplication_buffer(temp, u1, uh); + montgomery_multiplication_buffer(temp, h, hCube); + pZ = p + (uint32_t)8U; + qZ = q + (uint32_t)8U; + tempBuffer161 = tempBuffer28; + x3_out1 = tempBuffer28 + (uint32_t)16U; + y3_out1 = tempBuffer28 + (uint32_t)20U; + z3_out1 = tempBuffer28 + (uint32_t)24U; + rSquare = tempBuffer161; + rH = tempBuffer161 + (uint32_t)4U; + twoUh = tempBuffer161 + (uint32_t)8U; + montgomery_square_buffer(r, rSquare); + p256_sub(rSquare, hCube, rH); + multByTwo(uh, twoUh); + p256_sub(rH, twoUh, x3_out1); + s1hCube = tempBuffer161; + u1hx3 = tempBuffer161 + (uint32_t)4U; + ru1hx3 = tempBuffer161 + (uint32_t)8U; + montgomery_multiplication_buffer(s1, hCube, s1hCube); + p256_sub(uh, x3_out1, u1hx3); + montgomery_multiplication_buffer(u1hx3, r, ru1hx3); + p256_sub(ru1hx3, s1hCube, y3_out1); + z1z2 = tempBuffer161; + montgomery_multiplication_buffer(pZ, qZ, z1z2); + montgomery_multiplication_buffer(z1z2, h, z3_out1); + copy_point_conditional(x3_out1, y3_out1, z3_out1, q, p); + copy_point_conditional(x3_out1, y3_out1, z3_out1, p, q); + memcpy(result, x3_out1, (uint32_t)4U * sizeof (uint64_t)); + memcpy(result + (uint32_t)4U, y3_out1, (uint32_t)4U * sizeof (uint64_t)); + memcpy(result + (uint32_t)8U, z3_out1, (uint32_t)4U * sizeof (uint64_t)); +} + +static void pointToDomain(uint64_t *p, uint64_t *result) +{ + uint64_t *p_x = p; + uint64_t *p_y = p + (uint32_t)4U; + uint64_t *p_z = p + (uint32_t)8U; + uint64_t *r_x = result; + uint64_t *r_y = result + (uint32_t)4U; + uint64_t *r_z = result + (uint32_t)8U; + uint64_t multBuffer[8U] = { 0U }; + shift_256_impl(p_x, multBuffer); + solinas_reduction_impl(multBuffer, r_x); + { + uint64_t multBuffer0[8U] = { 0U }; + 
shift_256_impl(p_y, multBuffer0); + solinas_reduction_impl(multBuffer0, r_y); + { + uint64_t multBuffer1[8U] = { 0U }; + shift_256_impl(p_z, multBuffer1); + solinas_reduction_impl(multBuffer1, r_z); + } + } +} + +static void copy_point(uint64_t *p, uint64_t *result) +{ + memcpy(result, p, (uint32_t)12U * sizeof (uint64_t)); +} + +uint64_t Hacl_Impl_P256_Core_isPointAtInfinityPrivate(uint64_t *p) +{ + uint64_t z0 = p[8U]; + uint64_t z1 = p[9U]; + uint64_t z2 = p[10U]; + uint64_t z3 = p[11U]; + uint64_t z0_zero = FStar_UInt64_eq_mask(z0, (uint64_t)0U); + uint64_t z1_zero = FStar_UInt64_eq_mask(z1, (uint64_t)0U); + uint64_t z2_zero = FStar_UInt64_eq_mask(z2, (uint64_t)0U); + uint64_t z3_zero = FStar_UInt64_eq_mask(z3, (uint64_t)0U); + return (z0_zero & z1_zero) & (z2_zero & z3_zero); +} + +static inline void cswap(uint64_t bit, uint64_t *p1, uint64_t *p2) +{ + uint64_t mask = (uint64_t)0U - bit; + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)12U; i++) + { + uint64_t dummy = mask & (p1[i] ^ p2[i]); + p1[i] = p1[i] ^ dummy; + p2[i] = p2[i] ^ dummy; + } +} + +static void norm(uint64_t *p, uint64_t *resultPoint, uint64_t *tempBuffer) +{ + uint64_t *xf = p; + uint64_t *yf = p + (uint32_t)4U; + uint64_t *zf = p + (uint32_t)8U; + uint64_t *z2f = tempBuffer + (uint32_t)4U; + uint64_t *z3f = tempBuffer + (uint32_t)8U; + uint64_t *tempBuffer20 = tempBuffer + (uint32_t)12U; + montgomery_square_buffer(zf, z2f); + montgomery_multiplication_buffer(z2f, zf, z3f); + exponent(z2f, z2f, tempBuffer20); + exponent(z3f, z3f, tempBuffer20); + montgomery_multiplication_buffer(xf, z2f, z2f); + montgomery_multiplication_buffer(yf, z3f, z3f); + { + uint64_t zeroBuffer[4U] = { 0U }; + uint64_t *resultX = resultPoint; + uint64_t *resultY = resultPoint + (uint32_t)4U; + uint64_t *resultZ = resultPoint + (uint32_t)8U; + uint64_t bit = Hacl_Impl_P256_Core_isPointAtInfinityPrivate(p); + montgomery_multiplication_buffer_by_one(z2f, resultX); + montgomery_multiplication_buffer_by_one(z3f, 
resultY); + uploadOneImpl(resultZ); + copy_conditional(resultZ, zeroBuffer, bit); + } +} + +static void normX(uint64_t *p, uint64_t *result, uint64_t *tempBuffer) +{ + uint64_t *xf = p; + uint64_t *zf = p + (uint32_t)8U; + uint64_t *z2f = tempBuffer + (uint32_t)4U; + uint64_t *tempBuffer20 = tempBuffer + (uint32_t)12U; + montgomery_square_buffer(zf, z2f); + exponent(z2f, z2f, tempBuffer20); + montgomery_multiplication_buffer(z2f, xf, z2f); + montgomery_multiplication_buffer_by_one(z2f, result); +} + +static void zero_buffer(uint64_t *p) +{ + p[0U] = (uint64_t)0U; + p[1U] = (uint64_t)0U; + p[2U] = (uint64_t)0U; + p[3U] = (uint64_t)0U; + p[4U] = (uint64_t)0U; + p[5U] = (uint64_t)0U; + p[6U] = (uint64_t)0U; + p[7U] = (uint64_t)0U; + p[8U] = (uint64_t)0U; + p[9U] = (uint64_t)0U; + p[10U] = (uint64_t)0U; + p[11U] = (uint64_t)0U; +} + +static void +scalarMultiplicationL(uint64_t *p, uint64_t *result, uint8_t *scalar, uint64_t *tempBuffer) +{ + uint64_t *q = tempBuffer; + uint64_t *buff; + zero_buffer(q); + buff = tempBuffer + (uint32_t)12U; + pointToDomain(p, result); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)256U; i++) + { + uint32_t bit0 = (uint32_t)255U - i; + uint64_t + bit = + (uint64_t)(scalar[(uint32_t)31U - bit0 / (uint32_t)8U] >> bit0 % (uint32_t)8U & (uint8_t)1U); + cswap(bit, q, result); + point_add(q, result, result, buff); + point_double(q, q, buff); + cswap(bit, q, result); + } + } + norm(q, result, buff); +} + +static void +scalarMultiplicationC( + uint64_t *p, + uint64_t *result, + const uint8_t *scalar, + uint64_t *tempBuffer +) +{ + uint64_t *q = tempBuffer; + uint64_t *buff; + zero_buffer(q); + buff = tempBuffer + (uint32_t)12U; + pointToDomain(p, result); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)256U; i++) + { + uint32_t bit0 = (uint32_t)255U - i; + uint64_t + bit = + (uint64_t)(scalar[(uint32_t)31U - bit0 / (uint32_t)8U] >> bit0 % (uint32_t)8U & (uint8_t)1U); + cswap(bit, q, result); + point_add(q, result, result, 
buff); + point_double(q, q, buff); + cswap(bit, q, result); + } + } + norm(q, result, buff); +} + +static void uploadBasePoint(uint64_t *p) +{ + p[0U] = (uint64_t)8784043285714375740U; + p[1U] = (uint64_t)8483257759279461889U; + p[2U] = (uint64_t)8789745728267363600U; + p[3U] = (uint64_t)1770019616739251654U; + p[4U] = (uint64_t)15992936863339206154U; + p[5U] = (uint64_t)10037038012062884956U; + p[6U] = (uint64_t)15197544864945402661U; + p[7U] = (uint64_t)9615747158586711429U; + p[8U] = (uint64_t)1U; + p[9U] = (uint64_t)18446744069414584320U; + p[10U] = (uint64_t)18446744073709551615U; + p[11U] = (uint64_t)4294967294U; +} + +static void +scalarMultiplicationWithoutNorm( + uint64_t *p, + uint64_t *result, + uint8_t *scalar, + uint64_t *tempBuffer +) +{ + uint64_t *q = tempBuffer; + uint64_t *buff; + zero_buffer(q); + buff = tempBuffer + (uint32_t)12U; + pointToDomain(p, result); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)256U; i++) + { + uint32_t bit0 = (uint32_t)255U - i; + uint64_t + bit = + (uint64_t)(scalar[(uint32_t)31U - bit0 / (uint32_t)8U] >> bit0 % (uint32_t)8U & (uint8_t)1U); + cswap(bit, q, result); + point_add(q, result, result, buff); + point_double(q, q, buff); + cswap(bit, q, result); + } + } + copy_point(q, result); +} + +void +Hacl_Impl_P256_Core_secretToPublic(uint64_t *result, uint8_t *scalar, uint64_t *tempBuffer) +{ + uint64_t basePoint[12U] = { 0U }; + uint64_t *q; + uint64_t *buff; + uploadBasePoint(basePoint); + q = tempBuffer; + buff = tempBuffer + (uint32_t)12U; + zero_buffer(q); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)256U; i++) + { + uint32_t bit0 = (uint32_t)255U - i; + uint64_t + bit = + (uint64_t)(scalar[(uint32_t)31U - bit0 / (uint32_t)8U] >> bit0 % (uint32_t)8U & (uint8_t)1U); + cswap(bit, q, basePoint); + point_add(q, basePoint, basePoint, buff); + point_double(q, q, buff); + cswap(bit, q, basePoint); + } + } + norm(q, result, buff); +} + +static void secretToPublicWithoutNorm(uint64_t *result, uint8_t 
*scalar, uint64_t *tempBuffer) +{ + uint64_t basePoint[12U] = { 0U }; + uint64_t *q; + uint64_t *buff; + uploadBasePoint(basePoint); + q = tempBuffer; + buff = tempBuffer + (uint32_t)12U; + zero_buffer(q); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)256U; i++) + { + uint32_t bit0 = (uint32_t)255U - i; + uint64_t + bit = + (uint64_t)(scalar[(uint32_t)31U - bit0 / (uint32_t)8U] >> bit0 % (uint32_t)8U & (uint8_t)1U); + cswap(bit, q, basePoint); + point_add(q, basePoint, basePoint, buff); + point_double(q, q, buff); + cswap(bit, q, basePoint); + } + } + copy_point(q, result); +} + +static const +uint64_t +prime256order_buffer[4U] = + { + (uint64_t)17562291160714782033U, + (uint64_t)13611842547513532036U, + (uint64_t)18446744073709551615U, + (uint64_t)18446744069414584320U + }; + +static const +uint8_t +order_inverse_buffer[32U] = + { + (uint8_t)79U, (uint8_t)37U, (uint8_t)99U, (uint8_t)252U, (uint8_t)194U, (uint8_t)202U, + (uint8_t)185U, (uint8_t)243U, (uint8_t)132U, (uint8_t)158U, (uint8_t)23U, (uint8_t)167U, + (uint8_t)173U, (uint8_t)250U, (uint8_t)230U, (uint8_t)188U, (uint8_t)255U, (uint8_t)255U, + (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, + (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, + (uint8_t)255U + }; + +static const +uint8_t +order_buffer[32U] = + { + (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, (uint8_t)0U, (uint8_t)0U, + (uint8_t)0U, (uint8_t)0U, (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, + (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, (uint8_t)188U, (uint8_t)230U, + (uint8_t)250U, (uint8_t)173U, (uint8_t)167U, (uint8_t)23U, (uint8_t)158U, (uint8_t)132U, + (uint8_t)243U, (uint8_t)185U, (uint8_t)202U, (uint8_t)194U, (uint8_t)252U, (uint8_t)99U, + (uint8_t)37U, (uint8_t)81U + }; + +static void montgomery_multiplication_round(uint64_t *t, uint64_t *round, uint64_t k0) +{ + uint64_t temp = (uint64_t)0U; + 
uint64_t y = (uint64_t)0U; + uint64_t t2[8U] = { 0U }; + uint64_t t3[8U] = { 0U }; + uint64_t t1 = t[0U]; + uint64_t y_; + uint64_t *result04; + mul64(t1, k0, &y, &temp); + y_ = y; + result04 = t2; + { + uint64_t temp1 = (uint64_t)0U; + uint64_t f1 = prime256order_buffer[1U]; + uint64_t f2 = prime256order_buffer[2U]; + uint64_t f3 = prime256order_buffer[3U]; + uint64_t *o0 = result04; + uint64_t *o1 = result04 + (uint32_t)1U; + uint64_t *o2 = result04 + (uint32_t)2U; + uint64_t *o3 = result04 + (uint32_t)3U; + uint64_t f01 = prime256order_buffer[0U]; + uint64_t h0; + uint64_t l0; + uint64_t c1; + uint64_t h1; + uint64_t l1; + uint64_t c2; + uint64_t h; + uint64_t l; + uint64_t c3; + uint64_t temp0; + uint64_t c; + uint64_t uu____0; + mul64(f01, y_, o0, &temp1); + h0 = temp1; + mul64(f1, y_, o1, &temp1); + l0 = o1[0U]; + c1 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l0, h0, o1); + h1 = temp1; + mul64(f2, y_, o2, &temp1); + l1 = o2[0U]; + c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c1, l1, h1, o2); + h = temp1; + mul64(f3, y_, o3, &temp1); + l = o3[0U]; + c3 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, l, h, o3); + temp0 = temp1; + c = c3 + temp0; + t2[4U] = c; + uu____0 = add8(t, t2, t3); + shift8(t3, round); + } +} + +static void montgomery_multiplication_round_twice(uint64_t *t, uint64_t *result, uint64_t k0) +{ + uint64_t tempRound[8U] = { 0U }; + montgomery_multiplication_round(t, tempRound, k0); + montgomery_multiplication_round(tempRound, result, k0); +} + +static void reduction_prime_2prime_with_carry(uint64_t *x, uint64_t *result) +{ + uint64_t tempBuffer[4U] = { 0U }; + uint64_t tempBufferForSubborrow = (uint64_t)0U; + uint64_t cin = x[4U]; + uint64_t *x_ = x; + uint64_t c = sub4_il(x_, prime256order_buffer, tempBuffer); + uint64_t + carry = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, cin, (uint64_t)0U, &tempBufferForSubborrow); + cmovznz4(carry, tempBuffer, x_, result); +} + +static void reduction_prime_2prime_order(uint64_t *x, uint64_t *result) +{ 
+ uint64_t tempBuffer[4U] = { 0U }; + uint64_t c = sub4_il(x, prime256order_buffer, tempBuffer); + cmovznz4(c, tempBuffer, x, result); +} + +static void montgomery_multiplication_ecdsa_module(uint64_t *a, uint64_t *b, uint64_t *result) +{ + uint64_t t[8U] = { 0U }; + uint64_t round2[8U] = { 0U }; + uint64_t round4[8U] = { 0U }; + uint64_t prime_p256_orderBuffer[4U] = { 0U }; + uint64_t k0 = (uint64_t)14758798090332847183U; + uint64_t f0 = a[0U]; + uint64_t f1 = a[1U]; + uint64_t f2 = a[2U]; + uint64_t f3 = a[3U]; + uint64_t *b0 = t; + uint64_t temp2 = (uint64_t)0U; + uint64_t f110 = b[1U]; + uint64_t f210 = b[2U]; + uint64_t f310 = b[3U]; + uint64_t *o00 = b0; + uint64_t *o10 = b0 + (uint32_t)1U; + uint64_t *o20 = b0 + (uint32_t)2U; + uint64_t *o30 = b0 + (uint32_t)3U; + uint64_t f020 = b[0U]; + uint64_t h0; + uint64_t l0; + uint64_t c10; + uint64_t h1; + uint64_t l1; + uint64_t c20; + uint64_t h2; + uint64_t l2; + uint64_t c30; + uint64_t temp00; + uint64_t c0; + uint64_t *b1; + mul64(f020, f0, o00, &temp2); + h0 = temp2; + mul64(f110, f0, o10, &temp2); + l0 = o10[0U]; + c10 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l0, h0, o10); + h1 = temp2; + mul64(f210, f0, o20, &temp2); + l1 = o20[0U]; + c20 = Lib_IntTypes_Intrinsics_add_carry_u64(c10, l1, h1, o20); + h2 = temp2; + mul64(f310, f0, o30, &temp2); + l2 = o30[0U]; + c30 = Lib_IntTypes_Intrinsics_add_carry_u64(c20, l2, h2, o30); + temp00 = temp2; + c0 = c30 + temp00; + t[4U] = c0; + b1 = t + (uint32_t)1U; + { + uint64_t temp3[4U] = { 0U }; + uint64_t temp10 = (uint64_t)0U; + uint64_t f111 = b[1U]; + uint64_t f211 = b[2U]; + uint64_t f311 = b[3U]; + uint64_t *o01 = temp3; + uint64_t *o11 = temp3 + (uint32_t)1U; + uint64_t *o21 = temp3 + (uint32_t)2U; + uint64_t *o31 = temp3 + (uint32_t)3U; + uint64_t f021 = b[0U]; + uint64_t h3; + uint64_t l3; + uint64_t c12; + uint64_t h4; + uint64_t l4; + uint64_t c22; + uint64_t h5; + uint64_t l5; + uint64_t c31; + uint64_t temp01; + uint64_t c4; + uint64_t c32; + 
uint64_t c1; + uint64_t *b2; + mul64(f021, f1, o01, &temp10); + h3 = temp10; + mul64(f111, f1, o11, &temp10); + l3 = o11[0U]; + c12 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l3, h3, o11); + h4 = temp10; + mul64(f211, f1, o21, &temp10); + l4 = o21[0U]; + c22 = Lib_IntTypes_Intrinsics_add_carry_u64(c12, l4, h4, o21); + h5 = temp10; + mul64(f311, f1, o31, &temp10); + l5 = o31[0U]; + c31 = Lib_IntTypes_Intrinsics_add_carry_u64(c22, l5, h5, o31); + temp01 = temp10; + c4 = c31 + temp01; + c32 = add4(temp3, b1, b1); + c1 = c4 + c32; + t[5U] = c1; + b2 = t + (uint32_t)2U; + { + uint64_t temp4[4U] = { 0U }; + uint64_t temp11 = (uint64_t)0U; + uint64_t f112 = b[1U]; + uint64_t f212 = b[2U]; + uint64_t f312 = b[3U]; + uint64_t *o02 = temp4; + uint64_t *o12 = temp4 + (uint32_t)1U; + uint64_t *o22 = temp4 + (uint32_t)2U; + uint64_t *o32 = temp4 + (uint32_t)3U; + uint64_t f022 = b[0U]; + uint64_t h6; + uint64_t l6; + uint64_t c110; + uint64_t h7; + uint64_t l7; + uint64_t c23; + uint64_t h8; + uint64_t l8; + uint64_t c33; + uint64_t temp02; + uint64_t c5; + uint64_t c34; + uint64_t c2; + uint64_t *b3; + mul64(f022, f2, o02, &temp11); + h6 = temp11; + mul64(f112, f2, o12, &temp11); + l6 = o12[0U]; + c110 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l6, h6, o12); + h7 = temp11; + mul64(f212, f2, o22, &temp11); + l7 = o22[0U]; + c23 = Lib_IntTypes_Intrinsics_add_carry_u64(c110, l7, h7, o22); + h8 = temp11; + mul64(f312, f2, o32, &temp11); + l8 = o32[0U]; + c33 = Lib_IntTypes_Intrinsics_add_carry_u64(c23, l8, h8, o32); + temp02 = temp11; + c5 = c33 + temp02; + c34 = add4(temp4, b2, b2); + c2 = c5 + c34; + t[6U] = c2; + b3 = t + (uint32_t)3U; + { + uint64_t temp[4U] = { 0U }; + uint64_t temp1 = (uint64_t)0U; + uint64_t f11 = b[1U]; + uint64_t f21 = b[2U]; + uint64_t f31 = b[3U]; + uint64_t *o0 = temp; + uint64_t *o1 = temp + (uint32_t)1U; + uint64_t *o2 = temp + (uint32_t)2U; + uint64_t *o3 = temp + (uint32_t)3U; + uint64_t f02 = b[0U]; + uint64_t h9; + uint64_t 
l9; + uint64_t c11; + uint64_t h10; + uint64_t l10; + uint64_t c21; + uint64_t h; + uint64_t l; + uint64_t c35; + uint64_t temp0; + uint64_t c; + uint64_t c36; + uint64_t c3; + mul64(f02, f3, o0, &temp1); + h9 = temp1; + mul64(f11, f3, o1, &temp1); + l9 = o1[0U]; + c11 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l9, h9, o1); + h10 = temp1; + mul64(f21, f3, o2, &temp1); + l10 = o2[0U]; + c21 = Lib_IntTypes_Intrinsics_add_carry_u64(c11, l10, h10, o2); + h = temp1; + mul64(f31, f3, o3, &temp1); + l = o3[0U]; + c35 = Lib_IntTypes_Intrinsics_add_carry_u64(c21, l, h, o3); + temp0 = temp1; + c = c35 + temp0; + c36 = add4(temp, b3, b3); + c3 = c + c36; + t[7U] = c3; + montgomery_multiplication_round_twice(t, round2, k0); + montgomery_multiplication_round_twice(round2, round4, k0); + reduction_prime_2prime_with_carry(round4, result); + } + } + } +} + +static void bufferToJac(uint64_t *p, uint64_t *result) +{ + uint64_t *partPoint = result; + memcpy(partPoint, p, (uint32_t)8U * sizeof (uint64_t)); + result[8U] = (uint64_t)1U; + result[9U] = (uint64_t)0U; + result[10U] = (uint64_t)0U; + result[11U] = (uint64_t)0U; +} + +/* + The input of the function is considered to be public, +thus this code is not secret independent with respect to the operations done over the input. +*/ +static bool isPointAtInfinityPublic(uint64_t *p) +{ + uint64_t z0 = p[8U]; + uint64_t z1 = p[9U]; + uint64_t z2 = p[10U]; + uint64_t z3 = p[11U]; + bool z0_zero = z0 == (uint64_t)0U; + bool z1_zero = z1 == (uint64_t)0U; + bool z2_zero = z2 == (uint64_t)0U; + bool z3_zero = z3 == (uint64_t)0U; + return z0_zero && z1_zero && z2_zero && z3_zero; +} + +/* + The input of the function is considered to be public, +thus this code is not secret independent with respect to the operations done over the input. 
+*/ +static bool isPointOnCurvePublic(uint64_t *p) +{ + uint64_t y2Buffer[4U] = { 0U }; + uint64_t xBuffer[4U] = { 0U }; + uint64_t *x = p; + uint64_t *y = p + (uint32_t)4U; + uint64_t multBuffer0[8U] = { 0U }; + shift_256_impl(y, multBuffer0); + solinas_reduction_impl(multBuffer0, y2Buffer); + montgomery_square_buffer(y2Buffer, y2Buffer); + { + uint64_t xToDomainBuffer[4U] = { 0U }; + uint64_t minusThreeXBuffer[4U] = { 0U }; + uint64_t p256_constant[4U] = { 0U }; + uint64_t multBuffer[8U] = { 0U }; + uint64_t r; + shift_256_impl(x, multBuffer); + solinas_reduction_impl(multBuffer, xToDomainBuffer); + montgomery_square_buffer(xToDomainBuffer, xBuffer); + montgomery_multiplication_buffer(xBuffer, xToDomainBuffer, xBuffer); + multByThree(xToDomainBuffer, minusThreeXBuffer); + p256_sub(xBuffer, minusThreeXBuffer, xBuffer); + p256_constant[0U] = (uint64_t)15608596021259845087U; + p256_constant[1U] = (uint64_t)12461466548982526096U; + p256_constant[2U] = (uint64_t)16546823903870267094U; + p256_constant[3U] = (uint64_t)15866188208926050356U; + p256_add(xBuffer, p256_constant, xBuffer); + r = compare_felem(y2Buffer, xBuffer); + return !(r == (uint64_t)0U); + } +} + +static bool isCoordinateValid(uint64_t *p) +{ + uint64_t tempBuffer[4U] = { 0U }; + uint64_t *x = p; + uint64_t *y = p + (uint32_t)4U; + uint64_t carryX = sub4_il(x, prime256_buffer, tempBuffer); + uint64_t carryY = sub4_il(y, prime256_buffer, tempBuffer); + bool lessX = carryX == (uint64_t)1U; + bool lessY = carryY == (uint64_t)1U; + return lessX && lessY; +} + +/* + The input of the function is considered to be public, +thus this code is not secret independent with respect to the operations done over the input. 
+*/ +static bool isOrderCorrect(uint64_t *p, uint64_t *tempBuffer) +{ + uint64_t multResult[12U] = { 0U }; + uint64_t pBuffer[12U] = { 0U }; + bool result; + memcpy(pBuffer, p, (uint32_t)12U * sizeof (uint64_t)); + scalarMultiplicationC(pBuffer, multResult, order_buffer, tempBuffer); + result = isPointAtInfinityPublic(multResult); + return result; +} + +/* + The input of the function is considered to be public, +thus this code is not secret independent with respect to the operations done over the input. +*/ +static bool verifyQValidCurvePoint(uint64_t *pubKeyAsPoint, uint64_t *tempBuffer) +{ + bool coordinatesValid = isCoordinateValid(pubKeyAsPoint); + if (!coordinatesValid) + { + return false; + } + { + bool belongsToCurve = isPointOnCurvePublic(pubKeyAsPoint); + bool orderCorrect = isOrderCorrect(pubKeyAsPoint, tempBuffer); + return coordinatesValid && belongsToCurve && orderCorrect; + } +} + +static bool isMoreThanZeroLessThanOrder(uint8_t *x) +{ + uint64_t xAsFelem[4U] = { 0U }; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(x, xAsFelem); + { + uint64_t tempBuffer[4U] = { 0U }; + uint64_t carry = sub4_il(xAsFelem, prime256order_buffer, tempBuffer); + uint64_t less = FStar_UInt64_eq_mask(carry, (uint64_t)1U); + uint64_t more = isZero_uint64_CT(xAsFelem); + uint64_t notMore = ~more; + uint64_t result = less & notMore; + return ~result == (uint64_t)0U; + } +} + +/* + The pub(lic)_key input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over this variable. 
+*/ +uint64_t Hacl_Impl_P256_DH__ecp256dh_r(uint64_t *result, uint64_t *pubKey, uint8_t *scalar) +{ + uint64_t tempBuffer[100U] = { 0U }; + uint64_t publicKeyBuffer[12U] = { 0U }; + bool publicKeyCorrect; + uint64_t ite; + bufferToJac(pubKey, publicKeyBuffer); + publicKeyCorrect = verifyQValidCurvePoint(publicKeyBuffer, tempBuffer); + if (publicKeyCorrect) + { + scalarMultiplicationL(publicKeyBuffer, result, scalar, tempBuffer); + { + uint64_t flag = Hacl_Impl_P256_Core_isPointAtInfinityPrivate(result); + ite = flag; + } + } + else + { + ite = (uint64_t)18446744073709551615U; + } + return ite; +} + +static inline void cswap0(uint64_t bit, uint64_t *p1, uint64_t *p2) +{ + uint64_t mask = (uint64_t)0U - bit; + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t dummy = mask & (p1[i] ^ p2[i]); + p1[i] = p1[i] ^ dummy; + p2[i] = p2[i] ^ dummy; + } +} + +static void montgomery_ladder_exponent(uint64_t *r) +{ + uint64_t p[4U] = { 0U }; + p[0U] = (uint64_t)884452912994769583U; + p[1U] = (uint64_t)4834901526196019579U; + p[2U] = (uint64_t)0U; + p[3U] = (uint64_t)4294967295U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)256U; i++) + { + uint32_t bit0 = (uint32_t)255U - i; + uint64_t + bit = + (uint64_t)(order_inverse_buffer[bit0 / (uint32_t)8U] >> bit0 % (uint32_t)8U & (uint8_t)1U); + cswap0(bit, p, r); + montgomery_multiplication_ecdsa_module(p, r, r); + montgomery_multiplication_ecdsa_module(p, p, p); + cswap0(bit, p, r); + } + } + memcpy(r, p, (uint32_t)4U * sizeof (uint64_t)); +} + +static void fromDomainImpl(uint64_t *a, uint64_t *result) +{ + uint64_t one[4U] = { 0U }; + uploadOneImpl(one); + montgomery_multiplication_ecdsa_module(one, a, result); +} + +static void multPowerPartial(uint64_t *a, uint64_t *b, uint64_t *result) +{ + uint64_t buffFromDB[4U] = { 0U }; + fromDomainImpl(b, buffFromDB); + fromDomainImpl(buffFromDB, buffFromDB); + montgomery_multiplication_ecdsa_module(a, buffFromDB, result); +} + +/* + The input of the 
function is considered to be public, +thus this code is not secret independent with respect to the operations done over the input. +*/ +static bool isMoreThanZeroLessThanOrderMinusOne(uint64_t *f) +{ + uint64_t tempBuffer[4U] = { 0U }; + uint64_t carry = sub4_il(f, prime256order_buffer, tempBuffer); + bool less = carry == (uint64_t)1U; + uint64_t f0 = f[0U]; + uint64_t f1 = f[1U]; + uint64_t f2 = f[2U]; + uint64_t f3 = f[3U]; + bool z0_zero = f0 == (uint64_t)0U; + bool z1_zero = f1 == (uint64_t)0U; + bool z2_zero = f2 == (uint64_t)0U; + bool z3_zero = f3 == (uint64_t)0U; + bool more = z0_zero && z1_zero && z2_zero && z3_zero; + return less && !more; +} + +/* + The input of the function is considered to be public, +thus this code is not secret independent with respect to the operations done over the input. +*/ +static bool compare_felem_bool(uint64_t *a, uint64_t *b) +{ + uint64_t a_0 = a[0U]; + uint64_t a_1 = a[1U]; + uint64_t a_2 = a[2U]; + uint64_t a_3 = a[3U]; + uint64_t b_0 = b[0U]; + uint64_t b_1 = b[1U]; + uint64_t b_2 = b[2U]; + uint64_t b_3 = b[3U]; + return a_0 == b_0 && a_1 == b_1 && a_2 == b_2 && a_3 == b_3; +} + +/* + The input of the function is considered to be public, +thus this code is not secret independent with respect to the operations done over the input. 
+*/ +static bool +ecdsa_verification_( + Spec_ECDSA_hash_alg_ecdsa alg, + uint64_t *pubKey, + uint64_t *r, + uint64_t *s, + uint32_t mLen, + uint8_t *m +) +{ + uint64_t tempBufferU64[120U] = { 0U }; + uint64_t *publicKeyBuffer = tempBufferU64; + uint64_t *hashAsFelem = tempBufferU64 + (uint32_t)12U; + uint64_t *tempBuffer = tempBufferU64 + (uint32_t)16U; + uint64_t *xBuffer = tempBufferU64 + (uint32_t)116U; + bool publicKeyCorrect; + bool ite; + bufferToJac(pubKey, publicKeyBuffer); + publicKeyCorrect = verifyQValidCurvePoint(publicKeyBuffer, tempBuffer); + if (publicKeyCorrect == false) + { + ite = false; + } + else + { + bool isRCorrect = isMoreThanZeroLessThanOrderMinusOne(r); + bool isSCorrect = isMoreThanZeroLessThanOrderMinusOne(s); + bool step1 = isRCorrect && isSCorrect; + if (step1 == false) + { + ite = false; + } + else + { + uint8_t tempBufferU8[64U] = { 0U }; + uint8_t *bufferU1 = tempBufferU8; + uint8_t *bufferU2 = tempBufferU8 + (uint32_t)32U; + uint32_t sz; + if (alg.tag == Spec_ECDSA_NoHash) + { + sz = mLen; + } + else if (alg.tag == Spec_ECDSA_Hash) + { + Spec_Hash_Definitions_hash_alg a = alg._0; + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + sz = (uint32_t)16U; + break; + } + case Spec_Hash_Definitions_SHA1: + { + sz = (uint32_t)20U; + break; + } + case Spec_Hash_Definitions_SHA2_224: + { + sz = (uint32_t)28U; + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + sz = (uint32_t)32U; + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + sz = (uint32_t)48U; + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + sz = (uint32_t)64U; + break; + } + case Spec_Hash_Definitions_Blake2S: + { + sz = (uint32_t)32U; + break; + } + case Spec_Hash_Definitions_Blake2B: + { + sz = (uint32_t)64U; + break; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + else + { + sz = KRML_EABORT(uint32_t, "unreachable (pattern matches are exhaustive in F*)"); + } + 
KRML_CHECK_SIZE(sizeof (uint8_t), sz); + { + uint8_t mHash[sz]; + memset(mHash, 0U, sz * sizeof (uint8_t)); + if (alg.tag == Spec_ECDSA_NoHash) + { + memcpy(mHash, m, sz * sizeof (uint8_t)); + } + else if (alg.tag == Spec_ECDSA_Hash) + { + Spec_Hash_Definitions_hash_alg a = alg._0; + switch (a) + { + case Spec_Hash_Definitions_SHA2_256: + { + Hacl_Hash_SHA2_hash_256(m, mLen, mHash); + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + Hacl_Hash_SHA2_hash_384(m, mLen, mHash); + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + Hacl_Hash_SHA2_hash_512(m, mLen, mHash); + break; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + else + { + KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); + } + { + uint8_t *cutHash = mHash; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(cutHash, hashAsFelem); + reduction_prime_2prime_order(hashAsFelem, hashAsFelem); + { + uint64_t tempBuffer1[12U] = { 0U }; + uint64_t *inverseS = tempBuffer1; + uint64_t *u1 = tempBuffer1 + (uint32_t)4U; + uint64_t *u2 = tempBuffer1 + (uint32_t)8U; + fromDomainImpl(s, inverseS); + montgomery_ladder_exponent(inverseS); + multPowerPartial(inverseS, hashAsFelem, u1); + multPowerPartial(inverseS, r, u2); + Hacl_Impl_P256_LowLevel_changeEndian(u1); + Hacl_Impl_P256_LowLevel_changeEndian(u2); + Hacl_Impl_P256_LowLevel_toUint8(u1, bufferU1); + Hacl_Impl_P256_LowLevel_toUint8(u2, bufferU2); + { + uint64_t pointSum[12U] = { 0U }; + uint64_t points[24U] = { 0U }; + uint64_t *buff = tempBuffer + (uint32_t)12U; + uint64_t *pointU1G = points; + uint64_t *pointU2Q0 = points + (uint32_t)12U; + secretToPublicWithoutNorm(pointU1G, bufferU1, tempBuffer); + scalarMultiplicationWithoutNorm(publicKeyBuffer, pointU2Q0, bufferU2, tempBuffer); + { + uint64_t *pointU1G0 = points; + uint64_t *pointU2Q = points + (uint32_t)12U; + 
uint64_t tmp[112U] = { 0U }; + uint64_t *tmpForNorm = tmp; + uint64_t *result0Norm = tmp + (uint32_t)88U; + uint64_t *result1Norm = tmp + (uint32_t)100U; + uint64_t *pointU1G1 = points; + uint64_t *pointU2Q1 = points + (uint32_t)12U; + norm(pointU1G1, result0Norm, tmpForNorm); + norm(pointU2Q1, result1Norm, tmpForNorm); + { + uint64_t *x0 = result0Norm; + uint64_t *y0 = result0Norm + (uint32_t)4U; + uint64_t *z0 = result0Norm + (uint32_t)8U; + uint64_t *x1 = result1Norm; + uint64_t *y1 = result1Norm + (uint32_t)4U; + uint64_t *z1 = result1Norm + (uint32_t)8U; + bool xEqual = compare_felem_bool(x0, x1); + bool yEqual = compare_felem_bool(y0, y1); + bool zEqual = compare_felem_bool(z0, z1); + bool equalX = xEqual && yEqual && zEqual; + bool equalX0 = equalX; + if (equalX0) + { + point_double(pointU1G0, pointSum, buff); + } + else + { + point_add(pointU1G0, pointU2Q, pointSum, buff); + } + norm(pointSum, pointSum, buff); + { + bool resultIsPAI = isPointAtInfinityPublic(pointSum); + uint64_t *xCoordinateSum = pointSum; + memcpy(xBuffer, xCoordinateSum, (uint32_t)4U * sizeof (uint64_t)); + reduction_prime_2prime_order(xBuffer, xBuffer); + { + bool r1 = !resultIsPAI; + bool state = r1; + if (state == false) + { + ite = false; + } + else + { + bool result = compare_felem_bool(xBuffer, r); + ite = result; + } + } + } + } + } + } + } + } + } + } + } + return ite; +} + +static uint64_t +ecdsa_signature_core( + Spec_ECDSA_hash_alg_ecdsa alg, + uint64_t *r, + uint64_t *s, + uint32_t mLen, + uint8_t *m, + uint64_t *privKeyAsFelem, + uint8_t *k +) +{ + uint64_t hashAsFelem[4U] = { 0U }; + uint64_t tempBuffer[100U] = { 0U }; + uint64_t kAsFelem[4U] = { 0U }; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(k, kAsFelem); + { + uint32_t sz; + if (alg.tag == Spec_ECDSA_NoHash) + { + sz = mLen; + } + else if (alg.tag == Spec_ECDSA_Hash) + { + Spec_Hash_Definitions_hash_alg a = alg._0; + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + sz = (uint32_t)16U; + break; + } + case 
Spec_Hash_Definitions_SHA1: + { + sz = (uint32_t)20U; + break; + } + case Spec_Hash_Definitions_SHA2_224: + { + sz = (uint32_t)28U; + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + sz = (uint32_t)32U; + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + sz = (uint32_t)48U; + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + sz = (uint32_t)64U; + break; + } + case Spec_Hash_Definitions_Blake2S: + { + sz = (uint32_t)32U; + break; + } + case Spec_Hash_Definitions_Blake2B: + { + sz = (uint32_t)64U; + break; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + else + { + sz = KRML_EABORT(uint32_t, "unreachable (pattern matches are exhaustive in F*)"); + } + KRML_CHECK_SIZE(sizeof (uint8_t), sz); + { + uint8_t mHash[sz]; + memset(mHash, 0U, sz * sizeof (uint8_t)); + { + uint8_t *cutHash; + if (alg.tag == Spec_ECDSA_NoHash) + { + memcpy(mHash, m, sz * sizeof (uint8_t)); + } + else if (alg.tag == Spec_ECDSA_Hash) + { + Spec_Hash_Definitions_hash_alg a = alg._0; + switch (a) + { + case Spec_Hash_Definitions_SHA2_256: + { + Hacl_Hash_SHA2_hash_256(m, mLen, mHash); + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + Hacl_Hash_SHA2_hash_384(m, mLen, mHash); + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + Hacl_Hash_SHA2_hash_512(m, mLen, mHash); + break; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + else + { + KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); + } + cutHash = mHash; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(cutHash, hashAsFelem); + reduction_prime_2prime_order(hashAsFelem, hashAsFelem); + { + uint64_t result[12U] = { 0U }; + uint64_t *tempForNorm = tempBuffer; + uint64_t step5Flag; + secretToPublicWithoutNorm(result, k, tempBuffer); + normX(result, 
r, tempForNorm); + reduction_prime_2prime_order(r, r); + step5Flag = isZero_uint64_CT(r); + { + uint64_t rda[4U] = { 0U }; + uint64_t zBuffer[4U] = { 0U }; + uint64_t kInv[4U] = { 0U }; + uint64_t t; + montgomery_multiplication_ecdsa_module(r, privKeyAsFelem, rda); + fromDomainImpl(hashAsFelem, zBuffer); + t = add4(rda, zBuffer, zBuffer); + { + uint64_t tempBuffer1[4U] = { 0U }; + uint64_t tempBufferForSubborrow = (uint64_t)0U; + uint64_t c = sub4_il(zBuffer, prime256order_buffer, tempBuffer1); + uint64_t + carry = + Lib_IntTypes_Intrinsics_sub_borrow_u64(c, + t, + (uint64_t)0U, + &tempBufferForSubborrow); + uint64_t sIsZero; + cmovznz4(carry, tempBuffer1, zBuffer, zBuffer); + memcpy(kInv, kAsFelem, (uint32_t)4U * sizeof (uint64_t)); + montgomery_ladder_exponent(kInv); + montgomery_multiplication_ecdsa_module(zBuffer, kInv, s); + sIsZero = isZero_uint64_CT(s); + return step5Flag | sIsZero; + } + } + } + } + } + } +} + +static inline void cswap1(uint64_t bit, uint64_t *p1, uint64_t *p2) +{ + uint64_t mask = (uint64_t)0U - bit; + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t dummy = mask & (p1[i] ^ p2[i]); + p1[i] = p1[i] ^ dummy; + p2[i] = p2[i] ^ dummy; + } +} + +static void montgomery_ladder_power(uint64_t *a, const uint8_t *scalar, uint64_t *result) +{ + uint64_t p[4U] = { 0U }; + p[0U] = (uint64_t)1U; + p[1U] = (uint64_t)18446744069414584320U; + p[2U] = (uint64_t)18446744073709551615U; + p[3U] = (uint64_t)4294967294U; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)256U; i++) + { + uint32_t bit0 = (uint32_t)255U - i; + uint64_t bit = (uint64_t)(scalar[bit0 / (uint32_t)8U] >> bit0 % (uint32_t)8U & (uint8_t)1U); + cswap1(bit, p, a); + montgomery_multiplication_buffer(p, a, a); + montgomery_square_buffer(p, p); + cswap1(bit, p, a); + } + } + memcpy(result, p, (uint32_t)4U * sizeof (uint64_t)); +} + +static const +uint8_t +sqPower_buffer[32U] = + { + (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, 
(uint8_t)0U, + (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)64U, (uint8_t)0U, (uint8_t)0U, + (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, + (uint8_t)0U, (uint8_t)0U, (uint8_t)64U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)192U, + (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, (uint8_t)63U + }; + +static void computeYFromX(uint64_t *x, uint64_t *result, uint64_t sign) +{ + uint64_t aCoordinateBuffer[4U] = { 0U }; + uint64_t bCoordinateBuffer[4U] = { 0U }; + uint64_t word; + uint64_t bitToCheck; + uint64_t flag; + aCoordinateBuffer[0U] = (uint64_t)18446744073709551612U; + aCoordinateBuffer[1U] = (uint64_t)17179869183U; + aCoordinateBuffer[2U] = (uint64_t)0U; + aCoordinateBuffer[3U] = (uint64_t)18446744056529682436U; + bCoordinateBuffer[0U] = (uint64_t)15608596021259845087U; + bCoordinateBuffer[1U] = (uint64_t)12461466548982526096U; + bCoordinateBuffer[2U] = (uint64_t)16546823903870267094U; + bCoordinateBuffer[3U] = (uint64_t)15866188208926050356U; + montgomery_multiplication_buffer(aCoordinateBuffer, x, aCoordinateBuffer); + cube(x, result); + p256_add(result, aCoordinateBuffer, result); + p256_add(result, bCoordinateBuffer, result); + uploadZeroImpl(aCoordinateBuffer); + montgomery_ladder_power(result, sqPower_buffer, result); + montgomery_multiplication_buffer_by_one(result, result); + p256_sub(aCoordinateBuffer, result, bCoordinateBuffer); + word = result[0U]; + bitToCheck = word & (uint64_t)1U; + flag = FStar_UInt64_eq_mask(bitToCheck, sign); + cmovznz4(flag, bCoordinateBuffer, result, result); +} + + +/******************************************************************************* + +ECDSA and ECDH functions over the P-256 NIST curve. + +This module implements signing and verification, key validation, conversions +between various point representations, and ECDH key agreement. 
+ +*******************************************************************************/ + +/**************/ +/* Signatures */ +/**************/ + +/* + Per the standard, a hash function *shall* be used. Therefore, we recommend + using one of the three combined hash-and-sign variants. +*/ + +/* +Hash the message with SHA2-256, then sign the resulting digest with the P256 signature function. + +Input: result buffer: uint8[64], + m buffer: uint8 [mLen], + priv(ate)Key: uint8[32], + k (nonce): uint32[32]. + + Output: bool, where True stands for the correct signature generation. False value means that an error has occurred. + + The private key and the nonce are expected to be more than 0 and less than the curve order. +*/ +bool +Hacl_P256_ecdsa_sign_p256_sha2( + uint8_t *result, + uint32_t mLen, + uint8_t *m, + uint8_t *privKey, + uint8_t *k +) +{ + uint64_t privKeyAsFelem[4U] = { 0U }; + uint64_t r[4U] = { 0U }; + uint64_t s[4U] = { 0U }; + uint8_t *resultR = result; + uint8_t *resultS = result + (uint32_t)32U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(privKey, privKeyAsFelem); + { + Spec_ECDSA_hash_alg_ecdsa lit; + uint64_t flag; + lit.tag = Spec_ECDSA_Hash; + lit._0 = Spec_Hash_Definitions_SHA2_256; + flag = ecdsa_signature_core(lit, r, s, mLen, m, privKeyAsFelem, k); + Hacl_Impl_P256_LowLevel_changeEndian(r); + Hacl_Impl_P256_LowLevel_toUint8(r, resultR); + Hacl_Impl_P256_LowLevel_changeEndian(s); + Hacl_Impl_P256_LowLevel_toUint8(s, resultS); + return flag == (uint64_t)0U; + } +} + +/* +Hash the message with SHA2-384, then sign the resulting digest with the P256 signature function. + +Input: result buffer: uint8[64], + m buffer: uint8 [mLen], + priv(ate)Key: uint8[32], + k (nonce): uint32[32]. + + Output: bool, where True stands for the correct signature generation. False value means that an error has occurred. + + The private key and the nonce are expected to be more than 0 and less than the curve order. 
+*/ +bool +Hacl_P256_ecdsa_sign_p256_sha384( + uint8_t *result, + uint32_t mLen, + uint8_t *m, + uint8_t *privKey, + uint8_t *k +) +{ + uint64_t privKeyAsFelem[4U] = { 0U }; + uint64_t r[4U] = { 0U }; + uint64_t s[4U] = { 0U }; + uint8_t *resultR = result; + uint8_t *resultS = result + (uint32_t)32U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(privKey, privKeyAsFelem); + { + Spec_ECDSA_hash_alg_ecdsa lit; + uint64_t flag; + lit.tag = Spec_ECDSA_Hash; + lit._0 = Spec_Hash_Definitions_SHA2_384; + flag = ecdsa_signature_core(lit, r, s, mLen, m, privKeyAsFelem, k); + Hacl_Impl_P256_LowLevel_changeEndian(r); + Hacl_Impl_P256_LowLevel_toUint8(r, resultR); + Hacl_Impl_P256_LowLevel_changeEndian(s); + Hacl_Impl_P256_LowLevel_toUint8(s, resultS); + return flag == (uint64_t)0U; + } +} + +/* +Hash the message with SHA2-512, then sign the resulting digest with the P256 signature function. + +Input: result buffer: uint8[64], + m buffer: uint8 [mLen], + priv(ate)Key: uint8[32], + k (nonce): uint32[32]. + + Output: bool, where True stands for the correct signature generation. False value means that an error has occurred. + + The private key and the nonce are expected to be more than 0 and less than the curve order. 
+*/ +bool +Hacl_P256_ecdsa_sign_p256_sha512( + uint8_t *result, + uint32_t mLen, + uint8_t *m, + uint8_t *privKey, + uint8_t *k +) +{ + uint64_t privKeyAsFelem[4U] = { 0U }; + uint64_t r[4U] = { 0U }; + uint64_t s[4U] = { 0U }; + uint8_t *resultR = result; + uint8_t *resultS = result + (uint32_t)32U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(privKey, privKeyAsFelem); + { + Spec_ECDSA_hash_alg_ecdsa lit; + uint64_t flag; + lit.tag = Spec_ECDSA_Hash; + lit._0 = Spec_Hash_Definitions_SHA2_512; + flag = ecdsa_signature_core(lit, r, s, mLen, m, privKeyAsFelem, k); + Hacl_Impl_P256_LowLevel_changeEndian(r); + Hacl_Impl_P256_LowLevel_toUint8(r, resultR); + Hacl_Impl_P256_LowLevel_changeEndian(s); + Hacl_Impl_P256_LowLevel_toUint8(s, resultS); + return flag == (uint64_t)0U; + } +} + +/* +P256 signature WITHOUT hashing first. + +This function is intended to receive a hash of the input. For convenience, we +recommend using one of the hash-and-sign combined functions above. + +The argument `m` MUST be at least 32 bytes (i.e. `mLen >= 32`). + +NOTE: The equivalent functions in OpenSSL and Fiat-Crypto both accept inputs +smaller than 32 bytes. These libraries left-pad the input with enough zeroes to +reach the minimum 32 byte size. Clients who need behavior identical to OpenSSL +need to perform the left-padding themselves. + +Input: result buffer: uint8[64], + m buffer: uint8 [mLen], + priv(ate)Key: uint8[32], + k (nonce): uint32[32]. + + Output: bool, where True stands for the correct signature generation. False value means that an error has occurred. + + The private key and the nonce are expected to be more than 0 and less than the curve order. + + The message m is expected to be hashed by a strong hash function, the lenght of the message is expected to be 32 bytes and more. 
+*/ +bool +Hacl_P256_ecdsa_sign_p256_without_hash( + uint8_t *result, + uint32_t mLen, + uint8_t *m, + uint8_t *privKey, + uint8_t *k +) +{ + uint64_t privKeyAsFelem[4U] = { 0U }; + uint64_t r[4U] = { 0U }; + uint64_t s[4U] = { 0U }; + uint8_t *resultR = result; + uint8_t *resultS = result + (uint32_t)32U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(privKey, privKeyAsFelem); + { + Spec_ECDSA_hash_alg_ecdsa lit; + uint64_t flag; + lit.tag = Spec_ECDSA_NoHash; + flag = ecdsa_signature_core(lit, r, s, mLen, m, privKeyAsFelem, k); + Hacl_Impl_P256_LowLevel_changeEndian(r); + Hacl_Impl_P256_LowLevel_toUint8(r, resultR); + Hacl_Impl_P256_LowLevel_changeEndian(s); + Hacl_Impl_P256_LowLevel_toUint8(s, resultS); + return flag == (uint64_t)0U; + } +} + + +/****************/ +/* Verification */ +/****************/ + +/* + Verify a message signature. These functions internally validate the public key using validate_public_key. +*/ + + +/* + The input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over the input. + + Input: m buffer: uint8 [mLen], + pub(lic)Key: uint8[64], + r: uint8[32], + s: uint8[32]. + + Output: bool, where true stands for the correct signature verification. 
+*/ +bool +Hacl_P256_ecdsa_verif_p256_sha2( + uint32_t mLen, + uint8_t *m, + uint8_t *pubKey, + uint8_t *r, + uint8_t *s +) +{ + uint64_t publicKeyAsFelem[8U] = { 0U }; + uint64_t *publicKeyFelemX = publicKeyAsFelem; + uint64_t *publicKeyFelemY = publicKeyAsFelem + (uint32_t)4U; + uint64_t rAsFelem[4U] = { 0U }; + uint64_t sAsFelem[4U] = { 0U }; + uint8_t *pubKeyX = pubKey; + uint8_t *pubKeyY = pubKey + (uint32_t)32U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyX, publicKeyFelemX); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyY, publicKeyFelemY); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(r, rAsFelem); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(s, sAsFelem); + { + Spec_ECDSA_hash_alg_ecdsa lit; + bool result; + lit.tag = Spec_ECDSA_Hash; + lit._0 = Spec_Hash_Definitions_SHA2_256; + result = ecdsa_verification_(lit, publicKeyAsFelem, rAsFelem, sAsFelem, mLen, m); + return result; + } +} + +/* + The input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over the input. + + Input: m buffer: uint8 [mLen], + pub(lic)Key: uint8[64], + r: uint8[32], + s: uint8[32]. + + Output: bool, where true stands for the correct signature verification. 
+*/ +bool +Hacl_P256_ecdsa_verif_p256_sha384( + uint32_t mLen, + uint8_t *m, + uint8_t *pubKey, + uint8_t *r, + uint8_t *s +) +{ + uint64_t publicKeyAsFelem[8U] = { 0U }; + uint64_t *publicKeyFelemX = publicKeyAsFelem; + uint64_t *publicKeyFelemY = publicKeyAsFelem + (uint32_t)4U; + uint64_t rAsFelem[4U] = { 0U }; + uint64_t sAsFelem[4U] = { 0U }; + uint8_t *pubKeyX = pubKey; + uint8_t *pubKeyY = pubKey + (uint32_t)32U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyX, publicKeyFelemX); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyY, publicKeyFelemY); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(r, rAsFelem); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(s, sAsFelem); + { + Spec_ECDSA_hash_alg_ecdsa lit; + bool result; + lit.tag = Spec_ECDSA_Hash; + lit._0 = Spec_Hash_Definitions_SHA2_384; + result = ecdsa_verification_(lit, publicKeyAsFelem, rAsFelem, sAsFelem, mLen, m); + return result; + } +} + +/* + The input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over the input. + + Input: m buffer: uint8 [mLen], + pub(lic)Key: uint8[64], + r: uint8[32], + s: uint8[32]. + + Output: bool, where true stands for the correct signature verification. 
+*/ +bool +Hacl_P256_ecdsa_verif_p256_sha512( + uint32_t mLen, + uint8_t *m, + uint8_t *pubKey, + uint8_t *r, + uint8_t *s +) +{ + uint64_t publicKeyAsFelem[8U] = { 0U }; + uint64_t *publicKeyFelemX = publicKeyAsFelem; + uint64_t *publicKeyFelemY = publicKeyAsFelem + (uint32_t)4U; + uint64_t rAsFelem[4U] = { 0U }; + uint64_t sAsFelem[4U] = { 0U }; + uint8_t *pubKeyX = pubKey; + uint8_t *pubKeyY = pubKey + (uint32_t)32U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyX, publicKeyFelemX); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyY, publicKeyFelemY); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(r, rAsFelem); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(s, sAsFelem); + { + Spec_ECDSA_hash_alg_ecdsa lit; + bool result; + lit.tag = Spec_ECDSA_Hash; + lit._0 = Spec_Hash_Definitions_SHA2_512; + result = ecdsa_verification_(lit, publicKeyAsFelem, rAsFelem, sAsFelem, mLen, m); + return result; + } +} + +/* + The input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over the input. + + Input: m buffer: uint8 [mLen], + pub(lic)Key: uint8[64], + r: uint8[32], + s: uint8[32]. + + Output: bool, where true stands for the correct signature verification. + + The message m is expected to be hashed by a strong hash function, the lenght of the message is expected to be 32 bytes and more. 
+*/ +bool +Hacl_P256_ecdsa_verif_without_hash( + uint32_t mLen, + uint8_t *m, + uint8_t *pubKey, + uint8_t *r, + uint8_t *s +) +{ + uint64_t publicKeyAsFelem[8U] = { 0U }; + uint64_t *publicKeyFelemX = publicKeyAsFelem; + uint64_t *publicKeyFelemY = publicKeyAsFelem + (uint32_t)4U; + uint64_t rAsFelem[4U] = { 0U }; + uint64_t sAsFelem[4U] = { 0U }; + uint8_t *pubKeyX = pubKey; + uint8_t *pubKeyY = pubKey + (uint32_t)32U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyX, publicKeyFelemX); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyY, publicKeyFelemY); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(r, rAsFelem); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(s, sAsFelem); + { + Spec_ECDSA_hash_alg_ecdsa lit; + bool result; + lit.tag = Spec_ECDSA_NoHash; + result = ecdsa_verification_(lit, publicKeyAsFelem, rAsFelem, sAsFelem, mLen, m); + return result; + } +} + + +/******************/ +/* Key validation */ +/******************/ + + +/* +Validate a public key. + + + The input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over the input. + + Input: pub(lic)Key: uint8[64]. + + Output: bool, where 0 stands for the public key to be correct with respect to SP 800-56A: + Verify that the public key is not the “point at infinity”, represented as O. + Verify that the affine x and y coordinates of the point represented by the public key are in the range [0, p – 1] where p is the prime defining the finite field. + Verify that y2 = x3 + ax + b where a and b are the coefficients of the curve equation. + Verify that nQ = O (the point at infinity), where n is the order of the curve and Q is the public key point. 
+ + The last extract is taken from : https://neilmadden.blog/2017/05/17/so-how-do-you-validate-nist-ecdh-public-keys/ +*/ +bool Hacl_P256_validate_public_key(uint8_t *pubKey) +{ + uint8_t *pubKeyX = pubKey; + uint8_t *pubKeyY = pubKey + (uint32_t)32U; + uint64_t tempBuffer[120U] = { 0U }; + uint64_t *tempBufferV = tempBuffer; + uint64_t *publicKeyJ = tempBuffer + (uint32_t)100U; + uint64_t *publicKeyB = tempBuffer + (uint32_t)112U; + uint64_t *publicKeyX = publicKeyB; + uint64_t *publicKeyY = publicKeyB + (uint32_t)4U; + bool r; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyX, publicKeyX); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyY, publicKeyY); + bufferToJac(publicKeyB, publicKeyJ); + r = verifyQValidCurvePoint(publicKeyJ, tempBufferV); + return r; +} + +/* +Validate a private key, e.g. prior to signing. + +Input: scalar: uint8[32]. + + Output: bool, where true stands for the scalar to be more than 0 and less than order. +*/ +bool Hacl_P256_validate_private_key(uint8_t *x) +{ + return isMoreThanZeroLessThanOrder(x); +} + + +/*****************************************/ +/* Point representations and conversions */ +/*****************************************/ + +/* + Elliptic curve points have 2 32-byte coordinates (x, y) and can be represented in 3 ways: + + - "raw" form (64 bytes): the concatenation of the 2 coordinates, also known as "internal" + - "compressed" form (33 bytes): first the sign byte of y (either 0x02 or 0x03), followed by x + - "uncompressed" form (65 bytes): first a constant byte (always 0x04), followed by the "raw" form + + For all of the conversation functions below, the input and output MUST NOT overlap. +*/ + + +/* +Convert 65-byte uncompressed to raw. + +The function errors out if the first byte is incorrect, or if the resulting point is invalid. + + + + Input: a point in not compressed form (uint8[65]), + result: uint8[64] (internal point representation). + + Output: bool, where true stands for the correct decompression. 
+ +*/ +bool Hacl_P256_uncompressed_to_raw(uint8_t *b, uint8_t *result) +{ + uint8_t compressionIdentifier = b[0U]; + bool correctIdentifier = (uint8_t)4U == compressionIdentifier; + if (correctIdentifier) + { + memcpy(result, b + (uint32_t)1U, (uint32_t)64U * sizeof (uint8_t)); + } + return correctIdentifier; +} + +/* +Convert 33-byte compressed to raw. + +The function errors out if the first byte is incorrect, or if the resulting point is invalid. + +Input: a point in compressed form (uint8[33]), + result: uint8[64] (internal point representation). + + Output: bool, where true stands for the correct decompression. + +*/ +bool Hacl_P256_compressed_to_raw(uint8_t *b, uint8_t *result) +{ + uint64_t temp[8U] = { 0U }; + uint64_t *t0 = temp; + uint64_t *t1 = temp + (uint32_t)4U; + uint8_t compressedIdentifier = b[0U]; + uint8_t correctIdentifier2 = FStar_UInt8_eq_mask((uint8_t)2U, compressedIdentifier); + uint8_t correctIdentifier3 = FStar_UInt8_eq_mask((uint8_t)3U, compressedIdentifier); + uint8_t isIdentifierCorrect = correctIdentifier2 | correctIdentifier3; + bool flag = isIdentifierCorrect == (uint8_t)255U; + if (flag) + { + uint8_t *x = b + (uint32_t)1U; + memcpy(result, x, (uint32_t)32U * sizeof (uint8_t)); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(x, t0); + { + uint64_t tempBuffer[4U] = { 0U }; + uint64_t carry = sub4_il(t0, prime256_buffer, tempBuffer); + bool lessThanPrimeXCoordinate = carry == (uint64_t)1U; + if (!lessThanPrimeXCoordinate) + { + return false; + } + { + uint64_t multBuffer[8U] = { 0U }; + shift_256_impl(t0, multBuffer); + solinas_reduction_impl(multBuffer, t0); + { + uint64_t identifierBit = (uint64_t)(compressedIdentifier & (uint8_t)1U); + computeYFromX(t0, t1, identifierBit); + Hacl_Impl_P256_LowLevel_changeEndian(t1); + Hacl_Impl_P256_LowLevel_toUint8(t1, result + (uint32_t)32U); + return true; + } + } + } + } + return false; +} + +/* +Convert raw to 65-byte uncompressed. + +This function effectively prepends a 0x04 byte. 
+ +Input: a point buffer (internal representation: uint8[64]), + result: a point in not compressed form (uint8[65]). +*/ +void Hacl_P256_raw_to_uncompressed(uint8_t *b, uint8_t *result) +{ + uint8_t *to = result + (uint32_t)1U; + memcpy(to, b, (uint32_t)64U * sizeof (uint8_t)); + result[0U] = (uint8_t)4U; +} + +/* +Convert raw to 33-byte compressed. + + Input: `b`, the pointer buffer in internal representation, of type `uint8[64]` + Output: `result`, a point in compressed form, of type `uint8[33]` + +*/ +void Hacl_P256_raw_to_compressed(uint8_t *b, uint8_t *result) +{ + uint8_t *y = b + (uint32_t)32U; + uint8_t lastWordY = y[31U]; + uint8_t lastBitY = lastWordY & (uint8_t)1U; + uint8_t identifier = lastBitY + (uint8_t)2U; + memcpy(result + (uint32_t)1U, b, (uint32_t)32U * sizeof (uint8_t)); + result[0U] = identifier; +} + + +/******************/ +/* ECDH agreement */ +/******************/ + +/* +Convert a private key into a raw public key. + +This function performs no key validation. + + Input: `scalar`, the private key, of type `uint8[32]`. + Output: `result`, the public key, of type `uint8[64]`. + Returns: + - `true`, for success, meaning the public key is not a point at infinity + - `false`, otherwise. + + `scalar` and `result` MUST NOT overlap. 
+*/ +bool Hacl_P256_dh_initiator(uint8_t *result, uint8_t *scalar) +{ + uint64_t tempBuffer[100U] = { 0U }; + uint64_t resultBuffer[12U] = { 0U }; + uint64_t *resultBufferX = resultBuffer; + uint64_t *resultBufferY = resultBuffer + (uint32_t)4U; + uint8_t *resultX = result; + uint8_t *resultY = result + (uint32_t)32U; + uint64_t flag; + Hacl_Impl_P256_Core_secretToPublic(resultBuffer, scalar, tempBuffer); + flag = Hacl_Impl_P256_Core_isPointAtInfinityPrivate(resultBuffer); + Hacl_Impl_P256_LowLevel_changeEndian(resultBufferX); + Hacl_Impl_P256_LowLevel_changeEndian(resultBufferY); + Hacl_Impl_P256_LowLevel_toUint8(resultBufferX, resultX); + Hacl_Impl_P256_LowLevel_toUint8(resultBufferY, resultY); + return flag == (uint64_t)0U; +} + +/* +ECDH key agreement. + +This function takes a 32-byte secret key, another party's 64-byte raw public +key, and computeds the 64-byte ECDH shared key. + +This function ONLY validates the public key. + + The pub(lic)_key input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over this variable. + + Input: result: uint8[64], + pub(lic)Key: uint8[64], + scalar: uint8[32]. + + Output: bool, where True stands for the correct key generation. False value means that an error has occurred (possibly the provided public key was incorrect or the result represents point at infinity). 
+ +*/ +bool Hacl_P256_dh_responder(uint8_t *result, uint8_t *pubKey, uint8_t *scalar) +{ + uint64_t resultBufferFelem[12U] = { 0U }; + uint64_t *resultBufferFelemX = resultBufferFelem; + uint64_t *resultBufferFelemY = resultBufferFelem + (uint32_t)4U; + uint8_t *resultX = result; + uint8_t *resultY = result + (uint32_t)32U; + uint64_t publicKeyAsFelem[8U] = { 0U }; + uint64_t *publicKeyFelemX = publicKeyAsFelem; + uint64_t *publicKeyFelemY = publicKeyAsFelem + (uint32_t)4U; + uint8_t *pubKeyX = pubKey; + uint8_t *pubKeyY = pubKey + (uint32_t)32U; + uint64_t flag; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyX, publicKeyFelemX); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyY, publicKeyFelemY); + flag = Hacl_Impl_P256_DH__ecp256dh_r(resultBufferFelem, publicKeyAsFelem, scalar); + Hacl_Impl_P256_LowLevel_changeEndian(resultBufferFelemX); + Hacl_Impl_P256_LowLevel_changeEndian(resultBufferFelemY); + Hacl_Impl_P256_LowLevel_toUint8(resultBufferFelemX, resultX); + Hacl_Impl_P256_LowLevel_toUint8(resultBufferFelemY, resultY); + return flag == (uint64_t)0U; +} + diff --git a/src/c89/Hacl_Poly1305_128.c b/src/c89/Hacl_Poly1305_128.c new file mode 100644 index 00000000..5d47362e --- /dev/null +++ b/src/c89/Hacl_Poly1305_128.c 
@@ -0,0 +1,1951 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Poly1305_128.h" + + + +void +Hacl_Impl_Poly1305_Field32xN_128_load_acc2(Lib_IntVector_Intrinsics_vec128 *acc, uint8_t *b) +{ + Lib_IntVector_Intrinsics_vec128 e[5U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + { + Lib_IntVector_Intrinsics_vec128 b10 = Lib_IntVector_Intrinsics_vec128_load64_le(b); + Lib_IntVector_Intrinsics_vec128 + b2 = Lib_IntVector_Intrinsics_vec128_load64_le(b + (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 lo = Lib_IntVector_Intrinsics_vec128_interleave_low64(b10, b2); + Lib_IntVector_Intrinsics_vec128 + hi = Lib_IntVector_Intrinsics_vec128_interleave_high64(b10, b2); + Lib_IntVector_Intrinsics_vec128 + f00 = + Lib_IntVector_Intrinsics_vec128_and(lo, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f10 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(lo, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f20 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(lo, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(hi, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(hi, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(hi, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f02 = f00; + Lib_IntVector_Intrinsics_vec128 f12 = f10; + Lib_IntVector_Intrinsics_vec128 f22 = f20; + Lib_IntVector_Intrinsics_vec128 f32 = f30; + Lib_IntVector_Intrinsics_vec128 f42 = f40; + uint64_t b1; + Lib_IntVector_Intrinsics_vec128 mask; + 
Lib_IntVector_Intrinsics_vec128 f43; + Lib_IntVector_Intrinsics_vec128 acc0; + Lib_IntVector_Intrinsics_vec128 acc1; + Lib_IntVector_Intrinsics_vec128 acc2; + Lib_IntVector_Intrinsics_vec128 acc3; + Lib_IntVector_Intrinsics_vec128 acc4; + Lib_IntVector_Intrinsics_vec128 e0; + Lib_IntVector_Intrinsics_vec128 e1; + Lib_IntVector_Intrinsics_vec128 e2; + Lib_IntVector_Intrinsics_vec128 e3; + Lib_IntVector_Intrinsics_vec128 e4; + Lib_IntVector_Intrinsics_vec128 f0; + Lib_IntVector_Intrinsics_vec128 f1; + Lib_IntVector_Intrinsics_vec128 f2; + Lib_IntVector_Intrinsics_vec128 f3; + Lib_IntVector_Intrinsics_vec128 f4; + Lib_IntVector_Intrinsics_vec128 f01; + Lib_IntVector_Intrinsics_vec128 f11; + Lib_IntVector_Intrinsics_vec128 f21; + Lib_IntVector_Intrinsics_vec128 f31; + Lib_IntVector_Intrinsics_vec128 f41; + Lib_IntVector_Intrinsics_vec128 acc01; + Lib_IntVector_Intrinsics_vec128 acc11; + Lib_IntVector_Intrinsics_vec128 acc21; + Lib_IntVector_Intrinsics_vec128 acc31; + Lib_IntVector_Intrinsics_vec128 acc41; + e[0U] = f02; + e[1U] = f12; + e[2U] = f22; + e[3U] = f32; + e[4U] = f42; + b1 = (uint64_t)0x1000000U; + mask = Lib_IntVector_Intrinsics_vec128_load64(b1); + f43 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec128_or(f43, mask); + acc0 = acc[0U]; + acc1 = acc[1U]; + acc2 = acc[2U]; + acc3 = acc[3U]; + acc4 = acc[4U]; + e0 = e[0U]; + e1 = e[1U]; + e2 = e[2U]; + e3 = e[3U]; + e4 = e[4U]; + f0 = Lib_IntVector_Intrinsics_vec128_insert64(acc0, (uint64_t)0U, (uint32_t)1U); + f1 = Lib_IntVector_Intrinsics_vec128_insert64(acc1, (uint64_t)0U, (uint32_t)1U); + f2 = Lib_IntVector_Intrinsics_vec128_insert64(acc2, (uint64_t)0U, (uint32_t)1U); + f3 = Lib_IntVector_Intrinsics_vec128_insert64(acc3, (uint64_t)0U, (uint32_t)1U); + f4 = Lib_IntVector_Intrinsics_vec128_insert64(acc4, (uint64_t)0U, (uint32_t)1U); + f01 = Lib_IntVector_Intrinsics_vec128_add64(f0, e0); + f11 = Lib_IntVector_Intrinsics_vec128_add64(f1, e1); + f21 = Lib_IntVector_Intrinsics_vec128_add64(f2, e2); + f31 = 
Lib_IntVector_Intrinsics_vec128_add64(f3, e3); + f41 = Lib_IntVector_Intrinsics_vec128_add64(f4, e4); + acc01 = f01; + acc11 = f11; + acc21 = f21; + acc31 = f31; + acc41 = f41; + acc[0U] = acc01; + acc[1U] = acc11; + acc[2U] = acc21; + acc[3U] = acc31; + acc[4U] = acc41; + } +} + +void +Hacl_Impl_Poly1305_Field32xN_128_fmul_r2_normalize( + Lib_IntVector_Intrinsics_vec128 *out, + Lib_IntVector_Intrinsics_vec128 *p +) +{ + Lib_IntVector_Intrinsics_vec128 *r = p; + Lib_IntVector_Intrinsics_vec128 *r2 = p + (uint32_t)10U; + Lib_IntVector_Intrinsics_vec128 a0 = out[0U]; + Lib_IntVector_Intrinsics_vec128 a1 = out[1U]; + Lib_IntVector_Intrinsics_vec128 a2 = out[2U]; + Lib_IntVector_Intrinsics_vec128 a3 = out[3U]; + Lib_IntVector_Intrinsics_vec128 a4 = out[4U]; + Lib_IntVector_Intrinsics_vec128 r10 = r[0U]; + Lib_IntVector_Intrinsics_vec128 r11 = r[1U]; + Lib_IntVector_Intrinsics_vec128 r12 = r[2U]; + Lib_IntVector_Intrinsics_vec128 r13 = r[3U]; + Lib_IntVector_Intrinsics_vec128 r14 = r[4U]; + Lib_IntVector_Intrinsics_vec128 r20 = r2[0U]; + Lib_IntVector_Intrinsics_vec128 r21 = r2[1U]; + Lib_IntVector_Intrinsics_vec128 r22 = r2[2U]; + Lib_IntVector_Intrinsics_vec128 r23 = r2[3U]; + Lib_IntVector_Intrinsics_vec128 r24 = r2[4U]; + Lib_IntVector_Intrinsics_vec128 + r201 = Lib_IntVector_Intrinsics_vec128_interleave_low64(r20, r10); + Lib_IntVector_Intrinsics_vec128 + r211 = Lib_IntVector_Intrinsics_vec128_interleave_low64(r21, r11); + Lib_IntVector_Intrinsics_vec128 + r221 = Lib_IntVector_Intrinsics_vec128_interleave_low64(r22, r12); + Lib_IntVector_Intrinsics_vec128 + r231 = Lib_IntVector_Intrinsics_vec128_interleave_low64(r23, r13); + Lib_IntVector_Intrinsics_vec128 + r241 = Lib_IntVector_Intrinsics_vec128_interleave_low64(r24, r14); + Lib_IntVector_Intrinsics_vec128 + r251 = Lib_IntVector_Intrinsics_vec128_smul64(r211, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec128 + r252 = Lib_IntVector_Intrinsics_vec128_smul64(r221, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec128 + 
r253 = Lib_IntVector_Intrinsics_vec128_smul64(r231, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec128 + r254 = Lib_IntVector_Intrinsics_vec128_smul64(r241, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec128 a01 = Lib_IntVector_Intrinsics_vec128_mul64(r201, a0); + Lib_IntVector_Intrinsics_vec128 a11 = Lib_IntVector_Intrinsics_vec128_mul64(r211, a0); + Lib_IntVector_Intrinsics_vec128 a21 = Lib_IntVector_Intrinsics_vec128_mul64(r221, a0); + Lib_IntVector_Intrinsics_vec128 a31 = Lib_IntVector_Intrinsics_vec128_mul64(r231, a0); + Lib_IntVector_Intrinsics_vec128 a41 = Lib_IntVector_Intrinsics_vec128_mul64(r241, a0); + Lib_IntVector_Intrinsics_vec128 + a02 = + Lib_IntVector_Intrinsics_vec128_add64(a01, + Lib_IntVector_Intrinsics_vec128_mul64(r254, a1)); + Lib_IntVector_Intrinsics_vec128 + a12 = + Lib_IntVector_Intrinsics_vec128_add64(a11, + Lib_IntVector_Intrinsics_vec128_mul64(r201, a1)); + Lib_IntVector_Intrinsics_vec128 + a22 = + Lib_IntVector_Intrinsics_vec128_add64(a21, + Lib_IntVector_Intrinsics_vec128_mul64(r211, a1)); + Lib_IntVector_Intrinsics_vec128 + a32 = + Lib_IntVector_Intrinsics_vec128_add64(a31, + Lib_IntVector_Intrinsics_vec128_mul64(r221, a1)); + Lib_IntVector_Intrinsics_vec128 + a42 = + Lib_IntVector_Intrinsics_vec128_add64(a41, + Lib_IntVector_Intrinsics_vec128_mul64(r231, a1)); + Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r253, a2)); + Lib_IntVector_Intrinsics_vec128 + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r254, a2)); + Lib_IntVector_Intrinsics_vec128 + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r201, a2)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r211, a2)); + Lib_IntVector_Intrinsics_vec128 + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r221, 
a2)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r252, a3)); + Lib_IntVector_Intrinsics_vec128 + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r253, a3)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r254, a3)); + Lib_IntVector_Intrinsics_vec128 + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r201, a3)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r211, a3)); + Lib_IntVector_Intrinsics_vec128 + a05 = + Lib_IntVector_Intrinsics_vec128_add64(a04, + Lib_IntVector_Intrinsics_vec128_mul64(r251, a4)); + Lib_IntVector_Intrinsics_vec128 + a15 = + Lib_IntVector_Intrinsics_vec128_add64(a14, + Lib_IntVector_Intrinsics_vec128_mul64(r252, a4)); + Lib_IntVector_Intrinsics_vec128 + a25 = + Lib_IntVector_Intrinsics_vec128_add64(a24, + Lib_IntVector_Intrinsics_vec128_mul64(r253, a4)); + Lib_IntVector_Intrinsics_vec128 + a35 = + Lib_IntVector_Intrinsics_vec128_add64(a34, + Lib_IntVector_Intrinsics_vec128_mul64(r254, a4)); + Lib_IntVector_Intrinsics_vec128 + a45 = + Lib_IntVector_Intrinsics_vec128_add64(a44, + Lib_IntVector_Intrinsics_vec128_mul64(r201, a4)); + Lib_IntVector_Intrinsics_vec128 t0 = a05; + Lib_IntVector_Intrinsics_vec128 t1 = a15; + Lib_IntVector_Intrinsics_vec128 t2 = a25; + Lib_IntVector_Intrinsics_vec128 t3 = a35; + Lib_IntVector_Intrinsics_vec128 t4 = a45; + Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x0 = 
Lib_IntVector_Intrinsics_vec128_and(t0, mask26); + Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t1, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + Lib_IntVector_Intrinsics_vec128 o0 = x02; + 
Lib_IntVector_Intrinsics_vec128 o10 = x12; + Lib_IntVector_Intrinsics_vec128 o20 = x21; + Lib_IntVector_Intrinsics_vec128 o30 = x32; + Lib_IntVector_Intrinsics_vec128 o40 = x42; + Lib_IntVector_Intrinsics_vec128 + o01 = + Lib_IntVector_Intrinsics_vec128_add64(o0, + Lib_IntVector_Intrinsics_vec128_interleave_high64(o0, o0)); + Lib_IntVector_Intrinsics_vec128 + o11 = + Lib_IntVector_Intrinsics_vec128_add64(o10, + Lib_IntVector_Intrinsics_vec128_interleave_high64(o10, o10)); + Lib_IntVector_Intrinsics_vec128 + o21 = + Lib_IntVector_Intrinsics_vec128_add64(o20, + Lib_IntVector_Intrinsics_vec128_interleave_high64(o20, o20)); + Lib_IntVector_Intrinsics_vec128 + o31 = + Lib_IntVector_Intrinsics_vec128_add64(o30, + Lib_IntVector_Intrinsics_vec128_interleave_high64(o30, o30)); + Lib_IntVector_Intrinsics_vec128 + o41 = + Lib_IntVector_Intrinsics_vec128_add64(o40, + Lib_IntVector_Intrinsics_vec128_interleave_high64(o40, o40)); + Lib_IntVector_Intrinsics_vec128 + l = Lib_IntVector_Intrinsics_vec128_add64(o01, Lib_IntVector_Intrinsics_vec128_zero); + Lib_IntVector_Intrinsics_vec128 + tmp0 = + Lib_IntVector_Intrinsics_vec128_and(l, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c0 = Lib_IntVector_Intrinsics_vec128_shift_right64(l, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l0 = Lib_IntVector_Intrinsics_vec128_add64(o11, c0); + Lib_IntVector_Intrinsics_vec128 + tmp1 = + Lib_IntVector_Intrinsics_vec128_and(l0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c1 = Lib_IntVector_Intrinsics_vec128_shift_right64(l0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l1 = Lib_IntVector_Intrinsics_vec128_add64(o21, c1); + Lib_IntVector_Intrinsics_vec128 + tmp2 = + Lib_IntVector_Intrinsics_vec128_and(l1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c2 = Lib_IntVector_Intrinsics_vec128_shift_right64(l1, (uint32_t)26U); + 
Lib_IntVector_Intrinsics_vec128 l2 = Lib_IntVector_Intrinsics_vec128_add64(o31, c2); + Lib_IntVector_Intrinsics_vec128 + tmp3 = + Lib_IntVector_Intrinsics_vec128_and(l2, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c3 = Lib_IntVector_Intrinsics_vec128_shift_right64(l2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l3 = Lib_IntVector_Intrinsics_vec128_add64(o41, c3); + Lib_IntVector_Intrinsics_vec128 + tmp4 = + Lib_IntVector_Intrinsics_vec128_and(l3, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c4 = Lib_IntVector_Intrinsics_vec128_shift_right64(l3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + o00 = + Lib_IntVector_Intrinsics_vec128_add64(tmp0, + Lib_IntVector_Intrinsics_vec128_smul64(c4, (uint64_t)5U)); + Lib_IntVector_Intrinsics_vec128 o1 = tmp1; + Lib_IntVector_Intrinsics_vec128 o2 = tmp2; + Lib_IntVector_Intrinsics_vec128 o3 = tmp3; + Lib_IntVector_Intrinsics_vec128 o4 = tmp4; + out[0U] = o00; + out[1U] = o1; + out[2U] = o2; + out[3U] = o3; + out[4U] = o4; +} + +uint32_t Hacl_Poly1305_128_blocklen = (uint32_t)16U; + +void Hacl_Poly1305_128_poly1305_init(Lib_IntVector_Intrinsics_vec128 *ctx, uint8_t *key) +{ + Lib_IntVector_Intrinsics_vec128 *acc = ctx; + Lib_IntVector_Intrinsics_vec128 *pre = ctx + (uint32_t)5U; + uint8_t *kr = key; + uint64_t u0; + uint64_t lo; + uint64_t u; + uint64_t hi; + uint64_t mask0; + uint64_t mask1; + uint64_t lo1; + uint64_t hi1; + Lib_IntVector_Intrinsics_vec128 *r; + Lib_IntVector_Intrinsics_vec128 *r5; + Lib_IntVector_Intrinsics_vec128 *rn; + Lib_IntVector_Intrinsics_vec128 *rn_5; + Lib_IntVector_Intrinsics_vec128 r_vec0; + Lib_IntVector_Intrinsics_vec128 r_vec1; + Lib_IntVector_Intrinsics_vec128 f00; + Lib_IntVector_Intrinsics_vec128 f15; + Lib_IntVector_Intrinsics_vec128 f25; + Lib_IntVector_Intrinsics_vec128 f30; + Lib_IntVector_Intrinsics_vec128 f40; + Lib_IntVector_Intrinsics_vec128 f0; + 
Lib_IntVector_Intrinsics_vec128 f1; + Lib_IntVector_Intrinsics_vec128 f2; + Lib_IntVector_Intrinsics_vec128 f3; + Lib_IntVector_Intrinsics_vec128 f4; + Lib_IntVector_Intrinsics_vec128 f200; + Lib_IntVector_Intrinsics_vec128 f210; + Lib_IntVector_Intrinsics_vec128 f220; + Lib_IntVector_Intrinsics_vec128 f230; + Lib_IntVector_Intrinsics_vec128 f240; + Lib_IntVector_Intrinsics_vec128 r0; + Lib_IntVector_Intrinsics_vec128 r1; + Lib_IntVector_Intrinsics_vec128 r2; + Lib_IntVector_Intrinsics_vec128 r3; + Lib_IntVector_Intrinsics_vec128 r4; + Lib_IntVector_Intrinsics_vec128 r51; + Lib_IntVector_Intrinsics_vec128 r52; + Lib_IntVector_Intrinsics_vec128 r53; + Lib_IntVector_Intrinsics_vec128 r54; + Lib_IntVector_Intrinsics_vec128 f10; + Lib_IntVector_Intrinsics_vec128 f11; + Lib_IntVector_Intrinsics_vec128 f12; + Lib_IntVector_Intrinsics_vec128 f13; + Lib_IntVector_Intrinsics_vec128 f14; + Lib_IntVector_Intrinsics_vec128 a0; + Lib_IntVector_Intrinsics_vec128 a1; + Lib_IntVector_Intrinsics_vec128 a2; + Lib_IntVector_Intrinsics_vec128 a3; + Lib_IntVector_Intrinsics_vec128 a4; + Lib_IntVector_Intrinsics_vec128 a01; + Lib_IntVector_Intrinsics_vec128 a11; + Lib_IntVector_Intrinsics_vec128 a21; + Lib_IntVector_Intrinsics_vec128 a31; + Lib_IntVector_Intrinsics_vec128 a41; + Lib_IntVector_Intrinsics_vec128 a02; + Lib_IntVector_Intrinsics_vec128 a12; + Lib_IntVector_Intrinsics_vec128 a22; + Lib_IntVector_Intrinsics_vec128 a32; + Lib_IntVector_Intrinsics_vec128 a42; + Lib_IntVector_Intrinsics_vec128 a03; + Lib_IntVector_Intrinsics_vec128 a13; + Lib_IntVector_Intrinsics_vec128 a23; + Lib_IntVector_Intrinsics_vec128 a33; + Lib_IntVector_Intrinsics_vec128 a43; + Lib_IntVector_Intrinsics_vec128 a04; + Lib_IntVector_Intrinsics_vec128 a14; + Lib_IntVector_Intrinsics_vec128 a24; + Lib_IntVector_Intrinsics_vec128 a34; + Lib_IntVector_Intrinsics_vec128 a44; + Lib_IntVector_Intrinsics_vec128 t0; + Lib_IntVector_Intrinsics_vec128 t1; + Lib_IntVector_Intrinsics_vec128 t2; + 
Lib_IntVector_Intrinsics_vec128 t3; + Lib_IntVector_Intrinsics_vec128 t4; + Lib_IntVector_Intrinsics_vec128 mask26; + Lib_IntVector_Intrinsics_vec128 z0; + Lib_IntVector_Intrinsics_vec128 z1; + Lib_IntVector_Intrinsics_vec128 x0; + Lib_IntVector_Intrinsics_vec128 x3; + Lib_IntVector_Intrinsics_vec128 x1; + Lib_IntVector_Intrinsics_vec128 x4; + Lib_IntVector_Intrinsics_vec128 z01; + Lib_IntVector_Intrinsics_vec128 z11; + Lib_IntVector_Intrinsics_vec128 t; + Lib_IntVector_Intrinsics_vec128 z12; + Lib_IntVector_Intrinsics_vec128 x11; + Lib_IntVector_Intrinsics_vec128 x41; + Lib_IntVector_Intrinsics_vec128 x2; + Lib_IntVector_Intrinsics_vec128 x01; + Lib_IntVector_Intrinsics_vec128 z02; + Lib_IntVector_Intrinsics_vec128 z13; + Lib_IntVector_Intrinsics_vec128 x21; + Lib_IntVector_Intrinsics_vec128 x02; + Lib_IntVector_Intrinsics_vec128 x31; + Lib_IntVector_Intrinsics_vec128 x12; + Lib_IntVector_Intrinsics_vec128 z03; + Lib_IntVector_Intrinsics_vec128 x32; + Lib_IntVector_Intrinsics_vec128 x42; + Lib_IntVector_Intrinsics_vec128 o0; + Lib_IntVector_Intrinsics_vec128 o1; + Lib_IntVector_Intrinsics_vec128 o2; + Lib_IntVector_Intrinsics_vec128 o3; + Lib_IntVector_Intrinsics_vec128 o4; + Lib_IntVector_Intrinsics_vec128 f20; + Lib_IntVector_Intrinsics_vec128 f21; + Lib_IntVector_Intrinsics_vec128 f22; + Lib_IntVector_Intrinsics_vec128 f23; + Lib_IntVector_Intrinsics_vec128 f24; + acc[0U] = Lib_IntVector_Intrinsics_vec128_zero; + acc[1U] = Lib_IntVector_Intrinsics_vec128_zero; + acc[2U] = Lib_IntVector_Intrinsics_vec128_zero; + acc[3U] = Lib_IntVector_Intrinsics_vec128_zero; + acc[4U] = Lib_IntVector_Intrinsics_vec128_zero; + u0 = load64_le(kr); + lo = u0; + u = load64_le(kr + (uint32_t)8U); + hi = u; + mask0 = (uint64_t)0x0ffffffc0fffffffU; + mask1 = (uint64_t)0x0ffffffc0ffffffcU; + lo1 = lo & mask0; + hi1 = hi & mask1; + r = pre; + r5 = pre + (uint32_t)5U; + rn = pre + (uint32_t)10U; + rn_5 = pre + (uint32_t)15U; + r_vec0 = Lib_IntVector_Intrinsics_vec128_load64(lo1); + 
r_vec1 = Lib_IntVector_Intrinsics_vec128_load64(hi1); + f00 = + Lib_IntVector_Intrinsics_vec128_and(r_vec0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + f15 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(r_vec0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + f25 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(r_vec0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(r_vec1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(r_vec1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(r_vec1, (uint32_t)40U); + f0 = f00; + f1 = f15; + f2 = f25; + f3 = f30; + f4 = f40; + r[0U] = f0; + r[1U] = f1; + r[2U] = f2; + r[3U] = f3; + r[4U] = f4; + f200 = r[0U]; + f210 = r[1U]; + f220 = r[2U]; + f230 = r[3U]; + f240 = r[4U]; + r5[0U] = Lib_IntVector_Intrinsics_vec128_smul64(f200, (uint64_t)5U); + r5[1U] = Lib_IntVector_Intrinsics_vec128_smul64(f210, (uint64_t)5U); + r5[2U] = Lib_IntVector_Intrinsics_vec128_smul64(f220, (uint64_t)5U); + r5[3U] = Lib_IntVector_Intrinsics_vec128_smul64(f230, (uint64_t)5U); + r5[4U] = Lib_IntVector_Intrinsics_vec128_smul64(f240, (uint64_t)5U); + r0 = r[0U]; + r1 = r[1U]; + r2 = r[2U]; + r3 = r[3U]; + r4 = r[4U]; + r51 = r5[1U]; + r52 = r5[2U]; + r53 = r5[3U]; + r54 = r5[4U]; + f10 = r[0U]; + f11 = r[1U]; + f12 = r[2U]; + f13 = r[3U]; + f14 = r[4U]; + a0 = Lib_IntVector_Intrinsics_vec128_mul64(r0, f10); + a1 = Lib_IntVector_Intrinsics_vec128_mul64(r1, f10); + a2 = Lib_IntVector_Intrinsics_vec128_mul64(r2, f10); + a3 = Lib_IntVector_Intrinsics_vec128_mul64(r3, f10); + a4 = Lib_IntVector_Intrinsics_vec128_mul64(r4, f10); + a01 = + 
Lib_IntVector_Intrinsics_vec128_add64(a0, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f11)); + a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, Lib_IntVector_Intrinsics_vec128_mul64(r0, f11)); + a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, Lib_IntVector_Intrinsics_vec128_mul64(r1, f11)); + a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, Lib_IntVector_Intrinsics_vec128_mul64(r2, f11)); + a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, Lib_IntVector_Intrinsics_vec128_mul64(r3, f11)); + a02 = + Lib_IntVector_Intrinsics_vec128_add64(a01, + Lib_IntVector_Intrinsics_vec128_mul64(r53, f12)); + a12 = + Lib_IntVector_Intrinsics_vec128_add64(a11, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f12)); + a22 = + Lib_IntVector_Intrinsics_vec128_add64(a21, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f12)); + a32 = + Lib_IntVector_Intrinsics_vec128_add64(a31, + Lib_IntVector_Intrinsics_vec128_mul64(r1, f12)); + a42 = + Lib_IntVector_Intrinsics_vec128_add64(a41, + Lib_IntVector_Intrinsics_vec128_mul64(r2, f12)); + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r52, f13)); + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r53, f13)); + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f13)); + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f13)); + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r1, f13)); + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r51, f14)); + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r52, f14)); + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r53, f14)); + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f14)); + a44 = + 
Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f14)); + t0 = a04; + t1 = a14; + t2 = a24; + t3 = a34; + t4 = a44; + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t0, (uint32_t)26U); + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + x0 = Lib_IntVector_Intrinsics_vec128_and(t0, mask26); + x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + x1 = Lib_IntVector_Intrinsics_vec128_add64(t1, z0); + x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + o0 = x02; + o1 = x12; + o2 = x21; + o3 = x32; + o4 = x42; + rn[0U] = o0; + rn[1U] = o1; + rn[2U] = o2; + rn[3U] = o3; + rn[4U] = o4; + f20 = rn[0U]; + f21 = rn[1U]; + f22 = rn[2U]; + f23 = rn[3U]; + f24 = rn[4U]; + rn_5[0U] = Lib_IntVector_Intrinsics_vec128_smul64(f20, (uint64_t)5U); + rn_5[1U] = 
Lib_IntVector_Intrinsics_vec128_smul64(f21, (uint64_t)5U); + rn_5[2U] = Lib_IntVector_Intrinsics_vec128_smul64(f22, (uint64_t)5U); + rn_5[3U] = Lib_IntVector_Intrinsics_vec128_smul64(f23, (uint64_t)5U); + rn_5[4U] = Lib_IntVector_Intrinsics_vec128_smul64(f24, (uint64_t)5U); +} + +void Hacl_Poly1305_128_poly1305_update1(Lib_IntVector_Intrinsics_vec128 *ctx, uint8_t *text) +{ + Lib_IntVector_Intrinsics_vec128 *pre = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 *acc = ctx; + Lib_IntVector_Intrinsics_vec128 e[5U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + { + uint64_t u0 = load64_le(text); + uint64_t lo = u0; + uint64_t u = load64_le(text + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec128 f0 = Lib_IntVector_Intrinsics_vec128_load64(lo); + Lib_IntVector_Intrinsics_vec128 f1 = Lib_IntVector_Intrinsics_vec128_load64(hi); + Lib_IntVector_Intrinsics_vec128 + f010 = + Lib_IntVector_Intrinsics_vec128_and(f0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f110 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f20 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(f1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f01 = f010; + 
Lib_IntVector_Intrinsics_vec128 f111 = f110; + Lib_IntVector_Intrinsics_vec128 f2 = f20; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f41 = f40; + uint64_t b; + Lib_IntVector_Intrinsics_vec128 mask; + Lib_IntVector_Intrinsics_vec128 f4; + Lib_IntVector_Intrinsics_vec128 *r; + Lib_IntVector_Intrinsics_vec128 *r5; + Lib_IntVector_Intrinsics_vec128 r0; + Lib_IntVector_Intrinsics_vec128 r1; + Lib_IntVector_Intrinsics_vec128 r2; + Lib_IntVector_Intrinsics_vec128 r3; + Lib_IntVector_Intrinsics_vec128 r4; + Lib_IntVector_Intrinsics_vec128 r51; + Lib_IntVector_Intrinsics_vec128 r52; + Lib_IntVector_Intrinsics_vec128 r53; + Lib_IntVector_Intrinsics_vec128 r54; + Lib_IntVector_Intrinsics_vec128 f10; + Lib_IntVector_Intrinsics_vec128 f11; + Lib_IntVector_Intrinsics_vec128 f12; + Lib_IntVector_Intrinsics_vec128 f13; + Lib_IntVector_Intrinsics_vec128 f14; + Lib_IntVector_Intrinsics_vec128 a0; + Lib_IntVector_Intrinsics_vec128 a1; + Lib_IntVector_Intrinsics_vec128 a2; + Lib_IntVector_Intrinsics_vec128 a3; + Lib_IntVector_Intrinsics_vec128 a4; + Lib_IntVector_Intrinsics_vec128 a01; + Lib_IntVector_Intrinsics_vec128 a11; + Lib_IntVector_Intrinsics_vec128 a21; + Lib_IntVector_Intrinsics_vec128 a31; + Lib_IntVector_Intrinsics_vec128 a41; + Lib_IntVector_Intrinsics_vec128 a02; + Lib_IntVector_Intrinsics_vec128 a12; + Lib_IntVector_Intrinsics_vec128 a22; + Lib_IntVector_Intrinsics_vec128 a32; + Lib_IntVector_Intrinsics_vec128 a42; + Lib_IntVector_Intrinsics_vec128 a03; + Lib_IntVector_Intrinsics_vec128 a13; + Lib_IntVector_Intrinsics_vec128 a23; + Lib_IntVector_Intrinsics_vec128 a33; + Lib_IntVector_Intrinsics_vec128 a43; + Lib_IntVector_Intrinsics_vec128 a04; + Lib_IntVector_Intrinsics_vec128 a14; + Lib_IntVector_Intrinsics_vec128 a24; + Lib_IntVector_Intrinsics_vec128 a34; + Lib_IntVector_Intrinsics_vec128 a44; + Lib_IntVector_Intrinsics_vec128 a05; + Lib_IntVector_Intrinsics_vec128 a15; + Lib_IntVector_Intrinsics_vec128 a25; + 
Lib_IntVector_Intrinsics_vec128 a35; + Lib_IntVector_Intrinsics_vec128 a45; + Lib_IntVector_Intrinsics_vec128 a06; + Lib_IntVector_Intrinsics_vec128 a16; + Lib_IntVector_Intrinsics_vec128 a26; + Lib_IntVector_Intrinsics_vec128 a36; + Lib_IntVector_Intrinsics_vec128 a46; + Lib_IntVector_Intrinsics_vec128 t0; + Lib_IntVector_Intrinsics_vec128 t1; + Lib_IntVector_Intrinsics_vec128 t2; + Lib_IntVector_Intrinsics_vec128 t3; + Lib_IntVector_Intrinsics_vec128 t4; + Lib_IntVector_Intrinsics_vec128 mask26; + Lib_IntVector_Intrinsics_vec128 z0; + Lib_IntVector_Intrinsics_vec128 z1; + Lib_IntVector_Intrinsics_vec128 x0; + Lib_IntVector_Intrinsics_vec128 x3; + Lib_IntVector_Intrinsics_vec128 x1; + Lib_IntVector_Intrinsics_vec128 x4; + Lib_IntVector_Intrinsics_vec128 z01; + Lib_IntVector_Intrinsics_vec128 z11; + Lib_IntVector_Intrinsics_vec128 t; + Lib_IntVector_Intrinsics_vec128 z12; + Lib_IntVector_Intrinsics_vec128 x11; + Lib_IntVector_Intrinsics_vec128 x41; + Lib_IntVector_Intrinsics_vec128 x2; + Lib_IntVector_Intrinsics_vec128 x01; + Lib_IntVector_Intrinsics_vec128 z02; + Lib_IntVector_Intrinsics_vec128 z13; + Lib_IntVector_Intrinsics_vec128 x21; + Lib_IntVector_Intrinsics_vec128 x02; + Lib_IntVector_Intrinsics_vec128 x31; + Lib_IntVector_Intrinsics_vec128 x12; + Lib_IntVector_Intrinsics_vec128 z03; + Lib_IntVector_Intrinsics_vec128 x32; + Lib_IntVector_Intrinsics_vec128 x42; + Lib_IntVector_Intrinsics_vec128 o0; + Lib_IntVector_Intrinsics_vec128 o1; + Lib_IntVector_Intrinsics_vec128 o2; + Lib_IntVector_Intrinsics_vec128 o3; + Lib_IntVector_Intrinsics_vec128 o4; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + b = (uint64_t)0x1000000U; + mask = Lib_IntVector_Intrinsics_vec128_load64(b); + f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec128_or(f4, mask); + r = pre; + r5 = pre + (uint32_t)5U; + r0 = r[0U]; + r1 = r[1U]; + r2 = r[2U]; + r3 = r[3U]; + r4 = r[4U]; + r51 = r5[1U]; + r52 = r5[2U]; + r53 = r5[3U]; + r54 = r5[4U]; + f10 = e[0U]; + f11 = 
e[1U]; + f12 = e[2U]; + f13 = e[3U]; + f14 = e[4U]; + a0 = acc[0U]; + a1 = acc[1U]; + a2 = acc[2U]; + a3 = acc[3U]; + a4 = acc[4U]; + a01 = Lib_IntVector_Intrinsics_vec128_add64(a0, f10); + a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, f11); + a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, f12); + a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, f13); + a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, f14); + a02 = Lib_IntVector_Intrinsics_vec128_mul64(r0, a01); + a12 = Lib_IntVector_Intrinsics_vec128_mul64(r1, a01); + a22 = Lib_IntVector_Intrinsics_vec128_mul64(r2, a01); + a32 = Lib_IntVector_Intrinsics_vec128_mul64(r3, a01); + a42 = Lib_IntVector_Intrinsics_vec128_mul64(r4, a01); + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a11)); + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a11)); + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a11)); + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a11)); + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r3, a11)); + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a21)); + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a21)); + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a21)); + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a21)); + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a21)); + a05 = + Lib_IntVector_Intrinsics_vec128_add64(a04, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a31)); + a15 = + Lib_IntVector_Intrinsics_vec128_add64(a14, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a31)); + a25 = + Lib_IntVector_Intrinsics_vec128_add64(a24, + 
Lib_IntVector_Intrinsics_vec128_mul64(r54, a31)); + a35 = + Lib_IntVector_Intrinsics_vec128_add64(a34, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a31)); + a45 = + Lib_IntVector_Intrinsics_vec128_add64(a44, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a31)); + a06 = + Lib_IntVector_Intrinsics_vec128_add64(a05, + Lib_IntVector_Intrinsics_vec128_mul64(r51, a41)); + a16 = + Lib_IntVector_Intrinsics_vec128_add64(a15, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a41)); + a26 = + Lib_IntVector_Intrinsics_vec128_add64(a25, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a41)); + a36 = + Lib_IntVector_Intrinsics_vec128_add64(a35, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a41)); + a46 = + Lib_IntVector_Intrinsics_vec128_add64(a45, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a41)); + t0 = a06; + t1 = a16; + t2 = a26; + t3 = a36; + t4 = a46; + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t0, (uint32_t)26U); + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + x0 = Lib_IntVector_Intrinsics_vec128_and(t0, mask26); + x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + x1 = Lib_IntVector_Intrinsics_vec128_add64(t1, z0); + x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + x02 = 
Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + o0 = x02; + o1 = x12; + o2 = x21; + o3 = x32; + o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + } +} + +void +Hacl_Poly1305_128_poly1305_update( + Lib_IntVector_Intrinsics_vec128 *ctx, + uint32_t len, + uint8_t *text +) +{ + Lib_IntVector_Intrinsics_vec128 *pre = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 *acc = ctx; + uint32_t sz_block = (uint32_t)32U; + uint32_t len0 = len / sz_block * sz_block; + uint8_t *t0 = text; + uint32_t len1; + uint8_t *t10; + uint32_t nb0; + uint32_t rem; + if (len0 > (uint32_t)0U) + { + uint32_t bs = (uint32_t)32U; + uint8_t *text0 = t0; + Hacl_Impl_Poly1305_Field32xN_128_load_acc2(acc, text0); + { + uint32_t len10 = len0 - bs; + uint8_t *text1 = t0 + bs; + uint32_t nb = len10 / bs; + { + uint32_t i; + for (i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = text1 + i * bs; + Lib_IntVector_Intrinsics_vec128 e[5U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + { + Lib_IntVector_Intrinsics_vec128 b1 = Lib_IntVector_Intrinsics_vec128_load64_le(block); + Lib_IntVector_Intrinsics_vec128 + b2 = Lib_IntVector_Intrinsics_vec128_load64_le(block + (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 + lo = Lib_IntVector_Intrinsics_vec128_interleave_low64(b1, b2); + Lib_IntVector_Intrinsics_vec128 + hi = Lib_IntVector_Intrinsics_vec128_interleave_high64(b1, b2); + Lib_IntVector_Intrinsics_vec128 + f00 = + Lib_IntVector_Intrinsics_vec128_and(lo, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f15 = + 
Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(lo, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f25 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(lo, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(hi, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(hi, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(hi, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f0 = f00; + Lib_IntVector_Intrinsics_vec128 f1 = f15; + Lib_IntVector_Intrinsics_vec128 f2 = f25; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f41 = f40; + e[0U] = f0; + e[1U] = f1; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + { + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b); + Lib_IntVector_Intrinsics_vec128 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec128_or(f4, mask); + { + Lib_IntVector_Intrinsics_vec128 *rn = pre + (uint32_t)10U; + Lib_IntVector_Intrinsics_vec128 *rn5 = pre + (uint32_t)15U; + Lib_IntVector_Intrinsics_vec128 r0 = rn[0U]; + Lib_IntVector_Intrinsics_vec128 r1 = rn[1U]; + Lib_IntVector_Intrinsics_vec128 r2 = rn[2U]; + Lib_IntVector_Intrinsics_vec128 r3 = rn[3U]; + Lib_IntVector_Intrinsics_vec128 r4 = rn[4U]; + Lib_IntVector_Intrinsics_vec128 r51 = rn5[1U]; + Lib_IntVector_Intrinsics_vec128 r52 = rn5[2U]; + Lib_IntVector_Intrinsics_vec128 r53 = rn5[3U]; + Lib_IntVector_Intrinsics_vec128 r54 = rn5[4U]; + Lib_IntVector_Intrinsics_vec128 f10 = acc[0U]; + Lib_IntVector_Intrinsics_vec128 f110 = acc[1U]; + 
Lib_IntVector_Intrinsics_vec128 f120 = acc[2U]; + Lib_IntVector_Intrinsics_vec128 f130 = acc[3U]; + Lib_IntVector_Intrinsics_vec128 f140 = acc[4U]; + Lib_IntVector_Intrinsics_vec128 a0 = Lib_IntVector_Intrinsics_vec128_mul64(r0, f10); + Lib_IntVector_Intrinsics_vec128 a1 = Lib_IntVector_Intrinsics_vec128_mul64(r1, f10); + Lib_IntVector_Intrinsics_vec128 a2 = Lib_IntVector_Intrinsics_vec128_mul64(r2, f10); + Lib_IntVector_Intrinsics_vec128 a3 = Lib_IntVector_Intrinsics_vec128_mul64(r3, f10); + Lib_IntVector_Intrinsics_vec128 a4 = Lib_IntVector_Intrinsics_vec128_mul64(r4, f10); + Lib_IntVector_Intrinsics_vec128 + a01 = + Lib_IntVector_Intrinsics_vec128_add64(a0, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f110)); + Lib_IntVector_Intrinsics_vec128 + a11 = + Lib_IntVector_Intrinsics_vec128_add64(a1, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f110)); + Lib_IntVector_Intrinsics_vec128 + a21 = + Lib_IntVector_Intrinsics_vec128_add64(a2, + Lib_IntVector_Intrinsics_vec128_mul64(r1, f110)); + Lib_IntVector_Intrinsics_vec128 + a31 = + Lib_IntVector_Intrinsics_vec128_add64(a3, + Lib_IntVector_Intrinsics_vec128_mul64(r2, f110)); + Lib_IntVector_Intrinsics_vec128 + a41 = + Lib_IntVector_Intrinsics_vec128_add64(a4, + Lib_IntVector_Intrinsics_vec128_mul64(r3, f110)); + Lib_IntVector_Intrinsics_vec128 + a02 = + Lib_IntVector_Intrinsics_vec128_add64(a01, + Lib_IntVector_Intrinsics_vec128_mul64(r53, f120)); + Lib_IntVector_Intrinsics_vec128 + a12 = + Lib_IntVector_Intrinsics_vec128_add64(a11, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f120)); + Lib_IntVector_Intrinsics_vec128 + a22 = + Lib_IntVector_Intrinsics_vec128_add64(a21, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f120)); + Lib_IntVector_Intrinsics_vec128 + a32 = + Lib_IntVector_Intrinsics_vec128_add64(a31, + Lib_IntVector_Intrinsics_vec128_mul64(r1, f120)); + Lib_IntVector_Intrinsics_vec128 + a42 = + Lib_IntVector_Intrinsics_vec128_add64(a41, + Lib_IntVector_Intrinsics_vec128_mul64(r2, f120)); + 
Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r52, f130)); + Lib_IntVector_Intrinsics_vec128 + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r53, f130)); + Lib_IntVector_Intrinsics_vec128 + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f130)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f130)); + Lib_IntVector_Intrinsics_vec128 + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r1, f130)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r51, f140)); + Lib_IntVector_Intrinsics_vec128 + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r52, f140)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r53, f140)); + Lib_IntVector_Intrinsics_vec128 + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f140)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f140)); + Lib_IntVector_Intrinsics_vec128 t01 = a04; + Lib_IntVector_Intrinsics_vec128 t1 = a14; + Lib_IntVector_Intrinsics_vec128 t2 = a24; + Lib_IntVector_Intrinsics_vec128 t3 = a34; + Lib_IntVector_Intrinsics_vec128 t4 = a44; + Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + x0 = 
Lib_IntVector_Intrinsics_vec128_and(t01, mask26); + Lib_IntVector_Intrinsics_vec128 + x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t1, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 + x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 + x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 + x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 + x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 + x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 + x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + Lib_IntVector_Intrinsics_vec128 + x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + Lib_IntVector_Intrinsics_vec128 o00 = x02; + 
Lib_IntVector_Intrinsics_vec128 o10 = x12; + Lib_IntVector_Intrinsics_vec128 o20 = x21; + Lib_IntVector_Intrinsics_vec128 o30 = x32; + Lib_IntVector_Intrinsics_vec128 o40 = x42; + acc[0U] = o00; + acc[1U] = o10; + acc[2U] = o20; + acc[3U] = o30; + acc[4U] = o40; + { + Lib_IntVector_Intrinsics_vec128 f100 = acc[0U]; + Lib_IntVector_Intrinsics_vec128 f11 = acc[1U]; + Lib_IntVector_Intrinsics_vec128 f12 = acc[2U]; + Lib_IntVector_Intrinsics_vec128 f13 = acc[3U]; + Lib_IntVector_Intrinsics_vec128 f14 = acc[4U]; + Lib_IntVector_Intrinsics_vec128 f20 = e[0U]; + Lib_IntVector_Intrinsics_vec128 f21 = e[1U]; + Lib_IntVector_Intrinsics_vec128 f22 = e[2U]; + Lib_IntVector_Intrinsics_vec128 f23 = e[3U]; + Lib_IntVector_Intrinsics_vec128 f24 = e[4U]; + Lib_IntVector_Intrinsics_vec128 + o0 = Lib_IntVector_Intrinsics_vec128_add64(f100, f20); + Lib_IntVector_Intrinsics_vec128 + o1 = Lib_IntVector_Intrinsics_vec128_add64(f11, f21); + Lib_IntVector_Intrinsics_vec128 + o2 = Lib_IntVector_Intrinsics_vec128_add64(f12, f22); + Lib_IntVector_Intrinsics_vec128 + o3 = Lib_IntVector_Intrinsics_vec128_add64(f13, f23); + Lib_IntVector_Intrinsics_vec128 + o4 = Lib_IntVector_Intrinsics_vec128_add64(f14, f24); + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + } + } + } + } + } + } + Hacl_Impl_Poly1305_Field32xN_128_fmul_r2_normalize(acc, pre); + } + } + len1 = len - len0; + t10 = text + len0; + nb0 = len1 / (uint32_t)16U; + rem = len1 % (uint32_t)16U; + { + uint32_t i; + for (i = (uint32_t)0U; i < nb0; i++) + { + uint8_t *block = t10 + i * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec128 e[5U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + { + uint64_t u0 = load64_le(block); + uint64_t lo = u0; + uint64_t u = load64_le(block + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec128 f0 = Lib_IntVector_Intrinsics_vec128_load64(lo); + Lib_IntVector_Intrinsics_vec128 f1 = 
Lib_IntVector_Intrinsics_vec128_load64(hi); + Lib_IntVector_Intrinsics_vec128 + f010 = + Lib_IntVector_Intrinsics_vec128_and(f0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f110 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f20 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(f1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f01 = f010; + Lib_IntVector_Intrinsics_vec128 f111 = f110; + Lib_IntVector_Intrinsics_vec128 f2 = f20; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + { + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b); + Lib_IntVector_Intrinsics_vec128 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec128_or(f4, mask); + { + Lib_IntVector_Intrinsics_vec128 *r = pre; + Lib_IntVector_Intrinsics_vec128 *r5 = pre + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 r0 = r[0U]; + Lib_IntVector_Intrinsics_vec128 r1 = r[1U]; + Lib_IntVector_Intrinsics_vec128 r2 = r[2U]; + Lib_IntVector_Intrinsics_vec128 r3 = r[3U]; + Lib_IntVector_Intrinsics_vec128 r4 = r[4U]; + Lib_IntVector_Intrinsics_vec128 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec128 r52 = 
r5[2U]; + Lib_IntVector_Intrinsics_vec128 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec128 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec128 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec128 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec128 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec128 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec128 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec128 a0 = acc[0U]; + Lib_IntVector_Intrinsics_vec128 a1 = acc[1U]; + Lib_IntVector_Intrinsics_vec128 a2 = acc[2U]; + Lib_IntVector_Intrinsics_vec128 a3 = acc[3U]; + Lib_IntVector_Intrinsics_vec128 a4 = acc[4U]; + Lib_IntVector_Intrinsics_vec128 a01 = Lib_IntVector_Intrinsics_vec128_add64(a0, f10); + Lib_IntVector_Intrinsics_vec128 a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, f11); + Lib_IntVector_Intrinsics_vec128 a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, f12); + Lib_IntVector_Intrinsics_vec128 a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, f13); + Lib_IntVector_Intrinsics_vec128 a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, f14); + Lib_IntVector_Intrinsics_vec128 a02 = Lib_IntVector_Intrinsics_vec128_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec128 a12 = Lib_IntVector_Intrinsics_vec128_mul64(r1, a01); + Lib_IntVector_Intrinsics_vec128 a22 = Lib_IntVector_Intrinsics_vec128_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec128 a32 = Lib_IntVector_Intrinsics_vec128_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec128 a42 = Lib_IntVector_Intrinsics_vec128_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec128 + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec128 + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a11)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + 
Lib_IntVector_Intrinsics_vec128_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec128 + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec128 + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec128 + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a21)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec128 + a05 = + Lib_IntVector_Intrinsics_vec128_add64(a04, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec128 + a15 = + Lib_IntVector_Intrinsics_vec128_add64(a14, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec128 + a25 = + Lib_IntVector_Intrinsics_vec128_add64(a24, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec128 + a35 = + Lib_IntVector_Intrinsics_vec128_add64(a34, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec128 + a45 = + Lib_IntVector_Intrinsics_vec128_add64(a44, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a31)); + Lib_IntVector_Intrinsics_vec128 + a06 = + Lib_IntVector_Intrinsics_vec128_add64(a05, + Lib_IntVector_Intrinsics_vec128_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec128 + a16 = + Lib_IntVector_Intrinsics_vec128_add64(a15, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec128 + a26 = + Lib_IntVector_Intrinsics_vec128_add64(a25, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a41)); + 
Lib_IntVector_Intrinsics_vec128 + a36 = + Lib_IntVector_Intrinsics_vec128_add64(a35, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec128 + a46 = + Lib_IntVector_Intrinsics_vec128_add64(a45, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec128 t01 = a06; + Lib_IntVector_Intrinsics_vec128 t11 = a16; + Lib_IntVector_Intrinsics_vec128 t2 = a26; + Lib_IntVector_Intrinsics_vec128 t3 = a36; + Lib_IntVector_Intrinsics_vec128 t4 = a46; + Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t01, mask26); + Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t11, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = 
Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + Lib_IntVector_Intrinsics_vec128 o0 = x02; + Lib_IntVector_Intrinsics_vec128 o1 = x12; + Lib_IntVector_Intrinsics_vec128 o2 = x21; + Lib_IntVector_Intrinsics_vec128 o3 = x32; + Lib_IntVector_Intrinsics_vec128 o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + } + } + } + } + } + if (rem > (uint32_t)0U) + { + uint8_t *last = t10 + nb0 * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec128 e[5U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + { + uint8_t tmp[16U] = { 0U }; + uint64_t u0; + uint64_t lo; + uint64_t u; + uint64_t hi; + Lib_IntVector_Intrinsics_vec128 f0; + Lib_IntVector_Intrinsics_vec128 f1; + Lib_IntVector_Intrinsics_vec128 f010; + Lib_IntVector_Intrinsics_vec128 f110; + Lib_IntVector_Intrinsics_vec128 f20; + Lib_IntVector_Intrinsics_vec128 f30; + Lib_IntVector_Intrinsics_vec128 f40; + Lib_IntVector_Intrinsics_vec128 f01; + Lib_IntVector_Intrinsics_vec128 f111; + Lib_IntVector_Intrinsics_vec128 f2; + Lib_IntVector_Intrinsics_vec128 f3; + Lib_IntVector_Intrinsics_vec128 f4; + uint64_t b; + Lib_IntVector_Intrinsics_vec128 mask; + 
Lib_IntVector_Intrinsics_vec128 fi; + Lib_IntVector_Intrinsics_vec128 *r; + Lib_IntVector_Intrinsics_vec128 *r5; + Lib_IntVector_Intrinsics_vec128 r0; + Lib_IntVector_Intrinsics_vec128 r1; + Lib_IntVector_Intrinsics_vec128 r2; + Lib_IntVector_Intrinsics_vec128 r3; + Lib_IntVector_Intrinsics_vec128 r4; + Lib_IntVector_Intrinsics_vec128 r51; + Lib_IntVector_Intrinsics_vec128 r52; + Lib_IntVector_Intrinsics_vec128 r53; + Lib_IntVector_Intrinsics_vec128 r54; + Lib_IntVector_Intrinsics_vec128 f10; + Lib_IntVector_Intrinsics_vec128 f11; + Lib_IntVector_Intrinsics_vec128 f12; + Lib_IntVector_Intrinsics_vec128 f13; + Lib_IntVector_Intrinsics_vec128 f14; + Lib_IntVector_Intrinsics_vec128 a0; + Lib_IntVector_Intrinsics_vec128 a1; + Lib_IntVector_Intrinsics_vec128 a2; + Lib_IntVector_Intrinsics_vec128 a3; + Lib_IntVector_Intrinsics_vec128 a4; + Lib_IntVector_Intrinsics_vec128 a01; + Lib_IntVector_Intrinsics_vec128 a11; + Lib_IntVector_Intrinsics_vec128 a21; + Lib_IntVector_Intrinsics_vec128 a31; + Lib_IntVector_Intrinsics_vec128 a41; + Lib_IntVector_Intrinsics_vec128 a02; + Lib_IntVector_Intrinsics_vec128 a12; + Lib_IntVector_Intrinsics_vec128 a22; + Lib_IntVector_Intrinsics_vec128 a32; + Lib_IntVector_Intrinsics_vec128 a42; + Lib_IntVector_Intrinsics_vec128 a03; + Lib_IntVector_Intrinsics_vec128 a13; + Lib_IntVector_Intrinsics_vec128 a23; + Lib_IntVector_Intrinsics_vec128 a33; + Lib_IntVector_Intrinsics_vec128 a43; + Lib_IntVector_Intrinsics_vec128 a04; + Lib_IntVector_Intrinsics_vec128 a14; + Lib_IntVector_Intrinsics_vec128 a24; + Lib_IntVector_Intrinsics_vec128 a34; + Lib_IntVector_Intrinsics_vec128 a44; + Lib_IntVector_Intrinsics_vec128 a05; + Lib_IntVector_Intrinsics_vec128 a15; + Lib_IntVector_Intrinsics_vec128 a25; + Lib_IntVector_Intrinsics_vec128 a35; + Lib_IntVector_Intrinsics_vec128 a45; + Lib_IntVector_Intrinsics_vec128 a06; + Lib_IntVector_Intrinsics_vec128 a16; + Lib_IntVector_Intrinsics_vec128 a26; + Lib_IntVector_Intrinsics_vec128 a36; + 
Lib_IntVector_Intrinsics_vec128 a46; + Lib_IntVector_Intrinsics_vec128 t01; + Lib_IntVector_Intrinsics_vec128 t11; + Lib_IntVector_Intrinsics_vec128 t2; + Lib_IntVector_Intrinsics_vec128 t3; + Lib_IntVector_Intrinsics_vec128 t4; + Lib_IntVector_Intrinsics_vec128 mask26; + Lib_IntVector_Intrinsics_vec128 z0; + Lib_IntVector_Intrinsics_vec128 z1; + Lib_IntVector_Intrinsics_vec128 x0; + Lib_IntVector_Intrinsics_vec128 x3; + Lib_IntVector_Intrinsics_vec128 x1; + Lib_IntVector_Intrinsics_vec128 x4; + Lib_IntVector_Intrinsics_vec128 z01; + Lib_IntVector_Intrinsics_vec128 z11; + Lib_IntVector_Intrinsics_vec128 t; + Lib_IntVector_Intrinsics_vec128 z12; + Lib_IntVector_Intrinsics_vec128 x11; + Lib_IntVector_Intrinsics_vec128 x41; + Lib_IntVector_Intrinsics_vec128 x2; + Lib_IntVector_Intrinsics_vec128 x01; + Lib_IntVector_Intrinsics_vec128 z02; + Lib_IntVector_Intrinsics_vec128 z13; + Lib_IntVector_Intrinsics_vec128 x21; + Lib_IntVector_Intrinsics_vec128 x02; + Lib_IntVector_Intrinsics_vec128 x31; + Lib_IntVector_Intrinsics_vec128 x12; + Lib_IntVector_Intrinsics_vec128 z03; + Lib_IntVector_Intrinsics_vec128 x32; + Lib_IntVector_Intrinsics_vec128 x42; + Lib_IntVector_Intrinsics_vec128 o0; + Lib_IntVector_Intrinsics_vec128 o1; + Lib_IntVector_Intrinsics_vec128 o2; + Lib_IntVector_Intrinsics_vec128 o3; + Lib_IntVector_Intrinsics_vec128 o4; + memcpy(tmp, last, rem * sizeof (uint8_t)); + u0 = load64_le(tmp); + lo = u0; + u = load64_le(tmp + (uint32_t)8U); + hi = u; + f0 = Lib_IntVector_Intrinsics_vec128_load64(lo); + f1 = Lib_IntVector_Intrinsics_vec128_load64(hi); + f010 = + Lib_IntVector_Intrinsics_vec128_and(f0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + f110 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + f20 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)52U), + 
Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(f1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(f1, (uint32_t)40U); + f01 = f010; + f111 = f110; + f2 = f20; + f3 = f30; + f4 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f4; + b = (uint64_t)1U << rem * (uint32_t)8U % (uint32_t)26U; + mask = Lib_IntVector_Intrinsics_vec128_load64(b); + fi = e[rem * (uint32_t)8U / (uint32_t)26U]; + e[rem * (uint32_t)8U / (uint32_t)26U] = Lib_IntVector_Intrinsics_vec128_or(fi, mask); + r = pre; + r5 = pre + (uint32_t)5U; + r0 = r[0U]; + r1 = r[1U]; + r2 = r[2U]; + r3 = r[3U]; + r4 = r[4U]; + r51 = r5[1U]; + r52 = r5[2U]; + r53 = r5[3U]; + r54 = r5[4U]; + f10 = e[0U]; + f11 = e[1U]; + f12 = e[2U]; + f13 = e[3U]; + f14 = e[4U]; + a0 = acc[0U]; + a1 = acc[1U]; + a2 = acc[2U]; + a3 = acc[3U]; + a4 = acc[4U]; + a01 = Lib_IntVector_Intrinsics_vec128_add64(a0, f10); + a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, f11); + a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, f12); + a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, f13); + a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, f14); + a02 = Lib_IntVector_Intrinsics_vec128_mul64(r0, a01); + a12 = Lib_IntVector_Intrinsics_vec128_mul64(r1, a01); + a22 = Lib_IntVector_Intrinsics_vec128_mul64(r2, a01); + a32 = Lib_IntVector_Intrinsics_vec128_mul64(r3, a01); + a42 = Lib_IntVector_Intrinsics_vec128_mul64(r4, a01); + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a11)); + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a11)); + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r1, 
a11)); + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a11)); + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r3, a11)); + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a21)); + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a21)); + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a21)); + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a21)); + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a21)); + a05 = + Lib_IntVector_Intrinsics_vec128_add64(a04, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a31)); + a15 = + Lib_IntVector_Intrinsics_vec128_add64(a14, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a31)); + a25 = + Lib_IntVector_Intrinsics_vec128_add64(a24, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a31)); + a35 = + Lib_IntVector_Intrinsics_vec128_add64(a34, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a31)); + a45 = + Lib_IntVector_Intrinsics_vec128_add64(a44, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a31)); + a06 = + Lib_IntVector_Intrinsics_vec128_add64(a05, + Lib_IntVector_Intrinsics_vec128_mul64(r51, a41)); + a16 = + Lib_IntVector_Intrinsics_vec128_add64(a15, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a41)); + a26 = + Lib_IntVector_Intrinsics_vec128_add64(a25, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a41)); + a36 = + Lib_IntVector_Intrinsics_vec128_add64(a35, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a41)); + a46 = + Lib_IntVector_Intrinsics_vec128_add64(a45, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a41)); + t01 = a06; + t11 = a16; + t2 = a26; + t3 = a36; + t4 = a46; + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t01, (uint32_t)26U); + z1 = 
Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + x0 = Lib_IntVector_Intrinsics_vec128_and(t01, mask26); + x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + x1 = Lib_IntVector_Intrinsics_vec128_add64(t11, z0); + x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + o0 = x02; + o1 = x12; + o2 = x21; + o3 = x32; + o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + return; + } + } +} + +void +Hacl_Poly1305_128_poly1305_finish( + uint8_t *tag, + uint8_t *key, + Lib_IntVector_Intrinsics_vec128 *ctx +) +{ + Lib_IntVector_Intrinsics_vec128 *acc = ctx; + uint8_t *ks = key + (uint32_t)16U; + Lib_IntVector_Intrinsics_vec128 f00 = acc[0U]; + Lib_IntVector_Intrinsics_vec128 f13 = acc[1U]; + Lib_IntVector_Intrinsics_vec128 f23 = acc[2U]; + Lib_IntVector_Intrinsics_vec128 f33 = acc[3U]; + Lib_IntVector_Intrinsics_vec128 f40 = acc[4U]; + Lib_IntVector_Intrinsics_vec128 + 
l0 = Lib_IntVector_Intrinsics_vec128_add64(f00, Lib_IntVector_Intrinsics_vec128_zero); + Lib_IntVector_Intrinsics_vec128 + tmp00 = + Lib_IntVector_Intrinsics_vec128_and(l0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c00 = Lib_IntVector_Intrinsics_vec128_shift_right64(l0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l1 = Lib_IntVector_Intrinsics_vec128_add64(f13, c00); + Lib_IntVector_Intrinsics_vec128 + tmp10 = + Lib_IntVector_Intrinsics_vec128_and(l1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c10 = Lib_IntVector_Intrinsics_vec128_shift_right64(l1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l2 = Lib_IntVector_Intrinsics_vec128_add64(f23, c10); + Lib_IntVector_Intrinsics_vec128 + tmp20 = + Lib_IntVector_Intrinsics_vec128_and(l2, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c20 = Lib_IntVector_Intrinsics_vec128_shift_right64(l2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l3 = Lib_IntVector_Intrinsics_vec128_add64(f33, c20); + Lib_IntVector_Intrinsics_vec128 + tmp30 = + Lib_IntVector_Intrinsics_vec128_and(l3, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c30 = Lib_IntVector_Intrinsics_vec128_shift_right64(l3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l4 = Lib_IntVector_Intrinsics_vec128_add64(f40, c30); + Lib_IntVector_Intrinsics_vec128 + tmp40 = + Lib_IntVector_Intrinsics_vec128_and(l4, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c40 = Lib_IntVector_Intrinsics_vec128_shift_right64(l4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + f010 = + Lib_IntVector_Intrinsics_vec128_add64(tmp00, + Lib_IntVector_Intrinsics_vec128_smul64(c40, (uint64_t)5U)); + Lib_IntVector_Intrinsics_vec128 f110 = tmp10; + Lib_IntVector_Intrinsics_vec128 f210 = tmp20; + 
Lib_IntVector_Intrinsics_vec128 f310 = tmp30; + Lib_IntVector_Intrinsics_vec128 f410 = tmp40; + Lib_IntVector_Intrinsics_vec128 + l = Lib_IntVector_Intrinsics_vec128_add64(f010, Lib_IntVector_Intrinsics_vec128_zero); + Lib_IntVector_Intrinsics_vec128 + tmp0 = + Lib_IntVector_Intrinsics_vec128_and(l, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c0 = Lib_IntVector_Intrinsics_vec128_shift_right64(l, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l5 = Lib_IntVector_Intrinsics_vec128_add64(f110, c0); + Lib_IntVector_Intrinsics_vec128 + tmp1 = + Lib_IntVector_Intrinsics_vec128_and(l5, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c1 = Lib_IntVector_Intrinsics_vec128_shift_right64(l5, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l6 = Lib_IntVector_Intrinsics_vec128_add64(f210, c1); + Lib_IntVector_Intrinsics_vec128 + tmp2 = + Lib_IntVector_Intrinsics_vec128_and(l6, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c2 = Lib_IntVector_Intrinsics_vec128_shift_right64(l6, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l7 = Lib_IntVector_Intrinsics_vec128_add64(f310, c2); + Lib_IntVector_Intrinsics_vec128 + tmp3 = + Lib_IntVector_Intrinsics_vec128_and(l7, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c3 = Lib_IntVector_Intrinsics_vec128_shift_right64(l7, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l8 = Lib_IntVector_Intrinsics_vec128_add64(f410, c3); + Lib_IntVector_Intrinsics_vec128 + tmp4 = + Lib_IntVector_Intrinsics_vec128_and(l8, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c4 = Lib_IntVector_Intrinsics_vec128_shift_right64(l8, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + f02 = + Lib_IntVector_Intrinsics_vec128_add64(tmp0, + Lib_IntVector_Intrinsics_vec128_smul64(c4, 
(uint64_t)5U)); + Lib_IntVector_Intrinsics_vec128 f12 = tmp1; + Lib_IntVector_Intrinsics_vec128 f22 = tmp2; + Lib_IntVector_Intrinsics_vec128 f32 = tmp3; + Lib_IntVector_Intrinsics_vec128 f42 = tmp4; + Lib_IntVector_Intrinsics_vec128 + mh = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + ml = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffffbU); + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_eq64(f42, mh); + Lib_IntVector_Intrinsics_vec128 + mask1 = + Lib_IntVector_Intrinsics_vec128_and(mask, + Lib_IntVector_Intrinsics_vec128_eq64(f32, mh)); + Lib_IntVector_Intrinsics_vec128 + mask2 = + Lib_IntVector_Intrinsics_vec128_and(mask1, + Lib_IntVector_Intrinsics_vec128_eq64(f22, mh)); + Lib_IntVector_Intrinsics_vec128 + mask3 = + Lib_IntVector_Intrinsics_vec128_and(mask2, + Lib_IntVector_Intrinsics_vec128_eq64(f12, mh)); + Lib_IntVector_Intrinsics_vec128 + mask4 = + Lib_IntVector_Intrinsics_vec128_and(mask3, + Lib_IntVector_Intrinsics_vec128_lognot(Lib_IntVector_Intrinsics_vec128_gt64(ml, f02))); + Lib_IntVector_Intrinsics_vec128 ph = Lib_IntVector_Intrinsics_vec128_and(mask4, mh); + Lib_IntVector_Intrinsics_vec128 pl = Lib_IntVector_Intrinsics_vec128_and(mask4, ml); + Lib_IntVector_Intrinsics_vec128 o0 = Lib_IntVector_Intrinsics_vec128_sub64(f02, pl); + Lib_IntVector_Intrinsics_vec128 o1 = Lib_IntVector_Intrinsics_vec128_sub64(f12, ph); + Lib_IntVector_Intrinsics_vec128 o2 = Lib_IntVector_Intrinsics_vec128_sub64(f22, ph); + Lib_IntVector_Intrinsics_vec128 o3 = Lib_IntVector_Intrinsics_vec128_sub64(f32, ph); + Lib_IntVector_Intrinsics_vec128 o4 = Lib_IntVector_Intrinsics_vec128_sub64(f42, ph); + Lib_IntVector_Intrinsics_vec128 f011 = o0; + Lib_IntVector_Intrinsics_vec128 f111 = o1; + Lib_IntVector_Intrinsics_vec128 f211 = o2; + Lib_IntVector_Intrinsics_vec128 f311 = o3; + Lib_IntVector_Intrinsics_vec128 f411 = o4; + Lib_IntVector_Intrinsics_vec128 f0; + Lib_IntVector_Intrinsics_vec128 f1; 
+ Lib_IntVector_Intrinsics_vec128 f2; + Lib_IntVector_Intrinsics_vec128 f3; + Lib_IntVector_Intrinsics_vec128 f4; + uint64_t f01; + uint64_t f112; + uint64_t f212; + uint64_t f312; + uint64_t f41; + uint64_t lo0; + uint64_t hi0; + uint64_t f10; + uint64_t f11; + uint64_t u0; + uint64_t lo; + uint64_t u; + uint64_t hi; + uint64_t f20; + uint64_t f21; + uint64_t r0; + uint64_t r1; + uint64_t c; + uint64_t r11; + uint64_t f30; + uint64_t f31; + acc[0U] = f011; + acc[1U] = f111; + acc[2U] = f211; + acc[3U] = f311; + acc[4U] = f411; + f0 = acc[0U]; + f1 = acc[1U]; + f2 = acc[2U]; + f3 = acc[3U]; + f4 = acc[4U]; + f01 = Lib_IntVector_Intrinsics_vec128_extract64(f0, (uint32_t)0U); + f112 = Lib_IntVector_Intrinsics_vec128_extract64(f1, (uint32_t)0U); + f212 = Lib_IntVector_Intrinsics_vec128_extract64(f2, (uint32_t)0U); + f312 = Lib_IntVector_Intrinsics_vec128_extract64(f3, (uint32_t)0U); + f41 = Lib_IntVector_Intrinsics_vec128_extract64(f4, (uint32_t)0U); + lo0 = (f01 | f112 << (uint32_t)26U) | f212 << (uint32_t)52U; + hi0 = (f212 >> (uint32_t)12U | f312 << (uint32_t)14U) | f41 << (uint32_t)40U; + f10 = lo0; + f11 = hi0; + u0 = load64_le(ks); + lo = u0; + u = load64_le(ks + (uint32_t)8U); + hi = u; + f20 = lo; + f21 = hi; + r0 = f10 + f20; + r1 = f11 + f21; + c = (r0 ^ ((r0 ^ f20) | ((r0 - f20) ^ f20))) >> (uint32_t)63U; + r11 = r1 + c; + f30 = r0; + f31 = r11; + store64_le(tag, f30); + store64_le(tag + (uint32_t)8U, f31); +} + +void Hacl_Poly1305_128_poly1305_mac(uint8_t *tag, uint32_t len, uint8_t *text, uint8_t *key) +{ + Lib_IntVector_Intrinsics_vec128 ctx[25U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)25U; ++_i) + ctx[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + Hacl_Poly1305_128_poly1305_init(ctx, key); + Hacl_Poly1305_128_poly1305_update(ctx, len, text); + Hacl_Poly1305_128_poly1305_finish(tag, key, ctx); +} + diff --git a/src/c89/Hacl_Poly1305_256.c b/src/c89/Hacl_Poly1305_256.c new file mode 100644 index 00000000..1f276144 --- /dev/null 
+++ b/src/c89/Hacl_Poly1305_256.c 
@@ -0,0 +1,2472 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Poly1305_256.h" + + + +void +Hacl_Impl_Poly1305_Field32xN_256_load_acc4(Lib_IntVector_Intrinsics_vec256 *acc, uint8_t *b) +{ + Lib_IntVector_Intrinsics_vec256 e[5U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + Lib_IntVector_Intrinsics_vec256 lo = Lib_IntVector_Intrinsics_vec256_load64_le(b); + Lib_IntVector_Intrinsics_vec256 + hi = Lib_IntVector_Intrinsics_vec256_load64_le(b + (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 m0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(lo, hi); + Lib_IntVector_Intrinsics_vec256 + m1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(lo, hi); + Lib_IntVector_Intrinsics_vec256 + m2 = Lib_IntVector_Intrinsics_vec256_shift_right(m0, (uint32_t)48U); + Lib_IntVector_Intrinsics_vec256 + m3 = Lib_IntVector_Intrinsics_vec256_shift_right(m1, (uint32_t)48U); + Lib_IntVector_Intrinsics_vec256 m4 = Lib_IntVector_Intrinsics_vec256_interleave_high64(m0, m1); + Lib_IntVector_Intrinsics_vec256 t0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(m0, m1); + Lib_IntVector_Intrinsics_vec256 t3 = Lib_IntVector_Intrinsics_vec256_interleave_low64(m2, m3); + Lib_IntVector_Intrinsics_vec256 + t2 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)4U); + Lib_IntVector_Intrinsics_vec256 o20 = Lib_IntVector_Intrinsics_vec256_and(t2, mask26); + Lib_IntVector_Intrinsics_vec256 + t1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 o10 = Lib_IntVector_Intrinsics_vec256_and(t1, mask26); + Lib_IntVector_Intrinsics_vec256 o5 = Lib_IntVector_Intrinsics_vec256_and(t0, mask26); + Lib_IntVector_Intrinsics_vec256 + t31 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)30U); + Lib_IntVector_Intrinsics_vec256 o30 = Lib_IntVector_Intrinsics_vec256_and(t31, mask26); + 
Lib_IntVector_Intrinsics_vec256 + o40 = Lib_IntVector_Intrinsics_vec256_shift_right64(m4, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 o0 = o5; + Lib_IntVector_Intrinsics_vec256 o1 = o10; + Lib_IntVector_Intrinsics_vec256 o2 = o20; + Lib_IntVector_Intrinsics_vec256 o3 = o30; + Lib_IntVector_Intrinsics_vec256 o4 = o40; + uint64_t b1; + Lib_IntVector_Intrinsics_vec256 mask; + Lib_IntVector_Intrinsics_vec256 f40; + Lib_IntVector_Intrinsics_vec256 acc0; + Lib_IntVector_Intrinsics_vec256 acc1; + Lib_IntVector_Intrinsics_vec256 acc2; + Lib_IntVector_Intrinsics_vec256 acc3; + Lib_IntVector_Intrinsics_vec256 acc4; + Lib_IntVector_Intrinsics_vec256 e0; + Lib_IntVector_Intrinsics_vec256 e1; + Lib_IntVector_Intrinsics_vec256 e2; + Lib_IntVector_Intrinsics_vec256 e3; + Lib_IntVector_Intrinsics_vec256 e4; + Lib_IntVector_Intrinsics_vec256 r0; + Lib_IntVector_Intrinsics_vec256 r1; + Lib_IntVector_Intrinsics_vec256 r2; + Lib_IntVector_Intrinsics_vec256 r3; + Lib_IntVector_Intrinsics_vec256 r4; + Lib_IntVector_Intrinsics_vec256 r01; + Lib_IntVector_Intrinsics_vec256 r11; + Lib_IntVector_Intrinsics_vec256 r21; + Lib_IntVector_Intrinsics_vec256 r31; + Lib_IntVector_Intrinsics_vec256 r41; + Lib_IntVector_Intrinsics_vec256 f0; + Lib_IntVector_Intrinsics_vec256 f1; + Lib_IntVector_Intrinsics_vec256 f2; + Lib_IntVector_Intrinsics_vec256 f3; + Lib_IntVector_Intrinsics_vec256 f4; + Lib_IntVector_Intrinsics_vec256 acc01; + Lib_IntVector_Intrinsics_vec256 acc11; + Lib_IntVector_Intrinsics_vec256 acc21; + Lib_IntVector_Intrinsics_vec256 acc31; + Lib_IntVector_Intrinsics_vec256 acc41; + e[0U] = o0; + e[1U] = o1; + e[2U] = o2; + e[3U] = o3; + e[4U] = o4; + b1 = (uint64_t)0x1000000U; + mask = Lib_IntVector_Intrinsics_vec256_load64(b1); + f40 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec256_or(f40, mask); + acc0 = acc[0U]; + acc1 = acc[1U]; + acc2 = acc[2U]; + acc3 = acc[3U]; + acc4 = acc[4U]; + e0 = e[0U]; + e1 = e[1U]; + e2 = e[2U]; + e3 = e[3U]; + e4 = e[4U]; + r0 = 
Lib_IntVector_Intrinsics_vec256_zero; + r1 = Lib_IntVector_Intrinsics_vec256_zero; + r2 = Lib_IntVector_Intrinsics_vec256_zero; + r3 = Lib_IntVector_Intrinsics_vec256_zero; + r4 = Lib_IntVector_Intrinsics_vec256_zero; + r01 = + Lib_IntVector_Intrinsics_vec256_insert64(r0, + Lib_IntVector_Intrinsics_vec256_extract64(acc0, (uint32_t)0U), + (uint32_t)0U); + r11 = + Lib_IntVector_Intrinsics_vec256_insert64(r1, + Lib_IntVector_Intrinsics_vec256_extract64(acc1, (uint32_t)0U), + (uint32_t)0U); + r21 = + Lib_IntVector_Intrinsics_vec256_insert64(r2, + Lib_IntVector_Intrinsics_vec256_extract64(acc2, (uint32_t)0U), + (uint32_t)0U); + r31 = + Lib_IntVector_Intrinsics_vec256_insert64(r3, + Lib_IntVector_Intrinsics_vec256_extract64(acc3, (uint32_t)0U), + (uint32_t)0U); + r41 = + Lib_IntVector_Intrinsics_vec256_insert64(r4, + Lib_IntVector_Intrinsics_vec256_extract64(acc4, (uint32_t)0U), + (uint32_t)0U); + f0 = Lib_IntVector_Intrinsics_vec256_add64(r01, e0); + f1 = Lib_IntVector_Intrinsics_vec256_add64(r11, e1); + f2 = Lib_IntVector_Intrinsics_vec256_add64(r21, e2); + f3 = Lib_IntVector_Intrinsics_vec256_add64(r31, e3); + f4 = Lib_IntVector_Intrinsics_vec256_add64(r41, e4); + acc01 = f0; + acc11 = f1; + acc21 = f2; + acc31 = f3; + acc41 = f4; + acc[0U] = acc01; + acc[1U] = acc11; + acc[2U] = acc21; + acc[3U] = acc31; + acc[4U] = acc41; + } +} + +void +Hacl_Impl_Poly1305_Field32xN_256_fmul_r4_normalize( + Lib_IntVector_Intrinsics_vec256 *out, + Lib_IntVector_Intrinsics_vec256 *p +) +{ + Lib_IntVector_Intrinsics_vec256 *r = p; + Lib_IntVector_Intrinsics_vec256 *r_5 = p + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 *r4 = p + (uint32_t)10U; + Lib_IntVector_Intrinsics_vec256 a0 = out[0U]; + Lib_IntVector_Intrinsics_vec256 a1 = out[1U]; + Lib_IntVector_Intrinsics_vec256 a2 = out[2U]; + Lib_IntVector_Intrinsics_vec256 a3 = out[3U]; + Lib_IntVector_Intrinsics_vec256 a4 = out[4U]; + Lib_IntVector_Intrinsics_vec256 r10 = r[0U]; + Lib_IntVector_Intrinsics_vec256 r11 = r[1U]; + 
Lib_IntVector_Intrinsics_vec256 r12 = r[2U]; + Lib_IntVector_Intrinsics_vec256 r13 = r[3U]; + Lib_IntVector_Intrinsics_vec256 r14 = r[4U]; + Lib_IntVector_Intrinsics_vec256 r151 = r_5[1U]; + Lib_IntVector_Intrinsics_vec256 r152 = r_5[2U]; + Lib_IntVector_Intrinsics_vec256 r153 = r_5[3U]; + Lib_IntVector_Intrinsics_vec256 r154 = r_5[4U]; + Lib_IntVector_Intrinsics_vec256 r40 = r4[0U]; + Lib_IntVector_Intrinsics_vec256 r41 = r4[1U]; + Lib_IntVector_Intrinsics_vec256 r42 = r4[2U]; + Lib_IntVector_Intrinsics_vec256 r43 = r4[3U]; + Lib_IntVector_Intrinsics_vec256 r44 = r4[4U]; + Lib_IntVector_Intrinsics_vec256 a010 = Lib_IntVector_Intrinsics_vec256_mul64(r10, r10); + Lib_IntVector_Intrinsics_vec256 a110 = Lib_IntVector_Intrinsics_vec256_mul64(r11, r10); + Lib_IntVector_Intrinsics_vec256 a210 = Lib_IntVector_Intrinsics_vec256_mul64(r12, r10); + Lib_IntVector_Intrinsics_vec256 a310 = Lib_IntVector_Intrinsics_vec256_mul64(r13, r10); + Lib_IntVector_Intrinsics_vec256 a410 = Lib_IntVector_Intrinsics_vec256_mul64(r14, r10); + Lib_IntVector_Intrinsics_vec256 + a020 = + Lib_IntVector_Intrinsics_vec256_add64(a010, + Lib_IntVector_Intrinsics_vec256_mul64(r154, r11)); + Lib_IntVector_Intrinsics_vec256 + a120 = + Lib_IntVector_Intrinsics_vec256_add64(a110, + Lib_IntVector_Intrinsics_vec256_mul64(r10, r11)); + Lib_IntVector_Intrinsics_vec256 + a220 = + Lib_IntVector_Intrinsics_vec256_add64(a210, + Lib_IntVector_Intrinsics_vec256_mul64(r11, r11)); + Lib_IntVector_Intrinsics_vec256 + a320 = + Lib_IntVector_Intrinsics_vec256_add64(a310, + Lib_IntVector_Intrinsics_vec256_mul64(r12, r11)); + Lib_IntVector_Intrinsics_vec256 + a420 = + Lib_IntVector_Intrinsics_vec256_add64(a410, + Lib_IntVector_Intrinsics_vec256_mul64(r13, r11)); + Lib_IntVector_Intrinsics_vec256 + a030 = + Lib_IntVector_Intrinsics_vec256_add64(a020, + Lib_IntVector_Intrinsics_vec256_mul64(r153, r12)); + Lib_IntVector_Intrinsics_vec256 + a130 = + Lib_IntVector_Intrinsics_vec256_add64(a120, + 
Lib_IntVector_Intrinsics_vec256_mul64(r154, r12)); + Lib_IntVector_Intrinsics_vec256 + a230 = + Lib_IntVector_Intrinsics_vec256_add64(a220, + Lib_IntVector_Intrinsics_vec256_mul64(r10, r12)); + Lib_IntVector_Intrinsics_vec256 + a330 = + Lib_IntVector_Intrinsics_vec256_add64(a320, + Lib_IntVector_Intrinsics_vec256_mul64(r11, r12)); + Lib_IntVector_Intrinsics_vec256 + a430 = + Lib_IntVector_Intrinsics_vec256_add64(a420, + Lib_IntVector_Intrinsics_vec256_mul64(r12, r12)); + Lib_IntVector_Intrinsics_vec256 + a040 = + Lib_IntVector_Intrinsics_vec256_add64(a030, + Lib_IntVector_Intrinsics_vec256_mul64(r152, r13)); + Lib_IntVector_Intrinsics_vec256 + a140 = + Lib_IntVector_Intrinsics_vec256_add64(a130, + Lib_IntVector_Intrinsics_vec256_mul64(r153, r13)); + Lib_IntVector_Intrinsics_vec256 + a240 = + Lib_IntVector_Intrinsics_vec256_add64(a230, + Lib_IntVector_Intrinsics_vec256_mul64(r154, r13)); + Lib_IntVector_Intrinsics_vec256 + a340 = + Lib_IntVector_Intrinsics_vec256_add64(a330, + Lib_IntVector_Intrinsics_vec256_mul64(r10, r13)); + Lib_IntVector_Intrinsics_vec256 + a440 = + Lib_IntVector_Intrinsics_vec256_add64(a430, + Lib_IntVector_Intrinsics_vec256_mul64(r11, r13)); + Lib_IntVector_Intrinsics_vec256 + a050 = + Lib_IntVector_Intrinsics_vec256_add64(a040, + Lib_IntVector_Intrinsics_vec256_mul64(r151, r14)); + Lib_IntVector_Intrinsics_vec256 + a150 = + Lib_IntVector_Intrinsics_vec256_add64(a140, + Lib_IntVector_Intrinsics_vec256_mul64(r152, r14)); + Lib_IntVector_Intrinsics_vec256 + a250 = + Lib_IntVector_Intrinsics_vec256_add64(a240, + Lib_IntVector_Intrinsics_vec256_mul64(r153, r14)); + Lib_IntVector_Intrinsics_vec256 + a350 = + Lib_IntVector_Intrinsics_vec256_add64(a340, + Lib_IntVector_Intrinsics_vec256_mul64(r154, r14)); + Lib_IntVector_Intrinsics_vec256 + a450 = + Lib_IntVector_Intrinsics_vec256_add64(a440, + Lib_IntVector_Intrinsics_vec256_mul64(r10, r14)); + Lib_IntVector_Intrinsics_vec256 t00 = a050; + Lib_IntVector_Intrinsics_vec256 t10 = a150; + 
Lib_IntVector_Intrinsics_vec256 t20 = a250; + Lib_IntVector_Intrinsics_vec256 t30 = a350; + Lib_IntVector_Intrinsics_vec256 t40 = a450; + Lib_IntVector_Intrinsics_vec256 + mask260 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z00 = Lib_IntVector_Intrinsics_vec256_shift_right64(t00, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z10 = Lib_IntVector_Intrinsics_vec256_shift_right64(t30, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x00 = Lib_IntVector_Intrinsics_vec256_and(t00, mask260); + Lib_IntVector_Intrinsics_vec256 x30 = Lib_IntVector_Intrinsics_vec256_and(t30, mask260); + Lib_IntVector_Intrinsics_vec256 x10 = Lib_IntVector_Intrinsics_vec256_add64(t10, z00); + Lib_IntVector_Intrinsics_vec256 x40 = Lib_IntVector_Intrinsics_vec256_add64(t40, z10); + Lib_IntVector_Intrinsics_vec256 + z010 = Lib_IntVector_Intrinsics_vec256_shift_right64(x10, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z110 = Lib_IntVector_Intrinsics_vec256_shift_right64(x40, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t5 = Lib_IntVector_Intrinsics_vec256_shift_left64(z110, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z110, t5); + Lib_IntVector_Intrinsics_vec256 x110 = Lib_IntVector_Intrinsics_vec256_and(x10, mask260); + Lib_IntVector_Intrinsics_vec256 x410 = Lib_IntVector_Intrinsics_vec256_and(x40, mask260); + Lib_IntVector_Intrinsics_vec256 x20 = Lib_IntVector_Intrinsics_vec256_add64(t20, z010); + Lib_IntVector_Intrinsics_vec256 x010 = Lib_IntVector_Intrinsics_vec256_add64(x00, z12); + Lib_IntVector_Intrinsics_vec256 + z020 = Lib_IntVector_Intrinsics_vec256_shift_right64(x20, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z130 = Lib_IntVector_Intrinsics_vec256_shift_right64(x010, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x210 = Lib_IntVector_Intrinsics_vec256_and(x20, mask260); + Lib_IntVector_Intrinsics_vec256 x020 = Lib_IntVector_Intrinsics_vec256_and(x010, 
mask260); + Lib_IntVector_Intrinsics_vec256 x310 = Lib_IntVector_Intrinsics_vec256_add64(x30, z020); + Lib_IntVector_Intrinsics_vec256 x120 = Lib_IntVector_Intrinsics_vec256_add64(x110, z130); + Lib_IntVector_Intrinsics_vec256 + z030 = Lib_IntVector_Intrinsics_vec256_shift_right64(x310, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x320 = Lib_IntVector_Intrinsics_vec256_and(x310, mask260); + Lib_IntVector_Intrinsics_vec256 x420 = Lib_IntVector_Intrinsics_vec256_add64(x410, z030); + Lib_IntVector_Intrinsics_vec256 r20 = x020; + Lib_IntVector_Intrinsics_vec256 r21 = x120; + Lib_IntVector_Intrinsics_vec256 r22 = x210; + Lib_IntVector_Intrinsics_vec256 r23 = x320; + Lib_IntVector_Intrinsics_vec256 r24 = x420; + Lib_IntVector_Intrinsics_vec256 a011 = Lib_IntVector_Intrinsics_vec256_mul64(r10, r20); + Lib_IntVector_Intrinsics_vec256 a111 = Lib_IntVector_Intrinsics_vec256_mul64(r11, r20); + Lib_IntVector_Intrinsics_vec256 a211 = Lib_IntVector_Intrinsics_vec256_mul64(r12, r20); + Lib_IntVector_Intrinsics_vec256 a311 = Lib_IntVector_Intrinsics_vec256_mul64(r13, r20); + Lib_IntVector_Intrinsics_vec256 a411 = Lib_IntVector_Intrinsics_vec256_mul64(r14, r20); + Lib_IntVector_Intrinsics_vec256 + a021 = + Lib_IntVector_Intrinsics_vec256_add64(a011, + Lib_IntVector_Intrinsics_vec256_mul64(r154, r21)); + Lib_IntVector_Intrinsics_vec256 + a121 = + Lib_IntVector_Intrinsics_vec256_add64(a111, + Lib_IntVector_Intrinsics_vec256_mul64(r10, r21)); + Lib_IntVector_Intrinsics_vec256 + a221 = + Lib_IntVector_Intrinsics_vec256_add64(a211, + Lib_IntVector_Intrinsics_vec256_mul64(r11, r21)); + Lib_IntVector_Intrinsics_vec256 + a321 = + Lib_IntVector_Intrinsics_vec256_add64(a311, + Lib_IntVector_Intrinsics_vec256_mul64(r12, r21)); + Lib_IntVector_Intrinsics_vec256 + a421 = + Lib_IntVector_Intrinsics_vec256_add64(a411, + Lib_IntVector_Intrinsics_vec256_mul64(r13, r21)); + Lib_IntVector_Intrinsics_vec256 + a031 = + Lib_IntVector_Intrinsics_vec256_add64(a021, + 
Lib_IntVector_Intrinsics_vec256_mul64(r153, r22)); + Lib_IntVector_Intrinsics_vec256 + a131 = + Lib_IntVector_Intrinsics_vec256_add64(a121, + Lib_IntVector_Intrinsics_vec256_mul64(r154, r22)); + Lib_IntVector_Intrinsics_vec256 + a231 = + Lib_IntVector_Intrinsics_vec256_add64(a221, + Lib_IntVector_Intrinsics_vec256_mul64(r10, r22)); + Lib_IntVector_Intrinsics_vec256 + a331 = + Lib_IntVector_Intrinsics_vec256_add64(a321, + Lib_IntVector_Intrinsics_vec256_mul64(r11, r22)); + Lib_IntVector_Intrinsics_vec256 + a431 = + Lib_IntVector_Intrinsics_vec256_add64(a421, + Lib_IntVector_Intrinsics_vec256_mul64(r12, r22)); + Lib_IntVector_Intrinsics_vec256 + a041 = + Lib_IntVector_Intrinsics_vec256_add64(a031, + Lib_IntVector_Intrinsics_vec256_mul64(r152, r23)); + Lib_IntVector_Intrinsics_vec256 + a141 = + Lib_IntVector_Intrinsics_vec256_add64(a131, + Lib_IntVector_Intrinsics_vec256_mul64(r153, r23)); + Lib_IntVector_Intrinsics_vec256 + a241 = + Lib_IntVector_Intrinsics_vec256_add64(a231, + Lib_IntVector_Intrinsics_vec256_mul64(r154, r23)); + Lib_IntVector_Intrinsics_vec256 + a341 = + Lib_IntVector_Intrinsics_vec256_add64(a331, + Lib_IntVector_Intrinsics_vec256_mul64(r10, r23)); + Lib_IntVector_Intrinsics_vec256 + a441 = + Lib_IntVector_Intrinsics_vec256_add64(a431, + Lib_IntVector_Intrinsics_vec256_mul64(r11, r23)); + Lib_IntVector_Intrinsics_vec256 + a051 = + Lib_IntVector_Intrinsics_vec256_add64(a041, + Lib_IntVector_Intrinsics_vec256_mul64(r151, r24)); + Lib_IntVector_Intrinsics_vec256 + a151 = + Lib_IntVector_Intrinsics_vec256_add64(a141, + Lib_IntVector_Intrinsics_vec256_mul64(r152, r24)); + Lib_IntVector_Intrinsics_vec256 + a251 = + Lib_IntVector_Intrinsics_vec256_add64(a241, + Lib_IntVector_Intrinsics_vec256_mul64(r153, r24)); + Lib_IntVector_Intrinsics_vec256 + a351 = + Lib_IntVector_Intrinsics_vec256_add64(a341, + Lib_IntVector_Intrinsics_vec256_mul64(r154, r24)); + Lib_IntVector_Intrinsics_vec256 + a451 = + Lib_IntVector_Intrinsics_vec256_add64(a441, + 
Lib_IntVector_Intrinsics_vec256_mul64(r10, r24)); + Lib_IntVector_Intrinsics_vec256 t01 = a051; + Lib_IntVector_Intrinsics_vec256 t11 = a151; + Lib_IntVector_Intrinsics_vec256 t21 = a251; + Lib_IntVector_Intrinsics_vec256 t31 = a351; + Lib_IntVector_Intrinsics_vec256 t41 = a451; + Lib_IntVector_Intrinsics_vec256 + mask261 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z04 = Lib_IntVector_Intrinsics_vec256_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z14 = Lib_IntVector_Intrinsics_vec256_shift_right64(t31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x03 = Lib_IntVector_Intrinsics_vec256_and(t01, mask261); + Lib_IntVector_Intrinsics_vec256 x33 = Lib_IntVector_Intrinsics_vec256_and(t31, mask261); + Lib_IntVector_Intrinsics_vec256 x13 = Lib_IntVector_Intrinsics_vec256_add64(t11, z04); + Lib_IntVector_Intrinsics_vec256 x43 = Lib_IntVector_Intrinsics_vec256_add64(t41, z14); + Lib_IntVector_Intrinsics_vec256 + z011 = Lib_IntVector_Intrinsics_vec256_shift_right64(x13, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z111 = Lib_IntVector_Intrinsics_vec256_shift_right64(x43, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t6 = Lib_IntVector_Intrinsics_vec256_shift_left64(z111, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z120 = Lib_IntVector_Intrinsics_vec256_add64(z111, t6); + Lib_IntVector_Intrinsics_vec256 x111 = Lib_IntVector_Intrinsics_vec256_and(x13, mask261); + Lib_IntVector_Intrinsics_vec256 x411 = Lib_IntVector_Intrinsics_vec256_and(x43, mask261); + Lib_IntVector_Intrinsics_vec256 x22 = Lib_IntVector_Intrinsics_vec256_add64(t21, z011); + Lib_IntVector_Intrinsics_vec256 x011 = Lib_IntVector_Intrinsics_vec256_add64(x03, z120); + Lib_IntVector_Intrinsics_vec256 + z021 = Lib_IntVector_Intrinsics_vec256_shift_right64(x22, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z131 = Lib_IntVector_Intrinsics_vec256_shift_right64(x011, (uint32_t)26U); + 
Lib_IntVector_Intrinsics_vec256 x211 = Lib_IntVector_Intrinsics_vec256_and(x22, mask261); + Lib_IntVector_Intrinsics_vec256 x021 = Lib_IntVector_Intrinsics_vec256_and(x011, mask261); + Lib_IntVector_Intrinsics_vec256 x311 = Lib_IntVector_Intrinsics_vec256_add64(x33, z021); + Lib_IntVector_Intrinsics_vec256 x121 = Lib_IntVector_Intrinsics_vec256_add64(x111, z131); + Lib_IntVector_Intrinsics_vec256 + z031 = Lib_IntVector_Intrinsics_vec256_shift_right64(x311, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x321 = Lib_IntVector_Intrinsics_vec256_and(x311, mask261); + Lib_IntVector_Intrinsics_vec256 x421 = Lib_IntVector_Intrinsics_vec256_add64(x411, z031); + Lib_IntVector_Intrinsics_vec256 r30 = x021; + Lib_IntVector_Intrinsics_vec256 r31 = x121; + Lib_IntVector_Intrinsics_vec256 r32 = x211; + Lib_IntVector_Intrinsics_vec256 r33 = x321; + Lib_IntVector_Intrinsics_vec256 r34 = x421; + Lib_IntVector_Intrinsics_vec256 + v12120 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r20, r10); + Lib_IntVector_Intrinsics_vec256 + v34340 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r40, r30); + Lib_IntVector_Intrinsics_vec256 + r12340 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v34340, v12120); + Lib_IntVector_Intrinsics_vec256 + v12121 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r21, r11); + Lib_IntVector_Intrinsics_vec256 + v34341 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r41, r31); + Lib_IntVector_Intrinsics_vec256 + r12341 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v34341, v12121); + Lib_IntVector_Intrinsics_vec256 + v12122 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r22, r12); + Lib_IntVector_Intrinsics_vec256 + v34342 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r42, r32); + Lib_IntVector_Intrinsics_vec256 + r12342 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v34342, v12122); + Lib_IntVector_Intrinsics_vec256 + v12123 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r23, r13); + Lib_IntVector_Intrinsics_vec256 + 
v34343 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r43, r33); + Lib_IntVector_Intrinsics_vec256 + r12343 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v34343, v12123); + Lib_IntVector_Intrinsics_vec256 + v12124 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r24, r14); + Lib_IntVector_Intrinsics_vec256 + v34344 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r44, r34); + Lib_IntVector_Intrinsics_vec256 + r12344 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v34344, v12124); + Lib_IntVector_Intrinsics_vec256 + r123451 = Lib_IntVector_Intrinsics_vec256_smul64(r12341, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec256 + r123452 = Lib_IntVector_Intrinsics_vec256_smul64(r12342, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec256 + r123453 = Lib_IntVector_Intrinsics_vec256_smul64(r12343, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec256 + r123454 = Lib_IntVector_Intrinsics_vec256_smul64(r12344, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec256 a01 = Lib_IntVector_Intrinsics_vec256_mul64(r12340, a0); + Lib_IntVector_Intrinsics_vec256 a11 = Lib_IntVector_Intrinsics_vec256_mul64(r12341, a0); + Lib_IntVector_Intrinsics_vec256 a21 = Lib_IntVector_Intrinsics_vec256_mul64(r12342, a0); + Lib_IntVector_Intrinsics_vec256 a31 = Lib_IntVector_Intrinsics_vec256_mul64(r12343, a0); + Lib_IntVector_Intrinsics_vec256 a41 = Lib_IntVector_Intrinsics_vec256_mul64(r12344, a0); + Lib_IntVector_Intrinsics_vec256 + a02 = + Lib_IntVector_Intrinsics_vec256_add64(a01, + Lib_IntVector_Intrinsics_vec256_mul64(r123454, a1)); + Lib_IntVector_Intrinsics_vec256 + a12 = + Lib_IntVector_Intrinsics_vec256_add64(a11, + Lib_IntVector_Intrinsics_vec256_mul64(r12340, a1)); + Lib_IntVector_Intrinsics_vec256 + a22 = + Lib_IntVector_Intrinsics_vec256_add64(a21, + Lib_IntVector_Intrinsics_vec256_mul64(r12341, a1)); + Lib_IntVector_Intrinsics_vec256 + a32 = + Lib_IntVector_Intrinsics_vec256_add64(a31, + Lib_IntVector_Intrinsics_vec256_mul64(r12342, a1)); + Lib_IntVector_Intrinsics_vec256 + a42 = + 
Lib_IntVector_Intrinsics_vec256_add64(a41, + Lib_IntVector_Intrinsics_vec256_mul64(r12343, a1)); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r123453, a2)); + Lib_IntVector_Intrinsics_vec256 + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r123454, a2)); + Lib_IntVector_Intrinsics_vec256 + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r12340, a2)); + Lib_IntVector_Intrinsics_vec256 + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r12341, a2)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r12342, a2)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r123452, a3)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r123453, a3)); + Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r123454, a3)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r12340, a3)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r12341, a3)); + Lib_IntVector_Intrinsics_vec256 + a05 = + Lib_IntVector_Intrinsics_vec256_add64(a04, + Lib_IntVector_Intrinsics_vec256_mul64(r123451, a4)); + Lib_IntVector_Intrinsics_vec256 + a15 = + Lib_IntVector_Intrinsics_vec256_add64(a14, + Lib_IntVector_Intrinsics_vec256_mul64(r123452, a4)); + Lib_IntVector_Intrinsics_vec256 + a25 = + Lib_IntVector_Intrinsics_vec256_add64(a24, + Lib_IntVector_Intrinsics_vec256_mul64(r123453, a4)); + Lib_IntVector_Intrinsics_vec256 + a35 = + 
Lib_IntVector_Intrinsics_vec256_add64(a34, + Lib_IntVector_Intrinsics_vec256_mul64(r123454, a4)); + Lib_IntVector_Intrinsics_vec256 + a45 = + Lib_IntVector_Intrinsics_vec256_add64(a44, + Lib_IntVector_Intrinsics_vec256_mul64(r12340, a4)); + Lib_IntVector_Intrinsics_vec256 t0 = a05; + Lib_IntVector_Intrinsics_vec256 t1 = a15; + Lib_IntVector_Intrinsics_vec256 t2 = a25; + Lib_IntVector_Intrinsics_vec256 t3 = a35; + Lib_IntVector_Intrinsics_vec256 t4 = a45; + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_and(t0, mask26); + Lib_IntVector_Intrinsics_vec256 x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t1, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z121 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + Lib_IntVector_Intrinsics_vec256 x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + Lib_IntVector_Intrinsics_vec256 x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z121); + Lib_IntVector_Intrinsics_vec256 + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); 
+ Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 x12 = Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + Lib_IntVector_Intrinsics_vec256 x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o0 = x02; + Lib_IntVector_Intrinsics_vec256 o10 = x12; + Lib_IntVector_Intrinsics_vec256 o20 = x21; + Lib_IntVector_Intrinsics_vec256 o30 = x32; + Lib_IntVector_Intrinsics_vec256 o40 = x42; + Lib_IntVector_Intrinsics_vec256 + v00 = Lib_IntVector_Intrinsics_vec256_interleave_high128(o0, o0); + Lib_IntVector_Intrinsics_vec256 v10 = Lib_IntVector_Intrinsics_vec256_add64(o0, v00); + Lib_IntVector_Intrinsics_vec256 + v10h = Lib_IntVector_Intrinsics_vec256_interleave_high64(v10, v10); + Lib_IntVector_Intrinsics_vec256 v20 = Lib_IntVector_Intrinsics_vec256_add64(v10, v10h); + Lib_IntVector_Intrinsics_vec256 + v01 = Lib_IntVector_Intrinsics_vec256_interleave_high128(o10, o10); + Lib_IntVector_Intrinsics_vec256 v11 = Lib_IntVector_Intrinsics_vec256_add64(o10, v01); + Lib_IntVector_Intrinsics_vec256 + v11h = Lib_IntVector_Intrinsics_vec256_interleave_high64(v11, v11); + Lib_IntVector_Intrinsics_vec256 v21 = Lib_IntVector_Intrinsics_vec256_add64(v11, v11h); + Lib_IntVector_Intrinsics_vec256 + v02 = Lib_IntVector_Intrinsics_vec256_interleave_high128(o20, o20); + Lib_IntVector_Intrinsics_vec256 v12 = Lib_IntVector_Intrinsics_vec256_add64(o20, v02); + Lib_IntVector_Intrinsics_vec256 + v12h = 
Lib_IntVector_Intrinsics_vec256_interleave_high64(v12, v12); + Lib_IntVector_Intrinsics_vec256 v22 = Lib_IntVector_Intrinsics_vec256_add64(v12, v12h); + Lib_IntVector_Intrinsics_vec256 + v03 = Lib_IntVector_Intrinsics_vec256_interleave_high128(o30, o30); + Lib_IntVector_Intrinsics_vec256 v13 = Lib_IntVector_Intrinsics_vec256_add64(o30, v03); + Lib_IntVector_Intrinsics_vec256 + v13h = Lib_IntVector_Intrinsics_vec256_interleave_high64(v13, v13); + Lib_IntVector_Intrinsics_vec256 v23 = Lib_IntVector_Intrinsics_vec256_add64(v13, v13h); + Lib_IntVector_Intrinsics_vec256 + v04 = Lib_IntVector_Intrinsics_vec256_interleave_high128(o40, o40); + Lib_IntVector_Intrinsics_vec256 v14 = Lib_IntVector_Intrinsics_vec256_add64(o40, v04); + Lib_IntVector_Intrinsics_vec256 + v14h = Lib_IntVector_Intrinsics_vec256_interleave_high64(v14, v14); + Lib_IntVector_Intrinsics_vec256 v24 = Lib_IntVector_Intrinsics_vec256_add64(v14, v14h); + Lib_IntVector_Intrinsics_vec256 + l = Lib_IntVector_Intrinsics_vec256_add64(v20, Lib_IntVector_Intrinsics_vec256_zero); + Lib_IntVector_Intrinsics_vec256 + tmp0 = + Lib_IntVector_Intrinsics_vec256_and(l, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c0 = Lib_IntVector_Intrinsics_vec256_shift_right64(l, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l0 = Lib_IntVector_Intrinsics_vec256_add64(v21, c0); + Lib_IntVector_Intrinsics_vec256 + tmp1 = + Lib_IntVector_Intrinsics_vec256_and(l0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c1 = Lib_IntVector_Intrinsics_vec256_shift_right64(l0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l1 = Lib_IntVector_Intrinsics_vec256_add64(v22, c1); + Lib_IntVector_Intrinsics_vec256 + tmp2 = + Lib_IntVector_Intrinsics_vec256_and(l1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c2 = Lib_IntVector_Intrinsics_vec256_shift_right64(l1, (uint32_t)26U); + 
Lib_IntVector_Intrinsics_vec256 l2 = Lib_IntVector_Intrinsics_vec256_add64(v23, c2); + Lib_IntVector_Intrinsics_vec256 + tmp3 = + Lib_IntVector_Intrinsics_vec256_and(l2, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c3 = Lib_IntVector_Intrinsics_vec256_shift_right64(l2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l3 = Lib_IntVector_Intrinsics_vec256_add64(v24, c3); + Lib_IntVector_Intrinsics_vec256 + tmp4 = + Lib_IntVector_Intrinsics_vec256_and(l3, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c4 = Lib_IntVector_Intrinsics_vec256_shift_right64(l3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + o00 = + Lib_IntVector_Intrinsics_vec256_add64(tmp0, + Lib_IntVector_Intrinsics_vec256_smul64(c4, (uint64_t)5U)); + Lib_IntVector_Intrinsics_vec256 o1 = tmp1; + Lib_IntVector_Intrinsics_vec256 o2 = tmp2; + Lib_IntVector_Intrinsics_vec256 o3 = tmp3; + Lib_IntVector_Intrinsics_vec256 o4 = tmp4; + out[0U] = o00; + out[1U] = o1; + out[2U] = o2; + out[3U] = o3; + out[4U] = o4; +} + +uint32_t Hacl_Poly1305_256_blocklen = (uint32_t)16U; + +void Hacl_Poly1305_256_poly1305_init(Lib_IntVector_Intrinsics_vec256 *ctx, uint8_t *key) +{ + Lib_IntVector_Intrinsics_vec256 *acc = ctx; + Lib_IntVector_Intrinsics_vec256 *pre = ctx + (uint32_t)5U; + uint8_t *kr = key; + uint64_t u0; + uint64_t lo; + uint64_t u; + uint64_t hi; + uint64_t mask0; + uint64_t mask1; + uint64_t lo1; + uint64_t hi1; + Lib_IntVector_Intrinsics_vec256 *r; + Lib_IntVector_Intrinsics_vec256 *r5; + Lib_IntVector_Intrinsics_vec256 *rn; + Lib_IntVector_Intrinsics_vec256 *rn_5; + Lib_IntVector_Intrinsics_vec256 r_vec0; + Lib_IntVector_Intrinsics_vec256 r_vec1; + Lib_IntVector_Intrinsics_vec256 f00; + Lib_IntVector_Intrinsics_vec256 f15; + Lib_IntVector_Intrinsics_vec256 f25; + Lib_IntVector_Intrinsics_vec256 f30; + Lib_IntVector_Intrinsics_vec256 f40; + Lib_IntVector_Intrinsics_vec256 f0; + 
Lib_IntVector_Intrinsics_vec256 f1; + Lib_IntVector_Intrinsics_vec256 f2; + Lib_IntVector_Intrinsics_vec256 f3; + Lib_IntVector_Intrinsics_vec256 f4; + Lib_IntVector_Intrinsics_vec256 f200; + Lib_IntVector_Intrinsics_vec256 f210; + Lib_IntVector_Intrinsics_vec256 f220; + Lib_IntVector_Intrinsics_vec256 f230; + Lib_IntVector_Intrinsics_vec256 f240; + Lib_IntVector_Intrinsics_vec256 r00; + Lib_IntVector_Intrinsics_vec256 r10; + Lib_IntVector_Intrinsics_vec256 r20; + Lib_IntVector_Intrinsics_vec256 r30; + Lib_IntVector_Intrinsics_vec256 r40; + Lib_IntVector_Intrinsics_vec256 r510; + Lib_IntVector_Intrinsics_vec256 r520; + Lib_IntVector_Intrinsics_vec256 r530; + Lib_IntVector_Intrinsics_vec256 r540; + Lib_IntVector_Intrinsics_vec256 f100; + Lib_IntVector_Intrinsics_vec256 f110; + Lib_IntVector_Intrinsics_vec256 f120; + Lib_IntVector_Intrinsics_vec256 f130; + Lib_IntVector_Intrinsics_vec256 f140; + Lib_IntVector_Intrinsics_vec256 a00; + Lib_IntVector_Intrinsics_vec256 a10; + Lib_IntVector_Intrinsics_vec256 a20; + Lib_IntVector_Intrinsics_vec256 a30; + Lib_IntVector_Intrinsics_vec256 a40; + Lib_IntVector_Intrinsics_vec256 a010; + Lib_IntVector_Intrinsics_vec256 a110; + Lib_IntVector_Intrinsics_vec256 a210; + Lib_IntVector_Intrinsics_vec256 a310; + Lib_IntVector_Intrinsics_vec256 a410; + Lib_IntVector_Intrinsics_vec256 a020; + Lib_IntVector_Intrinsics_vec256 a120; + Lib_IntVector_Intrinsics_vec256 a220; + Lib_IntVector_Intrinsics_vec256 a320; + Lib_IntVector_Intrinsics_vec256 a420; + Lib_IntVector_Intrinsics_vec256 a030; + Lib_IntVector_Intrinsics_vec256 a130; + Lib_IntVector_Intrinsics_vec256 a230; + Lib_IntVector_Intrinsics_vec256 a330; + Lib_IntVector_Intrinsics_vec256 a430; + Lib_IntVector_Intrinsics_vec256 a040; + Lib_IntVector_Intrinsics_vec256 a140; + Lib_IntVector_Intrinsics_vec256 a240; + Lib_IntVector_Intrinsics_vec256 a340; + Lib_IntVector_Intrinsics_vec256 a440; + Lib_IntVector_Intrinsics_vec256 t00; + Lib_IntVector_Intrinsics_vec256 t10; + 
Lib_IntVector_Intrinsics_vec256 t20; + Lib_IntVector_Intrinsics_vec256 t30; + Lib_IntVector_Intrinsics_vec256 t40; + Lib_IntVector_Intrinsics_vec256 mask260; + Lib_IntVector_Intrinsics_vec256 z00; + Lib_IntVector_Intrinsics_vec256 z10; + Lib_IntVector_Intrinsics_vec256 x00; + Lib_IntVector_Intrinsics_vec256 x30; + Lib_IntVector_Intrinsics_vec256 x10; + Lib_IntVector_Intrinsics_vec256 x40; + Lib_IntVector_Intrinsics_vec256 z010; + Lib_IntVector_Intrinsics_vec256 z110; + Lib_IntVector_Intrinsics_vec256 t5; + Lib_IntVector_Intrinsics_vec256 z120; + Lib_IntVector_Intrinsics_vec256 x110; + Lib_IntVector_Intrinsics_vec256 x410; + Lib_IntVector_Intrinsics_vec256 x20; + Lib_IntVector_Intrinsics_vec256 x010; + Lib_IntVector_Intrinsics_vec256 z020; + Lib_IntVector_Intrinsics_vec256 z130; + Lib_IntVector_Intrinsics_vec256 x210; + Lib_IntVector_Intrinsics_vec256 x020; + Lib_IntVector_Intrinsics_vec256 x310; + Lib_IntVector_Intrinsics_vec256 x120; + Lib_IntVector_Intrinsics_vec256 z030; + Lib_IntVector_Intrinsics_vec256 x320; + Lib_IntVector_Intrinsics_vec256 x420; + Lib_IntVector_Intrinsics_vec256 o00; + Lib_IntVector_Intrinsics_vec256 o10; + Lib_IntVector_Intrinsics_vec256 o20; + Lib_IntVector_Intrinsics_vec256 o30; + Lib_IntVector_Intrinsics_vec256 o40; + Lib_IntVector_Intrinsics_vec256 f201; + Lib_IntVector_Intrinsics_vec256 f211; + Lib_IntVector_Intrinsics_vec256 f221; + Lib_IntVector_Intrinsics_vec256 f231; + Lib_IntVector_Intrinsics_vec256 f241; + Lib_IntVector_Intrinsics_vec256 r0; + Lib_IntVector_Intrinsics_vec256 r1; + Lib_IntVector_Intrinsics_vec256 r2; + Lib_IntVector_Intrinsics_vec256 r3; + Lib_IntVector_Intrinsics_vec256 r4; + Lib_IntVector_Intrinsics_vec256 r51; + Lib_IntVector_Intrinsics_vec256 r52; + Lib_IntVector_Intrinsics_vec256 r53; + Lib_IntVector_Intrinsics_vec256 r54; + Lib_IntVector_Intrinsics_vec256 f10; + Lib_IntVector_Intrinsics_vec256 f11; + Lib_IntVector_Intrinsics_vec256 f12; + Lib_IntVector_Intrinsics_vec256 f13; + Lib_IntVector_Intrinsics_vec256 
f14; + Lib_IntVector_Intrinsics_vec256 a0; + Lib_IntVector_Intrinsics_vec256 a1; + Lib_IntVector_Intrinsics_vec256 a2; + Lib_IntVector_Intrinsics_vec256 a3; + Lib_IntVector_Intrinsics_vec256 a4; + Lib_IntVector_Intrinsics_vec256 a01; + Lib_IntVector_Intrinsics_vec256 a11; + Lib_IntVector_Intrinsics_vec256 a21; + Lib_IntVector_Intrinsics_vec256 a31; + Lib_IntVector_Intrinsics_vec256 a41; + Lib_IntVector_Intrinsics_vec256 a02; + Lib_IntVector_Intrinsics_vec256 a12; + Lib_IntVector_Intrinsics_vec256 a22; + Lib_IntVector_Intrinsics_vec256 a32; + Lib_IntVector_Intrinsics_vec256 a42; + Lib_IntVector_Intrinsics_vec256 a03; + Lib_IntVector_Intrinsics_vec256 a13; + Lib_IntVector_Intrinsics_vec256 a23; + Lib_IntVector_Intrinsics_vec256 a33; + Lib_IntVector_Intrinsics_vec256 a43; + Lib_IntVector_Intrinsics_vec256 a04; + Lib_IntVector_Intrinsics_vec256 a14; + Lib_IntVector_Intrinsics_vec256 a24; + Lib_IntVector_Intrinsics_vec256 a34; + Lib_IntVector_Intrinsics_vec256 a44; + Lib_IntVector_Intrinsics_vec256 t0; + Lib_IntVector_Intrinsics_vec256 t1; + Lib_IntVector_Intrinsics_vec256 t2; + Lib_IntVector_Intrinsics_vec256 t3; + Lib_IntVector_Intrinsics_vec256 t4; + Lib_IntVector_Intrinsics_vec256 mask26; + Lib_IntVector_Intrinsics_vec256 z0; + Lib_IntVector_Intrinsics_vec256 z1; + Lib_IntVector_Intrinsics_vec256 x0; + Lib_IntVector_Intrinsics_vec256 x3; + Lib_IntVector_Intrinsics_vec256 x1; + Lib_IntVector_Intrinsics_vec256 x4; + Lib_IntVector_Intrinsics_vec256 z01; + Lib_IntVector_Intrinsics_vec256 z11; + Lib_IntVector_Intrinsics_vec256 t; + Lib_IntVector_Intrinsics_vec256 z12; + Lib_IntVector_Intrinsics_vec256 x11; + Lib_IntVector_Intrinsics_vec256 x41; + Lib_IntVector_Intrinsics_vec256 x2; + Lib_IntVector_Intrinsics_vec256 x01; + Lib_IntVector_Intrinsics_vec256 z02; + Lib_IntVector_Intrinsics_vec256 z13; + Lib_IntVector_Intrinsics_vec256 x21; + Lib_IntVector_Intrinsics_vec256 x02; + Lib_IntVector_Intrinsics_vec256 x31; + Lib_IntVector_Intrinsics_vec256 x12; + 
Lib_IntVector_Intrinsics_vec256 z03; + Lib_IntVector_Intrinsics_vec256 x32; + Lib_IntVector_Intrinsics_vec256 x42; + Lib_IntVector_Intrinsics_vec256 o0; + Lib_IntVector_Intrinsics_vec256 o1; + Lib_IntVector_Intrinsics_vec256 o2; + Lib_IntVector_Intrinsics_vec256 o3; + Lib_IntVector_Intrinsics_vec256 o4; + Lib_IntVector_Intrinsics_vec256 f20; + Lib_IntVector_Intrinsics_vec256 f21; + Lib_IntVector_Intrinsics_vec256 f22; + Lib_IntVector_Intrinsics_vec256 f23; + Lib_IntVector_Intrinsics_vec256 f24; + acc[0U] = Lib_IntVector_Intrinsics_vec256_zero; + acc[1U] = Lib_IntVector_Intrinsics_vec256_zero; + acc[2U] = Lib_IntVector_Intrinsics_vec256_zero; + acc[3U] = Lib_IntVector_Intrinsics_vec256_zero; + acc[4U] = Lib_IntVector_Intrinsics_vec256_zero; + u0 = load64_le(kr); + lo = u0; + u = load64_le(kr + (uint32_t)8U); + hi = u; + mask0 = (uint64_t)0x0ffffffc0fffffffU; + mask1 = (uint64_t)0x0ffffffc0ffffffcU; + lo1 = lo & mask0; + hi1 = hi & mask1; + r = pre; + r5 = pre + (uint32_t)5U; + rn = pre + (uint32_t)10U; + rn_5 = pre + (uint32_t)15U; + r_vec0 = Lib_IntVector_Intrinsics_vec256_load64(lo1); + r_vec1 = Lib_IntVector_Intrinsics_vec256_load64(hi1); + f00 = + Lib_IntVector_Intrinsics_vec256_and(r_vec0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + f15 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(r_vec0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + f25 = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_right64(r_vec0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec256_shift_left64(Lib_IntVector_Intrinsics_vec256_and(r_vec1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + f30 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(r_vec1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + f40 = Lib_IntVector_Intrinsics_vec256_shift_right64(r_vec1, 
(uint32_t)40U); + f0 = f00; + f1 = f15; + f2 = f25; + f3 = f30; + f4 = f40; + r[0U] = f0; + r[1U] = f1; + r[2U] = f2; + r[3U] = f3; + r[4U] = f4; + f200 = r[0U]; + f210 = r[1U]; + f220 = r[2U]; + f230 = r[3U]; + f240 = r[4U]; + r5[0U] = Lib_IntVector_Intrinsics_vec256_smul64(f200, (uint64_t)5U); + r5[1U] = Lib_IntVector_Intrinsics_vec256_smul64(f210, (uint64_t)5U); + r5[2U] = Lib_IntVector_Intrinsics_vec256_smul64(f220, (uint64_t)5U); + r5[3U] = Lib_IntVector_Intrinsics_vec256_smul64(f230, (uint64_t)5U); + r5[4U] = Lib_IntVector_Intrinsics_vec256_smul64(f240, (uint64_t)5U); + r00 = r[0U]; + r10 = r[1U]; + r20 = r[2U]; + r30 = r[3U]; + r40 = r[4U]; + r510 = r5[1U]; + r520 = r5[2U]; + r530 = r5[3U]; + r540 = r5[4U]; + f100 = r[0U]; + f110 = r[1U]; + f120 = r[2U]; + f130 = r[3U]; + f140 = r[4U]; + a00 = Lib_IntVector_Intrinsics_vec256_mul64(r00, f100); + a10 = Lib_IntVector_Intrinsics_vec256_mul64(r10, f100); + a20 = Lib_IntVector_Intrinsics_vec256_mul64(r20, f100); + a30 = Lib_IntVector_Intrinsics_vec256_mul64(r30, f100); + a40 = Lib_IntVector_Intrinsics_vec256_mul64(r40, f100); + a010 = + Lib_IntVector_Intrinsics_vec256_add64(a00, + Lib_IntVector_Intrinsics_vec256_mul64(r540, f110)); + a110 = + Lib_IntVector_Intrinsics_vec256_add64(a10, + Lib_IntVector_Intrinsics_vec256_mul64(r00, f110)); + a210 = + Lib_IntVector_Intrinsics_vec256_add64(a20, + Lib_IntVector_Intrinsics_vec256_mul64(r10, f110)); + a310 = + Lib_IntVector_Intrinsics_vec256_add64(a30, + Lib_IntVector_Intrinsics_vec256_mul64(r20, f110)); + a410 = + Lib_IntVector_Intrinsics_vec256_add64(a40, + Lib_IntVector_Intrinsics_vec256_mul64(r30, f110)); + a020 = + Lib_IntVector_Intrinsics_vec256_add64(a010, + Lib_IntVector_Intrinsics_vec256_mul64(r530, f120)); + a120 = + Lib_IntVector_Intrinsics_vec256_add64(a110, + Lib_IntVector_Intrinsics_vec256_mul64(r540, f120)); + a220 = + Lib_IntVector_Intrinsics_vec256_add64(a210, + Lib_IntVector_Intrinsics_vec256_mul64(r00, f120)); + a320 = + 
Lib_IntVector_Intrinsics_vec256_add64(a310, + Lib_IntVector_Intrinsics_vec256_mul64(r10, f120)); + a420 = + Lib_IntVector_Intrinsics_vec256_add64(a410, + Lib_IntVector_Intrinsics_vec256_mul64(r20, f120)); + a030 = + Lib_IntVector_Intrinsics_vec256_add64(a020, + Lib_IntVector_Intrinsics_vec256_mul64(r520, f130)); + a130 = + Lib_IntVector_Intrinsics_vec256_add64(a120, + Lib_IntVector_Intrinsics_vec256_mul64(r530, f130)); + a230 = + Lib_IntVector_Intrinsics_vec256_add64(a220, + Lib_IntVector_Intrinsics_vec256_mul64(r540, f130)); + a330 = + Lib_IntVector_Intrinsics_vec256_add64(a320, + Lib_IntVector_Intrinsics_vec256_mul64(r00, f130)); + a430 = + Lib_IntVector_Intrinsics_vec256_add64(a420, + Lib_IntVector_Intrinsics_vec256_mul64(r10, f130)); + a040 = + Lib_IntVector_Intrinsics_vec256_add64(a030, + Lib_IntVector_Intrinsics_vec256_mul64(r510, f140)); + a140 = + Lib_IntVector_Intrinsics_vec256_add64(a130, + Lib_IntVector_Intrinsics_vec256_mul64(r520, f140)); + a240 = + Lib_IntVector_Intrinsics_vec256_add64(a230, + Lib_IntVector_Intrinsics_vec256_mul64(r530, f140)); + a340 = + Lib_IntVector_Intrinsics_vec256_add64(a330, + Lib_IntVector_Intrinsics_vec256_mul64(r540, f140)); + a440 = + Lib_IntVector_Intrinsics_vec256_add64(a430, + Lib_IntVector_Intrinsics_vec256_mul64(r00, f140)); + t00 = a040; + t10 = a140; + t20 = a240; + t30 = a340; + t40 = a440; + mask260 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + z00 = Lib_IntVector_Intrinsics_vec256_shift_right64(t00, (uint32_t)26U); + z10 = Lib_IntVector_Intrinsics_vec256_shift_right64(t30, (uint32_t)26U); + x00 = Lib_IntVector_Intrinsics_vec256_and(t00, mask260); + x30 = Lib_IntVector_Intrinsics_vec256_and(t30, mask260); + x10 = Lib_IntVector_Intrinsics_vec256_add64(t10, z00); + x40 = Lib_IntVector_Intrinsics_vec256_add64(t40, z10); + z010 = Lib_IntVector_Intrinsics_vec256_shift_right64(x10, (uint32_t)26U); + z110 = Lib_IntVector_Intrinsics_vec256_shift_right64(x40, (uint32_t)26U); + t5 = 
Lib_IntVector_Intrinsics_vec256_shift_left64(z110, (uint32_t)2U); + z120 = Lib_IntVector_Intrinsics_vec256_add64(z110, t5); + x110 = Lib_IntVector_Intrinsics_vec256_and(x10, mask260); + x410 = Lib_IntVector_Intrinsics_vec256_and(x40, mask260); + x20 = Lib_IntVector_Intrinsics_vec256_add64(t20, z010); + x010 = Lib_IntVector_Intrinsics_vec256_add64(x00, z120); + z020 = Lib_IntVector_Intrinsics_vec256_shift_right64(x20, (uint32_t)26U); + z130 = Lib_IntVector_Intrinsics_vec256_shift_right64(x010, (uint32_t)26U); + x210 = Lib_IntVector_Intrinsics_vec256_and(x20, mask260); + x020 = Lib_IntVector_Intrinsics_vec256_and(x010, mask260); + x310 = Lib_IntVector_Intrinsics_vec256_add64(x30, z020); + x120 = Lib_IntVector_Intrinsics_vec256_add64(x110, z130); + z030 = Lib_IntVector_Intrinsics_vec256_shift_right64(x310, (uint32_t)26U); + x320 = Lib_IntVector_Intrinsics_vec256_and(x310, mask260); + x420 = Lib_IntVector_Intrinsics_vec256_add64(x410, z030); + o00 = x020; + o10 = x120; + o20 = x210; + o30 = x320; + o40 = x420; + rn[0U] = o00; + rn[1U] = o10; + rn[2U] = o20; + rn[3U] = o30; + rn[4U] = o40; + f201 = rn[0U]; + f211 = rn[1U]; + f221 = rn[2U]; + f231 = rn[3U]; + f241 = rn[4U]; + rn_5[0U] = Lib_IntVector_Intrinsics_vec256_smul64(f201, (uint64_t)5U); + rn_5[1U] = Lib_IntVector_Intrinsics_vec256_smul64(f211, (uint64_t)5U); + rn_5[2U] = Lib_IntVector_Intrinsics_vec256_smul64(f221, (uint64_t)5U); + rn_5[3U] = Lib_IntVector_Intrinsics_vec256_smul64(f231, (uint64_t)5U); + rn_5[4U] = Lib_IntVector_Intrinsics_vec256_smul64(f241, (uint64_t)5U); + r0 = rn[0U]; + r1 = rn[1U]; + r2 = rn[2U]; + r3 = rn[3U]; + r4 = rn[4U]; + r51 = rn_5[1U]; + r52 = rn_5[2U]; + r53 = rn_5[3U]; + r54 = rn_5[4U]; + f10 = rn[0U]; + f11 = rn[1U]; + f12 = rn[2U]; + f13 = rn[3U]; + f14 = rn[4U]; + a0 = Lib_IntVector_Intrinsics_vec256_mul64(r0, f10); + a1 = Lib_IntVector_Intrinsics_vec256_mul64(r1, f10); + a2 = Lib_IntVector_Intrinsics_vec256_mul64(r2, f10); + a3 = Lib_IntVector_Intrinsics_vec256_mul64(r3, f10); 
+ a4 = Lib_IntVector_Intrinsics_vec256_mul64(r4, f10); + a01 = + Lib_IntVector_Intrinsics_vec256_add64(a0, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f11)); + a11 = Lib_IntVector_Intrinsics_vec256_add64(a1, Lib_IntVector_Intrinsics_vec256_mul64(r0, f11)); + a21 = Lib_IntVector_Intrinsics_vec256_add64(a2, Lib_IntVector_Intrinsics_vec256_mul64(r1, f11)); + a31 = Lib_IntVector_Intrinsics_vec256_add64(a3, Lib_IntVector_Intrinsics_vec256_mul64(r2, f11)); + a41 = Lib_IntVector_Intrinsics_vec256_add64(a4, Lib_IntVector_Intrinsics_vec256_mul64(r3, f11)); + a02 = + Lib_IntVector_Intrinsics_vec256_add64(a01, + Lib_IntVector_Intrinsics_vec256_mul64(r53, f12)); + a12 = + Lib_IntVector_Intrinsics_vec256_add64(a11, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f12)); + a22 = + Lib_IntVector_Intrinsics_vec256_add64(a21, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f12)); + a32 = + Lib_IntVector_Intrinsics_vec256_add64(a31, + Lib_IntVector_Intrinsics_vec256_mul64(r1, f12)); + a42 = + Lib_IntVector_Intrinsics_vec256_add64(a41, + Lib_IntVector_Intrinsics_vec256_mul64(r2, f12)); + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r52, f13)); + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r53, f13)); + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f13)); + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f13)); + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r1, f13)); + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r51, f14)); + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r52, f14)); + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r53, f14)); + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + 
Lib_IntVector_Intrinsics_vec256_mul64(r54, f14)); + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f14)); + t0 = a04; + t1 = a14; + t2 = a24; + t3 = a34; + t4 = a44; + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t0, (uint32_t)26U); + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + x0 = Lib_IntVector_Intrinsics_vec256_and(t0, mask26); + x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + x1 = Lib_IntVector_Intrinsics_vec256_add64(t1, z0); + x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + x12 = Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + o0 = x02; + o1 = x12; + o2 = x21; + o3 = x32; + o4 = x42; + rn[0U] = o0; + rn[1U] = o1; + rn[2U] = o2; + rn[3U] = o3; + rn[4U] = o4; + f20 = rn[0U]; + f21 = rn[1U]; + f22 = rn[2U]; + f23 = rn[3U]; + f24 = rn[4U]; + rn_5[0U] = Lib_IntVector_Intrinsics_vec256_smul64(f20, 
(uint64_t)5U); + rn_5[1U] = Lib_IntVector_Intrinsics_vec256_smul64(f21, (uint64_t)5U); + rn_5[2U] = Lib_IntVector_Intrinsics_vec256_smul64(f22, (uint64_t)5U); + rn_5[3U] = Lib_IntVector_Intrinsics_vec256_smul64(f23, (uint64_t)5U); + rn_5[4U] = Lib_IntVector_Intrinsics_vec256_smul64(f24, (uint64_t)5U); +} + +void Hacl_Poly1305_256_poly1305_update1(Lib_IntVector_Intrinsics_vec256 *ctx, uint8_t *text) +{ + Lib_IntVector_Intrinsics_vec256 *pre = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 *acc = ctx; + Lib_IntVector_Intrinsics_vec256 e[5U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + uint64_t u0 = load64_le(text); + uint64_t lo = u0; + uint64_t u = load64_le(text + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec256 f0 = Lib_IntVector_Intrinsics_vec256_load64(lo); + Lib_IntVector_Intrinsics_vec256 f1 = Lib_IntVector_Intrinsics_vec256_load64(hi); + Lib_IntVector_Intrinsics_vec256 + f010 = + Lib_IntVector_Intrinsics_vec256_and(f0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f110 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f20 = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec256_shift_left64(Lib_IntVector_Intrinsics_vec256_and(f1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec256 + f30 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f40 = Lib_IntVector_Intrinsics_vec256_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 f01 = f010; 
+ Lib_IntVector_Intrinsics_vec256 f111 = f110; + Lib_IntVector_Intrinsics_vec256 f2 = f20; + Lib_IntVector_Intrinsics_vec256 f3 = f30; + Lib_IntVector_Intrinsics_vec256 f41 = f40; + uint64_t b; + Lib_IntVector_Intrinsics_vec256 mask; + Lib_IntVector_Intrinsics_vec256 f4; + Lib_IntVector_Intrinsics_vec256 *r; + Lib_IntVector_Intrinsics_vec256 *r5; + Lib_IntVector_Intrinsics_vec256 r0; + Lib_IntVector_Intrinsics_vec256 r1; + Lib_IntVector_Intrinsics_vec256 r2; + Lib_IntVector_Intrinsics_vec256 r3; + Lib_IntVector_Intrinsics_vec256 r4; + Lib_IntVector_Intrinsics_vec256 r51; + Lib_IntVector_Intrinsics_vec256 r52; + Lib_IntVector_Intrinsics_vec256 r53; + Lib_IntVector_Intrinsics_vec256 r54; + Lib_IntVector_Intrinsics_vec256 f10; + Lib_IntVector_Intrinsics_vec256 f11; + Lib_IntVector_Intrinsics_vec256 f12; + Lib_IntVector_Intrinsics_vec256 f13; + Lib_IntVector_Intrinsics_vec256 f14; + Lib_IntVector_Intrinsics_vec256 a0; + Lib_IntVector_Intrinsics_vec256 a1; + Lib_IntVector_Intrinsics_vec256 a2; + Lib_IntVector_Intrinsics_vec256 a3; + Lib_IntVector_Intrinsics_vec256 a4; + Lib_IntVector_Intrinsics_vec256 a01; + Lib_IntVector_Intrinsics_vec256 a11; + Lib_IntVector_Intrinsics_vec256 a21; + Lib_IntVector_Intrinsics_vec256 a31; + Lib_IntVector_Intrinsics_vec256 a41; + Lib_IntVector_Intrinsics_vec256 a02; + Lib_IntVector_Intrinsics_vec256 a12; + Lib_IntVector_Intrinsics_vec256 a22; + Lib_IntVector_Intrinsics_vec256 a32; + Lib_IntVector_Intrinsics_vec256 a42; + Lib_IntVector_Intrinsics_vec256 a03; + Lib_IntVector_Intrinsics_vec256 a13; + Lib_IntVector_Intrinsics_vec256 a23; + Lib_IntVector_Intrinsics_vec256 a33; + Lib_IntVector_Intrinsics_vec256 a43; + Lib_IntVector_Intrinsics_vec256 a04; + Lib_IntVector_Intrinsics_vec256 a14; + Lib_IntVector_Intrinsics_vec256 a24; + Lib_IntVector_Intrinsics_vec256 a34; + Lib_IntVector_Intrinsics_vec256 a44; + Lib_IntVector_Intrinsics_vec256 a05; + Lib_IntVector_Intrinsics_vec256 a15; + Lib_IntVector_Intrinsics_vec256 a25; + 
Lib_IntVector_Intrinsics_vec256 a35; + Lib_IntVector_Intrinsics_vec256 a45; + Lib_IntVector_Intrinsics_vec256 a06; + Lib_IntVector_Intrinsics_vec256 a16; + Lib_IntVector_Intrinsics_vec256 a26; + Lib_IntVector_Intrinsics_vec256 a36; + Lib_IntVector_Intrinsics_vec256 a46; + Lib_IntVector_Intrinsics_vec256 t0; + Lib_IntVector_Intrinsics_vec256 t1; + Lib_IntVector_Intrinsics_vec256 t2; + Lib_IntVector_Intrinsics_vec256 t3; + Lib_IntVector_Intrinsics_vec256 t4; + Lib_IntVector_Intrinsics_vec256 mask26; + Lib_IntVector_Intrinsics_vec256 z0; + Lib_IntVector_Intrinsics_vec256 z1; + Lib_IntVector_Intrinsics_vec256 x0; + Lib_IntVector_Intrinsics_vec256 x3; + Lib_IntVector_Intrinsics_vec256 x1; + Lib_IntVector_Intrinsics_vec256 x4; + Lib_IntVector_Intrinsics_vec256 z01; + Lib_IntVector_Intrinsics_vec256 z11; + Lib_IntVector_Intrinsics_vec256 t; + Lib_IntVector_Intrinsics_vec256 z12; + Lib_IntVector_Intrinsics_vec256 x11; + Lib_IntVector_Intrinsics_vec256 x41; + Lib_IntVector_Intrinsics_vec256 x2; + Lib_IntVector_Intrinsics_vec256 x01; + Lib_IntVector_Intrinsics_vec256 z02; + Lib_IntVector_Intrinsics_vec256 z13; + Lib_IntVector_Intrinsics_vec256 x21; + Lib_IntVector_Intrinsics_vec256 x02; + Lib_IntVector_Intrinsics_vec256 x31; + Lib_IntVector_Intrinsics_vec256 x12; + Lib_IntVector_Intrinsics_vec256 z03; + Lib_IntVector_Intrinsics_vec256 x32; + Lib_IntVector_Intrinsics_vec256 x42; + Lib_IntVector_Intrinsics_vec256 o0; + Lib_IntVector_Intrinsics_vec256 o1; + Lib_IntVector_Intrinsics_vec256 o2; + Lib_IntVector_Intrinsics_vec256 o3; + Lib_IntVector_Intrinsics_vec256 o4; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + b = (uint64_t)0x1000000U; + mask = Lib_IntVector_Intrinsics_vec256_load64(b); + f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec256_or(f4, mask); + r = pre; + r5 = pre + (uint32_t)5U; + r0 = r[0U]; + r1 = r[1U]; + r2 = r[2U]; + r3 = r[3U]; + r4 = r[4U]; + r51 = r5[1U]; + r52 = r5[2U]; + r53 = r5[3U]; + r54 = r5[4U]; + f10 = e[0U]; + f11 = 
e[1U]; + f12 = e[2U]; + f13 = e[3U]; + f14 = e[4U]; + a0 = acc[0U]; + a1 = acc[1U]; + a2 = acc[2U]; + a3 = acc[3U]; + a4 = acc[4U]; + a01 = Lib_IntVector_Intrinsics_vec256_add64(a0, f10); + a11 = Lib_IntVector_Intrinsics_vec256_add64(a1, f11); + a21 = Lib_IntVector_Intrinsics_vec256_add64(a2, f12); + a31 = Lib_IntVector_Intrinsics_vec256_add64(a3, f13); + a41 = Lib_IntVector_Intrinsics_vec256_add64(a4, f14); + a02 = Lib_IntVector_Intrinsics_vec256_mul64(r0, a01); + a12 = Lib_IntVector_Intrinsics_vec256_mul64(r1, a01); + a22 = Lib_IntVector_Intrinsics_vec256_mul64(r2, a01); + a32 = Lib_IntVector_Intrinsics_vec256_mul64(r3, a01); + a42 = Lib_IntVector_Intrinsics_vec256_mul64(r4, a01); + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a11)); + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a11)); + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a11)); + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a11)); + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r3, a11)); + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a21)); + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a21)); + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a21)); + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a21)); + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a21)); + a05 = + Lib_IntVector_Intrinsics_vec256_add64(a04, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a31)); + a15 = + Lib_IntVector_Intrinsics_vec256_add64(a14, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a31)); + a25 = + Lib_IntVector_Intrinsics_vec256_add64(a24, + 
Lib_IntVector_Intrinsics_vec256_mul64(r54, a31)); + a35 = + Lib_IntVector_Intrinsics_vec256_add64(a34, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a31)); + a45 = + Lib_IntVector_Intrinsics_vec256_add64(a44, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a31)); + a06 = + Lib_IntVector_Intrinsics_vec256_add64(a05, + Lib_IntVector_Intrinsics_vec256_mul64(r51, a41)); + a16 = + Lib_IntVector_Intrinsics_vec256_add64(a15, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a41)); + a26 = + Lib_IntVector_Intrinsics_vec256_add64(a25, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a41)); + a36 = + Lib_IntVector_Intrinsics_vec256_add64(a35, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a41)); + a46 = + Lib_IntVector_Intrinsics_vec256_add64(a45, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a41)); + t0 = a06; + t1 = a16; + t2 = a26; + t3 = a36; + t4 = a46; + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t0, (uint32_t)26U); + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + x0 = Lib_IntVector_Intrinsics_vec256_and(t0, mask26); + x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + x1 = Lib_IntVector_Intrinsics_vec256_add64(t1, z0); + x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + x02 = 
Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + x12 = Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + o0 = x02; + o1 = x12; + o2 = x21; + o3 = x32; + o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + } +} + +void +Hacl_Poly1305_256_poly1305_update( + Lib_IntVector_Intrinsics_vec256 *ctx, + uint32_t len, + uint8_t *text +) +{ + Lib_IntVector_Intrinsics_vec256 *pre = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 *acc = ctx; + uint32_t sz_block = (uint32_t)64U; + uint32_t len0 = len / sz_block * sz_block; + uint8_t *t0 = text; + uint32_t len1; + uint8_t *t10; + uint32_t nb0; + uint32_t rem; + if (len0 > (uint32_t)0U) + { + uint32_t bs = (uint32_t)64U; + uint8_t *text0 = t0; + Hacl_Impl_Poly1305_Field32xN_256_load_acc4(acc, text0); + { + uint32_t len10 = len0 - bs; + uint8_t *text1 = t0 + bs; + uint32_t nb = len10 / bs; + { + uint32_t i; + for (i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = text1 + i * bs; + Lib_IntVector_Intrinsics_vec256 e[5U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + Lib_IntVector_Intrinsics_vec256 lo = Lib_IntVector_Intrinsics_vec256_load64_le(block); + Lib_IntVector_Intrinsics_vec256 + hi = Lib_IntVector_Intrinsics_vec256_load64_le(block + (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 + mask260 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + m0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(lo, hi); + Lib_IntVector_Intrinsics_vec256 + m1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(lo, hi); + Lib_IntVector_Intrinsics_vec256 + m2 = Lib_IntVector_Intrinsics_vec256_shift_right(m0, (uint32_t)48U); + 
Lib_IntVector_Intrinsics_vec256 + m3 = Lib_IntVector_Intrinsics_vec256_shift_right(m1, (uint32_t)48U); + Lib_IntVector_Intrinsics_vec256 + m4 = Lib_IntVector_Intrinsics_vec256_interleave_high64(m0, m1); + Lib_IntVector_Intrinsics_vec256 + t010 = Lib_IntVector_Intrinsics_vec256_interleave_low64(m0, m1); + Lib_IntVector_Intrinsics_vec256 + t30 = Lib_IntVector_Intrinsics_vec256_interleave_low64(m2, m3); + Lib_IntVector_Intrinsics_vec256 + t20 = Lib_IntVector_Intrinsics_vec256_shift_right64(t30, (uint32_t)4U); + Lib_IntVector_Intrinsics_vec256 o20 = Lib_IntVector_Intrinsics_vec256_and(t20, mask260); + Lib_IntVector_Intrinsics_vec256 + t11 = Lib_IntVector_Intrinsics_vec256_shift_right64(t010, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 o10 = Lib_IntVector_Intrinsics_vec256_and(t11, mask260); + Lib_IntVector_Intrinsics_vec256 o5 = Lib_IntVector_Intrinsics_vec256_and(t010, mask260); + Lib_IntVector_Intrinsics_vec256 + t31 = Lib_IntVector_Intrinsics_vec256_shift_right64(t30, (uint32_t)30U); + Lib_IntVector_Intrinsics_vec256 o30 = Lib_IntVector_Intrinsics_vec256_and(t31, mask260); + Lib_IntVector_Intrinsics_vec256 + o40 = Lib_IntVector_Intrinsics_vec256_shift_right64(m4, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 o00 = o5; + Lib_IntVector_Intrinsics_vec256 o11 = o10; + Lib_IntVector_Intrinsics_vec256 o21 = o20; + Lib_IntVector_Intrinsics_vec256 o31 = o30; + Lib_IntVector_Intrinsics_vec256 o41 = o40; + e[0U] = o00; + e[1U] = o11; + e[2U] = o21; + e[3U] = o31; + e[4U] = o41; + { + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_load64(b); + Lib_IntVector_Intrinsics_vec256 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec256_or(f4, mask); + { + Lib_IntVector_Intrinsics_vec256 *rn = pre + (uint32_t)10U; + Lib_IntVector_Intrinsics_vec256 *rn5 = pre + (uint32_t)15U; + Lib_IntVector_Intrinsics_vec256 r0 = rn[0U]; + Lib_IntVector_Intrinsics_vec256 r1 = rn[1U]; + Lib_IntVector_Intrinsics_vec256 r2 = rn[2U]; + 
Lib_IntVector_Intrinsics_vec256 r3 = rn[3U]; + Lib_IntVector_Intrinsics_vec256 r4 = rn[4U]; + Lib_IntVector_Intrinsics_vec256 r51 = rn5[1U]; + Lib_IntVector_Intrinsics_vec256 r52 = rn5[2U]; + Lib_IntVector_Intrinsics_vec256 r53 = rn5[3U]; + Lib_IntVector_Intrinsics_vec256 r54 = rn5[4U]; + Lib_IntVector_Intrinsics_vec256 f10 = acc[0U]; + Lib_IntVector_Intrinsics_vec256 f110 = acc[1U]; + Lib_IntVector_Intrinsics_vec256 f120 = acc[2U]; + Lib_IntVector_Intrinsics_vec256 f130 = acc[3U]; + Lib_IntVector_Intrinsics_vec256 f140 = acc[4U]; + Lib_IntVector_Intrinsics_vec256 a0 = Lib_IntVector_Intrinsics_vec256_mul64(r0, f10); + Lib_IntVector_Intrinsics_vec256 a1 = Lib_IntVector_Intrinsics_vec256_mul64(r1, f10); + Lib_IntVector_Intrinsics_vec256 a2 = Lib_IntVector_Intrinsics_vec256_mul64(r2, f10); + Lib_IntVector_Intrinsics_vec256 a3 = Lib_IntVector_Intrinsics_vec256_mul64(r3, f10); + Lib_IntVector_Intrinsics_vec256 a4 = Lib_IntVector_Intrinsics_vec256_mul64(r4, f10); + Lib_IntVector_Intrinsics_vec256 + a01 = + Lib_IntVector_Intrinsics_vec256_add64(a0, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f110)); + Lib_IntVector_Intrinsics_vec256 + a11 = + Lib_IntVector_Intrinsics_vec256_add64(a1, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f110)); + Lib_IntVector_Intrinsics_vec256 + a21 = + Lib_IntVector_Intrinsics_vec256_add64(a2, + Lib_IntVector_Intrinsics_vec256_mul64(r1, f110)); + Lib_IntVector_Intrinsics_vec256 + a31 = + Lib_IntVector_Intrinsics_vec256_add64(a3, + Lib_IntVector_Intrinsics_vec256_mul64(r2, f110)); + Lib_IntVector_Intrinsics_vec256 + a41 = + Lib_IntVector_Intrinsics_vec256_add64(a4, + Lib_IntVector_Intrinsics_vec256_mul64(r3, f110)); + Lib_IntVector_Intrinsics_vec256 + a02 = + Lib_IntVector_Intrinsics_vec256_add64(a01, + Lib_IntVector_Intrinsics_vec256_mul64(r53, f120)); + Lib_IntVector_Intrinsics_vec256 + a12 = + Lib_IntVector_Intrinsics_vec256_add64(a11, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f120)); + Lib_IntVector_Intrinsics_vec256 + a22 = + 
Lib_IntVector_Intrinsics_vec256_add64(a21, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f120)); + Lib_IntVector_Intrinsics_vec256 + a32 = + Lib_IntVector_Intrinsics_vec256_add64(a31, + Lib_IntVector_Intrinsics_vec256_mul64(r1, f120)); + Lib_IntVector_Intrinsics_vec256 + a42 = + Lib_IntVector_Intrinsics_vec256_add64(a41, + Lib_IntVector_Intrinsics_vec256_mul64(r2, f120)); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r52, f130)); + Lib_IntVector_Intrinsics_vec256 + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r53, f130)); + Lib_IntVector_Intrinsics_vec256 + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f130)); + Lib_IntVector_Intrinsics_vec256 + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f130)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r1, f130)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r51, f140)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r52, f140)); + Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r53, f140)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f140)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f140)); + Lib_IntVector_Intrinsics_vec256 t01 = a04; + Lib_IntVector_Intrinsics_vec256 t1 = a14; + Lib_IntVector_Intrinsics_vec256 t2 = a24; + Lib_IntVector_Intrinsics_vec256 t3 = a34; + Lib_IntVector_Intrinsics_vec256 t4 = a44; + 
Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + x0 = Lib_IntVector_Intrinsics_vec256_and(t01, mask26); + Lib_IntVector_Intrinsics_vec256 + x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t1, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + Lib_IntVector_Intrinsics_vec256 + x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + Lib_IntVector_Intrinsics_vec256 + x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 + x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + Lib_IntVector_Intrinsics_vec256 + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 + x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 + x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 + x12 = 
Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + Lib_IntVector_Intrinsics_vec256 + x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o01 = x02; + Lib_IntVector_Intrinsics_vec256 o12 = x12; + Lib_IntVector_Intrinsics_vec256 o22 = x21; + Lib_IntVector_Intrinsics_vec256 o32 = x32; + Lib_IntVector_Intrinsics_vec256 o42 = x42; + acc[0U] = o01; + acc[1U] = o12; + acc[2U] = o22; + acc[3U] = o32; + acc[4U] = o42; + { + Lib_IntVector_Intrinsics_vec256 f100 = acc[0U]; + Lib_IntVector_Intrinsics_vec256 f11 = acc[1U]; + Lib_IntVector_Intrinsics_vec256 f12 = acc[2U]; + Lib_IntVector_Intrinsics_vec256 f13 = acc[3U]; + Lib_IntVector_Intrinsics_vec256 f14 = acc[4U]; + Lib_IntVector_Intrinsics_vec256 f20 = e[0U]; + Lib_IntVector_Intrinsics_vec256 f21 = e[1U]; + Lib_IntVector_Intrinsics_vec256 f22 = e[2U]; + Lib_IntVector_Intrinsics_vec256 f23 = e[3U]; + Lib_IntVector_Intrinsics_vec256 f24 = e[4U]; + Lib_IntVector_Intrinsics_vec256 + o0 = Lib_IntVector_Intrinsics_vec256_add64(f100, f20); + Lib_IntVector_Intrinsics_vec256 + o1 = Lib_IntVector_Intrinsics_vec256_add64(f11, f21); + Lib_IntVector_Intrinsics_vec256 + o2 = Lib_IntVector_Intrinsics_vec256_add64(f12, f22); + Lib_IntVector_Intrinsics_vec256 + o3 = Lib_IntVector_Intrinsics_vec256_add64(f13, f23); + Lib_IntVector_Intrinsics_vec256 + o4 = Lib_IntVector_Intrinsics_vec256_add64(f14, f24); + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + } + } + } + } + } + } + Hacl_Impl_Poly1305_Field32xN_256_fmul_r4_normalize(acc, pre); + } + } + len1 = len - len0; + t10 = text + len0; + nb0 = len1 / (uint32_t)16U; + rem = len1 % (uint32_t)16U; + { + uint32_t i; + for (i = (uint32_t)0U; i < nb0; i++) + { + uint8_t *block = t10 + i * (uint32_t)16U; + 
Lib_IntVector_Intrinsics_vec256 e[5U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + uint64_t u0 = load64_le(block); + uint64_t lo = u0; + uint64_t u = load64_le(block + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec256 f0 = Lib_IntVector_Intrinsics_vec256_load64(lo); + Lib_IntVector_Intrinsics_vec256 f1 = Lib_IntVector_Intrinsics_vec256_load64(hi); + Lib_IntVector_Intrinsics_vec256 + f010 = + Lib_IntVector_Intrinsics_vec256_and(f0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f110 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f20 = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec256_shift_left64(Lib_IntVector_Intrinsics_vec256_and(f1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec256 + f30 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f40 = Lib_IntVector_Intrinsics_vec256_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 f01 = f010; + Lib_IntVector_Intrinsics_vec256 f111 = f110; + Lib_IntVector_Intrinsics_vec256 f2 = f20; + Lib_IntVector_Intrinsics_vec256 f3 = f30; + Lib_IntVector_Intrinsics_vec256 f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + { + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_load64(b); + Lib_IntVector_Intrinsics_vec256 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec256_or(f4, mask); + { + 
Lib_IntVector_Intrinsics_vec256 *r = pre; + Lib_IntVector_Intrinsics_vec256 *r5 = pre + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 r0 = r[0U]; + Lib_IntVector_Intrinsics_vec256 r1 = r[1U]; + Lib_IntVector_Intrinsics_vec256 r2 = r[2U]; + Lib_IntVector_Intrinsics_vec256 r3 = r[3U]; + Lib_IntVector_Intrinsics_vec256 r4 = r[4U]; + Lib_IntVector_Intrinsics_vec256 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec256 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec256 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec256 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec256 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec256 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec256 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec256 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec256 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec256 a0 = acc[0U]; + Lib_IntVector_Intrinsics_vec256 a1 = acc[1U]; + Lib_IntVector_Intrinsics_vec256 a2 = acc[2U]; + Lib_IntVector_Intrinsics_vec256 a3 = acc[3U]; + Lib_IntVector_Intrinsics_vec256 a4 = acc[4U]; + Lib_IntVector_Intrinsics_vec256 a01 = Lib_IntVector_Intrinsics_vec256_add64(a0, f10); + Lib_IntVector_Intrinsics_vec256 a11 = Lib_IntVector_Intrinsics_vec256_add64(a1, f11); + Lib_IntVector_Intrinsics_vec256 a21 = Lib_IntVector_Intrinsics_vec256_add64(a2, f12); + Lib_IntVector_Intrinsics_vec256 a31 = Lib_IntVector_Intrinsics_vec256_add64(a3, f13); + Lib_IntVector_Intrinsics_vec256 a41 = Lib_IntVector_Intrinsics_vec256_add64(a4, f14); + Lib_IntVector_Intrinsics_vec256 a02 = Lib_IntVector_Intrinsics_vec256_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec256 a12 = Lib_IntVector_Intrinsics_vec256_mul64(r1, a01); + Lib_IntVector_Intrinsics_vec256 a22 = Lib_IntVector_Intrinsics_vec256_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec256 a32 = Lib_IntVector_Intrinsics_vec256_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec256 a42 = Lib_IntVector_Intrinsics_vec256_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + 
Lib_IntVector_Intrinsics_vec256_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec256 + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec256 + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a11)); + Lib_IntVector_Intrinsics_vec256 + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a21)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec256 + a05 = + Lib_IntVector_Intrinsics_vec256_add64(a04, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec256 + a15 = + Lib_IntVector_Intrinsics_vec256_add64(a14, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec256 + a25 = + Lib_IntVector_Intrinsics_vec256_add64(a24, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec256 + a35 = + Lib_IntVector_Intrinsics_vec256_add64(a34, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec256 + a45 = + Lib_IntVector_Intrinsics_vec256_add64(a44, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a31)); + 
Lib_IntVector_Intrinsics_vec256 + a06 = + Lib_IntVector_Intrinsics_vec256_add64(a05, + Lib_IntVector_Intrinsics_vec256_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec256 + a16 = + Lib_IntVector_Intrinsics_vec256_add64(a15, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec256 + a26 = + Lib_IntVector_Intrinsics_vec256_add64(a25, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec256 + a36 = + Lib_IntVector_Intrinsics_vec256_add64(a35, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec256 + a46 = + Lib_IntVector_Intrinsics_vec256_add64(a45, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec256 t01 = a06; + Lib_IntVector_Intrinsics_vec256 t11 = a16; + Lib_IntVector_Intrinsics_vec256 t2 = a26; + Lib_IntVector_Intrinsics_vec256 t3 = a36; + Lib_IntVector_Intrinsics_vec256 t4 = a46; + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_and(t01, mask26); + Lib_IntVector_Intrinsics_vec256 x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t11, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + 
Lib_IntVector_Intrinsics_vec256 x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + Lib_IntVector_Intrinsics_vec256 x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + Lib_IntVector_Intrinsics_vec256 + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 x12 = Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + Lib_IntVector_Intrinsics_vec256 x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o0 = x02; + Lib_IntVector_Intrinsics_vec256 o1 = x12; + Lib_IntVector_Intrinsics_vec256 o2 = x21; + Lib_IntVector_Intrinsics_vec256 o3 = x32; + Lib_IntVector_Intrinsics_vec256 o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + } + } + } + } + } + if (rem > (uint32_t)0U) + { + uint8_t *last = t10 + nb0 * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec256 e[5U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + uint8_t tmp[16U] = { 0U }; + uint64_t u0; + uint64_t lo; + uint64_t u; + uint64_t hi; + Lib_IntVector_Intrinsics_vec256 f0; + Lib_IntVector_Intrinsics_vec256 f1; + Lib_IntVector_Intrinsics_vec256 f010; + 
Lib_IntVector_Intrinsics_vec256 f110; + Lib_IntVector_Intrinsics_vec256 f20; + Lib_IntVector_Intrinsics_vec256 f30; + Lib_IntVector_Intrinsics_vec256 f40; + Lib_IntVector_Intrinsics_vec256 f01; + Lib_IntVector_Intrinsics_vec256 f111; + Lib_IntVector_Intrinsics_vec256 f2; + Lib_IntVector_Intrinsics_vec256 f3; + Lib_IntVector_Intrinsics_vec256 f4; + uint64_t b; + Lib_IntVector_Intrinsics_vec256 mask; + Lib_IntVector_Intrinsics_vec256 fi; + Lib_IntVector_Intrinsics_vec256 *r; + Lib_IntVector_Intrinsics_vec256 *r5; + Lib_IntVector_Intrinsics_vec256 r0; + Lib_IntVector_Intrinsics_vec256 r1; + Lib_IntVector_Intrinsics_vec256 r2; + Lib_IntVector_Intrinsics_vec256 r3; + Lib_IntVector_Intrinsics_vec256 r4; + Lib_IntVector_Intrinsics_vec256 r51; + Lib_IntVector_Intrinsics_vec256 r52; + Lib_IntVector_Intrinsics_vec256 r53; + Lib_IntVector_Intrinsics_vec256 r54; + Lib_IntVector_Intrinsics_vec256 f10; + Lib_IntVector_Intrinsics_vec256 f11; + Lib_IntVector_Intrinsics_vec256 f12; + Lib_IntVector_Intrinsics_vec256 f13; + Lib_IntVector_Intrinsics_vec256 f14; + Lib_IntVector_Intrinsics_vec256 a0; + Lib_IntVector_Intrinsics_vec256 a1; + Lib_IntVector_Intrinsics_vec256 a2; + Lib_IntVector_Intrinsics_vec256 a3; + Lib_IntVector_Intrinsics_vec256 a4; + Lib_IntVector_Intrinsics_vec256 a01; + Lib_IntVector_Intrinsics_vec256 a11; + Lib_IntVector_Intrinsics_vec256 a21; + Lib_IntVector_Intrinsics_vec256 a31; + Lib_IntVector_Intrinsics_vec256 a41; + Lib_IntVector_Intrinsics_vec256 a02; + Lib_IntVector_Intrinsics_vec256 a12; + Lib_IntVector_Intrinsics_vec256 a22; + Lib_IntVector_Intrinsics_vec256 a32; + Lib_IntVector_Intrinsics_vec256 a42; + Lib_IntVector_Intrinsics_vec256 a03; + Lib_IntVector_Intrinsics_vec256 a13; + Lib_IntVector_Intrinsics_vec256 a23; + Lib_IntVector_Intrinsics_vec256 a33; + Lib_IntVector_Intrinsics_vec256 a43; + Lib_IntVector_Intrinsics_vec256 a04; + Lib_IntVector_Intrinsics_vec256 a14; + Lib_IntVector_Intrinsics_vec256 a24; + Lib_IntVector_Intrinsics_vec256 a34; + 
Lib_IntVector_Intrinsics_vec256 a44; + Lib_IntVector_Intrinsics_vec256 a05; + Lib_IntVector_Intrinsics_vec256 a15; + Lib_IntVector_Intrinsics_vec256 a25; + Lib_IntVector_Intrinsics_vec256 a35; + Lib_IntVector_Intrinsics_vec256 a45; + Lib_IntVector_Intrinsics_vec256 a06; + Lib_IntVector_Intrinsics_vec256 a16; + Lib_IntVector_Intrinsics_vec256 a26; + Lib_IntVector_Intrinsics_vec256 a36; + Lib_IntVector_Intrinsics_vec256 a46; + Lib_IntVector_Intrinsics_vec256 t01; + Lib_IntVector_Intrinsics_vec256 t11; + Lib_IntVector_Intrinsics_vec256 t2; + Lib_IntVector_Intrinsics_vec256 t3; + Lib_IntVector_Intrinsics_vec256 t4; + Lib_IntVector_Intrinsics_vec256 mask26; + Lib_IntVector_Intrinsics_vec256 z0; + Lib_IntVector_Intrinsics_vec256 z1; + Lib_IntVector_Intrinsics_vec256 x0; + Lib_IntVector_Intrinsics_vec256 x3; + Lib_IntVector_Intrinsics_vec256 x1; + Lib_IntVector_Intrinsics_vec256 x4; + Lib_IntVector_Intrinsics_vec256 z01; + Lib_IntVector_Intrinsics_vec256 z11; + Lib_IntVector_Intrinsics_vec256 t; + Lib_IntVector_Intrinsics_vec256 z12; + Lib_IntVector_Intrinsics_vec256 x11; + Lib_IntVector_Intrinsics_vec256 x41; + Lib_IntVector_Intrinsics_vec256 x2; + Lib_IntVector_Intrinsics_vec256 x01; + Lib_IntVector_Intrinsics_vec256 z02; + Lib_IntVector_Intrinsics_vec256 z13; + Lib_IntVector_Intrinsics_vec256 x21; + Lib_IntVector_Intrinsics_vec256 x02; + Lib_IntVector_Intrinsics_vec256 x31; + Lib_IntVector_Intrinsics_vec256 x12; + Lib_IntVector_Intrinsics_vec256 z03; + Lib_IntVector_Intrinsics_vec256 x32; + Lib_IntVector_Intrinsics_vec256 x42; + Lib_IntVector_Intrinsics_vec256 o0; + Lib_IntVector_Intrinsics_vec256 o1; + Lib_IntVector_Intrinsics_vec256 o2; + Lib_IntVector_Intrinsics_vec256 o3; + Lib_IntVector_Intrinsics_vec256 o4; + memcpy(tmp, last, rem * sizeof (uint8_t)); + u0 = load64_le(tmp); + lo = u0; + u = load64_le(tmp + (uint32_t)8U); + hi = u; + f0 = Lib_IntVector_Intrinsics_vec256_load64(lo); + f1 = Lib_IntVector_Intrinsics_vec256_load64(hi); + f010 = + 
Lib_IntVector_Intrinsics_vec256_and(f0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + f110 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + f20 = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec256_shift_left64(Lib_IntVector_Intrinsics_vec256_and(f1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + f30 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + f40 = Lib_IntVector_Intrinsics_vec256_shift_right64(f1, (uint32_t)40U); + f01 = f010; + f111 = f110; + f2 = f20; + f3 = f30; + f4 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f4; + b = (uint64_t)1U << rem * (uint32_t)8U % (uint32_t)26U; + mask = Lib_IntVector_Intrinsics_vec256_load64(b); + fi = e[rem * (uint32_t)8U / (uint32_t)26U]; + e[rem * (uint32_t)8U / (uint32_t)26U] = Lib_IntVector_Intrinsics_vec256_or(fi, mask); + r = pre; + r5 = pre + (uint32_t)5U; + r0 = r[0U]; + r1 = r[1U]; + r2 = r[2U]; + r3 = r[3U]; + r4 = r[4U]; + r51 = r5[1U]; + r52 = r5[2U]; + r53 = r5[3U]; + r54 = r5[4U]; + f10 = e[0U]; + f11 = e[1U]; + f12 = e[2U]; + f13 = e[3U]; + f14 = e[4U]; + a0 = acc[0U]; + a1 = acc[1U]; + a2 = acc[2U]; + a3 = acc[3U]; + a4 = acc[4U]; + a01 = Lib_IntVector_Intrinsics_vec256_add64(a0, f10); + a11 = Lib_IntVector_Intrinsics_vec256_add64(a1, f11); + a21 = Lib_IntVector_Intrinsics_vec256_add64(a2, f12); + a31 = Lib_IntVector_Intrinsics_vec256_add64(a3, f13); + a41 = Lib_IntVector_Intrinsics_vec256_add64(a4, f14); + a02 = Lib_IntVector_Intrinsics_vec256_mul64(r0, a01); + a12 = Lib_IntVector_Intrinsics_vec256_mul64(r1, a01); + a22 = Lib_IntVector_Intrinsics_vec256_mul64(r2, a01); + a32 = 
Lib_IntVector_Intrinsics_vec256_mul64(r3, a01); + a42 = Lib_IntVector_Intrinsics_vec256_mul64(r4, a01); + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a11)); + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a11)); + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a11)); + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a11)); + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r3, a11)); + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a21)); + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a21)); + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a21)); + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a21)); + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a21)); + a05 = + Lib_IntVector_Intrinsics_vec256_add64(a04, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a31)); + a15 = + Lib_IntVector_Intrinsics_vec256_add64(a14, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a31)); + a25 = + Lib_IntVector_Intrinsics_vec256_add64(a24, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a31)); + a35 = + Lib_IntVector_Intrinsics_vec256_add64(a34, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a31)); + a45 = + Lib_IntVector_Intrinsics_vec256_add64(a44, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a31)); + a06 = + Lib_IntVector_Intrinsics_vec256_add64(a05, + Lib_IntVector_Intrinsics_vec256_mul64(r51, a41)); + a16 = + Lib_IntVector_Intrinsics_vec256_add64(a15, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a41)); + a26 = + Lib_IntVector_Intrinsics_vec256_add64(a25, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a41)); + a36 = + 
Lib_IntVector_Intrinsics_vec256_add64(a35, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a41)); + a46 = + Lib_IntVector_Intrinsics_vec256_add64(a45, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a41)); + t01 = a06; + t11 = a16; + t2 = a26; + t3 = a36; + t4 = a46; + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t01, (uint32_t)26U); + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + x0 = Lib_IntVector_Intrinsics_vec256_and(t01, mask26); + x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + x1 = Lib_IntVector_Intrinsics_vec256_add64(t11, z0); + x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + x12 = Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + o0 = x02; + o1 = x12; + o2 = x21; + o3 = x32; + o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + return; + } + } +} + +void +Hacl_Poly1305_256_poly1305_finish( + uint8_t *tag, + uint8_t 
*key, + Lib_IntVector_Intrinsics_vec256 *ctx +) +{ + Lib_IntVector_Intrinsics_vec256 *acc = ctx; + uint8_t *ks = key + (uint32_t)16U; + Lib_IntVector_Intrinsics_vec256 f00 = acc[0U]; + Lib_IntVector_Intrinsics_vec256 f13 = acc[1U]; + Lib_IntVector_Intrinsics_vec256 f23 = acc[2U]; + Lib_IntVector_Intrinsics_vec256 f33 = acc[3U]; + Lib_IntVector_Intrinsics_vec256 f40 = acc[4U]; + Lib_IntVector_Intrinsics_vec256 + l0 = Lib_IntVector_Intrinsics_vec256_add64(f00, Lib_IntVector_Intrinsics_vec256_zero); + Lib_IntVector_Intrinsics_vec256 + tmp00 = + Lib_IntVector_Intrinsics_vec256_and(l0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c00 = Lib_IntVector_Intrinsics_vec256_shift_right64(l0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l1 = Lib_IntVector_Intrinsics_vec256_add64(f13, c00); + Lib_IntVector_Intrinsics_vec256 + tmp10 = + Lib_IntVector_Intrinsics_vec256_and(l1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c10 = Lib_IntVector_Intrinsics_vec256_shift_right64(l1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l2 = Lib_IntVector_Intrinsics_vec256_add64(f23, c10); + Lib_IntVector_Intrinsics_vec256 + tmp20 = + Lib_IntVector_Intrinsics_vec256_and(l2, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c20 = Lib_IntVector_Intrinsics_vec256_shift_right64(l2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l3 = Lib_IntVector_Intrinsics_vec256_add64(f33, c20); + Lib_IntVector_Intrinsics_vec256 + tmp30 = + Lib_IntVector_Intrinsics_vec256_and(l3, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c30 = Lib_IntVector_Intrinsics_vec256_shift_right64(l3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l4 = Lib_IntVector_Intrinsics_vec256_add64(f40, c30); + Lib_IntVector_Intrinsics_vec256 + tmp40 = + Lib_IntVector_Intrinsics_vec256_and(l4, + 
Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c40 = Lib_IntVector_Intrinsics_vec256_shift_right64(l4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + f010 = + Lib_IntVector_Intrinsics_vec256_add64(tmp00, + Lib_IntVector_Intrinsics_vec256_smul64(c40, (uint64_t)5U)); + Lib_IntVector_Intrinsics_vec256 f110 = tmp10; + Lib_IntVector_Intrinsics_vec256 f210 = tmp20; + Lib_IntVector_Intrinsics_vec256 f310 = tmp30; + Lib_IntVector_Intrinsics_vec256 f410 = tmp40; + Lib_IntVector_Intrinsics_vec256 + l = Lib_IntVector_Intrinsics_vec256_add64(f010, Lib_IntVector_Intrinsics_vec256_zero); + Lib_IntVector_Intrinsics_vec256 + tmp0 = + Lib_IntVector_Intrinsics_vec256_and(l, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c0 = Lib_IntVector_Intrinsics_vec256_shift_right64(l, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l5 = Lib_IntVector_Intrinsics_vec256_add64(f110, c0); + Lib_IntVector_Intrinsics_vec256 + tmp1 = + Lib_IntVector_Intrinsics_vec256_and(l5, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c1 = Lib_IntVector_Intrinsics_vec256_shift_right64(l5, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l6 = Lib_IntVector_Intrinsics_vec256_add64(f210, c1); + Lib_IntVector_Intrinsics_vec256 + tmp2 = + Lib_IntVector_Intrinsics_vec256_and(l6, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c2 = Lib_IntVector_Intrinsics_vec256_shift_right64(l6, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l7 = Lib_IntVector_Intrinsics_vec256_add64(f310, c2); + Lib_IntVector_Intrinsics_vec256 + tmp3 = + Lib_IntVector_Intrinsics_vec256_and(l7, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c3 = Lib_IntVector_Intrinsics_vec256_shift_right64(l7, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l8 = 
Lib_IntVector_Intrinsics_vec256_add64(f410, c3); + Lib_IntVector_Intrinsics_vec256 + tmp4 = + Lib_IntVector_Intrinsics_vec256_and(l8, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c4 = Lib_IntVector_Intrinsics_vec256_shift_right64(l8, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + f02 = + Lib_IntVector_Intrinsics_vec256_add64(tmp0, + Lib_IntVector_Intrinsics_vec256_smul64(c4, (uint64_t)5U)); + Lib_IntVector_Intrinsics_vec256 f12 = tmp1; + Lib_IntVector_Intrinsics_vec256 f22 = tmp2; + Lib_IntVector_Intrinsics_vec256 f32 = tmp3; + Lib_IntVector_Intrinsics_vec256 f42 = tmp4; + Lib_IntVector_Intrinsics_vec256 + mh = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + ml = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3fffffbU); + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_eq64(f42, mh); + Lib_IntVector_Intrinsics_vec256 + mask1 = + Lib_IntVector_Intrinsics_vec256_and(mask, + Lib_IntVector_Intrinsics_vec256_eq64(f32, mh)); + Lib_IntVector_Intrinsics_vec256 + mask2 = + Lib_IntVector_Intrinsics_vec256_and(mask1, + Lib_IntVector_Intrinsics_vec256_eq64(f22, mh)); + Lib_IntVector_Intrinsics_vec256 + mask3 = + Lib_IntVector_Intrinsics_vec256_and(mask2, + Lib_IntVector_Intrinsics_vec256_eq64(f12, mh)); + Lib_IntVector_Intrinsics_vec256 + mask4 = + Lib_IntVector_Intrinsics_vec256_and(mask3, + Lib_IntVector_Intrinsics_vec256_lognot(Lib_IntVector_Intrinsics_vec256_gt64(ml, f02))); + Lib_IntVector_Intrinsics_vec256 ph = Lib_IntVector_Intrinsics_vec256_and(mask4, mh); + Lib_IntVector_Intrinsics_vec256 pl = Lib_IntVector_Intrinsics_vec256_and(mask4, ml); + Lib_IntVector_Intrinsics_vec256 o0 = Lib_IntVector_Intrinsics_vec256_sub64(f02, pl); + Lib_IntVector_Intrinsics_vec256 o1 = Lib_IntVector_Intrinsics_vec256_sub64(f12, ph); + Lib_IntVector_Intrinsics_vec256 o2 = Lib_IntVector_Intrinsics_vec256_sub64(f22, ph); + Lib_IntVector_Intrinsics_vec256 o3 
= Lib_IntVector_Intrinsics_vec256_sub64(f32, ph); + Lib_IntVector_Intrinsics_vec256 o4 = Lib_IntVector_Intrinsics_vec256_sub64(f42, ph); + Lib_IntVector_Intrinsics_vec256 f011 = o0; + Lib_IntVector_Intrinsics_vec256 f111 = o1; + Lib_IntVector_Intrinsics_vec256 f211 = o2; + Lib_IntVector_Intrinsics_vec256 f311 = o3; + Lib_IntVector_Intrinsics_vec256 f411 = o4; + Lib_IntVector_Intrinsics_vec256 f0; + Lib_IntVector_Intrinsics_vec256 f1; + Lib_IntVector_Intrinsics_vec256 f2; + Lib_IntVector_Intrinsics_vec256 f3; + Lib_IntVector_Intrinsics_vec256 f4; + uint64_t f01; + uint64_t f112; + uint64_t f212; + uint64_t f312; + uint64_t f41; + uint64_t lo0; + uint64_t hi0; + uint64_t f10; + uint64_t f11; + uint64_t u0; + uint64_t lo; + uint64_t u; + uint64_t hi; + uint64_t f20; + uint64_t f21; + uint64_t r0; + uint64_t r1; + uint64_t c; + uint64_t r11; + uint64_t f30; + uint64_t f31; + acc[0U] = f011; + acc[1U] = f111; + acc[2U] = f211; + acc[3U] = f311; + acc[4U] = f411; + f0 = acc[0U]; + f1 = acc[1U]; + f2 = acc[2U]; + f3 = acc[3U]; + f4 = acc[4U]; + f01 = Lib_IntVector_Intrinsics_vec256_extract64(f0, (uint32_t)0U); + f112 = Lib_IntVector_Intrinsics_vec256_extract64(f1, (uint32_t)0U); + f212 = Lib_IntVector_Intrinsics_vec256_extract64(f2, (uint32_t)0U); + f312 = Lib_IntVector_Intrinsics_vec256_extract64(f3, (uint32_t)0U); + f41 = Lib_IntVector_Intrinsics_vec256_extract64(f4, (uint32_t)0U); + lo0 = (f01 | f112 << (uint32_t)26U) | f212 << (uint32_t)52U; + hi0 = (f212 >> (uint32_t)12U | f312 << (uint32_t)14U) | f41 << (uint32_t)40U; + f10 = lo0; + f11 = hi0; + u0 = load64_le(ks); + lo = u0; + u = load64_le(ks + (uint32_t)8U); + hi = u; + f20 = lo; + f21 = hi; + r0 = f10 + f20; + r1 = f11 + f21; + c = (r0 ^ ((r0 ^ f20) | ((r0 - f20) ^ f20))) >> (uint32_t)63U; + r11 = r1 + c; + f30 = r0; + f31 = r11; + store64_le(tag, f30); + store64_le(tag + (uint32_t)8U, f31); +} + +void Hacl_Poly1305_256_poly1305_mac(uint8_t *tag, uint32_t len, uint8_t *text, uint8_t *key) +{ + 
Lib_IntVector_Intrinsics_vec256 ctx[25U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)25U; ++_i) + ctx[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + Hacl_Poly1305_256_poly1305_init(ctx, key); + Hacl_Poly1305_256_poly1305_update(ctx, len, text); + Hacl_Poly1305_256_poly1305_finish(tag, key, ctx); +} + diff --git a/src/c89/Hacl_Poly1305_32.c b/src/c89/Hacl_Poly1305_32.c new file mode 100644 index 00000000..21b37395 --- /dev/null +++ b/src/c89/Hacl_Poly1305_32.c 
@@ -0,0 +1,829 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Poly1305_32.h" + + + +uint32_t Hacl_Poly1305_32_blocklen = (uint32_t)16U; + +void Hacl_Poly1305_32_poly1305_init(uint64_t *ctx, uint8_t *key) +{ + uint64_t *acc = ctx; + uint64_t *pre = ctx + (uint32_t)5U; + uint8_t *kr = key; + uint64_t u0; + uint64_t lo; + uint64_t u; + uint64_t hi; + uint64_t mask0; + uint64_t mask1; + uint64_t lo1; + uint64_t hi1; + uint64_t *r; + uint64_t *r5; + uint64_t *rn; + uint64_t *rn_5; + uint64_t r_vec0; + uint64_t r_vec1; + uint64_t f00; + uint64_t f10; + uint64_t f25; + uint64_t f30; + uint64_t f40; + uint64_t f0; + uint64_t f1; + uint64_t f2; + uint64_t f3; + uint64_t f4; + uint64_t f20; + uint64_t f21; + uint64_t f22; + uint64_t f23; + uint64_t f24; + acc[0U] = (uint64_t)0U; + acc[1U] = (uint64_t)0U; + acc[2U] = (uint64_t)0U; + acc[3U] = (uint64_t)0U; + acc[4U] = (uint64_t)0U; + u0 = load64_le(kr); + lo = u0; + u = load64_le(kr + (uint32_t)8U); + hi = u; + mask0 = (uint64_t)0x0ffffffc0fffffffU; + mask1 = (uint64_t)0x0ffffffc0ffffffcU; + lo1 = lo & mask0; + hi1 = hi & mask1; + r = pre; + r5 = pre + (uint32_t)5U; + rn = pre + (uint32_t)10U; + rn_5 = pre + (uint32_t)15U; + r_vec0 = lo1; + r_vec1 = hi1; + f00 = r_vec0 & (uint64_t)0x3ffffffU; + f10 = r_vec0 >> (uint32_t)26U & (uint64_t)0x3ffffffU; + f25 = r_vec0 >> (uint32_t)52U | (r_vec1 & (uint64_t)0x3fffU) << (uint32_t)12U; + f30 = r_vec1 >> (uint32_t)14U & (uint64_t)0x3ffffffU; + f40 = r_vec1 >> (uint32_t)40U; + f0 = f00; + f1 = f10; + f2 = f25; + f3 = f30; + f4 = f40; + r[0U] = f0; + r[1U] = f1; + r[2U] = f2; + r[3U] = f3; + r[4U] = f4; + f20 = r[0U]; + f21 = r[1U]; + f22 = r[2U]; + f23 = r[3U]; + f24 = r[4U]; + r5[0U] = f20 * (uint64_t)5U; + r5[1U] = f21 * (uint64_t)5U; + r5[2U] = f22 * (uint64_t)5U; + r5[3U] = f23 * (uint64_t)5U; + r5[4U] = f24 * (uint64_t)5U; + rn[0U] = r[0U]; + rn[1U] = r[1U]; + rn[2U] = r[2U]; + rn[3U] = r[3U]; + rn[4U] = r[4U]; + rn_5[0U] = r5[0U]; + rn_5[1U] = r5[1U]; + rn_5[2U] = r5[2U]; + rn_5[3U] = r5[3U]; + rn_5[4U] = r5[4U]; +} 
+ +void Hacl_Poly1305_32_poly1305_update1(uint64_t *ctx, uint8_t *text) +{ + uint64_t *pre = ctx + (uint32_t)5U; + uint64_t *acc = ctx; + uint64_t e[5U] = { 0U }; + uint64_t u0 = load64_le(text); + uint64_t lo = u0; + uint64_t u = load64_le(text + (uint32_t)8U); + uint64_t hi = u; + uint64_t f0 = lo; + uint64_t f1 = hi; + uint64_t f010 = f0 & (uint64_t)0x3ffffffU; + uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU; + uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U; + uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU; + uint64_t f40 = f1 >> (uint32_t)40U; + uint64_t f01 = f010; + uint64_t f111 = f110; + uint64_t f2 = f20; + uint64_t f3 = f30; + uint64_t f41 = f40; + uint64_t b; + uint64_t mask; + uint64_t f4; + uint64_t *r; + uint64_t *r5; + uint64_t r0; + uint64_t r1; + uint64_t r2; + uint64_t r3; + uint64_t r4; + uint64_t r51; + uint64_t r52; + uint64_t r53; + uint64_t r54; + uint64_t f10; + uint64_t f11; + uint64_t f12; + uint64_t f13; + uint64_t f14; + uint64_t a0; + uint64_t a1; + uint64_t a2; + uint64_t a3; + uint64_t a4; + uint64_t a01; + uint64_t a11; + uint64_t a21; + uint64_t a31; + uint64_t a41; + uint64_t a02; + uint64_t a12; + uint64_t a22; + uint64_t a32; + uint64_t a42; + uint64_t a03; + uint64_t a13; + uint64_t a23; + uint64_t a33; + uint64_t a43; + uint64_t a04; + uint64_t a14; + uint64_t a24; + uint64_t a34; + uint64_t a44; + uint64_t a05; + uint64_t a15; + uint64_t a25; + uint64_t a35; + uint64_t a45; + uint64_t a06; + uint64_t a16; + uint64_t a26; + uint64_t a36; + uint64_t a46; + uint64_t t0; + uint64_t t1; + uint64_t t2; + uint64_t t3; + uint64_t t4; + uint64_t mask26; + uint64_t z0; + uint64_t z1; + uint64_t x0; + uint64_t x3; + uint64_t x1; + uint64_t x4; + uint64_t z01; + uint64_t z11; + uint64_t t; + uint64_t z12; + uint64_t x11; + uint64_t x41; + uint64_t x2; + uint64_t x01; + uint64_t z02; + uint64_t z13; + uint64_t x21; + uint64_t x02; + uint64_t x31; + uint64_t x12; + uint64_t z03; + 
uint64_t x32; + uint64_t x42; + uint64_t o0; + uint64_t o1; + uint64_t o2; + uint64_t o3; + uint64_t o4; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + b = (uint64_t)0x1000000U; + mask = b; + f4 = e[4U]; + e[4U] = f4 | mask; + r = pre; + r5 = pre + (uint32_t)5U; + r0 = r[0U]; + r1 = r[1U]; + r2 = r[2U]; + r3 = r[3U]; + r4 = r[4U]; + r51 = r5[1U]; + r52 = r5[2U]; + r53 = r5[3U]; + r54 = r5[4U]; + f10 = e[0U]; + f11 = e[1U]; + f12 = e[2U]; + f13 = e[3U]; + f14 = e[4U]; + a0 = acc[0U]; + a1 = acc[1U]; + a2 = acc[2U]; + a3 = acc[3U]; + a4 = acc[4U]; + a01 = a0 + f10; + a11 = a1 + f11; + a21 = a2 + f12; + a31 = a3 + f13; + a41 = a4 + f14; + a02 = r0 * a01; + a12 = r1 * a01; + a22 = r2 * a01; + a32 = r3 * a01; + a42 = r4 * a01; + a03 = a02 + r54 * a11; + a13 = a12 + r0 * a11; + a23 = a22 + r1 * a11; + a33 = a32 + r2 * a11; + a43 = a42 + r3 * a11; + a04 = a03 + r53 * a21; + a14 = a13 + r54 * a21; + a24 = a23 + r0 * a21; + a34 = a33 + r1 * a21; + a44 = a43 + r2 * a21; + a05 = a04 + r52 * a31; + a15 = a14 + r53 * a31; + a25 = a24 + r54 * a31; + a35 = a34 + r0 * a31; + a45 = a44 + r1 * a31; + a06 = a05 + r51 * a41; + a16 = a15 + r52 * a41; + a26 = a25 + r53 * a41; + a36 = a35 + r54 * a41; + a46 = a45 + r0 * a41; + t0 = a06; + t1 = a16; + t2 = a26; + t3 = a36; + t4 = a46; + mask26 = (uint64_t)0x3ffffffU; + z0 = t0 >> (uint32_t)26U; + z1 = t3 >> (uint32_t)26U; + x0 = t0 & mask26; + x3 = t3 & mask26; + x1 = t1 + z0; + x4 = t4 + z1; + z01 = x1 >> (uint32_t)26U; + z11 = x4 >> (uint32_t)26U; + t = z11 << (uint32_t)2U; + z12 = z11 + t; + x11 = x1 & mask26; + x41 = x4 & mask26; + x2 = t2 + z01; + x01 = x0 + z12; + z02 = x2 >> (uint32_t)26U; + z13 = x01 >> (uint32_t)26U; + x21 = x2 & mask26; + x02 = x01 & mask26; + x31 = x3 + z02; + x12 = x11 + z13; + z03 = x31 >> (uint32_t)26U; + x32 = x31 & mask26; + x42 = x41 + z03; + o0 = x02; + o1 = x12; + o2 = x21; + o3 = x32; + o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = 
o4; +} + +void Hacl_Poly1305_32_poly1305_update(uint64_t *ctx, uint32_t len, uint8_t *text) +{ + uint64_t *pre = ctx + (uint32_t)5U; + uint64_t *acc = ctx; + uint32_t nb = len / (uint32_t)16U; + uint32_t rem = len % (uint32_t)16U; + { + uint32_t i; + for (i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = text + i * (uint32_t)16U; + uint64_t e[5U] = { 0U }; + uint64_t u0 = load64_le(block); + uint64_t lo = u0; + uint64_t u = load64_le(block + (uint32_t)8U); + uint64_t hi = u; + uint64_t f0 = lo; + uint64_t f1 = hi; + uint64_t f010 = f0 & (uint64_t)0x3ffffffU; + uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU; + uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U; + uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU; + uint64_t f40 = f1 >> (uint32_t)40U; + uint64_t f01 = f010; + uint64_t f111 = f110; + uint64_t f2 = f20; + uint64_t f3 = f30; + uint64_t f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + { + uint64_t b = (uint64_t)0x1000000U; + uint64_t mask = b; + uint64_t f4 = e[4U]; + e[4U] = f4 | mask; + { + uint64_t *r = pre; + uint64_t *r5 = pre + (uint32_t)5U; + uint64_t r0 = r[0U]; + uint64_t r1 = r[1U]; + uint64_t r2 = r[2U]; + uint64_t r3 = r[3U]; + uint64_t r4 = r[4U]; + uint64_t r51 = r5[1U]; + uint64_t r52 = r5[2U]; + uint64_t r53 = r5[3U]; + uint64_t r54 = r5[4U]; + uint64_t f10 = e[0U]; + uint64_t f11 = e[1U]; + uint64_t f12 = e[2U]; + uint64_t f13 = e[3U]; + uint64_t f14 = e[4U]; + uint64_t a0 = acc[0U]; + uint64_t a1 = acc[1U]; + uint64_t a2 = acc[2U]; + uint64_t a3 = acc[3U]; + uint64_t a4 = acc[4U]; + uint64_t a01 = a0 + f10; + uint64_t a11 = a1 + f11; + uint64_t a21 = a2 + f12; + uint64_t a31 = a3 + f13; + uint64_t a41 = a4 + f14; + uint64_t a02 = r0 * a01; + uint64_t a12 = r1 * a01; + uint64_t a22 = r2 * a01; + uint64_t a32 = r3 * a01; + uint64_t a42 = r4 * a01; + uint64_t a03 = a02 + r54 * a11; + uint64_t a13 = a12 + r0 * a11; + uint64_t a23 = a22 + r1 * a11; + 
uint64_t a33 = a32 + r2 * a11; + uint64_t a43 = a42 + r3 * a11; + uint64_t a04 = a03 + r53 * a21; + uint64_t a14 = a13 + r54 * a21; + uint64_t a24 = a23 + r0 * a21; + uint64_t a34 = a33 + r1 * a21; + uint64_t a44 = a43 + r2 * a21; + uint64_t a05 = a04 + r52 * a31; + uint64_t a15 = a14 + r53 * a31; + uint64_t a25 = a24 + r54 * a31; + uint64_t a35 = a34 + r0 * a31; + uint64_t a45 = a44 + r1 * a31; + uint64_t a06 = a05 + r51 * a41; + uint64_t a16 = a15 + r52 * a41; + uint64_t a26 = a25 + r53 * a41; + uint64_t a36 = a35 + r54 * a41; + uint64_t a46 = a45 + r0 * a41; + uint64_t t0 = a06; + uint64_t t1 = a16; + uint64_t t2 = a26; + uint64_t t3 = a36; + uint64_t t4 = a46; + uint64_t mask26 = (uint64_t)0x3ffffffU; + uint64_t z0 = t0 >> (uint32_t)26U; + uint64_t z1 = t3 >> (uint32_t)26U; + uint64_t x0 = t0 & mask26; + uint64_t x3 = t3 & mask26; + uint64_t x1 = t1 + z0; + uint64_t x4 = t4 + z1; + uint64_t z01 = x1 >> (uint32_t)26U; + uint64_t z11 = x4 >> (uint32_t)26U; + uint64_t t = z11 << (uint32_t)2U; + uint64_t z12 = z11 + t; + uint64_t x11 = x1 & mask26; + uint64_t x41 = x4 & mask26; + uint64_t x2 = t2 + z01; + uint64_t x01 = x0 + z12; + uint64_t z02 = x2 >> (uint32_t)26U; + uint64_t z13 = x01 >> (uint32_t)26U; + uint64_t x21 = x2 & mask26; + uint64_t x02 = x01 & mask26; + uint64_t x31 = x3 + z02; + uint64_t x12 = x11 + z13; + uint64_t z03 = x31 >> (uint32_t)26U; + uint64_t x32 = x31 & mask26; + uint64_t x42 = x41 + z03; + uint64_t o0 = x02; + uint64_t o1 = x12; + uint64_t o2 = x21; + uint64_t o3 = x32; + uint64_t o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + } + } + } + } + if (rem > (uint32_t)0U) + { + uint8_t *last = text + nb * (uint32_t)16U; + uint64_t e[5U] = { 0U }; + uint8_t tmp[16U] = { 0U }; + uint64_t u0; + uint64_t lo; + uint64_t u; + uint64_t hi; + uint64_t f0; + uint64_t f1; + uint64_t f010; + uint64_t f110; + uint64_t f20; + uint64_t f30; + uint64_t f40; + uint64_t f01; + uint64_t f111; + uint64_t f2; + 
uint64_t f3; + uint64_t f4; + uint64_t b; + uint64_t mask; + uint64_t fi; + uint64_t *r; + uint64_t *r5; + uint64_t r0; + uint64_t r1; + uint64_t r2; + uint64_t r3; + uint64_t r4; + uint64_t r51; + uint64_t r52; + uint64_t r53; + uint64_t r54; + uint64_t f10; + uint64_t f11; + uint64_t f12; + uint64_t f13; + uint64_t f14; + uint64_t a0; + uint64_t a1; + uint64_t a2; + uint64_t a3; + uint64_t a4; + uint64_t a01; + uint64_t a11; + uint64_t a21; + uint64_t a31; + uint64_t a41; + uint64_t a02; + uint64_t a12; + uint64_t a22; + uint64_t a32; + uint64_t a42; + uint64_t a03; + uint64_t a13; + uint64_t a23; + uint64_t a33; + uint64_t a43; + uint64_t a04; + uint64_t a14; + uint64_t a24; + uint64_t a34; + uint64_t a44; + uint64_t a05; + uint64_t a15; + uint64_t a25; + uint64_t a35; + uint64_t a45; + uint64_t a06; + uint64_t a16; + uint64_t a26; + uint64_t a36; + uint64_t a46; + uint64_t t0; + uint64_t t1; + uint64_t t2; + uint64_t t3; + uint64_t t4; + uint64_t mask26; + uint64_t z0; + uint64_t z1; + uint64_t x0; + uint64_t x3; + uint64_t x1; + uint64_t x4; + uint64_t z01; + uint64_t z11; + uint64_t t; + uint64_t z12; + uint64_t x11; + uint64_t x41; + uint64_t x2; + uint64_t x01; + uint64_t z02; + uint64_t z13; + uint64_t x21; + uint64_t x02; + uint64_t x31; + uint64_t x12; + uint64_t z03; + uint64_t x32; + uint64_t x42; + uint64_t o0; + uint64_t o1; + uint64_t o2; + uint64_t o3; + uint64_t o4; + memcpy(tmp, last, rem * sizeof (uint8_t)); + u0 = load64_le(tmp); + lo = u0; + u = load64_le(tmp + (uint32_t)8U); + hi = u; + f0 = lo; + f1 = hi; + f010 = f0 & (uint64_t)0x3ffffffU; + f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU; + f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U; + f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU; + f40 = f1 >> (uint32_t)40U; + f01 = f010; + f111 = f110; + f2 = f20; + f3 = f30; + f4 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f4; + b = (uint64_t)1U << rem * (uint32_t)8U % (uint32_t)26U; + 
mask = b; + fi = e[rem * (uint32_t)8U / (uint32_t)26U]; + e[rem * (uint32_t)8U / (uint32_t)26U] = fi | mask; + r = pre; + r5 = pre + (uint32_t)5U; + r0 = r[0U]; + r1 = r[1U]; + r2 = r[2U]; + r3 = r[3U]; + r4 = r[4U]; + r51 = r5[1U]; + r52 = r5[2U]; + r53 = r5[3U]; + r54 = r5[4U]; + f10 = e[0U]; + f11 = e[1U]; + f12 = e[2U]; + f13 = e[3U]; + f14 = e[4U]; + a0 = acc[0U]; + a1 = acc[1U]; + a2 = acc[2U]; + a3 = acc[3U]; + a4 = acc[4U]; + a01 = a0 + f10; + a11 = a1 + f11; + a21 = a2 + f12; + a31 = a3 + f13; + a41 = a4 + f14; + a02 = r0 * a01; + a12 = r1 * a01; + a22 = r2 * a01; + a32 = r3 * a01; + a42 = r4 * a01; + a03 = a02 + r54 * a11; + a13 = a12 + r0 * a11; + a23 = a22 + r1 * a11; + a33 = a32 + r2 * a11; + a43 = a42 + r3 * a11; + a04 = a03 + r53 * a21; + a14 = a13 + r54 * a21; + a24 = a23 + r0 * a21; + a34 = a33 + r1 * a21; + a44 = a43 + r2 * a21; + a05 = a04 + r52 * a31; + a15 = a14 + r53 * a31; + a25 = a24 + r54 * a31; + a35 = a34 + r0 * a31; + a45 = a44 + r1 * a31; + a06 = a05 + r51 * a41; + a16 = a15 + r52 * a41; + a26 = a25 + r53 * a41; + a36 = a35 + r54 * a41; + a46 = a45 + r0 * a41; + t0 = a06; + t1 = a16; + t2 = a26; + t3 = a36; + t4 = a46; + mask26 = (uint64_t)0x3ffffffU; + z0 = t0 >> (uint32_t)26U; + z1 = t3 >> (uint32_t)26U; + x0 = t0 & mask26; + x3 = t3 & mask26; + x1 = t1 + z0; + x4 = t4 + z1; + z01 = x1 >> (uint32_t)26U; + z11 = x4 >> (uint32_t)26U; + t = z11 << (uint32_t)2U; + z12 = z11 + t; + x11 = x1 & mask26; + x41 = x4 & mask26; + x2 = t2 + z01; + x01 = x0 + z12; + z02 = x2 >> (uint32_t)26U; + z13 = x01 >> (uint32_t)26U; + x21 = x2 & mask26; + x02 = x01 & mask26; + x31 = x3 + z02; + x12 = x11 + z13; + z03 = x31 >> (uint32_t)26U; + x32 = x31 & mask26; + x42 = x41 + z03; + o0 = x02; + o1 = x12; + o2 = x21; + o3 = x32; + o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + return; + } +} + +void Hacl_Poly1305_32_poly1305_finish(uint8_t *tag, uint8_t *key, uint64_t *ctx) +{ + uint64_t *acc = ctx; + uint8_t *ks = 
key + (uint32_t)16U; + uint64_t f00 = acc[0U]; + uint64_t f13 = acc[1U]; + uint64_t f23 = acc[2U]; + uint64_t f33 = acc[3U]; + uint64_t f40 = acc[4U]; + uint64_t l0 = f00 + (uint64_t)0U; + uint64_t tmp00 = l0 & (uint64_t)0x3ffffffU; + uint64_t c00 = l0 >> (uint32_t)26U; + uint64_t l1 = f13 + c00; + uint64_t tmp10 = l1 & (uint64_t)0x3ffffffU; + uint64_t c10 = l1 >> (uint32_t)26U; + uint64_t l2 = f23 + c10; + uint64_t tmp20 = l2 & (uint64_t)0x3ffffffU; + uint64_t c20 = l2 >> (uint32_t)26U; + uint64_t l3 = f33 + c20; + uint64_t tmp30 = l3 & (uint64_t)0x3ffffffU; + uint64_t c30 = l3 >> (uint32_t)26U; + uint64_t l4 = f40 + c30; + uint64_t tmp40 = l4 & (uint64_t)0x3ffffffU; + uint64_t c40 = l4 >> (uint32_t)26U; + uint64_t f010 = tmp00 + c40 * (uint64_t)5U; + uint64_t f110 = tmp10; + uint64_t f210 = tmp20; + uint64_t f310 = tmp30; + uint64_t f410 = tmp40; + uint64_t l = f010 + (uint64_t)0U; + uint64_t tmp0 = l & (uint64_t)0x3ffffffU; + uint64_t c0 = l >> (uint32_t)26U; + uint64_t l5 = f110 + c0; + uint64_t tmp1 = l5 & (uint64_t)0x3ffffffU; + uint64_t c1 = l5 >> (uint32_t)26U; + uint64_t l6 = f210 + c1; + uint64_t tmp2 = l6 & (uint64_t)0x3ffffffU; + uint64_t c2 = l6 >> (uint32_t)26U; + uint64_t l7 = f310 + c2; + uint64_t tmp3 = l7 & (uint64_t)0x3ffffffU; + uint64_t c3 = l7 >> (uint32_t)26U; + uint64_t l8 = f410 + c3; + uint64_t tmp4 = l8 & (uint64_t)0x3ffffffU; + uint64_t c4 = l8 >> (uint32_t)26U; + uint64_t f02 = tmp0 + c4 * (uint64_t)5U; + uint64_t f12 = tmp1; + uint64_t f22 = tmp2; + uint64_t f32 = tmp3; + uint64_t f42 = tmp4; + uint64_t mh = (uint64_t)0x3ffffffU; + uint64_t ml = (uint64_t)0x3fffffbU; + uint64_t mask = FStar_UInt64_eq_mask(f42, mh); + uint64_t mask1 = mask & FStar_UInt64_eq_mask(f32, mh); + uint64_t mask2 = mask1 & FStar_UInt64_eq_mask(f22, mh); + uint64_t mask3 = mask2 & FStar_UInt64_eq_mask(f12, mh); + uint64_t mask4 = mask3 & ~~FStar_UInt64_gte_mask(f02, ml); + uint64_t ph = mask4 & mh; + uint64_t pl = mask4 & ml; + uint64_t o0 = f02 - pl; + uint64_t 
o1 = f12 - ph; + uint64_t o2 = f22 - ph; + uint64_t o3 = f32 - ph; + uint64_t o4 = f42 - ph; + uint64_t f011 = o0; + uint64_t f111 = o1; + uint64_t f211 = o2; + uint64_t f311 = o3; + uint64_t f411 = o4; + uint64_t f0; + uint64_t f1; + uint64_t f2; + uint64_t f3; + uint64_t f4; + uint64_t f01; + uint64_t f112; + uint64_t f212; + uint64_t f312; + uint64_t f41; + uint64_t lo0; + uint64_t hi0; + uint64_t f10; + uint64_t f11; + uint64_t u0; + uint64_t lo; + uint64_t u; + uint64_t hi; + uint64_t f20; + uint64_t f21; + uint64_t r0; + uint64_t r1; + uint64_t c; + uint64_t r11; + uint64_t f30; + uint64_t f31; + acc[0U] = f011; + acc[1U] = f111; + acc[2U] = f211; + acc[3U] = f311; + acc[4U] = f411; + f0 = acc[0U]; + f1 = acc[1U]; + f2 = acc[2U]; + f3 = acc[3U]; + f4 = acc[4U]; + f01 = f0; + f112 = f1; + f212 = f2; + f312 = f3; + f41 = f4; + lo0 = (f01 | f112 << (uint32_t)26U) | f212 << (uint32_t)52U; + hi0 = (f212 >> (uint32_t)12U | f312 << (uint32_t)14U) | f41 << (uint32_t)40U; + f10 = lo0; + f11 = hi0; + u0 = load64_le(ks); + lo = u0; + u = load64_le(ks + (uint32_t)8U); + hi = u; + f20 = lo; + f21 = hi; + r0 = f10 + f20; + r1 = f11 + f21; + c = (r0 ^ ((r0 ^ f20) | ((r0 - f20) ^ f20))) >> (uint32_t)63U; + r11 = r1 + c; + f30 = r0; + f31 = r11; + store64_le(tag, f30); + store64_le(tag + (uint32_t)8U, f31); +} + +void Hacl_Poly1305_32_poly1305_mac(uint8_t *tag, uint32_t len, uint8_t *text, uint8_t *key) +{ + uint64_t ctx[25U] = { 0U }; + Hacl_Poly1305_32_poly1305_init(ctx, key); + Hacl_Poly1305_32_poly1305_update(ctx, len, text); + Hacl_Poly1305_32_poly1305_finish(tag, key, ctx); +} + diff --git a/src/c89/Hacl_RSAPSS.c b/src/c89/Hacl_RSAPSS.c new file mode 100644 index 00000000..79ad2c5d --- /dev/null +++ b/src/c89/Hacl_RSAPSS.c 
@@ -0,0 +1,1023 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_RSAPSS.h" + +#include "internal/Hacl_Bignum.h" + +static inline uint32_t hash_len(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + return (uint32_t)16U; + } + case Spec_Hash_Definitions_SHA1: + { + return (uint32_t)20U; + } + case Spec_Hash_Definitions_SHA2_224: + { + return (uint32_t)28U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_SHA2_384: + { + return (uint32_t)48U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_Blake2S: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_Blake2B: + { + return (uint32_t)64U; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +static inline void +hash(Spec_Hash_Definitions_hash_alg a, uint8_t *mHash, uint32_t msgLen, uint8_t *msg) +{ + switch (a) + { + case Spec_Hash_Definitions_SHA2_256: + { + Hacl_Hash_SHA2_hash_256(msg, msgLen, mHash); + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + Hacl_Hash_SHA2_hash_384(msg, msgLen, mHash); + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + Hacl_Hash_SHA2_hash_512(msg, msgLen, mHash); + break; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +static inline void +mgf_hash( + Spec_Hash_Definitions_hash_alg a, + uint32_t len, + uint8_t *mgfseed, + uint32_t maskLen, + uint8_t *res +) +{ + KRML_CHECK_SIZE(sizeof (uint8_t), len + (uint32_t)4U); + { + uint8_t mgfseed_counter[len + (uint32_t)4U]; + memset(mgfseed_counter, 0U, (len + (uint32_t)4U) * sizeof (uint8_t)); + { + uint32_t hLen; + uint32_t n; + uint32_t accLen; + memcpy(mgfseed_counter, mgfseed, len * sizeof (uint8_t)); + hLen = hash_len(a); + n = (maskLen - (uint32_t)1U) / hLen + (uint32_t)1U; + accLen = n * hLen; + KRML_CHECK_SIZE(sizeof (uint8_t), accLen); + { 
+ uint8_t acc[accLen]; + memset(acc, 0U, accLen * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < n; i++) + { + uint8_t *acc_i = acc + i * hLen; + uint8_t *c = mgfseed_counter + len; + c[0U] = (uint8_t)(i >> (uint32_t)24U); + c[1U] = (uint8_t)(i >> (uint32_t)16U); + c[2U] = (uint8_t)(i >> (uint32_t)8U); + c[3U] = (uint8_t)i; + hash(a, acc_i, len + (uint32_t)4U, mgfseed_counter); + } + } + memcpy(res, acc, maskLen * sizeof (uint8_t)); + } + } + } +} + +static inline uint64_t check_num_bits_u64(uint32_t bs, uint64_t *b) +{ + uint32_t bLen = (bs - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + if (bs == (uint32_t)64U * bLen) + { + return (uint64_t)0xFFFFFFFFFFFFFFFFU; + } + KRML_CHECK_SIZE(sizeof (uint64_t), bLen); + { + uint64_t b2[bLen]; + memset(b2, 0U, bLen * sizeof (uint64_t)); + { + uint32_t i0 = bs / (uint32_t)64U; + uint32_t j = bs % (uint32_t)64U; + b2[i0] = b2[i0] | (uint64_t)1U << j; + { + uint64_t acc = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < bLen; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(b[i], b2[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(b[i], b2[i]); + acc = + (beq & acc) + | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + } + { + uint64_t res = acc; + return res; + } + } + } + } +} + +static inline uint64_t check_modulus_u64(uint32_t modBits, uint64_t *n) +{ + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint64_t bits0 = n[0U] & (uint64_t)1U; + uint64_t m0 = (uint64_t)0U - bits0; + KRML_CHECK_SIZE(sizeof (uint64_t), nLen); + { + uint64_t b2[nLen]; + memset(b2, 0U, nLen * sizeof (uint64_t)); + { + uint32_t i = (modBits - (uint32_t)1U) / (uint32_t)64U; + uint32_t j = (modBits - (uint32_t)1U) % (uint32_t)64U; + b2[i] = b2[i] | (uint64_t)1U << j; + { + uint64_t acc = (uint64_t)0U; + uint64_t res; + uint64_t m1; + uint64_t m2; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < nLen; i0++) + { + uint64_t beq = FStar_UInt64_eq_mask(b2[i0], n[i0]); + 
uint64_t blt = ~FStar_UInt64_gte_mask(b2[i0], n[i0]); + acc = + (beq & acc) + | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + } + res = acc; + m1 = res; + m2 = check_num_bits_u64(modBits, n); + return m0 & (m1 & m2); + } + } + } +} + +static inline uint64_t check_exponent_u64(uint32_t eBits, uint64_t *e) +{ + uint32_t eLen = (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + KRML_CHECK_SIZE(sizeof (uint64_t), eLen); + { + uint64_t bn_zero[eLen]; + memset(bn_zero, 0U, eLen * sizeof (uint64_t)); + { + uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; + uint64_t mask1; + uint64_t res; + uint64_t m0; + uint64_t m1; + { + uint32_t i; + for (i = (uint32_t)0U; i < eLen; i++) + { + uint64_t uu____0 = FStar_UInt64_eq_mask(e[i], bn_zero[i]); + mask = uu____0 & mask; + } + } + mask1 = mask; + res = mask1; + m0 = res; + m1 = check_num_bits_u64(eBits, e); + return ~m0 & m1; + } + } +} + +static inline void +pss_encode( + Spec_Hash_Definitions_hash_alg a, + uint32_t saltLen, + uint8_t *salt, + uint32_t msgLen, + uint8_t *msg, + uint32_t emBits, + uint8_t *em +) +{ + uint32_t hLen = hash_len(a); + KRML_CHECK_SIZE(sizeof (uint8_t), hLen); + { + uint8_t m1Hash[hLen]; + memset(m1Hash, 0U, hLen * sizeof (uint8_t)); + { + uint32_t m1Len = (uint32_t)8U + hLen + saltLen; + KRML_CHECK_SIZE(sizeof (uint8_t), m1Len); + { + uint8_t m1[m1Len]; + memset(m1, 0U, m1Len * sizeof (uint8_t)); + { + uint32_t emLen; + uint32_t dbLen; + hash(a, m1 + (uint32_t)8U, msgLen, msg); + memcpy(m1 + (uint32_t)8U + hLen, salt, saltLen * sizeof (uint8_t)); + hash(a, m1Hash, m1Len, m1); + emLen = (emBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + dbLen = emLen - hLen - (uint32_t)1U; + KRML_CHECK_SIZE(sizeof (uint8_t), dbLen); + { + uint8_t db[dbLen]; + memset(db, 0U, dbLen * sizeof (uint8_t)); + { + uint32_t last_before_salt = dbLen - saltLen - (uint32_t)1U; + db[last_before_salt] = (uint8_t)1U; + memcpy(db + last_before_salt + (uint32_t)1U, salt, saltLen * sizeof 
(uint8_t)); + KRML_CHECK_SIZE(sizeof (uint8_t), dbLen); + { + uint8_t dbMask[dbLen]; + memset(dbMask, 0U, dbLen * sizeof (uint8_t)); + { + uint32_t msBits; + mgf_hash(a, hLen, m1Hash, dbLen, dbMask); + { + uint32_t i; + for (i = (uint32_t)0U; i < dbLen; i++) + { + uint8_t *os = db; + uint8_t x = db[i] ^ dbMask[i]; + os[i] = x; + } + } + msBits = emBits % (uint32_t)8U; + if (msBits > (uint32_t)0U) + { + db[0U] = db[0U] & (uint8_t)0xffU >> ((uint32_t)8U - msBits); + } + memcpy(em, db, dbLen * sizeof (uint8_t)); + memcpy(em + dbLen, m1Hash, hLen * sizeof (uint8_t)); + em[emLen - (uint32_t)1U] = (uint8_t)0xbcU; + } + } + } + } + } + } + } + } +} + +static inline bool +pss_verify( + Spec_Hash_Definitions_hash_alg a, + uint32_t saltLen, + uint32_t msgLen, + uint8_t *msg, + uint32_t emBits, + uint8_t *em +) +{ + uint32_t emLen = (emBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t msBits = emBits % (uint32_t)8U; + uint8_t em_0; + if (msBits > (uint32_t)0U) + { + em_0 = em[0U] & (uint8_t)0xffU << msBits; + } + else + { + em_0 = (uint8_t)0U; + } + { + uint8_t em_last = em[emLen - (uint32_t)1U]; + if (emLen < saltLen + hash_len(a) + (uint32_t)2U) + { + return false; + } + if (!(em_last == (uint8_t)0xbcU && em_0 == (uint8_t)0U)) + { + return false; + } + { + uint32_t emLen1 = (emBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t hLen = hash_len(a); + KRML_CHECK_SIZE(sizeof (uint8_t), hLen); + { + uint8_t m1Hash0[hLen]; + memset(m1Hash0, 0U, hLen * sizeof (uint8_t)); + { + uint32_t dbLen = emLen1 - hLen - (uint32_t)1U; + uint8_t *maskedDB = em; + uint8_t *m1Hash = em + dbLen; + KRML_CHECK_SIZE(sizeof (uint8_t), dbLen); + { + uint8_t dbMask[dbLen]; + memset(dbMask, 0U, dbLen * sizeof (uint8_t)); + mgf_hash(a, hLen, m1Hash, dbLen, dbMask); + { + uint32_t i; + for (i = (uint32_t)0U; i < dbLen; i++) + { + uint8_t *os = dbMask; + uint8_t x = dbMask[i] ^ maskedDB[i]; + os[i] = x; + } + } + { + uint32_t msBits1 = emBits % (uint32_t)8U; + if (msBits1 > 
(uint32_t)0U) + { + dbMask[0U] = dbMask[0U] & (uint8_t)0xffU >> ((uint32_t)8U - msBits1); + } + { + uint32_t padLen = emLen1 - saltLen - hLen - (uint32_t)1U; + KRML_CHECK_SIZE(sizeof (uint8_t), padLen); + { + uint8_t pad2[padLen]; + memset(pad2, 0U, padLen * sizeof (uint8_t)); + pad2[padLen - (uint32_t)1U] = (uint8_t)0x01U; + { + uint8_t *pad = dbMask; + uint8_t *salt = dbMask + padLen; + uint8_t res = (uint8_t)255U; + { + uint32_t i; + for (i = (uint32_t)0U; i < padLen; i++) + { + uint8_t uu____0 = FStar_UInt8_eq_mask(pad[i], pad2[i]); + res = uu____0 & res; + } + } + { + uint8_t z = res; + if (!(z == (uint8_t)255U)) + { + return false; + } + { + uint32_t m1Len = (uint32_t)8U + hLen + saltLen; + KRML_CHECK_SIZE(sizeof (uint8_t), m1Len); + { + uint8_t m1[m1Len]; + memset(m1, 0U, m1Len * sizeof (uint8_t)); + hash(a, m1 + (uint32_t)8U, msgLen, msg); + memcpy(m1 + (uint32_t)8U + hLen, salt, saltLen * sizeof (uint8_t)); + hash(a, m1Hash0, m1Len, m1); + { + uint8_t res0 = (uint8_t)255U; + { + uint32_t i; + for (i = (uint32_t)0U; i < hLen; i++) + { + uint8_t uu____1 = FStar_UInt8_eq_mask(m1Hash0[i], m1Hash[i]); + res0 = uu____1 & res0; + } + } + { + uint8_t z0 = res0; + return z0 == (uint8_t)255U; + } + } + } + } + } + } + } + } + } + } + } + } + } + } +} + +static inline bool +load_pkey(uint32_t modBits, uint32_t eBits, uint8_t *nb, uint8_t *eb, uint64_t *pkey) +{ + uint32_t nbLen = (modBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t ebLen = (eBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint64_t *n = pkey; + uint64_t *r2 = pkey + nLen; + uint64_t *e = pkey + nLen + nLen; + uint64_t m0; + uint64_t m1; + uint64_t m; + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(nbLen, nb, n); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64((modBits - (uint32_t)1U) + / (uint32_t)64U + + (uint32_t)1U, + modBits - (uint32_t)1U, + n, + r2); + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(ebLen, 
eb, e); + m0 = check_modulus_u64(modBits, n); + m1 = check_exponent_u64(eBits, e); + m = m0 & m1; + return m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +static inline bool +load_skey( + uint32_t modBits, + uint32_t eBits, + uint32_t dBits, + uint8_t *nb, + uint8_t *eb, + uint8_t *db, + uint64_t *skey +) +{ + uint32_t dbLen = (dBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t eLen = (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t pkeyLen = nLen + nLen + eLen; + uint64_t *pkey = skey; + uint64_t *d = skey + pkeyLen; + bool b = load_pkey(modBits, eBits, nb, eb, pkey); + uint64_t m1; + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(dbLen, db, d); + m1 = check_exponent_u64(dBits, d); + return b && m1 == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +bool +Hacl_RSAPSS_rsapss_sign( + Spec_Hash_Definitions_hash_alg a, + uint32_t modBits, + uint32_t eBits, + uint32_t dBits, + uint64_t *skey, + uint32_t saltLen, + uint8_t *salt, + uint32_t msgLen, + uint8_t *msg, + uint8_t *sgnt +) +{ + uint32_t hLen = hash_len(a); + bool + b = + saltLen + <= (uint32_t)0xffffffffU - hLen - (uint32_t)8U + && + saltLen + + hLen + + (uint32_t)2U + <= (modBits - (uint32_t)1U - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + if (b) + { + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + KRML_CHECK_SIZE(sizeof (uint64_t), nLen); + { + uint64_t m[nLen]; + memset(m, 0U, nLen * sizeof (uint64_t)); + { + uint32_t emBits = modBits - (uint32_t)1U; + uint32_t emLen = (emBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + KRML_CHECK_SIZE(sizeof (uint8_t), emLen); + { + uint8_t em[emLen]; + memset(em, 0U, emLen * sizeof (uint8_t)); + pss_encode(a, saltLen, salt, msgLen, msg, emBits, em); + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(emLen, em, m); + { + uint32_t nLen1 = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t k = (modBits - (uint32_t)1U) / (uint32_t)8U + 
(uint32_t)1U; + KRML_CHECK_SIZE(sizeof (uint64_t), nLen1); + { + uint64_t s[nLen1]; + memset(s, 0U, nLen1 * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), nLen1); + { + uint64_t m_[nLen1]; + memset(m_, 0U, nLen1 * sizeof (uint64_t)); + { + uint32_t nLen2 = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t eLen = (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint64_t *n = skey; + uint64_t *r2 = skey + nLen2; + uint64_t *e = skey + nLen2 + nLen2; + uint64_t *d = skey + nLen2 + nLen2 + eLen; + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u64((modBits + - (uint32_t)1U) + / (uint32_t)64U + + (uint32_t)1U, + n, + mu, + r2, + m, + dBits, + d, + s); + { + uint64_t mu0 = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64((modBits + - (uint32_t)1U) + / (uint32_t)64U + + (uint32_t)1U, + n, + mu0, + r2, + s, + eBits, + e, + m_); + { + uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; + { + uint32_t i; + for (i = (uint32_t)0U; i < nLen2; i++) + { + uint64_t uu____0 = FStar_UInt64_eq_mask(m[i], m_[i]); + mask = uu____0 & mask; + } + } + { + uint64_t mask1 = mask; + uint64_t eq_m = mask1; + { + uint32_t i; + for (i = (uint32_t)0U; i < nLen2; i++) + { + uint64_t *os = s; + uint64_t x = s[i]; + uint64_t x0 = eq_m & x; + os[i] = x0; + } + } + { + bool eq_b = eq_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; + Hacl_Bignum_Convert_bn_to_bytes_be_uint64(k, s, sgnt); + { + bool eq_b0 = eq_b; + return eq_b0; + } + } + } + } + } + } + } + } + } + } + } + } + } + return false; +} + +bool +Hacl_RSAPSS_rsapss_verify( + Spec_Hash_Definitions_hash_alg a, + uint32_t modBits, + uint32_t eBits, + uint64_t *pkey, + uint32_t saltLen, + uint32_t sgntLen, + uint8_t *sgnt, + uint32_t msgLen, + uint8_t *msg +) +{ + uint32_t hLen = hash_len(a); + bool + b = + saltLen + <= (uint32_t)0xffffffffU - hLen - (uint32_t)8U + && sgntLen == (modBits - 
(uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + if (b) + { + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + KRML_CHECK_SIZE(sizeof (uint64_t), nLen); + { + uint64_t m[nLen]; + memset(m, 0U, nLen * sizeof (uint64_t)); + { + uint32_t nLen1 = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t k = (modBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + KRML_CHECK_SIZE(sizeof (uint64_t), nLen1); + { + uint64_t s[nLen1]; + memset(s, 0U, nLen1 * sizeof (uint64_t)); + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(k, sgnt, s); + { + uint32_t nLen2 = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint64_t *n = pkey; + uint64_t *r2 = pkey + nLen2; + uint64_t *e = pkey + nLen2 + nLen2; + uint64_t acc = (uint64_t)0U; + { + uint32_t i; + for (i = (uint32_t)0U; i < nLen2; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(s[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(s[i], n[i]); + acc = + (beq & acc) + | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + } + { + uint64_t mask = acc; + bool res; + if (mask == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64((modBits - (uint32_t)1U) + / (uint32_t)64U + + (uint32_t)1U, + n, + mu, + r2, + s, + eBits, + e, + m); + { + bool ite; + if (!((modBits - (uint32_t)1U) % (uint32_t)8U == (uint32_t)0U)) + { + ite = true; + } + else + { + uint32_t i = (modBits - (uint32_t)1U) / (uint32_t)64U; + uint32_t j = (modBits - (uint32_t)1U) % (uint32_t)64U; + uint64_t tmp = m[i]; + uint64_t get_bit = tmp >> j & (uint64_t)1U; + ite = get_bit == (uint64_t)0U; + } + if (ite) + { + res = true; + } + else + { + res = false; + } + } + } + else + { + res = false; + } + { + bool b1 = res; + bool b10 = b1; + if (b10) + { + uint32_t emBits = modBits - (uint32_t)1U; + uint32_t emLen = (emBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + KRML_CHECK_SIZE(sizeof 
(uint8_t), emLen); + { + uint8_t em[emLen]; + memset(em, 0U, emLen * sizeof (uint8_t)); + { + uint64_t *m1 = m; + Hacl_Bignum_Convert_bn_to_bytes_be_uint64(emLen, m1, em); + { + bool res0 = pss_verify(a, saltLen, msgLen, msg, emBits, em); + return res0; + } + } + } + } + return false; + } + } + } + } + } + } + } + return false; +} + +uint64_t +*Hacl_RSAPSS_new_rsapss_load_pkey(uint32_t modBits, uint32_t eBits, uint8_t *nb, uint8_t *eb) +{ + bool ite; + if ((uint32_t)1U < modBits && (uint32_t)0U < eBits) + { + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t eLen = (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + ite = + nLen + <= (uint32_t)33554431U + && eLen <= (uint32_t)67108863U + && nLen + nLen <= (uint32_t)0xffffffffU - eLen; + } + else + { + ite = false; + } + if (!ite) + { + return NULL; + } + { + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t eLen = (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t pkeyLen = nLen + nLen + eLen; + KRML_CHECK_SIZE(sizeof (uint64_t), pkeyLen); + { + uint64_t *pkey = (uint64_t *)KRML_HOST_CALLOC(pkeyLen, sizeof (uint64_t)); + if (pkey == NULL) + { + return pkey; + } + { + uint64_t *pkey1 = pkey; + uint64_t *pkey2 = pkey1; + uint32_t nbLen = (modBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t ebLen = (eBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t nLen1 = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint64_t *n = pkey2; + uint64_t *r2 = pkey2 + nLen1; + uint64_t *e = pkey2 + nLen1 + nLen1; + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(nbLen, nb, n); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64((modBits - (uint32_t)1U) + / (uint32_t)64U + + (uint32_t)1U, + modBits - (uint32_t)1U, + n, + r2); + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(ebLen, eb, e); + { + uint64_t m0 = check_modulus_u64(modBits, n); + uint64_t m1 = check_exponent_u64(eBits, e); + uint64_t m = m0 & m1; + bool b = m == 
(uint64_t)0xFFFFFFFFFFFFFFFFU; + if (b) + { + return pkey2; + } + return NULL; + } + } + } + } +} + +uint64_t +*Hacl_RSAPSS_new_rsapss_load_skey( + uint32_t modBits, + uint32_t eBits, + uint32_t dBits, + uint8_t *nb, + uint8_t *eb, + uint8_t *db +) +{ + bool ite0; + if ((uint32_t)1U < modBits && (uint32_t)0U < eBits) + { + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t eLen = (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + ite0 = + nLen + <= (uint32_t)33554431U + && eLen <= (uint32_t)67108863U + && nLen + nLen <= (uint32_t)0xffffffffU - eLen; + } + else + { + ite0 = false; + } + { + bool ite; + if (ite0 && (uint32_t)0U < dBits) + { + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t eLen = (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t dLen = (dBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + ite = + dLen + <= (uint32_t)67108863U + && (uint32_t)2U * nLen <= (uint32_t)0xffffffffU - eLen - dLen; + } + else + { + ite = false; + } + if (!ite) + { + return NULL; + } + { + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t eLen = (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t dLen = (dBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t skeyLen = nLen + nLen + eLen + dLen; + KRML_CHECK_SIZE(sizeof (uint64_t), skeyLen); + { + uint64_t *skey = (uint64_t *)KRML_HOST_CALLOC(skeyLen, sizeof (uint64_t)); + if (skey == NULL) + { + return skey; + } + { + uint64_t *skey1 = skey; + uint64_t *skey2 = skey1; + uint32_t dbLen = (dBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t nLen1 = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t eLen1 = (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t pkeyLen = nLen1 + nLen1 + eLen1; + uint64_t *pkey = skey2; + uint64_t *d = skey2 + pkeyLen; + uint32_t nbLen1 = (modBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t 
ebLen1 = (eBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t nLen2 = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint64_t *n = pkey; + uint64_t *r2 = pkey + nLen2; + uint64_t *e = pkey + nLen2 + nLen2; + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(nbLen1, nb, n); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64((modBits - (uint32_t)1U) + / (uint32_t)64U + + (uint32_t)1U, + modBits - (uint32_t)1U, + n, + r2); + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(ebLen1, eb, e); + { + uint64_t m0 = check_modulus_u64(modBits, n); + uint64_t m10 = check_exponent_u64(eBits, e); + uint64_t m = m0 & m10; + bool b = m == (uint64_t)0xFFFFFFFFFFFFFFFFU; + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(dbLen, db, d); + { + uint64_t m1 = check_exponent_u64(dBits, d); + bool b0 = b && m1 == (uint64_t)0xFFFFFFFFFFFFFFFFU; + if (b0) + { + return skey2; + } + return NULL; + } + } + } + } + } + } +} + +bool +Hacl_RSAPSS_rsapss_skey_sign( + Spec_Hash_Definitions_hash_alg a, + uint32_t modBits, + uint32_t eBits, + uint32_t dBits, + uint8_t *nb, + uint8_t *eb, + uint8_t *db, + uint32_t saltLen, + uint8_t *salt, + uint32_t msgLen, + uint8_t *msg, + uint8_t *sgnt +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), + (uint32_t)2U + * ((modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U) + + (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U + + (dBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U); + { + uint64_t + skey[(uint32_t)2U + * ((modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U) + + (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U + + (dBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U]; + memset(skey, + 0U, + ((uint32_t)2U + * ((modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U) + + (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U + + (dBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U) + * sizeof (uint64_t)); + { + bool b = load_skey(modBits, eBits, dBits, nb, eb, db, skey); + if (b) + { + return + Hacl_RSAPSS_rsapss_sign(a, + modBits, 
+ eBits, + dBits, + skey, + saltLen, + salt, + msgLen, + msg, + sgnt); + } + return false; + } + } +} + +bool +Hacl_RSAPSS_rsapss_pkey_verify( + Spec_Hash_Definitions_hash_alg a, + uint32_t modBits, + uint32_t eBits, + uint8_t *nb, + uint8_t *eb, + uint32_t saltLen, + uint32_t sgntLen, + uint8_t *sgnt, + uint32_t msgLen, + uint8_t *msg +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), + (uint32_t)2U + * ((modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U) + + (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U); + { + uint64_t + pkey[(uint32_t)2U + * ((modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U) + + (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U]; + memset(pkey, + 0U, + ((uint32_t)2U + * ((modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U) + + (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U) + * sizeof (uint64_t)); + { + bool b = load_pkey(modBits, eBits, nb, eb, pkey); + if (b) + { + return + Hacl_RSAPSS_rsapss_verify(a, + modBits, + eBits, + pkey, + saltLen, + sgntLen, + sgnt, + msgLen, + msg); + } + return false; + } + } +} + diff --git a/src/c89/Hacl_SHA2_Vec128.c b/src/c89/Hacl_SHA2_Vec128.c new file mode 100644 index 00000000..91ea3859 --- /dev/null +++ b/src/c89/Hacl_SHA2_Vec128.c 
@@ -0,0 +1,1368 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_SHA2_Vec128.h" + +#include "internal/Hacl_SHA2_Vec256.h" + +static inline void +sha224_update4( + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ block, + Lib_IntVector_Intrinsics_vec128 *hash +) +{ + Lib_IntVector_Intrinsics_vec128 hash_old[8U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)8U; ++_i) + hash_old[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + { + Lib_IntVector_Intrinsics_vec128 ws[16U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)16U; ++_i) + ws[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + { + uint8_t *b3; + uint8_t *b2; + uint8_t *b10; + uint8_t *b00; + Lib_IntVector_Intrinsics_vec128 v00; + Lib_IntVector_Intrinsics_vec128 v10; + Lib_IntVector_Intrinsics_vec128 v20; + Lib_IntVector_Intrinsics_vec128 v30; + Lib_IntVector_Intrinsics_vec128 v0_; + Lib_IntVector_Intrinsics_vec128 v1_; + Lib_IntVector_Intrinsics_vec128 v2_; + Lib_IntVector_Intrinsics_vec128 v3_; + Lib_IntVector_Intrinsics_vec128 v0__; + Lib_IntVector_Intrinsics_vec128 v1__; + Lib_IntVector_Intrinsics_vec128 v2__; + Lib_IntVector_Intrinsics_vec128 v3__; + Lib_IntVector_Intrinsics_vec128 v0__0; + Lib_IntVector_Intrinsics_vec128 v2__0; + Lib_IntVector_Intrinsics_vec128 v1__0; + Lib_IntVector_Intrinsics_vec128 v3__0; + Lib_IntVector_Intrinsics_vec128 ws0; + Lib_IntVector_Intrinsics_vec128 ws1; + Lib_IntVector_Intrinsics_vec128 ws2; + Lib_IntVector_Intrinsics_vec128 ws3; + Lib_IntVector_Intrinsics_vec128 v01; + Lib_IntVector_Intrinsics_vec128 v11; + Lib_IntVector_Intrinsics_vec128 v21; + Lib_IntVector_Intrinsics_vec128 v31; + Lib_IntVector_Intrinsics_vec128 v0_0; + Lib_IntVector_Intrinsics_vec128 v1_0; + Lib_IntVector_Intrinsics_vec128 v2_0; + Lib_IntVector_Intrinsics_vec128 v3_0; + Lib_IntVector_Intrinsics_vec128 v0__1; + Lib_IntVector_Intrinsics_vec128 v1__1; + Lib_IntVector_Intrinsics_vec128 v2__1; + Lib_IntVector_Intrinsics_vec128 v3__1; + Lib_IntVector_Intrinsics_vec128 v0__2; + Lib_IntVector_Intrinsics_vec128 v2__2; + 
Lib_IntVector_Intrinsics_vec128 v1__2; + Lib_IntVector_Intrinsics_vec128 v3__2; + Lib_IntVector_Intrinsics_vec128 ws4; + Lib_IntVector_Intrinsics_vec128 ws5; + Lib_IntVector_Intrinsics_vec128 ws6; + Lib_IntVector_Intrinsics_vec128 ws7; + Lib_IntVector_Intrinsics_vec128 v02; + Lib_IntVector_Intrinsics_vec128 v12; + Lib_IntVector_Intrinsics_vec128 v22; + Lib_IntVector_Intrinsics_vec128 v32; + Lib_IntVector_Intrinsics_vec128 v0_1; + Lib_IntVector_Intrinsics_vec128 v1_1; + Lib_IntVector_Intrinsics_vec128 v2_1; + Lib_IntVector_Intrinsics_vec128 v3_1; + Lib_IntVector_Intrinsics_vec128 v0__3; + Lib_IntVector_Intrinsics_vec128 v1__3; + Lib_IntVector_Intrinsics_vec128 v2__3; + Lib_IntVector_Intrinsics_vec128 v3__3; + Lib_IntVector_Intrinsics_vec128 v0__4; + Lib_IntVector_Intrinsics_vec128 v2__4; + Lib_IntVector_Intrinsics_vec128 v1__4; + Lib_IntVector_Intrinsics_vec128 v3__4; + Lib_IntVector_Intrinsics_vec128 ws8; + Lib_IntVector_Intrinsics_vec128 ws9; + Lib_IntVector_Intrinsics_vec128 ws10; + Lib_IntVector_Intrinsics_vec128 ws11; + Lib_IntVector_Intrinsics_vec128 v0; + Lib_IntVector_Intrinsics_vec128 v1; + Lib_IntVector_Intrinsics_vec128 v2; + Lib_IntVector_Intrinsics_vec128 v3; + Lib_IntVector_Intrinsics_vec128 v0_2; + Lib_IntVector_Intrinsics_vec128 v1_2; + Lib_IntVector_Intrinsics_vec128 v2_2; + Lib_IntVector_Intrinsics_vec128 v3_2; + Lib_IntVector_Intrinsics_vec128 v0__5; + Lib_IntVector_Intrinsics_vec128 v1__5; + Lib_IntVector_Intrinsics_vec128 v2__5; + Lib_IntVector_Intrinsics_vec128 v3__5; + Lib_IntVector_Intrinsics_vec128 v0__6; + Lib_IntVector_Intrinsics_vec128 v2__6; + Lib_IntVector_Intrinsics_vec128 v1__6; + Lib_IntVector_Intrinsics_vec128 v3__6; + Lib_IntVector_Intrinsics_vec128 ws12; + Lib_IntVector_Intrinsics_vec128 ws13; + Lib_IntVector_Intrinsics_vec128 ws14; + Lib_IntVector_Intrinsics_vec128 ws15; + memcpy(hash_old, hash, (uint32_t)8U * sizeof (Lib_IntVector_Intrinsics_vec128)); + b3 = block.snd.snd.snd; + b2 = block.snd.snd.fst; + b10 = block.snd.fst; + 
b00 = block.fst; + ws[0U] = Lib_IntVector_Intrinsics_vec128_load32_be(b00); + ws[1U] = Lib_IntVector_Intrinsics_vec128_load32_be(b10); + ws[2U] = Lib_IntVector_Intrinsics_vec128_load32_be(b2); + ws[3U] = Lib_IntVector_Intrinsics_vec128_load32_be(b3); + ws[4U] = Lib_IntVector_Intrinsics_vec128_load32_be(b00 + (uint32_t)16U); + ws[5U] = Lib_IntVector_Intrinsics_vec128_load32_be(b10 + (uint32_t)16U); + ws[6U] = Lib_IntVector_Intrinsics_vec128_load32_be(b2 + (uint32_t)16U); + ws[7U] = Lib_IntVector_Intrinsics_vec128_load32_be(b3 + (uint32_t)16U); + ws[8U] = Lib_IntVector_Intrinsics_vec128_load32_be(b00 + (uint32_t)32U); + ws[9U] = Lib_IntVector_Intrinsics_vec128_load32_be(b10 + (uint32_t)32U); + ws[10U] = Lib_IntVector_Intrinsics_vec128_load32_be(b2 + (uint32_t)32U); + ws[11U] = Lib_IntVector_Intrinsics_vec128_load32_be(b3 + (uint32_t)32U); + ws[12U] = Lib_IntVector_Intrinsics_vec128_load32_be(b00 + (uint32_t)48U); + ws[13U] = Lib_IntVector_Intrinsics_vec128_load32_be(b10 + (uint32_t)48U); + ws[14U] = Lib_IntVector_Intrinsics_vec128_load32_be(b2 + (uint32_t)48U); + ws[15U] = Lib_IntVector_Intrinsics_vec128_load32_be(b3 + (uint32_t)48U); + v00 = ws[0U]; + v10 = ws[1U]; + v20 = ws[2U]; + v30 = ws[3U]; + v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v00, v10); + v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v00, v10); + v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v20, v30); + v3_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v20, v30); + v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_); + v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_); + v2__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_); + v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_); + v0__0 = v0__; + v2__0 = v2__; + v1__0 = v1__; + v3__0 = v3__; + ws0 = v0__0; + ws1 = v1__0; + ws2 = v2__0; + ws3 = v3__0; + v01 = ws[4U]; + v11 = ws[5U]; + v21 = ws[6U]; + v31 = ws[7U]; + v0_0 = 
Lib_IntVector_Intrinsics_vec128_interleave_low32(v01, v11); + v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v01, v11); + v2_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v21, v31); + v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v21, v31); + v0__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0); + v1__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, v2_0); + v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0); + v3__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, v3_0); + v0__2 = v0__1; + v2__2 = v2__1; + v1__2 = v1__1; + v3__2 = v3__1; + ws4 = v0__2; + ws5 = v1__2; + ws6 = v2__2; + ws7 = v3__2; + v02 = ws[8U]; + v12 = ws[9U]; + v22 = ws[10U]; + v32 = ws[11U]; + v0_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v02, v12); + v1_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v02, v12); + v2_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v22, v32); + v3_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v22, v32); + v0__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_1, v2_1); + v1__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_1, v2_1); + v2__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_1, v3_1); + v3__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_1, v3_1); + v0__4 = v0__3; + v2__4 = v2__3; + v1__4 = v1__3; + v3__4 = v3__3; + ws8 = v0__4; + ws9 = v1__4; + ws10 = v2__4; + ws11 = v3__4; + v0 = ws[12U]; + v1 = ws[13U]; + v2 = ws[14U]; + v3 = ws[15U]; + v0_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v0, v1); + v1_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v0, v1); + v2_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v2, v3); + v3_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v2, v3); + v0__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_2, v2_2); + v1__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_2, v2_2); + v2__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_2, 
v3_2); + v3__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_2, v3_2); + v0__6 = v0__5; + v2__6 = v2__5; + v1__6 = v1__5; + v3__6 = v3__5; + ws12 = v0__6; + ws13 = v1__6; + ws14 = v2__6; + ws15 = v3__6; + ws[0U] = ws0; + ws[1U] = ws1; + ws[2U] = ws2; + ws[3U] = ws3; + ws[4U] = ws4; + ws[5U] = ws5; + ws[6U] = ws6; + ws[7U] = ws7; + ws[8U] = ws8; + ws[9U] = ws9; + ws[10U] = ws10; + ws[11U] = ws11; + ws[12U] = ws12; + ws[13U] = ws13; + ws[14U] = ws14; + ws[15U] = ws15; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i0 + i]; + Lib_IntVector_Intrinsics_vec128 ws_t = ws[i]; + Lib_IntVector_Intrinsics_vec128 a0 = hash[0U]; + Lib_IntVector_Intrinsics_vec128 b0 = hash[1U]; + Lib_IntVector_Intrinsics_vec128 c0 = hash[2U]; + Lib_IntVector_Intrinsics_vec128 d0 = hash[3U]; + Lib_IntVector_Intrinsics_vec128 e0 = hash[4U]; + Lib_IntVector_Intrinsics_vec128 f0 = hash[5U]; + Lib_IntVector_Intrinsics_vec128 g0 = hash[6U]; + Lib_IntVector_Intrinsics_vec128 h02 = hash[7U]; + Lib_IntVector_Intrinsics_vec128 k_e_t = Lib_IntVector_Intrinsics_vec128_load32(k_t); + Lib_IntVector_Intrinsics_vec128 + t1 = + Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(h02, + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(e0, + (uint32_t)6U), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(e0, + (uint32_t)11U), + Lib_IntVector_Intrinsics_vec128_rotate_right32(e0, (uint32_t)25U)))), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_and(e0, + f0), + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_lognot(e0), + g0))), + k_e_t), + ws_t); + Lib_IntVector_Intrinsics_vec128 + t2 = + 
Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(a0, + (uint32_t)2U), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(a0, + (uint32_t)13U), + Lib_IntVector_Intrinsics_vec128_rotate_right32(a0, (uint32_t)22U))), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_and(a0, b0), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_and(a0, c0), + Lib_IntVector_Intrinsics_vec128_and(b0, c0)))); + Lib_IntVector_Intrinsics_vec128 a1 = Lib_IntVector_Intrinsics_vec128_add32(t1, t2); + Lib_IntVector_Intrinsics_vec128 b1 = a0; + Lib_IntVector_Intrinsics_vec128 c1 = b0; + Lib_IntVector_Intrinsics_vec128 d1 = c0; + Lib_IntVector_Intrinsics_vec128 e1 = Lib_IntVector_Intrinsics_vec128_add32(d0, t1); + Lib_IntVector_Intrinsics_vec128 f1 = e0; + Lib_IntVector_Intrinsics_vec128 g1 = f0; + Lib_IntVector_Intrinsics_vec128 h12 = g0; + hash[0U] = a1; + hash[1U] = b1; + hash[2U] = c1; + hash[3U] = d1; + hash[4U] = e1; + hash[5U] = f1; + hash[6U] = g1; + hash[7U] = h12; + } + } + if (i0 < (uint32_t)4U - (uint32_t)1U) + { + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec128 t16 = ws[i]; + Lib_IntVector_Intrinsics_vec128 t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec128 t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec128 t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec128 + s1 = + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(t2, + (uint32_t)17U), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(t2, + (uint32_t)19U), + Lib_IntVector_Intrinsics_vec128_shift_right32(t2, (uint32_t)10U))); + Lib_IntVector_Intrinsics_vec128 + s0 = + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(t15, + (uint32_t)7U), + 
Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(t15, + (uint32_t)18U), + Lib_IntVector_Intrinsics_vec128_shift_right32(t15, (uint32_t)3U))); + ws[i] = + Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(s1, + t7), + s0), + t16); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec128 *os = hash; + Lib_IntVector_Intrinsics_vec128 + x = Lib_IntVector_Intrinsics_vec128_add32(hash[i], hash_old[i]); + os[i] = x; + } + } + } + } +} + +void +Hacl_SHA2_Vec128_sha224_4( + uint8_t *dst0, + uint8_t *dst1, + uint8_t *dst2, + uint8_t *dst3, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3 +) +{ + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ ib; + ib.fst = input0; + ib.snd.fst = input1; + ib.snd.snd.fst = input2; + ib.snd.snd.snd = input3; + { + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ rb; + rb.fst = dst0; + rb.snd.fst = dst1; + rb.snd.snd.fst = dst2; + rb.snd.snd.snd = dst3; + { + Lib_IntVector_Intrinsics_vec128 st[8U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)8U; ++_i) + st[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + { + uint32_t rem; + uint64_t len_; + uint32_t blocks0; + uint32_t rem1; + uint8_t *b30; + uint8_t *b20; + uint8_t *b10; + uint8_t *b00; + uint8_t *bl0; + uint8_t *bl10; + uint8_t *bl20; + uint8_t *bl30; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec128 *os = st; + uint32_t hi = Hacl_Impl_SHA2_Generic_h224[i]; + Lib_IntVector_Intrinsics_vec128 x = Lib_IntVector_Intrinsics_vec128_load32(hi); + os[i] = x; + } + } + rem = input_len % (uint32_t)64U; + len_ = (uint64_t)input_len; + blocks0 = input_len / (uint32_t)64U; + { + uint32_t i; + for (i = (uint32_t)0U; i < blocks0; i++) + { + uint8_t *b3 = ib.snd.snd.snd; + uint8_t *b2 = ib.snd.snd.fst; + uint8_t *b1 = ib.snd.fst; + 
uint8_t *b0 = ib.fst; + uint8_t *bl00 = b0 + i * (uint32_t)64U; + uint8_t *bl1 = b1 + i * (uint32_t)64U; + uint8_t *bl2 = b2 + i * (uint32_t)64U; + uint8_t *bl3 = b3 + i * (uint32_t)64U; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ lit; + lit.fst = bl00; + lit.snd.fst = bl1; + lit.snd.snd.fst = bl2; + lit.snd.snd.snd = bl3; + { + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ mb = lit; + sha224_update4(mb, st); + } + } + } + rem1 = input_len % (uint32_t)64U; + b30 = ib.snd.snd.snd; + b20 = ib.snd.snd.fst; + b10 = ib.snd.fst; + b00 = ib.fst; + bl0 = b00 + input_len - rem1; + bl10 = b10 + input_len - rem1; + bl20 = b20 + input_len - rem1; + bl30 = b30 + input_len - rem1; + { + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ lit0; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ lb; + lit0.fst = bl0; + lit0.snd.fst = bl10; + lit0.snd.snd.fst = bl20; + lit0.snd.snd.snd = bl30; + lb = lit0; + { + uint32_t blocks; + if (rem + (uint32_t)8U + (uint32_t)1U <= (uint32_t)64U) + { + blocks = (uint32_t)1U; + } + else + { + blocks = (uint32_t)2U; + } + { + uint32_t fin = blocks * (uint32_t)64U; + uint8_t last[512U] = { 0U }; + uint8_t totlen_buf[8U] = { 0U }; + uint64_t total_len_bits = len_ << (uint32_t)3U; + uint8_t *b31; + uint8_t *b21; + uint8_t *b11; + uint8_t *b01; + uint8_t *last00; + uint8_t *last10; + uint8_t *last2; + uint8_t *last3; + uint8_t *last010; + uint8_t *last110; + store64_be(totlen_buf, total_len_bits); + b31 = lb.snd.snd.snd; + b21 = lb.snd.snd.fst; + b11 = lb.snd.fst; + b01 = lb.fst; + last00 = last; + last10 = last + (uint32_t)128U; + last2 = last + (uint32_t)256U; + last3 = last + (uint32_t)384U; + memcpy(last00, b01, rem * sizeof (uint8_t)); + last00[rem] = (uint8_t)0x80U; + memcpy(last00 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + last010 = last00; + last110 = last00 + (uint32_t)64U; + { + K____uint8_t___uint8_t_ lit1; + K____uint8_t___uint8_t_ scrut0; + uint8_t *l00; + uint8_t *l01; + uint8_t *last011; 
+ uint8_t *last111; + lit1.fst = last010; + lit1.snd = last110; + scrut0 = lit1; + l00 = scrut0.fst; + l01 = scrut0.snd; + memcpy(last10, b11, rem * sizeof (uint8_t)); + last10[rem] = (uint8_t)0x80U; + memcpy(last10 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + last011 = last10; + last111 = last10 + (uint32_t)64U; + { + K____uint8_t___uint8_t_ lit2; + K____uint8_t___uint8_t_ scrut1; + uint8_t *l10; + uint8_t *l11; + uint8_t *last012; + uint8_t *last112; + lit2.fst = last011; + lit2.snd = last111; + scrut1 = lit2; + l10 = scrut1.fst; + l11 = scrut1.snd; + memcpy(last2, b21, rem * sizeof (uint8_t)); + last2[rem] = (uint8_t)0x80U; + memcpy(last2 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + last012 = last2; + last112 = last2 + (uint32_t)64U; + { + K____uint8_t___uint8_t_ lit3; + K____uint8_t___uint8_t_ scrut2; + uint8_t *l20; + uint8_t *l21; + uint8_t *last01; + uint8_t *last11; + lit3.fst = last012; + lit3.snd = last112; + scrut2 = lit3; + l20 = scrut2.fst; + l21 = scrut2.snd; + memcpy(last3, b31, rem * sizeof (uint8_t)); + last3[rem] = (uint8_t)0x80U; + memcpy(last3 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + last01 = last3; + last11 = last3 + (uint32_t)64U; + { + K____uint8_t___uint8_t_ lit4; + K____uint8_t___uint8_t_ scrut3; + uint8_t *l30; + uint8_t *l31; + lit4.fst = last01; + lit4.snd = last11; + scrut3 = lit4; + l30 = scrut3.fst; + l31 = scrut3.snd; + { + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ mb0; + mb0.fst = l00; + mb0.snd.fst = l10; + mb0.snd.snd.fst = l20; + mb0.snd.snd.snd = l30; + { + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ mb1; + mb1.fst = l01; + mb1.snd.fst = l11; + mb1.snd.snd.fst = l21; + mb1.snd.snd.snd = l31; + { + K___K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + lit; + K___K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + scrut; + 
K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ last0; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ last1; + lit.fst = mb0; + lit.snd = mb1; + scrut = lit; + last0 = scrut.fst; + last1 = scrut.snd; + sha224_update4(last0, st); + if (blocks > (uint32_t)1U) + { + sha224_update4(last1, st); + } + KRML_CHECK_SIZE(sizeof (uint8_t), + (uint32_t)4U * (uint32_t)8U * (uint32_t)4U); + { + uint8_t hbuf[(uint32_t)4U * (uint32_t)8U * (uint32_t)4U]; + memset(hbuf, + 0U, + (uint32_t)4U * (uint32_t)8U * (uint32_t)4U * sizeof (uint8_t)); + { + Lib_IntVector_Intrinsics_vec128 v00 = st[0U]; + Lib_IntVector_Intrinsics_vec128 v10 = st[1U]; + Lib_IntVector_Intrinsics_vec128 v20 = st[2U]; + Lib_IntVector_Intrinsics_vec128 v30 = st[3U]; + Lib_IntVector_Intrinsics_vec128 + v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v00, v10); + Lib_IntVector_Intrinsics_vec128 + v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v00, v10); + Lib_IntVector_Intrinsics_vec128 + v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v20, v30); + Lib_IntVector_Intrinsics_vec128 + v3_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v20, v30); + Lib_IntVector_Intrinsics_vec128 + v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v2__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 + v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 v0__0 = v0__; + Lib_IntVector_Intrinsics_vec128 v2__0 = v2__; + Lib_IntVector_Intrinsics_vec128 v1__0 = v1__; + Lib_IntVector_Intrinsics_vec128 v3__0 = v3__; + Lib_IntVector_Intrinsics_vec128 st0_ = v0__0; + Lib_IntVector_Intrinsics_vec128 st1_ = v1__0; + Lib_IntVector_Intrinsics_vec128 st2_ = v2__0; + Lib_IntVector_Intrinsics_vec128 st3_ = v3__0; + Lib_IntVector_Intrinsics_vec128 v0 = st[4U]; + 
Lib_IntVector_Intrinsics_vec128 v1 = st[5U]; + Lib_IntVector_Intrinsics_vec128 v2 = st[6U]; + Lib_IntVector_Intrinsics_vec128 v3 = st[7U]; + Lib_IntVector_Intrinsics_vec128 + v0_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v0, v1); + Lib_IntVector_Intrinsics_vec128 + v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v0, v1); + Lib_IntVector_Intrinsics_vec128 + v2_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v2, v3); + Lib_IntVector_Intrinsics_vec128 + v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v2, v3); + Lib_IntVector_Intrinsics_vec128 + v0__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v1__1 = + Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, + v2_0); + Lib_IntVector_Intrinsics_vec128 + v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 + v3__1 = + Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, + v3_0); + Lib_IntVector_Intrinsics_vec128 v0__2 = v0__1; + Lib_IntVector_Intrinsics_vec128 v2__2 = v2__1; + Lib_IntVector_Intrinsics_vec128 v1__2 = v1__1; + Lib_IntVector_Intrinsics_vec128 v3__2 = v3__1; + Lib_IntVector_Intrinsics_vec128 st4_ = v0__2; + Lib_IntVector_Intrinsics_vec128 st5_ = v1__2; + Lib_IntVector_Intrinsics_vec128 st6_ = v2__2; + Lib_IntVector_Intrinsics_vec128 st7_ = v3__2; + uint8_t *b3; + uint8_t *b2; + uint8_t *b1; + uint8_t *b0; + st[0U] = st0_; + st[1U] = st4_; + st[2U] = st1_; + st[3U] = st5_; + st[4U] = st2_; + st[5U] = st6_; + st[6U] = st3_; + st[7U] = st7_; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec128_store32_be(hbuf + + i * (uint32_t)16U, + st[i]); + } + } + b3 = rb.snd.snd.snd; + b2 = rb.snd.snd.fst; + b1 = rb.snd.fst; + b0 = rb.fst; + memcpy(b0, hbuf, (uint32_t)28U * sizeof (uint8_t)); + memcpy(b1, hbuf + (uint32_t)32U, (uint32_t)28U * sizeof (uint8_t)); + memcpy(b2, hbuf + (uint32_t)64U, (uint32_t)28U * sizeof (uint8_t)); + 
memcpy(b3, hbuf + (uint32_t)96U, (uint32_t)28U * sizeof (uint8_t)); + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } +} + +static inline void +sha256_update4( + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ block, + Lib_IntVector_Intrinsics_vec128 *hash +) +{ + Lib_IntVector_Intrinsics_vec128 hash_old[8U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)8U; ++_i) + hash_old[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + { + Lib_IntVector_Intrinsics_vec128 ws[16U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)16U; ++_i) + ws[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + { + uint8_t *b3; + uint8_t *b2; + uint8_t *b10; + uint8_t *b00; + Lib_IntVector_Intrinsics_vec128 v00; + Lib_IntVector_Intrinsics_vec128 v10; + Lib_IntVector_Intrinsics_vec128 v20; + Lib_IntVector_Intrinsics_vec128 v30; + Lib_IntVector_Intrinsics_vec128 v0_; + Lib_IntVector_Intrinsics_vec128 v1_; + Lib_IntVector_Intrinsics_vec128 v2_; + Lib_IntVector_Intrinsics_vec128 v3_; + Lib_IntVector_Intrinsics_vec128 v0__; + Lib_IntVector_Intrinsics_vec128 v1__; + Lib_IntVector_Intrinsics_vec128 v2__; + Lib_IntVector_Intrinsics_vec128 v3__; + Lib_IntVector_Intrinsics_vec128 v0__0; + Lib_IntVector_Intrinsics_vec128 v2__0; + Lib_IntVector_Intrinsics_vec128 v1__0; + Lib_IntVector_Intrinsics_vec128 v3__0; + Lib_IntVector_Intrinsics_vec128 ws0; + Lib_IntVector_Intrinsics_vec128 ws1; + Lib_IntVector_Intrinsics_vec128 ws2; + Lib_IntVector_Intrinsics_vec128 ws3; + Lib_IntVector_Intrinsics_vec128 v01; + Lib_IntVector_Intrinsics_vec128 v11; + Lib_IntVector_Intrinsics_vec128 v21; + Lib_IntVector_Intrinsics_vec128 v31; + Lib_IntVector_Intrinsics_vec128 v0_0; + Lib_IntVector_Intrinsics_vec128 v1_0; + Lib_IntVector_Intrinsics_vec128 v2_0; + Lib_IntVector_Intrinsics_vec128 v3_0; + Lib_IntVector_Intrinsics_vec128 v0__1; + Lib_IntVector_Intrinsics_vec128 v1__1; + Lib_IntVector_Intrinsics_vec128 v2__1; + Lib_IntVector_Intrinsics_vec128 v3__1; + Lib_IntVector_Intrinsics_vec128 v0__2; + 
Lib_IntVector_Intrinsics_vec128 v2__2; + Lib_IntVector_Intrinsics_vec128 v1__2; + Lib_IntVector_Intrinsics_vec128 v3__2; + Lib_IntVector_Intrinsics_vec128 ws4; + Lib_IntVector_Intrinsics_vec128 ws5; + Lib_IntVector_Intrinsics_vec128 ws6; + Lib_IntVector_Intrinsics_vec128 ws7; + Lib_IntVector_Intrinsics_vec128 v02; + Lib_IntVector_Intrinsics_vec128 v12; + Lib_IntVector_Intrinsics_vec128 v22; + Lib_IntVector_Intrinsics_vec128 v32; + Lib_IntVector_Intrinsics_vec128 v0_1; + Lib_IntVector_Intrinsics_vec128 v1_1; + Lib_IntVector_Intrinsics_vec128 v2_1; + Lib_IntVector_Intrinsics_vec128 v3_1; + Lib_IntVector_Intrinsics_vec128 v0__3; + Lib_IntVector_Intrinsics_vec128 v1__3; + Lib_IntVector_Intrinsics_vec128 v2__3; + Lib_IntVector_Intrinsics_vec128 v3__3; + Lib_IntVector_Intrinsics_vec128 v0__4; + Lib_IntVector_Intrinsics_vec128 v2__4; + Lib_IntVector_Intrinsics_vec128 v1__4; + Lib_IntVector_Intrinsics_vec128 v3__4; + Lib_IntVector_Intrinsics_vec128 ws8; + Lib_IntVector_Intrinsics_vec128 ws9; + Lib_IntVector_Intrinsics_vec128 ws10; + Lib_IntVector_Intrinsics_vec128 ws11; + Lib_IntVector_Intrinsics_vec128 v0; + Lib_IntVector_Intrinsics_vec128 v1; + Lib_IntVector_Intrinsics_vec128 v2; + Lib_IntVector_Intrinsics_vec128 v3; + Lib_IntVector_Intrinsics_vec128 v0_2; + Lib_IntVector_Intrinsics_vec128 v1_2; + Lib_IntVector_Intrinsics_vec128 v2_2; + Lib_IntVector_Intrinsics_vec128 v3_2; + Lib_IntVector_Intrinsics_vec128 v0__5; + Lib_IntVector_Intrinsics_vec128 v1__5; + Lib_IntVector_Intrinsics_vec128 v2__5; + Lib_IntVector_Intrinsics_vec128 v3__5; + Lib_IntVector_Intrinsics_vec128 v0__6; + Lib_IntVector_Intrinsics_vec128 v2__6; + Lib_IntVector_Intrinsics_vec128 v1__6; + Lib_IntVector_Intrinsics_vec128 v3__6; + Lib_IntVector_Intrinsics_vec128 ws12; + Lib_IntVector_Intrinsics_vec128 ws13; + Lib_IntVector_Intrinsics_vec128 ws14; + Lib_IntVector_Intrinsics_vec128 ws15; + memcpy(hash_old, hash, (uint32_t)8U * sizeof (Lib_IntVector_Intrinsics_vec128)); + b3 = block.snd.snd.snd; + b2 = 
block.snd.snd.fst; + b10 = block.snd.fst; + b00 = block.fst; + ws[0U] = Lib_IntVector_Intrinsics_vec128_load32_be(b00); + ws[1U] = Lib_IntVector_Intrinsics_vec128_load32_be(b10); + ws[2U] = Lib_IntVector_Intrinsics_vec128_load32_be(b2); + ws[3U] = Lib_IntVector_Intrinsics_vec128_load32_be(b3); + ws[4U] = Lib_IntVector_Intrinsics_vec128_load32_be(b00 + (uint32_t)16U); + ws[5U] = Lib_IntVector_Intrinsics_vec128_load32_be(b10 + (uint32_t)16U); + ws[6U] = Lib_IntVector_Intrinsics_vec128_load32_be(b2 + (uint32_t)16U); + ws[7U] = Lib_IntVector_Intrinsics_vec128_load32_be(b3 + (uint32_t)16U); + ws[8U] = Lib_IntVector_Intrinsics_vec128_load32_be(b00 + (uint32_t)32U); + ws[9U] = Lib_IntVector_Intrinsics_vec128_load32_be(b10 + (uint32_t)32U); + ws[10U] = Lib_IntVector_Intrinsics_vec128_load32_be(b2 + (uint32_t)32U); + ws[11U] = Lib_IntVector_Intrinsics_vec128_load32_be(b3 + (uint32_t)32U); + ws[12U] = Lib_IntVector_Intrinsics_vec128_load32_be(b00 + (uint32_t)48U); + ws[13U] = Lib_IntVector_Intrinsics_vec128_load32_be(b10 + (uint32_t)48U); + ws[14U] = Lib_IntVector_Intrinsics_vec128_load32_be(b2 + (uint32_t)48U); + ws[15U] = Lib_IntVector_Intrinsics_vec128_load32_be(b3 + (uint32_t)48U); + v00 = ws[0U]; + v10 = ws[1U]; + v20 = ws[2U]; + v30 = ws[3U]; + v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v00, v10); + v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v00, v10); + v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v20, v30); + v3_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v20, v30); + v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_); + v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_); + v2__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_); + v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_); + v0__0 = v0__; + v2__0 = v2__; + v1__0 = v1__; + v3__0 = v3__; + ws0 = v0__0; + ws1 = v1__0; + ws2 = v2__0; + ws3 = v3__0; + v01 = ws[4U]; + v11 = ws[5U]; + v21 = ws[6U]; + v31 = ws[7U]; 
+ v0_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v01, v11); + v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v01, v11); + v2_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v21, v31); + v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v21, v31); + v0__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0); + v1__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, v2_0); + v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0); + v3__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, v3_0); + v0__2 = v0__1; + v2__2 = v2__1; + v1__2 = v1__1; + v3__2 = v3__1; + ws4 = v0__2; + ws5 = v1__2; + ws6 = v2__2; + ws7 = v3__2; + v02 = ws[8U]; + v12 = ws[9U]; + v22 = ws[10U]; + v32 = ws[11U]; + v0_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v02, v12); + v1_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v02, v12); + v2_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v22, v32); + v3_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v22, v32); + v0__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_1, v2_1); + v1__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_1, v2_1); + v2__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_1, v3_1); + v3__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_1, v3_1); + v0__4 = v0__3; + v2__4 = v2__3; + v1__4 = v1__3; + v3__4 = v3__3; + ws8 = v0__4; + ws9 = v1__4; + ws10 = v2__4; + ws11 = v3__4; + v0 = ws[12U]; + v1 = ws[13U]; + v2 = ws[14U]; + v3 = ws[15U]; + v0_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v0, v1); + v1_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v0, v1); + v2_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v2, v3); + v3_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v2, v3); + v0__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_2, v2_2); + v1__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_2, v2_2); + v2__5 = 
Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_2, v3_2); + v3__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_2, v3_2); + v0__6 = v0__5; + v2__6 = v2__5; + v1__6 = v1__5; + v3__6 = v3__5; + ws12 = v0__6; + ws13 = v1__6; + ws14 = v2__6; + ws15 = v3__6; + ws[0U] = ws0; + ws[1U] = ws1; + ws[2U] = ws2; + ws[3U] = ws3; + ws[4U] = ws4; + ws[5U] = ws5; + ws[6U] = ws6; + ws[7U] = ws7; + ws[8U] = ws8; + ws[9U] = ws9; + ws[10U] = ws10; + ws[11U] = ws11; + ws[12U] = ws12; + ws[13U] = ws13; + ws[14U] = ws14; + ws[15U] = ws15; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i0 + i]; + Lib_IntVector_Intrinsics_vec128 ws_t = ws[i]; + Lib_IntVector_Intrinsics_vec128 a0 = hash[0U]; + Lib_IntVector_Intrinsics_vec128 b0 = hash[1U]; + Lib_IntVector_Intrinsics_vec128 c0 = hash[2U]; + Lib_IntVector_Intrinsics_vec128 d0 = hash[3U]; + Lib_IntVector_Intrinsics_vec128 e0 = hash[4U]; + Lib_IntVector_Intrinsics_vec128 f0 = hash[5U]; + Lib_IntVector_Intrinsics_vec128 g0 = hash[6U]; + Lib_IntVector_Intrinsics_vec128 h02 = hash[7U]; + Lib_IntVector_Intrinsics_vec128 k_e_t = Lib_IntVector_Intrinsics_vec128_load32(k_t); + Lib_IntVector_Intrinsics_vec128 + t1 = + Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(h02, + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(e0, + (uint32_t)6U), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(e0, + (uint32_t)11U), + Lib_IntVector_Intrinsics_vec128_rotate_right32(e0, (uint32_t)25U)))), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_and(e0, + f0), + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_lognot(e0), + g0))), + k_e_t), + ws_t); + Lib_IntVector_Intrinsics_vec128 + 
t2 = + Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(a0, + (uint32_t)2U), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(a0, + (uint32_t)13U), + Lib_IntVector_Intrinsics_vec128_rotate_right32(a0, (uint32_t)22U))), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_and(a0, b0), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_and(a0, c0), + Lib_IntVector_Intrinsics_vec128_and(b0, c0)))); + Lib_IntVector_Intrinsics_vec128 a1 = Lib_IntVector_Intrinsics_vec128_add32(t1, t2); + Lib_IntVector_Intrinsics_vec128 b1 = a0; + Lib_IntVector_Intrinsics_vec128 c1 = b0; + Lib_IntVector_Intrinsics_vec128 d1 = c0; + Lib_IntVector_Intrinsics_vec128 e1 = Lib_IntVector_Intrinsics_vec128_add32(d0, t1); + Lib_IntVector_Intrinsics_vec128 f1 = e0; + Lib_IntVector_Intrinsics_vec128 g1 = f0; + Lib_IntVector_Intrinsics_vec128 h12 = g0; + hash[0U] = a1; + hash[1U] = b1; + hash[2U] = c1; + hash[3U] = d1; + hash[4U] = e1; + hash[5U] = f1; + hash[6U] = g1; + hash[7U] = h12; + } + } + if (i0 < (uint32_t)4U - (uint32_t)1U) + { + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec128 t16 = ws[i]; + Lib_IntVector_Intrinsics_vec128 t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec128 t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec128 t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec128 + s1 = + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(t2, + (uint32_t)17U), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(t2, + (uint32_t)19U), + Lib_IntVector_Intrinsics_vec128_shift_right32(t2, (uint32_t)10U))); + Lib_IntVector_Intrinsics_vec128 + s0 = + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(t15, + (uint32_t)7U), + 
Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(t15, + (uint32_t)18U), + Lib_IntVector_Intrinsics_vec128_shift_right32(t15, (uint32_t)3U))); + ws[i] = + Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(s1, + t7), + s0), + t16); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec128 *os = hash; + Lib_IntVector_Intrinsics_vec128 + x = Lib_IntVector_Intrinsics_vec128_add32(hash[i], hash_old[i]); + os[i] = x; + } + } + } + } +} + +void +Hacl_SHA2_Vec128_sha256_4( + uint8_t *dst0, + uint8_t *dst1, + uint8_t *dst2, + uint8_t *dst3, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3 +) +{ + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ ib; + ib.fst = input0; + ib.snd.fst = input1; + ib.snd.snd.fst = input2; + ib.snd.snd.snd = input3; + { + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ rb; + rb.fst = dst0; + rb.snd.fst = dst1; + rb.snd.snd.fst = dst2; + rb.snd.snd.snd = dst3; + { + Lib_IntVector_Intrinsics_vec128 st[8U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)8U; ++_i) + st[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + { + uint32_t rem; + uint64_t len_; + uint32_t blocks0; + uint32_t rem1; + uint8_t *b30; + uint8_t *b20; + uint8_t *b10; + uint8_t *b00; + uint8_t *bl0; + uint8_t *bl10; + uint8_t *bl20; + uint8_t *bl30; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec128 *os = st; + uint32_t hi = Hacl_Impl_SHA2_Generic_h256[i]; + Lib_IntVector_Intrinsics_vec128 x = Lib_IntVector_Intrinsics_vec128_load32(hi); + os[i] = x; + } + } + rem = input_len % (uint32_t)64U; + len_ = (uint64_t)input_len; + blocks0 = input_len / (uint32_t)64U; + { + uint32_t i; + for (i = (uint32_t)0U; i < blocks0; i++) + { + uint8_t *b3 = ib.snd.snd.snd; + uint8_t *b2 = ib.snd.snd.fst; + uint8_t *b1 = ib.snd.fst; + 
uint8_t *b0 = ib.fst; + uint8_t *bl00 = b0 + i * (uint32_t)64U; + uint8_t *bl1 = b1 + i * (uint32_t)64U; + uint8_t *bl2 = b2 + i * (uint32_t)64U; + uint8_t *bl3 = b3 + i * (uint32_t)64U; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ lit; + lit.fst = bl00; + lit.snd.fst = bl1; + lit.snd.snd.fst = bl2; + lit.snd.snd.snd = bl3; + { + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ mb = lit; + sha256_update4(mb, st); + } + } + } + rem1 = input_len % (uint32_t)64U; + b30 = ib.snd.snd.snd; + b20 = ib.snd.snd.fst; + b10 = ib.snd.fst; + b00 = ib.fst; + bl0 = b00 + input_len - rem1; + bl10 = b10 + input_len - rem1; + bl20 = b20 + input_len - rem1; + bl30 = b30 + input_len - rem1; + { + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ lit0; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ lb; + lit0.fst = bl0; + lit0.snd.fst = bl10; + lit0.snd.snd.fst = bl20; + lit0.snd.snd.snd = bl30; + lb = lit0; + { + uint32_t blocks; + if (rem + (uint32_t)8U + (uint32_t)1U <= (uint32_t)64U) + { + blocks = (uint32_t)1U; + } + else + { + blocks = (uint32_t)2U; + } + { + uint32_t fin = blocks * (uint32_t)64U; + uint8_t last[512U] = { 0U }; + uint8_t totlen_buf[8U] = { 0U }; + uint64_t total_len_bits = len_ << (uint32_t)3U; + uint8_t *b31; + uint8_t *b21; + uint8_t *b11; + uint8_t *b01; + uint8_t *last00; + uint8_t *last10; + uint8_t *last2; + uint8_t *last3; + uint8_t *last010; + uint8_t *last110; + store64_be(totlen_buf, total_len_bits); + b31 = lb.snd.snd.snd; + b21 = lb.snd.snd.fst; + b11 = lb.snd.fst; + b01 = lb.fst; + last00 = last; + last10 = last + (uint32_t)128U; + last2 = last + (uint32_t)256U; + last3 = last + (uint32_t)384U; + memcpy(last00, b01, rem * sizeof (uint8_t)); + last00[rem] = (uint8_t)0x80U; + memcpy(last00 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + last010 = last00; + last110 = last00 + (uint32_t)64U; + { + K____uint8_t___uint8_t_ lit1; + K____uint8_t___uint8_t_ scrut0; + uint8_t *l00; + uint8_t *l01; + uint8_t *last011; 
+ uint8_t *last111; + lit1.fst = last010; + lit1.snd = last110; + scrut0 = lit1; + l00 = scrut0.fst; + l01 = scrut0.snd; + memcpy(last10, b11, rem * sizeof (uint8_t)); + last10[rem] = (uint8_t)0x80U; + memcpy(last10 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + last011 = last10; + last111 = last10 + (uint32_t)64U; + { + K____uint8_t___uint8_t_ lit2; + K____uint8_t___uint8_t_ scrut1; + uint8_t *l10; + uint8_t *l11; + uint8_t *last012; + uint8_t *last112; + lit2.fst = last011; + lit2.snd = last111; + scrut1 = lit2; + l10 = scrut1.fst; + l11 = scrut1.snd; + memcpy(last2, b21, rem * sizeof (uint8_t)); + last2[rem] = (uint8_t)0x80U; + memcpy(last2 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + last012 = last2; + last112 = last2 + (uint32_t)64U; + { + K____uint8_t___uint8_t_ lit3; + K____uint8_t___uint8_t_ scrut2; + uint8_t *l20; + uint8_t *l21; + uint8_t *last01; + uint8_t *last11; + lit3.fst = last012; + lit3.snd = last112; + scrut2 = lit3; + l20 = scrut2.fst; + l21 = scrut2.snd; + memcpy(last3, b31, rem * sizeof (uint8_t)); + last3[rem] = (uint8_t)0x80U; + memcpy(last3 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + last01 = last3; + last11 = last3 + (uint32_t)64U; + { + K____uint8_t___uint8_t_ lit4; + K____uint8_t___uint8_t_ scrut3; + uint8_t *l30; + uint8_t *l31; + lit4.fst = last01; + lit4.snd = last11; + scrut3 = lit4; + l30 = scrut3.fst; + l31 = scrut3.snd; + { + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ mb0; + mb0.fst = l00; + mb0.snd.fst = l10; + mb0.snd.snd.fst = l20; + mb0.snd.snd.snd = l30; + { + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ mb1; + mb1.fst = l01; + mb1.snd.fst = l11; + mb1.snd.snd.fst = l21; + mb1.snd.snd.snd = l31; + { + K___K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + lit; + K___K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + scrut; + 
K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ last0; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ last1; + lit.fst = mb0; + lit.snd = mb1; + scrut = lit; + last0 = scrut.fst; + last1 = scrut.snd; + sha256_update4(last0, st); + if (blocks > (uint32_t)1U) + { + sha256_update4(last1, st); + } + KRML_CHECK_SIZE(sizeof (uint8_t), + (uint32_t)4U * (uint32_t)8U * (uint32_t)4U); + { + uint8_t hbuf[(uint32_t)4U * (uint32_t)8U * (uint32_t)4U]; + memset(hbuf, + 0U, + (uint32_t)4U * (uint32_t)8U * (uint32_t)4U * sizeof (uint8_t)); + { + Lib_IntVector_Intrinsics_vec128 v00 = st[0U]; + Lib_IntVector_Intrinsics_vec128 v10 = st[1U]; + Lib_IntVector_Intrinsics_vec128 v20 = st[2U]; + Lib_IntVector_Intrinsics_vec128 v30 = st[3U]; + Lib_IntVector_Intrinsics_vec128 + v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v00, v10); + Lib_IntVector_Intrinsics_vec128 + v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v00, v10); + Lib_IntVector_Intrinsics_vec128 + v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v20, v30); + Lib_IntVector_Intrinsics_vec128 + v3_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v20, v30); + Lib_IntVector_Intrinsics_vec128 + v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v2__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 + v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 v0__0 = v0__; + Lib_IntVector_Intrinsics_vec128 v2__0 = v2__; + Lib_IntVector_Intrinsics_vec128 v1__0 = v1__; + Lib_IntVector_Intrinsics_vec128 v3__0 = v3__; + Lib_IntVector_Intrinsics_vec128 st0_ = v0__0; + Lib_IntVector_Intrinsics_vec128 st1_ = v1__0; + Lib_IntVector_Intrinsics_vec128 st2_ = v2__0; + Lib_IntVector_Intrinsics_vec128 st3_ = v3__0; + Lib_IntVector_Intrinsics_vec128 v0 = st[4U]; + 
Lib_IntVector_Intrinsics_vec128 v1 = st[5U]; + Lib_IntVector_Intrinsics_vec128 v2 = st[6U]; + Lib_IntVector_Intrinsics_vec128 v3 = st[7U]; + Lib_IntVector_Intrinsics_vec128 + v0_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v0, v1); + Lib_IntVector_Intrinsics_vec128 + v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v0, v1); + Lib_IntVector_Intrinsics_vec128 + v2_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v2, v3); + Lib_IntVector_Intrinsics_vec128 + v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v2, v3); + Lib_IntVector_Intrinsics_vec128 + v0__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v1__1 = + Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, + v2_0); + Lib_IntVector_Intrinsics_vec128 + v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 + v3__1 = + Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, + v3_0); + Lib_IntVector_Intrinsics_vec128 v0__2 = v0__1; + Lib_IntVector_Intrinsics_vec128 v2__2 = v2__1; + Lib_IntVector_Intrinsics_vec128 v1__2 = v1__1; + Lib_IntVector_Intrinsics_vec128 v3__2 = v3__1; + Lib_IntVector_Intrinsics_vec128 st4_ = v0__2; + Lib_IntVector_Intrinsics_vec128 st5_ = v1__2; + Lib_IntVector_Intrinsics_vec128 st6_ = v2__2; + Lib_IntVector_Intrinsics_vec128 st7_ = v3__2; + uint8_t *b3; + uint8_t *b2; + uint8_t *b1; + uint8_t *b0; + st[0U] = st0_; + st[1U] = st4_; + st[2U] = st1_; + st[3U] = st5_; + st[4U] = st2_; + st[5U] = st6_; + st[6U] = st3_; + st[7U] = st7_; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec128_store32_be(hbuf + + i * (uint32_t)16U, + st[i]); + } + } + b3 = rb.snd.snd.snd; + b2 = rb.snd.snd.fst; + b1 = rb.snd.fst; + b0 = rb.fst; + memcpy(b0, hbuf, (uint32_t)32U * sizeof (uint8_t)); + memcpy(b1, hbuf + (uint32_t)32U, (uint32_t)32U * sizeof (uint8_t)); + memcpy(b2, hbuf + (uint32_t)64U, (uint32_t)32U * sizeof (uint8_t)); + 
memcpy(b3, hbuf + (uint32_t)96U, (uint32_t)32U * sizeof (uint8_t)); + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } +} + diff --git a/src/c89/Hacl_SHA2_Vec256.c b/src/c89/Hacl_SHA2_Vec256.c new file mode 100644 index 00000000..299deff1 --- /dev/null +++ b/src/c89/Hacl_SHA2_Vec256.c 
@@ -0,0 +1,3505 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_SHA2_Vec256.h" + + + +typedef struct ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__s +{ + uint8_t *fst; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ snd; +} +___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_; + +typedef struct ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__s +{ + uint8_t *fst; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ snd; +} +___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_; + +typedef struct +___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__s +{ + uint8_t *fst; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ snd; +} +___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_; + +typedef struct +___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__s +{ + uint8_t *fst; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + snd; +} +___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_; + +static inline void +sha224_update8( + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + block, + Lib_IntVector_Intrinsics_vec256 *hash +) +{ + Lib_IntVector_Intrinsics_vec256 hash_old[8U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)8U; ++_i) + hash_old[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + Lib_IntVector_Intrinsics_vec256 ws[16U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)16U; ++_i) + ws[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + uint8_t *b7; + uint8_t *b6; + uint8_t *b5; + uint8_t *b4; + uint8_t *b3; + uint8_t *b2; + uint8_t *b10; + uint8_t *b00; + Lib_IntVector_Intrinsics_vec256 v00; + Lib_IntVector_Intrinsics_vec256 v10; + Lib_IntVector_Intrinsics_vec256 v20; 
+ Lib_IntVector_Intrinsics_vec256 v30; + Lib_IntVector_Intrinsics_vec256 v40; + Lib_IntVector_Intrinsics_vec256 v50; + Lib_IntVector_Intrinsics_vec256 v60; + Lib_IntVector_Intrinsics_vec256 v70; + Lib_IntVector_Intrinsics_vec256 v0_; + Lib_IntVector_Intrinsics_vec256 v1_; + Lib_IntVector_Intrinsics_vec256 v2_; + Lib_IntVector_Intrinsics_vec256 v3_; + Lib_IntVector_Intrinsics_vec256 v4_; + Lib_IntVector_Intrinsics_vec256 v5_; + Lib_IntVector_Intrinsics_vec256 v6_; + Lib_IntVector_Intrinsics_vec256 v7_; + Lib_IntVector_Intrinsics_vec256 v0_0; + Lib_IntVector_Intrinsics_vec256 v1_0; + Lib_IntVector_Intrinsics_vec256 v2_0; + Lib_IntVector_Intrinsics_vec256 v3_0; + Lib_IntVector_Intrinsics_vec256 v4_0; + Lib_IntVector_Intrinsics_vec256 v5_0; + Lib_IntVector_Intrinsics_vec256 v6_0; + Lib_IntVector_Intrinsics_vec256 v7_0; + Lib_IntVector_Intrinsics_vec256 v0_1; + Lib_IntVector_Intrinsics_vec256 v2_1; + Lib_IntVector_Intrinsics_vec256 v1_1; + Lib_IntVector_Intrinsics_vec256 v3_1; + Lib_IntVector_Intrinsics_vec256 v4_1; + Lib_IntVector_Intrinsics_vec256 v6_1; + Lib_IntVector_Intrinsics_vec256 v5_1; + Lib_IntVector_Intrinsics_vec256 v7_1; + Lib_IntVector_Intrinsics_vec256 v0_10; + Lib_IntVector_Intrinsics_vec256 v1_10; + Lib_IntVector_Intrinsics_vec256 v2_10; + Lib_IntVector_Intrinsics_vec256 v3_10; + Lib_IntVector_Intrinsics_vec256 v4_10; + Lib_IntVector_Intrinsics_vec256 v5_10; + Lib_IntVector_Intrinsics_vec256 v6_10; + Lib_IntVector_Intrinsics_vec256 v7_10; + Lib_IntVector_Intrinsics_vec256 v0_2; + Lib_IntVector_Intrinsics_vec256 v4_2; + Lib_IntVector_Intrinsics_vec256 v1_2; + Lib_IntVector_Intrinsics_vec256 v5_2; + Lib_IntVector_Intrinsics_vec256 v2_2; + Lib_IntVector_Intrinsics_vec256 v6_2; + Lib_IntVector_Intrinsics_vec256 v3_2; + Lib_IntVector_Intrinsics_vec256 v7_2; + Lib_IntVector_Intrinsics_vec256 v0_20; + Lib_IntVector_Intrinsics_vec256 v1_20; + Lib_IntVector_Intrinsics_vec256 v2_20; + Lib_IntVector_Intrinsics_vec256 v3_20; + Lib_IntVector_Intrinsics_vec256 v4_20; 
+ Lib_IntVector_Intrinsics_vec256 v5_20; + Lib_IntVector_Intrinsics_vec256 v6_20; + Lib_IntVector_Intrinsics_vec256 v7_20; + Lib_IntVector_Intrinsics_vec256 v0_3; + Lib_IntVector_Intrinsics_vec256 v1_3; + Lib_IntVector_Intrinsics_vec256 v2_3; + Lib_IntVector_Intrinsics_vec256 v3_3; + Lib_IntVector_Intrinsics_vec256 v4_3; + Lib_IntVector_Intrinsics_vec256 v5_3; + Lib_IntVector_Intrinsics_vec256 v6_3; + Lib_IntVector_Intrinsics_vec256 v7_3; + Lib_IntVector_Intrinsics_vec256 ws0; + Lib_IntVector_Intrinsics_vec256 ws1; + Lib_IntVector_Intrinsics_vec256 ws2; + Lib_IntVector_Intrinsics_vec256 ws3; + Lib_IntVector_Intrinsics_vec256 ws4; + Lib_IntVector_Intrinsics_vec256 ws5; + Lib_IntVector_Intrinsics_vec256 ws6; + Lib_IntVector_Intrinsics_vec256 ws7; + Lib_IntVector_Intrinsics_vec256 v0; + Lib_IntVector_Intrinsics_vec256 v1; + Lib_IntVector_Intrinsics_vec256 v2; + Lib_IntVector_Intrinsics_vec256 v3; + Lib_IntVector_Intrinsics_vec256 v4; + Lib_IntVector_Intrinsics_vec256 v5; + Lib_IntVector_Intrinsics_vec256 v6; + Lib_IntVector_Intrinsics_vec256 v7; + Lib_IntVector_Intrinsics_vec256 v0_4; + Lib_IntVector_Intrinsics_vec256 v1_4; + Lib_IntVector_Intrinsics_vec256 v2_4; + Lib_IntVector_Intrinsics_vec256 v3_4; + Lib_IntVector_Intrinsics_vec256 v4_4; + Lib_IntVector_Intrinsics_vec256 v5_4; + Lib_IntVector_Intrinsics_vec256 v6_4; + Lib_IntVector_Intrinsics_vec256 v7_4; + Lib_IntVector_Intrinsics_vec256 v0_5; + Lib_IntVector_Intrinsics_vec256 v1_5; + Lib_IntVector_Intrinsics_vec256 v2_5; + Lib_IntVector_Intrinsics_vec256 v3_5; + Lib_IntVector_Intrinsics_vec256 v4_5; + Lib_IntVector_Intrinsics_vec256 v5_5; + Lib_IntVector_Intrinsics_vec256 v6_5; + Lib_IntVector_Intrinsics_vec256 v7_5; + Lib_IntVector_Intrinsics_vec256 v0_11; + Lib_IntVector_Intrinsics_vec256 v2_11; + Lib_IntVector_Intrinsics_vec256 v1_11; + Lib_IntVector_Intrinsics_vec256 v3_11; + Lib_IntVector_Intrinsics_vec256 v4_11; + Lib_IntVector_Intrinsics_vec256 v6_11; + Lib_IntVector_Intrinsics_vec256 v5_11; + 
Lib_IntVector_Intrinsics_vec256 v7_11; + Lib_IntVector_Intrinsics_vec256 v0_12; + Lib_IntVector_Intrinsics_vec256 v1_12; + Lib_IntVector_Intrinsics_vec256 v2_12; + Lib_IntVector_Intrinsics_vec256 v3_12; + Lib_IntVector_Intrinsics_vec256 v4_12; + Lib_IntVector_Intrinsics_vec256 v5_12; + Lib_IntVector_Intrinsics_vec256 v6_12; + Lib_IntVector_Intrinsics_vec256 v7_12; + Lib_IntVector_Intrinsics_vec256 v0_21; + Lib_IntVector_Intrinsics_vec256 v4_21; + Lib_IntVector_Intrinsics_vec256 v1_21; + Lib_IntVector_Intrinsics_vec256 v5_21; + Lib_IntVector_Intrinsics_vec256 v2_21; + Lib_IntVector_Intrinsics_vec256 v6_21; + Lib_IntVector_Intrinsics_vec256 v3_21; + Lib_IntVector_Intrinsics_vec256 v7_21; + Lib_IntVector_Intrinsics_vec256 v0_22; + Lib_IntVector_Intrinsics_vec256 v1_22; + Lib_IntVector_Intrinsics_vec256 v2_22; + Lib_IntVector_Intrinsics_vec256 v3_22; + Lib_IntVector_Intrinsics_vec256 v4_22; + Lib_IntVector_Intrinsics_vec256 v5_22; + Lib_IntVector_Intrinsics_vec256 v6_22; + Lib_IntVector_Intrinsics_vec256 v7_22; + Lib_IntVector_Intrinsics_vec256 v0_6; + Lib_IntVector_Intrinsics_vec256 v1_6; + Lib_IntVector_Intrinsics_vec256 v2_6; + Lib_IntVector_Intrinsics_vec256 v3_6; + Lib_IntVector_Intrinsics_vec256 v4_6; + Lib_IntVector_Intrinsics_vec256 v5_6; + Lib_IntVector_Intrinsics_vec256 v6_6; + Lib_IntVector_Intrinsics_vec256 v7_6; + Lib_IntVector_Intrinsics_vec256 ws8; + Lib_IntVector_Intrinsics_vec256 ws9; + Lib_IntVector_Intrinsics_vec256 ws10; + Lib_IntVector_Intrinsics_vec256 ws11; + Lib_IntVector_Intrinsics_vec256 ws12; + Lib_IntVector_Intrinsics_vec256 ws13; + Lib_IntVector_Intrinsics_vec256 ws14; + Lib_IntVector_Intrinsics_vec256 ws15; + memcpy(hash_old, hash, (uint32_t)8U * sizeof (Lib_IntVector_Intrinsics_vec256)); + b7 = block.snd.snd.snd.snd.snd.snd.snd; + b6 = block.snd.snd.snd.snd.snd.snd.fst; + b5 = block.snd.snd.snd.snd.snd.fst; + b4 = block.snd.snd.snd.snd.fst; + b3 = block.snd.snd.snd.fst; + b2 = block.snd.snd.fst; + b10 = block.snd.fst; + b00 = block.fst; + 
ws[0U] = Lib_IntVector_Intrinsics_vec256_load32_be(b00); + ws[1U] = Lib_IntVector_Intrinsics_vec256_load32_be(b10); + ws[2U] = Lib_IntVector_Intrinsics_vec256_load32_be(b2); + ws[3U] = Lib_IntVector_Intrinsics_vec256_load32_be(b3); + ws[4U] = Lib_IntVector_Intrinsics_vec256_load32_be(b4); + ws[5U] = Lib_IntVector_Intrinsics_vec256_load32_be(b5); + ws[6U] = Lib_IntVector_Intrinsics_vec256_load32_be(b6); + ws[7U] = Lib_IntVector_Intrinsics_vec256_load32_be(b7); + ws[8U] = Lib_IntVector_Intrinsics_vec256_load32_be(b00 + (uint32_t)32U); + ws[9U] = Lib_IntVector_Intrinsics_vec256_load32_be(b10 + (uint32_t)32U); + ws[10U] = Lib_IntVector_Intrinsics_vec256_load32_be(b2 + (uint32_t)32U); + ws[11U] = Lib_IntVector_Intrinsics_vec256_load32_be(b3 + (uint32_t)32U); + ws[12U] = Lib_IntVector_Intrinsics_vec256_load32_be(b4 + (uint32_t)32U); + ws[13U] = Lib_IntVector_Intrinsics_vec256_load32_be(b5 + (uint32_t)32U); + ws[14U] = Lib_IntVector_Intrinsics_vec256_load32_be(b6 + (uint32_t)32U); + ws[15U] = Lib_IntVector_Intrinsics_vec256_load32_be(b7 + (uint32_t)32U); + v00 = ws[0U]; + v10 = ws[1U]; + v20 = ws[2U]; + v30 = ws[3U]; + v40 = ws[4U]; + v50 = ws[5U]; + v60 = ws[6U]; + v70 = ws[7U]; + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v00, v10); + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v00, v10); + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v20, v30); + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v20, v30); + v4_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v40, v50); + v5_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v40, v50); + v6_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v60, v70); + v7_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v60, v70); + v0_0 = v0_; + v1_0 = v1_; + v2_0 = v2_; + v3_0 = v3_; + v4_0 = v4_; + v5_0 = v5_; + v6_0 = v6_; + v7_0 = v7_; + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, v2_0); + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, v2_0); + 
v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, v3_0); + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, v3_0); + v4_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, v6_0); + v6_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, v6_0); + v5_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, v7_0); + v7_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, v7_0); + v0_10 = v0_1; + v1_10 = v1_1; + v2_10 = v2_1; + v3_10 = v3_1; + v4_10 = v4_1; + v5_10 = v5_1; + v6_10 = v6_1; + v7_10 = v7_1; + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_10, v4_10); + v4_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_10, v4_10); + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_10, v5_10); + v5_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_10, v5_10); + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_10, v6_10); + v6_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_10, v6_10); + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_10, v7_10); + v7_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_10, v7_10); + v0_20 = v0_2; + v1_20 = v1_2; + v2_20 = v2_2; + v3_20 = v3_2; + v4_20 = v4_2; + v5_20 = v5_2; + v6_20 = v6_2; + v7_20 = v7_2; + v0_3 = v0_20; + v1_3 = v1_20; + v2_3 = v2_20; + v3_3 = v3_20; + v4_3 = v4_20; + v5_3 = v5_20; + v6_3 = v6_20; + v7_3 = v7_20; + ws0 = v0_3; + ws1 = v2_3; + ws2 = v1_3; + ws3 = v3_3; + ws4 = v4_3; + ws5 = v6_3; + ws6 = v5_3; + ws7 = v7_3; + v0 = ws[8U]; + v1 = ws[9U]; + v2 = ws[10U]; + v3 = ws[11U]; + v4 = ws[12U]; + v5 = ws[13U]; + v6 = ws[14U]; + v7 = ws[15U]; + v0_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v0, v1); + v1_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v0, v1); + v2_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v2, v3); + v3_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v2, v3); + v4_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v4, v5); + v5_4 = 
Lib_IntVector_Intrinsics_vec256_interleave_high32(v4, v5); + v6_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v6, v7); + v7_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v6, v7); + v0_5 = v0_4; + v1_5 = v1_4; + v2_5 = v2_4; + v3_5 = v3_4; + v4_5 = v4_4; + v5_5 = v5_4; + v6_5 = v6_4; + v7_5 = v7_4; + v0_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_5, v2_5); + v2_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_5, v2_5); + v1_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_5, v3_5); + v3_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_5, v3_5); + v4_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_5, v6_5); + v6_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_5, v6_5); + v5_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_5, v7_5); + v7_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_5, v7_5); + v0_12 = v0_11; + v1_12 = v1_11; + v2_12 = v2_11; + v3_12 = v3_11; + v4_12 = v4_11; + v5_12 = v5_11; + v6_12 = v6_11; + v7_12 = v7_11; + v0_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_12, v4_12); + v4_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_12, v4_12); + v1_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_12, v5_12); + v5_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_12, v5_12); + v2_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_12, v6_12); + v6_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_12, v6_12); + v3_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_12, v7_12); + v7_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_12, v7_12); + v0_22 = v0_21; + v1_22 = v1_21; + v2_22 = v2_21; + v3_22 = v3_21; + v4_22 = v4_21; + v5_22 = v5_21; + v6_22 = v6_21; + v7_22 = v7_21; + v0_6 = v0_22; + v1_6 = v1_22; + v2_6 = v2_22; + v3_6 = v3_22; + v4_6 = v4_22; + v5_6 = v5_22; + v6_6 = v6_22; + v7_6 = v7_22; + ws8 = v0_6; + ws9 = v2_6; + ws10 = v1_6; + ws11 = v3_6; + ws12 = v4_6; + ws13 = v6_6; + ws14 = 
v5_6; + ws15 = v7_6; + ws[0U] = ws0; + ws[1U] = ws1; + ws[2U] = ws2; + ws[3U] = ws3; + ws[4U] = ws4; + ws[5U] = ws5; + ws[6U] = ws6; + ws[7U] = ws7; + ws[8U] = ws8; + ws[9U] = ws9; + ws[10U] = ws10; + ws[11U] = ws11; + ws[12U] = ws12; + ws[13U] = ws13; + ws[14U] = ws14; + ws[15U] = ws15; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i0 + i]; + Lib_IntVector_Intrinsics_vec256 ws_t = ws[i]; + Lib_IntVector_Intrinsics_vec256 a0 = hash[0U]; + Lib_IntVector_Intrinsics_vec256 b0 = hash[1U]; + Lib_IntVector_Intrinsics_vec256 c0 = hash[2U]; + Lib_IntVector_Intrinsics_vec256 d0 = hash[3U]; + Lib_IntVector_Intrinsics_vec256 e0 = hash[4U]; + Lib_IntVector_Intrinsics_vec256 f0 = hash[5U]; + Lib_IntVector_Intrinsics_vec256 g0 = hash[6U]; + Lib_IntVector_Intrinsics_vec256 h02 = hash[7U]; + Lib_IntVector_Intrinsics_vec256 k_e_t = Lib_IntVector_Intrinsics_vec256_load32(k_t); + Lib_IntVector_Intrinsics_vec256 + t1 = + Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(h02, + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(e0, + (uint32_t)6U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(e0, + (uint32_t)11U), + Lib_IntVector_Intrinsics_vec256_rotate_right32(e0, (uint32_t)25U)))), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(e0, + f0), + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_lognot(e0), + g0))), + k_e_t), + ws_t); + Lib_IntVector_Intrinsics_vec256 + t2 = + Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(a0, + (uint32_t)2U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(a0, + 
(uint32_t)13U), + Lib_IntVector_Intrinsics_vec256_rotate_right32(a0, (uint32_t)22U))), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(a0, b0), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(a0, c0), + Lib_IntVector_Intrinsics_vec256_and(b0, c0)))); + Lib_IntVector_Intrinsics_vec256 a1 = Lib_IntVector_Intrinsics_vec256_add32(t1, t2); + Lib_IntVector_Intrinsics_vec256 b1 = a0; + Lib_IntVector_Intrinsics_vec256 c1 = b0; + Lib_IntVector_Intrinsics_vec256 d1 = c0; + Lib_IntVector_Intrinsics_vec256 e1 = Lib_IntVector_Intrinsics_vec256_add32(d0, t1); + Lib_IntVector_Intrinsics_vec256 f1 = e0; + Lib_IntVector_Intrinsics_vec256 g1 = f0; + Lib_IntVector_Intrinsics_vec256 h12 = g0; + hash[0U] = a1; + hash[1U] = b1; + hash[2U] = c1; + hash[3U] = d1; + hash[4U] = e1; + hash[5U] = f1; + hash[6U] = g1; + hash[7U] = h12; + } + } + if (i0 < (uint32_t)4U - (uint32_t)1U) + { + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec256 t16 = ws[i]; + Lib_IntVector_Intrinsics_vec256 t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 + s1 = + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(t2, + (uint32_t)17U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(t2, + (uint32_t)19U), + Lib_IntVector_Intrinsics_vec256_shift_right32(t2, (uint32_t)10U))); + Lib_IntVector_Intrinsics_vec256 + s0 = + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(t15, + (uint32_t)7U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(t15, + (uint32_t)18U), + Lib_IntVector_Intrinsics_vec256_shift_right32(t15, (uint32_t)3U))); + ws[i] = + 
Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(s1, + t7), + s0), + t16); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256 *os = hash; + Lib_IntVector_Intrinsics_vec256 + x = Lib_IntVector_Intrinsics_vec256_add32(hash[i], hash_old[i]); + os[i] = x; + } + } + } + } +} + +typedef struct +__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__s +{ + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + fst; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + snd; +} +__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_; + +void +Hacl_SHA2_Vec256_sha224_8( + uint8_t *dst0, + uint8_t *dst1, + uint8_t *dst2, + uint8_t *dst3, + uint8_t *dst4, + uint8_t *dst5, + uint8_t *dst6, + uint8_t *dst7, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3, + uint8_t *input4, + uint8_t *input5, + uint8_t *input6, + uint8_t *input7 +) +{ + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + ib; + ib.fst = input0; + ib.snd.fst = input1; + ib.snd.snd.fst = input2; + ib.snd.snd.snd.fst = input3; + ib.snd.snd.snd.snd.fst = input4; + ib.snd.snd.snd.snd.snd.fst = input5; + ib.snd.snd.snd.snd.snd.snd.fst = input6; + ib.snd.snd.snd.snd.snd.snd.snd = input7; + { + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + rb; + rb.fst = dst0; + rb.snd.fst = dst1; + 
rb.snd.snd.fst = dst2; + rb.snd.snd.snd.fst = dst3; + rb.snd.snd.snd.snd.fst = dst4; + rb.snd.snd.snd.snd.snd.fst = dst5; + rb.snd.snd.snd.snd.snd.snd.fst = dst6; + rb.snd.snd.snd.snd.snd.snd.snd = dst7; + { + Lib_IntVector_Intrinsics_vec256 st[8U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)8U; ++_i) + st[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + uint32_t rem; + uint64_t len_; + uint32_t blocks0; + uint32_t rem1; + uint8_t *b70; + uint8_t *b60; + uint8_t *b50; + uint8_t *b40; + uint8_t *b30; + uint8_t *b20; + uint8_t *b10; + uint8_t *b00; + uint8_t *bl0; + uint8_t *bl10; + uint8_t *bl20; + uint8_t *bl30; + uint8_t *bl40; + uint8_t *bl50; + uint8_t *bl60; + uint8_t *bl70; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256 *os = st; + uint32_t hi = Hacl_Impl_SHA2_Generic_h224[i]; + Lib_IntVector_Intrinsics_vec256 x = Lib_IntVector_Intrinsics_vec256_load32(hi); + os[i] = x; + } + } + rem = input_len % (uint32_t)64U; + len_ = (uint64_t)input_len; + blocks0 = input_len / (uint32_t)64U; + { + uint32_t i; + for (i = (uint32_t)0U; i < blocks0; i++) + { + uint8_t *b7 = ib.snd.snd.snd.snd.snd.snd.snd; + uint8_t *b6 = ib.snd.snd.snd.snd.snd.snd.fst; + uint8_t *b5 = ib.snd.snd.snd.snd.snd.fst; + uint8_t *b4 = ib.snd.snd.snd.snd.fst; + uint8_t *b3 = ib.snd.snd.snd.fst; + uint8_t *b2 = ib.snd.snd.fst; + uint8_t *b1 = ib.snd.fst; + uint8_t *b0 = ib.fst; + uint8_t *bl00 = b0 + i * (uint32_t)64U; + uint8_t *bl1 = b1 + i * (uint32_t)64U; + uint8_t *bl2 = b2 + i * (uint32_t)64U; + uint8_t *bl3 = b3 + i * (uint32_t)64U; + uint8_t *bl4 = b4 + i * (uint32_t)64U; + uint8_t *bl5 = b5 + i * (uint32_t)64U; + uint8_t *bl6 = b6 + i * (uint32_t)64U; + uint8_t *bl7 = b7 + i * (uint32_t)64U; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + lit; + lit.fst = bl00; + lit.snd.fst = bl1; + lit.snd.snd.fst = bl2; + lit.snd.snd.snd.fst = bl3; + lit.snd.snd.snd.snd.fst = 
bl4; + lit.snd.snd.snd.snd.snd.fst = bl5; + lit.snd.snd.snd.snd.snd.snd.fst = bl6; + lit.snd.snd.snd.snd.snd.snd.snd = bl7; + { + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb = lit; + sha224_update8(mb, st); + } + } + } + rem1 = input_len % (uint32_t)64U; + b70 = ib.snd.snd.snd.snd.snd.snd.snd; + b60 = ib.snd.snd.snd.snd.snd.snd.fst; + b50 = ib.snd.snd.snd.snd.snd.fst; + b40 = ib.snd.snd.snd.snd.fst; + b30 = ib.snd.snd.snd.fst; + b20 = ib.snd.snd.fst; + b10 = ib.snd.fst; + b00 = ib.fst; + bl0 = b00 + input_len - rem1; + bl10 = b10 + input_len - rem1; + bl20 = b20 + input_len - rem1; + bl30 = b30 + input_len - rem1; + bl40 = b40 + input_len - rem1; + bl50 = b50 + input_len - rem1; + bl60 = b60 + input_len - rem1; + bl70 = b70 + input_len - rem1; + { + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + lit0; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + lb; + lit0.fst = bl0; + lit0.snd.fst = bl10; + lit0.snd.snd.fst = bl20; + lit0.snd.snd.snd.fst = bl30; + lit0.snd.snd.snd.snd.fst = bl40; + lit0.snd.snd.snd.snd.snd.fst = bl50; + lit0.snd.snd.snd.snd.snd.snd.fst = bl60; + lit0.snd.snd.snd.snd.snd.snd.snd = bl70; + lb = lit0; + { + uint32_t blocks; + if (rem + (uint32_t)8U + (uint32_t)1U <= (uint32_t)64U) + { + blocks = (uint32_t)1U; + } + else + { + blocks = (uint32_t)2U; + } + { + uint32_t fin = blocks * (uint32_t)64U; + uint8_t last[1024U] = { 0U }; + uint8_t totlen_buf[8U] = { 0U }; + uint64_t total_len_bits = len_ << (uint32_t)3U; + uint8_t *b71; + uint8_t *b61; + uint8_t *b51; + uint8_t *b41; + uint8_t *b31; + uint8_t *b21; + uint8_t *b11; + uint8_t *b01; + uint8_t *last00; + uint8_t *last10; + uint8_t *last2; + uint8_t *last3; + uint8_t *last4; + uint8_t *last5; + uint8_t *last6; + uint8_t *last7; + uint8_t *last010; + uint8_t *last110; + store64_be(totlen_buf, total_len_bits); 
+ b71 = lb.snd.snd.snd.snd.snd.snd.snd; + b61 = lb.snd.snd.snd.snd.snd.snd.fst; + b51 = lb.snd.snd.snd.snd.snd.fst; + b41 = lb.snd.snd.snd.snd.fst; + b31 = lb.snd.snd.snd.fst; + b21 = lb.snd.snd.fst; + b11 = lb.snd.fst; + b01 = lb.fst; + last00 = last; + last10 = last + (uint32_t)128U; + last2 = last + (uint32_t)256U; + last3 = last + (uint32_t)384U; + last4 = last + (uint32_t)512U; + last5 = last + (uint32_t)640U; + last6 = last + (uint32_t)768U; + last7 = last + (uint32_t)896U; + memcpy(last00, b01, rem * sizeof (uint8_t)); + last00[rem] = (uint8_t)0x80U; + memcpy(last00 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + last010 = last00; + last110 = last00 + (uint32_t)64U; + { + K____uint8_t___uint8_t_ lit1; + K____uint8_t___uint8_t_ scrut0; + uint8_t *l00; + uint8_t *l01; + uint8_t *last011; + uint8_t *last111; + lit1.fst = last010; + lit1.snd = last110; + scrut0 = lit1; + l00 = scrut0.fst; + l01 = scrut0.snd; + memcpy(last10, b11, rem * sizeof (uint8_t)); + last10[rem] = (uint8_t)0x80U; + memcpy(last10 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + last011 = last10; + last111 = last10 + (uint32_t)64U; + { + K____uint8_t___uint8_t_ lit2; + K____uint8_t___uint8_t_ scrut1; + uint8_t *l10; + uint8_t *l11; + uint8_t *last012; + uint8_t *last112; + lit2.fst = last011; + lit2.snd = last111; + scrut1 = lit2; + l10 = scrut1.fst; + l11 = scrut1.snd; + memcpy(last2, b21, rem * sizeof (uint8_t)); + last2[rem] = (uint8_t)0x80U; + memcpy(last2 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + last012 = last2; + last112 = last2 + (uint32_t)64U; + { + K____uint8_t___uint8_t_ lit3; + K____uint8_t___uint8_t_ scrut2; + uint8_t *l20; + uint8_t *l21; + uint8_t *last013; + uint8_t *last113; + lit3.fst = last012; + lit3.snd = last112; + scrut2 = lit3; + l20 = scrut2.fst; + l21 = scrut2.snd; + memcpy(last3, b31, rem * sizeof (uint8_t)); + last3[rem] = (uint8_t)0x80U; + memcpy(last3 + fin - (uint32_t)8U, totlen_buf, 
(uint32_t)8U * sizeof (uint8_t)); + last013 = last3; + last113 = last3 + (uint32_t)64U; + { + K____uint8_t___uint8_t_ lit4; + K____uint8_t___uint8_t_ scrut3; + uint8_t *l30; + uint8_t *l31; + uint8_t *last014; + uint8_t *last114; + lit4.fst = last013; + lit4.snd = last113; + scrut3 = lit4; + l30 = scrut3.fst; + l31 = scrut3.snd; + memcpy(last4, b41, rem * sizeof (uint8_t)); + last4[rem] = (uint8_t)0x80U; + memcpy(last4 + fin - (uint32_t)8U, + totlen_buf, + (uint32_t)8U * sizeof (uint8_t)); + last014 = last4; + last114 = last4 + (uint32_t)64U; + { + K____uint8_t___uint8_t_ lit5; + K____uint8_t___uint8_t_ scrut4; + uint8_t *l40; + uint8_t *l41; + uint8_t *last015; + uint8_t *last115; + lit5.fst = last014; + lit5.snd = last114; + scrut4 = lit5; + l40 = scrut4.fst; + l41 = scrut4.snd; + memcpy(last5, b51, rem * sizeof (uint8_t)); + last5[rem] = (uint8_t)0x80U; + memcpy(last5 + fin - (uint32_t)8U, + totlen_buf, + (uint32_t)8U * sizeof (uint8_t)); + last015 = last5; + last115 = last5 + (uint32_t)64U; + { + K____uint8_t___uint8_t_ lit6; + K____uint8_t___uint8_t_ scrut5; + uint8_t *l50; + uint8_t *l51; + uint8_t *last016; + uint8_t *last116; + lit6.fst = last015; + lit6.snd = last115; + scrut5 = lit6; + l50 = scrut5.fst; + l51 = scrut5.snd; + memcpy(last6, b61, rem * sizeof (uint8_t)); + last6[rem] = (uint8_t)0x80U; + memcpy(last6 + fin - (uint32_t)8U, + totlen_buf, + (uint32_t)8U * sizeof (uint8_t)); + last016 = last6; + last116 = last6 + (uint32_t)64U; + { + K____uint8_t___uint8_t_ lit7; + K____uint8_t___uint8_t_ scrut6; + uint8_t *l60; + uint8_t *l61; + uint8_t *last01; + uint8_t *last11; + lit7.fst = last016; + lit7.snd = last116; + scrut6 = lit7; + l60 = scrut6.fst; + l61 = scrut6.snd; + memcpy(last7, b71, rem * sizeof (uint8_t)); + last7[rem] = (uint8_t)0x80U; + memcpy(last7 + fin - (uint32_t)8U, + totlen_buf, + (uint32_t)8U * sizeof (uint8_t)); + last01 = last7; + last11 = last7 + (uint32_t)64U; + { + K____uint8_t___uint8_t_ lit8; + K____uint8_t___uint8_t_ scrut7; + 
uint8_t *l70; + uint8_t *l71; + lit8.fst = last01; + lit8.snd = last11; + scrut7 = lit8; + l70 = scrut7.fst; + l71 = scrut7.snd; + { + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb0; + mb0.fst = l00; + mb0.snd.fst = l10; + mb0.snd.snd.fst = l20; + mb0.snd.snd.snd.fst = l30; + mb0.snd.snd.snd.snd.fst = l40; + mb0.snd.snd.snd.snd.snd.fst = l50; + mb0.snd.snd.snd.snd.snd.snd.fst = l60; + mb0.snd.snd.snd.snd.snd.snd.snd = l70; + { + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb1; + mb1.fst = l01; + mb1.snd.fst = l11; + mb1.snd.snd.fst = l21; + mb1.snd.snd.snd.fst = l31; + mb1.snd.snd.snd.snd.fst = l41; + mb1.snd.snd.snd.snd.snd.fst = l51; + mb1.snd.snd.snd.snd.snd.snd.fst = l61; + mb1.snd.snd.snd.snd.snd.snd.snd = l71; + { + __K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + lit; + __K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + scrut; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + last0; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + last1; + lit.fst = mb0; + lit.snd = mb1; + scrut = lit; + last0 = scrut.fst; + last1 = scrut.snd; + sha224_update8(last0, st); + if (blocks > (uint32_t)1U) + { + sha224_update8(last1, st); + } + KRML_CHECK_SIZE(sizeof (uint8_t), + (uint32_t)8U * (uint32_t)8U * (uint32_t)4U); + { + uint8_t hbuf[(uint32_t)8U * (uint32_t)8U * (uint32_t)4U]; + memset(hbuf, + 0U, + (uint32_t)8U + * (uint32_t)8U + * (uint32_t)4U + * sizeof (uint8_t)); + { + 
Lib_IntVector_Intrinsics_vec256 v0 = st[0U]; + Lib_IntVector_Intrinsics_vec256 v1 = st[1U]; + Lib_IntVector_Intrinsics_vec256 v2 = st[2U]; + Lib_IntVector_Intrinsics_vec256 v3 = st[3U]; + Lib_IntVector_Intrinsics_vec256 v4 = st[4U]; + Lib_IntVector_Intrinsics_vec256 v5 = st[5U]; + Lib_IntVector_Intrinsics_vec256 v6 = st[6U]; + Lib_IntVector_Intrinsics_vec256 v7 = st[7U]; + Lib_IntVector_Intrinsics_vec256 + v0_ = + Lib_IntVector_Intrinsics_vec256_interleave_low32(v0, + v1); + Lib_IntVector_Intrinsics_vec256 + v1_ = + Lib_IntVector_Intrinsics_vec256_interleave_high32(v0, + v1); + Lib_IntVector_Intrinsics_vec256 + v2_ = + Lib_IntVector_Intrinsics_vec256_interleave_low32(v2, + v3); + Lib_IntVector_Intrinsics_vec256 + v3_ = + Lib_IntVector_Intrinsics_vec256_interleave_high32(v2, + v3); + Lib_IntVector_Intrinsics_vec256 + v4_ = + Lib_IntVector_Intrinsics_vec256_interleave_low32(v4, + v5); + Lib_IntVector_Intrinsics_vec256 + v5_ = + Lib_IntVector_Intrinsics_vec256_interleave_high32(v4, + v5); + Lib_IntVector_Intrinsics_vec256 + v6_ = + Lib_IntVector_Intrinsics_vec256_interleave_low32(v6, + v7); + Lib_IntVector_Intrinsics_vec256 + v7_ = + Lib_IntVector_Intrinsics_vec256_interleave_high32(v6, + v7); + Lib_IntVector_Intrinsics_vec256 v0_0 = v0_; + Lib_IntVector_Intrinsics_vec256 v1_0 = v1_; + Lib_IntVector_Intrinsics_vec256 v2_0 = v2_; + Lib_IntVector_Intrinsics_vec256 v3_0 = v3_; + Lib_IntVector_Intrinsics_vec256 v4_0 = v4_; + Lib_IntVector_Intrinsics_vec256 v5_0 = v5_; + Lib_IntVector_Intrinsics_vec256 v6_0 = v6_; + Lib_IntVector_Intrinsics_vec256 v7_0 = v7_; + Lib_IntVector_Intrinsics_vec256 + v0_1 = + Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, + v2_0); + Lib_IntVector_Intrinsics_vec256 + v2_1 = + Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, + v2_0); + Lib_IntVector_Intrinsics_vec256 + v1_1 = + Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, + v3_0); + Lib_IntVector_Intrinsics_vec256 + v3_1 = + 
Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, + v3_0); + Lib_IntVector_Intrinsics_vec256 + v4_1 = + Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, + v6_0); + Lib_IntVector_Intrinsics_vec256 + v6_1 = + Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, + v6_0); + Lib_IntVector_Intrinsics_vec256 + v5_1 = + Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, + v7_0); + Lib_IntVector_Intrinsics_vec256 + v7_1 = + Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, + v7_0); + Lib_IntVector_Intrinsics_vec256 v0_10 = v0_1; + Lib_IntVector_Intrinsics_vec256 v1_10 = v1_1; + Lib_IntVector_Intrinsics_vec256 v2_10 = v2_1; + Lib_IntVector_Intrinsics_vec256 v3_10 = v3_1; + Lib_IntVector_Intrinsics_vec256 v4_10 = v4_1; + Lib_IntVector_Intrinsics_vec256 v5_10 = v5_1; + Lib_IntVector_Intrinsics_vec256 v6_10 = v6_1; + Lib_IntVector_Intrinsics_vec256 v7_10 = v7_1; + Lib_IntVector_Intrinsics_vec256 + v0_2 = + Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_10, + v4_10); + Lib_IntVector_Intrinsics_vec256 + v4_2 = + Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_10, + v4_10); + Lib_IntVector_Intrinsics_vec256 + v1_2 = + Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_10, + v5_10); + Lib_IntVector_Intrinsics_vec256 + v5_2 = + Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_10, + v5_10); + Lib_IntVector_Intrinsics_vec256 + v2_2 = + Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_10, + v6_10); + Lib_IntVector_Intrinsics_vec256 + v6_2 = + Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_10, + v6_10); + Lib_IntVector_Intrinsics_vec256 + v3_2 = + Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_10, + v7_10); + Lib_IntVector_Intrinsics_vec256 + v7_2 = + Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_10, + v7_10); + Lib_IntVector_Intrinsics_vec256 v0_20 = v0_2; + Lib_IntVector_Intrinsics_vec256 v1_20 = v1_2; + Lib_IntVector_Intrinsics_vec256 v2_20 = v2_2; + Lib_IntVector_Intrinsics_vec256 v3_20 = v3_2; + 
Lib_IntVector_Intrinsics_vec256 v4_20 = v4_2; + Lib_IntVector_Intrinsics_vec256 v5_20 = v5_2; + Lib_IntVector_Intrinsics_vec256 v6_20 = v6_2; + Lib_IntVector_Intrinsics_vec256 v7_20 = v7_2; + Lib_IntVector_Intrinsics_vec256 v0_3 = v0_20; + Lib_IntVector_Intrinsics_vec256 v1_3 = v1_20; + Lib_IntVector_Intrinsics_vec256 v2_3 = v2_20; + Lib_IntVector_Intrinsics_vec256 v3_3 = v3_20; + Lib_IntVector_Intrinsics_vec256 v4_3 = v4_20; + Lib_IntVector_Intrinsics_vec256 v5_3 = v5_20; + Lib_IntVector_Intrinsics_vec256 v6_3 = v6_20; + Lib_IntVector_Intrinsics_vec256 v7_3 = v7_20; + Lib_IntVector_Intrinsics_vec256 st0_ = v0_3; + Lib_IntVector_Intrinsics_vec256 st1_ = v2_3; + Lib_IntVector_Intrinsics_vec256 st2_ = v1_3; + Lib_IntVector_Intrinsics_vec256 st3_ = v3_3; + Lib_IntVector_Intrinsics_vec256 st4_ = v4_3; + Lib_IntVector_Intrinsics_vec256 st5_ = v6_3; + Lib_IntVector_Intrinsics_vec256 st6_ = v5_3; + Lib_IntVector_Intrinsics_vec256 st7_ = v7_3; + uint8_t *b7; + uint8_t *b6; + uint8_t *b5; + uint8_t *b4; + uint8_t *b3; + uint8_t *b2; + uint8_t *b1; + uint8_t *b0; + st[0U] = st0_; + st[1U] = st1_; + st[2U] = st2_; + st[3U] = st3_; + st[4U] = st4_; + st[5U] = st5_; + st[6U] = st6_; + st[7U] = st7_; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256_store32_be(hbuf + + i * (uint32_t)32U, + st[i]); + } + } + b7 = rb.snd.snd.snd.snd.snd.snd.snd; + b6 = rb.snd.snd.snd.snd.snd.snd.fst; + b5 = rb.snd.snd.snd.snd.snd.fst; + b4 = rb.snd.snd.snd.snd.fst; + b3 = rb.snd.snd.snd.fst; + b2 = rb.snd.snd.fst; + b1 = rb.snd.fst; + b0 = rb.fst; + memcpy(b0, hbuf, (uint32_t)28U * sizeof (uint8_t)); + memcpy(b1, + hbuf + (uint32_t)32U, + (uint32_t)28U * sizeof (uint8_t)); + memcpy(b2, + hbuf + (uint32_t)64U, + (uint32_t)28U * sizeof (uint8_t)); + memcpy(b3, + hbuf + (uint32_t)96U, + (uint32_t)28U * sizeof (uint8_t)); + memcpy(b4, + hbuf + (uint32_t)128U, + (uint32_t)28U * sizeof (uint8_t)); + memcpy(b5, + hbuf + (uint32_t)160U, + (uint32_t)28U 
* sizeof (uint8_t)); + memcpy(b6, + hbuf + (uint32_t)192U, + (uint32_t)28U * sizeof (uint8_t)); + memcpy(b7, + hbuf + (uint32_t)224U, + (uint32_t)28U * sizeof (uint8_t)); + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } +} + +static inline void +sha256_update8( + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + block, + Lib_IntVector_Intrinsics_vec256 *hash +) +{ + Lib_IntVector_Intrinsics_vec256 hash_old[8U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)8U; ++_i) + hash_old[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + Lib_IntVector_Intrinsics_vec256 ws[16U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)16U; ++_i) + ws[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + uint8_t *b7; + uint8_t *b6; + uint8_t *b5; + uint8_t *b4; + uint8_t *b3; + uint8_t *b2; + uint8_t *b10; + uint8_t *b00; + Lib_IntVector_Intrinsics_vec256 v00; + Lib_IntVector_Intrinsics_vec256 v10; + Lib_IntVector_Intrinsics_vec256 v20; + Lib_IntVector_Intrinsics_vec256 v30; + Lib_IntVector_Intrinsics_vec256 v40; + Lib_IntVector_Intrinsics_vec256 v50; + Lib_IntVector_Intrinsics_vec256 v60; + Lib_IntVector_Intrinsics_vec256 v70; + Lib_IntVector_Intrinsics_vec256 v0_; + Lib_IntVector_Intrinsics_vec256 v1_; + Lib_IntVector_Intrinsics_vec256 v2_; + Lib_IntVector_Intrinsics_vec256 v3_; + Lib_IntVector_Intrinsics_vec256 v4_; + Lib_IntVector_Intrinsics_vec256 v5_; + Lib_IntVector_Intrinsics_vec256 v6_; + Lib_IntVector_Intrinsics_vec256 v7_; + Lib_IntVector_Intrinsics_vec256 v0_0; + Lib_IntVector_Intrinsics_vec256 v1_0; + Lib_IntVector_Intrinsics_vec256 v2_0; + Lib_IntVector_Intrinsics_vec256 v3_0; + Lib_IntVector_Intrinsics_vec256 v4_0; + Lib_IntVector_Intrinsics_vec256 v5_0; + Lib_IntVector_Intrinsics_vec256 v6_0; + Lib_IntVector_Intrinsics_vec256 v7_0; + Lib_IntVector_Intrinsics_vec256 v0_1; + Lib_IntVector_Intrinsics_vec256 v2_1; + Lib_IntVector_Intrinsics_vec256 v1_1; + 
Lib_IntVector_Intrinsics_vec256 v3_1; + Lib_IntVector_Intrinsics_vec256 v4_1; + Lib_IntVector_Intrinsics_vec256 v6_1; + Lib_IntVector_Intrinsics_vec256 v5_1; + Lib_IntVector_Intrinsics_vec256 v7_1; + Lib_IntVector_Intrinsics_vec256 v0_10; + Lib_IntVector_Intrinsics_vec256 v1_10; + Lib_IntVector_Intrinsics_vec256 v2_10; + Lib_IntVector_Intrinsics_vec256 v3_10; + Lib_IntVector_Intrinsics_vec256 v4_10; + Lib_IntVector_Intrinsics_vec256 v5_10; + Lib_IntVector_Intrinsics_vec256 v6_10; + Lib_IntVector_Intrinsics_vec256 v7_10; + Lib_IntVector_Intrinsics_vec256 v0_2; + Lib_IntVector_Intrinsics_vec256 v4_2; + Lib_IntVector_Intrinsics_vec256 v1_2; + Lib_IntVector_Intrinsics_vec256 v5_2; + Lib_IntVector_Intrinsics_vec256 v2_2; + Lib_IntVector_Intrinsics_vec256 v6_2; + Lib_IntVector_Intrinsics_vec256 v3_2; + Lib_IntVector_Intrinsics_vec256 v7_2; + Lib_IntVector_Intrinsics_vec256 v0_20; + Lib_IntVector_Intrinsics_vec256 v1_20; + Lib_IntVector_Intrinsics_vec256 v2_20; + Lib_IntVector_Intrinsics_vec256 v3_20; + Lib_IntVector_Intrinsics_vec256 v4_20; + Lib_IntVector_Intrinsics_vec256 v5_20; + Lib_IntVector_Intrinsics_vec256 v6_20; + Lib_IntVector_Intrinsics_vec256 v7_20; + Lib_IntVector_Intrinsics_vec256 v0_3; + Lib_IntVector_Intrinsics_vec256 v1_3; + Lib_IntVector_Intrinsics_vec256 v2_3; + Lib_IntVector_Intrinsics_vec256 v3_3; + Lib_IntVector_Intrinsics_vec256 v4_3; + Lib_IntVector_Intrinsics_vec256 v5_3; + Lib_IntVector_Intrinsics_vec256 v6_3; + Lib_IntVector_Intrinsics_vec256 v7_3; + Lib_IntVector_Intrinsics_vec256 ws0; + Lib_IntVector_Intrinsics_vec256 ws1; + Lib_IntVector_Intrinsics_vec256 ws2; + Lib_IntVector_Intrinsics_vec256 ws3; + Lib_IntVector_Intrinsics_vec256 ws4; + Lib_IntVector_Intrinsics_vec256 ws5; + Lib_IntVector_Intrinsics_vec256 ws6; + Lib_IntVector_Intrinsics_vec256 ws7; + Lib_IntVector_Intrinsics_vec256 v0; + Lib_IntVector_Intrinsics_vec256 v1; + Lib_IntVector_Intrinsics_vec256 v2; + Lib_IntVector_Intrinsics_vec256 v3; + Lib_IntVector_Intrinsics_vec256 v4; + 
Lib_IntVector_Intrinsics_vec256 v5; + Lib_IntVector_Intrinsics_vec256 v6; + Lib_IntVector_Intrinsics_vec256 v7; + Lib_IntVector_Intrinsics_vec256 v0_4; + Lib_IntVector_Intrinsics_vec256 v1_4; + Lib_IntVector_Intrinsics_vec256 v2_4; + Lib_IntVector_Intrinsics_vec256 v3_4; + Lib_IntVector_Intrinsics_vec256 v4_4; + Lib_IntVector_Intrinsics_vec256 v5_4; + Lib_IntVector_Intrinsics_vec256 v6_4; + Lib_IntVector_Intrinsics_vec256 v7_4; + Lib_IntVector_Intrinsics_vec256 v0_5; + Lib_IntVector_Intrinsics_vec256 v1_5; + Lib_IntVector_Intrinsics_vec256 v2_5; + Lib_IntVector_Intrinsics_vec256 v3_5; + Lib_IntVector_Intrinsics_vec256 v4_5; + Lib_IntVector_Intrinsics_vec256 v5_5; + Lib_IntVector_Intrinsics_vec256 v6_5; + Lib_IntVector_Intrinsics_vec256 v7_5; + Lib_IntVector_Intrinsics_vec256 v0_11; + Lib_IntVector_Intrinsics_vec256 v2_11; + Lib_IntVector_Intrinsics_vec256 v1_11; + Lib_IntVector_Intrinsics_vec256 v3_11; + Lib_IntVector_Intrinsics_vec256 v4_11; + Lib_IntVector_Intrinsics_vec256 v6_11; + Lib_IntVector_Intrinsics_vec256 v5_11; + Lib_IntVector_Intrinsics_vec256 v7_11; + Lib_IntVector_Intrinsics_vec256 v0_12; + Lib_IntVector_Intrinsics_vec256 v1_12; + Lib_IntVector_Intrinsics_vec256 v2_12; + Lib_IntVector_Intrinsics_vec256 v3_12; + Lib_IntVector_Intrinsics_vec256 v4_12; + Lib_IntVector_Intrinsics_vec256 v5_12; + Lib_IntVector_Intrinsics_vec256 v6_12; + Lib_IntVector_Intrinsics_vec256 v7_12; + Lib_IntVector_Intrinsics_vec256 v0_21; + Lib_IntVector_Intrinsics_vec256 v4_21; + Lib_IntVector_Intrinsics_vec256 v1_21; + Lib_IntVector_Intrinsics_vec256 v5_21; + Lib_IntVector_Intrinsics_vec256 v2_21; + Lib_IntVector_Intrinsics_vec256 v6_21; + Lib_IntVector_Intrinsics_vec256 v3_21; + Lib_IntVector_Intrinsics_vec256 v7_21; + Lib_IntVector_Intrinsics_vec256 v0_22; + Lib_IntVector_Intrinsics_vec256 v1_22; + Lib_IntVector_Intrinsics_vec256 v2_22; + Lib_IntVector_Intrinsics_vec256 v3_22; + Lib_IntVector_Intrinsics_vec256 v4_22; + Lib_IntVector_Intrinsics_vec256 v5_22; + 
Lib_IntVector_Intrinsics_vec256 v6_22; + Lib_IntVector_Intrinsics_vec256 v7_22; + Lib_IntVector_Intrinsics_vec256 v0_6; + Lib_IntVector_Intrinsics_vec256 v1_6; + Lib_IntVector_Intrinsics_vec256 v2_6; + Lib_IntVector_Intrinsics_vec256 v3_6; + Lib_IntVector_Intrinsics_vec256 v4_6; + Lib_IntVector_Intrinsics_vec256 v5_6; + Lib_IntVector_Intrinsics_vec256 v6_6; + Lib_IntVector_Intrinsics_vec256 v7_6; + Lib_IntVector_Intrinsics_vec256 ws8; + Lib_IntVector_Intrinsics_vec256 ws9; + Lib_IntVector_Intrinsics_vec256 ws10; + Lib_IntVector_Intrinsics_vec256 ws11; + Lib_IntVector_Intrinsics_vec256 ws12; + Lib_IntVector_Intrinsics_vec256 ws13; + Lib_IntVector_Intrinsics_vec256 ws14; + Lib_IntVector_Intrinsics_vec256 ws15; + memcpy(hash_old, hash, (uint32_t)8U * sizeof (Lib_IntVector_Intrinsics_vec256)); + b7 = block.snd.snd.snd.snd.snd.snd.snd; + b6 = block.snd.snd.snd.snd.snd.snd.fst; + b5 = block.snd.snd.snd.snd.snd.fst; + b4 = block.snd.snd.snd.snd.fst; + b3 = block.snd.snd.snd.fst; + b2 = block.snd.snd.fst; + b10 = block.snd.fst; + b00 = block.fst; + ws[0U] = Lib_IntVector_Intrinsics_vec256_load32_be(b00); + ws[1U] = Lib_IntVector_Intrinsics_vec256_load32_be(b10); + ws[2U] = Lib_IntVector_Intrinsics_vec256_load32_be(b2); + ws[3U] = Lib_IntVector_Intrinsics_vec256_load32_be(b3); + ws[4U] = Lib_IntVector_Intrinsics_vec256_load32_be(b4); + ws[5U] = Lib_IntVector_Intrinsics_vec256_load32_be(b5); + ws[6U] = Lib_IntVector_Intrinsics_vec256_load32_be(b6); + ws[7U] = Lib_IntVector_Intrinsics_vec256_load32_be(b7); + ws[8U] = Lib_IntVector_Intrinsics_vec256_load32_be(b00 + (uint32_t)32U); + ws[9U] = Lib_IntVector_Intrinsics_vec256_load32_be(b10 + (uint32_t)32U); + ws[10U] = Lib_IntVector_Intrinsics_vec256_load32_be(b2 + (uint32_t)32U); + ws[11U] = Lib_IntVector_Intrinsics_vec256_load32_be(b3 + (uint32_t)32U); + ws[12U] = Lib_IntVector_Intrinsics_vec256_load32_be(b4 + (uint32_t)32U); + ws[13U] = Lib_IntVector_Intrinsics_vec256_load32_be(b5 + (uint32_t)32U); + ws[14U] = 
Lib_IntVector_Intrinsics_vec256_load32_be(b6 + (uint32_t)32U); + ws[15U] = Lib_IntVector_Intrinsics_vec256_load32_be(b7 + (uint32_t)32U); + v00 = ws[0U]; + v10 = ws[1U]; + v20 = ws[2U]; + v30 = ws[3U]; + v40 = ws[4U]; + v50 = ws[5U]; + v60 = ws[6U]; + v70 = ws[7U]; + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v00, v10); + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v00, v10); + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v20, v30); + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v20, v30); + v4_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v40, v50); + v5_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v40, v50); + v6_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v60, v70); + v7_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v60, v70); + v0_0 = v0_; + v1_0 = v1_; + v2_0 = v2_; + v3_0 = v3_; + v4_0 = v4_; + v5_0 = v5_; + v6_0 = v6_; + v7_0 = v7_; + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, v2_0); + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, v2_0); + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, v3_0); + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, v3_0); + v4_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, v6_0); + v6_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, v6_0); + v5_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, v7_0); + v7_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, v7_0); + v0_10 = v0_1; + v1_10 = v1_1; + v2_10 = v2_1; + v3_10 = v3_1; + v4_10 = v4_1; + v5_10 = v5_1; + v6_10 = v6_1; + v7_10 = v7_1; + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_10, v4_10); + v4_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_10, v4_10); + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_10, v5_10); + v5_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_10, v5_10); + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_10, v6_10); + 
v6_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_10, v6_10); + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_10, v7_10); + v7_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_10, v7_10); + v0_20 = v0_2; + v1_20 = v1_2; + v2_20 = v2_2; + v3_20 = v3_2; + v4_20 = v4_2; + v5_20 = v5_2; + v6_20 = v6_2; + v7_20 = v7_2; + v0_3 = v0_20; + v1_3 = v1_20; + v2_3 = v2_20; + v3_3 = v3_20; + v4_3 = v4_20; + v5_3 = v5_20; + v6_3 = v6_20; + v7_3 = v7_20; + ws0 = v0_3; + ws1 = v2_3; + ws2 = v1_3; + ws3 = v3_3; + ws4 = v4_3; + ws5 = v6_3; + ws6 = v5_3; + ws7 = v7_3; + v0 = ws[8U]; + v1 = ws[9U]; + v2 = ws[10U]; + v3 = ws[11U]; + v4 = ws[12U]; + v5 = ws[13U]; + v6 = ws[14U]; + v7 = ws[15U]; + v0_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v0, v1); + v1_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v0, v1); + v2_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v2, v3); + v3_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v2, v3); + v4_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v4, v5); + v5_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v4, v5); + v6_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v6, v7); + v7_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v6, v7); + v0_5 = v0_4; + v1_5 = v1_4; + v2_5 = v2_4; + v3_5 = v3_4; + v4_5 = v4_4; + v5_5 = v5_4; + v6_5 = v6_4; + v7_5 = v7_4; + v0_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_5, v2_5); + v2_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_5, v2_5); + v1_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_5, v3_5); + v3_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_5, v3_5); + v4_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_5, v6_5); + v6_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_5, v6_5); + v5_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_5, v7_5); + v7_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_5, v7_5); + v0_12 = v0_11; + v1_12 = v1_11; + v2_12 = 
v2_11; + v3_12 = v3_11; + v4_12 = v4_11; + v5_12 = v5_11; + v6_12 = v6_11; + v7_12 = v7_11; + v0_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_12, v4_12); + v4_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_12, v4_12); + v1_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_12, v5_12); + v5_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_12, v5_12); + v2_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_12, v6_12); + v6_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_12, v6_12); + v3_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_12, v7_12); + v7_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_12, v7_12); + v0_22 = v0_21; + v1_22 = v1_21; + v2_22 = v2_21; + v3_22 = v3_21; + v4_22 = v4_21; + v5_22 = v5_21; + v6_22 = v6_21; + v7_22 = v7_21; + v0_6 = v0_22; + v1_6 = v1_22; + v2_6 = v2_22; + v3_6 = v3_22; + v4_6 = v4_22; + v5_6 = v5_22; + v6_6 = v6_22; + v7_6 = v7_22; + ws8 = v0_6; + ws9 = v2_6; + ws10 = v1_6; + ws11 = v3_6; + ws12 = v4_6; + ws13 = v6_6; + ws14 = v5_6; + ws15 = v7_6; + ws[0U] = ws0; + ws[1U] = ws1; + ws[2U] = ws2; + ws[3U] = ws3; + ws[4U] = ws4; + ws[5U] = ws5; + ws[6U] = ws6; + ws[7U] = ws7; + ws[8U] = ws8; + ws[9U] = ws9; + ws[10U] = ws10; + ws[11U] = ws11; + ws[12U] = ws12; + ws[13U] = ws13; + ws[14U] = ws14; + ws[15U] = ws15; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i0 + i]; + Lib_IntVector_Intrinsics_vec256 ws_t = ws[i]; + Lib_IntVector_Intrinsics_vec256 a0 = hash[0U]; + Lib_IntVector_Intrinsics_vec256 b0 = hash[1U]; + Lib_IntVector_Intrinsics_vec256 c0 = hash[2U]; + Lib_IntVector_Intrinsics_vec256 d0 = hash[3U]; + Lib_IntVector_Intrinsics_vec256 e0 = hash[4U]; + Lib_IntVector_Intrinsics_vec256 f0 = hash[5U]; + Lib_IntVector_Intrinsics_vec256 g0 = hash[6U]; + Lib_IntVector_Intrinsics_vec256 h02 = 
hash[7U]; + Lib_IntVector_Intrinsics_vec256 k_e_t = Lib_IntVector_Intrinsics_vec256_load32(k_t); + Lib_IntVector_Intrinsics_vec256 + t1 = + Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(h02, + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(e0, + (uint32_t)6U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(e0, + (uint32_t)11U), + Lib_IntVector_Intrinsics_vec256_rotate_right32(e0, (uint32_t)25U)))), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(e0, + f0), + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_lognot(e0), + g0))), + k_e_t), + ws_t); + Lib_IntVector_Intrinsics_vec256 + t2 = + Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(a0, + (uint32_t)2U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(a0, + (uint32_t)13U), + Lib_IntVector_Intrinsics_vec256_rotate_right32(a0, (uint32_t)22U))), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(a0, b0), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(a0, c0), + Lib_IntVector_Intrinsics_vec256_and(b0, c0)))); + Lib_IntVector_Intrinsics_vec256 a1 = Lib_IntVector_Intrinsics_vec256_add32(t1, t2); + Lib_IntVector_Intrinsics_vec256 b1 = a0; + Lib_IntVector_Intrinsics_vec256 c1 = b0; + Lib_IntVector_Intrinsics_vec256 d1 = c0; + Lib_IntVector_Intrinsics_vec256 e1 = Lib_IntVector_Intrinsics_vec256_add32(d0, t1); + Lib_IntVector_Intrinsics_vec256 f1 = e0; + Lib_IntVector_Intrinsics_vec256 g1 = f0; + Lib_IntVector_Intrinsics_vec256 h12 = g0; + hash[0U] = a1; + hash[1U] = b1; + hash[2U] = c1; + hash[3U] = d1; + hash[4U] = e1; + hash[5U] = f1; + hash[6U] = g1; + hash[7U] = h12; + } + } + if (i0 < (uint32_t)4U - (uint32_t)1U) + { + { + uint32_t i; + for 
(i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec256 t16 = ws[i]; + Lib_IntVector_Intrinsics_vec256 t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 + s1 = + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(t2, + (uint32_t)17U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(t2, + (uint32_t)19U), + Lib_IntVector_Intrinsics_vec256_shift_right32(t2, (uint32_t)10U))); + Lib_IntVector_Intrinsics_vec256 + s0 = + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(t15, + (uint32_t)7U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(t15, + (uint32_t)18U), + Lib_IntVector_Intrinsics_vec256_shift_right32(t15, (uint32_t)3U))); + ws[i] = + Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(s1, + t7), + s0), + t16); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256 *os = hash; + Lib_IntVector_Intrinsics_vec256 + x = Lib_IntVector_Intrinsics_vec256_add32(hash[i], hash_old[i]); + os[i] = x; + } + } + } + } +} + +void +Hacl_SHA2_Vec256_sha256_8( + uint8_t *dst0, + uint8_t *dst1, + uint8_t *dst2, + uint8_t *dst3, + uint8_t *dst4, + uint8_t *dst5, + uint8_t *dst6, + uint8_t *dst7, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3, + uint8_t *input4, + uint8_t *input5, + uint8_t *input6, + uint8_t *input7 +) +{ + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + ib; + ib.fst = input0; + ib.snd.fst = input1; + ib.snd.snd.fst = input2; + ib.snd.snd.snd.fst = input3; + ib.snd.snd.snd.snd.fst = 
input4; + ib.snd.snd.snd.snd.snd.fst = input5; + ib.snd.snd.snd.snd.snd.snd.fst = input6; + ib.snd.snd.snd.snd.snd.snd.snd = input7; + { + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + rb; + rb.fst = dst0; + rb.snd.fst = dst1; + rb.snd.snd.fst = dst2; + rb.snd.snd.snd.fst = dst3; + rb.snd.snd.snd.snd.fst = dst4; + rb.snd.snd.snd.snd.snd.fst = dst5; + rb.snd.snd.snd.snd.snd.snd.fst = dst6; + rb.snd.snd.snd.snd.snd.snd.snd = dst7; + { + Lib_IntVector_Intrinsics_vec256 st[8U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)8U; ++_i) + st[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + uint32_t rem; + uint64_t len_; + uint32_t blocks0; + uint32_t rem1; + uint8_t *b70; + uint8_t *b60; + uint8_t *b50; + uint8_t *b40; + uint8_t *b30; + uint8_t *b20; + uint8_t *b10; + uint8_t *b00; + uint8_t *bl0; + uint8_t *bl10; + uint8_t *bl20; + uint8_t *bl30; + uint8_t *bl40; + uint8_t *bl50; + uint8_t *bl60; + uint8_t *bl70; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256 *os = st; + uint32_t hi = Hacl_Impl_SHA2_Generic_h256[i]; + Lib_IntVector_Intrinsics_vec256 x = Lib_IntVector_Intrinsics_vec256_load32(hi); + os[i] = x; + } + } + rem = input_len % (uint32_t)64U; + len_ = (uint64_t)input_len; + blocks0 = input_len / (uint32_t)64U; + { + uint32_t i; + for (i = (uint32_t)0U; i < blocks0; i++) + { + uint8_t *b7 = ib.snd.snd.snd.snd.snd.snd.snd; + uint8_t *b6 = ib.snd.snd.snd.snd.snd.snd.fst; + uint8_t *b5 = ib.snd.snd.snd.snd.snd.fst; + uint8_t *b4 = ib.snd.snd.snd.snd.fst; + uint8_t *b3 = ib.snd.snd.snd.fst; + uint8_t *b2 = ib.snd.snd.fst; + uint8_t *b1 = ib.snd.fst; + uint8_t *b0 = ib.fst; + uint8_t *bl00 = b0 + i * (uint32_t)64U; + uint8_t *bl1 = b1 + i * (uint32_t)64U; + uint8_t *bl2 = b2 + i * (uint32_t)64U; + uint8_t *bl3 = b3 + i * (uint32_t)64U; + uint8_t *bl4 = b4 + i * (uint32_t)64U; + uint8_t *bl5 = b5 + i * (uint32_t)64U; + uint8_t *bl6 = b6 + i * 
(uint32_t)64U; + uint8_t *bl7 = b7 + i * (uint32_t)64U; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + lit; + lit.fst = bl00; + lit.snd.fst = bl1; + lit.snd.snd.fst = bl2; + lit.snd.snd.snd.fst = bl3; + lit.snd.snd.snd.snd.fst = bl4; + lit.snd.snd.snd.snd.snd.fst = bl5; + lit.snd.snd.snd.snd.snd.snd.fst = bl6; + lit.snd.snd.snd.snd.snd.snd.snd = bl7; + { + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb = lit; + sha256_update8(mb, st); + } + } + } + rem1 = input_len % (uint32_t)64U; + b70 = ib.snd.snd.snd.snd.snd.snd.snd; + b60 = ib.snd.snd.snd.snd.snd.snd.fst; + b50 = ib.snd.snd.snd.snd.snd.fst; + b40 = ib.snd.snd.snd.snd.fst; + b30 = ib.snd.snd.snd.fst; + b20 = ib.snd.snd.fst; + b10 = ib.snd.fst; + b00 = ib.fst; + bl0 = b00 + input_len - rem1; + bl10 = b10 + input_len - rem1; + bl20 = b20 + input_len - rem1; + bl30 = b30 + input_len - rem1; + bl40 = b40 + input_len - rem1; + bl50 = b50 + input_len - rem1; + bl60 = b60 + input_len - rem1; + bl70 = b70 + input_len - rem1; + { + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + lit0; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + lb; + lit0.fst = bl0; + lit0.snd.fst = bl10; + lit0.snd.snd.fst = bl20; + lit0.snd.snd.snd.fst = bl30; + lit0.snd.snd.snd.snd.fst = bl40; + lit0.snd.snd.snd.snd.snd.fst = bl50; + lit0.snd.snd.snd.snd.snd.snd.fst = bl60; + lit0.snd.snd.snd.snd.snd.snd.snd = bl70; + lb = lit0; + { + uint32_t blocks; + if (rem + (uint32_t)8U + (uint32_t)1U <= (uint32_t)64U) + { + blocks = (uint32_t)1U; + } + else + { + blocks = (uint32_t)2U; + } + { + uint32_t fin = blocks * (uint32_t)64U; + uint8_t last[1024U] = { 0U }; + uint8_t totlen_buf[8U] = { 0U }; + uint64_t total_len_bits = len_ << (uint32_t)3U; + uint8_t *b71; + uint8_t *b61; + uint8_t *b51; + uint8_t *b41; 
+ uint8_t *b31; + uint8_t *b21; + uint8_t *b11; + uint8_t *b01; + uint8_t *last00; + uint8_t *last10; + uint8_t *last2; + uint8_t *last3; + uint8_t *last4; + uint8_t *last5; + uint8_t *last6; + uint8_t *last7; + uint8_t *last010; + uint8_t *last110; + store64_be(totlen_buf, total_len_bits); + b71 = lb.snd.snd.snd.snd.snd.snd.snd; + b61 = lb.snd.snd.snd.snd.snd.snd.fst; + b51 = lb.snd.snd.snd.snd.snd.fst; + b41 = lb.snd.snd.snd.snd.fst; + b31 = lb.snd.snd.snd.fst; + b21 = lb.snd.snd.fst; + b11 = lb.snd.fst; + b01 = lb.fst; + last00 = last; + last10 = last + (uint32_t)128U; + last2 = last + (uint32_t)256U; + last3 = last + (uint32_t)384U; + last4 = last + (uint32_t)512U; + last5 = last + (uint32_t)640U; + last6 = last + (uint32_t)768U; + last7 = last + (uint32_t)896U; + memcpy(last00, b01, rem * sizeof (uint8_t)); + last00[rem] = (uint8_t)0x80U; + memcpy(last00 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + last010 = last00; + last110 = last00 + (uint32_t)64U; + { + K____uint8_t___uint8_t_ lit1; + K____uint8_t___uint8_t_ scrut0; + uint8_t *l00; + uint8_t *l01; + uint8_t *last011; + uint8_t *last111; + lit1.fst = last010; + lit1.snd = last110; + scrut0 = lit1; + l00 = scrut0.fst; + l01 = scrut0.snd; + memcpy(last10, b11, rem * sizeof (uint8_t)); + last10[rem] = (uint8_t)0x80U; + memcpy(last10 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + last011 = last10; + last111 = last10 + (uint32_t)64U; + { + K____uint8_t___uint8_t_ lit2; + K____uint8_t___uint8_t_ scrut1; + uint8_t *l10; + uint8_t *l11; + uint8_t *last012; + uint8_t *last112; + lit2.fst = last011; + lit2.snd = last111; + scrut1 = lit2; + l10 = scrut1.fst; + l11 = scrut1.snd; + memcpy(last2, b21, rem * sizeof (uint8_t)); + last2[rem] = (uint8_t)0x80U; + memcpy(last2 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + last012 = last2; + last112 = last2 + (uint32_t)64U; + { + K____uint8_t___uint8_t_ lit3; + K____uint8_t___uint8_t_ scrut2; + uint8_t 
*l20; + uint8_t *l21; + uint8_t *last013; + uint8_t *last113; + lit3.fst = last012; + lit3.snd = last112; + scrut2 = lit3; + l20 = scrut2.fst; + l21 = scrut2.snd; + memcpy(last3, b31, rem * sizeof (uint8_t)); + last3[rem] = (uint8_t)0x80U; + memcpy(last3 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + last013 = last3; + last113 = last3 + (uint32_t)64U; + { + K____uint8_t___uint8_t_ lit4; + K____uint8_t___uint8_t_ scrut3; + uint8_t *l30; + uint8_t *l31; + uint8_t *last014; + uint8_t *last114; + lit4.fst = last013; + lit4.snd = last113; + scrut3 = lit4; + l30 = scrut3.fst; + l31 = scrut3.snd; + memcpy(last4, b41, rem * sizeof (uint8_t)); + last4[rem] = (uint8_t)0x80U; + memcpy(last4 + fin - (uint32_t)8U, + totlen_buf, + (uint32_t)8U * sizeof (uint8_t)); + last014 = last4; + last114 = last4 + (uint32_t)64U; + { + K____uint8_t___uint8_t_ lit5; + K____uint8_t___uint8_t_ scrut4; + uint8_t *l40; + uint8_t *l41; + uint8_t *last015; + uint8_t *last115; + lit5.fst = last014; + lit5.snd = last114; + scrut4 = lit5; + l40 = scrut4.fst; + l41 = scrut4.snd; + memcpy(last5, b51, rem * sizeof (uint8_t)); + last5[rem] = (uint8_t)0x80U; + memcpy(last5 + fin - (uint32_t)8U, + totlen_buf, + (uint32_t)8U * sizeof (uint8_t)); + last015 = last5; + last115 = last5 + (uint32_t)64U; + { + K____uint8_t___uint8_t_ lit6; + K____uint8_t___uint8_t_ scrut5; + uint8_t *l50; + uint8_t *l51; + uint8_t *last016; + uint8_t *last116; + lit6.fst = last015; + lit6.snd = last115; + scrut5 = lit6; + l50 = scrut5.fst; + l51 = scrut5.snd; + memcpy(last6, b61, rem * sizeof (uint8_t)); + last6[rem] = (uint8_t)0x80U; + memcpy(last6 + fin - (uint32_t)8U, + totlen_buf, + (uint32_t)8U * sizeof (uint8_t)); + last016 = last6; + last116 = last6 + (uint32_t)64U; + { + K____uint8_t___uint8_t_ lit7; + K____uint8_t___uint8_t_ scrut6; + uint8_t *l60; + uint8_t *l61; + uint8_t *last01; + uint8_t *last11; + lit7.fst = last016; + lit7.snd = last116; + scrut6 = lit7; + l60 = scrut6.fst; + l61 = 
scrut6.snd; + memcpy(last7, b71, rem * sizeof (uint8_t)); + last7[rem] = (uint8_t)0x80U; + memcpy(last7 + fin - (uint32_t)8U, + totlen_buf, + (uint32_t)8U * sizeof (uint8_t)); + last01 = last7; + last11 = last7 + (uint32_t)64U; + { + K____uint8_t___uint8_t_ lit8; + K____uint8_t___uint8_t_ scrut7; + uint8_t *l70; + uint8_t *l71; + lit8.fst = last01; + lit8.snd = last11; + scrut7 = lit8; + l70 = scrut7.fst; + l71 = scrut7.snd; + { + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb0; + mb0.fst = l00; + mb0.snd.fst = l10; + mb0.snd.snd.fst = l20; + mb0.snd.snd.snd.fst = l30; + mb0.snd.snd.snd.snd.fst = l40; + mb0.snd.snd.snd.snd.snd.fst = l50; + mb0.snd.snd.snd.snd.snd.snd.fst = l60; + mb0.snd.snd.snd.snd.snd.snd.snd = l70; + { + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb1; + mb1.fst = l01; + mb1.snd.fst = l11; + mb1.snd.snd.fst = l21; + mb1.snd.snd.snd.fst = l31; + mb1.snd.snd.snd.snd.fst = l41; + mb1.snd.snd.snd.snd.snd.fst = l51; + mb1.snd.snd.snd.snd.snd.snd.fst = l61; + mb1.snd.snd.snd.snd.snd.snd.snd = l71; + { + __K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + lit; + __K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + scrut; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + last0; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + last1; + lit.fst = mb0; + lit.snd = mb1; + scrut = lit; + last0 = scrut.fst; + last1 = scrut.snd; + sha256_update8(last0, st); + if (blocks > (uint32_t)1U) + 
{ + sha256_update8(last1, st); + } + KRML_CHECK_SIZE(sizeof (uint8_t), + (uint32_t)8U * (uint32_t)8U * (uint32_t)4U); + { + uint8_t hbuf[(uint32_t)8U * (uint32_t)8U * (uint32_t)4U]; + memset(hbuf, + 0U, + (uint32_t)8U + * (uint32_t)8U + * (uint32_t)4U + * sizeof (uint8_t)); + { + Lib_IntVector_Intrinsics_vec256 v0 = st[0U]; + Lib_IntVector_Intrinsics_vec256 v1 = st[1U]; + Lib_IntVector_Intrinsics_vec256 v2 = st[2U]; + Lib_IntVector_Intrinsics_vec256 v3 = st[3U]; + Lib_IntVector_Intrinsics_vec256 v4 = st[4U]; + Lib_IntVector_Intrinsics_vec256 v5 = st[5U]; + Lib_IntVector_Intrinsics_vec256 v6 = st[6U]; + Lib_IntVector_Intrinsics_vec256 v7 = st[7U]; + Lib_IntVector_Intrinsics_vec256 + v0_ = + Lib_IntVector_Intrinsics_vec256_interleave_low32(v0, + v1); + Lib_IntVector_Intrinsics_vec256 + v1_ = + Lib_IntVector_Intrinsics_vec256_interleave_high32(v0, + v1); + Lib_IntVector_Intrinsics_vec256 + v2_ = + Lib_IntVector_Intrinsics_vec256_interleave_low32(v2, + v3); + Lib_IntVector_Intrinsics_vec256 + v3_ = + Lib_IntVector_Intrinsics_vec256_interleave_high32(v2, + v3); + Lib_IntVector_Intrinsics_vec256 + v4_ = + Lib_IntVector_Intrinsics_vec256_interleave_low32(v4, + v5); + Lib_IntVector_Intrinsics_vec256 + v5_ = + Lib_IntVector_Intrinsics_vec256_interleave_high32(v4, + v5); + Lib_IntVector_Intrinsics_vec256 + v6_ = + Lib_IntVector_Intrinsics_vec256_interleave_low32(v6, + v7); + Lib_IntVector_Intrinsics_vec256 + v7_ = + Lib_IntVector_Intrinsics_vec256_interleave_high32(v6, + v7); + Lib_IntVector_Intrinsics_vec256 v0_0 = v0_; + Lib_IntVector_Intrinsics_vec256 v1_0 = v1_; + Lib_IntVector_Intrinsics_vec256 v2_0 = v2_; + Lib_IntVector_Intrinsics_vec256 v3_0 = v3_; + Lib_IntVector_Intrinsics_vec256 v4_0 = v4_; + Lib_IntVector_Intrinsics_vec256 v5_0 = v5_; + Lib_IntVector_Intrinsics_vec256 v6_0 = v6_; + Lib_IntVector_Intrinsics_vec256 v7_0 = v7_; + Lib_IntVector_Intrinsics_vec256 + v0_1 = + Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, + v2_0); + 
Lib_IntVector_Intrinsics_vec256 + v2_1 = + Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, + v2_0); + Lib_IntVector_Intrinsics_vec256 + v1_1 = + Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, + v3_0); + Lib_IntVector_Intrinsics_vec256 + v3_1 = + Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, + v3_0); + Lib_IntVector_Intrinsics_vec256 + v4_1 = + Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, + v6_0); + Lib_IntVector_Intrinsics_vec256 + v6_1 = + Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, + v6_0); + Lib_IntVector_Intrinsics_vec256 + v5_1 = + Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, + v7_0); + Lib_IntVector_Intrinsics_vec256 + v7_1 = + Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, + v7_0); + Lib_IntVector_Intrinsics_vec256 v0_10 = v0_1; + Lib_IntVector_Intrinsics_vec256 v1_10 = v1_1; + Lib_IntVector_Intrinsics_vec256 v2_10 = v2_1; + Lib_IntVector_Intrinsics_vec256 v3_10 = v3_1; + Lib_IntVector_Intrinsics_vec256 v4_10 = v4_1; + Lib_IntVector_Intrinsics_vec256 v5_10 = v5_1; + Lib_IntVector_Intrinsics_vec256 v6_10 = v6_1; + Lib_IntVector_Intrinsics_vec256 v7_10 = v7_1; + Lib_IntVector_Intrinsics_vec256 + v0_2 = + Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_10, + v4_10); + Lib_IntVector_Intrinsics_vec256 + v4_2 = + Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_10, + v4_10); + Lib_IntVector_Intrinsics_vec256 + v1_2 = + Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_10, + v5_10); + Lib_IntVector_Intrinsics_vec256 + v5_2 = + Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_10, + v5_10); + Lib_IntVector_Intrinsics_vec256 + v2_2 = + Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_10, + v6_10); + Lib_IntVector_Intrinsics_vec256 + v6_2 = + Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_10, + v6_10); + Lib_IntVector_Intrinsics_vec256 + v3_2 = + Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_10, + v7_10); + Lib_IntVector_Intrinsics_vec256 + v7_2 = + 
Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_10, + v7_10); + Lib_IntVector_Intrinsics_vec256 v0_20 = v0_2; + Lib_IntVector_Intrinsics_vec256 v1_20 = v1_2; + Lib_IntVector_Intrinsics_vec256 v2_20 = v2_2; + Lib_IntVector_Intrinsics_vec256 v3_20 = v3_2; + Lib_IntVector_Intrinsics_vec256 v4_20 = v4_2; + Lib_IntVector_Intrinsics_vec256 v5_20 = v5_2; + Lib_IntVector_Intrinsics_vec256 v6_20 = v6_2; + Lib_IntVector_Intrinsics_vec256 v7_20 = v7_2; + Lib_IntVector_Intrinsics_vec256 v0_3 = v0_20; + Lib_IntVector_Intrinsics_vec256 v1_3 = v1_20; + Lib_IntVector_Intrinsics_vec256 v2_3 = v2_20; + Lib_IntVector_Intrinsics_vec256 v3_3 = v3_20; + Lib_IntVector_Intrinsics_vec256 v4_3 = v4_20; + Lib_IntVector_Intrinsics_vec256 v5_3 = v5_20; + Lib_IntVector_Intrinsics_vec256 v6_3 = v6_20; + Lib_IntVector_Intrinsics_vec256 v7_3 = v7_20; + Lib_IntVector_Intrinsics_vec256 st0_ = v0_3; + Lib_IntVector_Intrinsics_vec256 st1_ = v2_3; + Lib_IntVector_Intrinsics_vec256 st2_ = v1_3; + Lib_IntVector_Intrinsics_vec256 st3_ = v3_3; + Lib_IntVector_Intrinsics_vec256 st4_ = v4_3; + Lib_IntVector_Intrinsics_vec256 st5_ = v6_3; + Lib_IntVector_Intrinsics_vec256 st6_ = v5_3; + Lib_IntVector_Intrinsics_vec256 st7_ = v7_3; + uint8_t *b7; + uint8_t *b6; + uint8_t *b5; + uint8_t *b4; + uint8_t *b3; + uint8_t *b2; + uint8_t *b1; + uint8_t *b0; + st[0U] = st0_; + st[1U] = st1_; + st[2U] = st2_; + st[3U] = st3_; + st[4U] = st4_; + st[5U] = st5_; + st[6U] = st6_; + st[7U] = st7_; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256_store32_be(hbuf + + i * (uint32_t)32U, + st[i]); + } + } + b7 = rb.snd.snd.snd.snd.snd.snd.snd; + b6 = rb.snd.snd.snd.snd.snd.snd.fst; + b5 = rb.snd.snd.snd.snd.snd.fst; + b4 = rb.snd.snd.snd.snd.fst; + b3 = rb.snd.snd.snd.fst; + b2 = rb.snd.snd.fst; + b1 = rb.snd.fst; + b0 = rb.fst; + memcpy(b0, hbuf, (uint32_t)32U * sizeof (uint8_t)); + memcpy(b1, + hbuf + (uint32_t)32U, + (uint32_t)32U * sizeof (uint8_t)); + memcpy(b2, + 
hbuf + (uint32_t)64U, + (uint32_t)32U * sizeof (uint8_t)); + memcpy(b3, + hbuf + (uint32_t)96U, + (uint32_t)32U * sizeof (uint8_t)); + memcpy(b4, + hbuf + (uint32_t)128U, + (uint32_t)32U * sizeof (uint8_t)); + memcpy(b5, + hbuf + (uint32_t)160U, + (uint32_t)32U * sizeof (uint8_t)); + memcpy(b6, + hbuf + (uint32_t)192U, + (uint32_t)32U * sizeof (uint8_t)); + memcpy(b7, + hbuf + (uint32_t)224U, + (uint32_t)32U * sizeof (uint8_t)); + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } +} + +static inline void +sha384_update4( + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ block, + Lib_IntVector_Intrinsics_vec256 *hash +) +{ + Lib_IntVector_Intrinsics_vec256 hash_old[8U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)8U; ++_i) + hash_old[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + Lib_IntVector_Intrinsics_vec256 ws[16U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)16U; ++_i) + ws[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + uint8_t *b3; + uint8_t *b2; + uint8_t *b10; + uint8_t *b00; + Lib_IntVector_Intrinsics_vec256 v00; + Lib_IntVector_Intrinsics_vec256 v10; + Lib_IntVector_Intrinsics_vec256 v20; + Lib_IntVector_Intrinsics_vec256 v30; + Lib_IntVector_Intrinsics_vec256 v0_; + Lib_IntVector_Intrinsics_vec256 v1_; + Lib_IntVector_Intrinsics_vec256 v2_; + Lib_IntVector_Intrinsics_vec256 v3_; + Lib_IntVector_Intrinsics_vec256 v0__; + Lib_IntVector_Intrinsics_vec256 v1__; + Lib_IntVector_Intrinsics_vec256 v2__; + Lib_IntVector_Intrinsics_vec256 v3__; + Lib_IntVector_Intrinsics_vec256 ws0; + Lib_IntVector_Intrinsics_vec256 ws1; + Lib_IntVector_Intrinsics_vec256 ws2; + Lib_IntVector_Intrinsics_vec256 ws3; + Lib_IntVector_Intrinsics_vec256 v01; + Lib_IntVector_Intrinsics_vec256 v11; + Lib_IntVector_Intrinsics_vec256 v21; + Lib_IntVector_Intrinsics_vec256 v31; + Lib_IntVector_Intrinsics_vec256 v0_0; + Lib_IntVector_Intrinsics_vec256 v1_0; + Lib_IntVector_Intrinsics_vec256 v2_0; + Lib_IntVector_Intrinsics_vec256 v3_0; + 
Lib_IntVector_Intrinsics_vec256 v0__0; + Lib_IntVector_Intrinsics_vec256 v1__0; + Lib_IntVector_Intrinsics_vec256 v2__0; + Lib_IntVector_Intrinsics_vec256 v3__0; + Lib_IntVector_Intrinsics_vec256 ws4; + Lib_IntVector_Intrinsics_vec256 ws5; + Lib_IntVector_Intrinsics_vec256 ws6; + Lib_IntVector_Intrinsics_vec256 ws7; + Lib_IntVector_Intrinsics_vec256 v02; + Lib_IntVector_Intrinsics_vec256 v12; + Lib_IntVector_Intrinsics_vec256 v22; + Lib_IntVector_Intrinsics_vec256 v32; + Lib_IntVector_Intrinsics_vec256 v0_1; + Lib_IntVector_Intrinsics_vec256 v1_1; + Lib_IntVector_Intrinsics_vec256 v2_1; + Lib_IntVector_Intrinsics_vec256 v3_1; + Lib_IntVector_Intrinsics_vec256 v0__1; + Lib_IntVector_Intrinsics_vec256 v1__1; + Lib_IntVector_Intrinsics_vec256 v2__1; + Lib_IntVector_Intrinsics_vec256 v3__1; + Lib_IntVector_Intrinsics_vec256 ws8; + Lib_IntVector_Intrinsics_vec256 ws9; + Lib_IntVector_Intrinsics_vec256 ws10; + Lib_IntVector_Intrinsics_vec256 ws11; + Lib_IntVector_Intrinsics_vec256 v0; + Lib_IntVector_Intrinsics_vec256 v1; + Lib_IntVector_Intrinsics_vec256 v2; + Lib_IntVector_Intrinsics_vec256 v3; + Lib_IntVector_Intrinsics_vec256 v0_2; + Lib_IntVector_Intrinsics_vec256 v1_2; + Lib_IntVector_Intrinsics_vec256 v2_2; + Lib_IntVector_Intrinsics_vec256 v3_2; + Lib_IntVector_Intrinsics_vec256 v0__2; + Lib_IntVector_Intrinsics_vec256 v1__2; + Lib_IntVector_Intrinsics_vec256 v2__2; + Lib_IntVector_Intrinsics_vec256 v3__2; + Lib_IntVector_Intrinsics_vec256 ws12; + Lib_IntVector_Intrinsics_vec256 ws13; + Lib_IntVector_Intrinsics_vec256 ws14; + Lib_IntVector_Intrinsics_vec256 ws15; + memcpy(hash_old, hash, (uint32_t)8U * sizeof (Lib_IntVector_Intrinsics_vec256)); + b3 = block.snd.snd.snd; + b2 = block.snd.snd.fst; + b10 = block.snd.fst; + b00 = block.fst; + ws[0U] = Lib_IntVector_Intrinsics_vec256_load64_be(b00); + ws[1U] = Lib_IntVector_Intrinsics_vec256_load64_be(b10); + ws[2U] = Lib_IntVector_Intrinsics_vec256_load64_be(b2); + ws[3U] = 
Lib_IntVector_Intrinsics_vec256_load64_be(b3); + ws[4U] = Lib_IntVector_Intrinsics_vec256_load64_be(b00 + (uint32_t)32U); + ws[5U] = Lib_IntVector_Intrinsics_vec256_load64_be(b10 + (uint32_t)32U); + ws[6U] = Lib_IntVector_Intrinsics_vec256_load64_be(b2 + (uint32_t)32U); + ws[7U] = Lib_IntVector_Intrinsics_vec256_load64_be(b3 + (uint32_t)32U); + ws[8U] = Lib_IntVector_Intrinsics_vec256_load64_be(b00 + (uint32_t)64U); + ws[9U] = Lib_IntVector_Intrinsics_vec256_load64_be(b10 + (uint32_t)64U); + ws[10U] = Lib_IntVector_Intrinsics_vec256_load64_be(b2 + (uint32_t)64U); + ws[11U] = Lib_IntVector_Intrinsics_vec256_load64_be(b3 + (uint32_t)64U); + ws[12U] = Lib_IntVector_Intrinsics_vec256_load64_be(b00 + (uint32_t)96U); + ws[13U] = Lib_IntVector_Intrinsics_vec256_load64_be(b10 + (uint32_t)96U); + ws[14U] = Lib_IntVector_Intrinsics_vec256_load64_be(b2 + (uint32_t)96U); + ws[15U] = Lib_IntVector_Intrinsics_vec256_load64_be(b3 + (uint32_t)96U); + v00 = ws[0U]; + v10 = ws[1U]; + v20 = ws[2U]; + v30 = ws[3U]; + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v00, v10); + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v00, v10); + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v20, v30); + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v20, v30); + v0__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_, v2_); + v1__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_, v2_); + v2__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_, v3_); + v3__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_, v3_); + ws0 = v0__; + ws1 = v2__; + ws2 = v1__; + ws3 = v3__; + v01 = ws[4U]; + v11 = ws[5U]; + v21 = ws[6U]; + v31 = ws[7U]; + v0_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v01, v11); + v1_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v01, v11); + v2_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v21, v31); + v3_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v21, v31); + v0__0 = 
Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_0, v2_0); + v1__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_0, v2_0); + v2__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_0, v3_0); + v3__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_0, v3_0); + ws4 = v0__0; + ws5 = v2__0; + ws6 = v1__0; + ws7 = v3__0; + v02 = ws[8U]; + v12 = ws[9U]; + v22 = ws[10U]; + v32 = ws[11U]; + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v02, v12); + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v02, v12); + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v22, v32); + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v22, v32); + v0__1 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_1, v2_1); + v1__1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_1, v2_1); + v2__1 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_1, v3_1); + v3__1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_1, v3_1); + ws8 = v0__1; + ws9 = v2__1; + ws10 = v1__1; + ws11 = v3__1; + v0 = ws[12U]; + v1 = ws[13U]; + v2 = ws[14U]; + v3 = ws[15U]; + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0, v1); + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0, v1); + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v2, v3); + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v2, v3); + v0__2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_2, v2_2); + v1__2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_2, v2_2); + v2__2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_2, v3_2); + v3__2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_2, v3_2); + ws12 = v0__2; + ws13 = v2__2; + ws14 = v1__2; + ws15 = v3__2; + ws[0U] = ws0; + ws[1U] = ws1; + ws[2U] = ws2; + ws[3U] = ws3; + ws[4U] = ws4; + ws[5U] = ws5; + ws[6U] = ws6; + ws[7U] = ws7; + ws[8U] = ws8; + ws[9U] = ws9; + ws[10U] = ws10; + ws[11U] = ws11; + ws[12U] = ws12; + ws[13U] = ws13; + ws[14U] = ws14; + ws[15U] = 
ws15; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)5U; i0++) + { + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t k_t = Hacl_Impl_SHA2_Generic_k384_512[(uint32_t)16U * i0 + i]; + Lib_IntVector_Intrinsics_vec256 ws_t = ws[i]; + Lib_IntVector_Intrinsics_vec256 a0 = hash[0U]; + Lib_IntVector_Intrinsics_vec256 b0 = hash[1U]; + Lib_IntVector_Intrinsics_vec256 c0 = hash[2U]; + Lib_IntVector_Intrinsics_vec256 d0 = hash[3U]; + Lib_IntVector_Intrinsics_vec256 e0 = hash[4U]; + Lib_IntVector_Intrinsics_vec256 f0 = hash[5U]; + Lib_IntVector_Intrinsics_vec256 g0 = hash[6U]; + Lib_IntVector_Intrinsics_vec256 h02 = hash[7U]; + Lib_IntVector_Intrinsics_vec256 k_e_t = Lib_IntVector_Intrinsics_vec256_load64(k_t); + Lib_IntVector_Intrinsics_vec256 + t1 = + Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(h02, + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(e0, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(e0, + (uint32_t)18U), + Lib_IntVector_Intrinsics_vec256_rotate_right64(e0, (uint32_t)41U)))), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(e0, + f0), + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_lognot(e0), + g0))), + k_e_t), + ws_t); + Lib_IntVector_Intrinsics_vec256 + t2 = + Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(a0, + (uint32_t)28U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(a0, + (uint32_t)34U), + Lib_IntVector_Intrinsics_vec256_rotate_right64(a0, (uint32_t)39U))), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(a0, b0), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(a0, c0), + 
Lib_IntVector_Intrinsics_vec256_and(b0, c0)))); + Lib_IntVector_Intrinsics_vec256 a1 = Lib_IntVector_Intrinsics_vec256_add64(t1, t2); + Lib_IntVector_Intrinsics_vec256 b1 = a0; + Lib_IntVector_Intrinsics_vec256 c1 = b0; + Lib_IntVector_Intrinsics_vec256 d1 = c0; + Lib_IntVector_Intrinsics_vec256 e1 = Lib_IntVector_Intrinsics_vec256_add64(d0, t1); + Lib_IntVector_Intrinsics_vec256 f1 = e0; + Lib_IntVector_Intrinsics_vec256 g1 = f0; + Lib_IntVector_Intrinsics_vec256 h12 = g0; + hash[0U] = a1; + hash[1U] = b1; + hash[2U] = c1; + hash[3U] = d1; + hash[4U] = e1; + hash[5U] = f1; + hash[6U] = g1; + hash[7U] = h12; + } + } + if (i0 < (uint32_t)5U - (uint32_t)1U) + { + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec256 t16 = ws[i]; + Lib_IntVector_Intrinsics_vec256 t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 + s1 = + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(t2, + (uint32_t)19U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(t2, + (uint32_t)61U), + Lib_IntVector_Intrinsics_vec256_shift_right64(t2, (uint32_t)6U))); + Lib_IntVector_Intrinsics_vec256 + s0 = + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(t15, + (uint32_t)1U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(t15, + (uint32_t)8U), + Lib_IntVector_Intrinsics_vec256_shift_right64(t15, (uint32_t)7U))); + ws[i] = + Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(s1, + t7), + s0), + t16); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256 *os = hash; + Lib_IntVector_Intrinsics_vec256 + x 
= Lib_IntVector_Intrinsics_vec256_add64(hash[i], hash_old[i]); + os[i] = x; + } + } + } + } +} + +void +Hacl_SHA2_Vec256_sha384_4( + uint8_t *dst0, + uint8_t *dst1, + uint8_t *dst2, + uint8_t *dst3, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3 +) +{ + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ ib; + ib.fst = input0; + ib.snd.fst = input1; + ib.snd.snd.fst = input2; + ib.snd.snd.snd = input3; + { + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ rb; + rb.fst = dst0; + rb.snd.fst = dst1; + rb.snd.snd.fst = dst2; + rb.snd.snd.snd = dst3; + { + Lib_IntVector_Intrinsics_vec256 st[8U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)8U; ++_i) + st[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + uint32_t rem; + FStar_UInt128_uint128 len_; + uint32_t blocks0; + uint32_t rem1; + uint8_t *b30; + uint8_t *b20; + uint8_t *b10; + uint8_t *b00; + uint8_t *bl0; + uint8_t *bl10; + uint8_t *bl20; + uint8_t *bl30; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256 *os = st; + uint64_t hi = Hacl_Impl_SHA2_Generic_h384[i]; + Lib_IntVector_Intrinsics_vec256 x = Lib_IntVector_Intrinsics_vec256_load64(hi); + os[i] = x; + } + } + rem = input_len % (uint32_t)128U; + len_ = FStar_UInt128_uint64_to_uint128((uint64_t)input_len); + blocks0 = input_len / (uint32_t)128U; + { + uint32_t i; + for (i = (uint32_t)0U; i < blocks0; i++) + { + uint8_t *b3 = ib.snd.snd.snd; + uint8_t *b2 = ib.snd.snd.fst; + uint8_t *b1 = ib.snd.fst; + uint8_t *b0 = ib.fst; + uint8_t *bl00 = b0 + i * (uint32_t)128U; + uint8_t *bl1 = b1 + i * (uint32_t)128U; + uint8_t *bl2 = b2 + i * (uint32_t)128U; + uint8_t *bl3 = b3 + i * (uint32_t)128U; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ lit; + lit.fst = bl00; + lit.snd.fst = bl1; + lit.snd.snd.fst = bl2; + lit.snd.snd.snd = bl3; + { + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ mb = lit; + sha384_update4(mb, st); + } + } + } + rem1 = 
input_len % (uint32_t)128U; + b30 = ib.snd.snd.snd; + b20 = ib.snd.snd.fst; + b10 = ib.snd.fst; + b00 = ib.fst; + bl0 = b00 + input_len - rem1; + bl10 = b10 + input_len - rem1; + bl20 = b20 + input_len - rem1; + bl30 = b30 + input_len - rem1; + { + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ lit0; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ lb; + lit0.fst = bl0; + lit0.snd.fst = bl10; + lit0.snd.snd.fst = bl20; + lit0.snd.snd.snd = bl30; + lb = lit0; + { + uint32_t blocks; + if (rem + (uint32_t)16U + (uint32_t)1U <= (uint32_t)128U) + { + blocks = (uint32_t)1U; + } + else + { + blocks = (uint32_t)2U; + } + { + uint32_t fin = blocks * (uint32_t)128U; + uint8_t last[1024U] = { 0U }; + uint8_t totlen_buf[16U] = { 0U }; + FStar_UInt128_uint128 total_len_bits = FStar_UInt128_shift_left(len_, (uint32_t)3U); + uint8_t *b31; + uint8_t *b21; + uint8_t *b11; + uint8_t *b01; + uint8_t *last00; + uint8_t *last10; + uint8_t *last2; + uint8_t *last3; + uint8_t *last010; + uint8_t *last110; + store128_be(totlen_buf, total_len_bits); + b31 = lb.snd.snd.snd; + b21 = lb.snd.snd.fst; + b11 = lb.snd.fst; + b01 = lb.fst; + last00 = last; + last10 = last + (uint32_t)256U; + last2 = last + (uint32_t)512U; + last3 = last + (uint32_t)768U; + memcpy(last00, b01, rem * sizeof (uint8_t)); + last00[rem] = (uint8_t)0x80U; + memcpy(last00 + fin - (uint32_t)16U, totlen_buf, (uint32_t)16U * sizeof (uint8_t)); + last010 = last00; + last110 = last00 + (uint32_t)128U; + { + K____uint8_t___uint8_t_ lit1; + K____uint8_t___uint8_t_ scrut0; + uint8_t *l00; + uint8_t *l01; + uint8_t *last011; + uint8_t *last111; + lit1.fst = last010; + lit1.snd = last110; + scrut0 = lit1; + l00 = scrut0.fst; + l01 = scrut0.snd; + memcpy(last10, b11, rem * sizeof (uint8_t)); + last10[rem] = (uint8_t)0x80U; + memcpy(last10 + fin - (uint32_t)16U, totlen_buf, (uint32_t)16U * sizeof (uint8_t)); + last011 = last10; + last111 = last10 + (uint32_t)128U; + { + K____uint8_t___uint8_t_ lit2; + 
K____uint8_t___uint8_t_ scrut1; + uint8_t *l10; + uint8_t *l11; + uint8_t *last012; + uint8_t *last112; + lit2.fst = last011; + lit2.snd = last111; + scrut1 = lit2; + l10 = scrut1.fst; + l11 = scrut1.snd; + memcpy(last2, b21, rem * sizeof (uint8_t)); + last2[rem] = (uint8_t)0x80U; + memcpy(last2 + fin - (uint32_t)16U, totlen_buf, (uint32_t)16U * sizeof (uint8_t)); + last012 = last2; + last112 = last2 + (uint32_t)128U; + { + K____uint8_t___uint8_t_ lit3; + K____uint8_t___uint8_t_ scrut2; + uint8_t *l20; + uint8_t *l21; + uint8_t *last01; + uint8_t *last11; + lit3.fst = last012; + lit3.snd = last112; + scrut2 = lit3; + l20 = scrut2.fst; + l21 = scrut2.snd; + memcpy(last3, b31, rem * sizeof (uint8_t)); + last3[rem] = (uint8_t)0x80U; + memcpy(last3 + fin - (uint32_t)16U, + totlen_buf, + (uint32_t)16U * sizeof (uint8_t)); + last01 = last3; + last11 = last3 + (uint32_t)128U; + { + K____uint8_t___uint8_t_ lit4; + K____uint8_t___uint8_t_ scrut3; + uint8_t *l30; + uint8_t *l31; + lit4.fst = last01; + lit4.snd = last11; + scrut3 = lit4; + l30 = scrut3.fst; + l31 = scrut3.snd; + { + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ mb0; + mb0.fst = l00; + mb0.snd.fst = l10; + mb0.snd.snd.fst = l20; + mb0.snd.snd.snd = l30; + { + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ mb1; + mb1.fst = l01; + mb1.snd.fst = l11; + mb1.snd.snd.fst = l21; + mb1.snd.snd.snd = l31; + { + K___K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + lit; + K___K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + scrut; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ last0; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ last1; + lit.fst = mb0; + lit.snd = mb1; + scrut = lit; + last0 = scrut.fst; + last1 = scrut.snd; + sha384_update4(last0, st); + if (blocks > (uint32_t)1U) + { + sha384_update4(last1, st); + } + KRML_CHECK_SIZE(sizeof (uint8_t), + (uint32_t)4U * (uint32_t)8U 
* (uint32_t)8U); + { + uint8_t hbuf[(uint32_t)4U * (uint32_t)8U * (uint32_t)8U]; + memset(hbuf, + 0U, + (uint32_t)4U * (uint32_t)8U * (uint32_t)8U * sizeof (uint8_t)); + { + Lib_IntVector_Intrinsics_vec256 v00 = st[0U]; + Lib_IntVector_Intrinsics_vec256 v10 = st[1U]; + Lib_IntVector_Intrinsics_vec256 v20 = st[2U]; + Lib_IntVector_Intrinsics_vec256 v30 = st[3U]; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v0__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v1__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v2__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 + v3__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 st0_ = v0__; + Lib_IntVector_Intrinsics_vec256 st1_ = v2__; + Lib_IntVector_Intrinsics_vec256 st2_ = v1__; + Lib_IntVector_Intrinsics_vec256 st3_ = v3__; + Lib_IntVector_Intrinsics_vec256 v0 = st[4U]; + Lib_IntVector_Intrinsics_vec256 v1 = st[5U]; + Lib_IntVector_Intrinsics_vec256 v2 = st[6U]; + Lib_IntVector_Intrinsics_vec256 v3 = st[7U]; + Lib_IntVector_Intrinsics_vec256 + v0_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v1_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v2_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v3_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v2, v3); + 
Lib_IntVector_Intrinsics_vec256 + v0__0 = + Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_0, + v2_0); + Lib_IntVector_Intrinsics_vec256 + v1__0 = + Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_0, + v2_0); + Lib_IntVector_Intrinsics_vec256 + v2__0 = + Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_0, + v3_0); + Lib_IntVector_Intrinsics_vec256 + v3__0 = + Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_0, + v3_0); + Lib_IntVector_Intrinsics_vec256 st4_ = v0__0; + Lib_IntVector_Intrinsics_vec256 st5_ = v2__0; + Lib_IntVector_Intrinsics_vec256 st6_ = v1__0; + Lib_IntVector_Intrinsics_vec256 st7_ = v3__0; + uint8_t *b3; + uint8_t *b2; + uint8_t *b1; + uint8_t *b0; + st[0U] = st0_; + st[1U] = st4_; + st[2U] = st1_; + st[3U] = st5_; + st[4U] = st2_; + st[5U] = st6_; + st[6U] = st3_; + st[7U] = st7_; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256_store64_be(hbuf + + i * (uint32_t)32U, + st[i]); + } + } + b3 = rb.snd.snd.snd; + b2 = rb.snd.snd.fst; + b1 = rb.snd.fst; + b0 = rb.fst; + memcpy(b0, hbuf, (uint32_t)48U * sizeof (uint8_t)); + memcpy(b1, hbuf + (uint32_t)64U, (uint32_t)48U * sizeof (uint8_t)); + memcpy(b2, hbuf + (uint32_t)128U, (uint32_t)48U * sizeof (uint8_t)); + memcpy(b3, hbuf + (uint32_t)192U, (uint32_t)48U * sizeof (uint8_t)); + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } +} + +static inline void +sha512_update4( + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ block, + Lib_IntVector_Intrinsics_vec256 *hash +) +{ + Lib_IntVector_Intrinsics_vec256 hash_old[8U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)8U; ++_i) + hash_old[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + Lib_IntVector_Intrinsics_vec256 ws[16U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)16U; ++_i) + ws[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + uint8_t *b3; + uint8_t *b2; + uint8_t *b10; + uint8_t *b00; + Lib_IntVector_Intrinsics_vec256 v00; + 
Lib_IntVector_Intrinsics_vec256 v10; + Lib_IntVector_Intrinsics_vec256 v20; + Lib_IntVector_Intrinsics_vec256 v30; + Lib_IntVector_Intrinsics_vec256 v0_; + Lib_IntVector_Intrinsics_vec256 v1_; + Lib_IntVector_Intrinsics_vec256 v2_; + Lib_IntVector_Intrinsics_vec256 v3_; + Lib_IntVector_Intrinsics_vec256 v0__; + Lib_IntVector_Intrinsics_vec256 v1__; + Lib_IntVector_Intrinsics_vec256 v2__; + Lib_IntVector_Intrinsics_vec256 v3__; + Lib_IntVector_Intrinsics_vec256 ws0; + Lib_IntVector_Intrinsics_vec256 ws1; + Lib_IntVector_Intrinsics_vec256 ws2; + Lib_IntVector_Intrinsics_vec256 ws3; + Lib_IntVector_Intrinsics_vec256 v01; + Lib_IntVector_Intrinsics_vec256 v11; + Lib_IntVector_Intrinsics_vec256 v21; + Lib_IntVector_Intrinsics_vec256 v31; + Lib_IntVector_Intrinsics_vec256 v0_0; + Lib_IntVector_Intrinsics_vec256 v1_0; + Lib_IntVector_Intrinsics_vec256 v2_0; + Lib_IntVector_Intrinsics_vec256 v3_0; + Lib_IntVector_Intrinsics_vec256 v0__0; + Lib_IntVector_Intrinsics_vec256 v1__0; + Lib_IntVector_Intrinsics_vec256 v2__0; + Lib_IntVector_Intrinsics_vec256 v3__0; + Lib_IntVector_Intrinsics_vec256 ws4; + Lib_IntVector_Intrinsics_vec256 ws5; + Lib_IntVector_Intrinsics_vec256 ws6; + Lib_IntVector_Intrinsics_vec256 ws7; + Lib_IntVector_Intrinsics_vec256 v02; + Lib_IntVector_Intrinsics_vec256 v12; + Lib_IntVector_Intrinsics_vec256 v22; + Lib_IntVector_Intrinsics_vec256 v32; + Lib_IntVector_Intrinsics_vec256 v0_1; + Lib_IntVector_Intrinsics_vec256 v1_1; + Lib_IntVector_Intrinsics_vec256 v2_1; + Lib_IntVector_Intrinsics_vec256 v3_1; + Lib_IntVector_Intrinsics_vec256 v0__1; + Lib_IntVector_Intrinsics_vec256 v1__1; + Lib_IntVector_Intrinsics_vec256 v2__1; + Lib_IntVector_Intrinsics_vec256 v3__1; + Lib_IntVector_Intrinsics_vec256 ws8; + Lib_IntVector_Intrinsics_vec256 ws9; + Lib_IntVector_Intrinsics_vec256 ws10; + Lib_IntVector_Intrinsics_vec256 ws11; + Lib_IntVector_Intrinsics_vec256 v0; + Lib_IntVector_Intrinsics_vec256 v1; + Lib_IntVector_Intrinsics_vec256 v2; + 
Lib_IntVector_Intrinsics_vec256 v3; + Lib_IntVector_Intrinsics_vec256 v0_2; + Lib_IntVector_Intrinsics_vec256 v1_2; + Lib_IntVector_Intrinsics_vec256 v2_2; + Lib_IntVector_Intrinsics_vec256 v3_2; + Lib_IntVector_Intrinsics_vec256 v0__2; + Lib_IntVector_Intrinsics_vec256 v1__2; + Lib_IntVector_Intrinsics_vec256 v2__2; + Lib_IntVector_Intrinsics_vec256 v3__2; + Lib_IntVector_Intrinsics_vec256 ws12; + Lib_IntVector_Intrinsics_vec256 ws13; + Lib_IntVector_Intrinsics_vec256 ws14; + Lib_IntVector_Intrinsics_vec256 ws15; + memcpy(hash_old, hash, (uint32_t)8U * sizeof (Lib_IntVector_Intrinsics_vec256)); + b3 = block.snd.snd.snd; + b2 = block.snd.snd.fst; + b10 = block.snd.fst; + b00 = block.fst; + ws[0U] = Lib_IntVector_Intrinsics_vec256_load64_be(b00); + ws[1U] = Lib_IntVector_Intrinsics_vec256_load64_be(b10); + ws[2U] = Lib_IntVector_Intrinsics_vec256_load64_be(b2); + ws[3U] = Lib_IntVector_Intrinsics_vec256_load64_be(b3); + ws[4U] = Lib_IntVector_Intrinsics_vec256_load64_be(b00 + (uint32_t)32U); + ws[5U] = Lib_IntVector_Intrinsics_vec256_load64_be(b10 + (uint32_t)32U); + ws[6U] = Lib_IntVector_Intrinsics_vec256_load64_be(b2 + (uint32_t)32U); + ws[7U] = Lib_IntVector_Intrinsics_vec256_load64_be(b3 + (uint32_t)32U); + ws[8U] = Lib_IntVector_Intrinsics_vec256_load64_be(b00 + (uint32_t)64U); + ws[9U] = Lib_IntVector_Intrinsics_vec256_load64_be(b10 + (uint32_t)64U); + ws[10U] = Lib_IntVector_Intrinsics_vec256_load64_be(b2 + (uint32_t)64U); + ws[11U] = Lib_IntVector_Intrinsics_vec256_load64_be(b3 + (uint32_t)64U); + ws[12U] = Lib_IntVector_Intrinsics_vec256_load64_be(b00 + (uint32_t)96U); + ws[13U] = Lib_IntVector_Intrinsics_vec256_load64_be(b10 + (uint32_t)96U); + ws[14U] = Lib_IntVector_Intrinsics_vec256_load64_be(b2 + (uint32_t)96U); + ws[15U] = Lib_IntVector_Intrinsics_vec256_load64_be(b3 + (uint32_t)96U); + v00 = ws[0U]; + v10 = ws[1U]; + v20 = ws[2U]; + v30 = ws[3U]; + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v00, v10); + v1_ = 
Lib_IntVector_Intrinsics_vec256_interleave_high64(v00, v10); + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v20, v30); + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v20, v30); + v0__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_, v2_); + v1__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_, v2_); + v2__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_, v3_); + v3__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_, v3_); + ws0 = v0__; + ws1 = v2__; + ws2 = v1__; + ws3 = v3__; + v01 = ws[4U]; + v11 = ws[5U]; + v21 = ws[6U]; + v31 = ws[7U]; + v0_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v01, v11); + v1_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v01, v11); + v2_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v21, v31); + v3_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v21, v31); + v0__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_0, v2_0); + v1__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_0, v2_0); + v2__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_0, v3_0); + v3__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_0, v3_0); + ws4 = v0__0; + ws5 = v2__0; + ws6 = v1__0; + ws7 = v3__0; + v02 = ws[8U]; + v12 = ws[9U]; + v22 = ws[10U]; + v32 = ws[11U]; + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v02, v12); + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v02, v12); + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v22, v32); + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v22, v32); + v0__1 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_1, v2_1); + v1__1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_1, v2_1); + v2__1 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_1, v3_1); + v3__1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_1, v3_1); + ws8 = v0__1; + ws9 = v2__1; + ws10 = v1__1; + ws11 = v3__1; + v0 = ws[12U]; + v1 = ws[13U]; + v2 = ws[14U]; + v3 = ws[15U]; + 
v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0, v1); + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0, v1); + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v2, v3); + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v2, v3); + v0__2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_2, v2_2); + v1__2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_2, v2_2); + v2__2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_2, v3_2); + v3__2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_2, v3_2); + ws12 = v0__2; + ws13 = v2__2; + ws14 = v1__2; + ws15 = v3__2; + ws[0U] = ws0; + ws[1U] = ws1; + ws[2U] = ws2; + ws[3U] = ws3; + ws[4U] = ws4; + ws[5U] = ws5; + ws[6U] = ws6; + ws[7U] = ws7; + ws[8U] = ws8; + ws[9U] = ws9; + ws[10U] = ws10; + ws[11U] = ws11; + ws[12U] = ws12; + ws[13U] = ws13; + ws[14U] = ws14; + ws[15U] = ws15; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)5U; i0++) + { + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t k_t = Hacl_Impl_SHA2_Generic_k384_512[(uint32_t)16U * i0 + i]; + Lib_IntVector_Intrinsics_vec256 ws_t = ws[i]; + Lib_IntVector_Intrinsics_vec256 a0 = hash[0U]; + Lib_IntVector_Intrinsics_vec256 b0 = hash[1U]; + Lib_IntVector_Intrinsics_vec256 c0 = hash[2U]; + Lib_IntVector_Intrinsics_vec256 d0 = hash[3U]; + Lib_IntVector_Intrinsics_vec256 e0 = hash[4U]; + Lib_IntVector_Intrinsics_vec256 f0 = hash[5U]; + Lib_IntVector_Intrinsics_vec256 g0 = hash[6U]; + Lib_IntVector_Intrinsics_vec256 h02 = hash[7U]; + Lib_IntVector_Intrinsics_vec256 k_e_t = Lib_IntVector_Intrinsics_vec256_load64(k_t); + Lib_IntVector_Intrinsics_vec256 + t1 = + Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(h02, + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(e0, + (uint32_t)14U), + 
Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(e0, + (uint32_t)18U), + Lib_IntVector_Intrinsics_vec256_rotate_right64(e0, (uint32_t)41U)))), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(e0, + f0), + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_lognot(e0), + g0))), + k_e_t), + ws_t); + Lib_IntVector_Intrinsics_vec256 + t2 = + Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(a0, + (uint32_t)28U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(a0, + (uint32_t)34U), + Lib_IntVector_Intrinsics_vec256_rotate_right64(a0, (uint32_t)39U))), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(a0, b0), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(a0, c0), + Lib_IntVector_Intrinsics_vec256_and(b0, c0)))); + Lib_IntVector_Intrinsics_vec256 a1 = Lib_IntVector_Intrinsics_vec256_add64(t1, t2); + Lib_IntVector_Intrinsics_vec256 b1 = a0; + Lib_IntVector_Intrinsics_vec256 c1 = b0; + Lib_IntVector_Intrinsics_vec256 d1 = c0; + Lib_IntVector_Intrinsics_vec256 e1 = Lib_IntVector_Intrinsics_vec256_add64(d0, t1); + Lib_IntVector_Intrinsics_vec256 f1 = e0; + Lib_IntVector_Intrinsics_vec256 g1 = f0; + Lib_IntVector_Intrinsics_vec256 h12 = g0; + hash[0U] = a1; + hash[1U] = b1; + hash[2U] = c1; + hash[3U] = d1; + hash[4U] = e1; + hash[5U] = f1; + hash[6U] = g1; + hash[7U] = h12; + } + } + if (i0 < (uint32_t)5U - (uint32_t)1U) + { + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec256 t16 = ws[i]; + Lib_IntVector_Intrinsics_vec256 t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 + s1 = + 
Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(t2, + (uint32_t)19U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(t2, + (uint32_t)61U), + Lib_IntVector_Intrinsics_vec256_shift_right64(t2, (uint32_t)6U))); + Lib_IntVector_Intrinsics_vec256 + s0 = + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(t15, + (uint32_t)1U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(t15, + (uint32_t)8U), + Lib_IntVector_Intrinsics_vec256_shift_right64(t15, (uint32_t)7U))); + ws[i] = + Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(s1, + t7), + s0), + t16); + } + } + } + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256 *os = hash; + Lib_IntVector_Intrinsics_vec256 + x = Lib_IntVector_Intrinsics_vec256_add64(hash[i], hash_old[i]); + os[i] = x; + } + } + } + } +} + +void +Hacl_SHA2_Vec256_sha512_4( + uint8_t *dst0, + uint8_t *dst1, + uint8_t *dst2, + uint8_t *dst3, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3 +) +{ + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ ib; + ib.fst = input0; + ib.snd.fst = input1; + ib.snd.snd.fst = input2; + ib.snd.snd.snd = input3; + { + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ rb; + rb.fst = dst0; + rb.snd.fst = dst1; + rb.snd.snd.fst = dst2; + rb.snd.snd.snd = dst3; + { + Lib_IntVector_Intrinsics_vec256 st[8U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)8U; ++_i) + st[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + uint32_t rem; + FStar_UInt128_uint128 len_; + uint32_t blocks0; + uint32_t rem1; + uint8_t *b30; + uint8_t *b20; + uint8_t *b10; + uint8_t *b00; + uint8_t *bl0; + uint8_t *bl10; + uint8_t *bl20; + uint8_t *bl30; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + 
Lib_IntVector_Intrinsics_vec256 *os = st; + uint64_t hi = Hacl_Impl_SHA2_Generic_h512[i]; + Lib_IntVector_Intrinsics_vec256 x = Lib_IntVector_Intrinsics_vec256_load64(hi); + os[i] = x; + } + } + rem = input_len % (uint32_t)128U; + len_ = FStar_UInt128_uint64_to_uint128((uint64_t)input_len); + blocks0 = input_len / (uint32_t)128U; + { + uint32_t i; + for (i = (uint32_t)0U; i < blocks0; i++) + { + uint8_t *b3 = ib.snd.snd.snd; + uint8_t *b2 = ib.snd.snd.fst; + uint8_t *b1 = ib.snd.fst; + uint8_t *b0 = ib.fst; + uint8_t *bl00 = b0 + i * (uint32_t)128U; + uint8_t *bl1 = b1 + i * (uint32_t)128U; + uint8_t *bl2 = b2 + i * (uint32_t)128U; + uint8_t *bl3 = b3 + i * (uint32_t)128U; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ lit; + lit.fst = bl00; + lit.snd.fst = bl1; + lit.snd.snd.fst = bl2; + lit.snd.snd.snd = bl3; + { + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ mb = lit; + sha512_update4(mb, st); + } + } + } + rem1 = input_len % (uint32_t)128U; + b30 = ib.snd.snd.snd; + b20 = ib.snd.snd.fst; + b10 = ib.snd.fst; + b00 = ib.fst; + bl0 = b00 + input_len - rem1; + bl10 = b10 + input_len - rem1; + bl20 = b20 + input_len - rem1; + bl30 = b30 + input_len - rem1; + { + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ lit0; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ lb; + lit0.fst = bl0; + lit0.snd.fst = bl10; + lit0.snd.snd.fst = bl20; + lit0.snd.snd.snd = bl30; + lb = lit0; + { + uint32_t blocks; + if (rem + (uint32_t)16U + (uint32_t)1U <= (uint32_t)128U) + { + blocks = (uint32_t)1U; + } + else + { + blocks = (uint32_t)2U; + } + { + uint32_t fin = blocks * (uint32_t)128U; + uint8_t last[1024U] = { 0U }; + uint8_t totlen_buf[16U] = { 0U }; + FStar_UInt128_uint128 total_len_bits = FStar_UInt128_shift_left(len_, (uint32_t)3U); + uint8_t *b31; + uint8_t *b21; + uint8_t *b11; + uint8_t *b01; + uint8_t *last00; + uint8_t *last10; + uint8_t *last2; + uint8_t *last3; + uint8_t *last010; + uint8_t *last110; + store128_be(totlen_buf, total_len_bits); + 
b31 = lb.snd.snd.snd; + b21 = lb.snd.snd.fst; + b11 = lb.snd.fst; + b01 = lb.fst; + last00 = last; + last10 = last + (uint32_t)256U; + last2 = last + (uint32_t)512U; + last3 = last + (uint32_t)768U; + memcpy(last00, b01, rem * sizeof (uint8_t)); + last00[rem] = (uint8_t)0x80U; + memcpy(last00 + fin - (uint32_t)16U, totlen_buf, (uint32_t)16U * sizeof (uint8_t)); + last010 = last00; + last110 = last00 + (uint32_t)128U; + { + K____uint8_t___uint8_t_ lit1; + K____uint8_t___uint8_t_ scrut0; + uint8_t *l00; + uint8_t *l01; + uint8_t *last011; + uint8_t *last111; + lit1.fst = last010; + lit1.snd = last110; + scrut0 = lit1; + l00 = scrut0.fst; + l01 = scrut0.snd; + memcpy(last10, b11, rem * sizeof (uint8_t)); + last10[rem] = (uint8_t)0x80U; + memcpy(last10 + fin - (uint32_t)16U, totlen_buf, (uint32_t)16U * sizeof (uint8_t)); + last011 = last10; + last111 = last10 + (uint32_t)128U; + { + K____uint8_t___uint8_t_ lit2; + K____uint8_t___uint8_t_ scrut1; + uint8_t *l10; + uint8_t *l11; + uint8_t *last012; + uint8_t *last112; + lit2.fst = last011; + lit2.snd = last111; + scrut1 = lit2; + l10 = scrut1.fst; + l11 = scrut1.snd; + memcpy(last2, b21, rem * sizeof (uint8_t)); + last2[rem] = (uint8_t)0x80U; + memcpy(last2 + fin - (uint32_t)16U, totlen_buf, (uint32_t)16U * sizeof (uint8_t)); + last012 = last2; + last112 = last2 + (uint32_t)128U; + { + K____uint8_t___uint8_t_ lit3; + K____uint8_t___uint8_t_ scrut2; + uint8_t *l20; + uint8_t *l21; + uint8_t *last01; + uint8_t *last11; + lit3.fst = last012; + lit3.snd = last112; + scrut2 = lit3; + l20 = scrut2.fst; + l21 = scrut2.snd; + memcpy(last3, b31, rem * sizeof (uint8_t)); + last3[rem] = (uint8_t)0x80U; + memcpy(last3 + fin - (uint32_t)16U, + totlen_buf, + (uint32_t)16U * sizeof (uint8_t)); + last01 = last3; + last11 = last3 + (uint32_t)128U; + { + K____uint8_t___uint8_t_ lit4; + K____uint8_t___uint8_t_ scrut3; + uint8_t *l30; + uint8_t *l31; + lit4.fst = last01; + lit4.snd = last11; + scrut3 = lit4; + l30 = scrut3.fst; + l31 = 
scrut3.snd; + { + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ mb0; + mb0.fst = l00; + mb0.snd.fst = l10; + mb0.snd.snd.fst = l20; + mb0.snd.snd.snd = l30; + { + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ mb1; + mb1.fst = l01; + mb1.snd.fst = l11; + mb1.snd.snd.fst = l21; + mb1.snd.snd.snd = l31; + { + K___K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + lit; + K___K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + scrut; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ last0; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ last1; + lit.fst = mb0; + lit.snd = mb1; + scrut = lit; + last0 = scrut.fst; + last1 = scrut.snd; + sha512_update4(last0, st); + if (blocks > (uint32_t)1U) + { + sha512_update4(last1, st); + } + KRML_CHECK_SIZE(sizeof (uint8_t), + (uint32_t)4U * (uint32_t)8U * (uint32_t)8U); + { + uint8_t hbuf[(uint32_t)4U * (uint32_t)8U * (uint32_t)8U]; + memset(hbuf, + 0U, + (uint32_t)4U * (uint32_t)8U * (uint32_t)8U * sizeof (uint8_t)); + { + Lib_IntVector_Intrinsics_vec256 v00 = st[0U]; + Lib_IntVector_Intrinsics_vec256 v10 = st[1U]; + Lib_IntVector_Intrinsics_vec256 v20 = st[2U]; + Lib_IntVector_Intrinsics_vec256 v30 = st[3U]; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v0__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v1__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v2__ = 
Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 + v3__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 st0_ = v0__; + Lib_IntVector_Intrinsics_vec256 st1_ = v2__; + Lib_IntVector_Intrinsics_vec256 st2_ = v1__; + Lib_IntVector_Intrinsics_vec256 st3_ = v3__; + Lib_IntVector_Intrinsics_vec256 v0 = st[4U]; + Lib_IntVector_Intrinsics_vec256 v1 = st[5U]; + Lib_IntVector_Intrinsics_vec256 v2 = st[6U]; + Lib_IntVector_Intrinsics_vec256 v3 = st[7U]; + Lib_IntVector_Intrinsics_vec256 + v0_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v1_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v2_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v3_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v0__0 = + Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_0, + v2_0); + Lib_IntVector_Intrinsics_vec256 + v1__0 = + Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_0, + v2_0); + Lib_IntVector_Intrinsics_vec256 + v2__0 = + Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_0, + v3_0); + Lib_IntVector_Intrinsics_vec256 + v3__0 = + Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_0, + v3_0); + Lib_IntVector_Intrinsics_vec256 st4_ = v0__0; + Lib_IntVector_Intrinsics_vec256 st5_ = v2__0; + Lib_IntVector_Intrinsics_vec256 st6_ = v1__0; + Lib_IntVector_Intrinsics_vec256 st7_ = v3__0; + uint8_t *b3; + uint8_t *b2; + uint8_t *b1; + uint8_t *b0; + st[0U] = st0_; + st[1U] = st4_; + st[2U] = st1_; + st[3U] = st5_; + st[4U] = st2_; + st[5U] = st6_; + st[6U] = st3_; + st[7U] = st7_; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256_store64_be(hbuf + + i * (uint32_t)32U, + st[i]); + } + } + b3 = rb.snd.snd.snd; + b2 = rb.snd.snd.fst; + b1 = 
rb.snd.fst; + b0 = rb.fst; + memcpy(b0, hbuf, (uint32_t)64U * sizeof (uint8_t)); + memcpy(b1, hbuf + (uint32_t)64U, (uint32_t)64U * sizeof (uint8_t)); + memcpy(b2, hbuf + (uint32_t)128U, (uint32_t)64U * sizeof (uint8_t)); + memcpy(b3, hbuf + (uint32_t)192U, (uint32_t)64U * sizeof (uint8_t)); + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } +} + diff --git a/src/c89/Hacl_SHA3.c b/src/c89/Hacl_SHA3.c new file mode 100644 index 00000000..9d463233 --- /dev/null +++ b/src/c89/Hacl_SHA3.c 
@@ -0,0 +1,346 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_SHA3.h" + + + +const +uint32_t +Hacl_Impl_SHA3_keccak_rotc[24U] = + { + (uint32_t)1U, (uint32_t)3U, (uint32_t)6U, (uint32_t)10U, (uint32_t)15U, (uint32_t)21U, + (uint32_t)28U, (uint32_t)36U, (uint32_t)45U, (uint32_t)55U, (uint32_t)2U, (uint32_t)14U, + (uint32_t)27U, (uint32_t)41U, (uint32_t)56U, (uint32_t)8U, (uint32_t)25U, (uint32_t)43U, + (uint32_t)62U, (uint32_t)18U, (uint32_t)39U, (uint32_t)61U, (uint32_t)20U, (uint32_t)44U + }; + +const +uint32_t +Hacl_Impl_SHA3_keccak_piln[24U] = + { + (uint32_t)10U, (uint32_t)7U, (uint32_t)11U, (uint32_t)17U, (uint32_t)18U, (uint32_t)3U, + (uint32_t)5U, (uint32_t)16U, (uint32_t)8U, (uint32_t)21U, (uint32_t)24U, (uint32_t)4U, + (uint32_t)15U, (uint32_t)23U, (uint32_t)19U, (uint32_t)13U, (uint32_t)12U, (uint32_t)2U, + (uint32_t)20U, (uint32_t)14U, (uint32_t)22U, (uint32_t)9U, (uint32_t)6U, (uint32_t)1U + }; + +const +uint64_t +Hacl_Impl_SHA3_keccak_rndc[24U] = + { + (uint64_t)0x0000000000000001U, (uint64_t)0x0000000000008082U, (uint64_t)0x800000000000808aU, + (uint64_t)0x8000000080008000U, (uint64_t)0x000000000000808bU, (uint64_t)0x0000000080000001U, + (uint64_t)0x8000000080008081U, (uint64_t)0x8000000000008009U, (uint64_t)0x000000000000008aU, + (uint64_t)0x0000000000000088U, (uint64_t)0x0000000080008009U, (uint64_t)0x000000008000000aU, + (uint64_t)0x000000008000808bU, (uint64_t)0x800000000000008bU, (uint64_t)0x8000000000008089U, + (uint64_t)0x8000000000008003U, (uint64_t)0x8000000000008002U, (uint64_t)0x8000000000000080U, + (uint64_t)0x000000000000800aU, (uint64_t)0x800000008000000aU, (uint64_t)0x8000000080008081U, + (uint64_t)0x8000000000008080U, (uint64_t)0x0000000080000001U, (uint64_t)0x8000000080008008U + }; + +inline uint64_t Hacl_Impl_SHA3_rotl(uint64_t a, uint32_t b) +{ + return a << b | a >> ((uint32_t)64U - b); +} + +void Hacl_Impl_SHA3_state_permute(uint64_t *s) +{ + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < (uint32_t)24U; i0++) + { + uint64_t b[5U] = { 0U }; + uint64_t x; + { + uint32_t 
i; + for (i = (uint32_t)0U; i < (uint32_t)5U; i++) + { + b[i] = + s[i + + (uint32_t)0U] + ^ + (s[i + + (uint32_t)5U] + ^ (s[i + (uint32_t)10U] ^ (s[i + (uint32_t)15U] ^ s[i + (uint32_t)20U]))); + } + } + { + uint32_t i1; + for (i1 = (uint32_t)0U; i1 < (uint32_t)5U; i1++) + { + uint64_t uu____0 = b[(i1 + (uint32_t)4U) % (uint32_t)5U]; + uint64_t + _D = uu____0 ^ Hacl_Impl_SHA3_rotl(b[(i1 + (uint32_t)1U) % (uint32_t)5U], (uint32_t)1U); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)5U; i++) + { + s[i1 + (uint32_t)5U * i] = s[i1 + (uint32_t)5U * i] ^ _D; + } + } + } + } + Lib_Memzero0_memzero(b, (uint32_t)5U * sizeof (b[0U])); + x = s[1U]; + { + uint64_t b0 = x; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)24U; i++) + { + uint32_t _Y = Hacl_Impl_SHA3_keccak_piln[i]; + uint32_t r = Hacl_Impl_SHA3_keccak_rotc[i]; + uint64_t temp = s[_Y]; + s[_Y] = Hacl_Impl_SHA3_rotl(b0, r); + b0 = temp; + } + } + Lib_Memzero0_memzero(&b0, (uint32_t)1U * sizeof ((&b0)[0U])); + { + uint64_t b1[25U] = { 0U }; + uint64_t c; + memcpy(b1, s, (uint32_t)25U * sizeof (uint64_t)); + { + uint32_t i1; + for (i1 = (uint32_t)0U; i1 < (uint32_t)5U; i1++) + { + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)5U; i++) + { + s[i + (uint32_t)5U * i1] = + b1[i + + (uint32_t)5U * i1] + ^ + (~b1[(i + (uint32_t)1U) + % (uint32_t)5U + + (uint32_t)5U * i1] + & b1[(i + (uint32_t)2U) % (uint32_t)5U + (uint32_t)5U * i1]); + } + } + } + } + Lib_Memzero0_memzero(b1, (uint32_t)25U * sizeof (b1[0U])); + c = Hacl_Impl_SHA3_keccak_rndc[i0]; + s[0U] = s[0U] ^ c; + } + } + } +} + +void Hacl_Impl_SHA3_loadState(uint32_t rateInBytes, uint8_t *input, uint64_t *s) +{ + uint8_t b[200U] = { 0U }; + memcpy(b, input, rateInBytes * sizeof (uint8_t)); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)25U; i++) + { + uint64_t u = load64_le(b + i * (uint32_t)8U); + uint64_t x = u; + s[i] = s[i] ^ x; + } + } + Lib_Memzero0_memzero(b, (uint32_t)200U * sizeof (b[0U])); +} + +void 
Hacl_Impl_SHA3_storeState(uint32_t rateInBytes, uint64_t *s, uint8_t *res) +{ + uint8_t b[200U] = { 0U }; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)25U; i++) + { + uint64_t sj = s[i]; + store64_le(b + i * (uint32_t)8U, sj); + } + } + memcpy(res, b, rateInBytes * sizeof (uint8_t)); + Lib_Memzero0_memzero(b, (uint32_t)200U * sizeof (b[0U])); +} + +void +Hacl_Impl_SHA3_absorb( + uint64_t *s, + uint32_t rateInBytes, + uint32_t inputByteLen, + uint8_t *input, + uint8_t delimitedSuffix +) +{ + uint32_t nb = inputByteLen / rateInBytes; + uint32_t rem = inputByteLen % rateInBytes; + uint8_t *last; + { + uint32_t i; + for (i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = input + i * rateInBytes; + Hacl_Impl_SHA3_loadState(rateInBytes, block, s); + Hacl_Impl_SHA3_state_permute(s); + } + } + last = input + nb * rateInBytes; + KRML_CHECK_SIZE(sizeof (uint8_t), rateInBytes); + { + uint8_t b[rateInBytes]; + memset(b, 0U, rateInBytes * sizeof (uint8_t)); + memcpy(b, last, rem * sizeof (uint8_t)); + b[rem] = delimitedSuffix; + Hacl_Impl_SHA3_loadState(rateInBytes, b, s); + if (!((delimitedSuffix & (uint8_t)0x80U) == (uint8_t)0U) && rem == rateInBytes - (uint32_t)1U) + { + Hacl_Impl_SHA3_state_permute(s); + } + KRML_CHECK_SIZE(sizeof (uint8_t), rateInBytes); + { + uint8_t b1[rateInBytes]; + memset(b1, 0U, rateInBytes * sizeof (uint8_t)); + b1[rateInBytes - (uint32_t)1U] = (uint8_t)0x80U; + Hacl_Impl_SHA3_loadState(rateInBytes, b1, s); + Hacl_Impl_SHA3_state_permute(s); + Lib_Memzero0_memzero(b1, rateInBytes * sizeof (b1[0U])); + Lib_Memzero0_memzero(b, rateInBytes * sizeof (b[0U])); + } + } +} + +void +Hacl_Impl_SHA3_squeeze( + uint64_t *s, + uint32_t rateInBytes, + uint32_t outputByteLen, + uint8_t *output +) +{ + uint32_t outBlocks = outputByteLen / rateInBytes; + uint32_t remOut = outputByteLen % rateInBytes; + uint8_t *last = output + outputByteLen - remOut; + uint8_t *blocks = output; + { + uint32_t i; + for (i = (uint32_t)0U; i < outBlocks; i++) + { + 
Hacl_Impl_SHA3_storeState(rateInBytes, s, blocks + i * rateInBytes); + Hacl_Impl_SHA3_state_permute(s); + } + } + Hacl_Impl_SHA3_storeState(remOut, s, last); +} + +void +Hacl_Impl_SHA3_keccak( + uint32_t rate, + uint32_t capacity, + uint32_t inputByteLen, + uint8_t *input, + uint8_t delimitedSuffix, + uint32_t outputByteLen, + uint8_t *output +) +{ + uint32_t rateInBytes = rate / (uint32_t)8U; + uint64_t s[25U] = { 0U }; + Hacl_Impl_SHA3_absorb(s, rateInBytes, inputByteLen, input, delimitedSuffix); + Hacl_Impl_SHA3_squeeze(s, rateInBytes, outputByteLen, output); +} + +void +Hacl_SHA3_shake128_hacl( + uint32_t inputByteLen, + uint8_t *input, + uint32_t outputByteLen, + uint8_t *output +) +{ + Hacl_Impl_SHA3_keccak((uint32_t)1344U, + (uint32_t)256U, + inputByteLen, + input, + (uint8_t)0x1FU, + outputByteLen, + output); +} + +void +Hacl_SHA3_shake256_hacl( + uint32_t inputByteLen, + uint8_t *input, + uint32_t outputByteLen, + uint8_t *output +) +{ + Hacl_Impl_SHA3_keccak((uint32_t)1088U, + (uint32_t)512U, + inputByteLen, + input, + (uint8_t)0x1FU, + outputByteLen, + output); +} + +void Hacl_SHA3_sha3_224(uint32_t inputByteLen, uint8_t *input, uint8_t *output) +{ + Hacl_Impl_SHA3_keccak((uint32_t)1152U, + (uint32_t)448U, + inputByteLen, + input, + (uint8_t)0x06U, + (uint32_t)28U, + output); +} + +void Hacl_SHA3_sha3_256(uint32_t inputByteLen, uint8_t *input, uint8_t *output) +{ + Hacl_Impl_SHA3_keccak((uint32_t)1088U, + (uint32_t)512U, + inputByteLen, + input, + (uint8_t)0x06U, + (uint32_t)32U, + output); +} + +void Hacl_SHA3_sha3_384(uint32_t inputByteLen, uint8_t *input, uint8_t *output) +{ + Hacl_Impl_SHA3_keccak((uint32_t)832U, + (uint32_t)768U, + inputByteLen, + input, + (uint8_t)0x06U, + (uint32_t)48U, + output); +} + +void Hacl_SHA3_sha3_512(uint32_t inputByteLen, uint8_t *input, uint8_t *output) +{ + Hacl_Impl_SHA3_keccak((uint32_t)576U, + (uint32_t)1024U, + inputByteLen, + input, + (uint8_t)0x06U, + (uint32_t)64U, + output); +} + 
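Review bot: The 25-lane state `s` declared in `Hacl_Impl_SHA3_keccak` is left on the stack on return, while every temporary in `Hacl_Impl_SHA3_state_permute`, `Hacl_Impl_SHA3_loadState` and `Hacl_Impl_SHA3_storeState` is wiped with `Lib_Memzero0_memzero`. For the SHAKE entry points the residual state is equivalent to further squeeze output, so the asymmetry looks unintended; adding `Lib_Memzero0_memzero(s, (uint32_t)25U * sizeof (s[0U]));` after the `Hacl_Impl_SHA3_squeeze` call would make the hygiene consistent. `Hacl_Impl_SHA3_absorb` also assumes `rateInBytes` is in 1..200 (it divides by it, indexes `b1[rateInBytes - (uint32_t)1U]`, and `loadState`/`storeState` copy `rateInBytes` bytes into a fixed `uint8_t b[200U]`), and `Hacl_Impl_SHA3_keccak` derives it as `rate / 8` without checking; a one-line contract comment on `absorb`, `/* rateInBytes must be in 1..200; only reached with the fixed rates of the public wrappers */`, would make that bound visible to anyone adding a new wrapper.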
diff --git a/src/c89/Hacl_Salsa20.c b/src/c89/Hacl_Salsa20.c new file mode 100644 index 00000000..bb13d119 --- /dev/null +++ b/src/c89/Hacl_Salsa20.c 
@@ -0,0 +1,557 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Salsa20.h" + + + +static inline void quarter_round(uint32_t *st, uint32_t a, uint32_t b, uint32_t c, uint32_t d) +{ + uint32_t sta0 = st[b]; + uint32_t stb0 = st[a]; + uint32_t std0 = st[d]; + uint32_t sta10 = sta0 ^ ((stb0 + std0) << (uint32_t)7U | (stb0 + std0) >> (uint32_t)25U); + uint32_t sta2; + uint32_t stb1; + uint32_t std1; + uint32_t sta11; + uint32_t sta3; + uint32_t stb2; + uint32_t std2; + uint32_t sta12; + uint32_t sta; + uint32_t stb; + uint32_t std; + uint32_t sta1; + st[b] = sta10; + sta2 = st[c]; + stb1 = st[b]; + std1 = st[a]; + sta11 = sta2 ^ ((stb1 + std1) << (uint32_t)9U | (stb1 + std1) >> (uint32_t)23U); + st[c] = sta11; + sta3 = st[d]; + stb2 = st[c]; + std2 = st[b]; + sta12 = sta3 ^ ((stb2 + std2) << (uint32_t)13U | (stb2 + std2) >> (uint32_t)19U); + st[d] = sta12; + sta = st[a]; + stb = st[d]; + std = st[c]; + sta1 = sta ^ ((stb + std) << (uint32_t)18U | (stb + std) >> (uint32_t)14U); + st[a] = sta1; +} + +static inline void double_round(uint32_t *st) +{ + quarter_round(st, (uint32_t)0U, (uint32_t)4U, (uint32_t)8U, (uint32_t)12U); + quarter_round(st, (uint32_t)5U, (uint32_t)9U, (uint32_t)13U, (uint32_t)1U); + quarter_round(st, (uint32_t)10U, (uint32_t)14U, (uint32_t)2U, (uint32_t)6U); + quarter_round(st, (uint32_t)15U, (uint32_t)3U, (uint32_t)7U, (uint32_t)11U); + quarter_round(st, (uint32_t)0U, (uint32_t)1U, (uint32_t)2U, (uint32_t)3U); + quarter_round(st, (uint32_t)5U, (uint32_t)6U, (uint32_t)7U, (uint32_t)4U); + quarter_round(st, (uint32_t)10U, (uint32_t)11U, (uint32_t)8U, (uint32_t)9U); + quarter_round(st, (uint32_t)15U, (uint32_t)12U, (uint32_t)13U, (uint32_t)14U); +} + +static inline void rounds(uint32_t *st) +{ + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); +} + +static inline void salsa20_core(uint32_t *k, uint32_t *ctx, uint32_t ctr) +{ + uint32_t ctr_u32; 
+ memcpy(k, ctx, (uint32_t)16U * sizeof (uint32_t)); + ctr_u32 = ctr; + k[8U] = k[8U] + ctr_u32; + rounds(k); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = k; + uint32_t x = k[i] + ctx[i]; + os[i] = x; + } + } + k[8U] = k[8U] + ctr_u32; +} + +static inline void salsa20_key_block0(uint8_t *out, uint8_t *key, uint8_t *n) +{ + uint32_t ctx[16U] = { 0U }; + uint32_t k[16U] = { 0U }; + uint32_t k32[8U] = { 0U }; + uint32_t n32[2U] = { 0U }; + uint32_t *k0; + uint32_t *k1; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = k32; + uint8_t *bj = key + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t *os = n32; + uint8_t *bj = n + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + } + ctx[0U] = (uint32_t)0x61707865U; + k0 = k32; + k1 = k32 + (uint32_t)4U; + memcpy(ctx + (uint32_t)1U, k0, (uint32_t)4U * sizeof (uint32_t)); + ctx[5U] = (uint32_t)0x3320646eU; + memcpy(ctx + (uint32_t)6U, n32, (uint32_t)2U * sizeof (uint32_t)); + ctx[8U] = (uint32_t)0U; + ctx[9U] = (uint32_t)0U; + ctx[10U] = (uint32_t)0x79622d32U; + memcpy(ctx + (uint32_t)11U, k1, (uint32_t)4U * sizeof (uint32_t)); + ctx[15U] = (uint32_t)0x6b206574U; + salsa20_core(k, ctx, (uint32_t)0U); + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + store32_le(out + i * (uint32_t)4U, k[i]); + } + } +} + +static inline void +salsa20_encrypt( + uint32_t len, + uint8_t *out, + uint8_t *text, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + uint32_t ctx[16U] = { 0U }; + uint32_t k32[8U] = { 0U }; + uint32_t n32[2U] = { 0U }; + uint32_t *k0; + uint32_t *k10; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = k32; + uint8_t *bj = key + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + 
uint32_t x = r; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t *os = n32; + uint8_t *bj = n + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + } + ctx[0U] = (uint32_t)0x61707865U; + k0 = k32; + k10 = k32 + (uint32_t)4U; + memcpy(ctx + (uint32_t)1U, k0, (uint32_t)4U * sizeof (uint32_t)); + ctx[5U] = (uint32_t)0x3320646eU; + memcpy(ctx + (uint32_t)6U, n32, (uint32_t)2U * sizeof (uint32_t)); + ctx[8U] = ctr; + ctx[9U] = (uint32_t)0U; + ctx[10U] = (uint32_t)0x79622d32U; + memcpy(ctx + (uint32_t)11U, k10, (uint32_t)4U * sizeof (uint32_t)); + ctx[15U] = (uint32_t)0x6b206574U; + { + uint32_t k[16U] = { 0U }; + uint32_t rem = len % (uint32_t)64U; + uint32_t nb = len / (uint32_t)64U; + uint32_t rem1 = len % (uint32_t)64U; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < nb; i0++) + { + uint8_t *uu____0 = out + i0 * (uint32_t)64U; + uint8_t *uu____1 = text + i0 * (uint32_t)64U; + uint32_t k1[16U] = { 0U }; + salsa20_core(k1, ctx, i0); + { + uint32_t bl[16U] = { 0U }; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint8_t *bj = uu____1 + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint32_t x = bl[i] ^ k1[i]; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + store32_le(uu____0 + i * (uint32_t)4U, bl[i]); + } + } + } + } + } + if (rem1 > (uint32_t)0U) + { + uint8_t *uu____2 = out + nb * (uint32_t)64U; + uint8_t *uu____3 = text + nb * (uint32_t)64U; + uint8_t plain[64U] = { 0U }; + memcpy(plain, uu____3, rem * sizeof (uint8_t)); + { + uint32_t k1[16U] = { 0U }; + salsa20_core(k1, ctx, nb); + { + uint32_t bl[16U] = { 0U }; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint8_t *bj = 
plain + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint32_t x = bl[i] ^ k1[i]; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + store32_le(plain + i * (uint32_t)4U, bl[i]); + } + } + memcpy(uu____2, plain, rem * sizeof (uint8_t)); + } + } + } + } +} + +static inline void +salsa20_decrypt( + uint32_t len, + uint8_t *out, + uint8_t *cipher, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + uint32_t ctx[16U] = { 0U }; + uint32_t k32[8U] = { 0U }; + uint32_t n32[2U] = { 0U }; + uint32_t *k0; + uint32_t *k10; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = k32; + uint8_t *bj = key + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t *os = n32; + uint8_t *bj = n + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + } + ctx[0U] = (uint32_t)0x61707865U; + k0 = k32; + k10 = k32 + (uint32_t)4U; + memcpy(ctx + (uint32_t)1U, k0, (uint32_t)4U * sizeof (uint32_t)); + ctx[5U] = (uint32_t)0x3320646eU; + memcpy(ctx + (uint32_t)6U, n32, (uint32_t)2U * sizeof (uint32_t)); + ctx[8U] = ctr; + ctx[9U] = (uint32_t)0U; + ctx[10U] = (uint32_t)0x79622d32U; + memcpy(ctx + (uint32_t)11U, k10, (uint32_t)4U * sizeof (uint32_t)); + ctx[15U] = (uint32_t)0x6b206574U; + { + uint32_t k[16U] = { 0U }; + uint32_t rem = len % (uint32_t)64U; + uint32_t nb = len / (uint32_t)64U; + uint32_t rem1 = len % (uint32_t)64U; + { + uint32_t i0; + for (i0 = (uint32_t)0U; i0 < nb; i0++) + { + uint8_t *uu____0 = out + i0 * (uint32_t)64U; + uint8_t *uu____1 = cipher + i0 * (uint32_t)64U; + uint32_t k1[16U] = { 0U }; + salsa20_core(k1, ctx, i0); + { + uint32_t bl[16U] = { 0U }; + { + uint32_t i; + 
for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint8_t *bj = uu____1 + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint32_t x = bl[i] ^ k1[i]; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + store32_le(uu____0 + i * (uint32_t)4U, bl[i]); + } + } + } + } + } + if (rem1 > (uint32_t)0U) + { + uint8_t *uu____2 = out + nb * (uint32_t)64U; + uint8_t *uu____3 = cipher + nb * (uint32_t)64U; + uint8_t plain[64U] = { 0U }; + memcpy(plain, uu____3, rem * sizeof (uint8_t)); + { + uint32_t k1[16U] = { 0U }; + salsa20_core(k1, ctx, nb); + { + uint32_t bl[16U] = { 0U }; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint8_t *bj = plain + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint32_t x = bl[i] ^ k1[i]; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + store32_le(plain + i * (uint32_t)4U, bl[i]); + } + } + memcpy(uu____2, plain, rem * sizeof (uint8_t)); + } + } + } + } +} + +static inline void hsalsa20(uint8_t *out, uint8_t *key, uint8_t *n) +{ + uint32_t ctx[16U] = { 0U }; + uint32_t k32[8U] = { 0U }; + uint32_t n32[4U] = { 0U }; + uint32_t *k0; + uint32_t *k1; + uint32_t r0; + uint32_t r1; + uint32_t r2; + uint32_t r3; + uint32_t r4; + uint32_t r5; + uint32_t r6; + uint32_t r7; + uint32_t res[8]; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = k32; + uint8_t *bj = key + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + } + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = n32; + 
uint8_t *bj = n + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + } + k0 = k32; + k1 = k32 + (uint32_t)4U; + ctx[0U] = (uint32_t)0x61707865U; + memcpy(ctx + (uint32_t)1U, k0, (uint32_t)4U * sizeof (uint32_t)); + ctx[5U] = (uint32_t)0x3320646eU; + memcpy(ctx + (uint32_t)6U, n32, (uint32_t)4U * sizeof (uint32_t)); + ctx[10U] = (uint32_t)0x79622d32U; + memcpy(ctx + (uint32_t)11U, k1, (uint32_t)4U * sizeof (uint32_t)); + ctx[15U] = (uint32_t)0x6b206574U; + rounds(ctx); + r0 = ctx[0U]; + r1 = ctx[5U]; + r2 = ctx[10U]; + r3 = ctx[15U]; + r4 = ctx[6U]; + r5 = ctx[7U]; + r6 = ctx[8U]; + r7 = ctx[9U]; + res[0U] = r0; + res[1U] = r1; + res[2U] = r2; + res[3U] = r3; + res[4U] = r4; + res[5U] = r5; + res[6U] = r6; + res[7U] = r7; + { + uint32_t i; + for (i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + store32_le(out + i * (uint32_t)4U, res[i]); + } + } +} + +void +Hacl_Salsa20_salsa20_encrypt( + uint32_t len, + uint8_t *out, + uint8_t *text, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + salsa20_encrypt(len, out, text, key, n, ctr); +} + +void +Hacl_Salsa20_salsa20_decrypt( + uint32_t len, + uint8_t *out, + uint8_t *cipher, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + salsa20_decrypt(len, out, cipher, key, n, ctr); +} + +void Hacl_Salsa20_salsa20_key_block0(uint8_t *out, uint8_t *key, uint8_t *n) +{ + salsa20_key_block0(out, key, n); +} + +void Hacl_Salsa20_hsalsa20(uint8_t *out, uint8_t *key, uint8_t *n) +{ + hsalsa20(out, key, n); +} + diff --git a/src/c89/Hacl_Spec.c b/src/c89/Hacl_Spec.c new file mode 100644 index 00000000..048eacbd --- /dev/null +++ b/src/c89/Hacl_Spec.c 
@@ -0,0 +1,53 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "internal/Hacl_Spec.h" + + + +Spec_Agile_Cipher_cipher_alg +Spec_Cipher_Expansion_cipher_alg_of_impl(Spec_Cipher_Expansion_impl i) +{ + switch (i) + { + case Spec_Cipher_Expansion_Hacl_CHACHA20: + { + return Spec_Agile_Cipher_CHACHA20; + } + case Spec_Cipher_Expansion_Vale_AES128: + { + return Spec_Agile_Cipher_AES128; + } + case Spec_Cipher_Expansion_Vale_AES256: + { + return Spec_Agile_Cipher_AES256; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + diff --git a/src/c89/Hacl_Streaming_Blake2.c b/src/c89/Hacl_Streaming_Blake2.c new file mode 100644 index 00000000..a815c3e1 --- /dev/null +++ b/src/c89/Hacl_Streaming_Blake2.c 
@@ -0,0 +1,1305 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Streaming_Blake2.h" + + + +uint32_t +Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_alg a, Hacl_Impl_Blake2_Core_m_spec m) +{ + switch (m) + { + case Hacl_Impl_Blake2_Core_M32: + { + switch (a) + { + case Spec_Blake2_Blake2S: + { + return (uint32_t)64U; + } + case Spec_Blake2_Blake2B: + { + return (uint32_t)128U; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + break; + } + case Hacl_Impl_Blake2_Core_M128: + { + switch (a) + { + case Spec_Blake2_Blake2S: + { + return (uint32_t)64U; + } + case Spec_Blake2_Blake2B: + { + return (uint32_t)128U; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + break; + } + case Hacl_Impl_Blake2_Core_M256: + { + switch (a) + { + case Spec_Blake2_Blake2S: + { + return (uint32_t)64U; + } + case Spec_Blake2_Blake2B: + { + return (uint32_t)128U; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + break; + } + default: + { + KRML_HOST_PRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +/* + State allocation function when there is no key +*/ +Hacl_Streaming_Blake2_blake2s_32_state *Hacl_Streaming_Blake2_blake2s_32_no_key_create_in() +{ + KRML_CHECK_SIZE(sizeof (uint8_t), + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32)); + { + uint8_t + *buf = + (uint8_t *)KRML_HOST_CALLOC(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32), + sizeof (uint8_t)); + uint32_t *wv = (uint32_t *)KRML_HOST_CALLOC((uint32_t)16U, sizeof (uint32_t)); + uint32_t *b = (uint32_t *)KRML_HOST_CALLOC((uint32_t)16U, sizeof (uint32_t)); + Hacl_Streaming_Blake2_blake2s_32_block_state lit; + Hacl_Streaming_Blake2_blake2s_32_block_state block_state; + lit.fst = wv; + lit.snd = b; + 
block_state = lit; + { + Hacl_Streaming_Blake2_blake2s_32_state s1; + s1.block_state = block_state; + s1.buf = buf; + s1.total_len = (uint64_t)0U; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_Blake2_blake2s_32_state), (uint32_t)1U); + { + Hacl_Streaming_Blake2_blake2s_32_state + *p = + (Hacl_Streaming_Blake2_blake2s_32_state *)KRML_HOST_MALLOC(sizeof ( + Hacl_Streaming_Blake2_blake2s_32_state + )); + p[0U] = s1; + Hacl_Blake2s_32_blake2s_init(block_state.snd, (uint32_t)0U, (uint32_t)32U); + return p; + } + } + } +} + +/* + (Re-)initialization function when there is no key +*/ +void Hacl_Streaming_Blake2_blake2s_32_no_key_init(Hacl_Streaming_Blake2_blake2s_32_state *s1) +{ + Hacl_Streaming_Blake2_blake2s_32_state scrut = *s1; + uint8_t *buf = scrut.buf; + Hacl_Streaming_Blake2_blake2s_32_block_state block_state = scrut.block_state; + Hacl_Blake2s_32_blake2s_init(block_state.snd, (uint32_t)0U, (uint32_t)32U); + { + Hacl_Streaming_Blake2_blake2s_32_state lit; + lit.block_state = block_state; + lit.buf = buf; + lit.total_len = (uint64_t)0U; + s1[0U] = lit; + } +} + +/* + Update function when there is no key +*/ +void +Hacl_Streaming_Blake2_blake2s_32_no_key_update( + Hacl_Streaming_Blake2_blake2s_32_state *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_Blake2_blake2s_32_state s1 = *p; + uint64_t total_len = s1.total_len; + uint32_t sz; + if + ( + total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + sz = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz = + (uint32_t)(total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32)); + } + if + ( + len + <= Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32) - sz + ) + { + Hacl_Streaming_Blake2_blake2s_32_state s2 = *p; + 
Hacl_Streaming_Blake2_blake2s_32_block_state block_state1 = s2.block_state; + uint8_t *buf = s2.buf; + uint64_t total_len1 = s2.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32)); + } + { + uint8_t *buf2 = buf + sz1; + uint64_t total_len2; + memcpy(buf2, data, len * sizeof (uint8_t)); + total_len2 = total_len1 + (uint64_t)len; + { + Hacl_Streaming_Blake2_blake2s_32_state lit; + lit.block_state = block_state1; + lit.buf = buf; + lit.total_len = total_len2; + *p = lit; + return; + } + } + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_Blake2_blake2s_32_state s2 = *p; + Hacl_Streaming_Blake2_blake2s_32_block_state block_state1 = s2.block_state; + uint8_t *buf = s2.buf; + uint64_t total_len1 = s2.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32)); + } + { + uint32_t ite; + uint32_t n_blocks; + uint32_t data1_len; + uint32_t data2_len; + uint8_t *data1; + uint8_t *data2; + uint32_t nb0; + uint8_t *dst; + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + uint32_t + nb = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + / (uint32_t)64U; + 
Hacl_Blake2s_32_blake2s_update_multi(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32), + block_state1.fst, + block_state1.snd, + prevlen, + buf, + nb); + } + if + ( + (uint64_t)len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && (uint64_t)len > (uint64_t)0U + ) + { + ite = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + } + else + { + ite = + (uint32_t)((uint64_t)len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32)); + } + n_blocks = + (len - ite) + / Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + data1_len = + n_blocks + * Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + data2_len = len - data1_len; + data1 = data; + data2 = data + data1_len; + nb0 = data1_len / (uint32_t)64U; + Hacl_Blake2s_32_blake2s_update_multi(data1_len, + block_state1.fst, + block_state1.snd, + total_len1, + data1, + nb0); + dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + { + Hacl_Streaming_Blake2_blake2s_32_state lit; + lit.block_state = block_state1; + lit.buf = buf; + lit.total_len = total_len1 + (uint64_t)len; + *p = lit; + return; + } + } + } + { + uint32_t + diff = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_Blake2_blake2s_32_state s20 = *p; + Hacl_Streaming_Blake2_blake2s_32_block_state block_state10 = s20.block_state; + uint8_t *buf0 = s20.buf; + uint64_t total_len10 = s20.total_len; + uint32_t sz10; + if + ( + total_len10 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len10 > (uint64_t)0U + ) + { + sz10 = 
Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz10 = + (uint32_t)(total_len10 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32)); + } + { + uint8_t *buf2 = buf0 + sz10; + uint64_t total_len2; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + total_len2 = total_len10 + (uint64_t)diff; + { + Hacl_Streaming_Blake2_blake2s_32_state lit; + Hacl_Streaming_Blake2_blake2s_32_state s2; + Hacl_Streaming_Blake2_blake2s_32_block_state block_state1; + uint8_t *buf; + uint64_t total_len1; + uint32_t sz1; + uint32_t ite; + uint32_t n_blocks; + uint32_t data1_len; + uint32_t data2_len; + uint8_t *data11; + uint8_t *data21; + uint32_t nb0; + uint8_t *dst; + lit.block_state = block_state10; + lit.buf = buf0; + lit.total_len = total_len2; + *p = lit; + s2 = *p; + block_state1 = s2.block_state; + buf = s2.buf; + total_len1 = s2.total_len; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32)); + } + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + uint32_t + nb = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + / (uint32_t)64U; + Hacl_Blake2s_32_blake2s_update_multi(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32), + block_state1.fst, + block_state1.snd, + prevlen, + buf, + nb); + } + if + ( + (uint64_t)(len - diff) + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) 
+ { + ite = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32); + } + else + { + ite = + (uint32_t)((uint64_t)(len - diff) + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32)); + } + n_blocks = + (len - diff - ite) + / Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + data1_len = + n_blocks + * Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + data2_len = len - diff - data1_len; + data11 = data2; + data21 = data2 + data1_len; + nb0 = data1_len / (uint32_t)64U; + Hacl_Blake2s_32_blake2s_update_multi(data1_len, + block_state1.fst, + block_state1.snd, + total_len1, + data11, + nb0); + dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + { + Hacl_Streaming_Blake2_blake2s_32_state lit0; + lit0.block_state = block_state1; + lit0.buf = buf; + lit0.total_len = total_len1 + (uint64_t)(len - diff); + *p = lit0; + } + } + } + } +} + +/* + Finish function when there is no key +*/ +void +Hacl_Streaming_Blake2_blake2s_32_no_key_finish( + Hacl_Streaming_Blake2_blake2s_32_state *p, + uint8_t *dst +) +{ + Hacl_Streaming_Blake2_blake2s_32_state scrut = *p; + Hacl_Streaming_Blake2_blake2s_32_block_state block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + } + else + { + r = + (uint32_t)(total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32)); + } + { + uint8_t *buf_1 = buf_; + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * (uint32_t)4U); + { + uint32_t wv[(uint32_t)4U * (uint32_t)4U]; + memset(wv, 0U, 
(uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * (uint32_t)4U); + { + uint32_t b[(uint32_t)4U * (uint32_t)4U]; + memset(b, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + { + Hacl_Streaming_Blake2_blake2s_32_block_state lit; + Hacl_Streaming_Blake2_blake2s_32_block_state tmp_block_state; + uint32_t *src_b; + uint32_t *dst_b; + uint64_t prev_len; + uint32_t ite0; + uint8_t *buf_last; + uint8_t *buf_multi; + uint32_t ite1; + uint32_t nb; + uint32_t ite2; + uint32_t ite3; + uint64_t prev_len_last; + uint32_t ite4; + uint32_t ite; + lit.fst = wv; + lit.snd = b; + tmp_block_state = lit; + src_b = block_state.snd; + dst_b = tmp_block_state.snd; + memcpy(dst_b, src_b, (uint32_t)16U * sizeof (uint32_t)); + prev_len = total_len - (uint64_t)r; + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite0 = (uint32_t)64U; + } + else + { + ite0 = r % (uint32_t)64U; + } + buf_last = buf_1 + r - ite0; + buf_multi = buf_1; + if + ( + (uint32_t)64U + == + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + ) + { + ite1 = (uint32_t)0U; + } + else + { + uint32_t ite5; + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite5 = (uint32_t)64U; + } + else + { + ite5 = r % (uint32_t)64U; + } + ite1 = r - ite5; + } + nb = ite1 / (uint32_t)64U; + if + ( + (uint32_t)64U + == + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + ) + { + ite2 = (uint32_t)0U; + } + else + { + uint32_t ite5; + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite5 = (uint32_t)64U; + } + else + { + ite5 = r % (uint32_t)64U; + } + ite2 = r - ite5; + } + Hacl_Blake2s_32_blake2s_update_multi(ite2, + tmp_block_state.fst, + tmp_block_state.snd, + prev_len, + buf_multi, + nb); + if + ( + (uint32_t)64U + == + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + ) + { + ite3 = r; + } + else if (r % 
(uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite3 = (uint32_t)64U; + } + else + { + ite3 = r % (uint32_t)64U; + } + prev_len_last = total_len - (uint64_t)ite3; + if + ( + (uint32_t)64U + == + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + ) + { + ite4 = r; + } + else if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite4 = (uint32_t)64U; + } + else + { + ite4 = r % (uint32_t)64U; + } + if + ( + (uint32_t)64U + == + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + ) + { + ite = r; + } + else if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = r % (uint32_t)64U; + } + Hacl_Blake2s_32_blake2s_update_last(ite4, + tmp_block_state.fst, + tmp_block_state.snd, + prev_len_last, + ite, + buf_last); + Hacl_Blake2s_32_blake2s_finish((uint32_t)32U, dst, tmp_block_state.snd); + } + } + } + } +} + +/* + Free state function when there is no key +*/ +void Hacl_Streaming_Blake2_blake2s_32_no_key_free(Hacl_Streaming_Blake2_blake2s_32_state *s1) +{ + Hacl_Streaming_Blake2_blake2s_32_state scrut = *s1; + uint8_t *buf = scrut.buf; + Hacl_Streaming_Blake2_blake2s_32_block_state block_state = scrut.block_state; + uint32_t *wv = block_state.fst; + uint32_t *b = block_state.snd; + KRML_HOST_FREE(wv); + KRML_HOST_FREE(b); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s1); +} + +/* + State allocation function when there is no key +*/ +Hacl_Streaming_Blake2_blake2b_32_state *Hacl_Streaming_Blake2_blake2b_32_no_key_create_in() +{ + KRML_CHECK_SIZE(sizeof (uint8_t), + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32)); + { + uint8_t + *buf = + (uint8_t *)KRML_HOST_CALLOC(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32), + sizeof (uint8_t)); + uint64_t *wv = (uint64_t *)KRML_HOST_CALLOC((uint32_t)16U, sizeof (uint64_t)); + uint64_t *b = (uint64_t 
*)KRML_HOST_CALLOC((uint32_t)16U, sizeof (uint64_t)); + Hacl_Streaming_Blake2_blake2b_32_block_state lit; + Hacl_Streaming_Blake2_blake2b_32_block_state block_state; + lit.fst = wv; + lit.snd = b; + block_state = lit; + { + Hacl_Streaming_Blake2_blake2b_32_state s1; + s1.block_state = block_state; + s1.buf = buf; + s1.total_len = (uint64_t)0U; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_Blake2_blake2b_32_state), (uint32_t)1U); + { + Hacl_Streaming_Blake2_blake2b_32_state + *p = + (Hacl_Streaming_Blake2_blake2b_32_state *)KRML_HOST_MALLOC(sizeof ( + Hacl_Streaming_Blake2_blake2b_32_state + )); + p[0U] = s1; + Hacl_Blake2b_32_blake2b_init(block_state.snd, (uint32_t)0U, (uint32_t)64U); + return p; + } + } + } +} + +/* + (Re)-initialization function when there is no key +*/ +void Hacl_Streaming_Blake2_blake2b_32_no_key_init(Hacl_Streaming_Blake2_blake2b_32_state *s1) +{ + Hacl_Streaming_Blake2_blake2b_32_state scrut = *s1; + uint8_t *buf = scrut.buf; + Hacl_Streaming_Blake2_blake2b_32_block_state block_state = scrut.block_state; + Hacl_Blake2b_32_blake2b_init(block_state.snd, (uint32_t)0U, (uint32_t)64U); + { + Hacl_Streaming_Blake2_blake2b_32_state lit; + lit.block_state = block_state; + lit.buf = buf; + lit.total_len = (uint64_t)0U; + s1[0U] = lit; + } +} + +/* + Update function when there is no key +*/ +void +Hacl_Streaming_Blake2_blake2b_32_no_key_update( + Hacl_Streaming_Blake2_blake2b_32_state *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_Blake2_blake2b_32_state s1 = *p; + uint64_t total_len = s1.total_len; + uint32_t sz; + if + ( + total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + sz = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz = + (uint32_t)(total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32)); + } + if + 
( + len + <= Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32) - sz + ) + { + Hacl_Streaming_Blake2_blake2b_32_state s2 = *p; + Hacl_Streaming_Blake2_blake2b_32_block_state block_state1 = s2.block_state; + uint8_t *buf = s2.buf; + uint64_t total_len1 = s2.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32)); + } + { + uint8_t *buf2 = buf + sz1; + uint64_t total_len2; + memcpy(buf2, data, len * sizeof (uint8_t)); + total_len2 = total_len1 + (uint64_t)len; + { + Hacl_Streaming_Blake2_blake2b_32_state lit; + lit.block_state = block_state1; + lit.buf = buf; + lit.total_len = total_len2; + *p = lit; + return; + } + } + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_Blake2_blake2b_32_state s2 = *p; + Hacl_Streaming_Blake2_blake2b_32_block_state block_state1 = s2.block_state; + uint8_t *buf = s2.buf; + uint64_t total_len1 = s2.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32)); + } + { + uint32_t ite; + uint32_t n_blocks; + uint32_t data1_len; + uint32_t data2_len; + uint8_t *data1; + uint8_t *data2; + uint32_t nb0; + uint8_t *dst; + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + uint32_t + nb = + 
Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + / (uint32_t)128U; + Hacl_Blake2b_32_blake2b_update_multi(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32), + block_state1.fst, + block_state1.snd, + FStar_UInt128_uint64_to_uint128(prevlen), + buf, + nb); + } + if + ( + (uint64_t)len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && (uint64_t)len > (uint64_t)0U + ) + { + ite = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + } + else + { + ite = + (uint32_t)((uint64_t)len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32)); + } + n_blocks = + (len - ite) + / Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + data1_len = + n_blocks + * Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + data2_len = len - data1_len; + data1 = data; + data2 = data + data1_len; + nb0 = data1_len / (uint32_t)128U; + Hacl_Blake2b_32_blake2b_update_multi(data1_len, + block_state1.fst, + block_state1.snd, + FStar_UInt128_uint64_to_uint128(total_len1), + data1, + nb0); + dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + { + Hacl_Streaming_Blake2_blake2b_32_state lit; + lit.block_state = block_state1; + lit.buf = buf; + lit.total_len = total_len1 + (uint64_t)len; + *p = lit; + return; + } + } + } + { + uint32_t + diff = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_Blake2_blake2b_32_state s20 = *p; + Hacl_Streaming_Blake2_blake2b_32_block_state block_state10 = s20.block_state; + uint8_t *buf0 = s20.buf; + uint64_t total_len10 = s20.total_len; + uint32_t sz10; + if + ( + total_len10 + % + 
(uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len10 > (uint64_t)0U + ) + { + sz10 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz10 = + (uint32_t)(total_len10 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32)); + } + { + uint8_t *buf2 = buf0 + sz10; + uint64_t total_len2; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + total_len2 = total_len10 + (uint64_t)diff; + { + Hacl_Streaming_Blake2_blake2b_32_state lit; + Hacl_Streaming_Blake2_blake2b_32_state s2; + Hacl_Streaming_Blake2_blake2b_32_block_state block_state1; + uint8_t *buf; + uint64_t total_len1; + uint32_t sz1; + uint32_t ite; + uint32_t n_blocks; + uint32_t data1_len; + uint32_t data2_len; + uint8_t *data11; + uint8_t *data21; + uint32_t nb0; + uint8_t *dst; + lit.block_state = block_state10; + lit.buf = buf0; + lit.total_len = total_len2; + *p = lit; + s2 = *p; + block_state1 = s2.block_state; + buf = s2.buf; + total_len1 = s2.total_len; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32)); + } + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + uint32_t + nb = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + / (uint32_t)128U; + Hacl_Blake2b_32_blake2b_update_multi(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32), + block_state1.fst, + block_state1.snd, + FStar_UInt128_uint64_to_uint128(prevlen), + buf, + nb); + } + 
if + ( + (uint64_t)(len - diff) + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32); + } + else + { + ite = + (uint32_t)((uint64_t)(len - diff) + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32)); + } + n_blocks = + (len - diff - ite) + / Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + data1_len = + n_blocks + * Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + data2_len = len - diff - data1_len; + data11 = data2; + data21 = data2 + data1_len; + nb0 = data1_len / (uint32_t)128U; + Hacl_Blake2b_32_blake2b_update_multi(data1_len, + block_state1.fst, + block_state1.snd, + FStar_UInt128_uint64_to_uint128(total_len1), + data11, + nb0); + dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + { + Hacl_Streaming_Blake2_blake2b_32_state lit0; + lit0.block_state = block_state1; + lit0.buf = buf; + lit0.total_len = total_len1 + (uint64_t)(len - diff); + *p = lit0; + } + } + } + } +} + +/* + Finish function when there is no key +*/ +void +Hacl_Streaming_Blake2_blake2b_32_no_key_finish( + Hacl_Streaming_Blake2_blake2b_32_state *p, + uint8_t *dst +) +{ + Hacl_Streaming_Blake2_blake2b_32_state scrut = *p; + Hacl_Streaming_Blake2_blake2b_32_block_state block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + } + else + { + r = + (uint32_t)(total_len + % + 
(uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32)); + } + { + uint8_t *buf_1 = buf_; + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * (uint32_t)4U); + { + uint64_t wv[(uint32_t)4U * (uint32_t)4U]; + memset(wv, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * (uint32_t)4U); + { + uint64_t b[(uint32_t)4U * (uint32_t)4U]; + memset(b, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + { + Hacl_Streaming_Blake2_blake2b_32_block_state lit; + Hacl_Streaming_Blake2_blake2b_32_block_state tmp_block_state; + uint64_t *src_b; + uint64_t *dst_b; + uint64_t prev_len; + uint32_t ite0; + uint8_t *buf_last; + uint8_t *buf_multi; + uint32_t ite1; + uint32_t nb; + uint32_t ite2; + uint32_t ite3; + uint64_t prev_len_last; + uint32_t ite4; + uint32_t ite; + lit.fst = wv; + lit.snd = b; + tmp_block_state = lit; + src_b = block_state.snd; + dst_b = tmp_block_state.snd; + memcpy(dst_b, src_b, (uint32_t)16U * sizeof (uint64_t)); + prev_len = total_len - (uint64_t)r; + if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite0 = (uint32_t)128U; + } + else + { + ite0 = r % (uint32_t)128U; + } + buf_last = buf_1 + r - ite0; + buf_multi = buf_1; + if + ( + (uint32_t)128U + == + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + ) + { + ite1 = (uint32_t)0U; + } + else + { + uint32_t ite5; + if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite5 = (uint32_t)128U; + } + else + { + ite5 = r % (uint32_t)128U; + } + ite1 = r - ite5; + } + nb = ite1 / (uint32_t)128U; + if + ( + (uint32_t)128U + == + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + ) + { + ite2 = (uint32_t)0U; + } + else + { + uint32_t ite5; + if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite5 = (uint32_t)128U; + } + else + { + ite5 = r % (uint32_t)128U; + } + ite2 = r - ite5; + } + 
Hacl_Blake2b_32_blake2b_update_multi(ite2, + tmp_block_state.fst, + tmp_block_state.snd, + FStar_UInt128_uint64_to_uint128(prev_len), + buf_multi, + nb); + if + ( + (uint32_t)128U + == + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + ) + { + ite3 = r; + } + else if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite3 = (uint32_t)128U; + } + else + { + ite3 = r % (uint32_t)128U; + } + prev_len_last = total_len - (uint64_t)ite3; + if + ( + (uint32_t)128U + == + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + ) + { + ite4 = r; + } + else if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite4 = (uint32_t)128U; + } + else + { + ite4 = r % (uint32_t)128U; + } + if + ( + (uint32_t)128U + == + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + ) + { + ite = r; + } + else if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)128U; + } + else + { + ite = r % (uint32_t)128U; + } + Hacl_Blake2b_32_blake2b_update_last(ite4, + tmp_block_state.fst, + tmp_block_state.snd, + FStar_UInt128_uint64_to_uint128(prev_len_last), + ite, + buf_last); + Hacl_Blake2b_32_blake2b_finish((uint32_t)64U, dst, tmp_block_state.snd); + } + } + } + } +} + +/* + Free state function when there is no key +*/ +void Hacl_Streaming_Blake2_blake2b_32_no_key_free(Hacl_Streaming_Blake2_blake2b_32_state *s1) +{ + Hacl_Streaming_Blake2_blake2b_32_state scrut = *s1; + uint8_t *buf = scrut.buf; + Hacl_Streaming_Blake2_blake2b_32_block_state block_state = scrut.block_state; + uint64_t *wv = block_state.fst; + uint64_t *b = block_state.snd; + KRML_HOST_FREE(wv); + KRML_HOST_FREE(b); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s1); +} + diff --git a/src/c89/Hacl_Streaming_Blake2b_256.c b/src/c89/Hacl_Streaming_Blake2b_256.c new file mode 100644 index 00000000..80d58b25 --- /dev/null +++ b/src/c89/Hacl_Streaming_Blake2b_256.c 
@@ -0,0 +1,667 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Streaming_Blake2b_256.h" + + + +/* + State allocation function when there is no key +*/ +Hacl_Streaming_Blake2b_256_blake2b_256_state +*Hacl_Streaming_Blake2b_256_blake2b_256_no_key_create_in() +{ + KRML_CHECK_SIZE(sizeof (uint8_t), + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256)); + { + uint8_t + *buf = + (uint8_t *)KRML_HOST_CALLOC(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256), + sizeof (uint8_t)); + Lib_IntVector_Intrinsics_vec256 + *wv = + (Lib_IntVector_Intrinsics_vec256 *)KRML_HOST_MALLOC(sizeof (Lib_IntVector_Intrinsics_vec256) + * (uint32_t)4U); + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)4U; ++_i) + wv[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + Lib_IntVector_Intrinsics_vec256 + *b = + (Lib_IntVector_Intrinsics_vec256 *)KRML_HOST_MALLOC(sizeof (Lib_IntVector_Intrinsics_vec256) + * (uint32_t)4U); + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)4U; ++_i) + b[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + Hacl_Streaming_Blake2b_256_blake2b_256_block_state lit; + Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state; + lit.fst = wv; + lit.snd = b; + block_state = lit; + { + Hacl_Streaming_Blake2b_256_blake2b_256_state s; + s.block_state = block_state; + s.buf = buf; + s.total_len = (uint64_t)0U; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_Blake2b_256_blake2b_256_state), (uint32_t)1U); + { + Hacl_Streaming_Blake2b_256_blake2b_256_state + *p = + (Hacl_Streaming_Blake2b_256_blake2b_256_state *)KRML_HOST_MALLOC(sizeof ( + Hacl_Streaming_Blake2b_256_blake2b_256_state + )); + p[0U] = s; + Hacl_Blake2b_256_blake2b_init(block_state.snd, (uint32_t)0U, (uint32_t)64U); + return p; + } + } + } + } + } +} + +/* + (Re-)initialization function when there is no key +*/ +void +Hacl_Streaming_Blake2b_256_blake2b_256_no_key_init( + Hacl_Streaming_Blake2b_256_blake2b_256_state *s +) +{ + Hacl_Streaming_Blake2b_256_blake2b_256_state scrut = 
*s; + uint8_t *buf = scrut.buf; + Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state = scrut.block_state; + Hacl_Blake2b_256_blake2b_init(block_state.snd, (uint32_t)0U, (uint32_t)64U); + { + Hacl_Streaming_Blake2b_256_blake2b_256_state lit; + lit.block_state = block_state; + lit.buf = buf; + lit.total_len = (uint64_t)0U; + s[0U] = lit; + } +} + +/* + Update function when there is no key +*/ +void +Hacl_Streaming_Blake2b_256_blake2b_256_no_key_update( + Hacl_Streaming_Blake2b_256_blake2b_256_state *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_Blake2b_256_blake2b_256_state s = *p; + uint64_t total_len = s.total_len; + uint32_t sz; + if + ( + total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + sz = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + } + else + { + sz = + (uint32_t)(total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256)); + } + if + ( + len + <= Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256) - sz + ) + { + Hacl_Streaming_Blake2b_256_blake2b_256_state s1 = *p; + Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256)); + } + { + uint8_t *buf2 = buf + sz1; + uint64_t total_len2; + memcpy(buf2, data, len * sizeof (uint8_t)); + total_len2 = 
total_len1 + (uint64_t)len; + { + Hacl_Streaming_Blake2b_256_blake2b_256_state lit; + lit.block_state = block_state1; + lit.buf = buf; + lit.total_len = total_len2; + *p = lit; + return; + } + } + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_Blake2b_256_blake2b_256_state s1 = *p; + Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256)); + } + { + uint32_t ite; + uint32_t n_blocks; + uint32_t data1_len; + uint32_t data2_len; + uint8_t *data1; + uint8_t *data2; + uint32_t nb0; + uint8_t *dst; + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + uint32_t + nb = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + / (uint32_t)128U; + Hacl_Blake2b_256_blake2b_update_multi(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256), + block_state1.fst, + block_state1.snd, + FStar_UInt128_uint64_to_uint128(prevlen), + buf, + nb); + } + if + ( + (uint64_t)len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + == (uint64_t)0U + && (uint64_t)len > (uint64_t)0U + ) + { + ite = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256); + } + else + { + ite = + (uint32_t)((uint64_t)len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256)); + } + n_blocks = + (len - ite) + / 
Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + data1_len = + n_blocks + * Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + data2_len = len - data1_len; + data1 = data; + data2 = data + data1_len; + nb0 = data1_len / (uint32_t)128U; + Hacl_Blake2b_256_blake2b_update_multi(data1_len, + block_state1.fst, + block_state1.snd, + FStar_UInt128_uint64_to_uint128(total_len1), + data1, + nb0); + dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + { + Hacl_Streaming_Blake2b_256_blake2b_256_state lit; + lit.block_state = block_state1; + lit.buf = buf; + lit.total_len = total_len1 + (uint64_t)len; + *p = lit; + return; + } + } + } + { + uint32_t + diff = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_Blake2b_256_blake2b_256_state s10 = *p; + Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state10 = s10.block_state; + uint8_t *buf0 = s10.buf; + uint64_t total_len10 = s10.total_len; + uint32_t sz10; + if + ( + total_len10 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + == (uint64_t)0U + && total_len10 > (uint64_t)0U + ) + { + sz10 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + } + else + { + sz10 = + (uint32_t)(total_len10 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256)); + } + { + uint8_t *buf2 = buf0 + sz10; + uint64_t total_len2; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + total_len2 = total_len10 + (uint64_t)diff; + { + Hacl_Streaming_Blake2b_256_blake2b_256_state lit; + Hacl_Streaming_Blake2b_256_blake2b_256_state s1; + Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state1; + uint8_t *buf; + uint64_t total_len1; + uint32_t sz1; + uint32_t ite; + uint32_t n_blocks; + 
uint32_t data1_len; + uint32_t data2_len; + uint8_t *data11; + uint8_t *data21; + uint32_t nb0; + uint8_t *dst; + lit.block_state = block_state10; + lit.buf = buf0; + lit.total_len = total_len2; + *p = lit; + s1 = *p; + block_state1 = s1.block_state; + buf = s1.buf; + total_len1 = s1.total_len; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256)); + } + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + uint32_t + nb = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + / (uint32_t)128U; + Hacl_Blake2b_256_blake2b_update_multi(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256), + block_state1.fst, + block_state1.snd, + FStar_UInt128_uint64_to_uint128(prevlen), + buf, + nb); + } + if + ( + (uint64_t)(len - diff) + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256); + } + else + { + ite = + (uint32_t)((uint64_t)(len - diff) + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256)); + } + n_blocks = + (len - diff - ite) + / Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + data1_len = + n_blocks + * Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + data2_len = len - diff - data1_len; + data11 = data2; + data21 = data2 + data1_len; 
+ nb0 = data1_len / (uint32_t)128U; + Hacl_Blake2b_256_blake2b_update_multi(data1_len, + block_state1.fst, + block_state1.snd, + FStar_UInt128_uint64_to_uint128(total_len1), + data11, + nb0); + dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + { + Hacl_Streaming_Blake2b_256_blake2b_256_state lit0; + lit0.block_state = block_state1; + lit0.buf = buf; + lit0.total_len = total_len1 + (uint64_t)(len - diff); + *p = lit0; + } + } + } + } +} + +/* + Finish function when there is no key +*/ +void +Hacl_Streaming_Blake2b_256_blake2b_256_no_key_finish( + Hacl_Streaming_Blake2b_256_blake2b_256_state *p, + uint8_t *dst +) +{ + Hacl_Streaming_Blake2b_256_blake2b_256_state scrut = *p; + Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + } + else + { + r = + (uint32_t)(total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256)); + } + { + uint8_t *buf_1 = buf_; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec256), (uint32_t)4U * (uint32_t)1U); + { + Lib_IntVector_Intrinsics_vec256 wv[(uint32_t)4U * (uint32_t)1U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + wv[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec256), (uint32_t)4U * (uint32_t)1U); + { + Lib_IntVector_Intrinsics_vec256 b[(uint32_t)4U * (uint32_t)1U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + b[_i] = Lib_IntVector_Intrinsics_vec256_zero; + } + { + Hacl_Streaming_Blake2b_256_blake2b_256_block_state lit; + 
Hacl_Streaming_Blake2b_256_blake2b_256_block_state tmp_block_state; + Lib_IntVector_Intrinsics_vec256 *src_b; + Lib_IntVector_Intrinsics_vec256 *dst_b; + uint64_t prev_len; + uint32_t ite0; + uint8_t *buf_last; + uint8_t *buf_multi; + uint32_t ite1; + uint32_t nb; + uint32_t ite2; + uint32_t ite3; + uint64_t prev_len_last; + uint32_t ite4; + uint32_t ite; + lit.fst = wv; + lit.snd = b; + tmp_block_state = lit; + src_b = block_state.snd; + dst_b = tmp_block_state.snd; + memcpy(dst_b, src_b, (uint32_t)4U * sizeof (Lib_IntVector_Intrinsics_vec256)); + prev_len = total_len - (uint64_t)r; + if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite0 = (uint32_t)128U; + } + else + { + ite0 = r % (uint32_t)128U; + } + buf_last = buf_1 + r - ite0; + buf_multi = buf_1; + if + ( + (uint32_t)128U + == + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + ) + { + ite1 = (uint32_t)0U; + } + else + { + uint32_t ite5; + if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite5 = (uint32_t)128U; + } + else + { + ite5 = r % (uint32_t)128U; + } + ite1 = r - ite5; + } + nb = ite1 / (uint32_t)128U; + if + ( + (uint32_t)128U + == + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + ) + { + ite2 = (uint32_t)0U; + } + else + { + uint32_t ite5; + if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite5 = (uint32_t)128U; + } + else + { + ite5 = r % (uint32_t)128U; + } + ite2 = r - ite5; + } + Hacl_Blake2b_256_blake2b_update_multi(ite2, + tmp_block_state.fst, + tmp_block_state.snd, + FStar_UInt128_uint64_to_uint128(prev_len), + buf_multi, + nb); + if + ( + (uint32_t)128U + == + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + ) + { + ite3 = r; + } + else if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite3 = (uint32_t)128U; + } + else + { + ite3 = r % (uint32_t)128U; + } + prev_len_last = total_len - 
(uint64_t)ite3; + if + ( + (uint32_t)128U + == + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + ) + { + ite4 = r; + } + else if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite4 = (uint32_t)128U; + } + else + { + ite4 = r % (uint32_t)128U; + } + if + ( + (uint32_t)128U + == + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + ) + { + ite = r; + } + else if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)128U; + } + else + { + ite = r % (uint32_t)128U; + } + Hacl_Blake2b_256_blake2b_update_last(ite4, + tmp_block_state.fst, + tmp_block_state.snd, + FStar_UInt128_uint64_to_uint128(prev_len_last), + ite, + buf_last); + Hacl_Blake2b_256_blake2b_finish((uint32_t)64U, dst, tmp_block_state.snd); + } + } + } + } +} + +/* + Free state function when there is no key +*/ +void +Hacl_Streaming_Blake2b_256_blake2b_256_no_key_free( + Hacl_Streaming_Blake2b_256_blake2b_256_state *s +) +{ + Hacl_Streaming_Blake2b_256_blake2b_256_state scrut = *s; + uint8_t *buf = scrut.buf; + Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state = scrut.block_state; + Lib_IntVector_Intrinsics_vec256 *wv = block_state.fst; + Lib_IntVector_Intrinsics_vec256 *b = block_state.snd; + KRML_HOST_FREE(wv); + KRML_HOST_FREE(b); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s); +} + diff --git a/src/c89/Hacl_Streaming_Blake2s_128.c b/src/c89/Hacl_Streaming_Blake2s_128.c new file mode 100644 index 00000000..dc6307a2 --- /dev/null +++ b/src/c89/Hacl_Streaming_Blake2s_128.c 
@@ -0,0 +1,667 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Streaming_Blake2s_128.h" + + + +/* + State allocation function when there is no key +*/ +Hacl_Streaming_Blake2s_128_blake2s_128_state +*Hacl_Streaming_Blake2s_128_blake2s_128_no_key_create_in() +{ + KRML_CHECK_SIZE(sizeof (uint8_t), + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128)); + { + uint8_t + *buf = + (uint8_t *)KRML_HOST_CALLOC(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128), + sizeof (uint8_t)); + Lib_IntVector_Intrinsics_vec128 + *wv = + (Lib_IntVector_Intrinsics_vec128 *)KRML_HOST_MALLOC(sizeof (Lib_IntVector_Intrinsics_vec128) + * (uint32_t)4U); + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)4U; ++_i) + wv[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + { + Lib_IntVector_Intrinsics_vec128 + *b = + (Lib_IntVector_Intrinsics_vec128 *)KRML_HOST_MALLOC(sizeof (Lib_IntVector_Intrinsics_vec128) + * (uint32_t)4U); + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)4U; ++_i) + b[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + { + Hacl_Streaming_Blake2s_128_blake2s_128_block_state lit; + Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state; + lit.fst = wv; + lit.snd = b; + block_state = lit; + { + Hacl_Streaming_Blake2s_128_blake2s_128_state s; + s.block_state = block_state; + s.buf = buf; + s.total_len = (uint64_t)0U; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_Blake2s_128_blake2s_128_state), (uint32_t)1U); + { + Hacl_Streaming_Blake2s_128_blake2s_128_state + *p = + (Hacl_Streaming_Blake2s_128_blake2s_128_state *)KRML_HOST_MALLOC(sizeof ( + Hacl_Streaming_Blake2s_128_blake2s_128_state + )); + p[0U] = s; + Hacl_Blake2s_128_blake2s_init(block_state.snd, (uint32_t)0U, (uint32_t)32U); + return p; + } + } + } + } + } +} + +/* + (Re-)initialization function when there is no key +*/ +void +Hacl_Streaming_Blake2s_128_blake2s_128_no_key_init( + Hacl_Streaming_Blake2s_128_blake2s_128_state *s +) +{ + Hacl_Streaming_Blake2s_128_blake2s_128_state scrut = 
*s; + uint8_t *buf = scrut.buf; + Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state = scrut.block_state; + Hacl_Blake2s_128_blake2s_init(block_state.snd, (uint32_t)0U, (uint32_t)32U); + { + Hacl_Streaming_Blake2s_128_blake2s_128_state lit; + lit.block_state = block_state; + lit.buf = buf; + lit.total_len = (uint64_t)0U; + s[0U] = lit; + } +} + +/* + Update function when there is no key +*/ +void +Hacl_Streaming_Blake2s_128_blake2s_128_no_key_update( + Hacl_Streaming_Blake2s_128_blake2s_128_state *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_Blake2s_128_blake2s_128_state s = *p; + uint64_t total_len = s.total_len; + uint32_t sz; + if + ( + total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + sz = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + } + else + { + sz = + (uint32_t)(total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128)); + } + if + ( + len + <= Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128) - sz + ) + { + Hacl_Streaming_Blake2s_128_blake2s_128_state s1 = *p; + Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128)); + } + { + uint8_t *buf2 = buf + sz1; + uint64_t total_len2; + memcpy(buf2, data, len * sizeof (uint8_t)); + total_len2 = 
total_len1 + (uint64_t)len; + { + Hacl_Streaming_Blake2s_128_blake2s_128_state lit; + lit.block_state = block_state1; + lit.buf = buf; + lit.total_len = total_len2; + *p = lit; + return; + } + } + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_Blake2s_128_blake2s_128_state s1 = *p; + Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128)); + } + { + uint32_t ite; + uint32_t n_blocks; + uint32_t data1_len; + uint32_t data2_len; + uint8_t *data1; + uint8_t *data2; + uint32_t nb0; + uint8_t *dst; + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + uint32_t + nb = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + / (uint32_t)64U; + Hacl_Blake2s_128_blake2s_update_multi(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128), + block_state1.fst, + block_state1.snd, + prevlen, + buf, + nb); + } + if + ( + (uint64_t)len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + == (uint64_t)0U + && (uint64_t)len > (uint64_t)0U + ) + { + ite = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128); + } + else + { + ite = + (uint32_t)((uint64_t)len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128)); + } + n_blocks = + (len - ite) + / Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, 
Hacl_Impl_Blake2_Core_M128); + data1_len = + n_blocks + * Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + data2_len = len - data1_len; + data1 = data; + data2 = data + data1_len; + nb0 = data1_len / (uint32_t)64U; + Hacl_Blake2s_128_blake2s_update_multi(data1_len, + block_state1.fst, + block_state1.snd, + total_len1, + data1, + nb0); + dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + { + Hacl_Streaming_Blake2s_128_blake2s_128_state lit; + lit.block_state = block_state1; + lit.buf = buf; + lit.total_len = total_len1 + (uint64_t)len; + *p = lit; + return; + } + } + } + { + uint32_t + diff = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_Blake2s_128_blake2s_128_state s10 = *p; + Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state10 = s10.block_state; + uint8_t *buf0 = s10.buf; + uint64_t total_len10 = s10.total_len; + uint32_t sz10; + if + ( + total_len10 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + == (uint64_t)0U + && total_len10 > (uint64_t)0U + ) + { + sz10 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + } + else + { + sz10 = + (uint32_t)(total_len10 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128)); + } + { + uint8_t *buf2 = buf0 + sz10; + uint64_t total_len2; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + total_len2 = total_len10 + (uint64_t)diff; + { + Hacl_Streaming_Blake2s_128_blake2s_128_state lit; + Hacl_Streaming_Blake2s_128_blake2s_128_state s1; + Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state1; + uint8_t *buf; + uint64_t total_len1; + uint32_t sz1; + uint32_t ite; + uint32_t n_blocks; + uint32_t data1_len; + uint32_t data2_len; + uint8_t *data11; + uint8_t *data21; + uint32_t nb0; 
+ uint8_t *dst; + lit.block_state = block_state10; + lit.buf = buf0; + lit.total_len = total_len2; + *p = lit; + s1 = *p; + block_state1 = s1.block_state; + buf = s1.buf; + total_len1 = s1.total_len; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128)); + } + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + uint32_t + nb = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + / (uint32_t)64U; + Hacl_Blake2s_128_blake2s_update_multi(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128), + block_state1.fst, + block_state1.snd, + prevlen, + buf, + nb); + } + if + ( + (uint64_t)(len - diff) + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128); + } + else + { + ite = + (uint32_t)((uint64_t)(len - diff) + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128)); + } + n_blocks = + (len - diff - ite) + / Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + data1_len = + n_blocks + * Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + data2_len = len - diff - data1_len; + data11 = data2; + data21 = data2 + data1_len; + nb0 = data1_len / (uint32_t)64U; + Hacl_Blake2s_128_blake2s_update_multi(data1_len, + block_state1.fst, + block_state1.snd, + 
total_len1, + data11, + nb0); + dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + { + Hacl_Streaming_Blake2s_128_blake2s_128_state lit0; + lit0.block_state = block_state1; + lit0.buf = buf; + lit0.total_len = total_len1 + (uint64_t)(len - diff); + *p = lit0; + } + } + } + } +} + +/* + Finish function when there is no key +*/ +void +Hacl_Streaming_Blake2s_128_blake2s_128_no_key_finish( + Hacl_Streaming_Blake2s_128_blake2s_128_state *p, + uint8_t *dst +) +{ + Hacl_Streaming_Blake2s_128_blake2s_128_state scrut = *p; + Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + } + else + { + r = + (uint32_t)(total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128)); + } + { + uint8_t *buf_1 = buf_; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec128), (uint32_t)4U * (uint32_t)1U); + { + Lib_IntVector_Intrinsics_vec128 wv[(uint32_t)4U * (uint32_t)1U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + wv[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec128), (uint32_t)4U * (uint32_t)1U); + { + Lib_IntVector_Intrinsics_vec128 b[(uint32_t)4U * (uint32_t)1U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + b[_i] = Lib_IntVector_Intrinsics_vec128_zero; + } + { + Hacl_Streaming_Blake2s_128_blake2s_128_block_state lit; + Hacl_Streaming_Blake2s_128_blake2s_128_block_state tmp_block_state; + Lib_IntVector_Intrinsics_vec128 *src_b; + Lib_IntVector_Intrinsics_vec128 *dst_b; + uint64_t prev_len; + uint32_t ite0; + 
uint8_t *buf_last; + uint8_t *buf_multi; + uint32_t ite1; + uint32_t nb; + uint32_t ite2; + uint32_t ite3; + uint64_t prev_len_last; + uint32_t ite4; + uint32_t ite; + lit.fst = wv; + lit.snd = b; + tmp_block_state = lit; + src_b = block_state.snd; + dst_b = tmp_block_state.snd; + memcpy(dst_b, src_b, (uint32_t)4U * sizeof (Lib_IntVector_Intrinsics_vec128)); + prev_len = total_len - (uint64_t)r; + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite0 = (uint32_t)64U; + } + else + { + ite0 = r % (uint32_t)64U; + } + buf_last = buf_1 + r - ite0; + buf_multi = buf_1; + if + ( + (uint32_t)64U + == + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + ) + { + ite1 = (uint32_t)0U; + } + else + { + uint32_t ite5; + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite5 = (uint32_t)64U; + } + else + { + ite5 = r % (uint32_t)64U; + } + ite1 = r - ite5; + } + nb = ite1 / (uint32_t)64U; + if + ( + (uint32_t)64U + == + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + ) + { + ite2 = (uint32_t)0U; + } + else + { + uint32_t ite5; + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite5 = (uint32_t)64U; + } + else + { + ite5 = r % (uint32_t)64U; + } + ite2 = r - ite5; + } + Hacl_Blake2s_128_blake2s_update_multi(ite2, + tmp_block_state.fst, + tmp_block_state.snd, + prev_len, + buf_multi, + nb); + if + ( + (uint32_t)64U + == + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + ) + { + ite3 = r; + } + else if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite3 = (uint32_t)64U; + } + else + { + ite3 = r % (uint32_t)64U; + } + prev_len_last = total_len - (uint64_t)ite3; + if + ( + (uint32_t)64U + == + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + ) + { + ite4 = r; + } + else if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite4 = 
(uint32_t)64U; + } + else + { + ite4 = r % (uint32_t)64U; + } + if + ( + (uint32_t)64U + == + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + ) + { + ite = r; + } + else if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = r % (uint32_t)64U; + } + Hacl_Blake2s_128_blake2s_update_last(ite4, + tmp_block_state.fst, + tmp_block_state.snd, + prev_len_last, + ite, + buf_last); + Hacl_Blake2s_128_blake2s_finish((uint32_t)32U, dst, tmp_block_state.snd); + } + } + } + } +} + +/* + Free state function when there is no key +*/ +void +Hacl_Streaming_Blake2s_128_blake2s_128_no_key_free( + Hacl_Streaming_Blake2s_128_blake2s_128_state *s +) +{ + Hacl_Streaming_Blake2s_128_blake2s_128_state scrut = *s; + uint8_t *buf = scrut.buf; + Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state = scrut.block_state; + Lib_IntVector_Intrinsics_vec128 *wv = block_state.fst; + Lib_IntVector_Intrinsics_vec128 *b = block_state.snd; + KRML_HOST_FREE(wv); + KRML_HOST_FREE(b); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s); +} + diff --git a/src/c89/Hacl_Streaming_SHA1.c b/src/c89/Hacl_Streaming_SHA1.c new file mode 100644 index 00000000..0823c114 --- /dev/null +++ b/src/c89/Hacl_Streaming_SHA1.c 
@@ -0,0 +1,306 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */ + + +#include "Hacl_Streaming_SHA1.h" + +#include "internal/Hacl_Hash_SHA1.h" + +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA1_legacy_create_in_sha1() +{ + uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); + uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC((uint32_t)5U, sizeof (uint32_t)); + Hacl_Streaming_SHA2_state_sha2_224 s; + s.block_state = block_state; + s.buf = buf; + s.total_len = (uint64_t)0U; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_SHA2_state_sha2_224), (uint32_t)1U); + { + Hacl_Streaming_SHA2_state_sha2_224 + *p = + (Hacl_Streaming_SHA2_state_sha2_224 *)KRML_HOST_MALLOC(sizeof ( + Hacl_Streaming_SHA2_state_sha2_224 + )); + p[0U] = s; + Hacl_Hash_Core_SHA1_legacy_init(block_state); + return p; + } +} + +void Hacl_Streaming_SHA1_legacy_init_sha1(Hacl_Streaming_SHA2_state_sha2_224 *s) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *s; + uint8_t *buf = scrut.buf; + uint32_t *block_state = scrut.block_state; + Hacl_Hash_Core_SHA1_legacy_init(block_state); + { + Hacl_Streaming_SHA2_state_sha2_224 lit; + lit.block_state = block_state; + lit.buf = buf; + lit.total_len = (uint64_t)0U; + s[0U] = lit; + } +} + +void +Hacl_Streaming_SHA1_legacy_update_sha1( + Hacl_Streaming_SHA2_state_sha2_224 *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_SHA2_state_sha2_224 s = *p; + uint64_t total_len = s.total_len; + uint32_t sz; + if (total_len % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len > (uint64_t)0U) + { + sz = (uint32_t)64U; + } + else + { + sz = (uint32_t)(total_len % (uint64_t)(uint32_t)64U); + } + if (len <= (uint32_t)64U - sz) + { + Hacl_Streaming_SHA2_state_sha2_224 s1 = *p; + uint32_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + { + uint8_t 
*buf2 = buf + sz1; + uint64_t total_len2; + memcpy(buf2, data, len * sizeof (uint8_t)); + total_len2 = total_len1 + (uint64_t)len; + { + Hacl_Streaming_SHA2_state_sha2_224 lit; + lit.block_state = block_state1; + lit.buf = buf; + lit.total_len = total_len2; + *p = lit; + return; + } + } + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_SHA2_state_sha2_224 s1 = *p; + uint32_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + { + uint32_t ite; + uint32_t n_blocks; + uint32_t data1_len; + uint32_t data2_len; + uint8_t *data1; + uint8_t *data2; + uint8_t *dst; + if (!(sz1 == (uint32_t)0U)) + { + Hacl_Hash_SHA1_legacy_update_multi(block_state1, buf, (uint32_t)1U); + } + if ((uint64_t)len % (uint64_t)(uint32_t)64U == (uint64_t)0U && (uint64_t)len > (uint64_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = (uint32_t)((uint64_t)len % (uint64_t)(uint32_t)64U); + } + n_blocks = (len - ite) / (uint32_t)64U; + data1_len = n_blocks * (uint32_t)64U; + data2_len = len - data1_len; + data1 = data; + data2 = data + data1_len; + Hacl_Hash_SHA1_legacy_update_multi(block_state1, data1, data1_len / (uint32_t)64U); + dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + { + Hacl_Streaming_SHA2_state_sha2_224 lit; + lit.block_state = block_state1; + lit.buf = buf; + lit.total_len = total_len1 + (uint64_t)len; + *p = lit; + return; + } + } + } + { + uint32_t diff = (uint32_t)64U - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_SHA2_state_sha2_224 s10 = *p; + uint32_t *block_state10 = s10.block_state; + uint8_t *buf0 = s10.buf; + uint64_t total_len10 = s10.total_len; + uint32_t sz10; + if (total_len10 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len10 > (uint64_t)0U) + { + sz10 = 
(uint32_t)64U; + } + else + { + sz10 = (uint32_t)(total_len10 % (uint64_t)(uint32_t)64U); + } + { + uint8_t *buf2 = buf0 + sz10; + uint64_t total_len2; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + total_len2 = total_len10 + (uint64_t)diff; + { + Hacl_Streaming_SHA2_state_sha2_224 lit; + Hacl_Streaming_SHA2_state_sha2_224 s1; + uint32_t *block_state1; + uint8_t *buf; + uint64_t total_len1; + uint32_t sz1; + uint32_t ite; + uint32_t n_blocks; + uint32_t data1_len; + uint32_t data2_len; + uint8_t *data11; + uint8_t *data21; + uint8_t *dst; + lit.block_state = block_state10; + lit.buf = buf0; + lit.total_len = total_len2; + *p = lit; + s1 = *p; + block_state1 = s1.block_state; + buf = s1.buf; + total_len1 = s1.total_len; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + if (!(sz1 == (uint32_t)0U)) + { + Hacl_Hash_SHA1_legacy_update_multi(block_state1, buf, (uint32_t)1U); + } + if + ( + (uint64_t)(len - diff) + % (uint64_t)(uint32_t)64U + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = (uint32_t)64U; + } + else + { + ite = (uint32_t)((uint64_t)(len - diff) % (uint64_t)(uint32_t)64U); + } + n_blocks = (len - diff - ite) / (uint32_t)64U; + data1_len = n_blocks * (uint32_t)64U; + data2_len = len - diff - data1_len; + data11 = data2; + data21 = data2 + data1_len; + Hacl_Hash_SHA1_legacy_update_multi(block_state1, data11, data1_len / (uint32_t)64U); + dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + { + Hacl_Streaming_SHA2_state_sha2_224 lit0; + lit0.block_state = block_state1; + lit0.buf = buf; + lit0.total_len = total_len1 + (uint64_t)(len - diff); + *p = lit0; + } + } + } + } +} + +void +Hacl_Streaming_SHA1_legacy_finish_sha1(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *p; + uint32_t *block_state = scrut.block_state; + 
uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if (total_len % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len > (uint64_t)0U) + { + r = (uint32_t)64U; + } + else + { + r = (uint32_t)(total_len % (uint64_t)(uint32_t)64U); + } + { + uint8_t *buf_1 = buf_; + uint32_t tmp_block_state[5U] = { 0U }; + uint32_t ite; + uint8_t *buf_last; + uint8_t *buf_multi; + uint64_t prev_len_last; + memcpy(tmp_block_state, block_state, (uint32_t)5U * sizeof (uint32_t)); + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = r % (uint32_t)64U; + } + buf_last = buf_1 + r - ite; + buf_multi = buf_1; + Hacl_Hash_SHA1_legacy_update_multi(tmp_block_state, buf_multi, (uint32_t)0U); + prev_len_last = total_len - (uint64_t)r; + Hacl_Hash_SHA1_legacy_update_last(tmp_block_state, prev_len_last, buf_last, r); + Hacl_Hash_Core_SHA1_legacy_finish(tmp_block_state, dst); + } +} + +void Hacl_Streaming_SHA1_legacy_free_sha1(Hacl_Streaming_SHA2_state_sha2_224 *s) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *s; + uint8_t *buf = scrut.buf; + uint32_t *block_state = scrut.block_state; + KRML_HOST_FREE(block_state); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s); +} + diff --git a/src/c89/Hacl_Streaming_SHA2.c b/src/c89/Hacl_Streaming_SHA2.c new file mode 100644 index 00000000..cda67e1f --- /dev/null +++ b/src/c89/Hacl_Streaming_SHA2.c 
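Review bot: `Hacl_Streaming_SHA1_legacy_create_in_sha1` allocates a 5-word `block_state` (`KRML_HOST_CALLOC((uint32_t)5U, sizeof (uint32_t))`) but hands it back as `Hacl_Streaming_SHA2_state_sha2_224 *`, the same type the SHA-224/256 functions in this commit use for an 8-word state, so a caller that passes a SHA-1 state to a SHA-2 finish function compiles silently and that function's `memcpy(tmp_block_state, block_state, (uint32_t)8U * sizeof (uint32_t))` reads 12 bytes past the allocation. A distinct state typedef would rule this out (it lives in the header, outside this hunk); failing that, the create function should carry a comment such as `/* block_state holds 5 words: this state must only be passed to the SHA1_legacy_* functions, never to the SHA-2 functions that share the type */`. Separately, the `KRML_HOST_CALLOC`/`KRML_HOST_MALLOC` results are dereferenced (`p[0U] = s;`, `Hacl_Hash_Core_SHA1_legacy_init(block_state)`) with no NULL check, so the code is only safe if `KRML_HOST_MALLOC` is configured to abort on failure, which is an assumption worth stating in a comment on the create function. The `legacy_` prefix is the only hint that SHA-1 is not collision-resistant; a one-line comment above `Hacl_Streaming_SHA1_legacy_create_in_sha1` saying it exists for compatibility with existing protocols only would help integrators choose correctly.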
@@ -0,0 +1,1142 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */ + + +#include "Hacl_Streaming_SHA2.h" + +#include "internal/Hacl_Hash_SHA2.h" + +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_224() +{ + uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); + uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); + Hacl_Streaming_SHA2_state_sha2_224 s; + s.block_state = block_state; + s.buf = buf; + s.total_len = (uint64_t)0U; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_SHA2_state_sha2_224), (uint32_t)1U); + { + Hacl_Streaming_SHA2_state_sha2_224 + *p = + (Hacl_Streaming_SHA2_state_sha2_224 *)KRML_HOST_MALLOC(sizeof ( + Hacl_Streaming_SHA2_state_sha2_224 + )); + p[0U] = s; + Hacl_Hash_Core_SHA2_init_224(block_state); + return p; + } +} + +void Hacl_Streaming_SHA2_init_224(Hacl_Streaming_SHA2_state_sha2_224 *s) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *s; + uint8_t *buf = scrut.buf; + uint32_t *block_state = scrut.block_state; + Hacl_Hash_Core_SHA2_init_224(block_state); + { + Hacl_Streaming_SHA2_state_sha2_224 lit; + lit.block_state = block_state; + lit.buf = buf; + lit.total_len = (uint64_t)0U; + s[0U] = lit; + } +} + +void +Hacl_Streaming_SHA2_update_224( + Hacl_Streaming_SHA2_state_sha2_224 *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_SHA2_state_sha2_224 s = *p; + uint64_t total_len = s.total_len; + uint32_t sz; + if (total_len % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len > (uint64_t)0U) + { + sz = (uint32_t)64U; + } + else + { + sz = (uint32_t)(total_len % (uint64_t)(uint32_t)64U); + } + if (len <= (uint32_t)64U - sz) + { + Hacl_Streaming_SHA2_state_sha2_224 s1 = *p; + uint32_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + { + uint8_t *buf2 = buf + sz1; + uint64_t 
total_len2; + memcpy(buf2, data, len * sizeof (uint8_t)); + total_len2 = total_len1 + (uint64_t)len; + { + Hacl_Streaming_SHA2_state_sha2_224 lit; + lit.block_state = block_state1; + lit.buf = buf; + lit.total_len = total_len2; + *p = lit; + return; + } + } + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_SHA2_state_sha2_224 s1 = *p; + uint32_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + { + uint32_t ite; + uint32_t n_blocks; + uint32_t data1_len; + uint32_t data2_len; + uint8_t *data1; + uint8_t *data2; + uint8_t *dst; + if (!(sz1 == (uint32_t)0U)) + { + Hacl_Hash_SHA2_update_multi_224(block_state1, buf, (uint32_t)1U); + } + if ((uint64_t)len % (uint64_t)(uint32_t)64U == (uint64_t)0U && (uint64_t)len > (uint64_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = (uint32_t)((uint64_t)len % (uint64_t)(uint32_t)64U); + } + n_blocks = (len - ite) / (uint32_t)64U; + data1_len = n_blocks * (uint32_t)64U; + data2_len = len - data1_len; + data1 = data; + data2 = data + data1_len; + Hacl_Hash_SHA2_update_multi_224(block_state1, data1, data1_len / (uint32_t)64U); + dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + { + Hacl_Streaming_SHA2_state_sha2_224 lit; + lit.block_state = block_state1; + lit.buf = buf; + lit.total_len = total_len1 + (uint64_t)len; + *p = lit; + return; + } + } + } + { + uint32_t diff = (uint32_t)64U - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_SHA2_state_sha2_224 s10 = *p; + uint32_t *block_state10 = s10.block_state; + uint8_t *buf0 = s10.buf; + uint64_t total_len10 = s10.total_len; + uint32_t sz10; + if (total_len10 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len10 > (uint64_t)0U) + { + sz10 = (uint32_t)64U; + } + else + { + sz10 = 
(uint32_t)(total_len10 % (uint64_t)(uint32_t)64U); + } + { + uint8_t *buf2 = buf0 + sz10; + uint64_t total_len2; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + total_len2 = total_len10 + (uint64_t)diff; + { + Hacl_Streaming_SHA2_state_sha2_224 lit; + Hacl_Streaming_SHA2_state_sha2_224 s1; + uint32_t *block_state1; + uint8_t *buf; + uint64_t total_len1; + uint32_t sz1; + uint32_t ite; + uint32_t n_blocks; + uint32_t data1_len; + uint32_t data2_len; + uint8_t *data11; + uint8_t *data21; + uint8_t *dst; + lit.block_state = block_state10; + lit.buf = buf0; + lit.total_len = total_len2; + *p = lit; + s1 = *p; + block_state1 = s1.block_state; + buf = s1.buf; + total_len1 = s1.total_len; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + if (!(sz1 == (uint32_t)0U)) + { + Hacl_Hash_SHA2_update_multi_224(block_state1, buf, (uint32_t)1U); + } + if + ( + (uint64_t)(len - diff) + % (uint64_t)(uint32_t)64U + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = (uint32_t)64U; + } + else + { + ite = (uint32_t)((uint64_t)(len - diff) % (uint64_t)(uint32_t)64U); + } + n_blocks = (len - diff - ite) / (uint32_t)64U; + data1_len = n_blocks * (uint32_t)64U; + data2_len = len - diff - data1_len; + data11 = data2; + data21 = data2 + data1_len; + Hacl_Hash_SHA2_update_multi_224(block_state1, data11, data1_len / (uint32_t)64U); + dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + { + Hacl_Streaming_SHA2_state_sha2_224 lit0; + lit0.block_state = block_state1; + lit0.buf = buf; + lit0.total_len = total_len1 + (uint64_t)(len - diff); + *p = lit0; + } + } + } + } +} + +void Hacl_Streaming_SHA2_finish_224(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *p; + uint32_t *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = 
scrut.total_len; + uint32_t r; + if (total_len % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len > (uint64_t)0U) + { + r = (uint32_t)64U; + } + else + { + r = (uint32_t)(total_len % (uint64_t)(uint32_t)64U); + } + { + uint8_t *buf_1 = buf_; + uint32_t tmp_block_state[8U] = { 0U }; + uint32_t ite; + uint8_t *buf_last; + uint8_t *buf_multi; + uint64_t prev_len_last; + memcpy(tmp_block_state, block_state, (uint32_t)8U * sizeof (uint32_t)); + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = r % (uint32_t)64U; + } + buf_last = buf_1 + r - ite; + buf_multi = buf_1; + Hacl_Hash_SHA2_update_multi_224(tmp_block_state, buf_multi, (uint32_t)0U); + prev_len_last = total_len - (uint64_t)r; + Hacl_Hash_SHA2_update_last_224(tmp_block_state, prev_len_last, buf_last, r); + Hacl_Hash_Core_SHA2_finish_224(tmp_block_state, dst); + } +} + +void Hacl_Streaming_SHA2_free_224(Hacl_Streaming_SHA2_state_sha2_224 *s) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *s; + uint8_t *buf = scrut.buf; + uint32_t *block_state = scrut.block_state; + KRML_HOST_FREE(block_state); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s); +} + +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_256() +{ + uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); + uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); + Hacl_Streaming_SHA2_state_sha2_224 s; + s.block_state = block_state; + s.buf = buf; + s.total_len = (uint64_t)0U; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_SHA2_state_sha2_224), (uint32_t)1U); + { + Hacl_Streaming_SHA2_state_sha2_224 + *p = + (Hacl_Streaming_SHA2_state_sha2_224 *)KRML_HOST_MALLOC(sizeof ( + Hacl_Streaming_SHA2_state_sha2_224 + )); + p[0U] = s; + Hacl_Hash_Core_SHA2_init_256(block_state); + return p; + } +} + +void Hacl_Streaming_SHA2_init_256(Hacl_Streaming_SHA2_state_sha2_224 *s) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *s; + uint8_t *buf = 
scrut.buf; + uint32_t *block_state = scrut.block_state; + Hacl_Hash_Core_SHA2_init_256(block_state); + { + Hacl_Streaming_SHA2_state_sha2_224 lit; + lit.block_state = block_state; + lit.buf = buf; + lit.total_len = (uint64_t)0U; + s[0U] = lit; + } +} + +void +Hacl_Streaming_SHA2_update_256( + Hacl_Streaming_SHA2_state_sha2_224 *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_SHA2_state_sha2_224 s = *p; + uint64_t total_len = s.total_len; + uint32_t sz; + if (total_len % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len > (uint64_t)0U) + { + sz = (uint32_t)64U; + } + else + { + sz = (uint32_t)(total_len % (uint64_t)(uint32_t)64U); + } + if (len <= (uint32_t)64U - sz) + { + Hacl_Streaming_SHA2_state_sha2_224 s1 = *p; + uint32_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + { + uint8_t *buf2 = buf + sz1; + uint64_t total_len2; + memcpy(buf2, data, len * sizeof (uint8_t)); + total_len2 = total_len1 + (uint64_t)len; + { + Hacl_Streaming_SHA2_state_sha2_224 lit; + lit.block_state = block_state1; + lit.buf = buf; + lit.total_len = total_len2; + *p = lit; + return; + } + } + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_SHA2_state_sha2_224 s1 = *p; + uint32_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + { + uint32_t ite; + uint32_t n_blocks; + uint32_t data1_len; + uint32_t data2_len; + uint8_t *data1; + uint8_t *data2; + uint8_t *dst; + if (!(sz1 == (uint32_t)0U)) + { + Hacl_Hash_SHA2_update_multi_256(block_state1, buf, (uint32_t)1U); + } + if 
((uint64_t)len % (uint64_t)(uint32_t)64U == (uint64_t)0U && (uint64_t)len > (uint64_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = (uint32_t)((uint64_t)len % (uint64_t)(uint32_t)64U); + } + n_blocks = (len - ite) / (uint32_t)64U; + data1_len = n_blocks * (uint32_t)64U; + data2_len = len - data1_len; + data1 = data; + data2 = data + data1_len; + Hacl_Hash_SHA2_update_multi_256(block_state1, data1, data1_len / (uint32_t)64U); + dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + { + Hacl_Streaming_SHA2_state_sha2_224 lit; + lit.block_state = block_state1; + lit.buf = buf; + lit.total_len = total_len1 + (uint64_t)len; + *p = lit; + return; + } + } + } + { + uint32_t diff = (uint32_t)64U - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_SHA2_state_sha2_224 s10 = *p; + uint32_t *block_state10 = s10.block_state; + uint8_t *buf0 = s10.buf; + uint64_t total_len10 = s10.total_len; + uint32_t sz10; + if (total_len10 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len10 > (uint64_t)0U) + { + sz10 = (uint32_t)64U; + } + else + { + sz10 = (uint32_t)(total_len10 % (uint64_t)(uint32_t)64U); + } + { + uint8_t *buf2 = buf0 + sz10; + uint64_t total_len2; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + total_len2 = total_len10 + (uint64_t)diff; + { + Hacl_Streaming_SHA2_state_sha2_224 lit; + Hacl_Streaming_SHA2_state_sha2_224 s1; + uint32_t *block_state1; + uint8_t *buf; + uint64_t total_len1; + uint32_t sz1; + uint32_t ite; + uint32_t n_blocks; + uint32_t data1_len; + uint32_t data2_len; + uint8_t *data11; + uint8_t *data21; + uint8_t *dst; + lit.block_state = block_state10; + lit.buf = buf0; + lit.total_len = total_len2; + *p = lit; + s1 = *p; + block_state1 = s1.block_state; + buf = s1.buf; + total_len1 = s1.total_len; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + if (!(sz1 == 
(uint32_t)0U)) + { + Hacl_Hash_SHA2_update_multi_256(block_state1, buf, (uint32_t)1U); + } + if + ( + (uint64_t)(len - diff) + % (uint64_t)(uint32_t)64U + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = (uint32_t)64U; + } + else + { + ite = (uint32_t)((uint64_t)(len - diff) % (uint64_t)(uint32_t)64U); + } + n_blocks = (len - diff - ite) / (uint32_t)64U; + data1_len = n_blocks * (uint32_t)64U; + data2_len = len - diff - data1_len; + data11 = data2; + data21 = data2 + data1_len; + Hacl_Hash_SHA2_update_multi_256(block_state1, data11, data1_len / (uint32_t)64U); + dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + { + Hacl_Streaming_SHA2_state_sha2_224 lit0; + lit0.block_state = block_state1; + lit0.buf = buf; + lit0.total_len = total_len1 + (uint64_t)(len - diff); + *p = lit0; + } + } + } + } +} + +void Hacl_Streaming_SHA2_finish_256(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *p; + uint32_t *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if (total_len % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len > (uint64_t)0U) + { + r = (uint32_t)64U; + } + else + { + r = (uint32_t)(total_len % (uint64_t)(uint32_t)64U); + } + { + uint8_t *buf_1 = buf_; + uint32_t tmp_block_state[8U] = { 0U }; + uint32_t ite; + uint8_t *buf_last; + uint8_t *buf_multi; + uint64_t prev_len_last; + memcpy(tmp_block_state, block_state, (uint32_t)8U * sizeof (uint32_t)); + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = r % (uint32_t)64U; + } + buf_last = buf_1 + r - ite; + buf_multi = buf_1; + Hacl_Hash_SHA2_update_multi_256(tmp_block_state, buf_multi, (uint32_t)0U); + prev_len_last = total_len - (uint64_t)r; + Hacl_Hash_SHA2_update_last_256(tmp_block_state, prev_len_last, buf_last, r); + Hacl_Hash_Core_SHA2_finish_256(tmp_block_state, dst); + } +} + +void 
Hacl_Streaming_SHA2_free_256(Hacl_Streaming_SHA2_state_sha2_224 *s) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *s; + uint8_t *buf = scrut.buf; + uint32_t *block_state = scrut.block_state; + KRML_HOST_FREE(block_state); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s); +} + +Hacl_Streaming_SHA2_state_sha2_384 *Hacl_Streaming_SHA2_create_in_384() +{ + uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC((uint32_t)128U, sizeof (uint8_t)); + uint64_t *block_state = (uint64_t *)KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint64_t)); + Hacl_Streaming_SHA2_state_sha2_384 s; + s.block_state = block_state; + s.buf = buf; + s.total_len = (uint64_t)0U; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_SHA2_state_sha2_384), (uint32_t)1U); + { + Hacl_Streaming_SHA2_state_sha2_384 + *p = + (Hacl_Streaming_SHA2_state_sha2_384 *)KRML_HOST_MALLOC(sizeof ( + Hacl_Streaming_SHA2_state_sha2_384 + )); + p[0U] = s; + Hacl_Hash_Core_SHA2_init_384(block_state); + return p; + } +} + +void Hacl_Streaming_SHA2_init_384(Hacl_Streaming_SHA2_state_sha2_384 *s) +{ + Hacl_Streaming_SHA2_state_sha2_384 scrut = *s; + uint8_t *buf = scrut.buf; + uint64_t *block_state = scrut.block_state; + Hacl_Hash_Core_SHA2_init_384(block_state); + { + Hacl_Streaming_SHA2_state_sha2_384 lit; + lit.block_state = block_state; + lit.buf = buf; + lit.total_len = (uint64_t)0U; + s[0U] = lit; + } +} + +void +Hacl_Streaming_SHA2_update_384( + Hacl_Streaming_SHA2_state_sha2_384 *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_SHA2_state_sha2_384 s = *p; + uint64_t total_len = s.total_len; + uint32_t sz; + if (total_len % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len > (uint64_t)0U) + { + sz = (uint32_t)128U; + } + else + { + sz = (uint32_t)(total_len % (uint64_t)(uint32_t)128U); + } + if (len <= (uint32_t)128U - sz) + { + Hacl_Streaming_SHA2_state_sha2_384 s1 = *p; + uint64_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)128U 
== (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)128U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)128U); + } + { + uint8_t *buf2 = buf + sz1; + uint64_t total_len2; + memcpy(buf2, data, len * sizeof (uint8_t)); + total_len2 = total_len1 + (uint64_t)len; + { + Hacl_Streaming_SHA2_state_sha2_384 lit; + lit.block_state = block_state1; + lit.buf = buf; + lit.total_len = total_len2; + *p = lit; + return; + } + } + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_SHA2_state_sha2_384 s1 = *p; + uint64_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)128U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)128U); + } + { + uint32_t ite; + uint32_t n_blocks; + uint32_t data1_len; + uint32_t data2_len; + uint8_t *data1; + uint8_t *data2; + uint8_t *dst; + if (!(sz1 == (uint32_t)0U)) + { + Hacl_Hash_SHA2_update_multi_384(block_state1, buf, (uint32_t)1U); + } + if ((uint64_t)len % (uint64_t)(uint32_t)128U == (uint64_t)0U && (uint64_t)len > (uint64_t)0U) + { + ite = (uint32_t)128U; + } + else + { + ite = (uint32_t)((uint64_t)len % (uint64_t)(uint32_t)128U); + } + n_blocks = (len - ite) / (uint32_t)128U; + data1_len = n_blocks * (uint32_t)128U; + data2_len = len - data1_len; + data1 = data; + data2 = data + data1_len; + Hacl_Hash_SHA2_update_multi_384(block_state1, data1, data1_len / (uint32_t)128U); + dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + { + Hacl_Streaming_SHA2_state_sha2_384 lit; + lit.block_state = block_state1; + lit.buf = buf; + lit.total_len = total_len1 + (uint64_t)len; + *p = lit; + return; + } + } + } + { + uint32_t diff = (uint32_t)128U - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_SHA2_state_sha2_384 s10 = *p; + uint64_t *block_state10 = s10.block_state; + uint8_t *buf0 = 
s10.buf; + uint64_t total_len10 = s10.total_len; + uint32_t sz10; + if (total_len10 % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len10 > (uint64_t)0U) + { + sz10 = (uint32_t)128U; + } + else + { + sz10 = (uint32_t)(total_len10 % (uint64_t)(uint32_t)128U); + } + { + uint8_t *buf2 = buf0 + sz10; + uint64_t total_len2; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + total_len2 = total_len10 + (uint64_t)diff; + { + Hacl_Streaming_SHA2_state_sha2_384 lit; + Hacl_Streaming_SHA2_state_sha2_384 s1; + uint64_t *block_state1; + uint8_t *buf; + uint64_t total_len1; + uint32_t sz1; + uint32_t ite; + uint32_t n_blocks; + uint32_t data1_len; + uint32_t data2_len; + uint8_t *data11; + uint8_t *data21; + uint8_t *dst; + lit.block_state = block_state10; + lit.buf = buf0; + lit.total_len = total_len2; + *p = lit; + s1 = *p; + block_state1 = s1.block_state; + buf = s1.buf; + total_len1 = s1.total_len; + if (total_len1 % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)128U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)128U); + } + if (!(sz1 == (uint32_t)0U)) + { + Hacl_Hash_SHA2_update_multi_384(block_state1, buf, (uint32_t)1U); + } + if + ( + (uint64_t)(len - diff) + % (uint64_t)(uint32_t)128U + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = (uint32_t)128U; + } + else + { + ite = (uint32_t)((uint64_t)(len - diff) % (uint64_t)(uint32_t)128U); + } + n_blocks = (len - diff - ite) / (uint32_t)128U; + data1_len = n_blocks * (uint32_t)128U; + data2_len = len - diff - data1_len; + data11 = data2; + data21 = data2 + data1_len; + Hacl_Hash_SHA2_update_multi_384(block_state1, data11, data1_len / (uint32_t)128U); + dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + { + Hacl_Streaming_SHA2_state_sha2_384 lit0; + lit0.block_state = block_state1; + lit0.buf = buf; + lit0.total_len = total_len1 + (uint64_t)(len - diff); + *p = lit0; + } + } + } + } +} + +void 
Hacl_Streaming_SHA2_finish_384(Hacl_Streaming_SHA2_state_sha2_384 *p, uint8_t *dst) +{ + Hacl_Streaming_SHA2_state_sha2_384 scrut = *p; + uint64_t *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if (total_len % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len > (uint64_t)0U) + { + r = (uint32_t)128U; + } + else + { + r = (uint32_t)(total_len % (uint64_t)(uint32_t)128U); + } + { + uint8_t *buf_1 = buf_; + uint64_t tmp_block_state[8U] = { 0U }; + uint32_t ite; + uint8_t *buf_last; + uint8_t *buf_multi; + uint64_t prev_len_last; + memcpy(tmp_block_state, block_state, (uint32_t)8U * sizeof (uint64_t)); + if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)128U; + } + else + { + ite = r % (uint32_t)128U; + } + buf_last = buf_1 + r - ite; + buf_multi = buf_1; + Hacl_Hash_SHA2_update_multi_384(tmp_block_state, buf_multi, (uint32_t)0U); + prev_len_last = total_len - (uint64_t)r; + Hacl_Hash_SHA2_update_last_384(tmp_block_state, + FStar_UInt128_uint64_to_uint128(prev_len_last), + buf_last, + r); + Hacl_Hash_Core_SHA2_finish_384(tmp_block_state, dst); + } +} + +void Hacl_Streaming_SHA2_free_384(Hacl_Streaming_SHA2_state_sha2_384 *s) +{ + Hacl_Streaming_SHA2_state_sha2_384 scrut = *s; + uint8_t *buf = scrut.buf; + uint64_t *block_state = scrut.block_state; + KRML_HOST_FREE(block_state); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s); +} + +Hacl_Streaming_SHA2_state_sha2_384 *Hacl_Streaming_SHA2_create_in_512() +{ + uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC((uint32_t)128U, sizeof (uint8_t)); + uint64_t *block_state = (uint64_t *)KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint64_t)); + Hacl_Streaming_SHA2_state_sha2_384 s; + s.block_state = block_state; + s.buf = buf; + s.total_len = (uint64_t)0U; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_SHA2_state_sha2_384), (uint32_t)1U); + { + Hacl_Streaming_SHA2_state_sha2_384 + *p = + (Hacl_Streaming_SHA2_state_sha2_384 
*)KRML_HOST_MALLOC(sizeof ( + Hacl_Streaming_SHA2_state_sha2_384 + )); + p[0U] = s; + Hacl_Hash_Core_SHA2_init_512(block_state); + return p; + } +} + +void Hacl_Streaming_SHA2_init_512(Hacl_Streaming_SHA2_state_sha2_384 *s) +{ + Hacl_Streaming_SHA2_state_sha2_384 scrut = *s; + uint8_t *buf = scrut.buf; + uint64_t *block_state = scrut.block_state; + Hacl_Hash_Core_SHA2_init_512(block_state); + { + Hacl_Streaming_SHA2_state_sha2_384 lit; + lit.block_state = block_state; + lit.buf = buf; + lit.total_len = (uint64_t)0U; + s[0U] = lit; + } +} + +void +Hacl_Streaming_SHA2_update_512( + Hacl_Streaming_SHA2_state_sha2_384 *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_SHA2_state_sha2_384 s = *p; + uint64_t total_len = s.total_len; + uint32_t sz; + if (total_len % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len > (uint64_t)0U) + { + sz = (uint32_t)128U; + } + else + { + sz = (uint32_t)(total_len % (uint64_t)(uint32_t)128U); + } + if (len <= (uint32_t)128U - sz) + { + Hacl_Streaming_SHA2_state_sha2_384 s1 = *p; + uint64_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)128U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)128U); + } + { + uint8_t *buf2 = buf + sz1; + uint64_t total_len2; + memcpy(buf2, data, len * sizeof (uint8_t)); + total_len2 = total_len1 + (uint64_t)len; + { + Hacl_Streaming_SHA2_state_sha2_384 lit; + lit.block_state = block_state1; + lit.buf = buf; + lit.total_len = total_len2; + *p = lit; + return; + } + } + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_SHA2_state_sha2_384 s1 = *p; + uint64_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)128U; + } + else + { + sz1 = 
(uint32_t)(total_len1 % (uint64_t)(uint32_t)128U); + } + { + uint32_t ite; + uint32_t n_blocks; + uint32_t data1_len; + uint32_t data2_len; + uint8_t *data1; + uint8_t *data2; + uint8_t *dst; + if (!(sz1 == (uint32_t)0U)) + { + Hacl_Hash_SHA2_update_multi_512(block_state1, buf, (uint32_t)1U); + } + if ((uint64_t)len % (uint64_t)(uint32_t)128U == (uint64_t)0U && (uint64_t)len > (uint64_t)0U) + { + ite = (uint32_t)128U; + } + else + { + ite = (uint32_t)((uint64_t)len % (uint64_t)(uint32_t)128U); + } + n_blocks = (len - ite) / (uint32_t)128U; + data1_len = n_blocks * (uint32_t)128U; + data2_len = len - data1_len; + data1 = data; + data2 = data + data1_len; + Hacl_Hash_SHA2_update_multi_512(block_state1, data1, data1_len / (uint32_t)128U); + dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + { + Hacl_Streaming_SHA2_state_sha2_384 lit; + lit.block_state = block_state1; + lit.buf = buf; + lit.total_len = total_len1 + (uint64_t)len; + *p = lit; + return; + } + } + } + { + uint32_t diff = (uint32_t)128U - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_SHA2_state_sha2_384 s10 = *p; + uint64_t *block_state10 = s10.block_state; + uint8_t *buf0 = s10.buf; + uint64_t total_len10 = s10.total_len; + uint32_t sz10; + if (total_len10 % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len10 > (uint64_t)0U) + { + sz10 = (uint32_t)128U; + } + else + { + sz10 = (uint32_t)(total_len10 % (uint64_t)(uint32_t)128U); + } + { + uint8_t *buf2 = buf0 + sz10; + uint64_t total_len2; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + total_len2 = total_len10 + (uint64_t)diff; + { + Hacl_Streaming_SHA2_state_sha2_384 lit; + Hacl_Streaming_SHA2_state_sha2_384 s1; + uint64_t *block_state1; + uint8_t *buf; + uint64_t total_len1; + uint32_t sz1; + uint32_t ite; + uint32_t n_blocks; + uint32_t data1_len; + uint32_t data2_len; + uint8_t *data11; + uint8_t *data21; + uint8_t *dst; + lit.block_state = block_state10; + lit.buf = buf0; + lit.total_len = 
total_len2; + *p = lit; + s1 = *p; + block_state1 = s1.block_state; + buf = s1.buf; + total_len1 = s1.total_len; + if (total_len1 % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)128U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)128U); + } + if (!(sz1 == (uint32_t)0U)) + { + Hacl_Hash_SHA2_update_multi_512(block_state1, buf, (uint32_t)1U); + } + if + ( + (uint64_t)(len - diff) + % (uint64_t)(uint32_t)128U + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = (uint32_t)128U; + } + else + { + ite = (uint32_t)((uint64_t)(len - diff) % (uint64_t)(uint32_t)128U); + } + n_blocks = (len - diff - ite) / (uint32_t)128U; + data1_len = n_blocks * (uint32_t)128U; + data2_len = len - diff - data1_len; + data11 = data2; + data21 = data2 + data1_len; + Hacl_Hash_SHA2_update_multi_512(block_state1, data11, data1_len / (uint32_t)128U); + dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + { + Hacl_Streaming_SHA2_state_sha2_384 lit0; + lit0.block_state = block_state1; + lit0.buf = buf; + lit0.total_len = total_len1 + (uint64_t)(len - diff); + *p = lit0; + } + } + } + } +} + +void Hacl_Streaming_SHA2_finish_512(Hacl_Streaming_SHA2_state_sha2_384 *p, uint8_t *dst) +{ + Hacl_Streaming_SHA2_state_sha2_384 scrut = *p; + uint64_t *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if (total_len % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len > (uint64_t)0U) + { + r = (uint32_t)128U; + } + else + { + r = (uint32_t)(total_len % (uint64_t)(uint32_t)128U); + } + { + uint8_t *buf_1 = buf_; + uint64_t tmp_block_state[8U] = { 0U }; + uint32_t ite; + uint8_t *buf_last; + uint8_t *buf_multi; + uint64_t prev_len_last; + memcpy(tmp_block_state, block_state, (uint32_t)8U * sizeof (uint64_t)); + if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)128U; + } + else + { + ite = r % (uint32_t)128U; 
+ } + buf_last = buf_1 + r - ite; + buf_multi = buf_1; + Hacl_Hash_SHA2_update_multi_512(tmp_block_state, buf_multi, (uint32_t)0U); + prev_len_last = total_len - (uint64_t)r; + Hacl_Hash_SHA2_update_last_512(tmp_block_state, + FStar_UInt128_uint64_to_uint128(prev_len_last), + buf_last, + r); + Hacl_Hash_Core_SHA2_finish_512(tmp_block_state, dst); + } +} + +void Hacl_Streaming_SHA2_free_512(Hacl_Streaming_SHA2_state_sha2_384 *s) +{ + Hacl_Streaming_SHA2_state_sha2_384 scrut = *s; + uint8_t *buf = scrut.buf; + uint64_t *block_state = scrut.block_state; + KRML_HOST_FREE(block_state); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s); +} + diff --git a/src/c89/Lib_Memzero0.c b/src/c89/Lib_Memzero0.c new file mode 100644 index 00000000..ef3060d4 --- /dev/null +++ b/src/c89/Lib_Memzero0.c 
@@ -0,0 +1,53 @@
+#if defined(__has_include)
+#if __has_include("config.h")
+#include "config.h"
+#endif
+#endif
+
+#ifdef _WIN32
+#include
+#endif
+
+#if (defined(__APPLE__) && defined(__MACH__)) || defined(__linux__)
+#define __STDC_WANT_LIB_EXT1__ 1
+#include
+#endif
+
+#ifdef __FreeBSD__
+#include
+#endif
+
+#include
+#include
+#include
+#include
+
+#include "Lib_Memzero0.h"
+#include "kremlin/internal/target.h"
+
+/* The F* formalization talks about the number of elements in the array. The C
+ implementation wants a number of bytes in the array. KreMLin is aware of this
+ and inserts a sizeof multiplication. */
+void Lib_Memzero0_memzero(void *dst, uint64_t len) {
+ /* This is safe: kremlin checks at run-time (if needed) that all object sizes
+ fit within a size_t, so the size we receive has been checked at
+ allocation-time, possibly via KRML_CHECK_SIZE, to fit in a size_t. */
+ size_t len_ = (size_t) len;
+
+ #ifdef _WIN32
+ SecureZeroMemory(dst, len);
+ #elif defined(__APPLE__) && defined(__MACH__)
+ memset_s(dst, len_, 0, len_);
+ #elif (defined(__linux__) && !defined(LINUX_NO_EXPLICIT_BZERO)) || defined(__FreeBSD__)
+ explicit_bzero(dst, len_);
+ #elif defined(__NetBSD__)
+ explicit_memset(dst, 0, len_);
+ #else
+ /* Default implementation for platforms with no particular support. */
+ #warning "Your platform does not support any safe implementation of memzero -- consider a pull request!"
+ volatile unsigned char *volatile dst_ = (volatile unsigned char *volatile) dst;
+ size_t i = 0U;
+ while (i < len)
+ dst_[i++] = 0U;
+ #endif
+}
diff --git a/src/c89/Lib_RandomBuffer_System.c b/src/c89/Lib_RandomBuffer_System.c
new file mode 100644
index 00000000..0d7924b4
--- /dev/null
+++ b/src/c89/Lib_RandomBuffer_System.c
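Review bot: The Darwin branch of `Lib_Memzero0_memzero` discards the result of `memset_s(dst, len_, 0, len_)`; per C11 Annex K that call returns nonzero and writes nothing when `len_` exceeds `RSIZE_MAX`, so an oversized secret would silently stay in memory, and the result should be checked with a fallback to the volatile-store loop (or an abort through `KRML_HOST_EXIT`, presumably what `kremlin/internal/target.h` is included for), e.g. `if (memset_s(dst, len_, 0, len_) != 0) { /* fall back to the volatile loop */ }`. The `_WIN32` branch passes the 64-bit `len` while every other branch uses the already-narrowed `len_`; `SecureZeroMemory(dst, len_);` keeps the size handling uniform and avoids an implicit narrowing on a 32-bit Windows build. The portable fallback likewise compares `size_t i` against `len` rather than `len_`, which should be `while (i < len_)` for the same reason. The comment above the function relies on every caller having gone through `KRML_CHECK_SIZE`; on 32-bit targets that contract is cheap to enforce locally with an assertion that `len` fits a `size_t` before the cast.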
@@ -0,0 +1,62 @@
+#include "Lib_RandomBuffer_System.h"
+
+#if (defined(_WIN32) || defined(_WIN64))
+
+#include
+#include
+#include
+#include
+
+bool read_random_bytes(uint32_t len, uint8_t *buf) {
+ HCRYPTPROV ctxt;
+ if (!(CryptAcquireContext(&ctxt, NULL, NULL, PROV_RSA_FULL,
+ CRYPT_VERIFYCONTEXT))) {
+ DWORD error = GetLastError();
+ /* printf("Cannot acquire crypto context: 0x%lx\n", error); */
+ return false;
+ }
+ bool pass = true;
+ if (!(CryptGenRandom(ctxt, (uint64_t)len, buf))) {
+ /* printf("Cannot read random bytes\n"); */
+ pass = false;
+ }
+ CryptReleaseContext(ctxt, 0);
+ return pass;
+}
+
+#else
+
+/* assume POSIX here */
+#include
+#include
+#include
+#include
+#include
+
+bool read_random_bytes(uint32_t len, uint8_t *buf) {
+#ifdef SYS_getrandom
+ ssize_t res = syscall(SYS_getrandom, buf, (size_t)len, 0);
+ if (res == -1) {
+ return false;
+ }
+#else // !defined(SYS_getrandom)
+ int fd = open("/dev/urandom", O_RDONLY);
+ if (fd == -1) {
+ return false;
+ }
+ ssize_t res = read(fd, buf, (uint64_t)len);
+ close(fd);
+#endif // defined(SYS_getrandom)
+ return ((size_t)res == (size_t)len);
+}
+
+#endif
+
+// WARNING: this function is deprecated
+bool Lib_RandomBuffer_System_randombytes(uint8_t *x, uint32_t len) {
+ return read_random_bytes(len, x);
+}
+
+void Lib_RandomBuffer_System_crypto_random(uint8_t *x, uint32_t len) {
+ while(!read_random_bytes(len, x)) {}
+}
diff --git a/src/msvc/EverCrypt_AEAD.c b/src/msvc/EverCrypt_AEAD.c
new file mode 100644
index 00000000..bd5c04d7
--- /dev/null
+++ b/src/msvc/EverCrypt_AEAD.c
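Review bot: The POSIX `read_random_bytes` selects the `getrandom` path at compile time (`#ifdef SYS_getrandom`) and never falls back to `/dev/urandom` at run time, so on a kernel that does not implement the syscall (ENOSYS) every call fails and `Lib_RandomBuffer_System_crypto_random`'s `while(!read_random_bytes(len, x)) {}` spins forever; the `res == len` test also turns a legitimate short result (EINTR on a large `getrandom` request, or a short `read` from the device) into a failed attempt that restarts from scratch. The rewrite below collects bytes in a loop, retries on EINTR, and drops to `/dev/urandom` (opened with `O_CLOEXEC`) on any other `getrandom` failure; it needs `errno.h`. A persistent failure (no `/dev/urandom` in a sandbox, a seccomp-filtered syscall) would still hang the caller in `crypto_random`, so a bounded retry that aborts is safer than an unbounded spin. Separately, the file lives in `src/c89` yet uses `//` comments and declarations after statements (`bool pass = true;`, `ssize_t res = read(...)`), which a strict C89 build rejects.
```c
bool read_random_bytes(uint32_t len, uint8_t *buf) {
  size_t got = 0;
#ifdef SYS_getrandom
  while (got < len) {
    ssize_t res = syscall(SYS_getrandom, buf + got, (size_t)len - got, 0);
    if (res < 0) {
      if (errno == EINTR) continue;
      break; /* ENOSYS on an old kernel, etc.: fall back to /dev/urandom */
    }
    got += (size_t)res;
  }
  if (got == len) return true;
#endif
  int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
  if (fd == -1) return false;
  while (got < len) {
    ssize_t res = read(fd, buf + got, (size_t)len - got);
    if (res < 0 && errno == EINTR) continue;
    if (res <= 0) break;
    got += (size_t)res;
  }
  close(fd);
  return got == len;
}
/* … unchanged: Lib_RandomBuffer_System_randombytes, Lib_RandomBuffer_System_crypto_random … */
```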
@@ -0,0 +1,2134 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_AEAD.h" + +#include "internal/Vale.h" +#include "internal/Hacl_Kremlib.h" + +typedef struct EverCrypt_AEAD_state_s_s +{ + Spec_Cipher_Expansion_impl impl; + uint8_t *ek; +} +EverCrypt_AEAD_state_s; + +bool EverCrypt_AEAD_uu___is_Ek(Spec_Agile_AEAD_alg a, EverCrypt_AEAD_state_s projectee) +{ + return true; +} + +Spec_Agile_AEAD_alg EverCrypt_AEAD_alg_of_state(EverCrypt_AEAD_state_s *s) +{ + EverCrypt_AEAD_state_s scrut = *s; + Spec_Cipher_Expansion_impl impl = scrut.impl; + switch (impl) + { + case Spec_Cipher_Expansion_Hacl_CHACHA20: + { + return Spec_Agile_AEAD_CHACHA20_POLY1305; + } + case Spec_Cipher_Expansion_Vale_AES128: + { + return Spec_Agile_AEAD_AES128_GCM; + } + case Spec_Cipher_Expansion_Vale_AES256: + { + return Spec_Agile_AEAD_AES256_GCM; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +static EverCrypt_Error_error_code +create_in_chacha20_poly1305(EverCrypt_AEAD_state_s **dst, uint8_t *k) +{ + uint8_t *ek = KRML_HOST_CALLOC((uint32_t)32U, sizeof (uint8_t)); + KRML_CHECK_SIZE(sizeof (EverCrypt_AEAD_state_s), (uint32_t)1U); + EverCrypt_AEAD_state_s *p = KRML_HOST_MALLOC(sizeof (EverCrypt_AEAD_state_s)); + p[0U] = ((EverCrypt_AEAD_state_s){ .impl = Spec_Cipher_Expansion_Hacl_CHACHA20, .ek = ek }); + memcpy(ek, k, (uint32_t)32U * sizeof (uint8_t)); + dst[0U] = p; + return EverCrypt_Error_Success; +} + +static EverCrypt_Error_error_code +create_in_aes128_gcm(EverCrypt_AEAD_state_s **dst, uint8_t *k) +{ + bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); + bool has_pclmulqdq = EverCrypt_AutoConfig2_has_pclmulqdq(); + bool has_avx = EverCrypt_AutoConfig2_has_avx(); + bool has_sse = EverCrypt_AutoConfig2_has_sse(); + bool has_movbe = EverCrypt_AutoConfig2_has_movbe(); + #if HACL_CAN_COMPILE_VALE + if (has_aesni && has_pclmulqdq && has_avx && has_sse && has_movbe) + { + uint8_t *ek = KRML_HOST_CALLOC((uint32_t)480U, sizeof (uint8_t)); + 
uint8_t *keys_b = ek; + uint8_t *hkeys_b = ek + (uint32_t)176U; + uint64_t scrut = aes128_key_expansion(k, keys_b); + uint64_t scrut0 = aes128_keyhash_init(keys_b, hkeys_b); + KRML_CHECK_SIZE(sizeof (EverCrypt_AEAD_state_s), (uint32_t)1U); + EverCrypt_AEAD_state_s *p = KRML_HOST_MALLOC(sizeof (EverCrypt_AEAD_state_s)); + p[0U] = ((EverCrypt_AEAD_state_s){ .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }); + *dst = p; + return EverCrypt_Error_Success; + } + #endif + return EverCrypt_Error_UnsupportedAlgorithm; +} + +static EverCrypt_Error_error_code +create_in_aes256_gcm(EverCrypt_AEAD_state_s **dst, uint8_t *k) +{ + bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); + bool has_pclmulqdq = EverCrypt_AutoConfig2_has_pclmulqdq(); + bool has_avx = EverCrypt_AutoConfig2_has_avx(); + bool has_sse = EverCrypt_AutoConfig2_has_sse(); + bool has_movbe = EverCrypt_AutoConfig2_has_movbe(); + #if HACL_CAN_COMPILE_VALE + if (has_aesni && has_pclmulqdq && has_avx && has_sse && has_movbe) + { + uint8_t *ek = KRML_HOST_CALLOC((uint32_t)544U, sizeof (uint8_t)); + uint8_t *keys_b = ek; + uint8_t *hkeys_b = ek + (uint32_t)240U; + uint64_t scrut = aes256_key_expansion(k, keys_b); + uint64_t scrut0 = aes256_keyhash_init(keys_b, hkeys_b); + KRML_CHECK_SIZE(sizeof (EverCrypt_AEAD_state_s), (uint32_t)1U); + EverCrypt_AEAD_state_s *p = KRML_HOST_MALLOC(sizeof (EverCrypt_AEAD_state_s)); + p[0U] = ((EverCrypt_AEAD_state_s){ .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }); + *dst = p; + return EverCrypt_Error_Success; + } + #endif + return EverCrypt_Error_UnsupportedAlgorithm; +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_create_in(Spec_Agile_AEAD_alg a, EverCrypt_AEAD_state_s **dst, uint8_t *k) +{ + switch (a) + { + case Spec_Agile_AEAD_AES128_GCM: + { + return create_in_aes128_gcm(dst, k); + } + case Spec_Agile_AEAD_AES256_GCM: + { + return create_in_aes256_gcm(dst, k); + } + case Spec_Agile_AEAD_CHACHA20_POLY1305: + { + return create_in_chacha20_poly1305(dst, k); + } + 
default: + { + return EverCrypt_Error_UnsupportedAlgorithm; + } + } +} + +static EverCrypt_Error_error_code +encrypt_aes128_gcm( + EverCrypt_AEAD_state_s *s, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +) +{ + #if HACL_CAN_COMPILE_VALE + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + if (iv_len == (uint32_t)0U) + { + return EverCrypt_Error_InvalidIVLength; + } + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek = scrut.ek; + uint8_t *scratch_b = ek + (uint32_t)304U; + uint8_t *ek1 = ek; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)176U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t plain_len_ = (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *plain_b_ = plain; + uint8_t *out_b_ = cipher; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + plain + plain_len_, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t len128x6 = (uint64_t)plain_len / (uint64_t)96U * (uint64_t)96U; + if (len128x6 / (uint64_t)16U >= (uint64_t)18U) + { + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = 
(uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut0 = + gcm128_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut0 = + gcm128_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + return EverCrypt_Error_Success; + #else + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "statically unreachable"); + KRML_HOST_EXIT(255U); + #endif +} + +static EverCrypt_Error_error_code +encrypt_aes256_gcm( + EverCrypt_AEAD_state_s *s, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +) +{ + #if HACL_CAN_COMPILE_VALE + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + if (iv_len == (uint32_t)0U) + { + return EverCrypt_Error_InvalidIVLength; + } + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek = scrut.ek; + uint8_t *scratch_b = ek + (uint32_t)368U; + uint8_t *ek1 = ek; + uint8_t *keys_b = ek1; + uint8_t 
*hkeys_b = ek1 + (uint32_t)240U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t plain_len_ = (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *plain_b_ = plain; + uint8_t *out_b_ = cipher; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + plain + plain_len_, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t len128x6 = (uint64_t)plain_len / (uint64_t)96U * (uint64_t)96U; + if (len128x6 / (uint64_t)16U >= (uint64_t)18U) + { + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut0 = + gcm256_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + len128x61; + 
uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut0 = + gcm256_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + return EverCrypt_Error_Success; + #else + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "statically unreachable"); + KRML_HOST_EXIT(255U); + #endif +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt( + EverCrypt_AEAD_state_s *s, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +) +{ + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + EverCrypt_AEAD_state_s scrut = *s; + Spec_Cipher_Expansion_impl i = scrut.impl; + uint8_t *ek = scrut.ek; + switch (i) + { + case Spec_Cipher_Expansion_Vale_AES128: + { + return encrypt_aes128_gcm(s, iv, iv_len, ad, ad_len, plain, plain_len, cipher, tag); + } + case Spec_Cipher_Expansion_Vale_AES256: + { + return encrypt_aes256_gcm(s, iv, iv_len, ad, ad_len, plain, plain_len, cipher, tag); + } + case Spec_Cipher_Expansion_Hacl_CHACHA20: + { + if (iv_len != (uint32_t)12U) + { + return EverCrypt_Error_InvalidIVLength; + } + EverCrypt_Chacha20Poly1305_aead_encrypt(ek, iv, ad_len, ad, plain_len, plain, cipher, tag); + return EverCrypt_Error_Success; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +/* +WARNING: this function doesn't perform any dynamic + hardware check. 
You MUST make sure your hardware supports the + implementation of AESGCM. Besides, this function was not designed + for cross-compilation: if you compile it on a system which doesn't + support Vale, it will compile it to a function which makes the + program exit. +*/ +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +) +{ + #if HACL_CAN_COMPILE_VALE + uint8_t ek[480U] = { 0U }; + uint8_t *keys_b0 = ek; + uint8_t *hkeys_b0 = ek + (uint32_t)176U; + uint64_t scrut0 = aes128_key_expansion(k, keys_b0); + uint64_t scrut1 = aes128_keyhash_init(keys_b0, hkeys_b0); + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }; + EverCrypt_AEAD_state_s *s = &p; + EverCrypt_Error_error_code r; + if (s == NULL) + { + r = EverCrypt_Error_InvalidKey; + } + else if (iv_len == (uint32_t)0U) + { + r = EverCrypt_Error_InvalidIVLength; + } + else + { + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek0 = scrut.ek; + uint8_t *scratch_b = ek0 + (uint32_t)304U; + uint8_t *ek1 = ek0; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)176U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t plain_len_ = (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *plain_b_ = plain; + uint8_t *out_b_ = cipher; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + plain + plain_len_, 
+ (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t len128x6 = (uint64_t)plain_len / (uint64_t)96U * (uint64_t)96U; + if (len128x6 / (uint64_t)16U >= (uint64_t)18U) + { + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut2 = + gcm128_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut2 = + gcm128_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + r = EverCrypt_Error_Success; + } + return EverCrypt_Error_Success; + #else + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "EverCrypt was 
compiled on a system which doesn\'t support Vale"); + KRML_HOST_EXIT(255U); + #endif +} + +/* +WARNING: this function doesn't perform any dynamic + hardware check. You MUST make sure your hardware supports the + implementation of AESGCM. Besides, this function was not designed + for cross-compilation: if you compile it on a system which doesn't + support Vale, it will compile it to a function which makes the + program exit. +*/ +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +) +{ + #if HACL_CAN_COMPILE_VALE + uint8_t ek[544U] = { 0U }; + uint8_t *keys_b0 = ek; + uint8_t *hkeys_b0 = ek + (uint32_t)240U; + uint64_t scrut0 = aes256_key_expansion(k, keys_b0); + uint64_t scrut1 = aes256_keyhash_init(keys_b0, hkeys_b0); + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }; + EverCrypt_AEAD_state_s *s = &p; + EverCrypt_Error_error_code r; + if (s == NULL) + { + r = EverCrypt_Error_InvalidKey; + } + else if (iv_len == (uint32_t)0U) + { + r = EverCrypt_Error_InvalidIVLength; + } + else + { + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek0 = scrut.ek; + uint8_t *scratch_b = ek0 + (uint32_t)368U; + uint8_t *ek1 = ek0; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)240U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t plain_len_ = (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = 
(uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *plain_b_ = plain; + uint8_t *out_b_ = cipher; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + plain + plain_len_, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t len128x6 = (uint64_t)plain_len / (uint64_t)96U * (uint64_t)96U; + if (len128x6 / (uint64_t)16U >= (uint64_t)18U) + { + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut2 = + gcm256_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut2 = + gcm256_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof 
(uint8_t)); + r = EverCrypt_Error_Success; + } + return EverCrypt_Error_Success; + #else + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "EverCrypt was compiled on a system which doesn\'t support Vale"); + KRML_HOST_EXIT(255U); + #endif +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt_expand_aes128_gcm( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +) +{ + bool has_pclmulqdq = EverCrypt_AutoConfig2_has_pclmulqdq(); + bool has_avx = EverCrypt_AutoConfig2_has_avx(); + bool has_sse = EverCrypt_AutoConfig2_has_sse(); + bool has_movbe = EverCrypt_AutoConfig2_has_movbe(); + bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); + #if HACL_CAN_COMPILE_VALE + if (has_aesni && has_pclmulqdq && has_avx && has_sse && has_movbe) + { + uint8_t ek[480U] = { 0U }; + uint8_t *keys_b0 = ek; + uint8_t *hkeys_b0 = ek + (uint32_t)176U; + uint64_t scrut0 = aes128_key_expansion(k, keys_b0); + uint64_t scrut1 = aes128_keyhash_init(keys_b0, hkeys_b0); + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }; + EverCrypt_AEAD_state_s *s = &p; + EverCrypt_Error_error_code r; + if (s == NULL) + { + r = EverCrypt_Error_InvalidKey; + } + else if (iv_len == (uint32_t)0U) + { + r = EverCrypt_Error_InvalidIVLength; + } + else + { + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek0 = scrut.ek; + uint8_t *scratch_b = ek0 + (uint32_t)304U; + uint8_t *ek1 = ek0; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)176U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + 
uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t plain_len_ = (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *plain_b_ = plain; + uint8_t *out_b_ = cipher; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + plain + plain_len_, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t len128x6 = (uint64_t)plain_len / (uint64_t)96U * (uint64_t)96U; + if (len128x6 / (uint64_t)16U >= (uint64_t)18U) + { + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut2 = + gcm128_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut2 = + gcm128_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + 
tag); + } + memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + r = EverCrypt_Error_Success; + } + return EverCrypt_Error_Success; + } + #endif + return EverCrypt_Error_UnsupportedAlgorithm; +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt_expand_aes256_gcm( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +) +{ + bool has_pclmulqdq = EverCrypt_AutoConfig2_has_pclmulqdq(); + bool has_avx = EverCrypt_AutoConfig2_has_avx(); + bool has_sse = EverCrypt_AutoConfig2_has_sse(); + bool has_movbe = EverCrypt_AutoConfig2_has_movbe(); + bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); + #if HACL_CAN_COMPILE_VALE + if (has_aesni && has_pclmulqdq && has_avx && has_sse && has_movbe) + { + uint8_t ek[544U] = { 0U }; + uint8_t *keys_b0 = ek; + uint8_t *hkeys_b0 = ek + (uint32_t)240U; + uint64_t scrut0 = aes256_key_expansion(k, keys_b0); + uint64_t scrut1 = aes256_keyhash_init(keys_b0, hkeys_b0); + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }; + EverCrypt_AEAD_state_s *s = &p; + EverCrypt_Error_error_code r; + if (s == NULL) + { + r = EverCrypt_Error_InvalidKey; + } + else if (iv_len == (uint32_t)0U) + { + r = EverCrypt_Error_InvalidIVLength; + } + else + { + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek0 = scrut.ek; + uint8_t *scratch_b = ek0 + (uint32_t)368U; + uint8_t *ek1 = ek0; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)240U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = 
scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t plain_len_ = (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *plain_b_ = plain; + uint8_t *out_b_ = cipher; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + plain + plain_len_, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t len128x6 = (uint64_t)plain_len / (uint64_t)96U * (uint64_t)96U; + if (len128x6 / (uint64_t)16U >= (uint64_t)18U) + { + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut2 = + gcm256_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)plain_len, + scratch_b1, + tag); + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)plain_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = plain_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = plain_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut2 = + gcm256_encrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + 
(uint64_t)plain_len, + scratch_b1, + tag); + } + memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); + r = EverCrypt_Error_Success; + } + return EverCrypt_Error_Success; + } + #endif + return EverCrypt_Error_UnsupportedAlgorithm; +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt_expand_chacha20_poly1305( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +) +{ + uint8_t ek[32U] = { 0U }; + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Hacl_CHACHA20, .ek = ek }; + memcpy(ek, k, (uint32_t)32U * sizeof (uint8_t)); + EverCrypt_AEAD_state_s *s = &p; + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek0 = scrut.ek; + EverCrypt_Chacha20Poly1305_aead_encrypt(ek0, iv, ad_len, ad, plain_len, plain, cipher, tag); + return EverCrypt_Error_Success; +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_encrypt_expand( + Spec_Agile_AEAD_alg a, + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *plain, + uint32_t plain_len, + uint8_t *cipher, + uint8_t *tag +) +{ + switch (a) + { + case Spec_Agile_AEAD_AES128_GCM: + { + return + EverCrypt_AEAD_encrypt_expand_aes128_gcm(k, + iv, + iv_len, + ad, + ad_len, + plain, + plain_len, + cipher, + tag); + } + case Spec_Agile_AEAD_AES256_GCM: + { + return + EverCrypt_AEAD_encrypt_expand_aes256_gcm(k, + iv, + iv_len, + ad, + ad_len, + plain, + plain_len, + cipher, + tag); + } + case Spec_Agile_AEAD_CHACHA20_POLY1305: + { + return + EverCrypt_AEAD_encrypt_expand_chacha20_poly1305(k, + iv, + iv_len, + ad, + ad_len, + plain, + plain_len, + cipher, + tag); + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +static EverCrypt_Error_error_code +decrypt_aes128_gcm( + EverCrypt_AEAD_state_s *s, + uint8_t 
*iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + #if HACL_CAN_COMPILE_VALE + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + if (iv_len == (uint32_t)0U) + { + return EverCrypt_Error_InvalidIVLength; + } + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek = scrut.ek; + uint8_t *scratch_b = ek + (uint32_t)304U; + uint8_t *ek1 = ek; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)176U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t cipher_len_ = (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *cipher_b_ = cipher; + uint8_t *out_b_ = dst; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + cipher + cipher_len_, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t len128x6 = (uint64_t)cipher_len / (uint64_t)96U * (uint64_t)96U; + uint64_t c; + if (len128x6 / (uint64_t)16U >= (uint64_t)6U) + { + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + 
scrut0 = + gcm128_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut0; + c = c0; + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut0 = + gcm128_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut0; + c = c0; + } + memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t r = c; + if (r == (uint64_t)0U) + { + return EverCrypt_Error_Success; + } + return EverCrypt_Error_AuthenticationFailure; + #else + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "statically unreachable"); + KRML_HOST_EXIT(255U); + #endif +} + +static EverCrypt_Error_error_code +decrypt_aes256_gcm( + EverCrypt_AEAD_state_s *s, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + #if HACL_CAN_COMPILE_VALE + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + if (iv_len == (uint32_t)0U) + { + return EverCrypt_Error_InvalidIVLength; + } + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek = scrut.ek; + uint8_t *scratch_b = ek + (uint32_t)368U; + uint8_t *ek1 = ek; + uint8_t 
*keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)240U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t cipher_len_ = (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *cipher_b_ = cipher; + uint8_t *out_b_ = dst; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + cipher + cipher_len_, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t len128x6 = (uint64_t)cipher_len / (uint64_t)96U * (uint64_t)96U; + uint64_t c; + if (len128x6 / (uint64_t)16U >= (uint64_t)6U) + { + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut0 = + gcm256_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut0; + c = c0; + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = cipher_b_; 
+ uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut0 = + gcm256_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut0; + c = c0; + } + memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t r = c; + if (r == (uint64_t)0U) + { + return EverCrypt_Error_Success; + } + return EverCrypt_Error_AuthenticationFailure; + #else + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "statically unreachable"); + KRML_HOST_EXIT(255U); + #endif +} + +static EverCrypt_Error_error_code +decrypt_chacha20_poly1305( + EverCrypt_AEAD_state_s *s, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + if (iv_len != (uint32_t)12U) + { + return EverCrypt_Error_InvalidIVLength; + } + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek = scrut.ek; + uint32_t + r = EverCrypt_Chacha20Poly1305_aead_decrypt(ek, iv, ad_len, ad, cipher_len, dst, cipher, tag); + if (r == (uint32_t)0U) + { + return EverCrypt_Error_Success; + } + return EverCrypt_Error_AuthenticationFailure; +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_decrypt( + EverCrypt_AEAD_state_s *s, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + EverCrypt_AEAD_state_s 
scrut = *s; + Spec_Cipher_Expansion_impl i = scrut.impl; + switch (i) + { + case Spec_Cipher_Expansion_Vale_AES128: + { + return decrypt_aes128_gcm(s, iv, iv_len, ad, ad_len, cipher, cipher_len, tag, dst); + } + case Spec_Cipher_Expansion_Vale_AES256: + { + return decrypt_aes256_gcm(s, iv, iv_len, ad, ad_len, cipher, cipher_len, tag, dst); + } + case Spec_Cipher_Expansion_Hacl_CHACHA20: + { + return decrypt_chacha20_poly1305(s, iv, iv_len, ad, ad_len, cipher, cipher_len, tag, dst); + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +/* +WARNING: this function doesn't perform any dynamic + hardware check. You MUST make sure your hardware supports the + implementation of AESGCM. Besides, this function was not designed + for cross-compilation: if you compile it on a system which doesn't + support Vale, it will compile it to a function which makes the + program exit. +*/ +EverCrypt_Error_error_code +EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + #if HACL_CAN_COMPILE_VALE + uint8_t ek[480U] = { 0U }; + uint8_t *keys_b0 = ek; + uint8_t *hkeys_b0 = ek + (uint32_t)176U; + uint64_t scrut = aes128_key_expansion(k, keys_b0); + uint64_t scrut0 = aes128_keyhash_init(keys_b0, hkeys_b0); + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }; + EverCrypt_AEAD_state_s *s = &p; + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + if (iv_len == (uint32_t)0U) + { + return EverCrypt_Error_InvalidIVLength; + } + EverCrypt_AEAD_state_s scrut1 = *s; + uint8_t *ek0 = scrut1.ek; + uint8_t *scratch_b = ek0 + (uint32_t)304U; + uint8_t *ek1 = ek0; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)176U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t 
bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t cipher_len_ = (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *cipher_b_ = cipher; + uint8_t *out_b_ = dst; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + cipher + cipher_len_, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t len128x6 = (uint64_t)cipher_len / (uint64_t)96U * (uint64_t)96U; + uint64_t c; + if (len128x6 / (uint64_t)16U >= (uint64_t)6U) + { + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut2 = + gcm128_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut2; + c = c0; + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = 
(uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut2 = + gcm128_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut2; + c = c0; + } + memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t r = c; + if (r == (uint64_t)0U) + { + return EverCrypt_Error_Success; + } + return EverCrypt_Error_AuthenticationFailure; + #else + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "EverCrypt was compiled on a system which doesn\'t support Vale"); + KRML_HOST_EXIT(255U); + #endif +} + +/* +WARNING: this function doesn't perform any dynamic + hardware check. You MUST make sure your hardware supports the + implementation of AESGCM. Besides, this function was not designed + for cross-compilation: if you compile it on a system which doesn't + support Vale, it will compile it to a function which makes the + program exit. 
+*/ +EverCrypt_Error_error_code +EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + #if HACL_CAN_COMPILE_VALE + uint8_t ek[544U] = { 0U }; + uint8_t *keys_b0 = ek; + uint8_t *hkeys_b0 = ek + (uint32_t)240U; + uint64_t scrut = aes256_key_expansion(k, keys_b0); + uint64_t scrut0 = aes256_keyhash_init(keys_b0, hkeys_b0); + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }; + EverCrypt_AEAD_state_s *s = &p; + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + if (iv_len == (uint32_t)0U) + { + return EverCrypt_Error_InvalidIVLength; + } + EverCrypt_AEAD_state_s scrut1 = *s; + uint8_t *ek0 = scrut1.ek; + uint8_t *scratch_b = ek0 + (uint32_t)368U; + uint8_t *ek1 = ek0; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)240U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t cipher_len_ = (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *cipher_b_ = cipher; + uint8_t *out_b_ = dst; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + cipher + cipher_len_, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t len128x6 = (uint64_t)cipher_len / (uint64_t)96U * (uint64_t)96U; + uint64_t c; + if (len128x6 / (uint64_t)16U >= 
(uint64_t)6U) + { + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut2 = + gcm256_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut2; + c = c0; + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut2 = + gcm256_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut2; + c = c0; + } + memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t r = c; + if (r == (uint64_t)0U) + { + return EverCrypt_Error_Success; + } + return EverCrypt_Error_AuthenticationFailure; + #else + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "EverCrypt was compiled on a system which doesn\'t support Vale"); + KRML_HOST_EXIT(255U); + #endif +} + +EverCrypt_Error_error_code 
+EverCrypt_AEAD_decrypt_expand_aes128_gcm( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + bool has_pclmulqdq = EverCrypt_AutoConfig2_has_pclmulqdq(); + bool has_avx = EverCrypt_AutoConfig2_has_avx(); + bool has_sse = EverCrypt_AutoConfig2_has_sse(); + bool has_movbe = EverCrypt_AutoConfig2_has_movbe(); + bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); + #if HACL_CAN_COMPILE_VALE + if (has_aesni && has_pclmulqdq && has_avx && has_sse && has_movbe) + { + uint8_t ek[480U] = { 0U }; + uint8_t *keys_b0 = ek; + uint8_t *hkeys_b0 = ek + (uint32_t)176U; + uint64_t scrut = aes128_key_expansion(k, keys_b0); + uint64_t scrut0 = aes128_keyhash_init(keys_b0, hkeys_b0); + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }; + EverCrypt_AEAD_state_s *s = &p; + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + else if (iv_len == (uint32_t)0U) + { + return EverCrypt_Error_InvalidIVLength; + } + else + { + EverCrypt_AEAD_state_s scrut1 = *s; + uint8_t *ek0 = scrut1.ek; + uint8_t *scratch_b = ek0 + (uint32_t)304U; + uint8_t *ek1 = ek0; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)176U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t cipher_len_ = (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U; + uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *cipher_b_ = cipher; + uint8_t *out_b_ = dst; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + cipher 
+ cipher_len_, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t len128x6 = (uint64_t)cipher_len / (uint64_t)96U * (uint64_t)96U; + uint64_t c; + if (len128x6 / (uint64_t)16U >= (uint64_t)6U) + { + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut2 = + gcm128_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut2; + c = c0; + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut2 = + gcm128_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut2; + c = c0; + } + memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t r = c; + if (r == (uint64_t)0U) + { + return 
EverCrypt_Error_Success; + } + else + { + return EverCrypt_Error_AuthenticationFailure; + } + } + } + #endif + return EverCrypt_Error_UnsupportedAlgorithm; +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_decrypt_expand_aes256_gcm( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + bool has_pclmulqdq = EverCrypt_AutoConfig2_has_pclmulqdq(); + bool has_avx = EverCrypt_AutoConfig2_has_avx(); + bool has_sse = EverCrypt_AutoConfig2_has_sse(); + bool has_movbe = EverCrypt_AutoConfig2_has_movbe(); + bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); + #if HACL_CAN_COMPILE_VALE + if (has_aesni && has_pclmulqdq && has_avx && has_sse && has_movbe) + { + uint8_t ek[544U] = { 0U }; + uint8_t *keys_b0 = ek; + uint8_t *hkeys_b0 = ek + (uint32_t)240U; + uint64_t scrut = aes256_key_expansion(k, keys_b0); + uint64_t scrut0 = aes256_keyhash_init(keys_b0, hkeys_b0); + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }; + EverCrypt_AEAD_state_s *s = &p; + if (s == NULL) + { + return EverCrypt_Error_InvalidKey; + } + else if (iv_len == (uint32_t)0U) + { + return EverCrypt_Error_InvalidIVLength; + } + else + { + EverCrypt_AEAD_state_s scrut1 = *s; + uint8_t *ek0 = scrut1.ek; + uint8_t *scratch_b = ek0 + (uint32_t)368U; + uint8_t *ek1 = ek0; + uint8_t *keys_b = ek1; + uint8_t *hkeys_b = ek1 + (uint32_t)240U; + uint8_t tmp_iv[16U] = { 0U }; + uint32_t len = iv_len / (uint32_t)16U; + uint32_t bytes_len = len * (uint32_t)16U; + uint8_t *iv_b = iv; + memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + uint8_t *inout_b = scratch_b; + uint8_t *abytes_b = scratch_b + (uint32_t)16U; + uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; + uint32_t cipher_len_ = (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U; + 
uint32_t auth_len_ = (uint32_t)(uint64_t)ad_len / (uint32_t)16U * (uint32_t)16U; + uint8_t *cipher_b_ = cipher; + uint8_t *out_b_ = dst; + uint8_t *auth_b_ = ad; + memcpy(inout_b, + cipher + cipher_len_, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + memcpy(abytes_b, + ad + auth_len_, + (uint32_t)(uint64_t)ad_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t len128x6 = (uint64_t)cipher_len / (uint64_t)96U * (uint64_t)96U; + uint64_t c; + if (len128x6 / (uint64_t)16U >= (uint64_t)6U) + { + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U - len128x6; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + (uint32_t)len128x6; + uint8_t *out128_b = out_b_ + (uint32_t)len128x6; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128x6_ = len128x6 / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t + scrut2 = + gcm256_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut2; + c = c0; + } + else + { + uint32_t len128x61 = (uint32_t)0U; + uint64_t len128_num = (uint64_t)cipher_len / (uint64_t)16U * (uint64_t)16U; + uint8_t *in128x6_b = cipher_b_; + uint8_t *out128x6_b = out_b_; + uint8_t *in128_b = cipher_b_ + len128x61; + uint8_t *out128_b = out_b_ + len128x61; + uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; + uint64_t len128_num_ = len128_num / (uint64_t)16U; + uint64_t len128x6_ = (uint64_t)0U; + uint64_t + scrut2 = + gcm256_decrypt_opt(auth_b_, + (uint64_t)ad_len, + auth_num, + keys_b, + tmp_iv, + hkeys_b, + abytes_b, + in128x6_b, + out128x6_b, + len128x6_, + in128_b, + out128_b, + len128_num_, + inout_b, + (uint64_t)cipher_len, + scratch_b1, + tag); + uint64_t c0 = scrut2; + c = c0; + } + memcpy(dst + 
(uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, + inout_b, + (uint32_t)(uint64_t)cipher_len % (uint32_t)16U * sizeof (uint8_t)); + uint64_t r = c; + if (r == (uint64_t)0U) + { + return EverCrypt_Error_Success; + } + else + { + return EverCrypt_Error_AuthenticationFailure; + } + } + } + #endif + return EverCrypt_Error_UnsupportedAlgorithm; +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_decrypt_expand_chacha20_poly1305( + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + uint8_t ek[32U] = { 0U }; + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Hacl_CHACHA20, .ek = ek }; + memcpy(ek, k, (uint32_t)32U * sizeof (uint8_t)); + EverCrypt_AEAD_state_s *s = &p; + EverCrypt_Error_error_code + r = decrypt_chacha20_poly1305(s, iv, iv_len, ad, ad_len, cipher, cipher_len, tag, dst); + return r; +} + +EverCrypt_Error_error_code +EverCrypt_AEAD_decrypt_expand( + Spec_Agile_AEAD_alg a, + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint8_t *ad, + uint32_t ad_len, + uint8_t *cipher, + uint32_t cipher_len, + uint8_t *tag, + uint8_t *dst +) +{ + switch (a) + { + case Spec_Agile_AEAD_AES128_GCM: + { + return + EverCrypt_AEAD_decrypt_expand_aes128_gcm(k, + iv, + iv_len, + ad, + ad_len, + cipher, + cipher_len, + tag, + dst); + } + case Spec_Agile_AEAD_AES256_GCM: + { + return + EverCrypt_AEAD_decrypt_expand_aes256_gcm(k, + iv, + iv_len, + ad, + ad_len, + cipher, + cipher_len, + tag, + dst); + } + case Spec_Agile_AEAD_CHACHA20_POLY1305: + { + return + EverCrypt_AEAD_decrypt_expand_chacha20_poly1305(k, + iv, + iv_len, + ad, + ad_len, + cipher, + cipher_len, + tag, + dst); + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +void EverCrypt_AEAD_free(EverCrypt_AEAD_state_s *s) +{ + EverCrypt_AEAD_state_s scrut = *s; + uint8_t *ek = scrut.ek; + KRML_HOST_FREE(ek); + 
KRML_HOST_FREE(s); +} + diff --git a/src/msvc/EverCrypt_AutoConfig2.c b/src/msvc/EverCrypt_AutoConfig2.c new file mode 100644 index 00000000..d64ceb6f --- /dev/null +++ b/src/msvc/EverCrypt_AutoConfig2.c 
@@ -0,0 +1,314 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_AutoConfig2.h" + +#include "internal/Vale.h" + +static bool cpu_has_shaext[1U] = { false }; + +static bool cpu_has_aesni[1U] = { false }; + +static bool cpu_has_pclmulqdq[1U] = { false }; + +static bool cpu_has_avx2[1U] = { false }; + +static bool cpu_has_avx[1U] = { false }; + +static bool cpu_has_bmi2[1U] = { false }; + +static bool cpu_has_adx[1U] = { false }; + +static bool cpu_has_sse[1U] = { false }; + +static bool cpu_has_movbe[1U] = { false }; + +static bool cpu_has_rdrand[1U] = { false }; + +static bool cpu_has_avx512[1U] = { false }; + +static bool user_wants_hacl[1U] = { true }; + +static bool user_wants_vale[1U] = { true }; + +static bool user_wants_openssl[1U] = { true }; + +static bool user_wants_bcrypt[1U] = { false }; + +bool EverCrypt_AutoConfig2_has_shaext() +{ + return cpu_has_shaext[0U]; +} + +bool EverCrypt_AutoConfig2_has_aesni() +{ + return cpu_has_aesni[0U]; +} + +bool EverCrypt_AutoConfig2_has_pclmulqdq() +{ + return cpu_has_pclmulqdq[0U]; +} + +bool EverCrypt_AutoConfig2_has_avx2() +{ + return cpu_has_avx2[0U]; +} + +bool EverCrypt_AutoConfig2_has_avx() +{ + return cpu_has_avx[0U]; +} + +bool EverCrypt_AutoConfig2_has_bmi2() +{ + return cpu_has_bmi2[0U]; +} + +bool EverCrypt_AutoConfig2_has_adx() +{ + return cpu_has_adx[0U]; +} + +bool EverCrypt_AutoConfig2_has_sse() +{ + return cpu_has_sse[0U]; +} + +bool EverCrypt_AutoConfig2_has_movbe() +{ + return cpu_has_movbe[0U]; +} + +bool EverCrypt_AutoConfig2_has_rdrand() +{ + return cpu_has_rdrand[0U]; +} + +bool EverCrypt_AutoConfig2_has_avx512() +{ + return cpu_has_avx512[0U]; +} + +KRML_DEPRECATED("") + +bool EverCrypt_AutoConfig2_wants_vale() +{ + return user_wants_vale[0U]; +} + +bool EverCrypt_AutoConfig2_wants_hacl() +{ + return user_wants_hacl[0U]; +} + +bool EverCrypt_AutoConfig2_wants_openssl() +{ + return user_wants_openssl[0U]; +} + +bool EverCrypt_AutoConfig2_wants_bcrypt() +{ + return user_wants_bcrypt[0U]; +} + +void EverCrypt_AutoConfig2_recall() +{ 
+ +} + +void EverCrypt_AutoConfig2_init() +{ + #if HACL_CAN_COMPILE_VALE + uint64_t scrut = check_aesni(); + if (scrut != (uint64_t)0U) + { + cpu_has_aesni[0U] = true; + cpu_has_pclmulqdq[0U] = true; + } + uint64_t scrut0 = check_sha(); + if (scrut0 != (uint64_t)0U) + { + cpu_has_shaext[0U] = true; + } + uint64_t scrut1 = check_adx_bmi2(); + if (scrut1 != (uint64_t)0U) + { + cpu_has_bmi2[0U] = true; + cpu_has_adx[0U] = true; + } + uint64_t scrut2 = check_avx(); + if (scrut2 != (uint64_t)0U) + { + uint64_t scrut3 = check_osxsave(); + if (scrut3 != (uint64_t)0U) + { + uint64_t scrut4 = check_avx_xcr0(); + if (scrut4 != (uint64_t)0U) + { + cpu_has_avx[0U] = true; + } + } + } + uint64_t scrut3 = check_avx2(); + if (scrut3 != (uint64_t)0U) + { + uint64_t scrut4 = check_osxsave(); + if (scrut4 != (uint64_t)0U) + { + uint64_t scrut5 = check_avx_xcr0(); + if (scrut5 != (uint64_t)0U) + { + cpu_has_avx2[0U] = true; + } + } + } + uint64_t scrut4 = check_sse(); + if (scrut4 != (uint64_t)0U) + { + cpu_has_sse[0U] = true; + } + uint64_t scrut5 = check_movbe(); + if (scrut5 != (uint64_t)0U) + { + cpu_has_movbe[0U] = true; + } + uint64_t scrut6 = check_rdrand(); + if (scrut6 != (uint64_t)0U) + { + cpu_has_rdrand[0U] = true; + } + uint64_t scrut7 = check_avx512(); + if (scrut7 != (uint64_t)0U) + { + uint64_t scrut8 = check_osxsave(); + if (scrut8 != (uint64_t)0U) + { + uint64_t scrut9 = check_avx_xcr0(); + if (scrut9 != (uint64_t)0U) + { + uint64_t scrut10 = check_avx512_xcr0(); + if (scrut10 != (uint64_t)0U) + { + cpu_has_avx512[0U] = true; + } + } + } + } + #endif + user_wants_hacl[0U] = true; + user_wants_vale[0U] = true; + user_wants_bcrypt[0U] = false; + user_wants_openssl[0U] = true; +} + +void EverCrypt_AutoConfig2_disable_avx2() +{ + cpu_has_avx2[0U] = false; +} + +void EverCrypt_AutoConfig2_disable_avx() +{ + cpu_has_avx[0U] = false; +} + +void EverCrypt_AutoConfig2_disable_bmi2() +{ + cpu_has_bmi2[0U] = false; +} + +void EverCrypt_AutoConfig2_disable_adx() +{ + 
cpu_has_adx[0U] = false; +} + +void EverCrypt_AutoConfig2_disable_shaext() +{ + cpu_has_shaext[0U] = false; +} + +void EverCrypt_AutoConfig2_disable_aesni() +{ + cpu_has_aesni[0U] = false; +} + +void EverCrypt_AutoConfig2_disable_pclmulqdq() +{ + cpu_has_pclmulqdq[0U] = false; +} + +void EverCrypt_AutoConfig2_disable_sse() +{ + cpu_has_sse[0U] = false; +} + +void EverCrypt_AutoConfig2_disable_movbe() +{ + cpu_has_movbe[0U] = false; +} + +void EverCrypt_AutoConfig2_disable_rdrand() +{ + cpu_has_rdrand[0U] = false; +} + +void EverCrypt_AutoConfig2_disable_avx512() +{ + cpu_has_avx512[0U] = false; +} + +void EverCrypt_AutoConfig2_disable_vale() +{ + user_wants_vale[0U] = false; +} + +void EverCrypt_AutoConfig2_disable_hacl() +{ + user_wants_hacl[0U] = false; +} + +void EverCrypt_AutoConfig2_disable_openssl() +{ + user_wants_openssl[0U] = false; +} + +void EverCrypt_AutoConfig2_disable_bcrypt() +{ + user_wants_bcrypt[0U] = false; +} + +bool EverCrypt_AutoConfig2_has_vec128() +{ + bool avx = EverCrypt_AutoConfig2_has_avx(); + bool other = has_vec128_not_avx(); + return avx || other; +} + +bool EverCrypt_AutoConfig2_has_vec256() +{ + bool avx2 = EverCrypt_AutoConfig2_has_avx2(); + bool other = has_vec256_not_avx2(); + return avx2 || other; +} + diff --git a/src/msvc/EverCrypt_CTR.c b/src/msvc/EverCrypt_CTR.c new file mode 100644 index 00000000..eac92464 --- /dev/null +++ b/src/msvc/EverCrypt_CTR.c 
@@ -0,0 +1,383 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_CTR.h" + +#include "internal/Vale.h" +#include "internal/Hacl_Spec.h" +#include "internal/Hacl_Chacha20.h" + +typedef struct EverCrypt_CTR_state_s_s +{ + Spec_Cipher_Expansion_impl i; + uint8_t *iv; + uint32_t iv_len; + uint8_t *xkey; + uint32_t ctr; +} +EverCrypt_CTR_state_s; + +bool +EverCrypt_CTR_uu___is_State(Spec_Agile_Cipher_cipher_alg a, EverCrypt_CTR_state_s projectee) +{ + return true; +} + +uint8_t EverCrypt_CTR_xor8(uint8_t a, uint8_t b) +{ + return a ^ b; +} + +Spec_Agile_Cipher_cipher_alg EverCrypt_CTR_alg_of_state(EverCrypt_CTR_state_s *s) +{ + EverCrypt_CTR_state_s scrut = *s; + Spec_Cipher_Expansion_impl i = scrut.i; + return Spec_Cipher_Expansion_cipher_alg_of_impl(i); +} + +static Spec_Cipher_Expansion_impl vale_impl_of_alg(Spec_Agile_Cipher_cipher_alg a) +{ + switch (a) + { + case Spec_Agile_Cipher_AES128: + { + return Spec_Cipher_Expansion_Vale_AES128; + } + case Spec_Agile_Cipher_AES256: + { + return Spec_Cipher_Expansion_Vale_AES256; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +EverCrypt_Error_error_code +EverCrypt_CTR_create_in( + Spec_Agile_Cipher_cipher_alg a, + EverCrypt_CTR_state_s **dst, + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint32_t c +) +{ + switch (a) + { + case Spec_Agile_Cipher_AES128: + { + bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); + bool has_pclmulqdq = EverCrypt_AutoConfig2_has_pclmulqdq(); + bool has_avx = EverCrypt_AutoConfig2_has_avx(); + bool has_sse = EverCrypt_AutoConfig2_has_sse(); + if (iv_len < (uint32_t)12U) + { + return EverCrypt_Error_InvalidIVLength; + } + #if HACL_CAN_COMPILE_VALE + if (has_aesni && has_pclmulqdq && has_avx && has_sse) + { + uint8_t *ek = KRML_HOST_CALLOC((uint32_t)304U, sizeof (uint8_t)); + uint8_t *keys_b = ek; + uint8_t *hkeys_b = ek + (uint32_t)176U; + uint64_t scrut = aes128_key_expansion(k, keys_b); + uint64_t scrut0 = aes128_keyhash_init(keys_b, 
hkeys_b); + uint8_t *iv_ = KRML_HOST_CALLOC((uint32_t)16U, sizeof (uint8_t)); + memcpy(iv_, iv, iv_len * sizeof (uint8_t)); + KRML_CHECK_SIZE(sizeof (EverCrypt_CTR_state_s), (uint32_t)1U); + EverCrypt_CTR_state_s *p = KRML_HOST_MALLOC(sizeof (EverCrypt_CTR_state_s)); + p[0U] + = + ( + (EverCrypt_CTR_state_s){ + .i = vale_impl_of_alg(Spec_Cipher_Expansion_cipher_alg_of_impl(Spec_Cipher_Expansion_Vale_AES128)), + .iv = iv_, + .iv_len = iv_len, + .xkey = ek, + .ctr = c + } + ); + *dst = p; + return EverCrypt_Error_Success; + } + #endif + return EverCrypt_Error_UnsupportedAlgorithm; + } + case Spec_Agile_Cipher_AES256: + { + bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); + bool has_pclmulqdq = EverCrypt_AutoConfig2_has_pclmulqdq(); + bool has_avx = EverCrypt_AutoConfig2_has_avx(); + bool has_sse = EverCrypt_AutoConfig2_has_sse(); + if (iv_len < (uint32_t)12U) + { + return EverCrypt_Error_InvalidIVLength; + } + #if HACL_CAN_COMPILE_VALE + if (has_aesni && has_pclmulqdq && has_avx && has_sse) + { + uint8_t *ek = KRML_HOST_CALLOC((uint32_t)368U, sizeof (uint8_t)); + uint8_t *keys_b = ek; + uint8_t *hkeys_b = ek + (uint32_t)240U; + uint64_t scrut = aes256_key_expansion(k, keys_b); + uint64_t scrut0 = aes256_keyhash_init(keys_b, hkeys_b); + uint8_t *iv_ = KRML_HOST_CALLOC((uint32_t)16U, sizeof (uint8_t)); + memcpy(iv_, iv, iv_len * sizeof (uint8_t)); + KRML_CHECK_SIZE(sizeof (EverCrypt_CTR_state_s), (uint32_t)1U); + EverCrypt_CTR_state_s *p = KRML_HOST_MALLOC(sizeof (EverCrypt_CTR_state_s)); + p[0U] + = + ( + (EverCrypt_CTR_state_s){ + .i = vale_impl_of_alg(Spec_Cipher_Expansion_cipher_alg_of_impl(Spec_Cipher_Expansion_Vale_AES256)), + .iv = iv_, + .iv_len = iv_len, + .xkey = ek, + .ctr = c + } + ); + *dst = p; + return EverCrypt_Error_Success; + } + #endif + return EverCrypt_Error_UnsupportedAlgorithm; + } + case Spec_Agile_Cipher_CHACHA20: + { + uint8_t *ek = KRML_HOST_CALLOC((uint32_t)32U, sizeof (uint8_t)); + memcpy(ek, k, (uint32_t)32U * sizeof (uint8_t)); + 
KRML_CHECK_SIZE(sizeof (uint8_t), iv_len); + uint8_t *iv_ = KRML_HOST_CALLOC(iv_len, sizeof (uint8_t)); + memcpy(iv_, iv, iv_len * sizeof (uint8_t)); + KRML_CHECK_SIZE(sizeof (EverCrypt_CTR_state_s), (uint32_t)1U); + EverCrypt_CTR_state_s *p = KRML_HOST_MALLOC(sizeof (EverCrypt_CTR_state_s)); + p[0U] + = + ( + (EverCrypt_CTR_state_s){ + .i = Spec_Cipher_Expansion_Hacl_CHACHA20, + .iv = iv_, + .iv_len = (uint32_t)12U, + .xkey = ek, + .ctr = c + } + ); + *dst = p; + return EverCrypt_Error_Success; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +void +EverCrypt_CTR_init( + EverCrypt_CTR_state_s *p, + uint8_t *k, + uint8_t *iv, + uint32_t iv_len, + uint32_t c +) +{ + EverCrypt_CTR_state_s scrut0 = *p; + uint8_t *ek = scrut0.xkey; + uint8_t *iv_ = scrut0.iv; + Spec_Cipher_Expansion_impl i = scrut0.i; + memcpy(iv_, iv, iv_len * sizeof (uint8_t)); + switch (i) + { + case Spec_Cipher_Expansion_Vale_AES128: + { + #if HACL_CAN_COMPILE_VALE + uint8_t *keys_b = ek; + uint8_t *hkeys_b = ek + (uint32_t)176U; + uint64_t scrut = aes128_key_expansion(k, keys_b); + uint64_t scrut1 = aes128_keyhash_init(keys_b, hkeys_b); + #endif + break; + } + case Spec_Cipher_Expansion_Vale_AES256: + { + #if HACL_CAN_COMPILE_VALE + uint8_t *keys_b = ek; + uint8_t *hkeys_b = ek + (uint32_t)240U; + uint64_t scrut = aes256_key_expansion(k, keys_b); + uint64_t scrut1 = aes256_keyhash_init(keys_b, hkeys_b); + #endif + break; + } + case Spec_Cipher_Expansion_Hacl_CHACHA20: + { + memcpy(ek, k, (uint32_t)32U * sizeof (uint8_t)); + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + *p = ((EverCrypt_CTR_state_s){ .i = i, .iv = iv_, .iv_len = iv_len, .xkey = ek, .ctr = c }); +} + +void EverCrypt_CTR_update_block(EverCrypt_CTR_state_s *p, uint8_t *dst, uint8_t *src) +{ + EverCrypt_CTR_state_s scrut = *p; + Spec_Cipher_Expansion_impl i 
= scrut.i; + uint8_t *iv = scrut.iv; + uint8_t *ek = scrut.xkey; + uint32_t c0 = scrut.ctr; + switch (i) + { + case Spec_Cipher_Expansion_Vale_AES128: + { + #if HACL_CAN_COMPILE_VALE + EverCrypt_CTR_state_s scrut0 = *p; + uint32_t c01 = scrut0.ctr; + uint8_t *ek1 = scrut0.xkey; + uint32_t iv_len1 = scrut0.iv_len; + uint8_t *iv1 = scrut0.iv; + uint8_t ctr_block[16U] = { 0U }; + memcpy(ctr_block, iv1, iv_len1 * sizeof (uint8_t)); + FStar_UInt128_uint128 uu____0 = load128_be(ctr_block); + FStar_UInt128_uint128 + c = FStar_UInt128_add_mod(uu____0, FStar_UInt128_uint64_to_uint128((uint64_t)c01)); + store128_le(ctr_block, c); + uint8_t *uu____1 = ek1; + uint8_t inout_b[16U] = { 0U }; + uint32_t num_blocks = (uint32_t)(uint64_t)16U / (uint32_t)16U; + uint32_t num_bytes_ = num_blocks * (uint32_t)16U; + uint8_t *in_b_ = src; + uint8_t *out_b_ = dst; + memcpy(inout_b, + src + num_bytes_, + (uint32_t)(uint64_t)16U % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + scrut1 = + gctr128_bytes(in_b_, + (uint64_t)16U, + out_b_, + inout_b, + uu____1, + ctr_block, + (uint64_t)num_blocks); + memcpy(dst + num_bytes_, + inout_b, + (uint32_t)(uint64_t)16U % (uint32_t)16U * sizeof (uint8_t)); + uint32_t c1 = c01 + (uint32_t)1U; + *p + = + ( + (EverCrypt_CTR_state_s){ + .i = Spec_Cipher_Expansion_Vale_AES128, + .iv = iv1, + .iv_len = iv_len1, + .xkey = ek1, + .ctr = c1 + } + ); + #endif + break; + } + case Spec_Cipher_Expansion_Vale_AES256: + { + #if HACL_CAN_COMPILE_VALE + EverCrypt_CTR_state_s scrut0 = *p; + uint32_t c01 = scrut0.ctr; + uint8_t *ek1 = scrut0.xkey; + uint32_t iv_len1 = scrut0.iv_len; + uint8_t *iv1 = scrut0.iv; + uint8_t ctr_block[16U] = { 0U }; + memcpy(ctr_block, iv1, iv_len1 * sizeof (uint8_t)); + FStar_UInt128_uint128 uu____2 = load128_be(ctr_block); + FStar_UInt128_uint128 + c = FStar_UInt128_add_mod(uu____2, FStar_UInt128_uint64_to_uint128((uint64_t)c01)); + store128_le(ctr_block, c); + uint8_t *uu____3 = ek1; + uint8_t inout_b[16U] = { 0U }; + uint32_t num_blocks = 
(uint32_t)(uint64_t)16U / (uint32_t)16U; + uint32_t num_bytes_ = num_blocks * (uint32_t)16U; + uint8_t *in_b_ = src; + uint8_t *out_b_ = dst; + memcpy(inout_b, + src + num_bytes_, + (uint32_t)(uint64_t)16U % (uint32_t)16U * sizeof (uint8_t)); + uint64_t + scrut1 = + gctr256_bytes(in_b_, + (uint64_t)16U, + out_b_, + inout_b, + uu____3, + ctr_block, + (uint64_t)num_blocks); + memcpy(dst + num_bytes_, + inout_b, + (uint32_t)(uint64_t)16U % (uint32_t)16U * sizeof (uint8_t)); + uint32_t c1 = c01 + (uint32_t)1U; + *p + = + ( + (EverCrypt_CTR_state_s){ + .i = Spec_Cipher_Expansion_Vale_AES256, + .iv = iv1, + .iv_len = iv_len1, + .xkey = ek1, + .ctr = c1 + } + ); + #endif + break; + } + case Spec_Cipher_Expansion_Hacl_CHACHA20: + { + uint32_t ctx[16U] = { 0U }; + Hacl_Impl_Chacha20_chacha20_init(ctx, ek, iv, (uint32_t)0U); + Hacl_Impl_Chacha20_chacha20_encrypt_block(ctx, dst, c0, src); + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +void EverCrypt_CTR_free(EverCrypt_CTR_state_s *p) +{ + EverCrypt_CTR_state_s scrut = *p; + uint8_t *iv = scrut.iv; + uint8_t *ek = scrut.xkey; + KRML_HOST_FREE(iv); + KRML_HOST_FREE(ek); + KRML_HOST_FREE(p); +} + diff --git a/src/msvc/EverCrypt_Chacha20Poly1305.c b/src/msvc/EverCrypt_Chacha20Poly1305.c new file mode 100644 index 00000000..a4116986 --- /dev/null +++ b/src/msvc/EverCrypt_Chacha20Poly1305.c 
@@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_Chacha20Poly1305.h" + + + +void +EverCrypt_Chacha20Poly1305_aead_encrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *tag +) +{ + bool avx2 = EverCrypt_AutoConfig2_has_avx2(); + bool avx = EverCrypt_AutoConfig2_has_avx(); + bool vec256 = EverCrypt_AutoConfig2_has_vec256(); + bool vec128 = EverCrypt_AutoConfig2_has_vec128(); + #if HACL_CAN_COMPILE_VEC256 + if (vec256) + { + Hacl_Chacha20Poly1305_256_aead_encrypt(k, n, aadlen, aad, mlen, m, cipher, tag); + return; + } + #endif + #if HACL_CAN_COMPILE_VEC128 + if (vec128) + { + Hacl_Chacha20Poly1305_128_aead_encrypt(k, n, aadlen, aad, mlen, m, cipher, tag); + return; + } + #endif + Hacl_Chacha20Poly1305_32_aead_encrypt(k, n, aadlen, aad, mlen, m, cipher, tag); +} + +uint32_t +EverCrypt_Chacha20Poly1305_aead_decrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *tag +) +{ + bool avx2 = EverCrypt_AutoConfig2_has_avx2(); + bool avx = EverCrypt_AutoConfig2_has_avx(); + bool vec256 = EverCrypt_AutoConfig2_has_vec256(); + bool vec128 = EverCrypt_AutoConfig2_has_vec128(); + #if HACL_CAN_COMPILE_VEC256 + if (vec256) + { + return Hacl_Chacha20Poly1305_256_aead_decrypt(k, n, aadlen, aad, mlen, m, cipher, tag); + } + #endif + #if HACL_CAN_COMPILE_VEC128 + if (vec128) + { + return Hacl_Chacha20Poly1305_128_aead_decrypt(k, n, aadlen, aad, mlen, m, cipher, tag); + } + #endif + return Hacl_Chacha20Poly1305_32_aead_decrypt(k, n, aadlen, aad, mlen, m, cipher, tag); +} + diff --git a/src/msvc/EverCrypt_Cipher.c b/src/msvc/EverCrypt_Cipher.c new file mode 100644 index 00000000..a8324c00 --- /dev/null +++ b/src/msvc/EverCrypt_Cipher.c 
@@ -0,0 +1,43 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "EverCrypt_Cipher.h" + +#include "internal/Hacl_Chacha20.h" + +void +EverCrypt_Cipher_chacha20( + uint32_t len, + uint8_t *dst, + uint8_t *src, + uint8_t *key, + uint8_t *iv, + uint32_t ctr +) +{ + uint32_t ctx[16U] = { 0U }; + Hacl_Impl_Chacha20_chacha20_init(ctx, key, iv, ctr); + Hacl_Impl_Chacha20_chacha20_update(ctx, len, dst, src); +} + diff --git a/src/msvc/EverCrypt_Curve25519.c b/src/msvc/EverCrypt_Curve25519.c new file mode 100644 index 00000000..71db562b --- /dev/null +++ b/src/msvc/EverCrypt_Curve25519.c 
@@ -0,0 +1,70 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_Curve25519.h" + + + +static inline bool has_adx_bmi2() +{ + bool has_bmi2 = EverCrypt_AutoConfig2_has_bmi2(); + bool has_adx = EverCrypt_AutoConfig2_has_adx(); + return has_bmi2 && has_adx; +} + +void EverCrypt_Curve25519_secret_to_public(uint8_t *pub, uint8_t *priv) +{ + #if HACL_CAN_COMPILE_VALE + if (has_adx_bmi2()) + { + Hacl_Curve25519_64_secret_to_public(pub, priv); + return; + } + #endif + Hacl_Curve25519_51_secret_to_public(pub, priv); +} + +void EverCrypt_Curve25519_scalarmult(uint8_t *shared, uint8_t *my_priv, uint8_t *their_pub) +{ + #if HACL_CAN_COMPILE_VALE + if (has_adx_bmi2()) + { + Hacl_Curve25519_64_scalarmult(shared, my_priv, their_pub); + return; + } + #endif + Hacl_Curve25519_51_scalarmult(shared, my_priv, their_pub); +} + +bool EverCrypt_Curve25519_ecdh(uint8_t *shared, uint8_t *my_priv, uint8_t *their_pub) +{ + #if HACL_CAN_COMPILE_VALE + if (has_adx_bmi2()) + { + return Hacl_Curve25519_64_ecdh(shared, my_priv, their_pub); + } + #endif + return Hacl_Curve25519_51_ecdh(shared, my_priv, their_pub); +} + diff --git a/src/msvc/EverCrypt_DRBG.c b/src/msvc/EverCrypt_DRBG.c new file mode 100644 index 00000000..caa5f587 --- /dev/null +++ b/src/msvc/EverCrypt_DRBG.c 
@@ -0,0 +1,2018 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_DRBG.h" + + + +uint32_t EverCrypt_DRBG_reseed_interval = (uint32_t)1024U; + +uint32_t EverCrypt_DRBG_max_output_length = (uint32_t)65536U; + +uint32_t EverCrypt_DRBG_max_length = (uint32_t)65536U; + +uint32_t EverCrypt_DRBG_max_personalization_string_length = (uint32_t)65536U; + +uint32_t EverCrypt_DRBG_max_additional_input_length = (uint32_t)65536U; + +uint32_t EverCrypt_DRBG_min_length(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + return (uint32_t)16U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_SHA2_384: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return (uint32_t)32U; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +typedef struct EverCrypt_DRBG_state_s_s +{ + EverCrypt_DRBG_state_s_tags tag; + union { + Hacl_HMAC_DRBG_state case_SHA1_s; + Hacl_HMAC_DRBG_state case_SHA2_256_s; + Hacl_HMAC_DRBG_state case_SHA2_384_s; + Hacl_HMAC_DRBG_state case_SHA2_512_s; + } + ; +} +EverCrypt_DRBG_state_s; + +bool +EverCrypt_DRBG_uu___is_SHA1_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +) +{ + if (projectee.tag == EverCrypt_DRBG_SHA1_s) + { + return true; + } + return false; +} + +bool +EverCrypt_DRBG_uu___is_SHA2_256_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +) +{ + if (projectee.tag == EverCrypt_DRBG_SHA2_256_s) + { + return true; + } + return false; +} + +bool +EverCrypt_DRBG_uu___is_SHA2_384_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +) +{ + if (projectee.tag == EverCrypt_DRBG_SHA2_384_s) + { + return true; + } + return false; +} + +bool +EverCrypt_DRBG_uu___is_SHA2_512_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +) +{ + if (projectee.tag == EverCrypt_DRBG_SHA2_512_s) + { + return 
true; + } + return false; +} + +EverCrypt_DRBG_state_s *EverCrypt_DRBG_create(Spec_Hash_Definitions_hash_alg a) +{ + EverCrypt_DRBG_state_s st; + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + uint8_t *k = KRML_HOST_CALLOC((uint32_t)20U, sizeof (uint8_t)); + uint8_t *v = KRML_HOST_CALLOC((uint32_t)20U, sizeof (uint8_t)); + uint32_t *ctr = KRML_HOST_MALLOC(sizeof (uint32_t)); + ctr[0U] = (uint32_t)1U; + st = + ( + (EverCrypt_DRBG_state_s){ + .tag = EverCrypt_DRBG_SHA1_s, + { .case_SHA1_s = { .k = k, .v = v, .reseed_counter = ctr } } + } + ); + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + uint8_t *k = KRML_HOST_CALLOC((uint32_t)32U, sizeof (uint8_t)); + uint8_t *v = KRML_HOST_CALLOC((uint32_t)32U, sizeof (uint8_t)); + uint32_t *ctr = KRML_HOST_MALLOC(sizeof (uint32_t)); + ctr[0U] = (uint32_t)1U; + st = + ( + (EverCrypt_DRBG_state_s){ + .tag = EverCrypt_DRBG_SHA2_256_s, + { .case_SHA2_256_s = { .k = k, .v = v, .reseed_counter = ctr } } + } + ); + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + uint8_t *k = KRML_HOST_CALLOC((uint32_t)48U, sizeof (uint8_t)); + uint8_t *v = KRML_HOST_CALLOC((uint32_t)48U, sizeof (uint8_t)); + uint32_t *ctr = KRML_HOST_MALLOC(sizeof (uint32_t)); + ctr[0U] = (uint32_t)1U; + st = + ( + (EverCrypt_DRBG_state_s){ + .tag = EverCrypt_DRBG_SHA2_384_s, + { .case_SHA2_384_s = { .k = k, .v = v, .reseed_counter = ctr } } + } + ); + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + uint8_t *k = KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); + uint8_t *v = KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); + uint32_t *ctr = KRML_HOST_MALLOC(sizeof (uint32_t)); + ctr[0U] = (uint32_t)1U; + st = + ( + (EverCrypt_DRBG_state_s){ + .tag = EverCrypt_DRBG_SHA2_512_s, + { .case_SHA2_512_s = { .k = k, .v = v, .reseed_counter = ctr } } + } + ); + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + KRML_CHECK_SIZE(sizeof 
(EverCrypt_DRBG_state_s), (uint32_t)1U); + EverCrypt_DRBG_state_s *buf = KRML_HOST_MALLOC(sizeof (EverCrypt_DRBG_state_s)); + buf[0U] = st; + return buf; +} + +bool +EverCrypt_DRBG_instantiate_sha1( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t personalization_string_len +) +{ + if (personalization_string_len > Hacl_HMAC_DRBG_max_personalization_string_length) + { + return false; + } + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA1); + uint32_t nonce_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA1) / (uint32_t)2U; + uint32_t min_entropy = entropy_input_len + nonce_len; + KRML_CHECK_SIZE(sizeof (uint8_t), min_entropy); + uint8_t *entropy = alloca(min_entropy * sizeof (uint8_t)); + memset(entropy, 0U, min_entropy * sizeof (uint8_t)); + bool ok = Lib_RandomBuffer_System_randombytes(entropy, min_entropy); + if (!ok) + { + return false; + } + uint8_t *entropy_input = entropy; + uint8_t *nonce = entropy + entropy_input_len; + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + nonce_len + personalization_string_len); + uint8_t + *seed_material = + alloca((entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memset(seed_material, + 0U, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, nonce, nonce_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len + nonce_len, + personalization_string, + personalization_string_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state scrut; + if (st_s.tag == EverCrypt_DRBG_SHA1_s) + { + scrut = st_s.case_SHA1_s; + } + else + { + scrut = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = scrut.k; + uint8_t *v = scrut.v; + uint32_t *ctr = scrut.reseed_counter; + memset(k, 0U, 
(uint32_t)20U * sizeof (uint8_t)); + memset(v, (uint8_t)1U, (uint32_t)20U * sizeof (uint8_t)); + ctr[0U] = (uint32_t)1U; + uint32_t + input_len = (uint32_t)21U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)21U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input0[20U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha1(k_, k, (uint32_t)20U, input0, input_len); + EverCrypt_HMAC_compute_sha1(v, k_, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)21U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)21U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input[20U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha1(k_0, k, (uint32_t)20U, input, input_len0); + EverCrypt_HMAC_compute_sha1(v, k_0, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_0, (uint32_t)20U * sizeof (uint8_t)); + } + return true; +} + +bool +EverCrypt_DRBG_instantiate_sha2_256( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t personalization_string_len +) +{ + if (personalization_string_len > 
Hacl_HMAC_DRBG_max_personalization_string_length) + { + return false; + } + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_256); + uint32_t nonce_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_256) / (uint32_t)2U; + uint32_t min_entropy = entropy_input_len + nonce_len; + KRML_CHECK_SIZE(sizeof (uint8_t), min_entropy); + uint8_t *entropy = alloca(min_entropy * sizeof (uint8_t)); + memset(entropy, 0U, min_entropy * sizeof (uint8_t)); + bool ok = Lib_RandomBuffer_System_randombytes(entropy, min_entropy); + if (!ok) + { + return false; + } + uint8_t *entropy_input = entropy; + uint8_t *nonce = entropy + entropy_input_len; + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + nonce_len + personalization_string_len); + uint8_t + *seed_material = + alloca((entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memset(seed_material, + 0U, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, nonce, nonce_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len + nonce_len, + personalization_string, + personalization_string_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state scrut; + if (st_s.tag == EverCrypt_DRBG_SHA2_256_s) + { + scrut = st_s.case_SHA2_256_s; + } + else + { + scrut = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = scrut.k; + uint8_t *v = scrut.v; + uint32_t *ctr = scrut.reseed_counter; + memset(k, 0U, (uint32_t)32U * sizeof (uint8_t)); + memset(v, (uint8_t)1U, (uint32_t)32U * sizeof (uint8_t)); + ctr[0U] = (uint32_t)1U; + uint32_t + input_len = (uint32_t)33U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + 
memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)33U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input0[32U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_256(k_, k, (uint32_t)32U, input0, input_len); + EverCrypt_HMAC_compute_sha2_256(v, k_, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)33U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)33U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input[32U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_256(k_0, k, (uint32_t)32U, input, input_len0); + EverCrypt_HMAC_compute_sha2_256(v, k_0, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_0, (uint32_t)32U * sizeof (uint8_t)); + } + return true; +} + +bool +EverCrypt_DRBG_instantiate_sha2_384( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t personalization_string_len +) +{ + if (personalization_string_len > Hacl_HMAC_DRBG_max_personalization_string_length) + { + return false; + } + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_384); + uint32_t nonce_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_384) / (uint32_t)2U; + uint32_t min_entropy = entropy_input_len + nonce_len; + 
KRML_CHECK_SIZE(sizeof (uint8_t), min_entropy); + uint8_t *entropy = alloca(min_entropy * sizeof (uint8_t)); + memset(entropy, 0U, min_entropy * sizeof (uint8_t)); + bool ok = Lib_RandomBuffer_System_randombytes(entropy, min_entropy); + if (!ok) + { + return false; + } + uint8_t *entropy_input = entropy; + uint8_t *nonce = entropy + entropy_input_len; + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + nonce_len + personalization_string_len); + uint8_t + *seed_material = + alloca((entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memset(seed_material, + 0U, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, nonce, nonce_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len + nonce_len, + personalization_string, + personalization_string_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state scrut; + if (st_s.tag == EverCrypt_DRBG_SHA2_384_s) + { + scrut = st_s.case_SHA2_384_s; + } + else + { + scrut = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = scrut.k; + uint8_t *v = scrut.v; + uint32_t *ctr = scrut.reseed_counter; + memset(k, 0U, (uint32_t)48U * sizeof (uint8_t)); + memset(v, (uint8_t)1U, (uint32_t)48U * sizeof (uint8_t)); + ctr[0U] = (uint32_t)1U; + uint32_t + input_len = (uint32_t)49U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)49U, + seed_material, + (entropy_input_len + nonce_len + 
personalization_string_len) * sizeof (uint8_t)); + } + input0[48U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_384(k_, k, (uint32_t)48U, input0, input_len); + EverCrypt_HMAC_compute_sha2_384(v, k_, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)49U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)49U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input[48U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_384(k_0, k, (uint32_t)48U, input, input_len0); + EverCrypt_HMAC_compute_sha2_384(v, k_0, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_0, (uint32_t)48U * sizeof (uint8_t)); + } + return true; +} + +bool +EverCrypt_DRBG_instantiate_sha2_512( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t personalization_string_len +) +{ + if (personalization_string_len > Hacl_HMAC_DRBG_max_personalization_string_length) + { + return false; + } + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_512); + uint32_t nonce_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_512) / (uint32_t)2U; + uint32_t min_entropy = entropy_input_len + nonce_len; + KRML_CHECK_SIZE(sizeof (uint8_t), min_entropy); + uint8_t *entropy = alloca(min_entropy * sizeof (uint8_t)); + memset(entropy, 0U, min_entropy * sizeof (uint8_t)); + bool ok = Lib_RandomBuffer_System_randombytes(entropy, min_entropy); + if (!ok) + { + return false; + } + uint8_t *entropy_input = entropy; 
+ uint8_t *nonce = entropy + entropy_input_len; + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + nonce_len + personalization_string_len); + uint8_t + *seed_material = + alloca((entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memset(seed_material, + 0U, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, nonce, nonce_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len + nonce_len, + personalization_string, + personalization_string_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state scrut; + if (st_s.tag == EverCrypt_DRBG_SHA2_512_s) + { + scrut = st_s.case_SHA2_512_s; + } + else + { + scrut = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = scrut.k; + uint8_t *v = scrut.v; + uint32_t *ctr = scrut.reseed_counter; + memset(k, 0U, (uint32_t)64U * sizeof (uint8_t)); + memset(v, (uint8_t)1U, (uint32_t)64U * sizeof (uint8_t)); + ctr[0U] = (uint32_t)1U; + uint32_t + input_len = (uint32_t)65U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)65U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input0[64U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_512(k_, k, (uint32_t)64U, input0, input_len); + EverCrypt_HMAC_compute_sha2_512(v, k_, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + 
personalization_string_len != (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)65U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)65U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input[64U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_512(k_0, k, (uint32_t)64U, input, input_len0); + EverCrypt_HMAC_compute_sha2_512(v, k_0, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_0, (uint32_t)64U * sizeof (uint8_t)); + } + return true; +} + +bool +EverCrypt_DRBG_reseed_sha1( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + if (additional_input_len > Hacl_HMAC_DRBG_max_additional_input_length) + { + return false; + } + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA1); + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len); + uint8_t *entropy_input = alloca(entropy_input_len * sizeof (uint8_t)); + memset(entropy_input, 0U, entropy_input_len * sizeof (uint8_t)); + bool ok = Lib_RandomBuffer_System_randombytes(entropy_input, entropy_input_len); + if (!ok) + { + return false; + } + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + additional_input_len); + uint8_t *seed_material = alloca((entropy_input_len + additional_input_len) * sizeof (uint8_t)); + memset(seed_material, 0U, (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, + additional_input, + additional_input_len * sizeof (uint8_t)); + 
Hacl_HMAC_DRBG_state uu____0; + if (st_s.tag == EverCrypt_DRBG_SHA1_s) + { + uu____0 = st_s.case_SHA1_s; + } + else + { + uu____0 = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = uu____0.k; + uint8_t *v = uu____0.v; + uint32_t *ctr = uu____0.reseed_counter; + uint32_t input_len = (uint32_t)21U + entropy_input_len + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)21U, + seed_material, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + } + input0[20U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha1(k_, k, (uint32_t)20U, input0, input_len); + EverCrypt_HMAC_compute_sha1(v, k_, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)21U + entropy_input_len + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)21U, + seed_material, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + } + input[20U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha1(k_0, k, (uint32_t)20U, input, input_len0); + EverCrypt_HMAC_compute_sha1(v, k_0, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_0, (uint32_t)20U * sizeof (uint8_t)); + } + ctr[0U] = (uint32_t)1U; + return true; +} + +bool +EverCrypt_DRBG_reseed_sha2_256( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + 
uint32_t additional_input_len +) +{ + if (additional_input_len > Hacl_HMAC_DRBG_max_additional_input_length) + { + return false; + } + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_256); + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len); + uint8_t *entropy_input = alloca(entropy_input_len * sizeof (uint8_t)); + memset(entropy_input, 0U, entropy_input_len * sizeof (uint8_t)); + bool ok = Lib_RandomBuffer_System_randombytes(entropy_input, entropy_input_len); + if (!ok) + { + return false; + } + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + additional_input_len); + uint8_t *seed_material = alloca((entropy_input_len + additional_input_len) * sizeof (uint8_t)); + memset(seed_material, 0U, (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, + additional_input, + additional_input_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state uu____0; + if (st_s.tag == EverCrypt_DRBG_SHA2_256_s) + { + uu____0 = st_s.case_SHA2_256_s; + } + else + { + uu____0 = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = uu____0.k; + uint8_t *v = uu____0.v; + uint32_t *ctr = uu____0.reseed_counter; + uint32_t input_len = (uint32_t)33U + entropy_input_len + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)33U, + seed_material, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + } + input0[32U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_256(k_, k, (uint32_t)32U, input0, input_len); + 
EverCrypt_HMAC_compute_sha2_256(v, k_, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)33U + entropy_input_len + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)33U, + seed_material, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + } + input[32U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_256(k_0, k, (uint32_t)32U, input, input_len0); + EverCrypt_HMAC_compute_sha2_256(v, k_0, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_0, (uint32_t)32U * sizeof (uint8_t)); + } + ctr[0U] = (uint32_t)1U; + return true; +} + +bool +EverCrypt_DRBG_reseed_sha2_384( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + if (additional_input_len > Hacl_HMAC_DRBG_max_additional_input_length) + { + return false; + } + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_384); + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len); + uint8_t *entropy_input = alloca(entropy_input_len * sizeof (uint8_t)); + memset(entropy_input, 0U, entropy_input_len * sizeof (uint8_t)); + bool ok = Lib_RandomBuffer_System_randombytes(entropy_input, entropy_input_len); + if (!ok) + { + return false; + } + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + additional_input_len); + uint8_t *seed_material = alloca((entropy_input_len + additional_input_len) * sizeof (uint8_t)); + memset(seed_material, 0U, (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); 
+ memcpy(seed_material + entropy_input_len, + additional_input, + additional_input_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state uu____0; + if (st_s.tag == EverCrypt_DRBG_SHA2_384_s) + { + uu____0 = st_s.case_SHA2_384_s; + } + else + { + uu____0 = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = uu____0.k; + uint8_t *v = uu____0.v; + uint32_t *ctr = uu____0.reseed_counter; + uint32_t input_len = (uint32_t)49U + entropy_input_len + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)49U, + seed_material, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + } + input0[48U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_384(k_, k, (uint32_t)48U, input0, input_len); + EverCrypt_HMAC_compute_sha2_384(v, k_, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)49U + entropy_input_len + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)49U, + seed_material, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + } + input[48U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_384(k_0, k, (uint32_t)48U, input, input_len0); + EverCrypt_HMAC_compute_sha2_384(v, k_0, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_0, (uint32_t)48U * sizeof (uint8_t)); + } + ctr[0U] = 
(uint32_t)1U; + return true; +} + +bool +EverCrypt_DRBG_reseed_sha2_512( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + if (additional_input_len > Hacl_HMAC_DRBG_max_additional_input_length) + { + return false; + } + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_512); + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len); + uint8_t *entropy_input = alloca(entropy_input_len * sizeof (uint8_t)); + memset(entropy_input, 0U, entropy_input_len * sizeof (uint8_t)); + bool ok = Lib_RandomBuffer_System_randombytes(entropy_input, entropy_input_len); + if (!ok) + { + return false; + } + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + additional_input_len); + uint8_t *seed_material = alloca((entropy_input_len + additional_input_len) * sizeof (uint8_t)); + memset(seed_material, 0U, (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, + additional_input, + additional_input_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state uu____0; + if (st_s.tag == EverCrypt_DRBG_SHA2_512_s) + { + uu____0 = st_s.case_SHA2_512_s; + } + else + { + uu____0 = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = uu____0.k; + uint8_t *v = uu____0.v; + uint32_t *ctr = uu____0.reseed_counter; + uint32_t input_len = (uint32_t)65U + entropy_input_len + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)65U, + seed_material, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + } + 
input0[64U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_512(k_, k, (uint32_t)64U, input0, input_len); + EverCrypt_HMAC_compute_sha2_512(v, k_, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)65U + entropy_input_len + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)65U, + seed_material, + (entropy_input_len + additional_input_len) * sizeof (uint8_t)); + } + input[64U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_512(k_0, k, (uint32_t)64U, input, input_len0); + EverCrypt_HMAC_compute_sha2_512(v, k_0, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_0, (uint32_t)64U * sizeof (uint8_t)); + } + ctr[0U] = (uint32_t)1U; + return true; +} + +bool +EverCrypt_DRBG_generate_sha1( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + if + ( + additional_input_len + > Hacl_HMAC_DRBG_max_additional_input_length + || n > Hacl_HMAC_DRBG_max_output_length + ) + { + return false; + } + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA1); + bool ok0; + if (additional_input_len > Hacl_HMAC_DRBG_max_additional_input_length) + { + ok0 = false; + } + else + { + uint32_t entropy_input_len1 = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA1); + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len1); + uint8_t *entropy_input = alloca(entropy_input_len1 * sizeof (uint8_t)); + memset(entropy_input, 0U, entropy_input_len1 * sizeof (uint8_t)); + bool ok = Lib_RandomBuffer_System_randombytes(entropy_input, entropy_input_len1); + bool result; + if 
(!ok) + { + result = false; + } + else + { + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len1 + additional_input_len); + uint8_t + *seed_material = alloca((entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + memset(seed_material, 0U, (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len1 * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len1, + additional_input, + additional_input_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state uu____0; + if (st_s.tag == EverCrypt_DRBG_SHA1_s) + { + uu____0 = st_s.case_SHA1_s; + } + else + { + uu____0 = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = uu____0.k; + uint8_t *v = uu____0.v; + uint32_t *ctr = uu____0.reseed_counter; + uint32_t input_len = (uint32_t)21U + entropy_input_len1 + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)21U, + seed_material, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + } + input0[20U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha1(k_, k, (uint32_t)20U, input0, input_len); + EverCrypt_HMAC_compute_sha1(v, k_, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)21U + entropy_input_len1 + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)20U * sizeof (uint8_t)); + if 
(entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)21U, + seed_material, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + } + input[20U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha1(k_0, k, (uint32_t)20U, input, input_len0); + EverCrypt_HMAC_compute_sha1(v, k_0, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_0, (uint32_t)20U * sizeof (uint8_t)); + } + ctr[0U] = (uint32_t)1U; + result = true; + } + ok0 = result; + } + if (!ok0) + { + return false; + } + EverCrypt_DRBG_state_s st_s = *st; + Hacl_HMAC_DRBG_state x1; + if (st_s.tag == EverCrypt_DRBG_SHA1_s) + { + x1 = st_s.case_SHA1_s; + } + else + { + x1 = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + bool b; + if (x1.reseed_counter[0U] > Hacl_HMAC_DRBG_reseed_interval) + { + b = false; + } + else + { + Hacl_HMAC_DRBG_state scrut; + if (st_s.tag == EverCrypt_DRBG_SHA1_s) + { + scrut = st_s.case_SHA1_s; + } + else + { + scrut = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = scrut.k; + uint8_t *v = scrut.v; + uint32_t *ctr = scrut.reseed_counter; + if (additional_input_len > (uint32_t)0U) + { + uint32_t input_len = (uint32_t)21U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)21U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input0[20U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha1(k_, k, (uint32_t)20U, input0, input_len); + EverCrypt_HMAC_compute_sha1(v, k_, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)21U + 
additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)21U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input[20U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha1(k_0, k, (uint32_t)20U, input, input_len0); + EverCrypt_HMAC_compute_sha1(v, k_0, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_0, (uint32_t)20U * sizeof (uint8_t)); + } + } + uint8_t *output1 = output; + uint32_t max = n / (uint32_t)20U; + uint8_t *out = output1; + for (uint32_t i = (uint32_t)0U; i < max; i++) + { + EverCrypt_HMAC_compute_sha1(v, k, (uint32_t)20U, v, (uint32_t)20U); + memcpy(out + i * (uint32_t)20U, v, (uint32_t)20U * sizeof (uint8_t)); + } + if (max * (uint32_t)20U < n) + { + uint8_t *block = output1 + max * (uint32_t)20U; + EverCrypt_HMAC_compute_sha1(v, k, (uint32_t)20U, v, (uint32_t)20U); + memcpy(block, v, (n - max * (uint32_t)20U) * sizeof (uint8_t)); + } + uint32_t input_len = (uint32_t)21U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)21U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input0[20U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha1(k_, k, (uint32_t)20U, input0, input_len); + EverCrypt_HMAC_compute_sha1(v, k_, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)21U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = 
alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)21U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input[20U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha1(k_0, k, (uint32_t)20U, input, input_len0); + EverCrypt_HMAC_compute_sha1(v, k_0, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_0, (uint32_t)20U * sizeof (uint8_t)); + } + uint32_t old_ctr = ctr[0U]; + ctr[0U] = old_ctr + (uint32_t)1U; + b = true; + } + return true; +} + +bool +EverCrypt_DRBG_generate_sha2_256( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + if + ( + additional_input_len + > Hacl_HMAC_DRBG_max_additional_input_length + || n > Hacl_HMAC_DRBG_max_output_length + ) + { + return false; + } + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_256); + bool ok0; + if (additional_input_len > Hacl_HMAC_DRBG_max_additional_input_length) + { + ok0 = false; + } + else + { + uint32_t entropy_input_len1 = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_256); + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len1); + uint8_t *entropy_input = alloca(entropy_input_len1 * sizeof (uint8_t)); + memset(entropy_input, 0U, entropy_input_len1 * sizeof (uint8_t)); + bool ok = Lib_RandomBuffer_System_randombytes(entropy_input, entropy_input_len1); + bool result; + if (!ok) + { + result = false; + } + else + { + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len1 + additional_input_len); + uint8_t + *seed_material = alloca((entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + memset(seed_material, 0U, (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len1 * sizeof (uint8_t)); + 
memcpy(seed_material + entropy_input_len1, + additional_input, + additional_input_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state uu____0; + if (st_s.tag == EverCrypt_DRBG_SHA2_256_s) + { + uu____0 = st_s.case_SHA2_256_s; + } + else + { + uu____0 = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = uu____0.k; + uint8_t *v = uu____0.v; + uint32_t *ctr = uu____0.reseed_counter; + uint32_t input_len = (uint32_t)33U + entropy_input_len1 + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)33U, + seed_material, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + } + input0[32U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_256(k_, k, (uint32_t)32U, input0, input_len); + EverCrypt_HMAC_compute_sha2_256(v, k_, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)33U + entropy_input_len1 + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)33U, + seed_material, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + } + input[32U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_256(k_0, k, (uint32_t)32U, input, input_len0); + EverCrypt_HMAC_compute_sha2_256(v, k_0, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_0, (uint32_t)32U * sizeof (uint8_t)); + } + ctr[0U] 
= (uint32_t)1U; + result = true; + } + ok0 = result; + } + if (!ok0) + { + return false; + } + EverCrypt_DRBG_state_s st_s = *st; + Hacl_HMAC_DRBG_state x1; + if (st_s.tag == EverCrypt_DRBG_SHA2_256_s) + { + x1 = st_s.case_SHA2_256_s; + } + else + { + x1 = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + bool b; + if (x1.reseed_counter[0U] > Hacl_HMAC_DRBG_reseed_interval) + { + b = false; + } + else + { + Hacl_HMAC_DRBG_state scrut; + if (st_s.tag == EverCrypt_DRBG_SHA2_256_s) + { + scrut = st_s.case_SHA2_256_s; + } + else + { + scrut = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = scrut.k; + uint8_t *v = scrut.v; + uint32_t *ctr = scrut.reseed_counter; + if (additional_input_len > (uint32_t)0U) + { + uint32_t input_len = (uint32_t)33U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)33U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input0[32U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_256(k_, k, (uint32_t)32U, input0, input_len); + EverCrypt_HMAC_compute_sha2_256(v, k_, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)33U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)33U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input[32U] = 
(uint8_t)1U; + EverCrypt_HMAC_compute_sha2_256(k_0, k, (uint32_t)32U, input, input_len0); + EverCrypt_HMAC_compute_sha2_256(v, k_0, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_0, (uint32_t)32U * sizeof (uint8_t)); + } + } + uint8_t *output1 = output; + uint32_t max = n / (uint32_t)32U; + uint8_t *out = output1; + for (uint32_t i = (uint32_t)0U; i < max; i++) + { + EverCrypt_HMAC_compute_sha2_256(v, k, (uint32_t)32U, v, (uint32_t)32U); + memcpy(out + i * (uint32_t)32U, v, (uint32_t)32U * sizeof (uint8_t)); + } + if (max * (uint32_t)32U < n) + { + uint8_t *block = output1 + max * (uint32_t)32U; + EverCrypt_HMAC_compute_sha2_256(v, k, (uint32_t)32U, v, (uint32_t)32U); + memcpy(block, v, (n - max * (uint32_t)32U) * sizeof (uint8_t)); + } + uint32_t input_len = (uint32_t)33U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)33U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input0[32U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_256(k_, k, (uint32_t)32U, input0, input_len); + EverCrypt_HMAC_compute_sha2_256(v, k_, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)33U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)33U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input[32U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_256(k_0, k, (uint32_t)32U, input, 
input_len0); + EverCrypt_HMAC_compute_sha2_256(v, k_0, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_0, (uint32_t)32U * sizeof (uint8_t)); + } + uint32_t old_ctr = ctr[0U]; + ctr[0U] = old_ctr + (uint32_t)1U; + b = true; + } + return true; +} + +bool +EverCrypt_DRBG_generate_sha2_384( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + if + ( + additional_input_len + > Hacl_HMAC_DRBG_max_additional_input_length + || n > Hacl_HMAC_DRBG_max_output_length + ) + { + return false; + } + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_384); + bool ok0; + if (additional_input_len > Hacl_HMAC_DRBG_max_additional_input_length) + { + ok0 = false; + } + else + { + uint32_t entropy_input_len1 = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_384); + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len1); + uint8_t *entropy_input = alloca(entropy_input_len1 * sizeof (uint8_t)); + memset(entropy_input, 0U, entropy_input_len1 * sizeof (uint8_t)); + bool ok = Lib_RandomBuffer_System_randombytes(entropy_input, entropy_input_len1); + bool result; + if (!ok) + { + result = false; + } + else + { + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len1 + additional_input_len); + uint8_t + *seed_material = alloca((entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + memset(seed_material, 0U, (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len1 * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len1, + additional_input, + additional_input_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state uu____0; + if (st_s.tag == EverCrypt_DRBG_SHA2_384_s) + { + uu____0 = st_s.case_SHA2_384_s; + } + else + { + uu____0 = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = uu____0.k; + uint8_t *v = 
uu____0.v; + uint32_t *ctr = uu____0.reseed_counter; + uint32_t input_len = (uint32_t)49U + entropy_input_len1 + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)49U, + seed_material, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + } + input0[48U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_384(k_, k, (uint32_t)48U, input0, input_len); + EverCrypt_HMAC_compute_sha2_384(v, k_, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)49U + entropy_input_len1 + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)49U, + seed_material, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + } + input[48U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_384(k_0, k, (uint32_t)48U, input, input_len0); + EverCrypt_HMAC_compute_sha2_384(v, k_0, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_0, (uint32_t)48U * sizeof (uint8_t)); + } + ctr[0U] = (uint32_t)1U; + result = true; + } + ok0 = result; + } + if (!ok0) + { + return false; + } + EverCrypt_DRBG_state_s st_s = *st; + Hacl_HMAC_DRBG_state x1; + if (st_s.tag == EverCrypt_DRBG_SHA2_384_s) + { + x1 = st_s.case_SHA2_384_s; + } + else + { + x1 = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + bool b; + if (x1.reseed_counter[0U] 
> Hacl_HMAC_DRBG_reseed_interval) + { + b = false; + } + else + { + Hacl_HMAC_DRBG_state scrut; + if (st_s.tag == EverCrypt_DRBG_SHA2_384_s) + { + scrut = st_s.case_SHA2_384_s; + } + else + { + scrut = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = scrut.k; + uint8_t *v = scrut.v; + uint32_t *ctr = scrut.reseed_counter; + if (additional_input_len > (uint32_t)0U) + { + uint32_t input_len = (uint32_t)49U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)49U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input0[48U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_384(k_, k, (uint32_t)48U, input0, input_len); + EverCrypt_HMAC_compute_sha2_384(v, k_, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)49U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)49U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input[48U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_384(k_0, k, (uint32_t)48U, input, input_len0); + EverCrypt_HMAC_compute_sha2_384(v, k_0, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_0, (uint32_t)48U * sizeof (uint8_t)); + } + } + uint8_t *output1 = output; + uint32_t max = n / (uint32_t)48U; + uint8_t *out = output1; + for (uint32_t i = (uint32_t)0U; i < max; i++) + { + 
EverCrypt_HMAC_compute_sha2_384(v, k, (uint32_t)48U, v, (uint32_t)48U); + memcpy(out + i * (uint32_t)48U, v, (uint32_t)48U * sizeof (uint8_t)); + } + if (max * (uint32_t)48U < n) + { + uint8_t *block = output1 + max * (uint32_t)48U; + EverCrypt_HMAC_compute_sha2_384(v, k, (uint32_t)48U, v, (uint32_t)48U); + memcpy(block, v, (n - max * (uint32_t)48U) * sizeof (uint8_t)); + } + uint32_t input_len = (uint32_t)49U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)49U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input0[48U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_384(k_, k, (uint32_t)48U, input0, input_len); + EverCrypt_HMAC_compute_sha2_384(v, k_, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)49U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)49U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input[48U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_384(k_0, k, (uint32_t)48U, input, input_len0); + EverCrypt_HMAC_compute_sha2_384(v, k_0, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_0, (uint32_t)48U * sizeof (uint8_t)); + } + uint32_t old_ctr = ctr[0U]; + ctr[0U] = old_ctr + (uint32_t)1U; + b = true; + } + return true; +} + +bool +EverCrypt_DRBG_generate_sha2_512( + uint8_t *output, + EverCrypt_DRBG_state_s *st, + uint32_t n, + uint8_t 
*additional_input, + uint32_t additional_input_len +) +{ + if + ( + additional_input_len + > Hacl_HMAC_DRBG_max_additional_input_length + || n > Hacl_HMAC_DRBG_max_output_length + ) + { + return false; + } + uint32_t entropy_input_len = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_512); + bool ok0; + if (additional_input_len > Hacl_HMAC_DRBG_max_additional_input_length) + { + ok0 = false; + } + else + { + uint32_t entropy_input_len1 = Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_SHA2_512); + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len1); + uint8_t *entropy_input = alloca(entropy_input_len1 * sizeof (uint8_t)); + memset(entropy_input, 0U, entropy_input_len1 * sizeof (uint8_t)); + bool ok = Lib_RandomBuffer_System_randombytes(entropy_input, entropy_input_len1); + bool result; + if (!ok) + { + result = false; + } + else + { + EverCrypt_DRBG_state_s st_s = *st; + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len1 + additional_input_len); + uint8_t + *seed_material = alloca((entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + memset(seed_material, 0U, (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len1 * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len1, + additional_input, + additional_input_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state uu____0; + if (st_s.tag == EverCrypt_DRBG_SHA2_512_s) + { + uu____0 = st_s.case_SHA2_512_s; + } + else + { + uu____0 = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = uu____0.k; + uint8_t *v = uu____0.v; + uint32_t *ctr = uu____0.reseed_counter; + uint32_t input_len = (uint32_t)65U + entropy_input_len1 + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)64U * sizeof (uint8_t)); 
+ if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)65U, + seed_material, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + } + input0[64U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_512(k_, k, (uint32_t)64U, input0, input_len); + EverCrypt_HMAC_compute_sha2_512(v, k_, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)65U + entropy_input_len1 + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len1 + additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)65U, + seed_material, + (entropy_input_len1 + additional_input_len) * sizeof (uint8_t)); + } + input[64U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_512(k_0, k, (uint32_t)64U, input, input_len0); + EverCrypt_HMAC_compute_sha2_512(v, k_0, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_0, (uint32_t)64U * sizeof (uint8_t)); + } + ctr[0U] = (uint32_t)1U; + result = true; + } + ok0 = result; + } + if (!ok0) + { + return false; + } + EverCrypt_DRBG_state_s st_s = *st; + Hacl_HMAC_DRBG_state x1; + if (st_s.tag == EverCrypt_DRBG_SHA2_512_s) + { + x1 = st_s.case_SHA2_512_s; + } + else + { + x1 = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + bool b; + if (x1.reseed_counter[0U] > Hacl_HMAC_DRBG_reseed_interval) + { + b = false; + } + else + { + Hacl_HMAC_DRBG_state scrut; + if (st_s.tag == EverCrypt_DRBG_SHA2_512_s) + { + scrut = st_s.case_SHA2_512_s; + } + else + { + scrut = + KRML_EABORT(Hacl_HMAC_DRBG_state, + "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = scrut.k; + uint8_t *v = scrut.v; + uint32_t *ctr = 
scrut.reseed_counter; + if (additional_input_len > (uint32_t)0U) + { + uint32_t input_len = (uint32_t)65U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)65U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input0[64U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_512(k_, k, (uint32_t)64U, input0, input_len); + EverCrypt_HMAC_compute_sha2_512(v, k_, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)65U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)65U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input[64U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_512(k_0, k, (uint32_t)64U, input, input_len0); + EverCrypt_HMAC_compute_sha2_512(v, k_0, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_0, (uint32_t)64U * sizeof (uint8_t)); + } + } + uint8_t *output1 = output; + uint32_t max = n / (uint32_t)64U; + uint8_t *out = output1; + for (uint32_t i = (uint32_t)0U; i < max; i++) + { + EverCrypt_HMAC_compute_sha2_512(v, k, (uint32_t)64U, v, (uint32_t)64U); + memcpy(out + i * (uint32_t)64U, v, (uint32_t)64U * sizeof (uint8_t)); + } + if (max * (uint32_t)64U < n) + { + uint8_t *block = output1 + max * (uint32_t)64U; + EverCrypt_HMAC_compute_sha2_512(v, k, (uint32_t)64U, v, (uint32_t)64U); + memcpy(block, v, (n - max * (uint32_t)64U) * sizeof (uint8_t)); + } + 
uint32_t input_len = (uint32_t)65U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)65U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input0[64U] = (uint8_t)0U; + EverCrypt_HMAC_compute_sha2_512(k_, k, (uint32_t)64U, input0, input_len); + EverCrypt_HMAC_compute_sha2_512(v, k_, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)65U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)65U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input[64U] = (uint8_t)1U; + EverCrypt_HMAC_compute_sha2_512(k_0, k, (uint32_t)64U, input, input_len0); + EverCrypt_HMAC_compute_sha2_512(v, k_0, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_0, (uint32_t)64U * sizeof (uint8_t)); + } + uint32_t old_ctr = ctr[0U]; + ctr[0U] = old_ctr + (uint32_t)1U; + b = true; + } + return true; +} + +void EverCrypt_DRBG_uninstantiate_sha1(EverCrypt_DRBG_state_s *st) +{ + EverCrypt_DRBG_state_s st_s = *st; + Hacl_HMAC_DRBG_state s; + if (st_s.tag == EverCrypt_DRBG_SHA1_s) + { + s = st_s.case_SHA1_s; + } + else + { + s = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = s.k; + uint8_t *v = s.v; + uint32_t *ctr = s.reseed_counter; + Lib_Memzero0_memzero(k, (uint32_t)20U * sizeof (k[0U])); + Lib_Memzero0_memzero(v, (uint32_t)20U * sizeof 
(v[0U])); + ctr[0U] = (uint32_t)0U; + KRML_HOST_FREE(k); + KRML_HOST_FREE(v); + KRML_HOST_FREE(ctr); + KRML_HOST_FREE(st); +} + +void EverCrypt_DRBG_uninstantiate_sha2_256(EverCrypt_DRBG_state_s *st) +{ + EverCrypt_DRBG_state_s st_s = *st; + Hacl_HMAC_DRBG_state s; + if (st_s.tag == EverCrypt_DRBG_SHA2_256_s) + { + s = st_s.case_SHA2_256_s; + } + else + { + s = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = s.k; + uint8_t *v = s.v; + uint32_t *ctr = s.reseed_counter; + Lib_Memzero0_memzero(k, (uint32_t)32U * sizeof (k[0U])); + Lib_Memzero0_memzero(v, (uint32_t)32U * sizeof (v[0U])); + ctr[0U] = (uint32_t)0U; + KRML_HOST_FREE(k); + KRML_HOST_FREE(v); + KRML_HOST_FREE(ctr); + KRML_HOST_FREE(st); +} + +void EverCrypt_DRBG_uninstantiate_sha2_384(EverCrypt_DRBG_state_s *st) +{ + EverCrypt_DRBG_state_s st_s = *st; + Hacl_HMAC_DRBG_state s; + if (st_s.tag == EverCrypt_DRBG_SHA2_384_s) + { + s = st_s.case_SHA2_384_s; + } + else + { + s = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = s.k; + uint8_t *v = s.v; + uint32_t *ctr = s.reseed_counter; + Lib_Memzero0_memzero(k, (uint32_t)48U * sizeof (k[0U])); + Lib_Memzero0_memzero(v, (uint32_t)48U * sizeof (v[0U])); + ctr[0U] = (uint32_t)0U; + KRML_HOST_FREE(k); + KRML_HOST_FREE(v); + KRML_HOST_FREE(ctr); + KRML_HOST_FREE(st); +} + +void EverCrypt_DRBG_uninstantiate_sha2_512(EverCrypt_DRBG_state_s *st) +{ + EverCrypt_DRBG_state_s st_s = *st; + Hacl_HMAC_DRBG_state s; + if (st_s.tag == EverCrypt_DRBG_SHA2_512_s) + { + s = st_s.case_SHA2_512_s; + } + else + { + s = KRML_EABORT(Hacl_HMAC_DRBG_state, "unreachable (pattern matches are exhaustive in F*)"); + } + uint8_t *k = s.k; + uint8_t *v = s.v; + uint32_t *ctr = s.reseed_counter; + Lib_Memzero0_memzero(k, (uint32_t)64U * sizeof (k[0U])); + Lib_Memzero0_memzero(v, (uint32_t)64U * sizeof (v[0U])); + ctr[0U] = (uint32_t)0U; + KRML_HOST_FREE(k); + 
KRML_HOST_FREE(v); + KRML_HOST_FREE(ctr); + KRML_HOST_FREE(st); +} + +bool +EverCrypt_DRBG_instantiate( + EverCrypt_DRBG_state_s *st, + uint8_t *personalization_string, + uint32_t personalization_string_len +) +{ + EverCrypt_DRBG_state_s scrut = *st; + if (scrut.tag == EverCrypt_DRBG_SHA1_s) + { + return EverCrypt_DRBG_instantiate_sha1(st, personalization_string, personalization_string_len); + } + if (scrut.tag == EverCrypt_DRBG_SHA2_256_s) + { + return + EverCrypt_DRBG_instantiate_sha2_256(st, + personalization_string, + personalization_string_len); + } + if (scrut.tag == EverCrypt_DRBG_SHA2_384_s) + { + return + EverCrypt_DRBG_instantiate_sha2_384(st, + personalization_string, + personalization_string_len); + } + if (scrut.tag == EverCrypt_DRBG_SHA2_512_s) + { + return + EverCrypt_DRBG_instantiate_sha2_512(st, + personalization_string, + personalization_string_len); + } + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +bool +EverCrypt_DRBG_reseed( + EverCrypt_DRBG_state_s *st, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + EverCrypt_DRBG_state_s scrut = *st; + if (scrut.tag == EverCrypt_DRBG_SHA1_s) + { + return EverCrypt_DRBG_reseed_sha1(st, additional_input, additional_input_len); + } + if (scrut.tag == EverCrypt_DRBG_SHA2_256_s) + { + return EverCrypt_DRBG_reseed_sha2_256(st, additional_input, additional_input_len); + } + if (scrut.tag == EverCrypt_DRBG_SHA2_384_s) + { + return EverCrypt_DRBG_reseed_sha2_384(st, additional_input, additional_input_len); + } + if (scrut.tag == EverCrypt_DRBG_SHA2_512_s) + { + return EverCrypt_DRBG_reseed_sha2_512(st, additional_input, additional_input_len); + } + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +bool +EverCrypt_DRBG_generate( + uint8_t *output, + EverCrypt_DRBG_state_s 
*st, + uint32_t n, + uint8_t *additional_input, + uint32_t additional_input_len +) +{ + EverCrypt_DRBG_state_s scrut = *st; + if (scrut.tag == EverCrypt_DRBG_SHA1_s) + { + return EverCrypt_DRBG_generate_sha1(output, st, n, additional_input, additional_input_len); + } + if (scrut.tag == EverCrypt_DRBG_SHA2_256_s) + { + return EverCrypt_DRBG_generate_sha2_256(output, st, n, additional_input, additional_input_len); + } + if (scrut.tag == EverCrypt_DRBG_SHA2_384_s) + { + return EverCrypt_DRBG_generate_sha2_384(output, st, n, additional_input, additional_input_len); + } + if (scrut.tag == EverCrypt_DRBG_SHA2_512_s) + { + return EverCrypt_DRBG_generate_sha2_512(output, st, n, additional_input, additional_input_len); + } + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +void EverCrypt_DRBG_uninstantiate(EverCrypt_DRBG_state_s *st) +{ + EverCrypt_DRBG_state_s scrut = *st; + if (scrut.tag == EverCrypt_DRBG_SHA1_s) + { + EverCrypt_DRBG_uninstantiate_sha1(st); + return; + } + if (scrut.tag == EverCrypt_DRBG_SHA2_256_s) + { + EverCrypt_DRBG_uninstantiate_sha2_256(st); + return; + } + if (scrut.tag == EverCrypt_DRBG_SHA2_384_s) + { + EverCrypt_DRBG_uninstantiate_sha2_384(st); + return; + } + if (scrut.tag == EverCrypt_DRBG_SHA2_512_s) + { + EverCrypt_DRBG_uninstantiate_sha2_512(st); + return; + } + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + diff --git a/src/msvc/EverCrypt_Ed25519.c b/src/msvc/EverCrypt_Ed25519.c new file mode 100644 index 00000000..09a2a0fd --- /dev/null +++ b/src/msvc/EverCrypt_Ed25519.c 
@@ -0,0 +1,54 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "EverCrypt_Ed25519.h" + + + +void EverCrypt_Ed25519_sign(uint8_t *signature, uint8_t *secret, uint32_t len, uint8_t *msg) +{ + Hacl_Ed25519_sign(signature, secret, len, msg); +} + +bool EverCrypt_Ed25519_verify(uint8_t *pubkey, uint32_t len, uint8_t *msg, uint8_t *signature) +{ + return Hacl_Ed25519_verify(pubkey, len, msg, signature); +} + +void EverCrypt_Ed25519_secret_to_public(uint8_t *output, uint8_t *secret) +{ + Hacl_Ed25519_secret_to_public(output, secret); +} + +void EverCrypt_Ed25519_expand_keys(uint8_t *ks, uint8_t *secret) +{ + Hacl_Ed25519_expand_keys(ks, secret); +} + +void +EverCrypt_Ed25519_sign_expanded(uint8_t *signature, uint8_t *ks, uint32_t len, uint8_t *msg) +{ + Hacl_Ed25519_sign_expanded(signature, ks, len, msg); +} + 
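Review bot: The five `EverCrypt_Ed25519_*` wrappers carry no documentation of the fixed buffer sizes their callees require, so a C caller cannot tell from the signatures which pointer is written and how many bytes each must hold. Ed25519 (RFC 8032) fixes `signature` at 64 bytes and `secret` at 32 bytes; the size of the `ks` buffer written by `EverCrypt_Ed25519_expand_keys` is not visible in this hunk and should be stated wherever the header declares it. A comment on `EverCrypt_Ed25519_sign` such as `/* signature: 64 bytes (written); secret: 32 bytes (read); msg: len bytes (read) */`, mirrored on the other four, would make the contract visible. If this file is regenerated from F* (the license header and naming suggest KaRaMeL output), the comment belongs in the F* interface rather than in this .c file.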
diff --git a/src/msvc/EverCrypt_Error.c b/src/msvc/EverCrypt_Error.c new file mode 100644 index 00000000..1a311ad2 --- /dev/null +++ b/src/msvc/EverCrypt_Error.c 
@@ -0,0 +1,118 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_Error.h" + + + +bool EverCrypt_Error_uu___is_Success(EverCrypt_Error_error_code projectee) +{ + switch (projectee) + { + case EverCrypt_Error_Success: + { + return true; + } + default: + { + return false; + } + } +} + +bool EverCrypt_Error_uu___is_UnsupportedAlgorithm(EverCrypt_Error_error_code projectee) +{ + switch (projectee) + { + case EverCrypt_Error_UnsupportedAlgorithm: + { + return true; + } + default: + { + return false; + } + } +} + +bool EverCrypt_Error_uu___is_InvalidKey(EverCrypt_Error_error_code projectee) +{ + switch (projectee) + { + case EverCrypt_Error_InvalidKey: + { + return true; + } + default: + { + return false; + } + } +} + +bool EverCrypt_Error_uu___is_AuthenticationFailure(EverCrypt_Error_error_code projectee) +{ + switch (projectee) + { + case EverCrypt_Error_AuthenticationFailure: + { + return true; + } + default: + { + return false; + } + } +} + +bool EverCrypt_Error_uu___is_InvalidIVLength(EverCrypt_Error_error_code projectee) +{ + switch (projectee) + { + case EverCrypt_Error_InvalidIVLength: + { + return true; + } + default: + { + return false; + } + } +} + +bool EverCrypt_Error_uu___is_DecodeError(EverCrypt_Error_error_code projectee) +{ + switch (projectee) + { + case EverCrypt_Error_DecodeError: + { + return true; + } + default: + { + return false; + } + } +} + diff --git a/src/msvc/EverCrypt_HKDF.c b/src/msvc/EverCrypt_HKDF.c new file mode 100644 index 00000000..bb544ea1 --- /dev/null +++ b/src/msvc/EverCrypt_HKDF.c 
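Review bot: Each `EverCrypt_Error_uu___is_*` predicate is a six-line `switch` whose only content is a single tag comparison; `return projectee == EverCrypt_Error_Success;` (and likewise for the other five) expresses the same thing in one line. Since the file looks machine-generated from F* (the `uu___` prefix and the license header), a hand edit would be lost on regeneration, so this is a remark for the extraction tooling rather than a change to make in this commit.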
@@ -0,0 +1,526 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_HKDF.h" + + + +void +EverCrypt_HKDF_expand_sha1( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)20U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + uint8_t *text = alloca((tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + memset(text, 0U, (tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + EverCrypt_HMAC_compute_sha1(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_sha1(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + EverCrypt_HMAC_compute_sha1(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_sha1(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } +} + +void +EverCrypt_HKDF_extract_sha1( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + EverCrypt_HMAC_compute_sha1(prk, salt, saltlen, ikm, ikmlen); +} + +void +EverCrypt_HKDF_expand_sha2_256( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)32U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + uint8_t *text = alloca((tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + memset(text, 0U, (tlen + 
infolen + (uint32_t)1U) * sizeof (uint8_t)); + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + EverCrypt_HMAC_compute_sha2_256(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_sha2_256(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + EverCrypt_HMAC_compute_sha2_256(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_sha2_256(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } +} + +void +EverCrypt_HKDF_extract_sha2_256( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + EverCrypt_HMAC_compute_sha2_256(prk, salt, saltlen, ikm, ikmlen); +} + +void +EverCrypt_HKDF_expand_sha2_384( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)48U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + uint8_t *text = alloca((tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + memset(text, 0U, (tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + EverCrypt_HMAC_compute_sha2_384(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + 
EverCrypt_HMAC_compute_sha2_384(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + EverCrypt_HMAC_compute_sha2_384(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_sha2_384(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } +} + +void +EverCrypt_HKDF_extract_sha2_384( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + EverCrypt_HMAC_compute_sha2_384(prk, salt, saltlen, ikm, ikmlen); +} + +void +EverCrypt_HKDF_expand_sha2_512( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)64U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + uint8_t *text = alloca((tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + memset(text, 0U, (tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + EverCrypt_HMAC_compute_sha2_512(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_sha2_512(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + EverCrypt_HMAC_compute_sha2_512(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_sha2_512(tag, prk, prklen, text, tlen + infolen 
+ (uint32_t)1U); + } + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } +} + +void +EverCrypt_HKDF_extract_sha2_512( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + EverCrypt_HMAC_compute_sha2_512(prk, salt, saltlen, ikm, ikmlen); +} + +void +EverCrypt_HKDF_expand_blake2s( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)32U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + uint8_t *text = alloca((tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + memset(text, 0U, (tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + EverCrypt_HMAC_compute_blake2s(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_blake2s(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + EverCrypt_HMAC_compute_blake2s(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_blake2s(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } +} + +void +EverCrypt_HKDF_extract_blake2s( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + EverCrypt_HMAC_compute_blake2s(prk, salt, saltlen, ikm, ikmlen); +} + +void +EverCrypt_HKDF_expand_blake2b( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t 
*info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)64U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + uint8_t *text = alloca((tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + memset(text, 0U, (tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + EverCrypt_HMAC_compute_blake2b(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_blake2b(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + EverCrypt_HMAC_compute_blake2b(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + EverCrypt_HMAC_compute_blake2b(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } +} + +void +EverCrypt_HKDF_extract_blake2b( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + EverCrypt_HMAC_compute_blake2b(prk, salt, saltlen, ikm, ikmlen); +} + +void +EverCrypt_HKDF_expand( + Spec_Hash_Definitions_hash_alg a, + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + EverCrypt_HKDF_expand_sha1(okm, prk, prklen, info, infolen, len); + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + EverCrypt_HKDF_expand_sha2_256(okm, prk, prklen, info, infolen, len); + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + EverCrypt_HKDF_expand_sha2_384(okm, prk, 
prklen, info, infolen, len); + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + EverCrypt_HKDF_expand_sha2_512(okm, prk, prklen, info, infolen, len); + break; + } + case Spec_Hash_Definitions_Blake2S: + { + EverCrypt_HKDF_expand_blake2s(okm, prk, prklen, info, infolen, len); + break; + } + case Spec_Hash_Definitions_Blake2B: + { + EverCrypt_HKDF_expand_blake2b(okm, prk, prklen, info, infolen, len); + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +void +EverCrypt_HKDF_extract( + Spec_Hash_Definitions_hash_alg a, + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + EverCrypt_HKDF_extract_sha1(prk, salt, saltlen, ikm, ikmlen); + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + EverCrypt_HKDF_extract_sha2_256(prk, salt, saltlen, ikm, ikmlen); + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + EverCrypt_HKDF_extract_sha2_384(prk, salt, saltlen, ikm, ikmlen); + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + EverCrypt_HKDF_extract_sha2_512(prk, salt, saltlen, ikm, ikmlen); + break; + } + case Spec_Hash_Definitions_Blake2S: + { + EverCrypt_HKDF_extract_blake2s(prk, salt, saltlen, ikm, ikmlen); + break; + } + case Spec_Hash_Definitions_Blake2B: + { + EverCrypt_HKDF_extract_blake2b(prk, salt, saltlen, ikm, ikmlen); + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +KRML_DEPRECATED("expand") + +void +EverCrypt_HKDF_hkdf_expand( + Spec_Hash_Definitions_hash_alg a, + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + EverCrypt_HKDF_expand(a, okm, prk, prklen, info, infolen, len); +} + +KRML_DEPRECATED("extract") + +void +EverCrypt_HKDF_hkdf_extract( + Spec_Hash_Definitions_hash_alg a, + uint8_t *prk, + 
uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + EverCrypt_HKDF_extract(a, prk, salt, saltlen, ikm, ikmlen); +} + diff --git a/src/msvc/EverCrypt_HMAC.c b/src/msvc/EverCrypt_HMAC.c new file mode 100644 index 00000000..7586643e --- /dev/null +++ b/src/msvc/EverCrypt_HMAC.c 
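Review bot: `EverCrypt_HKDF_expand_sha1` (and every other `EverCrypt_HKDF_expand_*` in this hunk) enforces neither of the bounds RFC 5869 places on its inputs: `len` must be at most 255 times the hash length, otherwise the counter byte `ctr[0U] = (uint8_t)(i + (uint32_t)1U);` wraps at block 256 and the output past that point is no longer HKDF; and `tlen + infolen + (uint32_t)1U` is caller-controlled, can wrap as a `uint32_t` addition before `KRML_CHECK_SIZE` sees the product, and sizes an `alloca` stack buffer with no upper bound. These are presumably discharged as preconditions in the F* source, so the C entry points are only correct when the caller honours them, and the header should say so. A comment on each expand function such as `/* Precondition (not checked at runtime): len <= 255 * hash_len and tlen + infolen + 1 fits in uint32_t; text is alloca'd, so a large infolen grows the stack. */` would make that contract visible to C callers. The same documentation gap applies to the `EverCrypt_HKDF_expand` and `EverCrypt_HKDF_extract` dispatchers, whose `default` branch aborts the process via `KRML_HOST_EXIT(253U)` for any other `Spec_Hash_Definitions_hash_alg` value instead of reporting an error.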
@@ -0,0 +1,855 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_HMAC.h" + +#include "internal/Hacl_Hash_SHA2.h" +#include "internal/Hacl_Hash_SHA1.h" +#include "internal/Hacl_Hash_Blake2.h" +#include "internal/Hacl_HMAC.h" + +void +EverCrypt_HMAC_compute_sha1( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)64U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *key_block = alloca(l * sizeof (uint8_t)); + memset(key_block, 0U, l * sizeof (uint8_t)); + uint32_t i0; + if (key_len <= (uint32_t)64U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)20U; + } + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)64U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_SHA1_legacy_hash(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *ipad = alloca(l * sizeof (uint8_t)); + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *opad = alloca(l * sizeof (uint8_t)); + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + uint32_t + scrut[5U] = + { + (uint32_t)0x67452301U, (uint32_t)0xefcdab89U, (uint32_t)0x98badcfeU, (uint32_t)0x10325476U, + (uint32_t)0xc3d2e1f0U + }; + uint32_t *s = scrut; + uint8_t *dst1 = ipad; + Hacl_Hash_Core_SHA1_legacy_init(s); + if (data_len == (uint32_t)0U) + { + Hacl_Hash_SHA1_legacy_update_last(s, (uint64_t)0U, ipad, (uint32_t)64U); + } + else + { + Hacl_Hash_SHA1_legacy_update_multi(s, ipad, (uint32_t)1U); + Hacl_Hash_SHA1_legacy_update_last(s, (uint64_t)(uint32_t)64U, data, data_len); + } + Hacl_Hash_Core_SHA1_legacy_finish(s, dst1); + uint8_t *hash1 = ipad; + Hacl_Hash_Core_SHA1_legacy_init(s); + if ((uint32_t)20U == (uint32_t)0U) + { + 
Hacl_Hash_SHA1_legacy_update_last(s, (uint64_t)0U, opad, (uint32_t)64U); + } + else + { + Hacl_Hash_SHA1_legacy_update_multi(s, opad, (uint32_t)1U); + Hacl_Hash_SHA1_legacy_update_last(s, (uint64_t)(uint32_t)64U, hash1, (uint32_t)20U); + } + Hacl_Hash_Core_SHA1_legacy_finish(s, dst); +} + +void +EverCrypt_HMAC_compute_sha2_256( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)64U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *key_block = alloca(l * sizeof (uint8_t)); + memset(key_block, 0U, l * sizeof (uint8_t)); + uint32_t i0; + if (key_len <= (uint32_t)64U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)32U; + } + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)64U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + EverCrypt_Hash_hash_256(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *ipad = alloca(l * sizeof (uint8_t)); + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *opad = alloca(l * sizeof (uint8_t)); + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + uint32_t + scrut[8U] = + { + (uint32_t)0x6a09e667U, (uint32_t)0xbb67ae85U, (uint32_t)0x3c6ef372U, (uint32_t)0xa54ff53aU, + (uint32_t)0x510e527fU, (uint32_t)0x9b05688cU, (uint32_t)0x1f83d9abU, (uint32_t)0x5be0cd19U + }; + uint32_t *s = scrut; + uint8_t *dst1 = ipad; + Hacl_Hash_Core_SHA2_init_256(s); + if (data_len == (uint32_t)0U) + { + EverCrypt_Hash_update_last_256(s, (uint64_t)0U, ipad, (uint32_t)64U); + } + else + { + EverCrypt_Hash_update_multi_256(s, ipad, (uint32_t)1U); + EverCrypt_Hash_update_last_256(s, (uint64_t)(uint32_t)64U, data, data_len); + } + 
Hacl_Hash_Core_SHA2_finish_256(s, dst1); + uint8_t *hash1 = ipad; + Hacl_Hash_Core_SHA2_init_256(s); + if ((uint32_t)32U == (uint32_t)0U) + { + EverCrypt_Hash_update_last_256(s, (uint64_t)0U, opad, (uint32_t)64U); + } + else + { + EverCrypt_Hash_update_multi_256(s, opad, (uint32_t)1U); + EverCrypt_Hash_update_last_256(s, (uint64_t)(uint32_t)64U, hash1, (uint32_t)32U); + } + Hacl_Hash_Core_SHA2_finish_256(s, dst); +} + +void +EverCrypt_HMAC_compute_sha2_384( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)128U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *key_block = alloca(l * sizeof (uint8_t)); + memset(key_block, 0U, l * sizeof (uint8_t)); + uint32_t i0; + if (key_len <= (uint32_t)128U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)48U; + } + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)128U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_SHA2_hash_384(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *ipad = alloca(l * sizeof (uint8_t)); + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *opad = alloca(l * sizeof (uint8_t)); + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + uint64_t + scrut[8U] = + { + (uint64_t)0xcbbb9d5dc1059ed8U, (uint64_t)0x629a292a367cd507U, (uint64_t)0x9159015a3070dd17U, + (uint64_t)0x152fecd8f70e5939U, (uint64_t)0x67332667ffc00b31U, (uint64_t)0x8eb44a8768581511U, + (uint64_t)0xdb0c2e0d64f98fa7U, (uint64_t)0x47b5481dbefa4fa4U + }; + uint64_t *s = scrut; + uint8_t *dst1 = ipad; + Hacl_Hash_Core_SHA2_init_384(s); + if (data_len == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_384(s, 
+ FStar_UInt128_uint64_to_uint128((uint64_t)0U), + ipad, + (uint32_t)128U); + } + else + { + Hacl_Hash_SHA2_update_multi_384(s, ipad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_384(s, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + data, + data_len); + } + Hacl_Hash_Core_SHA2_finish_384(s, dst1); + uint8_t *hash1 = ipad; + Hacl_Hash_Core_SHA2_init_384(s); + if ((uint32_t)48U == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_384(s, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + opad, + (uint32_t)128U); + } + else + { + Hacl_Hash_SHA2_update_multi_384(s, opad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_384(s, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + hash1, + (uint32_t)48U); + } + Hacl_Hash_Core_SHA2_finish_384(s, dst); +} + +void +EverCrypt_HMAC_compute_sha2_512( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)128U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *key_block = alloca(l * sizeof (uint8_t)); + memset(key_block, 0U, l * sizeof (uint8_t)); + uint32_t i0; + if (key_len <= (uint32_t)128U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)64U; + } + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)128U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_SHA2_hash_512(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *ipad = alloca(l * sizeof (uint8_t)); + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *opad = alloca(l * sizeof (uint8_t)); + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + uint64_t + scrut[8U] = + { + (uint64_t)0x6a09e667f3bcc908U, 
(uint64_t)0xbb67ae8584caa73bU, (uint64_t)0x3c6ef372fe94f82bU, + (uint64_t)0xa54ff53a5f1d36f1U, (uint64_t)0x510e527fade682d1U, (uint64_t)0x9b05688c2b3e6c1fU, + (uint64_t)0x1f83d9abfb41bd6bU, (uint64_t)0x5be0cd19137e2179U + }; + uint64_t *s = scrut; + uint8_t *dst1 = ipad; + Hacl_Hash_Core_SHA2_init_512(s); + if (data_len == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_512(s, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + ipad, + (uint32_t)128U); + } + else + { + Hacl_Hash_SHA2_update_multi_512(s, ipad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_512(s, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + data, + data_len); + } + Hacl_Hash_Core_SHA2_finish_512(s, dst1); + uint8_t *hash1 = ipad; + Hacl_Hash_Core_SHA2_init_512(s); + if ((uint32_t)64U == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_512(s, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + opad, + (uint32_t)128U); + } + else + { + Hacl_Hash_SHA2_update_multi_512(s, opad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_512(s, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + hash1, + (uint32_t)64U); + } + Hacl_Hash_Core_SHA2_finish_512(s, dst); +} + +void +EverCrypt_HMAC_compute_blake2s( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)64U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *key_block = alloca(l * sizeof (uint8_t)); + memset(key_block, 0U, l * sizeof (uint8_t)); + uint32_t i0; + if (key_len <= (uint32_t)64U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)32U; + } + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)64U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_Blake2_hash_blake2s_32(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *ipad = alloca(l * sizeof (uint8_t)); + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; 
+ ipad[i] = xi ^ yi; + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *opad = alloca(l * sizeof (uint8_t)); + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + uint32_t s[16U] = { 0U }; + uint32_t *r00 = s + (uint32_t)0U * (uint32_t)4U; + uint32_t *r10 = s + (uint32_t)1U * (uint32_t)4U; + uint32_t *r20 = s + (uint32_t)2U * (uint32_t)4U; + uint32_t *r30 = s + (uint32_t)3U * (uint32_t)4U; + uint32_t iv00 = Hacl_Impl_Blake2_Constants_ivTable_S[0U]; + uint32_t iv10 = Hacl_Impl_Blake2_Constants_ivTable_S[1U]; + uint32_t iv20 = Hacl_Impl_Blake2_Constants_ivTable_S[2U]; + uint32_t iv30 = Hacl_Impl_Blake2_Constants_ivTable_S[3U]; + uint32_t iv40 = Hacl_Impl_Blake2_Constants_ivTable_S[4U]; + uint32_t iv50 = Hacl_Impl_Blake2_Constants_ivTable_S[5U]; + uint32_t iv60 = Hacl_Impl_Blake2_Constants_ivTable_S[6U]; + uint32_t iv70 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; + r20[0U] = iv00; + r20[1U] = iv10; + r20[2U] = iv20; + r20[3U] = iv30; + r30[0U] = iv40; + r30[1U] = iv50; + r30[2U] = iv60; + r30[3U] = iv70; + uint32_t kk_shift_80 = (uint32_t)0U; + uint32_t iv0_ = iv00 ^ ((uint32_t)0x01010000U ^ (kk_shift_80 ^ (uint32_t)32U)); + r00[0U] = iv0_; + r00[1U] = iv10; + r00[2U] = iv20; + r00[3U] = iv30; + r10[0U] = iv40; + r10[1U] = iv50; + r10[2U] = iv60; + r10[3U] = iv70; + uint64_t es = (uint64_t)0U; + K____uint32_t__uint64_t scrut = { .fst = s, .snd = es }; + uint32_t *s0 = scrut.fst; + uint8_t *dst1 = ipad; + uint32_t *r01 = s0 + (uint32_t)0U * (uint32_t)4U; + uint32_t *r11 = s0 + (uint32_t)1U * (uint32_t)4U; + uint32_t *r21 = s0 + (uint32_t)2U * (uint32_t)4U; + uint32_t *r31 = s0 + (uint32_t)3U * (uint32_t)4U; + uint32_t iv01 = Hacl_Impl_Blake2_Constants_ivTable_S[0U]; + uint32_t iv11 = Hacl_Impl_Blake2_Constants_ivTable_S[1U]; + uint32_t iv21 = Hacl_Impl_Blake2_Constants_ivTable_S[2U]; + uint32_t iv31 = 
Hacl_Impl_Blake2_Constants_ivTable_S[3U]; + uint32_t iv41 = Hacl_Impl_Blake2_Constants_ivTable_S[4U]; + uint32_t iv51 = Hacl_Impl_Blake2_Constants_ivTable_S[5U]; + uint32_t iv61 = Hacl_Impl_Blake2_Constants_ivTable_S[6U]; + uint32_t iv71 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; + r21[0U] = iv01; + r21[1U] = iv11; + r21[2U] = iv21; + r21[3U] = iv31; + r31[0U] = iv41; + r31[1U] = iv51; + r31[2U] = iv61; + r31[3U] = iv71; + uint32_t kk_shift_81 = (uint32_t)0U; + uint32_t iv0_0 = iv01 ^ ((uint32_t)0x01010000U ^ (kk_shift_81 ^ (uint32_t)32U)); + r01[0U] = iv0_0; + r01[1U] = iv11; + r01[2U] = iv21; + r01[3U] = iv31; + r11[0U] = iv41; + r11[1U] = iv51; + r11[2U] = iv61; + r11[3U] = iv71; + uint64_t ev = (uint64_t)0U; + uint64_t ev10; + if (data_len == (uint32_t)0U) + { + uint64_t + ev1 = Hacl_Hash_Blake2_update_last_blake2s_32(s0, ev, (uint64_t)0U, ipad, (uint32_t)64U); + ev10 = ev1; + } + else + { + uint64_t ev1 = Hacl_Hash_Blake2_update_multi_blake2s_32(s0, ev, ipad, (uint32_t)1U); + uint64_t + ev2 = Hacl_Hash_Blake2_update_last_blake2s_32(s0, ev1, (uint64_t)(uint32_t)64U, data, data_len); + ev10 = ev2; + } + Hacl_Hash_Core_Blake2_finish_blake2s_32(s0, ev10, dst1); + uint8_t *hash1 = ipad; + uint32_t *r0 = s0 + (uint32_t)0U * (uint32_t)4U; + uint32_t *r1 = s0 + (uint32_t)1U * (uint32_t)4U; + uint32_t *r2 = s0 + (uint32_t)2U * (uint32_t)4U; + uint32_t *r3 = s0 + (uint32_t)3U * (uint32_t)4U; + uint32_t iv0 = Hacl_Impl_Blake2_Constants_ivTable_S[0U]; + uint32_t iv1 = Hacl_Impl_Blake2_Constants_ivTable_S[1U]; + uint32_t iv2 = Hacl_Impl_Blake2_Constants_ivTable_S[2U]; + uint32_t iv3 = Hacl_Impl_Blake2_Constants_ivTable_S[3U]; + uint32_t iv4 = Hacl_Impl_Blake2_Constants_ivTable_S[4U]; + uint32_t iv5 = Hacl_Impl_Blake2_Constants_ivTable_S[5U]; + uint32_t iv6 = Hacl_Impl_Blake2_Constants_ivTable_S[6U]; + uint32_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + 
r3[3U] = iv7; + uint32_t kk_shift_8 = (uint32_t)0U; + uint32_t iv0_1 = iv0 ^ ((uint32_t)0x01010000U ^ (kk_shift_8 ^ (uint32_t)32U)); + r0[0U] = iv0_1; + r0[1U] = iv1; + r0[2U] = iv2; + r0[3U] = iv3; + r1[0U] = iv4; + r1[1U] = iv5; + r1[2U] = iv6; + r1[3U] = iv7; + uint64_t ev0 = (uint64_t)0U; + uint64_t ev11; + if ((uint32_t)32U == (uint32_t)0U) + { + uint64_t + ev1 = Hacl_Hash_Blake2_update_last_blake2s_32(s0, ev0, (uint64_t)0U, opad, (uint32_t)64U); + ev11 = ev1; + } + else + { + uint64_t ev1 = Hacl_Hash_Blake2_update_multi_blake2s_32(s0, ev0, opad, (uint32_t)1U); + uint64_t + ev2 = + Hacl_Hash_Blake2_update_last_blake2s_32(s0, + ev1, + (uint64_t)(uint32_t)64U, + hash1, + (uint32_t)32U); + ev11 = ev2; + } + Hacl_Hash_Core_Blake2_finish_blake2s_32(s0, ev11, dst); +} + +void +EverCrypt_HMAC_compute_blake2b( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)128U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *key_block = alloca(l * sizeof (uint8_t)); + memset(key_block, 0U, l * sizeof (uint8_t)); + uint32_t i0; + if (key_len <= (uint32_t)128U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)64U; + } + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)128U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_Blake2_hash_blake2b_32(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *ipad = alloca(l * sizeof (uint8_t)); + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *opad = alloca(l * sizeof (uint8_t)); + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + uint64_t s[16U] = { 0U }; + uint64_t *r00 = s + (uint32_t)0U * 
(uint32_t)4U; + uint64_t *r10 = s + (uint32_t)1U * (uint32_t)4U; + uint64_t *r20 = s + (uint32_t)2U * (uint32_t)4U; + uint64_t *r30 = s + (uint32_t)3U * (uint32_t)4U; + uint64_t iv00 = Hacl_Impl_Blake2_Constants_ivTable_B[0U]; + uint64_t iv10 = Hacl_Impl_Blake2_Constants_ivTable_B[1U]; + uint64_t iv20 = Hacl_Impl_Blake2_Constants_ivTable_B[2U]; + uint64_t iv30 = Hacl_Impl_Blake2_Constants_ivTable_B[3U]; + uint64_t iv40 = Hacl_Impl_Blake2_Constants_ivTable_B[4U]; + uint64_t iv50 = Hacl_Impl_Blake2_Constants_ivTable_B[5U]; + uint64_t iv60 = Hacl_Impl_Blake2_Constants_ivTable_B[6U]; + uint64_t iv70 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; + r20[0U] = iv00; + r20[1U] = iv10; + r20[2U] = iv20; + r20[3U] = iv30; + r30[0U] = iv40; + r30[1U] = iv50; + r30[2U] = iv60; + r30[3U] = iv70; + uint64_t kk_shift_80 = (uint64_t)(uint32_t)0U << (uint32_t)8U; + uint64_t iv0_ = iv00 ^ ((uint64_t)0x01010000U ^ (kk_shift_80 ^ (uint64_t)(uint32_t)64U)); + r00[0U] = iv0_; + r00[1U] = iv10; + r00[2U] = iv20; + r00[3U] = iv30; + r10[0U] = iv40; + r10[1U] = iv50; + r10[2U] = iv60; + r10[3U] = iv70; + FStar_UInt128_uint128 es = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + K____uint64_t__FStar_UInt128_uint128 scrut = { .fst = s, .snd = es }; + uint64_t *s0 = scrut.fst; + uint8_t *dst1 = ipad; + uint64_t *r01 = s0 + (uint32_t)0U * (uint32_t)4U; + uint64_t *r11 = s0 + (uint32_t)1U * (uint32_t)4U; + uint64_t *r21 = s0 + (uint32_t)2U * (uint32_t)4U; + uint64_t *r31 = s0 + (uint32_t)3U * (uint32_t)4U; + uint64_t iv01 = Hacl_Impl_Blake2_Constants_ivTable_B[0U]; + uint64_t iv11 = Hacl_Impl_Blake2_Constants_ivTable_B[1U]; + uint64_t iv21 = Hacl_Impl_Blake2_Constants_ivTable_B[2U]; + uint64_t iv31 = Hacl_Impl_Blake2_Constants_ivTable_B[3U]; + uint64_t iv41 = Hacl_Impl_Blake2_Constants_ivTable_B[4U]; + uint64_t iv51 = Hacl_Impl_Blake2_Constants_ivTable_B[5U]; + uint64_t iv61 = Hacl_Impl_Blake2_Constants_ivTable_B[6U]; + uint64_t iv71 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; + r21[0U] = iv01; + 
r21[1U] = iv11; + r21[2U] = iv21; + r21[3U] = iv31; + r31[0U] = iv41; + r31[1U] = iv51; + r31[2U] = iv61; + r31[3U] = iv71; + uint64_t kk_shift_81 = (uint64_t)(uint32_t)0U << (uint32_t)8U; + uint64_t iv0_0 = iv01 ^ ((uint64_t)0x01010000U ^ (kk_shift_81 ^ (uint64_t)(uint32_t)64U)); + r01[0U] = iv0_0; + r01[1U] = iv11; + r01[2U] = iv21; + r01[3U] = iv31; + r11[0U] = iv41; + r11[1U] = iv51; + r11[2U] = iv61; + r11[3U] = iv71; + FStar_UInt128_uint128 ev = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + FStar_UInt128_uint128 ev10; + if (data_len == (uint32_t)0U) + { + FStar_UInt128_uint128 + ev1 = + Hacl_Hash_Blake2_update_last_blake2b_32(s0, + ev, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + ipad, + (uint32_t)128U); + ev10 = ev1; + } + else + { + FStar_UInt128_uint128 + ev1 = Hacl_Hash_Blake2_update_multi_blake2b_32(s0, ev, ipad, (uint32_t)1U); + FStar_UInt128_uint128 + ev2 = + Hacl_Hash_Blake2_update_last_blake2b_32(s0, + ev1, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + data, + data_len); + ev10 = ev2; + } + Hacl_Hash_Core_Blake2_finish_blake2b_32(s0, ev10, dst1); + uint8_t *hash1 = ipad; + uint64_t *r0 = s0 + (uint32_t)0U * (uint32_t)4U; + uint64_t *r1 = s0 + (uint32_t)1U * (uint32_t)4U; + uint64_t *r2 = s0 + (uint32_t)2U * (uint32_t)4U; + uint64_t *r3 = s0 + (uint32_t)3U * (uint32_t)4U; + uint64_t iv0 = Hacl_Impl_Blake2_Constants_ivTable_B[0U]; + uint64_t iv1 = Hacl_Impl_Blake2_Constants_ivTable_B[1U]; + uint64_t iv2 = Hacl_Impl_Blake2_Constants_ivTable_B[2U]; + uint64_t iv3 = Hacl_Impl_Blake2_Constants_ivTable_B[3U]; + uint64_t iv4 = Hacl_Impl_Blake2_Constants_ivTable_B[4U]; + uint64_t iv5 = Hacl_Impl_Blake2_Constants_ivTable_B[5U]; + uint64_t iv6 = Hacl_Impl_Blake2_Constants_ivTable_B[6U]; + uint64_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + uint64_t kk_shift_8 = (uint64_t)(uint32_t)0U << (uint32_t)8U; + 
uint64_t iv0_1 = iv0 ^ ((uint64_t)0x01010000U ^ (kk_shift_8 ^ (uint64_t)(uint32_t)64U)); + r0[0U] = iv0_1; + r0[1U] = iv1; + r0[2U] = iv2; + r0[3U] = iv3; + r1[0U] = iv4; + r1[1U] = iv5; + r1[2U] = iv6; + r1[3U] = iv7; + FStar_UInt128_uint128 ev0 = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + FStar_UInt128_uint128 ev11; + if ((uint32_t)64U == (uint32_t)0U) + { + FStar_UInt128_uint128 + ev1 = + Hacl_Hash_Blake2_update_last_blake2b_32(s0, + ev0, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + opad, + (uint32_t)128U); + ev11 = ev1; + } + else + { + FStar_UInt128_uint128 + ev1 = Hacl_Hash_Blake2_update_multi_blake2b_32(s0, ev0, opad, (uint32_t)1U); + FStar_UInt128_uint128 + ev2 = + Hacl_Hash_Blake2_update_last_blake2b_32(s0, + ev1, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + hash1, + (uint32_t)64U); + ev11 = ev2; + } + Hacl_Hash_Core_Blake2_finish_blake2b_32(s0, ev11, dst); +} + +bool EverCrypt_HMAC_is_supported_alg(Spec_Hash_Definitions_hash_alg uu___) +{ + switch (uu___) + { + case Spec_Hash_Definitions_SHA1: + { + return true; + } + case Spec_Hash_Definitions_SHA2_256: + { + return true; + } + case Spec_Hash_Definitions_SHA2_384: + { + return true; + } + case Spec_Hash_Definitions_SHA2_512: + { + return true; + } + case Spec_Hash_Definitions_Blake2S: + { + return true; + } + case Spec_Hash_Definitions_Blake2B: + { + return true; + } + default: + { + return false; + } + } +} + +void +EverCrypt_HMAC_compute( + Spec_Hash_Definitions_hash_alg a, + uint8_t *mac, + uint8_t *key, + uint32_t keylen, + uint8_t *data, + uint32_t datalen +) +{ + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + EverCrypt_HMAC_compute_sha1(mac, key, keylen, data, datalen); + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + EverCrypt_HMAC_compute_sha2_256(mac, key, keylen, data, datalen); + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + EverCrypt_HMAC_compute_sha2_384(mac, key, keylen, data, datalen); + break; + } + case 
Spec_Hash_Definitions_SHA2_512: + { + EverCrypt_HMAC_compute_sha2_512(mac, key, keylen, data, datalen); + break; + } + case Spec_Hash_Definitions_Blake2S: + { + EverCrypt_HMAC_compute_blake2s(mac, key, keylen, data, datalen); + break; + } + case Spec_Hash_Definitions_Blake2B: + { + EverCrypt_HMAC_compute_blake2b(mac, key, keylen, data, datalen); + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + diff --git a/src/msvc/EverCrypt_Hash.c b/src/msvc/EverCrypt_Hash.c new file mode 100644 index 00000000..5ad6288b --- /dev/null +++ b/src/msvc/EverCrypt_Hash.c 
@@ -0,0 +1,2012 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "EverCrypt_Hash.h" + +#include "internal/Vale.h" +#include "internal/Hacl_Hash_SHA2.h" +#include "internal/Hacl_Hash_SHA1.h" +#include "internal/Hacl_Hash_MD5.h" +#include "internal/Hacl_Hash_Blake2.h" + +C_String_t EverCrypt_Hash_string_of_alg(Spec_Hash_Definitions_hash_alg uu___) +{ + switch (uu___) + { + case Spec_Hash_Definitions_MD5: + { + return "MD5"; + } + case Spec_Hash_Definitions_SHA1: + { + return "SHA1"; + } + case Spec_Hash_Definitions_SHA2_224: + { + return "SHA2_224"; + } + case Spec_Hash_Definitions_SHA2_256: + { + return "SHA2_256"; + } + case Spec_Hash_Definitions_SHA2_384: + { + return "SHA2_384"; + } + case Spec_Hash_Definitions_SHA2_512: + { + return "SHA2_512"; + } + case Spec_Hash_Definitions_Blake2S: + { + return "Blake2S"; + } + case Spec_Hash_Definitions_Blake2B: + { + return "Blake2B"; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +bool +EverCrypt_Hash_uu___is_MD5_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +) +{ + if (projectee.tag == EverCrypt_Hash_MD5_s) + { + return true; + } + return false; +} + +bool +EverCrypt_Hash_uu___is_SHA1_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +) +{ + if (projectee.tag == EverCrypt_Hash_SHA1_s) + { + return true; + } + return false; +} + +bool +EverCrypt_Hash_uu___is_SHA2_224_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +) +{ + if (projectee.tag == EverCrypt_Hash_SHA2_224_s) + { + return true; + } + return false; +} + +bool +EverCrypt_Hash_uu___is_SHA2_256_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +) +{ + if (projectee.tag == EverCrypt_Hash_SHA2_256_s) + { + return true; + } + return false; +} + +bool +EverCrypt_Hash_uu___is_SHA2_384_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +) +{ + if (projectee.tag == 
EverCrypt_Hash_SHA2_384_s) + { + return true; + } + return false; +} + +bool +EverCrypt_Hash_uu___is_SHA2_512_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +) +{ + if (projectee.tag == EverCrypt_Hash_SHA2_512_s) + { + return true; + } + return false; +} + +bool +EverCrypt_Hash_uu___is_Blake2S_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +) +{ + if (projectee.tag == EverCrypt_Hash_Blake2S_s) + { + return true; + } + return false; +} + +bool +EverCrypt_Hash_uu___is_Blake2B_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_Hash_state_s projectee +) +{ + if (projectee.tag == EverCrypt_Hash_Blake2B_s) + { + return true; + } + return false; +} + +Spec_Hash_Definitions_hash_alg EverCrypt_Hash_alg_of_state(EverCrypt_Hash_state_s *s) +{ + EverCrypt_Hash_state_s scrut = *s; + if (scrut.tag == EverCrypt_Hash_MD5_s) + { + return Spec_Hash_Definitions_MD5; + } + if (scrut.tag == EverCrypt_Hash_SHA1_s) + { + return Spec_Hash_Definitions_SHA1; + } + if (scrut.tag == EverCrypt_Hash_SHA2_224_s) + { + return Spec_Hash_Definitions_SHA2_224; + } + if (scrut.tag == EverCrypt_Hash_SHA2_256_s) + { + return Spec_Hash_Definitions_SHA2_256; + } + if (scrut.tag == EverCrypt_Hash_SHA2_384_s) + { + return Spec_Hash_Definitions_SHA2_384; + } + if (scrut.tag == EverCrypt_Hash_SHA2_512_s) + { + return Spec_Hash_Definitions_SHA2_512; + } + if (scrut.tag == EverCrypt_Hash_Blake2S_s) + { + return Spec_Hash_Definitions_Blake2S; + } + if (scrut.tag == EverCrypt_Hash_Blake2B_s) + { + return Spec_Hash_Definitions_Blake2B; + } + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +EverCrypt_Hash_state_s *EverCrypt_Hash_create_in(Spec_Hash_Definitions_hash_alg a) +{ + EverCrypt_Hash_state_s s; + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + uint32_t *buf = KRML_HOST_CALLOC((uint32_t)4U, sizeof (uint32_t)); + s = 
((EverCrypt_Hash_state_s){ .tag = EverCrypt_Hash_MD5_s, { .case_MD5_s = buf } }); + break; + } + case Spec_Hash_Definitions_SHA1: + { + uint32_t *buf = KRML_HOST_CALLOC((uint32_t)5U, sizeof (uint32_t)); + s = ((EverCrypt_Hash_state_s){ .tag = EverCrypt_Hash_SHA1_s, { .case_SHA1_s = buf } }); + break; + } + case Spec_Hash_Definitions_SHA2_224: + { + uint32_t *buf = KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); + s = + ((EverCrypt_Hash_state_s){ .tag = EverCrypt_Hash_SHA2_224_s, { .case_SHA2_224_s = buf } }); + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + uint32_t *buf = KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); + s = + ((EverCrypt_Hash_state_s){ .tag = EverCrypt_Hash_SHA2_256_s, { .case_SHA2_256_s = buf } }); + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + uint64_t *buf = KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint64_t)); + s = + ((EverCrypt_Hash_state_s){ .tag = EverCrypt_Hash_SHA2_384_s, { .case_SHA2_384_s = buf } }); + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + uint64_t *buf = KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint64_t)); + s = + ((EverCrypt_Hash_state_s){ .tag = EverCrypt_Hash_SHA2_512_s, { .case_SHA2_512_s = buf } }); + break; + } + case Spec_Hash_Definitions_Blake2S: + { + uint32_t *buf = KRML_HOST_CALLOC((uint32_t)16U, sizeof (uint32_t)); + s = ((EverCrypt_Hash_state_s){ .tag = EverCrypt_Hash_Blake2S_s, { .case_Blake2S_s = buf } }); + break; + } + case Spec_Hash_Definitions_Blake2B: + { + uint64_t *buf = KRML_HOST_CALLOC((uint32_t)16U, sizeof (uint64_t)); + s = ((EverCrypt_Hash_state_s){ .tag = EverCrypt_Hash_Blake2B_s, { .case_Blake2B_s = buf } }); + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + KRML_CHECK_SIZE(sizeof (EverCrypt_Hash_state_s), (uint32_t)1U); + EverCrypt_Hash_state_s *buf = KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + buf[0U] = s; + return buf; +} + +EverCrypt_Hash_state_s 
*EverCrypt_Hash_create(Spec_Hash_Definitions_hash_alg a) +{ + return EverCrypt_Hash_create_in(a); +} + +void EverCrypt_Hash_init(EverCrypt_Hash_state_s *s) +{ + EverCrypt_Hash_state_s scrut = *s; + if (scrut.tag == EverCrypt_Hash_MD5_s) + { + uint32_t *p1 = scrut.case_MD5_s; + Hacl_Hash_Core_MD5_legacy_init(p1); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA1_s) + { + uint32_t *p1 = scrut.case_SHA1_s; + Hacl_Hash_Core_SHA1_legacy_init(p1); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_224_s) + { + uint32_t *p1 = scrut.case_SHA2_224_s; + Hacl_Hash_Core_SHA2_init_224(p1); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_256_s) + { + uint32_t *p1 = scrut.case_SHA2_256_s; + Hacl_Hash_Core_SHA2_init_256(p1); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_384_s) + { + uint64_t *p1 = scrut.case_SHA2_384_s; + Hacl_Hash_Core_SHA2_init_384(p1); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_512_s) + { + uint64_t *p1 = scrut.case_SHA2_512_s; + Hacl_Hash_Core_SHA2_init_512(p1); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2S_s) + { + uint32_t *p1 = scrut.case_Blake2S_s; + uint32_t *r0 = p1 + (uint32_t)0U * (uint32_t)4U; + uint32_t *r1 = p1 + (uint32_t)1U * (uint32_t)4U; + uint32_t *r2 = p1 + (uint32_t)2U * (uint32_t)4U; + uint32_t *r3 = p1 + (uint32_t)3U * (uint32_t)4U; + uint32_t iv0 = Hacl_Impl_Blake2_Constants_ivTable_S[0U]; + uint32_t iv1 = Hacl_Impl_Blake2_Constants_ivTable_S[1U]; + uint32_t iv2 = Hacl_Impl_Blake2_Constants_ivTable_S[2U]; + uint32_t iv3 = Hacl_Impl_Blake2_Constants_ivTable_S[3U]; + uint32_t iv4 = Hacl_Impl_Blake2_Constants_ivTable_S[4U]; + uint32_t iv5 = Hacl_Impl_Blake2_Constants_ivTable_S[5U]; + uint32_t iv6 = Hacl_Impl_Blake2_Constants_ivTable_S[6U]; + uint32_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + uint32_t kk_shift_8 = (uint32_t)0U; + uint32_t iv0_ = iv0 ^ ((uint32_t)0x01010000U 
^ (kk_shift_8 ^ (uint32_t)32U)); + r0[0U] = iv0_; + r0[1U] = iv1; + r0[2U] = iv2; + r0[3U] = iv3; + r1[0U] = iv4; + r1[1U] = iv5; + r1[2U] = iv6; + r1[3U] = iv7; + uint64_t uu____0 = (uint64_t)0U; + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2B_s) + { + uint64_t *p1 = scrut.case_Blake2B_s; + uint64_t *r0 = p1 + (uint32_t)0U * (uint32_t)4U; + uint64_t *r1 = p1 + (uint32_t)1U * (uint32_t)4U; + uint64_t *r2 = p1 + (uint32_t)2U * (uint32_t)4U; + uint64_t *r3 = p1 + (uint32_t)3U * (uint32_t)4U; + uint64_t iv0 = Hacl_Impl_Blake2_Constants_ivTable_B[0U]; + uint64_t iv1 = Hacl_Impl_Blake2_Constants_ivTable_B[1U]; + uint64_t iv2 = Hacl_Impl_Blake2_Constants_ivTable_B[2U]; + uint64_t iv3 = Hacl_Impl_Blake2_Constants_ivTable_B[3U]; + uint64_t iv4 = Hacl_Impl_Blake2_Constants_ivTable_B[4U]; + uint64_t iv5 = Hacl_Impl_Blake2_Constants_ivTable_B[5U]; + uint64_t iv6 = Hacl_Impl_Blake2_Constants_ivTable_B[6U]; + uint64_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + uint64_t kk_shift_8 = (uint64_t)(uint32_t)0U << (uint32_t)8U; + uint64_t iv0_ = iv0 ^ ((uint64_t)0x01010000U ^ (kk_shift_8 ^ (uint64_t)(uint32_t)64U)); + r0[0U] = iv0_; + r0[1U] = iv1; + r0[2U] = iv2; + r0[3U] = iv3; + r1[0U] = iv4; + r1[1U] = iv5; + r1[2U] = iv6; + r1[3U] = iv7; + FStar_UInt128_uint128 uu____1 = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + return; + } + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +static uint32_t +k224_256[64U] = + { + (uint32_t)0x428a2f98U, (uint32_t)0x71374491U, (uint32_t)0xb5c0fbcfU, (uint32_t)0xe9b5dba5U, + (uint32_t)0x3956c25bU, (uint32_t)0x59f111f1U, (uint32_t)0x923f82a4U, (uint32_t)0xab1c5ed5U, + (uint32_t)0xd807aa98U, (uint32_t)0x12835b01U, (uint32_t)0x243185beU, (uint32_t)0x550c7dc3U, + (uint32_t)0x72be5d74U, 
(uint32_t)0x80deb1feU, (uint32_t)0x9bdc06a7U, (uint32_t)0xc19bf174U, + (uint32_t)0xe49b69c1U, (uint32_t)0xefbe4786U, (uint32_t)0x0fc19dc6U, (uint32_t)0x240ca1ccU, + (uint32_t)0x2de92c6fU, (uint32_t)0x4a7484aaU, (uint32_t)0x5cb0a9dcU, (uint32_t)0x76f988daU, + (uint32_t)0x983e5152U, (uint32_t)0xa831c66dU, (uint32_t)0xb00327c8U, (uint32_t)0xbf597fc7U, + (uint32_t)0xc6e00bf3U, (uint32_t)0xd5a79147U, (uint32_t)0x06ca6351U, (uint32_t)0x14292967U, + (uint32_t)0x27b70a85U, (uint32_t)0x2e1b2138U, (uint32_t)0x4d2c6dfcU, (uint32_t)0x53380d13U, + (uint32_t)0x650a7354U, (uint32_t)0x766a0abbU, (uint32_t)0x81c2c92eU, (uint32_t)0x92722c85U, + (uint32_t)0xa2bfe8a1U, (uint32_t)0xa81a664bU, (uint32_t)0xc24b8b70U, (uint32_t)0xc76c51a3U, + (uint32_t)0xd192e819U, (uint32_t)0xd6990624U, (uint32_t)0xf40e3585U, (uint32_t)0x106aa070U, + (uint32_t)0x19a4c116U, (uint32_t)0x1e376c08U, (uint32_t)0x2748774cU, (uint32_t)0x34b0bcb5U, + (uint32_t)0x391c0cb3U, (uint32_t)0x4ed8aa4aU, (uint32_t)0x5b9cca4fU, (uint32_t)0x682e6ff3U, + (uint32_t)0x748f82eeU, (uint32_t)0x78a5636fU, (uint32_t)0x84c87814U, (uint32_t)0x8cc70208U, + (uint32_t)0x90befffaU, (uint32_t)0xa4506cebU, (uint32_t)0xbef9a3f7U, (uint32_t)0xc67178f2U + }; + +void EverCrypt_Hash_update_multi_256(uint32_t *s, uint8_t *blocks, uint32_t n) +{ + bool has_shaext = EverCrypt_AutoConfig2_has_shaext(); + bool has_sse = EverCrypt_AutoConfig2_has_sse(); + #if HACL_CAN_COMPILE_VALE + if (has_shaext && has_sse) + { + uint64_t n1 = (uint64_t)n; + uint64_t scrut = sha256_update(s, blocks, n1, k224_256); + return; + } + #endif + Hacl_Hash_SHA2_update_multi_256(s, blocks, n); +} + +void EverCrypt_Hash_update2(EverCrypt_Hash_state_s *s, uint64_t prevlen, uint8_t *block) +{ + EverCrypt_Hash_state_s scrut = *s; + if (scrut.tag == EverCrypt_Hash_MD5_s) + { + uint32_t *p1 = scrut.case_MD5_s; + Hacl_Hash_Core_MD5_legacy_update(p1, block); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA1_s) + { + uint32_t *p1 = scrut.case_SHA1_s; + 
Hacl_Hash_Core_SHA1_legacy_update(p1, block); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_224_s) + { + uint32_t *p1 = scrut.case_SHA2_224_s; + EverCrypt_Hash_update_multi_256(p1, block, (uint32_t)1U); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_256_s) + { + uint32_t *p1 = scrut.case_SHA2_256_s; + EverCrypt_Hash_update_multi_256(p1, block, (uint32_t)1U); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_384_s) + { + uint64_t *p1 = scrut.case_SHA2_384_s; + Hacl_Hash_Core_SHA2_update_384(p1, block); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_512_s) + { + uint64_t *p1 = scrut.case_SHA2_512_s; + Hacl_Hash_Core_SHA2_update_512(p1, block); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2S_s) + { + uint32_t *p1 = scrut.case_Blake2S_s; + uint64_t uu____0 = Hacl_Hash_Core_Blake2_update_blake2s_32(p1, prevlen, block); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2B_s) + { + uint64_t *p1 = scrut.case_Blake2B_s; + FStar_UInt128_uint128 + uu____1 = + Hacl_Hash_Core_Blake2_update_blake2b_32(p1, + FStar_UInt128_uint64_to_uint128(prevlen), + block); + return; + } + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +KRML_DEPRECATED("Use update2 instead") + +void EverCrypt_Hash_update(EverCrypt_Hash_state_s *s, uint8_t *block) +{ + EverCrypt_Hash_update2(s, (uint64_t)0U, block); +} + +void +EverCrypt_Hash_update_multi2( + EverCrypt_Hash_state_s *s, + uint64_t prevlen, + uint8_t *blocks, + uint32_t len +) +{ + EverCrypt_Hash_state_s scrut = *s; + if (scrut.tag == EverCrypt_Hash_MD5_s) + { + uint32_t *p1 = scrut.case_MD5_s; + uint32_t n = len / (uint32_t)64U; + Hacl_Hash_MD5_legacy_update_multi(p1, blocks, n); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA1_s) + { + uint32_t *p1 = scrut.case_SHA1_s; + uint32_t n = len / (uint32_t)64U; + Hacl_Hash_SHA1_legacy_update_multi(p1, blocks, n); + return; + } + if (scrut.tag == 
EverCrypt_Hash_SHA2_224_s) + { + uint32_t *p1 = scrut.case_SHA2_224_s; + uint32_t n = len / (uint32_t)64U; + EverCrypt_Hash_update_multi_256(p1, blocks, n); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_256_s) + { + uint32_t *p1 = scrut.case_SHA2_256_s; + uint32_t n = len / (uint32_t)64U; + EverCrypt_Hash_update_multi_256(p1, blocks, n); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_384_s) + { + uint64_t *p1 = scrut.case_SHA2_384_s; + uint32_t n = len / (uint32_t)128U; + Hacl_Hash_SHA2_update_multi_384(p1, blocks, n); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_512_s) + { + uint64_t *p1 = scrut.case_SHA2_512_s; + uint32_t n = len / (uint32_t)128U; + Hacl_Hash_SHA2_update_multi_512(p1, blocks, n); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2S_s) + { + uint32_t *p1 = scrut.case_Blake2S_s; + uint32_t n = len / (uint32_t)64U; + uint64_t uu____0 = Hacl_Hash_Blake2_update_multi_blake2s_32(p1, prevlen, blocks, n); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2B_s) + { + uint64_t *p1 = scrut.case_Blake2B_s; + uint32_t n = len / (uint32_t)128U; + FStar_UInt128_uint128 + uu____1 = + Hacl_Hash_Blake2_update_multi_blake2b_32(p1, + FStar_UInt128_uint64_to_uint128(prevlen), + blocks, + n); + return; + } + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +KRML_DEPRECATED("Use update_multi2 instead") + +void EverCrypt_Hash_update_multi(EverCrypt_Hash_state_s *s, uint8_t *blocks, uint32_t len) +{ + EverCrypt_Hash_update_multi2(s, (uint64_t)0U, blocks, len); +} + +void +EverCrypt_Hash_update_last_256( + uint32_t *s, + uint64_t input, + uint8_t *input_len, + uint32_t input_len1 +) +{ + uint32_t blocks_n = input_len1 / (uint32_t)64U; + uint32_t blocks_len = blocks_n * (uint32_t)64U; + uint8_t *blocks = input_len; + uint32_t rest_len = input_len1 - blocks_len; + uint8_t *rest = input_len + blocks_len; + 
EverCrypt_Hash_update_multi_256(s, blocks, blocks_n); + uint64_t total_input_len = input + (uint64_t)input_len1; + uint32_t + pad_len = + (uint32_t)1U + + + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(total_input_len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U + + (uint32_t)8U; + uint32_t tmp_len = rest_len + pad_len; + uint8_t tmp_twoblocks[128U] = { 0U }; + uint8_t *tmp = tmp_twoblocks; + uint8_t *tmp_rest = tmp; + uint8_t *tmp_pad = tmp + rest_len; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + Hacl_Hash_Core_SHA2_pad_256(total_input_len, tmp_pad); + EverCrypt_Hash_update_multi_256(s, tmp, tmp_len / (uint32_t)64U); +} + +void +EverCrypt_Hash_update_last2( + EverCrypt_Hash_state_s *s, + uint64_t prev_len, + uint8_t *last, + uint32_t last_len +) +{ + EverCrypt_Hash_state_s scrut = *s; + if (scrut.tag == EverCrypt_Hash_MD5_s) + { + uint32_t *p1 = scrut.case_MD5_s; + Hacl_Hash_MD5_legacy_update_last(p1, prev_len, last, last_len); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA1_s) + { + uint32_t *p1 = scrut.case_SHA1_s; + Hacl_Hash_SHA1_legacy_update_last(p1, prev_len, last, last_len); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_224_s) + { + uint32_t *p1 = scrut.case_SHA2_224_s; + EverCrypt_Hash_update_last_256(p1, prev_len, last, last_len); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_256_s) + { + uint32_t *p1 = scrut.case_SHA2_256_s; + EverCrypt_Hash_update_last_256(p1, prev_len, last, last_len); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_384_s) + { + uint64_t *p1 = scrut.case_SHA2_384_s; + Hacl_Hash_SHA2_update_last_384(p1, FStar_UInt128_uint64_to_uint128(prev_len), last, last_len); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA2_512_s) + { + uint64_t *p1 = scrut.case_SHA2_512_s; + Hacl_Hash_SHA2_update_last_512(p1, FStar_UInt128_uint64_to_uint128(prev_len), last, last_len); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2S_s) + { + uint32_t *p1 = scrut.case_Blake2S_s; + uint64_t x = 
Hacl_Hash_Blake2_update_last_blake2s_32(p1, prev_len, prev_len, last, last_len); + return; + } + if (scrut.tag == EverCrypt_Hash_Blake2B_s) + { + uint64_t *p1 = scrut.case_Blake2B_s; + FStar_UInt128_uint128 + x = + Hacl_Hash_Blake2_update_last_blake2b_32(p1, + FStar_UInt128_uint64_to_uint128(prev_len), + FStar_UInt128_uint64_to_uint128(prev_len), + last, + last_len); + return; + } + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +KRML_DEPRECATED("Use update_last2 instead") + +void EverCrypt_Hash_update_last(EverCrypt_Hash_state_s *s, uint8_t *last, uint64_t total_len) +{ + Spec_Hash_Definitions_hash_alg a = EverCrypt_Hash_alg_of_state(s); + uint32_t sw; + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + sw = (uint32_t)64U; + break; + } + case Spec_Hash_Definitions_SHA1: + { + sw = (uint32_t)64U; + break; + } + case Spec_Hash_Definitions_SHA2_224: + { + sw = (uint32_t)64U; + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + sw = (uint32_t)64U; + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + sw = (uint32_t)128U; + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + sw = (uint32_t)128U; + break; + } + case Spec_Hash_Definitions_Blake2S: + { + sw = (uint32_t)64U; + break; + } + case Spec_Hash_Definitions_Blake2B: + { + sw = (uint32_t)128U; + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + uint64_t last_len = total_len % (uint64_t)sw; + uint64_t prev_len = total_len - last_len; + EverCrypt_Hash_update_last2(s, prev_len, last, (uint32_t)last_len); +} + +void EverCrypt_Hash_finish(EverCrypt_Hash_state_s *s, uint8_t *dst) +{ + EverCrypt_Hash_state_s scrut = *s; + if (scrut.tag == EverCrypt_Hash_MD5_s) + { + uint32_t *p1 = scrut.case_MD5_s; + Hacl_Hash_Core_MD5_legacy_finish(p1, dst); + return; + } + if (scrut.tag == EverCrypt_Hash_SHA1_s) + { + 
uint32_t *p1 = scrut.case_SHA1_s;
+ Hacl_Hash_Core_SHA1_legacy_finish(p1, dst);
+ return;
+ }
+ if (scrut.tag == EverCrypt_Hash_SHA2_224_s)
+ {
+ uint32_t *p1 = scrut.case_SHA2_224_s;
+ Hacl_Hash_Core_SHA2_finish_224(p1, dst);
+ return;
+ }
+ if (scrut.tag == EverCrypt_Hash_SHA2_256_s)
+ {
+ uint32_t *p1 = scrut.case_SHA2_256_s;
+ Hacl_Hash_Core_SHA2_finish_256(p1, dst);
+ return;
+ }
+ if (scrut.tag == EverCrypt_Hash_SHA2_384_s)
+ {
+ uint64_t *p1 = scrut.case_SHA2_384_s;
+ Hacl_Hash_Core_SHA2_finish_384(p1, dst);
+ return;
+ }
+ if (scrut.tag == EverCrypt_Hash_SHA2_512_s)
+ {
+ uint64_t *p1 = scrut.case_SHA2_512_s;
+ Hacl_Hash_Core_SHA2_finish_512(p1, dst);
+ return;
+ }
+ if (scrut.tag == EverCrypt_Hash_Blake2S_s)
+ {
+ uint32_t *p1 = scrut.case_Blake2S_s;
+ Hacl_Hash_Core_Blake2_finish_blake2s_32(p1, (uint64_t)0U, dst);
+ return;
+ }
+ if (scrut.tag == EverCrypt_Hash_Blake2B_s)
+ {
+ uint64_t *p1 = scrut.case_Blake2B_s;
+ Hacl_Hash_Core_Blake2_finish_blake2b_32(p1,
+ FStar_UInt128_uint64_to_uint128((uint64_t)0U),
+ dst);
+ return;
+ }
+ KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n",
+ __FILE__,
+ __LINE__,
+ "unreachable (pattern matches are exhaustive in F*)");
+ KRML_HOST_EXIT(255U);
+}
+
+void EverCrypt_Hash_free(EverCrypt_Hash_state_s *s)
+{
+ EverCrypt_Hash_state_s scrut = *s;
+ if (scrut.tag == EverCrypt_Hash_MD5_s)
+ {
+ uint32_t *p1 = scrut.case_MD5_s;
+ KRML_HOST_FREE(p1);
+ }
+ else if (scrut.tag == EverCrypt_Hash_SHA1_s)
+ {
+ uint32_t *p1 = scrut.case_SHA1_s;
+ KRML_HOST_FREE(p1);
+ }
+ else if (scrut.tag == EverCrypt_Hash_SHA2_224_s)
+ {
+ uint32_t *p1 = scrut.case_SHA2_224_s;
+ KRML_HOST_FREE(p1);
+ }
+ else if (scrut.tag == EverCrypt_Hash_SHA2_256_s)
+ {
+ uint32_t *p1 = scrut.case_SHA2_256_s;
+ KRML_HOST_FREE(p1);
+ }
+ else if (scrut.tag == EverCrypt_Hash_SHA2_384_s)
+ {
+ uint64_t *p1 = scrut.case_SHA2_384_s;
+ KRML_HOST_FREE(p1);
+ }
+ else if (scrut.tag == EverCrypt_Hash_SHA2_512_s)
+ {
+ uint64_t *p1 = scrut.case_SHA2_512_s;
+ KRML_HOST_FREE(p1);
+ }
+ else if (scrut.tag == EverCrypt_Hash_Blake2S_s)
+ {
+ uint32_t *p1 = scrut.case_Blake2S_s;
+ KRML_HOST_FREE(p1);
+ }
+ else if (scrut.tag == EverCrypt_Hash_Blake2B_s)
+ {
+ uint64_t *p1 = scrut.case_Blake2B_s;
+ KRML_HOST_FREE(p1);
+ }
+ else
+ {
+ KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n",
+ __FILE__,
+ __LINE__,
+ "unreachable (pattern matches are exhaustive in F*)");
+ KRML_HOST_EXIT(255U);
+ }
+ KRML_HOST_FREE(s);
+}
+
+void EverCrypt_Hash_copy(EverCrypt_Hash_state_s *s_src, EverCrypt_Hash_state_s *s_dst)
+{
+ EverCrypt_Hash_state_s scrut = *s_src;
+ if (scrut.tag == EverCrypt_Hash_MD5_s)
+ {
+ uint32_t *p_src = scrut.case_MD5_s;
+ EverCrypt_Hash_state_s x1 = *s_dst;
+ uint32_t *p_dst;
+ if (x1.tag == EverCrypt_Hash_MD5_s)
+ {
+ p_dst = x1.case_MD5_s;
+ }
+ else
+ {
+ p_dst = KRML_EABORT(uint32_t *, "unreachable (pattern matches are exhaustive in F*)");
+ }
+ memcpy(p_dst, p_src, (uint32_t)4U * sizeof (uint32_t));
+ return;
+ }
+ if (scrut.tag == EverCrypt_Hash_SHA1_s)
+ {
+ uint32_t *p_src = scrut.case_SHA1_s;
+ EverCrypt_Hash_state_s x1 = *s_dst;
+ uint32_t *p_dst;
+ if (x1.tag == EverCrypt_Hash_SHA1_s)
+ {
+ p_dst = x1.case_SHA1_s;
+ }
+ else
+ {
+ p_dst = KRML_EABORT(uint32_t *, "unreachable (pattern matches are exhaustive in F*)");
+ }
+ memcpy(p_dst, p_src, (uint32_t)5U * sizeof (uint32_t));
+ return;
+ }
+ if (scrut.tag == EverCrypt_Hash_SHA2_224_s)
+ {
+ uint32_t *p_src = scrut.case_SHA2_224_s;
+ EverCrypt_Hash_state_s x1 = *s_dst;
+ uint32_t *p_dst;
+ if (x1.tag == EverCrypt_Hash_SHA2_224_s)
+ {
+ p_dst = x1.case_SHA2_224_s;
+ }
+ else
+ {
+ p_dst = KRML_EABORT(uint32_t *, "unreachable (pattern matches are exhaustive in F*)");
+ }
+ memcpy(p_dst, p_src, (uint32_t)8U * sizeof (uint32_t));
+ return;
+ }
+ if (scrut.tag == EverCrypt_Hash_SHA2_256_s)
+ {
+ uint32_t *p_src = scrut.case_SHA2_256_s;
+ EverCrypt_Hash_state_s x1 = *s_dst;
+ uint32_t *p_dst;
+ if (x1.tag == EverCrypt_Hash_SHA2_256_s)
+ {
+ p_dst = x1.case_SHA2_256_s;
+ }
+ else
+ {
+ p_dst = KRML_EABORT(uint32_t *, "unreachable (pattern matches are exhaustive in F*)");
+ }
+ memcpy(p_dst, p_src, (uint32_t)8U * sizeof (uint32_t));
+ return;
+ }
+ if (scrut.tag == EverCrypt_Hash_SHA2_384_s)
+ {
+ uint64_t *p_src = scrut.case_SHA2_384_s;
+ EverCrypt_Hash_state_s x1 = *s_dst;
+ uint64_t *p_dst;
+ if (x1.tag == EverCrypt_Hash_SHA2_384_s)
+ {
+ p_dst = x1.case_SHA2_384_s;
+ }
+ else
+ {
+ p_dst = KRML_EABORT(uint64_t *, "unreachable (pattern matches are exhaustive in F*)");
+ }
+ memcpy(p_dst, p_src, (uint32_t)8U * sizeof (uint64_t));
+ return;
+ }
+ if (scrut.tag == EverCrypt_Hash_SHA2_512_s)
+ {
+ uint64_t *p_src = scrut.case_SHA2_512_s;
+ EverCrypt_Hash_state_s x1 = *s_dst;
+ uint64_t *p_dst;
+ if (x1.tag == EverCrypt_Hash_SHA2_512_s)
+ {
+ p_dst = x1.case_SHA2_512_s;
+ }
+ else
+ {
+ p_dst = KRML_EABORT(uint64_t *, "unreachable (pattern matches are exhaustive in F*)");
+ }
+ memcpy(p_dst, p_src, (uint32_t)8U * sizeof (uint64_t));
+ return;
+ }
+ if (scrut.tag == EverCrypt_Hash_Blake2S_s)
+ {
+ uint32_t *p_src = scrut.case_Blake2S_s;
+ EverCrypt_Hash_state_s x1 = *s_dst;
+ uint32_t *p_dst;
+ if (x1.tag == EverCrypt_Hash_Blake2S_s)
+ {
+ p_dst = x1.case_Blake2S_s;
+ }
+ else
+ {
+ p_dst = KRML_EABORT(uint32_t *, "unreachable (pattern matches are exhaustive in F*)");
+ }
+ memcpy(p_dst, p_src, (uint32_t)16U * sizeof (uint32_t));
+ return;
+ }
+ if (scrut.tag == EverCrypt_Hash_Blake2B_s)
+ {
+ uint64_t *p_src = scrut.case_Blake2B_s;
+ EverCrypt_Hash_state_s x1 = *s_dst;
+ uint64_t *p_dst;
+ if (x1.tag == EverCrypt_Hash_Blake2B_s)
+ {
+ p_dst = x1.case_Blake2B_s;
+ }
+ else
+ {
+ p_dst = KRML_EABORT(uint64_t *, "unreachable (pattern matches are exhaustive in F*)");
+ }
+ memcpy(p_dst, p_src, (uint32_t)16U * sizeof (uint64_t));
+ return;
+ }
+ KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n",
+ __FILE__,
+ __LINE__,
+ "unreachable (pattern matches are exhaustive in F*)");
+ KRML_HOST_EXIT(255U);
+}
+
+void
EverCrypt_Hash_hash_256(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + uint32_t + scrut[8U] = + { + (uint32_t)0x6a09e667U, (uint32_t)0xbb67ae85U, (uint32_t)0x3c6ef372U, (uint32_t)0xa54ff53aU, + (uint32_t)0x510e527fU, (uint32_t)0x9b05688cU, (uint32_t)0x1f83d9abU, (uint32_t)0x5be0cd19U + }; + uint32_t *s = scrut; + uint32_t blocks_n0 = input_len / (uint32_t)64U; + uint32_t blocks_n1; + if (input_len % (uint32_t)64U == (uint32_t)0U && blocks_n0 > (uint32_t)0U) + { + blocks_n1 = blocks_n0 - (uint32_t)1U; + } + else + { + blocks_n1 = blocks_n0; + } + uint32_t blocks_len0 = blocks_n1 * (uint32_t)64U; + uint8_t *blocks0 = input; + uint32_t rest_len0 = input_len - blocks_len0; + uint8_t *rest0 = input + blocks_len0; + uint32_t blocks_n = blocks_n1; + uint32_t blocks_len = blocks_len0; + uint8_t *blocks = blocks0; + uint32_t rest_len = rest_len0; + uint8_t *rest = rest0; + EverCrypt_Hash_update_multi_256(s, blocks, blocks_n); + EverCrypt_Hash_update_last_256(s, (uint64_t)blocks_len, rest, rest_len); + Hacl_Hash_Core_SHA2_finish_256(s, dst); +} + +void EverCrypt_Hash_hash_224(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + uint32_t + scrut[8U] = + { + (uint32_t)0xc1059ed8U, (uint32_t)0x367cd507U, (uint32_t)0x3070dd17U, (uint32_t)0xf70e5939U, + (uint32_t)0xffc00b31U, (uint32_t)0x68581511U, (uint32_t)0x64f98fa7U, (uint32_t)0xbefa4fa4U + }; + uint32_t *s = scrut; + uint32_t blocks_n0 = input_len / (uint32_t)64U; + uint32_t blocks_n1; + if (input_len % (uint32_t)64U == (uint32_t)0U && blocks_n0 > (uint32_t)0U) + { + blocks_n1 = blocks_n0 - (uint32_t)1U; + } + else + { + blocks_n1 = blocks_n0; + } + uint32_t blocks_len0 = blocks_n1 * (uint32_t)64U; + uint8_t *blocks0 = input; + uint32_t rest_len0 = input_len - blocks_len0; + uint8_t *rest0 = input + blocks_len0; + uint32_t blocks_n = blocks_n1; + uint32_t blocks_len = blocks_len0; + uint8_t *blocks = blocks0; + uint32_t rest_len = rest_len0; + uint8_t *rest = rest0; + EverCrypt_Hash_update_multi_256(s, blocks, 
blocks_n); + EverCrypt_Hash_update_last_256(s, (uint64_t)blocks_len, rest, rest_len); + Hacl_Hash_Core_SHA2_finish_224(s, dst); +} + +void +EverCrypt_Hash_hash( + Spec_Hash_Definitions_hash_alg a, + uint8_t *dst, + uint8_t *input, + uint32_t len +) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + Hacl_Hash_MD5_legacy_hash(input, len, dst); + break; + } + case Spec_Hash_Definitions_SHA1: + { + Hacl_Hash_SHA1_legacy_hash(input, len, dst); + break; + } + case Spec_Hash_Definitions_SHA2_224: + { + EverCrypt_Hash_hash_224(input, len, dst); + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + EverCrypt_Hash_hash_256(input, len, dst); + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + Hacl_Hash_SHA2_hash_384(input, len, dst); + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + Hacl_Hash_SHA2_hash_512(input, len, dst); + break; + } + case Spec_Hash_Definitions_Blake2S: + { + Hacl_Hash_Blake2_hash_blake2s_32(input, len, dst); + break; + } + case Spec_Hash_Definitions_Blake2B: + { + Hacl_Hash_Blake2_hash_blake2b_32(input, len, dst); + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +uint32_t EverCrypt_Hash_Incremental_hash_len(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + return (uint32_t)16U; + } + case Spec_Hash_Definitions_SHA1: + { + return (uint32_t)20U; + } + case Spec_Hash_Definitions_SHA2_224: + { + return (uint32_t)28U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_SHA2_384: + { + return (uint32_t)48U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_Blake2S: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_Blake2B: + { + return (uint32_t)64U; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} 
+ +uint32_t EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_SHA1: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_SHA2_224: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_SHA2_384: + { + return (uint32_t)128U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return (uint32_t)128U; + } + case Spec_Hash_Definitions_Blake2S: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_Blake2B: + { + return (uint32_t)128U; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ +*EverCrypt_Hash_Incremental_create_in(Spec_Hash_Definitions_hash_alg a) +{ + KRML_CHECK_SIZE(sizeof (uint8_t), EverCrypt_Hash_Incremental_block_len(a)); + uint8_t *buf = KRML_HOST_CALLOC(EverCrypt_Hash_Incremental_block_len(a), sizeof (uint8_t)); + EverCrypt_Hash_state_s *block_state = EverCrypt_Hash_create_in(a); + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ + s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____), + (uint32_t)1U); + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ + *p = KRML_HOST_MALLOC(sizeof (Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____)); + p[0U] = s; + EverCrypt_Hash_init(block_state); + return p; +} + +void +EverCrypt_Hash_Incremental_init(Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *s) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *s; + uint8_t *buf = scrut.buf; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + Spec_Hash_Definitions_hash_alg i = EverCrypt_Hash_alg_of_state(block_state); + 
EverCrypt_Hash_init(block_state); + s[0U] = + ( + (Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____){ + .block_state = block_state, + .buf = buf, + .total_len = (uint64_t)0U + } + ); +} + +void +EverCrypt_Hash_Incremental_update( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ s = *p; + EverCrypt_Hash_state_s *block_state = s.block_state; + uint64_t total_len = s.total_len; + Spec_Hash_Definitions_hash_alg i1 = EverCrypt_Hash_alg_of_state(block_state); + uint32_t sz; + if + ( + total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(i1) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + sz = EverCrypt_Hash_Incremental_block_len(i1); + } + else + { + sz = (uint32_t)(total_len % (uint64_t)EverCrypt_Hash_Incremental_block_len(i1)); + } + if (len <= EverCrypt_Hash_Incremental_block_len(i1) - sz) + { + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ s1 = *p; + EverCrypt_Hash_state_s *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + Spec_Hash_Definitions_hash_alg i2 = EverCrypt_Hash_alg_of_state(block_state1); + uint32_t sz1; + if + ( + total_len1 + % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = EverCrypt_Hash_Incremental_block_len(i2); + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2)); + } + uint8_t *buf2 = buf + sz1; + memcpy(buf2, data, len * sizeof (uint8_t)); + uint64_t total_len2 = total_len1 + (uint64_t)len; + *p + = + ( + (Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len2 + } + ); + return; + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ s1 = *p; + EverCrypt_Hash_state_s *block_state1 = s1.block_state; + uint8_t *buf = 
s1.buf; + uint64_t total_len1 = s1.total_len; + Spec_Hash_Definitions_hash_alg i2 = EverCrypt_Hash_alg_of_state(block_state1); + uint32_t sz1; + if + ( + total_len1 + % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = EverCrypt_Hash_Incremental_block_len(i2); + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2)); + } + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + EverCrypt_Hash_update_multi2(block_state1, + prevlen, + buf, + EverCrypt_Hash_Incremental_block_len(i2)); + } + uint32_t ite; + if + ( + (uint64_t)len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2) + == (uint64_t)0U + && (uint64_t)len > (uint64_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(i2); + } + else + { + ite = (uint32_t)((uint64_t)len % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2)); + } + uint32_t n_blocks = (len - ite) / EverCrypt_Hash_Incremental_block_len(i2); + uint32_t data1_len = n_blocks * EverCrypt_Hash_Incremental_block_len(i2); + uint32_t data2_len = len - data1_len; + uint8_t *data1 = data; + uint8_t *data2 = data + data1_len; + EverCrypt_Hash_update_multi2(block_state1, total_len1, data1, data1_len); + uint8_t *dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)len + } + ); + return; + } + uint32_t diff = EverCrypt_Hash_Incremental_block_len(i1) - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ s1 = *p; + EverCrypt_Hash_state_s *block_state10 = s1.block_state; + uint8_t *buf0 = s1.buf; + uint64_t total_len10 = s1.total_len; + Spec_Hash_Definitions_hash_alg i20 = EverCrypt_Hash_alg_of_state(block_state10); + uint32_t sz10; + if + ( + total_len10 + % 
(uint64_t)EverCrypt_Hash_Incremental_block_len(i20) + == (uint64_t)0U + && total_len10 > (uint64_t)0U + ) + { + sz10 = EverCrypt_Hash_Incremental_block_len(i20); + } + else + { + sz10 = (uint32_t)(total_len10 % (uint64_t)EverCrypt_Hash_Incremental_block_len(i20)); + } + uint8_t *buf2 = buf0 + sz10; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + uint64_t total_len2 = total_len10 + (uint64_t)diff; + *p + = + ( + (Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____){ + .block_state = block_state10, + .buf = buf0, + .total_len = total_len2 + } + ); + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ s10 = *p; + EverCrypt_Hash_state_s *block_state1 = s10.block_state; + uint8_t *buf = s10.buf; + uint64_t total_len1 = s10.total_len; + Spec_Hash_Definitions_hash_alg i2 = EverCrypt_Hash_alg_of_state(block_state1); + uint32_t sz1; + if + ( + total_len1 + % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = EverCrypt_Hash_Incremental_block_len(i2); + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2)); + } + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + EverCrypt_Hash_update_multi2(block_state1, + prevlen, + buf, + EverCrypt_Hash_Incremental_block_len(i2)); + } + uint32_t ite; + if + ( + (uint64_t)(len - diff) + % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2) + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(i2); + } + else + { + ite = (uint32_t)((uint64_t)(len - diff) % (uint64_t)EverCrypt_Hash_Incremental_block_len(i2)); + } + uint32_t n_blocks = (len - diff - ite) / EverCrypt_Hash_Incremental_block_len(i2); + uint32_t data1_len = n_blocks * EverCrypt_Hash_Incremental_block_len(i2); + uint32_t data2_len = len - diff - data1_len; + uint8_t *data11 = data2; + uint8_t *data21 = data2 + data1_len; + EverCrypt_Hash_update_multi2(block_state1, 
total_len1, data11, data1_len); + uint8_t *dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)(len - diff) + } + ); +} + +void +EverCrypt_Hash_Incremental_finish_md5( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *p; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_MD5) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_MD5); + } + else + { + r = + (uint32_t)(total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_MD5)); + } + uint8_t *buf_1 = buf_; + uint32_t buf[4U] = { 0U }; + EverCrypt_Hash_state_s s = { .tag = EverCrypt_Hash_MD5_s, { .case_MD5_s = buf } }; + EverCrypt_Hash_state_s tmp_block_state = s; + EverCrypt_Hash_copy(block_state, &tmp_block_state); + uint64_t prev_len = total_len - (uint64_t)r; + uint32_t ite; + if + ( + r + % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_MD5) + == (uint32_t)0U + && r > (uint32_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_MD5); + } + else + { + ite = r % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_MD5); + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + EverCrypt_Hash_update_multi2(&tmp_block_state, prev_len, buf_multi, (uint32_t)0U); + uint64_t prev_len_last = total_len - (uint64_t)r; + EverCrypt_Hash_update_last2(&tmp_block_state, prev_len_last, buf_last, r); + EverCrypt_Hash_finish(&tmp_block_state, dst); +} + +void +EverCrypt_Hash_Incremental_finish_sha1( + 
Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *p; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA1) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA1); + } + else + { + r = + (uint32_t)(total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA1)); + } + uint8_t *buf_1 = buf_; + uint32_t buf[5U] = { 0U }; + EverCrypt_Hash_state_s s = { .tag = EverCrypt_Hash_SHA1_s, { .case_SHA1_s = buf } }; + EverCrypt_Hash_state_s tmp_block_state = s; + EverCrypt_Hash_copy(block_state, &tmp_block_state); + uint64_t prev_len = total_len - (uint64_t)r; + uint32_t ite; + if + ( + r + % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA1) + == (uint32_t)0U + && r > (uint32_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA1); + } + else + { + ite = r % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA1); + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + EverCrypt_Hash_update_multi2(&tmp_block_state, prev_len, buf_multi, (uint32_t)0U); + uint64_t prev_len_last = total_len - (uint64_t)r; + EverCrypt_Hash_update_last2(&tmp_block_state, prev_len_last, buf_last, r); + EverCrypt_Hash_finish(&tmp_block_state, dst); +} + +void +EverCrypt_Hash_Incremental_finish_sha224( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *p; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % 
(uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_224) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_224); + } + else + { + r = + (uint32_t)(total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_224)); + } + uint8_t *buf_1 = buf_; + uint32_t buf[8U] = { 0U }; + EverCrypt_Hash_state_s s = { .tag = EverCrypt_Hash_SHA2_224_s, { .case_SHA2_224_s = buf } }; + EverCrypt_Hash_state_s tmp_block_state = s; + EverCrypt_Hash_copy(block_state, &tmp_block_state); + uint64_t prev_len = total_len - (uint64_t)r; + uint32_t ite; + if + ( + r + % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_224) + == (uint32_t)0U + && r > (uint32_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_224); + } + else + { + ite = r % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_224); + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + EverCrypt_Hash_update_multi2(&tmp_block_state, prev_len, buf_multi, (uint32_t)0U); + uint64_t prev_len_last = total_len - (uint64_t)r; + EverCrypt_Hash_update_last2(&tmp_block_state, prev_len_last, buf_last, r); + EverCrypt_Hash_finish(&tmp_block_state, dst); +} + +void +EverCrypt_Hash_Incremental_finish_sha256( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *p; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_256) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_256); + } + else + { + r = + (uint32_t)(total_len + % 
(uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_256)); + } + uint8_t *buf_1 = buf_; + uint32_t buf[8U] = { 0U }; + EverCrypt_Hash_state_s s = { .tag = EverCrypt_Hash_SHA2_256_s, { .case_SHA2_256_s = buf } }; + EverCrypt_Hash_state_s tmp_block_state = s; + EverCrypt_Hash_copy(block_state, &tmp_block_state); + uint64_t prev_len = total_len - (uint64_t)r; + uint32_t ite; + if + ( + r + % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_256) + == (uint32_t)0U + && r > (uint32_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_256); + } + else + { + ite = r % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_256); + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + EverCrypt_Hash_update_multi2(&tmp_block_state, prev_len, buf_multi, (uint32_t)0U); + uint64_t prev_len_last = total_len - (uint64_t)r; + EverCrypt_Hash_update_last2(&tmp_block_state, prev_len_last, buf_last, r); + EverCrypt_Hash_finish(&tmp_block_state, dst); +} + +void +EverCrypt_Hash_Incremental_finish_sha384( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *p; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_384) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_384); + } + else + { + r = + (uint32_t)(total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_384)); + } + uint8_t *buf_1 = buf_; + uint64_t buf[8U] = { 0U }; + EverCrypt_Hash_state_s s = { .tag = EverCrypt_Hash_SHA2_384_s, { .case_SHA2_384_s = buf } }; + EverCrypt_Hash_state_s tmp_block_state = s; + EverCrypt_Hash_copy(block_state, 
&tmp_block_state); + uint64_t prev_len = total_len - (uint64_t)r; + uint32_t ite; + if + ( + r + % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_384) + == (uint32_t)0U + && r > (uint32_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_384); + } + else + { + ite = r % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_384); + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + EverCrypt_Hash_update_multi2(&tmp_block_state, prev_len, buf_multi, (uint32_t)0U); + uint64_t prev_len_last = total_len - (uint64_t)r; + EverCrypt_Hash_update_last2(&tmp_block_state, prev_len_last, buf_last, r); + EverCrypt_Hash_finish(&tmp_block_state, dst); +} + +void +EverCrypt_Hash_Incremental_finish_sha512( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *p; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_512) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_512); + } + else + { + r = + (uint32_t)(total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_512)); + } + uint8_t *buf_1 = buf_; + uint64_t buf[8U] = { 0U }; + EverCrypt_Hash_state_s s = { .tag = EverCrypt_Hash_SHA2_512_s, { .case_SHA2_512_s = buf } }; + EverCrypt_Hash_state_s tmp_block_state = s; + EverCrypt_Hash_copy(block_state, &tmp_block_state); + uint64_t prev_len = total_len - (uint64_t)r; + uint32_t ite; + if + ( + r + % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_512) + == (uint32_t)0U + && r > (uint32_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_512); + } + else + { + ite = 
r % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_SHA2_512); + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + EverCrypt_Hash_update_multi2(&tmp_block_state, prev_len, buf_multi, (uint32_t)0U); + uint64_t prev_len_last = total_len - (uint64_t)r; + EverCrypt_Hash_update_last2(&tmp_block_state, prev_len_last, buf_last, r); + EverCrypt_Hash_finish(&tmp_block_state, dst); +} + +void +EverCrypt_Hash_Incremental_finish_blake2s( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *p; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2S) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2S); + } + else + { + r = + (uint32_t)(total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2S)); + } + uint8_t *buf_1 = buf_; + uint32_t buf[16U] = { 0U }; + EverCrypt_Hash_state_s s = { .tag = EverCrypt_Hash_Blake2S_s, { .case_Blake2S_s = buf } }; + EverCrypt_Hash_state_s tmp_block_state = s; + EverCrypt_Hash_copy(block_state, &tmp_block_state); + uint64_t prev_len = total_len - (uint64_t)r; + uint32_t ite; + if + ( + r + % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2S) + == (uint32_t)0U + && r > (uint32_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2S); + } + else + { + ite = r % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2S); + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + EverCrypt_Hash_update_multi2(&tmp_block_state, prev_len, buf_multi, (uint32_t)0U); + uint64_t prev_len_last = total_len - (uint64_t)r; + 
EverCrypt_Hash_update_last2(&tmp_block_state, prev_len_last, buf_last, r); + EverCrypt_Hash_finish(&tmp_block_state, dst); +} + +void +EverCrypt_Hash_Incremental_finish_blake2b( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *p, + uint8_t *dst +) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *p; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2B) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2B); + } + else + { + r = + (uint32_t)(total_len + % (uint64_t)EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2B)); + } + uint8_t *buf_1 = buf_; + uint64_t buf[16U] = { 0U }; + EverCrypt_Hash_state_s s = { .tag = EverCrypt_Hash_Blake2B_s, { .case_Blake2B_s = buf } }; + EverCrypt_Hash_state_s tmp_block_state = s; + EverCrypt_Hash_copy(block_state, &tmp_block_state); + uint64_t prev_len = total_len - (uint64_t)r; + uint32_t ite; + if + ( + r + % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2B) + == (uint32_t)0U + && r > (uint32_t)0U + ) + { + ite = EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2B); + } + else + { + ite = r % EverCrypt_Hash_Incremental_block_len(Spec_Hash_Definitions_Blake2B); + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + EverCrypt_Hash_update_multi2(&tmp_block_state, prev_len, buf_multi, (uint32_t)0U); + uint64_t prev_len_last = total_len - (uint64_t)r; + EverCrypt_Hash_update_last2(&tmp_block_state, prev_len_last, buf_last, r); + EverCrypt_Hash_finish(&tmp_block_state, dst); +} + +Spec_Hash_Definitions_hash_alg +EverCrypt_Hash_Incremental_alg_of_state( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *s +) +{ + 
Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *s; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + return EverCrypt_Hash_alg_of_state(block_state); +} + +void +EverCrypt_Hash_Incremental_finish( + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *s, + uint8_t *dst +) +{ + Spec_Hash_Definitions_hash_alg a1 = EverCrypt_Hash_Incremental_alg_of_state(s); + switch (a1) + { + case Spec_Hash_Definitions_MD5: + { + EverCrypt_Hash_Incremental_finish_md5(s, dst); + break; + } + case Spec_Hash_Definitions_SHA1: + { + EverCrypt_Hash_Incremental_finish_sha1(s, dst); + break; + } + case Spec_Hash_Definitions_SHA2_224: + { + EverCrypt_Hash_Incremental_finish_sha224(s, dst); + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + EverCrypt_Hash_Incremental_finish_sha256(s, dst); + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + EverCrypt_Hash_Incremental_finish_sha384(s, dst); + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + EverCrypt_Hash_Incremental_finish_sha512(s, dst); + break; + } + case Spec_Hash_Definitions_Blake2S: + { + EverCrypt_Hash_Incremental_finish_blake2s(s, dst); + break; + } + case Spec_Hash_Definitions_Blake2B: + { + EverCrypt_Hash_Incremental_finish_blake2b(s, dst); + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +void +EverCrypt_Hash_Incremental_free(Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ *s) +{ + Hacl_Streaming_Functor_state_s___EverCrypt_Hash_state_s____ scrut = *s; + uint8_t *buf = scrut.buf; + EverCrypt_Hash_state_s *block_state = scrut.block_state; + EverCrypt_Hash_free(block_state); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s); +} + diff --git a/src/msvc/EverCrypt_Poly1305.c b/src/msvc/EverCrypt_Poly1305.c new file mode 100644 index 00000000..90a392d3 --- /dev/null +++ b/src/msvc/EverCrypt_Poly1305.c 
@@ -0,0 +1,87 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */
+
+
+#include "EverCrypt_Poly1305.h"
+
+#include "internal/Vale.h"
+
+static void poly1305_vale(uint8_t *dst, uint8_t *src, uint32_t len, uint8_t *key)
+{
+ uint8_t ctx[192U] = { 0U };
+ memcpy(ctx + (uint32_t)24U, key, (uint32_t)32U * sizeof (uint8_t));
+ uint32_t n_blocks = len / (uint32_t)16U;
+ uint32_t n_extra = len % (uint32_t)16U;
+ uint8_t tmp[16U];
+ if (n_extra == (uint32_t)0U)
+ {
+ uint64_t scrut = x64_poly1305(ctx, src, (uint64_t)len, (uint64_t)1U);
+ }
+ else
+ {
+ uint8_t init = (uint8_t)0U;
+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++)
+ {
+ tmp[i] = init;
+ }
+ uint32_t len16 = n_blocks * (uint32_t)16U;
+ uint8_t *src16 = src;
+ memcpy(tmp, src + len16, n_extra * sizeof (uint8_t));
+ uint64_t scrut = x64_poly1305(ctx, src16, (uint64_t)len16, (uint64_t)0U);
+ memcpy(ctx + (uint32_t)24U, key, (uint32_t)32U * sizeof (uint8_t));
+ uint64_t scrut0 = x64_poly1305(ctx, tmp, (uint64_t)n_extra, (uint64_t)1U);
+ }
+ memcpy(dst, ctx, (uint32_t)16U * sizeof (uint8_t));
+}
+
+void EverCrypt_Poly1305_poly1305(uint8_t *dst, uint8_t *src, uint32_t len, uint8_t *key)
+{
+ bool avx2 = EverCrypt_AutoConfig2_has_avx2();
+ bool avx = EverCrypt_AutoConfig2_has_avx();
+ bool vec256 = EverCrypt_AutoConfig2_has_vec256();
+ bool vec128 = EverCrypt_AutoConfig2_has_vec128();
+ bool vale = EverCrypt_AutoConfig2_wants_vale();
+ #if HACL_CAN_COMPILE_VEC256
+ if (vec256)
+ {
+ Hacl_Poly1305_256_poly1305_mac(dst, len, src, key);
+ return;
+ }
+ #endif
+ #if HACL_CAN_COMPILE_VEC128
+ if (vec128)
+ {
+ Hacl_Poly1305_128_poly1305_mac(dst, len, src, key);
+ return;
+ }
+ #endif
+ #if HACL_CAN_COMPILE_VALE
+ if (vale)
+ {
+ poly1305_vale(dst, src, len, key);
+ return;
+ }
+ #endif
+ Hacl_Poly1305_32_poly1305_mac(dst, len, src, key);
+}
+
diff --git a/src/msvc/Hacl_Bignum.c b/src/msvc/Hacl_Bignum.c
new file mode 100644
index 00000000..aba6628a
--- /dev/null
+++ b/src/msvc/Hacl_Bignum.c
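Review bot: `poly1305_vale` returns with the 32-byte key still sitting in `ctx` (it is copied to `ctx + 24` twice) and, on the partial-block path, the padded final message block still in `tmp`; nothing wipes either buffer after the tag is copied out, so key material outlives the call on the stack. This file is generated, so the fix belongs upstream, but the hand-applied form is a wipe after the last `memcpy(dst, ctx, ...)`, e.g. `explicit_bzero(ctx, sizeof ctx); explicit_bzero(tmp, sizeof tmp);` (or `SecureZeroMemory` under MSVC, since plain `memset` before return may be optimised away). Separately, the `uint64_t scrut`/`scrut0` results of `x64_poly1305` and the `avx2`/`avx` locals in `EverCrypt_Poly1305_poly1305` are assigned and never read, so every `-Wall` build warns on this file; `(void)x64_poly1305(...)` and dropping the two unused feature queries keeps behaviour identical. The `#if HACL_CAN_COMPILE_*` dispatch presumably relies on the `EverCrypt_AutoConfig2_*` state having been initialised before the first call; a one-line header comment on `EverCrypt_Poly1305_poly1305` stating that precondition would help callers.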
@@ -0,0 +1,2594 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Bignum.h" + +#include "internal/Hacl_Kremlib.h" + +void Hacl_Bignum_Convert_bn_from_bytes_be_uint64(uint32_t len, uint8_t *b, uint64_t *res) +{ + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t *tmp = alloca(tmpLen * sizeof (uint8_t)); + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + uint64_t *os = res; + uint64_t u = load64_be(tmp + (bnLen - i - (uint32_t)1U) * (uint32_t)8U); + uint64_t x = u; + os[i] = x; + } +} + +void Hacl_Bignum_Convert_bn_to_bytes_be_uint64(uint32_t len, uint64_t *b, uint8_t *res) +{ + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t *tmp = alloca(tmpLen * sizeof (uint8_t)); + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + uint32_t numb = (uint32_t)8U; + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + store64_be(tmp + i * numb, b[bnLen - i - (uint32_t)1U]); + } + memcpy(res, tmp + tmpLen - len, len * sizeof (uint8_t)); +} + +uint32_t Hacl_Bignum_Lib_bn_get_top_index_u32(uint32_t len, uint32_t *b) +{ + uint32_t priv = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t mask = FStar_UInt32_eq_mask(b[i], (uint32_t)0U); + priv = (mask & priv) | (~mask & i); + } + return priv; +} + +uint64_t Hacl_Bignum_Lib_bn_get_top_index_u64(uint32_t len, uint64_t *b) +{ + uint64_t priv = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t mask = FStar_UInt64_eq_mask(b[i], (uint64_t)0U); + priv = (mask & priv) | (~mask & (uint64_t)i); + } + return priv; +} + +uint32_t +Hacl_Bignum_Addition_bn_sub_eq_len_u32(uint32_t aLen, uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < aLen 
/ (uint32_t)4U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t20, res_i0); + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, t21, res_i1); + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, t22, res_i2); + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, t2, res_i); + } + for (uint32_t i = aLen / (uint32_t)4U * (uint32_t)4U; i < aLen; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t2, res_i); + } + return c; +} + +uint64_t +Hacl_Bignum_Addition_bn_sub_eq_len_u64(uint32_t aLen, uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < aLen / (uint32_t)4U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, 
res_i2); + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); + } + for (uint32_t i = aLen / (uint32_t)4U * (uint32_t)4U; i < aLen; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t2, res_i); + } + return c; +} + +uint32_t +Hacl_Bignum_Addition_bn_add_eq_len_u32(uint32_t aLen, uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < aLen / (uint32_t)4U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t20, res_i0); + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t10, t21, res_i1); + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t11, t22, res_i2); + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t12, t2, res_i); + } + for (uint32_t i = aLen / (uint32_t)4U * (uint32_t)4U; i < aLen; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t2, res_i); + } + return c; +} + +uint64_t +Hacl_Bignum_Addition_bn_add_eq_len_u64(uint32_t aLen, uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < aLen / (uint32_t)4U; i++) + { 
+ uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t20, res_i0); + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t10, t21, res_i1); + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, t22, res_i2); + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t12, t2, res_i); + } + for (uint32_t i = aLen / (uint32_t)4U * (uint32_t)4U; i < aLen; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t2, res_i); + } + return c; +} + +static inline void +bn_mul_u32(uint32_t aLen, uint32_t *a, uint32_t bLen, uint32_t *b, uint32_t *res) +{ + memset(res, 0U, (aLen + bLen) * sizeof (uint32_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < bLen; i0++) + { + uint32_t bj = b[i0]; + uint32_t *res_j = res + i0; + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < aLen / (uint32_t)4U; i++) + { + uint32_t a_i = a[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, bj, c, res_i0); + uint32_t a_i0 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, bj, c, res_i1); + uint32_t a_i1 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, bj, c, res_i2); + uint32_t a_i2 
= a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, bj, c, res_i); + } + for (uint32_t i = aLen / (uint32_t)4U * (uint32_t)4U; i < aLen; i++) + { + uint32_t a_i = a[i]; + uint32_t *res_i = res_j + i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, bj, c, res_i); + } + uint32_t r = c; + res[aLen + i0] = r; + } +} + +static inline void +bn_mul_u64(uint32_t aLen, uint64_t *a, uint32_t bLen, uint64_t *b, uint64_t *res) +{ + memset(res, 0U, (aLen + bLen) * sizeof (uint64_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < bLen; i0++) + { + uint64_t bj = b[i0]; + uint64_t *res_j = res + i0; + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < aLen / (uint32_t)4U; i++) + { + uint64_t a_i = a[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, bj, c, res_i0); + uint64_t a_i0 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, bj, c, res_i1); + uint64_t a_i1 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, bj, c, res_i2); + uint64_t a_i2 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, bj, c, res_i); + } + for (uint32_t i = aLen / (uint32_t)4U * (uint32_t)4U; i < aLen; i++) + { + uint64_t a_i = a[i]; + uint64_t *res_i = res_j + i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, bj, c, res_i); + } + uint64_t r = c; + res[aLen + i0] = r; + } +} + +static inline void bn_sqr_u32(uint32_t aLen, uint32_t *a, uint32_t *res) +{ + memset(res, 0U, (aLen + aLen) * sizeof (uint32_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < aLen; i0++) + { + uint32_t *ab = a; + uint32_t a_j = a[i0]; + uint32_t *res_j = res + i0; + uint32_t c = (uint32_t)0U; + for 
(uint32_t i = (uint32_t)0U; i < i0 / (uint32_t)4U; i++) + { + uint32_t a_i = ab[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, a_j, c, res_i0); + uint32_t a_i0 = ab[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, a_j, c, res_i1); + uint32_t a_i1 = ab[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, a_j, c, res_i2); + uint32_t a_i2 = ab[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, a_j, c, res_i); + } + for (uint32_t i = i0 / (uint32_t)4U * (uint32_t)4U; i < i0; i++) + { + uint32_t a_i = ab[i]; + uint32_t *res_i = res_j + i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, a_j, c, res_i); + } + uint32_t r = c; + res[i0 + i0] = r; + } + uint32_t c0 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen + aLen, res, res, res); + KRML_CHECK_SIZE(sizeof (uint32_t), aLen + aLen); + uint32_t *tmp = alloca((aLen + aLen) * sizeof (uint32_t)); + memset(tmp, 0U, (aLen + aLen) * sizeof (uint32_t)); + for (uint32_t i = (uint32_t)0U; i < aLen; i++) + { + uint64_t res1 = (uint64_t)a[i] * (uint64_t)a[i]; + uint32_t hi = (uint32_t)(res1 >> (uint32_t)32U); + uint32_t lo = (uint32_t)res1; + tmp[(uint32_t)2U * i] = lo; + tmp[(uint32_t)2U * i + (uint32_t)1U] = hi; + } + uint32_t c1 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen + aLen, res, tmp, res); +} + +static inline void bn_sqr_u64(uint32_t aLen, uint64_t *a, uint64_t *res) +{ + memset(res, 0U, (aLen + aLen) * sizeof (uint64_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < aLen; i0++) + { + uint64_t *ab = a; + uint64_t a_j = a[i0]; + uint64_t *res_j = res + i0; + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < i0 / (uint32_t)4U; i++) + { + uint64_t a_i = ab[(uint32_t)4U * i]; + uint64_t 
*res_i0 = res_j + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c, res_i0); + uint64_t a_i0 = ab[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, a_j, c, res_i1); + uint64_t a_i1 = ab[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, a_j, c, res_i2); + uint64_t a_i2 = ab[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, a_j, c, res_i); + } + for (uint32_t i = i0 / (uint32_t)4U * (uint32_t)4U; i < i0; i++) + { + uint64_t a_i = ab[i]; + uint64_t *res_i = res_j + i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c, res_i); + } + uint64_t r = c; + res[i0 + i0] = r; + } + uint64_t c0 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen + aLen, res, res, res); + KRML_CHECK_SIZE(sizeof (uint64_t), aLen + aLen); + uint64_t *tmp = alloca((aLen + aLen) * sizeof (uint64_t)); + memset(tmp, 0U, (aLen + aLen) * sizeof (uint64_t)); + for (uint32_t i = (uint32_t)0U; i < aLen; i++) + { + FStar_UInt128_uint128 res1 = FStar_UInt128_mul_wide(a[i], a[i]); + uint64_t hi = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res1, (uint32_t)64U)); + uint64_t lo = FStar_UInt128_uint128_to_uint64(res1); + tmp[(uint32_t)2U * i] = lo; + tmp[(uint32_t)2U * i + (uint32_t)1U] = hi; + } + uint64_t c1 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen + aLen, res, tmp, res); +} + +void +Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32( + uint32_t aLen, + uint32_t *a, + uint32_t *b, + uint32_t *tmp, + uint32_t *res +) +{ + if (aLen < (uint32_t)32U || aLen % (uint32_t)2U == (uint32_t)1U) + { + bn_mul_u32(aLen, a, aLen, b, res); + return; + } + uint32_t len2 = aLen / (uint32_t)2U; + uint32_t *a0 = a; + uint32_t *a1 = a + len2; + uint32_t *b0 = b; + uint32_t *b1 = b + len2; + uint32_t *t0 = tmp; + uint32_t *t1 
= tmp + len2; + uint32_t *tmp_ = tmp + aLen; + uint32_t c0 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(len2, a0, a1, tmp_); + uint32_t c10 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(len2, a1, a0, t0); + for (uint32_t i = (uint32_t)0U; i < len2; i++) + { + uint32_t *os = t0; + uint32_t x = (((uint32_t)0U - c0) & t0[i]) | (~((uint32_t)0U - c0) & tmp_[i]); + os[i] = x; + } + uint32_t c00 = c0; + uint32_t c010 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(len2, b0, b1, tmp_); + uint32_t c1 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(len2, b1, b0, t1); + for (uint32_t i = (uint32_t)0U; i < len2; i++) + { + uint32_t *os = t1; + uint32_t x = (((uint32_t)0U - c010) & t1[i]) | (~((uint32_t)0U - c010) & tmp_[i]); + os[i] = x; + } + uint32_t c11 = c010; + uint32_t *t23 = tmp + aLen; + uint32_t *tmp1 = tmp + aLen + aLen; + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len2, t0, t1, tmp1, t23); + uint32_t *r01 = res; + uint32_t *r23 = res + aLen; + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len2, a0, b0, tmp1, r01); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len2, a1, b1, tmp1, r23); + uint32_t *r011 = res; + uint32_t *r231 = res + aLen; + uint32_t *t01 = tmp; + uint32_t *t231 = tmp + aLen; + uint32_t *t45 = tmp + (uint32_t)2U * aLen; + uint32_t *t67 = tmp + (uint32_t)3U * aLen; + uint32_t c2 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen, r011, r231, t01); + uint32_t c_sign = c00 ^ c11; + uint32_t c3 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(aLen, t01, t231, t67); + uint32_t c31 = c2 - c3; + uint32_t c4 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen, t01, t231, t45); + uint32_t c41 = c2 + c4; + uint32_t mask = (uint32_t)0U - c_sign; + for (uint32_t i = (uint32_t)0U; i < aLen; i++) + { + uint32_t *os = t45; + uint32_t x = (mask & t45[i]) | (~mask & t67[i]); + os[i] = x; + } + uint32_t c5 = (mask & c41) | (~mask & c31); + uint32_t aLen2 = aLen / (uint32_t)2U; + uint32_t *r0 = res + aLen2; + uint32_t r10 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen, r0, t45, r0); + uint32_t c6 = r10; + 
uint32_t c60 = c6; + uint32_t c7 = c5 + c60; + uint32_t *r = res + aLen + aLen2; + uint32_t c01 = Lib_IntTypes_Intrinsics_add_carry_u32((uint32_t)0U, r[0U], c7, r); + uint32_t r1; + if ((uint32_t)1U < aLen + aLen - (aLen + aLen2)) + { + uint32_t rLen = aLen + aLen - (aLen + aLen2) - (uint32_t)1U; + uint32_t *a11 = r + (uint32_t)1U; + uint32_t *res1 = r + (uint32_t)1U; + uint32_t c = c01; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint32_t t11 = a11[(uint32_t)4U * i]; + uint32_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t11, (uint32_t)0U, res_i0); + uint32_t t110 = a11[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t110, (uint32_t)0U, res_i1); + uint32_t t111 = a11[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t111, (uint32_t)0U, res_i2); + uint32_t t112 = a11[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t112, (uint32_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint32_t t11 = a11[i]; + uint32_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t11, (uint32_t)0U, res_i); + } + uint32_t c110 = c; + r1 = c110; + } + else + { + r1 = c01; + } + uint32_t c8 = r1; + uint32_t c = c8; + uint32_t c9 = c; +} + +void +Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64( + uint32_t aLen, + uint64_t *a, + uint64_t *b, + uint64_t *tmp, + uint64_t *res +) +{ + if (aLen < (uint32_t)32U || aLen % (uint32_t)2U == (uint32_t)1U) + { + bn_mul_u64(aLen, a, aLen, b, res); + return; + } + uint32_t len2 = aLen / (uint32_t)2U; + uint64_t *a0 = a; + uint64_t *a1 = a + len2; + uint64_t *b0 = b; + uint64_t *b1 = b + len2; + uint64_t *t0 = tmp; + uint64_t *t1 = tmp + len2; + uint64_t *tmp_ 
= tmp + aLen; + uint64_t c0 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(len2, a0, a1, tmp_); + uint64_t c10 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(len2, a1, a0, t0); + for (uint32_t i = (uint32_t)0U; i < len2; i++) + { + uint64_t *os = t0; + uint64_t x = (((uint64_t)0U - c0) & t0[i]) | (~((uint64_t)0U - c0) & tmp_[i]); + os[i] = x; + } + uint64_t c00 = c0; + uint64_t c010 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(len2, b0, b1, tmp_); + uint64_t c1 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(len2, b1, b0, t1); + for (uint32_t i = (uint32_t)0U; i < len2; i++) + { + uint64_t *os = t1; + uint64_t x = (((uint64_t)0U - c010) & t1[i]) | (~((uint64_t)0U - c010) & tmp_[i]); + os[i] = x; + } + uint64_t c11 = c010; + uint64_t *t23 = tmp + aLen; + uint64_t *tmp1 = tmp + aLen + aLen; + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len2, t0, t1, tmp1, t23); + uint64_t *r01 = res; + uint64_t *r23 = res + aLen; + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len2, a0, b0, tmp1, r01); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len2, a1, b1, tmp1, r23); + uint64_t *r011 = res; + uint64_t *r231 = res + aLen; + uint64_t *t01 = tmp; + uint64_t *t231 = tmp + aLen; + uint64_t *t45 = tmp + (uint32_t)2U * aLen; + uint64_t *t67 = tmp + (uint32_t)3U * aLen; + uint64_t c2 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen, r011, r231, t01); + uint64_t c_sign = c00 ^ c11; + uint64_t c3 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(aLen, t01, t231, t67); + uint64_t c31 = c2 - c3; + uint64_t c4 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen, t01, t231, t45); + uint64_t c41 = c2 + c4; + uint64_t mask = (uint64_t)0U - c_sign; + for (uint32_t i = (uint32_t)0U; i < aLen; i++) + { + uint64_t *os = t45; + uint64_t x = (mask & t45[i]) | (~mask & t67[i]); + os[i] = x; + } + uint64_t c5 = (mask & c41) | (~mask & c31); + uint32_t aLen2 = aLen / (uint32_t)2U; + uint64_t *r0 = res + aLen2; + uint64_t r10 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen, r0, t45, r0); + uint64_t c6 = r10; + uint64_t c60 = c6; + uint64_t 
c7 = c5 + c60; + uint64_t *r = res + aLen + aLen2; + uint64_t c01 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, r[0U], c7, r); + uint64_t r1; + if ((uint32_t)1U < aLen + aLen - (aLen + aLen2)) + { + uint32_t rLen = aLen + aLen - (aLen + aLen2) - (uint32_t)1U; + uint64_t *a11 = r + (uint32_t)1U; + uint64_t *res1 = r + (uint32_t)1U; + uint64_t c = c01; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint64_t t11 = a11[(uint32_t)4U * i]; + uint64_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, (uint64_t)0U, res_i0); + uint64_t t110 = a11[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t110, (uint64_t)0U, res_i1); + uint64_t t111 = a11[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t111, (uint64_t)0U, res_i2); + uint64_t t112 = a11[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t112, (uint64_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint64_t t11 = a11[i]; + uint64_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, (uint64_t)0U, res_i); + } + uint64_t c110 = c; + r1 = c110; + } + else + { + r1 = c01; + } + uint64_t c8 = r1; + uint64_t c = c8; + uint64_t c9 = c; +} + +void +Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32( + uint32_t aLen, + uint32_t *a, + uint32_t *tmp, + uint32_t *res +) +{ + if (aLen < (uint32_t)32U || aLen % (uint32_t)2U == (uint32_t)1U) + { + bn_sqr_u32(aLen, a, res); + return; + } + uint32_t len2 = aLen / (uint32_t)2U; + uint32_t *a0 = a; + uint32_t *a1 = a + len2; + uint32_t *t0 = tmp; + uint32_t *tmp_ = tmp + aLen; + uint32_t c0 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(len2, a0, a1, tmp_); + uint32_t c1 = 
Hacl_Bignum_Addition_bn_sub_eq_len_u32(len2, a1, a0, t0); + for (uint32_t i = (uint32_t)0U; i < len2; i++) + { + uint32_t *os = t0; + uint32_t x = (((uint32_t)0U - c0) & t0[i]) | (~((uint32_t)0U - c0) & tmp_[i]); + os[i] = x; + } + uint32_t c00 = c0; + uint32_t *t23 = tmp + aLen; + uint32_t *tmp1 = tmp + aLen + aLen; + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32(len2, t0, tmp1, t23); + uint32_t *r01 = res; + uint32_t *r23 = res + aLen; + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32(len2, a0, tmp1, r01); + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32(len2, a1, tmp1, r23); + uint32_t *r011 = res; + uint32_t *r231 = res + aLen; + uint32_t *t01 = tmp; + uint32_t *t231 = tmp + aLen; + uint32_t *t45 = tmp + (uint32_t)2U * aLen; + uint32_t c2 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen, r011, r231, t01); + uint32_t c3 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(aLen, t01, t231, t45); + uint32_t c5 = c2 - c3; + uint32_t aLen2 = aLen / (uint32_t)2U; + uint32_t *r0 = res + aLen2; + uint32_t r10 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen, r0, t45, r0); + uint32_t c4 = r10; + uint32_t c6 = c4; + uint32_t c7 = c5 + c6; + uint32_t *r = res + aLen + aLen2; + uint32_t c01 = Lib_IntTypes_Intrinsics_add_carry_u32((uint32_t)0U, r[0U], c7, r); + uint32_t r1; + if ((uint32_t)1U < aLen + aLen - (aLen + aLen2)) + { + uint32_t rLen = aLen + aLen - (aLen + aLen2) - (uint32_t)1U; + uint32_t *a11 = r + (uint32_t)1U; + uint32_t *res1 = r + (uint32_t)1U; + uint32_t c = c01; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint32_t t1 = a11[(uint32_t)4U * i]; + uint32_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, (uint32_t)0U, res_i0); + uint32_t t10 = a11[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t10, (uint32_t)0U, res_i1); + uint32_t t11 = a11[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res1 + (uint32_t)4U * i + 
(uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t11, (uint32_t)0U, res_i2); + uint32_t t12 = a11[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t12, (uint32_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint32_t t1 = a11[i]; + uint32_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, (uint32_t)0U, res_i); + } + uint32_t c10 = c; + r1 = c10; + } + else + { + r1 = c01; + } + uint32_t c8 = r1; + uint32_t c = c8; + uint32_t c9 = c; +} + +void +Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64( + uint32_t aLen, + uint64_t *a, + uint64_t *tmp, + uint64_t *res +) +{ + if (aLen < (uint32_t)32U || aLen % (uint32_t)2U == (uint32_t)1U) + { + bn_sqr_u64(aLen, a, res); + return; + } + uint32_t len2 = aLen / (uint32_t)2U; + uint64_t *a0 = a; + uint64_t *a1 = a + len2; + uint64_t *t0 = tmp; + uint64_t *tmp_ = tmp + aLen; + uint64_t c0 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(len2, a0, a1, tmp_); + uint64_t c1 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(len2, a1, a0, t0); + for (uint32_t i = (uint32_t)0U; i < len2; i++) + { + uint64_t *os = t0; + uint64_t x = (((uint64_t)0U - c0) & t0[i]) | (~((uint64_t)0U - c0) & tmp_[i]); + os[i] = x; + } + uint64_t c00 = c0; + uint64_t *t23 = tmp + aLen; + uint64_t *tmp1 = tmp + aLen + aLen; + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64(len2, t0, tmp1, t23); + uint64_t *r01 = res; + uint64_t *r23 = res + aLen; + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64(len2, a0, tmp1, r01); + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64(len2, a1, tmp1, r23); + uint64_t *r011 = res; + uint64_t *r231 = res + aLen; + uint64_t *t01 = tmp; + uint64_t *t231 = tmp + aLen; + uint64_t *t45 = tmp + (uint32_t)2U * aLen; + uint64_t c2 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen, r011, r231, t01); + uint64_t c3 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(aLen, t01, t231, t45); + uint64_t c5 = c2 - 
c3; + uint32_t aLen2 = aLen / (uint32_t)2U; + uint64_t *r0 = res + aLen2; + uint64_t r10 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen, r0, t45, r0); + uint64_t c4 = r10; + uint64_t c6 = c4; + uint64_t c7 = c5 + c6; + uint64_t *r = res + aLen + aLen2; + uint64_t c01 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, r[0U], c7, r); + uint64_t r1; + if ((uint32_t)1U < aLen + aLen - (aLen + aLen2)) + { + uint32_t rLen = aLen + aLen - (aLen + aLen2) - (uint32_t)1U; + uint64_t *a11 = r + (uint32_t)1U; + uint64_t *res1 = r + (uint32_t)1U; + uint64_t c = c01; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint64_t t1 = a11[(uint32_t)4U * i]; + uint64_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, (uint64_t)0U, res_i0); + uint64_t t10 = a11[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t10, (uint64_t)0U, res_i1); + uint64_t t11 = a11[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, (uint64_t)0U, res_i2); + uint64_t t12 = a11[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t12, (uint64_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint64_t t1 = a11[i]; + uint64_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, (uint64_t)0U, res_i); + } + uint64_t c10 = c; + r1 = c10; + } + else + { + r1 = c01; + } + uint64_t c8 = r1; + uint64_t c = c8; + uint64_t c9 = c; +} + +void +Hacl_Bignum_bn_add_mod_n_u32( + uint32_t len1, + uint32_t *n, + uint32_t *a, + uint32_t *b, + uint32_t *res +) +{ + uint32_t c0 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len1 / (uint32_t)4U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + 
uint32_t *res_i0 = res + (uint32_t)4U * i; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t1, t20, res_i0); + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t10, t21, res_i1); + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t11, t22, res_i2); + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t12, t2, res_i); + } + for (uint32_t i = len1 / (uint32_t)4U * (uint32_t)4U; i < len1; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t1, t2, res_i); + } + uint32_t c00 = c0; + KRML_CHECK_SIZE(sizeof (uint32_t), len1); + uint32_t *tmp = alloca(len1 * sizeof (uint32_t)); + memset(tmp, 0U, len1 * sizeof (uint32_t)); + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len1 / (uint32_t)4U; i++) + { + uint32_t t1 = res[(uint32_t)4U * i]; + uint32_t t20 = n[(uint32_t)4U * i]; + uint32_t *res_i0 = tmp + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t20, res_i0); + uint32_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, t21, res_i1); + uint32_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, t22, res_i2); + uint32_t t12 = res[(uint32_t)4U * i + 
(uint32_t)3U]; + uint32_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, t2, res_i); + } + for (uint32_t i = len1 / (uint32_t)4U * (uint32_t)4U; i < len1; i++) + { + uint32_t t1 = res[i]; + uint32_t t2 = n[i]; + uint32_t *res_i = tmp + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t2, res_i); + } + uint32_t c1 = c; + uint32_t c2 = c00 - c1; + for (uint32_t i = (uint32_t)0U; i < len1; i++) + { + uint32_t *os = res; + uint32_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } +} + +void +Hacl_Bignum_bn_add_mod_n_u64( + uint32_t len1, + uint64_t *n, + uint64_t *a, + uint64_t *b, + uint64_t *res +) +{ + uint64_t c0 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len1 / (uint32_t)4U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t1, t20, res_i0); + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t10, t21, res_i1); + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t11, t22, res_i2); + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t12, t2, res_i); + } + for (uint32_t i = len1 / (uint32_t)4U * (uint32_t)4U; i < len1; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t1, t2, res_i); + } + uint64_t c00 = c0; + KRML_CHECK_SIZE(sizeof (uint64_t), len1); + 
uint64_t *tmp = alloca(len1 * sizeof (uint64_t)); + memset(tmp, 0U, len1 * sizeof (uint64_t)); + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len1 / (uint32_t)4U; i++) + { + uint64_t t1 = res[(uint32_t)4U * i]; + uint64_t t20 = n[(uint32_t)4U * i]; + uint64_t *res_i0 = tmp + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); + uint64_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); + uint64_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); + uint64_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); + } + for (uint32_t i = len1 / (uint32_t)4U * (uint32_t)4U; i < len1; i++) + { + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t2, res_i); + } + uint64_t c1 = c; + uint64_t c2 = c00 - c1; + for (uint32_t i = (uint32_t)0U; i < len1; i++) + { + uint64_t *os = res; + uint64_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } +} + +void +Hacl_Bignum_bn_sub_mod_n_u32( + uint32_t len1, + uint32_t *n, + uint32_t *a, + uint32_t *b, + uint32_t *res +) +{ + uint32_t c0 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len1 / (uint32_t)4U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t1, t20, res_i0); + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + 
(uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t10, t21, res_i1); + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t11, t22, res_i2); + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t12, t2, res_i); + } + for (uint32_t i = len1 / (uint32_t)4U * (uint32_t)4U; i < len1; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t1, t2, res_i); + } + uint32_t c00 = c0; + KRML_CHECK_SIZE(sizeof (uint32_t), len1); + uint32_t *tmp = alloca(len1 * sizeof (uint32_t)); + memset(tmp, 0U, len1 * sizeof (uint32_t)); + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len1 / (uint32_t)4U; i++) + { + uint32_t t1 = res[(uint32_t)4U * i]; + uint32_t t20 = n[(uint32_t)4U * i]; + uint32_t *res_i0 = tmp + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t20, res_i0); + uint32_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t10, t21, res_i1); + uint32_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t11, t22, res_i2); + uint32_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t12, t2, res_i); + } + for (uint32_t i = 
len1 / (uint32_t)4U * (uint32_t)4U; i < len1; i++) + { + uint32_t t1 = res[i]; + uint32_t t2 = n[i]; + uint32_t *res_i = tmp + i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t2, res_i); + } + uint32_t c1 = c; + uint32_t c2 = (uint32_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < len1; i++) + { + uint32_t *os = res; + uint32_t x = (c2 & tmp[i]) | (~c2 & res[i]); + os[i] = x; + } +} + +void +Hacl_Bignum_bn_sub_mod_n_u64( + uint32_t len1, + uint64_t *n, + uint64_t *a, + uint64_t *b, + uint64_t *res +) +{ + uint64_t c0 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len1 / (uint32_t)4U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t1, t20, res_i0); + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t10, t21, res_i1); + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t11, t22, res_i2); + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t12, t2, res_i); + } + for (uint32_t i = len1 / (uint32_t)4U * (uint32_t)4U; i < len1; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t1, t2, res_i); + } + uint64_t c00 = c0; + KRML_CHECK_SIZE(sizeof (uint64_t), len1); + uint64_t *tmp = alloca(len1 * sizeof (uint64_t)); + memset(tmp, 0U, len1 * sizeof (uint64_t)); + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len1 / (uint32_t)4U; i++) + { + uint64_t t1 
= res[(uint32_t)4U * i]; + uint64_t t20 = n[(uint32_t)4U * i]; + uint64_t *res_i0 = tmp + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t20, res_i0); + uint64_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t10, t21, res_i1); + uint64_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, t22, res_i2); + uint64_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t12, t2, res_i); + } + for (uint32_t i = len1 / (uint32_t)4U * (uint32_t)4U; i < len1; i++) + { + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t2, res_i); + } + uint64_t c1 = c; + uint64_t c2 = (uint64_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < len1; i++) + { + uint64_t *os = res; + uint64_t x = (c2 & tmp[i]) | (~c2 & res[i]); + os[i] = x; + } +} + +uint32_t Hacl_Bignum_ModInvLimb_mod_inv_uint32(uint32_t n0) +{ + uint32_t alpha = (uint32_t)2147483648U; + uint32_t beta = n0; + uint32_t ub = (uint32_t)0U; + uint32_t vb = (uint32_t)0U; + ub = (uint32_t)1U; + vb = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t us = ub; + uint32_t vs = vb; + uint32_t u_is_odd = (uint32_t)0U - (us & (uint32_t)1U); + uint32_t beta_if_u_is_odd = beta & u_is_odd; + ub = ((us ^ beta_if_u_is_odd) >> (uint32_t)1U) + (us & beta_if_u_is_odd); + uint32_t alpha_if_u_is_odd = alpha & u_is_odd; + vb = (vs >> (uint32_t)1U) + alpha_if_u_is_odd; + } + return vb; +} + +uint64_t Hacl_Bignum_ModInvLimb_mod_inv_uint64(uint64_t n0) +{ + uint64_t 
alpha = (uint64_t)9223372036854775808U; + uint64_t beta = n0; + uint64_t ub = (uint64_t)0U; + uint64_t vb = (uint64_t)0U; + ub = (uint64_t)1U; + vb = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t us = ub; + uint64_t vs = vb; + uint64_t u_is_odd = (uint64_t)0U - (us & (uint64_t)1U); + uint64_t beta_if_u_is_odd = beta & u_is_odd; + ub = ((us ^ beta_if_u_is_odd) >> (uint32_t)1U) + (us & beta_if_u_is_odd); + uint64_t alpha_if_u_is_odd = alpha & u_is_odd; + vb = (vs >> (uint32_t)1U) + alpha_if_u_is_odd; + } + return vb; +} + +uint32_t Hacl_Bignum_Montgomery_bn_check_modulus_u32(uint32_t len, uint32_t *n) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *one = alloca(len * sizeof (uint32_t)); + memset(one, 0U, len * sizeof (uint32_t)); + memset(one, 0U, len * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + uint32_t bit0 = n[0U] & (uint32_t)1U; + uint32_t m0 = (uint32_t)0U - bit0; + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m1 = acc; + return m0 & m1; +} + +void +Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u32( + uint32_t len, + uint32_t nBits, + uint32_t *n, + uint32_t *res +) +{ + memset(res, 0U, len * sizeof (uint32_t)); + uint32_t i = nBits / (uint32_t)32U; + uint32_t j = nBits % (uint32_t)32U; + res[i] = res[i] | (uint32_t)1U << j; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)64U * len - nBits; i0++) + { + Hacl_Bignum_bn_add_mod_n_u32(len, n, res, res, res); + } +} + +void +Hacl_Bignum_Montgomery_bn_mont_reduction_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv, + uint32_t *c, + uint32_t *res +) +{ + uint32_t c0 = (uint32_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < len; i0++) + { + uint32_t qj = nInv * c[i0]; + uint32_t *res_j0 = c + i0; + uint32_t c1 = 
(uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len / (uint32_t)4U; i++) + { + uint32_t a_i = n[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i0); + uint32_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, qj, c1, res_i1); + uint32_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, qj, c1, res_i2); + uint32_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c1, res_i); + } + for (uint32_t i = len / (uint32_t)4U * (uint32_t)4U; i < len; i++) + { + uint32_t a_i = n[i]; + uint32_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i); + } + uint32_t r = c1; + uint32_t c10 = r; + uint32_t *resb = c + len + i0; + uint32_t res_j = c[len + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, c10, res_j, resb); + } + memcpy(res, c + len, (len + len - len) * sizeof (uint32_t)); + uint32_t c00 = c0; + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *tmp = alloca(len * sizeof (uint32_t)); + memset(tmp, 0U, len * sizeof (uint32_t)); + uint32_t c1 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len / (uint32_t)4U; i++) + { + uint32_t t1 = res[(uint32_t)4U * i]; + uint32_t t20 = n[(uint32_t)4U * i]; + uint32_t *res_i0 = tmp + (uint32_t)4U * i; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t1, t20, res_i0); + uint32_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t10, t21, res_i1); + uint32_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = n[(uint32_t)4U * i + 
(uint32_t)2U]; + uint32_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t11, t22, res_i2); + uint32_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t12, t2, res_i); + } + for (uint32_t i = len / (uint32_t)4U * (uint32_t)4U; i < len; i++) + { + uint32_t t1 = res[i]; + uint32_t t2 = n[i]; + uint32_t *res_i = tmp + i; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t1, t2, res_i); + } + uint32_t c10 = c1; + uint32_t c2 = c00 - c10; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t *os = res; + uint32_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } +} + +void +Hacl_Bignum_Montgomery_bn_to_mont_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv, + uint32_t *r2, + uint32_t *a, + uint32_t *aM +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t *c = alloca((len + len) * sizeof (uint32_t)); + memset(c, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + uint32_t *tmp = alloca((uint32_t)4U * len * sizeof (uint32_t)); + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len, a, r2, tmp, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, nInv, c, aM); +} + +void +Hacl_Bignum_Montgomery_bn_from_mont_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv_u64, + uint32_t *aM, + uint32_t *a +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t *tmp = alloca((len + len) * sizeof (uint32_t)); + memset(tmp, 0U, (len + len) * sizeof (uint32_t)); + memcpy(tmp, aM, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, nInv_u64, tmp, a); +} + +void +Hacl_Bignum_Montgomery_bn_mont_mul_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv_u64, + uint32_t *aM, + uint32_t *bM, + uint32_t *resM +) +{ + 
KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t *c = alloca((len + len) * sizeof (uint32_t)); + memset(c, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + uint32_t *tmp = alloca((uint32_t)4U * len * sizeof (uint32_t)); + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len, aM, bM, tmp, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, nInv_u64, c, resM); +} + +void +Hacl_Bignum_Montgomery_bn_mont_sqr_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv_u64, + uint32_t *aM, + uint32_t *resM +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t *c = alloca((len + len) * sizeof (uint32_t)); + memset(c, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + uint32_t *tmp = alloca((uint32_t)4U * len * sizeof (uint32_t)); + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32(len, aM, tmp, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, nInv_u64, c, resM); +} + +uint64_t Hacl_Bignum_Montgomery_bn_check_modulus_u64(uint32_t len, uint64_t *n) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *one = alloca(len * sizeof (uint64_t)); + memset(one, 0U, len * sizeof (uint64_t)); + memset(one, 0U, len * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + uint64_t bit0 = n[0U] & (uint64_t)1U; + uint64_t m0 = (uint64_t)0U - bit0; + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m1 = acc; + return m0 & m1; +} + +void +Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64( + uint32_t len, + uint32_t nBits, + uint64_t *n, + uint64_t *res +) +{ + memset(res, 0U, len * sizeof (uint64_t)); + uint32_t i = 
nBits / (uint32_t)64U; + uint32_t j = nBits % (uint32_t)64U; + res[i] = res[i] | (uint64_t)1U << j; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)128U * len - nBits; i0++) + { + Hacl_Bignum_bn_add_mod_n_u64(len, n, res, res, res); + } +} + +void +Hacl_Bignum_Montgomery_bn_mont_reduction_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv, + uint64_t *c, + uint64_t *res +) +{ + uint64_t c0 = (uint64_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < len; i0++) + { + uint64_t qj = nInv * c[i0]; + uint64_t *res_j0 = c + i0; + uint64_t c1 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len / (uint32_t)4U; i++) + { + uint64_t a_i = n[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i0); + uint64_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c1, res_i1); + uint64_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c1, res_i2); + uint64_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c1, res_i); + } + for (uint32_t i = len / (uint32_t)4U * (uint32_t)4U; i < len; i++) + { + uint64_t a_i = n[i]; + uint64_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i); + } + uint64_t r = c1; + uint64_t c10 = r; + uint64_t *resb = c + len + i0; + uint64_t res_j = c[len + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c10, res_j, resb); + } + memcpy(res, c + len, (len + len - len) * sizeof (uint64_t)); + uint64_t c00 = c0; + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *tmp = alloca(len * sizeof (uint64_t)); + memset(tmp, 0U, len * sizeof (uint64_t)); + uint64_t c1 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len / 
(uint32_t)4U; i++) + { + uint64_t t1 = res[(uint32_t)4U * i]; + uint64_t t20 = n[(uint32_t)4U * i]; + uint64_t *res_i0 = tmp + (uint32_t)4U * i; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t20, res_i0); + uint64_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t10, t21, res_i1); + uint64_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t11, t22, res_i2); + uint64_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t12, t2, res_i); + } + for (uint32_t i = len / (uint32_t)4U * (uint32_t)4U; i < len; i++) + { + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t2, res_i); + } + uint64_t c10 = c1; + uint64_t c2 = c00 - c10; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t *os = res; + uint64_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } +} + +void +Hacl_Bignum_Montgomery_bn_to_mont_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv, + uint64_t *r2, + uint64_t *a, + uint64_t *aM +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t *c = alloca((len + len) * sizeof (uint64_t)); + memset(c, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + uint64_t *tmp = alloca((uint32_t)4U * len * sizeof (uint64_t)); + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len, a, r2, tmp, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, nInv, c, aM); +} + +void 
+Hacl_Bignum_Montgomery_bn_from_mont_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv_u64, + uint64_t *aM, + uint64_t *a +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t *tmp = alloca((len + len) * sizeof (uint64_t)); + memset(tmp, 0U, (len + len) * sizeof (uint64_t)); + memcpy(tmp, aM, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, nInv_u64, tmp, a); +} + +void +Hacl_Bignum_Montgomery_bn_mont_mul_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv_u64, + uint64_t *aM, + uint64_t *bM, + uint64_t *resM +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t *c = alloca((len + len) * sizeof (uint64_t)); + memset(c, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + uint64_t *tmp = alloca((uint32_t)4U * len * sizeof (uint64_t)); + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len, aM, bM, tmp, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, nInv_u64, c, resM); +} + +void +Hacl_Bignum_Montgomery_bn_mont_sqr_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv_u64, + uint64_t *aM, + uint64_t *resM +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t *c = alloca((len + len) * sizeof (uint64_t)); + memset(c, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + uint64_t *tmp = alloca((uint32_t)4U * len * sizeof (uint64_t)); + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64(len, aM, tmp, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, nInv_u64, c, resM); +} + +static void +bn_almost_mont_reduction_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv, + uint32_t *c, + uint32_t *res +) +{ + uint32_t c0 = (uint32_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < len; i0++) + { + uint32_t qj = nInv * c[i0]; + uint32_t *res_j0 = c + i0; + uint32_t c1 = (uint32_t)0U; + for (uint32_t i 
= (uint32_t)0U; i < len / (uint32_t)4U; i++) + { + uint32_t a_i = n[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i0); + uint32_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, qj, c1, res_i1); + uint32_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, qj, c1, res_i2); + uint32_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c1, res_i); + } + for (uint32_t i = len / (uint32_t)4U * (uint32_t)4U; i < len; i++) + { + uint32_t a_i = n[i]; + uint32_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i); + } + uint32_t r = c1; + uint32_t c10 = r; + uint32_t *resb = c + len + i0; + uint32_t res_j = c[len + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, c10, res_j, resb); + } + memcpy(res, c + len, (len + len - len) * sizeof (uint32_t)); + uint32_t c00 = c0; + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *tmp = alloca(len * sizeof (uint32_t)); + memset(tmp, 0U, len * sizeof (uint32_t)); + uint32_t c1 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(len, res, n, tmp); + uint32_t m = (uint32_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t *os = res; + uint32_t x = (m & tmp[i]) | (~m & res[i]); + os[i] = x; + } +} + +static void +bn_almost_mont_mul_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv_u64, + uint32_t *aM, + uint32_t *bM, + uint32_t *resM +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t *c = alloca((len + len) * sizeof (uint32_t)); + memset(c, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + uint32_t *tmp = alloca((uint32_t)4U * len * 
sizeof (uint32_t)); + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len, aM, bM, tmp, c); + bn_almost_mont_reduction_u32(len, n, nInv_u64, c, resM); +} + +static void +bn_almost_mont_sqr_u32( + uint32_t len, + uint32_t *n, + uint32_t nInv_u64, + uint32_t *aM, + uint32_t *resM +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t *c = alloca((len + len) * sizeof (uint32_t)); + memset(c, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + uint32_t *tmp = alloca((uint32_t)4U * len * sizeof (uint32_t)); + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32(len, aM, tmp, c); + bn_almost_mont_reduction_u32(len, n, nInv_u64, c, resM); +} + +static void +bn_almost_mont_reduction_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv, + uint64_t *c, + uint64_t *res +) +{ + uint64_t c0 = (uint64_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < len; i0++) + { + uint64_t qj = nInv * c[i0]; + uint64_t *res_j0 = c + i0; + uint64_t c1 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len / (uint32_t)4U; i++) + { + uint64_t a_i = n[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i0); + uint64_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c1, res_i1); + uint64_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c1, res_i2); + uint64_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c1, res_i); + } + for (uint32_t i = len / (uint32_t)4U * (uint32_t)4U; i < len; i++) + { + uint64_t a_i = n[i]; + uint64_t *res_i = 
res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i); + } + uint64_t r = c1; + uint64_t c10 = r; + uint64_t *resb = c + len + i0; + uint64_t res_j = c[len + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c10, res_j, resb); + } + memcpy(res, c + len, (len + len - len) * sizeof (uint64_t)); + uint64_t c00 = c0; + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *tmp = alloca(len * sizeof (uint64_t)); + memset(tmp, 0U, len * sizeof (uint64_t)); + uint64_t c1 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(len, res, n, tmp); + uint64_t m = (uint64_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t *os = res; + uint64_t x = (m & tmp[i]) | (~m & res[i]); + os[i] = x; + } +} + +static void +bn_almost_mont_mul_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv_u64, + uint64_t *aM, + uint64_t *bM, + uint64_t *resM +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t *c = alloca((len + len) * sizeof (uint64_t)); + memset(c, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + uint64_t *tmp = alloca((uint32_t)4U * len * sizeof (uint64_t)); + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len, aM, bM, tmp, c); + bn_almost_mont_reduction_u64(len, n, nInv_u64, c, resM); +} + +static void +bn_almost_mont_sqr_u64( + uint32_t len, + uint64_t *n, + uint64_t nInv_u64, + uint64_t *aM, + uint64_t *resM +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t *c = alloca((len + len) * sizeof (uint64_t)); + memset(c, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + uint64_t *tmp = alloca((uint32_t)4U * len * sizeof (uint64_t)); + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64(len, aM, tmp, c); + bn_almost_mont_reduction_u64(len, n, nInv_u64, c, resM); +} + +uint32_t 
+Hacl_Bignum_Exponentiation_bn_check_mod_exp_u32( + uint32_t len, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *one = alloca(len * sizeof (uint32_t)); + memset(one, 0U, len * sizeof (uint32_t)); + memset(one, 0U, len * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + uint32_t bit0 = n[0U] & (uint32_t)1U; + uint32_t m0 = (uint32_t)0U - bit0; + uint32_t acc0 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m10 = acc0; + uint32_t m00 = m0 & m10; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + uint32_t m1; + if (bBits < (uint32_t)32U * bLen) + { + KRML_CHECK_SIZE(sizeof (uint32_t), bLen); + uint32_t *b2 = alloca(bLen * sizeof (uint32_t)); + memset(b2, 0U, bLen * sizeof (uint32_t)); + uint32_t i0 = bBits / (uint32_t)32U; + uint32_t j = bBits % (uint32_t)32U; + b2[i0] = b2[i0] | (uint32_t)1U << j; + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < bLen; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(b[i], b2[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(b[i], b2[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t res = acc; + m1 = res; + } + else + { + m1 = (uint32_t)0xFFFFFFFFU; + } + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m2 = acc; + uint32_t m = m1 & m2; + return m00 & m; +} + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u32( 
+ uint32_t len, + uint32_t *n, + uint32_t mu, + uint32_t *r2, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + if (bBits < (uint32_t)200U) + { + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *aM = alloca(len * sizeof (uint32_t)); + memset(aM, 0U, len * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t *c = alloca((len + len) * sizeof (uint32_t)); + memset(c, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + uint32_t *tmp0 = alloca((uint32_t)4U * len * sizeof (uint32_t)); + memset(tmp0, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len, a, r2, tmp0, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, c, aM); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *resM = alloca(len * sizeof (uint32_t)); + memset(resM, 0U, len * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t *tmp1 = alloca((len + len) * sizeof (uint32_t)); + memset(tmp1, 0U, (len + len) * sizeof (uint32_t)); + memcpy(tmp1, r2, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, tmp1, resM); + for (uint32_t i = (uint32_t)0U; i < bBits; i++) + { + uint32_t i1 = i / (uint32_t)32U; + uint32_t j = i % (uint32_t)32U; + uint32_t tmp = b[i1]; + uint32_t bit = tmp >> j & (uint32_t)1U; + if (!(bit == (uint32_t)0U)) + { + bn_almost_mont_mul_u32(len, n, mu, resM, aM, resM); + } + bn_almost_mont_sqr_u32(len, n, mu, aM, aM); + } + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t *tmp = alloca((len + len) * sizeof (uint32_t)); + memset(tmp, 0U, (len + len) * sizeof (uint32_t)); + memcpy(tmp, resM, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, tmp, res); + return; + } + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *aM = alloca(len * sizeof (uint32_t)); + memset(aM, 0U, len * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len + 
len); + uint32_t *c = alloca((len + len) * sizeof (uint32_t)); + memset(c, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + uint32_t *tmp0 = alloca((uint32_t)4U * len * sizeof (uint32_t)); + memset(tmp0, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len, a, r2, tmp0, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, c, aM); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *resM = alloca(len * sizeof (uint32_t)); + memset(resM, 0U, len * sizeof (uint32_t)); + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t *tmp = alloca((len + len) * sizeof (uint32_t)); + memset(tmp, 0U, (len + len) * sizeof (uint32_t)); + memcpy(tmp, r2, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, tmp, resM); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)16U * len); + uint32_t *table = alloca((uint32_t)16U * len * sizeof (uint32_t)); + memset(table, 0U, (uint32_t)16U * len * sizeof (uint32_t)); + memcpy(table, resM, len * sizeof (uint32_t)); + uint32_t *t1 = table + len; + memcpy(t1, aM, len * sizeof (uint32_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint32_t *t11 = table + (i + (uint32_t)1U) * len; + uint32_t *t2 = table + (i + (uint32_t)2U) * len; + bn_almost_mont_mul_u32(len, n, mu, t11, aM, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)32U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)32U; + uint32_t p1 = b[i] >> j; + uint32_t ite; + if (i + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_c = ite & mask_l; + 
uint32_t bits_l32 = bits_c; + uint32_t *a_bits_l = table + bits_l32 * len; + memcpy(resM, a_bits_l, len * sizeof (uint32_t)); + } + for (uint32_t i = (uint32_t)0U; i < bBits / (uint32_t)4U; i++) + { + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + bn_almost_mont_sqr_u32(len, n, mu, resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)32U; + uint32_t j = (bk - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)32U; + uint32_t p1 = b[i1] >> j; + uint32_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_l = ite & mask_l; + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *a_bits_l = alloca(len * sizeof (uint32_t)); + memset(a_bits_l, 0U, len * sizeof (uint32_t)); + uint32_t bits_l32 = bits_l; + uint32_t *a_bits_l1 = table + bits_l32 * len; + memcpy(a_bits_l, a_bits_l1, len * sizeof (uint32_t)); + bn_almost_mont_mul_u32(len, n, mu, resM, a_bits_l, resM); + } + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t *tmp1 = alloca((len + len) * sizeof (uint32_t)); + memset(tmp1, 0U, (len + len) * sizeof (uint32_t)); + memcpy(tmp1, resM, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, tmp1, res); +} + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u32( + uint32_t len, + uint32_t *n, + uint32_t mu, + uint32_t *r2, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + if (bBits < (uint32_t)200U) + { + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *aM = alloca(len * sizeof (uint32_t)); + memset(aM, 0U, len * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t *c = alloca((len + len) * sizeof (uint32_t)); + memset(c, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + 
uint32_t *tmp0 = alloca((uint32_t)4U * len * sizeof (uint32_t)); + memset(tmp0, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len, a, r2, tmp0, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, c, aM); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *resM = alloca(len * sizeof (uint32_t)); + memset(resM, 0U, len * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t *tmp1 = alloca((len + len) * sizeof (uint32_t)); + memset(tmp1, 0U, (len + len) * sizeof (uint32_t)); + memcpy(tmp1, r2, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, tmp1, resM); + uint32_t sw = (uint32_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < bBits; i0++) + { + uint32_t i1 = (bBits - i0 - (uint32_t)1U) / (uint32_t)32U; + uint32_t j = (bBits - i0 - (uint32_t)1U) % (uint32_t)32U; + uint32_t tmp = b[i1]; + uint32_t bit = tmp >> j & (uint32_t)1U; + uint32_t sw1 = bit ^ sw; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t dummy = ((uint32_t)0U - sw1) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + bn_almost_mont_mul_u32(len, n, mu, aM, resM, aM); + bn_almost_mont_sqr_u32(len, n, mu, resM, resM); + sw = bit; + } + uint32_t sw0 = sw; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t dummy = ((uint32_t)0U - sw0) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t *tmp = alloca((len + len) * sizeof (uint32_t)); + memset(tmp, 0U, (len + len) * sizeof (uint32_t)); + memcpy(tmp, resM, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, tmp, res); + return; + } + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *aM = alloca(len * sizeof (uint32_t)); + memset(aM, 0U, len * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t *c0 = alloca((len + len) * sizeof (uint32_t)); + 
memset(c0, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + uint32_t *tmp0 = alloca((uint32_t)4U * len * sizeof (uint32_t)); + memset(tmp0, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len, a, r2, tmp0, c0); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, c0, aM); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *resM = alloca(len * sizeof (uint32_t)); + memset(resM, 0U, len * sizeof (uint32_t)); + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t *tmp = alloca((len + len) * sizeof (uint32_t)); + memset(tmp, 0U, (len + len) * sizeof (uint32_t)); + memcpy(tmp, r2, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, tmp, resM); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)16U * len); + uint32_t *table = alloca((uint32_t)16U * len * sizeof (uint32_t)); + memset(table, 0U, (uint32_t)16U * len * sizeof (uint32_t)); + memcpy(table, resM, len * sizeof (uint32_t)); + uint32_t *t1 = table + len; + memcpy(t1, aM, len * sizeof (uint32_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint32_t *t11 = table + (i + (uint32_t)1U) * len; + uint32_t *t2 = table + (i + (uint32_t)2U) * len; + bn_almost_mont_mul_u32(len, n, mu, t11, aM, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i0 = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)32U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)32U; + uint32_t p1 = b[i0] >> j; + uint32_t ite; + if (i0 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i0 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_c = ite & mask_l; + memcpy(resM, table, len * sizeof (uint32_t)); + for (uint32_t i1 
= (uint32_t)0U; i1 < (uint32_t)15U; i1++) + { + uint32_t c = FStar_UInt32_eq_mask(bits_c, i1 + (uint32_t)1U); + uint32_t *res_j = table + (i1 + (uint32_t)1U) * len; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t *os = resM; + uint32_t x = (c & res_j[i]) | (~c & resM[i]); + os[i] = x; + } + } + } + for (uint32_t i0 = (uint32_t)0U; i0 < bBits / (uint32_t)4U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + bn_almost_mont_sqr_u32(len, n, mu, resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i0 - (uint32_t)4U) / (uint32_t)32U; + uint32_t j = (bk - (uint32_t)4U * i0 - (uint32_t)4U) % (uint32_t)32U; + uint32_t p1 = b[i1] >> j; + uint32_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_l = ite & mask_l; + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *a_bits_l = alloca(len * sizeof (uint32_t)); + memset(a_bits_l, 0U, len * sizeof (uint32_t)); + memcpy(a_bits_l, table, len * sizeof (uint32_t)); + for (uint32_t i2 = (uint32_t)0U; i2 < (uint32_t)15U; i2++) + { + uint32_t c = FStar_UInt32_eq_mask(bits_l, i2 + (uint32_t)1U); + uint32_t *res_j = table + (i2 + (uint32_t)1U) * len; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t *os = a_bits_l; + uint32_t x = (c & res_j[i]) | (~c & a_bits_l[i]); + os[i] = x; + } + } + bn_almost_mont_mul_u32(len, n, mu, resM, a_bits_l, resM); + } + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t *tmp1 = alloca((len + len) * sizeof (uint32_t)); + memset(tmp1, 0U, (len + len) * sizeof (uint32_t)); + memcpy(tmp1, resM, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, tmp1, res); +} + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u32( + uint32_t len, + uint32_t nBits, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t 
*b, + uint32_t *res +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *r2 = alloca(len * sizeof (uint32_t)); + memset(r2, 0U, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u32(len, nBits, n, r2); + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u32(len, n, mu, r2, a, bBits, b, res); +} + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_u32( + uint32_t len, + uint32_t nBits, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *r2 = alloca(len * sizeof (uint32_t)); + memset(r2, 0U, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u32(len, nBits, n, r2); + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u32(len, n, mu, r2, a, bBits, b, res); +} + +uint64_t +Hacl_Bignum_Exponentiation_bn_check_mod_exp_u64( + uint32_t len, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *one = alloca(len * sizeof (uint64_t)); + memset(one, 0U, len * sizeof (uint64_t)); + memset(one, 0U, len * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + uint64_t bit0 = n[0U] & (uint64_t)1U; + uint64_t m0 = (uint64_t)0U - bit0; + uint64_t acc0 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m10 = acc0; + uint64_t m00 = m0 & m10; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + uint64_t m1; + if (bBits < (uint32_t)64U * bLen) + { + KRML_CHECK_SIZE(sizeof (uint64_t), bLen); + uint64_t *b2 = alloca(bLen * 
sizeof (uint64_t)); + memset(b2, 0U, bLen * sizeof (uint64_t)); + uint32_t i0 = bBits / (uint32_t)64U; + uint32_t j = bBits % (uint32_t)64U; + b2[i0] = b2[i0] | (uint64_t)1U << j; + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < bLen; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(b[i], b2[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(b[i], b2[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t res = acc; + m1 = res; + } + else + { + m1 = (uint64_t)0xFFFFFFFFFFFFFFFFU; + } + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m2 = acc; + uint64_t m = m1 & m2; + return m00 & m; +} + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64( + uint32_t len, + uint64_t *n, + uint64_t mu, + uint64_t *r2, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + if (bBits < (uint32_t)200U) + { + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *aM = alloca(len * sizeof (uint64_t)); + memset(aM, 0U, len * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t *c = alloca((len + len) * sizeof (uint64_t)); + memset(c, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + uint64_t *tmp0 = alloca((uint32_t)4U * len * sizeof (uint64_t)); + memset(tmp0, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len, a, r2, tmp0, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, c, aM); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *resM = alloca(len * sizeof (uint64_t)); + memset(resM, 0U, len * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t *tmp1 = alloca((len + len) * sizeof 
(uint64_t)); + memset(tmp1, 0U, (len + len) * sizeof (uint64_t)); + memcpy(tmp1, r2, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, tmp1, resM); + for (uint32_t i = (uint32_t)0U; i < bBits; i++) + { + uint32_t i1 = i / (uint32_t)64U; + uint32_t j = i % (uint32_t)64U; + uint64_t tmp = b[i1]; + uint64_t bit = tmp >> j & (uint64_t)1U; + if (!(bit == (uint64_t)0U)) + { + bn_almost_mont_mul_u64(len, n, mu, resM, aM, resM); + } + bn_almost_mont_sqr_u64(len, n, mu, aM, aM); + } + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t *tmp = alloca((len + len) * sizeof (uint64_t)); + memset(tmp, 0U, (len + len) * sizeof (uint64_t)); + memcpy(tmp, resM, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, tmp, res); + return; + } + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *aM = alloca(len * sizeof (uint64_t)); + memset(aM, 0U, len * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t *c = alloca((len + len) * sizeof (uint64_t)); + memset(c, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + uint64_t *tmp0 = alloca((uint32_t)4U * len * sizeof (uint64_t)); + memset(tmp0, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len, a, r2, tmp0, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, c, aM); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *resM = alloca(len * sizeof (uint64_t)); + memset(resM, 0U, len * sizeof (uint64_t)); + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t *tmp = alloca((len + len) * sizeof (uint64_t)); + memset(tmp, 0U, (len + len) * sizeof (uint64_t)); + memcpy(tmp, r2, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, tmp, resM); + 
KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)16U * len); + uint64_t *table = alloca((uint32_t)16U * len * sizeof (uint64_t)); + memset(table, 0U, (uint32_t)16U * len * sizeof (uint64_t)); + memcpy(table, resM, len * sizeof (uint64_t)); + uint64_t *t1 = table + len; + memcpy(t1, aM, len * sizeof (uint64_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table + (i + (uint32_t)1U) * len; + uint64_t *t2 = table + (i + (uint32_t)2U) * len; + bn_almost_mont_mul_u64(len, n, mu, t11, aM, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)64U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)64U; + uint64_t p1 = b[i] >> j; + uint64_t ite; + if (i + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_c = ite & mask_l; + uint32_t bits_l32 = (uint32_t)bits_c; + uint64_t *a_bits_l = table + bits_l32 * len; + memcpy(resM, a_bits_l, len * sizeof (uint64_t)); + } + for (uint32_t i = (uint32_t)0U; i < bBits / (uint32_t)4U; i++) + { + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + bn_almost_mont_sqr_u64(len, n, mu, resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = b[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_l = ite & mask_l; + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *a_bits_l = alloca(len * sizeof (uint64_t)); + memset(a_bits_l, 0U, len * sizeof (uint64_t)); + uint32_t bits_l32 = (uint32_t)bits_l; + uint64_t *a_bits_l1 = table + 
bits_l32 * len; + memcpy(a_bits_l, a_bits_l1, len * sizeof (uint64_t)); + bn_almost_mont_mul_u64(len, n, mu, resM, a_bits_l, resM); + } + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t *tmp1 = alloca((len + len) * sizeof (uint64_t)); + memset(tmp1, 0U, (len + len) * sizeof (uint64_t)); + memcpy(tmp1, resM, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, tmp1, res); +} + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u64( + uint32_t len, + uint64_t *n, + uint64_t mu, + uint64_t *r2, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + if (bBits < (uint32_t)200U) + { + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *aM = alloca(len * sizeof (uint64_t)); + memset(aM, 0U, len * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t *c = alloca((len + len) * sizeof (uint64_t)); + memset(c, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + uint64_t *tmp0 = alloca((uint32_t)4U * len * sizeof (uint64_t)); + memset(tmp0, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len, a, r2, tmp0, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, c, aM); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *resM = alloca(len * sizeof (uint64_t)); + memset(resM, 0U, len * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t *tmp1 = alloca((len + len) * sizeof (uint64_t)); + memset(tmp1, 0U, (len + len) * sizeof (uint64_t)); + memcpy(tmp1, r2, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, tmp1, resM); + uint64_t sw = (uint64_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < bBits; i0++) + { + uint32_t i1 = (bBits - i0 - (uint32_t)1U) / (uint32_t)64U; + uint32_t j = (bBits - i0 - (uint32_t)1U) % (uint32_t)64U; + uint64_t tmp = b[i1]; + uint64_t bit = tmp >> j & (uint64_t)1U; + uint64_t sw1 = bit ^ sw; + for 
(uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t dummy = ((uint64_t)0U - sw1) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + bn_almost_mont_mul_u64(len, n, mu, aM, resM, aM); + bn_almost_mont_sqr_u64(len, n, mu, resM, resM); + sw = bit; + } + uint64_t sw0 = sw; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t dummy = ((uint64_t)0U - sw0) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t *tmp = alloca((len + len) * sizeof (uint64_t)); + memset(tmp, 0U, (len + len) * sizeof (uint64_t)); + memcpy(tmp, resM, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, tmp, res); + return; + } + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *aM = alloca(len * sizeof (uint64_t)); + memset(aM, 0U, len * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t *c0 = alloca((len + len) * sizeof (uint64_t)); + memset(c0, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + uint64_t *tmp0 = alloca((uint32_t)4U * len * sizeof (uint64_t)); + memset(tmp0, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len, a, r2, tmp0, c0); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, c0, aM); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *resM = alloca(len * sizeof (uint64_t)); + memset(resM, 0U, len * sizeof (uint64_t)); + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t *tmp = alloca((len + len) * sizeof (uint64_t)); + memset(tmp, 0U, (len + len) * sizeof (uint64_t)); + memcpy(tmp, r2, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, tmp, resM); + KRML_CHECK_SIZE(sizeof (uint64_t), 
(uint32_t)16U * len); + uint64_t *table = alloca((uint32_t)16U * len * sizeof (uint64_t)); + memset(table, 0U, (uint32_t)16U * len * sizeof (uint64_t)); + memcpy(table, resM, len * sizeof (uint64_t)); + uint64_t *t1 = table + len; + memcpy(t1, aM, len * sizeof (uint64_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table + (i + (uint32_t)1U) * len; + uint64_t *t2 = table + (i + (uint32_t)2U) * len; + bn_almost_mont_mul_u64(len, n, mu, t11, aM, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i0 = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)64U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)64U; + uint64_t p1 = b[i0] >> j; + uint64_t ite; + if (i0 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i0 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_c = ite & mask_l; + memcpy(resM, table, len * sizeof (uint64_t)); + for (uint32_t i1 = (uint32_t)0U; i1 < (uint32_t)15U; i1++) + { + uint64_t c = FStar_UInt64_eq_mask(bits_c, (uint64_t)(i1 + (uint32_t)1U)); + uint64_t *res_j = table + (i1 + (uint32_t)1U) * len; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t *os = resM; + uint64_t x = (c & res_j[i]) | (~c & resM[i]); + os[i] = x; + } + } + } + for (uint32_t i0 = (uint32_t)0U; i0 < bBits / (uint32_t)4U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + bn_almost_mont_sqr_u64(len, n, mu, resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i0 - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk - (uint32_t)4U * i0 - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = b[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_l = ite & mask_l; + 
KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *a_bits_l = alloca(len * sizeof (uint64_t)); + memset(a_bits_l, 0U, len * sizeof (uint64_t)); + memcpy(a_bits_l, table, len * sizeof (uint64_t)); + for (uint32_t i2 = (uint32_t)0U; i2 < (uint32_t)15U; i2++) + { + uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i2 + (uint32_t)1U)); + uint64_t *res_j = table + (i2 + (uint32_t)1U) * len; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t *os = a_bits_l; + uint64_t x = (c & res_j[i]) | (~c & a_bits_l[i]); + os[i] = x; + } + } + bn_almost_mont_mul_u64(len, n, mu, resM, a_bits_l, resM); + } + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t *tmp1 = alloca((len + len) * sizeof (uint64_t)); + memset(tmp1, 0U, (len + len) * sizeof (uint64_t)); + memcpy(tmp1, resM, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, tmp1, res); +} + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u64( + uint32_t len, + uint32_t nBits, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *r2 = alloca(len * sizeof (uint64_t)); + memset(r2, 0U, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64(len, nBits, n, r2); + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64(len, n, mu, r2, a, bBits, b, res); +} + +void +Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_u64( + uint32_t len, + uint32_t nBits, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *r2 = alloca(len * sizeof (uint64_t)); + memset(r2, 0U, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64(len, nBits, n, r2); + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u64(len, n, mu, r2, a, bBits, b, res); +} + 
diff --git a/src/msvc/Hacl_Bignum256.c b/src/msvc/Hacl_Bignum256.c new file mode 100644 index 00000000..79367393 --- /dev/null +++ b/src/msvc/Hacl_Bignum256.c 
@@ -0,0 +1,1617 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Bignum256.h" + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Bignum.h" + +/******************************************************************************* + +A verified 256-bit bignum library. + +This is a 64-bit optimized version, where bignums are represented as an array +of four unsigned 64-bit integers, i.e. uint64_t[4]. Furthermore, the +limbs are stored in little-endian format, i.e. the least significant limb is at +index 0. Each limb is stored in native format in memory. Example: + + uint64_t sixteen[4] = { 0x10; 0x00; 0x00; 0x00 } + +We strongly encourage users to go through the conversion functions, e.g. 
+bn_from_bytes_be, to i) not depend on internal representation choices and ii) +have the ability to switch easily to a 32-bit optimized version in the future. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2^256` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 256-bit bignums, i.e. uint64_t[4] +*/ +uint64_t Hacl_Bignum256_add(uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t20, res_i0); + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t10, t21, res_i1); + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, t22, res_i2); + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t2, res_i); + } + return c; +} + +/* +Write `a - b mod 2^256` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 256-bit bignums, i.e. 
uint64_t[4] +*/ +uint64_t Hacl_Bignum256_sub(uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t2, res_i); + } + return c; +} + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • a < n + • b < n +*/ +void Hacl_Bignum256_add_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c0 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t1, t20, res_i0); + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t10, t21, res_i1); + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t11, t22, res_i2); + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t1, t2, res_i); + } + uint64_t c00 = c0; + uint64_t tmp[4U] = { 0U }; + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t t1 = res[(uint32_t)4U * i]; + uint64_t t20 = n[(uint32_t)4U * i]; + uint64_t *res_i0 = tmp + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); + uint64_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); + uint64_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = tmp + 
(uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); + uint64_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t2, res_i); + } + uint64_t c1 = c; + uint64_t c2 = c00 - c1; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = res; + uint64_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } +} + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum256_sub_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c0 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t1, t20, res_i0); + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t10, t21, res_i1); + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t11, t22, res_i2); + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + 
(uint32_t)3U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t1, t2, res_i); + } + uint64_t c00 = c0; + uint64_t tmp[4U] = { 0U }; + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t t1 = res[(uint32_t)4U * i]; + uint64_t t20 = n[(uint32_t)4U * i]; + uint64_t *res_i0 = tmp + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t20, res_i0); + uint64_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t10, t21, res_i1); + uint64_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, t22, res_i2); + uint64_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t2, res_i); + } + uint64_t c1 = c; + uint64_t c2 = (uint64_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = res; + uint64_t x = (c2 & tmp[i]) | (~c2 & res[i]); + os[i] = x; + } +} + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint64_t[4]. + The outparam res is meant to be a 512-bit bignum, i.e. uint64_t[8]. 
+*/ +void Hacl_Bignum256_mul(uint64_t *a, uint64_t *b, uint64_t *res) +{ + memset(res, 0U, (uint32_t)8U * sizeof (uint64_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + uint64_t bj = b[i0]; + uint64_t *res_j = res + i0; + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t a_i = a[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, bj, c, res_i0); + uint64_t a_i0 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, bj, c, res_i1); + uint64_t a_i1 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, bj, c, res_i2); + uint64_t a_i2 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, bj, c, res_i); + } + for (uint32_t i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t a_i = a[i]; + uint64_t *res_i = res_j + i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, bj, c, res_i); + } + uint64_t r = c; + res[(uint32_t)4U + i0] = r; + } +} + +/* +Write `a * a` in `res`. + + The argument a is meant to be a 256-bit bignum, i.e. uint64_t[4]. + The outparam res is meant to be a 512-bit bignum, i.e. uint64_t[8]. 
+*/ +void Hacl_Bignum256_sqr(uint64_t *a, uint64_t *res) +{ + memset(res, 0U, (uint32_t)8U * sizeof (uint64_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + uint64_t *ab = a; + uint64_t a_j = a[i0]; + uint64_t *res_j = res + i0; + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < i0 / (uint32_t)4U; i++) + { + uint64_t a_i = ab[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c, res_i0); + uint64_t a_i0 = ab[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, a_j, c, res_i1); + uint64_t a_i1 = ab[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, a_j, c, res_i2); + uint64_t a_i2 = ab[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, a_j, c, res_i); + } + for (uint32_t i = i0 / (uint32_t)4U * (uint32_t)4U; i < i0; i++) + { + uint64_t a_i = ab[i]; + uint64_t *res_i = res_j + i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c, res_i); + } + uint64_t r = c; + res[i0 + i0] = r; + } + uint64_t c0 = Hacl_Bignum_Addition_bn_add_eq_len_u64((uint32_t)8U, res, res, res); + uint64_t tmp[8U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + FStar_UInt128_uint128 res1 = FStar_UInt128_mul_wide(a[i], a[i]); + uint64_t hi = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res1, (uint32_t)64U)); + uint64_t lo = FStar_UInt128_uint128_to_uint64(res1); + tmp[(uint32_t)2U * i] = lo; + tmp[(uint32_t)2U * i + (uint32_t)1U] = hi; + } + uint64_t c1 = Hacl_Bignum_Addition_bn_add_eq_len_u64((uint32_t)8U, res, tmp, res); +} + +static inline void precompr2(uint32_t nBits, uint64_t *n, uint64_t *res) +{ + memset(res, 0U, (uint32_t)4U * sizeof (uint64_t)); + uint32_t i = nBits / 
(uint32_t)64U; + uint32_t j = nBits % (uint32_t)64U; + res[i] = res[i] | (uint64_t)1U << j; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)512U - nBits; i0++) + { + Hacl_Bignum256_add_mod(n, res, res, res); + } +} + +static inline void reduction(uint64_t *n, uint64_t nInv, uint64_t *c, uint64_t *res) +{ + uint64_t c0 = (uint64_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + uint64_t qj = nInv * c[i0]; + uint64_t *res_j0 = c + i0; + uint64_t c1 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t a_i = n[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i0); + uint64_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c1, res_i1); + uint64_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c1, res_i2); + uint64_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c1, res_i); + } + for (uint32_t i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t a_i = n[i]; + uint64_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i); + } + uint64_t r = c1; + uint64_t c10 = r; + uint64_t *resb = c + (uint32_t)4U + i0; + uint64_t res_j = c[(uint32_t)4U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c10, res_j, resb); + } + memcpy(res, c + (uint32_t)4U, (uint32_t)4U * sizeof (uint64_t)); + uint64_t c00 = c0; + uint64_t tmp[4U] = { 0U }; + uint64_t c1 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t t1 = res[(uint32_t)4U * i]; + uint64_t t20 = n[(uint32_t)4U * i]; + uint64_t *res_i0 = tmp + (uint32_t)4U * i; + c1 = 
Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t20, res_i0); + uint64_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t10, t21, res_i1); + uint64_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t11, t22, res_i2); + uint64_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t2, res_i); + } + uint64_t c10 = c1; + uint64_t c2 = c00 - c10; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = res; + uint64_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } +} + +static inline void areduction(uint64_t *n, uint64_t nInv, uint64_t *c, uint64_t *res) +{ + uint64_t c0 = (uint64_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + uint64_t qj = nInv * c[i0]; + uint64_t *res_j0 = c + i0; + uint64_t c1 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t a_i = n[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i0); + uint64_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c1, res_i1); + uint64_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = 
Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c1, res_i2); + uint64_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c1, res_i); + } + for (uint32_t i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t a_i = n[i]; + uint64_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i); + } + uint64_t r = c1; + uint64_t c10 = r; + uint64_t *resb = c + (uint32_t)4U + i0; + uint64_t res_j = c[(uint32_t)4U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c10, res_j, resb); + } + memcpy(res, c + (uint32_t)4U, (uint32_t)4U * sizeof (uint64_t)); + uint64_t c00 = c0; + uint64_t tmp[4U] = { 0U }; + uint64_t c1 = Hacl_Bignum256_sub(res, n, tmp); + uint64_t m = (uint64_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = res; + uint64_t x = (m & tmp[i]) | (~m & res[i]); + os[i] = x; + } +} + +static inline void +amont_mul(uint64_t *n, uint64_t nInv_u64, uint64_t *aM, uint64_t *bM, uint64_t *resM) +{ + uint64_t c[8U] = { 0U }; + memset(c, 0U, (uint32_t)8U * sizeof (uint64_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + uint64_t bj = bM[i0]; + uint64_t *res_j = c + i0; + uint64_t c1 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t a_i = aM[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, bj, c1, res_i0); + uint64_t a_i0 = aM[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, bj, c1, res_i1); + uint64_t a_i1 = aM[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, bj, c1, res_i2); + uint64_t a_i2 = aM[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c1 
= Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, bj, c1, res_i); + } + for (uint32_t i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t a_i = aM[i]; + uint64_t *res_i = res_j + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, bj, c1, res_i); + } + uint64_t r = c1; + c[(uint32_t)4U + i0] = r; + } + areduction(n, nInv_u64, c, resM); +} + +static inline void amont_sqr(uint64_t *n, uint64_t nInv_u64, uint64_t *aM, uint64_t *resM) +{ + uint64_t c[8U] = { 0U }; + memset(c, 0U, (uint32_t)8U * sizeof (uint64_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + uint64_t *ab = aM; + uint64_t a_j = aM[i0]; + uint64_t *res_j = c + i0; + uint64_t c1 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < i0 / (uint32_t)4U; i++) + { + uint64_t a_i = ab[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c1, res_i0); + uint64_t a_i0 = ab[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, a_j, c1, res_i1); + uint64_t a_i1 = ab[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, a_j, c1, res_i2); + uint64_t a_i2 = ab[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, a_j, c1, res_i); + } + for (uint32_t i = i0 / (uint32_t)4U * (uint32_t)4U; i < i0; i++) + { + uint64_t a_i = ab[i]; + uint64_t *res_i = res_j + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c1, res_i); + } + uint64_t r = c1; + c[i0 + i0] = r; + } + uint64_t c0 = Hacl_Bignum_Addition_bn_add_eq_len_u64((uint32_t)8U, c, c, c); + uint64_t tmp[8U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + FStar_UInt128_uint128 res = FStar_UInt128_mul_wide(aM[i], aM[i]); + uint64_t hi = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, 
(uint32_t)64U)); + uint64_t lo = FStar_UInt128_uint128_to_uint64(res); + tmp[(uint32_t)2U * i] = lo; + tmp[(uint32_t)2U * i + (uint32_t)1U] = hi; + } + uint64_t c1 = Hacl_Bignum_Addition_bn_add_eq_len_u64((uint32_t)8U, c, tmp, c); + areduction(n, nInv_u64, c, resM); +} + +static inline void +bn_slow_precomp(uint64_t *n, uint64_t mu, uint64_t *r2, uint64_t *a, uint64_t *res) +{ + uint64_t a_mod[4U] = { 0U }; + uint64_t a1[8U] = { 0U }; + memcpy(a1, a, (uint32_t)8U * sizeof (uint64_t)); + uint64_t c0 = (uint64_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + uint64_t qj = mu * a1[i0]; + uint64_t *res_j0 = a1 + i0; + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)1U; i++) + { + uint64_t a_i = n[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j0 + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i0); + uint64_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c, res_i1); + uint64_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c, res_i2); + uint64_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c, res_i); + } + for (uint32_t i = (uint32_t)4U; i < (uint32_t)4U; i++) + { + uint64_t a_i = n[i]; + uint64_t *res_i = res_j0 + i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i); + } + uint64_t r = c; + uint64_t c1 = r; + uint64_t *resb = a1 + (uint32_t)4U + i0; + uint64_t res_j = a1[(uint32_t)4U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c1, res_j, resb); + } + memcpy(a_mod, a1 + (uint32_t)4U, (uint32_t)4U * sizeof (uint64_t)); + uint64_t c00 = c0; + uint64_t tmp[4U] = { 0U }; + uint64_t c1 = Hacl_Bignum256_sub(a_mod, n, tmp); + uint64_t m = (uint64_t)0U - 
c00; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = a_mod; + uint64_t x = (m & tmp[i]) | (~m & a_mod[i]); + os[i] = x; + } + uint64_t c[8U] = { 0U }; + Hacl_Bignum256_mul(a_mod, r2, c); + reduction(n, mu, c, res); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 512-bit bignum, i.e. uint64_t[8]. + The argument n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum256_mod(uint64_t *n, uint64_t *a, uint64_t *res) +{ + uint64_t one[4U] = { 0U }; + memset(one, 0U, (uint32_t)4U * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + uint64_t bit0 = n[0U] & (uint64_t)1U; + uint64_t m0 = (uint64_t)0U - bit0; + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m1 = acc; + uint64_t is_valid_m = m0 & m1; + uint32_t + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)4U, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + uint64_t r2[4U] = { 0U }; + precompr2(nBits, n, r2); + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + bn_slow_precomp(n, mu, r2, a, res); + } + else + { + memset(res, 0U, (uint32_t)4U * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +static uint64_t exp_check(uint64_t *n, uint64_t *a, uint32_t bBits, uint64_t *b) +{ + uint64_t one[4U] = { 0U }; + memset(one, 0U, (uint32_t)4U * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + uint64_t bit0 = n[0U] & (uint64_t)1U; + uint64_t m0 = (uint64_t)0U - bit0; + uint64_t acc0 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t beq = 
FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m10 = acc0; + uint64_t m00 = m0 & m10; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + uint64_t m1; + if (bBits < (uint32_t)64U * bLen) + { + KRML_CHECK_SIZE(sizeof (uint64_t), bLen); + uint64_t *b2 = alloca(bLen * sizeof (uint64_t)); + memset(b2, 0U, bLen * sizeof (uint64_t)); + uint32_t i0 = bBits / (uint32_t)64U; + uint32_t j = bBits % (uint32_t)64U; + b2[i0] = b2[i0] | (uint64_t)1U << j; + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < bLen; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(b[i], b2[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(b[i], b2[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t res = acc; + m1 = res; + } + else + { + m1 = (uint64_t)0xFFFFFFFFFFFFFFFFU; + } + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m2 = acc; + uint64_t m = m1 & m2; + return m00 & m; +} + +static inline void +exp_vartime_precomp( + uint64_t *n, + uint64_t mu, + uint64_t *r2, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + if (bBits < (uint32_t)200U) + { + uint64_t aM[4U] = { 0U }; + uint64_t c[8U] = { 0U }; + Hacl_Bignum256_mul(a, r2, c); + reduction(n, mu, c, aM); + uint64_t resM[4U] = { 0U }; + uint64_t tmp0[8U] = { 0U }; + memcpy(tmp0, r2, (uint32_t)4U * sizeof (uint64_t)); + reduction(n, mu, tmp0, resM); + for (uint32_t i = (uint32_t)0U; i < bBits; i++) + { + uint32_t i1 = i / (uint32_t)64U; + 
uint32_t j = i % (uint32_t)64U; + uint64_t tmp = b[i1]; + uint64_t bit = tmp >> j & (uint64_t)1U; + if (!(bit == (uint64_t)0U)) + { + amont_mul(n, mu, resM, aM, resM); + } + amont_sqr(n, mu, aM, aM); + } + uint64_t tmp[8U] = { 0U }; + memcpy(tmp, resM, (uint32_t)4U * sizeof (uint64_t)); + reduction(n, mu, tmp, res); + return; + } + uint64_t aM[4U] = { 0U }; + uint64_t c[8U] = { 0U }; + Hacl_Bignum256_mul(a, r2, c); + reduction(n, mu, c, aM); + uint64_t resM[4U] = { 0U }; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + uint64_t tmp[8U] = { 0U }; + memcpy(tmp, r2, (uint32_t)4U * sizeof (uint64_t)); + reduction(n, mu, tmp, resM); + uint64_t table[64U] = { 0U }; + memcpy(table, resM, (uint32_t)4U * sizeof (uint64_t)); + uint64_t *t1 = table + (uint32_t)4U; + memcpy(t1, aM, (uint32_t)4U * sizeof (uint64_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)4U; + uint64_t *t2 = table + (i + (uint32_t)2U) * (uint32_t)4U; + amont_mul(n, mu, t11, aM, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)64U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)64U; + uint64_t p1 = b[i] >> j; + uint64_t ite; + if (i + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_c = ite & mask_l; + uint32_t bits_l32 = (uint32_t)bits_c; + uint64_t *a_bits_l = table + bits_l32 * (uint32_t)4U; + memcpy(resM, a_bits_l, (uint32_t)4U * sizeof (uint64_t)); + } + for (uint32_t i = (uint32_t)0U; i < bBits / (uint32_t)4U; i++) + { + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + amont_sqr(n, mu, resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint64_t mask_l = 
(uint64_t)16U - (uint64_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = b[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_l = ite & mask_l; + uint64_t a_bits_l[4U] = { 0U }; + uint32_t bits_l32 = (uint32_t)bits_l; + uint64_t *a_bits_l1 = table + bits_l32 * (uint32_t)4U; + memcpy(a_bits_l, a_bits_l1, (uint32_t)4U * sizeof (uint64_t)); + amont_mul(n, mu, resM, a_bits_l, resM); + } + uint64_t tmp0[8U] = { 0U }; + memcpy(tmp0, resM, (uint32_t)4U * sizeof (uint64_t)); + reduction(n, mu, tmp0, res); +} + +static inline void +exp_consttime_precomp( + uint64_t *n, + uint64_t mu, + uint64_t *r2, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + if (bBits < (uint32_t)200U) + { + uint64_t aM[4U] = { 0U }; + uint64_t c[8U] = { 0U }; + Hacl_Bignum256_mul(a, r2, c); + reduction(n, mu, c, aM); + uint64_t resM[4U] = { 0U }; + uint64_t tmp0[8U] = { 0U }; + memcpy(tmp0, r2, (uint32_t)4U * sizeof (uint64_t)); + reduction(n, mu, tmp0, resM); + uint64_t sw = (uint64_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < bBits; i0++) + { + uint32_t i1 = (bBits - i0 - (uint32_t)1U) / (uint32_t)64U; + uint32_t j = (bBits - i0 - (uint32_t)1U) % (uint32_t)64U; + uint64_t tmp = b[i1]; + uint64_t bit = tmp >> j & (uint64_t)1U; + uint64_t sw1 = bit ^ sw; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t dummy = ((uint64_t)0U - sw1) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + amont_mul(n, mu, aM, resM, aM); + amont_sqr(n, mu, resM, resM); + sw = bit; + } + uint64_t sw0 = sw; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t dummy = ((uint64_t)0U - sw0) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + uint64_t tmp[8U] = 
{ 0U }; + memcpy(tmp, resM, (uint32_t)4U * sizeof (uint64_t)); + reduction(n, mu, tmp, res); + return; + } + uint64_t aM[4U] = { 0U }; + uint64_t c0[8U] = { 0U }; + Hacl_Bignum256_mul(a, r2, c0); + reduction(n, mu, c0, aM); + uint64_t resM[4U] = { 0U }; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + uint64_t tmp[8U] = { 0U }; + memcpy(tmp, r2, (uint32_t)4U * sizeof (uint64_t)); + reduction(n, mu, tmp, resM); + uint64_t table[64U] = { 0U }; + memcpy(table, resM, (uint32_t)4U * sizeof (uint64_t)); + uint64_t *t1 = table + (uint32_t)4U; + memcpy(t1, aM, (uint32_t)4U * sizeof (uint64_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)4U; + uint64_t *t2 = table + (i + (uint32_t)2U) * (uint32_t)4U; + amont_mul(n, mu, t11, aM, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i0 = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)64U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)64U; + uint64_t p1 = b[i0] >> j; + uint64_t ite; + if (i0 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i0 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_c = ite & mask_l; + memcpy(resM, table, (uint32_t)4U * sizeof (uint64_t)); + for (uint32_t i1 = (uint32_t)0U; i1 < (uint32_t)15U; i1++) + { + uint64_t c = FStar_UInt64_eq_mask(bits_c, (uint64_t)(i1 + (uint32_t)1U)); + uint64_t *res_j = table + (i1 + (uint32_t)1U) * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = resM; + uint64_t x = (c & res_j[i]) | (~c & resM[i]); + os[i] = x; + } + } + } + for (uint32_t i0 = (uint32_t)0U; i0 < bBits / (uint32_t)4U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + amont_sqr(n, mu, resM, resM); + } + uint32_t bk = bBits - bBits 
% (uint32_t)4U; + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i0 - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk - (uint32_t)4U * i0 - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = b[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_l = ite & mask_l; + uint64_t a_bits_l[4U] = { 0U }; + memcpy(a_bits_l, table, (uint32_t)4U * sizeof (uint64_t)); + for (uint32_t i2 = (uint32_t)0U; i2 < (uint32_t)15U; i2++) + { + uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i2 + (uint32_t)1U)); + uint64_t *res_j = table + (i2 + (uint32_t)1U) * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = a_bits_l; + uint64_t x = (c & res_j[i]) | (~c & a_bits_l[i]); + os[i] = x; + } + } + amont_mul(n, mu, resM, a_bits_l, resM); + } + uint64_t tmp0[8U] = { 0U }; + memcpy(tmp0, resM, (uint32_t)4U * sizeof (uint64_t)); + reduction(n, mu, tmp0, res); +} + +static inline void +exp_vartime( + uint32_t nBits, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t r2[4U] = { 0U }; + precompr2(nBits, n, r2); + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + exp_vartime_precomp(n, mu, r2, a, bBits, b, res); +} + +static inline void +exp_consttime( + uint32_t nBits, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t r2[4U] = { 0U }; + precompr2(nBits, n, r2); + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + exp_consttime_precomp(n, mu, r2, a, bBits, b, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. 
When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum256_mod_exp_vartime( + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t is_valid_m = exp_check(n, a, bBits, b); + uint32_t + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)4U, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + exp_vartime(nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, (uint32_t)4U * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. + + The function returns false if any of the following preconditions are violated, + true otherwise. 
+ • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum256_mod_exp_consttime( + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t is_valid_m = exp_check(n, a, bBits, b); + uint32_t + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)4U, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + exp_consttime(nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, (uint32_t)4U * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum256_mod_inv_prime_vartime(uint64_t *n, uint64_t *a, uint64_t *res) +{ + uint64_t one[4U] = { 0U }; + memset(one, 0U, (uint32_t)4U * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + uint64_t bit0 = n[0U] & (uint64_t)1U; + uint64_t m0 = (uint64_t)0U - bit0; + uint64_t acc0 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m1 = acc0; + uint64_t m00 = m0 & m1; + uint64_t bn_zero[4U] = { 0U }; + uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t uu____0 = FStar_UInt64_eq_mask(a[i], bn_zero[i]); + mask = uu____0 & mask; + } + uint64_t mask1 = mask; + uint64_t res10 = mask1; + uint64_t m10 = res10; + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + 
{ + uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m2 = acc; + uint64_t is_valid_m = (m00 & ~m10) & m2; + uint32_t + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)4U, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + uint64_t n2[4U] = { 0U }; + uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, n[0U], (uint64_t)2U, n2); + uint64_t c1; + if ((uint32_t)1U < (uint32_t)4U) + { + uint32_t rLen = (uint32_t)3U; + uint64_t *a1 = n + (uint32_t)1U; + uint64_t *res1 = n2 + (uint32_t)1U; + uint64_t c = c0; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint64_t t1 = a1[(uint32_t)4U * i]; + uint64_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i0); + uint64_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, (uint64_t)0U, res_i1); + uint64_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, (uint64_t)0U, res_i2); + uint64_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, (uint64_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint64_t t1 = a1[i]; + uint64_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i); + } + uint64_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + exp_vartime(nBits, n, a, (uint32_t)256U, n2, res); + } + else + { + memset(res, 0U, (uint32_t)4U * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + + 
+/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be a 256-bit bignum, i.e. uint64_t[4]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum256_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_Bignum256_mont_ctx_init(uint64_t *n) +{ + uint64_t *r2 = KRML_HOST_CALLOC((uint32_t)4U, sizeof (uint64_t)); + uint64_t *n1 = KRML_HOST_CALLOC((uint32_t)4U, sizeof (uint64_t)); + uint64_t *r21 = r2; + uint64_t *n11 = n1; + memcpy(n11, n, (uint32_t)4U * sizeof (uint64_t)); + uint32_t + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)4U, n); + precompr2(nBits, n, r21); + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 + res = { .len = (uint32_t)4U, .n = n11, .mu = mu, .r2 = r21 }; + KRML_CHECK_SIZE(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64), (uint32_t)1U); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 + *buf = KRML_HOST_MALLOC(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64)); + buf[0U] = res; + return buf; +} + +/* +Deallocate the memory previously allocated by Hacl_Bignum256_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. +*/ +void Hacl_Bignum256_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + uint64_t *n = k1.n; + uint64_t *r2 = k1.r2; + KRML_HOST_FREE(n); + KRML_HOST_FREE(r2); + KRML_HOST_FREE(k); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 512-bit bignum, i.e. uint64_t[8]. + The outparam res is meant to be a 256-bit bignum, i.e. uint64_t[4]. 
+ The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. +*/ +void +Hacl_Bignum256_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + bn_slow_precomp(k1.n, k1.mu, k1.r2, a, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum256_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. 
+ + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum256_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + exp_consttime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be 256-bit bignums, i.e. uint64_t[4]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum256_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + uint64_t n2[4U] = { 0U }; + uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, k1.n[0U], (uint64_t)2U, n2); + uint64_t c1; + if ((uint32_t)1U < (uint32_t)4U) + { + uint32_t rLen = (uint32_t)3U; + uint64_t *a1 = k1.n + (uint32_t)1U; + uint64_t *res1 = n2 + (uint32_t)1U; + uint64_t c = c0; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint64_t t1 = a1[(uint32_t)4U * i]; + uint64_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i0); + uint64_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, (uint64_t)0U, res_i1); + uint64_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = 
Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, (uint64_t)0U, res_i2); + uint64_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, (uint64_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint64_t t1 = a1[i]; + uint64_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i); + } + uint64_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, (uint32_t)256U, n2, res); +} + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. 
+*/ +uint64_t *Hacl_Bignum256_new_bn_from_bytes_be(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U <= (uint32_t)536870911U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint64_t), (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U); + uint64_t + *res = KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U, sizeof (uint64_t)); + if (res == NULL) + { + return res; + } + uint64_t *res1 = res; + uint64_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t *tmp = alloca(tmpLen * sizeof (uint8_t)); + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + uint64_t *os = res2; + uint64_t u = load64_be(tmp + (bnLen - i - (uint32_t)1U) * (uint32_t)8U); + uint64_t x = u; + os[i] = x; + } + return res2; +} + +/* +Load a little-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. 
+*/ +uint64_t *Hacl_Bignum256_new_bn_from_bytes_le(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U <= (uint32_t)536870911U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint64_t), (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U); + uint64_t + *res = KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U, sizeof (uint64_t)); + if (res == NULL) + { + return res; + } + uint64_t *res1 = res; + uint64_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t *tmp = alloca(tmpLen * sizeof (uint8_t)); + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp, b, len * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; i++) + { + uint64_t *os = res2; + uint8_t *bj = tmp + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r1 = u; + uint64_t x = r1; + os[i] = x; + } + return res2; +} + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a 256-bit bignum. + The outparam res points to 32 bytes of valid memory. +*/ +void Hacl_Bignum256_bn_to_bytes_be(uint64_t *b, uint8_t *res) +{ + uint32_t bnLen = ((uint32_t)32U - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t *tmp = alloca(tmpLen * sizeof (uint8_t)); + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + uint32_t numb = (uint32_t)8U; + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + store64_be(tmp + i * numb, b[bnLen - i - (uint32_t)1U]); + } + memcpy(res, tmp + tmpLen - (uint32_t)32U, (uint32_t)32U * sizeof (uint8_t)); +} + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a 256-bit bignum. + The outparam res points to 32 bytes of valid memory. 
+*/ +void Hacl_Bignum256_bn_to_bytes_le(uint64_t *b, uint8_t *res) +{ + uint32_t bnLen = ((uint32_t)32U - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t *tmp = alloca(tmpLen * sizeof (uint8_t)); + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + store64_le(tmp + i * (uint32_t)8U, b[i]); + } + memcpy(res, tmp, (uint32_t)32U * sizeof (uint8_t)); +} + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^64 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint64_t[4]. +*/ +uint64_t Hacl_Bignum256_lt_mask(uint64_t *a, uint64_t *b) +{ + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(a[i], b[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(a[i], b[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + return acc; +} + +/* +Returns 2^64 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint64_t[4]. +*/ +uint64_t Hacl_Bignum256_eq_mask(uint64_t *a, uint64_t *b) +{ + uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t uu____0 = FStar_UInt64_eq_mask(a[i], b[i]); + mask = uu____0 & mask; + } + uint64_t mask1 = mask; + return mask1; +} + diff --git a/src/msvc/Hacl_Bignum256_32.c b/src/msvc/Hacl_Bignum256_32.c new file mode 100644 index 00000000..d1cd73c3 --- /dev/null +++ b/src/msvc/Hacl_Bignum256_32.c 
@@ -0,0 +1,1612 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Bignum256_32.h" + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Bignum.h" + +/******************************************************************************* + +A verified 256-bit bignum library. + +This is a 32-bit optimized version, where bignums are represented as an array +of eight unsigned 32-bit integers, i.e. uint32_t[8]. Furthermore, the +limbs are stored in little-endian format, i.e. the least significant limb is at +index 0. Each limb is stored in native format in memory. Example: + + uint32_t sixteen[8] = { 0x10; 0x00; 0x00; 0x00; 0x00; 0x00; 0x00; 0x00 } + +We strongly encourage users to go through the conversion functions, e.g. 
+bn_from_bytes_be, to i) not depend on internal representation choices and ii) +have the ability to switch easily to a 64-bit optimized version in the future. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2^256` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 256-bit bignums, i.e. uint32_t[8] +*/ +uint32_t Hacl_Bignum256_32_add(uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t20, res_i0); + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t10, t21, res_i1); + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t11, t22, res_i2); + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t2, res_i); + } + return c; +} + +/* +Write `a - b mod 2^256` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 256-bit bignums, i.e. 
uint32_t[8] +*/ +uint32_t Hacl_Bignum256_32_sub(uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t20, res_i0); + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, t21, res_i1); + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, t22, res_i2); + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t2, res_i); + } + return c; +} + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • a < n + • b < n +*/ +void Hacl_Bignum256_32_add_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c0 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t1, t20, res_i0); + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t10, t21, res_i1); + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t11, t22, res_i2); + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t1, t2, res_i); + } + uint32_t c00 = c0; + uint32_t tmp[8U] = { 0U }; + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t t1 = res[(uint32_t)4U * i]; + uint32_t t20 = n[(uint32_t)4U * i]; + uint32_t *res_i0 = tmp + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t20, res_i0); + uint32_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, t21, res_i1); + uint32_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = tmp + 
(uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, t22, res_i2); + uint32_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t t1 = res[i]; + uint32_t t2 = n[i]; + uint32_t *res_i = tmp + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t2, res_i); + } + uint32_t c1 = c; + uint32_t c2 = c00 - c1; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = res; + uint32_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } +} + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum256_32_sub_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c0 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t1, t20, res_i0); + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t10, t21, res_i1); + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t11, t22, res_i2); + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + 
(uint32_t)3U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t1, t2, res_i); + } + uint32_t c00 = c0; + uint32_t tmp[8U] = { 0U }; + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t t1 = res[(uint32_t)4U * i]; + uint32_t t20 = n[(uint32_t)4U * i]; + uint32_t *res_i0 = tmp + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t20, res_i0); + uint32_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t10, t21, res_i1); + uint32_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t11, t22, res_i2); + uint32_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t t1 = res[i]; + uint32_t t2 = n[i]; + uint32_t *res_i = tmp + i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t2, res_i); + } + uint32_t c1 = c; + uint32_t c2 = (uint32_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = res; + uint32_t x = (c2 & tmp[i]) | (~c2 & res[i]); + os[i] = x; + } +} + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint32_t[8]. + The outparam res is meant to be a 512-bit bignum, i.e. uint32_t[16]. 
+*/ +void Hacl_Bignum256_32_mul(uint32_t *a, uint32_t *b, uint32_t *res) +{ + memset(res, 0U, (uint32_t)16U * sizeof (uint32_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)8U; i0++) + { + uint32_t bj = b[i0]; + uint32_t *res_j = res + i0; + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t a_i = a[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, bj, c, res_i0); + uint32_t a_i0 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, bj, c, res_i1); + uint32_t a_i1 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, bj, c, res_i2); + uint32_t a_i2 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, bj, c, res_i); + } + for (uint32_t i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t a_i = a[i]; + uint32_t *res_i = res_j + i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, bj, c, res_i); + } + uint32_t r = c; + res[(uint32_t)8U + i0] = r; + } +} + +/* +Write `a * a` in `res`. + + The argument a is meant to be a 256-bit bignum, i.e. uint32_t[8]. + The outparam res is meant to be a 512-bit bignum, i.e. uint32_t[16]. 
+*/ +void Hacl_Bignum256_32_sqr(uint32_t *a, uint32_t *res) +{ + memset(res, 0U, (uint32_t)16U * sizeof (uint32_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)8U; i0++) + { + uint32_t *ab = a; + uint32_t a_j = a[i0]; + uint32_t *res_j = res + i0; + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < i0 / (uint32_t)4U; i++) + { + uint32_t a_i = ab[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, a_j, c, res_i0); + uint32_t a_i0 = ab[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, a_j, c, res_i1); + uint32_t a_i1 = ab[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, a_j, c, res_i2); + uint32_t a_i2 = ab[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, a_j, c, res_i); + } + for (uint32_t i = i0 / (uint32_t)4U * (uint32_t)4U; i < i0; i++) + { + uint32_t a_i = ab[i]; + uint32_t *res_i = res_j + i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, a_j, c, res_i); + } + uint32_t r = c; + res[i0 + i0] = r; + } + uint32_t c0 = Hacl_Bignum_Addition_bn_add_eq_len_u32((uint32_t)16U, res, res, res); + uint32_t tmp[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint64_t res1 = (uint64_t)a[i] * (uint64_t)a[i]; + uint32_t hi = (uint32_t)(res1 >> (uint32_t)32U); + uint32_t lo = (uint32_t)res1; + tmp[(uint32_t)2U * i] = lo; + tmp[(uint32_t)2U * i + (uint32_t)1U] = hi; + } + uint32_t c1 = Hacl_Bignum_Addition_bn_add_eq_len_u32((uint32_t)16U, res, tmp, res); +} + +static inline void precompr2(uint32_t nBits, uint32_t *n, uint32_t *res) +{ + memset(res, 0U, (uint32_t)8U * sizeof (uint32_t)); + uint32_t i = nBits / (uint32_t)32U; + uint32_t j = nBits % (uint32_t)32U; + res[i] = res[i] | (uint32_t)1U 
<< j; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)512U - nBits; i0++) + { + Hacl_Bignum256_32_add_mod(n, res, res, res); + } +} + +static inline void reduction(uint32_t *n, uint32_t nInv, uint32_t *c, uint32_t *res) +{ + uint32_t c0 = (uint32_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)8U; i0++) + { + uint32_t qj = nInv * c[i0]; + uint32_t *res_j0 = c + i0; + uint32_t c1 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t a_i = n[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i0); + uint32_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, qj, c1, res_i1); + uint32_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, qj, c1, res_i2); + uint32_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c1, res_i); + } + for (uint32_t i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t a_i = n[i]; + uint32_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i); + } + uint32_t r = c1; + uint32_t c10 = r; + uint32_t *resb = c + (uint32_t)8U + i0; + uint32_t res_j = c[(uint32_t)8U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, c10, res_j, resb); + } + memcpy(res, c + (uint32_t)8U, (uint32_t)8U * sizeof (uint32_t)); + uint32_t c00 = c0; + uint32_t tmp[8U] = { 0U }; + uint32_t c1 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t t1 = res[(uint32_t)4U * i]; + uint32_t t20 = n[(uint32_t)4U * i]; + uint32_t *res_i0 = tmp + (uint32_t)4U * i; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t1, t20, res_i0); + uint32_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + 
uint32_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t10, t21, res_i1); + uint32_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t11, t22, res_i2); + uint32_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t t1 = res[i]; + uint32_t t2 = n[i]; + uint32_t *res_i = tmp + i; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t1, t2, res_i); + } + uint32_t c10 = c1; + uint32_t c2 = c00 - c10; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = res; + uint32_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } +} + +static inline void areduction(uint32_t *n, uint32_t nInv, uint32_t *c, uint32_t *res) +{ + uint32_t c0 = (uint32_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)8U; i0++) + { + uint32_t qj = nInv * c[i0]; + uint32_t *res_j0 = c + i0; + uint32_t c1 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t a_i = n[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i0); + uint32_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, qj, c1, res_i1); + uint32_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, qj, c1, res_i2); + uint32_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j0 + 
(uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c1, res_i); + } + for (uint32_t i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t a_i = n[i]; + uint32_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i); + } + uint32_t r = c1; + uint32_t c10 = r; + uint32_t *resb = c + (uint32_t)8U + i0; + uint32_t res_j = c[(uint32_t)8U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, c10, res_j, resb); + } + memcpy(res, c + (uint32_t)8U, (uint32_t)8U * sizeof (uint32_t)); + uint32_t c00 = c0; + uint32_t tmp[8U] = { 0U }; + uint32_t c1 = Hacl_Bignum256_32_sub(res, n, tmp); + uint32_t m = (uint32_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = res; + uint32_t x = (m & tmp[i]) | (~m & res[i]); + os[i] = x; + } +} + +static inline void +amont_mul(uint32_t *n, uint32_t nInv_u64, uint32_t *aM, uint32_t *bM, uint32_t *resM) +{ + uint32_t c[16U] = { 0U }; + memset(c, 0U, (uint32_t)16U * sizeof (uint32_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)8U; i0++) + { + uint32_t bj = bM[i0]; + uint32_t *res_j = c + i0; + uint32_t c1 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t a_i = aM[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, bj, c1, res_i0); + uint32_t a_i0 = aM[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, bj, c1, res_i1); + uint32_t a_i1 = aM[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, bj, c1, res_i2); + uint32_t a_i2 = aM[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, bj, c1, res_i); + } + for (uint32_t i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t 
a_i = aM[i]; + uint32_t *res_i = res_j + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, bj, c1, res_i); + } + uint32_t r = c1; + c[(uint32_t)8U + i0] = r; + } + areduction(n, nInv_u64, c, resM); +} + +static inline void amont_sqr(uint32_t *n, uint32_t nInv_u64, uint32_t *aM, uint32_t *resM) +{ + uint32_t c[16U] = { 0U }; + memset(c, 0U, (uint32_t)16U * sizeof (uint32_t)); + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)8U; i0++) + { + uint32_t *ab = aM; + uint32_t a_j = aM[i0]; + uint32_t *res_j = c + i0; + uint32_t c1 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < i0 / (uint32_t)4U; i++) + { + uint32_t a_i = ab[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, a_j, c1, res_i0); + uint32_t a_i0 = ab[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, a_j, c1, res_i1); + uint32_t a_i1 = ab[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, a_j, c1, res_i2); + uint32_t a_i2 = ab[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, a_j, c1, res_i); + } + for (uint32_t i = i0 / (uint32_t)4U * (uint32_t)4U; i < i0; i++) + { + uint32_t a_i = ab[i]; + uint32_t *res_i = res_j + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, a_j, c1, res_i); + } + uint32_t r = c1; + c[i0 + i0] = r; + } + uint32_t c0 = Hacl_Bignum_Addition_bn_add_eq_len_u32((uint32_t)16U, c, c, c); + uint32_t tmp[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint64_t res = (uint64_t)aM[i] * (uint64_t)aM[i]; + uint32_t hi = (uint32_t)(res >> (uint32_t)32U); + uint32_t lo = (uint32_t)res; + tmp[(uint32_t)2U * i] = lo; + tmp[(uint32_t)2U * i + (uint32_t)1U] = hi; + } + uint32_t c1 = 
Hacl_Bignum_Addition_bn_add_eq_len_u32((uint32_t)16U, c, tmp, c); + areduction(n, nInv_u64, c, resM); +} + +static inline void +bn_slow_precomp(uint32_t *n, uint32_t mu, uint32_t *r2, uint32_t *a, uint32_t *res) +{ + uint32_t a_mod[8U] = { 0U }; + uint32_t a1[16U] = { 0U }; + memcpy(a1, a, (uint32_t)16U * sizeof (uint32_t)); + uint32_t c0 = (uint32_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)8U; i0++) + { + uint32_t qj = mu * a1[i0]; + uint32_t *res_j0 = a1 + i0; + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t a_i = n[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j0 + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c, res_i0); + uint32_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, qj, c, res_i1); + uint32_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, qj, c, res_i2); + uint32_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c, res_i); + } + for (uint32_t i = (uint32_t)8U; i < (uint32_t)8U; i++) + { + uint32_t a_i = n[i]; + uint32_t *res_i = res_j0 + i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c, res_i); + } + uint32_t r = c; + uint32_t c1 = r; + uint32_t *resb = a1 + (uint32_t)8U + i0; + uint32_t res_j = a1[(uint32_t)8U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, c1, res_j, resb); + } + memcpy(a_mod, a1 + (uint32_t)8U, (uint32_t)8U * sizeof (uint32_t)); + uint32_t c00 = c0; + uint32_t tmp[8U] = { 0U }; + uint32_t c1 = Hacl_Bignum256_32_sub(a_mod, n, tmp); + uint32_t m = (uint32_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = a_mod; + uint32_t x = (m & tmp[i]) | (~m & a_mod[i]); + os[i] = x; + } + 
uint32_t c[16U] = { 0U }; + Hacl_Bignum256_32_mul(a_mod, r2, c); + reduction(n, mu, c, res); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 512-bit bignum, i.e. uint32_t[16]. + The argument n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum256_32_mod(uint32_t *n, uint32_t *a, uint32_t *res) +{ + uint32_t one[8U] = { 0U }; + memset(one, 0U, (uint32_t)8U * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + uint32_t bit0 = n[0U] & (uint32_t)1U; + uint32_t m0 = (uint32_t)0U - bit0; + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m1 = acc; + uint32_t is_valid_m = m0 & m1; + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)8U, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + uint32_t r2[8U] = { 0U }; + precompr2(nBits, n, r2); + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + bn_slow_precomp(n, mu, r2, a, res); + } + else + { + memset(res, 0U, (uint32_t)8U * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + +static uint32_t exp_check(uint32_t *n, uint32_t *a, uint32_t bBits, uint32_t *b) +{ + uint32_t one[8U] = { 0U }; + memset(one, 0U, (uint32_t)8U * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + uint32_t bit0 = n[0U] & (uint32_t)1U; + uint32_t m0 = (uint32_t)0U - bit0; + uint32_t acc0 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + 
} + uint32_t m10 = acc0; + uint32_t m00 = m0 & m10; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + uint32_t m1; + if (bBits < (uint32_t)32U * bLen) + { + KRML_CHECK_SIZE(sizeof (uint32_t), bLen); + uint32_t *b2 = alloca(bLen * sizeof (uint32_t)); + memset(b2, 0U, bLen * sizeof (uint32_t)); + uint32_t i0 = bBits / (uint32_t)32U; + uint32_t j = bBits % (uint32_t)32U; + b2[i0] = b2[i0] | (uint32_t)1U << j; + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < bLen; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(b[i], b2[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(b[i], b2[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t res = acc; + m1 = res; + } + else + { + m1 = (uint32_t)0xFFFFFFFFU; + } + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m2 = acc; + uint32_t m = m1 & m2; + return m00 & m; +} + +static inline void +exp_vartime_precomp( + uint32_t *n, + uint32_t mu, + uint32_t *r2, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + if (bBits < (uint32_t)200U) + { + uint32_t aM[8U] = { 0U }; + uint32_t c[16U] = { 0U }; + Hacl_Bignum256_32_mul(a, r2, c); + reduction(n, mu, c, aM); + uint32_t resM[8U] = { 0U }; + uint32_t tmp0[16U] = { 0U }; + memcpy(tmp0, r2, (uint32_t)8U * sizeof (uint32_t)); + reduction(n, mu, tmp0, resM); + for (uint32_t i = (uint32_t)0U; i < bBits; i++) + { + uint32_t i1 = i / (uint32_t)32U; + uint32_t j = i % (uint32_t)32U; + uint32_t tmp = b[i1]; + uint32_t bit = tmp >> j & (uint32_t)1U; + if (!(bit == (uint32_t)0U)) + { + amont_mul(n, mu, resM, aM, resM); + } + amont_sqr(n, mu, aM, aM); + } + 
uint32_t tmp[16U] = { 0U }; + memcpy(tmp, resM, (uint32_t)8U * sizeof (uint32_t)); + reduction(n, mu, tmp, res); + return; + } + uint32_t aM[8U] = { 0U }; + uint32_t c[16U] = { 0U }; + Hacl_Bignum256_32_mul(a, r2, c); + reduction(n, mu, c, aM); + uint32_t resM[8U] = { 0U }; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + uint32_t tmp[16U] = { 0U }; + memcpy(tmp, r2, (uint32_t)8U * sizeof (uint32_t)); + reduction(n, mu, tmp, resM); + uint32_t table[128U] = { 0U }; + memcpy(table, resM, (uint32_t)8U * sizeof (uint32_t)); + uint32_t *t1 = table + (uint32_t)8U; + memcpy(t1, aM, (uint32_t)8U * sizeof (uint32_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint32_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)8U; + uint32_t *t2 = table + (i + (uint32_t)2U) * (uint32_t)8U; + amont_mul(n, mu, t11, aM, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)32U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)32U; + uint32_t p1 = b[i] >> j; + uint32_t ite; + if (i + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_c = ite & mask_l; + uint32_t bits_l32 = bits_c; + uint32_t *a_bits_l = table + bits_l32 * (uint32_t)8U; + memcpy(resM, a_bits_l, (uint32_t)8U * sizeof (uint32_t)); + } + for (uint32_t i = (uint32_t)0U; i < bBits / (uint32_t)4U; i++) + { + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + amont_sqr(n, mu, resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)32U; + uint32_t j = (bk - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)32U; + uint32_t p1 = b[i1] >> j; + uint32_t 
ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_l = ite & mask_l; + uint32_t a_bits_l[8U] = { 0U }; + uint32_t bits_l32 = bits_l; + uint32_t *a_bits_l1 = table + bits_l32 * (uint32_t)8U; + memcpy(a_bits_l, a_bits_l1, (uint32_t)8U * sizeof (uint32_t)); + amont_mul(n, mu, resM, a_bits_l, resM); + } + uint32_t tmp0[16U] = { 0U }; + memcpy(tmp0, resM, (uint32_t)8U * sizeof (uint32_t)); + reduction(n, mu, tmp0, res); +} + +static inline void +exp_consttime_precomp( + uint32_t *n, + uint32_t mu, + uint32_t *r2, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + if (bBits < (uint32_t)200U) + { + uint32_t aM[8U] = { 0U }; + uint32_t c[16U] = { 0U }; + Hacl_Bignum256_32_mul(a, r2, c); + reduction(n, mu, c, aM); + uint32_t resM[8U] = { 0U }; + uint32_t tmp0[16U] = { 0U }; + memcpy(tmp0, r2, (uint32_t)8U * sizeof (uint32_t)); + reduction(n, mu, tmp0, resM); + uint32_t sw = (uint32_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < bBits; i0++) + { + uint32_t i1 = (bBits - i0 - (uint32_t)1U) / (uint32_t)32U; + uint32_t j = (bBits - i0 - (uint32_t)1U) % (uint32_t)32U; + uint32_t tmp = b[i1]; + uint32_t bit = tmp >> j & (uint32_t)1U; + uint32_t sw1 = bit ^ sw; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t dummy = ((uint32_t)0U - sw1) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + amont_mul(n, mu, aM, resM, aM); + amont_sqr(n, mu, resM, resM); + sw = bit; + } + uint32_t sw0 = sw; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t dummy = ((uint32_t)0U - sw0) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + uint32_t tmp[16U] = { 0U }; + memcpy(tmp, resM, (uint32_t)8U * sizeof (uint32_t)); + reduction(n, mu, tmp, res); + return; + } + uint32_t aM[8U] = { 0U }; + uint32_t c0[16U] = { 0U }; + Hacl_Bignum256_32_mul(a, r2, c0); + reduction(n, 
mu, c0, aM); + uint32_t resM[8U] = { 0U }; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + uint32_t tmp[16U] = { 0U }; + memcpy(tmp, r2, (uint32_t)8U * sizeof (uint32_t)); + reduction(n, mu, tmp, resM); + uint32_t table[128U] = { 0U }; + memcpy(table, resM, (uint32_t)8U * sizeof (uint32_t)); + uint32_t *t1 = table + (uint32_t)8U; + memcpy(t1, aM, (uint32_t)8U * sizeof (uint32_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint32_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)8U; + uint32_t *t2 = table + (i + (uint32_t)2U) * (uint32_t)8U; + amont_mul(n, mu, t11, aM, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i0 = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)32U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)32U; + uint32_t p1 = b[i0] >> j; + uint32_t ite; + if (i0 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i0 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_c = ite & mask_l; + memcpy(resM, table, (uint32_t)8U * sizeof (uint32_t)); + for (uint32_t i1 = (uint32_t)0U; i1 < (uint32_t)15U; i1++) + { + uint32_t c = FStar_UInt32_eq_mask(bits_c, i1 + (uint32_t)1U); + uint32_t *res_j = table + (i1 + (uint32_t)1U) * (uint32_t)8U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = resM; + uint32_t x = (c & res_j[i]) | (~c & resM[i]); + os[i] = x; + } + } + } + for (uint32_t i0 = (uint32_t)0U; i0 < bBits / (uint32_t)4U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + amont_sqr(n, mu, resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i0 - (uint32_t)4U) / (uint32_t)32U; + uint32_t j = (bk - (uint32_t)4U * i0 - (uint32_t)4U) % (uint32_t)32U; + uint32_t 
p1 = b[i1] >> j; + uint32_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_l = ite & mask_l; + uint32_t a_bits_l[8U] = { 0U }; + memcpy(a_bits_l, table, (uint32_t)8U * sizeof (uint32_t)); + for (uint32_t i2 = (uint32_t)0U; i2 < (uint32_t)15U; i2++) + { + uint32_t c = FStar_UInt32_eq_mask(bits_l, i2 + (uint32_t)1U); + uint32_t *res_j = table + (i2 + (uint32_t)1U) * (uint32_t)8U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = a_bits_l; + uint32_t x = (c & res_j[i]) | (~c & a_bits_l[i]); + os[i] = x; + } + } + amont_mul(n, mu, resM, a_bits_l, resM); + } + uint32_t tmp0[16U] = { 0U }; + memcpy(tmp0, resM, (uint32_t)8U * sizeof (uint32_t)); + reduction(n, mu, tmp0, res); +} + +static inline void +exp_vartime( + uint32_t nBits, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t r2[8U] = { 0U }; + precompr2(nBits, n, r2); + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + exp_vartime_precomp(n, mu, r2, a, bBits, b, res); +} + +static inline void +exp_consttime( + uint32_t nBits, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t r2[8U] = { 0U }; + precompr2(nBits, n, r2); + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + exp_consttime_precomp(n, mu, r2, a, bBits, b, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. 
See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum256_32_mod_exp_vartime( + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t is_valid_m = exp_check(n, a, bBits, b); + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)8U, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + exp_vartime(nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, (uint32_t)8U * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum256_32_mod_exp_consttime( + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t is_valid_m = exp_check(n, a, bBits, b); + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)8U, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + exp_consttime(nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, (uint32_t)8U * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + +/* +Write `a ^ (-1) mod n` in `res`. 
+ + The arguments a, n and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum256_32_mod_inv_prime_vartime(uint32_t *n, uint32_t *a, uint32_t *res) +{ + uint32_t one[8U] = { 0U }; + memset(one, 0U, (uint32_t)8U * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + uint32_t bit0 = n[0U] & (uint32_t)1U; + uint32_t m0 = (uint32_t)0U - bit0; + uint32_t acc0 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m1 = acc0; + uint32_t m00 = m0 & m1; + uint32_t bn_zero[8U] = { 0U }; + uint32_t mask = (uint32_t)0xFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t uu____0 = FStar_UInt32_eq_mask(a[i], bn_zero[i]); + mask = uu____0 & mask; + } + uint32_t mask1 = mask; + uint32_t res10 = mask1; + uint32_t m10 = res10; + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m2 = acc; + uint32_t is_valid_m = (m00 & ~m10) & m2; + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)8U, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + uint32_t n2[8U] = { 0U }; + uint32_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32((uint32_t)0U, n[0U], (uint32_t)2U, n2); + uint32_t c1; + if ((uint32_t)1U < (uint32_t)8U) + { + uint32_t rLen = (uint32_t)7U; + uint32_t 
*a1 = n + (uint32_t)1U; + uint32_t *res1 = n2 + (uint32_t)1U; + uint32_t c = c0; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint32_t t1 = a1[(uint32_t)4U * i]; + uint32_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i0); + uint32_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, (uint32_t)0U, res_i1); + uint32_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, (uint32_t)0U, res_i2); + uint32_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, (uint32_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint32_t t1 = a1[i]; + uint32_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i); + } + uint32_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + exp_vartime(nBits, n, a, (uint32_t)256U, n2, res); + } + else + { + memset(res, 0U, (uint32_t)8U * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be a 256-bit bignum, i.e. uint32_t[8]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum256_mont_ctx_free on the return value + to avoid memory leaks. 
+*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_Bignum256_32_mont_ctx_init(uint32_t *n) +{ + uint32_t *r2 = KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); + uint32_t *n1 = KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); + uint32_t *r21 = r2; + uint32_t *n11 = n1; + memcpy(n11, n, (uint32_t)8U * sizeof (uint32_t)); + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)8U, n); + precompr2(nBits, n, r21); + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 + res = { .len = (uint32_t)8U, .n = n11, .mu = mu, .r2 = r21 }; + KRML_CHECK_SIZE(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32), (uint32_t)1U); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 + *buf = KRML_HOST_MALLOC(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32)); + buf[0U] = res; + return buf; +} + +/* +Deallocate the memory previously allocated by Hacl_Bignum256_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. +*/ +void Hacl_Bignum256_32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + uint32_t *n = k1.n; + uint32_t *r2 = k1.r2; + KRML_HOST_FREE(n); + KRML_HOST_FREE(r2); + KRML_HOST_FREE(k); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 512-bit bignum, i.e. uint32_t[16]. + The outparam res is meant to be a 256-bit bignum, i.e. uint32_t[8]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. +*/ +void +Hacl_Bignum256_32_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + bn_slow_precomp(k1.n, k1.mu, k1.r2, a, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. 
+ The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum256_32_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum256_32_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + exp_consttime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be 256-bit bignums, i.e. uint32_t[8]. + The argument k is a montgomery context obtained through Hacl_Bignum256_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum256_32_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + uint32_t n2[8U] = { 0U }; + uint32_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32((uint32_t)0U, k1.n[0U], (uint32_t)2U, n2); + uint32_t c1; + if ((uint32_t)1U < (uint32_t)8U) + { + uint32_t rLen = (uint32_t)7U; + uint32_t *a1 = k1.n + (uint32_t)1U; + uint32_t *res1 = n2 + (uint32_t)1U; + uint32_t c = c0; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint32_t t1 = a1[(uint32_t)4U * i]; + uint32_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i0); + uint32_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, (uint32_t)0U, res_i1); + uint32_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, (uint32_t)0U, res_i2); + uint32_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, (uint32_t)0U, res_i); 
+ } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint32_t t1 = a1[i]; + uint32_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i); + } + uint32_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, (uint32_t)256U, n2, res); +} + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum256_32_new_bn_from_bytes_be(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U <= (uint32_t)1073741823U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint32_t), (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U); + uint32_t + *res = KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U, sizeof (uint32_t)); + if (res == NULL) + { + return res; + } + uint32_t *res1 = res; + uint32_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t *tmp = alloca(tmpLen * sizeof (uint8_t)); + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + uint32_t *os = res2; + uint32_t u = load32_be(tmp + (bnLen - i - (uint32_t)1U) * (uint32_t)4U); + uint32_t x = u; + os[i] = x; + } + return res2; +} + +/* +Load a little-endian bignum from memory. + + The argument b points to len bytes of valid memory. 
+ The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum256_32_new_bn_from_bytes_le(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U <= (uint32_t)1073741823U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint32_t), (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U); + uint32_t + *res = KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U, sizeof (uint32_t)); + if (res == NULL) + { + return res; + } + uint32_t *res1 = res; + uint32_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t *tmp = alloca(tmpLen * sizeof (uint8_t)); + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp, b, len * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; i++) + { + uint32_t *os = res2; + uint8_t *bj = tmp + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r1 = u; + uint32_t x = r1; + os[i] = x; + } + return res2; +} + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a 256-bit bignum. + The outparam res points to 32 bytes of valid memory. 
+*/ +void Hacl_Bignum256_32_bn_to_bytes_be(uint32_t *b, uint8_t *res) +{ + uint32_t bnLen = ((uint32_t)32U - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t *tmp = alloca(tmpLen * sizeof (uint8_t)); + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + uint32_t numb = (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + store32_be(tmp + i * numb, b[bnLen - i - (uint32_t)1U]); + } + memcpy(res, tmp + tmpLen - (uint32_t)32U, (uint32_t)32U * sizeof (uint8_t)); +} + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a 256-bit bignum. + The outparam res points to 32 bytes of valid memory. +*/ +void Hacl_Bignum256_32_bn_to_bytes_le(uint32_t *b, uint8_t *res) +{ + uint32_t bnLen = ((uint32_t)32U - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t *tmp = alloca(tmpLen * sizeof (uint8_t)); + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + store32_le(tmp + i * (uint32_t)4U, b[i]); + } + memcpy(res, tmp, (uint32_t)32U * sizeof (uint8_t)); +} + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^32 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint32_t[8]. +*/ +uint32_t Hacl_Bignum256_32_lt_mask(uint32_t *a, uint32_t *b) +{ + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(a[i], b[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(a[i], b[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + return acc; +} + +/* +Returns 2^32 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be 256-bit bignums, i.e. uint32_t[8]. 
+*/ +uint32_t Hacl_Bignum256_32_eq_mask(uint32_t *a, uint32_t *b) +{ + uint32_t mask = (uint32_t)0xFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t uu____0 = FStar_UInt32_eq_mask(a[i], b[i]); + mask = uu____0 & mask; + } + uint32_t mask1 = mask; + return mask1; +} + diff --git a/src/msvc/Hacl_Bignum32.c b/src/msvc/Hacl_Bignum32.c new file mode 100644 index 00000000..b1486e1d --- /dev/null +++ b/src/msvc/Hacl_Bignum32.c 
@@ -0,0 +1,853 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Bignum32.h" + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Bignum.h" + +/******************************************************************************* + +A verified bignum library. + +This is a 32-bit optimized version, where bignums are represented as an array +of `len` unsigned 32-bit integers, i.e. uint32_t[len]. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2 ^ (32 * len)` in `res`. + + This functions returns the carry. + + The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. 
uint32_t[len] +*/ +uint32_t Hacl_Bignum32_add(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res) +{ + return Hacl_Bignum_Addition_bn_add_eq_len_u32(len, a, b, res); +} + +/* +Write `a - b mod 2 ^ (32 * len)` in `res`. + + This functions returns the carry. + + The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len] +*/ +uint32_t Hacl_Bignum32_sub(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res) +{ + return Hacl_Bignum_Addition_bn_sub_eq_len_u32(len, a, b, res); +} + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum32_add_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res) +{ + Hacl_Bignum_bn_add_mod_n_u32(len, n, a, b, res); +} + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum32_sub_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res) +{ + Hacl_Bignum_bn_sub_mod_n_u32(len, n, a, b, res); +} + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. + The outparam res is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. +*/ +void Hacl_Bignum32_mul(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + uint32_t *tmp = alloca((uint32_t)4U * len * sizeof (uint32_t)); + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len, a, b, tmp, res); +} + +/* +Write `a * a` in `res`. 
+ + The argument a is meant to be `len` limbs in size, i.e. uint32_t[len]. + The outparam res is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. +*/ +void Hacl_Bignum32_sqr(uint32_t len, uint32_t *a, uint32_t *res) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + uint32_t *tmp = alloca((uint32_t)4U * len * sizeof (uint32_t)); + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32(len, a, tmp, res); +} + +static inline void +bn_slow_precomp( + uint32_t len, + uint32_t *n, + uint32_t mu, + uint32_t *r2, + uint32_t *a, + uint32_t *res +) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *a_mod = alloca(len * sizeof (uint32_t)); + memset(a_mod, 0U, len * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t *a1 = alloca((len + len) * sizeof (uint32_t)); + memset(a1, 0U, (len + len) * sizeof (uint32_t)); + memcpy(a1, a, (len + len) * sizeof (uint32_t)); + uint32_t c0 = (uint32_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < len; i0++) + { + uint32_t qj = mu * a1[i0]; + uint32_t *res_j0 = a1 + i0; + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len / (uint32_t)4U; i++) + { + uint32_t a_i = n[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j0 + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c, res_i0); + uint32_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, qj, c, res_i1); + uint32_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, qj, c, res_i2); + uint32_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c, res_i); + } + for (uint32_t i = len / (uint32_t)4U * (uint32_t)4U; i < len; i++) + { + uint32_t a_i = n[i]; + 
uint32_t *res_i = res_j0 + i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c, res_i); + } + uint32_t r = c; + uint32_t c1 = r; + uint32_t *resb = a1 + len + i0; + uint32_t res_j = a1[len + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, c1, res_j, resb); + } + memcpy(a_mod, a1 + len, (len + len - len) * sizeof (uint32_t)); + uint32_t c00 = c0; + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *tmp0 = alloca(len * sizeof (uint32_t)); + memset(tmp0, 0U, len * sizeof (uint32_t)); + uint32_t c1 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(len, a_mod, n, tmp0); + uint32_t m = (uint32_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t *os = a_mod; + uint32_t x = (m & tmp0[i]) | (~m & a_mod[i]); + os[i] = x; + } + KRML_CHECK_SIZE(sizeof (uint32_t), len + len); + uint32_t *c = alloca((len + len) * sizeof (uint32_t)); + memset(c, 0U, (len + len) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * len); + uint32_t *tmp = alloca((uint32_t)4U * len * sizeof (uint32_t)); + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint32_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32(len, a_mod, r2, tmp, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u32(len, n, mu, c, res); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. + The argument n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + The function returns false if any of the following preconditions are violated, + true otherwise. 
+ • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum32_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *one = alloca(len * sizeof (uint32_t)); + memset(one, 0U, len * sizeof (uint32_t)); + memset(one, 0U, len * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + uint32_t bit0 = n[0U] & (uint32_t)1U; + uint32_t m0 = (uint32_t)0U - bit0; + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m1 = acc; + uint32_t is_valid_m = m0 & m1; + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32(len, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *r2 = alloca(len * sizeof (uint32_t)); + memset(r2, 0U, len * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u32(len, nBits, n, r2); + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + bn_slow_precomp(len, n, mu, r2, a, res); + } + else + { + memset(res, 0U, len * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. 
+ • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum32_mod_exp_vartime( + uint32_t len, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t is_valid_m = Hacl_Bignum_Exponentiation_bn_check_mod_exp_u32(len, n, a, bBits, b); + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32(len, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u32(len, nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, len * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum32_mod_exp_consttime( + uint32_t len, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t is_valid_m = Hacl_Bignum_Exponentiation_bn_check_mod_exp_u32(len, n, a, bBits, b); + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32(len, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_u32(len, nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, len * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + +/* +Write `a ^ (-1) mod n` in `res`. 
+ + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum32_mod_inv_prime_vartime(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *one = alloca(len * sizeof (uint32_t)); + memset(one, 0U, len * sizeof (uint32_t)); + memset(one, 0U, len * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + uint32_t bit0 = n[0U] & (uint32_t)1U; + uint32_t m0 = (uint32_t)0U - bit0; + uint32_t acc0 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m1 = acc0; + uint32_t m00 = m0 & m1; + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *bn_zero = alloca(len * sizeof (uint32_t)); + memset(bn_zero, 0U, len * sizeof (uint32_t)); + uint32_t mask = (uint32_t)0xFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t uu____0 = FStar_UInt32_eq_mask(a[i], bn_zero[i]); + mask = uu____0 & mask; + } + uint32_t mask1 = mask; + uint32_t res10 = mask1; + uint32_t m10 = res10; + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m2 = acc; + uint32_t is_valid_m = (m00 & ~m10) & m2; + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32(len, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + KRML_CHECK_SIZE(sizeof 
(uint32_t), len); + uint32_t *n2 = alloca(len * sizeof (uint32_t)); + memset(n2, 0U, len * sizeof (uint32_t)); + uint32_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32((uint32_t)0U, n[0U], (uint32_t)2U, n2); + uint32_t c1; + if ((uint32_t)1U < len) + { + uint32_t rLen = len - (uint32_t)1U; + uint32_t *a1 = n + (uint32_t)1U; + uint32_t *res1 = n2 + (uint32_t)1U; + uint32_t c = c0; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint32_t t1 = a1[(uint32_t)4U * i]; + uint32_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i0); + uint32_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, (uint32_t)0U, res_i1); + uint32_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, (uint32_t)0U, res_i2); + uint32_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, (uint32_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint32_t t1 = a1[i]; + uint32_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i); + } + uint32_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u32(len, + nBits, + n, + a, + (uint32_t)32U * len, + n2, + res); + } + else + { + memset(res, 0U, len * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be `len` limbs in size, i.e. uint32_t[len]. 
+ + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum32_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 +*Hacl_Bignum32_mont_ctx_init(uint32_t len, uint32_t *n) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *r2 = KRML_HOST_CALLOC(len, sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *n1 = KRML_HOST_CALLOC(len, sizeof (uint32_t)); + uint32_t *r21 = r2; + uint32_t *n11 = n1; + memcpy(n11, n, len * sizeof (uint32_t)); + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32(len, n); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u32(len, nBits, n, r21); + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 res = { .len = len, .n = n11, .mu = mu, .r2 = r21 }; + KRML_CHECK_SIZE(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32), (uint32_t)1U); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 + *buf = KRML_HOST_MALLOC(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32)); + buf[0U] = res; + return buf; +} + +/* +Deallocate the memory previously allocated by Hacl_Bignum32_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. +*/ +void Hacl_Bignum32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + uint32_t *n = k1.n; + uint32_t *r2 = k1.r2; + KRML_HOST_FREE(n); + KRML_HOST_FREE(r2); + KRML_HOST_FREE(k); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. + The outparam res is meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. 
+*/ +void +Hacl_Bignum32_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k10 = *k; + uint32_t len1 = k10.len; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + bn_slow_precomp(len1, k1.n, k1.mu, k1.r2, a, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum32_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k10 = *k; + uint32_t len1 = k10.len; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u32(len1, + k1.n, + k1.mu, + k1.r2, + a, + bBits, + b, + res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. 
When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum32_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k10 = *k; + uint32_t len1 = k10.len; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u32(len1, + k1.n, + k1.mu, + k1.r2, + a, + bBits, + b, + res); +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum32_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k10 = *k; + uint32_t len1 = k10.len; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + KRML_CHECK_SIZE(sizeof (uint32_t), len1); + uint32_t *n2 = alloca(len1 * sizeof (uint32_t)); + memset(n2, 0U, len1 * sizeof (uint32_t)); + uint32_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32((uint32_t)0U, k1.n[0U], (uint32_t)2U, n2); + uint32_t c1; + if ((uint32_t)1U < len1) + { + uint32_t rLen = len1 - (uint32_t)1U; + uint32_t *a1 = k1.n + (uint32_t)1U; + uint32_t *res1 = n2 + (uint32_t)1U; + uint32_t c = c0; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint32_t t1 = a1[(uint32_t)4U * i]; + uint32_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i0); + uint32_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, (uint32_t)0U, res_i1); + uint32_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, (uint32_t)0U, res_i2); + uint32_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, (uint32_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint32_t t1 = a1[i]; + uint32_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i); + } + uint32_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u32(len1, + k1.n, + k1.mu, + k1.r2, + a, + (uint32_t)32U * len1, + n2, + res); +} + + +/********************/ +/* Loads and stores */ 
+/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to `len` bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint32_t *Hacl_Bignum32_new_bn_from_bytes_be(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U <= (uint32_t)1073741823U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint32_t), (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U); + uint32_t + *res = KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U, sizeof (uint32_t)); + if (res == NULL) + { + return res; + } + uint32_t *res1 = res; + uint32_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t *tmp = alloca(tmpLen * sizeof (uint8_t)); + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + uint32_t *os = res2; + uint32_t u = load32_be(tmp + (bnLen - i - (uint32_t)1U) * (uint32_t)4U); + uint32_t x = u; + os[i] = x; + } + return res2; +} + +/* +Load a little-endian bignum from memory. + + The argument b points to `len` bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. 
+*/ +uint32_t *Hacl_Bignum32_new_bn_from_bytes_le(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U <= (uint32_t)1073741823U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint32_t), (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U); + uint32_t + *res = KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U, sizeof (uint32_t)); + if (res == NULL) + { + return res; + } + uint32_t *res1 = res; + uint32_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t *tmp = alloca(tmpLen * sizeof (uint8_t)); + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp, b, len * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; i++) + { + uint32_t *os = res2; + uint8_t *bj = tmp + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r1 = u; + uint32_t x = r1; + os[i] = x; + } + return res2; +} + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a bignum of ⌈len / 4⌉ size. + The outparam res points to `len` bytes of valid memory. +*/ +void Hacl_Bignum32_bn_to_bytes_be(uint32_t len, uint32_t *b, uint8_t *res) +{ + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t *tmp = alloca(tmpLen * sizeof (uint8_t)); + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + uint32_t numb = (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + store32_be(tmp + i * numb, b[bnLen - i - (uint32_t)1U]); + } + memcpy(res, tmp + tmpLen - len, len * sizeof (uint8_t)); +} + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a bignum of ⌈len / 4⌉ size. + The outparam res points to `len` bytes of valid memory. 
+*/ +void Hacl_Bignum32_bn_to_bytes_le(uint32_t len, uint32_t *b, uint8_t *res) +{ + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t *tmp = alloca(tmpLen * sizeof (uint8_t)); + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + store32_le(tmp + i * (uint32_t)4U, b[i]); + } + memcpy(res, tmp, len * sizeof (uint8_t)); +} + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^32 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. +*/ +uint32_t Hacl_Bignum32_lt_mask(uint32_t len, uint32_t *a, uint32_t *b) +{ + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(a[i], b[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(a[i], b[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + return acc; +} + +/* +Returns 2^32 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. +*/ +uint32_t Hacl_Bignum32_eq_mask(uint32_t len, uint32_t *a, uint32_t *b) +{ + uint32_t mask = (uint32_t)0xFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint32_t uu____0 = FStar_UInt32_eq_mask(a[i], b[i]); + mask = uu____0 & mask; + } + uint32_t mask1 = mask; + return mask1; +} + diff --git a/src/msvc/Hacl_Bignum4096.c b/src/msvc/Hacl_Bignum4096.c new file mode 100644 index 00000000..c470bc78 --- /dev/null +++ b/src/msvc/Hacl_Bignum4096.c 
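Review bot: Hacl_Bignum32_mont_ctx_init dereferences the results of KRML_HOST_CALLOC and KRML_HOST_MALLOC without a NULL check (`memcpy(n11, n, len * sizeof (uint32_t));` and `buf[0U] = res;`), whereas Hacl_Bignum32_new_bn_from_bytes_be in the same hunk does test `res == NULL` and its comment promises NULL on allocation failure; unless KRML_HOST_CALLOC is configured to abort, a failed allocation here becomes a write through a null pointer instead of an error return, and a failure on the second calloc also leaks the first buffer. The fix is to check each allocation, release what was already obtained, return NULL, and add to the function's comment that it returns NULL when allocation fails. Separately, Hacl_Bignum32_mul, Hacl_Bignum32_sqr and bn_slow_precomp place buffers of 4*len limbs or more on the stack via alloca with only KRML_CHECK_SIZE guarding the size multiplication, so the API comments should state that callers must keep len bounded, and `c1` in Hacl_Bignum32_mod_inv_prime_vartime is assigned but never read.
```c
Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32
*Hacl_Bignum32_mont_ctx_init(uint32_t len, uint32_t *n)
{
  KRML_CHECK_SIZE(sizeof (uint32_t), len);
  uint32_t *r2 = KRML_HOST_CALLOC(len, sizeof (uint32_t));
  if (r2 == NULL)
  {
    return NULL;
  }
  KRML_CHECK_SIZE(sizeof (uint32_t), len);
  uint32_t *n1 = KRML_HOST_CALLOC(len, sizeof (uint32_t));
  if (n1 == NULL)
  {
    KRML_HOST_FREE(r2);
    return NULL;
  }
  /* … unchanged: copy n into n1, precompute r2 and mu, build res … */
  Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32
  *buf = KRML_HOST_MALLOC(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32));
  if (buf == NULL)
  {
    KRML_HOST_FREE(n1);
    KRML_HOST_FREE(r2);
    return NULL;
  }
  buf[0U] = res;
  return buf;
}
```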
@@ -0,0 +1,1485 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Bignum4096.h" + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Bignum.h" + +/******************************************************************************* + +A verified 4096-bit bignum library. + +This is a 64-bit optimized version, where bignums are represented as an array +of sixty four unsigned 64-bit integers, i.e. uint64_t[64]. Furthermore, the +limbs are stored in little-endian format, i.e. the least significant limb is at +index 0. Each limb is stored in native format in memory. Example: + + uint64_t sixteen[64] = { 0x10 } + + (relying on the fact that when an initializer-list is provided, the remainder + of the object gets initialized as if it had static storage duration, i.e. 
with + zeroes) + +We strongly encourage users to go through the conversion functions, e.g. +bn_from_bytes_be, to i) not depend on internal representation choices and ii) +have the ability to switch easily to a 32-bit optimized version in the future. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2^4096` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 4096-bit bignums, i.e. uint64_t[64] +*/ +uint64_t Hacl_Bignum4096_add(uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t20, res_i0); + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t10, t21, res_i1); + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, t22, res_i2); + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t2, res_i); + } + return c; +} + +/* +Write `a - b mod 2^4096` in `res`. + + This functions returns the carry. 
+ + The arguments a, b and res are meant to be 4096-bit bignums, i.e. uint64_t[64] +*/ +uint64_t Hacl_Bignum4096_sub(uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t2, res_i); + } + return c; +} + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • a < n + • b < n +*/ +void Hacl_Bignum4096_add_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c0 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t1, t20, res_i0); + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t10, t21, res_i1); + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t11, t22, res_i2); + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t1, t2, res_i); + } + uint64_t c00 = c0; + uint64_t tmp[64U] = { 0U }; + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t t1 = res[(uint32_t)4U * i]; + uint64_t t20 = n[(uint32_t)4U * i]; + uint64_t *res_i0 = tmp + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); + uint64_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); + uint64_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = tmp + 
(uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); + uint64_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t2, res_i); + } + uint64_t c1 = c; + uint64_t c2 = c00 - c1; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t *os = res; + uint64_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } +} + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum4096_sub_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t c0 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t t1 = a[(uint32_t)4U * i]; + uint64_t t20 = b[(uint32_t)4U * i]; + uint64_t *res_i0 = res + (uint32_t)4U * i; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t1, t20, res_i0); + uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t10, t21, res_i1); + uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t11, t22, res_i2); + uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res + (uint32_t)4U * i 
+ (uint32_t)3U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t t1 = a[i]; + uint64_t t2 = b[i]; + uint64_t *res_i = res + i; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t1, t2, res_i); + } + uint64_t c00 = c0; + uint64_t tmp[64U] = { 0U }; + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t t1 = res[(uint32_t)4U * i]; + uint64_t t20 = n[(uint32_t)4U * i]; + uint64_t *res_i0 = tmp + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t20, res_i0); + uint64_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t10, t21, res_i1); + uint64_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, t22, res_i2); + uint64_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t2, res_i); + } + uint64_t c1 = c; + uint64_t c2 = (uint64_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t *os = res; + uint64_t x = (c2 & tmp[i]) | (~c2 & res[i]); + os[i] = x; + } +} + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint64_t[64]. + The outparam res is meant to be a 8192-bit bignum, i.e. uint64_t[128]. 
+*/ +void Hacl_Bignum4096_mul(uint64_t *a, uint64_t *b, uint64_t *res) +{ + uint64_t tmp[256U] = { 0U }; + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64((uint32_t)64U, a, b, tmp, res); +} + +/* +Write `a * a` in `res`. + + The argument a is meant to be a 4096-bit bignum, i.e. uint64_t[64]. + The outparam res is meant to be a 8192-bit bignum, i.e. uint64_t[128]. +*/ +void Hacl_Bignum4096_sqr(uint64_t *a, uint64_t *res) +{ + uint64_t tmp[256U] = { 0U }; + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64((uint32_t)64U, a, tmp, res); +} + +static inline void precompr2(uint32_t nBits, uint64_t *n, uint64_t *res) +{ + memset(res, 0U, (uint32_t)64U * sizeof (uint64_t)); + uint32_t i = nBits / (uint32_t)64U; + uint32_t j = nBits % (uint32_t)64U; + res[i] = res[i] | (uint64_t)1U << j; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)8192U - nBits; i0++) + { + Hacl_Bignum4096_add_mod(n, res, res, res); + } +} + +static inline void reduction(uint64_t *n, uint64_t nInv, uint64_t *c, uint64_t *res) +{ + uint64_t c0 = (uint64_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)64U; i0++) + { + uint64_t qj = nInv * c[i0]; + uint64_t *res_j0 = c + i0; + uint64_t c1 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t a_i = n[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i0); + uint64_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c1, res_i1); + uint64_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c1, res_i2); + uint64_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c1, res_i); + } + for (uint32_t i = (uint32_t)64U; i < (uint32_t)64U; 
i++) + { + uint64_t a_i = n[i]; + uint64_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i); + } + uint64_t r = c1; + uint64_t c10 = r; + uint64_t *resb = c + (uint32_t)64U + i0; + uint64_t res_j = c[(uint32_t)64U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c10, res_j, resb); + } + memcpy(res, c + (uint32_t)64U, (uint32_t)64U * sizeof (uint64_t)); + uint64_t c00 = c0; + uint64_t tmp[64U] = { 0U }; + uint64_t c1 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t t1 = res[(uint32_t)4U * i]; + uint64_t t20 = n[(uint32_t)4U * i]; + uint64_t *res_i0 = tmp + (uint32_t)4U * i; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t20, res_i0); + uint64_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t10, t21, res_i1); + uint64_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t11, t22, res_i2); + uint64_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t t1 = res[i]; + uint64_t t2 = n[i]; + uint64_t *res_i = tmp + i; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t2, res_i); + } + uint64_t c10 = c1; + uint64_t c2 = c00 - c10; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t *os = res; + uint64_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } +} + +static inline void areduction(uint64_t *n, uint64_t nInv, uint64_t *c, uint64_t *res) +{ + uint64_t c0 = (uint64_t)0U; + for (uint32_t i0 = 
(uint32_t)0U; i0 < (uint32_t)64U; i0++) + { + uint64_t qj = nInv * c[i0]; + uint64_t *res_j0 = c + i0; + uint64_t c1 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t a_i = n[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i0); + uint64_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c1, res_i1); + uint64_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c1, res_i2); + uint64_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c1, res_i); + } + for (uint32_t i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t a_i = n[i]; + uint64_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c1, res_i); + } + uint64_t r = c1; + uint64_t c10 = r; + uint64_t *resb = c + (uint32_t)64U + i0; + uint64_t res_j = c[(uint32_t)64U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c10, res_j, resb); + } + memcpy(res, c + (uint32_t)64U, (uint32_t)64U * sizeof (uint64_t)); + uint64_t c00 = c0; + uint64_t tmp[64U] = { 0U }; + uint64_t c1 = Hacl_Bignum4096_sub(res, n, tmp); + uint64_t m = (uint64_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t *os = res; + uint64_t x = (m & tmp[i]) | (~m & res[i]); + os[i] = x; + } +} + +static inline void +amont_mul(uint64_t *n, uint64_t nInv_u64, uint64_t *aM, uint64_t *bM, uint64_t *resM) +{ + uint64_t c[128U] = { 0U }; + uint64_t tmp[256U] = { 0U }; + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64((uint32_t)64U, aM, bM, tmp, c); + areduction(n, nInv_u64, c, resM); +} + +static inline void amont_sqr(uint64_t *n, uint64_t nInv_u64, uint64_t *aM, 
uint64_t *resM) +{ + uint64_t c[128U] = { 0U }; + uint64_t tmp[256U] = { 0U }; + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64((uint32_t)64U, aM, tmp, c); + areduction(n, nInv_u64, c, resM); +} + +static inline void +bn_slow_precomp(uint64_t *n, uint64_t mu, uint64_t *r2, uint64_t *a, uint64_t *res) +{ + uint64_t a_mod[64U] = { 0U }; + uint64_t a1[128U] = { 0U }; + memcpy(a1, a, (uint32_t)128U * sizeof (uint64_t)); + uint64_t c0 = (uint64_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)64U; i0++) + { + uint64_t qj = mu * a1[i0]; + uint64_t *res_j0 = a1 + i0; + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t a_i = n[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j0 + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i0); + uint64_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c, res_i1); + uint64_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c, res_i2); + uint64_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c, res_i); + } + for (uint32_t i = (uint32_t)64U; i < (uint32_t)64U; i++) + { + uint64_t a_i = n[i]; + uint64_t *res_i = res_j0 + i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i); + } + uint64_t r = c; + uint64_t c1 = r; + uint64_t *resb = a1 + (uint32_t)64U + i0; + uint64_t res_j = a1[(uint32_t)64U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c1, res_j, resb); + } + memcpy(a_mod, a1 + (uint32_t)64U, (uint32_t)64U * sizeof (uint64_t)); + uint64_t c00 = c0; + uint64_t tmp[64U] = { 0U }; + uint64_t c1 = Hacl_Bignum4096_sub(a_mod, n, tmp); + uint64_t m = (uint64_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) 
+ { + uint64_t *os = a_mod; + uint64_t x = (m & tmp[i]) | (~m & a_mod[i]); + os[i] = x; + } + uint64_t c[128U] = { 0U }; + Hacl_Bignum4096_mul(a_mod, r2, c); + reduction(n, mu, c, res); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 8192-bit bignum, i.e. uint64_t[128]. + The argument n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum4096_mod(uint64_t *n, uint64_t *a, uint64_t *res) +{ + uint64_t one[64U] = { 0U }; + memset(one, 0U, (uint32_t)64U * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + uint64_t bit0 = n[0U] & (uint64_t)1U; + uint64_t m0 = (uint64_t)0U - bit0; + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m1 = acc; + uint64_t is_valid_m = m0 & m1; + uint32_t + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)64U, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + uint64_t r2[64U] = { 0U }; + precompr2(nBits, n, r2); + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + bn_slow_precomp(n, mu, r2, a, res); + } + else + { + memset(res, 0U, (uint32_t)64U * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +static uint64_t exp_check(uint64_t *n, uint64_t *a, uint32_t bBits, uint64_t *b) +{ + uint64_t one[64U] = { 0U }; + memset(one, 0U, (uint32_t)64U * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + uint64_t bit0 = n[0U] & (uint64_t)1U; + uint64_t m0 = (uint64_t)0U - bit0; + uint64_t acc0 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + 
uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m10 = acc0; + uint64_t m00 = m0 & m10; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + uint64_t m1; + if (bBits < (uint32_t)64U * bLen) + { + KRML_CHECK_SIZE(sizeof (uint64_t), bLen); + uint64_t *b2 = alloca(bLen * sizeof (uint64_t)); + memset(b2, 0U, bLen * sizeof (uint64_t)); + uint32_t i0 = bBits / (uint32_t)64U; + uint32_t j = bBits % (uint32_t)64U; + b2[i0] = b2[i0] | (uint64_t)1U << j; + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < bLen; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(b[i], b2[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(b[i], b2[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t res = acc; + m1 = res; + } + else + { + m1 = (uint64_t)0xFFFFFFFFFFFFFFFFU; + } + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m2 = acc; + uint64_t m = m1 & m2; + return m00 & m; +} + +static inline void +exp_vartime_precomp( + uint64_t *n, + uint64_t mu, + uint64_t *r2, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + if (bBits < (uint32_t)200U) + { + uint64_t aM[64U] = { 0U }; + uint64_t c[128U] = { 0U }; + Hacl_Bignum4096_mul(a, r2, c); + reduction(n, mu, c, aM); + uint64_t resM[64U] = { 0U }; + uint64_t tmp0[128U] = { 0U }; + memcpy(tmp0, r2, (uint32_t)64U * sizeof (uint64_t)); + reduction(n, mu, tmp0, resM); + for (uint32_t i = (uint32_t)0U; i < bBits; i++) + { + uint32_t i1 = i / (uint32_t)64U; + uint32_t j = i % (uint32_t)64U; 
+ uint64_t tmp = b[i1]; + uint64_t bit = tmp >> j & (uint64_t)1U; + if (!(bit == (uint64_t)0U)) + { + amont_mul(n, mu, resM, aM, resM); + } + amont_sqr(n, mu, aM, aM); + } + uint64_t tmp[128U] = { 0U }; + memcpy(tmp, resM, (uint32_t)64U * sizeof (uint64_t)); + reduction(n, mu, tmp, res); + return; + } + uint64_t aM[64U] = { 0U }; + uint64_t c[128U] = { 0U }; + Hacl_Bignum4096_mul(a, r2, c); + reduction(n, mu, c, aM); + uint64_t resM[64U] = { 0U }; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + uint64_t tmp[128U] = { 0U }; + memcpy(tmp, r2, (uint32_t)64U * sizeof (uint64_t)); + reduction(n, mu, tmp, resM); + uint64_t table[1024U] = { 0U }; + memcpy(table, resM, (uint32_t)64U * sizeof (uint64_t)); + uint64_t *t1 = table + (uint32_t)64U; + memcpy(t1, aM, (uint32_t)64U * sizeof (uint64_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)64U; + uint64_t *t2 = table + (i + (uint32_t)2U) * (uint32_t)64U; + amont_mul(n, mu, t11, aM, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)64U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)64U; + uint64_t p1 = b[i] >> j; + uint64_t ite; + if (i + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_c = ite & mask_l; + uint32_t bits_l32 = (uint32_t)bits_c; + uint64_t *a_bits_l = table + bits_l32 * (uint32_t)64U; + memcpy(resM, a_bits_l, (uint32_t)64U * sizeof (uint64_t)); + } + for (uint32_t i = (uint32_t)0U; i < bBits / (uint32_t)4U; i++) + { + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + amont_sqr(n, mu, resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint64_t mask_l = (uint64_t)16U - 
(uint64_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = b[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_l = ite & mask_l; + uint64_t a_bits_l[64U] = { 0U }; + uint32_t bits_l32 = (uint32_t)bits_l; + uint64_t *a_bits_l1 = table + bits_l32 * (uint32_t)64U; + memcpy(a_bits_l, a_bits_l1, (uint32_t)64U * sizeof (uint64_t)); + amont_mul(n, mu, resM, a_bits_l, resM); + } + uint64_t tmp0[128U] = { 0U }; + memcpy(tmp0, resM, (uint32_t)64U * sizeof (uint64_t)); + reduction(n, mu, tmp0, res); +} + +static inline void +exp_consttime_precomp( + uint64_t *n, + uint64_t mu, + uint64_t *r2, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + if (bBits < (uint32_t)200U) + { + uint64_t aM[64U] = { 0U }; + uint64_t c[128U] = { 0U }; + Hacl_Bignum4096_mul(a, r2, c); + reduction(n, mu, c, aM); + uint64_t resM[64U] = { 0U }; + uint64_t tmp0[128U] = { 0U }; + memcpy(tmp0, r2, (uint32_t)64U * sizeof (uint64_t)); + reduction(n, mu, tmp0, resM); + uint64_t sw = (uint64_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < bBits; i0++) + { + uint32_t i1 = (bBits - i0 - (uint32_t)1U) / (uint32_t)64U; + uint32_t j = (bBits - i0 - (uint32_t)1U) % (uint32_t)64U; + uint64_t tmp = b[i1]; + uint64_t bit = tmp >> j & (uint64_t)1U; + uint64_t sw1 = bit ^ sw; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t dummy = ((uint64_t)0U - sw1) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + amont_mul(n, mu, aM, resM, aM); + amont_sqr(n, mu, resM, resM); + sw = bit; + } + uint64_t sw0 = sw; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t dummy = ((uint64_t)0U - sw0) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + uint64_t tmp[128U] 
= { 0U }; + memcpy(tmp, resM, (uint32_t)64U * sizeof (uint64_t)); + reduction(n, mu, tmp, res); + return; + } + uint64_t aM[64U] = { 0U }; + uint64_t c0[128U] = { 0U }; + Hacl_Bignum4096_mul(a, r2, c0); + reduction(n, mu, c0, aM); + uint64_t resM[64U] = { 0U }; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + uint64_t tmp[128U] = { 0U }; + memcpy(tmp, r2, (uint32_t)64U * sizeof (uint64_t)); + reduction(n, mu, tmp, resM); + uint64_t table[1024U] = { 0U }; + memcpy(table, resM, (uint32_t)64U * sizeof (uint64_t)); + uint64_t *t1 = table + (uint32_t)64U; + memcpy(t1, aM, (uint32_t)64U * sizeof (uint64_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)64U; + uint64_t *t2 = table + (i + (uint32_t)2U) * (uint32_t)64U; + amont_mul(n, mu, t11, aM, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i0 = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)64U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)64U; + uint64_t p1 = b[i0] >> j; + uint64_t ite; + if (i0 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i0 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_c = ite & mask_l; + memcpy(resM, table, (uint32_t)64U * sizeof (uint64_t)); + for (uint32_t i1 = (uint32_t)0U; i1 < (uint32_t)15U; i1++) + { + uint64_t c = FStar_UInt64_eq_mask(bits_c, (uint64_t)(i1 + (uint32_t)1U)); + uint64_t *res_j = table + (i1 + (uint32_t)1U) * (uint32_t)64U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t *os = resM; + uint64_t x = (c & res_j[i]) | (~c & resM[i]); + os[i] = x; + } + } + } + for (uint32_t i0 = (uint32_t)0U; i0 < bBits / (uint32_t)4U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + amont_sqr(n, mu, resM, resM); + } + 
uint32_t bk = bBits - bBits % (uint32_t)4U; + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i0 - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk - (uint32_t)4U * i0 - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = b[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_l = ite & mask_l; + uint64_t a_bits_l[64U] = { 0U }; + memcpy(a_bits_l, table, (uint32_t)64U * sizeof (uint64_t)); + for (uint32_t i2 = (uint32_t)0U; i2 < (uint32_t)15U; i2++) + { + uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i2 + (uint32_t)1U)); + uint64_t *res_j = table + (i2 + (uint32_t)1U) * (uint32_t)64U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t *os = a_bits_l; + uint64_t x = (c & res_j[i]) | (~c & a_bits_l[i]); + os[i] = x; + } + } + amont_mul(n, mu, resM, a_bits_l, resM); + } + uint64_t tmp0[128U] = { 0U }; + memcpy(tmp0, resM, (uint32_t)64U * sizeof (uint64_t)); + reduction(n, mu, tmp0, res); +} + +static inline void +exp_vartime( + uint32_t nBits, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t r2[64U] = { 0U }; + precompr2(nBits, n, r2); + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + exp_vartime_precomp(n, mu, r2, a, bBits, b, res); +} + +static inline void +exp_consttime( + uint32_t nBits, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t r2[64U] = { 0U }; + precompr2(nBits, n, r2); + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + exp_consttime_precomp(n, mu, r2, a, bBits, b, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. 
A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum4096_mod_exp_vartime( + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t is_valid_m = exp_check(n, a, bBits, b); + uint32_t + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)64U, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + exp_vartime(nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, (uint32_t)64U * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. + + The function returns false if any of the following preconditions are violated, + true otherwise. 
+ • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum4096_mod_exp_consttime( + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t is_valid_m = exp_check(n, a, bBits, b); + uint32_t + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)64U, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + exp_consttime(nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, (uint32_t)64U * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum4096_mod_inv_prime_vartime(uint64_t *n, uint64_t *a, uint64_t *res) +{ + uint64_t one[64U] = { 0U }; + memset(one, 0U, (uint32_t)64U * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + uint64_t bit0 = n[0U] & (uint64_t)1U; + uint64_t m0 = (uint64_t)0U - bit0; + uint64_t acc0 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m1 = acc0; + uint64_t m00 = m0 & m1; + uint64_t bn_zero[64U] = { 0U }; + uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t uu____0 = FStar_UInt64_eq_mask(a[i], bn_zero[i]); + mask = uu____0 & mask; + } + uint64_t mask1 = mask; + uint64_t res10 = mask1; + uint64_t m10 = res10; + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < 
(uint32_t)64U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m2 = acc; + uint64_t is_valid_m = (m00 & ~m10) & m2; + uint32_t + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)64U, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + uint64_t n2[64U] = { 0U }; + uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, n[0U], (uint64_t)2U, n2); + uint64_t c1; + if ((uint32_t)1U < (uint32_t)64U) + { + uint32_t rLen = (uint32_t)63U; + uint64_t *a1 = n + (uint32_t)1U; + uint64_t *res1 = n2 + (uint32_t)1U; + uint64_t c = c0; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint64_t t1 = a1[(uint32_t)4U * i]; + uint64_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i0); + uint64_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, (uint64_t)0U, res_i1); + uint64_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, (uint64_t)0U, res_i2); + uint64_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, (uint64_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint64_t t1 = a1[i]; + uint64_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i); + } + uint64_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + exp_vartime(nBits, n, a, (uint32_t)4096U, n2, res); + } + else + { + memset(res, 0U, (uint32_t)64U * sizeof (uint64_t)); + } + return is_valid_m == 
(uint64_t)0xFFFFFFFFFFFFFFFFU; +} + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be a 4096-bit bignum, i.e. uint64_t[64]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum4096_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_Bignum4096_mont_ctx_init(uint64_t *n) +{ + uint64_t *r2 = KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint64_t)); + uint64_t *n1 = KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint64_t)); + uint64_t *r21 = r2; + uint64_t *n11 = n1; + memcpy(n11, n, (uint32_t)64U * sizeof (uint64_t)); + uint32_t + nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64((uint32_t)64U, n); + precompr2(nBits, n, r21); + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 + res = { .len = (uint32_t)64U, .n = n11, .mu = mu, .r2 = r21 }; + KRML_CHECK_SIZE(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64), (uint32_t)1U); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 + *buf = KRML_HOST_MALLOC(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64)); + buf[0U] = res; + return buf; +} + +/* +Deallocate the memory previously allocated by Hacl_Bignum4096_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. +*/ +void Hacl_Bignum4096_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + uint64_t *n = k1.n; + uint64_t *r2 = k1.r2; + KRML_HOST_FREE(n); + KRML_HOST_FREE(r2); + KRML_HOST_FREE(k); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 8192-bit bignum, i.e. uint64_t[128]. 
+ The outparam res is meant to be a 4096-bit bignum, i.e. uint64_t[64]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. +*/ +void +Hacl_Bignum4096_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + bn_slow_precomp(k1.n, k1.mu, k1.r2, a, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum4096_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. 
+ + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum4096_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + exp_consttime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be 4096-bit bignums, i.e. uint64_t[64]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum4096_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + uint64_t n2[64U] = { 0U }; + uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, k1.n[0U], (uint64_t)2U, n2); + uint64_t c1; + if ((uint32_t)1U < (uint32_t)64U) + { + uint32_t rLen = (uint32_t)63U; + uint64_t *a1 = k1.n + (uint32_t)1U; + uint64_t *res1 = n2 + (uint32_t)1U; + uint64_t c = c0; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint64_t t1 = a1[(uint32_t)4U * i]; + uint64_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i0); + uint64_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, (uint64_t)0U, res_i1); + uint64_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = 
Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, (uint64_t)0U, res_i2); + uint64_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, (uint64_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint64_t t1 = a1[i]; + uint64_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i); + } + uint64_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, (uint32_t)4096U, n2, res); +} + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. 
+*/ +uint64_t *Hacl_Bignum4096_new_bn_from_bytes_be(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U <= (uint32_t)536870911U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint64_t), (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U); + uint64_t + *res = KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U, sizeof (uint64_t)); + if (res == NULL) + { + return res; + } + uint64_t *res1 = res; + uint64_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t *tmp = alloca(tmpLen * sizeof (uint8_t)); + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + uint64_t *os = res2; + uint64_t u = load64_be(tmp + (bnLen - i - (uint32_t)1U) * (uint32_t)8U); + uint64_t x = u; + os[i] = x; + } + return res2; +} + +/* +Load a little-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. 
+*/ +uint64_t *Hacl_Bignum4096_new_bn_from_bytes_le(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U <= (uint32_t)536870911U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint64_t), (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U); + uint64_t + *res = KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U, sizeof (uint64_t)); + if (res == NULL) + { + return res; + } + uint64_t *res1 = res; + uint64_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t *tmp = alloca(tmpLen * sizeof (uint8_t)); + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp, b, len * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; i++) + { + uint64_t *os = res2; + uint8_t *bj = tmp + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r1 = u; + uint64_t x = r1; + os[i] = x; + } + return res2; +} + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a 4096-bit bignum. + The outparam res points to 512 bytes of valid memory. +*/ +void Hacl_Bignum4096_bn_to_bytes_be(uint64_t *b, uint8_t *res) +{ + uint32_t bnLen = ((uint32_t)512U - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t *tmp = alloca(tmpLen * sizeof (uint8_t)); + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + uint32_t numb = (uint32_t)8U; + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + store64_be(tmp + i * numb, b[bnLen - i - (uint32_t)1U]); + } + memcpy(res, tmp + tmpLen - (uint32_t)512U, (uint32_t)512U * sizeof (uint8_t)); +} + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a 4096-bit bignum. + The outparam res points to 512 bytes of valid memory. 
+*/ +void Hacl_Bignum4096_bn_to_bytes_le(uint64_t *b, uint8_t *res) +{ + uint32_t bnLen = ((uint32_t)512U - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t *tmp = alloca(tmpLen * sizeof (uint8_t)); + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + store64_le(tmp + i * (uint32_t)8U, b[i]); + } + memcpy(res, tmp, (uint32_t)512U * sizeof (uint8_t)); +} + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^64 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint64_t[64]. +*/ +uint64_t Hacl_Bignum4096_lt_mask(uint64_t *a, uint64_t *b) +{ + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(a[i], b[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(a[i], b[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + return acc; +} + +/* +Returns 2^64 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint64_t[64]. +*/ +uint64_t Hacl_Bignum4096_eq_mask(uint64_t *a, uint64_t *b) +{ + uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint64_t uu____0 = FStar_UInt64_eq_mask(a[i], b[i]); + mask = uu____0 & mask; + } + uint64_t mask1 = mask; + return mask1; +} + diff --git a/src/msvc/Hacl_Bignum4096_32.c b/src/msvc/Hacl_Bignum4096_32.c new file mode 100644 index 00000000..aa4f28d5 --- /dev/null +++ b/src/msvc/Hacl_Bignum4096_32.c 
@@ -0,0 +1,1480 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Bignum4096_32.h" + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Bignum.h" + +/******************************************************************************* + +A verified 4096-bit bignum library. + +This is a 32-bit optimized version, where bignums are represented as an array +of 128 unsigned 32-bit integers, i.e. uint32_t[128]. Furthermore, the +limbs are stored in little-endian format, i.e. the least significant limb is at +index 0. Each limb is stored in native format in memory. Example: + + uint32_t sixteen[128] = { 0x10 } + + (relying on the fact that when an initializer-list is provided, the remainder + of the object gets initialized as if it had static storage duration, i.e. 
with + zeroes) + +We strongly encourage users to go through the conversion functions, e.g. +bn_from_bytes_be, to i) not depend on internal representation choices and ii) +have the ability to switch easily to a 64-bit optimized version in the future. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2^4096` in `res`. + + This functions returns the carry. + + The arguments a, b and res are meant to be 4096-bit bignums, i.e. uint32_t[128] +*/ +uint32_t Hacl_Bignum4096_32_add(uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t20, res_i0); + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t10, t21, res_i1); + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t11, t22, res_i2); + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t2, res_i); + } + return c; +} + +/* +Write `a - b mod 2^4096` in `res`. + + This functions returns the carry. 
+ + The arguments a, b and res are meant to be 4096-bit bignums, i.e. uint32_t[128] +*/ +uint32_t Hacl_Bignum4096_32_sub(uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t20, res_i0); + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, t21, res_i1); + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, t22, res_i2); + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t2, res_i); + } + return c; +} + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • a < n + • b < n +*/ +void Hacl_Bignum4096_32_add_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c0 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t1, t20, res_i0); + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t10, t21, res_i1); + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t11, t22, res_i2); + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, t1, t2, res_i); + } + uint32_t c00 = c0; + uint32_t tmp[128U] = { 0U }; + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t t1 = res[(uint32_t)4U * i]; + uint32_t t20 = n[(uint32_t)4U * i]; + uint32_t *res_i0 = tmp + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t20, res_i0); + uint32_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, t21, res_i1); + uint32_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = 
tmp + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, t22, res_i2); + uint32_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t t1 = res[i]; + uint32_t t2 = n[i]; + uint32_t *res_i = tmp + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, t2, res_i); + } + uint32_t c1 = c; + uint32_t c2 = c00 - c1; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t *os = res; + uint32_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } +} + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum4096_32_sub_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t c0 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t t1 = a[(uint32_t)4U * i]; + uint32_t t20 = b[(uint32_t)4U * i]; + uint32_t *res_i0 = res + (uint32_t)4U * i; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t1, t20, res_i0); + uint32_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t10, t21, res_i1); + uint32_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t11, t22, res_i2); + uint32_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res + 
(uint32_t)4U * i + (uint32_t)3U; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t t1 = a[i]; + uint32_t t2 = b[i]; + uint32_t *res_i = res + i; + c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c0, t1, t2, res_i); + } + uint32_t c00 = c0; + uint32_t tmp[128U] = { 0U }; + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t t1 = res[(uint32_t)4U * i]; + uint32_t t20 = n[(uint32_t)4U * i]; + uint32_t *res_i0 = tmp + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t20, res_i0); + uint32_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t10, t21, res_i1); + uint32_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t11, t22, res_i2); + uint32_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t t1 = res[i]; + uint32_t t2 = n[i]; + uint32_t *res_i = tmp + i; + c = Lib_IntTypes_Intrinsics_add_carry_u32(c, t1, t2, res_i); + } + uint32_t c1 = c; + uint32_t c2 = (uint32_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t *os = res; + uint32_t x = (c2 & tmp[i]) | (~c2 & res[i]); + os[i] = x; + } +} + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint32_t[128]. + The outparam res is meant to be a 8192-bit bignum, i.e. uint32_t[256]. 
+*/ +void Hacl_Bignum4096_32_mul(uint32_t *a, uint32_t *b, uint32_t *res) +{ + uint32_t tmp[512U] = { 0U }; + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32((uint32_t)128U, a, b, tmp, res); +} + +/* +Write `a * a` in `res`. + + The argument a is meant to be a 4096-bit bignum, i.e. uint32_t[128]. + The outparam res is meant to be a 8192-bit bignum, i.e. uint32_t[256]. +*/ +void Hacl_Bignum4096_32_sqr(uint32_t *a, uint32_t *res) +{ + uint32_t tmp[512U] = { 0U }; + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32((uint32_t)128U, a, tmp, res); +} + +static inline void precompr2(uint32_t nBits, uint32_t *n, uint32_t *res) +{ + memset(res, 0U, (uint32_t)128U * sizeof (uint32_t)); + uint32_t i = nBits / (uint32_t)32U; + uint32_t j = nBits % (uint32_t)32U; + res[i] = res[i] | (uint32_t)1U << j; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)8192U - nBits; i0++) + { + Hacl_Bignum4096_32_add_mod(n, res, res, res); + } +} + +static inline void reduction(uint32_t *n, uint32_t nInv, uint32_t *c, uint32_t *res) +{ + uint32_t c0 = (uint32_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)128U; i0++) + { + uint32_t qj = nInv * c[i0]; + uint32_t *res_j0 = c + i0; + uint32_t c1 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t a_i = n[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i0); + uint32_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, qj, c1, res_i1); + uint32_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, qj, c1, res_i2); + uint32_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c1, res_i); + } + for (uint32_t i = (uint32_t)128U; i < 
(uint32_t)128U; i++) + { + uint32_t a_i = n[i]; + uint32_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i); + } + uint32_t r = c1; + uint32_t c10 = r; + uint32_t *resb = c + (uint32_t)128U + i0; + uint32_t res_j = c[(uint32_t)128U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, c10, res_j, resb); + } + memcpy(res, c + (uint32_t)128U, (uint32_t)128U * sizeof (uint32_t)); + uint32_t c00 = c0; + uint32_t tmp[128U] = { 0U }; + uint32_t c1 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t t1 = res[(uint32_t)4U * i]; + uint32_t t20 = n[(uint32_t)4U * i]; + uint32_t *res_i0 = tmp + (uint32_t)4U * i; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t1, t20, res_i0); + uint32_t t10 = res[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t t21 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = tmp + (uint32_t)4U * i + (uint32_t)1U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t10, t21, res_i1); + uint32_t t11 = res[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t t22 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = tmp + (uint32_t)4U * i + (uint32_t)2U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t11, t22, res_i2); + uint32_t t12 = res[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t t2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = tmp + (uint32_t)4U * i + (uint32_t)3U; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t12, t2, res_i); + } + for (uint32_t i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t t1 = res[i]; + uint32_t t2 = n[i]; + uint32_t *res_i = tmp + i; + c1 = Lib_IntTypes_Intrinsics_sub_borrow_u32(c1, t1, t2, res_i); + } + uint32_t c10 = c1; + uint32_t c2 = c00 - c10; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t *os = res; + uint32_t x = (c2 & res[i]) | (~c2 & tmp[i]); + os[i] = x; + } +} + +static inline void areduction(uint32_t *n, uint32_t nInv, uint32_t *c, uint32_t *res) +{ + uint32_t c0 = (uint32_t)0U; + for 
(uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)128U; i0++) + { + uint32_t qj = nInv * c[i0]; + uint32_t *res_j0 = c + i0; + uint32_t c1 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t a_i = n[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j0 + (uint32_t)4U * i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i0); + uint32_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, qj, c1, res_i1); + uint32_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, qj, c1, res_i2); + uint32_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c1, res_i); + } + for (uint32_t i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t a_i = n[i]; + uint32_t *res_i = res_j0 + i; + c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c1, res_i); + } + uint32_t r = c1; + uint32_t c10 = r; + uint32_t *resb = c + (uint32_t)128U + i0; + uint32_t res_j = c[(uint32_t)128U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, c10, res_j, resb); + } + memcpy(res, c + (uint32_t)128U, (uint32_t)128U * sizeof (uint32_t)); + uint32_t c00 = c0; + uint32_t tmp[128U] = { 0U }; + uint32_t c1 = Hacl_Bignum4096_32_sub(res, n, tmp); + uint32_t m = (uint32_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t *os = res; + uint32_t x = (m & tmp[i]) | (~m & res[i]); + os[i] = x; + } +} + +static inline void +amont_mul(uint32_t *n, uint32_t nInv_u64, uint32_t *aM, uint32_t *bM, uint32_t *resM) +{ + uint32_t c[256U] = { 0U }; + uint32_t tmp[512U] = { 0U }; + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32((uint32_t)128U, aM, bM, tmp, c); + areduction(n, nInv_u64, c, resM); +} + +static inline void amont_sqr(uint32_t *n, 
uint32_t nInv_u64, uint32_t *aM, uint32_t *resM) +{ + uint32_t c[256U] = { 0U }; + uint32_t tmp[512U] = { 0U }; + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32((uint32_t)128U, aM, tmp, c); + areduction(n, nInv_u64, c, resM); +} + +static inline void +bn_slow_precomp(uint32_t *n, uint32_t mu, uint32_t *r2, uint32_t *a, uint32_t *res) +{ + uint32_t a_mod[128U] = { 0U }; + uint32_t a1[256U] = { 0U }; + memcpy(a1, a, (uint32_t)256U * sizeof (uint32_t)); + uint32_t c0 = (uint32_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)128U; i0++) + { + uint32_t qj = mu * a1[i0]; + uint32_t *res_j0 = a1 + i0; + uint32_t c = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint32_t a_i = n[(uint32_t)4U * i]; + uint32_t *res_i0 = res_j0 + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c, res_i0); + uint32_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i0, qj, c, res_i1); + uint32_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i1, qj, c, res_i2); + uint32_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c, res_i); + } + for (uint32_t i = (uint32_t)128U; i < (uint32_t)128U; i++) + { + uint32_t a_i = n[i]; + uint32_t *res_i = res_j0 + i; + c = Hacl_Bignum_Base_mul_wide_add2_u32(a_i, qj, c, res_i); + } + uint32_t r = c; + uint32_t c1 = r; + uint32_t *resb = a1 + (uint32_t)128U + i0; + uint32_t res_j = a1[(uint32_t)128U + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, c1, res_j, resb); + } + memcpy(a_mod, a1 + (uint32_t)128U, (uint32_t)128U * sizeof (uint32_t)); + uint32_t c00 = c0; + uint32_t tmp[128U] = { 0U }; + uint32_t c1 = Hacl_Bignum4096_32_sub(a_mod, n, tmp); + uint32_t m = (uint32_t)0U - c00; + for 
(uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t *os = a_mod; + uint32_t x = (m & tmp[i]) | (~m & a_mod[i]); + os[i] = x; + } + uint32_t c[256U] = { 0U }; + Hacl_Bignum4096_32_mul(a_mod, r2, c); + reduction(n, mu, c, res); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 8192-bit bignum, i.e. uint32_t[256]. + The argument n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum4096_32_mod(uint32_t *n, uint32_t *a, uint32_t *res) +{ + uint32_t one[128U] = { 0U }; + memset(one, 0U, (uint32_t)128U * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + uint32_t bit0 = n[0U] & (uint32_t)1U; + uint32_t m0 = (uint32_t)0U - bit0; + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m1 = acc; + uint32_t is_valid_m = m0 & m1; + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)128U, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + uint32_t r2[128U] = { 0U }; + precompr2(nBits, n, r2); + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + bn_slow_precomp(n, mu, r2, a, res); + } + else + { + memset(res, 0U, (uint32_t)128U * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + +static uint32_t exp_check(uint32_t *n, uint32_t *a, uint32_t bBits, uint32_t *b) +{ + uint32_t one[128U] = { 0U }; + memset(one, 0U, (uint32_t)128U * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + uint32_t bit0 = n[0U] & (uint32_t)1U; + uint32_t m0 = (uint32_t)0U - bit0; + uint32_t acc0 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t beq = 
FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m10 = acc0; + uint32_t m00 = m0 & m10; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + uint32_t m1; + if (bBits < (uint32_t)32U * bLen) + { + KRML_CHECK_SIZE(sizeof (uint32_t), bLen); + uint32_t *b2 = alloca(bLen * sizeof (uint32_t)); + memset(b2, 0U, bLen * sizeof (uint32_t)); + uint32_t i0 = bBits / (uint32_t)32U; + uint32_t j = bBits % (uint32_t)32U; + b2[i0] = b2[i0] | (uint32_t)1U << j; + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < bLen; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(b[i], b2[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(b[i], b2[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t res = acc; + m1 = res; + } + else + { + m1 = (uint32_t)0xFFFFFFFFU; + } + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m2 = acc; + uint32_t m = m1 & m2; + return m00 & m; +} + +static inline void +exp_vartime_precomp( + uint32_t *n, + uint32_t mu, + uint32_t *r2, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + if (bBits < (uint32_t)200U) + { + uint32_t aM[128U] = { 0U }; + uint32_t c[256U] = { 0U }; + Hacl_Bignum4096_32_mul(a, r2, c); + reduction(n, mu, c, aM); + uint32_t resM[128U] = { 0U }; + uint32_t tmp0[256U] = { 0U }; + memcpy(tmp0, r2, (uint32_t)128U * sizeof (uint32_t)); + reduction(n, mu, tmp0, resM); + for (uint32_t i = (uint32_t)0U; i < bBits; i++) + { + uint32_t i1 = i / (uint32_t)32U; + uint32_t j = i % 
(uint32_t)32U; + uint32_t tmp = b[i1]; + uint32_t bit = tmp >> j & (uint32_t)1U; + if (!(bit == (uint32_t)0U)) + { + amont_mul(n, mu, resM, aM, resM); + } + amont_sqr(n, mu, aM, aM); + } + uint32_t tmp[256U] = { 0U }; + memcpy(tmp, resM, (uint32_t)128U * sizeof (uint32_t)); + reduction(n, mu, tmp, res); + return; + } + uint32_t aM[128U] = { 0U }; + uint32_t c[256U] = { 0U }; + Hacl_Bignum4096_32_mul(a, r2, c); + reduction(n, mu, c, aM); + uint32_t resM[128U] = { 0U }; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + uint32_t tmp[256U] = { 0U }; + memcpy(tmp, r2, (uint32_t)128U * sizeof (uint32_t)); + reduction(n, mu, tmp, resM); + uint32_t table[2048U] = { 0U }; + memcpy(table, resM, (uint32_t)128U * sizeof (uint32_t)); + uint32_t *t1 = table + (uint32_t)128U; + memcpy(t1, aM, (uint32_t)128U * sizeof (uint32_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint32_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)128U; + uint32_t *t2 = table + (i + (uint32_t)2U) * (uint32_t)128U; + amont_mul(n, mu, t11, aM, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)32U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)32U; + uint32_t p1 = b[i] >> j; + uint32_t ite; + if (i + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_c = ite & mask_l; + uint32_t bits_l32 = bits_c; + uint32_t *a_bits_l = table + bits_l32 * (uint32_t)128U; + memcpy(resM, a_bits_l, (uint32_t)128U * sizeof (uint32_t)); + } + for (uint32_t i = (uint32_t)0U; i < bBits / (uint32_t)4U; i++) + { + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + amont_sqr(n, mu, resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint32_t mask_l 
= (uint32_t)16U - (uint32_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)32U; + uint32_t j = (bk - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)32U; + uint32_t p1 = b[i1] >> j; + uint32_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_l = ite & mask_l; + uint32_t a_bits_l[128U] = { 0U }; + uint32_t bits_l32 = bits_l; + uint32_t *a_bits_l1 = table + bits_l32 * (uint32_t)128U; + memcpy(a_bits_l, a_bits_l1, (uint32_t)128U * sizeof (uint32_t)); + amont_mul(n, mu, resM, a_bits_l, resM); + } + uint32_t tmp0[256U] = { 0U }; + memcpy(tmp0, resM, (uint32_t)128U * sizeof (uint32_t)); + reduction(n, mu, tmp0, res); +} + +static inline void +exp_consttime_precomp( + uint32_t *n, + uint32_t mu, + uint32_t *r2, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + if (bBits < (uint32_t)200U) + { + uint32_t aM[128U] = { 0U }; + uint32_t c[256U] = { 0U }; + Hacl_Bignum4096_32_mul(a, r2, c); + reduction(n, mu, c, aM); + uint32_t resM[128U] = { 0U }; + uint32_t tmp0[256U] = { 0U }; + memcpy(tmp0, r2, (uint32_t)128U * sizeof (uint32_t)); + reduction(n, mu, tmp0, resM); + uint32_t sw = (uint32_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < bBits; i0++) + { + uint32_t i1 = (bBits - i0 - (uint32_t)1U) / (uint32_t)32U; + uint32_t j = (bBits - i0 - (uint32_t)1U) % (uint32_t)32U; + uint32_t tmp = b[i1]; + uint32_t bit = tmp >> j & (uint32_t)1U; + uint32_t sw1 = bit ^ sw; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t dummy = ((uint32_t)0U - sw1) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + amont_mul(n, mu, aM, resM, aM); + amont_sqr(n, mu, resM, resM); + sw = bit; + } + uint32_t sw0 = sw; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t dummy = ((uint32_t)0U - sw0) & (resM[i] ^ aM[i]); + resM[i] = resM[i] ^ dummy; + aM[i] = aM[i] ^ dummy; + } + 
uint32_t tmp[256U] = { 0U }; + memcpy(tmp, resM, (uint32_t)128U * sizeof (uint32_t)); + reduction(n, mu, tmp, res); + return; + } + uint32_t aM[128U] = { 0U }; + uint32_t c0[256U] = { 0U }; + Hacl_Bignum4096_32_mul(a, r2, c0); + reduction(n, mu, c0, aM); + uint32_t resM[128U] = { 0U }; + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + uint32_t tmp[256U] = { 0U }; + memcpy(tmp, r2, (uint32_t)128U * sizeof (uint32_t)); + reduction(n, mu, tmp, resM); + uint32_t table[2048U] = { 0U }; + memcpy(table, resM, (uint32_t)128U * sizeof (uint32_t)); + uint32_t *t1 = table + (uint32_t)128U; + memcpy(t1, aM, (uint32_t)128U * sizeof (uint32_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint32_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)128U; + uint32_t *t2 = table + (i + (uint32_t)2U) * (uint32_t)128U; + amont_mul(n, mu, t11, aM, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i0 = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)32U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)32U; + uint32_t p1 = b[i0] >> j; + uint32_t ite; + if (i0 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i0 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_c = ite & mask_l; + memcpy(resM, table, (uint32_t)128U * sizeof (uint32_t)); + for (uint32_t i1 = (uint32_t)0U; i1 < (uint32_t)15U; i1++) + { + uint32_t c = FStar_UInt32_eq_mask(bits_c, i1 + (uint32_t)1U); + uint32_t *res_j = table + (i1 + (uint32_t)1U) * (uint32_t)128U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t *os = resM; + uint32_t x = (c & res_j[i]) | (~c & resM[i]); + os[i] = x; + } + } + } + for (uint32_t i0 = (uint32_t)0U; i0 < bBits / (uint32_t)4U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + amont_sqr(n, mu, 
resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i0 - (uint32_t)4U) / (uint32_t)32U; + uint32_t j = (bk - (uint32_t)4U * i0 - (uint32_t)4U) % (uint32_t)32U; + uint32_t p1 = b[i1] >> j; + uint32_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_l = ite & mask_l; + uint32_t a_bits_l[128U] = { 0U }; + memcpy(a_bits_l, table, (uint32_t)128U * sizeof (uint32_t)); + for (uint32_t i2 = (uint32_t)0U; i2 < (uint32_t)15U; i2++) + { + uint32_t c = FStar_UInt32_eq_mask(bits_l, i2 + (uint32_t)1U); + uint32_t *res_j = table + (i2 + (uint32_t)1U) * (uint32_t)128U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t *os = a_bits_l; + uint32_t x = (c & res_j[i]) | (~c & a_bits_l[i]); + os[i] = x; + } + } + amont_mul(n, mu, resM, a_bits_l, resM); + } + uint32_t tmp0[256U] = { 0U }; + memcpy(tmp0, resM, (uint32_t)128U * sizeof (uint32_t)); + reduction(n, mu, tmp0, res); +} + +static inline void +exp_vartime( + uint32_t nBits, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t r2[128U] = { 0U }; + precompr2(nBits, n, r2); + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + exp_vartime_precomp(n, mu, r2, a, bBits, b, res); +} + +static inline void +exp_consttime( + uint32_t nBits, + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t r2[128U] = { 0U }; + precompr2(nBits, n, r2); + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + exp_consttime_precomp(n, mu, r2, a, bBits, b, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. 
A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum4096_32_mod_exp_vartime( + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t is_valid_m = exp_check(n, a, bBits, b); + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)128U, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + exp_vartime(nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, (uint32_t)128U * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. + + The function returns false if any of the following preconditions are violated, + true otherwise. 
+ • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum4096_32_mod_exp_consttime( + uint32_t *n, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + uint32_t is_valid_m = exp_check(n, a, bBits, b); + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)128U, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + exp_consttime(nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, (uint32_t)128U * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The arguments a, n and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum4096_32_mod_inv_prime_vartime(uint32_t *n, uint32_t *a, uint32_t *res) +{ + uint32_t one[128U] = { 0U }; + memset(one, 0U, (uint32_t)128U * sizeof (uint32_t)); + one[0U] = (uint32_t)1U; + uint32_t bit0 = n[0U] & (uint32_t)1U; + uint32_t m0 = (uint32_t)0U - bit0; + uint32_t acc0 = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m1 = acc0; + uint32_t m00 = m0 & m1; + uint32_t bn_zero[128U] = { 0U }; + uint32_t mask = (uint32_t)0xFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t uu____0 = FStar_UInt32_eq_mask(a[i], bn_zero[i]); + mask = uu____0 & mask; + } + uint32_t mask1 = mask; + uint32_t res10 = mask1; + uint32_t m10 = res10; + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t beq 
= FStar_UInt32_eq_mask(a[i], n[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + uint32_t m2 = acc; + uint32_t is_valid_m = (m00 & ~m10) & m2; + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)128U, n); + if (is_valid_m == (uint32_t)0xFFFFFFFFU) + { + uint32_t n2[128U] = { 0U }; + uint32_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32((uint32_t)0U, n[0U], (uint32_t)2U, n2); + uint32_t c1; + if ((uint32_t)1U < (uint32_t)128U) + { + uint32_t rLen = (uint32_t)127U; + uint32_t *a1 = n + (uint32_t)1U; + uint32_t *res1 = n2 + (uint32_t)1U; + uint32_t c = c0; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint32_t t1 = a1[(uint32_t)4U * i]; + uint32_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i0); + uint32_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, (uint32_t)0U, res_i1); + uint32_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, (uint32_t)0U, res_i2); + uint32_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, (uint32_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint32_t t1 = a1[i]; + uint32_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i); + } + uint32_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + exp_vartime(nBits, n, a, (uint32_t)4096U, n2, res); + } + else + { + memset(res, 0U, (uint32_t)128U * sizeof (uint32_t)); + } + return is_valid_m == (uint32_t)0xFFFFFFFFU; +} + + +/**********************************************/ +/* 
Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be a 4096-bit bignum, i.e. uint32_t[128]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum4096_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_Bignum4096_32_mont_ctx_init(uint32_t *n) +{ + uint32_t *r2 = KRML_HOST_CALLOC((uint32_t)128U, sizeof (uint32_t)); + uint32_t *n1 = KRML_HOST_CALLOC((uint32_t)128U, sizeof (uint32_t)); + uint32_t *r21 = r2; + uint32_t *n11 = n1; + memcpy(n11, n, (uint32_t)128U * sizeof (uint32_t)); + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32((uint32_t)128U, n); + precompr2(nBits, n, r21); + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 + res = { .len = (uint32_t)128U, .n = n11, .mu = mu, .r2 = r21 }; + KRML_CHECK_SIZE(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32), (uint32_t)1U); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 + *buf = KRML_HOST_MALLOC(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32)); + buf[0U] = res; + return buf; +} + +/* +Deallocate the memory previously allocated by Hacl_Bignum4096_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. +*/ +void Hacl_Bignum4096_32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + uint32_t *n = k1.n; + uint32_t *r2 = k1.r2; + KRML_HOST_FREE(n); + KRML_HOST_FREE(r2); + KRML_HOST_FREE(k); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be a 8192-bit bignum, i.e. uint32_t[256]. + The outparam res is meant to be a 4096-bit bignum, i.e. uint32_t[128]. 
+ The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. +*/ +void +Hacl_Bignum4096_32_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + bn_slow_precomp(k1.n, k1.mu, k1.r2, a, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum4096_32_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. 
+ + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum4096_32_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t bBits, + uint32_t *b, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + exp_consttime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be 4096-bit bignums, i.e. uint32_t[128]. + The argument k is a montgomery context obtained through Hacl_Bignum4096_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum4096_32_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + uint32_t n2[128U] = { 0U }; + uint32_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32((uint32_t)0U, k1.n[0U], (uint32_t)2U, n2); + uint32_t c1; + if ((uint32_t)1U < (uint32_t)128U) + { + uint32_t rLen = (uint32_t)127U; + uint32_t *a1 = k1.n + (uint32_t)1U; + uint32_t *res1 = n2 + (uint32_t)1U; + uint32_t c = c0; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint32_t t1 = a1[(uint32_t)4U * i]; + uint32_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i0); + uint32_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, (uint32_t)0U, res_i1); + uint32_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = 
Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, (uint32_t)0U, res_i2); + uint32_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, (uint32_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint32_t t1 = a1[i]; + uint32_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i); + } + uint32_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, (uint32_t)4096U, n2, res); +} + + +/********************/ +/* Loads and stores */ +/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. 
+*/ +uint32_t *Hacl_Bignum4096_32_new_bn_from_bytes_be(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U <= (uint32_t)1073741823U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint32_t), (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U); + uint32_t + *res = KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U, sizeof (uint32_t)); + if (res == NULL) + { + return res; + } + uint32_t *res1 = res; + uint32_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t *tmp = alloca(tmpLen * sizeof (uint8_t)); + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + uint32_t *os = res2; + uint32_t u = load32_be(tmp + (bnLen - i - (uint32_t)1U) * (uint32_t)4U); + uint32_t x = u; + os[i] = x; + } + return res2; +} + +/* +Load a little-endian bignum from memory. + + The argument b points to len bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. 
+*/ +uint32_t *Hacl_Bignum4096_32_new_bn_from_bytes_le(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U <= (uint32_t)1073741823U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint32_t), (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U); + uint32_t + *res = KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U, sizeof (uint32_t)); + if (res == NULL) + { + return res; + } + uint32_t *res1 = res; + uint32_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t *tmp = alloca(tmpLen * sizeof (uint8_t)); + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp, b, len * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < (len - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; i++) + { + uint32_t *os = res2; + uint8_t *bj = tmp + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r1 = u; + uint32_t x = r1; + os[i] = x; + } + return res2; +} + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a 4096-bit bignum. + The outparam res points to 512 bytes of valid memory. +*/ +void Hacl_Bignum4096_32_bn_to_bytes_be(uint32_t *b, uint8_t *res) +{ + uint32_t bnLen = ((uint32_t)512U - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t *tmp = alloca(tmpLen * sizeof (uint8_t)); + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + uint32_t numb = (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + store32_be(tmp + i * numb, b[bnLen - i - (uint32_t)1U]); + } + memcpy(res, tmp + tmpLen - (uint32_t)512U, (uint32_t)512U * sizeof (uint8_t)); +} + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a 4096-bit bignum. + The outparam res points to 512 bytes of valid memory. 
+*/ +void Hacl_Bignum4096_32_bn_to_bytes_le(uint32_t *b, uint8_t *res) +{ + uint32_t bnLen = ((uint32_t)512U - (uint32_t)1U) / (uint32_t)4U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)4U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t *tmp = alloca(tmpLen * sizeof (uint8_t)); + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + store32_le(tmp + i * (uint32_t)4U, b[i]); + } + memcpy(res, tmp, (uint32_t)512U * sizeof (uint8_t)); +} + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^32 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint32_t[128]. +*/ +uint32_t Hacl_Bignum4096_32_lt_mask(uint32_t *a, uint32_t *b) +{ + uint32_t acc = (uint32_t)0U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t beq = FStar_UInt32_eq_mask(a[i], b[i]); + uint32_t blt = ~FStar_UInt32_gte_mask(a[i], b[i]); + acc = (beq & acc) | (~beq & ((blt & (uint32_t)0xFFFFFFFFU) | (~blt & (uint32_t)0U))); + } + return acc; +} + +/* +Returns 2^32 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be 4096-bit bignums, i.e. uint32_t[128]. +*/ +uint32_t Hacl_Bignum4096_32_eq_mask(uint32_t *a, uint32_t *b) +{ + uint32_t mask = (uint32_t)0xFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) + { + uint32_t uu____0 = FStar_UInt32_eq_mask(a[i], b[i]); + mask = uu____0 & mask; + } + uint32_t mask1 = mask; + return mask1; +} + diff --git a/src/msvc/Hacl_Bignum64.c b/src/msvc/Hacl_Bignum64.c new file mode 100644 index 00000000..e1e33016 --- /dev/null +++ b/src/msvc/Hacl_Bignum64.c 
@@ -0,0 +1,853 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Bignum64.h" + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Bignum.h" + +/******************************************************************************* + +A verified bignum library. + +This is a 64-bit optimized version, where bignums are represented as an array +of `len` unsigned 64-bit integers, i.e. uint64_t[len]. + +*******************************************************************************/ + +/************************/ +/* Arithmetic functions */ +/************************/ + + +/* +Write `a + b mod 2 ^ (64 * len)` in `res`. + + This functions returns the carry. + + The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. 
uint64_t[len] +*/ +uint64_t Hacl_Bignum64_add(uint32_t len, uint64_t *a, uint64_t *b, uint64_t *res) +{ + return Hacl_Bignum_Addition_bn_add_eq_len_u64(len, a, b, res); +} + +/* +Write `a - b mod 2 ^ (64 * len)` in `res`. + + This functions returns the carry. + + The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len] +*/ +uint64_t Hacl_Bignum64_sub(uint32_t len, uint64_t *a, uint64_t *b, uint64_t *res) +{ + return Hacl_Bignum_Addition_bn_sub_eq_len_u64(len, a, b, res); +} + +/* +Write `(a + b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum64_add_mod(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res) +{ + Hacl_Bignum_bn_add_mod_n_u64(len, n, a, b, res); +} + +/* +Write `(a - b) mod n` in `res`. + + The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • a < n + • b < n +*/ +void Hacl_Bignum64_sub_mod(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res) +{ + Hacl_Bignum_bn_sub_mod_n_u64(len, n, a, b, res); +} + +/* +Write `a * b` in `res`. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint64_t[len]. + The outparam res is meant to be `2*len` limbs in size, i.e. uint64_t[2*len]. +*/ +void Hacl_Bignum64_mul(uint32_t len, uint64_t *a, uint64_t *b, uint64_t *res) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + uint64_t *tmp = alloca((uint32_t)4U * len * sizeof (uint64_t)); + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len, a, b, tmp, res); +} + +/* +Write `a * a` in `res`. 
+ + The argument a is meant to be `len` limbs in size, i.e. uint64_t[len]. + The outparam res is meant to be `2*len` limbs in size, i.e. uint64_t[2*len]. +*/ +void Hacl_Bignum64_sqr(uint32_t len, uint64_t *a, uint64_t *res) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + uint64_t *tmp = alloca((uint32_t)4U * len * sizeof (uint64_t)); + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64(len, a, tmp, res); +} + +static inline void +bn_slow_precomp( + uint32_t len, + uint64_t *n, + uint64_t mu, + uint64_t *r2, + uint64_t *a, + uint64_t *res +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *a_mod = alloca(len * sizeof (uint64_t)); + memset(a_mod, 0U, len * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t *a1 = alloca((len + len) * sizeof (uint64_t)); + memset(a1, 0U, (len + len) * sizeof (uint64_t)); + memcpy(a1, a, (len + len) * sizeof (uint64_t)); + uint64_t c0 = (uint64_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < len; i0++) + { + uint64_t qj = mu * a1[i0]; + uint64_t *res_j0 = a1 + i0; + uint64_t c = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len / (uint32_t)4U; i++) + { + uint64_t a_i = n[(uint32_t)4U * i]; + uint64_t *res_i0 = res_j0 + (uint32_t)4U * i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i0); + uint64_t a_i0 = n[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res_j0 + (uint32_t)4U * i + (uint32_t)1U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c, res_i1); + uint64_t a_i1 = n[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res_j0 + (uint32_t)4U * i + (uint32_t)2U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c, res_i2); + uint64_t a_i2 = n[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res_j0 + (uint32_t)4U * i + (uint32_t)3U; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c, res_i); + } + for (uint32_t i = len / (uint32_t)4U * (uint32_t)4U; i < len; i++) + { + uint64_t a_i = n[i]; + 
uint64_t *res_i = res_j0 + i; + c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i); + } + uint64_t r = c; + uint64_t c1 = r; + uint64_t *resb = a1 + len + i0; + uint64_t res_j = a1[len + i0]; + c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c1, res_j, resb); + } + memcpy(a_mod, a1 + len, (len + len - len) * sizeof (uint64_t)); + uint64_t c00 = c0; + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *tmp0 = alloca(len * sizeof (uint64_t)); + memset(tmp0, 0U, len * sizeof (uint64_t)); + uint64_t c1 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(len, a_mod, n, tmp0); + uint64_t m = (uint64_t)0U - c00; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t *os = a_mod; + uint64_t x = (m & tmp0[i]) | (~m & a_mod[i]); + os[i] = x; + } + KRML_CHECK_SIZE(sizeof (uint64_t), len + len); + uint64_t *c = alloca((len + len) * sizeof (uint64_t)); + memset(c, 0U, (len + len) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * len); + uint64_t *tmp = alloca((uint32_t)4U * len * sizeof (uint64_t)); + memset(tmp, 0U, (uint32_t)4U * len * sizeof (uint64_t)); + Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64(len, a_mod, r2, tmp, c); + Hacl_Bignum_Montgomery_bn_mont_reduction_u64(len, n, mu, c, res); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be `2*len` limbs in size, i.e. uint64_t[2*len]. + The argument n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + The function returns false if any of the following preconditions are violated, + true otherwise. 
+ • 1 < n + • n % 2 = 1 +*/ +bool Hacl_Bignum64_mod(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *res) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *one = alloca(len * sizeof (uint64_t)); + memset(one, 0U, len * sizeof (uint64_t)); + memset(one, 0U, len * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + uint64_t bit0 = n[0U] & (uint64_t)1U; + uint64_t m0 = (uint64_t)0U - bit0; + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m1 = acc; + uint64_t is_valid_m = m0 & m1; + uint32_t nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64(len, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *r2 = alloca(len * sizeof (uint64_t)); + memset(r2, 0U, len * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64(len, nBits, n, r2); + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + bn_slow_precomp(len, n, mu, r2, a, res); + } + else + { + memset(res, 0U, len * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + The function returns false if any of the following preconditions are violated, + true otherwise. 
+ • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum64_mod_exp_vartime( + uint32_t len, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t is_valid_m = Hacl_Bignum_Exponentiation_bn_check_mod_exp_u64(len, n, a, bBits, b); + uint32_t nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64(len, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u64(len, nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, len * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime. + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • b < pow2 bBits + • a < n +*/ +bool +Hacl_Bignum64_mod_exp_consttime( + uint32_t len, + uint64_t *n, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + uint64_t is_valid_m = Hacl_Bignum_Exponentiation_bn_check_mod_exp_u64(len, n, a, bBits, b); + uint32_t nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64(len, n); + if (is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_u64(len, nBits, n, a, bBits, b, res); + } + else + { + memset(res, 0U, len * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +/* +Write `a ^ (-1) mod n` in `res`. 
+ + The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n is a prime + + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n + • 0 < a + • a < n +*/ +bool Hacl_Bignum64_mod_inv_prime_vartime(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *res) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *one = alloca(len * sizeof (uint64_t)); + memset(one, 0U, len * sizeof (uint64_t)); + memset(one, 0U, len * sizeof (uint64_t)); + one[0U] = (uint64_t)1U; + uint64_t bit0 = n[0U] & (uint64_t)1U; + uint64_t m0 = (uint64_t)0U - bit0; + uint64_t acc0 = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); + acc0 = (beq & acc0) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m1 = acc0; + uint64_t m00 = m0 & m1; + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *bn_zero = alloca(len * sizeof (uint64_t)); + memset(bn_zero, 0U, len * sizeof (uint64_t)); + uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t uu____0 = FStar_UInt64_eq_mask(a[i], bn_zero[i]); + mask = uu____0 & mask; + } + uint64_t mask1 = mask; + uint64_t res10 = mask1; + uint64_t m10 = res10; + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t m2 = acc; + uint64_t is_valid_m = (m00 & ~m10) & m2; + uint32_t nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64(len, n); + if (is_valid_m == 
(uint64_t)0xFFFFFFFFFFFFFFFFU) + { + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *n2 = alloca(len * sizeof (uint64_t)); + memset(n2, 0U, len * sizeof (uint64_t)); + uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, n[0U], (uint64_t)2U, n2); + uint64_t c1; + if ((uint32_t)1U < len) + { + uint32_t rLen = len - (uint32_t)1U; + uint64_t *a1 = n + (uint32_t)1U; + uint64_t *res1 = n2 + (uint32_t)1U; + uint64_t c = c0; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint64_t t1 = a1[(uint32_t)4U * i]; + uint64_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i0); + uint64_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, (uint64_t)0U, res_i1); + uint64_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, (uint64_t)0U, res_i2); + uint64_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, (uint64_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint64_t t1 = a1[i]; + uint64_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i); + } + uint64_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u64(len, + nBits, + n, + a, + (uint32_t)64U * len, + n2, + res); + } + else + { + memset(res, 0U, len * sizeof (uint64_t)); + } + return is_valid_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + + +/**********************************************/ +/* Arithmetic functions with precomputations. */ +/**********************************************/ + + +/* +Heap-allocate and initialize a montgomery context. 
+ + The argument n is meant to be `len` limbs in size, i.e. uint64_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_Bignum64_mont_ctx_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 +*Hacl_Bignum64_mont_ctx_init(uint32_t len, uint64_t *n) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *r2 = KRML_HOST_CALLOC(len, sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *n1 = KRML_HOST_CALLOC(len, sizeof (uint64_t)); + uint64_t *r21 = r2; + uint64_t *n11 = n1; + memcpy(n11, n, len * sizeof (uint64_t)); + uint32_t nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64(len, n); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64(len, nBits, n, r21); + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 res = { .len = len, .n = n11, .mu = mu, .r2 = r21 }; + KRML_CHECK_SIZE(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64), (uint32_t)1U); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 + *buf = KRML_HOST_MALLOC(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64)); + buf[0U] = res; + return buf; +} + +/* +Deallocate the memory previously allocated by Hacl_Bignum64_mont_ctx_init. + + The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init. +*/ +void Hacl_Bignum64_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + uint64_t *n = k1.n; + uint64_t *r2 = k1.r2; + KRML_HOST_FREE(n); + KRML_HOST_FREE(r2); + KRML_HOST_FREE(k); +} + +/* +Write `a mod n` in `res`. + + The argument a is meant to be `2*len` limbs in size, i.e. uint64_t[2*len]. + The outparam res is meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init. 
+*/ +void +Hacl_Bignum64_mod_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k10 = *k; + uint32_t len1 = k10.len; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + bn_slow_precomp(len1, k1.n, k1.mu, k1.r2, a, res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + The function is *NOT* constant-time on the argument b. See the + mod_exp_consttime_* functions for constant-time variants. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum64_mod_exp_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k10 = *k; + uint32_t len1 = k10.len; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64(len1, + k1.n, + k1.mu, + k1.r2, + a, + bBits, + b, + res); +} + +/* +Write `a ^ b mod n` in `res`. + + The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. 
When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 4096-bit bignum, bBits should be 4096. + + This function is constant-time over its argument b, at the cost of a slower + execution time than mod_exp_vartime_*. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • b < pow2 bBits + • a < n +*/ +void +Hacl_Bignum64_mod_exp_consttime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint32_t bBits, + uint64_t *b, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k10 = *k; + uint32_t len1 = k10.len; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u64(len1, + k1.n, + k1.mu, + k1.r2, + a, + bBits, + b, + res); +} + +/* +Write `a ^ (-1) mod n` in `res`. + + The argument a and the outparam res are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_Bignum64_mont_ctx_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • n is a prime + • 0 < a + • a < n +*/ +void +Hacl_Bignum64_mod_inv_prime_vartime_precomp( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *res +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k10 = *k; + uint32_t len1 = k10.len; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + KRML_CHECK_SIZE(sizeof (uint64_t), len1); + uint64_t *n2 = alloca(len1 * sizeof (uint64_t)); + memset(n2, 0U, len1 * sizeof (uint64_t)); + uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, k1.n[0U], (uint64_t)2U, n2); + uint64_t c1; + if ((uint32_t)1U < len1) + { + uint32_t rLen = len1 - (uint32_t)1U; + uint64_t *a1 = k1.n + (uint32_t)1U; + uint64_t *res1 = n2 + (uint32_t)1U; + uint64_t c = c0; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint64_t t1 = a1[(uint32_t)4U * i]; + uint64_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i0); + uint64_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, (uint64_t)0U, res_i1); + uint64_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, (uint64_t)0U, res_i2); + uint64_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, (uint64_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint64_t t1 = a1[i]; + uint64_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i); + } + uint64_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64(len1, + k1.n, + k1.mu, + k1.r2, + a, + (uint32_t)64U * len1, + n2, + res); +} + + +/********************/ +/* Loads and stores */ 
+/********************/ + + +/* +Load a bid-endian bignum from memory. + + The argument b points to `len` bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. +*/ +uint64_t *Hacl_Bignum64_new_bn_from_bytes_be(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U <= (uint32_t)536870911U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint64_t), (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U); + uint64_t + *res = KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U, sizeof (uint64_t)); + if (res == NULL) + { + return res; + } + uint64_t *res1 = res; + uint64_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t *tmp = alloca(tmpLen * sizeof (uint8_t)); + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + uint64_t *os = res2; + uint64_t u = load64_be(tmp + (bnLen - i - (uint32_t)1U) * (uint32_t)8U); + uint64_t x = u; + os[i] = x; + } + return res2; +} + +/* +Load a little-endian bignum from memory. + + The argument b points to `len` bytes of valid memory. + The function returns a heap-allocated bignum of size sufficient to hold the + result of loading b, or NULL if either the allocation failed, or the amount of + required memory would exceed 4GB. + + If the return value is non-null, clients must eventually call free(3) on it to + avoid memory leaks. 
+*/ +uint64_t *Hacl_Bignum64_new_bn_from_bytes_le(uint32_t len, uint8_t *b) +{ + if + ( + len + == (uint32_t)0U + || !((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U <= (uint32_t)536870911U) + ) + { + return NULL; + } + KRML_CHECK_SIZE(sizeof (uint64_t), (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U); + uint64_t + *res = KRML_HOST_CALLOC((len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U, sizeof (uint64_t)); + if (res == NULL) + { + return res; + } + uint64_t *res1 = res; + uint64_t *res2 = res1; + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t *tmp = alloca(tmpLen * sizeof (uint8_t)); + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + memcpy(tmp, b, len * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; i++) + { + uint64_t *os = res2; + uint8_t *bj = tmp + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r1 = u; + uint64_t x = r1; + os[i] = x; + } + return res2; +} + +/* +Serialize a bignum into big-endian memory. + + The argument b points to a bignum of ⌈len / 8⌉ size. + The outparam res points to `len` bytes of valid memory. +*/ +void Hacl_Bignum64_bn_to_bytes_be(uint32_t len, uint64_t *b, uint8_t *res) +{ + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t *tmp = alloca(tmpLen * sizeof (uint8_t)); + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + uint32_t numb = (uint32_t)8U; + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + store64_be(tmp + i * numb, b[bnLen - i - (uint32_t)1U]); + } + memcpy(res, tmp + tmpLen - len, len * sizeof (uint8_t)); +} + +/* +Serialize a bignum into little-endian memory. + + The argument b points to a bignum of ⌈len / 8⌉ size. + The outparam res points to `len` bytes of valid memory. 
+*/ +void Hacl_Bignum64_bn_to_bytes_le(uint32_t len, uint64_t *b, uint8_t *res) +{ + uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t tmpLen = (uint32_t)8U * bnLen; + KRML_CHECK_SIZE(sizeof (uint8_t), tmpLen); + uint8_t *tmp = alloca(tmpLen * sizeof (uint8_t)); + memset(tmp, 0U, tmpLen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < bnLen; i++) + { + store64_le(tmp + i * (uint32_t)8U, b[i]); + } + memcpy(res, tmp, len * sizeof (uint8_t)); +} + + +/***************/ +/* Comparisons */ +/***************/ + + +/* +Returns 2^64 - 1 if a < b, otherwise returns 0. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint64_t[len]. +*/ +uint64_t Hacl_Bignum64_lt_mask(uint32_t len, uint64_t *a, uint64_t *b) +{ + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(a[i], b[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(a[i], b[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + return acc; +} + +/* +Returns 2^64 - 1 if a = b, otherwise returns 0. + + The arguments a and b are meant to be `len` limbs in size, i.e. uint64_t[len]. +*/ +uint64_t Hacl_Bignum64_eq_mask(uint32_t len, uint64_t *a, uint64_t *b) +{ + uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < len; i++) + { + uint64_t uu____0 = FStar_UInt64_eq_mask(a[i], b[i]); + mask = uu____0 & mask; + } + uint64_t mask1 = mask; + return mask1; +} + diff --git a/src/msvc/Hacl_Chacha20.c b/src/msvc/Hacl_Chacha20.c new file mode 100644 index 00000000..56f54cc6 --- /dev/null +++ b/src/msvc/Hacl_Chacha20.c 
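Review bot: `Hacl_Bignum64_bn_to_bytes_be` and `Hacl_Bignum64_bn_to_bytes_le` take a caller-supplied `len` but lack the `len == 0` guard that `Hacl_Bignum64_new_bn_from_bytes_be`/`_le` in the same hunk apply: with `len == 0`, `(len - 1U) / 8U + 1U` wraps to 0x20000000 limbs, `tmpLen = 8U * bnLen` wraps to 0 in `uint32_t`, and the store loop then writes 8-byte words past a zero-length `alloca` buffer while reading `b` out of bounds. Either the header comment should state the precondition `0 < len` (presumably carried by the F* specification but not visible in the C), or both functions should begin with `if (len == (uint32_t)0U) { return; }`. Relatedly, `Hacl_Bignum64_mul`, `Hacl_Bignum64_sqr` and `bn_slow_precomp` place `4U * len` limbs on the stack via `alloca` sized purely by the caller's `len`; `KRML_CHECK_SIZE` appears to bound the size arithmetic, not stack depth, so the API documentation should state the maximum supported `len` or callers handling untrusted lengths will hit stack exhaustion. `Hacl_Bignum64_mont_ctx_init` also dereferences the results of `KRML_HOST_CALLOC` and `KRML_HOST_MALLOC` without a NULL check, unlike `new_bn_from_bytes_*`; unless `KRML_HOST_CALLOC` is configured to abort on failure, `memcpy(n11, n, len * sizeof (uint64_t))` becomes a write through NULL.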
@@ -0,0 +1,237 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Chacha20.h" + + + +const +uint32_t +Hacl_Impl_Chacha20_Vec_chacha20_constants[4U] = + { (uint32_t)0x61707865U, (uint32_t)0x3320646eU, (uint32_t)0x79622d32U, (uint32_t)0x6b206574U }; + +static inline void quarter_round(uint32_t *st, uint32_t a, uint32_t b, uint32_t c, uint32_t d) +{ + uint32_t sta = st[a]; + uint32_t stb0 = st[b]; + uint32_t std0 = st[d]; + uint32_t sta10 = sta + stb0; + uint32_t std10 = std0 ^ sta10; + uint32_t std2 = std10 << (uint32_t)16U | std10 >> (uint32_t)16U; + st[a] = sta10; + st[d] = std2; + uint32_t sta0 = st[c]; + uint32_t stb1 = st[d]; + uint32_t std3 = st[b]; + uint32_t sta11 = sta0 + stb1; + uint32_t std11 = std3 ^ sta11; + uint32_t std20 = std11 << (uint32_t)12U | std11 >> (uint32_t)20U; + st[c] = sta11; + st[b] = std20; + uint32_t sta2 = st[a]; + uint32_t stb2 = st[b]; + uint32_t std4 = st[d]; + uint32_t sta12 = sta2 + stb2; + uint32_t std12 = std4 ^ sta12; + uint32_t std21 = std12 << (uint32_t)8U | std12 >> (uint32_t)24U; + st[a] = sta12; + st[d] = std21; + uint32_t sta3 = st[c]; + uint32_t stb = st[d]; + uint32_t std = st[b]; + uint32_t sta1 = sta3 + stb; + uint32_t std1 = std ^ sta1; + uint32_t std22 = std1 << (uint32_t)7U | std1 >> (uint32_t)25U; + st[c] = sta1; + st[b] = std22; +} + +static inline void double_round(uint32_t *st) +{ + quarter_round(st, (uint32_t)0U, (uint32_t)4U, (uint32_t)8U, (uint32_t)12U); + quarter_round(st, (uint32_t)1U, (uint32_t)5U, (uint32_t)9U, (uint32_t)13U); + quarter_round(st, (uint32_t)2U, (uint32_t)6U, (uint32_t)10U, (uint32_t)14U); + quarter_round(st, (uint32_t)3U, (uint32_t)7U, (uint32_t)11U, (uint32_t)15U); + quarter_round(st, (uint32_t)0U, (uint32_t)5U, (uint32_t)10U, (uint32_t)15U); + quarter_round(st, (uint32_t)1U, (uint32_t)6U, (uint32_t)11U, (uint32_t)12U); + quarter_round(st, (uint32_t)2U, (uint32_t)7U, (uint32_t)8U, (uint32_t)13U); + quarter_round(st, (uint32_t)3U, (uint32_t)4U, (uint32_t)9U, (uint32_t)14U); +} + +static inline void rounds(uint32_t *st) 
+{ + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); +} + +static inline void chacha20_core(uint32_t *k, uint32_t *ctx, uint32_t ctr) +{ + memcpy(k, ctx, (uint32_t)16U * sizeof (uint32_t)); + uint32_t ctr_u32 = ctr; + k[12U] = k[12U] + ctr_u32; + rounds(k); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = k; + uint32_t x = k[i] + ctx[i]; + os[i] = x; + } + k[12U] = k[12U] + ctr_u32; +} + +static const +uint32_t +chacha20_constants[4U] = + { (uint32_t)0x61707865U, (uint32_t)0x3320646eU, (uint32_t)0x79622d32U, (uint32_t)0x6b206574U }; + +void Hacl_Impl_Chacha20_chacha20_init(uint32_t *ctx, uint8_t *k, uint8_t *n, uint32_t ctr) +{ + uint32_t *uu____0 = ctx; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = uu____0; + uint32_t x = chacha20_constants[i]; + os[i] = x; + } + uint32_t *uu____1 = ctx + (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = uu____1; + uint8_t *bj = k + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + ctx[12U] = ctr; + uint32_t *uu____2 = ctx + (uint32_t)13U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)3U; i++) + { + uint32_t *os = uu____2; + uint8_t *bj = n + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } +} + +void +Hacl_Impl_Chacha20_chacha20_encrypt_block( + uint32_t *ctx, + uint8_t *out, + uint32_t incr, + uint8_t *text +) +{ + uint32_t k[16U] = { 0U }; + chacha20_core(k, ctx, incr); + uint32_t bl[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint8_t *bj = text + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t 
*os = bl; + uint32_t x = bl[i] ^ k[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + store32_le(out + i * (uint32_t)4U, bl[i]); + } +} + +static inline void +chacha20_encrypt_last(uint32_t *ctx, uint32_t len, uint8_t *out, uint32_t incr, uint8_t *text) +{ + uint8_t plain[64U] = { 0U }; + memcpy(plain, text, len * sizeof (uint8_t)); + Hacl_Impl_Chacha20_chacha20_encrypt_block(ctx, plain, incr, plain); + memcpy(out, plain, len * sizeof (uint8_t)); +} + +void +Hacl_Impl_Chacha20_chacha20_update(uint32_t *ctx, uint32_t len, uint8_t *out, uint8_t *text) +{ + uint32_t rem = len % (uint32_t)64U; + uint32_t nb = len / (uint32_t)64U; + uint32_t rem1 = len % (uint32_t)64U; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + Hacl_Impl_Chacha20_chacha20_encrypt_block(ctx, + out + i * (uint32_t)64U, + i, + text + i * (uint32_t)64U); + } + if (rem1 > (uint32_t)0U) + { + chacha20_encrypt_last(ctx, rem, out + nb * (uint32_t)64U, nb, text + nb * (uint32_t)64U); + } +} + +void +Hacl_Chacha20_chacha20_encrypt( + uint32_t len, + uint8_t *out, + uint8_t *text, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + uint32_t ctx[16U] = { 0U }; + Hacl_Impl_Chacha20_chacha20_init(ctx, key, n, ctr); + Hacl_Impl_Chacha20_chacha20_update(ctx, len, out, text); +} + +void +Hacl_Chacha20_chacha20_decrypt( + uint32_t len, + uint8_t *out, + uint8_t *cipher, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + uint32_t ctx[16U] = { 0U }; + Hacl_Impl_Chacha20_chacha20_init(ctx, key, n, ctr); + Hacl_Impl_Chacha20_chacha20_update(ctx, len, out, cipher); +} + diff --git a/src/msvc/Hacl_Chacha20Poly1305_128.c b/src/msvc/Hacl_Chacha20Poly1305_128.c new file mode 100644 index 00000000..fb8a419d --- /dev/null +++ b/src/msvc/Hacl_Chacha20Poly1305_128.c 
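Review bot: The public entry points `Hacl_Chacha20_chacha20_encrypt` and `Hacl_Chacha20_chacha20_decrypt` carry no header comment, so the buffer contracts the code relies on are undocumented: `Hacl_Impl_Chacha20_chacha20_init` loads eight 32-bit words from `k` and three from `n`, i.e. a 32-byte key and a 12-byte nonce, and `Hacl_Impl_Chacha20_chacha20_update` reads `len` bytes of `text` and writes `len` bytes of `out`. A comment such as `/* key: 32 bytes; n: 12-byte nonce; out/text: len bytes. The 32-bit block counter starts at ctr and must not wrap (ctr + len/64 < 2^32) or keystream blocks repeat. */` above each would make that explicit. The wrap caveat matters because `chacha20_core` adds the block index to `k[12U]` as a plain `uint32_t` and nothing in the hunk checks it, so a caller passing a `ctr` within `len / 64` of 2^32 silently reuses keystream, including block 0 that AEAD constructions use for the Poly1305 key. Whether the F* specification excludes this by precondition is not visible here.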
@@ -0,0 +1,1195 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Chacha20Poly1305_128.h" + +#include "internal/Hacl_Poly1305_128.h" +#include "internal/Hacl_Kremlib.h" + +static inline void +poly1305_padded_128(Lib_IntVector_Intrinsics_vec128 *ctx, uint32_t len, uint8_t *text) +{ + uint32_t n = len / (uint32_t)16U; + uint32_t r = len % (uint32_t)16U; + uint8_t *blocks = text; + uint8_t *rem = text + n * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec128 *pre0 = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 *acc0 = ctx; + uint32_t sz_block = (uint32_t)32U; + uint32_t len0 = n * (uint32_t)16U / sz_block * sz_block; + uint8_t *t00 = blocks; + if (len0 > (uint32_t)0U) + { + uint32_t bs = (uint32_t)32U; + uint8_t *text0 = t00; + Hacl_Impl_Poly1305_Field32xN_128_load_acc2(acc0, text0); + uint32_t len1 = len0 - bs; + uint8_t *text1 = t00 + bs; + uint32_t nb = len1 / bs; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = text1 + i * bs; + Lib_IntVector_Intrinsics_vec128 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + Lib_IntVector_Intrinsics_vec128 b1 = Lib_IntVector_Intrinsics_vec128_load64_le(block); + Lib_IntVector_Intrinsics_vec128 + b2 = Lib_IntVector_Intrinsics_vec128_load64_le(block + (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 lo = Lib_IntVector_Intrinsics_vec128_interleave_low64(b1, b2); + Lib_IntVector_Intrinsics_vec128 + hi = Lib_IntVector_Intrinsics_vec128_interleave_high64(b1, b2); + Lib_IntVector_Intrinsics_vec128 + f00 = + Lib_IntVector_Intrinsics_vec128_and(lo, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f15 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(lo, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f25 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(lo, + (uint32_t)52U), + 
Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(hi, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(hi, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(hi, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f0 = f00; + Lib_IntVector_Intrinsics_vec128 f1 = f15; + Lib_IntVector_Intrinsics_vec128 f2 = f25; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f41 = f40; + e[0U] = f0; + e[1U] = f1; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b); + Lib_IntVector_Intrinsics_vec128 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec128_or(f4, mask); + Lib_IntVector_Intrinsics_vec128 *rn = pre0 + (uint32_t)10U; + Lib_IntVector_Intrinsics_vec128 *rn5 = pre0 + (uint32_t)15U; + Lib_IntVector_Intrinsics_vec128 r0 = rn[0U]; + Lib_IntVector_Intrinsics_vec128 r1 = rn[1U]; + Lib_IntVector_Intrinsics_vec128 r2 = rn[2U]; + Lib_IntVector_Intrinsics_vec128 r3 = rn[3U]; + Lib_IntVector_Intrinsics_vec128 r4 = rn[4U]; + Lib_IntVector_Intrinsics_vec128 r51 = rn5[1U]; + Lib_IntVector_Intrinsics_vec128 r52 = rn5[2U]; + Lib_IntVector_Intrinsics_vec128 r53 = rn5[3U]; + Lib_IntVector_Intrinsics_vec128 r54 = rn5[4U]; + Lib_IntVector_Intrinsics_vec128 f10 = acc0[0U]; + Lib_IntVector_Intrinsics_vec128 f110 = acc0[1U]; + Lib_IntVector_Intrinsics_vec128 f120 = acc0[2U]; + Lib_IntVector_Intrinsics_vec128 f130 = acc0[3U]; + Lib_IntVector_Intrinsics_vec128 f140 = acc0[4U]; + Lib_IntVector_Intrinsics_vec128 a0 = Lib_IntVector_Intrinsics_vec128_mul64(r0, f10); + Lib_IntVector_Intrinsics_vec128 a1 = Lib_IntVector_Intrinsics_vec128_mul64(r1, f10); + 
Lib_IntVector_Intrinsics_vec128 a2 = Lib_IntVector_Intrinsics_vec128_mul64(r2, f10); + Lib_IntVector_Intrinsics_vec128 a3 = Lib_IntVector_Intrinsics_vec128_mul64(r3, f10); + Lib_IntVector_Intrinsics_vec128 a4 = Lib_IntVector_Intrinsics_vec128_mul64(r4, f10); + Lib_IntVector_Intrinsics_vec128 + a01 = + Lib_IntVector_Intrinsics_vec128_add64(a0, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f110)); + Lib_IntVector_Intrinsics_vec128 + a11 = + Lib_IntVector_Intrinsics_vec128_add64(a1, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f110)); + Lib_IntVector_Intrinsics_vec128 + a21 = + Lib_IntVector_Intrinsics_vec128_add64(a2, + Lib_IntVector_Intrinsics_vec128_mul64(r1, f110)); + Lib_IntVector_Intrinsics_vec128 + a31 = + Lib_IntVector_Intrinsics_vec128_add64(a3, + Lib_IntVector_Intrinsics_vec128_mul64(r2, f110)); + Lib_IntVector_Intrinsics_vec128 + a41 = + Lib_IntVector_Intrinsics_vec128_add64(a4, + Lib_IntVector_Intrinsics_vec128_mul64(r3, f110)); + Lib_IntVector_Intrinsics_vec128 + a02 = + Lib_IntVector_Intrinsics_vec128_add64(a01, + Lib_IntVector_Intrinsics_vec128_mul64(r53, f120)); + Lib_IntVector_Intrinsics_vec128 + a12 = + Lib_IntVector_Intrinsics_vec128_add64(a11, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f120)); + Lib_IntVector_Intrinsics_vec128 + a22 = + Lib_IntVector_Intrinsics_vec128_add64(a21, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f120)); + Lib_IntVector_Intrinsics_vec128 + a32 = + Lib_IntVector_Intrinsics_vec128_add64(a31, + Lib_IntVector_Intrinsics_vec128_mul64(r1, f120)); + Lib_IntVector_Intrinsics_vec128 + a42 = + Lib_IntVector_Intrinsics_vec128_add64(a41, + Lib_IntVector_Intrinsics_vec128_mul64(r2, f120)); + Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r52, f130)); + Lib_IntVector_Intrinsics_vec128 + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r53, f130)); + Lib_IntVector_Intrinsics_vec128 + a23 = + 
Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f130)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f130)); + Lib_IntVector_Intrinsics_vec128 + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r1, f130)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r51, f140)); + Lib_IntVector_Intrinsics_vec128 + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r52, f140)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r53, f140)); + Lib_IntVector_Intrinsics_vec128 + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f140)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f140)); + Lib_IntVector_Intrinsics_vec128 t01 = a04; + Lib_IntVector_Intrinsics_vec128 t1 = a14; + Lib_IntVector_Intrinsics_vec128 t2 = a24; + Lib_IntVector_Intrinsics_vec128 t3 = a34; + Lib_IntVector_Intrinsics_vec128 t4 = a44; + Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t01, mask26); + Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t1, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 
+ z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + Lib_IntVector_Intrinsics_vec128 o00 = x02; + Lib_IntVector_Intrinsics_vec128 o10 = x12; + Lib_IntVector_Intrinsics_vec128 o20 = x21; + Lib_IntVector_Intrinsics_vec128 o30 = x32; + Lib_IntVector_Intrinsics_vec128 o40 = x42; + acc0[0U] = o00; + acc0[1U] = o10; + acc0[2U] = o20; + acc0[3U] = o30; + acc0[4U] = o40; + Lib_IntVector_Intrinsics_vec128 f100 = acc0[0U]; + Lib_IntVector_Intrinsics_vec128 f11 = 
acc0[1U]; + Lib_IntVector_Intrinsics_vec128 f12 = acc0[2U]; + Lib_IntVector_Intrinsics_vec128 f13 = acc0[3U]; + Lib_IntVector_Intrinsics_vec128 f14 = acc0[4U]; + Lib_IntVector_Intrinsics_vec128 f20 = e[0U]; + Lib_IntVector_Intrinsics_vec128 f21 = e[1U]; + Lib_IntVector_Intrinsics_vec128 f22 = e[2U]; + Lib_IntVector_Intrinsics_vec128 f23 = e[3U]; + Lib_IntVector_Intrinsics_vec128 f24 = e[4U]; + Lib_IntVector_Intrinsics_vec128 o0 = Lib_IntVector_Intrinsics_vec128_add64(f100, f20); + Lib_IntVector_Intrinsics_vec128 o1 = Lib_IntVector_Intrinsics_vec128_add64(f11, f21); + Lib_IntVector_Intrinsics_vec128 o2 = Lib_IntVector_Intrinsics_vec128_add64(f12, f22); + Lib_IntVector_Intrinsics_vec128 o3 = Lib_IntVector_Intrinsics_vec128_add64(f13, f23); + Lib_IntVector_Intrinsics_vec128 o4 = Lib_IntVector_Intrinsics_vec128_add64(f14, f24); + acc0[0U] = o0; + acc0[1U] = o1; + acc0[2U] = o2; + acc0[3U] = o3; + acc0[4U] = o4; + } + Hacl_Impl_Poly1305_Field32xN_128_fmul_r2_normalize(acc0, pre0); + } + uint32_t len1 = n * (uint32_t)16U - len0; + uint8_t *t10 = blocks + len0; + uint32_t nb = len1 / (uint32_t)16U; + uint32_t rem1 = len1 % (uint32_t)16U; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = t10 + i * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec128 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + uint64_t u0 = load64_le(block); + uint64_t lo = u0; + uint64_t u = load64_le(block + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec128 f0 = Lib_IntVector_Intrinsics_vec128_load64(lo); + Lib_IntVector_Intrinsics_vec128 f1 = Lib_IntVector_Intrinsics_vec128_load64(hi); + Lib_IntVector_Intrinsics_vec128 + f010 = + Lib_IntVector_Intrinsics_vec128_and(f0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f110 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)26U), + 
Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f20 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(f1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f01 = f010; + Lib_IntVector_Intrinsics_vec128 f111 = f110; + Lib_IntVector_Intrinsics_vec128 f2 = f20; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b); + Lib_IntVector_Intrinsics_vec128 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec128_or(f4, mask); + Lib_IntVector_Intrinsics_vec128 *r1 = pre0; + Lib_IntVector_Intrinsics_vec128 *r5 = pre0 + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 r0 = r1[0U]; + Lib_IntVector_Intrinsics_vec128 r11 = r1[1U]; + Lib_IntVector_Intrinsics_vec128 r2 = r1[2U]; + Lib_IntVector_Intrinsics_vec128 r3 = r1[3U]; + Lib_IntVector_Intrinsics_vec128 r4 = r1[4U]; + Lib_IntVector_Intrinsics_vec128 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec128 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec128 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec128 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec128 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec128 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec128 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec128 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec128 f14 = e[4U]; + 
Lib_IntVector_Intrinsics_vec128 a0 = acc0[0U]; + Lib_IntVector_Intrinsics_vec128 a1 = acc0[1U]; + Lib_IntVector_Intrinsics_vec128 a2 = acc0[2U]; + Lib_IntVector_Intrinsics_vec128 a3 = acc0[3U]; + Lib_IntVector_Intrinsics_vec128 a4 = acc0[4U]; + Lib_IntVector_Intrinsics_vec128 a01 = Lib_IntVector_Intrinsics_vec128_add64(a0, f10); + Lib_IntVector_Intrinsics_vec128 a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, f11); + Lib_IntVector_Intrinsics_vec128 a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, f12); + Lib_IntVector_Intrinsics_vec128 a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, f13); + Lib_IntVector_Intrinsics_vec128 a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, f14); + Lib_IntVector_Intrinsics_vec128 a02 = Lib_IntVector_Intrinsics_vec128_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec128 a12 = Lib_IntVector_Intrinsics_vec128_mul64(r11, a01); + Lib_IntVector_Intrinsics_vec128 a22 = Lib_IntVector_Intrinsics_vec128_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec128 a32 = Lib_IntVector_Intrinsics_vec128_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec128 a42 = Lib_IntVector_Intrinsics_vec128_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec128 + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec128 + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r11, a11)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec128 + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec128 + a14 = + 
Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec128 + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r11, a21)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec128 + a05 = + Lib_IntVector_Intrinsics_vec128_add64(a04, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec128 + a15 = + Lib_IntVector_Intrinsics_vec128_add64(a14, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec128 + a25 = + Lib_IntVector_Intrinsics_vec128_add64(a24, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec128 + a35 = + Lib_IntVector_Intrinsics_vec128_add64(a34, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec128 + a45 = + Lib_IntVector_Intrinsics_vec128_add64(a44, + Lib_IntVector_Intrinsics_vec128_mul64(r11, a31)); + Lib_IntVector_Intrinsics_vec128 + a06 = + Lib_IntVector_Intrinsics_vec128_add64(a05, + Lib_IntVector_Intrinsics_vec128_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec128 + a16 = + Lib_IntVector_Intrinsics_vec128_add64(a15, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec128 + a26 = + Lib_IntVector_Intrinsics_vec128_add64(a25, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec128 + a36 = + Lib_IntVector_Intrinsics_vec128_add64(a35, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec128 + a46 = + Lib_IntVector_Intrinsics_vec128_add64(a45, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec128 t01 = a06; + Lib_IntVector_Intrinsics_vec128 t11 = a16; + 
Lib_IntVector_Intrinsics_vec128 t2 = a26; + Lib_IntVector_Intrinsics_vec128 t3 = a36; + Lib_IntVector_Intrinsics_vec128 t4 = a46; + Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t01, mask26); + Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t11, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 x31 = 
Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + Lib_IntVector_Intrinsics_vec128 o0 = x02; + Lib_IntVector_Intrinsics_vec128 o1 = x12; + Lib_IntVector_Intrinsics_vec128 o2 = x21; + Lib_IntVector_Intrinsics_vec128 o3 = x32; + Lib_IntVector_Intrinsics_vec128 o4 = x42; + acc0[0U] = o0; + acc0[1U] = o1; + acc0[2U] = o2; + acc0[3U] = o3; + acc0[4U] = o4; + } + if (rem1 > (uint32_t)0U) + { + uint8_t *last = t10 + nb * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec128 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + uint8_t tmp[16U] = { 0U }; + memcpy(tmp, last, rem1 * sizeof (uint8_t)); + uint64_t u0 = load64_le(tmp); + uint64_t lo = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec128 f0 = Lib_IntVector_Intrinsics_vec128_load64(lo); + Lib_IntVector_Intrinsics_vec128 f1 = Lib_IntVector_Intrinsics_vec128_load64(hi); + Lib_IntVector_Intrinsics_vec128 + f010 = + Lib_IntVector_Intrinsics_vec128_and(f0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f110 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f20 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(f1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + 
Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f01 = f010; + Lib_IntVector_Intrinsics_vec128 f111 = f110; + Lib_IntVector_Intrinsics_vec128 f2 = f20; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f4 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f4; + uint64_t b = (uint64_t)1U << rem1 * (uint32_t)8U % (uint32_t)26U; + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b); + Lib_IntVector_Intrinsics_vec128 fi = e[rem1 * (uint32_t)8U / (uint32_t)26U]; + e[rem1 * (uint32_t)8U / (uint32_t)26U] = Lib_IntVector_Intrinsics_vec128_or(fi, mask); + Lib_IntVector_Intrinsics_vec128 *r1 = pre0; + Lib_IntVector_Intrinsics_vec128 *r5 = pre0 + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 r0 = r1[0U]; + Lib_IntVector_Intrinsics_vec128 r11 = r1[1U]; + Lib_IntVector_Intrinsics_vec128 r2 = r1[2U]; + Lib_IntVector_Intrinsics_vec128 r3 = r1[3U]; + Lib_IntVector_Intrinsics_vec128 r4 = r1[4U]; + Lib_IntVector_Intrinsics_vec128 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec128 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec128 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec128 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec128 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec128 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec128 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec128 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec128 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec128 a0 = acc0[0U]; + Lib_IntVector_Intrinsics_vec128 a1 = acc0[1U]; + Lib_IntVector_Intrinsics_vec128 a2 = acc0[2U]; + Lib_IntVector_Intrinsics_vec128 a3 = acc0[3U]; + Lib_IntVector_Intrinsics_vec128 a4 = acc0[4U]; + Lib_IntVector_Intrinsics_vec128 a01 = 
Lib_IntVector_Intrinsics_vec128_add64(a0, f10); + Lib_IntVector_Intrinsics_vec128 a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, f11); + Lib_IntVector_Intrinsics_vec128 a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, f12); + Lib_IntVector_Intrinsics_vec128 a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, f13); + Lib_IntVector_Intrinsics_vec128 a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, f14); + Lib_IntVector_Intrinsics_vec128 a02 = Lib_IntVector_Intrinsics_vec128_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec128 a12 = Lib_IntVector_Intrinsics_vec128_mul64(r11, a01); + Lib_IntVector_Intrinsics_vec128 a22 = Lib_IntVector_Intrinsics_vec128_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec128 a32 = Lib_IntVector_Intrinsics_vec128_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec128 a42 = Lib_IntVector_Intrinsics_vec128_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec128 + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec128 + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r11, a11)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec128 + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec128 + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec128 + a34 = + 
Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r11, a21)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec128 + a05 = + Lib_IntVector_Intrinsics_vec128_add64(a04, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec128 + a15 = + Lib_IntVector_Intrinsics_vec128_add64(a14, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec128 + a25 = + Lib_IntVector_Intrinsics_vec128_add64(a24, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec128 + a35 = + Lib_IntVector_Intrinsics_vec128_add64(a34, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec128 + a45 = + Lib_IntVector_Intrinsics_vec128_add64(a44, + Lib_IntVector_Intrinsics_vec128_mul64(r11, a31)); + Lib_IntVector_Intrinsics_vec128 + a06 = + Lib_IntVector_Intrinsics_vec128_add64(a05, + Lib_IntVector_Intrinsics_vec128_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec128 + a16 = + Lib_IntVector_Intrinsics_vec128_add64(a15, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec128 + a26 = + Lib_IntVector_Intrinsics_vec128_add64(a25, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec128 + a36 = + Lib_IntVector_Intrinsics_vec128_add64(a35, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec128 + a46 = + Lib_IntVector_Intrinsics_vec128_add64(a45, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec128 t01 = a06; + Lib_IntVector_Intrinsics_vec128 t11 = a16; + Lib_IntVector_Intrinsics_vec128 t2 = a26; + Lib_IntVector_Intrinsics_vec128 t3 = a36; + Lib_IntVector_Intrinsics_vec128 t4 = a46; + Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + z0 = 
Lib_IntVector_Intrinsics_vec128_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t01, mask26); + Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t11, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + 
Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + Lib_IntVector_Intrinsics_vec128 o0 = x02; + Lib_IntVector_Intrinsics_vec128 o1 = x12; + Lib_IntVector_Intrinsics_vec128 o2 = x21; + Lib_IntVector_Intrinsics_vec128 o3 = x32; + Lib_IntVector_Intrinsics_vec128 o4 = x42; + acc0[0U] = o0; + acc0[1U] = o1; + acc0[2U] = o2; + acc0[3U] = o3; + acc0[4U] = o4; + } + uint8_t tmp[16U] = { 0U }; + memcpy(tmp, rem, r * sizeof (uint8_t)); + if (r > (uint32_t)0U) + { + Lib_IntVector_Intrinsics_vec128 *pre = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 *acc = ctx; + Lib_IntVector_Intrinsics_vec128 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + uint64_t u0 = load64_le(tmp); + uint64_t lo = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec128 f0 = Lib_IntVector_Intrinsics_vec128_load64(lo); + Lib_IntVector_Intrinsics_vec128 f1 = Lib_IntVector_Intrinsics_vec128_load64(hi); + Lib_IntVector_Intrinsics_vec128 + f010 = + Lib_IntVector_Intrinsics_vec128_and(f0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f110 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f20 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(f1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f1, + (uint32_t)14U), + 
Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f01 = f010; + Lib_IntVector_Intrinsics_vec128 f111 = f110; + Lib_IntVector_Intrinsics_vec128 f2 = f20; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b); + Lib_IntVector_Intrinsics_vec128 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec128_or(f4, mask); + Lib_IntVector_Intrinsics_vec128 *r1 = pre; + Lib_IntVector_Intrinsics_vec128 *r5 = pre + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 r0 = r1[0U]; + Lib_IntVector_Intrinsics_vec128 r11 = r1[1U]; + Lib_IntVector_Intrinsics_vec128 r2 = r1[2U]; + Lib_IntVector_Intrinsics_vec128 r3 = r1[3U]; + Lib_IntVector_Intrinsics_vec128 r4 = r1[4U]; + Lib_IntVector_Intrinsics_vec128 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec128 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec128 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec128 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec128 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec128 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec128 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec128 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec128 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec128 a0 = acc[0U]; + Lib_IntVector_Intrinsics_vec128 a1 = acc[1U]; + Lib_IntVector_Intrinsics_vec128 a2 = acc[2U]; + Lib_IntVector_Intrinsics_vec128 a3 = acc[3U]; + Lib_IntVector_Intrinsics_vec128 a4 = acc[4U]; + Lib_IntVector_Intrinsics_vec128 a01 = Lib_IntVector_Intrinsics_vec128_add64(a0, f10); + Lib_IntVector_Intrinsics_vec128 a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, f11); + Lib_IntVector_Intrinsics_vec128 a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, f12); + Lib_IntVector_Intrinsics_vec128 
a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, f13); + Lib_IntVector_Intrinsics_vec128 a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, f14); + Lib_IntVector_Intrinsics_vec128 a02 = Lib_IntVector_Intrinsics_vec128_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec128 a12 = Lib_IntVector_Intrinsics_vec128_mul64(r11, a01); + Lib_IntVector_Intrinsics_vec128 a22 = Lib_IntVector_Intrinsics_vec128_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec128 a32 = Lib_IntVector_Intrinsics_vec128_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec128 a42 = Lib_IntVector_Intrinsics_vec128_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec128 + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec128 + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r11, a11)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec128 + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec128 + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec128 + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r11, a21)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a21)); + 
Lib_IntVector_Intrinsics_vec128 + a05 = + Lib_IntVector_Intrinsics_vec128_add64(a04, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec128 + a15 = + Lib_IntVector_Intrinsics_vec128_add64(a14, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec128 + a25 = + Lib_IntVector_Intrinsics_vec128_add64(a24, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec128 + a35 = + Lib_IntVector_Intrinsics_vec128_add64(a34, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec128 + a45 = + Lib_IntVector_Intrinsics_vec128_add64(a44, + Lib_IntVector_Intrinsics_vec128_mul64(r11, a31)); + Lib_IntVector_Intrinsics_vec128 + a06 = + Lib_IntVector_Intrinsics_vec128_add64(a05, + Lib_IntVector_Intrinsics_vec128_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec128 + a16 = + Lib_IntVector_Intrinsics_vec128_add64(a15, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec128 + a26 = + Lib_IntVector_Intrinsics_vec128_add64(a25, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec128 + a36 = + Lib_IntVector_Intrinsics_vec128_add64(a35, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec128 + a46 = + Lib_IntVector_Intrinsics_vec128_add64(a45, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec128 t0 = a06; + Lib_IntVector_Intrinsics_vec128 t1 = a16; + Lib_IntVector_Intrinsics_vec128 t2 = a26; + Lib_IntVector_Intrinsics_vec128 t3 = a36; + Lib_IntVector_Intrinsics_vec128 t4 = a46; + Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x0 = 
Lib_IntVector_Intrinsics_vec128_and(t0, mask26); + Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t1, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + Lib_IntVector_Intrinsics_vec128 o0 = x02; + 
Lib_IntVector_Intrinsics_vec128 o1 = x12; + Lib_IntVector_Intrinsics_vec128 o2 = x21; + Lib_IntVector_Intrinsics_vec128 o3 = x32; + Lib_IntVector_Intrinsics_vec128 o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + return; + } +} + +static inline void +poly1305_do_128( + uint8_t *k, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *out +) +{ + Lib_IntVector_Intrinsics_vec128 ctx[25U]; + for (uint32_t _i = 0U; _i < (uint32_t)25U; ++_i) + ctx[_i] = Lib_IntVector_Intrinsics_vec128_zero; + uint8_t block[16U] = { 0U }; + Hacl_Poly1305_128_poly1305_init(ctx, k); + if (aadlen != (uint32_t)0U) + { + poly1305_padded_128(ctx, aadlen, aad); + } + if (mlen != (uint32_t)0U) + { + poly1305_padded_128(ctx, mlen, m); + } + store64_le(block, (uint64_t)aadlen); + store64_le(block + (uint32_t)8U, (uint64_t)mlen); + Lib_IntVector_Intrinsics_vec128 *pre = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 *acc = ctx; + Lib_IntVector_Intrinsics_vec128 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + uint64_t u0 = load64_le(block); + uint64_t lo = u0; + uint64_t u = load64_le(block + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec128 f0 = Lib_IntVector_Intrinsics_vec128_load64(lo); + Lib_IntVector_Intrinsics_vec128 f1 = Lib_IntVector_Intrinsics_vec128_load64(hi); + Lib_IntVector_Intrinsics_vec128 + f010 = + Lib_IntVector_Intrinsics_vec128_and(f0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f110 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f20 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)52U), + 
Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(f1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f01 = f010; + Lib_IntVector_Intrinsics_vec128 f111 = f110; + Lib_IntVector_Intrinsics_vec128 f2 = f20; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b); + Lib_IntVector_Intrinsics_vec128 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec128_or(f4, mask); + Lib_IntVector_Intrinsics_vec128 *r = pre; + Lib_IntVector_Intrinsics_vec128 *r5 = pre + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 r0 = r[0U]; + Lib_IntVector_Intrinsics_vec128 r1 = r[1U]; + Lib_IntVector_Intrinsics_vec128 r2 = r[2U]; + Lib_IntVector_Intrinsics_vec128 r3 = r[3U]; + Lib_IntVector_Intrinsics_vec128 r4 = r[4U]; + Lib_IntVector_Intrinsics_vec128 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec128 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec128 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec128 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec128 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec128 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec128 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec128 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec128 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec128 a0 = acc[0U]; + Lib_IntVector_Intrinsics_vec128 a1 = acc[1U]; + Lib_IntVector_Intrinsics_vec128 a2 = acc[2U]; + Lib_IntVector_Intrinsics_vec128 a3 = acc[3U]; + Lib_IntVector_Intrinsics_vec128 a4 
= acc[4U]; + Lib_IntVector_Intrinsics_vec128 a01 = Lib_IntVector_Intrinsics_vec128_add64(a0, f10); + Lib_IntVector_Intrinsics_vec128 a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, f11); + Lib_IntVector_Intrinsics_vec128 a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, f12); + Lib_IntVector_Intrinsics_vec128 a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, f13); + Lib_IntVector_Intrinsics_vec128 a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, f14); + Lib_IntVector_Intrinsics_vec128 a02 = Lib_IntVector_Intrinsics_vec128_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec128 a12 = Lib_IntVector_Intrinsics_vec128_mul64(r1, a01); + Lib_IntVector_Intrinsics_vec128 a22 = Lib_IntVector_Intrinsics_vec128_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec128 a32 = Lib_IntVector_Intrinsics_vec128_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec128 a42 = Lib_IntVector_Intrinsics_vec128_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec128 + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec128 + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a11)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec128 + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec128 + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a21)); + 
Lib_IntVector_Intrinsics_vec128 + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a21)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec128 + a05 = + Lib_IntVector_Intrinsics_vec128_add64(a04, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec128 + a15 = + Lib_IntVector_Intrinsics_vec128_add64(a14, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec128 + a25 = + Lib_IntVector_Intrinsics_vec128_add64(a24, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec128 + a35 = + Lib_IntVector_Intrinsics_vec128_add64(a34, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec128 + a45 = + Lib_IntVector_Intrinsics_vec128_add64(a44, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a31)); + Lib_IntVector_Intrinsics_vec128 + a06 = + Lib_IntVector_Intrinsics_vec128_add64(a05, + Lib_IntVector_Intrinsics_vec128_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec128 + a16 = + Lib_IntVector_Intrinsics_vec128_add64(a15, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec128 + a26 = + Lib_IntVector_Intrinsics_vec128_add64(a25, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec128 + a36 = + Lib_IntVector_Intrinsics_vec128_add64(a35, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec128 + a46 = + Lib_IntVector_Intrinsics_vec128_add64(a45, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec128 t0 = a06; + Lib_IntVector_Intrinsics_vec128 t1 = a16; + Lib_IntVector_Intrinsics_vec128 t2 = a26; + Lib_IntVector_Intrinsics_vec128 t3 = a36; + Lib_IntVector_Intrinsics_vec128 t4 = a46; + Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + 
Lib_IntVector_Intrinsics_vec128 + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t0, mask26); + Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t1, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, 
(uint32_t)26U);
+ Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26);
+ Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03);
+ Lib_IntVector_Intrinsics_vec128 o0 = x02;
+ Lib_IntVector_Intrinsics_vec128 o1 = x12;
+ Lib_IntVector_Intrinsics_vec128 o2 = x21;
+ Lib_IntVector_Intrinsics_vec128 o3 = x32;
+ Lib_IntVector_Intrinsics_vec128 o4 = x42;
+ acc[0U] = o0;
+ acc[1U] = o1;
+ acc[2U] = o2;
+ acc[3U] = o3;
+ acc[4U] = o4;
+ Hacl_Poly1305_128_poly1305_finish(out, k, ctx);
+}
+
+void
+Hacl_Chacha20Poly1305_128_aead_encrypt(
+ uint8_t *k,
+ uint8_t *n,
+ uint32_t aadlen,
+ uint8_t *aad,
+ uint32_t mlen,
+ uint8_t *m,
+ uint8_t *cipher,
+ uint8_t *mac
+)
+{
+ Hacl_Chacha20_Vec128_chacha20_encrypt_128(mlen, cipher, m, k, n, (uint32_t)1U);
+ uint8_t tmp[64U] = { 0U };
+ Hacl_Chacha20_Vec128_chacha20_encrypt_128((uint32_t)64U, tmp, tmp, k, n, (uint32_t)0U);
+ uint8_t *key = tmp;
+ poly1305_do_128(key, aadlen, aad, mlen, cipher, mac);
+}
+
+uint32_t
+Hacl_Chacha20Poly1305_128_aead_decrypt(
+ uint8_t *k,
+ uint8_t *n,
+ uint32_t aadlen,
+ uint8_t *aad,
+ uint32_t mlen,
+ uint8_t *m,
+ uint8_t *cipher,
+ uint8_t *mac
+)
+{
+ uint8_t computed_mac[16U] = { 0U };
+ uint8_t tmp[64U] = { 0U };
+ Hacl_Chacha20_Vec128_chacha20_encrypt_128((uint32_t)64U, tmp, tmp, k, n, (uint32_t)0U);
+ uint8_t *key = tmp;
+ poly1305_do_128(key, aadlen, aad, mlen, cipher, computed_mac);
+ uint8_t res = (uint8_t)255U;
+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++)
+ {
+ uint8_t uu____0 = FStar_UInt8_eq_mask(computed_mac[i], mac[i]);
+ res = uu____0 & res;
+ }
+ uint8_t z = res;
+ if (z == (uint8_t)255U)
+ {
+ Hacl_Chacha20_Vec128_chacha20_encrypt_128(mlen, m, cipher, k, n, (uint32_t)1U);
+ return (uint32_t)0U;
+ }
+ return (uint32_t)1U;
+}
+
diff --git a/src/msvc/Hacl_Chacha20Poly1305_256.c b/src/msvc/Hacl_Chacha20Poly1305_256.c
new file mode 100644
index 00000000..d2ef7d5c
--- /dev/null
+++ b/src/msvc/Hacl_Chacha20Poly1305_256.c 
@@ -0,0 +1,1197 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Chacha20Poly1305_256.h" + +#include "internal/Hacl_Poly1305_256.h" +#include "internal/Hacl_Kremlib.h" + +static inline void +poly1305_padded_256(Lib_IntVector_Intrinsics_vec256 *ctx, uint32_t len, uint8_t *text) +{ + uint32_t n = len / (uint32_t)16U; + uint32_t r = len % (uint32_t)16U; + uint8_t *blocks = text; + uint8_t *rem = text + n * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec256 *pre0 = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 *acc0 = ctx; + uint32_t sz_block = (uint32_t)64U; + uint32_t len0 = n * (uint32_t)16U / sz_block * sz_block; + uint8_t *t00 = blocks; + if (len0 > (uint32_t)0U) + { + uint32_t bs = (uint32_t)64U; + uint8_t *text0 = t00; + Hacl_Impl_Poly1305_Field32xN_256_load_acc4(acc0, text0); + uint32_t len1 = len0 - bs; + uint8_t *text1 = t00 + bs; + uint32_t nb = len1 / bs; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = text1 + i * bs; + Lib_IntVector_Intrinsics_vec256 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 lo = Lib_IntVector_Intrinsics_vec256_load64_le(block); + Lib_IntVector_Intrinsics_vec256 + hi = Lib_IntVector_Intrinsics_vec256_load64_le(block + (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 + mask260 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + m0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(lo, hi); + Lib_IntVector_Intrinsics_vec256 + m1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(lo, hi); + Lib_IntVector_Intrinsics_vec256 + m2 = Lib_IntVector_Intrinsics_vec256_shift_right(m0, (uint32_t)48U); + Lib_IntVector_Intrinsics_vec256 + m3 = Lib_IntVector_Intrinsics_vec256_shift_right(m1, (uint32_t)48U); + Lib_IntVector_Intrinsics_vec256 + m4 = Lib_IntVector_Intrinsics_vec256_interleave_high64(m0, m1); + Lib_IntVector_Intrinsics_vec256 + t010 = Lib_IntVector_Intrinsics_vec256_interleave_low64(m0, m1); + 
Lib_IntVector_Intrinsics_vec256 + t30 = Lib_IntVector_Intrinsics_vec256_interleave_low64(m2, m3); + Lib_IntVector_Intrinsics_vec256 + t20 = Lib_IntVector_Intrinsics_vec256_shift_right64(t30, (uint32_t)4U); + Lib_IntVector_Intrinsics_vec256 o20 = Lib_IntVector_Intrinsics_vec256_and(t20, mask260); + Lib_IntVector_Intrinsics_vec256 + t10 = Lib_IntVector_Intrinsics_vec256_shift_right64(t010, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 o10 = Lib_IntVector_Intrinsics_vec256_and(t10, mask260); + Lib_IntVector_Intrinsics_vec256 o5 = Lib_IntVector_Intrinsics_vec256_and(t010, mask260); + Lib_IntVector_Intrinsics_vec256 + t31 = Lib_IntVector_Intrinsics_vec256_shift_right64(t30, (uint32_t)30U); + Lib_IntVector_Intrinsics_vec256 o30 = Lib_IntVector_Intrinsics_vec256_and(t31, mask260); + Lib_IntVector_Intrinsics_vec256 + o40 = Lib_IntVector_Intrinsics_vec256_shift_right64(m4, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 o00 = o5; + Lib_IntVector_Intrinsics_vec256 o11 = o10; + Lib_IntVector_Intrinsics_vec256 o21 = o20; + Lib_IntVector_Intrinsics_vec256 o31 = o30; + Lib_IntVector_Intrinsics_vec256 o41 = o40; + e[0U] = o00; + e[1U] = o11; + e[2U] = o21; + e[3U] = o31; + e[4U] = o41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_load64(b); + Lib_IntVector_Intrinsics_vec256 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec256_or(f4, mask); + Lib_IntVector_Intrinsics_vec256 *rn = pre0 + (uint32_t)10U; + Lib_IntVector_Intrinsics_vec256 *rn5 = pre0 + (uint32_t)15U; + Lib_IntVector_Intrinsics_vec256 r0 = rn[0U]; + Lib_IntVector_Intrinsics_vec256 r1 = rn[1U]; + Lib_IntVector_Intrinsics_vec256 r2 = rn[2U]; + Lib_IntVector_Intrinsics_vec256 r3 = rn[3U]; + Lib_IntVector_Intrinsics_vec256 r4 = rn[4U]; + Lib_IntVector_Intrinsics_vec256 r51 = rn5[1U]; + Lib_IntVector_Intrinsics_vec256 r52 = rn5[2U]; + Lib_IntVector_Intrinsics_vec256 r53 = rn5[3U]; + Lib_IntVector_Intrinsics_vec256 r54 = rn5[4U]; + 
Lib_IntVector_Intrinsics_vec256 f10 = acc0[0U]; + Lib_IntVector_Intrinsics_vec256 f110 = acc0[1U]; + Lib_IntVector_Intrinsics_vec256 f120 = acc0[2U]; + Lib_IntVector_Intrinsics_vec256 f130 = acc0[3U]; + Lib_IntVector_Intrinsics_vec256 f140 = acc0[4U]; + Lib_IntVector_Intrinsics_vec256 a0 = Lib_IntVector_Intrinsics_vec256_mul64(r0, f10); + Lib_IntVector_Intrinsics_vec256 a1 = Lib_IntVector_Intrinsics_vec256_mul64(r1, f10); + Lib_IntVector_Intrinsics_vec256 a2 = Lib_IntVector_Intrinsics_vec256_mul64(r2, f10); + Lib_IntVector_Intrinsics_vec256 a3 = Lib_IntVector_Intrinsics_vec256_mul64(r3, f10); + Lib_IntVector_Intrinsics_vec256 a4 = Lib_IntVector_Intrinsics_vec256_mul64(r4, f10); + Lib_IntVector_Intrinsics_vec256 + a01 = + Lib_IntVector_Intrinsics_vec256_add64(a0, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f110)); + Lib_IntVector_Intrinsics_vec256 + a11 = + Lib_IntVector_Intrinsics_vec256_add64(a1, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f110)); + Lib_IntVector_Intrinsics_vec256 + a21 = + Lib_IntVector_Intrinsics_vec256_add64(a2, + Lib_IntVector_Intrinsics_vec256_mul64(r1, f110)); + Lib_IntVector_Intrinsics_vec256 + a31 = + Lib_IntVector_Intrinsics_vec256_add64(a3, + Lib_IntVector_Intrinsics_vec256_mul64(r2, f110)); + Lib_IntVector_Intrinsics_vec256 + a41 = + Lib_IntVector_Intrinsics_vec256_add64(a4, + Lib_IntVector_Intrinsics_vec256_mul64(r3, f110)); + Lib_IntVector_Intrinsics_vec256 + a02 = + Lib_IntVector_Intrinsics_vec256_add64(a01, + Lib_IntVector_Intrinsics_vec256_mul64(r53, f120)); + Lib_IntVector_Intrinsics_vec256 + a12 = + Lib_IntVector_Intrinsics_vec256_add64(a11, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f120)); + Lib_IntVector_Intrinsics_vec256 + a22 = + Lib_IntVector_Intrinsics_vec256_add64(a21, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f120)); + Lib_IntVector_Intrinsics_vec256 + a32 = + Lib_IntVector_Intrinsics_vec256_add64(a31, + Lib_IntVector_Intrinsics_vec256_mul64(r1, f120)); + Lib_IntVector_Intrinsics_vec256 + a42 = + 
Lib_IntVector_Intrinsics_vec256_add64(a41, + Lib_IntVector_Intrinsics_vec256_mul64(r2, f120)); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r52, f130)); + Lib_IntVector_Intrinsics_vec256 + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r53, f130)); + Lib_IntVector_Intrinsics_vec256 + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f130)); + Lib_IntVector_Intrinsics_vec256 + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f130)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r1, f130)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r51, f140)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r52, f140)); + Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r53, f140)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f140)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f140)); + Lib_IntVector_Intrinsics_vec256 t01 = a04; + Lib_IntVector_Intrinsics_vec256 t1 = a14; + Lib_IntVector_Intrinsics_vec256 t2 = a24; + Lib_IntVector_Intrinsics_vec256 t3 = a34; + Lib_IntVector_Intrinsics_vec256 t4 = a44; + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z1 = 
Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_and(t01, mask26); + Lib_IntVector_Intrinsics_vec256 x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t1, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + Lib_IntVector_Intrinsics_vec256 x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + Lib_IntVector_Intrinsics_vec256 x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + Lib_IntVector_Intrinsics_vec256 + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 x12 = Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + Lib_IntVector_Intrinsics_vec256 x42 = 
Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o01 = x02; + Lib_IntVector_Intrinsics_vec256 o12 = x12; + Lib_IntVector_Intrinsics_vec256 o22 = x21; + Lib_IntVector_Intrinsics_vec256 o32 = x32; + Lib_IntVector_Intrinsics_vec256 o42 = x42; + acc0[0U] = o01; + acc0[1U] = o12; + acc0[2U] = o22; + acc0[3U] = o32; + acc0[4U] = o42; + Lib_IntVector_Intrinsics_vec256 f100 = acc0[0U]; + Lib_IntVector_Intrinsics_vec256 f11 = acc0[1U]; + Lib_IntVector_Intrinsics_vec256 f12 = acc0[2U]; + Lib_IntVector_Intrinsics_vec256 f13 = acc0[3U]; + Lib_IntVector_Intrinsics_vec256 f14 = acc0[4U]; + Lib_IntVector_Intrinsics_vec256 f20 = e[0U]; + Lib_IntVector_Intrinsics_vec256 f21 = e[1U]; + Lib_IntVector_Intrinsics_vec256 f22 = e[2U]; + Lib_IntVector_Intrinsics_vec256 f23 = e[3U]; + Lib_IntVector_Intrinsics_vec256 f24 = e[4U]; + Lib_IntVector_Intrinsics_vec256 o0 = Lib_IntVector_Intrinsics_vec256_add64(f100, f20); + Lib_IntVector_Intrinsics_vec256 o1 = Lib_IntVector_Intrinsics_vec256_add64(f11, f21); + Lib_IntVector_Intrinsics_vec256 o2 = Lib_IntVector_Intrinsics_vec256_add64(f12, f22); + Lib_IntVector_Intrinsics_vec256 o3 = Lib_IntVector_Intrinsics_vec256_add64(f13, f23); + Lib_IntVector_Intrinsics_vec256 o4 = Lib_IntVector_Intrinsics_vec256_add64(f14, f24); + acc0[0U] = o0; + acc0[1U] = o1; + acc0[2U] = o2; + acc0[3U] = o3; + acc0[4U] = o4; + } + Hacl_Impl_Poly1305_Field32xN_256_fmul_r4_normalize(acc0, pre0); + } + uint32_t len1 = n * (uint32_t)16U - len0; + uint8_t *t10 = blocks + len0; + uint32_t nb = len1 / (uint32_t)16U; + uint32_t rem1 = len1 % (uint32_t)16U; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = t10 + i * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec256 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + uint64_t u0 = load64_le(block); + uint64_t lo = u0; + uint64_t u = load64_le(block + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec256 f0 = 
Lib_IntVector_Intrinsics_vec256_load64(lo); + Lib_IntVector_Intrinsics_vec256 f1 = Lib_IntVector_Intrinsics_vec256_load64(hi); + Lib_IntVector_Intrinsics_vec256 + f010 = + Lib_IntVector_Intrinsics_vec256_and(f0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f110 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f20 = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec256_shift_left64(Lib_IntVector_Intrinsics_vec256_and(f1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec256 + f30 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f40 = Lib_IntVector_Intrinsics_vec256_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 f01 = f010; + Lib_IntVector_Intrinsics_vec256 f111 = f110; + Lib_IntVector_Intrinsics_vec256 f2 = f20; + Lib_IntVector_Intrinsics_vec256 f3 = f30; + Lib_IntVector_Intrinsics_vec256 f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_load64(b); + Lib_IntVector_Intrinsics_vec256 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec256_or(f4, mask); + Lib_IntVector_Intrinsics_vec256 *r1 = pre0; + Lib_IntVector_Intrinsics_vec256 *r5 = pre0 + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 r0 = r1[0U]; + Lib_IntVector_Intrinsics_vec256 r11 = r1[1U]; + Lib_IntVector_Intrinsics_vec256 r2 = r1[2U]; + Lib_IntVector_Intrinsics_vec256 r3 = r1[3U]; + Lib_IntVector_Intrinsics_vec256 r4 = r1[4U]; + 
Lib_IntVector_Intrinsics_vec256 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec256 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec256 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec256 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec256 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec256 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec256 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec256 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec256 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec256 a0 = acc0[0U]; + Lib_IntVector_Intrinsics_vec256 a1 = acc0[1U]; + Lib_IntVector_Intrinsics_vec256 a2 = acc0[2U]; + Lib_IntVector_Intrinsics_vec256 a3 = acc0[3U]; + Lib_IntVector_Intrinsics_vec256 a4 = acc0[4U]; + Lib_IntVector_Intrinsics_vec256 a01 = Lib_IntVector_Intrinsics_vec256_add64(a0, f10); + Lib_IntVector_Intrinsics_vec256 a11 = Lib_IntVector_Intrinsics_vec256_add64(a1, f11); + Lib_IntVector_Intrinsics_vec256 a21 = Lib_IntVector_Intrinsics_vec256_add64(a2, f12); + Lib_IntVector_Intrinsics_vec256 a31 = Lib_IntVector_Intrinsics_vec256_add64(a3, f13); + Lib_IntVector_Intrinsics_vec256 a41 = Lib_IntVector_Intrinsics_vec256_add64(a4, f14); + Lib_IntVector_Intrinsics_vec256 a02 = Lib_IntVector_Intrinsics_vec256_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec256 a12 = Lib_IntVector_Intrinsics_vec256_mul64(r11, a01); + Lib_IntVector_Intrinsics_vec256 a22 = Lib_IntVector_Intrinsics_vec256_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec256 a32 = Lib_IntVector_Intrinsics_vec256_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec256 a42 = Lib_IntVector_Intrinsics_vec256_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec256 + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec256 + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r11, a11)); + 
Lib_IntVector_Intrinsics_vec256 + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r11, a21)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec256 + a05 = + Lib_IntVector_Intrinsics_vec256_add64(a04, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec256 + a15 = + Lib_IntVector_Intrinsics_vec256_add64(a14, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec256 + a25 = + Lib_IntVector_Intrinsics_vec256_add64(a24, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec256 + a35 = + Lib_IntVector_Intrinsics_vec256_add64(a34, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec256 + a45 = + Lib_IntVector_Intrinsics_vec256_add64(a44, + Lib_IntVector_Intrinsics_vec256_mul64(r11, a31)); + Lib_IntVector_Intrinsics_vec256 + a06 = + Lib_IntVector_Intrinsics_vec256_add64(a05, + Lib_IntVector_Intrinsics_vec256_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec256 + a16 = + Lib_IntVector_Intrinsics_vec256_add64(a15, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec256 + a26 = + 
Lib_IntVector_Intrinsics_vec256_add64(a25, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec256 + a36 = + Lib_IntVector_Intrinsics_vec256_add64(a35, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec256 + a46 = + Lib_IntVector_Intrinsics_vec256_add64(a45, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec256 t01 = a06; + Lib_IntVector_Intrinsics_vec256 t11 = a16; + Lib_IntVector_Intrinsics_vec256 t2 = a26; + Lib_IntVector_Intrinsics_vec256 t3 = a36; + Lib_IntVector_Intrinsics_vec256 t4 = a46; + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_and(t01, mask26); + Lib_IntVector_Intrinsics_vec256 x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t11, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + Lib_IntVector_Intrinsics_vec256 x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + Lib_IntVector_Intrinsics_vec256 x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 x01 = 
Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + Lib_IntVector_Intrinsics_vec256 + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 x12 = Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + Lib_IntVector_Intrinsics_vec256 x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o0 = x02; + Lib_IntVector_Intrinsics_vec256 o1 = x12; + Lib_IntVector_Intrinsics_vec256 o2 = x21; + Lib_IntVector_Intrinsics_vec256 o3 = x32; + Lib_IntVector_Intrinsics_vec256 o4 = x42; + acc0[0U] = o0; + acc0[1U] = o1; + acc0[2U] = o2; + acc0[3U] = o3; + acc0[4U] = o4; + } + if (rem1 > (uint32_t)0U) + { + uint8_t *last = t10 + nb * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec256 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + uint8_t tmp[16U] = { 0U }; + memcpy(tmp, last, rem1 * sizeof (uint8_t)); + uint64_t u0 = load64_le(tmp); + uint64_t lo = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec256 f0 = Lib_IntVector_Intrinsics_vec256_load64(lo); + Lib_IntVector_Intrinsics_vec256 f1 = Lib_IntVector_Intrinsics_vec256_load64(hi); + Lib_IntVector_Intrinsics_vec256 + f010 = + Lib_IntVector_Intrinsics_vec256_and(f0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f110 = + 
Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f20 = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec256_shift_left64(Lib_IntVector_Intrinsics_vec256_and(f1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec256 + f30 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f40 = Lib_IntVector_Intrinsics_vec256_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 f01 = f010; + Lib_IntVector_Intrinsics_vec256 f111 = f110; + Lib_IntVector_Intrinsics_vec256 f2 = f20; + Lib_IntVector_Intrinsics_vec256 f3 = f30; + Lib_IntVector_Intrinsics_vec256 f4 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f4; + uint64_t b = (uint64_t)1U << rem1 * (uint32_t)8U % (uint32_t)26U; + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_load64(b); + Lib_IntVector_Intrinsics_vec256 fi = e[rem1 * (uint32_t)8U / (uint32_t)26U]; + e[rem1 * (uint32_t)8U / (uint32_t)26U] = Lib_IntVector_Intrinsics_vec256_or(fi, mask); + Lib_IntVector_Intrinsics_vec256 *r1 = pre0; + Lib_IntVector_Intrinsics_vec256 *r5 = pre0 + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 r0 = r1[0U]; + Lib_IntVector_Intrinsics_vec256 r11 = r1[1U]; + Lib_IntVector_Intrinsics_vec256 r2 = r1[2U]; + Lib_IntVector_Intrinsics_vec256 r3 = r1[3U]; + Lib_IntVector_Intrinsics_vec256 r4 = r1[4U]; + Lib_IntVector_Intrinsics_vec256 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec256 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec256 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec256 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec256 f10 = 
e[0U]; + Lib_IntVector_Intrinsics_vec256 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec256 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec256 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec256 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec256 a0 = acc0[0U]; + Lib_IntVector_Intrinsics_vec256 a1 = acc0[1U]; + Lib_IntVector_Intrinsics_vec256 a2 = acc0[2U]; + Lib_IntVector_Intrinsics_vec256 a3 = acc0[3U]; + Lib_IntVector_Intrinsics_vec256 a4 = acc0[4U]; + Lib_IntVector_Intrinsics_vec256 a01 = Lib_IntVector_Intrinsics_vec256_add64(a0, f10); + Lib_IntVector_Intrinsics_vec256 a11 = Lib_IntVector_Intrinsics_vec256_add64(a1, f11); + Lib_IntVector_Intrinsics_vec256 a21 = Lib_IntVector_Intrinsics_vec256_add64(a2, f12); + Lib_IntVector_Intrinsics_vec256 a31 = Lib_IntVector_Intrinsics_vec256_add64(a3, f13); + Lib_IntVector_Intrinsics_vec256 a41 = Lib_IntVector_Intrinsics_vec256_add64(a4, f14); + Lib_IntVector_Intrinsics_vec256 a02 = Lib_IntVector_Intrinsics_vec256_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec256 a12 = Lib_IntVector_Intrinsics_vec256_mul64(r11, a01); + Lib_IntVector_Intrinsics_vec256 a22 = Lib_IntVector_Intrinsics_vec256_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec256 a32 = Lib_IntVector_Intrinsics_vec256_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec256 a42 = Lib_IntVector_Intrinsics_vec256_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec256 + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec256 + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r11, a11)); + Lib_IntVector_Intrinsics_vec256 + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + 
Lib_IntVector_Intrinsics_vec256_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r11, a21)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec256 + a05 = + Lib_IntVector_Intrinsics_vec256_add64(a04, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec256 + a15 = + Lib_IntVector_Intrinsics_vec256_add64(a14, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec256 + a25 = + Lib_IntVector_Intrinsics_vec256_add64(a24, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec256 + a35 = + Lib_IntVector_Intrinsics_vec256_add64(a34, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec256 + a45 = + Lib_IntVector_Intrinsics_vec256_add64(a44, + Lib_IntVector_Intrinsics_vec256_mul64(r11, a31)); + Lib_IntVector_Intrinsics_vec256 + a06 = + Lib_IntVector_Intrinsics_vec256_add64(a05, + Lib_IntVector_Intrinsics_vec256_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec256 + a16 = + Lib_IntVector_Intrinsics_vec256_add64(a15, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec256 + a26 = + Lib_IntVector_Intrinsics_vec256_add64(a25, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec256 + a36 = + Lib_IntVector_Intrinsics_vec256_add64(a35, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a41)); + 
Lib_IntVector_Intrinsics_vec256 + a46 = + Lib_IntVector_Intrinsics_vec256_add64(a45, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec256 t01 = a06; + Lib_IntVector_Intrinsics_vec256 t11 = a16; + Lib_IntVector_Intrinsics_vec256 t2 = a26; + Lib_IntVector_Intrinsics_vec256 t3 = a36; + Lib_IntVector_Intrinsics_vec256 t4 = a46; + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_and(t01, mask26); + Lib_IntVector_Intrinsics_vec256 x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t11, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + Lib_IntVector_Intrinsics_vec256 x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + Lib_IntVector_Intrinsics_vec256 x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + Lib_IntVector_Intrinsics_vec256 + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, 
(uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 x12 = Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + Lib_IntVector_Intrinsics_vec256 x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o0 = x02; + Lib_IntVector_Intrinsics_vec256 o1 = x12; + Lib_IntVector_Intrinsics_vec256 o2 = x21; + Lib_IntVector_Intrinsics_vec256 o3 = x32; + Lib_IntVector_Intrinsics_vec256 o4 = x42; + acc0[0U] = o0; + acc0[1U] = o1; + acc0[2U] = o2; + acc0[3U] = o3; + acc0[4U] = o4; + } + uint8_t tmp[16U] = { 0U }; + memcpy(tmp, rem, r * sizeof (uint8_t)); + if (r > (uint32_t)0U) + { + Lib_IntVector_Intrinsics_vec256 *pre = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 *acc = ctx; + Lib_IntVector_Intrinsics_vec256 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + uint64_t u0 = load64_le(tmp); + uint64_t lo = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec256 f0 = Lib_IntVector_Intrinsics_vec256_load64(lo); + Lib_IntVector_Intrinsics_vec256 f1 = Lib_IntVector_Intrinsics_vec256_load64(hi); + Lib_IntVector_Intrinsics_vec256 + f010 = + Lib_IntVector_Intrinsics_vec256_and(f0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f110 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + 
f20 = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec256_shift_left64(Lib_IntVector_Intrinsics_vec256_and(f1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec256 + f30 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f40 = Lib_IntVector_Intrinsics_vec256_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 f01 = f010; + Lib_IntVector_Intrinsics_vec256 f111 = f110; + Lib_IntVector_Intrinsics_vec256 f2 = f20; + Lib_IntVector_Intrinsics_vec256 f3 = f30; + Lib_IntVector_Intrinsics_vec256 f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_load64(b); + Lib_IntVector_Intrinsics_vec256 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec256_or(f4, mask); + Lib_IntVector_Intrinsics_vec256 *r1 = pre; + Lib_IntVector_Intrinsics_vec256 *r5 = pre + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 r0 = r1[0U]; + Lib_IntVector_Intrinsics_vec256 r11 = r1[1U]; + Lib_IntVector_Intrinsics_vec256 r2 = r1[2U]; + Lib_IntVector_Intrinsics_vec256 r3 = r1[3U]; + Lib_IntVector_Intrinsics_vec256 r4 = r1[4U]; + Lib_IntVector_Intrinsics_vec256 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec256 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec256 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec256 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec256 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec256 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec256 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec256 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec256 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec256 a0 = acc[0U]; + Lib_IntVector_Intrinsics_vec256 a1 = acc[1U]; + 
Lib_IntVector_Intrinsics_vec256 a2 = acc[2U]; + Lib_IntVector_Intrinsics_vec256 a3 = acc[3U]; + Lib_IntVector_Intrinsics_vec256 a4 = acc[4U]; + Lib_IntVector_Intrinsics_vec256 a01 = Lib_IntVector_Intrinsics_vec256_add64(a0, f10); + Lib_IntVector_Intrinsics_vec256 a11 = Lib_IntVector_Intrinsics_vec256_add64(a1, f11); + Lib_IntVector_Intrinsics_vec256 a21 = Lib_IntVector_Intrinsics_vec256_add64(a2, f12); + Lib_IntVector_Intrinsics_vec256 a31 = Lib_IntVector_Intrinsics_vec256_add64(a3, f13); + Lib_IntVector_Intrinsics_vec256 a41 = Lib_IntVector_Intrinsics_vec256_add64(a4, f14); + Lib_IntVector_Intrinsics_vec256 a02 = Lib_IntVector_Intrinsics_vec256_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec256 a12 = Lib_IntVector_Intrinsics_vec256_mul64(r11, a01); + Lib_IntVector_Intrinsics_vec256 a22 = Lib_IntVector_Intrinsics_vec256_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec256 a32 = Lib_IntVector_Intrinsics_vec256_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec256 a42 = Lib_IntVector_Intrinsics_vec256_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec256 + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec256 + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r11, a11)); + Lib_IntVector_Intrinsics_vec256 + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a21)); + 
Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r11, a21)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec256 + a05 = + Lib_IntVector_Intrinsics_vec256_add64(a04, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec256 + a15 = + Lib_IntVector_Intrinsics_vec256_add64(a14, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec256 + a25 = + Lib_IntVector_Intrinsics_vec256_add64(a24, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec256 + a35 = + Lib_IntVector_Intrinsics_vec256_add64(a34, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec256 + a45 = + Lib_IntVector_Intrinsics_vec256_add64(a44, + Lib_IntVector_Intrinsics_vec256_mul64(r11, a31)); + Lib_IntVector_Intrinsics_vec256 + a06 = + Lib_IntVector_Intrinsics_vec256_add64(a05, + Lib_IntVector_Intrinsics_vec256_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec256 + a16 = + Lib_IntVector_Intrinsics_vec256_add64(a15, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec256 + a26 = + Lib_IntVector_Intrinsics_vec256_add64(a25, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec256 + a36 = + Lib_IntVector_Intrinsics_vec256_add64(a35, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec256 + a46 = + Lib_IntVector_Intrinsics_vec256_add64(a45, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec256 t0 = a06; + Lib_IntVector_Intrinsics_vec256 t1 = a16; + Lib_IntVector_Intrinsics_vec256 t2 = a26; + Lib_IntVector_Intrinsics_vec256 t3 = a36; + 
Lib_IntVector_Intrinsics_vec256 t4 = a46; + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_and(t0, mask26); + Lib_IntVector_Intrinsics_vec256 x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t1, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + Lib_IntVector_Intrinsics_vec256 x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + Lib_IntVector_Intrinsics_vec256 x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + Lib_IntVector_Intrinsics_vec256 + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 x12 = 
Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + Lib_IntVector_Intrinsics_vec256 x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o0 = x02; + Lib_IntVector_Intrinsics_vec256 o1 = x12; + Lib_IntVector_Intrinsics_vec256 o2 = x21; + Lib_IntVector_Intrinsics_vec256 o3 = x32; + Lib_IntVector_Intrinsics_vec256 o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + return; + } +} + +static inline void +poly1305_do_256( + uint8_t *k, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *out +) +{ + Lib_IntVector_Intrinsics_vec256 ctx[25U]; + for (uint32_t _i = 0U; _i < (uint32_t)25U; ++_i) + ctx[_i] = Lib_IntVector_Intrinsics_vec256_zero; + uint8_t block[16U] = { 0U }; + Hacl_Poly1305_256_poly1305_init(ctx, k); + if (aadlen != (uint32_t)0U) + { + poly1305_padded_256(ctx, aadlen, aad); + } + if (mlen != (uint32_t)0U) + { + poly1305_padded_256(ctx, mlen, m); + } + store64_le(block, (uint64_t)aadlen); + store64_le(block + (uint32_t)8U, (uint64_t)mlen); + Lib_IntVector_Intrinsics_vec256 *pre = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 *acc = ctx; + Lib_IntVector_Intrinsics_vec256 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + uint64_t u0 = load64_le(block); + uint64_t lo = u0; + uint64_t u = load64_le(block + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec256 f0 = Lib_IntVector_Intrinsics_vec256_load64(lo); + Lib_IntVector_Intrinsics_vec256 f1 = Lib_IntVector_Intrinsics_vec256_load64(hi); + Lib_IntVector_Intrinsics_vec256 + f010 = + Lib_IntVector_Intrinsics_vec256_and(f0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f110 = + 
Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f20 = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec256_shift_left64(Lib_IntVector_Intrinsics_vec256_and(f1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec256 + f30 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f40 = Lib_IntVector_Intrinsics_vec256_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 f01 = f010; + Lib_IntVector_Intrinsics_vec256 f111 = f110; + Lib_IntVector_Intrinsics_vec256 f2 = f20; + Lib_IntVector_Intrinsics_vec256 f3 = f30; + Lib_IntVector_Intrinsics_vec256 f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_load64(b); + Lib_IntVector_Intrinsics_vec256 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec256_or(f4, mask); + Lib_IntVector_Intrinsics_vec256 *r = pre; + Lib_IntVector_Intrinsics_vec256 *r5 = pre + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 r0 = r[0U]; + Lib_IntVector_Intrinsics_vec256 r1 = r[1U]; + Lib_IntVector_Intrinsics_vec256 r2 = r[2U]; + Lib_IntVector_Intrinsics_vec256 r3 = r[3U]; + Lib_IntVector_Intrinsics_vec256 r4 = r[4U]; + Lib_IntVector_Intrinsics_vec256 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec256 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec256 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec256 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec256 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec256 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec256 f12 = e[2U]; + 
Lib_IntVector_Intrinsics_vec256 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec256 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec256 a0 = acc[0U]; + Lib_IntVector_Intrinsics_vec256 a1 = acc[1U]; + Lib_IntVector_Intrinsics_vec256 a2 = acc[2U]; + Lib_IntVector_Intrinsics_vec256 a3 = acc[3U]; + Lib_IntVector_Intrinsics_vec256 a4 = acc[4U]; + Lib_IntVector_Intrinsics_vec256 a01 = Lib_IntVector_Intrinsics_vec256_add64(a0, f10); + Lib_IntVector_Intrinsics_vec256 a11 = Lib_IntVector_Intrinsics_vec256_add64(a1, f11); + Lib_IntVector_Intrinsics_vec256 a21 = Lib_IntVector_Intrinsics_vec256_add64(a2, f12); + Lib_IntVector_Intrinsics_vec256 a31 = Lib_IntVector_Intrinsics_vec256_add64(a3, f13); + Lib_IntVector_Intrinsics_vec256 a41 = Lib_IntVector_Intrinsics_vec256_add64(a4, f14); + Lib_IntVector_Intrinsics_vec256 a02 = Lib_IntVector_Intrinsics_vec256_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec256 a12 = Lib_IntVector_Intrinsics_vec256_mul64(r1, a01); + Lib_IntVector_Intrinsics_vec256 a22 = Lib_IntVector_Intrinsics_vec256_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec256 a32 = Lib_IntVector_Intrinsics_vec256_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec256 a42 = Lib_IntVector_Intrinsics_vec256_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec256 + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec256 + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a11)); + Lib_IntVector_Intrinsics_vec256 + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + 
Lib_IntVector_Intrinsics_vec256_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a21)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec256 + a05 = + Lib_IntVector_Intrinsics_vec256_add64(a04, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec256 + a15 = + Lib_IntVector_Intrinsics_vec256_add64(a14, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec256 + a25 = + Lib_IntVector_Intrinsics_vec256_add64(a24, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec256 + a35 = + Lib_IntVector_Intrinsics_vec256_add64(a34, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec256 + a45 = + Lib_IntVector_Intrinsics_vec256_add64(a44, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a31)); + Lib_IntVector_Intrinsics_vec256 + a06 = + Lib_IntVector_Intrinsics_vec256_add64(a05, + Lib_IntVector_Intrinsics_vec256_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec256 + a16 = + Lib_IntVector_Intrinsics_vec256_add64(a15, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec256 + a26 = + Lib_IntVector_Intrinsics_vec256_add64(a25, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec256 + a36 = + Lib_IntVector_Intrinsics_vec256_add64(a35, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec256 + a46 = + Lib_IntVector_Intrinsics_vec256_add64(a45, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a41)); + 
Lib_IntVector_Intrinsics_vec256 t0 = a06; + Lib_IntVector_Intrinsics_vec256 t1 = a16; + Lib_IntVector_Intrinsics_vec256 t2 = a26; + Lib_IntVector_Intrinsics_vec256 t3 = a36; + Lib_IntVector_Intrinsics_vec256 t4 = a46; + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_and(t0, mask26); + Lib_IntVector_Intrinsics_vec256 x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t1, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + Lib_IntVector_Intrinsics_vec256 x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + Lib_IntVector_Intrinsics_vec256 x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + Lib_IntVector_Intrinsics_vec256 + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 x02 = 
Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 x12 = Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + Lib_IntVector_Intrinsics_vec256 x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o0 = x02; + Lib_IntVector_Intrinsics_vec256 o1 = x12; + Lib_IntVector_Intrinsics_vec256 o2 = x21; + Lib_IntVector_Intrinsics_vec256 o3 = x32; + Lib_IntVector_Intrinsics_vec256 o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + Hacl_Poly1305_256_poly1305_finish(out, k, ctx); +} + +void +Hacl_Chacha20Poly1305_256_aead_encrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *mac +) +{ + Hacl_Chacha20_Vec256_chacha20_encrypt_256(mlen, cipher, m, k, n, (uint32_t)1U); + uint8_t tmp[64U] = { 0U }; + Hacl_Chacha20_Vec256_chacha20_encrypt_256((uint32_t)64U, tmp, tmp, k, n, (uint32_t)0U); + uint8_t *key = tmp; + poly1305_do_256(key, aadlen, aad, mlen, cipher, mac); +} + +uint32_t +Hacl_Chacha20Poly1305_256_aead_decrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *mac +) +{ + uint8_t computed_mac[16U] = { 0U }; + uint8_t tmp[64U] = { 0U }; + Hacl_Chacha20_Vec256_chacha20_encrypt_256((uint32_t)64U, tmp, tmp, k, n, (uint32_t)0U); + uint8_t *key = tmp; + poly1305_do_256(key, aadlen, aad, mlen, cipher, computed_mac); + uint8_t res = (uint8_t)255U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint8_t uu____0 = FStar_UInt8_eq_mask(computed_mac[i], mac[i]); + res = uu____0 & res; + } + uint8_t z = res; + if (z == (uint8_t)255U) + { 
+ Hacl_Chacha20_Vec256_chacha20_encrypt_256(mlen, m, cipher, k, n, (uint32_t)1U);
+ return (uint32_t)0U;
+ }
+ return (uint32_t)1U;
+}
+
diff --git a/src/msvc/Hacl_Chacha20Poly1305_32.c b/src/msvc/Hacl_Chacha20Poly1305_32.c
new file mode 100644
index 00000000..f25a377e
--- /dev/null
+++ b/src/msvc/Hacl_Chacha20Poly1305_32.c
@@ -0,0 +1,601 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */ + + +#include "Hacl_Chacha20Poly1305_32.h" + +#include "internal/Hacl_Kremlib.h" + +static inline void poly1305_padded_32(uint64_t *ctx, uint32_t len, uint8_t *text) +{ + uint32_t n = len / (uint32_t)16U; + uint32_t r = len % (uint32_t)16U; + uint8_t *blocks = text; + uint8_t *rem = text + n * (uint32_t)16U; + uint64_t *pre0 = ctx + (uint32_t)5U; + uint64_t *acc0 = ctx; + uint32_t nb = n * (uint32_t)16U / (uint32_t)16U; + uint32_t rem1 = n * (uint32_t)16U % (uint32_t)16U; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = blocks + i * (uint32_t)16U; + uint64_t e[5U] = { 0U }; + uint64_t u0 = load64_le(block); + uint64_t lo = u0; + uint64_t u = load64_le(block + (uint32_t)8U); + uint64_t hi = u; + uint64_t f0 = lo; + uint64_t f1 = hi; + uint64_t f010 = f0 & (uint64_t)0x3ffffffU; + uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU; + uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U; + uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU; + uint64_t f40 = f1 >> (uint32_t)40U; + uint64_t f01 = f010; + uint64_t f111 = f110; + uint64_t f2 = f20; + uint64_t f3 = f30; + uint64_t f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + uint64_t mask = b; + uint64_t f4 = e[4U]; + e[4U] = f4 | mask; + uint64_t *r1 = pre0; + uint64_t *r5 = pre0 + (uint32_t)5U; + uint64_t r0 = r1[0U]; + uint64_t r11 = r1[1U]; + uint64_t r2 = r1[2U]; + uint64_t r3 = r1[3U]; + uint64_t r4 = r1[4U]; + uint64_t r51 = r5[1U]; + uint64_t r52 = r5[2U]; + uint64_t r53 = r5[3U]; + uint64_t r54 = r5[4U]; + uint64_t f10 = e[0U]; + uint64_t f11 = e[1U]; + uint64_t f12 = e[2U]; + uint64_t f13 = e[3U]; + uint64_t f14 = e[4U]; + uint64_t a0 = acc0[0U]; + uint64_t a1 = acc0[1U]; + uint64_t a2 = acc0[2U]; + uint64_t a3 = acc0[3U]; + uint64_t a4 = acc0[4U]; + uint64_t a01 = a0 + f10; + uint64_t a11 = a1 + f11; + uint64_t a21 = a2 + f12; + uint64_t a31 = a3 + f13; + uint64_t a41 = 
a4 + f14; + uint64_t a02 = r0 * a01; + uint64_t a12 = r11 * a01; + uint64_t a22 = r2 * a01; + uint64_t a32 = r3 * a01; + uint64_t a42 = r4 * a01; + uint64_t a03 = a02 + r54 * a11; + uint64_t a13 = a12 + r0 * a11; + uint64_t a23 = a22 + r11 * a11; + uint64_t a33 = a32 + r2 * a11; + uint64_t a43 = a42 + r3 * a11; + uint64_t a04 = a03 + r53 * a21; + uint64_t a14 = a13 + r54 * a21; + uint64_t a24 = a23 + r0 * a21; + uint64_t a34 = a33 + r11 * a21; + uint64_t a44 = a43 + r2 * a21; + uint64_t a05 = a04 + r52 * a31; + uint64_t a15 = a14 + r53 * a31; + uint64_t a25 = a24 + r54 * a31; + uint64_t a35 = a34 + r0 * a31; + uint64_t a45 = a44 + r11 * a31; + uint64_t a06 = a05 + r51 * a41; + uint64_t a16 = a15 + r52 * a41; + uint64_t a26 = a25 + r53 * a41; + uint64_t a36 = a35 + r54 * a41; + uint64_t a46 = a45 + r0 * a41; + uint64_t t0 = a06; + uint64_t t1 = a16; + uint64_t t2 = a26; + uint64_t t3 = a36; + uint64_t t4 = a46; + uint64_t mask26 = (uint64_t)0x3ffffffU; + uint64_t z0 = t0 >> (uint32_t)26U; + uint64_t z1 = t3 >> (uint32_t)26U; + uint64_t x0 = t0 & mask26; + uint64_t x3 = t3 & mask26; + uint64_t x1 = t1 + z0; + uint64_t x4 = t4 + z1; + uint64_t z01 = x1 >> (uint32_t)26U; + uint64_t z11 = x4 >> (uint32_t)26U; + uint64_t t = z11 << (uint32_t)2U; + uint64_t z12 = z11 + t; + uint64_t x11 = x1 & mask26; + uint64_t x41 = x4 & mask26; + uint64_t x2 = t2 + z01; + uint64_t x01 = x0 + z12; + uint64_t z02 = x2 >> (uint32_t)26U; + uint64_t z13 = x01 >> (uint32_t)26U; + uint64_t x21 = x2 & mask26; + uint64_t x02 = x01 & mask26; + uint64_t x31 = x3 + z02; + uint64_t x12 = x11 + z13; + uint64_t z03 = x31 >> (uint32_t)26U; + uint64_t x32 = x31 & mask26; + uint64_t x42 = x41 + z03; + uint64_t o0 = x02; + uint64_t o1 = x12; + uint64_t o2 = x21; + uint64_t o3 = x32; + uint64_t o4 = x42; + acc0[0U] = o0; + acc0[1U] = o1; + acc0[2U] = o2; + acc0[3U] = o3; + acc0[4U] = o4; + } + if (rem1 > (uint32_t)0U) + { + uint8_t *last = blocks + nb * (uint32_t)16U; + uint64_t e[5U] = { 0U }; + uint8_t 
tmp[16U] = { 0U }; + memcpy(tmp, last, rem1 * sizeof (uint8_t)); + uint64_t u0 = load64_le(tmp); + uint64_t lo = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi = u; + uint64_t f0 = lo; + uint64_t f1 = hi; + uint64_t f010 = f0 & (uint64_t)0x3ffffffU; + uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU; + uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U; + uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU; + uint64_t f40 = f1 >> (uint32_t)40U; + uint64_t f01 = f010; + uint64_t f111 = f110; + uint64_t f2 = f20; + uint64_t f3 = f30; + uint64_t f4 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f4; + uint64_t b = (uint64_t)1U << rem1 * (uint32_t)8U % (uint32_t)26U; + uint64_t mask = b; + uint64_t fi = e[rem1 * (uint32_t)8U / (uint32_t)26U]; + e[rem1 * (uint32_t)8U / (uint32_t)26U] = fi | mask; + uint64_t *r1 = pre0; + uint64_t *r5 = pre0 + (uint32_t)5U; + uint64_t r0 = r1[0U]; + uint64_t r11 = r1[1U]; + uint64_t r2 = r1[2U]; + uint64_t r3 = r1[3U]; + uint64_t r4 = r1[4U]; + uint64_t r51 = r5[1U]; + uint64_t r52 = r5[2U]; + uint64_t r53 = r5[3U]; + uint64_t r54 = r5[4U]; + uint64_t f10 = e[0U]; + uint64_t f11 = e[1U]; + uint64_t f12 = e[2U]; + uint64_t f13 = e[3U]; + uint64_t f14 = e[4U]; + uint64_t a0 = acc0[0U]; + uint64_t a1 = acc0[1U]; + uint64_t a2 = acc0[2U]; + uint64_t a3 = acc0[3U]; + uint64_t a4 = acc0[4U]; + uint64_t a01 = a0 + f10; + uint64_t a11 = a1 + f11; + uint64_t a21 = a2 + f12; + uint64_t a31 = a3 + f13; + uint64_t a41 = a4 + f14; + uint64_t a02 = r0 * a01; + uint64_t a12 = r11 * a01; + uint64_t a22 = r2 * a01; + uint64_t a32 = r3 * a01; + uint64_t a42 = r4 * a01; + uint64_t a03 = a02 + r54 * a11; + uint64_t a13 = a12 + r0 * a11; + uint64_t a23 = a22 + r11 * a11; + uint64_t a33 = a32 + r2 * a11; + uint64_t a43 = a42 + r3 * a11; + uint64_t a04 = a03 + r53 * a21; + uint64_t a14 = a13 + r54 * a21; + uint64_t a24 = a23 + r0 * a21; + uint64_t a34 = a33 + r11 * a21; + 
uint64_t a44 = a43 + r2 * a21; + uint64_t a05 = a04 + r52 * a31; + uint64_t a15 = a14 + r53 * a31; + uint64_t a25 = a24 + r54 * a31; + uint64_t a35 = a34 + r0 * a31; + uint64_t a45 = a44 + r11 * a31; + uint64_t a06 = a05 + r51 * a41; + uint64_t a16 = a15 + r52 * a41; + uint64_t a26 = a25 + r53 * a41; + uint64_t a36 = a35 + r54 * a41; + uint64_t a46 = a45 + r0 * a41; + uint64_t t0 = a06; + uint64_t t1 = a16; + uint64_t t2 = a26; + uint64_t t3 = a36; + uint64_t t4 = a46; + uint64_t mask26 = (uint64_t)0x3ffffffU; + uint64_t z0 = t0 >> (uint32_t)26U; + uint64_t z1 = t3 >> (uint32_t)26U; + uint64_t x0 = t0 & mask26; + uint64_t x3 = t3 & mask26; + uint64_t x1 = t1 + z0; + uint64_t x4 = t4 + z1; + uint64_t z01 = x1 >> (uint32_t)26U; + uint64_t z11 = x4 >> (uint32_t)26U; + uint64_t t = z11 << (uint32_t)2U; + uint64_t z12 = z11 + t; + uint64_t x11 = x1 & mask26; + uint64_t x41 = x4 & mask26; + uint64_t x2 = t2 + z01; + uint64_t x01 = x0 + z12; + uint64_t z02 = x2 >> (uint32_t)26U; + uint64_t z13 = x01 >> (uint32_t)26U; + uint64_t x21 = x2 & mask26; + uint64_t x02 = x01 & mask26; + uint64_t x31 = x3 + z02; + uint64_t x12 = x11 + z13; + uint64_t z03 = x31 >> (uint32_t)26U; + uint64_t x32 = x31 & mask26; + uint64_t x42 = x41 + z03; + uint64_t o0 = x02; + uint64_t o1 = x12; + uint64_t o2 = x21; + uint64_t o3 = x32; + uint64_t o4 = x42; + acc0[0U] = o0; + acc0[1U] = o1; + acc0[2U] = o2; + acc0[3U] = o3; + acc0[4U] = o4; + } + uint8_t tmp[16U] = { 0U }; + memcpy(tmp, rem, r * sizeof (uint8_t)); + if (r > (uint32_t)0U) + { + uint64_t *pre = ctx + (uint32_t)5U; + uint64_t *acc = ctx; + uint64_t e[5U] = { 0U }; + uint64_t u0 = load64_le(tmp); + uint64_t lo = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi = u; + uint64_t f0 = lo; + uint64_t f1 = hi; + uint64_t f010 = f0 & (uint64_t)0x3ffffffU; + uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU; + uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U; + uint64_t f30 = f1 >> 
(uint32_t)14U & (uint64_t)0x3ffffffU; + uint64_t f40 = f1 >> (uint32_t)40U; + uint64_t f01 = f010; + uint64_t f111 = f110; + uint64_t f2 = f20; + uint64_t f3 = f30; + uint64_t f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + uint64_t mask = b; + uint64_t f4 = e[4U]; + e[4U] = f4 | mask; + uint64_t *r1 = pre; + uint64_t *r5 = pre + (uint32_t)5U; + uint64_t r0 = r1[0U]; + uint64_t r11 = r1[1U]; + uint64_t r2 = r1[2U]; + uint64_t r3 = r1[3U]; + uint64_t r4 = r1[4U]; + uint64_t r51 = r5[1U]; + uint64_t r52 = r5[2U]; + uint64_t r53 = r5[3U]; + uint64_t r54 = r5[4U]; + uint64_t f10 = e[0U]; + uint64_t f11 = e[1U]; + uint64_t f12 = e[2U]; + uint64_t f13 = e[3U]; + uint64_t f14 = e[4U]; + uint64_t a0 = acc[0U]; + uint64_t a1 = acc[1U]; + uint64_t a2 = acc[2U]; + uint64_t a3 = acc[3U]; + uint64_t a4 = acc[4U]; + uint64_t a01 = a0 + f10; + uint64_t a11 = a1 + f11; + uint64_t a21 = a2 + f12; + uint64_t a31 = a3 + f13; + uint64_t a41 = a4 + f14; + uint64_t a02 = r0 * a01; + uint64_t a12 = r11 * a01; + uint64_t a22 = r2 * a01; + uint64_t a32 = r3 * a01; + uint64_t a42 = r4 * a01; + uint64_t a03 = a02 + r54 * a11; + uint64_t a13 = a12 + r0 * a11; + uint64_t a23 = a22 + r11 * a11; + uint64_t a33 = a32 + r2 * a11; + uint64_t a43 = a42 + r3 * a11; + uint64_t a04 = a03 + r53 * a21; + uint64_t a14 = a13 + r54 * a21; + uint64_t a24 = a23 + r0 * a21; + uint64_t a34 = a33 + r11 * a21; + uint64_t a44 = a43 + r2 * a21; + uint64_t a05 = a04 + r52 * a31; + uint64_t a15 = a14 + r53 * a31; + uint64_t a25 = a24 + r54 * a31; + uint64_t a35 = a34 + r0 * a31; + uint64_t a45 = a44 + r11 * a31; + uint64_t a06 = a05 + r51 * a41; + uint64_t a16 = a15 + r52 * a41; + uint64_t a26 = a25 + r53 * a41; + uint64_t a36 = a35 + r54 * a41; + uint64_t a46 = a45 + r0 * a41; + uint64_t t0 = a06; + uint64_t t1 = a16; + uint64_t t2 = a26; + uint64_t t3 = a36; + uint64_t t4 = a46; + uint64_t mask26 = (uint64_t)0x3ffffffU; + uint64_t z0 = t0 
>> (uint32_t)26U; + uint64_t z1 = t3 >> (uint32_t)26U; + uint64_t x0 = t0 & mask26; + uint64_t x3 = t3 & mask26; + uint64_t x1 = t1 + z0; + uint64_t x4 = t4 + z1; + uint64_t z01 = x1 >> (uint32_t)26U; + uint64_t z11 = x4 >> (uint32_t)26U; + uint64_t t = z11 << (uint32_t)2U; + uint64_t z12 = z11 + t; + uint64_t x11 = x1 & mask26; + uint64_t x41 = x4 & mask26; + uint64_t x2 = t2 + z01; + uint64_t x01 = x0 + z12; + uint64_t z02 = x2 >> (uint32_t)26U; + uint64_t z13 = x01 >> (uint32_t)26U; + uint64_t x21 = x2 & mask26; + uint64_t x02 = x01 & mask26; + uint64_t x31 = x3 + z02; + uint64_t x12 = x11 + z13; + uint64_t z03 = x31 >> (uint32_t)26U; + uint64_t x32 = x31 & mask26; + uint64_t x42 = x41 + z03; + uint64_t o0 = x02; + uint64_t o1 = x12; + uint64_t o2 = x21; + uint64_t o3 = x32; + uint64_t o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + return; + } +} + +static inline void +poly1305_do_32( + uint8_t *k, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *out +) +{ + uint64_t ctx[25U] = { 0U }; + uint8_t block[16U] = { 0U }; + Hacl_Poly1305_32_poly1305_init(ctx, k); + if (aadlen != (uint32_t)0U) + { + poly1305_padded_32(ctx, aadlen, aad); + } + if (mlen != (uint32_t)0U) + { + poly1305_padded_32(ctx, mlen, m); + } + store64_le(block, (uint64_t)aadlen); + store64_le(block + (uint32_t)8U, (uint64_t)mlen); + uint64_t *pre = ctx + (uint32_t)5U; + uint64_t *acc = ctx; + uint64_t e[5U] = { 0U }; + uint64_t u0 = load64_le(block); + uint64_t lo = u0; + uint64_t u = load64_le(block + (uint32_t)8U); + uint64_t hi = u; + uint64_t f0 = lo; + uint64_t f1 = hi; + uint64_t f010 = f0 & (uint64_t)0x3ffffffU; + uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU; + uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U; + uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU; + uint64_t f40 = f1 >> (uint32_t)40U; + uint64_t f01 = f010; + uint64_t f111 = f110; + uint64_t f2 = f20; + 
uint64_t f3 = f30; + uint64_t f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + uint64_t mask = b; + uint64_t f4 = e[4U]; + e[4U] = f4 | mask; + uint64_t *r = pre; + uint64_t *r5 = pre + (uint32_t)5U; + uint64_t r0 = r[0U]; + uint64_t r1 = r[1U]; + uint64_t r2 = r[2U]; + uint64_t r3 = r[3U]; + uint64_t r4 = r[4U]; + uint64_t r51 = r5[1U]; + uint64_t r52 = r5[2U]; + uint64_t r53 = r5[3U]; + uint64_t r54 = r5[4U]; + uint64_t f10 = e[0U]; + uint64_t f11 = e[1U]; + uint64_t f12 = e[2U]; + uint64_t f13 = e[3U]; + uint64_t f14 = e[4U]; + uint64_t a0 = acc[0U]; + uint64_t a1 = acc[1U]; + uint64_t a2 = acc[2U]; + uint64_t a3 = acc[3U]; + uint64_t a4 = acc[4U]; + uint64_t a01 = a0 + f10; + uint64_t a11 = a1 + f11; + uint64_t a21 = a2 + f12; + uint64_t a31 = a3 + f13; + uint64_t a41 = a4 + f14; + uint64_t a02 = r0 * a01; + uint64_t a12 = r1 * a01; + uint64_t a22 = r2 * a01; + uint64_t a32 = r3 * a01; + uint64_t a42 = r4 * a01; + uint64_t a03 = a02 + r54 * a11; + uint64_t a13 = a12 + r0 * a11; + uint64_t a23 = a22 + r1 * a11; + uint64_t a33 = a32 + r2 * a11; + uint64_t a43 = a42 + r3 * a11; + uint64_t a04 = a03 + r53 * a21; + uint64_t a14 = a13 + r54 * a21; + uint64_t a24 = a23 + r0 * a21; + uint64_t a34 = a33 + r1 * a21; + uint64_t a44 = a43 + r2 * a21; + uint64_t a05 = a04 + r52 * a31; + uint64_t a15 = a14 + r53 * a31; + uint64_t a25 = a24 + r54 * a31; + uint64_t a35 = a34 + r0 * a31; + uint64_t a45 = a44 + r1 * a31; + uint64_t a06 = a05 + r51 * a41; + uint64_t a16 = a15 + r52 * a41; + uint64_t a26 = a25 + r53 * a41; + uint64_t a36 = a35 + r54 * a41; + uint64_t a46 = a45 + r0 * a41; + uint64_t t0 = a06; + uint64_t t1 = a16; + uint64_t t2 = a26; + uint64_t t3 = a36; + uint64_t t4 = a46; + uint64_t mask26 = (uint64_t)0x3ffffffU; + uint64_t z0 = t0 >> (uint32_t)26U; + uint64_t z1 = t3 >> (uint32_t)26U; + uint64_t x0 = t0 & mask26; + uint64_t x3 = t3 & mask26; + uint64_t x1 = t1 + z0; + uint64_t x4 = t4 + 
z1; + uint64_t z01 = x1 >> (uint32_t)26U; + uint64_t z11 = x4 >> (uint32_t)26U; + uint64_t t = z11 << (uint32_t)2U; + uint64_t z12 = z11 + t; + uint64_t x11 = x1 & mask26; + uint64_t x41 = x4 & mask26; + uint64_t x2 = t2 + z01; + uint64_t x01 = x0 + z12; + uint64_t z02 = x2 >> (uint32_t)26U; + uint64_t z13 = x01 >> (uint32_t)26U; + uint64_t x21 = x2 & mask26; + uint64_t x02 = x01 & mask26; + uint64_t x31 = x3 + z02; + uint64_t x12 = x11 + z13; + uint64_t z03 = x31 >> (uint32_t)26U; + uint64_t x32 = x31 & mask26; + uint64_t x42 = x41 + z03; + uint64_t o0 = x02; + uint64_t o1 = x12; + uint64_t o2 = x21; + uint64_t o3 = x32; + uint64_t o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + Hacl_Poly1305_32_poly1305_finish(out, k, ctx); +} + +void +Hacl_Chacha20Poly1305_32_aead_encrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *mac +) +{ + Hacl_Chacha20_chacha20_encrypt(mlen, cipher, m, k, n, (uint32_t)1U); + uint8_t tmp[64U] = { 0U }; + Hacl_Chacha20_chacha20_encrypt((uint32_t)64U, tmp, tmp, k, n, (uint32_t)0U); + uint8_t *key = tmp; + poly1305_do_32(key, aadlen, aad, mlen, cipher, mac); +} + +uint32_t +Hacl_Chacha20Poly1305_32_aead_decrypt( + uint8_t *k, + uint8_t *n, + uint32_t aadlen, + uint8_t *aad, + uint32_t mlen, + uint8_t *m, + uint8_t *cipher, + uint8_t *mac +) +{ + uint8_t computed_mac[16U] = { 0U }; + uint8_t tmp[64U] = { 0U }; + Hacl_Chacha20_chacha20_encrypt((uint32_t)64U, tmp, tmp, k, n, (uint32_t)0U); + uint8_t *key = tmp; + poly1305_do_32(key, aadlen, aad, mlen, cipher, computed_mac); + uint8_t res = (uint8_t)255U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint8_t uu____0 = FStar_UInt8_eq_mask(computed_mac[i], mac[i]); + res = uu____0 & res; + } + uint8_t z = res; + if (z == (uint8_t)255U) + { + Hacl_Chacha20_chacha20_encrypt(mlen, m, cipher, k, n, (uint32_t)1U); + return (uint32_t)0U; + } + return (uint32_t)1U; 
+}
+
diff --git a/src/msvc/Hacl_Chacha20_Vec128.c b/src/msvc/Hacl_Chacha20_Vec128.c
new file mode 100644
index 00000000..cbb36e04
--- /dev/null
+++ b/src/msvc/Hacl_Chacha20_Vec128.c
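Review bot: `Hacl_Chacha20Poly1305_32_aead_decrypt` returns 0 when the tag matches and 1 otherwise, and it writes `m` only on the success path, but nothing in this file tells a caller that; a contract comment on the definition would keep callers from consuming `m` after a non-zero return. Something like `/* Returns 0 if the 16-byte tag verifies and the plaintext was written to m; returns 1 on mismatch, in which case m is left untouched and must not be used. Tag comparison accumulates FStar_UInt8_eq_mask over all 16 bytes before branching. */` would do, with a matching one-liner on `aead_encrypt` stating that `cipher` and `mac` are both outputs and that `aadlen`/`mlen` are byte counts. Separately, the one-time Poly1305 key block in `tmp` (64 bytes, in both entry points) and the `ctx` array in `poly1305_do_32` go out of scope without being scrubbed; if residual key material on the stack is in the project's threat model this is worth tracking, though since this is extracted code the fix presumably belongs in the generator rather than in a hand edit here. The `rem1 > 0` branch in `poly1305_padded_32` is likewise a generator artifact, as `rem1 = n * 16 % 16` is always 0.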
@@ -0,0 +1,827 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */ + + +#include "Hacl_Chacha20_Vec128.h" + +#include "internal/Hacl_Chacha20.h" + +static inline void double_round_128(Lib_IntVector_Intrinsics_vec128 *st) +{ + st[0U] = Lib_IntVector_Intrinsics_vec128_add32(st[0U], st[4U]); + Lib_IntVector_Intrinsics_vec128 std = Lib_IntVector_Intrinsics_vec128_xor(st[12U], st[0U]); + st[12U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std, (uint32_t)16U); + st[8U] = Lib_IntVector_Intrinsics_vec128_add32(st[8U], st[12U]); + Lib_IntVector_Intrinsics_vec128 std0 = Lib_IntVector_Intrinsics_vec128_xor(st[4U], st[8U]); + st[4U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std0, (uint32_t)12U); + st[0U] = Lib_IntVector_Intrinsics_vec128_add32(st[0U], st[4U]); + Lib_IntVector_Intrinsics_vec128 std1 = Lib_IntVector_Intrinsics_vec128_xor(st[12U], st[0U]); + st[12U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std1, (uint32_t)8U); + st[8U] = Lib_IntVector_Intrinsics_vec128_add32(st[8U], st[12U]); + Lib_IntVector_Intrinsics_vec128 std2 = Lib_IntVector_Intrinsics_vec128_xor(st[4U], st[8U]); + st[4U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std2, (uint32_t)7U); + st[1U] = Lib_IntVector_Intrinsics_vec128_add32(st[1U], st[5U]); + Lib_IntVector_Intrinsics_vec128 std3 = Lib_IntVector_Intrinsics_vec128_xor(st[13U], st[1U]); + st[13U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std3, (uint32_t)16U); + st[9U] = Lib_IntVector_Intrinsics_vec128_add32(st[9U], st[13U]); + Lib_IntVector_Intrinsics_vec128 std4 = Lib_IntVector_Intrinsics_vec128_xor(st[5U], st[9U]); + st[5U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std4, (uint32_t)12U); + st[1U] = Lib_IntVector_Intrinsics_vec128_add32(st[1U], st[5U]); + Lib_IntVector_Intrinsics_vec128 std5 = Lib_IntVector_Intrinsics_vec128_xor(st[13U], st[1U]); + st[13U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std5, (uint32_t)8U); + st[9U] = Lib_IntVector_Intrinsics_vec128_add32(st[9U], st[13U]); + Lib_IntVector_Intrinsics_vec128 std6 = Lib_IntVector_Intrinsics_vec128_xor(st[5U], 
st[9U]); + st[5U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std6, (uint32_t)7U); + st[2U] = Lib_IntVector_Intrinsics_vec128_add32(st[2U], st[6U]); + Lib_IntVector_Intrinsics_vec128 std7 = Lib_IntVector_Intrinsics_vec128_xor(st[14U], st[2U]); + st[14U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std7, (uint32_t)16U); + st[10U] = Lib_IntVector_Intrinsics_vec128_add32(st[10U], st[14U]); + Lib_IntVector_Intrinsics_vec128 std8 = Lib_IntVector_Intrinsics_vec128_xor(st[6U], st[10U]); + st[6U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std8, (uint32_t)12U); + st[2U] = Lib_IntVector_Intrinsics_vec128_add32(st[2U], st[6U]); + Lib_IntVector_Intrinsics_vec128 std9 = Lib_IntVector_Intrinsics_vec128_xor(st[14U], st[2U]); + st[14U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std9, (uint32_t)8U); + st[10U] = Lib_IntVector_Intrinsics_vec128_add32(st[10U], st[14U]); + Lib_IntVector_Intrinsics_vec128 std10 = Lib_IntVector_Intrinsics_vec128_xor(st[6U], st[10U]); + st[6U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std10, (uint32_t)7U); + st[3U] = Lib_IntVector_Intrinsics_vec128_add32(st[3U], st[7U]); + Lib_IntVector_Intrinsics_vec128 std11 = Lib_IntVector_Intrinsics_vec128_xor(st[15U], st[3U]); + st[15U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std11, (uint32_t)16U); + st[11U] = Lib_IntVector_Intrinsics_vec128_add32(st[11U], st[15U]); + Lib_IntVector_Intrinsics_vec128 std12 = Lib_IntVector_Intrinsics_vec128_xor(st[7U], st[11U]); + st[7U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std12, (uint32_t)12U); + st[3U] = Lib_IntVector_Intrinsics_vec128_add32(st[3U], st[7U]); + Lib_IntVector_Intrinsics_vec128 std13 = Lib_IntVector_Intrinsics_vec128_xor(st[15U], st[3U]); + st[15U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std13, (uint32_t)8U); + st[11U] = Lib_IntVector_Intrinsics_vec128_add32(st[11U], st[15U]); + Lib_IntVector_Intrinsics_vec128 std14 = Lib_IntVector_Intrinsics_vec128_xor(st[7U], st[11U]); + st[7U] = 
Lib_IntVector_Intrinsics_vec128_rotate_left32(std14, (uint32_t)7U); + st[0U] = Lib_IntVector_Intrinsics_vec128_add32(st[0U], st[5U]); + Lib_IntVector_Intrinsics_vec128 std15 = Lib_IntVector_Intrinsics_vec128_xor(st[15U], st[0U]); + st[15U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std15, (uint32_t)16U); + st[10U] = Lib_IntVector_Intrinsics_vec128_add32(st[10U], st[15U]); + Lib_IntVector_Intrinsics_vec128 std16 = Lib_IntVector_Intrinsics_vec128_xor(st[5U], st[10U]); + st[5U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std16, (uint32_t)12U); + st[0U] = Lib_IntVector_Intrinsics_vec128_add32(st[0U], st[5U]); + Lib_IntVector_Intrinsics_vec128 std17 = Lib_IntVector_Intrinsics_vec128_xor(st[15U], st[0U]); + st[15U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std17, (uint32_t)8U); + st[10U] = Lib_IntVector_Intrinsics_vec128_add32(st[10U], st[15U]); + Lib_IntVector_Intrinsics_vec128 std18 = Lib_IntVector_Intrinsics_vec128_xor(st[5U], st[10U]); + st[5U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std18, (uint32_t)7U); + st[1U] = Lib_IntVector_Intrinsics_vec128_add32(st[1U], st[6U]); + Lib_IntVector_Intrinsics_vec128 std19 = Lib_IntVector_Intrinsics_vec128_xor(st[12U], st[1U]); + st[12U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std19, (uint32_t)16U); + st[11U] = Lib_IntVector_Intrinsics_vec128_add32(st[11U], st[12U]); + Lib_IntVector_Intrinsics_vec128 std20 = Lib_IntVector_Intrinsics_vec128_xor(st[6U], st[11U]); + st[6U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std20, (uint32_t)12U); + st[1U] = Lib_IntVector_Intrinsics_vec128_add32(st[1U], st[6U]); + Lib_IntVector_Intrinsics_vec128 std21 = Lib_IntVector_Intrinsics_vec128_xor(st[12U], st[1U]); + st[12U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std21, (uint32_t)8U); + st[11U] = Lib_IntVector_Intrinsics_vec128_add32(st[11U], st[12U]); + Lib_IntVector_Intrinsics_vec128 std22 = Lib_IntVector_Intrinsics_vec128_xor(st[6U], st[11U]); + st[6U] = 
Lib_IntVector_Intrinsics_vec128_rotate_left32(std22, (uint32_t)7U); + st[2U] = Lib_IntVector_Intrinsics_vec128_add32(st[2U], st[7U]); + Lib_IntVector_Intrinsics_vec128 std23 = Lib_IntVector_Intrinsics_vec128_xor(st[13U], st[2U]); + st[13U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std23, (uint32_t)16U); + st[8U] = Lib_IntVector_Intrinsics_vec128_add32(st[8U], st[13U]); + Lib_IntVector_Intrinsics_vec128 std24 = Lib_IntVector_Intrinsics_vec128_xor(st[7U], st[8U]); + st[7U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std24, (uint32_t)12U); + st[2U] = Lib_IntVector_Intrinsics_vec128_add32(st[2U], st[7U]); + Lib_IntVector_Intrinsics_vec128 std25 = Lib_IntVector_Intrinsics_vec128_xor(st[13U], st[2U]); + st[13U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std25, (uint32_t)8U); + st[8U] = Lib_IntVector_Intrinsics_vec128_add32(st[8U], st[13U]); + Lib_IntVector_Intrinsics_vec128 std26 = Lib_IntVector_Intrinsics_vec128_xor(st[7U], st[8U]); + st[7U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std26, (uint32_t)7U); + st[3U] = Lib_IntVector_Intrinsics_vec128_add32(st[3U], st[4U]); + Lib_IntVector_Intrinsics_vec128 std27 = Lib_IntVector_Intrinsics_vec128_xor(st[14U], st[3U]); + st[14U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std27, (uint32_t)16U); + st[9U] = Lib_IntVector_Intrinsics_vec128_add32(st[9U], st[14U]); + Lib_IntVector_Intrinsics_vec128 std28 = Lib_IntVector_Intrinsics_vec128_xor(st[4U], st[9U]); + st[4U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std28, (uint32_t)12U); + st[3U] = Lib_IntVector_Intrinsics_vec128_add32(st[3U], st[4U]); + Lib_IntVector_Intrinsics_vec128 std29 = Lib_IntVector_Intrinsics_vec128_xor(st[14U], st[3U]); + st[14U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std29, (uint32_t)8U); + st[9U] = Lib_IntVector_Intrinsics_vec128_add32(st[9U], st[14U]); + Lib_IntVector_Intrinsics_vec128 std30 = Lib_IntVector_Intrinsics_vec128_xor(st[4U], st[9U]); + st[4U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std30, 
(uint32_t)7U); +} + +static inline void +chacha20_core_128( + Lib_IntVector_Intrinsics_vec128 *k, + Lib_IntVector_Intrinsics_vec128 *ctx, + uint32_t ctr +) +{ + memcpy(k, ctx, (uint32_t)16U * sizeof (Lib_IntVector_Intrinsics_vec128)); + uint32_t ctr_u32 = (uint32_t)4U * ctr; + Lib_IntVector_Intrinsics_vec128 cv = Lib_IntVector_Intrinsics_vec128_load32(ctr_u32); + k[12U] = Lib_IntVector_Intrinsics_vec128_add32(k[12U], cv); + double_round_128(k); + double_round_128(k); + double_round_128(k); + double_round_128(k); + double_round_128(k); + double_round_128(k); + double_round_128(k); + double_round_128(k); + double_round_128(k); + double_round_128(k); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec128 *os = k; + Lib_IntVector_Intrinsics_vec128 x = Lib_IntVector_Intrinsics_vec128_add32(k[i], ctx[i]); + os[i] = x; + } + k[12U] = Lib_IntVector_Intrinsics_vec128_add32(k[12U], cv); +} + +static inline void +chacha20_init_128(Lib_IntVector_Intrinsics_vec128 *ctx, uint8_t *k, uint8_t *n, uint32_t ctr) +{ + uint32_t ctx1[16U] = { 0U }; + uint32_t *uu____0 = ctx1; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = uu____0; + uint32_t x = Hacl_Impl_Chacha20_Vec_chacha20_constants[i]; + os[i] = x; + } + uint32_t *uu____1 = ctx1 + (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = uu____1; + uint8_t *bj = k + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + ctx1[12U] = ctr; + uint32_t *uu____2 = ctx1 + (uint32_t)13U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)3U; i++) + { + uint32_t *os = uu____2; + uint8_t *bj = n + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec128 *os = ctx; + uint32_t x = ctx1[i]; + Lib_IntVector_Intrinsics_vec128 x0 = 
Lib_IntVector_Intrinsics_vec128_load32(x); + os[i] = x0; + } + Lib_IntVector_Intrinsics_vec128 + ctr1 = + Lib_IntVector_Intrinsics_vec128_load32s((uint32_t)0U, + (uint32_t)1U, + (uint32_t)2U, + (uint32_t)3U); + Lib_IntVector_Intrinsics_vec128 c12 = ctx[12U]; + ctx[12U] = Lib_IntVector_Intrinsics_vec128_add32(c12, ctr1); +} + +void +Hacl_Chacha20_Vec128_chacha20_encrypt_128( + uint32_t len, + uint8_t *out, + uint8_t *text, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + Lib_IntVector_Intrinsics_vec128 ctx[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + ctx[_i] = Lib_IntVector_Intrinsics_vec128_zero; + chacha20_init_128(ctx, key, n, ctr); + uint32_t rem = len % (uint32_t)256U; + uint32_t nb = len / (uint32_t)256U; + uint32_t rem1 = len % (uint32_t)256U; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *uu____0 = out + i * (uint32_t)256U; + uint8_t *uu____1 = text + i * (uint32_t)256U; + Lib_IntVector_Intrinsics_vec128 k[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + k[_i] = Lib_IntVector_Intrinsics_vec128_zero; + chacha20_core_128(k, ctx, i); + Lib_IntVector_Intrinsics_vec128 st0 = k[0U]; + Lib_IntVector_Intrinsics_vec128 st1 = k[1U]; + Lib_IntVector_Intrinsics_vec128 st2 = k[2U]; + Lib_IntVector_Intrinsics_vec128 st3 = k[3U]; + Lib_IntVector_Intrinsics_vec128 st4 = k[4U]; + Lib_IntVector_Intrinsics_vec128 st5 = k[5U]; + Lib_IntVector_Intrinsics_vec128 st6 = k[6U]; + Lib_IntVector_Intrinsics_vec128 st7 = k[7U]; + Lib_IntVector_Intrinsics_vec128 st8 = k[8U]; + Lib_IntVector_Intrinsics_vec128 st9 = k[9U]; + Lib_IntVector_Intrinsics_vec128 st10 = k[10U]; + Lib_IntVector_Intrinsics_vec128 st11 = k[11U]; + Lib_IntVector_Intrinsics_vec128 st12 = k[12U]; + Lib_IntVector_Intrinsics_vec128 st13 = k[13U]; + Lib_IntVector_Intrinsics_vec128 st14 = k[14U]; + Lib_IntVector_Intrinsics_vec128 st15 = k[15U]; + Lib_IntVector_Intrinsics_vec128 + v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(st0, st1); + Lib_IntVector_Intrinsics_vec128 + 
v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(st0, st1); + Lib_IntVector_Intrinsics_vec128 + v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(st2, st3); + Lib_IntVector_Intrinsics_vec128 + v3_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(st2, st3); + Lib_IntVector_Intrinsics_vec128 + v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v2__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 + v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 v0__0 = v0__; + Lib_IntVector_Intrinsics_vec128 v2__0 = v2__; + Lib_IntVector_Intrinsics_vec128 v1__0 = v1__; + Lib_IntVector_Intrinsics_vec128 v3__0 = v3__; + Lib_IntVector_Intrinsics_vec128 v0 = v0__0; + Lib_IntVector_Intrinsics_vec128 v1 = v1__0; + Lib_IntVector_Intrinsics_vec128 v2 = v2__0; + Lib_IntVector_Intrinsics_vec128 v3 = v3__0; + Lib_IntVector_Intrinsics_vec128 + v0_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st4, st5); + Lib_IntVector_Intrinsics_vec128 + v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st4, st5); + Lib_IntVector_Intrinsics_vec128 + v2_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st6, st7); + Lib_IntVector_Intrinsics_vec128 + v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st6, st7); + Lib_IntVector_Intrinsics_vec128 + v0__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v1__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 + v3__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 v0__2 = v0__1; + Lib_IntVector_Intrinsics_vec128 v2__2 = v2__1; 
+ Lib_IntVector_Intrinsics_vec128 v1__2 = v1__1; + Lib_IntVector_Intrinsics_vec128 v3__2 = v3__1; + Lib_IntVector_Intrinsics_vec128 v4 = v0__2; + Lib_IntVector_Intrinsics_vec128 v5 = v1__2; + Lib_IntVector_Intrinsics_vec128 v6 = v2__2; + Lib_IntVector_Intrinsics_vec128 v7 = v3__2; + Lib_IntVector_Intrinsics_vec128 + v0_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st8, st9); + Lib_IntVector_Intrinsics_vec128 + v1_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st8, st9); + Lib_IntVector_Intrinsics_vec128 + v2_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st10, st11); + Lib_IntVector_Intrinsics_vec128 + v3_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st10, st11); + Lib_IntVector_Intrinsics_vec128 + v0__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v1__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v2__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 + v3__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 v0__4 = v0__3; + Lib_IntVector_Intrinsics_vec128 v2__4 = v2__3; + Lib_IntVector_Intrinsics_vec128 v1__4 = v1__3; + Lib_IntVector_Intrinsics_vec128 v3__4 = v3__3; + Lib_IntVector_Intrinsics_vec128 v8 = v0__4; + Lib_IntVector_Intrinsics_vec128 v9 = v1__4; + Lib_IntVector_Intrinsics_vec128 v10 = v2__4; + Lib_IntVector_Intrinsics_vec128 v11 = v3__4; + Lib_IntVector_Intrinsics_vec128 + v0_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st12, st13); + Lib_IntVector_Intrinsics_vec128 + v1_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st12, st13); + Lib_IntVector_Intrinsics_vec128 + v2_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st14, st15); + Lib_IntVector_Intrinsics_vec128 + v3_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st14, st15); + Lib_IntVector_Intrinsics_vec128 + v0__5 = 
Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v1__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v2__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 + v3__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 v0__6 = v0__5; + Lib_IntVector_Intrinsics_vec128 v2__6 = v2__5; + Lib_IntVector_Intrinsics_vec128 v1__6 = v1__5; + Lib_IntVector_Intrinsics_vec128 v3__6 = v3__5; + Lib_IntVector_Intrinsics_vec128 v12 = v0__6; + Lib_IntVector_Intrinsics_vec128 v13 = v1__6; + Lib_IntVector_Intrinsics_vec128 v14 = v2__6; + Lib_IntVector_Intrinsics_vec128 v15 = v3__6; + k[0U] = v0; + k[1U] = v4; + k[2U] = v8; + k[3U] = v12; + k[4U] = v1; + k[5U] = v5; + k[6U] = v9; + k[7U] = v13; + k[8U] = v2; + k[9U] = v6; + k[10U] = v10; + k[11U] = v14; + k[12U] = v3; + k[13U] = v7; + k[14U] = v11; + k[15U] = v15; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)16U; i0++) + { + Lib_IntVector_Intrinsics_vec128 + x = Lib_IntVector_Intrinsics_vec128_load32_le(uu____1 + i0 * (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 y = Lib_IntVector_Intrinsics_vec128_xor(x, k[i0]); + Lib_IntVector_Intrinsics_vec128_store32_le(uu____0 + i0 * (uint32_t)16U, y); + } + } + if (rem1 > (uint32_t)0U) + { + uint8_t *uu____2 = out + nb * (uint32_t)256U; + uint8_t *uu____3 = text + nb * (uint32_t)256U; + uint8_t plain[256U] = { 0U }; + memcpy(plain, uu____3, rem * sizeof (uint8_t)); + Lib_IntVector_Intrinsics_vec128 k[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + k[_i] = Lib_IntVector_Intrinsics_vec128_zero; + chacha20_core_128(k, ctx, nb); + Lib_IntVector_Intrinsics_vec128 st0 = k[0U]; + Lib_IntVector_Intrinsics_vec128 st1 = k[1U]; + Lib_IntVector_Intrinsics_vec128 st2 = k[2U]; + Lib_IntVector_Intrinsics_vec128 st3 = k[3U]; + Lib_IntVector_Intrinsics_vec128 st4 = k[4U]; + 
Lib_IntVector_Intrinsics_vec128 st5 = k[5U]; + Lib_IntVector_Intrinsics_vec128 st6 = k[6U]; + Lib_IntVector_Intrinsics_vec128 st7 = k[7U]; + Lib_IntVector_Intrinsics_vec128 st8 = k[8U]; + Lib_IntVector_Intrinsics_vec128 st9 = k[9U]; + Lib_IntVector_Intrinsics_vec128 st10 = k[10U]; + Lib_IntVector_Intrinsics_vec128 st11 = k[11U]; + Lib_IntVector_Intrinsics_vec128 st12 = k[12U]; + Lib_IntVector_Intrinsics_vec128 st13 = k[13U]; + Lib_IntVector_Intrinsics_vec128 st14 = k[14U]; + Lib_IntVector_Intrinsics_vec128 st15 = k[15U]; + Lib_IntVector_Intrinsics_vec128 + v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(st0, st1); + Lib_IntVector_Intrinsics_vec128 + v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(st0, st1); + Lib_IntVector_Intrinsics_vec128 + v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(st2, st3); + Lib_IntVector_Intrinsics_vec128 + v3_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(st2, st3); + Lib_IntVector_Intrinsics_vec128 + v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v2__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 + v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 v0__0 = v0__; + Lib_IntVector_Intrinsics_vec128 v2__0 = v2__; + Lib_IntVector_Intrinsics_vec128 v1__0 = v1__; + Lib_IntVector_Intrinsics_vec128 v3__0 = v3__; + Lib_IntVector_Intrinsics_vec128 v0 = v0__0; + Lib_IntVector_Intrinsics_vec128 v1 = v1__0; + Lib_IntVector_Intrinsics_vec128 v2 = v2__0; + Lib_IntVector_Intrinsics_vec128 v3 = v3__0; + Lib_IntVector_Intrinsics_vec128 + v0_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st4, st5); + Lib_IntVector_Intrinsics_vec128 + v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st4, st5); + Lib_IntVector_Intrinsics_vec128 + v2_0 = 
Lib_IntVector_Intrinsics_vec128_interleave_low32(st6, st7); + Lib_IntVector_Intrinsics_vec128 + v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st6, st7); + Lib_IntVector_Intrinsics_vec128 + v0__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v1__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 + v3__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 v0__2 = v0__1; + Lib_IntVector_Intrinsics_vec128 v2__2 = v2__1; + Lib_IntVector_Intrinsics_vec128 v1__2 = v1__1; + Lib_IntVector_Intrinsics_vec128 v3__2 = v3__1; + Lib_IntVector_Intrinsics_vec128 v4 = v0__2; + Lib_IntVector_Intrinsics_vec128 v5 = v1__2; + Lib_IntVector_Intrinsics_vec128 v6 = v2__2; + Lib_IntVector_Intrinsics_vec128 v7 = v3__2; + Lib_IntVector_Intrinsics_vec128 + v0_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st8, st9); + Lib_IntVector_Intrinsics_vec128 + v1_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st8, st9); + Lib_IntVector_Intrinsics_vec128 + v2_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st10, st11); + Lib_IntVector_Intrinsics_vec128 + v3_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st10, st11); + Lib_IntVector_Intrinsics_vec128 + v0__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v1__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v2__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 + v3__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 v0__4 = v0__3; + Lib_IntVector_Intrinsics_vec128 v2__4 = v2__3; + Lib_IntVector_Intrinsics_vec128 v1__4 = v1__3; + Lib_IntVector_Intrinsics_vec128 
v3__4 = v3__3; + Lib_IntVector_Intrinsics_vec128 v8 = v0__4; + Lib_IntVector_Intrinsics_vec128 v9 = v1__4; + Lib_IntVector_Intrinsics_vec128 v10 = v2__4; + Lib_IntVector_Intrinsics_vec128 v11 = v3__4; + Lib_IntVector_Intrinsics_vec128 + v0_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st12, st13); + Lib_IntVector_Intrinsics_vec128 + v1_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st12, st13); + Lib_IntVector_Intrinsics_vec128 + v2_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st14, st15); + Lib_IntVector_Intrinsics_vec128 + v3_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st14, st15); + Lib_IntVector_Intrinsics_vec128 + v0__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v1__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v2__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 + v3__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 v0__6 = v0__5; + Lib_IntVector_Intrinsics_vec128 v2__6 = v2__5; + Lib_IntVector_Intrinsics_vec128 v1__6 = v1__5; + Lib_IntVector_Intrinsics_vec128 v3__6 = v3__5; + Lib_IntVector_Intrinsics_vec128 v12 = v0__6; + Lib_IntVector_Intrinsics_vec128 v13 = v1__6; + Lib_IntVector_Intrinsics_vec128 v14 = v2__6; + Lib_IntVector_Intrinsics_vec128 v15 = v3__6; + k[0U] = v0; + k[1U] = v4; + k[2U] = v8; + k[3U] = v12; + k[4U] = v1; + k[5U] = v5; + k[6U] = v9; + k[7U] = v13; + k[8U] = v2; + k[9U] = v6; + k[10U] = v10; + k[11U] = v14; + k[12U] = v3; + k[13U] = v7; + k[14U] = v11; + k[15U] = v15; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec128 + x = Lib_IntVector_Intrinsics_vec128_load32_le(plain + i * (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 y = Lib_IntVector_Intrinsics_vec128_xor(x, k[i]); + Lib_IntVector_Intrinsics_vec128_store32_le(plain + i * (uint32_t)16U, 
y); + } + memcpy(uu____2, plain, rem * sizeof (uint8_t)); + } +} + +void +Hacl_Chacha20_Vec128_chacha20_decrypt_128( + uint32_t len, + uint8_t *out, + uint8_t *cipher, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + Lib_IntVector_Intrinsics_vec128 ctx[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + ctx[_i] = Lib_IntVector_Intrinsics_vec128_zero; + chacha20_init_128(ctx, key, n, ctr); + uint32_t rem = len % (uint32_t)256U; + uint32_t nb = len / (uint32_t)256U; + uint32_t rem1 = len % (uint32_t)256U; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *uu____0 = out + i * (uint32_t)256U; + uint8_t *uu____1 = cipher + i * (uint32_t)256U; + Lib_IntVector_Intrinsics_vec128 k[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + k[_i] = Lib_IntVector_Intrinsics_vec128_zero; + chacha20_core_128(k, ctx, i); + Lib_IntVector_Intrinsics_vec128 st0 = k[0U]; + Lib_IntVector_Intrinsics_vec128 st1 = k[1U]; + Lib_IntVector_Intrinsics_vec128 st2 = k[2U]; + Lib_IntVector_Intrinsics_vec128 st3 = k[3U]; + Lib_IntVector_Intrinsics_vec128 st4 = k[4U]; + Lib_IntVector_Intrinsics_vec128 st5 = k[5U]; + Lib_IntVector_Intrinsics_vec128 st6 = k[6U]; + Lib_IntVector_Intrinsics_vec128 st7 = k[7U]; + Lib_IntVector_Intrinsics_vec128 st8 = k[8U]; + Lib_IntVector_Intrinsics_vec128 st9 = k[9U]; + Lib_IntVector_Intrinsics_vec128 st10 = k[10U]; + Lib_IntVector_Intrinsics_vec128 st11 = k[11U]; + Lib_IntVector_Intrinsics_vec128 st12 = k[12U]; + Lib_IntVector_Intrinsics_vec128 st13 = k[13U]; + Lib_IntVector_Intrinsics_vec128 st14 = k[14U]; + Lib_IntVector_Intrinsics_vec128 st15 = k[15U]; + Lib_IntVector_Intrinsics_vec128 + v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(st0, st1); + Lib_IntVector_Intrinsics_vec128 + v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(st0, st1); + Lib_IntVector_Intrinsics_vec128 + v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(st2, st3); + Lib_IntVector_Intrinsics_vec128 + v3_ = 
Lib_IntVector_Intrinsics_vec128_interleave_high32(st2, st3); + Lib_IntVector_Intrinsics_vec128 + v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v2__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 + v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 v0__0 = v0__; + Lib_IntVector_Intrinsics_vec128 v2__0 = v2__; + Lib_IntVector_Intrinsics_vec128 v1__0 = v1__; + Lib_IntVector_Intrinsics_vec128 v3__0 = v3__; + Lib_IntVector_Intrinsics_vec128 v0 = v0__0; + Lib_IntVector_Intrinsics_vec128 v1 = v1__0; + Lib_IntVector_Intrinsics_vec128 v2 = v2__0; + Lib_IntVector_Intrinsics_vec128 v3 = v3__0; + Lib_IntVector_Intrinsics_vec128 + v0_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st4, st5); + Lib_IntVector_Intrinsics_vec128 + v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st4, st5); + Lib_IntVector_Intrinsics_vec128 + v2_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st6, st7); + Lib_IntVector_Intrinsics_vec128 + v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st6, st7); + Lib_IntVector_Intrinsics_vec128 + v0__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v1__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 + v3__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 v0__2 = v0__1; + Lib_IntVector_Intrinsics_vec128 v2__2 = v2__1; + Lib_IntVector_Intrinsics_vec128 v1__2 = v1__1; + Lib_IntVector_Intrinsics_vec128 v3__2 = v3__1; + Lib_IntVector_Intrinsics_vec128 v4 = v0__2; + Lib_IntVector_Intrinsics_vec128 v5 = v1__2; + 
Lib_IntVector_Intrinsics_vec128 v6 = v2__2; + Lib_IntVector_Intrinsics_vec128 v7 = v3__2; + Lib_IntVector_Intrinsics_vec128 + v0_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st8, st9); + Lib_IntVector_Intrinsics_vec128 + v1_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st8, st9); + Lib_IntVector_Intrinsics_vec128 + v2_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st10, st11); + Lib_IntVector_Intrinsics_vec128 + v3_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st10, st11); + Lib_IntVector_Intrinsics_vec128 + v0__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v1__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v2__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 + v3__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 v0__4 = v0__3; + Lib_IntVector_Intrinsics_vec128 v2__4 = v2__3; + Lib_IntVector_Intrinsics_vec128 v1__4 = v1__3; + Lib_IntVector_Intrinsics_vec128 v3__4 = v3__3; + Lib_IntVector_Intrinsics_vec128 v8 = v0__4; + Lib_IntVector_Intrinsics_vec128 v9 = v1__4; + Lib_IntVector_Intrinsics_vec128 v10 = v2__4; + Lib_IntVector_Intrinsics_vec128 v11 = v3__4; + Lib_IntVector_Intrinsics_vec128 + v0_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st12, st13); + Lib_IntVector_Intrinsics_vec128 + v1_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st12, st13); + Lib_IntVector_Intrinsics_vec128 + v2_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st14, st15); + Lib_IntVector_Intrinsics_vec128 + v3_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st14, st15); + Lib_IntVector_Intrinsics_vec128 + v0__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v1__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v2__5 = 
Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 + v3__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 v0__6 = v0__5; + Lib_IntVector_Intrinsics_vec128 v2__6 = v2__5; + Lib_IntVector_Intrinsics_vec128 v1__6 = v1__5; + Lib_IntVector_Intrinsics_vec128 v3__6 = v3__5; + Lib_IntVector_Intrinsics_vec128 v12 = v0__6; + Lib_IntVector_Intrinsics_vec128 v13 = v1__6; + Lib_IntVector_Intrinsics_vec128 v14 = v2__6; + Lib_IntVector_Intrinsics_vec128 v15 = v3__6; + k[0U] = v0; + k[1U] = v4; + k[2U] = v8; + k[3U] = v12; + k[4U] = v1; + k[5U] = v5; + k[6U] = v9; + k[7U] = v13; + k[8U] = v2; + k[9U] = v6; + k[10U] = v10; + k[11U] = v14; + k[12U] = v3; + k[13U] = v7; + k[14U] = v11; + k[15U] = v15; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)16U; i0++) + { + Lib_IntVector_Intrinsics_vec128 + x = Lib_IntVector_Intrinsics_vec128_load32_le(uu____1 + i0 * (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 y = Lib_IntVector_Intrinsics_vec128_xor(x, k[i0]); + Lib_IntVector_Intrinsics_vec128_store32_le(uu____0 + i0 * (uint32_t)16U, y); + } + } + if (rem1 > (uint32_t)0U) + { + uint8_t *uu____2 = out + nb * (uint32_t)256U; + uint8_t *uu____3 = cipher + nb * (uint32_t)256U; + uint8_t plain[256U] = { 0U }; + memcpy(plain, uu____3, rem * sizeof (uint8_t)); + Lib_IntVector_Intrinsics_vec128 k[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + k[_i] = Lib_IntVector_Intrinsics_vec128_zero; + chacha20_core_128(k, ctx, nb); + Lib_IntVector_Intrinsics_vec128 st0 = k[0U]; + Lib_IntVector_Intrinsics_vec128 st1 = k[1U]; + Lib_IntVector_Intrinsics_vec128 st2 = k[2U]; + Lib_IntVector_Intrinsics_vec128 st3 = k[3U]; + Lib_IntVector_Intrinsics_vec128 st4 = k[4U]; + Lib_IntVector_Intrinsics_vec128 st5 = k[5U]; + Lib_IntVector_Intrinsics_vec128 st6 = k[6U]; + Lib_IntVector_Intrinsics_vec128 st7 = k[7U]; + Lib_IntVector_Intrinsics_vec128 st8 = k[8U]; + Lib_IntVector_Intrinsics_vec128 st9 = k[9U]; + 
Lib_IntVector_Intrinsics_vec128 st10 = k[10U]; + Lib_IntVector_Intrinsics_vec128 st11 = k[11U]; + Lib_IntVector_Intrinsics_vec128 st12 = k[12U]; + Lib_IntVector_Intrinsics_vec128 st13 = k[13U]; + Lib_IntVector_Intrinsics_vec128 st14 = k[14U]; + Lib_IntVector_Intrinsics_vec128 st15 = k[15U]; + Lib_IntVector_Intrinsics_vec128 + v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(st0, st1); + Lib_IntVector_Intrinsics_vec128 + v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(st0, st1); + Lib_IntVector_Intrinsics_vec128 + v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(st2, st3); + Lib_IntVector_Intrinsics_vec128 + v3_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(st2, st3); + Lib_IntVector_Intrinsics_vec128 + v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v2__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 + v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 v0__0 = v0__; + Lib_IntVector_Intrinsics_vec128 v2__0 = v2__; + Lib_IntVector_Intrinsics_vec128 v1__0 = v1__; + Lib_IntVector_Intrinsics_vec128 v3__0 = v3__; + Lib_IntVector_Intrinsics_vec128 v0 = v0__0; + Lib_IntVector_Intrinsics_vec128 v1 = v1__0; + Lib_IntVector_Intrinsics_vec128 v2 = v2__0; + Lib_IntVector_Intrinsics_vec128 v3 = v3__0; + Lib_IntVector_Intrinsics_vec128 + v0_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st4, st5); + Lib_IntVector_Intrinsics_vec128 + v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st4, st5); + Lib_IntVector_Intrinsics_vec128 + v2_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st6, st7); + Lib_IntVector_Intrinsics_vec128 + v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st6, st7); + Lib_IntVector_Intrinsics_vec128 + v0__1 = 
Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v1__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 + v3__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 v0__2 = v0__1; + Lib_IntVector_Intrinsics_vec128 v2__2 = v2__1; + Lib_IntVector_Intrinsics_vec128 v1__2 = v1__1; + Lib_IntVector_Intrinsics_vec128 v3__2 = v3__1; + Lib_IntVector_Intrinsics_vec128 v4 = v0__2; + Lib_IntVector_Intrinsics_vec128 v5 = v1__2; + Lib_IntVector_Intrinsics_vec128 v6 = v2__2; + Lib_IntVector_Intrinsics_vec128 v7 = v3__2; + Lib_IntVector_Intrinsics_vec128 + v0_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st8, st9); + Lib_IntVector_Intrinsics_vec128 + v1_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st8, st9); + Lib_IntVector_Intrinsics_vec128 + v2_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st10, st11); + Lib_IntVector_Intrinsics_vec128 + v3_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st10, st11); + Lib_IntVector_Intrinsics_vec128 + v0__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v1__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v2__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 + v3__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 v0__4 = v0__3; + Lib_IntVector_Intrinsics_vec128 v2__4 = v2__3; + Lib_IntVector_Intrinsics_vec128 v1__4 = v1__3; + Lib_IntVector_Intrinsics_vec128 v3__4 = v3__3; + Lib_IntVector_Intrinsics_vec128 v8 = v0__4; + Lib_IntVector_Intrinsics_vec128 v9 = v1__4; + Lib_IntVector_Intrinsics_vec128 v10 = v2__4; + Lib_IntVector_Intrinsics_vec128 v11 = v3__4; + 
Lib_IntVector_Intrinsics_vec128 + v0_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st12, st13); + Lib_IntVector_Intrinsics_vec128 + v1_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st12, st13); + Lib_IntVector_Intrinsics_vec128 + v2_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(st14, st15); + Lib_IntVector_Intrinsics_vec128 + v3_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(st14, st15); + Lib_IntVector_Intrinsics_vec128 + v0__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v1__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v2__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 + v3__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 v0__6 = v0__5; + Lib_IntVector_Intrinsics_vec128 v2__6 = v2__5; + Lib_IntVector_Intrinsics_vec128 v1__6 = v1__5; + Lib_IntVector_Intrinsics_vec128 v3__6 = v3__5; + Lib_IntVector_Intrinsics_vec128 v12 = v0__6; + Lib_IntVector_Intrinsics_vec128 v13 = v1__6; + Lib_IntVector_Intrinsics_vec128 v14 = v2__6; + Lib_IntVector_Intrinsics_vec128 v15 = v3__6; + k[0U] = v0; + k[1U] = v4; + k[2U] = v8; + k[3U] = v12; + k[4U] = v1; + k[5U] = v5; + k[6U] = v9; + k[7U] = v13; + k[8U] = v2; + k[9U] = v6; + k[10U] = v10; + k[11U] = v14; + k[12U] = v3; + k[13U] = v7; + k[14U] = v11; + k[15U] = v15; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec128 + x = Lib_IntVector_Intrinsics_vec128_load32_le(plain + i * (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 y = Lib_IntVector_Intrinsics_vec128_xor(x, k[i]); + Lib_IntVector_Intrinsics_vec128_store32_le(plain + i * (uint32_t)16U, y); + } + memcpy(uu____2, plain, rem * sizeof (uint8_t)); + } +} + diff --git a/src/msvc/Hacl_Chacha20_Vec256.c b/src/msvc/Hacl_Chacha20_Vec256.c new file mode 100644 index 00000000..746e3993 --- /dev/null 
+++ b/src/msvc/Hacl_Chacha20_Vec256.c 
@@ -0,0 +1,1215 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Chacha20_Vec256.h" + +#include "internal/Hacl_Chacha20.h" + +static inline void double_round_256(Lib_IntVector_Intrinsics_vec256 *st) +{ + st[0U] = Lib_IntVector_Intrinsics_vec256_add32(st[0U], st[4U]); + Lib_IntVector_Intrinsics_vec256 std = Lib_IntVector_Intrinsics_vec256_xor(st[12U], st[0U]); + st[12U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std, (uint32_t)16U); + st[8U] = Lib_IntVector_Intrinsics_vec256_add32(st[8U], st[12U]); + Lib_IntVector_Intrinsics_vec256 std0 = Lib_IntVector_Intrinsics_vec256_xor(st[4U], st[8U]); + st[4U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std0, (uint32_t)12U); + st[0U] = Lib_IntVector_Intrinsics_vec256_add32(st[0U], st[4U]); + Lib_IntVector_Intrinsics_vec256 std1 = Lib_IntVector_Intrinsics_vec256_xor(st[12U], st[0U]); + st[12U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std1, (uint32_t)8U); + st[8U] = Lib_IntVector_Intrinsics_vec256_add32(st[8U], st[12U]); + Lib_IntVector_Intrinsics_vec256 std2 = Lib_IntVector_Intrinsics_vec256_xor(st[4U], st[8U]); + st[4U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std2, (uint32_t)7U); + st[1U] = Lib_IntVector_Intrinsics_vec256_add32(st[1U], st[5U]); + Lib_IntVector_Intrinsics_vec256 std3 = Lib_IntVector_Intrinsics_vec256_xor(st[13U], st[1U]); + st[13U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std3, (uint32_t)16U); + st[9U] = Lib_IntVector_Intrinsics_vec256_add32(st[9U], st[13U]); + Lib_IntVector_Intrinsics_vec256 std4 = Lib_IntVector_Intrinsics_vec256_xor(st[5U], st[9U]); + st[5U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std4, (uint32_t)12U); + st[1U] = Lib_IntVector_Intrinsics_vec256_add32(st[1U], st[5U]); + Lib_IntVector_Intrinsics_vec256 std5 = Lib_IntVector_Intrinsics_vec256_xor(st[13U], st[1U]); + st[13U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std5, (uint32_t)8U); + st[9U] = Lib_IntVector_Intrinsics_vec256_add32(st[9U], st[13U]); + Lib_IntVector_Intrinsics_vec256 std6 = Lib_IntVector_Intrinsics_vec256_xor(st[5U], 
st[9U]); + st[5U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std6, (uint32_t)7U); + st[2U] = Lib_IntVector_Intrinsics_vec256_add32(st[2U], st[6U]); + Lib_IntVector_Intrinsics_vec256 std7 = Lib_IntVector_Intrinsics_vec256_xor(st[14U], st[2U]); + st[14U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std7, (uint32_t)16U); + st[10U] = Lib_IntVector_Intrinsics_vec256_add32(st[10U], st[14U]); + Lib_IntVector_Intrinsics_vec256 std8 = Lib_IntVector_Intrinsics_vec256_xor(st[6U], st[10U]); + st[6U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std8, (uint32_t)12U); + st[2U] = Lib_IntVector_Intrinsics_vec256_add32(st[2U], st[6U]); + Lib_IntVector_Intrinsics_vec256 std9 = Lib_IntVector_Intrinsics_vec256_xor(st[14U], st[2U]); + st[14U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std9, (uint32_t)8U); + st[10U] = Lib_IntVector_Intrinsics_vec256_add32(st[10U], st[14U]); + Lib_IntVector_Intrinsics_vec256 std10 = Lib_IntVector_Intrinsics_vec256_xor(st[6U], st[10U]); + st[6U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std10, (uint32_t)7U); + st[3U] = Lib_IntVector_Intrinsics_vec256_add32(st[3U], st[7U]); + Lib_IntVector_Intrinsics_vec256 std11 = Lib_IntVector_Intrinsics_vec256_xor(st[15U], st[3U]); + st[15U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std11, (uint32_t)16U); + st[11U] = Lib_IntVector_Intrinsics_vec256_add32(st[11U], st[15U]); + Lib_IntVector_Intrinsics_vec256 std12 = Lib_IntVector_Intrinsics_vec256_xor(st[7U], st[11U]); + st[7U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std12, (uint32_t)12U); + st[3U] = Lib_IntVector_Intrinsics_vec256_add32(st[3U], st[7U]); + Lib_IntVector_Intrinsics_vec256 std13 = Lib_IntVector_Intrinsics_vec256_xor(st[15U], st[3U]); + st[15U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std13, (uint32_t)8U); + st[11U] = Lib_IntVector_Intrinsics_vec256_add32(st[11U], st[15U]); + Lib_IntVector_Intrinsics_vec256 std14 = Lib_IntVector_Intrinsics_vec256_xor(st[7U], st[11U]); + st[7U] = 
Lib_IntVector_Intrinsics_vec256_rotate_left32(std14, (uint32_t)7U); + st[0U] = Lib_IntVector_Intrinsics_vec256_add32(st[0U], st[5U]); + Lib_IntVector_Intrinsics_vec256 std15 = Lib_IntVector_Intrinsics_vec256_xor(st[15U], st[0U]); + st[15U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std15, (uint32_t)16U); + st[10U] = Lib_IntVector_Intrinsics_vec256_add32(st[10U], st[15U]); + Lib_IntVector_Intrinsics_vec256 std16 = Lib_IntVector_Intrinsics_vec256_xor(st[5U], st[10U]); + st[5U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std16, (uint32_t)12U); + st[0U] = Lib_IntVector_Intrinsics_vec256_add32(st[0U], st[5U]); + Lib_IntVector_Intrinsics_vec256 std17 = Lib_IntVector_Intrinsics_vec256_xor(st[15U], st[0U]); + st[15U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std17, (uint32_t)8U); + st[10U] = Lib_IntVector_Intrinsics_vec256_add32(st[10U], st[15U]); + Lib_IntVector_Intrinsics_vec256 std18 = Lib_IntVector_Intrinsics_vec256_xor(st[5U], st[10U]); + st[5U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std18, (uint32_t)7U); + st[1U] = Lib_IntVector_Intrinsics_vec256_add32(st[1U], st[6U]); + Lib_IntVector_Intrinsics_vec256 std19 = Lib_IntVector_Intrinsics_vec256_xor(st[12U], st[1U]); + st[12U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std19, (uint32_t)16U); + st[11U] = Lib_IntVector_Intrinsics_vec256_add32(st[11U], st[12U]); + Lib_IntVector_Intrinsics_vec256 std20 = Lib_IntVector_Intrinsics_vec256_xor(st[6U], st[11U]); + st[6U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std20, (uint32_t)12U); + st[1U] = Lib_IntVector_Intrinsics_vec256_add32(st[1U], st[6U]); + Lib_IntVector_Intrinsics_vec256 std21 = Lib_IntVector_Intrinsics_vec256_xor(st[12U], st[1U]); + st[12U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std21, (uint32_t)8U); + st[11U] = Lib_IntVector_Intrinsics_vec256_add32(st[11U], st[12U]); + Lib_IntVector_Intrinsics_vec256 std22 = Lib_IntVector_Intrinsics_vec256_xor(st[6U], st[11U]); + st[6U] = 
Lib_IntVector_Intrinsics_vec256_rotate_left32(std22, (uint32_t)7U); + st[2U] = Lib_IntVector_Intrinsics_vec256_add32(st[2U], st[7U]); + Lib_IntVector_Intrinsics_vec256 std23 = Lib_IntVector_Intrinsics_vec256_xor(st[13U], st[2U]); + st[13U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std23, (uint32_t)16U); + st[8U] = Lib_IntVector_Intrinsics_vec256_add32(st[8U], st[13U]); + Lib_IntVector_Intrinsics_vec256 std24 = Lib_IntVector_Intrinsics_vec256_xor(st[7U], st[8U]); + st[7U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std24, (uint32_t)12U); + st[2U] = Lib_IntVector_Intrinsics_vec256_add32(st[2U], st[7U]); + Lib_IntVector_Intrinsics_vec256 std25 = Lib_IntVector_Intrinsics_vec256_xor(st[13U], st[2U]); + st[13U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std25, (uint32_t)8U); + st[8U] = Lib_IntVector_Intrinsics_vec256_add32(st[8U], st[13U]); + Lib_IntVector_Intrinsics_vec256 std26 = Lib_IntVector_Intrinsics_vec256_xor(st[7U], st[8U]); + st[7U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std26, (uint32_t)7U); + st[3U] = Lib_IntVector_Intrinsics_vec256_add32(st[3U], st[4U]); + Lib_IntVector_Intrinsics_vec256 std27 = Lib_IntVector_Intrinsics_vec256_xor(st[14U], st[3U]); + st[14U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std27, (uint32_t)16U); + st[9U] = Lib_IntVector_Intrinsics_vec256_add32(st[9U], st[14U]); + Lib_IntVector_Intrinsics_vec256 std28 = Lib_IntVector_Intrinsics_vec256_xor(st[4U], st[9U]); + st[4U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std28, (uint32_t)12U); + st[3U] = Lib_IntVector_Intrinsics_vec256_add32(st[3U], st[4U]); + Lib_IntVector_Intrinsics_vec256 std29 = Lib_IntVector_Intrinsics_vec256_xor(st[14U], st[3U]); + st[14U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std29, (uint32_t)8U); + st[9U] = Lib_IntVector_Intrinsics_vec256_add32(st[9U], st[14U]); + Lib_IntVector_Intrinsics_vec256 std30 = Lib_IntVector_Intrinsics_vec256_xor(st[4U], st[9U]); + st[4U] = Lib_IntVector_Intrinsics_vec256_rotate_left32(std30, 
(uint32_t)7U); +} + +static inline void +chacha20_core_256( + Lib_IntVector_Intrinsics_vec256 *k, + Lib_IntVector_Intrinsics_vec256 *ctx, + uint32_t ctr +) +{ + memcpy(k, ctx, (uint32_t)16U * sizeof (Lib_IntVector_Intrinsics_vec256)); + uint32_t ctr_u32 = (uint32_t)8U * ctr; + Lib_IntVector_Intrinsics_vec256 cv = Lib_IntVector_Intrinsics_vec256_load32(ctr_u32); + k[12U] = Lib_IntVector_Intrinsics_vec256_add32(k[12U], cv); + double_round_256(k); + double_round_256(k); + double_round_256(k); + double_round_256(k); + double_round_256(k); + double_round_256(k); + double_round_256(k); + double_round_256(k); + double_round_256(k); + double_round_256(k); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec256 *os = k; + Lib_IntVector_Intrinsics_vec256 x = Lib_IntVector_Intrinsics_vec256_add32(k[i], ctx[i]); + os[i] = x; + } + k[12U] = Lib_IntVector_Intrinsics_vec256_add32(k[12U], cv); +} + +static inline void +chacha20_init_256(Lib_IntVector_Intrinsics_vec256 *ctx, uint8_t *k, uint8_t *n, uint32_t ctr) +{ + uint32_t ctx1[16U] = { 0U }; + uint32_t *uu____0 = ctx1; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = uu____0; + uint32_t x = Hacl_Impl_Chacha20_Vec_chacha20_constants[i]; + os[i] = x; + } + uint32_t *uu____1 = ctx1 + (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = uu____1; + uint8_t *bj = k + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + ctx1[12U] = ctr; + uint32_t *uu____2 = ctx1 + (uint32_t)13U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)3U; i++) + { + uint32_t *os = uu____2; + uint8_t *bj = n + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec256 *os = ctx; + uint32_t x = ctx1[i]; + Lib_IntVector_Intrinsics_vec256 x0 = 
Lib_IntVector_Intrinsics_vec256_load32(x); + os[i] = x0; + } + Lib_IntVector_Intrinsics_vec256 + ctr1 = + Lib_IntVector_Intrinsics_vec256_load32s((uint32_t)0U, + (uint32_t)1U, + (uint32_t)2U, + (uint32_t)3U, + (uint32_t)4U, + (uint32_t)5U, + (uint32_t)6U, + (uint32_t)7U); + Lib_IntVector_Intrinsics_vec256 c12 = ctx[12U]; + ctx[12U] = Lib_IntVector_Intrinsics_vec256_add32(c12, ctr1); +} + +void +Hacl_Chacha20_Vec256_chacha20_encrypt_256( + uint32_t len, + uint8_t *out, + uint8_t *text, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + Lib_IntVector_Intrinsics_vec256 ctx[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + ctx[_i] = Lib_IntVector_Intrinsics_vec256_zero; + chacha20_init_256(ctx, key, n, ctr); + uint32_t rem = len % (uint32_t)512U; + uint32_t nb = len / (uint32_t)512U; + uint32_t rem1 = len % (uint32_t)512U; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *uu____0 = out + i * (uint32_t)512U; + uint8_t *uu____1 = text + i * (uint32_t)512U; + Lib_IntVector_Intrinsics_vec256 k[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + k[_i] = Lib_IntVector_Intrinsics_vec256_zero; + chacha20_core_256(k, ctx, i); + Lib_IntVector_Intrinsics_vec256 st0 = k[0U]; + Lib_IntVector_Intrinsics_vec256 st1 = k[1U]; + Lib_IntVector_Intrinsics_vec256 st2 = k[2U]; + Lib_IntVector_Intrinsics_vec256 st3 = k[3U]; + Lib_IntVector_Intrinsics_vec256 st4 = k[4U]; + Lib_IntVector_Intrinsics_vec256 st5 = k[5U]; + Lib_IntVector_Intrinsics_vec256 st6 = k[6U]; + Lib_IntVector_Intrinsics_vec256 st7 = k[7U]; + Lib_IntVector_Intrinsics_vec256 st8 = k[8U]; + Lib_IntVector_Intrinsics_vec256 st9 = k[9U]; + Lib_IntVector_Intrinsics_vec256 st10 = k[10U]; + Lib_IntVector_Intrinsics_vec256 st11 = k[11U]; + Lib_IntVector_Intrinsics_vec256 st12 = k[12U]; + Lib_IntVector_Intrinsics_vec256 st13 = k[13U]; + Lib_IntVector_Intrinsics_vec256 st14 = k[14U]; + Lib_IntVector_Intrinsics_vec256 st15 = k[15U]; + Lib_IntVector_Intrinsics_vec256 v00 = st0; + 
Lib_IntVector_Intrinsics_vec256 v16 = st1; + Lib_IntVector_Intrinsics_vec256 v20 = st2; + Lib_IntVector_Intrinsics_vec256 v30 = st3; + Lib_IntVector_Intrinsics_vec256 v40 = st4; + Lib_IntVector_Intrinsics_vec256 v50 = st5; + Lib_IntVector_Intrinsics_vec256 v60 = st6; + Lib_IntVector_Intrinsics_vec256 v70 = st7; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v00, v16); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v00, v16); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v4_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v5_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v6_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v60, v70); + Lib_IntVector_Intrinsics_vec256 + v7_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v60, v70); + Lib_IntVector_Intrinsics_vec256 v0_0 = v0_; + Lib_IntVector_Intrinsics_vec256 v1_0 = v1_; + Lib_IntVector_Intrinsics_vec256 v2_0 = v2_; + Lib_IntVector_Intrinsics_vec256 v3_0 = v3_; + Lib_IntVector_Intrinsics_vec256 v4_0 = v4_; + Lib_IntVector_Intrinsics_vec256 v5_0 = v5_; + Lib_IntVector_Intrinsics_vec256 v6_0 = v6_; + Lib_IntVector_Intrinsics_vec256 v7_0 = v7_; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v4_1 = 
Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v6_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v5_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 + v7_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 v0_10 = v0_1; + Lib_IntVector_Intrinsics_vec256 v1_10 = v1_1; + Lib_IntVector_Intrinsics_vec256 v2_10 = v2_1; + Lib_IntVector_Intrinsics_vec256 v3_10 = v3_1; + Lib_IntVector_Intrinsics_vec256 v4_10 = v4_1; + Lib_IntVector_Intrinsics_vec256 v5_10 = v5_1; + Lib_IntVector_Intrinsics_vec256 v6_10 = v6_1; + Lib_IntVector_Intrinsics_vec256 v7_10 = v7_1; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v4_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v5_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v6_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 + v7_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 v0_20 = v0_2; + Lib_IntVector_Intrinsics_vec256 v1_20 = v1_2; + Lib_IntVector_Intrinsics_vec256 v2_20 = v2_2; + Lib_IntVector_Intrinsics_vec256 v3_20 = v3_2; + Lib_IntVector_Intrinsics_vec256 v4_20 = v4_2; + Lib_IntVector_Intrinsics_vec256 v5_20 = v5_2; + Lib_IntVector_Intrinsics_vec256 v6_20 = v6_2; + 
Lib_IntVector_Intrinsics_vec256 v7_20 = v7_2; + Lib_IntVector_Intrinsics_vec256 v0_3 = v0_20; + Lib_IntVector_Intrinsics_vec256 v1_3 = v1_20; + Lib_IntVector_Intrinsics_vec256 v2_3 = v2_20; + Lib_IntVector_Intrinsics_vec256 v3_3 = v3_20; + Lib_IntVector_Intrinsics_vec256 v4_3 = v4_20; + Lib_IntVector_Intrinsics_vec256 v5_3 = v5_20; + Lib_IntVector_Intrinsics_vec256 v6_3 = v6_20; + Lib_IntVector_Intrinsics_vec256 v7_3 = v7_20; + Lib_IntVector_Intrinsics_vec256 v0 = v0_3; + Lib_IntVector_Intrinsics_vec256 v1 = v2_3; + Lib_IntVector_Intrinsics_vec256 v2 = v1_3; + Lib_IntVector_Intrinsics_vec256 v3 = v3_3; + Lib_IntVector_Intrinsics_vec256 v4 = v4_3; + Lib_IntVector_Intrinsics_vec256 v5 = v6_3; + Lib_IntVector_Intrinsics_vec256 v6 = v5_3; + Lib_IntVector_Intrinsics_vec256 v7 = v7_3; + Lib_IntVector_Intrinsics_vec256 v01 = st8; + Lib_IntVector_Intrinsics_vec256 v110 = st9; + Lib_IntVector_Intrinsics_vec256 v21 = st10; + Lib_IntVector_Intrinsics_vec256 v31 = st11; + Lib_IntVector_Intrinsics_vec256 v41 = st12; + Lib_IntVector_Intrinsics_vec256 v51 = st13; + Lib_IntVector_Intrinsics_vec256 v61 = st14; + Lib_IntVector_Intrinsics_vec256 v71 = st15; + Lib_IntVector_Intrinsics_vec256 + v0_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v01, v110); + Lib_IntVector_Intrinsics_vec256 + v1_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v01, v110); + Lib_IntVector_Intrinsics_vec256 + v2_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v3_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v4_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v41, v51); + Lib_IntVector_Intrinsics_vec256 + v5_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v41, v51); + Lib_IntVector_Intrinsics_vec256 + v6_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v61, v71); + Lib_IntVector_Intrinsics_vec256 + v7_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v61, v71); + 
Lib_IntVector_Intrinsics_vec256 v0_5 = v0_4; + Lib_IntVector_Intrinsics_vec256 v1_5 = v1_4; + Lib_IntVector_Intrinsics_vec256 v2_5 = v2_4; + Lib_IntVector_Intrinsics_vec256 v3_5 = v3_4; + Lib_IntVector_Intrinsics_vec256 v4_5 = v4_4; + Lib_IntVector_Intrinsics_vec256 v5_5 = v5_4; + Lib_IntVector_Intrinsics_vec256 v6_5 = v6_4; + Lib_IntVector_Intrinsics_vec256 v7_5 = v7_4; + Lib_IntVector_Intrinsics_vec256 + v0_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v2_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v1_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v3_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v4_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v6_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v5_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 + v7_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 v0_12 = v0_11; + Lib_IntVector_Intrinsics_vec256 v1_12 = v1_11; + Lib_IntVector_Intrinsics_vec256 v2_12 = v2_11; + Lib_IntVector_Intrinsics_vec256 v3_12 = v3_11; + Lib_IntVector_Intrinsics_vec256 v4_12 = v4_11; + Lib_IntVector_Intrinsics_vec256 v5_12 = v5_11; + Lib_IntVector_Intrinsics_vec256 v6_12 = v6_11; + Lib_IntVector_Intrinsics_vec256 v7_12 = v7_11; + Lib_IntVector_Intrinsics_vec256 + v0_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v4_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v1_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v5_21 = 
Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v2_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v6_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v3_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 + v7_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 v0_22 = v0_21; + Lib_IntVector_Intrinsics_vec256 v1_22 = v1_21; + Lib_IntVector_Intrinsics_vec256 v2_22 = v2_21; + Lib_IntVector_Intrinsics_vec256 v3_22 = v3_21; + Lib_IntVector_Intrinsics_vec256 v4_22 = v4_21; + Lib_IntVector_Intrinsics_vec256 v5_22 = v5_21; + Lib_IntVector_Intrinsics_vec256 v6_22 = v6_21; + Lib_IntVector_Intrinsics_vec256 v7_22 = v7_21; + Lib_IntVector_Intrinsics_vec256 v0_6 = v0_22; + Lib_IntVector_Intrinsics_vec256 v1_6 = v1_22; + Lib_IntVector_Intrinsics_vec256 v2_6 = v2_22; + Lib_IntVector_Intrinsics_vec256 v3_6 = v3_22; + Lib_IntVector_Intrinsics_vec256 v4_6 = v4_22; + Lib_IntVector_Intrinsics_vec256 v5_6 = v5_22; + Lib_IntVector_Intrinsics_vec256 v6_6 = v6_22; + Lib_IntVector_Intrinsics_vec256 v7_6 = v7_22; + Lib_IntVector_Intrinsics_vec256 v8 = v0_6; + Lib_IntVector_Intrinsics_vec256 v9 = v2_6; + Lib_IntVector_Intrinsics_vec256 v10 = v1_6; + Lib_IntVector_Intrinsics_vec256 v11 = v3_6; + Lib_IntVector_Intrinsics_vec256 v12 = v4_6; + Lib_IntVector_Intrinsics_vec256 v13 = v6_6; + Lib_IntVector_Intrinsics_vec256 v14 = v5_6; + Lib_IntVector_Intrinsics_vec256 v15 = v7_6; + k[0U] = v0; + k[1U] = v8; + k[2U] = v1; + k[3U] = v9; + k[4U] = v2; + k[5U] = v10; + k[6U] = v3; + k[7U] = v11; + k[8U] = v4; + k[9U] = v12; + k[10U] = v5; + k[11U] = v13; + k[12U] = v6; + k[13U] = v14; + k[14U] = v7; + k[15U] = v15; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)16U; i0++) + { + Lib_IntVector_Intrinsics_vec256 + x = 
Lib_IntVector_Intrinsics_vec256_load32_le(uu____1 + i0 * (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 y = Lib_IntVector_Intrinsics_vec256_xor(x, k[i0]); + Lib_IntVector_Intrinsics_vec256_store32_le(uu____0 + i0 * (uint32_t)32U, y); + } + } + if (rem1 > (uint32_t)0U) + { + uint8_t *uu____2 = out + nb * (uint32_t)512U; + uint8_t *uu____3 = text + nb * (uint32_t)512U; + uint8_t plain[512U] = { 0U }; + memcpy(plain, uu____3, rem * sizeof (uint8_t)); + Lib_IntVector_Intrinsics_vec256 k[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + k[_i] = Lib_IntVector_Intrinsics_vec256_zero; + chacha20_core_256(k, ctx, nb); + Lib_IntVector_Intrinsics_vec256 st0 = k[0U]; + Lib_IntVector_Intrinsics_vec256 st1 = k[1U]; + Lib_IntVector_Intrinsics_vec256 st2 = k[2U]; + Lib_IntVector_Intrinsics_vec256 st3 = k[3U]; + Lib_IntVector_Intrinsics_vec256 st4 = k[4U]; + Lib_IntVector_Intrinsics_vec256 st5 = k[5U]; + Lib_IntVector_Intrinsics_vec256 st6 = k[6U]; + Lib_IntVector_Intrinsics_vec256 st7 = k[7U]; + Lib_IntVector_Intrinsics_vec256 st8 = k[8U]; + Lib_IntVector_Intrinsics_vec256 st9 = k[9U]; + Lib_IntVector_Intrinsics_vec256 st10 = k[10U]; + Lib_IntVector_Intrinsics_vec256 st11 = k[11U]; + Lib_IntVector_Intrinsics_vec256 st12 = k[12U]; + Lib_IntVector_Intrinsics_vec256 st13 = k[13U]; + Lib_IntVector_Intrinsics_vec256 st14 = k[14U]; + Lib_IntVector_Intrinsics_vec256 st15 = k[15U]; + Lib_IntVector_Intrinsics_vec256 v00 = st0; + Lib_IntVector_Intrinsics_vec256 v16 = st1; + Lib_IntVector_Intrinsics_vec256 v20 = st2; + Lib_IntVector_Intrinsics_vec256 v30 = st3; + Lib_IntVector_Intrinsics_vec256 v40 = st4; + Lib_IntVector_Intrinsics_vec256 v50 = st5; + Lib_IntVector_Intrinsics_vec256 v60 = st6; + Lib_IntVector_Intrinsics_vec256 v70 = st7; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v00, v16); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v00, v16); + Lib_IntVector_Intrinsics_vec256 + v2_ = 
Lib_IntVector_Intrinsics_vec256_interleave_low32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v4_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v5_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v6_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v60, v70); + Lib_IntVector_Intrinsics_vec256 + v7_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v60, v70); + Lib_IntVector_Intrinsics_vec256 v0_0 = v0_; + Lib_IntVector_Intrinsics_vec256 v1_0 = v1_; + Lib_IntVector_Intrinsics_vec256 v2_0 = v2_; + Lib_IntVector_Intrinsics_vec256 v3_0 = v3_; + Lib_IntVector_Intrinsics_vec256 v4_0 = v4_; + Lib_IntVector_Intrinsics_vec256 v5_0 = v5_; + Lib_IntVector_Intrinsics_vec256 v6_0 = v6_; + Lib_IntVector_Intrinsics_vec256 v7_0 = v7_; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v4_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v6_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v5_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 + v7_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 v0_10 = v0_1; + Lib_IntVector_Intrinsics_vec256 v1_10 = v1_1; + Lib_IntVector_Intrinsics_vec256 v2_10 = v2_1; + Lib_IntVector_Intrinsics_vec256 v3_10 = v3_1; + 
Lib_IntVector_Intrinsics_vec256 v4_10 = v4_1; + Lib_IntVector_Intrinsics_vec256 v5_10 = v5_1; + Lib_IntVector_Intrinsics_vec256 v6_10 = v6_1; + Lib_IntVector_Intrinsics_vec256 v7_10 = v7_1; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v4_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v5_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v6_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 + v7_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 v0_20 = v0_2; + Lib_IntVector_Intrinsics_vec256 v1_20 = v1_2; + Lib_IntVector_Intrinsics_vec256 v2_20 = v2_2; + Lib_IntVector_Intrinsics_vec256 v3_20 = v3_2; + Lib_IntVector_Intrinsics_vec256 v4_20 = v4_2; + Lib_IntVector_Intrinsics_vec256 v5_20 = v5_2; + Lib_IntVector_Intrinsics_vec256 v6_20 = v6_2; + Lib_IntVector_Intrinsics_vec256 v7_20 = v7_2; + Lib_IntVector_Intrinsics_vec256 v0_3 = v0_20; + Lib_IntVector_Intrinsics_vec256 v1_3 = v1_20; + Lib_IntVector_Intrinsics_vec256 v2_3 = v2_20; + Lib_IntVector_Intrinsics_vec256 v3_3 = v3_20; + Lib_IntVector_Intrinsics_vec256 v4_3 = v4_20; + Lib_IntVector_Intrinsics_vec256 v5_3 = v5_20; + Lib_IntVector_Intrinsics_vec256 v6_3 = v6_20; + Lib_IntVector_Intrinsics_vec256 v7_3 = v7_20; + Lib_IntVector_Intrinsics_vec256 v0 = v0_3; + Lib_IntVector_Intrinsics_vec256 v1 = v2_3; + Lib_IntVector_Intrinsics_vec256 v2 = v1_3; + Lib_IntVector_Intrinsics_vec256 v3 = 
v3_3; + Lib_IntVector_Intrinsics_vec256 v4 = v4_3; + Lib_IntVector_Intrinsics_vec256 v5 = v6_3; + Lib_IntVector_Intrinsics_vec256 v6 = v5_3; + Lib_IntVector_Intrinsics_vec256 v7 = v7_3; + Lib_IntVector_Intrinsics_vec256 v01 = st8; + Lib_IntVector_Intrinsics_vec256 v110 = st9; + Lib_IntVector_Intrinsics_vec256 v21 = st10; + Lib_IntVector_Intrinsics_vec256 v31 = st11; + Lib_IntVector_Intrinsics_vec256 v41 = st12; + Lib_IntVector_Intrinsics_vec256 v51 = st13; + Lib_IntVector_Intrinsics_vec256 v61 = st14; + Lib_IntVector_Intrinsics_vec256 v71 = st15; + Lib_IntVector_Intrinsics_vec256 + v0_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v01, v110); + Lib_IntVector_Intrinsics_vec256 + v1_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v01, v110); + Lib_IntVector_Intrinsics_vec256 + v2_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v3_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v4_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v41, v51); + Lib_IntVector_Intrinsics_vec256 + v5_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v41, v51); + Lib_IntVector_Intrinsics_vec256 + v6_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v61, v71); + Lib_IntVector_Intrinsics_vec256 + v7_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v61, v71); + Lib_IntVector_Intrinsics_vec256 v0_5 = v0_4; + Lib_IntVector_Intrinsics_vec256 v1_5 = v1_4; + Lib_IntVector_Intrinsics_vec256 v2_5 = v2_4; + Lib_IntVector_Intrinsics_vec256 v3_5 = v3_4; + Lib_IntVector_Intrinsics_vec256 v4_5 = v4_4; + Lib_IntVector_Intrinsics_vec256 v5_5 = v5_4; + Lib_IntVector_Intrinsics_vec256 v6_5 = v6_4; + Lib_IntVector_Intrinsics_vec256 v7_5 = v7_4; + Lib_IntVector_Intrinsics_vec256 + v0_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v2_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_5, v2_5); + 
Lib_IntVector_Intrinsics_vec256 + v1_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v3_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v4_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v6_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v5_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 + v7_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 v0_12 = v0_11; + Lib_IntVector_Intrinsics_vec256 v1_12 = v1_11; + Lib_IntVector_Intrinsics_vec256 v2_12 = v2_11; + Lib_IntVector_Intrinsics_vec256 v3_12 = v3_11; + Lib_IntVector_Intrinsics_vec256 v4_12 = v4_11; + Lib_IntVector_Intrinsics_vec256 v5_12 = v5_11; + Lib_IntVector_Intrinsics_vec256 v6_12 = v6_11; + Lib_IntVector_Intrinsics_vec256 v7_12 = v7_11; + Lib_IntVector_Intrinsics_vec256 + v0_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v4_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v1_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v5_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v2_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v6_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v3_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 + v7_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 v0_22 = v0_21; + Lib_IntVector_Intrinsics_vec256 v1_22 = 
v1_21; + Lib_IntVector_Intrinsics_vec256 v2_22 = v2_21; + Lib_IntVector_Intrinsics_vec256 v3_22 = v3_21; + Lib_IntVector_Intrinsics_vec256 v4_22 = v4_21; + Lib_IntVector_Intrinsics_vec256 v5_22 = v5_21; + Lib_IntVector_Intrinsics_vec256 v6_22 = v6_21; + Lib_IntVector_Intrinsics_vec256 v7_22 = v7_21; + Lib_IntVector_Intrinsics_vec256 v0_6 = v0_22; + Lib_IntVector_Intrinsics_vec256 v1_6 = v1_22; + Lib_IntVector_Intrinsics_vec256 v2_6 = v2_22; + Lib_IntVector_Intrinsics_vec256 v3_6 = v3_22; + Lib_IntVector_Intrinsics_vec256 v4_6 = v4_22; + Lib_IntVector_Intrinsics_vec256 v5_6 = v5_22; + Lib_IntVector_Intrinsics_vec256 v6_6 = v6_22; + Lib_IntVector_Intrinsics_vec256 v7_6 = v7_22; + Lib_IntVector_Intrinsics_vec256 v8 = v0_6; + Lib_IntVector_Intrinsics_vec256 v9 = v2_6; + Lib_IntVector_Intrinsics_vec256 v10 = v1_6; + Lib_IntVector_Intrinsics_vec256 v11 = v3_6; + Lib_IntVector_Intrinsics_vec256 v12 = v4_6; + Lib_IntVector_Intrinsics_vec256 v13 = v6_6; + Lib_IntVector_Intrinsics_vec256 v14 = v5_6; + Lib_IntVector_Intrinsics_vec256 v15 = v7_6; + k[0U] = v0; + k[1U] = v8; + k[2U] = v1; + k[3U] = v9; + k[4U] = v2; + k[5U] = v10; + k[6U] = v3; + k[7U] = v11; + k[8U] = v4; + k[9U] = v12; + k[10U] = v5; + k[11U] = v13; + k[12U] = v6; + k[13U] = v14; + k[14U] = v7; + k[15U] = v15; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec256 + x = Lib_IntVector_Intrinsics_vec256_load32_le(plain + i * (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 y = Lib_IntVector_Intrinsics_vec256_xor(x, k[i]); + Lib_IntVector_Intrinsics_vec256_store32_le(plain + i * (uint32_t)32U, y); + } + memcpy(uu____2, plain, rem * sizeof (uint8_t)); + } +} + +void +Hacl_Chacha20_Vec256_chacha20_decrypt_256( + uint32_t len, + uint8_t *out, + uint8_t *cipher, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + Lib_IntVector_Intrinsics_vec256 ctx[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + ctx[_i] = Lib_IntVector_Intrinsics_vec256_zero; + 
chacha20_init_256(ctx, key, n, ctr); + uint32_t rem = len % (uint32_t)512U; + uint32_t nb = len / (uint32_t)512U; + uint32_t rem1 = len % (uint32_t)512U; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *uu____0 = out + i * (uint32_t)512U; + uint8_t *uu____1 = cipher + i * (uint32_t)512U; + Lib_IntVector_Intrinsics_vec256 k[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + k[_i] = Lib_IntVector_Intrinsics_vec256_zero; + chacha20_core_256(k, ctx, i); + Lib_IntVector_Intrinsics_vec256 st0 = k[0U]; + Lib_IntVector_Intrinsics_vec256 st1 = k[1U]; + Lib_IntVector_Intrinsics_vec256 st2 = k[2U]; + Lib_IntVector_Intrinsics_vec256 st3 = k[3U]; + Lib_IntVector_Intrinsics_vec256 st4 = k[4U]; + Lib_IntVector_Intrinsics_vec256 st5 = k[5U]; + Lib_IntVector_Intrinsics_vec256 st6 = k[6U]; + Lib_IntVector_Intrinsics_vec256 st7 = k[7U]; + Lib_IntVector_Intrinsics_vec256 st8 = k[8U]; + Lib_IntVector_Intrinsics_vec256 st9 = k[9U]; + Lib_IntVector_Intrinsics_vec256 st10 = k[10U]; + Lib_IntVector_Intrinsics_vec256 st11 = k[11U]; + Lib_IntVector_Intrinsics_vec256 st12 = k[12U]; + Lib_IntVector_Intrinsics_vec256 st13 = k[13U]; + Lib_IntVector_Intrinsics_vec256 st14 = k[14U]; + Lib_IntVector_Intrinsics_vec256 st15 = k[15U]; + Lib_IntVector_Intrinsics_vec256 v00 = st0; + Lib_IntVector_Intrinsics_vec256 v16 = st1; + Lib_IntVector_Intrinsics_vec256 v20 = st2; + Lib_IntVector_Intrinsics_vec256 v30 = st3; + Lib_IntVector_Intrinsics_vec256 v40 = st4; + Lib_IntVector_Intrinsics_vec256 v50 = st5; + Lib_IntVector_Intrinsics_vec256 v60 = st6; + Lib_IntVector_Intrinsics_vec256 v70 = st7; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v00, v16); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v00, v16); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = 
Lib_IntVector_Intrinsics_vec256_interleave_high32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v4_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v5_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v6_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v60, v70); + Lib_IntVector_Intrinsics_vec256 + v7_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v60, v70); + Lib_IntVector_Intrinsics_vec256 v0_0 = v0_; + Lib_IntVector_Intrinsics_vec256 v1_0 = v1_; + Lib_IntVector_Intrinsics_vec256 v2_0 = v2_; + Lib_IntVector_Intrinsics_vec256 v3_0 = v3_; + Lib_IntVector_Intrinsics_vec256 v4_0 = v4_; + Lib_IntVector_Intrinsics_vec256 v5_0 = v5_; + Lib_IntVector_Intrinsics_vec256 v6_0 = v6_; + Lib_IntVector_Intrinsics_vec256 v7_0 = v7_; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v4_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v6_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v5_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 + v7_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 v0_10 = v0_1; + Lib_IntVector_Intrinsics_vec256 v1_10 = v1_1; + Lib_IntVector_Intrinsics_vec256 v2_10 = v2_1; + Lib_IntVector_Intrinsics_vec256 v3_10 = v3_1; + Lib_IntVector_Intrinsics_vec256 v4_10 = v4_1; + Lib_IntVector_Intrinsics_vec256 v5_10 = v5_1; + 
Lib_IntVector_Intrinsics_vec256 v6_10 = v6_1; + Lib_IntVector_Intrinsics_vec256 v7_10 = v7_1; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v4_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v5_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v6_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 + v7_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 v0_20 = v0_2; + Lib_IntVector_Intrinsics_vec256 v1_20 = v1_2; + Lib_IntVector_Intrinsics_vec256 v2_20 = v2_2; + Lib_IntVector_Intrinsics_vec256 v3_20 = v3_2; + Lib_IntVector_Intrinsics_vec256 v4_20 = v4_2; + Lib_IntVector_Intrinsics_vec256 v5_20 = v5_2; + Lib_IntVector_Intrinsics_vec256 v6_20 = v6_2; + Lib_IntVector_Intrinsics_vec256 v7_20 = v7_2; + Lib_IntVector_Intrinsics_vec256 v0_3 = v0_20; + Lib_IntVector_Intrinsics_vec256 v1_3 = v1_20; + Lib_IntVector_Intrinsics_vec256 v2_3 = v2_20; + Lib_IntVector_Intrinsics_vec256 v3_3 = v3_20; + Lib_IntVector_Intrinsics_vec256 v4_3 = v4_20; + Lib_IntVector_Intrinsics_vec256 v5_3 = v5_20; + Lib_IntVector_Intrinsics_vec256 v6_3 = v6_20; + Lib_IntVector_Intrinsics_vec256 v7_3 = v7_20; + Lib_IntVector_Intrinsics_vec256 v0 = v0_3; + Lib_IntVector_Intrinsics_vec256 v1 = v2_3; + Lib_IntVector_Intrinsics_vec256 v2 = v1_3; + Lib_IntVector_Intrinsics_vec256 v3 = v3_3; + Lib_IntVector_Intrinsics_vec256 v4 = v4_3; + Lib_IntVector_Intrinsics_vec256 v5 = v6_3; 
+ Lib_IntVector_Intrinsics_vec256 v6 = v5_3; + Lib_IntVector_Intrinsics_vec256 v7 = v7_3; + Lib_IntVector_Intrinsics_vec256 v01 = st8; + Lib_IntVector_Intrinsics_vec256 v110 = st9; + Lib_IntVector_Intrinsics_vec256 v21 = st10; + Lib_IntVector_Intrinsics_vec256 v31 = st11; + Lib_IntVector_Intrinsics_vec256 v41 = st12; + Lib_IntVector_Intrinsics_vec256 v51 = st13; + Lib_IntVector_Intrinsics_vec256 v61 = st14; + Lib_IntVector_Intrinsics_vec256 v71 = st15; + Lib_IntVector_Intrinsics_vec256 + v0_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v01, v110); + Lib_IntVector_Intrinsics_vec256 + v1_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v01, v110); + Lib_IntVector_Intrinsics_vec256 + v2_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v3_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v4_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v41, v51); + Lib_IntVector_Intrinsics_vec256 + v5_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v41, v51); + Lib_IntVector_Intrinsics_vec256 + v6_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v61, v71); + Lib_IntVector_Intrinsics_vec256 + v7_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v61, v71); + Lib_IntVector_Intrinsics_vec256 v0_5 = v0_4; + Lib_IntVector_Intrinsics_vec256 v1_5 = v1_4; + Lib_IntVector_Intrinsics_vec256 v2_5 = v2_4; + Lib_IntVector_Intrinsics_vec256 v3_5 = v3_4; + Lib_IntVector_Intrinsics_vec256 v4_5 = v4_4; + Lib_IntVector_Intrinsics_vec256 v5_5 = v5_4; + Lib_IntVector_Intrinsics_vec256 v6_5 = v6_4; + Lib_IntVector_Intrinsics_vec256 v7_5 = v7_4; + Lib_IntVector_Intrinsics_vec256 + v0_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v2_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v1_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_5, v3_5); + 
Lib_IntVector_Intrinsics_vec256 + v3_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v4_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v6_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v5_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 + v7_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 v0_12 = v0_11; + Lib_IntVector_Intrinsics_vec256 v1_12 = v1_11; + Lib_IntVector_Intrinsics_vec256 v2_12 = v2_11; + Lib_IntVector_Intrinsics_vec256 v3_12 = v3_11; + Lib_IntVector_Intrinsics_vec256 v4_12 = v4_11; + Lib_IntVector_Intrinsics_vec256 v5_12 = v5_11; + Lib_IntVector_Intrinsics_vec256 v6_12 = v6_11; + Lib_IntVector_Intrinsics_vec256 v7_12 = v7_11; + Lib_IntVector_Intrinsics_vec256 + v0_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v4_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v1_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v5_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v2_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v6_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v3_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 + v7_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 v0_22 = v0_21; + Lib_IntVector_Intrinsics_vec256 v1_22 = v1_21; + Lib_IntVector_Intrinsics_vec256 v2_22 = v2_21; + Lib_IntVector_Intrinsics_vec256 v3_22 = v3_21; + 
Lib_IntVector_Intrinsics_vec256 v4_22 = v4_21; + Lib_IntVector_Intrinsics_vec256 v5_22 = v5_21; + Lib_IntVector_Intrinsics_vec256 v6_22 = v6_21; + Lib_IntVector_Intrinsics_vec256 v7_22 = v7_21; + Lib_IntVector_Intrinsics_vec256 v0_6 = v0_22; + Lib_IntVector_Intrinsics_vec256 v1_6 = v1_22; + Lib_IntVector_Intrinsics_vec256 v2_6 = v2_22; + Lib_IntVector_Intrinsics_vec256 v3_6 = v3_22; + Lib_IntVector_Intrinsics_vec256 v4_6 = v4_22; + Lib_IntVector_Intrinsics_vec256 v5_6 = v5_22; + Lib_IntVector_Intrinsics_vec256 v6_6 = v6_22; + Lib_IntVector_Intrinsics_vec256 v7_6 = v7_22; + Lib_IntVector_Intrinsics_vec256 v8 = v0_6; + Lib_IntVector_Intrinsics_vec256 v9 = v2_6; + Lib_IntVector_Intrinsics_vec256 v10 = v1_6; + Lib_IntVector_Intrinsics_vec256 v11 = v3_6; + Lib_IntVector_Intrinsics_vec256 v12 = v4_6; + Lib_IntVector_Intrinsics_vec256 v13 = v6_6; + Lib_IntVector_Intrinsics_vec256 v14 = v5_6; + Lib_IntVector_Intrinsics_vec256 v15 = v7_6; + k[0U] = v0; + k[1U] = v8; + k[2U] = v1; + k[3U] = v9; + k[4U] = v2; + k[5U] = v10; + k[6U] = v3; + k[7U] = v11; + k[8U] = v4; + k[9U] = v12; + k[10U] = v5; + k[11U] = v13; + k[12U] = v6; + k[13U] = v14; + k[14U] = v7; + k[15U] = v15; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)16U; i0++) + { + Lib_IntVector_Intrinsics_vec256 + x = Lib_IntVector_Intrinsics_vec256_load32_le(uu____1 + i0 * (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 y = Lib_IntVector_Intrinsics_vec256_xor(x, k[i0]); + Lib_IntVector_Intrinsics_vec256_store32_le(uu____0 + i0 * (uint32_t)32U, y); + } + } + if (rem1 > (uint32_t)0U) + { + uint8_t *uu____2 = out + nb * (uint32_t)512U; + uint8_t *uu____3 = cipher + nb * (uint32_t)512U; + uint8_t plain[512U] = { 0U }; + memcpy(plain, uu____3, rem * sizeof (uint8_t)); + Lib_IntVector_Intrinsics_vec256 k[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + k[_i] = Lib_IntVector_Intrinsics_vec256_zero; + chacha20_core_256(k, ctx, nb); + Lib_IntVector_Intrinsics_vec256 st0 = k[0U]; + Lib_IntVector_Intrinsics_vec256 
st1 = k[1U]; + Lib_IntVector_Intrinsics_vec256 st2 = k[2U]; + Lib_IntVector_Intrinsics_vec256 st3 = k[3U]; + Lib_IntVector_Intrinsics_vec256 st4 = k[4U]; + Lib_IntVector_Intrinsics_vec256 st5 = k[5U]; + Lib_IntVector_Intrinsics_vec256 st6 = k[6U]; + Lib_IntVector_Intrinsics_vec256 st7 = k[7U]; + Lib_IntVector_Intrinsics_vec256 st8 = k[8U]; + Lib_IntVector_Intrinsics_vec256 st9 = k[9U]; + Lib_IntVector_Intrinsics_vec256 st10 = k[10U]; + Lib_IntVector_Intrinsics_vec256 st11 = k[11U]; + Lib_IntVector_Intrinsics_vec256 st12 = k[12U]; + Lib_IntVector_Intrinsics_vec256 st13 = k[13U]; + Lib_IntVector_Intrinsics_vec256 st14 = k[14U]; + Lib_IntVector_Intrinsics_vec256 st15 = k[15U]; + Lib_IntVector_Intrinsics_vec256 v00 = st0; + Lib_IntVector_Intrinsics_vec256 v16 = st1; + Lib_IntVector_Intrinsics_vec256 v20 = st2; + Lib_IntVector_Intrinsics_vec256 v30 = st3; + Lib_IntVector_Intrinsics_vec256 v40 = st4; + Lib_IntVector_Intrinsics_vec256 v50 = st5; + Lib_IntVector_Intrinsics_vec256 v60 = st6; + Lib_IntVector_Intrinsics_vec256 v70 = st7; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v00, v16); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v00, v16); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v4_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v5_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v6_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v60, v70); + Lib_IntVector_Intrinsics_vec256 + v7_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v60, v70); + Lib_IntVector_Intrinsics_vec256 v0_0 = v0_; + Lib_IntVector_Intrinsics_vec256 v1_0 = v1_; + Lib_IntVector_Intrinsics_vec256 v2_0 = 
v2_; + Lib_IntVector_Intrinsics_vec256 v3_0 = v3_; + Lib_IntVector_Intrinsics_vec256 v4_0 = v4_; + Lib_IntVector_Intrinsics_vec256 v5_0 = v5_; + Lib_IntVector_Intrinsics_vec256 v6_0 = v6_; + Lib_IntVector_Intrinsics_vec256 v7_0 = v7_; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v4_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v6_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v5_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 + v7_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 v0_10 = v0_1; + Lib_IntVector_Intrinsics_vec256 v1_10 = v1_1; + Lib_IntVector_Intrinsics_vec256 v2_10 = v2_1; + Lib_IntVector_Intrinsics_vec256 v3_10 = v3_1; + Lib_IntVector_Intrinsics_vec256 v4_10 = v4_1; + Lib_IntVector_Intrinsics_vec256 v5_10 = v5_1; + Lib_IntVector_Intrinsics_vec256 v6_10 = v6_1; + Lib_IntVector_Intrinsics_vec256 v7_10 = v7_1; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v4_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v5_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_10, 
v6_10); + Lib_IntVector_Intrinsics_vec256 + v6_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 + v7_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 v0_20 = v0_2; + Lib_IntVector_Intrinsics_vec256 v1_20 = v1_2; + Lib_IntVector_Intrinsics_vec256 v2_20 = v2_2; + Lib_IntVector_Intrinsics_vec256 v3_20 = v3_2; + Lib_IntVector_Intrinsics_vec256 v4_20 = v4_2; + Lib_IntVector_Intrinsics_vec256 v5_20 = v5_2; + Lib_IntVector_Intrinsics_vec256 v6_20 = v6_2; + Lib_IntVector_Intrinsics_vec256 v7_20 = v7_2; + Lib_IntVector_Intrinsics_vec256 v0_3 = v0_20; + Lib_IntVector_Intrinsics_vec256 v1_3 = v1_20; + Lib_IntVector_Intrinsics_vec256 v2_3 = v2_20; + Lib_IntVector_Intrinsics_vec256 v3_3 = v3_20; + Lib_IntVector_Intrinsics_vec256 v4_3 = v4_20; + Lib_IntVector_Intrinsics_vec256 v5_3 = v5_20; + Lib_IntVector_Intrinsics_vec256 v6_3 = v6_20; + Lib_IntVector_Intrinsics_vec256 v7_3 = v7_20; + Lib_IntVector_Intrinsics_vec256 v0 = v0_3; + Lib_IntVector_Intrinsics_vec256 v1 = v2_3; + Lib_IntVector_Intrinsics_vec256 v2 = v1_3; + Lib_IntVector_Intrinsics_vec256 v3 = v3_3; + Lib_IntVector_Intrinsics_vec256 v4 = v4_3; + Lib_IntVector_Intrinsics_vec256 v5 = v6_3; + Lib_IntVector_Intrinsics_vec256 v6 = v5_3; + Lib_IntVector_Intrinsics_vec256 v7 = v7_3; + Lib_IntVector_Intrinsics_vec256 v01 = st8; + Lib_IntVector_Intrinsics_vec256 v110 = st9; + Lib_IntVector_Intrinsics_vec256 v21 = st10; + Lib_IntVector_Intrinsics_vec256 v31 = st11; + Lib_IntVector_Intrinsics_vec256 v41 = st12; + Lib_IntVector_Intrinsics_vec256 v51 = st13; + Lib_IntVector_Intrinsics_vec256 v61 = st14; + Lib_IntVector_Intrinsics_vec256 v71 = st15; + Lib_IntVector_Intrinsics_vec256 + v0_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v01, v110); + Lib_IntVector_Intrinsics_vec256 + v1_4 = 
Lib_IntVector_Intrinsics_vec256_interleave_high32(v01, v110); + Lib_IntVector_Intrinsics_vec256 + v2_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v3_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v4_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v41, v51); + Lib_IntVector_Intrinsics_vec256 + v5_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v41, v51); + Lib_IntVector_Intrinsics_vec256 + v6_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v61, v71); + Lib_IntVector_Intrinsics_vec256 + v7_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v61, v71); + Lib_IntVector_Intrinsics_vec256 v0_5 = v0_4; + Lib_IntVector_Intrinsics_vec256 v1_5 = v1_4; + Lib_IntVector_Intrinsics_vec256 v2_5 = v2_4; + Lib_IntVector_Intrinsics_vec256 v3_5 = v3_4; + Lib_IntVector_Intrinsics_vec256 v4_5 = v4_4; + Lib_IntVector_Intrinsics_vec256 v5_5 = v5_4; + Lib_IntVector_Intrinsics_vec256 v6_5 = v6_4; + Lib_IntVector_Intrinsics_vec256 v7_5 = v7_4; + Lib_IntVector_Intrinsics_vec256 + v0_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v2_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v1_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v3_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v4_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v6_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v5_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 + v7_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 v0_12 = v0_11; + Lib_IntVector_Intrinsics_vec256 v1_12 
= v1_11; + Lib_IntVector_Intrinsics_vec256 v2_12 = v2_11; + Lib_IntVector_Intrinsics_vec256 v3_12 = v3_11; + Lib_IntVector_Intrinsics_vec256 v4_12 = v4_11; + Lib_IntVector_Intrinsics_vec256 v5_12 = v5_11; + Lib_IntVector_Intrinsics_vec256 v6_12 = v6_11; + Lib_IntVector_Intrinsics_vec256 v7_12 = v7_11; + Lib_IntVector_Intrinsics_vec256 + v0_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v4_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v1_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v5_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v2_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v6_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v3_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 + v7_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 v0_22 = v0_21; + Lib_IntVector_Intrinsics_vec256 v1_22 = v1_21; + Lib_IntVector_Intrinsics_vec256 v2_22 = v2_21; + Lib_IntVector_Intrinsics_vec256 v3_22 = v3_21; + Lib_IntVector_Intrinsics_vec256 v4_22 = v4_21; + Lib_IntVector_Intrinsics_vec256 v5_22 = v5_21; + Lib_IntVector_Intrinsics_vec256 v6_22 = v6_21; + Lib_IntVector_Intrinsics_vec256 v7_22 = v7_21; + Lib_IntVector_Intrinsics_vec256 v0_6 = v0_22; + Lib_IntVector_Intrinsics_vec256 v1_6 = v1_22; + Lib_IntVector_Intrinsics_vec256 v2_6 = v2_22; + Lib_IntVector_Intrinsics_vec256 v3_6 = v3_22; + Lib_IntVector_Intrinsics_vec256 v4_6 = v4_22; + Lib_IntVector_Intrinsics_vec256 v5_6 = v5_22; + Lib_IntVector_Intrinsics_vec256 v6_6 = v6_22; + Lib_IntVector_Intrinsics_vec256 v7_6 = v7_22; + Lib_IntVector_Intrinsics_vec256 v8 = v0_6; 
+ Lib_IntVector_Intrinsics_vec256 v9 = v2_6; + Lib_IntVector_Intrinsics_vec256 v10 = v1_6; + Lib_IntVector_Intrinsics_vec256 v11 = v3_6; + Lib_IntVector_Intrinsics_vec256 v12 = v4_6; + Lib_IntVector_Intrinsics_vec256 v13 = v6_6; + Lib_IntVector_Intrinsics_vec256 v14 = v5_6; + Lib_IntVector_Intrinsics_vec256 v15 = v7_6; + k[0U] = v0; + k[1U] = v8; + k[2U] = v1; + k[3U] = v9; + k[4U] = v2; + k[5U] = v10; + k[6U] = v3; + k[7U] = v11; + k[8U] = v4; + k[9U] = v12; + k[10U] = v5; + k[11U] = v13; + k[12U] = v6; + k[13U] = v14; + k[14U] = v7; + k[15U] = v15; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec256 + x = Lib_IntVector_Intrinsics_vec256_load32_le(plain + i * (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 y = Lib_IntVector_Intrinsics_vec256_xor(x, k[i]); + Lib_IntVector_Intrinsics_vec256_store32_le(plain + i * (uint32_t)32U, y); + } + memcpy(uu____2, plain, rem * sizeof (uint8_t)); + } +} + diff --git a/src/msvc/Hacl_Curve25519_51.c b/src/msvc/Hacl_Curve25519_51.c new file mode 100644 index 00000000..be50cf91 --- /dev/null +++ b/src/msvc/Hacl_Curve25519_51.c 
@@ -0,0 +1,296 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Curve25519_51.h" + +#include "internal/Hacl_Kremlib.h" + +static const uint8_t g25519[32U] = { (uint8_t)9U }; + +static void point_add_and_double(uint64_t *q, uint64_t *p01_tmp1, FStar_UInt128_uint128 *tmp2) +{ + uint64_t *nq = p01_tmp1; + uint64_t *nq_p1 = p01_tmp1 + (uint32_t)10U; + uint64_t *tmp1 = p01_tmp1 + (uint32_t)20U; + uint64_t *x1 = q; + uint64_t *x2 = nq; + uint64_t *z2 = nq + (uint32_t)5U; + uint64_t *z3 = nq_p1 + (uint32_t)5U; + uint64_t *a = tmp1; + uint64_t *b = tmp1 + (uint32_t)5U; + uint64_t *ab = tmp1; + uint64_t *dc = tmp1 + (uint32_t)10U; + Hacl_Impl_Curve25519_Field51_fadd(a, x2, z2); + Hacl_Impl_Curve25519_Field51_fsub(b, x2, z2); + uint64_t *x3 = nq_p1; + uint64_t *z31 = nq_p1 + (uint32_t)5U; + uint64_t *d0 = dc; + uint64_t *c0 = dc + (uint32_t)5U; + Hacl_Impl_Curve25519_Field51_fadd(c0, x3, z31); + Hacl_Impl_Curve25519_Field51_fsub(d0, x3, z31); + Hacl_Impl_Curve25519_Field51_fmul2(dc, dc, ab, tmp2); + Hacl_Impl_Curve25519_Field51_fadd(x3, d0, c0); + Hacl_Impl_Curve25519_Field51_fsub(z31, d0, c0); + uint64_t *a1 = tmp1; + uint64_t *b1 = tmp1 + (uint32_t)5U; + uint64_t *d = tmp1 + (uint32_t)10U; + uint64_t *c = tmp1 + (uint32_t)15U; + uint64_t *ab1 = tmp1; + uint64_t *dc1 = tmp1 + (uint32_t)10U; + Hacl_Impl_Curve25519_Field51_fsqr2(dc1, ab1, tmp2); + Hacl_Impl_Curve25519_Field51_fsqr2(nq_p1, nq_p1, tmp2); + a1[0U] = c[0U]; + a1[1U] = c[1U]; + a1[2U] = c[2U]; + a1[3U] = c[3U]; + a1[4U] = c[4U]; + Hacl_Impl_Curve25519_Field51_fsub(c, d, c); + Hacl_Impl_Curve25519_Field51_fmul1(b1, c, (uint64_t)121665U); + Hacl_Impl_Curve25519_Field51_fadd(b1, b1, d); + Hacl_Impl_Curve25519_Field51_fmul2(nq, dc1, ab1, tmp2); + Hacl_Impl_Curve25519_Field51_fmul(z3, z3, x1, tmp2); +} + +static void point_double(uint64_t *nq, uint64_t *tmp1, FStar_UInt128_uint128 *tmp2) +{ + uint64_t *x2 = nq; + uint64_t *z2 = nq + (uint32_t)5U; + uint64_t *a = tmp1; + uint64_t *b = tmp1 + (uint32_t)5U; + uint64_t *d = tmp1 + (uint32_t)10U; + 
uint64_t *c = tmp1 + (uint32_t)15U; + uint64_t *ab = tmp1; + uint64_t *dc = tmp1 + (uint32_t)10U; + Hacl_Impl_Curve25519_Field51_fadd(a, x2, z2); + Hacl_Impl_Curve25519_Field51_fsub(b, x2, z2); + Hacl_Impl_Curve25519_Field51_fsqr2(dc, ab, tmp2); + a[0U] = c[0U]; + a[1U] = c[1U]; + a[2U] = c[2U]; + a[3U] = c[3U]; + a[4U] = c[4U]; + Hacl_Impl_Curve25519_Field51_fsub(c, d, c); + Hacl_Impl_Curve25519_Field51_fmul1(b, c, (uint64_t)121665U); + Hacl_Impl_Curve25519_Field51_fadd(b, b, d); + Hacl_Impl_Curve25519_Field51_fmul2(nq, dc, ab, tmp2); +} + +static void montgomery_ladder(uint64_t *out, uint8_t *key, uint64_t *init) +{ + FStar_UInt128_uint128 tmp2[10U]; + for (uint32_t _i = 0U; _i < (uint32_t)10U; ++_i) + tmp2[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + uint64_t p01_tmp1_swap[41U] = { 0U }; + uint64_t *p0 = p01_tmp1_swap; + uint64_t *p01 = p01_tmp1_swap; + uint64_t *p03 = p01; + uint64_t *p11 = p01 + (uint32_t)10U; + memcpy(p11, init, (uint32_t)10U * sizeof (uint64_t)); + uint64_t *x0 = p03; + uint64_t *z0 = p03 + (uint32_t)5U; + x0[0U] = (uint64_t)1U; + x0[1U] = (uint64_t)0U; + x0[2U] = (uint64_t)0U; + x0[3U] = (uint64_t)0U; + x0[4U] = (uint64_t)0U; + z0[0U] = (uint64_t)0U; + z0[1U] = (uint64_t)0U; + z0[2U] = (uint64_t)0U; + z0[3U] = (uint64_t)0U; + z0[4U] = (uint64_t)0U; + uint64_t *p01_tmp1 = p01_tmp1_swap; + uint64_t *p01_tmp11 = p01_tmp1_swap; + uint64_t *nq1 = p01_tmp1_swap; + uint64_t *nq_p11 = p01_tmp1_swap + (uint32_t)10U; + uint64_t *swap = p01_tmp1_swap + (uint32_t)40U; + Hacl_Impl_Curve25519_Field51_cswap2((uint64_t)1U, nq1, nq_p11); + point_add_and_double(init, p01_tmp11, tmp2); + swap[0U] = (uint64_t)1U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)251U; i++) + { + uint64_t *p01_tmp12 = p01_tmp1_swap; + uint64_t *swap1 = p01_tmp1_swap + (uint32_t)40U; + uint64_t *nq2 = p01_tmp12; + uint64_t *nq_p12 = p01_tmp12 + (uint32_t)10U; + uint64_t + bit = + (uint64_t)(key[((uint32_t)253U - i) + / (uint32_t)8U] + >> ((uint32_t)253U - i) % 
(uint32_t)8U + & (uint8_t)1U); + uint64_t sw = swap1[0U] ^ bit; + Hacl_Impl_Curve25519_Field51_cswap2(sw, nq2, nq_p12); + point_add_and_double(init, p01_tmp12, tmp2); + swap1[0U] = bit; + } + uint64_t sw = swap[0U]; + Hacl_Impl_Curve25519_Field51_cswap2(sw, nq1, nq_p11); + uint64_t *nq10 = p01_tmp1; + uint64_t *tmp1 = p01_tmp1 + (uint32_t)20U; + point_double(nq10, tmp1, tmp2); + point_double(nq10, tmp1, tmp2); + point_double(nq10, tmp1, tmp2); + memcpy(out, p0, (uint32_t)10U * sizeof (uint64_t)); +} + +void +Hacl_Curve25519_51_fsquare_times( + uint64_t *o, + uint64_t *inp, + FStar_UInt128_uint128 *tmp, + uint32_t n +) +{ + Hacl_Impl_Curve25519_Field51_fsqr(o, inp, tmp); + for (uint32_t i = (uint32_t)0U; i < n - (uint32_t)1U; i++) + { + Hacl_Impl_Curve25519_Field51_fsqr(o, o, tmp); + } +} + +void Hacl_Curve25519_51_finv(uint64_t *o, uint64_t *i, FStar_UInt128_uint128 *tmp) +{ + uint64_t t1[20U] = { 0U }; + uint64_t *a1 = t1; + uint64_t *b1 = t1 + (uint32_t)5U; + uint64_t *t010 = t1 + (uint32_t)15U; + FStar_UInt128_uint128 *tmp10 = tmp; + Hacl_Curve25519_51_fsquare_times(a1, i, tmp10, (uint32_t)1U); + Hacl_Curve25519_51_fsquare_times(t010, a1, tmp10, (uint32_t)2U); + Hacl_Impl_Curve25519_Field51_fmul(b1, t010, i, tmp); + Hacl_Impl_Curve25519_Field51_fmul(a1, b1, a1, tmp); + Hacl_Curve25519_51_fsquare_times(t010, a1, tmp10, (uint32_t)1U); + Hacl_Impl_Curve25519_Field51_fmul(b1, t010, b1, tmp); + Hacl_Curve25519_51_fsquare_times(t010, b1, tmp10, (uint32_t)5U); + Hacl_Impl_Curve25519_Field51_fmul(b1, t010, b1, tmp); + uint64_t *b10 = t1 + (uint32_t)5U; + uint64_t *c10 = t1 + (uint32_t)10U; + uint64_t *t011 = t1 + (uint32_t)15U; + FStar_UInt128_uint128 *tmp11 = tmp; + Hacl_Curve25519_51_fsquare_times(t011, b10, tmp11, (uint32_t)10U); + Hacl_Impl_Curve25519_Field51_fmul(c10, t011, b10, tmp); + Hacl_Curve25519_51_fsquare_times(t011, c10, tmp11, (uint32_t)20U); + Hacl_Impl_Curve25519_Field51_fmul(t011, t011, c10, tmp); + Hacl_Curve25519_51_fsquare_times(t011, t011, tmp11, 
(uint32_t)10U); + Hacl_Impl_Curve25519_Field51_fmul(b10, t011, b10, tmp); + Hacl_Curve25519_51_fsquare_times(t011, b10, tmp11, (uint32_t)50U); + Hacl_Impl_Curve25519_Field51_fmul(c10, t011, b10, tmp); + uint64_t *b11 = t1 + (uint32_t)5U; + uint64_t *c1 = t1 + (uint32_t)10U; + uint64_t *t01 = t1 + (uint32_t)15U; + FStar_UInt128_uint128 *tmp1 = tmp; + Hacl_Curve25519_51_fsquare_times(t01, c1, tmp1, (uint32_t)100U); + Hacl_Impl_Curve25519_Field51_fmul(t01, t01, c1, tmp); + Hacl_Curve25519_51_fsquare_times(t01, t01, tmp1, (uint32_t)50U); + Hacl_Impl_Curve25519_Field51_fmul(t01, t01, b11, tmp); + Hacl_Curve25519_51_fsquare_times(t01, t01, tmp1, (uint32_t)5U); + uint64_t *a = t1; + uint64_t *t0 = t1 + (uint32_t)15U; + Hacl_Impl_Curve25519_Field51_fmul(o, t0, a, tmp); +} + +static void encode_point(uint8_t *o, uint64_t *i) +{ + uint64_t *x = i; + uint64_t *z = i + (uint32_t)5U; + uint64_t tmp[5U] = { 0U }; + uint64_t u64s[4U] = { 0U }; + FStar_UInt128_uint128 tmp_w[10U]; + for (uint32_t _i = 0U; _i < (uint32_t)10U; ++_i) + tmp_w[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + Hacl_Curve25519_51_finv(tmp, z, tmp_w); + Hacl_Impl_Curve25519_Field51_fmul(tmp, tmp, x, tmp_w); + Hacl_Impl_Curve25519_Field51_store_felem(u64s, tmp); + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + store64_le(o + i0 * (uint32_t)8U, u64s[i0]); + } +} + +void Hacl_Curve25519_51_scalarmult(uint8_t *out, uint8_t *priv, uint8_t *pub) +{ + uint64_t init[10U] = { 0U }; + uint64_t tmp[4U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = tmp; + uint8_t *bj = pub + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + uint64_t tmp3 = tmp[3U]; + tmp[3U] = tmp3 & (uint64_t)0x7fffffffffffffffU; + uint64_t *x = init; + uint64_t *z = init + (uint32_t)5U; + z[0U] = (uint64_t)1U; + z[1U] = (uint64_t)0U; + z[2U] = (uint64_t)0U; + z[3U] = (uint64_t)0U; + z[4U] = (uint64_t)0U; + uint64_t f0l = tmp[0U] & 
(uint64_t)0x7ffffffffffffU; + uint64_t f0h = tmp[0U] >> (uint32_t)51U; + uint64_t f1l = (tmp[1U] & (uint64_t)0x3fffffffffU) << (uint32_t)13U; + uint64_t f1h = tmp[1U] >> (uint32_t)38U; + uint64_t f2l = (tmp[2U] & (uint64_t)0x1ffffffU) << (uint32_t)26U; + uint64_t f2h = tmp[2U] >> (uint32_t)25U; + uint64_t f3l = (tmp[3U] & (uint64_t)0xfffU) << (uint32_t)39U; + uint64_t f3h = tmp[3U] >> (uint32_t)12U; + x[0U] = f0l; + x[1U] = f0h | f1l; + x[2U] = f1h | f2l; + x[3U] = f2h | f3l; + x[4U] = f3h; + montgomery_ladder(init, priv, init); + encode_point(out, init); +} + +void Hacl_Curve25519_51_secret_to_public(uint8_t *pub, uint8_t *priv) +{ + uint8_t basepoint[32U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint8_t *os = basepoint; + uint8_t x = g25519[i]; + os[i] = x; + } + Hacl_Curve25519_51_scalarmult(pub, priv, basepoint); +} + +bool Hacl_Curve25519_51_ecdh(uint8_t *out, uint8_t *priv, uint8_t *pub) +{ + uint8_t zeros[32U] = { 0U }; + Hacl_Curve25519_51_scalarmult(out, priv, pub); + uint8_t res = (uint8_t)255U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint8_t uu____0 = FStar_UInt8_eq_mask(out[i], zeros[i]); + res = uu____0 & res; + } + uint8_t z = res; + bool r = z == (uint8_t)255U; + return !r; +} + diff --git a/src/msvc/Hacl_Curve25519_64.c b/src/msvc/Hacl_Curve25519_64.c new file mode 100644 index 00000000..c2d09f93 --- /dev/null +++ b/src/msvc/Hacl_Curve25519_64.c 
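Review bot: `Hacl_Curve25519_51_fsquare_times` has an unstated precondition `n >= 1`: its loop bound `n - (uint32_t)1U` wraps to `UINT32_MAX` when `n == 0`, so a caller passing 0 gets about 2^32 squarings into `o` instead of an error or a no-op. Every call inside this hunk passes a literal of 1 or more, so the extracted code itself is not wrong, but the function is exported (non-`static`) and the header that declares it is outside this hunk. The C is presumably extracted from F*, where the bound is a proof precondition that does not survive into the C signature, so the fix belongs in documentation on the declaration rather than in this generated body: `/* Requires n >= 1: computes o = inp^(2^n). The loop bound n - 1 wraps for n == 0. */`.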
@@ -0,0 +1,388 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Curve25519_64.h" + +#include "internal/Vale.h" +#include "internal/Hacl_Kremlib.h" +#include "curve25519-inline.h" +static inline uint64_t add_scalar0(uint64_t *out, uint64_t *f1, uint64_t f2) +{ + #if HACL_CAN_COMPILE_INLINE_ASM + return add_scalar(out, f1, f2); + #else + uint64_t scrut = add_scalar_e(out, f1, f2); + return scrut; + #endif +} + +static inline void fadd0(uint64_t *out, uint64_t *f1, uint64_t *f2) +{ + #if HACL_CAN_COMPILE_INLINE_ASM + fadd(out, f1, f2); + #else + uint64_t uu____0 = fadd_e(out, f1, f2); + #endif +} + +static inline void fsub0(uint64_t *out, uint64_t *f1, uint64_t *f2) +{ + #if HACL_CAN_COMPILE_INLINE_ASM + fsub(out, f1, f2); + #else + uint64_t uu____0 = fsub_e(out, f1, f2); + #endif +} + +static inline void fmul0(uint64_t *out, uint64_t *f1, uint64_t *f2, uint64_t *tmp) +{ + #if HACL_CAN_COMPILE_INLINE_ASM + fmul(out, f1, f2, tmp); + #else + uint64_t uu____0 = fmul_e(tmp, f1, out, f2); + #endif +} + +static inline void fmul20(uint64_t *out, uint64_t *f1, uint64_t *f2, uint64_t *tmp) +{ + #if HACL_CAN_COMPILE_INLINE_ASM + fmul2(out, f1, f2, tmp); + #else + uint64_t uu____0 = fmul2_e(tmp, f1, out, f2); + #endif +} + +static inline void fmul_scalar0(uint64_t *out, uint64_t *f1, uint64_t f2) +{ + #if HACL_CAN_COMPILE_INLINE_ASM + fmul_scalar(out, f1, f2); + #else + uint64_t uu____0 = fmul_scalar_e(out, f1, f2); + #endif +} + +static inline void fsqr0(uint64_t *out, uint64_t *f1, uint64_t *tmp) +{ + #if HACL_CAN_COMPILE_INLINE_ASM + fsqr(out, f1, tmp); + #else + uint64_t uu____0 = fsqr_e(tmp, f1, out); + #endif +} + +static inline void fsqr20(uint64_t *out, uint64_t *f, uint64_t *tmp) +{ + #if HACL_CAN_COMPILE_INLINE_ASM + fsqr2(out, f, tmp); + #else + uint64_t uu____0 = fsqr2_e(tmp, f, out); + #endif +} + +static inline void cswap20(uint64_t bit, uint64_t *p1, uint64_t *p2) +{ + #if HACL_CAN_COMPILE_INLINE_ASM + cswap2(bit, p1, p2); + #else + uint64_t uu____0 = cswap2_e(bit, p1, p2); + #endif +} + +static const 
uint8_t g25519[32U] = { (uint8_t)9U }; + +static void point_add_and_double(uint64_t *q, uint64_t *p01_tmp1, uint64_t *tmp2) +{ + uint64_t *nq = p01_tmp1; + uint64_t *nq_p1 = p01_tmp1 + (uint32_t)8U; + uint64_t *tmp1 = p01_tmp1 + (uint32_t)16U; + uint64_t *x1 = q; + uint64_t *x2 = nq; + uint64_t *z2 = nq + (uint32_t)4U; + uint64_t *z3 = nq_p1 + (uint32_t)4U; + uint64_t *a = tmp1; + uint64_t *b = tmp1 + (uint32_t)4U; + uint64_t *ab = tmp1; + uint64_t *dc = tmp1 + (uint32_t)8U; + fadd0(a, x2, z2); + fsub0(b, x2, z2); + uint64_t *x3 = nq_p1; + uint64_t *z31 = nq_p1 + (uint32_t)4U; + uint64_t *d0 = dc; + uint64_t *c0 = dc + (uint32_t)4U; + fadd0(c0, x3, z31); + fsub0(d0, x3, z31); + fmul20(dc, dc, ab, tmp2); + fadd0(x3, d0, c0); + fsub0(z31, d0, c0); + uint64_t *a1 = tmp1; + uint64_t *b1 = tmp1 + (uint32_t)4U; + uint64_t *d = tmp1 + (uint32_t)8U; + uint64_t *c = tmp1 + (uint32_t)12U; + uint64_t *ab1 = tmp1; + uint64_t *dc1 = tmp1 + (uint32_t)8U; + fsqr20(dc1, ab1, tmp2); + fsqr20(nq_p1, nq_p1, tmp2); + a1[0U] = c[0U]; + a1[1U] = c[1U]; + a1[2U] = c[2U]; + a1[3U] = c[3U]; + fsub0(c, d, c); + fmul_scalar0(b1, c, (uint64_t)121665U); + fadd0(b1, b1, d); + fmul20(nq, dc1, ab1, tmp2); + fmul0(z3, z3, x1, tmp2); +} + +static void point_double(uint64_t *nq, uint64_t *tmp1, uint64_t *tmp2) +{ + uint64_t *x2 = nq; + uint64_t *z2 = nq + (uint32_t)4U; + uint64_t *a = tmp1; + uint64_t *b = tmp1 + (uint32_t)4U; + uint64_t *d = tmp1 + (uint32_t)8U; + uint64_t *c = tmp1 + (uint32_t)12U; + uint64_t *ab = tmp1; + uint64_t *dc = tmp1 + (uint32_t)8U; + fadd0(a, x2, z2); + fsub0(b, x2, z2); + fsqr20(dc, ab, tmp2); + a[0U] = c[0U]; + a[1U] = c[1U]; + a[2U] = c[2U]; + a[3U] = c[3U]; + fsub0(c, d, c); + fmul_scalar0(b, c, (uint64_t)121665U); + fadd0(b, b, d); + fmul20(nq, dc, ab, tmp2); +} + +static void montgomery_ladder(uint64_t *out, uint8_t *key, uint64_t *init) +{ + uint64_t tmp2[16U] = { 0U }; + uint64_t p01_tmp1_swap[33U] = { 0U }; + uint64_t *p0 = p01_tmp1_swap; + uint64_t *p01 = 
p01_tmp1_swap; + uint64_t *p03 = p01; + uint64_t *p11 = p01 + (uint32_t)8U; + memcpy(p11, init, (uint32_t)8U * sizeof (uint64_t)); + uint64_t *x0 = p03; + uint64_t *z0 = p03 + (uint32_t)4U; + x0[0U] = (uint64_t)1U; + x0[1U] = (uint64_t)0U; + x0[2U] = (uint64_t)0U; + x0[3U] = (uint64_t)0U; + z0[0U] = (uint64_t)0U; + z0[1U] = (uint64_t)0U; + z0[2U] = (uint64_t)0U; + z0[3U] = (uint64_t)0U; + uint64_t *p01_tmp1 = p01_tmp1_swap; + uint64_t *p01_tmp11 = p01_tmp1_swap; + uint64_t *nq1 = p01_tmp1_swap; + uint64_t *nq_p11 = p01_tmp1_swap + (uint32_t)8U; + uint64_t *swap = p01_tmp1_swap + (uint32_t)32U; + cswap20((uint64_t)1U, nq1, nq_p11); + point_add_and_double(init, p01_tmp11, tmp2); + swap[0U] = (uint64_t)1U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)251U; i++) + { + uint64_t *p01_tmp12 = p01_tmp1_swap; + uint64_t *swap1 = p01_tmp1_swap + (uint32_t)32U; + uint64_t *nq2 = p01_tmp12; + uint64_t *nq_p12 = p01_tmp12 + (uint32_t)8U; + uint64_t + bit = + (uint64_t)(key[((uint32_t)253U - i) + / (uint32_t)8U] + >> ((uint32_t)253U - i) % (uint32_t)8U + & (uint8_t)1U); + uint64_t sw = swap1[0U] ^ bit; + cswap20(sw, nq2, nq_p12); + point_add_and_double(init, p01_tmp12, tmp2); + swap1[0U] = bit; + } + uint64_t sw = swap[0U]; + cswap20(sw, nq1, nq_p11); + uint64_t *nq10 = p01_tmp1; + uint64_t *tmp1 = p01_tmp1 + (uint32_t)16U; + point_double(nq10, tmp1, tmp2); + point_double(nq10, tmp1, tmp2); + point_double(nq10, tmp1, tmp2); + memcpy(out, p0, (uint32_t)8U * sizeof (uint64_t)); +} + +static void fsquare_times(uint64_t *o, uint64_t *inp, uint64_t *tmp, uint32_t n) +{ + fsqr0(o, inp, tmp); + for (uint32_t i = (uint32_t)0U; i < n - (uint32_t)1U; i++) + { + fsqr0(o, o, tmp); + } +} + +static void finv(uint64_t *o, uint64_t *i, uint64_t *tmp) +{ + uint64_t t1[16U] = { 0U }; + uint64_t *a1 = t1; + uint64_t *b1 = t1 + (uint32_t)4U; + uint64_t *t010 = t1 + (uint32_t)12U; + uint64_t *tmp10 = tmp; + fsquare_times(a1, i, tmp10, (uint32_t)1U); + fsquare_times(t010, a1, tmp10, 
(uint32_t)2U); + fmul0(b1, t010, i, tmp); + fmul0(a1, b1, a1, tmp); + fsquare_times(t010, a1, tmp10, (uint32_t)1U); + fmul0(b1, t010, b1, tmp); + fsquare_times(t010, b1, tmp10, (uint32_t)5U); + fmul0(b1, t010, b1, tmp); + uint64_t *b10 = t1 + (uint32_t)4U; + uint64_t *c10 = t1 + (uint32_t)8U; + uint64_t *t011 = t1 + (uint32_t)12U; + uint64_t *tmp11 = tmp; + fsquare_times(t011, b10, tmp11, (uint32_t)10U); + fmul0(c10, t011, b10, tmp); + fsquare_times(t011, c10, tmp11, (uint32_t)20U); + fmul0(t011, t011, c10, tmp); + fsquare_times(t011, t011, tmp11, (uint32_t)10U); + fmul0(b10, t011, b10, tmp); + fsquare_times(t011, b10, tmp11, (uint32_t)50U); + fmul0(c10, t011, b10, tmp); + uint64_t *b11 = t1 + (uint32_t)4U; + uint64_t *c1 = t1 + (uint32_t)8U; + uint64_t *t01 = t1 + (uint32_t)12U; + uint64_t *tmp1 = tmp; + fsquare_times(t01, c1, tmp1, (uint32_t)100U); + fmul0(t01, t01, c1, tmp); + fsquare_times(t01, t01, tmp1, (uint32_t)50U); + fmul0(t01, t01, b11, tmp); + fsquare_times(t01, t01, tmp1, (uint32_t)5U); + uint64_t *a = t1; + uint64_t *t0 = t1 + (uint32_t)12U; + fmul0(o, t0, a, tmp); +} + +static void store_felem(uint64_t *b, uint64_t *f) +{ + uint64_t f30 = f[3U]; + uint64_t top_bit0 = f30 >> (uint32_t)63U; + f[3U] = f30 & (uint64_t)0x7fffffffffffffffU; + uint64_t carry = add_scalar0(f, f, (uint64_t)19U * top_bit0); + uint64_t f31 = f[3U]; + uint64_t top_bit = f31 >> (uint32_t)63U; + f[3U] = f31 & (uint64_t)0x7fffffffffffffffU; + uint64_t carry0 = add_scalar0(f, f, (uint64_t)19U * top_bit); + uint64_t f0 = f[0U]; + uint64_t f1 = f[1U]; + uint64_t f2 = f[2U]; + uint64_t f3 = f[3U]; + uint64_t m0 = FStar_UInt64_gte_mask(f0, (uint64_t)0xffffffffffffffedU); + uint64_t m1 = FStar_UInt64_eq_mask(f1, (uint64_t)0xffffffffffffffffU); + uint64_t m2 = FStar_UInt64_eq_mask(f2, (uint64_t)0xffffffffffffffffU); + uint64_t m3 = FStar_UInt64_eq_mask(f3, (uint64_t)0x7fffffffffffffffU); + uint64_t mask = ((m0 & m1) & m2) & m3; + uint64_t f0_ = f0 - (mask & (uint64_t)0xffffffffffffffedU); 
+ uint64_t f1_ = f1 - (mask & (uint64_t)0xffffffffffffffffU); + uint64_t f2_ = f2 - (mask & (uint64_t)0xffffffffffffffffU); + uint64_t f3_ = f3 - (mask & (uint64_t)0x7fffffffffffffffU); + uint64_t o0 = f0_; + uint64_t o1 = f1_; + uint64_t o2 = f2_; + uint64_t o3 = f3_; + b[0U] = o0; + b[1U] = o1; + b[2U] = o2; + b[3U] = o3; +} + +static void encode_point(uint8_t *o, uint64_t *i) +{ + uint64_t *x = i; + uint64_t *z = i + (uint32_t)4U; + uint64_t tmp[4U] = { 0U }; + uint64_t u64s[4U] = { 0U }; + uint64_t tmp_w[16U] = { 0U }; + finv(tmp, z, tmp_w); + fmul0(tmp, tmp, x, tmp_w); + store_felem(u64s, tmp); + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + store64_le(o + i0 * (uint32_t)8U, u64s[i0]); + } +} + +void Hacl_Curve25519_64_scalarmult(uint8_t *out, uint8_t *priv, uint8_t *pub) +{ + uint64_t init[8U] = { 0U }; + uint64_t tmp[4U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = tmp; + uint8_t *bj = pub + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + uint64_t tmp3 = tmp[3U]; + tmp[3U] = tmp3 & (uint64_t)0x7fffffffffffffffU; + uint64_t *x = init; + uint64_t *z = init + (uint32_t)4U; + z[0U] = (uint64_t)1U; + z[1U] = (uint64_t)0U; + z[2U] = (uint64_t)0U; + z[3U] = (uint64_t)0U; + x[0U] = tmp[0U]; + x[1U] = tmp[1U]; + x[2U] = tmp[2U]; + x[3U] = tmp[3U]; + montgomery_ladder(init, priv, init); + encode_point(out, init); +} + +void Hacl_Curve25519_64_secret_to_public(uint8_t *pub, uint8_t *priv) +{ + uint8_t basepoint[32U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint8_t *os = basepoint; + uint8_t x = g25519[i]; + os[i] = x; + } + Hacl_Curve25519_64_scalarmult(pub, priv, basepoint); +} + +bool Hacl_Curve25519_64_ecdh(uint8_t *out, uint8_t *priv, uint8_t *pub) +{ + uint8_t zeros[32U] = { 0U }; + Hacl_Curve25519_64_scalarmult(out, priv, pub); + uint8_t res = (uint8_t)255U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + 
{ + uint8_t uu____0 = FStar_UInt8_eq_mask(out[i], zeros[i]); + res = uu____0 & res; + } + uint8_t z = res; + bool r = z == (uint8_t)255U; + return !r; +} + diff --git a/src/msvc/Hacl_Ed25519.c b/src/msvc/Hacl_Ed25519.c new file mode 100644 index 00000000..62c2ecc0 --- /dev/null +++ b/src/msvc/Hacl_Ed25519.c 
@@ -0,0 +1,1857 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Ed25519.h" + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Hash_SHA2.h" +#include "internal/Hacl_Curve25519_51.h" + +static inline void fsum(uint64_t *a, uint64_t *b) +{ + Hacl_Impl_Curve25519_Field51_fadd(a, a, b); +} + +static inline void fdifference(uint64_t *a, uint64_t *b) +{ + Hacl_Impl_Curve25519_Field51_fsub(a, b, a); +} + +void Hacl_Bignum25519_reduce_513(uint64_t *a) +{ + uint64_t f0 = a[0U]; + uint64_t f1 = a[1U]; + uint64_t f2 = a[2U]; + uint64_t f3 = a[3U]; + uint64_t f4 = a[4U]; + uint64_t l_ = f0 + (uint64_t)0U; + uint64_t tmp0 = l_ & (uint64_t)0x7ffffffffffffU; + uint64_t c0 = l_ >> (uint32_t)51U; + uint64_t l_0 = f1 + c0; + uint64_t tmp1 = l_0 & (uint64_t)0x7ffffffffffffU; + uint64_t c1 = l_0 >> (uint32_t)51U; + uint64_t l_1 = f2 + c1; + uint64_t tmp2 = l_1 & (uint64_t)0x7ffffffffffffU; + uint64_t c2 = l_1 >> (uint32_t)51U; + uint64_t l_2 = f3 + c2; + uint64_t tmp3 = l_2 & (uint64_t)0x7ffffffffffffU; + uint64_t c3 = l_2 >> (uint32_t)51U; + uint64_t l_3 = f4 + c3; + uint64_t tmp4 = l_3 & (uint64_t)0x7ffffffffffffU; + uint64_t c4 = l_3 >> (uint32_t)51U; + uint64_t l_4 = tmp0 + c4 * (uint64_t)19U; + uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU; + uint64_t c5 = l_4 >> (uint32_t)51U; + a[0U] = tmp0_; + a[1U] = tmp1 + c5; + a[2U] = tmp2; + a[3U] = tmp3; + a[4U] = tmp4; +} + +static inline void fmul0(uint64_t *output, uint64_t *input, uint64_t *input2) +{ + FStar_UInt128_uint128 tmp[10U]; + for (uint32_t _i = 0U; _i < (uint32_t)10U; ++_i) + tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + Hacl_Impl_Curve25519_Field51_fmul(output, input, input2, tmp); +} + +static inline void times_2(uint64_t *out, uint64_t *a) +{ + uint64_t a0 = a[0U]; + uint64_t a1 = a[1U]; + uint64_t a2 = a[2U]; + uint64_t a3 = a[3U]; + uint64_t a4 = a[4U]; + uint64_t o0 = (uint64_t)2U * a0; + uint64_t o1 = (uint64_t)2U * a1; + uint64_t o2 = (uint64_t)2U * a2; + uint64_t o3 = (uint64_t)2U * a3; + uint64_t o4 = (uint64_t)2U 
* a4; + out[0U] = o0; + out[1U] = o1; + out[2U] = o2; + out[3U] = o3; + out[4U] = o4; +} + +static inline void times_d(uint64_t *out, uint64_t *a) +{ + uint64_t d[5U] = { 0U }; + d[0U] = (uint64_t)0x00034dca135978a3U; + d[1U] = (uint64_t)0x0001a8283b156ebdU; + d[2U] = (uint64_t)0x0005e7a26001c029U; + d[3U] = (uint64_t)0x000739c663a03cbbU; + d[4U] = (uint64_t)0x00052036cee2b6ffU; + fmul0(out, d, a); +} + +static inline void times_2d(uint64_t *out, uint64_t *a) +{ + uint64_t d2[5U] = { 0U }; + d2[0U] = (uint64_t)0x00069b9426b2f159U; + d2[1U] = (uint64_t)0x00035050762add7aU; + d2[2U] = (uint64_t)0x0003cf44c0038052U; + d2[3U] = (uint64_t)0x0006738cc7407977U; + d2[4U] = (uint64_t)0x0002406d9dc56dffU; + fmul0(out, d2, a); +} + +static inline void fsquare(uint64_t *out, uint64_t *a) +{ + FStar_UInt128_uint128 tmp[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + Hacl_Impl_Curve25519_Field51_fsqr(out, a, tmp); +} + +static inline void fsquare_times(uint64_t *output, uint64_t *input, uint32_t count) +{ + FStar_UInt128_uint128 tmp[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + Hacl_Curve25519_51_fsquare_times(output, input, tmp, count); +} + +static inline void fsquare_times_inplace(uint64_t *output, uint32_t count) +{ + FStar_UInt128_uint128 tmp[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + Hacl_Curve25519_51_fsquare_times(output, output, tmp, count); +} + +void Hacl_Bignum25519_inverse(uint64_t *out, uint64_t *a) +{ + FStar_UInt128_uint128 tmp[10U]; + for (uint32_t _i = 0U; _i < (uint32_t)10U; ++_i) + tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + Hacl_Curve25519_51_finv(out, a, tmp); +} + +static inline void reduce(uint64_t *out) +{ + uint64_t o0 = out[0U]; + uint64_t o1 = out[1U]; + uint64_t o2 = out[2U]; + uint64_t o3 = out[3U]; + uint64_t o4 = out[4U]; + 
uint64_t l_ = o0 + (uint64_t)0U; + uint64_t tmp0 = l_ & (uint64_t)0x7ffffffffffffU; + uint64_t c0 = l_ >> (uint32_t)51U; + uint64_t l_0 = o1 + c0; + uint64_t tmp1 = l_0 & (uint64_t)0x7ffffffffffffU; + uint64_t c1 = l_0 >> (uint32_t)51U; + uint64_t l_1 = o2 + c1; + uint64_t tmp2 = l_1 & (uint64_t)0x7ffffffffffffU; + uint64_t c2 = l_1 >> (uint32_t)51U; + uint64_t l_2 = o3 + c2; + uint64_t tmp3 = l_2 & (uint64_t)0x7ffffffffffffU; + uint64_t c3 = l_2 >> (uint32_t)51U; + uint64_t l_3 = o4 + c3; + uint64_t tmp4 = l_3 & (uint64_t)0x7ffffffffffffU; + uint64_t c4 = l_3 >> (uint32_t)51U; + uint64_t l_4 = tmp0 + c4 * (uint64_t)19U; + uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU; + uint64_t c5 = l_4 >> (uint32_t)51U; + uint64_t f0 = tmp0_; + uint64_t f1 = tmp1 + c5; + uint64_t f2 = tmp2; + uint64_t f3 = tmp3; + uint64_t f4 = tmp4; + uint64_t m0 = FStar_UInt64_gte_mask(f0, (uint64_t)0x7ffffffffffedU); + uint64_t m1 = FStar_UInt64_eq_mask(f1, (uint64_t)0x7ffffffffffffU); + uint64_t m2 = FStar_UInt64_eq_mask(f2, (uint64_t)0x7ffffffffffffU); + uint64_t m3 = FStar_UInt64_eq_mask(f3, (uint64_t)0x7ffffffffffffU); + uint64_t m4 = FStar_UInt64_eq_mask(f4, (uint64_t)0x7ffffffffffffU); + uint64_t mask = (((m0 & m1) & m2) & m3) & m4; + uint64_t f0_ = f0 - (mask & (uint64_t)0x7ffffffffffedU); + uint64_t f1_ = f1 - (mask & (uint64_t)0x7ffffffffffffU); + uint64_t f2_ = f2 - (mask & (uint64_t)0x7ffffffffffffU); + uint64_t f3_ = f3 - (mask & (uint64_t)0x7ffffffffffffU); + uint64_t f4_ = f4 - (mask & (uint64_t)0x7ffffffffffffU); + uint64_t f01 = f0_; + uint64_t f11 = f1_; + uint64_t f21 = f2_; + uint64_t f31 = f3_; + uint64_t f41 = f4_; + out[0U] = f01; + out[1U] = f11; + out[2U] = f21; + out[3U] = f31; + out[4U] = f41; +} + +void Hacl_Bignum25519_load_51(uint64_t *output, uint8_t *input) +{ + uint64_t u64s[4U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = u64s; + uint8_t *bj = input + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = 
u; + uint64_t x = r; + os[i] = x; + } + uint64_t u64s3 = u64s[3U]; + u64s[3U] = u64s3 & (uint64_t)0x7fffffffffffffffU; + output[0U] = u64s[0U] & (uint64_t)0x7ffffffffffffU; + output[1U] = u64s[0U] >> (uint32_t)51U | (u64s[1U] & (uint64_t)0x3fffffffffU) << (uint32_t)13U; + output[2U] = u64s[1U] >> (uint32_t)38U | (u64s[2U] & (uint64_t)0x1ffffffU) << (uint32_t)26U; + output[3U] = u64s[2U] >> (uint32_t)25U | (u64s[3U] & (uint64_t)0xfffU) << (uint32_t)39U; + output[4U] = u64s[3U] >> (uint32_t)12U; +} + +void Hacl_Bignum25519_store_51(uint8_t *output, uint64_t *input) +{ + uint64_t u64s[4U] = { 0U }; + Hacl_Impl_Curve25519_Field51_store_felem(u64s, input); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store64_le(output + i * (uint32_t)8U, u64s[i]); + } +} + +static inline void point_double(uint64_t *out, uint64_t *p) +{ + uint64_t tmp[30U] = { 0U }; + uint64_t *tmp2 = tmp + (uint32_t)5U; + uint64_t *tmp3 = tmp + (uint32_t)10U; + uint64_t *tmp4 = tmp + (uint32_t)15U; + uint64_t *tmp6 = tmp + (uint32_t)25U; + uint64_t *x3 = out; + uint64_t *y3 = out + (uint32_t)5U; + uint64_t *z3 = out + (uint32_t)10U; + uint64_t *t3 = out + (uint32_t)15U; + uint64_t *tmp11 = tmp; + uint64_t *tmp210 = tmp + (uint32_t)5U; + uint64_t *tmp310 = tmp + (uint32_t)10U; + uint64_t *tmp410 = tmp + (uint32_t)15U; + uint64_t *x10 = p; + uint64_t *y10 = p + (uint32_t)5U; + uint64_t *z1 = p + (uint32_t)10U; + fsquare(tmp11, x10); + fsquare(tmp210, y10); + fsquare(tmp310, z1); + times_2(tmp410, tmp310); + memcpy(tmp310, tmp11, (uint32_t)5U * sizeof (uint64_t)); + fsum(tmp310, tmp210); + uint64_t *tmp110 = tmp; + uint64_t *tmp21 = tmp + (uint32_t)5U; + uint64_t *tmp31 = tmp + (uint32_t)10U; + uint64_t *tmp41 = tmp + (uint32_t)15U; + uint64_t *tmp51 = tmp + (uint32_t)20U; + uint64_t *tmp61 = tmp + (uint32_t)25U; + uint64_t *x1 = p; + uint64_t *y1 = p + (uint32_t)5U; + memcpy(tmp51, x1, (uint32_t)5U * sizeof (uint64_t)); + fsum(tmp51, y1); + fsquare(tmp61, tmp51); + memcpy(tmp51, tmp31, 
(uint32_t)5U * sizeof (uint64_t)); + Hacl_Bignum25519_reduce_513(tmp51); + fdifference(tmp61, tmp51); + fdifference(tmp21, tmp110); + Hacl_Bignum25519_reduce_513(tmp21); + Hacl_Bignum25519_reduce_513(tmp41); + fsum(tmp41, tmp21); + fmul0(x3, tmp4, tmp6); + fmul0(y3, tmp2, tmp3); + fmul0(t3, tmp6, tmp3); + fmul0(z3, tmp4, tmp2); +} + +void Hacl_Impl_Ed25519_PointAdd_point_add(uint64_t *out, uint64_t *p, uint64_t *q) +{ + uint64_t tmp[30U] = { 0U }; + uint64_t *tmp1 = tmp; + uint64_t *tmp20 = tmp + (uint32_t)5U; + uint64_t *tmp30 = tmp + (uint32_t)10U; + uint64_t *tmp40 = tmp + (uint32_t)15U; + uint64_t *x1 = p; + uint64_t *y1 = p + (uint32_t)5U; + uint64_t *x2 = q; + uint64_t *y2 = q + (uint32_t)5U; + memcpy(tmp1, x1, (uint32_t)5U * sizeof (uint64_t)); + memcpy(tmp20, x2, (uint32_t)5U * sizeof (uint64_t)); + fdifference(tmp1, y1); + fdifference(tmp20, y2); + fmul0(tmp30, tmp1, tmp20); + memcpy(tmp1, y1, (uint32_t)5U * sizeof (uint64_t)); + memcpy(tmp20, y2, (uint32_t)5U * sizeof (uint64_t)); + fsum(tmp1, x1); + fsum(tmp20, x2); + fmul0(tmp40, tmp1, tmp20); + uint64_t *tmp10 = tmp; + uint64_t *tmp2 = tmp + (uint32_t)5U; + uint64_t *tmp3 = tmp + (uint32_t)10U; + uint64_t *tmp41 = tmp + (uint32_t)15U; + uint64_t *tmp50 = tmp + (uint32_t)20U; + uint64_t *tmp60 = tmp + (uint32_t)25U; + uint64_t *z1 = p + (uint32_t)10U; + uint64_t *t1 = p + (uint32_t)15U; + uint64_t *z2 = q + (uint32_t)10U; + uint64_t *t2 = q + (uint32_t)15U; + times_2d(tmp10, t1); + fmul0(tmp2, tmp10, t2); + times_2(tmp10, z1); + fmul0(tmp50, tmp10, z2); + memcpy(tmp10, tmp3, (uint32_t)5U * sizeof (uint64_t)); + memcpy(tmp60, tmp2, (uint32_t)5U * sizeof (uint64_t)); + fdifference(tmp10, tmp41); + fdifference(tmp60, tmp50); + fsum(tmp50, tmp2); + fsum(tmp41, tmp3); + uint64_t *tmp11 = tmp; + uint64_t *tmp4 = tmp + (uint32_t)15U; + uint64_t *tmp5 = tmp + (uint32_t)20U; + uint64_t *tmp6 = tmp + (uint32_t)25U; + uint64_t *x3 = out; + uint64_t *y3 = out + (uint32_t)5U; + uint64_t *z3 = out + (uint32_t)10U; + 
uint64_t *t3 = out + (uint32_t)15U; + fmul0(x3, tmp11, tmp6); + fmul0(y3, tmp5, tmp4); + fmul0(t3, tmp11, tmp4); + fmul0(z3, tmp6, tmp5); +} + +void Hacl_Impl_Ed25519_Ladder_point_mul(uint64_t *result, uint8_t *scalar, uint64_t *q) +{ + uint64_t bscalar[4U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = bscalar; + uint8_t *bj = scalar + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + uint64_t *x0 = result; + uint64_t *y = result + (uint32_t)5U; + uint64_t *z = result + (uint32_t)10U; + uint64_t *t = result + (uint32_t)15U; + x0[0U] = (uint64_t)0U; + x0[1U] = (uint64_t)0U; + x0[2U] = (uint64_t)0U; + x0[3U] = (uint64_t)0U; + x0[4U] = (uint64_t)0U; + y[0U] = (uint64_t)1U; + y[1U] = (uint64_t)0U; + y[2U] = (uint64_t)0U; + y[3U] = (uint64_t)0U; + y[4U] = (uint64_t)0U; + z[0U] = (uint64_t)1U; + z[1U] = (uint64_t)0U; + z[2U] = (uint64_t)0U; + z[3U] = (uint64_t)0U; + z[4U] = (uint64_t)0U; + t[0U] = (uint64_t)0U; + t[1U] = (uint64_t)0U; + t[2U] = (uint64_t)0U; + t[3U] = (uint64_t)0U; + t[4U] = (uint64_t)0U; + uint64_t table[320U] = { 0U }; + memcpy(table, result, (uint32_t)20U * sizeof (uint64_t)); + uint64_t *t1 = table + (uint32_t)20U; + memcpy(t1, q, (uint32_t)20U * sizeof (uint64_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)20U; + uint64_t *t2 = table + (i + (uint32_t)2U) * (uint32_t)20U; + Hacl_Impl_Ed25519_PointAdd_point_add(t2, t11, q); + } + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)64U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + point_double(result, result); + } + uint32_t bk = (uint32_t)256U; + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i0 - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk - (uint32_t)4U * i0 - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = bscalar[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U 
< (uint32_t)4U && (uint32_t)0U < j) + { + ite = p1 | bscalar[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_l = ite & mask_l; + uint64_t a_bits_l[20U] = { 0U }; + memcpy(a_bits_l, table, (uint32_t)20U * sizeof (uint64_t)); + for (uint32_t i2 = (uint32_t)0U; i2 < (uint32_t)15U; i2++) + { + uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i2 + (uint32_t)1U)); + uint64_t *res_j = table + (i2 + (uint32_t)1U) * (uint32_t)20U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)20U; i++) + { + uint64_t *os = a_bits_l; + uint64_t x = (c & res_j[i]) | (~c & a_bits_l[i]); + os[i] = x; + } + } + Hacl_Impl_Ed25519_PointAdd_point_add(result, result, a_bits_l); + } +} + +static inline void point_mul_g(uint64_t *result, uint8_t *scalar) +{ + uint64_t g[20U] = { 0U }; + uint64_t *gx = g; + uint64_t *gy = g + (uint32_t)5U; + uint64_t *gz = g + (uint32_t)10U; + uint64_t *gt = g + (uint32_t)15U; + gx[0U] = (uint64_t)0x00062d608f25d51aU; + gx[1U] = (uint64_t)0x000412a4b4f6592aU; + gx[2U] = (uint64_t)0x00075b7171a4b31dU; + gx[3U] = (uint64_t)0x0001ff60527118feU; + gx[4U] = (uint64_t)0x000216936d3cd6e5U; + gy[0U] = (uint64_t)0x0006666666666658U; + gy[1U] = (uint64_t)0x0004ccccccccccccU; + gy[2U] = (uint64_t)0x0001999999999999U; + gy[3U] = (uint64_t)0x0003333333333333U; + gy[4U] = (uint64_t)0x0006666666666666U; + gz[0U] = (uint64_t)1U; + gz[1U] = (uint64_t)0U; + gz[2U] = (uint64_t)0U; + gz[3U] = (uint64_t)0U; + gz[4U] = (uint64_t)0U; + gt[0U] = (uint64_t)0x00068ab3a5b7dda3U; + gt[1U] = (uint64_t)0x00000eea2a5eadbbU; + gt[2U] = (uint64_t)0x0002af8df483c27eU; + gt[3U] = (uint64_t)0x000332b375274732U; + gt[4U] = (uint64_t)0x00067875f0fd78b7U; + Hacl_Impl_Ed25519_Ladder_point_mul(result, scalar, g); +} + +static inline void +point_mul_double_vartime( + uint64_t *result, + uint8_t *scalar1, + uint64_t *q1, + uint8_t *scalar2, + uint64_t *q2 +) +{ + uint64_t bscalar1[4U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + 
uint64_t *os = bscalar1; + uint8_t *bj = scalar1 + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + uint64_t bscalar2[4U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = bscalar2; + uint8_t *bj = scalar2 + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + uint64_t *x = result; + uint64_t *y = result + (uint32_t)5U; + uint64_t *z = result + (uint32_t)10U; + uint64_t *t = result + (uint32_t)15U; + x[0U] = (uint64_t)0U; + x[1U] = (uint64_t)0U; + x[2U] = (uint64_t)0U; + x[3U] = (uint64_t)0U; + x[4U] = (uint64_t)0U; + y[0U] = (uint64_t)1U; + y[1U] = (uint64_t)0U; + y[2U] = (uint64_t)0U; + y[3U] = (uint64_t)0U; + y[4U] = (uint64_t)0U; + z[0U] = (uint64_t)1U; + z[1U] = (uint64_t)0U; + z[2U] = (uint64_t)0U; + z[3U] = (uint64_t)0U; + z[4U] = (uint64_t)0U; + t[0U] = (uint64_t)0U; + t[1U] = (uint64_t)0U; + t[2U] = (uint64_t)0U; + t[3U] = (uint64_t)0U; + t[4U] = (uint64_t)0U; + uint64_t table1[320U] = { 0U }; + memcpy(table1, result, (uint32_t)20U * sizeof (uint64_t)); + uint64_t *t10 = table1 + (uint32_t)20U; + memcpy(t10, q1, (uint32_t)20U * sizeof (uint64_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table1 + (i + (uint32_t)1U) * (uint32_t)20U; + uint64_t *t2 = table1 + (i + (uint32_t)2U) * (uint32_t)20U; + Hacl_Impl_Ed25519_PointAdd_point_add(t2, t11, q1); + } + uint64_t table2[320U] = { 0U }; + memcpy(table2, result, (uint32_t)20U * sizeof (uint64_t)); + uint64_t *t1 = table2 + (uint32_t)20U; + memcpy(t1, q2, (uint32_t)20U * sizeof (uint64_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table2 + (i + (uint32_t)1U) * (uint32_t)20U; + uint64_t *t2 = table2 + (i + (uint32_t)2U) * (uint32_t)20U; + Hacl_Impl_Ed25519_PointAdd_point_add(t2, t11, q2); + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + for (uint32_t i0 = (uint32_t)0U; i0 < 
(uint32_t)4U; i0++) + { + point_double(result, result); + } + uint32_t bk = (uint32_t)256U; + uint64_t mask_l0 = (uint64_t)16U - (uint64_t)1U; + uint32_t i10 = (bk - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)64U; + uint32_t j0 = (bk - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)64U; + uint64_t p10 = bscalar1[i10] >> j0; + uint64_t ite0; + if (i10 + (uint32_t)1U < (uint32_t)4U && (uint32_t)0U < j0) + { + ite0 = p10 | bscalar1[i10 + (uint32_t)1U] << ((uint32_t)64U - j0); + } + else + { + ite0 = p10; + } + uint64_t bits_l = ite0 & mask_l0; + uint64_t a_bits_l0[20U] = { 0U }; + uint32_t bits_l320 = (uint32_t)bits_l; + uint64_t *a_bits_l1 = table1 + bits_l320 * (uint32_t)20U; + memcpy(a_bits_l0, a_bits_l1, (uint32_t)20U * sizeof (uint64_t)); + Hacl_Impl_Ed25519_PointAdd_point_add(result, result, a_bits_l0); + uint32_t bk0 = (uint32_t)256U; + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i1 = (bk0 - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk0 - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = bscalar2[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < (uint32_t)4U && (uint32_t)0U < j) + { + ite = p1 | bscalar2[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_l0 = ite & mask_l; + uint64_t a_bits_l[20U] = { 0U }; + uint32_t bits_l32 = (uint32_t)bits_l0; + uint64_t *a_bits_l10 = table2 + bits_l32 * (uint32_t)20U; + memcpy(a_bits_l, a_bits_l10, (uint32_t)20U * sizeof (uint64_t)); + Hacl_Impl_Ed25519_PointAdd_point_add(result, result, a_bits_l); + } +} + +static inline void +point_mul_g_double_vartime(uint64_t *result, uint8_t *scalar1, uint8_t *scalar2, uint64_t *q2) +{ + uint64_t g[20U] = { 0U }; + uint64_t *gx = g; + uint64_t *gy = g + (uint32_t)5U; + uint64_t *gz = g + (uint32_t)10U; + uint64_t *gt = g + (uint32_t)15U; + gx[0U] = (uint64_t)0x00062d608f25d51aU; + gx[1U] = (uint64_t)0x000412a4b4f6592aU; + gx[2U] = (uint64_t)0x00075b7171a4b31dU; + gx[3U] = 
(uint64_t)0x0001ff60527118feU; + gx[4U] = (uint64_t)0x000216936d3cd6e5U; + gy[0U] = (uint64_t)0x0006666666666658U; + gy[1U] = (uint64_t)0x0004ccccccccccccU; + gy[2U] = (uint64_t)0x0001999999999999U; + gy[3U] = (uint64_t)0x0003333333333333U; + gy[4U] = (uint64_t)0x0006666666666666U; + gz[0U] = (uint64_t)1U; + gz[1U] = (uint64_t)0U; + gz[2U] = (uint64_t)0U; + gz[3U] = (uint64_t)0U; + gz[4U] = (uint64_t)0U; + gt[0U] = (uint64_t)0x00068ab3a5b7dda3U; + gt[1U] = (uint64_t)0x00000eea2a5eadbbU; + gt[2U] = (uint64_t)0x0002af8df483c27eU; + gt[3U] = (uint64_t)0x000332b375274732U; + gt[4U] = (uint64_t)0x00067875f0fd78b7U; + point_mul_double_vartime(result, scalar1, g, scalar2, q2); +} + +void Hacl_Impl_Ed25519_PointCompress_point_compress(uint8_t *z, uint64_t *p) +{ + uint64_t tmp[15U] = { 0U }; + uint64_t *x = tmp + (uint32_t)5U; + uint64_t *out = tmp + (uint32_t)10U; + uint64_t *zinv1 = tmp; + uint64_t *x1 = tmp + (uint32_t)5U; + uint64_t *out1 = tmp + (uint32_t)10U; + uint64_t *px = p; + uint64_t *py = p + (uint32_t)5U; + uint64_t *pz = p + (uint32_t)10U; + Hacl_Bignum25519_inverse(zinv1, pz); + fmul0(x1, px, zinv1); + reduce(x1); + fmul0(out1, py, zinv1); + Hacl_Bignum25519_reduce_513(out1); + uint64_t x0 = x[0U]; + uint64_t b = x0 & (uint64_t)1U; + Hacl_Bignum25519_store_51(z, out); + uint8_t xbyte = (uint8_t)b; + uint8_t o31 = z[31U]; + z[31U] = o31 + (xbyte << (uint32_t)7U); +} + +static inline void secret_expand(uint8_t *expanded, uint8_t *secret) +{ + Hacl_Hash_SHA2_hash_512(secret, (uint32_t)32U, expanded); + uint8_t *h_low = expanded; + uint8_t h_low0 = h_low[0U]; + uint8_t h_low31 = h_low[31U]; + h_low[0U] = h_low0 & (uint8_t)0xf8U; + h_low[31U] = (h_low31 & (uint8_t)127U) | (uint8_t)64U; +} + +static inline void secret_to_public(uint8_t *out, uint8_t *secret) +{ + uint8_t expanded_secret[64U] = { 0U }; + uint64_t res[20U] = { 0U }; + secret_expand(expanded_secret, secret); + uint8_t *a = expanded_secret; + point_mul_g(res, a); + 
Hacl_Impl_Ed25519_PointCompress_point_compress(out, res); +} + +static inline void barrett_reduction(uint64_t *z, uint64_t *t) +{ + uint64_t t0 = t[0U]; + uint64_t t1 = t[1U]; + uint64_t t2 = t[2U]; + uint64_t t3 = t[3U]; + uint64_t t4 = t[4U]; + uint64_t t5 = t[5U]; + uint64_t t6 = t[6U]; + uint64_t t7 = t[7U]; + uint64_t t8 = t[8U]; + uint64_t t9 = t[9U]; + uint64_t m00 = (uint64_t)0x12631a5cf5d3edU; + uint64_t m10 = (uint64_t)0xf9dea2f79cd658U; + uint64_t m20 = (uint64_t)0x000000000014deU; + uint64_t m30 = (uint64_t)0x00000000000000U; + uint64_t m40 = (uint64_t)0x00000010000000U; + uint64_t m0 = m00; + uint64_t m1 = m10; + uint64_t m2 = m20; + uint64_t m3 = m30; + uint64_t m4 = m40; + uint64_t m010 = (uint64_t)0x9ce5a30a2c131bU; + uint64_t m110 = (uint64_t)0x215d086329a7edU; + uint64_t m210 = (uint64_t)0xffffffffeb2106U; + uint64_t m310 = (uint64_t)0xffffffffffffffU; + uint64_t m410 = (uint64_t)0x00000fffffffffU; + uint64_t mu0 = m010; + uint64_t mu1 = m110; + uint64_t mu2 = m210; + uint64_t mu3 = m310; + uint64_t mu4 = m410; + uint64_t y_ = (t5 & (uint64_t)0xffffffU) << (uint32_t)32U; + uint64_t x_ = t4 >> (uint32_t)24U; + uint64_t z00 = x_ | y_; + uint64_t y_0 = (t6 & (uint64_t)0xffffffU) << (uint32_t)32U; + uint64_t x_0 = t5 >> (uint32_t)24U; + uint64_t z10 = x_0 | y_0; + uint64_t y_1 = (t7 & (uint64_t)0xffffffU) << (uint32_t)32U; + uint64_t x_1 = t6 >> (uint32_t)24U; + uint64_t z20 = x_1 | y_1; + uint64_t y_2 = (t8 & (uint64_t)0xffffffU) << (uint32_t)32U; + uint64_t x_2 = t7 >> (uint32_t)24U; + uint64_t z30 = x_2 | y_2; + uint64_t y_3 = (t9 & (uint64_t)0xffffffU) << (uint32_t)32U; + uint64_t x_3 = t8 >> (uint32_t)24U; + uint64_t z40 = x_3 | y_3; + uint64_t q0 = z00; + uint64_t q1 = z10; + uint64_t q2 = z20; + uint64_t q3 = z30; + uint64_t q4 = z40; + FStar_UInt128_uint128 xy000 = FStar_UInt128_mul_wide(q0, mu0); + FStar_UInt128_uint128 xy010 = FStar_UInt128_mul_wide(q0, mu1); + FStar_UInt128_uint128 xy020 = FStar_UInt128_mul_wide(q0, mu2); + 
FStar_UInt128_uint128 xy030 = FStar_UInt128_mul_wide(q0, mu3); + FStar_UInt128_uint128 xy040 = FStar_UInt128_mul_wide(q0, mu4); + FStar_UInt128_uint128 xy100 = FStar_UInt128_mul_wide(q1, mu0); + FStar_UInt128_uint128 xy110 = FStar_UInt128_mul_wide(q1, mu1); + FStar_UInt128_uint128 xy120 = FStar_UInt128_mul_wide(q1, mu2); + FStar_UInt128_uint128 xy130 = FStar_UInt128_mul_wide(q1, mu3); + FStar_UInt128_uint128 xy14 = FStar_UInt128_mul_wide(q1, mu4); + FStar_UInt128_uint128 xy200 = FStar_UInt128_mul_wide(q2, mu0); + FStar_UInt128_uint128 xy210 = FStar_UInt128_mul_wide(q2, mu1); + FStar_UInt128_uint128 xy220 = FStar_UInt128_mul_wide(q2, mu2); + FStar_UInt128_uint128 xy23 = FStar_UInt128_mul_wide(q2, mu3); + FStar_UInt128_uint128 xy24 = FStar_UInt128_mul_wide(q2, mu4); + FStar_UInt128_uint128 xy300 = FStar_UInt128_mul_wide(q3, mu0); + FStar_UInt128_uint128 xy310 = FStar_UInt128_mul_wide(q3, mu1); + FStar_UInt128_uint128 xy32 = FStar_UInt128_mul_wide(q3, mu2); + FStar_UInt128_uint128 xy33 = FStar_UInt128_mul_wide(q3, mu3); + FStar_UInt128_uint128 xy34 = FStar_UInt128_mul_wide(q3, mu4); + FStar_UInt128_uint128 xy400 = FStar_UInt128_mul_wide(q4, mu0); + FStar_UInt128_uint128 xy41 = FStar_UInt128_mul_wide(q4, mu1); + FStar_UInt128_uint128 xy42 = FStar_UInt128_mul_wide(q4, mu2); + FStar_UInt128_uint128 xy43 = FStar_UInt128_mul_wide(q4, mu3); + FStar_UInt128_uint128 xy44 = FStar_UInt128_mul_wide(q4, mu4); + FStar_UInt128_uint128 z01 = xy000; + FStar_UInt128_uint128 z11 = FStar_UInt128_add_mod(xy010, xy100); + FStar_UInt128_uint128 z21 = FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy020, xy110), xy200); + FStar_UInt128_uint128 + z31 = + FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy030, xy120), xy210), + xy300); + FStar_UInt128_uint128 + z41 = + FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy040, + xy130), + xy220), + xy310), + xy400); + FStar_UInt128_uint128 + z5 = + 
FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy14, xy23), xy32), + xy41); + FStar_UInt128_uint128 z6 = FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy24, xy33), xy42); + FStar_UInt128_uint128 z7 = FStar_UInt128_add_mod(xy34, xy43); + FStar_UInt128_uint128 z8 = xy44; + FStar_UInt128_uint128 carry0 = FStar_UInt128_shift_right(z01, (uint32_t)56U); + FStar_UInt128_uint128 c00 = carry0; + FStar_UInt128_uint128 + carry1 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z11, c00), (uint32_t)56U); + uint64_t + t100 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z11, c00)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c10 = carry1; + FStar_UInt128_uint128 + carry2 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z21, c10), (uint32_t)56U); + uint64_t + t101 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z21, c10)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c20 = carry2; + FStar_UInt128_uint128 + carry3 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z31, c20), (uint32_t)56U); + uint64_t + t102 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z31, c20)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c30 = carry3; + FStar_UInt128_uint128 + carry4 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z41, c30), (uint32_t)56U); + uint64_t + t103 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z41, c30)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c40 = carry4; + uint64_t t410 = t103; + FStar_UInt128_uint128 + carry5 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z5, c40), (uint32_t)56U); + uint64_t + t104 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z5, c40)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c5 = carry5; + uint64_t t51 = t104; + FStar_UInt128_uint128 + carry6 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z6, c5), (uint32_t)56U); + uint64_t + t105 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z6, c5)) + & 
(uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c6 = carry6; + uint64_t t61 = t105; + FStar_UInt128_uint128 + carry7 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z7, c6), (uint32_t)56U); + uint64_t + t106 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z7, c6)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c7 = carry7; + uint64_t t71 = t106; + FStar_UInt128_uint128 + carry8 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z8, c7), (uint32_t)56U); + uint64_t + t107 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z8, c7)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c8 = carry8; + uint64_t t81 = t107; + uint64_t t91 = FStar_UInt128_uint128_to_uint64(c8); + uint64_t qmu4_ = t410; + uint64_t qmu5_ = t51; + uint64_t qmu6_ = t61; + uint64_t qmu7_ = t71; + uint64_t qmu8_ = t81; + uint64_t qmu9_ = t91; + uint64_t y_4 = (qmu5_ & (uint64_t)0xffffffffffU) << (uint32_t)16U; + uint64_t x_4 = qmu4_ >> (uint32_t)40U; + uint64_t z02 = x_4 | y_4; + uint64_t y_5 = (qmu6_ & (uint64_t)0xffffffffffU) << (uint32_t)16U; + uint64_t x_5 = qmu5_ >> (uint32_t)40U; + uint64_t z12 = x_5 | y_5; + uint64_t y_6 = (qmu7_ & (uint64_t)0xffffffffffU) << (uint32_t)16U; + uint64_t x_6 = qmu6_ >> (uint32_t)40U; + uint64_t z22 = x_6 | y_6; + uint64_t y_7 = (qmu8_ & (uint64_t)0xffffffffffU) << (uint32_t)16U; + uint64_t x_7 = qmu7_ >> (uint32_t)40U; + uint64_t z32 = x_7 | y_7; + uint64_t y_8 = (qmu9_ & (uint64_t)0xffffffffffU) << (uint32_t)16U; + uint64_t x_8 = qmu8_ >> (uint32_t)40U; + uint64_t z42 = x_8 | y_8; + uint64_t qdiv0 = z02; + uint64_t qdiv1 = z12; + uint64_t qdiv2 = z22; + uint64_t qdiv3 = z32; + uint64_t qdiv4 = z42; + uint64_t r0 = t0; + uint64_t r1 = t1; + uint64_t r2 = t2; + uint64_t r3 = t3; + uint64_t r4 = t4 & (uint64_t)0xffffffffffU; + FStar_UInt128_uint128 xy00 = FStar_UInt128_mul_wide(qdiv0, m0); + FStar_UInt128_uint128 xy01 = FStar_UInt128_mul_wide(qdiv0, m1); + FStar_UInt128_uint128 xy02 = FStar_UInt128_mul_wide(qdiv0, m2); + 
FStar_UInt128_uint128 xy03 = FStar_UInt128_mul_wide(qdiv0, m3); + FStar_UInt128_uint128 xy04 = FStar_UInt128_mul_wide(qdiv0, m4); + FStar_UInt128_uint128 xy10 = FStar_UInt128_mul_wide(qdiv1, m0); + FStar_UInt128_uint128 xy11 = FStar_UInt128_mul_wide(qdiv1, m1); + FStar_UInt128_uint128 xy12 = FStar_UInt128_mul_wide(qdiv1, m2); + FStar_UInt128_uint128 xy13 = FStar_UInt128_mul_wide(qdiv1, m3); + FStar_UInt128_uint128 xy20 = FStar_UInt128_mul_wide(qdiv2, m0); + FStar_UInt128_uint128 xy21 = FStar_UInt128_mul_wide(qdiv2, m1); + FStar_UInt128_uint128 xy22 = FStar_UInt128_mul_wide(qdiv2, m2); + FStar_UInt128_uint128 xy30 = FStar_UInt128_mul_wide(qdiv3, m0); + FStar_UInt128_uint128 xy31 = FStar_UInt128_mul_wide(qdiv3, m1); + FStar_UInt128_uint128 xy40 = FStar_UInt128_mul_wide(qdiv4, m0); + FStar_UInt128_uint128 carry9 = FStar_UInt128_shift_right(xy00, (uint32_t)56U); + uint64_t t108 = FStar_UInt128_uint128_to_uint64(xy00) & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c0 = carry9; + uint64_t t010 = t108; + FStar_UInt128_uint128 + carry10 = + FStar_UInt128_shift_right(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy01, xy10), c0), + (uint32_t)56U); + uint64_t + t109 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy01, xy10), c0)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c11 = carry10; + uint64_t t110 = t109; + FStar_UInt128_uint128 + carry11 = + FStar_UInt128_shift_right(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy02, + xy11), + xy20), + c11), + (uint32_t)56U); + uint64_t + t1010 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy02, + xy11), + xy20), + c11)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c21 = carry11; + uint64_t t210 = t1010; + FStar_UInt128_uint128 + carry = + FStar_UInt128_shift_right(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy03, + xy12), + xy21), + xy30), + c21), + 
(uint32_t)56U); + uint64_t + t1011 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy03, + xy12), + xy21), + xy30), + c21)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c31 = carry; + uint64_t t310 = t1011; + uint64_t + t411 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy04, + xy13), + xy22), + xy31), + xy40), + c31)) + & (uint64_t)0xffffffffffU; + uint64_t qmul0 = t010; + uint64_t qmul1 = t110; + uint64_t qmul2 = t210; + uint64_t qmul3 = t310; + uint64_t qmul4 = t411; + uint64_t b5 = (r0 - qmul0) >> (uint32_t)63U; + uint64_t t1012 = (b5 << (uint32_t)56U) + r0 - qmul0; + uint64_t c1 = b5; + uint64_t t011 = t1012; + uint64_t b6 = (r1 - (qmul1 + c1)) >> (uint32_t)63U; + uint64_t t1013 = (b6 << (uint32_t)56U) + r1 - (qmul1 + c1); + uint64_t c2 = b6; + uint64_t t111 = t1013; + uint64_t b7 = (r2 - (qmul2 + c2)) >> (uint32_t)63U; + uint64_t t1014 = (b7 << (uint32_t)56U) + r2 - (qmul2 + c2); + uint64_t c3 = b7; + uint64_t t211 = t1014; + uint64_t b8 = (r3 - (qmul3 + c3)) >> (uint32_t)63U; + uint64_t t1015 = (b8 << (uint32_t)56U) + r3 - (qmul3 + c3); + uint64_t c4 = b8; + uint64_t t311 = t1015; + uint64_t b9 = (r4 - (qmul4 + c4)) >> (uint32_t)63U; + uint64_t t1016 = (b9 << (uint32_t)40U) + r4 - (qmul4 + c4); + uint64_t t412 = t1016; + uint64_t s0 = t011; + uint64_t s1 = t111; + uint64_t s2 = t211; + uint64_t s3 = t311; + uint64_t s4 = t412; + uint64_t m01 = (uint64_t)0x12631a5cf5d3edU; + uint64_t m11 = (uint64_t)0xf9dea2f79cd658U; + uint64_t m21 = (uint64_t)0x000000000014deU; + uint64_t m31 = (uint64_t)0x00000000000000U; + uint64_t m41 = (uint64_t)0x00000010000000U; + uint64_t y0 = m01; + uint64_t y1 = m11; + uint64_t y2 = m21; + uint64_t y3 = m31; + uint64_t y4 = m41; + uint64_t b10 = (s0 - y0) >> (uint32_t)63U; + uint64_t t1017 = (b10 << (uint32_t)56U) + s0 - y0; + uint64_t b0 = b10; + 
uint64_t t01 = t1017; + uint64_t b11 = (s1 - (y1 + b0)) >> (uint32_t)63U; + uint64_t t1018 = (b11 << (uint32_t)56U) + s1 - (y1 + b0); + uint64_t b1 = b11; + uint64_t t11 = t1018; + uint64_t b12 = (s2 - (y2 + b1)) >> (uint32_t)63U; + uint64_t t1019 = (b12 << (uint32_t)56U) + s2 - (y2 + b1); + uint64_t b2 = b12; + uint64_t t21 = t1019; + uint64_t b13 = (s3 - (y3 + b2)) >> (uint32_t)63U; + uint64_t t1020 = (b13 << (uint32_t)56U) + s3 - (y3 + b2); + uint64_t b3 = b13; + uint64_t t31 = t1020; + uint64_t b = (s4 - (y4 + b3)) >> (uint32_t)63U; + uint64_t t10 = (b << (uint32_t)56U) + s4 - (y4 + b3); + uint64_t b4 = b; + uint64_t t41 = t10; + uint64_t mask = b4 - (uint64_t)1U; + uint64_t z03 = s0 ^ (mask & (s0 ^ t01)); + uint64_t z13 = s1 ^ (mask & (s1 ^ t11)); + uint64_t z23 = s2 ^ (mask & (s2 ^ t21)); + uint64_t z33 = s3 ^ (mask & (s3 ^ t31)); + uint64_t z43 = s4 ^ (mask & (s4 ^ t41)); + uint64_t z04 = z03; + uint64_t z14 = z13; + uint64_t z24 = z23; + uint64_t z34 = z33; + uint64_t z44 = z43; + uint64_t o0 = z04; + uint64_t o1 = z14; + uint64_t o2 = z24; + uint64_t o3 = z34; + uint64_t o4 = z44; + uint64_t z0 = o0; + uint64_t z1 = o1; + uint64_t z2 = o2; + uint64_t z3 = o3; + uint64_t z4 = o4; + z[0U] = z0; + z[1U] = z1; + z[2U] = z2; + z[3U] = z3; + z[4U] = z4; +} + +static inline void mul_modq(uint64_t *out, uint64_t *x, uint64_t *y) +{ + uint64_t tmp[10U] = { 0U }; + uint64_t x0 = x[0U]; + uint64_t x1 = x[1U]; + uint64_t x2 = x[2U]; + uint64_t x3 = x[3U]; + uint64_t x4 = x[4U]; + uint64_t y0 = y[0U]; + uint64_t y1 = y[1U]; + uint64_t y2 = y[2U]; + uint64_t y3 = y[3U]; + uint64_t y4 = y[4U]; + FStar_UInt128_uint128 xy00 = FStar_UInt128_mul_wide(x0, y0); + FStar_UInt128_uint128 xy01 = FStar_UInt128_mul_wide(x0, y1); + FStar_UInt128_uint128 xy02 = FStar_UInt128_mul_wide(x0, y2); + FStar_UInt128_uint128 xy03 = FStar_UInt128_mul_wide(x0, y3); + FStar_UInt128_uint128 xy04 = FStar_UInt128_mul_wide(x0, y4); + FStar_UInt128_uint128 xy10 = FStar_UInt128_mul_wide(x1, y0); + 
FStar_UInt128_uint128 xy11 = FStar_UInt128_mul_wide(x1, y1); + FStar_UInt128_uint128 xy12 = FStar_UInt128_mul_wide(x1, y2); + FStar_UInt128_uint128 xy13 = FStar_UInt128_mul_wide(x1, y3); + FStar_UInt128_uint128 xy14 = FStar_UInt128_mul_wide(x1, y4); + FStar_UInt128_uint128 xy20 = FStar_UInt128_mul_wide(x2, y0); + FStar_UInt128_uint128 xy21 = FStar_UInt128_mul_wide(x2, y1); + FStar_UInt128_uint128 xy22 = FStar_UInt128_mul_wide(x2, y2); + FStar_UInt128_uint128 xy23 = FStar_UInt128_mul_wide(x2, y3); + FStar_UInt128_uint128 xy24 = FStar_UInt128_mul_wide(x2, y4); + FStar_UInt128_uint128 xy30 = FStar_UInt128_mul_wide(x3, y0); + FStar_UInt128_uint128 xy31 = FStar_UInt128_mul_wide(x3, y1); + FStar_UInt128_uint128 xy32 = FStar_UInt128_mul_wide(x3, y2); + FStar_UInt128_uint128 xy33 = FStar_UInt128_mul_wide(x3, y3); + FStar_UInt128_uint128 xy34 = FStar_UInt128_mul_wide(x3, y4); + FStar_UInt128_uint128 xy40 = FStar_UInt128_mul_wide(x4, y0); + FStar_UInt128_uint128 xy41 = FStar_UInt128_mul_wide(x4, y1); + FStar_UInt128_uint128 xy42 = FStar_UInt128_mul_wide(x4, y2); + FStar_UInt128_uint128 xy43 = FStar_UInt128_mul_wide(x4, y3); + FStar_UInt128_uint128 xy44 = FStar_UInt128_mul_wide(x4, y4); + FStar_UInt128_uint128 z00 = xy00; + FStar_UInt128_uint128 z10 = FStar_UInt128_add_mod(xy01, xy10); + FStar_UInt128_uint128 z20 = FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy02, xy11), xy20); + FStar_UInt128_uint128 + z30 = + FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy03, xy12), xy21), + xy30); + FStar_UInt128_uint128 + z40 = + FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy04, + xy13), + xy22), + xy31), + xy40); + FStar_UInt128_uint128 + z50 = + FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy14, xy23), xy32), + xy41); + FStar_UInt128_uint128 z60 = FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy24, xy33), xy42); + FStar_UInt128_uint128 z70 = FStar_UInt128_add_mod(xy34, xy43); + FStar_UInt128_uint128 z80 
= xy44; + FStar_UInt128_uint128 carry0 = FStar_UInt128_shift_right(z00, (uint32_t)56U); + uint64_t t10 = FStar_UInt128_uint128_to_uint64(z00) & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c0 = carry0; + uint64_t t0 = t10; + FStar_UInt128_uint128 + carry1 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z10, c0), (uint32_t)56U); + uint64_t + t11 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z10, c0)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c1 = carry1; + uint64_t t1 = t11; + FStar_UInt128_uint128 + carry2 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z20, c1), (uint32_t)56U); + uint64_t + t12 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z20, c1)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c2 = carry2; + uint64_t t2 = t12; + FStar_UInt128_uint128 + carry3 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z30, c2), (uint32_t)56U); + uint64_t + t13 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z30, c2)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c3 = carry3; + uint64_t t3 = t13; + FStar_UInt128_uint128 + carry4 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z40, c3), (uint32_t)56U); + uint64_t + t14 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z40, c3)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c4 = carry4; + uint64_t t4 = t14; + FStar_UInt128_uint128 + carry5 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z50, c4), (uint32_t)56U); + uint64_t + t15 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z50, c4)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c5 = carry5; + uint64_t t5 = t15; + FStar_UInt128_uint128 + carry6 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z60, c5), (uint32_t)56U); + uint64_t + t16 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z60, c5)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c6 = carry6; + uint64_t t6 = t16; + FStar_UInt128_uint128 + carry7 = 
FStar_UInt128_shift_right(FStar_UInt128_add_mod(z70, c6), (uint32_t)56U); + uint64_t + t17 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z70, c6)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c7 = carry7; + uint64_t t7 = t17; + FStar_UInt128_uint128 + carry = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z80, c7), (uint32_t)56U); + uint64_t + t = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z80, c7)) + & (uint64_t)0xffffffffffffffU; + FStar_UInt128_uint128 c8 = carry; + uint64_t t8 = t; + uint64_t t9 = FStar_UInt128_uint128_to_uint64(c8); + uint64_t z0 = t0; + uint64_t z1 = t1; + uint64_t z2 = t2; + uint64_t z3 = t3; + uint64_t z4 = t4; + uint64_t z5 = t5; + uint64_t z6 = t6; + uint64_t z7 = t7; + uint64_t z8 = t8; + uint64_t z9 = t9; + tmp[0U] = z0; + tmp[1U] = z1; + tmp[2U] = z2; + tmp[3U] = z3; + tmp[4U] = z4; + tmp[5U] = z5; + tmp[6U] = z6; + tmp[7U] = z7; + tmp[8U] = z8; + tmp[9U] = z9; + barrett_reduction(out, tmp); +} + +static inline void add_modq(uint64_t *out, uint64_t *x, uint64_t *y) +{ + uint64_t x0 = x[0U]; + uint64_t x1 = x[1U]; + uint64_t x2 = x[2U]; + uint64_t x3 = x[3U]; + uint64_t x4 = x[4U]; + uint64_t y0 = y[0U]; + uint64_t y1 = y[1U]; + uint64_t y2 = y[2U]; + uint64_t y3 = y[3U]; + uint64_t y4 = y[4U]; + uint64_t carry0 = (x0 + y0) >> (uint32_t)56U; + uint64_t t0 = (x0 + y0) & (uint64_t)0xffffffffffffffU; + uint64_t t00 = t0; + uint64_t c0 = carry0; + uint64_t carry1 = (x1 + y1 + c0) >> (uint32_t)56U; + uint64_t t1 = (x1 + y1 + c0) & (uint64_t)0xffffffffffffffU; + uint64_t t10 = t1; + uint64_t c1 = carry1; + uint64_t carry2 = (x2 + y2 + c1) >> (uint32_t)56U; + uint64_t t2 = (x2 + y2 + c1) & (uint64_t)0xffffffffffffffU; + uint64_t t20 = t2; + uint64_t c2 = carry2; + uint64_t carry = (x3 + y3 + c2) >> (uint32_t)56U; + uint64_t t3 = (x3 + y3 + c2) & (uint64_t)0xffffffffffffffU; + uint64_t t30 = t3; + uint64_t c3 = carry; + uint64_t t4 = x4 + y4 + c3; + uint64_t m0 = (uint64_t)0x12631a5cf5d3edU; + uint64_t m1 = 
(uint64_t)0xf9dea2f79cd658U; + uint64_t m2 = (uint64_t)0x000000000014deU; + uint64_t m3 = (uint64_t)0x00000000000000U; + uint64_t m4 = (uint64_t)0x00000010000000U; + uint64_t y01 = m0; + uint64_t y11 = m1; + uint64_t y21 = m2; + uint64_t y31 = m3; + uint64_t y41 = m4; + uint64_t b5 = (t00 - y01) >> (uint32_t)63U; + uint64_t t5 = (b5 << (uint32_t)56U) + t00 - y01; + uint64_t b0 = b5; + uint64_t t01 = t5; + uint64_t b6 = (t10 - (y11 + b0)) >> (uint32_t)63U; + uint64_t t6 = (b6 << (uint32_t)56U) + t10 - (y11 + b0); + uint64_t b1 = b6; + uint64_t t11 = t6; + uint64_t b7 = (t20 - (y21 + b1)) >> (uint32_t)63U; + uint64_t t7 = (b7 << (uint32_t)56U) + t20 - (y21 + b1); + uint64_t b2 = b7; + uint64_t t21 = t7; + uint64_t b8 = (t30 - (y31 + b2)) >> (uint32_t)63U; + uint64_t t8 = (b8 << (uint32_t)56U) + t30 - (y31 + b2); + uint64_t b3 = b8; + uint64_t t31 = t8; + uint64_t b = (t4 - (y41 + b3)) >> (uint32_t)63U; + uint64_t t = (b << (uint32_t)56U) + t4 - (y41 + b3); + uint64_t b4 = b; + uint64_t t41 = t; + uint64_t mask = b4 - (uint64_t)1U; + uint64_t z00 = t00 ^ (mask & (t00 ^ t01)); + uint64_t z10 = t10 ^ (mask & (t10 ^ t11)); + uint64_t z20 = t20 ^ (mask & (t20 ^ t21)); + uint64_t z30 = t30 ^ (mask & (t30 ^ t31)); + uint64_t z40 = t4 ^ (mask & (t4 ^ t41)); + uint64_t z01 = z00; + uint64_t z11 = z10; + uint64_t z21 = z20; + uint64_t z31 = z30; + uint64_t z41 = z40; + uint64_t o0 = z01; + uint64_t o1 = z11; + uint64_t o2 = z21; + uint64_t o3 = z31; + uint64_t o4 = z41; + uint64_t z0 = o0; + uint64_t z1 = o1; + uint64_t z2 = o2; + uint64_t z3 = o3; + uint64_t z4 = o4; + out[0U] = z0; + out[1U] = z1; + out[2U] = z2; + out[3U] = z3; + out[4U] = z4; +} + +static inline void load_64_bytes(uint64_t *out, uint8_t *b) +{ + uint8_t *b80 = b; + uint64_t u = load64_le(b80); + uint64_t z = u; + uint64_t b0 = z & (uint64_t)0xffffffffffffffU; + uint8_t *b81 = b + (uint32_t)7U; + uint64_t u0 = load64_le(b81); + uint64_t z0 = u0; + uint64_t b1 = z0 & (uint64_t)0xffffffffffffffU; + uint8_t 
*b82 = b + (uint32_t)14U; + uint64_t u1 = load64_le(b82); + uint64_t z1 = u1; + uint64_t b2 = z1 & (uint64_t)0xffffffffffffffU; + uint8_t *b83 = b + (uint32_t)21U; + uint64_t u2 = load64_le(b83); + uint64_t z2 = u2; + uint64_t b3 = z2 & (uint64_t)0xffffffffffffffU; + uint8_t *b84 = b + (uint32_t)28U; + uint64_t u3 = load64_le(b84); + uint64_t z3 = u3; + uint64_t b4 = z3 & (uint64_t)0xffffffffffffffU; + uint8_t *b85 = b + (uint32_t)35U; + uint64_t u4 = load64_le(b85); + uint64_t z4 = u4; + uint64_t b5 = z4 & (uint64_t)0xffffffffffffffU; + uint8_t *b86 = b + (uint32_t)42U; + uint64_t u5 = load64_le(b86); + uint64_t z5 = u5; + uint64_t b6 = z5 & (uint64_t)0xffffffffffffffU; + uint8_t *b87 = b + (uint32_t)49U; + uint64_t u6 = load64_le(b87); + uint64_t z6 = u6; + uint64_t b7 = z6 & (uint64_t)0xffffffffffffffU; + uint8_t *b8 = b + (uint32_t)56U; + uint64_t u7 = load64_le(b8); + uint64_t z7 = u7; + uint64_t b88 = z7 & (uint64_t)0xffffffffffffffU; + uint8_t b63 = b[63U]; + uint64_t b9 = (uint64_t)b63; + out[0U] = b0; + out[1U] = b1; + out[2U] = b2; + out[3U] = b3; + out[4U] = b4; + out[5U] = b5; + out[6U] = b6; + out[7U] = b7; + out[8U] = b88; + out[9U] = b9; +} + +static inline void load_32_bytes(uint64_t *out, uint8_t *b) +{ + uint8_t *b80 = b; + uint64_t u0 = load64_le(b80); + uint64_t z = u0; + uint64_t b0 = z & (uint64_t)0xffffffffffffffU; + uint8_t *b81 = b + (uint32_t)7U; + uint64_t u1 = load64_le(b81); + uint64_t z0 = u1; + uint64_t b1 = z0 & (uint64_t)0xffffffffffffffU; + uint8_t *b82 = b + (uint32_t)14U; + uint64_t u2 = load64_le(b82); + uint64_t z1 = u2; + uint64_t b2 = z1 & (uint64_t)0xffffffffffffffU; + uint8_t *b8 = b + (uint32_t)21U; + uint64_t u3 = load64_le(b8); + uint64_t z2 = u3; + uint64_t b3 = z2 & (uint64_t)0xffffffffffffffU; + uint32_t u = load32_le(b + (uint32_t)28U); + uint32_t b4 = u; + uint64_t b41 = (uint64_t)b4; + out[0U] = b0; + out[1U] = b1; + out[2U] = b2; + out[3U] = b3; + out[4U] = b41; +} + +static inline void store_56(uint8_t *out, 
uint64_t *b) +{ + uint64_t b0 = b[0U]; + uint64_t b1 = b[1U]; + uint64_t b2 = b[2U]; + uint64_t b3 = b[3U]; + uint64_t b4 = b[4U]; + uint32_t b4_ = (uint32_t)b4; + uint8_t *b8 = out; + store64_le(b8, b0); + uint8_t *b80 = out + (uint32_t)7U; + store64_le(b80, b1); + uint8_t *b81 = out + (uint32_t)14U; + store64_le(b81, b2); + uint8_t *b82 = out + (uint32_t)21U; + store64_le(b82, b3); + store32_le(out + (uint32_t)28U, b4_); +} + +static inline void sha512_pre_msg(uint8_t *hash, uint8_t *prefix, uint32_t len, uint8_t *input) +{ + uint8_t buf[128U] = { 0U }; + uint64_t block_state[8U] = { 0U }; + Hacl_Streaming_SHA2_state_sha2_384 + s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; + Hacl_Streaming_SHA2_state_sha2_384 p = s; + Hacl_Hash_Core_SHA2_init_512(block_state); + Hacl_Streaming_SHA2_state_sha2_384 *st = &p; + Hacl_Streaming_SHA2_update_512(st, prefix, (uint32_t)32U); + Hacl_Streaming_SHA2_update_512(st, input, len); + Hacl_Streaming_SHA2_finish_512(st, hash); +} + +static inline void +sha512_pre_pre2_msg( + uint8_t *hash, + uint8_t *prefix, + uint8_t *prefix2, + uint32_t len, + uint8_t *input +) +{ + uint8_t buf[128U] = { 0U }; + uint64_t block_state[8U] = { 0U }; + Hacl_Streaming_SHA2_state_sha2_384 + s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; + Hacl_Streaming_SHA2_state_sha2_384 p = s; + Hacl_Hash_Core_SHA2_init_512(block_state); + Hacl_Streaming_SHA2_state_sha2_384 *st = &p; + Hacl_Streaming_SHA2_update_512(st, prefix, (uint32_t)32U); + Hacl_Streaming_SHA2_update_512(st, prefix2, (uint32_t)32U); + Hacl_Streaming_SHA2_update_512(st, input, len); + Hacl_Streaming_SHA2_finish_512(st, hash); +} + +static inline void +sha512_modq_pre(uint64_t *out, uint8_t *prefix, uint32_t len, uint8_t *input) +{ + uint64_t tmp[10U] = { 0U }; + uint8_t hash[64U] = { 0U }; + sha512_pre_msg(hash, prefix, len, input); + load_64_bytes(tmp, hash); + barrett_reduction(out, tmp); +} + +static inline void +sha512_modq_pre_pre2( + 
uint64_t *out, + uint8_t *prefix, + uint8_t *prefix2, + uint32_t len, + uint8_t *input +) +{ + uint64_t tmp[10U] = { 0U }; + uint8_t hash[64U] = { 0U }; + sha512_pre_pre2_msg(hash, prefix, prefix2, len, input); + load_64_bytes(tmp, hash); + barrett_reduction(out, tmp); +} + +static inline void point_mul_g_compress(uint8_t *out, uint8_t *s) +{ + uint64_t tmp[20U] = { 0U }; + point_mul_g(tmp, s); + Hacl_Impl_Ed25519_PointCompress_point_compress(out, tmp); +} + +static inline void sign_expanded(uint8_t *signature, uint8_t *ks, uint32_t msg, uint8_t *len) +{ + uint8_t tmp_bytes[160U] = { 0U }; + uint64_t tmp_ints[25U] = { 0U }; + uint8_t *rs_ = tmp_bytes + (uint32_t)32U; + uint8_t *s_ = tmp_bytes + (uint32_t)64U; + uint8_t *tmp_public = tmp_bytes; + uint8_t *tmp_xsecret = tmp_bytes + (uint32_t)96U; + memcpy(tmp_public, ks, (uint32_t)32U * sizeof (uint8_t)); + memcpy(tmp_xsecret, ks + (uint32_t)32U, (uint32_t)64U * sizeof (uint8_t)); + uint64_t *r0 = tmp_ints; + uint8_t *prefix = tmp_bytes + (uint32_t)128U; + sha512_modq_pre(r0, prefix, msg, len); + uint8_t *rs_1 = tmp_bytes + (uint32_t)32U; + uint64_t *r = tmp_ints; + uint8_t rb[32U] = { 0U }; + store_56(rb, r); + point_mul_g_compress(rs_1, rb); + uint64_t *h0 = tmp_ints + (uint32_t)20U; + uint8_t *a__ = tmp_bytes; + uint8_t *rs_10 = tmp_bytes + (uint32_t)32U; + sha512_modq_pre_pre2(h0, rs_10, a__, msg, len); + uint64_t *r1 = tmp_ints; + uint64_t *aq = tmp_ints + (uint32_t)5U; + uint64_t *ha = tmp_ints + (uint32_t)10U; + uint64_t *s = tmp_ints + (uint32_t)15U; + uint64_t *h = tmp_ints + (uint32_t)20U; + uint8_t *s_1 = tmp_bytes + (uint32_t)64U; + uint8_t *a = tmp_bytes + (uint32_t)96U; + load_32_bytes(aq, a); + mul_modq(ha, h, aq); + add_modq(s, r1, ha); + store_56(s_1, s); + memcpy(signature, rs_, (uint32_t)32U * sizeof (uint8_t)); + memcpy(signature + (uint32_t)32U, s_, (uint32_t)32U * sizeof (uint8_t)); +} + +static inline void pow2_252m2(uint64_t *out, uint64_t *z) +{ + uint64_t buf[20U] = { 0U }; + uint64_t *a = 
buf; + uint64_t *t00 = buf + (uint32_t)5U; + uint64_t *b0 = buf + (uint32_t)10U; + uint64_t *c0 = buf + (uint32_t)15U; + fsquare_times(a, z, (uint32_t)1U); + fsquare_times(t00, a, (uint32_t)2U); + fmul0(b0, t00, z); + fmul0(a, b0, a); + fsquare_times(t00, a, (uint32_t)1U); + fmul0(b0, t00, b0); + fsquare_times(t00, b0, (uint32_t)5U); + fmul0(b0, t00, b0); + fsquare_times(t00, b0, (uint32_t)10U); + fmul0(c0, t00, b0); + fsquare_times(t00, c0, (uint32_t)20U); + fmul0(t00, t00, c0); + fsquare_times_inplace(t00, (uint32_t)10U); + fmul0(b0, t00, b0); + fsquare_times(t00, b0, (uint32_t)50U); + uint64_t *a0 = buf; + uint64_t *t0 = buf + (uint32_t)5U; + uint64_t *b = buf + (uint32_t)10U; + uint64_t *c = buf + (uint32_t)15U; + fsquare_times(a0, z, (uint32_t)1U); + fmul0(c, t0, b); + fsquare_times(t0, c, (uint32_t)100U); + fmul0(t0, t0, c); + fsquare_times_inplace(t0, (uint32_t)50U); + fmul0(t0, t0, b); + fsquare_times_inplace(t0, (uint32_t)2U); + fmul0(out, t0, a0); +} + +static inline bool is_0(uint64_t *x) +{ + uint64_t x0 = x[0U]; + uint64_t x1 = x[1U]; + uint64_t x2 = x[2U]; + uint64_t x3 = x[3U]; + uint64_t x4 = x[4U]; + return + x0 + == (uint64_t)0U + && x1 == (uint64_t)0U + && x2 == (uint64_t)0U + && x3 == (uint64_t)0U + && x4 == (uint64_t)0U; +} + +static inline void mul_modp_sqrt_m1(uint64_t *x) +{ + uint64_t sqrt_m1[5U] = { 0U }; + sqrt_m1[0U] = (uint64_t)0x00061b274a0ea0b0U; + sqrt_m1[1U] = (uint64_t)0x0000d5a5fc8f189dU; + sqrt_m1[2U] = (uint64_t)0x0007ef5e9cbd0c60U; + sqrt_m1[3U] = (uint64_t)0x00078595a6804c9eU; + sqrt_m1[4U] = (uint64_t)0x0002b8324804fc1dU; + fmul0(x, x, sqrt_m1); +} + +static inline bool recover_x(uint64_t *x, uint64_t *y, uint64_t sign) +{ + uint64_t tmp[20U] = { 0U }; + uint64_t *x2 = tmp; + uint64_t x00 = y[0U]; + uint64_t x1 = y[1U]; + uint64_t x21 = y[2U]; + uint64_t x30 = y[3U]; + uint64_t x4 = y[4U]; + bool + b = + x00 + >= (uint64_t)0x7ffffffffffedU + && x1 == (uint64_t)0x7ffffffffffffU + && x21 == (uint64_t)0x7ffffffffffffU + && x30 
== (uint64_t)0x7ffffffffffffU + && x4 == (uint64_t)0x7ffffffffffffU; + bool res; + if (b) + { + res = false; + } + else + { + uint64_t tmp1[25U] = { 0U }; + uint64_t *one = tmp1; + uint64_t *y2 = tmp1 + (uint32_t)5U; + uint64_t *dyyi = tmp1 + (uint32_t)10U; + uint64_t *dyy = tmp1 + (uint32_t)15U; + one[0U] = (uint64_t)1U; + one[1U] = (uint64_t)0U; + one[2U] = (uint64_t)0U; + one[3U] = (uint64_t)0U; + one[4U] = (uint64_t)0U; + fsquare(y2, y); + times_d(dyy, y2); + fsum(dyy, one); + Hacl_Bignum25519_reduce_513(dyy); + Hacl_Bignum25519_inverse(dyyi, dyy); + fdifference(one, y2); + fmul0(x2, one, dyyi); + reduce(x2); + bool x2_is_0 = is_0(x2); + uint8_t z; + if (x2_is_0) + { + if (sign == (uint64_t)0U) + { + x[0U] = (uint64_t)0U; + x[1U] = (uint64_t)0U; + x[2U] = (uint64_t)0U; + x[3U] = (uint64_t)0U; + x[4U] = (uint64_t)0U; + z = (uint8_t)1U; + } + else + { + z = (uint8_t)0U; + } + } + else + { + z = (uint8_t)2U; + } + if (z == (uint8_t)0U) + { + res = false; + } + else if (z == (uint8_t)1U) + { + res = true; + } + else + { + uint64_t *x210 = tmp; + uint64_t *x31 = tmp + (uint32_t)5U; + uint64_t *t00 = tmp + (uint32_t)10U; + uint64_t *t10 = tmp + (uint32_t)15U; + pow2_252m2(x31, x210); + fsquare(t00, x31); + memcpy(t10, x210, (uint32_t)5U * sizeof (uint64_t)); + fdifference(t10, t00); + Hacl_Bignum25519_reduce_513(t10); + reduce(t10); + bool t1_is_0 = is_0(t10); + if (!t1_is_0) + { + mul_modp_sqrt_m1(x31); + } + uint64_t *x211 = tmp; + uint64_t *x3 = tmp + (uint32_t)5U; + uint64_t *t01 = tmp + (uint32_t)10U; + uint64_t *t1 = tmp + (uint32_t)15U; + fsquare(t01, x3); + memcpy(t1, x211, (uint32_t)5U * sizeof (uint64_t)); + fdifference(t1, t01); + Hacl_Bignum25519_reduce_513(t1); + reduce(t1); + bool z1 = is_0(t1); + if (z1 == false) + { + res = false; + } + else + { + uint64_t *x32 = tmp + (uint32_t)5U; + uint64_t *t0 = tmp + (uint32_t)10U; + reduce(x32); + uint64_t x0 = x32[0U]; + uint64_t x01 = x0 & (uint64_t)1U; + if (!(x01 == sign)) + { + t0[0U] = (uint64_t)0U; + 
t0[1U] = (uint64_t)0U; + t0[2U] = (uint64_t)0U; + t0[3U] = (uint64_t)0U; + t0[4U] = (uint64_t)0U; + fdifference(x32, t0); + Hacl_Bignum25519_reduce_513(x32); + reduce(x32); + } + memcpy(x, x32, (uint32_t)5U * sizeof (uint64_t)); + res = true; + } + } + } + bool res0 = res; + return res0; +} + +bool Hacl_Impl_Ed25519_PointDecompress_point_decompress(uint64_t *out, uint8_t *s) +{ + uint64_t tmp[10U] = { 0U }; + uint64_t *y = tmp; + uint64_t *x = tmp + (uint32_t)5U; + uint8_t s31 = s[31U]; + uint8_t z = s31 >> (uint32_t)7U; + uint64_t sign = (uint64_t)z; + Hacl_Bignum25519_load_51(y, s); + bool z0 = recover_x(x, y, sign); + bool res; + if (z0 == false) + { + res = false; + } + else + { + uint64_t *outx = out; + uint64_t *outy = out + (uint32_t)5U; + uint64_t *outz = out + (uint32_t)10U; + uint64_t *outt = out + (uint32_t)15U; + memcpy(outx, x, (uint32_t)5U * sizeof (uint64_t)); + memcpy(outy, y, (uint32_t)5U * sizeof (uint64_t)); + outz[0U] = (uint64_t)1U; + outz[1U] = (uint64_t)0U; + outz[2U] = (uint64_t)0U; + outz[3U] = (uint64_t)0U; + outz[4U] = (uint64_t)0U; + fmul0(outt, x, y); + res = true; + } + bool res0 = res; + return res0; +} + +static inline bool gte_q(uint64_t *s) +{ + uint64_t s0 = s[0U]; + uint64_t s1 = s[1U]; + uint64_t s2 = s[2U]; + uint64_t s3 = s[3U]; + uint64_t s4 = s[4U]; + if (s4 > (uint64_t)0x00000010000000U) + { + return true; + } + if (s4 < (uint64_t)0x00000010000000U) + { + return false; + } + if (s3 > (uint64_t)0x00000000000000U) + { + return true; + } + if (s2 > (uint64_t)0x000000000014deU) + { + return true; + } + if (s2 < (uint64_t)0x000000000014deU) + { + return false; + } + if (s1 > (uint64_t)0xf9dea2f79cd658U) + { + return true; + } + if (s1 < (uint64_t)0xf9dea2f79cd658U) + { + return false; + } + if (s0 >= (uint64_t)0x12631a5cf5d3edU) + { + return true; + } + return false; +} + +static inline bool eq(uint64_t *a, uint64_t *b) +{ + uint64_t a0 = a[0U]; + uint64_t a1 = a[1U]; + uint64_t a2 = a[2U]; + uint64_t a3 = a[3U]; + uint64_t a4 = 
a[4U]; + uint64_t b0 = b[0U]; + uint64_t b1 = b[1U]; + uint64_t b2 = b[2U]; + uint64_t b3 = b[3U]; + uint64_t b4 = b[4U]; + return a0 == b0 && a1 == b1 && a2 == b2 && a3 == b3 && a4 == b4; +} + +bool Hacl_Impl_Ed25519_PointEqual_point_equal(uint64_t *p, uint64_t *q) +{ + uint64_t tmp[20U] = { 0U }; + uint64_t *pxqz = tmp; + uint64_t *qxpz = tmp + (uint32_t)5U; + fmul0(pxqz, p, q + (uint32_t)10U); + reduce(pxqz); + fmul0(qxpz, q, p + (uint32_t)10U); + reduce(qxpz); + bool b = eq(pxqz, qxpz); + if (b) + { + uint64_t *pyqz = tmp + (uint32_t)10U; + uint64_t *qypz = tmp + (uint32_t)15U; + fmul0(pyqz, p + (uint32_t)5U, q + (uint32_t)10U); + reduce(pyqz); + fmul0(qypz, q + (uint32_t)5U, p + (uint32_t)10U); + reduce(qypz); + return eq(pyqz, qypz); + } + return false; +} + +void Hacl_Impl_Ed25519_PointNegate_point_negate(uint64_t *p, uint64_t *out) +{ + uint64_t zero[5U] = { 0U }; + zero[0U] = (uint64_t)0U; + zero[1U] = (uint64_t)0U; + zero[2U] = (uint64_t)0U; + zero[3U] = (uint64_t)0U; + zero[4U] = (uint64_t)0U; + uint64_t *x = p; + uint64_t *y = p + (uint32_t)5U; + uint64_t *z = p + (uint32_t)10U; + uint64_t *t = p + (uint32_t)15U; + uint64_t *x1 = out; + uint64_t *y1 = out + (uint32_t)5U; + uint64_t *z1 = out + (uint32_t)10U; + uint64_t *t1 = out + (uint32_t)15U; + memcpy(x1, x, (uint32_t)5U * sizeof (uint64_t)); + fdifference(x1, zero); + Hacl_Bignum25519_reduce_513(x1); + memcpy(y1, y, (uint32_t)5U * sizeof (uint64_t)); + memcpy(z1, z, (uint32_t)5U * sizeof (uint64_t)); + memcpy(t1, t, (uint32_t)5U * sizeof (uint64_t)); + fdifference(t1, zero); + Hacl_Bignum25519_reduce_513(t1); +} + +void Hacl_Ed25519_sign(uint8_t *signature, uint8_t *priv, uint32_t len, uint8_t *msg) +{ + uint8_t ks[96U] = { 0U }; + secret_expand(ks + (uint32_t)32U, priv); + secret_to_public(ks, priv); + sign_expanded(signature, ks, len, msg); +} + +bool Hacl_Ed25519_verify(uint8_t *pub, uint32_t len, uint8_t *msg, uint8_t *signature) +{ + uint64_t tmp[45U] = { 0U }; + uint8_t tmp_[32U] = { 0U }; + 
uint64_t *a_ = tmp; + uint64_t *r_ = tmp + (uint32_t)20U; + bool b = Hacl_Impl_Ed25519_PointDecompress_point_decompress(a_, pub); + bool res; + if (b) + { + uint8_t *rs = signature; + bool b_ = Hacl_Impl_Ed25519_PointDecompress_point_decompress(r_, rs); + if (b_) + { + uint8_t *rs1 = signature; + uint64_t *a_1 = tmp; + uint64_t *r_1 = tmp + (uint32_t)20U; + uint64_t *s = tmp + (uint32_t)40U; + load_32_bytes(s, signature + (uint32_t)32U); + bool b__ = gte_q(s); + if (b__) + { + res = false; + } + else + { + uint64_t r_2[5U] = { 0U }; + sha512_modq_pre_pre2(r_2, rs1, pub, len, msg); + store_56(tmp_, r_2); + uint8_t *uu____0 = signature + (uint32_t)32U; + uint64_t tmp1[40U] = { 0U }; + uint64_t *a_neg = tmp1; + uint64_t *exp_d = tmp1 + (uint32_t)20U; + Hacl_Impl_Ed25519_PointNegate_point_negate(a_1, a_neg); + point_mul_g_double_vartime(exp_d, uu____0, tmp_, a_neg); + uint64_t *exp_d0 = tmp1 + (uint32_t)20U; + bool b1 = Hacl_Impl_Ed25519_PointEqual_point_equal(exp_d0, r_1); + res = b1; + } + } + else + { + res = false; + } + } + else + { + res = false; + } + bool res0 = res; + return res0; +} + +void Hacl_Ed25519_secret_to_public(uint8_t *pub, uint8_t *priv) +{ + secret_to_public(pub, priv); +} + +void Hacl_Ed25519_expand_keys(uint8_t *ks, uint8_t *priv) +{ + secret_expand(ks + (uint32_t)32U, priv); + secret_to_public(ks, priv); +} + +void Hacl_Ed25519_sign_expanded(uint8_t *signature, uint8_t *ks, uint32_t len, uint8_t *msg) +{ + sign_expanded(signature, ks, len, msg); +} + diff --git a/src/msvc/Hacl_GenericField32.c b/src/msvc/Hacl_GenericField32.c new file mode 100644 index 00000000..ec242748 --- /dev/null +++ b/src/msvc/Hacl_GenericField32.c 
@@ -0,0 +1,591 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_GenericField32.h" + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Bignum.h" + +/******************************************************************************* + +A verified field arithmetic library. + +This is a 32-bit optimized version, where bignums are represented as an array +of `len` unsigned 32-bit integers, i.e. uint32_t[len]. + +All the arithmetic operations are performed in the Montgomery domain. + +All the functions below preserve the following invariant for a bignum `aM` in +Montgomery form. + • aM < n + +*******************************************************************************/ + + +/* +Check whether this library will work for a modulus `n`. 
+ + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n +*/ +bool Hacl_GenericField32_field_modulus_check(uint32_t len, uint32_t *n) +{ + uint32_t m = Hacl_Bignum_Montgomery_bn_check_modulus_u32(len, n); + return m == (uint32_t)0xFFFFFFFFU; +} + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be `len` limbs in size, i.e. uint32_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_GenericField32_field_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 +*Hacl_GenericField32_field_init(uint32_t len, uint32_t *n) +{ + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *r2 = KRML_HOST_CALLOC(len, sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t *n1 = KRML_HOST_CALLOC(len, sizeof (uint32_t)); + uint32_t *r21 = r2; + uint32_t *n11 = n1; + memcpy(n11, n, len * sizeof (uint32_t)); + uint32_t nBits = (uint32_t)32U * Hacl_Bignum_Lib_bn_get_top_index_u32(len, n); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u32(len, nBits, n, r21); + uint32_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint32(n[0U]); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 res = { .len = len, .n = n11, .mu = mu, .r2 = r21 }; + KRML_CHECK_SIZE(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32), (uint32_t)1U); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 + *buf = KRML_HOST_MALLOC(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32)); + buf[0U] = res; + return buf; +} + +/* +Deallocate the memory previously allocated by Hacl_GenericField32_field_init. + + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. 
+*/ +void Hacl_GenericField32_field_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + uint32_t *n = k1.n; + uint32_t *r2 = k1.r2; + KRML_HOST_FREE(n); + KRML_HOST_FREE(r2); + KRML_HOST_FREE(k); +} + +/* +Return the size of a modulus `n` in limbs. + + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +uint32_t Hacl_GenericField32_field_get_len(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + return k1.len; +} + +/* +Convert a bignum from the regular representation to the Montgomery representation. + + Write `a * R mod n` in `aM`. + + The argument a and the outparam aM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void +Hacl_GenericField32_to_field( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *a, + uint32_t *aM +) +{ + uint32_t len1 = Hacl_GenericField32_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + Hacl_Bignum_Montgomery_bn_to_mont_u32(len1, k1.n, k1.mu, k1.r2, a, aM); +} + +/* +Convert a result back from the Montgomery representation to the regular representation. + + Write `aM / R mod n` in `a`, i.e. + Hacl_GenericField32_from_field(k, Hacl_GenericField32_to_field(k, a)) == a % n + + The argument aM and the outparam a are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void +Hacl_GenericField32_from_field( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *a +) +{ + uint32_t len1 = Hacl_GenericField32_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, k1.n, k1.mu, aM, a); +} + +/* +Write `aM + bM mod n` in `cM`. 
+ + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void +Hacl_GenericField32_add( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *bM, + uint32_t *cM +) +{ + uint32_t len1 = Hacl_GenericField32_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + Hacl_Bignum_bn_add_mod_n_u32(len1, k1.n, aM, bM, cM); +} + +/* +Write `aM - bM mod n` to `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void +Hacl_GenericField32_sub( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *bM, + uint32_t *cM +) +{ + uint32_t len1 = Hacl_GenericField32_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + Hacl_Bignum_bn_sub_mod_n_u32(len1, k1.n, aM, bM, cM); +} + +/* +Write `aM * bM mod n` in `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void +Hacl_GenericField32_mul( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *bM, + uint32_t *cM +) +{ + uint32_t len1 = Hacl_GenericField32_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, k1.n, k1.mu, aM, bM, cM); +} + +/* +Write `aM * aM mod n` in `cM`. + + The argument aM and the outparam cM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. 
+*/ +void +Hacl_GenericField32_sqr( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *cM +) +{ + uint32_t len1 = Hacl_GenericField32_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, k1.n, k1.mu, aM, cM); +} + +/* +Convert a bignum `one` to its Montgomery representation. + + The outparam oneM is meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. +*/ +void Hacl_GenericField32_one(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, uint32_t *oneM) +{ + uint32_t len1 = Hacl_GenericField32_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, k1.n, k1.mu, k1.r2, oneM); +} + +/* +Write `aM ^ b mod n` in `resM`. + + The argument aM and the outparam resM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than exp_vartime. + + Before calling this function, the caller will need to ensure that the following + precondition is observed. 
+ • b < pow2 bBits +*/ +void +Hacl_GenericField32_exp_consttime( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t bBits, + uint32_t *b, + uint32_t *resM +) +{ + uint32_t len1 = Hacl_GenericField32_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + KRML_CHECK_SIZE(sizeof (uint32_t), k1.len); + uint32_t *aMc = alloca(k1.len * sizeof (uint32_t)); + memset(aMc, 0U, k1.len * sizeof (uint32_t)); + memcpy(aMc, aM, k1.len * sizeof (uint32_t)); + if (bBits < (uint32_t)200U) + { + Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, k1.n, k1.mu, k1.r2, resM); + uint32_t sw = (uint32_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < bBits; i0++) + { + uint32_t i1 = (bBits - i0 - (uint32_t)1U) / (uint32_t)32U; + uint32_t j = (bBits - i0 - (uint32_t)1U) % (uint32_t)32U; + uint32_t tmp = b[i1]; + uint32_t bit = tmp >> j & (uint32_t)1U; + uint32_t sw1 = bit ^ sw; + for (uint32_t i = (uint32_t)0U; i < len1; i++) + { + uint32_t dummy = ((uint32_t)0U - sw1) & (resM[i] ^ aMc[i]); + resM[i] = resM[i] ^ dummy; + aMc[i] = aMc[i] ^ dummy; + } + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, k1.n, k1.mu, aMc, resM, aMc); + Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, k1.n, k1.mu, resM, resM); + sw = bit; + } + uint32_t sw0 = sw; + for (uint32_t i = (uint32_t)0U; i < len1; i++) + { + uint32_t dummy = ((uint32_t)0U - sw0) & (resM[i] ^ aMc[i]); + resM[i] = resM[i] ^ dummy; + aMc[i] = aMc[i] ^ dummy; + } + } + else + { + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, k1.n, k1.mu, k1.r2, resM); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)16U * len1); + uint32_t *table = alloca((uint32_t)16U * len1 * sizeof (uint32_t)); + memset(table, 0U, (uint32_t)16U * len1 * sizeof (uint32_t)); + memcpy(table, resM, len1 * sizeof (uint32_t)); + uint32_t *t1 = table + len1; + memcpy(t1, aMc, len1 * sizeof 
(uint32_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint32_t *t11 = table + (i + (uint32_t)1U) * len1; + uint32_t *t2 = table + (i + (uint32_t)2U) * len1; + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, k1.n, k1.mu, t11, aMc, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i0 = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)32U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)32U; + uint32_t p1 = b[i0] >> j; + uint32_t ite; + if (i0 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i0 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_c = ite & mask_l; + memcpy(resM, table, len1 * sizeof (uint32_t)); + for (uint32_t i1 = (uint32_t)0U; i1 < (uint32_t)15U; i1++) + { + uint32_t c = FStar_UInt32_eq_mask(bits_c, i1 + (uint32_t)1U); + uint32_t *res_j = table + (i1 + (uint32_t)1U) * len1; + for (uint32_t i = (uint32_t)0U; i < len1; i++) + { + uint32_t *os = resM; + uint32_t x = (c & res_j[i]) | (~c & resM[i]); + os[i] = x; + } + } + } + for (uint32_t i0 = (uint32_t)0U; i0 < bBits / (uint32_t)4U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, k1.n, k1.mu, resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i0 - (uint32_t)4U) / (uint32_t)32U; + uint32_t j = (bk - (uint32_t)4U * i0 - (uint32_t)4U) % (uint32_t)32U; + uint32_t p1 = b[i1] >> j; + uint32_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_l = ite & mask_l; + KRML_CHECK_SIZE(sizeof (uint32_t), len1); + uint32_t *a_bits_l = alloca(len1 * sizeof (uint32_t)); + memset(a_bits_l, 0U, len1 * sizeof (uint32_t)); + memcpy(a_bits_l, table, len1 * sizeof (uint32_t)); + for (uint32_t i2 = 
(uint32_t)0U; i2 < (uint32_t)15U; i2++) + { + uint32_t c = FStar_UInt32_eq_mask(bits_l, i2 + (uint32_t)1U); + uint32_t *res_j = table + (i2 + (uint32_t)1U) * len1; + for (uint32_t i = (uint32_t)0U; i < len1; i++) + { + uint32_t *os = a_bits_l; + uint32_t x = (c & res_j[i]) | (~c & a_bits_l[i]); + os[i] = x; + } + } + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, k1.n, k1.mu, resM, a_bits_l, resM); + } + } +} + +/* +Write `aM ^ b mod n` in `resM`. + + The argument aM and the outparam resM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + exp_consttime function for constant-time variant. + + Before calling this function, the caller will need to ensure that the following + precondition is observed. 
+ • b < pow2 bBits +*/ +void +Hacl_GenericField32_exp_vartime( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t bBits, + uint32_t *b, + uint32_t *resM +) +{ + uint32_t len1 = Hacl_GenericField32_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + KRML_CHECK_SIZE(sizeof (uint32_t), k1.len); + uint32_t *aMc = alloca(k1.len * sizeof (uint32_t)); + memset(aMc, 0U, k1.len * sizeof (uint32_t)); + memcpy(aMc, aM, k1.len * sizeof (uint32_t)); + if (bBits < (uint32_t)200U) + { + Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, k1.n, k1.mu, k1.r2, resM); + for (uint32_t i = (uint32_t)0U; i < bBits; i++) + { + uint32_t i1 = i / (uint32_t)32U; + uint32_t j = i % (uint32_t)32U; + uint32_t tmp = b[i1]; + uint32_t bit = tmp >> j & (uint32_t)1U; + if (!(bit == (uint32_t)0U)) + { + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, k1.n, k1.mu, resM, aMc, resM); + } + Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, k1.n, k1.mu, aMc, aMc); + } + } + else + { + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)32U + (uint32_t)1U; + } + Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, k1.n, k1.mu, k1.r2, resM); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)16U * len1); + uint32_t *table = alloca((uint32_t)16U * len1 * sizeof (uint32_t)); + memset(table, 0U, (uint32_t)16U * len1 * sizeof (uint32_t)); + memcpy(table, resM, len1 * sizeof (uint32_t)); + uint32_t *t1 = table + len1; + memcpy(t1, aMc, len1 * sizeof (uint32_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint32_t *t11 = table + (i + (uint32_t)1U) * len1; + uint32_t *t2 = table + (i + (uint32_t)2U) * len1; + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, k1.n, k1.mu, t11, aMc, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)32U; + uint32_t j = bBits / (uint32_t)4U * 
(uint32_t)4U % (uint32_t)32U; + uint32_t p1 = b[i] >> j; + uint32_t ite; + if (i + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_c = ite & mask_l; + uint32_t bits_l32 = bits_c; + uint32_t *a_bits_l = table + bits_l32 * len1; + memcpy(resM, a_bits_l, len1 * sizeof (uint32_t)); + } + for (uint32_t i = (uint32_t)0U; i < bBits / (uint32_t)4U; i++) + { + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, k1.n, k1.mu, resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint32_t mask_l = (uint32_t)16U - (uint32_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)32U; + uint32_t j = (bk - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)32U; + uint32_t p1 = b[i1] >> j; + uint32_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)32U - j); + } + else + { + ite = p1; + } + uint32_t bits_l = ite & mask_l; + KRML_CHECK_SIZE(sizeof (uint32_t), len1); + uint32_t *a_bits_l = alloca(len1 * sizeof (uint32_t)); + memset(a_bits_l, 0U, len1 * sizeof (uint32_t)); + uint32_t bits_l32 = bits_l; + uint32_t *a_bits_l1 = table + bits_l32 * len1; + memcpy(a_bits_l, a_bits_l1, len1 * sizeof (uint32_t)); + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, k1.n, k1.mu, resM, a_bits_l, resM); + } + } +} + +/* +Write `aM ^ (-1) mod n` in `aInvM`. + + The argument aM and the outparam aInvM are meant to be `len` limbs in size, i.e. uint32_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField32_field_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • n is a prime + • 0 < aM +*/ +void +Hacl_GenericField32_inverse( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, + uint32_t *aM, + uint32_t *aInvM +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + uint32_t len1 = k1.len; + KRML_CHECK_SIZE(sizeof (uint32_t), len1); + uint32_t *n2 = alloca(len1 * sizeof (uint32_t)); + memset(n2, 0U, len1 * sizeof (uint32_t)); + uint32_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32((uint32_t)0U, k1.n[0U], (uint32_t)2U, n2); + uint32_t c1; + if ((uint32_t)1U < len1) + { + uint32_t rLen = len1 - (uint32_t)1U; + uint32_t *a1 = k1.n + (uint32_t)1U; + uint32_t *res1 = n2 + (uint32_t)1U; + uint32_t c = c0; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint32_t t1 = a1[(uint32_t)4U * i]; + uint32_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i0); + uint32_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint32_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t10, (uint32_t)0U, res_i1); + uint32_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint32_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t11, (uint32_t)0U, res_i2); + uint32_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint32_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t12, (uint32_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint32_t t1 = a1[i]; + uint32_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u32(c, t1, (uint32_t)0U, res_i); + } + uint32_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + Hacl_GenericField32_exp_vartime(k, aM, k1.len * (uint32_t)32U, n2, aInvM); +} + diff --git a/src/msvc/Hacl_GenericField64.c b/src/msvc/Hacl_GenericField64.c new file mode 100644 index 00000000..8e4416f0 --- /dev/null +++ b/src/msvc/Hacl_GenericField64.c 
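Review bot: In Hacl_GenericField32_exp_consttime the per-window buffer `a_bits_l` is allocated with `alloca` inside the `for (uint32_t i0 = (uint32_t)0U; i0 < bBits / (uint32_t)4U; i0++)` loop, and alloca storage is only released on function return, so stack use grows by `len1 * sizeof (uint32_t)` per iteration — about `bBits * len1` bytes on top of the 16-entry table, e.g. roughly 512 KiB for a 4096-bit modulus with a 4096-bit exponent (which is exactly what Hacl_GenericField32_inverse requests via `k1.len * (uint32_t)32U`), enough to exhaust a default 1 MiB thread stack at larger sizes when `len` and `bBits` derive from a peer-supplied modulus. Since the buffer is fully rewritten by the `memset`/`memcpy` each iteration, hoisting the two lines `KRML_CHECK_SIZE(sizeof (uint32_t), len1);` and `uint32_t *a_bits_l = alloca(len1 * sizeof (uint32_t));` to just before that loop is behavior-preserving and bounds the stack at one buffer; Hacl_GenericField32_exp_vartime in this hunk has the same in-loop alloca, and the Hacl_GenericField64.c hunk that follows appears to repeat the pattern as far as it is visible. Separately, Hacl_GenericField32_field_init hands both KRML_HOST_CALLOC results straight to memcpy and the context initializer without a NULL check, so unless that macro aborts on failure an allocation failure becomes a NULL dereference rather than a reported error. Hacl_GenericField32_inverse also stores the final borrow into `c1` but never reads it, which is harmless but will likely trip -Wunused-but-set-variable.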
@@ -0,0 +1,591 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_GenericField64.h" + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Bignum.h" + +/******************************************************************************* + +A verified field arithmetic library. + +This is a 64-bit optimized version, where bignums are represented as an array +of `len` unsigned 64-bit integers, i.e. uint64_t[len]. + +All the arithmetic operations are performed in the Montgomery domain. + +All the functions below preserve the following invariant for a bignum `aM` in +Montgomery form. + • aM < n + +*******************************************************************************/ + + +/* +Check whether this library will work for a modulus `n`. 
+ + The function returns false if any of the following preconditions are violated, + true otherwise. + • n % 2 = 1 + • 1 < n +*/ +bool Hacl_GenericField64_field_modulus_check(uint32_t len, uint64_t *n) +{ + uint64_t m = Hacl_Bignum_Montgomery_bn_check_modulus_u64(len, n); + return m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +/* +Heap-allocate and initialize a montgomery context. + + The argument n is meant to be `len` limbs in size, i.e. uint64_t[len]. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. + • n % 2 = 1 + • 1 < n + + The caller will need to call Hacl_GenericField64_field_free on the return value + to avoid memory leaks. +*/ +Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 +*Hacl_GenericField64_field_init(uint32_t len, uint64_t *n) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *r2 = KRML_HOST_CALLOC(len, sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t *n1 = KRML_HOST_CALLOC(len, sizeof (uint64_t)); + uint64_t *r21 = r2; + uint64_t *n11 = n1; + memcpy(n11, n, len * sizeof (uint64_t)); + uint32_t nBits = (uint32_t)64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64(len, n); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64(len, nBits, n, r21); + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 res = { .len = len, .n = n11, .mu = mu, .r2 = r21 }; + KRML_CHECK_SIZE(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64), (uint32_t)1U); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 + *buf = KRML_HOST_MALLOC(sizeof (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64)); + buf[0U] = res; + return buf; +} + +/* +Deallocate the memory previously allocated by Hacl_GenericField64_field_init. + + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. 
+*/ +void Hacl_GenericField64_field_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + uint64_t *n = k1.n; + uint64_t *r2 = k1.r2; + KRML_HOST_FREE(n); + KRML_HOST_FREE(r2); + KRML_HOST_FREE(k); +} + +/* +Return the size of a modulus `n` in limbs. + + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +uint32_t Hacl_GenericField64_field_get_len(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + return k1.len; +} + +/* +Convert a bignum from the regular representation to the Montgomery representation. + + Write `a * R mod n` in `aM`. + + The argument a and the outparam aM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_to_field( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *a, + uint64_t *aM +) +{ + uint32_t len1 = Hacl_GenericField64_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + Hacl_Bignum_Montgomery_bn_to_mont_u64(len1, k1.n, k1.mu, k1.r2, a, aM); +} + +/* +Convert a result back from the Montgomery representation to the regular representation. + + Write `aM / R mod n` in `a`, i.e. + Hacl_GenericField64_from_field(k, Hacl_GenericField64_to_field(k, a)) == a % n + + The argument aM and the outparam a are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_from_field( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *a +) +{ + uint32_t len1 = Hacl_GenericField64_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, k1.n, k1.mu, aM, a); +} + +/* +Write `aM + bM mod n` in `cM`. 
+ + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_add( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *bM, + uint64_t *cM +) +{ + uint32_t len1 = Hacl_GenericField64_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + Hacl_Bignum_bn_add_mod_n_u64(len1, k1.n, aM, bM, cM); +} + +/* +Write `aM - bM mod n` to `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_sub( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *bM, + uint64_t *cM +) +{ + uint32_t len1 = Hacl_GenericField64_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + Hacl_Bignum_bn_sub_mod_n_u64(len1, k1.n, aM, bM, cM); +} + +/* +Write `aM * bM mod n` in `cM`. + + The arguments aM, bM, and the outparam cM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void +Hacl_GenericField64_mul( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *bM, + uint64_t *cM +) +{ + uint32_t len1 = Hacl_GenericField64_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, k1.n, k1.mu, aM, bM, cM); +} + +/* +Write `aM * aM mod n` in `cM`. + + The argument aM and the outparam cM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. 
+*/ +void +Hacl_GenericField64_sqr( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *cM +) +{ + uint32_t len1 = Hacl_GenericField64_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, k1.n, k1.mu, aM, cM); +} + +/* +Convert a bignum `one` to its Montgomery representation. + + The outparam oneM is meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. +*/ +void Hacl_GenericField64_one(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, uint64_t *oneM) +{ + uint32_t len1 = Hacl_GenericField64_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, k1.n, k1.mu, k1.r2, oneM); +} + +/* +Write `aM ^ b mod n` in `resM`. + + The argument aM and the outparam resM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + This function is constant-time over its argument b, at the cost of a slower + execution time than exp_vartime. + + Before calling this function, the caller will need to ensure that the following + precondition is observed. 
+ • b < pow2 bBits +*/ +void +Hacl_GenericField64_exp_consttime( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint32_t bBits, + uint64_t *b, + uint64_t *resM +) +{ + uint32_t len1 = Hacl_GenericField64_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + KRML_CHECK_SIZE(sizeof (uint64_t), k1.len); + uint64_t *aMc = alloca(k1.len * sizeof (uint64_t)); + memset(aMc, 0U, k1.len * sizeof (uint64_t)); + memcpy(aMc, aM, k1.len * sizeof (uint64_t)); + if (bBits < (uint32_t)200U) + { + Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, k1.n, k1.mu, k1.r2, resM); + uint64_t sw = (uint64_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < bBits; i0++) + { + uint32_t i1 = (bBits - i0 - (uint32_t)1U) / (uint32_t)64U; + uint32_t j = (bBits - i0 - (uint32_t)1U) % (uint32_t)64U; + uint64_t tmp = b[i1]; + uint64_t bit = tmp >> j & (uint64_t)1U; + uint64_t sw1 = bit ^ sw; + for (uint32_t i = (uint32_t)0U; i < len1; i++) + { + uint64_t dummy = ((uint64_t)0U - sw1) & (resM[i] ^ aMc[i]); + resM[i] = resM[i] ^ dummy; + aMc[i] = aMc[i] ^ dummy; + } + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, k1.n, k1.mu, aMc, resM, aMc); + Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, k1.n, k1.mu, resM, resM); + sw = bit; + } + uint64_t sw0 = sw; + for (uint32_t i = (uint32_t)0U; i < len1; i++) + { + uint64_t dummy = ((uint64_t)0U - sw0) & (resM[i] ^ aMc[i]); + resM[i] = resM[i] ^ dummy; + aMc[i] = aMc[i] ^ dummy; + } + } + else + { + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, k1.n, k1.mu, k1.r2, resM); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)16U * len1); + uint64_t *table = alloca((uint32_t)16U * len1 * sizeof (uint64_t)); + memset(table, 0U, (uint32_t)16U * len1 * sizeof (uint64_t)); + memcpy(table, resM, len1 * sizeof (uint64_t)); + uint64_t *t1 = table + len1; + memcpy(t1, aMc, len1 * sizeof 
(uint64_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table + (i + (uint32_t)1U) * len1; + uint64_t *t2 = table + (i + (uint32_t)2U) * len1; + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, k1.n, k1.mu, t11, aMc, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i0 = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)64U; + uint32_t j = bBits / (uint32_t)4U * (uint32_t)4U % (uint32_t)64U; + uint64_t p1 = b[i0] >> j; + uint64_t ite; + if (i0 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i0 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_c = ite & mask_l; + memcpy(resM, table, len1 * sizeof (uint64_t)); + for (uint32_t i1 = (uint32_t)0U; i1 < (uint32_t)15U; i1++) + { + uint64_t c = FStar_UInt64_eq_mask(bits_c, (uint64_t)(i1 + (uint32_t)1U)); + uint64_t *res_j = table + (i1 + (uint32_t)1U) * len1; + for (uint32_t i = (uint32_t)0U; i < len1; i++) + { + uint64_t *os = resM; + uint64_t x = (c & res_j[i]) | (~c & resM[i]); + os[i] = x; + } + } + } + for (uint32_t i0 = (uint32_t)0U; i0 < bBits / (uint32_t)4U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, k1.n, k1.mu, resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i0 - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk - (uint32_t)4U * i0 - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = b[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_l = ite & mask_l; + KRML_CHECK_SIZE(sizeof (uint64_t), len1); + uint64_t *a_bits_l = alloca(len1 * sizeof (uint64_t)); + memset(a_bits_l, 0U, len1 * sizeof (uint64_t)); + memcpy(a_bits_l, table, len1 * sizeof (uint64_t)); + for 
(uint32_t i2 = (uint32_t)0U; i2 < (uint32_t)15U; i2++) + { + uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i2 + (uint32_t)1U)); + uint64_t *res_j = table + (i2 + (uint32_t)1U) * len1; + for (uint32_t i = (uint32_t)0U; i < len1; i++) + { + uint64_t *os = a_bits_l; + uint64_t x = (c & res_j[i]) | (~c & a_bits_l[i]); + os[i] = x; + } + } + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, k1.n, k1.mu, resM, a_bits_l, resM); + } + } +} + +/* +Write `aM ^ b mod n` in `resM`. + + The argument aM and the outparam resM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. + + The argument b is a bignum of any size, and bBits is an upper bound on the + number of significant bits of b. A tighter bound results in faster execution + time. When in doubt, the number of bits for the bignum size is always a safe + default, e.g. if b is a 256-bit bignum, bBits should be 256. + + The function is *NOT* constant-time on the argument b. See the + exp_consttime function for constant-time variant. + + Before calling this function, the caller will need to ensure that the following + precondition is observed. 
+ • b < pow2 bBits +*/ +void +Hacl_GenericField64_exp_vartime( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint32_t bBits, + uint64_t *b, + uint64_t *resM +) +{ + uint32_t len1 = Hacl_GenericField64_field_get_len(k); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + KRML_CHECK_SIZE(sizeof (uint64_t), k1.len); + uint64_t *aMc = alloca(k1.len * sizeof (uint64_t)); + memset(aMc, 0U, k1.len * sizeof (uint64_t)); + memcpy(aMc, aM, k1.len * sizeof (uint64_t)); + if (bBits < (uint32_t)200U) + { + Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, k1.n, k1.mu, k1.r2, resM); + for (uint32_t i = (uint32_t)0U; i < bBits; i++) + { + uint32_t i1 = i / (uint32_t)64U; + uint32_t j = i % (uint32_t)64U; + uint64_t tmp = b[i1]; + uint64_t bit = tmp >> j & (uint64_t)1U; + if (!(bit == (uint64_t)0U)) + { + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, k1.n, k1.mu, resM, aMc, resM); + } + Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, k1.n, k1.mu, aMc, aMc); + } + } + else + { + uint32_t bLen; + if (bBits == (uint32_t)0U) + { + bLen = (uint32_t)1U; + } + else + { + bLen = (bBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + } + Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, k1.n, k1.mu, k1.r2, resM); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)16U * len1); + uint64_t *table = alloca((uint32_t)16U * len1 * sizeof (uint64_t)); + memset(table, 0U, (uint32_t)16U * len1 * sizeof (uint64_t)); + memcpy(table, resM, len1 * sizeof (uint64_t)); + uint64_t *t1 = table + len1; + memcpy(t1, aMc, len1 * sizeof (uint64_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)14U; i++) + { + uint64_t *t11 = table + (i + (uint32_t)1U) * len1; + uint64_t *t2 = table + (i + (uint32_t)2U) * len1; + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, k1.n, k1.mu, t11, aMc, t2); + } + if (bBits % (uint32_t)4U != (uint32_t)0U) + { + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i = bBits / (uint32_t)4U * (uint32_t)4U / (uint32_t)64U; + uint32_t j = bBits / (uint32_t)4U * 
(uint32_t)4U % (uint32_t)64U; + uint64_t p1 = b[i] >> j; + uint64_t ite; + if (i + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_c = ite & mask_l; + uint32_t bits_l32 = (uint32_t)bits_c; + uint64_t *a_bits_l = table + bits_l32 * len1; + memcpy(resM, a_bits_l, len1 * sizeof (uint64_t)); + } + for (uint32_t i = (uint32_t)0U; i < bBits / (uint32_t)4U; i++) + { + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, k1.n, k1.mu, resM, resM); + } + uint32_t bk = bBits - bBits % (uint32_t)4U; + uint64_t mask_l = (uint64_t)16U - (uint64_t)1U; + uint32_t i1 = (bk - (uint32_t)4U * i - (uint32_t)4U) / (uint32_t)64U; + uint32_t j = (bk - (uint32_t)4U * i - (uint32_t)4U) % (uint32_t)64U; + uint64_t p1 = b[i1] >> j; + uint64_t ite; + if (i1 + (uint32_t)1U < bLen && (uint32_t)0U < j) + { + ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j); + } + else + { + ite = p1; + } + uint64_t bits_l = ite & mask_l; + KRML_CHECK_SIZE(sizeof (uint64_t), len1); + uint64_t *a_bits_l = alloca(len1 * sizeof (uint64_t)); + memset(a_bits_l, 0U, len1 * sizeof (uint64_t)); + uint32_t bits_l32 = (uint32_t)bits_l; + uint64_t *a_bits_l1 = table + bits_l32 * len1; + memcpy(a_bits_l, a_bits_l1, len1 * sizeof (uint64_t)); + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, k1.n, k1.mu, resM, a_bits_l, resM); + } + } +} + +/* +Write `aM ^ (-1) mod n` in `aInvM`. + + The argument aM and the outparam aInvM are meant to be `len` limbs in size, i.e. uint64_t[len]. + The argument k is a montgomery context obtained through Hacl_GenericField64_field_init. + + Before calling this function, the caller will need to ensure that the following + preconditions are observed. 
+ • n is a prime + • 0 < aM +*/ +void +Hacl_GenericField64_inverse( + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, + uint64_t *aM, + uint64_t *aInvM +) +{ + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + uint32_t len1 = k1.len; + KRML_CHECK_SIZE(sizeof (uint64_t), len1); + uint64_t *n2 = alloca(len1 * sizeof (uint64_t)); + memset(n2, 0U, len1 * sizeof (uint64_t)); + uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, k1.n[0U], (uint64_t)2U, n2); + uint64_t c1; + if ((uint32_t)1U < len1) + { + uint32_t rLen = len1 - (uint32_t)1U; + uint64_t *a1 = k1.n + (uint32_t)1U; + uint64_t *res1 = n2 + (uint32_t)1U; + uint64_t c = c0; + for (uint32_t i = (uint32_t)0U; i < rLen / (uint32_t)4U; i++) + { + uint64_t t1 = a1[(uint32_t)4U * i]; + uint64_t *res_i0 = res1 + (uint32_t)4U * i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i0); + uint64_t t10 = a1[(uint32_t)4U * i + (uint32_t)1U]; + uint64_t *res_i1 = res1 + (uint32_t)4U * i + (uint32_t)1U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, (uint64_t)0U, res_i1); + uint64_t t11 = a1[(uint32_t)4U * i + (uint32_t)2U]; + uint64_t *res_i2 = res1 + (uint32_t)4U * i + (uint32_t)2U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, (uint64_t)0U, res_i2); + uint64_t t12 = a1[(uint32_t)4U * i + (uint32_t)3U]; + uint64_t *res_i = res1 + (uint32_t)4U * i + (uint32_t)3U; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, (uint64_t)0U, res_i); + } + for (uint32_t i = rLen / (uint32_t)4U * (uint32_t)4U; i < rLen; i++) + { + uint64_t t1 = a1[i]; + uint64_t *res_i = res1 + i; + c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i); + } + uint64_t c10 = c; + c1 = c10; + } + else + { + c1 = c0; + } + Hacl_GenericField64_exp_vartime(k, aM, k1.len * (uint32_t)64U, n2, aInvM); +} + diff --git a/src/msvc/Hacl_HKDF.c b/src/msvc/Hacl_HKDF.c new file mode 100644 index 00000000..cea789af --- /dev/null +++ b/src/msvc/Hacl_HKDF.c 
@@ -0,0 +1,272 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_HKDF.h" + + + +void +Hacl_HKDF_expand_sha2_256( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)32U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + uint8_t *text = alloca((tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + memset(text, 0U, (tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + Hacl_HMAC_compute_sha2_256(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + Hacl_HMAC_compute_sha2_256(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + Hacl_HMAC_compute_sha2_256(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + Hacl_HMAC_compute_sha2_256(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } +} + +void +Hacl_HKDF_extract_sha2_256( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + Hacl_HMAC_compute_sha2_256(prk, salt, saltlen, ikm, ikmlen); +} + +void +Hacl_HKDF_expand_sha2_512( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)64U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + uint8_t *text = alloca((tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + memset(text, 0U, (tlen + infolen + 
(uint32_t)1U) * sizeof (uint8_t)); + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + Hacl_HMAC_compute_sha2_512(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + Hacl_HMAC_compute_sha2_512(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + Hacl_HMAC_compute_sha2_512(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + Hacl_HMAC_compute_sha2_512(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } +} + +void +Hacl_HKDF_extract_sha2_512( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + Hacl_HMAC_compute_sha2_512(prk, salt, saltlen, ikm, ikmlen); +} + +void +Hacl_HKDF_expand_blake2s_32( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)32U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + uint8_t *text = alloca((tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + memset(text, 0U, (tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + Hacl_HMAC_compute_blake2s_32(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + Hacl_HMAC_compute_blake2s_32(tag, prk, prklen, 
text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + Hacl_HMAC_compute_blake2s_32(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + Hacl_HMAC_compute_blake2s_32(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + uint8_t *block = okm + n * tlen; + memcpy(block, tag, (len - n * tlen) * sizeof (uint8_t)); + } +} + +void +Hacl_HKDF_extract_blake2s_32( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + Hacl_HMAC_compute_blake2s_32(prk, salt, saltlen, ikm, ikmlen); +} + +void +Hacl_HKDF_expand_blake2b_32( + uint8_t *okm, + uint8_t *prk, + uint32_t prklen, + uint8_t *info, + uint32_t infolen, + uint32_t len +) +{ + uint32_t tlen = (uint32_t)64U; + uint32_t n = len / tlen; + uint8_t *output = okm; + KRML_CHECK_SIZE(sizeof (uint8_t), tlen + infolen + (uint32_t)1U); + uint8_t *text = alloca((tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + memset(text, 0U, (tlen + infolen + (uint32_t)1U) * sizeof (uint8_t)); + uint8_t *text0 = text + tlen; + uint8_t *tag = text; + uint8_t *ctr = text + tlen + infolen; + memcpy(text + tlen, info, infolen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + ctr[0U] = (uint8_t)(i + (uint32_t)1U); + if (i == (uint32_t)0U) + { + Hacl_HMAC_compute_blake2b_32(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + Hacl_HMAC_compute_blake2b_32(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + memcpy(output + i * tlen, tag, tlen * sizeof (uint8_t)); + } + if (n * tlen < len) + { + ctr[0U] = (uint8_t)(n + (uint32_t)1U); + if (n == (uint32_t)0U) + { + Hacl_HMAC_compute_blake2b_32(tag, prk, prklen, text0, infolen + (uint32_t)1U); + } + else + { + Hacl_HMAC_compute_blake2b_32(tag, prk, prklen, text, tlen + infolen + (uint32_t)1U); + } + uint8_t *block = okm + n * tlen; + memcpy(block, tag, 
(len - n * tlen) * sizeof (uint8_t)); + } +} + +void +Hacl_HKDF_extract_blake2b_32( + uint8_t *prk, + uint8_t *salt, + uint32_t saltlen, + uint8_t *ikm, + uint32_t ikmlen +) +{ + Hacl_HMAC_compute_blake2b_32(prk, salt, saltlen, ikm, ikmlen); +} + diff --git a/src/msvc/Hacl_HMAC.c b/src/msvc/Hacl_HMAC.c new file mode 100644 index 00000000..160d153c --- /dev/null +++ b/src/msvc/Hacl_HMAC.c 
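Review bot: The output-length precondition of HKDF-Expand is not documented anywhere in Hacl_HKDF_expand_sha2_256: the block counter is written as `ctr[0U] = (uint8_t)(i + (uint32_t)1U);`, so for `len` above 255 * 32 bytes the counter byte wraps and later blocks repeat earlier ones instead of following RFC 5869, which limits L to 255 * HashLen. The same pattern appears in Hacl_HKDF_expand_sha2_512, Hacl_HKDF_expand_blake2s_32 and Hacl_HKDF_expand_blake2b_32 in this hunk. This bound is presumably enforced as a precondition in the F* specification the code was extracted from, but a caller of the C API only sees this file, so each expand function would benefit from a header comment such as `/* Precondition (RFC 5869 §2.3): len <= 255 * tlen, where tlen is the hash output length (32 here); the counter byte ctr[0] would otherwise wrap. */`. The same comment could also note that `text` is an `alloca` of `tlen + infolen + 1` bytes, so the stack frame grows with the size of `info`.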
@@ -0,0 +1,769 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_HMAC.h" + +#include "internal/Hacl_Hash_SHA2.h" +#include "internal/Hacl_Hash_SHA1.h" +#include "internal/Hacl_Hash_Blake2.h" + +void +Hacl_HMAC_legacy_compute_sha1( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)64U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *key_block = alloca(l * sizeof (uint8_t)); + memset(key_block, 0U, l * sizeof (uint8_t)); + uint32_t i0; + if (key_len <= (uint32_t)64U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)20U; + } + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)64U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_SHA1_legacy_hash(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *ipad = alloca(l * sizeof (uint8_t)); + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *opad = alloca(l * sizeof (uint8_t)); + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + uint32_t + scrut[5U] = + { + (uint32_t)0x67452301U, (uint32_t)0xefcdab89U, (uint32_t)0x98badcfeU, (uint32_t)0x10325476U, + (uint32_t)0xc3d2e1f0U + }; + uint32_t *s = scrut; + uint8_t *dst1 = ipad; + Hacl_Hash_Core_SHA1_legacy_init(s); + if (data_len == (uint32_t)0U) + { + Hacl_Hash_SHA1_legacy_update_last(s, (uint64_t)0U, ipad, (uint32_t)64U); + } + else + { + Hacl_Hash_SHA1_legacy_update_multi(s, ipad, (uint32_t)1U); + Hacl_Hash_SHA1_legacy_update_last(s, (uint64_t)(uint32_t)64U, data, data_len); + } + Hacl_Hash_Core_SHA1_legacy_finish(s, dst1); + uint8_t *hash1 = ipad; + Hacl_Hash_Core_SHA1_legacy_init(s); + if ((uint32_t)20U == (uint32_t)0U) + { + Hacl_Hash_SHA1_legacy_update_last(s, 
(uint64_t)0U, opad, (uint32_t)64U); + } + else + { + Hacl_Hash_SHA1_legacy_update_multi(s, opad, (uint32_t)1U); + Hacl_Hash_SHA1_legacy_update_last(s, (uint64_t)(uint32_t)64U, hash1, (uint32_t)20U); + } + Hacl_Hash_Core_SHA1_legacy_finish(s, dst); +} + +void +Hacl_HMAC_compute_sha2_256( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)64U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *key_block = alloca(l * sizeof (uint8_t)); + memset(key_block, 0U, l * sizeof (uint8_t)); + uint32_t i0; + if (key_len <= (uint32_t)64U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)32U; + } + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)64U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_SHA2_hash_256(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *ipad = alloca(l * sizeof (uint8_t)); + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *opad = alloca(l * sizeof (uint8_t)); + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + uint32_t + scrut[8U] = + { + (uint32_t)0x6a09e667U, (uint32_t)0xbb67ae85U, (uint32_t)0x3c6ef372U, (uint32_t)0xa54ff53aU, + (uint32_t)0x510e527fU, (uint32_t)0x9b05688cU, (uint32_t)0x1f83d9abU, (uint32_t)0x5be0cd19U + }; + uint32_t *s = scrut; + uint8_t *dst1 = ipad; + Hacl_Hash_Core_SHA2_init_256(s); + if (data_len == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_256(s, (uint64_t)0U, ipad, (uint32_t)64U); + } + else + { + Hacl_Hash_SHA2_update_multi_256(s, ipad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_256(s, (uint64_t)(uint32_t)64U, data, data_len); + } + Hacl_Hash_Core_SHA2_finish_256(s, dst1); + uint8_t 
*hash1 = ipad; + Hacl_Hash_Core_SHA2_init_256(s); + if ((uint32_t)32U == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_256(s, (uint64_t)0U, opad, (uint32_t)64U); + } + else + { + Hacl_Hash_SHA2_update_multi_256(s, opad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_256(s, (uint64_t)(uint32_t)64U, hash1, (uint32_t)32U); + } + Hacl_Hash_Core_SHA2_finish_256(s, dst); +} + +void +Hacl_HMAC_compute_sha2_384( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)128U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *key_block = alloca(l * sizeof (uint8_t)); + memset(key_block, 0U, l * sizeof (uint8_t)); + uint32_t i0; + if (key_len <= (uint32_t)128U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)48U; + } + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)128U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_SHA2_hash_384(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *ipad = alloca(l * sizeof (uint8_t)); + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *opad = alloca(l * sizeof (uint8_t)); + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + uint64_t + scrut[8U] = + { + (uint64_t)0xcbbb9d5dc1059ed8U, (uint64_t)0x629a292a367cd507U, (uint64_t)0x9159015a3070dd17U, + (uint64_t)0x152fecd8f70e5939U, (uint64_t)0x67332667ffc00b31U, (uint64_t)0x8eb44a8768581511U, + (uint64_t)0xdb0c2e0d64f98fa7U, (uint64_t)0x47b5481dbefa4fa4U + }; + uint64_t *s = scrut; + uint8_t *dst1 = ipad; + Hacl_Hash_Core_SHA2_init_384(s); + if (data_len == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_384(s, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + ipad, 
+ (uint32_t)128U); + } + else + { + Hacl_Hash_SHA2_update_multi_384(s, ipad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_384(s, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + data, + data_len); + } + Hacl_Hash_Core_SHA2_finish_384(s, dst1); + uint8_t *hash1 = ipad; + Hacl_Hash_Core_SHA2_init_384(s); + if ((uint32_t)48U == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_384(s, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + opad, + (uint32_t)128U); + } + else + { + Hacl_Hash_SHA2_update_multi_384(s, opad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_384(s, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + hash1, + (uint32_t)48U); + } + Hacl_Hash_Core_SHA2_finish_384(s, dst); +} + +void +Hacl_HMAC_compute_sha2_512( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)128U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *key_block = alloca(l * sizeof (uint8_t)); + memset(key_block, 0U, l * sizeof (uint8_t)); + uint32_t i0; + if (key_len <= (uint32_t)128U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)64U; + } + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)128U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_SHA2_hash_512(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *ipad = alloca(l * sizeof (uint8_t)); + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *opad = alloca(l * sizeof (uint8_t)); + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + uint64_t + scrut[8U] = + { + (uint64_t)0x6a09e667f3bcc908U, (uint64_t)0xbb67ae8584caa73bU, (uint64_t)0x3c6ef372fe94f82bU, + 
(uint64_t)0xa54ff53a5f1d36f1U, (uint64_t)0x510e527fade682d1U, (uint64_t)0x9b05688c2b3e6c1fU, + (uint64_t)0x1f83d9abfb41bd6bU, (uint64_t)0x5be0cd19137e2179U + }; + uint64_t *s = scrut; + uint8_t *dst1 = ipad; + Hacl_Hash_Core_SHA2_init_512(s); + if (data_len == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_512(s, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + ipad, + (uint32_t)128U); + } + else + { + Hacl_Hash_SHA2_update_multi_512(s, ipad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_512(s, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + data, + data_len); + } + Hacl_Hash_Core_SHA2_finish_512(s, dst1); + uint8_t *hash1 = ipad; + Hacl_Hash_Core_SHA2_init_512(s); + if ((uint32_t)64U == (uint32_t)0U) + { + Hacl_Hash_SHA2_update_last_512(s, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + opad, + (uint32_t)128U); + } + else + { + Hacl_Hash_SHA2_update_multi_512(s, opad, (uint32_t)1U); + Hacl_Hash_SHA2_update_last_512(s, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + hash1, + (uint32_t)64U); + } + Hacl_Hash_Core_SHA2_finish_512(s, dst); +} + +void +Hacl_HMAC_compute_blake2s_32( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)64U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *key_block = alloca(l * sizeof (uint8_t)); + memset(key_block, 0U, l * sizeof (uint8_t)); + uint32_t i0; + if (key_len <= (uint32_t)64U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)32U; + } + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)64U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_Blake2_hash_blake2s_32(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *ipad = alloca(l * sizeof (uint8_t)); + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); 
+ uint8_t *opad = alloca(l * sizeof (uint8_t)); + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + uint32_t s[16U] = { 0U }; + uint32_t *r00 = s + (uint32_t)0U * (uint32_t)4U; + uint32_t *r10 = s + (uint32_t)1U * (uint32_t)4U; + uint32_t *r20 = s + (uint32_t)2U * (uint32_t)4U; + uint32_t *r30 = s + (uint32_t)3U * (uint32_t)4U; + uint32_t iv00 = Hacl_Impl_Blake2_Constants_ivTable_S[0U]; + uint32_t iv10 = Hacl_Impl_Blake2_Constants_ivTable_S[1U]; + uint32_t iv20 = Hacl_Impl_Blake2_Constants_ivTable_S[2U]; + uint32_t iv30 = Hacl_Impl_Blake2_Constants_ivTable_S[3U]; + uint32_t iv40 = Hacl_Impl_Blake2_Constants_ivTable_S[4U]; + uint32_t iv50 = Hacl_Impl_Blake2_Constants_ivTable_S[5U]; + uint32_t iv60 = Hacl_Impl_Blake2_Constants_ivTable_S[6U]; + uint32_t iv70 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; + r20[0U] = iv00; + r20[1U] = iv10; + r20[2U] = iv20; + r20[3U] = iv30; + r30[0U] = iv40; + r30[1U] = iv50; + r30[2U] = iv60; + r30[3U] = iv70; + uint32_t kk_shift_80 = (uint32_t)0U; + uint32_t iv0_ = iv00 ^ ((uint32_t)0x01010000U ^ (kk_shift_80 ^ (uint32_t)32U)); + r00[0U] = iv0_; + r00[1U] = iv10; + r00[2U] = iv20; + r00[3U] = iv30; + r10[0U] = iv40; + r10[1U] = iv50; + r10[2U] = iv60; + r10[3U] = iv70; + uint64_t es = (uint64_t)0U; + K____uint32_t__uint64_t scrut = { .fst = s, .snd = es }; + uint32_t *s0 = scrut.fst; + uint8_t *dst1 = ipad; + uint32_t *r01 = s0 + (uint32_t)0U * (uint32_t)4U; + uint32_t *r11 = s0 + (uint32_t)1U * (uint32_t)4U; + uint32_t *r21 = s0 + (uint32_t)2U * (uint32_t)4U; + uint32_t *r31 = s0 + (uint32_t)3U * (uint32_t)4U; + uint32_t iv01 = Hacl_Impl_Blake2_Constants_ivTable_S[0U]; + uint32_t iv11 = Hacl_Impl_Blake2_Constants_ivTable_S[1U]; + uint32_t iv21 = Hacl_Impl_Blake2_Constants_ivTable_S[2U]; + uint32_t iv31 = Hacl_Impl_Blake2_Constants_ivTable_S[3U]; + uint32_t iv41 = Hacl_Impl_Blake2_Constants_ivTable_S[4U]; 
+ uint32_t iv51 = Hacl_Impl_Blake2_Constants_ivTable_S[5U]; + uint32_t iv61 = Hacl_Impl_Blake2_Constants_ivTable_S[6U]; + uint32_t iv71 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; + r21[0U] = iv01; + r21[1U] = iv11; + r21[2U] = iv21; + r21[3U] = iv31; + r31[0U] = iv41; + r31[1U] = iv51; + r31[2U] = iv61; + r31[3U] = iv71; + uint32_t kk_shift_81 = (uint32_t)0U; + uint32_t iv0_0 = iv01 ^ ((uint32_t)0x01010000U ^ (kk_shift_81 ^ (uint32_t)32U)); + r01[0U] = iv0_0; + r01[1U] = iv11; + r01[2U] = iv21; + r01[3U] = iv31; + r11[0U] = iv41; + r11[1U] = iv51; + r11[2U] = iv61; + r11[3U] = iv71; + uint64_t ev = (uint64_t)0U; + uint64_t ev10; + if (data_len == (uint32_t)0U) + { + uint64_t + ev1 = Hacl_Hash_Blake2_update_last_blake2s_32(s0, ev, (uint64_t)0U, ipad, (uint32_t)64U); + ev10 = ev1; + } + else + { + uint64_t ev1 = Hacl_Hash_Blake2_update_multi_blake2s_32(s0, ev, ipad, (uint32_t)1U); + uint64_t + ev2 = Hacl_Hash_Blake2_update_last_blake2s_32(s0, ev1, (uint64_t)(uint32_t)64U, data, data_len); + ev10 = ev2; + } + Hacl_Hash_Core_Blake2_finish_blake2s_32(s0, ev10, dst1); + uint8_t *hash1 = ipad; + uint32_t *r0 = s0 + (uint32_t)0U * (uint32_t)4U; + uint32_t *r1 = s0 + (uint32_t)1U * (uint32_t)4U; + uint32_t *r2 = s0 + (uint32_t)2U * (uint32_t)4U; + uint32_t *r3 = s0 + (uint32_t)3U * (uint32_t)4U; + uint32_t iv0 = Hacl_Impl_Blake2_Constants_ivTable_S[0U]; + uint32_t iv1 = Hacl_Impl_Blake2_Constants_ivTable_S[1U]; + uint32_t iv2 = Hacl_Impl_Blake2_Constants_ivTable_S[2U]; + uint32_t iv3 = Hacl_Impl_Blake2_Constants_ivTable_S[3U]; + uint32_t iv4 = Hacl_Impl_Blake2_Constants_ivTable_S[4U]; + uint32_t iv5 = Hacl_Impl_Blake2_Constants_ivTable_S[5U]; + uint32_t iv6 = Hacl_Impl_Blake2_Constants_ivTable_S[6U]; + uint32_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + uint32_t kk_shift_8 = (uint32_t)0U; + uint32_t iv0_1 = iv0 ^ ((uint32_t)0x01010000U ^ 
(kk_shift_8 ^ (uint32_t)32U)); + r0[0U] = iv0_1; + r0[1U] = iv1; + r0[2U] = iv2; + r0[3U] = iv3; + r1[0U] = iv4; + r1[1U] = iv5; + r1[2U] = iv6; + r1[3U] = iv7; + uint64_t ev0 = (uint64_t)0U; + uint64_t ev11; + if ((uint32_t)32U == (uint32_t)0U) + { + uint64_t + ev1 = Hacl_Hash_Blake2_update_last_blake2s_32(s0, ev0, (uint64_t)0U, opad, (uint32_t)64U); + ev11 = ev1; + } + else + { + uint64_t ev1 = Hacl_Hash_Blake2_update_multi_blake2s_32(s0, ev0, opad, (uint32_t)1U); + uint64_t + ev2 = + Hacl_Hash_Blake2_update_last_blake2s_32(s0, + ev1, + (uint64_t)(uint32_t)64U, + hash1, + (uint32_t)32U); + ev11 = ev2; + } + Hacl_Hash_Core_Blake2_finish_blake2s_32(s0, ev11, dst); +} + +void +Hacl_HMAC_compute_blake2b_32( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint32_t l = (uint32_t)128U; + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *key_block = alloca(l * sizeof (uint8_t)); + memset(key_block, 0U, l * sizeof (uint8_t)); + uint32_t i0; + if (key_len <= (uint32_t)128U) + { + i0 = key_len; + } + else + { + i0 = (uint32_t)64U; + } + uint8_t *nkey = key_block; + if (key_len <= (uint32_t)128U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_Blake2_hash_blake2b_32(key, key_len, nkey); + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *ipad = alloca(l * sizeof (uint8_t)); + memset(ipad, (uint8_t)0x36U, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = xi ^ yi; + } + KRML_CHECK_SIZE(sizeof (uint8_t), l); + uint8_t *opad = alloca(l * sizeof (uint8_t)); + memset(opad, (uint8_t)0x5cU, l * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < l; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = xi ^ yi; + } + uint64_t s[16U] = { 0U }; + uint64_t *r00 = s + (uint32_t)0U * (uint32_t)4U; + uint64_t *r10 = s + (uint32_t)1U * (uint32_t)4U; + uint64_t *r20 = s + (uint32_t)2U * 
(uint32_t)4U; + uint64_t *r30 = s + (uint32_t)3U * (uint32_t)4U; + uint64_t iv00 = Hacl_Impl_Blake2_Constants_ivTable_B[0U]; + uint64_t iv10 = Hacl_Impl_Blake2_Constants_ivTable_B[1U]; + uint64_t iv20 = Hacl_Impl_Blake2_Constants_ivTable_B[2U]; + uint64_t iv30 = Hacl_Impl_Blake2_Constants_ivTable_B[3U]; + uint64_t iv40 = Hacl_Impl_Blake2_Constants_ivTable_B[4U]; + uint64_t iv50 = Hacl_Impl_Blake2_Constants_ivTable_B[5U]; + uint64_t iv60 = Hacl_Impl_Blake2_Constants_ivTable_B[6U]; + uint64_t iv70 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; + r20[0U] = iv00; + r20[1U] = iv10; + r20[2U] = iv20; + r20[3U] = iv30; + r30[0U] = iv40; + r30[1U] = iv50; + r30[2U] = iv60; + r30[3U] = iv70; + uint64_t kk_shift_80 = (uint64_t)(uint32_t)0U << (uint32_t)8U; + uint64_t iv0_ = iv00 ^ ((uint64_t)0x01010000U ^ (kk_shift_80 ^ (uint64_t)(uint32_t)64U)); + r00[0U] = iv0_; + r00[1U] = iv10; + r00[2U] = iv20; + r00[3U] = iv30; + r10[0U] = iv40; + r10[1U] = iv50; + r10[2U] = iv60; + r10[3U] = iv70; + FStar_UInt128_uint128 es = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + K____uint64_t__FStar_UInt128_uint128 scrut = { .fst = s, .snd = es }; + uint64_t *s0 = scrut.fst; + uint8_t *dst1 = ipad; + uint64_t *r01 = s0 + (uint32_t)0U * (uint32_t)4U; + uint64_t *r11 = s0 + (uint32_t)1U * (uint32_t)4U; + uint64_t *r21 = s0 + (uint32_t)2U * (uint32_t)4U; + uint64_t *r31 = s0 + (uint32_t)3U * (uint32_t)4U; + uint64_t iv01 = Hacl_Impl_Blake2_Constants_ivTable_B[0U]; + uint64_t iv11 = Hacl_Impl_Blake2_Constants_ivTable_B[1U]; + uint64_t iv21 = Hacl_Impl_Blake2_Constants_ivTable_B[2U]; + uint64_t iv31 = Hacl_Impl_Blake2_Constants_ivTable_B[3U]; + uint64_t iv41 = Hacl_Impl_Blake2_Constants_ivTable_B[4U]; + uint64_t iv51 = Hacl_Impl_Blake2_Constants_ivTable_B[5U]; + uint64_t iv61 = Hacl_Impl_Blake2_Constants_ivTable_B[6U]; + uint64_t iv71 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; + r21[0U] = iv01; + r21[1U] = iv11; + r21[2U] = iv21; + r21[3U] = iv31; + r31[0U] = iv41; + r31[1U] = iv51; + r31[2U] = 
iv61; + r31[3U] = iv71; + uint64_t kk_shift_81 = (uint64_t)(uint32_t)0U << (uint32_t)8U; + uint64_t iv0_0 = iv01 ^ ((uint64_t)0x01010000U ^ (kk_shift_81 ^ (uint64_t)(uint32_t)64U)); + r01[0U] = iv0_0; + r01[1U] = iv11; + r01[2U] = iv21; + r01[3U] = iv31; + r11[0U] = iv41; + r11[1U] = iv51; + r11[2U] = iv61; + r11[3U] = iv71; + FStar_UInt128_uint128 ev = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + FStar_UInt128_uint128 ev10; + if (data_len == (uint32_t)0U) + { + FStar_UInt128_uint128 + ev1 = + Hacl_Hash_Blake2_update_last_blake2b_32(s0, + ev, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + ipad, + (uint32_t)128U); + ev10 = ev1; + } + else + { + FStar_UInt128_uint128 + ev1 = Hacl_Hash_Blake2_update_multi_blake2b_32(s0, ev, ipad, (uint32_t)1U); + FStar_UInt128_uint128 + ev2 = + Hacl_Hash_Blake2_update_last_blake2b_32(s0, + ev1, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + data, + data_len); + ev10 = ev2; + } + Hacl_Hash_Core_Blake2_finish_blake2b_32(s0, ev10, dst1); + uint8_t *hash1 = ipad; + uint64_t *r0 = s0 + (uint32_t)0U * (uint32_t)4U; + uint64_t *r1 = s0 + (uint32_t)1U * (uint32_t)4U; + uint64_t *r2 = s0 + (uint32_t)2U * (uint32_t)4U; + uint64_t *r3 = s0 + (uint32_t)3U * (uint32_t)4U; + uint64_t iv0 = Hacl_Impl_Blake2_Constants_ivTable_B[0U]; + uint64_t iv1 = Hacl_Impl_Blake2_Constants_ivTable_B[1U]; + uint64_t iv2 = Hacl_Impl_Blake2_Constants_ivTable_B[2U]; + uint64_t iv3 = Hacl_Impl_Blake2_Constants_ivTable_B[3U]; + uint64_t iv4 = Hacl_Impl_Blake2_Constants_ivTable_B[4U]; + uint64_t iv5 = Hacl_Impl_Blake2_Constants_ivTable_B[5U]; + uint64_t iv6 = Hacl_Impl_Blake2_Constants_ivTable_B[6U]; + uint64_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + uint64_t kk_shift_8 = (uint64_t)(uint32_t)0U << (uint32_t)8U; + uint64_t iv0_1 = iv0 ^ ((uint64_t)0x01010000U ^ (kk_shift_8 ^ (uint64_t)(uint32_t)64U)); + r0[0U] = 
iv0_1; + r0[1U] = iv1; + r0[2U] = iv2; + r0[3U] = iv3; + r1[0U] = iv4; + r1[1U] = iv5; + r1[2U] = iv6; + r1[3U] = iv7; + FStar_UInt128_uint128 ev0 = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + FStar_UInt128_uint128 ev11; + if ((uint32_t)64U == (uint32_t)0U) + { + FStar_UInt128_uint128 + ev1 = + Hacl_Hash_Blake2_update_last_blake2b_32(s0, + ev0, + FStar_UInt128_uint64_to_uint128((uint64_t)0U), + opad, + (uint32_t)128U); + ev11 = ev1; + } + else + { + FStar_UInt128_uint128 + ev1 = Hacl_Hash_Blake2_update_multi_blake2b_32(s0, ev0, opad, (uint32_t)1U); + FStar_UInt128_uint128 + ev2 = + Hacl_Hash_Blake2_update_last_blake2b_32(s0, + ev1, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U), + hash1, + (uint32_t)64U); + ev11 = ev2; + } + Hacl_Hash_Core_Blake2_finish_blake2b_32(s0, ev11, dst); +} + diff --git a/src/msvc/Hacl_HMAC_DRBG.c b/src/msvc/Hacl_HMAC_DRBG.c new file mode 100644 index 00000000..b213572d --- /dev/null +++ b/src/msvc/Hacl_HMAC_DRBG.c 
@@ -0,0 +1,1055 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_HMAC_DRBG.h" + + + +uint32_t Hacl_HMAC_DRBG_reseed_interval = (uint32_t)1024U; + +uint32_t Hacl_HMAC_DRBG_max_output_length = (uint32_t)65536U; + +uint32_t Hacl_HMAC_DRBG_max_length = (uint32_t)65536U; + +uint32_t Hacl_HMAC_DRBG_max_personalization_string_length = (uint32_t)65536U; + +uint32_t Hacl_HMAC_DRBG_max_additional_input_length = (uint32_t)65536U; + +uint32_t Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + return (uint32_t)16U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_SHA2_384: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return (uint32_t)32U; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +bool +Hacl_HMAC_DRBG_uu___is_State(Spec_Hash_Definitions_hash_alg a, Hacl_HMAC_DRBG_state projectee) +{ + return true; +} + +Hacl_HMAC_DRBG_state Hacl_HMAC_DRBG_create_in(Spec_Hash_Definitions_hash_alg a) +{ + uint8_t *k; + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + uint8_t *buf = KRML_HOST_CALLOC((uint32_t)20U, sizeof (uint8_t)); + k = buf; + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + uint8_t *buf = KRML_HOST_CALLOC((uint32_t)32U, sizeof (uint8_t)); + k = buf; + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + uint8_t *buf = KRML_HOST_CALLOC((uint32_t)48U, sizeof (uint8_t)); + k = buf; + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + uint8_t *buf = KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); + k = buf; + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + uint8_t *v; + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + uint8_t *buf = KRML_HOST_CALLOC((uint32_t)20U, sizeof (uint8_t)); + v = buf; + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + 
uint8_t *buf = KRML_HOST_CALLOC((uint32_t)32U, sizeof (uint8_t)); + v = buf; + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + uint8_t *buf = KRML_HOST_CALLOC((uint32_t)48U, sizeof (uint8_t)); + v = buf; + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + uint8_t *buf = KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); + v = buf; + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + uint32_t *ctr = KRML_HOST_MALLOC(sizeof (uint32_t)); + ctr[0U] = (uint32_t)1U; + return ((Hacl_HMAC_DRBG_state){ .k = k, .v = v, .reseed_counter = ctr }); +} + +void +Hacl_HMAC_DRBG_instantiate( + Spec_Hash_Definitions_hash_alg a, + Hacl_HMAC_DRBG_state st, + uint32_t entropy_input_len, + uint8_t *entropy_input, + uint32_t nonce_len, + uint8_t *nonce, + uint32_t personalization_string_len, + uint8_t *personalization_string +) +{ + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + KRML_CHECK_SIZE(sizeof (uint8_t), + entropy_input_len + nonce_len + personalization_string_len); + uint8_t + *seed_material = + alloca((entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memset(seed_material, + 0U, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, nonce, nonce_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len + nonce_len, + personalization_string, + personalization_string_len * sizeof (uint8_t)); + uint8_t *k = st.k; + uint8_t *v = st.v; + uint32_t *ctr = st.reseed_counter; + memset(k, 0U, (uint32_t)20U * sizeof (uint8_t)); + memset(v, (uint8_t)1U, (uint32_t)20U * sizeof (uint8_t)); + ctr[0U] = (uint32_t)1U; + uint32_t + input_len = (uint32_t)21U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = 
alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)21U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input0[20U] = (uint8_t)0U; + Hacl_HMAC_legacy_compute_sha1(k_, k, (uint32_t)20U, input0, input_len); + Hacl_HMAC_legacy_compute_sha1(v, k_, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)21U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)21U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input[20U] = (uint8_t)1U; + Hacl_HMAC_legacy_compute_sha1(k_0, k, (uint32_t)20U, input, input_len0); + Hacl_HMAC_legacy_compute_sha1(v, k_0, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_0, (uint32_t)20U * sizeof (uint8_t)); + } + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + KRML_CHECK_SIZE(sizeof (uint8_t), + entropy_input_len + nonce_len + personalization_string_len); + uint8_t + *seed_material = + alloca((entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memset(seed_material, + 0U, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + 
entropy_input_len, nonce, nonce_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len + nonce_len, + personalization_string, + personalization_string_len * sizeof (uint8_t)); + uint8_t *k = st.k; + uint8_t *v = st.v; + uint32_t *ctr = st.reseed_counter; + memset(k, 0U, (uint32_t)32U * sizeof (uint8_t)); + memset(v, (uint8_t)1U, (uint32_t)32U * sizeof (uint8_t)); + ctr[0U] = (uint32_t)1U; + uint32_t + input_len = (uint32_t)33U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)33U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input0[32U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_256(k_, k, (uint32_t)32U, input0, input_len); + Hacl_HMAC_compute_sha2_256(v, k_, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)33U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)33U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input[32U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_256(k_0, k, (uint32_t)32U, input, input_len0); + Hacl_HMAC_compute_sha2_256(v, k_0, (uint32_t)32U, v, 
(uint32_t)32U); + memcpy(k, k_0, (uint32_t)32U * sizeof (uint8_t)); + } + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + KRML_CHECK_SIZE(sizeof (uint8_t), + entropy_input_len + nonce_len + personalization_string_len); + uint8_t + *seed_material = + alloca((entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memset(seed_material, + 0U, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, nonce, nonce_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len + nonce_len, + personalization_string, + personalization_string_len * sizeof (uint8_t)); + uint8_t *k = st.k; + uint8_t *v = st.v; + uint32_t *ctr = st.reseed_counter; + memset(k, 0U, (uint32_t)48U * sizeof (uint8_t)); + memset(v, (uint8_t)1U, (uint32_t)48U * sizeof (uint8_t)); + ctr[0U] = (uint32_t)1U; + uint32_t + input_len = (uint32_t)49U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)49U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input0[48U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_384(k_, k, (uint32_t)48U, input0, input_len); + Hacl_HMAC_compute_sha2_384(v, k_, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)49U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t 
*input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)49U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input[48U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_384(k_0, k, (uint32_t)48U, input, input_len0); + Hacl_HMAC_compute_sha2_384(v, k_0, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_0, (uint32_t)48U * sizeof (uint8_t)); + } + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + KRML_CHECK_SIZE(sizeof (uint8_t), + entropy_input_len + nonce_len + personalization_string_len); + uint8_t + *seed_material = + alloca((entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memset(seed_material, + 0U, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, nonce, nonce_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len + nonce_len, + personalization_string, + personalization_string_len * sizeof (uint8_t)); + uint8_t *k = st.k; + uint8_t *v = st.v; + uint32_t *ctr = st.reseed_counter; + memset(k, 0U, (uint32_t)64U * sizeof (uint8_t)); + memset(v, (uint8_t)1U, (uint32_t)64U * sizeof (uint8_t)); + ctr[0U] = (uint32_t)1U; + uint32_t + input_len = (uint32_t)65U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)65U, + seed_material, + 
(entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input0[64U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_512(k_, k, (uint32_t)64U, input0, input_len); + Hacl_HMAC_compute_sha2_512(v, k_, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + uint32_t + input_len0 = (uint32_t)65U + entropy_input_len + nonce_len + personalization_string_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + nonce_len + personalization_string_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)65U, + seed_material, + (entropy_input_len + nonce_len + personalization_string_len) * sizeof (uint8_t)); + } + input[64U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_512(k_0, k, (uint32_t)64U, input, input_len0); + Hacl_HMAC_compute_sha2_512(v, k_0, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_0, (uint32_t)64U * sizeof (uint8_t)); + } + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +void +Hacl_HMAC_DRBG_reseed( + Spec_Hash_Definitions_hash_alg a, + Hacl_HMAC_DRBG_state st, + uint32_t entropy_input_len, + uint8_t *entropy_input, + uint32_t additional_input_input_len, + uint8_t *additional_input_input +) +{ + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + additional_input_input_len); + uint8_t + *seed_material = alloca((entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + memset(seed_material, + 0U, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + 
memcpy(seed_material + entropy_input_len, + additional_input_input, + additional_input_input_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state uu____0 = st; + uint8_t *k = uu____0.k; + uint8_t *v = uu____0.v; + uint32_t *ctr = uu____0.reseed_counter; + uint32_t input_len = (uint32_t)21U + entropy_input_len + additional_input_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)21U, + seed_material, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + } + input0[20U] = (uint8_t)0U; + Hacl_HMAC_legacy_compute_sha1(k_, k, (uint32_t)20U, input0, input_len); + Hacl_HMAC_legacy_compute_sha1(v, k_, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)21U + entropy_input_len + additional_input_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)20U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)21U, + seed_material, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + } + input[20U] = (uint8_t)1U; + Hacl_HMAC_legacy_compute_sha1(k_0, k, (uint32_t)20U, input, input_len0); + Hacl_HMAC_legacy_compute_sha1(v, k_0, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_0, (uint32_t)20U * sizeof (uint8_t)); + } + ctr[0U] = (uint32_t)1U; + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + additional_input_input_len); + 
uint8_t + *seed_material = alloca((entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + memset(seed_material, + 0U, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, + additional_input_input, + additional_input_input_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state uu____1 = st; + uint8_t *k = uu____1.k; + uint8_t *v = uu____1.v; + uint32_t *ctr = uu____1.reseed_counter; + uint32_t input_len = (uint32_t)33U + entropy_input_len + additional_input_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)33U, + seed_material, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + } + input0[32U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_256(k_, k, (uint32_t)32U, input0, input_len); + Hacl_HMAC_compute_sha2_256(v, k_, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)33U + entropy_input_len + additional_input_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)32U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)33U, + seed_material, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + } + input[32U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_256(k_0, k, (uint32_t)32U, input, input_len0); + 
Hacl_HMAC_compute_sha2_256(v, k_0, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_0, (uint32_t)32U * sizeof (uint8_t)); + } + ctr[0U] = (uint32_t)1U; + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + additional_input_input_len); + uint8_t + *seed_material = alloca((entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + memset(seed_material, + 0U, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, + additional_input_input, + additional_input_input_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state uu____2 = st; + uint8_t *k = uu____2.k; + uint8_t *v = uu____2.v; + uint32_t *ctr = uu____2.reseed_counter; + uint32_t input_len = (uint32_t)49U + entropy_input_len + additional_input_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)49U, + seed_material, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + } + input0[48U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_384(k_, k, (uint32_t)48U, input0, input_len); + Hacl_HMAC_compute_sha2_384(v, k_, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)49U + entropy_input_len + additional_input_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)48U * sizeof (uint8_t)); + if (entropy_input_len + 
additional_input_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)49U, + seed_material, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + } + input[48U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_384(k_0, k, (uint32_t)48U, input, input_len0); + Hacl_HMAC_compute_sha2_384(v, k_0, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_0, (uint32_t)48U * sizeof (uint8_t)); + } + ctr[0U] = (uint32_t)1U; + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + KRML_CHECK_SIZE(sizeof (uint8_t), entropy_input_len + additional_input_input_len); + uint8_t + *seed_material = alloca((entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + memset(seed_material, + 0U, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + memcpy(seed_material, entropy_input, entropy_input_len * sizeof (uint8_t)); + memcpy(seed_material + entropy_input_len, + additional_input_input, + additional_input_input_len * sizeof (uint8_t)); + Hacl_HMAC_DRBG_state uu____3 = st; + uint8_t *k = uu____3.k; + uint8_t *v = uu____3.v; + uint32_t *ctr = uu____3.reseed_counter; + uint32_t input_len = (uint32_t)65U + entropy_input_len + additional_input_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)65U, + seed_material, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + } + input0[64U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_512(k_, k, (uint32_t)64U, input0, input_len); + Hacl_HMAC_compute_sha2_512(v, k_, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)65U + entropy_input_len + 
additional_input_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)64U * sizeof (uint8_t)); + if (entropy_input_len + additional_input_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)65U, + seed_material, + (entropy_input_len + additional_input_input_len) * sizeof (uint8_t)); + } + input[64U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_512(k_0, k, (uint32_t)64U, input, input_len0); + Hacl_HMAC_compute_sha2_512(v, k_0, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_0, (uint32_t)64U * sizeof (uint8_t)); + } + ctr[0U] = (uint32_t)1U; + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +bool +Hacl_HMAC_DRBG_generate( + Spec_Hash_Definitions_hash_alg a, + uint8_t *output, + Hacl_HMAC_DRBG_state st, + uint32_t n, + uint32_t additional_input_len, + uint8_t *additional_input +) +{ + switch (a) + { + case Spec_Hash_Definitions_SHA1: + { + if (st.reseed_counter[0U] > Hacl_HMAC_DRBG_reseed_interval) + { + return false; + } + uint8_t *k = st.k; + uint8_t *v = st.v; + uint32_t *ctr = st.reseed_counter; + if (additional_input_len > (uint32_t)0U) + { + uint32_t input_len = (uint32_t)21U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)21U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input0[20U] = (uint8_t)0U; + Hacl_HMAC_legacy_compute_sha1(k_, k, (uint32_t)20U, input0, input_len); + Hacl_HMAC_legacy_compute_sha1(v, k_, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_, (uint32_t)20U * sizeof (uint8_t)); + if 
(additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)21U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)21U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[20U] = (uint8_t)1U; + Hacl_HMAC_legacy_compute_sha1(k_0, k, (uint32_t)20U, input, input_len0); + Hacl_HMAC_legacy_compute_sha1(v, k_0, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_0, (uint32_t)20U * sizeof (uint8_t)); + } + } + uint8_t *output1 = output; + uint32_t max = n / (uint32_t)20U; + uint8_t *out = output1; + for (uint32_t i = (uint32_t)0U; i < max; i++) + { + Hacl_HMAC_legacy_compute_sha1(v, k, (uint32_t)20U, v, (uint32_t)20U); + memcpy(out + i * (uint32_t)20U, v, (uint32_t)20U * sizeof (uint8_t)); + } + if (max * (uint32_t)20U < n) + { + uint8_t *block = output1 + max * (uint32_t)20U; + Hacl_HMAC_legacy_compute_sha1(v, k, (uint32_t)20U, v, (uint32_t)20U); + memcpy(block, v, (n - max * (uint32_t)20U) * sizeof (uint8_t)); + } + uint32_t input_len = (uint32_t)21U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)21U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input0[20U] = (uint8_t)0U; + Hacl_HMAC_legacy_compute_sha1(k_, k, (uint32_t)20U, input0, input_len); + Hacl_HMAC_legacy_compute_sha1(v, k_, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)21U + 
additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)20U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)21U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[20U] = (uint8_t)1U; + Hacl_HMAC_legacy_compute_sha1(k_0, k, (uint32_t)20U, input, input_len0); + Hacl_HMAC_legacy_compute_sha1(v, k_0, (uint32_t)20U, v, (uint32_t)20U); + memcpy(k, k_0, (uint32_t)20U * sizeof (uint8_t)); + } + uint32_t old_ctr = ctr[0U]; + ctr[0U] = old_ctr + (uint32_t)1U; + return true; + } + case Spec_Hash_Definitions_SHA2_256: + { + if (st.reseed_counter[0U] > Hacl_HMAC_DRBG_reseed_interval) + { + return false; + } + uint8_t *k = st.k; + uint8_t *v = st.v; + uint32_t *ctr = st.reseed_counter; + if (additional_input_len > (uint32_t)0U) + { + uint32_t input_len = (uint32_t)33U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)33U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input0[32U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_256(k_, k, (uint32_t)32U, input0, input_len); + Hacl_HMAC_compute_sha2_256(v, k_, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)33U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)32U * sizeof (uint8_t)); + if 
(additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)33U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[32U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_256(k_0, k, (uint32_t)32U, input, input_len0); + Hacl_HMAC_compute_sha2_256(v, k_0, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_0, (uint32_t)32U * sizeof (uint8_t)); + } + } + uint8_t *output1 = output; + uint32_t max = n / (uint32_t)32U; + uint8_t *out = output1; + for (uint32_t i = (uint32_t)0U; i < max; i++) + { + Hacl_HMAC_compute_sha2_256(v, k, (uint32_t)32U, v, (uint32_t)32U); + memcpy(out + i * (uint32_t)32U, v, (uint32_t)32U * sizeof (uint8_t)); + } + if (max * (uint32_t)32U < n) + { + uint8_t *block = output1 + max * (uint32_t)32U; + Hacl_HMAC_compute_sha2_256(v, k, (uint32_t)32U, v, (uint32_t)32U); + memcpy(block, v, (n - max * (uint32_t)32U) * sizeof (uint8_t)); + } + uint32_t input_len = (uint32_t)33U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)33U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input0[32U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_256(k_, k, (uint32_t)32U, input0, input_len); + Hacl_HMAC_compute_sha2_256(v, k_, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)33U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)32U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)33U, + additional_input, + 
additional_input_len * sizeof (uint8_t)); + } + input[32U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_256(k_0, k, (uint32_t)32U, input, input_len0); + Hacl_HMAC_compute_sha2_256(v, k_0, (uint32_t)32U, v, (uint32_t)32U); + memcpy(k, k_0, (uint32_t)32U * sizeof (uint8_t)); + } + uint32_t old_ctr = ctr[0U]; + ctr[0U] = old_ctr + (uint32_t)1U; + return true; + } + case Spec_Hash_Definitions_SHA2_384: + { + if (st.reseed_counter[0U] > Hacl_HMAC_DRBG_reseed_interval) + { + return false; + } + uint8_t *k = st.k; + uint8_t *v = st.v; + uint32_t *ctr = st.reseed_counter; + if (additional_input_len > (uint32_t)0U) + { + uint32_t input_len = (uint32_t)49U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)49U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input0[48U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_384(k_, k, (uint32_t)48U, input0, input_len); + Hacl_HMAC_compute_sha2_384(v, k_, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)49U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)49U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[48U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_384(k_0, k, (uint32_t)48U, input, input_len0); + Hacl_HMAC_compute_sha2_384(v, k_0, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_0, (uint32_t)48U * sizeof (uint8_t)); + } + 
} + uint8_t *output1 = output; + uint32_t max = n / (uint32_t)48U; + uint8_t *out = output1; + for (uint32_t i = (uint32_t)0U; i < max; i++) + { + Hacl_HMAC_compute_sha2_384(v, k, (uint32_t)48U, v, (uint32_t)48U); + memcpy(out + i * (uint32_t)48U, v, (uint32_t)48U * sizeof (uint8_t)); + } + if (max * (uint32_t)48U < n) + { + uint8_t *block = output1 + max * (uint32_t)48U; + Hacl_HMAC_compute_sha2_384(v, k, (uint32_t)48U, v, (uint32_t)48U); + memcpy(block, v, (n - max * (uint32_t)48U) * sizeof (uint8_t)); + } + uint32_t input_len = (uint32_t)49U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)49U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input0[48U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_384(k_, k, (uint32_t)48U, input0, input_len); + Hacl_HMAC_compute_sha2_384(v, k_, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)49U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)48U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)49U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[48U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_384(k_0, k, (uint32_t)48U, input, input_len0); + Hacl_HMAC_compute_sha2_384(v, k_0, (uint32_t)48U, v, (uint32_t)48U); + memcpy(k, k_0, (uint32_t)48U * sizeof (uint8_t)); + } + uint32_t old_ctr = ctr[0U]; + ctr[0U] = old_ctr + (uint32_t)1U; + return true; + } + case 
Spec_Hash_Definitions_SHA2_512: + { + if (st.reseed_counter[0U] > Hacl_HMAC_DRBG_reseed_interval) + { + return false; + } + uint8_t *k = st.k; + uint8_t *v = st.v; + uint32_t *ctr = st.reseed_counter; + if (additional_input_len > (uint32_t)0U) + { + uint32_t input_len = (uint32_t)65U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)65U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input0[64U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_512(k_, k, (uint32_t)64U, input0, input_len); + Hacl_HMAC_compute_sha2_512(v, k_, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)65U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)65U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[64U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_512(k_0, k, (uint32_t)64U, input, input_len0); + Hacl_HMAC_compute_sha2_512(v, k_0, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_0, (uint32_t)64U * sizeof (uint8_t)); + } + } + uint8_t *output1 = output; + uint32_t max = n / (uint32_t)64U; + uint8_t *out = output1; + for (uint32_t i = (uint32_t)0U; i < max; i++) + { + Hacl_HMAC_compute_sha2_512(v, k, (uint32_t)64U, v, (uint32_t)64U); + memcpy(out + i * (uint32_t)64U, v, (uint32_t)64U * sizeof (uint8_t)); + } + if (max * (uint32_t)64U < n) + { + uint8_t *block = output1 + max * 
(uint32_t)64U; + Hacl_HMAC_compute_sha2_512(v, k, (uint32_t)64U, v, (uint32_t)64U); + memcpy(block, v, (n - max * (uint32_t)64U) * sizeof (uint8_t)); + } + uint32_t input_len = (uint32_t)65U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len); + uint8_t *input0 = alloca(input_len * sizeof (uint8_t)); + memset(input0, 0U, input_len * sizeof (uint8_t)); + uint8_t *k_ = input0; + memcpy(k_, v, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input0 + (uint32_t)65U, additional_input, additional_input_len * sizeof (uint8_t)); + } + input0[64U] = (uint8_t)0U; + Hacl_HMAC_compute_sha2_512(k_, k, (uint32_t)64U, input0, input_len); + Hacl_HMAC_compute_sha2_512(v, k_, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + uint32_t input_len0 = (uint32_t)65U + additional_input_len; + KRML_CHECK_SIZE(sizeof (uint8_t), input_len0); + uint8_t *input = alloca(input_len0 * sizeof (uint8_t)); + memset(input, 0U, input_len0 * sizeof (uint8_t)); + uint8_t *k_0 = input; + memcpy(k_0, v, (uint32_t)64U * sizeof (uint8_t)); + if (additional_input_len != (uint32_t)0U) + { + memcpy(input + (uint32_t)65U, + additional_input, + additional_input_len * sizeof (uint8_t)); + } + input[64U] = (uint8_t)1U; + Hacl_HMAC_compute_sha2_512(k_0, k, (uint32_t)64U, input, input_len0); + Hacl_HMAC_compute_sha2_512(v, k_0, (uint32_t)64U, v, (uint32_t)64U); + memcpy(k, k_0, (uint32_t)64U * sizeof (uint8_t)); + } + uint32_t old_ctr = ctr[0U]; + ctr[0U] = old_ctr + (uint32_t)1U; + return true; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + diff --git a/src/msvc/Hacl_Hash_Base.c b/src/msvc/Hacl_Hash_Base.c new file mode 100644 index 00000000..b6516a11 --- /dev/null +++ b/src/msvc/Hacl_Hash_Base.c 
@@ -0,0 +1,204 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Hash_Base.h" + + + +uint32_t Hacl_Hash_Definitions_word_len(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + return (uint32_t)4U; + } + case Spec_Hash_Definitions_SHA1: + { + return (uint32_t)4U; + } + case Spec_Hash_Definitions_SHA2_224: + { + return (uint32_t)4U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return (uint32_t)4U; + } + case Spec_Hash_Definitions_SHA2_384: + { + return (uint32_t)8U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return (uint32_t)8U; + } + case Spec_Hash_Definitions_Blake2S: + { + return (uint32_t)4U; + } + case Spec_Hash_Definitions_Blake2B: + { + return (uint32_t)8U; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +uint32_t Hacl_Hash_Definitions_block_len(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_SHA1: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_SHA2_224: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_SHA2_384: + { + return (uint32_t)128U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return (uint32_t)128U; + } + case Spec_Hash_Definitions_Blake2S: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_Blake2B: + { + return (uint32_t)128U; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +uint32_t Hacl_Hash_Definitions_hash_word_len(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + return (uint32_t)4U; + } + case Spec_Hash_Definitions_SHA1: + { + return (uint32_t)5U; + } + case Spec_Hash_Definitions_SHA2_224: + { + return (uint32_t)7U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return (uint32_t)8U; + } + case 
Spec_Hash_Definitions_SHA2_384: + { + return (uint32_t)6U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return (uint32_t)8U; + } + case Spec_Hash_Definitions_Blake2S: + { + return (uint32_t)8U; + } + case Spec_Hash_Definitions_Blake2B: + { + return (uint32_t)8U; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +uint32_t Hacl_Hash_Definitions_hash_len(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + return (uint32_t)16U; + } + case Spec_Hash_Definitions_SHA1: + { + return (uint32_t)20U; + } + case Spec_Hash_Definitions_SHA2_224: + { + return (uint32_t)28U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_SHA2_384: + { + return (uint32_t)48U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_Blake2S: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_Blake2B: + { + return (uint32_t)64U; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + diff --git a/src/msvc/Hacl_Hash_Blake2.c b/src/msvc/Hacl_Hash_Blake2.c new file mode 100644 index 00000000..5debde4d --- /dev/null +++ b/src/msvc/Hacl_Hash_Blake2.c 
@@ -0,0 +1,3056 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Hash_Blake2.h" + +#include "internal/Hacl_Kremlib.h" + +uint64_t Hacl_Hash_Core_Blake2_update_blake2s_32(uint32_t *s, uint64_t totlen, uint8_t *block) +{ + uint32_t wv[16U] = { 0U }; + uint64_t totlen1 = totlen + (uint64_t)(uint32_t)64U; + uint32_t m_w[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = m_w; + uint8_t *bj = block + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + uint32_t mask[4U] = { 0U }; + uint32_t wv_14 = (uint32_t)0U; + uint32_t wv_15 = (uint32_t)0U; + mask[0U] = (uint32_t)totlen1; + mask[1U] = (uint32_t)(totlen1 >> (uint32_t)32U); + mask[2U] = wv_14; + mask[3U] = wv_15; + memcpy(wv, s, (uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + uint32_t *wv3 = wv + (uint32_t)3U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv3; + uint32_t x = wv3[i] ^ mask[i]; + os[i] = x; + } + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)10U; i0++) + { + uint32_t start_idx = i0 % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * (uint32_t)4U); + uint32_t *m_st = alloca((uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + memset(m_st, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + uint32_t *r0 = m_st + (uint32_t)0U * (uint32_t)4U; + uint32_t *r1 = m_st + (uint32_t)1U * (uint32_t)4U; + uint32_t *r20 = m_st + (uint32_t)2U * (uint32_t)4U; + uint32_t *r30 = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + 
(uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + uint32_t uu____0 = m_w[s2]; + uint32_t uu____1 = m_w[s4]; + uint32_t uu____2 = m_w[s6]; + r0[0U] = m_w[s0]; + r0[1U] = uu____0; + r0[2U] = uu____1; + r0[3U] = uu____2; + uint32_t uu____3 = m_w[s3]; + uint32_t uu____4 = m_w[s5]; + uint32_t uu____5 = m_w[s7]; + r1[0U] = m_w[s1]; + r1[1U] = uu____3; + r1[2U] = uu____4; + r1[3U] = uu____5; + uint32_t uu____6 = m_w[s10]; + uint32_t uu____7 = m_w[s12]; + uint32_t uu____8 = m_w[s14]; + r20[0U] = m_w[s8]; + r20[1U] = uu____6; + r20[2U] = uu____7; + r20[3U] = uu____8; + uint32_t uu____9 = m_w[s11]; + uint32_t uu____10 = m_w[s13]; + uint32_t uu____11 = m_w[s15]; + r30[0U] = m_w[s9]; + r30[1U] = uu____9; + r30[2U] = uu____10; + r30[3U] = uu____11; + uint32_t *x = m_st + (uint32_t)0U * (uint32_t)4U; + uint32_t *y = m_st + (uint32_t)1U * (uint32_t)4U; + uint32_t *z = m_st + (uint32_t)2U * (uint32_t)4U; + uint32_t *w = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d0 = (uint32_t)3U; + uint32_t *wv_a0 = wv + a * (uint32_t)4U; + uint32_t *wv_b0 = wv + b0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < 
(uint32_t)4U; i++) + { + uint32_t *os = wv_a0; + uint32_t x1 = wv_a0[i] + wv_b0[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a0; + uint32_t x1 = wv_a0[i] + x[i]; + os[i] = x1; + } + uint32_t *wv_a1 = wv + d0 * (uint32_t)4U; + uint32_t *wv_b1 = wv + a * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a1; + uint32_t x1 = wv_a1[i] ^ wv_b1[i]; + os[i] = x1; + } + uint32_t *r10 = wv_a1; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r10; + uint32_t x1 = r10[i]; + uint32_t x10 = x1 >> (uint32_t)16U | x1 << (uint32_t)16U; + os[i] = x10; + } + uint32_t *wv_a2 = wv + c0 * (uint32_t)4U; + uint32_t *wv_b2 = wv + d0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a2; + uint32_t x1 = wv_a2[i] + wv_b2[i]; + os[i] = x1; + } + uint32_t *wv_a3 = wv + b0 * (uint32_t)4U; + uint32_t *wv_b3 = wv + c0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a3; + uint32_t x1 = wv_a3[i] ^ wv_b3[i]; + os[i] = x1; + } + uint32_t *r12 = wv_a3; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r12; + uint32_t x1 = r12[i]; + uint32_t x10 = x1 >> (uint32_t)12U | x1 << (uint32_t)20U; + os[i] = x10; + } + uint32_t *wv_a4 = wv + a * (uint32_t)4U; + uint32_t *wv_b4 = wv + b0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a4; + uint32_t x1 = wv_a4[i] + wv_b4[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a4; + uint32_t x1 = wv_a4[i] + y[i]; + os[i] = x1; + } + uint32_t *wv_a5 = wv + d0 * (uint32_t)4U; + uint32_t *wv_b5 = wv + a * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a5; + uint32_t x1 = wv_a5[i] ^ wv_b5[i]; + os[i] = x1; + } + uint32_t *r13 = wv_a5; + for (uint32_t i = (uint32_t)0U; i < 
(uint32_t)4U; i++) + { + uint32_t *os = r13; + uint32_t x1 = r13[i]; + uint32_t x10 = x1 >> (uint32_t)8U | x1 << (uint32_t)24U; + os[i] = x10; + } + uint32_t *wv_a6 = wv + c0 * (uint32_t)4U; + uint32_t *wv_b6 = wv + d0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a6; + uint32_t x1 = wv_a6[i] + wv_b6[i]; + os[i] = x1; + } + uint32_t *wv_a7 = wv + b0 * (uint32_t)4U; + uint32_t *wv_b7 = wv + c0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a7; + uint32_t x1 = wv_a7[i] ^ wv_b7[i]; + os[i] = x1; + } + uint32_t *r14 = wv_a7; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r14; + uint32_t x1 = r14[i]; + uint32_t x10 = x1 >> (uint32_t)7U | x1 << (uint32_t)25U; + os[i] = x10; + } + uint32_t *r15 = wv + (uint32_t)1U * (uint32_t)4U; + uint32_t *r21 = wv + (uint32_t)2U * (uint32_t)4U; + uint32_t *r31 = wv + (uint32_t)3U * (uint32_t)4U; + uint32_t *r110 = r15; + uint32_t x00 = r110[1U]; + uint32_t x10 = r110[((uint32_t)1U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x20 = r110[((uint32_t)1U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x30 = r110[((uint32_t)1U + (uint32_t)3U) % (uint32_t)4U]; + r110[0U] = x00; + r110[1U] = x10; + r110[2U] = x20; + r110[3U] = x30; + uint32_t *r111 = r21; + uint32_t x01 = r111[2U]; + uint32_t x11 = r111[((uint32_t)2U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x21 = r111[((uint32_t)2U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x31 = r111[((uint32_t)2U + (uint32_t)3U) % (uint32_t)4U]; + r111[0U] = x01; + r111[1U] = x11; + r111[2U] = x21; + r111[3U] = x31; + uint32_t *r112 = r31; + uint32_t x02 = r112[3U]; + uint32_t x12 = r112[((uint32_t)3U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x22 = r112[((uint32_t)3U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x32 = r112[((uint32_t)3U + (uint32_t)3U) % (uint32_t)4U]; + r112[0U] = x02; + r112[1U] = x12; + r112[2U] = x22; + r112[3U] = x32; + uint32_t a0 = (uint32_t)0U; + uint32_t 
b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d = (uint32_t)3U; + uint32_t *wv_a = wv + a0 * (uint32_t)4U; + uint32_t *wv_b8 = wv + b * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a; + uint32_t x1 = wv_a[i] + wv_b8[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a; + uint32_t x1 = wv_a[i] + z[i]; + os[i] = x1; + } + uint32_t *wv_a8 = wv + d * (uint32_t)4U; + uint32_t *wv_b9 = wv + a0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a8; + uint32_t x1 = wv_a8[i] ^ wv_b9[i]; + os[i] = x1; + } + uint32_t *r16 = wv_a8; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r16; + uint32_t x1 = r16[i]; + uint32_t x13 = x1 >> (uint32_t)16U | x1 << (uint32_t)16U; + os[i] = x13; + } + uint32_t *wv_a9 = wv + c * (uint32_t)4U; + uint32_t *wv_b10 = wv + d * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a9; + uint32_t x1 = wv_a9[i] + wv_b10[i]; + os[i] = x1; + } + uint32_t *wv_a10 = wv + b * (uint32_t)4U; + uint32_t *wv_b11 = wv + c * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a10; + uint32_t x1 = wv_a10[i] ^ wv_b11[i]; + os[i] = x1; + } + uint32_t *r17 = wv_a10; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r17; + uint32_t x1 = r17[i]; + uint32_t x13 = x1 >> (uint32_t)12U | x1 << (uint32_t)20U; + os[i] = x13; + } + uint32_t *wv_a11 = wv + a0 * (uint32_t)4U; + uint32_t *wv_b12 = wv + b * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a11; + uint32_t x1 = wv_a11[i] + wv_b12[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a11; + uint32_t x1 = wv_a11[i] + w[i]; + os[i] = x1; + } + uint32_t *wv_a12 = wv + d * (uint32_t)4U; + uint32_t *wv_b13 = wv + a0 * 
(uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a12; + uint32_t x1 = wv_a12[i] ^ wv_b13[i]; + os[i] = x1; + } + uint32_t *r18 = wv_a12; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r18; + uint32_t x1 = r18[i]; + uint32_t x13 = x1 >> (uint32_t)8U | x1 << (uint32_t)24U; + os[i] = x13; + } + uint32_t *wv_a13 = wv + c * (uint32_t)4U; + uint32_t *wv_b14 = wv + d * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a13; + uint32_t x1 = wv_a13[i] + wv_b14[i]; + os[i] = x1; + } + uint32_t *wv_a14 = wv + b * (uint32_t)4U; + uint32_t *wv_b = wv + c * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a14; + uint32_t x1 = wv_a14[i] ^ wv_b[i]; + os[i] = x1; + } + uint32_t *r19 = wv_a14; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r19; + uint32_t x1 = r19[i]; + uint32_t x13 = x1 >> (uint32_t)7U | x1 << (uint32_t)25U; + os[i] = x13; + } + uint32_t *r113 = wv + (uint32_t)1U * (uint32_t)4U; + uint32_t *r2 = wv + (uint32_t)2U * (uint32_t)4U; + uint32_t *r3 = wv + (uint32_t)3U * (uint32_t)4U; + uint32_t *r11 = r113; + uint32_t x03 = r11[3U]; + uint32_t x13 = r11[((uint32_t)3U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x23 = r11[((uint32_t)3U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x33 = r11[((uint32_t)3U + (uint32_t)3U) % (uint32_t)4U]; + r11[0U] = x03; + r11[1U] = x13; + r11[2U] = x23; + r11[3U] = x33; + uint32_t *r114 = r2; + uint32_t x04 = r114[2U]; + uint32_t x14 = r114[((uint32_t)2U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x24 = r114[((uint32_t)2U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x34 = r114[((uint32_t)2U + (uint32_t)3U) % (uint32_t)4U]; + r114[0U] = x04; + r114[1U] = x14; + r114[2U] = x24; + r114[3U] = x34; + uint32_t *r115 = r3; + uint32_t x0 = r115[1U]; + uint32_t x1 = r115[((uint32_t)1U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x2 = r115[((uint32_t)1U + 
(uint32_t)2U) % (uint32_t)4U]; + uint32_t x3 = r115[((uint32_t)1U + (uint32_t)3U) % (uint32_t)4U]; + r115[0U] = x0; + r115[1U] = x1; + r115[2U] = x2; + r115[3U] = x3; + } + uint32_t *s0 = s + (uint32_t)0U * (uint32_t)4U; + uint32_t *s1 = s + (uint32_t)1U * (uint32_t)4U; + uint32_t *r0 = wv + (uint32_t)0U * (uint32_t)4U; + uint32_t *r1 = wv + (uint32_t)1U * (uint32_t)4U; + uint32_t *r2 = wv + (uint32_t)2U * (uint32_t)4U; + uint32_t *r3 = wv + (uint32_t)3U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s0; + uint32_t x = s0[i] ^ r0[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s0; + uint32_t x = s0[i] ^ r2[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s1; + uint32_t x = s1[i] ^ r1[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s1; + uint32_t x = s1[i] ^ r3[i]; + os[i] = x; + } + return totlen1; +} + +void Hacl_Hash_Core_Blake2_finish_blake2s_32(uint32_t *s, uint64_t ev, uint8_t *dst) +{ + uint32_t double_row = (uint32_t)2U * ((uint32_t)4U * (uint32_t)4U); + KRML_CHECK_SIZE(sizeof (uint8_t), double_row); + uint8_t *b = alloca(double_row * sizeof (uint8_t)); + memset(b, 0U, double_row * sizeof (uint8_t)); + uint8_t *first = b; + uint8_t *second = b + (uint32_t)4U * (uint32_t)4U; + uint32_t *row0 = s + (uint32_t)0U * (uint32_t)4U; + uint32_t *row1 = s + (uint32_t)1U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store32_le(first + i * (uint32_t)4U, row0[i]); + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store32_le(second + i * (uint32_t)4U, row1[i]); + } + uint8_t *final = b; + memcpy(dst, final, (uint32_t)32U * sizeof (uint8_t)); + Lib_Memzero0_memzero(b, double_row * sizeof (b[0U])); +} + +FStar_UInt128_uint128 +Hacl_Hash_Core_Blake2_update_blake2b_32( + uint64_t *s, + FStar_UInt128_uint128 totlen, + uint8_t *block 
+) +{ + uint64_t wv[16U] = { 0U }; + FStar_UInt128_uint128 + totlen1 = + FStar_UInt128_add_mod(totlen, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U)); + uint64_t m_w[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t *os = m_w; + uint8_t *bj = block + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + uint64_t mask[4U] = { 0U }; + uint64_t wv_14 = (uint64_t)0U; + uint64_t wv_15 = (uint64_t)0U; + mask[0U] = FStar_UInt128_uint128_to_uint64(totlen1); + mask[1U] = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(totlen1, (uint32_t)64U)); + mask[2U] = wv_14; + mask[3U] = wv_15; + memcpy(wv, s, (uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + uint64_t *wv3 = wv + (uint32_t)3U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv3; + uint64_t x = wv3[i] ^ mask[i]; + os[i] = x; + } + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)12U; i0++) + { + uint32_t start_idx = i0 % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * (uint32_t)4U); + uint64_t *m_st = alloca((uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + memset(m_st, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + uint64_t *r0 = m_st + (uint32_t)0U * (uint32_t)4U; + uint64_t *r1 = m_st + (uint32_t)1U * (uint32_t)4U; + uint64_t *r20 = m_st + (uint32_t)2U * (uint32_t)4U; + uint64_t *r30 = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = 
Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + uint64_t uu____0 = m_w[s2]; + uint64_t uu____1 = m_w[s4]; + uint64_t uu____2 = m_w[s6]; + r0[0U] = m_w[s0]; + r0[1U] = uu____0; + r0[2U] = uu____1; + r0[3U] = uu____2; + uint64_t uu____3 = m_w[s3]; + uint64_t uu____4 = m_w[s5]; + uint64_t uu____5 = m_w[s7]; + r1[0U] = m_w[s1]; + r1[1U] = uu____3; + r1[2U] = uu____4; + r1[3U] = uu____5; + uint64_t uu____6 = m_w[s10]; + uint64_t uu____7 = m_w[s12]; + uint64_t uu____8 = m_w[s14]; + r20[0U] = m_w[s8]; + r20[1U] = uu____6; + r20[2U] = uu____7; + r20[3U] = uu____8; + uint64_t uu____9 = m_w[s11]; + uint64_t uu____10 = m_w[s13]; + uint64_t uu____11 = m_w[s15]; + r30[0U] = m_w[s9]; + r30[1U] = uu____9; + r30[2U] = uu____10; + r30[3U] = uu____11; + uint64_t *x = m_st + (uint32_t)0U * (uint32_t)4U; + uint64_t *y = m_st + (uint32_t)1U * (uint32_t)4U; + uint64_t *z = m_st + (uint32_t)2U * (uint32_t)4U; + uint64_t *w = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d0 = (uint32_t)3U; + uint64_t *wv_a0 = wv + a * (uint32_t)4U; + uint64_t *wv_b0 = wv + b0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = 
wv_a0; + uint64_t x1 = wv_a0[i] + wv_b0[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a0; + uint64_t x1 = wv_a0[i] + x[i]; + os[i] = x1; + } + uint64_t *wv_a1 = wv + d0 * (uint32_t)4U; + uint64_t *wv_b1 = wv + a * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a1; + uint64_t x1 = wv_a1[i] ^ wv_b1[i]; + os[i] = x1; + } + uint64_t *r10 = wv_a1; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r10; + uint64_t x1 = r10[i]; + uint64_t x10 = x1 >> (uint32_t)32U | x1 << (uint32_t)32U; + os[i] = x10; + } + uint64_t *wv_a2 = wv + c0 * (uint32_t)4U; + uint64_t *wv_b2 = wv + d0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a2; + uint64_t x1 = wv_a2[i] + wv_b2[i]; + os[i] = x1; + } + uint64_t *wv_a3 = wv + b0 * (uint32_t)4U; + uint64_t *wv_b3 = wv + c0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a3; + uint64_t x1 = wv_a3[i] ^ wv_b3[i]; + os[i] = x1; + } + uint64_t *r12 = wv_a3; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r12; + uint64_t x1 = r12[i]; + uint64_t x10 = x1 >> (uint32_t)24U | x1 << (uint32_t)40U; + os[i] = x10; + } + uint64_t *wv_a4 = wv + a * (uint32_t)4U; + uint64_t *wv_b4 = wv + b0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a4; + uint64_t x1 = wv_a4[i] + wv_b4[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a4; + uint64_t x1 = wv_a4[i] + y[i]; + os[i] = x1; + } + uint64_t *wv_a5 = wv + d0 * (uint32_t)4U; + uint64_t *wv_b5 = wv + a * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a5; + uint64_t x1 = wv_a5[i] ^ wv_b5[i]; + os[i] = x1; + } + uint64_t *r13 = wv_a5; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = 
r13; + uint64_t x1 = r13[i]; + uint64_t x10 = x1 >> (uint32_t)16U | x1 << (uint32_t)48U; + os[i] = x10; + } + uint64_t *wv_a6 = wv + c0 * (uint32_t)4U; + uint64_t *wv_b6 = wv + d0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a6; + uint64_t x1 = wv_a6[i] + wv_b6[i]; + os[i] = x1; + } + uint64_t *wv_a7 = wv + b0 * (uint32_t)4U; + uint64_t *wv_b7 = wv + c0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a7; + uint64_t x1 = wv_a7[i] ^ wv_b7[i]; + os[i] = x1; + } + uint64_t *r14 = wv_a7; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r14; + uint64_t x1 = r14[i]; + uint64_t x10 = x1 >> (uint32_t)63U | x1 << (uint32_t)1U; + os[i] = x10; + } + uint64_t *r15 = wv + (uint32_t)1U * (uint32_t)4U; + uint64_t *r21 = wv + (uint32_t)2U * (uint32_t)4U; + uint64_t *r31 = wv + (uint32_t)3U * (uint32_t)4U; + uint64_t *r110 = r15; + uint64_t x00 = r110[1U]; + uint64_t x10 = r110[((uint32_t)1U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x20 = r110[((uint32_t)1U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x30 = r110[((uint32_t)1U + (uint32_t)3U) % (uint32_t)4U]; + r110[0U] = x00; + r110[1U] = x10; + r110[2U] = x20; + r110[3U] = x30; + uint64_t *r111 = r21; + uint64_t x01 = r111[2U]; + uint64_t x11 = r111[((uint32_t)2U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x21 = r111[((uint32_t)2U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x31 = r111[((uint32_t)2U + (uint32_t)3U) % (uint32_t)4U]; + r111[0U] = x01; + r111[1U] = x11; + r111[2U] = x21; + r111[3U] = x31; + uint64_t *r112 = r31; + uint64_t x02 = r112[3U]; + uint64_t x12 = r112[((uint32_t)3U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x22 = r112[((uint32_t)3U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x32 = r112[((uint32_t)3U + (uint32_t)3U) % (uint32_t)4U]; + r112[0U] = x02; + r112[1U] = x12; + r112[2U] = x22; + r112[3U] = x32; + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = 
(uint32_t)2U; + uint32_t d = (uint32_t)3U; + uint64_t *wv_a = wv + a0 * (uint32_t)4U; + uint64_t *wv_b8 = wv + b * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a; + uint64_t x1 = wv_a[i] + wv_b8[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a; + uint64_t x1 = wv_a[i] + z[i]; + os[i] = x1; + } + uint64_t *wv_a8 = wv + d * (uint32_t)4U; + uint64_t *wv_b9 = wv + a0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a8; + uint64_t x1 = wv_a8[i] ^ wv_b9[i]; + os[i] = x1; + } + uint64_t *r16 = wv_a8; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r16; + uint64_t x1 = r16[i]; + uint64_t x13 = x1 >> (uint32_t)32U | x1 << (uint32_t)32U; + os[i] = x13; + } + uint64_t *wv_a9 = wv + c * (uint32_t)4U; + uint64_t *wv_b10 = wv + d * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a9; + uint64_t x1 = wv_a9[i] + wv_b10[i]; + os[i] = x1; + } + uint64_t *wv_a10 = wv + b * (uint32_t)4U; + uint64_t *wv_b11 = wv + c * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a10; + uint64_t x1 = wv_a10[i] ^ wv_b11[i]; + os[i] = x1; + } + uint64_t *r17 = wv_a10; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r17; + uint64_t x1 = r17[i]; + uint64_t x13 = x1 >> (uint32_t)24U | x1 << (uint32_t)40U; + os[i] = x13; + } + uint64_t *wv_a11 = wv + a0 * (uint32_t)4U; + uint64_t *wv_b12 = wv + b * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a11; + uint64_t x1 = wv_a11[i] + wv_b12[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a11; + uint64_t x1 = wv_a11[i] + w[i]; + os[i] = x1; + } + uint64_t *wv_a12 = wv + d * (uint32_t)4U; + uint64_t *wv_b13 = wv + a0 * (uint32_t)4U; + for (uint32_t i = 
(uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a12; + uint64_t x1 = wv_a12[i] ^ wv_b13[i]; + os[i] = x1; + } + uint64_t *r18 = wv_a12; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r18; + uint64_t x1 = r18[i]; + uint64_t x13 = x1 >> (uint32_t)16U | x1 << (uint32_t)48U; + os[i] = x13; + } + uint64_t *wv_a13 = wv + c * (uint32_t)4U; + uint64_t *wv_b14 = wv + d * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a13; + uint64_t x1 = wv_a13[i] + wv_b14[i]; + os[i] = x1; + } + uint64_t *wv_a14 = wv + b * (uint32_t)4U; + uint64_t *wv_b = wv + c * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a14; + uint64_t x1 = wv_a14[i] ^ wv_b[i]; + os[i] = x1; + } + uint64_t *r19 = wv_a14; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r19; + uint64_t x1 = r19[i]; + uint64_t x13 = x1 >> (uint32_t)63U | x1 << (uint32_t)1U; + os[i] = x13; + } + uint64_t *r113 = wv + (uint32_t)1U * (uint32_t)4U; + uint64_t *r2 = wv + (uint32_t)2U * (uint32_t)4U; + uint64_t *r3 = wv + (uint32_t)3U * (uint32_t)4U; + uint64_t *r11 = r113; + uint64_t x03 = r11[3U]; + uint64_t x13 = r11[((uint32_t)3U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x23 = r11[((uint32_t)3U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x33 = r11[((uint32_t)3U + (uint32_t)3U) % (uint32_t)4U]; + r11[0U] = x03; + r11[1U] = x13; + r11[2U] = x23; + r11[3U] = x33; + uint64_t *r114 = r2; + uint64_t x04 = r114[2U]; + uint64_t x14 = r114[((uint32_t)2U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x24 = r114[((uint32_t)2U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x34 = r114[((uint32_t)2U + (uint32_t)3U) % (uint32_t)4U]; + r114[0U] = x04; + r114[1U] = x14; + r114[2U] = x24; + r114[3U] = x34; + uint64_t *r115 = r3; + uint64_t x0 = r115[1U]; + uint64_t x1 = r115[((uint32_t)1U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x2 = r115[((uint32_t)1U + (uint32_t)2U) % (uint32_t)4U]; + 
uint64_t x3 = r115[((uint32_t)1U + (uint32_t)3U) % (uint32_t)4U]; + r115[0U] = x0; + r115[1U] = x1; + r115[2U] = x2; + r115[3U] = x3; + } + uint64_t *s0 = s + (uint32_t)0U * (uint32_t)4U; + uint64_t *s1 = s + (uint32_t)1U * (uint32_t)4U; + uint64_t *r0 = wv + (uint32_t)0U * (uint32_t)4U; + uint64_t *r1 = wv + (uint32_t)1U * (uint32_t)4U; + uint64_t *r2 = wv + (uint32_t)2U * (uint32_t)4U; + uint64_t *r3 = wv + (uint32_t)3U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s0; + uint64_t x = s0[i] ^ r0[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s0; + uint64_t x = s0[i] ^ r2[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s1; + uint64_t x = s1[i] ^ r1[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s1; + uint64_t x = s1[i] ^ r3[i]; + os[i] = x; + } + return totlen1; +} + +void +Hacl_Hash_Core_Blake2_finish_blake2b_32(uint64_t *s, FStar_UInt128_uint128 ev, uint8_t *dst) +{ + uint32_t double_row = (uint32_t)2U * ((uint32_t)4U * (uint32_t)8U); + KRML_CHECK_SIZE(sizeof (uint8_t), double_row); + uint8_t *b = alloca(double_row * sizeof (uint8_t)); + memset(b, 0U, double_row * sizeof (uint8_t)); + uint8_t *first = b; + uint8_t *second = b + (uint32_t)4U * (uint32_t)8U; + uint64_t *row0 = s + (uint32_t)0U * (uint32_t)4U; + uint64_t *row1 = s + (uint32_t)1U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store64_le(first + i * (uint32_t)8U, row0[i]); + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store64_le(second + i * (uint32_t)8U, row1[i]); + } + uint8_t *final = b; + memcpy(dst, final, (uint32_t)64U * sizeof (uint8_t)); + Lib_Memzero0_memzero(b, double_row * sizeof (b[0U])); +} + +uint64_t +Hacl_Hash_Blake2_update_multi_blake2s_32( + uint32_t *s, + uint64_t ev, + uint8_t *blocks, + uint32_t n_blocks +) +{ + for (uint32_t i = 
(uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)64U; + uint8_t *block = blocks + sz * i; + uint64_t + v_ = + Hacl_Hash_Core_Blake2_update_blake2s_32(s, + ev + (uint64_t)i * (uint64_t)(uint32_t)64U, + block); + } + return ev + (uint64_t)n_blocks * (uint64_t)(uint32_t)64U; +} + +FStar_UInt128_uint128 +Hacl_Hash_Blake2_update_multi_blake2b_32( + uint64_t *s, + FStar_UInt128_uint128 ev, + uint8_t *blocks, + uint32_t n_blocks +) +{ + for (uint32_t i = (uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)128U; + uint8_t *block = blocks + sz * i; + FStar_UInt128_uint128 + v_ = + Hacl_Hash_Core_Blake2_update_blake2b_32(s, + FStar_UInt128_add_mod(ev, + FStar_UInt128_uint64_to_uint128((uint64_t)i * (uint64_t)(uint32_t)128U)), + block); + } + return + FStar_UInt128_add_mod(ev, + FStar_UInt128_uint64_to_uint128((uint64_t)n_blocks * (uint64_t)(uint32_t)128U)); +} + +uint64_t +Hacl_Hash_Blake2_update_last_blake2s_32( + uint32_t *s, + uint64_t ev, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)64U; + uint32_t blocks_len0 = blocks_n * (uint32_t)64U; + uint32_t rest_len0 = input_len - blocks_len0; + K___uint32_t_uint32_t_uint32_t scrut; + if (rest_len0 == (uint32_t)0U && blocks_n > (uint32_t)0U) + { + uint32_t blocks_n1 = blocks_n - (uint32_t)1U; + uint32_t blocks_len1 = blocks_len0 - (uint32_t)64U; + uint32_t rest_len1 = (uint32_t)64U; + scrut = + ((K___uint32_t_uint32_t_uint32_t){ .fst = blocks_n1, .snd = blocks_len1, .thd = rest_len1 }); + } + else + { + scrut = + ((K___uint32_t_uint32_t_uint32_t){ .fst = blocks_n, .snd = blocks_len0, .thd = rest_len0 }); + } + uint32_t num_blocks0 = scrut.fst; + uint32_t blocks_len = scrut.snd; + uint32_t rest_len1 = scrut.thd; + uint8_t *blocks0 = input; + uint8_t *rest0 = input + blocks_len; + K___uint32_t_uint32_t_uint32_t__uint8_t___uint8_t_ + scrut0 = + { .fst = num_blocks0, .snd = blocks_len, .thd = rest_len1, .f3 = blocks0, .f4 = rest0 }; + uint32_t 
num_blocks = scrut0.fst; + uint32_t rest_len = scrut0.thd; + uint8_t *blocks = scrut0.f3; + uint8_t *rest = scrut0.f4; + uint64_t ev_ = Hacl_Hash_Blake2_update_multi_blake2s_32(s, ev, blocks, num_blocks); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * (uint32_t)4U); + uint32_t *wv = alloca((uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + memset(wv, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + uint8_t tmp[64U] = { 0U }; + uint8_t *tmp_rest = tmp; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + uint64_t totlen = ev_ + (uint64_t)rest_len; + uint32_t m_w[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = m_w; + uint8_t *bj = tmp + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + uint32_t mask[4U] = { 0U }; + uint32_t wv_14 = (uint32_t)0xFFFFFFFFU; + uint32_t wv_15 = (uint32_t)0U; + mask[0U] = (uint32_t)totlen; + mask[1U] = (uint32_t)(totlen >> (uint32_t)32U); + mask[2U] = wv_14; + mask[3U] = wv_15; + memcpy(wv, s, (uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + uint32_t *wv3 = wv + (uint32_t)3U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv3; + uint32_t x = wv3[i] ^ mask[i]; + os[i] = x; + } + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)10U; i0++) + { + uint32_t start_idx = i0 % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * (uint32_t)4U); + uint32_t *m_st = alloca((uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + memset(m_st, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + uint32_t *r0 = m_st + (uint32_t)0U * (uint32_t)4U; + uint32_t *r1 = m_st + (uint32_t)1U * (uint32_t)4U; + uint32_t *r20 = m_st + (uint32_t)2U * (uint32_t)4U; + uint32_t *r30 = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = 
Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + uint32_t uu____0 = m_w[s2]; + uint32_t uu____1 = m_w[s4]; + uint32_t uu____2 = m_w[s6]; + r0[0U] = m_w[s0]; + r0[1U] = uu____0; + r0[2U] = uu____1; + r0[3U] = uu____2; + uint32_t uu____3 = m_w[s3]; + uint32_t uu____4 = m_w[s5]; + uint32_t uu____5 = m_w[s7]; + r1[0U] = m_w[s1]; + r1[1U] = uu____3; + r1[2U] = uu____4; + r1[3U] = uu____5; + uint32_t uu____6 = m_w[s10]; + uint32_t uu____7 = m_w[s12]; + uint32_t uu____8 = m_w[s14]; + r20[0U] = m_w[s8]; + r20[1U] = uu____6; + r20[2U] = uu____7; + r20[3U] = uu____8; + uint32_t uu____9 = m_w[s11]; + uint32_t uu____10 = m_w[s13]; + uint32_t uu____11 = m_w[s15]; + r30[0U] = m_w[s9]; + r30[1U] = uu____9; + r30[2U] = uu____10; + r30[3U] = uu____11; + uint32_t *x = m_st + (uint32_t)0U * (uint32_t)4U; + uint32_t *y = m_st + (uint32_t)1U * (uint32_t)4U; + uint32_t *z = m_st + (uint32_t)2U * (uint32_t)4U; + uint32_t *w = 
m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d0 = (uint32_t)3U; + uint32_t *wv_a0 = wv + a * (uint32_t)4U; + uint32_t *wv_b0 = wv + b0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a0; + uint32_t x1 = wv_a0[i] + wv_b0[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a0; + uint32_t x1 = wv_a0[i] + x[i]; + os[i] = x1; + } + uint32_t *wv_a1 = wv + d0 * (uint32_t)4U; + uint32_t *wv_b1 = wv + a * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a1; + uint32_t x1 = wv_a1[i] ^ wv_b1[i]; + os[i] = x1; + } + uint32_t *r10 = wv_a1; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r10; + uint32_t x1 = r10[i]; + uint32_t x10 = x1 >> (uint32_t)16U | x1 << (uint32_t)16U; + os[i] = x10; + } + uint32_t *wv_a2 = wv + c0 * (uint32_t)4U; + uint32_t *wv_b2 = wv + d0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a2; + uint32_t x1 = wv_a2[i] + wv_b2[i]; + os[i] = x1; + } + uint32_t *wv_a3 = wv + b0 * (uint32_t)4U; + uint32_t *wv_b3 = wv + c0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a3; + uint32_t x1 = wv_a3[i] ^ wv_b3[i]; + os[i] = x1; + } + uint32_t *r12 = wv_a3; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r12; + uint32_t x1 = r12[i]; + uint32_t x10 = x1 >> (uint32_t)12U | x1 << (uint32_t)20U; + os[i] = x10; + } + uint32_t *wv_a4 = wv + a * (uint32_t)4U; + uint32_t *wv_b4 = wv + b0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a4; + uint32_t x1 = wv_a4[i] + wv_b4[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a4; + uint32_t x1 = wv_a4[i] + y[i]; + os[i] = x1; + } + uint32_t 
*wv_a5 = wv + d0 * (uint32_t)4U; + uint32_t *wv_b5 = wv + a * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a5; + uint32_t x1 = wv_a5[i] ^ wv_b5[i]; + os[i] = x1; + } + uint32_t *r13 = wv_a5; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r13; + uint32_t x1 = r13[i]; + uint32_t x10 = x1 >> (uint32_t)8U | x1 << (uint32_t)24U; + os[i] = x10; + } + uint32_t *wv_a6 = wv + c0 * (uint32_t)4U; + uint32_t *wv_b6 = wv + d0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a6; + uint32_t x1 = wv_a6[i] + wv_b6[i]; + os[i] = x1; + } + uint32_t *wv_a7 = wv + b0 * (uint32_t)4U; + uint32_t *wv_b7 = wv + c0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a7; + uint32_t x1 = wv_a7[i] ^ wv_b7[i]; + os[i] = x1; + } + uint32_t *r14 = wv_a7; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r14; + uint32_t x1 = r14[i]; + uint32_t x10 = x1 >> (uint32_t)7U | x1 << (uint32_t)25U; + os[i] = x10; + } + uint32_t *r15 = wv + (uint32_t)1U * (uint32_t)4U; + uint32_t *r21 = wv + (uint32_t)2U * (uint32_t)4U; + uint32_t *r31 = wv + (uint32_t)3U * (uint32_t)4U; + uint32_t *r110 = r15; + uint32_t x00 = r110[1U]; + uint32_t x10 = r110[((uint32_t)1U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x20 = r110[((uint32_t)1U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x30 = r110[((uint32_t)1U + (uint32_t)3U) % (uint32_t)4U]; + r110[0U] = x00; + r110[1U] = x10; + r110[2U] = x20; + r110[3U] = x30; + uint32_t *r111 = r21; + uint32_t x01 = r111[2U]; + uint32_t x11 = r111[((uint32_t)2U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x21 = r111[((uint32_t)2U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x31 = r111[((uint32_t)2U + (uint32_t)3U) % (uint32_t)4U]; + r111[0U] = x01; + r111[1U] = x11; + r111[2U] = x21; + r111[3U] = x31; + uint32_t *r112 = r31; + uint32_t x02 = r112[3U]; + uint32_t x12 = r112[((uint32_t)3U + 
(uint32_t)1U) % (uint32_t)4U]; + uint32_t x22 = r112[((uint32_t)3U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x32 = r112[((uint32_t)3U + (uint32_t)3U) % (uint32_t)4U]; + r112[0U] = x02; + r112[1U] = x12; + r112[2U] = x22; + r112[3U] = x32; + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d = (uint32_t)3U; + uint32_t *wv_a = wv + a0 * (uint32_t)4U; + uint32_t *wv_b8 = wv + b * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a; + uint32_t x1 = wv_a[i] + wv_b8[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a; + uint32_t x1 = wv_a[i] + z[i]; + os[i] = x1; + } + uint32_t *wv_a8 = wv + d * (uint32_t)4U; + uint32_t *wv_b9 = wv + a0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a8; + uint32_t x1 = wv_a8[i] ^ wv_b9[i]; + os[i] = x1; + } + uint32_t *r16 = wv_a8; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r16; + uint32_t x1 = r16[i]; + uint32_t x13 = x1 >> (uint32_t)16U | x1 << (uint32_t)16U; + os[i] = x13; + } + uint32_t *wv_a9 = wv + c * (uint32_t)4U; + uint32_t *wv_b10 = wv + d * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a9; + uint32_t x1 = wv_a9[i] + wv_b10[i]; + os[i] = x1; + } + uint32_t *wv_a10 = wv + b * (uint32_t)4U; + uint32_t *wv_b11 = wv + c * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a10; + uint32_t x1 = wv_a10[i] ^ wv_b11[i]; + os[i] = x1; + } + uint32_t *r17 = wv_a10; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r17; + uint32_t x1 = r17[i]; + uint32_t x13 = x1 >> (uint32_t)12U | x1 << (uint32_t)20U; + os[i] = x13; + } + uint32_t *wv_a11 = wv + a0 * (uint32_t)4U; + uint32_t *wv_b12 = wv + b * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a11; 
+ uint32_t x1 = wv_a11[i] + wv_b12[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a11; + uint32_t x1 = wv_a11[i] + w[i]; + os[i] = x1; + } + uint32_t *wv_a12 = wv + d * (uint32_t)4U; + uint32_t *wv_b13 = wv + a0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a12; + uint32_t x1 = wv_a12[i] ^ wv_b13[i]; + os[i] = x1; + } + uint32_t *r18 = wv_a12; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r18; + uint32_t x1 = r18[i]; + uint32_t x13 = x1 >> (uint32_t)8U | x1 << (uint32_t)24U; + os[i] = x13; + } + uint32_t *wv_a13 = wv + c * (uint32_t)4U; + uint32_t *wv_b14 = wv + d * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a13; + uint32_t x1 = wv_a13[i] + wv_b14[i]; + os[i] = x1; + } + uint32_t *wv_a14 = wv + b * (uint32_t)4U; + uint32_t *wv_b = wv + c * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a14; + uint32_t x1 = wv_a14[i] ^ wv_b[i]; + os[i] = x1; + } + uint32_t *r19 = wv_a14; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r19; + uint32_t x1 = r19[i]; + uint32_t x13 = x1 >> (uint32_t)7U | x1 << (uint32_t)25U; + os[i] = x13; + } + uint32_t *r113 = wv + (uint32_t)1U * (uint32_t)4U; + uint32_t *r2 = wv + (uint32_t)2U * (uint32_t)4U; + uint32_t *r3 = wv + (uint32_t)3U * (uint32_t)4U; + uint32_t *r11 = r113; + uint32_t x03 = r11[3U]; + uint32_t x13 = r11[((uint32_t)3U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x23 = r11[((uint32_t)3U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x33 = r11[((uint32_t)3U + (uint32_t)3U) % (uint32_t)4U]; + r11[0U] = x03; + r11[1U] = x13; + r11[2U] = x23; + r11[3U] = x33; + uint32_t *r114 = r2; + uint32_t x04 = r114[2U]; + uint32_t x14 = r114[((uint32_t)2U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x24 = r114[((uint32_t)2U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x34 = 
r114[((uint32_t)2U + (uint32_t)3U) % (uint32_t)4U]; + r114[0U] = x04; + r114[1U] = x14; + r114[2U] = x24; + r114[3U] = x34; + uint32_t *r115 = r3; + uint32_t x0 = r115[1U]; + uint32_t x1 = r115[((uint32_t)1U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x2 = r115[((uint32_t)1U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x3 = r115[((uint32_t)1U + (uint32_t)3U) % (uint32_t)4U]; + r115[0U] = x0; + r115[1U] = x1; + r115[2U] = x2; + r115[3U] = x3; + } + uint32_t *s0 = s + (uint32_t)0U * (uint32_t)4U; + uint32_t *s1 = s + (uint32_t)1U * (uint32_t)4U; + uint32_t *r0 = wv + (uint32_t)0U * (uint32_t)4U; + uint32_t *r1 = wv + (uint32_t)1U * (uint32_t)4U; + uint32_t *r2 = wv + (uint32_t)2U * (uint32_t)4U; + uint32_t *r3 = wv + (uint32_t)3U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s0; + uint32_t x = s0[i] ^ r0[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s0; + uint32_t x = s0[i] ^ r2[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s1; + uint32_t x = s1[i] ^ r1[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s1; + uint32_t x = s1[i] ^ r3[i]; + os[i] = x; + } + return (uint64_t)0U; +} + +FStar_UInt128_uint128 +Hacl_Hash_Blake2_update_last_blake2b_32( + uint64_t *s, + FStar_UInt128_uint128 ev, + FStar_UInt128_uint128 prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)128U; + uint32_t blocks_len0 = blocks_n * (uint32_t)128U; + uint32_t rest_len0 = input_len - blocks_len0; + K___uint32_t_uint32_t_uint32_t scrut; + if (rest_len0 == (uint32_t)0U && blocks_n > (uint32_t)0U) + { + uint32_t blocks_n1 = blocks_n - (uint32_t)1U; + uint32_t blocks_len1 = blocks_len0 - (uint32_t)128U; + uint32_t rest_len1 = (uint32_t)128U; + scrut = + ((K___uint32_t_uint32_t_uint32_t){ .fst = blocks_n1, .snd = blocks_len1, .thd = rest_len1 }); + } + else + 
{ + scrut = + ((K___uint32_t_uint32_t_uint32_t){ .fst = blocks_n, .snd = blocks_len0, .thd = rest_len0 }); + } + uint32_t num_blocks0 = scrut.fst; + uint32_t blocks_len = scrut.snd; + uint32_t rest_len1 = scrut.thd; + uint8_t *blocks0 = input; + uint8_t *rest0 = input + blocks_len; + K___uint32_t_uint32_t_uint32_t__uint8_t___uint8_t_ + scrut0 = + { .fst = num_blocks0, .snd = blocks_len, .thd = rest_len1, .f3 = blocks0, .f4 = rest0 }; + uint32_t num_blocks = scrut0.fst; + uint32_t rest_len = scrut0.thd; + uint8_t *blocks = scrut0.f3; + uint8_t *rest = scrut0.f4; + FStar_UInt128_uint128 + ev_ = Hacl_Hash_Blake2_update_multi_blake2b_32(s, ev, blocks, num_blocks); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * (uint32_t)4U); + uint64_t *wv = alloca((uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + memset(wv, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + uint8_t tmp[128U] = { 0U }; + uint8_t *tmp_rest = tmp; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + FStar_UInt128_uint128 + totlen = FStar_UInt128_add_mod(ev_, FStar_UInt128_uint64_to_uint128((uint64_t)rest_len)); + uint64_t m_w[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t *os = m_w; + uint8_t *bj = tmp + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + uint64_t mask[4U] = { 0U }; + uint64_t wv_14 = (uint64_t)0xFFFFFFFFFFFFFFFFU; + uint64_t wv_15 = (uint64_t)0U; + mask[0U] = FStar_UInt128_uint128_to_uint64(totlen); + mask[1U] = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(totlen, (uint32_t)64U)); + mask[2U] = wv_14; + mask[3U] = wv_15; + memcpy(wv, s, (uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + uint64_t *wv3 = wv + (uint32_t)3U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv3; + uint64_t x = wv3[i] ^ mask[i]; + os[i] = x; + } + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)12U; i0++) + { + uint32_t start_idx = i0 % 
(uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * (uint32_t)4U); + uint64_t *m_st = alloca((uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + memset(m_st, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + uint64_t *r0 = m_st + (uint32_t)0U * (uint32_t)4U; + uint64_t *r1 = m_st + (uint32_t)1U * (uint32_t)4U; + uint64_t *r20 = m_st + (uint32_t)2U * (uint32_t)4U; + uint64_t *r30 = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + uint64_t uu____0 = m_w[s2]; + uint64_t uu____1 = m_w[s4]; + uint64_t uu____2 = m_w[s6]; + r0[0U] = m_w[s0]; + r0[1U] = uu____0; + r0[2U] = uu____1; + r0[3U] = uu____2; + uint64_t uu____3 = m_w[s3]; + uint64_t uu____4 = m_w[s5]; + uint64_t uu____5 
= m_w[s7]; + r1[0U] = m_w[s1]; + r1[1U] = uu____3; + r1[2U] = uu____4; + r1[3U] = uu____5; + uint64_t uu____6 = m_w[s10]; + uint64_t uu____7 = m_w[s12]; + uint64_t uu____8 = m_w[s14]; + r20[0U] = m_w[s8]; + r20[1U] = uu____6; + r20[2U] = uu____7; + r20[3U] = uu____8; + uint64_t uu____9 = m_w[s11]; + uint64_t uu____10 = m_w[s13]; + uint64_t uu____11 = m_w[s15]; + r30[0U] = m_w[s9]; + r30[1U] = uu____9; + r30[2U] = uu____10; + r30[3U] = uu____11; + uint64_t *x = m_st + (uint32_t)0U * (uint32_t)4U; + uint64_t *y = m_st + (uint32_t)1U * (uint32_t)4U; + uint64_t *z = m_st + (uint32_t)2U * (uint32_t)4U; + uint64_t *w = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d0 = (uint32_t)3U; + uint64_t *wv_a0 = wv + a * (uint32_t)4U; + uint64_t *wv_b0 = wv + b0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a0; + uint64_t x1 = wv_a0[i] + wv_b0[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a0; + uint64_t x1 = wv_a0[i] + x[i]; + os[i] = x1; + } + uint64_t *wv_a1 = wv + d0 * (uint32_t)4U; + uint64_t *wv_b1 = wv + a * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a1; + uint64_t x1 = wv_a1[i] ^ wv_b1[i]; + os[i] = x1; + } + uint64_t *r10 = wv_a1; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r10; + uint64_t x1 = r10[i]; + uint64_t x10 = x1 >> (uint32_t)32U | x1 << (uint32_t)32U; + os[i] = x10; + } + uint64_t *wv_a2 = wv + c0 * (uint32_t)4U; + uint64_t *wv_b2 = wv + d0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a2; + uint64_t x1 = wv_a2[i] + wv_b2[i]; + os[i] = x1; + } + uint64_t *wv_a3 = wv + b0 * (uint32_t)4U; + uint64_t *wv_b3 = wv + c0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a3; + uint64_t x1 = 
wv_a3[i] ^ wv_b3[i]; + os[i] = x1; + } + uint64_t *r12 = wv_a3; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r12; + uint64_t x1 = r12[i]; + uint64_t x10 = x1 >> (uint32_t)24U | x1 << (uint32_t)40U; + os[i] = x10; + } + uint64_t *wv_a4 = wv + a * (uint32_t)4U; + uint64_t *wv_b4 = wv + b0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a4; + uint64_t x1 = wv_a4[i] + wv_b4[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a4; + uint64_t x1 = wv_a4[i] + y[i]; + os[i] = x1; + } + uint64_t *wv_a5 = wv + d0 * (uint32_t)4U; + uint64_t *wv_b5 = wv + a * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a5; + uint64_t x1 = wv_a5[i] ^ wv_b5[i]; + os[i] = x1; + } + uint64_t *r13 = wv_a5; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r13; + uint64_t x1 = r13[i]; + uint64_t x10 = x1 >> (uint32_t)16U | x1 << (uint32_t)48U; + os[i] = x10; + } + uint64_t *wv_a6 = wv + c0 * (uint32_t)4U; + uint64_t *wv_b6 = wv + d0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a6; + uint64_t x1 = wv_a6[i] + wv_b6[i]; + os[i] = x1; + } + uint64_t *wv_a7 = wv + b0 * (uint32_t)4U; + uint64_t *wv_b7 = wv + c0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a7; + uint64_t x1 = wv_a7[i] ^ wv_b7[i]; + os[i] = x1; + } + uint64_t *r14 = wv_a7; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r14; + uint64_t x1 = r14[i]; + uint64_t x10 = x1 >> (uint32_t)63U | x1 << (uint32_t)1U; + os[i] = x10; + } + uint64_t *r15 = wv + (uint32_t)1U * (uint32_t)4U; + uint64_t *r21 = wv + (uint32_t)2U * (uint32_t)4U; + uint64_t *r31 = wv + (uint32_t)3U * (uint32_t)4U; + uint64_t *r110 = r15; + uint64_t x00 = r110[1U]; + uint64_t x10 = r110[((uint32_t)1U + (uint32_t)1U) % (uint32_t)4U]; + 
uint64_t x20 = r110[((uint32_t)1U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x30 = r110[((uint32_t)1U + (uint32_t)3U) % (uint32_t)4U]; + r110[0U] = x00; + r110[1U] = x10; + r110[2U] = x20; + r110[3U] = x30; + uint64_t *r111 = r21; + uint64_t x01 = r111[2U]; + uint64_t x11 = r111[((uint32_t)2U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x21 = r111[((uint32_t)2U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x31 = r111[((uint32_t)2U + (uint32_t)3U) % (uint32_t)4U]; + r111[0U] = x01; + r111[1U] = x11; + r111[2U] = x21; + r111[3U] = x31; + uint64_t *r112 = r31; + uint64_t x02 = r112[3U]; + uint64_t x12 = r112[((uint32_t)3U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x22 = r112[((uint32_t)3U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x32 = r112[((uint32_t)3U + (uint32_t)3U) % (uint32_t)4U]; + r112[0U] = x02; + r112[1U] = x12; + r112[2U] = x22; + r112[3U] = x32; + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d = (uint32_t)3U; + uint64_t *wv_a = wv + a0 * (uint32_t)4U; + uint64_t *wv_b8 = wv + b * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a; + uint64_t x1 = wv_a[i] + wv_b8[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a; + uint64_t x1 = wv_a[i] + z[i]; + os[i] = x1; + } + uint64_t *wv_a8 = wv + d * (uint32_t)4U; + uint64_t *wv_b9 = wv + a0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a8; + uint64_t x1 = wv_a8[i] ^ wv_b9[i]; + os[i] = x1; + } + uint64_t *r16 = wv_a8; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r16; + uint64_t x1 = r16[i]; + uint64_t x13 = x1 >> (uint32_t)32U | x1 << (uint32_t)32U; + os[i] = x13; + } + uint64_t *wv_a9 = wv + c * (uint32_t)4U; + uint64_t *wv_b10 = wv + d * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a9; + uint64_t x1 = wv_a9[i] + wv_b10[i]; + os[i] 
= x1; + } + uint64_t *wv_a10 = wv + b * (uint32_t)4U; + uint64_t *wv_b11 = wv + c * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a10; + uint64_t x1 = wv_a10[i] ^ wv_b11[i]; + os[i] = x1; + } + uint64_t *r17 = wv_a10; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r17; + uint64_t x1 = r17[i]; + uint64_t x13 = x1 >> (uint32_t)24U | x1 << (uint32_t)40U; + os[i] = x13; + } + uint64_t *wv_a11 = wv + a0 * (uint32_t)4U; + uint64_t *wv_b12 = wv + b * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a11; + uint64_t x1 = wv_a11[i] + wv_b12[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a11; + uint64_t x1 = wv_a11[i] + w[i]; + os[i] = x1; + } + uint64_t *wv_a12 = wv + d * (uint32_t)4U; + uint64_t *wv_b13 = wv + a0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a12; + uint64_t x1 = wv_a12[i] ^ wv_b13[i]; + os[i] = x1; + } + uint64_t *r18 = wv_a12; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r18; + uint64_t x1 = r18[i]; + uint64_t x13 = x1 >> (uint32_t)16U | x1 << (uint32_t)48U; + os[i] = x13; + } + uint64_t *wv_a13 = wv + c * (uint32_t)4U; + uint64_t *wv_b14 = wv + d * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a13; + uint64_t x1 = wv_a13[i] + wv_b14[i]; + os[i] = x1; + } + uint64_t *wv_a14 = wv + b * (uint32_t)4U; + uint64_t *wv_b = wv + c * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a14; + uint64_t x1 = wv_a14[i] ^ wv_b[i]; + os[i] = x1; + } + uint64_t *r19 = wv_a14; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r19; + uint64_t x1 = r19[i]; + uint64_t x13 = x1 >> (uint32_t)63U | x1 << (uint32_t)1U; + os[i] = x13; + } + uint64_t *r113 = wv + (uint32_t)1U * (uint32_t)4U; + uint64_t 
*r2 = wv + (uint32_t)2U * (uint32_t)4U; + uint64_t *r3 = wv + (uint32_t)3U * (uint32_t)4U; + uint64_t *r11 = r113; + uint64_t x03 = r11[3U]; + uint64_t x13 = r11[((uint32_t)3U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x23 = r11[((uint32_t)3U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x33 = r11[((uint32_t)3U + (uint32_t)3U) % (uint32_t)4U]; + r11[0U] = x03; + r11[1U] = x13; + r11[2U] = x23; + r11[3U] = x33; + uint64_t *r114 = r2; + uint64_t x04 = r114[2U]; + uint64_t x14 = r114[((uint32_t)2U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x24 = r114[((uint32_t)2U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x34 = r114[((uint32_t)2U + (uint32_t)3U) % (uint32_t)4U]; + r114[0U] = x04; + r114[1U] = x14; + r114[2U] = x24; + r114[3U] = x34; + uint64_t *r115 = r3; + uint64_t x0 = r115[1U]; + uint64_t x1 = r115[((uint32_t)1U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x2 = r115[((uint32_t)1U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x3 = r115[((uint32_t)1U + (uint32_t)3U) % (uint32_t)4U]; + r115[0U] = x0; + r115[1U] = x1; + r115[2U] = x2; + r115[3U] = x3; + } + uint64_t *s0 = s + (uint32_t)0U * (uint32_t)4U; + uint64_t *s1 = s + (uint32_t)1U * (uint32_t)4U; + uint64_t *r0 = wv + (uint32_t)0U * (uint32_t)4U; + uint64_t *r1 = wv + (uint32_t)1U * (uint32_t)4U; + uint64_t *r2 = wv + (uint32_t)2U * (uint32_t)4U; + uint64_t *r3 = wv + (uint32_t)3U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s0; + uint64_t x = s0[i] ^ r0[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s0; + uint64_t x = s0[i] ^ r2[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s1; + uint64_t x = s1[i] ^ r1[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s1; + uint64_t x = s1[i] ^ r3[i]; + os[i] = x; + } + return FStar_UInt128_uint64_to_uint128((uint64_t)0U); +} + +void Hacl_Hash_Blake2_hash_blake2s_32(uint8_t 
*input, uint32_t input_len, uint8_t *dst) +{ + Hacl_Blake2s_32_blake2s((uint32_t)32U, dst, input_len, input, (uint32_t)0U, NULL); +} + +void Hacl_Hash_Blake2_hash_blake2b_32(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + Hacl_Blake2b_32_blake2b((uint32_t)64U, dst, input_len, input, (uint32_t)0U, NULL); +} + +static inline void +blake2b_update_block( + uint64_t *wv, + uint64_t *hash, + bool flag, + FStar_UInt128_uint128 totlen, + uint8_t *d +) +{ + uint64_t m_w[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t *os = m_w; + uint8_t *bj = d + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + uint64_t mask[4U] = { 0U }; + uint64_t wv_14; + if (flag) + { + wv_14 = (uint64_t)0xFFFFFFFFFFFFFFFFU; + } + else + { + wv_14 = (uint64_t)0U; + } + uint64_t wv_15 = (uint64_t)0U; + mask[0U] = FStar_UInt128_uint128_to_uint64(totlen); + mask[1U] = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(totlen, (uint32_t)64U)); + mask[2U] = wv_14; + mask[3U] = wv_15; + memcpy(wv, hash, (uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + uint64_t *wv3 = wv + (uint32_t)3U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv3; + uint64_t x = wv3[i] ^ mask[i]; + os[i] = x; + } + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)12U; i0++) + { + uint32_t start_idx = i0 % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * (uint32_t)4U); + uint64_t *m_st = alloca((uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + memset(m_st, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + uint64_t *r0 = m_st + (uint32_t)0U * (uint32_t)4U; + uint64_t *r1 = m_st + (uint32_t)1U * (uint32_t)4U; + uint64_t *r20 = m_st + (uint32_t)2U * (uint32_t)4U; + uint64_t *r30 = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + 
(uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + uint64_t uu____0 = m_w[s2]; + uint64_t uu____1 = m_w[s4]; + uint64_t uu____2 = m_w[s6]; + r0[0U] = m_w[s0]; + r0[1U] = uu____0; + r0[2U] = uu____1; + r0[3U] = uu____2; + uint64_t uu____3 = m_w[s3]; + uint64_t uu____4 = m_w[s5]; + uint64_t uu____5 = m_w[s7]; + r1[0U] = m_w[s1]; + r1[1U] = uu____3; + r1[2U] = uu____4; + r1[3U] = uu____5; + uint64_t uu____6 = m_w[s10]; + uint64_t uu____7 = m_w[s12]; + uint64_t uu____8 = m_w[s14]; + r20[0U] = m_w[s8]; + r20[1U] = uu____6; + r20[2U] = uu____7; + r20[3U] = uu____8; + uint64_t uu____9 = m_w[s11]; + uint64_t uu____10 = m_w[s13]; + uint64_t uu____11 = m_w[s15]; + r30[0U] = m_w[s9]; + r30[1U] = uu____9; + r30[2U] = uu____10; + r30[3U] = uu____11; + uint64_t *x = m_st + (uint32_t)0U * (uint32_t)4U; + uint64_t *y = m_st + (uint32_t)1U * (uint32_t)4U; + uint64_t *z = m_st + (uint32_t)2U 
* (uint32_t)4U; + uint64_t *w = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d10 = (uint32_t)3U; + uint64_t *wv_a0 = wv + a * (uint32_t)4U; + uint64_t *wv_b0 = wv + b0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a0; + uint64_t x1 = wv_a0[i] + wv_b0[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a0; + uint64_t x1 = wv_a0[i] + x[i]; + os[i] = x1; + } + uint64_t *wv_a1 = wv + d10 * (uint32_t)4U; + uint64_t *wv_b1 = wv + a * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a1; + uint64_t x1 = wv_a1[i] ^ wv_b1[i]; + os[i] = x1; + } + uint64_t *r10 = wv_a1; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r10; + uint64_t x1 = r10[i]; + uint64_t x10 = x1 >> (uint32_t)32U | x1 << (uint32_t)32U; + os[i] = x10; + } + uint64_t *wv_a2 = wv + c0 * (uint32_t)4U; + uint64_t *wv_b2 = wv + d10 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a2; + uint64_t x1 = wv_a2[i] + wv_b2[i]; + os[i] = x1; + } + uint64_t *wv_a3 = wv + b0 * (uint32_t)4U; + uint64_t *wv_b3 = wv + c0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a3; + uint64_t x1 = wv_a3[i] ^ wv_b3[i]; + os[i] = x1; + } + uint64_t *r12 = wv_a3; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r12; + uint64_t x1 = r12[i]; + uint64_t x10 = x1 >> (uint32_t)24U | x1 << (uint32_t)40U; + os[i] = x10; + } + uint64_t *wv_a4 = wv + a * (uint32_t)4U; + uint64_t *wv_b4 = wv + b0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a4; + uint64_t x1 = wv_a4[i] + wv_b4[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a4; + uint64_t x1 = wv_a4[i] + 
y[i]; + os[i] = x1; + } + uint64_t *wv_a5 = wv + d10 * (uint32_t)4U; + uint64_t *wv_b5 = wv + a * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a5; + uint64_t x1 = wv_a5[i] ^ wv_b5[i]; + os[i] = x1; + } + uint64_t *r13 = wv_a5; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r13; + uint64_t x1 = r13[i]; + uint64_t x10 = x1 >> (uint32_t)16U | x1 << (uint32_t)48U; + os[i] = x10; + } + uint64_t *wv_a6 = wv + c0 * (uint32_t)4U; + uint64_t *wv_b6 = wv + d10 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a6; + uint64_t x1 = wv_a6[i] + wv_b6[i]; + os[i] = x1; + } + uint64_t *wv_a7 = wv + b0 * (uint32_t)4U; + uint64_t *wv_b7 = wv + c0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a7; + uint64_t x1 = wv_a7[i] ^ wv_b7[i]; + os[i] = x1; + } + uint64_t *r14 = wv_a7; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r14; + uint64_t x1 = r14[i]; + uint64_t x10 = x1 >> (uint32_t)63U | x1 << (uint32_t)1U; + os[i] = x10; + } + uint64_t *r15 = wv + (uint32_t)1U * (uint32_t)4U; + uint64_t *r21 = wv + (uint32_t)2U * (uint32_t)4U; + uint64_t *r31 = wv + (uint32_t)3U * (uint32_t)4U; + uint64_t *r110 = r15; + uint64_t x00 = r110[1U]; + uint64_t x10 = r110[((uint32_t)1U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x20 = r110[((uint32_t)1U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x30 = r110[((uint32_t)1U + (uint32_t)3U) % (uint32_t)4U]; + r110[0U] = x00; + r110[1U] = x10; + r110[2U] = x20; + r110[3U] = x30; + uint64_t *r111 = r21; + uint64_t x01 = r111[2U]; + uint64_t x11 = r111[((uint32_t)2U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x21 = r111[((uint32_t)2U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x31 = r111[((uint32_t)2U + (uint32_t)3U) % (uint32_t)4U]; + r111[0U] = x01; + r111[1U] = x11; + r111[2U] = x21; + r111[3U] = x31; + uint64_t *r112 = r31; + uint64_t x02 = r112[3U]; + 
uint64_t x12 = r112[((uint32_t)3U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x22 = r112[((uint32_t)3U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x32 = r112[((uint32_t)3U + (uint32_t)3U) % (uint32_t)4U]; + r112[0U] = x02; + r112[1U] = x12; + r112[2U] = x22; + r112[3U] = x32; + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d1 = (uint32_t)3U; + uint64_t *wv_a = wv + a0 * (uint32_t)4U; + uint64_t *wv_b8 = wv + b * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a; + uint64_t x1 = wv_a[i] + wv_b8[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a; + uint64_t x1 = wv_a[i] + z[i]; + os[i] = x1; + } + uint64_t *wv_a8 = wv + d1 * (uint32_t)4U; + uint64_t *wv_b9 = wv + a0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a8; + uint64_t x1 = wv_a8[i] ^ wv_b9[i]; + os[i] = x1; + } + uint64_t *r16 = wv_a8; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r16; + uint64_t x1 = r16[i]; + uint64_t x13 = x1 >> (uint32_t)32U | x1 << (uint32_t)32U; + os[i] = x13; + } + uint64_t *wv_a9 = wv + c * (uint32_t)4U; + uint64_t *wv_b10 = wv + d1 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a9; + uint64_t x1 = wv_a9[i] + wv_b10[i]; + os[i] = x1; + } + uint64_t *wv_a10 = wv + b * (uint32_t)4U; + uint64_t *wv_b11 = wv + c * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a10; + uint64_t x1 = wv_a10[i] ^ wv_b11[i]; + os[i] = x1; + } + uint64_t *r17 = wv_a10; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r17; + uint64_t x1 = r17[i]; + uint64_t x13 = x1 >> (uint32_t)24U | x1 << (uint32_t)40U; + os[i] = x13; + } + uint64_t *wv_a11 = wv + a0 * (uint32_t)4U; + uint64_t *wv_b12 = wv + b * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < 
(uint32_t)4U; i++) + { + uint64_t *os = wv_a11; + uint64_t x1 = wv_a11[i] + wv_b12[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a11; + uint64_t x1 = wv_a11[i] + w[i]; + os[i] = x1; + } + uint64_t *wv_a12 = wv + d1 * (uint32_t)4U; + uint64_t *wv_b13 = wv + a0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a12; + uint64_t x1 = wv_a12[i] ^ wv_b13[i]; + os[i] = x1; + } + uint64_t *r18 = wv_a12; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r18; + uint64_t x1 = r18[i]; + uint64_t x13 = x1 >> (uint32_t)16U | x1 << (uint32_t)48U; + os[i] = x13; + } + uint64_t *wv_a13 = wv + c * (uint32_t)4U; + uint64_t *wv_b14 = wv + d1 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a13; + uint64_t x1 = wv_a13[i] + wv_b14[i]; + os[i] = x1; + } + uint64_t *wv_a14 = wv + b * (uint32_t)4U; + uint64_t *wv_b = wv + c * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = wv_a14; + uint64_t x1 = wv_a14[i] ^ wv_b[i]; + os[i] = x1; + } + uint64_t *r19 = wv_a14; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = r19; + uint64_t x1 = r19[i]; + uint64_t x13 = x1 >> (uint32_t)63U | x1 << (uint32_t)1U; + os[i] = x13; + } + uint64_t *r113 = wv + (uint32_t)1U * (uint32_t)4U; + uint64_t *r2 = wv + (uint32_t)2U * (uint32_t)4U; + uint64_t *r3 = wv + (uint32_t)3U * (uint32_t)4U; + uint64_t *r11 = r113; + uint64_t x03 = r11[3U]; + uint64_t x13 = r11[((uint32_t)3U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x23 = r11[((uint32_t)3U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x33 = r11[((uint32_t)3U + (uint32_t)3U) % (uint32_t)4U]; + r11[0U] = x03; + r11[1U] = x13; + r11[2U] = x23; + r11[3U] = x33; + uint64_t *r114 = r2; + uint64_t x04 = r114[2U]; + uint64_t x14 = r114[((uint32_t)2U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x24 = r114[((uint32_t)2U + 
(uint32_t)2U) % (uint32_t)4U]; + uint64_t x34 = r114[((uint32_t)2U + (uint32_t)3U) % (uint32_t)4U]; + r114[0U] = x04; + r114[1U] = x14; + r114[2U] = x24; + r114[3U] = x34; + uint64_t *r115 = r3; + uint64_t x0 = r115[1U]; + uint64_t x1 = r115[((uint32_t)1U + (uint32_t)1U) % (uint32_t)4U]; + uint64_t x2 = r115[((uint32_t)1U + (uint32_t)2U) % (uint32_t)4U]; + uint64_t x3 = r115[((uint32_t)1U + (uint32_t)3U) % (uint32_t)4U]; + r115[0U] = x0; + r115[1U] = x1; + r115[2U] = x2; + r115[3U] = x3; + } + uint64_t *s0 = hash + (uint32_t)0U * (uint32_t)4U; + uint64_t *s1 = hash + (uint32_t)1U * (uint32_t)4U; + uint64_t *r0 = wv + (uint32_t)0U * (uint32_t)4U; + uint64_t *r1 = wv + (uint32_t)1U * (uint32_t)4U; + uint64_t *r2 = wv + (uint32_t)2U * (uint32_t)4U; + uint64_t *r3 = wv + (uint32_t)3U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s0; + uint64_t x = s0[i] ^ r0[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s0; + uint64_t x = s0[i] ^ r2[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s1; + uint64_t x = s1[i] ^ r1[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t *os = s1; + uint64_t x = s1[i] ^ r3[i]; + os[i] = x; + } +} + +void Hacl_Blake2b_32_blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn) +{ + uint64_t *r0 = hash + (uint32_t)0U * (uint32_t)4U; + uint64_t *r1 = hash + (uint32_t)1U * (uint32_t)4U; + uint64_t *r2 = hash + (uint32_t)2U * (uint32_t)4U; + uint64_t *r3 = hash + (uint32_t)3U * (uint32_t)4U; + uint64_t iv0 = Hacl_Impl_Blake2_Constants_ivTable_B[0U]; + uint64_t iv1 = Hacl_Impl_Blake2_Constants_ivTable_B[1U]; + uint64_t iv2 = Hacl_Impl_Blake2_Constants_ivTable_B[2U]; + uint64_t iv3 = Hacl_Impl_Blake2_Constants_ivTable_B[3U]; + uint64_t iv4 = Hacl_Impl_Blake2_Constants_ivTable_B[4U]; + uint64_t iv5 = Hacl_Impl_Blake2_Constants_ivTable_B[5U]; + uint64_t iv6 = 
Hacl_Impl_Blake2_Constants_ivTable_B[6U]; + uint64_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + uint64_t kk_shift_8 = (uint64_t)kk << (uint32_t)8U; + uint64_t iv0_ = iv0 ^ ((uint64_t)0x01010000U ^ (kk_shift_8 ^ (uint64_t)nn)); + r0[0U] = iv0_; + r0[1U] = iv1; + r0[2U] = iv2; + r0[3U] = iv3; + r1[0U] = iv4; + r1[1U] = iv5; + r1[2U] = iv6; + r1[3U] = iv7; +} + +void +Hacl_Blake2b_32_blake2b_update_key( + uint64_t *wv, + uint64_t *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll +) +{ + FStar_UInt128_uint128 lb = FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U); + uint8_t b[128U] = { 0U }; + memcpy(b, k, kk * sizeof (uint8_t)); + if (ll == (uint32_t)0U) + { + blake2b_update_block(wv, hash, true, lb, b); + } + else + { + blake2b_update_block(wv, hash, false, lb, b); + } + Lib_Memzero0_memzero(b, (uint32_t)128U * sizeof (b[0U])); +} + +void +Hacl_Blake2b_32_blake2b_update_multi( + uint32_t len, + uint64_t *wv, + uint64_t *hash, + FStar_UInt128_uint128 prev, + uint8_t *blocks, + uint32_t nb +) +{ + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + FStar_UInt128_uint128 + totlen = + FStar_UInt128_add_mod(prev, + FStar_UInt128_uint64_to_uint128((uint64_t)((i + (uint32_t)1U) * (uint32_t)128U))); + uint8_t *b = blocks + i * (uint32_t)128U; + blake2b_update_block(wv, hash, false, totlen, b); + } +} + +void +Hacl_Blake2b_32_blake2b_update_last( + uint32_t len, + uint64_t *wv, + uint64_t *hash, + FStar_UInt128_uint128 prev, + uint32_t rem, + uint8_t *d +) +{ + uint8_t b[128U] = { 0U }; + uint8_t *last = d + len - rem; + memcpy(b, last, rem * sizeof (uint8_t)); + FStar_UInt128_uint128 + totlen = FStar_UInt128_add_mod(prev, FStar_UInt128_uint64_to_uint128((uint64_t)len)); + blake2b_update_block(wv, hash, true, totlen, b); + Lib_Memzero0_memzero(b, (uint32_t)128U * sizeof (b[0U])); +} + +static inline void +blake2b_update_blocks( + 
uint32_t len, + uint64_t *wv, + uint64_t *hash, + FStar_UInt128_uint128 prev, + uint8_t *blocks +) +{ + uint32_t nb0 = len / (uint32_t)128U; + uint32_t rem0 = len % (uint32_t)128U; + K___uint32_t_uint32_t scrut; + if (rem0 == (uint32_t)0U && nb0 > (uint32_t)0U) + { + uint32_t nb_ = nb0 - (uint32_t)1U; + uint32_t rem_ = (uint32_t)128U; + scrut = ((K___uint32_t_uint32_t){ .fst = nb_, .snd = rem_ }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = nb0, .snd = rem0 }); + } + uint32_t nb = scrut.fst; + uint32_t rem = scrut.snd; + Hacl_Blake2b_32_blake2b_update_multi(len, wv, hash, prev, blocks, nb); + Hacl_Blake2b_32_blake2b_update_last(len, wv, hash, prev, rem, blocks); +} + +static inline void +blake2b_update(uint64_t *wv, uint64_t *hash, uint32_t kk, uint8_t *k, uint32_t ll, uint8_t *d) +{ + FStar_UInt128_uint128 lb = FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U); + if (kk > (uint32_t)0U) + { + Hacl_Blake2b_32_blake2b_update_key(wv, hash, kk, k, ll); + if (!(ll == (uint32_t)0U)) + { + blake2b_update_blocks(ll, wv, hash, lb, d); + return; + } + return; + } + blake2b_update_blocks(ll, + wv, + hash, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)0U), + d); +} + +void Hacl_Blake2b_32_blake2b_finish(uint32_t nn, uint8_t *output, uint64_t *hash) +{ + uint32_t double_row = (uint32_t)2U * ((uint32_t)4U * (uint32_t)8U); + KRML_CHECK_SIZE(sizeof (uint8_t), double_row); + uint8_t *b = alloca(double_row * sizeof (uint8_t)); + memset(b, 0U, double_row * sizeof (uint8_t)); + uint8_t *first = b; + uint8_t *second = b + (uint32_t)4U * (uint32_t)8U; + uint64_t *row0 = hash + (uint32_t)0U * (uint32_t)4U; + uint64_t *row1 = hash + (uint32_t)1U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store64_le(first + i * (uint32_t)8U, row0[i]); + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store64_le(second + i * (uint32_t)8U, row1[i]); + } + uint8_t *final = b; + memcpy(output, final, nn * sizeof (uint8_t)); + 
Lib_Memzero0_memzero(b, double_row * sizeof (b[0U])); +} + +void +Hacl_Blake2b_32_blake2b( + uint32_t nn, + uint8_t *output, + uint32_t ll, + uint8_t *d, + uint32_t kk, + uint8_t *k +) +{ + uint32_t stlen = (uint32_t)4U * (uint32_t)4U; + uint64_t stzero = (uint64_t)0U; + KRML_CHECK_SIZE(sizeof (uint64_t), stlen); + uint64_t *b = alloca(stlen * sizeof (uint64_t)); + for (uint32_t _i = 0U; _i < stlen; ++_i) + b[_i] = stzero; + KRML_CHECK_SIZE(sizeof (uint64_t), stlen); + uint64_t *b1 = alloca(stlen * sizeof (uint64_t)); + for (uint32_t _i = 0U; _i < stlen; ++_i) + b1[_i] = stzero; + Hacl_Blake2b_32_blake2b_init(b, kk, nn); + blake2b_update(b1, b, kk, k, ll, d); + Hacl_Blake2b_32_blake2b_finish(nn, output, b); + Lib_Memzero0_memzero(b1, stlen * sizeof (b1[0U])); + Lib_Memzero0_memzero(b, stlen * sizeof (b[0U])); +} + +static inline void +blake2s_update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t *d) +{ + uint32_t m_w[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = m_w; + uint8_t *bj = d + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + uint32_t mask[4U] = { 0U }; + uint32_t wv_14; + if (flag) + { + wv_14 = (uint32_t)0xFFFFFFFFU; + } + else + { + wv_14 = (uint32_t)0U; + } + uint32_t wv_15 = (uint32_t)0U; + mask[0U] = (uint32_t)totlen; + mask[1U] = (uint32_t)(totlen >> (uint32_t)32U); + mask[2U] = wv_14; + mask[3U] = wv_15; + memcpy(wv, hash, (uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + uint32_t *wv3 = wv + (uint32_t)3U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv3; + uint32_t x = wv3[i] ^ mask[i]; + os[i] = x; + } + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)10U; i0++) + { + uint32_t start_idx = i0 % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * (uint32_t)4U); + uint32_t *m_st = alloca((uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + 
memset(m_st, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + uint32_t *r0 = m_st + (uint32_t)0U * (uint32_t)4U; + uint32_t *r1 = m_st + (uint32_t)1U * (uint32_t)4U; + uint32_t *r20 = m_st + (uint32_t)2U * (uint32_t)4U; + uint32_t *r30 = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + uint32_t uu____0 = m_w[s2]; + uint32_t uu____1 = m_w[s4]; + uint32_t uu____2 = m_w[s6]; + r0[0U] = m_w[s0]; + r0[1U] = uu____0; + r0[2U] = uu____1; + r0[3U] = uu____2; + uint32_t uu____3 = m_w[s3]; + uint32_t uu____4 = m_w[s5]; + uint32_t uu____5 = m_w[s7]; + r1[0U] = m_w[s1]; + r1[1U] = uu____3; + r1[2U] = uu____4; + r1[3U] = uu____5; + uint32_t uu____6 = m_w[s10]; + uint32_t uu____7 = m_w[s12]; + uint32_t uu____8 = 
m_w[s14]; + r20[0U] = m_w[s8]; + r20[1U] = uu____6; + r20[2U] = uu____7; + r20[3U] = uu____8; + uint32_t uu____9 = m_w[s11]; + uint32_t uu____10 = m_w[s13]; + uint32_t uu____11 = m_w[s15]; + r30[0U] = m_w[s9]; + r30[1U] = uu____9; + r30[2U] = uu____10; + r30[3U] = uu____11; + uint32_t *x = m_st + (uint32_t)0U * (uint32_t)4U; + uint32_t *y = m_st + (uint32_t)1U * (uint32_t)4U; + uint32_t *z = m_st + (uint32_t)2U * (uint32_t)4U; + uint32_t *w = m_st + (uint32_t)3U * (uint32_t)4U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d10 = (uint32_t)3U; + uint32_t *wv_a0 = wv + a * (uint32_t)4U; + uint32_t *wv_b0 = wv + b0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a0; + uint32_t x1 = wv_a0[i] + wv_b0[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a0; + uint32_t x1 = wv_a0[i] + x[i]; + os[i] = x1; + } + uint32_t *wv_a1 = wv + d10 * (uint32_t)4U; + uint32_t *wv_b1 = wv + a * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a1; + uint32_t x1 = wv_a1[i] ^ wv_b1[i]; + os[i] = x1; + } + uint32_t *r10 = wv_a1; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r10; + uint32_t x1 = r10[i]; + uint32_t x10 = x1 >> (uint32_t)16U | x1 << (uint32_t)16U; + os[i] = x10; + } + uint32_t *wv_a2 = wv + c0 * (uint32_t)4U; + uint32_t *wv_b2 = wv + d10 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a2; + uint32_t x1 = wv_a2[i] + wv_b2[i]; + os[i] = x1; + } + uint32_t *wv_a3 = wv + b0 * (uint32_t)4U; + uint32_t *wv_b3 = wv + c0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a3; + uint32_t x1 = wv_a3[i] ^ wv_b3[i]; + os[i] = x1; + } + uint32_t *r12 = wv_a3; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r12; + uint32_t x1 = r12[i]; + 
uint32_t x10 = x1 >> (uint32_t)12U | x1 << (uint32_t)20U; + os[i] = x10; + } + uint32_t *wv_a4 = wv + a * (uint32_t)4U; + uint32_t *wv_b4 = wv + b0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a4; + uint32_t x1 = wv_a4[i] + wv_b4[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a4; + uint32_t x1 = wv_a4[i] + y[i]; + os[i] = x1; + } + uint32_t *wv_a5 = wv + d10 * (uint32_t)4U; + uint32_t *wv_b5 = wv + a * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a5; + uint32_t x1 = wv_a5[i] ^ wv_b5[i]; + os[i] = x1; + } + uint32_t *r13 = wv_a5; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r13; + uint32_t x1 = r13[i]; + uint32_t x10 = x1 >> (uint32_t)8U | x1 << (uint32_t)24U; + os[i] = x10; + } + uint32_t *wv_a6 = wv + c0 * (uint32_t)4U; + uint32_t *wv_b6 = wv + d10 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a6; + uint32_t x1 = wv_a6[i] + wv_b6[i]; + os[i] = x1; + } + uint32_t *wv_a7 = wv + b0 * (uint32_t)4U; + uint32_t *wv_b7 = wv + c0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a7; + uint32_t x1 = wv_a7[i] ^ wv_b7[i]; + os[i] = x1; + } + uint32_t *r14 = wv_a7; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r14; + uint32_t x1 = r14[i]; + uint32_t x10 = x1 >> (uint32_t)7U | x1 << (uint32_t)25U; + os[i] = x10; + } + uint32_t *r15 = wv + (uint32_t)1U * (uint32_t)4U; + uint32_t *r21 = wv + (uint32_t)2U * (uint32_t)4U; + uint32_t *r31 = wv + (uint32_t)3U * (uint32_t)4U; + uint32_t *r110 = r15; + uint32_t x00 = r110[1U]; + uint32_t x10 = r110[((uint32_t)1U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x20 = r110[((uint32_t)1U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x30 = r110[((uint32_t)1U + (uint32_t)3U) % (uint32_t)4U]; + r110[0U] = x00; + r110[1U] = x10; + 
r110[2U] = x20; + r110[3U] = x30; + uint32_t *r111 = r21; + uint32_t x01 = r111[2U]; + uint32_t x11 = r111[((uint32_t)2U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x21 = r111[((uint32_t)2U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x31 = r111[((uint32_t)2U + (uint32_t)3U) % (uint32_t)4U]; + r111[0U] = x01; + r111[1U] = x11; + r111[2U] = x21; + r111[3U] = x31; + uint32_t *r112 = r31; + uint32_t x02 = r112[3U]; + uint32_t x12 = r112[((uint32_t)3U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x22 = r112[((uint32_t)3U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x32 = r112[((uint32_t)3U + (uint32_t)3U) % (uint32_t)4U]; + r112[0U] = x02; + r112[1U] = x12; + r112[2U] = x22; + r112[3U] = x32; + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d1 = (uint32_t)3U; + uint32_t *wv_a = wv + a0 * (uint32_t)4U; + uint32_t *wv_b8 = wv + b * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a; + uint32_t x1 = wv_a[i] + wv_b8[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a; + uint32_t x1 = wv_a[i] + z[i]; + os[i] = x1; + } + uint32_t *wv_a8 = wv + d1 * (uint32_t)4U; + uint32_t *wv_b9 = wv + a0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a8; + uint32_t x1 = wv_a8[i] ^ wv_b9[i]; + os[i] = x1; + } + uint32_t *r16 = wv_a8; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r16; + uint32_t x1 = r16[i]; + uint32_t x13 = x1 >> (uint32_t)16U | x1 << (uint32_t)16U; + os[i] = x13; + } + uint32_t *wv_a9 = wv + c * (uint32_t)4U; + uint32_t *wv_b10 = wv + d1 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a9; + uint32_t x1 = wv_a9[i] + wv_b10[i]; + os[i] = x1; + } + uint32_t *wv_a10 = wv + b * (uint32_t)4U; + uint32_t *wv_b11 = wv + c * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t 
*os = wv_a10; + uint32_t x1 = wv_a10[i] ^ wv_b11[i]; + os[i] = x1; + } + uint32_t *r17 = wv_a10; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r17; + uint32_t x1 = r17[i]; + uint32_t x13 = x1 >> (uint32_t)12U | x1 << (uint32_t)20U; + os[i] = x13; + } + uint32_t *wv_a11 = wv + a0 * (uint32_t)4U; + uint32_t *wv_b12 = wv + b * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a11; + uint32_t x1 = wv_a11[i] + wv_b12[i]; + os[i] = x1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a11; + uint32_t x1 = wv_a11[i] + w[i]; + os[i] = x1; + } + uint32_t *wv_a12 = wv + d1 * (uint32_t)4U; + uint32_t *wv_b13 = wv + a0 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a12; + uint32_t x1 = wv_a12[i] ^ wv_b13[i]; + os[i] = x1; + } + uint32_t *r18 = wv_a12; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r18; + uint32_t x1 = r18[i]; + uint32_t x13 = x1 >> (uint32_t)8U | x1 << (uint32_t)24U; + os[i] = x13; + } + uint32_t *wv_a13 = wv + c * (uint32_t)4U; + uint32_t *wv_b14 = wv + d1 * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a13; + uint32_t x1 = wv_a13[i] + wv_b14[i]; + os[i] = x1; + } + uint32_t *wv_a14 = wv + b * (uint32_t)4U; + uint32_t *wv_b = wv + c * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = wv_a14; + uint32_t x1 = wv_a14[i] ^ wv_b[i]; + os[i] = x1; + } + uint32_t *r19 = wv_a14; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = r19; + uint32_t x1 = r19[i]; + uint32_t x13 = x1 >> (uint32_t)7U | x1 << (uint32_t)25U; + os[i] = x13; + } + uint32_t *r113 = wv + (uint32_t)1U * (uint32_t)4U; + uint32_t *r2 = wv + (uint32_t)2U * (uint32_t)4U; + uint32_t *r3 = wv + (uint32_t)3U * (uint32_t)4U; + uint32_t *r11 = r113; + uint32_t x03 = r11[3U]; + uint32_t x13 = 
r11[((uint32_t)3U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x23 = r11[((uint32_t)3U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x33 = r11[((uint32_t)3U + (uint32_t)3U) % (uint32_t)4U]; + r11[0U] = x03; + r11[1U] = x13; + r11[2U] = x23; + r11[3U] = x33; + uint32_t *r114 = r2; + uint32_t x04 = r114[2U]; + uint32_t x14 = r114[((uint32_t)2U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x24 = r114[((uint32_t)2U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x34 = r114[((uint32_t)2U + (uint32_t)3U) % (uint32_t)4U]; + r114[0U] = x04; + r114[1U] = x14; + r114[2U] = x24; + r114[3U] = x34; + uint32_t *r115 = r3; + uint32_t x0 = r115[1U]; + uint32_t x1 = r115[((uint32_t)1U + (uint32_t)1U) % (uint32_t)4U]; + uint32_t x2 = r115[((uint32_t)1U + (uint32_t)2U) % (uint32_t)4U]; + uint32_t x3 = r115[((uint32_t)1U + (uint32_t)3U) % (uint32_t)4U]; + r115[0U] = x0; + r115[1U] = x1; + r115[2U] = x2; + r115[3U] = x3; + } + uint32_t *s0 = hash + (uint32_t)0U * (uint32_t)4U; + uint32_t *s1 = hash + (uint32_t)1U * (uint32_t)4U; + uint32_t *r0 = wv + (uint32_t)0U * (uint32_t)4U; + uint32_t *r1 = wv + (uint32_t)1U * (uint32_t)4U; + uint32_t *r2 = wv + (uint32_t)2U * (uint32_t)4U; + uint32_t *r3 = wv + (uint32_t)3U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s0; + uint32_t x = s0[i] ^ r0[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s0; + uint32_t x = s0[i] ^ r2[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s1; + uint32_t x = s1[i] ^ r1[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = s1; + uint32_t x = s1[i] ^ r3[i]; + os[i] = x; + } +} + +void Hacl_Blake2s_32_blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn) +{ + uint32_t *r0 = hash + (uint32_t)0U * (uint32_t)4U; + uint32_t *r1 = hash + (uint32_t)1U * (uint32_t)4U; + uint32_t *r2 = hash + (uint32_t)2U * (uint32_t)4U; + uint32_t *r3 = 
hash + (uint32_t)3U * (uint32_t)4U; + uint32_t iv0 = Hacl_Impl_Blake2_Constants_ivTable_S[0U]; + uint32_t iv1 = Hacl_Impl_Blake2_Constants_ivTable_S[1U]; + uint32_t iv2 = Hacl_Impl_Blake2_Constants_ivTable_S[2U]; + uint32_t iv3 = Hacl_Impl_Blake2_Constants_ivTable_S[3U]; + uint32_t iv4 = Hacl_Impl_Blake2_Constants_ivTable_S[4U]; + uint32_t iv5 = Hacl_Impl_Blake2_Constants_ivTable_S[5U]; + uint32_t iv6 = Hacl_Impl_Blake2_Constants_ivTable_S[6U]; + uint32_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + uint32_t kk_shift_8 = kk << (uint32_t)8U; + uint32_t iv0_ = iv0 ^ ((uint32_t)0x01010000U ^ (kk_shift_8 ^ nn)); + r0[0U] = iv0_; + r0[1U] = iv1; + r0[2U] = iv2; + r0[3U] = iv3; + r1[0U] = iv4; + r1[1U] = iv5; + r1[2U] = iv6; + r1[3U] = iv7; +} + +void +Hacl_Blake2s_32_blake2s_update_key( + uint32_t *wv, + uint32_t *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll +) +{ + uint64_t lb = (uint64_t)(uint32_t)64U; + uint8_t b[64U] = { 0U }; + memcpy(b, k, kk * sizeof (uint8_t)); + if (ll == (uint32_t)0U) + { + blake2s_update_block(wv, hash, true, lb, b); + } + else + { + blake2s_update_block(wv, hash, false, lb, b); + } + Lib_Memzero0_memzero(b, (uint32_t)64U * sizeof (b[0U])); +} + +void +Hacl_Blake2s_32_blake2s_update_multi( + uint32_t len, + uint32_t *wv, + uint32_t *hash, + uint64_t prev, + uint8_t *blocks, + uint32_t nb +) +{ + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint64_t totlen = prev + (uint64_t)((i + (uint32_t)1U) * (uint32_t)64U); + uint8_t *b = blocks + i * (uint32_t)64U; + blake2s_update_block(wv, hash, false, totlen, b); + } +} + +void +Hacl_Blake2s_32_blake2s_update_last( + uint32_t len, + uint32_t *wv, + uint32_t *hash, + uint64_t prev, + uint32_t rem, + uint8_t *d +) +{ + uint8_t b[64U] = { 0U }; + uint8_t *last = d + len - rem; + memcpy(b, last, rem * sizeof (uint8_t)); + uint64_t totlen = prev + (uint64_t)len; + 
blake2s_update_block(wv, hash, true, totlen, b); + Lib_Memzero0_memzero(b, (uint32_t)64U * sizeof (b[0U])); +} + +static inline void +blake2s_update_blocks( + uint32_t len, + uint32_t *wv, + uint32_t *hash, + uint64_t prev, + uint8_t *blocks +) +{ + uint32_t nb0 = len / (uint32_t)64U; + uint32_t rem0 = len % (uint32_t)64U; + K___uint32_t_uint32_t scrut; + if (rem0 == (uint32_t)0U && nb0 > (uint32_t)0U) + { + uint32_t nb_ = nb0 - (uint32_t)1U; + uint32_t rem_ = (uint32_t)64U; + scrut = ((K___uint32_t_uint32_t){ .fst = nb_, .snd = rem_ }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = nb0, .snd = rem0 }); + } + uint32_t nb = scrut.fst; + uint32_t rem = scrut.snd; + Hacl_Blake2s_32_blake2s_update_multi(len, wv, hash, prev, blocks, nb); + Hacl_Blake2s_32_blake2s_update_last(len, wv, hash, prev, rem, blocks); +} + +static inline void +blake2s_update(uint32_t *wv, uint32_t *hash, uint32_t kk, uint8_t *k, uint32_t ll, uint8_t *d) +{ + uint64_t lb = (uint64_t)(uint32_t)64U; + if (kk > (uint32_t)0U) + { + Hacl_Blake2s_32_blake2s_update_key(wv, hash, kk, k, ll); + if (!(ll == (uint32_t)0U)) + { + blake2s_update_blocks(ll, wv, hash, lb, d); + return; + } + return; + } + blake2s_update_blocks(ll, wv, hash, (uint64_t)(uint32_t)0U, d); +} + +void Hacl_Blake2s_32_blake2s_finish(uint32_t nn, uint8_t *output, uint32_t *hash) +{ + uint32_t double_row = (uint32_t)2U * ((uint32_t)4U * (uint32_t)4U); + KRML_CHECK_SIZE(sizeof (uint8_t), double_row); + uint8_t *b = alloca(double_row * sizeof (uint8_t)); + memset(b, 0U, double_row * sizeof (uint8_t)); + uint8_t *first = b; + uint8_t *second = b + (uint32_t)4U * (uint32_t)4U; + uint32_t *row0 = hash + (uint32_t)0U * (uint32_t)4U; + uint32_t *row1 = hash + (uint32_t)1U * (uint32_t)4U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store32_le(first + i * (uint32_t)4U, row0[i]); + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store32_le(second + i * (uint32_t)4U, row1[i]); + } + uint8_t *final = 
b;
+ memcpy(output, final, nn * sizeof (uint8_t));
+ Lib_Memzero0_memzero(b, double_row * sizeof (b[0U]));
+}
+
+void
+Hacl_Blake2s_32_blake2s(
+ uint32_t nn,
+ uint8_t *output,
+ uint32_t ll,
+ uint8_t *d,
+ uint32_t kk,
+ uint8_t *k
+)
+{
+ uint32_t stlen = (uint32_t)4U * (uint32_t)4U;
+ uint32_t stzero = (uint32_t)0U;
+ KRML_CHECK_SIZE(sizeof (uint32_t), stlen);
+ uint32_t *b = alloca(stlen * sizeof (uint32_t));
+ for (uint32_t _i = 0U; _i < stlen; ++_i)
+ b[_i] = stzero;
+ KRML_CHECK_SIZE(sizeof (uint32_t), stlen);
+ uint32_t *b1 = alloca(stlen * sizeof (uint32_t));
+ for (uint32_t _i = 0U; _i < stlen; ++_i)
+ b1[_i] = stzero;
+ Hacl_Blake2s_32_blake2s_init(b, kk, nn);
+ blake2s_update(b1, b, kk, k, ll, d);
+ Hacl_Blake2s_32_blake2s_finish(nn, output, b);
+ Lib_Memzero0_memzero(b1, stlen * sizeof (b1[0U]));
+ Lib_Memzero0_memzero(b, stlen * sizeof (b[0U]));
+}
+
diff --git a/src/msvc/Hacl_Hash_Blake2b_256.c b/src/msvc/Hacl_Hash_Blake2b_256.c
new file mode 100644
index 00000000..032257db
--- /dev/null
+++ b/src/msvc/Hacl_Hash_Blake2b_256.c
@@ -0,0 +1,858 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */ + + +#include "internal/Hacl_Hash_Blake2b_256.h" + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Hash_Blake2.h" + +static FStar_UInt128_uint128 +update_blake2b_256( + Lib_IntVector_Intrinsics_vec256 *s, + FStar_UInt128_uint128 totlen, + uint8_t *block +) +{ + Lib_IntVector_Intrinsics_vec256 wv[4U]; + for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i) + wv[_i] = Lib_IntVector_Intrinsics_vec256_zero; + FStar_UInt128_uint128 + totlen1 = + FStar_UInt128_add_mod(totlen, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U)); + uint64_t m_w[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t *os = m_w; + uint8_t *bj = block + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_zero; + uint64_t wv_14 = (uint64_t)0U; + uint64_t wv_15 = (uint64_t)0U; + mask = + Lib_IntVector_Intrinsics_vec256_load64s(FStar_UInt128_uint128_to_uint64(totlen1), + FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(totlen1, (uint32_t)64U)), + wv_14, + wv_15); + memcpy(wv, s, (uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec256)); + Lib_IntVector_Intrinsics_vec256 *wv3 = wv + (uint32_t)3U * (uint32_t)1U; + wv3[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv3[0U], mask); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)12U; i++) + { + uint32_t start_idx = i % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec256), (uint32_t)4U * (uint32_t)1U); + Lib_IntVector_Intrinsics_vec256 + *m_st = alloca((uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec256)); + for (uint32_t _i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + m_st[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 *r0 = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r1 = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r20 
= m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r30 = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(m_w[s0], m_w[s2], m_w[s4], m_w[s6]); + r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(m_w[s1], m_w[s3], m_w[s5], m_w[s7]); + r20[0U] = Lib_IntVector_Intrinsics_vec256_load64s(m_w[s8], m_w[s10], m_w[s12], m_w[s14]); + r30[0U] = Lib_IntVector_Intrinsics_vec256_load64s(m_w[s9], m_w[s11], m_w[s13], m_w[s15]); + Lib_IntVector_Intrinsics_vec256 *x = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *y = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *z = m_st + (uint32_t)2U * (uint32_t)1U; + 
Lib_IntVector_Intrinsics_vec256 *w = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d0 = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec256 *wv_a0 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b0 = wv + b0 * (uint32_t)1U; + wv_a0[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a0[0U], wv_b0[0U]); + wv_a0[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a0[0U], x[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a1 = wv + d0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b1 = wv + a * (uint32_t)1U; + wv_a1[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a1[0U], wv_b1[0U]); + wv_a1[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a1[0U], (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 *wv_a2 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b2 = wv + d0 * (uint32_t)1U; + wv_a2[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a2[0U], wv_b2[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a3 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b3 = wv + c0 * (uint32_t)1U; + wv_a3[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a3[0U], wv_b3[0U]); + wv_a3[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a3[0U], (uint32_t)24U); + Lib_IntVector_Intrinsics_vec256 *wv_a4 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b4 = wv + b0 * (uint32_t)1U; + wv_a4[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a4[0U], wv_b4[0U]); + wv_a4[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a4[0U], y[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a5 = wv + d0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b5 = wv + a * (uint32_t)1U; + wv_a5[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a5[0U], wv_b5[0U]); + wv_a5[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a5[0U], (uint32_t)16U); + Lib_IntVector_Intrinsics_vec256 *wv_a6 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b6 = wv + d0 * (uint32_t)1U; + wv_a6[0U] = 
Lib_IntVector_Intrinsics_vec256_add64(wv_a6[0U], wv_b6[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a7 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b7 = wv + c0 * (uint32_t)1U; + wv_a7[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a7[0U], wv_b7[0U]); + wv_a7[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a7[0U], (uint32_t)63U); + Lib_IntVector_Intrinsics_vec256 *r10 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r21 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r31 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 v00 = r10[0U]; + Lib_IntVector_Intrinsics_vec256 + v1 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v00, (uint32_t)1U); + r10[0U] = v1; + Lib_IntVector_Intrinsics_vec256 v01 = r21[0U]; + Lib_IntVector_Intrinsics_vec256 + v10 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v01, (uint32_t)2U); + r21[0U] = v10; + Lib_IntVector_Intrinsics_vec256 v02 = r31[0U]; + Lib_IntVector_Intrinsics_vec256 + v11 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v02, (uint32_t)3U); + r31[0U] = v11; + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec256 *wv_a = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b8 = wv + b * (uint32_t)1U; + wv_a[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a[0U], wv_b8[0U]); + wv_a[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a[0U], z[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a8 = wv + d * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b9 = wv + a0 * (uint32_t)1U; + wv_a8[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a8[0U], wv_b9[0U]); + wv_a8[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a8[0U], (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 *wv_a9 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b10 = wv + d * (uint32_t)1U; + wv_a9[0U] = 
Lib_IntVector_Intrinsics_vec256_add64(wv_a9[0U], wv_b10[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a10 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b11 = wv + c * (uint32_t)1U; + wv_a10[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a10[0U], wv_b11[0U]); + wv_a10[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a10[0U], (uint32_t)24U); + Lib_IntVector_Intrinsics_vec256 *wv_a11 = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b12 = wv + b * (uint32_t)1U; + wv_a11[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a11[0U], wv_b12[0U]); + wv_a11[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a11[0U], w[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a12 = wv + d * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b13 = wv + a0 * (uint32_t)1U; + wv_a12[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a12[0U], wv_b13[0U]); + wv_a12[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a12[0U], (uint32_t)16U); + Lib_IntVector_Intrinsics_vec256 *wv_a13 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b14 = wv + d * (uint32_t)1U; + wv_a13[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a13[0U], wv_b14[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a14 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b = wv + c * (uint32_t)1U; + wv_a14[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a14[0U], wv_b[0U]); + wv_a14[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a14[0U], (uint32_t)63U); + Lib_IntVector_Intrinsics_vec256 *r11 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r3 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 v0 = r11[0U]; + Lib_IntVector_Intrinsics_vec256 + v12 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v0, (uint32_t)3U); + r11[0U] = v12; + Lib_IntVector_Intrinsics_vec256 v03 = r2[0U]; + Lib_IntVector_Intrinsics_vec256 + v13 = 
Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v03, (uint32_t)2U); + r2[0U] = v13; + Lib_IntVector_Intrinsics_vec256 v04 = r3[0U]; + Lib_IntVector_Intrinsics_vec256 + v14 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v04, (uint32_t)1U); + r3[0U] = v14; + } + Lib_IntVector_Intrinsics_vec256 *s0 = s + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *s1 = s + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r0 = wv + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r1 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r3 = wv + (uint32_t)3U * (uint32_t)1U; + s0[0U] = Lib_IntVector_Intrinsics_vec256_xor(s0[0U], r0[0U]); + s0[0U] = Lib_IntVector_Intrinsics_vec256_xor(s0[0U], r2[0U]); + s1[0U] = Lib_IntVector_Intrinsics_vec256_xor(s1[0U], r1[0U]); + s1[0U] = Lib_IntVector_Intrinsics_vec256_xor(s1[0U], r3[0U]); + return totlen1; +} + +void +Hacl_Hash_Blake2b_256_finish_blake2b_256( + Lib_IntVector_Intrinsics_vec256 *s, + FStar_UInt128_uint128 ev, + uint8_t *dst +) +{ + uint32_t double_row = (uint32_t)2U * ((uint32_t)4U * (uint32_t)8U); + KRML_CHECK_SIZE(sizeof (uint8_t), double_row); + uint8_t *b = alloca(double_row * sizeof (uint8_t)); + memset(b, 0U, double_row * sizeof (uint8_t)); + uint8_t *first = b; + uint8_t *second = b + (uint32_t)4U * (uint32_t)8U; + Lib_IntVector_Intrinsics_vec256 *row0 = s + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *row1 = s + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256_store64_le(first, row0[0U]); + Lib_IntVector_Intrinsics_vec256_store64_le(second, row1[0U]); + uint8_t *final = b; + memcpy(dst, final, (uint32_t)64U * sizeof (uint8_t)); + Lib_Memzero0_memzero(b, double_row * sizeof (b[0U])); +} + +FStar_UInt128_uint128 +Hacl_Hash_Blake2b_256_update_multi_blake2b_256( + Lib_IntVector_Intrinsics_vec256 *s, + FStar_UInt128_uint128 ev, + uint8_t *blocks, + 
uint32_t n_blocks +) +{ + for (uint32_t i = (uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)128U; + uint8_t *block = blocks + sz * i; + FStar_UInt128_uint128 + v_ = + update_blake2b_256(s, + FStar_UInt128_add_mod(ev, + FStar_UInt128_uint64_to_uint128((uint64_t)i * (uint64_t)(uint32_t)128U)), + block); + } + return + FStar_UInt128_add_mod(ev, + FStar_UInt128_uint64_to_uint128((uint64_t)n_blocks * (uint64_t)(uint32_t)128U)); +} + +FStar_UInt128_uint128 +Hacl_Hash_Blake2b_256_update_last_blake2b_256( + Lib_IntVector_Intrinsics_vec256 *s, + FStar_UInt128_uint128 ev, + FStar_UInt128_uint128 prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)128U; + uint32_t blocks_len0 = blocks_n * (uint32_t)128U; + uint32_t rest_len0 = input_len - blocks_len0; + K___uint32_t_uint32_t_uint32_t scrut; + if (rest_len0 == (uint32_t)0U && blocks_n > (uint32_t)0U) + { + uint32_t blocks_n1 = blocks_n - (uint32_t)1U; + uint32_t blocks_len1 = blocks_len0 - (uint32_t)128U; + uint32_t rest_len1 = (uint32_t)128U; + scrut = + ((K___uint32_t_uint32_t_uint32_t){ .fst = blocks_n1, .snd = blocks_len1, .thd = rest_len1 }); + } + else + { + scrut = + ((K___uint32_t_uint32_t_uint32_t){ .fst = blocks_n, .snd = blocks_len0, .thd = rest_len0 }); + } + uint32_t num_blocks0 = scrut.fst; + uint32_t blocks_len = scrut.snd; + uint32_t rest_len1 = scrut.thd; + uint8_t *blocks0 = input; + uint8_t *rest0 = input + blocks_len; + K___uint32_t_uint32_t_uint32_t__uint8_t___uint8_t_ + scrut0 = + { .fst = num_blocks0, .snd = blocks_len, .thd = rest_len1, .f3 = blocks0, .f4 = rest0 }; + uint32_t num_blocks = scrut0.fst; + uint32_t rest_len = scrut0.thd; + uint8_t *blocks = scrut0.f3; + uint8_t *rest = scrut0.f4; + FStar_UInt128_uint128 + ev_ = Hacl_Hash_Blake2b_256_update_multi_blake2b_256(s, ev, blocks, num_blocks); + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec256), (uint32_t)4U * (uint32_t)1U); + Lib_IntVector_Intrinsics_vec256 + *wv = 
alloca((uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec256)); + for (uint32_t _i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + wv[_i] = Lib_IntVector_Intrinsics_vec256_zero; + uint8_t tmp[128U] = { 0U }; + uint8_t *tmp_rest = tmp; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + FStar_UInt128_uint128 + totlen = FStar_UInt128_add_mod(ev_, FStar_UInt128_uint64_to_uint128((uint64_t)rest_len)); + uint64_t m_w[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t *os = m_w; + uint8_t *bj = tmp + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_zero; + uint64_t wv_14 = (uint64_t)0xFFFFFFFFFFFFFFFFU; + uint64_t wv_15 = (uint64_t)0U; + mask = + Lib_IntVector_Intrinsics_vec256_load64s(FStar_UInt128_uint128_to_uint64(totlen), + FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(totlen, (uint32_t)64U)), + wv_14, + wv_15); + memcpy(wv, s, (uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec256)); + Lib_IntVector_Intrinsics_vec256 *wv3 = wv + (uint32_t)3U * (uint32_t)1U; + wv3[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv3[0U], mask); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)12U; i++) + { + uint32_t start_idx = i % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec256), (uint32_t)4U * (uint32_t)1U); + Lib_IntVector_Intrinsics_vec256 + *m_st = alloca((uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec256)); + for (uint32_t _i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + m_st[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 *r0 = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r1 = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r20 = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r30 = m_st + (uint32_t)3U * 
(uint32_t)1U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(m_w[s0], m_w[s2], m_w[s4], m_w[s6]); + r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(m_w[s1], m_w[s3], m_w[s5], m_w[s7]); + r20[0U] = Lib_IntVector_Intrinsics_vec256_load64s(m_w[s8], m_w[s10], m_w[s12], m_w[s14]); + r30[0U] = Lib_IntVector_Intrinsics_vec256_load64s(m_w[s9], m_w[s11], m_w[s13], m_w[s15]); + Lib_IntVector_Intrinsics_vec256 *x = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *y = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *z = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *w = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t a = (uint32_t)0U; + 
uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d0 = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec256 *wv_a0 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b0 = wv + b0 * (uint32_t)1U; + wv_a0[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a0[0U], wv_b0[0U]); + wv_a0[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a0[0U], x[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a1 = wv + d0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b1 = wv + a * (uint32_t)1U; + wv_a1[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a1[0U], wv_b1[0U]); + wv_a1[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a1[0U], (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 *wv_a2 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b2 = wv + d0 * (uint32_t)1U; + wv_a2[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a2[0U], wv_b2[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a3 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b3 = wv + c0 * (uint32_t)1U; + wv_a3[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a3[0U], wv_b3[0U]); + wv_a3[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a3[0U], (uint32_t)24U); + Lib_IntVector_Intrinsics_vec256 *wv_a4 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b4 = wv + b0 * (uint32_t)1U; + wv_a4[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a4[0U], wv_b4[0U]); + wv_a4[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a4[0U], y[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a5 = wv + d0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b5 = wv + a * (uint32_t)1U; + wv_a5[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a5[0U], wv_b5[0U]); + wv_a5[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a5[0U], (uint32_t)16U); + Lib_IntVector_Intrinsics_vec256 *wv_a6 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b6 = wv + d0 * (uint32_t)1U; + wv_a6[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a6[0U], wv_b6[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a7 = wv + b0 * 
(uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b7 = wv + c0 * (uint32_t)1U; + wv_a7[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a7[0U], wv_b7[0U]); + wv_a7[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a7[0U], (uint32_t)63U); + Lib_IntVector_Intrinsics_vec256 *r10 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r21 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r31 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 v00 = r10[0U]; + Lib_IntVector_Intrinsics_vec256 + v1 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v00, (uint32_t)1U); + r10[0U] = v1; + Lib_IntVector_Intrinsics_vec256 v01 = r21[0U]; + Lib_IntVector_Intrinsics_vec256 + v10 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v01, (uint32_t)2U); + r21[0U] = v10; + Lib_IntVector_Intrinsics_vec256 v02 = r31[0U]; + Lib_IntVector_Intrinsics_vec256 + v11 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v02, (uint32_t)3U); + r31[0U] = v11; + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec256 *wv_a = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b8 = wv + b * (uint32_t)1U; + wv_a[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a[0U], wv_b8[0U]); + wv_a[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a[0U], z[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a8 = wv + d * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b9 = wv + a0 * (uint32_t)1U; + wv_a8[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a8[0U], wv_b9[0U]); + wv_a8[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a8[0U], (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 *wv_a9 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b10 = wv + d * (uint32_t)1U; + wv_a9[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a9[0U], wv_b10[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a10 = wv + b * (uint32_t)1U; + 
Lib_IntVector_Intrinsics_vec256 *wv_b11 = wv + c * (uint32_t)1U; + wv_a10[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a10[0U], wv_b11[0U]); + wv_a10[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a10[0U], (uint32_t)24U); + Lib_IntVector_Intrinsics_vec256 *wv_a11 = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b12 = wv + b * (uint32_t)1U; + wv_a11[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a11[0U], wv_b12[0U]); + wv_a11[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a11[0U], w[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a12 = wv + d * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b13 = wv + a0 * (uint32_t)1U; + wv_a12[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a12[0U], wv_b13[0U]); + wv_a12[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a12[0U], (uint32_t)16U); + Lib_IntVector_Intrinsics_vec256 *wv_a13 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b14 = wv + d * (uint32_t)1U; + wv_a13[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a13[0U], wv_b14[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a14 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b = wv + c * (uint32_t)1U; + wv_a14[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a14[0U], wv_b[0U]); + wv_a14[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a14[0U], (uint32_t)63U); + Lib_IntVector_Intrinsics_vec256 *r11 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r3 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 v0 = r11[0U]; + Lib_IntVector_Intrinsics_vec256 + v12 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v0, (uint32_t)3U); + r11[0U] = v12; + Lib_IntVector_Intrinsics_vec256 v03 = r2[0U]; + Lib_IntVector_Intrinsics_vec256 + v13 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v03, (uint32_t)2U); + r2[0U] = v13; + Lib_IntVector_Intrinsics_vec256 v04 = r3[0U]; + Lib_IntVector_Intrinsics_vec256 + v14 = 
Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v04, (uint32_t)1U); + r3[0U] = v14; + } + Lib_IntVector_Intrinsics_vec256 *s0 = s + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *s1 = s + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r0 = wv + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r1 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r3 = wv + (uint32_t)3U * (uint32_t)1U; + s0[0U] = Lib_IntVector_Intrinsics_vec256_xor(s0[0U], r0[0U]); + s0[0U] = Lib_IntVector_Intrinsics_vec256_xor(s0[0U], r2[0U]); + s1[0U] = Lib_IntVector_Intrinsics_vec256_xor(s1[0U], r1[0U]); + s1[0U] = Lib_IntVector_Intrinsics_vec256_xor(s1[0U], r3[0U]); + return FStar_UInt128_uint64_to_uint128((uint64_t)0U); +} + +void Hacl_Hash_Blake2b_256_hash_blake2b_256(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + Hacl_Blake2b_256_blake2b((uint32_t)64U, dst, input_len, input, (uint32_t)0U, NULL); +} + +static inline void +blake2b_update_block( + Lib_IntVector_Intrinsics_vec256 *wv, + Lib_IntVector_Intrinsics_vec256 *hash, + bool flag, + FStar_UInt128_uint128 totlen, + uint8_t *d +) +{ + uint64_t m_w[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t *os = m_w; + uint8_t *bj = d + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x; + } + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_zero; + uint64_t wv_14; + if (flag) + { + wv_14 = (uint64_t)0xFFFFFFFFFFFFFFFFU; + } + else + { + wv_14 = (uint64_t)0U; + } + uint64_t wv_15 = (uint64_t)0U; + mask = + Lib_IntVector_Intrinsics_vec256_load64s(FStar_UInt128_uint128_to_uint64(totlen), + FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(totlen, (uint32_t)64U)), + wv_14, + wv_15); + memcpy(wv, hash, (uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec256)); + 
Lib_IntVector_Intrinsics_vec256 *wv3 = wv + (uint32_t)3U * (uint32_t)1U; + wv3[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv3[0U], mask); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)12U; i++) + { + uint32_t start_idx = i % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec256), (uint32_t)4U * (uint32_t)1U); + Lib_IntVector_Intrinsics_vec256 + *m_st = alloca((uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec256)); + for (uint32_t _i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + m_st[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 *r0 = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r1 = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r20 = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r30 = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = 
Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(m_w[s0], m_w[s2], m_w[s4], m_w[s6]); + r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(m_w[s1], m_w[s3], m_w[s5], m_w[s7]); + r20[0U] = Lib_IntVector_Intrinsics_vec256_load64s(m_w[s8], m_w[s10], m_w[s12], m_w[s14]); + r30[0U] = Lib_IntVector_Intrinsics_vec256_load64s(m_w[s9], m_w[s11], m_w[s13], m_w[s15]); + Lib_IntVector_Intrinsics_vec256 *x = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *y = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *z = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *w = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d10 = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec256 *wv_a0 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b0 = wv + b0 * (uint32_t)1U; + wv_a0[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a0[0U], wv_b0[0U]); + wv_a0[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a0[0U], x[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a1 = wv + d10 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b1 = wv + a * (uint32_t)1U; + wv_a1[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a1[0U], wv_b1[0U]); + wv_a1[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a1[0U], (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 *wv_a2 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b2 = wv + d10 * (uint32_t)1U; + wv_a2[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a2[0U], wv_b2[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a3 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b3 = wv + c0 * (uint32_t)1U; + wv_a3[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a3[0U], 
wv_b3[0U]); + wv_a3[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a3[0U], (uint32_t)24U); + Lib_IntVector_Intrinsics_vec256 *wv_a4 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b4 = wv + b0 * (uint32_t)1U; + wv_a4[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a4[0U], wv_b4[0U]); + wv_a4[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a4[0U], y[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a5 = wv + d10 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b5 = wv + a * (uint32_t)1U; + wv_a5[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a5[0U], wv_b5[0U]); + wv_a5[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a5[0U], (uint32_t)16U); + Lib_IntVector_Intrinsics_vec256 *wv_a6 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b6 = wv + d10 * (uint32_t)1U; + wv_a6[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a6[0U], wv_b6[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a7 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b7 = wv + c0 * (uint32_t)1U; + wv_a7[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a7[0U], wv_b7[0U]); + wv_a7[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a7[0U], (uint32_t)63U); + Lib_IntVector_Intrinsics_vec256 *r10 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r21 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r31 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 v00 = r10[0U]; + Lib_IntVector_Intrinsics_vec256 + v1 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v00, (uint32_t)1U); + r10[0U] = v1; + Lib_IntVector_Intrinsics_vec256 v01 = r21[0U]; + Lib_IntVector_Intrinsics_vec256 + v10 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v01, (uint32_t)2U); + r21[0U] = v10; + Lib_IntVector_Intrinsics_vec256 v02 = r31[0U]; + Lib_IntVector_Intrinsics_vec256 + v11 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v02, (uint32_t)3U); + r31[0U] = v11; + uint32_t a0 = (uint32_t)0U; + uint32_t b = 
(uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d1 = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec256 *wv_a = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b8 = wv + b * (uint32_t)1U; + wv_a[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a[0U], wv_b8[0U]); + wv_a[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a[0U], z[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a8 = wv + d1 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b9 = wv + a0 * (uint32_t)1U; + wv_a8[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a8[0U], wv_b9[0U]); + wv_a8[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a8[0U], (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 *wv_a9 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b10 = wv + d1 * (uint32_t)1U; + wv_a9[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a9[0U], wv_b10[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a10 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b11 = wv + c * (uint32_t)1U; + wv_a10[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a10[0U], wv_b11[0U]); + wv_a10[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a10[0U], (uint32_t)24U); + Lib_IntVector_Intrinsics_vec256 *wv_a11 = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b12 = wv + b * (uint32_t)1U; + wv_a11[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a11[0U], wv_b12[0U]); + wv_a11[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a11[0U], w[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a12 = wv + d1 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b13 = wv + a0 * (uint32_t)1U; + wv_a12[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a12[0U], wv_b13[0U]); + wv_a12[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a12[0U], (uint32_t)16U); + Lib_IntVector_Intrinsics_vec256 *wv_a13 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b14 = wv + d1 * (uint32_t)1U; + wv_a13[0U] = Lib_IntVector_Intrinsics_vec256_add64(wv_a13[0U], wv_b14[0U]); + Lib_IntVector_Intrinsics_vec256 *wv_a14 = wv 
+ b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *wv_b = wv + c * (uint32_t)1U; + wv_a14[0U] = Lib_IntVector_Intrinsics_vec256_xor(wv_a14[0U], wv_b[0U]); + wv_a14[0U] = Lib_IntVector_Intrinsics_vec256_rotate_right64(wv_a14[0U], (uint32_t)63U); + Lib_IntVector_Intrinsics_vec256 *r11 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r3 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 v0 = r11[0U]; + Lib_IntVector_Intrinsics_vec256 + v12 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v0, (uint32_t)3U); + r11[0U] = v12; + Lib_IntVector_Intrinsics_vec256 v03 = r2[0U]; + Lib_IntVector_Intrinsics_vec256 + v13 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v03, (uint32_t)2U); + r2[0U] = v13; + Lib_IntVector_Intrinsics_vec256 v04 = r3[0U]; + Lib_IntVector_Intrinsics_vec256 + v14 = Lib_IntVector_Intrinsics_vec256_rotate_right_lanes64(v04, (uint32_t)1U); + r3[0U] = v14; + } + Lib_IntVector_Intrinsics_vec256 *s0 = hash + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *s1 = hash + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r0 = wv + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r1 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r3 = wv + (uint32_t)3U * (uint32_t)1U; + s0[0U] = Lib_IntVector_Intrinsics_vec256_xor(s0[0U], r0[0U]); + s0[0U] = Lib_IntVector_Intrinsics_vec256_xor(s0[0U], r2[0U]); + s1[0U] = Lib_IntVector_Intrinsics_vec256_xor(s1[0U], r1[0U]); + s1[0U] = Lib_IntVector_Intrinsics_vec256_xor(s1[0U], r3[0U]); +} + +void +Hacl_Blake2b_256_blake2b_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t kk, uint32_t nn) +{ + Lib_IntVector_Intrinsics_vec256 *r0 = hash + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r1 = hash + (uint32_t)1U * (uint32_t)1U; + 
Lib_IntVector_Intrinsics_vec256 *r2 = hash + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *r3 = hash + (uint32_t)3U * (uint32_t)1U; + uint64_t iv0 = Hacl_Impl_Blake2_Constants_ivTable_B[0U]; + uint64_t iv1 = Hacl_Impl_Blake2_Constants_ivTable_B[1U]; + uint64_t iv2 = Hacl_Impl_Blake2_Constants_ivTable_B[2U]; + uint64_t iv3 = Hacl_Impl_Blake2_Constants_ivTable_B[3U]; + uint64_t iv4 = Hacl_Impl_Blake2_Constants_ivTable_B[4U]; + uint64_t iv5 = Hacl_Impl_Blake2_Constants_ivTable_B[5U]; + uint64_t iv6 = Hacl_Impl_Blake2_Constants_ivTable_B[6U]; + uint64_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; + r2[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0, iv1, iv2, iv3); + r3[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); + uint64_t kk_shift_8 = (uint64_t)kk << (uint32_t)8U; + uint64_t iv0_ = iv0 ^ ((uint64_t)0x01010000U ^ (kk_shift_8 ^ (uint64_t)nn)); + r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0_, iv1, iv2, iv3); + r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); +} + +void +Hacl_Blake2b_256_blake2b_update_key( + Lib_IntVector_Intrinsics_vec256 *wv, + Lib_IntVector_Intrinsics_vec256 *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll +) +{ + FStar_UInt128_uint128 lb = FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U); + uint8_t b[128U] = { 0U }; + memcpy(b, k, kk * sizeof (uint8_t)); + if (ll == (uint32_t)0U) + { + blake2b_update_block(wv, hash, true, lb, b); + } + else + { + blake2b_update_block(wv, hash, false, lb, b); + } + Lib_Memzero0_memzero(b, (uint32_t)128U * sizeof (b[0U])); +} + +void +Hacl_Blake2b_256_blake2b_update_multi( + uint32_t len, + Lib_IntVector_Intrinsics_vec256 *wv, + Lib_IntVector_Intrinsics_vec256 *hash, + FStar_UInt128_uint128 prev, + uint8_t *blocks, + uint32_t nb +) +{ + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + FStar_UInt128_uint128 + totlen = + FStar_UInt128_add_mod(prev, + FStar_UInt128_uint64_to_uint128((uint64_t)((i + (uint32_t)1U) * (uint32_t)128U))); + 
uint8_t *b = blocks + i * (uint32_t)128U; + blake2b_update_block(wv, hash, false, totlen, b); + } +} + +void +Hacl_Blake2b_256_blake2b_update_last( + uint32_t len, + Lib_IntVector_Intrinsics_vec256 *wv, + Lib_IntVector_Intrinsics_vec256 *hash, + FStar_UInt128_uint128 prev, + uint32_t rem, + uint8_t *d +) +{ + uint8_t b[128U] = { 0U }; + uint8_t *last = d + len - rem; + memcpy(b, last, rem * sizeof (uint8_t)); + FStar_UInt128_uint128 + totlen = FStar_UInt128_add_mod(prev, FStar_UInt128_uint64_to_uint128((uint64_t)len)); + blake2b_update_block(wv, hash, true, totlen, b); + Lib_Memzero0_memzero(b, (uint32_t)128U * sizeof (b[0U])); +} + +static inline void +blake2b_update_blocks( + uint32_t len, + Lib_IntVector_Intrinsics_vec256 *wv, + Lib_IntVector_Intrinsics_vec256 *hash, + FStar_UInt128_uint128 prev, + uint8_t *blocks +) +{ + uint32_t nb0 = len / (uint32_t)128U; + uint32_t rem0 = len % (uint32_t)128U; + K___uint32_t_uint32_t scrut; + if (rem0 == (uint32_t)0U && nb0 > (uint32_t)0U) + { + uint32_t nb_ = nb0 - (uint32_t)1U; + uint32_t rem_ = (uint32_t)128U; + scrut = ((K___uint32_t_uint32_t){ .fst = nb_, .snd = rem_ }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = nb0, .snd = rem0 }); + } + uint32_t nb = scrut.fst; + uint32_t rem = scrut.snd; + Hacl_Blake2b_256_blake2b_update_multi(len, wv, hash, prev, blocks, nb); + Hacl_Blake2b_256_blake2b_update_last(len, wv, hash, prev, rem, blocks); +} + +static inline void +blake2b_update( + Lib_IntVector_Intrinsics_vec256 *wv, + Lib_IntVector_Intrinsics_vec256 *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll, + uint8_t *d +) +{ + FStar_UInt128_uint128 lb = FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)128U); + if (kk > (uint32_t)0U) + { + Hacl_Blake2b_256_blake2b_update_key(wv, hash, kk, k, ll); + if (!(ll == (uint32_t)0U)) + { + blake2b_update_blocks(ll, wv, hash, lb, d); + return; + } + return; + } + blake2b_update_blocks(ll, + wv, + hash, + FStar_UInt128_uint64_to_uint128((uint64_t)(uint32_t)0U), + d); +} 
+ +void +Hacl_Blake2b_256_blake2b_finish( + uint32_t nn, + uint8_t *output, + Lib_IntVector_Intrinsics_vec256 *hash +) +{ + uint32_t double_row = (uint32_t)2U * ((uint32_t)4U * (uint32_t)8U); + KRML_CHECK_SIZE(sizeof (uint8_t), double_row); + uint8_t *b = alloca(double_row * sizeof (uint8_t)); + memset(b, 0U, double_row * sizeof (uint8_t)); + uint8_t *first = b; + uint8_t *second = b + (uint32_t)4U * (uint32_t)8U; + Lib_IntVector_Intrinsics_vec256 *row0 = hash + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 *row1 = hash + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256_store64_le(first, row0[0U]); + Lib_IntVector_Intrinsics_vec256_store64_le(second, row1[0U]); + uint8_t *final = b; + memcpy(output, final, nn * sizeof (uint8_t)); + Lib_Memzero0_memzero(b, double_row * sizeof (b[0U])); +} + +void +Hacl_Blake2b_256_blake2b( + uint32_t nn, + uint8_t *output, + uint32_t ll, + uint8_t *d, + uint32_t kk, + uint8_t *k +) +{ + uint32_t stlen = (uint32_t)4U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec256 stzero = Lib_IntVector_Intrinsics_vec256_zero; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec256), stlen); + Lib_IntVector_Intrinsics_vec256 *b = alloca(stlen * sizeof (Lib_IntVector_Intrinsics_vec256)); + for (uint32_t _i = 0U; _i < stlen; ++_i) + b[_i] = stzero; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec256), stlen); + Lib_IntVector_Intrinsics_vec256 *b1 = alloca(stlen * sizeof (Lib_IntVector_Intrinsics_vec256)); + for (uint32_t _i = 0U; _i < stlen; ++_i) + b1[_i] = stzero; + Hacl_Blake2b_256_blake2b_init(b, kk, nn); + blake2b_update(b1, b, kk, k, ll, d); + Hacl_Blake2b_256_blake2b_finish(nn, output, b); + Lib_Memzero0_memzero(b1, stlen * sizeof (b1[0U])); + Lib_Memzero0_memzero(b, stlen * sizeof (b[0U])); +} + diff --git a/src/msvc/Hacl_Hash_Blake2s_128.c b/src/msvc/Hacl_Hash_Blake2s_128.c new file mode 100644 index 00000000..63dac6e1 --- /dev/null +++ b/src/msvc/Hacl_Hash_Blake2s_128.c 
@@ -0,0 +1,834 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Hash_Blake2s_128.h" + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Hash_Blake2.h" + +static uint64_t +update_blake2s_128(Lib_IntVector_Intrinsics_vec128 *s, uint64_t totlen, uint8_t *block) +{ + Lib_IntVector_Intrinsics_vec128 wv[4U]; + for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i) + wv[_i] = Lib_IntVector_Intrinsics_vec128_zero; + uint64_t totlen1 = totlen + (uint64_t)(uint32_t)64U; + uint32_t m_w[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = m_w; + uint8_t *bj = block + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_zero; + uint32_t wv_14 = (uint32_t)0U; + uint32_t wv_15 = (uint32_t)0U; + mask = + Lib_IntVector_Intrinsics_vec128_load32s((uint32_t)totlen1, + (uint32_t)(totlen1 >> (uint32_t)32U), + wv_14, + wv_15); + memcpy(wv, s, (uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec128)); + Lib_IntVector_Intrinsics_vec128 *wv3 = wv + (uint32_t)3U * (uint32_t)1U; + wv3[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv3[0U], mask); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)10U; i++) + { + uint32_t start_idx = i % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec128), (uint32_t)4U * (uint32_t)1U); + Lib_IntVector_Intrinsics_vec128 + *m_st = alloca((uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec128)); + for (uint32_t _i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + m_st[_i] = Lib_IntVector_Intrinsics_vec128_zero; + Lib_IntVector_Intrinsics_vec128 *r0 = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r1 = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r20 = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r30 = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t s0 = 
Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s0], m_w[s2], m_w[s4], m_w[s6]); + r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s1], m_w[s3], m_w[s5], m_w[s7]); + r20[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s8], m_w[s10], m_w[s12], m_w[s14]); + r30[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s9], m_w[s11], m_w[s13], m_w[s15]); + Lib_IntVector_Intrinsics_vec128 *x = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *y = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *z = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *w = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + 
uint32_t c0 = (uint32_t)2U; + uint32_t d0 = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec128 *wv_a0 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b0 = wv + b0 * (uint32_t)1U; + wv_a0[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a0[0U], wv_b0[0U]); + wv_a0[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a0[0U], x[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a1 = wv + d0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b1 = wv + a * (uint32_t)1U; + wv_a1[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a1[0U], wv_b1[0U]); + wv_a1[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a1[0U], (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 *wv_a2 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b2 = wv + d0 * (uint32_t)1U; + wv_a2[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a2[0U], wv_b2[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a3 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b3 = wv + c0 * (uint32_t)1U; + wv_a3[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a3[0U], wv_b3[0U]); + wv_a3[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a3[0U], (uint32_t)12U); + Lib_IntVector_Intrinsics_vec128 *wv_a4 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b4 = wv + b0 * (uint32_t)1U; + wv_a4[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a4[0U], wv_b4[0U]); + wv_a4[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a4[0U], y[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a5 = wv + d0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b5 = wv + a * (uint32_t)1U; + wv_a5[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a5[0U], wv_b5[0U]); + wv_a5[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a5[0U], (uint32_t)8U); + Lib_IntVector_Intrinsics_vec128 *wv_a6 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b6 = wv + d0 * (uint32_t)1U; + wv_a6[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a6[0U], wv_b6[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a7 = wv + b0 * (uint32_t)1U; + 
Lib_IntVector_Intrinsics_vec128 *wv_b7 = wv + c0 * (uint32_t)1U; + wv_a7[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a7[0U], wv_b7[0U]); + wv_a7[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a7[0U], (uint32_t)7U); + Lib_IntVector_Intrinsics_vec128 *r10 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r21 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r31 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 v00 = r10[0U]; + Lib_IntVector_Intrinsics_vec128 + v1 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v00, (uint32_t)1U); + r10[0U] = v1; + Lib_IntVector_Intrinsics_vec128 v01 = r21[0U]; + Lib_IntVector_Intrinsics_vec128 + v10 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v01, (uint32_t)2U); + r21[0U] = v10; + Lib_IntVector_Intrinsics_vec128 v02 = r31[0U]; + Lib_IntVector_Intrinsics_vec128 + v11 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v02, (uint32_t)3U); + r31[0U] = v11; + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec128 *wv_a = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b8 = wv + b * (uint32_t)1U; + wv_a[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a[0U], wv_b8[0U]); + wv_a[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a[0U], z[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a8 = wv + d * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b9 = wv + a0 * (uint32_t)1U; + wv_a8[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a8[0U], wv_b9[0U]); + wv_a8[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a8[0U], (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 *wv_a9 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b10 = wv + d * (uint32_t)1U; + wv_a9[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a9[0U], wv_b10[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a10 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b11 = wv 
+ c * (uint32_t)1U; + wv_a10[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a10[0U], wv_b11[0U]); + wv_a10[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a10[0U], (uint32_t)12U); + Lib_IntVector_Intrinsics_vec128 *wv_a11 = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b12 = wv + b * (uint32_t)1U; + wv_a11[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a11[0U], wv_b12[0U]); + wv_a11[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a11[0U], w[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a12 = wv + d * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b13 = wv + a0 * (uint32_t)1U; + wv_a12[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a12[0U], wv_b13[0U]); + wv_a12[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a12[0U], (uint32_t)8U); + Lib_IntVector_Intrinsics_vec128 *wv_a13 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b14 = wv + d * (uint32_t)1U; + wv_a13[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a13[0U], wv_b14[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a14 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b = wv + c * (uint32_t)1U; + wv_a14[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a14[0U], wv_b[0U]); + wv_a14[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a14[0U], (uint32_t)7U); + Lib_IntVector_Intrinsics_vec128 *r11 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r3 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 v0 = r11[0U]; + Lib_IntVector_Intrinsics_vec128 + v12 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v0, (uint32_t)3U); + r11[0U] = v12; + Lib_IntVector_Intrinsics_vec128 v03 = r2[0U]; + Lib_IntVector_Intrinsics_vec128 + v13 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v03, (uint32_t)2U); + r2[0U] = v13; + Lib_IntVector_Intrinsics_vec128 v04 = r3[0U]; + Lib_IntVector_Intrinsics_vec128 + v14 = 
Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v04, (uint32_t)1U); + r3[0U] = v14; + } + Lib_IntVector_Intrinsics_vec128 *s0 = s + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *s1 = s + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r0 = wv + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r1 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r3 = wv + (uint32_t)3U * (uint32_t)1U; + s0[0U] = Lib_IntVector_Intrinsics_vec128_xor(s0[0U], r0[0U]); + s0[0U] = Lib_IntVector_Intrinsics_vec128_xor(s0[0U], r2[0U]); + s1[0U] = Lib_IntVector_Intrinsics_vec128_xor(s1[0U], r1[0U]); + s1[0U] = Lib_IntVector_Intrinsics_vec128_xor(s1[0U], r3[0U]); + return totlen1; +} + +void +Hacl_Hash_Blake2s_128_finish_blake2s_128( + Lib_IntVector_Intrinsics_vec128 *s, + uint64_t ev, + uint8_t *dst +) +{ + uint32_t double_row = (uint32_t)2U * ((uint32_t)4U * (uint32_t)4U); + KRML_CHECK_SIZE(sizeof (uint8_t), double_row); + uint8_t *b = alloca(double_row * sizeof (uint8_t)); + memset(b, 0U, double_row * sizeof (uint8_t)); + uint8_t *first = b; + uint8_t *second = b + (uint32_t)4U * (uint32_t)4U; + Lib_IntVector_Intrinsics_vec128 *row0 = s + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *row1 = s + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128_store32_le(first, row0[0U]); + Lib_IntVector_Intrinsics_vec128_store32_le(second, row1[0U]); + uint8_t *final = b; + memcpy(dst, final, (uint32_t)32U * sizeof (uint8_t)); + Lib_Memzero0_memzero(b, double_row * sizeof (b[0U])); +} + +uint64_t +Hacl_Hash_Blake2s_128_update_multi_blake2s_128( + Lib_IntVector_Intrinsics_vec128 *s, + uint64_t ev, + uint8_t *blocks, + uint32_t n_blocks +) +{ + for (uint32_t i = (uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)64U; + uint8_t *block = blocks + sz * i; + uint64_t v_ = update_blake2s_128(s, ev + (uint64_t)i * 
(uint64_t)(uint32_t)64U, block); + } + return ev + (uint64_t)n_blocks * (uint64_t)(uint32_t)64U; +} + +uint64_t +Hacl_Hash_Blake2s_128_update_last_blake2s_128( + Lib_IntVector_Intrinsics_vec128 *s, + uint64_t ev, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)64U; + uint32_t blocks_len0 = blocks_n * (uint32_t)64U; + uint32_t rest_len0 = input_len - blocks_len0; + K___uint32_t_uint32_t_uint32_t scrut; + if (rest_len0 == (uint32_t)0U && blocks_n > (uint32_t)0U) + { + uint32_t blocks_n1 = blocks_n - (uint32_t)1U; + uint32_t blocks_len1 = blocks_len0 - (uint32_t)64U; + uint32_t rest_len1 = (uint32_t)64U; + scrut = + ((K___uint32_t_uint32_t_uint32_t){ .fst = blocks_n1, .snd = blocks_len1, .thd = rest_len1 }); + } + else + { + scrut = + ((K___uint32_t_uint32_t_uint32_t){ .fst = blocks_n, .snd = blocks_len0, .thd = rest_len0 }); + } + uint32_t num_blocks0 = scrut.fst; + uint32_t blocks_len = scrut.snd; + uint32_t rest_len1 = scrut.thd; + uint8_t *blocks0 = input; + uint8_t *rest0 = input + blocks_len; + K___uint32_t_uint32_t_uint32_t__uint8_t___uint8_t_ + scrut0 = + { .fst = num_blocks0, .snd = blocks_len, .thd = rest_len1, .f3 = blocks0, .f4 = rest0 }; + uint32_t num_blocks = scrut0.fst; + uint32_t rest_len = scrut0.thd; + uint8_t *blocks = scrut0.f3; + uint8_t *rest = scrut0.f4; + uint64_t ev_ = Hacl_Hash_Blake2s_128_update_multi_blake2s_128(s, ev, blocks, num_blocks); + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec128), (uint32_t)4U * (uint32_t)1U); + Lib_IntVector_Intrinsics_vec128 + *wv = alloca((uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec128)); + for (uint32_t _i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + wv[_i] = Lib_IntVector_Intrinsics_vec128_zero; + uint8_t tmp[64U] = { 0U }; + uint8_t *tmp_rest = tmp; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + uint64_t totlen = ev_ + (uint64_t)rest_len; + uint32_t m_w[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i 
< (uint32_t)16U; i++) + { + uint32_t *os = m_w; + uint8_t *bj = tmp + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_zero; + uint32_t wv_14 = (uint32_t)0xFFFFFFFFU; + uint32_t wv_15 = (uint32_t)0U; + mask = + Lib_IntVector_Intrinsics_vec128_load32s((uint32_t)totlen, + (uint32_t)(totlen >> (uint32_t)32U), + wv_14, + wv_15); + memcpy(wv, s, (uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec128)); + Lib_IntVector_Intrinsics_vec128 *wv3 = wv + (uint32_t)3U * (uint32_t)1U; + wv3[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv3[0U], mask); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)10U; i++) + { + uint32_t start_idx = i % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec128), (uint32_t)4U * (uint32_t)1U); + Lib_IntVector_Intrinsics_vec128 + *m_st = alloca((uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec128)); + for (uint32_t _i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + m_st[_i] = Lib_IntVector_Intrinsics_vec128_zero; + Lib_IntVector_Intrinsics_vec128 *r0 = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r1 = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r20 = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r30 = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t 
s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s0], m_w[s2], m_w[s4], m_w[s6]); + r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s1], m_w[s3], m_w[s5], m_w[s7]); + r20[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s8], m_w[s10], m_w[s12], m_w[s14]); + r30[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s9], m_w[s11], m_w[s13], m_w[s15]); + Lib_IntVector_Intrinsics_vec128 *x = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *y = m_st + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *z = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *w = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d0 = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec128 *wv_a0 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b0 = wv + b0 * (uint32_t)1U; + wv_a0[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a0[0U], wv_b0[0U]); + wv_a0[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a0[0U], x[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a1 = wv + d0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b1 = wv + a * (uint32_t)1U; + wv_a1[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a1[0U], wv_b1[0U]); + 
wv_a1[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a1[0U], (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 *wv_a2 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b2 = wv + d0 * (uint32_t)1U; + wv_a2[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a2[0U], wv_b2[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a3 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b3 = wv + c0 * (uint32_t)1U; + wv_a3[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a3[0U], wv_b3[0U]); + wv_a3[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a3[0U], (uint32_t)12U); + Lib_IntVector_Intrinsics_vec128 *wv_a4 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b4 = wv + b0 * (uint32_t)1U; + wv_a4[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a4[0U], wv_b4[0U]); + wv_a4[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a4[0U], y[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a5 = wv + d0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b5 = wv + a * (uint32_t)1U; + wv_a5[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a5[0U], wv_b5[0U]); + wv_a5[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a5[0U], (uint32_t)8U); + Lib_IntVector_Intrinsics_vec128 *wv_a6 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b6 = wv + d0 * (uint32_t)1U; + wv_a6[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a6[0U], wv_b6[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a7 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b7 = wv + c0 * (uint32_t)1U; + wv_a7[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a7[0U], wv_b7[0U]); + wv_a7[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a7[0U], (uint32_t)7U); + Lib_IntVector_Intrinsics_vec128 *r10 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r21 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r31 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 v00 = r10[0U]; + Lib_IntVector_Intrinsics_vec128 + v1 = 
Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v00, (uint32_t)1U); + r10[0U] = v1; + Lib_IntVector_Intrinsics_vec128 v01 = r21[0U]; + Lib_IntVector_Intrinsics_vec128 + v10 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v01, (uint32_t)2U); + r21[0U] = v10; + Lib_IntVector_Intrinsics_vec128 v02 = r31[0U]; + Lib_IntVector_Intrinsics_vec128 + v11 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v02, (uint32_t)3U); + r31[0U] = v11; + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec128 *wv_a = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b8 = wv + b * (uint32_t)1U; + wv_a[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a[0U], wv_b8[0U]); + wv_a[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a[0U], z[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a8 = wv + d * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b9 = wv + a0 * (uint32_t)1U; + wv_a8[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a8[0U], wv_b9[0U]); + wv_a8[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a8[0U], (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 *wv_a9 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b10 = wv + d * (uint32_t)1U; + wv_a9[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a9[0U], wv_b10[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a10 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b11 = wv + c * (uint32_t)1U; + wv_a10[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a10[0U], wv_b11[0U]); + wv_a10[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a10[0U], (uint32_t)12U); + Lib_IntVector_Intrinsics_vec128 *wv_a11 = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b12 = wv + b * (uint32_t)1U; + wv_a11[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a11[0U], wv_b12[0U]); + wv_a11[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a11[0U], w[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a12 = wv + d * (uint32_t)1U; + 
Lib_IntVector_Intrinsics_vec128 *wv_b13 = wv + a0 * (uint32_t)1U; + wv_a12[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a12[0U], wv_b13[0U]); + wv_a12[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a12[0U], (uint32_t)8U); + Lib_IntVector_Intrinsics_vec128 *wv_a13 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b14 = wv + d * (uint32_t)1U; + wv_a13[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a13[0U], wv_b14[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a14 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b = wv + c * (uint32_t)1U; + wv_a14[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a14[0U], wv_b[0U]); + wv_a14[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a14[0U], (uint32_t)7U); + Lib_IntVector_Intrinsics_vec128 *r11 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r3 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 v0 = r11[0U]; + Lib_IntVector_Intrinsics_vec128 + v12 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v0, (uint32_t)3U); + r11[0U] = v12; + Lib_IntVector_Intrinsics_vec128 v03 = r2[0U]; + Lib_IntVector_Intrinsics_vec128 + v13 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v03, (uint32_t)2U); + r2[0U] = v13; + Lib_IntVector_Intrinsics_vec128 v04 = r3[0U]; + Lib_IntVector_Intrinsics_vec128 + v14 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v04, (uint32_t)1U); + r3[0U] = v14; + } + Lib_IntVector_Intrinsics_vec128 *s0 = s + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *s1 = s + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r0 = wv + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r1 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r3 = wv + (uint32_t)3U * (uint32_t)1U; + s0[0U] = Lib_IntVector_Intrinsics_vec128_xor(s0[0U], 
r0[0U]); + s0[0U] = Lib_IntVector_Intrinsics_vec128_xor(s0[0U], r2[0U]); + s1[0U] = Lib_IntVector_Intrinsics_vec128_xor(s1[0U], r1[0U]); + s1[0U] = Lib_IntVector_Intrinsics_vec128_xor(s1[0U], r3[0U]); + return (uint64_t)0U; +} + +void Hacl_Hash_Blake2s_128_hash_blake2s_128(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + Hacl_Blake2s_128_blake2s((uint32_t)32U, dst, input_len, input, (uint32_t)0U, NULL); +} + +static inline void +blake2s_update_block( + Lib_IntVector_Intrinsics_vec128 *wv, + Lib_IntVector_Intrinsics_vec128 *hash, + bool flag, + uint64_t totlen, + uint8_t *d +) +{ + uint32_t m_w[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = m_w; + uint8_t *bj = d + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_zero; + uint32_t wv_14; + if (flag) + { + wv_14 = (uint32_t)0xFFFFFFFFU; + } + else + { + wv_14 = (uint32_t)0U; + } + uint32_t wv_15 = (uint32_t)0U; + mask = + Lib_IntVector_Intrinsics_vec128_load32s((uint32_t)totlen, + (uint32_t)(totlen >> (uint32_t)32U), + wv_14, + wv_15); + memcpy(wv, hash, (uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec128)); + Lib_IntVector_Intrinsics_vec128 *wv3 = wv + (uint32_t)3U * (uint32_t)1U; + wv3[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv3[0U], mask); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)10U; i++) + { + uint32_t start_idx = i % (uint32_t)10U * (uint32_t)16U; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec128), (uint32_t)4U * (uint32_t)1U); + Lib_IntVector_Intrinsics_vec128 + *m_st = alloca((uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec128)); + for (uint32_t _i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + m_st[_i] = Lib_IntVector_Intrinsics_vec128_zero; + Lib_IntVector_Intrinsics_vec128 *r0 = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r1 = m_st + (uint32_t)1U * 
(uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r20 = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r30 = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t s0 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx]; + uint32_t s1 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)1U]; + uint32_t s2 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)2U]; + uint32_t s3 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)3U]; + uint32_t s4 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)4U]; + uint32_t s5 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)5U]; + uint32_t s6 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)6U]; + uint32_t s7 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)7U]; + uint32_t s8 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)8U]; + uint32_t s9 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)9U]; + uint32_t s10 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)10U]; + uint32_t s11 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)11U]; + uint32_t s12 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)12U]; + uint32_t s13 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)13U]; + uint32_t s14 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)14U]; + uint32_t s15 = Hacl_Impl_Blake2_Constants_sigmaTable[start_idx + (uint32_t)15U]; + r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s0], m_w[s2], m_w[s4], m_w[s6]); + r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s1], m_w[s3], m_w[s5], m_w[s7]); + r20[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s8], m_w[s10], m_w[s12], m_w[s14]); + r30[0U] = Lib_IntVector_Intrinsics_vec128_load32s(m_w[s9], m_w[s11], m_w[s13], m_w[s15]); + Lib_IntVector_Intrinsics_vec128 *x = m_st + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *y = m_st + (uint32_t)1U * (uint32_t)1U; + 
Lib_IntVector_Intrinsics_vec128 *z = m_st + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *w = m_st + (uint32_t)3U * (uint32_t)1U; + uint32_t a = (uint32_t)0U; + uint32_t b0 = (uint32_t)1U; + uint32_t c0 = (uint32_t)2U; + uint32_t d10 = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec128 *wv_a0 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b0 = wv + b0 * (uint32_t)1U; + wv_a0[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a0[0U], wv_b0[0U]); + wv_a0[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a0[0U], x[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a1 = wv + d10 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b1 = wv + a * (uint32_t)1U; + wv_a1[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a1[0U], wv_b1[0U]); + wv_a1[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a1[0U], (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 *wv_a2 = wv + c0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b2 = wv + d10 * (uint32_t)1U; + wv_a2[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a2[0U], wv_b2[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a3 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b3 = wv + c0 * (uint32_t)1U; + wv_a3[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a3[0U], wv_b3[0U]); + wv_a3[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a3[0U], (uint32_t)12U); + Lib_IntVector_Intrinsics_vec128 *wv_a4 = wv + a * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b4 = wv + b0 * (uint32_t)1U; + wv_a4[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a4[0U], wv_b4[0U]); + wv_a4[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a4[0U], y[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a5 = wv + d10 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b5 = wv + a * (uint32_t)1U; + wv_a5[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a5[0U], wv_b5[0U]); + wv_a5[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a5[0U], (uint32_t)8U); + Lib_IntVector_Intrinsics_vec128 *wv_a6 = wv + c0 * (uint32_t)1U; + 
Lib_IntVector_Intrinsics_vec128 *wv_b6 = wv + d10 * (uint32_t)1U; + wv_a6[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a6[0U], wv_b6[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a7 = wv + b0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b7 = wv + c0 * (uint32_t)1U; + wv_a7[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a7[0U], wv_b7[0U]); + wv_a7[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a7[0U], (uint32_t)7U); + Lib_IntVector_Intrinsics_vec128 *r10 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r21 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r31 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 v00 = r10[0U]; + Lib_IntVector_Intrinsics_vec128 + v1 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v00, (uint32_t)1U); + r10[0U] = v1; + Lib_IntVector_Intrinsics_vec128 v01 = r21[0U]; + Lib_IntVector_Intrinsics_vec128 + v10 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v01, (uint32_t)2U); + r21[0U] = v10; + Lib_IntVector_Intrinsics_vec128 v02 = r31[0U]; + Lib_IntVector_Intrinsics_vec128 + v11 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v02, (uint32_t)3U); + r31[0U] = v11; + uint32_t a0 = (uint32_t)0U; + uint32_t b = (uint32_t)1U; + uint32_t c = (uint32_t)2U; + uint32_t d1 = (uint32_t)3U; + Lib_IntVector_Intrinsics_vec128 *wv_a = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b8 = wv + b * (uint32_t)1U; + wv_a[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a[0U], wv_b8[0U]); + wv_a[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a[0U], z[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a8 = wv + d1 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b9 = wv + a0 * (uint32_t)1U; + wv_a8[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a8[0U], wv_b9[0U]); + wv_a8[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a8[0U], (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 *wv_a9 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b10 = 
wv + d1 * (uint32_t)1U; + wv_a9[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a9[0U], wv_b10[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a10 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b11 = wv + c * (uint32_t)1U; + wv_a10[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a10[0U], wv_b11[0U]); + wv_a10[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a10[0U], (uint32_t)12U); + Lib_IntVector_Intrinsics_vec128 *wv_a11 = wv + a0 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b12 = wv + b * (uint32_t)1U; + wv_a11[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a11[0U], wv_b12[0U]); + wv_a11[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a11[0U], w[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a12 = wv + d1 * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b13 = wv + a0 * (uint32_t)1U; + wv_a12[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a12[0U], wv_b13[0U]); + wv_a12[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a12[0U], (uint32_t)8U); + Lib_IntVector_Intrinsics_vec128 *wv_a13 = wv + c * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b14 = wv + d1 * (uint32_t)1U; + wv_a13[0U] = Lib_IntVector_Intrinsics_vec128_add32(wv_a13[0U], wv_b14[0U]); + Lib_IntVector_Intrinsics_vec128 *wv_a14 = wv + b * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *wv_b = wv + c * (uint32_t)1U; + wv_a14[0U] = Lib_IntVector_Intrinsics_vec128_xor(wv_a14[0U], wv_b[0U]); + wv_a14[0U] = Lib_IntVector_Intrinsics_vec128_rotate_right32(wv_a14[0U], (uint32_t)7U); + Lib_IntVector_Intrinsics_vec128 *r11 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r3 = wv + (uint32_t)3U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 v0 = r11[0U]; + Lib_IntVector_Intrinsics_vec128 + v12 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v0, (uint32_t)3U); + r11[0U] = v12; + Lib_IntVector_Intrinsics_vec128 v03 = r2[0U]; + Lib_IntVector_Intrinsics_vec128 + v13 = 
Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v03, (uint32_t)2U); + r2[0U] = v13; + Lib_IntVector_Intrinsics_vec128 v04 = r3[0U]; + Lib_IntVector_Intrinsics_vec128 + v14 = Lib_IntVector_Intrinsics_vec128_rotate_right_lanes32(v04, (uint32_t)1U); + r3[0U] = v14; + } + Lib_IntVector_Intrinsics_vec128 *s0 = hash + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *s1 = hash + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r0 = wv + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r1 = wv + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r2 = wv + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r3 = wv + (uint32_t)3U * (uint32_t)1U; + s0[0U] = Lib_IntVector_Intrinsics_vec128_xor(s0[0U], r0[0U]); + s0[0U] = Lib_IntVector_Intrinsics_vec128_xor(s0[0U], r2[0U]); + s1[0U] = Lib_IntVector_Intrinsics_vec128_xor(s1[0U], r1[0U]); + s1[0U] = Lib_IntVector_Intrinsics_vec128_xor(s1[0U], r3[0U]); +} + +void +Hacl_Blake2s_128_blake2s_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t kk, uint32_t nn) +{ + Lib_IntVector_Intrinsics_vec128 *r0 = hash + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r1 = hash + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r2 = hash + (uint32_t)2U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *r3 = hash + (uint32_t)3U * (uint32_t)1U; + uint32_t iv0 = Hacl_Impl_Blake2_Constants_ivTable_S[0U]; + uint32_t iv1 = Hacl_Impl_Blake2_Constants_ivTable_S[1U]; + uint32_t iv2 = Hacl_Impl_Blake2_Constants_ivTable_S[2U]; + uint32_t iv3 = Hacl_Impl_Blake2_Constants_ivTable_S[3U]; + uint32_t iv4 = Hacl_Impl_Blake2_Constants_ivTable_S[4U]; + uint32_t iv5 = Hacl_Impl_Blake2_Constants_ivTable_S[5U]; + uint32_t iv6 = Hacl_Impl_Blake2_Constants_ivTable_S[6U]; + uint32_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; + r2[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0, iv1, iv2, iv3); + r3[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, 
iv7); + uint32_t kk_shift_8 = kk << (uint32_t)8U; + uint32_t iv0_ = iv0 ^ ((uint32_t)0x01010000U ^ (kk_shift_8 ^ nn)); + r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0_, iv1, iv2, iv3); + r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); +} + +void +Hacl_Blake2s_128_blake2s_update_key( + Lib_IntVector_Intrinsics_vec128 *wv, + Lib_IntVector_Intrinsics_vec128 *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll +) +{ + uint64_t lb = (uint64_t)(uint32_t)64U; + uint8_t b[64U] = { 0U }; + memcpy(b, k, kk * sizeof (uint8_t)); + if (ll == (uint32_t)0U) + { + blake2s_update_block(wv, hash, true, lb, b); + } + else + { + blake2s_update_block(wv, hash, false, lb, b); + } + Lib_Memzero0_memzero(b, (uint32_t)64U * sizeof (b[0U])); +} + +void +Hacl_Blake2s_128_blake2s_update_multi( + uint32_t len, + Lib_IntVector_Intrinsics_vec128 *wv, + Lib_IntVector_Intrinsics_vec128 *hash, + uint64_t prev, + uint8_t *blocks, + uint32_t nb +) +{ + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint64_t totlen = prev + (uint64_t)((i + (uint32_t)1U) * (uint32_t)64U); + uint8_t *b = blocks + i * (uint32_t)64U; + blake2s_update_block(wv, hash, false, totlen, b); + } +} + +void +Hacl_Blake2s_128_blake2s_update_last( + uint32_t len, + Lib_IntVector_Intrinsics_vec128 *wv, + Lib_IntVector_Intrinsics_vec128 *hash, + uint64_t prev, + uint32_t rem, + uint8_t *d +) +{ + uint8_t b[64U] = { 0U }; + uint8_t *last = d + len - rem; + memcpy(b, last, rem * sizeof (uint8_t)); + uint64_t totlen = prev + (uint64_t)len; + blake2s_update_block(wv, hash, true, totlen, b); + Lib_Memzero0_memzero(b, (uint32_t)64U * sizeof (b[0U])); +} + +static inline void +blake2s_update_blocks( + uint32_t len, + Lib_IntVector_Intrinsics_vec128 *wv, + Lib_IntVector_Intrinsics_vec128 *hash, + uint64_t prev, + uint8_t *blocks +) +{ + uint32_t nb0 = len / (uint32_t)64U; + uint32_t rem0 = len % (uint32_t)64U; + K___uint32_t_uint32_t scrut; + if (rem0 == (uint32_t)0U && nb0 > (uint32_t)0U) + { + uint32_t nb_ = 
nb0 - (uint32_t)1U; + uint32_t rem_ = (uint32_t)64U; + scrut = ((K___uint32_t_uint32_t){ .fst = nb_, .snd = rem_ }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = nb0, .snd = rem0 }); + } + uint32_t nb = scrut.fst; + uint32_t rem = scrut.snd; + Hacl_Blake2s_128_blake2s_update_multi(len, wv, hash, prev, blocks, nb); + Hacl_Blake2s_128_blake2s_update_last(len, wv, hash, prev, rem, blocks); +} + +static inline void +blake2s_update( + Lib_IntVector_Intrinsics_vec128 *wv, + Lib_IntVector_Intrinsics_vec128 *hash, + uint32_t kk, + uint8_t *k, + uint32_t ll, + uint8_t *d +) +{ + uint64_t lb = (uint64_t)(uint32_t)64U; + if (kk > (uint32_t)0U) + { + Hacl_Blake2s_128_blake2s_update_key(wv, hash, kk, k, ll); + if (!(ll == (uint32_t)0U)) + { + blake2s_update_blocks(ll, wv, hash, lb, d); + return; + } + return; + } + blake2s_update_blocks(ll, wv, hash, (uint64_t)(uint32_t)0U, d); +} + +void +Hacl_Blake2s_128_blake2s_finish( + uint32_t nn, + uint8_t *output, + Lib_IntVector_Intrinsics_vec128 *hash +) +{ + uint32_t double_row = (uint32_t)2U * ((uint32_t)4U * (uint32_t)4U); + KRML_CHECK_SIZE(sizeof (uint8_t), double_row); + uint8_t *b = alloca(double_row * sizeof (uint8_t)); + memset(b, 0U, double_row * sizeof (uint8_t)); + uint8_t *first = b; + uint8_t *second = b + (uint32_t)4U * (uint32_t)4U; + Lib_IntVector_Intrinsics_vec128 *row0 = hash + (uint32_t)0U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 *row1 = hash + (uint32_t)1U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128_store32_le(first, row0[0U]); + Lib_IntVector_Intrinsics_vec128_store32_le(second, row1[0U]); + uint8_t *final = b; + memcpy(output, final, nn * sizeof (uint8_t)); + Lib_Memzero0_memzero(b, double_row * sizeof (b[0U])); +} + +void +Hacl_Blake2s_128_blake2s( + uint32_t nn, + uint8_t *output, + uint32_t ll, + uint8_t *d, + uint32_t kk, + uint8_t *k +) +{ + uint32_t stlen = (uint32_t)4U * (uint32_t)1U; + Lib_IntVector_Intrinsics_vec128 stzero = Lib_IntVector_Intrinsics_vec128_zero; + 
KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec128), stlen); + Lib_IntVector_Intrinsics_vec128 *b = alloca(stlen * sizeof (Lib_IntVector_Intrinsics_vec128)); + for (uint32_t _i = 0U; _i < stlen; ++_i) + b[_i] = stzero; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec128), stlen); + Lib_IntVector_Intrinsics_vec128 *b1 = alloca(stlen * sizeof (Lib_IntVector_Intrinsics_vec128)); + for (uint32_t _i = 0U; _i < stlen; ++_i) + b1[_i] = stzero; + Hacl_Blake2s_128_blake2s_init(b, kk, nn); + blake2s_update(b1, b, kk, k, ll, d); + Hacl_Blake2s_128_blake2s_finish(nn, output, b); + Lib_Memzero0_memzero(b1, stlen * sizeof (b1[0U])); + Lib_Memzero0_memzero(b, stlen * sizeof (b[0U])); +} + diff --git a/src/msvc/Hacl_Hash_MD5.c b/src/msvc/Hacl_Hash_MD5.c new file mode 100644 index 00000000..54aef8c9 --- /dev/null +++ b/src/msvc/Hacl_Hash_MD5.c 
@@ -0,0 +1,1209 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Hash_MD5.h" + + + +static uint32_t +_h0[4U] = + { (uint32_t)0x67452301U, (uint32_t)0xefcdab89U, (uint32_t)0x98badcfeU, (uint32_t)0x10325476U }; + +static uint32_t +_t[64U] = + { + (uint32_t)0xd76aa478U, (uint32_t)0xe8c7b756U, (uint32_t)0x242070dbU, (uint32_t)0xc1bdceeeU, + (uint32_t)0xf57c0fafU, (uint32_t)0x4787c62aU, (uint32_t)0xa8304613U, (uint32_t)0xfd469501U, + (uint32_t)0x698098d8U, (uint32_t)0x8b44f7afU, (uint32_t)0xffff5bb1U, (uint32_t)0x895cd7beU, + (uint32_t)0x6b901122U, (uint32_t)0xfd987193U, (uint32_t)0xa679438eU, (uint32_t)0x49b40821U, + (uint32_t)0xf61e2562U, (uint32_t)0xc040b340U, (uint32_t)0x265e5a51U, (uint32_t)0xe9b6c7aaU, + (uint32_t)0xd62f105dU, (uint32_t)0x02441453U, (uint32_t)0xd8a1e681U, (uint32_t)0xe7d3fbc8U, + (uint32_t)0x21e1cde6U, (uint32_t)0xc33707d6U, (uint32_t)0xf4d50d87U, (uint32_t)0x455a14edU, + (uint32_t)0xa9e3e905U, (uint32_t)0xfcefa3f8U, (uint32_t)0x676f02d9U, (uint32_t)0x8d2a4c8aU, + (uint32_t)0xfffa3942U, (uint32_t)0x8771f681U, (uint32_t)0x6d9d6122U, (uint32_t)0xfde5380cU, + (uint32_t)0xa4beea44U, (uint32_t)0x4bdecfa9U, (uint32_t)0xf6bb4b60U, (uint32_t)0xbebfbc70U, + (uint32_t)0x289b7ec6U, (uint32_t)0xeaa127faU, (uint32_t)0xd4ef3085U, (uint32_t)0x4881d05U, + (uint32_t)0xd9d4d039U, (uint32_t)0xe6db99e5U, (uint32_t)0x1fa27cf8U, (uint32_t)0xc4ac5665U, + (uint32_t)0xf4292244U, (uint32_t)0x432aff97U, (uint32_t)0xab9423a7U, (uint32_t)0xfc93a039U, + (uint32_t)0x655b59c3U, (uint32_t)0x8f0ccc92U, (uint32_t)0xffeff47dU, (uint32_t)0x85845dd1U, + (uint32_t)0x6fa87e4fU, (uint32_t)0xfe2ce6e0U, (uint32_t)0xa3014314U, (uint32_t)0x4e0811a1U, + (uint32_t)0xf7537e82U, (uint32_t)0xbd3af235U, (uint32_t)0x2ad7d2bbU, (uint32_t)0xeb86d391U + }; + +void Hacl_Hash_Core_MD5_legacy_init(uint32_t *s) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + s[i] = _h0[i]; + } +} + +void Hacl_Hash_Core_MD5_legacy_update(uint32_t *abcd, uint8_t *x) +{ + uint32_t aa = abcd[0U]; + uint32_t bb = abcd[1U]; + uint32_t cc = 
abcd[2U]; + uint32_t dd = abcd[3U]; + uint32_t va = abcd[0U]; + uint32_t vb0 = abcd[1U]; + uint32_t vc0 = abcd[2U]; + uint32_t vd0 = abcd[3U]; + uint8_t *b0 = x; + uint32_t u = load32_le(b0); + uint32_t xk = u; + uint32_t ti0 = _t[0U]; + uint32_t + v = + vb0 + + + ((va + ((vb0 & vc0) | (~vb0 & vd0)) + xk + ti0) + << (uint32_t)7U + | (va + ((vb0 & vc0) | (~vb0 & vd0)) + xk + ti0) >> (uint32_t)25U); + abcd[0U] = v; + uint32_t va0 = abcd[3U]; + uint32_t vb1 = abcd[0U]; + uint32_t vc1 = abcd[1U]; + uint32_t vd1 = abcd[2U]; + uint8_t *b1 = x + (uint32_t)4U; + uint32_t u0 = load32_le(b1); + uint32_t xk0 = u0; + uint32_t ti1 = _t[1U]; + uint32_t + v0 = + vb1 + + + ((va0 + ((vb1 & vc1) | (~vb1 & vd1)) + xk0 + ti1) + << (uint32_t)12U + | (va0 + ((vb1 & vc1) | (~vb1 & vd1)) + xk0 + ti1) >> (uint32_t)20U); + abcd[3U] = v0; + uint32_t va1 = abcd[2U]; + uint32_t vb2 = abcd[3U]; + uint32_t vc2 = abcd[0U]; + uint32_t vd2 = abcd[1U]; + uint8_t *b2 = x + (uint32_t)8U; + uint32_t u1 = load32_le(b2); + uint32_t xk1 = u1; + uint32_t ti2 = _t[2U]; + uint32_t + v1 = + vb2 + + + ((va1 + ((vb2 & vc2) | (~vb2 & vd2)) + xk1 + ti2) + << (uint32_t)17U + | (va1 + ((vb2 & vc2) | (~vb2 & vd2)) + xk1 + ti2) >> (uint32_t)15U); + abcd[2U] = v1; + uint32_t va2 = abcd[1U]; + uint32_t vb3 = abcd[2U]; + uint32_t vc3 = abcd[3U]; + uint32_t vd3 = abcd[0U]; + uint8_t *b3 = x + (uint32_t)12U; + uint32_t u2 = load32_le(b3); + uint32_t xk2 = u2; + uint32_t ti3 = _t[3U]; + uint32_t + v2 = + vb3 + + + ((va2 + ((vb3 & vc3) | (~vb3 & vd3)) + xk2 + ti3) + << (uint32_t)22U + | (va2 + ((vb3 & vc3) | (~vb3 & vd3)) + xk2 + ti3) >> (uint32_t)10U); + abcd[1U] = v2; + uint32_t va3 = abcd[0U]; + uint32_t vb4 = abcd[1U]; + uint32_t vc4 = abcd[2U]; + uint32_t vd4 = abcd[3U]; + uint8_t *b4 = x + (uint32_t)16U; + uint32_t u3 = load32_le(b4); + uint32_t xk3 = u3; + uint32_t ti4 = _t[4U]; + uint32_t + v3 = + vb4 + + + ((va3 + ((vb4 & vc4) | (~vb4 & vd4)) + xk3 + ti4) + << (uint32_t)7U + | (va3 + ((vb4 & vc4) | (~vb4 & vd4)) + 
xk3 + ti4) >> (uint32_t)25U); + abcd[0U] = v3; + uint32_t va4 = abcd[3U]; + uint32_t vb5 = abcd[0U]; + uint32_t vc5 = abcd[1U]; + uint32_t vd5 = abcd[2U]; + uint8_t *b5 = x + (uint32_t)20U; + uint32_t u4 = load32_le(b5); + uint32_t xk4 = u4; + uint32_t ti5 = _t[5U]; + uint32_t + v4 = + vb5 + + + ((va4 + ((vb5 & vc5) | (~vb5 & vd5)) + xk4 + ti5) + << (uint32_t)12U + | (va4 + ((vb5 & vc5) | (~vb5 & vd5)) + xk4 + ti5) >> (uint32_t)20U); + abcd[3U] = v4; + uint32_t va5 = abcd[2U]; + uint32_t vb6 = abcd[3U]; + uint32_t vc6 = abcd[0U]; + uint32_t vd6 = abcd[1U]; + uint8_t *b6 = x + (uint32_t)24U; + uint32_t u5 = load32_le(b6); + uint32_t xk5 = u5; + uint32_t ti6 = _t[6U]; + uint32_t + v5 = + vb6 + + + ((va5 + ((vb6 & vc6) | (~vb6 & vd6)) + xk5 + ti6) + << (uint32_t)17U + | (va5 + ((vb6 & vc6) | (~vb6 & vd6)) + xk5 + ti6) >> (uint32_t)15U); + abcd[2U] = v5; + uint32_t va6 = abcd[1U]; + uint32_t vb7 = abcd[2U]; + uint32_t vc7 = abcd[3U]; + uint32_t vd7 = abcd[0U]; + uint8_t *b7 = x + (uint32_t)28U; + uint32_t u6 = load32_le(b7); + uint32_t xk6 = u6; + uint32_t ti7 = _t[7U]; + uint32_t + v6 = + vb7 + + + ((va6 + ((vb7 & vc7) | (~vb7 & vd7)) + xk6 + ti7) + << (uint32_t)22U + | (va6 + ((vb7 & vc7) | (~vb7 & vd7)) + xk6 + ti7) >> (uint32_t)10U); + abcd[1U] = v6; + uint32_t va7 = abcd[0U]; + uint32_t vb8 = abcd[1U]; + uint32_t vc8 = abcd[2U]; + uint32_t vd8 = abcd[3U]; + uint8_t *b8 = x + (uint32_t)32U; + uint32_t u7 = load32_le(b8); + uint32_t xk7 = u7; + uint32_t ti8 = _t[8U]; + uint32_t + v7 = + vb8 + + + ((va7 + ((vb8 & vc8) | (~vb8 & vd8)) + xk7 + ti8) + << (uint32_t)7U + | (va7 + ((vb8 & vc8) | (~vb8 & vd8)) + xk7 + ti8) >> (uint32_t)25U); + abcd[0U] = v7; + uint32_t va8 = abcd[3U]; + uint32_t vb9 = abcd[0U]; + uint32_t vc9 = abcd[1U]; + uint32_t vd9 = abcd[2U]; + uint8_t *b9 = x + (uint32_t)36U; + uint32_t u8 = load32_le(b9); + uint32_t xk8 = u8; + uint32_t ti9 = _t[9U]; + uint32_t + v8 = + vb9 + + + ((va8 + ((vb9 & vc9) | (~vb9 & vd9)) + xk8 + ti9) + << (uint32_t)12U + 
| (va8 + ((vb9 & vc9) | (~vb9 & vd9)) + xk8 + ti9) >> (uint32_t)20U); + abcd[3U] = v8; + uint32_t va9 = abcd[2U]; + uint32_t vb10 = abcd[3U]; + uint32_t vc10 = abcd[0U]; + uint32_t vd10 = abcd[1U]; + uint8_t *b10 = x + (uint32_t)40U; + uint32_t u9 = load32_le(b10); + uint32_t xk9 = u9; + uint32_t ti10 = _t[10U]; + uint32_t + v9 = + vb10 + + + ((va9 + ((vb10 & vc10) | (~vb10 & vd10)) + xk9 + ti10) + << (uint32_t)17U + | (va9 + ((vb10 & vc10) | (~vb10 & vd10)) + xk9 + ti10) >> (uint32_t)15U); + abcd[2U] = v9; + uint32_t va10 = abcd[1U]; + uint32_t vb11 = abcd[2U]; + uint32_t vc11 = abcd[3U]; + uint32_t vd11 = abcd[0U]; + uint8_t *b11 = x + (uint32_t)44U; + uint32_t u10 = load32_le(b11); + uint32_t xk10 = u10; + uint32_t ti11 = _t[11U]; + uint32_t + v10 = + vb11 + + + ((va10 + ((vb11 & vc11) | (~vb11 & vd11)) + xk10 + ti11) + << (uint32_t)22U + | (va10 + ((vb11 & vc11) | (~vb11 & vd11)) + xk10 + ti11) >> (uint32_t)10U); + abcd[1U] = v10; + uint32_t va11 = abcd[0U]; + uint32_t vb12 = abcd[1U]; + uint32_t vc12 = abcd[2U]; + uint32_t vd12 = abcd[3U]; + uint8_t *b12 = x + (uint32_t)48U; + uint32_t u11 = load32_le(b12); + uint32_t xk11 = u11; + uint32_t ti12 = _t[12U]; + uint32_t + v11 = + vb12 + + + ((va11 + ((vb12 & vc12) | (~vb12 & vd12)) + xk11 + ti12) + << (uint32_t)7U + | (va11 + ((vb12 & vc12) | (~vb12 & vd12)) + xk11 + ti12) >> (uint32_t)25U); + abcd[0U] = v11; + uint32_t va12 = abcd[3U]; + uint32_t vb13 = abcd[0U]; + uint32_t vc13 = abcd[1U]; + uint32_t vd13 = abcd[2U]; + uint8_t *b13 = x + (uint32_t)52U; + uint32_t u12 = load32_le(b13); + uint32_t xk12 = u12; + uint32_t ti13 = _t[13U]; + uint32_t + v12 = + vb13 + + + ((va12 + ((vb13 & vc13) | (~vb13 & vd13)) + xk12 + ti13) + << (uint32_t)12U + | (va12 + ((vb13 & vc13) | (~vb13 & vd13)) + xk12 + ti13) >> (uint32_t)20U); + abcd[3U] = v12; + uint32_t va13 = abcd[2U]; + uint32_t vb14 = abcd[3U]; + uint32_t vc14 = abcd[0U]; + uint32_t vd14 = abcd[1U]; + uint8_t *b14 = x + (uint32_t)56U; + uint32_t u13 = 
load32_le(b14); + uint32_t xk13 = u13; + uint32_t ti14 = _t[14U]; + uint32_t + v13 = + vb14 + + + ((va13 + ((vb14 & vc14) | (~vb14 & vd14)) + xk13 + ti14) + << (uint32_t)17U + | (va13 + ((vb14 & vc14) | (~vb14 & vd14)) + xk13 + ti14) >> (uint32_t)15U); + abcd[2U] = v13; + uint32_t va14 = abcd[1U]; + uint32_t vb15 = abcd[2U]; + uint32_t vc15 = abcd[3U]; + uint32_t vd15 = abcd[0U]; + uint8_t *b15 = x + (uint32_t)60U; + uint32_t u14 = load32_le(b15); + uint32_t xk14 = u14; + uint32_t ti15 = _t[15U]; + uint32_t + v14 = + vb15 + + + ((va14 + ((vb15 & vc15) | (~vb15 & vd15)) + xk14 + ti15) + << (uint32_t)22U + | (va14 + ((vb15 & vc15) | (~vb15 & vd15)) + xk14 + ti15) >> (uint32_t)10U); + abcd[1U] = v14; + uint32_t va15 = abcd[0U]; + uint32_t vb16 = abcd[1U]; + uint32_t vc16 = abcd[2U]; + uint32_t vd16 = abcd[3U]; + uint8_t *b16 = x + (uint32_t)4U; + uint32_t u15 = load32_le(b16); + uint32_t xk15 = u15; + uint32_t ti16 = _t[16U]; + uint32_t + v15 = + vb16 + + + ((va15 + ((vb16 & vd16) | (vc16 & ~vd16)) + xk15 + ti16) + << (uint32_t)5U + | (va15 + ((vb16 & vd16) | (vc16 & ~vd16)) + xk15 + ti16) >> (uint32_t)27U); + abcd[0U] = v15; + uint32_t va16 = abcd[3U]; + uint32_t vb17 = abcd[0U]; + uint32_t vc17 = abcd[1U]; + uint32_t vd17 = abcd[2U]; + uint8_t *b17 = x + (uint32_t)24U; + uint32_t u16 = load32_le(b17); + uint32_t xk16 = u16; + uint32_t ti17 = _t[17U]; + uint32_t + v16 = + vb17 + + + ((va16 + ((vb17 & vd17) | (vc17 & ~vd17)) + xk16 + ti17) + << (uint32_t)9U + | (va16 + ((vb17 & vd17) | (vc17 & ~vd17)) + xk16 + ti17) >> (uint32_t)23U); + abcd[3U] = v16; + uint32_t va17 = abcd[2U]; + uint32_t vb18 = abcd[3U]; + uint32_t vc18 = abcd[0U]; + uint32_t vd18 = abcd[1U]; + uint8_t *b18 = x + (uint32_t)44U; + uint32_t u17 = load32_le(b18); + uint32_t xk17 = u17; + uint32_t ti18 = _t[18U]; + uint32_t + v17 = + vb18 + + + ((va17 + ((vb18 & vd18) | (vc18 & ~vd18)) + xk17 + ti18) + << (uint32_t)14U + | (va17 + ((vb18 & vd18) | (vc18 & ~vd18)) + xk17 + ti18) >> (uint32_t)18U); + 
abcd[2U] = v17; + uint32_t va18 = abcd[1U]; + uint32_t vb19 = abcd[2U]; + uint32_t vc19 = abcd[3U]; + uint32_t vd19 = abcd[0U]; + uint8_t *b19 = x; + uint32_t u18 = load32_le(b19); + uint32_t xk18 = u18; + uint32_t ti19 = _t[19U]; + uint32_t + v18 = + vb19 + + + ((va18 + ((vb19 & vd19) | (vc19 & ~vd19)) + xk18 + ti19) + << (uint32_t)20U + | (va18 + ((vb19 & vd19) | (vc19 & ~vd19)) + xk18 + ti19) >> (uint32_t)12U); + abcd[1U] = v18; + uint32_t va19 = abcd[0U]; + uint32_t vb20 = abcd[1U]; + uint32_t vc20 = abcd[2U]; + uint32_t vd20 = abcd[3U]; + uint8_t *b20 = x + (uint32_t)20U; + uint32_t u19 = load32_le(b20); + uint32_t xk19 = u19; + uint32_t ti20 = _t[20U]; + uint32_t + v19 = + vb20 + + + ((va19 + ((vb20 & vd20) | (vc20 & ~vd20)) + xk19 + ti20) + << (uint32_t)5U + | (va19 + ((vb20 & vd20) | (vc20 & ~vd20)) + xk19 + ti20) >> (uint32_t)27U); + abcd[0U] = v19; + uint32_t va20 = abcd[3U]; + uint32_t vb21 = abcd[0U]; + uint32_t vc21 = abcd[1U]; + uint32_t vd21 = abcd[2U]; + uint8_t *b21 = x + (uint32_t)40U; + uint32_t u20 = load32_le(b21); + uint32_t xk20 = u20; + uint32_t ti21 = _t[21U]; + uint32_t + v20 = + vb21 + + + ((va20 + ((vb21 & vd21) | (vc21 & ~vd21)) + xk20 + ti21) + << (uint32_t)9U + | (va20 + ((vb21 & vd21) | (vc21 & ~vd21)) + xk20 + ti21) >> (uint32_t)23U); + abcd[3U] = v20; + uint32_t va21 = abcd[2U]; + uint32_t vb22 = abcd[3U]; + uint32_t vc22 = abcd[0U]; + uint32_t vd22 = abcd[1U]; + uint8_t *b22 = x + (uint32_t)60U; + uint32_t u21 = load32_le(b22); + uint32_t xk21 = u21; + uint32_t ti22 = _t[22U]; + uint32_t + v21 = + vb22 + + + ((va21 + ((vb22 & vd22) | (vc22 & ~vd22)) + xk21 + ti22) + << (uint32_t)14U + | (va21 + ((vb22 & vd22) | (vc22 & ~vd22)) + xk21 + ti22) >> (uint32_t)18U); + abcd[2U] = v21; + uint32_t va22 = abcd[1U]; + uint32_t vb23 = abcd[2U]; + uint32_t vc23 = abcd[3U]; + uint32_t vd23 = abcd[0U]; + uint8_t *b23 = x + (uint32_t)16U; + uint32_t u22 = load32_le(b23); + uint32_t xk22 = u22; + uint32_t ti23 = _t[23U]; + uint32_t + v22 = + vb23 
+ + + ((va22 + ((vb23 & vd23) | (vc23 & ~vd23)) + xk22 + ti23) + << (uint32_t)20U + | (va22 + ((vb23 & vd23) | (vc23 & ~vd23)) + xk22 + ti23) >> (uint32_t)12U); + abcd[1U] = v22; + uint32_t va23 = abcd[0U]; + uint32_t vb24 = abcd[1U]; + uint32_t vc24 = abcd[2U]; + uint32_t vd24 = abcd[3U]; + uint8_t *b24 = x + (uint32_t)36U; + uint32_t u23 = load32_le(b24); + uint32_t xk23 = u23; + uint32_t ti24 = _t[24U]; + uint32_t + v23 = + vb24 + + + ((va23 + ((vb24 & vd24) | (vc24 & ~vd24)) + xk23 + ti24) + << (uint32_t)5U + | (va23 + ((vb24 & vd24) | (vc24 & ~vd24)) + xk23 + ti24) >> (uint32_t)27U); + abcd[0U] = v23; + uint32_t va24 = abcd[3U]; + uint32_t vb25 = abcd[0U]; + uint32_t vc25 = abcd[1U]; + uint32_t vd25 = abcd[2U]; + uint8_t *b25 = x + (uint32_t)56U; + uint32_t u24 = load32_le(b25); + uint32_t xk24 = u24; + uint32_t ti25 = _t[25U]; + uint32_t + v24 = + vb25 + + + ((va24 + ((vb25 & vd25) | (vc25 & ~vd25)) + xk24 + ti25) + << (uint32_t)9U + | (va24 + ((vb25 & vd25) | (vc25 & ~vd25)) + xk24 + ti25) >> (uint32_t)23U); + abcd[3U] = v24; + uint32_t va25 = abcd[2U]; + uint32_t vb26 = abcd[3U]; + uint32_t vc26 = abcd[0U]; + uint32_t vd26 = abcd[1U]; + uint8_t *b26 = x + (uint32_t)12U; + uint32_t u25 = load32_le(b26); + uint32_t xk25 = u25; + uint32_t ti26 = _t[26U]; + uint32_t + v25 = + vb26 + + + ((va25 + ((vb26 & vd26) | (vc26 & ~vd26)) + xk25 + ti26) + << (uint32_t)14U + | (va25 + ((vb26 & vd26) | (vc26 & ~vd26)) + xk25 + ti26) >> (uint32_t)18U); + abcd[2U] = v25; + uint32_t va26 = abcd[1U]; + uint32_t vb27 = abcd[2U]; + uint32_t vc27 = abcd[3U]; + uint32_t vd27 = abcd[0U]; + uint8_t *b27 = x + (uint32_t)32U; + uint32_t u26 = load32_le(b27); + uint32_t xk26 = u26; + uint32_t ti27 = _t[27U]; + uint32_t + v26 = + vb27 + + + ((va26 + ((vb27 & vd27) | (vc27 & ~vd27)) + xk26 + ti27) + << (uint32_t)20U + | (va26 + ((vb27 & vd27) | (vc27 & ~vd27)) + xk26 + ti27) >> (uint32_t)12U); + abcd[1U] = v26; + uint32_t va27 = abcd[0U]; + uint32_t vb28 = abcd[1U]; + uint32_t vc28 = 
abcd[2U]; + uint32_t vd28 = abcd[3U]; + uint8_t *b28 = x + (uint32_t)52U; + uint32_t u27 = load32_le(b28); + uint32_t xk27 = u27; + uint32_t ti28 = _t[28U]; + uint32_t + v27 = + vb28 + + + ((va27 + ((vb28 & vd28) | (vc28 & ~vd28)) + xk27 + ti28) + << (uint32_t)5U + | (va27 + ((vb28 & vd28) | (vc28 & ~vd28)) + xk27 + ti28) >> (uint32_t)27U); + abcd[0U] = v27; + uint32_t va28 = abcd[3U]; + uint32_t vb29 = abcd[0U]; + uint32_t vc29 = abcd[1U]; + uint32_t vd29 = abcd[2U]; + uint8_t *b29 = x + (uint32_t)8U; + uint32_t u28 = load32_le(b29); + uint32_t xk28 = u28; + uint32_t ti29 = _t[29U]; + uint32_t + v28 = + vb29 + + + ((va28 + ((vb29 & vd29) | (vc29 & ~vd29)) + xk28 + ti29) + << (uint32_t)9U + | (va28 + ((vb29 & vd29) | (vc29 & ~vd29)) + xk28 + ti29) >> (uint32_t)23U); + abcd[3U] = v28; + uint32_t va29 = abcd[2U]; + uint32_t vb30 = abcd[3U]; + uint32_t vc30 = abcd[0U]; + uint32_t vd30 = abcd[1U]; + uint8_t *b30 = x + (uint32_t)28U; + uint32_t u29 = load32_le(b30); + uint32_t xk29 = u29; + uint32_t ti30 = _t[30U]; + uint32_t + v29 = + vb30 + + + ((va29 + ((vb30 & vd30) | (vc30 & ~vd30)) + xk29 + ti30) + << (uint32_t)14U + | (va29 + ((vb30 & vd30) | (vc30 & ~vd30)) + xk29 + ti30) >> (uint32_t)18U); + abcd[2U] = v29; + uint32_t va30 = abcd[1U]; + uint32_t vb31 = abcd[2U]; + uint32_t vc31 = abcd[3U]; + uint32_t vd31 = abcd[0U]; + uint8_t *b31 = x + (uint32_t)48U; + uint32_t u30 = load32_le(b31); + uint32_t xk30 = u30; + uint32_t ti31 = _t[31U]; + uint32_t + v30 = + vb31 + + + ((va30 + ((vb31 & vd31) | (vc31 & ~vd31)) + xk30 + ti31) + << (uint32_t)20U + | (va30 + ((vb31 & vd31) | (vc31 & ~vd31)) + xk30 + ti31) >> (uint32_t)12U); + abcd[1U] = v30; + uint32_t va31 = abcd[0U]; + uint32_t vb32 = abcd[1U]; + uint32_t vc32 = abcd[2U]; + uint32_t vd32 = abcd[3U]; + uint8_t *b32 = x + (uint32_t)20U; + uint32_t u31 = load32_le(b32); + uint32_t xk31 = u31; + uint32_t ti32 = _t[32U]; + uint32_t + v31 = + vb32 + + + ((va31 + (vb32 ^ (vc32 ^ vd32)) + xk31 + ti32) + << (uint32_t)4U + | 
(va31 + (vb32 ^ (vc32 ^ vd32)) + xk31 + ti32) >> (uint32_t)28U); + abcd[0U] = v31; + uint32_t va32 = abcd[3U]; + uint32_t vb33 = abcd[0U]; + uint32_t vc33 = abcd[1U]; + uint32_t vd33 = abcd[2U]; + uint8_t *b33 = x + (uint32_t)32U; + uint32_t u32 = load32_le(b33); + uint32_t xk32 = u32; + uint32_t ti33 = _t[33U]; + uint32_t + v32 = + vb33 + + + ((va32 + (vb33 ^ (vc33 ^ vd33)) + xk32 + ti33) + << (uint32_t)11U + | (va32 + (vb33 ^ (vc33 ^ vd33)) + xk32 + ti33) >> (uint32_t)21U); + abcd[3U] = v32; + uint32_t va33 = abcd[2U]; + uint32_t vb34 = abcd[3U]; + uint32_t vc34 = abcd[0U]; + uint32_t vd34 = abcd[1U]; + uint8_t *b34 = x + (uint32_t)44U; + uint32_t u33 = load32_le(b34); + uint32_t xk33 = u33; + uint32_t ti34 = _t[34U]; + uint32_t + v33 = + vb34 + + + ((va33 + (vb34 ^ (vc34 ^ vd34)) + xk33 + ti34) + << (uint32_t)16U + | (va33 + (vb34 ^ (vc34 ^ vd34)) + xk33 + ti34) >> (uint32_t)16U); + abcd[2U] = v33; + uint32_t va34 = abcd[1U]; + uint32_t vb35 = abcd[2U]; + uint32_t vc35 = abcd[3U]; + uint32_t vd35 = abcd[0U]; + uint8_t *b35 = x + (uint32_t)56U; + uint32_t u34 = load32_le(b35); + uint32_t xk34 = u34; + uint32_t ti35 = _t[35U]; + uint32_t + v34 = + vb35 + + + ((va34 + (vb35 ^ (vc35 ^ vd35)) + xk34 + ti35) + << (uint32_t)23U + | (va34 + (vb35 ^ (vc35 ^ vd35)) + xk34 + ti35) >> (uint32_t)9U); + abcd[1U] = v34; + uint32_t va35 = abcd[0U]; + uint32_t vb36 = abcd[1U]; + uint32_t vc36 = abcd[2U]; + uint32_t vd36 = abcd[3U]; + uint8_t *b36 = x + (uint32_t)4U; + uint32_t u35 = load32_le(b36); + uint32_t xk35 = u35; + uint32_t ti36 = _t[36U]; + uint32_t + v35 = + vb36 + + + ((va35 + (vb36 ^ (vc36 ^ vd36)) + xk35 + ti36) + << (uint32_t)4U + | (va35 + (vb36 ^ (vc36 ^ vd36)) + xk35 + ti36) >> (uint32_t)28U); + abcd[0U] = v35; + uint32_t va36 = abcd[3U]; + uint32_t vb37 = abcd[0U]; + uint32_t vc37 = abcd[1U]; + uint32_t vd37 = abcd[2U]; + uint8_t *b37 = x + (uint32_t)16U; + uint32_t u36 = load32_le(b37); + uint32_t xk36 = u36; + uint32_t ti37 = _t[37U]; + uint32_t + v36 = + 
vb37 + + + ((va36 + (vb37 ^ (vc37 ^ vd37)) + xk36 + ti37) + << (uint32_t)11U + | (va36 + (vb37 ^ (vc37 ^ vd37)) + xk36 + ti37) >> (uint32_t)21U); + abcd[3U] = v36; + uint32_t va37 = abcd[2U]; + uint32_t vb38 = abcd[3U]; + uint32_t vc38 = abcd[0U]; + uint32_t vd38 = abcd[1U]; + uint8_t *b38 = x + (uint32_t)28U; + uint32_t u37 = load32_le(b38); + uint32_t xk37 = u37; + uint32_t ti38 = _t[38U]; + uint32_t + v37 = + vb38 + + + ((va37 + (vb38 ^ (vc38 ^ vd38)) + xk37 + ti38) + << (uint32_t)16U + | (va37 + (vb38 ^ (vc38 ^ vd38)) + xk37 + ti38) >> (uint32_t)16U); + abcd[2U] = v37; + uint32_t va38 = abcd[1U]; + uint32_t vb39 = abcd[2U]; + uint32_t vc39 = abcd[3U]; + uint32_t vd39 = abcd[0U]; + uint8_t *b39 = x + (uint32_t)40U; + uint32_t u38 = load32_le(b39); + uint32_t xk38 = u38; + uint32_t ti39 = _t[39U]; + uint32_t + v38 = + vb39 + + + ((va38 + (vb39 ^ (vc39 ^ vd39)) + xk38 + ti39) + << (uint32_t)23U + | (va38 + (vb39 ^ (vc39 ^ vd39)) + xk38 + ti39) >> (uint32_t)9U); + abcd[1U] = v38; + uint32_t va39 = abcd[0U]; + uint32_t vb40 = abcd[1U]; + uint32_t vc40 = abcd[2U]; + uint32_t vd40 = abcd[3U]; + uint8_t *b40 = x + (uint32_t)52U; + uint32_t u39 = load32_le(b40); + uint32_t xk39 = u39; + uint32_t ti40 = _t[40U]; + uint32_t + v39 = + vb40 + + + ((va39 + (vb40 ^ (vc40 ^ vd40)) + xk39 + ti40) + << (uint32_t)4U + | (va39 + (vb40 ^ (vc40 ^ vd40)) + xk39 + ti40) >> (uint32_t)28U); + abcd[0U] = v39; + uint32_t va40 = abcd[3U]; + uint32_t vb41 = abcd[0U]; + uint32_t vc41 = abcd[1U]; + uint32_t vd41 = abcd[2U]; + uint8_t *b41 = x; + uint32_t u40 = load32_le(b41); + uint32_t xk40 = u40; + uint32_t ti41 = _t[41U]; + uint32_t + v40 = + vb41 + + + ((va40 + (vb41 ^ (vc41 ^ vd41)) + xk40 + ti41) + << (uint32_t)11U + | (va40 + (vb41 ^ (vc41 ^ vd41)) + xk40 + ti41) >> (uint32_t)21U); + abcd[3U] = v40; + uint32_t va41 = abcd[2U]; + uint32_t vb42 = abcd[3U]; + uint32_t vc42 = abcd[0U]; + uint32_t vd42 = abcd[1U]; + uint8_t *b42 = x + (uint32_t)12U; + uint32_t u41 = load32_le(b42); + 
uint32_t xk41 = u41; + uint32_t ti42 = _t[42U]; + uint32_t + v41 = + vb42 + + + ((va41 + (vb42 ^ (vc42 ^ vd42)) + xk41 + ti42) + << (uint32_t)16U + | (va41 + (vb42 ^ (vc42 ^ vd42)) + xk41 + ti42) >> (uint32_t)16U); + abcd[2U] = v41; + uint32_t va42 = abcd[1U]; + uint32_t vb43 = abcd[2U]; + uint32_t vc43 = abcd[3U]; + uint32_t vd43 = abcd[0U]; + uint8_t *b43 = x + (uint32_t)24U; + uint32_t u42 = load32_le(b43); + uint32_t xk42 = u42; + uint32_t ti43 = _t[43U]; + uint32_t + v42 = + vb43 + + + ((va42 + (vb43 ^ (vc43 ^ vd43)) + xk42 + ti43) + << (uint32_t)23U + | (va42 + (vb43 ^ (vc43 ^ vd43)) + xk42 + ti43) >> (uint32_t)9U); + abcd[1U] = v42; + uint32_t va43 = abcd[0U]; + uint32_t vb44 = abcd[1U]; + uint32_t vc44 = abcd[2U]; + uint32_t vd44 = abcd[3U]; + uint8_t *b44 = x + (uint32_t)36U; + uint32_t u43 = load32_le(b44); + uint32_t xk43 = u43; + uint32_t ti44 = _t[44U]; + uint32_t + v43 = + vb44 + + + ((va43 + (vb44 ^ (vc44 ^ vd44)) + xk43 + ti44) + << (uint32_t)4U + | (va43 + (vb44 ^ (vc44 ^ vd44)) + xk43 + ti44) >> (uint32_t)28U); + abcd[0U] = v43; + uint32_t va44 = abcd[3U]; + uint32_t vb45 = abcd[0U]; + uint32_t vc45 = abcd[1U]; + uint32_t vd45 = abcd[2U]; + uint8_t *b45 = x + (uint32_t)48U; + uint32_t u44 = load32_le(b45); + uint32_t xk44 = u44; + uint32_t ti45 = _t[45U]; + uint32_t + v44 = + vb45 + + + ((va44 + (vb45 ^ (vc45 ^ vd45)) + xk44 + ti45) + << (uint32_t)11U + | (va44 + (vb45 ^ (vc45 ^ vd45)) + xk44 + ti45) >> (uint32_t)21U); + abcd[3U] = v44; + uint32_t va45 = abcd[2U]; + uint32_t vb46 = abcd[3U]; + uint32_t vc46 = abcd[0U]; + uint32_t vd46 = abcd[1U]; + uint8_t *b46 = x + (uint32_t)60U; + uint32_t u45 = load32_le(b46); + uint32_t xk45 = u45; + uint32_t ti46 = _t[46U]; + uint32_t + v45 = + vb46 + + + ((va45 + (vb46 ^ (vc46 ^ vd46)) + xk45 + ti46) + << (uint32_t)16U + | (va45 + (vb46 ^ (vc46 ^ vd46)) + xk45 + ti46) >> (uint32_t)16U); + abcd[2U] = v45; + uint32_t va46 = abcd[1U]; + uint32_t vb47 = abcd[2U]; + uint32_t vc47 = abcd[3U]; + uint32_t vd47 = 
abcd[0U]; + uint8_t *b47 = x + (uint32_t)8U; + uint32_t u46 = load32_le(b47); + uint32_t xk46 = u46; + uint32_t ti47 = _t[47U]; + uint32_t + v46 = + vb47 + + + ((va46 + (vb47 ^ (vc47 ^ vd47)) + xk46 + ti47) + << (uint32_t)23U + | (va46 + (vb47 ^ (vc47 ^ vd47)) + xk46 + ti47) >> (uint32_t)9U); + abcd[1U] = v46; + uint32_t va47 = abcd[0U]; + uint32_t vb48 = abcd[1U]; + uint32_t vc48 = abcd[2U]; + uint32_t vd48 = abcd[3U]; + uint8_t *b48 = x; + uint32_t u47 = load32_le(b48); + uint32_t xk47 = u47; + uint32_t ti48 = _t[48U]; + uint32_t + v47 = + vb48 + + + ((va47 + (vc48 ^ (vb48 | ~vd48)) + xk47 + ti48) + << (uint32_t)6U + | (va47 + (vc48 ^ (vb48 | ~vd48)) + xk47 + ti48) >> (uint32_t)26U); + abcd[0U] = v47; + uint32_t va48 = abcd[3U]; + uint32_t vb49 = abcd[0U]; + uint32_t vc49 = abcd[1U]; + uint32_t vd49 = abcd[2U]; + uint8_t *b49 = x + (uint32_t)28U; + uint32_t u48 = load32_le(b49); + uint32_t xk48 = u48; + uint32_t ti49 = _t[49U]; + uint32_t + v48 = + vb49 + + + ((va48 + (vc49 ^ (vb49 | ~vd49)) + xk48 + ti49) + << (uint32_t)10U + | (va48 + (vc49 ^ (vb49 | ~vd49)) + xk48 + ti49) >> (uint32_t)22U); + abcd[3U] = v48; + uint32_t va49 = abcd[2U]; + uint32_t vb50 = abcd[3U]; + uint32_t vc50 = abcd[0U]; + uint32_t vd50 = abcd[1U]; + uint8_t *b50 = x + (uint32_t)56U; + uint32_t u49 = load32_le(b50); + uint32_t xk49 = u49; + uint32_t ti50 = _t[50U]; + uint32_t + v49 = + vb50 + + + ((va49 + (vc50 ^ (vb50 | ~vd50)) + xk49 + ti50) + << (uint32_t)15U + | (va49 + (vc50 ^ (vb50 | ~vd50)) + xk49 + ti50) >> (uint32_t)17U); + abcd[2U] = v49; + uint32_t va50 = abcd[1U]; + uint32_t vb51 = abcd[2U]; + uint32_t vc51 = abcd[3U]; + uint32_t vd51 = abcd[0U]; + uint8_t *b51 = x + (uint32_t)20U; + uint32_t u50 = load32_le(b51); + uint32_t xk50 = u50; + uint32_t ti51 = _t[51U]; + uint32_t + v50 = + vb51 + + + ((va50 + (vc51 ^ (vb51 | ~vd51)) + xk50 + ti51) + << (uint32_t)21U + | (va50 + (vc51 ^ (vb51 | ~vd51)) + xk50 + ti51) >> (uint32_t)11U); + abcd[1U] = v50; + uint32_t va51 = abcd[0U]; + 
uint32_t vb52 = abcd[1U]; + uint32_t vc52 = abcd[2U]; + uint32_t vd52 = abcd[3U]; + uint8_t *b52 = x + (uint32_t)48U; + uint32_t u51 = load32_le(b52); + uint32_t xk51 = u51; + uint32_t ti52 = _t[52U]; + uint32_t + v51 = + vb52 + + + ((va51 + (vc52 ^ (vb52 | ~vd52)) + xk51 + ti52) + << (uint32_t)6U + | (va51 + (vc52 ^ (vb52 | ~vd52)) + xk51 + ti52) >> (uint32_t)26U); + abcd[0U] = v51; + uint32_t va52 = abcd[3U]; + uint32_t vb53 = abcd[0U]; + uint32_t vc53 = abcd[1U]; + uint32_t vd53 = abcd[2U]; + uint8_t *b53 = x + (uint32_t)12U; + uint32_t u52 = load32_le(b53); + uint32_t xk52 = u52; + uint32_t ti53 = _t[53U]; + uint32_t + v52 = + vb53 + + + ((va52 + (vc53 ^ (vb53 | ~vd53)) + xk52 + ti53) + << (uint32_t)10U + | (va52 + (vc53 ^ (vb53 | ~vd53)) + xk52 + ti53) >> (uint32_t)22U); + abcd[3U] = v52; + uint32_t va53 = abcd[2U]; + uint32_t vb54 = abcd[3U]; + uint32_t vc54 = abcd[0U]; + uint32_t vd54 = abcd[1U]; + uint8_t *b54 = x + (uint32_t)40U; + uint32_t u53 = load32_le(b54); + uint32_t xk53 = u53; + uint32_t ti54 = _t[54U]; + uint32_t + v53 = + vb54 + + + ((va53 + (vc54 ^ (vb54 | ~vd54)) + xk53 + ti54) + << (uint32_t)15U + | (va53 + (vc54 ^ (vb54 | ~vd54)) + xk53 + ti54) >> (uint32_t)17U); + abcd[2U] = v53; + uint32_t va54 = abcd[1U]; + uint32_t vb55 = abcd[2U]; + uint32_t vc55 = abcd[3U]; + uint32_t vd55 = abcd[0U]; + uint8_t *b55 = x + (uint32_t)4U; + uint32_t u54 = load32_le(b55); + uint32_t xk54 = u54; + uint32_t ti55 = _t[55U]; + uint32_t + v54 = + vb55 + + + ((va54 + (vc55 ^ (vb55 | ~vd55)) + xk54 + ti55) + << (uint32_t)21U + | (va54 + (vc55 ^ (vb55 | ~vd55)) + xk54 + ti55) >> (uint32_t)11U); + abcd[1U] = v54; + uint32_t va55 = abcd[0U]; + uint32_t vb56 = abcd[1U]; + uint32_t vc56 = abcd[2U]; + uint32_t vd56 = abcd[3U]; + uint8_t *b56 = x + (uint32_t)32U; + uint32_t u55 = load32_le(b56); + uint32_t xk55 = u55; + uint32_t ti56 = _t[56U]; + uint32_t + v55 = + vb56 + + + ((va55 + (vc56 ^ (vb56 | ~vd56)) + xk55 + ti56) + << (uint32_t)6U + | (va55 + (vc56 ^ (vb56 | 
~vd56)) + xk55 + ti56) >> (uint32_t)26U); + abcd[0U] = v55; + uint32_t va56 = abcd[3U]; + uint32_t vb57 = abcd[0U]; + uint32_t vc57 = abcd[1U]; + uint32_t vd57 = abcd[2U]; + uint8_t *b57 = x + (uint32_t)60U; + uint32_t u56 = load32_le(b57); + uint32_t xk56 = u56; + uint32_t ti57 = _t[57U]; + uint32_t + v56 = + vb57 + + + ((va56 + (vc57 ^ (vb57 | ~vd57)) + xk56 + ti57) + << (uint32_t)10U + | (va56 + (vc57 ^ (vb57 | ~vd57)) + xk56 + ti57) >> (uint32_t)22U); + abcd[3U] = v56; + uint32_t va57 = abcd[2U]; + uint32_t vb58 = abcd[3U]; + uint32_t vc58 = abcd[0U]; + uint32_t vd58 = abcd[1U]; + uint8_t *b58 = x + (uint32_t)24U; + uint32_t u57 = load32_le(b58); + uint32_t xk57 = u57; + uint32_t ti58 = _t[58U]; + uint32_t + v57 = + vb58 + + + ((va57 + (vc58 ^ (vb58 | ~vd58)) + xk57 + ti58) + << (uint32_t)15U + | (va57 + (vc58 ^ (vb58 | ~vd58)) + xk57 + ti58) >> (uint32_t)17U); + abcd[2U] = v57; + uint32_t va58 = abcd[1U]; + uint32_t vb59 = abcd[2U]; + uint32_t vc59 = abcd[3U]; + uint32_t vd59 = abcd[0U]; + uint8_t *b59 = x + (uint32_t)52U; + uint32_t u58 = load32_le(b59); + uint32_t xk58 = u58; + uint32_t ti59 = _t[59U]; + uint32_t + v58 = + vb59 + + + ((va58 + (vc59 ^ (vb59 | ~vd59)) + xk58 + ti59) + << (uint32_t)21U + | (va58 + (vc59 ^ (vb59 | ~vd59)) + xk58 + ti59) >> (uint32_t)11U); + abcd[1U] = v58; + uint32_t va59 = abcd[0U]; + uint32_t vb60 = abcd[1U]; + uint32_t vc60 = abcd[2U]; + uint32_t vd60 = abcd[3U]; + uint8_t *b60 = x + (uint32_t)16U; + uint32_t u59 = load32_le(b60); + uint32_t xk59 = u59; + uint32_t ti60 = _t[60U]; + uint32_t + v59 = + vb60 + + + ((va59 + (vc60 ^ (vb60 | ~vd60)) + xk59 + ti60) + << (uint32_t)6U + | (va59 + (vc60 ^ (vb60 | ~vd60)) + xk59 + ti60) >> (uint32_t)26U); + abcd[0U] = v59; + uint32_t va60 = abcd[3U]; + uint32_t vb61 = abcd[0U]; + uint32_t vc61 = abcd[1U]; + uint32_t vd61 = abcd[2U]; + uint8_t *b61 = x + (uint32_t)44U; + uint32_t u60 = load32_le(b61); + uint32_t xk60 = u60; + uint32_t ti61 = _t[61U]; + uint32_t + v60 = + vb61 + + + 
((va60 + (vc61 ^ (vb61 | ~vd61)) + xk60 + ti61) + << (uint32_t)10U + | (va60 + (vc61 ^ (vb61 | ~vd61)) + xk60 + ti61) >> (uint32_t)22U); + abcd[3U] = v60; + uint32_t va61 = abcd[2U]; + uint32_t vb62 = abcd[3U]; + uint32_t vc62 = abcd[0U]; + uint32_t vd62 = abcd[1U]; + uint8_t *b62 = x + (uint32_t)8U; + uint32_t u61 = load32_le(b62); + uint32_t xk61 = u61; + uint32_t ti62 = _t[62U]; + uint32_t + v61 = + vb62 + + + ((va61 + (vc62 ^ (vb62 | ~vd62)) + xk61 + ti62) + << (uint32_t)15U + | (va61 + (vc62 ^ (vb62 | ~vd62)) + xk61 + ti62) >> (uint32_t)17U); + abcd[2U] = v61; + uint32_t va62 = abcd[1U]; + uint32_t vb = abcd[2U]; + uint32_t vc = abcd[3U]; + uint32_t vd = abcd[0U]; + uint8_t *b63 = x + (uint32_t)36U; + uint32_t u62 = load32_le(b63); + uint32_t xk62 = u62; + uint32_t ti = _t[63U]; + uint32_t + v62 = + vb + + + ((va62 + (vc ^ (vb | ~vd)) + xk62 + ti) + << (uint32_t)21U + | (va62 + (vc ^ (vb | ~vd)) + xk62 + ti) >> (uint32_t)11U); + abcd[1U] = v62; + uint32_t a = abcd[0U]; + uint32_t b = abcd[1U]; + uint32_t c = abcd[2U]; + uint32_t d = abcd[3U]; + abcd[0U] = a + aa; + abcd[1U] = b + bb; + abcd[2U] = c + cc; + abcd[3U] = d + dd; +} + +static void legacy_pad(uint64_t len, uint8_t *dst) +{ + uint8_t *dst1 = dst; + dst1[0U] = (uint8_t)0x80U; + uint8_t *dst2 = dst + (uint32_t)1U; + for + (uint32_t + i = (uint32_t)0U; + i + < ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(len % (uint64_t)(uint32_t)64U))) % (uint32_t)64U; + i++) + { + dst2[i] = (uint8_t)0U; + } + uint8_t + *dst3 = + dst + + + (uint32_t)1U + + + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U; + store64_le(dst3, len << (uint32_t)3U); +} + +void Hacl_Hash_Core_MD5_legacy_finish(uint32_t *s, uint8_t *dst) +{ + uint32_t *uu____0 = s; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + store32_le(dst + i * (uint32_t)4U, uu____0[i]); + } +} + +void Hacl_Hash_MD5_legacy_update_multi(uint32_t *s, uint8_t *blocks, uint32_t n_blocks) +{ + for (uint32_t i = 
(uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)64U; + uint8_t *block = blocks + sz * i; + Hacl_Hash_Core_MD5_legacy_update(s, block); + } +} + +void +Hacl_Hash_MD5_legacy_update_last( + uint32_t *s, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)64U; + uint32_t blocks_len = blocks_n * (uint32_t)64U; + uint8_t *blocks = input; + uint32_t rest_len = input_len - blocks_len; + uint8_t *rest = input + blocks_len; + Hacl_Hash_MD5_legacy_update_multi(s, blocks, blocks_n); + uint64_t total_input_len = prev_len + (uint64_t)input_len; + uint32_t + pad_len = + (uint32_t)1U + + + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(total_input_len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U + + (uint32_t)8U; + uint32_t tmp_len = rest_len + pad_len; + uint8_t tmp_twoblocks[128U] = { 0U }; + uint8_t *tmp = tmp_twoblocks; + uint8_t *tmp_rest = tmp; + uint8_t *tmp_pad = tmp + rest_len; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + legacy_pad(total_input_len, tmp_pad); + Hacl_Hash_MD5_legacy_update_multi(s, tmp, tmp_len / (uint32_t)64U); +} + +typedef uint32_t *___uint32_t____; + +void Hacl_Hash_MD5_legacy_hash(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + uint32_t + scrut[4U] = + { (uint32_t)0x67452301U, (uint32_t)0xefcdab89U, (uint32_t)0x98badcfeU, (uint32_t)0x10325476U }; + uint32_t *s = scrut; + uint32_t blocks_n0 = input_len / (uint32_t)64U; + uint32_t blocks_n1; + if (input_len % (uint32_t)64U == (uint32_t)0U && blocks_n0 > (uint32_t)0U) + { + blocks_n1 = blocks_n0 - (uint32_t)1U; + } + else + { + blocks_n1 = blocks_n0; + } + uint32_t blocks_len0 = blocks_n1 * (uint32_t)64U; + uint8_t *blocks0 = input; + uint32_t rest_len0 = input_len - blocks_len0; + uint8_t *rest0 = input + blocks_len0; + uint32_t blocks_n = blocks_n1; + uint32_t blocks_len = blocks_len0; + uint8_t *blocks = blocks0; + uint32_t rest_len = rest_len0; + uint8_t *rest = rest0; + Hacl_Hash_MD5_legacy_update_multi(s, 
blocks, blocks_n); + Hacl_Hash_MD5_legacy_update_last(s, (uint64_t)blocks_len, rest, rest_len); + Hacl_Hash_Core_MD5_legacy_finish(s, dst); +} + diff --git a/src/msvc/Hacl_Hash_SHA1.c b/src/msvc/Hacl_Hash_SHA1.c new file mode 100644 index 00000000..2d581ad1 --- /dev/null +++ b/src/msvc/Hacl_Hash_SHA1.c 
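Review bot: `Hacl_Hash_MD5_legacy_update_last` writes the padded tail into a fixed `uint8_t tmp_twoblocks[128U]`, but nothing in the C enforces that `prev_len` is a multiple of 64: `rest_len` can be up to 63 and `pad_len` up to 72, so for example `prev_len = 57, input_len = 63` gives `total_input_len = 120`, `pad_len = 72`, `tmp_len = 135`, and the `store64_le` in `legacy_pad` lands at `tmp + 127` and writes seven bytes past the buffer. The in-file caller `Hacl_Hash_MD5_legacy_hash` passes `(uint64_t)blocks_len`, always a 64-multiple, so only external callers are exposed, and the F* precondition presumably rules it out, but since this looks like extracted code the caveat should be visible where C callers read it, e.g. above the definition: `/* Precondition (not checked here): prev_len % 64 == 0; the 128-byte tmp_twoblocks buffer can overflow otherwise. */`. Separately, `_h0` and `_t` are writable `static uint32_t` tables of fixed constants; `static const` would let the toolchain place them in read-only memory so a stray write to the round constants faults instead of silently producing wrong digests. Both changes belong in the generator/source rather than in this generated file, and the same pattern likely applies to the sibling hash files in this commit.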
@@ -0,0 +1,243 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Hash_SHA1.h" + + + +static uint32_t +_h0[5U] = + { + (uint32_t)0x67452301U, (uint32_t)0xefcdab89U, (uint32_t)0x98badcfeU, (uint32_t)0x10325476U, + (uint32_t)0xc3d2e1f0U + }; + +void Hacl_Hash_Core_SHA1_legacy_init(uint32_t *s) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)5U; i++) + { + s[i] = _h0[i]; + } +} + +void Hacl_Hash_Core_SHA1_legacy_update(uint32_t *h, uint8_t *l) +{ + uint32_t ha = h[0U]; + uint32_t hb = h[1U]; + uint32_t hc = h[2U]; + uint32_t hd = h[3U]; + uint32_t he = h[4U]; + uint32_t _w[80U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)80U; i++) + { + uint32_t v; + if (i < (uint32_t)16U) + { + uint8_t *b = l + i * (uint32_t)4U; + uint32_t u = load32_be(b); + v = u; + } + else + { + uint32_t wmit3 = _w[i - (uint32_t)3U]; + uint32_t wmit8 = _w[i - (uint32_t)8U]; + uint32_t wmit14 = _w[i - (uint32_t)14U]; + uint32_t wmit16 = _w[i - (uint32_t)16U]; + v = + (wmit3 ^ (wmit8 ^ (wmit14 ^ wmit16))) + << (uint32_t)1U + | (wmit3 ^ (wmit8 ^ (wmit14 ^ wmit16))) >> (uint32_t)31U; + } + _w[i] = v; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)80U; i++) + { + uint32_t _a = h[0U]; + uint32_t _b = h[1U]; + uint32_t _c = h[2U]; + uint32_t _d = h[3U]; + uint32_t _e = h[4U]; + uint32_t wmit = _w[i]; + uint32_t ite0; + if (i < (uint32_t)20U) + { + ite0 = (_b & _c) ^ (~_b & _d); + } + else if ((uint32_t)39U < i && i < (uint32_t)60U) + { + ite0 = (_b & _c) ^ ((_b & _d) ^ (_c & _d)); + } + else + { + ite0 = _b ^ (_c ^ _d); + } + uint32_t ite; + if (i < (uint32_t)20U) + { + ite = (uint32_t)0x5a827999U; + } + else if (i < (uint32_t)40U) + { + ite = (uint32_t)0x6ed9eba1U; + } + else if (i < (uint32_t)60U) + { + ite = (uint32_t)0x8f1bbcdcU; + } + else + { + ite = (uint32_t)0xca62c1d6U; + } + uint32_t _T = (_a << (uint32_t)5U | _a >> (uint32_t)27U) + ite0 + _e + ite + wmit; + h[0U] = _T; + h[1U] = _a; + h[2U] = _b << (uint32_t)30U | _b >> (uint32_t)2U; + h[3U] = _c; + h[4U] = _d; + } + for (uint32_t i = (uint32_t)0U; i < 
(uint32_t)80U; i++) + { + _w[i] = (uint32_t)0U; + } + uint32_t sta = h[0U]; + uint32_t stb = h[1U]; + uint32_t stc = h[2U]; + uint32_t std = h[3U]; + uint32_t ste = h[4U]; + h[0U] = sta + ha; + h[1U] = stb + hb; + h[2U] = stc + hc; + h[3U] = std + hd; + h[4U] = ste + he; +} + +static void legacy_pad(uint64_t len, uint8_t *dst) +{ + uint8_t *dst1 = dst; + dst1[0U] = (uint8_t)0x80U; + uint8_t *dst2 = dst + (uint32_t)1U; + for + (uint32_t + i = (uint32_t)0U; + i + < ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(len % (uint64_t)(uint32_t)64U))) % (uint32_t)64U; + i++) + { + dst2[i] = (uint8_t)0U; + } + uint8_t + *dst3 = + dst + + + (uint32_t)1U + + + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U; + store64_be(dst3, len << (uint32_t)3U); +} + +void Hacl_Hash_Core_SHA1_legacy_finish(uint32_t *s, uint8_t *dst) +{ + uint32_t *uu____0 = s; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)5U; i++) + { + store32_be(dst + i * (uint32_t)4U, uu____0[i]); + } +} + +void Hacl_Hash_SHA1_legacy_update_multi(uint32_t *s, uint8_t *blocks, uint32_t n_blocks) +{ + for (uint32_t i = (uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)64U; + uint8_t *block = blocks + sz * i; + Hacl_Hash_Core_SHA1_legacy_update(s, block); + } +} + +void +Hacl_Hash_SHA1_legacy_update_last( + uint32_t *s, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)64U; + uint32_t blocks_len = blocks_n * (uint32_t)64U; + uint8_t *blocks = input; + uint32_t rest_len = input_len - blocks_len; + uint8_t *rest = input + blocks_len; + Hacl_Hash_SHA1_legacy_update_multi(s, blocks, blocks_n); + uint64_t total_input_len = prev_len + (uint64_t)input_len; + uint32_t + pad_len = + (uint32_t)1U + + + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(total_input_len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U + + (uint32_t)8U; + uint32_t tmp_len = rest_len + pad_len; + uint8_t tmp_twoblocks[128U] = { 0U }; + uint8_t 
*tmp = tmp_twoblocks; + uint8_t *tmp_rest = tmp; + uint8_t *tmp_pad = tmp + rest_len; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + legacy_pad(total_input_len, tmp_pad); + Hacl_Hash_SHA1_legacy_update_multi(s, tmp, tmp_len / (uint32_t)64U); +} + +void Hacl_Hash_SHA1_legacy_hash(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + uint32_t + scrut[5U] = + { + (uint32_t)0x67452301U, (uint32_t)0xefcdab89U, (uint32_t)0x98badcfeU, (uint32_t)0x10325476U, + (uint32_t)0xc3d2e1f0U + }; + uint32_t *s = scrut; + uint32_t blocks_n0 = input_len / (uint32_t)64U; + uint32_t blocks_n1; + if (input_len % (uint32_t)64U == (uint32_t)0U && blocks_n0 > (uint32_t)0U) + { + blocks_n1 = blocks_n0 - (uint32_t)1U; + } + else + { + blocks_n1 = blocks_n0; + } + uint32_t blocks_len0 = blocks_n1 * (uint32_t)64U; + uint8_t *blocks0 = input; + uint32_t rest_len0 = input_len - blocks_len0; + uint8_t *rest0 = input + blocks_len0; + uint32_t blocks_n = blocks_n1; + uint32_t blocks_len = blocks_len0; + uint8_t *blocks = blocks0; + uint32_t rest_len = rest_len0; + uint8_t *rest = rest0; + Hacl_Hash_SHA1_legacy_update_multi(s, blocks, blocks_n); + Hacl_Hash_SHA1_legacy_update_last(s, (uint64_t)blocks_len, rest, rest_len); + Hacl_Hash_Core_SHA1_legacy_finish(s, dst); +} + diff --git a/src/msvc/Hacl_Hash_SHA2.c b/src/msvc/Hacl_Hash_SHA2.c new file mode 100644 index 00000000..8de9eaa0 --- /dev/null +++ b/src/msvc/Hacl_Hash_SHA2.c 
@@ -0,0 +1,915 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Hash_SHA2.h" + + + +static uint32_t +h224[8U] = + { + (uint32_t)0xc1059ed8U, (uint32_t)0x367cd507U, (uint32_t)0x3070dd17U, (uint32_t)0xf70e5939U, + (uint32_t)0xffc00b31U, (uint32_t)0x68581511U, (uint32_t)0x64f98fa7U, (uint32_t)0xbefa4fa4U + }; + +static uint32_t +h256[8U] = + { + (uint32_t)0x6a09e667U, (uint32_t)0xbb67ae85U, (uint32_t)0x3c6ef372U, (uint32_t)0xa54ff53aU, + (uint32_t)0x510e527fU, (uint32_t)0x9b05688cU, (uint32_t)0x1f83d9abU, (uint32_t)0x5be0cd19U + }; + +static uint64_t +h384[8U] = + { + (uint64_t)0xcbbb9d5dc1059ed8U, (uint64_t)0x629a292a367cd507U, (uint64_t)0x9159015a3070dd17U, + (uint64_t)0x152fecd8f70e5939U, (uint64_t)0x67332667ffc00b31U, (uint64_t)0x8eb44a8768581511U, + (uint64_t)0xdb0c2e0d64f98fa7U, (uint64_t)0x47b5481dbefa4fa4U + }; + +static uint64_t +h512[8U] = + { + (uint64_t)0x6a09e667f3bcc908U, (uint64_t)0xbb67ae8584caa73bU, (uint64_t)0x3c6ef372fe94f82bU, + (uint64_t)0xa54ff53a5f1d36f1U, (uint64_t)0x510e527fade682d1U, (uint64_t)0x9b05688c2b3e6c1fU, + (uint64_t)0x1f83d9abfb41bd6bU, (uint64_t)0x5be0cd19137e2179U + }; + +static uint32_t +k224_256[64U] = + { + (uint32_t)0x428a2f98U, (uint32_t)0x71374491U, (uint32_t)0xb5c0fbcfU, (uint32_t)0xe9b5dba5U, + (uint32_t)0x3956c25bU, (uint32_t)0x59f111f1U, (uint32_t)0x923f82a4U, (uint32_t)0xab1c5ed5U, + (uint32_t)0xd807aa98U, (uint32_t)0x12835b01U, (uint32_t)0x243185beU, (uint32_t)0x550c7dc3U, + (uint32_t)0x72be5d74U, (uint32_t)0x80deb1feU, (uint32_t)0x9bdc06a7U, (uint32_t)0xc19bf174U, + (uint32_t)0xe49b69c1U, (uint32_t)0xefbe4786U, (uint32_t)0x0fc19dc6U, (uint32_t)0x240ca1ccU, + (uint32_t)0x2de92c6fU, (uint32_t)0x4a7484aaU, (uint32_t)0x5cb0a9dcU, (uint32_t)0x76f988daU, + (uint32_t)0x983e5152U, (uint32_t)0xa831c66dU, (uint32_t)0xb00327c8U, (uint32_t)0xbf597fc7U, + (uint32_t)0xc6e00bf3U, (uint32_t)0xd5a79147U, (uint32_t)0x06ca6351U, (uint32_t)0x14292967U, + (uint32_t)0x27b70a85U, (uint32_t)0x2e1b2138U, (uint32_t)0x4d2c6dfcU, (uint32_t)0x53380d13U, + 
(uint32_t)0x650a7354U, (uint32_t)0x766a0abbU, (uint32_t)0x81c2c92eU, (uint32_t)0x92722c85U, + (uint32_t)0xa2bfe8a1U, (uint32_t)0xa81a664bU, (uint32_t)0xc24b8b70U, (uint32_t)0xc76c51a3U, + (uint32_t)0xd192e819U, (uint32_t)0xd6990624U, (uint32_t)0xf40e3585U, (uint32_t)0x106aa070U, + (uint32_t)0x19a4c116U, (uint32_t)0x1e376c08U, (uint32_t)0x2748774cU, (uint32_t)0x34b0bcb5U, + (uint32_t)0x391c0cb3U, (uint32_t)0x4ed8aa4aU, (uint32_t)0x5b9cca4fU, (uint32_t)0x682e6ff3U, + (uint32_t)0x748f82eeU, (uint32_t)0x78a5636fU, (uint32_t)0x84c87814U, (uint32_t)0x8cc70208U, + (uint32_t)0x90befffaU, (uint32_t)0xa4506cebU, (uint32_t)0xbef9a3f7U, (uint32_t)0xc67178f2U + }; + +static uint64_t +k384_512[80U] = + { + (uint64_t)0x428a2f98d728ae22U, (uint64_t)0x7137449123ef65cdU, (uint64_t)0xb5c0fbcfec4d3b2fU, + (uint64_t)0xe9b5dba58189dbbcU, (uint64_t)0x3956c25bf348b538U, (uint64_t)0x59f111f1b605d019U, + (uint64_t)0x923f82a4af194f9bU, (uint64_t)0xab1c5ed5da6d8118U, (uint64_t)0xd807aa98a3030242U, + (uint64_t)0x12835b0145706fbeU, (uint64_t)0x243185be4ee4b28cU, (uint64_t)0x550c7dc3d5ffb4e2U, + (uint64_t)0x72be5d74f27b896fU, (uint64_t)0x80deb1fe3b1696b1U, (uint64_t)0x9bdc06a725c71235U, + (uint64_t)0xc19bf174cf692694U, (uint64_t)0xe49b69c19ef14ad2U, (uint64_t)0xefbe4786384f25e3U, + (uint64_t)0x0fc19dc68b8cd5b5U, (uint64_t)0x240ca1cc77ac9c65U, (uint64_t)0x2de92c6f592b0275U, + (uint64_t)0x4a7484aa6ea6e483U, (uint64_t)0x5cb0a9dcbd41fbd4U, (uint64_t)0x76f988da831153b5U, + (uint64_t)0x983e5152ee66dfabU, (uint64_t)0xa831c66d2db43210U, (uint64_t)0xb00327c898fb213fU, + (uint64_t)0xbf597fc7beef0ee4U, (uint64_t)0xc6e00bf33da88fc2U, (uint64_t)0xd5a79147930aa725U, + (uint64_t)0x06ca6351e003826fU, (uint64_t)0x142929670a0e6e70U, (uint64_t)0x27b70a8546d22ffcU, + (uint64_t)0x2e1b21385c26c926U, (uint64_t)0x4d2c6dfc5ac42aedU, (uint64_t)0x53380d139d95b3dfU, + (uint64_t)0x650a73548baf63deU, (uint64_t)0x766a0abb3c77b2a8U, (uint64_t)0x81c2c92e47edaee6U, + (uint64_t)0x92722c851482353bU, (uint64_t)0xa2bfe8a14cf10364U, 
(uint64_t)0xa81a664bbc423001U, + (uint64_t)0xc24b8b70d0f89791U, (uint64_t)0xc76c51a30654be30U, (uint64_t)0xd192e819d6ef5218U, + (uint64_t)0xd69906245565a910U, (uint64_t)0xf40e35855771202aU, (uint64_t)0x106aa07032bbd1b8U, + (uint64_t)0x19a4c116b8d2d0c8U, (uint64_t)0x1e376c085141ab53U, (uint64_t)0x2748774cdf8eeb99U, + (uint64_t)0x34b0bcb5e19b48a8U, (uint64_t)0x391c0cb3c5c95a63U, (uint64_t)0x4ed8aa4ae3418acbU, + (uint64_t)0x5b9cca4f7763e373U, (uint64_t)0x682e6ff3d6b2b8a3U, (uint64_t)0x748f82ee5defb2fcU, + (uint64_t)0x78a5636f43172f60U, (uint64_t)0x84c87814a1f0ab72U, (uint64_t)0x8cc702081a6439ecU, + (uint64_t)0x90befffa23631e28U, (uint64_t)0xa4506cebde82bde9U, (uint64_t)0xbef9a3f7b2c67915U, + (uint64_t)0xc67178f2e372532bU, (uint64_t)0xca273eceea26619cU, (uint64_t)0xd186b8c721c0c207U, + (uint64_t)0xeada7dd6cde0eb1eU, (uint64_t)0xf57d4f7fee6ed178U, (uint64_t)0x06f067aa72176fbaU, + (uint64_t)0x0a637dc5a2c898a6U, (uint64_t)0x113f9804bef90daeU, (uint64_t)0x1b710b35131c471bU, + (uint64_t)0x28db77f523047d84U, (uint64_t)0x32caab7b40c72493U, (uint64_t)0x3c9ebe0a15c9bebcU, + (uint64_t)0x431d67c49c100d4cU, (uint64_t)0x4cc5d4becb3e42b6U, (uint64_t)0x597f299cfc657e2aU, + (uint64_t)0x5fcb6fab3ad6faecU, (uint64_t)0x6c44198c4a475817U + }; + +void Hacl_Hash_Core_SHA2_init_224(uint32_t *s) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + s[i] = h224[i]; + } +} + +void Hacl_Hash_Core_SHA2_init_256(uint32_t *s) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + s[i] = h256[i]; + } +} + +void Hacl_Hash_Core_SHA2_init_384(uint64_t *s) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + s[i] = h384[i]; + } +} + +void Hacl_Hash_Core_SHA2_init_512(uint64_t *s) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + s[i] = h512[i]; + } +} + +static void update_224(uint32_t *hash, uint8_t *block) +{ + uint32_t hash1[8U] = { 0U }; + uint32_t computed_ws[64U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + if (i < 
(uint32_t)16U) + { + uint8_t *b = block + i * (uint32_t)4U; + uint32_t u = load32_be(b); + computed_ws[i] = u; + } + else + { + uint32_t t16 = computed_ws[i - (uint32_t)16U]; + uint32_t t15 = computed_ws[i - (uint32_t)15U]; + uint32_t t7 = computed_ws[i - (uint32_t)7U]; + uint32_t t2 = computed_ws[i - (uint32_t)2U]; + uint32_t + s1 = + (t2 >> (uint32_t)17U | t2 << (uint32_t)15U) + ^ ((t2 >> (uint32_t)19U | t2 << (uint32_t)13U) ^ t2 >> (uint32_t)10U); + uint32_t + s0 = + (t15 >> (uint32_t)7U | t15 << (uint32_t)25U) + ^ ((t15 >> (uint32_t)18U | t15 << (uint32_t)14U) ^ t15 >> (uint32_t)3U); + uint32_t w = s1 + t7 + s0 + t16; + computed_ws[i] = w; + } + } + memcpy(hash1, hash, (uint32_t)8U * sizeof (uint32_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint32_t a0 = hash1[0U]; + uint32_t b0 = hash1[1U]; + uint32_t c0 = hash1[2U]; + uint32_t d0 = hash1[3U]; + uint32_t e0 = hash1[4U]; + uint32_t f0 = hash1[5U]; + uint32_t g0 = hash1[6U]; + uint32_t h02 = hash1[7U]; + uint32_t w = computed_ws[i]; + uint32_t + t1 = + h02 + + + ((e0 >> (uint32_t)6U | e0 << (uint32_t)26U) + ^ ((e0 >> (uint32_t)11U | e0 << (uint32_t)21U) ^ (e0 >> (uint32_t)25U | e0 << (uint32_t)7U))) + + ((e0 & f0) ^ (~e0 & g0)) + + k224_256[i] + + w; + uint32_t + t2 = + ((a0 >> (uint32_t)2U | a0 << (uint32_t)30U) + ^ ((a0 >> (uint32_t)13U | a0 << (uint32_t)19U) ^ (a0 >> (uint32_t)22U | a0 << (uint32_t)10U))) + + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); + hash1[0U] = t1 + t2; + hash1[1U] = a0; + hash1[2U] = b0; + hash1[3U] = c0; + hash1[4U] = d0 + t1; + hash1[5U] = e0; + hash1[6U] = f0; + hash1[7U] = g0; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t xi = hash[i]; + uint32_t yi = hash1[i]; + hash[i] = xi + yi; + } +} + +static void update_256(uint32_t *hash, uint8_t *block) +{ + uint32_t hash1[8U] = { 0U }; + uint32_t computed_ws[64U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + if (i < (uint32_t)16U) + { + uint8_t *b = block + i * 
(uint32_t)4U; + uint32_t u = load32_be(b); + computed_ws[i] = u; + } + else + { + uint32_t t16 = computed_ws[i - (uint32_t)16U]; + uint32_t t15 = computed_ws[i - (uint32_t)15U]; + uint32_t t7 = computed_ws[i - (uint32_t)7U]; + uint32_t t2 = computed_ws[i - (uint32_t)2U]; + uint32_t + s1 = + (t2 >> (uint32_t)17U | t2 << (uint32_t)15U) + ^ ((t2 >> (uint32_t)19U | t2 << (uint32_t)13U) ^ t2 >> (uint32_t)10U); + uint32_t + s0 = + (t15 >> (uint32_t)7U | t15 << (uint32_t)25U) + ^ ((t15 >> (uint32_t)18U | t15 << (uint32_t)14U) ^ t15 >> (uint32_t)3U); + uint32_t w = s1 + t7 + s0 + t16; + computed_ws[i] = w; + } + } + memcpy(hash1, hash, (uint32_t)8U * sizeof (uint32_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) + { + uint32_t a0 = hash1[0U]; + uint32_t b0 = hash1[1U]; + uint32_t c0 = hash1[2U]; + uint32_t d0 = hash1[3U]; + uint32_t e0 = hash1[4U]; + uint32_t f0 = hash1[5U]; + uint32_t g0 = hash1[6U]; + uint32_t h02 = hash1[7U]; + uint32_t w = computed_ws[i]; + uint32_t + t1 = + h02 + + + ((e0 >> (uint32_t)6U | e0 << (uint32_t)26U) + ^ ((e0 >> (uint32_t)11U | e0 << (uint32_t)21U) ^ (e0 >> (uint32_t)25U | e0 << (uint32_t)7U))) + + ((e0 & f0) ^ (~e0 & g0)) + + k224_256[i] + + w; + uint32_t + t2 = + ((a0 >> (uint32_t)2U | a0 << (uint32_t)30U) + ^ ((a0 >> (uint32_t)13U | a0 << (uint32_t)19U) ^ (a0 >> (uint32_t)22U | a0 << (uint32_t)10U))) + + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); + hash1[0U] = t1 + t2; + hash1[1U] = a0; + hash1[2U] = b0; + hash1[3U] = c0; + hash1[4U] = d0 + t1; + hash1[5U] = e0; + hash1[6U] = f0; + hash1[7U] = g0; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t xi = hash[i]; + uint32_t yi = hash1[i]; + hash[i] = xi + yi; + } +} + +void Hacl_Hash_Core_SHA2_update_384(uint64_t *hash, uint8_t *block) +{ + uint64_t hash1[8U] = { 0U }; + uint64_t computed_ws[80U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)80U; i++) + { + if (i < (uint32_t)16U) + { + uint8_t *b = block + i * (uint32_t)8U; + uint64_t u = 
load64_be(b); + computed_ws[i] = u; + } + else + { + uint64_t t16 = computed_ws[i - (uint32_t)16U]; + uint64_t t15 = computed_ws[i - (uint32_t)15U]; + uint64_t t7 = computed_ws[i - (uint32_t)7U]; + uint64_t t2 = computed_ws[i - (uint32_t)2U]; + uint64_t + s1 = + (t2 >> (uint32_t)19U | t2 << (uint32_t)45U) + ^ ((t2 >> (uint32_t)61U | t2 << (uint32_t)3U) ^ t2 >> (uint32_t)6U); + uint64_t + s0 = + (t15 >> (uint32_t)1U | t15 << (uint32_t)63U) + ^ ((t15 >> (uint32_t)8U | t15 << (uint32_t)56U) ^ t15 >> (uint32_t)7U); + uint64_t w = s1 + t7 + s0 + t16; + computed_ws[i] = w; + } + } + memcpy(hash1, hash, (uint32_t)8U * sizeof (uint64_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)80U; i++) + { + uint64_t a0 = hash1[0U]; + uint64_t b0 = hash1[1U]; + uint64_t c0 = hash1[2U]; + uint64_t d0 = hash1[3U]; + uint64_t e0 = hash1[4U]; + uint64_t f0 = hash1[5U]; + uint64_t g0 = hash1[6U]; + uint64_t h02 = hash1[7U]; + uint64_t w = computed_ws[i]; + uint64_t + t1 = + h02 + + + ((e0 >> (uint32_t)14U | e0 << (uint32_t)50U) + ^ + ((e0 >> (uint32_t)18U | e0 << (uint32_t)46U) + ^ (e0 >> (uint32_t)41U | e0 << (uint32_t)23U))) + + ((e0 & f0) ^ (~e0 & g0)) + + k384_512[i] + + w; + uint64_t + t2 = + ((a0 >> (uint32_t)28U | a0 << (uint32_t)36U) + ^ ((a0 >> (uint32_t)34U | a0 << (uint32_t)30U) ^ (a0 >> (uint32_t)39U | a0 << (uint32_t)25U))) + + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); + hash1[0U] = t1 + t2; + hash1[1U] = a0; + hash1[2U] = b0; + hash1[3U] = c0; + hash1[4U] = d0 + t1; + hash1[5U] = e0; + hash1[6U] = f0; + hash1[7U] = g0; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint64_t xi = hash[i]; + uint64_t yi = hash1[i]; + hash[i] = xi + yi; + } +} + +void Hacl_Hash_Core_SHA2_update_512(uint64_t *hash, uint8_t *block) +{ + uint64_t hash1[8U] = { 0U }; + uint64_t computed_ws[80U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)80U; i++) + { + if (i < (uint32_t)16U) + { + uint8_t *b = block + i * (uint32_t)8U; + uint64_t u = load64_be(b); + 
computed_ws[i] = u; + } + else + { + uint64_t t16 = computed_ws[i - (uint32_t)16U]; + uint64_t t15 = computed_ws[i - (uint32_t)15U]; + uint64_t t7 = computed_ws[i - (uint32_t)7U]; + uint64_t t2 = computed_ws[i - (uint32_t)2U]; + uint64_t + s1 = + (t2 >> (uint32_t)19U | t2 << (uint32_t)45U) + ^ ((t2 >> (uint32_t)61U | t2 << (uint32_t)3U) ^ t2 >> (uint32_t)6U); + uint64_t + s0 = + (t15 >> (uint32_t)1U | t15 << (uint32_t)63U) + ^ ((t15 >> (uint32_t)8U | t15 << (uint32_t)56U) ^ t15 >> (uint32_t)7U); + uint64_t w = s1 + t7 + s0 + t16; + computed_ws[i] = w; + } + } + memcpy(hash1, hash, (uint32_t)8U * sizeof (uint64_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)80U; i++) + { + uint64_t a0 = hash1[0U]; + uint64_t b0 = hash1[1U]; + uint64_t c0 = hash1[2U]; + uint64_t d0 = hash1[3U]; + uint64_t e0 = hash1[4U]; + uint64_t f0 = hash1[5U]; + uint64_t g0 = hash1[6U]; + uint64_t h02 = hash1[7U]; + uint64_t w = computed_ws[i]; + uint64_t + t1 = + h02 + + + ((e0 >> (uint32_t)14U | e0 << (uint32_t)50U) + ^ + ((e0 >> (uint32_t)18U | e0 << (uint32_t)46U) + ^ (e0 >> (uint32_t)41U | e0 << (uint32_t)23U))) + + ((e0 & f0) ^ (~e0 & g0)) + + k384_512[i] + + w; + uint64_t + t2 = + ((a0 >> (uint32_t)28U | a0 << (uint32_t)36U) + ^ ((a0 >> (uint32_t)34U | a0 << (uint32_t)30U) ^ (a0 >> (uint32_t)39U | a0 << (uint32_t)25U))) + + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); + hash1[0U] = t1 + t2; + hash1[1U] = a0; + hash1[2U] = b0; + hash1[3U] = c0; + hash1[4U] = d0 + t1; + hash1[5U] = e0; + hash1[6U] = f0; + hash1[7U] = g0; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint64_t xi = hash[i]; + uint64_t yi = hash1[i]; + hash[i] = xi + yi; + } +} + +static void pad_224(uint64_t len, uint8_t *dst) +{ + uint8_t *dst1 = dst; + dst1[0U] = (uint8_t)0x80U; + uint8_t *dst2 = dst + (uint32_t)1U; + for + (uint32_t + i = (uint32_t)0U; + i + < ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(len % (uint64_t)(uint32_t)64U))) % (uint32_t)64U; + i++) + { + dst2[i] = (uint8_t)0U; + } + uint8_t 
+ *dst3 = + dst + + + (uint32_t)1U + + + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U; + store64_be(dst3, len << (uint32_t)3U); +} + +void Hacl_Hash_Core_SHA2_pad_256(uint64_t len, uint8_t *dst) +{ + uint8_t *dst1 = dst; + dst1[0U] = (uint8_t)0x80U; + uint8_t *dst2 = dst + (uint32_t)1U; + for + (uint32_t + i = (uint32_t)0U; + i + < ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(len % (uint64_t)(uint32_t)64U))) % (uint32_t)64U; + i++) + { + dst2[i] = (uint8_t)0U; + } + uint8_t + *dst3 = + dst + + + (uint32_t)1U + + + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U; + store64_be(dst3, len << (uint32_t)3U); +} + +static void pad_384(FStar_UInt128_uint128 len, uint8_t *dst) +{ + uint8_t *dst1 = dst; + dst1[0U] = (uint8_t)0x80U; + uint8_t *dst2 = dst + (uint32_t)1U; + for + (uint32_t + i = (uint32_t)0U; + i + < + ((uint32_t)256U + - + ((uint32_t)17U + + (uint32_t)(FStar_UInt128_uint128_to_uint64(len) % (uint64_t)(uint32_t)128U))) + % (uint32_t)128U; + i++) + { + dst2[i] = (uint8_t)0U; + } + uint8_t + *dst3 = + dst + + + (uint32_t)1U + + + ((uint32_t)256U + - + ((uint32_t)17U + + (uint32_t)(FStar_UInt128_uint128_to_uint64(len) % (uint64_t)(uint32_t)128U))) + % (uint32_t)128U; + FStar_UInt128_uint128 len_ = FStar_UInt128_shift_left(len, (uint32_t)3U); + store128_be(dst3, len_); +} + +static void pad_512(FStar_UInt128_uint128 len, uint8_t *dst) +{ + uint8_t *dst1 = dst; + dst1[0U] = (uint8_t)0x80U; + uint8_t *dst2 = dst + (uint32_t)1U; + for + (uint32_t + i = (uint32_t)0U; + i + < + ((uint32_t)256U + - + ((uint32_t)17U + + (uint32_t)(FStar_UInt128_uint128_to_uint64(len) % (uint64_t)(uint32_t)128U))) + % (uint32_t)128U; + i++) + { + dst2[i] = (uint8_t)0U; + } + uint8_t + *dst3 = + dst + + + (uint32_t)1U + + + ((uint32_t)256U + - + ((uint32_t)17U + + (uint32_t)(FStar_UInt128_uint128_to_uint64(len) % (uint64_t)(uint32_t)128U))) + % (uint32_t)128U; + FStar_UInt128_uint128 len_ = 
FStar_UInt128_shift_left(len, (uint32_t)3U); + store128_be(dst3, len_); +} + +void Hacl_Hash_Core_SHA2_finish_224(uint32_t *s, uint8_t *dst) +{ + uint32_t *uu____0 = s; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)7U; i++) + { + store32_be(dst + i * (uint32_t)4U, uu____0[i]); + } +} + +void Hacl_Hash_Core_SHA2_finish_256(uint32_t *s, uint8_t *dst) +{ + uint32_t *uu____0 = s; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + store32_be(dst + i * (uint32_t)4U, uu____0[i]); + } +} + +void Hacl_Hash_Core_SHA2_finish_384(uint64_t *s, uint8_t *dst) +{ + uint64_t *uu____0 = s; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)6U; i++) + { + store64_be(dst + i * (uint32_t)8U, uu____0[i]); + } +} + +void Hacl_Hash_Core_SHA2_finish_512(uint64_t *s, uint8_t *dst) +{ + uint64_t *uu____0 = s; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + store64_be(dst + i * (uint32_t)8U, uu____0[i]); + } +} + +void Hacl_Hash_SHA2_update_multi_224(uint32_t *s, uint8_t *blocks, uint32_t n_blocks) +{ + for (uint32_t i = (uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)64U; + uint8_t *block = blocks + sz * i; + update_224(s, block); + } +} + +void Hacl_Hash_SHA2_update_multi_256(uint32_t *s, uint8_t *blocks, uint32_t n_blocks) +{ + for (uint32_t i = (uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)64U; + uint8_t *block = blocks + sz * i; + update_256(s, block); + } +} + +void Hacl_Hash_SHA2_update_multi_384(uint64_t *s, uint8_t *blocks, uint32_t n_blocks) +{ + for (uint32_t i = (uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)128U; + uint8_t *block = blocks + sz * i; + Hacl_Hash_Core_SHA2_update_384(s, block); + } +} + +void Hacl_Hash_SHA2_update_multi_512(uint64_t *s, uint8_t *blocks, uint32_t n_blocks) +{ + for (uint32_t i = (uint32_t)0U; i < n_blocks; i++) + { + uint32_t sz = (uint32_t)128U; + uint8_t *block = blocks + sz * i; + Hacl_Hash_Core_SHA2_update_512(s, block); + } +} + +void +Hacl_Hash_SHA2_update_last_224( + 
uint32_t *s, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)64U; + uint32_t blocks_len = blocks_n * (uint32_t)64U; + uint8_t *blocks = input; + uint32_t rest_len = input_len - blocks_len; + uint8_t *rest = input + blocks_len; + Hacl_Hash_SHA2_update_multi_224(s, blocks, blocks_n); + uint64_t total_input_len = prev_len + (uint64_t)input_len; + uint32_t + pad_len = + (uint32_t)1U + + + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(total_input_len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U + + (uint32_t)8U; + uint32_t tmp_len = rest_len + pad_len; + uint8_t tmp_twoblocks[128U] = { 0U }; + uint8_t *tmp = tmp_twoblocks; + uint8_t *tmp_rest = tmp; + uint8_t *tmp_pad = tmp + rest_len; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + pad_224(total_input_len, tmp_pad); + Hacl_Hash_SHA2_update_multi_224(s, tmp, tmp_len / (uint32_t)64U); +} + +void +Hacl_Hash_SHA2_update_last_256( + uint32_t *s, + uint64_t prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)64U; + uint32_t blocks_len = blocks_n * (uint32_t)64U; + uint8_t *blocks = input; + uint32_t rest_len = input_len - blocks_len; + uint8_t *rest = input + blocks_len; + Hacl_Hash_SHA2_update_multi_256(s, blocks, blocks_n); + uint64_t total_input_len = prev_len + (uint64_t)input_len; + uint32_t + pad_len = + (uint32_t)1U + + + ((uint32_t)128U - ((uint32_t)9U + (uint32_t)(total_input_len % (uint64_t)(uint32_t)64U))) + % (uint32_t)64U + + (uint32_t)8U; + uint32_t tmp_len = rest_len + pad_len; + uint8_t tmp_twoblocks[128U] = { 0U }; + uint8_t *tmp = tmp_twoblocks; + uint8_t *tmp_rest = tmp; + uint8_t *tmp_pad = tmp + rest_len; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + Hacl_Hash_Core_SHA2_pad_256(total_input_len, tmp_pad); + Hacl_Hash_SHA2_update_multi_256(s, tmp, tmp_len / (uint32_t)64U); +} + +void +Hacl_Hash_SHA2_update_last_384( + uint64_t *s, + FStar_UInt128_uint128 prev_len, + uint8_t 
*input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)128U; + uint32_t blocks_len = blocks_n * (uint32_t)128U; + uint8_t *blocks = input; + uint32_t rest_len = input_len - blocks_len; + uint8_t *rest = input + blocks_len; + Hacl_Hash_SHA2_update_multi_384(s, blocks, blocks_n); + FStar_UInt128_uint128 + total_input_len = + FStar_UInt128_add(prev_len, + FStar_UInt128_uint64_to_uint128((uint64_t)input_len)); + uint32_t + pad_len = + (uint32_t)1U + + + ((uint32_t)256U + - + ((uint32_t)17U + + (uint32_t)(FStar_UInt128_uint128_to_uint64(total_input_len) % (uint64_t)(uint32_t)128U))) + % (uint32_t)128U + + (uint32_t)16U; + uint32_t tmp_len = rest_len + pad_len; + uint8_t tmp_twoblocks[256U] = { 0U }; + uint8_t *tmp = tmp_twoblocks; + uint8_t *tmp_rest = tmp; + uint8_t *tmp_pad = tmp + rest_len; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + pad_384(total_input_len, tmp_pad); + Hacl_Hash_SHA2_update_multi_384(s, tmp, tmp_len / (uint32_t)128U); +} + +void +Hacl_Hash_SHA2_update_last_512( + uint64_t *s, + FStar_UInt128_uint128 prev_len, + uint8_t *input, + uint32_t input_len +) +{ + uint32_t blocks_n = input_len / (uint32_t)128U; + uint32_t blocks_len = blocks_n * (uint32_t)128U; + uint8_t *blocks = input; + uint32_t rest_len = input_len - blocks_len; + uint8_t *rest = input + blocks_len; + Hacl_Hash_SHA2_update_multi_512(s, blocks, blocks_n); + FStar_UInt128_uint128 + total_input_len = + FStar_UInt128_add(prev_len, + FStar_UInt128_uint64_to_uint128((uint64_t)input_len)); + uint32_t + pad_len = + (uint32_t)1U + + + ((uint32_t)256U + - + ((uint32_t)17U + + (uint32_t)(FStar_UInt128_uint128_to_uint64(total_input_len) % (uint64_t)(uint32_t)128U))) + % (uint32_t)128U + + (uint32_t)16U; + uint32_t tmp_len = rest_len + pad_len; + uint8_t tmp_twoblocks[256U] = { 0U }; + uint8_t *tmp = tmp_twoblocks; + uint8_t *tmp_rest = tmp; + uint8_t *tmp_pad = tmp + rest_len; + memcpy(tmp_rest, rest, rest_len * sizeof (uint8_t)); + pad_512(total_input_len, 
tmp_pad); + Hacl_Hash_SHA2_update_multi_512(s, tmp, tmp_len / (uint32_t)128U); +} + +void Hacl_Hash_SHA2_hash_224(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + uint32_t + scrut[8U] = + { + (uint32_t)0xc1059ed8U, (uint32_t)0x367cd507U, (uint32_t)0x3070dd17U, (uint32_t)0xf70e5939U, + (uint32_t)0xffc00b31U, (uint32_t)0x68581511U, (uint32_t)0x64f98fa7U, (uint32_t)0xbefa4fa4U + }; + uint32_t *s = scrut; + uint32_t blocks_n0 = input_len / (uint32_t)64U; + uint32_t blocks_n1; + if (input_len % (uint32_t)64U == (uint32_t)0U && blocks_n0 > (uint32_t)0U) + { + blocks_n1 = blocks_n0 - (uint32_t)1U; + } + else + { + blocks_n1 = blocks_n0; + } + uint32_t blocks_len0 = blocks_n1 * (uint32_t)64U; + uint8_t *blocks0 = input; + uint32_t rest_len0 = input_len - blocks_len0; + uint8_t *rest0 = input + blocks_len0; + uint32_t blocks_n = blocks_n1; + uint32_t blocks_len = blocks_len0; + uint8_t *blocks = blocks0; + uint32_t rest_len = rest_len0; + uint8_t *rest = rest0; + Hacl_Hash_SHA2_update_multi_224(s, blocks, blocks_n); + Hacl_Hash_SHA2_update_last_224(s, (uint64_t)blocks_len, rest, rest_len); + Hacl_Hash_Core_SHA2_finish_224(s, dst); +} + +void Hacl_Hash_SHA2_hash_256(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + uint32_t + scrut[8U] = + { + (uint32_t)0x6a09e667U, (uint32_t)0xbb67ae85U, (uint32_t)0x3c6ef372U, (uint32_t)0xa54ff53aU, + (uint32_t)0x510e527fU, (uint32_t)0x9b05688cU, (uint32_t)0x1f83d9abU, (uint32_t)0x5be0cd19U + }; + uint32_t *s = scrut; + uint32_t blocks_n0 = input_len / (uint32_t)64U; + uint32_t blocks_n1; + if (input_len % (uint32_t)64U == (uint32_t)0U && blocks_n0 > (uint32_t)0U) + { + blocks_n1 = blocks_n0 - (uint32_t)1U; + } + else + { + blocks_n1 = blocks_n0; + } + uint32_t blocks_len0 = blocks_n1 * (uint32_t)64U; + uint8_t *blocks0 = input; + uint32_t rest_len0 = input_len - blocks_len0; + uint8_t *rest0 = input + blocks_len0; + uint32_t blocks_n = blocks_n1; + uint32_t blocks_len = blocks_len0; + uint8_t *blocks = blocks0; + uint32_t 
rest_len = rest_len0; + uint8_t *rest = rest0; + Hacl_Hash_SHA2_update_multi_256(s, blocks, blocks_n); + Hacl_Hash_SHA2_update_last_256(s, (uint64_t)blocks_len, rest, rest_len); + Hacl_Hash_Core_SHA2_finish_256(s, dst); +} + +typedef uint64_t *___uint64_t____; + +void Hacl_Hash_SHA2_hash_384(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + uint64_t + scrut[8U] = + { + (uint64_t)0xcbbb9d5dc1059ed8U, (uint64_t)0x629a292a367cd507U, (uint64_t)0x9159015a3070dd17U, + (uint64_t)0x152fecd8f70e5939U, (uint64_t)0x67332667ffc00b31U, (uint64_t)0x8eb44a8768581511U, + (uint64_t)0xdb0c2e0d64f98fa7U, (uint64_t)0x47b5481dbefa4fa4U + }; + uint64_t *s = scrut; + uint32_t blocks_n0 = input_len / (uint32_t)128U; + uint32_t blocks_n1; + if (input_len % (uint32_t)128U == (uint32_t)0U && blocks_n0 > (uint32_t)0U) + { + blocks_n1 = blocks_n0 - (uint32_t)1U; + } + else + { + blocks_n1 = blocks_n0; + } + uint32_t blocks_len0 = blocks_n1 * (uint32_t)128U; + uint8_t *blocks0 = input; + uint32_t rest_len0 = input_len - blocks_len0; + uint8_t *rest0 = input + blocks_len0; + uint32_t blocks_n = blocks_n1; + uint32_t blocks_len = blocks_len0; + uint8_t *blocks = blocks0; + uint32_t rest_len = rest_len0; + uint8_t *rest = rest0; + Hacl_Hash_SHA2_update_multi_384(s, blocks, blocks_n); + Hacl_Hash_SHA2_update_last_384(s, + FStar_UInt128_uint64_to_uint128((uint64_t)blocks_len), + rest, + rest_len); + Hacl_Hash_Core_SHA2_finish_384(s, dst); +} + +void Hacl_Hash_SHA2_hash_512(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + uint64_t + scrut[8U] = + { + (uint64_t)0x6a09e667f3bcc908U, (uint64_t)0xbb67ae8584caa73bU, (uint64_t)0x3c6ef372fe94f82bU, + (uint64_t)0xa54ff53a5f1d36f1U, (uint64_t)0x510e527fade682d1U, (uint64_t)0x9b05688c2b3e6c1fU, + (uint64_t)0x1f83d9abfb41bd6bU, (uint64_t)0x5be0cd19137e2179U + }; + uint64_t *s = scrut; + uint32_t blocks_n0 = input_len / (uint32_t)128U; + uint32_t blocks_n1; + if (input_len % (uint32_t)128U == (uint32_t)0U && blocks_n0 > (uint32_t)0U) + { + blocks_n1 = 
blocks_n0 - (uint32_t)1U; + } + else + { + blocks_n1 = blocks_n0; + } + uint32_t blocks_len0 = blocks_n1 * (uint32_t)128U; + uint8_t *blocks0 = input; + uint32_t rest_len0 = input_len - blocks_len0; + uint8_t *rest0 = input + blocks_len0; + uint32_t blocks_n = blocks_n1; + uint32_t blocks_len = blocks_len0; + uint8_t *blocks = blocks0; + uint32_t rest_len = rest_len0; + uint8_t *rest = rest0; + Hacl_Hash_SHA2_update_multi_512(s, blocks, blocks_n); + Hacl_Hash_SHA2_update_last_512(s, + FStar_UInt128_uint64_to_uint128((uint64_t)blocks_len), + rest, + rest_len); + Hacl_Hash_Core_SHA2_finish_512(s, dst); +} + diff --git a/src/msvc/Hacl_Kremlib.c b/src/msvc/Hacl_Kremlib.c new file mode 100644 index 00000000..ac1f323c --- /dev/null +++ b/src/msvc/Hacl_Kremlib.c 
@@ -0,0 +1,45 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "internal/Hacl_Kremlib.h" + + + +static uint32_t max_uint32 = (uint32_t)4294967295U; + +static uint32_t resize_ratio = (uint32_t)2U; + +uint32_t LowStar_Vector_new_capacity(uint32_t cap) +{ + if (cap >= max_uint32 / resize_ratio) + { + return max_uint32; + } + if (cap == (uint32_t)0U) + { + return (uint32_t)1U; + } + return cap * resize_ratio; +} + diff --git a/src/msvc/Hacl_NaCl.c b/src/msvc/Hacl_NaCl.c new file mode 100644 index 00000000..6cbed421 --- /dev/null +++ b/src/msvc/Hacl_NaCl.c 
@@ -0,0 +1,413 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_NaCl.h" + +#include "internal/Hacl_Kremlib.h" + +static void secretbox_init(uint8_t *xkeys, uint8_t *k, uint8_t *n) +{ + uint8_t *subkey = xkeys; + uint8_t *aekey = xkeys + (uint32_t)32U; + uint8_t *n0 = n; + uint8_t *n1 = n + (uint32_t)16U; + Hacl_Salsa20_hsalsa20(subkey, k, n0); + Hacl_Salsa20_salsa20_key_block0(aekey, subkey, n1); +} + +static void +secretbox_detached(uint32_t mlen, uint8_t *c, uint8_t *tag, uint8_t *k, uint8_t *n, uint8_t *m) +{ + uint8_t xkeys[96U] = { 0U }; + secretbox_init(xkeys, k, n); + uint8_t *mkey = xkeys + (uint32_t)32U; + uint8_t *n1 = n + (uint32_t)16U; + uint8_t *subkey = xkeys; + uint8_t *ekey0 = xkeys + (uint32_t)64U; + uint32_t mlen0; + if (mlen <= (uint32_t)32U) + { + mlen0 = mlen; + } + else + { + mlen0 = (uint32_t)32U; + } + uint32_t mlen1 = mlen - mlen0; + uint8_t *m0 = m; + uint8_t *m1 = m + mlen0; + uint8_t block0[32U] = { 0U }; + memcpy(block0, m0, mlen0 * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint8_t *os = block0; + uint8_t x = block0[i] ^ ekey0[i]; + os[i] = x; + } + uint8_t *c0 = c; + uint8_t *c1 = c + mlen0; + memcpy(c0, block0, mlen0 * sizeof (uint8_t)); + Hacl_Salsa20_salsa20_encrypt(mlen1, c1, m1, subkey, n1, (uint32_t)1U); + Hacl_Poly1305_32_poly1305_mac(tag, mlen, c, mkey); +} + +static uint32_t +secretbox_open_detached( + uint32_t mlen, + uint8_t *m, + uint8_t *k, + uint8_t *n, + uint8_t *c, + uint8_t *tag +) +{ + uint8_t xkeys[96U] = { 0U }; + secretbox_init(xkeys, k, n); + uint8_t *mkey = xkeys + (uint32_t)32U; + uint8_t tag_[16U] = { 0U }; + Hacl_Poly1305_32_poly1305_mac(tag_, mlen, c, mkey); + uint8_t res = (uint8_t)255U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint8_t uu____0 = FStar_UInt8_eq_mask(tag[i], tag_[i]); + res = uu____0 & res; + } + uint8_t z = res; + if (z == (uint8_t)255U) + { + uint8_t *subkey = xkeys; + uint8_t *ekey0 = xkeys + (uint32_t)64U; + uint8_t *n1 = n + (uint32_t)16U; + uint32_t mlen0; + if 
(mlen <= (uint32_t)32U) + { + mlen0 = mlen; + } + else + { + mlen0 = (uint32_t)32U; + } + uint32_t mlen1 = mlen - mlen0; + uint8_t *c0 = c; + uint8_t *c1 = c + mlen0; + uint8_t block0[32U] = { 0U }; + memcpy(block0, c0, mlen0 * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) + { + uint8_t *os = block0; + uint8_t x = block0[i] ^ ekey0[i]; + os[i] = x; + } + uint8_t *m0 = m; + uint8_t *m1 = m + mlen0; + memcpy(m0, block0, mlen0 * sizeof (uint8_t)); + Hacl_Salsa20_salsa20_decrypt(mlen1, m1, c1, subkey, n1, (uint32_t)1U); + return (uint32_t)0U; + } + return (uint32_t)0xffffffffU; +} + +static void secretbox_easy(uint32_t mlen, uint8_t *c, uint8_t *k, uint8_t *n, uint8_t *m) +{ + uint8_t *tag = c; + uint8_t *cip = c + (uint32_t)16U; + secretbox_detached(mlen, cip, tag, k, n, m); +} + +static uint32_t +secretbox_open_easy(uint32_t mlen, uint8_t *m, uint8_t *k, uint8_t *n, uint8_t *c) +{ + uint8_t *tag = c; + uint8_t *cip = c + (uint32_t)16U; + return secretbox_open_detached(mlen, m, k, n, cip, tag); +} + +static inline uint32_t box_beforenm(uint8_t *k, uint8_t *pk, uint8_t *sk) +{ + uint8_t n0[16U] = { 0U }; + bool r = Hacl_Curve25519_51_ecdh(k, sk, pk); + if (r) + { + Hacl_Salsa20_hsalsa20(k, k, n0); + return (uint32_t)0U; + } + return (uint32_t)0xffffffffU; +} + +static inline uint32_t +box_detached_afternm( + uint32_t mlen, + uint8_t *c, + uint8_t *tag, + uint8_t *k, + uint8_t *n, + uint8_t *m +) +{ + secretbox_detached(mlen, c, tag, k, n, m); + return (uint32_t)0U; +} + +static inline uint32_t +box_detached( + uint32_t mlen, + uint8_t *c, + uint8_t *tag, + uint8_t *sk, + uint8_t *pk, + uint8_t *n, + uint8_t *m +) +{ + uint8_t k[32U] = { 0U }; + uint32_t r = box_beforenm(k, pk, sk); + if (r == (uint32_t)0U) + { + return box_detached_afternm(mlen, c, tag, k, n, m); + } + return (uint32_t)0xffffffffU; +} + +static inline uint32_t +box_open_detached_afternm( + uint32_t mlen, + uint8_t *m, + uint8_t *k, + uint8_t *n, + uint8_t *c, + uint8_t 
*tag +) +{ + return secretbox_open_detached(mlen, m, k, n, c, tag); +} + +static inline uint32_t +box_open_detached( + uint32_t mlen, + uint8_t *m, + uint8_t *pk, + uint8_t *sk, + uint8_t *n, + uint8_t *c, + uint8_t *tag +) +{ + uint8_t k[32U] = { 0U }; + uint32_t r = box_beforenm(k, pk, sk); + if (r == (uint32_t)0U) + { + return box_open_detached_afternm(mlen, m, k, n, c, tag); + } + return (uint32_t)0xffffffffU; +} + +static inline uint32_t +box_easy_afternm(uint32_t mlen, uint8_t *c, uint8_t *k, uint8_t *n, uint8_t *m) +{ + uint8_t *tag = c; + uint8_t *cip = c + (uint32_t)16U; + uint32_t res = box_detached_afternm(mlen, cip, tag, k, n, m); + return res; +} + +static inline uint32_t +box_easy(uint32_t mlen, uint8_t *c, uint8_t *sk, uint8_t *pk, uint8_t *n, uint8_t *m) +{ + uint8_t *tag = c; + uint8_t *cip = c + (uint32_t)16U; + uint32_t res = box_detached(mlen, cip, tag, sk, pk, n, m); + return res; +} + +static inline uint32_t +box_open_easy_afternm(uint32_t mlen, uint8_t *m, uint8_t *k, uint8_t *n, uint8_t *c) +{ + uint8_t *tag = c; + uint8_t *cip = c + (uint32_t)16U; + return box_open_detached_afternm(mlen, m, k, n, cip, tag); +} + +static inline uint32_t +box_open_easy(uint32_t mlen, uint8_t *m, uint8_t *pk, uint8_t *sk, uint8_t *n, uint8_t *c) +{ + uint8_t *tag = c; + uint8_t *cip = c + (uint32_t)16U; + return box_open_detached(mlen, m, pk, sk, n, cip, tag); +} + +uint32_t +Hacl_NaCl_crypto_secretbox_detached( + uint8_t *c, + uint8_t *tag, + uint8_t *m, + uint32_t mlen, + uint8_t *n, + uint8_t *k +) +{ + secretbox_detached(mlen, c, tag, k, n, m); + return (uint32_t)0U; +} + +uint32_t +Hacl_NaCl_crypto_secretbox_open_detached( + uint8_t *m, + uint8_t *c, + uint8_t *tag, + uint32_t mlen, + uint8_t *n, + uint8_t *k +) +{ + return secretbox_open_detached(mlen, m, k, n, c, tag); +} + +uint32_t +Hacl_NaCl_crypto_secretbox_easy(uint8_t *c, uint8_t *m, uint32_t mlen, uint8_t *n, uint8_t *k) +{ + secretbox_easy(mlen, c, k, n, m); + return (uint32_t)0U; +} + +uint32_t 
+Hacl_NaCl_crypto_secretbox_open_easy( + uint8_t *m, + uint8_t *c, + uint32_t clen, + uint8_t *n, + uint8_t *k +) +{ + return secretbox_open_easy(clen - (uint32_t)16U, m, k, n, c); +} + +uint32_t Hacl_NaCl_crypto_box_beforenm(uint8_t *k, uint8_t *pk, uint8_t *sk) +{ + return box_beforenm(k, pk, sk); +} + +uint32_t +Hacl_NaCl_crypto_box_detached_afternm( + uint8_t *c, + uint8_t *tag, + uint8_t *m, + uint32_t mlen, + uint8_t *n, + uint8_t *k +) +{ + return box_detached_afternm(mlen, c, tag, k, n, m); +} + +uint32_t +Hacl_NaCl_crypto_box_detached( + uint8_t *c, + uint8_t *tag, + uint8_t *m, + uint32_t mlen, + uint8_t *n, + uint8_t *pk, + uint8_t *sk +) +{ + return box_detached(mlen, c, tag, sk, pk, n, m); +} + +uint32_t +Hacl_NaCl_crypto_box_open_detached_afternm( + uint8_t *m, + uint8_t *c, + uint8_t *tag, + uint32_t mlen, + uint8_t *n, + uint8_t *k +) +{ + return box_open_detached_afternm(mlen, m, k, n, c, tag); +} + +uint32_t +Hacl_NaCl_crypto_box_open_detached( + uint8_t *m, + uint8_t *c, + uint8_t *tag, + uint32_t mlen, + uint8_t *n, + uint8_t *pk, + uint8_t *sk +) +{ + return box_open_detached(mlen, m, pk, sk, n, c, tag); +} + +uint32_t +Hacl_NaCl_crypto_box_easy_afternm( + uint8_t *c, + uint8_t *m, + uint32_t mlen, + uint8_t *n, + uint8_t *k +) +{ + return box_easy_afternm(mlen, c, k, n, m); +} + +uint32_t +Hacl_NaCl_crypto_box_easy( + uint8_t *c, + uint8_t *m, + uint32_t mlen, + uint8_t *n, + uint8_t *pk, + uint8_t *sk +) +{ + return box_easy(mlen, c, sk, pk, n, m); +} + +uint32_t +Hacl_NaCl_crypto_box_open_easy_afternm( + uint8_t *m, + uint8_t *c, + uint32_t clen, + uint8_t *n, + uint8_t *k +) +{ + return box_open_easy_afternm(clen - (uint32_t)16U, m, k, n, c); +} + +uint32_t +Hacl_NaCl_crypto_box_open_easy( + uint8_t *m, + uint8_t *c, + uint32_t clen, + uint8_t *n, + uint8_t *pk, + uint8_t *sk +) +{ + return box_open_easy(clen - (uint32_t)16U, m, pk, sk, n, c); +} + 
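Review bot: Hacl_NaCl_crypto_secretbox_open_easy, Hacl_NaCl_crypto_box_open_easy_afternm and Hacl_NaCl_crypto_box_open_easy derive the plaintext length as `clen - (uint32_t)16U` with no check that `clen >= 16`; a shorter ciphertext wraps to a length near 2^32, and Hacl_Poly1305_32_poly1305_mac in secretbox_open_detached then reads far past the buffer before the tag comparison can ever fail. The extracted code presumably inherits this as an F* precondition, but these are exported C entry points and nothing on the C side enforces it, so either state the requirement in Hacl_NaCl.h or reject short input with `if (clen < (uint32_t)16U) { return (uint32_t)0xffffffffU; }` ahead of the subtraction in each of the three wrappers. Separately, `xkeys[96U]`, `block0[32U]` and the shared-secret `k[32U]` in box_detached/box_open_detached carry key material and are left on the stack on return with no explicit wipe; a compiler-resistant zeroization before returning, or a comment stating that callers cannot rely on one, would be worth adding. The constant-time tag fold over FStar_UInt8_eq_mask and the decrypt-only-after-verify ordering in secretbox_open_detached look right.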
diff --git a/src/msvc/Hacl_P256.c b/src/msvc/Hacl_P256.c new file mode 100644 index 00000000..8db4fa43 --- /dev/null +++ b/src/msvc/Hacl_P256.c 
@@ -0,0 +1,3118 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_P256.h" + +#include "internal/Hacl_Spec.h" +#include "internal/Hacl_Kremlib.h" + +static uint64_t isZero_uint64_CT(uint64_t *f) +{ + uint64_t a0 = f[0U]; + uint64_t a1 = f[1U]; + uint64_t a2 = f[2U]; + uint64_t a3 = f[3U]; + uint64_t r0 = FStar_UInt64_eq_mask(a0, (uint64_t)0U); + uint64_t r1 = FStar_UInt64_eq_mask(a1, (uint64_t)0U); + uint64_t r2 = FStar_UInt64_eq_mask(a2, (uint64_t)0U); + uint64_t r3 = FStar_UInt64_eq_mask(a3, (uint64_t)0U); + uint64_t r01 = r0 & r1; + uint64_t r23 = r2 & r3; + return r01 & r23; +} + +static uint64_t compare_felem(uint64_t *a, uint64_t *b) +{ + uint64_t a_0 = a[0U]; + uint64_t a_1 = a[1U]; + uint64_t a_2 = a[2U]; + uint64_t a_3 = a[3U]; + uint64_t b_0 = b[0U]; + uint64_t b_1 = b[1U]; + uint64_t b_2 = b[2U]; + uint64_t b_3 = b[3U]; + uint64_t r_0 = FStar_UInt64_eq_mask(a_0, b_0); + uint64_t r_1 = FStar_UInt64_eq_mask(a_1, b_1); + uint64_t r_2 = FStar_UInt64_eq_mask(a_2, b_2); + uint64_t r_3 = FStar_UInt64_eq_mask(a_3, b_3); + uint64_t r01 = r_0 & r_1; + uint64_t r23 = r_2 & r_3; + return r01 & r23; +} + +static void copy_conditional(uint64_t *out, uint64_t *x, uint64_t mask) +{ + uint64_t out_0 = out[0U]; + uint64_t out_1 = out[1U]; + uint64_t out_2 = out[2U]; + uint64_t out_3 = out[3U]; + uint64_t x_0 = x[0U]; + uint64_t x_1 = x[1U]; + uint64_t x_2 = x[2U]; + uint64_t x_3 = x[3U]; + uint64_t r_0 = out_0 ^ (mask & (out_0 ^ x_0)); + uint64_t r_1 = out_1 ^ (mask & (out_1 ^ x_1)); + uint64_t r_2 = out_2 ^ (mask & (out_2 ^ x_2)); + uint64_t r_3 = out_3 ^ (mask & (out_3 ^ x_3)); + out[0U] = r_0; + out[1U] = r_1; + out[2U] = r_2; + out[3U] = r_3; +} + +static uint64_t add4(uint64_t *x, uint64_t *y, uint64_t *result) +{ + uint64_t *r0 = result; + uint64_t *r1 = result + (uint32_t)1U; + uint64_t *r2 = result + (uint32_t)2U; + uint64_t *r3 = result + (uint32_t)3U; + uint64_t cc0 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, x[0U], y[0U], r0); + uint64_t cc1 = 
Lib_IntTypes_Intrinsics_add_carry_u64(cc0, x[1U], y[1U], r1); + uint64_t cc2 = Lib_IntTypes_Intrinsics_add_carry_u64(cc1, x[2U], y[2U], r2); + uint64_t cc3 = Lib_IntTypes_Intrinsics_add_carry_u64(cc2, x[3U], y[3U], r3); + return cc3; +} + +static uint64_t add4_with_carry(uint64_t c, uint64_t *x, uint64_t *y, uint64_t *result) +{ + uint64_t *r0 = result; + uint64_t *r1 = result + (uint32_t)1U; + uint64_t *r2 = result + (uint32_t)2U; + uint64_t *r3 = result + (uint32_t)3U; + uint64_t cc = Lib_IntTypes_Intrinsics_add_carry_u64(c, x[0U], y[0U], r0); + uint64_t cc1 = Lib_IntTypes_Intrinsics_add_carry_u64(cc, x[1U], y[1U], r1); + uint64_t cc2 = Lib_IntTypes_Intrinsics_add_carry_u64(cc1, x[2U], y[2U], r2); + uint64_t cc3 = Lib_IntTypes_Intrinsics_add_carry_u64(cc2, x[3U], y[3U], r3); + return cc3; +} + +static uint64_t add8(uint64_t *x, uint64_t *y, uint64_t *result) +{ + uint64_t *a0 = x; + uint64_t *a1 = x + (uint32_t)4U; + uint64_t *b0 = y; + uint64_t *b1 = y + (uint32_t)4U; + uint64_t *c0 = result; + uint64_t *c1 = result + (uint32_t)4U; + uint64_t carry0 = add4(a0, b0, c0); + uint64_t carry1 = add4_with_carry(carry0, a1, b1, c1); + return carry1; +} + +static uint64_t +add4_variables( + uint64_t *x, + uint64_t cin, + uint64_t y0, + uint64_t y1, + uint64_t y2, + uint64_t y3, + uint64_t *result +) +{ + uint64_t *r0 = result; + uint64_t *r1 = result + (uint32_t)1U; + uint64_t *r2 = result + (uint32_t)2U; + uint64_t *r3 = result + (uint32_t)3U; + uint64_t cc = Lib_IntTypes_Intrinsics_add_carry_u64(cin, x[0U], y0, r0); + uint64_t cc1 = Lib_IntTypes_Intrinsics_add_carry_u64(cc, x[1U], y1, r1); + uint64_t cc2 = Lib_IntTypes_Intrinsics_add_carry_u64(cc1, x[2U], y2, r2); + uint64_t cc3 = Lib_IntTypes_Intrinsics_add_carry_u64(cc2, x[3U], y3, r3); + return cc3; +} + +static uint64_t sub4_il(uint64_t *x, const uint64_t *y, uint64_t *result) +{ + uint64_t *r0 = result; + uint64_t *r1 = result + (uint32_t)1U; + uint64_t *r2 = result + (uint32_t)2U; + uint64_t *r3 = result + 
(uint32_t)3U; + uint64_t cc = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, x[0U], y[0U], r0); + uint64_t cc1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(cc, x[1U], y[1U], r1); + uint64_t cc2 = Lib_IntTypes_Intrinsics_sub_borrow_u64(cc1, x[2U], y[2U], r2); + uint64_t cc3 = Lib_IntTypes_Intrinsics_sub_borrow_u64(cc2, x[3U], y[3U], r3); + return cc3; +} + +static uint64_t sub4(uint64_t *x, uint64_t *y, uint64_t *result) +{ + uint64_t *r0 = result; + uint64_t *r1 = result + (uint32_t)1U; + uint64_t *r2 = result + (uint32_t)2U; + uint64_t *r3 = result + (uint32_t)3U; + uint64_t cc = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, x[0U], y[0U], r0); + uint64_t cc1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(cc, x[1U], y[1U], r1); + uint64_t cc2 = Lib_IntTypes_Intrinsics_sub_borrow_u64(cc1, x[2U], y[2U], r2); + uint64_t cc3 = Lib_IntTypes_Intrinsics_sub_borrow_u64(cc2, x[3U], y[3U], r3); + return cc3; +} + +static void mul64(uint64_t x, uint64_t y, uint64_t *result, uint64_t *temp) +{ + FStar_UInt128_uint128 res = FStar_UInt128_mul_wide(x, y); + uint64_t l0 = FStar_UInt128_uint128_to_uint64(res); + uint64_t h0 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U)); + result[0U] = l0; + temp[0U] = h0; +} + +static void sq(uint64_t *f, uint64_t *out) +{ + uint64_t wb[17U] = { 0U }; + uint64_t *tb = wb; + uint64_t *memory = wb + (uint32_t)5U; + uint64_t *b0 = out; + uint64_t f01 = f[0U]; + uint64_t f310 = f[3U]; + uint64_t *o30 = b0 + (uint32_t)3U; + uint64_t *temp1 = tb; + uint64_t f02 = f[0U]; + uint64_t f12 = f[1U]; + uint64_t f22 = f[2U]; + uint64_t *o01 = b0; + uint64_t *o10 = b0 + (uint32_t)1U; + uint64_t *o20 = b0 + (uint32_t)2U; + mul64(f02, f02, o01, temp1); + uint64_t h_00 = temp1[0U]; + mul64(f02, f12, o10, temp1); + uint64_t l0 = o10[0U]; + memory[0U] = l0; + memory[1U] = temp1[0U]; + uint64_t c1 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l0, h_00, o10); + uint64_t h_10 = temp1[0U]; + mul64(f02, f22, o20, temp1); + 
uint64_t l10 = o20[0U]; + memory[2U] = l10; + memory[3U] = temp1[0U]; + uint64_t c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c1, l10, h_10, o20); + uint64_t h_20 = temp1[0U]; + mul64(f01, f310, o30, temp1); + uint64_t l3 = o30[0U]; + memory[4U] = l3; + memory[5U] = temp1[0U]; + uint64_t c3 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, l3, h_20, o30); + uint64_t temp0 = temp1[0U]; + uint64_t c0 = c3 + temp0; + out[4U] = c0; + uint64_t *b1 = out + (uint32_t)1U; + uint64_t *temp2 = tb; + uint64_t *tempBufferResult0 = tb + (uint32_t)1U; + uint64_t f11 = f[1U]; + uint64_t f210 = f[2U]; + uint64_t f311 = f[3U]; + uint64_t *o00 = tempBufferResult0; + uint64_t *o11 = tempBufferResult0 + (uint32_t)1U; + uint64_t *o21 = tempBufferResult0 + (uint32_t)2U; + uint64_t *o31 = tempBufferResult0 + (uint32_t)3U; + o00[0U] = memory[0U]; + uint64_t h_01 = memory[1U]; + mul64(f11, f11, o11, temp2); + uint64_t l4 = o11[0U]; + uint64_t c10 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l4, h_01, o11); + uint64_t h_11 = temp2[0U]; + mul64(f11, f210, o21, temp2); + uint64_t l11 = o21[0U]; + memory[6U] = l11; + memory[7U] = temp2[0U]; + uint64_t c20 = Lib_IntTypes_Intrinsics_add_carry_u64(c10, l11, h_11, o21); + uint64_t h_21 = temp2[0U]; + mul64(f11, f311, o31, temp2); + uint64_t l20 = o31[0U]; + memory[8U] = l20; + memory[9U] = temp2[0U]; + uint64_t c30 = Lib_IntTypes_Intrinsics_add_carry_u64(c20, l20, h_21, o31); + uint64_t h_30 = temp2[0U]; + uint64_t c40 = add4(tempBufferResult0, b1, b1); + uint64_t c11 = c30 + h_30 + c40; + out[5U] = c11; + uint64_t *b2 = out + (uint32_t)2U; + uint64_t *temp3 = tb; + uint64_t *tempBufferResult1 = tb + (uint32_t)1U; + uint64_t f21 = f[2U]; + uint64_t f312 = f[3U]; + uint64_t *o02 = tempBufferResult1; + uint64_t *o12 = tempBufferResult1 + (uint32_t)1U; + uint64_t *o22 = tempBufferResult1 + (uint32_t)2U; + uint64_t *o32 = tempBufferResult1 + (uint32_t)3U; + o02[0U] = memory[2U]; + uint64_t h_0 = memory[3U]; + o12[0U] = memory[6U]; + uint64_t l5 = 
o12[0U]; + uint64_t c110 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l5, h_0, o12); + uint64_t h_1 = memory[7U]; + mul64(f21, f21, o22, temp3); + uint64_t l12 = o22[0U]; + uint64_t c21 = Lib_IntTypes_Intrinsics_add_carry_u64(c110, l12, h_1, o22); + uint64_t h_2 = temp3[0U]; + mul64(f21, f312, o32, temp3); + uint64_t l21 = o32[0U]; + memory[10U] = l21; + memory[11U] = temp3[0U]; + uint64_t c31 = Lib_IntTypes_Intrinsics_add_carry_u64(c21, l21, h_2, o32); + uint64_t h_31 = temp3[0U]; + uint64_t c41 = add4(tempBufferResult1, b2, b2); + uint64_t c22 = c31 + h_31 + c41; + out[6U] = c22; + uint64_t *b3 = out + (uint32_t)3U; + uint64_t *temp = tb; + uint64_t *tempBufferResult = tb + (uint32_t)1U; + uint64_t f31 = f[3U]; + uint64_t *o0 = tempBufferResult; + uint64_t *o1 = tempBufferResult + (uint32_t)1U; + uint64_t *o2 = tempBufferResult + (uint32_t)2U; + uint64_t *o3 = tempBufferResult + (uint32_t)3U; + o0[0U] = memory[4U]; + uint64_t h = memory[5U]; + o1[0U] = memory[8U]; + uint64_t l = o1[0U]; + uint64_t c111 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l, h, o1); + uint64_t h4 = memory[9U]; + o2[0U] = memory[10U]; + uint64_t l1 = o2[0U]; + uint64_t c210 = Lib_IntTypes_Intrinsics_add_carry_u64(c111, l1, h4, o2); + uint64_t h5 = memory[11U]; + mul64(f31, f31, o3, temp); + uint64_t l2 = o3[0U]; + uint64_t c32 = Lib_IntTypes_Intrinsics_add_carry_u64(c210, l2, h5, o3); + uint64_t h_3 = temp[0U]; + uint64_t c4 = add4(tempBufferResult, b3, b3); + uint64_t c33 = c32 + h_3 + c4; + out[7U] = c33; +} + +static void cmovznz4(uint64_t cin, uint64_t *x, uint64_t *y, uint64_t *r) +{ + uint64_t mask = ~FStar_UInt64_eq_mask(cin, (uint64_t)0U); + uint64_t r0 = (y[0U] & mask) | (x[0U] & ~mask); + uint64_t r1 = (y[1U] & mask) | (x[1U] & ~mask); + uint64_t r2 = (y[2U] & mask) | (x[2U] & ~mask); + uint64_t r3 = (y[3U] & mask) | (x[3U] & ~mask); + r[0U] = r0; + r[1U] = r1; + r[2U] = r2; + r[3U] = r3; +} + +static void shift_256_impl(uint64_t *i, uint64_t *o) +{ + o[0U] = 
(uint64_t)0U; + o[1U] = (uint64_t)0U; + o[2U] = (uint64_t)0U; + o[3U] = (uint64_t)0U; + o[4U] = i[0U]; + o[5U] = i[1U]; + o[6U] = i[2U]; + o[7U] = i[3U]; +} + +static void shift8(uint64_t *t, uint64_t *out) +{ + uint64_t t1 = t[1U]; + uint64_t t2 = t[2U]; + uint64_t t3 = t[3U]; + uint64_t t4 = t[4U]; + uint64_t t5 = t[5U]; + uint64_t t6 = t[6U]; + uint64_t t7 = t[7U]; + out[0U] = t1; + out[1U] = t2; + out[2U] = t3; + out[3U] = t4; + out[4U] = t5; + out[5U] = t6; + out[6U] = t7; + out[7U] = (uint64_t)0U; +} + +static void uploadZeroImpl(uint64_t *f) +{ + f[0U] = (uint64_t)0U; + f[1U] = (uint64_t)0U; + f[2U] = (uint64_t)0U; + f[3U] = (uint64_t)0U; +} + +static void uploadOneImpl(uint64_t *f) +{ + f[0U] = (uint64_t)1U; + f[1U] = (uint64_t)0U; + f[2U] = (uint64_t)0U; + f[3U] = (uint64_t)0U; +} + +void Hacl_Impl_P256_LowLevel_toUint8(uint64_t *i, uint8_t *o) +{ + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + store64_be(o + i0 * (uint32_t)8U, i[i0]); + } +} + +void Hacl_Impl_P256_LowLevel_changeEndian(uint64_t *i) +{ + uint64_t zero = i[0U]; + uint64_t one = i[1U]; + uint64_t two = i[2U]; + uint64_t three = i[3U]; + i[0U] = three; + i[1U] = two; + i[2U] = one; + i[3U] = zero; +} + +void Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(uint8_t *i, uint64_t *o) +{ + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + uint64_t *os = o; + uint8_t *bj = i + i0 * (uint32_t)8U; + uint64_t u = load64_be(bj); + uint64_t r = u; + uint64_t x = r; + os[i0] = x; + } + Hacl_Impl_P256_LowLevel_changeEndian(o); +} + +static const +uint64_t +prime256_buffer[4U] = + { + (uint64_t)0xffffffffffffffffU, + (uint64_t)0xffffffffU, + (uint64_t)0U, + (uint64_t)0xffffffff00000001U + }; + +static void reduction_prime_2prime_impl(uint64_t *x, uint64_t *result) +{ + uint64_t tempBuffer[4U] = { 0U }; + uint64_t c = sub4_il(x, prime256_buffer, tempBuffer); + cmovznz4(c, tempBuffer, x, result); +} + +static void p256_add(uint64_t *arg1, uint64_t *arg2, uint64_t *out) +{ + 
uint64_t t = add4(arg1, arg2, out); + uint64_t tempBuffer[4U] = { 0U }; + uint64_t tempBufferForSubborrow = (uint64_t)0U; + uint64_t c = sub4_il(out, prime256_buffer, tempBuffer); + uint64_t + carry = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t, (uint64_t)0U, &tempBufferForSubborrow); + cmovznz4(carry, tempBuffer, out, out); +} + +static void p256_double(uint64_t *arg1, uint64_t *out) +{ + uint64_t t = add4(arg1, arg1, out); + uint64_t tempBuffer[4U] = { 0U }; + uint64_t tempBufferForSubborrow = (uint64_t)0U; + uint64_t c = sub4_il(out, prime256_buffer, tempBuffer); + uint64_t + carry = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t, (uint64_t)0U, &tempBufferForSubborrow); + cmovznz4(carry, tempBuffer, out, out); +} + +static void p256_sub(uint64_t *arg1, uint64_t *arg2, uint64_t *out) +{ + uint64_t t = sub4(arg1, arg2, out); + uint64_t t0 = (uint64_t)0U - t; + uint64_t t1 = ((uint64_t)0U - t) >> (uint32_t)32U; + uint64_t t2 = (uint64_t)0U; + uint64_t t3 = t - (t << (uint32_t)32U); + uint64_t c = add4_variables(out, (uint64_t)0U, t0, t1, t2, t3, out); +} + +static void montgomery_multiplication_buffer_by_one(uint64_t *a, uint64_t *result) +{ + uint64_t t[8U] = { 0U }; + uint64_t *t_low = t; + uint64_t round2[8U] = { 0U }; + uint64_t round4[8U] = { 0U }; + memcpy(t_low, a, (uint32_t)4U * sizeof (uint64_t)); + uint64_t tempRound[8U] = { 0U }; + uint64_t t20[8U] = { 0U }; + uint64_t t30[8U] = { 0U }; + uint64_t t10 = t[0U]; + uint64_t *result040 = t20; + uint64_t temp1 = (uint64_t)0U; + uint64_t f10 = prime256_buffer[1U]; + uint64_t f20 = prime256_buffer[2U]; + uint64_t f30 = prime256_buffer[3U]; + uint64_t *o00 = result040; + uint64_t *o10 = result040 + (uint32_t)1U; + uint64_t *o20 = result040 + (uint32_t)2U; + uint64_t *o30 = result040 + (uint32_t)3U; + uint64_t f010 = prime256_buffer[0U]; + mul64(f010, t10, o00, &temp1); + uint64_t h0 = temp1; + mul64(f10, t10, o10, &temp1); + uint64_t l0 = o10[0U]; + uint64_t c1 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, 
l0, h0, o10); + uint64_t h1 = temp1; + mul64(f20, t10, o20, &temp1); + uint64_t l1 = o20[0U]; + uint64_t c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c1, l1, h1, o20); + uint64_t h2 = temp1; + mul64(f30, t10, o30, &temp1); + uint64_t l2 = o30[0U]; + uint64_t c3 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, l2, h2, o30); + uint64_t temp00 = temp1; + uint64_t c0 = c3 + temp00; + t20[4U] = c0; + uint64_t uu____0 = add8(t, t20, t30); + shift8(t30, tempRound); + uint64_t t21[8U] = { 0U }; + uint64_t t31[8U] = { 0U }; + uint64_t t11 = tempRound[0U]; + uint64_t *result041 = t21; + uint64_t temp2 = (uint64_t)0U; + uint64_t f11 = prime256_buffer[1U]; + uint64_t f21 = prime256_buffer[2U]; + uint64_t f31 = prime256_buffer[3U]; + uint64_t *o01 = result041; + uint64_t *o11 = result041 + (uint32_t)1U; + uint64_t *o21 = result041 + (uint32_t)2U; + uint64_t *o31 = result041 + (uint32_t)3U; + uint64_t f011 = prime256_buffer[0U]; + mul64(f011, t11, o01, &temp2); + uint64_t h3 = temp2; + mul64(f11, t11, o11, &temp2); + uint64_t l3 = o11[0U]; + uint64_t c10 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l3, h3, o11); + uint64_t h4 = temp2; + mul64(f21, t11, o21, &temp2); + uint64_t l4 = o21[0U]; + uint64_t c20 = Lib_IntTypes_Intrinsics_add_carry_u64(c10, l4, h4, o21); + uint64_t h5 = temp2; + mul64(f31, t11, o31, &temp2); + uint64_t l5 = o31[0U]; + uint64_t c30 = Lib_IntTypes_Intrinsics_add_carry_u64(c20, l5, h5, o31); + uint64_t temp01 = temp2; + uint64_t c4 = c30 + temp01; + t21[4U] = c4; + uint64_t uu____1 = add8(tempRound, t21, t31); + shift8(t31, round2); + uint64_t tempRound0[8U] = { 0U }; + uint64_t t2[8U] = { 0U }; + uint64_t t32[8U] = { 0U }; + uint64_t t12 = round2[0U]; + uint64_t *result042 = t2; + uint64_t temp3 = (uint64_t)0U; + uint64_t f12 = prime256_buffer[1U]; + uint64_t f22 = prime256_buffer[2U]; + uint64_t f32 = prime256_buffer[3U]; + uint64_t *o02 = result042; + uint64_t *o12 = result042 + (uint32_t)1U; + uint64_t *o22 = result042 + (uint32_t)2U; + uint64_t *o32 
= result042 + (uint32_t)3U; + uint64_t f012 = prime256_buffer[0U]; + mul64(f012, t12, o02, &temp3); + uint64_t h6 = temp3; + mul64(f12, t12, o12, &temp3); + uint64_t l6 = o12[0U]; + uint64_t c11 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l6, h6, o12); + uint64_t h7 = temp3; + mul64(f22, t12, o22, &temp3); + uint64_t l7 = o22[0U]; + uint64_t c21 = Lib_IntTypes_Intrinsics_add_carry_u64(c11, l7, h7, o22); + uint64_t h8 = temp3; + mul64(f32, t12, o32, &temp3); + uint64_t l8 = o32[0U]; + uint64_t c31 = Lib_IntTypes_Intrinsics_add_carry_u64(c21, l8, h8, o32); + uint64_t temp02 = temp3; + uint64_t c5 = c31 + temp02; + t2[4U] = c5; + uint64_t uu____2 = add8(round2, t2, t32); + shift8(t32, tempRound0); + uint64_t t22[8U] = { 0U }; + uint64_t t3[8U] = { 0U }; + uint64_t t1 = tempRound0[0U]; + uint64_t *result04 = t22; + uint64_t temp = (uint64_t)0U; + uint64_t f1 = prime256_buffer[1U]; + uint64_t f2 = prime256_buffer[2U]; + uint64_t f3 = prime256_buffer[3U]; + uint64_t *o0 = result04; + uint64_t *o1 = result04 + (uint32_t)1U; + uint64_t *o2 = result04 + (uint32_t)2U; + uint64_t *o3 = result04 + (uint32_t)3U; + uint64_t f01 = prime256_buffer[0U]; + mul64(f01, t1, o0, &temp); + uint64_t h9 = temp; + mul64(f1, t1, o1, &temp); + uint64_t l9 = o1[0U]; + uint64_t c12 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l9, h9, o1); + uint64_t h10 = temp; + mul64(f2, t1, o2, &temp); + uint64_t l10 = o2[0U]; + uint64_t c22 = Lib_IntTypes_Intrinsics_add_carry_u64(c12, l10, h10, o2); + uint64_t h = temp; + mul64(f3, t1, o3, &temp); + uint64_t l = o3[0U]; + uint64_t c32 = Lib_IntTypes_Intrinsics_add_carry_u64(c22, l, h, o3); + uint64_t temp0 = temp; + uint64_t c6 = c32 + temp0; + t22[4U] = c6; + uint64_t uu____3 = add8(tempRound0, t22, t3); + shift8(t3, round4); + uint64_t tempBuffer[4U] = { 0U }; + uint64_t tempBufferForSubborrow = (uint64_t)0U; + uint64_t cin = round4[4U]; + uint64_t *x_ = round4; + uint64_t c = sub4_il(x_, prime256_buffer, tempBuffer); + uint64_t + carry 
= Lib_IntTypes_Intrinsics_sub_borrow_u64(c, cin, (uint64_t)0U, &tempBufferForSubborrow); + cmovznz4(carry, tempBuffer, x_, result); +} + +static void montgomery_multiplication_buffer(uint64_t *a, uint64_t *b, uint64_t *result) +{ + uint64_t t[8U] = { 0U }; + uint64_t round2[8U] = { 0U }; + uint64_t round4[8U] = { 0U }; + uint64_t f0 = a[0U]; + uint64_t f10 = a[1U]; + uint64_t f20 = a[2U]; + uint64_t f30 = a[3U]; + uint64_t *b0 = t; + uint64_t temp2 = (uint64_t)0U; + uint64_t f110 = b[1U]; + uint64_t f210 = b[2U]; + uint64_t f310 = b[3U]; + uint64_t *o00 = b0; + uint64_t *o10 = b0 + (uint32_t)1U; + uint64_t *o20 = b0 + (uint32_t)2U; + uint64_t *o30 = b0 + (uint32_t)3U; + uint64_t f020 = b[0U]; + mul64(f020, f0, o00, &temp2); + uint64_t h0 = temp2; + mul64(f110, f0, o10, &temp2); + uint64_t l0 = o10[0U]; + uint64_t c1 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l0, h0, o10); + uint64_t h1 = temp2; + mul64(f210, f0, o20, &temp2); + uint64_t l1 = o20[0U]; + uint64_t c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c1, l1, h1, o20); + uint64_t h2 = temp2; + mul64(f310, f0, o30, &temp2); + uint64_t l2 = o30[0U]; + uint64_t c30 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, l2, h2, o30); + uint64_t temp00 = temp2; + uint64_t c0 = c30 + temp00; + t[4U] = c0; + uint64_t *b1 = t + (uint32_t)1U; + uint64_t temp3[4U] = { 0U }; + uint64_t temp10 = (uint64_t)0U; + uint64_t f111 = b[1U]; + uint64_t f211 = b[2U]; + uint64_t f311 = b[3U]; + uint64_t *o01 = temp3; + uint64_t *o11 = temp3 + (uint32_t)1U; + uint64_t *o21 = temp3 + (uint32_t)2U; + uint64_t *o31 = temp3 + (uint32_t)3U; + uint64_t f021 = b[0U]; + mul64(f021, f10, o01, &temp10); + uint64_t h3 = temp10; + mul64(f111, f10, o11, &temp10); + uint64_t l3 = o11[0U]; + uint64_t c10 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l3, h3, o11); + uint64_t h4 = temp10; + mul64(f211, f10, o21, &temp10); + uint64_t l4 = o21[0U]; + uint64_t c20 = Lib_IntTypes_Intrinsics_add_carry_u64(c10, l4, h4, o21); + uint64_t h5 = temp10; + 
mul64(f311, f10, o31, &temp10); + uint64_t l5 = o31[0U]; + uint64_t c31 = Lib_IntTypes_Intrinsics_add_carry_u64(c20, l5, h5, o31); + uint64_t temp01 = temp10; + uint64_t c4 = c31 + temp01; + uint64_t c32 = add4(temp3, b1, b1); + uint64_t c11 = c4 + c32; + t[5U] = c11; + uint64_t *b2 = t + (uint32_t)2U; + uint64_t temp4[4U] = { 0U }; + uint64_t temp11 = (uint64_t)0U; + uint64_t f112 = b[1U]; + uint64_t f212 = b[2U]; + uint64_t f312 = b[3U]; + uint64_t *o02 = temp4; + uint64_t *o12 = temp4 + (uint32_t)1U; + uint64_t *o22 = temp4 + (uint32_t)2U; + uint64_t *o32 = temp4 + (uint32_t)3U; + uint64_t f022 = b[0U]; + mul64(f022, f20, o02, &temp11); + uint64_t h6 = temp11; + mul64(f112, f20, o12, &temp11); + uint64_t l6 = o12[0U]; + uint64_t c110 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l6, h6, o12); + uint64_t h7 = temp11; + mul64(f212, f20, o22, &temp11); + uint64_t l7 = o22[0U]; + uint64_t c21 = Lib_IntTypes_Intrinsics_add_carry_u64(c110, l7, h7, o22); + uint64_t h8 = temp11; + mul64(f312, f20, o32, &temp11); + uint64_t l8 = o32[0U]; + uint64_t c33 = Lib_IntTypes_Intrinsics_add_carry_u64(c21, l8, h8, o32); + uint64_t temp02 = temp11; + uint64_t c5 = c33 + temp02; + uint64_t c34 = add4(temp4, b2, b2); + uint64_t c22 = c5 + c34; + t[6U] = c22; + uint64_t *b3 = t + (uint32_t)3U; + uint64_t temp5[4U] = { 0U }; + uint64_t temp1 = (uint64_t)0U; + uint64_t f11 = b[1U]; + uint64_t f21 = b[2U]; + uint64_t f31 = b[3U]; + uint64_t *o03 = temp5; + uint64_t *o13 = temp5 + (uint32_t)1U; + uint64_t *o23 = temp5 + (uint32_t)2U; + uint64_t *o33 = temp5 + (uint32_t)3U; + uint64_t f02 = b[0U]; + mul64(f02, f30, o03, &temp1); + uint64_t h9 = temp1; + mul64(f11, f30, o13, &temp1); + uint64_t l9 = o13[0U]; + uint64_t c111 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l9, h9, o13); + uint64_t h10 = temp1; + mul64(f21, f30, o23, &temp1); + uint64_t l10 = o23[0U]; + uint64_t c210 = Lib_IntTypes_Intrinsics_add_carry_u64(c111, l10, h10, o23); + uint64_t h11 = temp1; + 
mul64(f31, f30, o33, &temp1); + uint64_t l11 = o33[0U]; + uint64_t c35 = Lib_IntTypes_Intrinsics_add_carry_u64(c210, l11, h11, o33); + uint64_t temp03 = temp1; + uint64_t c6 = c35 + temp03; + uint64_t c3 = add4(temp5, b3, b3); + uint64_t c36 = c6 + c3; + t[7U] = c36; + uint64_t tempRound[8U] = { 0U }; + uint64_t t20[8U] = { 0U }; + uint64_t t30[8U] = { 0U }; + uint64_t t10 = t[0U]; + uint64_t *result040 = t20; + uint64_t temp6 = (uint64_t)0U; + uint64_t f12 = prime256_buffer[1U]; + uint64_t f22 = prime256_buffer[2U]; + uint64_t f32 = prime256_buffer[3U]; + uint64_t *o04 = result040; + uint64_t *o14 = result040 + (uint32_t)1U; + uint64_t *o24 = result040 + (uint32_t)2U; + uint64_t *o34 = result040 + (uint32_t)3U; + uint64_t f010 = prime256_buffer[0U]; + mul64(f010, t10, o04, &temp6); + uint64_t h12 = temp6; + mul64(f12, t10, o14, &temp6); + uint64_t l12 = o14[0U]; + uint64_t c12 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l12, h12, o14); + uint64_t h13 = temp6; + mul64(f22, t10, o24, &temp6); + uint64_t l13 = o24[0U]; + uint64_t c23 = Lib_IntTypes_Intrinsics_add_carry_u64(c12, l13, h13, o24); + uint64_t h14 = temp6; + mul64(f32, t10, o34, &temp6); + uint64_t l14 = o34[0U]; + uint64_t c37 = Lib_IntTypes_Intrinsics_add_carry_u64(c23, l14, h14, o34); + uint64_t temp04 = temp6; + uint64_t c7 = c37 + temp04; + t20[4U] = c7; + uint64_t uu____0 = add8(t, t20, t30); + shift8(t30, tempRound); + uint64_t t21[8U] = { 0U }; + uint64_t t31[8U] = { 0U }; + uint64_t t11 = tempRound[0U]; + uint64_t *result041 = t21; + uint64_t temp7 = (uint64_t)0U; + uint64_t f13 = prime256_buffer[1U]; + uint64_t f23 = prime256_buffer[2U]; + uint64_t f33 = prime256_buffer[3U]; + uint64_t *o05 = result041; + uint64_t *o15 = result041 + (uint32_t)1U; + uint64_t *o25 = result041 + (uint32_t)2U; + uint64_t *o35 = result041 + (uint32_t)3U; + uint64_t f011 = prime256_buffer[0U]; + mul64(f011, t11, o05, &temp7); + uint64_t h15 = temp7; + mul64(f13, t11, o15, &temp7); + uint64_t l15 = o15[0U]; + 
uint64_t c13 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l15, h15, o15); + uint64_t h16 = temp7; + mul64(f23, t11, o25, &temp7); + uint64_t l16 = o25[0U]; + uint64_t c24 = Lib_IntTypes_Intrinsics_add_carry_u64(c13, l16, h16, o25); + uint64_t h17 = temp7; + mul64(f33, t11, o35, &temp7); + uint64_t l17 = o35[0U]; + uint64_t c38 = Lib_IntTypes_Intrinsics_add_carry_u64(c24, l17, h17, o35); + uint64_t temp05 = temp7; + uint64_t c8 = c38 + temp05; + t21[4U] = c8; + uint64_t uu____1 = add8(tempRound, t21, t31); + shift8(t31, round2); + uint64_t tempRound0[8U] = { 0U }; + uint64_t t2[8U] = { 0U }; + uint64_t t32[8U] = { 0U }; + uint64_t t12 = round2[0U]; + uint64_t *result042 = t2; + uint64_t temp8 = (uint64_t)0U; + uint64_t f14 = prime256_buffer[1U]; + uint64_t f24 = prime256_buffer[2U]; + uint64_t f34 = prime256_buffer[3U]; + uint64_t *o06 = result042; + uint64_t *o16 = result042 + (uint32_t)1U; + uint64_t *o26 = result042 + (uint32_t)2U; + uint64_t *o36 = result042 + (uint32_t)3U; + uint64_t f012 = prime256_buffer[0U]; + mul64(f012, t12, o06, &temp8); + uint64_t h18 = temp8; + mul64(f14, t12, o16, &temp8); + uint64_t l18 = o16[0U]; + uint64_t c14 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l18, h18, o16); + uint64_t h19 = temp8; + mul64(f24, t12, o26, &temp8); + uint64_t l19 = o26[0U]; + uint64_t c25 = Lib_IntTypes_Intrinsics_add_carry_u64(c14, l19, h19, o26); + uint64_t h20 = temp8; + mul64(f34, t12, o36, &temp8); + uint64_t l20 = o36[0U]; + uint64_t c39 = Lib_IntTypes_Intrinsics_add_carry_u64(c25, l20, h20, o36); + uint64_t temp06 = temp8; + uint64_t c9 = c39 + temp06; + t2[4U] = c9; + uint64_t uu____2 = add8(round2, t2, t32); + shift8(t32, tempRound0); + uint64_t t22[8U] = { 0U }; + uint64_t t3[8U] = { 0U }; + uint64_t t1 = tempRound0[0U]; + uint64_t *result04 = t22; + uint64_t temp = (uint64_t)0U; + uint64_t f1 = prime256_buffer[1U]; + uint64_t f2 = prime256_buffer[2U]; + uint64_t f3 = prime256_buffer[3U]; + uint64_t *o0 = result04; + uint64_t 
*o1 = result04 + (uint32_t)1U; + uint64_t *o2 = result04 + (uint32_t)2U; + uint64_t *o3 = result04 + (uint32_t)3U; + uint64_t f01 = prime256_buffer[0U]; + mul64(f01, t1, o0, &temp); + uint64_t h21 = temp; + mul64(f1, t1, o1, &temp); + uint64_t l21 = o1[0U]; + uint64_t c15 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l21, h21, o1); + uint64_t h22 = temp; + mul64(f2, t1, o2, &temp); + uint64_t l22 = o2[0U]; + uint64_t c26 = Lib_IntTypes_Intrinsics_add_carry_u64(c15, l22, h22, o2); + uint64_t h = temp; + mul64(f3, t1, o3, &temp); + uint64_t l = o3[0U]; + uint64_t c310 = Lib_IntTypes_Intrinsics_add_carry_u64(c26, l, h, o3); + uint64_t temp0 = temp; + uint64_t c16 = c310 + temp0; + t22[4U] = c16; + uint64_t uu____3 = add8(tempRound0, t22, t3); + shift8(t3, round4); + uint64_t tempBuffer[4U] = { 0U }; + uint64_t tempBufferForSubborrow = (uint64_t)0U; + uint64_t cin = round4[4U]; + uint64_t *x_ = round4; + uint64_t c = sub4_il(x_, prime256_buffer, tempBuffer); + uint64_t + carry = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, cin, (uint64_t)0U, &tempBufferForSubborrow); + cmovznz4(carry, tempBuffer, x_, result); +} + +static void montgomery_square_buffer(uint64_t *a, uint64_t *result) +{ + uint64_t t[8U] = { 0U }; + uint64_t round2[8U] = { 0U }; + uint64_t round4[8U] = { 0U }; + sq(a, t); + uint64_t tempRound[8U] = { 0U }; + uint64_t t20[8U] = { 0U }; + uint64_t t30[8U] = { 0U }; + uint64_t t10 = t[0U]; + uint64_t *result040 = t20; + uint64_t temp1 = (uint64_t)0U; + uint64_t f10 = prime256_buffer[1U]; + uint64_t f20 = prime256_buffer[2U]; + uint64_t f30 = prime256_buffer[3U]; + uint64_t *o00 = result040; + uint64_t *o10 = result040 + (uint32_t)1U; + uint64_t *o20 = result040 + (uint32_t)2U; + uint64_t *o30 = result040 + (uint32_t)3U; + uint64_t f010 = prime256_buffer[0U]; + mul64(f010, t10, o00, &temp1); + uint64_t h0 = temp1; + mul64(f10, t10, o10, &temp1); + uint64_t l0 = o10[0U]; + uint64_t c1 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l0, h0, o10); + 
uint64_t h1 = temp1; + mul64(f20, t10, o20, &temp1); + uint64_t l1 = o20[0U]; + uint64_t c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c1, l1, h1, o20); + uint64_t h2 = temp1; + mul64(f30, t10, o30, &temp1); + uint64_t l2 = o30[0U]; + uint64_t c3 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, l2, h2, o30); + uint64_t temp00 = temp1; + uint64_t c0 = c3 + temp00; + t20[4U] = c0; + uint64_t uu____0 = add8(t, t20, t30); + shift8(t30, tempRound); + uint64_t t21[8U] = { 0U }; + uint64_t t31[8U] = { 0U }; + uint64_t t11 = tempRound[0U]; + uint64_t *result041 = t21; + uint64_t temp2 = (uint64_t)0U; + uint64_t f11 = prime256_buffer[1U]; + uint64_t f21 = prime256_buffer[2U]; + uint64_t f31 = prime256_buffer[3U]; + uint64_t *o01 = result041; + uint64_t *o11 = result041 + (uint32_t)1U; + uint64_t *o21 = result041 + (uint32_t)2U; + uint64_t *o31 = result041 + (uint32_t)3U; + uint64_t f011 = prime256_buffer[0U]; + mul64(f011, t11, o01, &temp2); + uint64_t h3 = temp2; + mul64(f11, t11, o11, &temp2); + uint64_t l3 = o11[0U]; + uint64_t c10 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l3, h3, o11); + uint64_t h4 = temp2; + mul64(f21, t11, o21, &temp2); + uint64_t l4 = o21[0U]; + uint64_t c20 = Lib_IntTypes_Intrinsics_add_carry_u64(c10, l4, h4, o21); + uint64_t h5 = temp2; + mul64(f31, t11, o31, &temp2); + uint64_t l5 = o31[0U]; + uint64_t c30 = Lib_IntTypes_Intrinsics_add_carry_u64(c20, l5, h5, o31); + uint64_t temp01 = temp2; + uint64_t c4 = c30 + temp01; + t21[4U] = c4; + uint64_t uu____1 = add8(tempRound, t21, t31); + shift8(t31, round2); + uint64_t tempRound0[8U] = { 0U }; + uint64_t t2[8U] = { 0U }; + uint64_t t32[8U] = { 0U }; + uint64_t t12 = round2[0U]; + uint64_t *result042 = t2; + uint64_t temp3 = (uint64_t)0U; + uint64_t f12 = prime256_buffer[1U]; + uint64_t f22 = prime256_buffer[2U]; + uint64_t f32 = prime256_buffer[3U]; + uint64_t *o02 = result042; + uint64_t *o12 = result042 + (uint32_t)1U; + uint64_t *o22 = result042 + (uint32_t)2U; + uint64_t *o32 = result042 + 
(uint32_t)3U; + uint64_t f012 = prime256_buffer[0U]; + mul64(f012, t12, o02, &temp3); + uint64_t h6 = temp3; + mul64(f12, t12, o12, &temp3); + uint64_t l6 = o12[0U]; + uint64_t c11 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l6, h6, o12); + uint64_t h7 = temp3; + mul64(f22, t12, o22, &temp3); + uint64_t l7 = o22[0U]; + uint64_t c21 = Lib_IntTypes_Intrinsics_add_carry_u64(c11, l7, h7, o22); + uint64_t h8 = temp3; + mul64(f32, t12, o32, &temp3); + uint64_t l8 = o32[0U]; + uint64_t c31 = Lib_IntTypes_Intrinsics_add_carry_u64(c21, l8, h8, o32); + uint64_t temp02 = temp3; + uint64_t c5 = c31 + temp02; + t2[4U] = c5; + uint64_t uu____2 = add8(round2, t2, t32); + shift8(t32, tempRound0); + uint64_t t22[8U] = { 0U }; + uint64_t t3[8U] = { 0U }; + uint64_t t1 = tempRound0[0U]; + uint64_t *result04 = t22; + uint64_t temp = (uint64_t)0U; + uint64_t f1 = prime256_buffer[1U]; + uint64_t f2 = prime256_buffer[2U]; + uint64_t f3 = prime256_buffer[3U]; + uint64_t *o0 = result04; + uint64_t *o1 = result04 + (uint32_t)1U; + uint64_t *o2 = result04 + (uint32_t)2U; + uint64_t *o3 = result04 + (uint32_t)3U; + uint64_t f01 = prime256_buffer[0U]; + mul64(f01, t1, o0, &temp); + uint64_t h9 = temp; + mul64(f1, t1, o1, &temp); + uint64_t l9 = o1[0U]; + uint64_t c12 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l9, h9, o1); + uint64_t h10 = temp; + mul64(f2, t1, o2, &temp); + uint64_t l10 = o2[0U]; + uint64_t c22 = Lib_IntTypes_Intrinsics_add_carry_u64(c12, l10, h10, o2); + uint64_t h = temp; + mul64(f3, t1, o3, &temp); + uint64_t l = o3[0U]; + uint64_t c32 = Lib_IntTypes_Intrinsics_add_carry_u64(c22, l, h, o3); + uint64_t temp0 = temp; + uint64_t c6 = c32 + temp0; + t22[4U] = c6; + uint64_t uu____3 = add8(tempRound0, t22, t3); + shift8(t3, round4); + uint64_t tempBuffer[4U] = { 0U }; + uint64_t tempBufferForSubborrow = (uint64_t)0U; + uint64_t cin = round4[4U]; + uint64_t *x_ = round4; + uint64_t c = sub4_il(x_, prime256_buffer, tempBuffer); + uint64_t + carry = 
Lib_IntTypes_Intrinsics_sub_borrow_u64(c, cin, (uint64_t)0U, &tempBufferForSubborrow); + cmovznz4(carry, tempBuffer, x_, result); +} + +static void fsquarePowN(uint32_t n, uint64_t *a) +{ + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + montgomery_square_buffer(a, a); + } +} + +static void fsquarePowNminusOne(uint32_t n, uint64_t *a, uint64_t *b) +{ + b[0U] = (uint64_t)1U; + b[1U] = (uint64_t)18446744069414584320U; + b[2U] = (uint64_t)18446744073709551615U; + b[3U] = (uint64_t)4294967294U; + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + montgomery_multiplication_buffer(b, a, b); + montgomery_square_buffer(a, a); + } +} + +static void exponent(uint64_t *a, uint64_t *result, uint64_t *tempBuffer) +{ + uint64_t *buffer_norm_1 = tempBuffer; + uint64_t *buffer_result1 = tempBuffer + (uint32_t)4U; + uint64_t *buffer_result2 = tempBuffer + (uint32_t)8U; + uint64_t *buffer_norm_3 = tempBuffer + (uint32_t)12U; + uint64_t *buffer_result3 = tempBuffer + (uint32_t)16U; + memcpy(buffer_norm_1, a, (uint32_t)4U * sizeof (uint64_t)); + uint64_t *buffer_a = buffer_norm_1; + uint64_t *buffer_b0 = buffer_norm_1 + (uint32_t)4U; + fsquarePowNminusOne((uint32_t)32U, buffer_a, buffer_b0); + fsquarePowN((uint32_t)224U, buffer_b0); + memcpy(buffer_result2, a, (uint32_t)4U * sizeof (uint64_t)); + fsquarePowN((uint32_t)192U, buffer_result2); + memcpy(buffer_norm_3, a, (uint32_t)4U * sizeof (uint64_t)); + uint64_t *buffer_a0 = buffer_norm_3; + uint64_t *buffer_b = buffer_norm_3 + (uint32_t)4U; + fsquarePowNminusOne((uint32_t)94U, buffer_a0, buffer_b); + fsquarePowN((uint32_t)2U, buffer_b); + montgomery_multiplication_buffer(buffer_result1, buffer_result2, buffer_result1); + montgomery_multiplication_buffer(buffer_result1, buffer_result3, buffer_result1); + montgomery_multiplication_buffer(buffer_result1, a, buffer_result1); + memcpy(result, buffer_result1, (uint32_t)4U * sizeof (uint64_t)); +} + +static void cube(uint64_t *a, uint64_t *result) +{ + montgomery_square_buffer(a, result); 
+ montgomery_multiplication_buffer(result, a, result); +} + +static void multByTwo(uint64_t *a, uint64_t *out) +{ + p256_add(a, a, out); +} + +static void multByThree(uint64_t *a, uint64_t *result) +{ + multByTwo(a, result); + p256_add(a, result, result); +} + +static void multByFour(uint64_t *a, uint64_t *result) +{ + multByTwo(a, result); + multByTwo(result, result); +} + +static void multByEight(uint64_t *a, uint64_t *result) +{ + multByTwo(a, result); + multByTwo(result, result); + multByTwo(result, result); +} + +static uint64_t store_high_low_u(uint32_t high, uint32_t low) +{ + uint64_t as_uint64_high = (uint64_t)high; + uint64_t as_uint64_high1 = as_uint64_high << (uint32_t)32U; + uint64_t as_uint64_low = (uint64_t)low; + return as_uint64_low ^ as_uint64_high1; +} + +static void solinas_reduction_impl(uint64_t *i, uint64_t *o) +{ + uint64_t tempBuffer[36U] = { 0U }; + uint64_t i0 = i[0U]; + uint64_t i1 = i[1U]; + uint64_t i2 = i[2U]; + uint64_t i3 = i[3U]; + uint64_t i4 = i[4U]; + uint64_t i5 = i[5U]; + uint64_t i6 = i[6U]; + uint64_t i7 = i[7U]; + uint32_t c0 = (uint32_t)i0; + uint32_t c1 = (uint32_t)(i0 >> (uint32_t)32U); + uint32_t c2 = (uint32_t)i1; + uint32_t c3 = (uint32_t)(i1 >> (uint32_t)32U); + uint32_t c4 = (uint32_t)i2; + uint32_t c5 = (uint32_t)(i2 >> (uint32_t)32U); + uint32_t c6 = (uint32_t)i3; + uint32_t c7 = (uint32_t)(i3 >> (uint32_t)32U); + uint32_t c8 = (uint32_t)i4; + uint32_t c9 = (uint32_t)(i4 >> (uint32_t)32U); + uint32_t c10 = (uint32_t)i5; + uint32_t c11 = (uint32_t)(i5 >> (uint32_t)32U); + uint32_t c12 = (uint32_t)i6; + uint32_t c13 = (uint32_t)(i6 >> (uint32_t)32U); + uint32_t c14 = (uint32_t)i7; + uint32_t c15 = (uint32_t)(i7 >> (uint32_t)32U); + uint64_t *t01 = tempBuffer; + uint64_t *t110 = tempBuffer + (uint32_t)4U; + uint64_t *t210 = tempBuffer + (uint32_t)8U; + uint64_t *t310 = tempBuffer + (uint32_t)12U; + uint64_t *t410 = tempBuffer + (uint32_t)16U; + uint64_t *t510 = tempBuffer + (uint32_t)20U; + uint64_t *t610 = 
tempBuffer + (uint32_t)24U; + uint64_t *t710 = tempBuffer + (uint32_t)28U; + uint64_t *t810 = tempBuffer + (uint32_t)32U; + uint64_t b0 = store_high_low_u(c1, c0); + uint64_t b10 = store_high_low_u(c3, c2); + uint64_t b20 = store_high_low_u(c5, c4); + uint64_t b30 = store_high_low_u(c7, c6); + t01[0U] = b0; + t01[1U] = b10; + t01[2U] = b20; + t01[3U] = b30; + reduction_prime_2prime_impl(t01, t01); + uint64_t b00 = (uint64_t)0U; + uint64_t b11 = store_high_low_u(c11, (uint32_t)0U); + uint64_t b21 = store_high_low_u(c13, c12); + uint64_t b31 = store_high_low_u(c15, c14); + t110[0U] = b00; + t110[1U] = b11; + t110[2U] = b21; + t110[3U] = b31; + reduction_prime_2prime_impl(t110, t110); + uint64_t b01 = (uint64_t)0U; + uint64_t b12 = store_high_low_u(c12, (uint32_t)0U); + uint64_t b22 = store_high_low_u(c14, c13); + uint64_t b32 = store_high_low_u((uint32_t)0U, c15); + t210[0U] = b01; + t210[1U] = b12; + t210[2U] = b22; + t210[3U] = b32; + uint64_t b02 = store_high_low_u(c9, c8); + uint64_t b13 = store_high_low_u((uint32_t)0U, c10); + uint64_t b23 = (uint64_t)0U; + uint64_t b33 = store_high_low_u(c15, c14); + t310[0U] = b02; + t310[1U] = b13; + t310[2U] = b23; + t310[3U] = b33; + reduction_prime_2prime_impl(t310, t310); + uint64_t b03 = store_high_low_u(c10, c9); + uint64_t b14 = store_high_low_u(c13, c11); + uint64_t b24 = store_high_low_u(c15, c14); + uint64_t b34 = store_high_low_u(c8, c13); + t410[0U] = b03; + t410[1U] = b14; + t410[2U] = b24; + t410[3U] = b34; + reduction_prime_2prime_impl(t410, t410); + uint64_t b04 = store_high_low_u(c12, c11); + uint64_t b15 = store_high_low_u((uint32_t)0U, c13); + uint64_t b25 = (uint64_t)0U; + uint64_t b35 = store_high_low_u(c10, c8); + t510[0U] = b04; + t510[1U] = b15; + t510[2U] = b25; + t510[3U] = b35; + reduction_prime_2prime_impl(t510, t510); + uint64_t b05 = store_high_low_u(c13, c12); + uint64_t b16 = store_high_low_u(c15, c14); + uint64_t b26 = (uint64_t)0U; + uint64_t b36 = store_high_low_u(c11, c9); + t610[0U] = b05; 
+ t610[1U] = b16; + t610[2U] = b26; + t610[3U] = b36; + reduction_prime_2prime_impl(t610, t610); + uint64_t b06 = store_high_low_u(c14, c13); + uint64_t b17 = store_high_low_u(c8, c15); + uint64_t b27 = store_high_low_u(c10, c9); + uint64_t b37 = store_high_low_u(c12, (uint32_t)0U); + t710[0U] = b06; + t710[1U] = b17; + t710[2U] = b27; + t710[3U] = b37; + reduction_prime_2prime_impl(t710, t710); + uint64_t b07 = store_high_low_u(c15, c14); + uint64_t b1 = store_high_low_u(c9, (uint32_t)0U); + uint64_t b2 = store_high_low_u(c11, c10); + uint64_t b3 = store_high_low_u(c13, (uint32_t)0U); + t810[0U] = b07; + t810[1U] = b1; + t810[2U] = b2; + t810[3U] = b3; + reduction_prime_2prime_impl(t810, t810); + uint64_t *t010 = tempBuffer; + uint64_t *t11 = tempBuffer + (uint32_t)4U; + uint64_t *t21 = tempBuffer + (uint32_t)8U; + uint64_t *t31 = tempBuffer + (uint32_t)12U; + uint64_t *t41 = tempBuffer + (uint32_t)16U; + uint64_t *t51 = tempBuffer + (uint32_t)20U; + uint64_t *t61 = tempBuffer + (uint32_t)24U; + uint64_t *t71 = tempBuffer + (uint32_t)28U; + uint64_t *t81 = tempBuffer + (uint32_t)32U; + p256_double(t21, t21); + p256_double(t11, t11); + p256_add(t010, t11, o); + p256_add(t21, o, o); + p256_add(t31, o, o); + p256_add(t41, o, o); + p256_sub(o, t51, o); + p256_sub(o, t61, o); + p256_sub(o, t71, o); + p256_sub(o, t81, o); +} + +static void +point_double_a_b_g( + uint64_t *p, + uint64_t *alpha, + uint64_t *beta, + uint64_t *gamma, + uint64_t *delta, + uint64_t *tempBuffer +) +{ + uint64_t *pX = p; + uint64_t *pY = p + (uint32_t)4U; + uint64_t *pZ = p + (uint32_t)8U; + uint64_t *a0 = tempBuffer; + uint64_t *a1 = tempBuffer + (uint32_t)4U; + uint64_t *alpha0 = tempBuffer + (uint32_t)8U; + montgomery_square_buffer(pZ, delta); + montgomery_square_buffer(pY, gamma); + montgomery_multiplication_buffer(pX, gamma, beta); + p256_sub(pX, delta, a0); + p256_add(pX, delta, a1); + montgomery_multiplication_buffer(a0, a1, alpha0); + multByThree(alpha0, alpha); +} + +static void 
+point_double_x3( + uint64_t *x3, + uint64_t *alpha, + uint64_t *fourBeta, + uint64_t *beta, + uint64_t *eightBeta +) +{ + montgomery_square_buffer(alpha, x3); + multByFour(beta, fourBeta); + multByTwo(fourBeta, eightBeta); + p256_sub(x3, eightBeta, x3); +} + +static void +point_double_z3(uint64_t *z3, uint64_t *pY, uint64_t *pZ, uint64_t *gamma, uint64_t *delta) +{ + p256_add(pY, pZ, z3); + montgomery_square_buffer(z3, z3); + p256_sub(z3, gamma, z3); + p256_sub(z3, delta, z3); +} + +static void +point_double_y3( + uint64_t *y3, + uint64_t *x3, + uint64_t *alpha, + uint64_t *gamma, + uint64_t *eightGamma, + uint64_t *fourBeta +) +{ + p256_sub(fourBeta, x3, y3); + montgomery_multiplication_buffer(alpha, y3, y3); + montgomery_square_buffer(gamma, gamma); + multByEight(gamma, eightGamma); + p256_sub(y3, eightGamma, y3); +} + +static void point_double(uint64_t *p, uint64_t *result, uint64_t *tempBuffer) +{ + uint64_t *pY = p + (uint32_t)4U; + uint64_t *pZ = p + (uint32_t)8U; + uint64_t *x3 = result; + uint64_t *y3 = result + (uint32_t)4U; + uint64_t *z3 = result + (uint32_t)8U; + uint64_t *delta = tempBuffer; + uint64_t *gamma = tempBuffer + (uint32_t)4U; + uint64_t *beta = tempBuffer + (uint32_t)8U; + uint64_t *alpha = tempBuffer + (uint32_t)16U; + uint64_t *fourBeta = tempBuffer + (uint32_t)20U; + uint64_t *eightBeta = tempBuffer + (uint32_t)24U; + uint64_t *eightGamma = tempBuffer + (uint32_t)28U; + uint64_t *tmp = tempBuffer + (uint32_t)32U; + point_double_a_b_g(p, alpha, beta, gamma, delta, tmp); + point_double_x3(x3, alpha, fourBeta, beta, eightBeta); + point_double_z3(z3, pY, pZ, gamma, delta); + point_double_y3(y3, x3, alpha, gamma, eightGamma, fourBeta); +} + +static void +copy_point_conditional( + uint64_t *x3_out, + uint64_t *y3_out, + uint64_t *z3_out, + uint64_t *p, + uint64_t *maskPoint +) +{ + uint64_t *z = maskPoint + (uint32_t)8U; + uint64_t mask = isZero_uint64_CT(z); + uint64_t *p_x = p; + uint64_t *p_y = p + (uint32_t)4U; + uint64_t *p_z = p + 
(uint32_t)8U; + copy_conditional(x3_out, p_x, mask); + copy_conditional(y3_out, p_y, mask); + copy_conditional(z3_out, p_z, mask); +} + +static void point_add(uint64_t *p, uint64_t *q, uint64_t *result, uint64_t *tempBuffer) +{ + uint64_t *tempBuffer16 = tempBuffer; + uint64_t *u1 = tempBuffer + (uint32_t)16U; + uint64_t *u2 = tempBuffer + (uint32_t)20U; + uint64_t *s1 = tempBuffer + (uint32_t)24U; + uint64_t *s2 = tempBuffer + (uint32_t)28U; + uint64_t *h = tempBuffer + (uint32_t)32U; + uint64_t *r = tempBuffer + (uint32_t)36U; + uint64_t *uh = tempBuffer + (uint32_t)40U; + uint64_t *hCube = tempBuffer + (uint32_t)44U; + uint64_t *tempBuffer28 = tempBuffer + (uint32_t)60U; + uint64_t *pX = p; + uint64_t *pY = p + (uint32_t)4U; + uint64_t *pZ = p + (uint32_t)8U; + uint64_t *qX = q; + uint64_t *qY = q + (uint32_t)4U; + uint64_t *qZ0 = q + (uint32_t)8U; + uint64_t *z2Square = tempBuffer16; + uint64_t *z1Square = tempBuffer16 + (uint32_t)4U; + uint64_t *z2Cube = tempBuffer16 + (uint32_t)8U; + uint64_t *z1Cube = tempBuffer16 + (uint32_t)12U; + montgomery_square_buffer(qZ0, z2Square); + montgomery_square_buffer(pZ, z1Square); + montgomery_multiplication_buffer(z2Square, qZ0, z2Cube); + montgomery_multiplication_buffer(z1Square, pZ, z1Cube); + montgomery_multiplication_buffer(z2Square, pX, u1); + montgomery_multiplication_buffer(z1Square, qX, u2); + montgomery_multiplication_buffer(z2Cube, pY, s1); + montgomery_multiplication_buffer(z1Cube, qY, s2); + uint64_t *temp = tempBuffer16; + p256_sub(u2, u1, h); + p256_sub(s2, s1, r); + montgomery_square_buffer(h, temp); + montgomery_multiplication_buffer(temp, u1, uh); + montgomery_multiplication_buffer(temp, h, hCube); + uint64_t *pZ0 = p + (uint32_t)8U; + uint64_t *qZ = q + (uint32_t)8U; + uint64_t *tempBuffer161 = tempBuffer28; + uint64_t *x3_out1 = tempBuffer28 + (uint32_t)16U; + uint64_t *y3_out1 = tempBuffer28 + (uint32_t)20U; + uint64_t *z3_out1 = tempBuffer28 + (uint32_t)24U; + uint64_t *rSquare = tempBuffer161; + 
uint64_t *rH = tempBuffer161 + (uint32_t)4U; + uint64_t *twoUh = tempBuffer161 + (uint32_t)8U; + montgomery_square_buffer(r, rSquare); + p256_sub(rSquare, hCube, rH); + multByTwo(uh, twoUh); + p256_sub(rH, twoUh, x3_out1); + uint64_t *s1hCube = tempBuffer161; + uint64_t *u1hx3 = tempBuffer161 + (uint32_t)4U; + uint64_t *ru1hx3 = tempBuffer161 + (uint32_t)8U; + montgomery_multiplication_buffer(s1, hCube, s1hCube); + p256_sub(uh, x3_out1, u1hx3); + montgomery_multiplication_buffer(u1hx3, r, ru1hx3); + p256_sub(ru1hx3, s1hCube, y3_out1); + uint64_t *z1z2 = tempBuffer161; + montgomery_multiplication_buffer(pZ0, qZ, z1z2); + montgomery_multiplication_buffer(z1z2, h, z3_out1); + copy_point_conditional(x3_out1, y3_out1, z3_out1, q, p); + copy_point_conditional(x3_out1, y3_out1, z3_out1, p, q); + memcpy(result, x3_out1, (uint32_t)4U * sizeof (uint64_t)); + memcpy(result + (uint32_t)4U, y3_out1, (uint32_t)4U * sizeof (uint64_t)); + memcpy(result + (uint32_t)8U, z3_out1, (uint32_t)4U * sizeof (uint64_t)); +} + +static void pointToDomain(uint64_t *p, uint64_t *result) +{ + uint64_t *p_x = p; + uint64_t *p_y = p + (uint32_t)4U; + uint64_t *p_z = p + (uint32_t)8U; + uint64_t *r_x = result; + uint64_t *r_y = result + (uint32_t)4U; + uint64_t *r_z = result + (uint32_t)8U; + uint64_t multBuffer[8U] = { 0U }; + shift_256_impl(p_x, multBuffer); + solinas_reduction_impl(multBuffer, r_x); + uint64_t multBuffer0[8U] = { 0U }; + shift_256_impl(p_y, multBuffer0); + solinas_reduction_impl(multBuffer0, r_y); + uint64_t multBuffer1[8U] = { 0U }; + shift_256_impl(p_z, multBuffer1); + solinas_reduction_impl(multBuffer1, r_z); +} + +static void copy_point(uint64_t *p, uint64_t *result) +{ + memcpy(result, p, (uint32_t)12U * sizeof (uint64_t)); +} + +uint64_t Hacl_Impl_P256_Core_isPointAtInfinityPrivate(uint64_t *p) +{ + uint64_t z0 = p[8U]; + uint64_t z1 = p[9U]; + uint64_t z2 = p[10U]; + uint64_t z3 = p[11U]; + uint64_t z0_zero = FStar_UInt64_eq_mask(z0, (uint64_t)0U); + uint64_t z1_zero = 
FStar_UInt64_eq_mask(z1, (uint64_t)0U); + uint64_t z2_zero = FStar_UInt64_eq_mask(z2, (uint64_t)0U); + uint64_t z3_zero = FStar_UInt64_eq_mask(z3, (uint64_t)0U); + return (z0_zero & z1_zero) & (z2_zero & z3_zero); +} + +static inline void cswap(uint64_t bit, uint64_t *p1, uint64_t *p2) +{ + uint64_t mask = (uint64_t)0U - bit; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)12U; i++) + { + uint64_t dummy = mask & (p1[i] ^ p2[i]); + p1[i] = p1[i] ^ dummy; + p2[i] = p2[i] ^ dummy; + } +} + +static void norm(uint64_t *p, uint64_t *resultPoint, uint64_t *tempBuffer) +{ + uint64_t *xf = p; + uint64_t *yf = p + (uint32_t)4U; + uint64_t *zf = p + (uint32_t)8U; + uint64_t *z2f = tempBuffer + (uint32_t)4U; + uint64_t *z3f = tempBuffer + (uint32_t)8U; + uint64_t *tempBuffer20 = tempBuffer + (uint32_t)12U; + montgomery_square_buffer(zf, z2f); + montgomery_multiplication_buffer(z2f, zf, z3f); + exponent(z2f, z2f, tempBuffer20); + exponent(z3f, z3f, tempBuffer20); + montgomery_multiplication_buffer(xf, z2f, z2f); + montgomery_multiplication_buffer(yf, z3f, z3f); + uint64_t zeroBuffer[4U] = { 0U }; + uint64_t *resultX = resultPoint; + uint64_t *resultY = resultPoint + (uint32_t)4U; + uint64_t *resultZ = resultPoint + (uint32_t)8U; + uint64_t bit = Hacl_Impl_P256_Core_isPointAtInfinityPrivate(p); + montgomery_multiplication_buffer_by_one(z2f, resultX); + montgomery_multiplication_buffer_by_one(z3f, resultY); + uploadOneImpl(resultZ); + copy_conditional(resultZ, zeroBuffer, bit); +} + +static void normX(uint64_t *p, uint64_t *result, uint64_t *tempBuffer) +{ + uint64_t *xf = p; + uint64_t *zf = p + (uint32_t)8U; + uint64_t *z2f = tempBuffer + (uint32_t)4U; + uint64_t *tempBuffer20 = tempBuffer + (uint32_t)12U; + montgomery_square_buffer(zf, z2f); + exponent(z2f, z2f, tempBuffer20); + montgomery_multiplication_buffer(z2f, xf, z2f); + montgomery_multiplication_buffer_by_one(z2f, result); +} + +static void zero_buffer(uint64_t *p) +{ + p[0U] = (uint64_t)0U; + p[1U] = (uint64_t)0U; + 
p[2U] = (uint64_t)0U; + p[3U] = (uint64_t)0U; + p[4U] = (uint64_t)0U; + p[5U] = (uint64_t)0U; + p[6U] = (uint64_t)0U; + p[7U] = (uint64_t)0U; + p[8U] = (uint64_t)0U; + p[9U] = (uint64_t)0U; + p[10U] = (uint64_t)0U; + p[11U] = (uint64_t)0U; +} + +static void +scalarMultiplicationL(uint64_t *p, uint64_t *result, uint8_t *scalar, uint64_t *tempBuffer) +{ + uint64_t *q = tempBuffer; + zero_buffer(q); + uint64_t *buff = tempBuffer + (uint32_t)12U; + pointToDomain(p, result); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)256U; i++) + { + uint32_t bit0 = (uint32_t)255U - i; + uint64_t + bit = + (uint64_t)(scalar[(uint32_t)31U - bit0 / (uint32_t)8U] >> bit0 % (uint32_t)8U & (uint8_t)1U); + cswap(bit, q, result); + point_add(q, result, result, buff); + point_double(q, q, buff); + cswap(bit, q, result); + } + norm(q, result, buff); +} + +static void +scalarMultiplicationC( + uint64_t *p, + uint64_t *result, + const uint8_t *scalar, + uint64_t *tempBuffer +) +{ + uint64_t *q = tempBuffer; + zero_buffer(q); + uint64_t *buff = tempBuffer + (uint32_t)12U; + pointToDomain(p, result); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)256U; i++) + { + uint32_t bit0 = (uint32_t)255U - i; + uint64_t + bit = + (uint64_t)(scalar[(uint32_t)31U - bit0 / (uint32_t)8U] >> bit0 % (uint32_t)8U & (uint8_t)1U); + cswap(bit, q, result); + point_add(q, result, result, buff); + point_double(q, q, buff); + cswap(bit, q, result); + } + norm(q, result, buff); +} + +static void uploadBasePoint(uint64_t *p) +{ + p[0U] = (uint64_t)8784043285714375740U; + p[1U] = (uint64_t)8483257759279461889U; + p[2U] = (uint64_t)8789745728267363600U; + p[3U] = (uint64_t)1770019616739251654U; + p[4U] = (uint64_t)15992936863339206154U; + p[5U] = (uint64_t)10037038012062884956U; + p[6U] = (uint64_t)15197544864945402661U; + p[7U] = (uint64_t)9615747158586711429U; + p[8U] = (uint64_t)1U; + p[9U] = (uint64_t)18446744069414584320U; + p[10U] = (uint64_t)18446744073709551615U; + p[11U] = (uint64_t)4294967294U; +} + +static 
void +scalarMultiplicationWithoutNorm( + uint64_t *p, + uint64_t *result, + uint8_t *scalar, + uint64_t *tempBuffer +) +{ + uint64_t *q = tempBuffer; + zero_buffer(q); + uint64_t *buff = tempBuffer + (uint32_t)12U; + pointToDomain(p, result); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)256U; i++) + { + uint32_t bit0 = (uint32_t)255U - i; + uint64_t + bit = + (uint64_t)(scalar[(uint32_t)31U - bit0 / (uint32_t)8U] >> bit0 % (uint32_t)8U & (uint8_t)1U); + cswap(bit, q, result); + point_add(q, result, result, buff); + point_double(q, q, buff); + cswap(bit, q, result); + } + copy_point(q, result); +} + +void +Hacl_Impl_P256_Core_secretToPublic(uint64_t *result, uint8_t *scalar, uint64_t *tempBuffer) +{ + uint64_t basePoint[12U] = { 0U }; + uploadBasePoint(basePoint); + uint64_t *q = tempBuffer; + uint64_t *buff = tempBuffer + (uint32_t)12U; + zero_buffer(q); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)256U; i++) + { + uint32_t bit0 = (uint32_t)255U - i; + uint64_t + bit = + (uint64_t)(scalar[(uint32_t)31U - bit0 / (uint32_t)8U] >> bit0 % (uint32_t)8U & (uint8_t)1U); + cswap(bit, q, basePoint); + point_add(q, basePoint, basePoint, buff); + point_double(q, q, buff); + cswap(bit, q, basePoint); + } + norm(q, result, buff); +} + +static void secretToPublicWithoutNorm(uint64_t *result, uint8_t *scalar, uint64_t *tempBuffer) +{ + uint64_t basePoint[12U] = { 0U }; + uploadBasePoint(basePoint); + uint64_t *q = tempBuffer; + uint64_t *buff = tempBuffer + (uint32_t)12U; + zero_buffer(q); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)256U; i++) + { + uint32_t bit0 = (uint32_t)255U - i; + uint64_t + bit = + (uint64_t)(scalar[(uint32_t)31U - bit0 / (uint32_t)8U] >> bit0 % (uint32_t)8U & (uint8_t)1U); + cswap(bit, q, basePoint); + point_add(q, basePoint, basePoint, buff); + point_double(q, q, buff); + cswap(bit, q, basePoint); + } + copy_point(q, result); +} + +static const +uint64_t +prime256order_buffer[4U] = + { + (uint64_t)17562291160714782033U, + 
(uint64_t)13611842547513532036U, + (uint64_t)18446744073709551615U, + (uint64_t)18446744069414584320U + }; + +static const +uint8_t +order_inverse_buffer[32U] = + { + (uint8_t)79U, (uint8_t)37U, (uint8_t)99U, (uint8_t)252U, (uint8_t)194U, (uint8_t)202U, + (uint8_t)185U, (uint8_t)243U, (uint8_t)132U, (uint8_t)158U, (uint8_t)23U, (uint8_t)167U, + (uint8_t)173U, (uint8_t)250U, (uint8_t)230U, (uint8_t)188U, (uint8_t)255U, (uint8_t)255U, + (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, + (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, + (uint8_t)255U + }; + +static const +uint8_t +order_buffer[32U] = + { + (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, (uint8_t)0U, (uint8_t)0U, + (uint8_t)0U, (uint8_t)0U, (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, + (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, (uint8_t)188U, (uint8_t)230U, + (uint8_t)250U, (uint8_t)173U, (uint8_t)167U, (uint8_t)23U, (uint8_t)158U, (uint8_t)132U, + (uint8_t)243U, (uint8_t)185U, (uint8_t)202U, (uint8_t)194U, (uint8_t)252U, (uint8_t)99U, + (uint8_t)37U, (uint8_t)81U + }; + +static void montgomery_multiplication_round(uint64_t *t, uint64_t *round, uint64_t k0) +{ + uint64_t temp = (uint64_t)0U; + uint64_t y = (uint64_t)0U; + uint64_t t2[8U] = { 0U }; + uint64_t t3[8U] = { 0U }; + uint64_t t1 = t[0U]; + mul64(t1, k0, &y, &temp); + uint64_t y_ = y; + uint64_t *result04 = t2; + uint64_t temp1 = (uint64_t)0U; + uint64_t f1 = prime256order_buffer[1U]; + uint64_t f2 = prime256order_buffer[2U]; + uint64_t f3 = prime256order_buffer[3U]; + uint64_t *o0 = result04; + uint64_t *o1 = result04 + (uint32_t)1U; + uint64_t *o2 = result04 + (uint32_t)2U; + uint64_t *o3 = result04 + (uint32_t)3U; + uint64_t f01 = prime256order_buffer[0U]; + mul64(f01, y_, o0, &temp1); + uint64_t h0 = temp1; + mul64(f1, y_, o1, &temp1); + uint64_t l0 = o1[0U]; + uint64_t c1 = 
Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l0, h0, o1); + uint64_t h1 = temp1; + mul64(f2, y_, o2, &temp1); + uint64_t l1 = o2[0U]; + uint64_t c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c1, l1, h1, o2); + uint64_t h = temp1; + mul64(f3, y_, o3, &temp1); + uint64_t l = o3[0U]; + uint64_t c3 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, l, h, o3); + uint64_t temp0 = temp1; + uint64_t c = c3 + temp0; + t2[4U] = c; + uint64_t uu____0 = add8(t, t2, t3); + shift8(t3, round); +} + +static void montgomery_multiplication_round_twice(uint64_t *t, uint64_t *result, uint64_t k0) +{ + uint64_t tempRound[8U] = { 0U }; + montgomery_multiplication_round(t, tempRound, k0); + montgomery_multiplication_round(tempRound, result, k0); +} + +static void reduction_prime_2prime_with_carry(uint64_t *x, uint64_t *result) +{ + uint64_t tempBuffer[4U] = { 0U }; + uint64_t tempBufferForSubborrow = (uint64_t)0U; + uint64_t cin = x[4U]; + uint64_t *x_ = x; + uint64_t c = sub4_il(x_, prime256order_buffer, tempBuffer); + uint64_t + carry = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, cin, (uint64_t)0U, &tempBufferForSubborrow); + cmovznz4(carry, tempBuffer, x_, result); +} + +static void reduction_prime_2prime_order(uint64_t *x, uint64_t *result) +{ + uint64_t tempBuffer[4U] = { 0U }; + uint64_t c = sub4_il(x, prime256order_buffer, tempBuffer); + cmovznz4(c, tempBuffer, x, result); +} + +static void montgomery_multiplication_ecdsa_module(uint64_t *a, uint64_t *b, uint64_t *result) +{ + uint64_t t[8U] = { 0U }; + uint64_t round2[8U] = { 0U }; + uint64_t round4[8U] = { 0U }; + uint64_t prime_p256_orderBuffer[4U] = { 0U }; + uint64_t k0 = (uint64_t)14758798090332847183U; + uint64_t f0 = a[0U]; + uint64_t f1 = a[1U]; + uint64_t f2 = a[2U]; + uint64_t f3 = a[3U]; + uint64_t *b0 = t; + uint64_t temp2 = (uint64_t)0U; + uint64_t f110 = b[1U]; + uint64_t f210 = b[2U]; + uint64_t f310 = b[3U]; + uint64_t *o00 = b0; + uint64_t *o10 = b0 + (uint32_t)1U; + uint64_t *o20 = b0 + (uint32_t)2U; + uint64_t *o30 
= b0 + (uint32_t)3U; + uint64_t f020 = b[0U]; + mul64(f020, f0, o00, &temp2); + uint64_t h0 = temp2; + mul64(f110, f0, o10, &temp2); + uint64_t l0 = o10[0U]; + uint64_t c1 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l0, h0, o10); + uint64_t h1 = temp2; + mul64(f210, f0, o20, &temp2); + uint64_t l1 = o20[0U]; + uint64_t c2 = Lib_IntTypes_Intrinsics_add_carry_u64(c1, l1, h1, o20); + uint64_t h2 = temp2; + mul64(f310, f0, o30, &temp2); + uint64_t l2 = o30[0U]; + uint64_t c30 = Lib_IntTypes_Intrinsics_add_carry_u64(c2, l2, h2, o30); + uint64_t temp00 = temp2; + uint64_t c0 = c30 + temp00; + t[4U] = c0; + uint64_t *b1 = t + (uint32_t)1U; + uint64_t temp3[4U] = { 0U }; + uint64_t temp10 = (uint64_t)0U; + uint64_t f111 = b[1U]; + uint64_t f211 = b[2U]; + uint64_t f311 = b[3U]; + uint64_t *o01 = temp3; + uint64_t *o11 = temp3 + (uint32_t)1U; + uint64_t *o21 = temp3 + (uint32_t)2U; + uint64_t *o31 = temp3 + (uint32_t)3U; + uint64_t f021 = b[0U]; + mul64(f021, f1, o01, &temp10); + uint64_t h3 = temp10; + mul64(f111, f1, o11, &temp10); + uint64_t l3 = o11[0U]; + uint64_t c10 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l3, h3, o11); + uint64_t h4 = temp10; + mul64(f211, f1, o21, &temp10); + uint64_t l4 = o21[0U]; + uint64_t c20 = Lib_IntTypes_Intrinsics_add_carry_u64(c10, l4, h4, o21); + uint64_t h5 = temp10; + mul64(f311, f1, o31, &temp10); + uint64_t l5 = o31[0U]; + uint64_t c31 = Lib_IntTypes_Intrinsics_add_carry_u64(c20, l5, h5, o31); + uint64_t temp01 = temp10; + uint64_t c = c31 + temp01; + uint64_t c32 = add4(temp3, b1, b1); + uint64_t c11 = c + c32; + t[5U] = c11; + uint64_t *b2 = t + (uint32_t)2U; + uint64_t temp4[4U] = { 0U }; + uint64_t temp11 = (uint64_t)0U; + uint64_t f112 = b[1U]; + uint64_t f212 = b[2U]; + uint64_t f312 = b[3U]; + uint64_t *o02 = temp4; + uint64_t *o12 = temp4 + (uint32_t)1U; + uint64_t *o22 = temp4 + (uint32_t)2U; + uint64_t *o32 = temp4 + (uint32_t)3U; + uint64_t f022 = b[0U]; + mul64(f022, f2, o02, &temp11); + uint64_t h6 
= temp11; + mul64(f112, f2, o12, &temp11); + uint64_t l6 = o12[0U]; + uint64_t c110 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l6, h6, o12); + uint64_t h7 = temp11; + mul64(f212, f2, o22, &temp11); + uint64_t l7 = o22[0U]; + uint64_t c21 = Lib_IntTypes_Intrinsics_add_carry_u64(c110, l7, h7, o22); + uint64_t h8 = temp11; + mul64(f312, f2, o32, &temp11); + uint64_t l8 = o32[0U]; + uint64_t c33 = Lib_IntTypes_Intrinsics_add_carry_u64(c21, l8, h8, o32); + uint64_t temp02 = temp11; + uint64_t c4 = c33 + temp02; + uint64_t c34 = add4(temp4, b2, b2); + uint64_t c22 = c4 + c34; + t[6U] = c22; + uint64_t *b3 = t + (uint32_t)3U; + uint64_t temp[4U] = { 0U }; + uint64_t temp1 = (uint64_t)0U; + uint64_t f11 = b[1U]; + uint64_t f21 = b[2U]; + uint64_t f31 = b[3U]; + uint64_t *o0 = temp; + uint64_t *o1 = temp + (uint32_t)1U; + uint64_t *o2 = temp + (uint32_t)2U; + uint64_t *o3 = temp + (uint32_t)3U; + uint64_t f02 = b[0U]; + mul64(f02, f3, o0, &temp1); + uint64_t h9 = temp1; + mul64(f11, f3, o1, &temp1); + uint64_t l9 = o1[0U]; + uint64_t c111 = Lib_IntTypes_Intrinsics_add_carry_u64((uint64_t)0U, l9, h9, o1); + uint64_t h10 = temp1; + mul64(f21, f3, o2, &temp1); + uint64_t l10 = o2[0U]; + uint64_t c210 = Lib_IntTypes_Intrinsics_add_carry_u64(c111, l10, h10, o2); + uint64_t h = temp1; + mul64(f31, f3, o3, &temp1); + uint64_t l = o3[0U]; + uint64_t c35 = Lib_IntTypes_Intrinsics_add_carry_u64(c210, l, h, o3); + uint64_t temp0 = temp1; + uint64_t c5 = c35 + temp0; + uint64_t c3 = add4(temp, b3, b3); + uint64_t c36 = c5 + c3; + t[7U] = c36; + montgomery_multiplication_round_twice(t, round2, k0); + montgomery_multiplication_round_twice(round2, round4, k0); + reduction_prime_2prime_with_carry(round4, result); +} + +static void bufferToJac(uint64_t *p, uint64_t *result) +{ + uint64_t *partPoint = result; + memcpy(partPoint, p, (uint32_t)8U * sizeof (uint64_t)); + result[8U] = (uint64_t)1U; + result[9U] = (uint64_t)0U; + result[10U] = (uint64_t)0U; + result[11U] = 
(uint64_t)0U; +} + +/* + The input of the function is considered to be public, +thus this code is not secret independent with respect to the operations done over the input. +*/ +static bool isPointAtInfinityPublic(uint64_t *p) +{ + uint64_t z0 = p[8U]; + uint64_t z1 = p[9U]; + uint64_t z2 = p[10U]; + uint64_t z3 = p[11U]; + bool z0_zero = z0 == (uint64_t)0U; + bool z1_zero = z1 == (uint64_t)0U; + bool z2_zero = z2 == (uint64_t)0U; + bool z3_zero = z3 == (uint64_t)0U; + return z0_zero && z1_zero && z2_zero && z3_zero; +} + +/* + The input of the function is considered to be public, +thus this code is not secret independent with respect to the operations done over the input. +*/ +static bool isPointOnCurvePublic(uint64_t *p) +{ + uint64_t y2Buffer[4U] = { 0U }; + uint64_t xBuffer[4U] = { 0U }; + uint64_t *x = p; + uint64_t *y = p + (uint32_t)4U; + uint64_t multBuffer0[8U] = { 0U }; + shift_256_impl(y, multBuffer0); + solinas_reduction_impl(multBuffer0, y2Buffer); + montgomery_square_buffer(y2Buffer, y2Buffer); + uint64_t xToDomainBuffer[4U] = { 0U }; + uint64_t minusThreeXBuffer[4U] = { 0U }; + uint64_t p256_constant[4U] = { 0U }; + uint64_t multBuffer[8U] = { 0U }; + shift_256_impl(x, multBuffer); + solinas_reduction_impl(multBuffer, xToDomainBuffer); + montgomery_square_buffer(xToDomainBuffer, xBuffer); + montgomery_multiplication_buffer(xBuffer, xToDomainBuffer, xBuffer); + multByThree(xToDomainBuffer, minusThreeXBuffer); + p256_sub(xBuffer, minusThreeXBuffer, xBuffer); + p256_constant[0U] = (uint64_t)15608596021259845087U; + p256_constant[1U] = (uint64_t)12461466548982526096U; + p256_constant[2U] = (uint64_t)16546823903870267094U; + p256_constant[3U] = (uint64_t)15866188208926050356U; + p256_add(xBuffer, p256_constant, xBuffer); + uint64_t r = compare_felem(y2Buffer, xBuffer); + return !(r == (uint64_t)0U); +} + +static bool isCoordinateValid(uint64_t *p) +{ + uint64_t tempBuffer[4U] = { 0U }; + uint64_t *x = p; + uint64_t *y = p + (uint32_t)4U; + uint64_t carryX 
= sub4_il(x, prime256_buffer, tempBuffer); + uint64_t carryY = sub4_il(y, prime256_buffer, tempBuffer); + bool lessX = carryX == (uint64_t)1U; + bool lessY = carryY == (uint64_t)1U; + return lessX && lessY; +} + +/* + The input of the function is considered to be public, +thus this code is not secret independent with respect to the operations done over the input. +*/ +static bool isOrderCorrect(uint64_t *p, uint64_t *tempBuffer) +{ + uint64_t multResult[12U] = { 0U }; + uint64_t pBuffer[12U] = { 0U }; + memcpy(pBuffer, p, (uint32_t)12U * sizeof (uint64_t)); + scalarMultiplicationC(pBuffer, multResult, order_buffer, tempBuffer); + bool result = isPointAtInfinityPublic(multResult); + return result; +} + +/* + The input of the function is considered to be public, +thus this code is not secret independent with respect to the operations done over the input. +*/ +static bool verifyQValidCurvePoint(uint64_t *pubKeyAsPoint, uint64_t *tempBuffer) +{ + bool coordinatesValid = isCoordinateValid(pubKeyAsPoint); + if (!coordinatesValid) + { + return false; + } + bool belongsToCurve = isPointOnCurvePublic(pubKeyAsPoint); + bool orderCorrect = isOrderCorrect(pubKeyAsPoint, tempBuffer); + return coordinatesValid && belongsToCurve && orderCorrect; +} + +static bool isMoreThanZeroLessThanOrder(uint8_t *x) +{ + uint64_t xAsFelem[4U] = { 0U }; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(x, xAsFelem); + uint64_t tempBuffer[4U] = { 0U }; + uint64_t carry = sub4_il(xAsFelem, prime256order_buffer, tempBuffer); + uint64_t less = FStar_UInt64_eq_mask(carry, (uint64_t)1U); + uint64_t more = isZero_uint64_CT(xAsFelem); + uint64_t notMore = ~more; + uint64_t result = less & notMore; + return ~result == (uint64_t)0U; +} + +/* + The pub(lic)_key input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over this variable. 
+*/ +uint64_t Hacl_Impl_P256_DH__ecp256dh_r(uint64_t *result, uint64_t *pubKey, uint8_t *scalar) +{ + uint64_t tempBuffer[100U] = { 0U }; + uint64_t publicKeyBuffer[12U] = { 0U }; + bufferToJac(pubKey, publicKeyBuffer); + bool publicKeyCorrect = verifyQValidCurvePoint(publicKeyBuffer, tempBuffer); + if (publicKeyCorrect) + { + scalarMultiplicationL(publicKeyBuffer, result, scalar, tempBuffer); + uint64_t flag = Hacl_Impl_P256_Core_isPointAtInfinityPrivate(result); + return flag; + } + return (uint64_t)18446744073709551615U; +} + +static inline void cswap0(uint64_t bit, uint64_t *p1, uint64_t *p2) +{ + uint64_t mask = (uint64_t)0U - bit; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t dummy = mask & (p1[i] ^ p2[i]); + p1[i] = p1[i] ^ dummy; + p2[i] = p2[i] ^ dummy; + } +} + +static void montgomery_ladder_exponent(uint64_t *r) +{ + uint64_t p[4U] = { 0U }; + p[0U] = (uint64_t)884452912994769583U; + p[1U] = (uint64_t)4834901526196019579U; + p[2U] = (uint64_t)0U; + p[3U] = (uint64_t)4294967295U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)256U; i++) + { + uint32_t bit0 = (uint32_t)255U - i; + uint64_t + bit = + (uint64_t)(order_inverse_buffer[bit0 / (uint32_t)8U] >> bit0 % (uint32_t)8U & (uint8_t)1U); + cswap0(bit, p, r); + montgomery_multiplication_ecdsa_module(p, r, r); + montgomery_multiplication_ecdsa_module(p, p, p); + cswap0(bit, p, r); + } + memcpy(r, p, (uint32_t)4U * sizeof (uint64_t)); +} + +static void fromDomainImpl(uint64_t *a, uint64_t *result) +{ + uint64_t one[4U] = { 0U }; + uploadOneImpl(one); + montgomery_multiplication_ecdsa_module(one, a, result); +} + +static void multPowerPartial(uint64_t *a, uint64_t *b, uint64_t *result) +{ + uint64_t buffFromDB[4U] = { 0U }; + fromDomainImpl(b, buffFromDB); + fromDomainImpl(buffFromDB, buffFromDB); + montgomery_multiplication_ecdsa_module(a, buffFromDB, result); +} + +/* + The input of the function is considered to be public, +thus this code is not secret independent with respect to 
the operations done over the input. +*/ +static bool isMoreThanZeroLessThanOrderMinusOne(uint64_t *f) +{ + uint64_t tempBuffer[4U] = { 0U }; + uint64_t carry = sub4_il(f, prime256order_buffer, tempBuffer); + bool less = carry == (uint64_t)1U; + uint64_t f0 = f[0U]; + uint64_t f1 = f[1U]; + uint64_t f2 = f[2U]; + uint64_t f3 = f[3U]; + bool z0_zero = f0 == (uint64_t)0U; + bool z1_zero = f1 == (uint64_t)0U; + bool z2_zero = f2 == (uint64_t)0U; + bool z3_zero = f3 == (uint64_t)0U; + bool more = z0_zero && z1_zero && z2_zero && z3_zero; + return less && !more; +} + +/* + The input of the function is considered to be public, +thus this code is not secret independent with respect to the operations done over the input. +*/ +static bool compare_felem_bool(uint64_t *a, uint64_t *b) +{ + uint64_t a_0 = a[0U]; + uint64_t a_1 = a[1U]; + uint64_t a_2 = a[2U]; + uint64_t a_3 = a[3U]; + uint64_t b_0 = b[0U]; + uint64_t b_1 = b[1U]; + uint64_t b_2 = b[2U]; + uint64_t b_3 = b[3U]; + return a_0 == b_0 && a_1 == b_1 && a_2 == b_2 && a_3 == b_3; +} + +/* + The input of the function is considered to be public, +thus this code is not secret independent with respect to the operations done over the input. 
+*/ +static bool +ecdsa_verification_( + Spec_ECDSA_hash_alg_ecdsa alg, + uint64_t *pubKey, + uint64_t *r, + uint64_t *s, + uint32_t mLen, + uint8_t *m +) +{ + uint64_t tempBufferU64[120U] = { 0U }; + uint64_t *publicKeyBuffer = tempBufferU64; + uint64_t *hashAsFelem = tempBufferU64 + (uint32_t)12U; + uint64_t *tempBuffer = tempBufferU64 + (uint32_t)16U; + uint64_t *xBuffer = tempBufferU64 + (uint32_t)116U; + bufferToJac(pubKey, publicKeyBuffer); + bool publicKeyCorrect = verifyQValidCurvePoint(publicKeyBuffer, tempBuffer); + if (publicKeyCorrect == false) + { + return false; + } + bool isRCorrect = isMoreThanZeroLessThanOrderMinusOne(r); + bool isSCorrect = isMoreThanZeroLessThanOrderMinusOne(s); + bool step1 = isRCorrect && isSCorrect; + if (step1 == false) + { + return false; + } + uint8_t tempBufferU8[64U] = { 0U }; + uint8_t *bufferU1 = tempBufferU8; + uint8_t *bufferU2 = tempBufferU8 + (uint32_t)32U; + uint32_t sz; + if (alg.tag == Spec_ECDSA_NoHash) + { + sz = mLen; + } + else if (alg.tag == Spec_ECDSA_Hash) + { + Spec_Hash_Definitions_hash_alg a = alg._0; + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + sz = (uint32_t)16U; + break; + } + case Spec_Hash_Definitions_SHA1: + { + sz = (uint32_t)20U; + break; + } + case Spec_Hash_Definitions_SHA2_224: + { + sz = (uint32_t)28U; + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + sz = (uint32_t)32U; + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + sz = (uint32_t)48U; + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + sz = (uint32_t)64U; + break; + } + case Spec_Hash_Definitions_Blake2S: + { + sz = (uint32_t)32U; + break; + } + case Spec_Hash_Definitions_Blake2B: + { + sz = (uint32_t)64U; + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + else + { + sz = KRML_EABORT(uint32_t, "unreachable (pattern matches are exhaustive in F*)"); + } + KRML_CHECK_SIZE(sizeof (uint8_t), sz); + uint8_t *mHash = 
alloca(sz * sizeof (uint8_t)); + memset(mHash, 0U, sz * sizeof (uint8_t)); + if (alg.tag == Spec_ECDSA_NoHash) + { + memcpy(mHash, m, sz * sizeof (uint8_t)); + } + else if (alg.tag == Spec_ECDSA_Hash) + { + Spec_Hash_Definitions_hash_alg a = alg._0; + switch (a) + { + case Spec_Hash_Definitions_SHA2_256: + { + Hacl_Hash_SHA2_hash_256(m, mLen, mHash); + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + Hacl_Hash_SHA2_hash_384(m, mLen, mHash); + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + Hacl_Hash_SHA2_hash_512(m, mLen, mHash); + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + else + { + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); + } + uint8_t *cutHash = mHash; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(cutHash, hashAsFelem); + reduction_prime_2prime_order(hashAsFelem, hashAsFelem); + uint64_t tempBuffer1[12U] = { 0U }; + uint64_t *inverseS = tempBuffer1; + uint64_t *u1 = tempBuffer1 + (uint32_t)4U; + uint64_t *u2 = tempBuffer1 + (uint32_t)8U; + fromDomainImpl(s, inverseS); + montgomery_ladder_exponent(inverseS); + multPowerPartial(inverseS, hashAsFelem, u1); + multPowerPartial(inverseS, r, u2); + Hacl_Impl_P256_LowLevel_changeEndian(u1); + Hacl_Impl_P256_LowLevel_changeEndian(u2); + Hacl_Impl_P256_LowLevel_toUint8(u1, bufferU1); + Hacl_Impl_P256_LowLevel_toUint8(u2, bufferU2); + uint64_t pointSum[12U] = { 0U }; + uint64_t points[24U] = { 0U }; + uint64_t *buff = tempBuffer + (uint32_t)12U; + uint64_t *pointU1G = points; + uint64_t *pointU2Q0 = points + (uint32_t)12U; + secretToPublicWithoutNorm(pointU1G, bufferU1, tempBuffer); + scalarMultiplicationWithoutNorm(publicKeyBuffer, pointU2Q0, bufferU2, tempBuffer); + uint64_t *pointU1G0 = points; + uint64_t *pointU2Q = points + (uint32_t)12U; + uint64_t tmp[112U] = { 0U }; + uint64_t 
*tmpForNorm = tmp; + uint64_t *result0Norm = tmp + (uint32_t)88U; + uint64_t *result1Norm = tmp + (uint32_t)100U; + uint64_t *pointU1G1 = points; + uint64_t *pointU2Q1 = points + (uint32_t)12U; + norm(pointU1G1, result0Norm, tmpForNorm); + norm(pointU2Q1, result1Norm, tmpForNorm); + uint64_t *x0 = result0Norm; + uint64_t *y0 = result0Norm + (uint32_t)4U; + uint64_t *z0 = result0Norm + (uint32_t)8U; + uint64_t *x1 = result1Norm; + uint64_t *y1 = result1Norm + (uint32_t)4U; + uint64_t *z1 = result1Norm + (uint32_t)8U; + bool xEqual = compare_felem_bool(x0, x1); + bool yEqual = compare_felem_bool(y0, y1); + bool zEqual = compare_felem_bool(z0, z1); + bool equalX = xEqual && yEqual && zEqual; + bool equalX0 = equalX; + if (equalX0) + { + point_double(pointU1G0, pointSum, buff); + } + else + { + point_add(pointU1G0, pointU2Q, pointSum, buff); + } + norm(pointSum, pointSum, buff); + bool resultIsPAI = isPointAtInfinityPublic(pointSum); + uint64_t *xCoordinateSum = pointSum; + memcpy(xBuffer, xCoordinateSum, (uint32_t)4U * sizeof (uint64_t)); + reduction_prime_2prime_order(xBuffer, xBuffer); + bool r1 = !resultIsPAI; + bool state = r1; + if (state == false) + { + return false; + } + bool result = compare_felem_bool(xBuffer, r); + return result; +} + +static uint64_t +ecdsa_signature_core( + Spec_ECDSA_hash_alg_ecdsa alg, + uint64_t *r, + uint64_t *s, + uint32_t mLen, + uint8_t *m, + uint64_t *privKeyAsFelem, + uint8_t *k +) +{ + uint64_t hashAsFelem[4U] = { 0U }; + uint64_t tempBuffer[100U] = { 0U }; + uint64_t kAsFelem[4U] = { 0U }; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(k, kAsFelem); + uint32_t sz; + if (alg.tag == Spec_ECDSA_NoHash) + { + sz = mLen; + } + else if (alg.tag == Spec_ECDSA_Hash) + { + Spec_Hash_Definitions_hash_alg a = alg._0; + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + sz = (uint32_t)16U; + break; + } + case Spec_Hash_Definitions_SHA1: + { + sz = (uint32_t)20U; + break; + } + case Spec_Hash_Definitions_SHA2_224: + { + sz = 
(uint32_t)28U; + break; + } + case Spec_Hash_Definitions_SHA2_256: + { + sz = (uint32_t)32U; + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + sz = (uint32_t)48U; + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + sz = (uint32_t)64U; + break; + } + case Spec_Hash_Definitions_Blake2S: + { + sz = (uint32_t)32U; + break; + } + case Spec_Hash_Definitions_Blake2B: + { + sz = (uint32_t)64U; + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + else + { + sz = KRML_EABORT(uint32_t, "unreachable (pattern matches are exhaustive in F*)"); + } + KRML_CHECK_SIZE(sizeof (uint8_t), sz); + uint8_t *mHash = alloca(sz * sizeof (uint8_t)); + memset(mHash, 0U, sz * sizeof (uint8_t)); + if (alg.tag == Spec_ECDSA_NoHash) + { + memcpy(mHash, m, sz * sizeof (uint8_t)); + } + else if (alg.tag == Spec_ECDSA_Hash) + { + Spec_Hash_Definitions_hash_alg a = alg._0; + switch (a) + { + case Spec_Hash_Definitions_SHA2_256: + { + Hacl_Hash_SHA2_hash_256(m, mLen, mHash); + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + Hacl_Hash_SHA2_hash_384(m, mLen, mHash); + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + Hacl_Hash_SHA2_hash_512(m, mLen, mHash); + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + else + { + KRML_HOST_EPRINTF("KreMLin abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); + } + uint8_t *cutHash = mHash; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(cutHash, hashAsFelem); + reduction_prime_2prime_order(hashAsFelem, hashAsFelem); + uint64_t result[12U] = { 0U }; + uint64_t *tempForNorm = tempBuffer; + secretToPublicWithoutNorm(result, k, tempBuffer); + normX(result, r, tempForNorm); + reduction_prime_2prime_order(r, r); + uint64_t step5Flag = isZero_uint64_CT(r); + uint64_t rda[4U] = { 0U }; + 
uint64_t zBuffer[4U] = { 0U }; + uint64_t kInv[4U] = { 0U }; + montgomery_multiplication_ecdsa_module(r, privKeyAsFelem, rda); + fromDomainImpl(hashAsFelem, zBuffer); + uint64_t t = add4(rda, zBuffer, zBuffer); + uint64_t tempBuffer1[4U] = { 0U }; + uint64_t tempBufferForSubborrow = (uint64_t)0U; + uint64_t c = sub4_il(zBuffer, prime256order_buffer, tempBuffer1); + uint64_t + carry = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t, (uint64_t)0U, &tempBufferForSubborrow); + cmovznz4(carry, tempBuffer1, zBuffer, zBuffer); + memcpy(kInv, kAsFelem, (uint32_t)4U * sizeof (uint64_t)); + montgomery_ladder_exponent(kInv); + montgomery_multiplication_ecdsa_module(zBuffer, kInv, s); + uint64_t sIsZero = isZero_uint64_CT(s); + return step5Flag | sIsZero; +} + +static inline void cswap1(uint64_t bit, uint64_t *p1, uint64_t *p2) +{ + uint64_t mask = (uint64_t)0U - bit; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint64_t dummy = mask & (p1[i] ^ p2[i]); + p1[i] = p1[i] ^ dummy; + p2[i] = p2[i] ^ dummy; + } +} + +static void montgomery_ladder_power(uint64_t *a, const uint8_t *scalar, uint64_t *result) +{ + uint64_t p[4U] = { 0U }; + p[0U] = (uint64_t)1U; + p[1U] = (uint64_t)18446744069414584320U; + p[2U] = (uint64_t)18446744073709551615U; + p[3U] = (uint64_t)4294967294U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)256U; i++) + { + uint32_t bit0 = (uint32_t)255U - i; + uint64_t bit = (uint64_t)(scalar[bit0 / (uint32_t)8U] >> bit0 % (uint32_t)8U & (uint8_t)1U); + cswap1(bit, p, a); + montgomery_multiplication_buffer(p, a, a); + montgomery_square_buffer(p, p); + cswap1(bit, p, a); + } + memcpy(result, p, (uint32_t)4U * sizeof (uint64_t)); +} + +static const +uint8_t +sqPower_buffer[32U] = + { + (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, + (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)64U, (uint8_t)0U, (uint8_t)0U, + (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, 
(uint8_t)0U, + (uint8_t)0U, (uint8_t)0U, (uint8_t)64U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)192U, + (uint8_t)255U, (uint8_t)255U, (uint8_t)255U, (uint8_t)63U + }; + +static void computeYFromX(uint64_t *x, uint64_t *result, uint64_t sign) +{ + uint64_t aCoordinateBuffer[4U] = { 0U }; + uint64_t bCoordinateBuffer[4U] = { 0U }; + aCoordinateBuffer[0U] = (uint64_t)18446744073709551612U; + aCoordinateBuffer[1U] = (uint64_t)17179869183U; + aCoordinateBuffer[2U] = (uint64_t)0U; + aCoordinateBuffer[3U] = (uint64_t)18446744056529682436U; + bCoordinateBuffer[0U] = (uint64_t)15608596021259845087U; + bCoordinateBuffer[1U] = (uint64_t)12461466548982526096U; + bCoordinateBuffer[2U] = (uint64_t)16546823903870267094U; + bCoordinateBuffer[3U] = (uint64_t)15866188208926050356U; + montgomery_multiplication_buffer(aCoordinateBuffer, x, aCoordinateBuffer); + cube(x, result); + p256_add(result, aCoordinateBuffer, result); + p256_add(result, bCoordinateBuffer, result); + uploadZeroImpl(aCoordinateBuffer); + montgomery_ladder_power(result, sqPower_buffer, result); + montgomery_multiplication_buffer_by_one(result, result); + p256_sub(aCoordinateBuffer, result, bCoordinateBuffer); + uint64_t word = result[0U]; + uint64_t bitToCheck = word & (uint64_t)1U; + uint64_t flag = FStar_UInt64_eq_mask(bitToCheck, sign); + cmovznz4(flag, bCoordinateBuffer, result, result); +} + + +/******************************************************************************* + +ECDSA and ECDH functions over the P-256 NIST curve. + +This module implements signing and verification, key validation, conversions +between various point representations, and ECDH key agreement. + +*******************************************************************************/ + +/**************/ +/* Signatures */ +/**************/ + +/* + Per the standard, a hash function *shall* be used. Therefore, we recommend + using one of the three combined hash-and-sign variants. 
+*/ + +/* +Hash the message with SHA2-256, then sign the resulting digest with the P256 signature function. + +Input: result buffer: uint8[64], + m buffer: uint8 [mLen], + priv(ate)Key: uint8[32], + k (nonce): uint32[32]. + + Output: bool, where True stands for the correct signature generation. False value means that an error has occurred. + + The private key and the nonce are expected to be more than 0 and less than the curve order. +*/ +bool +Hacl_P256_ecdsa_sign_p256_sha2( + uint8_t *result, + uint32_t mLen, + uint8_t *m, + uint8_t *privKey, + uint8_t *k +) +{ + uint64_t privKeyAsFelem[4U] = { 0U }; + uint64_t r[4U] = { 0U }; + uint64_t s[4U] = { 0U }; + uint8_t *resultR = result; + uint8_t *resultS = result + (uint32_t)32U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(privKey, privKeyAsFelem); + uint64_t + flag = + ecdsa_signature_core(( + (Spec_ECDSA_hash_alg_ecdsa){ .tag = Spec_ECDSA_Hash, ._0 = Spec_Hash_Definitions_SHA2_256 } + ), + r, + s, + mLen, + m, + privKeyAsFelem, + k); + Hacl_Impl_P256_LowLevel_changeEndian(r); + Hacl_Impl_P256_LowLevel_toUint8(r, resultR); + Hacl_Impl_P256_LowLevel_changeEndian(s); + Hacl_Impl_P256_LowLevel_toUint8(s, resultS); + return flag == (uint64_t)0U; +} + +/* +Hash the message with SHA2-384, then sign the resulting digest with the P256 signature function. + +Input: result buffer: uint8[64], + m buffer: uint8 [mLen], + priv(ate)Key: uint8[32], + k (nonce): uint32[32]. + + Output: bool, where True stands for the correct signature generation. False value means that an error has occurred. + + The private key and the nonce are expected to be more than 0 and less than the curve order. 
+*/ +bool +Hacl_P256_ecdsa_sign_p256_sha384( + uint8_t *result, + uint32_t mLen, + uint8_t *m, + uint8_t *privKey, + uint8_t *k +) +{ + uint64_t privKeyAsFelem[4U] = { 0U }; + uint64_t r[4U] = { 0U }; + uint64_t s[4U] = { 0U }; + uint8_t *resultR = result; + uint8_t *resultS = result + (uint32_t)32U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(privKey, privKeyAsFelem); + uint64_t + flag = + ecdsa_signature_core(( + (Spec_ECDSA_hash_alg_ecdsa){ .tag = Spec_ECDSA_Hash, ._0 = Spec_Hash_Definitions_SHA2_384 } + ), + r, + s, + mLen, + m, + privKeyAsFelem, + k); + Hacl_Impl_P256_LowLevel_changeEndian(r); + Hacl_Impl_P256_LowLevel_toUint8(r, resultR); + Hacl_Impl_P256_LowLevel_changeEndian(s); + Hacl_Impl_P256_LowLevel_toUint8(s, resultS); + return flag == (uint64_t)0U; +} + +/* +Hash the message with SHA2-512, then sign the resulting digest with the P256 signature function. + +Input: result buffer: uint8[64], + m buffer: uint8 [mLen], + priv(ate)Key: uint8[32], + k (nonce): uint32[32]. + + Output: bool, where True stands for the correct signature generation. False value means that an error has occurred. + + The private key and the nonce are expected to be more than 0 and less than the curve order. 
+*/ +bool +Hacl_P256_ecdsa_sign_p256_sha512( + uint8_t *result, + uint32_t mLen, + uint8_t *m, + uint8_t *privKey, + uint8_t *k +) +{ + uint64_t privKeyAsFelem[4U] = { 0U }; + uint64_t r[4U] = { 0U }; + uint64_t s[4U] = { 0U }; + uint8_t *resultR = result; + uint8_t *resultS = result + (uint32_t)32U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(privKey, privKeyAsFelem); + uint64_t + flag = + ecdsa_signature_core(( + (Spec_ECDSA_hash_alg_ecdsa){ .tag = Spec_ECDSA_Hash, ._0 = Spec_Hash_Definitions_SHA2_512 } + ), + r, + s, + mLen, + m, + privKeyAsFelem, + k); + Hacl_Impl_P256_LowLevel_changeEndian(r); + Hacl_Impl_P256_LowLevel_toUint8(r, resultR); + Hacl_Impl_P256_LowLevel_changeEndian(s); + Hacl_Impl_P256_LowLevel_toUint8(s, resultS); + return flag == (uint64_t)0U; +} + +/* +P256 signature WITHOUT hashing first. + +This function is intended to receive a hash of the input. For convenience, we +recommend using one of the hash-and-sign combined functions above. + +The argument `m` MUST be at least 32 bytes (i.e. `mLen >= 32`). + +NOTE: The equivalent functions in OpenSSL and Fiat-Crypto both accept inputs +smaller than 32 bytes. These libraries left-pad the input with enough zeroes to +reach the minimum 32 byte size. Clients who need behavior identical to OpenSSL +need to perform the left-padding themselves. + +Input: result buffer: uint8[64], + m buffer: uint8 [mLen], + priv(ate)Key: uint8[32], + k (nonce): uint32[32]. + + Output: bool, where True stands for the correct signature generation. False value means that an error has occurred. + + The private key and the nonce are expected to be more than 0 and less than the curve order. + + The message m is expected to be hashed by a strong hash function, the lenght of the message is expected to be 32 bytes and more. 
+*/ +bool +Hacl_P256_ecdsa_sign_p256_without_hash( + uint8_t *result, + uint32_t mLen, + uint8_t *m, + uint8_t *privKey, + uint8_t *k +) +{ + uint64_t privKeyAsFelem[4U] = { 0U }; + uint64_t r[4U] = { 0U }; + uint64_t s[4U] = { 0U }; + uint8_t *resultR = result; + uint8_t *resultS = result + (uint32_t)32U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(privKey, privKeyAsFelem); + uint64_t + flag = + ecdsa_signature_core(((Spec_ECDSA_hash_alg_ecdsa){ .tag = Spec_ECDSA_NoHash }), + r, + s, + mLen, + m, + privKeyAsFelem, + k); + Hacl_Impl_P256_LowLevel_changeEndian(r); + Hacl_Impl_P256_LowLevel_toUint8(r, resultR); + Hacl_Impl_P256_LowLevel_changeEndian(s); + Hacl_Impl_P256_LowLevel_toUint8(s, resultS); + return flag == (uint64_t)0U; +} + + +/****************/ +/* Verification */ +/****************/ + +/* + Verify a message signature. These functions internally validate the public key using validate_public_key. +*/ + + +/* + The input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over the input. + + Input: m buffer: uint8 [mLen], + pub(lic)Key: uint8[64], + r: uint8[32], + s: uint8[32]. + + Output: bool, where true stands for the correct signature verification. 
+*/ +bool +Hacl_P256_ecdsa_verif_p256_sha2( + uint32_t mLen, + uint8_t *m, + uint8_t *pubKey, + uint8_t *r, + uint8_t *s +) +{ + uint64_t publicKeyAsFelem[8U] = { 0U }; + uint64_t *publicKeyFelemX = publicKeyAsFelem; + uint64_t *publicKeyFelemY = publicKeyAsFelem + (uint32_t)4U; + uint64_t rAsFelem[4U] = { 0U }; + uint64_t sAsFelem[4U] = { 0U }; + uint8_t *pubKeyX = pubKey; + uint8_t *pubKeyY = pubKey + (uint32_t)32U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyX, publicKeyFelemX); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyY, publicKeyFelemY); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(r, rAsFelem); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(s, sAsFelem); + bool + result = + ecdsa_verification_(( + (Spec_ECDSA_hash_alg_ecdsa){ .tag = Spec_ECDSA_Hash, ._0 = Spec_Hash_Definitions_SHA2_256 } + ), + publicKeyAsFelem, + rAsFelem, + sAsFelem, + mLen, + m); + return result; +} + +/* + The input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over the input. + + Input: m buffer: uint8 [mLen], + pub(lic)Key: uint8[64], + r: uint8[32], + s: uint8[32]. + + Output: bool, where true stands for the correct signature verification. 
+*/ +bool +Hacl_P256_ecdsa_verif_p256_sha384( + uint32_t mLen, + uint8_t *m, + uint8_t *pubKey, + uint8_t *r, + uint8_t *s +) +{ + uint64_t publicKeyAsFelem[8U] = { 0U }; + uint64_t *publicKeyFelemX = publicKeyAsFelem; + uint64_t *publicKeyFelemY = publicKeyAsFelem + (uint32_t)4U; + uint64_t rAsFelem[4U] = { 0U }; + uint64_t sAsFelem[4U] = { 0U }; + uint8_t *pubKeyX = pubKey; + uint8_t *pubKeyY = pubKey + (uint32_t)32U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyX, publicKeyFelemX); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyY, publicKeyFelemY); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(r, rAsFelem); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(s, sAsFelem); + bool + result = + ecdsa_verification_(( + (Spec_ECDSA_hash_alg_ecdsa){ .tag = Spec_ECDSA_Hash, ._0 = Spec_Hash_Definitions_SHA2_384 } + ), + publicKeyAsFelem, + rAsFelem, + sAsFelem, + mLen, + m); + return result; +} + +/* + The input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over the input. + + Input: m buffer: uint8 [mLen], + pub(lic)Key: uint8[64], + r: uint8[32], + s: uint8[32]. + + Output: bool, where true stands for the correct signature verification. 
+*/ +bool +Hacl_P256_ecdsa_verif_p256_sha512( + uint32_t mLen, + uint8_t *m, + uint8_t *pubKey, + uint8_t *r, + uint8_t *s +) +{ + uint64_t publicKeyAsFelem[8U] = { 0U }; + uint64_t *publicKeyFelemX = publicKeyAsFelem; + uint64_t *publicKeyFelemY = publicKeyAsFelem + (uint32_t)4U; + uint64_t rAsFelem[4U] = { 0U }; + uint64_t sAsFelem[4U] = { 0U }; + uint8_t *pubKeyX = pubKey; + uint8_t *pubKeyY = pubKey + (uint32_t)32U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyX, publicKeyFelemX); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyY, publicKeyFelemY); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(r, rAsFelem); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(s, sAsFelem); + bool + result = + ecdsa_verification_(( + (Spec_ECDSA_hash_alg_ecdsa){ .tag = Spec_ECDSA_Hash, ._0 = Spec_Hash_Definitions_SHA2_512 } + ), + publicKeyAsFelem, + rAsFelem, + sAsFelem, + mLen, + m); + return result; +} + +/* + The input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over the input. + + Input: m buffer: uint8 [mLen], + pub(lic)Key: uint8[64], + r: uint8[32], + s: uint8[32]. + + Output: bool, where true stands for the correct signature verification. + + The message m is expected to be hashed by a strong hash function, the lenght of the message is expected to be 32 bytes and more. 
+*/ +bool +Hacl_P256_ecdsa_verif_without_hash( + uint32_t mLen, + uint8_t *m, + uint8_t *pubKey, + uint8_t *r, + uint8_t *s +) +{ + uint64_t publicKeyAsFelem[8U] = { 0U }; + uint64_t *publicKeyFelemX = publicKeyAsFelem; + uint64_t *publicKeyFelemY = publicKeyAsFelem + (uint32_t)4U; + uint64_t rAsFelem[4U] = { 0U }; + uint64_t sAsFelem[4U] = { 0U }; + uint8_t *pubKeyX = pubKey; + uint8_t *pubKeyY = pubKey + (uint32_t)32U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyX, publicKeyFelemX); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyY, publicKeyFelemY); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(r, rAsFelem); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(s, sAsFelem); + bool + result = + ecdsa_verification_(((Spec_ECDSA_hash_alg_ecdsa){ .tag = Spec_ECDSA_NoHash }), + publicKeyAsFelem, + rAsFelem, + sAsFelem, + mLen, + m); + return result; +} + + +/******************/ +/* Key validation */ +/******************/ + + +/* +Validate a public key. + + + The input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over the input. + + Input: pub(lic)Key: uint8[64]. + + Output: bool, where 0 stands for the public key to be correct with respect to SP 800-56A: + Verify that the public key is not the “point at infinity”, represented as O. + Verify that the affine x and y coordinates of the point represented by the public key are in the range [0, p – 1] where p is the prime defining the finite field. + Verify that y2 = x3 + ax + b where a and b are the coefficients of the curve equation. + Verify that nQ = O (the point at infinity), where n is the order of the curve and Q is the public key point. 
+ + The last extract is taken from : https://neilmadden.blog/2017/05/17/so-how-do-you-validate-nist-ecdh-public-keys/ +*/ +bool Hacl_P256_validate_public_key(uint8_t *pubKey) +{ + uint8_t *pubKeyX = pubKey; + uint8_t *pubKeyY = pubKey + (uint32_t)32U; + uint64_t tempBuffer[120U] = { 0U }; + uint64_t *tempBufferV = tempBuffer; + uint64_t *publicKeyJ = tempBuffer + (uint32_t)100U; + uint64_t *publicKeyB = tempBuffer + (uint32_t)112U; + uint64_t *publicKeyX = publicKeyB; + uint64_t *publicKeyY = publicKeyB + (uint32_t)4U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyX, publicKeyX); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyY, publicKeyY); + bufferToJac(publicKeyB, publicKeyJ); + bool r = verifyQValidCurvePoint(publicKeyJ, tempBufferV); + return r; +} + +/* +Validate a private key, e.g. prior to signing. + +Input: scalar: uint8[32]. + + Output: bool, where true stands for the scalar to be more than 0 and less than order. +*/ +bool Hacl_P256_validate_private_key(uint8_t *x) +{ + return isMoreThanZeroLessThanOrder(x); +} + + +/*****************************************/ +/* Point representations and conversions */ +/*****************************************/ + +/* + Elliptic curve points have 2 32-byte coordinates (x, y) and can be represented in 3 ways: + + - "raw" form (64 bytes): the concatenation of the 2 coordinates, also known as "internal" + - "compressed" form (33 bytes): first the sign byte of y (either 0x02 or 0x03), followed by x + - "uncompressed" form (65 bytes): first a constant byte (always 0x04), followed by the "raw" form + + For all of the conversation functions below, the input and output MUST NOT overlap. +*/ + + +/* +Convert 65-byte uncompressed to raw. + +The function errors out if the first byte is incorrect, or if the resulting point is invalid. + + + + Input: a point in not compressed form (uint8[65]), + result: uint8[64] (internal point representation). + + Output: bool, where true stands for the correct decompression. 
+ +*/ +bool Hacl_P256_uncompressed_to_raw(uint8_t *b, uint8_t *result) +{ + uint8_t compressionIdentifier = b[0U]; + bool correctIdentifier = (uint8_t)4U == compressionIdentifier; + if (correctIdentifier) + { + memcpy(result, b + (uint32_t)1U, (uint32_t)64U * sizeof (uint8_t)); + } + return correctIdentifier; +} + +/* +Convert 33-byte compressed to raw. + +The function errors out if the first byte is incorrect, or if the resulting point is invalid. + +Input: a point in compressed form (uint8[33]), + result: uint8[64] (internal point representation). + + Output: bool, where true stands for the correct decompression. + +*/ +bool Hacl_P256_compressed_to_raw(uint8_t *b, uint8_t *result) +{ + uint64_t temp[8U] = { 0U }; + uint64_t *t0 = temp; + uint64_t *t1 = temp + (uint32_t)4U; + uint8_t compressedIdentifier = b[0U]; + uint8_t correctIdentifier2 = FStar_UInt8_eq_mask((uint8_t)2U, compressedIdentifier); + uint8_t correctIdentifier3 = FStar_UInt8_eq_mask((uint8_t)3U, compressedIdentifier); + uint8_t isIdentifierCorrect = correctIdentifier2 | correctIdentifier3; + bool flag = isIdentifierCorrect == (uint8_t)255U; + if (flag) + { + uint8_t *x = b + (uint32_t)1U; + memcpy(result, x, (uint32_t)32U * sizeof (uint8_t)); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(x, t0); + uint64_t tempBuffer[4U] = { 0U }; + uint64_t carry = sub4_il(t0, prime256_buffer, tempBuffer); + bool lessThanPrimeXCoordinate = carry == (uint64_t)1U; + if (!lessThanPrimeXCoordinate) + { + return false; + } + uint64_t multBuffer[8U] = { 0U }; + shift_256_impl(t0, multBuffer); + solinas_reduction_impl(multBuffer, t0); + uint64_t identifierBit = (uint64_t)(compressedIdentifier & (uint8_t)1U); + computeYFromX(t0, t1, identifierBit); + Hacl_Impl_P256_LowLevel_changeEndian(t1); + Hacl_Impl_P256_LowLevel_toUint8(t1, result + (uint32_t)32U); + return true; + } + return false; +} + +/* +Convert raw to 65-byte uncompressed. + +This function effectively prepends a 0x04 byte. 
+ +Input: a point buffer (internal representation: uint8[64]), + result: a point in not compressed form (uint8[65]). +*/ +void Hacl_P256_raw_to_uncompressed(uint8_t *b, uint8_t *result) +{ + uint8_t *to = result + (uint32_t)1U; + memcpy(to, b, (uint32_t)64U * sizeof (uint8_t)); + result[0U] = (uint8_t)4U; +} + +/* +Convert raw to 33-byte compressed. + + Input: `b`, the pointer buffer in internal representation, of type `uint8[64]` + Output: `result`, a point in compressed form, of type `uint8[33]` + +*/ +void Hacl_P256_raw_to_compressed(uint8_t *b, uint8_t *result) +{ + uint8_t *y = b + (uint32_t)32U; + uint8_t lastWordY = y[31U]; + uint8_t lastBitY = lastWordY & (uint8_t)1U; + uint8_t identifier = lastBitY + (uint8_t)2U; + memcpy(result + (uint32_t)1U, b, (uint32_t)32U * sizeof (uint8_t)); + result[0U] = identifier; +} + + +/******************/ +/* ECDH agreement */ +/******************/ + +/* +Convert a private key into a raw public key. + +This function performs no key validation. + + Input: `scalar`, the private key, of type `uint8[32]`. + Output: `result`, the public key, of type `uint8[64]`. + Returns: + - `true`, for success, meaning the public key is not a point at infinity + - `false`, otherwise. + + `scalar` and `result` MUST NOT overlap. 
+*/ +bool Hacl_P256_dh_initiator(uint8_t *result, uint8_t *scalar) +{ + uint64_t tempBuffer[100U] = { 0U }; + uint64_t resultBuffer[12U] = { 0U }; + uint64_t *resultBufferX = resultBuffer; + uint64_t *resultBufferY = resultBuffer + (uint32_t)4U; + uint8_t *resultX = result; + uint8_t *resultY = result + (uint32_t)32U; + Hacl_Impl_P256_Core_secretToPublic(resultBuffer, scalar, tempBuffer); + uint64_t flag = Hacl_Impl_P256_Core_isPointAtInfinityPrivate(resultBuffer); + Hacl_Impl_P256_LowLevel_changeEndian(resultBufferX); + Hacl_Impl_P256_LowLevel_changeEndian(resultBufferY); + Hacl_Impl_P256_LowLevel_toUint8(resultBufferX, resultX); + Hacl_Impl_P256_LowLevel_toUint8(resultBufferY, resultY); + return flag == (uint64_t)0U; +} + +/* +ECDH key agreement. + +This function takes a 32-byte secret key, another party's 64-byte raw public +key, and computeds the 64-byte ECDH shared key. + +This function ONLY validates the public key. + + The pub(lic)_key input of the function is considered to be public, + thus this code is not secret independent with respect to the operations done over this variable. + + Input: result: uint8[64], + pub(lic)Key: uint8[64], + scalar: uint8[32]. + + Output: bool, where True stands for the correct key generation. False value means that an error has occurred (possibly the provided public key was incorrect or the result represents point at infinity). 
+ +*/ +bool Hacl_P256_dh_responder(uint8_t *result, uint8_t *pubKey, uint8_t *scalar) +{ + uint64_t resultBufferFelem[12U] = { 0U }; + uint64_t *resultBufferFelemX = resultBufferFelem; + uint64_t *resultBufferFelemY = resultBufferFelem + (uint32_t)4U; + uint8_t *resultX = result; + uint8_t *resultY = result + (uint32_t)32U; + uint64_t publicKeyAsFelem[8U] = { 0U }; + uint64_t *publicKeyFelemX = publicKeyAsFelem; + uint64_t *publicKeyFelemY = publicKeyAsFelem + (uint32_t)4U; + uint8_t *pubKeyX = pubKey; + uint8_t *pubKeyY = pubKey + (uint32_t)32U; + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyX, publicKeyFelemX); + Hacl_Impl_P256_LowLevel_toUint64ChangeEndian(pubKeyY, publicKeyFelemY); + uint64_t flag = Hacl_Impl_P256_DH__ecp256dh_r(resultBufferFelem, publicKeyAsFelem, scalar); + Hacl_Impl_P256_LowLevel_changeEndian(resultBufferFelemX); + Hacl_Impl_P256_LowLevel_changeEndian(resultBufferFelemY); + Hacl_Impl_P256_LowLevel_toUint8(resultBufferFelemX, resultX); + Hacl_Impl_P256_LowLevel_toUint8(resultBufferFelemY, resultY); + return flag == (uint64_t)0U; +} + diff --git a/src/msvc/Hacl_Poly1305_128.c b/src/msvc/Hacl_Poly1305_128.c new file mode 100644 index 00000000..46f6e187 --- /dev/null +++ b/src/msvc/Hacl_Poly1305_128.c 
@@ -0,0 +1,1632 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Poly1305_128.h" + + + +void +Hacl_Impl_Poly1305_Field32xN_128_load_acc2(Lib_IntVector_Intrinsics_vec128 *acc, uint8_t *b) +{ + Lib_IntVector_Intrinsics_vec128 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + Lib_IntVector_Intrinsics_vec128 b1 = Lib_IntVector_Intrinsics_vec128_load64_le(b); + Lib_IntVector_Intrinsics_vec128 + b2 = Lib_IntVector_Intrinsics_vec128_load64_le(b + (uint32_t)16U); + Lib_IntVector_Intrinsics_vec128 lo = Lib_IntVector_Intrinsics_vec128_interleave_low64(b1, b2); + Lib_IntVector_Intrinsics_vec128 hi = Lib_IntVector_Intrinsics_vec128_interleave_high64(b1, b2); + Lib_IntVector_Intrinsics_vec128 + f00 = + Lib_IntVector_Intrinsics_vec128_and(lo, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f10 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(lo, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f20 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(lo, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(hi, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(hi, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(hi, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f02 = f00; + Lib_IntVector_Intrinsics_vec128 f12 = f10; + Lib_IntVector_Intrinsics_vec128 f22 = f20; + Lib_IntVector_Intrinsics_vec128 f32 = f30; + Lib_IntVector_Intrinsics_vec128 f42 = f40; + e[0U] = f02; + e[1U] = f12; + e[2U] = f22; + e[3U] = f32; + e[4U] = f42; + uint64_t b10 = 
(uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b10); + Lib_IntVector_Intrinsics_vec128 f43 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec128_or(f43, mask); + Lib_IntVector_Intrinsics_vec128 acc0 = acc[0U]; + Lib_IntVector_Intrinsics_vec128 acc1 = acc[1U]; + Lib_IntVector_Intrinsics_vec128 acc2 = acc[2U]; + Lib_IntVector_Intrinsics_vec128 acc3 = acc[3U]; + Lib_IntVector_Intrinsics_vec128 acc4 = acc[4U]; + Lib_IntVector_Intrinsics_vec128 e0 = e[0U]; + Lib_IntVector_Intrinsics_vec128 e1 = e[1U]; + Lib_IntVector_Intrinsics_vec128 e2 = e[2U]; + Lib_IntVector_Intrinsics_vec128 e3 = e[3U]; + Lib_IntVector_Intrinsics_vec128 e4 = e[4U]; + Lib_IntVector_Intrinsics_vec128 + f0 = Lib_IntVector_Intrinsics_vec128_insert64(acc0, (uint64_t)0U, (uint32_t)1U); + Lib_IntVector_Intrinsics_vec128 + f1 = Lib_IntVector_Intrinsics_vec128_insert64(acc1, (uint64_t)0U, (uint32_t)1U); + Lib_IntVector_Intrinsics_vec128 + f2 = Lib_IntVector_Intrinsics_vec128_insert64(acc2, (uint64_t)0U, (uint32_t)1U); + Lib_IntVector_Intrinsics_vec128 + f3 = Lib_IntVector_Intrinsics_vec128_insert64(acc3, (uint64_t)0U, (uint32_t)1U); + Lib_IntVector_Intrinsics_vec128 + f4 = Lib_IntVector_Intrinsics_vec128_insert64(acc4, (uint64_t)0U, (uint32_t)1U); + Lib_IntVector_Intrinsics_vec128 f01 = Lib_IntVector_Intrinsics_vec128_add64(f0, e0); + Lib_IntVector_Intrinsics_vec128 f11 = Lib_IntVector_Intrinsics_vec128_add64(f1, e1); + Lib_IntVector_Intrinsics_vec128 f21 = Lib_IntVector_Intrinsics_vec128_add64(f2, e2); + Lib_IntVector_Intrinsics_vec128 f31 = Lib_IntVector_Intrinsics_vec128_add64(f3, e3); + Lib_IntVector_Intrinsics_vec128 f41 = Lib_IntVector_Intrinsics_vec128_add64(f4, e4); + Lib_IntVector_Intrinsics_vec128 acc01 = f01; + Lib_IntVector_Intrinsics_vec128 acc11 = f11; + Lib_IntVector_Intrinsics_vec128 acc21 = f21; + Lib_IntVector_Intrinsics_vec128 acc31 = f31; + Lib_IntVector_Intrinsics_vec128 acc41 = f41; + acc[0U] = acc01; + acc[1U] = acc11; + acc[2U] = 
acc21; + acc[3U] = acc31; + acc[4U] = acc41; +} + +void +Hacl_Impl_Poly1305_Field32xN_128_fmul_r2_normalize( + Lib_IntVector_Intrinsics_vec128 *out, + Lib_IntVector_Intrinsics_vec128 *p +) +{ + Lib_IntVector_Intrinsics_vec128 *r = p; + Lib_IntVector_Intrinsics_vec128 *r2 = p + (uint32_t)10U; + Lib_IntVector_Intrinsics_vec128 a0 = out[0U]; + Lib_IntVector_Intrinsics_vec128 a1 = out[1U]; + Lib_IntVector_Intrinsics_vec128 a2 = out[2U]; + Lib_IntVector_Intrinsics_vec128 a3 = out[3U]; + Lib_IntVector_Intrinsics_vec128 a4 = out[4U]; + Lib_IntVector_Intrinsics_vec128 r10 = r[0U]; + Lib_IntVector_Intrinsics_vec128 r11 = r[1U]; + Lib_IntVector_Intrinsics_vec128 r12 = r[2U]; + Lib_IntVector_Intrinsics_vec128 r13 = r[3U]; + Lib_IntVector_Intrinsics_vec128 r14 = r[4U]; + Lib_IntVector_Intrinsics_vec128 r20 = r2[0U]; + Lib_IntVector_Intrinsics_vec128 r21 = r2[1U]; + Lib_IntVector_Intrinsics_vec128 r22 = r2[2U]; + Lib_IntVector_Intrinsics_vec128 r23 = r2[3U]; + Lib_IntVector_Intrinsics_vec128 r24 = r2[4U]; + Lib_IntVector_Intrinsics_vec128 + r201 = Lib_IntVector_Intrinsics_vec128_interleave_low64(r20, r10); + Lib_IntVector_Intrinsics_vec128 + r211 = Lib_IntVector_Intrinsics_vec128_interleave_low64(r21, r11); + Lib_IntVector_Intrinsics_vec128 + r221 = Lib_IntVector_Intrinsics_vec128_interleave_low64(r22, r12); + Lib_IntVector_Intrinsics_vec128 + r231 = Lib_IntVector_Intrinsics_vec128_interleave_low64(r23, r13); + Lib_IntVector_Intrinsics_vec128 + r241 = Lib_IntVector_Intrinsics_vec128_interleave_low64(r24, r14); + Lib_IntVector_Intrinsics_vec128 + r251 = Lib_IntVector_Intrinsics_vec128_smul64(r211, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec128 + r252 = Lib_IntVector_Intrinsics_vec128_smul64(r221, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec128 + r253 = Lib_IntVector_Intrinsics_vec128_smul64(r231, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec128 + r254 = Lib_IntVector_Intrinsics_vec128_smul64(r241, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec128 a01 = 
Lib_IntVector_Intrinsics_vec128_mul64(r201, a0); + Lib_IntVector_Intrinsics_vec128 a11 = Lib_IntVector_Intrinsics_vec128_mul64(r211, a0); + Lib_IntVector_Intrinsics_vec128 a21 = Lib_IntVector_Intrinsics_vec128_mul64(r221, a0); + Lib_IntVector_Intrinsics_vec128 a31 = Lib_IntVector_Intrinsics_vec128_mul64(r231, a0); + Lib_IntVector_Intrinsics_vec128 a41 = Lib_IntVector_Intrinsics_vec128_mul64(r241, a0); + Lib_IntVector_Intrinsics_vec128 + a02 = + Lib_IntVector_Intrinsics_vec128_add64(a01, + Lib_IntVector_Intrinsics_vec128_mul64(r254, a1)); + Lib_IntVector_Intrinsics_vec128 + a12 = + Lib_IntVector_Intrinsics_vec128_add64(a11, + Lib_IntVector_Intrinsics_vec128_mul64(r201, a1)); + Lib_IntVector_Intrinsics_vec128 + a22 = + Lib_IntVector_Intrinsics_vec128_add64(a21, + Lib_IntVector_Intrinsics_vec128_mul64(r211, a1)); + Lib_IntVector_Intrinsics_vec128 + a32 = + Lib_IntVector_Intrinsics_vec128_add64(a31, + Lib_IntVector_Intrinsics_vec128_mul64(r221, a1)); + Lib_IntVector_Intrinsics_vec128 + a42 = + Lib_IntVector_Intrinsics_vec128_add64(a41, + Lib_IntVector_Intrinsics_vec128_mul64(r231, a1)); + Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r253, a2)); + Lib_IntVector_Intrinsics_vec128 + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r254, a2)); + Lib_IntVector_Intrinsics_vec128 + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r201, a2)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r211, a2)); + Lib_IntVector_Intrinsics_vec128 + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r221, a2)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r252, a3)); + Lib_IntVector_Intrinsics_vec128 + a14 = + 
Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r253, a3)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r254, a3)); + Lib_IntVector_Intrinsics_vec128 + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r201, a3)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r211, a3)); + Lib_IntVector_Intrinsics_vec128 + a05 = + Lib_IntVector_Intrinsics_vec128_add64(a04, + Lib_IntVector_Intrinsics_vec128_mul64(r251, a4)); + Lib_IntVector_Intrinsics_vec128 + a15 = + Lib_IntVector_Intrinsics_vec128_add64(a14, + Lib_IntVector_Intrinsics_vec128_mul64(r252, a4)); + Lib_IntVector_Intrinsics_vec128 + a25 = + Lib_IntVector_Intrinsics_vec128_add64(a24, + Lib_IntVector_Intrinsics_vec128_mul64(r253, a4)); + Lib_IntVector_Intrinsics_vec128 + a35 = + Lib_IntVector_Intrinsics_vec128_add64(a34, + Lib_IntVector_Intrinsics_vec128_mul64(r254, a4)); + Lib_IntVector_Intrinsics_vec128 + a45 = + Lib_IntVector_Intrinsics_vec128_add64(a44, + Lib_IntVector_Intrinsics_vec128_mul64(r201, a4)); + Lib_IntVector_Intrinsics_vec128 t0 = a05; + Lib_IntVector_Intrinsics_vec128 t1 = a15; + Lib_IntVector_Intrinsics_vec128 t2 = a25; + Lib_IntVector_Intrinsics_vec128 t3 = a35; + Lib_IntVector_Intrinsics_vec128 t4 = a45; + Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t0, mask26); + Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = 
Lib_IntVector_Intrinsics_vec128_add64(t1, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + Lib_IntVector_Intrinsics_vec128 o0 = x02; + Lib_IntVector_Intrinsics_vec128 o10 = x12; + Lib_IntVector_Intrinsics_vec128 o20 = x21; + Lib_IntVector_Intrinsics_vec128 o30 = x32; + Lib_IntVector_Intrinsics_vec128 o40 = x42; + 
Lib_IntVector_Intrinsics_vec128 + o01 = + Lib_IntVector_Intrinsics_vec128_add64(o0, + Lib_IntVector_Intrinsics_vec128_interleave_high64(o0, o0)); + Lib_IntVector_Intrinsics_vec128 + o11 = + Lib_IntVector_Intrinsics_vec128_add64(o10, + Lib_IntVector_Intrinsics_vec128_interleave_high64(o10, o10)); + Lib_IntVector_Intrinsics_vec128 + o21 = + Lib_IntVector_Intrinsics_vec128_add64(o20, + Lib_IntVector_Intrinsics_vec128_interleave_high64(o20, o20)); + Lib_IntVector_Intrinsics_vec128 + o31 = + Lib_IntVector_Intrinsics_vec128_add64(o30, + Lib_IntVector_Intrinsics_vec128_interleave_high64(o30, o30)); + Lib_IntVector_Intrinsics_vec128 + o41 = + Lib_IntVector_Intrinsics_vec128_add64(o40, + Lib_IntVector_Intrinsics_vec128_interleave_high64(o40, o40)); + Lib_IntVector_Intrinsics_vec128 + l = Lib_IntVector_Intrinsics_vec128_add64(o01, Lib_IntVector_Intrinsics_vec128_zero); + Lib_IntVector_Intrinsics_vec128 + tmp0 = + Lib_IntVector_Intrinsics_vec128_and(l, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c0 = Lib_IntVector_Intrinsics_vec128_shift_right64(l, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l0 = Lib_IntVector_Intrinsics_vec128_add64(o11, c0); + Lib_IntVector_Intrinsics_vec128 + tmp1 = + Lib_IntVector_Intrinsics_vec128_and(l0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c1 = Lib_IntVector_Intrinsics_vec128_shift_right64(l0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l1 = Lib_IntVector_Intrinsics_vec128_add64(o21, c1); + Lib_IntVector_Intrinsics_vec128 + tmp2 = + Lib_IntVector_Intrinsics_vec128_and(l1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c2 = Lib_IntVector_Intrinsics_vec128_shift_right64(l1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l2 = Lib_IntVector_Intrinsics_vec128_add64(o31, c2); + Lib_IntVector_Intrinsics_vec128 + tmp3 = + Lib_IntVector_Intrinsics_vec128_and(l2, + 
Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c3 = Lib_IntVector_Intrinsics_vec128_shift_right64(l2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l3 = Lib_IntVector_Intrinsics_vec128_add64(o41, c3); + Lib_IntVector_Intrinsics_vec128 + tmp4 = + Lib_IntVector_Intrinsics_vec128_and(l3, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c4 = Lib_IntVector_Intrinsics_vec128_shift_right64(l3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + o00 = + Lib_IntVector_Intrinsics_vec128_add64(tmp0, + Lib_IntVector_Intrinsics_vec128_smul64(c4, (uint64_t)5U)); + Lib_IntVector_Intrinsics_vec128 o1 = tmp1; + Lib_IntVector_Intrinsics_vec128 o2 = tmp2; + Lib_IntVector_Intrinsics_vec128 o3 = tmp3; + Lib_IntVector_Intrinsics_vec128 o4 = tmp4; + out[0U] = o00; + out[1U] = o1; + out[2U] = o2; + out[3U] = o3; + out[4U] = o4; +} + +uint32_t Hacl_Poly1305_128_blocklen = (uint32_t)16U; + +void Hacl_Poly1305_128_poly1305_init(Lib_IntVector_Intrinsics_vec128 *ctx, uint8_t *key) +{ + Lib_IntVector_Intrinsics_vec128 *acc = ctx; + Lib_IntVector_Intrinsics_vec128 *pre = ctx + (uint32_t)5U; + uint8_t *kr = key; + acc[0U] = Lib_IntVector_Intrinsics_vec128_zero; + acc[1U] = Lib_IntVector_Intrinsics_vec128_zero; + acc[2U] = Lib_IntVector_Intrinsics_vec128_zero; + acc[3U] = Lib_IntVector_Intrinsics_vec128_zero; + acc[4U] = Lib_IntVector_Intrinsics_vec128_zero; + uint64_t u0 = load64_le(kr); + uint64_t lo = u0; + uint64_t u = load64_le(kr + (uint32_t)8U); + uint64_t hi = u; + uint64_t mask0 = (uint64_t)0x0ffffffc0fffffffU; + uint64_t mask1 = (uint64_t)0x0ffffffc0ffffffcU; + uint64_t lo1 = lo & mask0; + uint64_t hi1 = hi & mask1; + Lib_IntVector_Intrinsics_vec128 *r = pre; + Lib_IntVector_Intrinsics_vec128 *r5 = pre + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 *rn = pre + (uint32_t)10U; + Lib_IntVector_Intrinsics_vec128 *rn_5 = pre + (uint32_t)15U; + Lib_IntVector_Intrinsics_vec128 r_vec0 = 
Lib_IntVector_Intrinsics_vec128_load64(lo1); + Lib_IntVector_Intrinsics_vec128 r_vec1 = Lib_IntVector_Intrinsics_vec128_load64(hi1); + Lib_IntVector_Intrinsics_vec128 + f00 = + Lib_IntVector_Intrinsics_vec128_and(r_vec0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f15 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(r_vec0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f20 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(r_vec0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(r_vec1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(r_vec1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(r_vec1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f0 = f00; + Lib_IntVector_Intrinsics_vec128 f1 = f15; + Lib_IntVector_Intrinsics_vec128 f2 = f20; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f4 = f40; + r[0U] = f0; + r[1U] = f1; + r[2U] = f2; + r[3U] = f3; + r[4U] = f4; + Lib_IntVector_Intrinsics_vec128 f200 = r[0U]; + Lib_IntVector_Intrinsics_vec128 f210 = r[1U]; + Lib_IntVector_Intrinsics_vec128 f220 = r[2U]; + Lib_IntVector_Intrinsics_vec128 f230 = r[3U]; + Lib_IntVector_Intrinsics_vec128 f240 = r[4U]; + r5[0U] = Lib_IntVector_Intrinsics_vec128_smul64(f200, (uint64_t)5U); + r5[1U] = Lib_IntVector_Intrinsics_vec128_smul64(f210, (uint64_t)5U); + r5[2U] = Lib_IntVector_Intrinsics_vec128_smul64(f220, (uint64_t)5U); + r5[3U] = Lib_IntVector_Intrinsics_vec128_smul64(f230, (uint64_t)5U); + r5[4U] = 
Lib_IntVector_Intrinsics_vec128_smul64(f240, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec128 r0 = r[0U]; + Lib_IntVector_Intrinsics_vec128 r1 = r[1U]; + Lib_IntVector_Intrinsics_vec128 r2 = r[2U]; + Lib_IntVector_Intrinsics_vec128 r3 = r[3U]; + Lib_IntVector_Intrinsics_vec128 r4 = r[4U]; + Lib_IntVector_Intrinsics_vec128 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec128 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec128 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec128 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec128 f10 = r[0U]; + Lib_IntVector_Intrinsics_vec128 f11 = r[1U]; + Lib_IntVector_Intrinsics_vec128 f12 = r[2U]; + Lib_IntVector_Intrinsics_vec128 f13 = r[3U]; + Lib_IntVector_Intrinsics_vec128 f14 = r[4U]; + Lib_IntVector_Intrinsics_vec128 a0 = Lib_IntVector_Intrinsics_vec128_mul64(r0, f10); + Lib_IntVector_Intrinsics_vec128 a1 = Lib_IntVector_Intrinsics_vec128_mul64(r1, f10); + Lib_IntVector_Intrinsics_vec128 a2 = Lib_IntVector_Intrinsics_vec128_mul64(r2, f10); + Lib_IntVector_Intrinsics_vec128 a3 = Lib_IntVector_Intrinsics_vec128_mul64(r3, f10); + Lib_IntVector_Intrinsics_vec128 a4 = Lib_IntVector_Intrinsics_vec128_mul64(r4, f10); + Lib_IntVector_Intrinsics_vec128 + a01 = + Lib_IntVector_Intrinsics_vec128_add64(a0, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f11)); + Lib_IntVector_Intrinsics_vec128 + a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, Lib_IntVector_Intrinsics_vec128_mul64(r0, f11)); + Lib_IntVector_Intrinsics_vec128 + a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, Lib_IntVector_Intrinsics_vec128_mul64(r1, f11)); + Lib_IntVector_Intrinsics_vec128 + a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, Lib_IntVector_Intrinsics_vec128_mul64(r2, f11)); + Lib_IntVector_Intrinsics_vec128 + a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, Lib_IntVector_Intrinsics_vec128_mul64(r3, f11)); + Lib_IntVector_Intrinsics_vec128 + a02 = + Lib_IntVector_Intrinsics_vec128_add64(a01, + Lib_IntVector_Intrinsics_vec128_mul64(r53, f12)); + Lib_IntVector_Intrinsics_vec128 + 
a12 = + Lib_IntVector_Intrinsics_vec128_add64(a11, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f12)); + Lib_IntVector_Intrinsics_vec128 + a22 = + Lib_IntVector_Intrinsics_vec128_add64(a21, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f12)); + Lib_IntVector_Intrinsics_vec128 + a32 = + Lib_IntVector_Intrinsics_vec128_add64(a31, + Lib_IntVector_Intrinsics_vec128_mul64(r1, f12)); + Lib_IntVector_Intrinsics_vec128 + a42 = + Lib_IntVector_Intrinsics_vec128_add64(a41, + Lib_IntVector_Intrinsics_vec128_mul64(r2, f12)); + Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r52, f13)); + Lib_IntVector_Intrinsics_vec128 + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r53, f13)); + Lib_IntVector_Intrinsics_vec128 + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f13)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f13)); + Lib_IntVector_Intrinsics_vec128 + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r1, f13)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r51, f14)); + Lib_IntVector_Intrinsics_vec128 + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r52, f14)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r53, f14)); + Lib_IntVector_Intrinsics_vec128 + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f14)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f14)); + Lib_IntVector_Intrinsics_vec128 t0 = a04; + Lib_IntVector_Intrinsics_vec128 t1 = a14; + 
Lib_IntVector_Intrinsics_vec128 t2 = a24; + Lib_IntVector_Intrinsics_vec128 t3 = a34; + Lib_IntVector_Intrinsics_vec128 t4 = a44; + Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t0, mask26); + Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t1, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 x31 = 
Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + Lib_IntVector_Intrinsics_vec128 o0 = x02; + Lib_IntVector_Intrinsics_vec128 o1 = x12; + Lib_IntVector_Intrinsics_vec128 o2 = x21; + Lib_IntVector_Intrinsics_vec128 o3 = x32; + Lib_IntVector_Intrinsics_vec128 o4 = x42; + rn[0U] = o0; + rn[1U] = o1; + rn[2U] = o2; + rn[3U] = o3; + rn[4U] = o4; + Lib_IntVector_Intrinsics_vec128 f201 = rn[0U]; + Lib_IntVector_Intrinsics_vec128 f21 = rn[1U]; + Lib_IntVector_Intrinsics_vec128 f22 = rn[2U]; + Lib_IntVector_Intrinsics_vec128 f23 = rn[3U]; + Lib_IntVector_Intrinsics_vec128 f24 = rn[4U]; + rn_5[0U] = Lib_IntVector_Intrinsics_vec128_smul64(f201, (uint64_t)5U); + rn_5[1U] = Lib_IntVector_Intrinsics_vec128_smul64(f21, (uint64_t)5U); + rn_5[2U] = Lib_IntVector_Intrinsics_vec128_smul64(f22, (uint64_t)5U); + rn_5[3U] = Lib_IntVector_Intrinsics_vec128_smul64(f23, (uint64_t)5U); + rn_5[4U] = Lib_IntVector_Intrinsics_vec128_smul64(f24, (uint64_t)5U); +} + +void Hacl_Poly1305_128_poly1305_update1(Lib_IntVector_Intrinsics_vec128 *ctx, uint8_t *text) +{ + Lib_IntVector_Intrinsics_vec128 *pre = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 *acc = ctx; + Lib_IntVector_Intrinsics_vec128 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + uint64_t u0 = load64_le(text); + uint64_t lo = u0; + uint64_t u = load64_le(text + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec128 f0 = Lib_IntVector_Intrinsics_vec128_load64(lo); + Lib_IntVector_Intrinsics_vec128 f1 = Lib_IntVector_Intrinsics_vec128_load64(hi); + Lib_IntVector_Intrinsics_vec128 + f010 = + 
Lib_IntVector_Intrinsics_vec128_and(f0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f110 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f20 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(f1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f01 = f010; + Lib_IntVector_Intrinsics_vec128 f111 = f110; + Lib_IntVector_Intrinsics_vec128 f2 = f20; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b); + Lib_IntVector_Intrinsics_vec128 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec128_or(f4, mask); + Lib_IntVector_Intrinsics_vec128 *r = pre; + Lib_IntVector_Intrinsics_vec128 *r5 = pre + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 r0 = r[0U]; + Lib_IntVector_Intrinsics_vec128 r1 = r[1U]; + Lib_IntVector_Intrinsics_vec128 r2 = r[2U]; + Lib_IntVector_Intrinsics_vec128 r3 = r[3U]; + Lib_IntVector_Intrinsics_vec128 r4 = r[4U]; + Lib_IntVector_Intrinsics_vec128 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec128 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec128 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec128 r54 = 
r5[4U]; + Lib_IntVector_Intrinsics_vec128 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec128 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec128 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec128 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec128 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec128 a0 = acc[0U]; + Lib_IntVector_Intrinsics_vec128 a1 = acc[1U]; + Lib_IntVector_Intrinsics_vec128 a2 = acc[2U]; + Lib_IntVector_Intrinsics_vec128 a3 = acc[3U]; + Lib_IntVector_Intrinsics_vec128 a4 = acc[4U]; + Lib_IntVector_Intrinsics_vec128 a01 = Lib_IntVector_Intrinsics_vec128_add64(a0, f10); + Lib_IntVector_Intrinsics_vec128 a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, f11); + Lib_IntVector_Intrinsics_vec128 a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, f12); + Lib_IntVector_Intrinsics_vec128 a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, f13); + Lib_IntVector_Intrinsics_vec128 a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, f14); + Lib_IntVector_Intrinsics_vec128 a02 = Lib_IntVector_Intrinsics_vec128_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec128 a12 = Lib_IntVector_Intrinsics_vec128_mul64(r1, a01); + Lib_IntVector_Intrinsics_vec128 a22 = Lib_IntVector_Intrinsics_vec128_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec128 a32 = Lib_IntVector_Intrinsics_vec128_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec128 a42 = Lib_IntVector_Intrinsics_vec128_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec128 + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec128 + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a11)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec128 + a43 = + 
Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec128 + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec128 + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a21)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec128 + a05 = + Lib_IntVector_Intrinsics_vec128_add64(a04, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec128 + a15 = + Lib_IntVector_Intrinsics_vec128_add64(a14, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec128 + a25 = + Lib_IntVector_Intrinsics_vec128_add64(a24, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec128 + a35 = + Lib_IntVector_Intrinsics_vec128_add64(a34, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec128 + a45 = + Lib_IntVector_Intrinsics_vec128_add64(a44, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a31)); + Lib_IntVector_Intrinsics_vec128 + a06 = + Lib_IntVector_Intrinsics_vec128_add64(a05, + Lib_IntVector_Intrinsics_vec128_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec128 + a16 = + Lib_IntVector_Intrinsics_vec128_add64(a15, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec128 + a26 = + Lib_IntVector_Intrinsics_vec128_add64(a25, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec128 + a36 = + Lib_IntVector_Intrinsics_vec128_add64(a35, + 
Lib_IntVector_Intrinsics_vec128_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec128 + a46 = + Lib_IntVector_Intrinsics_vec128_add64(a45, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec128 t0 = a06; + Lib_IntVector_Intrinsics_vec128 t1 = a16; + Lib_IntVector_Intrinsics_vec128 t2 = a26; + Lib_IntVector_Intrinsics_vec128 t3 = a36; + Lib_IntVector_Intrinsics_vec128 t4 = a46; + Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t0, mask26); + Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t1, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = 
Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + Lib_IntVector_Intrinsics_vec128 o0 = x02; + Lib_IntVector_Intrinsics_vec128 o1 = x12; + Lib_IntVector_Intrinsics_vec128 o2 = x21; + Lib_IntVector_Intrinsics_vec128 o3 = x32; + Lib_IntVector_Intrinsics_vec128 o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; +} + +void +Hacl_Poly1305_128_poly1305_update( + Lib_IntVector_Intrinsics_vec128 *ctx, + uint32_t len, + uint8_t *text +) +{ + Lib_IntVector_Intrinsics_vec128 *pre = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 *acc = ctx; + uint32_t sz_block = (uint32_t)32U; + uint32_t len0 = len / sz_block * sz_block; + uint8_t *t0 = text; + if (len0 > (uint32_t)0U) + { + uint32_t bs = (uint32_t)32U; + uint8_t *text0 = t0; + Hacl_Impl_Poly1305_Field32xN_128_load_acc2(acc, text0); + uint32_t len1 = len0 - bs; + uint8_t *text1 = t0 + bs; + uint32_t nb = len1 / bs; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = text1 + i * bs; + Lib_IntVector_Intrinsics_vec128 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + Lib_IntVector_Intrinsics_vec128 b1 = Lib_IntVector_Intrinsics_vec128_load64_le(block); + Lib_IntVector_Intrinsics_vec128 + b2 = Lib_IntVector_Intrinsics_vec128_load64_le(block + (uint32_t)16U); + 
Lib_IntVector_Intrinsics_vec128 lo = Lib_IntVector_Intrinsics_vec128_interleave_low64(b1, b2); + Lib_IntVector_Intrinsics_vec128 + hi = Lib_IntVector_Intrinsics_vec128_interleave_high64(b1, b2); + Lib_IntVector_Intrinsics_vec128 + f00 = + Lib_IntVector_Intrinsics_vec128_and(lo, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f15 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(lo, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f25 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(lo, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(hi, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(hi, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(hi, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f0 = f00; + Lib_IntVector_Intrinsics_vec128 f1 = f15; + Lib_IntVector_Intrinsics_vec128 f2 = f25; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f41 = f40; + e[0U] = f0; + e[1U] = f1; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b); + Lib_IntVector_Intrinsics_vec128 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec128_or(f4, mask); + Lib_IntVector_Intrinsics_vec128 *rn = pre + (uint32_t)10U; + Lib_IntVector_Intrinsics_vec128 *rn5 = pre + (uint32_t)15U; + Lib_IntVector_Intrinsics_vec128 r0 = rn[0U]; + Lib_IntVector_Intrinsics_vec128 r1 = rn[1U]; + Lib_IntVector_Intrinsics_vec128 r2 = rn[2U]; + 
Lib_IntVector_Intrinsics_vec128 r3 = rn[3U]; + Lib_IntVector_Intrinsics_vec128 r4 = rn[4U]; + Lib_IntVector_Intrinsics_vec128 r51 = rn5[1U]; + Lib_IntVector_Intrinsics_vec128 r52 = rn5[2U]; + Lib_IntVector_Intrinsics_vec128 r53 = rn5[3U]; + Lib_IntVector_Intrinsics_vec128 r54 = rn5[4U]; + Lib_IntVector_Intrinsics_vec128 f10 = acc[0U]; + Lib_IntVector_Intrinsics_vec128 f110 = acc[1U]; + Lib_IntVector_Intrinsics_vec128 f120 = acc[2U]; + Lib_IntVector_Intrinsics_vec128 f130 = acc[3U]; + Lib_IntVector_Intrinsics_vec128 f140 = acc[4U]; + Lib_IntVector_Intrinsics_vec128 a0 = Lib_IntVector_Intrinsics_vec128_mul64(r0, f10); + Lib_IntVector_Intrinsics_vec128 a1 = Lib_IntVector_Intrinsics_vec128_mul64(r1, f10); + Lib_IntVector_Intrinsics_vec128 a2 = Lib_IntVector_Intrinsics_vec128_mul64(r2, f10); + Lib_IntVector_Intrinsics_vec128 a3 = Lib_IntVector_Intrinsics_vec128_mul64(r3, f10); + Lib_IntVector_Intrinsics_vec128 a4 = Lib_IntVector_Intrinsics_vec128_mul64(r4, f10); + Lib_IntVector_Intrinsics_vec128 + a01 = + Lib_IntVector_Intrinsics_vec128_add64(a0, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f110)); + Lib_IntVector_Intrinsics_vec128 + a11 = + Lib_IntVector_Intrinsics_vec128_add64(a1, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f110)); + Lib_IntVector_Intrinsics_vec128 + a21 = + Lib_IntVector_Intrinsics_vec128_add64(a2, + Lib_IntVector_Intrinsics_vec128_mul64(r1, f110)); + Lib_IntVector_Intrinsics_vec128 + a31 = + Lib_IntVector_Intrinsics_vec128_add64(a3, + Lib_IntVector_Intrinsics_vec128_mul64(r2, f110)); + Lib_IntVector_Intrinsics_vec128 + a41 = + Lib_IntVector_Intrinsics_vec128_add64(a4, + Lib_IntVector_Intrinsics_vec128_mul64(r3, f110)); + Lib_IntVector_Intrinsics_vec128 + a02 = + Lib_IntVector_Intrinsics_vec128_add64(a01, + Lib_IntVector_Intrinsics_vec128_mul64(r53, f120)); + Lib_IntVector_Intrinsics_vec128 + a12 = + Lib_IntVector_Intrinsics_vec128_add64(a11, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f120)); + Lib_IntVector_Intrinsics_vec128 + a22 = + 
Lib_IntVector_Intrinsics_vec128_add64(a21, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f120)); + Lib_IntVector_Intrinsics_vec128 + a32 = + Lib_IntVector_Intrinsics_vec128_add64(a31, + Lib_IntVector_Intrinsics_vec128_mul64(r1, f120)); + Lib_IntVector_Intrinsics_vec128 + a42 = + Lib_IntVector_Intrinsics_vec128_add64(a41, + Lib_IntVector_Intrinsics_vec128_mul64(r2, f120)); + Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r52, f130)); + Lib_IntVector_Intrinsics_vec128 + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r53, f130)); + Lib_IntVector_Intrinsics_vec128 + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f130)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f130)); + Lib_IntVector_Intrinsics_vec128 + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r1, f130)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r51, f140)); + Lib_IntVector_Intrinsics_vec128 + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r52, f140)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r53, f140)); + Lib_IntVector_Intrinsics_vec128 + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r54, f140)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r0, f140)); + Lib_IntVector_Intrinsics_vec128 t01 = a04; + Lib_IntVector_Intrinsics_vec128 t1 = a14; + Lib_IntVector_Intrinsics_vec128 t2 = a24; + Lib_IntVector_Intrinsics_vec128 t3 = a34; + Lib_IntVector_Intrinsics_vec128 t4 = a44; + 
Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t01, mask26); + Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t1, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, 
z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + Lib_IntVector_Intrinsics_vec128 o00 = x02; + Lib_IntVector_Intrinsics_vec128 o10 = x12; + Lib_IntVector_Intrinsics_vec128 o20 = x21; + Lib_IntVector_Intrinsics_vec128 o30 = x32; + Lib_IntVector_Intrinsics_vec128 o40 = x42; + acc[0U] = o00; + acc[1U] = o10; + acc[2U] = o20; + acc[3U] = o30; + acc[4U] = o40; + Lib_IntVector_Intrinsics_vec128 f100 = acc[0U]; + Lib_IntVector_Intrinsics_vec128 f11 = acc[1U]; + Lib_IntVector_Intrinsics_vec128 f12 = acc[2U]; + Lib_IntVector_Intrinsics_vec128 f13 = acc[3U]; + Lib_IntVector_Intrinsics_vec128 f14 = acc[4U]; + Lib_IntVector_Intrinsics_vec128 f20 = e[0U]; + Lib_IntVector_Intrinsics_vec128 f21 = e[1U]; + Lib_IntVector_Intrinsics_vec128 f22 = e[2U]; + Lib_IntVector_Intrinsics_vec128 f23 = e[3U]; + Lib_IntVector_Intrinsics_vec128 f24 = e[4U]; + Lib_IntVector_Intrinsics_vec128 o0 = Lib_IntVector_Intrinsics_vec128_add64(f100, f20); + Lib_IntVector_Intrinsics_vec128 o1 = Lib_IntVector_Intrinsics_vec128_add64(f11, f21); + Lib_IntVector_Intrinsics_vec128 o2 = Lib_IntVector_Intrinsics_vec128_add64(f12, f22); + Lib_IntVector_Intrinsics_vec128 o3 = Lib_IntVector_Intrinsics_vec128_add64(f13, f23); + Lib_IntVector_Intrinsics_vec128 o4 = Lib_IntVector_Intrinsics_vec128_add64(f14, f24); + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + } + Hacl_Impl_Poly1305_Field32xN_128_fmul_r2_normalize(acc, pre); + } + uint32_t len1 = len - len0; + uint8_t *t1 = text + len0; + uint32_t nb = len1 / (uint32_t)16U; + uint32_t rem = len1 % (uint32_t)16U; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = t1 + i * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec128 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) 
+ e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + uint64_t u0 = load64_le(block); + uint64_t lo = u0; + uint64_t u = load64_le(block + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec128 f0 = Lib_IntVector_Intrinsics_vec128_load64(lo); + Lib_IntVector_Intrinsics_vec128 f1 = Lib_IntVector_Intrinsics_vec128_load64(hi); + Lib_IntVector_Intrinsics_vec128 + f010 = + Lib_IntVector_Intrinsics_vec128_and(f0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f110 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f20 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(f1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f01 = f010; + Lib_IntVector_Intrinsics_vec128 f111 = f110; + Lib_IntVector_Intrinsics_vec128 f2 = f20; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b); + Lib_IntVector_Intrinsics_vec128 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec128_or(f4, mask); + Lib_IntVector_Intrinsics_vec128 *r = pre; + Lib_IntVector_Intrinsics_vec128 *r5 = pre + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 r0 
= r[0U]; + Lib_IntVector_Intrinsics_vec128 r1 = r[1U]; + Lib_IntVector_Intrinsics_vec128 r2 = r[2U]; + Lib_IntVector_Intrinsics_vec128 r3 = r[3U]; + Lib_IntVector_Intrinsics_vec128 r4 = r[4U]; + Lib_IntVector_Intrinsics_vec128 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec128 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec128 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec128 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec128 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec128 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec128 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec128 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec128 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec128 a0 = acc[0U]; + Lib_IntVector_Intrinsics_vec128 a1 = acc[1U]; + Lib_IntVector_Intrinsics_vec128 a2 = acc[2U]; + Lib_IntVector_Intrinsics_vec128 a3 = acc[3U]; + Lib_IntVector_Intrinsics_vec128 a4 = acc[4U]; + Lib_IntVector_Intrinsics_vec128 a01 = Lib_IntVector_Intrinsics_vec128_add64(a0, f10); + Lib_IntVector_Intrinsics_vec128 a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, f11); + Lib_IntVector_Intrinsics_vec128 a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, f12); + Lib_IntVector_Intrinsics_vec128 a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, f13); + Lib_IntVector_Intrinsics_vec128 a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, f14); + Lib_IntVector_Intrinsics_vec128 a02 = Lib_IntVector_Intrinsics_vec128_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec128 a12 = Lib_IntVector_Intrinsics_vec128_mul64(r1, a01); + Lib_IntVector_Intrinsics_vec128 a22 = Lib_IntVector_Intrinsics_vec128_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec128 a32 = Lib_IntVector_Intrinsics_vec128_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec128 a42 = Lib_IntVector_Intrinsics_vec128_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec128 + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + 
Lib_IntVector_Intrinsics_vec128_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec128 + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a11)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec128 + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec128 + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec128 + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a21)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec128 + a05 = + Lib_IntVector_Intrinsics_vec128_add64(a04, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec128 + a15 = + Lib_IntVector_Intrinsics_vec128_add64(a14, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec128 + a25 = + Lib_IntVector_Intrinsics_vec128_add64(a24, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec128 + a35 = + Lib_IntVector_Intrinsics_vec128_add64(a34, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec128 + a45 = + Lib_IntVector_Intrinsics_vec128_add64(a44, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a31)); + Lib_IntVector_Intrinsics_vec128 + a06 = + Lib_IntVector_Intrinsics_vec128_add64(a05, + Lib_IntVector_Intrinsics_vec128_mul64(r51, a41)); + 
Lib_IntVector_Intrinsics_vec128 + a16 = + Lib_IntVector_Intrinsics_vec128_add64(a15, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec128 + a26 = + Lib_IntVector_Intrinsics_vec128_add64(a25, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec128 + a36 = + Lib_IntVector_Intrinsics_vec128_add64(a35, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec128 + a46 = + Lib_IntVector_Intrinsics_vec128_add64(a45, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec128 t01 = a06; + Lib_IntVector_Intrinsics_vec128 t11 = a16; + Lib_IntVector_Intrinsics_vec128 t2 = a26; + Lib_IntVector_Intrinsics_vec128 t3 = a36; + Lib_IntVector_Intrinsics_vec128 t4 = a46; + Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t01, mask26); + Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t11, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 x41 = 
Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + Lib_IntVector_Intrinsics_vec128 o0 = x02; + Lib_IntVector_Intrinsics_vec128 o1 = x12; + Lib_IntVector_Intrinsics_vec128 o2 = x21; + Lib_IntVector_Intrinsics_vec128 o3 = x32; + Lib_IntVector_Intrinsics_vec128 o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + } + if (rem > (uint32_t)0U) + { + uint8_t *last = t1 + nb * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec128 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec128_zero; + uint8_t tmp[16U] = { 0U }; + memcpy(tmp, last, rem * sizeof (uint8_t)); + uint64_t u0 = load64_le(tmp); + uint64_t lo = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec128 f0 = Lib_IntVector_Intrinsics_vec128_load64(lo); + Lib_IntVector_Intrinsics_vec128 f1 = Lib_IntVector_Intrinsics_vec128_load64(hi); + Lib_IntVector_Intrinsics_vec128 + f010 
= + Lib_IntVector_Intrinsics_vec128_and(f0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f110 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f20 = + Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(f1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec128 + f30 = + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec128 f01 = f010; + Lib_IntVector_Intrinsics_vec128 f111 = f110; + Lib_IntVector_Intrinsics_vec128 f2 = f20; + Lib_IntVector_Intrinsics_vec128 f3 = f30; + Lib_IntVector_Intrinsics_vec128 f4 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f4; + uint64_t b = (uint64_t)1U << rem * (uint32_t)8U % (uint32_t)26U; + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b); + Lib_IntVector_Intrinsics_vec128 fi = e[rem * (uint32_t)8U / (uint32_t)26U]; + e[rem * (uint32_t)8U / (uint32_t)26U] = Lib_IntVector_Intrinsics_vec128_or(fi, mask); + Lib_IntVector_Intrinsics_vec128 *r = pre; + Lib_IntVector_Intrinsics_vec128 *r5 = pre + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec128 r0 = r[0U]; + Lib_IntVector_Intrinsics_vec128 r1 = r[1U]; + Lib_IntVector_Intrinsics_vec128 r2 = r[2U]; + Lib_IntVector_Intrinsics_vec128 r3 = r[3U]; + Lib_IntVector_Intrinsics_vec128 r4 = r[4U]; + Lib_IntVector_Intrinsics_vec128 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec128 r52 = 
r5[2U]; + Lib_IntVector_Intrinsics_vec128 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec128 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec128 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec128 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec128 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec128 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec128 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec128 a0 = acc[0U]; + Lib_IntVector_Intrinsics_vec128 a1 = acc[1U]; + Lib_IntVector_Intrinsics_vec128 a2 = acc[2U]; + Lib_IntVector_Intrinsics_vec128 a3 = acc[3U]; + Lib_IntVector_Intrinsics_vec128 a4 = acc[4U]; + Lib_IntVector_Intrinsics_vec128 a01 = Lib_IntVector_Intrinsics_vec128_add64(a0, f10); + Lib_IntVector_Intrinsics_vec128 a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, f11); + Lib_IntVector_Intrinsics_vec128 a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, f12); + Lib_IntVector_Intrinsics_vec128 a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, f13); + Lib_IntVector_Intrinsics_vec128 a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, f14); + Lib_IntVector_Intrinsics_vec128 a02 = Lib_IntVector_Intrinsics_vec128_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec128 a12 = Lib_IntVector_Intrinsics_vec128_mul64(r1, a01); + Lib_IntVector_Intrinsics_vec128 a22 = Lib_IntVector_Intrinsics_vec128_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec128 a32 = Lib_IntVector_Intrinsics_vec128_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec128 a42 = Lib_IntVector_Intrinsics_vec128_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec128 + a03 = + Lib_IntVector_Intrinsics_vec128_add64(a02, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec128 + a13 = + Lib_IntVector_Intrinsics_vec128_add64(a12, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec128 + a23 = + Lib_IntVector_Intrinsics_vec128_add64(a22, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a11)); + Lib_IntVector_Intrinsics_vec128 + a33 = + Lib_IntVector_Intrinsics_vec128_add64(a32, + 
Lib_IntVector_Intrinsics_vec128_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec128 + a43 = + Lib_IntVector_Intrinsics_vec128_add64(a42, + Lib_IntVector_Intrinsics_vec128_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec128 + a04 = + Lib_IntVector_Intrinsics_vec128_add64(a03, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec128 + a14 = + Lib_IntVector_Intrinsics_vec128_add64(a13, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec128 + a24 = + Lib_IntVector_Intrinsics_vec128_add64(a23, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec128 + a34 = + Lib_IntVector_Intrinsics_vec128_add64(a33, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a21)); + Lib_IntVector_Intrinsics_vec128 + a44 = + Lib_IntVector_Intrinsics_vec128_add64(a43, + Lib_IntVector_Intrinsics_vec128_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec128 + a05 = + Lib_IntVector_Intrinsics_vec128_add64(a04, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec128 + a15 = + Lib_IntVector_Intrinsics_vec128_add64(a14, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec128 + a25 = + Lib_IntVector_Intrinsics_vec128_add64(a24, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec128 + a35 = + Lib_IntVector_Intrinsics_vec128_add64(a34, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec128 + a45 = + Lib_IntVector_Intrinsics_vec128_add64(a44, + Lib_IntVector_Intrinsics_vec128_mul64(r1, a31)); + Lib_IntVector_Intrinsics_vec128 + a06 = + Lib_IntVector_Intrinsics_vec128_add64(a05, + Lib_IntVector_Intrinsics_vec128_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec128 + a16 = + Lib_IntVector_Intrinsics_vec128_add64(a15, + Lib_IntVector_Intrinsics_vec128_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec128 + a26 = + Lib_IntVector_Intrinsics_vec128_add64(a25, + Lib_IntVector_Intrinsics_vec128_mul64(r53, a41)); + 
Lib_IntVector_Intrinsics_vec128 + a36 = + Lib_IntVector_Intrinsics_vec128_add64(a35, + Lib_IntVector_Intrinsics_vec128_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec128 + a46 = + Lib_IntVector_Intrinsics_vec128_add64(a45, + Lib_IntVector_Intrinsics_vec128_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec128 t01 = a06; + Lib_IntVector_Intrinsics_vec128 t11 = a16; + Lib_IntVector_Intrinsics_vec128 t2 = a26; + Lib_IntVector_Intrinsics_vec128 t3 = a36; + Lib_IntVector_Intrinsics_vec128 t4 = a46; + Lib_IntVector_Intrinsics_vec128 + mask26 = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + z0 = Lib_IntVector_Intrinsics_vec128_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z1 = Lib_IntVector_Intrinsics_vec128_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_and(t01, mask26); + Lib_IntVector_Intrinsics_vec128 x3 = Lib_IntVector_Intrinsics_vec128_and(t3, mask26); + Lib_IntVector_Intrinsics_vec128 x1 = Lib_IntVector_Intrinsics_vec128_add64(t11, z0); + Lib_IntVector_Intrinsics_vec128 x4 = Lib_IntVector_Intrinsics_vec128_add64(t4, z1); + Lib_IntVector_Intrinsics_vec128 + z01 = Lib_IntVector_Intrinsics_vec128_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z11 = Lib_IntVector_Intrinsics_vec128_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + t = Lib_IntVector_Intrinsics_vec128_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec128 z12 = Lib_IntVector_Intrinsics_vec128_add64(z11, t); + Lib_IntVector_Intrinsics_vec128 x11 = Lib_IntVector_Intrinsics_vec128_and(x1, mask26); + Lib_IntVector_Intrinsics_vec128 x41 = Lib_IntVector_Intrinsics_vec128_and(x4, mask26); + Lib_IntVector_Intrinsics_vec128 x2 = Lib_IntVector_Intrinsics_vec128_add64(t2, z01); + Lib_IntVector_Intrinsics_vec128 x01 = Lib_IntVector_Intrinsics_vec128_add64(x0, z12); + Lib_IntVector_Intrinsics_vec128 + z02 = 
Lib_IntVector_Intrinsics_vec128_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + z13 = Lib_IntVector_Intrinsics_vec128_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x21 = Lib_IntVector_Intrinsics_vec128_and(x2, mask26); + Lib_IntVector_Intrinsics_vec128 x02 = Lib_IntVector_Intrinsics_vec128_and(x01, mask26); + Lib_IntVector_Intrinsics_vec128 x31 = Lib_IntVector_Intrinsics_vec128_add64(x3, z02); + Lib_IntVector_Intrinsics_vec128 x12 = Lib_IntVector_Intrinsics_vec128_add64(x11, z13); + Lib_IntVector_Intrinsics_vec128 + z03 = Lib_IntVector_Intrinsics_vec128_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 x32 = Lib_IntVector_Intrinsics_vec128_and(x31, mask26); + Lib_IntVector_Intrinsics_vec128 x42 = Lib_IntVector_Intrinsics_vec128_add64(x41, z03); + Lib_IntVector_Intrinsics_vec128 o0 = x02; + Lib_IntVector_Intrinsics_vec128 o1 = x12; + Lib_IntVector_Intrinsics_vec128 o2 = x21; + Lib_IntVector_Intrinsics_vec128 o3 = x32; + Lib_IntVector_Intrinsics_vec128 o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + return; + } +} + +void +Hacl_Poly1305_128_poly1305_finish( + uint8_t *tag, + uint8_t *key, + Lib_IntVector_Intrinsics_vec128 *ctx +) +{ + Lib_IntVector_Intrinsics_vec128 *acc = ctx; + uint8_t *ks = key + (uint32_t)16U; + Lib_IntVector_Intrinsics_vec128 f0 = acc[0U]; + Lib_IntVector_Intrinsics_vec128 f13 = acc[1U]; + Lib_IntVector_Intrinsics_vec128 f23 = acc[2U]; + Lib_IntVector_Intrinsics_vec128 f33 = acc[3U]; + Lib_IntVector_Intrinsics_vec128 f40 = acc[4U]; + Lib_IntVector_Intrinsics_vec128 + l0 = Lib_IntVector_Intrinsics_vec128_add64(f0, Lib_IntVector_Intrinsics_vec128_zero); + Lib_IntVector_Intrinsics_vec128 + tmp00 = + Lib_IntVector_Intrinsics_vec128_and(l0, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c00 = Lib_IntVector_Intrinsics_vec128_shift_right64(l0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 
l1 = Lib_IntVector_Intrinsics_vec128_add64(f13, c00); + Lib_IntVector_Intrinsics_vec128 + tmp10 = + Lib_IntVector_Intrinsics_vec128_and(l1, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c10 = Lib_IntVector_Intrinsics_vec128_shift_right64(l1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l2 = Lib_IntVector_Intrinsics_vec128_add64(f23, c10); + Lib_IntVector_Intrinsics_vec128 + tmp20 = + Lib_IntVector_Intrinsics_vec128_and(l2, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c20 = Lib_IntVector_Intrinsics_vec128_shift_right64(l2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l3 = Lib_IntVector_Intrinsics_vec128_add64(f33, c20); + Lib_IntVector_Intrinsics_vec128 + tmp30 = + Lib_IntVector_Intrinsics_vec128_and(l3, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c30 = Lib_IntVector_Intrinsics_vec128_shift_right64(l3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l4 = Lib_IntVector_Intrinsics_vec128_add64(f40, c30); + Lib_IntVector_Intrinsics_vec128 + tmp40 = + Lib_IntVector_Intrinsics_vec128_and(l4, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c40 = Lib_IntVector_Intrinsics_vec128_shift_right64(l4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + f010 = + Lib_IntVector_Intrinsics_vec128_add64(tmp00, + Lib_IntVector_Intrinsics_vec128_smul64(c40, (uint64_t)5U)); + Lib_IntVector_Intrinsics_vec128 f110 = tmp10; + Lib_IntVector_Intrinsics_vec128 f210 = tmp20; + Lib_IntVector_Intrinsics_vec128 f310 = tmp30; + Lib_IntVector_Intrinsics_vec128 f410 = tmp40; + Lib_IntVector_Intrinsics_vec128 + l = Lib_IntVector_Intrinsics_vec128_add64(f010, Lib_IntVector_Intrinsics_vec128_zero); + Lib_IntVector_Intrinsics_vec128 + tmp0 = + Lib_IntVector_Intrinsics_vec128_and(l, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + 
Lib_IntVector_Intrinsics_vec128 + c0 = Lib_IntVector_Intrinsics_vec128_shift_right64(l, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l5 = Lib_IntVector_Intrinsics_vec128_add64(f110, c0); + Lib_IntVector_Intrinsics_vec128 + tmp1 = + Lib_IntVector_Intrinsics_vec128_and(l5, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c1 = Lib_IntVector_Intrinsics_vec128_shift_right64(l5, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l6 = Lib_IntVector_Intrinsics_vec128_add64(f210, c1); + Lib_IntVector_Intrinsics_vec128 + tmp2 = + Lib_IntVector_Intrinsics_vec128_and(l6, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c2 = Lib_IntVector_Intrinsics_vec128_shift_right64(l6, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l7 = Lib_IntVector_Intrinsics_vec128_add64(f310, c2); + Lib_IntVector_Intrinsics_vec128 + tmp3 = + Lib_IntVector_Intrinsics_vec128_and(l7, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c3 = Lib_IntVector_Intrinsics_vec128_shift_right64(l7, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 l8 = Lib_IntVector_Intrinsics_vec128_add64(f410, c3); + Lib_IntVector_Intrinsics_vec128 + tmp4 = + Lib_IntVector_Intrinsics_vec128_and(l8, + Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec128 + c4 = Lib_IntVector_Intrinsics_vec128_shift_right64(l8, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec128 + f02 = + Lib_IntVector_Intrinsics_vec128_add64(tmp0, + Lib_IntVector_Intrinsics_vec128_smul64(c4, (uint64_t)5U)); + Lib_IntVector_Intrinsics_vec128 f12 = tmp1; + Lib_IntVector_Intrinsics_vec128 f22 = tmp2; + Lib_IntVector_Intrinsics_vec128 f32 = tmp3; + Lib_IntVector_Intrinsics_vec128 f42 = tmp4; + Lib_IntVector_Intrinsics_vec128 + mh = Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec128 + ml = 
Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffffbU); + Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_eq64(f42, mh); + Lib_IntVector_Intrinsics_vec128 + mask1 = + Lib_IntVector_Intrinsics_vec128_and(mask, + Lib_IntVector_Intrinsics_vec128_eq64(f32, mh)); + Lib_IntVector_Intrinsics_vec128 + mask2 = + Lib_IntVector_Intrinsics_vec128_and(mask1, + Lib_IntVector_Intrinsics_vec128_eq64(f22, mh)); + Lib_IntVector_Intrinsics_vec128 + mask3 = + Lib_IntVector_Intrinsics_vec128_and(mask2, + Lib_IntVector_Intrinsics_vec128_eq64(f12, mh)); + Lib_IntVector_Intrinsics_vec128 + mask4 = + Lib_IntVector_Intrinsics_vec128_and(mask3, + Lib_IntVector_Intrinsics_vec128_lognot(Lib_IntVector_Intrinsics_vec128_gt64(ml, f02))); + Lib_IntVector_Intrinsics_vec128 ph = Lib_IntVector_Intrinsics_vec128_and(mask4, mh); + Lib_IntVector_Intrinsics_vec128 pl = Lib_IntVector_Intrinsics_vec128_and(mask4, ml); + Lib_IntVector_Intrinsics_vec128 o0 = Lib_IntVector_Intrinsics_vec128_sub64(f02, pl); + Lib_IntVector_Intrinsics_vec128 o1 = Lib_IntVector_Intrinsics_vec128_sub64(f12, ph); + Lib_IntVector_Intrinsics_vec128 o2 = Lib_IntVector_Intrinsics_vec128_sub64(f22, ph); + Lib_IntVector_Intrinsics_vec128 o3 = Lib_IntVector_Intrinsics_vec128_sub64(f32, ph); + Lib_IntVector_Intrinsics_vec128 o4 = Lib_IntVector_Intrinsics_vec128_sub64(f42, ph); + Lib_IntVector_Intrinsics_vec128 f011 = o0; + Lib_IntVector_Intrinsics_vec128 f111 = o1; + Lib_IntVector_Intrinsics_vec128 f211 = o2; + Lib_IntVector_Intrinsics_vec128 f311 = o3; + Lib_IntVector_Intrinsics_vec128 f411 = o4; + acc[0U] = f011; + acc[1U] = f111; + acc[2U] = f211; + acc[3U] = f311; + acc[4U] = f411; + Lib_IntVector_Intrinsics_vec128 f00 = acc[0U]; + Lib_IntVector_Intrinsics_vec128 f1 = acc[1U]; + Lib_IntVector_Intrinsics_vec128 f2 = acc[2U]; + Lib_IntVector_Intrinsics_vec128 f3 = acc[3U]; + Lib_IntVector_Intrinsics_vec128 f4 = acc[4U]; + uint64_t f01 = Lib_IntVector_Intrinsics_vec128_extract64(f00, (uint32_t)0U); + uint64_t 
f112 = Lib_IntVector_Intrinsics_vec128_extract64(f1, (uint32_t)0U); + uint64_t f212 = Lib_IntVector_Intrinsics_vec128_extract64(f2, (uint32_t)0U); + uint64_t f312 = Lib_IntVector_Intrinsics_vec128_extract64(f3, (uint32_t)0U); + uint64_t f41 = Lib_IntVector_Intrinsics_vec128_extract64(f4, (uint32_t)0U); + uint64_t lo = (f01 | f112 << (uint32_t)26U) | f212 << (uint32_t)52U; + uint64_t hi = (f212 >> (uint32_t)12U | f312 << (uint32_t)14U) | f41 << (uint32_t)40U; + uint64_t f10 = lo; + uint64_t f11 = hi; + uint64_t u0 = load64_le(ks); + uint64_t lo0 = u0; + uint64_t u = load64_le(ks + (uint32_t)8U); + uint64_t hi0 = u; + uint64_t f20 = lo0; + uint64_t f21 = hi0; + uint64_t r0 = f10 + f20; + uint64_t r1 = f11 + f21; + uint64_t c = (r0 ^ ((r0 ^ f20) | ((r0 - f20) ^ f20))) >> (uint32_t)63U; + uint64_t r11 = r1 + c; + uint64_t f30 = r0; + uint64_t f31 = r11; + store64_le(tag, f30); + store64_le(tag + (uint32_t)8U, f31); +} + +void Hacl_Poly1305_128_poly1305_mac(uint8_t *tag, uint32_t len, uint8_t *text, uint8_t *key) +{ + Lib_IntVector_Intrinsics_vec128 ctx[25U]; + for (uint32_t _i = 0U; _i < (uint32_t)25U; ++_i) + ctx[_i] = Lib_IntVector_Intrinsics_vec128_zero; + Hacl_Poly1305_128_poly1305_init(ctx, key); + Hacl_Poly1305_128_poly1305_update(ctx, len, text); + Hacl_Poly1305_128_poly1305_finish(tag, key, ctx); +} + diff --git a/src/msvc/Hacl_Poly1305_256.c b/src/msvc/Hacl_Poly1305_256.c new file mode 100644 index 00000000..7430d78c --- /dev/null +++ b/src/msvc/Hacl_Poly1305_256.c 
@@ -0,0 +1,2103 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_Poly1305_256.h" + + + +void +Hacl_Impl_Poly1305_Field32xN_256_load_acc4(Lib_IntVector_Intrinsics_vec256 *acc, uint8_t *b) +{ + Lib_IntVector_Intrinsics_vec256 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 lo = Lib_IntVector_Intrinsics_vec256_load64_le(b); + Lib_IntVector_Intrinsics_vec256 + hi = Lib_IntVector_Intrinsics_vec256_load64_le(b + (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 m0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(lo, hi); + Lib_IntVector_Intrinsics_vec256 + m1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(lo, hi); + Lib_IntVector_Intrinsics_vec256 + m2 = Lib_IntVector_Intrinsics_vec256_shift_right(m0, (uint32_t)48U); + Lib_IntVector_Intrinsics_vec256 + m3 = Lib_IntVector_Intrinsics_vec256_shift_right(m1, (uint32_t)48U); + Lib_IntVector_Intrinsics_vec256 m4 = Lib_IntVector_Intrinsics_vec256_interleave_high64(m0, m1); + Lib_IntVector_Intrinsics_vec256 t0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(m0, m1); + Lib_IntVector_Intrinsics_vec256 t3 = Lib_IntVector_Intrinsics_vec256_interleave_low64(m2, m3); + Lib_IntVector_Intrinsics_vec256 + t2 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)4U); + Lib_IntVector_Intrinsics_vec256 o20 = Lib_IntVector_Intrinsics_vec256_and(t2, mask26); + Lib_IntVector_Intrinsics_vec256 + t1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 o10 = Lib_IntVector_Intrinsics_vec256_and(t1, mask26); + Lib_IntVector_Intrinsics_vec256 o5 = Lib_IntVector_Intrinsics_vec256_and(t0, mask26); + Lib_IntVector_Intrinsics_vec256 + t31 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)30U); + Lib_IntVector_Intrinsics_vec256 o30 = Lib_IntVector_Intrinsics_vec256_and(t31, mask26); + 
Lib_IntVector_Intrinsics_vec256 + o40 = Lib_IntVector_Intrinsics_vec256_shift_right64(m4, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 o0 = o5; + Lib_IntVector_Intrinsics_vec256 o1 = o10; + Lib_IntVector_Intrinsics_vec256 o2 = o20; + Lib_IntVector_Intrinsics_vec256 o3 = o30; + Lib_IntVector_Intrinsics_vec256 o4 = o40; + e[0U] = o0; + e[1U] = o1; + e[2U] = o2; + e[3U] = o3; + e[4U] = o4; + uint64_t b1 = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_load64(b1); + Lib_IntVector_Intrinsics_vec256 f40 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec256_or(f40, mask); + Lib_IntVector_Intrinsics_vec256 acc0 = acc[0U]; + Lib_IntVector_Intrinsics_vec256 acc1 = acc[1U]; + Lib_IntVector_Intrinsics_vec256 acc2 = acc[2U]; + Lib_IntVector_Intrinsics_vec256 acc3 = acc[3U]; + Lib_IntVector_Intrinsics_vec256 acc4 = acc[4U]; + Lib_IntVector_Intrinsics_vec256 e0 = e[0U]; + Lib_IntVector_Intrinsics_vec256 e1 = e[1U]; + Lib_IntVector_Intrinsics_vec256 e2 = e[2U]; + Lib_IntVector_Intrinsics_vec256 e3 = e[3U]; + Lib_IntVector_Intrinsics_vec256 e4 = e[4U]; + Lib_IntVector_Intrinsics_vec256 r0 = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 r1 = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 r2 = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 r3 = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 r4 = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 + r01 = + Lib_IntVector_Intrinsics_vec256_insert64(r0, + Lib_IntVector_Intrinsics_vec256_extract64(acc0, (uint32_t)0U), + (uint32_t)0U); + Lib_IntVector_Intrinsics_vec256 + r11 = + Lib_IntVector_Intrinsics_vec256_insert64(r1, + Lib_IntVector_Intrinsics_vec256_extract64(acc1, (uint32_t)0U), + (uint32_t)0U); + Lib_IntVector_Intrinsics_vec256 + r21 = + Lib_IntVector_Intrinsics_vec256_insert64(r2, + Lib_IntVector_Intrinsics_vec256_extract64(acc2, (uint32_t)0U), + (uint32_t)0U); 
+ Lib_IntVector_Intrinsics_vec256 + r31 = + Lib_IntVector_Intrinsics_vec256_insert64(r3, + Lib_IntVector_Intrinsics_vec256_extract64(acc3, (uint32_t)0U), + (uint32_t)0U); + Lib_IntVector_Intrinsics_vec256 + r41 = + Lib_IntVector_Intrinsics_vec256_insert64(r4, + Lib_IntVector_Intrinsics_vec256_extract64(acc4, (uint32_t)0U), + (uint32_t)0U); + Lib_IntVector_Intrinsics_vec256 f0 = Lib_IntVector_Intrinsics_vec256_add64(r01, e0); + Lib_IntVector_Intrinsics_vec256 f1 = Lib_IntVector_Intrinsics_vec256_add64(r11, e1); + Lib_IntVector_Intrinsics_vec256 f2 = Lib_IntVector_Intrinsics_vec256_add64(r21, e2); + Lib_IntVector_Intrinsics_vec256 f3 = Lib_IntVector_Intrinsics_vec256_add64(r31, e3); + Lib_IntVector_Intrinsics_vec256 f4 = Lib_IntVector_Intrinsics_vec256_add64(r41, e4); + Lib_IntVector_Intrinsics_vec256 acc01 = f0; + Lib_IntVector_Intrinsics_vec256 acc11 = f1; + Lib_IntVector_Intrinsics_vec256 acc21 = f2; + Lib_IntVector_Intrinsics_vec256 acc31 = f3; + Lib_IntVector_Intrinsics_vec256 acc41 = f4; + acc[0U] = acc01; + acc[1U] = acc11; + acc[2U] = acc21; + acc[3U] = acc31; + acc[4U] = acc41; +} + +void +Hacl_Impl_Poly1305_Field32xN_256_fmul_r4_normalize( + Lib_IntVector_Intrinsics_vec256 *out, + Lib_IntVector_Intrinsics_vec256 *p +) +{ + Lib_IntVector_Intrinsics_vec256 *r = p; + Lib_IntVector_Intrinsics_vec256 *r_5 = p + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 *r4 = p + (uint32_t)10U; + Lib_IntVector_Intrinsics_vec256 a0 = out[0U]; + Lib_IntVector_Intrinsics_vec256 a1 = out[1U]; + Lib_IntVector_Intrinsics_vec256 a2 = out[2U]; + Lib_IntVector_Intrinsics_vec256 a3 = out[3U]; + Lib_IntVector_Intrinsics_vec256 a4 = out[4U]; + Lib_IntVector_Intrinsics_vec256 r10 = r[0U]; + Lib_IntVector_Intrinsics_vec256 r11 = r[1U]; + Lib_IntVector_Intrinsics_vec256 r12 = r[2U]; + Lib_IntVector_Intrinsics_vec256 r13 = r[3U]; + Lib_IntVector_Intrinsics_vec256 r14 = r[4U]; + Lib_IntVector_Intrinsics_vec256 r151 = r_5[1U]; + Lib_IntVector_Intrinsics_vec256 r152 = r_5[2U]; + 
Lib_IntVector_Intrinsics_vec256 r153 = r_5[3U]; + Lib_IntVector_Intrinsics_vec256 r154 = r_5[4U]; + Lib_IntVector_Intrinsics_vec256 r40 = r4[0U]; + Lib_IntVector_Intrinsics_vec256 r41 = r4[1U]; + Lib_IntVector_Intrinsics_vec256 r42 = r4[2U]; + Lib_IntVector_Intrinsics_vec256 r43 = r4[3U]; + Lib_IntVector_Intrinsics_vec256 r44 = r4[4U]; + Lib_IntVector_Intrinsics_vec256 a010 = Lib_IntVector_Intrinsics_vec256_mul64(r10, r10); + Lib_IntVector_Intrinsics_vec256 a110 = Lib_IntVector_Intrinsics_vec256_mul64(r11, r10); + Lib_IntVector_Intrinsics_vec256 a210 = Lib_IntVector_Intrinsics_vec256_mul64(r12, r10); + Lib_IntVector_Intrinsics_vec256 a310 = Lib_IntVector_Intrinsics_vec256_mul64(r13, r10); + Lib_IntVector_Intrinsics_vec256 a410 = Lib_IntVector_Intrinsics_vec256_mul64(r14, r10); + Lib_IntVector_Intrinsics_vec256 + a020 = + Lib_IntVector_Intrinsics_vec256_add64(a010, + Lib_IntVector_Intrinsics_vec256_mul64(r154, r11)); + Lib_IntVector_Intrinsics_vec256 + a120 = + Lib_IntVector_Intrinsics_vec256_add64(a110, + Lib_IntVector_Intrinsics_vec256_mul64(r10, r11)); + Lib_IntVector_Intrinsics_vec256 + a220 = + Lib_IntVector_Intrinsics_vec256_add64(a210, + Lib_IntVector_Intrinsics_vec256_mul64(r11, r11)); + Lib_IntVector_Intrinsics_vec256 + a320 = + Lib_IntVector_Intrinsics_vec256_add64(a310, + Lib_IntVector_Intrinsics_vec256_mul64(r12, r11)); + Lib_IntVector_Intrinsics_vec256 + a420 = + Lib_IntVector_Intrinsics_vec256_add64(a410, + Lib_IntVector_Intrinsics_vec256_mul64(r13, r11)); + Lib_IntVector_Intrinsics_vec256 + a030 = + Lib_IntVector_Intrinsics_vec256_add64(a020, + Lib_IntVector_Intrinsics_vec256_mul64(r153, r12)); + Lib_IntVector_Intrinsics_vec256 + a130 = + Lib_IntVector_Intrinsics_vec256_add64(a120, + Lib_IntVector_Intrinsics_vec256_mul64(r154, r12)); + Lib_IntVector_Intrinsics_vec256 + a230 = + Lib_IntVector_Intrinsics_vec256_add64(a220, + Lib_IntVector_Intrinsics_vec256_mul64(r10, r12)); + Lib_IntVector_Intrinsics_vec256 + a330 = + 
Lib_IntVector_Intrinsics_vec256_add64(a320, + Lib_IntVector_Intrinsics_vec256_mul64(r11, r12)); + Lib_IntVector_Intrinsics_vec256 + a430 = + Lib_IntVector_Intrinsics_vec256_add64(a420, + Lib_IntVector_Intrinsics_vec256_mul64(r12, r12)); + Lib_IntVector_Intrinsics_vec256 + a040 = + Lib_IntVector_Intrinsics_vec256_add64(a030, + Lib_IntVector_Intrinsics_vec256_mul64(r152, r13)); + Lib_IntVector_Intrinsics_vec256 + a140 = + Lib_IntVector_Intrinsics_vec256_add64(a130, + Lib_IntVector_Intrinsics_vec256_mul64(r153, r13)); + Lib_IntVector_Intrinsics_vec256 + a240 = + Lib_IntVector_Intrinsics_vec256_add64(a230, + Lib_IntVector_Intrinsics_vec256_mul64(r154, r13)); + Lib_IntVector_Intrinsics_vec256 + a340 = + Lib_IntVector_Intrinsics_vec256_add64(a330, + Lib_IntVector_Intrinsics_vec256_mul64(r10, r13)); + Lib_IntVector_Intrinsics_vec256 + a440 = + Lib_IntVector_Intrinsics_vec256_add64(a430, + Lib_IntVector_Intrinsics_vec256_mul64(r11, r13)); + Lib_IntVector_Intrinsics_vec256 + a050 = + Lib_IntVector_Intrinsics_vec256_add64(a040, + Lib_IntVector_Intrinsics_vec256_mul64(r151, r14)); + Lib_IntVector_Intrinsics_vec256 + a150 = + Lib_IntVector_Intrinsics_vec256_add64(a140, + Lib_IntVector_Intrinsics_vec256_mul64(r152, r14)); + Lib_IntVector_Intrinsics_vec256 + a250 = + Lib_IntVector_Intrinsics_vec256_add64(a240, + Lib_IntVector_Intrinsics_vec256_mul64(r153, r14)); + Lib_IntVector_Intrinsics_vec256 + a350 = + Lib_IntVector_Intrinsics_vec256_add64(a340, + Lib_IntVector_Intrinsics_vec256_mul64(r154, r14)); + Lib_IntVector_Intrinsics_vec256 + a450 = + Lib_IntVector_Intrinsics_vec256_add64(a440, + Lib_IntVector_Intrinsics_vec256_mul64(r10, r14)); + Lib_IntVector_Intrinsics_vec256 t00 = a050; + Lib_IntVector_Intrinsics_vec256 t10 = a150; + Lib_IntVector_Intrinsics_vec256 t20 = a250; + Lib_IntVector_Intrinsics_vec256 t30 = a350; + Lib_IntVector_Intrinsics_vec256 t40 = a450; + Lib_IntVector_Intrinsics_vec256 + mask260 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + 
Lib_IntVector_Intrinsics_vec256 + z00 = Lib_IntVector_Intrinsics_vec256_shift_right64(t00, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z10 = Lib_IntVector_Intrinsics_vec256_shift_right64(t30, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x00 = Lib_IntVector_Intrinsics_vec256_and(t00, mask260); + Lib_IntVector_Intrinsics_vec256 x30 = Lib_IntVector_Intrinsics_vec256_and(t30, mask260); + Lib_IntVector_Intrinsics_vec256 x10 = Lib_IntVector_Intrinsics_vec256_add64(t10, z00); + Lib_IntVector_Intrinsics_vec256 x40 = Lib_IntVector_Intrinsics_vec256_add64(t40, z10); + Lib_IntVector_Intrinsics_vec256 + z010 = Lib_IntVector_Intrinsics_vec256_shift_right64(x10, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z110 = Lib_IntVector_Intrinsics_vec256_shift_right64(x40, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t5 = Lib_IntVector_Intrinsics_vec256_shift_left64(z110, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z110, t5); + Lib_IntVector_Intrinsics_vec256 x110 = Lib_IntVector_Intrinsics_vec256_and(x10, mask260); + Lib_IntVector_Intrinsics_vec256 x410 = Lib_IntVector_Intrinsics_vec256_and(x40, mask260); + Lib_IntVector_Intrinsics_vec256 x20 = Lib_IntVector_Intrinsics_vec256_add64(t20, z010); + Lib_IntVector_Intrinsics_vec256 x010 = Lib_IntVector_Intrinsics_vec256_add64(x00, z12); + Lib_IntVector_Intrinsics_vec256 + z020 = Lib_IntVector_Intrinsics_vec256_shift_right64(x20, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z130 = Lib_IntVector_Intrinsics_vec256_shift_right64(x010, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x210 = Lib_IntVector_Intrinsics_vec256_and(x20, mask260); + Lib_IntVector_Intrinsics_vec256 x020 = Lib_IntVector_Intrinsics_vec256_and(x010, mask260); + Lib_IntVector_Intrinsics_vec256 x310 = Lib_IntVector_Intrinsics_vec256_add64(x30, z020); + Lib_IntVector_Intrinsics_vec256 x120 = Lib_IntVector_Intrinsics_vec256_add64(x110, z130); + Lib_IntVector_Intrinsics_vec256 + z030 = 
Lib_IntVector_Intrinsics_vec256_shift_right64(x310, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x320 = Lib_IntVector_Intrinsics_vec256_and(x310, mask260); + Lib_IntVector_Intrinsics_vec256 x420 = Lib_IntVector_Intrinsics_vec256_add64(x410, z030); + Lib_IntVector_Intrinsics_vec256 r20 = x020; + Lib_IntVector_Intrinsics_vec256 r21 = x120; + Lib_IntVector_Intrinsics_vec256 r22 = x210; + Lib_IntVector_Intrinsics_vec256 r23 = x320; + Lib_IntVector_Intrinsics_vec256 r24 = x420; + Lib_IntVector_Intrinsics_vec256 a011 = Lib_IntVector_Intrinsics_vec256_mul64(r10, r20); + Lib_IntVector_Intrinsics_vec256 a111 = Lib_IntVector_Intrinsics_vec256_mul64(r11, r20); + Lib_IntVector_Intrinsics_vec256 a211 = Lib_IntVector_Intrinsics_vec256_mul64(r12, r20); + Lib_IntVector_Intrinsics_vec256 a311 = Lib_IntVector_Intrinsics_vec256_mul64(r13, r20); + Lib_IntVector_Intrinsics_vec256 a411 = Lib_IntVector_Intrinsics_vec256_mul64(r14, r20); + Lib_IntVector_Intrinsics_vec256 + a021 = + Lib_IntVector_Intrinsics_vec256_add64(a011, + Lib_IntVector_Intrinsics_vec256_mul64(r154, r21)); + Lib_IntVector_Intrinsics_vec256 + a121 = + Lib_IntVector_Intrinsics_vec256_add64(a111, + Lib_IntVector_Intrinsics_vec256_mul64(r10, r21)); + Lib_IntVector_Intrinsics_vec256 + a221 = + Lib_IntVector_Intrinsics_vec256_add64(a211, + Lib_IntVector_Intrinsics_vec256_mul64(r11, r21)); + Lib_IntVector_Intrinsics_vec256 + a321 = + Lib_IntVector_Intrinsics_vec256_add64(a311, + Lib_IntVector_Intrinsics_vec256_mul64(r12, r21)); + Lib_IntVector_Intrinsics_vec256 + a421 = + Lib_IntVector_Intrinsics_vec256_add64(a411, + Lib_IntVector_Intrinsics_vec256_mul64(r13, r21)); + Lib_IntVector_Intrinsics_vec256 + a031 = + Lib_IntVector_Intrinsics_vec256_add64(a021, + Lib_IntVector_Intrinsics_vec256_mul64(r153, r22)); + Lib_IntVector_Intrinsics_vec256 + a131 = + Lib_IntVector_Intrinsics_vec256_add64(a121, + Lib_IntVector_Intrinsics_vec256_mul64(r154, r22)); + Lib_IntVector_Intrinsics_vec256 + a231 = + 
Lib_IntVector_Intrinsics_vec256_add64(a221, + Lib_IntVector_Intrinsics_vec256_mul64(r10, r22)); + Lib_IntVector_Intrinsics_vec256 + a331 = + Lib_IntVector_Intrinsics_vec256_add64(a321, + Lib_IntVector_Intrinsics_vec256_mul64(r11, r22)); + Lib_IntVector_Intrinsics_vec256 + a431 = + Lib_IntVector_Intrinsics_vec256_add64(a421, + Lib_IntVector_Intrinsics_vec256_mul64(r12, r22)); + Lib_IntVector_Intrinsics_vec256 + a041 = + Lib_IntVector_Intrinsics_vec256_add64(a031, + Lib_IntVector_Intrinsics_vec256_mul64(r152, r23)); + Lib_IntVector_Intrinsics_vec256 + a141 = + Lib_IntVector_Intrinsics_vec256_add64(a131, + Lib_IntVector_Intrinsics_vec256_mul64(r153, r23)); + Lib_IntVector_Intrinsics_vec256 + a241 = + Lib_IntVector_Intrinsics_vec256_add64(a231, + Lib_IntVector_Intrinsics_vec256_mul64(r154, r23)); + Lib_IntVector_Intrinsics_vec256 + a341 = + Lib_IntVector_Intrinsics_vec256_add64(a331, + Lib_IntVector_Intrinsics_vec256_mul64(r10, r23)); + Lib_IntVector_Intrinsics_vec256 + a441 = + Lib_IntVector_Intrinsics_vec256_add64(a431, + Lib_IntVector_Intrinsics_vec256_mul64(r11, r23)); + Lib_IntVector_Intrinsics_vec256 + a051 = + Lib_IntVector_Intrinsics_vec256_add64(a041, + Lib_IntVector_Intrinsics_vec256_mul64(r151, r24)); + Lib_IntVector_Intrinsics_vec256 + a151 = + Lib_IntVector_Intrinsics_vec256_add64(a141, + Lib_IntVector_Intrinsics_vec256_mul64(r152, r24)); + Lib_IntVector_Intrinsics_vec256 + a251 = + Lib_IntVector_Intrinsics_vec256_add64(a241, + Lib_IntVector_Intrinsics_vec256_mul64(r153, r24)); + Lib_IntVector_Intrinsics_vec256 + a351 = + Lib_IntVector_Intrinsics_vec256_add64(a341, + Lib_IntVector_Intrinsics_vec256_mul64(r154, r24)); + Lib_IntVector_Intrinsics_vec256 + a451 = + Lib_IntVector_Intrinsics_vec256_add64(a441, + Lib_IntVector_Intrinsics_vec256_mul64(r10, r24)); + Lib_IntVector_Intrinsics_vec256 t01 = a051; + Lib_IntVector_Intrinsics_vec256 t11 = a151; + Lib_IntVector_Intrinsics_vec256 t21 = a251; + Lib_IntVector_Intrinsics_vec256 t31 = a351; + 
Lib_IntVector_Intrinsics_vec256 t41 = a451; + Lib_IntVector_Intrinsics_vec256 + mask261 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z04 = Lib_IntVector_Intrinsics_vec256_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z14 = Lib_IntVector_Intrinsics_vec256_shift_right64(t31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x03 = Lib_IntVector_Intrinsics_vec256_and(t01, mask261); + Lib_IntVector_Intrinsics_vec256 x33 = Lib_IntVector_Intrinsics_vec256_and(t31, mask261); + Lib_IntVector_Intrinsics_vec256 x13 = Lib_IntVector_Intrinsics_vec256_add64(t11, z04); + Lib_IntVector_Intrinsics_vec256 x43 = Lib_IntVector_Intrinsics_vec256_add64(t41, z14); + Lib_IntVector_Intrinsics_vec256 + z011 = Lib_IntVector_Intrinsics_vec256_shift_right64(x13, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z111 = Lib_IntVector_Intrinsics_vec256_shift_right64(x43, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t6 = Lib_IntVector_Intrinsics_vec256_shift_left64(z111, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z120 = Lib_IntVector_Intrinsics_vec256_add64(z111, t6); + Lib_IntVector_Intrinsics_vec256 x111 = Lib_IntVector_Intrinsics_vec256_and(x13, mask261); + Lib_IntVector_Intrinsics_vec256 x411 = Lib_IntVector_Intrinsics_vec256_and(x43, mask261); + Lib_IntVector_Intrinsics_vec256 x22 = Lib_IntVector_Intrinsics_vec256_add64(t21, z011); + Lib_IntVector_Intrinsics_vec256 x011 = Lib_IntVector_Intrinsics_vec256_add64(x03, z120); + Lib_IntVector_Intrinsics_vec256 + z021 = Lib_IntVector_Intrinsics_vec256_shift_right64(x22, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z131 = Lib_IntVector_Intrinsics_vec256_shift_right64(x011, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x211 = Lib_IntVector_Intrinsics_vec256_and(x22, mask261); + Lib_IntVector_Intrinsics_vec256 x021 = Lib_IntVector_Intrinsics_vec256_and(x011, mask261); + Lib_IntVector_Intrinsics_vec256 x311 = 
Lib_IntVector_Intrinsics_vec256_add64(x33, z021); + Lib_IntVector_Intrinsics_vec256 x121 = Lib_IntVector_Intrinsics_vec256_add64(x111, z131); + Lib_IntVector_Intrinsics_vec256 + z031 = Lib_IntVector_Intrinsics_vec256_shift_right64(x311, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x321 = Lib_IntVector_Intrinsics_vec256_and(x311, mask261); + Lib_IntVector_Intrinsics_vec256 x421 = Lib_IntVector_Intrinsics_vec256_add64(x411, z031); + Lib_IntVector_Intrinsics_vec256 r30 = x021; + Lib_IntVector_Intrinsics_vec256 r31 = x121; + Lib_IntVector_Intrinsics_vec256 r32 = x211; + Lib_IntVector_Intrinsics_vec256 r33 = x321; + Lib_IntVector_Intrinsics_vec256 r34 = x421; + Lib_IntVector_Intrinsics_vec256 + v12120 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r20, r10); + Lib_IntVector_Intrinsics_vec256 + v34340 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r40, r30); + Lib_IntVector_Intrinsics_vec256 + r12340 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v34340, v12120); + Lib_IntVector_Intrinsics_vec256 + v12121 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r21, r11); + Lib_IntVector_Intrinsics_vec256 + v34341 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r41, r31); + Lib_IntVector_Intrinsics_vec256 + r12341 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v34341, v12121); + Lib_IntVector_Intrinsics_vec256 + v12122 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r22, r12); + Lib_IntVector_Intrinsics_vec256 + v34342 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r42, r32); + Lib_IntVector_Intrinsics_vec256 + r12342 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v34342, v12122); + Lib_IntVector_Intrinsics_vec256 + v12123 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r23, r13); + Lib_IntVector_Intrinsics_vec256 + v34343 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r43, r33); + Lib_IntVector_Intrinsics_vec256 + r12343 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v34343, v12123); + Lib_IntVector_Intrinsics_vec256 + v12124 
= Lib_IntVector_Intrinsics_vec256_interleave_low64(r24, r14); + Lib_IntVector_Intrinsics_vec256 + v34344 = Lib_IntVector_Intrinsics_vec256_interleave_low64(r44, r34); + Lib_IntVector_Intrinsics_vec256 + r12344 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v34344, v12124); + Lib_IntVector_Intrinsics_vec256 + r123451 = Lib_IntVector_Intrinsics_vec256_smul64(r12341, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec256 + r123452 = Lib_IntVector_Intrinsics_vec256_smul64(r12342, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec256 + r123453 = Lib_IntVector_Intrinsics_vec256_smul64(r12343, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec256 + r123454 = Lib_IntVector_Intrinsics_vec256_smul64(r12344, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec256 a01 = Lib_IntVector_Intrinsics_vec256_mul64(r12340, a0); + Lib_IntVector_Intrinsics_vec256 a11 = Lib_IntVector_Intrinsics_vec256_mul64(r12341, a0); + Lib_IntVector_Intrinsics_vec256 a21 = Lib_IntVector_Intrinsics_vec256_mul64(r12342, a0); + Lib_IntVector_Intrinsics_vec256 a31 = Lib_IntVector_Intrinsics_vec256_mul64(r12343, a0); + Lib_IntVector_Intrinsics_vec256 a41 = Lib_IntVector_Intrinsics_vec256_mul64(r12344, a0); + Lib_IntVector_Intrinsics_vec256 + a02 = + Lib_IntVector_Intrinsics_vec256_add64(a01, + Lib_IntVector_Intrinsics_vec256_mul64(r123454, a1)); + Lib_IntVector_Intrinsics_vec256 + a12 = + Lib_IntVector_Intrinsics_vec256_add64(a11, + Lib_IntVector_Intrinsics_vec256_mul64(r12340, a1)); + Lib_IntVector_Intrinsics_vec256 + a22 = + Lib_IntVector_Intrinsics_vec256_add64(a21, + Lib_IntVector_Intrinsics_vec256_mul64(r12341, a1)); + Lib_IntVector_Intrinsics_vec256 + a32 = + Lib_IntVector_Intrinsics_vec256_add64(a31, + Lib_IntVector_Intrinsics_vec256_mul64(r12342, a1)); + Lib_IntVector_Intrinsics_vec256 + a42 = + Lib_IntVector_Intrinsics_vec256_add64(a41, + Lib_IntVector_Intrinsics_vec256_mul64(r12343, a1)); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + 
Lib_IntVector_Intrinsics_vec256_mul64(r123453, a2)); + Lib_IntVector_Intrinsics_vec256 + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r123454, a2)); + Lib_IntVector_Intrinsics_vec256 + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r12340, a2)); + Lib_IntVector_Intrinsics_vec256 + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r12341, a2)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r12342, a2)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r123452, a3)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r123453, a3)); + Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r123454, a3)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r12340, a3)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r12341, a3)); + Lib_IntVector_Intrinsics_vec256 + a05 = + Lib_IntVector_Intrinsics_vec256_add64(a04, + Lib_IntVector_Intrinsics_vec256_mul64(r123451, a4)); + Lib_IntVector_Intrinsics_vec256 + a15 = + Lib_IntVector_Intrinsics_vec256_add64(a14, + Lib_IntVector_Intrinsics_vec256_mul64(r123452, a4)); + Lib_IntVector_Intrinsics_vec256 + a25 = + Lib_IntVector_Intrinsics_vec256_add64(a24, + Lib_IntVector_Intrinsics_vec256_mul64(r123453, a4)); + Lib_IntVector_Intrinsics_vec256 + a35 = + Lib_IntVector_Intrinsics_vec256_add64(a34, + Lib_IntVector_Intrinsics_vec256_mul64(r123454, a4)); + Lib_IntVector_Intrinsics_vec256 + a45 = + Lib_IntVector_Intrinsics_vec256_add64(a44, + 
Lib_IntVector_Intrinsics_vec256_mul64(r12340, a4)); + Lib_IntVector_Intrinsics_vec256 t0 = a05; + Lib_IntVector_Intrinsics_vec256 t1 = a15; + Lib_IntVector_Intrinsics_vec256 t2 = a25; + Lib_IntVector_Intrinsics_vec256 t3 = a35; + Lib_IntVector_Intrinsics_vec256 t4 = a45; + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_and(t0, mask26); + Lib_IntVector_Intrinsics_vec256 x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t1, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z121 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + Lib_IntVector_Intrinsics_vec256 x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + Lib_IntVector_Intrinsics_vec256 x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z121); + Lib_IntVector_Intrinsics_vec256 + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x21 = 
Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 x12 = Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + Lib_IntVector_Intrinsics_vec256 x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o0 = x02; + Lib_IntVector_Intrinsics_vec256 o10 = x12; + Lib_IntVector_Intrinsics_vec256 o20 = x21; + Lib_IntVector_Intrinsics_vec256 o30 = x32; + Lib_IntVector_Intrinsics_vec256 o40 = x42; + Lib_IntVector_Intrinsics_vec256 + v00 = Lib_IntVector_Intrinsics_vec256_interleave_high128(o0, o0); + Lib_IntVector_Intrinsics_vec256 v10 = Lib_IntVector_Intrinsics_vec256_add64(o0, v00); + Lib_IntVector_Intrinsics_vec256 + v10h = Lib_IntVector_Intrinsics_vec256_interleave_high64(v10, v10); + Lib_IntVector_Intrinsics_vec256 v20 = Lib_IntVector_Intrinsics_vec256_add64(v10, v10h); + Lib_IntVector_Intrinsics_vec256 + v01 = Lib_IntVector_Intrinsics_vec256_interleave_high128(o10, o10); + Lib_IntVector_Intrinsics_vec256 v11 = Lib_IntVector_Intrinsics_vec256_add64(o10, v01); + Lib_IntVector_Intrinsics_vec256 + v11h = Lib_IntVector_Intrinsics_vec256_interleave_high64(v11, v11); + Lib_IntVector_Intrinsics_vec256 v21 = Lib_IntVector_Intrinsics_vec256_add64(v11, v11h); + Lib_IntVector_Intrinsics_vec256 + v02 = Lib_IntVector_Intrinsics_vec256_interleave_high128(o20, o20); + Lib_IntVector_Intrinsics_vec256 v12 = Lib_IntVector_Intrinsics_vec256_add64(o20, v02); + Lib_IntVector_Intrinsics_vec256 + v12h = Lib_IntVector_Intrinsics_vec256_interleave_high64(v12, v12); + Lib_IntVector_Intrinsics_vec256 v22 = Lib_IntVector_Intrinsics_vec256_add64(v12, v12h); + 
Lib_IntVector_Intrinsics_vec256 + v03 = Lib_IntVector_Intrinsics_vec256_interleave_high128(o30, o30); + Lib_IntVector_Intrinsics_vec256 v13 = Lib_IntVector_Intrinsics_vec256_add64(o30, v03); + Lib_IntVector_Intrinsics_vec256 + v13h = Lib_IntVector_Intrinsics_vec256_interleave_high64(v13, v13); + Lib_IntVector_Intrinsics_vec256 v23 = Lib_IntVector_Intrinsics_vec256_add64(v13, v13h); + Lib_IntVector_Intrinsics_vec256 + v04 = Lib_IntVector_Intrinsics_vec256_interleave_high128(o40, o40); + Lib_IntVector_Intrinsics_vec256 v14 = Lib_IntVector_Intrinsics_vec256_add64(o40, v04); + Lib_IntVector_Intrinsics_vec256 + v14h = Lib_IntVector_Intrinsics_vec256_interleave_high64(v14, v14); + Lib_IntVector_Intrinsics_vec256 v24 = Lib_IntVector_Intrinsics_vec256_add64(v14, v14h); + Lib_IntVector_Intrinsics_vec256 + l = Lib_IntVector_Intrinsics_vec256_add64(v20, Lib_IntVector_Intrinsics_vec256_zero); + Lib_IntVector_Intrinsics_vec256 + tmp0 = + Lib_IntVector_Intrinsics_vec256_and(l, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c0 = Lib_IntVector_Intrinsics_vec256_shift_right64(l, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l0 = Lib_IntVector_Intrinsics_vec256_add64(v21, c0); + Lib_IntVector_Intrinsics_vec256 + tmp1 = + Lib_IntVector_Intrinsics_vec256_and(l0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c1 = Lib_IntVector_Intrinsics_vec256_shift_right64(l0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l1 = Lib_IntVector_Intrinsics_vec256_add64(v22, c1); + Lib_IntVector_Intrinsics_vec256 + tmp2 = + Lib_IntVector_Intrinsics_vec256_and(l1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c2 = Lib_IntVector_Intrinsics_vec256_shift_right64(l1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l2 = Lib_IntVector_Intrinsics_vec256_add64(v23, c2); + Lib_IntVector_Intrinsics_vec256 + tmp3 = + 
Lib_IntVector_Intrinsics_vec256_and(l2, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c3 = Lib_IntVector_Intrinsics_vec256_shift_right64(l2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l3 = Lib_IntVector_Intrinsics_vec256_add64(v24, c3); + Lib_IntVector_Intrinsics_vec256 + tmp4 = + Lib_IntVector_Intrinsics_vec256_and(l3, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c4 = Lib_IntVector_Intrinsics_vec256_shift_right64(l3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + o00 = + Lib_IntVector_Intrinsics_vec256_add64(tmp0, + Lib_IntVector_Intrinsics_vec256_smul64(c4, (uint64_t)5U)); + Lib_IntVector_Intrinsics_vec256 o1 = tmp1; + Lib_IntVector_Intrinsics_vec256 o2 = tmp2; + Lib_IntVector_Intrinsics_vec256 o3 = tmp3; + Lib_IntVector_Intrinsics_vec256 o4 = tmp4; + out[0U] = o00; + out[1U] = o1; + out[2U] = o2; + out[3U] = o3; + out[4U] = o4; +} + +uint32_t Hacl_Poly1305_256_blocklen = (uint32_t)16U; + +void Hacl_Poly1305_256_poly1305_init(Lib_IntVector_Intrinsics_vec256 *ctx, uint8_t *key) +{ + Lib_IntVector_Intrinsics_vec256 *acc = ctx; + Lib_IntVector_Intrinsics_vec256 *pre = ctx + (uint32_t)5U; + uint8_t *kr = key; + acc[0U] = Lib_IntVector_Intrinsics_vec256_zero; + acc[1U] = Lib_IntVector_Intrinsics_vec256_zero; + acc[2U] = Lib_IntVector_Intrinsics_vec256_zero; + acc[3U] = Lib_IntVector_Intrinsics_vec256_zero; + acc[4U] = Lib_IntVector_Intrinsics_vec256_zero; + uint64_t u0 = load64_le(kr); + uint64_t lo = u0; + uint64_t u = load64_le(kr + (uint32_t)8U); + uint64_t hi = u; + uint64_t mask0 = (uint64_t)0x0ffffffc0fffffffU; + uint64_t mask1 = (uint64_t)0x0ffffffc0ffffffcU; + uint64_t lo1 = lo & mask0; + uint64_t hi1 = hi & mask1; + Lib_IntVector_Intrinsics_vec256 *r = pre; + Lib_IntVector_Intrinsics_vec256 *r5 = pre + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 *rn = pre + (uint32_t)10U; + Lib_IntVector_Intrinsics_vec256 *rn_5 = pre + (uint32_t)15U; 
+ Lib_IntVector_Intrinsics_vec256 r_vec0 = Lib_IntVector_Intrinsics_vec256_load64(lo1); + Lib_IntVector_Intrinsics_vec256 r_vec1 = Lib_IntVector_Intrinsics_vec256_load64(hi1); + Lib_IntVector_Intrinsics_vec256 + f00 = + Lib_IntVector_Intrinsics_vec256_and(r_vec0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f15 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(r_vec0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f20 = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_right64(r_vec0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec256_shift_left64(Lib_IntVector_Intrinsics_vec256_and(r_vec1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec256 + f30 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(r_vec1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f40 = Lib_IntVector_Intrinsics_vec256_shift_right64(r_vec1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 f0 = f00; + Lib_IntVector_Intrinsics_vec256 f1 = f15; + Lib_IntVector_Intrinsics_vec256 f2 = f20; + Lib_IntVector_Intrinsics_vec256 f3 = f30; + Lib_IntVector_Intrinsics_vec256 f4 = f40; + r[0U] = f0; + r[1U] = f1; + r[2U] = f2; + r[3U] = f3; + r[4U] = f4; + Lib_IntVector_Intrinsics_vec256 f200 = r[0U]; + Lib_IntVector_Intrinsics_vec256 f210 = r[1U]; + Lib_IntVector_Intrinsics_vec256 f220 = r[2U]; + Lib_IntVector_Intrinsics_vec256 f230 = r[3U]; + Lib_IntVector_Intrinsics_vec256 f240 = r[4U]; + r5[0U] = Lib_IntVector_Intrinsics_vec256_smul64(f200, (uint64_t)5U); + r5[1U] = Lib_IntVector_Intrinsics_vec256_smul64(f210, (uint64_t)5U); + r5[2U] = Lib_IntVector_Intrinsics_vec256_smul64(f220, (uint64_t)5U); + r5[3U] = Lib_IntVector_Intrinsics_vec256_smul64(f230, 
(uint64_t)5U); + r5[4U] = Lib_IntVector_Intrinsics_vec256_smul64(f240, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec256 r0 = r[0U]; + Lib_IntVector_Intrinsics_vec256 r10 = r[1U]; + Lib_IntVector_Intrinsics_vec256 r20 = r[2U]; + Lib_IntVector_Intrinsics_vec256 r30 = r[3U]; + Lib_IntVector_Intrinsics_vec256 r40 = r[4U]; + Lib_IntVector_Intrinsics_vec256 r510 = r5[1U]; + Lib_IntVector_Intrinsics_vec256 r520 = r5[2U]; + Lib_IntVector_Intrinsics_vec256 r530 = r5[3U]; + Lib_IntVector_Intrinsics_vec256 r540 = r5[4U]; + Lib_IntVector_Intrinsics_vec256 f100 = r[0U]; + Lib_IntVector_Intrinsics_vec256 f110 = r[1U]; + Lib_IntVector_Intrinsics_vec256 f120 = r[2U]; + Lib_IntVector_Intrinsics_vec256 f130 = r[3U]; + Lib_IntVector_Intrinsics_vec256 f140 = r[4U]; + Lib_IntVector_Intrinsics_vec256 a00 = Lib_IntVector_Intrinsics_vec256_mul64(r0, f100); + Lib_IntVector_Intrinsics_vec256 a10 = Lib_IntVector_Intrinsics_vec256_mul64(r10, f100); + Lib_IntVector_Intrinsics_vec256 a20 = Lib_IntVector_Intrinsics_vec256_mul64(r20, f100); + Lib_IntVector_Intrinsics_vec256 a30 = Lib_IntVector_Intrinsics_vec256_mul64(r30, f100); + Lib_IntVector_Intrinsics_vec256 a40 = Lib_IntVector_Intrinsics_vec256_mul64(r40, f100); + Lib_IntVector_Intrinsics_vec256 + a010 = + Lib_IntVector_Intrinsics_vec256_add64(a00, + Lib_IntVector_Intrinsics_vec256_mul64(r540, f110)); + Lib_IntVector_Intrinsics_vec256 + a110 = + Lib_IntVector_Intrinsics_vec256_add64(a10, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f110)); + Lib_IntVector_Intrinsics_vec256 + a210 = + Lib_IntVector_Intrinsics_vec256_add64(a20, + Lib_IntVector_Intrinsics_vec256_mul64(r10, f110)); + Lib_IntVector_Intrinsics_vec256 + a310 = + Lib_IntVector_Intrinsics_vec256_add64(a30, + Lib_IntVector_Intrinsics_vec256_mul64(r20, f110)); + Lib_IntVector_Intrinsics_vec256 + a410 = + Lib_IntVector_Intrinsics_vec256_add64(a40, + Lib_IntVector_Intrinsics_vec256_mul64(r30, f110)); + Lib_IntVector_Intrinsics_vec256 + a020 = + Lib_IntVector_Intrinsics_vec256_add64(a010, 
+ Lib_IntVector_Intrinsics_vec256_mul64(r530, f120)); + Lib_IntVector_Intrinsics_vec256 + a120 = + Lib_IntVector_Intrinsics_vec256_add64(a110, + Lib_IntVector_Intrinsics_vec256_mul64(r540, f120)); + Lib_IntVector_Intrinsics_vec256 + a220 = + Lib_IntVector_Intrinsics_vec256_add64(a210, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f120)); + Lib_IntVector_Intrinsics_vec256 + a320 = + Lib_IntVector_Intrinsics_vec256_add64(a310, + Lib_IntVector_Intrinsics_vec256_mul64(r10, f120)); + Lib_IntVector_Intrinsics_vec256 + a420 = + Lib_IntVector_Intrinsics_vec256_add64(a410, + Lib_IntVector_Intrinsics_vec256_mul64(r20, f120)); + Lib_IntVector_Intrinsics_vec256 + a030 = + Lib_IntVector_Intrinsics_vec256_add64(a020, + Lib_IntVector_Intrinsics_vec256_mul64(r520, f130)); + Lib_IntVector_Intrinsics_vec256 + a130 = + Lib_IntVector_Intrinsics_vec256_add64(a120, + Lib_IntVector_Intrinsics_vec256_mul64(r530, f130)); + Lib_IntVector_Intrinsics_vec256 + a230 = + Lib_IntVector_Intrinsics_vec256_add64(a220, + Lib_IntVector_Intrinsics_vec256_mul64(r540, f130)); + Lib_IntVector_Intrinsics_vec256 + a330 = + Lib_IntVector_Intrinsics_vec256_add64(a320, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f130)); + Lib_IntVector_Intrinsics_vec256 + a430 = + Lib_IntVector_Intrinsics_vec256_add64(a420, + Lib_IntVector_Intrinsics_vec256_mul64(r10, f130)); + Lib_IntVector_Intrinsics_vec256 + a040 = + Lib_IntVector_Intrinsics_vec256_add64(a030, + Lib_IntVector_Intrinsics_vec256_mul64(r510, f140)); + Lib_IntVector_Intrinsics_vec256 + a140 = + Lib_IntVector_Intrinsics_vec256_add64(a130, + Lib_IntVector_Intrinsics_vec256_mul64(r520, f140)); + Lib_IntVector_Intrinsics_vec256 + a240 = + Lib_IntVector_Intrinsics_vec256_add64(a230, + Lib_IntVector_Intrinsics_vec256_mul64(r530, f140)); + Lib_IntVector_Intrinsics_vec256 + a340 = + Lib_IntVector_Intrinsics_vec256_add64(a330, + Lib_IntVector_Intrinsics_vec256_mul64(r540, f140)); + Lib_IntVector_Intrinsics_vec256 + a440 = + Lib_IntVector_Intrinsics_vec256_add64(a430, + 
Lib_IntVector_Intrinsics_vec256_mul64(r0, f140)); + Lib_IntVector_Intrinsics_vec256 t00 = a040; + Lib_IntVector_Intrinsics_vec256 t10 = a140; + Lib_IntVector_Intrinsics_vec256 t20 = a240; + Lib_IntVector_Intrinsics_vec256 t30 = a340; + Lib_IntVector_Intrinsics_vec256 t40 = a440; + Lib_IntVector_Intrinsics_vec256 + mask260 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z00 = Lib_IntVector_Intrinsics_vec256_shift_right64(t00, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z10 = Lib_IntVector_Intrinsics_vec256_shift_right64(t30, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x00 = Lib_IntVector_Intrinsics_vec256_and(t00, mask260); + Lib_IntVector_Intrinsics_vec256 x30 = Lib_IntVector_Intrinsics_vec256_and(t30, mask260); + Lib_IntVector_Intrinsics_vec256 x10 = Lib_IntVector_Intrinsics_vec256_add64(t10, z00); + Lib_IntVector_Intrinsics_vec256 x40 = Lib_IntVector_Intrinsics_vec256_add64(t40, z10); + Lib_IntVector_Intrinsics_vec256 + z010 = Lib_IntVector_Intrinsics_vec256_shift_right64(x10, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z110 = Lib_IntVector_Intrinsics_vec256_shift_right64(x40, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t5 = Lib_IntVector_Intrinsics_vec256_shift_left64(z110, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z110, t5); + Lib_IntVector_Intrinsics_vec256 x110 = Lib_IntVector_Intrinsics_vec256_and(x10, mask260); + Lib_IntVector_Intrinsics_vec256 x410 = Lib_IntVector_Intrinsics_vec256_and(x40, mask260); + Lib_IntVector_Intrinsics_vec256 x20 = Lib_IntVector_Intrinsics_vec256_add64(t20, z010); + Lib_IntVector_Intrinsics_vec256 x010 = Lib_IntVector_Intrinsics_vec256_add64(x00, z12); + Lib_IntVector_Intrinsics_vec256 + z020 = Lib_IntVector_Intrinsics_vec256_shift_right64(x20, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z130 = Lib_IntVector_Intrinsics_vec256_shift_right64(x010, (uint32_t)26U); + 
Lib_IntVector_Intrinsics_vec256 x210 = Lib_IntVector_Intrinsics_vec256_and(x20, mask260); + Lib_IntVector_Intrinsics_vec256 x020 = Lib_IntVector_Intrinsics_vec256_and(x010, mask260); + Lib_IntVector_Intrinsics_vec256 x310 = Lib_IntVector_Intrinsics_vec256_add64(x30, z020); + Lib_IntVector_Intrinsics_vec256 x120 = Lib_IntVector_Intrinsics_vec256_add64(x110, z130); + Lib_IntVector_Intrinsics_vec256 + z030 = Lib_IntVector_Intrinsics_vec256_shift_right64(x310, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x320 = Lib_IntVector_Intrinsics_vec256_and(x310, mask260); + Lib_IntVector_Intrinsics_vec256 x420 = Lib_IntVector_Intrinsics_vec256_add64(x410, z030); + Lib_IntVector_Intrinsics_vec256 o00 = x020; + Lib_IntVector_Intrinsics_vec256 o10 = x120; + Lib_IntVector_Intrinsics_vec256 o20 = x210; + Lib_IntVector_Intrinsics_vec256 o30 = x320; + Lib_IntVector_Intrinsics_vec256 o40 = x420; + rn[0U] = o00; + rn[1U] = o10; + rn[2U] = o20; + rn[3U] = o30; + rn[4U] = o40; + Lib_IntVector_Intrinsics_vec256 f201 = rn[0U]; + Lib_IntVector_Intrinsics_vec256 f211 = rn[1U]; + Lib_IntVector_Intrinsics_vec256 f221 = rn[2U]; + Lib_IntVector_Intrinsics_vec256 f231 = rn[3U]; + Lib_IntVector_Intrinsics_vec256 f241 = rn[4U]; + rn_5[0U] = Lib_IntVector_Intrinsics_vec256_smul64(f201, (uint64_t)5U); + rn_5[1U] = Lib_IntVector_Intrinsics_vec256_smul64(f211, (uint64_t)5U); + rn_5[2U] = Lib_IntVector_Intrinsics_vec256_smul64(f221, (uint64_t)5U); + rn_5[3U] = Lib_IntVector_Intrinsics_vec256_smul64(f231, (uint64_t)5U); + rn_5[4U] = Lib_IntVector_Intrinsics_vec256_smul64(f241, (uint64_t)5U); + Lib_IntVector_Intrinsics_vec256 r00 = rn[0U]; + Lib_IntVector_Intrinsics_vec256 r1 = rn[1U]; + Lib_IntVector_Intrinsics_vec256 r2 = rn[2U]; + Lib_IntVector_Intrinsics_vec256 r3 = rn[3U]; + Lib_IntVector_Intrinsics_vec256 r4 = rn[4U]; + Lib_IntVector_Intrinsics_vec256 r51 = rn_5[1U]; + Lib_IntVector_Intrinsics_vec256 r52 = rn_5[2U]; + Lib_IntVector_Intrinsics_vec256 r53 = rn_5[3U]; + 
Lib_IntVector_Intrinsics_vec256 r54 = rn_5[4U]; + Lib_IntVector_Intrinsics_vec256 f10 = rn[0U]; + Lib_IntVector_Intrinsics_vec256 f11 = rn[1U]; + Lib_IntVector_Intrinsics_vec256 f12 = rn[2U]; + Lib_IntVector_Intrinsics_vec256 f13 = rn[3U]; + Lib_IntVector_Intrinsics_vec256 f14 = rn[4U]; + Lib_IntVector_Intrinsics_vec256 a0 = Lib_IntVector_Intrinsics_vec256_mul64(r00, f10); + Lib_IntVector_Intrinsics_vec256 a1 = Lib_IntVector_Intrinsics_vec256_mul64(r1, f10); + Lib_IntVector_Intrinsics_vec256 a2 = Lib_IntVector_Intrinsics_vec256_mul64(r2, f10); + Lib_IntVector_Intrinsics_vec256 a3 = Lib_IntVector_Intrinsics_vec256_mul64(r3, f10); + Lib_IntVector_Intrinsics_vec256 a4 = Lib_IntVector_Intrinsics_vec256_mul64(r4, f10); + Lib_IntVector_Intrinsics_vec256 + a01 = + Lib_IntVector_Intrinsics_vec256_add64(a0, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f11)); + Lib_IntVector_Intrinsics_vec256 + a11 = + Lib_IntVector_Intrinsics_vec256_add64(a1, + Lib_IntVector_Intrinsics_vec256_mul64(r00, f11)); + Lib_IntVector_Intrinsics_vec256 + a21 = Lib_IntVector_Intrinsics_vec256_add64(a2, Lib_IntVector_Intrinsics_vec256_mul64(r1, f11)); + Lib_IntVector_Intrinsics_vec256 + a31 = Lib_IntVector_Intrinsics_vec256_add64(a3, Lib_IntVector_Intrinsics_vec256_mul64(r2, f11)); + Lib_IntVector_Intrinsics_vec256 + a41 = Lib_IntVector_Intrinsics_vec256_add64(a4, Lib_IntVector_Intrinsics_vec256_mul64(r3, f11)); + Lib_IntVector_Intrinsics_vec256 + a02 = + Lib_IntVector_Intrinsics_vec256_add64(a01, + Lib_IntVector_Intrinsics_vec256_mul64(r53, f12)); + Lib_IntVector_Intrinsics_vec256 + a12 = + Lib_IntVector_Intrinsics_vec256_add64(a11, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f12)); + Lib_IntVector_Intrinsics_vec256 + a22 = + Lib_IntVector_Intrinsics_vec256_add64(a21, + Lib_IntVector_Intrinsics_vec256_mul64(r00, f12)); + Lib_IntVector_Intrinsics_vec256 + a32 = + Lib_IntVector_Intrinsics_vec256_add64(a31, + Lib_IntVector_Intrinsics_vec256_mul64(r1, f12)); + Lib_IntVector_Intrinsics_vec256 + a42 = + 
Lib_IntVector_Intrinsics_vec256_add64(a41, + Lib_IntVector_Intrinsics_vec256_mul64(r2, f12)); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r52, f13)); + Lib_IntVector_Intrinsics_vec256 + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r53, f13)); + Lib_IntVector_Intrinsics_vec256 + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f13)); + Lib_IntVector_Intrinsics_vec256 + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r00, f13)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r1, f13)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r51, f14)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r52, f14)); + Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r53, f14)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f14)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r00, f14)); + Lib_IntVector_Intrinsics_vec256 t0 = a04; + Lib_IntVector_Intrinsics_vec256 t1 = a14; + Lib_IntVector_Intrinsics_vec256 t2 = a24; + Lib_IntVector_Intrinsics_vec256 t3 = a34; + Lib_IntVector_Intrinsics_vec256 t4 = a44; + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z1 = 
Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_and(t0, mask26); + Lib_IntVector_Intrinsics_vec256 x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t1, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z120 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + Lib_IntVector_Intrinsics_vec256 x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + Lib_IntVector_Intrinsics_vec256 x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z120); + Lib_IntVector_Intrinsics_vec256 + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 x12 = Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + Lib_IntVector_Intrinsics_vec256 x42 = 
Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o0 = x02; + Lib_IntVector_Intrinsics_vec256 o1 = x12; + Lib_IntVector_Intrinsics_vec256 o2 = x21; + Lib_IntVector_Intrinsics_vec256 o3 = x32; + Lib_IntVector_Intrinsics_vec256 o4 = x42; + rn[0U] = o0; + rn[1U] = o1; + rn[2U] = o2; + rn[3U] = o3; + rn[4U] = o4; + Lib_IntVector_Intrinsics_vec256 f202 = rn[0U]; + Lib_IntVector_Intrinsics_vec256 f21 = rn[1U]; + Lib_IntVector_Intrinsics_vec256 f22 = rn[2U]; + Lib_IntVector_Intrinsics_vec256 f23 = rn[3U]; + Lib_IntVector_Intrinsics_vec256 f24 = rn[4U]; + rn_5[0U] = Lib_IntVector_Intrinsics_vec256_smul64(f202, (uint64_t)5U); + rn_5[1U] = Lib_IntVector_Intrinsics_vec256_smul64(f21, (uint64_t)5U); + rn_5[2U] = Lib_IntVector_Intrinsics_vec256_smul64(f22, (uint64_t)5U); + rn_5[3U] = Lib_IntVector_Intrinsics_vec256_smul64(f23, (uint64_t)5U); + rn_5[4U] = Lib_IntVector_Intrinsics_vec256_smul64(f24, (uint64_t)5U); +} + +void Hacl_Poly1305_256_poly1305_update1(Lib_IntVector_Intrinsics_vec256 *ctx, uint8_t *text) +{ + Lib_IntVector_Intrinsics_vec256 *pre = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 *acc = ctx; + Lib_IntVector_Intrinsics_vec256 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + uint64_t u0 = load64_le(text); + uint64_t lo = u0; + uint64_t u = load64_le(text + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec256 f0 = Lib_IntVector_Intrinsics_vec256_load64(lo); + Lib_IntVector_Intrinsics_vec256 f1 = Lib_IntVector_Intrinsics_vec256_load64(hi); + Lib_IntVector_Intrinsics_vec256 + f010 = + Lib_IntVector_Intrinsics_vec256_and(f0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f110 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f20 = + 
Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec256_shift_left64(Lib_IntVector_Intrinsics_vec256_and(f1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec256 + f30 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f40 = Lib_IntVector_Intrinsics_vec256_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 f01 = f010; + Lib_IntVector_Intrinsics_vec256 f111 = f110; + Lib_IntVector_Intrinsics_vec256 f2 = f20; + Lib_IntVector_Intrinsics_vec256 f3 = f30; + Lib_IntVector_Intrinsics_vec256 f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_load64(b); + Lib_IntVector_Intrinsics_vec256 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec256_or(f4, mask); + Lib_IntVector_Intrinsics_vec256 *r = pre; + Lib_IntVector_Intrinsics_vec256 *r5 = pre + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 r0 = r[0U]; + Lib_IntVector_Intrinsics_vec256 r1 = r[1U]; + Lib_IntVector_Intrinsics_vec256 r2 = r[2U]; + Lib_IntVector_Intrinsics_vec256 r3 = r[3U]; + Lib_IntVector_Intrinsics_vec256 r4 = r[4U]; + Lib_IntVector_Intrinsics_vec256 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec256 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec256 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec256 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec256 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec256 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec256 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec256 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec256 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec256 a0 = acc[0U]; + Lib_IntVector_Intrinsics_vec256 a1 = acc[1U]; + 
Lib_IntVector_Intrinsics_vec256 a2 = acc[2U]; + Lib_IntVector_Intrinsics_vec256 a3 = acc[3U]; + Lib_IntVector_Intrinsics_vec256 a4 = acc[4U]; + Lib_IntVector_Intrinsics_vec256 a01 = Lib_IntVector_Intrinsics_vec256_add64(a0, f10); + Lib_IntVector_Intrinsics_vec256 a11 = Lib_IntVector_Intrinsics_vec256_add64(a1, f11); + Lib_IntVector_Intrinsics_vec256 a21 = Lib_IntVector_Intrinsics_vec256_add64(a2, f12); + Lib_IntVector_Intrinsics_vec256 a31 = Lib_IntVector_Intrinsics_vec256_add64(a3, f13); + Lib_IntVector_Intrinsics_vec256 a41 = Lib_IntVector_Intrinsics_vec256_add64(a4, f14); + Lib_IntVector_Intrinsics_vec256 a02 = Lib_IntVector_Intrinsics_vec256_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec256 a12 = Lib_IntVector_Intrinsics_vec256_mul64(r1, a01); + Lib_IntVector_Intrinsics_vec256 a22 = Lib_IntVector_Intrinsics_vec256_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec256 a32 = Lib_IntVector_Intrinsics_vec256_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec256 a42 = Lib_IntVector_Intrinsics_vec256_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec256 + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec256 + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a11)); + Lib_IntVector_Intrinsics_vec256 + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a21)); + 
Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a21)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec256 + a05 = + Lib_IntVector_Intrinsics_vec256_add64(a04, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec256 + a15 = + Lib_IntVector_Intrinsics_vec256_add64(a14, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec256 + a25 = + Lib_IntVector_Intrinsics_vec256_add64(a24, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec256 + a35 = + Lib_IntVector_Intrinsics_vec256_add64(a34, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec256 + a45 = + Lib_IntVector_Intrinsics_vec256_add64(a44, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a31)); + Lib_IntVector_Intrinsics_vec256 + a06 = + Lib_IntVector_Intrinsics_vec256_add64(a05, + Lib_IntVector_Intrinsics_vec256_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec256 + a16 = + Lib_IntVector_Intrinsics_vec256_add64(a15, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec256 + a26 = + Lib_IntVector_Intrinsics_vec256_add64(a25, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec256 + a36 = + Lib_IntVector_Intrinsics_vec256_add64(a35, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec256 + a46 = + Lib_IntVector_Intrinsics_vec256_add64(a45, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec256 t0 = a06; + Lib_IntVector_Intrinsics_vec256 t1 = a16; + Lib_IntVector_Intrinsics_vec256 t2 = a26; + Lib_IntVector_Intrinsics_vec256 t3 = a36; + 
Lib_IntVector_Intrinsics_vec256 t4 = a46; + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_and(t0, mask26); + Lib_IntVector_Intrinsics_vec256 x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t1, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + Lib_IntVector_Intrinsics_vec256 x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + Lib_IntVector_Intrinsics_vec256 x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + Lib_IntVector_Intrinsics_vec256 + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 x12 = 
Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + Lib_IntVector_Intrinsics_vec256 x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o0 = x02; + Lib_IntVector_Intrinsics_vec256 o1 = x12; + Lib_IntVector_Intrinsics_vec256 o2 = x21; + Lib_IntVector_Intrinsics_vec256 o3 = x32; + Lib_IntVector_Intrinsics_vec256 o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; +} + +void +Hacl_Poly1305_256_poly1305_update( + Lib_IntVector_Intrinsics_vec256 *ctx, + uint32_t len, + uint8_t *text +) +{ + Lib_IntVector_Intrinsics_vec256 *pre = ctx + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 *acc = ctx; + uint32_t sz_block = (uint32_t)64U; + uint32_t len0 = len / sz_block * sz_block; + uint8_t *t0 = text; + if (len0 > (uint32_t)0U) + { + uint32_t bs = (uint32_t)64U; + uint8_t *text0 = t0; + Hacl_Impl_Poly1305_Field32xN_256_load_acc4(acc, text0); + uint32_t len1 = len0 - bs; + uint8_t *text1 = t0 + bs; + uint32_t nb = len1 / bs; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = text1 + i * bs; + Lib_IntVector_Intrinsics_vec256 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 lo = Lib_IntVector_Intrinsics_vec256_load64_le(block); + Lib_IntVector_Intrinsics_vec256 + hi = Lib_IntVector_Intrinsics_vec256_load64_le(block + (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 + mask260 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + m0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(lo, hi); + Lib_IntVector_Intrinsics_vec256 + m1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(lo, hi); + Lib_IntVector_Intrinsics_vec256 + m2 = 
Lib_IntVector_Intrinsics_vec256_shift_right(m0, (uint32_t)48U); + Lib_IntVector_Intrinsics_vec256 + m3 = Lib_IntVector_Intrinsics_vec256_shift_right(m1, (uint32_t)48U); + Lib_IntVector_Intrinsics_vec256 + m4 = Lib_IntVector_Intrinsics_vec256_interleave_high64(m0, m1); + Lib_IntVector_Intrinsics_vec256 + t010 = Lib_IntVector_Intrinsics_vec256_interleave_low64(m0, m1); + Lib_IntVector_Intrinsics_vec256 + t30 = Lib_IntVector_Intrinsics_vec256_interleave_low64(m2, m3); + Lib_IntVector_Intrinsics_vec256 + t20 = Lib_IntVector_Intrinsics_vec256_shift_right64(t30, (uint32_t)4U); + Lib_IntVector_Intrinsics_vec256 o20 = Lib_IntVector_Intrinsics_vec256_and(t20, mask260); + Lib_IntVector_Intrinsics_vec256 + t10 = Lib_IntVector_Intrinsics_vec256_shift_right64(t010, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 o10 = Lib_IntVector_Intrinsics_vec256_and(t10, mask260); + Lib_IntVector_Intrinsics_vec256 o5 = Lib_IntVector_Intrinsics_vec256_and(t010, mask260); + Lib_IntVector_Intrinsics_vec256 + t31 = Lib_IntVector_Intrinsics_vec256_shift_right64(t30, (uint32_t)30U); + Lib_IntVector_Intrinsics_vec256 o30 = Lib_IntVector_Intrinsics_vec256_and(t31, mask260); + Lib_IntVector_Intrinsics_vec256 + o40 = Lib_IntVector_Intrinsics_vec256_shift_right64(m4, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 o00 = o5; + Lib_IntVector_Intrinsics_vec256 o11 = o10; + Lib_IntVector_Intrinsics_vec256 o21 = o20; + Lib_IntVector_Intrinsics_vec256 o31 = o30; + Lib_IntVector_Intrinsics_vec256 o41 = o40; + e[0U] = o00; + e[1U] = o11; + e[2U] = o21; + e[3U] = o31; + e[4U] = o41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_load64(b); + Lib_IntVector_Intrinsics_vec256 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec256_or(f4, mask); + Lib_IntVector_Intrinsics_vec256 *rn = pre + (uint32_t)10U; + Lib_IntVector_Intrinsics_vec256 *rn5 = pre + (uint32_t)15U; + Lib_IntVector_Intrinsics_vec256 r0 = rn[0U]; + Lib_IntVector_Intrinsics_vec256 r1 = 
rn[1U]; + Lib_IntVector_Intrinsics_vec256 r2 = rn[2U]; + Lib_IntVector_Intrinsics_vec256 r3 = rn[3U]; + Lib_IntVector_Intrinsics_vec256 r4 = rn[4U]; + Lib_IntVector_Intrinsics_vec256 r51 = rn5[1U]; + Lib_IntVector_Intrinsics_vec256 r52 = rn5[2U]; + Lib_IntVector_Intrinsics_vec256 r53 = rn5[3U]; + Lib_IntVector_Intrinsics_vec256 r54 = rn5[4U]; + Lib_IntVector_Intrinsics_vec256 f10 = acc[0U]; + Lib_IntVector_Intrinsics_vec256 f110 = acc[1U]; + Lib_IntVector_Intrinsics_vec256 f120 = acc[2U]; + Lib_IntVector_Intrinsics_vec256 f130 = acc[3U]; + Lib_IntVector_Intrinsics_vec256 f140 = acc[4U]; + Lib_IntVector_Intrinsics_vec256 a0 = Lib_IntVector_Intrinsics_vec256_mul64(r0, f10); + Lib_IntVector_Intrinsics_vec256 a1 = Lib_IntVector_Intrinsics_vec256_mul64(r1, f10); + Lib_IntVector_Intrinsics_vec256 a2 = Lib_IntVector_Intrinsics_vec256_mul64(r2, f10); + Lib_IntVector_Intrinsics_vec256 a3 = Lib_IntVector_Intrinsics_vec256_mul64(r3, f10); + Lib_IntVector_Intrinsics_vec256 a4 = Lib_IntVector_Intrinsics_vec256_mul64(r4, f10); + Lib_IntVector_Intrinsics_vec256 + a01 = + Lib_IntVector_Intrinsics_vec256_add64(a0, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f110)); + Lib_IntVector_Intrinsics_vec256 + a11 = + Lib_IntVector_Intrinsics_vec256_add64(a1, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f110)); + Lib_IntVector_Intrinsics_vec256 + a21 = + Lib_IntVector_Intrinsics_vec256_add64(a2, + Lib_IntVector_Intrinsics_vec256_mul64(r1, f110)); + Lib_IntVector_Intrinsics_vec256 + a31 = + Lib_IntVector_Intrinsics_vec256_add64(a3, + Lib_IntVector_Intrinsics_vec256_mul64(r2, f110)); + Lib_IntVector_Intrinsics_vec256 + a41 = + Lib_IntVector_Intrinsics_vec256_add64(a4, + Lib_IntVector_Intrinsics_vec256_mul64(r3, f110)); + Lib_IntVector_Intrinsics_vec256 + a02 = + Lib_IntVector_Intrinsics_vec256_add64(a01, + Lib_IntVector_Intrinsics_vec256_mul64(r53, f120)); + Lib_IntVector_Intrinsics_vec256 + a12 = + Lib_IntVector_Intrinsics_vec256_add64(a11, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f120)); 
+ Lib_IntVector_Intrinsics_vec256 + a22 = + Lib_IntVector_Intrinsics_vec256_add64(a21, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f120)); + Lib_IntVector_Intrinsics_vec256 + a32 = + Lib_IntVector_Intrinsics_vec256_add64(a31, + Lib_IntVector_Intrinsics_vec256_mul64(r1, f120)); + Lib_IntVector_Intrinsics_vec256 + a42 = + Lib_IntVector_Intrinsics_vec256_add64(a41, + Lib_IntVector_Intrinsics_vec256_mul64(r2, f120)); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r52, f130)); + Lib_IntVector_Intrinsics_vec256 + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r53, f130)); + Lib_IntVector_Intrinsics_vec256 + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f130)); + Lib_IntVector_Intrinsics_vec256 + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f130)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r1, f130)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r51, f140)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r52, f140)); + Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r53, f140)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r54, f140)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r0, f140)); + Lib_IntVector_Intrinsics_vec256 t01 = a04; + Lib_IntVector_Intrinsics_vec256 t1 = a14; + Lib_IntVector_Intrinsics_vec256 t2 = a24; + Lib_IntVector_Intrinsics_vec256 t3 = a34; + 
Lib_IntVector_Intrinsics_vec256 t4 = a44; + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_and(t01, mask26); + Lib_IntVector_Intrinsics_vec256 x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t1, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + Lib_IntVector_Intrinsics_vec256 x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + Lib_IntVector_Intrinsics_vec256 x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + Lib_IntVector_Intrinsics_vec256 + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 x12 = 
Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + Lib_IntVector_Intrinsics_vec256 x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o01 = x02; + Lib_IntVector_Intrinsics_vec256 o12 = x12; + Lib_IntVector_Intrinsics_vec256 o22 = x21; + Lib_IntVector_Intrinsics_vec256 o32 = x32; + Lib_IntVector_Intrinsics_vec256 o42 = x42; + acc[0U] = o01; + acc[1U] = o12; + acc[2U] = o22; + acc[3U] = o32; + acc[4U] = o42; + Lib_IntVector_Intrinsics_vec256 f100 = acc[0U]; + Lib_IntVector_Intrinsics_vec256 f11 = acc[1U]; + Lib_IntVector_Intrinsics_vec256 f12 = acc[2U]; + Lib_IntVector_Intrinsics_vec256 f13 = acc[3U]; + Lib_IntVector_Intrinsics_vec256 f14 = acc[4U]; + Lib_IntVector_Intrinsics_vec256 f20 = e[0U]; + Lib_IntVector_Intrinsics_vec256 f21 = e[1U]; + Lib_IntVector_Intrinsics_vec256 f22 = e[2U]; + Lib_IntVector_Intrinsics_vec256 f23 = e[3U]; + Lib_IntVector_Intrinsics_vec256 f24 = e[4U]; + Lib_IntVector_Intrinsics_vec256 o0 = Lib_IntVector_Intrinsics_vec256_add64(f100, f20); + Lib_IntVector_Intrinsics_vec256 o1 = Lib_IntVector_Intrinsics_vec256_add64(f11, f21); + Lib_IntVector_Intrinsics_vec256 o2 = Lib_IntVector_Intrinsics_vec256_add64(f12, f22); + Lib_IntVector_Intrinsics_vec256 o3 = Lib_IntVector_Intrinsics_vec256_add64(f13, f23); + Lib_IntVector_Intrinsics_vec256 o4 = Lib_IntVector_Intrinsics_vec256_add64(f14, f24); + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + } + Hacl_Impl_Poly1305_Field32xN_256_fmul_r4_normalize(acc, pre); + } + uint32_t len1 = len - len0; + uint8_t *t1 = text + len0; + uint32_t nb = len1 / (uint32_t)16U; + uint32_t rem = len1 % (uint32_t)16U; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = t1 + i * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec256 e[5U]; + for 
(uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + uint64_t u0 = load64_le(block); + uint64_t lo = u0; + uint64_t u = load64_le(block + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec256 f0 = Lib_IntVector_Intrinsics_vec256_load64(lo); + Lib_IntVector_Intrinsics_vec256 f1 = Lib_IntVector_Intrinsics_vec256_load64(hi); + Lib_IntVector_Intrinsics_vec256 + f010 = + Lib_IntVector_Intrinsics_vec256_and(f0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f110 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f20 = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec256_shift_left64(Lib_IntVector_Intrinsics_vec256_and(f1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec256 + f30 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f40 = Lib_IntVector_Intrinsics_vec256_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 f01 = f010; + Lib_IntVector_Intrinsics_vec256 f111 = f110; + Lib_IntVector_Intrinsics_vec256 f2 = f20; + Lib_IntVector_Intrinsics_vec256 f3 = f30; + Lib_IntVector_Intrinsics_vec256 f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_load64(b); + Lib_IntVector_Intrinsics_vec256 f4 = e[4U]; + e[4U] = Lib_IntVector_Intrinsics_vec256_or(f4, mask); + Lib_IntVector_Intrinsics_vec256 *r = pre; + Lib_IntVector_Intrinsics_vec256 *r5 = pre + 
(uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 r0 = r[0U]; + Lib_IntVector_Intrinsics_vec256 r1 = r[1U]; + Lib_IntVector_Intrinsics_vec256 r2 = r[2U]; + Lib_IntVector_Intrinsics_vec256 r3 = r[3U]; + Lib_IntVector_Intrinsics_vec256 r4 = r[4U]; + Lib_IntVector_Intrinsics_vec256 r51 = r5[1U]; + Lib_IntVector_Intrinsics_vec256 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec256 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec256 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec256 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec256 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec256 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec256 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec256 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec256 a0 = acc[0U]; + Lib_IntVector_Intrinsics_vec256 a1 = acc[1U]; + Lib_IntVector_Intrinsics_vec256 a2 = acc[2U]; + Lib_IntVector_Intrinsics_vec256 a3 = acc[3U]; + Lib_IntVector_Intrinsics_vec256 a4 = acc[4U]; + Lib_IntVector_Intrinsics_vec256 a01 = Lib_IntVector_Intrinsics_vec256_add64(a0, f10); + Lib_IntVector_Intrinsics_vec256 a11 = Lib_IntVector_Intrinsics_vec256_add64(a1, f11); + Lib_IntVector_Intrinsics_vec256 a21 = Lib_IntVector_Intrinsics_vec256_add64(a2, f12); + Lib_IntVector_Intrinsics_vec256 a31 = Lib_IntVector_Intrinsics_vec256_add64(a3, f13); + Lib_IntVector_Intrinsics_vec256 a41 = Lib_IntVector_Intrinsics_vec256_add64(a4, f14); + Lib_IntVector_Intrinsics_vec256 a02 = Lib_IntVector_Intrinsics_vec256_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec256 a12 = Lib_IntVector_Intrinsics_vec256_mul64(r1, a01); + Lib_IntVector_Intrinsics_vec256 a22 = Lib_IntVector_Intrinsics_vec256_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec256 a32 = Lib_IntVector_Intrinsics_vec256_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec256 a42 = Lib_IntVector_Intrinsics_vec256_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec256 + a13 = + 
Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec256 + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a11)); + Lib_IntVector_Intrinsics_vec256 + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a21)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec256 + a05 = + Lib_IntVector_Intrinsics_vec256_add64(a04, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec256 + a15 = + Lib_IntVector_Intrinsics_vec256_add64(a14, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec256 + a25 = + Lib_IntVector_Intrinsics_vec256_add64(a24, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec256 + a35 = + Lib_IntVector_Intrinsics_vec256_add64(a34, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec256 + a45 = + Lib_IntVector_Intrinsics_vec256_add64(a44, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a31)); + Lib_IntVector_Intrinsics_vec256 + a06 = + Lib_IntVector_Intrinsics_vec256_add64(a05, + 
Lib_IntVector_Intrinsics_vec256_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec256 + a16 = + Lib_IntVector_Intrinsics_vec256_add64(a15, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec256 + a26 = + Lib_IntVector_Intrinsics_vec256_add64(a25, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a41)); + Lib_IntVector_Intrinsics_vec256 + a36 = + Lib_IntVector_Intrinsics_vec256_add64(a35, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec256 + a46 = + Lib_IntVector_Intrinsics_vec256_add64(a45, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec256 t01 = a06; + Lib_IntVector_Intrinsics_vec256 t11 = a16; + Lib_IntVector_Intrinsics_vec256 t2 = a26; + Lib_IntVector_Intrinsics_vec256 t3 = a36; + Lib_IntVector_Intrinsics_vec256 t4 = a46; + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_and(t01, mask26); + Lib_IntVector_Intrinsics_vec256 x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t11, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + Lib_IntVector_Intrinsics_vec256 x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + 
Lib_IntVector_Intrinsics_vec256 x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + Lib_IntVector_Intrinsics_vec256 + z02 = Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 x12 = Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + Lib_IntVector_Intrinsics_vec256 x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o0 = x02; + Lib_IntVector_Intrinsics_vec256 o1 = x12; + Lib_IntVector_Intrinsics_vec256 o2 = x21; + Lib_IntVector_Intrinsics_vec256 o3 = x32; + Lib_IntVector_Intrinsics_vec256 o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + } + if (rem > (uint32_t)0U) + { + uint8_t *last = t1 + nb * (uint32_t)16U; + Lib_IntVector_Intrinsics_vec256 e[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + e[_i] = Lib_IntVector_Intrinsics_vec256_zero; + uint8_t tmp[16U] = { 0U }; + memcpy(tmp, last, rem * sizeof (uint8_t)); + uint64_t u0 = load64_le(tmp); + uint64_t lo = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi = u; + Lib_IntVector_Intrinsics_vec256 f0 = Lib_IntVector_Intrinsics_vec256_load64(lo); + Lib_IntVector_Intrinsics_vec256 f1 = Lib_IntVector_Intrinsics_vec256_load64(hi); + 
Lib_IntVector_Intrinsics_vec256 + f010 = + Lib_IntVector_Intrinsics_vec256_and(f0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f110 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)26U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f20 = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_right64(f0, + (uint32_t)52U), + Lib_IntVector_Intrinsics_vec256_shift_left64(Lib_IntVector_Intrinsics_vec256_and(f1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3fffU)), + (uint32_t)12U)); + Lib_IntVector_Intrinsics_vec256 + f30 = + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_shift_right64(f1, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + f40 = Lib_IntVector_Intrinsics_vec256_shift_right64(f1, (uint32_t)40U); + Lib_IntVector_Intrinsics_vec256 f01 = f010; + Lib_IntVector_Intrinsics_vec256 f111 = f110; + Lib_IntVector_Intrinsics_vec256 f2 = f20; + Lib_IntVector_Intrinsics_vec256 f3 = f30; + Lib_IntVector_Intrinsics_vec256 f4 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f4; + uint64_t b = (uint64_t)1U << rem * (uint32_t)8U % (uint32_t)26U; + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_load64(b); + Lib_IntVector_Intrinsics_vec256 fi = e[rem * (uint32_t)8U / (uint32_t)26U]; + e[rem * (uint32_t)8U / (uint32_t)26U] = Lib_IntVector_Intrinsics_vec256_or(fi, mask); + Lib_IntVector_Intrinsics_vec256 *r = pre; + Lib_IntVector_Intrinsics_vec256 *r5 = pre + (uint32_t)5U; + Lib_IntVector_Intrinsics_vec256 r0 = r[0U]; + Lib_IntVector_Intrinsics_vec256 r1 = r[1U]; + Lib_IntVector_Intrinsics_vec256 r2 = r[2U]; + Lib_IntVector_Intrinsics_vec256 r3 = r[3U]; + Lib_IntVector_Intrinsics_vec256 r4 = r[4U]; + Lib_IntVector_Intrinsics_vec256 r51 = r5[1U]; + 
Lib_IntVector_Intrinsics_vec256 r52 = r5[2U]; + Lib_IntVector_Intrinsics_vec256 r53 = r5[3U]; + Lib_IntVector_Intrinsics_vec256 r54 = r5[4U]; + Lib_IntVector_Intrinsics_vec256 f10 = e[0U]; + Lib_IntVector_Intrinsics_vec256 f11 = e[1U]; + Lib_IntVector_Intrinsics_vec256 f12 = e[2U]; + Lib_IntVector_Intrinsics_vec256 f13 = e[3U]; + Lib_IntVector_Intrinsics_vec256 f14 = e[4U]; + Lib_IntVector_Intrinsics_vec256 a0 = acc[0U]; + Lib_IntVector_Intrinsics_vec256 a1 = acc[1U]; + Lib_IntVector_Intrinsics_vec256 a2 = acc[2U]; + Lib_IntVector_Intrinsics_vec256 a3 = acc[3U]; + Lib_IntVector_Intrinsics_vec256 a4 = acc[4U]; + Lib_IntVector_Intrinsics_vec256 a01 = Lib_IntVector_Intrinsics_vec256_add64(a0, f10); + Lib_IntVector_Intrinsics_vec256 a11 = Lib_IntVector_Intrinsics_vec256_add64(a1, f11); + Lib_IntVector_Intrinsics_vec256 a21 = Lib_IntVector_Intrinsics_vec256_add64(a2, f12); + Lib_IntVector_Intrinsics_vec256 a31 = Lib_IntVector_Intrinsics_vec256_add64(a3, f13); + Lib_IntVector_Intrinsics_vec256 a41 = Lib_IntVector_Intrinsics_vec256_add64(a4, f14); + Lib_IntVector_Intrinsics_vec256 a02 = Lib_IntVector_Intrinsics_vec256_mul64(r0, a01); + Lib_IntVector_Intrinsics_vec256 a12 = Lib_IntVector_Intrinsics_vec256_mul64(r1, a01); + Lib_IntVector_Intrinsics_vec256 a22 = Lib_IntVector_Intrinsics_vec256_mul64(r2, a01); + Lib_IntVector_Intrinsics_vec256 a32 = Lib_IntVector_Intrinsics_vec256_mul64(r3, a01); + Lib_IntVector_Intrinsics_vec256 a42 = Lib_IntVector_Intrinsics_vec256_mul64(r4, a01); + Lib_IntVector_Intrinsics_vec256 + a03 = + Lib_IntVector_Intrinsics_vec256_add64(a02, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a11)); + Lib_IntVector_Intrinsics_vec256 + a13 = + Lib_IntVector_Intrinsics_vec256_add64(a12, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a11)); + Lib_IntVector_Intrinsics_vec256 + a23 = + Lib_IntVector_Intrinsics_vec256_add64(a22, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a11)); + Lib_IntVector_Intrinsics_vec256 + a33 = + Lib_IntVector_Intrinsics_vec256_add64(a32, 
+ Lib_IntVector_Intrinsics_vec256_mul64(r2, a11)); + Lib_IntVector_Intrinsics_vec256 + a43 = + Lib_IntVector_Intrinsics_vec256_add64(a42, + Lib_IntVector_Intrinsics_vec256_mul64(r3, a11)); + Lib_IntVector_Intrinsics_vec256 + a04 = + Lib_IntVector_Intrinsics_vec256_add64(a03, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a21)); + Lib_IntVector_Intrinsics_vec256 + a14 = + Lib_IntVector_Intrinsics_vec256_add64(a13, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a21)); + Lib_IntVector_Intrinsics_vec256 + a24 = + Lib_IntVector_Intrinsics_vec256_add64(a23, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a21)); + Lib_IntVector_Intrinsics_vec256 + a34 = + Lib_IntVector_Intrinsics_vec256_add64(a33, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a21)); + Lib_IntVector_Intrinsics_vec256 + a44 = + Lib_IntVector_Intrinsics_vec256_add64(a43, + Lib_IntVector_Intrinsics_vec256_mul64(r2, a21)); + Lib_IntVector_Intrinsics_vec256 + a05 = + Lib_IntVector_Intrinsics_vec256_add64(a04, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a31)); + Lib_IntVector_Intrinsics_vec256 + a15 = + Lib_IntVector_Intrinsics_vec256_add64(a14, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a31)); + Lib_IntVector_Intrinsics_vec256 + a25 = + Lib_IntVector_Intrinsics_vec256_add64(a24, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a31)); + Lib_IntVector_Intrinsics_vec256 + a35 = + Lib_IntVector_Intrinsics_vec256_add64(a34, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a31)); + Lib_IntVector_Intrinsics_vec256 + a45 = + Lib_IntVector_Intrinsics_vec256_add64(a44, + Lib_IntVector_Intrinsics_vec256_mul64(r1, a31)); + Lib_IntVector_Intrinsics_vec256 + a06 = + Lib_IntVector_Intrinsics_vec256_add64(a05, + Lib_IntVector_Intrinsics_vec256_mul64(r51, a41)); + Lib_IntVector_Intrinsics_vec256 + a16 = + Lib_IntVector_Intrinsics_vec256_add64(a15, + Lib_IntVector_Intrinsics_vec256_mul64(r52, a41)); + Lib_IntVector_Intrinsics_vec256 + a26 = + Lib_IntVector_Intrinsics_vec256_add64(a25, + Lib_IntVector_Intrinsics_vec256_mul64(r53, a41)); + 
Lib_IntVector_Intrinsics_vec256 + a36 = + Lib_IntVector_Intrinsics_vec256_add64(a35, + Lib_IntVector_Intrinsics_vec256_mul64(r54, a41)); + Lib_IntVector_Intrinsics_vec256 + a46 = + Lib_IntVector_Intrinsics_vec256_add64(a45, + Lib_IntVector_Intrinsics_vec256_mul64(r0, a41)); + Lib_IntVector_Intrinsics_vec256 t01 = a06; + Lib_IntVector_Intrinsics_vec256 t11 = a16; + Lib_IntVector_Intrinsics_vec256 t2 = a26; + Lib_IntVector_Intrinsics_vec256 t3 = a36; + Lib_IntVector_Intrinsics_vec256 t4 = a46; + Lib_IntVector_Intrinsics_vec256 + mask26 = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + z0 = Lib_IntVector_Intrinsics_vec256_shift_right64(t01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z1 = Lib_IntVector_Intrinsics_vec256_shift_right64(t3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_and(t01, mask26); + Lib_IntVector_Intrinsics_vec256 x3 = Lib_IntVector_Intrinsics_vec256_and(t3, mask26); + Lib_IntVector_Intrinsics_vec256 x1 = Lib_IntVector_Intrinsics_vec256_add64(t11, z0); + Lib_IntVector_Intrinsics_vec256 x4 = Lib_IntVector_Intrinsics_vec256_add64(t4, z1); + Lib_IntVector_Intrinsics_vec256 + z01 = Lib_IntVector_Intrinsics_vec256_shift_right64(x1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z11 = Lib_IntVector_Intrinsics_vec256_shift_right64(x4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + t = Lib_IntVector_Intrinsics_vec256_shift_left64(z11, (uint32_t)2U); + Lib_IntVector_Intrinsics_vec256 z12 = Lib_IntVector_Intrinsics_vec256_add64(z11, t); + Lib_IntVector_Intrinsics_vec256 x11 = Lib_IntVector_Intrinsics_vec256_and(x1, mask26); + Lib_IntVector_Intrinsics_vec256 x41 = Lib_IntVector_Intrinsics_vec256_and(x4, mask26); + Lib_IntVector_Intrinsics_vec256 x2 = Lib_IntVector_Intrinsics_vec256_add64(t2, z01); + Lib_IntVector_Intrinsics_vec256 x01 = Lib_IntVector_Intrinsics_vec256_add64(x0, z12); + Lib_IntVector_Intrinsics_vec256 + z02 = 
Lib_IntVector_Intrinsics_vec256_shift_right64(x2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + z13 = Lib_IntVector_Intrinsics_vec256_shift_right64(x01, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x21 = Lib_IntVector_Intrinsics_vec256_and(x2, mask26); + Lib_IntVector_Intrinsics_vec256 x02 = Lib_IntVector_Intrinsics_vec256_and(x01, mask26); + Lib_IntVector_Intrinsics_vec256 x31 = Lib_IntVector_Intrinsics_vec256_add64(x3, z02); + Lib_IntVector_Intrinsics_vec256 x12 = Lib_IntVector_Intrinsics_vec256_add64(x11, z13); + Lib_IntVector_Intrinsics_vec256 + z03 = Lib_IntVector_Intrinsics_vec256_shift_right64(x31, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 x32 = Lib_IntVector_Intrinsics_vec256_and(x31, mask26); + Lib_IntVector_Intrinsics_vec256 x42 = Lib_IntVector_Intrinsics_vec256_add64(x41, z03); + Lib_IntVector_Intrinsics_vec256 o0 = x02; + Lib_IntVector_Intrinsics_vec256 o1 = x12; + Lib_IntVector_Intrinsics_vec256 o2 = x21; + Lib_IntVector_Intrinsics_vec256 o3 = x32; + Lib_IntVector_Intrinsics_vec256 o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + return; + } +} + +void +Hacl_Poly1305_256_poly1305_finish( + uint8_t *tag, + uint8_t *key, + Lib_IntVector_Intrinsics_vec256 *ctx +) +{ + Lib_IntVector_Intrinsics_vec256 *acc = ctx; + uint8_t *ks = key + (uint32_t)16U; + Lib_IntVector_Intrinsics_vec256 f0 = acc[0U]; + Lib_IntVector_Intrinsics_vec256 f13 = acc[1U]; + Lib_IntVector_Intrinsics_vec256 f23 = acc[2U]; + Lib_IntVector_Intrinsics_vec256 f33 = acc[3U]; + Lib_IntVector_Intrinsics_vec256 f40 = acc[4U]; + Lib_IntVector_Intrinsics_vec256 + l0 = Lib_IntVector_Intrinsics_vec256_add64(f0, Lib_IntVector_Intrinsics_vec256_zero); + Lib_IntVector_Intrinsics_vec256 + tmp00 = + Lib_IntVector_Intrinsics_vec256_and(l0, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c00 = Lib_IntVector_Intrinsics_vec256_shift_right64(l0, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 
l1 = Lib_IntVector_Intrinsics_vec256_add64(f13, c00); + Lib_IntVector_Intrinsics_vec256 + tmp10 = + Lib_IntVector_Intrinsics_vec256_and(l1, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c10 = Lib_IntVector_Intrinsics_vec256_shift_right64(l1, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l2 = Lib_IntVector_Intrinsics_vec256_add64(f23, c10); + Lib_IntVector_Intrinsics_vec256 + tmp20 = + Lib_IntVector_Intrinsics_vec256_and(l2, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c20 = Lib_IntVector_Intrinsics_vec256_shift_right64(l2, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l3 = Lib_IntVector_Intrinsics_vec256_add64(f33, c20); + Lib_IntVector_Intrinsics_vec256 + tmp30 = + Lib_IntVector_Intrinsics_vec256_and(l3, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c30 = Lib_IntVector_Intrinsics_vec256_shift_right64(l3, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l4 = Lib_IntVector_Intrinsics_vec256_add64(f40, c30); + Lib_IntVector_Intrinsics_vec256 + tmp40 = + Lib_IntVector_Intrinsics_vec256_and(l4, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c40 = Lib_IntVector_Intrinsics_vec256_shift_right64(l4, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + f010 = + Lib_IntVector_Intrinsics_vec256_add64(tmp00, + Lib_IntVector_Intrinsics_vec256_smul64(c40, (uint64_t)5U)); + Lib_IntVector_Intrinsics_vec256 f110 = tmp10; + Lib_IntVector_Intrinsics_vec256 f210 = tmp20; + Lib_IntVector_Intrinsics_vec256 f310 = tmp30; + Lib_IntVector_Intrinsics_vec256 f410 = tmp40; + Lib_IntVector_Intrinsics_vec256 + l = Lib_IntVector_Intrinsics_vec256_add64(f010, Lib_IntVector_Intrinsics_vec256_zero); + Lib_IntVector_Intrinsics_vec256 + tmp0 = + Lib_IntVector_Intrinsics_vec256_and(l, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + 
Lib_IntVector_Intrinsics_vec256 + c0 = Lib_IntVector_Intrinsics_vec256_shift_right64(l, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l5 = Lib_IntVector_Intrinsics_vec256_add64(f110, c0); + Lib_IntVector_Intrinsics_vec256 + tmp1 = + Lib_IntVector_Intrinsics_vec256_and(l5, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c1 = Lib_IntVector_Intrinsics_vec256_shift_right64(l5, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l6 = Lib_IntVector_Intrinsics_vec256_add64(f210, c1); + Lib_IntVector_Intrinsics_vec256 + tmp2 = + Lib_IntVector_Intrinsics_vec256_and(l6, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c2 = Lib_IntVector_Intrinsics_vec256_shift_right64(l6, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l7 = Lib_IntVector_Intrinsics_vec256_add64(f310, c2); + Lib_IntVector_Intrinsics_vec256 + tmp3 = + Lib_IntVector_Intrinsics_vec256_and(l7, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c3 = Lib_IntVector_Intrinsics_vec256_shift_right64(l7, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 l8 = Lib_IntVector_Intrinsics_vec256_add64(f410, c3); + Lib_IntVector_Intrinsics_vec256 + tmp4 = + Lib_IntVector_Intrinsics_vec256_and(l8, + Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU)); + Lib_IntVector_Intrinsics_vec256 + c4 = Lib_IntVector_Intrinsics_vec256_shift_right64(l8, (uint32_t)26U); + Lib_IntVector_Intrinsics_vec256 + f02 = + Lib_IntVector_Intrinsics_vec256_add64(tmp0, + Lib_IntVector_Intrinsics_vec256_smul64(c4, (uint64_t)5U)); + Lib_IntVector_Intrinsics_vec256 f12 = tmp1; + Lib_IntVector_Intrinsics_vec256 f22 = tmp2; + Lib_IntVector_Intrinsics_vec256 f32 = tmp3; + Lib_IntVector_Intrinsics_vec256 f42 = tmp4; + Lib_IntVector_Intrinsics_vec256 + mh = Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3ffffffU); + Lib_IntVector_Intrinsics_vec256 + ml = 
Lib_IntVector_Intrinsics_vec256_load64((uint64_t)0x3fffffbU); + Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_eq64(f42, mh); + Lib_IntVector_Intrinsics_vec256 + mask1 = + Lib_IntVector_Intrinsics_vec256_and(mask, + Lib_IntVector_Intrinsics_vec256_eq64(f32, mh)); + Lib_IntVector_Intrinsics_vec256 + mask2 = + Lib_IntVector_Intrinsics_vec256_and(mask1, + Lib_IntVector_Intrinsics_vec256_eq64(f22, mh)); + Lib_IntVector_Intrinsics_vec256 + mask3 = + Lib_IntVector_Intrinsics_vec256_and(mask2, + Lib_IntVector_Intrinsics_vec256_eq64(f12, mh)); + Lib_IntVector_Intrinsics_vec256 + mask4 = + Lib_IntVector_Intrinsics_vec256_and(mask3, + Lib_IntVector_Intrinsics_vec256_lognot(Lib_IntVector_Intrinsics_vec256_gt64(ml, f02))); + Lib_IntVector_Intrinsics_vec256 ph = Lib_IntVector_Intrinsics_vec256_and(mask4, mh); + Lib_IntVector_Intrinsics_vec256 pl = Lib_IntVector_Intrinsics_vec256_and(mask4, ml); + Lib_IntVector_Intrinsics_vec256 o0 = Lib_IntVector_Intrinsics_vec256_sub64(f02, pl); + Lib_IntVector_Intrinsics_vec256 o1 = Lib_IntVector_Intrinsics_vec256_sub64(f12, ph); + Lib_IntVector_Intrinsics_vec256 o2 = Lib_IntVector_Intrinsics_vec256_sub64(f22, ph); + Lib_IntVector_Intrinsics_vec256 o3 = Lib_IntVector_Intrinsics_vec256_sub64(f32, ph); + Lib_IntVector_Intrinsics_vec256 o4 = Lib_IntVector_Intrinsics_vec256_sub64(f42, ph); + Lib_IntVector_Intrinsics_vec256 f011 = o0; + Lib_IntVector_Intrinsics_vec256 f111 = o1; + Lib_IntVector_Intrinsics_vec256 f211 = o2; + Lib_IntVector_Intrinsics_vec256 f311 = o3; + Lib_IntVector_Intrinsics_vec256 f411 = o4; + acc[0U] = f011; + acc[1U] = f111; + acc[2U] = f211; + acc[3U] = f311; + acc[4U] = f411; + Lib_IntVector_Intrinsics_vec256 f00 = acc[0U]; + Lib_IntVector_Intrinsics_vec256 f1 = acc[1U]; + Lib_IntVector_Intrinsics_vec256 f2 = acc[2U]; + Lib_IntVector_Intrinsics_vec256 f3 = acc[3U]; + Lib_IntVector_Intrinsics_vec256 f4 = acc[4U]; + uint64_t f01 = Lib_IntVector_Intrinsics_vec256_extract64(f00, (uint32_t)0U); + uint64_t 
f112 = Lib_IntVector_Intrinsics_vec256_extract64(f1, (uint32_t)0U); + uint64_t f212 = Lib_IntVector_Intrinsics_vec256_extract64(f2, (uint32_t)0U); + uint64_t f312 = Lib_IntVector_Intrinsics_vec256_extract64(f3, (uint32_t)0U); + uint64_t f41 = Lib_IntVector_Intrinsics_vec256_extract64(f4, (uint32_t)0U); + uint64_t lo = (f01 | f112 << (uint32_t)26U) | f212 << (uint32_t)52U; + uint64_t hi = (f212 >> (uint32_t)12U | f312 << (uint32_t)14U) | f41 << (uint32_t)40U; + uint64_t f10 = lo; + uint64_t f11 = hi; + uint64_t u0 = load64_le(ks); + uint64_t lo0 = u0; + uint64_t u = load64_le(ks + (uint32_t)8U); + uint64_t hi0 = u; + uint64_t f20 = lo0; + uint64_t f21 = hi0; + uint64_t r0 = f10 + f20; + uint64_t r1 = f11 + f21; + uint64_t c = (r0 ^ ((r0 ^ f20) | ((r0 - f20) ^ f20))) >> (uint32_t)63U; + uint64_t r11 = r1 + c; + uint64_t f30 = r0; + uint64_t f31 = r11; + store64_le(tag, f30); + store64_le(tag + (uint32_t)8U, f31); +} + +void Hacl_Poly1305_256_poly1305_mac(uint8_t *tag, uint32_t len, uint8_t *text, uint8_t *key) +{ + Lib_IntVector_Intrinsics_vec256 ctx[25U]; + for (uint32_t _i = 0U; _i < (uint32_t)25U; ++_i) + ctx[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Hacl_Poly1305_256_poly1305_init(ctx, key); + Hacl_Poly1305_256_poly1305_update(ctx, len, text); + Hacl_Poly1305_256_poly1305_finish(tag, key, ctx); +} + diff --git a/src/msvc/Hacl_Poly1305_32.c b/src/msvc/Hacl_Poly1305_32.c new file mode 100644 index 00000000..7223c365 --- /dev/null +++ b/src/msvc/Hacl_Poly1305_32.c 
@@ -0,0 +1,575 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Poly1305_32.h" + +#include "internal/Hacl_Kremlib.h" + +uint32_t Hacl_Poly1305_32_blocklen = (uint32_t)16U; + +void Hacl_Poly1305_32_poly1305_init(uint64_t *ctx, uint8_t *key) +{ + uint64_t *acc = ctx; + uint64_t *pre = ctx + (uint32_t)5U; + uint8_t *kr = key; + acc[0U] = (uint64_t)0U; + acc[1U] = (uint64_t)0U; + acc[2U] = (uint64_t)0U; + acc[3U] = (uint64_t)0U; + acc[4U] = (uint64_t)0U; + uint64_t u0 = load64_le(kr); + uint64_t lo = u0; + uint64_t u = load64_le(kr + (uint32_t)8U); + uint64_t hi = u; + uint64_t mask0 = (uint64_t)0x0ffffffc0fffffffU; + uint64_t mask1 = (uint64_t)0x0ffffffc0ffffffcU; + uint64_t lo1 = lo & mask0; + uint64_t hi1 = hi & mask1; + uint64_t *r = pre; + uint64_t *r5 = pre + (uint32_t)5U; + uint64_t *rn = pre + (uint32_t)10U; + uint64_t *rn_5 = pre + (uint32_t)15U; + uint64_t r_vec0 = lo1; + uint64_t r_vec1 = hi1; + uint64_t f00 = r_vec0 & (uint64_t)0x3ffffffU; + uint64_t f10 = r_vec0 >> (uint32_t)26U & (uint64_t)0x3ffffffU; + uint64_t f20 = r_vec0 >> (uint32_t)52U | (r_vec1 & (uint64_t)0x3fffU) << (uint32_t)12U; + uint64_t f30 = r_vec1 >> (uint32_t)14U & (uint64_t)0x3ffffffU; + uint64_t f40 = r_vec1 >> (uint32_t)40U; + uint64_t f0 = f00; + uint64_t f1 = f10; + uint64_t f2 = f20; + uint64_t f3 = f30; + uint64_t f4 = f40; + r[0U] = f0; + r[1U] = f1; + r[2U] = f2; + r[3U] = f3; + r[4U] = f4; + uint64_t f200 = r[0U]; + uint64_t f21 = r[1U]; + uint64_t f22 = r[2U]; + uint64_t f23 = r[3U]; + uint64_t f24 = r[4U]; + r5[0U] = f200 * (uint64_t)5U; + r5[1U] = f21 * (uint64_t)5U; + r5[2U] = f22 * (uint64_t)5U; + r5[3U] = f23 * (uint64_t)5U; + r5[4U] = f24 * (uint64_t)5U; + rn[0U] = r[0U]; + rn[1U] = r[1U]; + rn[2U] = r[2U]; + rn[3U] = r[3U]; + rn[4U] = r[4U]; + rn_5[0U] = r5[0U]; + rn_5[1U] = r5[1U]; + rn_5[2U] = r5[2U]; + rn_5[3U] = r5[3U]; + rn_5[4U] = r5[4U]; +} + +void Hacl_Poly1305_32_poly1305_update1(uint64_t *ctx, uint8_t *text) +{ + uint64_t *pre = ctx + (uint32_t)5U; + uint64_t *acc = ctx; + uint64_t e[5U] = { 0U }; + 
uint64_t u0 = load64_le(text); + uint64_t lo = u0; + uint64_t u = load64_le(text + (uint32_t)8U); + uint64_t hi = u; + uint64_t f0 = lo; + uint64_t f1 = hi; + uint64_t f010 = f0 & (uint64_t)0x3ffffffU; + uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU; + uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U; + uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU; + uint64_t f40 = f1 >> (uint32_t)40U; + uint64_t f01 = f010; + uint64_t f111 = f110; + uint64_t f2 = f20; + uint64_t f3 = f30; + uint64_t f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + uint64_t mask = b; + uint64_t f4 = e[4U]; + e[4U] = f4 | mask; + uint64_t *r = pre; + uint64_t *r5 = pre + (uint32_t)5U; + uint64_t r0 = r[0U]; + uint64_t r1 = r[1U]; + uint64_t r2 = r[2U]; + uint64_t r3 = r[3U]; + uint64_t r4 = r[4U]; + uint64_t r51 = r5[1U]; + uint64_t r52 = r5[2U]; + uint64_t r53 = r5[3U]; + uint64_t r54 = r5[4U]; + uint64_t f10 = e[0U]; + uint64_t f11 = e[1U]; + uint64_t f12 = e[2U]; + uint64_t f13 = e[3U]; + uint64_t f14 = e[4U]; + uint64_t a0 = acc[0U]; + uint64_t a1 = acc[1U]; + uint64_t a2 = acc[2U]; + uint64_t a3 = acc[3U]; + uint64_t a4 = acc[4U]; + uint64_t a01 = a0 + f10; + uint64_t a11 = a1 + f11; + uint64_t a21 = a2 + f12; + uint64_t a31 = a3 + f13; + uint64_t a41 = a4 + f14; + uint64_t a02 = r0 * a01; + uint64_t a12 = r1 * a01; + uint64_t a22 = r2 * a01; + uint64_t a32 = r3 * a01; + uint64_t a42 = r4 * a01; + uint64_t a03 = a02 + r54 * a11; + uint64_t a13 = a12 + r0 * a11; + uint64_t a23 = a22 + r1 * a11; + uint64_t a33 = a32 + r2 * a11; + uint64_t a43 = a42 + r3 * a11; + uint64_t a04 = a03 + r53 * a21; + uint64_t a14 = a13 + r54 * a21; + uint64_t a24 = a23 + r0 * a21; + uint64_t a34 = a33 + r1 * a21; + uint64_t a44 = a43 + r2 * a21; + uint64_t a05 = a04 + r52 * a31; + uint64_t a15 = a14 + r53 * a31; + uint64_t a25 = a24 + r54 * a31; + uint64_t a35 = a34 + r0 * a31; + uint64_t 
a45 = a44 + r1 * a31; + uint64_t a06 = a05 + r51 * a41; + uint64_t a16 = a15 + r52 * a41; + uint64_t a26 = a25 + r53 * a41; + uint64_t a36 = a35 + r54 * a41; + uint64_t a46 = a45 + r0 * a41; + uint64_t t0 = a06; + uint64_t t1 = a16; + uint64_t t2 = a26; + uint64_t t3 = a36; + uint64_t t4 = a46; + uint64_t mask26 = (uint64_t)0x3ffffffU; + uint64_t z0 = t0 >> (uint32_t)26U; + uint64_t z1 = t3 >> (uint32_t)26U; + uint64_t x0 = t0 & mask26; + uint64_t x3 = t3 & mask26; + uint64_t x1 = t1 + z0; + uint64_t x4 = t4 + z1; + uint64_t z01 = x1 >> (uint32_t)26U; + uint64_t z11 = x4 >> (uint32_t)26U; + uint64_t t = z11 << (uint32_t)2U; + uint64_t z12 = z11 + t; + uint64_t x11 = x1 & mask26; + uint64_t x41 = x4 & mask26; + uint64_t x2 = t2 + z01; + uint64_t x01 = x0 + z12; + uint64_t z02 = x2 >> (uint32_t)26U; + uint64_t z13 = x01 >> (uint32_t)26U; + uint64_t x21 = x2 & mask26; + uint64_t x02 = x01 & mask26; + uint64_t x31 = x3 + z02; + uint64_t x12 = x11 + z13; + uint64_t z03 = x31 >> (uint32_t)26U; + uint64_t x32 = x31 & mask26; + uint64_t x42 = x41 + z03; + uint64_t o0 = x02; + uint64_t o1 = x12; + uint64_t o2 = x21; + uint64_t o3 = x32; + uint64_t o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; +} + +void Hacl_Poly1305_32_poly1305_update(uint64_t *ctx, uint32_t len, uint8_t *text) +{ + uint64_t *pre = ctx + (uint32_t)5U; + uint64_t *acc = ctx; + uint32_t nb = len / (uint32_t)16U; + uint32_t rem = len % (uint32_t)16U; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = text + i * (uint32_t)16U; + uint64_t e[5U] = { 0U }; + uint64_t u0 = load64_le(block); + uint64_t lo = u0; + uint64_t u = load64_le(block + (uint32_t)8U); + uint64_t hi = u; + uint64_t f0 = lo; + uint64_t f1 = hi; + uint64_t f010 = f0 & (uint64_t)0x3ffffffU; + uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU; + uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U; + uint64_t f30 = f1 >> (uint32_t)14U & 
(uint64_t)0x3ffffffU; + uint64_t f40 = f1 >> (uint32_t)40U; + uint64_t f01 = f010; + uint64_t f111 = f110; + uint64_t f2 = f20; + uint64_t f3 = f30; + uint64_t f41 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f41; + uint64_t b = (uint64_t)0x1000000U; + uint64_t mask = b; + uint64_t f4 = e[4U]; + e[4U] = f4 | mask; + uint64_t *r = pre; + uint64_t *r5 = pre + (uint32_t)5U; + uint64_t r0 = r[0U]; + uint64_t r1 = r[1U]; + uint64_t r2 = r[2U]; + uint64_t r3 = r[3U]; + uint64_t r4 = r[4U]; + uint64_t r51 = r5[1U]; + uint64_t r52 = r5[2U]; + uint64_t r53 = r5[3U]; + uint64_t r54 = r5[4U]; + uint64_t f10 = e[0U]; + uint64_t f11 = e[1U]; + uint64_t f12 = e[2U]; + uint64_t f13 = e[3U]; + uint64_t f14 = e[4U]; + uint64_t a0 = acc[0U]; + uint64_t a1 = acc[1U]; + uint64_t a2 = acc[2U]; + uint64_t a3 = acc[3U]; + uint64_t a4 = acc[4U]; + uint64_t a01 = a0 + f10; + uint64_t a11 = a1 + f11; + uint64_t a21 = a2 + f12; + uint64_t a31 = a3 + f13; + uint64_t a41 = a4 + f14; + uint64_t a02 = r0 * a01; + uint64_t a12 = r1 * a01; + uint64_t a22 = r2 * a01; + uint64_t a32 = r3 * a01; + uint64_t a42 = r4 * a01; + uint64_t a03 = a02 + r54 * a11; + uint64_t a13 = a12 + r0 * a11; + uint64_t a23 = a22 + r1 * a11; + uint64_t a33 = a32 + r2 * a11; + uint64_t a43 = a42 + r3 * a11; + uint64_t a04 = a03 + r53 * a21; + uint64_t a14 = a13 + r54 * a21; + uint64_t a24 = a23 + r0 * a21; + uint64_t a34 = a33 + r1 * a21; + uint64_t a44 = a43 + r2 * a21; + uint64_t a05 = a04 + r52 * a31; + uint64_t a15 = a14 + r53 * a31; + uint64_t a25 = a24 + r54 * a31; + uint64_t a35 = a34 + r0 * a31; + uint64_t a45 = a44 + r1 * a31; + uint64_t a06 = a05 + r51 * a41; + uint64_t a16 = a15 + r52 * a41; + uint64_t a26 = a25 + r53 * a41; + uint64_t a36 = a35 + r54 * a41; + uint64_t a46 = a45 + r0 * a41; + uint64_t t0 = a06; + uint64_t t1 = a16; + uint64_t t2 = a26; + uint64_t t3 = a36; + uint64_t t4 = a46; + uint64_t mask26 = (uint64_t)0x3ffffffU; + uint64_t z0 = t0 >> (uint32_t)26U; + uint64_t 
z1 = t3 >> (uint32_t)26U; + uint64_t x0 = t0 & mask26; + uint64_t x3 = t3 & mask26; + uint64_t x1 = t1 + z0; + uint64_t x4 = t4 + z1; + uint64_t z01 = x1 >> (uint32_t)26U; + uint64_t z11 = x4 >> (uint32_t)26U; + uint64_t t = z11 << (uint32_t)2U; + uint64_t z12 = z11 + t; + uint64_t x11 = x1 & mask26; + uint64_t x41 = x4 & mask26; + uint64_t x2 = t2 + z01; + uint64_t x01 = x0 + z12; + uint64_t z02 = x2 >> (uint32_t)26U; + uint64_t z13 = x01 >> (uint32_t)26U; + uint64_t x21 = x2 & mask26; + uint64_t x02 = x01 & mask26; + uint64_t x31 = x3 + z02; + uint64_t x12 = x11 + z13; + uint64_t z03 = x31 >> (uint32_t)26U; + uint64_t x32 = x31 & mask26; + uint64_t x42 = x41 + z03; + uint64_t o0 = x02; + uint64_t o1 = x12; + uint64_t o2 = x21; + uint64_t o3 = x32; + uint64_t o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + } + if (rem > (uint32_t)0U) + { + uint8_t *last = text + nb * (uint32_t)16U; + uint64_t e[5U] = { 0U }; + uint8_t tmp[16U] = { 0U }; + memcpy(tmp, last, rem * sizeof (uint8_t)); + uint64_t u0 = load64_le(tmp); + uint64_t lo = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi = u; + uint64_t f0 = lo; + uint64_t f1 = hi; + uint64_t f010 = f0 & (uint64_t)0x3ffffffU; + uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU; + uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U; + uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU; + uint64_t f40 = f1 >> (uint32_t)40U; + uint64_t f01 = f010; + uint64_t f111 = f110; + uint64_t f2 = f20; + uint64_t f3 = f30; + uint64_t f4 = f40; + e[0U] = f01; + e[1U] = f111; + e[2U] = f2; + e[3U] = f3; + e[4U] = f4; + uint64_t b = (uint64_t)1U << rem * (uint32_t)8U % (uint32_t)26U; + uint64_t mask = b; + uint64_t fi = e[rem * (uint32_t)8U / (uint32_t)26U]; + e[rem * (uint32_t)8U / (uint32_t)26U] = fi | mask; + uint64_t *r = pre; + uint64_t *r5 = pre + (uint32_t)5U; + uint64_t r0 = r[0U]; + uint64_t r1 = r[1U]; + uint64_t r2 = r[2U]; + 
uint64_t r3 = r[3U]; + uint64_t r4 = r[4U]; + uint64_t r51 = r5[1U]; + uint64_t r52 = r5[2U]; + uint64_t r53 = r5[3U]; + uint64_t r54 = r5[4U]; + uint64_t f10 = e[0U]; + uint64_t f11 = e[1U]; + uint64_t f12 = e[2U]; + uint64_t f13 = e[3U]; + uint64_t f14 = e[4U]; + uint64_t a0 = acc[0U]; + uint64_t a1 = acc[1U]; + uint64_t a2 = acc[2U]; + uint64_t a3 = acc[3U]; + uint64_t a4 = acc[4U]; + uint64_t a01 = a0 + f10; + uint64_t a11 = a1 + f11; + uint64_t a21 = a2 + f12; + uint64_t a31 = a3 + f13; + uint64_t a41 = a4 + f14; + uint64_t a02 = r0 * a01; + uint64_t a12 = r1 * a01; + uint64_t a22 = r2 * a01; + uint64_t a32 = r3 * a01; + uint64_t a42 = r4 * a01; + uint64_t a03 = a02 + r54 * a11; + uint64_t a13 = a12 + r0 * a11; + uint64_t a23 = a22 + r1 * a11; + uint64_t a33 = a32 + r2 * a11; + uint64_t a43 = a42 + r3 * a11; + uint64_t a04 = a03 + r53 * a21; + uint64_t a14 = a13 + r54 * a21; + uint64_t a24 = a23 + r0 * a21; + uint64_t a34 = a33 + r1 * a21; + uint64_t a44 = a43 + r2 * a21; + uint64_t a05 = a04 + r52 * a31; + uint64_t a15 = a14 + r53 * a31; + uint64_t a25 = a24 + r54 * a31; + uint64_t a35 = a34 + r0 * a31; + uint64_t a45 = a44 + r1 * a31; + uint64_t a06 = a05 + r51 * a41; + uint64_t a16 = a15 + r52 * a41; + uint64_t a26 = a25 + r53 * a41; + uint64_t a36 = a35 + r54 * a41; + uint64_t a46 = a45 + r0 * a41; + uint64_t t0 = a06; + uint64_t t1 = a16; + uint64_t t2 = a26; + uint64_t t3 = a36; + uint64_t t4 = a46; + uint64_t mask26 = (uint64_t)0x3ffffffU; + uint64_t z0 = t0 >> (uint32_t)26U; + uint64_t z1 = t3 >> (uint32_t)26U; + uint64_t x0 = t0 & mask26; + uint64_t x3 = t3 & mask26; + uint64_t x1 = t1 + z0; + uint64_t x4 = t4 + z1; + uint64_t z01 = x1 >> (uint32_t)26U; + uint64_t z11 = x4 >> (uint32_t)26U; + uint64_t t = z11 << (uint32_t)2U; + uint64_t z12 = z11 + t; + uint64_t x11 = x1 & mask26; + uint64_t x41 = x4 & mask26; + uint64_t x2 = t2 + z01; + uint64_t x01 = x0 + z12; + uint64_t z02 = x2 >> (uint32_t)26U; + uint64_t z13 = x01 >> (uint32_t)26U; + uint64_t 
x21 = x2 & mask26; + uint64_t x02 = x01 & mask26; + uint64_t x31 = x3 + z02; + uint64_t x12 = x11 + z13; + uint64_t z03 = x31 >> (uint32_t)26U; + uint64_t x32 = x31 & mask26; + uint64_t x42 = x41 + z03; + uint64_t o0 = x02; + uint64_t o1 = x12; + uint64_t o2 = x21; + uint64_t o3 = x32; + uint64_t o4 = x42; + acc[0U] = o0; + acc[1U] = o1; + acc[2U] = o2; + acc[3U] = o3; + acc[4U] = o4; + return; + } +} + +void Hacl_Poly1305_32_poly1305_finish(uint8_t *tag, uint8_t *key, uint64_t *ctx) +{ + uint64_t *acc = ctx; + uint8_t *ks = key + (uint32_t)16U; + uint64_t f0 = acc[0U]; + uint64_t f13 = acc[1U]; + uint64_t f23 = acc[2U]; + uint64_t f33 = acc[3U]; + uint64_t f40 = acc[4U]; + uint64_t l0 = f0 + (uint64_t)0U; + uint64_t tmp00 = l0 & (uint64_t)0x3ffffffU; + uint64_t c00 = l0 >> (uint32_t)26U; + uint64_t l1 = f13 + c00; + uint64_t tmp10 = l1 & (uint64_t)0x3ffffffU; + uint64_t c10 = l1 >> (uint32_t)26U; + uint64_t l2 = f23 + c10; + uint64_t tmp20 = l2 & (uint64_t)0x3ffffffU; + uint64_t c20 = l2 >> (uint32_t)26U; + uint64_t l3 = f33 + c20; + uint64_t tmp30 = l3 & (uint64_t)0x3ffffffU; + uint64_t c30 = l3 >> (uint32_t)26U; + uint64_t l4 = f40 + c30; + uint64_t tmp40 = l4 & (uint64_t)0x3ffffffU; + uint64_t c40 = l4 >> (uint32_t)26U; + uint64_t f010 = tmp00 + c40 * (uint64_t)5U; + uint64_t f110 = tmp10; + uint64_t f210 = tmp20; + uint64_t f310 = tmp30; + uint64_t f410 = tmp40; + uint64_t l = f010 + (uint64_t)0U; + uint64_t tmp0 = l & (uint64_t)0x3ffffffU; + uint64_t c0 = l >> (uint32_t)26U; + uint64_t l5 = f110 + c0; + uint64_t tmp1 = l5 & (uint64_t)0x3ffffffU; + uint64_t c1 = l5 >> (uint32_t)26U; + uint64_t l6 = f210 + c1; + uint64_t tmp2 = l6 & (uint64_t)0x3ffffffU; + uint64_t c2 = l6 >> (uint32_t)26U; + uint64_t l7 = f310 + c2; + uint64_t tmp3 = l7 & (uint64_t)0x3ffffffU; + uint64_t c3 = l7 >> (uint32_t)26U; + uint64_t l8 = f410 + c3; + uint64_t tmp4 = l8 & (uint64_t)0x3ffffffU; + uint64_t c4 = l8 >> (uint32_t)26U; + uint64_t f02 = tmp0 + c4 * (uint64_t)5U; + uint64_t f12 
= tmp1; + uint64_t f22 = tmp2; + uint64_t f32 = tmp3; + uint64_t f42 = tmp4; + uint64_t mh = (uint64_t)0x3ffffffU; + uint64_t ml = (uint64_t)0x3fffffbU; + uint64_t mask = FStar_UInt64_eq_mask(f42, mh); + uint64_t mask1 = mask & FStar_UInt64_eq_mask(f32, mh); + uint64_t mask2 = mask1 & FStar_UInt64_eq_mask(f22, mh); + uint64_t mask3 = mask2 & FStar_UInt64_eq_mask(f12, mh); + uint64_t mask4 = mask3 & ~~FStar_UInt64_gte_mask(f02, ml); + uint64_t ph = mask4 & mh; + uint64_t pl = mask4 & ml; + uint64_t o0 = f02 - pl; + uint64_t o1 = f12 - ph; + uint64_t o2 = f22 - ph; + uint64_t o3 = f32 - ph; + uint64_t o4 = f42 - ph; + uint64_t f011 = o0; + uint64_t f111 = o1; + uint64_t f211 = o2; + uint64_t f311 = o3; + uint64_t f411 = o4; + acc[0U] = f011; + acc[1U] = f111; + acc[2U] = f211; + acc[3U] = f311; + acc[4U] = f411; + uint64_t f00 = acc[0U]; + uint64_t f1 = acc[1U]; + uint64_t f2 = acc[2U]; + uint64_t f3 = acc[3U]; + uint64_t f4 = acc[4U]; + uint64_t f01 = f00; + uint64_t f112 = f1; + uint64_t f212 = f2; + uint64_t f312 = f3; + uint64_t f41 = f4; + uint64_t lo = (f01 | f112 << (uint32_t)26U) | f212 << (uint32_t)52U; + uint64_t hi = (f212 >> (uint32_t)12U | f312 << (uint32_t)14U) | f41 << (uint32_t)40U; + uint64_t f10 = lo; + uint64_t f11 = hi; + uint64_t u0 = load64_le(ks); + uint64_t lo0 = u0; + uint64_t u = load64_le(ks + (uint32_t)8U); + uint64_t hi0 = u; + uint64_t f20 = lo0; + uint64_t f21 = hi0; + uint64_t r0 = f10 + f20; + uint64_t r1 = f11 + f21; + uint64_t c = (r0 ^ ((r0 ^ f20) | ((r0 - f20) ^ f20))) >> (uint32_t)63U; + uint64_t r11 = r1 + c; + uint64_t f30 = r0; + uint64_t f31 = r11; + store64_le(tag, f30); + store64_le(tag + (uint32_t)8U, f31); +} + +void Hacl_Poly1305_32_poly1305_mac(uint8_t *tag, uint32_t len, uint8_t *text, uint8_t *key) +{ + uint64_t ctx[25U] = { 0U }; + Hacl_Poly1305_32_poly1305_init(ctx, key); + Hacl_Poly1305_32_poly1305_update(ctx, len, text); + Hacl_Poly1305_32_poly1305_finish(tag, key, ctx); +} + 
diff --git a/src/msvc/Hacl_RSAPSS.c b/src/msvc/Hacl_RSAPSS.c new file mode 100644 index 00000000..5148b08f --- /dev/null +++ b/src/msvc/Hacl_RSAPSS.c 
@@ -0,0 +1,818 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_RSAPSS.h" + +#include "internal/Hacl_Kremlib.h" +#include "internal/Hacl_Bignum.h" + +static inline uint32_t hash_len(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + return (uint32_t)16U; + } + case Spec_Hash_Definitions_SHA1: + { + return (uint32_t)20U; + } + case Spec_Hash_Definitions_SHA2_224: + { + return (uint32_t)28U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_SHA2_384: + { + return (uint32_t)48U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return (uint32_t)64U; + } + case Spec_Hash_Definitions_Blake2S: + { + return (uint32_t)32U; + } + case Spec_Hash_Definitions_Blake2B: + { + return (uint32_t)64U; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +static inline void +hash(Spec_Hash_Definitions_hash_alg a, uint8_t *mHash, uint32_t msgLen, uint8_t *msg) +{ + switch (a) + { + case Spec_Hash_Definitions_SHA2_256: + { + Hacl_Hash_SHA2_hash_256(msg, msgLen, mHash); + break; + } + case Spec_Hash_Definitions_SHA2_384: + { + Hacl_Hash_SHA2_hash_384(msg, msgLen, mHash); + break; + } + case Spec_Hash_Definitions_SHA2_512: + { + Hacl_Hash_SHA2_hash_512(msg, msgLen, mHash); + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +static inline void +mgf_hash( + Spec_Hash_Definitions_hash_alg a, + uint32_t len, + uint8_t *mgfseed, + uint32_t maskLen, + uint8_t *res +) +{ + KRML_CHECK_SIZE(sizeof (uint8_t), len + (uint32_t)4U); + uint8_t *mgfseed_counter = alloca((len + (uint32_t)4U) * sizeof (uint8_t)); + memset(mgfseed_counter, 0U, (len + (uint32_t)4U) * sizeof (uint8_t)); + memcpy(mgfseed_counter, mgfseed, len * sizeof (uint8_t)); + uint32_t hLen = hash_len(a); + uint32_t n = (maskLen - (uint32_t)1U) / hLen + (uint32_t)1U; + uint32_t accLen = n * hLen; + 
KRML_CHECK_SIZE(sizeof (uint8_t), accLen); + uint8_t *acc = alloca(accLen * sizeof (uint8_t)); + memset(acc, 0U, accLen * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < n; i++) + { + uint8_t *acc_i = acc + i * hLen; + uint8_t *c = mgfseed_counter + len; + c[0U] = (uint8_t)(i >> (uint32_t)24U); + c[1U] = (uint8_t)(i >> (uint32_t)16U); + c[2U] = (uint8_t)(i >> (uint32_t)8U); + c[3U] = (uint8_t)i; + hash(a, acc_i, len + (uint32_t)4U, mgfseed_counter); + } + memcpy(res, acc, maskLen * sizeof (uint8_t)); +} + +static inline uint64_t check_num_bits_u64(uint32_t bs, uint64_t *b) +{ + uint32_t bLen = (bs - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + if (bs == (uint32_t)64U * bLen) + { + return (uint64_t)0xFFFFFFFFFFFFFFFFU; + } + KRML_CHECK_SIZE(sizeof (uint64_t), bLen); + uint64_t *b2 = alloca(bLen * sizeof (uint64_t)); + memset(b2, 0U, bLen * sizeof (uint64_t)); + uint32_t i0 = bs / (uint32_t)64U; + uint32_t j = bs % (uint32_t)64U; + b2[i0] = b2[i0] | (uint64_t)1U << j; + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < bLen; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(b[i], b2[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(b[i], b2[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t res = acc; + return res; +} + +static inline uint64_t check_modulus_u64(uint32_t modBits, uint64_t *n) +{ + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint64_t bits0 = n[0U] & (uint64_t)1U; + uint64_t m0 = (uint64_t)0U - bits0; + KRML_CHECK_SIZE(sizeof (uint64_t), nLen); + uint64_t *b2 = alloca(nLen * sizeof (uint64_t)); + memset(b2, 0U, nLen * sizeof (uint64_t)); + uint32_t i0 = (modBits - (uint32_t)1U) / (uint32_t)64U; + uint32_t j = (modBits - (uint32_t)1U) % (uint32_t)64U; + b2[i0] = b2[i0] | (uint64_t)1U << j; + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < nLen; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(b2[i], n[i]); + uint64_t blt = 
~FStar_UInt64_gte_mask(b2[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t res = acc; + uint64_t m1 = res; + uint64_t m2 = check_num_bits_u64(modBits, n); + return m0 & (m1 & m2); +} + +static inline uint64_t check_exponent_u64(uint32_t eBits, uint64_t *e) +{ + uint32_t eLen = (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + KRML_CHECK_SIZE(sizeof (uint64_t), eLen); + uint64_t *bn_zero = alloca(eLen * sizeof (uint64_t)); + memset(bn_zero, 0U, eLen * sizeof (uint64_t)); + uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < eLen; i++) + { + uint64_t uu____0 = FStar_UInt64_eq_mask(e[i], bn_zero[i]); + mask = uu____0 & mask; + } + uint64_t mask1 = mask; + uint64_t res = mask1; + uint64_t m0 = res; + uint64_t m1 = check_num_bits_u64(eBits, e); + return ~m0 & m1; +} + +static inline void +pss_encode( + Spec_Hash_Definitions_hash_alg a, + uint32_t saltLen, + uint8_t *salt, + uint32_t msgLen, + uint8_t *msg, + uint32_t emBits, + uint8_t *em +) +{ + uint32_t hLen = hash_len(a); + KRML_CHECK_SIZE(sizeof (uint8_t), hLen); + uint8_t *m1Hash = alloca(hLen * sizeof (uint8_t)); + memset(m1Hash, 0U, hLen * sizeof (uint8_t)); + uint32_t m1Len = (uint32_t)8U + hLen + saltLen; + KRML_CHECK_SIZE(sizeof (uint8_t), m1Len); + uint8_t *m1 = alloca(m1Len * sizeof (uint8_t)); + memset(m1, 0U, m1Len * sizeof (uint8_t)); + hash(a, m1 + (uint32_t)8U, msgLen, msg); + memcpy(m1 + (uint32_t)8U + hLen, salt, saltLen * sizeof (uint8_t)); + hash(a, m1Hash, m1Len, m1); + uint32_t emLen = (emBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t dbLen = emLen - hLen - (uint32_t)1U; + KRML_CHECK_SIZE(sizeof (uint8_t), dbLen); + uint8_t *db = alloca(dbLen * sizeof (uint8_t)); + memset(db, 0U, dbLen * sizeof (uint8_t)); + uint32_t last_before_salt = dbLen - saltLen - (uint32_t)1U; + db[last_before_salt] = (uint8_t)1U; + memcpy(db + last_before_salt + (uint32_t)1U, salt, saltLen * 
sizeof (uint8_t)); + KRML_CHECK_SIZE(sizeof (uint8_t), dbLen); + uint8_t *dbMask = alloca(dbLen * sizeof (uint8_t)); + memset(dbMask, 0U, dbLen * sizeof (uint8_t)); + mgf_hash(a, hLen, m1Hash, dbLen, dbMask); + for (uint32_t i = (uint32_t)0U; i < dbLen; i++) + { + uint8_t *os = db; + uint8_t x = db[i] ^ dbMask[i]; + os[i] = x; + } + uint32_t msBits = emBits % (uint32_t)8U; + if (msBits > (uint32_t)0U) + { + db[0U] = db[0U] & (uint8_t)0xffU >> ((uint32_t)8U - msBits); + } + memcpy(em, db, dbLen * sizeof (uint8_t)); + memcpy(em + dbLen, m1Hash, hLen * sizeof (uint8_t)); + em[emLen - (uint32_t)1U] = (uint8_t)0xbcU; +} + +static inline bool +pss_verify( + Spec_Hash_Definitions_hash_alg a, + uint32_t saltLen, + uint32_t msgLen, + uint8_t *msg, + uint32_t emBits, + uint8_t *em +) +{ + uint32_t emLen = (emBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t msBits = emBits % (uint32_t)8U; + uint8_t em_0; + if (msBits > (uint32_t)0U) + { + em_0 = em[0U] & (uint8_t)0xffU << msBits; + } + else + { + em_0 = (uint8_t)0U; + } + uint8_t em_last = em[emLen - (uint32_t)1U]; + if (emLen < saltLen + hash_len(a) + (uint32_t)2U) + { + return false; + } + if (!(em_last == (uint8_t)0xbcU && em_0 == (uint8_t)0U)) + { + return false; + } + uint32_t emLen1 = (emBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t hLen = hash_len(a); + KRML_CHECK_SIZE(sizeof (uint8_t), hLen); + uint8_t *m1Hash0 = alloca(hLen * sizeof (uint8_t)); + memset(m1Hash0, 0U, hLen * sizeof (uint8_t)); + uint32_t dbLen = emLen1 - hLen - (uint32_t)1U; + uint8_t *maskedDB = em; + uint8_t *m1Hash = em + dbLen; + KRML_CHECK_SIZE(sizeof (uint8_t), dbLen); + uint8_t *dbMask = alloca(dbLen * sizeof (uint8_t)); + memset(dbMask, 0U, dbLen * sizeof (uint8_t)); + mgf_hash(a, hLen, m1Hash, dbLen, dbMask); + for (uint32_t i = (uint32_t)0U; i < dbLen; i++) + { + uint8_t *os = dbMask; + uint8_t x = dbMask[i] ^ maskedDB[i]; + os[i] = x; + } + uint32_t msBits1 = emBits % (uint32_t)8U; + if (msBits1 > (uint32_t)0U) 
+ { + dbMask[0U] = dbMask[0U] & (uint8_t)0xffU >> ((uint32_t)8U - msBits1); + } + uint32_t padLen = emLen1 - saltLen - hLen - (uint32_t)1U; + KRML_CHECK_SIZE(sizeof (uint8_t), padLen); + uint8_t *pad2 = alloca(padLen * sizeof (uint8_t)); + memset(pad2, 0U, padLen * sizeof (uint8_t)); + pad2[padLen - (uint32_t)1U] = (uint8_t)0x01U; + uint8_t *pad = dbMask; + uint8_t *salt = dbMask + padLen; + uint8_t res = (uint8_t)255U; + for (uint32_t i = (uint32_t)0U; i < padLen; i++) + { + uint8_t uu____0 = FStar_UInt8_eq_mask(pad[i], pad2[i]); + res = uu____0 & res; + } + uint8_t z = res; + if (!(z == (uint8_t)255U)) + { + return false; + } + uint32_t m1Len = (uint32_t)8U + hLen + saltLen; + KRML_CHECK_SIZE(sizeof (uint8_t), m1Len); + uint8_t *m1 = alloca(m1Len * sizeof (uint8_t)); + memset(m1, 0U, m1Len * sizeof (uint8_t)); + hash(a, m1 + (uint32_t)8U, msgLen, msg); + memcpy(m1 + (uint32_t)8U + hLen, salt, saltLen * sizeof (uint8_t)); + hash(a, m1Hash0, m1Len, m1); + uint8_t res0 = (uint8_t)255U; + for (uint32_t i = (uint32_t)0U; i < hLen; i++) + { + uint8_t uu____1 = FStar_UInt8_eq_mask(m1Hash0[i], m1Hash[i]); + res0 = uu____1 & res0; + } + uint8_t z0 = res0; + return z0 == (uint8_t)255U; +} + +static inline bool +load_pkey(uint32_t modBits, uint32_t eBits, uint8_t *nb, uint8_t *eb, uint64_t *pkey) +{ + uint32_t nbLen = (modBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t ebLen = (eBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint64_t *n = pkey; + uint64_t *r2 = pkey + nLen; + uint64_t *e = pkey + nLen + nLen; + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(nbLen, nb, n); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64((modBits - (uint32_t)1U) + / (uint32_t)64U + + (uint32_t)1U, + modBits - (uint32_t)1U, + n, + r2); + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(ebLen, eb, e); + uint64_t m0 = check_modulus_u64(modBits, n); + uint64_t m1 = check_exponent_u64(eBits, e); + uint64_t m 
= m0 & m1; + return m == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +static inline bool +load_skey( + uint32_t modBits, + uint32_t eBits, + uint32_t dBits, + uint8_t *nb, + uint8_t *eb, + uint8_t *db, + uint64_t *skey +) +{ + uint32_t dbLen = (dBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t eLen = (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t pkeyLen = nLen + nLen + eLen; + uint64_t *pkey = skey; + uint64_t *d = skey + pkeyLen; + bool b = load_pkey(modBits, eBits, nb, eb, pkey); + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(dbLen, db, d); + uint64_t m1 = check_exponent_u64(dBits, d); + return b && m1 == (uint64_t)0xFFFFFFFFFFFFFFFFU; +} + +bool +Hacl_RSAPSS_rsapss_sign( + Spec_Hash_Definitions_hash_alg a, + uint32_t modBits, + uint32_t eBits, + uint32_t dBits, + uint64_t *skey, + uint32_t saltLen, + uint8_t *salt, + uint32_t msgLen, + uint8_t *msg, + uint8_t *sgnt +) +{ + uint32_t hLen = hash_len(a); + bool + b = + saltLen + <= (uint32_t)0xffffffffU - hLen - (uint32_t)8U + && + saltLen + + hLen + + (uint32_t)2U + <= (modBits - (uint32_t)1U - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + if (b) + { + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + KRML_CHECK_SIZE(sizeof (uint64_t), nLen); + uint64_t *m = alloca(nLen * sizeof (uint64_t)); + memset(m, 0U, nLen * sizeof (uint64_t)); + uint32_t emBits = modBits - (uint32_t)1U; + uint32_t emLen = (emBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + KRML_CHECK_SIZE(sizeof (uint8_t), emLen); + uint8_t *em = alloca(emLen * sizeof (uint8_t)); + memset(em, 0U, emLen * sizeof (uint8_t)); + pss_encode(a, saltLen, salt, msgLen, msg, emBits, em); + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(emLen, em, m); + uint32_t nLen1 = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t k = (modBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + KRML_CHECK_SIZE(sizeof (uint64_t), nLen1); + 
uint64_t *s = alloca(nLen1 * sizeof (uint64_t)); + memset(s, 0U, nLen1 * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), nLen1); + uint64_t *m_ = alloca(nLen1 * sizeof (uint64_t)); + memset(m_, 0U, nLen1 * sizeof (uint64_t)); + uint32_t nLen2 = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t eLen = (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint64_t *n = skey; + uint64_t *r2 = skey + nLen2; + uint64_t *e = skey + nLen2 + nLen2; + uint64_t *d = skey + nLen2 + nLen2 + eLen; + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u64((modBits - (uint32_t)1U) + / (uint32_t)64U + + (uint32_t)1U, + n, + mu, + r2, + m, + dBits, + d, + s); + uint64_t mu0 = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64((modBits - (uint32_t)1U) + / (uint32_t)64U + + (uint32_t)1U, + n, + mu0, + r2, + s, + eBits, + e, + m_); + uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; + for (uint32_t i = (uint32_t)0U; i < nLen2; i++) + { + uint64_t uu____0 = FStar_UInt64_eq_mask(m[i], m_[i]); + mask = uu____0 & mask; + } + uint64_t mask1 = mask; + uint64_t eq_m = mask1; + for (uint32_t i = (uint32_t)0U; i < nLen2; i++) + { + uint64_t *os = s; + uint64_t x = s[i]; + uint64_t x0 = eq_m & x; + os[i] = x0; + } + bool eq_b = eq_m == (uint64_t)0xFFFFFFFFFFFFFFFFU; + Hacl_Bignum_Convert_bn_to_bytes_be_uint64(k, s, sgnt); + bool eq_b0 = eq_b; + return eq_b0; + } + return false; +} + +bool +Hacl_RSAPSS_rsapss_verify( + Spec_Hash_Definitions_hash_alg a, + uint32_t modBits, + uint32_t eBits, + uint64_t *pkey, + uint32_t saltLen, + uint32_t sgntLen, + uint8_t *sgnt, + uint32_t msgLen, + uint8_t *msg +) +{ + uint32_t hLen = hash_len(a); + bool + b = + saltLen + <= (uint32_t)0xffffffffU - hLen - (uint32_t)8U + && sgntLen == (modBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + if (b) + { + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + 
(uint32_t)1U; + KRML_CHECK_SIZE(sizeof (uint64_t), nLen); + uint64_t *m = alloca(nLen * sizeof (uint64_t)); + memset(m, 0U, nLen * sizeof (uint64_t)); + uint32_t nLen1 = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t k = (modBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + KRML_CHECK_SIZE(sizeof (uint64_t), nLen1); + uint64_t *s = alloca(nLen1 * sizeof (uint64_t)); + memset(s, 0U, nLen1 * sizeof (uint64_t)); + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(k, sgnt, s); + uint32_t nLen2 = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint64_t *n = pkey; + uint64_t *r2 = pkey + nLen2; + uint64_t *e = pkey + nLen2 + nLen2; + uint64_t acc = (uint64_t)0U; + for (uint32_t i = (uint32_t)0U; i < nLen2; i++) + { + uint64_t beq = FStar_UInt64_eq_mask(s[i], n[i]); + uint64_t blt = ~FStar_UInt64_gte_mask(s[i], n[i]); + acc = (beq & acc) | (~beq & ((blt & (uint64_t)0xFFFFFFFFFFFFFFFFU) | (~blt & (uint64_t)0U))); + } + uint64_t mask = acc; + bool res; + if (mask == (uint64_t)0xFFFFFFFFFFFFFFFFU) + { + uint64_t mu = Hacl_Bignum_ModInvLimb_mod_inv_uint64(n[0U]); + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64((modBits - (uint32_t)1U) + / (uint32_t)64U + + (uint32_t)1U, + n, + mu, + r2, + s, + eBits, + e, + m); + bool ite; + if (!((modBits - (uint32_t)1U) % (uint32_t)8U == (uint32_t)0U)) + { + ite = true; + } + else + { + uint32_t i = (modBits - (uint32_t)1U) / (uint32_t)64U; + uint32_t j = (modBits - (uint32_t)1U) % (uint32_t)64U; + uint64_t tmp = m[i]; + uint64_t get_bit = tmp >> j & (uint64_t)1U; + ite = get_bit == (uint64_t)0U; + } + if (ite) + { + res = true; + } + else + { + res = false; + } + } + else + { + res = false; + } + bool b1 = res; + bool b10 = b1; + if (b10) + { + uint32_t emBits = modBits - (uint32_t)1U; + uint32_t emLen = (emBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + KRML_CHECK_SIZE(sizeof (uint8_t), emLen); + uint8_t *em = alloca(emLen * sizeof (uint8_t)); + memset(em, 0U, emLen * sizeof (uint8_t)); + 
uint64_t *m1 = m; + Hacl_Bignum_Convert_bn_to_bytes_be_uint64(emLen, m1, em); + bool res0 = pss_verify(a, saltLen, msgLen, msg, emBits, em); + return res0; + } + return false; + } + return false; +} + +uint64_t +*Hacl_RSAPSS_new_rsapss_load_pkey(uint32_t modBits, uint32_t eBits, uint8_t *nb, uint8_t *eb) +{ + bool ite; + if ((uint32_t)1U < modBits && (uint32_t)0U < eBits) + { + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t eLen = (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + ite = + nLen + <= (uint32_t)33554431U + && eLen <= (uint32_t)67108863U + && nLen + nLen <= (uint32_t)0xffffffffU - eLen; + } + else + { + ite = false; + } + if (!ite) + { + return NULL; + } + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t eLen = (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t pkeyLen = nLen + nLen + eLen; + KRML_CHECK_SIZE(sizeof (uint64_t), pkeyLen); + uint64_t *pkey = KRML_HOST_CALLOC(pkeyLen, sizeof (uint64_t)); + if (pkey == NULL) + { + return pkey; + } + uint64_t *pkey1 = pkey; + uint64_t *pkey2 = pkey1; + uint32_t nbLen = (modBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t ebLen = (eBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t nLen1 = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint64_t *n = pkey2; + uint64_t *r2 = pkey2 + nLen1; + uint64_t *e = pkey2 + nLen1 + nLen1; + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(nbLen, nb, n); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64((modBits - (uint32_t)1U) + / (uint32_t)64U + + (uint32_t)1U, + modBits - (uint32_t)1U, + n, + r2); + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(ebLen, eb, e); + uint64_t m0 = check_modulus_u64(modBits, n); + uint64_t m1 = check_exponent_u64(eBits, e); + uint64_t m = m0 & m1; + bool b = m == (uint64_t)0xFFFFFFFFFFFFFFFFU; + if (b) + { + return pkey2; + } + return NULL; +} + +uint64_t +*Hacl_RSAPSS_new_rsapss_load_skey( + uint32_t modBits, + uint32_t 
eBits, + uint32_t dBits, + uint8_t *nb, + uint8_t *eb, + uint8_t *db +) +{ + bool ite0; + if ((uint32_t)1U < modBits && (uint32_t)0U < eBits) + { + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t eLen = (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + ite0 = + nLen + <= (uint32_t)33554431U + && eLen <= (uint32_t)67108863U + && nLen + nLen <= (uint32_t)0xffffffffU - eLen; + } + else + { + ite0 = false; + } + bool ite; + if (ite0 && (uint32_t)0U < dBits) + { + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t eLen = (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t dLen = (dBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + ite = dLen <= (uint32_t)67108863U && (uint32_t)2U * nLen <= (uint32_t)0xffffffffU - eLen - dLen; + } + else + { + ite = false; + } + if (!ite) + { + return NULL; + } + uint32_t nLen = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t eLen = (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t dLen = (dBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t skeyLen = nLen + nLen + eLen + dLen; + KRML_CHECK_SIZE(sizeof (uint64_t), skeyLen); + uint64_t *skey = KRML_HOST_CALLOC(skeyLen, sizeof (uint64_t)); + if (skey == NULL) + { + return skey; + } + uint64_t *skey1 = skey; + uint64_t *skey2 = skey1; + uint32_t dbLen = (dBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t nLen1 = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t eLen1 = (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint32_t pkeyLen = nLen1 + nLen1 + eLen1; + uint64_t *pkey = skey2; + uint64_t *d = skey2 + pkeyLen; + uint32_t nbLen1 = (modBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t ebLen1 = (eBits - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; + uint32_t nLen2 = (modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U; + uint64_t *n = pkey; + uint64_t *r2 = pkey + nLen2; + uint64_t *e = pkey + 
nLen2 + nLen2; + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(nbLen1, nb, n); + Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64((modBits - (uint32_t)1U) + / (uint32_t)64U + + (uint32_t)1U, + modBits - (uint32_t)1U, + n, + r2); + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(ebLen1, eb, e); + uint64_t m0 = check_modulus_u64(modBits, n); + uint64_t m10 = check_exponent_u64(eBits, e); + uint64_t m = m0 & m10; + bool b = m == (uint64_t)0xFFFFFFFFFFFFFFFFU; + Hacl_Bignum_Convert_bn_from_bytes_be_uint64(dbLen, db, d); + uint64_t m1 = check_exponent_u64(dBits, d); + bool b0 = b && m1 == (uint64_t)0xFFFFFFFFFFFFFFFFU; + if (b0) + { + return skey2; + } + return NULL; +} + +bool +Hacl_RSAPSS_rsapss_skey_sign( + Spec_Hash_Definitions_hash_alg a, + uint32_t modBits, + uint32_t eBits, + uint32_t dBits, + uint8_t *nb, + uint8_t *eb, + uint8_t *db, + uint32_t saltLen, + uint8_t *salt, + uint32_t msgLen, + uint8_t *msg, + uint8_t *sgnt +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), + (uint32_t)2U + * ((modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U) + + (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U + + (dBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U); + uint64_t + *skey = + alloca(((uint32_t)2U + * ((modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U) + + (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U + + (dBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U) + * sizeof (uint64_t)); + memset(skey, + 0U, + ((uint32_t)2U + * ((modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U) + + (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U + + (dBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U) + * sizeof (uint64_t)); + bool b = load_skey(modBits, eBits, dBits, nb, eb, db, skey); + if (b) + { + return + Hacl_RSAPSS_rsapss_sign(a, + modBits, + eBits, + dBits, + skey, + saltLen, + salt, + msgLen, + msg, + sgnt); + } + return false; +} + +bool +Hacl_RSAPSS_rsapss_pkey_verify( + Spec_Hash_Definitions_hash_alg a, + uint32_t modBits, + uint32_t eBits, + uint8_t 
*nb, + uint8_t *eb, + uint32_t saltLen, + uint32_t sgntLen, + uint8_t *sgnt, + uint32_t msgLen, + uint8_t *msg +) +{ + KRML_CHECK_SIZE(sizeof (uint64_t), + (uint32_t)2U + * ((modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U) + + (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U); + uint64_t + *pkey = + alloca(((uint32_t)2U + * ((modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U) + + (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U) + * sizeof (uint64_t)); + memset(pkey, + 0U, + ((uint32_t)2U + * ((modBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U) + + (eBits - (uint32_t)1U) / (uint32_t)64U + (uint32_t)1U) + * sizeof (uint64_t)); + bool b = load_pkey(modBits, eBits, nb, eb, pkey); + if (b) + { + return Hacl_RSAPSS_rsapss_verify(a, modBits, eBits, pkey, saltLen, sgntLen, sgnt, msgLen, msg); + } + return false; +} + diff --git a/src/msvc/Hacl_SHA2_Vec128.c b/src/msvc/Hacl_SHA2_Vec128.c new file mode 100644 index 00000000..04366d00 --- /dev/null +++ b/src/msvc/Hacl_SHA2_Vec128.c 
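Review bot: Hacl_RSAPSS_new_rsapss_load_pkey leaks the heap buffer on invalid input: after `KRML_HOST_CALLOC` succeeds, a failed check_modulus_u64/check_exponent_u64 reaches `return NULL;` without releasing `pkey`, and Hacl_RSAPSS_new_rsapss_load_skey has the same `if (b0) { return skey2; } return NULL;` shape. Since those checks are exactly the path an attacker-supplied or malformed key takes, every rejected key costs pkeyLen*8 (or skeyLen*8) bytes for the lifetime of the process. The failure branch should release before returning, e.g. `KRML_HOST_FREE(pkey2); return NULL;` in load_pkey and `KRML_HOST_FREE(skey2); return NULL;` in load_skey, assuming the kremlib target header that supplies KRML_HOST_CALLOC also supplies the matching free macro (otherwise plain free()). In the skey case the rejected buffer already holds the caller's private exponent, because `Hacl_Bignum_Convert_bn_from_bytes_be_uint64(dbLen, db, d)` runs before the final check, so it should be scrubbed with a memset the compiler cannot elide before freeing; and since this file offers no release helper for either key buffer, the "caller owns and must free the returned pointer" contract is worth stating in a comment above both functions.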
@@ -0,0 +1,942 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */ + + +#include "Hacl_SHA2_Vec128.h" + +#include "internal/Hacl_SHA2_Vec128.h" + +static inline void +sha224_update4( + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ block, + Lib_IntVector_Intrinsics_vec128 *hash +) +{ + Lib_IntVector_Intrinsics_vec128 hash_old[8U]; + for (uint32_t _i = 0U; _i < (uint32_t)8U; ++_i) + hash_old[_i] = Lib_IntVector_Intrinsics_vec128_zero; + Lib_IntVector_Intrinsics_vec128 ws[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + ws[_i] = Lib_IntVector_Intrinsics_vec128_zero; + memcpy(hash_old, hash, (uint32_t)8U * sizeof (Lib_IntVector_Intrinsics_vec128)); + uint8_t *b3 = block.snd.snd.snd; + uint8_t *b2 = block.snd.snd.fst; + uint8_t *b10 = block.snd.fst; + uint8_t *b00 = block.fst; + ws[0U] = Lib_IntVector_Intrinsics_vec128_load32_be(b00); + ws[1U] = Lib_IntVector_Intrinsics_vec128_load32_be(b10); + ws[2U] = Lib_IntVector_Intrinsics_vec128_load32_be(b2); + ws[3U] = Lib_IntVector_Intrinsics_vec128_load32_be(b3); + ws[4U] = Lib_IntVector_Intrinsics_vec128_load32_be(b00 + (uint32_t)16U); + ws[5U] = Lib_IntVector_Intrinsics_vec128_load32_be(b10 + (uint32_t)16U); + ws[6U] = Lib_IntVector_Intrinsics_vec128_load32_be(b2 + (uint32_t)16U); + ws[7U] = Lib_IntVector_Intrinsics_vec128_load32_be(b3 + (uint32_t)16U); + ws[8U] = Lib_IntVector_Intrinsics_vec128_load32_be(b00 + (uint32_t)32U); + ws[9U] = Lib_IntVector_Intrinsics_vec128_load32_be(b10 + (uint32_t)32U); + ws[10U] = Lib_IntVector_Intrinsics_vec128_load32_be(b2 + (uint32_t)32U); + ws[11U] = Lib_IntVector_Intrinsics_vec128_load32_be(b3 + (uint32_t)32U); + ws[12U] = Lib_IntVector_Intrinsics_vec128_load32_be(b00 + (uint32_t)48U); + ws[13U] = Lib_IntVector_Intrinsics_vec128_load32_be(b10 + (uint32_t)48U); + ws[14U] = Lib_IntVector_Intrinsics_vec128_load32_be(b2 + (uint32_t)48U); + ws[15U] = Lib_IntVector_Intrinsics_vec128_load32_be(b3 + (uint32_t)48U); + Lib_IntVector_Intrinsics_vec128 v00 = ws[0U]; + Lib_IntVector_Intrinsics_vec128 v10 = ws[1U]; + 
Lib_IntVector_Intrinsics_vec128 v20 = ws[2U]; + Lib_IntVector_Intrinsics_vec128 v30 = ws[3U]; + Lib_IntVector_Intrinsics_vec128 + v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v00, v10); + Lib_IntVector_Intrinsics_vec128 + v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v00, v10); + Lib_IntVector_Intrinsics_vec128 + v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v20, v30); + Lib_IntVector_Intrinsics_vec128 + v3_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v20, v30); + Lib_IntVector_Intrinsics_vec128 + v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v2__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 + v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 v0__0 = v0__; + Lib_IntVector_Intrinsics_vec128 v2__0 = v2__; + Lib_IntVector_Intrinsics_vec128 v1__0 = v1__; + Lib_IntVector_Intrinsics_vec128 v3__0 = v3__; + Lib_IntVector_Intrinsics_vec128 ws0 = v0__0; + Lib_IntVector_Intrinsics_vec128 ws1 = v1__0; + Lib_IntVector_Intrinsics_vec128 ws2 = v2__0; + Lib_IntVector_Intrinsics_vec128 ws3 = v3__0; + Lib_IntVector_Intrinsics_vec128 v01 = ws[4U]; + Lib_IntVector_Intrinsics_vec128 v11 = ws[5U]; + Lib_IntVector_Intrinsics_vec128 v21 = ws[6U]; + Lib_IntVector_Intrinsics_vec128 v31 = ws[7U]; + Lib_IntVector_Intrinsics_vec128 + v0_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v01, v11); + Lib_IntVector_Intrinsics_vec128 + v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v01, v11); + Lib_IntVector_Intrinsics_vec128 + v2_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v21, v31); + Lib_IntVector_Intrinsics_vec128 + v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v21, v31); + Lib_IntVector_Intrinsics_vec128 + v0__1 = 
Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v1__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 + v3__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 v0__2 = v0__1; + Lib_IntVector_Intrinsics_vec128 v2__2 = v2__1; + Lib_IntVector_Intrinsics_vec128 v1__2 = v1__1; + Lib_IntVector_Intrinsics_vec128 v3__2 = v3__1; + Lib_IntVector_Intrinsics_vec128 ws4 = v0__2; + Lib_IntVector_Intrinsics_vec128 ws5 = v1__2; + Lib_IntVector_Intrinsics_vec128 ws6 = v2__2; + Lib_IntVector_Intrinsics_vec128 ws7 = v3__2; + Lib_IntVector_Intrinsics_vec128 v02 = ws[8U]; + Lib_IntVector_Intrinsics_vec128 v12 = ws[9U]; + Lib_IntVector_Intrinsics_vec128 v22 = ws[10U]; + Lib_IntVector_Intrinsics_vec128 v32 = ws[11U]; + Lib_IntVector_Intrinsics_vec128 + v0_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v02, v12); + Lib_IntVector_Intrinsics_vec128 + v1_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v02, v12); + Lib_IntVector_Intrinsics_vec128 + v2_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v22, v32); + Lib_IntVector_Intrinsics_vec128 + v3_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v22, v32); + Lib_IntVector_Intrinsics_vec128 + v0__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v1__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v2__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 + v3__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 v0__4 = v0__3; + Lib_IntVector_Intrinsics_vec128 v2__4 = v2__3; + Lib_IntVector_Intrinsics_vec128 v1__4 = v1__3; + Lib_IntVector_Intrinsics_vec128 v3__4 = v3__3; + 
Lib_IntVector_Intrinsics_vec128 ws8 = v0__4; + Lib_IntVector_Intrinsics_vec128 ws9 = v1__4; + Lib_IntVector_Intrinsics_vec128 ws10 = v2__4; + Lib_IntVector_Intrinsics_vec128 ws11 = v3__4; + Lib_IntVector_Intrinsics_vec128 v0 = ws[12U]; + Lib_IntVector_Intrinsics_vec128 v1 = ws[13U]; + Lib_IntVector_Intrinsics_vec128 v2 = ws[14U]; + Lib_IntVector_Intrinsics_vec128 v3 = ws[15U]; + Lib_IntVector_Intrinsics_vec128 + v0_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v0, v1); + Lib_IntVector_Intrinsics_vec128 + v1_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v0, v1); + Lib_IntVector_Intrinsics_vec128 + v2_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v2, v3); + Lib_IntVector_Intrinsics_vec128 + v3_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v2, v3); + Lib_IntVector_Intrinsics_vec128 + v0__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v1__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v2__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 + v3__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 v0__6 = v0__5; + Lib_IntVector_Intrinsics_vec128 v2__6 = v2__5; + Lib_IntVector_Intrinsics_vec128 v1__6 = v1__5; + Lib_IntVector_Intrinsics_vec128 v3__6 = v3__5; + Lib_IntVector_Intrinsics_vec128 ws12 = v0__6; + Lib_IntVector_Intrinsics_vec128 ws13 = v1__6; + Lib_IntVector_Intrinsics_vec128 ws14 = v2__6; + Lib_IntVector_Intrinsics_vec128 ws15 = v3__6; + ws[0U] = ws0; + ws[1U] = ws1; + ws[2U] = ws2; + ws[3U] = ws3; + ws[4U] = ws4; + ws[5U] = ws5; + ws[6U] = ws6; + ws[7U] = ws7; + ws[8U] = ws8; + ws[9U] = ws9; + ws[10U] = ws10; + ws[11U] = ws11; + ws[12U] = ws12; + ws[13U] = ws13; + ws[14U] = ws14; + ws[15U] = ws15; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + 
uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i0 + i]; + Lib_IntVector_Intrinsics_vec128 ws_t = ws[i]; + Lib_IntVector_Intrinsics_vec128 a0 = hash[0U]; + Lib_IntVector_Intrinsics_vec128 b0 = hash[1U]; + Lib_IntVector_Intrinsics_vec128 c0 = hash[2U]; + Lib_IntVector_Intrinsics_vec128 d0 = hash[3U]; + Lib_IntVector_Intrinsics_vec128 e0 = hash[4U]; + Lib_IntVector_Intrinsics_vec128 f0 = hash[5U]; + Lib_IntVector_Intrinsics_vec128 g0 = hash[6U]; + Lib_IntVector_Intrinsics_vec128 h02 = hash[7U]; + Lib_IntVector_Intrinsics_vec128 k_e_t = Lib_IntVector_Intrinsics_vec128_load32(k_t); + Lib_IntVector_Intrinsics_vec128 + t1 = + Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(h02, + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(e0, + (uint32_t)6U), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(e0, + (uint32_t)11U), + Lib_IntVector_Intrinsics_vec128_rotate_right32(e0, (uint32_t)25U)))), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_and(e0, f0), + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_lognot(e0), g0))), + k_e_t), + ws_t); + Lib_IntVector_Intrinsics_vec128 + t2 = + Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(a0, + (uint32_t)2U), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(a0, + (uint32_t)13U), + Lib_IntVector_Intrinsics_vec128_rotate_right32(a0, (uint32_t)22U))), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_and(a0, b0), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_and(a0, c0), + Lib_IntVector_Intrinsics_vec128_and(b0, c0)))); + Lib_IntVector_Intrinsics_vec128 a1 = Lib_IntVector_Intrinsics_vec128_add32(t1, t2); + Lib_IntVector_Intrinsics_vec128 b1 = a0; + 
Lib_IntVector_Intrinsics_vec128 c1 = b0; + Lib_IntVector_Intrinsics_vec128 d1 = c0; + Lib_IntVector_Intrinsics_vec128 e1 = Lib_IntVector_Intrinsics_vec128_add32(d0, t1); + Lib_IntVector_Intrinsics_vec128 f1 = e0; + Lib_IntVector_Intrinsics_vec128 g1 = f0; + Lib_IntVector_Intrinsics_vec128 h12 = g0; + hash[0U] = a1; + hash[1U] = b1; + hash[2U] = c1; + hash[3U] = d1; + hash[4U] = e1; + hash[5U] = f1; + hash[6U] = g1; + hash[7U] = h12; + } + if (i0 < (uint32_t)4U - (uint32_t)1U) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec128 t16 = ws[i]; + Lib_IntVector_Intrinsics_vec128 t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec128 t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec128 t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec128 + s1 = + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(t2, + (uint32_t)17U), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(t2, + (uint32_t)19U), + Lib_IntVector_Intrinsics_vec128_shift_right32(t2, (uint32_t)10U))); + Lib_IntVector_Intrinsics_vec128 + s0 = + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(t15, + (uint32_t)7U), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(t15, + (uint32_t)18U), + Lib_IntVector_Intrinsics_vec128_shift_right32(t15, (uint32_t)3U))); + ws[i] = + Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(s1, + t7), + s0), + t16); + } + } + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec128 *os = hash; + Lib_IntVector_Intrinsics_vec128 + x = Lib_IntVector_Intrinsics_vec128_add32(hash[i], hash_old[i]); + os[i] = x; + } +} + +void +Hacl_SHA2_Vec128_sha224_4( + uint8_t *dst0, + uint8_t *dst1, + uint8_t *dst2, + uint8_t *dst3, + uint32_t 
input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3 +) +{ + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + ib = { .fst = input0, .snd = { .fst = input1, .snd = { .fst = input2, .snd = input3 } } }; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + rb = { .fst = dst0, .snd = { .fst = dst1, .snd = { .fst = dst2, .snd = dst3 } } }; + Lib_IntVector_Intrinsics_vec128 st[8U]; + for (uint32_t _i = 0U; _i < (uint32_t)8U; ++_i) + st[_i] = Lib_IntVector_Intrinsics_vec128_zero; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec128 *os = st; + uint32_t hi = Hacl_Impl_SHA2_Generic_h224[i]; + Lib_IntVector_Intrinsics_vec128 x = Lib_IntVector_Intrinsics_vec128_load32(hi); + os[i] = x; + } + uint32_t rem = input_len % (uint32_t)64U; + uint64_t len_ = (uint64_t)input_len; + uint32_t blocks0 = input_len / (uint32_t)64U; + for (uint32_t i = (uint32_t)0U; i < blocks0; i++) + { + uint8_t *b3 = ib.snd.snd.snd; + uint8_t *b2 = ib.snd.snd.fst; + uint8_t *b1 = ib.snd.fst; + uint8_t *b0 = ib.fst; + uint8_t *bl0 = b0 + i * (uint32_t)64U; + uint8_t *bl1 = b1 + i * (uint32_t)64U; + uint8_t *bl2 = b2 + i * (uint32_t)64U; + uint8_t *bl3 = b3 + i * (uint32_t)64U; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb = { .fst = bl0, .snd = { .fst = bl1, .snd = { .fst = bl2, .snd = bl3 } } }; + sha224_update4(mb, st); + } + uint32_t rem1 = input_len % (uint32_t)64U; + uint8_t *b3 = ib.snd.snd.snd; + uint8_t *b20 = ib.snd.snd.fst; + uint8_t *b10 = ib.snd.fst; + uint8_t *b00 = ib.fst; + uint8_t *bl0 = b00 + input_len - rem1; + uint8_t *bl1 = b10 + input_len - rem1; + uint8_t *bl2 = b20 + input_len - rem1; + uint8_t *bl3 = b3 + input_len - rem1; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + lb = { .fst = bl0, .snd = { .fst = bl1, .snd = { .fst = bl2, .snd = bl3 } } }; + uint32_t blocks; + if (rem + (uint32_t)8U + (uint32_t)1U <= (uint32_t)64U) + { + blocks = (uint32_t)1U; + } + else + { + blocks = 
(uint32_t)2U; + } + uint32_t fin = blocks * (uint32_t)64U; + uint8_t last[512U] = { 0U }; + uint8_t totlen_buf[8U] = { 0U }; + uint64_t total_len_bits = len_ << (uint32_t)3U; + store64_be(totlen_buf, total_len_bits); + uint8_t *b30 = lb.snd.snd.snd; + uint8_t *b21 = lb.snd.snd.fst; + uint8_t *b11 = lb.snd.fst; + uint8_t *b01 = lb.fst; + uint8_t *last00 = last; + uint8_t *last10 = last + (uint32_t)128U; + uint8_t *last2 = last + (uint32_t)256U; + uint8_t *last3 = last + (uint32_t)384U; + memcpy(last00, b01, rem * sizeof (uint8_t)); + last00[rem] = (uint8_t)0x80U; + memcpy(last00 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last010 = last00; + uint8_t *last110 = last00 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut = { .fst = last010, .snd = last110 }; + uint8_t *l00 = scrut.fst; + uint8_t *l01 = scrut.snd; + memcpy(last10, b11, rem * sizeof (uint8_t)); + last10[rem] = (uint8_t)0x80U; + memcpy(last10 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last011 = last10; + uint8_t *last111 = last10 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut0 = { .fst = last011, .snd = last111 }; + uint8_t *l10 = scrut0.fst; + uint8_t *l11 = scrut0.snd; + memcpy(last2, b21, rem * sizeof (uint8_t)); + last2[rem] = (uint8_t)0x80U; + memcpy(last2 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last012 = last2; + uint8_t *last112 = last2 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut1 = { .fst = last012, .snd = last112 }; + uint8_t *l20 = scrut1.fst; + uint8_t *l21 = scrut1.snd; + memcpy(last3, b30, rem * sizeof (uint8_t)); + last3[rem] = (uint8_t)0x80U; + memcpy(last3 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last01 = last3; + uint8_t *last11 = last3 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut2 = { .fst = last01, .snd = last11 }; + uint8_t *l30 = scrut2.fst; + uint8_t *l31 = scrut2.snd; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb0 = 
{ .fst = l00, .snd = { .fst = l10, .snd = { .fst = l20, .snd = l30 } } }; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb1 = { .fst = l01, .snd = { .fst = l11, .snd = { .fst = l21, .snd = l31 } } }; + K___K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + scrut3 = { .fst = mb0, .snd = mb1 }; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ last0 = scrut3.fst; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ last1 = scrut3.snd; + sha224_update4(last0, st); + if (blocks > (uint32_t)1U) + { + sha224_update4(last1, st); + } + KRML_CHECK_SIZE(sizeof (uint8_t), (uint32_t)4U * (uint32_t)8U * (uint32_t)4U); + uint8_t *hbuf = alloca((uint32_t)4U * (uint32_t)8U * (uint32_t)4U * sizeof (uint8_t)); + memset(hbuf, 0U, (uint32_t)4U * (uint32_t)8U * (uint32_t)4U * sizeof (uint8_t)); + Lib_IntVector_Intrinsics_vec128 v00 = st[0U]; + Lib_IntVector_Intrinsics_vec128 v10 = st[1U]; + Lib_IntVector_Intrinsics_vec128 v20 = st[2U]; + Lib_IntVector_Intrinsics_vec128 v30 = st[3U]; + Lib_IntVector_Intrinsics_vec128 + v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v00, v10); + Lib_IntVector_Intrinsics_vec128 + v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v00, v10); + Lib_IntVector_Intrinsics_vec128 + v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v20, v30); + Lib_IntVector_Intrinsics_vec128 + v3_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v20, v30); + Lib_IntVector_Intrinsics_vec128 + v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v2__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 + v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 v0__0 = v0__; + Lib_IntVector_Intrinsics_vec128 v2__0 = v2__; + 
Lib_IntVector_Intrinsics_vec128 v1__0 = v1__; + Lib_IntVector_Intrinsics_vec128 v3__0 = v3__; + Lib_IntVector_Intrinsics_vec128 st0_ = v0__0; + Lib_IntVector_Intrinsics_vec128 st1_ = v1__0; + Lib_IntVector_Intrinsics_vec128 st2_ = v2__0; + Lib_IntVector_Intrinsics_vec128 st3_ = v3__0; + Lib_IntVector_Intrinsics_vec128 v0 = st[4U]; + Lib_IntVector_Intrinsics_vec128 v1 = st[5U]; + Lib_IntVector_Intrinsics_vec128 v2 = st[6U]; + Lib_IntVector_Intrinsics_vec128 v3 = st[7U]; + Lib_IntVector_Intrinsics_vec128 + v0_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v0, v1); + Lib_IntVector_Intrinsics_vec128 + v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v0, v1); + Lib_IntVector_Intrinsics_vec128 + v2_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v2, v3); + Lib_IntVector_Intrinsics_vec128 + v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v2, v3); + Lib_IntVector_Intrinsics_vec128 + v0__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v1__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 + v3__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 v0__2 = v0__1; + Lib_IntVector_Intrinsics_vec128 v2__2 = v2__1; + Lib_IntVector_Intrinsics_vec128 v1__2 = v1__1; + Lib_IntVector_Intrinsics_vec128 v3__2 = v3__1; + Lib_IntVector_Intrinsics_vec128 st4_ = v0__2; + Lib_IntVector_Intrinsics_vec128 st5_ = v1__2; + Lib_IntVector_Intrinsics_vec128 st6_ = v2__2; + Lib_IntVector_Intrinsics_vec128 st7_ = v3__2; + st[0U] = st0_; + st[1U] = st4_; + st[2U] = st1_; + st[3U] = st5_; + st[4U] = st2_; + st[5U] = st6_; + st[6U] = st3_; + st[7U] = st7_; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec128_store32_be(hbuf + i * (uint32_t)16U, st[i]); + } + uint8_t *b31 = 
rb.snd.snd.snd; + uint8_t *b2 = rb.snd.snd.fst; + uint8_t *b1 = rb.snd.fst; + uint8_t *b0 = rb.fst; + memcpy(b0, hbuf, (uint32_t)28U * sizeof (uint8_t)); + memcpy(b1, hbuf + (uint32_t)32U, (uint32_t)28U * sizeof (uint8_t)); + memcpy(b2, hbuf + (uint32_t)64U, (uint32_t)28U * sizeof (uint8_t)); + memcpy(b31, hbuf + (uint32_t)96U, (uint32_t)28U * sizeof (uint8_t)); +} + +static inline void +sha256_update4( + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ block, + Lib_IntVector_Intrinsics_vec128 *hash +) +{ + Lib_IntVector_Intrinsics_vec128 hash_old[8U]; + for (uint32_t _i = 0U; _i < (uint32_t)8U; ++_i) + hash_old[_i] = Lib_IntVector_Intrinsics_vec128_zero; + Lib_IntVector_Intrinsics_vec128 ws[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + ws[_i] = Lib_IntVector_Intrinsics_vec128_zero; + memcpy(hash_old, hash, (uint32_t)8U * sizeof (Lib_IntVector_Intrinsics_vec128)); + uint8_t *b3 = block.snd.snd.snd; + uint8_t *b2 = block.snd.snd.fst; + uint8_t *b10 = block.snd.fst; + uint8_t *b00 = block.fst; + ws[0U] = Lib_IntVector_Intrinsics_vec128_load32_be(b00); + ws[1U] = Lib_IntVector_Intrinsics_vec128_load32_be(b10); + ws[2U] = Lib_IntVector_Intrinsics_vec128_load32_be(b2); + ws[3U] = Lib_IntVector_Intrinsics_vec128_load32_be(b3); + ws[4U] = Lib_IntVector_Intrinsics_vec128_load32_be(b00 + (uint32_t)16U); + ws[5U] = Lib_IntVector_Intrinsics_vec128_load32_be(b10 + (uint32_t)16U); + ws[6U] = Lib_IntVector_Intrinsics_vec128_load32_be(b2 + (uint32_t)16U); + ws[7U] = Lib_IntVector_Intrinsics_vec128_load32_be(b3 + (uint32_t)16U); + ws[8U] = Lib_IntVector_Intrinsics_vec128_load32_be(b00 + (uint32_t)32U); + ws[9U] = Lib_IntVector_Intrinsics_vec128_load32_be(b10 + (uint32_t)32U); + ws[10U] = Lib_IntVector_Intrinsics_vec128_load32_be(b2 + (uint32_t)32U); + ws[11U] = Lib_IntVector_Intrinsics_vec128_load32_be(b3 + (uint32_t)32U); + ws[12U] = Lib_IntVector_Intrinsics_vec128_load32_be(b00 + (uint32_t)48U); + ws[13U] = Lib_IntVector_Intrinsics_vec128_load32_be(b10 + 
(uint32_t)48U); + ws[14U] = Lib_IntVector_Intrinsics_vec128_load32_be(b2 + (uint32_t)48U); + ws[15U] = Lib_IntVector_Intrinsics_vec128_load32_be(b3 + (uint32_t)48U); + Lib_IntVector_Intrinsics_vec128 v00 = ws[0U]; + Lib_IntVector_Intrinsics_vec128 v10 = ws[1U]; + Lib_IntVector_Intrinsics_vec128 v20 = ws[2U]; + Lib_IntVector_Intrinsics_vec128 v30 = ws[3U]; + Lib_IntVector_Intrinsics_vec128 + v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v00, v10); + Lib_IntVector_Intrinsics_vec128 + v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v00, v10); + Lib_IntVector_Intrinsics_vec128 + v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v20, v30); + Lib_IntVector_Intrinsics_vec128 + v3_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v20, v30); + Lib_IntVector_Intrinsics_vec128 + v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v2__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 + v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 v0__0 = v0__; + Lib_IntVector_Intrinsics_vec128 v2__0 = v2__; + Lib_IntVector_Intrinsics_vec128 v1__0 = v1__; + Lib_IntVector_Intrinsics_vec128 v3__0 = v3__; + Lib_IntVector_Intrinsics_vec128 ws0 = v0__0; + Lib_IntVector_Intrinsics_vec128 ws1 = v1__0; + Lib_IntVector_Intrinsics_vec128 ws2 = v2__0; + Lib_IntVector_Intrinsics_vec128 ws3 = v3__0; + Lib_IntVector_Intrinsics_vec128 v01 = ws[4U]; + Lib_IntVector_Intrinsics_vec128 v11 = ws[5U]; + Lib_IntVector_Intrinsics_vec128 v21 = ws[6U]; + Lib_IntVector_Intrinsics_vec128 v31 = ws[7U]; + Lib_IntVector_Intrinsics_vec128 + v0_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v01, v11); + Lib_IntVector_Intrinsics_vec128 + v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v01, v11); + Lib_IntVector_Intrinsics_vec128 + 
v2_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v21, v31); + Lib_IntVector_Intrinsics_vec128 + v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v21, v31); + Lib_IntVector_Intrinsics_vec128 + v0__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v1__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 + v3__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 v0__2 = v0__1; + Lib_IntVector_Intrinsics_vec128 v2__2 = v2__1; + Lib_IntVector_Intrinsics_vec128 v1__2 = v1__1; + Lib_IntVector_Intrinsics_vec128 v3__2 = v3__1; + Lib_IntVector_Intrinsics_vec128 ws4 = v0__2; + Lib_IntVector_Intrinsics_vec128 ws5 = v1__2; + Lib_IntVector_Intrinsics_vec128 ws6 = v2__2; + Lib_IntVector_Intrinsics_vec128 ws7 = v3__2; + Lib_IntVector_Intrinsics_vec128 v02 = ws[8U]; + Lib_IntVector_Intrinsics_vec128 v12 = ws[9U]; + Lib_IntVector_Intrinsics_vec128 v22 = ws[10U]; + Lib_IntVector_Intrinsics_vec128 v32 = ws[11U]; + Lib_IntVector_Intrinsics_vec128 + v0_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v02, v12); + Lib_IntVector_Intrinsics_vec128 + v1_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v02, v12); + Lib_IntVector_Intrinsics_vec128 + v2_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v22, v32); + Lib_IntVector_Intrinsics_vec128 + v3_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v22, v32); + Lib_IntVector_Intrinsics_vec128 + v0__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v1__3 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec128 + v2__3 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 + v3__3 = 
Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec128 v0__4 = v0__3; + Lib_IntVector_Intrinsics_vec128 v2__4 = v2__3; + Lib_IntVector_Intrinsics_vec128 v1__4 = v1__3; + Lib_IntVector_Intrinsics_vec128 v3__4 = v3__3; + Lib_IntVector_Intrinsics_vec128 ws8 = v0__4; + Lib_IntVector_Intrinsics_vec128 ws9 = v1__4; + Lib_IntVector_Intrinsics_vec128 ws10 = v2__4; + Lib_IntVector_Intrinsics_vec128 ws11 = v3__4; + Lib_IntVector_Intrinsics_vec128 v0 = ws[12U]; + Lib_IntVector_Intrinsics_vec128 v1 = ws[13U]; + Lib_IntVector_Intrinsics_vec128 v2 = ws[14U]; + Lib_IntVector_Intrinsics_vec128 v3 = ws[15U]; + Lib_IntVector_Intrinsics_vec128 + v0_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v0, v1); + Lib_IntVector_Intrinsics_vec128 + v1_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v0, v1); + Lib_IntVector_Intrinsics_vec128 + v2_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v2, v3); + Lib_IntVector_Intrinsics_vec128 + v3_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v2, v3); + Lib_IntVector_Intrinsics_vec128 + v0__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v1__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec128 + v2__5 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 + v3__5 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec128 v0__6 = v0__5; + Lib_IntVector_Intrinsics_vec128 v2__6 = v2__5; + Lib_IntVector_Intrinsics_vec128 v1__6 = v1__5; + Lib_IntVector_Intrinsics_vec128 v3__6 = v3__5; + Lib_IntVector_Intrinsics_vec128 ws12 = v0__6; + Lib_IntVector_Intrinsics_vec128 ws13 = v1__6; + Lib_IntVector_Intrinsics_vec128 ws14 = v2__6; + Lib_IntVector_Intrinsics_vec128 ws15 = v3__6; + ws[0U] = ws0; + ws[1U] = ws1; + ws[2U] = ws2; + ws[3U] = ws3; + ws[4U] = ws4; + ws[5U] = ws5; + ws[6U] = ws6; + ws[7U] = ws7; + ws[8U] = 
ws8; + ws[9U] = ws9; + ws[10U] = ws10; + ws[11U] = ws11; + ws[12U] = ws12; + ws[13U] = ws13; + ws[14U] = ws14; + ws[15U] = ws15; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i0 + i]; + Lib_IntVector_Intrinsics_vec128 ws_t = ws[i]; + Lib_IntVector_Intrinsics_vec128 a0 = hash[0U]; + Lib_IntVector_Intrinsics_vec128 b0 = hash[1U]; + Lib_IntVector_Intrinsics_vec128 c0 = hash[2U]; + Lib_IntVector_Intrinsics_vec128 d0 = hash[3U]; + Lib_IntVector_Intrinsics_vec128 e0 = hash[4U]; + Lib_IntVector_Intrinsics_vec128 f0 = hash[5U]; + Lib_IntVector_Intrinsics_vec128 g0 = hash[6U]; + Lib_IntVector_Intrinsics_vec128 h02 = hash[7U]; + Lib_IntVector_Intrinsics_vec128 k_e_t = Lib_IntVector_Intrinsics_vec128_load32(k_t); + Lib_IntVector_Intrinsics_vec128 + t1 = + Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(h02, + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(e0, + (uint32_t)6U), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(e0, + (uint32_t)11U), + Lib_IntVector_Intrinsics_vec128_rotate_right32(e0, (uint32_t)25U)))), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_and(e0, f0), + Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_lognot(e0), g0))), + k_e_t), + ws_t); + Lib_IntVector_Intrinsics_vec128 + t2 = + Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(a0, + (uint32_t)2U), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(a0, + (uint32_t)13U), + Lib_IntVector_Intrinsics_vec128_rotate_right32(a0, (uint32_t)22U))), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_and(a0, b0), + 
Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_and(a0, c0), + Lib_IntVector_Intrinsics_vec128_and(b0, c0)))); + Lib_IntVector_Intrinsics_vec128 a1 = Lib_IntVector_Intrinsics_vec128_add32(t1, t2); + Lib_IntVector_Intrinsics_vec128 b1 = a0; + Lib_IntVector_Intrinsics_vec128 c1 = b0; + Lib_IntVector_Intrinsics_vec128 d1 = c0; + Lib_IntVector_Intrinsics_vec128 e1 = Lib_IntVector_Intrinsics_vec128_add32(d0, t1); + Lib_IntVector_Intrinsics_vec128 f1 = e0; + Lib_IntVector_Intrinsics_vec128 g1 = f0; + Lib_IntVector_Intrinsics_vec128 h12 = g0; + hash[0U] = a1; + hash[1U] = b1; + hash[2U] = c1; + hash[3U] = d1; + hash[4U] = e1; + hash[5U] = f1; + hash[6U] = g1; + hash[7U] = h12; + } + if (i0 < (uint32_t)4U - (uint32_t)1U) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec128 t16 = ws[i]; + Lib_IntVector_Intrinsics_vec128 t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec128 t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec128 t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec128 + s1 = + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(t2, + (uint32_t)17U), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(t2, + (uint32_t)19U), + Lib_IntVector_Intrinsics_vec128_shift_right32(t2, (uint32_t)10U))); + Lib_IntVector_Intrinsics_vec128 + s0 = + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(t15, + (uint32_t)7U), + Lib_IntVector_Intrinsics_vec128_xor(Lib_IntVector_Intrinsics_vec128_rotate_right32(t15, + (uint32_t)18U), + Lib_IntVector_Intrinsics_vec128_shift_right32(t15, (uint32_t)3U))); + ws[i] = + Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(Lib_IntVector_Intrinsics_vec128_add32(s1, + t7), + s0), + t16); + } + } + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + 
Lib_IntVector_Intrinsics_vec128 *os = hash; + Lib_IntVector_Intrinsics_vec128 + x = Lib_IntVector_Intrinsics_vec128_add32(hash[i], hash_old[i]); + os[i] = x; + } +} + +void +Hacl_SHA2_Vec128_sha256_4( + uint8_t *dst0, + uint8_t *dst1, + uint8_t *dst2, + uint8_t *dst3, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3 +) +{ + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + ib = { .fst = input0, .snd = { .fst = input1, .snd = { .fst = input2, .snd = input3 } } }; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + rb = { .fst = dst0, .snd = { .fst = dst1, .snd = { .fst = dst2, .snd = dst3 } } }; + Lib_IntVector_Intrinsics_vec128 st[8U]; + for (uint32_t _i = 0U; _i < (uint32_t)8U; ++_i) + st[_i] = Lib_IntVector_Intrinsics_vec128_zero; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec128 *os = st; + uint32_t hi = Hacl_Impl_SHA2_Generic_h256[i]; + Lib_IntVector_Intrinsics_vec128 x = Lib_IntVector_Intrinsics_vec128_load32(hi); + os[i] = x; + } + uint32_t rem = input_len % (uint32_t)64U; + uint64_t len_ = (uint64_t)input_len; + uint32_t blocks0 = input_len / (uint32_t)64U; + for (uint32_t i = (uint32_t)0U; i < blocks0; i++) + { + uint8_t *b3 = ib.snd.snd.snd; + uint8_t *b2 = ib.snd.snd.fst; + uint8_t *b1 = ib.snd.fst; + uint8_t *b0 = ib.fst; + uint8_t *bl0 = b0 + i * (uint32_t)64U; + uint8_t *bl1 = b1 + i * (uint32_t)64U; + uint8_t *bl2 = b2 + i * (uint32_t)64U; + uint8_t *bl3 = b3 + i * (uint32_t)64U; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb = { .fst = bl0, .snd = { .fst = bl1, .snd = { .fst = bl2, .snd = bl3 } } }; + sha256_update4(mb, st); + } + uint32_t rem1 = input_len % (uint32_t)64U; + uint8_t *b3 = ib.snd.snd.snd; + uint8_t *b20 = ib.snd.snd.fst; + uint8_t *b10 = ib.snd.fst; + uint8_t *b00 = ib.fst; + uint8_t *bl0 = b00 + input_len - rem1; + uint8_t *bl1 = b10 + input_len - rem1; + uint8_t *bl2 = b20 + input_len - rem1; + uint8_t *bl3 = b3 + 
input_len - rem1; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + lb = { .fst = bl0, .snd = { .fst = bl1, .snd = { .fst = bl2, .snd = bl3 } } }; + uint32_t blocks; + if (rem + (uint32_t)8U + (uint32_t)1U <= (uint32_t)64U) + { + blocks = (uint32_t)1U; + } + else + { + blocks = (uint32_t)2U; + } + uint32_t fin = blocks * (uint32_t)64U; + uint8_t last[512U] = { 0U }; + uint8_t totlen_buf[8U] = { 0U }; + uint64_t total_len_bits = len_ << (uint32_t)3U; + store64_be(totlen_buf, total_len_bits); + uint8_t *b30 = lb.snd.snd.snd; + uint8_t *b21 = lb.snd.snd.fst; + uint8_t *b11 = lb.snd.fst; + uint8_t *b01 = lb.fst; + uint8_t *last00 = last; + uint8_t *last10 = last + (uint32_t)128U; + uint8_t *last2 = last + (uint32_t)256U; + uint8_t *last3 = last + (uint32_t)384U; + memcpy(last00, b01, rem * sizeof (uint8_t)); + last00[rem] = (uint8_t)0x80U; + memcpy(last00 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last010 = last00; + uint8_t *last110 = last00 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut = { .fst = last010, .snd = last110 }; + uint8_t *l00 = scrut.fst; + uint8_t *l01 = scrut.snd; + memcpy(last10, b11, rem * sizeof (uint8_t)); + last10[rem] = (uint8_t)0x80U; + memcpy(last10 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last011 = last10; + uint8_t *last111 = last10 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut0 = { .fst = last011, .snd = last111 }; + uint8_t *l10 = scrut0.fst; + uint8_t *l11 = scrut0.snd; + memcpy(last2, b21, rem * sizeof (uint8_t)); + last2[rem] = (uint8_t)0x80U; + memcpy(last2 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last012 = last2; + uint8_t *last112 = last2 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut1 = { .fst = last012, .snd = last112 }; + uint8_t *l20 = scrut1.fst; + uint8_t *l21 = scrut1.snd; + memcpy(last3, b30, rem * sizeof (uint8_t)); + last3[rem] = (uint8_t)0x80U; + memcpy(last3 + fin - (uint32_t)8U, totlen_buf, 
(uint32_t)8U * sizeof (uint8_t)); + uint8_t *last01 = last3; + uint8_t *last11 = last3 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut2 = { .fst = last01, .snd = last11 }; + uint8_t *l30 = scrut2.fst; + uint8_t *l31 = scrut2.snd; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb0 = { .fst = l00, .snd = { .fst = l10, .snd = { .fst = l20, .snd = l30 } } }; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb1 = { .fst = l01, .snd = { .fst = l11, .snd = { .fst = l21, .snd = l31 } } }; + K___K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + scrut3 = { .fst = mb0, .snd = mb1 }; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ last0 = scrut3.fst; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ last1 = scrut3.snd; + sha256_update4(last0, st); + if (blocks > (uint32_t)1U) + { + sha256_update4(last1, st); + } + KRML_CHECK_SIZE(sizeof (uint8_t), (uint32_t)4U * (uint32_t)8U * (uint32_t)4U); + uint8_t *hbuf = alloca((uint32_t)4U * (uint32_t)8U * (uint32_t)4U * sizeof (uint8_t)); + memset(hbuf, 0U, (uint32_t)4U * (uint32_t)8U * (uint32_t)4U * sizeof (uint8_t)); + Lib_IntVector_Intrinsics_vec128 v00 = st[0U]; + Lib_IntVector_Intrinsics_vec128 v10 = st[1U]; + Lib_IntVector_Intrinsics_vec128 v20 = st[2U]; + Lib_IntVector_Intrinsics_vec128 v30 = st[3U]; + Lib_IntVector_Intrinsics_vec128 + v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v00, v10); + Lib_IntVector_Intrinsics_vec128 + v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v00, v10); + Lib_IntVector_Intrinsics_vec128 + v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v20, v30); + Lib_IntVector_Intrinsics_vec128 + v3_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v20, v30); + Lib_IntVector_Intrinsics_vec128 + v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_); + Lib_IntVector_Intrinsics_vec128 + v2__ = 
Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 + v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_); + Lib_IntVector_Intrinsics_vec128 v0__0 = v0__; + Lib_IntVector_Intrinsics_vec128 v2__0 = v2__; + Lib_IntVector_Intrinsics_vec128 v1__0 = v1__; + Lib_IntVector_Intrinsics_vec128 v3__0 = v3__; + Lib_IntVector_Intrinsics_vec128 st0_ = v0__0; + Lib_IntVector_Intrinsics_vec128 st1_ = v1__0; + Lib_IntVector_Intrinsics_vec128 st2_ = v2__0; + Lib_IntVector_Intrinsics_vec128 st3_ = v3__0; + Lib_IntVector_Intrinsics_vec128 v0 = st[4U]; + Lib_IntVector_Intrinsics_vec128 v1 = st[5U]; + Lib_IntVector_Intrinsics_vec128 v2 = st[6U]; + Lib_IntVector_Intrinsics_vec128 v3 = st[7U]; + Lib_IntVector_Intrinsics_vec128 + v0_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v0, v1); + Lib_IntVector_Intrinsics_vec128 + v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v0, v1); + Lib_IntVector_Intrinsics_vec128 + v2_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v2, v3); + Lib_IntVector_Intrinsics_vec128 + v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v2, v3); + Lib_IntVector_Intrinsics_vec128 + v0__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v1__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec128 + v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 + v3__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec128 v0__2 = v0__1; + Lib_IntVector_Intrinsics_vec128 v2__2 = v2__1; + Lib_IntVector_Intrinsics_vec128 v1__2 = v1__1; + Lib_IntVector_Intrinsics_vec128 v3__2 = v3__1; + Lib_IntVector_Intrinsics_vec128 st4_ = v0__2; + Lib_IntVector_Intrinsics_vec128 st5_ = v1__2; + Lib_IntVector_Intrinsics_vec128 st6_ = v2__2; + Lib_IntVector_Intrinsics_vec128 st7_ = v3__2; + st[0U] = st0_; + st[1U] = st4_; + st[2U] 
= st1_; + st[3U] = st5_; + st[4U] = st2_; + st[5U] = st6_; + st[6U] = st3_; + st[7U] = st7_; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec128_store32_be(hbuf + i * (uint32_t)16U, st[i]); + } + uint8_t *b31 = rb.snd.snd.snd; + uint8_t *b2 = rb.snd.snd.fst; + uint8_t *b1 = rb.snd.fst; + uint8_t *b0 = rb.fst; + memcpy(b0, hbuf, (uint32_t)32U * sizeof (uint8_t)); + memcpy(b1, hbuf + (uint32_t)32U, (uint32_t)32U * sizeof (uint8_t)); + memcpy(b2, hbuf + (uint32_t)64U, (uint32_t)32U * sizeof (uint8_t)); + memcpy(b31, hbuf + (uint32_t)96U, (uint32_t)32U * sizeof (uint8_t)); +} + diff --git a/src/msvc/Hacl_SHA2_Vec256.c b/src/msvc/Hacl_SHA2_Vec256.c new file mode 100644 index 00000000..74620c2b --- /dev/null +++ b/src/msvc/Hacl_SHA2_Vec256.c 
@@ -0,0 +1,2401 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "internal/Hacl_SHA2_Vec256.h" + + + +typedef struct ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__s +{ + uint8_t *fst; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ snd; +} +___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_; + +typedef struct ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__s +{ + uint8_t *fst; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ snd; +} +___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_; + +typedef struct +___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__s +{ + uint8_t *fst; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ snd; +} +___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_; + +typedef struct +___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__s +{ + uint8_t *fst; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + snd; +} +___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_; + +static inline void +sha224_update8( + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + block, + Lib_IntVector_Intrinsics_vec256 *hash +) +{ + Lib_IntVector_Intrinsics_vec256 hash_old[8U]; + for (uint32_t _i = 0U; _i < (uint32_t)8U; ++_i) + hash_old[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 ws[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + ws[_i] = Lib_IntVector_Intrinsics_vec256_zero; + memcpy(hash_old, hash, (uint32_t)8U * sizeof (Lib_IntVector_Intrinsics_vec256)); + uint8_t *b7 = block.snd.snd.snd.snd.snd.snd.snd; + uint8_t *b6 = block.snd.snd.snd.snd.snd.snd.fst; + uint8_t *b5 = block.snd.snd.snd.snd.snd.fst; + uint8_t *b4 = block.snd.snd.snd.snd.fst; 
+ uint8_t *b3 = block.snd.snd.snd.fst; + uint8_t *b2 = block.snd.snd.fst; + uint8_t *b10 = block.snd.fst; + uint8_t *b00 = block.fst; + ws[0U] = Lib_IntVector_Intrinsics_vec256_load32_be(b00); + ws[1U] = Lib_IntVector_Intrinsics_vec256_load32_be(b10); + ws[2U] = Lib_IntVector_Intrinsics_vec256_load32_be(b2); + ws[3U] = Lib_IntVector_Intrinsics_vec256_load32_be(b3); + ws[4U] = Lib_IntVector_Intrinsics_vec256_load32_be(b4); + ws[5U] = Lib_IntVector_Intrinsics_vec256_load32_be(b5); + ws[6U] = Lib_IntVector_Intrinsics_vec256_load32_be(b6); + ws[7U] = Lib_IntVector_Intrinsics_vec256_load32_be(b7); + ws[8U] = Lib_IntVector_Intrinsics_vec256_load32_be(b00 + (uint32_t)32U); + ws[9U] = Lib_IntVector_Intrinsics_vec256_load32_be(b10 + (uint32_t)32U); + ws[10U] = Lib_IntVector_Intrinsics_vec256_load32_be(b2 + (uint32_t)32U); + ws[11U] = Lib_IntVector_Intrinsics_vec256_load32_be(b3 + (uint32_t)32U); + ws[12U] = Lib_IntVector_Intrinsics_vec256_load32_be(b4 + (uint32_t)32U); + ws[13U] = Lib_IntVector_Intrinsics_vec256_load32_be(b5 + (uint32_t)32U); + ws[14U] = Lib_IntVector_Intrinsics_vec256_load32_be(b6 + (uint32_t)32U); + ws[15U] = Lib_IntVector_Intrinsics_vec256_load32_be(b7 + (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 v00 = ws[0U]; + Lib_IntVector_Intrinsics_vec256 v10 = ws[1U]; + Lib_IntVector_Intrinsics_vec256 v20 = ws[2U]; + Lib_IntVector_Intrinsics_vec256 v30 = ws[3U]; + Lib_IntVector_Intrinsics_vec256 v40 = ws[4U]; + Lib_IntVector_Intrinsics_vec256 v50 = ws[5U]; + Lib_IntVector_Intrinsics_vec256 v60 = ws[6U]; + Lib_IntVector_Intrinsics_vec256 v70 = ws[7U]; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v20, v30); + 
Lib_IntVector_Intrinsics_vec256 + v4_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v5_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v6_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v60, v70); + Lib_IntVector_Intrinsics_vec256 + v7_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v60, v70); + Lib_IntVector_Intrinsics_vec256 v0_0 = v0_; + Lib_IntVector_Intrinsics_vec256 v1_0 = v1_; + Lib_IntVector_Intrinsics_vec256 v2_0 = v2_; + Lib_IntVector_Intrinsics_vec256 v3_0 = v3_; + Lib_IntVector_Intrinsics_vec256 v4_0 = v4_; + Lib_IntVector_Intrinsics_vec256 v5_0 = v5_; + Lib_IntVector_Intrinsics_vec256 v6_0 = v6_; + Lib_IntVector_Intrinsics_vec256 v7_0 = v7_; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v4_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v6_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v5_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 + v7_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 v0_10 = v0_1; + Lib_IntVector_Intrinsics_vec256 v1_10 = v1_1; + Lib_IntVector_Intrinsics_vec256 v2_10 = v2_1; + Lib_IntVector_Intrinsics_vec256 v3_10 = v3_1; + Lib_IntVector_Intrinsics_vec256 v4_10 = v4_1; + Lib_IntVector_Intrinsics_vec256 v5_10 = v5_1; + Lib_IntVector_Intrinsics_vec256 v6_10 = v6_1; + Lib_IntVector_Intrinsics_vec256 v7_10 = 
v7_1; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v4_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v5_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v6_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 + v7_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 v0_20 = v0_2; + Lib_IntVector_Intrinsics_vec256 v1_20 = v1_2; + Lib_IntVector_Intrinsics_vec256 v2_20 = v2_2; + Lib_IntVector_Intrinsics_vec256 v3_20 = v3_2; + Lib_IntVector_Intrinsics_vec256 v4_20 = v4_2; + Lib_IntVector_Intrinsics_vec256 v5_20 = v5_2; + Lib_IntVector_Intrinsics_vec256 v6_20 = v6_2; + Lib_IntVector_Intrinsics_vec256 v7_20 = v7_2; + Lib_IntVector_Intrinsics_vec256 v0_3 = v0_20; + Lib_IntVector_Intrinsics_vec256 v1_3 = v1_20; + Lib_IntVector_Intrinsics_vec256 v2_3 = v2_20; + Lib_IntVector_Intrinsics_vec256 v3_3 = v3_20; + Lib_IntVector_Intrinsics_vec256 v4_3 = v4_20; + Lib_IntVector_Intrinsics_vec256 v5_3 = v5_20; + Lib_IntVector_Intrinsics_vec256 v6_3 = v6_20; + Lib_IntVector_Intrinsics_vec256 v7_3 = v7_20; + Lib_IntVector_Intrinsics_vec256 ws0 = v0_3; + Lib_IntVector_Intrinsics_vec256 ws1 = v2_3; + Lib_IntVector_Intrinsics_vec256 ws2 = v1_3; + Lib_IntVector_Intrinsics_vec256 ws3 = v3_3; + Lib_IntVector_Intrinsics_vec256 ws4 = v4_3; + Lib_IntVector_Intrinsics_vec256 ws5 = v6_3; + Lib_IntVector_Intrinsics_vec256 ws6 = v5_3; + Lib_IntVector_Intrinsics_vec256 
ws7 = v7_3; + Lib_IntVector_Intrinsics_vec256 v0 = ws[8U]; + Lib_IntVector_Intrinsics_vec256 v1 = ws[9U]; + Lib_IntVector_Intrinsics_vec256 v2 = ws[10U]; + Lib_IntVector_Intrinsics_vec256 v3 = ws[11U]; + Lib_IntVector_Intrinsics_vec256 v4 = ws[12U]; + Lib_IntVector_Intrinsics_vec256 v5 = ws[13U]; + Lib_IntVector_Intrinsics_vec256 v6 = ws[14U]; + Lib_IntVector_Intrinsics_vec256 v7 = ws[15U]; + Lib_IntVector_Intrinsics_vec256 + v0_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v1_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v2_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v3_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v4_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v4, v5); + Lib_IntVector_Intrinsics_vec256 + v5_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v4, v5); + Lib_IntVector_Intrinsics_vec256 + v6_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v6, v7); + Lib_IntVector_Intrinsics_vec256 + v7_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v6, v7); + Lib_IntVector_Intrinsics_vec256 v0_5 = v0_4; + Lib_IntVector_Intrinsics_vec256 v1_5 = v1_4; + Lib_IntVector_Intrinsics_vec256 v2_5 = v2_4; + Lib_IntVector_Intrinsics_vec256 v3_5 = v3_4; + Lib_IntVector_Intrinsics_vec256 v4_5 = v4_4; + Lib_IntVector_Intrinsics_vec256 v5_5 = v5_4; + Lib_IntVector_Intrinsics_vec256 v6_5 = v6_4; + Lib_IntVector_Intrinsics_vec256 v7_5 = v7_4; + Lib_IntVector_Intrinsics_vec256 + v0_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v2_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v1_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v3_11 = 
Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v4_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v6_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v5_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 + v7_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 v0_12 = v0_11; + Lib_IntVector_Intrinsics_vec256 v1_12 = v1_11; + Lib_IntVector_Intrinsics_vec256 v2_12 = v2_11; + Lib_IntVector_Intrinsics_vec256 v3_12 = v3_11; + Lib_IntVector_Intrinsics_vec256 v4_12 = v4_11; + Lib_IntVector_Intrinsics_vec256 v5_12 = v5_11; + Lib_IntVector_Intrinsics_vec256 v6_12 = v6_11; + Lib_IntVector_Intrinsics_vec256 v7_12 = v7_11; + Lib_IntVector_Intrinsics_vec256 + v0_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v4_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v1_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v5_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v2_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v6_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v3_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 + v7_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 v0_22 = v0_21; + Lib_IntVector_Intrinsics_vec256 v1_22 = v1_21; + Lib_IntVector_Intrinsics_vec256 v2_22 = v2_21; + Lib_IntVector_Intrinsics_vec256 v3_22 = v3_21; + Lib_IntVector_Intrinsics_vec256 v4_22 = 
v4_21; + Lib_IntVector_Intrinsics_vec256 v5_22 = v5_21; + Lib_IntVector_Intrinsics_vec256 v6_22 = v6_21; + Lib_IntVector_Intrinsics_vec256 v7_22 = v7_21; + Lib_IntVector_Intrinsics_vec256 v0_6 = v0_22; + Lib_IntVector_Intrinsics_vec256 v1_6 = v1_22; + Lib_IntVector_Intrinsics_vec256 v2_6 = v2_22; + Lib_IntVector_Intrinsics_vec256 v3_6 = v3_22; + Lib_IntVector_Intrinsics_vec256 v4_6 = v4_22; + Lib_IntVector_Intrinsics_vec256 v5_6 = v5_22; + Lib_IntVector_Intrinsics_vec256 v6_6 = v6_22; + Lib_IntVector_Intrinsics_vec256 v7_6 = v7_22; + Lib_IntVector_Intrinsics_vec256 ws8 = v0_6; + Lib_IntVector_Intrinsics_vec256 ws9 = v2_6; + Lib_IntVector_Intrinsics_vec256 ws10 = v1_6; + Lib_IntVector_Intrinsics_vec256 ws11 = v3_6; + Lib_IntVector_Intrinsics_vec256 ws12 = v4_6; + Lib_IntVector_Intrinsics_vec256 ws13 = v6_6; + Lib_IntVector_Intrinsics_vec256 ws14 = v5_6; + Lib_IntVector_Intrinsics_vec256 ws15 = v7_6; + ws[0U] = ws0; + ws[1U] = ws1; + ws[2U] = ws2; + ws[3U] = ws3; + ws[4U] = ws4; + ws[5U] = ws5; + ws[6U] = ws6; + ws[7U] = ws7; + ws[8U] = ws8; + ws[9U] = ws9; + ws[10U] = ws10; + ws[11U] = ws11; + ws[12U] = ws12; + ws[13U] = ws13; + ws[14U] = ws14; + ws[15U] = ws15; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i0 + i]; + Lib_IntVector_Intrinsics_vec256 ws_t = ws[i]; + Lib_IntVector_Intrinsics_vec256 a0 = hash[0U]; + Lib_IntVector_Intrinsics_vec256 b0 = hash[1U]; + Lib_IntVector_Intrinsics_vec256 c0 = hash[2U]; + Lib_IntVector_Intrinsics_vec256 d0 = hash[3U]; + Lib_IntVector_Intrinsics_vec256 e0 = hash[4U]; + Lib_IntVector_Intrinsics_vec256 f0 = hash[5U]; + Lib_IntVector_Intrinsics_vec256 g0 = hash[6U]; + Lib_IntVector_Intrinsics_vec256 h02 = hash[7U]; + Lib_IntVector_Intrinsics_vec256 k_e_t = Lib_IntVector_Intrinsics_vec256_load32(k_t); + Lib_IntVector_Intrinsics_vec256 + t1 = + 
Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(h02, + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(e0, + (uint32_t)6U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(e0, + (uint32_t)11U), + Lib_IntVector_Intrinsics_vec256_rotate_right32(e0, (uint32_t)25U)))), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(e0, f0), + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_lognot(e0), g0))), + k_e_t), + ws_t); + Lib_IntVector_Intrinsics_vec256 + t2 = + Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(a0, + (uint32_t)2U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(a0, + (uint32_t)13U), + Lib_IntVector_Intrinsics_vec256_rotate_right32(a0, (uint32_t)22U))), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(a0, b0), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(a0, c0), + Lib_IntVector_Intrinsics_vec256_and(b0, c0)))); + Lib_IntVector_Intrinsics_vec256 a1 = Lib_IntVector_Intrinsics_vec256_add32(t1, t2); + Lib_IntVector_Intrinsics_vec256 b1 = a0; + Lib_IntVector_Intrinsics_vec256 c1 = b0; + Lib_IntVector_Intrinsics_vec256 d1 = c0; + Lib_IntVector_Intrinsics_vec256 e1 = Lib_IntVector_Intrinsics_vec256_add32(d0, t1); + Lib_IntVector_Intrinsics_vec256 f1 = e0; + Lib_IntVector_Intrinsics_vec256 g1 = f0; + Lib_IntVector_Intrinsics_vec256 h12 = g0; + hash[0U] = a1; + hash[1U] = b1; + hash[2U] = c1; + hash[3U] = d1; + hash[4U] = e1; + hash[5U] = f1; + hash[6U] = g1; + hash[7U] = h12; + } + if (i0 < (uint32_t)4U - (uint32_t)1U) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec256 t16 = ws[i]; + Lib_IntVector_Intrinsics_vec256 t15 = ws[(i + (uint32_t)1U) 
% (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 + s1 = + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(t2, + (uint32_t)17U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(t2, + (uint32_t)19U), + Lib_IntVector_Intrinsics_vec256_shift_right32(t2, (uint32_t)10U))); + Lib_IntVector_Intrinsics_vec256 + s0 = + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(t15, + (uint32_t)7U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(t15, + (uint32_t)18U), + Lib_IntVector_Intrinsics_vec256_shift_right32(t15, (uint32_t)3U))); + ws[i] = + Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(s1, + t7), + s0), + t16); + } + } + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256 *os = hash; + Lib_IntVector_Intrinsics_vec256 + x = Lib_IntVector_Intrinsics_vec256_add32(hash[i], hash_old[i]); + os[i] = x; + } +} + +typedef struct +__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__s +{ + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + fst; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + snd; +} +__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_; + +void +Hacl_SHA2_Vec256_sha224_8( + uint8_t *dst0, + uint8_t *dst1, + uint8_t 
*dst2, + uint8_t *dst3, + uint8_t *dst4, + uint8_t *dst5, + uint8_t *dst6, + uint8_t *dst7, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3, + uint8_t *input4, + uint8_t *input5, + uint8_t *input6, + uint8_t *input7 +) +{ + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + ib = + { + .fst = input0, + .snd = { + .fst = input1, + .snd = { + .fst = input2, + .snd = { + .fst = input3, + .snd = { + .fst = input4, + .snd = { .fst = input5, .snd = { .fst = input6, .snd = input7 } } + } + } + } + } + }; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + rb = + { + .fst = dst0, + .snd = { + .fst = dst1, + .snd = { + .fst = dst2, + .snd = { + .fst = dst3, + .snd = { .fst = dst4, .snd = { .fst = dst5, .snd = { .fst = dst6, .snd = dst7 } } } + } + } + } + }; + Lib_IntVector_Intrinsics_vec256 st[8U]; + for (uint32_t _i = 0U; _i < (uint32_t)8U; ++_i) + st[_i] = Lib_IntVector_Intrinsics_vec256_zero; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256 *os = st; + uint32_t hi = Hacl_Impl_SHA2_Generic_h224[i]; + Lib_IntVector_Intrinsics_vec256 x = Lib_IntVector_Intrinsics_vec256_load32(hi); + os[i] = x; + } + uint32_t rem = input_len % (uint32_t)64U; + uint64_t len_ = (uint64_t)input_len; + uint32_t blocks0 = input_len / (uint32_t)64U; + for (uint32_t i = (uint32_t)0U; i < blocks0; i++) + { + uint8_t *b7 = ib.snd.snd.snd.snd.snd.snd.snd; + uint8_t *b6 = ib.snd.snd.snd.snd.snd.snd.fst; + uint8_t *b5 = ib.snd.snd.snd.snd.snd.fst; + uint8_t *b4 = ib.snd.snd.snd.snd.fst; + uint8_t *b3 = ib.snd.snd.snd.fst; + uint8_t *b2 = ib.snd.snd.fst; + uint8_t *b1 = ib.snd.fst; + uint8_t *b0 = ib.fst; + uint8_t *bl0 = b0 + i * (uint32_t)64U; + uint8_t *bl1 = b1 + i * (uint32_t)64U; + uint8_t *bl2 = b2 + i * (uint32_t)64U; + uint8_t *bl3 = b3 + i * (uint32_t)64U; + uint8_t *bl4 = b4 + i * 
(uint32_t)64U; + uint8_t *bl5 = b5 + i * (uint32_t)64U; + uint8_t *bl6 = b6 + i * (uint32_t)64U; + uint8_t *bl7 = b7 + i * (uint32_t)64U; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb = + { + .fst = bl0, + .snd = { + .fst = bl1, + .snd = { + .fst = bl2, + .snd = { + .fst = bl3, + .snd = { .fst = bl4, .snd = { .fst = bl5, .snd = { .fst = bl6, .snd = bl7 } } } + } + } + } + }; + sha224_update8(mb, st); + } + uint32_t rem1 = input_len % (uint32_t)64U; + uint8_t *b7 = ib.snd.snd.snd.snd.snd.snd.snd; + uint8_t *b60 = ib.snd.snd.snd.snd.snd.snd.fst; + uint8_t *b50 = ib.snd.snd.snd.snd.snd.fst; + uint8_t *b40 = ib.snd.snd.snd.snd.fst; + uint8_t *b30 = ib.snd.snd.snd.fst; + uint8_t *b20 = ib.snd.snd.fst; + uint8_t *b10 = ib.snd.fst; + uint8_t *b00 = ib.fst; + uint8_t *bl0 = b00 + input_len - rem1; + uint8_t *bl1 = b10 + input_len - rem1; + uint8_t *bl2 = b20 + input_len - rem1; + uint8_t *bl3 = b30 + input_len - rem1; + uint8_t *bl4 = b40 + input_len - rem1; + uint8_t *bl5 = b50 + input_len - rem1; + uint8_t *bl6 = b60 + input_len - rem1; + uint8_t *bl7 = b7 + input_len - rem1; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + lb = + { + .fst = bl0, + .snd = { + .fst = bl1, + .snd = { + .fst = bl2, + .snd = { + .fst = bl3, + .snd = { .fst = bl4, .snd = { .fst = bl5, .snd = { .fst = bl6, .snd = bl7 } } } + } + } + } + }; + uint32_t blocks; + if (rem + (uint32_t)8U + (uint32_t)1U <= (uint32_t)64U) + { + blocks = (uint32_t)1U; + } + else + { + blocks = (uint32_t)2U; + } + uint32_t fin = blocks * (uint32_t)64U; + uint8_t last[1024U] = { 0U }; + uint8_t totlen_buf[8U] = { 0U }; + uint64_t total_len_bits = len_ << (uint32_t)3U; + store64_be(totlen_buf, total_len_bits); + uint8_t *b70 = lb.snd.snd.snd.snd.snd.snd.snd; + uint8_t *b61 = lb.snd.snd.snd.snd.snd.snd.fst; + uint8_t *b51 = lb.snd.snd.snd.snd.snd.fst; + uint8_t *b41 = lb.snd.snd.snd.snd.fst; + 
uint8_t *b31 = lb.snd.snd.snd.fst; + uint8_t *b21 = lb.snd.snd.fst; + uint8_t *b11 = lb.snd.fst; + uint8_t *b01 = lb.fst; + uint8_t *last00 = last; + uint8_t *last10 = last + (uint32_t)128U; + uint8_t *last2 = last + (uint32_t)256U; + uint8_t *last3 = last + (uint32_t)384U; + uint8_t *last4 = last + (uint32_t)512U; + uint8_t *last5 = last + (uint32_t)640U; + uint8_t *last6 = last + (uint32_t)768U; + uint8_t *last7 = last + (uint32_t)896U; + memcpy(last00, b01, rem * sizeof (uint8_t)); + last00[rem] = (uint8_t)0x80U; + memcpy(last00 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last010 = last00; + uint8_t *last110 = last00 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut = { .fst = last010, .snd = last110 }; + uint8_t *l00 = scrut.fst; + uint8_t *l01 = scrut.snd; + memcpy(last10, b11, rem * sizeof (uint8_t)); + last10[rem] = (uint8_t)0x80U; + memcpy(last10 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last011 = last10; + uint8_t *last111 = last10 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut0 = { .fst = last011, .snd = last111 }; + uint8_t *l10 = scrut0.fst; + uint8_t *l11 = scrut0.snd; + memcpy(last2, b21, rem * sizeof (uint8_t)); + last2[rem] = (uint8_t)0x80U; + memcpy(last2 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last012 = last2; + uint8_t *last112 = last2 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut1 = { .fst = last012, .snd = last112 }; + uint8_t *l20 = scrut1.fst; + uint8_t *l21 = scrut1.snd; + memcpy(last3, b31, rem * sizeof (uint8_t)); + last3[rem] = (uint8_t)0x80U; + memcpy(last3 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last013 = last3; + uint8_t *last113 = last3 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut2 = { .fst = last013, .snd = last113 }; + uint8_t *l30 = scrut2.fst; + uint8_t *l31 = scrut2.snd; + memcpy(last4, b41, rem * sizeof (uint8_t)); + last4[rem] = (uint8_t)0x80U; + memcpy(last4 + fin - 
(uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last014 = last4; + uint8_t *last114 = last4 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut3 = { .fst = last014, .snd = last114 }; + uint8_t *l40 = scrut3.fst; + uint8_t *l41 = scrut3.snd; + memcpy(last5, b51, rem * sizeof (uint8_t)); + last5[rem] = (uint8_t)0x80U; + memcpy(last5 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last015 = last5; + uint8_t *last115 = last5 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut4 = { .fst = last015, .snd = last115 }; + uint8_t *l50 = scrut4.fst; + uint8_t *l51 = scrut4.snd; + memcpy(last6, b61, rem * sizeof (uint8_t)); + last6[rem] = (uint8_t)0x80U; + memcpy(last6 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last016 = last6; + uint8_t *last116 = last6 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut5 = { .fst = last016, .snd = last116 }; + uint8_t *l60 = scrut5.fst; + uint8_t *l61 = scrut5.snd; + memcpy(last7, b70, rem * sizeof (uint8_t)); + last7[rem] = (uint8_t)0x80U; + memcpy(last7 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last01 = last7; + uint8_t *last11 = last7 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut6 = { .fst = last01, .snd = last11 }; + uint8_t *l70 = scrut6.fst; + uint8_t *l71 = scrut6.snd; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb0 = + { + .fst = l00, + .snd = { + .fst = l10, + .snd = { + .fst = l20, + .snd = { + .fst = l30, + .snd = { .fst = l40, .snd = { .fst = l50, .snd = { .fst = l60, .snd = l70 } } } + } + } + } + }; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb1 = + { + .fst = l01, + .snd = { + .fst = l11, + .snd = { + .fst = l21, + .snd = { + .fst = l31, + .snd = { .fst = l41, .snd = { .fst = l51, .snd = { .fst = l61, .snd = l71 } } } + } + } + } + }; + 
__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + scrut7 = { .fst = mb0, .snd = mb1 }; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + last0 = scrut7.fst; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + last1 = scrut7.snd; + sha224_update8(last0, st); + if (blocks > (uint32_t)1U) + { + sha224_update8(last1, st); + } + KRML_CHECK_SIZE(sizeof (uint8_t), (uint32_t)8U * (uint32_t)8U * (uint32_t)4U); + uint8_t *hbuf = alloca((uint32_t)8U * (uint32_t)8U * (uint32_t)4U * sizeof (uint8_t)); + memset(hbuf, 0U, (uint32_t)8U * (uint32_t)8U * (uint32_t)4U * sizeof (uint8_t)); + Lib_IntVector_Intrinsics_vec256 v0 = st[0U]; + Lib_IntVector_Intrinsics_vec256 v1 = st[1U]; + Lib_IntVector_Intrinsics_vec256 v2 = st[2U]; + Lib_IntVector_Intrinsics_vec256 v3 = st[3U]; + Lib_IntVector_Intrinsics_vec256 v4 = st[4U]; + Lib_IntVector_Intrinsics_vec256 v5 = st[5U]; + Lib_IntVector_Intrinsics_vec256 v6 = st[6U]; + Lib_IntVector_Intrinsics_vec256 v7 = st[7U]; + Lib_IntVector_Intrinsics_vec256 v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v0, v1); + Lib_IntVector_Intrinsics_vec256 v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v2, v3); + Lib_IntVector_Intrinsics_vec256 v4_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v4, v5); + Lib_IntVector_Intrinsics_vec256 + v5_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v4, v5); + Lib_IntVector_Intrinsics_vec256 v6_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v6, v7); + Lib_IntVector_Intrinsics_vec256 + v7_ = 
Lib_IntVector_Intrinsics_vec256_interleave_high32(v6, v7); + Lib_IntVector_Intrinsics_vec256 v0_0 = v0_; + Lib_IntVector_Intrinsics_vec256 v1_0 = v1_; + Lib_IntVector_Intrinsics_vec256 v2_0 = v2_; + Lib_IntVector_Intrinsics_vec256 v3_0 = v3_; + Lib_IntVector_Intrinsics_vec256 v4_0 = v4_; + Lib_IntVector_Intrinsics_vec256 v5_0 = v5_; + Lib_IntVector_Intrinsics_vec256 v6_0 = v6_; + Lib_IntVector_Intrinsics_vec256 v7_0 = v7_; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v4_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v6_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v5_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 + v7_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 v0_10 = v0_1; + Lib_IntVector_Intrinsics_vec256 v1_10 = v1_1; + Lib_IntVector_Intrinsics_vec256 v2_10 = v2_1; + Lib_IntVector_Intrinsics_vec256 v3_10 = v3_1; + Lib_IntVector_Intrinsics_vec256 v4_10 = v4_1; + Lib_IntVector_Intrinsics_vec256 v5_10 = v5_1; + Lib_IntVector_Intrinsics_vec256 v6_10 = v6_1; + Lib_IntVector_Intrinsics_vec256 v7_10 = v7_1; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v4_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_10, v5_10); + 
Lib_IntVector_Intrinsics_vec256 + v5_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v6_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 + v7_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 v0_20 = v0_2; + Lib_IntVector_Intrinsics_vec256 v1_20 = v1_2; + Lib_IntVector_Intrinsics_vec256 v2_20 = v2_2; + Lib_IntVector_Intrinsics_vec256 v3_20 = v3_2; + Lib_IntVector_Intrinsics_vec256 v4_20 = v4_2; + Lib_IntVector_Intrinsics_vec256 v5_20 = v5_2; + Lib_IntVector_Intrinsics_vec256 v6_20 = v6_2; + Lib_IntVector_Intrinsics_vec256 v7_20 = v7_2; + Lib_IntVector_Intrinsics_vec256 v0_3 = v0_20; + Lib_IntVector_Intrinsics_vec256 v1_3 = v1_20; + Lib_IntVector_Intrinsics_vec256 v2_3 = v2_20; + Lib_IntVector_Intrinsics_vec256 v3_3 = v3_20; + Lib_IntVector_Intrinsics_vec256 v4_3 = v4_20; + Lib_IntVector_Intrinsics_vec256 v5_3 = v5_20; + Lib_IntVector_Intrinsics_vec256 v6_3 = v6_20; + Lib_IntVector_Intrinsics_vec256 v7_3 = v7_20; + Lib_IntVector_Intrinsics_vec256 st0_ = v0_3; + Lib_IntVector_Intrinsics_vec256 st1_ = v2_3; + Lib_IntVector_Intrinsics_vec256 st2_ = v1_3; + Lib_IntVector_Intrinsics_vec256 st3_ = v3_3; + Lib_IntVector_Intrinsics_vec256 st4_ = v4_3; + Lib_IntVector_Intrinsics_vec256 st5_ = v6_3; + Lib_IntVector_Intrinsics_vec256 st6_ = v5_3; + Lib_IntVector_Intrinsics_vec256 st7_ = v7_3; + st[0U] = st0_; + st[1U] = st1_; + st[2U] = st2_; + st[3U] = st3_; + st[4U] = st4_; + st[5U] = st5_; + st[6U] = st6_; + st[7U] = st7_; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256_store32_be(hbuf + i * (uint32_t)32U, st[i]); + } + uint8_t *b71 = 
rb.snd.snd.snd.snd.snd.snd.snd; + uint8_t *b6 = rb.snd.snd.snd.snd.snd.snd.fst; + uint8_t *b5 = rb.snd.snd.snd.snd.snd.fst; + uint8_t *b4 = rb.snd.snd.snd.snd.fst; + uint8_t *b3 = rb.snd.snd.snd.fst; + uint8_t *b2 = rb.snd.snd.fst; + uint8_t *b1 = rb.snd.fst; + uint8_t *b0 = rb.fst; + memcpy(b0, hbuf, (uint32_t)28U * sizeof (uint8_t)); + memcpy(b1, hbuf + (uint32_t)32U, (uint32_t)28U * sizeof (uint8_t)); + memcpy(b2, hbuf + (uint32_t)64U, (uint32_t)28U * sizeof (uint8_t)); + memcpy(b3, hbuf + (uint32_t)96U, (uint32_t)28U * sizeof (uint8_t)); + memcpy(b4, hbuf + (uint32_t)128U, (uint32_t)28U * sizeof (uint8_t)); + memcpy(b5, hbuf + (uint32_t)160U, (uint32_t)28U * sizeof (uint8_t)); + memcpy(b6, hbuf + (uint32_t)192U, (uint32_t)28U * sizeof (uint8_t)); + memcpy(b71, hbuf + (uint32_t)224U, (uint32_t)28U * sizeof (uint8_t)); +} + +static inline void +sha256_update8( + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + block, + Lib_IntVector_Intrinsics_vec256 *hash +) +{ + Lib_IntVector_Intrinsics_vec256 hash_old[8U]; + for (uint32_t _i = 0U; _i < (uint32_t)8U; ++_i) + hash_old[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 ws[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + ws[_i] = Lib_IntVector_Intrinsics_vec256_zero; + memcpy(hash_old, hash, (uint32_t)8U * sizeof (Lib_IntVector_Intrinsics_vec256)); + uint8_t *b7 = block.snd.snd.snd.snd.snd.snd.snd; + uint8_t *b6 = block.snd.snd.snd.snd.snd.snd.fst; + uint8_t *b5 = block.snd.snd.snd.snd.snd.fst; + uint8_t *b4 = block.snd.snd.snd.snd.fst; + uint8_t *b3 = block.snd.snd.snd.fst; + uint8_t *b2 = block.snd.snd.fst; + uint8_t *b10 = block.snd.fst; + uint8_t *b00 = block.fst; + ws[0U] = Lib_IntVector_Intrinsics_vec256_load32_be(b00); + ws[1U] = Lib_IntVector_Intrinsics_vec256_load32_be(b10); + ws[2U] = Lib_IntVector_Intrinsics_vec256_load32_be(b2); + ws[3U] = Lib_IntVector_Intrinsics_vec256_load32_be(b3); + ws[4U] = 
Lib_IntVector_Intrinsics_vec256_load32_be(b4); + ws[5U] = Lib_IntVector_Intrinsics_vec256_load32_be(b5); + ws[6U] = Lib_IntVector_Intrinsics_vec256_load32_be(b6); + ws[7U] = Lib_IntVector_Intrinsics_vec256_load32_be(b7); + ws[8U] = Lib_IntVector_Intrinsics_vec256_load32_be(b00 + (uint32_t)32U); + ws[9U] = Lib_IntVector_Intrinsics_vec256_load32_be(b10 + (uint32_t)32U); + ws[10U] = Lib_IntVector_Intrinsics_vec256_load32_be(b2 + (uint32_t)32U); + ws[11U] = Lib_IntVector_Intrinsics_vec256_load32_be(b3 + (uint32_t)32U); + ws[12U] = Lib_IntVector_Intrinsics_vec256_load32_be(b4 + (uint32_t)32U); + ws[13U] = Lib_IntVector_Intrinsics_vec256_load32_be(b5 + (uint32_t)32U); + ws[14U] = Lib_IntVector_Intrinsics_vec256_load32_be(b6 + (uint32_t)32U); + ws[15U] = Lib_IntVector_Intrinsics_vec256_load32_be(b7 + (uint32_t)32U); + Lib_IntVector_Intrinsics_vec256 v00 = ws[0U]; + Lib_IntVector_Intrinsics_vec256 v10 = ws[1U]; + Lib_IntVector_Intrinsics_vec256 v20 = ws[2U]; + Lib_IntVector_Intrinsics_vec256 v30 = ws[3U]; + Lib_IntVector_Intrinsics_vec256 v40 = ws[4U]; + Lib_IntVector_Intrinsics_vec256 v50 = ws[5U]; + Lib_IntVector_Intrinsics_vec256 v60 = ws[6U]; + Lib_IntVector_Intrinsics_vec256 v70 = ws[7U]; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v4_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v5_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v40, v50); + Lib_IntVector_Intrinsics_vec256 + v6_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v60, v70); + Lib_IntVector_Intrinsics_vec256 + v7_ = 
Lib_IntVector_Intrinsics_vec256_interleave_high32(v60, v70); + Lib_IntVector_Intrinsics_vec256 v0_0 = v0_; + Lib_IntVector_Intrinsics_vec256 v1_0 = v1_; + Lib_IntVector_Intrinsics_vec256 v2_0 = v2_; + Lib_IntVector_Intrinsics_vec256 v3_0 = v3_; + Lib_IntVector_Intrinsics_vec256 v4_0 = v4_; + Lib_IntVector_Intrinsics_vec256 v5_0 = v5_; + Lib_IntVector_Intrinsics_vec256 v6_0 = v6_; + Lib_IntVector_Intrinsics_vec256 v7_0 = v7_; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v4_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v6_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v5_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 + v7_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 v0_10 = v0_1; + Lib_IntVector_Intrinsics_vec256 v1_10 = v1_1; + Lib_IntVector_Intrinsics_vec256 v2_10 = v2_1; + Lib_IntVector_Intrinsics_vec256 v3_10 = v3_1; + Lib_IntVector_Intrinsics_vec256 v4_10 = v4_1; + Lib_IntVector_Intrinsics_vec256 v5_10 = v5_1; + Lib_IntVector_Intrinsics_vec256 v6_10 = v6_1; + Lib_IntVector_Intrinsics_vec256 v7_10 = v7_1; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v4_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_10, v5_10); + 
Lib_IntVector_Intrinsics_vec256 + v5_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v6_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 + v7_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 v0_20 = v0_2; + Lib_IntVector_Intrinsics_vec256 v1_20 = v1_2; + Lib_IntVector_Intrinsics_vec256 v2_20 = v2_2; + Lib_IntVector_Intrinsics_vec256 v3_20 = v3_2; + Lib_IntVector_Intrinsics_vec256 v4_20 = v4_2; + Lib_IntVector_Intrinsics_vec256 v5_20 = v5_2; + Lib_IntVector_Intrinsics_vec256 v6_20 = v6_2; + Lib_IntVector_Intrinsics_vec256 v7_20 = v7_2; + Lib_IntVector_Intrinsics_vec256 v0_3 = v0_20; + Lib_IntVector_Intrinsics_vec256 v1_3 = v1_20; + Lib_IntVector_Intrinsics_vec256 v2_3 = v2_20; + Lib_IntVector_Intrinsics_vec256 v3_3 = v3_20; + Lib_IntVector_Intrinsics_vec256 v4_3 = v4_20; + Lib_IntVector_Intrinsics_vec256 v5_3 = v5_20; + Lib_IntVector_Intrinsics_vec256 v6_3 = v6_20; + Lib_IntVector_Intrinsics_vec256 v7_3 = v7_20; + Lib_IntVector_Intrinsics_vec256 ws0 = v0_3; + Lib_IntVector_Intrinsics_vec256 ws1 = v2_3; + Lib_IntVector_Intrinsics_vec256 ws2 = v1_3; + Lib_IntVector_Intrinsics_vec256 ws3 = v3_3; + Lib_IntVector_Intrinsics_vec256 ws4 = v4_3; + Lib_IntVector_Intrinsics_vec256 ws5 = v6_3; + Lib_IntVector_Intrinsics_vec256 ws6 = v5_3; + Lib_IntVector_Intrinsics_vec256 ws7 = v7_3; + Lib_IntVector_Intrinsics_vec256 v0 = ws[8U]; + Lib_IntVector_Intrinsics_vec256 v1 = ws[9U]; + Lib_IntVector_Intrinsics_vec256 v2 = ws[10U]; + Lib_IntVector_Intrinsics_vec256 v3 = ws[11U]; + Lib_IntVector_Intrinsics_vec256 v4 = ws[12U]; + Lib_IntVector_Intrinsics_vec256 v5 = ws[13U]; + Lib_IntVector_Intrinsics_vec256 v6 
= ws[14U]; + Lib_IntVector_Intrinsics_vec256 v7 = ws[15U]; + Lib_IntVector_Intrinsics_vec256 + v0_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v1_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v2_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v3_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v4_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v4, v5); + Lib_IntVector_Intrinsics_vec256 + v5_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v4, v5); + Lib_IntVector_Intrinsics_vec256 + v6_4 = Lib_IntVector_Intrinsics_vec256_interleave_low32(v6, v7); + Lib_IntVector_Intrinsics_vec256 + v7_4 = Lib_IntVector_Intrinsics_vec256_interleave_high32(v6, v7); + Lib_IntVector_Intrinsics_vec256 v0_5 = v0_4; + Lib_IntVector_Intrinsics_vec256 v1_5 = v1_4; + Lib_IntVector_Intrinsics_vec256 v2_5 = v2_4; + Lib_IntVector_Intrinsics_vec256 v3_5 = v3_4; + Lib_IntVector_Intrinsics_vec256 v4_5 = v4_4; + Lib_IntVector_Intrinsics_vec256 v5_5 = v5_4; + Lib_IntVector_Intrinsics_vec256 v6_5 = v6_4; + Lib_IntVector_Intrinsics_vec256 v7_5 = v7_4; + Lib_IntVector_Intrinsics_vec256 + v0_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v2_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v1_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v3_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v4_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v6_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_5, v6_5); + Lib_IntVector_Intrinsics_vec256 + v5_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_5, v7_5); + 
Lib_IntVector_Intrinsics_vec256 + v7_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_5, v7_5); + Lib_IntVector_Intrinsics_vec256 v0_12 = v0_11; + Lib_IntVector_Intrinsics_vec256 v1_12 = v1_11; + Lib_IntVector_Intrinsics_vec256 v2_12 = v2_11; + Lib_IntVector_Intrinsics_vec256 v3_12 = v3_11; + Lib_IntVector_Intrinsics_vec256 v4_12 = v4_11; + Lib_IntVector_Intrinsics_vec256 v5_12 = v5_11; + Lib_IntVector_Intrinsics_vec256 v6_12 = v6_11; + Lib_IntVector_Intrinsics_vec256 v7_12 = v7_11; + Lib_IntVector_Intrinsics_vec256 + v0_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v4_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_12, v4_12); + Lib_IntVector_Intrinsics_vec256 + v1_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v5_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_12, v5_12); + Lib_IntVector_Intrinsics_vec256 + v2_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v6_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_12, v6_12); + Lib_IntVector_Intrinsics_vec256 + v3_21 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 + v7_21 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_12, v7_12); + Lib_IntVector_Intrinsics_vec256 v0_22 = v0_21; + Lib_IntVector_Intrinsics_vec256 v1_22 = v1_21; + Lib_IntVector_Intrinsics_vec256 v2_22 = v2_21; + Lib_IntVector_Intrinsics_vec256 v3_22 = v3_21; + Lib_IntVector_Intrinsics_vec256 v4_22 = v4_21; + Lib_IntVector_Intrinsics_vec256 v5_22 = v5_21; + Lib_IntVector_Intrinsics_vec256 v6_22 = v6_21; + Lib_IntVector_Intrinsics_vec256 v7_22 = v7_21; + Lib_IntVector_Intrinsics_vec256 v0_6 = v0_22; + Lib_IntVector_Intrinsics_vec256 v1_6 = v1_22; + Lib_IntVector_Intrinsics_vec256 v2_6 = v2_22; + Lib_IntVector_Intrinsics_vec256 v3_6 = v3_22; + Lib_IntVector_Intrinsics_vec256 v4_6 = 
v4_22; + Lib_IntVector_Intrinsics_vec256 v5_6 = v5_22; + Lib_IntVector_Intrinsics_vec256 v6_6 = v6_22; + Lib_IntVector_Intrinsics_vec256 v7_6 = v7_22; + Lib_IntVector_Intrinsics_vec256 ws8 = v0_6; + Lib_IntVector_Intrinsics_vec256 ws9 = v2_6; + Lib_IntVector_Intrinsics_vec256 ws10 = v1_6; + Lib_IntVector_Intrinsics_vec256 ws11 = v3_6; + Lib_IntVector_Intrinsics_vec256 ws12 = v4_6; + Lib_IntVector_Intrinsics_vec256 ws13 = v6_6; + Lib_IntVector_Intrinsics_vec256 ws14 = v5_6; + Lib_IntVector_Intrinsics_vec256 ws15 = v7_6; + ws[0U] = ws0; + ws[1U] = ws1; + ws[2U] = ws2; + ws[3U] = ws3; + ws[4U] = ws4; + ws[5U] = ws5; + ws[6U] = ws6; + ws[7U] = ws7; + ws[8U] = ws8; + ws[9U] = ws9; + ws[10U] = ws10; + ws[11U] = ws11; + ws[12U] = ws12; + ws[13U] = ws13; + ws[14U] = ws14; + ws[15U] = ws15; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i0 + i]; + Lib_IntVector_Intrinsics_vec256 ws_t = ws[i]; + Lib_IntVector_Intrinsics_vec256 a0 = hash[0U]; + Lib_IntVector_Intrinsics_vec256 b0 = hash[1U]; + Lib_IntVector_Intrinsics_vec256 c0 = hash[2U]; + Lib_IntVector_Intrinsics_vec256 d0 = hash[3U]; + Lib_IntVector_Intrinsics_vec256 e0 = hash[4U]; + Lib_IntVector_Intrinsics_vec256 f0 = hash[5U]; + Lib_IntVector_Intrinsics_vec256 g0 = hash[6U]; + Lib_IntVector_Intrinsics_vec256 h02 = hash[7U]; + Lib_IntVector_Intrinsics_vec256 k_e_t = Lib_IntVector_Intrinsics_vec256_load32(k_t); + Lib_IntVector_Intrinsics_vec256 + t1 = + Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(h02, + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(e0, + (uint32_t)6U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(e0, + (uint32_t)11U), + Lib_IntVector_Intrinsics_vec256_rotate_right32(e0, 
(uint32_t)25U)))), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(e0, f0), + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_lognot(e0), g0))), + k_e_t), + ws_t); + Lib_IntVector_Intrinsics_vec256 + t2 = + Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(a0, + (uint32_t)2U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(a0, + (uint32_t)13U), + Lib_IntVector_Intrinsics_vec256_rotate_right32(a0, (uint32_t)22U))), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(a0, b0), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(a0, c0), + Lib_IntVector_Intrinsics_vec256_and(b0, c0)))); + Lib_IntVector_Intrinsics_vec256 a1 = Lib_IntVector_Intrinsics_vec256_add32(t1, t2); + Lib_IntVector_Intrinsics_vec256 b1 = a0; + Lib_IntVector_Intrinsics_vec256 c1 = b0; + Lib_IntVector_Intrinsics_vec256 d1 = c0; + Lib_IntVector_Intrinsics_vec256 e1 = Lib_IntVector_Intrinsics_vec256_add32(d0, t1); + Lib_IntVector_Intrinsics_vec256 f1 = e0; + Lib_IntVector_Intrinsics_vec256 g1 = f0; + Lib_IntVector_Intrinsics_vec256 h12 = g0; + hash[0U] = a1; + hash[1U] = b1; + hash[2U] = c1; + hash[3U] = d1; + hash[4U] = e1; + hash[5U] = f1; + hash[6U] = g1; + hash[7U] = h12; + } + if (i0 < (uint32_t)4U - (uint32_t)1U) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec256 t16 = ws[i]; + Lib_IntVector_Intrinsics_vec256 t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 + s1 = + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(t2, + (uint32_t)17U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(t2, + 
(uint32_t)19U), + Lib_IntVector_Intrinsics_vec256_shift_right32(t2, (uint32_t)10U))); + Lib_IntVector_Intrinsics_vec256 + s0 = + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(t15, + (uint32_t)7U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right32(t15, + (uint32_t)18U), + Lib_IntVector_Intrinsics_vec256_shift_right32(t15, (uint32_t)3U))); + ws[i] = + Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(Lib_IntVector_Intrinsics_vec256_add32(s1, + t7), + s0), + t16); + } + } + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256 *os = hash; + Lib_IntVector_Intrinsics_vec256 + x = Lib_IntVector_Intrinsics_vec256_add32(hash[i], hash_old[i]); + os[i] = x; + } +} + +void +Hacl_SHA2_Vec256_sha256_8( + uint8_t *dst0, + uint8_t *dst1, + uint8_t *dst2, + uint8_t *dst3, + uint8_t *dst4, + uint8_t *dst5, + uint8_t *dst6, + uint8_t *dst7, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3, + uint8_t *input4, + uint8_t *input5, + uint8_t *input6, + uint8_t *input7 +) +{ + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + ib = + { + .fst = input0, + .snd = { + .fst = input1, + .snd = { + .fst = input2, + .snd = { + .fst = input3, + .snd = { + .fst = input4, + .snd = { .fst = input5, .snd = { .fst = input6, .snd = input7 } } + } + } + } + } + }; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + rb = + { + .fst = dst0, + .snd = { + .fst = dst1, + .snd = { + .fst = dst2, + .snd = { + .fst = dst3, + .snd = { .fst = dst4, .snd = { .fst = dst5, .snd = { .fst = dst6, .snd = dst7 } } } + } + } + } + }; + Lib_IntVector_Intrinsics_vec256 st[8U]; + for (uint32_t _i = 0U; _i < (uint32_t)8U; ++_i) + st[_i] = Lib_IntVector_Intrinsics_vec256_zero; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; 
i++) + { + Lib_IntVector_Intrinsics_vec256 *os = st; + uint32_t hi = Hacl_Impl_SHA2_Generic_h256[i]; + Lib_IntVector_Intrinsics_vec256 x = Lib_IntVector_Intrinsics_vec256_load32(hi); + os[i] = x; + } + uint32_t rem = input_len % (uint32_t)64U; + uint64_t len_ = (uint64_t)input_len; + uint32_t blocks0 = input_len / (uint32_t)64U; + for (uint32_t i = (uint32_t)0U; i < blocks0; i++) + { + uint8_t *b7 = ib.snd.snd.snd.snd.snd.snd.snd; + uint8_t *b6 = ib.snd.snd.snd.snd.snd.snd.fst; + uint8_t *b5 = ib.snd.snd.snd.snd.snd.fst; + uint8_t *b4 = ib.snd.snd.snd.snd.fst; + uint8_t *b3 = ib.snd.snd.snd.fst; + uint8_t *b2 = ib.snd.snd.fst; + uint8_t *b1 = ib.snd.fst; + uint8_t *b0 = ib.fst; + uint8_t *bl0 = b0 + i * (uint32_t)64U; + uint8_t *bl1 = b1 + i * (uint32_t)64U; + uint8_t *bl2 = b2 + i * (uint32_t)64U; + uint8_t *bl3 = b3 + i * (uint32_t)64U; + uint8_t *bl4 = b4 + i * (uint32_t)64U; + uint8_t *bl5 = b5 + i * (uint32_t)64U; + uint8_t *bl6 = b6 + i * (uint32_t)64U; + uint8_t *bl7 = b7 + i * (uint32_t)64U; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb = + { + .fst = bl0, + .snd = { + .fst = bl1, + .snd = { + .fst = bl2, + .snd = { + .fst = bl3, + .snd = { .fst = bl4, .snd = { .fst = bl5, .snd = { .fst = bl6, .snd = bl7 } } } + } + } + } + }; + sha256_update8(mb, st); + } + uint32_t rem1 = input_len % (uint32_t)64U; + uint8_t *b7 = ib.snd.snd.snd.snd.snd.snd.snd; + uint8_t *b60 = ib.snd.snd.snd.snd.snd.snd.fst; + uint8_t *b50 = ib.snd.snd.snd.snd.snd.fst; + uint8_t *b40 = ib.snd.snd.snd.snd.fst; + uint8_t *b30 = ib.snd.snd.snd.fst; + uint8_t *b20 = ib.snd.snd.fst; + uint8_t *b10 = ib.snd.fst; + uint8_t *b00 = ib.fst; + uint8_t *bl0 = b00 + input_len - rem1; + uint8_t *bl1 = b10 + input_len - rem1; + uint8_t *bl2 = b20 + input_len - rem1; + uint8_t *bl3 = b30 + input_len - rem1; + uint8_t *bl4 = b40 + input_len - rem1; + uint8_t *bl5 = b50 + input_len - rem1; + uint8_t *bl6 = b60 + input_len - rem1; + 
uint8_t *bl7 = b7 + input_len - rem1; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + lb = + { + .fst = bl0, + .snd = { + .fst = bl1, + .snd = { + .fst = bl2, + .snd = { + .fst = bl3, + .snd = { .fst = bl4, .snd = { .fst = bl5, .snd = { .fst = bl6, .snd = bl7 } } } + } + } + } + }; + uint32_t blocks; + if (rem + (uint32_t)8U + (uint32_t)1U <= (uint32_t)64U) + { + blocks = (uint32_t)1U; + } + else + { + blocks = (uint32_t)2U; + } + uint32_t fin = blocks * (uint32_t)64U; + uint8_t last[1024U] = { 0U }; + uint8_t totlen_buf[8U] = { 0U }; + uint64_t total_len_bits = len_ << (uint32_t)3U; + store64_be(totlen_buf, total_len_bits); + uint8_t *b70 = lb.snd.snd.snd.snd.snd.snd.snd; + uint8_t *b61 = lb.snd.snd.snd.snd.snd.snd.fst; + uint8_t *b51 = lb.snd.snd.snd.snd.snd.fst; + uint8_t *b41 = lb.snd.snd.snd.snd.fst; + uint8_t *b31 = lb.snd.snd.snd.fst; + uint8_t *b21 = lb.snd.snd.fst; + uint8_t *b11 = lb.snd.fst; + uint8_t *b01 = lb.fst; + uint8_t *last00 = last; + uint8_t *last10 = last + (uint32_t)128U; + uint8_t *last2 = last + (uint32_t)256U; + uint8_t *last3 = last + (uint32_t)384U; + uint8_t *last4 = last + (uint32_t)512U; + uint8_t *last5 = last + (uint32_t)640U; + uint8_t *last6 = last + (uint32_t)768U; + uint8_t *last7 = last + (uint32_t)896U; + memcpy(last00, b01, rem * sizeof (uint8_t)); + last00[rem] = (uint8_t)0x80U; + memcpy(last00 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last010 = last00; + uint8_t *last110 = last00 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut = { .fst = last010, .snd = last110 }; + uint8_t *l00 = scrut.fst; + uint8_t *l01 = scrut.snd; + memcpy(last10, b11, rem * sizeof (uint8_t)); + last10[rem] = (uint8_t)0x80U; + memcpy(last10 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last011 = last10; + uint8_t *last111 = last10 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut0 = { .fst = last011, .snd = last111 }; + 
uint8_t *l10 = scrut0.fst; + uint8_t *l11 = scrut0.snd; + memcpy(last2, b21, rem * sizeof (uint8_t)); + last2[rem] = (uint8_t)0x80U; + memcpy(last2 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last012 = last2; + uint8_t *last112 = last2 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut1 = { .fst = last012, .snd = last112 }; + uint8_t *l20 = scrut1.fst; + uint8_t *l21 = scrut1.snd; + memcpy(last3, b31, rem * sizeof (uint8_t)); + last3[rem] = (uint8_t)0x80U; + memcpy(last3 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last013 = last3; + uint8_t *last113 = last3 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut2 = { .fst = last013, .snd = last113 }; + uint8_t *l30 = scrut2.fst; + uint8_t *l31 = scrut2.snd; + memcpy(last4, b41, rem * sizeof (uint8_t)); + last4[rem] = (uint8_t)0x80U; + memcpy(last4 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last014 = last4; + uint8_t *last114 = last4 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut3 = { .fst = last014, .snd = last114 }; + uint8_t *l40 = scrut3.fst; + uint8_t *l41 = scrut3.snd; + memcpy(last5, b51, rem * sizeof (uint8_t)); + last5[rem] = (uint8_t)0x80U; + memcpy(last5 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last015 = last5; + uint8_t *last115 = last5 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut4 = { .fst = last015, .snd = last115 }; + uint8_t *l50 = scrut4.fst; + uint8_t *l51 = scrut4.snd; + memcpy(last6, b61, rem * sizeof (uint8_t)); + last6[rem] = (uint8_t)0x80U; + memcpy(last6 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last016 = last6; + uint8_t *last116 = last6 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut5 = { .fst = last016, .snd = last116 }; + uint8_t *l60 = scrut5.fst; + uint8_t *l61 = scrut5.snd; + memcpy(last7, b70, rem * sizeof (uint8_t)); + last7[rem] = (uint8_t)0x80U; + memcpy(last7 + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U 
* sizeof (uint8_t)); + uint8_t *last01 = last7; + uint8_t *last11 = last7 + (uint32_t)64U; + K____uint8_t___uint8_t_ scrut6 = { .fst = last01, .snd = last11 }; + uint8_t *l70 = scrut6.fst; + uint8_t *l71 = scrut6.snd; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb0 = + { + .fst = l00, + .snd = { + .fst = l10, + .snd = { + .fst = l20, + .snd = { + .fst = l30, + .snd = { .fst = l40, .snd = { .fst = l50, .snd = { .fst = l60, .snd = l70 } } } + } + } + } + }; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb1 = + { + .fst = l01, + .snd = { + .fst = l11, + .snd = { + .fst = l21, + .snd = { + .fst = l31, + .snd = { .fst = l41, .snd = { .fst = l51, .snd = { .fst = l61, .snd = l71 } } } + } + } + } + }; + __K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + scrut7 = { .fst = mb0, .snd = mb1 }; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + last0 = scrut7.fst; + ___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + last1 = scrut7.snd; + sha256_update8(last0, st); + if (blocks > (uint32_t)1U) + { + sha256_update8(last1, st); + } + KRML_CHECK_SIZE(sizeof (uint8_t), (uint32_t)8U * (uint32_t)8U * (uint32_t)4U); + uint8_t *hbuf = alloca((uint32_t)8U * (uint32_t)8U * (uint32_t)4U * sizeof (uint8_t)); + memset(hbuf, 0U, (uint32_t)8U * (uint32_t)8U * (uint32_t)4U * sizeof (uint8_t)); + Lib_IntVector_Intrinsics_vec256 v0 = st[0U]; + Lib_IntVector_Intrinsics_vec256 v1 = st[1U]; + Lib_IntVector_Intrinsics_vec256 v2 = st[2U]; + Lib_IntVector_Intrinsics_vec256 v3 = st[3U]; + Lib_IntVector_Intrinsics_vec256 v4 = st[4U]; + Lib_IntVector_Intrinsics_vec256 v5 = st[5U]; + 
Lib_IntVector_Intrinsics_vec256 v6 = st[6U]; + Lib_IntVector_Intrinsics_vec256 v7 = st[7U]; + Lib_IntVector_Intrinsics_vec256 v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v0, v1); + Lib_IntVector_Intrinsics_vec256 v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v2, v3); + Lib_IntVector_Intrinsics_vec256 v4_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v4, v5); + Lib_IntVector_Intrinsics_vec256 + v5_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v4, v5); + Lib_IntVector_Intrinsics_vec256 v6_ = Lib_IntVector_Intrinsics_vec256_interleave_low32(v6, v7); + Lib_IntVector_Intrinsics_vec256 + v7_ = Lib_IntVector_Intrinsics_vec256_interleave_high32(v6, v7); + Lib_IntVector_Intrinsics_vec256 v0_0 = v0_; + Lib_IntVector_Intrinsics_vec256 v1_0 = v1_; + Lib_IntVector_Intrinsics_vec256 v2_0 = v2_; + Lib_IntVector_Intrinsics_vec256 v3_0 = v3_; + Lib_IntVector_Intrinsics_vec256 v4_0 = v4_; + Lib_IntVector_Intrinsics_vec256 v5_0 = v5_; + Lib_IntVector_Intrinsics_vec256 v6_0 = v6_; + Lib_IntVector_Intrinsics_vec256 v7_0 = v7_; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v4_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v6_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v4_0, v6_0); + Lib_IntVector_Intrinsics_vec256 + v5_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v5_0, v7_0); + 
Lib_IntVector_Intrinsics_vec256 + v7_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v5_0, v7_0); + Lib_IntVector_Intrinsics_vec256 v0_10 = v0_1; + Lib_IntVector_Intrinsics_vec256 v1_10 = v1_1; + Lib_IntVector_Intrinsics_vec256 v2_10 = v2_1; + Lib_IntVector_Intrinsics_vec256 v3_10 = v3_1; + Lib_IntVector_Intrinsics_vec256 v4_10 = v4_1; + Lib_IntVector_Intrinsics_vec256 v5_10 = v5_1; + Lib_IntVector_Intrinsics_vec256 v6_10 = v6_1; + Lib_IntVector_Intrinsics_vec256 v7_10 = v7_1; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v4_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_10, v4_10); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v5_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_10, v5_10); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v6_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v2_10, v6_10); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 + v7_2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v3_10, v7_10); + Lib_IntVector_Intrinsics_vec256 v0_20 = v0_2; + Lib_IntVector_Intrinsics_vec256 v1_20 = v1_2; + Lib_IntVector_Intrinsics_vec256 v2_20 = v2_2; + Lib_IntVector_Intrinsics_vec256 v3_20 = v3_2; + Lib_IntVector_Intrinsics_vec256 v4_20 = v4_2; + Lib_IntVector_Intrinsics_vec256 v5_20 = v5_2; + Lib_IntVector_Intrinsics_vec256 v6_20 = v6_2; + Lib_IntVector_Intrinsics_vec256 v7_20 = v7_2; + Lib_IntVector_Intrinsics_vec256 v0_3 = v0_20; + Lib_IntVector_Intrinsics_vec256 v1_3 = v1_20; + Lib_IntVector_Intrinsics_vec256 v2_3 = v2_20; + Lib_IntVector_Intrinsics_vec256 v3_3 = v3_20; + Lib_IntVector_Intrinsics_vec256 v4_3 = v4_20; + 
Lib_IntVector_Intrinsics_vec256 v5_3 = v5_20; + Lib_IntVector_Intrinsics_vec256 v6_3 = v6_20; + Lib_IntVector_Intrinsics_vec256 v7_3 = v7_20; + Lib_IntVector_Intrinsics_vec256 st0_ = v0_3; + Lib_IntVector_Intrinsics_vec256 st1_ = v2_3; + Lib_IntVector_Intrinsics_vec256 st2_ = v1_3; + Lib_IntVector_Intrinsics_vec256 st3_ = v3_3; + Lib_IntVector_Intrinsics_vec256 st4_ = v4_3; + Lib_IntVector_Intrinsics_vec256 st5_ = v6_3; + Lib_IntVector_Intrinsics_vec256 st6_ = v5_3; + Lib_IntVector_Intrinsics_vec256 st7_ = v7_3; + st[0U] = st0_; + st[1U] = st1_; + st[2U] = st2_; + st[3U] = st3_; + st[4U] = st4_; + st[5U] = st5_; + st[6U] = st6_; + st[7U] = st7_; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256_store32_be(hbuf + i * (uint32_t)32U, st[i]); + } + uint8_t *b71 = rb.snd.snd.snd.snd.snd.snd.snd; + uint8_t *b6 = rb.snd.snd.snd.snd.snd.snd.fst; + uint8_t *b5 = rb.snd.snd.snd.snd.snd.fst; + uint8_t *b4 = rb.snd.snd.snd.snd.fst; + uint8_t *b3 = rb.snd.snd.snd.fst; + uint8_t *b2 = rb.snd.snd.fst; + uint8_t *b1 = rb.snd.fst; + uint8_t *b0 = rb.fst; + memcpy(b0, hbuf, (uint32_t)32U * sizeof (uint8_t)); + memcpy(b1, hbuf + (uint32_t)32U, (uint32_t)32U * sizeof (uint8_t)); + memcpy(b2, hbuf + (uint32_t)64U, (uint32_t)32U * sizeof (uint8_t)); + memcpy(b3, hbuf + (uint32_t)96U, (uint32_t)32U * sizeof (uint8_t)); + memcpy(b4, hbuf + (uint32_t)128U, (uint32_t)32U * sizeof (uint8_t)); + memcpy(b5, hbuf + (uint32_t)160U, (uint32_t)32U * sizeof (uint8_t)); + memcpy(b6, hbuf + (uint32_t)192U, (uint32_t)32U * sizeof (uint8_t)); + memcpy(b71, hbuf + (uint32_t)224U, (uint32_t)32U * sizeof (uint8_t)); +} + +static inline void +sha384_update4( + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ block, + Lib_IntVector_Intrinsics_vec256 *hash +) +{ + Lib_IntVector_Intrinsics_vec256 hash_old[8U]; + for (uint32_t _i = 0U; _i < (uint32_t)8U; ++_i) + hash_old[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 ws[16U]; + for 
(uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + ws[_i] = Lib_IntVector_Intrinsics_vec256_zero; + memcpy(hash_old, hash, (uint32_t)8U * sizeof (Lib_IntVector_Intrinsics_vec256)); + uint8_t *b3 = block.snd.snd.snd; + uint8_t *b2 = block.snd.snd.fst; + uint8_t *b10 = block.snd.fst; + uint8_t *b00 = block.fst; + ws[0U] = Lib_IntVector_Intrinsics_vec256_load64_be(b00); + ws[1U] = Lib_IntVector_Intrinsics_vec256_load64_be(b10); + ws[2U] = Lib_IntVector_Intrinsics_vec256_load64_be(b2); + ws[3U] = Lib_IntVector_Intrinsics_vec256_load64_be(b3); + ws[4U] = Lib_IntVector_Intrinsics_vec256_load64_be(b00 + (uint32_t)32U); + ws[5U] = Lib_IntVector_Intrinsics_vec256_load64_be(b10 + (uint32_t)32U); + ws[6U] = Lib_IntVector_Intrinsics_vec256_load64_be(b2 + (uint32_t)32U); + ws[7U] = Lib_IntVector_Intrinsics_vec256_load64_be(b3 + (uint32_t)32U); + ws[8U] = Lib_IntVector_Intrinsics_vec256_load64_be(b00 + (uint32_t)64U); + ws[9U] = Lib_IntVector_Intrinsics_vec256_load64_be(b10 + (uint32_t)64U); + ws[10U] = Lib_IntVector_Intrinsics_vec256_load64_be(b2 + (uint32_t)64U); + ws[11U] = Lib_IntVector_Intrinsics_vec256_load64_be(b3 + (uint32_t)64U); + ws[12U] = Lib_IntVector_Intrinsics_vec256_load64_be(b00 + (uint32_t)96U); + ws[13U] = Lib_IntVector_Intrinsics_vec256_load64_be(b10 + (uint32_t)96U); + ws[14U] = Lib_IntVector_Intrinsics_vec256_load64_be(b2 + (uint32_t)96U); + ws[15U] = Lib_IntVector_Intrinsics_vec256_load64_be(b3 + (uint32_t)96U); + Lib_IntVector_Intrinsics_vec256 v00 = ws[0U]; + Lib_IntVector_Intrinsics_vec256 v10 = ws[1U]; + Lib_IntVector_Intrinsics_vec256 v20 = ws[2U]; + Lib_IntVector_Intrinsics_vec256 v30 = ws[3U]; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = 
Lib_IntVector_Intrinsics_vec256_interleave_high64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v0__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v1__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v2__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 + v3__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 ws0 = v0__; + Lib_IntVector_Intrinsics_vec256 ws1 = v2__; + Lib_IntVector_Intrinsics_vec256 ws2 = v1__; + Lib_IntVector_Intrinsics_vec256 ws3 = v3__; + Lib_IntVector_Intrinsics_vec256 v01 = ws[4U]; + Lib_IntVector_Intrinsics_vec256 v11 = ws[5U]; + Lib_IntVector_Intrinsics_vec256 v21 = ws[6U]; + Lib_IntVector_Intrinsics_vec256 v31 = ws[7U]; + Lib_IntVector_Intrinsics_vec256 + v0_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v01, v11); + Lib_IntVector_Intrinsics_vec256 + v1_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v01, v11); + Lib_IntVector_Intrinsics_vec256 + v2_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v3_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v0__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 ws4 = v0__0; + Lib_IntVector_Intrinsics_vec256 ws5 = v2__0; + Lib_IntVector_Intrinsics_vec256 ws6 = v1__0; + Lib_IntVector_Intrinsics_vec256 ws7 = v3__0; + Lib_IntVector_Intrinsics_vec256 v02 = ws[8U]; + Lib_IntVector_Intrinsics_vec256 v12 = ws[9U]; + 
Lib_IntVector_Intrinsics_vec256 v22 = ws[10U]; + Lib_IntVector_Intrinsics_vec256 v32 = ws[11U]; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v02, v12); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v02, v12); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v22, v32); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v22, v32); + Lib_IntVector_Intrinsics_vec256 + v0__1 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec256 + v1__1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec256 + v2__1 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec256 + v3__1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec256 ws8 = v0__1; + Lib_IntVector_Intrinsics_vec256 ws9 = v2__1; + Lib_IntVector_Intrinsics_vec256 ws10 = v1__1; + Lib_IntVector_Intrinsics_vec256 ws11 = v3__1; + Lib_IntVector_Intrinsics_vec256 v0 = ws[12U]; + Lib_IntVector_Intrinsics_vec256 v1 = ws[13U]; + Lib_IntVector_Intrinsics_vec256 v2 = ws[14U]; + Lib_IntVector_Intrinsics_vec256 v3 = ws[15U]; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v0__2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec256 + v1__2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec256 + v2__2 = 
Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec256 + v3__2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec256 ws12 = v0__2; + Lib_IntVector_Intrinsics_vec256 ws13 = v2__2; + Lib_IntVector_Intrinsics_vec256 ws14 = v1__2; + Lib_IntVector_Intrinsics_vec256 ws15 = v3__2; + ws[0U] = ws0; + ws[1U] = ws1; + ws[2U] = ws2; + ws[3U] = ws3; + ws[4U] = ws4; + ws[5U] = ws5; + ws[6U] = ws6; + ws[7U] = ws7; + ws[8U] = ws8; + ws[9U] = ws9; + ws[10U] = ws10; + ws[11U] = ws11; + ws[12U] = ws12; + ws[13U] = ws13; + ws[14U] = ws14; + ws[15U] = ws15; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)5U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint64_t k_t = Hacl_Impl_SHA2_Generic_k384_512[(uint32_t)16U * i0 + i]; + Lib_IntVector_Intrinsics_vec256 ws_t = ws[i]; + Lib_IntVector_Intrinsics_vec256 a0 = hash[0U]; + Lib_IntVector_Intrinsics_vec256 b0 = hash[1U]; + Lib_IntVector_Intrinsics_vec256 c0 = hash[2U]; + Lib_IntVector_Intrinsics_vec256 d0 = hash[3U]; + Lib_IntVector_Intrinsics_vec256 e0 = hash[4U]; + Lib_IntVector_Intrinsics_vec256 f0 = hash[5U]; + Lib_IntVector_Intrinsics_vec256 g0 = hash[6U]; + Lib_IntVector_Intrinsics_vec256 h02 = hash[7U]; + Lib_IntVector_Intrinsics_vec256 k_e_t = Lib_IntVector_Intrinsics_vec256_load64(k_t); + Lib_IntVector_Intrinsics_vec256 + t1 = + Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(h02, + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(e0, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(e0, + (uint32_t)18U), + Lib_IntVector_Intrinsics_vec256_rotate_right64(e0, (uint32_t)41U)))), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(e0, f0), + 
Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_lognot(e0), g0))), + k_e_t), + ws_t); + Lib_IntVector_Intrinsics_vec256 + t2 = + Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(a0, + (uint32_t)28U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(a0, + (uint32_t)34U), + Lib_IntVector_Intrinsics_vec256_rotate_right64(a0, (uint32_t)39U))), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(a0, b0), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(a0, c0), + Lib_IntVector_Intrinsics_vec256_and(b0, c0)))); + Lib_IntVector_Intrinsics_vec256 a1 = Lib_IntVector_Intrinsics_vec256_add64(t1, t2); + Lib_IntVector_Intrinsics_vec256 b1 = a0; + Lib_IntVector_Intrinsics_vec256 c1 = b0; + Lib_IntVector_Intrinsics_vec256 d1 = c0; + Lib_IntVector_Intrinsics_vec256 e1 = Lib_IntVector_Intrinsics_vec256_add64(d0, t1); + Lib_IntVector_Intrinsics_vec256 f1 = e0; + Lib_IntVector_Intrinsics_vec256 g1 = f0; + Lib_IntVector_Intrinsics_vec256 h12 = g0; + hash[0U] = a1; + hash[1U] = b1; + hash[2U] = c1; + hash[3U] = d1; + hash[4U] = e1; + hash[5U] = f1; + hash[6U] = g1; + hash[7U] = h12; + } + if (i0 < (uint32_t)5U - (uint32_t)1U) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec256 t16 = ws[i]; + Lib_IntVector_Intrinsics_vec256 t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 + s1 = + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(t2, + (uint32_t)19U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(t2, + (uint32_t)61U), + Lib_IntVector_Intrinsics_vec256_shift_right64(t2, (uint32_t)6U))); + 
Lib_IntVector_Intrinsics_vec256 + s0 = + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(t15, + (uint32_t)1U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(t15, + (uint32_t)8U), + Lib_IntVector_Intrinsics_vec256_shift_right64(t15, (uint32_t)7U))); + ws[i] = + Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(s1, + t7), + s0), + t16); + } + } + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256 *os = hash; + Lib_IntVector_Intrinsics_vec256 + x = Lib_IntVector_Intrinsics_vec256_add64(hash[i], hash_old[i]); + os[i] = x; + } +} + +void +Hacl_SHA2_Vec256_sha384_4( + uint8_t *dst0, + uint8_t *dst1, + uint8_t *dst2, + uint8_t *dst3, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3 +) +{ + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + ib = { .fst = input0, .snd = { .fst = input1, .snd = { .fst = input2, .snd = input3 } } }; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + rb = { .fst = dst0, .snd = { .fst = dst1, .snd = { .fst = dst2, .snd = dst3 } } }; + Lib_IntVector_Intrinsics_vec256 st[8U]; + for (uint32_t _i = 0U; _i < (uint32_t)8U; ++_i) + st[_i] = Lib_IntVector_Intrinsics_vec256_zero; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256 *os = st; + uint64_t hi = Hacl_Impl_SHA2_Generic_h384[i]; + Lib_IntVector_Intrinsics_vec256 x = Lib_IntVector_Intrinsics_vec256_load64(hi); + os[i] = x; + } + uint32_t rem = input_len % (uint32_t)128U; + FStar_UInt128_uint128 len_ = FStar_UInt128_uint64_to_uint128((uint64_t)input_len); + uint32_t blocks0 = input_len / (uint32_t)128U; + for (uint32_t i = (uint32_t)0U; i < blocks0; i++) + { + uint8_t *b3 = ib.snd.snd.snd; + uint8_t *b2 = ib.snd.snd.fst; + uint8_t *b1 = ib.snd.fst; + uint8_t *b0 = ib.fst; + uint8_t *bl0 = b0 + i * (uint32_t)128U; + 
uint8_t *bl1 = b1 + i * (uint32_t)128U; + uint8_t *bl2 = b2 + i * (uint32_t)128U; + uint8_t *bl3 = b3 + i * (uint32_t)128U; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb = { .fst = bl0, .snd = { .fst = bl1, .snd = { .fst = bl2, .snd = bl3 } } }; + sha384_update4(mb, st); + } + uint32_t rem1 = input_len % (uint32_t)128U; + uint8_t *b3 = ib.snd.snd.snd; + uint8_t *b20 = ib.snd.snd.fst; + uint8_t *b10 = ib.snd.fst; + uint8_t *b00 = ib.fst; + uint8_t *bl0 = b00 + input_len - rem1; + uint8_t *bl1 = b10 + input_len - rem1; + uint8_t *bl2 = b20 + input_len - rem1; + uint8_t *bl3 = b3 + input_len - rem1; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + lb = { .fst = bl0, .snd = { .fst = bl1, .snd = { .fst = bl2, .snd = bl3 } } }; + uint32_t blocks; + if (rem + (uint32_t)16U + (uint32_t)1U <= (uint32_t)128U) + { + blocks = (uint32_t)1U; + } + else + { + blocks = (uint32_t)2U; + } + uint32_t fin = blocks * (uint32_t)128U; + uint8_t last[1024U] = { 0U }; + uint8_t totlen_buf[16U] = { 0U }; + FStar_UInt128_uint128 total_len_bits = FStar_UInt128_shift_left(len_, (uint32_t)3U); + store128_be(totlen_buf, total_len_bits); + uint8_t *b30 = lb.snd.snd.snd; + uint8_t *b21 = lb.snd.snd.fst; + uint8_t *b11 = lb.snd.fst; + uint8_t *b01 = lb.fst; + uint8_t *last00 = last; + uint8_t *last10 = last + (uint32_t)256U; + uint8_t *last2 = last + (uint32_t)512U; + uint8_t *last3 = last + (uint32_t)768U; + memcpy(last00, b01, rem * sizeof (uint8_t)); + last00[rem] = (uint8_t)0x80U; + memcpy(last00 + fin - (uint32_t)16U, totlen_buf, (uint32_t)16U * sizeof (uint8_t)); + uint8_t *last010 = last00; + uint8_t *last110 = last00 + (uint32_t)128U; + K____uint8_t___uint8_t_ scrut = { .fst = last010, .snd = last110 }; + uint8_t *l00 = scrut.fst; + uint8_t *l01 = scrut.snd; + memcpy(last10, b11, rem * sizeof (uint8_t)); + last10[rem] = (uint8_t)0x80U; + memcpy(last10 + fin - (uint32_t)16U, totlen_buf, (uint32_t)16U * sizeof (uint8_t)); + uint8_t *last011 = last10; + uint8_t *last111 = 
last10 + (uint32_t)128U; + K____uint8_t___uint8_t_ scrut0 = { .fst = last011, .snd = last111 }; + uint8_t *l10 = scrut0.fst; + uint8_t *l11 = scrut0.snd; + memcpy(last2, b21, rem * sizeof (uint8_t)); + last2[rem] = (uint8_t)0x80U; + memcpy(last2 + fin - (uint32_t)16U, totlen_buf, (uint32_t)16U * sizeof (uint8_t)); + uint8_t *last012 = last2; + uint8_t *last112 = last2 + (uint32_t)128U; + K____uint8_t___uint8_t_ scrut1 = { .fst = last012, .snd = last112 }; + uint8_t *l20 = scrut1.fst; + uint8_t *l21 = scrut1.snd; + memcpy(last3, b30, rem * sizeof (uint8_t)); + last3[rem] = (uint8_t)0x80U; + memcpy(last3 + fin - (uint32_t)16U, totlen_buf, (uint32_t)16U * sizeof (uint8_t)); + uint8_t *last01 = last3; + uint8_t *last11 = last3 + (uint32_t)128U; + K____uint8_t___uint8_t_ scrut2 = { .fst = last01, .snd = last11 }; + uint8_t *l30 = scrut2.fst; + uint8_t *l31 = scrut2.snd; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb0 = { .fst = l00, .snd = { .fst = l10, .snd = { .fst = l20, .snd = l30 } } }; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb1 = { .fst = l01, .snd = { .fst = l11, .snd = { .fst = l21, .snd = l31 } } }; + K___K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + scrut3 = { .fst = mb0, .snd = mb1 }; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ last0 = scrut3.fst; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ last1 = scrut3.snd; + sha384_update4(last0, st); + if (blocks > (uint32_t)1U) + { + sha384_update4(last1, st); + } + KRML_CHECK_SIZE(sizeof (uint8_t), (uint32_t)4U * (uint32_t)8U * (uint32_t)8U); + uint8_t *hbuf = alloca((uint32_t)4U * (uint32_t)8U * (uint32_t)8U * sizeof (uint8_t)); + memset(hbuf, 0U, (uint32_t)4U * (uint32_t)8U * (uint32_t)8U * sizeof (uint8_t)); + Lib_IntVector_Intrinsics_vec256 v00 = st[0U]; + Lib_IntVector_Intrinsics_vec256 v10 = st[1U]; + Lib_IntVector_Intrinsics_vec256 v20 = st[2U]; + Lib_IntVector_Intrinsics_vec256 v30 = st[3U]; + 
Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v0__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v1__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v2__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 + v3__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 st0_ = v0__; + Lib_IntVector_Intrinsics_vec256 st1_ = v2__; + Lib_IntVector_Intrinsics_vec256 st2_ = v1__; + Lib_IntVector_Intrinsics_vec256 st3_ = v3__; + Lib_IntVector_Intrinsics_vec256 v0 = st[4U]; + Lib_IntVector_Intrinsics_vec256 v1 = st[5U]; + Lib_IntVector_Intrinsics_vec256 v2 = st[6U]; + Lib_IntVector_Intrinsics_vec256 v3 = st[7U]; + Lib_IntVector_Intrinsics_vec256 + v0_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v1_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v2_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v3_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v0__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3__0 = 
Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 st4_ = v0__0; + Lib_IntVector_Intrinsics_vec256 st5_ = v2__0; + Lib_IntVector_Intrinsics_vec256 st6_ = v1__0; + Lib_IntVector_Intrinsics_vec256 st7_ = v3__0; + st[0U] = st0_; + st[1U] = st4_; + st[2U] = st1_; + st[3U] = st5_; + st[4U] = st2_; + st[5U] = st6_; + st[6U] = st3_; + st[7U] = st7_; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256_store64_be(hbuf + i * (uint32_t)32U, st[i]); + } + uint8_t *b31 = rb.snd.snd.snd; + uint8_t *b2 = rb.snd.snd.fst; + uint8_t *b1 = rb.snd.fst; + uint8_t *b0 = rb.fst; + memcpy(b0, hbuf, (uint32_t)48U * sizeof (uint8_t)); + memcpy(b1, hbuf + (uint32_t)64U, (uint32_t)48U * sizeof (uint8_t)); + memcpy(b2, hbuf + (uint32_t)128U, (uint32_t)48U * sizeof (uint8_t)); + memcpy(b31, hbuf + (uint32_t)192U, (uint32_t)48U * sizeof (uint8_t)); +} + +static inline void +sha512_update4( + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ block, + Lib_IntVector_Intrinsics_vec256 *hash +) +{ + Lib_IntVector_Intrinsics_vec256 hash_old[8U]; + for (uint32_t _i = 0U; _i < (uint32_t)8U; ++_i) + hash_old[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 ws[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + ws[_i] = Lib_IntVector_Intrinsics_vec256_zero; + memcpy(hash_old, hash, (uint32_t)8U * sizeof (Lib_IntVector_Intrinsics_vec256)); + uint8_t *b3 = block.snd.snd.snd; + uint8_t *b2 = block.snd.snd.fst; + uint8_t *b10 = block.snd.fst; + uint8_t *b00 = block.fst; + ws[0U] = Lib_IntVector_Intrinsics_vec256_load64_be(b00); + ws[1U] = Lib_IntVector_Intrinsics_vec256_load64_be(b10); + ws[2U] = Lib_IntVector_Intrinsics_vec256_load64_be(b2); + ws[3U] = Lib_IntVector_Intrinsics_vec256_load64_be(b3); + ws[4U] = Lib_IntVector_Intrinsics_vec256_load64_be(b00 + (uint32_t)32U); + ws[5U] = Lib_IntVector_Intrinsics_vec256_load64_be(b10 + (uint32_t)32U); + ws[6U] = 
Lib_IntVector_Intrinsics_vec256_load64_be(b2 + (uint32_t)32U); + ws[7U] = Lib_IntVector_Intrinsics_vec256_load64_be(b3 + (uint32_t)32U); + ws[8U] = Lib_IntVector_Intrinsics_vec256_load64_be(b00 + (uint32_t)64U); + ws[9U] = Lib_IntVector_Intrinsics_vec256_load64_be(b10 + (uint32_t)64U); + ws[10U] = Lib_IntVector_Intrinsics_vec256_load64_be(b2 + (uint32_t)64U); + ws[11U] = Lib_IntVector_Intrinsics_vec256_load64_be(b3 + (uint32_t)64U); + ws[12U] = Lib_IntVector_Intrinsics_vec256_load64_be(b00 + (uint32_t)96U); + ws[13U] = Lib_IntVector_Intrinsics_vec256_load64_be(b10 + (uint32_t)96U); + ws[14U] = Lib_IntVector_Intrinsics_vec256_load64_be(b2 + (uint32_t)96U); + ws[15U] = Lib_IntVector_Intrinsics_vec256_load64_be(b3 + (uint32_t)96U); + Lib_IntVector_Intrinsics_vec256 v00 = ws[0U]; + Lib_IntVector_Intrinsics_vec256 v10 = ws[1U]; + Lib_IntVector_Intrinsics_vec256 v20 = ws[2U]; + Lib_IntVector_Intrinsics_vec256 v30 = ws[3U]; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v0__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v1__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v2__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 + v3__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 ws0 = v0__; + Lib_IntVector_Intrinsics_vec256 ws1 = v2__; + Lib_IntVector_Intrinsics_vec256 ws2 = v1__; + Lib_IntVector_Intrinsics_vec256 ws3 = v3__; + Lib_IntVector_Intrinsics_vec256 v01 = ws[4U]; + 
Lib_IntVector_Intrinsics_vec256 v11 = ws[5U]; + Lib_IntVector_Intrinsics_vec256 v21 = ws[6U]; + Lib_IntVector_Intrinsics_vec256 v31 = ws[7U]; + Lib_IntVector_Intrinsics_vec256 + v0_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v01, v11); + Lib_IntVector_Intrinsics_vec256 + v1_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v01, v11); + Lib_IntVector_Intrinsics_vec256 + v2_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v3_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v0__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 ws4 = v0__0; + Lib_IntVector_Intrinsics_vec256 ws5 = v2__0; + Lib_IntVector_Intrinsics_vec256 ws6 = v1__0; + Lib_IntVector_Intrinsics_vec256 ws7 = v3__0; + Lib_IntVector_Intrinsics_vec256 v02 = ws[8U]; + Lib_IntVector_Intrinsics_vec256 v12 = ws[9U]; + Lib_IntVector_Intrinsics_vec256 v22 = ws[10U]; + Lib_IntVector_Intrinsics_vec256 v32 = ws[11U]; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v02, v12); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v02, v12); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v22, v32); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v22, v32); + Lib_IntVector_Intrinsics_vec256 + v0__1 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec256 + v1__1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_1, v2_1); + 
Lib_IntVector_Intrinsics_vec256 + v2__1 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec256 + v3__1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec256 ws8 = v0__1; + Lib_IntVector_Intrinsics_vec256 ws9 = v2__1; + Lib_IntVector_Intrinsics_vec256 ws10 = v1__1; + Lib_IntVector_Intrinsics_vec256 ws11 = v3__1; + Lib_IntVector_Intrinsics_vec256 v0 = ws[12U]; + Lib_IntVector_Intrinsics_vec256 v1 = ws[13U]; + Lib_IntVector_Intrinsics_vec256 v2 = ws[14U]; + Lib_IntVector_Intrinsics_vec256 v3 = ws[15U]; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v0__2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec256 + v1__2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec256 + v2__2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec256 + v3__2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec256 ws12 = v0__2; + Lib_IntVector_Intrinsics_vec256 ws13 = v2__2; + Lib_IntVector_Intrinsics_vec256 ws14 = v1__2; + Lib_IntVector_Intrinsics_vec256 ws15 = v3__2; + ws[0U] = ws0; + ws[1U] = ws1; + ws[2U] = ws2; + ws[3U] = ws3; + ws[4U] = ws4; + ws[5U] = ws5; + ws[6U] = ws6; + ws[7U] = ws7; + ws[8U] = ws8; + ws[9U] = ws9; + ws[10U] = ws10; + ws[11U] = ws11; + ws[12U] = ws12; + ws[13U] = ws13; + ws[14U] = ws14; + ws[15U] = ws15; + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)5U; i0++) + { + for (uint32_t i = (uint32_t)0U; i < 
(uint32_t)16U; i++) + { + uint64_t k_t = Hacl_Impl_SHA2_Generic_k384_512[(uint32_t)16U * i0 + i]; + Lib_IntVector_Intrinsics_vec256 ws_t = ws[i]; + Lib_IntVector_Intrinsics_vec256 a0 = hash[0U]; + Lib_IntVector_Intrinsics_vec256 b0 = hash[1U]; + Lib_IntVector_Intrinsics_vec256 c0 = hash[2U]; + Lib_IntVector_Intrinsics_vec256 d0 = hash[3U]; + Lib_IntVector_Intrinsics_vec256 e0 = hash[4U]; + Lib_IntVector_Intrinsics_vec256 f0 = hash[5U]; + Lib_IntVector_Intrinsics_vec256 g0 = hash[6U]; + Lib_IntVector_Intrinsics_vec256 h02 = hash[7U]; + Lib_IntVector_Intrinsics_vec256 k_e_t = Lib_IntVector_Intrinsics_vec256_load64(k_t); + Lib_IntVector_Intrinsics_vec256 + t1 = + Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(h02, + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(e0, + (uint32_t)14U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(e0, + (uint32_t)18U), + Lib_IntVector_Intrinsics_vec256_rotate_right64(e0, (uint32_t)41U)))), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(e0, f0), + Lib_IntVector_Intrinsics_vec256_and(Lib_IntVector_Intrinsics_vec256_lognot(e0), g0))), + k_e_t), + ws_t); + Lib_IntVector_Intrinsics_vec256 + t2 = + Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(a0, + (uint32_t)28U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(a0, + (uint32_t)34U), + Lib_IntVector_Intrinsics_vec256_rotate_right64(a0, (uint32_t)39U))), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(a0, b0), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_and(a0, c0), + Lib_IntVector_Intrinsics_vec256_and(b0, c0)))); + Lib_IntVector_Intrinsics_vec256 a1 = Lib_IntVector_Intrinsics_vec256_add64(t1, t2); + 
Lib_IntVector_Intrinsics_vec256 b1 = a0; + Lib_IntVector_Intrinsics_vec256 c1 = b0; + Lib_IntVector_Intrinsics_vec256 d1 = c0; + Lib_IntVector_Intrinsics_vec256 e1 = Lib_IntVector_Intrinsics_vec256_add64(d0, t1); + Lib_IntVector_Intrinsics_vec256 f1 = e0; + Lib_IntVector_Intrinsics_vec256 g1 = f0; + Lib_IntVector_Intrinsics_vec256 h12 = g0; + hash[0U] = a1; + hash[1U] = b1; + hash[2U] = c1; + hash[3U] = d1; + hash[4U] = e1; + hash[5U] = f1; + hash[6U] = g1; + hash[7U] = h12; + } + if (i0 < (uint32_t)5U - (uint32_t)1U) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + Lib_IntVector_Intrinsics_vec256 t16 = ws[i]; + Lib_IntVector_Intrinsics_vec256 t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; + Lib_IntVector_Intrinsics_vec256 + s1 = + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(t2, + (uint32_t)19U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(t2, + (uint32_t)61U), + Lib_IntVector_Intrinsics_vec256_shift_right64(t2, (uint32_t)6U))); + Lib_IntVector_Intrinsics_vec256 + s0 = + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(t15, + (uint32_t)1U), + Lib_IntVector_Intrinsics_vec256_xor(Lib_IntVector_Intrinsics_vec256_rotate_right64(t15, + (uint32_t)8U), + Lib_IntVector_Intrinsics_vec256_shift_right64(t15, (uint32_t)7U))); + ws[i] = + Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(Lib_IntVector_Intrinsics_vec256_add64(s1, + t7), + s0), + t16); + } + } + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256 *os = hash; + Lib_IntVector_Intrinsics_vec256 + x = Lib_IntVector_Intrinsics_vec256_add64(hash[i], hash_old[i]); + os[i] = x; + } +} + +void +Hacl_SHA2_Vec256_sha512_4( + uint8_t *dst0, + uint8_t *dst1, + uint8_t 
*dst2, + uint8_t *dst3, + uint32_t input_len, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3 +) +{ + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + ib = { .fst = input0, .snd = { .fst = input1, .snd = { .fst = input2, .snd = input3 } } }; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + rb = { .fst = dst0, .snd = { .fst = dst1, .snd = { .fst = dst2, .snd = dst3 } } }; + Lib_IntVector_Intrinsics_vec256 st[8U]; + for (uint32_t _i = 0U; _i < (uint32_t)8U; ++_i) + st[_i] = Lib_IntVector_Intrinsics_vec256_zero; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256 *os = st; + uint64_t hi = Hacl_Impl_SHA2_Generic_h512[i]; + Lib_IntVector_Intrinsics_vec256 x = Lib_IntVector_Intrinsics_vec256_load64(hi); + os[i] = x; + } + uint32_t rem = input_len % (uint32_t)128U; + FStar_UInt128_uint128 len_ = FStar_UInt128_uint64_to_uint128((uint64_t)input_len); + uint32_t blocks0 = input_len / (uint32_t)128U; + for (uint32_t i = (uint32_t)0U; i < blocks0; i++) + { + uint8_t *b3 = ib.snd.snd.snd; + uint8_t *b2 = ib.snd.snd.fst; + uint8_t *b1 = ib.snd.fst; + uint8_t *b0 = ib.fst; + uint8_t *bl0 = b0 + i * (uint32_t)128U; + uint8_t *bl1 = b1 + i * (uint32_t)128U; + uint8_t *bl2 = b2 + i * (uint32_t)128U; + uint8_t *bl3 = b3 + i * (uint32_t)128U; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb = { .fst = bl0, .snd = { .fst = bl1, .snd = { .fst = bl2, .snd = bl3 } } }; + sha512_update4(mb, st); + } + uint32_t rem1 = input_len % (uint32_t)128U; + uint8_t *b3 = ib.snd.snd.snd; + uint8_t *b20 = ib.snd.snd.fst; + uint8_t *b10 = ib.snd.fst; + uint8_t *b00 = ib.fst; + uint8_t *bl0 = b00 + input_len - rem1; + uint8_t *bl1 = b10 + input_len - rem1; + uint8_t *bl2 = b20 + input_len - rem1; + uint8_t *bl3 = b3 + input_len - rem1; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + lb = { .fst = bl0, .snd = { .fst = bl1, .snd = { .fst = bl2, .snd = bl3 } } }; + uint32_t blocks; + if (rem + (uint32_t)16U + 
(uint32_t)1U <= (uint32_t)128U) + { + blocks = (uint32_t)1U; + } + else + { + blocks = (uint32_t)2U; + } + uint32_t fin = blocks * (uint32_t)128U; + uint8_t last[1024U] = { 0U }; + uint8_t totlen_buf[16U] = { 0U }; + FStar_UInt128_uint128 total_len_bits = FStar_UInt128_shift_left(len_, (uint32_t)3U); + store128_be(totlen_buf, total_len_bits); + uint8_t *b30 = lb.snd.snd.snd; + uint8_t *b21 = lb.snd.snd.fst; + uint8_t *b11 = lb.snd.fst; + uint8_t *b01 = lb.fst; + uint8_t *last00 = last; + uint8_t *last10 = last + (uint32_t)256U; + uint8_t *last2 = last + (uint32_t)512U; + uint8_t *last3 = last + (uint32_t)768U; + memcpy(last00, b01, rem * sizeof (uint8_t)); + last00[rem] = (uint8_t)0x80U; + memcpy(last00 + fin - (uint32_t)16U, totlen_buf, (uint32_t)16U * sizeof (uint8_t)); + uint8_t *last010 = last00; + uint8_t *last110 = last00 + (uint32_t)128U; + K____uint8_t___uint8_t_ scrut = { .fst = last010, .snd = last110 }; + uint8_t *l00 = scrut.fst; + uint8_t *l01 = scrut.snd; + memcpy(last10, b11, rem * sizeof (uint8_t)); + last10[rem] = (uint8_t)0x80U; + memcpy(last10 + fin - (uint32_t)16U, totlen_buf, (uint32_t)16U * sizeof (uint8_t)); + uint8_t *last011 = last10; + uint8_t *last111 = last10 + (uint32_t)128U; + K____uint8_t___uint8_t_ scrut0 = { .fst = last011, .snd = last111 }; + uint8_t *l10 = scrut0.fst; + uint8_t *l11 = scrut0.snd; + memcpy(last2, b21, rem * sizeof (uint8_t)); + last2[rem] = (uint8_t)0x80U; + memcpy(last2 + fin - (uint32_t)16U, totlen_buf, (uint32_t)16U * sizeof (uint8_t)); + uint8_t *last012 = last2; + uint8_t *last112 = last2 + (uint32_t)128U; + K____uint8_t___uint8_t_ scrut1 = { .fst = last012, .snd = last112 }; + uint8_t *l20 = scrut1.fst; + uint8_t *l21 = scrut1.snd; + memcpy(last3, b30, rem * sizeof (uint8_t)); + last3[rem] = (uint8_t)0x80U; + memcpy(last3 + fin - (uint32_t)16U, totlen_buf, (uint32_t)16U * sizeof (uint8_t)); + uint8_t *last01 = last3; + uint8_t *last11 = last3 + (uint32_t)128U; + K____uint8_t___uint8_t_ scrut2 = { .fst = 
last01, .snd = last11 }; + uint8_t *l30 = scrut2.fst; + uint8_t *l31 = scrut2.snd; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb0 = { .fst = l00, .snd = { .fst = l10, .snd = { .fst = l20, .snd = l30 } } }; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + mb1 = { .fst = l01, .snd = { .fst = l11, .snd = { .fst = l21, .snd = l31 } } }; + K___K____uint8_t__K____uint8_t__K____uint8_t___uint8_t__K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ + scrut3 = { .fst = mb0, .snd = mb1 }; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ last0 = scrut3.fst; + K____uint8_t__K____uint8_t__K____uint8_t___uint8_t_ last1 = scrut3.snd; + sha512_update4(last0, st); + if (blocks > (uint32_t)1U) + { + sha512_update4(last1, st); + } + KRML_CHECK_SIZE(sizeof (uint8_t), (uint32_t)4U * (uint32_t)8U * (uint32_t)8U); + uint8_t *hbuf = alloca((uint32_t)4U * (uint32_t)8U * (uint32_t)8U * sizeof (uint8_t)); + memset(hbuf, 0U, (uint32_t)4U * (uint32_t)8U * (uint32_t)8U * sizeof (uint8_t)); + Lib_IntVector_Intrinsics_vec256 v00 = st[0U]; + Lib_IntVector_Intrinsics_vec256 v10 = st[1U]; + Lib_IntVector_Intrinsics_vec256 v20 = st[2U]; + Lib_IntVector_Intrinsics_vec256 v30 = st[3U]; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v0__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v1__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v2__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 + v3__ = 
Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 st0_ = v0__; + Lib_IntVector_Intrinsics_vec256 st1_ = v2__; + Lib_IntVector_Intrinsics_vec256 st2_ = v1__; + Lib_IntVector_Intrinsics_vec256 st3_ = v3__; + Lib_IntVector_Intrinsics_vec256 v0 = st[4U]; + Lib_IntVector_Intrinsics_vec256 v1 = st[5U]; + Lib_IntVector_Intrinsics_vec256 v2 = st[6U]; + Lib_IntVector_Intrinsics_vec256 v3 = st[7U]; + Lib_IntVector_Intrinsics_vec256 + v0_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v1_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v2_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v3_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v0__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 st4_ = v0__0; + Lib_IntVector_Intrinsics_vec256 st5_ = v2__0; + Lib_IntVector_Intrinsics_vec256 st6_ = v1__0; + Lib_IntVector_Intrinsics_vec256 st7_ = v3__0; + st[0U] = st0_; + st[1U] = st4_; + st[2U] = st1_; + st[3U] = st5_; + st[4U] = st2_; + st[5U] = st6_; + st[6U] = st3_; + st[7U] = st7_; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + Lib_IntVector_Intrinsics_vec256_store64_be(hbuf + i * (uint32_t)32U, st[i]); + } + uint8_t *b31 = rb.snd.snd.snd; + uint8_t *b2 = rb.snd.snd.fst; + uint8_t *b1 = rb.snd.fst; + uint8_t *b0 = rb.fst; + memcpy(b0, hbuf, (uint32_t)64U * sizeof (uint8_t)); + memcpy(b1, hbuf + (uint32_t)64U, (uint32_t)64U * sizeof (uint8_t)); + memcpy(b2, 
hbuf + (uint32_t)128U, (uint32_t)64U * sizeof (uint8_t)); + memcpy(b31, hbuf + (uint32_t)192U, (uint32_t)64U * sizeof (uint8_t)); +} + diff --git a/src/msvc/Hacl_SHA3.c b/src/msvc/Hacl_SHA3.c new file mode 100644 index 00000000..9a9b427c --- /dev/null +++ b/src/msvc/Hacl_SHA3.c 
@@ -0,0 +1,304 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_SHA3.h" + + + +const +uint32_t +Hacl_Impl_SHA3_keccak_rotc[24U] = + { + (uint32_t)1U, (uint32_t)3U, (uint32_t)6U, (uint32_t)10U, (uint32_t)15U, (uint32_t)21U, + (uint32_t)28U, (uint32_t)36U, (uint32_t)45U, (uint32_t)55U, (uint32_t)2U, (uint32_t)14U, + (uint32_t)27U, (uint32_t)41U, (uint32_t)56U, (uint32_t)8U, (uint32_t)25U, (uint32_t)43U, + (uint32_t)62U, (uint32_t)18U, (uint32_t)39U, (uint32_t)61U, (uint32_t)20U, (uint32_t)44U + }; + +const +uint32_t +Hacl_Impl_SHA3_keccak_piln[24U] = + { + (uint32_t)10U, (uint32_t)7U, (uint32_t)11U, (uint32_t)17U, (uint32_t)18U, (uint32_t)3U, + (uint32_t)5U, (uint32_t)16U, (uint32_t)8U, (uint32_t)21U, (uint32_t)24U, (uint32_t)4U, + (uint32_t)15U, (uint32_t)23U, (uint32_t)19U, (uint32_t)13U, (uint32_t)12U, (uint32_t)2U, + (uint32_t)20U, (uint32_t)14U, (uint32_t)22U, (uint32_t)9U, (uint32_t)6U, (uint32_t)1U + }; + +const +uint64_t +Hacl_Impl_SHA3_keccak_rndc[24U] = + { + (uint64_t)0x0000000000000001U, (uint64_t)0x0000000000008082U, (uint64_t)0x800000000000808aU, + (uint64_t)0x8000000080008000U, (uint64_t)0x000000000000808bU, (uint64_t)0x0000000080000001U, + (uint64_t)0x8000000080008081U, (uint64_t)0x8000000000008009U, (uint64_t)0x000000000000008aU, + (uint64_t)0x0000000000000088U, (uint64_t)0x0000000080008009U, (uint64_t)0x000000008000000aU, + (uint64_t)0x000000008000808bU, (uint64_t)0x800000000000008bU, (uint64_t)0x8000000000008089U, + (uint64_t)0x8000000000008003U, (uint64_t)0x8000000000008002U, (uint64_t)0x8000000000000080U, + (uint64_t)0x000000000000800aU, (uint64_t)0x800000008000000aU, (uint64_t)0x8000000080008081U, + (uint64_t)0x8000000000008080U, (uint64_t)0x0000000080000001U, (uint64_t)0x8000000080008008U + }; + +inline uint64_t Hacl_Impl_SHA3_rotl(uint64_t a, uint32_t b) +{ + return a << b | a >> ((uint32_t)64U - b); +} + +void Hacl_Impl_SHA3_state_permute(uint64_t *s) +{ + for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)24U; i0++) + { + uint64_t b[5U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i 
< (uint32_t)5U; i++) + { + b[i] = + s[i + + (uint32_t)0U] + ^ + (s[i + + (uint32_t)5U] + ^ (s[i + (uint32_t)10U] ^ (s[i + (uint32_t)15U] ^ s[i + (uint32_t)20U]))); + } + for (uint32_t i1 = (uint32_t)0U; i1 < (uint32_t)5U; i1++) + { + uint64_t uu____0 = b[(i1 + (uint32_t)4U) % (uint32_t)5U]; + uint64_t + _D = uu____0 ^ Hacl_Impl_SHA3_rotl(b[(i1 + (uint32_t)1U) % (uint32_t)5U], (uint32_t)1U); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)5U; i++) + { + s[i1 + (uint32_t)5U * i] = s[i1 + (uint32_t)5U * i] ^ _D; + } + } + Lib_Memzero0_memzero(b, (uint32_t)5U * sizeof (b[0U])); + uint64_t x = s[1U]; + uint64_t b0 = x; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)24U; i++) + { + uint32_t _Y = Hacl_Impl_SHA3_keccak_piln[i]; + uint32_t r = Hacl_Impl_SHA3_keccak_rotc[i]; + uint64_t temp = s[_Y]; + s[_Y] = Hacl_Impl_SHA3_rotl(b0, r); + b0 = temp; + } + Lib_Memzero0_memzero(&b0, (uint32_t)1U * sizeof ((&b0)[0U])); + uint64_t b1[25U] = { 0U }; + memcpy(b1, s, (uint32_t)25U * sizeof (uint64_t)); + for (uint32_t i1 = (uint32_t)0U; i1 < (uint32_t)5U; i1++) + { + for (uint32_t i = (uint32_t)0U; i < (uint32_t)5U; i++) + { + s[i + (uint32_t)5U * i1] = + b1[i + + (uint32_t)5U * i1] + ^ + (~b1[(i + (uint32_t)1U) + % (uint32_t)5U + + (uint32_t)5U * i1] + & b1[(i + (uint32_t)2U) % (uint32_t)5U + (uint32_t)5U * i1]); + } + } + Lib_Memzero0_memzero(b1, (uint32_t)25U * sizeof (b1[0U])); + uint64_t c = Hacl_Impl_SHA3_keccak_rndc[i0]; + s[0U] = s[0U] ^ c; + } +} + +void Hacl_Impl_SHA3_loadState(uint32_t rateInBytes, uint8_t *input, uint64_t *s) +{ + uint8_t b[200U] = { 0U }; + memcpy(b, input, rateInBytes * sizeof (uint8_t)); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)25U; i++) + { + uint64_t u = load64_le(b + i * (uint32_t)8U); + uint64_t x = u; + s[i] = s[i] ^ x; + } + Lib_Memzero0_memzero(b, (uint32_t)200U * sizeof (b[0U])); +} + +void Hacl_Impl_SHA3_storeState(uint32_t rateInBytes, uint64_t *s, uint8_t *res) +{ + uint8_t b[200U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < 
(uint32_t)25U; i++) + { + uint64_t sj = s[i]; + store64_le(b + i * (uint32_t)8U, sj); + } + memcpy(res, b, rateInBytes * sizeof (uint8_t)); + Lib_Memzero0_memzero(b, (uint32_t)200U * sizeof (b[0U])); +} + +void +Hacl_Impl_SHA3_absorb( + uint64_t *s, + uint32_t rateInBytes, + uint32_t inputByteLen, + uint8_t *input, + uint8_t delimitedSuffix +) +{ + uint32_t nb = inputByteLen / rateInBytes; + uint32_t rem = inputByteLen % rateInBytes; + for (uint32_t i = (uint32_t)0U; i < nb; i++) + { + uint8_t *block = input + i * rateInBytes; + Hacl_Impl_SHA3_loadState(rateInBytes, block, s); + Hacl_Impl_SHA3_state_permute(s); + } + uint8_t *last = input + nb * rateInBytes; + KRML_CHECK_SIZE(sizeof (uint8_t), rateInBytes); + uint8_t *b = alloca(rateInBytes * sizeof (uint8_t)); + memset(b, 0U, rateInBytes * sizeof (uint8_t)); + memcpy(b, last, rem * sizeof (uint8_t)); + b[rem] = delimitedSuffix; + Hacl_Impl_SHA3_loadState(rateInBytes, b, s); + if (!((delimitedSuffix & (uint8_t)0x80U) == (uint8_t)0U) && rem == rateInBytes - (uint32_t)1U) + { + Hacl_Impl_SHA3_state_permute(s); + } + KRML_CHECK_SIZE(sizeof (uint8_t), rateInBytes); + uint8_t *b1 = alloca(rateInBytes * sizeof (uint8_t)); + memset(b1, 0U, rateInBytes * sizeof (uint8_t)); + b1[rateInBytes - (uint32_t)1U] = (uint8_t)0x80U; + Hacl_Impl_SHA3_loadState(rateInBytes, b1, s); + Hacl_Impl_SHA3_state_permute(s); + Lib_Memzero0_memzero(b1, rateInBytes * sizeof (b1[0U])); + Lib_Memzero0_memzero(b, rateInBytes * sizeof (b[0U])); +} + +void +Hacl_Impl_SHA3_squeeze( + uint64_t *s, + uint32_t rateInBytes, + uint32_t outputByteLen, + uint8_t *output +) +{ + uint32_t outBlocks = outputByteLen / rateInBytes; + uint32_t remOut = outputByteLen % rateInBytes; + uint8_t *last = output + outputByteLen - remOut; + uint8_t *blocks = output; + for (uint32_t i = (uint32_t)0U; i < outBlocks; i++) + { + Hacl_Impl_SHA3_storeState(rateInBytes, s, blocks + i * rateInBytes); + Hacl_Impl_SHA3_state_permute(s); + } + Hacl_Impl_SHA3_storeState(remOut, s, 
last); +} + +void +Hacl_Impl_SHA3_keccak( + uint32_t rate, + uint32_t capacity, + uint32_t inputByteLen, + uint8_t *input, + uint8_t delimitedSuffix, + uint32_t outputByteLen, + uint8_t *output +) +{ + uint32_t rateInBytes = rate / (uint32_t)8U; + uint64_t s[25U] = { 0U }; + Hacl_Impl_SHA3_absorb(s, rateInBytes, inputByteLen, input, delimitedSuffix); + Hacl_Impl_SHA3_squeeze(s, rateInBytes, outputByteLen, output); +} + +void +Hacl_SHA3_shake128_hacl( + uint32_t inputByteLen, + uint8_t *input, + uint32_t outputByteLen, + uint8_t *output +) +{ + Hacl_Impl_SHA3_keccak((uint32_t)1344U, + (uint32_t)256U, + inputByteLen, + input, + (uint8_t)0x1FU, + outputByteLen, + output); +} + +void +Hacl_SHA3_shake256_hacl( + uint32_t inputByteLen, + uint8_t *input, + uint32_t outputByteLen, + uint8_t *output +) +{ + Hacl_Impl_SHA3_keccak((uint32_t)1088U, + (uint32_t)512U, + inputByteLen, + input, + (uint8_t)0x1FU, + outputByteLen, + output); +} + +void Hacl_SHA3_sha3_224(uint32_t inputByteLen, uint8_t *input, uint8_t *output) +{ + Hacl_Impl_SHA3_keccak((uint32_t)1152U, + (uint32_t)448U, + inputByteLen, + input, + (uint8_t)0x06U, + (uint32_t)28U, + output); +} + +void Hacl_SHA3_sha3_256(uint32_t inputByteLen, uint8_t *input, uint8_t *output) +{ + Hacl_Impl_SHA3_keccak((uint32_t)1088U, + (uint32_t)512U, + inputByteLen, + input, + (uint8_t)0x06U, + (uint32_t)32U, + output); +} + +void Hacl_SHA3_sha3_384(uint32_t inputByteLen, uint8_t *input, uint8_t *output) +{ + Hacl_Impl_SHA3_keccak((uint32_t)832U, + (uint32_t)768U, + inputByteLen, + input, + (uint8_t)0x06U, + (uint32_t)48U, + output); +} + +void Hacl_SHA3_sha3_512(uint32_t inputByteLen, uint8_t *input, uint8_t *output) +{ + Hacl_Impl_SHA3_keccak((uint32_t)576U, + (uint32_t)1024U, + inputByteLen, + input, + (uint8_t)0x06U, + (uint32_t)64U, + output); +} + diff --git a/src/msvc/Hacl_Salsa20.c b/src/msvc/Hacl_Salsa20.c new file mode 100644 index 00000000..044219e0 --- /dev/null +++ b/src/msvc/Hacl_Salsa20.c 
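Review bot: `Hacl_Impl_SHA3_keccak` leaves the full sponge state `s[25U]` on the stack after `Hacl_Impl_SHA3_squeeze` returns, while every other temporary in this file (`b`, `b0` and `b1` in `state_permute`, the 200-byte buffers in `loadState`/`storeState`, `b`/`b1` in `absorb`) is scrubbed with `Lib_Memzero0_memzero`; when the input is secret (e.g. SHAKE used as a KDF or PRF) the state is the one buffer that still reveals it. Adding `Lib_Memzero0_memzero(s, (uint32_t)25U * sizeof (s[0U]));` after the squeeze call would make the cleanup consistent. Separately, `Hacl_Impl_SHA3_rotl` computes `a >> ((uint32_t)64U - b)`, which is undefined for `b == 0`; all visible callers pass 1..62 from `keccak_rotc` or the constant 1, so a comment such as `/* requires 0 < b < 64 */` would keep that precondition visible for other callers of this non-static helper. Since this file is generated (the KreMLin markers elsewhere in the diff), both changes presumably belong in the F* source rather than in this output.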
@@ -0,0 +1,429 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Salsa20.h" + + + +static inline void quarter_round(uint32_t *st, uint32_t a, uint32_t b, uint32_t c, uint32_t d) +{ + uint32_t sta = st[b]; + uint32_t stb0 = st[a]; + uint32_t std0 = st[d]; + uint32_t sta1 = sta ^ ((stb0 + std0) << (uint32_t)7U | (stb0 + std0) >> (uint32_t)25U); + st[b] = sta1; + uint32_t sta0 = st[c]; + uint32_t stb1 = st[b]; + uint32_t std1 = st[a]; + uint32_t sta10 = sta0 ^ ((stb1 + std1) << (uint32_t)9U | (stb1 + std1) >> (uint32_t)23U); + st[c] = sta10; + uint32_t sta2 = st[d]; + uint32_t stb2 = st[c]; + uint32_t std2 = st[b]; + uint32_t sta11 = sta2 ^ ((stb2 + std2) << (uint32_t)13U | (stb2 + std2) >> (uint32_t)19U); + st[d] = sta11; + uint32_t sta3 = st[a]; + uint32_t stb = st[d]; + uint32_t std = st[c]; + uint32_t sta12 = sta3 ^ ((stb + std) << (uint32_t)18U | (stb + std) >> (uint32_t)14U); + st[a] = sta12; +} + +static inline void double_round(uint32_t *st) +{ + quarter_round(st, (uint32_t)0U, (uint32_t)4U, (uint32_t)8U, (uint32_t)12U); + quarter_round(st, (uint32_t)5U, (uint32_t)9U, (uint32_t)13U, (uint32_t)1U); + quarter_round(st, (uint32_t)10U, (uint32_t)14U, (uint32_t)2U, (uint32_t)6U); + quarter_round(st, (uint32_t)15U, (uint32_t)3U, (uint32_t)7U, (uint32_t)11U); + quarter_round(st, (uint32_t)0U, (uint32_t)1U, (uint32_t)2U, (uint32_t)3U); + quarter_round(st, (uint32_t)5U, (uint32_t)6U, (uint32_t)7U, (uint32_t)4U); + quarter_round(st, (uint32_t)10U, (uint32_t)11U, (uint32_t)8U, (uint32_t)9U); + quarter_round(st, (uint32_t)15U, (uint32_t)12U, (uint32_t)13U, (uint32_t)14U); +} + +static inline void rounds(uint32_t *st) +{ + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); + double_round(st); +} + +static inline void salsa20_core(uint32_t *k, uint32_t *ctx, uint32_t ctr) +{ + memcpy(k, ctx, (uint32_t)16U * sizeof (uint32_t)); + uint32_t ctr_u32 = ctr; + k[8U] = k[8U] + ctr_u32; + 
rounds(k); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = k; + uint32_t x = k[i] + ctx[i]; + os[i] = x; + } + k[8U] = k[8U] + ctr_u32; +} + +static inline void salsa20_key_block0(uint8_t *out, uint8_t *key, uint8_t *n) +{ + uint32_t ctx[16U] = { 0U }; + uint32_t k[16U] = { 0U }; + uint32_t k32[8U] = { 0U }; + uint32_t n32[2U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = k32; + uint8_t *bj = key + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t *os = n32; + uint8_t *bj = n + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + ctx[0U] = (uint32_t)0x61707865U; + uint32_t *k0 = k32; + uint32_t *k1 = k32 + (uint32_t)4U; + memcpy(ctx + (uint32_t)1U, k0, (uint32_t)4U * sizeof (uint32_t)); + ctx[5U] = (uint32_t)0x3320646eU; + memcpy(ctx + (uint32_t)6U, n32, (uint32_t)2U * sizeof (uint32_t)); + ctx[8U] = (uint32_t)0U; + ctx[9U] = (uint32_t)0U; + ctx[10U] = (uint32_t)0x79622d32U; + memcpy(ctx + (uint32_t)11U, k1, (uint32_t)4U * sizeof (uint32_t)); + ctx[15U] = (uint32_t)0x6b206574U; + salsa20_core(k, ctx, (uint32_t)0U); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + store32_le(out + i * (uint32_t)4U, k[i]); + } +} + +static inline void +salsa20_encrypt( + uint32_t len, + uint8_t *out, + uint8_t *text, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + uint32_t ctx[16U] = { 0U }; + uint32_t k32[8U] = { 0U }; + uint32_t n32[2U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = k32; + uint8_t *bj = key + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t *os = n32; + uint8_t *bj = n + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + 
uint32_t x = r; + os[i] = x; + } + ctx[0U] = (uint32_t)0x61707865U; + uint32_t *k0 = k32; + uint32_t *k10 = k32 + (uint32_t)4U; + memcpy(ctx + (uint32_t)1U, k0, (uint32_t)4U * sizeof (uint32_t)); + ctx[5U] = (uint32_t)0x3320646eU; + memcpy(ctx + (uint32_t)6U, n32, (uint32_t)2U * sizeof (uint32_t)); + ctx[8U] = ctr; + ctx[9U] = (uint32_t)0U; + ctx[10U] = (uint32_t)0x79622d32U; + memcpy(ctx + (uint32_t)11U, k10, (uint32_t)4U * sizeof (uint32_t)); + ctx[15U] = (uint32_t)0x6b206574U; + uint32_t k[16U] = { 0U }; + uint32_t rem = len % (uint32_t)64U; + uint32_t nb = len / (uint32_t)64U; + uint32_t rem1 = len % (uint32_t)64U; + for (uint32_t i0 = (uint32_t)0U; i0 < nb; i0++) + { + uint8_t *uu____0 = out + i0 * (uint32_t)64U; + uint8_t *uu____1 = text + i0 * (uint32_t)64U; + uint32_t k1[16U] = { 0U }; + salsa20_core(k1, ctx, i0); + uint32_t bl[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint8_t *bj = uu____1 + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint32_t x = bl[i] ^ k1[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + store32_le(uu____0 + i * (uint32_t)4U, bl[i]); + } + } + if (rem1 > (uint32_t)0U) + { + uint8_t *uu____2 = out + nb * (uint32_t)64U; + uint8_t *uu____3 = text + nb * (uint32_t)64U; + uint8_t plain[64U] = { 0U }; + memcpy(plain, uu____3, rem * sizeof (uint8_t)); + uint32_t k1[16U] = { 0U }; + salsa20_core(k1, ctx, nb); + uint32_t bl[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint8_t *bj = plain + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint32_t x = bl[i] ^ k1[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < 
(uint32_t)16U; i++) + { + store32_le(plain + i * (uint32_t)4U, bl[i]); + } + memcpy(uu____2, plain, rem * sizeof (uint8_t)); + } +} + +static inline void +salsa20_decrypt( + uint32_t len, + uint8_t *out, + uint8_t *cipher, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + uint32_t ctx[16U] = { 0U }; + uint32_t k32[8U] = { 0U }; + uint32_t n32[2U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = k32; + uint8_t *bj = key + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i++) + { + uint32_t *os = n32; + uint8_t *bj = n + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + ctx[0U] = (uint32_t)0x61707865U; + uint32_t *k0 = k32; + uint32_t *k10 = k32 + (uint32_t)4U; + memcpy(ctx + (uint32_t)1U, k0, (uint32_t)4U * sizeof (uint32_t)); + ctx[5U] = (uint32_t)0x3320646eU; + memcpy(ctx + (uint32_t)6U, n32, (uint32_t)2U * sizeof (uint32_t)); + ctx[8U] = ctr; + ctx[9U] = (uint32_t)0U; + ctx[10U] = (uint32_t)0x79622d32U; + memcpy(ctx + (uint32_t)11U, k10, (uint32_t)4U * sizeof (uint32_t)); + ctx[15U] = (uint32_t)0x6b206574U; + uint32_t k[16U] = { 0U }; + uint32_t rem = len % (uint32_t)64U; + uint32_t nb = len / (uint32_t)64U; + uint32_t rem1 = len % (uint32_t)64U; + for (uint32_t i0 = (uint32_t)0U; i0 < nb; i0++) + { + uint8_t *uu____0 = out + i0 * (uint32_t)64U; + uint8_t *uu____1 = cipher + i0 * (uint32_t)64U; + uint32_t k1[16U] = { 0U }; + salsa20_core(k1, ctx, i0); + uint32_t bl[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint8_t *bj = uu____1 + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint32_t x = bl[i] ^ k1[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; 
i++) + { + store32_le(uu____0 + i * (uint32_t)4U, bl[i]); + } + } + if (rem1 > (uint32_t)0U) + { + uint8_t *uu____2 = out + nb * (uint32_t)64U; + uint8_t *uu____3 = cipher + nb * (uint32_t)64U; + uint8_t plain[64U] = { 0U }; + memcpy(plain, uu____3, rem * sizeof (uint8_t)); + uint32_t k1[16U] = { 0U }; + salsa20_core(k1, ctx, nb); + uint32_t bl[16U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint8_t *bj = plain + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + uint32_t *os = bl; + uint32_t x = bl[i] ^ k1[i]; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i++) + { + store32_le(plain + i * (uint32_t)4U, bl[i]); + } + memcpy(uu____2, plain, rem * sizeof (uint8_t)); + } +} + +static inline void hsalsa20(uint8_t *out, uint8_t *key, uint8_t *n) +{ + uint32_t ctx[16U] = { 0U }; + uint32_t k32[8U] = { 0U }; + uint32_t n32[4U] = { 0U }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + uint32_t *os = k32; + uint8_t *bj = key + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i++) + { + uint32_t *os = n32; + uint8_t *bj = n + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x; + } + uint32_t *k0 = k32; + uint32_t *k1 = k32 + (uint32_t)4U; + ctx[0U] = (uint32_t)0x61707865U; + memcpy(ctx + (uint32_t)1U, k0, (uint32_t)4U * sizeof (uint32_t)); + ctx[5U] = (uint32_t)0x3320646eU; + memcpy(ctx + (uint32_t)6U, n32, (uint32_t)4U * sizeof (uint32_t)); + ctx[10U] = (uint32_t)0x79622d32U; + memcpy(ctx + (uint32_t)11U, k1, (uint32_t)4U * sizeof (uint32_t)); + ctx[15U] = (uint32_t)0x6b206574U; + rounds(ctx); + uint32_t r0 = ctx[0U]; + uint32_t r1 = ctx[5U]; + uint32_t r2 = ctx[10U]; + uint32_t r3 = ctx[15U]; + uint32_t r4 = ctx[6U]; + 
uint32_t r5 = ctx[7U]; + uint32_t r6 = ctx[8U]; + uint32_t r7 = ctx[9U]; + uint32_t res[8U] = { r0, r1, r2, r3, r4, r5, r6, r7 }; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i++) + { + store32_le(out + i * (uint32_t)4U, res[i]); + } +} + +void +Hacl_Salsa20_salsa20_encrypt( + uint32_t len, + uint8_t *out, + uint8_t *text, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + salsa20_encrypt(len, out, text, key, n, ctr); +} + +void +Hacl_Salsa20_salsa20_decrypt( + uint32_t len, + uint8_t *out, + uint8_t *cipher, + uint8_t *key, + uint8_t *n, + uint32_t ctr +) +{ + salsa20_decrypt(len, out, cipher, key, n, ctr); +} + +void Hacl_Salsa20_salsa20_key_block0(uint8_t *out, uint8_t *key, uint8_t *n) +{ + salsa20_key_block0(out, key, n); +} + +void Hacl_Salsa20_hsalsa20(uint8_t *out, uint8_t *key, uint8_t *n) +{ + hsalsa20(out, key, n); +} + diff --git a/src/msvc/Hacl_Spec.c b/src/msvc/Hacl_Spec.c new file mode 100644 index 00000000..7dacd2c4 --- /dev/null +++ b/src/msvc/Hacl_Spec.c 
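Review bot: The block counter in `salsa20_encrypt`/`salsa20_decrypt` is only 32 bits wide — `ctx[8U] = ctr; ctx[9U] = (uint32_t)0U;` pins the high word to zero and `salsa20_core` adds the block index with `k[8U] = k[8U] + ctr_u32;`, so `ctr + nb` past `UINT32_MAX` wraps back to block 0 and re-emits keystream instead of carrying into `ctx[9U]`. Nothing in the public `Hacl_Salsa20_salsa20_encrypt`/`_decrypt` wrappers states this, so callers that resume with a large `ctr` get no warning; a doc comment such as `/* ctr + len/64 must not exceed UINT32_MAX: the counter is 32-bit and wraps without carry */` (or a range check in the caller) is the minimum. The key-derived `k32`, `ctx` and `k1` arrays and the partial-block `plain` buffer are left on the stack when these functions return, whereas the SHA3 file added by this same commit scrubs its temporaries with `Lib_Memzero0_memzero`; and `uint32_t k[16U] = { 0U };` in both encrypt and decrypt is never read. As this is generated code, those fixes presumably belong in the F* source rather than here.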
@@ -0,0 +1,53 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "internal/Hacl_Spec.h" + + + +Spec_Agile_Cipher_cipher_alg +Spec_Cipher_Expansion_cipher_alg_of_impl(Spec_Cipher_Expansion_impl i) +{ + switch (i) + { + case Spec_Cipher_Expansion_Hacl_CHACHA20: + { + return Spec_Agile_Cipher_CHACHA20; + } + case Spec_Cipher_Expansion_Vale_AES128: + { + return Spec_Agile_Cipher_AES128; + } + case Spec_Cipher_Expansion_Vale_AES256: + { + return Spec_Agile_Cipher_AES256; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + diff --git a/src/msvc/Hacl_Streaming_Blake2.c b/src/msvc/Hacl_Streaming_Blake2.c new file mode 100644 index 00000000..7e2f87ce --- /dev/null +++ b/src/msvc/Hacl_Streaming_Blake2.c 
@@ -0,0 +1,1179 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Streaming_Blake2.h" + + + +uint32_t +Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_alg a, Hacl_Impl_Blake2_Core_m_spec m) +{ + switch (m) + { + case Hacl_Impl_Blake2_Core_M32: + { + switch (a) + { + case Spec_Blake2_Blake2S: + { + return (uint32_t)64U; + } + case Spec_Blake2_Blake2B: + { + return (uint32_t)128U; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + break; + } + case Hacl_Impl_Blake2_Core_M128: + { + switch (a) + { + case Spec_Blake2_Blake2S: + { + return (uint32_t)64U; + } + case Spec_Blake2_Blake2B: + { + return (uint32_t)128U; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + break; + } + case Hacl_Impl_Blake2_Core_M256: + { + switch (a) + { + case Spec_Blake2_Blake2S: + { + return (uint32_t)64U; + } + case Spec_Blake2_Blake2B: + { + return (uint32_t)128U; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + break; + } + default: + { + KRML_HOST_EPRINTF("KreMLin incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +/* + State allocation function when there is no key +*/ +Hacl_Streaming_Blake2_blake2s_32_state *Hacl_Streaming_Blake2_blake2s_32_no_key_create_in() +{ + KRML_CHECK_SIZE(sizeof (uint8_t), + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32)); + uint8_t + *buf = + KRML_HOST_CALLOC(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32), + sizeof (uint8_t)); + uint32_t *wv = KRML_HOST_CALLOC((uint32_t)16U, sizeof (uint32_t)); + uint32_t *b = KRML_HOST_CALLOC((uint32_t)16U, sizeof (uint32_t)); + Hacl_Streaming_Blake2_blake2s_32_block_state block_state = { .fst = wv, .snd = b }; + Hacl_Streaming_Blake2_blake2s_32_state + s1 = { .block_state = block_state, .buf = buf, 
.total_len = (uint64_t)0U }; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_Blake2_blake2s_32_state), (uint32_t)1U); + Hacl_Streaming_Blake2_blake2s_32_state + *p = KRML_HOST_MALLOC(sizeof (Hacl_Streaming_Blake2_blake2s_32_state)); + p[0U] = s1; + Hacl_Blake2s_32_blake2s_init(block_state.snd, (uint32_t)0U, (uint32_t)32U); + return p; +} + +/* + (Re-)initialization function when there is no key +*/ +void Hacl_Streaming_Blake2_blake2s_32_no_key_init(Hacl_Streaming_Blake2_blake2s_32_state *s1) +{ + Hacl_Streaming_Blake2_blake2s_32_state scrut = *s1; + uint8_t *buf = scrut.buf; + Hacl_Streaming_Blake2_blake2s_32_block_state block_state = scrut.block_state; + Hacl_Blake2s_32_blake2s_init(block_state.snd, (uint32_t)0U, (uint32_t)32U); + s1[0U] = + ( + (Hacl_Streaming_Blake2_blake2s_32_state){ + .block_state = block_state, + .buf = buf, + .total_len = (uint64_t)0U + } + ); +} + +/* + Update function when there is no key +*/ +void +Hacl_Streaming_Blake2_blake2s_32_no_key_update( + Hacl_Streaming_Blake2_blake2s_32_state *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_Blake2_blake2s_32_state s1 = *p; + uint64_t total_len = s1.total_len; + uint32_t sz; + if + ( + total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + sz = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz = + (uint32_t)(total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32)); + } + if + ( + len + <= Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32) - sz + ) + { + Hacl_Streaming_Blake2_blake2s_32_state s2 = *p; + Hacl_Streaming_Blake2_blake2s_32_block_state block_state1 = s2.block_state; + uint8_t *buf = s2.buf; + uint64_t total_len1 = s2.total_len; + uint32_t sz1; + if + ( + total_len1 + % + 
(uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32)); + } + uint8_t *buf2 = buf + sz1; + memcpy(buf2, data, len * sizeof (uint8_t)); + uint64_t total_len2 = total_len1 + (uint64_t)len; + *p + = + ( + (Hacl_Streaming_Blake2_blake2s_32_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len2 + } + ); + return; + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_Blake2_blake2s_32_state s2 = *p; + Hacl_Streaming_Blake2_blake2s_32_block_state block_state1 = s2.block_state; + uint8_t *buf = s2.buf; + uint64_t total_len1 = s2.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32)); + } + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + uint32_t + nb = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + / (uint32_t)64U; + Hacl_Blake2s_32_blake2s_update_multi(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32), + block_state1.fst, + block_state1.snd, + prevlen, + buf, + nb); + } + uint32_t ite; + if + ( + (uint64_t)len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && (uint64_t)len > (uint64_t)0U + ) + { + ite = 
Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + } + else + { + ite = + (uint32_t)((uint64_t)len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32)); + } + uint32_t + n_blocks = + (len - ite) + / Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + uint32_t + data1_len = + n_blocks + * Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + uint32_t data2_len = len - data1_len; + uint8_t *data1 = data; + uint8_t *data2 = data + data1_len; + uint32_t nb = data1_len / (uint32_t)64U; + Hacl_Blake2s_32_blake2s_update_multi(data1_len, + block_state1.fst, + block_state1.snd, + total_len1, + data1, + nb); + uint8_t *dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_Blake2_blake2s_32_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)len + } + ); + return; + } + uint32_t + diff = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_Blake2_blake2s_32_state s2 = *p; + Hacl_Streaming_Blake2_blake2s_32_block_state block_state10 = s2.block_state; + uint8_t *buf0 = s2.buf; + uint64_t total_len10 = s2.total_len; + uint32_t sz10; + if + ( + total_len10 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len10 > (uint64_t)0U + ) + { + sz10 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz10 = + (uint32_t)(total_len10 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32)); + } + uint8_t *buf2 = buf0 + sz10; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + uint64_t total_len2 = total_len10 + (uint64_t)diff; + *p + = + ( + 
(Hacl_Streaming_Blake2_blake2s_32_state){ + .block_state = block_state10, + .buf = buf0, + .total_len = total_len2 + } + ); + Hacl_Streaming_Blake2_blake2s_32_state s20 = *p; + Hacl_Streaming_Blake2_blake2s_32_block_state block_state1 = s20.block_state; + uint8_t *buf = s20.buf; + uint64_t total_len1 = s20.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32)); + } + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + uint32_t + nb = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + / (uint32_t)64U; + Hacl_Blake2s_32_blake2s_update_multi(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32), + block_state1.fst, + block_state1.snd, + prevlen, + buf, + nb); + } + uint32_t ite; + if + ( + (uint64_t)(len - diff) + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + } + else + { + ite = + (uint32_t)((uint64_t)(len - diff) + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32)); + } + uint32_t + n_blocks = + (len - diff - ite) + / Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + uint32_t + data1_len = + n_blocks + * Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + uint32_t data2_len = len - diff - data1_len; + uint8_t 
*data11 = data2; + uint8_t *data21 = data2 + data1_len; + uint32_t nb = data1_len / (uint32_t)64U; + Hacl_Blake2s_32_blake2s_update_multi(data1_len, + block_state1.fst, + block_state1.snd, + total_len1, + data11, + nb); + uint8_t *dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_Blake2_blake2s_32_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)(len - diff) + } + ); +} + +/* + Finish function when there is no key +*/ +void +Hacl_Streaming_Blake2_blake2s_32_no_key_finish( + Hacl_Streaming_Blake2_blake2s_32_state *p, + uint8_t *dst +) +{ + Hacl_Streaming_Blake2_blake2s_32_state scrut = *p; + Hacl_Streaming_Blake2_blake2s_32_block_state block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32); + } + else + { + r = + (uint32_t)(total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M32)); + } + uint8_t *buf_1 = buf_; + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * (uint32_t)4U); + uint32_t *wv = alloca((uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + memset(wv, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), (uint32_t)4U * (uint32_t)4U); + uint32_t *b = alloca((uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + memset(b, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint32_t)); + Hacl_Streaming_Blake2_blake2s_32_block_state tmp_block_state = { .fst = wv, .snd = b }; + uint32_t *src_b = block_state.snd; + uint32_t *dst_b = tmp_block_state.snd; + memcpy(dst_b, src_b, (uint32_t)16U * sizeof (uint32_t)); + uint64_t prev_len = total_len - (uint64_t)r; + 
uint32_t ite0; + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite0 = (uint32_t)64U; + } + else + { + ite0 = r % (uint32_t)64U; + } + uint8_t *buf_last = buf_1 + r - ite0; + uint8_t *buf_multi = buf_1; + uint32_t ite1; + if + ( + (uint32_t)64U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32) + ) + { + ite1 = (uint32_t)0U; + } + else + { + uint32_t ite; + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = r % (uint32_t)64U; + } + ite1 = r - ite; + } + uint32_t nb = ite1 / (uint32_t)64U; + uint32_t ite2; + if + ( + (uint32_t)64U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32) + ) + { + ite2 = (uint32_t)0U; + } + else + { + uint32_t ite; + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = r % (uint32_t)64U; + } + ite2 = r - ite; + } + Hacl_Blake2s_32_blake2s_update_multi(ite2, + tmp_block_state.fst, + tmp_block_state.snd, + prev_len, + buf_multi, + nb); + uint32_t ite3; + if + ( + (uint32_t)64U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32) + ) + { + ite3 = r; + } + else if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite3 = (uint32_t)64U; + } + else + { + ite3 = r % (uint32_t)64U; + } + uint64_t prev_len_last = total_len - (uint64_t)ite3; + uint32_t ite4; + if + ( + (uint32_t)64U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32) + ) + { + ite4 = r; + } + else if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite4 = (uint32_t)64U; + } + else + { + ite4 = r % (uint32_t)64U; + } + uint32_t ite; + if + ( + (uint32_t)64U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M32) + ) + { + ite = r; + } + else if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)64U; + } + else 
+ { + ite = r % (uint32_t)64U; + } + Hacl_Blake2s_32_blake2s_update_last(ite4, + tmp_block_state.fst, + tmp_block_state.snd, + prev_len_last, + ite, + buf_last); + Hacl_Blake2s_32_blake2s_finish((uint32_t)32U, dst, tmp_block_state.snd); +} + +/* + Free state function when there is no key +*/ +void Hacl_Streaming_Blake2_blake2s_32_no_key_free(Hacl_Streaming_Blake2_blake2s_32_state *s1) +{ + Hacl_Streaming_Blake2_blake2s_32_state scrut = *s1; + uint8_t *buf = scrut.buf; + Hacl_Streaming_Blake2_blake2s_32_block_state block_state = scrut.block_state; + uint32_t *wv = block_state.fst; + uint32_t *b = block_state.snd; + KRML_HOST_FREE(wv); + KRML_HOST_FREE(b); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s1); +} + +/* + State allocation function when there is no key +*/ +Hacl_Streaming_Blake2_blake2b_32_state *Hacl_Streaming_Blake2_blake2b_32_no_key_create_in() +{ + KRML_CHECK_SIZE(sizeof (uint8_t), + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32)); + uint8_t + *buf = + KRML_HOST_CALLOC(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32), + sizeof (uint8_t)); + uint64_t *wv = KRML_HOST_CALLOC((uint32_t)16U, sizeof (uint64_t)); + uint64_t *b = KRML_HOST_CALLOC((uint32_t)16U, sizeof (uint64_t)); + Hacl_Streaming_Blake2_blake2b_32_block_state block_state = { .fst = wv, .snd = b }; + Hacl_Streaming_Blake2_blake2b_32_state + s1 = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_Blake2_blake2b_32_state), (uint32_t)1U); + Hacl_Streaming_Blake2_blake2b_32_state + *p = KRML_HOST_MALLOC(sizeof (Hacl_Streaming_Blake2_blake2b_32_state)); + p[0U] = s1; + Hacl_Blake2b_32_blake2b_init(block_state.snd, (uint32_t)0U, (uint32_t)64U); + return p; +} + +/* + (Re)-initialization function when there is no key +*/ +void Hacl_Streaming_Blake2_blake2b_32_no_key_init(Hacl_Streaming_Blake2_blake2b_32_state *s1) +{ + Hacl_Streaming_Blake2_blake2b_32_state scrut = 
*s1; + uint8_t *buf = scrut.buf; + Hacl_Streaming_Blake2_blake2b_32_block_state block_state = scrut.block_state; + Hacl_Blake2b_32_blake2b_init(block_state.snd, (uint32_t)0U, (uint32_t)64U); + s1[0U] = + ( + (Hacl_Streaming_Blake2_blake2b_32_state){ + .block_state = block_state, + .buf = buf, + .total_len = (uint64_t)0U + } + ); +} + +/* + Update function when there is no key +*/ +void +Hacl_Streaming_Blake2_blake2b_32_no_key_update( + Hacl_Streaming_Blake2_blake2b_32_state *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_Blake2_blake2b_32_state s1 = *p; + uint64_t total_len = s1.total_len; + uint32_t sz; + if + ( + total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + sz = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz = + (uint32_t)(total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32)); + } + if + ( + len + <= Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32) - sz + ) + { + Hacl_Streaming_Blake2_blake2b_32_state s2 = *p; + Hacl_Streaming_Blake2_blake2b_32_block_state block_state1 = s2.block_state; + uint8_t *buf = s2.buf; + uint64_t total_len1 = s2.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32)); + } + uint8_t *buf2 = buf + sz1; + memcpy(buf2, data, len * sizeof (uint8_t)); + uint64_t total_len2 = total_len1 + (uint64_t)len; + *p + = + ( + 
(Hacl_Streaming_Blake2_blake2b_32_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len2 + } + ); + return; + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_Blake2_blake2b_32_state s2 = *p; + Hacl_Streaming_Blake2_blake2b_32_block_state block_state1 = s2.block_state; + uint8_t *buf = s2.buf; + uint64_t total_len1 = s2.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32)); + } + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + uint32_t + nb = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + / (uint32_t)128U; + Hacl_Blake2b_32_blake2b_update_multi(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32), + block_state1.fst, + block_state1.snd, + FStar_UInt128_uint64_to_uint128(prevlen), + buf, + nb); + } + uint32_t ite; + if + ( + (uint64_t)len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && (uint64_t)len > (uint64_t)0U + ) + { + ite = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + } + else + { + ite = + (uint32_t)((uint64_t)len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32)); + } + uint32_t + n_blocks = + (len - ite) + / Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + uint32_t + data1_len = + n_blocks + * Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + uint32_t data2_len = 
len - data1_len; + uint8_t *data1 = data; + uint8_t *data2 = data + data1_len; + uint32_t nb = data1_len / (uint32_t)128U; + Hacl_Blake2b_32_blake2b_update_multi(data1_len, + block_state1.fst, + block_state1.snd, + FStar_UInt128_uint64_to_uint128(total_len1), + data1, + nb); + uint8_t *dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_Blake2_blake2b_32_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)len + } + ); + return; + } + uint32_t + diff = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_Blake2_blake2b_32_state s2 = *p; + Hacl_Streaming_Blake2_blake2b_32_block_state block_state10 = s2.block_state; + uint8_t *buf0 = s2.buf; + uint64_t total_len10 = s2.total_len; + uint32_t sz10; + if + ( + total_len10 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len10 > (uint64_t)0U + ) + { + sz10 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz10 = + (uint32_t)(total_len10 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32)); + } + uint8_t *buf2 = buf0 + sz10; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + uint64_t total_len2 = total_len10 + (uint64_t)diff; + *p + = + ( + (Hacl_Streaming_Blake2_blake2b_32_state){ + .block_state = block_state10, + .buf = buf0, + .total_len = total_len2 + } + ); + Hacl_Streaming_Blake2_blake2b_32_state s20 = *p; + Hacl_Streaming_Blake2_blake2b_32_block_state block_state1 = s20.block_state; + uint8_t *buf = s20.buf; + uint64_t total_len1 = s20.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len1 > 
(uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32)); + } + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + uint32_t + nb = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + / (uint32_t)128U; + Hacl_Blake2b_32_blake2b_update_multi(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32), + block_state1.fst, + block_state1.snd, + FStar_UInt128_uint64_to_uint128(prevlen), + buf, + nb); + } + uint32_t ite; + if + ( + (uint64_t)(len - diff) + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + } + else + { + ite = + (uint32_t)((uint64_t)(len - diff) + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32)); + } + uint32_t + n_blocks = + (len - diff - ite) + / Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + uint32_t + data1_len = + n_blocks + * Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + uint32_t data2_len = len - diff - data1_len; + uint8_t *data11 = data2; + uint8_t *data21 = data2 + data1_len; + uint32_t nb = data1_len / (uint32_t)128U; + Hacl_Blake2b_32_blake2b_update_multi(data1_len, + block_state1.fst, + block_state1.snd, + FStar_UInt128_uint64_to_uint128(total_len1), + data11, + nb); + uint8_t *dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_Blake2_blake2b_32_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + 
(uint64_t)(len - diff) + } + ); +} + +/* + Finish function when there is no key +*/ +void +Hacl_Streaming_Blake2_blake2b_32_no_key_finish( + Hacl_Streaming_Blake2_blake2b_32_state *p, + uint8_t *dst +) +{ + Hacl_Streaming_Blake2_blake2b_32_state scrut = *p; + Hacl_Streaming_Blake2_blake2b_32_block_state block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32); + } + else + { + r = + (uint32_t)(total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M32)); + } + uint8_t *buf_1 = buf_; + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * (uint32_t)4U); + uint64_t *wv = alloca((uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + memset(wv, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), (uint32_t)4U * (uint32_t)4U); + uint64_t *b = alloca((uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + memset(b, 0U, (uint32_t)4U * (uint32_t)4U * sizeof (uint64_t)); + Hacl_Streaming_Blake2_blake2b_32_block_state tmp_block_state = { .fst = wv, .snd = b }; + uint64_t *src_b = block_state.snd; + uint64_t *dst_b = tmp_block_state.snd; + memcpy(dst_b, src_b, (uint32_t)16U * sizeof (uint64_t)); + uint64_t prev_len = total_len - (uint64_t)r; + uint32_t ite0; + if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite0 = (uint32_t)128U; + } + else + { + ite0 = r % (uint32_t)128U; + } + uint8_t *buf_last = buf_1 + r - ite0; + uint8_t *buf_multi = buf_1; + uint32_t ite1; + if + ( + (uint32_t)128U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32) + ) + { + ite1 = (uint32_t)0U; + } + else + { + uint32_t ite; + if (r % 
(uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)128U; + } + else + { + ite = r % (uint32_t)128U; + } + ite1 = r - ite; + } + uint32_t nb = ite1 / (uint32_t)128U; + uint32_t ite2; + if + ( + (uint32_t)128U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32) + ) + { + ite2 = (uint32_t)0U; + } + else + { + uint32_t ite; + if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)128U; + } + else + { + ite = r % (uint32_t)128U; + } + ite2 = r - ite; + } + Hacl_Blake2b_32_blake2b_update_multi(ite2, + tmp_block_state.fst, + tmp_block_state.snd, + FStar_UInt128_uint64_to_uint128(prev_len), + buf_multi, + nb); + uint32_t ite3; + if + ( + (uint32_t)128U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32) + ) + { + ite3 = r; + } + else if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite3 = (uint32_t)128U; + } + else + { + ite3 = r % (uint32_t)128U; + } + uint64_t prev_len_last = total_len - (uint64_t)ite3; + uint32_t ite4; + if + ( + (uint32_t)128U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32) + ) + { + ite4 = r; + } + else if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite4 = (uint32_t)128U; + } + else + { + ite4 = r % (uint32_t)128U; + } + uint32_t ite; + if + ( + (uint32_t)128U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M32) + ) + { + ite = r; + } + else if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)128U; + } + else + { + ite = r % (uint32_t)128U; + } + Hacl_Blake2b_32_blake2b_update_last(ite4, + tmp_block_state.fst, + tmp_block_state.snd, + FStar_UInt128_uint64_to_uint128(prev_len_last), + ite, + buf_last); + Hacl_Blake2b_32_blake2b_finish((uint32_t)64U, dst, tmp_block_state.snd); +} + +/* + Free state function when there is no key +*/ +void 
Hacl_Streaming_Blake2_blake2b_32_no_key_free(Hacl_Streaming_Blake2_blake2b_32_state *s1) +{ + Hacl_Streaming_Blake2_blake2b_32_state scrut = *s1; + uint8_t *buf = scrut.buf; + Hacl_Streaming_Blake2_blake2b_32_block_state block_state = scrut.block_state; + uint64_t *wv = block_state.fst; + uint64_t *b = block_state.snd; + KRML_HOST_FREE(wv); + KRML_HOST_FREE(b); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s1); +} + diff --git a/src/msvc/Hacl_Streaming_Blake2b_256.c b/src/msvc/Hacl_Streaming_Blake2b_256.c new file mode 100644 index 00000000..246edb5a --- /dev/null +++ b/src/msvc/Hacl_Streaming_Blake2b_256.c 
@@ -0,0 +1,584 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Streaming_Blake2b_256.h" + + + +/* + State allocation function when there is no key +*/ +Hacl_Streaming_Blake2b_256_blake2b_256_state +*Hacl_Streaming_Blake2b_256_blake2b_256_no_key_create_in() +{ + KRML_CHECK_SIZE(sizeof (uint8_t), + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256)); + uint8_t + *buf = + KRML_HOST_CALLOC(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256), + sizeof (uint8_t)); + Lib_IntVector_Intrinsics_vec256 + *wv = KRML_HOST_MALLOC(sizeof (Lib_IntVector_Intrinsics_vec256) * (uint32_t)4U); + for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i) + wv[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Lib_IntVector_Intrinsics_vec256 + *b = KRML_HOST_MALLOC(sizeof (Lib_IntVector_Intrinsics_vec256) * (uint32_t)4U); + for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i) + b[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state = { .fst = wv, .snd = b }; + Hacl_Streaming_Blake2b_256_blake2b_256_state + s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_Blake2b_256_blake2b_256_state), (uint32_t)1U); + Hacl_Streaming_Blake2b_256_blake2b_256_state + *p = KRML_HOST_MALLOC(sizeof (Hacl_Streaming_Blake2b_256_blake2b_256_state)); + p[0U] = s; + Hacl_Blake2b_256_blake2b_init(block_state.snd, (uint32_t)0U, (uint32_t)64U); + return p; +} + +/* + (Re-)initialization function when there is no key +*/ +void +Hacl_Streaming_Blake2b_256_blake2b_256_no_key_init( + Hacl_Streaming_Blake2b_256_blake2b_256_state *s +) +{ + Hacl_Streaming_Blake2b_256_blake2b_256_state scrut = *s; + uint8_t *buf = scrut.buf; + Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state = scrut.block_state; + Hacl_Blake2b_256_blake2b_init(block_state.snd, (uint32_t)0U, (uint32_t)64U); + s[0U] = + ( + (Hacl_Streaming_Blake2b_256_blake2b_256_state){ + .block_state = block_state, + .buf = 
buf, + .total_len = (uint64_t)0U + } + ); +} + +/* + Update function when there is no key +*/ +void +Hacl_Streaming_Blake2b_256_blake2b_256_no_key_update( + Hacl_Streaming_Blake2b_256_blake2b_256_state *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_Blake2b_256_blake2b_256_state s = *p; + uint64_t total_len = s.total_len; + uint32_t sz; + if + ( + total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + sz = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + } + else + { + sz = + (uint32_t)(total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256)); + } + if + ( + len + <= Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256) - sz + ) + { + Hacl_Streaming_Blake2b_256_blake2b_256_state s1 = *p; + Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256)); + } + uint8_t *buf2 = buf + sz1; + memcpy(buf2, data, len * sizeof (uint8_t)); + uint64_t total_len2 = total_len1 + (uint64_t)len; + *p + = + ( + (Hacl_Streaming_Blake2b_256_blake2b_256_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len2 + } + ); + return; + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_Blake2b_256_blake2b_256_state s1 = *p; + Hacl_Streaming_Blake2b_256_blake2b_256_block_state 
block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256)); + } + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + uint32_t + nb = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + / (uint32_t)128U; + Hacl_Blake2b_256_blake2b_update_multi(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256), + block_state1.fst, + block_state1.snd, + FStar_UInt128_uint64_to_uint128(prevlen), + buf, + nb); + } + uint32_t ite; + if + ( + (uint64_t)len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + == (uint64_t)0U + && (uint64_t)len > (uint64_t)0U + ) + { + ite = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + } + else + { + ite = + (uint32_t)((uint64_t)len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256)); + } + uint32_t + n_blocks = + (len - ite) + / Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + uint32_t + data1_len = + n_blocks + * Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + uint32_t data2_len = len - data1_len; + uint8_t *data1 = data; + uint8_t *data2 = data + data1_len; + uint32_t nb = data1_len / (uint32_t)128U; + Hacl_Blake2b_256_blake2b_update_multi(data1_len, + block_state1.fst, + block_state1.snd, + 
FStar_UInt128_uint64_to_uint128(total_len1), + data1, + nb); + uint8_t *dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_Blake2b_256_blake2b_256_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)len + } + ); + return; + } + uint32_t + diff = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_Blake2b_256_blake2b_256_state s1 = *p; + Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state10 = s1.block_state; + uint8_t *buf0 = s1.buf; + uint64_t total_len10 = s1.total_len; + uint32_t sz10; + if + ( + total_len10 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + == (uint64_t)0U + && total_len10 > (uint64_t)0U + ) + { + sz10 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + } + else + { + sz10 = + (uint32_t)(total_len10 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256)); + } + uint8_t *buf2 = buf0 + sz10; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + uint64_t total_len2 = total_len10 + (uint64_t)diff; + *p + = + ( + (Hacl_Streaming_Blake2b_256_blake2b_256_state){ + .block_state = block_state10, + .buf = buf0, + .total_len = total_len2 + } + ); + Hacl_Streaming_Blake2b_256_blake2b_256_state s10 = *p; + Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state1 = s10.block_state; + uint8_t *buf = s10.buf; + uint64_t total_len1 = s10.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + 
(uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256)); + } + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + uint32_t + nb = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + / (uint32_t)128U; + Hacl_Blake2b_256_blake2b_update_multi(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256), + block_state1.fst, + block_state1.snd, + FStar_UInt128_uint64_to_uint128(prevlen), + buf, + nb); + } + uint32_t ite; + if + ( + (uint64_t)(len - diff) + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + } + else + { + ite = + (uint32_t)((uint64_t)(len - diff) + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256)); + } + uint32_t + n_blocks = + (len - diff - ite) + / Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + uint32_t + data1_len = + n_blocks + * Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + uint32_t data2_len = len - diff - data1_len; + uint8_t *data11 = data2; + uint8_t *data21 = data2 + data1_len; + uint32_t nb = data1_len / (uint32_t)128U; + Hacl_Blake2b_256_blake2b_update_multi(data1_len, + block_state1.fst, + block_state1.snd, + FStar_UInt128_uint64_to_uint128(total_len1), + data11, + nb); + uint8_t *dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_Blake2b_256_blake2b_256_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)(len - diff) + } + ); +} + +/* + Finish function when there is no key +*/ +void +Hacl_Streaming_Blake2b_256_blake2b_256_no_key_finish( + 
Hacl_Streaming_Blake2b_256_blake2b_256_state *p, + uint8_t *dst +) +{ + Hacl_Streaming_Blake2b_256_blake2b_256_state scrut = *p; + Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256); + } + else + { + r = + (uint32_t)(total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, + Hacl_Impl_Blake2_Core_M256)); + } + uint8_t *buf_1 = buf_; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec256), (uint32_t)4U * (uint32_t)1U); + Lib_IntVector_Intrinsics_vec256 + *wv = alloca((uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec256)); + for (uint32_t _i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + wv[_i] = Lib_IntVector_Intrinsics_vec256_zero; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec256), (uint32_t)4U * (uint32_t)1U); + Lib_IntVector_Intrinsics_vec256 + *b = alloca((uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec256)); + for (uint32_t _i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + b[_i] = Lib_IntVector_Intrinsics_vec256_zero; + Hacl_Streaming_Blake2b_256_blake2b_256_block_state tmp_block_state = { .fst = wv, .snd = b }; + Lib_IntVector_Intrinsics_vec256 *src_b = block_state.snd; + Lib_IntVector_Intrinsics_vec256 *dst_b = tmp_block_state.snd; + memcpy(dst_b, src_b, (uint32_t)4U * sizeof (Lib_IntVector_Intrinsics_vec256)); + uint64_t prev_len = total_len - (uint64_t)r; + uint32_t ite0; + if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite0 = (uint32_t)128U; + } + else + { + ite0 = r % (uint32_t)128U; + } + uint8_t *buf_last = buf_1 + r - ite0; + uint8_t *buf_multi = buf_1; + uint32_t ite1; + 
if + ( + (uint32_t)128U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256) + ) + { + ite1 = (uint32_t)0U; + } + else + { + uint32_t ite; + if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)128U; + } + else + { + ite = r % (uint32_t)128U; + } + ite1 = r - ite; + } + uint32_t nb = ite1 / (uint32_t)128U; + uint32_t ite2; + if + ( + (uint32_t)128U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256) + ) + { + ite2 = (uint32_t)0U; + } + else + { + uint32_t ite; + if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)128U; + } + else + { + ite = r % (uint32_t)128U; + } + ite2 = r - ite; + } + Hacl_Blake2b_256_blake2b_update_multi(ite2, + tmp_block_state.fst, + tmp_block_state.snd, + FStar_UInt128_uint64_to_uint128(prev_len), + buf_multi, + nb); + uint32_t ite3; + if + ( + (uint32_t)128U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256) + ) + { + ite3 = r; + } + else if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite3 = (uint32_t)128U; + } + else + { + ite3 = r % (uint32_t)128U; + } + uint64_t prev_len_last = total_len - (uint64_t)ite3; + uint32_t ite4; + if + ( + (uint32_t)128U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256) + ) + { + ite4 = r; + } + else if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite4 = (uint32_t)128U; + } + else + { + ite4 = r % (uint32_t)128U; + } + uint32_t ite; + if + ( + (uint32_t)128U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2B, Hacl_Impl_Blake2_Core_M256) + ) + { + ite = r; + } + else if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)128U; + } + else + { + ite = r % (uint32_t)128U; + } + Hacl_Blake2b_256_blake2b_update_last(ite4, + tmp_block_state.fst, + tmp_block_state.snd, + FStar_UInt128_uint64_to_uint128(prev_len_last), + 
ite, + buf_last); + Hacl_Blake2b_256_blake2b_finish((uint32_t)64U, dst, tmp_block_state.snd); +} + +/* + Free state function when there is no key +*/ +void +Hacl_Streaming_Blake2b_256_blake2b_256_no_key_free( + Hacl_Streaming_Blake2b_256_blake2b_256_state *s +) +{ + Hacl_Streaming_Blake2b_256_blake2b_256_state scrut = *s; + uint8_t *buf = scrut.buf; + Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state = scrut.block_state; + Lib_IntVector_Intrinsics_vec256 *wv = block_state.fst; + Lib_IntVector_Intrinsics_vec256 *b = block_state.snd; + KRML_HOST_FREE(wv); + KRML_HOST_FREE(b); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s); +} + diff --git a/src/msvc/Hacl_Streaming_Blake2s_128.c b/src/msvc/Hacl_Streaming_Blake2s_128.c new file mode 100644 index 00000000..bca478cc --- /dev/null +++ b/src/msvc/Hacl_Streaming_Blake2s_128.c 
@@ -0,0 +1,584 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Streaming_Blake2s_128.h" + + + +/* + State allocation function when there is no key +*/ +Hacl_Streaming_Blake2s_128_blake2s_128_state +*Hacl_Streaming_Blake2s_128_blake2s_128_no_key_create_in() +{ + KRML_CHECK_SIZE(sizeof (uint8_t), + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128)); + uint8_t + *buf = + KRML_HOST_CALLOC(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128), + sizeof (uint8_t)); + Lib_IntVector_Intrinsics_vec128 + *wv = KRML_HOST_MALLOC(sizeof (Lib_IntVector_Intrinsics_vec128) * (uint32_t)4U); + for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i) + wv[_i] = Lib_IntVector_Intrinsics_vec128_zero; + Lib_IntVector_Intrinsics_vec128 + *b = KRML_HOST_MALLOC(sizeof (Lib_IntVector_Intrinsics_vec128) * (uint32_t)4U); + for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i) + b[_i] = Lib_IntVector_Intrinsics_vec128_zero; + Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state = { .fst = wv, .snd = b }; + Hacl_Streaming_Blake2s_128_blake2s_128_state + s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_Blake2s_128_blake2s_128_state), (uint32_t)1U); + Hacl_Streaming_Blake2s_128_blake2s_128_state + *p = KRML_HOST_MALLOC(sizeof (Hacl_Streaming_Blake2s_128_blake2s_128_state)); + p[0U] = s; + Hacl_Blake2s_128_blake2s_init(block_state.snd, (uint32_t)0U, (uint32_t)32U); + return p; +} + +/* + (Re-)initialization function when there is no key +*/ +void +Hacl_Streaming_Blake2s_128_blake2s_128_no_key_init( + Hacl_Streaming_Blake2s_128_blake2s_128_state *s +) +{ + Hacl_Streaming_Blake2s_128_blake2s_128_state scrut = *s; + uint8_t *buf = scrut.buf; + Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state = scrut.block_state; + Hacl_Blake2s_128_blake2s_init(block_state.snd, (uint32_t)0U, (uint32_t)32U); + s[0U] = + ( + (Hacl_Streaming_Blake2s_128_blake2s_128_state){ + .block_state = block_state, + .buf = 
buf, + .total_len = (uint64_t)0U + } + ); +} + +/* + Update function when there is no key +*/ +void +Hacl_Streaming_Blake2s_128_blake2s_128_no_key_update( + Hacl_Streaming_Blake2s_128_blake2s_128_state *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_Blake2s_128_blake2s_128_state s = *p; + uint64_t total_len = s.total_len; + uint32_t sz; + if + ( + total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + sz = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + } + else + { + sz = + (uint32_t)(total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128)); + } + if + ( + len + <= Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128) - sz + ) + { + Hacl_Streaming_Blake2s_128_blake2s_128_state s1 = *p; + Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128)); + } + uint8_t *buf2 = buf + sz1; + memcpy(buf2, data, len * sizeof (uint8_t)); + uint64_t total_len2 = total_len1 + (uint64_t)len; + *p + = + ( + (Hacl_Streaming_Blake2s_128_blake2s_128_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len2 + } + ); + return; + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_Blake2s_128_blake2s_128_state s1 = *p; + Hacl_Streaming_Blake2s_128_blake2s_128_block_state 
block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128)); + } + if (!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + uint32_t + nb = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + / (uint32_t)64U; + Hacl_Blake2s_128_blake2s_update_multi(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128), + block_state1.fst, + block_state1.snd, + prevlen, + buf, + nb); + } + uint32_t ite; + if + ( + (uint64_t)len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + == (uint64_t)0U + && (uint64_t)len > (uint64_t)0U + ) + { + ite = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + } + else + { + ite = + (uint32_t)((uint64_t)len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128)); + } + uint32_t + n_blocks = + (len - ite) + / Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + uint32_t + data1_len = + n_blocks + * Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + uint32_t data2_len = len - data1_len; + uint8_t *data1 = data; + uint8_t *data2 = data + data1_len; + uint32_t nb = data1_len / (uint32_t)64U; + Hacl_Blake2s_128_blake2s_update_multi(data1_len, + block_state1.fst, + block_state1.snd, + total_len1, + data1, + nb); + uint8_t *dst = buf; + memcpy(dst, data2, 
data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_Blake2s_128_blake2s_128_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)len + } + ); + return; + } + uint32_t + diff = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_Blake2s_128_blake2s_128_state s1 = *p; + Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state10 = s1.block_state; + uint8_t *buf0 = s1.buf; + uint64_t total_len10 = s1.total_len; + uint32_t sz10; + if + ( + total_len10 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + == (uint64_t)0U + && total_len10 > (uint64_t)0U + ) + { + sz10 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + } + else + { + sz10 = + (uint32_t)(total_len10 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128)); + } + uint8_t *buf2 = buf0 + sz10; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + uint64_t total_len2 = total_len10 + (uint64_t)diff; + *p + = + ( + (Hacl_Streaming_Blake2s_128_blake2s_128_state){ + .block_state = block_state10, + .buf = buf0, + .total_len = total_len2 + } + ); + Hacl_Streaming_Blake2s_128_blake2s_128_state s10 = *p; + Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state1 = s10.block_state; + uint8_t *buf = s10.buf; + uint64_t total_len1 = s10.total_len; + uint32_t sz1; + if + ( + total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + == (uint64_t)0U + && total_len1 > (uint64_t)0U + ) + { + sz1 = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + } + else + { + sz1 = + (uint32_t)(total_len1 + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128)); + } + if 
(!(sz1 == (uint32_t)0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + uint32_t + nb = + Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + / (uint32_t)64U; + Hacl_Blake2s_128_blake2s_update_multi(Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128), + block_state1.fst, + block_state1.snd, + prevlen, + buf, + nb); + } + uint32_t ite; + if + ( + (uint64_t)(len - diff) + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + } + else + { + ite = + (uint32_t)((uint64_t)(len - diff) + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128)); + } + uint32_t + n_blocks = + (len - diff - ite) + / Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + uint32_t + data1_len = + n_blocks + * Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + uint32_t data2_len = len - diff - data1_len; + uint8_t *data11 = data2; + uint8_t *data21 = data2 + data1_len; + uint32_t nb = data1_len / (uint32_t)64U; + Hacl_Blake2s_128_blake2s_update_multi(data1_len, + block_state1.fst, + block_state1.snd, + total_len1, + data11, + nb); + uint8_t *dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_Blake2s_128_blake2s_128_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)(len - diff) + } + ); +} + +/* + Finish function when there is no key +*/ +void +Hacl_Streaming_Blake2s_128_blake2s_128_no_key_finish( + Hacl_Streaming_Blake2s_128_blake2s_128_state *p, + uint8_t *dst +) +{ + Hacl_Streaming_Blake2s_128_blake2s_128_state scrut = *p; + Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state = 
scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if + ( + total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128) + == (uint64_t)0U + && total_len > (uint64_t)0U + ) + { + r = Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128); + } + else + { + r = + (uint32_t)(total_len + % + (uint64_t)Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, + Hacl_Impl_Blake2_Core_M128)); + } + uint8_t *buf_1 = buf_; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec128), (uint32_t)4U * (uint32_t)1U); + Lib_IntVector_Intrinsics_vec128 + *wv = alloca((uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec128)); + for (uint32_t _i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + wv[_i] = Lib_IntVector_Intrinsics_vec128_zero; + KRML_CHECK_SIZE(sizeof (Lib_IntVector_Intrinsics_vec128), (uint32_t)4U * (uint32_t)1U); + Lib_IntVector_Intrinsics_vec128 + *b = alloca((uint32_t)4U * (uint32_t)1U * sizeof (Lib_IntVector_Intrinsics_vec128)); + for (uint32_t _i = 0U; _i < (uint32_t)4U * (uint32_t)1U; ++_i) + b[_i] = Lib_IntVector_Intrinsics_vec128_zero; + Hacl_Streaming_Blake2s_128_blake2s_128_block_state tmp_block_state = { .fst = wv, .snd = b }; + Lib_IntVector_Intrinsics_vec128 *src_b = block_state.snd; + Lib_IntVector_Intrinsics_vec128 *dst_b = tmp_block_state.snd; + memcpy(dst_b, src_b, (uint32_t)4U * sizeof (Lib_IntVector_Intrinsics_vec128)); + uint64_t prev_len = total_len - (uint64_t)r; + uint32_t ite0; + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite0 = (uint32_t)64U; + } + else + { + ite0 = r % (uint32_t)64U; + } + uint8_t *buf_last = buf_1 + r - ite0; + uint8_t *buf_multi = buf_1; + uint32_t ite1; + if + ( + (uint32_t)64U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128) + ) + { + ite1 = (uint32_t)0U; + } + else + { + uint32_t ite; + if (r % 
(uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = r % (uint32_t)64U; + } + ite1 = r - ite; + } + uint32_t nb = ite1 / (uint32_t)64U; + uint32_t ite2; + if + ( + (uint32_t)64U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128) + ) + { + ite2 = (uint32_t)0U; + } + else + { + uint32_t ite; + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = r % (uint32_t)64U; + } + ite2 = r - ite; + } + Hacl_Blake2s_128_blake2s_update_multi(ite2, + tmp_block_state.fst, + tmp_block_state.snd, + prev_len, + buf_multi, + nb); + uint32_t ite3; + if + ( + (uint32_t)64U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128) + ) + { + ite3 = r; + } + else if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite3 = (uint32_t)64U; + } + else + { + ite3 = r % (uint32_t)64U; + } + uint64_t prev_len_last = total_len - (uint64_t)ite3; + uint32_t ite4; + if + ( + (uint32_t)64U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128) + ) + { + ite4 = r; + } + else if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite4 = (uint32_t)64U; + } + else + { + ite4 = r % (uint32_t)64U; + } + uint32_t ite; + if + ( + (uint32_t)64U + == Hacl_Streaming_Blake2_blocks_state_len(Spec_Blake2_Blake2S, Hacl_Impl_Blake2_Core_M128) + ) + { + ite = r; + } + else if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = r % (uint32_t)64U; + } + Hacl_Blake2s_128_blake2s_update_last(ite4, + tmp_block_state.fst, + tmp_block_state.snd, + prev_len_last, + ite, + buf_last); + Hacl_Blake2s_128_blake2s_finish((uint32_t)32U, dst, tmp_block_state.snd); +} + +/* + Free state function when there is no key +*/ +void +Hacl_Streaming_Blake2s_128_blake2s_128_no_key_free( + Hacl_Streaming_Blake2s_128_blake2s_128_state *s +) +{ + 
Hacl_Streaming_Blake2s_128_blake2s_128_state scrut = *s; + uint8_t *buf = scrut.buf; + Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state = scrut.block_state; + Lib_IntVector_Intrinsics_vec128 *wv = block_state.fst; + Lib_IntVector_Intrinsics_vec128 *b = block_state.snd; + KRML_HOST_FREE(wv); + KRML_HOST_FREE(b); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s); +} + diff --git a/src/msvc/Hacl_Streaming_SHA1.c b/src/msvc/Hacl_Streaming_SHA1.c new file mode 100644 index 00000000..eed6cccb --- /dev/null +++ b/src/msvc/Hacl_Streaming_SHA1.c 
@@ -0,0 +1,277 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Streaming_SHA1.h" + +#include "internal/Hacl_Hash_SHA1.h" + +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA1_legacy_create_in_sha1() +{ + uint8_t *buf = KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); + uint32_t *block_state = KRML_HOST_CALLOC((uint32_t)5U, sizeof (uint32_t)); + Hacl_Streaming_SHA2_state_sha2_224 + s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_SHA2_state_sha2_224), (uint32_t)1U); + Hacl_Streaming_SHA2_state_sha2_224 + *p = KRML_HOST_MALLOC(sizeof (Hacl_Streaming_SHA2_state_sha2_224)); + p[0U] = s; + Hacl_Hash_Core_SHA1_legacy_init(block_state); + return p; +} + +void Hacl_Streaming_SHA1_legacy_init_sha1(Hacl_Streaming_SHA2_state_sha2_224 *s) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *s; + uint8_t *buf = scrut.buf; + uint32_t *block_state = scrut.block_state; + Hacl_Hash_Core_SHA1_legacy_init(block_state); + s[0U] = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state, + .buf = buf, + .total_len = (uint64_t)0U + } + ); +} + +void +Hacl_Streaming_SHA1_legacy_update_sha1( + Hacl_Streaming_SHA2_state_sha2_224 *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_SHA2_state_sha2_224 s = *p; + uint64_t total_len = s.total_len; + uint32_t sz; + if (total_len % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len > (uint64_t)0U) + { + sz = (uint32_t)64U; + } + else + { + sz = (uint32_t)(total_len % (uint64_t)(uint32_t)64U); + } + if (len <= (uint32_t)64U - sz) + { + Hacl_Streaming_SHA2_state_sha2_224 s1 = *p; + uint32_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + uint8_t *buf2 = buf + sz1; + memcpy(buf2, data, len * sizeof (uint8_t)); + uint64_t total_len2 = 
total_len1 + (uint64_t)len; + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len2 + } + ); + return; + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_SHA2_state_sha2_224 s1 = *p; + uint32_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + if (!(sz1 == (uint32_t)0U)) + { + Hacl_Hash_SHA1_legacy_update_multi(block_state1, buf, (uint32_t)1U); + } + uint32_t ite; + if ((uint64_t)len % (uint64_t)(uint32_t)64U == (uint64_t)0U && (uint64_t)len > (uint64_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = (uint32_t)((uint64_t)len % (uint64_t)(uint32_t)64U); + } + uint32_t n_blocks = (len - ite) / (uint32_t)64U; + uint32_t data1_len = n_blocks * (uint32_t)64U; + uint32_t data2_len = len - data1_len; + uint8_t *data1 = data; + uint8_t *data2 = data + data1_len; + Hacl_Hash_SHA1_legacy_update_multi(block_state1, data1, data1_len / (uint32_t)64U); + uint8_t *dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)len + } + ); + return; + } + uint32_t diff = (uint32_t)64U - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_SHA2_state_sha2_224 s1 = *p; + uint32_t *block_state10 = s1.block_state; + uint8_t *buf0 = s1.buf; + uint64_t total_len10 = s1.total_len; + uint32_t sz10; + if (total_len10 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len10 > (uint64_t)0U) + { + sz10 = (uint32_t)64U; + } + else + { + sz10 = (uint32_t)(total_len10 % (uint64_t)(uint32_t)64U); + } + uint8_t *buf2 = buf0 + sz10; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + uint64_t total_len2 = total_len10 + 
(uint64_t)diff; + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state10, + .buf = buf0, + .total_len = total_len2 + } + ); + Hacl_Streaming_SHA2_state_sha2_224 s10 = *p; + uint32_t *block_state1 = s10.block_state; + uint8_t *buf = s10.buf; + uint64_t total_len1 = s10.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + if (!(sz1 == (uint32_t)0U)) + { + Hacl_Hash_SHA1_legacy_update_multi(block_state1, buf, (uint32_t)1U); + } + uint32_t ite; + if + ( + (uint64_t)(len - diff) + % (uint64_t)(uint32_t)64U + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = (uint32_t)64U; + } + else + { + ite = (uint32_t)((uint64_t)(len - diff) % (uint64_t)(uint32_t)64U); + } + uint32_t n_blocks = (len - diff - ite) / (uint32_t)64U; + uint32_t data1_len = n_blocks * (uint32_t)64U; + uint32_t data2_len = len - diff - data1_len; + uint8_t *data11 = data2; + uint8_t *data21 = data2 + data1_len; + Hacl_Hash_SHA1_legacy_update_multi(block_state1, data11, data1_len / (uint32_t)64U); + uint8_t *dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)(len - diff) + } + ); +} + +void +Hacl_Streaming_SHA1_legacy_finish_sha1(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *p; + uint32_t *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if (total_len % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len > (uint64_t)0U) + { + r = (uint32_t)64U; + } + else + { + r = (uint32_t)(total_len % (uint64_t)(uint32_t)64U); + } + uint8_t *buf_1 = buf_; + uint32_t tmp_block_state[5U] = { 0U }; + memcpy(tmp_block_state, block_state, 
(uint32_t)5U * sizeof (uint32_t)); + uint32_t ite; + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = r % (uint32_t)64U; + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + Hacl_Hash_SHA1_legacy_update_multi(tmp_block_state, buf_multi, (uint32_t)0U); + uint64_t prev_len_last = total_len - (uint64_t)r; + Hacl_Hash_SHA1_legacy_update_last(tmp_block_state, prev_len_last, buf_last, r); + Hacl_Hash_Core_SHA1_legacy_finish(tmp_block_state, dst); +} + +void Hacl_Streaming_SHA1_legacy_free_sha1(Hacl_Streaming_SHA2_state_sha2_224 *s) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *s; + uint8_t *buf = scrut.buf; + uint32_t *block_state = scrut.block_state; + KRML_HOST_FREE(block_state); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s); +} + diff --git a/src/msvc/Hacl_Streaming_SHA2.c b/src/msvc/Hacl_Streaming_SHA2.c new file mode 100644 index 00000000..2b9af15d --- /dev/null +++ b/src/msvc/Hacl_Streaming_SHA2.c 
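Review bot: `Hacl_Streaming_SHA1_legacy_create_in_sha1` writes through the results of `KRML_HOST_CALLOC` and `KRML_HOST_MALLOC` (`Hacl_Hash_Core_SHA1_legacy_init(block_state)`, `p[0U] = s;`) without a NULL check, so an allocation failure turns into a null-pointer write instead of a reported error; since the function already returns a pointer, failing with NULL after releasing whatever was allocated is the natural contract, as sketched below. A second hazard in the same hunk is that the SHA-1 state is typed as `Hacl_Streaming_SHA2_state_sha2_224` while its `block_state` is only 5 words (the SHA2-224 constructor in the following file allocates 8), so a SHA-1 state handed to a `Hacl_Streaming_SHA2_*_224` update or finish compiles cleanly and overruns the heap block; at minimum the create function deserves the comment `/* NOTE: state type is shared with SHA2-224 but block_state holds only 5 words here; never pass this state to a Hacl_Streaming_SHA2_* function */`, and a distinct typedef would be safer. The `KRML_HOST_*` macros and `KRML_CHECK_SIZE` suggest this file is KaRaMeL-extracted C, so both fixes presumably belong in the F* source rather than in hand edits to the emitted file.
```c
Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA1_legacy_create_in_sha1()
{
  uint8_t *buf = KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t));
  if (buf == NULL)
  {
    return NULL;
  }
  uint32_t *block_state = KRML_HOST_CALLOC((uint32_t)5U, sizeof (uint32_t));
  if (block_state == NULL)
  {
    KRML_HOST_FREE(buf);
    return NULL;
  }
  /* … unchanged: build the state value s and KRML_CHECK_SIZE … */
  Hacl_Streaming_SHA2_state_sha2_224
  *p = KRML_HOST_MALLOC(sizeof (Hacl_Streaming_SHA2_state_sha2_224));
  if (p == NULL)
  {
    KRML_HOST_FREE(block_state);
    KRML_HOST_FREE(buf);
    return NULL;
  }
  /* … unchanged: p[0U] = s; init block_state; return p … */
```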
@@ -0,0 +1,1026 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#include "Hacl_Streaming_SHA2.h" + +#include "internal/Hacl_Hash_SHA2.h" + +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_224() +{ + uint8_t *buf = KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); + uint32_t *block_state = KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); + Hacl_Streaming_SHA2_state_sha2_224 + s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_SHA2_state_sha2_224), (uint32_t)1U); + Hacl_Streaming_SHA2_state_sha2_224 + *p = KRML_HOST_MALLOC(sizeof (Hacl_Streaming_SHA2_state_sha2_224)); + p[0U] = s; + Hacl_Hash_Core_SHA2_init_224(block_state); + return p; +} + +void Hacl_Streaming_SHA2_init_224(Hacl_Streaming_SHA2_state_sha2_224 *s) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *s; + uint8_t *buf = scrut.buf; + uint32_t *block_state = scrut.block_state; + Hacl_Hash_Core_SHA2_init_224(block_state); + s[0U] = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state, + .buf = buf, + .total_len = (uint64_t)0U + } + ); +} + +void +Hacl_Streaming_SHA2_update_224( + Hacl_Streaming_SHA2_state_sha2_224 *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_SHA2_state_sha2_224 s = *p; + uint64_t total_len = s.total_len; + uint32_t sz; + if (total_len % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len > (uint64_t)0U) + { + sz = (uint32_t)64U; + } + else + { + sz = (uint32_t)(total_len % (uint64_t)(uint32_t)64U); + } + if (len <= (uint32_t)64U - sz) + { + Hacl_Streaming_SHA2_state_sha2_224 s1 = *p; + uint32_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + uint8_t *buf2 = buf + sz1; + memcpy(buf2, data, len * sizeof (uint8_t)); + uint64_t total_len2 = total_len1 + (uint64_t)len; + *p + = 
+ ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len2 + } + ); + return; + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_SHA2_state_sha2_224 s1 = *p; + uint32_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + if (!(sz1 == (uint32_t)0U)) + { + Hacl_Hash_SHA2_update_multi_224(block_state1, buf, (uint32_t)1U); + } + uint32_t ite; + if ((uint64_t)len % (uint64_t)(uint32_t)64U == (uint64_t)0U && (uint64_t)len > (uint64_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = (uint32_t)((uint64_t)len % (uint64_t)(uint32_t)64U); + } + uint32_t n_blocks = (len - ite) / (uint32_t)64U; + uint32_t data1_len = n_blocks * (uint32_t)64U; + uint32_t data2_len = len - data1_len; + uint8_t *data1 = data; + uint8_t *data2 = data + data1_len; + Hacl_Hash_SHA2_update_multi_224(block_state1, data1, data1_len / (uint32_t)64U); + uint8_t *dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)len + } + ); + return; + } + uint32_t diff = (uint32_t)64U - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_SHA2_state_sha2_224 s1 = *p; + uint32_t *block_state10 = s1.block_state; + uint8_t *buf0 = s1.buf; + uint64_t total_len10 = s1.total_len; + uint32_t sz10; + if (total_len10 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len10 > (uint64_t)0U) + { + sz10 = (uint32_t)64U; + } + else + { + sz10 = (uint32_t)(total_len10 % (uint64_t)(uint32_t)64U); + } + uint8_t *buf2 = buf0 + sz10; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + uint64_t total_len2 = total_len10 + (uint64_t)diff; + *p + = + ( + 
(Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state10, + .buf = buf0, + .total_len = total_len2 + } + ); + Hacl_Streaming_SHA2_state_sha2_224 s10 = *p; + uint32_t *block_state1 = s10.block_state; + uint8_t *buf = s10.buf; + uint64_t total_len1 = s10.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + if (!(sz1 == (uint32_t)0U)) + { + Hacl_Hash_SHA2_update_multi_224(block_state1, buf, (uint32_t)1U); + } + uint32_t ite; + if + ( + (uint64_t)(len - diff) + % (uint64_t)(uint32_t)64U + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = (uint32_t)64U; + } + else + { + ite = (uint32_t)((uint64_t)(len - diff) % (uint64_t)(uint32_t)64U); + } + uint32_t n_blocks = (len - diff - ite) / (uint32_t)64U; + uint32_t data1_len = n_blocks * (uint32_t)64U; + uint32_t data2_len = len - diff - data1_len; + uint8_t *data11 = data2; + uint8_t *data21 = data2 + data1_len; + Hacl_Hash_SHA2_update_multi_224(block_state1, data11, data1_len / (uint32_t)64U); + uint8_t *dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)(len - diff) + } + ); +} + +void Hacl_Streaming_SHA2_finish_224(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *p; + uint32_t *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if (total_len % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len > (uint64_t)0U) + { + r = (uint32_t)64U; + } + else + { + r = (uint32_t)(total_len % (uint64_t)(uint32_t)64U); + } + uint8_t *buf_1 = buf_; + uint32_t tmp_block_state[8U] = { 0U }; + memcpy(tmp_block_state, block_state, (uint32_t)8U * sizeof (uint32_t)); + uint32_t 
ite; + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = r % (uint32_t)64U; + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + Hacl_Hash_SHA2_update_multi_224(tmp_block_state, buf_multi, (uint32_t)0U); + uint64_t prev_len_last = total_len - (uint64_t)r; + Hacl_Hash_SHA2_update_last_224(tmp_block_state, prev_len_last, buf_last, r); + Hacl_Hash_Core_SHA2_finish_224(tmp_block_state, dst); +} + +void Hacl_Streaming_SHA2_free_224(Hacl_Streaming_SHA2_state_sha2_224 *s) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *s; + uint8_t *buf = scrut.buf; + uint32_t *block_state = scrut.block_state; + KRML_HOST_FREE(block_state); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s); +} + +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_256() +{ + uint8_t *buf = KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); + uint32_t *block_state = KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); + Hacl_Streaming_SHA2_state_sha2_224 + s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_SHA2_state_sha2_224), (uint32_t)1U); + Hacl_Streaming_SHA2_state_sha2_224 + *p = KRML_HOST_MALLOC(sizeof (Hacl_Streaming_SHA2_state_sha2_224)); + p[0U] = s; + Hacl_Hash_Core_SHA2_init_256(block_state); + return p; +} + +void Hacl_Streaming_SHA2_init_256(Hacl_Streaming_SHA2_state_sha2_224 *s) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *s; + uint8_t *buf = scrut.buf; + uint32_t *block_state = scrut.block_state; + Hacl_Hash_Core_SHA2_init_256(block_state); + s[0U] = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state, + .buf = buf, + .total_len = (uint64_t)0U + } + ); +} + +void +Hacl_Streaming_SHA2_update_256( + Hacl_Streaming_SHA2_state_sha2_224 *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_SHA2_state_sha2_224 s = *p; + uint64_t total_len = s.total_len; + uint32_t sz; + if (total_len % (uint64_t)(uint32_t)64U == 
(uint64_t)0U && total_len > (uint64_t)0U) + { + sz = (uint32_t)64U; + } + else + { + sz = (uint32_t)(total_len % (uint64_t)(uint32_t)64U); + } + if (len <= (uint32_t)64U - sz) + { + Hacl_Streaming_SHA2_state_sha2_224 s1 = *p; + uint32_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + uint8_t *buf2 = buf + sz1; + memcpy(buf2, data, len * sizeof (uint8_t)); + uint64_t total_len2 = total_len1 + (uint64_t)len; + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len2 + } + ); + return; + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_SHA2_state_sha2_224 s1 = *p; + uint32_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + if (!(sz1 == (uint32_t)0U)) + { + Hacl_Hash_SHA2_update_multi_256(block_state1, buf, (uint32_t)1U); + } + uint32_t ite; + if ((uint64_t)len % (uint64_t)(uint32_t)64U == (uint64_t)0U && (uint64_t)len > (uint64_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = (uint32_t)((uint64_t)len % (uint64_t)(uint32_t)64U); + } + uint32_t n_blocks = (len - ite) / (uint32_t)64U; + uint32_t data1_len = n_blocks * (uint32_t)64U; + uint32_t data2_len = len - data1_len; + uint8_t *data1 = data; + uint8_t *data2 = data + data1_len; + Hacl_Hash_SHA2_update_multi_256(block_state1, data1, data1_len / (uint32_t)64U); + uint8_t *dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state1, + .buf = buf, + .total_len 
= total_len1 + (uint64_t)len + } + ); + return; + } + uint32_t diff = (uint32_t)64U - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_SHA2_state_sha2_224 s1 = *p; + uint32_t *block_state10 = s1.block_state; + uint8_t *buf0 = s1.buf; + uint64_t total_len10 = s1.total_len; + uint32_t sz10; + if (total_len10 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len10 > (uint64_t)0U) + { + sz10 = (uint32_t)64U; + } + else + { + sz10 = (uint32_t)(total_len10 % (uint64_t)(uint32_t)64U); + } + uint8_t *buf2 = buf0 + sz10; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + uint64_t total_len2 = total_len10 + (uint64_t)diff; + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state10, + .buf = buf0, + .total_len = total_len2 + } + ); + Hacl_Streaming_SHA2_state_sha2_224 s10 = *p; + uint32_t *block_state1 = s10.block_state; + uint8_t *buf = s10.buf; + uint64_t total_len1 = s10.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + if (!(sz1 == (uint32_t)0U)) + { + Hacl_Hash_SHA2_update_multi_256(block_state1, buf, (uint32_t)1U); + } + uint32_t ite; + if + ( + (uint64_t)(len - diff) + % (uint64_t)(uint32_t)64U + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = (uint32_t)64U; + } + else + { + ite = (uint32_t)((uint64_t)(len - diff) % (uint64_t)(uint32_t)64U); + } + uint32_t n_blocks = (len - diff - ite) / (uint32_t)64U; + uint32_t data1_len = n_blocks * (uint32_t)64U; + uint32_t data2_len = len - diff - data1_len; + uint8_t *data11 = data2; + uint8_t *data21 = data2 + data1_len; + Hacl_Hash_SHA2_update_multi_256(block_state1, data11, data1_len / (uint32_t)64U); + uint8_t *dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state1, + .buf = buf, + 
.total_len = total_len1 + (uint64_t)(len - diff) + } + ); +} + +void Hacl_Streaming_SHA2_finish_256(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *p; + uint32_t *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if (total_len % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len > (uint64_t)0U) + { + r = (uint32_t)64U; + } + else + { + r = (uint32_t)(total_len % (uint64_t)(uint32_t)64U); + } + uint8_t *buf_1 = buf_; + uint32_t tmp_block_state[8U] = { 0U }; + memcpy(tmp_block_state, block_state, (uint32_t)8U * sizeof (uint32_t)); + uint32_t ite; + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = r % (uint32_t)64U; + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + Hacl_Hash_SHA2_update_multi_256(tmp_block_state, buf_multi, (uint32_t)0U); + uint64_t prev_len_last = total_len - (uint64_t)r; + Hacl_Hash_SHA2_update_last_256(tmp_block_state, prev_len_last, buf_last, r); + Hacl_Hash_Core_SHA2_finish_256(tmp_block_state, dst); +} + +void Hacl_Streaming_SHA2_free_256(Hacl_Streaming_SHA2_state_sha2_224 *s) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *s; + uint8_t *buf = scrut.buf; + uint32_t *block_state = scrut.block_state; + KRML_HOST_FREE(block_state); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s); +} + +Hacl_Streaming_SHA2_state_sha2_384 *Hacl_Streaming_SHA2_create_in_384() +{ + uint8_t *buf = KRML_HOST_CALLOC((uint32_t)128U, sizeof (uint8_t)); + uint64_t *block_state = KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint64_t)); + Hacl_Streaming_SHA2_state_sha2_384 + s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_SHA2_state_sha2_384), (uint32_t)1U); + Hacl_Streaming_SHA2_state_sha2_384 + *p = KRML_HOST_MALLOC(sizeof (Hacl_Streaming_SHA2_state_sha2_384)); + p[0U] = s; + 
Hacl_Hash_Core_SHA2_init_384(block_state); + return p; +} + +void Hacl_Streaming_SHA2_init_384(Hacl_Streaming_SHA2_state_sha2_384 *s) +{ + Hacl_Streaming_SHA2_state_sha2_384 scrut = *s; + uint8_t *buf = scrut.buf; + uint64_t *block_state = scrut.block_state; + Hacl_Hash_Core_SHA2_init_384(block_state); + s[0U] = + ( + (Hacl_Streaming_SHA2_state_sha2_384){ + .block_state = block_state, + .buf = buf, + .total_len = (uint64_t)0U + } + ); +} + +void +Hacl_Streaming_SHA2_update_384( + Hacl_Streaming_SHA2_state_sha2_384 *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_SHA2_state_sha2_384 s = *p; + uint64_t total_len = s.total_len; + uint32_t sz; + if (total_len % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len > (uint64_t)0U) + { + sz = (uint32_t)128U; + } + else + { + sz = (uint32_t)(total_len % (uint64_t)(uint32_t)128U); + } + if (len <= (uint32_t)128U - sz) + { + Hacl_Streaming_SHA2_state_sha2_384 s1 = *p; + uint64_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)128U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)128U); + } + uint8_t *buf2 = buf + sz1; + memcpy(buf2, data, len * sizeof (uint8_t)); + uint64_t total_len2 = total_len1 + (uint64_t)len; + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_384){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len2 + } + ); + return; + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_SHA2_state_sha2_384 s1 = *p; + uint64_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)128U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)128U); + } + if (!(sz1 == (uint32_t)0U)) + { + 
Hacl_Hash_SHA2_update_multi_384(block_state1, buf, (uint32_t)1U); + } + uint32_t ite; + if ((uint64_t)len % (uint64_t)(uint32_t)128U == (uint64_t)0U && (uint64_t)len > (uint64_t)0U) + { + ite = (uint32_t)128U; + } + else + { + ite = (uint32_t)((uint64_t)len % (uint64_t)(uint32_t)128U); + } + uint32_t n_blocks = (len - ite) / (uint32_t)128U; + uint32_t data1_len = n_blocks * (uint32_t)128U; + uint32_t data2_len = len - data1_len; + uint8_t *data1 = data; + uint8_t *data2 = data + data1_len; + Hacl_Hash_SHA2_update_multi_384(block_state1, data1, data1_len / (uint32_t)128U); + uint8_t *dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_384){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)len + } + ); + return; + } + uint32_t diff = (uint32_t)128U - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_SHA2_state_sha2_384 s1 = *p; + uint64_t *block_state10 = s1.block_state; + uint8_t *buf0 = s1.buf; + uint64_t total_len10 = s1.total_len; + uint32_t sz10; + if (total_len10 % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len10 > (uint64_t)0U) + { + sz10 = (uint32_t)128U; + } + else + { + sz10 = (uint32_t)(total_len10 % (uint64_t)(uint32_t)128U); + } + uint8_t *buf2 = buf0 + sz10; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + uint64_t total_len2 = total_len10 + (uint64_t)diff; + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_384){ + .block_state = block_state10, + .buf = buf0, + .total_len = total_len2 + } + ); + Hacl_Streaming_SHA2_state_sha2_384 s10 = *p; + uint64_t *block_state1 = s10.block_state; + uint8_t *buf = s10.buf; + uint64_t total_len1 = s10.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)128U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)128U); + } + if (!(sz1 == (uint32_t)0U)) + { + 
Hacl_Hash_SHA2_update_multi_384(block_state1, buf, (uint32_t)1U); + } + uint32_t ite; + if + ( + (uint64_t)(len - diff) + % (uint64_t)(uint32_t)128U + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = (uint32_t)128U; + } + else + { + ite = (uint32_t)((uint64_t)(len - diff) % (uint64_t)(uint32_t)128U); + } + uint32_t n_blocks = (len - diff - ite) / (uint32_t)128U; + uint32_t data1_len = n_blocks * (uint32_t)128U; + uint32_t data2_len = len - diff - data1_len; + uint8_t *data11 = data2; + uint8_t *data21 = data2 + data1_len; + Hacl_Hash_SHA2_update_multi_384(block_state1, data11, data1_len / (uint32_t)128U); + uint8_t *dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_384){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)(len - diff) + } + ); +} + +void Hacl_Streaming_SHA2_finish_384(Hacl_Streaming_SHA2_state_sha2_384 *p, uint8_t *dst) +{ + Hacl_Streaming_SHA2_state_sha2_384 scrut = *p; + uint64_t *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if (total_len % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len > (uint64_t)0U) + { + r = (uint32_t)128U; + } + else + { + r = (uint32_t)(total_len % (uint64_t)(uint32_t)128U); + } + uint8_t *buf_1 = buf_; + uint64_t tmp_block_state[8U] = { 0U }; + memcpy(tmp_block_state, block_state, (uint32_t)8U * sizeof (uint64_t)); + uint32_t ite; + if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)128U; + } + else + { + ite = r % (uint32_t)128U; + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + Hacl_Hash_SHA2_update_multi_384(tmp_block_state, buf_multi, (uint32_t)0U); + uint64_t prev_len_last = total_len - (uint64_t)r; + Hacl_Hash_SHA2_update_last_384(tmp_block_state, + FStar_UInt128_uint64_to_uint128(prev_len_last), + buf_last, + r); + Hacl_Hash_Core_SHA2_finish_384(tmp_block_state, 
dst); +} + +void Hacl_Streaming_SHA2_free_384(Hacl_Streaming_SHA2_state_sha2_384 *s) +{ + Hacl_Streaming_SHA2_state_sha2_384 scrut = *s; + uint8_t *buf = scrut.buf; + uint64_t *block_state = scrut.block_state; + KRML_HOST_FREE(block_state); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s); +} + +Hacl_Streaming_SHA2_state_sha2_384 *Hacl_Streaming_SHA2_create_in_512() +{ + uint8_t *buf = KRML_HOST_CALLOC((uint32_t)128U, sizeof (uint8_t)); + uint64_t *block_state = KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint64_t)); + Hacl_Streaming_SHA2_state_sha2_384 + s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_SHA2_state_sha2_384), (uint32_t)1U); + Hacl_Streaming_SHA2_state_sha2_384 + *p = KRML_HOST_MALLOC(sizeof (Hacl_Streaming_SHA2_state_sha2_384)); + p[0U] = s; + Hacl_Hash_Core_SHA2_init_512(block_state); + return p; +} + +void Hacl_Streaming_SHA2_init_512(Hacl_Streaming_SHA2_state_sha2_384 *s) +{ + Hacl_Streaming_SHA2_state_sha2_384 scrut = *s; + uint8_t *buf = scrut.buf; + uint64_t *block_state = scrut.block_state; + Hacl_Hash_Core_SHA2_init_512(block_state); + s[0U] = + ( + (Hacl_Streaming_SHA2_state_sha2_384){ + .block_state = block_state, + .buf = buf, + .total_len = (uint64_t)0U + } + ); +} + +void +Hacl_Streaming_SHA2_update_512( + Hacl_Streaming_SHA2_state_sha2_384 *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_SHA2_state_sha2_384 s = *p; + uint64_t total_len = s.total_len; + uint32_t sz; + if (total_len % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len > (uint64_t)0U) + { + sz = (uint32_t)128U; + } + else + { + sz = (uint32_t)(total_len % (uint64_t)(uint32_t)128U); + } + if (len <= (uint32_t)128U - sz) + { + Hacl_Streaming_SHA2_state_sha2_384 s1 = *p; + uint64_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)128U; 
+ } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)128U); + } + uint8_t *buf2 = buf + sz1; + memcpy(buf2, data, len * sizeof (uint8_t)); + uint64_t total_len2 = total_len1 + (uint64_t)len; + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_384){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len2 + } + ); + return; + } + if (sz == (uint32_t)0U) + { + Hacl_Streaming_SHA2_state_sha2_384 s1 = *p; + uint64_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)128U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)128U); + } + if (!(sz1 == (uint32_t)0U)) + { + Hacl_Hash_SHA2_update_multi_512(block_state1, buf, (uint32_t)1U); + } + uint32_t ite; + if ((uint64_t)len % (uint64_t)(uint32_t)128U == (uint64_t)0U && (uint64_t)len > (uint64_t)0U) + { + ite = (uint32_t)128U; + } + else + { + ite = (uint32_t)((uint64_t)len % (uint64_t)(uint32_t)128U); + } + uint32_t n_blocks = (len - ite) / (uint32_t)128U; + uint32_t data1_len = n_blocks * (uint32_t)128U; + uint32_t data2_len = len - data1_len; + uint8_t *data1 = data; + uint8_t *data2 = data + data1_len; + Hacl_Hash_SHA2_update_multi_512(block_state1, data1, data1_len / (uint32_t)128U); + uint8_t *dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_384){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)len + } + ); + return; + } + uint32_t diff = (uint32_t)128U - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_SHA2_state_sha2_384 s1 = *p; + uint64_t *block_state10 = s1.block_state; + uint8_t *buf0 = s1.buf; + uint64_t total_len10 = s1.total_len; + uint32_t sz10; + if (total_len10 % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len10 > (uint64_t)0U) + { + sz10 = (uint32_t)128U; + } + else + 
{ + sz10 = (uint32_t)(total_len10 % (uint64_t)(uint32_t)128U); + } + uint8_t *buf2 = buf0 + sz10; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + uint64_t total_len2 = total_len10 + (uint64_t)diff; + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_384){ + .block_state = block_state10, + .buf = buf0, + .total_len = total_len2 + } + ); + Hacl_Streaming_SHA2_state_sha2_384 s10 = *p; + uint64_t *block_state1 = s10.block_state; + uint8_t *buf = s10.buf; + uint64_t total_len1 = s10.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)128U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)128U); + } + if (!(sz1 == (uint32_t)0U)) + { + Hacl_Hash_SHA2_update_multi_512(block_state1, buf, (uint32_t)1U); + } + uint32_t ite; + if + ( + (uint64_t)(len - diff) + % (uint64_t)(uint32_t)128U + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = (uint32_t)128U; + } + else + { + ite = (uint32_t)((uint64_t)(len - diff) % (uint64_t)(uint32_t)128U); + } + uint32_t n_blocks = (len - diff - ite) / (uint32_t)128U; + uint32_t data1_len = n_blocks * (uint32_t)128U; + uint32_t data2_len = len - diff - data1_len; + uint8_t *data11 = data2; + uint8_t *data21 = data2 + data1_len; + Hacl_Hash_SHA2_update_multi_512(block_state1, data11, data1_len / (uint32_t)128U); + uint8_t *dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_384){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)(len - diff) + } + ); +} + +void Hacl_Streaming_SHA2_finish_512(Hacl_Streaming_SHA2_state_sha2_384 *p, uint8_t *dst) +{ + Hacl_Streaming_SHA2_state_sha2_384 scrut = *p; + uint64_t *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if (total_len % (uint64_t)(uint32_t)128U == (uint64_t)0U && total_len > (uint64_t)0U) + { + r = (uint32_t)128U; 
+ }
+ else
+ {
+ r = (uint32_t)(total_len % (uint64_t)(uint32_t)128U);
+ }
+ uint8_t *buf_1 = buf_;
+ uint64_t tmp_block_state[8U] = { 0U };
+ memcpy(tmp_block_state, block_state, (uint32_t)8U * sizeof (uint64_t));
+ uint32_t ite;
+ if (r % (uint32_t)128U == (uint32_t)0U && r > (uint32_t)0U)
+ {
+ ite = (uint32_t)128U;
+ }
+ else
+ {
+ ite = r % (uint32_t)128U;
+ }
+ uint8_t *buf_last = buf_1 + r - ite;
+ uint8_t *buf_multi = buf_1;
+ Hacl_Hash_SHA2_update_multi_512(tmp_block_state, buf_multi, (uint32_t)0U);
+ uint64_t prev_len_last = total_len - (uint64_t)r;
+ Hacl_Hash_SHA2_update_last_512(tmp_block_state,
+ FStar_UInt128_uint64_to_uint128(prev_len_last),
+ buf_last,
+ r);
+ Hacl_Hash_Core_SHA2_finish_512(tmp_block_state, dst);
+}
+
+void Hacl_Streaming_SHA2_free_512(Hacl_Streaming_SHA2_state_sha2_384 *s)
+{
+ Hacl_Streaming_SHA2_state_sha2_384 scrut = *s;
+ uint8_t *buf = scrut.buf;
+ uint64_t *block_state = scrut.block_state;
+ KRML_HOST_FREE(block_state);
+ KRML_HOST_FREE(buf);
+ KRML_HOST_FREE(s);
+}
+
diff --git a/src/msvc/Lib_Memzero0.c b/src/msvc/Lib_Memzero0.c
new file mode 100644
index 00000000..ef3060d4
--- /dev/null
+++ b/src/msvc/Lib_Memzero0.c
@@ -0,0 +1,53 @@
+#if defined(__has_include)
+#if __has_include("config.h")
+#include "config.h"
+#endif
+#endif
+
+#ifdef _WIN32
+#include
+#endif
+
+#if (defined(__APPLE__) && defined(__MACH__)) || defined(__linux__)
+#define __STDC_WANT_LIB_EXT1__ 1
+#include
+#endif
+
+#ifdef __FreeBSD__
+#include
+#endif
+
+#include
+#include
+#include
+#include
+
+#include "Lib_Memzero0.h"
+#include "kremlin/internal/target.h"
+
+/* The F* formalization talks about the number of elements in the array. The C
+ implementation wants a number of bytes in the array. KreMLin is aware of this
+ and inserts a sizeof multiplication. */
+void Lib_Memzero0_memzero(void *dst, uint64_t len) {
+ /* This is safe: kremlin checks at run-time (if needed) that all object sizes
+ fit within a size_t, so the size we receive has been checked at
+ allocation-time, possibly via KRML_CHECK_SIZE, to fit in a size_t. */
+ size_t len_ = (size_t) len;
+
+ #ifdef _WIN32
+ SecureZeroMemory(dst, len);
+ #elif defined(__APPLE__) && defined(__MACH__)
+ memset_s(dst, len_, 0, len_);
+ #elif (defined(__linux__) && !defined(LINUX_NO_EXPLICIT_BZERO)) || defined(__FreeBSD__)
+ explicit_bzero(dst, len_);
+ #elif defined(__NetBSD__)
+ explicit_memset(dst, 0, len_);
+ #else
+ /* Default implementation for platforms with no particular support. */
+ #warning "Your platform does not support any safe implementation of memzero -- consider a pull request!"
+ volatile unsigned char *volatile dst_ = (volatile unsigned char *volatile) dst;
+ size_t i = 0U;
+ while (i < len)
+ dst_[i++] = 0U;
+ #endif
+}
diff --git a/src/msvc/Lib_RandomBuffer_System.c b/src/msvc/Lib_RandomBuffer_System.c
new file mode 100644
index 00000000..0d7924b4
--- /dev/null
+++ b/src/msvc/Lib_RandomBuffer_System.c
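Review bot: The Windows branch passes the unconverted `len` to `SecureZeroMemory` while every other branch uses the `len_` that the function introduces for exactly that conversion, and the portable fallback's `while (i < len)` compares against the `uint64_t` too; both should read `len_` so the size narrowing the comment justifies happens in one place. The `memset_s` return value is dropped: under C11 Annex K a runtime-constraint violation (`len_ > RSIZE_MAX`) leaves the buffer untouched and is reported only through that return, so the macOS branch can silently fail to erase where every other branch cannot — at minimum mark it `(void)memset_s(dst, len_, 0, len_); /* cannot fail for sizes that passed KRML_CHECK_SIZE */` so the assumption is written down. Whether `config.h` transitively includes `<string.h>` before `__STDC_WANT_LIB_EXT1__` is defined is not visible here; if it does, the `memset_s` declaration will be missing on macOS, so the define should move above the `config.h` include.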
@@ -0,0 +1,62 @@
+#include "Lib_RandomBuffer_System.h"
+
+#if (defined(_WIN32) || defined(_WIN64))
+
+#include
+#include
+#include
+#include
+
+bool read_random_bytes(uint32_t len, uint8_t *buf) {
+ HCRYPTPROV ctxt;
+ if (!(CryptAcquireContext(&ctxt, NULL, NULL, PROV_RSA_FULL,
+ CRYPT_VERIFYCONTEXT))) {
+ DWORD error = GetLastError();
+ /* printf("Cannot acquire crypto context: 0x%lx\n", error); */
+ return false;
+ }
+ bool pass = true;
+ if (!(CryptGenRandom(ctxt, (uint64_t)len, buf))) {
+ /* printf("Cannot read random bytes\n"); */
+ pass = false;
+ }
+ CryptReleaseContext(ctxt, 0);
+ return pass;
+}
+
+#else
+
+/* assume POSIX here */
+#include
+#include
+#include
+#include
+#include
+
+bool read_random_bytes(uint32_t len, uint8_t *buf) {
+#ifdef SYS_getrandom
+ ssize_t res = syscall(SYS_getrandom, buf, (size_t)len, 0);
+ if (res == -1) {
+ return false;
+ }
+#else // !defined(SYS_getrandom)
+ int fd = open("/dev/urandom", O_RDONLY);
+ if (fd == -1) {
+ return false;
+ }
+ ssize_t res = read(fd, buf, (uint64_t)len);
+ close(fd);
+#endif // defined(SYS_getrandom)
+ return ((size_t)res == (size_t)len);
+}
+
+#endif
+
+// WARNING: this function is deprecated
+bool Lib_RandomBuffer_System_randombytes(uint8_t *x, uint32_t len) {
+ return read_random_bytes(len, x);
+}
+
+void Lib_RandomBuffer_System_crypto_random(uint8_t *x, uint32_t len) {
+ while(!read_random_bytes(len, x)) {}
+}
diff --git a/tests/blake2_vectors.h b/tests/blake2_vectors.h
new file mode 100644
index 00000000..c8a59f50
--- /dev/null
+++ b/tests/blake2_vectors.h
@@ -0,0 +1,251 @@ +#pragma once + +typedef struct +{ + uint8_t* input; + size_t input_len; + uint8_t* key; + size_t key_len; + uint8_t* expected; + size_t expected_len; +} blake2_test_vector; + +static uint8_t input2b1[44] = { + 0x00U, 0x01U, 0x02U, 0x03U, 0x04U, 0x05U, 0x06U, 0x07U, 0x08U, 0x09U, 0x0aU, + 0x0bU, 0x0cU, 0x0dU, 0x0eU, 0x0fU, 0x10U, 0x11U, 0x12U, 0x13U, 0x14U, 0x15U, + 0x16U, 0x17U, 0x18U, 0x19U, 0x1aU, 0x1bU, 0x1cU, 0x1dU, 0x1eU, 0x1fU, 0x20U, + 0x21U, 0x22U, 0x23U, 0x24U, 0x25U, 0x26U, 0x27U, 0x28U, 0x29U, 0x2aU, 0x2bU +}; + +static uint8_t key2b1[64] = { + 0x00U, 0x01U, 0x02U, 0x03U, 0x04U, 0x05U, 0x06U, 0x07U, 0x08U, 0x09U, 0x0aU, + 0x0bU, 0x0cU, 0x0dU, 0x0eU, 0x0fU, 0x10U, 0x11U, 0x12U, 0x13U, 0x14U, 0x15U, + 0x16U, 0x17U, 0x18U, 0x19U, 0x1aU, 0x1bU, 0x1cU, 0x1dU, 0x1eU, 0x1fU, 0x20U, + 0x21U, 0x22U, 0x23U, 0x24U, 0x25U, 0x26U, 0x27U, 0x28U, 0x29U, 0x2aU, 0x2bU, + 0x2cU, 0x2dU, 0x2eU, 0x2fU, 0x30U, 0x31U, 0x32U, 0x33U, 0x34U, 0x35U, 0x36U, + 0x37U, 0x38U, 0x39U, 0x3aU, 0x3bU, 0x3cU, 0x3dU, 0x3eU, 0x3fU +}; + +static uint8_t expected2b1[64] = { + 0xc8U, 0xf6U, 0x8eU, 0x69U, 0x6eU, 0xd2U, 0x82U, 0x42U, 0xbfU, 0x99U, 0x7fU, + 0x5bU, 0x3bU, 0x34U, 0x95U, 0x95U, 0x08U, 0xe4U, 0x2dU, 0x61U, 0x38U, 0x10U, + 0xf1U, 0xe2U, 0xa4U, 0x35U, 0xc9U, 0x6eU, 0xd2U, 0xffU, 0x56U, 0x0cU, 0x70U, + 0x22U, 0xf3U, 0x61U, 0xa9U, 0x23U, 0x4bU, 0x98U, 0x37U, 0xfeU, 0xeeU, 0x90U, + 0xbfU, 0x47U, 0x92U, 0x2eU, 0xe0U, 0xfdU, 0x5fU, 0x8dU, 0xdfU, 0x82U, 0x37U, + 0x18U, 0xd8U, 0x6dU, 0x1eU, 0x16U, 0xc6U, 0x09U, 0x00U, 0x71U +}; + +static uint8_t input2b13[128] = { + 0x00U, 0x01U, 0x02U, 0x03U, 0x04U, 0x05U, 0x06U, 0x07U, 0x08U, 0x09U, 0x0AU, + 0x0BU, 0x0CU, 0x0DU, 0x0EU, 0x0FU, 0x10U, 0x11U, 0x12U, 0x13U, 0x14U, 0x15U, + 0x16U, 0x17U, 0x18U, 0x19U, 0x1AU, 0x1BU, 0x1CU, 0x1DU, 0x1EU, 0x1FU, 0x20U, + 0x21U, 0x22U, 0x23U, 0x24U, 0x25U, 0x26U, 0x27U, 0x28U, 0x29U, 0x2AU, 0x2BU, + 0x2CU, 0x2DU, 0x2EU, 0x2FU, 0x30U, 0x31U, 0x32U, 0x33U, 0x34U, 0x35U, 0x36U, + 0x37U, 0x38U, 0x39U, 
0x3AU, 0x3BU, 0x3CU, 0x3DU, 0x3EU, 0x3FU, 0x40U, 0x41U, + 0x42U, 0x43U, 0x44U, 0x45U, 0x46U, 0x47U, 0x48U, 0x49U, 0x4AU, 0x4BU, 0x4CU, + 0x4DU, 0x4EU, 0x4FU, 0x50U, 0x51U, 0x52U, 0x53U, 0x54U, 0x55U, 0x56U, 0x57U, + 0x58U, 0x59U, 0x5AU, 0x5BU, 0x5CU, 0x5DU, 0x5EU, 0x5FU, 0x60U, 0x61U, 0x62U, + 0x63U, 0x64U, 0x65U, 0x66U, 0x67U, 0x68U, 0x69U, 0x6AU, 0x6BU, 0x6CU, 0x6DU, + 0x6EU, 0x6FU, 0x70U, 0x71U, 0x72U, 0x73U, 0x74U, 0x75U, 0x76U, 0x77U, 0x78U, + 0x79U, 0x7AU, 0x7BU, 0x7CU, 0x7DU, 0x7EU, 0x7FU +}; + +static uint8_t key2b13[64] = { + 0x00U, 0x01U, 0x02U, 0x03U, 0x04U, 0x05U, 0x06U, 0x07U, 0x08U, 0x09U, 0x0AU, + 0x0BU, 0x0CU, 0x0DU, 0x0EU, 0x0FU, 0x10U, 0x11U, 0x12U, 0x13U, 0x14U, 0x15U, + 0x16U, 0x17U, 0x18U, 0x19U, 0x1AU, 0x1BU, 0x1CU, 0x1DU, 0x1EU, 0x1FU, 0x20U, + 0x21U, 0x22U, 0x23U, 0x24U, 0x25U, 0x26U, 0x27U, 0x28U, 0x29U, 0x2AU, 0x2BU, + 0x2CU, 0x2DU, 0x2EU, 0x2FU, 0x30U, 0x31U, 0x32U, 0x33U, 0x34U, 0x35U, 0x36U, + 0x37U, 0x38U, 0x39U, 0x3AU, 0x3BU, 0x3CU, 0x3DU, 0x3EU, 0x3FU +}; + +static uint8_t expected2b13[64] = { + 0x72U, 0x06U, 0x5EU, 0xE4U, 0xDDU, 0x91U, 0xC2U, 0xD8U, 0x50U, 0x9FU, 0xA1U, + 0xFCU, 0x28U, 0xA3U, 0x7CU, 0x7FU, 0xC9U, 0xFAU, 0x7DU, 0x5BU, 0x3FU, 0x8AU, + 0xD3U, 0xD0U, 0xD7U, 0xA2U, 0x56U, 0x26U, 0xB5U, 0x7BU, 0x1BU, 0x44U, 0x78U, + 0x8DU, 0x4CU, 0xAFU, 0x80U, 0x62U, 0x90U, 0x42U, 0x5FU, 0x98U, 0x90U, 0xA3U, + 0xA2U, 0xA3U, 0x5AU, 0x90U, 0x5AU, 0xB4U, 0xB3U, 0x7AU, 0xCFU, 0xD0U, 0xDAU, + 0x6EU, 0x45U, 0x17U, 0xB2U, 0x52U, 0x5CU, 0x96U, 0x51U, 0xE4U +}; + +static uint8_t input2s1[3] = { 0x61U, 0x62U, 0x63U }; + +static uint8_t expected2s1[32] = { + 0x50U, 0x8CU, 0x5EU, 0x8CU, 0x32U, 0x7CU, 0x14U, 0xE2U, 0xE1U, 0xA7U, 0x2BU, + 0xA3U, 0x4EU, 0xEBU, 0x45U, 0x2FU, 0x37U, 0x45U, 0x8BU, 0x20U, 0x9EU, 0xD6U, + 0x3AU, 0x29U, 0x4DU, 0x99U, 0x9BU, 0x4CU, 0x86U, 0x67U, 0x59U, 0x82U +}; + +static uint8_t input2s2[1] = { 0x00U }; + +static uint8_t key2s2[32] = { 0x00U, 0x01U, 0x02U, 0x03U, 0x04U, 0x05U, 0x06U, + 0x07U, 0x08U, 0x09U, 0x0aU, 0x0bU, 
0x0cU, 0x0dU, + 0x0eU, 0x0fU, 0x10U, 0x11U, 0x12U, 0x13U, 0x14U, + 0x15U, 0x16U, 0x17U, 0x18U, 0x19U, 0x1aU, 0x1bU, + 0x1cU, 0x1dU, 0x1eU, 0x1fU }; + +static uint8_t expected2s2[32] = { + 0x40U, 0xd1U, 0x5fU, 0xeeU, 0x7cU, 0x32U, 0x88U, 0x30U, 0x16U, 0x6aU, 0xc3U, + 0xf9U, 0x18U, 0x65U, 0x0fU, 0x80U, 0x7eU, 0x7eU, 0x01U, 0xe1U, 0x77U, 0x25U, + 0x8cU, 0xdcU, 0x0aU, 0x39U, 0xb1U, 0x1fU, 0x59U, 0x80U, 0x66U, 0xf1U +}; + +static uint8_t input2s3[255] = { + 0x00U, 0x01U, 0x02U, 0x03U, 0x04U, 0x05U, 0x06U, 0x07U, 0x08U, 0x09U, 0x0aU, + 0x0bU, 0x0cU, 0x0dU, 0x0eU, 0x0fU, 0x10U, 0x11U, 0x12U, 0x13U, 0x14U, 0x15U, + 0x16U, 0x17U, 0x18U, 0x19U, 0x1aU, 0x1bU, 0x1cU, 0x1dU, 0x1eU, 0x1fU, 0x20U, + 0x21U, 0x22U, 0x23U, 0x24U, 0x25U, 0x26U, 0x27U, 0x28U, 0x29U, 0x2aU, 0x2bU, + 0x2cU, 0x2dU, 0x2eU, 0x2fU, 0x30U, 0x31U, 0x32U, 0x33U, 0x34U, 0x35U, 0x36U, + 0x37U, 0x38U, 0x39U, 0x3aU, 0x3bU, 0x3cU, 0x3dU, 0x3eU, 0x3fU, 0x40U, 0x41U, + 0x42U, 0x43U, 0x44U, 0x45U, 0x46U, 0x47U, 0x48U, 0x49U, 0x4aU, 0x4bU, 0x4cU, + 0x4dU, 0x4eU, 0x4fU, 0x50U, 0x51U, 0x52U, 0x53U, 0x54U, 0x55U, 0x56U, 0x57U, + 0x58U, 0x59U, 0x5aU, 0x5bU, 0x5cU, 0x5dU, 0x5eU, 0x5fU, 0x60U, 0x61U, 0x62U, + 0x63U, 0x64U, 0x65U, 0x66U, 0x67U, 0x68U, 0x69U, 0x6aU, 0x6bU, 0x6cU, 0x6dU, + 0x6eU, 0x6fU, 0x70U, 0x71U, 0x72U, 0x73U, 0x74U, 0x75U, 0x76U, 0x77U, 0x78U, + 0x79U, 0x7aU, 0x7bU, 0x7cU, 0x7dU, 0x7eU, 0x7fU, 0x80U, 0x81U, 0x82U, 0x83U, + 0x84U, 0x85U, 0x86U, 0x87U, 0x88U, 0x89U, 0x8aU, 0x8bU, 0x8cU, 0x8dU, 0x8eU, + 0x8fU, 0x90U, 0x91U, 0x92U, 0x93U, 0x94U, 0x95U, 0x96U, 0x97U, 0x98U, 0x99U, + 0x9aU, 0x9bU, 0x9cU, 0x9dU, 0x9eU, 0x9fU, 0xa0U, 0xa1U, 0xa2U, 0xa3U, 0xa4U, + 0xa5U, 0xa6U, 0xa7U, 0xa8U, 0xa9U, 0xaaU, 0xabU, 0xacU, 0xadU, 0xaeU, 0xafU, + 0xb0U, 0xb1U, 0xb2U, 0xb3U, 0xb4U, 0xb5U, 0xb6U, 0xb7U, 0xb8U, 0xb9U, 0xbaU, + 0xbbU, 0xbcU, 0xbdU, 0xbeU, 0xbfU, 0xc0U, 0xc1U, 0xc2U, 0xc3U, 0xc4U, 0xc5U, + 0xc6U, 0xc7U, 0xc8U, 0xc9U, 0xcaU, 0xcbU, 0xccU, 0xcdU, 0xceU, 0xcfU, 0xd0U, + 0xd1U, 0xd2U, 0xd3U, 0xd4U, 0xd5U, 0xd6U, 
0xd7U, 0xd8U, 0xd9U, 0xdaU, 0xdbU, + 0xdcU, 0xddU, 0xdeU, 0xdfU, 0xe0U, 0xe1U, 0xe2U, 0xe3U, 0xe4U, 0xe5U, 0xe6U, + 0xe7U, 0xe8U, 0xe9U, 0xeaU, 0xebU, 0xecU, 0xedU, 0xeeU, 0xefU, 0xf0U, 0xf1U, + 0xf2U, 0xf3U, 0xf4U, 0xf5U, 0xf6U, 0xf7U, 0xf8U, 0xf9U, 0xfaU, 0xfbU, 0xfcU, + 0xfdU, 0xfeU +}; + +static uint8_t key2s3[32] = { 0x00U, 0x01U, 0x02U, 0x03U, 0x04U, 0x05U, 0x06U, + 0x07U, 0x08U, 0x09U, 0x0aU, 0x0bU, 0x0cU, 0x0dU, + 0x0eU, 0x0fU, 0x10U, 0x11U, 0x12U, 0x13U, 0x14U, + 0x15U, 0x16U, 0x17U, 0x18U, 0x19U, 0x1aU, 0x1bU, + 0x1cU, 0x1dU, 0x1eU, 0x1fU }; + +static uint8_t expected2s3[32] = { + 0x3fU, 0xb7U, 0x35U, 0x06U, 0x1aU, 0xbcU, 0x51U, 0x9dU, 0xfeU, 0x97U, 0x9eU, + 0x54U, 0xc1U, 0xeeU, 0x5bU, 0xfaU, 0xd0U, 0xa9U, 0xd8U, 0x58U, 0xb3U, 0x31U, + 0x5bU, 0xadU, 0x34U, 0xbdU, 0xe9U, 0x99U, 0xefU, 0xd7U, 0x24U, 0xddU +}; + +static uint8_t input2s4[251] = { + 0x00U, 0x01U, 0x02U, 0x03U, 0x04U, 0x05U, 0x06U, 0x07U, 0x08U, 0x09U, 0x0aU, + 0x0bU, 0x0cU, 0x0dU, 0x0eU, 0x0fU, 0x10U, 0x11U, 0x12U, 0x13U, 0x14U, 0x15U, + 0x16U, 0x17U, 0x18U, 0x19U, 0x1aU, 0x1bU, 0x1cU, 0x1dU, 0x1eU, 0x1fU, 0x20U, + 0x21U, 0x22U, 0x23U, 0x24U, 0x25U, 0x26U, 0x27U, 0x28U, 0x29U, 0x2aU, 0x2bU, + 0x2cU, 0x2dU, 0x2eU, 0x2fU, 0x30U, 0x31U, 0x32U, 0x33U, 0x34U, 0x35U, 0x36U, + 0x37U, 0x38U, 0x39U, 0x3aU, 0x3bU, 0x3cU, 0x3dU, 0x3eU, 0x3fU, 0x40U, 0x41U, + 0x42U, 0x43U, 0x44U, 0x45U, 0x46U, 0x47U, 0x48U, 0x49U, 0x4aU, 0x4bU, 0x4cU, + 0x4dU, 0x4eU, 0x4fU, 0x50U, 0x51U, 0x52U, 0x53U, 0x54U, 0x55U, 0x56U, 0x57U, + 0x58U, 0x59U, 0x5aU, 0x5bU, 0x5cU, 0x5dU, 0x5eU, 0x5fU, 0x60U, 0x61U, 0x62U, + 0x63U, 0x64U, 0x65U, 0x66U, 0x67U, 0x68U, 0x69U, 0x6aU, 0x6bU, 0x6cU, 0x6dU, + 0x6eU, 0x6fU, 0x70U, 0x71U, 0x72U, 0x73U, 0x74U, 0x75U, 0x76U, 0x77U, 0x78U, + 0x79U, 0x7aU, 0x7bU, 0x7cU, 0x7dU, 0x7eU, 0x7fU, 0x80U, 0x81U, 0x82U, 0x83U, + 0x84U, 0x85U, 0x86U, 0x87U, 0x88U, 0x89U, 0x8aU, 0x8bU, 0x8cU, 0x8dU, 0x8eU, + 0x8fU, 0x90U, 0x91U, 0x92U, 0x93U, 0x94U, 0x95U, 0x96U, 0x97U, 0x98U, 0x99U, + 0x9aU, 0x9bU, 0x9cU, 
0x9dU, 0x9eU, 0x9fU, 0xa0U, 0xa1U, 0xa2U, 0xa3U, 0xa4U, + 0xa5U, 0xa6U, 0xa7U, 0xa8U, 0xa9U, 0xaaU, 0xabU, 0xacU, 0xadU, 0xaeU, 0xafU, + 0xb0U, 0xb1U, 0xb2U, 0xb3U, 0xb4U, 0xb5U, 0xb6U, 0xb7U, 0xb8U, 0xb9U, 0xbaU, + 0xbbU, 0xbcU, 0xbdU, 0xbeU, 0xbfU, 0xc0U, 0xc1U, 0xc2U, 0xc3U, 0xc4U, 0xc5U, + 0xc6U, 0xc7U, 0xc8U, 0xc9U, 0xcaU, 0xcbU, 0xccU, 0xcdU, 0xceU, 0xcfU, 0xd0U, + 0xd1U, 0xd2U, 0xd3U, 0xd4U, 0xd5U, 0xd6U, 0xd7U, 0xd8U, 0xd9U, 0xdaU, 0xdbU, + 0xdcU, 0xddU, 0xdeU, 0xdfU, 0xe0U, 0xe1U, 0xe2U, 0xe3U, 0xe4U, 0xe5U, 0xe6U, + 0xe7U, 0xe8U, 0xe9U, 0xeaU, 0xebU, 0xecU, 0xedU, 0xeeU, 0xefU, 0xf0U, 0xf1U, + 0xf2U, 0xf3U, 0xf4U, 0xf5U, 0xf6U, 0xf7U, 0xf8U, 0xf9U, 0xfaU +}; + +static uint8_t key2s4[32] = { 0x00U, 0x01U, 0x02U, 0x03U, 0x04U, 0x05U, 0x06U, + 0x07U, 0x08U, 0x09U, 0x0aU, 0x0bU, 0x0cU, 0x0dU, + 0x0eU, 0x0fU, 0x10U, 0x11U, 0x12U, 0x13U, 0x14U, + 0x15U, 0x16U, 0x17U, 0x18U, 0x19U, 0x1aU, 0x1bU, + 0x1cU, 0x1dU, 0x1eU, 0x1fU }; + +static uint8_t expected2s4[32] = { + 0xd1U, 0x2bU, 0xf3U, 0x73U, 0x2eU, 0xf4U, 0xafU, 0x5cU, 0x22U, 0xfaU, 0x90U, + 0x35U, 0x6aU, 0xf8U, 0xfcU, 0x50U, 0xfcU, 0xb4U, 0x0fU, 0x8fU, 0x2eU, 0xa5U, + 0xc8U, 0x59U, 0x47U, 0x37U, 0xa3U, 0xb3U, 0xd5U, 0xabU, 0xdbU, 0xd7U +}; + +static uint8_t input2s8[64] = { + 0x00U, 0x01U, 0x02U, 0x03U, 0x04U, 0x05U, 0x06U, 0x07U, 0x08U, 0x09U, 0x0AU, + 0x0BU, 0x0CU, 0x0DU, 0x0EU, 0x0FU, 0x10U, 0x11U, 0x12U, 0x13U, 0x14U, 0x15U, + 0x16U, 0x17U, 0x18U, 0x19U, 0x1AU, 0x1BU, 0x1CU, 0x1DU, 0x1EU, 0x1FU, 0x20U, + 0x21U, 0x22U, 0x23U, 0x24U, 0x25U, 0x26U, 0x27U, 0x28U, 0x29U, 0x2AU, 0x2BU, + 0x2CU, 0x2DU, 0x2EU, 0x2FU, 0x30U, 0x31U, 0x32U, 0x33U, 0x34U, 0x35U, 0x36U, + 0x37U, 0x38U, 0x39U, 0x3AU, 0x3BU, 0x3CU, 0x3DU, 0x3EU, 0x3FU +}; + +static uint8_t key2s8[32] = { 0x00U, 0x01U, 0x02U, 0x03U, 0x04U, 0x05U, 0x06U, + 0x07U, 0x08U, 0x09U, 0x0AU, 0x0BU, 0x0CU, 0x0DU, + 0x0EU, 0x0FU, 0x10U, 0x11U, 0x12U, 0x13U, 0x14U, + 0x15U, 0x16U, 0x17U, 0x18U, 0x19U, 0x1AU, 0x1BU, + 0x1CU, 0x1DU, 0x1EU, 0x1FU }; + +static uint8_t 
expected2s8[32] = { + 0x89U, 0x75U, 0xB0U, 0x57U, 0x7FU, 0xD3U, 0x55U, 0x66U, 0xD7U, 0x50U, 0xB3U, + 0x62U, 0xB0U, 0x89U, 0x7AU, 0x26U, 0xC3U, 0x99U, 0x13U, 0x6DU, 0xF0U, 0x7BU, + 0xABU, 0xABU, 0xBDU, 0xE6U, 0x20U, 0x3FU, 0xF2U, 0x95U, 0x4EU, 0xD4U +}; + +static blake2_test_vector vectors2b[] = { + { + .input = input2b1, + .input_len = sizeof(input2b1) / sizeof(uint8_t), + .key = key2b1, + .key_len = sizeof(key2b1) / sizeof(uint8_t), + .expected = expected2b1, + .expected_len = sizeof(expected2b1) / sizeof(uint8_t), + }, + { + .input = input2b13, + .input_len = sizeof(input2b13) / sizeof(uint8_t), + .key = key2b13, + .key_len = sizeof(key2b13) / sizeof(uint8_t), + .expected = expected2b13, + .expected_len = sizeof(expected2b13) / sizeof(uint8_t), + } +}; + +static blake2_test_vector vectors2s[] = { + { + .input = input2s1, + .input_len = sizeof(input2s1) / sizeof(uint8_t), + .key = 0, + .key_len = 0, + .expected = expected2s1, + .expected_len = sizeof(expected2s1) / sizeof(uint8_t), + }, + { + .input = input2s2, + .input_len = sizeof(input2s2) / sizeof(uint8_t), + .key = key2s2, + .key_len = sizeof(key2s2) / sizeof(uint8_t), + .expected = expected2s2, + .expected_len = sizeof(expected2s2) / sizeof(uint8_t), + }, + { + .input = input2s3, + .input_len = sizeof(input2s3) / sizeof(uint8_t), + .key = key2s3, + .key_len = sizeof(key2s3) / sizeof(uint8_t), + .expected = expected2s3, + .expected_len = sizeof(expected2s3) / sizeof(uint8_t), + }, + { + .input = input2s4, + .input_len = sizeof(input2s4) / sizeof(uint8_t), + .key = key2s4, + .key_len = sizeof(key2s4) / sizeof(uint8_t), + .expected = expected2s4, + .expected_len = sizeof(expected2s4) / sizeof(uint8_t), + }, + { + .input = input2s8, + .input_len = sizeof(input2s8) / sizeof(uint8_t), + .key = key2s8, + .key_len = sizeof(key2s8) / sizeof(uint8_t), + .expected = expected2s8, + .expected_len = sizeof(expected2s8) / sizeof(uint8_t), + } +}; 
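Review bot: The header uses `uint8_t` and `size_t` but includes neither `<stdint.h>` nor `<stddef.h>`, so it compiles only when the including translation unit happened to pull those in first; add the two includes directly under `#pragma once`. In `vectors2s` the keyless first case sets `.key = 0`, which is a valid null-pointer constant but reads as an integer length; `NULL` (or `nullptr`, since the includers are C++ files) states the intent.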
diff --git a/tests/blake2b.cc b/tests/blake2b.cc
new file mode 100644
index 00000000..51342474
--- /dev/null
+++ b/tests/blake2b.cc
@@ -0,0 +1,92 @@
+/*
+ * Copyright 2022 Cryspen Sarl
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include
+
+#include "hacl-cpu-features.h"
+
+#include "Hacl_Hash_Blake2.h"
+#include "blake2_vectors.h"
+#include "config.h"
+#include "util.h"
+
+#ifdef HACL_CAN_COMPILE_VEC256
+#include "Hacl_Hash_Blake2b_256.h"
+#endif
+
+#define VALE \
+ TARGET_ARCHITECTURE == TARGET_ARCHITECTURE_ID_X64 || \
+ TARGET_ARCHITECTURE == TARGET_ARCHITECTURE_ID_X86
+
+#if VALE
+// Only include this for checking CPU flags.
+#include "Vale.h"
+#endif
+
+// Function pointer to multiplex between the different implementations.
+typedef void (
+ *test_blake)(uint32_t, uint8_t*, uint32_t, uint8_t*, uint32_t, uint8_t*);
+
+bool
+test_blake2b(test_blake blake,
+ size_t input_len,
+ uint8_t* input,
+ size_t key_len,
+ uint8_t* key,
+ size_t expected_len,
+ uint8_t* expected)
+{
+ bytes comp(expected_len, 0);
+ (*blake)(expected_len, comp.data(), input_len, input, key_len, key);
+ return compare_and_print(expected_len, comp.data(), expected);
+}
+
+class Blake2bTesting : public ::testing::TestWithParam
+{};
+
+TEST_P(Blake2bTesting, TryTestVectors)
+{
+ const blake2_test_vector& vectors2b(GetParam());
+ bool test = test_blake2b(&Hacl_Blake2b_32_blake2b,
+ vectors2b.input_len,
+ vectors2b.input,
+ vectors2b.key_len,
+ vectors2b.key,
+ vectors2b.expected_len,
+ vectors2b.expected);
+ EXPECT_TRUE(test);
+
+#ifdef HACL_CAN_COMPILE_VEC256
+ // We might have compiled vec256 blake2b but don't have it available on the
+ // CPU when running now.
+ if (hacl_vec256_support()) {
+ test = test_blake2b(&Hacl_Blake2b_256_blake2b,
+ vectors2b.input_len,
+ vectors2b.input,
+ vectors2b.key_len,
+ vectors2b.key,
+ vectors2b.expected_len,
+ vectors2b.expected);
+ EXPECT_TRUE(test);
+ } else {
+ printf(" ! Vec256 was compiled but AVX2 is not available on this CPU.\n");
+ }
+#endif
+}
+
+INSTANTIATE_TEST_SUITE_P(TestVectors,
+ Blake2bTesting,
+ ::testing::ValuesIn(vectors2b));
diff --git a/tests/blake2s.cc b/tests/blake2s.cc
new file mode 100644
index 00000000..6e5108a0
--- /dev/null
+++ b/tests/blake2s.cc
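Review bot: `TryTestVectors` calls `hacl_vec256_support()` without first calling `hacl_init_cpu_features()`, whereas the chacha20poly1305 test in this same commit initialises feature detection at the top of each test body; if the support query reads state populated by that init call, the vec256 path here is silently skipped (the `else` branch only prints) and `Hacl_Blake2b_256_blake2b` goes untested on every machine. Add `hacl_init_cpu_features();` as the first statement of the test body, or do it once in a fixture `SetUp()`, so both suites behave the same. Separately, `test_blake2b` takes `size_t` lengths but `test_blake` is declared with `uint32_t` parameters, so `(*blake)(expected_len, comp.data(), input_len, input, key_len, key)` narrows implicitly; declaring the helper with `uint32_t` lengths keeps a -Wconversion build clean. `Vale.h` is included under `#if VALE` "for checking CPU flags", but nothing in this file uses it, so the include and the `VALE` macro can go.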
@@ -0,0 +1,65 @@
+/*
+ * Copyright 2022 Cryspen Sarl
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include
+
+#ifdef HACL_CAN_COMPILE_VEC128
+#include "Hacl_Hash_Blake2s_128.h"
+#endif
+
+#include "blake2_vectors.h"
+#include "util.h"
+
+bool
+print_test2s(int in_len,
+ uint8_t* in,
+ int key_len,
+ uint8_t* key,
+ int exp_len,
+ uint8_t* exp)
+{
+ bytes comp(exp_len, 0);
+
+#ifdef HACL_CAN_COMPILE_VEC128
+ Hacl_Blake2s_128_blake2s(exp_len, comp.data(), in_len, in, key_len, key);
+ printf("testing blake2s vec-128:\n");
+ bool ok = compare_and_print(exp_len, comp.data(), exp);
+#else
+ printf(" !!! NO TESTS RUN! NO VEC128 SUPPORT! !!!\n");
+ bool ok = true;
+#endif
+
+ return ok;
+}
+
+class Blake2sTesting : public ::testing::TestWithParam
+{};
+
+TEST_P(Blake2sTesting, TryTestVectors)
+{
+ const blake2_test_vector& vectors2s(GetParam());
+ bool test = print_test2s(vectors2s.input_len,
+ vectors2s.input,
+ vectors2s.key_len,
+ vectors2s.key,
+ vectors2s.expected_len,
+ vectors2s.expected);
+ EXPECT_TRUE(test);
+}
+
+INSTANTIATE_TEST_SUITE_P(TestVectors,
+ Blake2sTesting,
+ ::testing::ValuesIn(vectors2s));
diff --git a/tests/chacha20poly1305.cc b/tests/chacha20poly1305.cc
new file mode 100644
index 00000000..15a6ef21
--- /dev/null
+++ b/tests/chacha20poly1305.cc
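Review bot: `print_test2s` calls `Hacl_Blake2s_128_blake2s` whenever `HACL_CAN_COMPILE_VEC128` is defined, with no runtime `hacl_vec128_support()` guard of the kind the chacha20poly1305 and blake2b tests in this commit use, so on a host whose compiler accepts the vector flags but whose CPU lacks the extensions the test can fault with an illegal instruction instead of skipping. When the macro is not defined the helper prints `NO TESTS RUN` and returns `true`, so the suite is green while exercising nothing; `GTEST_SKIP()` in the test body reports that honestly, and the portable Blake2s implementation from `Hacl_Hash_Blake2.h` (the Blake2s counterpart of the `Hacl_Blake2b_32_blake2b` that blake2b.cc tests first) should be run unconditionally, mirroring blake2b.cc. The `int` length parameters also receive the `size_t` fields of `blake2_test_vector` and are then passed to a `uint32_t` API; using `size_t` for the helper and casting once avoids two sign conversions.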
@@ -0,0 +1,310 @@ +/* + * Copyright 2022 Cryspen Sarl + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include + +#include +#include + +#include "hacl-cpu-features.h" +#include "util.h" + +#include "Hacl_Chacha20Poly1305_32.h" +#ifdef HACL_CAN_COMPILE_VEC128 +#include "Hacl_Chacha20Poly1305_128.h" +#endif +#ifdef HACL_CAN_COMPILE_VEC256 +#include "Hacl_Chacha20Poly1305_256.h" +#endif + +#define VALE \ + TARGET_ARCHITECTURE == TARGET_ARCHITECTURE_ID_X64 || \ + TARGET_ARCHITECTURE == TARGET_ARCHITECTURE_ID_X86 +#if VALE +// Only include this for checking CPU flags. +#include "Vale.h" +#endif + +#include "chacha20poly1305_vectors.h" + +using json = nlohmann::json; + +// Function pointer to multiplex between the different implementations. 
+typedef void (*test_encrypt)(uint8_t*, + uint8_t*, + uint32_t, + uint8_t*, + uint32_t, + uint8_t*, + uint8_t*, + uint8_t*); +typedef uint32_t (*test_decrypt)(uint8_t*, + uint8_t*, + uint32_t, + uint8_t*, + uint32_t, + uint8_t*, + uint8_t*, + uint8_t*); + +bool +print_test(test_encrypt aead_encrypt, + test_decrypt aead_decrypt, + int in_len, + uint8_t* in, + uint8_t* key, + uint8_t* nonce, + int aad_len, + uint8_t* aad, + uint8_t* exp_mac, + uint8_t* exp_cipher) +{ + uint8_t* plaintext = static_cast(malloc(in_len)); + memset(plaintext, 0, in_len * sizeof plaintext[0]); + uint8_t* ciphertext = static_cast(malloc(in_len)); + memset(ciphertext, 0, in_len * sizeof ciphertext[0]); + uint8_t mac[16] = { 0 }; + + (*aead_encrypt)(key, nonce, aad_len, aad, in_len, in, ciphertext, mac); + bool ok = compare_and_print(in_len, ciphertext, exp_cipher); + ok = ok && compare_and_print(16, mac, exp_mac); + + int res = (*aead_decrypt)( + key, nonce, aad_len, aad, in_len, plaintext, exp_cipher, exp_mac); + ok = ok && (res == 0); + ok = ok && compare_and_print(in_len, plaintext, in); + + free(plaintext); + free(ciphertext); + + return ok; +} + +class Chacha20Poly1305Testing + : public ::testing::TestWithParam +{}; + +TEST_P(Chacha20Poly1305Testing, TryTestVectors) +{ + // Initialize CPU feature detection + hacl_init_cpu_features(); + + const chacha20poly1305_test_vector& vectors(GetParam()); + bool test = print_test(&Hacl_Chacha20Poly1305_32_aead_encrypt, + &Hacl_Chacha20Poly1305_32_aead_decrypt, + vectors.input_len, + vectors.input, + &vectors.key[0], + &vectors.nonce[0], + vectors.aad_len, + vectors.aad, + &vectors.tag[0], + vectors.cipher); + EXPECT_TRUE(test); + +#ifdef HACL_CAN_COMPILE_VEC128 + // We might have compiled vec128 chachapoly but don't have it available on the + // CPU when running now. 
+ if (hacl_vec128_support()) { + test = print_test(&Hacl_Chacha20Poly1305_128_aead_encrypt, + &Hacl_Chacha20Poly1305_128_aead_decrypt, + vectors.input_len, + vectors.input, + &vectors.key[0], + &vectors.nonce[0], + vectors.aad_len, + vectors.aad, + &vectors.tag[0], + vectors.cipher); + EXPECT_TRUE(test); + } else { + printf(" ! Vec128 was compiled but it is not available on this CPU.\n"); + } +#endif // HACL_CAN_COMPILE_VEC128 + +#ifdef HACL_CAN_COMPILE_VEC256 + // We might have compiled vec256 chachapoly but don't have it available on the + // CPU when running now. + if (hacl_vec256_support()) { + test = print_test(&Hacl_Chacha20Poly1305_256_aead_encrypt, + &Hacl_Chacha20Poly1305_256_aead_decrypt, + vectors.input_len, + vectors.input, + &vectors.key[0], + &vectors.nonce[0], + vectors.aad_len, + vectors.aad, + &vectors.tag[0], + vectors.cipher); + EXPECT_TRUE(test); + } else { + printf(" ! Vec256 was compiled but it is not available on this CPU.\n"); + } +#endif // HACL_CAN_COMPILE_VEC256 +} + +INSTANTIATE_TEST_SUITE_P(TestVectors, + Chacha20Poly1305Testing, + ::testing::ValuesIn(vectors)); + +// === Wycheproof tests === // + +#define bytes std::vector + +typedef struct +{ + bytes msg; + bytes key; + bytes iv; + bytes aad; + bytes ct; + bytes tag; + bool valid; +} TestCase; + +std::vector +read_json() +{ + + // Read JSON test vector + std::string test_dir = "chacha20_poly1305_test.json"; + std::ifstream json_test_file(test_dir); + json test_vectors; + json_test_file >> test_vectors; + + std::vector tests_out; + + // Read test group + for (auto& test : test_vectors["testGroups"].items()) { + auto test_value = test.value(); + if (test_value["ivSize"] != 96) { + // HACL only support 12 byte IVs + continue; + } + EXPECT_EQ(test_value["keySize"], 256); + EXPECT_EQ(test_value["tagSize"], 128); + + auto tests = test_value["tests"]; + for (auto& test_case : tests.items()) { + auto test_case_value = test_case.value(); + auto msg = from_hex(test_case_value["msg"]); + auto 
key = from_hex(test_case_value["key"]); + auto iv = from_hex(test_case_value["iv"]); + auto aad = from_hex(test_case_value["aad"]); + auto ct = from_hex(test_case_value["ct"]); + auto tag = from_hex(test_case_value["tag"]); + auto result = test_case_value["result"]; + bool valid = result == "valid"; + + tests_out.push_back({ msg, key, iv, aad, ct, tag, valid }); + } + } + + return tests_out; +} + +class Chacha20Poly1305Wycheproof : public ::testing::TestWithParam +{}; + +TEST_P(Chacha20Poly1305Wycheproof, TryWycheproof) +{ + // Initialize CPU feature detection + hacl_init_cpu_features(); + const TestCase& test_case(GetParam()); + + auto msg_size = test_case.msg.size(); + bytes plaintext(msg_size, 0); + bytes ciphertext(msg_size, 0); + uint8_t mac[16] = { 0 }; + + // Stupid const + uint8_t* key = const_cast(test_case.key.data()); + uint8_t* iv = const_cast(test_case.iv.data()); + uint8_t* aad = const_cast(test_case.aad.data()); + uint8_t* msg = const_cast(test_case.msg.data()); + uint8_t* tag = const_cast(test_case.tag.data()); + uint8_t* ct = const_cast(test_case.ct.data()); + + // Check that encryption yields the expected cipher text. + Hacl_Chacha20Poly1305_32_aead_encrypt( + key, iv, test_case.aad.size(), aad, msg_size, msg, ciphertext.data(), mac); + if (test_case.valid) { + EXPECT_EQ(ciphertext, test_case.ct); + EXPECT_EQ(std::vector(mac, mac + 16), test_case.tag); + } + + int res = Hacl_Chacha20Poly1305_32_aead_decrypt( + key, iv, test_case.aad.size(), aad, msg_size, plaintext.data(), ct, tag); + EXPECT_EQ(res, test_case.valid ? 0 : 1); + +// XXX: do less c&p +#ifdef HACL_CAN_COMPILE_VEC128 + // We might have compiled vec128 chachapoly but don't have it available on the + // CPU when running now. + if (hacl_vec128_support()) { + // Check that encryption yields the expected cipher text. 
+ Hacl_Chacha20Poly1305_128_aead_encrypt(key, + iv, + test_case.aad.size(), + aad, + msg_size, + msg, + ciphertext.data(), + mac); + if (test_case.valid) { + EXPECT_EQ(ciphertext, test_case.ct); + EXPECT_EQ(std::vector(mac, mac + 16), test_case.tag); + } + + res = Hacl_Chacha20Poly1305_128_aead_decrypt( + key, iv, test_case.aad.size(), aad, msg_size, plaintext.data(), ct, tag); + EXPECT_EQ(res, test_case.valid ? 0 : 1); + } else { + printf(" ! Vec128 was compiled but it is not available on this CPU.\n"); + } +#endif // HACL_CAN_COMPILE_VEC128 + +// XXX: do less c&p +#ifdef HACL_CAN_COMPILE_VEC256 + // We might have compiled vec256 chachapoly but don't have it available on the + // CPU when running now. + if (hacl_vec256_support()) { + // Check that encryption yields the expected cipher text. + Hacl_Chacha20Poly1305_256_aead_encrypt(key, + iv, + test_case.aad.size(), + aad, + msg_size, + msg, + ciphertext.data(), + mac); + if (test_case.valid) { + EXPECT_EQ(ciphertext, test_case.ct); + EXPECT_EQ(std::vector(mac, mac + 16), test_case.tag); + } + + res = Hacl_Chacha20Poly1305_256_aead_decrypt( + key, iv, test_case.aad.size(), aad, msg_size, plaintext.data(), ct, tag); + EXPECT_EQ(res, test_case.valid ? 0 : 1); + } else { + printf(" ! Vec256 was compiled but it is not available on this CPU.\n"); + } +#endif // HACL_CAN_COMPILE_VEC256 +} + +INSTANTIATE_TEST_SUITE_P(Wycheproof, + Chacha20Poly1305Wycheproof, + ::testing::ValuesIn(read_json())); diff --git a/tests/chacha20poly1305/chacha20_poly1305_test.json b/tests/chacha20poly1305/chacha20_poly1305_test.json new file mode 100644 index 00000000..49ebedc9 --- /dev/null +++ b/tests/chacha20poly1305/chacha20_poly1305_test.json 
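Review bot: `read_json` never checks that `json_test_file` opened: the path `chacha20_poly1305_test.json` is relative while the file is added under `tests/chacha20poly1305/`, so unless the build copies it next to the binary the stream fails, `test_vectors` stays null, the group loop runs zero times and the Wycheproof suite is instantiated with no cases and passes vacuously — losing precisely the forged-tag and forged-ciphertext cases (`result` != `valid`) that matter most for an AEAD. Fail loudly instead, e.g. `if (!json_test_file) { fprintf(stderr, "cannot open %s\n", test_dir.c_str()); abort(); }` at the top and `if (tests_out.empty()) abort();` before the return. The `EXPECT_EQ`s inside `read_json` also execute during static initialization via `INSTANTIATE_TEST_SUITE_P`, before any test body is running, so whether gtest records a failure there is worth confirming; a plain check-and-abort is the safer form. In `print_test` the two `malloc(in_len)` results are used unchecked and `in_len` is an `int` handed to functions taking `uint32_t`; `std::vector<uint8_t>` buffers, as the Wycheproof test already uses, remove both problems and the manual `free`s.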
@@ -0,0 +1,3679 @@ +{ + "algorithm" : "CHACHA20-POLY1305", + "generatorVersion" : "0.8r12", + "numberOfTests" : 300, + "header" : [ + "Test vectors of type AeadTest test authenticated encryption with", + "additional data. The test vectors are intended for testing both", + "encryption and decryption." + ], + "notes" : { + }, + "schema" : "aead_test_schema.json", + "testGroups" : [ + { + "ivSize" : 96, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 1, + "comment" : "RFC 7539", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "070000004041424344454647", + "aad" : "50515253c0c1c2c3c4c5c6c7", + "msg" : "4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e", + "ct" : "d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b6116", + "tag" : "1ae10b594f09e26a7e902ecbd0600691", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 2, + "comment" : "", + "key" : "80ba3192c803ce965ea371d5ff073cf0f43b6a2ab576b208426e11409c09b9b0", + "iv" : "4da5bf8dfd5852c1ea12379d", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "76acb342cf3166a5b63c0c0ea1383c8d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 3, + "comment" : "", + "key" : "7a4cd759172e02eb204db2c3f5c746227df584fc1345196391dbb9577a250742", + "iv" : "a92ef0ac991dd516a3c6f689", + "aad" : "bd506764f2d2c410", + "msg" : "", + "ct" : "", + "tag" : "906fa6284b52f87b7359cbaa7563c709", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 4, + "comment" : "", + "key" : "cc56b680552eb75008f5484b4cb803fa5063ebd6eab91f6ab6aef4916a766273", + "iv" : "99e23ec48985bccdeeab60f1", + "aad" : "", + "msg" : 
"2a", + "ct" : "3a", + "tag" : "cac27dec0968801e9f6eded69d807522", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 5, + "comment" : "", + "key" : "46f0254965f769d52bdb4a70b443199f8ef207520d1220c55e4b70f0fda620ee", + "iv" : "ab0dca716ee051d2782f4403", + "aad" : "91ca6c592cbcca53", + "msg" : "51", + "ct" : "c4", + "tag" : "168310ca45b1f7c66cad4e99e43f72b9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 6, + "comment" : "", + "key" : "2f7f7e4f592bb389194989743507bf3ee9cbde1786b6695fe6c025fd9ba4c100", + "iv" : "461af122e9f2e0347e03f2db", + "aad" : "", + "msg" : "5c60", + "ct" : "4d13", + "tag" : "91e8b61efb39c122195453077b22e5e2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 7, + "comment" : "", + "key" : "c8833dce5ea9f248aa2030eacfe72bffe69a620caf793344e5718fe0d7ab1a58", + "iv" : "61546ba5f1720590b6040ac6", + "aad" : "88364fc8060518bf", + "msg" : "ddf2", + "ct" : "b60d", + "tag" : "ead0fd4697ec2e5558237719d02437a2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 8, + "comment" : "", + "key" : "bd8ed7fb0d607522f04d0b12d42c92570bccc5ba2486953d70ba2e8193f6225a", + "iv" : "d2ab0abb50a8e9fba25429e1", + "aad" : "", + "msg" : "201221", + "ct" : "3cf470", + "tag" : "a27a69c9d7ee84586f11388c6884e63a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 9, + "comment" : "", + "key" : "1c8b59b17a5ceced31bde97d4cefd9aaaa63362e096e863ec1c89580bca79b7a", + "iv" : "94f32a6dff588f2b5a2ead45", + "aad" : "6c8cf2ab3820b695", + "msg" : "453f95", + "ct" : "610925", + "tag" : "a8a7883eb7e40bc40e2e5922ae95ddc3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 10, + "comment" : "", + "key" : "e4912cb75a1174345f1a457366f18885fe8460b06478e04be2f7fb4ec9c113e5", + "iv" : "7aa5ad8bf5254762171ec869", + "aad" : "", + "msg" : "9e4c1d03", + "ct" : "fe6849aa", + "tag" : "99ad07871b25c27defc31a541bd5c418", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 11, + "comment" : "", + "key" : 
"e05777ef3d989ace7d2abfba452bfded54801dbd5c66e91c0c2ef00479d85572", + "iv" : "b7f526e3fd71cf5720961aec", + "aad" : "15d93a96d0e6c5a9", + "msg" : "17bfda03", + "ct" : "f4710e51", + "tag" : "b957c6a37b6a4c94996c002186d63b2b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 12, + "comment" : "", + "key" : "1a4c4f39abe890e62345c947bcf7de7c2e33bd5ceeda0a0abf0e7ef935ddf3ee", + "iv" : "9447bf85d5b97d8aee0f8e51", + "aad" : "", + "msg" : "c15a593bd0", + "ct" : "f711647ff1", + "tag" : "22b12dc38cb79629f84cdbdc2425c09d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 13, + "comment" : "", + "key" : "800e9a24791700c9609736695ba2a8b99b2d57f1c3bfb61ed49db1c6c5219583", + "iv" : "3dbe876bd880ec8ea2017043", + "aad" : "96224835610b782b", + "msg" : "a7bfd041e3", + "ct" : "d171f046ea", + "tag" : "d179b1b9c4184378df009019dbb8c249", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 14, + "comment" : "", + "key" : "208c2c376c9430433db20e1a6b7ba817f8ffbfa6827f26759ccede42e591d3ec", + "iv" : "27fb58ec6a21e84696cb8830", + "aad" : "", + "msg" : "af104b5ccd0e", + "ct" : "9351b1b1b082", + "tag" : "560785509f60f26b681933d9cdbfd29f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 15, + "comment" : "", + "key" : "2eb168e53b07ab04355ea792fe11a6be2ce9c39cfe15a997076b1e38c17ad620", + "iv" : "b5965470c383fd29fe7eaee7", + "aad" : "6d52feb2509f7fbf", + "msg" : "6fdf2927e169", + "ct" : "41abff7b71cc", + "tag" : "9b5174297c03cf8902d1f706fd008902", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 16, + "comment" : "", + "key" : "55568158d3a6483f1f7021eab69b703f614251cadc1af5d34a374fdbfc5adac7", + "iv" : "3c4e654d663fa4596dc55bb7", + "aad" : "", + "msg" : "ab85e9c1571731", + "ct" : "5dfe3440dbb3c3", + "tag" : "ed7a434e2602d394281e0afa9fb7aa42", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 17, + "comment" : "", + "key" : "e3c09e7fab1aefb516da6a33022a1dd4eb272c80d540c5da52a730f34d840d7f", + "iv" : "58389375c69ee398de948396", + "aad" : 
"84e46be8c0919053", + "msg" : "4ee5cda20d4290", + "ct" : "4bd47212941ce3", + "tag" : "185f1408ee7fbf18f5abad6e2253a1ba", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 18, + "comment" : "", + "key" : "51e4bf2bad92b7aff1a4bc05550ba81df4b96fabf41c12c7b00e60e48db7e152", + "iv" : "4f07afedfdc3b6c2361823d3", + "aad" : "", + "msg" : "be3308f72a2c6aed", + "ct" : "8e9439a56eeec817", + "tag" : "fbe8a6ed8fabb1937539dd6c00e90021", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 19, + "comment" : "", + "key" : "1131c1418577a054de7a4ac551950f1a053f9ae46e5b75fe4abd5608d7cddadd", + "iv" : "b4ea666ee119563366484a78", + "aad" : "66c0ae70076cb14d", + "msg" : "a4c9c2801b71f7df", + "ct" : "b9b910433af052b0", + "tag" : "4530f51aeee024e0a445a6328fa67a18", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 20, + "comment" : "", + "key" : "e1094967f86d893cdfe2e2e6d5c7ee4dfef67da3c9c5d64e6ad7c1577dcb38c5", + "iv" : "8092fc245b3326cddbd1424c", + "aad" : "", + "msg" : "c37aa791ddd6accf91", + "ct" : "d9d897a9c1c5bb9f01", + "tag" : "085a430373058f1a12a0d589fd5be68b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 21, + "comment" : "", + "key" : "236f9baee4f9da15beeca40ff4af7c760f254a64bc3a3d7f4fad557e61b68586", + "iv" : "f1ca81338629587acf9372bf", + "aad" : "8c32f47a386152ec", + "msg" : "d7f26d5252e1765f5b", + "ct" : "8fdb429d47761cbf8e", + "tag" : "8ef647ed334fdebbc2bef80be02884e0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 22, + "comment" : "", + "key" : "4de207a3b70c51e5f23048eed5a5da9bb65e917a69aa93e7c8b4a815cd9724de", + "iv" : "4c15a71dc6791a8c005ad502", + "aad" : "", + "msg" : "f2c54b6b5e490da18659", + "ct" : "700d35adf5100a22a1de", + "tag" : "102d992ffaff599b5bddddeb2dfb399b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 23, + "comment" : "", + "key" : "6d667fd79e5fb725f50343dccc4863227c75ee3f7a578476e3e9f32598d81559", + "iv" : "6220527aba88e27f766658b2", + "aad" : "e1e27ccddb3cb407", + "msg" : "0c8c5a252681f2b5b4c0", + "ct" 
: "04aad66c60e0bf8ebba9", + "tag" : "c15f69a4d2aef97d7748756ff49d894b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 24, + "comment" : "", + "key" : "8f4bd94ef73e75d1e068c30b37ead576c5344e093ece1330e9101c82f793cf05", + "iv" : "ec1e2967f0f6979e5f5b07fb", + "aad" : "", + "msg" : "b89812b34d9bced4a0ba07", + "ct" : "1c3d53baaa36eaa1d8ec4d", + "tag" : "4d94ebf960f12433bec43aa86d7e6e6d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 25, + "comment" : "", + "key" : "2aa3bc7033351cac51364cdaf6ffac2c20f64046e1550a7b1c65f41800599019", + "iv" : "28cce57a5db2cd206321e340", + "aad" : "a9bc350eaf2e6e3d", + "msg" : "83016823123484b56095b0", + "ct" : "1c8578f8e75203d0336a52", + "tag" : "5910f7a9d5e4df05d7248bd7a8d65e63", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 26, + "comment" : "", + "key" : "99b62bd5afbe3fb015bde93f0abf483957a1c3eb3ca59cb50b39f7f8a9cc51be", + "iv" : "9a59fce26df0005e07538656", + "aad" : "", + "msg" : "42baae5978feaf5c368d14e0", + "ct" : "ff7dc203b26c467a6b50db33", + "tag" : "578c0f2758c2e14e36d4fc106dcb29b4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 27, + "comment" : "", + "key" : "85f35b6282cff440bc1020c8136ff27031110fa63ec16f1e825118b006b91257", + "iv" : "58dbd4ad2c4ad35dd906e9ce", + "aad" : "a506e1a5c69093f9", + "msg" : "fdc85b94a4b2a6b759b1a0da", + "ct" : "9f8816de0994e938d9e53f95", + "tag" : "d086fc6c9d8fa915fd8423a7cf05072f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 28, + "comment" : "", + "key" : "faf4bfe8019a891c74901b17f4f48cee5cd065d55fdea60118aaf6c4319a0ea5", + "iv" : "b776c3fddba7c81362ce6e1b", + "aad" : "", + "msg" : "8dadff8d60c8e88f604f274833", + "ct" : "e6b33a74a4ac443bd93f9c1b94", + "tag" : "0c115172bdb02bbad3130fff22790d60", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 29, + "comment" : "", + "key" : "841020d1606edcfc536abfb1a638a7b958e21efc10c386ac45a18493450afd5f", + "iv" : "6d62f159731b140eb18ce074", + "aad" : "5a8e1c7aa39810d5", + "msg" : 
"d6af138f701b801e60c85ffd5c", + "ct" : "b0a7500aca45bb15f01ece4389", + "tag" : "0160e83adbec7f6a2ee2ff0215f9ef00", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 30, + "comment" : "", + "key" : "470f9ce3d2250bd60cbbefdb2e6a1178c012299b5590639c7797b6024fa703d8", + "iv" : "a9ea4d619fe405d04cba7d7a", + "aad" : "", + "msg" : "6ca67dd023fba6507b9f9a1f667e", + "ct" : "d3017e0bb1705b380b34cc333450", + "tag" : "5708e72ca2bd354f487f82f67fbc3acb", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 31, + "comment" : "", + "key" : "e4b97e91e4c8e85eb7ce0a7f30bf8a0abf4468251e4c6386c0e7aacb8e879aa8", + "iv" : "0e23c942a0c9fb526586eead", + "aad" : "eaaaeab26957f9a1", + "msg" : "b84b3f74cd23064bb426fe2ced2b", + "ct" : "52e9672b416d84d97033796072d0", + "tag" : "e83839dc1fd9b8b9d1444c40e488d493", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 32, + "comment" : "", + "key" : "67119627bd988eda906219e08c0d0d779a07d208ce8a4fe0709af755eeec6dcb", + "iv" : "68ab7fdbf61901dad461d23c", + "aad" : "", + "msg" : "51f8c1f731ea14acdb210a6d973e07", + "ct" : "0b29638e1fbdd6df53970be2210042", + "tag" : "2a9134087d67a46e79178d0a93f5e1d2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 33, + "comment" : "", + "key" : "e6f1118d41e4b43fb58221b7ed79673834e0d8ac5c4fa60bbc8bc4893a58894d", + "iv" : "d95b3243afaef714c5035b6a", + "aad" : "6453a53384632212", + "msg" : "97469da667d6110f9cbda1d1a20673", + "ct" : "32db66c4a3819d81557455e5980fed", + "tag" : "feae30dec94e6ad3a9eea06a0d703917", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 34, + "comment" : "", + "key" : "59d4eafb4de0cfc7d3db99a8f54b15d7b39f0acc8da69763b019c1699f87674a", + "iv" : "2fcb1b38a99e71b84740ad9b", + "aad" : "", + "msg" : "549b365af913f3b081131ccb6b825588", + "ct" : "e9110e9f56ab3ca483500ceabab67a13", + "tag" : "836ccabf15a6a22a51c1071cfa68fa0c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 35, + "comment" : "", + "key" : 
"b907a45075513fe8a8019edee3f2591487b2a030b03c6e1d771c862571d2ea1e", + "iv" : "118a6964c2d3e380071f5266", + "aad" : "034585621af8d7ff", + "msg" : "55a465644f5b650928cbee7c063214d6", + "ct" : "e4b113cb775945f3d3a8ae9ec141c00c", + "tag" : "7c43f16ce096d0dc27c95849dc383b7d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 36, + "comment" : "", + "key" : "3b2458d8176e1621c0cc24c0c0e24c1e80d72f7ee9149a4b166176629616d011", + "iv" : "45aaa3e5d16d2d42dc03445d", + "aad" : "", + "msg" : "3ff1514b1c503915918f0c0c31094a6e1f", + "ct" : "02cc3acb5ee1fcdd12a03bb857976474d3", + "tag" : "d83b7463a2c3800fe958c28eaa290813", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 37, + "comment" : "", + "key" : "f60c6a1b625725f76c7037b48fe3577fa7f7b87b1bd5a982176d182306ffb870", + "iv" : "f0384fb876121410633d993d", + "aad" : "9aaf299eeea78f79", + "msg" : "63858ca3e2ce69887b578a3c167b421c9c", + "ct" : "35766488d2bc7c2b8d17cbbb9abfad9e6d", + "tag" : "1f391e657b2738dda08448cba2811ceb", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 38, + "comment" : "", + "key" : "37ceb574ccb0b701dd11369388ca27101732339f49d8d908ace4b23af0b7ce89", + "iv" : "37270b368f6b1e3e2ca51744", + "aad" : "", + "msg" : "f26991537257378151f4776aad28ae8bd16b", + "ct" : "b621d76a8dacff00b3f840cdf26c894cc5d1", + "tag" : "e0a21716ed94c0382fa9b0903d15bb68", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 39, + "comment" : "", + "key" : "68888361919bc10622f45df168e5f6a03bd8e884c0611bea2f34c1882ed9832b", + "iv" : "bfd6ff40f2df8ca7845980cc", + "aad" : "b8373438ddb2d6c3", + "msg" : "ff97f2eefb3401ac31fc8dc1590d1a92cbc1", + "ct" : "e0a745186c1a7b147f74faff2a715df5c19d", + "tag" : "917baf703e355d4d950e6c05fe8f349f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 40, + "comment" : "", + "key" : "1b35b856b5a86d3403d28fc2103a631d42deca5175cdb0669a5e5d90b2caafc5", + "iv" : "2343de88be6c7196d33b8694", + "aad" : "", + "msg" : "21ef185c3ae9a96fa5eb473878f4d0b242781d", + "ct" : 
"d6e0ed54fccef30bd605d72da3320e249a9cb5", + "tag" : "c68bc6724ec803c43984ce42f6bd09ff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 41, + "comment" : "", + "key" : "d6484e3973f6be8c83ed3208d5be5cfa06fda72fbfdc5b19d09be3f4e4eba29d", + "iv" : "1af1d90e877e11a496efa3df", + "aad" : "cc4efd8364fb114a", + "msg" : "7335ab04b03e706109ec3ee835db9a246ea0ad", + "ct" : "29e54d608237c3c3609dba16e6edf43842d72f", + "tag" : "d3365fdcd506aaaa5368661e80e9d99b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 42, + "comment" : "", + "key" : "422add37849d6e4c3dfd8020dc6a07e8a249788f3d6a83b9cb4d802362c97542", + "iv" : "1e7e67be948de7352ffdb727", + "aad" : "", + "msg" : "d7f5e611dd3a2750fb843fc1b6b93087310dc87d", + "ct" : "7fe606652d858f595ec2e706754fa3d933fcc834", + "tag" : "78d59235aa5d03a4c32590e590c04d22", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 43, + "comment" : "", + "key" : "cdccfe3f46d782ef47df4e72f0c02d9c7f774def970d23486f11a57f54247f17", + "iv" : "376187894605a8d45e30de51", + "aad" : "956846a209e087ed", + "msg" : "e28e0e9f9d22463ac0e42639b530f42102fded75", + "ct" : "14f707c446988a4903775ec7acec6da114d43112", + "tag" : "987d4b147c490d43d376a198cab383f0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 44, + "comment" : "", + "key" : "e79dfc6d2fc465b8439e1c5baccb5d8ef2853899fc19753b397e6c25b35e977e", + "iv" : "f9d6320d7ce51d8ed0677d3a", + "aad" : "", + "msg" : "4f543e7938d1b878dacaeec81dce4899974816813b", + "ct" : "1003f13ea1329cbb187316f64c3ff3a87cf5b96661", + "tag" : "d2323ad625094bec84790d7958d5583f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 45, + "comment" : "", + "key" : "1d7b8f1d96a1424923aef8a984869d4a777a110990ba465627acf80396c7f376", + "iv" : "50ba1962cdc32a5a2d36e640", + "aad" : "093053e20261daab", + "msg" : "5d3efd5767f3c12efd08af9a44e028ae68c9eff843", + "ct" : "2d48b0834e9ffe3046103ef7a214f02e8e4d33360e", + "tag" : "d533ad089be229ea606ec0f3fa22eb33", + "result" : "valid", + "flags" : [] + }, + { + "tcId" 
: 46, + "comment" : "", + "key" : "dd433e28cfbcb5de4ab36a02bf38686d83208771a0e63dcd08b4df1a07ac47a1", + "iv" : "c9cc0a1afc38ec6c30c38c68", + "aad" : "", + "msg" : "8a3e17aba9606dd49e3b1a4d9e5e42f1742373632489", + "ct" : "e9917ff3e64bbe1783579375e75ea823976b35539949", + "tag" : "074a890669b25105434c75beed3248db", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 47, + "comment" : "", + "key" : "a60924101b42ac24154a88de42142b2334cf599176caf4d1226f712dd9172930", + "iv" : "8ba77644b08d65d5e9f31942", + "aad" : "b2a4e12a19a61c75", + "msg" : "c949957e66439deee4b2ac1d4a6c98a6c527b90f52ab", + "ct" : "db4c700513818972b0dc0e531b1c281ca03e40c60dea", + "tag" : "63f4478bba2af469a7a4dc3b4f141360", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 48, + "comment" : "", + "key" : "1aa42027836965b1e6086fa137f9cf7f1ff48676696829bd281ff81c8ea0a4a9", + "iv" : "4b3dca84ecc407f424f281a9", + "aad" : "", + "msg" : "37252a3eb5c8960f0567e503a9035783b3d0a19a4b9a47", + "ct" : "b5f14617491fc923b683e2cc9562d043dd5986b97dbdbd", + "tag" : "972ce54713c05c4bb4d088c0a30cacd3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 49, + "comment" : "", + "key" : "5d40db0cc18ef2e42815d3b6245a466a0b30a0f93e318ac10edde3bf8ad98160", + "iv" : "acad618039b317470d21621b", + "aad" : "413036411af75745", + "msg" : "959dde1ef3129b27702c558849e466f2baca1a45bdf4b2", + "ct" : "b7ca3879f95140bf6a97b3212218b7bf864a51e5bb0b3e", + "tag" : "fe558fb570145470ea693eb76eb73171", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 50, + "comment" : "", + "key" : "0212a8de5007ed87b33f1a7090b6114f9e08cefd9607f2c276bdcfdbc5ce9cd7", + "iv" : "e6b1adf2fd58a8762c65f31b", + "aad" : "", + "msg" : "10f1ecf9c60584665d9ae5efe279e7f7377eea6916d2b111", + "ct" : "42f26c56cb4be21d9d8d0c80fc99dde00d75f38074bfe764", + "tag" : "54aa7e13d48fff7d7557039457040a3a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 51, + "comment" : "", + "key" : "c5bc09565646e7edda954f1f739223dada20b95c44ab033d0fae4b0283d18be3", + 
"iv" : "6b282ebecc541bcd7834ed55", + "aad" : "3e8bc5ade182ff08", + "msg" : "9222f9018e54fd6de1200806a9ee8e4cc904d29f25cba193", + "ct" : "123032437b4bfd6920e8f7e7e0087ae4889ebe7a0ad0e900", + "tag" : "3cf68f179550da63d3b96c2d55411865", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 52, + "comment" : "", + "key" : "9460b3c44ed86e70f3bda66385e1ca10b0c1677ef4f1360532830d17535f996f", + "iv" : "abfaf42e0dba884efcf07823", + "aad" : "", + "msg" : "5c5cce881b93fb7a1b7939af1ffc5f84d3280ada778cca0953", + "ct" : "1d218c9f1f9f02f248a6f976a7557057f37d9393d9f213c1f3", + "tag" : "bc88344c6fdc898feed394fb28511316", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 53, + "comment" : "", + "key" : "c111d6d5d78a071b15ab37cc8c3819199387ab7c1933aa97b1489f6584ba8e2a", + "iv" : "85f18ad8ff72cafee2452ab8", + "aad" : "84cdff939391c022", + "msg" : "6989c646a10b7c76f4d9f7d574da40e152013cf0dd78f5aa8a", + "ct" : "9715d344e8d3f3a3eaa98a9cea57c0cd717c6ef5076027c9ec", + "tag" : "3056ff5ee0aa8636bb639984edb5236b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 54, + "comment" : "", + "key" : "8a1b1e699a0c4a3e610b10902daedab1bf1ea0d505c47d7842cbcee0d3b1b6e6", + "iv" : "a6f9a8d335fa84c3b27dcd2a", + "aad" : "", + "msg" : "ee6a15fc183108f0877e7f2b8a9615f4b3fc36e1c83440f66aad", + "ct" : "9089bbdb8bcfd124e227bf75c4bfe1cba2004a274fc31aa32358", + "tag" : "fd2e21c64a019621c68594826cd7b1cd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 55, + "comment" : "", + "key" : "74b384e6e013ec4172ed7a28a10fb9bb79b4be2a24f6999e3d3caa28e64a8656", + "iv" : "ebc19fc9ecb2339908ea3836", + "aad" : "85073f2edc13d3a1", + "msg" : "3aa9f7372f056e5a0729752d9a37132d6dd07c56792e1c7582a9", + "ct" : "796ffb70ab43e7fa79f95583e384524727bb3e47fc45b969f714", + "tag" : "c3322b4445de5f3c9f18dcc847cc94c3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 56, + "comment" : "", + "key" : "77d824795d2029f0eb0e0baab5cfeb32f7e93474913a7f95c737a667a3c33314", + "iv" : "f3307430f492d2b8a72d3a81", + "aad" 
: "", + "msg" : "0c4179a497d8fdd72796fb725692b805d63b7c718359cf10518aee", + "ct" : "49c81d17d67d7ba9954f497d0b0ddc21f3f839c9d2cc198d30bc2c", + "tag" : "50009899e5b2a9726c8f3556cadfbe84", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 57, + "comment" : "", + "key" : "bec5eac68f893951cbd7d1ecd3ee6611130dd9c3f80cddf95111d07d5edd76d1", + "iv" : "342ada4f0c115124b222df80", + "aad" : "73365f6d80edb1d8", + "msg" : "481433d8b1cd38af4a750e13a64b7a4e8507682b3517595938a20e", + "ct" : "4c129fc13cbdd9d3fe81ac755bf4fbea2fdd7e0aca0505a6ee9637", + "tag" : "9cede1d30a03db5d55265d3648bc40d4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 58, + "comment" : "", + "key" : "a59c1e13064df8f2b8df77a492b0ca2eae921b52a84b305a3a9a51408a9ecb69", + "iv" : "9544d41ece0c92ef01cfac2d", + "aad" : "", + "msg" : "1c35b898821ba55c2617c25df9e6df2a8002b384902186cd69dfd20e", + "ct" : "a6fa8f57ddc81d6099f667dd62402b6a5d5b7d05a329298029113169", + "tag" : "bb24e38b31dbbc3e575b9e3ee076af2a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 59, + "comment" : "", + "key" : "084b5d7365f1a8fec6365939ed741e6ea5893e0318d82ab47500a97d77aaa041", + "iv" : "829f005e980f0a6e2f983eaa", + "aad" : "770f6e6e89a3fe8e", + "msg" : "7510016efadc385a71ed689ceb590c8ea9cc1e81b793338bddf5f10c", + "ct" : "fd42cb5cf894f879e3cf751662aaa58a2288cc53548802becaf42359", + "tag" : "188329438afe1cd7225d0478aa90c773", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 60, + "comment" : "", + "key" : "5a7f850a1d9aafa77d59ae1b731965e8aaec6352280fc76a7b5e23ef3610cfe4", + "iv" : "4946a0d6adea93b82d4332e5", + "aad" : "", + "msg" : "3c161d791f624fb0388e808f0f69ed790dbe4cbd089ebac46627bcf01d", + "ct" : "402302b56140c4dcc39774732c55883de124ce4bf0a0261cfa1569e2cf", + "tag" : "e830bfe933a96786cff2dd72b82c4bd5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 61, + "comment" : "", + "key" : "e6d5a4246f6f05618b59c8f9ec3ac8068cc0d3f351c571aa52b09cb251f9c2f6", + "iv" : "2f90a65e9e48725de6ffc727", + "aad" : 
"f2415377ad283fd8", + "msg" : "964fc9e0e8355947aa1c2caadd7b3dbef82a1024e623606fac436ef573", + "ct" : "d052932bad6e6c4f835f02019e52d7ff807dc2a5aac2040883c79dd3d5", + "tag" : "655f93396b4d755dc4475721665fed91", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 62, + "comment" : "", + "key" : "09e822123adbb1ed89b79a58619c64853992f8371d46338712f6c91ab11a68bb", + "iv" : "a797205a6cacdd7e47a4789d", + "aad" : "", + "msg" : "80b71bbe833629841bd3aeaeb9db6123e51d367b436fe9d2d3454b62cfad", + "ct" : "83f5c77396cabd28dfcc002cba0756d4ea5455e0261d847d5708aac21e8d", + "tag" : "705a05820a21f381d244d40e58d2f16b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 63, + "comment" : "", + "key" : "625735fe7f8fc81b0c1edc3d08a78b41268f87a3c68488b674222630c1d587a5", + "iv" : "9d8cdf289dddd09afdc1b02f", + "aad" : "200a9c95946ff05c", + "msg" : "67ae1882d0b1c1b2485bec98115ecf53b9b438deb1d0400531705038873a", + "ct" : "209b7539385c8b19ecd0fd8b5011b2996e316f1942064e68edfa363acbcd", + "tag" : "fa2f454b9fa2608f780f7c6f9b780fe1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 64, + "comment" : "", + "key" : "2eb51c469aa8eb9e6c54a8349bae50a20f0e382711bba1152c424f03b6671d71", + "iv" : "04a9be03508a5f31371a6fd2", + "aad" : "", + "msg" : "b053999286a2824f42cc8c203ab24e2c97a685adcc2ad32662558e55a5c729", + "ct" : "45c7d6b53acad4abb68876a6e96a48fb59524d2c92c9d8a189c9fd2db91746", + "tag" : "566d3ca10e311b695f3eae1551652493", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 65, + "comment" : "", + "key" : "7f5b74c07ed1b40fd14358fe2ff2a740c116c7706510e6a437f19ea49911cec4", + "iv" : "470a339ecb3219b8b81a1f8b", + "aad" : "374618a06ea98a48", + "msg" : "f45206abc25552b2abc9ab7fa243035fedaaddc3b2293956f1ea6e7156e7eb", + "ct" : "46a80c4187024720084627580080dde5a3f4a11093a7076ed6f3d326bc7b70", + "tag" : "534d4aa2835a52e72d14df0e4f47f25f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 66, + "comment" : "", + "key" : 
"e1731d5854e1b70cb3ffe8b786a2b3ebf0994370954757b9dc8c7bc5354634a3", + "iv" : "72cfd90ef3026ca22b7e6e6a", + "aad" : "", + "msg" : "b9c554cbc36ac18ae897df7beecac1dbeb4eafa156bb60ce2e5d48f05715e678", + "ct" : "ea29afa49d36e8760f5fe19723b9811ed5d519934a440f5081ac430b953b0e21", + "tag" : "222541af46b86533c6b68d2ff108a7ea", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 67, + "comment" : "", + "key" : "27d860631b0485a410702fea61bc873f3442260caded4abde25b786a2d97f145", + "iv" : "262880d475f3dac5340dd1b8", + "aad" : "2333e5ce0f93b059", + "msg" : "6b2604996cd30c14a13a5257ed6cffd3bc5e29d6b97eb1799eb335e281ea451e", + "ct" : "6dad637897544d8bf6be9507ed4d1bb2e954bc427e5de729daf50762846ff2f4", + "tag" : "7b997d93c982189d7095dc794c746232", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 68, + "comment" : "", + "key" : "5155dee9aade1cc61ee7e3f92660f7590f5e5ba82f1b59b850e3fa453d2fa6b3", + "iv" : "c26c4b3bfdb97ee6b0f63ca1", + "aad" : "", + "msg" : "2734e08eff8f5c4f84fa0c207f49c7fd78af1ad5123ff81f83f500edf4eda09edf", + "ct" : "f5982b601c7a18fc72a65b218c44974dc564d8314cbe6f87fcf6c6cfbe618b34b1", + "tag" : "c43632f55760b5d1ed37556a94d049b5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 69, + "comment" : "", + "key" : "573f08ebbe0cce4ac9618e8c3b224bea0a32f055c6996838a32f527ca3c3b695", + "iv" : "ad8050dc6d122dce3e5639ed", + "aad" : "e99698241c599b5f", + "msg" : "668d5e3f95fe030daf432a5fc5837af3a79c81e94b28d8204c5ee262ab3c9908a7", + "ct" : "eaf6810e6ec1cb7a2918856257d1aa3d51a827879146c6337ecf535e9c89b149c5", + "tag" : "a2950c2f394a3466c345f796323c1aa7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 70, + "comment" : "", + "key" : "cf0d40a4644e5f51815165d5301b22631f4544c49a1878e3a0a5e8e1aae0f264", + "iv" : "e74a515e7e2102b90bef55d2", + "aad" : "", + "msg" : "973d0c753826bae466cf9abb3493152e9de7819e2bd0c71171346b4d2cebf8041aa3cedc0dfd7b467e26228bc86c9a", + "ct" : 
"fba78ae4f9d808a62e3da40be2cb7700c3613d9eb2c529c652e76a432c658d27095f0eb8f940c324981ea935e507f9", + "tag" : "8f046956db3a512908bd7afc8f2ab0a9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 71, + "comment" : "", + "key" : "6cbfd71c645d184cf5d23c402bdb0d25ec54898c8a0273d42eb5be109fdcb2ac", + "iv" : "d4d807341683825b31cd4d95", + "aad" : "b3e4064683b02d84", + "msg" : "a98995504df16f748bfb7785ff91eeb3b660ea9ed3450c3d5e7b0e79ef653659a9978d75542ef91c456762215640b9", + "ct" : "a1ffed80761829ecce242e0e88b138049016bca018da2b6e19986b3e318cae8d806198fb4c527cc39350ebddeac573", + "tag" : "c4cbf0befda0b70242c640d7cd02d7a3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 72, + "comment" : "", + "key" : "5b1d1035c0b17ee0b0444767f80a25b8c1b741f4b50a4d3052226baa1c6fb701", + "iv" : "d61040a313ed492823cc065b", + "aad" : "", + "msg" : "d096803181beef9e008ff85d5ddc38ddacf0f09ee5f7e07f1e4079cb64d0dc8f5e6711cd4921a7887de76e2678fdc67618f1185586bfea9d4c685d50e4bb9a82", + "ct" : "9a4ef22b181677b5755c08f747c0f8d8e8d4c18a9cc2405c12bb51bb1872c8e8b877678bec442cfcbb0ff464a64b74332cf072898c7e0eddf6232ea6e27efe50", + "tag" : "9ff3427a0f32fa566d9ca0a78aefc013", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 73, + "comment" : "", + "key" : "97d635c4f47574d9998a90875da1d3a284b755b2d39297a5725235190e10a97e", + "iv" : "d31c21aba175b70de4ebb19c", + "aad" : "7193f623663321a2", + "msg" : "94ee166d6d6ecf8832437136b4ae805d428864359586d9193a25016293edba443c58e07e7b7195ec5bd84582a9d56c8d4a108c7d7ce34e6c6f8ea1bec0567317", + "ct" : "5fbbdecc34be201614f636031eeb42f1cace3c79a12cffd871ee8e73820c829749f1abb4294367849fb6c2aa56bda8a3078f723d7c1c852024b017b58973fb1e", + "tag" : "09263da7b4cb921452f97dca40f580ec", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 74, + "comment" : "", + "key" : "fe6e55bdaed1f7284ca5fc0f8c5f2b8df56dc0f49e8ca66a41995e783351f901", + "iv" : "17c86a8abbb7e003acde2799", + "aad" : "", + "msg" : 
"b429eb80fb8fe8baeda0c85b9c333458e7c2992e558475069d12d45c22217564121588032297eff56783742a5fc22d7410ffb29d66098661d76f126c3c27689e43b37267cac5a3a6d3ab49e391da29cd3054a5692e2807e4c3ea46c8761d50f592", + "ct" : "d0102f6c258bf49742cec34cf2d0fedf23d105fb4c84cf98515e1bc9a64f8ad5be8f0721bde50645d00083c3a263a31053b760245f52ae2866a5ec83b19f61be1d30d5c5d9fecc4cbbe08fd385813a2aa39a00ff9c10f7f23702add1e4b2ffa31c", + "tag" : "41865fc71de12b19612127ce49993bb0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 75, + "comment" : "", + "key" : "aabc063474e65c4c3e9bdc480dea97b45110c8618846ff6b15bdd2a4a5682c4e", + "iv" : "46362f45d6379e63e5229460", + "aad" : "a11c40b603767330", + "msg" : "ceb534ce50dc23ff638ace3ef63ab2cc2973eeada80785fc165d06c2f5100ff5e8ab2882c475afcd05ccd49f2e7d8f55ef3a72e3dc51d6852b8e6b9e7aece57be6556b0b6d9413e33fc5fc24a9a205ad59574bb39d944a92dc47970d84a6ad3176", + "ct" : "7545391b51de01d5c53dfaca777909063e58edee4bb1227e7110ac4d2620c2aec2f848f56deeb037a8dced75afa8a6c890e2dee42f950bb33d9e2424d08a505d899563973ed38870f3de6ee2adc7fe072c366c14e2cf7ca62fb3d36bee11685461", + "tag" : "b70d44ef8c66c5c7bbf10dcadd7facf6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 76, + "comment" : "", + "key" : "d7addd3889fadf8c893eee14ba2b7ea5bf56b449904869615bd05d5f114cf377", + "iv" : "8a3ad26b28cd13ba6504e260", + "aad" : "", + "msg" : "c877a76bf595560772167c6e3bcc705305db9c6fcbeb90f4fea85116038bc53c3fa5b4b4ea0de5cc534fbe1cf9ae44824c6c2c0a5c885bd8c3cdc906f12675737e434b983e1e231a52a275db5fb1a0cac6a07b3b7dcb19482a5d3b06a9317a54826cea6b36fce452fa9b5475e2aaf25499499d8a8932a19eb987c903bd8502fe", + "ct" : "294a764c03353f5f4f6e93cd7e977480d6c343071db0b7c1f0db1e95b85e6053f0423168a9c7533268db9a194e7665359d14489bc47172a9f21370e89b0bd0e5ef9661738de282572bcc3e541247626e57e75dec0f91ac5c530bd1a53271842996dcd04d865321b1ecb6e7630114fe780291b8dc3e5d0abc8e65b1c5493e9af0", + "tag" : "f2b974ca0f14fb9f92014bff18573cff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 77, + 
"comment" : "", + "key" : "80be86fb6fc49bc73428cab576f6ad72ff6aca04001b8b1c57a7128be73900aa", + "iv" : "903188433c1ce8971aa19b9d", + "aad" : "0587af8530ad0547", + "msg" : "67ce499cd8ed68bd717dfe61c60f27d260b1c163a72e8cc8597253d3d987c2dbe1bff2e44d9bd4765d3e53d9c3f8eb3b90e751f47c7157bdc1142bc33f5833ac1cd1262cbb239066b334a4ed99ae82c74f2b49540f1a614bc239d8fc5add8c178184e41281f6e66c5c3117fd953547f7c829425b5082aa69686847eaf5784692", + "ct" : "2b90b4f3de280c44913d1984bdd5dfa0566c6a14a058659a9b623277b0bb6e82101e79395d12e643f62d9a822bae497907493e4f8213fcf99da8a78fdf867af36bc8b0931c1886b4f0ae5729986494dbd59737e956cd8f226c7c522689d082f023894d54acab0c4d609f3746a67369bb8876008f7fd3dc6681c5fb9d728c5911", + "tag" : "f005ebe1c1ada75a9cee8d630881d5b8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 78, + "comment" : "", + "key" : "7d00b48095adfa3272050607b264185002ba99957c498be022770f2ce2f3143c", + "iv" : "87345f1055fd9e2102d50656", + "aad" : "02", + "msg" : "e5ccaa441bc814688f8f6e8f28b500b2", + "ct" : "7e72f5a185af16a611921b438f749f0b", + "tag" : "1242c670732334029adfe1c5001651e4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 79, + "comment" : "", + "key" : "6432717f1db85e41ac7836bce25185a080d5762b9e2b18444b6ec72c3bd8e4dc", + "iv" : "87a3163ec0598ad95b3aa713", + "aad" : "b648", + "msg" : "02cde168fba3f544bbd0332f7adeada8", + "ct" : "85f29a719557cdd14d1f8fffab6d9e60", + "tag" : "732ca32becd515a1ed353f542e999858", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 80, + "comment" : "", + "key" : "7afa0f59dfcb5ad3a76490c5c804327c8d052be737a60fa8bcbf0a2c36630a43", + "iv" : "25b7bdf4a6dcbf7c9a3ec2b3", + "aad" : "8b71ac", + "msg" : "623e6ba6d3166a338bfcc7af90a230c8", + "ct" : "d46e8265a8c6a25393dd956bb44397ad", + "tag" : "e28f3ad9e3ef4a3d94ee07bf538eaafb", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 81, + "comment" : "", + "key" : "2ec25b0ec7ac244224e9c7fc2fa5d3ef17809e19fd6e954158dd0d72738a4cc8", + "iv" : "6fb0d1417cdfff4df37db08c", + "aad" : 
"3a5ddf40", + "msg" : "a1c933768a6d573ebf68a99e5e18dae8", + "ct" : "2d3cb2d9303491e264f2904f0e0753f4", + "tag" : "6c1db959362d217b2322b466536bfea0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 82, + "comment" : "", + "key" : "0a2cf52371cf9d9f95b10108fc82b4fd6110a8ba9a88a26083685ad29826891a", + "iv" : "2538fc67afb9eab333f83290", + "aad" : "9eec540bb0", + "msg" : "0d8c691d044a3978d790432dc71d69f8", + "ct" : "a988c03c71b956ff086d0470d706bd34", + "tag" : "b35d7cbf2beb894b0c746e0730429e15", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 83, + "comment" : "", + "key" : "307e886b38bb18b445f8a2c6d6f8932492a9cea8d041ba72eb5efdfa70d0b8d2", + "iv" : "a071be999151e2a1c41c81e9", + "aad" : "56e014d97c74", + "msg" : "9aba22b495cb7ec887ddaa62019aa14d", + "ct" : "32bf95d4c195dbaf58d9af4001c6e57d", + "tag" : "4393808703d67a90870578046cd8b525", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 84, + "comment" : "", + "key" : "dacd51a8a8e4d5905b4cbb947ef4013eb296889353f3c9ee35f5577b26737a51", + "iv" : "3fa378a1befdddd61ae68cf4", + "aad" : "bb5a3812f0aefd", + "msg" : "e148313883a77da121124d06b1c77dca", + "ct" : "2a207ca7e9da6b13a229604304d87eb1", + "tag" : "8a6b6afec87d93ec6e8dbe13d84c0f8c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 85, + "comment" : "", + "key" : "7b5fbbb202c16108fd13066446853a850d8b34e9da40519580da446a922f9162", + "iv" : "aa077a5ce9161bde8d8edc40", + "aad" : "f94bb92c1c668a695b", + "msg" : "da471cd6935a0ca8307ddedc6b959962", + "ct" : "548a5ca0ae49211cdf30bbdcb1352d31", + "tag" : "204dacb98f8c8908cc5ea22bb23f901f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 86, + "comment" : "", + "key" : "1ffd101eb97531f6faa821ec4d5c5702725dd033d3b830bb760c4ef27ba983df", + "iv" : "598114e8cf7fbdea8ad29683", + "aad" : "2155627ec15a978fbcb2", + "msg" : "28668ca8db535c7e8eb27491ad0fb7cb", + "ct" : "28cedac24f14caa326c7fe401f68a87c", + "tag" : "2bf1b2c43d3039f8f5ce359c1102f879", + "result" : "valid", + "flags" : [] + }, + { + 
"tcId" : 87, + "comment" : "", + "key" : "d2d0a973d5951af352cbee57ac9dab1c284c99af3b992ce015f219506f64888d", + "iv" : "9acd213570ce9bb9d886c6ef", + "aad" : "37ad668d4d4fe889949763", + "msg" : "3f3f0076250352e1b6b5c12cfa12625e", + "ct" : "7256e856872ad3a54b34a2a6bdca8838", + "tag" : "3b12e4586e45223f78a6eea811efb863", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 88, + "comment" : "", + "key" : "adcc520b381382237d05a6400a7dfbcd0771b6aa9edb7966131ddef6af21f1be", + "iv" : "9183cdf3a8ba7397b6b2d5d5", + "aad" : "b334375415f6215c0bf89a9a", + "msg" : "958295619cf1b36f0b474663c0bc79eb", + "ct" : "852c141b4239a31feeda03550d70a2be", + "tag" : "5fc59287b92d3fcf7d66f13defb11b0d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 89, + "comment" : "", + "key" : "bd534f7adeca466844fb3ba34658be807f15c5291ed6026860a24f179b712c89", + "iv" : "412c3e13ee1f7864bd15ce39", + "aad" : "2866afff0bcc6135dc63af88c8", + "msg" : "d92f8ce5d8d0ad2eb5f11af02ef63949", + "ct" : "89d6d089c4a255952aca11b24a01ff95", + "tag" : "f88fa4531204da315e7317970240ce9e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 90, + "comment" : "", + "key" : "910ade7d324d2c9688439e1f142e0e5f9d130ff832e507fe1985e5a26452a6d0", + "iv" : "9be090dba93deff27adf99ee", + "aad" : "ea2575f123268e936c8e4c8c1bb8", + "msg" : "6e356094ed9d9a7053c7906c48ba3d9f", + "ct" : "01ffb343c757b27843d8a900a36ce39d", + "tag" : "a315541b7d6313c6fddf64b303d71d60", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 91, + "comment" : "", + "key" : "8e34cf73d245a1082a920b86364eb896c4946467bcb3d58929fcb36690e6394f", + "iv" : "6f573aa86baa492ba46596df", + "aad" : "bd4cd02fc7502bbdbdf6c9a3cbe8f0", + "msg" : "16ddd23ff53f3d23c06334487040eb47", + "ct" : "c1b295936d56fadac03e5f742bff73a1", + "tag" : "39c457dbab66382babb3b55800cda5b8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 92, + "comment" : "", + "key" : "cb5575f5c7c45c91cf320b139fb594237560d0a3e6f865a67d4f633f2c08f016", + "iv" : 
"1a6518f02ede1da6809266d9", + "aad" : "89cce9fb47441d07e0245a66fe8b778b", + "msg" : "623b7850c321e2cf0c6fbcc8dfd1aff2", + "ct" : "c84c9bb7c61c1bcb17772a1c500c5095", + "tag" : "dbadf7a5138ca03459a2cd65831e092f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 93, + "comment" : "", + "key" : "a5569e729a69b24ba6e0ff15c4627897436824c941e9d00b2e93fddc4ba77657", + "iv" : "564dee49ab00d240fc1068c3", + "aad" : "d19f2d989095f7ab03a5fde84416e00c0e", + "msg" : "87b3a4d7b26d8d3203a0de1d64ef82e3", + "ct" : "94bc80621ed1e71b1fd2b5c3a15e3568", + "tag" : "333511861796978401598b963722f5b3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 94, + "comment" : "", + "key" : "56207465b4e48e6d04630f4a42f35cfc163ab289c22a2b4784f6f9290330bee0", + "iv" : "df8713e87ec3dbcfad14d53e", + "aad" : "5e6470facd99c1d81e37cd44015fe19480a2a4d3352a4ff560c0640fdbda", + "msg" : "e601b38557797da2f8a4106a089d1da6", + "ct" : "299b5d3f3d03c087209a16e285143111", + "tag" : "4b454ed198de117e83ec49fa8d8508d6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 95, + "comment" : "", + "key" : "077433022ab34d380fc192fc24c2edc6301fec6f24442f572a1087ff2e05b39a", + "iv" : "28adcbc74364f26dd4b3108b", + "aad" : "e0100eb116cdc5e22a3b9f9b4126c149595e75107f6e237c69e82960052270", + "msg" : "03c874eeaaa6fa9f0da62c758fb0ad04", + "ct" : "1e9687b35fbc8eaa1825ed3847798f76", + "tag" : "0788bf70fd04030ecd1c96d0bc1fcd5d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 96, + "comment" : "", + "key" : "3937986af86dafc1ba0c4672d8abc46c207062682d9c264ab06d6c5807205130", + "iv" : "8df4b15a888c33286a7b7651", + "aad" : "ba446f6f9a0ced22450feb10737d9007fd69abc19b1d4d9049a5551e86ec2b37", + "msg" : "dc9e9eaf11e314182df6a4eba17aec9c", + "ct" : "605bbf90aeb974f6602bc778056f0dca", + "tag" : "38ea23d99054b46b42ffe004129d2204", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 97, + "comment" : "", + "key" : "36372abcdb78e0279646ac3d176b9674e9154eecf0d5469c651ec7e16b4c1199", + "iv" : 
"be40e5f1a11817a0a8fa8949", + "aad" : "d41a828d5e71829247021905402ea257dccbc3b80fcd5675056b68bb59e62e8873", + "msg" : "81ce84ede9b35859cc8c49a8f6be7dc6", + "ct" : "7b7ce0d824809a70de32562ccf2c2bbd", + "tag" : "15d44a00ce0d19b4231f921e22bc0a43", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 98, + "comment" : "", + "key" : "9f1479ed097d7fe529c11f2f5add9aaff4a1ca0b68997a2cb7f79749bd90aaf4", + "iv" : "84c87dae4eee27730ec35d12", + "aad" : "3f2dd49bbf09d69a78a3d80ea2566614fc379474196c1aae84583da73d7ff85c6f42ca42056a9792cc1b9fb3c7d261", + "msg" : "a66747c89e857af3a18e2c79500087ed", + "ct" : "ca82bff3e2f310ccc976672c4415e69b", + "tag" : "57638c62a5d85ded774f913c813ea032", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 99, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "00000000000000000000000000000000", + "msg" : "65b63bf074b7283992e24b1ac0df0d22b555dbe2254d94a43f1de748d3cc6f0d", + "ct" : "0000000000000000000000000000000000000000000000000000000000000000", + "tag" : "39f4fce3026d83789ffd1ee6f2cd7c4f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 100, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "00000000000000000000000000000000", + "msg" : "65b63bf074b7283992e24b1ac0df0d22b555dbe2254d94a43f1de748d3cc6f0d20c142fe898fbbe668d4324394434c1b18b58ead710aed9c31db1f2a8a1f1bb2", + "ct" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "tag" : "f5eaa804605c3a4785f9d7f13b6f67d6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 101, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "00000000000000000000000000000000", + "msg" : 
"65b63bf074b7283992e24b1ac0df0d22b555dbe2254d94a43f1de748d3cc6f0d20c142fe898fbbe668d4324394434c1b18b58ead710aed9c31db1f2a8a1f1bb24405c183af94ee1ad630cd931158a6213d48c8fff10d0a1f9ef760188e658802aad55e41a1d99069a18db55c56af7c10a6f21ecc8af9b7ce0a7ea0b67426e925", + "ct" : "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "tag" : "9b5c43a78d954e8a3c659eebc13d5d55", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 102, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "ffffffffffffffffffffffffffffffff", + "msg" : "9a49c40f8b48d7c66d1db4e53f20f2dd4aaa241ddab26b5bc0e218b72c3390f2", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "37e3399d9ca696799f08f4f72bc0cdd8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 103, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "ffffffffffffffffffffffffffffffff", + "msg" : "9a49c40f8b48d7c66d1db4e53f20f2dd4aaa241ddab26b5bc0e218b72c3390f2df3ebd0176704419972bcdbc6bbcb3e4e74a71528ef51263ce24e0d575e0e44d", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "3d52710bec86d4ea9fea2ff269549191", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 104, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "ffffffffffffffffffffffffffffffff", + "msg" : 
"9a49c40f8b48d7c66d1db4e53f20f2dd4aaa241ddab26b5bc0e218b72c3390f2df3ebd0176704419972bcdbc6bbcb3e4e74a71528ef51263ce24e0d575e0e44dbbfa3e7c506b11e529cf326ceea759dec2b737000ef2f5e061089fe7719a77fd552aa1be5e266f965e724aa3a95083ef590de13375064831f5815f498bd916da", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "51356329e280b12d55d3d98f0a580cbe", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 105, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "00000080000000800000008000000080", + "msg" : "65b63b7074b728b992e24b9ac0df0da2b555db62254d94243f1de7c8d3cc6f8d", + "ct" : "0000008000000080000000800000008000000080000000800000008000000080", + "tag" : "c152a4b90c548c71dc479edeaf9211bf", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 106, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "00000080000000800000008000000080", + "msg" : "65b63b7074b728b992e24b9ac0df0da2b555db62254d94243f1de7c8d3cc6f8d20c1427e898fbb6668d432c394434c9b18b58e2d710aed1c31db1faa8a1f1b32", + "ct" : "00000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080", + "tag" : "40ef6383052d91c2e4b4611b0e32c5ff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 107, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "00000080000000800000008000000080", + "msg" : 
"65b63b7074b728b992e24b9ac0df0da2b555db62254d94243f1de7c8d3cc6f8d20c1427e898fbb6668d432c394434c9b18b58e2d710aed1c31db1faa8a1f1b324405c103af94ee9ad630cd131158a6a13d48c87ff10d0a9f9ef760988e658882aad55ec1a1d990e9a18db5dc56af7c90a6f21e4c8af9b74e0a7ea0367426e9a5", + "ct" : "0000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080", + "tag" : "ae9b542541e84fc74542eed6be638fee", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 108, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "80000000800000008000000080000000", + "msg" : "e5b63bf0f4b7283912e24b1a40df0d223555dbe2a54d94a4bf1de74853cc6f0d", + "ct" : "8000000080000000800000008000000080000000800000008000000080000000", + "tag" : "10fee3ecfba9cdf797bae37a626ec83b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 109, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "80000000800000008000000080000000", + "msg" : "e5b63bf0f4b7283912e24b1a40df0d223555dbe2a54d94a4bf1de74853cc6f0da0c142fe098fbbe6e8d4324314434c1b98b58eadf10aed9cb1db1f2a0a1f1bb2", + "ct" : "80000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000", + "tag" : "7490795bdbbbf5d0aecb9a4f65aa379f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 110, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "80000000800000008000000080000000", + "msg" : 
"e5b63bf0f4b7283912e24b1a40df0d223555dbe2a54d94a4bf1de74853cc6f0da0c142fe098fbbe6e8d4324314434c1b98b58eadf10aed9cb1db1f2a0a1f1bb2c405c1832f94ee1a5630cd939158a621bd48c8ff710d0a1f1ef760180e6588022ad55e4121d99069218db55cd6af7c1026f21ecc0af9b7ce8a7ea0b6f426e925", + "ct" : "8000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000800000008000000080000000", + "tag" : "1d1096a8ca9e2bda2762c41d5b16f62f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 111, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "ffffff7fffffff7fffffff7fffffff7f", + "msg" : "9a49c48f8b48d7466d1db4653f20f25d4aaa249ddab26bdbc0e218372c339072", + "ct" : "ffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7f", + "tag" : "af8492c792bf8d8062be74ff6efb3869", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 112, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "ffffff7fffffff7fffffff7fffffff7f", + "msg" : "9a49c48f8b48d7466d1db4653f20f25d4aaa249ddab26bdbc0e218372c339072df3ebd8176704499972bcd3c6bbcb364e74a71d28ef512e3ce24e05575e0e4cd", + "ct" : "ffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7f", + "tag" : "f24db68c46b67d6f402fa6c897913368", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 113, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "ffffff7fffffff7fffffff7fffffff7f", + "msg" : 
"9a49c48f8b48d7466d1db4653f20f25d4aaa249ddab26bdbc0e218372c339072df3ebd8176704499972bcd3c6bbcb364e74a71d28ef512e3ce24e05575e0e4cdbbfa3efc506b116529cf32eceea7595ec2b737800ef2f56061089f67719a777d552aa13e5e266f165e724a23a950836f590de1b3750648b1f5815fc98bd9165a", + "ct" : "ffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7f", + "tag" : "43f651ab2e2eb0f04bf689a40d32da24", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 114, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "7fffffff7fffffff7fffffff7fffffff", + "msg" : "1a49c40f0b48d7c6ed1db4e5bf20f2ddcaaa241d5ab26b5b40e218b7ac3390f2", + "ct" : "7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff", + "tag" : "60d95294a3694cfaa64b2f63bc1f82ec", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 115, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "7fffffff7fffffff7fffffff7fffffff", + "msg" : "1a49c40f0b48d7c6ed1db4e5bf20f2ddcaaa241d5ab26b5b40e218b7ac3390f25f3ebd01f6704419172bcdbcebbcb3e4674a71520ef512634e24e0d5f5e0e44d", + "ct" : "7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff", + "tag" : "beaca0b47027196176186d944019c1c8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 116, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "7fffffff7fffffff7fffffff7fffffff", + "msg" : 
"1a49c40f0b48d7c6ed1db4e5bf20f2ddcaaa241d5ab26b5b40e218b7ac3390f25f3ebd01f6704419172bcdbcebbcb3e4674a71520ef512634e24e0d5f5e0e44d3bfa3e7cd06b11e5a9cf326c6ea759de42b737008ef2f5e0e1089fe7f19a77fdd52aa1bede266f96de724aa3295083efd90de133f506483175815f490bd916da", + "ct" : "7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff", + "tag" : "d4811028a577d4dd69d6b35d717f73e3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 117, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "00000000ffffffff00000000ffffffff", + "msg" : "65b63bf08b48d7c692e24b1a3f20f2ddb555dbe2dab26b5b3f1de7482c3390f2", + "ct" : "00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff", + "tag" : "10fb61272b555bee104f5a71818716d6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 118, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "00000000ffffffff00000000ffffffff", + "msg" : "65b63bf08b48d7c692e24b1a3f20f2ddb555dbe2dab26b5b3f1de7482c3390f220c142fe7670441968d432436bbcb3e418b58ead8ef5126331db1f2a75e0e44d", + "ct" : "00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff", + "tag" : "4756764e59583504182877d8c33120f0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 119, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "00000000ffffffff00000000ffffffff", + "msg" : 
"65b63bf08b48d7c692e24b1a3f20f2ddb555dbe2dab26b5b3f1de7482c3390f220c142fe7670441968d432436bbcb3e418b58ead8ef5126331db1f2a75e0e44d4405c183506b11e5d630cd93eea759de3d48c8ff0ef2f5e09ef76018719a77fdaad55e415e266f96a18db55ca95083efa6f21ecc750648310a7ea0b68bd916da", + "ct" : "00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff", + "tag" : "95a2b12a4a280089d4bd4f904253e754", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 120, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "ffffffff00000000ffffffff00000000", + "msg" : "9a49c40f74b728396d1db4e5c0df0d224aaa241d254d94a4c0e218b7d3cc6f0d", + "ct" : "ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000", + "tag" : "60dcd45974bebe032eb7b86c9d063452", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 121, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "ffffffff00000000ffffffff00000000", + "msg" : "9a49c40f74b728396d1db4e5c0df0d224aaa241d254d94a4c0e218b7d3cc6f0ddf3ebd01898fbbe6972bcdbc94434c1be74a7152710aed9cce24e0d58a1f1bb2", + "ct" : "ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000", + "tag" : "f0e6a3c1f28ad92d0dbc900be291d877", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 122, + "comment" : "", + "key" : "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f", + "iv" : "000102030405060708090a0b", + "aad" : "ffffffff00000000ffffffff00000000", + "msg" : 
"9a49c40f74b728396d1db4e5c0df0d224aaa241d254d94a4c0e218b7d3cc6f0ddf3ebd01898fbbe6972bcdbc94434c1be74a7152710aed9cce24e0d58a1f1bb2bbfa3e7caf94ee1a29cf326c1158a621c2b73700f10d0a1f61089fe78e658802552aa1bea1d990695e724aa356af7c10590de1338af9b7cef5815f497426e925", + "ct" : "ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000", + "tag" : "57eff4a525eeff2ebd7a28eb894282be", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 123, + "comment" : "Flipped bit 0 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f5409bb729039d0814ac514054323f44", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 124, + "comment" : "Flipped bit 1 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f6409bb729039d0814ac514054323f44", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 125, + "comment" : "Flipped bit 7 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "74409bb729039d0814ac514054323f44", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 126, + "comment" : "Flipped bit 8 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4419bb729039d0814ac514054323f44", + 
"result" : "invalid", + "flags" : [] + }, + { + "tcId" : 127, + "comment" : "Flipped bit 31 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409b3729039d0814ac514054323f44", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 128, + "comment" : "Flipped bit 32 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409bb728039d0814ac514054323f44", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 129, + "comment" : "Flipped bit 33 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409bb72b039d0814ac514054323f44", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 130, + "comment" : "Flipped bit 63 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409bb729039d8814ac514054323f44", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 131, + "comment" : "Flipped bit 64 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409bb729039d0815ac514054323f44", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 132, + "comment" : "Flipped bit 77 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : 
"202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409bb729039d08148c514054323f44", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 133, + "comment" : "Flipped bit 80 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409bb729039d0814ac504054323f44", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 134, + "comment" : "Flipped bit 96 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409bb729039d0814ac514055323f44", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 135, + "comment" : "Flipped bit 97 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409bb729039d0814ac514056323f44", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 136, + "comment" : "Flipped bit 120 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409bb729039d0814ac514054323f45", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 137, + "comment" : "Flipped bit 121 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409bb729039d0814ac514054323f46", + "result" : 
"invalid", + "flags" : [] + }, + { + "tcId" : 138, + "comment" : "Flipped bit 126 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409bb729039d0814ac514054323f04", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 139, + "comment" : "Flipped bit 127 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409bb729039d0814ac514054323fc4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 140, + "comment" : "Flipped bit 63 and 127 in tag expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "f4409bb729039d8814ac514054323fc4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 141, + "comment" : "Tag changed to all zero expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "00000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 142, + "comment" : "tag change to all 1 expected tag:f4409bb729039d0814ac514054323f44", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "", + "ct" : "", + "tag" : "ffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 143, + "comment" : "Flipped bit 0 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : 
"202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "28914007a6119dd3f109bba21ce9a7d6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 144, + "comment" : "Flipped bit 1 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "2b914007a6119dd3f109bba21ce9a7d6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 145, + "comment" : "Flipped bit 7 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "a9914007a6119dd3f109bba21ce9a7d6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 146, + "comment" : "Flipped bit 8 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29904007a6119dd3f109bba21ce9a7d6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 147, + "comment" : "Flipped bit 31 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914087a6119dd3f109bba21ce9a7d6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" 
: 148, + "comment" : "Flipped bit 32 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914007a7119dd3f109bba21ce9a7d6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 149, + "comment" : "Flipped bit 33 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914007a4119dd3f109bba21ce9a7d6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 150, + "comment" : "Flipped bit 63 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914007a6119d53f109bba21ce9a7d6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 151, + "comment" : "Flipped bit 64 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914007a6119dd3f009bba21ce9a7d6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 152, + "comment" : "Flipped bit 77 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : 
"d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914007a6119dd3f129bba21ce9a7d6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 153, + "comment" : "Flipped bit 80 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914007a6119dd3f109baa21ce9a7d6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 154, + "comment" : "Flipped bit 96 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914007a6119dd3f109bba21de9a7d6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 155, + "comment" : "Flipped bit 97 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914007a6119dd3f109bba21ee9a7d6", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 156, + "comment" : "Flipped bit 120 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914007a6119dd3f109bba21ce9a7d7", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 157, + "comment" : "Flipped bit 121 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + 
"iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914007a6119dd3f109bba21ce9a7d4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 158, + "comment" : "Flipped bit 126 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914007a6119dd3f109bba21ce9a796", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 159, + "comment" : "Flipped bit 127 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914007a6119dd3f109bba21ce9a756", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 160, + "comment" : "Flipped bit 63 and 127 in tag expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "29914007a6119d53f109bba21ce9a756", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 161, + "comment" : "Tag changed to all zero expected tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "00000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 162, + "comment" : "tag change to all 1 expected 
tag:29914007a6119dd3f109bba21ce9a7d6", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995a", + "tag" : "ffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 163, + "comment" : "Flipped bit 0 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "67405a16e8b44eba92aa47f5cea52b7a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 164, + "comment" : "Flipped bit 1 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "64405a16e8b44eba92aa47f5cea52b7a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 165, + "comment" : "Flipped bit 7 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "e6405a16e8b44eba92aa47f5cea52b7a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 166, + "comment" : "Flipped bit 8 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : 
"202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66415a16e8b44eba92aa47f5cea52b7a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 167, + "comment" : "Flipped bit 31 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a96e8b44eba92aa47f5cea52b7a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 168, + "comment" : "Flipped bit 32 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a16e9b44eba92aa47f5cea52b7a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 169, + "comment" : "Flipped bit 33 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a16eab44eba92aa47f5cea52b7a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 170, + "comment" : "Flipped bit 63 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : 
"202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a16e8b44e3a92aa47f5cea52b7a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 171, + "comment" : "Flipped bit 64 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a16e8b44eba93aa47f5cea52b7a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 172, + "comment" : "Flipped bit 77 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a16e8b44eba928a47f5cea52b7a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 173, + "comment" : "Flipped bit 80 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a16e8b44eba92aa46f5cea52b7a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 174, + "comment" : "Flipped bit 96 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : 
"202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a16e8b44eba92aa47f5cfa52b7a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 175, + "comment" : "Flipped bit 97 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a16e8b44eba92aa47f5cca52b7a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 176, + "comment" : "Flipped bit 120 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a16e8b44eba92aa47f5cea52b7b", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 177, + "comment" : "Flipped bit 121 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a16e8b44eba92aa47f5cea52b78", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 178, + "comment" : "Flipped bit 126 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : 
"202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a16e8b44eba92aa47f5cea52b3a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 179, + "comment" : "Flipped bit 127 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a16e8b44eba92aa47f5cea52bfa", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 180, + "comment" : "Flipped bit 63 and 127 in tag expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "66405a16e8b44e3a92aa47f5cea52bfa", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 181, + "comment" : "Tag changed to all zero expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "00000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 182, + "comment" : "tag change to all 1 expected tag:66405a16e8b44eba92aa47f5cea52b7a", + "key" : 
"202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b", + "aad" : "000102", + "msg" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20", + "ct" : "d03bcb3ca52d48d1d203b1e7b1a5995af1a0466a61bb386a2e12d189a2c4ea15e9", + "tag" : "ffffffffffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 183, + "comment" : "edge case for poly1305 key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "dc8ce708bf26aab862d97e1b42f31ef38c382cf07174142ea564920612997b1c2e38aca2438b588d5459493e97e7fa330ff9bc3b9458297ba0967d86ed090b435103478f2869b93ee29c837e95fb6b9903f3b735b7345428eb93b3db1d9b5187cebb889aa177d83e4f63fc9a5c0596eed939883d06aacdfdea44fdecdf5cb7fc", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "c296436246c3a7c4b3ba09ab2a6a0889", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 184, + "comment" : "edge case for poly1305 key:278de313ffffffdfffe9acbf3ea59357c4e16a5bc120d346af4a8cf694a84374", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "0001020304050607051e9373", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : 
"931227274a89d0b3aade7fac62c96262c1e77b8dafd248f10ad37c6ccb69cb7131b041593c8bb8c3db38f39dd8a124c424fce4389dede1d3cb9d46cf95970aea9856b6e313d756197baf4fcb58df275bca8a2188f9e8a1ad04354ede542ddc30e8b735b2f5905f5811799282be94ae842ec126c55d2e667235e9acf1d48798f0", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "99a3b0fff6fdcbcce9dc5820f2a64861", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 185, + "comment" : "edge case for poly1305 key:0050799fe9e74fcffcffffcfd21aa8b5cb5aa2c6ab347b6886eedaca4bfff3c0", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "0001020304050607048c3c5f", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "0df91f31230e8941e700a752fef08c897c511ed618fdf8a378a1f439013b40a48d4634c27d9ada7c0bb6f3fa92e341425903d7ecd0c49bee4c77e84b11f1c721922308642885b813fae364da32eaf120d6a43a74fb1632443667bfea6eef1be73eb1c3c0b5a57cee8dc4feed4a1fb9ae02f7b1695588c3c878451cb6ee0cb3dc", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "eaff8f47ef9268fd0d94e8a9c4b78d24", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 186, + "comment" : "edge case for poly1305 key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : 
"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "1fde9b9ec8b247d42bbee2016d6715ba428a85431430eada56a2c5dc944b6aa6cef0b056a2eecc51d30838e640615e1458e0943e30f91ba41b4362fa9ed6037b21d14da7b4f76f9f68fa8903138d563ce2590af1201c7cfec2290cfce98a822ebb8d1ed9dc4e20d241755aff91cdfd10fdb69efa0d5c8082692601cbfbb955c7", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "86ed21fda080a7d13981078d86b3e3cd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 187, + "comment" : "edge case for poly1305 key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "66115e67ecd3d4178c4c60e713ab4e5e66f8d1f971da17437a2b5e04fbca1671e847139a5f4e3f8e92d7a3b71eb4ff0e50354c0c1580af3662d5f8151e3f7e8264a0085c32ddfcbeb01a8be4c34d53319800ac4ef9d4e4014524bc7cd3387242e774f4d1a7a0521e42ec44844d0bd8b9d73fec959212fd7e8eacf4d984996d9b", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "34f9e0faa515eee0e784e6ef2678befa", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 188, + "comment" : "edge case for poly1305 key:0000003059ffce96438a246ff9536787d92bc40eafa0241a2972780ef6ca1ef8", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : 
"000102030405060726c6961b", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "e97244259af5a379238da0cad2a5f493655ec0e5024fd553bbb3deb66a94036d106c3d513407b2dd1cc5936c4c9c1e4f4b37b54dec261c601dc99e90680e23e2dc5c9a8d503d8bea49a8cdca3706bfd2a3daa0afb19a70fd3d355fc37c13f3f9e5c8d0864a5f80a780b36d4698ec2ce9ccc27b97ecbe672e41628ebd773acb81", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "3c94b9fe60bdb35c6b7b73b765083492", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 189, + "comment" : "edge case for poly1305 key:3fa0ea9c030000a036217d42e775ad189b96e24ee591952e2922ff151334b9ec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "0001020304050607013da060", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "9453aa159c3d87f17e21e88adabc37e553b904d00eefc66b8e0905e23576fbdc9c7bea9777f3b8368481932534b3344d309e6307cddfe7b3549300dd9cda7efe9d43c8a115912a392904079ee92bcd33099f7022ea94c1e7353b89bfc54de3ceb56f529a1a608bb5a970e1359609d1f56806b37f8605f4c27451da6066fc557a", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "2b11cf9f8db8490d409fc62afd7379f3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 190, + "comment" : "edge case for poly1305 key:a556cb502baf395b020000f03c5108fb1cf76df1b8a8f724e877bd3c588d3285", + "key" : 
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060707db33de", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "2e1836640d810c2709fb83ccf1aef3a971085d1bbfb58a425abf75ccec70b3abde0e80539e83a82546e7372a19481547053308dd7842675e9c4f61302426da0d71c1da3102031030ed928152be009b15b52f71b5911991d39f68a8658d99729df2bbef31c8989f9604558df9f2aba4b3766c58aaef3548de545ec1f080225a88", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "c9c8366920f88381407712cec61e6607", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 191, + "comment" : "edge case for poly1305 key:0c327fbcc564555545d4fe75020000d0a65799f363ec51b1c5c427b4a04af190", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060702a11942", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "0ecb4d85c956b5268c9b35a8c63b4e9d3e5cb72b64ef98773841b947bd7d59ef7d0eb0e1c050d49a5424ce7deb527d76087e4746674c958965df32d9e5fb03b46501706128d481217aaeae2f78f9259273358a2954cac0bc2fbfe77447d1d387b9314c6541b69f1270b3438b1042b2b4663e62ba4d49c07ac6f163034afa80af", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "2373cfa2ab24446ad5a236167b8027fe", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 192, + "comment" : "edge case for poly1305 
key:415f08302f210340240d0e903e2b01205ba43e106aebd7e2481016b31118b1ae", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506073c0df637", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "2e8e45e903bfab32f2f0d49d9a3e449bef6f4093e2722cdab2cf935c1822b830fb5a4056516d560dfc8638c9a57d2927200a56f0b67153271d498e8f08dc888c61ef634f7ae40f4608f96f92fea5a1e5bd45131120098dc5de0378e58f2ddb46fa4aa5adb38fe006bb19b69146382f77a79e06214def547cfb5ce37a7008b9b6", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "5f93946478d8081e7247f414ad39a515", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 193, + "comment" : "edge case for poly1305 key:feffff1ff6b87403fd6435b09775bc92491a0ae62c5842a30e3b82710cc2dad1", + "key" : "9de836aa579585081f330a7c4036e20e38ef15eff3945184d231867f505fffdf", + "iv" : "00000000101112130bc672c3", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "3619cb470af86dceceb6940f2d9abb34c9a9131476053387445ffebbe240d4f9818377855652f46a8219c7f71c3554f8acef8258de4b7d17c0f3d353ac981cc6a13287be1e6b41dc6d133df4ababebdf43d665ce7a4a5c982a0b139cb8202eebc74173e3224a440e4c37d2b595f384290e939ba016df0d49b36cdb4bd91c39", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "133fe62391744d11ce44594b96c53baf", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 194, + "comment" : 
"edge case for poly1305 key:bf358f18ffffffbf4b62ed6e1f53790785c4dabdfc72e2a219d377a682c85f38", + "key" : "9de836aa579585081f330a7c4036e20e38ef15eff3945184d231867f505fffdf", + "iv" : "000000001011121303e9b9a4", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "af205bda819f7451be0f28667d4b01b59ff2daa8173cab52046c3c9e0d989889c5e021ef7afd06e9ce6cc30e3a6ebab509134ba10d10e570c55587c13eee53e73be54804c8539ffbf23b35922b1ca37b9e9bc24ee204837ca5a294ce05d12600c7eff6aee32270db2feff47dc5a04176169e15850628e6035f78994f9f5603", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "e3451adb9d23a7710a1aafba26f56387", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 195, + "comment" : "edge case for poly1305 key:d0b7b3a352a4010ffeffffbfe8cc66dc6e5e7451dc61762c5753174fed88e746", + "key" : "9de836aa579585081f330a7c4036e20e38ef15eff3945184d231867f505fffdf", + "iv" : "00000000101112130700b982", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "68c67272036fb652a0182eeb4781358e4704a4a702fd731bf3b3ea994717989e7d9104e0ae81732a8c7e9a82b3d31d541761a366b67c3396f1a6c67e293ddb65a59e42541dda144dc6c78388cfca982e23350958ac5b3d54a1722fd64733577862e1879c9e9445ebdec5315d1706db7ebbedd4c779935e72057e5b0ecde081", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "b0bb8a55ff5f52a5043c6e7795847557", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 
196, + "comment" : "edge case for poly1305 key:7bee33931a4157a8cb701becfeffff4fbe7e69f19cd065313bb49a252628dd3d", + "key" : "9de836aa579585081f330a7c4036e20e38ef15eff3945184d231867f505fffdf", + "iv" : "0000000010111213019836bb", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "c483b7334ebe2e879b0c3f9db4fcd9f5219062360d6ce44cdae0f94e04c8345ea7e3ae33855118741dcafe0de4ae98c4e43af7b12b04ee8ab175625823ac040e5abac4403f1d45238adcb8c0cf44bd56917f9f5d93974c82b56951986a9c0450bd9047b5a616e814526ad0580e3ecd8189c9fef2cdb979a22ad3a01930fbd1", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "f4fc25f4c5543a9afee9819e2904fb68", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 197, + "comment" : "edge case for poly1305 key:7cb5fbdffb40ff5f3c7de74f655ffc1fac03013a7fe468440b861ebe0ab1650a", + "key" : "9de836aa579585081f330a7c4036e20e38ef15eff3945184d231867f505fffdf", + "iv" : "00000000101112131d59f288", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "bc7f4f15fd1e4c1399740836670abe39a05707be19956ce169b32321759e0f213ae19ad34aa612b3a29f02c4bbac9f785a55a3adfe419ab891bbe0acee9921322ea21002c9dd3dcdd13a7f8554dddc10f9b529ce94be7050937dab76557b7eb17c685aad8f0797e39d62553988989aab1d9764fe431cc1d4c595062ce93ce9", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "5e67a7b8733e0e4b01ac2178a205ae7e", + "result" : "valid", + "flags" : [] + 
}, + { + "tcId" : 198, + "comment" : "edge case for poly1305 key:00000090e6e328c242cde5c83e3d8262d467f2bcd53d3755c781f3c6a2cb0648", + "key" : "9de836aa579585081f330a7c4036e20e38ef15eff3945184d231867f505fffdf", + "iv" : "00000000101112130552a411", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "eaccaa778935ef249e0900149dd889462d2a061486ba102b8caebe465f3959fb3119ebb5689676ffdd6d851a26739e772b54a2f5f473ea9c7e58ccbc4cfc953e8c420b2175d9dd519265630bb79bd87a601b113231a8b16ce54c331347ec04c2b1c9160f38207aa46e96feb06dee883eb422fa14908df300bb1a1ef758c408", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "177a77fce114a4349c4f8d5ec825d06f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 199, + "comment" : "edge case for poly1305 key:9e98d64e000000505a07183c5c68c63c14c9266dd37ff86aafc22ddbdb355617", + "key" : "9de836aa579585081f330a7c4036e20e38ef15eff3945184d231867f505fffdf", + "iv" : "00000000101112130c807a72", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "a76c330e015060a17e64cb7b6d753f201f75be8759fd7539fb92b22aef54c9d3029dba0c15cbf7c95135888319c6b2e6276da21e0c351fd522b29aabb5883a3291d6f427de773b124390ef6fd96621ffbc42dfbf7a34da272cbc9ccb1a498d078033d1ac3bf7e92715948b06d69d5c5039e9164ba9c3a02219ec5908206b3b", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "623c7d4424f5497aedfd1339cf8cecce", + "result" : 
"valid", + "flags" : [] + }, + { + "tcId" : 200, + "comment" : "edge case for poly1305 key:1048a92e65f5e63102000080d9ae08de4319a7c45fdbe707b9ec1b7e0d635161", + "key" : "9de836aa579585081f330a7c4036e20e38ef15eff3945184d231867f505fffdf", + "iv" : "00000000101112130397a143", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "228a7e15bcce13051de9145f77f7f4ff7921828b4f99efc4ff55ee0d9344955b69ec2d4798b0517f0273c4456ae5ffc5929cbe74ddb0da51d4f2b4df7578a31240c88ae922c3c5eca7b97d72d497062050a587447c562b343d5c71921944872f9fd06b8f34b3eb5d4341f5ff8a907dd7c2e1676b81252726ba54814da51eab", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "1c18b69354b189731a1a83fe8f0d57c9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 201, + "comment" : "edge case for poly1305 key:01517a2ceb89bbfb5741f7d9000000401a65b132ad661072a00ffe7defbb18a5", + "key" : "9de836aa579585081f330a7c4036e20e38ef15eff3945184d231867f505fffdf", + "iv" : "000000001011121308cb0f3f", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "c7d843188ab193dfef5c4daf583f952cd4b195f240fa2e704d021723023c123371a41e87dfc6e6c3874a42f331cf035988a38c72ba2da854b1208f98bf8cc29948169481ab3a402d5fcc7ff78f9e31925576dc3938074b8c5b27960e3afc750ad686563688b7441787288d5256c1301d563b7744843bd1ab4eff5be6f1653d", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : 
"2045815b8211b9a2995effe0b8ed9868", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 202, + "comment" : "edge case for poly1305 key:bc90156087e0125006d90c30babd0590427bff19de1f2e7d0757a79528731138", + "key" : "9de836aa579585081f330a7c4036e20e38ef15eff3945184d231867f505fffdf", + "iv" : "00000000101112130d8fcf4e", + "aad" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "msg" : "cfc3db8631c81c69023a3c8a9ad66c35053685144c4fa2a9510add72e211dad9ca5b982e4c194591fdb74116280311d1299ad81227258cb52f079bbcb12aff161d278dec33a326d71276b3de01a8327ee7f45f94179dff18a3fe643e56c30cfd03871c8110ab00f6612b9e17a4647360d7847bb63a3122613c2e7cdddd08ae", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "1ae2ed84ea9774d78d782bf8d972a8b8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 203, + "comment" : "edge case for tag", + "key" : "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f", + "iv" : "000102030405060708090a0b", + "aad" : "ffffffffffffffffffffffffffffffff415771fda4fbcc55c377f73203e60226", + "msg" : "e48caf8a76183327c9561a4651c07c822ccd1642c06607d0d4bc0afb4de15915dbfa3b0b422e77e15c64bf6247031f15fdb643117809821870000adf83834da5", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "000102030405060708090a0b0c0d0e0f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 204, + "comment" : "edge case for tag", + "key" : "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f", + "iv" : "000102030405060708090a0b", + "aad" : "f1ffffffffffffffffffffffffffffff615af39eddb5fcd2519190d5507d3b06", + "msg" : 
"e48caf8a76183327c9561a4651c07c822ccd1642c06607d0d4bc0afb4de15915dbfa3b0b422e77e15c64bf6247031f15fdb643117809821870000adf83834da5", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "00000000000000000000000000000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 205, + "comment" : "edge case for tag", + "key" : "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f", + "iv" : "000102030405060708090a0b", + "aad" : "b5ffffffffffffffffffffffffffffff764e5d82ce7da0d44148484fd96a6107", + "msg" : "e48caf8a76183327c9561a4651c07c822ccd1642c06607d0d4bc0afb4de15915dbfa3b0b422e77e15c64bf6247031f15fdb643117809821870000adf83834da5", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "ffffffffffffffffffffffffffffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 206, + "comment" : "edge case for tag", + "key" : "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f", + "iv" : "000102030405060708090a0b", + "aad" : "fdffffffffffffffffffffffffffffff2bdbf16d8ea4d39dab8dcb3d4bc4e104", + "msg" : "e48caf8a76183327c9561a4651c07c822ccd1642c06607d0d4bc0afb4de15915dbfa3b0b422e77e15c64bf6247031f15fdb643117809821870000adf83834da5", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "00000080000000800000008000000080", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 207, + "comment" : "edge case for tag", + "key" : "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f", + "iv" : "000102030405060708090a0b", + "aad" : "a9ffffffffffffffffffffffffffffffaccd5eb31d8fc909e84b0de7de23bb08", + "msg" : "e48caf8a76183327c9561a4651c07c822ccd1642c06607d0d4bc0afb4de15915dbfa3b0b422e77e15c64bf6247031f15fdb643117809821870000adf83834da5", + "ct" : 
"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "ffffff7fffffff7fffffff7fffffff7f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 208, + "comment" : "edge case for tag", + "key" : "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f", + "iv" : "000102030405060708090a0b", + "aad" : "d2ffffffffffffffffffffffffffffffdd4b933e7b1a7ed93cc7c050db71dc03", + "msg" : "e48caf8a76183327c9561a4651c07c822ccd1642c06607d0d4bc0afb4de15915dbfa3b0b422e77e15c64bf6247031f15fdb643117809821870000adf83834da5", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "01000000010000000100000001000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 209, + "comment" : "edge case for tag", + "key" : "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f", + "iv" : "000102030405060708090a0b", + "aad" : "ffffffffffffffffffffffffffffffffa08164425d7642e9e90fc8d5c32d2cf6", + "msg" : "e48caf8a76183327c9561a4651c07c822ccd1642c06607d0d4bc0afb4de15915dbfa3b0b422e77e15c64bf6247031f15fdb643117809821870000adf83834da5", + "ct" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "tag" : "ffffffff000000000000000000000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 210, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "c68ce708bf26aab862d97e1b42f31ef37bb66f8090c149e452ec7f20327eb2ea2e38aca2438b588d5459493e97e7fa330ff9bc23c897df6b00af86931d6c81555103478f2869b93ee29c837e95fb6b9903f3b72debfba2384baa48ceedfedb91", + "ct" : "e5ffffffffffffffffffffffffffffff0871bc8f1e4aa235087712d9df183609ffffffffffffffffffffffffffffffffffffffe7a33009ef5fc604ea0f9a75e9ffffffffffffffffffffffffffffffffffffffe7a33009ef5fc604ea0f9a75e9", + "tag" : "3572162777262c518eef573b720e8e64", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 211, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "c78ce708bf26aab862d97e1b42f31ef376209eef141691fba5d10eaf581affe62e38aca2438b588d5459493e97e7fa330e73d2dc3bbd954989cb8433b7d6597b5103478f2869b93ee29c837e95fb6b990279d9d218d1e81ac2ce4a6e474403bf", + "ct" : "e4ffffffffffffffffffffffffffffff05e74de09a9d7a2aff4a6356b57c7b05fffffffffffffffffffffffffffffffffe759118501a43cdd6a2064aa520adc7fffffffffffffffffffffffffffffffffe759118501a43cdd6a2064aa520adc7", + "tag" : "347216375f5b7b5c4e6bff4912fd9473", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 212, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "fc8ce708bf26aab862d97e1b42f31ef38b79403dfaabc0d8c18d23a3469c13e62e38aca2438b588d5459493e97e7fa330a4b941e6b66fcc2ed7d8cb3e8cc7ffc5103478f2869b93ee29c837e95fb6b9906419f10480a8191a67842ee185e2538", + "ct" : "dffffffffffffffffffffffffffffffff8be933274202b099b164e5aabfa9705fffffffffffffffffffffffffffffffffa4dd7da00c12a46b2140ecafa3a8b40fffffffffffffffffffffffffffffffffa4dd7da00c12a46b2140ecafa3a8b40", + "tag" : "30721677ff2eb8894e5a9d8492b7b0af", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 213, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "fa8ce708bf26aab862d97e1b42f31ef39bcbb8da477d580d772de4229bba7de22938aca2438b588d5459493e97e7fa331e9dedf9dd64a0681bac2969549425bc5603478f2869b93ee29c837e95fb6b991297e6f7fe08dd3b50a9e734a4067f78", + "ct" : "d9ffffffffffffffffffffffffffffffe80c6bd5c9f6b3dc2db689db76dcf901f8ffffffffffffffffffffffffffffffee9bae3db6c376ec44c5ab104662d100f8ffffffffffffffffffffffffffffffee9bae3db6c376ec44c5ab104662d100", + "tag" : "2b7216c7873744c20ec5e2cdb260d3fa", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 214, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "ee8ce708bf26aab862d97e1b42f31ef3b9f55bd56e0fd74b46063a96354cfbee3238aca2438b588d5459493e97e7fa3320c78886a6f6292d6cc5fbddb546a2b04d03478f2869b93ee29c837e95fb6b992ccd8388859a547e27c0358045d4f874", + "ct" : "cdffffffffffffffffffffffffffffffca3288dae0843c9a1c9d576fd82a7f0de3ffffffffffffffffffffffffffffffd0c1cb42cd51ffa933ac79a4a7b0560ce3ffffffffffffffffffffffffffffffd0c1cb42cd51ffa933ac79a4a7b0560c", + "tag" : "22721657b0130d28cf1ec65153c41182", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 215, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "ef8ce708bf26aab862d97e1b42f31ef3b46fca24d353ff5e49eac51540e840ea3038aca2438b588d5459493e97e7fa333d311e572202011a75e948586fe268b44f03478f2869b93ee29c837e95fb6b99313b1559016e7c493eec86059f703270", + "ct" : "ccffffffffffffffffffffffffffffffc7a8192b5dd8148f1371a8ecad8ec409e1ffffffffffffffffffffffffffffffcd375d9349a5d79e2a80ca217d149c08e1ffffffffffffffffffffffffffffffcd375d9349a5d79e2a80ca217d149c08", + "tag" : "2172166798485c338f9a6d60f3b21891", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 216, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "f59d56151de28bef83505f6d89c0b0f7f75b2fa8e6dce386075db283ec85ee62555baffad423af25f66069bb69fb6f4d", + "ct" : "d6ee4ee25d3bdea81e76de8934cc51fb849cfca7685708575dc6df7a01e36a81849cfca7685708575dc6df7a01e36a81", + "tag" : "831312cbb0f165dc3e8ff52125f48640", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 217, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "f717f8d5b28032d5c8e8061cd44d71e4f2d55de772fe7a91ce85e410db3e2d8d50d5ddb5400136323fb83f285e40aca2", + "ct" : "d464e022f259679255ce87f8694190e881128ee8fc759140941e89e93658a96e81128ee8fc759140941e89e93658a96e", + "tag" : "821312db9826b5e7fe0a9d30c5e28d4f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 218, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "f28ce708bf26aab862d97e1b42f31ef3e68a922c9219d30f07554d7d99f2bde92c38aca2438b588d5459493e97e7fa33e24c07dd98f9b253ab0c318d9b14f6b15303478f2869b93ee29c837e95fb6b99ee460cd3bb95cf00e009ffd06b86ac75", + "ct" : "d1ffffffffffffffffffffffffffffff954d41231c9238de5dce20847494390afdffffffffffffffffffffffffffffff124a4419f35e64d7f465b3f489e2020dfdffffffffffffffffffffffffffffff124a4419f35e64d7f465b3f489e2020d", + "tag" : "c1045769d487d545cef3f0d34b7a8733", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 219, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "dc8ce708bf26aab862d97e1b42f31ef32e6784d857df07543d0dc72f179935fbede8c8baf01ee2044b162cbb343b355acc29d82327cd93f2bfd918034ed5c42a", + "ct" : "ffffffffffffffffffffffffffffffff5da057d7d954ec856796aad6faffb1183c2f9be74c6a4576e0b09a7a5c2330963c2f9be74c6a4576e0b09a7a5c233096", + "tag" : "64e7efd24516a83e2c87e06a76e2dea3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 220, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "f78ce708bf26aab862d97e1b42f31ef34c6ead26f84a0225d557745d32fc72e72c38aca2438b588d5459493e97e7fa3364db334b69bee579383e61ae742c71bb5303478f2869b93ee29c837e95fb6b9968d138454ad2982a733baff384be2b7f", + "ct" : "d4ffffffffffffffffffffffffffffff3fa97e2976c1e9f48fcc19a4df9af604fdffffffffffffffffffffffffffffff94dd708f021933fd6757e3d766da8507fdffffffffffffffffffffffffffffff94dd708f021933fd6757e3d766da8507", + "tag" : "e6cc6729d79ba558cd73b03cba54d660", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 221, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "f08ce708bf26aab862d97e1b42f31ef34fd8c3757c9f2938dc3b07d85898bfe22a38aca2438b588d5459493e97e7fa336155412415cbdd760142b62c2ec83fbf5503478f2869b93ee29c837e95fb6b996d5f4a2a36a7a0254a477871de5a657b", + "ct" : "d3ffffffffffffffffffffffffffffff3c1f107af214c2e986a06a21b5fe3b01fbffffffffffffffffffffffffffffff915302e07e6c0bf25e2b34553c3ecb03fbffffffffffffffffffffffffffffff915302e07e6c0bf25e2b34553c3ecb03", + "tag" : "e5cc6739bfd0f4638def574b5a43dd6f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 222, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "f28ce708bf26aab862d97e1b42f31ef3df03ca84082f7f70ad8e4004cabd2ce42b38aca2438b588d5459493e97e7fa3328fd413caab1d02bf1c65753aa2ad3b95403478f2869b93ee29c837e95fb6b9924f74a3289ddad78bac3990e5ab8897d", + "ct" : "d1ffffffffffffffffffffffffffffffacc4198b86a494a1f7152dfd27dba807faffffffffffffffffffffffffffffffd8fb02f8c11606afaeafd52ab8dc2705faffffffffffffffffffffffffffffffd8fb02f8c11606afaeafd52ab8dc2705", + "tag" : "0fca702228817d53ee64d142b192e665", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 223, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "f38ce708bf26aab862d97e1b42f31ef31ffc31ae69399394b8c338674c3dfde92938aca2438b588d5459493e97e7fa33477ec8cf3ea3d4d5d76d85ad2b7f0bb85603478f2869b93ee29c837e95fb6b994b74c3c11dcfa9869c684bf0dbed517c", + "ct" : "d0ffffffffffffffffffffffffffffff6c3be2a1e7b27845e258559ea15b790af8ffffffffffffffffffffffffffffffb7788b0b55040251880407d43989ff04f8ffffffffffffffffffffffffffffffb7788b0b55040251880407d43989ff04", + "tag" : "efc3b035ded6b460bfce6f494955e677", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 224, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "2bfd0d56ece98771756d60d9d9106cd0c6fc106936c7ef347c078fd71c54228164fc903b0438a3978d3a54ef992aa3ae", + "ct" : "088e15a1ac30d236e84be13d641c8ddcb53bc366b84c04e5269ce22ef132a662b53bc366b84c04e5269ce22ef132a662", + "tag" : "345fc9fe573c136c1be83730500ce662", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 225, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "f68ce708bf26aab862d97e1b42f31ef37cc2255decdf8e0fe1373591da0e28e42838aca2438b588d5459493e97e7fa33e291fb4838019c51dfb7141515bb53b15703478f2869b93ee29c837e95fb6b99ee9bf0461b6de10294b2da48e5290975", + "ct" : "d5ffffffffffffffffffffffffffffff0f05f652625465debbac58683768ac07f9ffffffffffffffffffffffffffffff1297b88c53a64ad580de966c074da70df9ffffffffffffffffffffffffffffff1297b88c53a64ad580de966c074da70d", + "tag" : "336f97a5faa995a2a03781b591588da8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 226, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "c68ce708bf26aab862d97e1b42f31ef37ab66f8090c149e452ec7f20327eb2ea0438aca2438b588d5459493e97e7fa338d2613ea0ef8b656b247373ecec015bc7b03478f2869b93ee29c837e95fb6b99812c18e42d94cb05f942f9633e524f78", + "ct" : "e5ffffffffffffffffffffffffffffff0971bc8f1e4aa235087712d9df183609d5ffffffffffffffffffffffffffffff7d20502e655f60d2ed2eb547dc36e100d5ffffffffffffffffffffffffffffff7d20502e655f60d2ed2eb547dc36e100", + "tag" : "9351c680c8a5d34882d42145e89745c4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 227, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "c68ce708bf26aab862d97e1b42f31ef374b66f8090c149e452ec7f20327eb2ea2e38aca2438b588d5459493e97e7fa33acd9ec859e0866620cc24c8a97d5d9f55103478f2869b93ee29c837e95fb6b99a0d3e78bbd641b3147c782d767478331", + "ct" : "e5ffffffffffffffffffffffffffffff0771bc8f1e4aa235087712d9df183609ffffffffffffffffffffffffffffffff5cdfaf41f5afb0e653abcef385232d49ffffffffffffffffffffffffffffffff5cdfaf41f5afb0e653abcef385232d49", + "tag" : "d79266cd25a784599a0a8e31fc84d604", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 228, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "f78ce708bf26aab862d97e1b42f31ef34251cd29b0aaa960557c9ea2828334e4e4e231db0a27fac9ec9e744886eb0133c5232142ddf48b3f185140f0fc05f043", + "ct" : "d4ffffffffffffffffffffffffffffff31961e263e2142b10fe7f35b6fe5b00735256286b6535dbb4738c289eef304ff35256286b6535dbb4738c289eef304ff", + "tag" : "9d671d407d7660459d5d582d83915efe", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 229, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "f58ce708bf26aab862d97e1b42f31ef373bd9f01bf3331b12e31dd14cf11feee1d38aca2438b588d5459493e97e7fa33625c6965f61a1c36118c747076d5b7b76203478f2869b93ee29c837e95fb6b996e56626bd57661655a89ba2d8647ed73", + "ct" : "d6ffffffffffffffffffffffffffffff007a4c0e31b8da6074aab0ed22777a0dccffffffffffffffffffffffffffffff925a2aa19dbdcab24ee5f6096423430bccffffffffffffffffffffffffffffff925a2aa19dbdcab24ee5f6096423430b", + "tag" : "7b207c2c3278c64f0d6b913fe371fe63", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 230, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "dc8ce708bf26aab862d97e1b42f31ef3ec0933f0bfb91218cea0d74e061f559e2d38aca2438b588d5459493e97e7fa338d5b67e0acee534ce2d9791487b1ecb25203478f2869b93ee29c837e95fb6b9981516cee8f822e1fa9dcb7497723b676", + "ct" : "ffffffffffffffffffffffffffffffff9fcee0ff3132f9c9943bbab7eb79d17dfcffffffffffffffffffffffffffffff7d5d2424c74985c8bdb0fb6d9547180efcffffffffffffffffffffffffffffff7d5d2424c74985c8bdb0fb6d9547180e", + "tag" : "3672162bb1f3ff537ece013f1aca4f68", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 231, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "dc8ce708bf26aab862d97e1b42f31ef3ee83a14f48db696291080edfcc898b882b38aca2438b588d5459493e97e7fa338ad5f6b0283a8b39ebedce92785da9b65403478f2869b93ee29c837e95fb6b9986dffdbe0b56f66aa0e800cf88cff372", + "ct" : "ffffffffffffffffffffffffffffffff9d447240c65082b3cb93632621ef0f6bfaffffffffffffffffffffffffffffff7ad3b574439d5dbdb4844ceb6aab5d0afaffffffffffffffffffffffffffffff7ad3b574439d5dbdb4844ceb6aab5d0a", + "tag" : "3572163b99284f5f3e4aa94dbab85677", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 232, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "dc8ce708bf26aab862d97e1b42f31ef3e87dd08ed4e4e04c5877616cbb02cabb2938aca2438b588d5459493e97e7fa33874f0401d457e336f4311f1152f957ba5603478f2869b93ee29c837e95fb6b998b450f0ff73b9e65bf34d14ca26b0d7e", + "ct" : "ffffffffffffffffffffffffffffffff9bba03815a6f0b9d02ec0c9556644e58f8ffffffffffffffffffffffffffffff774947c5bff035b2ab589d68400fa306f8ffffffffffffffffffffffffffffff774947c5bff035b2ab589d68400fa306", + "tag" : "3472164b815d9e6afec5505c5aa75d86", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 233, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "c88ce708bf26aab862d97e1b42f31ef36be436e346f8f2b32f4cbbaef95150ef0438aca2438b588d5459493e97e7fa332fb76b5132e930f6d0acf70875e977b57b03478f2869b93ee29c837e95fb6b9923bd605f11854da59ba93955857b2d71", + "ct" : "ebffffffffffffffffffffffffffffff1823e5ecc873196275d7d6571437d40cd5ffffffffffffffffffffffffffffffdfb12895594ee6728fc57571671f8309d5ffffffffffffffffffffffffffffffdfb12895594ee6728fc57571671f8309", + "tag" : "3a7216d7ee1da018ce8412f251656b19", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 234, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "c58ce708bf26aab862d97e1b42f31ef3783cf9302c7d22914b38aca2e7d374ef1d38aca2438b588d5459493e97e7fa33228f2d23597640d574f8e20c4f6b6bb56203478f2869b93ee29c837e95fb6b992e85262d7a1a3d863ffd2c51bff93171", + "ct" : "e6ffffffffffffffffffffffffffffff0bfb2a3fa2f6c94011a3c15b0ab5f00cccffffffffffffffffffffffffffffffd2896ee732d196512b9160755d9d9f09ccffffffffffffffffffffffffffffffd2896ee732d196512b9160755d9d9f09", + "tag" : "367216178ff1dc45ce73b02cd21f8755", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 235, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "dc8ce708bf26aab862d97e1b42f31ef35db72f89d1402b1a0373ff0a9c5cd44b6d67af40798f5455501792953248ec234ca6bfd9ae5c25a3a4d8a62d48a61d53", + "ct" : "ffffffffffffffffffffffffffffffff2e70fc865fcbc0cb59e892f3713a50a8bca0fc1dc5fbf327fbb124545a50e9efbca0fc1dc5fbf327fbb124545a50e9ef", + "tag" : "0b4961c9525ea2f2cdad6273e1c7824c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 236, + "comment" : "edge case intermediate sums in poly1305. poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "dc8ce708bf26aab862d97e1b42f31ef35f215ec87d62a264cadb519b4ac90a7668d1dd03e56eda6399ac7803e7dd22114910cd9a32bdab956d634cbb9d33d361", + "ct" : "ffffffffffffffffffffffffffffffff2ce68dc7f3e949b590403c62a7af8e95b9168e5e591a7d11320acec28fc527ddb9168e5e591a7d11320acec28fc527dd", + "tag" : "0a4961d93a93f1fd8d290a8281b6895b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 237, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:ffffffefeb344f6bc37ba77ea2ee06dfe8c7f4ae10810422124fc5e1bd7fe301", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060710abb165", + "aad" : "ffffffff", + "msg" : "dc8ce708bf26aab862d97e1b42f31ef3d15ad590dd0f40ba18acd168f6ac777a0f38aca2438b588d5459493e97e7fa33932a097f1d39a04ad30f1b6c650260bf7003478f2869b93ee29c837e95fb6b999f2002713e55dd19980ad53195903a7b", + "ct" : "ffffffffffffffffffffffffffffffffa29d069f5384ab6b4237bc911bcaf399deffffffffffffffffffffffffffffff632c4abb769e76ce8c66991577f49403deffffffffffffffffffffffffffffff632c4abb769e76ce8c66991577f49403", + "tag" : "3572161355240943de9406292a64c551", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 238, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "40115e67ecd3d4178c4c60e713ab4e5e390ef93aeb61aa307f141323c38e0685fa47139a5f4e3f8e92d7a3b71eb4ff0e259445f4ffc31bce540190edd6ad207876a0085c32ddfcbeb01a8be4c34d5331eda1a5b6139750f973f0d4841baa2cb8", + "ct" : "d9ffffffffffffffffffffffffffffffa009d73c6544428cfac0b2d8c7bbef0bedffffffffffffffffffffffffffffff8a5ef60715bc4b07c92b9707376da105edffffffffffffffffffffffffffffff8a5ef60715bc4b07c92b9707376da105", + "tag" : "19532d9fa0b5fbd582aaeda830602f1d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 239, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "49115e67ecd3d4178c4c60e713ab4e5ee02b87aeae8c3da8895f8cb0f6b9cc80f447139a5f4e3f8e92d7a3b71eb4ff0ecc4b7b803a5f8f4647df169080fe567a78a0085c32ddfcbeb01a8be4c34d5331047e9bc2d60bc471602e52f94df95aba", + "ct" : "d0ffffffffffffffffffffffffffffff792ca9a820a9d5140c8b2d4bf28c250ee3ffffffffffffffffffffffffffffff6381c873d020df8fdaf5117a613ed707e3ffffffffffffffffffffffffffffff6381c873d020df8fdaf5117a613ed707", + "tag" : "adbd2cafc8c8f0e51250e7b81c9d0a2d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 240, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "43eadae036f733ea9b5b7eb22aee395db6f51a4d10bc2460810c229651556acf384ad82e3e280cad69f0df25b42b83b0", + "ct" : "da047b7825db1802e8e8e1aac6ba88fc2ff2344b9e99ccdc04d8836d556083412ff2344b9e99ccdc04d8836d55608341", + "tag" : "973e270a7afcab75348e14dbe19c5156", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 241, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "66115e67ecd3d4178c4c60e713ab4e5e891b797521ba925b24090aaf6c4482bae847139a5f4e3f8e92d7a3b71eb4ff0e6d50c32d05a946cb8cea57c9f1442cb164a0085c32ddfcbeb01a8be4c34d5331a565236fe9fd0dfcab1b13a03c432071", + "ct" : "ffffffffffffffffffffffffffffffff101c5773af9f7ae7a1ddab5468716b34ffffffffffffffffffffffffffffffffc29a70deefd6160211c050231084adccffffffffffffffffffffffffffffffffc29a70deefd6160211c050231084adcc", + "tag" : "e17c273f31758e752322ae4869c1bfbb", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 242, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "6a115e67ecd3d4178c4c60e713ab4e5e519cccebf72573dbee8c12f74255d18c0add1035861ffc0b7f40079b969f8c63b2af4fa3ccd16cb38f425c3996140def", + "ct" : "f3ffffffffffffffffffffffffffffffc89be2ed79009b676b58b30c466038021d65fc5026ae3c7a12685bd377d48c921d65fc5026ae3c7a12685bd377d48c92", + "tag" : "a22390224c5db0f01696743d870725c5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 243, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "e235b8c21384557085c3f2eb2a8fa36058cffd2af743dacf96b4ae4d51b4e488d6703f49d9d7f2027e4853feb4ca0df7", + "ct" : "7bdb195a00a87e98f6706df3c6db12c1c1c8d32c7966327313600fb655810d06c1c8d32c7966327313600fb655810d06", + "tag" : "437d1efad21b0865a541b5cab62e2a44", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 244, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "66115e67ecd3d4178c4c60e713ab4e5e8fab58574a322bac6f394474e4ce7eaec347139a5f4e3f8e92d7a3b71eb4ff0e71532dfb0e9141b00983394722829e7c4fa0085c32ddfcbeb01a8be4c34d5331b966cdb9e2c50a872e727d2eef8592bc", + "ct" : "ffffffffffffffffffffffffffffffff16ac7651c417c310eaede58fe0fb9720d4ffffffffffffffffffffffffffffffde999e08e4ee117994a93eadc3421f01d4ffffffffffffffffffffffffffffffde999e08e4ee117994a93eadc3421f01", + "tag" : "acf4ffa20c0d06d61a18e9a8d4c84d1d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 245, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "61115e67ecd3d4178c4c60e713ab4e5e5efe679ba17384c55eb8cc193666fe8d04608c3503d217aa3f90a9b0e1b3b313bc12d3a3491c8712cf92f212e138329f", + "ct" : "f8ffffffffffffffffffffffffffffffc7f9499d2f566c79db6c6de23253170313d86050a363d7db52b8f5f800f8b3e213d86050a363d7db52b8f5f800f8b3e2", + "tag" : "cd466d06e75b7fd18d5fe21d9227d9a7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 246, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "9064b88a282052a1ee44df05ad213da679f8d1f971da17437a2b5e04fbca167151b2650ec945fec70588bc65a616a5f24f354c0c1580af3662d5f8151e3f7e82dd557ec8a4d63df7274594367bef09cd", + "ct" : "098a19123b0c79499df7401d41758c07e0ffffffffffffffffffffffffffffff460a896b69f43eb668a0e02d475da503e0ffffffffffffffffffffffffffffff460a896b69f43eb668a0e02d475da503", + "tag" : "ce8a3d4d887d95613d829b538ed01196", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 247, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "43115e67ecd3d4178c4c60e713ab4e5eeef67bd4795b74015a3493905d544a86e847139a5f4e3f8e92d7a3b71eb4ff0e3197be28eff843592bd8fc8d578421d664a0085c32ddfcbeb01a8be4c34d5331f9a25e6a03ac086e0c29b8e49a832d16", + "ct" : "daffffffffffffffffffffffffffffff77f155d2f77e9cbddfe0326b5961a308ffffffffffffffffffffffffffffffff9e5d0ddb05871390b6f2fb67b644a0abffffffffffffffffffffffffffffffff9e5d0ddb05871390b6f2fb67b644a0ab", + "tag" : "08289f5199df476fe90475cb95225566", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 248, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "6b115e67ecd3d4178c4c60e713ab4e5e1e34412ab0a056e809d5d4b92be1128a4b2a651a62aeab26cf437fb195407574f3583a8c28603b9e3f41241395cbf4f8", + "ct" : "f2ffffffffffffffffffffffffffffff87336f2c3e85be548c0175422fd4fb045c92897fc21f6b57a26b23f9740b75855c92897fc21f6b57a26b23f9740b7585", + "tag" : "06df93f651ea5cc56911f30d3e58f997", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 249, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "3fe606108f35869df4c7aa0128464a1265f8d1f971da17437a2b5e04fbca1671fdbe843a0ad9be25055992ab6dcbc9f153354c0c1580af3662d5f8151e3f7e8271599ffc674a7d152794baf8b03265ce", + "ct" : "a608a7889c19ad7587743519c412fbb3fcffffffffffffffffffffffffffffffea06685faa687e546871cee38c80c900fcffffffffffffffffffffffffffffffea06685faa687e546871cee38c80c900", + "tag" : "9264fc0f47febb30661254daf9a06189", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 250, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "6e8eb98cf7fffe4cd683568cf892991564f8d1f971da17437a2b5e04fbca1671c70f5d8b30c64bf2e6d1d613f40e0bf052354c0c1580af3662d5f8151e3f7e824be8464d5d5588c2c41cfe4029f7a7cf", + "ct" : "f7601814e4d3d5a4a530c99414c628b4fdffffffffffffffffffffffffffffffd0b7b1ee90778b838bf98a5b15450b01fdffffffffffffffffffffffffffffffd0b7b1ee90778b838bf98a5b15450b01", + "tag" : "69a124fc7f96e220d1a031ced5527279", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 251, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "4f115e67ecd3d4178c4c60e713ab4e5e4156269fe3da101eeb0abf8dda20fe8fff47139a5f4e3f8e92d7a3b71eb4ff0e6aece983e64f97e43ff5295bc884fa7773a0085c32ddfcbeb01a8be4c34d5331a2d909c10a1bdcd318046d320583f6b7", + "ct" : "d6ffffffffffffffffffffffffffffffd85108996dfff8a26ede1e76de151701e8ffffffffffffffffffffffffffffffc5265a700c30c72da2df2eb129447b0ae8ffffffffffffffffffffffffffffffc5265a700c30c72da2df2eb129447b0a", + "tag" : "3ea8f9b2012321e63d5fb5bc2c5d332d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 252, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "66115e67ecd3d4178c4c60e713ab4e5e18f125ef374c1454b680e23427e7dc69e447139a5f4e3f8e92d7a3b71eb4ff0e858b08eb1d581570a7cd1e48593b757568a0085c32ddfcbeb01a8be4c34d53314dbee8a9f10c5e47803c5a21943c79b5", + "ct" : "ffffffffffffffffffffffffffffffff81f60be9b969fce8335443cf23d235e7f3ffffffffffffffffffffffffffffff2a41bb18f72745b93ae719a2b8fbf408f3ffffffffffffffffffffffffffffff2a41bb18f72745b93ae719a2b8fbf408", + "tag" : "dfaf8a3a15d45e7f4c3430048d8589f0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 253, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "b02ab747a310d6a3bbdb97018a3be8b341f8d1f971da17437a2b5e04fbca1671b7a338bc3423895f0fd96cdb27a787f277354c0c1580af3662d5f8151e3f7e823b44237a59b04a6f2d144488fa5e2bcd", + "ct" : "29c416dfb03cfd4bc8680819666f5912d8ffffffffffffffffffffffffffffffa01bd4d99492492e62f13093c6ec8703d8ffffffffffffffffffffffffffffffa01bd4d99492492e62f13093c6ec8703", + "tag" : "3408eb2b13a9b76befcedf699422d61f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 254, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "40115e67ecd3d4178c4c60e713ab4e5e380ef93aeb61aa307f141323c38e0685f647139a5f4e3f8e92d7a3b71eb4ff0e3f769a30e8951ff2fb365fa780fdde7e7aa0085c32ddfcbeb01a8be4c34d5331f7437a7204c154c5dcc71bce4dfad2be", + "ct" : "d9ffffffffffffffffffffffffffffffa109d73c6544428cfac0b2d8c7bbef0be1ffffffffffffffffffffffffffffff90bc29c302ea4f3b661c584d613d5f03e1ffffffffffffffffffffffffffffff90bc29c302ea4f3b661c584d613d5f03", + "tag" : "09f4f2a3936d7461a67ce022176bb8dd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 255, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "40115e67ecd3d4178c4c60e713ab4e5e060ef93aeb61aa307f141323c38e0685ee47139a5f4e3f8e92d7a3b71eb4ff0e2bca70bfcdf1171ab611d12bed5d627a62a0085c32ddfcbeb01a8be4c34d5331e3ff90fd21a55c2d91e09542205a6eba", + "ct" : "d9ffffffffffffffffffffffffffffff9f09d73c6544428cfac0b2d8c7bbef0bf9ffffffffffffffffffffffffffffff8400c34c278e47d32b3bd6c10c9de307f9ffffffffffffffffffffffffffffff8400c34c278e47d32b3bd6c10c9de307", + "tag" : "2eb2679aadfd824a5fd8fa2e4a55a65c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 256, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "56115e67ecd3d4178c4c60e713ab4e5e6c7e1312c6774fae7d1e5d0cc609028ff547139a5f4e3f8e92d7a3b71eb4ff0e81c9e61cbeeed5546b1ce5d8fef21a7a79a0085c32ddfcbeb01a8be4c34d533149fc065e52ba9e634ceda1b133f516ba", + "ct" : "cffffffffffffffffffffffffffffffff5793d144852a712f8cafcf7c23ceb01e2ffffffffffffffffffffffffffffff2e0355ef5491859df636e2321f329b07e2ffffffffffffffffffffffffffffff2e0355ef5491859df636e2321f329b07", + "tag" : "5e89349f6b011cd6e24ee6ac2f590c21", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 257, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "2ea8410b4dca8c9d5369a033d8db61e46cf8d1f971da17437a2b5e04fbca1671f0f58e8bba6cf1a52146273d8fe0c4fc5a354c0c1580af3662d5f8151e3f7e827c12954dd7ff3295038b0f6e521968c3", + "ct" : "b746e0935ee6a77520da3f2b348fd045f5ffffffffffffffffffffffffffffffe74d62ee1add31d44c6e7b756eabc40df5ffffffffffffffffffffffffffffffe74d62ee1add31d44c6e7b756eabc40d", + "tag" : "b24537fcb0dcb6200b0285cafc9c3a7d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 258, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "17059a7c8883a28b90bd94ae44d1543662f8d1f971da17437a2b5e04fbca1671a23018bf8e68e413e99ac2d4ab3f8df154354c0c1580af3662d5f8151e3f7e822ed70379e3fb2723cb57ea8776c621ce", + "ct" : "8eeb3be49baf8963e30e0bb6a885e597fbffffffffffffffffffffffffffffffb588f4da2ed9246284b29e9c4a748d00fbffffffffffffffffffffffffffffffb588f4da2ed9246284b29e9c4a748d00", + "tag" : "43300400ea36e720361153ce0c5d637d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 259, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "aaa1b258fd4b54b497b520806a66d7aa68f8d1f971da17437a2b5e04fbca167199132a234a8c789bf8544547940ec3f35e354c0c1580af3662d5f8151e3f7e8215f431e5271fbbabda996d1449f76fcc", + "ct" : "334f13c0ee677f5ce406bf988632660bf1ffffffffffffffffffffffffffffff8eabc646ea3db8ea957c190f7545c302f1ffffffffffffffffffffffffffffff8eabc646ea3db8ea957c190f7545c302", + "tag" : "d79a0310124adc30c6b64cdef8993e8d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 260, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "4c115e67ecd3d4178c4c60e713ab4e5ebb5357ed314ad740b9910fad6f01d781f047139a5f4e3f8e92d7a3b71eb4ff0ec8042b414fdd1bba3a6c936b7ed678797ca0085c32ddfcbeb01a8be4c34d53310031cb03a389508d1d9dd702b3d174b9", + "ct" : "d5ffffffffffffffffffffffffffffff225479ebbf6f3ffc3c45ae566b343e0fe7ffffffffffffffffffffffffffffff67ce98b2a5a24b73a74694819f16f904e7ffffffffffffffffffffffffffffff67ce98b2a5a24b73a74694819f16f904", + "tag" : "e6022cc3ba20e3f9065fdfcc43a9dc40", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 261, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "66115e67ecd3d4178c4c60e713ab4e5ef64296975af7fced168181f76c6508e1c947139a5f4e3f8e92d7a3b71eb4ff0e4975060f7ddef4a098699333b30fbf7c45a0085c32ddfcbeb01a8be4c34d53318140e64d918abf97bf98d75a7e08b3bc", + "ct" : "ffffffffffffffffffffffffffffffff6f45b891d4d214519355200c6850e16fdeffffffffffffffffffffffffffffffe6bfb5fc97a1a469054394d952cf3e01deffffffffffffffffffffffffffffffe6bfb5fc97a1a469054394d952cf3e01", + "tag" : "353e304fd8553286b26e0d59942fe7cd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 262, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "9841cfc927a57dc491ab35427ff935e66ef8d1f971da17437a2b5e04fbca1671a683c8f9f9e6780fda4940ddedd76bf258354c0c1580af3662d5f8151e3f7e822a64d33f9475bb3ff884688e302ec7cd", + "ct" : "01af6e513489562ce218aa5a93ad8447f7ffffffffffffffffffffffffffffffb13b249c5957b87eb7611c950c9c6b03f7ffffffffffffffffffffffffffffffb13b249c5957b87eb7611c950c9c6b03", + "tag" : "0aeb04ecf7def40c42025bbae5509169", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 263, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "42115e67ecd3d4178c4c60e713ab4e5e0b61bf9b7caf83cc34da625593514289e847139a5f4e3f8e92d7a3b71eb4ff0e696a5c7fb9da9cd4a39c8591086db42d64a0085c32ddfcbeb01a8be4c34d5331a15fbc3d558ed7e3846dc1f8c56ab8ed", + "ct" : "dbffffffffffffffffffffffffffffff9266919df28a6b70b10ec3ae9764ab07ffffffffffffffffffffffffffffffffc6a0ef8c53a5cc1d3eb6827be9ad3550ffffffffffffffffffffffffffffffffc6a0ef8c53a5cc1d3eb6827be9ad3550", + "tag" : "8fc4f77a6ee052a4c314780b8df9a2d0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 264, + "comment" : "edge case intermediate sums in poly1305. poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "4b115e67ecd3d4178c4c60e713ab4e5ef28e4d0f20ca1644470c9cdac6000887ed47139a5f4e3f8e92d7a3b71eb4ff0e1464775bacd5c69fe26e1a74968ea27e61a0085c32ddfcbeb01a8be4c34d5331dc51971940818da8c59f5e1d5b89aebe", + "ct" : "d2ffffffffffffffffffffffffffffff6b896309aeeffef8c2d83d21c235e109faffffffffffffffffffffffffffffffbbaec4a846aa96567f441d9e774e2303faffffffffffffffffffffffffffffffbbaec4a846aa96567f441d9e774e2303", + "tag" : "232ff78a96f347b453ba711b79367ee0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 265, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:946aff9f2a13f56f92a5f9cfee3cdb1fef6d98d5a55ab563cb28620cd57f19d2", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "00010203040506072dd4cd40", + "aad" : "ffffffff", + "msg" : "4d115e67ecd3d4178c4c60e713ab4e5e6ee628fc4b5830184cd293364a213e84fe47139a5f4e3f8e92d7a3b71eb4ff0e29db953ad5458fea61f013ea1854fe7572a0085c32ddfcbeb01a8be4c34d5331e1ee75783911c4dd46015783d553f2b5", + "ct" : "d4fffffffffffffffffffffffffffffff7e106fac57dd8a4c90632cd4e14d70ae9ffffffffffffffffffffffffffffff861126c93f3adf23fcda1400f9947f08e9ffffffffffffffffffffffffffffff861126c93f3adf23fcda1400f9947f08", + "tag" : "e00d2e8bae5d09c28e9bf59409545d09", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 266, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "19de9b9ec8b247d42bbee2016d6715babc286fd979807951b183a188930ad15edcf0b056a2eecc51d30838e640615e14890e659fd3028c904e65018fdfd6038333d14da7b4f76f9f68fa8903138d563c33b7fb50c3e7ebca970f6f89a88a82d6", + "ct" : "f9ffffffffffffffffffffffffffffff015d1565924f6c7418de9babf8be4407edffffffffffffffffffffffffffffff2e110e5e1c0468cbaad99c8abeffff07edffffffffffffffffffffffffffffff2e110e5e1c0468cbaad99c8abeffff07", + "tag" : "47e5d4294239db73b836c04070ff5b2d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 267, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "1fde9b9ec8b247d42bbee2016d6715ba839f811ad0310c77052f45320b0d9560c4f0b056a2eecc51d30838e640615e1470d6b14fd209fedf261fd1d250d3478d2bd14da7b4f76f9f68fa8903138d563cca6f2f80c2ec9985ff75bfd4278fc6d8", + "ct" : "ffffffffffffffffffffffffffffffff3eeafba63bfe1952ac727f1160b90039f5ffffffffffffffffffffffffffffffd7c9da8e1d0f1a84c2a34cd731fabb09f5ffffffffffffffffffffffffffffffd7c9da8e1d0f1a84c2a34cd731fabb09", + "tag" : "232c882f7a1a2f808ccf26496cff5b3d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 268, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "97311cd6e2d25a7b4eaa16f0a61ca6246b8a85431430eada56a2c5dc944b6aa695136310b6b6b5c17c9f8c02ba7d0aeb71e0943e30f91ba41b4362fa9ed6037b7a329ee1a0af160fc76d3de7e99102c3", + "ct" : "771078b7d59fe2509aeb0b0e34844c61d6ffffffffffffffffffffffffffffffa41c2cb9eba7866f50684b1b05e3ab00d6ffffffffffffffffffffffffffffffa41c2cb9eba7866f50684b1b05e3ab00", + "tag" : "d71bc70d5adc74e7dfd89406fc15f044", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 269, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "34de9b9ec8b247d42bbee2016d6715ba74cf7e9d82b7e8ed9ec965f6ea310951dc104940e08a4222556828eba459f65a4a006d28729d95d79d2372f77aeeab35", + "ct" : "d4ffffffffffffffffffffffffffffffc9ba04216978fdc837945fd581859c08ed1f06e9bd9b718c799feff21bc757b1ed1f06e9bd9b718c799feff21bc757b1", + "tag" : "21e63987d494673f3040ae9de2bc0da0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 270, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "e72b83514e5e50509070359c1cac7e1c428a85431430eada56a2c5dc944b6aa6dad35950d8a9b55a472f9bb8860a526358e0943e30f91ba41b4362fa9ed6037b35f2a4a1ceb01694fcdd2a5dd5e65a4b", + "ct" : "070ae7307913e87b443128628e349459ffffffffffffffffffffffffffffffffebdc16f985b886f46bd85ca13994f388ffffffffffffffffffffffffffffffffebdc16f985b886f46bd85ca13994f388", + "tag" : "e4fb945d6a2d0b947834317cc415f024", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 271, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "8c6165f445443588041b6e044fb6baae728a85431430eada56a2c5dc944b6aa6881a54c09516a1f1cae7b9dd71130ee168e0943e30f91ba41b4362fa9ed6037b673ba931830f023f7115083822ff06c9", + "ct" : "6c40019572098da3d05a73fadd2e50ebcfffffffffffffffffffffffffffffffb9151b69c807925fe6107ec4ce8daf0acfffffffffffffffffffffffffffffffb9151b69c807925fe6107ec4ce8daf0a", + "tag" : "c0424863a20e5fa04ccd9784c015f034", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 272, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "18e36174545fa7ec9ea9f05d7057c5ca638a85431430eada56a2c5dc944b6aa6434e1c5e71005b690ca5cb8d580b89ed79e0943e30f91ba41b4362fa9ed6037bac6fe1af6719f8a7b7577a680be781c5", + "ct" : "f8c2051563121fc74ae8eda3e2cf2f8fdeffffffffffffffffffffffffffffff724153f72c1168c720520c94e7952806deffffffffffffffffffffffffffffff724153f72c1168c720520c94e7952806", + "tag" : "aa7293ffe5db30a31f2581e0e7ae56ed", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 273, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "12de9b9ec8b247d42bbee2016d6715ba54305dff6b61c40b775c352d025c1a56d7f0b056a2eecc51d30838e640615e14bce574e9e11afedbdca021e53bb9188338d14da7b4f76f9f68fa8903138d563c065cea26f1ff998105ca4fe34ce599d6", + "ct" : "f2ffffffffffffffffffffffffffffffe945274380aed12ede010f0e69e88f0fe6ffffffffffffffffffffffffffffff1bfa1f282e1c1a80381cbce05a90e407e6ffffffffffffffffffffffffffffff1bfa1f282e1c1a80381cbce05a90e407", + "tag" : "42e5d43d1e808e79f017144d4498c235", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 274, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "1fde9b9ec8b247d42bbee2016d6715badf0599194b0ce890cc1d8eb383b57f38dcf0b056a2eecc51d30838e640615e1435df81077d068077ce805ea592f6f88833d14da7b4f76f9f68fa8903138d563c8f661fc86de3e72d17ea30a3e5aa79dd", + "ct" : "ffffffffffffffffffffffffffffffff6270e3a5a0c3fdb56540b490e801ea61edffffffffffffffffffffffffffffff92c0eac6b200642c2a3cc3a0f3df040cedffffffffffffffffffffffffffffff92c0eac6b200642c2a3cc3a0f3df040c", + "tag" : "6cf2f9230af8679e7ecb19421362fce3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 275, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "39de9b9ec8b247d42bbee2016d6715ba4092e1f9a22c8b18184d805c128ade57c7f0b056a2eecc51d30838e640615e1464fe8b9bdd215a620973affefe93398528d14da7b4f76f9f68fa8903138d563cde471554cdc43d38d019c1f889cfb8d0", + "ct" : "d9fffffffffffffffffffffffffffffffde79b4549e39e3db110ba7f793e4b0ef6ffffffffffffffffffffffffffffffc3e1e05a1227be39edcf32fb9fbac501f6ffffffffffffffffffffffffffffffc3e1e05a1227be39edcf32fb9fbac501", + "tag" : "6d46d2230a9848d518f9d94bb2c49caa", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 276, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "12de9b9ec8b247d42bbee2016d6715ba327f3a1befb4287c17450391ed0eb854d6f0b056a2eecc51d30838e640615e141460d3545c29ddc790711b8e7533698539d14da7b4f76f9f68fa8903138d563caed94d9b4cccba9d491b7588026fe8d0", + "ct" : "f2ffffffffffffffffffffffffffffff8f0a40a7047b3d59be1839b286ba2d0de7ffffffffffffffffffffffffffffffb37fb895932f399c74cd868b141a9501e7ffffffffffffffffffffffffffffffb37fb895932f399c74cd868b141a9501", + "tag" : "74dda12e0558877bc0e40c3eace0af29", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 277, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "1bde9b9ec8b247d42bbee2016d6715ba85b67664ee49fa347fbfd2dd92007c57def0b056a2eecc51d30838e640615e14fb27ee075b3c0f0f682babdde63dad8731d14da7b4f76f9f68fa8903138d563c419e70c84bd96855b141c5db91612cd2", + "ct" : "fbffffffffffffffffffffffffffffff38c30cd80586ef11d6e2e8fef9b4e90eefffffffffffffffffffffffffffffff5c3885c6943aeb548c9736d887145103efffffffffffffffffffffffffffffff5c3885c6943aeb548c9736d887145103", + "tag" : "502455343d39db87947d7346a8e0af39", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 278, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "36de9b9ec8b247d42bbee2016d6715ba1132811b2f18321ba99b12432c7f865aa3352cd2d7ac70b4c6f5419767926e20352508ba45bba7410ebe1b8bb925334f", + "ct" : "d6ffffffffffffffffffffffffffffffac47fba7c4d7273e00c6286047cb1303923a637b8abd431aea02868ed80ccfcb923a637b8abd431aea02868ed80ccfcb", + "tag" : "14fba149d1c0edc8aa665851126b5afd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 279, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "1fde9b9ec8b247d42bbee2016d6715baf999461058f6d7733e5cd0d1639d9025cbf0b056a2eecc51d30838e640615e14520a0da50439db00e289e1791342068e24d14da7b4f76f9f68fa8903138d563ce8b3936a14dcbc5a3be38f7f641e87db", + "ct" : "ffffffffffffffffffffffffffffffff44ec3cacb339c2569701eaf20829057cfafffffffffffffffffffffffffffffff5156664cb3f3f5b06357c7c726bfa0afafffffffffffffffffffffffffffffff5156664cb3f3f5b06357c7c726bfa0a", + "tag" : "bf7fbd422cbf0e700fd1605be8fd212f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 280, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "15de9b9ec8b247d42bbee2016d6715bacc1629a40cd11eafdf04138b45afe458eff0b056a2eecc51d30838e640615e14340ac9b45a5896a418a8cee8032e078f00d14da7b4f76f9f68fa8903138d563c8eb3577b4abdf1fec1c2a0ee747286da", + "ct" : "f5ffffffffffffffffffffffffffffff71635318e71e0b8a765929a82e1b7101deffffffffffffffffffffffffffffff9315a275955e72fffc1453ed6207fb0bdeffffffffffffffffffffffffffffff9315a275955e72fffc1453ed6207fb0b", + "tag" : "c6f23204865b0adde0070037d6538dd3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 281, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "31de9b9ec8b247d42bbee2016d6715baff746ef53ec3357cbc3c3ce4ab1d2d51ed9eb456dc9d9b59f656a5d2d974d26a7b8e903e4e8a4cac3e1dffce07c38f05", + "ct" : "d1ffffffffffffffffffffffffffffff42011449d50c2059156106c7c0a9b808dc91fbff818ca8f7daa162cb66ea7381dc91fbff818ca8f7daa162cb66ea7381", + "tag" : "8cff61b7b3919ed6bde72b36e0d31326", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 282, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "19de9b9ec8b247d42bbee2016d6715babf286fd979807951b183a188930ad15ecef0b056a2eecc51d30838e640615e1464413d71939b9cb0a4d32ef115da9e1021d14da7b4f76f9f68fa8903138d563cdef8a3be837efbea7db940f762861f45", + "ct" : "f9ffffffffffffffffffffffffffffff025d1565924f6c7418de9babf8be4407ffffffffffffffffffffffffffffffffc35e56b05c9d78eb406fb3f474f36294ffffffffffffffffffffffffffffffffc35e56b05c9d78eb406fb3f474f36294", + "tag" : "369cf17011cae47539e2723f010cf980", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 283, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "19de9b9ec8b247d42bbee2016d6715babd286fd979807951b183a188930ad15ee3f0b056a2eecc51d30838e640615e14f25e78fe1b53ae416d1fbc698522618f0cd14da7b4f76f9f68fa8903138d563c48e7e6310bb6c91bb475d26ff27ee0da", + "ct" : "f9ffffffffffffffffffffffffffffff005d1565924f6c7418de9babf8be4407d2ffffffffffffffffffffffffffffff5541133fd4554a1a89a3216ce40b9d0bd2ffffffffffffffffffffffffffffff5541133fd4554a1a89a3216ce40b9d0b", + "tag" : "532eb8e272a8d171378b0d42dff2bed9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 284, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "32de9b9ec8b247d42bbee2016d6715ba258d5d3e441683f546beba2e23755f5ccef0b056a2eecc51d30838e640615e149d13fdf8fa899836fa5c410d4ccd25ea21d14da7b4f76f9f68fa8903138d563c27aa6337ea6cff6c23362f0b3b91a4bf", + "ct" : "d2ffffffffffffffffffffffffffffff98f82782afd996d0efe3800d48c1ca05ffffffffffffffffffffffffffffffff3a0c9639358f7c6d1ee0dc082de4d96effffffffffffffffffffffffffffffff3a0c9639358f7c6d1ee0dc082de4d96e", + "tag" : "d1be7426cd12446fe52e8d45331e0835", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 285, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "1fde9b9ec8b247d42bbee2016d6715bad64add2aa3c5a30a31d9e65e90f93ad1cbf0b056a2eecc51d30838e640615e14de9aeab86144d5464811b2373ba4cc8324d14da7b4f76f9f68fa8903138d563c6423747771a1b21c917bdc314cf84dd6", + "ct" : "ffffffffffffffffffffffffffffffff6b3fa796480ab62f9884dc7dfb4daf88faffffffffffffffffffffffffffffff79858179ae42311dacad2f325a8d3007faffffffffffffffffffffffffffffff79858179ae42311dacad2f325a8d3007", + "tag" : "62630c18de8c10876adb9f30f300963f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 286, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "1fde9b9ec8b247d42bbee2016d6715bacc3492272b8a4b112a4e7d7ccf092692cef0b056a2eecc51d30838e640615e1430ce678e9375b2af0b82c2d2fbd7928c21d14da7b4f76f9f68fa8903138d563c8a77f9418390d5f5d2e8acd48c8b13d9", + "ct" : "ffffffffffffffffffffffffffffffff7141e89bc0455e348313475fa4bdb3cbffffffffffffffffffffffffffffffff97d10c4f5c7356f4ef3e5fd79afe6e08ffffffffffffffffffffffffffffffff97d10c4f5c7356f4ef3e5fd79afe6e08", + "tag" : "feb6412b9031f076eddcd9426fff5b31", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 287, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "34de9b9ec8b247d42bbee2016d6715ba722b6549c9df0f4b04b5f7432203fa54cef0b056a2eecc51d30838e640615e1487de186cd28e43544c73de628fd1d60e21d14da7b4f76f9f68fa8903138d563c3d6786a3c26b240e9519b064f88d575b", + "ct" : "d4ffffffffffffffffffffffffffffffcf5e1ff522101a6eade8cd6049b76f0dffffffffffffffffffffffffffffffff20c173ad1d88a70fa8cf4367eef82a8affffffffffffffffffffffffffffffff20c173ad1d88a70fa8cf4367eef82a8a", + "tag" : "dafdf430c8124483c175404b6bff5b41", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 288, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "3dde9b9ec8b247d42bbee2016d6715bac5629699cfd4d9036cef478ed705be5650f575882c3800f757ea6e0f8c6d47acc6e551e0be2fd7029fa1341352da1ac3", + "ct" : "ddffffffffffffffffffffffffffffff7817ec25241bcc26c5b27dadbcb12b0f61fa3a21712933597b1da91633f3e64761fa3a21712933597b1da91633f3e647", + "tag" : "f8800c5b6283dddfc41f935c01bd0d24", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 289, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "1fde9b9ec8b247d42bbee2016d6715ba66d624f288f52941ca24865ce96f0d9736ff33a27c23f4976fc74f1fcd82f5cca0ef17caee342362a78c15031335a8a3", + "ct" : "ffffffffffffffffffffffffffffffffdba35e4e633a3c646379bc7f82db98ce07f07c0b2132c73943308806721c542707f07c0b2132c73943308806721c5427", + "tag" : "38bfb8318c627d86c34bab1f1ebd0db0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 290, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "f4ebbe3fca96bc4885b35582c43e0eb3588a85431430eada56a2c5dc944b6aa6b4570e8446e886bcbff82a24f49be5ed42e0943e30f91ba41b4362fa9ed6037b5b76f37550f12572040a9bc1a777edc5", + "ct" : "14cada5efddb046351f2487c56a6e4f6e5ffffffffffffffffffffffffffffff8558412d1bf9b512930fed3d4b054406e5ffffffffffffffffffffffffffffff8558412d1bf9b512930fed3d4b054406", + "tag" : "af7293eb09957d9de7432dd41316f0e4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 291, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "1ade9b9ec8b247d42bbee2016d6715ba571a3fca3cda7def4c93d4a382ca3a57eaf0b056a2eecc51d30838e640615e1476cddbee2f185776174f6df3bbe5b38105d14da7b4f76f9f68fa8903138d563ccc7445213ffd302cce2503f5ccb932d4", + "ct" : "faffffffffffffffffffffffffffffffea6f4576d71568cae5ceee80e97eaf0edbffffffffffffffffffffffffffffffd1d2b02fe01eb32df3f3f0f6dacc4f05dbffffffffffffffffffffffffffffffd1d2b02fe01eb32df3f3f0f6dacc4f05", + "tag" : "e178b0d5eb9bc551fa645c49f9f17667", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 292, + "comment" : "edge case intermediate sums in poly1305. poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "1fde9b9ec8b247d42bbee2016d6715babe31a501536a7c91e4a102cc27cdfe09d2f0b056a2eecc51d30838e640615e14dd9416a12e2f81bdee023d462feef7833dd14da7b4f76f9f68fa8903138d563c672d886e3ecae6e73768534058b276d6", + "ct" : "ffffffffffffffffffffffffffffffff0344dfbdb8a569b44dfc38ef4c796b50e3ffffffffffffffffffffffffffffff7a8b7d60e12965e60abea0434ec70b07e3ffffffffffffffffffffffffffffff7a8b7d60e12965e60abea0434ec70b07", + "tag" : "bdbf63db237d195ecefdc251f5f17677", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 293, + "comment" : "edge case intermediate sums in poly1305. 
poly_key:dc46b3c53be153ccd4986678ffffffafe484c316c93f64195da65a2742fd3fec", + "key" : "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "iv" : "000102030405060703e76f6f", + "aad" : "ffffffff", + "msg" : "3ede9b9ec8b247d42bbee2016d6715ba8567a7fde812a3aa2f552a33c1718c58e2f0b056a2eecc51d30838e640615e14bb8729fd148f23b2a916b7f40f2f29810dd14da7b4f76f9f68fa8903138d563c013eb732046a44e8707cd9f27873a8d4", + "ct" : "deffffffffffffffffffffffffffffff3812dd4103ddb68f86081010aac51901d3ffffffffffffffffffffffffffffff1c98423cdb89c7e94daa2af16e06d505d3ffffffffffffffffffffffffffffff1c98423cdb89c7e94daa2af16e06d505", + "tag" : "b4ccb422bc5f7264aff73f3675ff5b19", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "ivSize" : 0, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 294, + "comment" : "invalid nonce size", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "ivSize" : 64, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 295, + "comment" : "invalid nonce size", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "0001020304050607", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "ivSize" : 88, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 296, + "comment" : "invalid nonce size", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "ivSize" : 104, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 297, + "comment" : "invalid nonce size", + "key" : 
"202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b0c", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "ivSize" : 112, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 298, + "comment" : "invalid nonce size", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b0c0d", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "ivSize" : 128, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 299, + "comment" : "invalid nonce size", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b0c0d0e0f", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "ivSize" : 160, + "keySize" : 256, + "tagSize" : 128, + "type" : "AeadTest", + "tests" : [ + { + "tcId" : 300, + "comment" : "invalid nonce size", + "key" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "iv" : "000102030405060708090a0b0c0d0e0f10111213", + "aad" : "", + "msg" : "", + "ct" : "", + "tag" : "", + "result" : "invalid", + "flags" : [] + } + ] + } + ] +} diff --git a/tests/chacha20poly1305_vectors.h b/tests/chacha20poly1305_vectors.h new file mode 100644 index 00000000..bceb0088 --- /dev/null +++ b/tests/chacha20poly1305_vectors.h 
@@ -0,0 +1,62 @@
+#pragma once
+
+typedef struct
+{
+ uint8_t* input;
+ size_t input_len;
+ uint8_t* key;
+ uint8_t* nonce;
+ uint8_t* aad;
+ size_t aad_len;
+ uint8_t* tag;
+ uint8_t* cipher;
+} chacha20poly1305_test_vector;
+
+static uint8_t input1[114] = {
+ 0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x47, 0x65,
+ 0x6e, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20, 0x74, 0x68,
+ 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73, 0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39,
+ 0x39, 0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63, 0x6f, 0x75, 0x6c, 0x64,
+ 0x20, 0x6f, 0x66, 0x66, 0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f, 0x6e,
+ 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20, 0x74, 0x69, 0x70, 0x20, 0x66, 0x6f,
+ 0x72, 0x20, 0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75, 0x72, 0x65, 0x2c,
+ 0x20, 0x73, 0x75, 0x6e, 0x73, 0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f,
+ 0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69, 0x74, 0x2e
+};
+
+static uint8_t cipher1[114] = {
+ 0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb, 0x7b, 0x86, 0xaf, 0xbc, 0x53,
+ 0xef, 0x7e, 0xc2, 0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe, 0xa9, 0xe2,
+ 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6, 0x3d, 0xbe, 0xa4, 0x5e, 0x8c, 0xa9, 0x67,
+ 0x12, 0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b, 0x1a, 0x71, 0xde, 0x0a,
+ 0x9e, 0x06, 0x0b, 0x29, 0x05, 0xd6, 0xa5, 0xb6, 0x7e, 0xcd, 0x3b, 0x36, 0x92,
+ 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c, 0x98, 0x03, 0xae, 0xe3, 0x28, 0x09,
+ 0x1b, 0x58, 0xfa, 0xb3, 0x24, 0xe4, 0xfa, 0xd6, 0x75, 0x94, 0x55, 0x85, 0x80,
+ 0x8b, 0x48, 0x31, 0xd7, 0xbc, 0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d,
+ 0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b, 0x61, 0x16
+};
+
+static uint8_t aad1[12] = { 0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1,
+ 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7 };
+
+static uint8_t key1[32] = { 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f };
+
+static uint8_t nonce1[12] = { 0x07, 0x00, 0x00, 0x00, 0x40, 0x41,
+ 0x42, 0x43, 0x44, 0x45, 0x46, 0x47 };
+
+static uint8_t tag1[16] = { 0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09, 0xe2, 0x6a,
+ 0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91 };
+
+static chacha20poly1305_test_vector vectors[] = {
+ { .input = input1,
+ .input_len = sizeof(input1) / sizeof(uint8_t),
+ .key = key1,
+ .nonce = nonce1,
+ .aad = aad1,
+ .aad_len = sizeof(aad1) / sizeof(uint8_t),
+ .tag = tag1,
+ .cipher = cipher1 }
+};
diff --git a/tests/curve25519_vectors.h b/tests/curve25519_vectors.h
new file mode 100644
index 00000000..ff0ad36d
--- /dev/null
+++ b/tests/curve25519_vectors.h
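Review bot: `chacha20poly1305_vectors.h` uses `uint8_t` and `size_t` but includes nothing, so it only compiles if the including translation unit has already pulled in the integer headers; add `#include <stddef.h>` and `#include <stdint.h>` right after `#pragma once` so the header stands on its own. The known-answer arrays and the struct's pointer members are also writable (`static uint8_t input1[114]`, `uint8_t* input`), so a test could overwrite the expected plaintext, key or tag without any diagnostic; `static const uint8_t input1[114]` together with `const uint8_t *input` in the struct turns accidental mutation of reference data into a compile error. `sizeof(input1) / sizeof(uint8_t)` can simply be `sizeof input1`, since the element is one byte by definition. The same missing includes and missing `const` apply to `curve25519_vectors.h` in the next hunk.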
@@ -0,0 +1,35 @@
+#pragma once
+
+typedef struct
+{
+ uint8_t scalar[32];
+ uint8_t public_key[32];
+ uint8_t secret[32];
+} curve25519_test_vector;
+
+static curve25519_test_vector vectors[] = {
+ { .scalar = { 0xa5, 0x46, 0xe3, 0x6b, 0xf0, 0x52, 0x7c, 0x9d,
+ 0x3b, 0x16, 0x15, 0x4b, 0x82, 0x46, 0x5e, 0xdd,
+ 0x62, 0x14, 0x4c, 0x0a, 0xc1, 0xfc, 0x5a, 0x18,
+ 0x50, 0x6a, 0x22, 0x44, 0xba, 0x44, 0x9a, 0xc4 },
+ .public_key = { 0xe6, 0xdb, 0x68, 0x67, 0x58, 0x30, 0x30, 0xdb,
+ 0x35, 0x94, 0xc1, 0xa4, 0x24, 0xb1, 0x5f, 0x7c,
+ 0x72, 0x66, 0x24, 0xec, 0x26, 0xb3, 0x35, 0x3b,
+ 0x10, 0xa9, 0x03, 0xa6, 0xd0, 0xab, 0x1c, 0x4c },
+ .secret = { 0xc3, 0xda, 0x55, 0x37, 0x9d, 0xe9, 0xc6, 0x90,
+ 0x8e, 0x94, 0xea, 0x4d, 0xf2, 0x8d, 0x08, 0x4f,
+ 0x32, 0xec, 0xcf, 0x03, 0x49, 0x1c, 0x71, 0xf7,
+ 0x54, 0xb4, 0x07, 0x55, 0x77, 0xa2, 0x85, 0x52 } },
+ { .scalar = { 0x4b, 0x66, 0xe9, 0xd4, 0xd1, 0xb4, 0x67, 0x3c,
+ 0x5a, 0xd2, 0x26, 0x91, 0x95, 0x7d, 0x6a, 0xf5,
+ 0xc1, 0x1b, 0x64, 0x21, 0xe0, 0xea, 0x01, 0xd4,
+ 0x2c, 0xa4, 0x16, 0x9e, 0x79, 0x18, 0xba, 0x0d },
+ .public_key = { 0xe5, 0x21, 0x0f, 0x12, 0x78, 0x68, 0x11, 0xd3,
+ 0xf4, 0xb7, 0x95, 0x9d, 0x05, 0x38, 0xae, 0x2c,
+ 0x31, 0xdb, 0xe7, 0x10, 0x6f, 0xc0, 0x3c, 0x3e,
+ 0xfc, 0x4c, 0xd5, 0x49, 0xc7, 0x15, 0xa4, 0x93 },
+ .secret = { 0x95, 0xcb, 0xde, 0x94, 0x76, 0xe8, 0x90, 0x7d,
+ 0x7a, 0xad, 0xe4, 0x5c, 0xb4, 0xb8, 0x73, 0xf8,
+ 0x8b, 0x59, 0x5a, 0x68, 0x79, 0x9f, 0xa1, 0x52,
+ 0xe6, 0xf8, 0xf7, 0x64, 0x7a, 0xac, 0x79, 0x57 } }
+};
diff --git a/tests/ed25519.cc b/tests/ed25519.cc
new file mode 100644
index 00000000..9f0f9e22
--- /dev/null
+++ b/tests/ed25519.cc
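Review bot: The array is named `vectors`, exactly like the one in `chacha20poly1305_vectors.h` in the previous hunk, so if both headers are ever included into the same translation unit the second definition of `static ... vectors[]` is a redefinition error; giving each header a distinct name such as `static const curve25519_test_vector curve25519_vectors[] = {` avoids the clash and makes call sites self-explanatory. The struct's fixed-size members are a good fit for known-answer data, but like the other header it lacks `#include <stdint.h>` for `uint8_t` and the table is not `const`, so I would apply the same two fixes here.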
@@ -0,0 +1,103 @@
+/*
+ * Copyright 2022 Cryspen Sarl
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include
+
+#include
+#include
+
+#include "util.h"
+
+#include "Hacl_Ed25519.h"
+
+using json = nlohmann::json;
+
+// TODO: Use TEST_P, see chachapoly test for example
+TEST(Ed25519Test, WycheproofTest)
+{
+ // Read JSON test vector
+ std::string test_dir = "eddsa_test.json";
+ std::ifstream json_test_file(test_dir);
+ json test_vectors;
+ json_test_file >> test_vectors;
+
+ // Read test group
+ for (auto& test : test_vectors["testGroups"].items()) {
+ auto test_value = test.value();
+ auto pk = test_value["key"]["pk"];
+ auto sk = test_value["key"]["sk"];
+
+ auto tests = test_value["tests"];
+ for (auto& test_case : tests.items()) {
+ auto test_case_value = test_case.value();
+ auto msg = test_case_value["msg"];
+ std::string sig = test_case_value["sig"];
+ auto result = test_case_value["result"];
+
+ auto msg_bytes = from_hex(msg);
+ // XXX: HACL can't handle invalid lengths ...
+ if (sig.length() == 0) {
+ EXPECT_TRUE(result == "invalid");
+ continue;
+ }
+ if (sig.length() > 128) {
+ EXPECT_TRUE(result == "invalid");
+ continue;
+ }
+ if (sig.length() < 128) {
+ EXPECT_TRUE(result == "invalid");
+ continue;
+ }
+
+ // First sign and check that the signature is correct.
+ auto signature_bytes = from_hex(sig);
+ uint8_t my_signature[64] = { 0 };
+ Hacl_Ed25519_sign(&my_signature[0],
+ from_hex(sk).data(),
+ msg_bytes.size(),
+ msg_bytes.data());
+ std::vector my_signature_vector(my_signature, my_signature + 64);
+ if (result == "valid") {
+ EXPECT_EQ(my_signature_vector, signature_bytes)
+ << "Got: " << bytes_to_hex(my_signature_vector) << std::endl
+ << "Expected: " << sig << std::endl;
+
+ bool self_test = Hacl_Ed25519_verify(from_hex(pk).data(),
+ msg_bytes.size(),
+ msg_bytes.data(),
+ &my_signature[0]);
+ EXPECT_TRUE(self_test);
+ } else {
+ EXPECT_NE(my_signature_vector, signature_bytes)
+ << "Got: " << bytes_to_hex(my_signature_vector) << std::endl
+ << "Unexpected: " << sig << std::endl;
+ }
+
+ // Now verify the signature from the KAT.
+ bool valid = Hacl_Ed25519_verify(from_hex(pk).data(),
+ msg_bytes.size(),
+ msg_bytes.data(),
+ signature_bytes.data());
+ if (result == "valid") {
+ EXPECT_TRUE(valid);
+ } else {
+ EXPECT_FALSE(valid)
+ << "HACL result: "
+ << "sign(" << msg << ") := " << sig << " is " << result << std::endl;
+ }
+ }
+ }
+}
diff --git a/tests/ed25519/eddsa_test.json b/tests/ed25519/eddsa_test.json
new file mode 100644
index 00000000..e2a1ae4f
--- /dev/null
+++ b/tests/ed25519/eddsa_test.json
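Review bot: Nothing checks that `eddsa_test.json` was actually opened: `std::ifstream json_test_file(test_dir)` is followed directly by `json_test_file >> test_vectors`, so when the file is not in the working directory the test presumably either throws out of the extraction or iterates an empty `testGroups` and passes without exercising a single Wycheproof vector. Add `ASSERT_TRUE(json_test_file.is_open()) << "cannot open " << test_dir;` before the extraction, and consider counting the cases visited and asserting the total against the file's `numberOfTests` so a silently truncated or misparsed vector file cannot produce a green run. The three guards `sig.length() == 0`, `> 128` and `< 128` are one condition written three times; a single `if (sig.length() != 128) { EXPECT_TRUE(result == "invalid"); continue; }` says the same thing and keeps the "HACL only takes 64-byte signatures" reason in one place.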
@@ -0,0 +1,2262 @@ +{ + "algorithm" : "EDDSA", + "generatorVersion" : "0.8rc16", + "numberOfTests" : 145, + "header" : [ + "Test vectors of type EddsaVerify are intended for testing", + "the verification of Eddsa signatures." + ], + "notes" : { + "SignatureMalleability" : "EdDSA signatures are non-malleable, if implemented accordingly. Failing to check the range of S allows to modify signatures. See RFC 8032, Section 5.2.7 and Section 8.4." + }, + "schema" : "eddsa_verify_schema.json", + "testGroups" : [ + { + "jwk" : { + "crv" : "Ed25519", + "d" : "rdS7gQN4W6-axTQljoqvZfXxrbXvXz3xm7gKuYnE1ks", + "kid" : "none", + "kty" : "OKP", + "x" : "fU0Of2FTpptiQrUiq77mhf2kQg-INLEIw72uNp71Sfo" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "7d4d0e7f6153a69b6242b522abbee685fda4420f8834b108c3bdae369ef549fa", + "sk" : "add4bb8103785baf9ac534258e8aaf65f5f1adb5ef5f3df19bb80ab989c4d64b", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321007d4d0e7f6153a69b6242b522abbee685fda4420f8834b108c3bdae369ef549fa", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAfU0Of2FTpptiQrUiq77mhf2kQg+INLEIw72uNp71Sfo=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 1, + "comment" : "", + "msg" : "", + "sig" : "d4fbdb52bfa726b44d1786a8c0d171c3e62ca83c9e5bbe63de0bb2483f8fd6cc1429ab72cafc41ab56af02ff8fcc43b99bfe4c7ae940f60f38ebaa9d311c4007", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 2, + "comment" : "", + "msg" : "78", + "sig" : "d80737358ede548acb173ef7e0399f83392fe8125b2ce877de7975d8b726ef5b1e76632280ee38afad12125ea44b961bf92f1178c9fa819d020869975bcbe109", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 3, + "comment" : "", + "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b30d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 4, + "comment" : "", + "msg" : "48656c6c6f", + "sig" : 
"1c1ad976cbaae3b31dee07971cf92c928ce2091a85f5899f5e11ecec90fc9f8e93df18c5037ec9b29c07195ad284e63d548cd0a6fe358cc775bd6c1608d2c905", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 5, + "comment" : "", + "msg" : "313233343030", + "sig" : "657c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2bf0cf5b3a289976458a1be6277a5055545253b45b07dcc1abd96c8b989c00f301", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 6, + "comment" : "", + "msg" : "000000000000000000000000", + "sig" : "d46543bfb892f84ec124dcdfc847034c19363bf3fc2fa89b1267833a14856e52e60736918783f950b6f1dd8d40dc343247cd43ce054c2d68ef974f7ed0f3c60f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 7, + "comment" : "", + "msg" : "6161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161", + "sig" : "879350045543bc14ed2c08939b68c30d22251d83e018cacbaf0c9d7a48db577e80bdf76ce99e5926762bc13b7b3483260a5ef63d07e34b58eb9c14621ac92f00", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 8, + "comment" : "", + "msg" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f60", + "sig" : "7bdc3f9919a05f1d5db4a3ada896094f6871c1f37afc75db82ec3147d84d6f237b7e5ecc26b59cfea0c7eaf1052dc427b0f724615be9c3d3e01356c65b9b5109", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 9, + "comment" : "", + "msg" : "ffffffffffffffffffffffffffffffff", + "sig" : "5dbd7360e55aa38e855d6ad48c34bd35b7871628508906861a7c4776765ed7d1e13d910faabd689ec8618b78295c8ab8f0e19c8b4b43eb8685778499e943ae04", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 10, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 11, + "comment" : "special values for r and s", 
+ "msg" : "3f", + "sig" : "00000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 12, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "0000000000000000000000000000000000000000000000000000000000000000ecd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 13, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "0000000000000000000000000000000000000000000000000000000000000000edd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 14, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "0000000000000000000000000000000000000000000000000000000000000000edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 15, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 16, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "01000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 17, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "0100000000000000000000000000000000000000000000000000000000000000ecd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 18, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : 
"0100000000000000000000000000000000000000000000000000000000000000edd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 19, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "0100000000000000000000000000000000000000000000000000000000000000edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 20, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "edd3f55c1a631258d69cf7a2def9de14000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 21, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "edd3f55c1a631258d69cf7a2def9de14000000000000000000000000000000100100000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 22, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "edd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010ecd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 23, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "edd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010edd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 24, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "edd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 25, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f0000000000000000000000000000000000000000000000000000000000000000", + "result" : 
"invalid", + "flags" : [] + }, + { + "tcId" : 26, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f0100000000000000000000000000000000000000000000000000000000000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 27, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7fecd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 28, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7fedd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 29, + "comment" : "special values for r and s", + "msg" : "3f", + "sig" : "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7fedffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 30, + "comment" : "empty signature", + "msg" : "54657374", + "sig" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 31, + "comment" : "s missing", + "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab0", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 32, + "comment" : "signature too short", + "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 33, + "comment" : "signature too long", + "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b30d2020", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 34, + "comment" : "include pk in signature", 
+ "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b30d7d4d0e7f6153a69b6242b522abbee685fda4420f8834b108c3bdae369ef549fa", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 35, + "comment" : "prepending 0 byte to signature", + "msg" : "54657374", + "sig" : "007c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b30d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 36, + "comment" : "prepending 0 byte to s", + "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab0007a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b30d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 37, + "comment" : "appending 0 byte to signature", + "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b30d00", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 38, + "comment" : "removing 0 byte from signature", + "msg" : "546573743137", + "sig" : "93de3ca252426c95f735cb9edd92e83321ac62372d5aa5b379786bae111ab6b17251330e8f9a7c30d6993137c596007d7b001409287535ac4804e662bc58a3", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 39, + "comment" : "removing 0 byte from signature", + "msg" : "54657374313236", + "sig" : "dffed33a7f420b62bb1731cfd03be805affd18a281ec02b1067ba6e9d20826569e742347df59c88ae96db1f1969fb189b0ec34381d85633e1889da48d95e0e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 40, + "comment" : "removing leading 0 byte from signature", + "msg" : "546573743530", + "sig" : "6e170c719577c25e0e1e8b8aa7a6346f8b109f37385cc2e85dc3b4c0f46a9c6bcafd67f52324c5dbaf40a1b673fb29c4a56052d2d6999d0838a8337bccb502", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 41, + "comment" : "dropping byte from signature", 
+ "msg" : "54657374333437", + "sig" : "b0928b46e99fbbad3f5cb502d2cd309d94a7e86cfd4d84b1fcf4cea18075a9c36993c0582dba1e9e519fae5a8654f454201ae0c3cb397c37b8f4f8eef18400", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 42, + "comment" : "modified bit 0 in R", + "msg" : "313233343030", + "sig" : "647c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2b1d125e5538f38afbcc1c84e489521083041d24bc6240767029da063271a1ff0c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 43, + "comment" : "modified bit 1 in R", + "msg" : "313233343030", + "sig" : "677c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2bc108ca4b87a49c9ed2cf383aecad8f54a962b2899da891e12004d7993a627e01", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 44, + "comment" : "modified bit 2 in R", + "msg" : "313233343030", + "sig" : "617c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2b9ce23fc6213ed5b87912e9bbf92f5e2c780eae26d15c50a112d1e97d2ea33c06", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 45, + "comment" : "modified bit 7 in R", + "msg" : "313233343030", + "sig" : "e57c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2bbb3eb51cd98dddb235a5f46f2bded6af184a58d09cce928bda43f41d69118a03", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 46, + "comment" : "modified bit 8 in R", + "msg" : "313233343030", + "sig" : "657d1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2bcd237dda9a116501f67a5705a854b9adc304f34720803a91b324f2c13e0f5a09", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 47, + "comment" : "modified bit 16 in R", + "msg" : "313233343030", + "sig" : "657c1592402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2b6b167bbdc0d881cc04d28905552c1876f3709851abc5007376940cc8a435c300", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 48, + "comment" : "modified bit 31 in R", + "msg" : "313233343030", + "sig" : 
"657c1412402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2b7fd2ac7da14afffcceeb13f2a0d6b887941cb1a5eb57a52f3cb131a16cce7b0e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 49, + "comment" : "modified bit 32 in R", + "msg" : "313233343030", + "sig" : "657c1492412ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2b7373ba13ebbef99cd2a8ead55ce735c987d85a35320925a8e871702dc7c5c40d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 50, + "comment" : "modified bit 63 in R", + "msg" : "313233343030", + "sig" : "657c1492402ab54e03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2bd35bd331c03f0855504ca1cab87b83c36a028425a3cf007ede4f4254c261cb00", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 51, + "comment" : "modified bit 64 in R", + "msg" : "313233343030", + "sig" : "657c1492402ab5ce02e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2bcb35101f73cf467deac8c1a03b6c3dc35af544132734b7e57ab20c89b2e4750d", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 52, + "comment" : "modified bit 97 in R", + "msg" : "313233343030", + "sig" : "657c1492402ab5ce03e2c3a7f2384d051b9cf3570f1207fc78c1bcc98c281c2bb58d2e8878290bff8d3355fdd4ea381924ee578752354eb6dee678ab4011c301", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 53, + "comment" : "modified bit 127 in R", + "msg" : "313233343030", + "sig" : "657c1492402ab5ce03e2c3a7f0384d851b9cf3570f1207fc78c1bcc98c281c2bb978c866187ffb1cc7b29a0b4045aefc08768df65717194ff0c6e63f4dea0d02", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 54, + "comment" : "modified bit 240 in R", + "msg" : "313233343030", + "sig" : "657c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281d2b0576ecf8eaf675f00f3dfbe19f75b83b7607a6c96414f6821af920a2498d0305", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 55, + "comment" : "modified bit 247 in R", + "msg" : "313233343030", + "sig" : 
"657c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c289c2be5241a345c7b5428054c74b7c382fa10d4a5f1e8f8b79a71d3fdea2254f1ff0e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 56, + "comment" : "modified bit 248 in R", + "msg" : "313233343030", + "sig" : "657c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2a63950c85cd6dc96364e768de50ff7732b538f8a0b1615d799190ab600849230e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 57, + "comment" : "modified bit 253 in R", + "msg" : "313233343030", + "sig" : "657c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c0b543bd3da0a56a8c9c152f59c9fec12f31fa66434d48b817b30d90cb4efa8b501", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 58, + "comment" : "modified bit 254 in R", + "msg" : "313233343030", + "sig" : "657c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c6b8da07efd07a6dafb015ed6a32fe136319a972ffbc341f3a0beae97ccf8136505", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 59, + "comment" : "modified bit 255 in R", + "msg" : "313233343030", + "sig" : "657c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281cab227aedf259f910f0f3a759a335062665217925d019173b88917eae294f75d40f", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 60, + "comment" : "R==0", + "msg" : "313233343030", + "sig" : "0000000000000000000000000000000000000000000000000000000000000000e0b8e7770d51c7a36375d006c5bffd6af43ff54aaf47e4330dc118c71d61ec02", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 61, + "comment" : "invalid R", + "msg" : "313233343030", + "sig" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff463a1908382e7eb7693acef9884f7cf931a215e0791876be22c631a59881fd0e", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 62, + "comment" : "all bits flipped in R", + "msg" : "313233343030", + "sig" : "9a83eb6dbfd54a31fc1d3c580fc7b2fae4630ca8f0edf803873e433673d7e3d40e94254586cb6188c5386c3febed477cb9a6cb29e3979adc4cb27cf5278fb70a", + 
"result" : "invalid", + "flags" : [] + }, + { + "tcId" : 63, + "comment" : "checking malleability ", + "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab067654bce3832c2d76f8f6f5dafc08d9339d4eef676573336a5c51eb6f946b31d", + "result" : "invalid", + "flags" : [ + "SignatureMalleability" + ] + }, + { + "tcId" : 64, + "comment" : "checking malleability ", + "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab05439412b5395d42f462c67008eba6ca839d4eef676573336a5c51eb6f946b32d", + "result" : "invalid", + "flags" : [ + "SignatureMalleability" + ] + }, + { + "tcId" : 65, + "comment" : "checking malleability ", + "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab02ee12ce5875bf9dff26556464bae2ad239d4eef676573336a5c51eb6f946b34d", + "result" : "invalid", + "flags" : [ + "SignatureMalleability" + ] + }, + { + "tcId" : 66, + "comment" : "checking malleability ", + "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab0e2300459f1e742404cd934d2c595a6253ad4eef676573336a5c51eb6f946b38d", + "result" : "invalid", + "flags" : [ + "SignatureMalleability" + ] + }, + { + "tcId" : 67, + "comment" : "checking malleability ", + "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b32d", + "result" : "invalid", + "flags" : [ + "SignatureMalleability" + ] + }, + { + "tcId" : 68, + "comment" : "checking malleability ", + "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b34d", + "result" : "invalid", + "flags" : [ + "SignatureMalleability" + ] + }, + { + "tcId" : 69, + "comment" : "checking malleability ", + "msg" : "54657374", + "sig" : 
"7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b38d", + "result" : "invalid", + "flags" : [ + "SignatureMalleability" + ] + }, + { + "tcId" : 70, + "comment" : "checking malleability ", + "msg" : "54657374", + "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab0679155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b38d", + "result" : "invalid", + "flags" : [ + "SignatureMalleability" + ] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "CiOiAHKJEjeqCGS1dlE5UUkIeHh4zXcTWgBZiB0xPwA", + "kid" : "none", + "kty" : "OKP", + "x" : "oSwr63cmXyqslTtQCTSdlBVaA62kFqrUUTGUgOmDykw" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "a12c2beb77265f2aac953b5009349d94155a03ada416aad451319480e983ca4c", + "sk" : "0a23a20072891237aa0864b5765139514908787878cd77135a0059881d313f00", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100a12c2beb77265f2aac953b5009349d94155a03ada416aad451319480e983ca4c", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAoSwr63cmXyqslTtQCTSdlBVaA62kFqrUUTGUgOmDykw=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 71, + "comment" : "", + "msg" : "", + "sig" : "5056325d2ab440bf30bbf0f7173199aa8b4e6fbc091cf3eb6bc6cf87cd73d992ffc216c85e4ab5b8a0bbc7e9a6e9f8d33b7f6e5ac0ffdc22d9fcaf784af84302", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 72, + "comment" : "", + "msg" : "78", + "sig" : "481fafbf4364d7b682475282f517a3ac0538c9a6b6a562e99a3d8e5afb4f90a559b056b9f07af023905753b02d95eb329a35c77f154b79abbcd291615ce42f02", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 73, + "comment" : "", + "msg" : "54657374", + "sig" : "8a9bb4c465a3863abc9fd0dd35d80bb28f7d33d37d74679802d63f82b20da114b8d765a1206b3e9ad7cf2b2d8d778bb8651f1fa992db293c0039eacb6161480f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 74, + "comment" : "", + "msg" : "48656c6c6f", + 
"sig" : "d839c20abfda1fd429531831c64f813f84b913e9928540310cf060b44c3dbf9457d44a7721fdc0d67724ff81cb450dd39b10cfb65db15dda4b8bf09d26bd3801", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 75, + "comment" : "", + "msg" : "313233343030", + "sig" : "9bbb1052dcfa8ad2715c2eb716ae4f1902dea353d42ee09fd4c0b4fcb8b52b5219e2200016e1199d0061891c263e31b0bc3b55673c19610c4e0fa5408004160b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 76, + "comment" : "", + "msg" : "000000000000000000000000", + "sig" : "f63b5c0667c7897fc283296416f7f60e84bbde9cbd832e56be463ed9f568069702b17a2f7c341ebf590706a6388ac76ac613c1675ec0f2c7118f2573422a500b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 77, + "comment" : "", + "msg" : "6161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161", + "sig" : "1bc44d7001e6b5b9090fef34b2ca480f9786bbefa7d279353e5881e8dfb91b803ccd46500e270ef0109bfd741037558832120bc2a4f20fbe7b5fb3c3aaf23e08", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 78, + "comment" : "", + "msg" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f60", + "sig" : "ea8e22143b02372e76e99aece3ed36aec529768a27e2bb49bdc135d44378061e1f62d1ac518f33ebf37b2ee8cc6dde68a4bd7d4a2f4d6cb77f015f71ca9fc30d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 79, + "comment" : "", + "msg" : "ffffffffffffffffffffffffffffffff", + "sig" : "8acd679e1a914fc45d5fa83d3021f0509c805c8d271df54e52f43cfbd00cb6222bf81d58fe1de2de378df67ee9f453786626961fe50a9b05f12b6f0899ebdd0a", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "nWGxne_9WmC6hEr0kuwsxERJxWl7MmkZcDusAxyuf2A", + "kid" : "none", + "kty" : "OKP", + "x" : "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : 
"d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a", + "sk" : "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA11qYAYKxCrfVS/7TyWQHOg7hcvPapiMlrwIaaPcHURo=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 80, + "comment" : "draft-josefsson-eddsa-ed25519-02: Test 1", + "msg" : "", + "sig" : "e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "TM0Imyj_ltqdtsNG7BFOD1uKMZ81q6Yk2oz27U-4pvs", + "kid" : "none", + "kty" : "OKP", + "x" : "PUAXw-hDiVqStwqnTRt-vJyYLM8uxJaMwM1V8Sr0Zgw" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c", + "sk" : "4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321003d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAPUAXw+hDiVqStwqnTRt+vJyYLM8uxJaMwM1V8Sr0Zgw=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 81, + "comment" : "draft-josefsson-eddsa-ed25519-02: Test 2", + "msg" : "72", + "sig" : "92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "xaqN9D-fg3vtt0QvMdy3sWbThTUHbwlLhc46LgtEWPc", + "kid" : "none", + "kty" : "OKP", + "x" : "_FHNjmIYoaONpH7QAjDwWAgW7RO6MwOsXeuRFUiQgCU" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : 
"fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025", + "sk" : "c5aa8df43f9f837bedb7442f31dcb7b166d38535076f094b85ce3a2e0b4458f7", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA/FHNjmIYoaONpH7QAjDwWAgW7RO6MwOsXeuRFUiQgCU=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 82, + "comment" : "draft-josefsson-eddsa-ed25519-02: Test 3", + "msg" : "af82", + "sig" : "6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40a", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "9eV2fPFTMZUXYw8iaHa4bIFgzFg7wBN0TGvyVfXMDuU", + "kid" : "none", + "kty" : "OKP", + "x" : "J4EX_BRMcjQPZ9DyMW6Dhs7_vyskKMnFH-98WX8dQm4" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e", + "sk" : "f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAJ4EX/BRMcjQPZ9DyMW6Dhs7/vyskKMnFH+98WX8dQm4=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 83, + "comment" : "draft-josefsson-eddsa-ed25519-02: Test 1024", + "msg" : "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", + "sig" : "0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "160_H2u-BHfDw1eoBqGetBrj-UAlA1vIfygfjun8DjQ", + "kid" : "none", + "kty" : "OKP", + "x" : "j9ZZt3tVjtk4gsEVdDhFCshuxi1CHVaOmO4jbzgQKVo" + }, + "key" : { + "curve" : 
"edwards25519", + "keySize" : 255, + "pk" : "8fd659b77b558ed93882c1157438450ac86ec62d421d568e98ee236f3810295a", + "sk" : "d7ad3f1f6bbe0477c3c357a806a19eb41ae3f94025035bc87f281f8ee9fc0e34", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321008fd659b77b558ed93882c1157438450ac86ec62d421d568e98ee236f3810295a", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAj9ZZt3tVjtk4gsEVdDhFCshuxi1CHVaOmO4jbzgQKVo=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 84, + "comment" : "Random test failure 1", + "msg" : "b0729a713593a92e46b56eaa66b9e435f7a09a8e7de03b078f6f282285276635f301e7aaafe42187c45d6f5b13f9f16b11195cc125c05b90d24dfe4c", + "sig" : "7db17557ac470c0eda4eedaabce99197ab62565653cf911f632ee8be0e5ffcfc88fb94276b42e0798fd3aa2f0318be7fc6a29fae75f70c3dcdc414a0ad866601", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "rZsieTM2_NrBDhNsTe6lmb4Yejju-Rwc98ek7IhN2gg", + "kid" : "none", + "kty" : "OKP", + "x" : "KmBr9nrHcMYHA4sAQQGzJe21ae_TQT0tHyw-a05uMII" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "2a606bf67ac770c607038b004101b325edb569efd3413d2d1f2c3e6b4e6e3082", + "sk" : "ad9b22793336fcdac10e136c4deea599be187a38eef91c1cf7c7a4ec884dda08", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321002a606bf67ac770c607038b004101b325edb569efd3413d2d1f2c3e6b4e6e3082", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAKmBr9nrHcMYHA4sAQQGzJe21ae/TQT0tHyw+a05uMII=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 85, + "comment" : "Random test failure 2", + "msg" : "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", + "sig" : "67d84d4c3945aaf06e06d524be63acbfb5dbb1988c4aea96a5ee9f7a9b9eecc29df4f66b8aa1d9e8607a58fb1ef0c2ad69aac005b4f58e34103344a9c8871a09", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 86, + "comment" : "Random test failure 24", + "msg" : 
"b477b0480bb84642608b908d29a51cf2fce63f24ee95", + "sig" : "28fafbb62b4d688fa79e1ac92851f46e319b161f801d4dc09acc21fdd6780a2c4292b8c1003c61c2bcebe7f3f88ccc4bb26d407387c5f27cb8c94cf6ce810405", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "BKZVPWipuu94ohda83VFjqoBzbdzUMYeKC718McRZZk", + "kid" : "none", + "kty" : "OKP", + "x" : "yclGy8VUSsdO70kfB8WIHBb69-wxzkqpG7YK57RTkFE" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "c9c946cbc5544ac74eef491f07c5881c16faf7ec31ce4aa91bb60ae7b4539051", + "sk" : "04a6553d68a9baef78a2175af375458eaa01cdb77350c61e282ef5f0c7116599", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100c9c946cbc5544ac74eef491f07c5881c16faf7ec31ce4aa91bb60ae7b4539051", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAyclGy8VUSsdO70kfB8WIHBb69+wxzkqpG7YK57RTkFE=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 87, + "comment" : "Random test failure 3", + "msg" : "cd2212eddb0706f62c995cef958634f0cb7793444cbf4d30e81c27c41ebea6cb02607510131f9c015692dfd521b148841e9a2d3564d20ac401f6cb8e40f520fe0cafbeaa88840b83013369d879f013463fe52a13267aa0c8c59c45cde9399cd1e6be8cc64cf48315ac2eb31a1c567a4fb7d601746d1f63b5ac020712adbbe07519bded6f", + "sig" : "24087d47f3e20af51b9668ae0a88ce76586802d0ec75d8c0f28fc30962b5e1d1a1d509571a1624ed125a8df92a6e963728d6b5de99200b8e285f70feb6f05207", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 88, + "comment" : "Random test failure 20", + "msg" : "27d465bc632743522aefa23c", + "sig" : "c2656951e2a0285585a51ff0eda7e9a23c2dfd2ffa273aee7808f4604e8f9a8c8ea49e9fce4eb2d8d75d36b7238fe6fc13b6c5d9427dd58f8c6615d033c0bd0f", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "w2fI0uvu7NcMHomFtww4CLdWV_JDshuk8yJ5JUDpIlc", + "kid" : "none", + "kty" : "OKP", + "x" : "Mq0Cb2k9DSr-f0OI2RxMlkQm_LnjZlw-vYZQAJuBXI4" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 
255, + "pk" : "32ad026f693d0d2afe7f4388d91c4c964426fcb9e3665c3ebd8650009b815c8e", + "sk" : "c367c8d2ebeeecd70c1e8985b70c3808b75657f243b21ba4f322792540e92257", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b657003210032ad026f693d0d2afe7f4388d91c4c964426fcb9e3665c3ebd8650009b815c8e", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAMq0Cb2k9DSr+f0OI2RxMlkQm/LnjZlw+vYZQAJuBXI4=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 89, + "comment" : "Random test failure 4", + "msg" : "ec5c7cb078", + "sig" : "d920d421a5956b69bfe1ba834c025e2babb6c7a6d78c97de1d9bb1116dfdd1185147b2887e34e15578172e150774275ea2aad9e02106f7e8ca1caa669a066f0c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 90, + "comment" : "Random test failure 5", + "msg" : "4668c6a76f0e482190a7175b9f3806a5fe4314a004fa69f988373f7a", + "sig" : "4f62daf7f7c162038552ad7d306e195baa37ecf6ca7604142679d7d1128e1f8af52e4cb3545748c44ef1ff1c64e877e4f4d248259b7f6eb56e3ef72097dc8e0c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 91, + "comment" : "Random test failure 8", + "msg" : "5dc9bb87eb11621a93f92abe53515697d2611b2eef73", + "sig" : "deecafb6f2ede73fec91a6f10e45b9c1c61c4b9bfbe6b6147e2de0b1df6938971f7896c3ab83851fb5d9e537037bff0fca0ccb4a3cc38f056f91f7d7a0557e08", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 92, + "comment" : "Random test failure 10", + "msg" : "7dcfe60f881e1285676f35b68a1b2dbcdd7be6f719a288ababc28d36e3a42ac3010a1ca54b32760e74", + "sig" : "7f8663cf98cbd39d5ff553f00bcf3d0d520605794f8866ce75714d77cc51e66c91818b657d7b0dae430a68353506edc4a714c345f5ddb5c8b958ba3d035f7a01", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 93, + "comment" : "Random test failure 12", + "msg" : "58e456064dff471109def4ca27fa8310a1df32739655b624f27e6418d34b7f007173f3faa5", + "sig" : "6aab49e5c0bc309b783378ee03ffda282f0185cdf94c847701ff307a6ee8d0865411c44e0a8206f6a5f606107451940c2593af790ce1860f4c14ab25b2deae08", + "result" : "valid", + 
"flags" : [] + }, + { + "tcId" : 94, + "comment" : "Random test failure 15", + "msg" : "a1", + "sig" : "1a74ed2cbdc7d8f3827014e8e6ecf8fd2698ac8f86833acccdd400df710fe0d6b0543c9cfa00d52bf024ab7ce0d91981944097233ec134d5c7abbd44bfd32d0d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 95, + "comment" : "Random test failure 19", + "msg" : "11cb1eafa4c42a8402c4193c4696f7b2e6d4585e4b42dcf1a8b67a80b2da80bc9d4b649fb2f35eaf1f56c426fd0b", + "sig" : "14ceb2eaf4688d995d482f44852d71ad878cd7c77b41e60b0065fd01a59b054ee74759224187dbde9e59a763a70277c960892ef89fba997aba2576b2c54ba608", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 96, + "comment" : "Random test failure 25", + "msg" : "aa365b442d12b7f3c925", + "sig" : "83c40ce13d483cc58ff65844875862d93df4bd367af77efa469ec06a8ed9e6d7905a04879535708ddf225567a815c9b941d405c98e918fd0c151165cea7fb101", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 97, + "comment" : "Random test failure 28", + "msg" : "475f", + "sig" : "71a4a06a34075f2fd47bc3abf4714d46db7e97b08cb6180d3f1539ac50b18ce51f8af8ae95ed21d4fa0daab7235925631ecea1fd9d0d8a2ba7a7583fd04b900c", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "VsHiLWFsu23qhpKItLHAK7mGllg8L25lABOgPhcEnGI", + "kid" : "none", + "kty" : "OKP", + "x" : "wp7BiU4G0ntOQEhrT6UGPWanRsf5wyOxIgPAO3K4t4o" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "c29ec1894e06d27b4e40486b4fa5063d66a746c7f9c323b12203c03b72b8b78a", + "sk" : "56c1e22d616cbb6dea869288b4b1c02bb98696583c2f6e650013a03e17049c62", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100c29ec1894e06d27b4e40486b4fa5063d66a746c7f9c323b12203c03b72b8b78a", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAwp7BiU4G0ntOQEhrT6UGPWanRsf5wyOxIgPAO3K4t4o=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 98, + "comment" : "Random test failure 6", + "msg" : "0f325ffd87e58131ffa23c05ea4579513b287fdba87b44", + 
"sig" : "6669acf94667c5b541afe5307bde9476b13ae7e0e6058a772101ac8eb0a94331428eb4db0a2c68a9b6c1763b8624dab259b0876cdcfaeacc17b21a18e3fc010a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 99, + "comment" : "Random test failure 21", + "msg" : "5ffa", + "sig" : "931e5152fcef078c22cc5d6a3a65f06e396289f6f5f2d1efa6340254a53526ef5dc6874eeddf35c3f50991c53cd02bf06313e37d93ee1f7022128ffa3b8f300b", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "t9L2QnbfQX_tJ9jhW06Q9v2T2s5wcpTDOL0yvEu9j9s", + "kid" : "none", + "kty" : "OKP", + "x" : "z9pbiZ41dkxSKeWSlf4SIrfdzhdmQ2l8KeRuy7oQzxA" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "cfda5b899e35764c5229e59295fe1222b7ddce176643697c29e46ecbba10cf10", + "sk" : "b7d2f64276df417fed27d8e15b4e90f6fd93dace707294c338bd32bc4bbd8fdb", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100cfda5b899e35764c5229e59295fe1222b7ddce176643697c29e46ecbba10cf10", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAz9pbiZ41dkxSKeWSlf4SIrfdzhdmQ2l8KeRuy7oQzxA=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 100, + "comment" : "Random test failure 7", + "msg" : "ec5c7cb078", + "sig" : "30490c28f806298225df62103521dcee047153912c33ab8ab8bbdd1ffabd70fd4fdb360f05be535b067d1cf4e78c2cb432206bf280aab3bd21aaa1cb894c5b06", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 101, + "comment" : "Random test failure 9", + "msg" : "67484059b2490b1a0a4f8dee77979e26", + "sig" : "4cd4f77ed473a6647387f3163541c67a1708a3c3bd1673247cb87f0cb68b3c56f04bfa72970c8a483efe659c87009ab4020b590b6641316b3deddb5450544e02", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 102, + "comment" : "Random test failure 11", + "msg" : "a020a4381dc9141f47ee508871ab7a8b5a3648727c4281ae9932376f23a8e1bcda0626b7129197d864178631ec89c4332dbb18", + "sig" : 
"1e41a24fe732bd7cab14c2a2f5134ee8c87fcbd2e987e60957ed9239e5c32404d56977e1b4282871896cb10625a1937468e4dc266e16a9c1b8e9891177eca802", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 103, + "comment" : "Random test failure 14", + "msg" : "a25176b3afea318b2ec11ddacb10caf7179c0b3f8eabbfa2895581138d3c1e0e", + "sig" : "2a833aadecd9f28235cb5896bf3781521dc71f28af2e91dbe1735a61dce3e31ac15ca24b3fc47817a59d386bbbb2ce60a6adc0a2703bb2bdea8f70f91051f706", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 104, + "comment" : "Random test failure 18", + "msg" : "a9e6d94870a67a9fe1cf13b1e6f9150cdd407bf6480ec841ea586ae3935e9787163cf419c1", + "sig" : "c97e3190f83bae7729ba473ad46b420b8aad735f0808ea42c0f898ccfe6addd4fd9d9fa3355d5e67ee21ab7e1f805cd07f1fce980e307f4d7ad36cc924eef00c", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "fVl8O3KDkp0H7Y8B8x0lloI-XkarImx75CNNGp3K7zc", + "kid" : "none", + "kty" : "OKP", + "x" : "UpkZyceAmFqEHEK6bBgP8tZ6J2zPvigQgOR6txp1j1Y" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "529919c9c780985a841c42ba6c180ff2d67a276ccfbe281080e47ab71a758f56", + "sk" : "7d597c3b7283929d07ed8f01f31d2596823e5e46ab226c7be4234d1a9dcaef37", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100529919c9c780985a841c42ba6c180ff2d67a276ccfbe281080e47ab71a758f56", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAUpkZyceAmFqEHEK6bBgP8tZ6J2zPvigQgOR6txp1j1Y=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 105, + "comment" : "Random test failure 13", + "msg" : "e1cbf2d86827825613fb7a85811d", + "sig" : "01abfa4d6bbc726b196928ec84fd03f0c953a4fa2b228249562ff1442a4f63a7150b064f3712b51c2af768d2c2711a71aabf8d186833e941a0301b82f0502905", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 106, + "comment" : "Random test failure 22", + "msg" : "25", + "sig" : 
"e4ae21f7a8f4b3b325c161a8c6e53e2edd7005b9c2f8a2e3b0ac4ba94aa80be6f2ee22ac8d4a96b9a3eb73a825e7bb5aff4a3393bf5b4a38119e9c9b1b041106", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "9AHO5L-xcy8Om42Lp5RpVlwxFSlhQdvffpwxGgrBgjs", + "kid" : "none", + "kty" : "OKP", + "x" : "IlKz1Xx0y_i8Rg3C4IKEeSa8Ai8Jq2rpV1Y2K_0RZ8E" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "2252b3d57c74cbf8bc460dc2e082847926bc022f09ab6ae95756362bfd1167c1", + "sk" : "f401cee4bfb1732f0e9b8d8ba79469565c3115296141dbdf7e9c311a0ac1823b", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321002252b3d57c74cbf8bc460dc2e082847926bc022f09ab6ae95756362bfd1167c1", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAIlKz1Xx0y/i8Rg3C4IKEeSa8Ai8Jq2rpV1Y2K/0RZ8E=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 107, + "comment" : "Random test failure 16", + "msg" : "975ef941710071a9e1e6325a0c860becd7c695b5117c3107b686e330e5", + "sig" : "af0fd9dda7e03e12313410d8d8844ebb6fe6b7f65141f22d7bcba5695a25414a9e54326fb44d59fb14707899a8aae70857b23d4080d7ab2c396ef3a36d45ce02", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 108, + "comment" : "Random test failure 23", + "msg" : "80fdd6218f29c8c8f6bd820945f9b0854e3a8824", + "sig" : "e097e0bd0370bff5bde359175a11b728ee9639095d5df8eda496395565616edfe079977f7d4dc8c75d6113a83d6a55e6e1676408c0967a2906339b43337dcb01", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "PWWJVkEDd9BkRnbSWZVCQSpPOw5Orft_P4NmFfQrGLw", + "kid" : "none", + "kty" : "OKP", + "x" : "wKdzEQ-XXeNzI1W7fsfwxBwJHAJSlmBwIFUWaTuZKko" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "c0a773110f975de3732355bb7ec7f0c41c091c0252966070205516693b992a4a", + "sk" : "3d658956410377d0644676d2599542412a4f3b0e4eadfb7f3f836615f42b18bc", + "type" : "EDDSAKeyPair" + }, + "keyDer" : 
"302a300506032b6570032100c0a773110f975de3732355bb7ec7f0c41c091c0252966070205516693b992a4a", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAwKdzEQ+XXeNzI1W7fsfwxBwJHAJSlmBwIFUWaTuZKko=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 109, + "comment" : "Random test failure 17", + "msg" : "", + "sig" : "0280427e713378f49d478df6373c6cac847b622b567daa2376c839e7ac10e22c380ab0fa8617c9dcfe76c4d9db5459b21dc1413726e46cc8f387d359e344f407", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "vMthMjhAwqlvw29-VOpsjlX50iH38FeR7WACXgYGRDk", + "kid" : "none", + "kty" : "OKP", + "x" : "VM2mIyRXWa1tQ-YgpgaQi-_GM9YHkrx3mER6DvOOcxE" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "54cda623245759ad6d43e620a606908befc633d60792bc7798447a0ef38e7311", + "sk" : "bccb61323840c2a96fc36f7e54ea6c8e55f9d221f7f05791ed60025e06064439", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b657003210054cda623245759ad6d43e620a606908befc633d60792bc7798447a0ef38e7311", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAVM2mIyRXWa1tQ+YgpgaQi+/GM9YHkrx3mER6DvOOcxE=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 110, + "comment" : "Random test failure 26", + "msg" : "27e792b28b2f1702", + "sig" : "14d9b497c19b91d43481c55bb6f5056de252d9ecb637575c807e58e9b4c5eac8b284089d97e2192dc242014363208e2c9a3435edf8928fb1d893553e9be4c703", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "8tMCO5wZ4kF0i8QDmnpDxZVwHyNnVQUBUhOooqAnTBs", + "kid" : "none", + "kty" : "OKP", + "x" : "I2K6xRTV-tM4AmQul5oegt5utvG8v2pbME8rsCueV_4" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "2362bac514d5fad33802642e979a1e82de6eb6f1bcbf6a5b304f2bb02b9e57fe", + "sk" : "f2d3023b9c19e241748bc4039a7a43c595701f23675505015213a8a2a0274c1b", + "type" : "EDDSAKeyPair" + }, + "keyDer" : 
"302a300506032b65700321002362bac514d5fad33802642e979a1e82de6eb6f1bcbf6a5b304f2bb02b9e57fe", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAI2K6xRTV+tM4AmQul5oegt5utvG8v2pbME8rsCueV/4=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 111, + "comment" : "Random test failure 27", + "msg" : "eef3bb0f617c17d0420c115c21c28e3762edc7b7fb048529b84a9c2bc6", + "sig" : "242ddb3a5d938d07af690b1b0ef0fa75842c5f9549bf39c8750f75614c712e7cbaf2e37cc0799db38b858d41aec5b9dd2fca6a3c8e082c10408e2cf3932b9d08", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "EvwxxA1aevceBUJGI7qXC2cM9uy0TNphICEOY3AkXds", + "kid" : "none", + "kty" : "OKP", + "x" : "A3tVtCfcjaoPgPzrrwhGkCMJ-KbPGLRlwM6bZTlimsg" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "037b55b427dc8daa0f80fcebaf0846902309f8a6cf18b465c0ce9b6539629ac8", + "sk" : "12fc31c40d5a7af71e05424623ba970b670cf6ecb44cda6120210e6370245ddb", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100037b55b427dc8daa0f80fcebaf0846902309f8a6cf18b465c0ce9b6539629ac8", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAA3tVtCfcjaoPgPzrrwhGkCMJ+KbPGLRlwM6bZTlimsg=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 112, + "comment" : "Test case for overflow in signature generation", + "msg" : "01234567", + "sig" : "c964e100033ce8888b23466677da4f4aea29923f642ae508f9d0888d788150636ab9b2c3765e91bbb05153801114d9e52dc700df377212222bb766be4b8c020d", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "5UvMTOldtIByx7SVdWF90flAOwchBSWcoG2NAVMNB_s", + "kid" : "none", + "kty" : "OKP", + "x" : "nAAHaY8XeZinZmx895c-K4jpxJRuM4BKe76JaNI5Sy4" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "9c0007698f177998a7666c7cf7973e2b88e9c4946e33804a7bbe8968d2394b2e", + "sk" : "e54bcc4ce95db48072c7b49575617dd1f9403b072105259ca06d8d01530d07fb", + 
"type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321009c0007698f177998a7666c7cf7973e2b88e9c4946e33804a7bbe8968d2394b2e", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAnAAHaY8XeZinZmx895c+K4jpxJRuM4BKe76JaNI5Sy4=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 113, + "comment" : "Test case for overflow in signature generation", + "msg" : "9399a6db9433d2a28d2b0c11c8794ab7d108c95b", + "sig" : "176065c6d64a136a2227687d77f61f3fca3b16122c966276fd9a8b14a1a2cea4c33b3533d11101717016684e3810efbea63bb23773f7cc480174199abd734f08", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "3n8rsSuHWnnMsFc0Syhnou2yXbwez8jLB8aeLdPfPgI", + "kid" : "none", + "kty" : "OKP", + "x" : "7TpvlyHclynB92Y1vPCA1wNuHC8CKGVMy74ec4wXuWM" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "ed3a6f9721dc9729c1f76635bcf080d7036e1c2f0228654ccbbe1e738c17b963", + "sk" : "de7f2bb12b875a79ccb057344b2867a2edb25dbc1ecfc8cb07c69e2dd3df3e02", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100ed3a6f9721dc9729c1f76635bcf080d7036e1c2f0228654ccbbe1e738c17b963", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA7TpvlyHclynB92Y1vPCA1wNuHC8CKGVMy74ec4wXuWM=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 114, + "comment" : "Test case for overflow in signature generation", + "msg" : "7af783afbbd44c1833ab7237ecaf63b94ffdd003", + "sig" : "7ca69331eec8610d38f00e2cdbd46966cb359dcde98a257ac6f362cc00c8f4fe85c02285fe4d66e31a44cadb2bf474e1a7957609eb4fe95a71473fe6699aa70d", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "6nkrep1CC_dPaoKnjliizJTzqz65MScGEbH42nXD1gs", + "kid" : "none", + "kty" : "OKP", + "x" : "Sr-1NTE3BaZXABhEDN7Bo64z5R81IRL6asvQxrw-qFk" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "4abfb535313705a6570018440cdec1a3ae33e51f352112fa6acbd0c6bc3ea859", + 
"sk" : "ea792b7a9d420bf74f6a82a78e58a2cc94f3ab3eb931270611b1f8da75c3d60b", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321004abfb535313705a6570018440cdec1a3ae33e51f352112fa6acbd0c6bc3ea859", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEASr+1NTE3BaZXABhEDN7Bo64z5R81IRL6asvQxrw+qFk=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 115, + "comment" : "Test case for overflow in signature generation", + "msg" : "321b5f663c19e30ee7bbb85e48ecf44db9d3f512", + "sig" : "f296715e855d8aecccba782b670163dedc4458fe4eb509a856bcac450920fd2e95a3a3eb212d2d9ccaf948c39ae46a2548af125f8e2ad9b77bd18f92d59f9200", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "7KKGRfY2Rlde4uS9s29Rg4FCziR0ZkwrZu8FSzevYSQ", + "kid" : "none", + "kty" : "OKP", + "x" : "TyFi5r8DpxLbDvpBi35wBuI4cdnX7FVaMTiFxK_ZY4U" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "4f2162e6bf03a712db0efa418b7e7006e23871d9d7ec555a313885c4afd96385", + "sk" : "eca28645f63646575ee2e4bdb36f51838142ce2474664c2b66ef054b37af6124", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321004f2162e6bf03a712db0efa418b7e7006e23871d9d7ec555a313885c4afd96385", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEATyFi5r8DpxLbDvpBi35wBuI4cdnX7FVaMTiFxK/ZY4U=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 116, + "comment" : "Test case for overflow in signature generation", + "msg" : "c48890e92aeeb3af04858a8dc1d34f16a4347b91", + "sig" : "367d07253a9d5a77d054b9c1a82d3c0a448a51905343320b3559325ef41839608aa45564978da1b2968c556cfb23b0c98a9be83e594d5e769d69d1156e1b1506", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "coI4YCt-Z1Oz9J6w_EzeOMe7FKtY3crvJTcnWxPpndM", + "kid" : "none", + "kty" : "OKP", + "x" : "BxfXXOJ-oYHtWjDmRWxkm1z0U6a0wSzT-f0Wsx4MJc0" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + 
"pk" : "0717d75ce27ea181ed5a30e6456c649b5cf453a6b4c12cd3f9fd16b31e0c25cd", + "sk" : "728238602b7e6753b3f49eb0fc4cde38c7bb14ab58ddcaef2537275b13e99dd3", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321000717d75ce27ea181ed5a30e6456c649b5cf453a6b4c12cd3f9fd16b31e0c25cd", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEABxfXXOJ+oYHtWjDmRWxkm1z0U6a0wSzT+f0Wsx4MJc0=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 117, + "comment" : "regression test for arithmetic error", + "msg" : "26d5f0631f49106db58c4cfc903691134811b33c", + "sig" : "9588e02bc815649d359ce710cdc69814556dd8c8bab1c468f40a49ebefb7f0de7ed49725edfd1b708fa1bad277c35d6c1b9c5ec25990997645780f9203d7dd08", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "3ECS14CcawcPKAjENCZ7ZpdCj0qx5GJqtWowWWQ75Dw", + "kid" : "none", + "kty" : "OKP", + "x" : "21ueq36E5aE1BYZfpxHJyJbImGCfwR_JvB5VAo-Ult8" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "db5b9eab7e84e5a13505865fa711c9c896c898609fc11fc9bc1e55028f9496df", + "sk" : "dc4092d7809c6b070f2808c434267b6697428f4ab1e4626ab56a3059643be43c", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100db5b9eab7e84e5a13505865fa711c9c896c898609fc11fc9bc1e55028f9496df", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA21ueq36E5aE1BYZfpxHJyJbImGCfwR/JvB5VAo+Ult8=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 118, + "comment" : "regression test for arithmetic error", + "msg" : "2a71f064af982a3a1103a75cef898732d7881981", + "sig" : "2217a0be57dd0d6c0090641496bcb65e37213f02a0df50aff0368ee2808e1376504f37b37494132dfc4d4887f58b9e86eff924040db3925ee4f8e1428c4c500e", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "OHZbiexWg26kGQ_JV4ArakcWf5te-ULpJlKAO33mq_0", + "kid" : "none", + "kty" : "OKP", + "x" : "e6wY9tJiXTkV8jNDTNo4pXckenMypRcLNxQqNGRBReA" + }, + 
"key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "7bac18f6d2625d3915f233434cda38a577247a7332a5170b37142a34644145e0", + "sk" : "38765b89ec56836ea4190fc957802b6a47167f9b5ef942e92652803b7de6abfd", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321007bac18f6d2625d3915f233434cda38a577247a7332a5170b37142a34644145e0", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAe6wY9tJiXTkV8jNDTNo4pXckenMypRcLNxQqNGRBReA=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 119, + "comment" : "regression test for arithmetic error", + "msg" : "bf26796cef4ddafcf5033c8d105057db0210b6ad", + "sig" : "1fda6dd4519fdbefb515bfa39e8e5911f4a0a8aa65f40ef0c542b8b34b87f9c249dc57f320718ff457ed5915c4d0fc352affc1287724d3f3a9de1ff777a02e01", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "l1dTCKSQrwwUVBHdFtUZoHPvA8LkoKHNa13i6IHl6r4", + "kid" : "none", + "kty" : "OKP", + "x" : "OOrTBGJKvr8-KzHiDlYpUx4_xlkAiIfJEG9eVa27xio" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "38ead304624abebf3e2b31e20e5629531e3fc659008887c9106f5e55adbbc62a", + "sk" : "97575308a490af0c145411dd16d519a073ef03c2e4a0a1cd6b5de2e881e5eabe", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b657003210038ead304624abebf3e2b31e20e5629531e3fc659008887c9106f5e55adbbc62a", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAOOrTBGJKvr8+KzHiDlYpUx4/xlkAiIfJEG9eVa27xio=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 120, + "comment" : "regression test for arithmetic error", + "msg" : "ae03da6997e40cea67935020152d3a9a365cc055", + "sig" : "068eafdc2f36b97f9bae7fbda88b530d16b0e35054d3a351e3a4c914b22854c711505e49682e1a447e10a69e3b04d0759c859897b64f71137acf355b63faf100", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "rRKeieDuyQjfUa3CJ8jEkIqAlddWIVNsiijcpLPDDbs", + "kid" : "none", + "kty" : "OKP", + 
"x" : "6byVBJr35IF7F8QCJpul52e3NIdXrIAC_sngg5DAqc8" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "e9bc95049af7e4817b17c402269ba5e767b7348757ac8002fec9e08390c0a9cf", + "sk" : "ad129e89e0eec908df51adc227c8c4908a8095d75621536c8a28dca4b3c30dbb", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100e9bc95049af7e4817b17c402269ba5e767b7348757ac8002fec9e08390c0a9cf", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA6byVBJr35IF7F8QCJpul52e3NIdXrIAC/sngg5DAqc8=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 121, + "comment" : "regression test for arithmetic error", + "msg" : "489d473f7fb83c7f6823baf65482517bccd8f4ea", + "sig" : "43670abc9f09a8a415e76f4a21c6a46156f066b5a37b3c1e867cf67248c7b927e8d13a763e37abf936f5f27f7a8aa290539d21f740efd26b65fd5ad27085f400", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "A85kPW00G3BlvJ5w2oGTRRz4PKf_WoZA_QevCUZANlo", + "kid" : "none", + "kty" : "OKP", + "x" : "7oFVyk6P57xbylmSBE6rf4w8ahPbEXb0L0bCnaWwZPQ" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "ee8155ca4e8fe7bc5bca5992044eab7f8c3c6a13db1176f42f46c29da5b064f4", + "sk" : "03ce643d6d341b7065bc9e70da8193451cf83ca7ff5a8640fd07af094640365a", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100ee8155ca4e8fe7bc5bca5992044eab7f8c3c6a13db1176f42f46c29da5b064f4", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA7oFVyk6P57xbylmSBE6rf4w8ahPbEXb0L0bCnaWwZPQ=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 122, + "comment" : "regression test for arithmetic error", + "msg" : "1b704d6692d60a07ad1e1d047b65e105a80d3459", + "sig" : "56388f2228893b14ce4f2a5e0cc626591061de3a57c50a5ecab7b9d5bb2caeea191560a1cf2344c75fdb4a085444aa68d727b39f498169eaa82cf64a31f59803", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : 
"WB9ZOlzZRZTcD13RQgJqQ2qTDlczkbeu6mqCU-7vbOs", + "kid" : "none", + "kty" : "OKP", + "x" : "21B7_MlXY5P3FXuzYFMrBcX88udktpDMZpikow00kJU" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "db507bfcc9576393f7157bb360532b05c5fcf2e764b690cc6698a4a30d349095", + "sk" : "581f593a5cd94594dc0f5dd142026a436a930e573391b7aeea6a8253eeef6ceb", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100db507bfcc9576393f7157bb360532b05c5fcf2e764b690cc6698a4a30d349095", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA21B7/MlXY5P3FXuzYFMrBcX88udktpDMZpikow00kJU=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 123, + "comment" : "regression test for arithmetic error", + "msg" : "dc87030862c4c32f56261e93a367caf458c6be27", + "sig" : "553e5845fc480a577da6544e602caadaa00ae3e5aa3dce9ef332b1541b6d5f21bdf1d01e98baf80b8435f9932f89b3eb70f02da24787aac8e77279e797d0bd0b", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "byB9yUuETU3HH5gtqNnzrgs3tGI-RB7KdbpiYhxSTZg", + "kid" : "none", + "kty" : "OKP", + "x" : "mU6vAzCdatnZWmVrwXROKIbwKQI6N1CzTzUIazxyJ_g" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "994eaf03309d6ad9d95a656bc1744e2886f029023a3750b34f35086b3c7227f8", + "sk" : "6f207dc94b844d4dc71f982da8d9f3ae0b37b4623e441eca75ba62621c524d98", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100994eaf03309d6ad9d95a656bc1744e2886f029023a3750b34f35086b3c7227f8", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAmU6vAzCdatnZWmVrwXROKIbwKQI6N1CzTzUIazxyJ/g=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 124, + "comment" : "regression test for arithmetic error", + "msg" : "7f41ef68508343ef18813cb2fb332445ec6480cd", + "sig" : "bc10f88081b7be1f2505b6e76c5c82e358cf21ec11b7df1f334fb587bada465b53d9f7b4d4fec964432ee91ead1bc32ed3c82f2167da1c834a37515df7fe130e", + "result" : "valid", + "flags" : [] + 
} + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "3qm7ufsgUS-mfuppav14bzkoJl9SCK6rpjjzF30Ntw4", + "kid" : "none", + "kty" : "OKP", + "x" : "En035Abg2D5LVaCeIej1D7iK9H5KQ_AYzev_wZSHV_A" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "127d37e406e0d83e4b55a09e21e8f50fb88af47e4a43f018cdebffc1948757f0", + "sk" : "dea9bbb9fb20512fa67eea696afd786f3928265f5208aeaba638f3177d0db70e", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100127d37e406e0d83e4b55a09e21e8f50fb88af47e4a43f018cdebffc1948757f0", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAEn035Abg2D5LVaCeIej1D7iK9H5KQ/AYzev/wZSHV/A=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 125, + "comment" : "regression test for arithmetic error", + "msg" : "e1ce107971534bc46a42ac609a1a37b4ca65791d", + "sig" : "00c11e76b5866b7c37528b0670188c1a0473fb93c33b72ae604a8865a7d6e094ff722e8ede3cb18389685ff3c4086c29006047466f81e71a329711e0b9294709", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "yZxSrh5h98eaFk7kkQ_cqgKUYlnqVEP2iyPXIdBHL2M", + "kid" : "none", + "kty" : "OKP", + "x" : "2DuoTt-0vsSfKb4x2Apkt8C1pQJDjNsdDdHg4-VXht4" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "d83ba84edfb4bec49f29be31d80a64b7c0b5a502438cdb1d0dd1e0e3e55786de", + "sk" : "c99c52ae1e61f7c79a164ee4910fdcaa02946259ea5443f68b23d721d0472f63", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100d83ba84edfb4bec49f29be31d80a64b7c0b5a502438cdb1d0dd1e0e3e55786de", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA2DuoTt+0vsSfKb4x2Apkt8C1pQJDjNsdDdHg4+VXht4=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 126, + "comment" : "regression test for arithmetic error", + "msg" : "869a827397c585cf35acf88a8728833ab1c8c81e", + "sig" : 
"0a6f0ac47ea136cb3ff00f7a96638e4984048999ee2da0af6e5c86bffb0e70bb97406b6ad5a4b764f7c99ebb6ec0fd434b8efe253b0423ef876c037998e8ab07", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "2KqtB0nbFZVppotGBIs9PoJm4RAVAlHEKAbwdSqE6Vs", + "kid" : "none", + "kty" : "OKP", + "x" : "08mqLz1u8hehZuiuQD7UNsN_rLvjvs63jfbrQ5-PoEo" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "d3c9aa2f3d6ef217a166e8ae403ed436c37facbbe3beceb78df6eb439f8fa04a", + "sk" : "d8aaad0749db159569a68b46048b3d3e8266e110150251c42806f0752a84e95b", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100d3c9aa2f3d6ef217a166e8ae403ed436c37facbbe3beceb78df6eb439f8fa04a", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA08mqLz1u8hehZuiuQD7UNsN/rLvjvs63jfbrQ5+PoEo=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 127, + "comment" : "regression test for arithmetic error", + "msg" : "619d8c4f2c93104be01cd574a385ceca08c33a9e", + "sig" : "b7cbb942a6661e2312f79548224f3e44f5841c6e880c68340756a00ce94a914e8404858265985e6bb97ef01d2d7e5e41340309606bfc43c8c6a8f925126b3d09", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "540mq1tybJ1N-x9jQIKr3tkEMqL9GAicfIUlOl0vx9A", + "kid" : "none", + "kty" : "OKP", + "x" : "1TKANnwcC5WsQRIhi5LGpxxR-2MSzmaN4ZbH1SoTYVU" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "d53280367c1c0b95ac4112218b92c6a71c51fb6312ce668de196c7d52a136155", + "sk" : "e78d26ab5b726c9d4dfb1f634082abded90432a2fd18089c7c85253a5d2fc7d0", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100d53280367c1c0b95ac4112218b92c6a71c51fb6312ce668de196c7d52a136155", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA1TKANnwcC5WsQRIhi5LGpxxR+2MSzmaN4ZbH1SoTYVU=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 128, + "comment" : "regression test for arithmetic error", + "msg" 
: "5257a0bae8326d259a6ce97420c65e6c2794afe2", + "sig" : "27a4f24009e579173ff3064a6eff2a4d20224f8f85fdec982a9cf2e6a3b51537348a1d7851a3a932128a923a393ea84e6b35eb3473c32dceb9d7e9cab03a0f0d", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "jnylbgfxQ4rDYV_Z7HeuY2edDsBZtFlf6_QL5Z2XagU", + "kid" : "none", + "kty" : "OKP", + "x" : "lKwjNrqXpHb7TJ8rVWPkFnyiksbpnkIjUKkRrjFywxU" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "94ac2336ba97a476fb4c9f2b5563e4167ca292c6e99e422350a911ae3172c315", + "sk" : "8e7ca56e07f1438ac3615fd9ec77ae63679d0ec059b4595febf40be59d976a05", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b657003210094ac2336ba97a476fb4c9f2b5563e4167ca292c6e99e422350a911ae3172c315", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAlKwjNrqXpHb7TJ8rVWPkFnyiksbpnkIjUKkRrjFywxU=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 129, + "comment" : "regression test for arithmetic error", + "msg" : "5acb6afc9b368f7acac0e71f6a4831c72d628405", + "sig" : "985b605fe3f449f68081197a68c714da0bfbf6ac2ab9abb0508b6384ea4999cb8d79af98e86f589409e8d2609a8f8bd7e80aaa8d92a84e7737fbe8dcef41920a", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "53Ulr1hWq531q7ZOUxJXa0mMwn9h8mbiHzguBSbU5vs", + "kid" : "none", + "kty" : "OKP", + "x" : "4ecxbSMffydb30AzYDBNoVCf3xrx_SXKIU6qwKKJOY8" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "e1e7316d231f7f275bdf403360304da1509fdf1af1fd25ca214eaac0a289398f", + "sk" : "e77525af5856ab9df5abb64e5312576b498cc27f61f266e21f382e0526d4e6fb", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100e1e7316d231f7f275bdf403360304da1509fdf1af1fd25ca214eaac0a289398f", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA4ecxbSMffydb30AzYDBNoVCf3xrx/SXKIU6qwKKJOY8=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 130, + 
"comment" : "regression test for arithmetic error", + "msg" : "3c87b3453277b353941591fc7eaa7dd37604b42a", + "sig" : "1c8fbda3d39e2b441f06da6071c13115cb4115c7c3341704cf6513324d4cf1ef4a1dd7678a048b0dde84e48994d080befcd70854079d44b6a0b0f9fa002d130c", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "H0MjWtcW8b63VKsPVG36k0SI_fdHK0k9fMPGA1MAXSQ", + "kid" : "none", + "kty" : "OKP", + "x" : "__vupxIV76-YiP7CzGjts3A_8Rpm_WKbU8vaXqvBh1A" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "fffbeea71215efaf9888fec2cc68edb3703ff11a66fd629b53cbda5eabc18750", + "sk" : "1f43235ad716f1beb754ab0f546dfa934488fdf7472b493d7cc3c60353005d24", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100fffbeea71215efaf9888fec2cc68edb3703ff11a66fd629b53cbda5eabc18750", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA//vupxIV76+YiP7CzGjts3A/8Rpm/WKbU8vaXqvBh1A=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 131, + "comment" : "regression test for arithmetic error", + "msg" : "0a68e27ef6847bfd9e398b328a0ded3679d4649d", + "sig" : "59097233eb141ed948b4f3c28a9496b9a7eca77454ecfe7e46737d1449a0b76b15aacf77cf48af27a668aa4434cfa26c504d75a2bcc4feac46465446234c0508", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "OXd4W5-MUyDlGjoW-MwixPfmSFdhf5VQFH-jXWhco08", + "kid" : "none", + "kty" : "OKP", + "x" : "GczAUnWZywMuC0xNdOYPE5AXaKmd8EHDvBv2wO8nEWk" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "19ccc0527599cb032e0b4c4d74e60f13901768a99df041c3bc1bf6c0ef271169", + "sk" : "3977785b9f8c5320e51a3a16f8cc22c4f7e64857617f9550147fa35d685ca34f", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b657003210019ccc0527599cb032e0b4c4d74e60f13901768a99df041c3bc1bf6c0ef271169", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAGczAUnWZywMuC0xNdOYPE5AXaKmd8EHDvBv2wO8nEWk=\n-----END PUBLIC KEY-----\n", + 
"type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 132, + "comment" : "regression test for arithmetic error", + "msg" : "4e9bef60737c7d4dd10bd52567e1473a36d3573d", + "sig" : "519105608508fe2f1b6da4cc8b23e39798b1d18d25972beed0404cec722e01ba1b6a0f85e99e092cca8076b101b60d4ac5035684357f4d0daacdc642da742a06", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "GqRBXF2wExvsb6GI0MI9SaZb95VlcVP66Ud34_Gbz1Q", + "kid" : "none", + "kty" : "OKP", + "x" : "DnJuJwR1Y6oKGpwuCF2NJq8qy6Ep0IacZQMePmysMpo" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "0e726e27047563aa0a1a9c2e085d8d26af2acba129d0869c65031e3e6cac329a", + "sk" : "1aa4415c5db0131bec6fa188d0c23d49a65bf795657153fae94777e3f19bcf54", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321000e726e27047563aa0a1a9c2e085d8d26af2acba129d0869c65031e3e6cac329a", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEADnJuJwR1Y6oKGpwuCF2NJq8qy6Ep0IacZQMePmysMpo=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 133, + "comment" : "regression test for arithmetic error", + "msg" : "cc82b3163efda3ba7e9240e765112caa69113694", + "sig" : "d8b03ee579e73f16477527fc9dc37a72eaac0748a733772c483ba013944f01ef64fb4ec5e3a95021dc22f4ae282baff6e9b9cc8433c6b6710d82e7397d72ef04", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "D7doClDT8pQAd-pN_LfrBAoSXE9LXc76FtOvlo_I5d4", + "kid" : "none", + "kty" : "OKP", + "x" : "53cXtUorXlvOW8y48MX9tf1993rCVAIPyRINwNTfQXg" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "e77717b54a2b5e5bce5bccb8f0c5fdb5fd7df77ac254020fc9120dc0d4df4178", + "sk" : "0fb7680a50d3f2940077ea4dfcb7eb040a125c4f4b5dcefa16d3af968fc8e5de", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100e77717b54a2b5e5bce5bccb8f0c5fdb5fd7df77ac254020fc9120dc0d4df4178", + "keyPem" : "-----BEGIN PUBLIC 
KEY-----\nMCowBQYDK2VwAyEA53cXtUorXlvOW8y48MX9tf1993rCVAIPyRINwNTfQXg=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 134, + "comment" : "regression test for arithmetic error", + "msg" : "923a5c9e7b5635bb6c32c5a408a4a15b652450eb", + "sig" : "26da61fdfd38e6d01792813f27840c8b4766b0faaed39d0ee898cb450d94a5d5f57e58b6a003d7f9b56b20561954c6edcf66492d116b8b5e91f205a3a6449d0b", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "4iLERNa8ikeWoNWi1x0ZuYhFzFbjnKr4Iz6kxrBwTwk", + "kid" : "none", + "kty" : "OKP", + "x" : "YiCXLT99FQs2eQ19UiOEh21k1kDNmRMYaBXhYpWC7TY" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "6220972d3f7d150b36790d7d522384876d64d640cd9913186815e1629582ed36", + "sk" : "e222c444d6bc8a4796a0d5a2d71d19b98845cc56e39caaf8233ea4c6b0704f09", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321006220972d3f7d150b36790d7d522384876d64d640cd9913186815e1629582ed36", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAYiCXLT99FQs2eQ19UiOEh21k1kDNmRMYaBXhYpWC7TY=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 135, + "comment" : "regression test for arithmetic error", + "msg" : "6f2f0245de4587062979d0422d349f93ccdc3af2", + "sig" : "4adeaff7a58c5010a5a067feea0ae504d37b0c6a76c6c153e222f13409dff2df0fab69bc5059b97d925dc1b89e9851d7c627cb82d65585f9fd976124553f8902", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "qJ6hhHa5rZDLFLix_yR3fk69AVvIEKYHhakVTazzvlI", + "kid" : "none", + "kty" : "OKP", + "x" : "e2SijFDsdnipDj4aIVIuMKydt7UhWuor-zO-oDfquYc" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "7b64a28c50ec7678a90e3e1a21522e30ac9db7b5215aea2bfb33bea037eab987", + "sk" : "a89ea18476b9ad90cb14b8b1ff24777e4ebd015bc810a60785a9154dacf3be52", + "type" : "EDDSAKeyPair" + }, + "keyDer" : 
"302a300506032b65700321007b64a28c50ec7678a90e3e1a21522e30ac9db7b5215aea2bfb33bea037eab987", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAe2SijFDsdnipDj4aIVIuMKydt7UhWuor+zO+oDfquYc=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 136, + "comment" : "regression test for arithmetic error", + "msg" : "6e911edb27a170b983d4dee1110554f804330f41", + "sig" : "4204d620cde0c3008c0b2901f5d6b44f88f0e3cb4f4d62252bf6f3cb37c1fb150a9ccb296afe5e7c75f65b5c8edd13dc4910ffe1e1265b3707c59042cf9a5902", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "abHaVs3o0WdsKowOf5XH0L9gc579EwTdLMsCcp0Xoiw", + "kid" : "none", + "kty" : "OKP", + "x" : "ckRSIQqeTJlIGSKb8Sv4TpV2ijqXwI2Nj1-TmkytNMU" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "724452210a9e4c994819229bf12bf84e95768a3a97c08d8d8f5f939a4cad34c5", + "sk" : "69b1da56cde8d1676c2a8c0e7f95c7d0bf60739efd1304dd2ccb02729d17a22c", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100724452210a9e4c994819229bf12bf84e95768a3a97c08d8d8f5f939a4cad34c5", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAckRSIQqeTJlIGSKb8Sv4TpV2ijqXwI2Nj1+TmkytNMU=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 137, + "comment" : "regression test for arithmetic error", + "msg" : "b8cf807eea809aaf739aa091f3b7a3f2fd39fb51", + "sig" : "f8a69d3fd8c2ff0a9dec41e4c6b43675ce08366a35e220b1185ffc246c339e22c20ac661e866f52054015efd04f42eca2adcee6834c4df923b4a62576e4dff0e", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "szImXPlVlfDJAiFZO1orPFdNYNxjTd_2GG8O7XmAo4M", + "kid" : "none", + "kty" : "OKP", + "x" : "utJlspTtL0IstqFBaUCGI4-_6YdXGqdl2LTzokEFqgE" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "bad265b294ed2f422cb6a141694086238fbfe987571aa765d8b4f3a24105aa01", + "sk" : 
"b332265cf95595f0c90221593b5a2b3c574d60dc634ddff6186f0eed7980a383", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100bad265b294ed2f422cb6a141694086238fbfe987571aa765d8b4f3a24105aa01", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAutJlspTtL0IstqFBaUCGI4+/6YdXGqdl2LTzokEFqgE=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 138, + "comment" : "regression test for arithmetic error", + "msg" : "01a2b5f7fee813b4e9bd7fc25137648004795010", + "sig" : "61792c9442bc6338ac41fd42a40bee9b02ec1836503d60ff725128c63d72808880c36e6190b7da525cbee5d12900aa043547dd14a2709ef9e49d628f37f6b70c", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "-uyXZLNp3w7xCJDdAixQLlUaMiK0PoQpRVSWx2_upF0", + "kid" : "none", + "kty" : "OKP", + "x" : "Cq7ktyPbm1G6fSLrI-uKdqWsAvT8ndBvd76kLh037Fo" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "0aaee4b723db9b51ba7d22eb23eb8a76a5ac02f4fc9dd06f77bea42e1d37ec5a", + "sk" : "faec9764b369df0ef10890dd022c502e551a3222b43e8429455496c76feea45d", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321000aaee4b723db9b51ba7d22eb23eb8a76a5ac02f4fc9dd06f77bea42e1d37ec5a", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEACq7ktyPbm1G6fSLrI+uKdqWsAvT8ndBvd76kLh037Fo=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 139, + "comment" : "regression test for arithmetic error", + "msg" : "0fbf5d47cb5d498feace8f98f1896208da38a885", + "sig" : "fa3cd41e3a8c00b19eecd404a63c3cb787cd30de0dfc936966cff2117f5aff18db6bef80fcfd8856f3fb2e9c3dc47593e9471103032af918feee638a33d40505", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "TrGeJ496MKBqfVXkLER3X0qBt6RcBRKq4CYmLnF3Daw", + "kid" : "none", + "kty" : "OKP", + "x" : "gSNErxWpG6g8LJHpbxcnrA88TEE4W5-oTvo5mtpRaL4" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : 
"812344af15a91ba83c2c91e96f1727ac0f3c4c41385b9fa84efa399ada5168be", + "sk" : "4eb19e278f7a30a06a7d55e42c44775f4a81b7a45c0512aae026262e71770dac", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100812344af15a91ba83c2c91e96f1727ac0f3c4c41385b9fa84efa399ada5168be", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAgSNErxWpG6g8LJHpbxcnrA88TEE4W5+oTvo5mtpRaL4=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 140, + "comment" : "regression test for arithmetic error", + "msg" : "36e67c1939750bffb3e4ba6cb85562612275e862", + "sig" : "97fbbcd7a1d0eb42d2f8c42448ef35a2c2472740556b645547865330d6c57068af377fced08aaf810c08cd3c43d296f1975710312e9334c98b485f831efa4103", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "GZjVlJyrNloA-Cjn0XsGxwjTP-8AMdNTpOFb9yIqc7A", + "kid" : "none", + "kty" : "OKP", + "x" : "DuXLVZf7343MxIsBSF45szqhM7UtMNI3QCdyZ8_sPj4" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "0ee5cb5597fbdf8dccc48b01485e39b33aa133b52d30d23740277267cfec3e3e", + "sk" : "1998d5949cab365a00f828e7d17b06c708d33fef0031d353a4e15bf7222a73b0", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321000ee5cb5597fbdf8dccc48b01485e39b33aa133b52d30d23740277267cfec3e3e", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEADuXLVZf7343MxIsBSF45szqhM7UtMNI3QCdyZ8/sPj4=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 141, + "comment" : "regression test for arithmetic error", + "msg" : "13945c894c1d3fe8562e8b20e5f0efaa26ade8e3", + "sig" : "d7dbaa337ffd2a5fd8d5fd8ad5aeccc0c0f83795c2c59fe62a40b87903b1ae62ed748a8df5af4d32f9f822a65d0e498b6f40eaf369a9342a1164ee7d08b58103", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "YWRnYRTGa9mIfaw0HGYgncWHzPDMXNm6_9-skpWgDEo", + "kid" : "none", + "kty" : "OKP", + "x" : "n7od6StgtbRwMIl2PQ1vkSXk3X765B8IoiiCrvloksQ" + }, + "key" : { 
+ "curve" : "edwards25519", + "keySize" : 255, + "pk" : "9fba1de92b60b5b4703089763d0d6f9125e4dd7efae41f08a22882aef96892c4", + "sk" : "6164676114c66bd9887dac341c66209dc587ccf0cc5cd9baffdfac9295a00c4a", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321009fba1de92b60b5b4703089763d0d6f9125e4dd7efae41f08a22882aef96892c4", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAn7od6StgtbRwMIl2PQ1vkSXk3X765B8IoiiCrvloksQ=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 142, + "comment" : "regression test for arithmetic error", + "msg" : "4de142af4b8402f80a47fa812df84f42e283cee7", + "sig" : "09a2ed303a2fa7027a1dd7c3b0d25121eeed2b644a2fbc17aa0c8aea4524071ede7e7dd7a536d5497f8165d29e4e1b63200f74bbae39fbbbccb29889c62c1f09", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "SwvQOgOyAGnMvMIUp0SEc_TnpJH6fOtI3b4kyDxKpLs", + "kid" : "none", + "kty" : "OKP", + "x" : "dYKrG1LhMW5cE2cfQ7Oco2soEzzQgygxvN3QsPIzmMs" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "7582ab1b52e1316e5c13671f43b39ca36b28133cd0832831bcddd0b0f23398cb", + "sk" : "4b0bd03a03b20069ccbcc214a7448473f4e7a491fa7ceb48ddbe24c83c4aa4bb", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b65700321007582ab1b52e1316e5c13671f43b39ca36b28133cd0832831bcddd0b0f23398cb", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAdYKrG1LhMW5cE2cfQ7Oco2soEzzQgygxvN3QsPIzmMs=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 143, + "comment" : "regression test for arithmetic error", + "msg" : "563357f41b8b23b1d83f19f5667177a67da20b18", + "sig" : "e6884a6e6b2e60a0b5862251c001e7c79d581d777d6fc11d218d0aecd79f26a30e2ca22cc7c4674f8b72655bc4ee5cb5494ca07c05177656142ac55cc9d33e02", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "L854cL4fOS0h-x0jUOx4d9uKqZs1n-W91TOP81p5HRw", + "kid" : "none", + "kty" : "OKP", + "x" : 
"3S1ni64iLz-26CePCMyeGmYznJJsKawKFvlxf17hjNg" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "dd2d678bae222f3fb6e8278f08cc9e1a66339c926c29ac0a16f9717f5ee18cd8", + "sk" : "2fce7870be1f392d21fb1d2350ec7877db8aa99b359fe5bdd5338ff35a791d1c", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100dd2d678bae222f3fb6e8278f08cc9e1a66339c926c29ac0a16f9717f5ee18cd8", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA3S1ni64iLz+26CePCMyeGmYznJJsKawKFvlxf17hjNg=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 144, + "comment" : "regression test for arithmetic error", + "msg" : "931bbf9c877a6571cf7d4609fc3eb867edd43f51", + "sig" : "6124c206d864507ea5d984b363b4cf583314db6856a45ded5e61eebff4d5e337e0b4c82b445ae2e52d549d2d961eace2ea01f81158e09a9686baa040db65ad08", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "jwk" : { + "crv" : "Ed25519", + "d" : "qazkIZXduzoW82ayTdnTeooEPtLmAB9UZSKWdQN5Nn0", + "kid" : "none", + "kty" : "OKP", + "x" : "zL58suS8IVzuL4heHSL34NWCsru9eCwQTlSLFS0m_Gk" + }, + "key" : { + "curve" : "edwards25519", + "keySize" : 255, + "pk" : "ccbe7cb2e4bc215cee2f885e1d22f7e0d582b2bbbd782c104e548b152d26fc69", + "sk" : "a9ace42195ddbb3a16f366b24dd9d37a8a043ed2e6001f54652296750379367d", + "type" : "EDDSAKeyPair" + }, + "keyDer" : "302a300506032b6570032100ccbe7cb2e4bc215cee2f885e1d22f7e0d582b2bbbd782c104e548b152d26fc69", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAzL58suS8IVzuL4heHSL34NWCsru9eCwQTlSLFS0m/Gk=\n-----END PUBLIC KEY-----\n", + "type" : "EddsaVerify", + "tests" : [ + { + "tcId" : 145, + "comment" : "regression test for arithmetic error", + "msg" : "44530b0b34f598767a7b875b0caee3c7b9c502d1", + "sig" : "cfbd450a2c83cb8436c348822fe3ee347d4ee937b7f2ea11ed755cc52852407c9eec2c1fa30d2f9aef90e89b2cc3bcef2b1b9ca59f712110d19894a9cf6a2802", + "result" : "valid", + "flags" : [] + } + ] + } + ] +} 
diff --git a/tests/p256_ecdh.cc b/tests/p256_ecdh.cc new file mode 100644 index 00000000..fc325a39 --- /dev/null +++ b/tests/p256_ecdh.cc 
@@ -0,0 +1,119 @@ +/* + * Copyright 2022 Cryspen Sarl + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include +#include + +#include "Hacl_P256.h" +#include "util.h" + +using json = nlohmann::json; + +//=== Wycheproof tests ==== + +#define bytes std::vector + +typedef struct +{ + bytes public_key; + bytes private_key; + bytes shared; + bool valid; +} TestCase; + +std::vector +read_json() +{ + + // Read JSON test vector + std::string test_dir = "ecdh_secp256r1_ecpoint_test.json"; + std::ifstream json_test_file(test_dir); + json test_vectors; + json_test_file >> test_vectors; + + std::vector tests_out; + + // Read test group + for (auto& test : test_vectors["testGroups"].items()) { + auto test_value = test.value(); + + auto tests = test_value["tests"]; + for (auto& test_case : tests.items()) { + auto test_case_value = test_case.value(); + auto private_key = from_hex(test_case_value["private"]); + auto public_key = from_hex(test_case_value["public"]); + auto shared = from_hex(test_case_value["shared"]); + auto result = test_case_value["result"]; + bool valid = result == "valid" || result == "acceptable"; + + tests_out.push_back({ public_key, private_key, shared, valid }); + } + } + + return tests_out; +} + +class P256EcdhWycheproof : public ::testing::TestWithParam +{}; + +TEST_P(P256EcdhWycheproof, TryWycheproof) +{ + const TestCase& test_case(GetParam()); + + // Stupid const + uint8_t* private_key = const_cast(test_case.private_key.data()); 
+ uint8_t* public_key = const_cast(test_case.public_key.data()); + + // Convert public key first + uint8_t plain_public_key[64] = { 0 }; + bool uncompressed_point = false; + bool compressed_point = false; + if (test_case.public_key.size() >= 65) { + uncompressed_point = + Hacl_P256_uncompressed_to_raw(public_key, plain_public_key); + } + if (!uncompressed_point && test_case.public_key.size() >= 32) { + compressed_point = + Hacl_P256_compressed_to_raw(public_key, plain_public_key); + } + EXPECT_TRUE(uncompressed_point || compressed_point || !test_case.valid); + + // Convert the private key + uint8_t plain_private_key[32] = { 0 }; + size_t sk_len = test_case.private_key.size(); + if (sk_len > 32) { + sk_len = 32; + } + for (size_t i = 0; i < sk_len; i++) { + plain_private_key[31 - i] = + test_case.private_key[test_case.private_key.size() - 1 - i]; + } + + uint8_t computed_shared[64] = { 0 }; + Hacl_P256_dh_responder(computed_shared, plain_public_key, plain_private_key); + if (test_case.valid) { + EXPECT_EQ(std::vector(computed_shared, computed_shared + 32), + test_case.shared); + } else { + EXPECT_NE(std::vector(computed_shared, computed_shared + 32), + test_case.shared); + } +} + +INSTANTIATE_TEST_SUITE_P(Wycheproof, + P256EcdhWycheproof, + ::testing::ValuesIn(read_json())); diff --git a/tests/p256_ecdh/ecdh_secp256r1_ecpoint_test.json b/tests/p256_ecdh/ecdh_secp256r1_ecpoint_test.json new file mode 100644 index 00000000..ec52db79 --- /dev/null +++ b/tests/p256_ecdh/ecdh_secp256r1_ecpoint_test.json 
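Review bot: The result of `Hacl_P256_dh_responder` is discarded in `TryWycheproof`, so for vectors marked invalid the test only asserts that the computed bytes differ from the expected secret (`EXPECT_NE`), which an implementation that accepts a bad point and silently computes on it would still pass; the property Wycheproof is probing is rejection, so capture the return value and assert it on both paths (this assumes the function reports point validation like the rest of the Hacl_P256 API — confirm against Hacl_P256.h), as sketched below. The compressed branch is gated on `test_case.public_key.size() >= 32`, but a SEC1 compressed point is 33 bytes, so a 32-byte input would let `Hacl_P256_compressed_to_raw` read one byte past the vector's storage; the guard should be `if (!uncompressed_point && test_case.public_key.size() >= 33)`. `read_json` also never checks that `json_test_file` opened (and the JSON lands under `tests/p256_ecdh/` while the test opens a bare file name, so the working directory must be arranged by the build), meaning a missing file yields an empty parameter list and a vacuously green suite; fail loudly with `if (!json_test_file.is_open()) throw std::runtime_error("cannot open " + test_dir);` before parsing.
```cpp
  uint8_t computed_shared[64] = { 0 };
  // The library is expected to reject invalid points; assert that, not just a mismatch.
  bool ok = Hacl_P256_dh_responder(computed_shared, plain_public_key, plain_private_key);
  if (test_case.valid) {
    EXPECT_TRUE(ok);
    EXPECT_EQ(bytes(computed_shared, computed_shared + 32), test_case.shared);
  } else {
    EXPECT_FALSE(ok);
  }
```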
@@ -0,0 +1,1994 @@ +{ + "algorithm" : "ECDH", + "generatorVersion" : "0.8r12", + "numberOfTests" : 216, + "header" : [ + "Test vectors of type EcdhWebTest are intended for", + "testing an ECDH implementations where the public key", + "is just an ASN encoded point." + ], + "notes" : { + "AddSubChain" : "The private key has a special value. Implementations using addition subtraction chains for the point multiplication may get the point at infinity as an intermediate result. See CVE_2017_10176", + "CompressedPoint" : "The point in the public key is compressed. Not every library supports points in compressed format." + }, + "schema" : "ecdh_ecpoint_test_schema.json", + "testGroups" : [ + { + "curve" : "secp256r1", + "encoding" : "ecpoint", + "type" : "EcdhEcpointTest", + "tests" : [ + { + "tcId" : 1, + "comment" : "normal case", + "public" : "0462d5bd3372af75fe85a040715d0f502428e07046868b0bfdfa61d731afe44f26ac333a93a9e70a81cd5a95b5bf8d13990eb741c8c38872b4a07d275a014e30cf", + "private" : "0612465c89a023ab17855b0a6bcebfd3febb53aef84138647b5352e02c10c346", + "shared" : "53020d908b0219328b658b525f26780e3ae12bcd952bb25a93bc0895e1714285", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 2, + "comment" : "compressed public key", + "public" : "0362d5bd3372af75fe85a040715d0f502428e07046868b0bfdfa61d731afe44f26", + "private" : "0612465c89a023ab17855b0a6bcebfd3febb53aef84138647b5352e02c10c346", + "shared" : "53020d908b0219328b658b525f26780e3ae12bcd952bb25a93bc0895e1714285", + "result" : "acceptable", + "flags" : [ + "CompressedPoint" + ] + }, + { + "tcId" : 3, + "comment" : "edge case for shared secret", + "public" : "0458fd4168a87795603e2b04390285bdca6e57de6027fe211dd9d25e2212d29e62080d36bd224d7405509295eed02a17150e03b314f96da37445b0d1d29377d12c", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 4, + 
"comment" : "edge case for shared secret", + "public" : "040f6d20c04261ecc3e92846acad48dc8ec5ee35ae0883f0d2ea71216906ee1c47c042689a996dd12830ae459382e94aac56b717af2e2080215f9e41949b1f52be", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "00000000000000000000000000000000ffffffffffffffffffffffffffffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 5, + "comment" : "edge case for shared secret", + "public" : "0400c7defeb1a16236738e9a1123ba621bc8e9a3f2485b3f8ffde7f9ce98f5a8a1cb338c3912b1792f60c2b06ec5231e2d84b0e596e9b76d419ce105ece3791dbc", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "0000000000000000ffffffffffffffff00000000000000010000000000000001", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 6, + "comment" : "edge case for shared secret", + "public" : "04e9b98fb2c0ac045f8c76125ffd99eb8a5157be1d7db3e85d655ec1d8210288cf218df24fd2c2746be59df41262ef3a97d986744b2836748a7486230a319ffec0", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "00000000ffffffff00000000ffffffff00000000ffffffff0000000100000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 7, + "comment" : "edge case for shared secret", + "public" : "04e9484e58f3331b66ffed6d90cb1c78065fa28cfba5c7dd4352013d3252ee4277bd7503b045a38b4b247b32c59593580f39e6abfa376c3dca20cf7f9cfb659e13", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "000003ffffff0000003ffffff0000003ffffff0000003ffffff0000003ffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 8, + "comment" : "edge case for shared secret", + "public" : "04767d7fbb84aa6a4db1079372644e42ecb2fec200c178822392cb8b950ffdd0c91c86853cafd09b52ba2f287f0ebaa26415a3cfabaf92c6a617a19988563d9dea", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : 
"0000ffff0000ffff0000ffff0000ffff0000ffff0000ffff0000ffff00010001", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 9, + "comment" : "edge case for shared secret", + "public" : "04c74d546f2fcc6dd392f85e5be167e358de908756b0c0bb01cb69d864ca083e1c93f959eece6e10ee11bd3934207d65ae28af68b092585a1509260eceb39b92ef", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "085ec5a4af40176b63189069aeffcb229c96d3e046e0283ed2f9dac21b15ad3c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 10, + "comment" : "edge case for shared secret", + "public" : "0434fc9f1e7a094cd29598d1841fa9613dbe82313d633a51d63fb6eff074cc9b9a4ecfd9f258c5c4d4210b49751213a24c596982bd1d54e0445443f21ef15492a5", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "190c25f88ad9ae3a098e6cffe6fd0b1bea42114eb0cedd5868a45c5fe277dff3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 11, + "comment" : "edge case for shared secret", + "public" : "04d5c96efd1907fd48de2ad715acf82eae5c6690fe3efe16a78d61c68d3bfd10df03eac816b9e7b776192a3f5075887c0e225617505833ca997cda32fd0f673c5e", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "507442007322aa895340cba4abc2d730bfd0b16c2c79a46815f8780d2c55a2dd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 12, + "comment" : "edge case for shared secret", + "public" : "04f475f503a770df72c45aedfe42c008f59aa57e72b232f26600bdd0353957cb20bdb8f6405b4918050a3549f44c07a8eba820cdce4ece699888c638df66f54f7c", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "5f177bfe19baaaee597e68b6a87a519e805e9d28a70cb72fd40f0fe5a754ba45", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 13, + "comment" : "edge case for shared secret", + "public" : "04f3cb6754b7e2a86d064dfb9f903185aaa4c92b481c2c1a1ff276303bbc4183e49c318599b0984c3563df339311fe143a7d921ee75b755a52c6f804f897b809f7", + "private" : 
"0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "7fff0001fffc0007fff0001fffc0007fff0001fffc0007fff0001fffc0007fff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 14, + "comment" : "edge case for shared secret", + "public" : "04cce13fbdc96a946dfb8c6d9ed762dbd1731630455689f57a437fee124dd54cecaef78026c653030cf2f314a67064236b0a354defebc5e90c94124e9bf5c4fc24", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "8000000000000000000000000000000000000000000000000000000000000004", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 15, + "comment" : "edge case for shared secret", + "public" : "047633dfd0ad06765097bc11bd5022b200df31f28c4ff0625421221ac7eeb6e6f4cb9c67693609ddd6f92343a5a1c635408240f4f8e27120c12554c7ff8c76e2fe", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "8000003ffffff0000007fffffe000000ffffffc000001ffffff8000004000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 16, + "comment" : "edge case for shared secret", + "public" : "04a386ace573f87558a68ead2a20088e3fe928bdae9e109446f93a078c15741f0421261e6db2bf12106e4c6bf85b9581b4c0302a526222f90abc5a549206b11011", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "ff00000001fffffffc00000007fffffff00000001fffffffc00000007fffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 17, + "comment" : "edge case for shared secret", + "public" : "048e7b50f7d8c44d5d3496c43141a502f4a43f153d03ad43eda8e39597f1d477b8647f3da67969b7f989ff4addc393515af40c82085ce1f2ee195412c6f583774f", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "ffff00000003fffffff00000003fffffff00000003fffffff00000003fffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 18, + "comment" : "edge case for shared secret", + "public" : 
"04c827fb930fd51d926086191b502af83abb5f717debc8de29897a3934b2571ca05990c0597b0b7a2e42febd56b13235d1d408d76ed2c93b3facf514d902f6910a", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "ffffffff00000000000000ffffffffffffff00000000000000ffffffffffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 19, + "comment" : "y-coordinate of the public key is small", + "public" : "043cbc1b31b43f17dc200dd70c2944c04c6cb1b082820c234a300b05b7763844c74fde0a4ef93887469793270eb2ff148287da9265b0334f9e2609aac16e8ad503", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "7fffffffffffffffffffffffeecf2230ffffffffffffffffffffffffffffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 20, + "comment" : "y-coordinate of the public key is small", + "public" : "042830d96489ae24b79cad425056e82746f9e3f419ab9aa21ca1fbb11c7325e7d318abe66f575ee8a2f1c4a80e35260ae82ad7d6f661d15f06967930a585097ef7", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "000000000000000000000000111124f400000000000000000000000000000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 21, + "comment" : "y-coordinate of the public key is small", + "public" : "04450b6b6e2097178e9d2850109518d28eb3b6ded2922a5452003bc2e4a4ec775c894e90f0df1b0e6cadb03b9de24f6a22d1bd0a4a58cd645c273cae1c619bfd61", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "000000000000000000000001ea77d449ffffffffffffffffffffffffffffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 22, + "comment" : "y-coordinate of the public key is large", + "public" : "043cbc1b31b43f17dc200dd70c2944c04c6cb1b082820c234a300b05b7763844c7b021f5b006c778ba686cd8f14d00eb7d78256d9b4fccb061d9f6553e91752afc", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : 
"7fffffffffffffffffffffffeecf2230ffffffffffffffffffffffffffffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 23, + "comment" : "y-coordinate of the public key is large", + "public" : "042830d96489ae24b79cad425056e82746f9e3f419ab9aa21ca1fbb11c7325e7d3e754198fa8a1175e0e3b57f1cad9f517d528290a9e2ea0f96986cf5a7af68108", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "000000000000000000000000111124f400000000000000000000000000000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 24, + "comment" : "y-coordinate of the public key is large", + "public" : "04450b6b6e2097178e9d2850109518d28eb3b6ded2922a5452003bc2e4a4ec775c76b16f0e20e4f194524fc4621db095dd2e42f5b6a7329ba3d8c351e39e64029e", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "000000000000000000000001ea77d449ffffffffffffffffffffffffffffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 25, + "comment" : "y-coordinate of the public key has many trailing 1's", + "public" : "049a0f0e3dd31417bbd9e298bc068ab6d5c36733af26ed67676f410c804b8b2ca1b02c82f3a61a376db795626e9400557112273a36cddb08caaa43953965454730", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "7fffffffffffffffffffffffca089011ffffffffffffffffffffffffffffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 26, + "comment" : "y-coordinate of the public key has many trailing 1's", + "public" : "048e5d22d5e53ec797c55ecd68a08a7c3361cd99ca7fad1a68ea802a6a4cb58a918ea7a07023ef67677024bd3841e187c64b30a30a3750eb2ee873fbe58fa1357b", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "0000000000000000000000001f6bd1e500000000000000000000000000000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 27, + "comment" : "y-coordinate of the public key has many trailing 1's", + "public" : 
"04293aa349b934ab2c839cf54b8a737df2304ef9b20fa494e31ad62b315dd6a53c118182b85ef466eb9a8e87f9661f7d017984c15ea82043f536d1ee6a6d95b509", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "000000000000000000000002099f55d5ffffffffffffffffffffffffffffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 28, + "comment" : "y-coordinate of the public key has many trailing 0's", + "public" : "049a0f0e3dd31417bbd9e298bc068ab6d5c36733af26ed67676f410c804b8b2ca14fd37d0b59e5c893486a9d916bffaa8eedd8c5ca3224f73555bc6ac69abab8cf", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "7fffffffffffffffffffffffca089011ffffffffffffffffffffffffffffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 29, + "comment" : "y-coordinate of the public key has many trailing 0's", + "public" : "048e5d22d5e53ec797c55ecd68a08a7c3361cd99ca7fad1a68ea802a6a4cb58a9171585f8edc1098998fdb42c7be1e7839b4cf5cf6c8af14d1178c041a705eca84", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "0000000000000000000000001f6bd1e500000000000000000000000000000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 30, + "comment" : "y-coordinate of the public key has many trailing 0's", + "public" : "04293aa349b934ab2c839cf54b8a737df2304ef9b20fa494e31ad62b315dd6a53cee7e7d46a10b99156571780699e082fe867b3ea257dfbc0ac92e1195926a4af6", + "private" : "0a0d622a47e48f6bc1038ace438c6f528aa00ad2bd1da5f13ee46bf5f633d71a", + "shared" : "000000000000000000000002099f55d5ffffffffffffffffffffffffffffffff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 31, + "comment" : "edge cases for ephemeral key", + "public" : "04000000000000000000000000000000000000000000000000000000000000000066485c780e2f83d72433bd5d84a06bb6541c2af31dae871728bf856a174f93f4", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : 
"cfe4077c8730b1c9384581d36bff5542bc417c9eff5c2afcb98cc8829b2ce848", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 32, + "comment" : "edge cases for ephemeral key", + "public" : "0400000000000000000000000000000000ffffffffffffffffffffffffffffffff4f2b92b4c596a5a47f8b041d2dea6043021ac77b9a80b1343ac9d778f4f8f733", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "49ae50fe096a6cd26698b78356b2c8adf1f6a3490f14e364629f7a0639442509", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 33, + "comment" : "edge cases for ephemeral key", + "public" : "040000000000000000ffffffffffffffff0000000000000001000000000000000138120be6ab31edfa34768c4387d2f84fb4b0be8a9a985864a1575f4436bb37b0", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "5a1334572b2a711ead8b4653eb310cd8d9fd114399379a8f6b872e3b8fdda2d9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 34, + "comment" : "edge cases for ephemeral key", + "public" : "0400000000ffffffff00000000ffffffff00000000ffffffff0000000100000000462c0466e41802238d6c925ecbefc747cfe505ea196af9a2d11b62850fce946e", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "c73755133b6b9b4b2a00631cbc7940ecbe6ec08f20448071422e3362f2556888", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 35, + "comment" : "edge cases for ephemeral key", + "public" : "04000003ffffff0000003ffffff0000003ffffff0000003ffffff0000003ffffff1582fa32e2d4a89dfcfb3d0b149f667dba3329490f4d64ee2ad586c0c9e8c508", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "06fa1059935e47a9fd667e13f469614eb257cc9a7e3fc599bfb92780d59b146d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 36, + "comment" : "edge cases for ephemeral key", + "public" : "040000ffff0000ffff0000ffff0000ffff0000ffff0000ffff0000ffff00010001684c8a9586ed6f9cbe447058a7da2108bab1e5e0a60d1f73e4e2e713f0a3dfe0", + 
"private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "f237df4c10bd3e357971bb2b16b293566b7e355bdc8141d6c92cabc682983c45", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 37, + "comment" : "edge cases for ephemeral key", + "public" : "04085ec5a4af40176b63189069aeffcb229c96d3e046e0283ed2f9dac21b15ad3c7859f97cb6e203f46bf3438f61282325e94e681b60b5669788aeb0655bf19d38", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "d874b55678d0a04d216c31b02f3ad1f30c92caaf168f34e3a743356d9276e993", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 38, + "comment" : "edge cases for ephemeral key", + "public" : "04190c25f88ad9ae3a098e6cffe6fd0b1bea42114eb0cedd5868a45c5fe277dff321b8342ef077bc6724112403eaee5a15b4c31a71589f02ded09cd99cc5db9c83", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "11a8582057463fc76fda3ab8087eb0a420b0d601bb3134165a369646931e52a6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 39, + "comment" : "edge cases for ephemeral key", + "public" : "04507442007322aa895340cba4abc2d730bfd0b16c2c79a46815f8780d2c55a2dd4619d69f9940f51663aa12381bc7cf678bd1a72a49fbc11b0b69cb22d1af9f2d", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "4e173a80907f361fe5a5d335ba7685d5eba93e9dfc8d8fcdb1dcd2d2bde27507", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 40, + "comment" : "edge cases for ephemeral key", + "public" : "045f177bfe19baaaee597e68b6a87a519e805e9d28a70cb72fd40f0fe5a754ba4562ca1103f70a2006cd1f67f5f6a3580b29dc446abc90e0e910c1e05a9aa788cd", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "73220471ec8bad99a297db488a34a259f9bc891ffaf09922e6b5001f5df67018", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 41, + "comment" : "edge cases for ephemeral key", + "public" : 
"047fff0001fffc0007fff0001fffc0007fff0001fffc0007fff0001fffc0007fff2e2213caf03033e0fd0f7951154f6e6c3a9244a72faca65e9ce9eeb5c8e1cea9", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "55d0a203e22ffb523c8d2705060cee9d28308b51f184beefc518cff690bad346", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 42, + "comment" : "edge cases for ephemeral key", + "public" : "0480000000000000000000000000000000000000000000000000000000000000042be8789db81bb4870a9e60c5c18c80c83de464277281f1af1e640843a1a3148e", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "2518d846e577d95e9e7bc766cde7997cb887fb266d3a6cb598a839fd54aa2f4f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 43, + "comment" : "edge cases for ephemeral key", + "public" : "048000003ffffff0000007fffffe000000ffffffc000001ffffff8000004000000722540f8a471c379083c600b58fde4d95c7dcad5095f4219fc5e9bdde3c5cd39", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "bdb49f4bdf42ac64504e9ce677b3ec5c0a03828c5b3efad726005692d35c0f26", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 44, + "comment" : "edge cases for ephemeral key", + "public" : "04ff00000001fffffffc00000007fffffff00000001fffffffc00000007fffffff5df80fc6cae26b6c1952fbd00ed174ee1209d069335f5b48588e29e80b9191ad", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "f503ac65637e0f17cb4408961cb882c875e4c6ef7a548d2d52d8c2f681838c55", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 45, + "comment" : "edge cases for ephemeral key", + "public" : "04ffff00000003fffffff00000003fffffff00000003fffffff00000003fffffff2c63650e6a5d332e2987dd09a79008e8faabbd37e49cb016bfb92c8cd0f5da77", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "e3c18e7d7377dc540bc45c08d389bdbe255fa80ca8faf1ef6b94d52049987d21", + "result" : "valid", + "flags" : 
[] + }, + { + "tcId" : 46, + "comment" : "edge cases for ephemeral key", + "public" : "04ffffffff00000000000000ffffffffffffff00000000000000ffffffffffffff7a116c964a4cd60668bf89cffe157714a3ce21b93b3ca607c8a5b93ac54ffc0a", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "516d6d329b095a7c7e93b4023d4d05020c1445ef1ddcb3347b3a27d7d7f57265", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 47, + "comment" : "edge cases for ephemeral key", + "public" : "047fffffffffffffffffffffffeecf2230ffffffffffffffffffffffffffffffff00000001c7c30643abed0af0a49fe352cb483ff9b97dccdf427c658e8793240d", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "6fd26661851a8de3c6d06f834ef3acb8f2a5f9c136a985ffe10d5eeb51edcfa3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 48, + "comment" : "edge cases for ephemeral key", + "public" : "047fffffffffffffffffffffffeecf2230fffffffffffffffffffffffffffffffffffffffd383cf9bd5412f50f5b601cad34b7c00746823320bd839a71786cdbf2", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "6fd26661851a8de3c6d06f834ef3acb8f2a5f9c136a985ffe10d5eeb51edcfa3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 49, + "comment" : "edge cases for ephemeral key", + "public" : "047fffffffffffffffffffffffca089011ffffffffffffffffffffffffffffffff267bfdf8a61148decd80283732dd4c1095e4bb40b9658408208dc1147fffffff", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "44236c8b9505a19d48774a3903c0292759b0f826e6ac092ff898d87e53d353fc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 50, + "comment" : "edge cases for ephemeral key", + "public" : "047fffffffffffffffffffffffca089011ffffffffffffffffffffffffffffffffd984020659eeb722327fd7c8cd22b3ef6a1b44c0469a7bf7df723eeb80000000", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : 
"44236c8b9505a19d48774a3903c0292759b0f826e6ac092ff898d87e53d353fc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 51, + "comment" : "edge cases for ephemeral key", + "public" : "04000000000000000000000000111124f4000000000000000000000000000000000000000d12d381b0760b1c50be8acf859385052c7f53cde67ce13759de3123a0", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "f1f0e43b374feb7e7f96d4ffe7519fa8bb6c3cfd25f6f87dab2623d2a2d33851", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 52, + "comment" : "edge cases for ephemeral key", + "public" : "04000000000000000000000000111124f400000000000000000000000000000000fffffff1ed2c7e5089f4e3af4175307a6c7afad480ac3219831ec8a621cedc5f", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "f1f0e43b374feb7e7f96d4ffe7519fa8bb6c3cfd25f6f87dab2623d2a2d33851", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 53, + "comment" : "edge cases for ephemeral key", + "public" : "040000000000000000000000001f6bd1e5000000000000000000000000000000004096edd6871c320cb8a9f4531751105c97b4c257811bbc32963eaf39ffffffff", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "3ebbace1098a81949d5605dd94a7aa88dc396c2c23e01a9c8cca5bb07bfbb6a1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 54, + "comment" : "edge cases for ephemeral key", + "public" : "040000000000000000000000001f6bd1e500000000000000000000000000000000bf69122878e3cdf447560bace8aeefa3684b3da97ee443cd69c150c600000000", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "3ebbace1098a81949d5605dd94a7aa88dc396c2c23e01a9c8cca5bb07bfbb6a1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 55, + "comment" : "edge cases for ephemeral key", + "public" : "04000000000000000000000001ea77d449ffffffffffffffffffffffffffffffff000000007afbc0b325e820646dec622fb558a51c342aa257f4b6a8ec5ddf144f", + 
"private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "1b085213a9c89d353e1111af078c38c502b7b4771efba51f589b5be243417bdc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 56, + "comment" : "edge cases for ephemeral key", + "public" : "04000000000000000000000001ea77d449fffffffffffffffffffffffffffffffffffffffe85043f4dda17df9b92139dd04aa75ae4cbd55da80b495713a220ebb0", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "1b085213a9c89d353e1111af078c38c502b7b4771efba51f589b5be243417bdc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 57, + "comment" : "edge cases for ephemeral key", + "public" : "04000000000000000000000002099f55d5ffffffffffffffffffffffffffffffff152c1a22d823a27855ed03f8e2ab5038bb1df4d87e43865f2daf6948ffffffff", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "67cb63566c7ceb12fdd85ce9d2f77c359242bbaa0ea1bf3cf510a4a26591d1f1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 58, + "comment" : "edge cases for ephemeral key", + "public" : "04000000000000000000000002099f55d5ffffffffffffffffffffffffffffffffead3e5dc27dc5d88aa12fc071d54afc744e20b2881bc79a0d25096b700000000", + "private" : "55d55f11bb8da1ea318bca7266f0376662441ea87270aa2077f1b770c4854a48", + "shared" : "67cb63566c7ceb12fdd85ce9d2f77c359242bbaa0ea1bf3cf510a4a26591d1f1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 59, + "comment" : "point with coordinate x = 0", + "public" : "04000000000000000000000000000000000000000000000000000000000000000066485c780e2f83d72433bd5d84a06bb6541c2af31dae871728bf856a174f93f4", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "d11c640b4382e60ec8d254ee76f09b8fac57651ab73b6dd3fdc935a61564a3e9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 60, + "comment" : "point with coordinate x = 0", + "public" : 
"04100121f1a09443851c9aa2ab6ee6440e2ac5e1be648274bd5d26c12fb3ba3f7f032a1c219fa1457cb20588297e0513cfd4901f9a95414f7e914f9179f38567a6", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "90e712e2afd14171c19467a2bfe7abf1c477d1f40f6675f00e622fd5604fa16a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 61, + "comment" : "point with coordinate x = 0", + "public" : "04cad02ab537c80831ccdd395129fc4bfe4a89ae0c866f6619a3e14146d3691694689d477065b40f140ed87b37ad041e28229b0f79a6b3c992689954c97f7336d0", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "159583103d83f63538bd4e203607d7348990bb7f847ffbc9e5e509c7e34d392c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 62, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "04abd12eed4d654baa7d968633770f4a582f173d6633906000ed8acf6233c6365f0912f30bb98e7cb525890d5ea1e217149d52a6c59f7802a9f307e80d2a9fee3a", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "546a2dfadb1d60140becac2dc2e62d20c789037755ad5a49e37e48f2ca1b7680", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 63, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "04a562c1ad9a72217df00147c7d2ceafc65a1620a1469c947e14fe43003ac5371b7ad1d33c01f0eb92b779ed6e460d0334447075a3cf66b2ffbdae31b438df6d7b", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "e5859c7811c5c3aca6c236ab499ccad10301c7c5ee913ce91bb66428cde11e4d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 64, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "048cdbebe9d07d2ebc4e41b1d72a9bac2974cfc4cf738d8b6de71a40ede9920d88dc2439ee0003fbde7b0a3ae41710c64b17b08a8841e97a390e482c9768fe01ea", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : 
"65754ab459a10471af00943f414f28de1bc37968b097ad2845fe111420855008", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 65, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "04f0cd7cd8334678308cfeb785a68a1504a91418d4441c4d4c740c57488b9aafb079d8a8d29973eb502267eccf6eda326626fc6e025d532b85e9f711f8ce6971bb", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "8631fedee6ceb3386ac42edf322c188824893d267d6108f0cf5de6964b88331b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 66, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "048ad0af23b90e0341b4e2a5a963c8522fe011ace19b1b8610cbe7927a17a7249736b87ab9907289a23a0fb20ca4be42d421fe38d35af09d79cbe6e6a4e95a1a8b", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "68c58599c123be6d37d343bd41b11cecc5f84b2635661163656f76d7fb04b426", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 67, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "0459c9cc2d7297ddb0be6304c94cebf42d813e970c50f45287753b8e9cb0c6db45f571d986990897851fc8e1db67c99759e8979c3d9ddfd02f633cf1ea5b6c48ab", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "b58d00525c4c4b4f46562852c15ce2e48dbe23a3be37541e048446eff5152ec6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 68, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "04e97080da7263a29c3072a65178b7b31587a5dffc19754c561e32fc53199234f04e0b9b70c97b60e940d5629f2266d1a8e242deb71eb7f0b2b2da2e3044738ab0", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "4baa01c211af8f94aca89548902a71f7b53f7814bbceb3d4bef31b376e34b476", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 69, + "comment" : "point with coordinate x = 0 in left to right addition 
chain", + "public" : "0444f600da7160b975a0232cb6a4a9e72803fd77caac84352039ce9f4a67a1da77626045599381e599eb9cd03f282e267b8cfd3ba98dabbb0f29ab1c0944270f3f", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "e19fe9d1294cca94a6388825249e6b37931a231eb917cfecb292792d0c18f1b8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 70, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "0471e3e9be0e0ee4449a19d2ef7919266814a0fafd04fb677edc32656e6a46e4d2bc5f404c5b54f03e294be22e8820a71b4d4ac04a708e13cd71fdb0041e7e9698", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "ddc1f4663b928add06b1e57c48db98ea08c4d33c3c2106371407f3848a9d53f7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 71, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "0427b693610154d5b7f08094e46ff2a2ac1c01d3cd826e3208e5254436ed279960f2364e3a604f3b592e19262a1b22b1a148e38cd82c9e54f108ef8f833683f8b4", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "91dfa95ed1eacbea419156471a8ddbb6cb93dd456433e18633d26817611b9c64", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 72, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "04c32a52af6dac369b6a499a49d3e38e7c9534bb9139f57d4984b1d3c04ab8220653cdc2daefac83cf43c0d64604e5f9d85b55dde62b692cd36af99ebff4140c39", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "9f91a9633daa4c56465e9fbef4431e13041f68910fb5ba89f8da9381d68a0dfe", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 73, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "046f4e2f72f32ae66f1f4610966004c436aa0d90b7df07ce9c4aca52b02d46b4d0c6a3ec76bf321b7fe5203cf3d66e2d52e3ee0495ec766d579a4511175e01bc4d", + "private" : 
"00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "014ae81442f8cb6df58ff41e6db203db40ea951b91bebf86d42cda7be33fea64", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 74, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "042e065975df642fcfdafe2fa5affc18b2c68371796f9d963d89c4f5ac5ccea28b990f31522fbb265c3f4d5c4bb82ebf5ddff5a8ea588db4d282acdca7a6ccf428", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "78e81e8573c3ae6089df7db1fb29d7be12dc11f15bb25bff2af802e15ddc136e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 75, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "04e1331eee03c50cc2b90944ddfc0d3a7dd8185e6c21c75fa92a0c14b0f1949ac9154d783f4547dcf5508bbd86c3dd8c3b17b61989f93db5490ec02a46a1005c2c", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "ed67195a272c63c50205abf27439291134ffa1e8ec597f3b302716d93632e98d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 76, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "04e0c56d486e9c01163ed6c3ff25de3cdf5744dbf9e0e00bdcf19965df4ba1f311bd5e44430665823d8c0b34ebec0a6aab5ea96cf239de214fd011e6f9ec501dd4", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "50774347848828eeb6230f497cd181f8c57fbd18ffbf8328cd008321a1c37c43", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 77, + "comment" : "point with coordinate x = 0 in left to right addition chain", + "public" : "04885ead6c074f8d751a767e918c4e89210a587c4b19d42244ae07027e361831053e80772be57fbd744955a2e8523063cc6136f2bb37befbef7a681d3bbbc57788", + "private" : "00e461c5b5e63d75b4c8c123bf8b9cd45e712af08f7e2e494a8f255ac9d80e058b", + "shared" : "913da71044b8021a86c8fcaf4f634d0d625ff91ee1c8474d548bd10888964fb1", + "result" : "valid", + "flags" : [] + }, + { + 
"tcId" : 78, + "comment" : "point with coordinate x = 0 in precomputation or right to left addition chain", + "public" : "0441e9d4cfa8efe80b895a8cbcce2568e251db7ecdfd20a7ad710d4a4bf2addc6b5ec36a8339168a03f15b8c80f2a2a828f151d38791584853ba2ff44a2a0460a1", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "b48e119d29eef7dbb76b64218e728ddbf6ec600505ec7ced6ab6fb8763308da5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 79, + "comment" : "point with coordinate x = 0 in precomputation or right to left addition chain", + "public" : "04776aef1acb82b628e132cc29440988f0a15d4cc2b4f328aecb063c9b86e5018e6e44dfc60444faa9c4e36bc217451f7ac2956cb3b2e9bbd655eba297163d1f34", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "28a88b6b258f233020ba6fa9c00d1d72831f4515b86966a9782f521315e18aa7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 80, + "comment" : "point with coordinate x = 0 in precomputation or right to left addition chain", + "public" : "049ec06b0b08662c0e1dd9111696a63a1601cc83cee20695778adf84d43064fc90156001f084cd3c1df1a087f626533b6572584889bd3d5c2c99f0e311e22b41e6", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "c4ff865ff3dc4953ea78d92a02f3345a53bdb6050cfd8f41baa4395ecb6acab8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 81, + "comment" : "point with coordinate x = 0 in precomputation or right to left addition chain", + "public" : "04fa51d128adc2000f09ff12c6fd8e25aa08556d708bf6b0ffff9e8eaad4783f0de22bf529e516e1f64b8e0d09f98fad4e501695a930a1b22076659da707e3ccd0", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "de1069f051637e10166559cef44688afc809341855261215c4f381d9d7da76ca", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 82, + "comment" : "point with coordinate x = 0 in precomputation or right to left addition chain", + "public" : 
"04614dcfbea4789a3f3eb4a8e2f111c887f0248d9316b99d0864c927a045d6941753a073befe08491a8050a4d96d08ba4790ae18db3ef7f0eaccf59ce1095afc54", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "4207bf4159faa0e50ed238b9c0ff46194a539a1ba03a5a4c8d68f369aecd31a5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 83, + "comment" : "point with coordinate x = 0 in precomputation or right to left addition chain", + "public" : "04efe7754ed4c0b3c1dd301bc1ed69800aa2ff5d51fb85937715e60d2e7bcada8eb1581ab75fb3c797ef94a9dba3d82568c84617eaf3fa04f279fbfd898f704604", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "b5a0ec92aecc3010d27d2263d3da66e3d2f3395d23947024a3f4744454622027", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 84, + "comment" : "point with coordinate x = 0 in right to left addition chain", + "public" : "04d8e13fbd017f1f9a26be35c611d7b2299f5d10de3c8a26362273fffb85238f3ed1426b748c1f87e3afa2c1e7a0224310c980655e07399590d1494d6d6bea0396", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "d2a5bc66498c6036aecdfaad041cef732a893de190a0a5b42ff71e13f09280e7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 85, + "comment" : "point with coordinate x = 0 in right to left addition chain", + "public" : "045a1027666a0e372481fec0b3901e058d60107c07b1115550ceb05789b55a6d35063d4c8ee66ed45ff3e1dfdcfd73ed96a9e83193884adbcaa574b2dd118a692b", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "1f812313ddcf36bc38071d0e51a74100d630c8e20cc414326eefa42ecb1b5f8e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 86, + "comment" : "point with coordinate x = 0 in right to left addition chain", + "public" : "047937b9c40986dd755a0656203089782583da7d8113a44190762ab474a20bcf60efcbc1525aed5b4ad8e687cb02c2ef8887095cadca56c765b41b4a9544ff2fe8", + "private" : 
"00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "f284089bddd5e2e1be3f82640efa0658468fa1f10b281963a3ca190c3982fda6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 87, + "comment" : "point with coordinate x = 0 in right to left addition chain", + "public" : "049368066a0748867a7b870244f5c9f82ea8bd51552959dd550bb7394497159a5d40764add1ae24c8e3f432ee011be97d3130718fe0a6a90ed8b1011b2034d09a0", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "4529f4b631c9984ab216a6801281fc4fd8731a58b65ca8d07bff07811116371f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 88, + "comment" : "point with coordinate x = 0 in right to left addition chain", + "public" : "04981d7449bdf0013f5eeddbb7e42c442f7ccdd9427bd26d7b388755aa5e26f46a1292b88fa6bf5dffca054dd42ed3594277b593dcc402d80340fb7816e4dcab37", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "64bbc9fdd73643eb2954f4ab640381b938c5e601846a0c6b6954966e0dc73e6f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 89, + "comment" : "point with coordinate y = 1", + "public" : "0409e78d4ef60d05f750f6636209092bc43cbdd6b47e11a9de20a9feb2a50bb96c0000000000000000000000000000000000000000000000000000000000000001", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "28f67757acc28b1684ba76ffd534aed42d45b8b3f10b82a5699416eff7199a74", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 90, + "comment" : "point with coordinate y = 1", + "public" : "045384d6c0def78960db967b8096d35477c5a5ce30ef0c6d8879a5568ca87e979401ee56c4581722610b43f3cbfcf3862c082a6e36baa36fd6f78403c0e399faa5", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "9ee653cda46db67612760ce35bac8450bbf48dbf74451ed93abb6db408a9fe10", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 91, + "comment" : "point with coordinate y = 1", + 
"public" : "044eca7641a4afd5eab0b214657ff3bdcbfc66f1551a53bb59493bc38ed78ff39614a0cadff14c14736edbdcdab510cba07a8924ffd0490ee514aedfaadb648b01", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "9736ad6b2a2ef17ec3f8c8dc2e35715fb1c06f28d82e4e26876f0214588165f1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 92, + "comment" : "point with coordinate y = 1", + "public" : "048d0177ebab9c6e9e10db6dd095dbac0d6375e8a97b70f611875d877f0069d2c70000000000000000000000000000000000000000000000000000000000000001", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "748fa4f5a399320382dc920026938694c41a26fe2aaa318c5e710198dd71c793", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 93, + "comment" : "point with coordinate y = 1", + "public" : "045fdb7f0cffb8b5b1142d24698a4bda76bf9827d63b1a6bd85a4e2f9b59c510cfbcb35ba9c987108b6d4337ad5393f9f910ec92410c230869d66528ed88c1b98a", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "7f97db83b4d86f04fe286041ee21e80ec3d59f3ce82cdeeaf362016fc87a3e02", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 94, + "comment" : "point with coordinate y = 1", + "public" : "04530b2293e60c6b6f14c75c90b1ef8b9f9fa6b2151b8d9855792eb2b3dc69f07a0db42440e73fd7d6df04aed5022fbe21ceaec33c5fbade1bd6ad321ef2e10d0b", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "21794cf24f56273fa4463cc7ae4232fa34dbe0f18b73613b8ae9cbfb9c36abf0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 95, + "comment" : "point with coordinate y = 1", + "public" : "046916fac45e568b6b9e2e2ecd611b282e5fcc40a3067d601057f879ce5a8a73cc0000000000000000000000000000000000000000000000000000000000000001", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "915106d07816e879e7643f00abf6d79fb8f1cb78bf64a6a3827f91a7b0ef0f41", + "result" : 
"valid", + "flags" : [] + }, + { + "tcId" : 96, + "comment" : "point with coordinate y = 1", + "public" : "04ed9568c85bc52a6b45733618c3602107c1fdacf23b1a38e486af95978a214e2efa0d71d5e737891c4276e247581ee6139011ca1460db9b1e20b364d9275683e2", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "2fcce552310819dd775ab7ba9ff0f96a1fcadd25a0c709703cef04bb6e1a7bd7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 97, + "comment" : "point with coordinate y = 1", + "public" : "049ff7731c00f2aa88b3fc174aba907ad17595e602e768a5f1e9462a6d4b89b2d23f178a70b9bb3edce289118338a33df30c432c347f12a3de0a2b03b353878d96", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "757d926a2693bc8a3d2d8c0554a13579ef9e559186578911f37edc88b2f5e61a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 98, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "048270f8179d57436b34dfc0bdf7d417a5c895116b90cb51aec718614f864a635d174804e0c0e06e3d68d3149e0b956621c6aa2bde83f4d17d03d28ef8aa389fff", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "3db29ec6f978d2269e92e9c7eb5c8b5a8e56c2228a4fb9e483feca50aa3e451f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 99, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04c61750e98abaf20225a881dbfd3510532cfc3df971bbbca4a2bd52f91acc9c59d0fe79342097f88ae78fc79a8032245fdd2c30cc64aceaaa9fd57b0825692531", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "72c57c2e10d77318b3a796097bbf768c6366142d80f98c90a93780a841075f32", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 100, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : 
"049c5d3bb54650d9550e1ee2efa3ea43c14ab99d18bb049f37b42a6dac48232f0bd3a2760d83d33afe4ce6f1d1245489c509bd26b0251f308f8c996e80f7a3f8eb", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "a96b07944e9eb2b22a9a36575eff1f4f6363b4aa3a53b100b8518a67ba5405dd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 101, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04f1724efd481ad45a55795f06126b1f5ed28e7d9bb4fee910af2ad8c1373b18ff77edbc34da6c787ec73430347f4da86810032d88f7475f6c42f15914079d179e", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "855883316b6d097ae5eab6c67e8411a1397349a09b9d7d8f096b2ba1bd03ea31", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 102, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04fc3680af52fa89ffcd193ecc0b0714466fe5db277ee5872846c520bf4e3721d927260a0e225a3d377e6723ecb6bef8d4493c2da78a22a307fcca8f88f4527208", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "5a75bb7a0c96b8340d0842bcccf11974e1a5a2c8f4bc22b333433cce646b6a8a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 103, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04106b6f81e3482db18d74029291821ae448c38844ef783bf1d6999a404401f63f6a5753f0edc68a62cfd6a0b181bb2599e1f3bac5fa8824af160de79ed867c350", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "d96412e31cf4d26195920cac952fb79ea25f6c50abc79b5ed0ef8026a6e83319", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 104, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04093cb5193a4f94cd18edaa20a973b87ff79b0c03684c79487ecfee347e5354eb04fcb5752539170777932be15cd84c97f03815ffee8b60b647c178eebb8e14d4", + "private" : 
"00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "2b0eed9badc92a1068196dfec124fe8f9d3f451e294d322eb881cce02f286026", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 105, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04d6c38f448b964e27b5b450cc38d3cf41ef9df83d8a959771eb9c21855cb36445df638aef46a2aeb13199281e1a26d12fe61b029ec7f68b90faa89f88c7a95942", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "ed0b1d8dfd27a61fce91dc6405bfc53b6d48a8c13ba541c96ef3dcf31d7cdb88", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 106, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "048a748d61f59c3b6a29b733b0d554b2492e7f76fad7cae1c17f2ac3de9e4a65d2eedbe6c26b6fd22bfc03c1687555d2f0a38e02adee5570686171abfec6681917", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "a796dd144f21ba3318f9e10828ecefc9c0f6ef2c427ae31351c16c2fbfa3cfa6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 107, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04f1052699d87e5677c75e26b2abe719310648d820a96e5b381fff58b392401581b1bb16ae8b68cbb76a3256870bad1ee5a30ff9fd662fd4f8d1fe5b5f1f98ff46", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "1f3a9615b0745046a972bad5d59794a0b60b032b4ac94fe85f77dfb380d1f32b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 108, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "041219af5230064ee9778667225f0e009cdb961330e386edb34e4fa9fddd0e5be7e2a12554227f613aaaa78938ddbbc99b923f9d181b8192dc4b816577e8f3b7e9", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "caf9141d1fca4d0f10683b5e86d2b41af5602f017991fe7348d44e8d7014115c", + "result" : "valid", + "flags" : [] + }, + 
{ + "tcId" : 109, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "0460def130f190e6dc44f5eb8a59e12e7efb27db968c7fa6cc6d31785f066b41b1f1bb556ac4cd77033e7aa6c5ba16f47ebafb14975a7fd72dd9b7fe23116bca55", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "6539ec1c98fa75197ba07c678b26300b3da1fe407dd4c68b89457ed669082e06", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 110, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04f23f09bdb7d17289eb005975a757a39325b4df9b29e55ba2ca679b5ec0973ae918c881f3c7b6c12bed1ec54b837d08c5908e89bdcedd84b9177720378f789600", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "0b6619827cfa948d63f021e9eddb92f884fb5ce8a404bfe059e993fc23447a69", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 111, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "045dbec098c1b7de3e3e2e73d0b62cd49c877e1a0130a1b39eb2fd4dbd4426aa4ccbeee217591a8d76cc8deaf14dde52e3f401e53b30cbb9c1807910d827d0041d", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "2a53a561acf5caec6eb0d8aa40727942881a75d136899dfbff91528236926c39", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 112, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "041e70730dc4f39c8970182e1a29cc836b9e9d6cbd6fcaa8c0dc1062fed9a849693e7b9151f9c8a3345366f8221c8fb700e8c3a9aa7f0cc46a48864e1605592094", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "9b377716ff1d056dac8e392249eaec740d2f5aa62303f4baf6bb1b03b2a276c5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 113, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : 
"04f428c9ae3e23eaf9c2a5b9a7e41efd1cffbf35f881bfc35694d9c05d1e312b10ef6da9023cfd2dd0cb7b9e2a77d644affe62a63fb0f29d45291c6861aa063c5c", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "0c0c6867669743082547aa94451feb362fa29fbaf228dfb3eaf375f1a5ec2fb3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 114, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04b9a16d9a5b85a714e2bb2aa22b086a17404c7a3ff62452732347419c99e90bdad578b462f523994304b6afcf6944a9cc5d0ad1afad956475c8f2953c06b06b97", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "d11f9e32587fd3b6f4a2354812618b4b3b4a7539b8a223b388bb7437f8d138a5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 115, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "048f659a163a58e9f900c1e9b34fb1cd61ffc9890267be3417c8afe79d57214da05cd5cb68a2b93da0dbe56c1cfc0dce8b6c3260e0c48379c6d2091f16b39221c0", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "4babf6368e0359b78614060241ece46facca3f52f5bbc47ac0b46a075b5dd3a0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 116, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04d257f133f00a079f4e6778ea4a9bf42b9f231290431b5b93d7e8b0e35b48010650d6c6b46574d1efce03510b8db4a0981ce138c5bd8fe0e54c988c40c5fc9200", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "9627cc5c8d8b72278be89c32b52210173e6f4b8e2f48e460c6429f46f9f469ae", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 117, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "045ef2ac57c4e93cf78d8f86c35d413b98dc1902dd245affde5c16034afc7ea45547b3e9f77fbc5075bad03c418094f1aec1d03edeafa167fa6af83526552f7034", + "private" : 
"00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "d2b178bc9bb16b5a91a100bb72e15a9639e050c034346061413ec20c4fcc9bbc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 118, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04a7b513f96266414fa6ff439a35d8f09ab615db0bb6a3b1a120c217683f724b2342007a2c9feabcd6249a0d17acecd995e2a217fb5f07bec96938016e297efa52", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "6cdca0a731aff1ccfb1904a769cef79eba965fbab1cc64d2049d0df45dccd276", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 119, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "047743ab7248dae5f1a59ac6b0a136e9f1e51aff8bd45795ace5f8187a13edf9adbd9642078378bab5c6d484f9e1ce39675b72170bf39abc9be7942fc01fc435d7", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "bd15e97a7f49aa33e57b54140a75fffce71b788ce0faa334cf8b45623dcc818a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 120, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "040e3aa971bacdace350dc0957fa5bde0946324eb139939d7fc1997c701effd04a4e6c3625d9564168d3a752961221a1de8cf5f3d603752a8c2e6277ac3a918c25", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "c8b5e8e7488857a2dde62c5fc21e4525ebaba0e06b5be83ec6e7dd771e15a01a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 121, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "040f563e21bf9b24015a7cdbb6f000a692784ac2e4bc2715c76f684264a899c8240cab0d76e6b01cabe4f327429d11be115ed6dc0ca74f02c1b987a082f5af43a8", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "1c63a457509b148272687e6e442bde51982d41b0080d8c0c5eb714257af971e7", + "result" : "valid", + "flags" : [] + }, + 
{ + "tcId" : 122, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "045da49f10249e4df3dbb4e31ece0b0ee9aa073f2588195aaae63e74f6567a774810b5dd61b6bf219e9eab30ef09c13fc184b3d09ff7a4e192bca8f5111c4163c7", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "73a1ac9ece354a930dfd9c77577b4f50acc0a78964ea0d7775631d64c709c4a2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 123, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "046f72e6e5c6300679d3f14f0f6e590665643576ae8bbcb7c05b2f4a83e75e6ac3e712cb056ff034da340543c5da6997e65a3ab4cd39e997892bb92ee2c22b8167", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "fcaa406329bb74f995862cea7cecc7425c6bd4148ef1a9f46b5d42da5994556a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 124, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "046b544df9168e7787db282e2ae01dd72306d9c9bc80f5ab38ce594766c3d929e967493ff601ca60862b47d3a0785c917e44584044e36023a54424015e58be5040", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "e49ff11d46b6c4b5dde528b04132d15c040e79f9b7151fbc650030988028cb87", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 125, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "041c31385b9db9b374e92499939ab0fd7e7eda464561eba89fcd7b4769814a8638a4764cf8ce97b5d143bb8eeb9e1b27287f2b73942ecdbc6359aafb1ee7a152c2", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "fc8f64eac1c7e688c52c467185de21914e8b253056d9e4be010ed0128f92a889", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 126, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : 
"04aabcf8b1443d6cbb1de129a0ffe09f60b23fd9d0a44b6bdf25bed7373fdbfd1db716bde7fe9f2f46de0b688e3025e029cff15244429ad4f83484f5dea4af8583", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "6b56d8a01a884319ab5fb9d890cacfc7aabd81ad938cb5eaae207c8c1aa06efb", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 127, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04e7cd580bd957915d527056832e37793ab3b082ddfad9372412e1908e5c16bbb6208601a970d5844b780d9246e9583eb35918c42ed695c07d52244037f0e31db5", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "2f64b5c8046d41a4e1d631ff23846bff956a4925a47f8534490a20b4b1918b9c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 128, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "042a52db1fe246b71c79c0d0ac49a7d38de67b202995efbbd2a9cc525f6f36010368f494be27e0593e2d612f1fa10a9211437e6aa16e65d97735014072f0dcec94", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "63ac31e718b9a780a85f0670e1d3685bbe306e5f06fee282a8784700b503c124", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 129, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "041c50dc49fef708c4cdd62e766f9b60f784d51afee17a8fe9f3701b2fae55b7a5d10f0d9639d83dce8f26a869705a6d6d38e6d328f5685581142aec0dcd1f90e7", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "555c1917b770cebe6a98337a008ae3d8d04f571565327c93debf61ef90ddddd8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 130, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "046d0aa1bc1cee6d07d045002c13290d0ca25ca3c8783343a525fac70472b92c62d6fba71174448b472cf172b0ca9e377f1a2603ba7ae1276d153b20c63e7d24bf", + "private" : 
"00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "3a65a9200f8f96635912faa5e7859fa303a76a1c2a41ea97ef61aa39287700a9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 131, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04f07e3d8be2ba54c6084141e1fd2b29cfd00d4e6dd6ffb115ed839b10bd8a422f42992cb9a5243897d55408e9bb556043318d87349af35dcc0975ed805c8fa2c9", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "bb7bb52da570ba58e05fd322f82d556c2d65b365db30815879f67f233b089b51", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 132, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "0443a9b90274dbd5f36dd29046fc8390008dde74513ce4c3e8892b236efff80c9dc71547152a5897dbe16957bd15d1a87d770496f814fe2921c8f33df04393c7f8", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "e8cae9944233b867eedf5902fc49ecd07e4c81c46279531e89520b74ba5370b5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 133, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04e9af8e8c19da9d5c2f3b3c03b8e927c3cbe2d717f98f500972e56d82eb07c2b14e83fcaacadc26f8bb5e7b94741fe54f31275ebd6e1c969d7ec2fecead8a0dae", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "e72ad0cdb25f4307d1d834a5f792e9af64fd1b69a47041ec8fa46d526f419e4d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 134, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "0433d9582b567aadbe59606fa6ffc11848e4947b5179597317776317b2b4ff65d0b4d8568dc843319cc04f4bf110496dee7c9229fc68cb0958f3cbd37ecca6990f", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "000197fbc260a84dbcbf88136aeaa79b03bb8949aefd2416bef63929ef789bf3", + "result" : "valid", + "flags" : [] + }, + 
{ + "tcId" : 135, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04e21c0282adb1b2055fda744644c68612cfb0c68a70b9812d007f21a78f1adc4849f3e7644bc6633e2773a2f3cc5214fa7208e30afb3de992f077ee321569dc48", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "cdb18bf62670a853488ca510d8f55bab2918991424925bd9b74a821d2c6e7e3c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 136, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04af27de0da6556e4e64588c9694afee9a84e1cbd0c388972df3a997f760bbcd903c5a02e161551f333d770559ab1af49bf8b68274896590939ce956d9913b676f", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "167303505d22cf9ef78c5b9687a5418fa9fb284f2b0ff68316288ecd7f2e2e09", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 137, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "040da41b82550b358ff474915d83104d41a83a12ef70589b9d392f0f30dc32429edc76163c8fe07a3f709cbd92da0bbfc5045f3db82aa5344cf1fd5b27fcd2f7a6", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "85600ff23c3cde26009fea9b6539664bf045056883728ab0d4498ea0a8f4a453", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 138, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "0419c844b8c7209026a0996a782983e1bd0f0de9255b86739be9bef08ea5475cc669a779ddf57747cf7d9a22f00ed8efc6e818af5827b750d665fee6d6d58a22e8", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "a3250a2bfb145ce86e706ac3ab2bf503a66486ac0b2f7522601c124b0e0f9c5b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 139, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : 
"04bd07bd4326cdcabf42905efa4559a30e68cb215d40c9afb60ce02d4fda617579b927b5cba02d24fb9aafe1d429351e48bae9dd92d7bc7be15e5b8a30a86be13d", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "2d70cc8c8af01366051cc8359c2fc8f258757e2601fd8f3e08422a7b23bfeff5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 140, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "040089dee27a60d071dabbaf58f3e56614dad3b7f9a8030769fd0463b3e6e0f03a147b4d6e7e7fd939b9b54dab458fd556ad8fdaf4da6c3909588c4e050ca74a67", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "cbe0c571d1080ea34ee20ad1bfd21ea5ecc442ead733fb4eee3c0d7b0cce9935", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 141, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "0442ede106cf85aef46df7e5dba8a8b00459317d9e766a7b77c299aa0e17dea142b6e9a86f4fc3e945d4323ba8e459f6b7b14c563a698c757a2d5f7b0bc301ede2", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "33320fc7917fe4e19280bfbfe16f223c037f7c2dc30c0fda98310740f57fe289", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 142, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04974b4316c5e7d1348b28dbc4fd61d8d3470de744c30f5be237f85f29969dea77b5f00b58b83cfc7bc51655465b4a28abe1ed3dbec20c6b4643aec85b95a5bec6", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "35c726ead66c39414fe0c24604df7838e5725d2fc1bd0853261e1de3338ecb4f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 143, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "0459873d7523936a121b629e9870f930419f253a5767b9d0dc49716f2c50e17bd0163b71f2bf4318fbde1ceaa585450080eec28474cd18bf7c21d2d1bfde4ff677", + "private" : 
"00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "66ea42fe6fd8741b37599bbdada3ec0e6b08c0b52ea67c29a33172f72742583c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 144, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "04bd85a79f81c4f9613e64fa347886437856c7358d1b69cf1e923d7742d82f9b6767d26918eaa8acb113a1daadaedc709742457303ebc23cdda5572613dc827703", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "2f8a502e4f440133e84fb625292cbeabe2cb79da73987c76d4fed864d1b1b762", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 145, + "comment" : "point with coordinate y = 1 in left to right addition chain", + "public" : "043e6a4effc47c2f5926bb6b4acf2eac48b9524c47d511f816976796778600d6c5bfce593242a5985a977590f8d7485df3f953352957f3c17c13e94583d9c0e7b9", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "06436817d8928b77b73d16c5c3b35e243ad3ef2ab59ad047142c67a6d0923c84", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 146, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : "049a4487fcfce8396688e7449e095fe803caa253d4bd7c66dbc6261cc9d9f883a50e5251bae29c5a5cdfa31bc61105671a88a018467398158d35b88829237c0bff", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "7e83fd2c3d713bc85d6d85d9078b3a0842824d410e8abde04da0fd71c7d94705", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 147, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : "04fed6ce127290c1291ca5ce64acb4e0f2f8905654d1d25ba57c1f74ab52f21f42963d31671c06b802169929525c4a1fdeff5b1eafab919dc2df6c52be84dfaef3", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "0e3dfdab606ebdc6428282acd443f189c99b3b483aa101fd8d6bed38aec59e02", + 
"result" : "valid", + "flags" : [] + }, + { + "tcId" : 148, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : "04f7cee5b55f1869f137dd707c8f8fb8965a2be5840c3149fb759695a4661b9c0d23c78c4e9647b0d6cb2f2602be73ff25cf3d09c96d892b5745fe5eca814aec91", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "f489f2bd93f76b8e41fc6b9f211bc599d49db1f17a38e95bab1d31b2a2b55829", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 149, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : "042baaaec3b3e8d54a4e18f0960b947da2535e3cfcca2cfa8b7113aad8e3b6626f72f71e7c9e96042c1d39cc8f1139d5147c6f4fe62e23cf6df364b5f4d899f842", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "cc5738b49d30d5d02cf7e0c54a3de09b5b6f3c4dea91dd0679072a3562444c37", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 150, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : "04a51ab1238bc1bed25247e7d179c83a61ae2d4a9fe2288c363ae0eb7a77de432a3c6d35d82ba8017e6ca9041cc785a30703f7bc4427506e624ac5979d715421dd", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "89a11177d6907a81d47467093bf6a3cc8ba55dee05239b160a31a3000f5d807b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 151, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : "048b5ae8a0e55f30f509061315abae79ac480f88b44655f7269a385c81526884be262974a31a0e2322126c2d77b26b108abd81f8b952c458ccc95d46fb4924c7c0", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "2cb03c30b20037a5cf4d5b33574f3abac895bfab37867eb2ebed260e0929058d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 152, + "comment" : "point with coordinate y = 1 in precomputation or 
right to left addition chain", + "public" : "045f60c77e474dd66c8135ee3dafc75ba644649824c72737542091ad469adbb685312c09c69b629d0436bf3bd6c6083ff2a87be484a73ef3a5d2c3e06b5d9b21b3", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "e54d487d0c4b12fe522af3e663ce316e632ba9d63a1f02a36fc5a82bf82731a4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 153, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : "04e06eaa73f6feae45417d859bbad4bc404b2885bcd213ebace594e16f4970e0c411ed3323a3d7afc7076239884307f91849ed5f5e36b6171d309c81344c53e06d", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "ccea969d40fa42933f4fbdc4cabe2185f8a452996254c1f4e0dde5e14feeea8d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 154, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : "040f1c1b89e9fc6fc0faefc9109fc4a1247d9f54c7497b6cc975e6a5455bef410836cb3818548ac9b41e2b8336c3eb8d97075ae47e1827fa1ff93d4341d43c0c1d", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "eaae0e188c9427bf3c8b3ded772122204c328d5941e389d808e2724638f9aff8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 155, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : "04577069e8284a95f51dcab919b0536657058971dab76217f8d3ae722a64092e26e51f68a722cc0397f4801401771e9a3d1988d4af76f14f9e2f9c36e0773e29c2", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "fea0cce1358f1ff40ffeaaffbf91b2e8d426d4e31e9627731ace3a122eab6b0d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 156, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : 
"042406a2759050b925dd4f814c5033e355548f42bbf1afb791c110f0031f29f68099d5f4b005de3927f165abeff196a28c7217fab1be2b5209c324e7d62d2dd687", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "837621ea4827bba0376aaa8aa66cfe144a2ff1e359dc619a06441d3e055f9771", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 157, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : "04ccaac61f35a27861183621642bc573af913356fb47cf582f0b5299099d6f6c6991f7272b83b738a7a5d30447c87f126a7d98ec72fa2609d0939d18db7ea7eb3a", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "63974ce6153762e5b364523cead93e8ce8bcc77dda56365d676136169fc4e39b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 158, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : "0401415917272f1984e7217a36fb311fd2904d41a6b13973f92aae3b90e85e4d56d97c822eb7b21a84d0d1be4867404a80c34867f43139dadcc3619e10b222562b", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "0a0488144bc36d690b62148ac3076047d46d48f7adbb0f34fee9a636295fe737", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 159, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : "04b2575d100c6fa056bcd137ab111b5315a8908c29243b84f3dc996d0e45764b9166cabeb41885588ec08b47257df58bd58f7dcd9e012e2669fa2f52e25767fc4c", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "1232165538a44268aa7c199c54d6d207c4ef3f5aa790c10c926a20752ca645ce", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 160, + "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain", + "public" : 
"04c17355ed30ccd6427f9685709021b25c11ed176e9610c479bcc4cc7552a738e61f75114761dba0ec60cd264bbab763c5d5abcc75cd8fb5651d0645179988cc6d", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "dcab5e874e4fb76bc4312528e9d76dfae56145922533089734110bf5653f4d77", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 161, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "04341592390ccce485de8880f3d727f664c381914a1becec383b35586751fc81c2add71852b87016e1019cae7a9080e75ce0b0b8aac175d692d5e7b4dad088f5cc", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "4ce2701b2be63a0083a4c53f7a0bf04cf871654f5edb6f625e3ea5e7d0bdcc90", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 162, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "04fa764b6b76a86c3b762120825d353a24766208c1f5cc0fe3fe7998026a2ec5c43bb2f948fd94cdaa5869b1e0e73a4d97035cc49357fb7b74d7ed0a2c5b8d54eb", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "7abef9765cca721320fbf8edcbef6d2ba25d17b70ffa1776029bc38fe677a12c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 163, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "04a71fbb617199bd585b4b66212ca33ca9e09370e6bf15c8ea0acefd9c8e945d06840f058863078e743e220ff99f23bbc1daa36835d4b1269f0a7536e63f06d853", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "5f61404dbbbc2867dff95c1f37ed44f4cb8fabcd223b03739d888308d13bc412", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 164, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "0413c8292d854d39451c0c63a802b8c03e4fcb875ef01239896295ba1c0f386975f82df197086fd86032cb36b69a27876dd75a8e9679f36ffc2210edb128d4be13", + "private" : 
"00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "8d673a577e35bf9d5d00676c08b2c739617c46a052188403aa06dc714af6acc1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 165, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "040cd9df415acc0c32fd4e3d6924ce53075b0452bf919a2ab2ebe26597570f1ecd5985d8d2c5df78fc100f87efb6dfa9543757bdffecf083dfcd1ecb38de6c23f8", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "a7835ffee0f2a69dfcf70d4e798dbe3ed32ba03cfddae5ddd11d8c0ac3d74f9b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 166, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "04d2dbea4046b23fd2b233d1ce31dceddb89b25f26c0627a9d2db3c5605c9cc99535bdc8de7451c1e27e97aa91402cce3882c71269d9cbdcb5d7ac0ceb911b9b6d", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "e98ea22209cd397edb6c319648c1eb24bc4d39598ab11995571926684ce2ceca", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 167, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "04888fb044fb2b6caa60366bfa662adba479b8365a6555a29887d580f587086ba8482f4ec24082a48d6402afa1622143f26e61d91b7e30d6a4b223630ee10f70fb", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "91b65733860b1bdb9541d9f55895a3dbb3f13c199251d33006b6dcf90ac349ed", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 168, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "042e2bec134249379d57700301f3a58e4b395a4d28370d2a06e65e7ac89ed76ac697dc960bd795cdf4fbcfdd75149057b8e022331c7b5461f383ac589d764df333", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "1fdf7c5c48047a113e5e5d1b7ed593337e769231cca5c7110160e0c1b97f4256", + "result" : "valid", + "flags" : [] + }, + 
{ + "tcId" : 169, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "04c78cda7e3b9e1772ebed30b2b51dcf155a69a0fc504557836e25147cfb8127d2f8289cf38b033d3763c8f9f6c091787a3142fb83dff5719590282c6f852e0105", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "ba0abc3e71726cb51330489176357b81b8074d7690e4e82e9a3c00151e1fa318", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 170, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "041e3df4dd7fb7718cb0aa0dd72f8a25c83c4e804e7cbd48c5e965651f9e23bf4ef0ff40dd9796e4a9a5eddd2c4ca4ebd10990d8fb8918d12d53c76001afa9de7f", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "16e632f9752d36602c95ec274b32ad594f39f6ac3bd4b0b20f8637392142cef4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 171, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "04e5c5dc3fd88d85668b3b709fd6b4232f1f80949cbccb5588363e6c217a2b3ed88dbd0d6e3cc97f3081d16602aa3d1b655ee0791c87fcb5abe6217d8c8513807e", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "9eed4b96569f604a4d3f5af97499807111fc9888c458ece2e3000e245c2c02b0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 172, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "04021c41eceec24e0fba894ad7415a9598cbcd14fa6ca46e25575268a1d8e5bbc63f846c6a185fa3f23bb92c14e7e2cba8c74047c09af766f55ef0c907c80d9451", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "21ac32013838812621dbb584965bded6fc851d3a029810679bc57b2381bb7a7d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 173, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : 
"048e24192cd33335a114f5070266c014cb0d8c704d16d6042e89c17597bcd4e77ebdb4c5171704c2c09275c22a310e0c4fe092e4084856da99b94abbfa9f469f48", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "fc5978da01ca83e127dddf989a0358871b3c4ce0755bfb020633db467e21a53c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 174, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "0431c90ae47a93d09a2352b6f3677e7975ea62aadedb56c118eb8b9f771e2dd9f5f2601fb9cca2304e594423cf48064dbed17ae40452f18be6ae018321911e8cb3", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "9f417341261aa45d396b0ccf2a3dee7a466ca47e3ce86ecd2071d9c4db08820e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 175, + "comment" : "point with coordinate y = 1 in right to left addition chain", + "public" : "04d2f211cfab84e01c8e5544036234debe35ae103bb878d7abcea6825f753e03a385f7f1870e64f1262af67a25ef9880419f45608e7f9da6dee83f5f46ceb53dcb", + "private" : "00809c461d8b39163537ff8f5ef5b977e4cdb980e70e38a7ee0b37cc876729e9ff", + "shared" : "f419febb32c254611adf569c2d583b17542b1538caa0001967f0a4bc34b8b789", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 176, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "03", + "shared" : "85a0b58519b28e70a694ec5198f72c4bfdabaa30a70f7143b5b1cd7536f716ca", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 177, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "00ffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "shared" : "a329a7d80424ea2d6c904393808e510dfbb28155092f1bac284dceda1f13afe5", + "result" : "valid", + "flags" : [] + }, + 
{ + "tcId" : 178, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "0100000000000000000000000000000000000000000000000000000000000000", + "shared" : "bd26d0293e8851c51ebe0d426345683ae94026aca545282a4759faa85fde6687", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 179, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "shared" : "ea9350b2490a2010c7abf43fb1a38be729a2de375ea7a6ac34ff58cc87e51b6c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 180, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "008000000000000000000000000000000000000000000000000000000000000000", + "shared" : "34eed3f6673d340b6f716913f6dfa36b5ac85fa667791e2d6a217b0c0b7ba807", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 181, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "00ffffffff00000000ffffffffffffffffbce6faada7179e83f3b9cac2fc632551", + "shared" : "1354ce6692c9df7b6fc3119d47c56338afbedccb62faa546c0fe6ed4959e41c3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 182, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "00ffffffff00000000ffffffffffffffffbce6faada7179e84f3a9cac2fc632551", + "shared" : 
"fe7496c30d534995f0bf428b5471c21585aaafc81733916f0165597a55d12cb4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 183, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "00ffffffff00000000ffffffffffffffffbce6faada7179e84f3b1cac2fc632551", + "shared" : "348bf8042e4edf1d03c8b36ab815156e77c201b764ed4562cfe2ee90638ffef5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 184, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "00ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac1fc632551", + "shared" : "6e4ec5479a7c20a537501700484f6f433a8a8fe53c288f7a25c8e8c92d39e8dc", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 185, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "00ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc6324f3", + "shared" : "f7407d61fdf581be4f564621d590ca9b7ba37f31396150f9922f1501da8c83ef", + "result" : "valid", + "flags" : [ + "AddSubChain" + ] + }, + { + "tcId" : 186, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "00ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632533", + "shared" : "82236fd272208693e0574555ca465c6cc512163486084fa57f5e1bd2e2ccc0b3", + "result" : "valid", + "flags" : [ + "AddSubChain" + ] + }, + { + "tcId" : 187, + "comment" : "edge case private key", + "public" : 
"0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "00ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632543", + "shared" : "06537149664dba1a9924654cb7f787ed224851b0df25ef53fcf54f8f26cd5f3f", + "result" : "valid", + "flags" : [ + "AddSubChain" + ] + }, + { + "tcId" : 188, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "00ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254b", + "shared" : "f2b38539bce995d443c7bfeeefadc9e42cc2c89c60bf4e86eac95d51987bd112", + "result" : "valid", + "flags" : [ + "AddSubChain" + ] + }, + { + "tcId" : 189, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "00ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254e", + "shared" : "85a0b58519b28e70a694ec5198f72c4bfdabaa30a70f7143b5b1cd7536f716ca", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 190, + "comment" : "edge case private key", + "public" : "0431028f3377fc8f2b1967edaab90213acad0da9f50897f08f57537f78f116744743a1930189363bbde2ac4cbd1649cdc6f451add71dd2f16a8a867f2b17caa16b", + "private" : "00ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254f", + "shared" : "027b013a6f166db655d69d643c127ef8ace175311e667dff2520f5b5c75b7659", + "result" : "valid", + "flags" : [ + "AddSubChain" + ] + }, + { + "tcId" : 191, + "comment" : "CVE-2017-8932", + "public" : "04023819813ac969847059028ea88a1f30dfbcde03fc791d3a252c6b41211882eaf93e4ae433cc12cf2a43fc0ef26400c0e125508224cdb649380f25479148a4ad", + "private" : "2a265f8bcbdcaf94d58519141e578124cb40d64a501fba9c11847b28965bc737", + "shared" : "4d4de80f1534850d261075997e3049321a0864082d24a917863366c0724f5ae3", + 
"result" : "valid", + "flags" : [] + }, + { + "tcId" : 192, + "comment" : "CVE-2017-8932", + "public" : "04cc11887b2d66cbae8f4d306627192522932146b42f01d3c6f92bd5c8ba739b06a2f08a029cd06b46183085bae9248b0ed15b70280c7ef13a457f5af382426031", + "private" : "313f72ff9fe811bf573176231b286a3bdb6f1b14e05c40146590727a71c3bccd", + "shared" : "831c3f6b5f762d2f461901577af41354ac5f228c2591f84f8a6e51e2e3f17991", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 193, + "comment" : "point is not on curve", + "public" : "0400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 194, + "comment" : "point is not on curve", + "public" : "0400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 195, + "comment" : "point is not on curve", + "public" : "040000000000000000000000000000000000000000000000000000000000000000ffffffff00000001000000000000000000000000fffffffffffffffffffffffe", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 196, + "comment" : "point is not on curve", + "public" : "040000000000000000000000000000000000000000000000000000000000000000ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 197, + "comment" : "point is not on curve", + "public" : 
"0400000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 198, + "comment" : "point is not on curve", + "public" : "0400000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000001", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 199, + "comment" : "point is not on curve", + "public" : "040000000000000000000000000000000000000000000000000000000000000001ffffffff00000001000000000000000000000000fffffffffffffffffffffffe", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 200, + "comment" : "point is not on curve", + "public" : "040000000000000000000000000000000000000000000000000000000000000001ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 201, + "comment" : "point is not on curve", + "public" : "04ffffffff00000001000000000000000000000000fffffffffffffffffffffffe0000000000000000000000000000000000000000000000000000000000000000", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 202, + "comment" : "point is not on curve", + "public" : "04ffffffff00000001000000000000000000000000fffffffffffffffffffffffe0000000000000000000000000000000000000000000000000000000000000001", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : 
"invalid", + "flags" : [] + }, + { + "tcId" : 203, + "comment" : "point is not on curve", + "public" : "04ffffffff00000001000000000000000000000000fffffffffffffffffffffffeffffffff00000001000000000000000000000000fffffffffffffffffffffffe", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 204, + "comment" : "point is not on curve", + "public" : "04ffffffff00000001000000000000000000000000fffffffffffffffffffffffeffffffff00000001000000000000000000000000ffffffffffffffffffffffff", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 205, + "comment" : "point is not on curve", + "public" : "04ffffffff00000001000000000000000000000000ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 206, + "comment" : "point is not on curve", + "public" : "04ffffffff00000001000000000000000000000000ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000001", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 207, + "comment" : "point is not on curve", + "public" : "04ffffffff00000001000000000000000000000000ffffffffffffffffffffffffffffffff00000001000000000000000000000000fffffffffffffffffffffffe", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 208, + "comment" : "point is not on curve", + "public" : "04ffffffff00000001000000000000000000000000ffffffffffffffffffffffffffffffff00000001000000000000000000000000ffffffffffffffffffffffff", + "private" : 
"7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 209, + "comment" : "", + "public" : "", + "private" : "7e4aa54f714bf01df85c50269bea3a86721f84afe74f7b41ea58abcf3474e88d", + "shared" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 210, + "comment" : "invalid public key", + "public" : "02fd4bf61763b46581fd9174d623516cf3c81edd40e29ffa2777fb6cb0ae3ce535", + "private" : "6f953faff3599e6c762d7f4cabfeed092de2add1df1bc5748c6cbb725cf35458", + "shared" : "", + "result" : "invalid", + "flags" : [ + "CompressedPoint" + ] + }, + { + "tcId" : 211, + "comment" : "public key is a low order point on twist", + "public" : "03efdde3b32872a9effcf3b94cbf73aa7b39f9683ece9121b9852167f4e3da609b", + "private" : "00d27edf0ff5b6b6b465753e7158370332c153b468a1be087ad0f490bdb99e5f02", + "shared" : "", + "result" : "invalid", + "flags" : [ + "CompressedPoint" + ] + }, + { + "tcId" : 212, + "comment" : "public key is a low order point on twist", + "public" : "02efdde3b32872a9effcf3b94cbf73aa7b39f9683ece9121b9852167f4e3da609b", + "private" : "00d27edf0ff5b6b6b465753e7158370332c153b468a1be087ad0f490bdb99e5f03", + "shared" : "", + "result" : "invalid", + "flags" : [ + "CompressedPoint" + ] + }, + { + "tcId" : 213, + "comment" : "public key is a low order point on twist", + "public" : "02c49524b2adfd8f5f972ef554652836e2efb2d306c6d3b0689234cec93ae73db5", + "private" : "0095ead84540c2d027aa3130ff1b47888cc1ed67e8dda46156e71ce0991791e835", + "shared" : "", + "result" : "invalid", + "flags" : [ + "CompressedPoint" + ] + }, + { + "tcId" : 214, + "comment" : "public key is a low order point on twist", + "public" : "0318f9bae7747cd844e98525b7ccd0daf6e1d20a818b2175a9a91e4eae5343bc98", + "private" : "00a8681ef67fb1f189647d95e8db00c52ceef6d41a85ba0a5bd74c44e8e62c8aa4", + "shared" : "", + "result" : "invalid", + "flags" : [ + "CompressedPoint" + ] + }, + { + "tcId" : 215, + "comment" : "public key is a 
low order point on twist", + "public" : "0218f9bae7747cd844e98525b7ccd0daf6e1d20a818b2175a9a91e4eae5343bc98", + "private" : "00a8681ef67fb1f189647d95e8db00c52ceef6d41a85ba0a5bd74c44e8e62c8aa5", + "shared" : "", + "result" : "invalid", + "flags" : [ + "CompressedPoint" + ] + }, + { + "tcId" : 216, + "comment" : "public key is a low order point on twist", + "public" : "03c49524b2adfd8f5f972ef554652836e2efb2d306c6d3b0689234cec93ae73db5", + "private" : "0095ead84540c2d027aa3130ff1b47888cc1ed67e8dda46156e71ce0991791e834", + "shared" : "", + "result" : "invalid", + "flags" : [ + "CompressedPoint" + ] + } + ] + } + ] +} diff --git a/tests/p256_ecdsa.cc b/tests/p256_ecdsa.cc new file mode 100644 index 00000000..d82c714f --- /dev/null +++ b/tests/p256_ecdsa.cc 
@@ -0,0 +1,245 @@
+/*
+ * Copyright 2022 Cryspen Sarl
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include
+#include
+#include
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "Hacl_P256.h"
+#include "util.h"
+
+using json = nlohmann::json;
+
+uint8_t prKey[32U] = {
+ (uint8_t)81U, (uint8_t)155U, (uint8_t)66U, (uint8_t)61U, (uint8_t)113U,
+ (uint8_t)95U, (uint8_t)139U, (uint8_t)88U, (uint8_t)31U, (uint8_t)79U,
+ (uint8_t)168U, (uint8_t)238U, (uint8_t)89U, (uint8_t)244U, (uint8_t)119U,
+ (uint8_t)26U, (uint8_t)91U, (uint8_t)68U, (uint8_t)200U, (uint8_t)19U,
+ (uint8_t)11U, (uint8_t)78U, (uint8_t)62U, (uint8_t)172U, (uint8_t)202U,
+ (uint8_t)84U, (uint8_t)165U, (uint8_t)109U, (uint8_t)218U, (uint8_t)114U,
+ (uint8_t)180U, (uint8_t)100U
+};
+
+uint8_t digest[32U] = {
+ (uint8_t)28U, (uint8_t)203U, (uint8_t)233U, (uint8_t)28U, (uint8_t)7U,
+ (uint8_t)95U, (uint8_t)199U, (uint8_t)244U, (uint8_t)240U, (uint8_t)51U,
+ (uint8_t)191U, (uint8_t)162U, (uint8_t)72U, (uint8_t)219U, (uint8_t)143U,
+ (uint8_t)204U, (uint8_t)211U, (uint8_t)86U, (uint8_t)93U, (uint8_t)233U,
+ (uint8_t)75U, (uint8_t)191U, (uint8_t)177U, (uint8_t)47U, (uint8_t)60U,
+ (uint8_t)89U, (uint8_t)255U, (uint8_t)70U, (uint8_t)194U, (uint8_t)113U,
+ (uint8_t)191U, (uint8_t)131U
+};
+
+uint8_t nonce[32U] = {
+ (uint8_t)148U, (uint8_t)161U, (uint8_t)187U, (uint8_t)177U, (uint8_t)75U,
+ (uint8_t)144U, (uint8_t)106U, (uint8_t)97U, (uint8_t)162U, (uint8_t)128U,
+ (uint8_t)242U, (uint8_t)69U, (uint8_t)249U, (uint8_t)233U, (uint8_t)60U,
+ (uint8_t)127U, (uint8_t)59U, (uint8_t)74U, (uint8_t)98U, (uint8_t)71U,
+ (uint8_t)130U, (uint8_t)79U, (uint8_t)93U, (uint8_t)51U, (uint8_t)185U,
+ (uint8_t)103U, (uint8_t)7U, (uint8_t)135U, (uint8_t)100U, (uint8_t)42U,
+ (uint8_t)104U, (uint8_t)222U
+};
+
+uint8_t siggen_vectors_low5[32U] = {
+ (uint8_t)243U, (uint8_t)172U, (uint8_t)128U, (uint8_t)97U, (uint8_t)181U,
+ (uint8_t)20U, (uint8_t)121U, (uint8_t)91U, (uint8_t)136U, (uint8_t)67U,
+ (uint8_t)227U, (uint8_t)214U, (uint8_t)98U, (uint8_t)149U, (uint8_t)39U,
+ (uint8_t)237U, (uint8_t)42U, (uint8_t)253U, (uint8_t)107U, (uint8_t)31U,
+ (uint8_t)106U, (uint8_t)85U, (uint8_t)90U, (uint8_t)122U, (uint8_t)202U,
+ (uint8_t)187U, (uint8_t)94U, (uint8_t)111U, (uint8_t)121U, (uint8_t)200U,
+ (uint8_t)194U, (uint8_t)172U
+};
+
+uint8_t siggen_vectors_low6[32U] = { 0xcf, 0xa7, 0x40, 0xfe, 0xc7, 0x67, 0x96,
+ 0xd2, 0xe3, 0x92, 0x16, 0xbe, 0x7e, 0xbf,
+ 0x58, 0x0e, 0xa3, 0xc0, 0xef, 0x4b, 0xb0,
+ 0x0a, 0xb2, 0xe7, 0xe4, 0x20, 0x84, 0x34,
+ 0xf4, 0x5f, 0x8c, 0x9c };
+
+static uint8_t px0_0[32] = { 0x70, 0x0c, 0x48, 0xf7, 0x7f, 0x56, 0x58, 0x4c,
+ 0x5c, 0xc6, 0x32, 0xca, 0x65, 0x64, 0x0d, 0xb9,
+ 0x1b, 0x6b, 0xac, 0xce, 0x3a, 0x4d, 0xf6, 0xb4,
+ 0x2c, 0xe7, 0xcc, 0x83, 0x88, 0x33, 0xd2, 0x87
+
+};
+static uint8_t py0_0[32] = { 0xdb, 0x71, 0xe5, 0x09, 0xe3, 0xfd, 0x9b, 0x06,
+ 0x0d, 0xdb, 0x20, 0xba, 0x5c, 0x51, 0xdc, 0xc5,
+ 0x94, 0x8d, 0x46, 0xfb, 0xf6, 0x40, 0xdf, 0xe0,
+ 0x44, 0x17, 0x82, 0xca, 0xb8, 0x5f, 0xa4, 0xac };
+
+static uint8_t scalar0[32] = { 0x7d, 0x7d, 0xc5, 0xf7, 0x1e, 0xb2, 0x9d, 0xda,
+ 0xf8, 0x0d, 0x62, 0x14, 0x63, 0x2e, 0xea, 0xe0,
+ 0x3d, 0x90, 0x58, 0xaf, 0x1f, 0xb6, 0xd2, 0x2e,
+ 0xd8, 0x0b, 0xad, 0xb6, 0x2b, 0xc1, 0xa5, 0x34
+
+};
+
+bool
+testImplementationHacl()
+{
+ uint8_t* result = (uint8_t*)malloc(sizeof(uint8_t) * 64);
+ bool flag =
+ Hacl_P256_ecdsa_sign_p256_without_hash(result, 32, digest, prKey, nonce);
+ bool s0 = compare_and_print(32, result, siggen_vectors_low5);
+ bool s1 = compare_and_print(32, result + 32, siggen_vectors_low6);
+ return s0 && s1 && flag;
+}
+
+TEST(P256Test, BasicTest)
+{
+ EXPECT_TRUE(testImplementationHacl());
+}
+
+//=== Wycheproof tests ====
+
+#define bytes std::vector
+
+typedef struct
+{
+ bytes public_key;
+ bytes msg;
+ bytes sig;
+ bool valid;
+} TestCase;
+
+std::vector
+read_json()
+{
+
+ // Read JSON test vector
+ std::string test_dir = "ecdsa_secp256r1_sha256_test.json";
+ std::ifstream json_test_file(test_dir);
+ json test_vectors;
+ json_test_file >> test_vectors;
+
+ std::vector tests_out;
+
+ // Read test group
+ for (auto& test : test_vectors["testGroups"].items()) {
+ auto test_value = test.value();
+
+ // Read the key
+ auto key = test_value["key"];
+ auto public_key = from_hex(key["uncompressed"]);
+
+ auto tests = test_value["tests"];
+ for (auto& test_case : tests.items()) {
+ auto test_case_value = test_case.value();
+ auto msg = from_hex(test_case_value["msg"]);
+ auto sig = from_hex(test_case_value["sig"]);
+ auto result = test_case_value["result"];
+ bool valid = result == "valid" || result == "acceptable";
+
+ tests_out.push_back({ public_key, msg, sig, valid });
+ }
+ }
+
+ return tests_out;
+}
+
+class P256EcdsaWycheproof : public ::testing::TestWithParam
+{};
+
+TEST_P(P256EcdsaWycheproof, TryWycheproof)
+{
+ const TestCase& test_case(GetParam());
+
+ // Stupid const
+ uint8_t* public_key = const_cast(test_case.public_key.data());
+ uint8_t* msg = const_cast(test_case.msg.data());
+
+ // Convert public key first
+ uint8_t plain_public_key[64] = { 0 };
+ bool uncompressed_point = false;
+ bool compressed_point = false;
+ if (test_case.public_key.size() >= 65) {
+ uncompressed_point =
+ Hacl_P256_uncompressed_to_raw(public_key, plain_public_key);
+ }
+ if (!uncompressed_point && test_case.public_key.size() >= 32) {
+ compressed_point =
+ Hacl_P256_compressed_to_raw(public_key, plain_public_key);
+ }
+ EXPECT_TRUE(uncompressed_point || compressed_point || !test_case.valid);
+
+ // Parse DER signature.
+ // FIXME: This should really be in the HACL* libraray.
+ // The parsing here is opportunistic and not robust.
+ size_t sig_pointer = 0;
+ if (test_case.valid) {
+ EXPECT_TRUE(test_case.sig.size() >= 2);
+ }
+ bytes r, s;
+
+ if (test_case.sig.size() > 2) {
+ if (test_case.valid) {
+ size_t pos = 0;
+ EXPECT_EQ(test_case.sig[pos++], 0x30); // Sequence tag
+ auto der_length = test_case.sig[pos++];
+ EXPECT_FALSE(der_length & 0x80);
+ EXPECT_EQ(test_case.sig[pos++], 0x02); // Integer
+ auto x_length = test_case.sig[pos++];
+ r = bytes(&test_case.sig[pos], &test_case.sig[pos] + x_length);
+ pos += x_length;
+ EXPECT_EQ(test_case.sig[pos++], 0x02); // Integer
+ auto y_length = test_case.sig[pos++];
+ s = bytes(&test_case.sig[pos], &test_case.sig[pos] + y_length);
+ pos += y_length;
+ EXPECT_EQ(pos, der_length + 2);
+ }
+ }
+ if (r.size() != 0 && s.size() != 0) {
+ // Removing leading 0s and make r and s 32 bytes each
+ while (r[0] == 0x00) {
+ r.erase(r.begin());
+ }
+ while (r.size() < 32) {
+ r.insert(r.begin(), 0);
+ }
+ while (s[0] == 0x00) {
+ s.erase(s.begin());
+ }
+ while (s.size() < 32) {
+ s.insert(s.begin(), 0);
+ }
+ EXPECT_EQ(32, r.size());
+ EXPECT_EQ(32, s.size());
+
+ // Due to https://github.com/project-everest/hacl-star/issues/327
+ // we fake the msg pointer here for now if it's NULL.
+ if (!msg) {
+ msg = r.data(); // the length is 0 so we never do anything with this.
+ EXPECT_EQ(0, test_case.msg.size());
+ }
+ EXPECT_EQ(
+ test_case.valid,
+ Hacl_P256_ecdsa_verif_p256_sha2(
+ test_case.msg.size(), msg, plain_public_key, r.data(), s.data()));
+ }
+}
+
+INSTANTIATE_TEST_SUITE_P(Wycheproof,
+ P256EcdsaWycheproof,
+ ::testing::ValuesIn(read_json()));
diff --git a/tests/p256_ecdsa/ecdsa_secp256r1_sha256_test.json b/tests/p256_ecdsa/ecdsa_secp256r1_sha256_test.json
new file mode 100644
index 00000000..0b8ab9f5
--- /dev/null
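Review bot: The verifier is never exercised on the invalid Wycheproof vectors: in TryWycheproof r and s are only filled inside `if (test_case.valid)`, so for every `result: invalid` case the `if (r.size() != 0 && s.size() != 0)` branch holding the `Hacl_P256_ecdsa_verif_p256_sha2` call is skipped and the only assertion left is the point-decoding `EXPECT_TRUE(... || !test_case.valid)`, which those vectors pass trivially. The out-of-range r/s, high-s and r=0 edge cases the suite exists for therefore cannot fail; parsing should run for all vectors with bounds checks in place of the `EXPECT_` macros, a malformed encoding should be asserted to be an invalid vector, and a well-formed one handed to the verifier (any BER variant flagged "acceptable" would then need its own handling, which I cannot confirm from the visible vectors). The zero-stripping loops also need a `!r.empty()` / `!s.empty()` guard, since an all-zero r indexes an empty vector, and a value still longer than 32 bytes is currently passed to the verifier after a failed `EXPECT_EQ(32, r.size())` instead of being rejected. Separately, testImplementationHacl never frees `result`; `uint8_t result[64];` on the stack removes both the leak and the unchecked malloc.
```cpp
  // Parse the DER signature for every vector, valid or not, and bounds-check
  // each read; a malformed encoding is itself an expected "invalid" result.
  const bytes& sig = test_case.sig;
  bytes r, s;
  bool parsed = false;
  if (sig.size() >= 8 && sig[0] == 0x30 && !(sig[1] & 0x80) &&
      static_cast<size_t>(sig[1]) + 2 == sig.size() && sig[2] == 0x02) {
    size_t r_len = sig[3];
    size_t pos = 4 + r_len;
    if (pos + 2 < sig.size() && sig[pos] == 0x02 &&
        pos + 2 + static_cast<size_t>(sig[pos + 1]) == sig.size()) {
      r = bytes(sig.begin() + 4, sig.begin() + pos);
      s = bytes(sig.begin() + pos + 2, sig.end());
      parsed = true;
    }
  }
  if (!parsed) {
    EXPECT_FALSE(test_case.valid);
    return;
  }
  // Strip leading zeros and left-pad to 32 bytes; anything longer is out of
  // range for P-256 and must be rejected rather than handed to the verifier.
  while (!r.empty() && r[0] == 0x00) r.erase(r.begin());
  while (!s.empty() && s[0] == 0x00) s.erase(s.begin());
  if (r.size() > 32 || s.size() > 32) {
    EXPECT_FALSE(test_case.valid);
    return;
  }
  r.insert(r.begin(), 32 - r.size(), uint8_t(0));
  s.insert(s.begin(), 32 - s.size(), uint8_t(0));
  // … unchanged: NULL-msg workaround and the EXPECT_EQ against
  // Hacl_P256_ecdsa_verif_p256_sha2 …
```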
+++ b/tests/p256_ecdsa/ecdsa_secp256r1_sha256_test.json 
@@ -0,0 +1,4578 @@ +{ + "algorithm" : "ECDSA", + "generatorVersion" : "0.8r12", + "numberOfTests" : 387, + "header" : [ + "Test vectors of type EcdsaVerify are meant for the verification", + "of ASN encoded ECDSA signatures." + ], + "notes" : { + "BER" : "This is a signature with correct values for (r, s) but using some alternative BER encoding instead of DER encoding. Implementations should not accept such signatures to limit signature malleability.", + "EdgeCase" : "Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA implementation does not check boundaries and computes s^(-1)==0.", + "MissingZero" : "Some implementations of ECDSA and DSA incorrectly encode r and s by not including leading zeros in the ASN encoding of integers when necessary. Hence, some implementations (e.g. jdk) allow signatures with incorrect ASN encodings assuming that the signature is otherwise valid.", + "PointDuplication" : "Some implementations of ECDSA do not handle duplication and points at infinity correctly. This is a test vector that has been specially crafted to check for such an omission." 
+ }, + "schema" : "ecdsa_verify_schema.json", + "testGroups" : [ + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "042927b10512bae3eddcfe467828128bad2903269919f7086069c8c4df6c732838c7787964eaac00e5921fb1498a60f4606766b3d9685001558d1a974e7341513e", + "wx" : "2927b10512bae3eddcfe467828128bad2903269919f7086069c8c4df6c732838", + "wy" : "00c7787964eaac00e5921fb1498a60f4606766b3d9685001558d1a974e7341513e" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200042927b10512bae3eddcfe467828128bad2903269919f7086069c8c4df6c732838c7787964eaac00e5921fb1498a60f4606766b3d9685001558d1a974e7341513e", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKSexBRK64+3c/kZ4KBKLrSkDJpkZ\n9whgacjE32xzKDjHeHlk6qwA5ZIfsUmKYPRgZ2az2WhQAVWNGpdOc0FRPg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 1, + "comment" : "signature malleability", + "msg" : "313233343030", + "sig" : "304402202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e1802204cd60b855d442f5b3c7b11eb6c4e0ae7525fe710fab9aa7c77a67f79e6fadd76", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 2, + "comment" : "Legacy:ASN encoding of s misses leading 0", + "msg" : "313233343030", + "sig" : "304402202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180220b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "acceptable", + "flags" : [ + "MissingZero" + ] + }, + { + "tcId" : 3, + "comment" : "valid", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 4, + "comment" : "long form encoding of length of sequence", + "msg" : "313233343030", + "sig" : 
"30814502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [ + "BER" + ] + }, + { + "tcId" : 5, + "comment" : "length of sequence contains leading 0", + "msg" : "313233343030", + "sig" : "3082004502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [ + "BER" + ] + }, + { + "tcId" : 6, + "comment" : "wrong length of sequence", + "msg" : "313233343030", + "sig" : "304602202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 7, + "comment" : "wrong length of sequence", + "msg" : "313233343030", + "sig" : "304402202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 8, + "comment" : "uint32 overflow in length of sequence", + "msg" : "313233343030", + "sig" : "3085010000004502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 9, + "comment" : "uint64 overflow in length of sequence", + "msg" : "313233343030", + "sig" : "308901000000000000004502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 10, + "comment" : "length of sequence = 2**31 - 1", + "msg" : "313233343030", + "sig" : "30847fffffff02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + 
"flags" : [] + }, + { + "tcId" : 11, + "comment" : "length of sequence = 2**32 - 1", + "msg" : "313233343030", + "sig" : "3084ffffffff02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 12, + "comment" : "length of sequence = 2**40 - 1", + "msg" : "313233343030", + "sig" : "3085ffffffffff02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 13, + "comment" : "length of sequence = 2**64 - 1", + "msg" : "313233343030", + "sig" : "3088ffffffffffffffff02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 14, + "comment" : "incorrect length of sequence", + "msg" : "313233343030", + "sig" : "30ff02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 15, + "comment" : "indefinite length without termination", + "msg" : "313233343030", + "sig" : "308002202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 16, + "comment" : "indefinite length without termination", + "msg" : "313233343030", + "sig" : "304502802ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 17, + "comment" : "indefinite length without termination", + "msg" : "313233343030", + "sig" : 
"304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18028000b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 18, + "comment" : "removing sequence", + "msg" : "313233343030", + "sig" : "", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 19, + "comment" : "lonely sequence tag", + "msg" : "313233343030", + "sig" : "30", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 20, + "comment" : "appending 0's to sequence", + "msg" : "313233343030", + "sig" : "304702202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 21, + "comment" : "prepending 0's to sequence", + "msg" : "313233343030", + "sig" : "3047000002202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 22, + "comment" : "appending unused 0's to sequence", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 23, + "comment" : "appending null value to sequence", + "msg" : "313233343030", + "sig" : "304702202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0500", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 24, + "comment" : "including garbage", + "msg" : "313233343030", + "sig" : "304a498177304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 25, + "comment" : "including garbage", + 
"msg" : "313233343030", + "sig" : "30492500304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 26, + "comment" : "including garbage", + "msg" : "313233343030", + "sig" : "3047304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0004deadbeef", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 27, + "comment" : "including garbage", + "msg" : "313233343030", + "sig" : "304a222549817702202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 28, + "comment" : "including garbage", + "msg" : "313233343030", + "sig" : "30492224250002202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 29, + "comment" : "including garbage", + "msg" : "313233343030", + "sig" : "304d222202202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180004deadbeef022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 30, + "comment" : "including garbage", + "msg" : "313233343030", + "sig" : "304a02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e182226498177022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 31, + "comment" : "including garbage", + "msg" : "313233343030", + "sig" : "304902202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e1822252500022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 32, 
+ "comment" : "including garbage", + "msg" : "313233343030", + "sig" : "304d02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e182223022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0004deadbeef", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 33, + "comment" : "including undefined tags", + "msg" : "313233343030", + "sig" : "304daa00bb00cd00304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 34, + "comment" : "including undefined tags", + "msg" : "313233343030", + "sig" : "304baa02aabb304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 35, + "comment" : "including undefined tags", + "msg" : "313233343030", + "sig" : "304d2228aa00bb00cd0002202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 36, + "comment" : "including undefined tags", + "msg" : "313233343030", + "sig" : "304b2226aa02aabb02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 37, + "comment" : "including undefined tags", + "msg" : "313233343030", + "sig" : "304d02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e182229aa00bb00cd00022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 38, + "comment" : "including undefined tags", + "msg" : "313233343030", + "sig" : 
"304b02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e182227aa02aabb022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 39, + "comment" : "truncated length of sequence", + "msg" : "313233343030", + "sig" : "3081", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 40, + "comment" : "using composition with indefinite length", + "msg" : "313233343030", + "sig" : "3080304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 41, + "comment" : "using composition with indefinite length", + "msg" : "313233343030", + "sig" : "3049228002202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180000022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 42, + "comment" : "using composition with indefinite length", + "msg" : "313233343030", + "sig" : "304902202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e182280022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 43, + "comment" : "using composition with wrong tag", + "msg" : "313233343030", + "sig" : "3080314502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 44, + "comment" : "using composition with wrong tag", + "msg" : "313233343030", + "sig" : "3049228003202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180000022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 45, + "comment" : "using composition with wrong tag", + "msg" : "313233343030", + "sig" : 
"304902202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e182280032100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 46, + "comment" : "Replacing sequence with NULL", + "msg" : "313233343030", + "sig" : "0500", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 47, + "comment" : "changing tag value of sequence", + "msg" : "313233343030", + "sig" : "2e4502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 48, + "comment" : "changing tag value of sequence", + "msg" : "313233343030", + "sig" : "2f4502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 49, + "comment" : "changing tag value of sequence", + "msg" : "313233343030", + "sig" : "314502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 50, + "comment" : "changing tag value of sequence", + "msg" : "313233343030", + "sig" : "324502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 51, + "comment" : "changing tag value of sequence", + "msg" : "313233343030", + "sig" : "ff4502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 52, + "comment" : "dropping value of sequence", + "msg" : "313233343030", + "sig" : "3000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 53, + "comment" : 
"using composition for sequence", + "msg" : "313233343030", + "sig" : "30493001023044202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 54, + "comment" : "truncated sequence", + "msg" : "313233343030", + "sig" : "304402202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 55, + "comment" : "truncated sequence", + "msg" : "313233343030", + "sig" : "3044202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 56, + "comment" : "indefinite length", + "msg" : "313233343030", + "sig" : "308002202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0000", + "result" : "invalid", + "flags" : [ + "BER" + ] + }, + { + "tcId" : 57, + "comment" : "indefinite length with truncated delimiter", + "msg" : "313233343030", + "sig" : "308002202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db00", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 58, + "comment" : "indefinite length with additional element", + "msg" : "313233343030", + "sig" : "308002202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db05000000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 59, + "comment" : "indefinite length with truncated element", + "msg" : "313233343030", + "sig" : 
"308002202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db060811220000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 60, + "comment" : "indefinite length with garbage", + "msg" : "313233343030", + "sig" : "308002202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0000fe02beef", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 61, + "comment" : "indefinite length with nonempty EOC", + "msg" : "313233343030", + "sig" : "308002202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0002beef", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 62, + "comment" : "prepend empty sequence", + "msg" : "313233343030", + "sig" : "3047300002202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 63, + "comment" : "append empty sequence", + "msg" : "313233343030", + "sig" : "304702202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db3000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 64, + "comment" : "append garbage with high tag number", + "msg" : "313233343030", + "sig" : "304802202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847dbbf7f00", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 65, + "comment" : "sequence of sequence", + "msg" : "313233343030", + "sig" : "3047304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 66, 
+ "comment" : "truncated sequence: removed last 1 elements", + "msg" : "313233343030", + "sig" : "302202202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 67, + "comment" : "repeating element in sequence", + "msg" : "313233343030", + "sig" : "306802202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 68, + "comment" : "long form encoding of length of integer", + "msg" : "313233343030", + "sig" : "30460281202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [ + "BER" + ] + }, + { + "tcId" : 69, + "comment" : "long form encoding of length of integer", + "msg" : "313233343030", + "sig" : "304602202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e1802812100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [ + "BER" + ] + }, + { + "tcId" : 70, + "comment" : "length of integer contains leading 0", + "msg" : "313233343030", + "sig" : "3047028200202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [ + "BER" + ] + }, + { + "tcId" : 71, + "comment" : "length of integer contains leading 0", + "msg" : "313233343030", + "sig" : "304702202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180282002100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [ + "BER" + ] + }, + { + "tcId" : 72, + "comment" : "wrong length of integer", + "msg" : "313233343030", + "sig" : 
"304502212ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 73, + "comment" : "wrong length of integer", + "msg" : "313233343030", + "sig" : "3045021f2ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 74, + "comment" : "wrong length of integer", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022200b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 75, + "comment" : "wrong length of integer", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022000b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 76, + "comment" : "uint32 overflow in length of integer", + "msg" : "313233343030", + "sig" : "304a028501000000202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 77, + "comment" : "uint32 overflow in length of integer", + "msg" : "313233343030", + "sig" : "304a02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180285010000002100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 78, + "comment" : "uint64 overflow in length of integer", + "msg" : "313233343030", + "sig" : "304e02890100000000000000202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 
79, + "comment" : "uint64 overflow in length of integer", + "msg" : "313233343030", + "sig" : "304e02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18028901000000000000002100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 80, + "comment" : "length of integer = 2**31 - 1", + "msg" : "313233343030", + "sig" : "304902847fffffff2ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 81, + "comment" : "length of integer = 2**31 - 1", + "msg" : "313233343030", + "sig" : "304902202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e1802847fffffff00b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 82, + "comment" : "length of integer = 2**32 - 1", + "msg" : "313233343030", + "sig" : "30490284ffffffff2ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 83, + "comment" : "length of integer = 2**32 - 1", + "msg" : "313233343030", + "sig" : "304902202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180284ffffffff00b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 84, + "comment" : "length of integer = 2**40 - 1", + "msg" : "313233343030", + "sig" : "304a0285ffffffffff2ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 85, + "comment" : "length of integer = 2**40 - 1", + "msg" : "313233343030", + "sig" : 
"304a02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180285ffffffffff00b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 86, + "comment" : "length of integer = 2**64 - 1", + "msg" : "313233343030", + "sig" : "304d0288ffffffffffffffff2ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 87, + "comment" : "length of integer = 2**64 - 1", + "msg" : "313233343030", + "sig" : "304d02202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180288ffffffffffffffff00b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 88, + "comment" : "incorrect length of integer", + "msg" : "313233343030", + "sig" : "304502ff2ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 89, + "comment" : "incorrect length of integer", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e1802ff00b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 90, + "comment" : "removing integer", + "msg" : "313233343030", + "sig" : "3023022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 91, + "comment" : "lonely integer tag", + "msg" : "313233343030", + "sig" : "302402022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 92, + "comment" : "lonely integer tag", + "msg" : "313233343030", + "sig" : "302302202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e1802", + 
"result" : "invalid", + "flags" : [] + }, + { + "tcId" : 93, + "comment" : "appending 0's to integer", + "msg" : "313233343030", + "sig" : "304702222ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180000022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 94, + "comment" : "appending 0's to integer", + "msg" : "313233343030", + "sig" : "304702202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022300b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0000", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 95, + "comment" : "prepending 0's to integer", + "msg" : "313233343030", + "sig" : "3047022200002ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [ + "BER" + ] + }, + { + "tcId" : 96, + "comment" : "prepending 0's to integer", + "msg" : "313233343030", + "sig" : "304702202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180223000000b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [ + "BER" + ] + }, + { + "tcId" : 97, + "comment" : "appending unused 0's to integer", + "msg" : "313233343030", + "sig" : "304702202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180000022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 98, + "comment" : "appending null value to integer", + "msg" : "313233343030", + "sig" : "304702222ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180500022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 99, + "comment" : "appending null value to integer", + "msg" : "313233343030", + "sig" : 
"304702202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022300b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db0500", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 100, + "comment" : "truncated length of integer", + "msg" : "313233343030", + "sig" : "30250281022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 101, + "comment" : "truncated length of integer", + "msg" : "313233343030", + "sig" : "302402202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180281", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 102, + "comment" : "Replacing integer with NULL", + "msg" : "313233343030", + "sig" : "30250500022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 103, + "comment" : "Replacing integer with NULL", + "msg" : "313233343030", + "sig" : "302402202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180500", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 104, + "comment" : "changing tag value of integer", + "msg" : "313233343030", + "sig" : "304500202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 105, + "comment" : "changing tag value of integer", + "msg" : "313233343030", + "sig" : "304501202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 106, + "comment" : "changing tag value of integer", + "msg" : "313233343030", + "sig" : "304503202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 107, + 
"comment" : "changing tag value of integer", + "msg" : "313233343030", + "sig" : "304504202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 108, + "comment" : "changing tag value of integer", + "msg" : "313233343030", + "sig" : "3045ff202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 109, + "comment" : "changing tag value of integer", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18002100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 110, + "comment" : "changing tag value of integer", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18012100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 111, + "comment" : "changing tag value of integer", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18032100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 112, + "comment" : "changing tag value of integer", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18042100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 113, + "comment" : "changing tag value of integer", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18ff2100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : 
"invalid", + "flags" : [] + }, + { + "tcId" : 114, + "comment" : "dropping value of integer", + "msg" : "313233343030", + "sig" : "30250200022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 115, + "comment" : "dropping value of integer", + "msg" : "313233343030", + "sig" : "302402202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180200", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 116, + "comment" : "using composition for integer", + "msg" : "313233343030", + "sig" : "3049222402012b021fa3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 117, + "comment" : "using composition for integer", + "msg" : "313233343030", + "sig" : "304902202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e1822250201000220b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 118, + "comment" : "modify first byte of integer", + "msg" : "313233343030", + "sig" : "3045022029a3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 119, + "comment" : "modify first byte of integer", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022102b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 120, + "comment" : "modify last byte of integer", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e98022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 121, + "comment" : "modify 
last byte of integer", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b491568475b", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 122, + "comment" : "truncated integer", + "msg" : "313233343030", + "sig" : "3044021f2ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 123, + "comment" : "truncated integer", + "msg" : "313233343030", + "sig" : "3044021fa3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 124, + "comment" : "truncated integer", + "msg" : "313233343030", + "sig" : "304402202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022000b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 125, + "comment" : "leading ff in integer", + "msg" : "313233343030", + "sig" : "30460221ff2ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 126, + "comment" : "leading ff in integer", + "msg" : "313233343030", + "sig" : "304602202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180222ff00b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 127, + "comment" : "replaced integer by infinity", + "msg" : "313233343030", + "sig" : "3026090180022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 128, + "comment" : "replaced integer by infinity", + "msg" : "313233343030", + "sig" : 
"302502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18090180", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 129, + "comment" : "replacing integer with zero", + "msg" : "313233343030", + "sig" : "3026020100022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 130, + "comment" : "replacing integer with zero", + "msg" : "313233343030", + "sig" : "302502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18020100", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 131, + "comment" : "Modified r or s, e.g. by adding or subtracting the order of the group", + "msg" : "313233343030", + "sig" : "30460221012ba3a8bd6b94d5ed80a6d9d1190a436ebccc0833490686deac8635bcb9bf5369022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 132, + "comment" : "Modified r or s, e.g. by adding or subtracting the order of the group", + "msg" : "313233343030", + "sig" : "30460221ff2ba3a8bf6b94d5eb80a6d9d1190a436f42fe12d7fad749d4c512a036c0f908c7022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 133, + "comment" : "Modified r or s, e.g. by adding or subtracting the order of the group", + "msg" : "313233343030", + "sig" : "30450220d45c5741946b2a137f59262ee6f5bc91001af27a5e1117a64733950642a3d1e8022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 134, + "comment" : "Modified r or s, e.g. by adding or subtracting the order of the group", + "msg" : "313233343030", + "sig" : "3046022100d45c5740946b2a147f59262ee6f5bc90bd01ed280528b62b3aed5fc93f06f739022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 135, + "comment" : "Modified r or s, e.g. 
by adding or subtracting the order of the group", + "msg" : "313233343030", + "sig" : "30460221fed45c5742946b2a127f59262ee6f5bc914333f7ccb6f979215379ca434640ac97022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 136, + "comment" : "Modified r or s, e.g. by adding or subtracting the order of the group", + "msg" : "313233343030", + "sig" : "30460221012ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 137, + "comment" : "Modified r or s, e.g. by adding or subtracting the order of the group", + "msg" : "313233343030", + "sig" : "3046022100d45c5741946b2a137f59262ee6f5bc91001af27a5e1117a64733950642a3d1e8022100b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 138, + "comment" : "Modified r or s, e.g. by adding or subtracting the order of the group", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022101b329f478a2bbd0a6c384ee1493b1f518276e0e4a5375928d6fcd160c11cb6d2c", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 139, + "comment" : "Modified r or s, e.g. by adding or subtracting the order of the group", + "msg" : "313233343030", + "sig" : "304402202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180220b329f47aa2bbd0a4c384ee1493b1f518ada018ef05465583885980861905228a", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 140, + "comment" : "Modified r or s, e.g. 
by adding or subtracting the order of the group", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180221ff4cd60b865d442f5a3c7b11eb6c4e0ae79578ec6353a20bf783ecb4b6ea97b825", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 141, + "comment" : "Modified r or s, e.g. by adding or subtracting the order of the group", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e180221fe4cd60b875d442f593c7b11eb6c4e0ae7d891f1b5ac8a6d729032e9f3ee3492d4", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 142, + "comment" : "Modified r or s, e.g. by adding or subtracting the order of the group", + "msg" : "313233343030", + "sig" : "304502202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e18022101b329f479a2bbd0a5c384ee1493b1f5186a87139cac5df4087c134b49156847db", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 143, + "comment" : "Modified r or s, e.g. by adding or subtracting the order of the group", + "msg" : "313233343030", + "sig" : "304402202ba3a8be6b94d5ec80a6d9d1190a436effe50d85a1eee859b8cc6af9bd5c2e1802204cd60b865d442f5a3c7b11eb6c4e0ae79578ec6353a20bf783ecb4b6ea97b825", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 144, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3006020100020100", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 145, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3006020100020101", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 146, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "30060201000201ff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 147, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : 
"3026020100022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 148, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026020100022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 149, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026020100022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 150, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026020100022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 151, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026020100022100ffffffff00000001000000000000000000000001000000000000000000000000", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 152, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3008020100090380fe01", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 153, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3006020100090142", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 154, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3006020101020100", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 155, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3006020101020101", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] 
+ }, + { + "tcId" : 156, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "30060201010201ff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 157, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026020101022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 158, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026020101022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 159, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026020101022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 160, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026020101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 161, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026020101022100ffffffff00000001000000000000000000000001000000000000000000000000", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 162, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3008020101090380fe01", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 163, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3006020101090142", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 164, + "comment" : "Signature with special case values 
for r and s", + "msg" : "313233343030", + "sig" : "30060201ff020100", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 165, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "30060201ff020101", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 166, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "30060201ff0201ff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 167, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "30260201ff022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 168, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "30260201ff022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 169, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "30260201ff022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 170, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "30260201ff022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 171, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "30260201ff022100ffffffff00000001000000000000000000000001000000000000000000000000", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 172, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "30080201ff090380fe01", + 
"result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 173, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "30060201ff090142", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 174, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551020100", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 175, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551020101", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 176, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc6325510201ff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 177, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 178, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 179, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552", + "result" : "invalid", + 
"flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 180, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 181, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551022100ffffffff00000001000000000000000000000001000000000000000000000000", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 182, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3028022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551090380fe01", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 183, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551090142", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 184, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550020100", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 185, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550020101", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 186, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc6325500201ff", + "result" : "invalid", + "flags" : [ + 
"EdgeCase" + ] + }, + { + "tcId" : 187, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 188, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 189, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 190, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 191, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550022100ffffffff00000001000000000000000000000001000000000000000000000000", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 192, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3028022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550090380fe01", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 193, + "comment" : "Signature with special case values 
for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550090142", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 194, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552020100", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 195, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552020101", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 196, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc6325520201ff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 197, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 198, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 199, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 200, + 
"comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 201, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552022100ffffffff00000001000000000000000000000001000000000000000000000000", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 202, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3028022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552090380fe01", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 203, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552090142", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 204, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff020100", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 205, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff020101", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 206, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff0201ff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 207, + "comment" : 
"Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 208, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 209, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 210, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 211, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff022100ffffffff00000001000000000000000000000001000000000000000000000000", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 212, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3028022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff090380fe01", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 213, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : 
"3026022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff090142", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 214, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000001000000000000000000000001000000000000000000000000020100", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 215, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000001000000000000000000000001000000000000000000000000020101", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 216, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff000000010000000000000000000000010000000000000000000000000201ff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 217, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000001000000000000000000000001000000000000000000000000022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 218, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000001000000000000000000000001000000000000000000000000022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 219, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000001000000000000000000000001000000000000000000000000022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632552", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 220, + "comment" : "Signature with special case values for r and 
s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000001000000000000000000000001000000000000000000000000022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 221, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000001000000000000000000000001000000000000000000000000022100ffffffff00000001000000000000000000000001000000000000000000000000", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 222, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3028022100ffffffff00000001000000000000000000000001000000000000000000000000090380fe01", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 223, + "comment" : "Signature with special case values for r and s", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000001000000000000000000000001000000000000000000000000090142", + "result" : "invalid", + "flags" : [ + "EdgeCase" + ] + }, + { + "tcId" : 224, + "comment" : "Signature encoding contains wrong types.", + "msg" : "313233343030", + "sig" : "30060201010c0130", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 225, + "comment" : "Signature encoding contains wrong types.", + "msg" : "313233343030", + "sig" : "30050201010c00", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 226, + "comment" : "Signature encoding contains wrong types.", + "msg" : "313233343030", + "sig" : "30090c0225730c03732573", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 227, + "comment" : "Signature encoding contains wrong types.", + "msg" : "313233343030", + "sig" : "30080201013003020100", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 228, + "comment" : "Signature encoding contains wrong types.", + "msg" : "313233343030", + "sig" : "3003020101", + "result" : "invalid", + "flags" : [] + }, 
+ { + "tcId" : 229, + "comment" : "Signature encoding contains wrong types.", + "msg" : "313233343030", + "sig" : "3006020101010100", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 230, + "comment" : "Edge case for Shamir multiplication", + "msg" : "3639383139", + "sig" : "3044022064a1aab5000d0e804f3e2fc02bdee9be8ff312334e2ba16d11547c97711c898e02206af015971cc30be6d1a206d4e013e0997772a2f91d73286ffd683b9bb2cf4f1b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 231, + "comment" : "special case hash", + "msg" : "343236343739373234", + "sig" : "3044022016aea964a2f6506d6f78c81c91fc7e8bded7d397738448de1e19a0ec580bf2660220252cd762130c6667cfe8b7bc47d27d78391e8e80c578d1cd38c3ff033be928e9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 232, + "comment" : "special case hash", + "msg" : "37313338363834383931", + "sig" : "30450221009cc98be2347d469bf476dfc26b9b733df2d26d6ef524af917c665baccb23c8820220093496459effe2d8d70727b82462f61d0ec1b7847929d10ea631dacb16b56c32", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 233, + "comment" : "special case hash", + "msg" : "3130333539333331363638", + "sig" : "3044022073b3c90ecd390028058164524dde892703dce3dea0d53fa8093999f07ab8aa4302202f67b0b8e20636695bb7d8bf0a651c802ed25a395387b5f4188c0c4075c88634", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 234, + "comment" : "special case hash", + "msg" : "33393439343031323135", + "sig" : "3046022100bfab3098252847b328fadf2f89b95c851a7f0eb390763378f37e90119d5ba3dd022100bdd64e234e832b1067c2d058ccb44d978195ccebb65c2aaf1e2da9b8b4987e3b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 235, + "comment" : "special case hash", + "msg" : "31333434323933303739", + "sig" : "30440220204a9784074b246d8bf8bf04a4ceb1c1f1c9aaab168b1596d17093c5cd21d2cd022051cce41670636783dc06a759c8847868a406c2506fe17975582fe648d1d88b52", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 236, + "comment" : "special case hash", + "msg" : "33373036323131373132", + "sig" 
: "3046022100ed66dc34f551ac82f63d4aa4f81fe2cb0031a91d1314f835027bca0f1ceeaa0302210099ca123aa09b13cd194a422e18d5fda167623c3f6e5d4d6abb8953d67c0c48c7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 237, + "comment" : "special case hash", + "msg" : "333433363838373132", + "sig" : "30450220060b700bef665c68899d44f2356a578d126b062023ccc3c056bf0f60a237012b0221008d186c027832965f4fcc78a3366ca95dedbb410cbef3f26d6be5d581c11d3610", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 238, + "comment" : "special case hash", + "msg" : "31333531353330333730", + "sig" : "30460221009f6adfe8d5eb5b2c24d7aa7934b6cf29c93ea76cd313c9132bb0c8e38c96831d022100b26a9c9e40e55ee0890c944cf271756c906a33e66b5bd15e051593883b5e9902", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 239, + "comment" : "special case hash", + "msg" : "36353533323033313236", + "sig" : "3045022100a1af03ca91677b673ad2f33615e56174a1abf6da168cebfa8868f4ba273f16b7022020aa73ffe48afa6435cd258b173d0c2377d69022e7d098d75caf24c8c5e06b1c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 240, + "comment" : "special case hash", + "msg" : "31353634333436363033", + "sig" : "3045022100fdc70602766f8eed11a6c99a71c973d5659355507b843da6e327a28c11893db902203df5349688a085b137b1eacf456a9e9e0f6d15ec0078ca60a7f83f2b10d21350", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 241, + "comment" : "special case hash", + "msg" : "34343239353339313137", + "sig" : "3046022100b516a314f2fce530d6537f6a6c49966c23456f63c643cf8e0dc738f7b876e675022100d39ffd033c92b6d717dd536fbc5efdf1967c4bd80954479ba66b0120cd16fff2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 242, + "comment" : "special case hash", + "msg" : "3130393533323631333531", + "sig" : "304402203b2cbf046eac45842ecb7984d475831582717bebb6492fd0a485c101e29ff0a802204c9b7b47a98b0f82de512bc9313aaf51701099cac5f76e68c8595fc1c1d99258", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 243, + "comment" : "special case hash", + "msg" : 
"35393837333530303431", + "sig" : "3044022030c87d35e636f540841f14af54e2f9edd79d0312cfa1ab656c3fb15bfde48dcf022047c15a5a82d24b75c85a692bd6ecafeb71409ede23efd08e0db9abf6340677ed", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 244, + "comment" : "special case hash", + "msg" : "33343633303036383738", + "sig" : "3044022038686ff0fda2cef6bc43b58cfe6647b9e2e8176d168dec3c68ff262113760f520220067ec3b651f422669601662167fa8717e976e2db5e6a4cf7c2ddabb3fde9d67d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 245, + "comment" : "special case hash", + "msg" : "39383137333230323837", + "sig" : "3044022044a3e23bf314f2b344fc25c7f2de8b6af3e17d27f5ee844b225985ab6e2775cf02202d48e223205e98041ddc87be532abed584f0411f5729500493c9cc3f4dd15e86", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 246, + "comment" : "special case hash", + "msg" : "33323232303431303436", + "sig" : "304402202ded5b7ec8e90e7bf11f967a3d95110c41b99db3b5aa8d330eb9d638781688e902207d5792c53628155e1bfc46fb1a67e3088de049c328ae1f44ec69238a009808f9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 247, + "comment" : "special case hash", + "msg" : "36363636333037313034", + "sig" : "3046022100bdae7bcb580bf335efd3bc3d31870f923eaccafcd40ec2f605976f15137d8b8f022100f6dfa12f19e525270b0106eecfe257499f373a4fb318994f24838122ce7ec3c7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 248, + "comment" : "special case hash", + "msg" : "31303335393531383938", + "sig" : "3045022050f9c4f0cd6940e162720957ffff513799209b78596956d21ece251c2401f1c6022100d7033a0a787d338e889defaaabb106b95a4355e411a59c32aa5167dfab244726", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 249, + "comment" : "special case hash", + "msg" : "31383436353937313935", + "sig" : "3045022100f612820687604fa01906066a378d67540982e29575d019aabe90924ead5c860d02203f9367702dd7dd4f75ea98afd20e328a1a99f4857b316525328230ce294b0fef", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 250, + "comment" : "special case hash", + 
"msg" : "33313336303436313839", + "sig" : "30460221009505e407657d6e8bc93db5da7aa6f5081f61980c1949f56b0f2f507da5782a7a022100c60d31904e3669738ffbeccab6c3656c08e0ed5cb92b3cfa5e7f71784f9c5021", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 251, + "comment" : "special case hash", + "msg" : "32363633373834323534", + "sig" : "3046022100bbd16fbbb656b6d0d83e6a7787cd691b08735aed371732723e1c68a40404517d0221009d8e35dba96028b7787d91315be675877d2d097be5e8ee34560e3e7fd25c0f00", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 252, + "comment" : "special case hash", + "msg" : "31363532313030353234", + "sig" : "304402202ec9760122db98fd06ea76848d35a6da442d2ceef7559a30cf57c61e92df327e02207ab271da90859479701fccf86e462ee3393fb6814c27b760c4963625c0a19878", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 253, + "comment" : "special case hash", + "msg" : "35373438303831363936", + "sig" : "3044022054e76b7683b6650baa6a7fc49b1c51eed9ba9dd463221f7a4f1005a89fe00c5902202ea076886c773eb937ec1cc8374b7915cfd11b1c1ae1166152f2f7806a31c8fd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 254, + "comment" : "special case hash", + "msg" : "36333433393133343638", + "sig" : "304402205291deaf24659ffbbce6e3c26f6021097a74abdbb69be4fb10419c0c496c9466022065d6fcf336d27cc7cdb982bb4e4ecef5827f84742f29f10abf83469270a03dc3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 255, + "comment" : "special case hash", + "msg" : "31353431313033353938", + "sig" : "30450220207a3241812d75d947419dc58efb05e8003b33fc17eb50f9d15166a88479f107022100cdee749f2e492b213ce80b32d0574f62f1c5d70793cf55e382d5caadf7592767", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 256, + "comment" : "special case hash", + "msg" : "3130343738353830313238", + "sig" : "304502206554e49f82a855204328ac94913bf01bbe84437a355a0a37c0dee3cf81aa7728022100aea00de2507ddaf5c94e1e126980d3df16250a2eaebc8be486effe7f22b4f929", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 257, + "comment" : "special case 
hash", + "msg" : "3130353336323835353638", + "sig" : "3046022100a54c5062648339d2bff06f71c88216c26c6e19b4d80a8c602990ac82707efdfc022100e99bbe7fcfafae3e69fd016777517aa01056317f467ad09aff09be73c9731b0d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 258, + "comment" : "special case hash", + "msg" : "393533393034313035", + "sig" : "3045022100975bd7157a8d363b309f1f444012b1a1d23096593133e71b4ca8b059cff37eaf02207faa7a28b1c822baa241793f2abc930bd4c69840fe090f2aacc46786bf919622", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 259, + "comment" : "special case hash", + "msg" : "393738383438303339", + "sig" : "304402205694a6f84b8f875c276afd2ebcfe4d61de9ec90305afb1357b95b3e0da43885e02200dffad9ffd0b757d8051dec02ebdf70d8ee2dc5c7870c0823b6ccc7c679cbaa4", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 260, + "comment" : "special case hash", + "msg" : "33363130363732343432", + "sig" : "3045022100a0c30e8026fdb2b4b4968a27d16a6d08f7098f1a98d21620d7454ba9790f1ba602205e470453a8a399f15baf463f9deceb53acc5ca64459149688bd2760c65424339", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 261, + "comment" : "special case hash", + "msg" : "31303534323430373035", + "sig" : "30440220614ea84acf736527dd73602cd4bb4eea1dfebebd5ad8aca52aa0228cf7b99a880220737cc85f5f2d2f60d1b8183f3ed490e4de14368e96a9482c2a4dd193195c902f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 262, + "comment" : "special case hash", + "msg" : "35313734343438313937", + "sig" : "3045022100bead6734ebe44b810d3fb2ea00b1732945377338febfd439a8d74dfbd0f942fa02206bb18eae36616a7d3cad35919fd21a8af4bbe7a10f73b3e036a46b103ef56e2a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 263, + "comment" : "special case hash", + "msg" : "31393637353631323531", + "sig" : "30440220499625479e161dacd4db9d9ce64854c98d922cbf212703e9654fae182df9bad2022042c177cf37b8193a0131108d97819edd9439936028864ac195b64fca76d9d693", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 264, + "comment" : "special 
case hash", + "msg" : "33343437323533333433", + "sig" : "3045022008f16b8093a8fb4d66a2c8065b541b3d31e3bfe694f6b89c50fb1aaa6ff6c9b20221009d6455e2d5d1779748573b611cb95d4a21f967410399b39b535ba3e5af81ca2e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 265, + "comment" : "special case hash", + "msg" : "333638323634333138", + "sig" : "3046022100be26231b6191658a19dd72ddb99ed8f8c579b6938d19bce8eed8dc2b338cb5f8022100e1d9a32ee56cffed37f0f22b2dcb57d5c943c14f79694a03b9c5e96952575c89", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 266, + "comment" : "special case hash", + "msg" : "33323631313938363038", + "sig" : "3045022015e76880898316b16204ac920a02d58045f36a229d4aa4f812638c455abe0443022100e74d357d3fcb5c8c5337bd6aba4178b455ca10e226e13f9638196506a1939123", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 267, + "comment" : "special case hash", + "msg" : "39363738373831303934", + "sig" : "30440220352ecb53f8df2c503a45f9846fc28d1d31e6307d3ddbffc1132315cc07f16dad02201348dfa9c482c558e1d05c5242ca1c39436726ecd28258b1899792887dd0a3c6", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 268, + "comment" : "special case hash", + "msg" : "34393538383233383233", + "sig" : "304402204a40801a7e606ba78a0da9882ab23c7677b8642349ed3d652c5bfa5f2a9558fb02203a49b64848d682ef7f605f2832f7384bdc24ed2925825bf8ea77dc5981725782", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 269, + "comment" : "special case hash", + "msg" : "383234363337383337", + "sig" : "3045022100eacc5e1a8304a74d2be412b078924b3bb3511bac855c05c9e5e9e44df3d61e9602207451cd8e18d6ed1885dd827714847f96ec4bb0ed4c36ce9808db8f714204f6d1", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 270, + "comment" : "special case hash", + "msg" : "3131303230383333373736", + "sig" : "304502202f7a5e9e5771d424f30f67fdab61e8ce4f8cd1214882adb65f7de94c31577052022100ac4e69808345809b44acb0b2bd889175fb75dd050c5a449ab9528f8f78daa10c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 271, + "comment" : 
"special case hash", + "msg" : "313333383731363438", + "sig" : "3045022100ffcda40f792ce4d93e7e0f0e95e1a2147dddd7f6487621c30a03d710b3300219022079938b55f8a17f7ed7ba9ade8f2065a1fa77618f0b67add8d58c422c2453a49a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 272, + "comment" : "special case hash", + "msg" : "333232313434313632", + "sig" : "304602210081f2359c4faba6b53d3e8c8c3fcc16a948350f7ab3a588b28c17603a431e39a8022100cd6f6a5cc3b55ead0ff695d06c6860b509e46d99fccefb9f7f9e101857f74300", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 273, + "comment" : "special case hash", + "msg" : "3130363836363535353436", + "sig" : "3045022100dfc8bf520445cbb8ee1596fb073ea283ea130251a6fdffa5c3f5f2aaf75ca8080220048e33efce147c9dd92823640e338e68bfd7d0dc7a4905b3a7ac711e577e90e7", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 274, + "comment" : "special case hash", + "msg" : "3632313535323436", + "sig" : "3046022100ad019f74c6941d20efda70b46c53db166503a0e393e932f688227688ba6a576202210093320eb7ca0710255346bdbb3102cdcf7964ef2e0988e712bc05efe16c199345", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 275, + "comment" : "special case hash", + "msg" : "37303330383138373734", + "sig" : "3046022100ac8096842e8add68c34e78ce11dd71e4b54316bd3ebf7fffdeb7bd5a3ebc1883022100f5ca2f4f23d674502d4caf85d187215d36e3ce9f0ce219709f21a3aac003b7a8", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 276, + "comment" : "special case hash", + "msg" : "35393234353233373434", + "sig" : "30440220677b2d3a59b18a5ff939b70ea002250889ddcd7b7b9d776854b4943693fb92f702206b4ba856ade7677bf30307b21f3ccda35d2f63aee81efd0bab6972cc0795db55", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 277, + "comment" : "special case hash", + "msg" : "31343935353836363231", + "sig" : "30450220479e1ded14bcaed0379ba8e1b73d3115d84d31d4b7c30e1f05e1fc0d5957cfb0022100918f79e35b3d89487cf634a4f05b2e0c30857ca879f97c771e877027355b2443", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 278, + 
"comment" : "special case hash", + "msg" : "34303035333134343036", + "sig" : "3044022043dfccd0edb9e280d9a58f01164d55c3d711e14b12ac5cf3b64840ead512a0a302201dbe33fa8ba84533cd5c4934365b3442ca1174899b78ef9a3199f49584389772", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 279, + "comment" : "special case hash", + "msg" : "33303936343537353132", + "sig" : "304402205b09ab637bd4caf0f4c7c7e4bca592fea20e9087c259d26a38bb4085f0bbff11022045b7eb467b6748af618e9d80d6fdcd6aa24964e5a13f885bca8101de08eb0d75", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 280, + "comment" : "special case hash", + "msg" : "32373834303235363230", + "sig" : "304502205e9b1c5a028070df5728c5c8af9b74e0667afa570a6cfa0114a5039ed15ee06f022100b1360907e2d9785ead362bb8d7bd661b6c29eeffd3c5037744edaeb9ad990c20", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 281, + "comment" : "special case hash", + "msg" : "32363138373837343138", + "sig" : "304502200671a0a85c2b72d54a2fb0990e34538b4890050f5a5712f6d1a7a5fb8578f32e022100db1846bab6b7361479ab9c3285ca41291808f27fd5bd4fdac720e5854713694c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 282, + "comment" : "special case hash", + "msg" : "31363432363235323632", + "sig" : "304402207673f8526748446477dbbb0590a45492c5d7d69859d301abbaedb35b2095103a02203dc70ddf9c6b524d886bed9e6af02e0e4dec0d417a414fed3807ef4422913d7c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 283, + "comment" : "special case hash", + "msg" : "36383234313839343336", + "sig" : "304402207f085441070ecd2bb21285089ebb1aa6450d1a06c36d3ff39dfd657a796d12b50220249712012029870a2459d18d47da9aa492a5e6cb4b2d8dafa9e4c5c54a2b9a8b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 284, + "comment" : "special case hash", + "msg" : "343834323435343235", + "sig" : "3046022100914c67fb61dd1e27c867398ea7322d5ab76df04bc5aa6683a8e0f30a5d287348022100fa07474031481dda4953e3ac1959ee8cea7e66ec412b38d6c96d28f6d37304ea", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" 
: { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "040ad99500288d466940031d72a9f5445a4d43784640855bf0a69874d2de5fe103c5011e6ef2c42dcd50d5d3d29f99ae6eba2c80c9244f4c5422f0979ff0c3ba5e", + "wx" : "0ad99500288d466940031d72a9f5445a4d43784640855bf0a69874d2de5fe103", + "wy" : "00c5011e6ef2c42dcd50d5d3d29f99ae6eba2c80c9244f4c5422f0979ff0c3ba5e" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200040ad99500288d466940031d72a9f5445a4d43784640855bf0a69874d2de5fe103c5011e6ef2c42dcd50d5d3d29f99ae6eba2c80c9244f4c5422f0979ff0c3ba5e", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECtmVACiNRmlAAx1yqfVEWk1DeEZA\nhVvwpph00t5f4QPFAR5u8sQtzVDV09Kfma5uuiyAySRPTFQi8Jef8MO6Xg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 285, + "comment" : "k*G has a large x-coordinate", + "msg" : "313233343030", + "sig" : "303502104319055358e8617b0c46353d039cdaab022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 286, + "comment" : "r too large", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000001000000000000000000000000fffffffffffffffffffffffc022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254e", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04ab05fd9d0de26b9ce6f4819652d9fc69193d0aa398f0fba8013e09c58220455419235271228c786759095d12b75af0692dd4103f19f6a8c32f49435a1e9b8d45", + "wx" : "00ab05fd9d0de26b9ce6f4819652d9fc69193d0aa398f0fba8013e09c582204554", + "wy" : "19235271228c786759095d12b75af0692dd4103f19f6a8c32f49435a1e9b8d45" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004ab05fd9d0de26b9ce6f4819652d9fc69193d0aa398f0fba8013e09c58220455419235271228c786759095d12b75af0692dd4103f19f6a8c32f49435a1e9b8d45", + "keyPem" : 
"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqwX9nQ3ia5zm9IGWUtn8aRk9CqOY\n8PuoAT4JxYIgRVQZI1JxIox4Z1kJXRK3WvBpLdQQPxn2qMMvSUNaHpuNRQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 287, + "comment" : "r,s are large", + "msg" : "313233343030", + "sig" : "3046022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254f022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254e", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "0480984f39a1ff38a86a68aa4201b6be5dfbfecf876219710b07badf6fdd4c6c5611feb97390d9826e7a06dfb41871c940d74415ed3cac2089f1445019bb55ed95", + "wx" : "0080984f39a1ff38a86a68aa4201b6be5dfbfecf876219710b07badf6fdd4c6c56", + "wy" : "11feb97390d9826e7a06dfb41871c940d74415ed3cac2089f1445019bb55ed95" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d0301070342000480984f39a1ff38a86a68aa4201b6be5dfbfecf876219710b07badf6fdd4c6c5611feb97390d9826e7a06dfb41871c940d74415ed3cac2089f1445019bb55ed95", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgJhPOaH/OKhqaKpCAba+Xfv+z4di\nGXELB7rfb91MbFYR/rlzkNmCbnoG37QYcclA10QV7TysIInxRFAZu1XtlQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 288, + "comment" : "r and s^-1 have a large Hamming weight", + "msg" : "313233343030", + "sig" : "304502207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022100909135bdb6799286170f5ead2de4f6511453fe50914f3df2de54a36383df8dd4", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "044201b4272944201c3294f5baa9a3232b6dd687495fcc19a70a95bc602b4f7c0595c37eba9ee8171c1bb5ac6feaf753bc36f463e3aef16629572c0c0a8fb0800e", + "wx" : 
"4201b4272944201c3294f5baa9a3232b6dd687495fcc19a70a95bc602b4f7c05", + "wy" : "0095c37eba9ee8171c1bb5ac6feaf753bc36f463e3aef16629572c0c0a8fb0800e" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200044201b4272944201c3294f5baa9a3232b6dd687495fcc19a70a95bc602b4f7c0595c37eba9ee8171c1bb5ac6feaf753bc36f463e3aef16629572c0c0a8fb0800e", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQgG0JylEIBwylPW6qaMjK23Wh0lf\nzBmnCpW8YCtPfAWVw366nugXHBu1rG/q91O8NvRj467xZilXLAwKj7CADg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 289, + "comment" : "r and s^-1 have a large Hamming weight", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022027b4577ca009376f71303fd5dd227dcef5deb773ad5f5a84360644669ca249a5", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04a71af64de5126a4a4e02b7922d66ce9415ce88a4c9d25514d91082c8725ac9575d47723c8fbe580bb369fec9c2665d8e30a435b9932645482e7c9f11e872296b", + "wx" : "00a71af64de5126a4a4e02b7922d66ce9415ce88a4c9d25514d91082c8725ac957", + "wy" : "5d47723c8fbe580bb369fec9c2665d8e30a435b9932645482e7c9f11e872296b" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004a71af64de5126a4a4e02b7922d66ce9415ce88a4c9d25514d91082c8725ac9575d47723c8fbe580bb369fec9c2665d8e30a435b9932645482e7c9f11e872296b", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEpxr2TeUSakpOAreSLWbOlBXOiKTJ\n0lUU2RCCyHJayVddR3I8j75YC7Np/snCZl2OMKQ1uZMmRUgufJ8R6HIpaw==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 290, + "comment" : "small r and s", + "msg" : "313233343030", + "sig" : "3006020105020101", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : 
"EcPublicKey", + "uncompressed" : "046627cec4f0731ea23fc2931f90ebe5b7572f597d20df08fc2b31ee8ef16b15726170ed77d8d0a14fc5c9c3c4c9be7f0d3ee18f709bb275eaf2073e258fe694a5", + "wx" : "6627cec4f0731ea23fc2931f90ebe5b7572f597d20df08fc2b31ee8ef16b1572", + "wy" : "6170ed77d8d0a14fc5c9c3c4c9be7f0d3ee18f709bb275eaf2073e258fe694a5" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200046627cec4f0731ea23fc2931f90ebe5b7572f597d20df08fc2b31ee8ef16b15726170ed77d8d0a14fc5c9c3c4c9be7f0d3ee18f709bb275eaf2073e258fe694a5", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZifOxPBzHqI/wpMfkOvlt1cvWX0g\n3wj8KzHujvFrFXJhcO132NChT8XJw8TJvn8NPuGPcJuyderyBz4lj+aUpQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 291, + "comment" : "small r and s", + "msg" : "313233343030", + "sig" : "3006020105020103", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "045a7c8825e85691cce1f5e7544c54e73f14afc010cb731343262ca7ec5a77f5bfef6edf62a4497c1bd7b147fb6c3d22af3c39bfce95f30e13a16d3d7b2812f813", + "wx" : "5a7c8825e85691cce1f5e7544c54e73f14afc010cb731343262ca7ec5a77f5bf", + "wy" : "00ef6edf62a4497c1bd7b147fb6c3d22af3c39bfce95f30e13a16d3d7b2812f813" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200045a7c8825e85691cce1f5e7544c54e73f14afc010cb731343262ca7ec5a77f5bfef6edf62a4497c1bd7b147fb6c3d22af3c39bfce95f30e13a16d3d7b2812f813", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWnyIJehWkczh9edUTFTnPxSvwBDL\ncxNDJiyn7Fp39b/vbt9ipEl8G9exR/tsPSKvPDm/zpXzDhOhbT17KBL4Ew==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 292, + "comment" : "small r and s", + "msg" : "313233343030", + "sig" : "3006020105020105", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + 
"keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04cbe0c29132cd738364fedd603152990c048e5e2fff996d883fa6caca7978c73770af6a8ce44cb41224b2603606f4c04d188e80bff7cc31ad5189d4ab0d70e8c1", + "wx" : "00cbe0c29132cd738364fedd603152990c048e5e2fff996d883fa6caca7978c737", + "wy" : "70af6a8ce44cb41224b2603606f4c04d188e80bff7cc31ad5189d4ab0d70e8c1" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004cbe0c29132cd738364fedd603152990c048e5e2fff996d883fa6caca7978c73770af6a8ce44cb41224b2603606f4c04d188e80bff7cc31ad5189d4ab0d70e8c1", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEy+DCkTLNc4Nk/t1gMVKZDASOXi//\nmW2IP6bKynl4xzdwr2qM5Ey0EiSyYDYG9MBNGI6Av/fMMa1RidSrDXDowQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 293, + "comment" : "small r and s", + "msg" : "313233343030", + "sig" : "3006020105020106", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 294, + "comment" : "r is larger than n", + "msg" : "313233343030", + "sig" : "3026022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632556020106", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "044be4178097002f0deab68f0d9a130e0ed33a6795d02a20796db83444b037e13920f13051e0eecdcfce4dacea0f50d1f247caa669f193c1b4075b51ae296d2d56", + "wx" : "4be4178097002f0deab68f0d9a130e0ed33a6795d02a20796db83444b037e139", + "wy" : "20f13051e0eecdcfce4dacea0f50d1f247caa669f193c1b4075b51ae296d2d56" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200044be4178097002f0deab68f0d9a130e0ed33a6795d02a20796db83444b037e13920f13051e0eecdcfce4dacea0f50d1f247caa669f193c1b4075b51ae296d2d56", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAES+QXgJcALw3qto8NmhMODtM6Z5XQ\nKiB5bbg0RLA34Tkg8TBR4O7Nz85NrOoPUNHyR8qmafGTwbQHW1GuKW0tVg==\n-----END PUBLIC KEY-----", + "sha" : 
"SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 295, + "comment" : "s is larger than n", + "msg" : "313233343030", + "sig" : "3026020105022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc75fbd8", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04d0f73792203716afd4be4329faa48d269f15313ebbba379d7783c97bf3e890d9971f4a3206605bec21782bf5e275c714417e8f566549e6bc68690d2363c89cc1", + "wx" : "00d0f73792203716afd4be4329faa48d269f15313ebbba379d7783c97bf3e890d9", + "wy" : "00971f4a3206605bec21782bf5e275c714417e8f566549e6bc68690d2363c89cc1" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004d0f73792203716afd4be4329faa48d269f15313ebbba379d7783c97bf3e890d9971f4a3206605bec21782bf5e275c714417e8f566549e6bc68690d2363c89cc1", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0Pc3kiA3Fq/UvkMp+qSNJp8VMT67\nujedd4PJe/PokNmXH0oyBmBb7CF4K/XidccUQX6PVmVJ5rxoaQ0jY8icwQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 296, + "comment" : "small r and s^-1", + "msg" : "313233343030", + "sig" : "3027020201000221008f1e3c7862c58b16bb76eddbb76eddbb516af4f63f2d74d76e0d28c9bb75ea88", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "044838b2be35a6276a80ef9e228140f9d9b96ce83b7a254f71ccdebbb8054ce05ffa9cbc123c919b19e00238198d04069043bd660a828814051fcb8aac738a6c6b", + "wx" : "4838b2be35a6276a80ef9e228140f9d9b96ce83b7a254f71ccdebbb8054ce05f", + "wy" : "00fa9cbc123c919b19e00238198d04069043bd660a828814051fcb8aac738a6c6b" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200044838b2be35a6276a80ef9e228140f9d9b96ce83b7a254f71ccdebbb8054ce05ffa9cbc123c919b19e00238198d04069043bd660a828814051fcb8aac738a6c6b", + "keyPem" : "-----BEGIN PUBLIC 
KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESDiyvjWmJ2qA754igUD52bls6Dt6\nJU9xzN67uAVM4F/6nLwSPJGbGeACOBmNBAaQQ71mCoKIFAUfy4qsc4psaw==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 297, + "comment" : "smallish r and s^-1", + "msg" : "313233343030", + "sig" : "302c02072d9b4d347952d6022100ef3043e7329581dbb3974497710ab11505ee1c87ff907beebadd195a0ffe6d7a", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "047393983ca30a520bbc4783dc9960746aab444ef520c0a8e771119aa4e74b0f64e9d7be1ab01a0bf626e709863e6a486dbaf32793afccf774e2c6cd27b1857526", + "wx" : "7393983ca30a520bbc4783dc9960746aab444ef520c0a8e771119aa4e74b0f64", + "wy" : "00e9d7be1ab01a0bf626e709863e6a486dbaf32793afccf774e2c6cd27b1857526" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200047393983ca30a520bbc4783dc9960746aab444ef520c0a8e771119aa4e74b0f64e9d7be1ab01a0bf626e709863e6a486dbaf32793afccf774e2c6cd27b1857526", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEc5OYPKMKUgu8R4PcmWB0aqtETvUg\nwKjncRGapOdLD2Tp174asBoL9ibnCYY+akhtuvMnk6/M93Tixs0nsYV1Jg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 298, + "comment" : "100-bit r and small s^-1", + "msg" : "313233343030", + "sig" : "3032020d1033e67e37b32b445580bf4eff0221008b748b74000000008b748b748b748b7466e769ad4a16d3dcd87129b8e91d1b4d", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "045ac331a1103fe966697379f356a937f350588a05477e308851b8a502d5dfcdc5fe9993df4b57939b2b8da095bf6d794265204cfe03be995a02e65d408c871c0b", + "wx" : "5ac331a1103fe966697379f356a937f350588a05477e308851b8a502d5dfcdc5", + "wy" : "00fe9993df4b57939b2b8da095bf6d794265204cfe03be995a02e65d408c871c0b" + }, + "keyDer" : 
"3059301306072a8648ce3d020106082a8648ce3d030107034200045ac331a1103fe966697379f356a937f350588a05477e308851b8a502d5dfcdc5fe9993df4b57939b2b8da095bf6d794265204cfe03be995a02e65d408c871c0b", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWsMxoRA/6WZpc3nzVqk381BYigVH\nfjCIUbilAtXfzcX+mZPfS1eTmyuNoJW/bXlCZSBM/gO+mVoC5l1AjIccCw==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 299, + "comment" : "small r and 100 bit s^-1", + "msg" : "313233343030", + "sig" : "302702020100022100ef9f6ba4d97c09d03178fa20b4aaad83be3cf9cb824a879fec3270fc4b81ef5b", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "041d209be8de2de877095a399d3904c74cc458d926e27bb8e58e5eae5767c41509dd59e04c214f7b18dce351fc2a549893a6860e80163f38cc60a4f2c9d040d8c9", + "wx" : "1d209be8de2de877095a399d3904c74cc458d926e27bb8e58e5eae5767c41509", + "wy" : "00dd59e04c214f7b18dce351fc2a549893a6860e80163f38cc60a4f2c9d040d8c9" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200041d209be8de2de877095a399d3904c74cc458d926e27bb8e58e5eae5767c41509dd59e04c214f7b18dce351fc2a549893a6860e80163f38cc60a4f2c9d040d8c9", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHSCb6N4t6HcJWjmdOQTHTMRY2Sbi\ne7jljl6uV2fEFQndWeBMIU97GNzjUfwqVJiTpoYOgBY/OMxgpPLJ0EDYyQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 300, + "comment" : "100-bit r and s^-1", + "msg" : "313233343030", + "sig" : "3032020d062522bbd3ecbe7c39e93e7c25022100ef9f6ba4d97c09d03178fa20b4aaad83be3cf9cb824a879fec3270fc4b81ef5b", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : 
"04083539fbee44625e3acaafa2fcb41349392cef0633a1b8fabecee0c133b10e99915c1ebe7bf00df8535196770a58047ae2a402f26326bb7d41d4d7616337911e", + "wx" : "083539fbee44625e3acaafa2fcb41349392cef0633a1b8fabecee0c133b10e99", + "wy" : "00915c1ebe7bf00df8535196770a58047ae2a402f26326bb7d41d4d7616337911e" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004083539fbee44625e3acaafa2fcb41349392cef0633a1b8fabecee0c133b10e99915c1ebe7bf00df8535196770a58047ae2a402f26326bb7d41d4d7616337911e", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECDU5++5EYl46yq+i/LQTSTks7wYz\nobj6vs7gwTOxDpmRXB6+e/AN+FNRlncKWAR64qQC8mMmu31B1NdhYzeRHg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 301, + "comment" : "r and s^-1 are close to n", + "msg" : "313233343030", + "sig" : "3045022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc6324d50220555555550000000055555555555555553ef7a8e48d07df81a693439654210c70", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "048aeb368a7027a4d64abdea37390c0c1d6a26f399e2d9734de1eb3d0e1937387405bd13834715e1dbae9b875cf07bd55e1b6691c7f7536aef3b19bf7a4adf576d", + "wx" : "008aeb368a7027a4d64abdea37390c0c1d6a26f399e2d9734de1eb3d0e19373874", + "wy" : "05bd13834715e1dbae9b875cf07bd55e1b6691c7f7536aef3b19bf7a4adf576d" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200048aeb368a7027a4d64abdea37390c0c1d6a26f399e2d9734de1eb3d0e1937387405bd13834715e1dbae9b875cf07bd55e1b6691c7f7536aef3b19bf7a4adf576d", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEius2inAnpNZKveo3OQwMHWom85ni\n2XNN4es9Dhk3OHQFvRODRxXh266bh1zwe9VeG2aRx/dTau87Gb96St9XbQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 302, + "comment" : "s == 1", + "msg" : "313233343030", + "sig" : 
"30250220555555550000000055555555555555553ef7a8e48d07df81a693439654210c70020101", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 303, + "comment" : "s == 0", + "msg" : "313233343030", + "sig" : "30250220555555550000000055555555555555553ef7a8e48d07df81a693439654210c70020100", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04b533d4695dd5b8c5e07757e55e6e516f7e2c88fa0239e23f60e8ec07dd70f2871b134ee58cc583278456863f33c3a85d881f7d4a39850143e29d4eaf009afe47", + "wx" : "00b533d4695dd5b8c5e07757e55e6e516f7e2c88fa0239e23f60e8ec07dd70f287", + "wy" : "1b134ee58cc583278456863f33c3a85d881f7d4a39850143e29d4eaf009afe47" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004b533d4695dd5b8c5e07757e55e6e516f7e2c88fa0239e23f60e8ec07dd70f2871b134ee58cc583278456863f33c3a85d881f7d4a39850143e29d4eaf009afe47", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtTPUaV3VuMXgd1flXm5Rb34siPoC\nOeI/YOjsB91w8ocbE07ljMWDJ4RWhj8zw6hdiB99SjmFAUPinU6vAJr+Rw==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 304, + "comment" : "point at infinity during verify", + "msg" : "313233343030", + "sig" : "304402207fffffff800000007fffffffffffffffde737d56d38bcf4279dce5617e3192a80220555555550000000055555555555555553ef7a8e48d07df81a693439654210c70", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04f50d371b91bfb1d7d14e1323523bc3aa8cbf2c57f9e284de628c8b4536787b86f94ad887ac94d527247cd2e7d0c8b1291c553c9730405380b14cbb209f5fa2dd", + "wx" : "00f50d371b91bfb1d7d14e1323523bc3aa8cbf2c57f9e284de628c8b4536787b86", + "wy" : "00f94ad887ac94d527247cd2e7d0c8b1291c553c9730405380b14cbb209f5fa2dd" + }, + "keyDer" : 
"3059301306072a8648ce3d020106082a8648ce3d03010703420004f50d371b91bfb1d7d14e1323523bc3aa8cbf2c57f9e284de628c8b4536787b86f94ad887ac94d527247cd2e7d0c8b1291c553c9730405380b14cbb209f5fa2dd", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9Q03G5G/sdfRThMjUjvDqoy/LFf5\n4oTeYoyLRTZ4e4b5StiHrJTVJyR80ufQyLEpHFU8lzBAU4CxTLsgn1+i3Q==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 305, + "comment" : "edge case for signature malleability", + "msg" : "313233343030", + "sig" : "304402207fffffff800000007fffffffffffffffde737d56d38bcf4279dce5617e3192a902207fffffff800000007fffffffffffffffde737d56d38bcf4279dce5617e3192a8", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "0468ec6e298eafe16539156ce57a14b04a7047c221bafc3a582eaeb0d857c4d94697bed1af17850117fdb39b2324f220a5698ed16c426a27335bb385ac8ca6fb30", + "wx" : "68ec6e298eafe16539156ce57a14b04a7047c221bafc3a582eaeb0d857c4d946", + "wy" : "0097bed1af17850117fdb39b2324f220a5698ed16c426a27335bb385ac8ca6fb30" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d0301070342000468ec6e298eafe16539156ce57a14b04a7047c221bafc3a582eaeb0d857c4d94697bed1af17850117fdb39b2324f220a5698ed16c426a27335bb385ac8ca6fb30", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaOxuKY6v4WU5FWzlehSwSnBHwiG6\n/DpYLq6w2FfE2UaXvtGvF4UBF/2zmyMk8iClaY7RbEJqJzNbs4WsjKb7MA==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 306, + "comment" : "edge case for signature malleability", + "msg" : "313233343030", + "sig" : "304402207fffffff800000007fffffffffffffffde737d56d38bcf4279dce5617e3192a902207fffffff800000007fffffffffffffffde737d56d38bcf4279dce5617e3192a9", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + 
"uncompressed" : "0469da0364734d2e530fece94019265fefb781a0f1b08f6c8897bdf6557927c8b866d2d3c7dcd518b23d726960f069ad71a933d86ef8abbcce8b20f71e2a847002", + "wx" : "69da0364734d2e530fece94019265fefb781a0f1b08f6c8897bdf6557927c8b8", + "wy" : "66d2d3c7dcd518b23d726960f069ad71a933d86ef8abbcce8b20f71e2a847002" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d0301070342000469da0364734d2e530fece94019265fefb781a0f1b08f6c8897bdf6557927c8b866d2d3c7dcd518b23d726960f069ad71a933d86ef8abbcce8b20f71e2a847002", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEadoDZHNNLlMP7OlAGSZf77eBoPGw\nj2yIl732VXknyLhm0tPH3NUYsj1yaWDwaa1xqTPYbvirvM6LIPceKoRwAg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 307, + "comment" : "u1 == 1", + "msg" : "313233343030", + "sig" : "30450220555555550000000055555555555555553ef7a8e48d07df81a693439654210c70022100bb5a52f42f9c9261ed4361f59422a1e30036e7c32b270c8807a419feca605023", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04d8adc00023a8edc02576e2b63e3e30621a471e2b2320620187bf067a1ac1ff3233e2b50ec09807accb36131fff95ed12a09a86b4ea9690aa32861576ba2362e1", + "wx" : "00d8adc00023a8edc02576e2b63e3e30621a471e2b2320620187bf067a1ac1ff32", + "wy" : "33e2b50ec09807accb36131fff95ed12a09a86b4ea9690aa32861576ba2362e1" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004d8adc00023a8edc02576e2b63e3e30621a471e2b2320620187bf067a1ac1ff3233e2b50ec09807accb36131fff95ed12a09a86b4ea9690aa32861576ba2362e1", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2K3AACOo7cAlduK2Pj4wYhpHHisj\nIGIBh78GehrB/zIz4rUOwJgHrMs2Ex//le0SoJqGtOqWkKoyhhV2uiNi4Q==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 308, + "comment" : "u1 == n - 1", + "msg" : "313233343030", + "sig" : 
"30440220555555550000000055555555555555553ef7a8e48d07df81a693439654210c70022044a5ad0ad0636d9f12bc9e0a6bdd5e1cbcb012ea7bf091fcec15b0c43202d52e", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "043623ac973ced0a56fa6d882f03a7d5c7edca02cfc7b2401fab3690dbe75ab7858db06908e64b28613da7257e737f39793da8e713ba0643b92e9bb3252be7f8fe", + "wx" : "3623ac973ced0a56fa6d882f03a7d5c7edca02cfc7b2401fab3690dbe75ab785", + "wy" : "008db06908e64b28613da7257e737f39793da8e713ba0643b92e9bb3252be7f8fe" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200043623ac973ced0a56fa6d882f03a7d5c7edca02cfc7b2401fab3690dbe75ab7858db06908e64b28613da7257e737f39793da8e713ba0643b92e9bb3252be7f8fe", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENiOslzztClb6bYgvA6fVx+3KAs/H\nskAfqzaQ2+dat4WNsGkI5ksoYT2nJX5zfzl5PajnE7oGQ7kum7MlK+f4/g==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 309, + "comment" : "u2 == 1", + "msg" : "313233343030", + "sig" : "30440220555555550000000055555555555555553ef7a8e48d07df81a693439654210c700220555555550000000055555555555555553ef7a8e48d07df81a693439654210c70", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04cf04ea77e9622523d894b93ff52dc3027b31959503b6fa3890e5e04263f922f1e8528fb7c006b3983c8b8400e57b4ed71740c2f3975438821199bedeaecab2e9", + "wx" : "00cf04ea77e9622523d894b93ff52dc3027b31959503b6fa3890e5e04263f922f1", + "wy" : "00e8528fb7c006b3983c8b8400e57b4ed71740c2f3975438821199bedeaecab2e9" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004cf04ea77e9622523d894b93ff52dc3027b31959503b6fa3890e5e04263f922f1e8528fb7c006b3983c8b8400e57b4ed71740c2f3975438821199bedeaecab2e9", + "keyPem" : "-----BEGIN PUBLIC 
KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzwTqd+liJSPYlLk/9S3DAnsxlZUD\ntvo4kOXgQmP5IvHoUo+3wAazmDyLhADle07XF0DC85dUOIIRmb7ersqy6Q==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 310, + "comment" : "u2 == n - 1", + "msg" : "313233343030", + "sig" : "30450220555555550000000055555555555555553ef7a8e48d07df81a693439654210c70022100aaaaaaaa00000000aaaaaaaaaaaaaaaa7def51c91a0fbf034d26872ca84218e1", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04db7a2c8a1ab573e5929dc24077b508d7e683d49227996bda3e9f78dbeff773504f417f3bc9a88075c2e0aadd5a13311730cf7cc76a82f11a36eaf08a6c99a206", + "wx" : "00db7a2c8a1ab573e5929dc24077b508d7e683d49227996bda3e9f78dbeff77350", + "wy" : "4f417f3bc9a88075c2e0aadd5a13311730cf7cc76a82f11a36eaf08a6c99a206" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004db7a2c8a1ab573e5929dc24077b508d7e683d49227996bda3e9f78dbeff773504f417f3bc9a88075c2e0aadd5a13311730cf7cc76a82f11a36eaf08a6c99a206", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE23osihq1c+WSncJAd7UI1+aD1JIn\nmWvaPp942+/3c1BPQX87yaiAdcLgqt1aEzEXMM98x2qC8Ro26vCKbJmiBg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 311, + "comment" : "edge case for u1", + "msg" : "313233343030", + "sig" : "304502207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022100e91e1ba60fdedb76a46bcb51dc0b8b4b7e019f0a28721885fa5d3a8196623397", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04dead11c7a5b396862f21974dc4752fadeff994efe9bbd05ab413765ea80b6e1f1de3f0640e8ac6edcf89cff53c40e265bb94078a343736df07aa0318fc7fe1ff", + "wx" : "00dead11c7a5b396862f21974dc4752fadeff994efe9bbd05ab413765ea80b6e1f", + "wy" : 
"1de3f0640e8ac6edcf89cff53c40e265bb94078a343736df07aa0318fc7fe1ff" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004dead11c7a5b396862f21974dc4752fadeff994efe9bbd05ab413765ea80b6e1f1de3f0640e8ac6edcf89cff53c40e265bb94078a343736df07aa0318fc7fe1ff", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3q0Rx6WzloYvIZdNxHUvre/5lO/p\nu9BatBN2XqgLbh8d4/BkDorG7c+Jz/U8QOJlu5QHijQ3Nt8HqgMY/H/h/w==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 312, + "comment" : "edge case for u1", + "msg" : "313233343030", + "sig" : "304502207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022100fdea5843ffeb73af94313ba4831b53fe24f799e525b1e8e8c87b59b95b430ad9", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04d0bc472e0d7c81ebaed3a6ef96c18613bb1fea6f994326fbe80e00dfde67c7e9986c723ea4843d48389b946f64ad56c83ad70ff17ba85335667d1bb9fa619efd", + "wx" : "00d0bc472e0d7c81ebaed3a6ef96c18613bb1fea6f994326fbe80e00dfde67c7e9", + "wy" : "00986c723ea4843d48389b946f64ad56c83ad70ff17ba85335667d1bb9fa619efd" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004d0bc472e0d7c81ebaed3a6ef96c18613bb1fea6f994326fbe80e00dfde67c7e9986c723ea4843d48389b946f64ad56c83ad70ff17ba85335667d1bb9fa619efd", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0LxHLg18geuu06bvlsGGE7sf6m+Z\nQyb76A4A395nx+mYbHI+pIQ9SDiblG9krVbIOtcP8XuoUzVmfRu5+mGe/Q==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 313, + "comment" : "edge case for u1", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022003ffcabf2f1b4d2a65190db1680d62bb994e41c5251cd73b3c3dfc5e5bafc035", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + 
"keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04a0a44ca947d66a2acb736008b9c08d1ab2ad03776e02640f78495d458dd51c326337fe5cf8c4604b1f1c409dc2d872d4294a4762420df43a30a2392e40426add", + "wx" : "00a0a44ca947d66a2acb736008b9c08d1ab2ad03776e02640f78495d458dd51c32", + "wy" : "6337fe5cf8c4604b1f1c409dc2d872d4294a4762420df43a30a2392e40426add" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004a0a44ca947d66a2acb736008b9c08d1ab2ad03776e02640f78495d458dd51c326337fe5cf8c4604b1f1c409dc2d872d4294a4762420df43a30a2392e40426add", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoKRMqUfWairLc2AIucCNGrKtA3du\nAmQPeEldRY3VHDJjN/5c+MRgSx8cQJ3C2HLUKUpHYkIN9DowojkuQEJq3Q==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 314, + "comment" : "edge case for u1", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd02204dfbc401f971cd304b33dfdb17d0fed0fe4c1a88ae648e0d2847f74977534989", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04c9c2115290d008b45fb65fad0f602389298c25420b775019d42b62c3ce8a96b73877d25a8080dc02d987ca730f0405c2c9dbefac46f9e601cc3f06e9713973fd", + "wx" : "00c9c2115290d008b45fb65fad0f602389298c25420b775019d42b62c3ce8a96b7", + "wy" : "3877d25a8080dc02d987ca730f0405c2c9dbefac46f9e601cc3f06e9713973fd" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004c9c2115290d008b45fb65fad0f602389298c25420b775019d42b62c3ce8a96b73877d25a8080dc02d987ca730f0405c2c9dbefac46f9e601cc3f06e9713973fd", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEycIRUpDQCLRftl+tD2AjiSmMJUIL\nd1AZ1Ctiw86Klrc4d9JagIDcAtmHynMPBAXCydvvrEb55gHMPwbpcTlz/Q==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 315, + "comment" : "edge case 
for u1", + "msg" : "313233343030", + "sig" : "304502207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022100bc4024761cd2ffd43dfdb17d0fed112b988977055cd3a8e54971eba9cda5ca71", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "045eca1ef4c287dddc66b8bccf1b88e8a24c0018962f3c5e7efa83bc1a5ff6033e5e79c4cb2c245b8c45abdce8a8e4da758d92a607c32cd407ecaef22f1c934a71", + "wx" : "5eca1ef4c287dddc66b8bccf1b88e8a24c0018962f3c5e7efa83bc1a5ff6033e", + "wy" : "5e79c4cb2c245b8c45abdce8a8e4da758d92a607c32cd407ecaef22f1c934a71" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200045eca1ef4c287dddc66b8bccf1b88e8a24c0018962f3c5e7efa83bc1a5ff6033e5e79c4cb2c245b8c45abdce8a8e4da758d92a607c32cd407ecaef22f1c934a71", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXsoe9MKH3dxmuLzPG4jookwAGJYv\nPF5++oO8Gl/2Az5eecTLLCRbjEWr3Oio5Np1jZKmB8Ms1AfsrvIvHJNKcQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 316, + "comment" : "edge case for u1", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd0220788048ed39a5ffa77bfb62fa1fda2257742bf35d128fb3459f2a0c909ee86f91", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "045caaa030e7fdf0e4936bc7ab5a96353e0a01e4130c3f8bf22d473e317029a47adeb6adc462f7058f2a20d371e9702254e9b201642005b3ceda926b42b178bef9", + "wx" : "5caaa030e7fdf0e4936bc7ab5a96353e0a01e4130c3f8bf22d473e317029a47a", + "wy" : "00deb6adc462f7058f2a20d371e9702254e9b201642005b3ceda926b42b178bef9" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200045caaa030e7fdf0e4936bc7ab5a96353e0a01e4130c3f8bf22d473e317029a47adeb6adc462f7058f2a20d371e9702254e9b201642005b3ceda926b42b178bef9", + "keyPem" : 
"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXKqgMOf98OSTa8erWpY1PgoB5BMM\nP4vyLUc+MXAppHretq3EYvcFjyog03HpcCJU6bIBZCAFs87akmtCsXi++Q==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 317, + "comment" : "edge case for u1", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd0220476d9131fd381bd917d0fed112bc9e0a5924b5ed5b11167edd8b23582b3cb15e", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04c2fd20bac06e555bb8ac0ce69eb1ea20f83a1fc3501c8a66469b1a31f619b0986237050779f52b615bd7b8d76a25fc95ca2ed32525c75f27ffc87ac397e6cbaf", + "wx" : "00c2fd20bac06e555bb8ac0ce69eb1ea20f83a1fc3501c8a66469b1a31f619b098", + "wy" : "6237050779f52b615bd7b8d76a25fc95ca2ed32525c75f27ffc87ac397e6cbaf" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004c2fd20bac06e555bb8ac0ce69eb1ea20f83a1fc3501c8a66469b1a31f619b0986237050779f52b615bd7b8d76a25fc95ca2ed32525c75f27ffc87ac397e6cbaf", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwv0gusBuVVu4rAzmnrHqIPg6H8NQ\nHIpmRpsaMfYZsJhiNwUHefUrYVvXuNdqJfyVyi7TJSXHXyf/yHrDl+bLrw==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 318, + "comment" : "edge case for u1", + "msg" : "313233343030", + "sig" : "304502207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd0221008374253e3e21bd154448d0a8f640fe46fafa8b19ce78d538f6cc0a19662d3601", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "043fd6a1ca7f77fb3b0bbe726c372010068426e11ea6ae78ce17bedae4bba86ced03ce5516406bf8cfaab8745eac1cd69018ad6f50b5461872ddfc56e0db3c8ff4", + "wx" : "3fd6a1ca7f77fb3b0bbe726c372010068426e11ea6ae78ce17bedae4bba86ced", + "wy" : 
"03ce5516406bf8cfaab8745eac1cd69018ad6f50b5461872ddfc56e0db3c8ff4" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200043fd6a1ca7f77fb3b0bbe726c372010068426e11ea6ae78ce17bedae4bba86ced03ce5516406bf8cfaab8745eac1cd69018ad6f50b5461872ddfc56e0db3c8ff4", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEP9ahyn93+zsLvnJsNyAQBoQm4R6m\nrnjOF77a5LuobO0DzlUWQGv4z6q4dF6sHNaQGK1vULVGGHLd/Fbg2zyP9A==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 319, + "comment" : "edge case for u1", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd0220357cfd3be4d01d413c5b9ede36cba5452c11ee7fe14879e749ae6a2d897a52d6", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "049cb8e51e27a5ae3b624a60d6dc32734e4989db20e9bca3ede1edf7b086911114b4c104ab3c677e4b36d6556e8ad5f523410a19f2e277aa895fc57322b4427544", + "wx" : "009cb8e51e27a5ae3b624a60d6dc32734e4989db20e9bca3ede1edf7b086911114", + "wy" : "00b4c104ab3c677e4b36d6556e8ad5f523410a19f2e277aa895fc57322b4427544" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200049cb8e51e27a5ae3b624a60d6dc32734e4989db20e9bca3ede1edf7b086911114b4c104ab3c677e4b36d6556e8ad5f523410a19f2e277aa895fc57322b4427544", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnLjlHielrjtiSmDW3DJzTkmJ2yDp\nvKPt4e33sIaRERS0wQSrPGd+SzbWVW6K1fUjQQoZ8uJ3qolfxXMitEJ1RA==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 320, + "comment" : "edge case for u1", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022029798c5c0ee287d4a5e8e6b799fd86b8df5225298e6ffc807cd2f2bc27a0a6d8", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + 
"keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04a3e52c156dcaf10502620b7955bc2b40bc78ef3d569e1223c262512d8f49602a4a2039f31c1097024ad3cc86e57321de032355463486164cf192944977df147f", + "wx" : "00a3e52c156dcaf10502620b7955bc2b40bc78ef3d569e1223c262512d8f49602a", + "wy" : "4a2039f31c1097024ad3cc86e57321de032355463486164cf192944977df147f" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004a3e52c156dcaf10502620b7955bc2b40bc78ef3d569e1223c262512d8f49602a4a2039f31c1097024ad3cc86e57321de032355463486164cf192944977df147f", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEo+UsFW3K8QUCYgt5VbwrQLx47z1W\nnhIjwmJRLY9JYCpKIDnzHBCXAkrTzIblcyHeAyNVRjSGFkzxkpRJd98Ufw==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 321, + "comment" : "edge case for u1", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd02200b70f22c781092452dca1a5711fa3a5a1f72add1bf52c2ff7cae4820b30078dd", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04f19b78928720d5bee8e670fb90010fb15c37bf91b58a5157c3f3c059b2655e88cf701ec962fb4a11dcf273f5dc357e58468560c7cfeb942d074abd4329260509", + "wx" : "00f19b78928720d5bee8e670fb90010fb15c37bf91b58a5157c3f3c059b2655e88", + "wy" : "00cf701ec962fb4a11dcf273f5dc357e58468560c7cfeb942d074abd4329260509" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004f19b78928720d5bee8e670fb90010fb15c37bf91b58a5157c3f3c059b2655e88cf701ec962fb4a11dcf273f5dc357e58468560c7cfeb942d074abd4329260509", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8Zt4kocg1b7o5nD7kAEPsVw3v5G1\nilFXw/PAWbJlXojPcB7JYvtKEdzyc/XcNX5YRoVgx8/rlC0HSr1DKSYFCQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 322, + "comment" : "edge case 
for u1", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022016e1e458f021248a5b9434ae23f474b43ee55ba37ea585fef95c90416600f1ba", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "0483a744459ecdfb01a5cf52b27a05bb7337482d242f235d7b4cb89345545c90a8c05d49337b9649813287de9ffe90355fd905df5f3c32945828121f37cc50de6e", + "wx" : "0083a744459ecdfb01a5cf52b27a05bb7337482d242f235d7b4cb89345545c90a8", + "wy" : "00c05d49337b9649813287de9ffe90355fd905df5f3c32945828121f37cc50de6e" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d0301070342000483a744459ecdfb01a5cf52b27a05bb7337482d242f235d7b4cb89345545c90a8c05d49337b9649813287de9ffe90355fd905df5f3c32945828121f37cc50de6e", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEg6dERZ7N+wGlz1KyegW7czdILSQv\nI117TLiTRVRckKjAXUkze5ZJgTKH3p/+kDVf2QXfXzwylFgoEh83zFDebg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 323, + "comment" : "edge case for u1", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd02202252d6856831b6cf895e4f0535eeaf0e5e5809753df848fe760ad86219016a97", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04dd13c6b34c56982ddae124f039dfd23f4b19bbe88cee8e528ae51e5d6f3a21d7bfad4c2e6f263fe5eb59ca974d039fc0e4c3345692fb5320bdae4bd3b42a45ff", + "wx" : "00dd13c6b34c56982ddae124f039dfd23f4b19bbe88cee8e528ae51e5d6f3a21d7", + "wy" : "00bfad4c2e6f263fe5eb59ca974d039fc0e4c3345692fb5320bdae4bd3b42a45ff" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004dd13c6b34c56982ddae124f039dfd23f4b19bbe88cee8e528ae51e5d6f3a21d7bfad4c2e6f263fe5eb59ca974d039fc0e4c3345692fb5320bdae4bd3b42a45ff", + "keyPem" : 
"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3RPGs0xWmC3a4STwOd/SP0sZu+iM\n7o5SiuUeXW86Ide/rUwubyY/5etZypdNA5/A5MM0VpL7UyC9rkvTtCpF/w==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 324, + "comment" : "edge case for u1", + "msg" : "313233343030", + "sig" : "304502207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd02210081ffe55f178da695b28c86d8b406b15dab1a9e39661a3ae017fbe390ac0972c3", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "0467e6f659cdde869a2f65f094e94e5b4dfad636bbf95192feeed01b0f3deb7460a37e0a51f258b7aeb51dfe592f5cfd5685bbe58712c8d9233c62886437c38ba0", + "wx" : "67e6f659cdde869a2f65f094e94e5b4dfad636bbf95192feeed01b0f3deb7460", + "wy" : "00a37e0a51f258b7aeb51dfe592f5cfd5685bbe58712c8d9233c62886437c38ba0" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d0301070342000467e6f659cdde869a2f65f094e94e5b4dfad636bbf95192feeed01b0f3deb7460a37e0a51f258b7aeb51dfe592f5cfd5685bbe58712c8d9233c62886437c38ba0", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZ+b2Wc3ehpovZfCU6U5bTfrWNrv5\nUZL+7tAbDz3rdGCjfgpR8li3rrUd/lkvXP1WhbvlhxLI2SM8YohkN8OLoA==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 325, + "comment" : "edge case for u2", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd02207fffffffaaaaaaaaffffffffffffffffe9a2538f37b28a2c513dee40fecbb71a", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "042eb6412505aec05c6545f029932087e490d05511e8ec1f599617bb367f9ecaaf805f51efcc4803403f9b1ae0124890f06a43fedcddb31830f6669af292895cb0", + "wx" : "2eb6412505aec05c6545f029932087e490d05511e8ec1f599617bb367f9ecaaf", + "wy" : 
"00805f51efcc4803403f9b1ae0124890f06a43fedcddb31830f6669af292895cb0" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200042eb6412505aec05c6545f029932087e490d05511e8ec1f599617bb367f9ecaaf805f51efcc4803403f9b1ae0124890f06a43fedcddb31830f6669af292895cb0", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELrZBJQWuwFxlRfApkyCH5JDQVRHo\n7B9Zlhe7Nn+eyq+AX1HvzEgDQD+bGuASSJDwakP+3N2zGDD2ZprykolcsA==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 326, + "comment" : "edge case for u2", + "msg" : "313233343030", + "sig" : "304502207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022100b62f26b5f2a2b26f6de86d42ad8a13da3ab3cccd0459b201de009e526adf21f2", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "0484db645868eab35e3a9fd80e056e2e855435e3a6b68d75a50a854625fe0d7f356d2589ac655edc9a11ef3e075eddda9abf92e72171570ef7bf43a2ee39338cfe", + "wx" : "0084db645868eab35e3a9fd80e056e2e855435e3a6b68d75a50a854625fe0d7f35", + "wy" : "6d2589ac655edc9a11ef3e075eddda9abf92e72171570ef7bf43a2ee39338cfe" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d0301070342000484db645868eab35e3a9fd80e056e2e855435e3a6b68d75a50a854625fe0d7f356d2589ac655edc9a11ef3e075eddda9abf92e72171570ef7bf43a2ee39338cfe", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhNtkWGjqs146n9gOBW4uhVQ146a2\njXWlCoVGJf4NfzVtJYmsZV7cmhHvPgde3dqav5LnIXFXDve/Q6LuOTOM/g==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 327, + "comment" : "edge case for u2", + "msg" : "313233343030", + "sig" : "304502207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022100bb1d9ac949dd748cd02bbbe749bd351cd57b38bb61403d700686aa7b4c90851e", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", 
+ "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "0491b9e47c56278662d75c0983b22ca8ea6aa5059b7a2ff7637eb2975e386ad66349aa8ff283d0f77c18d6d11dc062165fd13c3c0310679c1408302a16854ecfbd", + "wx" : "0091b9e47c56278662d75c0983b22ca8ea6aa5059b7a2ff7637eb2975e386ad663", + "wy" : "49aa8ff283d0f77c18d6d11dc062165fd13c3c0310679c1408302a16854ecfbd" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d0301070342000491b9e47c56278662d75c0983b22ca8ea6aa5059b7a2ff7637eb2975e386ad66349aa8ff283d0f77c18d6d11dc062165fd13c3c0310679c1408302a16854ecfbd", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkbnkfFYnhmLXXAmDsiyo6mqlBZt6\nL/djfrKXXjhq1mNJqo/yg9D3fBjW0R3AYhZf0Tw8AxBnnBQIMCoWhU7PvQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 328, + "comment" : "edge case for u2", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022066755a00638cdaec1c732513ca0234ece52545dac11f816e818f725b4f60aaf2", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04f3ec2f13caf04d0192b47fb4c5311fb6d4dc6b0a9e802e5327f7ec5ee8e4834df97e3e468b7d0db867d6ecfe81e2b0f9531df87efdb47c1338ac321fefe5a432", + "wx" : "00f3ec2f13caf04d0192b47fb4c5311fb6d4dc6b0a9e802e5327f7ec5ee8e4834d", + "wy" : "00f97e3e468b7d0db867d6ecfe81e2b0f9531df87efdb47c1338ac321fefe5a432" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004f3ec2f13caf04d0192b47fb4c5311fb6d4dc6b0a9e802e5327f7ec5ee8e4834df97e3e468b7d0db867d6ecfe81e2b0f9531df87efdb47c1338ac321fefe5a432", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8+wvE8rwTQGStH+0xTEfttTcawqe\ngC5TJ/fsXujkg035fj5Gi30NuGfW7P6B4rD5Ux34fv20fBM4rDIf7+WkMg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 329, + "comment" : "edge 
case for u2", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022055a00c9fcdaebb6032513ca0234ecfffe98ebe492fdf02e48ca48e982beb3669", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04d92b200aefcab6ac7dafd9acaf2fa10b3180235b8f46b4503e4693c670fccc885ef2f3aebf5b317475336256768f7c19efb7352d27e4cccadc85b6b8ab922c72", + "wx" : "00d92b200aefcab6ac7dafd9acaf2fa10b3180235b8f46b4503e4693c670fccc88", + "wy" : "5ef2f3aebf5b317475336256768f7c19efb7352d27e4cccadc85b6b8ab922c72" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004d92b200aefcab6ac7dafd9acaf2fa10b3180235b8f46b4503e4693c670fccc885ef2f3aebf5b317475336256768f7c19efb7352d27e4cccadc85b6b8ab922c72", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2SsgCu/Ktqx9r9msry+hCzGAI1uP\nRrRQPkaTxnD8zIhe8vOuv1sxdHUzYlZ2j3wZ77c1LSfkzMrchba4q5Iscg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 330, + "comment" : "edge case for u2", + "msg" : "313233343030", + "sig" : "304502207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022100ab40193f9b5d76c064a27940469d9fffd31d7c925fbe05c919491d3057d66cd2", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "040a88361eb92ecca2625b38e5f98bbabb96bf179b3d76fc48140a3bcd881523cde6bdf56033f84a5054035597375d90866aa2c96b86a41ccf6edebf47298ad489", + "wx" : "0a88361eb92ecca2625b38e5f98bbabb96bf179b3d76fc48140a3bcd881523cd", + "wy" : "00e6bdf56033f84a5054035597375d90866aa2c96b86a41ccf6edebf47298ad489" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200040a88361eb92ecca2625b38e5f98bbabb96bf179b3d76fc48140a3bcd881523cde6bdf56033f84a5054035597375d90866aa2c96b86a41ccf6edebf47298ad489", + "keyPem" : 
"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECog2HrkuzKJiWzjl+Yu6u5a/F5s9\ndvxIFAo7zYgVI83mvfVgM/hKUFQDVZc3XZCGaqLJa4akHM9u3r9HKYrUiQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 331, + "comment" : "edge case for u2", + "msg" : "313233343030", + "sig" : "304502207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022100ca0234ebb5fdcb13ca0234ecffffffffcb0dadbbc7f549f8a26b4408d0dc8600", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04d0fb17ccd8fafe827e0c1afc5d8d80366e2b20e7f14a563a2ba50469d84375e868612569d39e2bb9f554355564646de99ac602cc6349cf8c1e236a7de7637d93", + "wx" : "00d0fb17ccd8fafe827e0c1afc5d8d80366e2b20e7f14a563a2ba50469d84375e8", + "wy" : "68612569d39e2bb9f554355564646de99ac602cc6349cf8c1e236a7de7637d93" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004d0fb17ccd8fafe827e0c1afc5d8d80366e2b20e7f14a563a2ba50469d84375e868612569d39e2bb9f554355564646de99ac602cc6349cf8c1e236a7de7637d93", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0PsXzNj6/oJ+DBr8XY2ANm4rIOfx\nSlY6K6UEadhDdehoYSVp054rufVUNVVkZG3pmsYCzGNJz4weI2p952N9kw==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 332, + "comment" : "edge case for u2", + "msg" : "313233343030", + "sig" : "304502207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022100bfffffff3ea3677e082b9310572620ae19933a9e65b285598711c77298815ad3", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04836f33bbc1dc0d3d3abbcef0d91f11e2ac4181076c9af0a22b1e4309d3edb2769ab443ff6f901e30c773867582997c2bec2b0cb8120d760236f3a95bbe881f75", + "wx" : "00836f33bbc1dc0d3d3abbcef0d91f11e2ac4181076c9af0a22b1e4309d3edb276", + "wy" : 
"009ab443ff6f901e30c773867582997c2bec2b0cb8120d760236f3a95bbe881f75" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004836f33bbc1dc0d3d3abbcef0d91f11e2ac4181076c9af0a22b1e4309d3edb2769ab443ff6f901e30c773867582997c2bec2b0cb8120d760236f3a95bbe881f75", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEg28zu8HcDT06u87w2R8R4qxBgQds\nmvCiKx5DCdPtsnaatEP/b5AeMMdzhnWCmXwr7CsMuBINdgI286lbvogfdQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 333, + "comment" : "edge case for u2", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd0220266666663bbbbbbbe6666666666666665b37902e023fab7c8f055d86e5cc41f4", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "0492f99fbe973ed4a299719baee4b432741237034dec8d72ba5103cb33e55feeb8033dd0e91134c734174889f3ebcf1b7a1ac05767289280ee7a794cebd6e69697", + "wx" : "0092f99fbe973ed4a299719baee4b432741237034dec8d72ba5103cb33e55feeb8", + "wy" : "033dd0e91134c734174889f3ebcf1b7a1ac05767289280ee7a794cebd6e69697" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d0301070342000492f99fbe973ed4a299719baee4b432741237034dec8d72ba5103cb33e55feeb8033dd0e91134c734174889f3ebcf1b7a1ac05767289280ee7a794cebd6e69697", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkvmfvpc+1KKZcZuu5LQydBI3A03s\njXK6UQPLM+Vf7rgDPdDpETTHNBdIifPrzxt6GsBXZyiSgO56eUzr1uaWlw==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 334, + "comment" : "edge case for u2", + "msg" : "313233343030", + "sig" : "304502207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022100bfffffff36db6db7a492492492492492146c573f4c6dfc8d08a443e258970b09", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + 
"keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04d35ba58da30197d378e618ec0fa7e2e2d12cffd73ebbb2049d130bba434af09eff83986e6875e41ea432b7585a49b3a6c77cbb3c47919f8e82874c794635c1d2", + "wx" : "00d35ba58da30197d378e618ec0fa7e2e2d12cffd73ebbb2049d130bba434af09e", + "wy" : "00ff83986e6875e41ea432b7585a49b3a6c77cbb3c47919f8e82874c794635c1d2" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004d35ba58da30197d378e618ec0fa7e2e2d12cffd73ebbb2049d130bba434af09eff83986e6875e41ea432b7585a49b3a6c77cbb3c47919f8e82874c794635c1d2", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE01uljaMBl9N45hjsD6fi4tEs/9c+\nu7IEnRMLukNK8J7/g5huaHXkHqQyt1haSbOmx3y7PEeRn46Ch0x5RjXB0g==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 335, + "comment" : "edge case for u2", + "msg" : "313233343030", + "sig" : "304502207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd022100bfffffff2aaaaaab7fffffffffffffffc815d0e60b3e596ecb1ad3a27cfd49c4", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "048651ce490f1b46d73f3ff475149be29136697334a519d7ddab0725c8d0793224e11c65bd8ca92dc8bc9ae82911f0b52751ce21dd9003ae60900bd825f590cc28", + "wx" : "008651ce490f1b46d73f3ff475149be29136697334a519d7ddab0725c8d0793224", + "wy" : "00e11c65bd8ca92dc8bc9ae82911f0b52751ce21dd9003ae60900bd825f590cc28" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200048651ce490f1b46d73f3ff475149be29136697334a519d7ddab0725c8d0793224e11c65bd8ca92dc8bc9ae82911f0b52751ce21dd9003ae60900bd825f590cc28", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhlHOSQ8bRtc/P/R1FJvikTZpczSl\nGdfdqwclyNB5MiThHGW9jKktyLya6CkR8LUnUc4h3ZADrmCQC9gl9ZDMKA==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 336, + "comment" : "edge 
case for u2", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd02207fffffff55555555ffffffffffffffffd344a71e6f651458a27bdc81fd976e37", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "046d8e1b12c831a0da8795650ff95f101ed921d9e2f72b15b1cdaca9826b9cfc6def6d63e2bc5c089570394a4bc9f892d5e6c7a6a637b20469a58c106ad486bf37", + "wx" : "6d8e1b12c831a0da8795650ff95f101ed921d9e2f72b15b1cdaca9826b9cfc6d", + "wy" : "00ef6d63e2bc5c089570394a4bc9f892d5e6c7a6a637b20469a58c106ad486bf37" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200046d8e1b12c831a0da8795650ff95f101ed921d9e2f72b15b1cdaca9826b9cfc6def6d63e2bc5c089570394a4bc9f892d5e6c7a6a637b20469a58c106ad486bf37", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbY4bEsgxoNqHlWUP+V8QHtkh2eL3\nKxWxzaypgmuc/G3vbWPivFwIlXA5SkvJ+JLV5sempjeyBGmljBBq1Ia/Nw==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 337, + "comment" : "edge case for u2", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd02203fffffff800000007fffffffffffffffde737d56d38bcf4279dce5617e3192aa", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "040ae580bae933b4ef2997cbdbb0922328ca9a410f627a0f7dff24cb4d920e15428911e7f8cc365a8a88eb81421a361ccc2b99e309d8dcd9a98ba83c3949d893e3", + "wx" : "0ae580bae933b4ef2997cbdbb0922328ca9a410f627a0f7dff24cb4d920e1542", + "wy" : "008911e7f8cc365a8a88eb81421a361ccc2b99e309d8dcd9a98ba83c3949d893e3" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200040ae580bae933b4ef2997cbdbb0922328ca9a410f627a0f7dff24cb4d920e15428911e7f8cc365a8a88eb81421a361ccc2b99e309d8dcd9a98ba83c3949d893e3", + "keyPem" : 
"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECuWAuukztO8pl8vbsJIjKMqaQQ9i\neg99/yTLTZIOFUKJEef4zDZaiojrgUIaNhzMK5njCdjc2amLqDw5SdiT4w==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 338, + "comment" : "edge case for u2", + "msg" : "313233343030", + "sig" : "304402207ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd02205d8ecd64a4eeba466815ddf3a4de9a8e6abd9c5db0a01eb80343553da648428f", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "045b812fd521aafa69835a849cce6fbdeb6983b442d2444fe70e134c027fc46963838a40f2a36092e9004e92d8d940cf5638550ce672ce8b8d4e15eba5499249e9", + "wx" : "5b812fd521aafa69835a849cce6fbdeb6983b442d2444fe70e134c027fc46963", + "wy" : "00838a40f2a36092e9004e92d8d940cf5638550ce672ce8b8d4e15eba5499249e9" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200045b812fd521aafa69835a849cce6fbdeb6983b442d2444fe70e134c027fc46963838a40f2a36092e9004e92d8d940cf5638550ce672ce8b8d4e15eba5499249e9", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEW4Ev1SGq+mmDWoSczm+962mDtELS\nRE/nDhNMAn/EaWODikDyo2CS6QBOktjZQM9WOFUM5nLOi41OFeulSZJJ6Q==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 339, + "comment" : "point duplication during verification", + "msg" : "313233343030", + "sig" : "304502206f2347cab7dd76858fe0555ac3bc99048c4aacafdfb6bcbe05ea6c42c4934569022100bb726660235793aa9957a61e76e00c2c435109cf9a15dd624d53f4301047856b", + "result" : "valid", + "flags" : [ + "PointDuplication" + ] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "045b812fd521aafa69835a849cce6fbdeb6983b442d2444fe70e134c027fc469637c75bf0c5c9f6d17ffb16d2726bf30a9c7aaf31a8d317472b1ea145ab66db616", + "wx" : 
"5b812fd521aafa69835a849cce6fbdeb6983b442d2444fe70e134c027fc46963", + "wy" : "7c75bf0c5c9f6d17ffb16d2726bf30a9c7aaf31a8d317472b1ea145ab66db616" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200045b812fd521aafa69835a849cce6fbdeb6983b442d2444fe70e134c027fc469637c75bf0c5c9f6d17ffb16d2726bf30a9c7aaf31a8d317472b1ea145ab66db616", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEW4Ev1SGq+mmDWoSczm+962mDtELS\nRE/nDhNMAn/EaWN8db8MXJ9tF/+xbScmvzCpx6rzGo0xdHKx6hRatm22Fg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 340, + "comment" : "duplication bug", + "msg" : "313233343030", + "sig" : "304502206f2347cab7dd76858fe0555ac3bc99048c4aacafdfb6bcbe05ea6c42c4934569022100bb726660235793aa9957a61e76e00c2c435109cf9a15dd624d53f4301047856b", + "result" : "invalid", + "flags" : [ + "PointDuplication" + ] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "046adda82b90261b0f319faa0d878665a6b6da497f09c903176222c34acfef72a647e6f50dcc40ad5d9b59f7602bb222fad71a41bf5e1f9df4959a364c62e488d9", + "wx" : "6adda82b90261b0f319faa0d878665a6b6da497f09c903176222c34acfef72a6", + "wy" : "47e6f50dcc40ad5d9b59f7602bb222fad71a41bf5e1f9df4959a364c62e488d9" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200046adda82b90261b0f319faa0d878665a6b6da497f09c903176222c34acfef72a647e6f50dcc40ad5d9b59f7602bb222fad71a41bf5e1f9df4959a364c62e488d9", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEat2oK5AmGw8xn6oNh4ZlprbaSX8J\nyQMXYiLDSs/vcqZH5vUNzECtXZtZ92ArsiL61xpBv14fnfSVmjZMYuSI2Q==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 341, + "comment" : "point with x-coordinate 0", + "msg" : "313233343030", + "sig" : "30250201010220555555550000000055555555555555553ef7a8e48d07df81a693439654210c70", + "result" : "invalid", + "flags" : [] + } + ] 
+ }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "042fca0d0a47914de77ed56e7eccc3276a601120c6df0069c825c8f6a01c9f382065f3450a1d17c6b24989a39beb1c7decfca8384fbdc294418e5d807b3c6ed7de", + "wx" : "2fca0d0a47914de77ed56e7eccc3276a601120c6df0069c825c8f6a01c9f3820", + "wy" : "65f3450a1d17c6b24989a39beb1c7decfca8384fbdc294418e5d807b3c6ed7de" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200042fca0d0a47914de77ed56e7eccc3276a601120c6df0069c825c8f6a01c9f382065f3450a1d17c6b24989a39beb1c7decfca8384fbdc294418e5d807b3c6ed7de", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEL8oNCkeRTed+1W5+zMMnamARIMbf\nAGnIJcj2oByfOCBl80UKHRfGskmJo5vrHH3s/Kg4T73ClEGOXYB7PG7X3g==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 342, + "comment" : "point with x-coordinate 0", + "msg" : "313233343030", + "sig" : "3045022101000000000000000000000000000000000000000000000000000000000000000002203333333300000000333333333333333325c7cbbc549e52e763f1f55a327a3aa9", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04dd86d3b5f4a13e8511083b78002081c53ff467f11ebd98a51a633db76665d25045d5c8200c89f2fa10d849349226d21d8dfaed6ff8d5cb3e1b7e17474ebc18f7", + "wx" : "00dd86d3b5f4a13e8511083b78002081c53ff467f11ebd98a51a633db76665d250", + "wy" : "45d5c8200c89f2fa10d849349226d21d8dfaed6ff8d5cb3e1b7e17474ebc18f7" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004dd86d3b5f4a13e8511083b78002081c53ff467f11ebd98a51a633db76665d25045d5c8200c89f2fa10d849349226d21d8dfaed6ff8d5cb3e1b7e17474ebc18f7", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3YbTtfShPoURCDt4ACCBxT/0Z/Ee\nvZilGmM9t2Zl0lBF1cggDIny+hDYSTSSJtIdjfrtb/jVyz4bfhdHTrwY9w==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + 
"tests" : [ + { + "tcId" : 343, + "comment" : "comparison with point at infinity ", + "msg" : "313233343030", + "sig" : "30440220555555550000000055555555555555553ef7a8e48d07df81a693439654210c7002203333333300000000333333333333333325c7cbbc549e52e763f1f55a327a3aa9", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "044fea55b32cb32aca0c12c4cd0abfb4e64b0f5a516e578c016591a93f5a0fbcc5d7d3fd10b2be668c547b212f6bb14c88f0fecd38a8a4b2c785ed3be62ce4b280", + "wx" : "4fea55b32cb32aca0c12c4cd0abfb4e64b0f5a516e578c016591a93f5a0fbcc5", + "wy" : "00d7d3fd10b2be668c547b212f6bb14c88f0fecd38a8a4b2c785ed3be62ce4b280" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200044fea55b32cb32aca0c12c4cd0abfb4e64b0f5a516e578c016591a93f5a0fbcc5d7d3fd10b2be668c547b212f6bb14c88f0fecd38a8a4b2c785ed3be62ce4b280", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET+pVsyyzKsoMEsTNCr+05ksPWlFu\nV4wBZZGpP1oPvMXX0/0Qsr5mjFR7IS9rsUyI8P7NOKiksseF7TvmLOSygA==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 344, + "comment" : "extreme value for k and edgecase s", + "msg" : "313233343030", + "sig" : "304402207cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc476699780220555555550000000055555555555555553ef7a8e48d07df81a693439654210c70", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04c6a771527024227792170a6f8eee735bf32b7f98af669ead299802e32d7c3107bc3b4b5e65ab887bbd343572b3e5619261fe3a073e2ffd78412f726867db589e", + "wx" : "00c6a771527024227792170a6f8eee735bf32b7f98af669ead299802e32d7c3107", + "wy" : "00bc3b4b5e65ab887bbd343572b3e5619261fe3a073e2ffd78412f726867db589e" + }, + "keyDer" : 
"3059301306072a8648ce3d020106082a8648ce3d03010703420004c6a771527024227792170a6f8eee735bf32b7f98af669ead299802e32d7c3107bc3b4b5e65ab887bbd343572b3e5619261fe3a073e2ffd78412f726867db589e", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExqdxUnAkIneSFwpvju5zW/Mrf5iv\nZp6tKZgC4y18MQe8O0teZauIe700NXKz5WGSYf46Bz4v/XhBL3JoZ9tYng==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 345, + "comment" : "extreme value for k and s^-1", + "msg" : "313233343030", + "sig" : "304502207cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc47669978022100b6db6db6249249254924924924924924625bd7a09bec4ca81bcdd9f8fd6b63cc", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04851c2bbad08e54ec7a9af99f49f03644d6ec6d59b207fec98de85a7d15b956efcee9960283045075684b410be8d0f7494b91aa2379f60727319f10ddeb0fe9d6", + "wx" : "00851c2bbad08e54ec7a9af99f49f03644d6ec6d59b207fec98de85a7d15b956ef", + "wy" : "00cee9960283045075684b410be8d0f7494b91aa2379f60727319f10ddeb0fe9d6" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004851c2bbad08e54ec7a9af99f49f03644d6ec6d59b207fec98de85a7d15b956efcee9960283045075684b410be8d0f7494b91aa2379f60727319f10ddeb0fe9d6", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhRwrutCOVOx6mvmfSfA2RNbsbVmy\nB/7JjehafRW5Vu/O6ZYCgwRQdWhLQQvo0PdJS5GqI3n2BycxnxDd6w/p1g==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 346, + "comment" : "extreme value for k and s^-1", + "msg" : "313233343030", + "sig" : "304502207cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc47669978022100cccccccc00000000cccccccccccccccc971f2ef152794b9d8fc7d568c9e8eaa7", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + 
"uncompressed" : "04f6417c8a670584e388676949e53da7fc55911ff68318d1bf3061205acb19c48f8f2b743df34ad0f72674acb7505929784779cd9ac916c3669ead43026ab6d43f", + "wx" : "00f6417c8a670584e388676949e53da7fc55911ff68318d1bf3061205acb19c48f", + "wy" : "008f2b743df34ad0f72674acb7505929784779cd9ac916c3669ead43026ab6d43f" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004f6417c8a670584e388676949e53da7fc55911ff68318d1bf3061205acb19c48f8f2b743df34ad0f72674acb7505929784779cd9ac916c3669ead43026ab6d43f", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9kF8imcFhOOIZ2lJ5T2n/FWRH/aD\nGNG/MGEgWssZxI+PK3Q980rQ9yZ0rLdQWSl4R3nNmskWw2aerUMCarbUPw==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 347, + "comment" : "extreme value for k and s^-1", + "msg" : "313233343030", + "sig" : "304402207cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc4766997802203333333300000000333333333333333325c7cbbc549e52e763f1f55a327a3aaa", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04501421277be45a5eefec6c639930d636032565af420cf3373f557faa7f8a06438673d6cb6076e1cfcdc7dfe7384c8e5cac08d74501f2ae6e89cad195d0aa1371", + "wx" : "501421277be45a5eefec6c639930d636032565af420cf3373f557faa7f8a0643", + "wy" : "008673d6cb6076e1cfcdc7dfe7384c8e5cac08d74501f2ae6e89cad195d0aa1371" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004501421277be45a5eefec6c639930d636032565af420cf3373f557faa7f8a06438673d6cb6076e1cfcdc7dfe7384c8e5cac08d74501f2ae6e89cad195d0aa1371", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUBQhJ3vkWl7v7GxjmTDWNgMlZa9C\nDPM3P1V/qn+KBkOGc9bLYHbhz83H3+c4TI5crAjXRQHyrm6JytGV0KoTcQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 348, + "comment" : "extreme value for k and s^-1", + "msg" : 
"313233343030", + "sig" : "304402207cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc47669978022049249248db6db6dbb6db6db6db6db6db5a8b230d0b2b51dcd7ebf0c9fef7c185", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "040d935bf9ffc115a527735f729ca8a4ca23ee01a4894adf0e3415ac84e808bb343195a3762fea29ed38912bd9ea6c4fde70c3050893a4375850ce61d82eba33c5", + "wx" : "0d935bf9ffc115a527735f729ca8a4ca23ee01a4894adf0e3415ac84e808bb34", + "wy" : "3195a3762fea29ed38912bd9ea6c4fde70c3050893a4375850ce61d82eba33c5" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200040d935bf9ffc115a527735f729ca8a4ca23ee01a4894adf0e3415ac84e808bb343195a3762fea29ed38912bd9ea6c4fde70c3050893a4375850ce61d82eba33c5", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDZNb+f/BFaUnc19ynKikyiPuAaSJ\nSt8ONBWshOgIuzQxlaN2L+op7TiRK9nqbE/ecMMFCJOkN1hQzmHYLrozxQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 349, + "comment" : "extreme value for k", + "msg" : "313233343030", + "sig" : "304402207cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc47669978022016a4502e2781e11ac82cbc9d1edd8c981584d13e18411e2f6e0478c34416e3bb", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "045e59f50708646be8a589355014308e60b668fb670196206c41e748e64e4dca215de37fee5c97bcaf7144d5b459982f52eeeafbdf03aacbafef38e213624a01de", + "wx" : "5e59f50708646be8a589355014308e60b668fb670196206c41e748e64e4dca21", + "wy" : "5de37fee5c97bcaf7144d5b459982f52eeeafbdf03aacbafef38e213624a01de" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200045e59f50708646be8a589355014308e60b668fb670196206c41e748e64e4dca215de37fee5c97bcaf7144d5b459982f52eeeafbdf03aacbafef38e213624a01de", + "keyPem" : "-----BEGIN PUBLIC 
KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXln1Bwhka+iliTVQFDCOYLZo+2cB\nliBsQedI5k5NyiFd43/uXJe8r3FE1bRZmC9S7ur73wOqy6/vOOITYkoB3g==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 350, + "comment" : "extreme value for k and edgecase s", + "msg" : "313233343030", + "sig" : "304402206b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2960220555555550000000055555555555555553ef7a8e48d07df81a693439654210c70", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04169fb797325843faff2f7a5b5445da9e2fd6226f7ef90ef0bfe924104b02db8e7bbb8de662c7b9b1cf9b22f7a2e582bd46d581d68878efb2b861b131d8a1d667", + "wx" : "169fb797325843faff2f7a5b5445da9e2fd6226f7ef90ef0bfe924104b02db8e", + "wy" : "7bbb8de662c7b9b1cf9b22f7a2e582bd46d581d68878efb2b861b131d8a1d667" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004169fb797325843faff2f7a5b5445da9e2fd6226f7ef90ef0bfe924104b02db8e7bbb8de662c7b9b1cf9b22f7a2e582bd46d581d68878efb2b861b131d8a1d667", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFp+3lzJYQ/r/L3pbVEXani/WIm9+\n+Q7wv+kkEEsC2457u43mYse5sc+bIvei5YK9RtWB1oh477K4YbEx2KHWZw==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 351, + "comment" : "extreme value for k and s^-1", + "msg" : "313233343030", + "sig" : "304502206b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296022100b6db6db6249249254924924924924924625bd7a09bec4ca81bcdd9f8fd6b63cc", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04271cd89c000143096b62d4e9e4ca885aef2f7023d18affdaf8b7b548981487540a1c6e954e32108435b55fa385b0f76481a609b9149ccb4b02b2ca47fe8e4da5", + "wx" : "271cd89c000143096b62d4e9e4ca885aef2f7023d18affdaf8b7b54898148754", + 
"wy" : "0a1c6e954e32108435b55fa385b0f76481a609b9149ccb4b02b2ca47fe8e4da5" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004271cd89c000143096b62d4e9e4ca885aef2f7023d18affdaf8b7b548981487540a1c6e954e32108435b55fa385b0f76481a609b9149ccb4b02b2ca47fe8e4da5", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJxzYnAABQwlrYtTp5MqIWu8vcCPR\niv/a+Le1SJgUh1QKHG6VTjIQhDW1X6OFsPdkgaYJuRScy0sCsspH/o5NpQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 352, + "comment" : "extreme value for k and s^-1", + "msg" : "313233343030", + "sig" : "304502206b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296022100cccccccc00000000cccccccccccccccc971f2ef152794b9d8fc7d568c9e8eaa7", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "043d0bc7ed8f09d2cb7ddb46ebc1ed799ab1563a9ab84bf524587a220afe499c12e22dc3b3c103824a4f378d96adb0a408abf19ce7d68aa6244f78cb216fa3f8df", + "wx" : "3d0bc7ed8f09d2cb7ddb46ebc1ed799ab1563a9ab84bf524587a220afe499c12", + "wy" : "00e22dc3b3c103824a4f378d96adb0a408abf19ce7d68aa6244f78cb216fa3f8df" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200043d0bc7ed8f09d2cb7ddb46ebc1ed799ab1563a9ab84bf524587a220afe499c12e22dc3b3c103824a4f378d96adb0a408abf19ce7d68aa6244f78cb216fa3f8df", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPQvH7Y8J0st920brwe15mrFWOpq4\nS/UkWHoiCv5JnBLiLcOzwQOCSk83jZatsKQIq/Gc59aKpiRPeMshb6P43w==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 353, + "comment" : "extreme value for k and s^-1", + "msg" : "313233343030", + "sig" : "304402206b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c29602203333333300000000333333333333333325c7cbbc549e52e763f1f55a327a3aaa", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : 
{ + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04a6c885ade1a4c566f9bb010d066974abb281797fa701288c721bcbd23663a9b72e424b690957168d193a6096fc77a2b004a9c7d467e007e1f2058458f98af316", + "wx" : "00a6c885ade1a4c566f9bb010d066974abb281797fa701288c721bcbd23663a9b7", + "wy" : "2e424b690957168d193a6096fc77a2b004a9c7d467e007e1f2058458f98af316" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004a6c885ade1a4c566f9bb010d066974abb281797fa701288c721bcbd23663a9b72e424b690957168d193a6096fc77a2b004a9c7d467e007e1f2058458f98af316", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEpsiFreGkxWb5uwENBml0q7KBeX+n\nASiMchvL0jZjqbcuQktpCVcWjRk6YJb8d6KwBKnH1GfgB+HyBYRY+YrzFg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 354, + "comment" : "extreme value for k and s^-1", + "msg" : "313233343030", + "sig" : "304402206b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296022049249248db6db6dbb6db6db6db6db6db5a8b230d0b2b51dcd7ebf0c9fef7c185", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "048d3c2c2c3b765ba8289e6ac3812572a25bf75df62d87ab7330c3bdbad9ebfa5c4c6845442d66935b238578d43aec54f7caa1621d1af241d4632e0b780c423f5d", + "wx" : "008d3c2c2c3b765ba8289e6ac3812572a25bf75df62d87ab7330c3bdbad9ebfa5c", + "wy" : "4c6845442d66935b238578d43aec54f7caa1621d1af241d4632e0b780c423f5d" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200048d3c2c2c3b765ba8289e6ac3812572a25bf75df62d87ab7330c3bdbad9ebfa5c4c6845442d66935b238578d43aec54f7caa1621d1af241d4632e0b780c423f5d", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjTwsLDt2W6gonmrDgSVyolv3XfYt\nh6tzMMO9utnr+lxMaEVELWaTWyOFeNQ67FT3yqFiHRryQdRjLgt4DEI/XQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + 
"tcId" : 355, + "comment" : "extreme value for k", + "msg" : "313233343030", + "sig" : "304402206b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296022016a4502e2781e11ac82cbc9d1edd8c981584d13e18411e2f6e0478c34416e3bb", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", + "wx" : "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", + "wy" : "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaxfR8uEsQkf4vOblY6RA8ncDfYEt\n6zOg9KE5RdiYwpZP40Li/hp/m47n60p8D54WK84zV2sxXs7LtkBoN79R9Q==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 356, + "comment" : "testing point duplication", + "msg" : "313233343030", + "sig" : "3045022100bb5a52f42f9c9261ed4361f59422a1e30036e7c32b270c8807a419feca6050230220249249246db6db6ddb6db6db6db6db6dad4591868595a8ee6bf5f864ff7be0c2", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 357, + "comment" : "testing point duplication", + "msg" : "313233343030", + "sig" : "3044022044a5ad0ad0636d9f12bc9e0a6bdd5e1cbcb012ea7bf091fcec15b0c43202d52e0220249249246db6db6ddb6db6db6db6db6dad4591868595a8ee6bf5f864ff7be0c2", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296b01cbd1c01e58065711814b583f061e9d431cca994cea1313449bf97c840ae0a", + "wx" : 
"6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", + "wy" : "00b01cbd1c01e58065711814b583f061e9d431cca994cea1313449bf97c840ae0a" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296b01cbd1c01e58065711814b583f061e9d431cca994cea1313449bf97c840ae0a", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaxfR8uEsQkf4vOblY6RA8ncDfYEt\n6zOg9KE5RdiYwpawHL0cAeWAZXEYFLWD8GHp1DHMqZTOoTE0Sb+XyECuCg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 358, + "comment" : "testing point duplication", + "msg" : "313233343030", + "sig" : "3045022100bb5a52f42f9c9261ed4361f59422a1e30036e7c32b270c8807a419feca6050230220249249246db6db6ddb6db6db6db6db6dad4591868595a8ee6bf5f864ff7be0c2", + "result" : "invalid", + "flags" : [] + }, + { + "tcId" : 359, + "comment" : "testing point duplication", + "msg" : "313233343030", + "sig" : "3044022044a5ad0ad0636d9f12bc9e0a6bdd5e1cbcb012ea7bf091fcec15b0c43202d52e0220249249246db6db6ddb6db6db6db6db6dad4591868595a8ee6bf5f864ff7be0c2", + "result" : "invalid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "0404aaec73635726f213fb8a9e64da3b8632e41495a944d0045b522eba7240fad587d9315798aaa3a5ba01775787ced05eaaf7b4e09fc81d6d1aa546e8365d525d", + "wx" : "04aaec73635726f213fb8a9e64da3b8632e41495a944d0045b522eba7240fad5", + "wy" : "0087d9315798aaa3a5ba01775787ced05eaaf7b4e09fc81d6d1aa546e8365d525d" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d0301070342000404aaec73635726f213fb8a9e64da3b8632e41495a944d0045b522eba7240fad587d9315798aaa3a5ba01775787ced05eaaf7b4e09fc81d6d1aa546e8365d525d", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBKrsc2NXJvIT+4qeZNo7hjLkFJWp\nRNAEW1IuunJA+tWH2TFXmKqjpboBd1eHztBeqve04J/IHW0apUboNl1SXQ==\n-----END PUBLIC KEY-----", + "sha" : 
"SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 360, + "comment" : "pseudorandom signature", + "msg" : "", + "sig" : "3045022100b292a619339f6e567a305c951c0dcbcc42d16e47f219f9e98e76e09d8770b34a02200177e60492c5a8242f76f07bfe3661bde59ec2a17ce5bd2dab2abebdf89a62e2", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 361, + "comment" : "pseudorandom signature", + "msg" : "4d7367", + "sig" : "30450220530bd6b0c9af2d69ba897f6b5fb59695cfbf33afe66dbadcf5b8d2a2a6538e23022100d85e489cb7a161fd55ededcedbf4cc0c0987e3e3f0f242cae934c72caa3f43e9", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 362, + "comment" : "pseudorandom signature", + "msg" : "313233343030", + "sig" : "3046022100a8ea150cb80125d7381c4c1f1da8e9de2711f9917060406a73d7904519e51388022100f3ab9fa68bd47973a73b2d40480c2ba50c22c9d76ec217257288293285449b86", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 363, + "comment" : "pseudorandom signature", + "msg" : "0000000000000000000000000000000000000000", + "sig" : "3045022100986e65933ef2ed4ee5aada139f52b70539aaf63f00a91f29c69178490d57fb7102203dafedfb8da6189d372308cbf1489bbbdabf0c0217d1c0ff0f701aaa7a694b9c", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "044f337ccfd67726a805e4f1600ae2849df3807eca117380239fbd816900000000ed9dea124cc8c396416411e988c30f427eb504af43a3146cd5df7ea60666d685", + "wx" : "4f337ccfd67726a805e4f1600ae2849df3807eca117380239fbd816900000000", + "wy" : "00ed9dea124cc8c396416411e988c30f427eb504af43a3146cd5df7ea60666d685" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200044f337ccfd67726a805e4f1600ae2849df3807eca117380239fbd816900000000ed9dea124cc8c396416411e988c30f427eb504af43a3146cd5df7ea60666d685", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETzN8z9Z3JqgF5PFgCuKEnfOAfsoR\nc4Ajn72BaQAAAADtneoSTMjDlkFkEemIww9CfrUEr0OjFGzV336mBmbWhQ==\n-----END PUBLIC 
KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 364, + "comment" : "x-coordinate of the public key has many trailing 0's", + "msg" : "4d657373616765", + "sig" : "3046022100d434e262a49eab7781e353a3565e482550dd0fd5defa013c7f29745eff3569f10221009b0c0a93f267fb6052fd8077be769c2b98953195d7bc10de844218305c6ba17a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 365, + "comment" : "x-coordinate of the public key has many trailing 0's", + "msg" : "4d657373616765", + "sig" : "304402200fe774355c04d060f76d79fd7a772e421463489221bf0a33add0be9b1979110b0220500dcba1c69a8fbd43fa4f57f743ce124ca8b91a1f325f3fac6181175df55737", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 366, + "comment" : "x-coordinate of the public key has many trailing 0's", + "msg" : "4d657373616765", + "sig" : "3045022100bb40bf217bed3fb3950c7d39f03d36dc8e3b2cd79693f125bfd06595ee1135e30220541bf3532351ebb032710bdb6a1bf1bfc89a1e291ac692b3fa4780745bb55677", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "043cf03d614d8939cfd499a07873fac281618f06b8ff87e8015c3f49726500493584fa174d791c72bf2ce3880a8960dd2a7c7a1338a82f85a9e59cdbde80000000", + "wx" : "3cf03d614d8939cfd499a07873fac281618f06b8ff87e8015c3f497265004935", + "wy" : "0084fa174d791c72bf2ce3880a8960dd2a7c7a1338a82f85a9e59cdbde80000000" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200043cf03d614d8939cfd499a07873fac281618f06b8ff87e8015c3f49726500493584fa174d791c72bf2ce3880a8960dd2a7c7a1338a82f85a9e59cdbde80000000", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPPA9YU2JOc/UmaB4c/rCgWGPBrj/\nh+gBXD9JcmUASTWE+hdNeRxyvyzjiAqJYN0qfHoTOKgvhanlnNvegAAAAA==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 367, + "comment" : "y-coordinate of the public key has many trailing 0's", + "msg" : 
"4d657373616765", + "sig" : "30440220664eb7ee6db84a34df3c86ea31389a5405badd5ca99231ff556d3e75a233e73a022059f3c752e52eca46137642490a51560ce0badc678754b8f72e51a2901426a1bd", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 368, + "comment" : "y-coordinate of the public key has many trailing 0's", + "msg" : "4d657373616765", + "sig" : "304502204cd0429bbabd2827009d6fcd843d4ce39c3e42e2d1631fd001985a79d1fd8b430221009638bf12dd682f60be7ef1d0e0d98f08b7bca77a1a2b869ae466189d2acdabe3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 369, + "comment" : "y-coordinate of the public key has many trailing 0's", + "msg" : "4d657373616765", + "sig" : "3046022100e56c6ea2d1b017091c44d8b6cb62b9f460e3ce9aed5e5fd41e8added97c56c04022100a308ec31f281e955be20b457e463440b4fcf2b80258078207fc1378180f89b55", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "043cf03d614d8939cfd499a07873fac281618f06b8ff87e8015c3f4972650049357b05e8b186e38d41d31c77f5769f22d58385ecc857d07a561a6324217fffffff", + "wx" : "3cf03d614d8939cfd499a07873fac281618f06b8ff87e8015c3f497265004935", + "wy" : "7b05e8b186e38d41d31c77f5769f22d58385ecc857d07a561a6324217fffffff" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200043cf03d614d8939cfd499a07873fac281618f06b8ff87e8015c3f4972650049357b05e8b186e38d41d31c77f5769f22d58385ecc857d07a561a6324217fffffff", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPPA9YU2JOc/UmaB4c/rCgWGPBrj/\nh+gBXD9JcmUASTV7BeixhuONQdMcd/V2nyLVg4XsyFfQelYaYyQhf////w==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 370, + "comment" : "y-coordinate of the public key has many trailing 1's", + "msg" : "4d657373616765", + "sig" : "304402201158a08d291500b4cabed3346d891eee57c176356a2624fb011f8fbbf34668300220228a8c486a736006e082325b85290c5bc91f378b75d487dda46798c18f285519", + "result" : 
"valid", + "flags" : [] + }, + { + "tcId" : 371, + "comment" : "y-coordinate of the public key has many trailing 1's", + "msg" : "4d657373616765", + "sig" : "3045022100b1db9289649f59410ea36b0c0fc8d6aa2687b29176939dd23e0dde56d309fa9d02203e1535e4280559015b0dbd987366dcf43a6d1af5c23c7d584e1c3f48a1251336", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 372, + "comment" : "y-coordinate of the public key has many trailing 1's", + "msg" : "4d657373616765", + "sig" : "3046022100b7b16e762286cb96446aa8d4e6e7578b0a341a79f2dd1a220ac6f0ca4e24ed86022100ddc60a700a139b04661c547d07bbb0721780146df799ccf55e55234ecb8f12bc", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "042829c31faa2e400e344ed94bca3fcd0545956ebcfe8ad0f6dfa5ff8effffffffa01aafaf000e52585855afa7676ade284113099052df57e7eb3bd37ebeb9222e", + "wx" : "2829c31faa2e400e344ed94bca3fcd0545956ebcfe8ad0f6dfa5ff8effffffff", + "wy" : "00a01aafaf000e52585855afa7676ade284113099052df57e7eb3bd37ebeb9222e" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d030107034200042829c31faa2e400e344ed94bca3fcd0545956ebcfe8ad0f6dfa5ff8effffffffa01aafaf000e52585855afa7676ade284113099052df57e7eb3bd37ebeb9222e", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKCnDH6ouQA40TtlLyj/NBUWVbrz+\nitD236X/jv////+gGq+vAA5SWFhVr6dnat4oQRMJkFLfV+frO9N+vrkiLg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 373, + "comment" : "x-coordinate of the public key has many trailing 1's", + "msg" : "4d657373616765", + "sig" : "3045022100d82a7c2717261187c8e00d8df963ff35d796edad36bc6e6bd1c91c670d9105b402203dcabddaf8fcaa61f4603e7cbac0f3c0351ecd5988efb23f680d07debd139929", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 374, + "comment" : "x-coordinate of the public key has many trailing 1's", + "msg" : "4d657373616765", + "sig" : 
"304402205eb9c8845de68eb13d5befe719f462d77787802baff30ce96a5cba063254af7802202c026ae9be2e2a5e7ca0ff9bbd92fb6e44972186228ee9a62b87ddbe2ef66fb5", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 375, + "comment" : "x-coordinate of the public key has many trailing 1's", + "msg" : "4d657373616765", + "sig" : "304602210096843dd03c22abd2f3b782b170239f90f277921becc117d0404a8e4e36230c28022100f2be378f526f74a543f67165976de9ed9a31214eb4d7e6db19e1ede123dd991d", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04fffffff948081e6a0458dd8f9e738f2665ff9059ad6aac0708318c4ca9a7a4f55a8abcba2dda8474311ee54149b973cae0c0fb89557ad0bf78e6529a1663bd73", + "wx" : "00fffffff948081e6a0458dd8f9e738f2665ff9059ad6aac0708318c4ca9a7a4f5", + "wy" : "5a8abcba2dda8474311ee54149b973cae0c0fb89557ad0bf78e6529a1663bd73" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004fffffff948081e6a0458dd8f9e738f2665ff9059ad6aac0708318c4ca9a7a4f55a8abcba2dda8474311ee54149b973cae0c0fb89557ad0bf78e6529a1663bd73", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE////+UgIHmoEWN2PnnOPJmX/kFmt\naqwHCDGMTKmnpPVairy6LdqEdDEe5UFJuXPK4MD7iVV60L945lKaFmO9cw==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 376, + "comment" : "x-coordinate of the public key is large", + "msg" : "4d657373616765", + "sig" : "30440220766456dce1857c906f9996af729339464d27e9d98edc2d0e3b760297067421f60220402385ecadae0d8081dccaf5d19037ec4e55376eced699e93646bfbbf19d0b41", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 377, + "comment" : "x-coordinate of the public key is large", + "msg" : "4d657373616765", + "sig" : "3046022100c605c4b2edeab20419e6518a11b2dbc2b97ed8b07cced0b19c34f777de7b9fd9022100edf0f612c5f46e03c719647bc8af1b29b2cde2eda700fb1cff5e159d47326dba", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 378, + 
"comment" : "x-coordinate of the public key is large", + "msg" : "4d657373616765", + "sig" : "3046022100d48b68e6cabfe03cf6141c9ac54141f210e64485d9929ad7b732bfe3b7eb8a84022100feedae50c61bd00e19dc26f9b7e2265e4508c389109ad2f208f0772315b6c941", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "0400000003fa15f963949d5f03a6f5c7f86f9e0015eeb23aebbff1173937ba748e1099872070e8e87c555fa13659cca5d7fadcfcb0023ea889548ca48af2ba7e71", + "wx" : "03fa15f963949d5f03a6f5c7f86f9e0015eeb23aebbff1173937ba748e", + "wy" : "1099872070e8e87c555fa13659cca5d7fadcfcb0023ea889548ca48af2ba7e71" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d0301070342000400000003fa15f963949d5f03a6f5c7f86f9e0015eeb23aebbff1173937ba748e1099872070e8e87c555fa13659cca5d7fadcfcb0023ea889548ca48af2ba7e71", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAAAAA/oV+WOUnV8DpvXH+G+eABXu\nsjrrv/EXOTe6dI4QmYcgcOjofFVfoTZZzKXX+tz8sAI+qIlUjKSK8rp+cQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 379, + "comment" : "x-coordinate of the public key is small", + "msg" : "4d657373616765", + "sig" : "3046022100b7c81457d4aeb6aa65957098569f0479710ad7f6595d5874c35a93d12a5dd4c7022100b7961a0b652878c2d568069a432ca18a1a9199f2ca574dad4b9e3a05c0a1cdb3", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 380, + "comment" : "x-coordinate of the public key is small", + "msg" : "4d657373616765", + "sig" : "304402206b01332ddb6edfa9a30a1321d5858e1ee3cf97e263e669f8de5e9652e76ff3f702205939545fced457309a6a04ace2bd0f70139c8f7d86b02cb1cc58f9e69e96cd5a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 381, + "comment" : "x-coordinate of the public key is small", + "msg" : "4d657373616765", + "sig" : 
"3046022100efdb884720eaeadc349f9fc356b6c0344101cd2fd8436b7d0e6a4fb93f106361022100f24bee6ad5dc05f7613975473aadf3aacba9e77de7d69b6ce48cb60d8113385d", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : "secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04bcbb2914c79f045eaa6ecbbc612816b3be5d2d6796707d8125e9f851c18af015000000001352bb4a0fa2ea4cceb9ab63dd684ade5a1127bcf300a698a7193bc2", + "wx" : "00bcbb2914c79f045eaa6ecbbc612816b3be5d2d6796707d8125e9f851c18af015", + "wy" : "1352bb4a0fa2ea4cceb9ab63dd684ade5a1127bcf300a698a7193bc2" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004bcbb2914c79f045eaa6ecbbc612816b3be5d2d6796707d8125e9f851c18af015000000001352bb4a0fa2ea4cceb9ab63dd684ade5a1127bcf300a698a7193bc2", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvLspFMefBF6qbsu8YSgWs75dLWeW\ncH2BJen4UcGK8BUAAAAAE1K7Sg+i6kzOuatj3WhK3loRJ7zzAKaYpxk7wg==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 382, + "comment" : "y-coordinate of the public key is small", + "msg" : "4d657373616765", + "sig" : "3044022031230428405560dcb88fb5a646836aea9b23a23dd973dcbe8014c87b8b20eb0702200f9344d6e812ce166646747694a41b0aaf97374e19f3c5fb8bd7ae3d9bd0beff", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 383, + "comment" : "y-coordinate of the public key is small", + "msg" : "4d657373616765", + "sig" : "3046022100caa797da65b320ab0d5c470cda0b36b294359c7db9841d679174db34c4855743022100cf543a62f23e212745391aaf7505f345123d2685ee3b941d3de6d9b36242e5a0", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 384, + "comment" : "y-coordinate of the public key is small", + "msg" : "4d657373616765", + "sig" : "304502207e5f0ab5d900d3d3d7867657e5d6d36519bc54084536e7d21c336ed8001859450221009450c07f201faec94b82dfb322e5ac676688294aad35aa72e727ff0b19b646aa", + "result" : "valid", + "flags" : [] + } + ] + }, + { + "key" : { + "curve" : 
"secp256r1", + "keySize" : 256, + "type" : "EcPublicKey", + "uncompressed" : "04bcbb2914c79f045eaa6ecbbc612816b3be5d2d6796707d8125e9f851c18af015fffffffeecad44b6f05d15b33146549c2297b522a5eed8430cff596758e6c43d", + "wx" : "00bcbb2914c79f045eaa6ecbbc612816b3be5d2d6796707d8125e9f851c18af015", + "wy" : "00fffffffeecad44b6f05d15b33146549c2297b522a5eed8430cff596758e6c43d" + }, + "keyDer" : "3059301306072a8648ce3d020106082a8648ce3d03010703420004bcbb2914c79f045eaa6ecbbc612816b3be5d2d6796707d8125e9f851c18af015fffffffeecad44b6f05d15b33146549c2297b522a5eed8430cff596758e6c43d", + "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvLspFMefBF6qbsu8YSgWs75dLWeW\ncH2BJen4UcGK8BX////+7K1EtvBdFbMxRlScIpe1IqXu2EMM/1lnWObEPQ==\n-----END PUBLIC KEY-----", + "sha" : "SHA-256", + "type" : "EcdsaVerify", + "tests" : [ + { + "tcId" : 385, + "comment" : "y-coordinate of the public key is large", + "msg" : "4d657373616765", + "sig" : "3046022100d7d70c581ae9e3f66dc6a480bf037ae23f8a1e4a2136fe4b03aa69f0ca25b35602210089c460f8a5a5c2bbba962c8a3ee833a413e85658e62a59e2af41d9127cc47224", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 386, + "comment" : "y-coordinate of the public key is large", + "msg" : "4d657373616765", + "sig" : "30440220341c1b9ff3c83dd5e0dfa0bf68bcdf4bb7aa20c625975e5eeee34bb396266b34022072b69f061b750fd5121b22b11366fad549c634e77765a017902a67099e0a4469", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 387, + "comment" : "y-coordinate of the public key is large", + "msg" : "4d657373616765", + "sig" : "3045022070bebe684cdcb5ca72a42f0d873879359bd1781a591809947628d313a3814f67022100aec03aca8f5587a4d535fa31027bbe9cc0e464b1c3577f4c2dcde6b2094798a9", + "result" : "valid", + "flags" : [] + } + ] + } + ] +} diff --git a/tests/util.h b/tests/util.h new file mode 100644 index 00000000..1b327d02 --- /dev/null +++ b/tests/util.h 
@@ -0,0 +1,56 @@
+#include
+#include
+#include
+
+typedef std::vector bytes;
+
+std::vector
+from_hex(const std::string& hex)
+{
+ if (hex.length() % 2 == 1) {
+ throw std::invalid_argument("Odd-length hex string");
+ }
+
+ int len = static_cast(hex.length()) / 2;
+ std::vector out(len);
+ for (int i = 0; i < len; i += 1) {
+ std::string byte = hex.substr(2 * i, 2);
+ out[i] = static_cast(strtol(byte.c_str(), nullptr, 16));
+ }
+
+ return out;
+}
+
+std::string
+bytes_to_hex(const std::vector& data)
+{
+ std::stringstream hex(std::ios_base::out);
+ hex.flags(std::ios::hex);
+ for (const auto& byte : data) {
+ hex << std::setw(2) << std::setfill('0') << int(byte);
+ }
+ return hex.str();
+}
+
+std::string
+array_to_hex(const uint8_t* data, size_t len)
+{
+ std::stringstream hex(std::ios_base::out);
+ hex.flags(std::ios::hex);
+ for (size_t i = 0; i < len; i++) {
+ hex << std::setw(2) << std::setfill('0') << int(data[i]);
+ }
+ return hex.str();
+}
+
+static inline bool
+compare_and_print(size_t len, uint8_t* comp, uint8_t* exp)
+{
+ bool ok = memcmp(exp, comp, len) == 0;
+ if (!ok) {
+ printf(" ERROR\n");
+ printf(" computed: %s\n", array_to_hex(comp, len).c_str());
+ printf(" expected: %s\n", array_to_hex(exp, len).c_str());
+ }
+ return ok;
+}
diff --git a/tests/x25519.cc b/tests/x25519.cc
new file mode 100644
index 00000000..c7d623b6
--- /dev/null
+++ b/tests/x25519.cc
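Review bot: from_hex converts each two-character slice with `strtol(byte.c_str(), nullptr, 16)` and never checks how much was consumed, so a non-hex character (or a stray space or sign) in a test vector silently turns into a partial or zero byte instead of an error, and a test can then pass or fail against the wrong expected bytes. Passing an end pointer and rejecting anything but a full two-digit parse closes that: `char* end = nullptr;` / `long v = strtol(byte.c_str(), &end, 16);` / `if (end != byte.c_str() + 2) throw std::invalid_argument("Non-hex character in hex string");`. Separately, the header has no include guard and from_hex, bytes_to_hex and array_to_hex are defined with external linkage, so including util.h from a second test translation unit yields duplicate-symbol link errors; marking them `static inline` as compare_and_print already is, plus a `#pragma once`, avoids that. compare_and_print only reads its two buffers and could take them as `const uint8_t*`, which would also remove the need for the const_cast in the x25519 test.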
@@ -0,0 +1,127 @@
+/*
+ * Copyright 2022 Cryspen Sarl
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include
+
+#include "hacl-cpu-features.h"
+
+#include
+#include
+
+#define VALE TARGET_ARCHITECTURE == TARGET_ARCHITECTURE_ID_X64
+
+#include "Hacl_Curve25519_51.h"
+#include "curve25519_vectors.h"
+
+#if VALE
+#include "Hacl_Curve25519_64.h"
+#include "Vale.h"
+#endif
+
+#include "config.h"
+#include "util.h"
+
+#define bytes std::vector
+
+TEST(x25519Test, HaclTest)
+{
+ for (int i = 0; i < sizeof(vectors) / sizeof(curve25519_test_vector); ++i) {
+ uint8_t comp[32] = { 0 };
+ Hacl_Curve25519_51_ecdh(comp, vectors[i].scalar, vectors[i].public_key);
+ EXPECT_TRUE(compare_and_print(32, comp, vectors[i].secret));
+
+#if VALE
+ // We have vale compiled. But we have to check that we can actually use it
+ // when calling HACL functions.
+ if (vale_x25519_support()) {
+ memset(comp, 0, 32);
+ Hacl_Curve25519_64_ecdh(comp, vectors[i].scalar, vectors[i].public_key);
+ EXPECT_TRUE(compare_and_print(32, comp, vectors[i].secret));
+ } else {
+ printf(" ! Vale is available but ADX and/or BMI2 extensions are "
+ "missing.\n");
+ }
+#endif
+ }
+}
+
+//=== Wycheproof tests ====
+
+typedef struct
+{
+ bytes public_key;
+ bytes private_key;
+ bytes shared;
+ bool valid;
+} TestCase;
+
+std::vector
+read_json()
+{
+
+ // Read JSON test vector
+ std::string test_dir = "x25519_test.json";
+ std::ifstream json_test_file(test_dir);
+ nlohmann::json test_vectors;
+ json_test_file >> test_vectors;
+
+ std::vector tests_out;
+
+ // Read test group
+ for (auto& test : test_vectors["testGroups"].items()) {
+ auto test_value = test.value();
+
+ auto tests = test_value["tests"];
+ for (auto& test_case : tests.items()) {
+ auto test_case_value = test_case.value();
+ auto private_key = from_hex(test_case_value["private"]);
+ auto public_key = from_hex(test_case_value["public"]);
+ auto shared = from_hex(test_case_value["shared"]);
+ auto result = test_case_value["result"];
+ bool valid = result == "valid" || result == "acceptable";
+
+ tests_out.push_back({ public_key, private_key, shared, valid });
+ }
+ }
+
+ return tests_out;
+}
+
+class X25519Wycheproof : public ::testing::TestWithParam
+{};
+
+TEST_P(X25519Wycheproof, TryWycheproof)
+{
+ const TestCase& test_case(GetParam());
+
+ // Stupid const
+ uint8_t* private_key = const_cast(test_case.private_key.data());
+ uint8_t* public_key = const_cast(test_case.public_key.data());
+
+ uint8_t computed_shared[32] = { 0 };
+ Hacl_Curve25519_51_ecdh(computed_shared, private_key, public_key);
+ if (test_case.valid) {
+ EXPECT_EQ(std::vector(computed_shared, computed_shared + 32),
+ test_case.shared);
+ } else {
+ EXPECT_NE(std::vector(computed_shared, computed_shared + 32),
+ test_case.shared);
+ }
+}
+
+INSTANTIATE_TEST_SUITE_P(Wycheproof,
+ X25519Wycheproof,
+ ::testing::ValuesIn(read_json()));
diff --git a/tests/x25519/x25519_test.json b/tests/x25519/x25519_test.json
new file mode 100644
index 00000000..431b434b
--- /dev/null
+++ b/tests/x25519/x25519_test.json
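Review bot: The return value of `Hacl_Curve25519_51_ecdh` (and of the `_64` variant in the VALE branch) is discarded at every call site; if that bool carries the all-zero shared-secret check from RFC 7748 section 6.1, the Wycheproof cases flagged `ZeroSharedSecret`/`LowOrderPublic` are exactly where it should be asserted, e.g. `bool ok = Hacl_Curve25519_51_ecdh(computed_shared, private_key, public_key);` followed by `EXPECT_EQ(ok, test_case.shared != bytes(32, 0));`. As written, an all-zero output is simply compared against the vector's `shared` field, so a regression in low-order-point handling would not be noticed. read_json also never checks that `json_test_file` opened, and because it runs inside INSTANTIATE_TEST_SUITE_P during static initialisation, a missing or mislocated file (this commit adds it under tests/x25519/ while the code opens `"x25519_test.json"` relative to the working directory, presumably relying on the build to copy it) shows up as an exception at startup rather than a failed test; an `if (!json_test_file.is_open())` guard with a clear message would make that diagnosable. Minor: the loop counter in HaclTest compares a signed `int` with a `sizeof` expression, and `size_t i` avoids the sign-compare warning.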
@@ -0,0 +1,5248 @@ +{ + "algorithm" : "XDH", + "generatorVersion" : "0.8r12", + "numberOfTests" : 518, + "header" : [ + "Test vectors of type XdhComp are intended for tests that verify the", + "computation of and Xdh key exchange." + ], + "notes" : { + "LowOrderPublic" : "The curves and its twists contain some points of low order. This test vector contains a public key with such a point. While many libraries reject such public keys, doing so is not a strict requirement according to RFC 7748.", + "NonCanonicalPublic" : "The public key is in non-canonical form. RFC 7749, section 5 defines the value that this public key represents. Section 7 of the same RFC recommends accepting such keys. If a non-canonical key is accepted then it must follow the RFC.", + "SmallPublicKey" : "The public key is insecure and does not belong to a valid private key. Some libraries reject such keys.", + "Twist" : "Public keys are either points on a given curve or points on its twist. The functions X25519 and X448 are defined for points on a twist with the goal that the output of computations do not leak private keys. Implementations may accept or reject points on a twist. If a point multiplication is performed then it is important that the result is correct, since otherwise attacks with invalid keys are possible.", + "ZeroSharedSecret" : "Some libraries include a check that the shared secret is not all-zero. This check is described in Section 6.1 of RFC 7748. 
" + }, + "schema" : "xdh_comp_schema.json", + "testGroups" : [ + { + "curve" : "curve25519", + "type" : "XdhComp", + "tests" : [ + { + "tcId" : 1, + "comment" : "normal case", + "public" : "504a36999f489cd2fdbc08baff3d88fa00569ba986cba22548ffde80f9806829", + "private" : "c8a9d5a91091ad851c668b0736c1c9a02936c0d3ad62670858088047ba057475", + "shared" : "436a2c040cf45fea9b29a0cb81b1f41458f863d0d61b453d0a982720d6d61320", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 2, + "comment" : "public key on twist", + "public" : "63aa40c6e38346c5caf23a6df0a5e6c80889a08647e551b3563449befcfc9733", + "private" : "d85d8c061a50804ac488ad774ac716c3f5ba714b2712e048491379a500211958", + "shared" : "279df67a7c4611db4708a0e8282b195e5ac0ed6f4b2f292c6fbd0acac30d1332", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 3, + "comment" : "public key on twist", + "public" : "0f83c36fded9d32fadf4efa3ae93a90bb5cfa66893bc412c43fa7287dbb99779", + "private" : "c8b45bfd32e55325d9fd648cb302848039000b390e44d521e58aab3b29a6964b", + "shared" : "4bc7e01e7d83d6cf67632bf90033487a5fc29eba5328890ea7b1026d23b9a45f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 4, + "comment" : "public key on twist", + "public" : "0b8211a2b6049097f6871c6c052d3c5fc1ba17da9e32ae458403b05bb283092a", + "private" : "f876e34bcbe1f47fbc0fddfd7c1e1aa53d57bfe0f66d243067b424bb6210be51", + "shared" : "119d37ed4b109cbd6418b1f28dea83c836c844715cdf98a3a8c362191debd514", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 5, + "comment" : "public key on twist", + "public" : "343ac20a3b9c6a27b1008176509ad30735856ec1c8d8fcae13912d08d152f46c", + "private" : "006ac1f3a653a4cdb1d37bba94738f8b957a57beb24d646e994dc29a276aad45", + "shared" : "cc4873aed3fcee4b3aaea7f0d20716b4276359081f634b7bea4b705bfc8a4d3e", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 6, + "comment" : "public key on twist", + "public" : 
"fa695fc7be8d1be5bf704898f388c452bafdd3b8eae805f8681a8d15c2d4e142", + "private" : "08da77b26d06dff9d9f7fd4c5b3769f8cdd5b30516a5ab806be324ff3eb69e60", + "shared" : "b6f8e2fcb1affc79e2ff798319b2701139b95ad6dd07f05cbac78bd83edfd92e", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 7, + "comment" : "public key on twist", + "public" : "0200000000000000000000000000000000000000000000000000000000000000", + "private" : "d03edde9f3e7b799045f9ac3793d4a9277dadeadc41bec0290f81f744f73775f", + "shared" : "b87a1722cc6c1e2feecb54e97abd5a22acc27616f78f6e315fd2b73d9f221e57", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 8, + "comment" : "public key on twist", + "public" : "0300000000000000000000000000000000000000000000000000000000000000", + "private" : "e09d57a914e3c29036fd9a442ba526b5cdcdf28216153e636c10677acab6bd6a", + "shared" : "a29d8dad28d590cd3017aa97a4761f851bf1d3672b042a4256a45881e2ad9035", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 9, + "comment" : "public key on twist", + "public" : "ff00000000000000000000000000000000000000000000000000000000000000", + "private" : "e0ed78e6ee02f08bec1c15d66fbbe5b83ffc37ea14e1512cc1bd4b2ea6d8066f", + "shared" : "e703bc8aa94b7d87ba34e2678353d12cdaaa1a97b5ca3e1b8c060c4636087f07", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 10, + "comment" : "public key on twist", + "public" : "ffff000000000000000000000000000000000000000000000000000000000000", + "private" : "a8a1a2ec9fa9915ae7aace6a37c68591d39e15995c4ef5ebd3561c02f72dda41", + "shared" : "ff5cf041e924dbe1a64ac9bdba96bdcdfaf7d59d91c7e33e76ed0e4c8c836446", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 11, + "comment" : "public key on twist", + "public" : "0000010000000000000000000000000000000000000000000000000000000000", + "private" : "a8c9df5820eb399d471dfa3215d96055b3c7d0f4ea49f8ab028d6a6e3194517b", + "shared" : 
"a92a96fa029960f9530e6fe37e2429cd113be4d8f3f4431f8546e6c76351475d", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 12, + "comment" : "public key on twist", + "public" : "ffffff0f00000000000000000000000000000000000000000000000000000000", + "private" : "d0d31c491cbd39271859b4a63a316826507b1db8c701709fd0ffe3eb21c4467c", + "shared" : "9f8954868158ec62b6b586b8cae1d67d1b9f4c03d5b3ca0393cee71accc9ab65", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 13, + "comment" : "public key on twist", + "public" : "ffffffff00000000000000000000000000000000000000000000000000000000", + "private" : "d053e7bf1902619cd61c9c739e09d54c4147f46d190720966f7de1d9cffbbd4e", + "shared" : "6cbf1dc9af97bc148513a18be4a257de1a3b065584df94e8b43c1ab89720b110", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 14, + "comment" : "public key on twist", + "public" : "0000000000001000000000000000000000000000000000000000000000000000", + "private" : "a021d75009a4596e5a33f12921c10f3670933bc80dde3bba22881b6120582144", + "shared" : "38284b7086095a9406028c1f800c071ea106039ad7a1d7f82fe00906fd90594b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 15, + "comment" : "public key on twist", + "public" : "0000000000000001000000000000000000000000000000000000000000000000", + "private" : "a89c6687f99bd569a01fd8bd438236160d15ce2c57c1d71ebaa3f2da88233863", + "shared" : "c721041df0244071794a8db06b9f7eaeec690c257265343666f4416f4166840f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 16, + "comment" : "public key on twist", + "public" : "ffffffffffffffff000000000000000000000000000000000000000000000000", + "private" : "68964bca51465bf0f5ba524b1482ceff0e960a1ed9f48dcc30f1608d0e501a50", + "shared" : "25ff9a6631b143dbdbdc207b38e38f832ae079a52a618c534322e77345fd9049", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 17, + "comment" : "public key on twist", + "public" : 
"0000000000000000000000000000000000000000000000000100000000000000", + "private" : "a8e56bb13a9f2b33b8e6750b4a6e6621dc26ae8c5c624a0992c8f0d5b910f170", + "shared" : "f294e7922c6cea587aefe72911630d50f2456a2ba7f21207d57f1ecce04f6213", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 18, + "comment" : "public key on twist", + "public" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000", + "private" : "e045f55c159451e97814d747050fd7769bd478434a01876a56e553f66384a74c", + "shared" : "ff4715bd8cf847b77c244ce2d9b008b19efaa8e845feb85ce4889b5b2c6a4b4d", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 19, + "comment" : "public key on twist", + "public" : "ffffff030000f8ffff1f0000c0ffffff000000feffff070000f0ffff3f000000", + "private" : "105d621e1ef339c3d99245cfb77cd3a5bd0c4427a0e4d8752c3b51f045889b4f", + "shared" : "61eace52da5f5ecefafa4f199b077ff64f2e3d2a6ece6f8ec0497826b212ef5f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 20, + "comment" : "public key on twist", + "public" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f0000", + "private" : "d88a441e706f606ae7f630f8b21f3c2554739e3e549f804118c03771f608017b", + "shared" : "ff1b509a0a1a54726086f1e1c0acf040ab463a2a542e5d54e92c6df8126cf636", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 21, + "comment" : "public key on twist", + "public" : "0000000000000000000000000000000000000000000000000000000000800000", + "private" : "80bbad168222276200aafd36f7f25fdc025632d8bf9f6354bb762e06fb63e250", + "shared" : "f134e6267bf93903085117b99932cc0c7ba26f25fca12102a26d7533d9c4272a", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 22, + "comment" : "public key on twist", + "public" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff1f", + "private" : "68e134092e94e622c8a0cd18aff55be23dabd994ebdee982d90601f6f0f4b369", + "shared" : 
"74bfc15e5597e9f5193f941e10a5c008fc89f051392723886a4a8fe5093a7354", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 23, + "comment" : "public key on twist", + "public" : "0000000000000000000000000000000000000000000000000000000000000020", + "private" : "e8e43fc1ebac0bbc9b99c8035ee1ac59b90f19a16c42c0b90f96adfcc5fdee78", + "shared" : "0d41a5b3af770bf2fcd34ff7972243a0e2cf4d34f2046a144581ae1ec68df03b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 24, + "comment" : "public key on twist", + "public" : "000000fcffff070000e0ffff3f000000ffffff010000f8ffff0f0000c0ffff7f", + "private" : "18bffb16f92680a9e267473e43c464476d5372ddd1f664f3d0678efe7c98bc79", + "shared" : "5894e0963583ae14a0b80420894167f4b759c8d2eb9b69cb675543f66510f646", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 25, + "comment" : "public key on twist", + "public" : "ffffffffffffff00000000000000ffffffffffffff00000000000000ffffff7f", + "private" : "300305eb002bf86c71fe9c0b311993727b9dc618d0ce7251d0dfd8552d17905d", + "shared" : "f8624d6e35e6c548ac47832f2e5d151a8e53b9290363b28d2ab8d84ab7cb6a72", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 26, + "comment" : "public key on twist", + "public" : "00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffff7f", + "private" : "80da9f02842247d4ade5ddbac51dbce55ea7dca2844e7f97ab8987ce7fd8bc71", + "shared" : "bfe183ba3d4157a7b53ef178613db619e27800f85359c0b39a9fd6e32152c208", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 27, + "comment" : "public key on twist", + "public" : "edfffffffffffffffffffffffffffeffffffffffffffffffffffffffffffff7f", + "private" : "806e7f26ca3246de8182946cbed09f52b95da626c823c7b50450001a47b7b252", + "shared" : "bca4a0724f5c1feb184078448c898c8620e7caf81f64cca746f557dff2498859", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 28, + "comment" : "public key on twist", + "public" : 
"edfffffffffffffeffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "58354fd64bc022cba3a71b2ae64281e4ea7bf6d65fdbaead1440eeb18604fe62", + "shared" : "b3418a52464c15ab0cacbbd43887a1199206d59229ced49202300638d7a40f04", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 29, + "comment" : "public key on twist", + "public" : "edffffffffffefffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "f0019cf05159794cc8052b00c2e75b7f46fb6693c4b38c02b12a4fe272e8556a", + "shared" : "fcde6e0a3d5fd5b63f10c2d3aad4efa05196f26bc0cb26fd6d9d3bd015eaa74f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 30, + "comment" : "public key on twist", + "public" : "edfeffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "d0fca64cc5f3a0c8e75c824e8b09d1615aa79aeba139bb7302e2bb2fcbe54b40", + "shared" : "7d62f189444c6231a48afab10a0af2eee4a52e431ea05ff781d616af2114672f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 31, + "comment" : "public key on twist", + "public" : "eaffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "d02456e456911d3c6cd054933199807732dfdc958642ad1aebe900c793bef24a", + "shared" : "07ba5fcbda21a9a17845c401492b10e6de0a168d5c94b606694c11bac39bea41", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 32, + "comment" : "public key = 0", + "public" : "0000000000000000000000000000000000000000000000000000000000000000", + "private" : "88227494038f2bb811d47805bcdf04a2ac585ada7f2f23389bfd4658f9ddd45e", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "SmallPublicKey", + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 33, + "comment" : "public key = 1", + "public" : "0100000000000000000000000000000000000000000000000000000000000000", + "private" : "48232e8972b61c7e61930eb9450b5070eae1c670475685541f0476217e48184f", + 
"shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "SmallPublicKey", + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 34, + "comment" : "edge case public key", + "public" : "0400000000000000000000000000000000000000000000000000000000000000", + "private" : "a8386f7f16c50731d64f82e6a170b142a4e34f31fd7768fcb8902925e7d1e25a", + "shared" : "34b7e4fa53264420d9f943d15513902342b386b172a0b0b7c8b8f2dd3d669f59", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 35, + "comment" : "edge case public key", + "public" : "0001000000000000000000000000000000000000000000000000000000000000", + "private" : "d05abd08bf5e62538cb9a5ed105dbedd6de38d07940085072b4311c2678ed77d", + "shared" : "3aa227a30781ed746bd4b3365e5f61461b844d09410c70570abd0d75574dfc77", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 36, + "comment" : "edge case public key", + "public" : "0000001000000000000000000000000000000000000000000000000000000000", + "private" : "f0b8b0998c8394364d7dcb25a3885e571374f91615275440db0645ee7c0a6f6b", + "shared" : "97755e7e775789184e176847ffbc2f8ef98799d46a709c6a1c0ffd29081d7039", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 37, + "comment" : "edge case public key", + "public" : "0000000001000000000000000000000000000000000000000000000000000000", + "private" : "d00c35dc17460f360bfae7b94647bc4e9a7ad9ce82abeadb50a2f1a0736e2175", + "shared" : "c212bfceb91f8588d46cd94684c2c9ee0734087796dc0a9f3404ff534012123d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 38, + "comment" : "edge case public key", + "public" : "ffffffffffff0f00000000000000000000000000000000000000000000000000", + "private" : "385fc8058900a85021dd92425d2fb39a62d4e23aef1d5104c4c2d88712d39e4d", + "shared" : "388faffb4a85d06702ba3e479c6b216a8f33efce0542979bf129d860f93b9f02", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 39, + "comment" : "edge case public key", + "public" : 
"ffffffffffffff00000000000000000000000000000000000000000000000000", + "private" : "e0614b0c408af24d9d24c0a72f9137fbd6b16f02ccc94797ea3971ab16073a7f", + "shared" : "877fec0669d8c1a5c866641420eea9f6bd1dfd38d36a5d55a8c0ab2bf3105c68", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 40, + "comment" : "edge case public key", + "public" : "0000000000000000010000000000000000000000000000000000000000000000", + "private" : "f004b8fd05d9fffd853cdc6d2266389b737e8dfc296ad00b5a69b2a9dcf72956", + "shared" : "180373ea0f23ea73447e5a90398a97d490b541c69320719d7dd733fb80d5480f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 41, + "comment" : "edge case public key", + "public" : "ffffffffffffffffffffffffffff000000000000000000000000000000000000", + "private" : "e80bf0e609bf3b035b552f9db7e9ecbc44a04b7910b1493661a524f46c3c2277", + "shared" : "208142350af938aba52a156dce19d3c27ab1628729683cf4ef2667c3dc60cf38", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 42, + "comment" : "edge case public key", + "public" : "0000000000000000000000000000010000000000000000000000000000000000", + "private" : "48890e95d1b03e603bcb51fdf6f296f1f1d10f5df10e00b8a25c9809f9aa1a54", + "shared" : "1c3263890f7a081cefe50cb92abd496582d90dcc2b9cb858bd286854aa6b0a7e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 43, + "comment" : "edge case public key", + "public" : "ffffffffffffffffffffffffffffffff00000000000000000000000000000000", + "private" : "a806f1e39b742615a7dde3b29415ed827c68f07d4a47a4d9595c40c7fccb9263", + "shared" : "56128e78d7c66f48e863e7e6f2caa9c0988fd439deac11d4aac9664083087f7a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 44, + "comment" : "edge case public key", + "public" : "0000000000000000000000000000000001000000000000000000000000000000", + "private" : "9899d5e265e1fc7c32345227d6699a6d6b5517cf33b43ab156ee20df4878794e", + "shared" : "30eca56f1f1c2e8ff780134e0e9382c5927d305d86b53477e9aeca79fc9ced05", + "result" : "valid", + "flags" : [] + }, + { + 
"tcId" : 45, + "comment" : "edge case public key", + "public" : "ffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000", + "private" : "d842316e5476aeaee838204258a06f15de011ba40b9962705e7f6e889fe71f40", + "shared" : "cb21b7aa3f992ecfc92954849154b3af6b96a01f17bf21c612da748db38eb364", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 46, + "comment" : "edge case public key", + "public" : "ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000", + "private" : "a0933ee30512b25ee4e900aaa07f73e507a8ec53b53a44626e0f589af4e0356c", + "shared" : "c5caf8cabc36f086deaf1ab226434098c222abdf8acd3ce75c75e9debb271524", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 47, + "comment" : "edge case public key", + "public" : "0000000000000000000000000000000000000000000000000000000001000000", + "private" : "38d6403e1377734cdce98285e820f256ad6b769d6b5612bcf42cf2b97945c073", + "shared" : "4d46052c7eabba215df8d91327e0c4610421d2d9129b1486d914c766cf104c27", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 48, + "comment" : "edge case public key", + "public" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff03", + "private" : "182191b7052e9cd630ef08007fc6b43bc7652913be6774e2fd271b71b962a641", + "shared" : "a0e0315175788362d4ebe05e6ac76d52d40187bd687492af05abc7ba7c70197d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 49, + "comment" : "edge case public key", + "public" : "ffffff0f000000ffffff0f000000ffffff0f000000ffffff0f000000ffffff0f", + "private" : "106221fe5694a710d6e147696c5d5b93d6887d584f24f228182ebe1b1d2db85d", + "shared" : "5e64924b91873b499a5402fa64337c65d4b2ed54beeb3fa5d7347809e43aef1c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 50, + "comment" : "edge case public key", + "public" : "000000fcffff030000e0ffff1f000000ffffff000000f8ffff070000c0ffff3f", + "private" : "d035de9456080d85a912083b2e3c7ddd7971f786f25a96c5e782cf6f4376e362", + "shared" : 
"c052466f9712d9ec4ef40f276bb7e6441c5434a83efd8e41d20ce83f2dbf5952", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 51, + "comment" : "edge case public key", + "public" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f", + "private" : "a8f37318a4c760f3cb2d894822918735683cb1edacf3e666e15694154978fd6d", + "shared" : "d151b97cba9c25d48e6d576338b97d53dd8b25e84f65f7a2091a17016317c553", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 52, + "comment" : "edge case public key", + "public" : "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff5f", + "private" : "20d4d624cf732f826f09e8088017742f13f2da98f4dcf4b40519adb790cebf64", + "shared" : "5716296baf2b1a6b9cd15b23ba86829743d60b0396569be1d5b40014c06b477d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 53, + "comment" : "edge case public key", + "public" : "edffffffffffffffffffffffffffffffffffffffffffffffffffffffff7fff7f", + "private" : "d806a735d138efb3b404683c9d84485ab4af540d0af253b574323d8913003c66", + "shared" : "ddbd56d0454b794c1d1d4923f023a51f6f34ef3f4868e3d6659307c683c74126", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 54, + "comment" : "edge case public key", + "public" : "fffffffffeffff7ffffffffffeffff7ffffffffffeffff7ffffffffffeffff7f", + "private" : "184198c6228177f3ef41dc9a341258f8181ae365fe9ec98d93639b0bbee1467d", + "shared" : "8039eebed1a4f3b811ea92102a6267d4da412370f3f0d6b70f1faaa2e8d5236d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 55, + "comment" : "edge case public key", + "public" : "edfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffff7f", + "private" : "f0a46a7f4b989fe515edc441109346ba746ec1516896ec5b7e4f4d903064b463", + "shared" : "b69524e3955da23df6ad1a7cd38540047f50860f1c8fded9b1fdfcc9e812a035", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 56, + "comment" : "edge case public key", + "public" : "edfffffffffffffffffffffffffffffffffffffffffffffffeffffffffffff7f", + "private" : 
"881874fda3a99c0f0216e1172fbd07ab1c7df78602cc6b11264e57aab5f23a49", + "shared" : "e417bb8854f3b4f70ecea557454c5c4e5f3804ae537960a8097b9f338410d757", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 57, + "comment" : "edge case public key", + "public" : "edfffffffffffffffffffffffffffffffeffffffffffffffffffffffffffff7f", + "private" : "b8d0f1ae05a5072831443150e202ac6db00322cdf341f467e9f296588b04db72", + "shared" : "afca72bb8ef727b60c530c937a2f7d06bb39c39b903a7f4435b3f5d8fc1ca810", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 58, + "comment" : "edge case public key", + "public" : "edfffffffffffffffeffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "c8619ba988859db7d6f20fbf3ffb8b113418cc278065b4e8bb6d4e5b3e7cb569", + "shared" : "7e41c2886fed4af04c1641a59af93802f25af0f9cba7a29ae72e2a92f35a1e5a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 59, + "comment" : "edge case public key", + "public" : "edfffffffeffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "f8d4ca1f37a30ec9acd6dbe5a6e150e5bc447d22b355d80ba002c5b05c26935d", + "shared" : "dd3abd4746bf4f2a0d93c02a7d19f76d921c090d07e6ea5abae7f28848355947", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 60, + "comment" : "edge case public key", + "public" : "edffffefffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "88037ac8e33c72c2c51037c7c8c5288bba9265c82fd8c31796dd7ea5df9aaa4a", + "shared" : "8c27b3bff8d3c1f6daf2d3b7b3479cf9ad2056e2002be247992a3b29de13a625", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 61, + "comment" : "edge case public key", + "public" : "edfffeffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "5034ee7bf83a13d9167df86b0640294f3620f4f4d9030e5e293f9190824ae562", + "shared" : "8e1d2207b47432f881677448b9d426a30de1a1f3fd38cad6f4b23dbdfe8a2901", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 62, + "comment" : "edge case public key", + "public" : 
"ebffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "40bd4e1caf39d9def7663823502dad3e7d30eb6eb01e9b89516d4f2f45b7cd7f", + "shared" : "2cf6974b0c070e3707bf92e721d3ea9de3db6f61ed810e0a23d72d433365f631", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 63, + "comment" : "public key with low order", + "public" : "e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b800", + "private" : "e0f978dfcd3a8f1a5093418de54136a584c20b7b349afdf6c0520886f95b1272", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 64, + "comment" : "public key with low order", + "public" : "5f9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f1157", + "private" : "387355d995616090503aafad49da01fb3dc3eda962704eaee6b86f9e20c92579", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 65, + "comment" : "public key with low order", + "public" : "ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "c8fe0df92ae68a03023fc0c9adb9557d31be7feed0d3ab36c558143daf4dbb40", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "Twist", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 66, + "comment" : "public key with low order", + "public" : "e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b880", + "private" : "c8d74acde5934e64b9895d5ff7afbffd7f704f7dfccff7ac28fa62a1e6410347", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "NonCanonicalPublic", + "Twist", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 67, + "comment" : "public key with low order", + "public" : 
"5f9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f11d7", + "private" : "b85649d5120e01e8ccaf7b2fb8d81b62e8ad6f3d5c0553fdde1906cb9d79c050", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "NonCanonicalPublic", + "Twist", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 68, + "comment" : "public key with low order", + "public" : "ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "private" : "2064b2f4c9dc97ec7cf58932fdfa3265ba6ea4d11f0259b8efc8afb35db88c48", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "NonCanonicalPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 69, + "comment" : "public key with low order", + "public" : "0000000000000000000000000000000000000000000000000000000000000000", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 70, + "comment" : "public key with low order", + "public" : "0100000000000000000000000000000000000000000000000000000000000000", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 71, + "comment" : "public key with low order", + "public" : "ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 72, + "comment" 
: "public key with low order", + "public" : "5f9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f1157", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 73, + "comment" : "public key with low order", + "public" : "e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b800", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 74, + "comment" : "public key with low order", + "public" : "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 75, + "comment" : "public key with low order", + "public" : "eeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 76, + "comment" : "public key with low order", + "public" : "0000000000000000000000000000000000000000000000000000000000000080", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 77, + "comment" : "public key 
with low order", + "public" : "0100000000000000000000000000000000000000000000000000000000000080", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 78, + "comment" : "public key with low order", + "public" : "ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 79, + "comment" : "public key with low order", + "public" : "5f9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f11d7", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 80, + "comment" : "public key with low order", + "public" : "e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b880", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 81, + "comment" : "public key with low order", + "public" : "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 82, + "comment" : "public key with low 
order", + "public" : "eeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "private" : "786a33a4f7af297a20e7642925932bf509e7070fa1bc36986af1eb13f4f50b55", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 83, + "comment" : "public key = 57896044618658097711785492504343953926634992332820282019728792003956564819949", + "public" : "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "40ff586e73d61f0960dc2d763ac19e98225f1194f6fe43d5dd97ad55b3d35961", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "SmallPublicKey", + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 84, + "comment" : "public key = 57896044618658097711785492504343953926634992332820282019728792003956564819950", + "public" : "eeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "584fceaebae944bfe93b2e0d0a575f706ce5ada1da2b1311c3b421f9186c7a6f", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "SmallPublicKey", + "LowOrderPublic", + "NonCanonicalPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 85, + "comment" : "non-canonical public key", + "public" : "efffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "0016b62af5cabde8c40938ebf2108e05d27fa0533ed85d70015ad4ad39762d54", + "shared" : "b4d10e832714972f96bd3382e4d082a21a8333a16315b3ffb536061d2482360d", + "result" : "acceptable", + "flags" : [ + "NonCanonicalPublic", + "Twist" + ] + }, + { + "tcId" : 86, + "comment" : "non-canonical public key", + "public" : "f0ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "d83650ba7cec115881916255e3fa5fa0d6b8dcf968731bd2c9d2aec3f561f649", + "shared" : 
"515eac8f1ed0b00c70762322c3ef86716cd2c51fe77cec3d31b6388bc6eea336", + "result" : "acceptable", + "flags" : [ + "NonCanonicalPublic", + "Twist" + ] + }, + { + "tcId" : 87, + "comment" : "non-canonical public key", + "public" : "f1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "88dd14e2711ebd0b0026c651264ca965e7e3da5082789fbab7e24425e7b4377e", + "shared" : "6919992d6a591e77b3f2bacbd74caf3aea4be4802b18b2bc07eb09ade3ad6662", + "result" : "acceptable", + "flags" : [ + "NonCanonicalPublic" + ] + }, + { + "tcId" : 88, + "comment" : "non-canonical public key", + "public" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "98c2b08cbac14e15953154e3b558d42bb1268a365b0ef2f22725129d8ac5cb7f", + "shared" : "9c034fcd8d3bf69964958c0105161fcb5d1ea5b8f8abb371491e42a7684c2322", + "result" : "acceptable", + "flags" : [ + "NonCanonicalPublic" + ] + }, + { + "tcId" : 89, + "comment" : "non-canonical public key", + "public" : "0200000000000000000000000000000000000000000000000000000000000080", + "private" : "c0697b6f05e0f3433b44ea352f20508eb0623098a7770853af5ca09727340c4e", + "shared" : "ed18b06da512cab63f22d2d51d77d99facd3c4502e4abf4e97b094c20a9ddf10", + "result" : "acceptable", + "flags" : [ + "NonCanonicalPublic", + "Twist" + ] + }, + { + "tcId" : 90, + "comment" : "non-canonical public key", + "public" : "0300000000000000000000000000000000000000000000000000000000000080", + "private" : "18422b58a18e0f4519b7a887b8cfb649e0bfe4b34d75963350a9944e5b7f5b7e", + "shared" : "448ce410fffc7e6149c5abec0ad5f3607dfde8a34e2ac3243c3009176168b432", + "result" : "acceptable", + "flags" : [ + "NonCanonicalPublic", + "Twist" + ] + }, + { + "tcId" : 91, + "comment" : "non-canonical public key", + "public" : "0400000000000000000000000000000000000000000000000000000000000080", + "private" : "20620d82487707bedf9ee3549e95cb9390d2618f50cf6acba47ffaa103224a6f", + "shared" : "03a633df01480d0d5048d92f51b20dc1d11f73e9515c699429b90a4f6903122a", + 
"result" : "acceptable", + "flags" : [ + "NonCanonicalPublic" + ] + }, + { + "tcId" : 92, + "comment" : "non-canonical public key", + "public" : "daffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "private" : "285a6a7ceeb7122f2c78d99c53b2a902b490892f7dff326f89d12673c3101b53", + "shared" : "9b01287717d72f4cfb583ec85f8f936849b17d978dbae7b837db56a62f100a68", + "result" : "acceptable", + "flags" : [ + "NonCanonicalPublic" + ] + }, + { + "tcId" : 93, + "comment" : "non-canonical public key", + "public" : "dbffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "private" : "c8e0330ae9dceeff887fba761225879a4bd2e0db08799244136e4721b2c88970", + "shared" : "dfe60831c9f4f96c816e51048804dbdc27795d760eced75ef575cbe3b464054b", + "result" : "acceptable", + "flags" : [ + "NonCanonicalPublic" + ] + }, + { + "tcId" : 94, + "comment" : "non-canonical public key", + "public" : "dcffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "private" : "10db6210fc1fb13382472fa1787b004b5d11868ab3a79510e0cee30f4a6df26b", + "shared" : "50bfa826ca77036dd2bbfd092c3f78e2e4a1f980d7c8e78f2f14dca3cce5cc3c", + "result" : "acceptable", + "flags" : [ + "NonCanonicalPublic", + "Twist" + ] + }, + { + "tcId" : 95, + "comment" : "non-canonical public key", + "public" : "eaffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "private" : "9041c6e044a277df8466275ca8b5ee0da7bc028648054ade5c592add3057474e", + "shared" : "13da5695a4c206115409b5277a934782fe985fa050bc902cba5616f9156fe277", + "result" : "acceptable", + "flags" : [ + "NonCanonicalPublic" + ] + }, + { + "tcId" : 96, + "comment" : "non-canonical public key", + "public" : "ebffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "private" : "b8d499041a6713c0f6f876db7406587fdb44582f9542356ae89cfa958a34d266", + "shared" : "63483b5d69236c63cddbed33d8e22baecc2b0ccf886598e863c844d2bf256704", + "result" : "acceptable", + "flags" : [ + "NonCanonicalPublic" + ] + }, + { + "tcId" : 97, + 
"comment" : "non-canonical public key", + "public" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "private" : "c85f08e60c845f82099141a66dc4583d2b1040462c544d33d0453b20b1a6377e", + "shared" : "e9db74bc88d0d9bf046ddd13f943bccbe6dbb47d49323f8dfeedc4a694991a3c", + "result" : "acceptable", + "flags" : [ + "NonCanonicalPublic" + ] + }, + { + "tcId" : 98, + "comment" : "public key = 57896044618658097711785492504343953926634992332820282019728792003956564819968", + "public" : "0000000000000000000000000000000000000000000000000000000000000080", + "private" : "7887889bac4c629a101d3724f2ed8b98d936fde79e1a1f77d86779626bf8f263", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "SmallPublicKey", + "LowOrderPublic", + "NonCanonicalPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 99, + "comment" : "public key = 57896044618658097711785492504343953926634992332820282019728792003956564819969", + "public" : "0100000000000000000000000000000000000000000000000000000000000080", + "private" : "e07971ee820e48b0b266d8be3cdbbb5e900a43f59ee8535c6572418615de4962", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "SmallPublicKey", + "LowOrderPublic", + "NonCanonicalPublic", + "Twist", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 100, + "comment" : "RFC 7748", + "public" : "e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c", + "private" : "a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44", + "shared" : "c3da55379de9c6908e94ea4df28d084f32eccf03491c71f754b4075577a28552", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 101, + "comment" : "RFC 7748", + "public" : "e5210f12786811d3f4b7959d0538ae2c31dbe7106fc03c3efc4cd549c715a413", + "private" : "4866e9d4d1b4673c5ad22691957d6af5c11b6421e0ea01d42ca4169e7918ba4d", + "shared" : 
"95cbde9476e8907d7aade45cb4b873f88b595a68799fa152e6f8f7647aac7957", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 102, + "comment" : "RFC 8037, Section A.6", + "public" : "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f", + "private" : "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a", + "shared" : "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 103, + "comment" : "edge case for shared secret", + "public" : "b7b6d39c765cb60c0c8542f4f3952ffb51d3002d4aeb9f8ff988b192043e6d0a", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : "0200000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 104, + "comment" : "edge case for shared secret", + "public" : "3b18df1e50b899ebd588c3161cbd3bf98ebcc2c1f7df53b811bd0e91b4d5153d", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : "0900000000000000000000000000000000000000000000000000000000000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 105, + "comment" : "edge case for shared secret", + "public" : "cab6f9e7d8ce00dfcea9bbd8f069ef7fb2ac504abf83b87db601b5ae0a7f7615", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : "1000000000000000000000000000000000000000000000000000000000000000", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 106, + "comment" : "edge case for shared secret", + "public" : "4977d0d897e1ba566590f60f2eb0db6f7b24c13d436918ccfd32708dfad7e247", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : "feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 107, + "comment" : "edge case for shared secret", + "public" : 
"98730bc03e29e8b057fb1d20ef8c0bffc822485d3db7f45f4e3cc2c3c6d1d14c", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : "fcffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 108, + "comment" : "edge case for shared secret", + "public" : "97b4fff682df7f096cd1756569e252db482d45406a3198a1aff282a5da474c49", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : "f9ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 109, + "comment" : "edge case for shared secret", + "public" : "317781b0163bae74accc06c0d44ef9a911a22b0d37faf7726621591f9343ea2f", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : "f3ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 110, + "comment" : "edge case for shared secret", + "public" : "7e26f8f24cb590027f9d1bc49b0e1a242c7d8f43624d3e8fab28ee08e02cb45e", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff03", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 111, + "comment" : "edge case for shared secret", + "public" : "e96d2780e5469a74620ab5aa2f62151d140c473320dbe1b028f1a48f8e76f95f", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : "e5ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 112, + "comment" : "edge case for shared secret", + "public" : "8d612c5831aa64b057300e7e310f3aa332af34066fefcab2b089c9592878f832", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : 
"e3ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 113, + "comment" : "edge case for shared secret", + "public" : "8d44108d05d940d3dfe5647ea7a87be24d0d036c9f0a95a2386b839e7b7bf145", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : "ddffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 114, + "comment" : "edge case for shared secret", + "public" : "21a35d5db1b6237c739b56345a930aeee373cdcfb4701266782a8ac594913b29", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : "dbffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 115, + "comment" : "edge case for shared secret", + "public" : "3e5efb63c352ce942762482bc9337a5d35ba55664743ac5e93d11f957336cb10", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : "0000000000000000000000000000000000000000000000000000000000000002", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 116, + "comment" : "edge case for shared secret", + "public" : "8e41f05ea3c76572be104ad8788e970863c6e2ca3daae64d1c2f46decfffa571", + "private" : "60a3a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a9767f", + "shared" : "0000000000000000000000000000000000000000000000000000000000008000", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 117, + "comment" : "special case public key", + "public" : "0000000000000000000000000000000000000000000000000000000000000000", + "private" : "c8d07c46bbfb827753b92c70e49583ce8bfa44641a7382258ea903d6a832c96b", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "SmallPublicKey", + "LowOrderPublic", + "ZeroSharedSecret" + ] + 
}, + { + "tcId" : 118, + "comment" : "special case public key", + "public" : "0100000000000000000000000000000000000000000000000000000000000000", + "private" : "90b7ef237a055f348dcb4c4364a59d7d31edc7ab78f2ca254e2c810975c3f543", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "SmallPublicKey", + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 119, + "comment" : "special case public key", + "public" : "0200000000000000000000000000000000000000000000000000000000000000", + "private" : "e0a8be63315c4f0f0a3fee607f44d30a55be63f09561d9af93e0a1c9cf0ed751", + "shared" : "0c50ac2bfb6815b47d0734c5981379882a24a2de6166853c735329d978baee4d", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 120, + "comment" : "special case public key", + "public" : "1200000000000000000000000000000000000000000000000000000000000000", + "private" : "0840a8af5bc4c48da8850e973d7e14220f45c192cea4020d377eecd25c7c3643", + "shared" : "77557137a2a2a651c49627a9b239ac1f2bf78b8a3e72168ccecc10a51fc5ae66", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 121, + "comment" : "special case public key", + "public" : "1400000000000000000000000000000000000000000000000000000000000000", + "private" : "0092229c753a71284d0853909470ad847ab62f439ea51482fb41d30cc3b44743", + "shared" : "c88e719ae5c2248b5f90da346a92ae214f44a5d129fd4e9c26cf6a0da1efe077", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 122, + "comment" : "special case public key", + "public" : "0000000000000000000000000080000000000000000000000000000000000000", + "private" : "b8da2bd2d7cf25a3e54e5f87ee15911effb9ff86baec4076d56c8e953670bf5b", + "shared" : "4bf6789c7ea036f973cde0af02d6fdb9b64a0b957022111439570fad7d7a453f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 123, + "comment" : "special case public key", + "public" : "ffffffffffffffffffffffffffff000000000000000000000000000000000000", + "private" : 
"684cd420af41abb3d10c61e773238cf729c2155f941ac27e15f4c37f49b29576", + "shared" : "bcac235ae15cc7148372e11f9315e3bc76ceb904b3d2a8246bd9d9be2082bb62", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 124, + "comment" : "special case public key", + "public" : "0100000000000000000000000000010000000000000000000000000000000000", + "private" : "38cfacaa4460796b4de434bdd6739f0d043671f97fa829517511e6b47aa93474", + "shared" : "5dd7d16fff25cc5fdf9e03c3157cb0a235cea17d618f36e6f13461567edeb943", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 125, + "comment" : "special case public key", + "public" : "0000000000000000000000000000000000000000000000000000004000000000", + "private" : "30832e8cb627ac195f77b1105258e4bb18b99a5ed944404bfacb3a039fbdb14b", + "shared" : "2816fd031d51d6750f9225ede950625cca47441ca97e43092650396991afcb6d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 126, + "comment" : "special case public key", + "public" : "0000000000000000000000000000000000000000000000000000008000000000", + "private" : "d818fd6971e546447f361d33d3dbb3eadcf02fb28f246f1d5107b9073a93cd4f", + "shared" : "7ed8f2d5424e7ebb3edbdf4abe455447e5a48b658e64abd06c218f33bd151f64", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 127, + "comment" : "special case public key", + "public" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000", + "private" : "1021cd8682bdc3f5da9100adff5b2230b3acd836b3a455db8352a2c27e69d17e", + "shared" : "e8620ed5ca89c72c5ea5503e6dcd01131cd5e875c30e13d5dc619ce28ec7d559", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 128, + "comment" : "special case public key", + "public" : "0100000000000000000000000000000000000000000000000000000001000000", + "private" : "20e4c9247102292655d6765d7d84c6fce5309b8004045daea6d7d7dcad462871", + "shared" : "ceadb264379dcadd6e3bb8ad24dd653d2a609dd703d41da6caf3ad00f001862c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 129, 
+ "comment" : "special case public key", + "public" : "a8b9c7372118a53a9de9eaf0868e3b1a3d88e81cb2e407ff7125e9f5c5088715", + "private" : "90b150d462de512056d5bd55173074969b496f262fb6916b733f6263a8078971", + "shared" : "f86cc7bf1be49574fc97a074282e9bb5cd238e002bc8e9a7b8552b2d60eccb52", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 130, + "comment" : "special case public key", + "public" : "aab9c7372118a53a9de9eaf0868e3b1a3d88e81cb2e407ff7125e9f5c5088715", + "private" : "9887286b3261c8d857a16f6db21277f75d88d4e861b3ebe7596699047e816668", + "shared" : "ccbb8fd9dee165a398b2dbd7c8396f81736c1b3da36b35fbec8f326f38f92767", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 131, + "comment" : "special case public key", + "public" : "585007a5930d77623cf29756038ca197d3ebfd9e4c80a69585efe0274092c115", + "private" : "20ca2c85cc8762e96b7047bf15c71c050ffe0ed1616040a953ae32a1297ad871", + "shared" : "46add6f48ffff461777d4f89b6fdf1155aa051a96387d45f3e5e371a236b6e52", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 132, + "comment" : "special case public key", + "public" : "fbffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff1f", + "private" : "d027656605b10bf18dea28bc52546f9f1f08cef06cafd200fc84f87dbb4ebe46", + "shared" : "1adbe32207e21f71e1af53884d2a2276481e298e557f4dacb3720f2458e3082d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 133, + "comment" : "special case public key", + "public" : "0000000000000000000000000000000000000000000000000000000000000020", + "private" : "4867a83ee9d01b7510840867db1af6a6049bdbb056b74443f70c358e162c8867", + "shared" : "e12cc58fbeb70a5e35c861c33710be6516a6a92e52376060211b2487db542b4f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 134, + "comment" : "special case public key", + "public" : "afa00e4a271beec478e42fad0618432fa7d7fb3d99004d2b0bdfc14f8024832b", + "private" : "a015970a8add940fca5b1b5d23875397d547d8d494fcb314f2045a67a2d12c4b", + 
"shared" : "421bed1b26da1e9adbeada1f32b91a0fb4ced0f1110e0a4a88e735a19ee4571e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 135, + "comment" : "special case public key", + "public" : "b1a00e4a271beec478e42fad0618432fa7d7fb3d99004d2b0bdfc14f8024832b", + "private" : "4058cb6b9aaba02a338aaa392dbc10039e26e9e444117e758e24c5d8b232ea5e", + "shared" : "d7b47463e2f4ca9a1a7deea098da8e74ac3b4a109083d997259b12992e7e7e06", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 136, + "comment" : "special case public key", + "public" : "fbffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff2f", + "private" : "b876b05daff0530b139d9e11250563418077178246c5fa7005ba00e9b6647763", + "shared" : "686eb910a937211b9147c8a051a1197906818fdc626668eb5f5d394afd86d41b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 137, + "comment" : "special case public key", + "public" : "22231c64ef73ad62318b8a87bc38e272e1bb8bf1a60d7c00476d0b059d7b3c35", + "private" : "d87fd6aa5d8deef6dee9619a56846a0829620590f2da40835d8e251597e39078", + "shared" : "09559733b35bcc6bb8ac574b5abe3a4d8841deff051c294a07487e3eec3c5558", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 138, + "comment" : "special case public key", + "public" : "f6ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f", + "private" : "90036321b63751f7622aa93da34d85e59ce81009ac5b9a068921d83bc4715b57", + "shared" : "f7d5cbcf39eb722b01ed20c85563ebb81d076511aead4ccc429027866b9fd270", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 139, + "comment" : "special case public key", + "public" : "f7ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f", + "private" : "a06781fd4c4a0874e00e72ba131b9dd87a83b2904e294de176e8a9af1f695d67", + "shared" : "e995ad6a1ec6c5ab32922cff9d204721704673143c4a11deaa203f3c81989b3f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 140, + "comment" : "special case public key", + "public" : 
"feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f", + "private" : "b822d72d8b68bdb4fbf67e56a61d672b2c7747e94479fe5ae4072d0accdd6571", + "shared" : "32b6dabe01d13867f3b5b0892fefd80dca666f2edc5afb43cd0baf703c3e6926", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 141, + "comment" : "special case public key", + "public" : "0000000000000000000000000000000000000000000000000000000000000040", + "private" : "d08ce1237e248d02cdf619d20bea5848ade4f6ffd171b8dee8793fc67c459640", + "shared" : "a93d83fc9ea0f6cb0cc8b631da600019b76cbb2ec57222f2e42dd540e3da850b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 142, + "comment" : "special case public key", + "public" : "cbdce39b108c529dce74757843c71d8d1e44740e59f283ffb892f4fa6284c34a", + "private" : "180ae3c928514cfb9edd06e7dc1d5d066160e967445a5c58e4463b69ed205e6d", + "shared" : "017cbfa2b38e9ef3297a339ecce1a917bdcf7e910036086a41d1e22d04241870", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 143, + "comment" : "special case public key", + "public" : "3c5ff1b5d8e4113b871bd052f9e7bcd0582804c266ffb2d4f4203eb07fdb7c54", + "private" : "e881d806a110560cd8fee899d59c0249f1233a4322c41aa369c7a2a99f5b5962", + "shared" : "71133905b8a57ea8c38de0ecf213699a75b096c2df21f07f7e9eb03e9fa53f5c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 144, + "comment" : "special case public key", + "public" : "3e5ff1b5d8e4113b871bd052f9e7bcd0582804c266ffb2d4f4203eb07fdb7c54", + "private" : "08e410e1d7e8b9411236af4a35d6b62a5d8931478e4c62197cfafb491467b162", + "shared" : "3dc7b70e110766b2bf525252ebed98a100b2e532dc69544464da1bbab8625f6d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 145, + "comment" : "special case public key", + "public" : "f2ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff5f", + "private" : "e02fdf7e0ee3d55b4440f01432dd253c949793bc04da44ddece83e54c8c39b40", + "shared" : "e317e5cc438b5f79ead5533ac7c45519a117b31033cc2140b19edf8572011240", + "result" : 
"valid", + "flags" : [] + }, + { + "tcId" : 146, + "comment" : "special case public key", + "public" : "f6ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff5f", + "private" : "f05d18f68ef7a5865c14db3a9c255fdf2dabea2aa36581e94f68b727b582867b", + "shared" : "d86810516aeddc18061036f599a9eb84d1c6146b0f543652dd4526743ba42c04", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 147, + "comment" : "special case public key", + "public" : "95aff85a6cf2889dc30d68a9fc735e682c140261b37f596a7a101fd8bf6d3e6a", + "private" : "00c103578d5c079d7bcc22c1c31e787c1b15c57fcb493fdafefa20371cfc746b", + "shared" : "dfa988a477003be125b95ccbf2223d97729577d25e1d6e89e3da0afabdd0ae71", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 148, + "comment" : "special case public key", + "public" : "434638c8dee75ac56216150f7971c4e5c27717e34d1bf8008eda160a3af7786a", + "private" : "7005bb927485c435642b424a3dde014bcf76345e5be64ae6e9b24db39e1cdb51", + "shared" : "d450af45b8ed5fe140cc5263ffb7b52e66736899a8b872b6e28552129819b25b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 149, + "comment" : "special case public key", + "public" : "454638c8dee75ac56216150f7971c4e5c27717e34d1bf8008eda160a3af7786a", + "private" : "0822039a5dc13c40fcccf346e2a7769b4fd272052d43260ad626468a50d44162", + "shared" : "58002c89bf8bc32ae6fc205b796acd13ef7f8476f6492ae4b2be47f1095e8a4f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 150, + "comment" : "special case public key", + "public" : "ecfffffffffffffffffffffffffffeffffffffffffffffffffffffffffffff7f", + "private" : "40a6349c03f0dc0a42358f6353ca67632af687b14c9dff626c54e211e8fc355a", + "shared" : "7773aad6e72eb1735b65ad51f7dad258c11d7bfff53094424cb103cd6bfb4368", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 151, + "comment" : "special case public key", + "public" : "eefffffffffffffffffffffffffffeffffffffffffffffffffffffffffffff7f", + "private" : 
"50696d4d05209971d6ba0676ea274262ba639aac74fa75e5df4570768ad8ae74", + "shared" : "c118ddf6462fbea80f14ef1f2972a1ab12cafa511d1323d4d22d0d426d651b5b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 152, + "comment" : "special case public key", + "public" : "edffffffffffffffffffffffff7fffffffffffffffffffffffffffffffffff7f", + "private" : "68bb680c853f4e4daa47c586dc886cf4568d7b0383770f6df439a53be4a3236d", + "shared" : "cc0775bfd970a2706b11c7222a4436a3d17160382c83b76f89b66192c81b4408", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 153, + "comment" : "special case public key", + "public" : "ebffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "b0f6c28dbdc647068a76d71805ef770f087cf76b82afdc0d26c45b71ace49768", + "shared" : "f0097fa0ba70d019126277ab15c56ecc170ca88180b2bf9d80fcda3d7d74552a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 154, + "comment" : "special case public key", + "public" : "ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", + "private" : "18630f93598637c35da623a74559cf944374a559114c7937811041fc8605564a", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "Twist", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 155, + "comment" : "special case for E in multiplication by 2", + "public" : "0000000000000000000008000000000000000000000000000000000000000000", + "private" : "581ecbda5a4a228044fefd6e03df234558c3c79152c6e2c5e60b142c4f26a851", + "shared" : "59e7b1e6f47065a48bd34913d910176b6792a1372aad22e73cd7df45fcf91a0e", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 156, + "comment" : "special case for E in multiplication by 2", + "public" : "77af0d3897a715dfe25df5d538cf133bc9ab7ad52df6bd922a2fb75621d59901", + "private" : "b0561a38000795b7cb537b55e975ea452c2118506295d5eb15fd9c83b67f7a50", + "shared" : "179f6b020748acba349133eaa4518f1bd8bab7bfc4fb05fd4c24e7553da1e960", + 
"result" : "valid", + "flags" : [] + }, + { + "tcId" : 157, + "comment" : "special case for E in multiplication by 2", + "public" : "4e39866127b6a12a54914e106aab86464af55631f3cb61766d5999aa8d2e070e", + "private" : "b00f7df2d47128441c7270b9a87eee45b6056fc64236a57bdf81dbcccf5f5d42", + "shared" : "43c5ee1451f213ef7624729e595a0fee7c9af7ee5d27eb03278ee9f94c202352", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 158, + "comment" : "special case for E in multiplication by 2", + "public" : "adc6799ed8495ed5ab6eb1ef955479b9b50aa9ce0c349e8992a6665572d1f811", + "private" : "c8f7a0c0bfb1e9c72576c534f86854fbe4af521d4fa807f67e2440e100ec8852", + "shared" : "2f350bcf0b40784d1d756c9ca3e38ec9dd68ba80faf1f9847de50779c0d4902a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 159, + "comment" : "special case for E in multiplication by 2", + "public" : "770f4218ef234f5e185466e32442c302bbec21bbb6cd28c979e783fe5013333f", + "private" : "58181f581aa37022ff71c56c6e68e6175d967c5c995a249885f66565074ded4d", + "shared" : "d5d650dc621072eca952e4344efc7320b2b1459aba48f5e2480db881c50cc650", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 160, + "comment" : "special case for E in multiplication by 2", + "public" : "5c6118c4c74cfb842d9a87449f9d8db8b992d46c5a9093ce2fcb7a49b535c451", + "private" : "301c935cae4357070b0adaf9cd6192830b2c989c153729eed99f589eb45f884b", + "shared" : "909cc57275d54f20c67b45f9af9484fd67581afb7d887bee1db5461f303ef257", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 161, + "comment" : "special case for E in multiplication by 2", + "public" : "4039866127b6a12a54914e106aab86464af55631f3cb61766d5999aa8d2e076e", + "private" : "d002292d4359a3d42bc8767f1380009332e7a0df2f3379011ab78f789f6baa54", + "shared" : "4a7e2c5caf1d8180eb1c4f22692f29a14b4cdc9b193bd1d16e2f27438eef1448", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 162, + "comment" : "special case for E in multiplication by 2", + "public" : 
"078fa523498fb51cba1112d83b20af448b8009d8eea14368564d01b8f9b6086f", + "private" : "d0c2c49e644ab738270707ff9917065942687e2f12886d961161db46c05b565f", + "shared" : "c0ee59d3685fc2c3c803608b5ee39a7f8da30b48e4293ae011f0ea1e5aeb7173", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 163, + "comment" : "special case for E in multiplication by 2", + "public" : "9fc6799ed8495ed5ab6eb1ef955479b9b50aa9ce0c349e8992a6665572d1f871", + "private" : "f087d38b274c1dad1bce6eaa36b48e2190b90b9bf8ca59669cc5e00464534342", + "shared" : "b252bc8eabfaa68c56e54d61b99061a35d11e3a7b9bda417d90f69b1119bcf45", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 164, + "comment" : "special case for E in multiplication by 2", + "public" : "7650f2c76858ea201da2022ac730ecc43654852ad209426dd5d048a9de2a667e", + "private" : "48dbcc5a695f1514bbbaa6ad00842b69d9ae5216b1963add07fb2947c97b8447", + "shared" : "fbda33bc930c08df837208e19afdc1cfe3fd0f8f0e3976be34775e58a4a7771f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 165, + "comment" : "D = 0 in multiplication by 2", + "public" : "e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b800", + "private" : "5891c9272cf9a197735b701e5715268d36d7436b7e351a3e997a0862e4807d4d", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 166, + "comment" : "D = 0 in multiplication by 2", + "public" : "5f9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f1157", + "private" : "c0f9c60aea73731d92ab5ed9f4cea122f9a6eb2577bda72f94948fea4d4cc65d", + "shared" : "0000000000000000000000000000000000000000000000000000000000000000", + "result" : "acceptable", + "flags" : [ + "LowOrderPublic", + "ZeroSharedSecret" + ] + }, + { + "tcId" : 167, + "comment" : "special case for DA - CB in multiplication by 2", + "public" : "b0224e7134cf92d40a31515f2f0e89c2a2777e8ac2fe741db0dc39399fdf2702", + 
"private" : "0066dd7674fe51f9326c1e239b875f8ac0701aae69a804c25fe43595e8660b45", + "shared" : "8dacfe7beaaa62b94bf6e50ee5214d99ad7cda5a431ea0c62f2b20a89d73c62e", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 168, + "comment" : "special case for DA - CB in multiplication by 2", + "public" : "601e3febb848ec3e57fce64588aad82afc9c2af99bbcdffcc4cd58d4b3d15c07", + "private" : "80067f30f40d61318b420c859fce128c9017ab81b47b76028a57bc30d5856846", + "shared" : "20f1d3fe90e08bc6f152bf5dacc3ed35899785333f1470e6a62c3b8cbe28d260", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 169, + "comment" : "special case for DA - CB in multiplication by 2", + "public" : "82a3807bbdec2fa9938fb4141e27dc57456606301f78ff7133cf24f3d13ee117", + "private" : "584577669d21ce0ae3e30b02c9783ffe97709cbfe396889aa31e8ee43352dc52", + "shared" : "2b28cc5140b816add5ad3a77a81b1c073d67bf51bf95bda2064a14eb12d5f766", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 170, + "comment" : "special case for DA - CB in multiplication by 2", + "public" : "f329ab2376462e5f3128a2682086253c19222ac1e2bca45692f0c3b528f4c428", + "private" : "18e597a4e2ccdb5e8052d57c9009938c2d4c43d6d8c9f93c98727b7311035953", + "shared" : "8392160083b9af9e0ef44fcfce53ba8ff7282ee7a6c71ab66f8843a55d09cd68", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 171, + "comment" : "special case for DA in multiplication by 2", + "public" : "4fce3bb6c8aaf022dbd100e3cde3941b37d543f00401dba7da9bc143dfc55709", + "private" : "88281cc51d5512d8814ea5249b879dcbad0323d38512dafbdc7ba85bba8c8d5d", + "shared" : "42184e22c535530c457bd3b4f1084cbf5e297f502fe136b8d1daecf5334cc96c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 172, + "comment" : "special case for DA in multiplication by 2", + "public" : "15c68851c1db844b5a1ef3456a659f188854b1a75fbdb2f68f514c9289ce711f", + "private" : "d0e795450df0a813c6573496ec5793ca02e1bdbad10ed08df83fdaed68b3385f", + "shared" : 
"f654d78e5945b24bc63e3e6d790e0ae986e53937764068b1bce920e1d79b756f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 173, + "comment" : "special case for DA in multiplication by 2", + "public" : "4200a242434337b8914f49345301ed782b13594f9ede089c41fb1e7ea82c9053", + "private" : "30b69a1cc1eb2d0b83ea213846e90a2c922088bdf294a6995bf6e6e77c646c41", + "shared" : "cd8a09b04795edcc7061867373981aa748651ebdce5ec218a335b878cefe4872", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 174, + "comment" : "special case for DA in multiplication by 2", + "public" : "baabf0174aaaea4de48cc83adfb0401461a741903ea6fb130d7d64b7bf03a966", + "private" : "78b30bb63cd8ade71b7a77d426f4419d05f199ffef349e89faa9d9a5f21f6654", + "shared" : "c9f8258f237db1c80702c5c4d9048dfba9dfe259da4aeee90dc2945526961275", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 175, + "comment" : "special case for x_2 in multiplication by 2", + "public" : "f12f18bd59c126348f6a7a9f4a5fdd9fcaf581345073a851fba098e5d64b4a0c", + "private" : "c0b386f4ef0d4698686404977e7b60cb6c1f8b6012a22e29d6224c5947439041", + "shared" : "6600cbe900616a770a126b8b19156d5e27e1174bd538d0944eb3c0be4899c758", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 176, + "comment" : "special case for x_2 in multiplication by 2", + "public" : "bee386527b772490aeb96fc4d23b9304037cb4430f64b228f3d8b3b498319f22", + "private" : "9886602e719bacafea092bb75b51ae7258abe1a364c176857f3dc188c03e6759", + "shared" : "3fe710d6344ff0cb342e52349e1c5b57b7a271f2a133bb5249bbe40dc86e1b40", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 177, + "comment" : "special case for x_2 in multiplication by 2", + "public" : "cf911ac91b0d944049cec66ae5ef0c4549d1e612e107c68e87263a2fbcf8323f", + "private" : "b83960f5d0613cdaac6dda690351666e9f277bba6bd406b0e27a1886bb2d3e46", + "shared" : "71373ebe67f39a2c230027c7db4b3b74bab80ed212b232679785ee10f47c304e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 178, + "comment" : 
"special case for x_2 in multiplication by 2", + "public" : "1e6ee536e4f26bbfb63139951a10f3bab62e19ed1ef8397178d9c5d04307cd40", + "private" : "d03b75f09ac807dfd2ee352c04a1f25984720f785ffaa0af88bc5db6ff9c3453", + "shared" : "238eef43c589822e1d3de41c1cc46dcfec7a93febf37c8546b6625e1a123815d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 179, + "comment" : "special case for x_2 in multiplication by 2", + "public" : "2f1c79ad8488db6f5146903b2dc46cfbfc834bbcf09b4dd70c274c4b67ce605d", + "private" : "d036948c0ec223f0ee577e390dbf87222358ed199f2823345ad154bbc4cbcc47", + "shared" : "87a79c9c231d3b9526b49bf3d683bf38c3c319af7c7c5d1456487398da535010", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 180, + "comment" : "special case for x_2 in multiplication by 2", + "public" : "fccfe742a63ed9cb70958560b5a02260350a7ecbaf8c57ae045f671a29b4b573", + "private" : "d054ded613febf2950ac5c927fcb120c387de0ba61b331cd33024c8b6e737048", + "shared" : "d683ca6194452d878c12d7da35f22833f99728bba89931a51274f61210336a5f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 181, + "comment" : "special case for AA in multiplication by 2", + "public" : "cb3d4a90f86b3011da3369d9988597c7fff1499273b4a04f84d0e26ed1683c0d", + "private" : "e82c480631fb153ba2211fe603032b3e71b162dbd3c11bec03208ffcd510655f", + "shared" : "dbf6203516635840cf69a02db87cf0d95dae315da7fc1ec7ce2b29e1f2db6666", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 182, + "comment" : "special case for AA in multiplication by 2", + "public" : "101e13f7bc0570fa2638caa20a67c6e0c21dab132f4b456191590264c493d018", + "private" : "c0c01d28c1cab01f59700aca5f18d2697658b37fdd54a339ff391c0a1a1b1645", + "shared" : "1fe314744390d525278b1f5fbf108101b8ded587081375ed4ac4ac690d92414f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 183, + "comment" : "special case for AA in multiplication by 2", + "public" : "dce1ec0843fa8f05d9c7355df598391f3de254ecd0b4ba9e6ea6fd9b3b6c2f67", + 
"private" : "c82bde72df36479688c485a8bf442f4a34412e429c02db97704f03daf4dfd542", + "shared" : "ad454395ee392be677be7b9cb914038d57d2d87ec56cc98678dd84f19920912b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 184, + "comment" : "special case for AA in multiplication by 2", + "public" : "21c2b56f0794cfee25cc9626677a6838000eb66d8c4b5fb07b2f1d912e97c372", + "private" : "503f697617fb02a7b8ef00ba34e7fc8ce93f9ec3e1cbfe4bf2c05bcee0cb9757", + "shared" : "c6d6499255133398f9dd7f32525db977a538118800bfaf3aad8bcd26f02c3863", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 185, + "comment" : "special case for BB in multiplication by 2", + "public" : "cc3d4a90f86b3011da3369d9988597c7fff1499273b4a04f84d0e26ed1683c0d", + "private" : "58cd4ca1e4331188de2b2889419ce20ec5ef88a0e93af092099065551b904e41", + "shared" : "0d74214da1344b111d59dfad3713eb56effe7c560c59cbbb99ec313962dbba58", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 186, + "comment" : "special case for BB in multiplication by 2", + "public" : "111e13f7bc0570fa2638caa20a67c6e0c21dab132f4b456191590264c493d018", + "private" : "004ea3448b84ca509efec5fcc24c63ee984def63b29deb9037894709709c0957", + "shared" : "7b9dbf8d6c6d65898b518167bf4011d54ddc265d953c0743d7868e22d9909e67", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 187, + "comment" : "special case for BB in multiplication by 2", + "public" : "dde1ec0843fa8f05d9c7355df598391f3de254ecd0b4ba9e6ea6fd9b3b6c2f67", + "private" : "c8a6eb00a4d74bbdff239522c3c891ed7ce1904be2a329cd0ae0061a253c9542", + "shared" : "fb0e0209c5b9d51b401183d7e56a59081d37a62ab1e05753a0667eebd377fd39", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 188, + "comment" : "special case for BB in multiplication by 2", + "public" : "22c2b56f0794cfee25cc9626677a6838000eb66d8c4b5fb07b2f1d912e97c372", + "private" : "50322ff0d0dcdd6b14f307c04dfecefe5b7cdeaf92bffb919e9d62ed27079040", + "shared" : 
"dbe7a1fe3b337c9720123e6fcc02cf96953a17dc9b395a2206cb1bf91d41756e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 189, + "comment" : "special case for D in multiplication by 2", + "public" : "e58baccede32bcf33b3b6e3d69c02af8284a9631de74b6af3f046a9369df040f", + "private" : "e0328c7d188d98faf2ac72d728b7d14f2bbbd7a94d0fbd8e8f79abe0b1fe1055", + "shared" : "97bd42093e0d48f973f059dd7ab9f97d13d5b0d5eedffdf6da3c3c432872c549", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 190, + "comment" : "special case for D in multiplication by 2", + "public" : "c6d5c693fc0a4e2df6b290026860566a166b6d7aebe3c98828d492745c8df936", + "private" : "5017679a17bd23adf95ad47e310fc6526f4ba9ca3b0839b53bd0d92839eb5b4f", + "shared" : "99bcbc7b9aa5e25580f92bf589e95dae874b83e420225d8a93e18e96dac00b63", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 191, + "comment" : "special case for D in multiplication by 2", + "public" : "d15f4bf2ef5c7bda4ee95196f3c0df710df5d3d206360fc3174ea75c3aa3a743", + "private" : "2864aaf61c146df06cc256b065f66b34985cc015da5b1d647a6ed4e2c76bfc43", + "shared" : "afa2adb52a670aa9c3ec3020d5fda285474ede5c4f4c30e9238b884a77969443", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 192, + "comment" : "special case for D in multiplication by 2", + "public" : "6dffb0a25888bf23cf1ac701bfbdede8a18e323b9d4d3d31e516a05fce7ce872", + "private" : "184a6cfbabcbd1507a2ea41f52796583dbdb851b88a85781ee8e3c28782c3349", + "shared" : "e6a2fc8ed93ce3530178fef94bb0056f43118e5be3a6eabee7d2ed384a73800c", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 193, + "comment" : "special case for D in multiplication by 2", + "public" : "21f86d123c923a92aaf2563df94b5b5c93874f5b7ab9954aaa53e3d72f0ff67e", + "private" : "c85f954b85bc102aca799671793452176538d077862ee45e0b253619767dff42", + "shared" : "7fc28781631410c5a6f25c9cfd91ec0a848adb7a9eb40bc5b495d0f4753f2260", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 194, + 
"comment" : "special case for D in multiplication by 2", + "public" : "587c347c8cb249564ab77383de358cc2a19fe7370a8476d43091123598941c7f", + "private" : "50e3e5a9a19be2ee3548b0964672fb5e3134cb0d2f7adf000e4556d0ffa37643", + "shared" : "314d8a2b5c76cc7ee1217df2283b7e6724436e273aeb80628dce0600ab478a63", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 195, + "comment" : "special case for DA + CB in multiplication by 2", + "public" : "f5c6311a1dd1b9e0f8cfd034ac6d01bf28d9d0f962a1934ae2cb97cb173dd810", + "private" : "08ece580bb6ddf96559b81d7a97dd4531def6cc78d448a70cebabdd26caab146", + "shared" : "2bfd8e5308c34498eb2b4daf9ed51cf623da3beaeb0efd3d687f2b8becbf3101", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 196, + "comment" : "special case for DA + CB in multiplication by 2", + "public" : "9316c06d27b24abc673ffb5105c5b9a89bdfaa79e81cdbb89556074377c70320", + "private" : "a886033e9dc2b6a913fffbc2bd402e8c11ec34d49c0dc0fa1429329b694a285f", + "shared" : "d53c3d6f538c126b9336785d1d4e6935dc8b21f3d7e9c25bc240a03e39023363", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 197, + "comment" : "special case for DA + CB in multiplication by 2", + "public" : "8a4179807b07649e04f711bf9473a79993f84293e4a8b9afee44a22ef1000b21", + "private" : "98b1cc2020a8ec575d5c46c76024cf7c7ad7628eb909730bc4f460aaf0e6da4b", + "shared" : "4531881ad9cf011693ddf02842fbdab86d71e27680e9b4b3f93b4cf15e737e50", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 198, + "comment" : "special case for DA + CB in multiplication by 2", + "public" : "a773277ae1029f854749137b0f3a02b5b3560b9c4ca4dbdeb3125ec896b81841", + "private" : "c8e193de162aa349a3432c7a0c0521d92cbc5e3bf82615e42955dd67ec12345f", + "shared" : "7ba4d3de697aa11addf3911e93c94b7e943beff3e3b1b56b7de4461f9e48be6b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 199, + "comment" : "special case for DA + CB in multiplication by 2", + "public" : 
"1eceb2b3763231bc3c99dc62266a09ab5d3661c756524cddc5aabcedee92da61", + "private" : "88e01237b336014075676082afbde51d595d47e1fa5214b51a351abbf6491442", + "shared" : "bcf0884052f912a63bbab8c5c674b91c4989ae051fa07fcf30cb5317fb1f2e72", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 200, + "comment" : "special case for DA + CB in multiplication by 2", + "public" : "9a2acbb3b5a386a6102e3728be3a97de03981d5c71fd2d954604bee3d3d0ce62", + "private" : "e82313e451a198dce4ae95c6832a8281d847fc87b28db00fe43757c16cc49c4a", + "shared" : "e5772a92b103ee696a999705cf07110c460f0545682db3fac5d875d69648bc68", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 201, + "comment" : "special case for DA + CB in multiplication by 2", + "public" : "27430e1c2d3089708bca56d7a5ad03792828d47685b6131e023dd0808716b863", + "private" : "2828594d16768e586df39601ecc86d3fad6389d872b53fca3edcaf6fb958f653", + "shared" : "378c29e3be97a21b9f81afca0d0f5c242fd4f896114f77a77155d06ce5fbfa5e", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 202, + "comment" : "special case for z_2 in multiplication by 2", + "public" : "4ef367901aac8ba90a50e0cf86ca4e4a3ff164fb121605be346e2e48d04ac912", + "private" : "a84f488e193139f986b0e5b249635b137d385e420342aef1f194fcde1fe5e850", + "shared" : "7eb48a60b14fb9ea5728f6410aef627d1522fad481b934af64e2c483b64d585f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 203, + "comment" : "special case for z_2 in multiplication by 2", + "public" : "d1de303c4ddd05d57c29df92ad172dd8c8f424e63ec93445beaea44f9d124b17", + "private" : "30fd2a781e095c34a483907b3dd2d8bd2736e279617bfa6b8b4e0e1cf90fbd46", + "shared" : "b71bdbed78023a06deed1c182e14c98f7cf46bc627a4a2c102ad23c41cf32454", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 204, + "comment" : "special case for z_2 in multiplication by 2", + "public" : "5bccd739fd7517d9344bf6b2b0f19a1e0c38d9349a25ad1f94af4a2cdcf5e837", + "private" : 
"28312e17b47dd32d90561168245187963c7469a31c881e4a5c94384262b71959", + "shared" : "5bb56877caf2cdac98611b60367fbb74265984614e5e73996e8ea1bd6f749f1a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 205, + "comment" : "special case for z_2 in multiplication by 2", + "public" : "8a7a939310df7ea768454df51bcd0dfbd7be4fcbb2ffc98429d913ec6911f337", + "private" : "a87640cf8237b473c638b3e9df08644e8607e563b5964363ccc42133b2996742", + "shared" : "b568ed46d04f6291f8c176dca8aff6d221de4c9cce4b404d5401fbe70a324501", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 206, + "comment" : "special case for z_2 in multiplication by 2", + "public" : "fe3590fc382da7a82e28d07fafe40d4afc91183a4536e3e6b550fee84a4b7b4b", + "private" : "780c5b882720d85e5ddfaf1033e9a1385df9e21689eeda4dcc7444ad28330a50", + "shared" : "11fb44e810bce8536a957eaa56e02d04dd866700298f13b04ebeb48e20d93647", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 207, + "comment" : "special case for z_2 in multiplication by 2", + "public" : "fad9ab3e803b49fc81b27ee69db6fc9fdb82e35453b59ef8fab2a3beb5e1134c", + "private" : "209e5e0ae1994bd859ce8992b62ec3a66df2eb50232bcc3a3d27b6614f6b014d", + "shared" : "85d9db8f182bc68db67de3471f786b45b1619aec0f32b108ace30ee7b2624305", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 208, + "comment" : "special case for z_2 in multiplication by 2", + "public" : "98bed955f1516c7a442751ac590046d7d52ca64f76df82be09d32e5d33b49073", + "private" : "806d1dee5ff6aea84a848916991a89ef3625583e1bd4ae0b3dd25c2524a4ff46", + "shared" : "61d4ef71cbe7be3128be829ab26ed3463eb4ab25937c309788e876b23412aa7c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 209, + "comment" : "special case for z_2 in multiplication by 2", + "public" : "e59be4917b3f05b6fc8748c9b90f1b910273c9c6e17ff96ef415ff3d927d987e", + "private" : "00f98b02ae0df5274cc899f526eb1b877289e0963440a57dd97e414cdd2f7c51", + "shared" : 
"5ba4394ed1a664811b01557944becf7585652a8acbdbf806742911207bd79346", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 210, + "comment" : "special case for A in multiplication by 2", + "public" : "8c9885a26cb334054700a270f7a5f4aac06bad8263b651ebf0712eca1ebb6416", + "private" : "d86c18f2be396b3bb72f22e6ece22e273af6e1506a1c09ad4d01bdd2f439f843", + "shared" : "a5952588613eb7a5cd49dd526f1f20a4f0ffe9423e82cea302c2dd90ce559955", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 211, + "comment" : "special case for A in multiplication by 2", + "public" : "f6135fe9741c2c9de7dcf7627ef08832f351cb325dbb3a26f93a2b48620e1727", + "private" : "f81aadb9053eb698996d0f781d9cda67f82ddefa3987d276ff5a94ffdf5d255f", + "shared" : "cb6fb623084b6197443ec9ba1050c0923332e5e829ae0194269cfaf920a43601", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 212, + "comment" : "special case for A in multiplication by 2", + "public" : "f6ffffffffffffffffffffffffffffbfffffffffffffffffffffffffffffff3f", + "private" : "305b4db4321b4923fc559bf91df677d0e12c3a31b16ec655cb708b759d7c114d", + "shared" : "9e526079c2fcf12426ae6c2a54b5ffb70f2ec662e29ea5ce0c8385c3b21cd162", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 213, + "comment" : "special case for A in multiplication by 2", + "public" : "f6ffffffffffffffffffffffffffff3f00000000000000000000000000000040", + "private" : "900638d1979802db9b52e4dd84fa19579f61cd7bef3c0b62fcccaeaa15fa484d", + "shared" : "6329c7dc2318ec36153ef4f6f91bc6e7d1e008f5293065d9586ab88abb58f241", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 214, + "comment" : "special case for A in multiplication by 2", + "public" : "f6eba0168be3d3621823089d810f77cd0cae34cda244c5d906c5d4b79df1e858", + "private" : "38575cf7c8691ecc79cd5f8d7d4703aa48592ff6e7f64731c2d98a19aeae514f", + "shared" : "603f4fc410081f880944e0e13d56fc542a430eec813fad302b7c5ac380576f1c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 215, + 
"comment" : "special case for A in multiplication by 2", + "public" : "60677a5d934ccbfab8ff5d8f085a0b553f94527d9c49ae140f8ed135e1449b69", + "private" : "e88bd02c7016547a24f428bc2a9dcccad6c6f880c17bffcf66fc68459627af4e", + "shared" : "834bbad5470e1498c4b0148782dfe630e8bfadff1997de802ac8ce302a1bda28", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 216, + "comment" : "special case for B in multiplication by 2", + "public" : "8d9885a26cb334054700a270f7a5f4aac06bad8263b651ebf0712eca1ebb6416", + "private" : "9036ed7d68f7448ac440dc51216b49840dcabd3d5e32e3b4ffc32a5fe9e96742", + "shared" : "ec9070ad3491a5ff50d7d0db6c9c844783dde1c6fbd4fe163e9ade1ce9cd041d", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 217, + "comment" : "special case for B in multiplication by 2", + "public" : "f7135fe9741c2c9de7dcf7627ef08832f351cb325dbb3a26f93a2b48620e1727", + "private" : "90c55e77aa0fe4afb1287109fd010f526364dea18d88e2fd870ac01b66e3fa4e", + "shared" : "dc6d05b92edcdb5dc334b1fc3dff58fe5b24a5c5f0b2d4311555d0fc945d7759", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 218, + "comment" : "special case for B in multiplication by 2", + "public" : "f7ffffffffffffffffffffffffffffbfffffffffffffffffffffffffffffff3f", + "private" : "a021ba2fd4e3ad57bcbf204d6f6c3e8018d8978552633b6dff1b7447bf529459", + "shared" : "1b174b189981d81bc6887932083e8488df8bbbed57f9214c9cfa59d59b572359", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 219, + "comment" : "special case for B in multiplication by 2", + "public" : "f7ffffffffffffffffffffffffffff3f00000000000000000000000000000040", + "private" : "3035083e984837587f6b7346af871bf3fc9581c50eb55c83aefabeed68cee349", + "shared" : "15a052148abaad1b0f2e7481a34edb61403589439b5bd5e5646cecebe2a1be2b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 220, + "comment" : "special case for B in multiplication by 2", + "public" : 
"f7eba0168be3d3621823089d810f77cd0cae34cda244c5d906c5d4b79df1e858", + "private" : "30435ce187f2723f9a3bdea0eef892207e152e4cee8985fa72d2db4147bd2a53", + "shared" : "1d048cbe2f8df07c233a8f93706f307d17130c2497fb752eeaa31fe3edfc725a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 221, + "comment" : "special case for B in multiplication by 2", + "public" : "61677a5d934ccbfab8ff5d8f085a0b553f94527d9c49ae140f8ed135e1449b69", + "private" : "580f0a9bba7281a30fb033490e0f429f22e3f267852caeacefa3e5291f0e614e", + "shared" : "cb92a98b6aa99ac9e3c5750cea6f0846b0181faa5992845b798923d419e82756", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 222, + "comment" : "special case for C in multiplication by 2", + "public" : "c8239b710136fe431fb4d98436157e47c9e78a10f09ff92e98baff159926061c", + "private" : "709098feb2e25c67b4bfd3be0a01af409adb6da52b3fbe3d970642dd2c983856", + "shared" : "f1bd12d9d32c6f4c5b2dcb3a5c52d9fd454d52ca704c2c137956ec8ad9aef107", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 223, + "comment" : "special case for C in multiplication by 2", + "public" : "b7a2f79e0de9b58147691b5546d9ec463da8325e1440e58bb20aa129d1b97327", + "private" : "185ac62e729f88528950926c0de7c481c924bf9cf26a122f443b861e8b6af640", + "shared" : "e6f1c494c9e4bd2325c17183e82d31ab0bbee6c847d4b0e4a99c7c6891117c3f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 224, + "comment" : "special case for C in multiplication by 2", + "public" : "2dc624e1663f42a7b9336350f277541b50b8ddc7ee0d86133ad53273aed4e62e", + "private" : "f03743eead7c2f7719794324f271072817d1a04cbda42b232f3bee43f397cc40", + "shared" : "aa2a12edf752d279bdb000fb1405a5df8c5f1d41309b4f2bd41aed7ac1ed0149", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 225, + "comment" : "special case for C in multiplication by 2", + "public" : "0e5eceee9104a64f82c9093b9bf7b4076ee5bc70815af7ee9f942ef015756176", + "private" : 
"a8fbb4f90da45794981405d59ef310621e3c3b6b7760b5e30308c7822c88ae5f", + "shared" : "74d5606ba0b6ad1d8ba36ae6f264d6315f479b3984de573e9b001e0555247c32", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 226, + "comment" : "special case for CB in multiplication by 2", + "public" : "737d45477e2beb77a6c38b98e2a19b05c395df7da998cb91f6dfab5819614f27", + "private" : "c887886fd07107c7221f6d9dd36c305ec779ceca132ac933ff77dab2beac6345", + "shared" : "8cf4538ae5f445cc6d273df4ad300a45d7bb2f6e373a562440f1b37773904e32", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 227, + "comment" : "special case for CB in multiplication by 2", + "public" : "873f8b260ea9d9ddac08b7b030727bf0072315ab54075ecc393a37a975882b7e", + "private" : "58096ee29361978f630ad1fb00c1267c5a901f99c502f9569b933ad0dcce0f50", + "shared" : "d5766753211d9968de4ac2559998f22ef44e8aa879f3328cbc46aa858dcb433c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 228, + "comment" : "special case for CB in multiplication by 2", + "public" : "75e1587c5eefc83715d71020aa6be5347bb9ec9d91ce5b28a9bbb74c92ef407e", + "private" : "0829a49046dce2c07ab28440dbad146453e128960e85dd2e6a69a1512873dd44", + "shared" : "761d8cecf13f93b379a772e5fac5b9ffe996cad9af06152580afe87ff9651c71", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 229, + "comment" : "special case for x_2 in multiplication by 3", + "public" : "f85a06065ea2527238fc5ec1b75ead9262e6b1aed61feff83b91230aeb4b7d01", + "private" : "587ac36b9a23594632679adea1a826f2f62d79738220fb487464039f36ca2372", + "shared" : "f12acd36f6299a4d192c03aa4efeea7df51e2d15d763172e68accf7bc6f5c230", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 230, + "comment" : "special case for x_2 in multiplication by 3", + "public" : "6e0f1d00b1099d2a71f7be86655feb8988bba5577b02f964043a49f00c749613", + "private" : "a8a442b7c0a99227b4cb5c75fb9e5a72cea25eba8a0bdf07271bb4a93c2b6665", + "shared" : 
"b2bbbd173f41d952d329251da973a9500300628177ad0fb79d01e2e263905b38", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 231, + "comment" : "special case for x_2 in multiplication by 3", + "public" : "696757ced3097fa960c8390a09e8bd6d390dbde8d1fa170261f3422edc192929", + "private" : "d8f7233e9612c00c9dca2c751ec1d3f5f67bad77c2e714a20e71eb3f220a6671", + "shared" : "45ecfa275f1daa25d3fadf33cdf89a152afea25eae37e68e00b30c367789887a", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 232, + "comment" : "special case for x_2 in multiplication by 3", + "public" : "fd84b3f2fbfa16aebf40c27f46e18d77bafa0c7971bedde4909212e771bd3c35", + "private" : "d80c7c7557c9907e1b11e844bf1369cba669bc38e9b7b253e51f239bda322374", + "shared" : "595e144e07bbe65b38e0e4163d02ad75a65e422e74067db35c90dfa6e055d456", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 233, + "comment" : "special case for x_2 in multiplication by 3", + "public" : "805485703ccfc4a221ef281267f52b61cebc879f0f13b1e5f521c17352a0784f", + "private" : "8002a85115ad7b41c50f84f35fac750ee8e19734807102830ff6a306beed4464", + "shared" : "226e16a279ac81e268437eb3e09e07406324cb72a9d4ee58e4cf009147497201", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 234, + "comment" : "special case for x_2 in multiplication by 3", + "public" : "80642a3279da6bf5fc13db14a569c7089db014225cfcae7dff5a0d25ecc9235b", + "private" : "782db0c8e3e68f106fe0c56415e0bd13d812dea0e94cbd18bdf6761295613a6d", + "shared" : "790d09b1726d210957ce8f65869ca1ec8fa0b2b06b6bcf9483b3eb55e49e9272", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 235, + "comment" : "special case for z_2 in multiplication by 3", + "public" : "84e827f78cae0cf063e4340198f788c284e07430b3a94a3873df38b1f872ce02", + "private" : "909fb0bdbf53a69a2fe39c8b2497abd4fa57d2d54e046b5f514595e2c0f33d63", + "shared" : "684cc83af806bcd9cd251e1858f3c10f0166e0a0cd2be154339a886b13e7c76f", + "result" : "valid", + 
"flags" : [] + }, + { + "tcId" : 236, + "comment" : "special case for z_2 in multiplication by 3", + "public" : "d445e1df0083bb6b8e886e6632251807171d4e88c41816fc684373c09d7e5d6e", + "private" : "78a67909757248665f79371eb014825ab6bd4af3571f140389c636e004bcf46b", + "shared" : "e426e4a3c54d3e77f4f157301e0ac7d9e12337a2b58df16780041cf6d6198c5a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 237, + "comment" : "special case for z_2 in multiplication by 3", + "public" : "f26aa6151a4b22390176f6233e742f40f2ecd5137166fb2e1ec9b2f2454ac277", + "private" : "286a302d5b076d2aba7c2a4daf9e7cc9d8539b7c0391307db65a2f4220d30f70", + "shared" : "862df92e25277bd94f9af2e1dda51f905a6e2a3f6068a92fabfc6c53da21ec11", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 238, + "comment" : "special case for DA - CB in multiplication by 3", + "public" : "2b02db3c82477fe21aa7a94d85df379f571c8449b43cbd0605d0acc53c472f05", + "private" : "a838b70d17161cb38222f7bc69a3c8576032d580275b3b7d63fba08908cb4879", + "shared" : "3f438dbf03947995c99fd4cb366ca7e00e8cfbce64c3039c26d9fad00fa49c70", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 239, + "comment" : "special case for DA - CB in multiplication by 3", + "public" : "d71dd7db122330c9bbaab5da6cf1f6e1c25345ee6a66b17512b1804ace287359", + "private" : "b0733b4203267ab3c94c506acadb949a76cc600486fcd601478fcdef79c29d6c", + "shared" : "95f3f1849b0a070184e6077c92ae36ba3324bf1441168b89bb4b9167edd67308", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 240, + "comment" : "special case for BB in multiplication by 3", + "public" : "737bc07de0729bbcfbee3a08e696f97f3770577e4b01ec108f59caf46406d205", + "private" : "d844a36b58aefdb08b981796029a2766101884b348f70eed947c2541064caf6a", + "shared" : "6a969af6d236aba08fa83160f699e9ed76fb6355f0662f03dbc5915a3c23063e", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 241, + "comment" : "special case for BB in multiplication by 3", + 
"public" : "9758061a7b3e2c02fb5c20875ae6b55b11fb6795990a0f4fdcd1147be5521607", + "private" : "a0b7d312d9b832e124d1bc8cb21db545440e3cf14e7473ee9ccbe9b682f2156c", + "shared" : "ab39db4aa29ac4017c7446f1ad0c7daa9a37f1b6b4f2e9d2902ccefb84839d28", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 242, + "comment" : "special case for BB in multiplication by 3", + "public" : "37cd65d33036205f3449e8655a50d4b0c86fec02100b4f2db7da92dcf5e3aa0a", + "private" : "787f1ddd78cc6473d3e63949409ad3f35bfe0ce0738f255dee682f2bfbc80f7f", + "shared" : "13de41659e3e308d6e26c94282fcc3e0364ddf0809ddee6c8e7abb5091b02b00", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 243, + "comment" : "special case for BB in multiplication by 3", + "public" : "a9b6e8081460383adc587c8f91a02c59a7a35576ca62436ccd1b5fef1b92545d", + "private" : "4080ae60a85c1fa95aad9beabd98b405e7f28141bf08f2c9a4fdbde1c5680265", + "shared" : "69ed8a0a27812ae6741474bd5c6a4e683a126649f7245aa0f91a3a384bcde25a", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 244, + "comment" : "special case for E in multiplication by 3", + "public" : "fd1a2cd17a93f850deb8c45a2d34539232dfd8a558304209781c6cb58229870e", + "private" : "08f9f4a4fac4db413315f74a59818b2452fc7b7685592e26556775f9b86d907f", + "shared" : "010218bd67b1b92fee3e7fa4578c13617d73195de10279747e53ba01a254525a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 245, + "comment" : "special case for E in multiplication by 3", + "public" : "b88119e5ae6d9e6b912d52524739e612ef19ab7e5dd3d946cb9bc003c378f81f", + "private" : "1888cfae3085867657b09435c42b74cc762457839451a3659db218d4214fdd63", + "shared" : "e6b298de9cb6358fbbb00f11890f5714a3858e8f05a2a8d1cf39fe78cc55dd4e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 246, + "comment" : "special case for E in multiplication by 3", + "public" : "7b70e29dce0479cde4a36c7f9786582f104bc0788f046b48af495e67bdb88f36", + "private" : 
"789ce13ed007818d7a5181e629eed944a20a058cfe39669c9831bfa5215a1269", + "shared" : "967bbe298494b4a5f95853cfde9dc85970b2a4b5dd2c92782901e853957f5809", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 247, + "comment" : "special case for E in multiplication by 3", + "public" : "2a209e2ace0e3d6973ffbf7403f9857ff97a5fdcd27f2c7098b444fc3c166738", + "private" : "00022b43775ab2f4b91bc1cb54c97f78026289eaaf02abeed04ca84f736c686c", + "shared" : "9f66848681d534e52b659946ea2c92d2fabed43fe6e69032c11153db43dca75b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 248, + "comment" : "special case for E in multiplication by 3", + "public" : "f50709aca7f314e8d05b5ff97a427e427bd5e85c4e86712125076a771be21448", + "private" : "8097a52fc562e8a516682f5363cc5e7c88e9c78e308df0deef40497b35cc127d", + "shared" : "ea7572e27a9120de1f13b85710ba69a3471b7b3f5d12bc430c12c4bbf8aa3957", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 249, + "comment" : "special case for E in multiplication by 3", + "public" : "0f13955978b93d7b9f9a2e70d96df922850a8ffd8412e236fb074aef99d37d54", + "private" : "4028802030d8a8221a7160eebbf1846116c1c253abc467d6e43cb850f1459860", + "shared" : "e23d63a46be67c7443c07b9371ff6a06afcd7a5794bf2537926074b88190307a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 250, + "comment" : "special case for E in multiplication by 3", + "public" : "18ffe992a729ce70c3b7cdc55bab55f2210d279134b3082a9f682d3a0b131273", + "private" : "d8515d45c7ab2b9529816543150068b8e4bb614cf2b68a8a99363975af503d74", + "shared" : "33ccaf24e1e26290ed7e462093e9f77607ef52a0626b2cd2511c41cd24c13849", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 251, + "comment" : "special case for AA in multiplication by 3", + "public" : "c3ba28057728d0533965ec34979fe7bd93cf6cb644e8da038baa87997b8dc20e", + "private" : "d8815bd144518fa526befdd373f5f9cff254d5d3c4660e8a90ef2a22c6876a74", + "shared" : "74f95b4700f0185f33c5b5528ed5012a3363f8bbd6f6a840aa1f0f3bdb7c9650", + 
"result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 252, + "comment" : "special case for AA in multiplication by 3", + "public" : "4eb095a86d1e781bb182233075ebf1db109d57135bf91d54fdb18eb371427640", + "private" : "a82d996093eefdaf283f4049bba4f5af6ecc2e64894f325ee1f9ca1e156d0567", + "shared" : "e9677b854851c41cc489e03981ae78690be6cbf0054ea9834759de3e27bcf03e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 253, + "comment" : "special case for AA in multiplication by 3", + "public" : "83f67d7c92b11c8fb072484642a01f43deb022b54d94a4015e39849a2e2e9555", + "private" : "c02609df3d5436c123dcd7ee11f23f1da321666c09f379d37914203340510861", + "shared" : "f148716ebe7269a7076f0cf1f22b6978d3c7e3607b0bcc87a8c7a85b9fd20c2f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 254, + "comment" : "special case for AA in multiplication by 3", + "public" : "20cc75d376d8453b9d049c84f58eafcf61126c08a03661e735f0a8be228fd466", + "private" : "a0e3b78c0f3be2a760b2c916f244df219624fdda2e9e31b15328f4a77690296a", + "shared" : "1d5c123e88e9dc7a3b16ec90b60578dfca7e11eab9b88c6eca7bc33d91fde83b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 255, + "comment" : "special case for AA in multiplication by 3", + "public" : "ef31b43d19c0a5434deb56129c16298a394a7032a2e52cb997476bdeca325b73", + "private" : "701f130a290584cb28c7d6539506a1a054f926a17ef7c568ae43047c05e10f60", + "shared" : "2fc065ba8f5040a0a659f6f7330554bd1b9d7c893b91e316e0af90c37af4f135", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 256, + "comment" : "special case for AA in multiplication by 3", + "public" : "d8c8e2c6f33a98525df3767d1d04430dab0bda41f1f904c95bc61cc122caca74", + "private" : "d0e67f68183a4c1aed9c56864b36278bb7bb75d57a78321bc7c24ff61636607a", + "shared" : "ef7612c156078dae3a81e50ef33951cab661fb07731d8f419bc0105c4d6d6050", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 257, + "comment" : "special case for AA in multiplication by 
3", + "public" : "1833619516b80db0c05b225509e6698df028d83b66ed6bac6f0f6308970d2c7d", + "private" : "88eb7775dacc32b045ceb35f261b3616315efa98b780e08c79d544edadb5467d", + "shared" : "a3cf3d81ec56896a68fca0da6335171d0c622568738c0db26fe117033726a049", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 258, + "comment" : "special case for AA in multiplication by 3", + "public" : "e2e989aad2397fc34b6cbe2db27d5ab69b28048383c91d9e8226d548253fab7e", + "private" : "7055b1c0576e7ab6c89fcc1ce49e79c8c371bf9fc2b22b8f8396a9b64c5ae26d", + "shared" : "e7f45823a45b6a46192b37d73e8609b5bda68cd7cfbdccaa49082080993e640f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 259, + "comment" : "special case for D in multiplication by 4", + "public" : "b9bd793624d6a7e808486110058853edb25e136bd4d6a795d6d2ef53b25e3804", + "private" : "906a9bfcfd71014d18967680d4509eaa41c666424af98bf9ff7ff49eb1baba41", + "shared" : "7c6148134c9e8b2ba5daeca41e6a1f3a82d8f75d0b292b23c40fe7f5ce0a2b7a", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 260, + "comment" : "special case for D in multiplication by 4", + "public" : "e3f444e208da9043f3f74c20e28d7f404bb687a346709abcd555156f88607820", + "private" : "28392b1b035a8465aa22aabb571061c6effeed40cc2530b628e4fd40395ae04a", + "shared" : "ea5e772bac4693ce69ea3ac761011fa7674037653a433c7f05456e7291cd3c4e", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 261, + "comment" : "special case for D in multiplication by 4", + "public" : "87b43f90f76d12fb3a469fa8687c27e369d4a82f95cf95e8dc3970de8f86d92b", + "private" : "78cbb35204cc88676c14e0ff18171392e998411b23d905d4c4dceab70511f442", + "shared" : "81c395aed5cc5f5e2a206a8a4cacecd501df5b81e49433835ad8a3779edffb30", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 262, + "comment" : "special case for D in multiplication by 4", + "public" : "86441ea06c5cd2a34c6b51261e93a2f30ea7db0f74e14c42f0fc443c6735973c", + "private" : 
"a8225b49ef7b7330e3de787cbc40479644db7ab126370295c94189673430d745", + "shared" : "513eba5870dc5187e2552fe3ba8292b516d2af9ecb9a9bdc51eac2ce2de40112", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 263, + "comment" : "special case for D in multiplication by 4", + "public" : "4624aa4ae9d12725bf92b85f93e3e8cea16b7bd83fda0eb18fab2dbe0e8bf742", + "private" : "0841e1a5c7420b94b6cc6991316ebdd608626339c09d0f67b24088588b9d0d49", + "shared" : "983b7e236ffaddb4b759b7353fe87846f59fb6f28a3ed65c256176b6609b7c6e", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 264, + "comment" : "special case for D in multiplication by 4", + "public" : "a625a5b7a04cea462d123b485c39ea44a8079aa223c59e9ca97abcd30b500e4b", + "private" : "08ecf76e31a23039ea8a15ee474b6251a9d725bff1a5751eb5ecde9d7d4e2f49", + "shared" : "c941369b085c7465d50d23ceaf6717ab06e24638f217a7b8055ce8ebd3ca1225", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 265, + "comment" : "special case for D in multiplication by 4", + "public" : "8a5f2063f259f3317ae3e0b459f82c4677666e49a2eb9bf0369aee663631265b", + "private" : "6038fb0a830d1001ca8ea74a613ea98f6ab8512644e55e8d45a29071bd4bef45", + "shared" : "a3f7e169db44d0d179c242e66347364ab92744dc6ad80e4775aef7f4ff9d5f34", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 266, + "comment" : "special case for D in multiplication by 4", + "public" : "54cfb6ad0d03e3115acafee12606397f2bb46a8c5f326a255c494118aead3b62", + "private" : "c04cf129f0b33332e2654f8e45225c042d7fa6cbc793c88bd4c731985289b045", + "shared" : "401aabfbb73fe6694c446ecfffb43006427a9d4756e049a1ffc79578d62f1660", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 267, + "comment" : "special case for E in multiplication by 4", + "public" : "0ee3bee8cb3a0afcec22fa2233706e8ec29ccf1af212c0a674745ebba34f9d08", + "private" : "3806b036c92d7bc0771998d24dbda2945b601d42449bd3ec4bbf3757d01b894d", + "shared" : 
"20322dd024fb5a40f327cf7c00da203734c2a279b9666a9ff7d8527c927b675e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 268, + "comment" : "special case for E in multiplication by 4", + "public" : "797ec7512afbf0ad918d0e4947903be95234f3abf36750a8f854888d117b774e", + "private" : "380d9056b5a2f4b3dffb30e6ceb722ac4684245f1befafb5661bc8c7a9ad4c43", + "shared" : "46152d59c2d2f3ecf03ce652d2b6978d401d5ede4570a6c911771bdcfb37cd41", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 269, + "comment" : "special case for E in multiplication by 4", + "public" : "d570c7810f69e502b355253afa7c667bfa5060d90dc86e358ab445f6381e415d", + "private" : "384929a42c8d8df146db9508e2f21a4e8cd4d99c1b1338df17a457e88afb0043", + "shared" : "37567f7ec0449c7b823cf7b0e219e9dd880e56a1464d0417a9e67eff42332866", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 270, + "comment" : "special case for E in multiplication by 4", + "public" : "2c611cb94448f1c7822425a4cf5356236b90a555b1ed4747820ba7f739c8f57d", + "private" : "48a986825b2680e2f2547ba75a9599b04ed57f8ed18d98e7099c544efbdf284b", + "shared" : "fbf6587ec181116cf1ace7dcd548029d69c130e50fcf6ad5dfcd25c23ee9f939", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 271, + "comment" : "special case for B in multiplication by 4", + "public" : "e559c417da7fd5851352f508b90031d49b5d2d0aac88a9c8b5fb6e80165ac10b", + "private" : "98452ad7df4e26bc4b3d403f9ebf72bb2d7b6b7d5860dbf6fb9a4f78dc02704a", + "shared" : "c7c6f6d7ce1e4f54c727e5900686c34e6a6953254bd470bbbf0c7c18bbddad73", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 272, + "comment" : "special case for B in multiplication by 4", + "public" : "746d97e7774292a3d703f604e79d8764c99a6a2fe280eaa9811115f5e038f21a", + "private" : "a8dbc9be5034ed7fe7f469264f2135e9c67cd30f525570d2d841e4bdeac52349", + "shared" : "cf7d2a66ea4dfed94469b2d343533ff302a576f8402ed2187904437038e54665", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 273, + 
"comment" : "special case for B in multiplication by 4", + "public" : "1f354aa8ffc4eae2b40dad2ebf830db3feb07e2a1a2da39e55df87c8c613de1d", + "private" : "f8d26878dff25ced02d3b27ce74002695bb879b3c4328930934315ecae842b47", + "shared" : "b204d3bbcbdc624f9f1a743fa3daa8f4c8785ed088d37d08cd13c601170a461b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 274, + "comment" : "special case for B in multiplication by 4", + "public" : "9c3f0023e1a4832586af2483bbec64ce9f06f3ea806d4019a5e4abb1b5627029", + "private" : "d0f5e9c43c95b1ffc36f832b943601d5e17647f7d78e2e7710ace63ff274d447", + "shared" : "b9f21465615f39dddcc37520ce9b956f7de9883ac93a870d74e388b8e1775463", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 275, + "comment" : "special case for B in multiplication by 4", + "public" : "d05656aa014d476022dfc55e8d3b4884ed0bdf85209be8b55351394d52be684b", + "private" : "700679e8c24df828f2e5212a3263d5e93ea61679988298bab3b480f46f961a48", + "shared" : "20f1fc613874495f20562c10b7a8be47bfc12c168d829d6321aa2de17060e40d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 276, + "comment" : "special case for B in multiplication by 4", + "public" : "c4a19b8686e18c29359aa548427f06a368d55a8737483d4893523adac6795a4c", + "private" : "d0d077c9461f747e5660be85cc620428b4cefe805de0fd254adaa465ea5e784f", + "shared" : "652b18ffd41cfb7d1f0b6dc79baa3b2a392ef1617f5cf6259b5b4ff065916a16", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 277, + "comment" : "special case for B in multiplication by 4", + "public" : "4989de79853ff35be8c9f92fc94674feef38a0e65788471c521f8e259adf015d", + "private" : "00711ac08ef88c3d43a3cbda67b6fe5f34f54723dbe6d725c8a3569070ab9a4e", + "shared" : "679825c259392d86f8edb15328d4faf52300779d979a503a76e27be3d7a85e03", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 278, + "comment" : "special case for B in multiplication by 4", + "public" : "a981483cb0ea4385ffbb552826c3dd110d4ae89ff52ed0cd6018f99d3387987b", 
+ "private" : "989a75b40451139ec36ca6aa043765c61a18be323a5987fcb025c2dad8d4bd40", + "shared" : "9cadc14ac153fa383ef66d1833f589100dff90523272e32b06e2c6f1f4424040", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 279, + "comment" : "special case for BB in multiplication by 4", + "public" : "1df3dfdab74ff38177dac294b2da2f49a348bc3b3bc6ce9312bea5ef3ecdd30b", + "private" : "90c3cfedd919a2ccd51fb455649e3ad2da1ef0ff619b59a7f9c55a68a8219645", + "shared" : "bcc95fb4890ed311f3fb4f44c2b60866cdddec97db820a7f79f475337e16284a", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 280, + "comment" : "special case for BB in multiplication by 4", + "public" : "fc6b718ba8b47d24b1cfd6b5d0dd8b20fd920960fabc302dbe4f93bd2a06e933", + "private" : "e8fef5c9b60f84984e8836d535acb372096ba8159824a0b49a17eccda843bd41", + "shared" : "06f1b495b04a0010845c9d39b13bf2784ade860d9632c8847618c0b34297c249", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 281, + "comment" : "special case for BB in multiplication by 4", + "public" : "b279b6c065f95c7040f148bcb4a3d310e34bdb005931a879be469573deedd041", + "private" : "c0e05bde7727db4e352b5e7f035327b4d86a42d513ca116e22d64a4ede56434a", + "shared" : "cce7bb644df94501421db49d15e821c7b0aaabecdf8837ab989b1f23bac08f35", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 282, + "comment" : "special case for BB in multiplication by 4", + "public" : "98e2cd4c10554e41b0a3e41082c8b6b61b55447d26c0aa97f9a06baeeb54b55b", + "private" : "d87308bf753573f596ac8330b204014b2152dbdfc9881a0d9975058582bdf646", + "shared" : "71fdd3405c30805701ae4dfad98c493aecfcf2e3b563e7068373c1b19137c268", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 283, + "comment" : "special case for BB in multiplication by 4", + "public" : "872897f1bd1885da08b9d03e46811044fbb04186ba30c806f38b94ebdc27186a", + "private" : "d80059a8a387e16f6ded6e7e980e806d1f78b470bb61103d0ca70623ccee8b4f", + "shared" : 
"bf280aeecb74ab34e1310aa6fe8dc972f94dc40c7f88b72137ccfe34ed343c13", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 284, + "comment" : "special case for x_2 in multiplication by 4", + "public" : "c08f72760d9cb4a542aad6e2af777920c44563bd90356168c3608c6b9af2ef0f", + "private" : "b0a4fe63515169bd82639b515ff7e5c4ac85bba0a53bbaca80477eb3b4250d44", + "shared" : "72566a91ccd2bcf38cf639e4a5fcb296f0b67de192c6091242a62fae467fb635", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 285, + "comment" : "special case for x_2 in multiplication by 4", + "public" : "4f03849c24d584534d74302220cfdc90e1bc360bb5e297c0fd0fd5f8d799e416", + "private" : "984256b12ef154ff6c2e1d030826164cba3614e3df7688d82b59e16201c9114d", + "shared" : "24acb4afa63919621df795206c3929b599ec9d253693895d51a0555072e89a34", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 286, + "comment" : "special case for x_2 in multiplication by 4", + "public" : "4959771a931e242d5713d5cb76f33310c6a283df16645604289553809cda6518", + "private" : "6847141d5d4377af96a2a647c642ee81600fe48d3467e3a70f3ee312bb621742", + "shared" : "5ba2112a41b5bb381f202446fa9f23c54d2de149f9ad233753417263840ea432", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 287, + "comment" : "special case for x_2 in multiplication by 4", + "public" : "f6fe690cf547049635bb3a7785537b4379c9ee06b46120493b8bdb152e09c81d", + "private" : "e85f1164e2ab6faf62667c74b03ce529b49a0e2041b1ac0fa242e522d2b7694c", + "shared" : "a87c9fdf40c409b9edab481b2cc69687ee1ab92e340c3db0107d40b5de6e7a20", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 288, + "comment" : "special case for x_2 in multiplication by 4", + "public" : "b468681a1275850c11d37ec736af939a75a7098514e04cfc1c6ca78239a88426", + "private" : "281e1bbfa711de69921a64c5d2183c338db5504606ce2b6b4ce1cdd54b41e14a", + "shared" : "3be98798f01e71639f3cb8fd4a17bf273e10c67f8974dd9802eed59d847d4020", + "result" : 
"acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 289, + "comment" : "special case for x_2 in multiplication by 4", + "public" : "2d71e8457099e3f445f9e2a14f18b0f5914bb35f482f9c069b64bf63710d4228", + "private" : "20aacf1902b3cd609d7ee15cc96453cc22e2899d7d17852680f2a728bac6dc4a", + "shared" : "338c9917dbf11a0cabe8ad4a65959229bc00f99c211e752b20b8b49b87756d0b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 290, + "comment" : "special case for x_2 in multiplication by 4", + "public" : "fa8f24e944de5d003746d4630350c0f4f6175a3269c19184824105398fbdd329", + "private" : "009e8e9fa993804dce94cecb96b1de2568245a97059e4d7ae116ecdb1badd141", + "shared" : "56e2bfc7f6ab7da8fc734afc515e57d0794d002434f9bc8e18bd0b72c0df3c4a", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 291, + "comment" : "special case for x_2 in multiplication by 4", + "public" : "ae4e37ef53c79e25e8275a60f2fc1dfc277ebc5d3b88428c6432c3f98494212c", + "private" : "f01574643f231ffac055bd235ee74dd416b94c8e55a2ab2b4d13a8b788d90148", + "shared" : "17fa1276d9fd5025172736449a1c0ae33512e5037014a18db5903e47bb3bc950", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 292, + "comment" : "special case for x_2 in multiplication by 4", + "public" : "95e56a830792478f7c42504043a9cab8e2eebff5fd90983709e29e03c0a41b64", + "private" : "3800a42659954281ca266d7cf1ea9db6d79891a406a70f9e84c3570a6a12d24e", + "shared" : "167a3b2fdce9413c89ee892daf9f839a2eea80ea8044924035db1724a5b0217c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 293, + "comment" : "special case for x_2 in multiplication by 4", + "public" : "5f16aa7ccabf4da6b686bd28c7460e106bb1b97a823792527765c29a9ad8fc71", + "private" : "70a826b186962218dbafca113319daefb5ddf3cf14e15fe3faadc4c0a2e46648", + "shared" : "30a4ba793f2dffe1700c61428b4d84b5fcd0aa99a23b903f84a48eca5cc9fb0a", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 294, + "comment" : "special case for DA + CB in 
multiplication by 4", + "public" : "47fb78111805a11982a3d6c5d83e8e189e7fcc462c9abf805d3625be7a6eac11", + "private" : "a85a5eda0a269500b3ab0b58495fc254c2691028ac533494b5f86d44e9dc654c", + "shared" : "2bf9ab750bd58ff6f877b783eda45a71a65cc9b7c037fcfef4cb5f4c8842f529", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 295, + "comment" : "special case for DA + CB in multiplication by 4", + "public" : "03b8ca5efd1777d6d625a945db52b81f11214daf015d09fdc9df7d47b9850e31", + "private" : "183f28ec867624ef5eca4827ed0714a5525ef21d5e35038b24d307a3391a2846", + "shared" : "35e9289234bd5e531da65d161a065a14f785076088d741c9a2d886efd7d17921", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 296, + "comment" : "special case for DA + CB in multiplication by 4", + "public" : "4eca5f8731b0fa0c106acf578b83a350fa8173a290f1eba803956de34eeb7671", + "private" : "888c6444ff5eb482b2b10bd4e8a01bdccb65f32934d8026106f16a91349f484c", + "shared" : "833afb867054b8b9ac70d6013c163e8b7676fd45ae49a1325f3acb75975d8c13", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 297, + "comment" : "special case for A in multiplication by 4", + "public" : "a5562b4ba86b464dff4c2cfae85b384be211771efe8a9697e51d84de47f1eb14", + "private" : "c8a85d140ba150f5c6a8d3cb363bcbcb75365e51c61640e974a0725b5e9d5940", + "shared" : "8a914760129575c8ab3270d04b0465fc2f327acaf1676463113803bbb2ec8021", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 298, + "comment" : "special case for A in multiplication by 4", + "public" : "88ae1631cd08ab54c24a31e1fec860391fe29bc50db23eb66709362ec4264929", + "private" : "90a3aeb1417c3d61c1efef1ac052218fb55d3a59c4fe930b5a33cc5183b48547", + "shared" : "c1988b6e1f020151ec913b4fb2695bae2c21cc553d0f91cf0c668623a3e5a43d", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 299, + "comment" : "special case for A in multiplication by 4", + "public" : "cbc4d55d5bfddd0bc5c5edbe3a04836b2c701d25195b26221cbea19311e55a3d", + "private" : 
"b858d7414bd9ab9a3ebea79064ab87bc050e74407f4d4748f62fa4d9d203b640", + "shared" : "bb24817bd9fff423dc0972908e2c03fddf4dbe100016b459f28fe9594adb3714", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 300, + "comment" : "special case for A in multiplication by 4", + "public" : "d66a2f9f7577e2df4a56cb51962b3056ff5cc0494c60f39511782e79923edd41", + "private" : "f825edf1f79eddd715a72b3ac267d6b2e97e18bb13bcafdac5940370b85ba64b", + "shared" : "b3b4513f8a3102e1ae782fbc69888177f2c24c569303a5d01ab1c3c5e285524a", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 301, + "comment" : "special case for DA - CB in multiplication by 4", + "public" : "de0fed2fab6e01492675bc75cbe45d7b45b0306cec8dc67611699811c9aaef16", + "private" : "b0a710b470e324bb56a7d8ff8788d05eb327616129b84972482425ea4ad4f34b", + "shared" : "471ba91a99634f9acf34fd7fd58f72682be97ee1c821486d62ba4e448cbc0417", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 302, + "comment" : "special case for DA - CB in multiplication by 4", + "public" : "6418d49fe440a755c9ff1a3582d35dc9b44c818498f15782c95284fe868a914c", + "private" : "b898f0329794747d33269a3989b67e43a7ab5a55fa1210b0e5dba193f4fa094e", + "shared" : "cdb3ca02d5fdb536dbc7395bab12bdcfd55b1ae771a4176dedb55eb4d755c752", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 303, + "comment" : "special case for DA - CB in multiplication by 4", + "public" : "a89bcfa236bbccf07c434b59f8655fb085b6cbe5ed6376281df813afba22b752", + "private" : "a0528ed9a8ec22ebe9cc2e32fafc3f467500a9a22f5377382df6604edcdf4f44", + "shared" : "cd3245403fd9edfcf91c9581ebb2eb7c77ad6837fca372479e78de9faf60a34a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 304, + "comment" : "special case for DA - CB in multiplication by 4", + "public" : "cdb1f95f6eacc24b6d029c6ed976666dc51794db8e4aa966ba850fd7f5048965", + "private" : "f06888bde75d689d056874f6436000497d22d8ad9b95a1c67de1dda4ada3164d", + "shared" : 
"ab7c47ecb0c0167156f44f66a527264b958fc992c21ce98cef3ae214d66bd82d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 305, + "comment" : "special case for DA - CB in multiplication by 4", + "public" : "9491a82744f1cb6105b76b0442e54e605ac67f47a1b2b3b552d486f75bd98e6a", + "private" : "e034fcaa3ae40603f9b22af159fd67ef009380946de92cb1d83cc489e8b35041", + "shared" : "1bfa264a7c7229147a20dd021211891e61f5d8c76cd83f0be24bc70e466a815b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 306, + "comment" : "special case for C in multiplication by 4", + "public" : "4d19e156e084fe582a0eb79b2f12b61d0b03f3f229227e798a933eea5a1b6129", + "private" : "702a7448c0ed58e1f4e0e332d096a36360beca2f6955c815bc120b3a691d7742", + "shared" : "c46057fcf63088b3a80e0be5ce24c8026dfadd341b5d8215b8afcb2a5a02bb2b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 307, + "comment" : "special case for C in multiplication by 4", + "public" : "cc4729c4eae292e431ec3a5cf5020e19f9bea50ef3218d9a790034526c3ee14a", + "private" : "50025cb508ad4faa06fafd0f4a33b747ccf1b3573885d3426500d51b56300144", + "shared" : "d4361e26127adfbe37c2ed8f42cce4ebab8ab74ed9e74f14c3435d612c1a992a", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 308, + "comment" : "special case for C in multiplication by 4", + "public" : "4a474249af8f771f0cfb1116f24fda4c42f4136d2afb766d1b291c73c6668d5a", + "private" : "7082fc53299a4d30e5d0c383c035935b1eeebd9408fe4d04b93eec24be52eb47", + "shared" : "80dfae7a28bb13d9e51ff199267cec2a19dfc8b6f4974e3446b2f62fe9b62470", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 309, + "comment" : "special case for C in multiplication by 4", + "public" : "0f2a5cbbe503139531ac0529183da8e624d25286f6e35d1407ab1f4d76ebc260", + "private" : "98ff7e711d65cc7fd9d0ac12dfe8b894e0a93602ca9e75bf0eabbf0bfe670148", + "shared" : "7a5c373065e339b26ee537cff1cf4597cfcb4bf2dc7c4bcfec9884443281c273", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 310, + 
"comment" : "special case for z_2 in multiplication by 4", + "public" : "2fe11d723dba63559e1b96147893cb7ec862711806316daa86cd4da769d4b22d", + "private" : "b080f4ac1e758bbfbfa888a78cb8d624d97b8688002b2017e35f52f3d7c79649", + "shared" : "c5edcc5d447071c08dfa8281414ae6a02de753e2f7bb80af5f6253e56db43422", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 311, + "comment" : "special case for z_2 in multiplication by 4", + "public" : "98e1211dcf6651fa9f2d00eb083ae5855869a2a53e835f2e03b30c0a19ba8051", + "private" : "e815bf9a967e1208af8e74ce9af6d113dab17c01c90f1ae2bc25e3e2f9e3a44a", + "shared" : "263a38fe538b50e8e988bf07ae86f33d49886b14c7143efd1d2025c840e36a25", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 312, + "comment" : "special case for z_2 in multiplication by 4", + "public" : "2f1b938b81a4c90e1251135ad7fabe835f6a8bc5e22d4b2ab119f6f677877677", + "private" : "4051b01cdf90af38f0a96ffb83f8d4133abe4fb035b6fe6f65276447caa7314f", + "shared" : "340acf2801de71c18f4c79cfea372bc354e4c8a5eb5c2cce8b45d885df162f45", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 313, + "comment" : "special case for CB in multiplication by 4", + "public" : "340b9f613550d14e3c6256caf029b31cad3fe6db588294e2d3af37605a68d837", + "private" : "98c092363184e58ad6ce510bd32b309c9d5a46f8d9ee6f64a69d8180bbc6cb45", + "shared" : "9efe5cd71102d899a333a45ea6d2c089604b926db8c2645ce5ff21492f27a314", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 314, + "comment" : "special case for CB in multiplication by 4", + "public" : "edfbd6f09aa32435440b0ca8ba436308319613f8f2d501133c526c3ff55c7b3d", + "private" : "686e51c00116d1c191aa9d5823b96e5956102e8fe75f5cf2376d99989f6f4342", + "shared" : "196182095bcd2ef46b18f64c63607e0ab162a0869e6265ac8ae35e358c3d8a63", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 315, + "comment" : "special case for CB in multiplication by 4", + "public" : 
"9b0538cd618b0a4de09e45420f84d54d74514fbb1a31c1a4aa1e93306f20723f", + "private" : "208af2c9442b36b521fc3a1ecefe342aac308bd6e6296ee091c196dc02e7ae40", + "shared" : "a3c6b75168211e8e0a49ca815bfe3f469f29864dc8166152b456e7074afa9b5b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 316, + "comment" : "special case for CB in multiplication by 4", + "public" : "ae8cf2fcdde710c2c1184524bc32430874dfa08c125f61d6919daf8e66db415a", + "private" : "c0d861a6d5ff91f91e3bd05934161ff0ab0f3ce7e4a2b5b4fcb31ae34b46664f", + "shared" : "deaae6c9952844a3a1d01688e7105b0bbeadc160763c2002b6d0bcf35c22d123", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 317, + "comment" : "special case for AA in multiplication by 4", + "public" : "2a59f478402d2829cd3b62e9f7cc01445e8e73a42cb11af00b6b9a9f0e44cb3b", + "private" : "70785cad160972b711318659b47b574f6941ef6da1ea06508b2650f57ec9e54a", + "shared" : "c204bd15f01a11a2efdabe2e902b7cd0aa079316f60e911b3ee5d46262e98631", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 318, + "comment" : "special case for AA in multiplication by 4", + "public" : "836c8e45dd890e658c33e69b6f578a5a774c48b435bc3b91ac693df94a055857", + "private" : "60afc8eb1f87df4b55287f3c4698c5f8b997b28a73c573fc273e9c467fb7e44c", + "shared" : "c5457487e90932f57b94af2e8750403e09c9ac727e2bd213590462b6937b0753", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 319, + "comment" : "special case for AA in multiplication by 4", + "public" : "59519ead7995a6df89bb54c840d61a8481881098b8a4f83c6a2f6ba800338257", + "private" : "a83c11b2834136b9aaf0152d90e76e3c27177693a2834e8beda0a3571bce6947", + "shared" : "4ed6f8d62932541c6bea16e03835f1f758a5c41722b5c9989c9c7cc08e34e37b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 320, + "comment" : "special case for AA in multiplication by 4", + "public" : "32f34da84ab4bfca369c4b884691becf54be7fbed16449dc86969da7ea9abf62", + "private" : 
"b80d8795735806579e71759894939d758853592127efe84fc82eb7cdee45014f", + "shared" : "521a5b8149a132d155e6b4ed113900506cfc2f76d2a3e14196d69eb85db3c952", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 321, + "comment" : "special case for AA in multiplication by 4", + "public" : "82ae48dcf59bc5e469f9a11b18a32d4753ac818692dfae27d675411a2272b363", + "private" : "e08ffa45efbe1f96584c76254554adb9177b58ed09609a6ce499e5bd22d35c45", + "shared" : "e831d6cee95ca1b4c96bb89457562fff36cb4d08b81da89b810b425ecdbafd78", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 322, + "comment" : "special case for AA in multiplication by 4", + "public" : "b33bd3ad14b66896f971cbdf27785fc3aa3cfb39adc6c29257d22ea4df8cbf63", + "private" : "688e1bbb5114f34e8531c278b2d9714ba07c32a7aea6e627135bd1fc65238045", + "shared" : "350e3ab9d0dbff78f3f2157428beba189333be274827c10d59673f21c0c48a24", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 323, + "comment" : "special case for AA in multiplication by 4", + "public" : "18e58df6bfbe184b0e3c7c4bf2a051ed055b793501c0d4fc47bc8a95c4deec7c", + "private" : "8036a4e2e93e9ed82d99d71a522aac9289bd9905fe41d01d08a499376a258442", + "shared" : "ade71d6460287fe808e947560e67a9d6ff2f96eaa1355d2e9fbbe549e883381b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 324, + "comment" : "special case for DA in multiplication by 4", + "public" : "772e31e776e8d4f23b7af2037af28a37e68f61e740b3904f4ec4c90157be1478", + "private" : "901b20f0cda74076c3d4bf4e02653cd406ed480c355159e22ca44b984f10764f", + "shared" : "91a9bec28cf18c7094e2d80d2764df59ada0cb1946be422864bd7ad0e533b663", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 325, + "comment" : "special case for z_2 in multiplication by 5", + "public" : "a8d55d5c1137e9bb626557f9d6eea8d3120e9364f8bcd9b67934260b1a091801", + "private" : "d83eb7affd1bcc1ec0b4823cee5cf0b15b5f57085aa2708ed437a2925329b550", + "shared" : 
"6c1b8e240edfa5db2abb3dc12bcf9e8ac9ca10dd3507083746f6f36dc035d755", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 326, + "comment" : "special case for z_2 in multiplication by 5", + "public" : "33c94be58b0f0e6cf363e1b12a2ebfb93040715be91518f21df2953eeab5fb01", + "private" : "989eee317b9c254dc023f9e35eff0224bc2e0bc871996b946a96970e7506a85e", + "shared" : "d4c3b3467714f2d105904a84cc7e81d7f291304e908041682d8906a683c12125", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 327, + "comment" : "special case for z_2 in multiplication by 5", + "public" : "a218ae9624b07ce05178b9d0cc1b71dee21f27852a2ceb18610b4052b244f00f", + "private" : "b8355455d358f2dd7c5707b2c6973c9c27b99e7d8ac1650c791e5fdbcbea4957", + "shared" : "1ebe6ca711a649ae487b332747e3dc0306340560cab6bc6029e44f6a7e0ee41c", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 328, + "comment" : "special case for z_2 in multiplication by 5", + "public" : "d7067faeafd3e966e57525f930b3317c9e8b9c9a9ae946e76c1e4602a59a7e33", + "private" : "8065567ef082b16c20853487f54893012ba4762224e5c59f250dfbf82581e85a", + "shared" : "03e7a777e648bdc612189f3cd42d34e35736d3e52e6edc8ac873a58e244a6073", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 329, + "comment" : "special case for z_2 in multiplication by 5", + "public" : "8df9682cbe8802478a8531377e752cdde54738d528d639bea9eaf47702f8bf3b", + "private" : "00b51448139a61fe6c5fbf9395877d53d820ef59da3be856458b5eb90985ba53", + "shared" : "308ef99dae1064a444fa90775b5dd5b1952d7224a0e5ae031df432640f416208", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 330, + "comment" : "special case for z_2 in multiplication by 5", + "public" : "7d92706868aa09538638d633c255f333b9da03bc74b49b35941c57820cd3fd47", + "private" : "e8eb9f6f62f93dbc325b833aa763a90f13f0acb2c2c4b8b33decd471ce70c45f", + "shared" : "f33e2e86443a2c68823b72a2b59d6a028e0a8e283cfe29fea4f7aa22bd1afe72", + "result" : "valid", + 
"flags" : [] + }, + { + "tcId" : 331, + "comment" : "special case for E in multiplication by 5", + "public" : "dfb1ffc176aff84db30182d2378f83728f83dd1b33d79856f3da5459cf9df907", + "private" : "68a1a7ccc50bab4b01e55e18cbd464aff43131fb0741e68d53cdebfc54f33051", + "shared" : "7b535fc31c6c2a3803d8bd45410a1781bd90a09205da28c9df120df23a9fa32d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 332, + "comment" : "special case for E in multiplication by 5", + "public" : "12e81e838b21eac96dc130432571216d7a9b4a817f1938721d2267dd150ebf20", + "private" : "e075bcfc165a471b2f76c3003fb0172c82f707137de2fa7082e43a87a255935c", + "shared" : "ca23a781da0911e4115a29a9f56447157c23bee187b0c17369c4f7730d781718", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 333, + "comment" : "special case for E in multiplication by 5", + "public" : "832a46aec02240d716fe22dea94ad566a3fafbeedcce35c83e41e58076c99749", + "private" : "c0e19634dbf6460e1486930c46e8556b3c16d6de959904600549bb3e08603455", + "shared" : "cd0686b32ea4cddb8e13ff20a78d380749a5d4f6a3dc55d72f4813d949a0ea57", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 334, + "comment" : "special case for E in multiplication by 5", + "public" : "8c8033432bcc12d479f67d6d876b1c8e89f16a234b9b093322effa9dee94554d", + "private" : "b84caa18acc3db37225d32cab4f60e6fba4acab1277e20425d30f94cab2e2c55", + "shared" : "a950aa57bb2beb9ed5d3228c7ef448dab69552f3d3b1e466accf41bfb6d5b874", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 335, + "comment" : "special case for E in multiplication by 5", + "public" : "6df799bba6cdf5f46a57ab227f93fba491dad296a2fdb7e491921d610cce8f5e", + "private" : "2896818cddf572521943e9f0c5e845f530b740427588a0f6de2504bd5bf40c53", + "shared" : "54f5ae57e676d08c8f8a3cf891e36ddaab751093f92f409060c57e745941700e", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 336, + "comment" : "special case for AA in multiplication by 5", + "public" : 
"0c8090e1cfe7f761cfdf08d944d4aeb7a509a07a6101645b9a4c7c9e9c3d4609", + "private" : "a01f0cad98cf2905b812d3530531bb3ac899391abd1eaf4a3ebed96ac6126f58", + "shared" : "2d49b09f81f3f6fab2c67e32f1bcead2ad09ac9e0d642b0873becfb64de2ab23", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 337, + "comment" : "special case for AA in multiplication by 5", + "public" : "08352936c8afd8543ac95f24bce9a07e3e3235763ea512a584298967b83c070a", + "private" : "106b36344cc4a5a389d8168137786806ff03cd4a00f8636bb7e758d456151d59", + "shared" : "a199368e683c3036a48f4c5f32b32a547dd39f3d1007ca0a0bebcad0a8ac6f5c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 338, + "comment" : "special case for AA in multiplication by 5", + "public" : "73bdeef8cc044f5ad8d6a241273e1995e0007dc9e6579046df86aa6cd97f5d2a", + "private" : "88f9a0d2354adfcbab2d12a0e09b3c7719c944384edfbaa27fe0731cb9c6fc5a", + "shared" : "5aa750de4207869ec7fddab34c639559b1eb27ef244aaf2a702c84963b6d6e7c", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 339, + "comment" : "special case for AA in multiplication by 5", + "public" : "7fdd399b6ef4a3f5cade62e74113b29c27db15203f9b8e398d2c6f230051cd2b", + "private" : "0811f2e560a205e96e28bc312bcad45fe8befefb7f6da5faa035311eed80b251", + "shared" : "a6947ee089ff28ce3644ea4c6eb33dbb20c7974fb8d853f4e146e2466177502d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 340, + "comment" : "special case for DA - CB in multiplication by 5", + "public" : "f0173a96273c646fb63d13b0c686b89e37676fcc7178faf4a6f4601f3068150d", + "private" : "40ad984066a69080fb4a315878e736096cc577dae4c42c40d893d8c2173b785a", + "shared" : "230b6aa1f24df90a60839179ba5e9de673cff11cab59e8020b20626c22090b0a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 341, + "comment" : "special case for DA - CB in multiplication by 5", + "public" : "255bbe7230cd2bee90d283f418a474ab30146ce5e801a0f5ed60ee8def3e6558", + "private" : 
"48b10cd45639bbbf83a0b28f0dd3ad0b7b00caf48d05534480556a8278116d59", + "shared" : "2299e384958bedd2c3d367759155136d1ff76e4434dc1d9e8212cdca52ea8421", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 342, + "comment" : "special case for DA - CB in multiplication by 5", + "public" : "21accf97b7fee173001ccfcab21637c175ef5186ff0002502b3d52fa8c51e766", + "private" : "e8fad77946e0de4cf4236798490b838948b82cfb29f8e7686001b11e8d961657", + "shared" : "97fca065acd3b943c654997c0f125767f9abc4b7c9d8b7246942f12be65d9231", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 343, + "comment" : "special case for BB in multiplication by 5", + "public" : "5b40777e80ff6efe378b5e81959ccdcbb4ca04b9d77edc6b3006deb99926fa22", + "private" : "d07babed90b27c4eacafdc871703bd036b720a82b5c094dceb4749eeaeb81052", + "shared" : "f482531e523d058d6e3fe3a427fc40dbce6dd6f18defbc097bfd7d0cdd2f710d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 344, + "comment" : "special case for BB in multiplication by 5", + "public" : "48d952a2924ff167f037707469ec715da72bb65f49aaf4dce7ec5a17039ddb42", + "private" : "68a3049aef8c069b906cf743286d3952a888bf2b9b93bc8775fb5adde06e9f53", + "shared" : "de88af905d37417d8331105345dabaab9fd2d3cb1ee902911c1c8eae2991d911", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 345, + "comment" : "special case for BB in multiplication by 5", + "public" : "a5ef265ccbc5c54021d34f82364a4624030f5b9d5ff7e63d7a379e533de5e742", + "private" : "18d8c3d2a4e366185a85c38698d937e13bbbafdbdab1a0a83dbbe89badf70756", + "shared" : "075d18ccc984761b70752279e7f6a757208f6c11e29480c32b40aba128a4d52b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 346, + "comment" : "special case for x_2 in multiplication by 5", + "public" : "9051e55a4050ef4dce0b0c40811f16371e8b16932541da37f069406d848ea424", + "private" : "18efcd5fe345be4985316695391d2c952eee13b0e1ee7584721fbe8b19d4fc5f", + "shared" : 
"212dbf9bc89b6873a60dfc8731a10be11ab2dca4b172142e6c9f06614cd72852", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 347, + "comment" : "special case for x_2 in multiplication by 5", + "public" : "419adb8b1f2f87de016b0c78d1029a210492eb8cadd164b12cd65b1d57bf3634", + "private" : "28ec7c693e222c72ac0815f1fd36661357e0a8da7bc996daeeeafcd21c013451", + "shared" : "379f9221abebf3582681a0e857f3da578a1b0121982b96f14b94de5dc8b24528", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 348, + "comment" : "special case for x_2 in multiplication by 5", + "public" : "13e00dae3b1ccc97ccd649088c4a7f32ca9976214d645667bd082039bbd9ab7a", + "private" : "78b35e7ae549308b6414bb610196c04f2af79d4266c86e8a9ce0c02bbdb88d59", + "shared" : "cff2596b7afe36f4cab9c70133d7aa0f9914f9abc6c3b9895472e2a5894a8037", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 349, + "comment" : "special case for C in multiplication by 6", + "public" : "441c487a48f0a4989d931cd77a6142a0a13d1aabad82623ba8d94b5c374f4f08", + "private" : "f0de9c5f8a9372f30c41ca47a55743ce697d46e32e7a9ae26d32503fd5222767", + "shared" : "d47c46b4329bedcbc1986b3c6d2aa9bcd027d6b68925175d35bbb536b3440801", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 350, + "comment" : "special case for C in multiplication by 6", + "public" : "0e67ee5c6b65aa802259810b2605f8d7accf9b49bf14cb4a536928e883172915", + "private" : "686be5a12b310420f9bfb209381fd459a5ccd55c752b88337ebe89e1921ae765", + "shared" : "1d730158da880533dbf1e6c64a8e99f9169611660969b0a84fb42dd8dc2efa3d", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 351, + "comment" : "special case for C in multiplication by 6", + "public" : "dc9d7ef1cb49c191e258663a94e731b9c066c11a17d8b5fdea1987f5d9a00568", + "private" : "a0c0337c5bec5ca24dea2f1d701498ae2bad87b8269ac23be113929fe4eb1963", + "shared" : "07732529a628badeb8d74946775ba457c700bf8390f46bc523fb64e471c86a7e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 352, + 
"comment" : "special case for C in multiplication by 6", + "public" : "556b3ee7cd0d37979056ecc1f56a5677a4935be6e49ce28e394f8bfb73d13b6a", + "private" : "b8824cfce5550b5e17b12f74e28459cab34eb49895cc36bf645a0cf00e3d2d67", + "shared" : "9e3aae35fa1cc80a359878e212180294ff6608dcb4929e91901abbf976f39c16", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 353, + "comment" : "special case for C in multiplication by 6", + "public" : "1211be5809605b54f5727d233c783a2a199a3db24ed4499d7b48c7603e4ad371", + "private" : "e02dba7335af8fb9168de2fcd310c2e2df4a3e25263e0ab9ada87bfb8258a66b", + "shared" : "880f6dc73220307a597670f3282fc366aa66f04a0a9ca30d895fdde337afe825", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 354, + "comment" : "special case for CB in multiplication by 6", + "public" : "505e7851e2352e311ca9536a1fe6c0d95d648197374ce08e4b8a0fbddf62910b", + "private" : "30ce71f856ceb874fe580039ca67e896e6d08207a73cd55db7059127c1342b67", + "shared" : "ea62b0eda2d7b249a42417675a2b82b1e6c0d69a4e7cef336448844d2f432251", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 355, + "comment" : "special case for CB in multiplication by 6", + "public" : "ddf4e90503dd82610c3a034b925a880b72dbde30c626009202b358c6eb00f418", + "private" : "e881f46d4141ea69a671649b93b63e97dc67c12521d445862f087b2626fa2b6f", + "shared" : "302c4f83b5c5bf30c1e3afd9f643f65bfe56ca1628ee042b1ab7393bafe36c06", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 356, + "comment" : "special case for CB in multiplication by 6", + "public" : "0e9c4431999ef1ce177e900d37ec6ae665e387e2d4fa27cba8e7baebc65c6520", + "private" : "e879752683cd73a834251c65749135e06eb9064d3ae35095d88cde14a02ba366", + "shared" : "8ff2ac65c85ee2fe9452fce460f8c87f9570d769cadddc87fe93ef8b7657c726", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 357, + "comment" : "special case for CB in multiplication by 6", + "public" : "5761d6c08624104d4117ff17c75e9211a591c9ca9aecca3a665a7ed844195225", + "private" : 
"20576ab456da26c18da5fbf06ec4d16564e111bfae2a92b9f6e1927c15770a62", + "shared" : "97c91a23c3e4f3ff727d188a352b67ad490b62381566fb3e111cb67aa9e3435c", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 358, + "comment" : "special case for CB in multiplication by 6", + "public" : "e92d45b3ec56531266303c5113c46310c41650001065b4d87b02b382fc82662e", + "private" : "a8467418b924c2c003c56e1610a35469356360c29d52aa557a2bb30fb8a9a464", + "shared" : "24346bb133dd9ae3ff02d2f50510b3a92d9030834d60e5af08b0eebbf1d4dd6f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 359, + "comment" : "special case for CB in multiplication by 6", + "public" : "f38b63459d05e422ad024c2dcea5029a0a7a6b6c4c1d2093ce556aab331e2540", + "private" : "f0f5e162923d7c299388bed781199417ade097475515162d9590976a196fb16f", + "shared" : "b3453c9c82a2d1d956156de2399cb70dd4e1ec53aea967e035753c1cdae13c39", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 360, + "comment" : "special case for CB in multiplication by 6", + "public" : "a7ded0eea45a400b8f5637154d42974aa98c92962314d822ef88b01383a9da4d", + "private" : "608fcf787fe789644a09bcab958f0737aa81a9e29d505f51035c78e374b9e46b", + "shared" : "ebeb0c7b7a4165cd02a278f3a222c236eed83266b806d13494c1c3f98a2f3425", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 361, + "comment" : "special case for CB in multiplication by 6", + "public" : "7b0ecb4c72ee147789d74813ced3ebe40f45c3da526ed1272952e453e43b796d", + "private" : "58a3396d291eb23571b52d98a31549e514e501e8d0958ad9f25fe5a76c503e69", + "shared" : "9213a53f22ff0cb5eca87b27b193c773bfdf4c01a193a11f37c157474e15cb07", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 362, + "comment" : "special case for x_2 in multiplication by 6", + "public" : "a244413ddc3a205d038d64266833eea1efba51ba62c9c6cdcdbe943be52bb00c", + "private" : "d805a7014755dd656f98d2b331f2d2d4912725ef3d03752f26f74dc1ad61666a", + "shared" : "66484a4120e0eb0c7e0505e1d2c5d15de9b52b72e094c9bac88634200c557267", + 
"result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 363, + "comment" : "special case for x_2 in multiplication by 6", + "public" : "ec3c8b0c10b1fa65dbbd17cf1ba5f86381284765709b07c5f0428e3d5bcd3920", + "private" : "40cb1fe06b08f068f7080ba07c695eda91a2bebeadd4db95c97dd7c91af2566d", + "shared" : "384f2221618e71d456b1551651efdb708a161d7f89f5604b27eb872d4aa93276", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 364, + "comment" : "special case for x_2 in multiplication by 6", + "public" : "6330d3e28a8b6126ace165a9dfccc6e4bd40dbc9768cfb16330cb7f27f906230", + "private" : "8021464c64c9d6d3c0c852f6972d11969b04c9e066562fa7f0d5fa0d98ebad62", + "shared" : "8daf5f4b84730144ea8a53ce39cc907e39a89ed09f0202e7be0d3bda38da663b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 365, + "comment" : "special case for x_2 in multiplication by 6", + "public" : "8678aa29cbc06e78b218d22a3e66c38ec0da8fdb0f2570c585c62517c9704f37", + "private" : "707a2d710b32f55c6eba34898020a2fb981d61b1e822fca84c47d9321e279268", + "shared" : "da8b7eba6f72c3f3ef33d8982093492e06be39bb0db29c465d95a8e52ef64341", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 366, + "comment" : "special case for x_2 in multiplication by 6", + "public" : "303289c2b1079ea59412faccfeba8c113d2299b9dcfedeabc42697b0829c4658", + "private" : "204a43dea79d779577581b8c2a51be66e1effce96425b7422b9ca65bdf1a4867", + "shared" : "0419a71a08d3fdd574cbc932e8f1605933ddcdd9774f5614269b7ed850c8650e", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 367, + "comment" : "special case for x_2 in multiplication by 6", + "public" : "3e6e16e02d44ebd94680832e065aeddcbb74af64fbb7c6d8367e7605be13ff5b", + "private" : "58e4741735d2589322151947a1ce2f5829908626886941cb1631d25a8a684169", + "shared" : "9f2fcd0c756288c1716ecd1f2a74864b93a7717bfaf5248858dcb6fdbea12864", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 368, + "comment" : "special case for 
x_2 in multiplication by 6", + "public" : "a7c1716a41ed23a8870438714ff9745fb0e46f7a5baeb37c9a2d83fe477d146c", + "private" : "d0af3428ea5205f6bf8d4f1b4e4903cd76f04236a1c0b3ecfdcaf28b21348e63", + "shared" : "261ab6267c35a9755359e957473870522b7f923fe839f2b155408649cc5e8004", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 369, + "comment" : "special case for DA - CB in multiplication by 6", + "public" : "dad981552c57541c57ef395ed770ce5edc48f8015461b2ba7aa831ec593ceb15", + "private" : "c0ea97e442e5dc1c8142bfab7089ecb9bb9c5ae372f9907c2825e678defae567", + "shared" : "9093bfa3ed3491d0891f02ae466e5e13c980df229db7404c5b9d34e4ed21c653", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 370, + "comment" : "special case for DA - CB in multiplication by 6", + "public" : "c588dfe6e733d90581cbe112079749d8eb30ab8631134ec29abfb98b32e76522", + "private" : "b0333f09ac1eaacd3cd617eb8832e9de488b458b735cb4b5345f517130c25d6b", + "shared" : "6e88bb6bf75596bbe5f1fbe91e365a527a156f4f1b57c13ac1e3e6db93191239", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 371, + "comment" : "special case for DA - CB in multiplication by 6", + "public" : "0670116a435e8d9b7a12ffc4322fd6b149d0b1dc799b5c0957d9d6e42546e824", + "private" : "10719099dc63bcc282ef525845c108897ac9fae9590b593e0d505d1cf167c061", + "shared" : "e6de74d2c5cea54094d7a70af03c768afe05d52a038bb72d56dcacf0ba502d74", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 372, + "comment" : "special case for DA - CB in multiplication by 6", + "public" : "8b200dd226c5c0f7e116e5388ba162438caf1dddf4edc3b6ba838c21b5929737", + "private" : "10e20e4fda57084ca90f7ad572a78aa8e6575c659cd01f30c43c58040c20e860", + "shared" : "78c9c3aff9416a538ce3ea8fa553244528d1fbecbcf91695a33ca464ef76b85a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 373, + "comment" : "special case for DA - CB in multiplication by 6", + "public" : "419a076b179f79720096eaabaf03477e8f89d61f885c8d7f58f6eaa4fa77df5f", + "private" : 
"a8312df473adfec7171e1635f5bad44f0753a88a6b3174ec5ae762703ae25e60", + "shared" : "c1a96ccba08bdd82d0fc12e8cde4cc1f25cfd5276dce7f18e407ed0e4a898466", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 374, + "comment" : "special case for DA + CB in multiplication by 6", + "public" : "aa34d772e9ace43c4d92f4f85596ab9ccd8c36c4f4cbddc819afe2a33cb8b216", + "private" : "109697f400210f9a92de80a8bed264097199bc240e22767b54d8bb22050b7a61", + "shared" : "2533b845bb83e3d48cffa8dbd1edd5d601778662d5da03759152a5e0a84b357d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 375, + "comment" : "special case for DA + CB in multiplication by 6", + "public" : "1f06cfe464ccc0e27a5ec5f9edd9bc7bc822ad2ff5068ca5c963d20edd1a2d22", + "private" : "d036308a53c11bebcb02e83688ad74fec43f8462ef4d806272676637d99b3765", + "shared" : "eb40a3974b1b0310b1597d1f1f4101c08dca727455a9d8224cd061a7aa3cb628", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 376, + "comment" : "special case for DA + CB in multiplication by 6", + "public" : "9d4b2ed7817132af5830e899627ea97dc39bd3772e82f2d05769a918273dc02e", + "private" : "786e5a5ff37405c769d0d3788c3c1b05a62a8442c385570e4438bc5f2eaacd67", + "shared" : "9509757e289553cfa2cc71313473c3ff1eebce484ee237eae554fda3d3d22f0e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 377, + "comment" : "special case for DA + CB in multiplication by 6", + "public" : "4e056b317a31dd96f8ec14b48474af587d195efcc2a70f01f052ef882d7b3a45", + "private" : "c01f66cb094289d728421dd46c6f9718412e1c546dad70e586851be4da58bf67", + "shared" : "bad9f7b27dac64b0fc980a41f1cefa50c5ca40c714296c0c4042095c2db60e11", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 378, + "comment" : "special case for DA + CB in multiplication by 6", + "public" : "72c60535e9c423f302d6a10796d954d778032cd4dbd40ca0f359e204d67b6f4c", + "private" : "3877d9ce25cededeb572604f2d123df685690c26e181f777ed33302b82082966", + "shared" : 
"51c359768ab0219003af193e2bdb8e5cc9f8e176b8db49e597afca3e7125e370", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 379, + "comment" : "special case for DA + CB in multiplication by 6", + "public" : "5856358ed420047cd084f17ae696bad79a4d26c6d5bb79bfb82bbc6332442d51", + "private" : "50b84618d073c4618f9aa69a3b8518da76dbb2127286214fb43a2b44503b9969", + "shared" : "fa9fb0df4cfbacd0fbf3262d3a1bf8d7aacb45f73bf94671775e509c8043df7d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 380, + "comment" : "special case for DA + CB in multiplication by 6", + "public" : "c31e37b04332abca8315f317171566aef38111f622d8bffa29c23c0151cdad6e", + "private" : "109acfa638e112f6bbec21e352a74e8fc9b7ffe5d9dc28634eeb516e59830a63", + "shared" : "91ac72b0ed8d7fc4c8846b8a2530d9fb8f0532064880c00dab100c977697db28", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 381, + "comment" : "special case for z_2 in multiplication by 6", + "public" : "b775e016b32a97f49971121906763f3a0b41689092b9583b6710cf7dee03a61c", + "private" : "685c0784aa6d194c1b859bda44c4e27cd1dfdf34776e498dd03d09f87ae68a65", + "shared" : "11393bb548813e04fb54133edbe0626458e80981885e1fe5f3377e8ebe9afa52", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 382, + "comment" : "special case for z_2 in multiplication by 6", + "public" : "f8bd0e7cf6ec6186f205ab03ab72c8f6b3cde8f6ad9b166916a04d43d1d6d546", + "private" : "18e9a05a20436cf0dbc3d5b92dac8d996e62ea11fbb3445f29195fc75a8beb69", + "shared" : "0a83a224fbfcbc5d0f07f6dd8ebb2e9bbee8134f0fab268002ce837f5495d833", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 383, + "comment" : "special case for z_2 in multiplication by 6", + "public" : "8dfee48ad8b367488ea4dafcf7086e305356a80901f87c720149a5f522337453", + "private" : "00e099eb23125dab5ec35a419d455d0ba8c01da160f9354e9fb21e6a55d55c64", + "shared" : "45dc39831f3471d7466bbe29c8142b1a6d6b00c47fea021be2ffc452d9046806", + "result" : "valid", + "flags" : 
[] + }, + { + "tcId" : 384, + "comment" : "special case for z_2 in multiplication by 6", + "public" : "8f68bfc57d792c322ebb27f44a37c1c93e7eb15c5d5fcedffc1de850487b3372", + "private" : "b0ca251e0dbae7324a6ca0c2c8d6a888edd12d1447d400a47bcba004b648716e", + "shared" : "a29005c6b9dbf1707dc2adce4506b55831e8675b7d2d54b0c1037741e3bc611b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 385, + "comment" : "special case for D in multiplication by 6", + "public" : "ff0f15adeab334afeda3916785ddd38d252dce9876c2357b643b5dc2c06a3b1d", + "private" : "a8b64b8ed397773b8290425ca5c2f7c3e50fac7a4781bd4a54c133781c9a1360", + "shared" : "9f04e42c1b2f311d87e1470a4708bba25ac6ffd3f7b486f9b6b502ecbb2c004e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 386, + "comment" : "special case for D in multiplication by 6", + "public" : "1076fdc827f2550ee95ff9a15d044aedfac65b5e9ba809f62438ccea54637a29", + "private" : "d0cd0db51ff232afa0919d3106fcb3a8ae581ef12d09c877aa6f31ef74eed068", + "shared" : "688000bd60af375b4eeac4a7d0e0782c0e6188eabdc608b732f49b4d6ccab44f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 387, + "comment" : "special case for D in multiplication by 6", + "public" : "ed1c82082b74cc2aaebf3dc772ba09557c0fc14139a8814fc5f9370bb8e98858", + "private" : "204a3b5652854ff48e25cd385cabe6360f64ce44fea5621db1fa2f6e219f3063", + "shared" : "e0a82f313046024b3cea93b98e2f8ecf228cbfab8ae10b10292c32feccff1603", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 388, + "comment" : "special case for D in multiplication by 6", + "public" : "12e1589a34094af5f121c9bd3c1119f2b1f05264c573f667a748683c5633a47e", + "private" : "88109b1d0e7bace44d41a15d5bcbcd36968c5b8b47c0a2c606b57c4a68cc5f66", + "shared" : "1fcc50333eb90706935f25b02f437bfd22b6b16cc375afff8a1aa7432fb86251", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 389, + "comment" : "special case for DA in multiplication by 6", + "public" : 
"151f54a8a899711757b3b118fc5501779d621d25227af53d0af00b7583ba8824", + "private" : "5082e497c42979cdbfdd1b3b0653cfea6f2ceb7d07639ebf3541866bb60edb62", + "shared" : "fac30a74f4ca99f6cf233065e9acd826690cab364bf69320b58095783ed76e11", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 390, + "comment" : "special case for DA in multiplication by 6", + "public" : "a819c667ed466bd9a69ea0b38642ee8e53f40a50377b051eb590142dd27e3431", + "private" : "f85a8db44f9e56b11729f51682a9769fc504f93597cbe39444616b224532106e", + "shared" : "17f6543c4727e7f129ee82477655577635c125a20c3dc8ba206ca3cc4854ca6c", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 391, + "comment" : "special case for DA in multiplication by 6", + "public" : "40b053d056668982a1f550be95e16348e303945f53a3ac64491a9a56d4095b71", + "private" : "505a076641fac398fc7d8c629937f42db559db5e12052ad366d46d7b20e95769", + "shared" : "889a8d611e0a7da71475e7c93a2d7f6f7228c787a00ee5cf55474adc376ff762", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 392, + "comment" : "special case for DA in multiplication by 6", + "public" : "e7dd0549a765bbef34be2e8da18a1bc1b989a8b0614d358ebf38c12a9ca64079", + "private" : "e8db2bf1af5b8907420789c56e71414706aef0d9f6ffaed0c249c3b7ab14bf65", + "shared" : "37232fb397af27f5fb5ca493284ff1c5d25786b0d716c73b33aca8d42265f318", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 393, + "comment" : "special case for z_2 in multiplication by 7", + "public" : "1ee1b9a74604ac31c3db83280170e3811504fcc78c7626b5b2c07a99d80daa0a", + "private" : "c006ab1762720882017d106b9a4675fdd47005657155c90ca61d4cbf7cc4f973", + "shared" : "a1b30418436ba1908804ffcce1be2cdcf50c61a8e3938d95c790abdb786b8022", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 394, + "comment" : "special case for z_2 in multiplication by 7", + "public" : "f226c2d6bd7831eda1b51ee5aec29443a507ef9f7a04e2340f349dbf14933844", + "private" : 
"d071807d607953da432d8574d5f3f420676dafdbc6a285a36e1d737624d77c75", + "shared" : "a5976fda89954a81e442107f9e416a2b4b481bbd4654ebc0c7b57a78b45b4979", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 395, + "comment" : "special case for z_2 in multiplication by 7", + "public" : "c5197312de3a7a3ee11b29873bae3fc8c85109c66784804f89435db210fcc24b", + "private" : "304b526f6fe994731980c0975529bca4d061017fbec56f6070d42678d3e11177", + "shared" : "55b5b5eb38b127617ffe00056d84d35a5071d18783e3a82b5f4e131b1538b150", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 396, + "comment" : "special case for z_2 in multiplication by 7", + "public" : "590ed0b879319c38a19962a5d216ff2bfaf33555518877969c20c054cbe43e56", + "private" : "982ddf2c035789379b8a58917d5c3c6c061b503b19a0028e01894c2eb371d079", + "shared" : "0080e5b9985a960a832133812a7ab9951c6b2c75894deb3e35509190a6bdf457", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 397, + "comment" : "special case for z_2 in multiplication by 7", + "public" : "7c5f0143a6682f60ccad16f21150c7bb5bc6f807254d08b353fc96ce07bceb6f", + "private" : "78cc3ec0687e3e53d9cec56b79d11bf049d173f127f5b40fae122a6d0016cd76", + "shared" : "5241222226638c4bbbc98792cdbd74882ca2e08aa2edf313070425031009e925", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 398, + "comment" : "special case for BB in multiplication by 7", + "public" : "010850a0974d3e89c029d252b46f739548294c0f9a23183863f9455b9559c211", + "private" : "c86fc76650cf3b58837aa0f0633560415241c6c4f8f293ba0222b7d6a3875773", + "shared" : "63788190b10d7451f5fc2b82c421151db4f3e22782e392da6d8d3aba2c344306", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 399, + "comment" : "special case for BB in multiplication by 7", + "public" : "ad1dd82c23d6a0d5fe0f2a4561d1c16733a3e1e6afa6d902dd077dc43a961628", + "private" : "888d51c0a2230369e5b65a814b3213dde2e62f2eb95d0971486b733e4f90c174", + "shared" : 
"e4b40974a166ac49ed831715c071c751752744b891465e6c45001855aacdc362", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 400, + "comment" : "special case for BB in multiplication by 7", + "public" : "d0c0d6393c41f4d7e0d5e850b7716f401eda1e028a4ed4a05bea8bf81acfd930", + "private" : "68bed425d534315584d80f79da6eab9b7e6036b51fe62e1ad933e266640b4673", + "shared" : "514a4cd0676f1c3101c8c45c17ad416bd33e20a405544fc1a60449abb22fa104", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 401, + "comment" : "special case for E in multiplication by 7", + "public" : "0f460100d88a1d316dff02d1b22ffb2e42d99d0b92474fc3ec7d62567d0cf112", + "private" : "98ff2856ef44b4fa14d86782ea793828bdf6f1ef9b669cac1aae338a7bb69376", + "shared" : "ed83e810ce5ff0868f8589623bb13478dec1c22326c92765ae5e48c84bbabb24", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 402, + "comment" : "special case for E in multiplication by 7", + "public" : "13756a411ff3ae0c39222dde0810f08c432463162d81ef061071249a48439e15", + "private" : "b0cdbfdd98bd988d7c6a530455c51c57dd33fd2c7aee3961971bd3a31388fc71", + "shared" : "ff94862117d3c6edc9dd5f4852fa8a589452b924ca8a75cb23b3d68dfed88c4b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 403, + "comment" : "special case for E in multiplication by 7", + "public" : "8fc1fae969a6185404db22749ef6d225de86773a4d1bf3857eb8fbbd829a1b47", + "private" : "e0677644ed4935f01e052e9967302d0fb78ff22bb92fbae0605f3ee54e2f6878", + "shared" : "1c94868bc8acb3137498209b2812feb53501389f5aa37fecbfd5cb54e1358e0e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 404, + "comment" : "special case for E in multiplication by 7", + "public" : "7bab0891ecb9e72a15771f0a4fff90547024206339c340b1a2fdb53bcfb86b59", + "private" : "887b61553843ca99ad1ca92253a6fe082b82494752513fd53ff6530f54c40572", + "shared" : "adbf3b439b16dbc653578f53374ed3a86f9c0bf1f736573349773bc3b8d60734", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 405, + "comment" : "special 
case for AA in multiplication by 7", + "public" : "102e95eadca7c3c28e5d52336c857bad99ea246f299b06334f401276f49ca814", + "private" : "00615e4697014fc12484ef53a1440206410a8df78caa0bfff82161db83fea574", + "shared" : "3952efb93573ae9ce2162d10e4b8c46435859f3f2778db89f72bc579e695cb51", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 406, + "comment" : "special case for AA in multiplication by 7", + "public" : "3548c16bf31afdcd445ad9bef0e60d7bd6195aa591ca8c82813cd7d446226720", + "private" : "58175113550faad56458fb375a6cb3f05df2f6ff3c4ee09d4a6ba643e022d17a", + "shared" : "96128f929fc03c1269d429f609a1a8acac7a758e3446a125ecf4a359a0e37b73", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 407, + "comment" : "special case for AA in multiplication by 7", + "public" : "ba74e766d44855ec93bd441aa41058a4c4ad2be63c639a3f9a87bde51eeaba20", + "private" : "009738e1e6efef9e2cad8b416fe90a098eb5cb0199f2df5218166c7b181ea079", + "shared" : "fec3e94cb5f316625b090c2c820828ce0f3ee431e8d6e12abccc7ef2bd0be81a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 408, + "comment" : "special case for AA in multiplication by 7", + "public" : "9a5a1d37e5010c356aa80afb347c3d613542ddfa0be7abb8e8cdcd6674411449", + "private" : "c82019159be792747a39f388ea48a8c568594e3383273e51100721b376e8ba73", + "shared" : "96903bac9dc60b6178d734890c25db4bed9ea4dbcf6fcbcdc90e6f5694c8b21c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 409, + "comment" : "special case for AA in multiplication by 7", + "public" : "630847e28274dbae5491210303c85a359074ee742957b0fc3c9ff55d9e019a50", + "private" : "10ac9f8383262ef280faac1e4da15a7de4f2cb74af33b50e0d82dcb85d8bcb70", + "shared" : "50050d0ab1ddd2dd90c460ab8f09e1f80e37cae57d4231adae10c10a4a2b003e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 410, + "comment" : "special case for AA in multiplication by 7", + "public" : "11749b00a45067af2c7e7d50f8d178d5a9fedb8f1b69b239763885bc611b136c", + "private" : 
"b84c098382f6e37d510cc33e62ddc664e02c8bb6ed9ed0e5fa78cc099a26fe73", + "shared" : "9170c4c628d5fcfd0ec719cf6e1796dab0a69e46d6379fffa247d444a0056041", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 411, + "comment" : "special case for AA in multiplication by 7", + "public" : "df1021d8f95950afde77c86ba5ee2f5876ef778376a7fdc7efb8dff0e4836e7b", + "private" : "78cde8930a1d81aef6601f71409728854987578b0f8349588c04adbe2c1f6e74", + "shared" : "d7d2a82953f680cee0c81c4d00fe628ac530ce682eb7fb3b0af24f804a58ef5c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 412, + "comment" : "special case for x_2 in multiplication by 7", + "public" : "2743ba408d5f68c65324a485086a004b6bbf784cc9e8b1a7dbeb8c4b9414b018", + "private" : "b0fe7b06b9950600b3a7ce1d7bb2a1d984194cc9d6c8964504c364dd5c875b74", + "shared" : "a6b97da989dccf730f122d455152328051c8ed9abc1815c19eec6501d6cfc77c", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 413, + "comment" : "special case for x_2 in multiplication by 7", + "public" : "cc275a2cdd9125e52f20ce2abad41f920afa5a643fb7f276ef416f761d689f1e", + "private" : "f0c9c3984854d5bd599d3819738a023eb795e93586dc0e5e29b1c870c612d178", + "shared" : "b210e368729501d9f9b6ebefbebae38f195f91eaf2a5a3a49288bb615ff2216c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 414, + "comment" : "special case for x_2 in multiplication by 7", + "public" : "4929543101ee7ae239059cd134c35d400e50d0821441351d0fa6c3d54efb342e", + "private" : "906c2f12be89702db26fa7ee905ce36525d2dee4e96a879ca07da097a6aa5075", + "shared" : "b9e3796c58701ded4237c52994501cee14e18f2fb02b781a8400923484bd4a6c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 415, + "comment" : "special case for x_2 in multiplication by 7", + "public" : "1324e0368597b3181555bb5b2cc7b7ebba46931aeabb6f05ababd4240f0fb933", + "private" : "f026031ea373e1d16e6e7e0357bc96bc093f4b6bb76a738cbb54fe6cfd2ea271", + "shared" : 
"6dcdf8e86903b0caded124d8a7da18e623430ca869aaf267d31029d93de99e66", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 416, + "comment" : "special case for x_2 in multiplication by 7", + "public" : "c7f3842297d6941cac63d6f1bdaea0709437c82dbc9161fc1bae6c79d668eb44", + "private" : "703f4ac8667d77f9536045cf748f18d42345e39ccab10c18dde0f5170d307f73", + "shared" : "385ddbf2505ebf537bf5e976b61a4b69d190ae965b7e4a81ae4e1c16b7148748", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 417, + "comment" : "special case for x_2 in multiplication by 7", + "public" : "1e4660ba865fb8085afd4692885d74237fa3bca5af4b84ba3de400f16a5ac45c", + "private" : "c8a96ae4e77271a0680dd24fcb09f9c5d3ee8316536eec7cc2276597e50fe37f", + "shared" : "0fbaea73f9518795e026c1fc1079c3738aeb9ee9c8dc9761d65bbf8f94e30154", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 418, + "comment" : "special case for x_2 in multiplication by 7", + "public" : "2488bb6fadb79d46585ff01c160c5b4172799d92bd168edceb65cededc492762", + "private" : "d0dde8eda38c3783442864c0cb46a0e9832dcf784c21268a21bed2cace87cd70", + "shared" : "510c64151e5d0737fc324bd15fb5d3966908751cd1a06954b556196655ee5540", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 419, + "comment" : "special case for x_2 in multiplication by 7", + "public" : "a0c1087811af1491171bc51691b8ca84716af36c4baa764ec536280cc1983d6d", + "private" : "c09cd47e1ce53604f14e4e13426c8f08962f556bcd81f8d75375b1507c6fda78", + "shared" : "23ef825e1c8e6e64428001a7463e32a9701c81cf78203e6ae753740c91570e6b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 420, + "comment" : "special case for x_2 in multiplication by 7", + "public" : "cc5c97934607d8b981bce1d6a232bb3aecc3001f698ae1ae84938fbf2861077b", + "private" : "e09a5f74f318f02303857aa0208d76913d9e240a80549d12013118bad620597f", + "shared" : "0e55a7ec1a2ddbea1ac5981200812232f7f4c3a60ee3c9ab09f2163bd13da329", + "result" : 
"acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 421, + "comment" : "special case for DA - CB in multiplication by 7", + "public" : "238de7fcc8a3f194c3554c328efb1215d0640ac674b61a98ef934ec004cfd73b", + "private" : "706cee5f9b357c03b2f1913294f6e4f0ca5a190a87d30268327d0cb6bdd5bc79", + "shared" : "0681036a0d27583ba6f2be7630613171a33fb8a6c8991c53b379999f0f15923b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 422, + "comment" : "special case for DA - CB in multiplication by 7", + "public" : "ac9fd80a45da109fa2329390e5a951cfc03065d7bb4a7855826ccb22c3bfeb3d", + "private" : "40e300cb1ff260574f85b3f04aac478464a86e6203b3d4656418f4305157877b", + "shared" : "67b88774f19bd1081d6f23656a135803e34ae1cdcae10818124a78569c299f42", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 423, + "comment" : "special case for DA - CB in multiplication by 7", + "public" : "a45ab1dc2fa2c50718fb4985d9791401e8d2d34ffe3cd93cffb4e870cce5e855", + "private" : "882f78b4558b7faa835904c9235e32f300fc8b5ef0a718406a5c8520ca54d071", + "shared" : "a512e864bd898a5ba6551adcebd836c6a78e7871728e1b8ee528d483af276104", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 424, + "comment" : "special case for DA - CB in multiplication by 7", + "public" : "1761d3d50ba46b446655aa6a8d9b8b75aa5bb24a7953208d5b69fcc38f18ec7a", + "private" : "d8649b735590a17d0fc4c378fbf4c2f7d6600569b2e84cbe0ff7bcdbac0b5f71", + "shared" : "518b778cf5e976c60235abcf6211a18bad2a8e693ab261074c7fab43dbb5da27", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 425, + "comment" : "special case for D in multiplication by 8", + "public" : "dc99ad0031463e4537c01e16629966d1b962c0b4e4872f067ca3c26ccc957001", + "private" : "a8edec59ae6ba23813ec54d66df152e0626762b97d4b0c20e0dd8a5695d86e47", + "shared" : "6cfa935f24b031ff261a7cd3526660fd6b396c5c30e299575f6a322281191e03", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 426, + "comment" : "special case for D in 
multiplication by 8", + "public" : "b32750fd80d2d7c62c6b8e39670654baea5719a3e072e99507fd5bcb23898264", + "private" : "1098723ffe567ea6dcc8d04ecc01efafeea0aee44e1c733be8b1e5d97c8b8041", + "shared" : "c623e2d2083f18110a525f2b66d89ed82d313b6a2dd082f6b7a6e733134f5a06", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 427, + "comment" : "special case for D in multiplication by 8", + "public" : "e7b3205777b375f1b1515a50a16a6067953ff221e12b4f416d74fb28c1c85865", + "private" : "a0f20df98b49218ac832f26fa8c218a0d6872eb7aea07c1d43c9ff699b465b47", + "shared" : "388ea421650a8d837bad8904018195e99ef494c2d170b93ee721a67d2c108729", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 428, + "comment" : "special case for DA + CB in multiplication by 8", + "public" : "21cc338d7869e5863349cc739c8a6946cfc797cb82fbf62dcd2154844b106003", + "private" : "30473a77a98374f67d5bd43df231ce142916aea0d271e72333fa47dc441a0247", + "shared" : "b9e5728b37435b1d339988f93267d59f3bd1c517851c5a258e74cb64aea73d2d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 429, + "comment" : "special case for DA + CB in multiplication by 8", + "public" : "c34217c02072d7e2bca0454525030780cfb60215d7ca82dbec8f4a59034c5f43", + "private" : "d8657be3a30fc85fb2f3a68e92ace1b31b26e76e6bdb6727aea507cb7c10dc45", + "shared" : "20b67b205e22ce87fd44a8e8fd10a6d8890b9270b60e1c6a68b4aa78e6e37961", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 430, + "comment" : "special case for DA + CB in multiplication by 8", + "public" : "8abb8cfd60c6f8a4d84d0750d3b40a4f846b30edf2052fef7df84142cd0d9e47", + "private" : "882f5578ae4a13d8f5af473bdde1709bf2e059df809ee05b505f34de857c3447", + "shared" : "5faba645fc21f9421ebd35c69bdb1d85b46f95e3746ff7f4886bc280a9ab2522", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 431, + "comment" : "special case for DA + CB in multiplication by 8", + "public" : "9fd7b49a08f206688d72db737df8e517aa7b764f5de7c9a2b1c3fcbaa985f64c", + "private" 
: "98294db7cbf4958bfb3ed21d5d5c91e13cc8dc27b3c716c86f7167a4819f8741", + "shared" : "9cb8a0f4ad86a27b96ca61242eab198db2767d3862dd323e41368fcdcc5fab68", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 432, + "comment" : "special case for DA + CB in multiplication by 8", + "public" : "c4fefac7acd448e8fd4d6ac4f5dd1bc21f2c67d638444060918fb344aa77e757", + "private" : "789bc4047ad81b9b6656eef298b766e8763a2f8ea64e374a603dc1fdf2eee146", + "shared" : "4b42fcf84b51b2b82f1f70b3cf49bd9dc6ab2672920a8de37e81ba7e99acf734", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 433, + "comment" : "special case for DA + CB in multiplication by 8", + "public" : "a8341deecc0be6db11401ef7f884ac3ade35650cc21f14b5cdb0a5cf0ee6b15a", + "private" : "801ffe4e0f6eeb8a50c8fe79663ff585f9d6aebcfbf4b7edc676c693900cb141", + "shared" : "e55fc931669bd02d1c64689eda62648212b1078c43b5caf97cf9763ff87a3455", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 434, + "comment" : "special case for DA + CB in multiplication by 8", + "public" : "55a0e6631a52f29fb90a1777ccbc69ff94547459d541f72e8316e4d616535a67", + "private" : "e04e412383a63b338b70e1be5fd75995350321dee428aa4f3ba62a50a3b0de44", + "shared" : "87f7976a17f3e03a7f1eb74e6db950b8c0994f40b7903495599d227725809e01", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 435, + "comment" : "special case for DA + CB in multiplication by 8", + "public" : "7976d520f1a2512d564af41c68313f5351b0156d5118be4817f192798ae9777d", + "private" : "382dbe9f10158bfbb7d1d79a35a7809214899a6b8572b35b55875d79bd2f1640", + "shared" : "3bb3e30105a71901b115065e39bdb3e053d387b39027b12c92cdf4c638adf00d", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 436, + "comment" : "special case for AA in multiplication by 8", + "public" : "a26a722f7ba71ccfc96ed8e108d7c9f842d17f92051ee7d429ea7fa7908ab907", + "private" : "60c9af7f4d03136a6034ae52deadfd9d4f274ad8122812eb92a53169c8354141", + "shared" : 
"f5cb3a1b76185a29a6360b2142feebb11f3d08f4fd8d73df3a5228624a521c02", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 437, + "comment" : "special case for AA in multiplication by 8", + "public" : "ca3a2d96f5dda482b002324cbbdcf1dacc9815eab797c7151c3a88c75cded621", + "private" : "283fae8bd8b294de2848056449751965abb5c7fa86ba4c2c5cdc3bb524dad140", + "shared" : "b0b47868e70465ee2dd737f1ba5a6399e09cd813d72da7585ab45c946cc28d4d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 438, + "comment" : "special case for AA in multiplication by 8", + "public" : "eebd858850b56febb707f27a7aad5ff5ab4b0e0c73b9c86ec4ca0f42e7f38e75", + "private" : "401539703ca4980db4ba42c59fc29e83b4189f2ddea53ba54ca966c06898a640", + "shared" : "581e4b12b0f39a7cc42dee4513ecfdd20b595f905f17ad8c1fbf1b5cb2068b31", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 439, + "comment" : "special case for z_2 in multiplication by 8", + "public" : "c800bf799783275eb93312b43dc032ccdfb00a4b77c8b3772cd2fec8db7e4a09", + "private" : "c8eb056286e098e6b2c79e42f007ebc6ab3705346cdbdace949b5de1e8c36743", + "shared" : "6bf264532fc70a6a7e459f4579eca6b84f8f76ab85c3264b20bca725a6eb6c40", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 440, + "comment" : "special case for z_2 in multiplication by 8", + "public" : "7bbc504e04d134eedc13f06dfdfc69c518257a3f374040a49a8d21dac109110c", + "private" : "487882956c49c69fd0e2d7277a24fb1dbe4b0365b36a13f63440248bca2fbb42", + "shared" : "690305c9e192cd8a513f705b3f101ecdf3db1ea15a09c4a1bce3a8cdc3a1a93f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 441, + "comment" : "special case for z_2 in multiplication by 8", + "public" : "132533db62aff4fa06e96314383bf58ebdec5183a19f2e4cb17552ae19a3366e", + "private" : "9876010f4d64c77ffc4d7dccd72b9ac82078deb883609650b8cff8a686719d46", + "shared" : "c58591b33e490e4766ff7addff570ce4e89a98338015a55df3d2f232aea3fc4f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 442, + "comment" : 
"special case for B in multiplication by 8", + "public" : "ceb90c56508cf330c7f25bab42b05b5612a8310690107ac63a404c0ade788009", + "private" : "a8a5d4f7894a519537babfac736de36054f508dae434b4fe63cd5633846a2647", + "shared" : "3d145851b6ff2b92b5807ed1df21eb50c9f24c4474d4721db3abb7356df7b764", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 443, + "comment" : "special case for B in multiplication by 8", + "public" : "66a09767a0d83bb18d404e1200375a745d1f1f749d5dc6f84a205efa6a11bc65", + "private" : "f83e4647e82c560aa082c59641e13bf366be8f24dc01d14801e67841160bed47", + "shared" : "1401829aac4e64bcfa297a7effc60477090d3627a64a35b872ae055d2091785f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 444, + "comment" : "special case for B in multiplication by 8", + "public" : "39d431316307c85747bd2bcf4f9e0f8892ee45df15f7806ce65147d97f503478", + "private" : "58c6b94bce9b15f64946c2aa6a4e383b0b2d4365b7997eb2310ac4eef1803145", + "shared" : "a0ebe6908c5472f937769b9aeb313224437fc5d73f4f866fe7ef41f30e359e09", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 445, + "comment" : "special case for C in multiplication by 8", + "public" : "84c92d8ecf3d0cb22dde7d721f04140c2d9c179cc813ce6cf8db2dce6168880d", + "private" : "786a97207adbd4b0d6bfc9f49b18660ad3606c12e325044b8690b4fa07874641", + "shared" : "07538f1b6583041c4949fafae3349d62f9dd302d3d86857af0dedc0d5ad6741f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 446, + "comment" : "special case for C in multiplication by 8", + "public" : "a9cedb9e942a47221e4296953220d10007db327d2acb68da6ef3a4f877b8ef1e", + "private" : "282310210e575a59393cf19bbe6e24752dc247706f1e0031e5d39b2de4fff745", + "shared" : "1223505fbb534c1bc6108e6b98b4f0af29e11158c02d333d6559beecd6d3e558", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 447, + "comment" : "special case for C in multiplication by 8", + "public" : 
"64e1c0c5f59405bbc6c7db41a3485cc9f91c183b0f2b7e1894a7abd8fbbeeb23", + "private" : "c8bf2fd4c40d00f1465aada682b12fa92dec10343484ab62b8871337de1d3345", + "shared" : "ee031868165f456f75907bf39742b820e0f8e6df9f9768d757d408e1cc92ff7b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 448, + "comment" : "special case for C in multiplication by 8", + "public" : "a68d2f55e60eac7983926310f4fae13f95b2bbf140be5ea91751884d900ab44d", + "private" : "c06a4a4b70f613136f18c0f88e2245086c3d1a52717210a21ac9d63682f2e740", + "shared" : "c954fa7b042c32943e03191e367d54be0085fa8950ef2bec99620df79ecbea4b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 449, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "6d3cd623f26a7453fa05a01ae758ba84d3c58d93d60ce32735a15e0d053d5b12", + "private" : "20596e1dc56596823d37698dfa699c79874aaefde797f863ef92135980fb2043", + "shared" : "7c3219b3c1fae1f95590ac843efd2084a1f4bd3efa2f592f022032db64ebcd77", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 450, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "8f195547346b3d53b7ea4f742b22f1ef7b3cc01a7d3dcd19aa7c5b03f31bd214", + "private" : "38141518e8e5efa1d031c6c4d95480239f6c30b8ccd8c751a9e04bd3aec17342", + "shared" : "a31f6b249d64a87c4aed329c6c05c3f2240b3ca938ccdc920ba8016c1aeaeb45", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 451, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "ffc4fe2c2127a309c739565651e9812f834a86dbadbb78776977f786ecdb0217", + "private" : "207147f2b68fef1efc10a04f988f0eb18b273b0b5ed17aa7af32c90480e19b43", + "shared" : "4cff9f53ce82064882329a18ea4e4d0bc6d80a631c87c9e6fdc918f9c1bda34a", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 452, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "8475babeeab9980d426abd5323dfb335b219e129bddae4d6cebcda50754a6825", + "private" : 
"488084537b840f9c93ca57b3ee80491418d44221113e03f56355302604d03547", + "shared" : "248d3d1a49b7d173eb080ab716ac8fde6bd1c3ed8e7fd5b448af21bcdc2c1616", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 453, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "81f90a2f6633d30c2b72a25795d2a49463a80b6b0edc5aa68bae4bf738185539", + "private" : "28cfc1d03f5c7428ff3e20b137268b33ccc74db03582d2127c566df4ac99f441", + "shared" : "66c6e70cf630be90a2c88fcde7f58cff3868660fa96406e8df4ac677dbd85f50", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 454, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "41626e33b3c8f48bd19e49ded307f2b63bde705c4f3cdf9d4f92bf37c48cba42", + "private" : "c8e37d10f3d03db3f43e467bddf98f595cb529ad253c20d491282d1400b9e740", + "shared" : "06283fcf69dc83e99d92e5336f499a1d8fa75ed2c819b5ae6ea8094454324b27", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 455, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "ebb32f781c0e89b252e611f9d8f79f8567874c966598314b2f16aa44cfc07843", + "private" : "00237e91406a7b4db61e780c5976fbb926cdace2fbdfdbcfce65e6dbe7782a42", + "shared" : "7d2affb43355f5db1294daff55f59b1f17e7d25bca20746f12484d78e5015517", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 456, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "fa75e6f08ca815b4e42af24a8e057c9e00e828e33d12c0e94d1012a758336744", + "private" : "489c4184a23a8f5eec68a31b41aa2c0392cd6fb123f10acdb4de75292b4b9a43", + "shared" : "ef8e78cab091d667888489fd3a2ec93fb633427d02eb77b328d556f2b2b0e266", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 457, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "4d96320cdb0ca52655e91118c33f93afe4ae69e9e513ff4506750b8ea784ce46", + "private" : "c05957fbc3a0e2c22a2aef627651ca1e99307b82a0c6170f7950a334f3004941", + "shared" : 
"c8d85bfa74b4b26461297b350c975183fea9d33ba29c3a4934509c2ecda58a79", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 458, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "c0ef1b7c20237db370501f24274e4eba91998ae4545f937007e1c4a2eab63365", + "private" : "60111c6629f73635985be964b845f87a88ae5652d45bb1451ce8cfd2ea45fe41", + "shared" : "22557e0d8741ed2a63afd5e313aa1579fc0c88c7772e23a676c94b60c89df577", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 459, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "d534d8ff4d56a73ef7615e94523b17e35edb3d0fb87e98c68536f63f114a8d6c", + "private" : "58785889a216d15456582d4e1e3de9e9ca4a432954416d81caf52b2b434c1746", + "shared" : "54d7fc17bad00296ba50b0f3d5bf8fb83f82d571952a5fdb5a494120cc61446b", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 460, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "733a711ba01b6e9b64a0be4cdca8c7cf3c66df2435d5248fb4413fec6ee03f70", + "private" : "60bef38a3890ec1ed05c299fceb77db5ead4b88d9e931b0f21d664f77df9b544", + "shared" : "db6851b12585bc11be9362c96a545c6f2ba55f04009792463b96a38cb9b3f07c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 461, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "35738dd539d60f69cd1a1cffc8a42b6af68fe7de45392d02831e2a77500ea278", + "private" : "5854ee566878ef8b7ebaf5a058306f250edf0c84fd52af2d74b7ce3c1edda746", + "shared" : "f6d1a664257fa5de3d4d57f04eda2976bf1e35cc3ac513e1ee84d57d2135ed13", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 462, + "comment" : "special case for x_2 in multiplication by 8", + "public" : "ce932b5af4be4721f96f7b79ba1c43b20687d4af49c37b58dc894279e04bb578", + "private" : "985b551261fce38ddc8ff3add32f5c26811d271b9a1794e249dd76a38df28446", + "shared" : "f8f7625ac5bde63f753a9bb4aefbfb9c4647207708af9d774ef08ff1b1e5a354", + "result" : "acceptable", + "flags" : [ + 
"Twist" + ] + }, + { + "tcId" : 463, + "comment" : "special case for E in multiplication by 8", + "public" : "e3655448339e4850806eb58abba0c89185511ea72c37c49e9583ee6dd235d213", + "private" : "8815052344dcad97efd1341e9072a808cf999e46e52cf04e0cfbcd9901e18d43", + "shared" : "5e10dfbff4443efcae2ccc78c289a41460d5a82f79df726b8824ccbef7146d40", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 464, + "comment" : "special case for E in multiplication by 8", + "public" : "4d16965b1637e9d7ae8feb499ed0553962a9aa0022d1620c928072f6501bc41b", + "private" : "b8e032e9e5ffbaa004390f3a0b900bc7cf5d11238b7ec964afc4bda2aa6c3444", + "shared" : "19d7b44c1847c44e8f37a22ab69c180fd9d787f204123013e1b16800b9cd0f57", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 465, + "comment" : "special case for E in multiplication by 8", + "public" : "c6b9e6288737ad40452cec1022871d90af1642d10bd0a97792b1a9c8998e2220", + "private" : "7012852211f6536fca79937e7e316c9149b0e20ea03f951e1bb072895ca0e044", + "shared" : "db990d979f4f22f766e7826d93554e771b361de461274d6c37baadeb8ef7be4e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 466, + "comment" : "special case for E in multiplication by 8", + "public" : "d566fab505ac4c7a3dc3b9403ef121392cbbe21216e5bcb8eab2dc9408986e34", + "private" : "d039c1b9ec4763e0ad8a0ef2b0870297d0f8b487e660595a484105d180e14a47", + "shared" : "6d7fc5d4a8f534b1bc0fa5e078104234675c02664736957abdb27df6faf07c00", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 467, + "comment" : "special case for E in multiplication by 8", + "public" : "468d35ecfb6d9b7272523276cc5e13760519667f0e1e3888da4c56955fe91151", + "private" : "58efcbc8777c1b54f09c61a216efd427292eb12312dbb3b32bd45254a6683e47", + "shared" : "539c8d629ab51c2f3ea7278fd5f1c31b6c150a82fe3f786b93ffa159fd6d9316", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 468, + "comment" : "special case for E in multiplication by 8", + "public" : 
"1929538743977dfea20bf4927ddabb2f3bb15cac2461054508849718854b5568", + "private" : "c8d73446026cd0ea795773c2eb7b16348cd5f228e352dbc77328c2d8b9cde240", + "shared" : "dee3fd19c8f296415448b21af44385ec46727bbe67d4839b93efe2f680e76d34", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 469, + "comment" : "special case for E in multiplication by 8", + "public" : "2d7ab4c6f59865355ee8e9de57db19aadf7708b7c1d1a818487c340623badc6d", + "private" : "98b559523bc778b0418af53c0c32f6ff5cf771ff5df8ae7cbf7c3b72aedb5b43", + "shared" : "2a0340aaafa05d00529c09057ed0145f34d2de66a3e149cf084ea97168914f39", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 470, + "comment" : "special case for E in multiplication by 8", + "public" : "43839f4a6aa206c82c5a73f49d8c9e573826b3ba7235d312987c17aebee62776", + "private" : "589815027caf82714e96c9f91bace66ec4ba3e92df3fa14b9b8fe503556e4543", + "shared" : "00313717d33e3b41a0865986157582e053502a172b88d01bb7b10831a9fc4e6c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 471, + "comment" : "special case for E in multiplication by 8", + "public" : "3c321e7f0b9e555bc264a2cea617e6b2b562ebab21fe0c226c3e487b7df9a27d", + "private" : "80715f67270c99789855ceaea99b9957ccda33326f76bb4474ab52ab1ec37041", + "shared" : "9b6be9e6f2fdb5d3321842225d3e91d14828cc53ba6654dabe190b0c3edeb309", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 472, + "comment" : "special case for DA - CB in multiplication by 8", + "public" : "42e5a6b8e9654bb4ad624af3f491877977513cc8775c8fb312ad19dbf3903a28", + "private" : "101b990bd83d684126ff047d930c27d086a588dd19683d2629f0e34f4374ab41", + "shared" : "223f1eb552308373026d11c954684ce6db870b638b190b9443e50aae219f4e3e", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 473, + "comment" : "special case for DA - CB in multiplication by 8", + "public" : "0a51dd90ab985f6deaf72f16c45014da26df848697f6582d75688f5223342b51", + "private" : 
"200089b712d9a2050597779d463712fcd223e3d67879c0fb7606f8f5f0efee40", + "shared" : "fb95ce4a3c1f325638b7d47f4216d39a7c6c5da9a01caa297c37b62816555b2a", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 474, + "comment" : "special case for DA - CB in multiplication by 8", + "public" : "8842317357bde825ef438a1c53906fb8b04ea360f7ef338c78e668586047936a", + "private" : "f04f87f4e623af4c31ceca0bb87fac2d5b12517b5a7284902ad75838e65f1e41", + "shared" : "488b8341c9cb1bbf124510b9f8dae4faf2e0dca9b84e00e952a63b5aa328a860", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 475, + "comment" : "special case for DA - CB in multiplication by 8", + "public" : "c71d92d3c92dbfaed755fb32797b667cc86b0e79362498e2aca38c689713b16e", + "private" : "383cbd5a3dd0901d09a3cac3d3a77a979cecf15e206a553e4ca3f24b90783945", + "shared" : "1129eae97bf75f7314f2e1b403b18737ad830c80429e2ba0d4866b362399855f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 476, + "comment" : "special case for DA - CB in multiplication by 8", + "public" : "3a21d1cf7b3744d1ad26197335844982c2a0c6a5aa835492bd03c401a4fe6778", + "private" : "701df09e57b98aec375745df147b72949a6b2bb2ca3a34881512ee31e790ad42", + "shared" : "072f51d94727f392d59dc7caff1f4460452352ec39c32a1c9f071e388833da56", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 477, + "comment" : "special case for CB in multiplication by 8", + "public" : "d128ea3e13325ed6ebd6533a9fd3045a55f25ad8b67def30912843504c1aab29", + "private" : "b0ffa5f4922bb117ad75ff43acac62331efaa45536fe88306e4a4cb58db73a47", + "shared" : "30512142d3e3a4cad6726d9d35f2e043fca9dfb750884ae22b2547c840f3587b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 478, + "comment" : "special case for CB in multiplication by 8", + "public" : "e079c8f8423165c7e0a2c48b4abe90aece4e6d903d7a5a1625fad0410cd55b32", + "private" : "685e3271d2015741756612a930e858b930acf2018145f382c83d8cced2e22044", + "shared" : 
"5b81b3761a66d199e8ef99d2494bd57a0229d4564a7f6d6055f22aa48681bd3a", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 479, + "comment" : "special case for BB in multiplication by 8", + "public" : "65922a06e9be4e8a5e8aceb1a4e08fe90f01e10ef2dd27315427cedfcf95ec32", + "private" : "f8e161d69297e017d7c51b1b1ff3ba703d4c4cf8fc2b8ff47f74c3ff8c7d3541", + "shared" : "038de7fdb9cc0030f5c11dda00589f0a95f65658815b06ed013553a02b6c5017", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 480, + "comment" : "special case for BB in multiplication by 8", + "public" : "d36a240e972dc16e9b97a997ada337f02760d05c46d7f8d7b4e9ea9a635c7c64", + "private" : "105d7589f8abef0acf0940da84a69e8f2f306fa73c9afd27342287c1dba80044", + "shared" : "22b0dea3b3b7ca55eceeaae6443426548c7c15cc7ddf31780318d1c23879c16a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 481, + "comment" : "special case for BB in multiplication by 8", + "public" : "4f5b8b9892b8a46df08d76a4745b1c58d4e7a394905435875688ca11f1e9d86a", + "private" : "1893d4388b0e90f0b50208aa8f0cc24f576d03641baf1c3eddb2a3efa69c9d40", + "shared" : "a25e1306684ad7870a31f0404566e8d28f2d83d4b9497822c57f8781b18fec20", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 482, + "comment" : "special case for BB in multiplication by 8", + "public" : "aa2f02628269139a7a8a16fde95c9bad7da7ffbd5439c396a7d77b6c3213e67f", + "private" : "0065171301bf6b90fb16efa35509161f1bd6b3b93130d490af9fe224dd155f45", + "shared" : "bb4431bea7a5871c1be27a2674094627eaaa4425c99cd3fa41bd7e13cbd7bf7e", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 483, + "comment" : "special case for A in multiplication by 8", + "public" : "d995cb287e9a9c5791f3cae3d494a5b516a1e26cbc930f43e73c8b70b69d783b", + "private" : "10c81a4e78d82145b266e1d74b3869bf1c27427803ebb11c92ff8073d1e4cc46", + "shared" : "330f5d0b5bccc90f7694dfdd9c6449a62d93af8840eaf571e3e0610e0198b03f", + "result" : "valid", + "flags" : [] + }, + { + 
"tcId" : 484, + "comment" : "special case for A in multiplication by 8", + "public" : "479afb1e73dc77c3743e51e9ec0bcc61ce66ed084dc10bfa2794b4c3e4953769", + "private" : "48b98b4a99eadd73012c07fe5c4a0b9590ac55e821353b41d5f665e17188bc41", + "shared" : "bdef00caa514b2f8ab1fb2241e83787a02601ecdff6cf166c4210f8c1ade4211", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 485, + "comment" : "special case for DA in multiplication by 8", + "public" : "378eda41470b0f238a200f80809ad562ca41e62411a61feb7f7e9b752b554642", + "private" : "1897678e38222a61fe105dc6643c1eb5940e8dbc73ed6c00f25a34328f43a641", + "shared" : "bfd5b5acd2d89f213a26caf54062f9a24e6f6fd8ddd0cd2e5e47b7fea4a9c537", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 486, + "comment" : "special case for DA in multiplication by 8", + "public" : "0cad7545ade2fd93fcae007c97648348f26d85829bdb7223a63eccb84e56d475", + "private" : "a898af8138e11ae45bbcefa737182a571885f92d515c32056c7cb0d7deac4741", + "shared" : "c8085877800c175e949cdd88e196eb9c4841da2ac446dfed9085bda5bbec265d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 487, + "comment" : "special case for AA in multiplication by 9", + "public" : "60f27ed0a27804ced237cf3c1cc776650fb320bae6d5acb564e97b56cba25210", + "private" : "b0bfef6ec095b5a1f93917d32f16a21d0462c1fde17446f5a590232d9c895f4a", + "shared" : "4c300895827382a9d1079028bd6f694a7a12ddac9c76abac6fdf5d29457a3310", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 488, + "comment" : "special case for AA in multiplication by 9", + "public" : "f93a73270ac19194b8e4ffd02be4b1438525f84a76224688ea89a9dd6a1bd623", + "private" : "60497d4464ed8823c50fbc6b68620826c4f629c1d9193058df6bf857c6aecc4b", + "shared" : "7285fbb3f76340a979ab6e288727a2113332cf933809b018b8739a796a09d00b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 489, + "comment" : "special case for AA in multiplication by 9", + "public" : 
"cf80c30fcbfd535666ca1da499e2e99cc537063e2de19458fcf92f5ee34acf47", + "private" : "08c6cbe03792a3829f06e8ad54c55db113236ac0dcc9ab6a9a6b10eed1041b48", + "shared" : "dabc3bd49f19cf7071802e43c863ed0b1d93a841588098b98a0c581bf4fe0a11", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 490, + "comment" : "special case for AA in multiplication by 9", + "public" : "698effe0ad42e15ee1f46fde6fc5074ffda183bcf1b2db8647f561ddd191dd60", + "private" : "50044da3315dd082e9dfb6a1994aabb331f53e0d1c12633383b2a3c8678cfe4c", + "shared" : "a61a3b150b4770532373676298c9a5da28adcc4365b06fe07c959ca80e477a57", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 491, + "comment" : "special case for AA in multiplication by 9", + "public" : "bd1565b4a3f8515dff577be6dcb414511d3d4ec2de15e0bd45b28e9cc4caef60", + "private" : "285640da7a48252e35ddce60c14addb73097fbc9ac2f87c8d2772ce89aa6be4d", + "shared" : "916ab4f3bfc8321e1087d9c5444f8f7a43e9ca6d29e7ba98a19dc05fff34ed4c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 492, + "comment" : "special case for AA in multiplication by 9", + "public" : "b8649e13843f80cf5702398e4a9a8c378f29da96dfd6579f1eb4f7ea34df6765", + "private" : "783271c21199ba2e94ead92cd9dd79f70aab378b59497455d327a5907dafcb4a", + "shared" : "844a5dd5139554ca7b41cbe6a4796193912e7aa4e201cc68944ce2a55774a10f", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 493, + "comment" : "special case for AA in multiplication by 9", + "public" : "c396938737abdf791e09a97eba577c437d9b67c2dae94e13eab7296ec0fc737e", + "private" : "d0676a0b9a046c62d5b2e740d9cc43fa37965dea93c23254f7bf569f2bebaa4a", + "shared" : "10780333b2a6170136265bb5ebc6c818817f2e48ae372528c8f34433fdd6215a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 494, + "comment" : "special case for DA - CB in multiplication by 9", + "public" : "557b825012d98f065bb95a2ab9b2d2d8b83fd2037912508c263f86d7e36c4f24", + "private" : 
"608c84d2b76fccda579e974db3d3b2ce39a6bc0dad440599db22411b60467849", + "shared" : "5ce84842dbae8b795b3d545343558045508f271383bfb3dd3943f4101398c864", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 495, + "comment" : "special case for z_2 in multiplication by 9", + "public" : "ae98296d4a2fbcbb40b472f4063231608bb1465c226c8a4a2dff29afd915882a", + "private" : "80f233936a8821936d39114c84d929e79760b27680779e5009e1709410dd8e4f", + "shared" : "4f11aa0c313195f96f25cadcbf49f06a932d8b051879ea537d1c6dfee7f36d35", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 496, + "comment" : "special case for z_2 in multiplication by 9", + "public" : "8b9d249829fbe81333d85050da88998f63fac665679e27dbbe21b745dd14e145", + "private" : "c8d80b1a34f21194f047a6f0328bb947e2e7aff6a043553aa07f2abf99aaf048", + "shared" : "1d619070bf5626064be10025e74e336c81ef3166b743f99c751fb90587c31d7e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 497, + "comment" : "special case for z_2 in multiplication by 9", + "public" : "61896093e2697c78230afdda12639cbe4342827b8d2b093281f148eb60b9034b", + "private" : "9021477b452361580059364c6f94f4981ee94ea3f9b7d37439bc82ae45816f4d", + "shared" : "532e797861db56b9d5db8825fb72f8629c2422f8abea721ad2d7b9e77a95b576", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 498, + "comment" : "special case for z_2 in multiplication by 9", + "public" : "ccc1dc186229dba9a9360a0f7ff00247a3732625acaacd18ea13a9a8b40fac4f", + "private" : "6079dae04c40a59ea4e0c8c17092e4c85ea9133d143307363487836df4e30349", + "shared" : "4f678b64fd1f85cbbd5f7e7f3c8ac95ec7500e102e9006d6d42f48fb2473ab02", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 499, + "comment" : "special case for z_2 in multiplication by 9", + "public" : "69e368c0b7e78eb9f3a53bf458f6e79dc4883bf9458f04a8c12c4ddd94d62151", + "private" : "281db6a5ac9a47d4a7b2b91a87f6536ce62d4e5129b8d647b97f9c504014894c", + "shared" : 
"e069fd06702f10f33adb8cf0766880634865b510e2da409241fb5f178050514a", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 500, + "comment" : "special case for z_2 in multiplication by 9", + "public" : "f21f9badd98dd8a103cc2ab5484fac6c2bfdd2671ee6e674134a86b89cee9160", + "private" : "d830f3c4785829a0f945857e0e85e0ae723702b57783b933cd2a2ad05484fe49", + "shared" : "fee218eb1f92864486e83c1731f04bb8c7e6d7143e3915bcbf80fe03ff69dc77", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 501, + "comment" : "special case for E in multiplication by 9", + "public" : "e853062b2d6f38d021d645163ea208d0e193a479f11f99971b98e21188fd0b2c", + "private" : "10230bd0721f4c8c4b921881dd88c603af501ee80e2102f8acc30cf8b2acd349", + "shared" : "64bdfa0207a174ca17eeba8df74d79b25f54510e6174923034a4d6ee0c167e7b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 502, + "comment" : "special case for E in multiplication by 9", + "public" : "362eb92dab9fb29f7ed0e03843dcc15797928c2b4e51ec260204179c1c12945f", + "private" : "f0a34d6d76896e17cb8f66feda23115ffb96f246b823bb63dec08335787de74c", + "shared" : "d7f4583ee4fe86af3a3f1dfcb295ba3a3e37bced7b9c6f000a95336530318902", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 503, + "comment" : "special case for E in multiplication by 9", + "public" : "ff543f1e81996e88631f030ceba7e603b13033efd205e68bd36b28468134aa73", + "private" : "9073c1d0a173c7ff02dc966a165993d9c4c9357514f7a6bb7aaa4b0827718948", + "shared" : "c1b5e5f4401c98fa14eba8aafae30a641bfd8fb132be03413f3bf29290d49e0b", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 504, + "comment" : "special case for x_2 in multiplication by 9", + "public" : "90ef70844ead1613f69df7d78c057813f866c0d95e6d22caee4a012b9c1c4b33", + "private" : "b0c1822566e016c12ae35ec035edd09af3cb7a48f55c9028e05e1178a8c3824e", + "shared" : "9369ebb3d2b744341cba77302719a4b2d63aff612872f86d9877a76bc919ca1c", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 505, + 
"comment" : "special case for x_2 in multiplication by 9", + "public" : "88c1ae575ad073dda66c6eacb7b7f436e1f8ad72a0db5c04e5660b7b719e4c4b", + "private" : "e06fe64e2117796f997bbcd3bcad3067cf1291640a3a643fb359809a4016834d", + "shared" : "335394be9c154901c0b4063300001804b1cd01b27fa562e44f3302168837166e", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 506, + "comment" : "special case for x_2 in multiplication by 9", + "public" : "dcffc4c1e1fba5fda9d5c98421d99c257afa90921bc212a046d90f6683e8a467", + "private" : "707ee81f113a244c9d87608b12158c50f9ac1f2c8948d170ad16ab0ad866d74b", + "shared" : "7ecdd54c5e15f7b4061be2c30b5a4884a0256581f87df60d579a3345653eb641", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 507, + "comment" : "special case for BB in multiplication by 9", + "public" : "6c0044cd10578c5aff1ff4917b041b76c9a9ae23664eb8cf978bd7aa192cf249", + "private" : "7089654baacbb65bd00cd8cb9de4680e748075e8842ca69d448fb50fea85e74e", + "shared" : "0d8c21fa800ee63ce5e473d4c2975495062d8afa655091122cb41799d374594f", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 508, + "comment" : "special case for BB in multiplication by 9", + "public" : "d9089de902e143dcd9107e5a3393a3f7fe05d926c357b47e307a236cb590fd64", + "private" : "8089784c52cd67e4536e568218c7b7033b28413f942fca24ed69e43496efa14b", + "shared" : "db6fec44bf118316a6bdfbae9af447baede4d82daa16bed596ea6f05d4a51400", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 509, + "comment" : "special case for BB in multiplication by 9", + "public" : "8c4a26aa319c2cc4a4158c2bc69a0d5b340b60628a14cf31bb0ae5ddc38ae866", + "private" : "00e73e4e013148b9f05273bad626bb126a40ec4558f5425096b48947e0a9de4a", + "shared" : "ecc1204bc753c4cec4c9059fd7b504944ebf995ab1b1d49f0b3b325353be3a15", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 510, + "comment" : "special case for BB in multiplication by 9", + "public" : 
"ce7295d1227c9062aab9cf02fc5671fb81632e725367f131d4122824a6132d68", + "private" : "78ed4c9bf9f44db8d93388985191ecf59226b9c1205fe7e762c327581c75884e", + "shared" : "3740de297ff0122067951e8985247123440e0f27171da99e263d5b4450f59f3d", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 511, + "comment" : "private key == -1 (mod order)", + "public" : "6c05871352a451dbe182ed5e6ba554f2034456ffe041a054ff9cc56b8e946376", + "private" : "a023cdd083ef5bb82f10d62e59e15a6800000000000000000000000000000050", + "shared" : "6c05871352a451dbe182ed5e6ba554f2034456ffe041a054ff9cc56b8e946376", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 512, + "comment" : "private key == 1 (mod order) on twist", + "public" : "2eae5ec3dd494e9f2d37d258f873a8e6e9d0dbd1e383ef64d98bb91b3e0be035", + "private" : "58083dd261ad91eff952322ec824c682ffffffffffffffffffffffffffffff5f", + "shared" : "2eae5ec3dd494e9f2d37d258f873a8e6e9d0dbd1e383ef64d98bb91b3e0be035", + "result" : "acceptable", + "flags" : [ + "Twist" + ] + }, + { + "tcId" : 513, + "comment" : "special case private key", + "public" : "3e3e7708ef72a6dd78d858025089765b1c30a19715ac19e8d917067d208e0666", + "private" : "4855555555555555555555555555555555555555555555555555555555555555", + "shared" : "63ef7d1c586476ec78bb7f747e321e01102166bf967a9ea9ba9741f49d439510", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 514, + "comment" : "special case private key", + "public" : "9f40bb30f68ab67b1c4b8b664982fdab04ff385cd850deac732f7fb705e6013a", + "private" : "4855555555555555555555555555555555555555555555555555555555555555", + "shared" : "8b98ef4d6bf30df7f88e58d51505d37ed6845a969fe598747c033dcd08014065", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 515, + "comment" : "special case private key", + "public" : "be3b3edeffaf83c54ae526379b23dd79f1cb41446e3687fef347eb9b5f0dc308", + "private" : "4855555555555555555555555555555555555555555555555555555555555555", + "shared" : 
"cfa83e098829fe82fd4c14355f70829015219942c01e2b85bdd9ac4889ec2921", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 516, + "comment" : "special case private key", + "public" : "3e3e7708ef72a6dd78d858025089765b1c30a19715ac19e8d917067d208e0666", + "private" : "b8aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa6a", + "shared" : "4782036d6b136ca44a2fd7674d8afb0169943230ac8eab5160a212376c06d778", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 517, + "comment" : "special case private key", + "public" : "9f40bb30f68ab67b1c4b8b664982fdab04ff385cd850deac732f7fb705e6013a", + "private" : "b8aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa6a", + "shared" : "65fc1e7453a3f8c7ebcd577ade4b8efe1035efc181ab3bdb2fcc7484cbcf1e4e", + "result" : "valid", + "flags" : [] + }, + { + "tcId" : 518, + "comment" : "special case private key", + "public" : "be3b3edeffaf83c54ae526379b23dd79f1cb41446e3687fef347eb9b5f0dc308", + "private" : "b8aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa6a", + "shared" : "e3c649beae7cc4a0698d519a0a61932ee5493cbb590dbe14db0274cc8611f914", + "result" : "valid", + "flags" : [] + } + ] + } + ] +} diff --git a/tools/configure.py b/tools/configure.py new file mode 100644 index 00000000..a97e42af --- /dev/null +++ b/tools/configure.py 
@@ -0,0 +1,255 @@ +# Copyright 2022 Cryspen Sarl +# +# Licensed under the Apache License, Version 2.0 or MIT. +# * http://www.apache.org/licenses/LICENSE-2.0 +# * http://opensource.org/licenses/MIT + +import os +import json +import re +import subprocess +from os.path import join +from os import sep as separator +from glob import glob + + +class Config: + + def dependencies(self, source_dir, algorithm, source_file): + """Collect dependencies for a given c file + + Use `$CC -MM` to collect dependencies for a given c file assuming header + and source files are named the same. + """ + # Build dependency graph + # FIXME: read include paths and CC from config.json + includes = '-I ' + ' -I '.join(self.include_paths) + result = subprocess.run( + self.compiler + ' ' + includes + ' -I' + + join(source_dir, 'internal') + ' -MM ' + + join(source_dir, source_file), + stdout=subprocess.PIPE, + shell=True, + check=True) + stdout = result.stdout.decode('utf-8') + + files = [] + for line in stdout.splitlines(): + # Remove object file and the c file itself + first_line_search = "(\w*).o: " + \ + re.escape(join(source_dir, "(\w*).c")) + line = re.sub(first_line_search, "", line) + line = line.strip() + line = line.split(' ') + try: + line.remove("\\") + except: + # This is fine + pass + files.extend(line) + + # Get all source files in source_dir + source_files = glob(join(source_dir, "*.c")) + # remove source_dir and .c + source_files = list( + map(lambda s: s[len(source_dir)+1:-2], source_files)) + + # Now let's collect the c files from the included headers + # This adds all files without looking at the feature requirements into deps. + deps = [] + includes = [] + for include in files: + # Get the file name from the path + file_name = os.path.splitext(os.path.basename(include))[0] + # Only add the dependency if there's a corresponding source file. 
+ if file_name in source_files: + deps.append(join(source_dir, file_name+".c")) + # We take all includes though + if include.endswith(".h"): + includes.append(include) + return deps, includes + + def __init__(self, config_file, source_dir, include_dir, algorithms=[], compiler='clang'): + """Read the build config from the json file""" + print(" [mach] Using %s to configure ..." % (config_file)) + if len(algorithms) != 0: + print(" [mach] enabling %s" % " ".join(algorithms)) + + # read file + with open(config_file, 'r') as f: + data = f.read() + + self.compiler = compiler + + # parse file + self.config = json.loads(data) + self.hacl_files = self.config["hacl_sources"] + self.evercrypt_files = self.config["evercrypt_sources"] + self.vale_files = self.config["vale_sources"] + self.tests = self.config["tests"] + + self.include_paths = [include_dir] + # We need the config.h generated by CMake + self.include_paths.append("build") + # Set kremlin as include paths + self.include_paths.extend(self.config["kremlin_include_paths"]) + # If vale is compiled add the include path + if len(self.vale_files) != 0: + self.include_paths.extend(self.config["vale_include_paths"]) + + # Filter algorithms in hacl_files + # In the default case (empty list of algorithms) we don't do anything. + if len(algorithms) != 0: + # Check if the algorithms are actually valid + for alg in algorithms: + if not alg in self.hacl_files: + print(" [mach] ! Unsupported algorithm requested: %s" % alg) + exit(1) + for a, _ in list(self.hacl_files.items()): + if not a in algorithms: + del self.hacl_files[a] + for a, _ in list(self.evercrypt_files.items()): + if not a in algorithms: + del self.evercrypt_files[a] + for a, _ in list(self.tests.items()): + if not a in algorithms: + del self.tests[a] + for a, _ in list(self.vale_files.items()): + if not a in algorithms and a != "std": + del self.vale_files[a] + + # Collect dependencies for the hacl files. 
+ self.hacl_compile_feature = {} + self.hacl_includes = [] + for a in self.hacl_files: + for source_file in self.hacl_files[a]: + files, includes = self.dependencies( + source_dir, a, source_file["file"]) + self.hacl_includes.extend(includes if type( + includes) == list else [includes]) + feature = source_file["features"] + if feature in self.hacl_compile_feature: + self.hacl_compile_feature[feature].extend( + files if type(files) == list else [files]) + else: + # Add the new feature dependency + self.hacl_compile_feature[feature] = files if type(files) == list else [ + files] + # Remove files that require additional features from hacl_compile_files + for feature in self.hacl_compile_feature: + if feature != "std": + # Filter all feature files to remove std files. + self.hacl_compile_feature[feature] = [ + file for file in self.hacl_compile_feature[feature] if file not in self.hacl_compile_feature["std"]] + + # Flatten test sources + self.test_sources = [f for files in [self.tests[b] + for b in self.tests] for f in files] + + # Flatten vale files into a single list for each platform. + # This is all or nothing. + platforms = {} + for algorithm in self.vale_files: + for p in self.vale_files[algorithm]: + if p in platforms: + platforms[p].extend(self.vale_files[algorithm][p]) + else: + platforms[p] = self.vale_files[algorithm][p] + for p in platforms: + platforms[p] = [join("vale", "src", f) for f in platforms[p]] + self.vale_files = platforms + + # Evercrypt has feature detection and we don't disable anything. 
+ self.evercrypt_compile_files = [] + for a in self.evercrypt_files: + for source_file in self.evercrypt_files[a]: + files, includes = self.dependencies(source_dir, a, source_file) + self.evercrypt_compile_files.extend(files) + self.hacl_includes.extend(includes if type( + includes) == list else [includes]) + + # Remove duplicates from all lists + for k in self.hacl_compile_feature: + self.hacl_compile_feature[k] = list( + dict.fromkeys(self.hacl_compile_feature[k])) + self.evercrypt_compile_files = list( + dict.fromkeys(self.evercrypt_compile_files)) + self.hacl_includes = list(dict.fromkeys(self.hacl_includes)) + # Drop Hacl_ files from evercrypt + self.evercrypt_compile_files = [ + f for f in self.evercrypt_compile_files if "Hacl_" not in f] + self.hacl_compile_feature['std'].extend(self.evercrypt_compile_files) + + # We don't want internal excludes to be installed. + self.public_includes = [file for file in self.hacl_includes if join( + "internal", os.path.basename(file)) not in file] + + def write_cmake_config(self, cmake_config): + print(" [mach] Writing cmake config to %s ..." 
% (cmake_config)) + # cmake wants the unix style for paths apparently + with open(cmake_config, 'w') as out: + for a in self.hacl_compile_feature: + out.write("set(SOURCES_%s %s)\n" % + (a, " ".join(join("${PROJECT_SOURCE_DIR}", f) for f in self.hacl_compile_feature[a]).replace(separator, '/'))) + + out.write("set(INCLUDES %s)\n" % + " ".join(join("${PROJECT_SOURCE_DIR}", a) for a in self.hacl_includes).replace(separator, '/')) + + out.write("set(PUBLIC_INCLUDES %s)\n" % + " ".join(join("${PROJECT_SOURCE_DIR}", a) for a in self.public_includes).replace(separator, '/')) + + out.write("set(ALGORITHMS %s)\n" % + " ".join(a for a in self.hacl_files).replace(separator, '/')) + + out.write("set(INCLUDE_PATHS %s)\n" % + " ".join(join("${PROJECT_SOURCE_DIR}", p) for p in self.include_paths).replace(separator, '/')) + + out.write("set(TEST_SOURCES %s)\n" % + (" ".join(join("${PROJECT_SOURCE_DIR}", "tests", f) for f in self.test_sources).replace(separator, '/'))) + + for os in self.vale_files: + out.write("set(VALE_SOURCES_%s %s)\n" % + (os, " ".join(join("${PROJECT_SOURCE_DIR}", f) for f in self.vale_files[os]).replace(separator, '/'))) + + out.write("set(ALGORITHM_TEST_FILES %s)\n" % + " ".join("TEST_FILES_"+a for a in self.tests).replace(separator, '/')) + for a in self.tests: + out.write("set(TEST_FILES_%s %s)\n" % + (a, " ".join(f for f in self.tests[a]).replace(separator, '/'))) + + def dep_config(self): + print(" [mach] Collecting files and dependencies ...") + includes = [ + include for include in self.hacl_includes if not include.startswith("kremlin") and not include.startswith("vale")] + vale_includes = [ + include for include in self.hacl_includes if include.startswith("vale")] + kremlin_includes = [ + include for include in self.hacl_includes if include.startswith("kremlin")] + return { + "sources": self.hacl_compile_feature, + "includes": includes, + "kremlin_includes": kremlin_includes, + "vale_sources": self.vale_files, + "vale_includes": vale_includes, + } + 
+ def write_dep_config(self, dep_config): + config = self.dep_config() + json_data = json.dumps(config, indent=4) + with open(dep_config, "w") as outfile: + outfile.write(json_data) + + def source_files(self): + """Get a list of all source files in the config.""" + out = [] + # FIXME + # for a in self.hacl_compile_files: + # out.extend(self.hacl_compile_files[a]) + for a in self.evercrypt_compile_files: + out.extend(self.evercrypt_compile_files[a]) + return out + + # TODO: we first have to create a list of headers + def header_files(self): + """Get a list of all header files in the config.""" + pass diff --git a/tools/macos.py b/tools/macos.py new file mode 100644 index 00000000..60c8266c --- /dev/null +++ b/tools/macos.py @@ -0,0 +1,23 @@ +# Copyright 2022 Cryspen Sarl +# +# Licensed under the Apache License, Version 2.0 or MIT. +# * http://www.apache.org/licenses/LICENSE-2.0 +# * http://opensource.org/licenses/MIT + +import subprocess + +# Helper functions for macOS. + + +def ios_sysroot(): + '''Returns the sysroot of the iOS SDK''' + result = subprocess.run("xcrun --sdk iphoneos --show-sdk-path", + stdout=subprocess.PIPE, + shell=True, + check=True) + return result.stdout.decode('utf-8')[:-1] + + +def aarch64_ios_args(): + '''Returns clang arguments to build for aarch64 iOS''' + return ['-isysroot', ios_sysroot()] diff --git a/tools/ocaml.py b/tools/ocaml.py new file mode 100644 index 00000000..9e8512eb --- /dev/null +++ b/tools/ocaml.py 
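Review bot: `Config.dependencies` builds the `$CC -MM` command line by string concatenation and runs it with `shell=True`, so any `source_dir`, `include_dir`, `kremlin_include_paths`/`vale_include_paths` entry from `config.json` or a source file name containing spaces or shell metacharacters is re-parsed by the shell, which can turn a bad path into command execution; pass an argv list and drop `shell=True` (use `shlex.split(self.compiler)` with an `import shlex` if a compiler string with flags must keep working). `source_files` is also broken as written: `self.evercrypt_compile_files` is built as a list, yet the loop indexes it with its own elements (`self.evercrypt_compile_files[a]`), so the first call raises `TypeError`; `return list(self.evercrypt_compile_files)` is what the FIXME'd code wants. Two smaller points: the bare `except:` around `line.remove("\\")` should be `except ValueError:`, and `algorithms=[]` in `__init__` is a shared mutable default (`algorithms=None` then `algorithms = algorithms or []`).
```python
    def dependencies(self, source_dir, algorithm, source_file):
        # … unchanged: docstring …
        cmd = shlex.split(self.compiler)
        for path in self.include_paths:
            cmd.extend(['-I', path])
        cmd.extend(['-I', join(source_dir, 'internal'),
                    '-MM', join(source_dir, source_file)])
        # argv list, no shell: paths are never re-parsed by /bin/sh
        result = subprocess.run(cmd, stdout=subprocess.PIPE, check=True)
        stdout = result.stdout.decode('utf-8')
        # … unchanged: parsing of the -MM output into deps/includes …
```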
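Review bot: `ios_sysroot` strips the last byte of xcrun's output with `[:-1]`, which assumes a trailing newline; if `xcrun` prints nothing or no newline the SDK path is silently truncated by one character. Use `result.stdout.decode('utf-8').rstrip('\n')` instead. `shell=True` is unnecessary for this fixed literal and can be dropped with `subprocess.run(['xcrun', '--sdk', 'iphoneos', '--show-sdk-path'], stdout=subprocess.PIPE, check=True)`.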
@@ -0,0 +1,68 @@ +# Copyright 2022 Cryspen Sarl +# +# Licensed under the Apache License, Version 2.0 or MIT. +# * http://www.apache.org/licenses/LICENSE-2.0 +# * http://opensource.org/licenses/MIT + +import os +from os.path import join as path_join +import subprocess +import sys + +from tools.utils import cmake_generated_config +from tools.utils import mprint as print +from ocaml.setup import copy_lib + + +def read_config(): + '''The make build requires environment variables from CMake. + Read them here. + ''' + with open(cmake_generated_config(), 'r') as f: + cmake_config = f.readlines() + environment = {**os.environ} + for line in cmake_config: + variable, value = line.split('=') + if value == "TRUE": + environment[variable] = "1" + return environment + + +def build_ocaml(): + '''Build the OCaml bindings. + ''' + # XXX: Windows is not supported + if sys.platform == 'darwin': + so = 'dylib' + else: + so = 'so' + cwd = path_join(os.path.dirname(os.path.realpath(__file__)), '..') + environment = {**os.environ, + "HACL_MAKE_CONFIG": path_join(cwd, "config", "cached-config.txt")} + copy_lib(path_join(cwd, 'include'), + path_join(cwd, 'vale', 'include'), + path_join(cwd, 'build', 'Release'), + path_join(cwd, 'kremlin'), + path_join(cwd, 'build'), + "libhacl_static.a", "libhacl."+so, "config.h", + path_join(cwd, 'ocaml', 'c')) + make_cmd = 'make -C ocaml ocamlevercrypt.cmxa -j' + subprocess.run(make_cmd, check=True, shell=True, env=environment) + make_cmd = 'make -C ocaml -j' + subprocess.run(make_cmd, check=True, shell=True, env=environment) + + +def test_ocaml(): + '''Test the OCaml bindings''' + cwd = path_join(os.path.dirname(os.path.realpath(__file__)), '..') + environment = {**os.environ, + "HACL_MAKE_CONFIG": path_join(cwd, "config", "cached-config.txt")} + make_cmd = 'make -C ocaml test -j' + subprocess.run(make_cmd, check=True, shell=True, env=environment) + + +def clean_ocaml(): + '''Clean the OCaml build. 
+ '''
+ make_cmd = ['make', '-C', 'ocaml', 'clean']
+ subprocess.run(make_cmd, check=True)
diff --git a/tools/test.py b/tools/test.py
new file mode 100644
index 00000000..75450dbb
--- /dev/null
+++ b/tools/test.py
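Review bot: `read_config` compares `value == "TRUE"`, but `readlines()` keeps the trailing newline, so `value` is `"TRUE\n"` and no variable is ever set to `"1"`; `line.split('=')` also raises `ValueError` on a blank line or on a value that itself contains `=`. Suggest `variable, _, value = line.rstrip('\n').partition('=')` followed by `if value.strip() == "TRUE":`. As far as this hunk shows, `build_ocaml` and `test_ocaml` never call `read_config` and only export `HACL_MAKE_CONFIG`, so if the make build really needs the CMake variables the docstring describes, the function should be wired in (or removed). A bare `make -j` with no count also spawns an unbounded number of jobs; consider `-j` with `os.cpu_count()`.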
@@ -0,0 +1,83 @@ + +# Copyright 2022 Cryspen Sarl +# +# Licensed under the Apache License, Version 2.0 or MIT. +# * http://www.apache.org/licenses/LICENSE-2.0 +# * http://opensource.org/licenses/MIT + +import json +import os +import re +import subprocess +import sys +from tools.configure import Config +from tools.ocaml import test_ocaml +from tools.utils import subcommand, argument, cli, subparsers, mprint as print, binary_path, json_config + +from os.path import join +from pathlib import Path + + +def run_tests(tests, bin_path, test_args=[], algorithms=[]): + print("Running tests ...") + if not os.path.exists(binary_path(bin_path)): + print("! Nothing is built! Please build first. Aborting!") + exit(1) + os.chdir(binary_path(bin_path)) + my_env = dict(os.environ) + my_env["TEST_DIR"] = join(os.getcwd(), "..", "..", "tests") + for algorithm in tests: + for test in tests[algorithm]: + test_name = os.path.splitext(test)[0] + if len(algorithms) == 0 or test_name in algorithms or algorithm in algorithms: + file_name = Path(test).stem + if sys.platform == "win32": + file_name += ".exe" + if not os.path.exists(file_name): + print("! Test '%s' doesn't exist. Aborting!" % + (file_name)) + print(" Running this test requires a build first.") + print(" See mach.py build --help") + exit(1) + test_cmd = [join(".", file_name)] + test_cmd.extend(test_args) + print(" ".join(test_cmd)) + subprocess.run(test_cmd, check=True, shell=True, env=my_env) + +# TODO: add arguments (pass through gtest arguments and easy filters) + + +@subcommand([argument("-a", "--algorithms", + help="The algorithms to test.", type=str), + argument("-l", "--language", + help="Language bindings to test.", type=str), + argument("-v", "--verbose", help="Make tests verbose.", + action='store_true')]) +def test(args): + """Test HACL* + """ + if args.language: + # We ignore algorithms here. Just run the language bindings' tests. 
+ if args.language == "ocaml": + test_ocaml() + exit(0) + elif args.language == "rust": + subprocess.run( + ['cargo', 'test', '--manifest-path=rust/Cargo.toml'], check=True) + exit(0) + else: + print( + "Unknown language binding %s. Please see --help for supported bindings" % (args.l)) + exit(1) + + algorithms = [] + if args.algorithms: + algorithms = re.split(r"\W+", args.algorithms) + + # read file + with open(json_config(), 'r') as f: + data = f.read() + + # parse file + config = json.loads(data) + run_tests(config['tests'], "Debug", algorithms=algorithms) diff --git a/tools/utils.py b/tools/utils.py new file mode 100644 index 00000000..73218dbd --- /dev/null +++ b/tools/utils.py 
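Review bot: `run_tests` passes a list to `subprocess.run` together with `shell=True`; on POSIX the shell receives only `test_cmd[0]` as the command and the remaining elements become positional shell parameters, so any `test_args` are silently dropped and the binary name is re-parsed by `/bin/sh`. Drop the flag: `subprocess.run(test_cmd, check=True, env=my_env)`. The unknown-language branch reads `args.l`, which argparse never defines (the dest is `language`), so that error path raises `AttributeError` instead of printing its message; use `args.language`. `exit(1)` is the `site`-provided builtin and is absent under `python -S`; `sys.exit(1)` is the portable form (`sys` is already imported).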
@@ -0,0 +1,108 @@ +# Copyright 2022 Cryspen Sarl +# +# Licensed under the Apache License, Version 2.0 or MIT. +# * http://www.apache.org/licenses/LICENSE-2.0 +# * http://opensource.org/licenses/MIT + +from argparse import ArgumentParser, RawTextHelpFormatter +import os +from os.path import join +import subprocess +from pathlib import Path +import sys + +# The main parser to attach to with the decorator. +cli = ArgumentParser() +subparsers = cli.add_subparsers(dest="subcommand") + + +def json_config(): + return os.path.join("config", "config.json") + + +def cmake_config(): + return os.path.join("config", "config.cmake") + + +def cmake_generated_config(): + return os.path.join("config", "cached-config.txt") + + +def dep_config(): + return os.path.join("config", "dep_config.json") + + +def config_check_file(): + return join("config", ".dependency_check") + + +def config_cache(): + return os.path.join("config", ".cache") + +# FIXME: #10 add config.type (Debug/Release) + + +def cwd(): + return os.path.dirname(os.path.realpath(__file__)) + + +def binary_path(target): + return os.path.join("build", target) + + +def absolute_file_paths(directory): + for dirpath, _, filenames in os.walk(directory): + for f in filenames: + yield os.path.abspath(os.path.join(dirpath, f)) + + +def subcommand(args=[], parent=subparsers): + """Decorator for sub commands.""" + dependency_check() + + def decorator(func): + parser = parent.add_parser( + func.__name__, description=func.__doc__, formatter_class=RawTextHelpFormatter) + for arg in args: + parser.add_argument(*arg[0], **arg[1]) + parser.set_defaults(func=func) + return decorator + + +def argument(*name_or_flags, **kwargs): + """Helper for subcommand decorator""" + return ([*name_or_flags], kwargs) + + +def mprint(*args, **kwargs): + """Print with mach indicators""" + print(" [mach] "+" ".join(map(str, args)), **kwargs) + + +def check_cmd(cmd): + mprint("Found ", end="") + return_code = subprocess.run( + [cmd, '--version'], 
capture_output=True).returncode + if return_code == 0: + print("%s" % cmd, end=" ") + else: + print() + mprint( + '! Please make sure that "%s" is installed and in your path.' % (cmd)) + exit(1) + + +def dependency_check(): + """Check that all necessary commands and dependencies are available.""" + file_exists = os.path.exists(config_check_file()) + if file_exists: + # Nothing to do here, we checked already. + return + + mprint("Dependency checks ...") + + check_cmd('cmake') + check_cmd("ninja") + check_cmd("clang") + print() + Path(config_check_file()).touch() diff --git a/tools/vcbuild.cmd b/tools/vcbuild.cmd new file mode 100644 index 00000000..dd5d3715 --- /dev/null +++ b/tools/vcbuild.cmd @@ -0,0 +1,7 @@ +@echo off + +for /f "usebackq tokens=*" %%i in (`vswhere -latest -products * -requires Microsoft.VisualStudio.Component.VC.Tools.x86.x64 -property installationPath`) do ( + set InstallDir=%%i +) + +"%InstallDir%\VC\Auxiliary\Build\vcvars64.bat" diff --git a/update.py b/update.py new file mode 100755 index 00000000..3d405e8c --- /dev/null +++ b/update.py 
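Review bot: `check_cmd` only inspects `returncode`, but when `cmd` is not installed `subprocess.run` raises `FileNotFoundError` before there is a return code, so the "Please make sure ... is installed" hint is never shown and the user gets a traceback; wrap the call in `try:`/`except OSError:` and take the error branch there too. `subcommand`'s inner `decorator` returns nothing, so every decorated command (e.g. `test` in tools/test.py) is rebound to `None` at module level; add `return func` at the end of `decorator`. Note also that `dependency_check()` runs at decoration (import) time for each subcommand, and the `config/.dependency_check` marker means a later removal of cmake/ninja/clang is never re-detected — presumably intended as a cache, but worth a comment saying so.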
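Review bot: If `vswhere` is not on `PATH` or finds no installation with the VC x86/x64 tools, `InstallDir` stays undefined and the last line tries to run `\VC\Auxiliary\Build\vcvars64.bat`, yielding an unhelpful "not recognized" error. Add a guard before it: `if not defined InstallDir (echo vswhere found no Visual C++ toolset & exit /b 1)`. The `for /f` loop also keeps only the last line of vswhere's output, which is fine for a single match but should be stated in a comment.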
@@ -0,0 +1,194 @@ +#!/usr/bin/env python3 +# +# Copyright 2022 Cryspen Sarl +# +# Licensed under the Apache License, Version 2.0 or MIT. +# * http://www.apache.org/licenses/LICENSE-2.0 +# * http://opensource.org/licenses/MIT + +import json +import os +import pathlib +import re +import shutil +import subprocess + + +def raw_dependencies(src_dir, c_file): + compiler = os.getenv('CC', 'clang') + include_paths = ['kremlin/kremlib/dist/minimal', + 'kremlin/include', src_dir] + includes = '-I ' + ' -I '.join(include_paths) + result = subprocess.run( + compiler + ' ' + includes + ' -MM ' + os.path.join(src_dir, c_file), + stdout=subprocess.PIPE, + shell=True, + check=True) + return result.stdout.decode('utf-8') + + +def abs_path(relative): + return os.path.abspath(os.path.join(os.path.dirname(__file__), relative)) + + +def source_files(directory): + source_files_abs = [] + source_file_names = [] + for f in os.listdir(directory): + f = os.path.join(directory, f) + if os.path.isfile(f) and f[-2:] == '.c': + source_files_abs.append(os.path.abspath(f)) + source_file_names.append(os.path.basename(f)) + return source_files_abs, source_file_names + + +def dependencies(src_dir, c_file): + # Get a list of all source files + _, source_names = source_files(src_dir) + raw_deps = raw_dependencies(src_dir, c_file) + + files = [] + for line in raw_deps.splitlines(): + # Remove object file and split the lines + line = re.sub("(\w*).o: ", "", line) + line = line.strip() + line = line.split(' ') + try: + line.remove("\\") + except: + # This is fine + pass + + # Drop kremlin files. + line = [file for file in line if not file.startswith('kremlin')] + + # Sources + # For source files we only care about the file name. Drop the path. + line = list(map(lambda file: os.path.basename(file), line)) + # Make them c files. + line = list(map(lambda file: file[:-2]+'.c', line)) + # If there's a corresponding c file to the header, we need this. 
+ line = [file for file in line if file in source_names] + # Make paths absolute + line = list(map(lambda file: abs_path( + os.path.join(src_dir, file)), line)) + files.extend(line) + + file_names = [] + for file in files: + file_names.append(os.path.basename(file)) + + return files, file_names + + +def read_config(config_file_name): + # read file + with open(config_file_name, 'r') as f: + data = f.read() + + # parse file + config = json.loads(data) + hacl_files = config["hacl_sources"] + vale_files = config["vale_sources"] + evercrypt_files = config["evercrypt_sources"] + + # flatten file lists + files = [] + for algorithm in hacl_files: + files.extend(map(lambda e: e["file"], hacl_files[algorithm])) + for algorithm in vale_files: + for platform in vale_files[algorithm]: + files.extend(vale_files[algorithm][platform]) + for algorithm in evercrypt_files: + files.extend(evercrypt_files[algorithm]) + return files + + +def headers(editions): + includes = {} + include_names = {} + for edition, new_dist_dir, _, _ in editions: + files = [file for file in os.listdir( + new_dist_dir) if file.endswith('.h')] + include_names[edition] = [os.path.basename(file) for file in files] + includes[edition] = [abs_path(os.path.join( + new_dist_dir, file)) for file in files] + return includes, include_names + + +def all_files(config_file, editions): + required_files = read_config(config_file) + + files = {} + file_names = {} + for edition, new_dist_dir, _, _ in editions: + for file in required_files: + if file.endswith('.c'): + t_files, t_file_names = dependencies(new_dist_dir, file) + if edition in files: + files[edition].extend(t_files) + else: + files[edition] = t_files + if edition in file_names: + file_names[edition].extend(t_file_names) + else: + file_names[edition] = t_file_names + + includes, include_names = headers(editions) + + # remove duplicates + for edition in files: + files[edition] = list(dict.fromkeys(files[edition])) + file_names[edition] = 
list(dict.fromkeys(file_names[edition])) + # remove vale + files[edition] = [file for file in files[edition] if not "Vale" in file] + file_names[edition] = [ + file for file in file_names[edition] if not "Vale" in file] + includes[edition] = [ + file for file in includes[edition] if not "Vale" in file] + include_names[edition] = [ + file for file in include_names[edition] if not "Vale" in file] + + return files, file_names, includes, include_names + + +def rm(file): + if os.path.isfile(file): + os.remove(file) + else: + shutil.rmtree(file, ignore_errors=True) + + +def clean(): + for filename in os.listdir('src'): + rm(os.path.join('src', filename)) + for filename in os.listdir('include'): + rm(os.path.join('include', filename)) + + +def update_hacl(files, includes, editions): + clean() + for edition, new_dist_dir, dest, include_dest in editions: + dest = abs_path(dest) + for file in files[edition]: + pathlib.Path(dest).mkdir(parents=True, exist_ok=True) + shutil.copyfile(file, os.path.join(dest, os.path.basename(file))) + include_dest = abs_path(include_dest) + for file in includes[edition]: + pathlib.Path(include_dest).mkdir(parents=True, exist_ok=True) + shutil.copyfile(file, os.path.join( + include_dest, os.path.basename(file))) + internal_includes = os.path.join(abs_path(new_dist_dir), 'internal') + dest_internal = os.path.join(include_dest, 'internal') + shutil.copytree(internal_includes, dest_internal) + + +""" +editions = [(name, new-code, target-src-dir, target-include-dir)] +""" +editions = [('std', '../hacl-star/dist/gcc-compatible', 'src', 'include'), + ('c89', '../hacl-star/dist/c89-compatible', 'src/c89', 'include/c89'), + ('msvc', '../hacl-star/dist/msvc-compatible', 'src/msvc', 'include/msvc')] +config_file = 'config/config.json' +files, file_names, includes, include_names = all_files(config_file, editions) +update_hacl(files, includes, editions) 
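Review bot: `clean()` deletes everything under `src/` and `include/` relative to the current working directory, while every other path in the script goes through `abs_path()` (relative to the script file); run from any other directory it either fails or wipes an unrelated `src`/`include` tree. Anchor it the same way, `for filename in os.listdir(abs_path('src')): rm(os.path.join(abs_path('src'), filename))` (and likewise for `include`), or better, remove only the entries the editions write. `raw_dependencies` splices `$CC` from the environment into a `shell=True` command string; `shlex.split(os.getenv('CC', 'clang'))` plus an argv list keeps "ccache clang"-style values working without shell re-parsing of the include paths. The module-level `all_files`/`update_hacl` calls run on import; guard them with `if __name__ == '__main__':`, and the non-raw `"(\w*).o: "` pattern should be `r"(\w*)\.o: "` to avoid the invalid-escape warning and the unescaped dot.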
diff --git a/vale/include/EverCrypt_Vale.h b/vale/include/EverCrypt_Vale.h
new file mode 100644
index 00000000..fab34396
--- /dev/null
+++ b/vale/include/EverCrypt_Vale.h
@@ -0,0 +1,93 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __EverCrypt_Vale_H +#define __EverCrypt_Vale_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include +#include "kremlin/internal/target.h" + + + + +extern void aes128_key_expansion_sbox(uint8_t *key, uint8_t *w, uint8_t *sbox); + +extern void +aes128_encrypt_one_block(uint8_t *cipher, uint8_t *plain, uint8_t *w, uint8_t *sbox); + +typedef struct gcm_args_s +{ + uint8_t *plain; + uint64_t plain_len; + uint8_t *aad; + uint64_t aad_len; + uint8_t *iv; + uint8_t *expanded_key; + uint8_t *cipher; + uint8_t *tag; +} +gcm_args; + +uint8_t *__proj__Mkgcm_args__item__plain(gcm_args projectee); + +uint64_t __proj__Mkgcm_args__item__plain_len(gcm_args projectee); + +uint8_t *__proj__Mkgcm_args__item__aad(gcm_args projectee); + +uint64_t __proj__Mkgcm_args__item__aad_len(gcm_args projectee); + +uint8_t *__proj__Mkgcm_args__item__iv(gcm_args projectee); + +uint8_t *__proj__Mkgcm_args__item__expanded_key(gcm_args projectee); + +uint8_t *__proj__Mkgcm_args__item__cipher(gcm_args projectee); + +uint8_t *__proj__Mkgcm_args__item__tag(gcm_args projectee); + +extern void __stdcall old_aes128_key_expansion(uint8_t *key_ptr, uint8_t *expanded_key_ptr); + +extern void __stdcall old_gcm128_encrypt(gcm_args *uu___); + +extern uint32_t __stdcall old_gcm128_decrypt(gcm_args *uu___); + +extern void __stdcall old_aes256_key_expansion(uint8_t *key_ptr, uint8_t *expanded_key_ptr); + +extern void __stdcall old_gcm256_encrypt(gcm_args *uu___); + +extern uint32_t __stdcall old_gcm256_decrypt(gcm_args *uu___); + +#if defined(__cplusplus) +} +#endif + +#define __EverCrypt_Vale_H_DEFINED +#endif diff --git a/vale/include/Vale.h b/vale/include/Vale.h new file mode 100644 index 00000000..1c854201 --- /dev/null +++ b/vale/include/Vale.h 
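Review bot: The six `old_*` prototypes at the end of the hunk carry the bare `__stdcall` token, which only MSVC and MinGW toolchains know; unless `evercrypt_targetconfig.h` (included above) defines it away elsewhere, this header will not parse under GCC or Clang on Linux/macOS, so the calling-convention keyword should come from one project macro defined once in the target config (a constructed name like `VALE_STDCALL`, expanding to nothing off Windows). The `aes128_key_expansion_sbox` and `aes128_encrypt_one_block` declarations take raw `uint8_t *` with no lengths and nothing says how large `w` must be; a comment such as `/* w: receives the AES-128 round-key schedule (11 x 16 bytes); see the assembly for whether sbox is read */` would let callers size the buffer, with the sbox claim checked against the backend. The bare `#include` between `kremlin/lowstar_endianness.h` and `kremlin/internal/target.h` has lost its operand in this rendering and should be verified against the repository.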
@@ -0,0 +1,217 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ + + +#ifndef __Vale_H +#define __Vale_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include "evercrypt_targetconfig.h" +#include "libintvector.h" +#include "kremlin/internal/types.h" +#include "kremlin/lowstar_endianness.h" +#include +#include "kremlin/internal/target.h" + + + + +extern uint64_t add_scalar_e(uint64_t *x0, uint64_t *x1, uint64_t x2); + +extern uint64_t fadd_e(uint64_t *x0, uint64_t *x1, uint64_t *x2); + +extern uint64_t sha256_update(uint32_t *x0, uint8_t *x1, uint64_t x2, uint32_t *x3); + +extern uint64_t x64_poly1305(uint8_t *x0, uint8_t *x1, uint64_t x2, uint64_t x3); + +extern uint64_t check_aesni(); + +extern uint64_t check_sha(); + +extern uint64_t check_adx_bmi2(); + +extern uint64_t check_avx(); + +extern uint64_t check_avx2(); + +extern uint64_t check_movbe(); + +extern uint64_t check_sse(); + +extern uint64_t check_rdrand(); + +extern uint64_t check_avx512(); + +extern uint64_t check_osxsave(); + +extern uint64_t check_avx_xcr0(); + +extern uint64_t check_avx512_xcr0(); + +extern uint64_t cswap2_e(uint64_t x0, uint64_t *x1, uint64_t *x2); + +extern uint64_t fsqr_e(uint64_t *x0, uint64_t *x1, uint64_t *x2); + +extern uint64_t fsqr2_e(uint64_t *x0, uint64_t *x1, uint64_t *x2); + +extern uint64_t fmul_e(uint64_t *x0, uint64_t *x1, uint64_t *x2, uint64_t *x3); + +extern uint64_t fmul2_e(uint64_t *x0, uint64_t *x1, uint64_t *x2, uint64_t *x3); + +extern uint64_t fmul_scalar_e(uint64_t *x0, uint64_t *x1, uint64_t x2); + +extern uint64_t fsub_e(uint64_t *x0, uint64_t *x1, uint64_t *x2); + +extern uint64_t +gcm128_decrypt_opt( + uint8_t *x0, + uint64_t x1, + uint64_t x2, + uint8_t *x3, + uint8_t *x4, + uint8_t *x5, + uint8_t *x6, + uint8_t *x7, + uint8_t *x8, + uint64_t x9, + uint8_t *x10, + uint8_t *x11, + uint64_t x12, + uint8_t *x13, + uint64_t x14, + uint8_t *x15, + uint8_t *x16 +); + +extern uint64_t +gcm256_decrypt_opt( + uint8_t *x0, + uint64_t x1, + uint64_t x2, + uint8_t *x3, + uint8_t *x4, + uint8_t *x5, + uint8_t *x6, + 
uint8_t *x7, + uint8_t *x8, + uint64_t x9, + uint8_t *x10, + uint8_t *x11, + uint64_t x12, + uint8_t *x13, + uint64_t x14, + uint8_t *x15, + uint8_t *x16 +); + +extern uint64_t aes128_key_expansion(uint8_t *x0, uint8_t *x1); + +extern uint64_t aes256_key_expansion(uint8_t *x0, uint8_t *x1); + +extern uint64_t +compute_iv_stdcall( + uint8_t *x0, + uint64_t x1, + uint64_t x2, + uint8_t *x3, + uint8_t *x4, + uint8_t *x5 +); + +extern uint64_t +gcm128_encrypt_opt( + uint8_t *x0, + uint64_t x1, + uint64_t x2, + uint8_t *x3, + uint8_t *x4, + uint8_t *x5, + uint8_t *x6, + uint8_t *x7, + uint8_t *x8, + uint64_t x9, + uint8_t *x10, + uint8_t *x11, + uint64_t x12, + uint8_t *x13, + uint64_t x14, + uint8_t *x15, + uint8_t *x16 +); + +extern uint64_t +gcm256_encrypt_opt( + uint8_t *x0, + uint64_t x1, + uint64_t x2, + uint8_t *x3, + uint8_t *x4, + uint8_t *x5, + uint8_t *x6, + uint8_t *x7, + uint8_t *x8, + uint64_t x9, + uint8_t *x10, + uint8_t *x11, + uint64_t x12, + uint8_t *x13, + uint64_t x14, + uint8_t *x15, + uint8_t *x16 +); + +extern uint64_t aes128_keyhash_init(uint8_t *x0, uint8_t *x1); + +extern uint64_t aes256_keyhash_init(uint8_t *x0, uint8_t *x1); + +extern uint64_t +gctr128_bytes( + uint8_t *x0, + uint64_t x1, + uint8_t *x2, + uint8_t *x3, + uint8_t *x4, + uint8_t *x5, + uint64_t x6 +); + +extern uint64_t +gctr256_bytes( + uint8_t *x0, + uint64_t x1, + uint8_t *x2, + uint8_t *x3, + uint8_t *x4, + uint8_t *x5, + uint64_t x6 +); + +#if defined(__cplusplus) +} +#endif + +#define __Vale_H_DEFINED +#endif diff --git a/vale/src/EverCrypt_Vale.c b/vale/src/EverCrypt_Vale.c new file mode 100644 index 00000000..e960a9e9 --- /dev/null +++ b/vale/src/EverCrypt_Vale.c 
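Review bot: The CPU-feature probes `check_aesni()` through `check_avx512_xcr0()` are declared with empty parentheses, which in C11 is an old-style declaration that disables argument checking; they should read `extern uint64_t check_aesni(void);` and likewise for the others. The 17-parameter `gcm128_decrypt_opt`, `gcm256_decrypt_opt`, `gcm128_encrypt_opt` and `gcm256_encrypt_opt` prototypes name their arguments `x0`..`x16`, so a caller cannot tell which pointer is the key schedule, IV, AAD or tag, nor which length bounds which buffer; each should carry a comment listing the meaning and required size of every argument, and the decrypt variants should state what their `uint64_t` result means (presumably a tag-check outcome, but that must be confirmed), since callers have to branch on it. The same documentation gap applies to `gctr128_bytes`, `gctr256_bytes` and `compute_iv_stdcall`.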
@@ -0,0 +1,66 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#include "EverCrypt_Vale.h"
+
+uint8_t *__proj__Mkgcm_args__item__plain(gcm_args projectee)
+{
+ return projectee.plain;
+}
+
+uint64_t __proj__Mkgcm_args__item__plain_len(gcm_args projectee)
+{
+ return projectee.plain_len;
+}
+
+uint8_t *__proj__Mkgcm_args__item__aad(gcm_args projectee)
+{
+ return projectee.aad;
+}
+
+uint64_t __proj__Mkgcm_args__item__aad_len(gcm_args projectee)
+{
+ return projectee.aad_len;
+}
+
+uint8_t *__proj__Mkgcm_args__item__iv(gcm_args projectee)
+{
+ return projectee.iv;
+}
+
+uint8_t *__proj__Mkgcm_args__item__expanded_key(gcm_args projectee)
+{
+ return projectee.expanded_key;
+}
+
+uint8_t *__proj__Mkgcm_args__item__cipher(gcm_args projectee)
+{
+ return projectee.cipher;
+}
+
+uint8_t *__proj__Mkgcm_args__item__tag(gcm_args projectee)
+{
+ return projectee.tag;
+}
+
diff --git a/vale/src/Vale.c b/vale/src/Vale.c
new file mode 100644
index 00000000..8880aa09
--- /dev/null
+++ b/vale/src/Vale.c
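Review bot: Each `__proj__Mkgcm_args__item__*` accessor takes `gcm_args` by value, so every call copies the eight-field struct just to read one member; `const gcm_args *projectee` with `return projectee->plain;` would avoid the copy, with the matching prototypes in EverCrypt_Vale.h changed in step. The names also start with a double underscore, which C reserves for the implementation; if they are emitted by the KreMLin extraction (the `kremlin/` includes suggest so) they are best left as generated, but a one-line file comment saying the file is generated and must not be hand-edited would stop reviewers from flagging them again.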
@@ -0,0 +1,28 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+#include "Vale.h"
+
+typedef uint64_t als_ret;
+
diff --git a/vale/src/aes-i686.asm b/vale/src/aes-i686.asm
new file mode 100644
index 00000000..1f2da001
--- /dev/null
+++ b/vale/src/aes-i686.asm
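Review bot: `typedef uint64_t als_ret;` is the only declaration in this translation unit and nothing in the 28-line file uses it, so `Vale.c` compiles to an empty object; either drop the typedef or add a comment stating why an otherwise empty source file is kept (for instance so every build configuration has a C unit alongside the assembly). If the alias is meant for consumers it belongs in `Vale.h`, where the `extern` prototypes already return `uint64_t` and could use it.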
@@ -0,0 +1,342 @@ +.686p +.model flat +.code +.XMM +ALIGN 16 +_KeyExpansionStdcall@12 proc + mov eax, dword ptr [esp + 4] + movdqu xmm1, xmmword ptr [eax + 0] + mov eax, dword ptr [esp + 8] + movdqu xmmword ptr [eax + 0], xmm1 + aeskeygenassist xmm2, xmm1, 1 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [eax + 16], xmm1 + aeskeygenassist xmm2, xmm1, 2 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [eax + 32], xmm1 + aeskeygenassist xmm2, xmm1, 4 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [eax + 48], xmm1 + aeskeygenassist xmm2, xmm1, 8 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [eax + 64], xmm1 + aeskeygenassist xmm2, xmm1, 16 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [eax + 80], xmm1 + aeskeygenassist xmm2, xmm1, 32 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [eax + 96], xmm1 + aeskeygenassist xmm2, xmm1, 64 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [eax + 112], xmm1 + aeskeygenassist xmm2, xmm1, 128 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, 
xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [eax + 128], xmm1 + aeskeygenassist xmm2, xmm1, 27 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [eax + 144], xmm1 + aeskeygenassist xmm2, xmm1, 54 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [eax + 160], xmm1 + xor eax, eax + pxor xmm1, xmm1 + pxor xmm2, xmm2 + pxor xmm3, xmm3 + ret 12 +_KeyExpansionStdcall@12 endp +ALIGN 16 +_KeyExpansionAndInversionStdcall@12 proc + mov eax, dword ptr [esp + 4] + movdqu xmm1, xmmword ptr [eax + 0] + mov eax, dword ptr [esp + 8] + movdqu xmmword ptr [eax + 0], xmm1 + aeskeygenassist xmm2, xmm1, 1 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [eax + 16], xmm1 + aeskeygenassist xmm2, xmm1, 2 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [eax + 32], xmm1 + aeskeygenassist xmm2, xmm1, 4 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [eax + 48], xmm1 + aeskeygenassist xmm2, xmm1, 8 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [eax + 64], xmm1 + aeskeygenassist xmm2, xmm1, 16 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, 
xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [eax + 80], xmm1 + aeskeygenassist xmm2, xmm1, 32 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [eax + 96], xmm1 + aeskeygenassist xmm2, xmm1, 64 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [eax + 112], xmm1 + aeskeygenassist xmm2, xmm1, 128 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [eax + 128], xmm1 + aeskeygenassist xmm2, xmm1, 27 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [eax + 144], xmm1 + aeskeygenassist xmm2, xmm1, 54 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [eax + 160], xmm1 + movdqu xmm1, xmmword ptr [eax + 16] + aesimc xmm1, xmm1 + movdqu xmmword ptr [eax + 16], xmm1 + movdqu xmm1, xmmword ptr [eax + 32] + aesimc xmm1, xmm1 + movdqu xmmword ptr [eax + 32], xmm1 + movdqu xmm1, xmmword ptr [eax + 48] + aesimc xmm1, xmm1 + movdqu xmmword ptr [eax + 48], xmm1 + movdqu xmm1, xmmword ptr [eax + 64] + aesimc xmm1, xmm1 + movdqu xmmword ptr [eax + 64], xmm1 + movdqu xmm1, xmmword ptr [eax + 80] + aesimc xmm1, xmm1 + movdqu xmmword ptr [eax + 80], xmm1 + movdqu xmm1, xmmword ptr [eax + 96] + aesimc xmm1, xmm1 + movdqu xmmword ptr [eax + 96], xmm1 + movdqu xmm1, xmmword ptr [eax + 112] + aesimc xmm1, xmm1 + movdqu xmmword ptr [eax + 112], 
xmm1 + movdqu xmm1, xmmword ptr [eax + 128] + aesimc xmm1, xmm1 + movdqu xmmword ptr [eax + 128], xmm1 + movdqu xmm1, xmmword ptr [eax + 144] + aesimc xmm1, xmm1 + movdqu xmmword ptr [eax + 144], xmm1 + xor eax, eax + pxor xmm1, xmm1 + pxor xmm2, xmm2 + pxor xmm3, xmm3 + ret 12 +_KeyExpansionAndInversionStdcall@12 endp +ALIGN 16 +_AES128EncryptOneBlockStdcall@16 proc + mov eax, dword ptr [esp + 8] + movdqu xmm0, xmmword ptr [eax + 0] + mov eax, dword ptr [esp + 12] + movdqu xmm2, xmmword ptr [eax + 0] + pxor xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 16] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 32] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 48] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 64] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 80] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 96] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 112] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 128] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 144] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 160] + aesenclast xmm0, xmm2 + pxor xmm2, xmm2 + mov eax, dword ptr [esp + 4] + movdqu xmmword ptr [eax + 0], xmm0 + ret 16 +_AES128EncryptOneBlockStdcall@16 endp +ALIGN 16 +_AES128EncryptOneBlock proc + movdqu xmm2, xmmword ptr [eax + 0] + pxor xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 16] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 32] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 48] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 64] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 80] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 96] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 112] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 128] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 144] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 160] + aesenclast xmm0, xmm2 + pxor xmm2, xmm2 + ret 8 +_AES128EncryptOneBlock endp +ALIGN 16 
+_AES128DecryptOneBlock proc + movdqu xmm2, xmmword ptr [eax + 160] + pxor xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 144] + aesdec xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 128] + aesdec xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 112] + aesdec xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 96] + aesdec xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 80] + aesdec xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 64] + aesdec xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 48] + aesdec xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 32] + aesdec xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 16] + aesdec xmm0, xmm2 + movdqu xmm2, xmmword ptr [eax + 0] + aesdeclast xmm0, xmm2 + pxor xmm2, xmm2 + ret 8 +_AES128DecryptOneBlock endp +end diff --git a/vale/src/aes-x86_64-darwin.S b/vale/src/aes-x86_64-darwin.S new file mode 100644 index 00000000..a5aae4b5 --- /dev/null +++ b/vale/src/aes-x86_64-darwin.S 
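Review bot: The round-key derivation in `_KeyExpansionStdcall@12` and `_KeyExpansionAndInversionStdcall@12` uses `vpslldq`, a VEX-encoded AVX instruction, while everything else in the file is SSE2/AES-NI (`pshufd`, `pxor`, `aeskeygenassist`, `aesenc`); on a CPU that has AES-NI but not AVX this faults with an illegal instruction, so the dispatcher must gate these routines on the AVX probe as well as the AES-NI probe, or the shift should become the legacy pair `movdqa xmm3, xmm1` / `pslldq xmm3, 4`. The same sequence appears in aes-x86_64-darwin.S, aes-x86_64-linux.S and aes-x86_64-mingw.S. On the positive side both expansion routines zero `xmm1`-`xmm3` before `ret`, so no round key is left behind in registers, whereas `_AES128EncryptOneBlockStdcall@16` clears `xmm2` but returns with the block still in `xmm0`; that is fine for the declared output but deserves a comment. The third stack argument at `[esp + 12]` of `_KeyExpansionStdcall@12` is never read, so if this symbol backs `aes128_key_expansion_sbox` the header should say the `sbox` parameter is ignored by this backend.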
@@ -0,0 +1,279 @@ +.text +.global _KeyExpansionStdcall +_KeyExpansionStdcall: + movdqu 0 (%rdi), %xmm1 + mov %rsi, %rdx + movdqu %xmm1, 0 (%rdx) + aeskeygenassist $1, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 16 (%rdx) + aeskeygenassist $2, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 32 (%rdx) + aeskeygenassist $4, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 48 (%rdx) + aeskeygenassist $8, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 64 (%rdx) + aeskeygenassist $16, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 80 (%rdx) + aeskeygenassist $32, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 96 (%rdx) + aeskeygenassist $64, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 112 (%rdx) + aeskeygenassist $128, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor 
%xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 128 (%rdx) + aeskeygenassist $27, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 144 (%rdx) + aeskeygenassist $54, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 160 (%rdx) + pxor %xmm1, %xmm1 + pxor %xmm2, %xmm2 + pxor %xmm3, %xmm3 + ret + +.global _KeyExpansionAndInversionStdcall +_KeyExpansionAndInversionStdcall: + movdqu 0 (%rdi), %xmm1 + mov %rsi, %rdx + movdqu %xmm1, 0 (%rdx) + aeskeygenassist $1, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 16 (%rdx) + aeskeygenassist $2, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 32 (%rdx) + aeskeygenassist $4, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 48 (%rdx) + aeskeygenassist $8, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 64 (%rdx) + aeskeygenassist $16, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, 
%xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 80 (%rdx) + aeskeygenassist $32, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 96 (%rdx) + aeskeygenassist $64, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 112 (%rdx) + aeskeygenassist $128, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 128 (%rdx) + aeskeygenassist $27, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 144 (%rdx) + aeskeygenassist $54, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 160 (%rdx) + movdqu 16 (%rdx), %xmm1 + aesimc %xmm1, %xmm1 + movdqu %xmm1, 16 (%rdx) + movdqu 32 (%rdx), %xmm1 + aesimc %xmm1, %xmm1 + movdqu %xmm1, 32 (%rdx) + movdqu 48 (%rdx), %xmm1 + aesimc %xmm1, %xmm1 + movdqu %xmm1, 48 (%rdx) + movdqu 64 (%rdx), %xmm1 + aesimc %xmm1, %xmm1 + movdqu %xmm1, 64 (%rdx) + movdqu 80 (%rdx), %xmm1 + aesimc %xmm1, %xmm1 + movdqu %xmm1, 80 (%rdx) + movdqu 96 (%rdx), %xmm1 + aesimc %xmm1, %xmm1 + movdqu %xmm1, 96 (%rdx) + movdqu 112 (%rdx), %xmm1 + aesimc %xmm1, %xmm1 + movdqu %xmm1, 112 (%rdx) + movdqu 128 (%rdx), %xmm1 + aesimc %xmm1, %xmm1 + movdqu %xmm1, 128 (%rdx) + movdqu 144 
(%rdx), %xmm1 + aesimc %xmm1, %xmm1 + movdqu %xmm1, 144 (%rdx) + pxor %xmm1, %xmm1 + pxor %xmm2, %xmm2 + pxor %xmm3, %xmm3 + ret + +.global _AES128EncryptOneBlockStdcall +_AES128EncryptOneBlockStdcall: + movdqu 0 (%rsi), %xmm0 + mov %rdx, %r8 + movdqu 0 (%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16 (%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32 (%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48 (%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64 (%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80 (%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96 (%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112 (%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128 (%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144 (%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160 (%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + movdqu %xmm0, 0 (%rdi) + ret + + diff --git a/vale/src/aes-x86_64-linux.S b/vale/src/aes-x86_64-linux.S new file mode 100644 index 00000000..870e34ef --- /dev/null +++ b/vale/src/aes-x86_64-linux.S 
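Review bot: None of the three exported routines states its register contract or buffer sizes: `_KeyExpansionStdcall` reads 16 bytes at `%rdi` and stores eleven 16-byte round keys at offsets 0 through 160 of `%rsi`, i.e. a 176-byte output buffer, and `_AES128EncryptOneBlockStdcall` reads the block at `%rsi` and the schedule at `%rdx` (via `%r8`) and writes 16 bytes at `%rdi`. A comment above each label such as `# rdi = 16-byte key, rsi = 176-byte round-key output; clobbers rdx, xmm1-xmm3` would let the C caller size buffers correctly without reading the code. The file otherwise appears identical to aes-x86_64-linux.S apart from the leading-underscore symbol names, so emitting both from one source with a symbol-prefix macro would keep the two from drifting.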
@@ -0,0 +1,279 @@ +.text +.global KeyExpansionStdcall +KeyExpansionStdcall: + movdqu 0 (%rdi), %xmm1 + mov %rsi, %rdx + movdqu %xmm1, 0 (%rdx) + aeskeygenassist $1, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 16 (%rdx) + aeskeygenassist $2, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 32 (%rdx) + aeskeygenassist $4, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 48 (%rdx) + aeskeygenassist $8, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 64 (%rdx) + aeskeygenassist $16, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 80 (%rdx) + aeskeygenassist $32, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 96 (%rdx) + aeskeygenassist $64, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 112 (%rdx) + aeskeygenassist $128, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor 
%xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 128 (%rdx) + aeskeygenassist $27, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 144 (%rdx) + aeskeygenassist $54, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 160 (%rdx) + pxor %xmm1, %xmm1 + pxor %xmm2, %xmm2 + pxor %xmm3, %xmm3 + ret + +.global KeyExpansionAndInversionStdcall +KeyExpansionAndInversionStdcall: + movdqu 0 (%rdi), %xmm1 + mov %rsi, %rdx + movdqu %xmm1, 0 (%rdx) + aeskeygenassist $1, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 16 (%rdx) + aeskeygenassist $2, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 32 (%rdx) + aeskeygenassist $4, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 48 (%rdx) + aeskeygenassist $8, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 64 (%rdx) + aeskeygenassist $16, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, 
%xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 80 (%rdx) + aeskeygenassist $32, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 96 (%rdx) + aeskeygenassist $64, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 112 (%rdx) + aeskeygenassist $128, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 128 (%rdx) + aeskeygenassist $27, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 144 (%rdx) + aeskeygenassist $54, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 160 (%rdx) + movdqu 16 (%rdx), %xmm1 + aesimc %xmm1, %xmm1 + movdqu %xmm1, 16 (%rdx) + movdqu 32 (%rdx), %xmm1 + aesimc %xmm1, %xmm1 + movdqu %xmm1, 32 (%rdx) + movdqu 48 (%rdx), %xmm1 + aesimc %xmm1, %xmm1 + movdqu %xmm1, 48 (%rdx) + movdqu 64 (%rdx), %xmm1 + aesimc %xmm1, %xmm1 + movdqu %xmm1, 64 (%rdx) + movdqu 80 (%rdx), %xmm1 + aesimc %xmm1, %xmm1 + movdqu %xmm1, 80 (%rdx) + movdqu 96 (%rdx), %xmm1 + aesimc %xmm1, %xmm1 + movdqu %xmm1, 96 (%rdx) + movdqu 112 (%rdx), %xmm1 + aesimc %xmm1, %xmm1 + movdqu %xmm1, 112 (%rdx) + movdqu 128 (%rdx), %xmm1 + aesimc %xmm1, %xmm1 + movdqu %xmm1, 128 (%rdx) + movdqu 144 (%rdx), 
%xmm1 + aesimc %xmm1, %xmm1 + movdqu %xmm1, 144 (%rdx) + pxor %xmm1, %xmm1 + pxor %xmm2, %xmm2 + pxor %xmm3, %xmm3 + ret + +.global AES128EncryptOneBlockStdcall +AES128EncryptOneBlockStdcall: + movdqu 0 (%rsi), %xmm0 + mov %rdx, %r8 + movdqu 0 (%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16 (%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32 (%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48 (%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64 (%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80 (%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96 (%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112 (%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128 (%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144 (%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160 (%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + movdqu %xmm0, 0 (%rdi) + ret + + diff --git a/vale/src/aes-x86_64-mingw.S b/vale/src/aes-x86_64-mingw.S new file mode 100644 index 00000000..fdec29da --- /dev/null +++ b/vale/src/aes-x86_64-mingw.S 
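Review bot: The file ends without a `.section .note.GNU-stack,"",@progbits` directive, so on ELF targets GNU ld treats the object as needing an executable stack and, depending on linker version, either marks the final binary's stack executable or warns; that silently weakens a hardening property of every program linking this library, so the directive should be appended after the last `ret`. The three `.global` symbols also lack `.type KeyExpansionStdcall, @function` (and matching `.size`) annotations, so they appear as untyped symbols, which degrades backtraces, `objdump` symbolization and any tooling that relies on function boundaries. These are ELF-specific points and do not apply to the darwin and mingw variants.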
@@ -0,0 +1,276 @@ +.text +.global KeyExpansionStdcall +KeyExpansionStdcall: + movdqu 0 (%rcx), %xmm1 + movdqu %xmm1, 0 (%rdx) + aeskeygenassist $1, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 16 (%rdx) + aeskeygenassist $2, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 32 (%rdx) + aeskeygenassist $4, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 48 (%rdx) + aeskeygenassist $8, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 64 (%rdx) + aeskeygenassist $16, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 80 (%rdx) + aeskeygenassist $32, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 96 (%rdx) + aeskeygenassist $64, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 112 (%rdx) + aeskeygenassist $128, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + 
vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 128 (%rdx) + aeskeygenassist $27, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 144 (%rdx) + aeskeygenassist $54, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 160 (%rdx) + pxor %xmm1, %xmm1 + pxor %xmm2, %xmm2 + pxor %xmm3, %xmm3 + ret + +.global KeyExpansionAndInversionStdcall +KeyExpansionAndInversionStdcall: + movdqu 0 (%rcx), %xmm1 + movdqu %xmm1, 0 (%rdx) + aeskeygenassist $1, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 16 (%rdx) + aeskeygenassist $2, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 32 (%rdx) + aeskeygenassist $4, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 48 (%rdx) + aeskeygenassist $8, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 64 (%rdx) + aeskeygenassist $16, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + 
vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 80 (%rdx) + aeskeygenassist $32, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 96 (%rdx) + aeskeygenassist $64, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 112 (%rdx) + aeskeygenassist $128, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 128 (%rdx) + aeskeygenassist $27, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 144 (%rdx) + aeskeygenassist $54, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 160 (%rdx) + movdqu 16 (%rdx), %xmm1 + aesimc %xmm1, %xmm1 + movdqu %xmm1, 16 (%rdx) + movdqu 32 (%rdx), %xmm1 + aesimc %xmm1, %xmm1 + movdqu %xmm1, 32 (%rdx) + movdqu 48 (%rdx), %xmm1 + aesimc %xmm1, %xmm1 + movdqu %xmm1, 48 (%rdx) + movdqu 64 (%rdx), %xmm1 + aesimc %xmm1, %xmm1 + movdqu %xmm1, 64 (%rdx) + movdqu 80 (%rdx), %xmm1 + aesimc %xmm1, %xmm1 + movdqu %xmm1, 80 (%rdx) + movdqu 96 (%rdx), %xmm1 + aesimc %xmm1, %xmm1 + movdqu %xmm1, 96 (%rdx) + movdqu 112 (%rdx), %xmm1 + aesimc %xmm1, %xmm1 + movdqu %xmm1, 112 (%rdx) + movdqu 128 (%rdx), %xmm1 + aesimc %xmm1, %xmm1 + movdqu %xmm1, 128 (%rdx) + movdqu 144 (%rdx), %xmm1 + aesimc %xmm1, %xmm1 + 
movdqu %xmm1, 144 (%rdx) + pxor %xmm1, %xmm1 + pxor %xmm2, %xmm2 + pxor %xmm3, %xmm3 + ret + +.global AES128EncryptOneBlockStdcall +AES128EncryptOneBlockStdcall: + movdqu 0 (%rdx), %xmm0 + movdqu 0 (%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16 (%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32 (%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48 (%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64 (%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80 (%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96 (%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112 (%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128 (%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144 (%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160 (%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + movdqu %xmm0, 0 (%rcx) + ret + + diff --git a/vale/src/aes-x86_64-msvc.asm b/vale/src/aes-x86_64-msvc.asm new file mode 100644 index 00000000..98bdd6c6 --- /dev/null +++ b/vale/src/aes-x86_64-msvc.asm 
@@ -0,0 +1,276 @@ +.code +ALIGN 16 +KeyExpansionStdcall proc + movdqu xmm1, xmmword ptr [rcx + 0] + movdqu xmmword ptr [rdx + 0], xmm1 + aeskeygenassist xmm2, xmm1, 1 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 16], xmm1 + aeskeygenassist xmm2, xmm1, 2 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 32], xmm1 + aeskeygenassist xmm2, xmm1, 4 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 48], xmm1 + aeskeygenassist xmm2, xmm1, 8 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 64], xmm1 + aeskeygenassist xmm2, xmm1, 16 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 80], xmm1 + aeskeygenassist xmm2, xmm1, 32 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 96], xmm1 + aeskeygenassist xmm2, xmm1, 64 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 112], xmm1 + aeskeygenassist xmm2, xmm1, 128 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + 
pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 128], xmm1 + aeskeygenassist xmm2, xmm1, 27 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 144], xmm1 + aeskeygenassist xmm2, xmm1, 54 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 160], xmm1 + pxor xmm1, xmm1 + pxor xmm2, xmm2 + pxor xmm3, xmm3 + ret +KeyExpansionStdcall endp +ALIGN 16 +KeyExpansionAndInversionStdcall proc + movdqu xmm1, xmmword ptr [rcx + 0] + movdqu xmmword ptr [rdx + 0], xmm1 + aeskeygenassist xmm2, xmm1, 1 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 16], xmm1 + aeskeygenassist xmm2, xmm1, 2 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 32], xmm1 + aeskeygenassist xmm2, xmm1, 4 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 48], xmm1 + aeskeygenassist xmm2, xmm1, 8 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 64], xmm1 + aeskeygenassist xmm2, xmm1, 16 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 80], xmm1 + aeskeygenassist xmm2, xmm1, 32 + pshufd xmm2, xmm2, 255 
+ vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 96], xmm1 + aeskeygenassist xmm2, xmm1, 64 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 112], xmm1 + aeskeygenassist xmm2, xmm1, 128 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 128], xmm1 + aeskeygenassist xmm2, xmm1, 27 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 144], xmm1 + aeskeygenassist xmm2, xmm1, 54 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 160], xmm1 + movdqu xmm1, xmmword ptr [rdx + 16] + aesimc xmm1, xmm1 + movdqu xmmword ptr [rdx + 16], xmm1 + movdqu xmm1, xmmword ptr [rdx + 32] + aesimc xmm1, xmm1 + movdqu xmmword ptr [rdx + 32], xmm1 + movdqu xmm1, xmmword ptr [rdx + 48] + aesimc xmm1, xmm1 + movdqu xmmword ptr [rdx + 48], xmm1 + movdqu xmm1, xmmword ptr [rdx + 64] + aesimc xmm1, xmm1 + movdqu xmmword ptr [rdx + 64], xmm1 + movdqu xmm1, xmmword ptr [rdx + 80] + aesimc xmm1, xmm1 + movdqu xmmword ptr [rdx + 80], xmm1 + movdqu xmm1, xmmword ptr [rdx + 96] + aesimc xmm1, xmm1 + movdqu xmmword ptr [rdx + 96], xmm1 + movdqu xmm1, xmmword ptr [rdx + 112] + aesimc xmm1, xmm1 + movdqu xmmword ptr [rdx + 112], xmm1 + movdqu xmm1, xmmword ptr [rdx + 128] + aesimc xmm1, xmm1 + movdqu xmmword ptr [rdx + 128], xmm1 + movdqu xmm1, xmmword ptr [rdx + 144] + aesimc xmm1, xmm1 + movdqu xmmword ptr 
[rdx + 144], xmm1 + pxor xmm1, xmm1 + pxor xmm2, xmm2 + pxor xmm3, xmm3 + ret +KeyExpansionAndInversionStdcall endp +ALIGN 16 +AES128EncryptOneBlockStdcall proc + movdqu xmm0, xmmword ptr [rdx + 0] + movdqu xmm2, xmmword ptr [r8 + 0] + pxor xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 16] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 32] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 48] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 64] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 80] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 96] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 112] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 128] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 144] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 160] + aesenclast xmm0, xmm2 + pxor xmm2, xmm2 + movdqu xmmword ptr [rcx + 0], xmm0 + ret +AES128EncryptOneBlockStdcall endp +end diff --git a/vale/src/aesgcm-x86_64-darwin.S b/vale/src/aesgcm-x86_64-darwin.S new file mode 100644 index 00000000..e0c8c9f6 --- /dev/null +++ b/vale/src/aesgcm-x86_64-darwin.S 
@@ -0,0 +1,8101 @@ +.text +.global _aes128_key_expansion +_aes128_key_expansion: + movdqu 0(%rdi), %xmm1 + mov %rsi, %rdx + movdqu %xmm1, 0(%rdx) + aeskeygenassist $1, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 16(%rdx) + aeskeygenassist $2, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 32(%rdx) + aeskeygenassist $4, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 48(%rdx) + aeskeygenassist $8, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 64(%rdx) + aeskeygenassist $16, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 80(%rdx) + aeskeygenassist $32, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 96(%rdx) + aeskeygenassist $64, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 112(%rdx) + aeskeygenassist $128, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, 
%xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 128(%rdx) + aeskeygenassist $27, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 144(%rdx) + aeskeygenassist $54, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 160(%rdx) + pxor %xmm1, %xmm1 + pxor %xmm2, %xmm2 + pxor %xmm3, %xmm3 + ret + +.global _aes128_keyhash_init +_aes128_keyhash_init: + mov $579005069656919567, %r8 + pinsrq $0, %r8, %xmm4 + mov $283686952306183, %r8 + pinsrq $1, %r8, %xmm4 + pxor %xmm0, %xmm0 + movdqu %xmm0, 80(%rsi) + mov %rdi, %r8 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pshufb %xmm4, %xmm0 + mov %rsi, %rcx + movdqu %xmm0, 32(%rcx) + movdqu %xmm6, %xmm0 + mov %r12, %rax + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + 
pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 0(%rcx) + movdqu %xmm6, %xmm1 + movdqu %xmm6, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + 
pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 + pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 16(%rcx) + movdqu %xmm6, %xmm2 + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + 
pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 + pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 48(%rcx) + movdqu %xmm6, %xmm2 + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu 
%xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu 
%xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 + pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 64(%rcx) + movdqu %xmm6, %xmm2 + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, 
%xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 + pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 96(%rcx) + movdqu %xmm6, %xmm2 + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + 
pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor 
%xmm5, %xmm1 + pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 112(%rcx) + movdqu %xmm0, %xmm6 + mov %rax, %r12 + ret + +.global _aes256_key_expansion +_aes256_key_expansion: + movdqu 0(%rdi), %xmm1 + movdqu 16(%rdi), %xmm3 + mov %rsi, %rdx + movdqu %xmm1, 0(%rdx) + movdqu %xmm3, 16(%rdx) + aeskeygenassist $1, %xmm3, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 32(%rdx) + aeskeygenassist $0, %xmm1, %xmm2 + pshufd $170, %xmm2, %xmm2 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + pxor %xmm2, %xmm3 + movdqu %xmm3, 48(%rdx) + aeskeygenassist $2, %xmm3, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 64(%rdx) + aeskeygenassist $0, %xmm1, %xmm2 + pshufd $170, %xmm2, %xmm2 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + pxor %xmm2, %xmm3 + movdqu %xmm3, 80(%rdx) + aeskeygenassist $4, %xmm3, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 96(%rdx) + 
aeskeygenassist $0, %xmm1, %xmm2 + pshufd $170, %xmm2, %xmm2 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + pxor %xmm2, %xmm3 + movdqu %xmm3, 112(%rdx) + aeskeygenassist $8, %xmm3, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 128(%rdx) + aeskeygenassist $0, %xmm1, %xmm2 + pshufd $170, %xmm2, %xmm2 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + pxor %xmm2, %xmm3 + movdqu %xmm3, 144(%rdx) + aeskeygenassist $16, %xmm3, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 160(%rdx) + aeskeygenassist $0, %xmm1, %xmm2 + pshufd $170, %xmm2, %xmm2 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + pxor %xmm2, %xmm3 + movdqu %xmm3, 176(%rdx) + aeskeygenassist $32, %xmm3, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 192(%rdx) + aeskeygenassist $0, %xmm1, %xmm2 + pshufd $170, %xmm2, %xmm2 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + pxor %xmm2, %xmm3 + movdqu %xmm3, 208(%rdx) + aeskeygenassist $64, %xmm3, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 
224(%rdx) + pxor %xmm1, %xmm1 + pxor %xmm2, %xmm2 + pxor %xmm3, %xmm3 + pxor %xmm4, %xmm4 + ret + +.global _aes256_keyhash_init +_aes256_keyhash_init: + mov $579005069656919567, %r8 + pinsrq $0, %r8, %xmm4 + mov $283686952306183, %r8 + pinsrq $1, %r8, %xmm4 + pxor %xmm0, %xmm0 + movdqu %xmm0, 80(%rsi) + mov %rdi, %r8 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 176(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 192(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 208(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 224(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pshufb %xmm4, %xmm0 + mov %rsi, %rcx + movdqu %xmm0, 32(%rcx) + movdqu %xmm6, %xmm0 + mov %r12, %rax + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 0(%rcx) + movdqu %xmm6, %xmm1 + movdqu %xmm6, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 
+ mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, 
%xmm1 + pxor %xmm5, %xmm1 + pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 16(%rcx) + movdqu %xmm6, %xmm2 + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, 
%xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 + pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 48(%rcx) + movdqu %xmm6, %xmm2 + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, 
%r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 + pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov 
$2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 64(%rcx) + movdqu %xmm6, %xmm2 + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 
+ pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 + pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 96(%rcx) + movdqu %xmm6, %xmm2 + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 
+ psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 + pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, 
%xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 112(%rcx) + movdqu %xmm0, %xmm6 + mov %rax, %r12 + ret + +.global _gctr128_bytes +_gctr128_bytes: + push %r15 + push %r14 + push %r13 + push %r12 + push %rsi + push %rdi + push %rbp + push %rbx + movdqu 0(%r9), %xmm7 + mov %rdi, %rax + mov %rdx, %rbx + mov %rcx, %r13 + mov 72(%rsp), %rcx + mov %rcx, %rbp + imul $16, %rbp + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm8 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm8 + mov %rcx, %rdx + shr $2, %rdx + and $3, %rcx + cmp $0, %rdx + jbe L0 + mov %rax, %r9 + mov %rbx, %r10 + pshufb %xmm8, %xmm7 + movdqu %xmm7, %xmm9 + mov $579005069656919567, %rax + pinsrq $0, %rax, %xmm0 + mov $579005069656919567, %rax + pinsrq $1, %rax, %xmm0 + pshufb %xmm0, %xmm9 + movdqu %xmm9, %xmm10 + pxor %xmm3, %xmm3 + mov $1, %rax + pinsrd $2, %eax, %xmm3 + paddd %xmm3, %xmm9 + mov $3, %rax + pinsrd $2, %eax, %xmm3 + mov $2, %rax + pinsrd $0, %eax, %xmm3 + paddd %xmm3, %xmm10 + pshufb %xmm8, %xmm9 + pshufb %xmm8, %xmm10 + pextrq $0, %xmm7, %rdi + mov $283686952306183, %rax + pinsrq $0, %rax, %xmm0 + mov $579005069656919567, %rax + pinsrq $1, %rax, %xmm0 + pxor %xmm15, %xmm15 + mov $4, %rax + pinsrd $0, %eax, %xmm15 + mov $4, %rax + pinsrd $2, %eax, %xmm15 + jmp L3 +.balign 16 +L2: + pinsrq $0, %rdi, %xmm2 + pinsrq $0, %rdi, %xmm12 + pinsrq $0, %rdi, %xmm13 + pinsrq $0, %rdi, %xmm14 + shufpd $2, %xmm9, %xmm2 + shufpd $0, %xmm9, %xmm12 + shufpd $2, %xmm10, %xmm13 + shufpd $0, %xmm10, %xmm14 + pshufb %xmm0, %xmm9 + pshufb %xmm0, %xmm10 + movdqu 0(%r8), %xmm3 + movdqu 16(%r8), %xmm4 + movdqu 32(%r8), %xmm5 + movdqu 48(%r8), %xmm6 + paddd %xmm15, %xmm9 + paddd %xmm15, %xmm10 + pxor %xmm3, %xmm2 + pxor %xmm3, %xmm12 + pxor %xmm3, %xmm13 + pxor %xmm3, %xmm14 + pshufb %xmm0, %xmm9 + pshufb %xmm0, %xmm10 + aesenc %xmm4, %xmm2 + aesenc %xmm4, %xmm12 + aesenc %xmm4, %xmm13 + aesenc %xmm4, %xmm14 + aesenc %xmm5, %xmm2 + aesenc %xmm5, %xmm12 + aesenc %xmm5, %xmm13 + 
aesenc %xmm5, %xmm14 + aesenc %xmm6, %xmm2 + aesenc %xmm6, %xmm12 + aesenc %xmm6, %xmm13 + aesenc %xmm6, %xmm14 + movdqu 64(%r8), %xmm3 + movdqu 80(%r8), %xmm4 + movdqu 96(%r8), %xmm5 + movdqu 112(%r8), %xmm6 + aesenc %xmm3, %xmm2 + aesenc %xmm3, %xmm12 + aesenc %xmm3, %xmm13 + aesenc %xmm3, %xmm14 + aesenc %xmm4, %xmm2 + aesenc %xmm4, %xmm12 + aesenc %xmm4, %xmm13 + aesenc %xmm4, %xmm14 + aesenc %xmm5, %xmm2 + aesenc %xmm5, %xmm12 + aesenc %xmm5, %xmm13 + aesenc %xmm5, %xmm14 + aesenc %xmm6, %xmm2 + aesenc %xmm6, %xmm12 + aesenc %xmm6, %xmm13 + aesenc %xmm6, %xmm14 + movdqu 128(%r8), %xmm3 + movdqu 144(%r8), %xmm4 + movdqu 160(%r8), %xmm5 + aesenc %xmm3, %xmm2 + aesenc %xmm3, %xmm12 + aesenc %xmm3, %xmm13 + aesenc %xmm3, %xmm14 + aesenc %xmm4, %xmm2 + aesenc %xmm4, %xmm12 + aesenc %xmm4, %xmm13 + aesenc %xmm4, %xmm14 + aesenclast %xmm5, %xmm2 + aesenclast %xmm5, %xmm12 + aesenclast %xmm5, %xmm13 + aesenclast %xmm5, %xmm14 + movdqu 0(%r9), %xmm7 + pxor %xmm7, %xmm2 + movdqu 16(%r9), %xmm7 + pxor %xmm7, %xmm12 + movdqu 32(%r9), %xmm7 + pxor %xmm7, %xmm13 + movdqu 48(%r9), %xmm7 + pxor %xmm7, %xmm14 + movdqu %xmm2, 0(%r10) + movdqu %xmm12, 16(%r10) + movdqu %xmm13, 32(%r10) + movdqu %xmm14, 48(%r10) + sub $1, %rdx + add $64, %r9 + add $64, %r10 +.balign 16 +L3: + cmp $0, %rdx + ja L2 + movdqu %xmm9, %xmm7 + pinsrq $0, %rdi, %xmm7 + pshufb %xmm8, %xmm7 + mov %r9, %rax + mov %r10, %rbx + jmp L1 +L0: +L1: + mov $0, %rdx + mov %rax, %r9 + mov %rbx, %r10 + pxor %xmm4, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + jmp L5 +.balign 16 +L4: + movdqu %xmm7, %xmm0 + pshufb %xmm8, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + 
aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + movdqu 0(%r9), %xmm2 + pxor %xmm0, %xmm2 + movdqu %xmm2, 0(%r10) + add $1, %rdx + add $16, %r9 + add $16, %r10 + paddd %xmm4, %xmm7 +.balign 16 +L5: + cmp %rcx, %rdx + jne L4 + cmp %rbp, %rsi + jbe L6 + movdqu 0(%r13), %xmm1 + movdqu %xmm7, %xmm0 + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm2 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm2 + pshufb %xmm2, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pxor %xmm0, %xmm1 + movdqu %xmm1, 0(%r13) + jmp L7 +L6: +L7: + pop %rbx + pop %rbp + pop %rdi + pop %rsi + pop %r12 + pop %r13 + pop %r14 + pop %r15 + ret + +.global _gctr256_bytes +_gctr256_bytes: + push %r15 + push %r14 + push %r13 + push %r12 + push %rsi + push %rdi + push %rbp + push %rbx + movdqu 0(%r9), %xmm7 + mov %rdi, %rax + mov %rdx, %rbx + mov %rcx, %r13 + mov 72(%rsp), %rcx + mov %rcx, %rbp + imul $16, %rbp + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm8 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm8 + mov %rcx, %rdx + shr $2, %rdx + and $3, %rcx + cmp $0, %rdx + jbe L8 + mov %rax, %r9 + mov %rbx, %r10 + pshufb %xmm8, %xmm7 + movdqu %xmm7, %xmm9 + mov $579005069656919567, %rax + pinsrq $0, %rax, %xmm0 + mov $579005069656919567, %rax + pinsrq $1, %rax, %xmm0 + pshufb %xmm0, %xmm9 + movdqu %xmm9, %xmm10 + pxor %xmm3, %xmm3 + mov $1, %rax + pinsrd $2, %eax, %xmm3 + paddd %xmm3, %xmm9 + mov $3, %rax + pinsrd 
$2, %eax, %xmm3 + mov $2, %rax + pinsrd $0, %eax, %xmm3 + paddd %xmm3, %xmm10 + pshufb %xmm8, %xmm9 + pshufb %xmm8, %xmm10 + pextrq $0, %xmm7, %rdi + mov $283686952306183, %rax + pinsrq $0, %rax, %xmm0 + mov $579005069656919567, %rax + pinsrq $1, %rax, %xmm0 + pxor %xmm15, %xmm15 + mov $4, %rax + pinsrd $0, %eax, %xmm15 + mov $4, %rax + pinsrd $2, %eax, %xmm15 + jmp L11 +.balign 16 +L10: + pinsrq $0, %rdi, %xmm2 + pinsrq $0, %rdi, %xmm12 + pinsrq $0, %rdi, %xmm13 + pinsrq $0, %rdi, %xmm14 + shufpd $2, %xmm9, %xmm2 + shufpd $0, %xmm9, %xmm12 + shufpd $2, %xmm10, %xmm13 + shufpd $0, %xmm10, %xmm14 + pshufb %xmm0, %xmm9 + pshufb %xmm0, %xmm10 + movdqu 0(%r8), %xmm3 + movdqu 16(%r8), %xmm4 + movdqu 32(%r8), %xmm5 + movdqu 48(%r8), %xmm6 + paddd %xmm15, %xmm9 + paddd %xmm15, %xmm10 + pxor %xmm3, %xmm2 + pxor %xmm3, %xmm12 + pxor %xmm3, %xmm13 + pxor %xmm3, %xmm14 + pshufb %xmm0, %xmm9 + pshufb %xmm0, %xmm10 + aesenc %xmm4, %xmm2 + aesenc %xmm4, %xmm12 + aesenc %xmm4, %xmm13 + aesenc %xmm4, %xmm14 + aesenc %xmm5, %xmm2 + aesenc %xmm5, %xmm12 + aesenc %xmm5, %xmm13 + aesenc %xmm5, %xmm14 + aesenc %xmm6, %xmm2 + aesenc %xmm6, %xmm12 + aesenc %xmm6, %xmm13 + aesenc %xmm6, %xmm14 + movdqu 64(%r8), %xmm3 + movdqu 80(%r8), %xmm4 + movdqu 96(%r8), %xmm5 + movdqu 112(%r8), %xmm6 + aesenc %xmm3, %xmm2 + aesenc %xmm3, %xmm12 + aesenc %xmm3, %xmm13 + aesenc %xmm3, %xmm14 + aesenc %xmm4, %xmm2 + aesenc %xmm4, %xmm12 + aesenc %xmm4, %xmm13 + aesenc %xmm4, %xmm14 + aesenc %xmm5, %xmm2 + aesenc %xmm5, %xmm12 + aesenc %xmm5, %xmm13 + aesenc %xmm5, %xmm14 + aesenc %xmm6, %xmm2 + aesenc %xmm6, %xmm12 + aesenc %xmm6, %xmm13 + aesenc %xmm6, %xmm14 + movdqu 128(%r8), %xmm3 + movdqu 144(%r8), %xmm4 + movdqu 160(%r8), %xmm5 + aesenc %xmm3, %xmm2 + aesenc %xmm3, %xmm12 + aesenc %xmm3, %xmm13 + aesenc %xmm3, %xmm14 + aesenc %xmm4, %xmm2 + aesenc %xmm4, %xmm12 + aesenc %xmm4, %xmm13 + aesenc %xmm4, %xmm14 + movdqu %xmm5, %xmm3 + movdqu 176(%r8), %xmm4 + movdqu 192(%r8), %xmm5 + movdqu 208(%r8), 
%xmm6 + aesenc %xmm3, %xmm2 + aesenc %xmm3, %xmm12 + aesenc %xmm3, %xmm13 + aesenc %xmm3, %xmm14 + aesenc %xmm4, %xmm2 + aesenc %xmm4, %xmm12 + aesenc %xmm4, %xmm13 + aesenc %xmm4, %xmm14 + aesenc %xmm5, %xmm2 + aesenc %xmm5, %xmm12 + aesenc %xmm5, %xmm13 + aesenc %xmm5, %xmm14 + aesenc %xmm6, %xmm2 + aesenc %xmm6, %xmm12 + aesenc %xmm6, %xmm13 + aesenc %xmm6, %xmm14 + movdqu 224(%r8), %xmm5 + aesenclast %xmm5, %xmm2 + aesenclast %xmm5, %xmm12 + aesenclast %xmm5, %xmm13 + aesenclast %xmm5, %xmm14 + movdqu 0(%r9), %xmm7 + pxor %xmm7, %xmm2 + movdqu 16(%r9), %xmm7 + pxor %xmm7, %xmm12 + movdqu 32(%r9), %xmm7 + pxor %xmm7, %xmm13 + movdqu 48(%r9), %xmm7 + pxor %xmm7, %xmm14 + movdqu %xmm2, 0(%r10) + movdqu %xmm12, 16(%r10) + movdqu %xmm13, 32(%r10) + movdqu %xmm14, 48(%r10) + sub $1, %rdx + add $64, %r9 + add $64, %r10 +.balign 16 +L11: + cmp $0, %rdx + ja L10 + movdqu %xmm9, %xmm7 + pinsrq $0, %rdi, %xmm7 + pshufb %xmm8, %xmm7 + mov %r9, %rax + mov %r10, %rbx + jmp L9 +L8: +L9: + mov $0, %rdx + mov %rax, %r9 + mov %rbx, %r10 + pxor %xmm4, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + jmp L13 +.balign 16 +L12: + movdqu %xmm7, %xmm0 + pshufb %xmm8, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 176(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 192(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 208(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 224(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + movdqu 0(%r9), %xmm2 + pxor %xmm0, %xmm2 + movdqu %xmm2, 0(%r10) + add $1, %rdx + add $16, %r9 + add $16, 
%r10 + paddd %xmm4, %xmm7 +.balign 16 +L13: + cmp %rcx, %rdx + jne L12 + cmp %rbp, %rsi + jbe L14 + movdqu 0(%r13), %xmm1 + movdqu %xmm7, %xmm0 + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm2 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm2 + pshufb %xmm2, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 176(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 192(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 208(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 224(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pxor %xmm0, %xmm1 + movdqu %xmm1, 0(%r13) + jmp L15 +L14: +L15: + pop %rbx + pop %rbp + pop %rdi + pop %rsi + pop %r12 + pop %r13 + pop %r14 + pop %r15 + ret + +.global _compute_iv_stdcall +_compute_iv_stdcall: + cmp $12, %rsi + jne L16 + cmp $12, %rsi + jne L18 + movdqu 0(%r8), %xmm0 + mov $579005069656919567, %rax + pinsrq $0, %rax, %xmm1 + mov $283686952306183, %rax + pinsrq $1, %rax, %xmm1 + pshufb %xmm1, %xmm0 + mov $1, %rax + pinsrd $0, %eax, %xmm0 + movdqu %xmm0, 0(%rcx) + jmp L19 +L18: + mov %rcx, %rax + add $32, %r9 + mov %r8, %rbx + mov %rdx, %rcx + imul $16, %rcx + mov $579005069656919567, %r10 + pinsrq $0, %r10, %xmm9 + mov $283686952306183, %r10 + pinsrq $1, %r10, %xmm9 + pxor %xmm8, %xmm8 + mov %rdi, %r11 + jmp L21 +.balign 16 +L20: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, 
%xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + 
pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L21: + cmp $6, %rdx + jae L20 + cmp $0, %rdx + jbe L22 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L24 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L25 +L24: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L26 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L28 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu 
%xmm1, %xmm5 + cmp $4, %rdx + je L30 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L31 +L30: +L31: + jmp L29 +L28: +L29: + jmp L27 +L26: +L27: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L25: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L23 +L22: +L23: + mov %rsi, %r15 + cmp %rcx, %rsi + jbe L32 + movdqu 0(%rbx), %xmm0 + mov %rsi, %r10 + and $15, %r10 + cmp $8, %r10 + jae L34 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L35 +L34: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L35: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor 
%xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L33 +L32: +L33: + mov %rax, %rcx + mov $0, %r11 + mov %rsi, %r13 + pxor %xmm0, %xmm0 + mov %r11, %rax + imul $8, %rax + pinsrq $1, %rax, %xmm0 + mov %r13, %rax + imul $8, %rax + pinsrq $0, %rax, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + movdqu %xmm8, 0(%rcx) +L19: + jmp L17 +L16: + push %r15 + push %r14 + push %r13 + push %r12 + push %rsi + push %rdi + push %rbp + push %rbx + cmp $12, %rsi + jne L36 + movdqu 0(%r8), %xmm0 + mov $579005069656919567, %rax + pinsrq $0, %rax, %xmm1 + mov $283686952306183, %rax + pinsrq $1, %rax, %xmm1 + pshufb %xmm1, %xmm0 + mov $1, %rax + pinsrd $0, %eax, %xmm0 + movdqu %xmm0, 0(%rcx) + jmp L37 +L36: + mov %rcx, %rax + add $32, %r9 + mov %r8, %rbx + mov %rdx, %rcx + imul $16, %rcx + mov $579005069656919567, %r10 + pinsrq $0, %r10, %xmm9 + mov $283686952306183, %r10 + pinsrq $1, %r10, %xmm9 + pxor %xmm8, %xmm8 + mov %rdi, %r11 + jmp L39 +.balign 16 +L38: + add $80, %r11 + movdqu -32(%r9), %xmm5 + 
movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + 
vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L39: + cmp $6, %rdx + jae L38 + cmp $0, %rdx + jbe L40 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L42 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L43 +L42: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L44 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L46 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 
+ movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L48 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L49 +L48: +L49: + jmp L47 +L46: +L47: + jmp L45 +L44: +L45: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L43: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L41 +L40: +L41: + mov %rsi, %r15 + cmp %rcx, %rsi + jbe L50 + movdqu 0(%rbx), %xmm0 + mov %rsi, %r10 + and $15, %r10 + cmp $8, %r10 + jae L52 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L53 +L52: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L53: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + 
vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L51 +L50: +L51: + mov %rax, %rcx + mov $0, %r11 + mov %rsi, %r13 + pxor %xmm0, %xmm0 + mov %r11, %rax + imul $8, %rax + pinsrq $1, %rax, %xmm0 + mov %r13, %rax + imul $8, %rax + pinsrq $0, %rax, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + movdqu %xmm8, 0(%rcx) +L37: + pop %rbx + pop %rbp + pop %rdi + pop %rsi + pop %r12 + pop %r13 + pop %r14 + pop %r15 +L17: + ret + +.global _gcm128_encrypt_opt +_gcm128_encrypt_opt: + push %r15 + push %r14 + push %r13 + push %r12 + push %rsi + push %rdi + push %rbp + push %rbx + mov 144(%rsp), %rbp + mov %rcx, %r13 + lea 32(%r9), %r9 + mov 72(%rsp), %rbx + mov %rdx, %rcx + imul $16, %rcx + mov $579005069656919567, %r10 + pinsrq $0, %r10, %xmm9 + mov $283686952306183, %r10 + pinsrq $1, %r10, %xmm9 + pxor 
%xmm8, %xmm8 + mov %rdi, %r11 + jmp L55 +.balign 16 +L54: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq 
$0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L55: + cmp $6, %rdx + jae L54 + cmp $0, %rdx + jbe L56 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L58 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L59 +L58: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L60 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L62 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + 
vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L64 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L65 +L64: +L65: + jmp L63 +L62: +L63: + jmp L61 +L60: +L61: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L59: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L57 +L56: +L57: + mov %rsi, %r15 + cmp %rcx, %rsi + jbe L66 + movdqu 0(%rbx), %xmm0 + mov %rsi, %r10 + and $15, %r10 + cmp $8, %r10 + jae L68 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L69 +L68: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L69: + 
pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L67 +L66: +L67: + mov 80(%rsp), %rdi + mov 88(%rsp), %rsi + mov 96(%rsp), %rdx + mov %r13, %rcx + movdqu %xmm9, %xmm0 + movdqu 0(%r8), %xmm1 + movdqu %xmm1, 0(%rbp) + pxor %xmm10, %xmm10 + mov $1, %r11 + pinsrq $0, %r11, %xmm10 + vpaddd %xmm10, %xmm1, %xmm1 + cmp $0, %rdx + jne L70 + vpshufb %xmm0, %xmm1, %xmm1 + movdqu %xmm1, 32(%rbp) + jmp L71 +L70: + movdqu %xmm8, 32(%rbp) + add $128, %rcx + pextrq $0, %xmm1, %rbx + and $255, %rbx + vpshufb %xmm0, %xmm1, %xmm1 + lea 96(%rsi), %r14 + movdqu -128(%rcx), %xmm4 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + movdqu -112(%rcx), %xmm15 + mov %rcx, %r12 + sub $96, %r12 + vpxor %xmm4, %xmm1, %xmm9 + add $6, %rbx + cmp $256, %rbx + jae L72 + vpaddd %xmm2, %xmm1, %xmm10 + vpaddd %xmm2, %xmm10, %xmm11 + vpxor %xmm4, %xmm10, %xmm10 + vpaddd %xmm2, %xmm11, %xmm12 + vpxor %xmm4, %xmm11, %xmm11 + vpaddd %xmm2, %xmm12, %xmm13 + vpxor %xmm4, %xmm12, %xmm12 + vpaddd %xmm2, %xmm13, %xmm14 + vpxor %xmm4, %xmm13, %xmm13 + vpaddd %xmm2, %xmm14, %xmm1 + vpxor %xmm4, %xmm14, %xmm14 + jmp L73 +L72: + sub $256, %rbx + vpshufb %xmm0, %xmm1, %xmm6 + pxor %xmm5, %xmm5 + mov $1, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm10 + pxor %xmm5, %xmm5 + mov $2, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, 
%xmm6, %xmm11 + vpaddd %xmm5, %xmm10, %xmm12 + vpshufb %xmm0, %xmm10, %xmm10 + vpaddd %xmm5, %xmm11, %xmm13 + vpshufb %xmm0, %xmm11, %xmm11 + vpxor %xmm4, %xmm10, %xmm10 + vpaddd %xmm5, %xmm12, %xmm14 + vpshufb %xmm0, %xmm12, %xmm12 + vpxor %xmm4, %xmm11, %xmm11 + vpaddd %xmm5, %xmm13, %xmm1 + vpshufb %xmm0, %xmm13, %xmm13 + vpxor %xmm4, %xmm12, %xmm12 + vpshufb %xmm0, %xmm14, %xmm14 + vpxor %xmm4, %xmm13, %xmm13 + vpshufb %xmm0, %xmm1, %xmm1 + vpxor %xmm4, %xmm14, %xmm14 +L73: + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -96(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -80(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -64(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -48(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -32(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -16(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc 
%xmm15, %xmm14, %xmm14 + movdqu 0(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 16(%rcx), %xmm15 + movdqu 32(%rcx), %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor 0(%rdi), %xmm3, %xmm4 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor 16(%rdi), %xmm3, %xmm5 + vaesenc %xmm15, %xmm11, %xmm11 + vpxor 32(%rdi), %xmm3, %xmm6 + vaesenc %xmm15, %xmm12, %xmm12 + vpxor 48(%rdi), %xmm3, %xmm8 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor 64(%rdi), %xmm3, %xmm2 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor 80(%rdi), %xmm3, %xmm3 + lea 96(%rdi), %rdi + vaesenclast %xmm4, %xmm9, %xmm9 + vaesenclast %xmm5, %xmm10, %xmm10 + vaesenclast %xmm6, %xmm11, %xmm11 + vaesenclast %xmm8, %xmm12, %xmm12 + vaesenclast %xmm2, %xmm13, %xmm13 + vaesenclast %xmm3, %xmm14, %xmm14 + movdqu %xmm9, 0(%rsi) + movdqu %xmm10, 16(%rsi) + movdqu %xmm11, 32(%rsi) + movdqu %xmm12, 48(%rsi) + movdqu %xmm13, 64(%rsi) + movdqu %xmm14, 80(%rsi) + lea 96(%rsi), %rsi + vpshufb %xmm0, %xmm9, %xmm8 + vpshufb %xmm0, %xmm10, %xmm2 + movdqu %xmm8, 112(%rbp) + vpshufb %xmm0, %xmm11, %xmm4 + movdqu %xmm2, 96(%rbp) + vpshufb %xmm0, %xmm12, %xmm5 + movdqu %xmm4, 80(%rbp) + vpshufb %xmm0, %xmm13, %xmm6 + movdqu %xmm5, 64(%rbp) + vpshufb %xmm0, %xmm14, %xmm7 + movdqu %xmm6, 48(%rbp) + movdqu -128(%rcx), %xmm4 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + movdqu -112(%rcx), %xmm15 + mov %rcx, %r12 + sub $96, %r12 + vpxor %xmm4, %xmm1, %xmm9 + add $6, %rbx + cmp $256, %rbx + jae L74 + vpaddd %xmm2, %xmm1, %xmm10 + vpaddd %xmm2, %xmm10, %xmm11 + vpxor %xmm4, %xmm10, %xmm10 + vpaddd %xmm2, %xmm11, %xmm12 + vpxor %xmm4, %xmm11, %xmm11 + vpaddd %xmm2, %xmm12, %xmm13 + vpxor %xmm4, %xmm12, %xmm12 + vpaddd %xmm2, %xmm13, %xmm14 + vpxor %xmm4, %xmm13, %xmm13 + vpaddd %xmm2, %xmm14, %xmm1 + vpxor %xmm4, %xmm14, %xmm14 + jmp L75 +L74: + sub $256, %rbx + 
vpshufb %xmm0, %xmm1, %xmm6 + pxor %xmm5, %xmm5 + mov $1, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm10 + pxor %xmm5, %xmm5 + mov $2, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm11 + vpaddd %xmm5, %xmm10, %xmm12 + vpshufb %xmm0, %xmm10, %xmm10 + vpaddd %xmm5, %xmm11, %xmm13 + vpshufb %xmm0, %xmm11, %xmm11 + vpxor %xmm4, %xmm10, %xmm10 + vpaddd %xmm5, %xmm12, %xmm14 + vpshufb %xmm0, %xmm12, %xmm12 + vpxor %xmm4, %xmm11, %xmm11 + vpaddd %xmm5, %xmm13, %xmm1 + vpshufb %xmm0, %xmm13, %xmm13 + vpxor %xmm4, %xmm12, %xmm12 + vpshufb %xmm0, %xmm14, %xmm14 + vpxor %xmm4, %xmm13, %xmm13 + vpshufb %xmm0, %xmm1, %xmm1 + vpxor %xmm4, %xmm14, %xmm14 +L75: + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -96(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -80(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -64(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -48(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -32(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 
-16(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 0(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 16(%rcx), %xmm15 + movdqu 32(%rcx), %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor 0(%rdi), %xmm3, %xmm4 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor 16(%rdi), %xmm3, %xmm5 + vaesenc %xmm15, %xmm11, %xmm11 + vpxor 32(%rdi), %xmm3, %xmm6 + vaesenc %xmm15, %xmm12, %xmm12 + vpxor 48(%rdi), %xmm3, %xmm8 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor 64(%rdi), %xmm3, %xmm2 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor 80(%rdi), %xmm3, %xmm3 + lea 96(%rdi), %rdi + vaesenclast %xmm4, %xmm9, %xmm9 + vaesenclast %xmm5, %xmm10, %xmm10 + vaesenclast %xmm6, %xmm11, %xmm11 + vaesenclast %xmm8, %xmm12, %xmm12 + vaesenclast %xmm2, %xmm13, %xmm13 + vaesenclast %xmm3, %xmm14, %xmm14 + movdqu %xmm9, 0(%rsi) + movdqu %xmm10, 16(%rsi) + movdqu %xmm11, 32(%rsi) + movdqu %xmm12, 48(%rsi) + movdqu %xmm13, 64(%rsi) + movdqu %xmm14, 80(%rsi) + lea 96(%rsi), %rsi + sub $12, %rdx + movdqu 32(%rbp), %xmm8 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + vpxor %xmm4, %xmm4, %xmm4 + movdqu -128(%rcx), %xmm15 + vpaddd %xmm2, %xmm1, %xmm10 + vpaddd %xmm2, %xmm10, %xmm11 + vpaddd %xmm2, %xmm11, %xmm12 + vpaddd %xmm2, %xmm12, %xmm13 + vpaddd %xmm2, %xmm13, %xmm14 + vpxor %xmm15, %xmm1, %xmm9 + movdqu %xmm4, 16(%rbp) + jmp L77 +.balign 16 +L76: + add $6, %rbx + cmp $256, %rbx + jb L78 + mov $579005069656919567, %r11 + pinsrq $0, %r11, %xmm0 + mov $283686952306183, %r11 + pinsrq $1, %r11, %xmm0 + vpshufb %xmm0, %xmm1, %xmm6 + pxor %xmm5, %xmm5 + mov $1, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm10 + pxor %xmm5, %xmm5 + mov $2, %r11 + 
pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm11 + movdqu -32(%r9), %xmm3 + vpaddd %xmm5, %xmm10, %xmm12 + vpshufb %xmm0, %xmm10, %xmm10 + vpaddd %xmm5, %xmm11, %xmm13 + vpshufb %xmm0, %xmm11, %xmm11 + vpxor %xmm15, %xmm10, %xmm10 + vpaddd %xmm5, %xmm12, %xmm14 + vpshufb %xmm0, %xmm12, %xmm12 + vpxor %xmm15, %xmm11, %xmm11 + vpaddd %xmm5, %xmm13, %xmm1 + vpshufb %xmm0, %xmm13, %xmm13 + vpshufb %xmm0, %xmm14, %xmm14 + vpshufb %xmm0, %xmm1, %xmm1 + sub $256, %rbx + jmp L79 +L78: + movdqu -32(%r9), %xmm3 + vpaddd %xmm14, %xmm2, %xmm1 + vpxor %xmm15, %xmm10, %xmm10 + vpxor %xmm15, %xmm11, %xmm11 +L79: + movdqu %xmm1, 128(%rbp) + vpclmulqdq $16, %xmm3, %xmm7, %xmm5 + vpxor %xmm15, %xmm12, %xmm12 + movdqu -112(%rcx), %xmm2 + vpclmulqdq $1, %xmm3, %xmm7, %xmm6 + vaesenc %xmm2, %xmm9, %xmm9 + movdqu 48(%rbp), %xmm0 + vpxor %xmm15, %xmm13, %xmm13 + vpclmulqdq $0, %xmm3, %xmm7, %xmm1 + vaesenc %xmm2, %xmm10, %xmm10 + vpxor %xmm15, %xmm14, %xmm14 + vpclmulqdq $17, %xmm3, %xmm7, %xmm7 + vaesenc %xmm2, %xmm11, %xmm11 + movdqu -16(%r9), %xmm3 + vaesenc %xmm2, %xmm12, %xmm12 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $0, %xmm3, %xmm0, %xmm5 + vpxor %xmm4, %xmm8, %xmm8 + vaesenc %xmm2, %xmm13, %xmm13 + vpxor %xmm5, %xmm1, %xmm4 + vpclmulqdq $16, %xmm3, %xmm0, %xmm1 + vaesenc %xmm2, %xmm14, %xmm14 + movdqu -96(%rcx), %xmm15 + vpclmulqdq $1, %xmm3, %xmm0, %xmm2 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor 16(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm3, %xmm0, %xmm3 + movdqu 64(%rbp), %xmm0 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 88(%r14), %r13 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 80(%r14), %r12 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 32(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 40(%rbp) + movdqu 16(%r9), %xmm5 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -80(%rcx), %xmm15 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vaesenc %xmm15, %xmm10, %xmm10 + 
vpxor %xmm3, %xmm7, %xmm7 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vaesenc %xmm15, %xmm11, %xmm11 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 80(%rbp), %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -64(%rcx), %xmm15 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $0, %xmm1, %xmm0, %xmm2 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $16, %xmm1, %xmm0, %xmm3 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 72(%r14), %r13 + vpxor %xmm5, %xmm7, %xmm7 + vpclmulqdq $1, %xmm1, %xmm0, %xmm5 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 64(%r14), %r12 + vpclmulqdq $17, %xmm1, %xmm0, %xmm1 + movdqu 96(%rbp), %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 48(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 56(%rbp) + vpxor %xmm2, %xmm4, %xmm4 + movdqu 64(%r9), %xmm2 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -48(%rcx), %xmm15 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $0, %xmm2, %xmm0, %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm2, %xmm0, %xmm5 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 56(%r14), %r13 + vpxor %xmm1, %xmm7, %xmm7 + vpclmulqdq $1, %xmm2, %xmm0, %xmm1 + vpxor 112(%rbp), %xmm8, %xmm8 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 48(%r14), %r12 + vpclmulqdq $17, %xmm2, %xmm0, %xmm2 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 64(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 72(%rbp) + vpxor %xmm3, %xmm4, %xmm4 + movdqu 80(%r9), %xmm3 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -32(%rcx), %xmm15 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm3, %xmm8, %xmm5 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $1, %xmm3, %xmm8, %xmm1 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 40(%r14), %r13 + vpxor %xmm2, %xmm7, %xmm7 + vpclmulqdq $0, %xmm3, %xmm8, %xmm2 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 32(%r14), %r12 + vpclmulqdq $17, %xmm3, %xmm8, %xmm8 + vaesenc %xmm15, 
%xmm12, %xmm12 + movq %r13, 80(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 88(%rbp) + vpxor %xmm5, %xmm6, %xmm6 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor %xmm1, %xmm6, %xmm6 + movdqu -16(%rcx), %xmm15 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm2, %xmm4, %xmm4 + pxor %xmm3, %xmm3 + mov $13979173243358019584, %r11 + pinsrq $1, %r11, %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm8, %xmm7, %xmm7 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor %xmm5, %xmm4, %xmm4 + movbeq 24(%r14), %r13 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 16(%r14), %r12 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + movq %r13, 96(%rbp) + vaesenc %xmm15, %xmm12, %xmm12 + movq %r12, 104(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 0(%rcx), %xmm1 + vaesenc %xmm1, %xmm9, %xmm9 + movdqu 16(%rcx), %xmm15 + vaesenc %xmm1, %xmm10, %xmm10 + vpsrldq $8, %xmm6, %xmm6 + vaesenc %xmm1, %xmm11, %xmm11 + vpxor %xmm6, %xmm7, %xmm7 + vaesenc %xmm1, %xmm12, %xmm12 + vpxor %xmm0, %xmm4, %xmm4 + movbeq 8(%r14), %r13 + vaesenc %xmm1, %xmm13, %xmm13 + movbeq 0(%r14), %r12 + vaesenc %xmm1, %xmm14, %xmm14 + movdqu 32(%rcx), %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + movdqu %xmm7, 16(%rbp) + vpalignr $8, %xmm4, %xmm4, %xmm8 + vaesenc %xmm15, %xmm10, %xmm10 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor 0(%rdi), %xmm1, %xmm2 + vaesenc %xmm15, %xmm11, %xmm11 + vpxor 16(%rdi), %xmm1, %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + vpxor 32(%rdi), %xmm1, %xmm5 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor 48(%rdi), %xmm1, %xmm6 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor 64(%rdi), %xmm1, %xmm7 + vpxor 80(%rdi), %xmm1, %xmm3 + movdqu 128(%rbp), %xmm1 + vaesenclast %xmm2, %xmm9, %xmm9 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + vaesenclast %xmm0, %xmm10, %xmm10 + vpaddd %xmm2, %xmm1, %xmm0 + movq %r13, 112(%rbp) + lea 96(%rdi), %rdi + vaesenclast %xmm5, %xmm11, %xmm11 + vpaddd %xmm2, %xmm0, %xmm5 + movq %r12, 120(%rbp) + lea 96(%rsi), %rsi + movdqu 
-128(%rcx), %xmm15 + vaesenclast %xmm6, %xmm12, %xmm12 + vpaddd %xmm2, %xmm5, %xmm6 + vaesenclast %xmm7, %xmm13, %xmm13 + vpaddd %xmm2, %xmm6, %xmm7 + vaesenclast %xmm3, %xmm14, %xmm14 + vpaddd %xmm2, %xmm7, %xmm3 + sub $6, %rdx + add $96, %r14 + cmp $0, %rdx + jbe L80 + movdqu %xmm9, -96(%rsi) + vpxor %xmm15, %xmm1, %xmm9 + movdqu %xmm10, -80(%rsi) + movdqu %xmm0, %xmm10 + movdqu %xmm11, -64(%rsi) + movdqu %xmm5, %xmm11 + movdqu %xmm12, -48(%rsi) + movdqu %xmm6, %xmm12 + movdqu %xmm13, -32(%rsi) + movdqu %xmm7, %xmm13 + movdqu %xmm14, -16(%rsi) + movdqu %xmm3, %xmm14 + movdqu 32(%rbp), %xmm7 + jmp L81 +L80: + vpxor 16(%rbp), %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 +L81: +.balign 16 +L77: + cmp $0, %rdx + ja L76 + movdqu 32(%rbp), %xmm7 + movdqu %xmm1, 32(%rbp) + pxor %xmm4, %xmm4 + movdqu %xmm4, 16(%rbp) + movdqu -32(%r9), %xmm3 + vpclmulqdq $0, %xmm3, %xmm7, %xmm1 + vpclmulqdq $16, %xmm3, %xmm7, %xmm5 + movdqu 48(%rbp), %xmm0 + vpclmulqdq $1, %xmm3, %xmm7, %xmm6 + vpclmulqdq $17, %xmm3, %xmm7, %xmm7 + movdqu -16(%r9), %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $0, %xmm3, %xmm0, %xmm5 + vpxor %xmm4, %xmm8, %xmm8 + vpxor %xmm5, %xmm1, %xmm4 + vpclmulqdq $16, %xmm3, %xmm0, %xmm1 + vpclmulqdq $1, %xmm3, %xmm0, %xmm2 + vpxor 16(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm3, %xmm0, %xmm3 + movdqu 64(%rbp), %xmm0 + movdqu 16(%r9), %xmm5 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpxor %xmm3, %xmm7, %xmm7 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 80(%rbp), %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $0, %xmm1, %xmm0, %xmm2 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $16, %xmm1, %xmm0, %xmm3 + vpxor %xmm5, %xmm7, %xmm7 + vpclmulqdq $1, %xmm1, %xmm0, %xmm5 + vpclmulqdq $17, %xmm1, %xmm0, %xmm1 + movdqu 96(%rbp), %xmm0 + vpxor %xmm2, %xmm4, %xmm4 + movdqu 64(%r9), %xmm2 + vpxor %xmm3, 
%xmm6, %xmm6 + vpclmulqdq $0, %xmm2, %xmm0, %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm2, %xmm0, %xmm5 + vpxor %xmm1, %xmm7, %xmm7 + vpclmulqdq $1, %xmm2, %xmm0, %xmm1 + vpxor 112(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm2, %xmm0, %xmm2 + vpxor %xmm3, %xmm4, %xmm4 + movdqu 80(%r9), %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm3, %xmm8, %xmm5 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $1, %xmm3, %xmm8, %xmm1 + vpxor %xmm2, %xmm7, %xmm7 + vpclmulqdq $0, %xmm3, %xmm8, %xmm2 + vpclmulqdq $17, %xmm3, %xmm8, %xmm8 + vpxor %xmm5, %xmm6, %xmm6 + vpxor %xmm1, %xmm6, %xmm6 + vpxor %xmm2, %xmm4, %xmm4 + pxor %xmm3, %xmm3 + mov $3254779904, %rax + pinsrd $3, %eax, %xmm3 + vpxor %xmm8, %xmm7, %xmm7 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm0 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm0 + movdqu %xmm9, -96(%rsi) + vpshufb %xmm0, %xmm9, %xmm9 + vpxor %xmm7, %xmm1, %xmm1 + movdqu %xmm10, -80(%rsi) + vpshufb %xmm0, %xmm10, %xmm10 + movdqu %xmm11, -64(%rsi) + vpshufb %xmm0, %xmm11, %xmm11 + movdqu %xmm12, -48(%rsi) + vpshufb %xmm0, %xmm12, %xmm12 + movdqu %xmm13, -32(%rsi) + vpshufb %xmm0, %xmm13, %xmm13 + movdqu %xmm14, -16(%rsi) + vpshufb %xmm0, %xmm14, %xmm14 + pxor %xmm4, %xmm4 + movdqu %xmm14, %xmm7 + movdqu %xmm4, 16(%rbp) + movdqu %xmm13, 48(%rbp) + movdqu %xmm12, 64(%rbp) + movdqu %xmm11, 80(%rbp) + movdqu %xmm10, 96(%rbp) + movdqu %xmm9, 112(%rbp) + movdqu -32(%r9), %xmm3 + vpclmulqdq $0, %xmm3, %xmm7, %xmm1 + vpclmulqdq $16, %xmm3, %xmm7, %xmm5 + movdqu 48(%rbp), %xmm0 + vpclmulqdq $1, %xmm3, %xmm7, %xmm6 + vpclmulqdq $17, %xmm3, %xmm7, %xmm7 + movdqu -16(%r9), %xmm3 + vpxor %xmm5, %xmm6, %xmm6 
+ vpclmulqdq $0, %xmm3, %xmm0, %xmm5 + vpxor %xmm4, %xmm8, %xmm8 + vpxor %xmm5, %xmm1, %xmm4 + vpclmulqdq $16, %xmm3, %xmm0, %xmm1 + vpclmulqdq $1, %xmm3, %xmm0, %xmm2 + vpxor 16(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm3, %xmm0, %xmm3 + movdqu 64(%rbp), %xmm0 + movdqu 16(%r9), %xmm5 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpxor %xmm3, %xmm7, %xmm7 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 80(%rbp), %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $0, %xmm1, %xmm0, %xmm2 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $16, %xmm1, %xmm0, %xmm3 + vpxor %xmm5, %xmm7, %xmm7 + vpclmulqdq $1, %xmm1, %xmm0, %xmm5 + vpclmulqdq $17, %xmm1, %xmm0, %xmm1 + movdqu 96(%rbp), %xmm0 + vpxor %xmm2, %xmm4, %xmm4 + movdqu 64(%r9), %xmm2 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $0, %xmm2, %xmm0, %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm2, %xmm0, %xmm5 + vpxor %xmm1, %xmm7, %xmm7 + vpclmulqdq $1, %xmm2, %xmm0, %xmm1 + vpxor 112(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm2, %xmm0, %xmm2 + vpxor %xmm3, %xmm4, %xmm4 + movdqu 80(%r9), %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm3, %xmm8, %xmm5 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $1, %xmm3, %xmm8, %xmm1 + vpxor %xmm2, %xmm7, %xmm7 + vpclmulqdq $0, %xmm3, %xmm8, %xmm2 + vpclmulqdq $17, %xmm3, %xmm8, %xmm8 + vpxor %xmm5, %xmm6, %xmm6 + vpxor %xmm1, %xmm6, %xmm6 + vpxor %xmm2, %xmm4, %xmm4 + pxor %xmm3, %xmm3 + mov $3254779904, %rax + pinsrd $3, %eax, %xmm3 + vpxor %xmm8, %xmm7, %xmm7 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + sub $128, %rcx 
+L71: + movdqu 32(%rbp), %xmm11 + mov %rcx, %r8 + mov 104(%rsp), %rax + mov 112(%rsp), %rdi + mov 120(%rsp), %rdx + mov %rdx, %r14 + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm9 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm9 + pshufb %xmm9, %xmm11 + pxor %xmm10, %xmm10 + mov $1, %rbx + pinsrd $0, %ebx, %xmm10 + mov %rax, %r11 + mov %rdi, %r10 + mov $0, %rbx + jmp L83 +.balign 16 +L82: + movdqu %xmm11, %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + movdqu 0(%r11), %xmm2 + pxor %xmm0, %xmm2 + movdqu %xmm2, 0(%r10) + add $1, %rbx + add $16, %r11 + add $16, %r10 + paddd %xmm10, %xmm11 +.balign 16 +L83: + cmp %rdx, %rbx + jne L82 + mov %rdi, %r11 + jmp L85 +.balign 16 +L84: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + 
sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L85: + cmp $6, %rdx + jae L84 + cmp $0, %rdx + jbe L86 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + 
movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L88 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L89 +L88: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L90 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L92 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L94 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L95 +L94: +L95: + jmp L93 +L92: +L93: + jmp L91 +L90: +L91: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, 
%xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L89: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L87 +L86: +L87: + add 96(%rsp), %r14 + imul $16, %r14 + mov 136(%rsp), %r13 + cmp %r14, %r13 + jbe L96 + mov 128(%rsp), %rax + mov %r13, %r10 + and $15, %r10 + movdqu %xmm11, %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + movdqu 0(%rax), %xmm4 + pxor %xmm4, %xmm0 + movdqu %xmm0, 0(%rax) + cmp $8, %r10 + jae L98 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L99 +L98: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L99: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, 
%xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L97 +L96: +L97: + mov %r15, %r11 + pxor %xmm0, %xmm0 + mov %r11, %rax + imul $8, %rax + pinsrq $1, %rax, %xmm0 + mov %r13, %rax + imul $8, %rax + pinsrq $0, %rax, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + movdqu 0(%rbp), %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pshufb %xmm9, %xmm8 + pxor 
%xmm0, %xmm8 + mov 152(%rsp), %r15 + movdqu %xmm8, 0(%r15) + pop %rbx + pop %rbp + pop %rdi + pop %rsi + pop %r12 + pop %r13 + pop %r14 + pop %r15 + ret + +.global _gcm256_encrypt_opt +_gcm256_encrypt_opt: + push %r15 + push %r14 + push %r13 + push %r12 + push %rsi + push %rdi + push %rbp + push %rbx + mov 144(%rsp), %rbp + mov %rcx, %r13 + lea 32(%r9), %r9 + mov 72(%rsp), %rbx + mov %rdx, %rcx + imul $16, %rcx + mov $579005069656919567, %r10 + pinsrq $0, %r10, %xmm9 + mov $283686952306183, %r10 + pinsrq $1, %r10, %xmm9 + pxor %xmm8, %xmm8 + mov %rdi, %r11 + jmp L101 +.balign 16 +L100: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 
64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L101: + cmp $6, %rdx + jae L100 + cmp $0, %rdx + jbe L102 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L104 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L105 +L104: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, 
%xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L106 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L108 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L110 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L111 +L110: +L111: + jmp L109 +L108: +L109: + jmp L107 +L106: +L107: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L105: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + 
vpxor %xmm4, %xmm8, %xmm8 + jmp L103 +L102: +L103: + mov %rsi, %r15 + cmp %rcx, %rsi + jbe L112 + movdqu 0(%rbx), %xmm0 + mov %rsi, %r10 + and $15, %r10 + cmp $8, %r10 + jae L114 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L115 +L114: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L115: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L113 +L112: +L113: + mov 80(%rsp), %rdi + mov 88(%rsp), %rsi + mov 96(%rsp), %rdx + mov %r13, %rcx + movdqu %xmm9, %xmm0 + movdqu 0(%r8), %xmm1 + movdqu %xmm1, 0(%rbp) + pxor %xmm10, %xmm10 + mov $1, %r11 + pinsrq $0, %r11, %xmm10 + vpaddd %xmm10, %xmm1, %xmm1 + cmp $0, %rdx + jne L116 + vpshufb %xmm0, %xmm1, %xmm1 + movdqu %xmm1, 32(%rbp) + jmp L117 +L116: + movdqu %xmm8, 32(%rbp) + add $128, %rcx + pextrq $0, %xmm1, %rbx + and $255, %rbx + vpshufb %xmm0, %xmm1, %xmm1 + lea 96(%rsi), %r14 + movdqu -128(%rcx), %xmm4 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + movdqu -112(%rcx), %xmm15 + mov %rcx, %r12 + sub $96, %r12 + vpxor %xmm4, %xmm1, %xmm9 + add $6, %rbx + cmp $256, %rbx + jae L118 + 
vpaddd %xmm2, %xmm1, %xmm10 + vpaddd %xmm2, %xmm10, %xmm11 + vpxor %xmm4, %xmm10, %xmm10 + vpaddd %xmm2, %xmm11, %xmm12 + vpxor %xmm4, %xmm11, %xmm11 + vpaddd %xmm2, %xmm12, %xmm13 + vpxor %xmm4, %xmm12, %xmm12 + vpaddd %xmm2, %xmm13, %xmm14 + vpxor %xmm4, %xmm13, %xmm13 + vpaddd %xmm2, %xmm14, %xmm1 + vpxor %xmm4, %xmm14, %xmm14 + jmp L119 +L118: + sub $256, %rbx + vpshufb %xmm0, %xmm1, %xmm6 + pxor %xmm5, %xmm5 + mov $1, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm10 + pxor %xmm5, %xmm5 + mov $2, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm11 + vpaddd %xmm5, %xmm10, %xmm12 + vpshufb %xmm0, %xmm10, %xmm10 + vpaddd %xmm5, %xmm11, %xmm13 + vpshufb %xmm0, %xmm11, %xmm11 + vpxor %xmm4, %xmm10, %xmm10 + vpaddd %xmm5, %xmm12, %xmm14 + vpshufb %xmm0, %xmm12, %xmm12 + vpxor %xmm4, %xmm11, %xmm11 + vpaddd %xmm5, %xmm13, %xmm1 + vpshufb %xmm0, %xmm13, %xmm13 + vpxor %xmm4, %xmm12, %xmm12 + vpshufb %xmm0, %xmm14, %xmm14 + vpxor %xmm4, %xmm13, %xmm13 + vpshufb %xmm0, %xmm1, %xmm1 + vpxor %xmm4, %xmm14, %xmm14 +L119: + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -96(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -80(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -64(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -48(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, 
%xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -32(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -16(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 0(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 16(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 32(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 48(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 64(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 80(%rcx), %xmm15 + movdqu 96(%rcx), %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor 0(%rdi), %xmm3, %xmm4 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor 16(%rdi), %xmm3, %xmm5 + vaesenc %xmm15, %xmm11, %xmm11 + vpxor 32(%rdi), %xmm3, %xmm6 + vaesenc %xmm15, %xmm12, %xmm12 + vpxor 48(%rdi), %xmm3, %xmm8 + 
vaesenc %xmm15, %xmm13, %xmm13 + vpxor 64(%rdi), %xmm3, %xmm2 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor 80(%rdi), %xmm3, %xmm3 + lea 96(%rdi), %rdi + vaesenclast %xmm4, %xmm9, %xmm9 + vaesenclast %xmm5, %xmm10, %xmm10 + vaesenclast %xmm6, %xmm11, %xmm11 + vaesenclast %xmm8, %xmm12, %xmm12 + vaesenclast %xmm2, %xmm13, %xmm13 + vaesenclast %xmm3, %xmm14, %xmm14 + movdqu %xmm9, 0(%rsi) + movdqu %xmm10, 16(%rsi) + movdqu %xmm11, 32(%rsi) + movdqu %xmm12, 48(%rsi) + movdqu %xmm13, 64(%rsi) + movdqu %xmm14, 80(%rsi) + lea 96(%rsi), %rsi + vpshufb %xmm0, %xmm9, %xmm8 + vpshufb %xmm0, %xmm10, %xmm2 + movdqu %xmm8, 112(%rbp) + vpshufb %xmm0, %xmm11, %xmm4 + movdqu %xmm2, 96(%rbp) + vpshufb %xmm0, %xmm12, %xmm5 + movdqu %xmm4, 80(%rbp) + vpshufb %xmm0, %xmm13, %xmm6 + movdqu %xmm5, 64(%rbp) + vpshufb %xmm0, %xmm14, %xmm7 + movdqu %xmm6, 48(%rbp) + movdqu -128(%rcx), %xmm4 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + movdqu -112(%rcx), %xmm15 + mov %rcx, %r12 + sub $96, %r12 + vpxor %xmm4, %xmm1, %xmm9 + add $6, %rbx + cmp $256, %rbx + jae L120 + vpaddd %xmm2, %xmm1, %xmm10 + vpaddd %xmm2, %xmm10, %xmm11 + vpxor %xmm4, %xmm10, %xmm10 + vpaddd %xmm2, %xmm11, %xmm12 + vpxor %xmm4, %xmm11, %xmm11 + vpaddd %xmm2, %xmm12, %xmm13 + vpxor %xmm4, %xmm12, %xmm12 + vpaddd %xmm2, %xmm13, %xmm14 + vpxor %xmm4, %xmm13, %xmm13 + vpaddd %xmm2, %xmm14, %xmm1 + vpxor %xmm4, %xmm14, %xmm14 + jmp L121 +L120: + sub $256, %rbx + vpshufb %xmm0, %xmm1, %xmm6 + pxor %xmm5, %xmm5 + mov $1, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm10 + pxor %xmm5, %xmm5 + mov $2, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm11 + vpaddd %xmm5, %xmm10, %xmm12 + vpshufb %xmm0, %xmm10, %xmm10 + vpaddd %xmm5, %xmm11, %xmm13 + vpshufb %xmm0, %xmm11, %xmm11 + vpxor %xmm4, %xmm10, %xmm10 + vpaddd %xmm5, %xmm12, %xmm14 + vpshufb %xmm0, %xmm12, %xmm12 + vpxor %xmm4, %xmm11, %xmm11 + vpaddd %xmm5, %xmm13, %xmm1 + vpshufb %xmm0, %xmm13, %xmm13 + vpxor %xmm4, %xmm12, 
%xmm12 + vpshufb %xmm0, %xmm14, %xmm14 + vpxor %xmm4, %xmm13, %xmm13 + vpshufb %xmm0, %xmm1, %xmm1 + vpxor %xmm4, %xmm14, %xmm14 +L121: + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -96(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -80(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -64(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -48(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -32(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -16(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 0(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 16(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, 
%xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 32(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 48(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 64(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 80(%rcx), %xmm15 + movdqu 96(%rcx), %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor 0(%rdi), %xmm3, %xmm4 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor 16(%rdi), %xmm3, %xmm5 + vaesenc %xmm15, %xmm11, %xmm11 + vpxor 32(%rdi), %xmm3, %xmm6 + vaesenc %xmm15, %xmm12, %xmm12 + vpxor 48(%rdi), %xmm3, %xmm8 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor 64(%rdi), %xmm3, %xmm2 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor 80(%rdi), %xmm3, %xmm3 + lea 96(%rdi), %rdi + vaesenclast %xmm4, %xmm9, %xmm9 + vaesenclast %xmm5, %xmm10, %xmm10 + vaesenclast %xmm6, %xmm11, %xmm11 + vaesenclast %xmm8, %xmm12, %xmm12 + vaesenclast %xmm2, %xmm13, %xmm13 + vaesenclast %xmm3, %xmm14, %xmm14 + movdqu %xmm9, 0(%rsi) + movdqu %xmm10, 16(%rsi) + movdqu %xmm11, 32(%rsi) + movdqu %xmm12, 48(%rsi) + movdqu %xmm13, 64(%rsi) + movdqu %xmm14, 80(%rsi) + lea 96(%rsi), %rsi + sub $12, %rdx + movdqu 32(%rbp), %xmm8 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + vpxor %xmm4, %xmm4, %xmm4 + movdqu -128(%rcx), %xmm15 + vpaddd %xmm2, %xmm1, %xmm10 + vpaddd %xmm2, %xmm10, %xmm11 + vpaddd %xmm2, %xmm11, %xmm12 + vpaddd %xmm2, %xmm12, %xmm13 + vpaddd %xmm2, %xmm13, %xmm14 + vpxor %xmm15, %xmm1, %xmm9 + movdqu %xmm4, 
16(%rbp) + jmp L123 +.balign 16 +L122: + add $6, %rbx + cmp $256, %rbx + jb L124 + mov $579005069656919567, %r11 + pinsrq $0, %r11, %xmm0 + mov $283686952306183, %r11 + pinsrq $1, %r11, %xmm0 + vpshufb %xmm0, %xmm1, %xmm6 + pxor %xmm5, %xmm5 + mov $1, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm10 + pxor %xmm5, %xmm5 + mov $2, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm11 + movdqu -32(%r9), %xmm3 + vpaddd %xmm5, %xmm10, %xmm12 + vpshufb %xmm0, %xmm10, %xmm10 + vpaddd %xmm5, %xmm11, %xmm13 + vpshufb %xmm0, %xmm11, %xmm11 + vpxor %xmm15, %xmm10, %xmm10 + vpaddd %xmm5, %xmm12, %xmm14 + vpshufb %xmm0, %xmm12, %xmm12 + vpxor %xmm15, %xmm11, %xmm11 + vpaddd %xmm5, %xmm13, %xmm1 + vpshufb %xmm0, %xmm13, %xmm13 + vpshufb %xmm0, %xmm14, %xmm14 + vpshufb %xmm0, %xmm1, %xmm1 + sub $256, %rbx + jmp L125 +L124: + movdqu -32(%r9), %xmm3 + vpaddd %xmm14, %xmm2, %xmm1 + vpxor %xmm15, %xmm10, %xmm10 + vpxor %xmm15, %xmm11, %xmm11 +L125: + movdqu %xmm1, 128(%rbp) + vpclmulqdq $16, %xmm3, %xmm7, %xmm5 + vpxor %xmm15, %xmm12, %xmm12 + movdqu -112(%rcx), %xmm2 + vpclmulqdq $1, %xmm3, %xmm7, %xmm6 + vaesenc %xmm2, %xmm9, %xmm9 + movdqu 48(%rbp), %xmm0 + vpxor %xmm15, %xmm13, %xmm13 + vpclmulqdq $0, %xmm3, %xmm7, %xmm1 + vaesenc %xmm2, %xmm10, %xmm10 + vpxor %xmm15, %xmm14, %xmm14 + vpclmulqdq $17, %xmm3, %xmm7, %xmm7 + vaesenc %xmm2, %xmm11, %xmm11 + movdqu -16(%r9), %xmm3 + vaesenc %xmm2, %xmm12, %xmm12 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $0, %xmm3, %xmm0, %xmm5 + vpxor %xmm4, %xmm8, %xmm8 + vaesenc %xmm2, %xmm13, %xmm13 + vpxor %xmm5, %xmm1, %xmm4 + vpclmulqdq $16, %xmm3, %xmm0, %xmm1 + vaesenc %xmm2, %xmm14, %xmm14 + movdqu -96(%rcx), %xmm15 + vpclmulqdq $1, %xmm3, %xmm0, %xmm2 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor 16(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm3, %xmm0, %xmm3 + movdqu 64(%rbp), %xmm0 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 88(%r14), %r13 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 80(%r14), %r12 + vaesenc %xmm15, %xmm12, %xmm12 + movq 
%r13, 32(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 40(%rbp) + movdqu 16(%r9), %xmm5 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -80(%rcx), %xmm15 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor %xmm3, %xmm7, %xmm7 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vaesenc %xmm15, %xmm11, %xmm11 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 80(%rbp), %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -64(%rcx), %xmm15 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $0, %xmm1, %xmm0, %xmm2 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $16, %xmm1, %xmm0, %xmm3 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 72(%r14), %r13 + vpxor %xmm5, %xmm7, %xmm7 + vpclmulqdq $1, %xmm1, %xmm0, %xmm5 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 64(%r14), %r12 + vpclmulqdq $17, %xmm1, %xmm0, %xmm1 + movdqu 96(%rbp), %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 48(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 56(%rbp) + vpxor %xmm2, %xmm4, %xmm4 + movdqu 64(%r9), %xmm2 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -48(%rcx), %xmm15 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $0, %xmm2, %xmm0, %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm2, %xmm0, %xmm5 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 56(%r14), %r13 + vpxor %xmm1, %xmm7, %xmm7 + vpclmulqdq $1, %xmm2, %xmm0, %xmm1 + vpxor 112(%rbp), %xmm8, %xmm8 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 48(%r14), %r12 + vpclmulqdq $17, %xmm2, %xmm0, %xmm2 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 64(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 72(%rbp) + vpxor %xmm3, %xmm4, %xmm4 + movdqu 80(%r9), %xmm3 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -32(%rcx), %xmm15 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm3, 
%xmm8, %xmm5 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $1, %xmm3, %xmm8, %xmm1 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 40(%r14), %r13 + vpxor %xmm2, %xmm7, %xmm7 + vpclmulqdq $0, %xmm3, %xmm8, %xmm2 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 32(%r14), %r12 + vpclmulqdq $17, %xmm3, %xmm8, %xmm8 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 80(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 88(%rbp) + vpxor %xmm5, %xmm6, %xmm6 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor %xmm1, %xmm6, %xmm6 + movdqu -16(%rcx), %xmm15 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm2, %xmm4, %xmm4 + pxor %xmm3, %xmm3 + mov $13979173243358019584, %r11 + pinsrq $1, %r11, %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm8, %xmm7, %xmm7 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor %xmm5, %xmm4, %xmm4 + movbeq 24(%r14), %r13 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 16(%r14), %r12 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + movq %r13, 96(%rbp) + vaesenc %xmm15, %xmm12, %xmm12 + movq %r12, 104(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 0(%rcx), %xmm1 + vaesenc %xmm1, %xmm9, %xmm9 + movdqu 16(%rcx), %xmm15 + vaesenc %xmm1, %xmm10, %xmm10 + vpsrldq $8, %xmm6, %xmm6 + vaesenc %xmm1, %xmm11, %xmm11 + vpxor %xmm6, %xmm7, %xmm7 + vaesenc %xmm1, %xmm12, %xmm12 + vpxor %xmm0, %xmm4, %xmm4 + movbeq 8(%r14), %r13 + vaesenc %xmm1, %xmm13, %xmm13 + movbeq 0(%r14), %r12 + vaesenc %xmm1, %xmm14, %xmm14 + movdqu 32(%rcx), %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + vaesenc %xmm1, %xmm9, %xmm9 + vaesenc %xmm1, %xmm10, %xmm10 + vaesenc %xmm1, %xmm11, %xmm11 + vaesenc %xmm1, %xmm12, %xmm12 + vaesenc %xmm1, %xmm13, %xmm13 + movdqu 48(%rcx), %xmm15 + vaesenc %xmm1, %xmm14, %xmm14 + movdqu 64(%rcx), %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 
+ vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + vaesenc %xmm1, %xmm9, %xmm9 + vaesenc %xmm1, %xmm10, %xmm10 + vaesenc %xmm1, %xmm11, %xmm11 + vaesenc %xmm1, %xmm12, %xmm12 + vaesenc %xmm1, %xmm13, %xmm13 + movdqu 80(%rcx), %xmm15 + vaesenc %xmm1, %xmm14, %xmm14 + movdqu 96(%rcx), %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + movdqu %xmm7, 16(%rbp) + vpalignr $8, %xmm4, %xmm4, %xmm8 + vaesenc %xmm15, %xmm10, %xmm10 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor 0(%rdi), %xmm1, %xmm2 + vaesenc %xmm15, %xmm11, %xmm11 + vpxor 16(%rdi), %xmm1, %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + vpxor 32(%rdi), %xmm1, %xmm5 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor 48(%rdi), %xmm1, %xmm6 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor 64(%rdi), %xmm1, %xmm7 + vpxor 80(%rdi), %xmm1, %xmm3 + movdqu 128(%rbp), %xmm1 + vaesenclast %xmm2, %xmm9, %xmm9 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + vaesenclast %xmm0, %xmm10, %xmm10 + vpaddd %xmm2, %xmm1, %xmm0 + movq %r13, 112(%rbp) + lea 96(%rdi), %rdi + vaesenclast %xmm5, %xmm11, %xmm11 + vpaddd %xmm2, %xmm0, %xmm5 + movq %r12, 120(%rbp) + lea 96(%rsi), %rsi + movdqu -128(%rcx), %xmm15 + vaesenclast %xmm6, %xmm12, %xmm12 + vpaddd %xmm2, %xmm5, %xmm6 + vaesenclast %xmm7, %xmm13, %xmm13 + vpaddd %xmm2, %xmm6, %xmm7 + vaesenclast %xmm3, %xmm14, %xmm14 + vpaddd %xmm2, %xmm7, %xmm3 + sub $6, %rdx + add $96, %r14 + cmp $0, %rdx + jbe L126 + movdqu %xmm9, -96(%rsi) + vpxor %xmm15, %xmm1, %xmm9 + movdqu %xmm10, -80(%rsi) + movdqu %xmm0, %xmm10 + movdqu %xmm11, -64(%rsi) + movdqu %xmm5, %xmm11 + movdqu %xmm12, -48(%rsi) + movdqu %xmm6, %xmm12 + movdqu %xmm13, -32(%rsi) + movdqu %xmm7, %xmm13 + movdqu %xmm14, -16(%rsi) + movdqu %xmm3, %xmm14 + movdqu 32(%rbp), %xmm7 + jmp L127 +L126: + vpxor 16(%rbp), %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 +L127: +.balign 16 +L123: + cmp $0, %rdx + ja L122 + movdqu 32(%rbp), %xmm7 + movdqu %xmm1, 32(%rbp) + 
pxor %xmm4, %xmm4 + movdqu %xmm4, 16(%rbp) + movdqu -32(%r9), %xmm3 + vpclmulqdq $0, %xmm3, %xmm7, %xmm1 + vpclmulqdq $16, %xmm3, %xmm7, %xmm5 + movdqu 48(%rbp), %xmm0 + vpclmulqdq $1, %xmm3, %xmm7, %xmm6 + vpclmulqdq $17, %xmm3, %xmm7, %xmm7 + movdqu -16(%r9), %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $0, %xmm3, %xmm0, %xmm5 + vpxor %xmm4, %xmm8, %xmm8 + vpxor %xmm5, %xmm1, %xmm4 + vpclmulqdq $16, %xmm3, %xmm0, %xmm1 + vpclmulqdq $1, %xmm3, %xmm0, %xmm2 + vpxor 16(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm3, %xmm0, %xmm3 + movdqu 64(%rbp), %xmm0 + movdqu 16(%r9), %xmm5 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpxor %xmm3, %xmm7, %xmm7 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 80(%rbp), %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $0, %xmm1, %xmm0, %xmm2 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $16, %xmm1, %xmm0, %xmm3 + vpxor %xmm5, %xmm7, %xmm7 + vpclmulqdq $1, %xmm1, %xmm0, %xmm5 + vpclmulqdq $17, %xmm1, %xmm0, %xmm1 + movdqu 96(%rbp), %xmm0 + vpxor %xmm2, %xmm4, %xmm4 + movdqu 64(%r9), %xmm2 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $0, %xmm2, %xmm0, %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm2, %xmm0, %xmm5 + vpxor %xmm1, %xmm7, %xmm7 + vpclmulqdq $1, %xmm2, %xmm0, %xmm1 + vpxor 112(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm2, %xmm0, %xmm2 + vpxor %xmm3, %xmm4, %xmm4 + movdqu 80(%r9), %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm3, %xmm8, %xmm5 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $1, %xmm3, %xmm8, %xmm1 + vpxor %xmm2, %xmm7, %xmm7 + vpclmulqdq $0, %xmm3, %xmm8, %xmm2 + vpclmulqdq $17, %xmm3, %xmm8, %xmm8 + vpxor %xmm5, %xmm6, %xmm6 + vpxor %xmm1, %xmm6, %xmm6 + vpxor %xmm2, %xmm4, %xmm4 + pxor %xmm3, %xmm3 + mov $3254779904, %rax + pinsrd $3, %eax, %xmm3 + vpxor %xmm8, %xmm7, %xmm7 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + 
vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm0 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm0 + movdqu %xmm9, -96(%rsi) + vpshufb %xmm0, %xmm9, %xmm9 + vpxor %xmm7, %xmm1, %xmm1 + movdqu %xmm10, -80(%rsi) + vpshufb %xmm0, %xmm10, %xmm10 + movdqu %xmm11, -64(%rsi) + vpshufb %xmm0, %xmm11, %xmm11 + movdqu %xmm12, -48(%rsi) + vpshufb %xmm0, %xmm12, %xmm12 + movdqu %xmm13, -32(%rsi) + vpshufb %xmm0, %xmm13, %xmm13 + movdqu %xmm14, -16(%rsi) + vpshufb %xmm0, %xmm14, %xmm14 + pxor %xmm4, %xmm4 + movdqu %xmm14, %xmm7 + movdqu %xmm4, 16(%rbp) + movdqu %xmm13, 48(%rbp) + movdqu %xmm12, 64(%rbp) + movdqu %xmm11, 80(%rbp) + movdqu %xmm10, 96(%rbp) + movdqu %xmm9, 112(%rbp) + movdqu -32(%r9), %xmm3 + vpclmulqdq $0, %xmm3, %xmm7, %xmm1 + vpclmulqdq $16, %xmm3, %xmm7, %xmm5 + movdqu 48(%rbp), %xmm0 + vpclmulqdq $1, %xmm3, %xmm7, %xmm6 + vpclmulqdq $17, %xmm3, %xmm7, %xmm7 + movdqu -16(%r9), %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $0, %xmm3, %xmm0, %xmm5 + vpxor %xmm4, %xmm8, %xmm8 + vpxor %xmm5, %xmm1, %xmm4 + vpclmulqdq $16, %xmm3, %xmm0, %xmm1 + vpclmulqdq $1, %xmm3, %xmm0, %xmm2 + vpxor 16(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm3, %xmm0, %xmm3 + movdqu 64(%rbp), %xmm0 + movdqu 16(%r9), %xmm5 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpxor %xmm3, %xmm7, %xmm7 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 80(%rbp), %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $0, %xmm1, %xmm0, %xmm2 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $16, %xmm1, %xmm0, %xmm3 + vpxor %xmm5, %xmm7, %xmm7 + vpclmulqdq $1, 
%xmm1, %xmm0, %xmm5 + vpclmulqdq $17, %xmm1, %xmm0, %xmm1 + movdqu 96(%rbp), %xmm0 + vpxor %xmm2, %xmm4, %xmm4 + movdqu 64(%r9), %xmm2 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $0, %xmm2, %xmm0, %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm2, %xmm0, %xmm5 + vpxor %xmm1, %xmm7, %xmm7 + vpclmulqdq $1, %xmm2, %xmm0, %xmm1 + vpxor 112(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm2, %xmm0, %xmm2 + vpxor %xmm3, %xmm4, %xmm4 + movdqu 80(%r9), %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm3, %xmm8, %xmm5 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $1, %xmm3, %xmm8, %xmm1 + vpxor %xmm2, %xmm7, %xmm7 + vpclmulqdq $0, %xmm3, %xmm8, %xmm2 + vpclmulqdq $17, %xmm3, %xmm8, %xmm8 + vpxor %xmm5, %xmm6, %xmm6 + vpxor %xmm1, %xmm6, %xmm6 + vpxor %xmm2, %xmm4, %xmm4 + pxor %xmm3, %xmm3 + mov $3254779904, %rax + pinsrd $3, %eax, %xmm3 + vpxor %xmm8, %xmm7, %xmm7 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + sub $128, %rcx +L117: + movdqu 32(%rbp), %xmm11 + mov %rcx, %r8 + mov 104(%rsp), %rax + mov 112(%rsp), %rdi + mov 120(%rsp), %rdx + mov %rdx, %r14 + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm9 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm9 + pshufb %xmm9, %xmm11 + pxor %xmm10, %xmm10 + mov $1, %rbx + pinsrd $0, %ebx, %xmm10 + mov %rax, %r11 + mov %rdi, %r10 + mov $0, %rbx + jmp L129 +.balign 16 +L128: + movdqu %xmm11, %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + 
movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 176(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 192(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 208(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 224(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + movdqu 0(%r11), %xmm2 + pxor %xmm0, %xmm2 + movdqu %xmm2, 0(%r10) + add $1, %rbx + add $16, %r11 + add $16, %r10 + paddd %xmm10, %xmm11 +.balign 16 +L129: + cmp %rdx, %rbx + jne L128 + mov %rdi, %r11 + jmp L131 +.balign 16 +L130: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 
+ vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L131: + cmp $6, %rdx + jae L130 + cmp $0, %rdx + jbe L132 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L134 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L135 +L134: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + 
movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L136 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L138 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L140 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L141 +L140: +L141: + jmp L139 +L138: +L139: + jmp L137 +L136: +L137: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L135: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, 
%xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L133 +L132: +L133: + add 96(%rsp), %r14 + imul $16, %r14 + mov 136(%rsp), %r13 + cmp %r14, %r13 + jbe L142 + mov 128(%rsp), %rax + mov %r13, %r10 + and $15, %r10 + movdqu %xmm11, %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 176(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 192(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 208(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 224(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + movdqu 0(%rax), %xmm4 + pxor %xmm4, %xmm0 + movdqu %xmm0, 0(%rax) + cmp $8, %r10 + jae L144 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L145 +L144: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L145: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, 
%xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L143 +L142: +L143: + mov %r15, %r11 + pxor %xmm0, %xmm0 + mov %r11, %rax + imul $8, %rax + pinsrq $1, %rax, %xmm0 + mov %r13, %rax + imul $8, %rax + pinsrq $0, %rax, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + movdqu 0(%rbp), %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 176(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 192(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 208(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 224(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pshufb %xmm9, %xmm8 + pxor %xmm0, %xmm8 + mov 152(%rsp), %r15 + movdqu %xmm8, 0(%r15) + pop %rbx + pop %rbp + pop %rdi + pop %rsi + pop %r12 + pop %r13 + pop %r14 + pop %r15 + ret + +.global 
_gcm128_decrypt_opt +_gcm128_decrypt_opt: + push %r15 + push %r14 + push %r13 + push %r12 + push %rsi + push %rdi + push %rbp + push %rbx + mov 144(%rsp), %rbp + mov %rcx, %r13 + lea 32(%r9), %r9 + mov 72(%rsp), %rbx + mov %rdx, %rcx + imul $16, %rcx + mov $579005069656919567, %r10 + pinsrq $0, %r10, %xmm9 + mov $283686952306183, %r10 + pinsrq $1, %r10, %xmm9 + pxor %xmm8, %xmm8 + mov %rdi, %r11 + jmp L147 +.balign 16 +L146: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, 
%xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L147: + cmp $6, %rdx + jae L146 + cmp $0, %rdx + jbe L148 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L150 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L151 +L150: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L152 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, 
%xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L154 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L156 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L157 +L156: +L157: + jmp L155 +L154: +L155: + jmp L153 +L152: +L153: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L151: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L149 +L148: +L149: + mov %rsi, %r15 + cmp %rcx, %rsi + jbe L158 + movdqu 0(%rbx), %xmm0 + mov %rsi, %r10 + and $15, %r10 + cmp 
$8, %r10 + jae L160 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L161 +L160: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L161: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L159 +L158: +L159: + mov 80(%rsp), %rdi + mov 88(%rsp), %rsi + mov 96(%rsp), %rdx + mov %r13, %rcx + movdqu %xmm9, %xmm0 + movdqu 0(%r8), %xmm1 + movdqu %xmm1, 0(%rbp) + pxor %xmm10, %xmm10 + mov $1, %r11 + pinsrq $0, %r11, %xmm10 + vpaddd %xmm10, %xmm1, %xmm1 + cmp $0, %rdx + jne L162 + vpshufb %xmm0, %xmm1, %xmm1 + movdqu %xmm1, 32(%rbp) + jmp L163 +L162: + movdqu %xmm8, 32(%rbp) + add $128, %rcx + pextrq $0, %xmm1, %rbx + and $255, %rbx + vpshufb %xmm0, %xmm1, %xmm1 + lea 96(%rdi), %r14 + movdqu 32(%rbp), %xmm8 + movdqu 80(%rdi), %xmm7 + movdqu 64(%rdi), %xmm4 + movdqu 48(%rdi), %xmm5 + movdqu 32(%rdi), %xmm6 + vpshufb %xmm0, %xmm7, %xmm7 + movdqu 16(%rdi), %xmm2 + vpshufb %xmm0, %xmm4, %xmm4 + movdqu 0(%rdi), %xmm3 + vpshufb %xmm0, %xmm5, %xmm5 + movdqu %xmm4, 48(%rbp) + vpshufb %xmm0, %xmm6, %xmm6 + movdqu %xmm5, 64(%rbp) + vpshufb %xmm0, %xmm2, %xmm2 + movdqu %xmm6, 80(%rbp) + 
vpshufb %xmm0, %xmm3, %xmm3 + movdqu %xmm2, 96(%rbp) + movdqu %xmm3, 112(%rbp) + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + vpxor %xmm4, %xmm4, %xmm4 + movdqu -128(%rcx), %xmm15 + vpaddd %xmm2, %xmm1, %xmm10 + vpaddd %xmm2, %xmm10, %xmm11 + vpaddd %xmm2, %xmm11, %xmm12 + vpaddd %xmm2, %xmm12, %xmm13 + vpaddd %xmm2, %xmm13, %xmm14 + vpxor %xmm15, %xmm1, %xmm9 + movdqu %xmm4, 16(%rbp) + cmp $6, %rdx + jne L164 + sub $96, %r14 + jmp L165 +L164: +L165: + jmp L167 +.balign 16 +L166: + add $6, %rbx + cmp $256, %rbx + jb L168 + mov $579005069656919567, %r11 + pinsrq $0, %r11, %xmm0 + mov $283686952306183, %r11 + pinsrq $1, %r11, %xmm0 + vpshufb %xmm0, %xmm1, %xmm6 + pxor %xmm5, %xmm5 + mov $1, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm10 + pxor %xmm5, %xmm5 + mov $2, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm11 + movdqu -32(%r9), %xmm3 + vpaddd %xmm5, %xmm10, %xmm12 + vpshufb %xmm0, %xmm10, %xmm10 + vpaddd %xmm5, %xmm11, %xmm13 + vpshufb %xmm0, %xmm11, %xmm11 + vpxor %xmm15, %xmm10, %xmm10 + vpaddd %xmm5, %xmm12, %xmm14 + vpshufb %xmm0, %xmm12, %xmm12 + vpxor %xmm15, %xmm11, %xmm11 + vpaddd %xmm5, %xmm13, %xmm1 + vpshufb %xmm0, %xmm13, %xmm13 + vpshufb %xmm0, %xmm14, %xmm14 + vpshufb %xmm0, %xmm1, %xmm1 + sub $256, %rbx + jmp L169 +L168: + movdqu -32(%r9), %xmm3 + vpaddd %xmm14, %xmm2, %xmm1 + vpxor %xmm15, %xmm10, %xmm10 + vpxor %xmm15, %xmm11, %xmm11 +L169: + movdqu %xmm1, 128(%rbp) + vpclmulqdq $16, %xmm3, %xmm7, %xmm5 + vpxor %xmm15, %xmm12, %xmm12 + movdqu -112(%rcx), %xmm2 + vpclmulqdq $1, %xmm3, %xmm7, %xmm6 + vaesenc %xmm2, %xmm9, %xmm9 + movdqu 48(%rbp), %xmm0 + vpxor %xmm15, %xmm13, %xmm13 + vpclmulqdq $0, %xmm3, %xmm7, %xmm1 + vaesenc %xmm2, %xmm10, %xmm10 + vpxor %xmm15, %xmm14, %xmm14 + vpclmulqdq $17, %xmm3, %xmm7, %xmm7 + vaesenc %xmm2, %xmm11, %xmm11 + movdqu -16(%r9), %xmm3 + vaesenc %xmm2, %xmm12, %xmm12 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $0, %xmm3, %xmm0, %xmm5 + vpxor %xmm4, %xmm8, 
%xmm8 + vaesenc %xmm2, %xmm13, %xmm13 + vpxor %xmm5, %xmm1, %xmm4 + vpclmulqdq $16, %xmm3, %xmm0, %xmm1 + vaesenc %xmm2, %xmm14, %xmm14 + movdqu -96(%rcx), %xmm15 + vpclmulqdq $1, %xmm3, %xmm0, %xmm2 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor 16(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm3, %xmm0, %xmm3 + movdqu 64(%rbp), %xmm0 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 88(%r14), %r13 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 80(%r14), %r12 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 32(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 40(%rbp) + movdqu 16(%r9), %xmm5 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -80(%rcx), %xmm15 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor %xmm3, %xmm7, %xmm7 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vaesenc %xmm15, %xmm11, %xmm11 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 80(%rbp), %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -64(%rcx), %xmm15 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $0, %xmm1, %xmm0, %xmm2 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $16, %xmm1, %xmm0, %xmm3 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 72(%r14), %r13 + vpxor %xmm5, %xmm7, %xmm7 + vpclmulqdq $1, %xmm1, %xmm0, %xmm5 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 64(%r14), %r12 + vpclmulqdq $17, %xmm1, %xmm0, %xmm1 + movdqu 96(%rbp), %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 48(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 56(%rbp) + vpxor %xmm2, %xmm4, %xmm4 + movdqu 64(%r9), %xmm2 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -48(%rcx), %xmm15 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $0, %xmm2, %xmm0, %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm2, %xmm0, %xmm5 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 
56(%r14), %r13 + vpxor %xmm1, %xmm7, %xmm7 + vpclmulqdq $1, %xmm2, %xmm0, %xmm1 + vpxor 112(%rbp), %xmm8, %xmm8 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 48(%r14), %r12 + vpclmulqdq $17, %xmm2, %xmm0, %xmm2 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 64(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 72(%rbp) + vpxor %xmm3, %xmm4, %xmm4 + movdqu 80(%r9), %xmm3 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -32(%rcx), %xmm15 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm3, %xmm8, %xmm5 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $1, %xmm3, %xmm8, %xmm1 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 40(%r14), %r13 + vpxor %xmm2, %xmm7, %xmm7 + vpclmulqdq $0, %xmm3, %xmm8, %xmm2 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 32(%r14), %r12 + vpclmulqdq $17, %xmm3, %xmm8, %xmm8 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 80(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 88(%rbp) + vpxor %xmm5, %xmm6, %xmm6 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor %xmm1, %xmm6, %xmm6 + movdqu -16(%rcx), %xmm15 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm2, %xmm4, %xmm4 + pxor %xmm3, %xmm3 + mov $13979173243358019584, %r11 + pinsrq $1, %r11, %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm8, %xmm7, %xmm7 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor %xmm5, %xmm4, %xmm4 + movbeq 24(%r14), %r13 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 16(%r14), %r12 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + movq %r13, 96(%rbp) + vaesenc %xmm15, %xmm12, %xmm12 + movq %r12, 104(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 0(%rcx), %xmm1 + vaesenc %xmm1, %xmm9, %xmm9 + movdqu 16(%rcx), %xmm15 + vaesenc %xmm1, %xmm10, %xmm10 + vpsrldq $8, %xmm6, %xmm6 + vaesenc %xmm1, %xmm11, %xmm11 + vpxor %xmm6, %xmm7, %xmm7 + vaesenc %xmm1, %xmm12, %xmm12 + vpxor %xmm0, %xmm4, %xmm4 + movbeq 8(%r14), %r13 + vaesenc %xmm1, %xmm13, %xmm13 + movbeq 0(%r14), %r12 + vaesenc %xmm1, %xmm14, %xmm14 + movdqu 32(%rcx), %xmm1 + vaesenc %xmm15, 
%xmm9, %xmm9 + movdqu %xmm7, 16(%rbp) + vpalignr $8, %xmm4, %xmm4, %xmm8 + vaesenc %xmm15, %xmm10, %xmm10 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor 0(%rdi), %xmm1, %xmm2 + vaesenc %xmm15, %xmm11, %xmm11 + vpxor 16(%rdi), %xmm1, %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + vpxor 32(%rdi), %xmm1, %xmm5 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor 48(%rdi), %xmm1, %xmm6 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor 64(%rdi), %xmm1, %xmm7 + vpxor 80(%rdi), %xmm1, %xmm3 + movdqu 128(%rbp), %xmm1 + vaesenclast %xmm2, %xmm9, %xmm9 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + vaesenclast %xmm0, %xmm10, %xmm10 + vpaddd %xmm2, %xmm1, %xmm0 + movq %r13, 112(%rbp) + lea 96(%rdi), %rdi + vaesenclast %xmm5, %xmm11, %xmm11 + vpaddd %xmm2, %xmm0, %xmm5 + movq %r12, 120(%rbp) + lea 96(%rsi), %rsi + movdqu -128(%rcx), %xmm15 + vaesenclast %xmm6, %xmm12, %xmm12 + vpaddd %xmm2, %xmm5, %xmm6 + vaesenclast %xmm7, %xmm13, %xmm13 + vpaddd %xmm2, %xmm6, %xmm7 + vaesenclast %xmm3, %xmm14, %xmm14 + vpaddd %xmm2, %xmm7, %xmm3 + sub $6, %rdx + cmp $6, %rdx + jbe L170 + add $96, %r14 + jmp L171 +L170: +L171: + cmp $0, %rdx + jbe L172 + movdqu %xmm9, -96(%rsi) + vpxor %xmm15, %xmm1, %xmm9 + movdqu %xmm10, -80(%rsi) + movdqu %xmm0, %xmm10 + movdqu %xmm11, -64(%rsi) + movdqu %xmm5, %xmm11 + movdqu %xmm12, -48(%rsi) + movdqu %xmm6, %xmm12 + movdqu %xmm13, -32(%rsi) + movdqu %xmm7, %xmm13 + movdqu %xmm14, -16(%rsi) + movdqu %xmm3, %xmm14 + movdqu 32(%rbp), %xmm7 + jmp L173 +L172: + vpxor 16(%rbp), %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 +L173: +.balign 16 +L167: + cmp $0, %rdx + ja L166 + movdqu %xmm1, 32(%rbp) + movdqu %xmm9, -96(%rsi) + movdqu %xmm10, -80(%rsi) + movdqu %xmm11, -64(%rsi) + movdqu %xmm12, -48(%rsi) + movdqu %xmm13, -32(%rsi) + movdqu %xmm14, -16(%rsi) + sub $128, %rcx +L163: + movdqu 32(%rbp), %xmm11 + mov %rcx, %r8 + mov 104(%rsp), %rax + mov 112(%rsp), %rdi + mov 120(%rsp), %rdx + mov %rdx, %r14 + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm9 + 
mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm9 + pshufb %xmm9, %xmm11 + mov %rdi, %rbx + mov %rdx, %r12 + mov %rax, %rdi + mov %rdi, %r11 + jmp L175 +.balign 16 +L174: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + 
vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L175: + cmp $6, %rdx + jae L174 + cmp $0, %rdx + jbe L176 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L178 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L179 +L178: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L180 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, 
%xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L182 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L184 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L185 +L184: +L185: + jmp L183 +L182: +L183: + jmp L181 +L180: +L181: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L179: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L177 +L176: +L177: + mov %rbx, %rdi + mov %r12, %rdx + pxor %xmm10, %xmm10 + mov $1, %rbx + pinsrd $0, %ebx, %xmm10 + mov %rax, %r11 + mov %rdi, %r10 + mov $0, %rbx + jmp L187 +.balign 16 +L186: + movdqu %xmm11, %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 
48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + movdqu 0(%r11), %xmm2 + pxor %xmm0, %xmm2 + movdqu %xmm2, 0(%r10) + add $1, %rbx + add $16, %r11 + add $16, %r10 + paddd %xmm10, %xmm11 +.balign 16 +L187: + cmp %rdx, %rbx + jne L186 + add 96(%rsp), %r14 + imul $16, %r14 + mov 136(%rsp), %r13 + cmp %r14, %r13 + jbe L188 + mov 128(%rsp), %rax + mov %r13, %r10 + and $15, %r10 + movdqu 0(%rax), %xmm0 + movdqu %xmm0, %xmm10 + cmp $8, %r10 + jae L190 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L191 +L190: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L191: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + movdqu %xmm11, %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 
+ movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pxor %xmm0, %xmm10 + movdqu %xmm10, 0(%rax) + jmp L189 +L188: +L189: + mov %r15, %r11 + pxor %xmm0, %xmm0 + mov %r11, %rax + imul $8, %rax + pinsrq $1, %rax, %xmm0 + mov %r13, %rax + imul $8, %rax + pinsrq $0, %rax, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + movdqu 0(%rbp), %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pshufb %xmm9, %xmm8 + pxor %xmm0, %xmm8 + mov 152(%rsp), %r15 + 
movdqu 0(%r15), %xmm0 + pcmpeqd %xmm8, %xmm0 + pextrq $0, %xmm0, %rdx + sub $18446744073709551615, %rdx + mov $0, %rax + adc $0, %rax + pextrq $1, %xmm0, %rdx + sub $18446744073709551615, %rdx + mov $0, %rdx + adc $0, %rdx + add %rdx, %rax + mov %rax, %rcx + pop %rbx + pop %rbp + pop %rdi + pop %rsi + pop %r12 + pop %r13 + pop %r14 + pop %r15 + mov %rcx, %rax + ret + +.global _gcm256_decrypt_opt +_gcm256_decrypt_opt: + push %r15 + push %r14 + push %r13 + push %r12 + push %rsi + push %rdi + push %rbp + push %rbx + mov 144(%rsp), %rbp + mov %rcx, %r13 + lea 32(%r9), %r9 + mov 72(%rsp), %rbx + mov %rdx, %rcx + imul $16, %rcx + mov $579005069656919567, %r10 + pinsrq $0, %r10, %xmm9 + mov $283686952306183, %r10 + pinsrq $1, %r10, %xmm9 + pxor %xmm8, %xmm8 + mov %rdi, %r11 + jmp L193 +.balign 16 +L192: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, 
%xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L193: + cmp $6, %rdx + jae L192 + cmp $0, %rdx + jbe L194 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L196 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L197 +L196: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + 
vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L198 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L200 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L202 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L203 +L202: +L203: + jmp L201 +L200: +L201: + jmp L199 +L198: +L199: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L197: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + 
vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L195 +L194: +L195: + mov %rsi, %r15 + cmp %rcx, %rsi + jbe L204 + movdqu 0(%rbx), %xmm0 + mov %rsi, %r10 + and $15, %r10 + cmp $8, %r10 + jae L206 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L207 +L206: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L207: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L205 +L204: +L205: + mov 80(%rsp), %rdi + mov 88(%rsp), %rsi + mov 96(%rsp), %rdx + mov %r13, %rcx + movdqu %xmm9, %xmm0 + movdqu 0(%r8), %xmm1 + movdqu %xmm1, 0(%rbp) + pxor %xmm10, %xmm10 + mov $1, %r11 + pinsrq $0, %r11, %xmm10 + vpaddd %xmm10, %xmm1, %xmm1 + cmp $0, %rdx + jne L208 + vpshufb %xmm0, %xmm1, %xmm1 + movdqu %xmm1, 32(%rbp) + jmp L209 +L208: + movdqu %xmm8, 32(%rbp) + add $128, %rcx + pextrq $0, %xmm1, %rbx + and $255, %rbx + vpshufb %xmm0, %xmm1, %xmm1 + lea 96(%rdi), %r14 + movdqu 32(%rbp), 
%xmm8 + movdqu 80(%rdi), %xmm7 + movdqu 64(%rdi), %xmm4 + movdqu 48(%rdi), %xmm5 + movdqu 32(%rdi), %xmm6 + vpshufb %xmm0, %xmm7, %xmm7 + movdqu 16(%rdi), %xmm2 + vpshufb %xmm0, %xmm4, %xmm4 + movdqu 0(%rdi), %xmm3 + vpshufb %xmm0, %xmm5, %xmm5 + movdqu %xmm4, 48(%rbp) + vpshufb %xmm0, %xmm6, %xmm6 + movdqu %xmm5, 64(%rbp) + vpshufb %xmm0, %xmm2, %xmm2 + movdqu %xmm6, 80(%rbp) + vpshufb %xmm0, %xmm3, %xmm3 + movdqu %xmm2, 96(%rbp) + movdqu %xmm3, 112(%rbp) + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + vpxor %xmm4, %xmm4, %xmm4 + movdqu -128(%rcx), %xmm15 + vpaddd %xmm2, %xmm1, %xmm10 + vpaddd %xmm2, %xmm10, %xmm11 + vpaddd %xmm2, %xmm11, %xmm12 + vpaddd %xmm2, %xmm12, %xmm13 + vpaddd %xmm2, %xmm13, %xmm14 + vpxor %xmm15, %xmm1, %xmm9 + movdqu %xmm4, 16(%rbp) + cmp $6, %rdx + jne L210 + sub $96, %r14 + jmp L211 +L210: +L211: + jmp L213 +.balign 16 +L212: + add $6, %rbx + cmp $256, %rbx + jb L214 + mov $579005069656919567, %r11 + pinsrq $0, %r11, %xmm0 + mov $283686952306183, %r11 + pinsrq $1, %r11, %xmm0 + vpshufb %xmm0, %xmm1, %xmm6 + pxor %xmm5, %xmm5 + mov $1, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm10 + pxor %xmm5, %xmm5 + mov $2, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm11 + movdqu -32(%r9), %xmm3 + vpaddd %xmm5, %xmm10, %xmm12 + vpshufb %xmm0, %xmm10, %xmm10 + vpaddd %xmm5, %xmm11, %xmm13 + vpshufb %xmm0, %xmm11, %xmm11 + vpxor %xmm15, %xmm10, %xmm10 + vpaddd %xmm5, %xmm12, %xmm14 + vpshufb %xmm0, %xmm12, %xmm12 + vpxor %xmm15, %xmm11, %xmm11 + vpaddd %xmm5, %xmm13, %xmm1 + vpshufb %xmm0, %xmm13, %xmm13 + vpshufb %xmm0, %xmm14, %xmm14 + vpshufb %xmm0, %xmm1, %xmm1 + sub $256, %rbx + jmp L215 +L214: + movdqu -32(%r9), %xmm3 + vpaddd %xmm14, %xmm2, %xmm1 + vpxor %xmm15, %xmm10, %xmm10 + vpxor %xmm15, %xmm11, %xmm11 +L215: + movdqu %xmm1, 128(%rbp) + vpclmulqdq $16, %xmm3, %xmm7, %xmm5 + vpxor %xmm15, %xmm12, %xmm12 + movdqu -112(%rcx), %xmm2 + vpclmulqdq $1, %xmm3, %xmm7, %xmm6 + vaesenc %xmm2, 
%xmm9, %xmm9 + movdqu 48(%rbp), %xmm0 + vpxor %xmm15, %xmm13, %xmm13 + vpclmulqdq $0, %xmm3, %xmm7, %xmm1 + vaesenc %xmm2, %xmm10, %xmm10 + vpxor %xmm15, %xmm14, %xmm14 + vpclmulqdq $17, %xmm3, %xmm7, %xmm7 + vaesenc %xmm2, %xmm11, %xmm11 + movdqu -16(%r9), %xmm3 + vaesenc %xmm2, %xmm12, %xmm12 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $0, %xmm3, %xmm0, %xmm5 + vpxor %xmm4, %xmm8, %xmm8 + vaesenc %xmm2, %xmm13, %xmm13 + vpxor %xmm5, %xmm1, %xmm4 + vpclmulqdq $16, %xmm3, %xmm0, %xmm1 + vaesenc %xmm2, %xmm14, %xmm14 + movdqu -96(%rcx), %xmm15 + vpclmulqdq $1, %xmm3, %xmm0, %xmm2 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor 16(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm3, %xmm0, %xmm3 + movdqu 64(%rbp), %xmm0 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 88(%r14), %r13 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 80(%r14), %r12 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 32(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 40(%rbp) + movdqu 16(%r9), %xmm5 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -80(%rcx), %xmm15 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor %xmm3, %xmm7, %xmm7 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vaesenc %xmm15, %xmm11, %xmm11 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 80(%rbp), %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -64(%rcx), %xmm15 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $0, %xmm1, %xmm0, %xmm2 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $16, %xmm1, %xmm0, %xmm3 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 72(%r14), %r13 + vpxor %xmm5, %xmm7, %xmm7 + vpclmulqdq $1, %xmm1, %xmm0, %xmm5 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 64(%r14), %r12 + vpclmulqdq $17, %xmm1, %xmm0, %xmm1 + movdqu 96(%rbp), %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 
48(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 56(%rbp) + vpxor %xmm2, %xmm4, %xmm4 + movdqu 64(%r9), %xmm2 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -48(%rcx), %xmm15 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $0, %xmm2, %xmm0, %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm2, %xmm0, %xmm5 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 56(%r14), %r13 + vpxor %xmm1, %xmm7, %xmm7 + vpclmulqdq $1, %xmm2, %xmm0, %xmm1 + vpxor 112(%rbp), %xmm8, %xmm8 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 48(%r14), %r12 + vpclmulqdq $17, %xmm2, %xmm0, %xmm2 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 64(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 72(%rbp) + vpxor %xmm3, %xmm4, %xmm4 + movdqu 80(%r9), %xmm3 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -32(%rcx), %xmm15 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm3, %xmm8, %xmm5 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $1, %xmm3, %xmm8, %xmm1 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 40(%r14), %r13 + vpxor %xmm2, %xmm7, %xmm7 + vpclmulqdq $0, %xmm3, %xmm8, %xmm2 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 32(%r14), %r12 + vpclmulqdq $17, %xmm3, %xmm8, %xmm8 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 80(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 88(%rbp) + vpxor %xmm5, %xmm6, %xmm6 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor %xmm1, %xmm6, %xmm6 + movdqu -16(%rcx), %xmm15 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm2, %xmm4, %xmm4 + pxor %xmm3, %xmm3 + mov $13979173243358019584, %r11 + pinsrq $1, %r11, %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm8, %xmm7, %xmm7 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor %xmm5, %xmm4, %xmm4 + movbeq 24(%r14), %r13 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 16(%r14), %r12 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + movq %r13, 96(%rbp) + vaesenc %xmm15, %xmm12, %xmm12 + movq %r12, 104(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 0(%rcx), %xmm1 + vaesenc 
%xmm1, %xmm9, %xmm9 + movdqu 16(%rcx), %xmm15 + vaesenc %xmm1, %xmm10, %xmm10 + vpsrldq $8, %xmm6, %xmm6 + vaesenc %xmm1, %xmm11, %xmm11 + vpxor %xmm6, %xmm7, %xmm7 + vaesenc %xmm1, %xmm12, %xmm12 + vpxor %xmm0, %xmm4, %xmm4 + movbeq 8(%r14), %r13 + vaesenc %xmm1, %xmm13, %xmm13 + movbeq 0(%r14), %r12 + vaesenc %xmm1, %xmm14, %xmm14 + movdqu 32(%rcx), %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + vaesenc %xmm1, %xmm9, %xmm9 + vaesenc %xmm1, %xmm10, %xmm10 + vaesenc %xmm1, %xmm11, %xmm11 + vaesenc %xmm1, %xmm12, %xmm12 + vaesenc %xmm1, %xmm13, %xmm13 + movdqu 48(%rcx), %xmm15 + vaesenc %xmm1, %xmm14, %xmm14 + movdqu 64(%rcx), %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + vaesenc %xmm1, %xmm9, %xmm9 + vaesenc %xmm1, %xmm10, %xmm10 + vaesenc %xmm1, %xmm11, %xmm11 + vaesenc %xmm1, %xmm12, %xmm12 + vaesenc %xmm1, %xmm13, %xmm13 + movdqu 80(%rcx), %xmm15 + vaesenc %xmm1, %xmm14, %xmm14 + movdqu 96(%rcx), %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + movdqu %xmm7, 16(%rbp) + vpalignr $8, %xmm4, %xmm4, %xmm8 + vaesenc %xmm15, %xmm10, %xmm10 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor 0(%rdi), %xmm1, %xmm2 + vaesenc %xmm15, %xmm11, %xmm11 + vpxor 16(%rdi), %xmm1, %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + vpxor 32(%rdi), %xmm1, %xmm5 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor 48(%rdi), %xmm1, %xmm6 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor 64(%rdi), %xmm1, %xmm7 + vpxor 80(%rdi), %xmm1, %xmm3 + movdqu 128(%rbp), %xmm1 + vaesenclast %xmm2, %xmm9, %xmm9 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + vaesenclast %xmm0, %xmm10, %xmm10 + vpaddd %xmm2, %xmm1, %xmm0 + movq %r13, 112(%rbp) + lea 96(%rdi), %rdi + vaesenclast %xmm5, %xmm11, %xmm11 + 
vpaddd %xmm2, %xmm0, %xmm5 + movq %r12, 120(%rbp) + lea 96(%rsi), %rsi + movdqu -128(%rcx), %xmm15 + vaesenclast %xmm6, %xmm12, %xmm12 + vpaddd %xmm2, %xmm5, %xmm6 + vaesenclast %xmm7, %xmm13, %xmm13 + vpaddd %xmm2, %xmm6, %xmm7 + vaesenclast %xmm3, %xmm14, %xmm14 + vpaddd %xmm2, %xmm7, %xmm3 + sub $6, %rdx + cmp $6, %rdx + jbe L216 + add $96, %r14 + jmp L217 +L216: +L217: + cmp $0, %rdx + jbe L218 + movdqu %xmm9, -96(%rsi) + vpxor %xmm15, %xmm1, %xmm9 + movdqu %xmm10, -80(%rsi) + movdqu %xmm0, %xmm10 + movdqu %xmm11, -64(%rsi) + movdqu %xmm5, %xmm11 + movdqu %xmm12, -48(%rsi) + movdqu %xmm6, %xmm12 + movdqu %xmm13, -32(%rsi) + movdqu %xmm7, %xmm13 + movdqu %xmm14, -16(%rsi) + movdqu %xmm3, %xmm14 + movdqu 32(%rbp), %xmm7 + jmp L219 +L218: + vpxor 16(%rbp), %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 +L219: +.balign 16 +L213: + cmp $0, %rdx + ja L212 + movdqu %xmm1, 32(%rbp) + movdqu %xmm9, -96(%rsi) + movdqu %xmm10, -80(%rsi) + movdqu %xmm11, -64(%rsi) + movdqu %xmm12, -48(%rsi) + movdqu %xmm13, -32(%rsi) + movdqu %xmm14, -16(%rsi) + sub $128, %rcx +L209: + movdqu 32(%rbp), %xmm11 + mov %rcx, %r8 + mov 104(%rsp), %rax + mov 112(%rsp), %rdi + mov 120(%rsp), %rdx + mov %rdx, %r14 + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm9 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm9 + pshufb %xmm9, %xmm11 + mov %rdi, %rbx + mov %rdx, %r12 + mov %rax, %rdi + mov %rdi, %r11 + jmp L221 +.balign 16 +L220: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, 
%xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 
+ vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L221: + cmp $6, %rdx + jae L220 + cmp $0, %rdx + jbe L222 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L224 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L225 +L224: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L226 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L228 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L230 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 
+ vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L231 +L230: +L231: + jmp L229 +L228: +L229: + jmp L227 +L226: +L227: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L225: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L223 +L222: +L223: + mov %rbx, %rdi + mov %r12, %rdx + pxor %xmm10, %xmm10 + mov $1, %rbx + pinsrd $0, %ebx, %xmm10 + mov %rax, %r11 + mov %rdi, %r10 + mov $0, %rbx + jmp L233 +.balign 16 +L232: + movdqu %xmm11, %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 176(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 192(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 208(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 224(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + movdqu 0(%r11), %xmm2 + pxor %xmm0, %xmm2 + movdqu %xmm2, 0(%r10) + add $1, %rbx + add $16, %r11 + add $16, %r10 + paddd %xmm10, %xmm11 +.balign 16 +L233: + cmp %rdx, %rbx 
+ jne L232 + add 96(%rsp), %r14 + imul $16, %r14 + mov 136(%rsp), %r13 + cmp %r14, %r13 + jbe L234 + mov 128(%rsp), %rax + mov %r13, %r10 + and $15, %r10 + movdqu 0(%rax), %xmm0 + movdqu %xmm0, %xmm10 + cmp $8, %r10 + jae L236 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L237 +L236: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L237: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + movdqu %xmm11, %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 176(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 192(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 208(%r8), %xmm2 + aesenc %xmm2, %xmm0 + 
movdqu 224(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pxor %xmm0, %xmm10 + movdqu %xmm10, 0(%rax) + jmp L235 +L234: +L235: + mov %r15, %r11 + pxor %xmm0, %xmm0 + mov %r11, %rax + imul $8, %rax + pinsrq $1, %rax, %xmm0 + mov %r13, %rax + imul $8, %rax + pinsrq $0, %rax, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + movdqu 0(%rbp), %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 176(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 192(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 208(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 224(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pshufb %xmm9, %xmm8 + pxor %xmm0, %xmm8 + mov 152(%rsp), %r15 + movdqu 0(%r15), %xmm0 + pcmpeqd %xmm8, %xmm0 + pextrq $0, %xmm0, %rdx + sub $18446744073709551615, %rdx + mov $0, %rax + adc $0, %rax + pextrq $1, %xmm0, %rdx + sub $18446744073709551615, 
%rdx + mov $0, %rdx + adc $0, %rdx + add %rdx, %rax + mov %rax, %rcx + pop %rbx + pop %rbp + pop %rdi + pop %rsi + pop %r12 + pop %r13 + pop %r14 + pop %r15 + mov %rcx, %rax + ret + + diff --git a/vale/src/aesgcm-x86_64-linux.S b/vale/src/aesgcm-x86_64-linux.S new file mode 100644 index 00000000..232a8530 --- /dev/null +++ b/vale/src/aesgcm-x86_64-linux.S 
@@ -0,0 +1,8101 @@ +.text +.global aes128_key_expansion +aes128_key_expansion: + movdqu 0(%rdi), %xmm1 + mov %rsi, %rdx + movdqu %xmm1, 0(%rdx) + aeskeygenassist $1, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 16(%rdx) + aeskeygenassist $2, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 32(%rdx) + aeskeygenassist $4, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 48(%rdx) + aeskeygenassist $8, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 64(%rdx) + aeskeygenassist $16, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 80(%rdx) + aeskeygenassist $32, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 96(%rdx) + aeskeygenassist $64, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 112(%rdx) + aeskeygenassist $128, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, 
%xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 128(%rdx) + aeskeygenassist $27, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 144(%rdx) + aeskeygenassist $54, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 160(%rdx) + pxor %xmm1, %xmm1 + pxor %xmm2, %xmm2 + pxor %xmm3, %xmm3 + ret + +.global aes128_keyhash_init +aes128_keyhash_init: + mov $579005069656919567, %r8 + pinsrq $0, %r8, %xmm4 + mov $283686952306183, %r8 + pinsrq $1, %r8, %xmm4 + pxor %xmm0, %xmm0 + movdqu %xmm0, 80(%rsi) + mov %rdi, %r8 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pshufb %xmm4, %xmm0 + mov %rsi, %rcx + movdqu %xmm0, 32(%rcx) + movdqu %xmm6, %xmm0 + mov %r12, %rax + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd 
$255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 0(%rcx) + movdqu %xmm6, %xmm1 + movdqu %xmm6, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, 
%xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 + pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 16(%rcx) + movdqu %xmm6, %xmm2 + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, 
%xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 + pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 48(%rcx) + movdqu %xmm6, %xmm2 + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + 
pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + 
pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 + pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 64(%rcx) + movdqu %xmm6, %xmm2 + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + 
movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 + pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 96(%rcx) + movdqu %xmm6, %xmm2 + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, 
%r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 + 
pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 112(%rcx) + movdqu %xmm0, %xmm6 + mov %rax, %r12 + ret + +.global aes256_key_expansion +aes256_key_expansion: + movdqu 0(%rdi), %xmm1 + movdqu 16(%rdi), %xmm3 + mov %rsi, %rdx + movdqu %xmm1, 0(%rdx) + movdqu %xmm3, 16(%rdx) + aeskeygenassist $1, %xmm3, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 32(%rdx) + aeskeygenassist $0, %xmm1, %xmm2 + pshufd $170, %xmm2, %xmm2 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + pxor %xmm2, %xmm3 + movdqu %xmm3, 48(%rdx) + aeskeygenassist $2, %xmm3, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 64(%rdx) + aeskeygenassist $0, %xmm1, %xmm2 + pshufd $170, %xmm2, %xmm2 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + pxor %xmm2, %xmm3 + movdqu %xmm3, 80(%rdx) + aeskeygenassist $4, %xmm3, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 96(%rdx) + aeskeygenassist $0, 
%xmm1, %xmm2 + pshufd $170, %xmm2, %xmm2 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + pxor %xmm2, %xmm3 + movdqu %xmm3, 112(%rdx) + aeskeygenassist $8, %xmm3, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 128(%rdx) + aeskeygenassist $0, %xmm1, %xmm2 + pshufd $170, %xmm2, %xmm2 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + pxor %xmm2, %xmm3 + movdqu %xmm3, 144(%rdx) + aeskeygenassist $16, %xmm3, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 160(%rdx) + aeskeygenassist $0, %xmm1, %xmm2 + pshufd $170, %xmm2, %xmm2 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + pxor %xmm2, %xmm3 + movdqu %xmm3, 176(%rdx) + aeskeygenassist $32, %xmm3, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 192(%rdx) + aeskeygenassist $0, %xmm1, %xmm2 + pshufd $170, %xmm2, %xmm2 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + pxor %xmm2, %xmm3 + movdqu %xmm3, 208(%rdx) + aeskeygenassist $64, %xmm3, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 224(%rdx) + pxor %xmm1, 
%xmm1 + pxor %xmm2, %xmm2 + pxor %xmm3, %xmm3 + pxor %xmm4, %xmm4 + ret + +.global aes256_keyhash_init +aes256_keyhash_init: + mov $579005069656919567, %r8 + pinsrq $0, %r8, %xmm4 + mov $283686952306183, %r8 + pinsrq $1, %r8, %xmm4 + pxor %xmm0, %xmm0 + movdqu %xmm0, 80(%rsi) + mov %rdi, %r8 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 176(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 192(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 208(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 224(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pshufb %xmm4, %xmm0 + mov %rsi, %rcx + movdqu %xmm0, 32(%rcx) + movdqu %xmm6, %xmm0 + mov %r12, %rax + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 0(%rcx) + movdqu %xmm6, %xmm1 + movdqu %xmm6, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd 
$0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 
+ pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 16(%rcx) + movdqu %xmm6, %xmm2 + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, 
%xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 + pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 48(%rcx) + movdqu %xmm6, %xmm2 + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, 
%r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 + pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + 
pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 64(%rcx) + movdqu %xmm6, %xmm2 + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, 
%xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 + pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 96(%rcx) + movdqu %xmm6, %xmm2 + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + 
pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 + pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand 
%xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 112(%rcx) + movdqu %xmm0, %xmm6 + mov %rax, %r12 + ret + +.global gctr128_bytes +gctr128_bytes: + push %r15 + push %r14 + push %r13 + push %r12 + push %rsi + push %rdi + push %rbp + push %rbx + movdqu 0(%r9), %xmm7 + mov %rdi, %rax + mov %rdx, %rbx + mov %rcx, %r13 + mov 72(%rsp), %rcx + mov %rcx, %rbp + imul $16, %rbp + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm8 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm8 + mov %rcx, %rdx + shr $2, %rdx + and $3, %rcx + cmp $0, %rdx + jbe L0 + mov %rax, %r9 + mov %rbx, %r10 + pshufb %xmm8, %xmm7 + movdqu %xmm7, %xmm9 + mov $579005069656919567, %rax + pinsrq $0, %rax, %xmm0 + mov $579005069656919567, %rax + pinsrq $1, %rax, %xmm0 + pshufb %xmm0, %xmm9 + movdqu %xmm9, %xmm10 + pxor %xmm3, %xmm3 + mov $1, %rax + pinsrd $2, %eax, %xmm3 + paddd %xmm3, %xmm9 + mov $3, %rax + pinsrd $2, %eax, %xmm3 + mov $2, %rax + pinsrd $0, %eax, %xmm3 + paddd %xmm3, %xmm10 + pshufb %xmm8, %xmm9 + pshufb %xmm8, %xmm10 + pextrq $0, %xmm7, %rdi + mov $283686952306183, %rax + pinsrq $0, %rax, %xmm0 + mov $579005069656919567, %rax + pinsrq $1, %rax, %xmm0 + pxor %xmm15, %xmm15 + mov $4, %rax + pinsrd $0, %eax, %xmm15 + mov $4, %rax + pinsrd $2, %eax, %xmm15 + jmp L3 +.balign 16 +L2: + pinsrq $0, %rdi, %xmm2 + pinsrq $0, %rdi, %xmm12 + pinsrq $0, %rdi, %xmm13 + pinsrq $0, %rdi, %xmm14 + shufpd $2, %xmm9, %xmm2 + shufpd $0, %xmm9, %xmm12 + shufpd $2, %xmm10, %xmm13 + shufpd $0, %xmm10, %xmm14 + pshufb %xmm0, %xmm9 + pshufb %xmm0, %xmm10 + movdqu 0(%r8), %xmm3 + movdqu 16(%r8), %xmm4 + movdqu 32(%r8), %xmm5 + movdqu 48(%r8), %xmm6 + paddd %xmm15, %xmm9 + paddd %xmm15, %xmm10 + pxor %xmm3, %xmm2 + pxor %xmm3, %xmm12 + pxor %xmm3, %xmm13 + pxor %xmm3, %xmm14 + pshufb %xmm0, %xmm9 + pshufb %xmm0, %xmm10 + aesenc %xmm4, %xmm2 + aesenc %xmm4, %xmm12 + aesenc %xmm4, %xmm13 + aesenc %xmm4, %xmm14 + aesenc %xmm5, %xmm2 + aesenc %xmm5, %xmm12 + aesenc %xmm5, %xmm13 + aesenc %xmm5, %xmm14 + 
aesenc %xmm6, %xmm2 + aesenc %xmm6, %xmm12 + aesenc %xmm6, %xmm13 + aesenc %xmm6, %xmm14 + movdqu 64(%r8), %xmm3 + movdqu 80(%r8), %xmm4 + movdqu 96(%r8), %xmm5 + movdqu 112(%r8), %xmm6 + aesenc %xmm3, %xmm2 + aesenc %xmm3, %xmm12 + aesenc %xmm3, %xmm13 + aesenc %xmm3, %xmm14 + aesenc %xmm4, %xmm2 + aesenc %xmm4, %xmm12 + aesenc %xmm4, %xmm13 + aesenc %xmm4, %xmm14 + aesenc %xmm5, %xmm2 + aesenc %xmm5, %xmm12 + aesenc %xmm5, %xmm13 + aesenc %xmm5, %xmm14 + aesenc %xmm6, %xmm2 + aesenc %xmm6, %xmm12 + aesenc %xmm6, %xmm13 + aesenc %xmm6, %xmm14 + movdqu 128(%r8), %xmm3 + movdqu 144(%r8), %xmm4 + movdqu 160(%r8), %xmm5 + aesenc %xmm3, %xmm2 + aesenc %xmm3, %xmm12 + aesenc %xmm3, %xmm13 + aesenc %xmm3, %xmm14 + aesenc %xmm4, %xmm2 + aesenc %xmm4, %xmm12 + aesenc %xmm4, %xmm13 + aesenc %xmm4, %xmm14 + aesenclast %xmm5, %xmm2 + aesenclast %xmm5, %xmm12 + aesenclast %xmm5, %xmm13 + aesenclast %xmm5, %xmm14 + movdqu 0(%r9), %xmm7 + pxor %xmm7, %xmm2 + movdqu 16(%r9), %xmm7 + pxor %xmm7, %xmm12 + movdqu 32(%r9), %xmm7 + pxor %xmm7, %xmm13 + movdqu 48(%r9), %xmm7 + pxor %xmm7, %xmm14 + movdqu %xmm2, 0(%r10) + movdqu %xmm12, 16(%r10) + movdqu %xmm13, 32(%r10) + movdqu %xmm14, 48(%r10) + sub $1, %rdx + add $64, %r9 + add $64, %r10 +.balign 16 +L3: + cmp $0, %rdx + ja L2 + movdqu %xmm9, %xmm7 + pinsrq $0, %rdi, %xmm7 + pshufb %xmm8, %xmm7 + mov %r9, %rax + mov %r10, %rbx + jmp L1 +L0: +L1: + mov $0, %rdx + mov %rax, %r9 + mov %rbx, %r10 + pxor %xmm4, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + jmp L5 +.balign 16 +L4: + movdqu %xmm7, %xmm0 + pshufb %xmm8, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + 
movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + movdqu 0(%r9), %xmm2 + pxor %xmm0, %xmm2 + movdqu %xmm2, 0(%r10) + add $1, %rdx + add $16, %r9 + add $16, %r10 + paddd %xmm4, %xmm7 +.balign 16 +L5: + cmp %rcx, %rdx + jne L4 + cmp %rbp, %rsi + jbe L6 + movdqu 0(%r13), %xmm1 + movdqu %xmm7, %xmm0 + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm2 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm2 + pshufb %xmm2, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pxor %xmm0, %xmm1 + movdqu %xmm1, 0(%r13) + jmp L7 +L6: +L7: + pop %rbx + pop %rbp + pop %rdi + pop %rsi + pop %r12 + pop %r13 + pop %r14 + pop %r15 + ret + +.global gctr256_bytes +gctr256_bytes: + push %r15 + push %r14 + push %r13 + push %r12 + push %rsi + push %rdi + push %rbp + push %rbx + movdqu 0(%r9), %xmm7 + mov %rdi, %rax + mov %rdx, %rbx + mov %rcx, %r13 + mov 72(%rsp), %rcx + mov %rcx, %rbp + imul $16, %rbp + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm8 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm8 + mov %rcx, %rdx + shr $2, %rdx + and $3, %rcx + cmp $0, %rdx + jbe L8 + mov %rax, %r9 + mov %rbx, %r10 + pshufb %xmm8, %xmm7 + movdqu %xmm7, %xmm9 + mov $579005069656919567, %rax + pinsrq $0, %rax, %xmm0 + mov $579005069656919567, %rax + pinsrq $1, %rax, %xmm0 + pshufb %xmm0, %xmm9 + movdqu %xmm9, %xmm10 + pxor %xmm3, %xmm3 + mov $1, %rax + pinsrd $2, %eax, %xmm3 + paddd %xmm3, %xmm9 + mov $3, %rax + pinsrd $2, %eax, %xmm3 + mov 
$2, %rax + pinsrd $0, %eax, %xmm3 + paddd %xmm3, %xmm10 + pshufb %xmm8, %xmm9 + pshufb %xmm8, %xmm10 + pextrq $0, %xmm7, %rdi + mov $283686952306183, %rax + pinsrq $0, %rax, %xmm0 + mov $579005069656919567, %rax + pinsrq $1, %rax, %xmm0 + pxor %xmm15, %xmm15 + mov $4, %rax + pinsrd $0, %eax, %xmm15 + mov $4, %rax + pinsrd $2, %eax, %xmm15 + jmp L11 +.balign 16 +L10: + pinsrq $0, %rdi, %xmm2 + pinsrq $0, %rdi, %xmm12 + pinsrq $0, %rdi, %xmm13 + pinsrq $0, %rdi, %xmm14 + shufpd $2, %xmm9, %xmm2 + shufpd $0, %xmm9, %xmm12 + shufpd $2, %xmm10, %xmm13 + shufpd $0, %xmm10, %xmm14 + pshufb %xmm0, %xmm9 + pshufb %xmm0, %xmm10 + movdqu 0(%r8), %xmm3 + movdqu 16(%r8), %xmm4 + movdqu 32(%r8), %xmm5 + movdqu 48(%r8), %xmm6 + paddd %xmm15, %xmm9 + paddd %xmm15, %xmm10 + pxor %xmm3, %xmm2 + pxor %xmm3, %xmm12 + pxor %xmm3, %xmm13 + pxor %xmm3, %xmm14 + pshufb %xmm0, %xmm9 + pshufb %xmm0, %xmm10 + aesenc %xmm4, %xmm2 + aesenc %xmm4, %xmm12 + aesenc %xmm4, %xmm13 + aesenc %xmm4, %xmm14 + aesenc %xmm5, %xmm2 + aesenc %xmm5, %xmm12 + aesenc %xmm5, %xmm13 + aesenc %xmm5, %xmm14 + aesenc %xmm6, %xmm2 + aesenc %xmm6, %xmm12 + aesenc %xmm6, %xmm13 + aesenc %xmm6, %xmm14 + movdqu 64(%r8), %xmm3 + movdqu 80(%r8), %xmm4 + movdqu 96(%r8), %xmm5 + movdqu 112(%r8), %xmm6 + aesenc %xmm3, %xmm2 + aesenc %xmm3, %xmm12 + aesenc %xmm3, %xmm13 + aesenc %xmm3, %xmm14 + aesenc %xmm4, %xmm2 + aesenc %xmm4, %xmm12 + aesenc %xmm4, %xmm13 + aesenc %xmm4, %xmm14 + aesenc %xmm5, %xmm2 + aesenc %xmm5, %xmm12 + aesenc %xmm5, %xmm13 + aesenc %xmm5, %xmm14 + aesenc %xmm6, %xmm2 + aesenc %xmm6, %xmm12 + aesenc %xmm6, %xmm13 + aesenc %xmm6, %xmm14 + movdqu 128(%r8), %xmm3 + movdqu 144(%r8), %xmm4 + movdqu 160(%r8), %xmm5 + aesenc %xmm3, %xmm2 + aesenc %xmm3, %xmm12 + aesenc %xmm3, %xmm13 + aesenc %xmm3, %xmm14 + aesenc %xmm4, %xmm2 + aesenc %xmm4, %xmm12 + aesenc %xmm4, %xmm13 + aesenc %xmm4, %xmm14 + movdqu %xmm5, %xmm3 + movdqu 176(%r8), %xmm4 + movdqu 192(%r8), %xmm5 + movdqu 208(%r8), %xmm6 + aesenc %xmm3, 
%xmm2 + aesenc %xmm3, %xmm12 + aesenc %xmm3, %xmm13 + aesenc %xmm3, %xmm14 + aesenc %xmm4, %xmm2 + aesenc %xmm4, %xmm12 + aesenc %xmm4, %xmm13 + aesenc %xmm4, %xmm14 + aesenc %xmm5, %xmm2 + aesenc %xmm5, %xmm12 + aesenc %xmm5, %xmm13 + aesenc %xmm5, %xmm14 + aesenc %xmm6, %xmm2 + aesenc %xmm6, %xmm12 + aesenc %xmm6, %xmm13 + aesenc %xmm6, %xmm14 + movdqu 224(%r8), %xmm5 + aesenclast %xmm5, %xmm2 + aesenclast %xmm5, %xmm12 + aesenclast %xmm5, %xmm13 + aesenclast %xmm5, %xmm14 + movdqu 0(%r9), %xmm7 + pxor %xmm7, %xmm2 + movdqu 16(%r9), %xmm7 + pxor %xmm7, %xmm12 + movdqu 32(%r9), %xmm7 + pxor %xmm7, %xmm13 + movdqu 48(%r9), %xmm7 + pxor %xmm7, %xmm14 + movdqu %xmm2, 0(%r10) + movdqu %xmm12, 16(%r10) + movdqu %xmm13, 32(%r10) + movdqu %xmm14, 48(%r10) + sub $1, %rdx + add $64, %r9 + add $64, %r10 +.balign 16 +L11: + cmp $0, %rdx + ja L10 + movdqu %xmm9, %xmm7 + pinsrq $0, %rdi, %xmm7 + pshufb %xmm8, %xmm7 + mov %r9, %rax + mov %r10, %rbx + jmp L9 +L8: +L9: + mov $0, %rdx + mov %rax, %r9 + mov %rbx, %r10 + pxor %xmm4, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + jmp L13 +.balign 16 +L12: + movdqu %xmm7, %xmm0 + pshufb %xmm8, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 176(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 192(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 208(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 224(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + movdqu 0(%r9), %xmm2 + pxor %xmm0, %xmm2 + movdqu %xmm2, 0(%r10) + add $1, %rdx + add $16, %r9 + add $16, %r10 + paddd %xmm4, 
%xmm7 +.balign 16 +L13: + cmp %rcx, %rdx + jne L12 + cmp %rbp, %rsi + jbe L14 + movdqu 0(%r13), %xmm1 + movdqu %xmm7, %xmm0 + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm2 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm2 + pshufb %xmm2, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 176(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 192(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 208(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 224(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pxor %xmm0, %xmm1 + movdqu %xmm1, 0(%r13) + jmp L15 +L14: +L15: + pop %rbx + pop %rbp + pop %rdi + pop %rsi + pop %r12 + pop %r13 + pop %r14 + pop %r15 + ret + +.global compute_iv_stdcall +compute_iv_stdcall: + cmp $12, %rsi + jne L16 + cmp $12, %rsi + jne L18 + movdqu 0(%r8), %xmm0 + mov $579005069656919567, %rax + pinsrq $0, %rax, %xmm1 + mov $283686952306183, %rax + pinsrq $1, %rax, %xmm1 + pshufb %xmm1, %xmm0 + mov $1, %rax + pinsrd $0, %eax, %xmm0 + movdqu %xmm0, 0(%rcx) + jmp L19 +L18: + mov %rcx, %rax + add $32, %r9 + mov %r8, %rbx + mov %rdx, %rcx + imul $16, %rcx + mov $579005069656919567, %r10 + pinsrq $0, %r10, %xmm9 + mov $283686952306183, %r10 + pinsrq $1, %r10, %xmm9 + pxor %xmm8, %xmm8 + mov %rdi, %r11 + jmp L21 +.balign 16 +L20: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 
0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + 
vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L21: + cmp $6, %rdx + jae L20 + cmp $0, %rdx + jbe L22 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L24 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L25 +L24: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L26 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L28 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx 
+ je L30 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L31 +L30: +L31: + jmp L29 +L28: +L29: + jmp L27 +L26: +L27: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L25: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L23 +L22: +L23: + mov %rsi, %r15 + cmp %rcx, %rsi + jbe L32 + movdqu 0(%rbx), %xmm0 + mov %rsi, %r10 + and $15, %r10 + cmp $8, %r10 + jae L34 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L35 +L34: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L35: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov 
$3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L33 +L32: +L33: + mov %rax, %rcx + mov $0, %r11 + mov %rsi, %r13 + pxor %xmm0, %xmm0 + mov %r11, %rax + imul $8, %rax + pinsrq $1, %rax, %xmm0 + mov %r13, %rax + imul $8, %rax + pinsrq $0, %rax, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + movdqu %xmm8, 0(%rcx) +L19: + jmp L17 +L16: + push %r15 + push %r14 + push %r13 + push %r12 + push %rsi + push %rdi + push %rbp + push %rbx + cmp $12, %rsi + jne L36 + movdqu 0(%r8), %xmm0 + mov $579005069656919567, %rax + pinsrq $0, %rax, %xmm1 + mov $283686952306183, %rax + pinsrq $1, %rax, %xmm1 + pshufb %xmm1, %xmm0 + mov $1, %rax + pinsrd $0, %eax, %xmm0 + movdqu %xmm0, 0(%rcx) + jmp L37 +L36: + mov %rcx, %rax + add $32, %r9 + mov %r8, %rbx + mov %rdx, %rcx + imul $16, %rcx + mov $579005069656919567, %r10 + pinsrq $0, %r10, %xmm9 + mov $283686952306183, %r10 + pinsrq $1, %r10, %xmm9 + pxor %xmm8, %xmm8 + mov %rdi, %r11 + jmp L39 +.balign 16 +L38: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), 
%xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, 
%xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L39: + cmp $6, %rdx + jae L38 + cmp $0, %rdx + jbe L40 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L42 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L43 +L42: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L44 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L46 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 
0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L48 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L49 +L48: +L49: + jmp L47 +L46: +L47: + jmp L45 +L44: +L45: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L43: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L41 +L40: +L41: + mov %rsi, %r15 + cmp %rcx, %rsi + jbe L50 + movdqu 0(%rbx), %xmm0 + mov %rsi, %r10 + and $15, %r10 + cmp $8, %r10 + jae L52 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L53 +L52: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L53: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + 
vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L51 +L50: +L51: + mov %rax, %rcx + mov $0, %r11 + mov %rsi, %r13 + pxor %xmm0, %xmm0 + mov %r11, %rax + imul $8, %rax + pinsrq $1, %rax, %xmm0 + mov %r13, %rax + imul $8, %rax + pinsrq $0, %rax, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + movdqu %xmm8, 0(%rcx) +L37: + pop %rbx + pop %rbp + pop %rdi + pop %rsi + pop %r12 + pop %r13 + pop %r14 + pop %r15 +L17: + ret + +.global gcm128_encrypt_opt +gcm128_encrypt_opt: + push %r15 + push %r14 + push %r13 + push %r12 + push %rsi + push %rdi + push %rbp + push %rbx + mov 144(%rsp), %rbp + mov %rcx, %r13 + lea 32(%r9), %r9 + mov 72(%rsp), %rbx + mov %rdx, %rcx + imul $16, %rcx + mov $579005069656919567, %r10 + pinsrq $0, %r10, %xmm9 + mov $283686952306183, %r10 + pinsrq $1, %r10, %xmm9 + pxor %xmm8, 
%xmm8 + mov %rdi, %r11 + jmp L55 +.balign 16 +L54: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, 
%xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L55: + cmp $6, %rdx + jae L54 + cmp $0, %rdx + jbe L56 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L58 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L59 +L58: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L60 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L62 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq 
$16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L64 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L65 +L64: +L65: + jmp L63 +L62: +L63: + jmp L61 +L60: +L61: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L59: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L57 +L56: +L57: + mov %rsi, %r15 + cmp %rcx, %rsi + jbe L66 + movdqu 0(%rbx), %xmm0 + mov %rsi, %r10 + and $15, %r10 + cmp $8, %r10 + jae L68 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L69 +L68: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L69: + pshufb 
%xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L67 +L66: +L67: + mov 80(%rsp), %rdi + mov 88(%rsp), %rsi + mov 96(%rsp), %rdx + mov %r13, %rcx + movdqu %xmm9, %xmm0 + movdqu 0(%r8), %xmm1 + movdqu %xmm1, 0(%rbp) + pxor %xmm10, %xmm10 + mov $1, %r11 + pinsrq $0, %r11, %xmm10 + vpaddd %xmm10, %xmm1, %xmm1 + cmp $0, %rdx + jne L70 + vpshufb %xmm0, %xmm1, %xmm1 + movdqu %xmm1, 32(%rbp) + jmp L71 +L70: + movdqu %xmm8, 32(%rbp) + add $128, %rcx + pextrq $0, %xmm1, %rbx + and $255, %rbx + vpshufb %xmm0, %xmm1, %xmm1 + lea 96(%rsi), %r14 + movdqu -128(%rcx), %xmm4 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + movdqu -112(%rcx), %xmm15 + mov %rcx, %r12 + sub $96, %r12 + vpxor %xmm4, %xmm1, %xmm9 + add $6, %rbx + cmp $256, %rbx + jae L72 + vpaddd %xmm2, %xmm1, %xmm10 + vpaddd %xmm2, %xmm10, %xmm11 + vpxor %xmm4, %xmm10, %xmm10 + vpaddd %xmm2, %xmm11, %xmm12 + vpxor %xmm4, %xmm11, %xmm11 + vpaddd %xmm2, %xmm12, %xmm13 + vpxor %xmm4, %xmm12, %xmm12 + vpaddd %xmm2, %xmm13, %xmm14 + vpxor %xmm4, %xmm13, %xmm13 + vpaddd %xmm2, %xmm14, %xmm1 + vpxor %xmm4, %xmm14, %xmm14 + jmp L73 +L72: + sub $256, %rbx + vpshufb %xmm0, %xmm1, %xmm6 + pxor %xmm5, %xmm5 + mov $1, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm10 + pxor %xmm5, %xmm5 + mov $2, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, 
%xmm11 + vpaddd %xmm5, %xmm10, %xmm12 + vpshufb %xmm0, %xmm10, %xmm10 + vpaddd %xmm5, %xmm11, %xmm13 + vpshufb %xmm0, %xmm11, %xmm11 + vpxor %xmm4, %xmm10, %xmm10 + vpaddd %xmm5, %xmm12, %xmm14 + vpshufb %xmm0, %xmm12, %xmm12 + vpxor %xmm4, %xmm11, %xmm11 + vpaddd %xmm5, %xmm13, %xmm1 + vpshufb %xmm0, %xmm13, %xmm13 + vpxor %xmm4, %xmm12, %xmm12 + vpshufb %xmm0, %xmm14, %xmm14 + vpxor %xmm4, %xmm13, %xmm13 + vpshufb %xmm0, %xmm1, %xmm1 + vpxor %xmm4, %xmm14, %xmm14 +L73: + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -96(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -80(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -64(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -48(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -32(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -16(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, 
%xmm14, %xmm14 + movdqu 0(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 16(%rcx), %xmm15 + movdqu 32(%rcx), %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor 0(%rdi), %xmm3, %xmm4 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor 16(%rdi), %xmm3, %xmm5 + vaesenc %xmm15, %xmm11, %xmm11 + vpxor 32(%rdi), %xmm3, %xmm6 + vaesenc %xmm15, %xmm12, %xmm12 + vpxor 48(%rdi), %xmm3, %xmm8 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor 64(%rdi), %xmm3, %xmm2 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor 80(%rdi), %xmm3, %xmm3 + lea 96(%rdi), %rdi + vaesenclast %xmm4, %xmm9, %xmm9 + vaesenclast %xmm5, %xmm10, %xmm10 + vaesenclast %xmm6, %xmm11, %xmm11 + vaesenclast %xmm8, %xmm12, %xmm12 + vaesenclast %xmm2, %xmm13, %xmm13 + vaesenclast %xmm3, %xmm14, %xmm14 + movdqu %xmm9, 0(%rsi) + movdqu %xmm10, 16(%rsi) + movdqu %xmm11, 32(%rsi) + movdqu %xmm12, 48(%rsi) + movdqu %xmm13, 64(%rsi) + movdqu %xmm14, 80(%rsi) + lea 96(%rsi), %rsi + vpshufb %xmm0, %xmm9, %xmm8 + vpshufb %xmm0, %xmm10, %xmm2 + movdqu %xmm8, 112(%rbp) + vpshufb %xmm0, %xmm11, %xmm4 + movdqu %xmm2, 96(%rbp) + vpshufb %xmm0, %xmm12, %xmm5 + movdqu %xmm4, 80(%rbp) + vpshufb %xmm0, %xmm13, %xmm6 + movdqu %xmm5, 64(%rbp) + vpshufb %xmm0, %xmm14, %xmm7 + movdqu %xmm6, 48(%rbp) + movdqu -128(%rcx), %xmm4 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + movdqu -112(%rcx), %xmm15 + mov %rcx, %r12 + sub $96, %r12 + vpxor %xmm4, %xmm1, %xmm9 + add $6, %rbx + cmp $256, %rbx + jae L74 + vpaddd %xmm2, %xmm1, %xmm10 + vpaddd %xmm2, %xmm10, %xmm11 + vpxor %xmm4, %xmm10, %xmm10 + vpaddd %xmm2, %xmm11, %xmm12 + vpxor %xmm4, %xmm11, %xmm11 + vpaddd %xmm2, %xmm12, %xmm13 + vpxor %xmm4, %xmm12, %xmm12 + vpaddd %xmm2, %xmm13, %xmm14 + vpxor %xmm4, %xmm13, %xmm13 + vpaddd %xmm2, %xmm14, %xmm1 + vpxor %xmm4, %xmm14, %xmm14 + jmp L75 +L74: + sub $256, %rbx + vpshufb 
%xmm0, %xmm1, %xmm6 + pxor %xmm5, %xmm5 + mov $1, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm10 + pxor %xmm5, %xmm5 + mov $2, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm11 + vpaddd %xmm5, %xmm10, %xmm12 + vpshufb %xmm0, %xmm10, %xmm10 + vpaddd %xmm5, %xmm11, %xmm13 + vpshufb %xmm0, %xmm11, %xmm11 + vpxor %xmm4, %xmm10, %xmm10 + vpaddd %xmm5, %xmm12, %xmm14 + vpshufb %xmm0, %xmm12, %xmm12 + vpxor %xmm4, %xmm11, %xmm11 + vpaddd %xmm5, %xmm13, %xmm1 + vpshufb %xmm0, %xmm13, %xmm13 + vpxor %xmm4, %xmm12, %xmm12 + vpshufb %xmm0, %xmm14, %xmm14 + vpxor %xmm4, %xmm13, %xmm13 + vpshufb %xmm0, %xmm1, %xmm1 + vpxor %xmm4, %xmm14, %xmm14 +L75: + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -96(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -80(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -64(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -48(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -32(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -16(%rcx), 
%xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 0(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 16(%rcx), %xmm15 + movdqu 32(%rcx), %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor 0(%rdi), %xmm3, %xmm4 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor 16(%rdi), %xmm3, %xmm5 + vaesenc %xmm15, %xmm11, %xmm11 + vpxor 32(%rdi), %xmm3, %xmm6 + vaesenc %xmm15, %xmm12, %xmm12 + vpxor 48(%rdi), %xmm3, %xmm8 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor 64(%rdi), %xmm3, %xmm2 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor 80(%rdi), %xmm3, %xmm3 + lea 96(%rdi), %rdi + vaesenclast %xmm4, %xmm9, %xmm9 + vaesenclast %xmm5, %xmm10, %xmm10 + vaesenclast %xmm6, %xmm11, %xmm11 + vaesenclast %xmm8, %xmm12, %xmm12 + vaesenclast %xmm2, %xmm13, %xmm13 + vaesenclast %xmm3, %xmm14, %xmm14 + movdqu %xmm9, 0(%rsi) + movdqu %xmm10, 16(%rsi) + movdqu %xmm11, 32(%rsi) + movdqu %xmm12, 48(%rsi) + movdqu %xmm13, 64(%rsi) + movdqu %xmm14, 80(%rsi) + lea 96(%rsi), %rsi + sub $12, %rdx + movdqu 32(%rbp), %xmm8 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + vpxor %xmm4, %xmm4, %xmm4 + movdqu -128(%rcx), %xmm15 + vpaddd %xmm2, %xmm1, %xmm10 + vpaddd %xmm2, %xmm10, %xmm11 + vpaddd %xmm2, %xmm11, %xmm12 + vpaddd %xmm2, %xmm12, %xmm13 + vpaddd %xmm2, %xmm13, %xmm14 + vpxor %xmm15, %xmm1, %xmm9 + movdqu %xmm4, 16(%rbp) + jmp L77 +.balign 16 +L76: + add $6, %rbx + cmp $256, %rbx + jb L78 + mov $579005069656919567, %r11 + pinsrq $0, %r11, %xmm0 + mov $283686952306183, %r11 + pinsrq $1, %r11, %xmm0 + vpshufb %xmm0, %xmm1, %xmm6 + pxor %xmm5, %xmm5 + mov $1, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm10 + pxor %xmm5, %xmm5 + mov $2, %r11 + pinsrq $0, 
%r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm11 + movdqu -32(%r9), %xmm3 + vpaddd %xmm5, %xmm10, %xmm12 + vpshufb %xmm0, %xmm10, %xmm10 + vpaddd %xmm5, %xmm11, %xmm13 + vpshufb %xmm0, %xmm11, %xmm11 + vpxor %xmm15, %xmm10, %xmm10 + vpaddd %xmm5, %xmm12, %xmm14 + vpshufb %xmm0, %xmm12, %xmm12 + vpxor %xmm15, %xmm11, %xmm11 + vpaddd %xmm5, %xmm13, %xmm1 + vpshufb %xmm0, %xmm13, %xmm13 + vpshufb %xmm0, %xmm14, %xmm14 + vpshufb %xmm0, %xmm1, %xmm1 + sub $256, %rbx + jmp L79 +L78: + movdqu -32(%r9), %xmm3 + vpaddd %xmm14, %xmm2, %xmm1 + vpxor %xmm15, %xmm10, %xmm10 + vpxor %xmm15, %xmm11, %xmm11 +L79: + movdqu %xmm1, 128(%rbp) + vpclmulqdq $16, %xmm3, %xmm7, %xmm5 + vpxor %xmm15, %xmm12, %xmm12 + movdqu -112(%rcx), %xmm2 + vpclmulqdq $1, %xmm3, %xmm7, %xmm6 + vaesenc %xmm2, %xmm9, %xmm9 + movdqu 48(%rbp), %xmm0 + vpxor %xmm15, %xmm13, %xmm13 + vpclmulqdq $0, %xmm3, %xmm7, %xmm1 + vaesenc %xmm2, %xmm10, %xmm10 + vpxor %xmm15, %xmm14, %xmm14 + vpclmulqdq $17, %xmm3, %xmm7, %xmm7 + vaesenc %xmm2, %xmm11, %xmm11 + movdqu -16(%r9), %xmm3 + vaesenc %xmm2, %xmm12, %xmm12 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $0, %xmm3, %xmm0, %xmm5 + vpxor %xmm4, %xmm8, %xmm8 + vaesenc %xmm2, %xmm13, %xmm13 + vpxor %xmm5, %xmm1, %xmm4 + vpclmulqdq $16, %xmm3, %xmm0, %xmm1 + vaesenc %xmm2, %xmm14, %xmm14 + movdqu -96(%rcx), %xmm15 + vpclmulqdq $1, %xmm3, %xmm0, %xmm2 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor 16(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm3, %xmm0, %xmm3 + movdqu 64(%rbp), %xmm0 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 88(%r14), %r13 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 80(%r14), %r12 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 32(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 40(%rbp) + movdqu 16(%r9), %xmm5 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -80(%rcx), %xmm15 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor %xmm3, 
%xmm7, %xmm7 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vaesenc %xmm15, %xmm11, %xmm11 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 80(%rbp), %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -64(%rcx), %xmm15 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $0, %xmm1, %xmm0, %xmm2 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $16, %xmm1, %xmm0, %xmm3 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 72(%r14), %r13 + vpxor %xmm5, %xmm7, %xmm7 + vpclmulqdq $1, %xmm1, %xmm0, %xmm5 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 64(%r14), %r12 + vpclmulqdq $17, %xmm1, %xmm0, %xmm1 + movdqu 96(%rbp), %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 48(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 56(%rbp) + vpxor %xmm2, %xmm4, %xmm4 + movdqu 64(%r9), %xmm2 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -48(%rcx), %xmm15 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $0, %xmm2, %xmm0, %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm2, %xmm0, %xmm5 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 56(%r14), %r13 + vpxor %xmm1, %xmm7, %xmm7 + vpclmulqdq $1, %xmm2, %xmm0, %xmm1 + vpxor 112(%rbp), %xmm8, %xmm8 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 48(%r14), %r12 + vpclmulqdq $17, %xmm2, %xmm0, %xmm2 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 64(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 72(%rbp) + vpxor %xmm3, %xmm4, %xmm4 + movdqu 80(%r9), %xmm3 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -32(%rcx), %xmm15 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm3, %xmm8, %xmm5 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $1, %xmm3, %xmm8, %xmm1 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 40(%r14), %r13 + vpxor %xmm2, %xmm7, %xmm7 + vpclmulqdq $0, %xmm3, %xmm8, %xmm2 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 32(%r14), %r12 + vpclmulqdq $17, %xmm3, %xmm8, %xmm8 + vaesenc %xmm15, %xmm12, %xmm12 + 
movq %r13, 80(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 88(%rbp) + vpxor %xmm5, %xmm6, %xmm6 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor %xmm1, %xmm6, %xmm6 + movdqu -16(%rcx), %xmm15 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm2, %xmm4, %xmm4 + pxor %xmm3, %xmm3 + mov $13979173243358019584, %r11 + pinsrq $1, %r11, %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm8, %xmm7, %xmm7 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor %xmm5, %xmm4, %xmm4 + movbeq 24(%r14), %r13 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 16(%r14), %r12 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + movq %r13, 96(%rbp) + vaesenc %xmm15, %xmm12, %xmm12 + movq %r12, 104(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 0(%rcx), %xmm1 + vaesenc %xmm1, %xmm9, %xmm9 + movdqu 16(%rcx), %xmm15 + vaesenc %xmm1, %xmm10, %xmm10 + vpsrldq $8, %xmm6, %xmm6 + vaesenc %xmm1, %xmm11, %xmm11 + vpxor %xmm6, %xmm7, %xmm7 + vaesenc %xmm1, %xmm12, %xmm12 + vpxor %xmm0, %xmm4, %xmm4 + movbeq 8(%r14), %r13 + vaesenc %xmm1, %xmm13, %xmm13 + movbeq 0(%r14), %r12 + vaesenc %xmm1, %xmm14, %xmm14 + movdqu 32(%rcx), %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + movdqu %xmm7, 16(%rbp) + vpalignr $8, %xmm4, %xmm4, %xmm8 + vaesenc %xmm15, %xmm10, %xmm10 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor 0(%rdi), %xmm1, %xmm2 + vaesenc %xmm15, %xmm11, %xmm11 + vpxor 16(%rdi), %xmm1, %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + vpxor 32(%rdi), %xmm1, %xmm5 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor 48(%rdi), %xmm1, %xmm6 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor 64(%rdi), %xmm1, %xmm7 + vpxor 80(%rdi), %xmm1, %xmm3 + movdqu 128(%rbp), %xmm1 + vaesenclast %xmm2, %xmm9, %xmm9 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + vaesenclast %xmm0, %xmm10, %xmm10 + vpaddd %xmm2, %xmm1, %xmm0 + movq %r13, 112(%rbp) + lea 96(%rdi), %rdi + vaesenclast %xmm5, %xmm11, %xmm11 + vpaddd %xmm2, %xmm0, %xmm5 + movq %r12, 120(%rbp) + lea 96(%rsi), %rsi + movdqu -128(%rcx), %xmm15 + 
vaesenclast %xmm6, %xmm12, %xmm12 + vpaddd %xmm2, %xmm5, %xmm6 + vaesenclast %xmm7, %xmm13, %xmm13 + vpaddd %xmm2, %xmm6, %xmm7 + vaesenclast %xmm3, %xmm14, %xmm14 + vpaddd %xmm2, %xmm7, %xmm3 + sub $6, %rdx + add $96, %r14 + cmp $0, %rdx + jbe L80 + movdqu %xmm9, -96(%rsi) + vpxor %xmm15, %xmm1, %xmm9 + movdqu %xmm10, -80(%rsi) + movdqu %xmm0, %xmm10 + movdqu %xmm11, -64(%rsi) + movdqu %xmm5, %xmm11 + movdqu %xmm12, -48(%rsi) + movdqu %xmm6, %xmm12 + movdqu %xmm13, -32(%rsi) + movdqu %xmm7, %xmm13 + movdqu %xmm14, -16(%rsi) + movdqu %xmm3, %xmm14 + movdqu 32(%rbp), %xmm7 + jmp L81 +L80: + vpxor 16(%rbp), %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 +L81: +.balign 16 +L77: + cmp $0, %rdx + ja L76 + movdqu 32(%rbp), %xmm7 + movdqu %xmm1, 32(%rbp) + pxor %xmm4, %xmm4 + movdqu %xmm4, 16(%rbp) + movdqu -32(%r9), %xmm3 + vpclmulqdq $0, %xmm3, %xmm7, %xmm1 + vpclmulqdq $16, %xmm3, %xmm7, %xmm5 + movdqu 48(%rbp), %xmm0 + vpclmulqdq $1, %xmm3, %xmm7, %xmm6 + vpclmulqdq $17, %xmm3, %xmm7, %xmm7 + movdqu -16(%r9), %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $0, %xmm3, %xmm0, %xmm5 + vpxor %xmm4, %xmm8, %xmm8 + vpxor %xmm5, %xmm1, %xmm4 + vpclmulqdq $16, %xmm3, %xmm0, %xmm1 + vpclmulqdq $1, %xmm3, %xmm0, %xmm2 + vpxor 16(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm3, %xmm0, %xmm3 + movdqu 64(%rbp), %xmm0 + movdqu 16(%r9), %xmm5 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpxor %xmm3, %xmm7, %xmm7 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 80(%rbp), %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $0, %xmm1, %xmm0, %xmm2 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $16, %xmm1, %xmm0, %xmm3 + vpxor %xmm5, %xmm7, %xmm7 + vpclmulqdq $1, %xmm1, %xmm0, %xmm5 + vpclmulqdq $17, %xmm1, %xmm0, %xmm1 + movdqu 96(%rbp), %xmm0 + vpxor %xmm2, %xmm4, %xmm4 + movdqu 64(%r9), %xmm2 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq 
$0, %xmm2, %xmm0, %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm2, %xmm0, %xmm5 + vpxor %xmm1, %xmm7, %xmm7 + vpclmulqdq $1, %xmm2, %xmm0, %xmm1 + vpxor 112(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm2, %xmm0, %xmm2 + vpxor %xmm3, %xmm4, %xmm4 + movdqu 80(%r9), %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm3, %xmm8, %xmm5 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $1, %xmm3, %xmm8, %xmm1 + vpxor %xmm2, %xmm7, %xmm7 + vpclmulqdq $0, %xmm3, %xmm8, %xmm2 + vpclmulqdq $17, %xmm3, %xmm8, %xmm8 + vpxor %xmm5, %xmm6, %xmm6 + vpxor %xmm1, %xmm6, %xmm6 + vpxor %xmm2, %xmm4, %xmm4 + pxor %xmm3, %xmm3 + mov $3254779904, %rax + pinsrd $3, %eax, %xmm3 + vpxor %xmm8, %xmm7, %xmm7 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm0 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm0 + movdqu %xmm9, -96(%rsi) + vpshufb %xmm0, %xmm9, %xmm9 + vpxor %xmm7, %xmm1, %xmm1 + movdqu %xmm10, -80(%rsi) + vpshufb %xmm0, %xmm10, %xmm10 + movdqu %xmm11, -64(%rsi) + vpshufb %xmm0, %xmm11, %xmm11 + movdqu %xmm12, -48(%rsi) + vpshufb %xmm0, %xmm12, %xmm12 + movdqu %xmm13, -32(%rsi) + vpshufb %xmm0, %xmm13, %xmm13 + movdqu %xmm14, -16(%rsi) + vpshufb %xmm0, %xmm14, %xmm14 + pxor %xmm4, %xmm4 + movdqu %xmm14, %xmm7 + movdqu %xmm4, 16(%rbp) + movdqu %xmm13, 48(%rbp) + movdqu %xmm12, 64(%rbp) + movdqu %xmm11, 80(%rbp) + movdqu %xmm10, 96(%rbp) + movdqu %xmm9, 112(%rbp) + movdqu -32(%r9), %xmm3 + vpclmulqdq $0, %xmm3, %xmm7, %xmm1 + vpclmulqdq $16, %xmm3, %xmm7, %xmm5 + movdqu 48(%rbp), %xmm0 + vpclmulqdq $1, %xmm3, %xmm7, %xmm6 + vpclmulqdq $17, %xmm3, %xmm7, %xmm7 + movdqu -16(%r9), %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $0, %xmm3, 
%xmm0, %xmm5 + vpxor %xmm4, %xmm8, %xmm8 + vpxor %xmm5, %xmm1, %xmm4 + vpclmulqdq $16, %xmm3, %xmm0, %xmm1 + vpclmulqdq $1, %xmm3, %xmm0, %xmm2 + vpxor 16(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm3, %xmm0, %xmm3 + movdqu 64(%rbp), %xmm0 + movdqu 16(%r9), %xmm5 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpxor %xmm3, %xmm7, %xmm7 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 80(%rbp), %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $0, %xmm1, %xmm0, %xmm2 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $16, %xmm1, %xmm0, %xmm3 + vpxor %xmm5, %xmm7, %xmm7 + vpclmulqdq $1, %xmm1, %xmm0, %xmm5 + vpclmulqdq $17, %xmm1, %xmm0, %xmm1 + movdqu 96(%rbp), %xmm0 + vpxor %xmm2, %xmm4, %xmm4 + movdqu 64(%r9), %xmm2 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $0, %xmm2, %xmm0, %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm2, %xmm0, %xmm5 + vpxor %xmm1, %xmm7, %xmm7 + vpclmulqdq $1, %xmm2, %xmm0, %xmm1 + vpxor 112(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm2, %xmm0, %xmm2 + vpxor %xmm3, %xmm4, %xmm4 + movdqu 80(%r9), %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm3, %xmm8, %xmm5 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $1, %xmm3, %xmm8, %xmm1 + vpxor %xmm2, %xmm7, %xmm7 + vpclmulqdq $0, %xmm3, %xmm8, %xmm2 + vpclmulqdq $17, %xmm3, %xmm8, %xmm8 + vpxor %xmm5, %xmm6, %xmm6 + vpxor %xmm1, %xmm6, %xmm6 + vpxor %xmm2, %xmm4, %xmm4 + pxor %xmm3, %xmm3 + mov $3254779904, %rax + pinsrd $3, %eax, %xmm3 + vpxor %xmm8, %xmm7, %xmm7 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + sub $128, %rcx +L71: + movdqu 32(%rbp), 
%xmm11 + mov %rcx, %r8 + mov 104(%rsp), %rax + mov 112(%rsp), %rdi + mov 120(%rsp), %rdx + mov %rdx, %r14 + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm9 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm9 + pshufb %xmm9, %xmm11 + pxor %xmm10, %xmm10 + mov $1, %rbx + pinsrd $0, %ebx, %xmm10 + mov %rax, %r11 + mov %rdi, %r10 + mov $0, %rbx + jmp L83 +.balign 16 +L82: + movdqu %xmm11, %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + movdqu 0(%r11), %xmm2 + pxor %xmm0, %xmm2 + movdqu %xmm2, 0(%r10) + add $1, %rbx + add $16, %r11 + add $16, %r10 + paddd %xmm10, %xmm11 +.balign 16 +L83: + cmp %rdx, %rbx + jne L82 + mov %rdi, %r11 + jmp L85 +.balign 16 +L84: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + 
vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L85: + cmp $6, %rdx + jae L84 + cmp $0, %rdx + jbe L86 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), 
%xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L88 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L89 +L88: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L90 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L92 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L94 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L95 +L94: +L95: + jmp L93 +L92: +L93: + jmp L91 +L90: +L91: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, 
%xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L89: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L87 +L86: +L87: + add 96(%rsp), %r14 + imul $16, %r14 + mov 136(%rsp), %r13 + cmp %r14, %r13 + jbe L96 + mov 128(%rsp), %rax + mov %r13, %r10 + and $15, %r10 + movdqu %xmm11, %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + movdqu 0(%rax), %xmm4 + pxor %xmm4, %xmm0 + movdqu %xmm0, 0(%rax) + cmp $8, %r10 + jae L98 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L99 +L98: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L99: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + 
vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L97 +L96: +L97: + mov %r15, %r11 + pxor %xmm0, %xmm0 + mov %r11, %rax + imul $8, %rax + pinsrq $1, %rax, %xmm0 + mov %r13, %rax + imul $8, %rax + pinsrq $0, %rax, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + movdqu 0(%rbp), %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pshufb %xmm9, %xmm8 + pxor %xmm0, %xmm8 + 
mov 152(%rsp), %r15 + movdqu %xmm8, 0(%r15) + pop %rbx + pop %rbp + pop %rdi + pop %rsi + pop %r12 + pop %r13 + pop %r14 + pop %r15 + ret + +.global gcm256_encrypt_opt +gcm256_encrypt_opt: + push %r15 + push %r14 + push %r13 + push %r12 + push %rsi + push %rdi + push %rbp + push %rbx + mov 144(%rsp), %rbp + mov %rcx, %r13 + lea 32(%r9), %r9 + mov 72(%rsp), %rbx + mov %rdx, %rcx + imul $16, %rcx + mov $579005069656919567, %r10 + pinsrq $0, %r10, %xmm9 + mov $283686952306183, %r10 + pinsrq $1, %r10, %xmm9 + pxor %xmm8, %xmm8 + mov %rdi, %r11 + jmp L101 +.balign 16 +L100: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + 
vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L101: + cmp $6, %rdx + jae L100 + cmp $0, %rdx + jbe L102 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L104 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L105 +L104: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + 
movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L106 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L108 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L110 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L111 +L110: +L111: + jmp L109 +L108: +L109: + jmp L107 +L106: +L107: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L105: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, 
%xmm8, %xmm8 + jmp L103 +L102: +L103: + mov %rsi, %r15 + cmp %rcx, %rsi + jbe L112 + movdqu 0(%rbx), %xmm0 + mov %rsi, %r10 + and $15, %r10 + cmp $8, %r10 + jae L114 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L115 +L114: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L115: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L113 +L112: +L113: + mov 80(%rsp), %rdi + mov 88(%rsp), %rsi + mov 96(%rsp), %rdx + mov %r13, %rcx + movdqu %xmm9, %xmm0 + movdqu 0(%r8), %xmm1 + movdqu %xmm1, 0(%rbp) + pxor %xmm10, %xmm10 + mov $1, %r11 + pinsrq $0, %r11, %xmm10 + vpaddd %xmm10, %xmm1, %xmm1 + cmp $0, %rdx + jne L116 + vpshufb %xmm0, %xmm1, %xmm1 + movdqu %xmm1, 32(%rbp) + jmp L117 +L116: + movdqu %xmm8, 32(%rbp) + add $128, %rcx + pextrq $0, %xmm1, %rbx + and $255, %rbx + vpshufb %xmm0, %xmm1, %xmm1 + lea 96(%rsi), %r14 + movdqu -128(%rcx), %xmm4 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + movdqu -112(%rcx), %xmm15 + mov %rcx, %r12 + sub $96, %r12 + vpxor %xmm4, %xmm1, %xmm9 + add $6, %rbx + cmp $256, %rbx + jae L118 + vpaddd %xmm2, 
%xmm1, %xmm10 + vpaddd %xmm2, %xmm10, %xmm11 + vpxor %xmm4, %xmm10, %xmm10 + vpaddd %xmm2, %xmm11, %xmm12 + vpxor %xmm4, %xmm11, %xmm11 + vpaddd %xmm2, %xmm12, %xmm13 + vpxor %xmm4, %xmm12, %xmm12 + vpaddd %xmm2, %xmm13, %xmm14 + vpxor %xmm4, %xmm13, %xmm13 + vpaddd %xmm2, %xmm14, %xmm1 + vpxor %xmm4, %xmm14, %xmm14 + jmp L119 +L118: + sub $256, %rbx + vpshufb %xmm0, %xmm1, %xmm6 + pxor %xmm5, %xmm5 + mov $1, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm10 + pxor %xmm5, %xmm5 + mov $2, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm11 + vpaddd %xmm5, %xmm10, %xmm12 + vpshufb %xmm0, %xmm10, %xmm10 + vpaddd %xmm5, %xmm11, %xmm13 + vpshufb %xmm0, %xmm11, %xmm11 + vpxor %xmm4, %xmm10, %xmm10 + vpaddd %xmm5, %xmm12, %xmm14 + vpshufb %xmm0, %xmm12, %xmm12 + vpxor %xmm4, %xmm11, %xmm11 + vpaddd %xmm5, %xmm13, %xmm1 + vpshufb %xmm0, %xmm13, %xmm13 + vpxor %xmm4, %xmm12, %xmm12 + vpshufb %xmm0, %xmm14, %xmm14 + vpxor %xmm4, %xmm13, %xmm13 + vpshufb %xmm0, %xmm1, %xmm1 + vpxor %xmm4, %xmm14, %xmm14 +L119: + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -96(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -80(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -64(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -48(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc 
%xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -32(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -16(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 0(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 16(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 32(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 48(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 64(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 80(%rcx), %xmm15 + movdqu 96(%rcx), %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor 0(%rdi), %xmm3, %xmm4 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor 16(%rdi), %xmm3, %xmm5 + vaesenc %xmm15, %xmm11, %xmm11 + vpxor 32(%rdi), %xmm3, %xmm6 + vaesenc %xmm15, %xmm12, %xmm12 + vpxor 48(%rdi), %xmm3, %xmm8 + vaesenc %xmm15, 
%xmm13, %xmm13 + vpxor 64(%rdi), %xmm3, %xmm2 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor 80(%rdi), %xmm3, %xmm3 + lea 96(%rdi), %rdi + vaesenclast %xmm4, %xmm9, %xmm9 + vaesenclast %xmm5, %xmm10, %xmm10 + vaesenclast %xmm6, %xmm11, %xmm11 + vaesenclast %xmm8, %xmm12, %xmm12 + vaesenclast %xmm2, %xmm13, %xmm13 + vaesenclast %xmm3, %xmm14, %xmm14 + movdqu %xmm9, 0(%rsi) + movdqu %xmm10, 16(%rsi) + movdqu %xmm11, 32(%rsi) + movdqu %xmm12, 48(%rsi) + movdqu %xmm13, 64(%rsi) + movdqu %xmm14, 80(%rsi) + lea 96(%rsi), %rsi + vpshufb %xmm0, %xmm9, %xmm8 + vpshufb %xmm0, %xmm10, %xmm2 + movdqu %xmm8, 112(%rbp) + vpshufb %xmm0, %xmm11, %xmm4 + movdqu %xmm2, 96(%rbp) + vpshufb %xmm0, %xmm12, %xmm5 + movdqu %xmm4, 80(%rbp) + vpshufb %xmm0, %xmm13, %xmm6 + movdqu %xmm5, 64(%rbp) + vpshufb %xmm0, %xmm14, %xmm7 + movdqu %xmm6, 48(%rbp) + movdqu -128(%rcx), %xmm4 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + movdqu -112(%rcx), %xmm15 + mov %rcx, %r12 + sub $96, %r12 + vpxor %xmm4, %xmm1, %xmm9 + add $6, %rbx + cmp $256, %rbx + jae L120 + vpaddd %xmm2, %xmm1, %xmm10 + vpaddd %xmm2, %xmm10, %xmm11 + vpxor %xmm4, %xmm10, %xmm10 + vpaddd %xmm2, %xmm11, %xmm12 + vpxor %xmm4, %xmm11, %xmm11 + vpaddd %xmm2, %xmm12, %xmm13 + vpxor %xmm4, %xmm12, %xmm12 + vpaddd %xmm2, %xmm13, %xmm14 + vpxor %xmm4, %xmm13, %xmm13 + vpaddd %xmm2, %xmm14, %xmm1 + vpxor %xmm4, %xmm14, %xmm14 + jmp L121 +L120: + sub $256, %rbx + vpshufb %xmm0, %xmm1, %xmm6 + pxor %xmm5, %xmm5 + mov $1, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm10 + pxor %xmm5, %xmm5 + mov $2, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm11 + vpaddd %xmm5, %xmm10, %xmm12 + vpshufb %xmm0, %xmm10, %xmm10 + vpaddd %xmm5, %xmm11, %xmm13 + vpshufb %xmm0, %xmm11, %xmm11 + vpxor %xmm4, %xmm10, %xmm10 + vpaddd %xmm5, %xmm12, %xmm14 + vpshufb %xmm0, %xmm12, %xmm12 + vpxor %xmm4, %xmm11, %xmm11 + vpaddd %xmm5, %xmm13, %xmm1 + vpshufb %xmm0, %xmm13, %xmm13 + vpxor %xmm4, %xmm12, %xmm12 + vpshufb 
%xmm0, %xmm14, %xmm14 + vpxor %xmm4, %xmm13, %xmm13 + vpshufb %xmm0, %xmm1, %xmm1 + vpxor %xmm4, %xmm14, %xmm14 +L121: + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -96(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -80(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -64(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -48(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -32(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -16(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 0(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 16(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + 
vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 32(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 48(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 64(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 80(%rcx), %xmm15 + movdqu 96(%rcx), %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor 0(%rdi), %xmm3, %xmm4 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor 16(%rdi), %xmm3, %xmm5 + vaesenc %xmm15, %xmm11, %xmm11 + vpxor 32(%rdi), %xmm3, %xmm6 + vaesenc %xmm15, %xmm12, %xmm12 + vpxor 48(%rdi), %xmm3, %xmm8 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor 64(%rdi), %xmm3, %xmm2 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor 80(%rdi), %xmm3, %xmm3 + lea 96(%rdi), %rdi + vaesenclast %xmm4, %xmm9, %xmm9 + vaesenclast %xmm5, %xmm10, %xmm10 + vaesenclast %xmm6, %xmm11, %xmm11 + vaesenclast %xmm8, %xmm12, %xmm12 + vaesenclast %xmm2, %xmm13, %xmm13 + vaesenclast %xmm3, %xmm14, %xmm14 + movdqu %xmm9, 0(%rsi) + movdqu %xmm10, 16(%rsi) + movdqu %xmm11, 32(%rsi) + movdqu %xmm12, 48(%rsi) + movdqu %xmm13, 64(%rsi) + movdqu %xmm14, 80(%rsi) + lea 96(%rsi), %rsi + sub $12, %rdx + movdqu 32(%rbp), %xmm8 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + vpxor %xmm4, %xmm4, %xmm4 + movdqu -128(%rcx), %xmm15 + vpaddd %xmm2, %xmm1, %xmm10 + vpaddd %xmm2, %xmm10, %xmm11 + vpaddd %xmm2, %xmm11, %xmm12 + vpaddd %xmm2, %xmm12, %xmm13 + vpaddd %xmm2, %xmm13, %xmm14 + vpxor %xmm15, %xmm1, %xmm9 + movdqu %xmm4, 16(%rbp) + jmp L123 
+.balign 16 +L122: + add $6, %rbx + cmp $256, %rbx + jb L124 + mov $579005069656919567, %r11 + pinsrq $0, %r11, %xmm0 + mov $283686952306183, %r11 + pinsrq $1, %r11, %xmm0 + vpshufb %xmm0, %xmm1, %xmm6 + pxor %xmm5, %xmm5 + mov $1, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm10 + pxor %xmm5, %xmm5 + mov $2, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm11 + movdqu -32(%r9), %xmm3 + vpaddd %xmm5, %xmm10, %xmm12 + vpshufb %xmm0, %xmm10, %xmm10 + vpaddd %xmm5, %xmm11, %xmm13 + vpshufb %xmm0, %xmm11, %xmm11 + vpxor %xmm15, %xmm10, %xmm10 + vpaddd %xmm5, %xmm12, %xmm14 + vpshufb %xmm0, %xmm12, %xmm12 + vpxor %xmm15, %xmm11, %xmm11 + vpaddd %xmm5, %xmm13, %xmm1 + vpshufb %xmm0, %xmm13, %xmm13 + vpshufb %xmm0, %xmm14, %xmm14 + vpshufb %xmm0, %xmm1, %xmm1 + sub $256, %rbx + jmp L125 +L124: + movdqu -32(%r9), %xmm3 + vpaddd %xmm14, %xmm2, %xmm1 + vpxor %xmm15, %xmm10, %xmm10 + vpxor %xmm15, %xmm11, %xmm11 +L125: + movdqu %xmm1, 128(%rbp) + vpclmulqdq $16, %xmm3, %xmm7, %xmm5 + vpxor %xmm15, %xmm12, %xmm12 + movdqu -112(%rcx), %xmm2 + vpclmulqdq $1, %xmm3, %xmm7, %xmm6 + vaesenc %xmm2, %xmm9, %xmm9 + movdqu 48(%rbp), %xmm0 + vpxor %xmm15, %xmm13, %xmm13 + vpclmulqdq $0, %xmm3, %xmm7, %xmm1 + vaesenc %xmm2, %xmm10, %xmm10 + vpxor %xmm15, %xmm14, %xmm14 + vpclmulqdq $17, %xmm3, %xmm7, %xmm7 + vaesenc %xmm2, %xmm11, %xmm11 + movdqu -16(%r9), %xmm3 + vaesenc %xmm2, %xmm12, %xmm12 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $0, %xmm3, %xmm0, %xmm5 + vpxor %xmm4, %xmm8, %xmm8 + vaesenc %xmm2, %xmm13, %xmm13 + vpxor %xmm5, %xmm1, %xmm4 + vpclmulqdq $16, %xmm3, %xmm0, %xmm1 + vaesenc %xmm2, %xmm14, %xmm14 + movdqu -96(%rcx), %xmm15 + vpclmulqdq $1, %xmm3, %xmm0, %xmm2 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor 16(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm3, %xmm0, %xmm3 + movdqu 64(%rbp), %xmm0 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 88(%r14), %r13 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 80(%r14), %r12 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 32(%rbp) + 
vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 40(%rbp) + movdqu 16(%r9), %xmm5 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -80(%rcx), %xmm15 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor %xmm3, %xmm7, %xmm7 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vaesenc %xmm15, %xmm11, %xmm11 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 80(%rbp), %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -64(%rcx), %xmm15 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $0, %xmm1, %xmm0, %xmm2 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $16, %xmm1, %xmm0, %xmm3 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 72(%r14), %r13 + vpxor %xmm5, %xmm7, %xmm7 + vpclmulqdq $1, %xmm1, %xmm0, %xmm5 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 64(%r14), %r12 + vpclmulqdq $17, %xmm1, %xmm0, %xmm1 + movdqu 96(%rbp), %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 48(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 56(%rbp) + vpxor %xmm2, %xmm4, %xmm4 + movdqu 64(%r9), %xmm2 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -48(%rcx), %xmm15 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $0, %xmm2, %xmm0, %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm2, %xmm0, %xmm5 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 56(%r14), %r13 + vpxor %xmm1, %xmm7, %xmm7 + vpclmulqdq $1, %xmm2, %xmm0, %xmm1 + vpxor 112(%rbp), %xmm8, %xmm8 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 48(%r14), %r12 + vpclmulqdq $17, %xmm2, %xmm0, %xmm2 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 64(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 72(%rbp) + vpxor %xmm3, %xmm4, %xmm4 + movdqu 80(%r9), %xmm3 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -32(%rcx), %xmm15 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm3, %xmm8, %xmm5 + 
vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $1, %xmm3, %xmm8, %xmm1 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 40(%r14), %r13 + vpxor %xmm2, %xmm7, %xmm7 + vpclmulqdq $0, %xmm3, %xmm8, %xmm2 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 32(%r14), %r12 + vpclmulqdq $17, %xmm3, %xmm8, %xmm8 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 80(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 88(%rbp) + vpxor %xmm5, %xmm6, %xmm6 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor %xmm1, %xmm6, %xmm6 + movdqu -16(%rcx), %xmm15 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm2, %xmm4, %xmm4 + pxor %xmm3, %xmm3 + mov $13979173243358019584, %r11 + pinsrq $1, %r11, %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm8, %xmm7, %xmm7 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor %xmm5, %xmm4, %xmm4 + movbeq 24(%r14), %r13 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 16(%r14), %r12 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + movq %r13, 96(%rbp) + vaesenc %xmm15, %xmm12, %xmm12 + movq %r12, 104(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 0(%rcx), %xmm1 + vaesenc %xmm1, %xmm9, %xmm9 + movdqu 16(%rcx), %xmm15 + vaesenc %xmm1, %xmm10, %xmm10 + vpsrldq $8, %xmm6, %xmm6 + vaesenc %xmm1, %xmm11, %xmm11 + vpxor %xmm6, %xmm7, %xmm7 + vaesenc %xmm1, %xmm12, %xmm12 + vpxor %xmm0, %xmm4, %xmm4 + movbeq 8(%r14), %r13 + vaesenc %xmm1, %xmm13, %xmm13 + movbeq 0(%r14), %r12 + vaesenc %xmm1, %xmm14, %xmm14 + movdqu 32(%rcx), %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + vaesenc %xmm1, %xmm9, %xmm9 + vaesenc %xmm1, %xmm10, %xmm10 + vaesenc %xmm1, %xmm11, %xmm11 + vaesenc %xmm1, %xmm12, %xmm12 + vaesenc %xmm1, %xmm13, %xmm13 + movdqu 48(%rcx), %xmm15 + vaesenc %xmm1, %xmm14, %xmm14 + movdqu 64(%rcx), %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc 
%xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + vaesenc %xmm1, %xmm9, %xmm9 + vaesenc %xmm1, %xmm10, %xmm10 + vaesenc %xmm1, %xmm11, %xmm11 + vaesenc %xmm1, %xmm12, %xmm12 + vaesenc %xmm1, %xmm13, %xmm13 + movdqu 80(%rcx), %xmm15 + vaesenc %xmm1, %xmm14, %xmm14 + movdqu 96(%rcx), %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + movdqu %xmm7, 16(%rbp) + vpalignr $8, %xmm4, %xmm4, %xmm8 + vaesenc %xmm15, %xmm10, %xmm10 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor 0(%rdi), %xmm1, %xmm2 + vaesenc %xmm15, %xmm11, %xmm11 + vpxor 16(%rdi), %xmm1, %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + vpxor 32(%rdi), %xmm1, %xmm5 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor 48(%rdi), %xmm1, %xmm6 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor 64(%rdi), %xmm1, %xmm7 + vpxor 80(%rdi), %xmm1, %xmm3 + movdqu 128(%rbp), %xmm1 + vaesenclast %xmm2, %xmm9, %xmm9 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + vaesenclast %xmm0, %xmm10, %xmm10 + vpaddd %xmm2, %xmm1, %xmm0 + movq %r13, 112(%rbp) + lea 96(%rdi), %rdi + vaesenclast %xmm5, %xmm11, %xmm11 + vpaddd %xmm2, %xmm0, %xmm5 + movq %r12, 120(%rbp) + lea 96(%rsi), %rsi + movdqu -128(%rcx), %xmm15 + vaesenclast %xmm6, %xmm12, %xmm12 + vpaddd %xmm2, %xmm5, %xmm6 + vaesenclast %xmm7, %xmm13, %xmm13 + vpaddd %xmm2, %xmm6, %xmm7 + vaesenclast %xmm3, %xmm14, %xmm14 + vpaddd %xmm2, %xmm7, %xmm3 + sub $6, %rdx + add $96, %r14 + cmp $0, %rdx + jbe L126 + movdqu %xmm9, -96(%rsi) + vpxor %xmm15, %xmm1, %xmm9 + movdqu %xmm10, -80(%rsi) + movdqu %xmm0, %xmm10 + movdqu %xmm11, -64(%rsi) + movdqu %xmm5, %xmm11 + movdqu %xmm12, -48(%rsi) + movdqu %xmm6, %xmm12 + movdqu %xmm13, -32(%rsi) + movdqu %xmm7, %xmm13 + movdqu %xmm14, -16(%rsi) + movdqu %xmm3, %xmm14 + movdqu 32(%rbp), %xmm7 + jmp L127 +L126: + vpxor 16(%rbp), %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 +L127: +.balign 16 +L123: + cmp $0, %rdx + ja L122 + movdqu 32(%rbp), %xmm7 + movdqu %xmm1, 32(%rbp) + pxor %xmm4, 
%xmm4 + movdqu %xmm4, 16(%rbp) + movdqu -32(%r9), %xmm3 + vpclmulqdq $0, %xmm3, %xmm7, %xmm1 + vpclmulqdq $16, %xmm3, %xmm7, %xmm5 + movdqu 48(%rbp), %xmm0 + vpclmulqdq $1, %xmm3, %xmm7, %xmm6 + vpclmulqdq $17, %xmm3, %xmm7, %xmm7 + movdqu -16(%r9), %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $0, %xmm3, %xmm0, %xmm5 + vpxor %xmm4, %xmm8, %xmm8 + vpxor %xmm5, %xmm1, %xmm4 + vpclmulqdq $16, %xmm3, %xmm0, %xmm1 + vpclmulqdq $1, %xmm3, %xmm0, %xmm2 + vpxor 16(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm3, %xmm0, %xmm3 + movdqu 64(%rbp), %xmm0 + movdqu 16(%r9), %xmm5 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpxor %xmm3, %xmm7, %xmm7 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 80(%rbp), %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $0, %xmm1, %xmm0, %xmm2 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $16, %xmm1, %xmm0, %xmm3 + vpxor %xmm5, %xmm7, %xmm7 + vpclmulqdq $1, %xmm1, %xmm0, %xmm5 + vpclmulqdq $17, %xmm1, %xmm0, %xmm1 + movdqu 96(%rbp), %xmm0 + vpxor %xmm2, %xmm4, %xmm4 + movdqu 64(%r9), %xmm2 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $0, %xmm2, %xmm0, %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm2, %xmm0, %xmm5 + vpxor %xmm1, %xmm7, %xmm7 + vpclmulqdq $1, %xmm2, %xmm0, %xmm1 + vpxor 112(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm2, %xmm0, %xmm2 + vpxor %xmm3, %xmm4, %xmm4 + movdqu 80(%r9), %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm3, %xmm8, %xmm5 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $1, %xmm3, %xmm8, %xmm1 + vpxor %xmm2, %xmm7, %xmm7 + vpclmulqdq $0, %xmm3, %xmm8, %xmm2 + vpclmulqdq $17, %xmm3, %xmm8, %xmm8 + vpxor %xmm5, %xmm6, %xmm6 + vpxor %xmm1, %xmm6, %xmm6 + vpxor %xmm2, %xmm4, %xmm4 + pxor %xmm3, %xmm3 + mov $3254779904, %rax + pinsrd $3, %eax, %xmm3 + vpxor %xmm8, %xmm7, %xmm7 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, 
%xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm0 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm0 + movdqu %xmm9, -96(%rsi) + vpshufb %xmm0, %xmm9, %xmm9 + vpxor %xmm7, %xmm1, %xmm1 + movdqu %xmm10, -80(%rsi) + vpshufb %xmm0, %xmm10, %xmm10 + movdqu %xmm11, -64(%rsi) + vpshufb %xmm0, %xmm11, %xmm11 + movdqu %xmm12, -48(%rsi) + vpshufb %xmm0, %xmm12, %xmm12 + movdqu %xmm13, -32(%rsi) + vpshufb %xmm0, %xmm13, %xmm13 + movdqu %xmm14, -16(%rsi) + vpshufb %xmm0, %xmm14, %xmm14 + pxor %xmm4, %xmm4 + movdqu %xmm14, %xmm7 + movdqu %xmm4, 16(%rbp) + movdqu %xmm13, 48(%rbp) + movdqu %xmm12, 64(%rbp) + movdqu %xmm11, 80(%rbp) + movdqu %xmm10, 96(%rbp) + movdqu %xmm9, 112(%rbp) + movdqu -32(%r9), %xmm3 + vpclmulqdq $0, %xmm3, %xmm7, %xmm1 + vpclmulqdq $16, %xmm3, %xmm7, %xmm5 + movdqu 48(%rbp), %xmm0 + vpclmulqdq $1, %xmm3, %xmm7, %xmm6 + vpclmulqdq $17, %xmm3, %xmm7, %xmm7 + movdqu -16(%r9), %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $0, %xmm3, %xmm0, %xmm5 + vpxor %xmm4, %xmm8, %xmm8 + vpxor %xmm5, %xmm1, %xmm4 + vpclmulqdq $16, %xmm3, %xmm0, %xmm1 + vpclmulqdq $1, %xmm3, %xmm0, %xmm2 + vpxor 16(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm3, %xmm0, %xmm3 + movdqu 64(%rbp), %xmm0 + movdqu 16(%r9), %xmm5 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpxor %xmm3, %xmm7, %xmm7 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 80(%rbp), %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $0, %xmm1, %xmm0, %xmm2 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $16, %xmm1, %xmm0, %xmm3 + vpxor %xmm5, %xmm7, %xmm7 + vpclmulqdq $1, %xmm1, %xmm0, 
%xmm5 + vpclmulqdq $17, %xmm1, %xmm0, %xmm1 + movdqu 96(%rbp), %xmm0 + vpxor %xmm2, %xmm4, %xmm4 + movdqu 64(%r9), %xmm2 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $0, %xmm2, %xmm0, %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm2, %xmm0, %xmm5 + vpxor %xmm1, %xmm7, %xmm7 + vpclmulqdq $1, %xmm2, %xmm0, %xmm1 + vpxor 112(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm2, %xmm0, %xmm2 + vpxor %xmm3, %xmm4, %xmm4 + movdqu 80(%r9), %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm3, %xmm8, %xmm5 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $1, %xmm3, %xmm8, %xmm1 + vpxor %xmm2, %xmm7, %xmm7 + vpclmulqdq $0, %xmm3, %xmm8, %xmm2 + vpclmulqdq $17, %xmm3, %xmm8, %xmm8 + vpxor %xmm5, %xmm6, %xmm6 + vpxor %xmm1, %xmm6, %xmm6 + vpxor %xmm2, %xmm4, %xmm4 + pxor %xmm3, %xmm3 + mov $3254779904, %rax + pinsrd $3, %eax, %xmm3 + vpxor %xmm8, %xmm7, %xmm7 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + sub $128, %rcx +L117: + movdqu 32(%rbp), %xmm11 + mov %rcx, %r8 + mov 104(%rsp), %rax + mov 112(%rsp), %rdi + mov 120(%rsp), %rdx + mov %rdx, %r14 + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm9 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm9 + pshufb %xmm9, %xmm11 + pxor %xmm10, %xmm10 + mov $1, %rbx + pinsrd $0, %ebx, %xmm10 + mov %rax, %r11 + mov %rdi, %r10 + mov $0, %rbx + jmp L129 +.balign 16 +L128: + movdqu %xmm11, %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 
112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 176(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 192(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 208(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 224(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + movdqu 0(%r11), %xmm2 + pxor %xmm0, %xmm2 + movdqu %xmm2, 0(%r10) + add $1, %rbx + add $16, %r11 + add $16, %r10 + paddd %xmm10, %xmm11 +.balign 16 +L129: + cmp %rdx, %rbx + jne L128 + mov %rdi, %r11 + jmp L131 +.balign 16 +L130: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + 
vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L131: + cmp $6, %rdx + jae L130 + cmp $0, %rdx + jbe L132 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L134 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L135 +L134: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + 
movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L136 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L138 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L140 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L141 +L140: +L141: + jmp L139 +L138: +L139: + jmp L137 +L136: +L137: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L135: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, 
%xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L133 +L132: +L133: + add 96(%rsp), %r14 + imul $16, %r14 + mov 136(%rsp), %r13 + cmp %r14, %r13 + jbe L142 + mov 128(%rsp), %rax + mov %r13, %r10 + and $15, %r10 + movdqu %xmm11, %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 176(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 192(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 208(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 224(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + movdqu 0(%rax), %xmm4 + pxor %xmm4, %xmm0 + movdqu %xmm0, 0(%rax) + cmp $8, %r10 + jae L144 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L145 +L144: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L145: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, 
%xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L143 +L142: +L143: + mov %r15, %r11 + pxor %xmm0, %xmm0 + mov %r11, %rax + imul $8, %rax + pinsrq $1, %rax, %xmm0 + mov %r13, %rax + imul $8, %rax + pinsrq $0, %rax, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + movdqu 0(%rbp), %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 176(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 192(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 208(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 224(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pshufb %xmm9, %xmm8 + pxor %xmm0, %xmm8 + mov 152(%rsp), %r15 + movdqu %xmm8, 0(%r15) + pop %rbx + pop %rbp + pop %rdi + pop %rsi + pop %r12 + pop %r13 + pop %r14 + pop %r15 + ret + +.global 
gcm128_decrypt_opt +gcm128_decrypt_opt: + push %r15 + push %r14 + push %r13 + push %r12 + push %rsi + push %rdi + push %rbp + push %rbx + mov 144(%rsp), %rbp + mov %rcx, %r13 + lea 32(%r9), %r9 + mov 72(%rsp), %rbx + mov %rdx, %rcx + imul $16, %rcx + mov $579005069656919567, %r10 + pinsrq $0, %r10, %xmm9 + mov $283686952306183, %r10 + pinsrq $1, %r10, %xmm9 + pxor %xmm8, %xmm8 + mov %rdi, %r11 + jmp L147 +.balign 16 +L146: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, 
%xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L147: + cmp $6, %rdx + jae L146 + cmp $0, %rdx + jbe L148 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L150 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L151 +L150: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L152 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, 
%xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L154 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L156 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L157 +L156: +L157: + jmp L155 +L154: +L155: + jmp L153 +L152: +L153: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L151: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L149 +L148: +L149: + mov %rsi, %r15 + cmp %rcx, %rsi + jbe L158 + movdqu 0(%rbx), %xmm0 + mov %rsi, %r10 + and $15, %r10 + cmp 
$8, %r10 + jae L160 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L161 +L160: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L161: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L159 +L158: +L159: + mov 80(%rsp), %rdi + mov 88(%rsp), %rsi + mov 96(%rsp), %rdx + mov %r13, %rcx + movdqu %xmm9, %xmm0 + movdqu 0(%r8), %xmm1 + movdqu %xmm1, 0(%rbp) + pxor %xmm10, %xmm10 + mov $1, %r11 + pinsrq $0, %r11, %xmm10 + vpaddd %xmm10, %xmm1, %xmm1 + cmp $0, %rdx + jne L162 + vpshufb %xmm0, %xmm1, %xmm1 + movdqu %xmm1, 32(%rbp) + jmp L163 +L162: + movdqu %xmm8, 32(%rbp) + add $128, %rcx + pextrq $0, %xmm1, %rbx + and $255, %rbx + vpshufb %xmm0, %xmm1, %xmm1 + lea 96(%rdi), %r14 + movdqu 32(%rbp), %xmm8 + movdqu 80(%rdi), %xmm7 + movdqu 64(%rdi), %xmm4 + movdqu 48(%rdi), %xmm5 + movdqu 32(%rdi), %xmm6 + vpshufb %xmm0, %xmm7, %xmm7 + movdqu 16(%rdi), %xmm2 + vpshufb %xmm0, %xmm4, %xmm4 + movdqu 0(%rdi), %xmm3 + vpshufb %xmm0, %xmm5, %xmm5 + movdqu %xmm4, 48(%rbp) + vpshufb %xmm0, %xmm6, %xmm6 + movdqu %xmm5, 64(%rbp) + vpshufb %xmm0, %xmm2, %xmm2 + movdqu %xmm6, 80(%rbp) + 
vpshufb %xmm0, %xmm3, %xmm3 + movdqu %xmm2, 96(%rbp) + movdqu %xmm3, 112(%rbp) + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + vpxor %xmm4, %xmm4, %xmm4 + movdqu -128(%rcx), %xmm15 + vpaddd %xmm2, %xmm1, %xmm10 + vpaddd %xmm2, %xmm10, %xmm11 + vpaddd %xmm2, %xmm11, %xmm12 + vpaddd %xmm2, %xmm12, %xmm13 + vpaddd %xmm2, %xmm13, %xmm14 + vpxor %xmm15, %xmm1, %xmm9 + movdqu %xmm4, 16(%rbp) + cmp $6, %rdx + jne L164 + sub $96, %r14 + jmp L165 +L164: +L165: + jmp L167 +.balign 16 +L166: + add $6, %rbx + cmp $256, %rbx + jb L168 + mov $579005069656919567, %r11 + pinsrq $0, %r11, %xmm0 + mov $283686952306183, %r11 + pinsrq $1, %r11, %xmm0 + vpshufb %xmm0, %xmm1, %xmm6 + pxor %xmm5, %xmm5 + mov $1, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm10 + pxor %xmm5, %xmm5 + mov $2, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm11 + movdqu -32(%r9), %xmm3 + vpaddd %xmm5, %xmm10, %xmm12 + vpshufb %xmm0, %xmm10, %xmm10 + vpaddd %xmm5, %xmm11, %xmm13 + vpshufb %xmm0, %xmm11, %xmm11 + vpxor %xmm15, %xmm10, %xmm10 + vpaddd %xmm5, %xmm12, %xmm14 + vpshufb %xmm0, %xmm12, %xmm12 + vpxor %xmm15, %xmm11, %xmm11 + vpaddd %xmm5, %xmm13, %xmm1 + vpshufb %xmm0, %xmm13, %xmm13 + vpshufb %xmm0, %xmm14, %xmm14 + vpshufb %xmm0, %xmm1, %xmm1 + sub $256, %rbx + jmp L169 +L168: + movdqu -32(%r9), %xmm3 + vpaddd %xmm14, %xmm2, %xmm1 + vpxor %xmm15, %xmm10, %xmm10 + vpxor %xmm15, %xmm11, %xmm11 +L169: + movdqu %xmm1, 128(%rbp) + vpclmulqdq $16, %xmm3, %xmm7, %xmm5 + vpxor %xmm15, %xmm12, %xmm12 + movdqu -112(%rcx), %xmm2 + vpclmulqdq $1, %xmm3, %xmm7, %xmm6 + vaesenc %xmm2, %xmm9, %xmm9 + movdqu 48(%rbp), %xmm0 + vpxor %xmm15, %xmm13, %xmm13 + vpclmulqdq $0, %xmm3, %xmm7, %xmm1 + vaesenc %xmm2, %xmm10, %xmm10 + vpxor %xmm15, %xmm14, %xmm14 + vpclmulqdq $17, %xmm3, %xmm7, %xmm7 + vaesenc %xmm2, %xmm11, %xmm11 + movdqu -16(%r9), %xmm3 + vaesenc %xmm2, %xmm12, %xmm12 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $0, %xmm3, %xmm0, %xmm5 + vpxor %xmm4, %xmm8, 
%xmm8 + vaesenc %xmm2, %xmm13, %xmm13 + vpxor %xmm5, %xmm1, %xmm4 + vpclmulqdq $16, %xmm3, %xmm0, %xmm1 + vaesenc %xmm2, %xmm14, %xmm14 + movdqu -96(%rcx), %xmm15 + vpclmulqdq $1, %xmm3, %xmm0, %xmm2 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor 16(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm3, %xmm0, %xmm3 + movdqu 64(%rbp), %xmm0 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 88(%r14), %r13 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 80(%r14), %r12 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 32(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 40(%rbp) + movdqu 16(%r9), %xmm5 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -80(%rcx), %xmm15 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor %xmm3, %xmm7, %xmm7 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vaesenc %xmm15, %xmm11, %xmm11 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 80(%rbp), %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -64(%rcx), %xmm15 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $0, %xmm1, %xmm0, %xmm2 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $16, %xmm1, %xmm0, %xmm3 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 72(%r14), %r13 + vpxor %xmm5, %xmm7, %xmm7 + vpclmulqdq $1, %xmm1, %xmm0, %xmm5 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 64(%r14), %r12 + vpclmulqdq $17, %xmm1, %xmm0, %xmm1 + movdqu 96(%rbp), %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 48(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 56(%rbp) + vpxor %xmm2, %xmm4, %xmm4 + movdqu 64(%r9), %xmm2 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -48(%rcx), %xmm15 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $0, %xmm2, %xmm0, %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm2, %xmm0, %xmm5 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 
56(%r14), %r13 + vpxor %xmm1, %xmm7, %xmm7 + vpclmulqdq $1, %xmm2, %xmm0, %xmm1 + vpxor 112(%rbp), %xmm8, %xmm8 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 48(%r14), %r12 + vpclmulqdq $17, %xmm2, %xmm0, %xmm2 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 64(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 72(%rbp) + vpxor %xmm3, %xmm4, %xmm4 + movdqu 80(%r9), %xmm3 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -32(%rcx), %xmm15 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm3, %xmm8, %xmm5 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $1, %xmm3, %xmm8, %xmm1 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 40(%r14), %r13 + vpxor %xmm2, %xmm7, %xmm7 + vpclmulqdq $0, %xmm3, %xmm8, %xmm2 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 32(%r14), %r12 + vpclmulqdq $17, %xmm3, %xmm8, %xmm8 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 80(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 88(%rbp) + vpxor %xmm5, %xmm6, %xmm6 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor %xmm1, %xmm6, %xmm6 + movdqu -16(%rcx), %xmm15 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm2, %xmm4, %xmm4 + pxor %xmm3, %xmm3 + mov $13979173243358019584, %r11 + pinsrq $1, %r11, %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm8, %xmm7, %xmm7 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor %xmm5, %xmm4, %xmm4 + movbeq 24(%r14), %r13 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 16(%r14), %r12 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + movq %r13, 96(%rbp) + vaesenc %xmm15, %xmm12, %xmm12 + movq %r12, 104(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 0(%rcx), %xmm1 + vaesenc %xmm1, %xmm9, %xmm9 + movdqu 16(%rcx), %xmm15 + vaesenc %xmm1, %xmm10, %xmm10 + vpsrldq $8, %xmm6, %xmm6 + vaesenc %xmm1, %xmm11, %xmm11 + vpxor %xmm6, %xmm7, %xmm7 + vaesenc %xmm1, %xmm12, %xmm12 + vpxor %xmm0, %xmm4, %xmm4 + movbeq 8(%r14), %r13 + vaesenc %xmm1, %xmm13, %xmm13 + movbeq 0(%r14), %r12 + vaesenc %xmm1, %xmm14, %xmm14 + movdqu 32(%rcx), %xmm1 + vaesenc %xmm15, 
%xmm9, %xmm9 + movdqu %xmm7, 16(%rbp) + vpalignr $8, %xmm4, %xmm4, %xmm8 + vaesenc %xmm15, %xmm10, %xmm10 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor 0(%rdi), %xmm1, %xmm2 + vaesenc %xmm15, %xmm11, %xmm11 + vpxor 16(%rdi), %xmm1, %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + vpxor 32(%rdi), %xmm1, %xmm5 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor 48(%rdi), %xmm1, %xmm6 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor 64(%rdi), %xmm1, %xmm7 + vpxor 80(%rdi), %xmm1, %xmm3 + movdqu 128(%rbp), %xmm1 + vaesenclast %xmm2, %xmm9, %xmm9 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + vaesenclast %xmm0, %xmm10, %xmm10 + vpaddd %xmm2, %xmm1, %xmm0 + movq %r13, 112(%rbp) + lea 96(%rdi), %rdi + vaesenclast %xmm5, %xmm11, %xmm11 + vpaddd %xmm2, %xmm0, %xmm5 + movq %r12, 120(%rbp) + lea 96(%rsi), %rsi + movdqu -128(%rcx), %xmm15 + vaesenclast %xmm6, %xmm12, %xmm12 + vpaddd %xmm2, %xmm5, %xmm6 + vaesenclast %xmm7, %xmm13, %xmm13 + vpaddd %xmm2, %xmm6, %xmm7 + vaesenclast %xmm3, %xmm14, %xmm14 + vpaddd %xmm2, %xmm7, %xmm3 + sub $6, %rdx + cmp $6, %rdx + jbe L170 + add $96, %r14 + jmp L171 +L170: +L171: + cmp $0, %rdx + jbe L172 + movdqu %xmm9, -96(%rsi) + vpxor %xmm15, %xmm1, %xmm9 + movdqu %xmm10, -80(%rsi) + movdqu %xmm0, %xmm10 + movdqu %xmm11, -64(%rsi) + movdqu %xmm5, %xmm11 + movdqu %xmm12, -48(%rsi) + movdqu %xmm6, %xmm12 + movdqu %xmm13, -32(%rsi) + movdqu %xmm7, %xmm13 + movdqu %xmm14, -16(%rsi) + movdqu %xmm3, %xmm14 + movdqu 32(%rbp), %xmm7 + jmp L173 +L172: + vpxor 16(%rbp), %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 +L173: +.balign 16 +L167: + cmp $0, %rdx + ja L166 + movdqu %xmm1, 32(%rbp) + movdqu %xmm9, -96(%rsi) + movdqu %xmm10, -80(%rsi) + movdqu %xmm11, -64(%rsi) + movdqu %xmm12, -48(%rsi) + movdqu %xmm13, -32(%rsi) + movdqu %xmm14, -16(%rsi) + sub $128, %rcx +L163: + movdqu 32(%rbp), %xmm11 + mov %rcx, %r8 + mov 104(%rsp), %rax + mov 112(%rsp), %rdi + mov 120(%rsp), %rdx + mov %rdx, %r14 + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm9 + 
mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm9 + pshufb %xmm9, %xmm11 + mov %rdi, %rbx + mov %rdx, %r12 + mov %rax, %rdi + mov %rdi, %r11 + jmp L175 +.balign 16 +L174: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + 
vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L175: + cmp $6, %rdx + jae L174 + cmp $0, %rdx + jbe L176 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L178 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L179 +L178: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L180 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, 
%xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L182 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L184 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L185 +L184: +L185: + jmp L183 +L182: +L183: + jmp L181 +L180: +L181: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L179: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L177 +L176: +L177: + mov %rbx, %rdi + mov %r12, %rdx + pxor %xmm10, %xmm10 + mov $1, %rbx + pinsrd $0, %ebx, %xmm10 + mov %rax, %r11 + mov %rdi, %r10 + mov $0, %rbx + jmp L187 +.balign 16 +L186: + movdqu %xmm11, %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 
48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + movdqu 0(%r11), %xmm2 + pxor %xmm0, %xmm2 + movdqu %xmm2, 0(%r10) + add $1, %rbx + add $16, %r11 + add $16, %r10 + paddd %xmm10, %xmm11 +.balign 16 +L187: + cmp %rdx, %rbx + jne L186 + add 96(%rsp), %r14 + imul $16, %r14 + mov 136(%rsp), %r13 + cmp %r14, %r13 + jbe L188 + mov 128(%rsp), %rax + mov %r13, %r10 + and $15, %r10 + movdqu 0(%rax), %xmm0 + movdqu %xmm0, %xmm10 + cmp $8, %r10 + jae L190 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L191 +L190: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L191: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + movdqu %xmm11, %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 
+ movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pxor %xmm0, %xmm10 + movdqu %xmm10, 0(%rax) + jmp L189 +L188: +L189: + mov %r15, %r11 + pxor %xmm0, %xmm0 + mov %r11, %rax + imul $8, %rax + pinsrq $1, %rax, %xmm0 + mov %r13, %rax + imul $8, %rax + pinsrq $0, %rax, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + movdqu 0(%rbp), %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pshufb %xmm9, %xmm8 + pxor %xmm0, %xmm8 + mov 152(%rsp), %r15 + 
movdqu 0(%r15), %xmm0 + pcmpeqd %xmm8, %xmm0 + pextrq $0, %xmm0, %rdx + sub $18446744073709551615, %rdx + mov $0, %rax + adc $0, %rax + pextrq $1, %xmm0, %rdx + sub $18446744073709551615, %rdx + mov $0, %rdx + adc $0, %rdx + add %rdx, %rax + mov %rax, %rcx + pop %rbx + pop %rbp + pop %rdi + pop %rsi + pop %r12 + pop %r13 + pop %r14 + pop %r15 + mov %rcx, %rax + ret + +.global gcm256_decrypt_opt +gcm256_decrypt_opt: + push %r15 + push %r14 + push %r13 + push %r12 + push %rsi + push %rdi + push %rbp + push %rbx + mov 144(%rsp), %rbp + mov %rcx, %r13 + lea 32(%r9), %r9 + mov 72(%rsp), %rbx + mov %rdx, %rcx + imul $16, %rcx + mov $579005069656919567, %r10 + pinsrq $0, %r10, %xmm9 + mov $283686952306183, %r10 + pinsrq $1, %r10, %xmm9 + pxor %xmm8, %xmm8 + mov %rdi, %r11 + jmp L193 +.balign 16 +L192: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, 
%xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L193: + cmp $6, %rdx + jae L192 + cmp $0, %rdx + jbe L194 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L196 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L197 +L196: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + 
vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L198 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L200 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L202 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L203 +L202: +L203: + jmp L201 +L200: +L201: + jmp L199 +L198: +L199: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L197: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + 
vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L195 +L194: +L195: + mov %rsi, %r15 + cmp %rcx, %rsi + jbe L204 + movdqu 0(%rbx), %xmm0 + mov %rsi, %r10 + and $15, %r10 + cmp $8, %r10 + jae L206 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L207 +L206: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L207: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L205 +L204: +L205: + mov 80(%rsp), %rdi + mov 88(%rsp), %rsi + mov 96(%rsp), %rdx + mov %r13, %rcx + movdqu %xmm9, %xmm0 + movdqu 0(%r8), %xmm1 + movdqu %xmm1, 0(%rbp) + pxor %xmm10, %xmm10 + mov $1, %r11 + pinsrq $0, %r11, %xmm10 + vpaddd %xmm10, %xmm1, %xmm1 + cmp $0, %rdx + jne L208 + vpshufb %xmm0, %xmm1, %xmm1 + movdqu %xmm1, 32(%rbp) + jmp L209 +L208: + movdqu %xmm8, 32(%rbp) + add $128, %rcx + pextrq $0, %xmm1, %rbx + and $255, %rbx + vpshufb %xmm0, %xmm1, %xmm1 + lea 96(%rdi), %r14 + movdqu 32(%rbp), 
%xmm8 + movdqu 80(%rdi), %xmm7 + movdqu 64(%rdi), %xmm4 + movdqu 48(%rdi), %xmm5 + movdqu 32(%rdi), %xmm6 + vpshufb %xmm0, %xmm7, %xmm7 + movdqu 16(%rdi), %xmm2 + vpshufb %xmm0, %xmm4, %xmm4 + movdqu 0(%rdi), %xmm3 + vpshufb %xmm0, %xmm5, %xmm5 + movdqu %xmm4, 48(%rbp) + vpshufb %xmm0, %xmm6, %xmm6 + movdqu %xmm5, 64(%rbp) + vpshufb %xmm0, %xmm2, %xmm2 + movdqu %xmm6, 80(%rbp) + vpshufb %xmm0, %xmm3, %xmm3 + movdqu %xmm2, 96(%rbp) + movdqu %xmm3, 112(%rbp) + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + vpxor %xmm4, %xmm4, %xmm4 + movdqu -128(%rcx), %xmm15 + vpaddd %xmm2, %xmm1, %xmm10 + vpaddd %xmm2, %xmm10, %xmm11 + vpaddd %xmm2, %xmm11, %xmm12 + vpaddd %xmm2, %xmm12, %xmm13 + vpaddd %xmm2, %xmm13, %xmm14 + vpxor %xmm15, %xmm1, %xmm9 + movdqu %xmm4, 16(%rbp) + cmp $6, %rdx + jne L210 + sub $96, %r14 + jmp L211 +L210: +L211: + jmp L213 +.balign 16 +L212: + add $6, %rbx + cmp $256, %rbx + jb L214 + mov $579005069656919567, %r11 + pinsrq $0, %r11, %xmm0 + mov $283686952306183, %r11 + pinsrq $1, %r11, %xmm0 + vpshufb %xmm0, %xmm1, %xmm6 + pxor %xmm5, %xmm5 + mov $1, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm10 + pxor %xmm5, %xmm5 + mov $2, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm11 + movdqu -32(%r9), %xmm3 + vpaddd %xmm5, %xmm10, %xmm12 + vpshufb %xmm0, %xmm10, %xmm10 + vpaddd %xmm5, %xmm11, %xmm13 + vpshufb %xmm0, %xmm11, %xmm11 + vpxor %xmm15, %xmm10, %xmm10 + vpaddd %xmm5, %xmm12, %xmm14 + vpshufb %xmm0, %xmm12, %xmm12 + vpxor %xmm15, %xmm11, %xmm11 + vpaddd %xmm5, %xmm13, %xmm1 + vpshufb %xmm0, %xmm13, %xmm13 + vpshufb %xmm0, %xmm14, %xmm14 + vpshufb %xmm0, %xmm1, %xmm1 + sub $256, %rbx + jmp L215 +L214: + movdqu -32(%r9), %xmm3 + vpaddd %xmm14, %xmm2, %xmm1 + vpxor %xmm15, %xmm10, %xmm10 + vpxor %xmm15, %xmm11, %xmm11 +L215: + movdqu %xmm1, 128(%rbp) + vpclmulqdq $16, %xmm3, %xmm7, %xmm5 + vpxor %xmm15, %xmm12, %xmm12 + movdqu -112(%rcx), %xmm2 + vpclmulqdq $1, %xmm3, %xmm7, %xmm6 + vaesenc %xmm2, 
%xmm9, %xmm9 + movdqu 48(%rbp), %xmm0 + vpxor %xmm15, %xmm13, %xmm13 + vpclmulqdq $0, %xmm3, %xmm7, %xmm1 + vaesenc %xmm2, %xmm10, %xmm10 + vpxor %xmm15, %xmm14, %xmm14 + vpclmulqdq $17, %xmm3, %xmm7, %xmm7 + vaesenc %xmm2, %xmm11, %xmm11 + movdqu -16(%r9), %xmm3 + vaesenc %xmm2, %xmm12, %xmm12 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $0, %xmm3, %xmm0, %xmm5 + vpxor %xmm4, %xmm8, %xmm8 + vaesenc %xmm2, %xmm13, %xmm13 + vpxor %xmm5, %xmm1, %xmm4 + vpclmulqdq $16, %xmm3, %xmm0, %xmm1 + vaesenc %xmm2, %xmm14, %xmm14 + movdqu -96(%rcx), %xmm15 + vpclmulqdq $1, %xmm3, %xmm0, %xmm2 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor 16(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm3, %xmm0, %xmm3 + movdqu 64(%rbp), %xmm0 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 88(%r14), %r13 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 80(%r14), %r12 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 32(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 40(%rbp) + movdqu 16(%r9), %xmm5 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -80(%rcx), %xmm15 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor %xmm3, %xmm7, %xmm7 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vaesenc %xmm15, %xmm11, %xmm11 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 80(%rbp), %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -64(%rcx), %xmm15 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $0, %xmm1, %xmm0, %xmm2 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $16, %xmm1, %xmm0, %xmm3 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 72(%r14), %r13 + vpxor %xmm5, %xmm7, %xmm7 + vpclmulqdq $1, %xmm1, %xmm0, %xmm5 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 64(%r14), %r12 + vpclmulqdq $17, %xmm1, %xmm0, %xmm1 + movdqu 96(%rbp), %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 
48(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 56(%rbp) + vpxor %xmm2, %xmm4, %xmm4 + movdqu 64(%r9), %xmm2 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -48(%rcx), %xmm15 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $0, %xmm2, %xmm0, %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm2, %xmm0, %xmm5 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 56(%r14), %r13 + vpxor %xmm1, %xmm7, %xmm7 + vpclmulqdq $1, %xmm2, %xmm0, %xmm1 + vpxor 112(%rbp), %xmm8, %xmm8 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 48(%r14), %r12 + vpclmulqdq $17, %xmm2, %xmm0, %xmm2 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 64(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 72(%rbp) + vpxor %xmm3, %xmm4, %xmm4 + movdqu 80(%r9), %xmm3 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -32(%rcx), %xmm15 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm3, %xmm8, %xmm5 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $1, %xmm3, %xmm8, %xmm1 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 40(%r14), %r13 + vpxor %xmm2, %xmm7, %xmm7 + vpclmulqdq $0, %xmm3, %xmm8, %xmm2 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 32(%r14), %r12 + vpclmulqdq $17, %xmm3, %xmm8, %xmm8 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 80(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 88(%rbp) + vpxor %xmm5, %xmm6, %xmm6 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor %xmm1, %xmm6, %xmm6 + movdqu -16(%rcx), %xmm15 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm2, %xmm4, %xmm4 + pxor %xmm3, %xmm3 + mov $13979173243358019584, %r11 + pinsrq $1, %r11, %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm8, %xmm7, %xmm7 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor %xmm5, %xmm4, %xmm4 + movbeq 24(%r14), %r13 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 16(%r14), %r12 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + movq %r13, 96(%rbp) + vaesenc %xmm15, %xmm12, %xmm12 + movq %r12, 104(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 0(%rcx), %xmm1 + vaesenc 
%xmm1, %xmm9, %xmm9 + movdqu 16(%rcx), %xmm15 + vaesenc %xmm1, %xmm10, %xmm10 + vpsrldq $8, %xmm6, %xmm6 + vaesenc %xmm1, %xmm11, %xmm11 + vpxor %xmm6, %xmm7, %xmm7 + vaesenc %xmm1, %xmm12, %xmm12 + vpxor %xmm0, %xmm4, %xmm4 + movbeq 8(%r14), %r13 + vaesenc %xmm1, %xmm13, %xmm13 + movbeq 0(%r14), %r12 + vaesenc %xmm1, %xmm14, %xmm14 + movdqu 32(%rcx), %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + vaesenc %xmm1, %xmm9, %xmm9 + vaesenc %xmm1, %xmm10, %xmm10 + vaesenc %xmm1, %xmm11, %xmm11 + vaesenc %xmm1, %xmm12, %xmm12 + vaesenc %xmm1, %xmm13, %xmm13 + movdqu 48(%rcx), %xmm15 + vaesenc %xmm1, %xmm14, %xmm14 + movdqu 64(%rcx), %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + vaesenc %xmm1, %xmm9, %xmm9 + vaesenc %xmm1, %xmm10, %xmm10 + vaesenc %xmm1, %xmm11, %xmm11 + vaesenc %xmm1, %xmm12, %xmm12 + vaesenc %xmm1, %xmm13, %xmm13 + movdqu 80(%rcx), %xmm15 + vaesenc %xmm1, %xmm14, %xmm14 + movdqu 96(%rcx), %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + movdqu %xmm7, 16(%rbp) + vpalignr $8, %xmm4, %xmm4, %xmm8 + vaesenc %xmm15, %xmm10, %xmm10 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor 0(%rdi), %xmm1, %xmm2 + vaesenc %xmm15, %xmm11, %xmm11 + vpxor 16(%rdi), %xmm1, %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + vpxor 32(%rdi), %xmm1, %xmm5 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor 48(%rdi), %xmm1, %xmm6 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor 64(%rdi), %xmm1, %xmm7 + vpxor 80(%rdi), %xmm1, %xmm3 + movdqu 128(%rbp), %xmm1 + vaesenclast %xmm2, %xmm9, %xmm9 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + vaesenclast %xmm0, %xmm10, %xmm10 + vpaddd %xmm2, %xmm1, %xmm0 + movq %r13, 112(%rbp) + lea 96(%rdi), %rdi + vaesenclast %xmm5, %xmm11, %xmm11 + 
vpaddd %xmm2, %xmm0, %xmm5 + movq %r12, 120(%rbp) + lea 96(%rsi), %rsi + movdqu -128(%rcx), %xmm15 + vaesenclast %xmm6, %xmm12, %xmm12 + vpaddd %xmm2, %xmm5, %xmm6 + vaesenclast %xmm7, %xmm13, %xmm13 + vpaddd %xmm2, %xmm6, %xmm7 + vaesenclast %xmm3, %xmm14, %xmm14 + vpaddd %xmm2, %xmm7, %xmm3 + sub $6, %rdx + cmp $6, %rdx + jbe L216 + add $96, %r14 + jmp L217 +L216: +L217: + cmp $0, %rdx + jbe L218 + movdqu %xmm9, -96(%rsi) + vpxor %xmm15, %xmm1, %xmm9 + movdqu %xmm10, -80(%rsi) + movdqu %xmm0, %xmm10 + movdqu %xmm11, -64(%rsi) + movdqu %xmm5, %xmm11 + movdqu %xmm12, -48(%rsi) + movdqu %xmm6, %xmm12 + movdqu %xmm13, -32(%rsi) + movdqu %xmm7, %xmm13 + movdqu %xmm14, -16(%rsi) + movdqu %xmm3, %xmm14 + movdqu 32(%rbp), %xmm7 + jmp L219 +L218: + vpxor 16(%rbp), %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 +L219: +.balign 16 +L213: + cmp $0, %rdx + ja L212 + movdqu %xmm1, 32(%rbp) + movdqu %xmm9, -96(%rsi) + movdqu %xmm10, -80(%rsi) + movdqu %xmm11, -64(%rsi) + movdqu %xmm12, -48(%rsi) + movdqu %xmm13, -32(%rsi) + movdqu %xmm14, -16(%rsi) + sub $128, %rcx +L209: + movdqu 32(%rbp), %xmm11 + mov %rcx, %r8 + mov 104(%rsp), %rax + mov 112(%rsp), %rdi + mov 120(%rsp), %rdx + mov %rdx, %r14 + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm9 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm9 + pshufb %xmm9, %xmm11 + mov %rdi, %rbx + mov %rdx, %r12 + mov %rax, %rdi + mov %rdi, %r11 + jmp L221 +.balign 16 +L220: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, 
%xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 
+ vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L221: + cmp $6, %rdx + jae L220 + cmp $0, %rdx + jbe L222 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L224 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L225 +L224: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L226 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L228 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L230 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 
+ vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L231 +L230: +L231: + jmp L229 +L228: +L229: + jmp L227 +L226: +L227: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L225: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L223 +L222: +L223: + mov %rbx, %rdi + mov %r12, %rdx + pxor %xmm10, %xmm10 + mov $1, %rbx + pinsrd $0, %ebx, %xmm10 + mov %rax, %r11 + mov %rdi, %r10 + mov $0, %rbx + jmp L233 +.balign 16 +L232: + movdqu %xmm11, %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 176(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 192(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 208(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 224(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + movdqu 0(%r11), %xmm2 + pxor %xmm0, %xmm2 + movdqu %xmm2, 0(%r10) + add $1, %rbx + add $16, %r11 + add $16, %r10 + paddd %xmm10, %xmm11 +.balign 16 +L233: + cmp %rdx, %rbx 
+ jne L232 + add 96(%rsp), %r14 + imul $16, %r14 + mov 136(%rsp), %r13 + cmp %r14, %r13 + jbe L234 + mov 128(%rsp), %rax + mov %r13, %r10 + and $15, %r10 + movdqu 0(%rax), %xmm0 + movdqu %xmm0, %xmm10 + cmp $8, %r10 + jae L236 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L237 +L236: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L237: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + movdqu %xmm11, %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 176(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 192(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 208(%r8), %xmm2 + aesenc %xmm2, %xmm0 + 
movdqu 224(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pxor %xmm0, %xmm10 + movdqu %xmm10, 0(%rax) + jmp L235 +L234: +L235: + mov %r15, %r11 + pxor %xmm0, %xmm0 + mov %r11, %rax + imul $8, %rax + pinsrq $1, %rax, %xmm0 + mov %r13, %rax + imul $8, %rax + pinsrq $0, %rax, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + movdqu 0(%rbp), %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 176(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 192(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 208(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 224(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pshufb %xmm9, %xmm8 + pxor %xmm0, %xmm8 + mov 152(%rsp), %r15 + movdqu 0(%r15), %xmm0 + pcmpeqd %xmm8, %xmm0 + pextrq $0, %xmm0, %rdx + sub $18446744073709551615, %rdx + mov $0, %rax + adc $0, %rax + pextrq $1, %xmm0, %rdx + sub $18446744073709551615, 
%rdx + mov $0, %rdx + adc $0, %rdx + add %rdx, %rax + mov %rax, %rcx + pop %rbx + pop %rbp + pop %rdi + pop %rsi + pop %r12 + pop %r13 + pop %r14 + pop %r15 + mov %rcx, %rax + ret + + diff --git a/vale/src/aesgcm-x86_64-mingw.S b/vale/src/aesgcm-x86_64-mingw.S new file mode 100644 index 00000000..b42c8a7b --- /dev/null +++ b/vale/src/aesgcm-x86_64-mingw.S 
@@ -0,0 +1,8705 @@ +.text +.global aes128_key_expansion +aes128_key_expansion: + movdqu 0(%rcx), %xmm1 + movdqu %xmm1, 0(%rdx) + aeskeygenassist $1, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 16(%rdx) + aeskeygenassist $2, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 32(%rdx) + aeskeygenassist $4, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 48(%rdx) + aeskeygenassist $8, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 64(%rdx) + aeskeygenassist $16, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 80(%rdx) + aeskeygenassist $32, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 96(%rdx) + aeskeygenassist $64, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 112(%rdx) + aeskeygenassist $128, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, 
%xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 128(%rdx) + aeskeygenassist $27, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 144(%rdx) + aeskeygenassist $54, %xmm1, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + vpslldq $4, %xmm1, %xmm3 + pxor %xmm3, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 160(%rdx) + pxor %xmm1, %xmm1 + pxor %xmm2, %xmm2 + pxor %xmm3, %xmm3 + ret + +.global aes128_keyhash_init +aes128_keyhash_init: + mov $579005069656919567, %r8 + pinsrq $0, %r8, %xmm4 + mov $283686952306183, %r8 + pinsrq $1, %r8, %xmm4 + pxor %xmm0, %xmm0 + movdqu %xmm0, 80(%rdx) + mov %rcx, %r8 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pshufb %xmm4, %xmm0 + mov %rdx, %rcx + movdqu %xmm0, 32(%rcx) + movdqu %xmm6, %xmm0 + mov %r12, %rax + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + 
pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 0(%rcx) + movdqu %xmm6, %xmm1 + movdqu %xmm6, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, 
%xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 + pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 16(%rcx) + movdqu %xmm6, %xmm2 + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu 
%xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 + pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 48(%rcx) + movdqu %xmm6, %xmm2 + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, 
%xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 
+ mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 + pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 64(%rcx) + movdqu %xmm6, %xmm2 + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + 
movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 + pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 96(%rcx) + movdqu %xmm6, %xmm2 + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd 
$14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 + pxor %xmm6, %xmm1 + 
movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 112(%rcx) + movdqu %xmm0, %xmm6 + mov %rax, %r12 + ret + +.global aes256_key_expansion +aes256_key_expansion: + movdqu 0(%rcx), %xmm1 + movdqu 16(%rcx), %xmm3 + movdqu %xmm1, 0(%rdx) + movdqu %xmm3, 16(%rdx) + aeskeygenassist $1, %xmm3, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 32(%rdx) + aeskeygenassist $0, %xmm1, %xmm2 + pshufd $170, %xmm2, %xmm2 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + pxor %xmm2, %xmm3 + movdqu %xmm3, 48(%rdx) + aeskeygenassist $2, %xmm3, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 64(%rdx) + aeskeygenassist $0, %xmm1, %xmm2 + pshufd $170, %xmm2, %xmm2 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + pxor %xmm2, %xmm3 + movdqu %xmm3, 80(%rdx) + aeskeygenassist $4, %xmm3, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 96(%rdx) + aeskeygenassist $0, %xmm1, %xmm2 + pshufd $170, %xmm2, 
%xmm2 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + pxor %xmm2, %xmm3 + movdqu %xmm3, 112(%rdx) + aeskeygenassist $8, %xmm3, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 128(%rdx) + aeskeygenassist $0, %xmm1, %xmm2 + pshufd $170, %xmm2, %xmm2 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + pxor %xmm2, %xmm3 + movdqu %xmm3, 144(%rdx) + aeskeygenassist $16, %xmm3, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 160(%rdx) + aeskeygenassist $0, %xmm1, %xmm2 + pshufd $170, %xmm2, %xmm2 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + pxor %xmm2, %xmm3 + movdqu %xmm3, 176(%rdx) + aeskeygenassist $32, %xmm3, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 192(%rdx) + aeskeygenassist $0, %xmm1, %xmm2 + pshufd $170, %xmm2, %xmm2 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + vpslldq $4, %xmm3, %xmm4 + pxor %xmm4, %xmm3 + pxor %xmm2, %xmm3 + movdqu %xmm3, 208(%rdx) + aeskeygenassist $64, %xmm3, %xmm2 + pshufd $255, %xmm2, %xmm2 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + vpslldq $4, %xmm1, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm2, %xmm1 + movdqu %xmm1, 224(%rdx) + pxor %xmm1, %xmm1 + pxor %xmm2, %xmm2 + pxor %xmm3, 
%xmm3 + pxor %xmm4, %xmm4 + ret + +.global aes256_keyhash_init +aes256_keyhash_init: + mov $579005069656919567, %r8 + pinsrq $0, %r8, %xmm4 + mov $283686952306183, %r8 + pinsrq $1, %r8, %xmm4 + pxor %xmm0, %xmm0 + movdqu %xmm0, 80(%rdx) + mov %rcx, %r8 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 176(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 192(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 208(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 224(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pshufb %xmm4, %xmm0 + mov %rdx, %rcx + movdqu %xmm0, 32(%rcx) + movdqu %xmm6, %xmm0 + mov %r12, %rax + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 0(%rcx) + movdqu %xmm6, %xmm1 + movdqu %xmm6, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, 
%xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 + pxor %xmm6, %xmm1 + movdqu %xmm1, 
%xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 16(%rcx) + movdqu %xmm6, %xmm2 + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu 
%xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 + pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 48(%rcx) + movdqu %xmm6, %xmm2 + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov 
$0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 + pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + 
movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 64(%rcx) + movdqu %xmm6, %xmm2 + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 
+ pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 + pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu %xmm1, 96(%rcx) + movdqu %xmm6, %xmm2 + movdqu 32(%rcx), %xmm1 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, 
%xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm6 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + movdqu %xmm1, %xmm5 + pclmulqdq $16, %xmm2, %xmm1 + movdqu %xmm1, %xmm3 + movdqu %xmm5, %xmm1 + pclmulqdq $1, %xmm2, %xmm1 + movdqu %xmm1, %xmm4 + movdqu %xmm5, %xmm1 + pclmulqdq $0, %xmm2, %xmm1 + pclmulqdq $17, %xmm2, %xmm5 + movdqu %xmm5, %xmm2 + movdqu %xmm1, %xmm5 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm4, %xmm1 + mov $0, %r12 + pinsrd $0, %r12d, %xmm1 + pshufd $14, %xmm1, %xmm1 + pxor %xmm1, %xmm2 + movdqu %xmm3, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm1 + pshufd $79, %xmm1, %xmm1 + mov $0, %r12 + pinsrd $3, %r12d, %xmm4 + pshufd $79, %xmm4, %xmm4 + pxor %xmm4, %xmm1 + pxor %xmm5, %xmm1 + movdqu %xmm1, %xmm3 + psrld $31, %xmm3 + movdqu %xmm2, %xmm4 + psrld $31, %xmm4 + pslld $1, %xmm1 + pslld $1, %xmm2 + vpslldq $4, %xmm3, %xmm5 + vpslldq $4, %xmm4, %xmm4 + mov $0, %r12 + pinsrd $0, %r12d, %xmm3 + pshufd $3, %xmm3, %xmm3 + pxor %xmm4, %xmm3 + pxor %xmm5, %xmm1 + pxor %xmm3, %xmm2 + movdqu %xmm2, %xmm5 + pxor %xmm2, %xmm2 + mov $3774873600, %r12 + pinsrd $3, %r12d, %xmm2 + pclmulqdq $17, %xmm2, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pxor %xmm5, %xmm1 + pxor %xmm6, %xmm1 + movdqu %xmm1, %xmm6 + movdqu %xmm1, %xmm3 + pxor %xmm4, %xmm4 + pxor %xmm5, %xmm5 + mov $3254779904, %r12 + pinsrd $3, %r12d, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + mov $2147483648, %r12 + pinsrd $3, %r12d, %xmm5 + movdqu %xmm3, %xmm1 + movdqu %xmm1, %xmm2 + psrld $31, %xmm2 + pslld $1, %xmm1 + vpslldq $4, %xmm2, %xmm2 + pxor %xmm2, %xmm1 + pand %xmm5, %xmm3 + pcmpeqd %xmm5, %xmm3 + pshufd $255, %xmm3, %xmm3 + pand %xmm4, %xmm3 + vpxor %xmm3, %xmm1, %xmm1 + movdqu 
%xmm1, 112(%rcx) + movdqu %xmm0, %xmm6 + mov %rax, %r12 + ret + +.global gctr128_bytes +gctr128_bytes: + push %r15 + push %r14 + push %r13 + push %r12 + push %rsi + push %rdi + push %rbp + push %rbx + pextrq $0, %xmm15, %rax + push %rax + pextrq $1, %xmm15, %rax + push %rax + pextrq $0, %xmm14, %rax + push %rax + pextrq $1, %xmm14, %rax + push %rax + pextrq $0, %xmm13, %rax + push %rax + pextrq $1, %xmm13, %rax + push %rax + pextrq $0, %xmm12, %rax + push %rax + pextrq $1, %xmm12, %rax + push %rax + pextrq $0, %xmm11, %rax + push %rax + pextrq $1, %xmm11, %rax + push %rax + pextrq $0, %xmm10, %rax + push %rax + pextrq $1, %xmm10, %rax + push %rax + pextrq $0, %xmm9, %rax + push %rax + pextrq $1, %xmm9, %rax + push %rax + pextrq $0, %xmm8, %rax + push %rax + pextrq $1, %xmm8, %rax + push %rax + pextrq $0, %xmm7, %rax + push %rax + pextrq $1, %xmm7, %rax + push %rax + pextrq $0, %xmm6, %rax + push %rax + pextrq $1, %xmm6, %rax + push %rax + mov 272(%rsp), %rax + movdqu 0(%rax), %xmm7 + mov %rcx, %rax + mov %r8, %rbx + mov %rdx, %rsi + mov %r9, %r13 + mov 264(%rsp), %r8 + mov 280(%rsp), %rcx + mov %rcx, %rbp + imul $16, %rbp + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm8 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm8 + mov %rcx, %rdx + shr $2, %rdx + and $3, %rcx + cmp $0, %rdx + jbe L0 + mov %rax, %r9 + mov %rbx, %r10 + pshufb %xmm8, %xmm7 + movdqu %xmm7, %xmm9 + mov $579005069656919567, %rax + pinsrq $0, %rax, %xmm0 + mov $579005069656919567, %rax + pinsrq $1, %rax, %xmm0 + pshufb %xmm0, %xmm9 + movdqu %xmm9, %xmm10 + pxor %xmm3, %xmm3 + mov $1, %rax + pinsrd $2, %eax, %xmm3 + paddd %xmm3, %xmm9 + mov $3, %rax + pinsrd $2, %eax, %xmm3 + mov $2, %rax + pinsrd $0, %eax, %xmm3 + paddd %xmm3, %xmm10 + pshufb %xmm8, %xmm9 + pshufb %xmm8, %xmm10 + pextrq $0, %xmm7, %rdi + mov $283686952306183, %rax + pinsrq $0, %rax, %xmm0 + mov $579005069656919567, %rax + pinsrq $1, %rax, %xmm0 + pxor %xmm15, %xmm15 + mov $4, %rax + pinsrd $0, %eax, %xmm15 + mov $4, %rax 
+ pinsrd $2, %eax, %xmm15 + jmp L3 +.balign 16 +L2: + pinsrq $0, %rdi, %xmm2 + pinsrq $0, %rdi, %xmm12 + pinsrq $0, %rdi, %xmm13 + pinsrq $0, %rdi, %xmm14 + shufpd $2, %xmm9, %xmm2 + shufpd $0, %xmm9, %xmm12 + shufpd $2, %xmm10, %xmm13 + shufpd $0, %xmm10, %xmm14 + pshufb %xmm0, %xmm9 + pshufb %xmm0, %xmm10 + movdqu 0(%r8), %xmm3 + movdqu 16(%r8), %xmm4 + movdqu 32(%r8), %xmm5 + movdqu 48(%r8), %xmm6 + paddd %xmm15, %xmm9 + paddd %xmm15, %xmm10 + pxor %xmm3, %xmm2 + pxor %xmm3, %xmm12 + pxor %xmm3, %xmm13 + pxor %xmm3, %xmm14 + pshufb %xmm0, %xmm9 + pshufb %xmm0, %xmm10 + aesenc %xmm4, %xmm2 + aesenc %xmm4, %xmm12 + aesenc %xmm4, %xmm13 + aesenc %xmm4, %xmm14 + aesenc %xmm5, %xmm2 + aesenc %xmm5, %xmm12 + aesenc %xmm5, %xmm13 + aesenc %xmm5, %xmm14 + aesenc %xmm6, %xmm2 + aesenc %xmm6, %xmm12 + aesenc %xmm6, %xmm13 + aesenc %xmm6, %xmm14 + movdqu 64(%r8), %xmm3 + movdqu 80(%r8), %xmm4 + movdqu 96(%r8), %xmm5 + movdqu 112(%r8), %xmm6 + aesenc %xmm3, %xmm2 + aesenc %xmm3, %xmm12 + aesenc %xmm3, %xmm13 + aesenc %xmm3, %xmm14 + aesenc %xmm4, %xmm2 + aesenc %xmm4, %xmm12 + aesenc %xmm4, %xmm13 + aesenc %xmm4, %xmm14 + aesenc %xmm5, %xmm2 + aesenc %xmm5, %xmm12 + aesenc %xmm5, %xmm13 + aesenc %xmm5, %xmm14 + aesenc %xmm6, %xmm2 + aesenc %xmm6, %xmm12 + aesenc %xmm6, %xmm13 + aesenc %xmm6, %xmm14 + movdqu 128(%r8), %xmm3 + movdqu 144(%r8), %xmm4 + movdqu 160(%r8), %xmm5 + aesenc %xmm3, %xmm2 + aesenc %xmm3, %xmm12 + aesenc %xmm3, %xmm13 + aesenc %xmm3, %xmm14 + aesenc %xmm4, %xmm2 + aesenc %xmm4, %xmm12 + aesenc %xmm4, %xmm13 + aesenc %xmm4, %xmm14 + aesenclast %xmm5, %xmm2 + aesenclast %xmm5, %xmm12 + aesenclast %xmm5, %xmm13 + aesenclast %xmm5, %xmm14 + movdqu 0(%r9), %xmm7 + pxor %xmm7, %xmm2 + movdqu 16(%r9), %xmm7 + pxor %xmm7, %xmm12 + movdqu 32(%r9), %xmm7 + pxor %xmm7, %xmm13 + movdqu 48(%r9), %xmm7 + pxor %xmm7, %xmm14 + movdqu %xmm2, 0(%r10) + movdqu %xmm12, 16(%r10) + movdqu %xmm13, 32(%r10) + movdqu %xmm14, 48(%r10) + sub $1, %rdx + add $64, %r9 + add $64, 
%r10 +.balign 16 +L3: + cmp $0, %rdx + ja L2 + movdqu %xmm9, %xmm7 + pinsrq $0, %rdi, %xmm7 + pshufb %xmm8, %xmm7 + mov %r9, %rax + mov %r10, %rbx + jmp L1 +L0: +L1: + mov $0, %rdx + mov %rax, %r9 + mov %rbx, %r10 + pxor %xmm4, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + jmp L5 +.balign 16 +L4: + movdqu %xmm7, %xmm0 + pshufb %xmm8, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + movdqu 0(%r9), %xmm2 + pxor %xmm0, %xmm2 + movdqu %xmm2, 0(%r10) + add $1, %rdx + add $16, %r9 + add $16, %r10 + paddd %xmm4, %xmm7 +.balign 16 +L5: + cmp %rcx, %rdx + jne L4 + cmp %rbp, %rsi + jbe L6 + movdqu 0(%r13), %xmm1 + movdqu %xmm7, %xmm0 + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm2 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm2 + pshufb %xmm2, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pxor %xmm0, %xmm1 + movdqu %xmm1, 0(%r13) + jmp L7 +L6: +L7: + pop %rax + pinsrq $1, %rax, %xmm6 + pop %rax + pinsrq $0, %rax, %xmm6 + pop %rax + pinsrq $1, %rax, %xmm7 + pop %rax + pinsrq $0, %rax, %xmm7 + 
pop %rax + pinsrq $1, %rax, %xmm8 + pop %rax + pinsrq $0, %rax, %xmm8 + pop %rax + pinsrq $1, %rax, %xmm9 + pop %rax + pinsrq $0, %rax, %xmm9 + pop %rax + pinsrq $1, %rax, %xmm10 + pop %rax + pinsrq $0, %rax, %xmm10 + pop %rax + pinsrq $1, %rax, %xmm11 + pop %rax + pinsrq $0, %rax, %xmm11 + pop %rax + pinsrq $1, %rax, %xmm12 + pop %rax + pinsrq $0, %rax, %xmm12 + pop %rax + pinsrq $1, %rax, %xmm13 + pop %rax + pinsrq $0, %rax, %xmm13 + pop %rax + pinsrq $1, %rax, %xmm14 + pop %rax + pinsrq $0, %rax, %xmm14 + pop %rax + pinsrq $1, %rax, %xmm15 + pop %rax + pinsrq $0, %rax, %xmm15 + pop %rbx + pop %rbp + pop %rdi + pop %rsi + pop %r12 + pop %r13 + pop %r14 + pop %r15 + ret + +.global gctr256_bytes +gctr256_bytes: + push %r15 + push %r14 + push %r13 + push %r12 + push %rsi + push %rdi + push %rbp + push %rbx + pextrq $0, %xmm15, %rax + push %rax + pextrq $1, %xmm15, %rax + push %rax + pextrq $0, %xmm14, %rax + push %rax + pextrq $1, %xmm14, %rax + push %rax + pextrq $0, %xmm13, %rax + push %rax + pextrq $1, %xmm13, %rax + push %rax + pextrq $0, %xmm12, %rax + push %rax + pextrq $1, %xmm12, %rax + push %rax + pextrq $0, %xmm11, %rax + push %rax + pextrq $1, %xmm11, %rax + push %rax + pextrq $0, %xmm10, %rax + push %rax + pextrq $1, %xmm10, %rax + push %rax + pextrq $0, %xmm9, %rax + push %rax + pextrq $1, %xmm9, %rax + push %rax + pextrq $0, %xmm8, %rax + push %rax + pextrq $1, %xmm8, %rax + push %rax + pextrq $0, %xmm7, %rax + push %rax + pextrq $1, %xmm7, %rax + push %rax + pextrq $0, %xmm6, %rax + push %rax + pextrq $1, %xmm6, %rax + push %rax + mov 272(%rsp), %rax + movdqu 0(%rax), %xmm7 + mov %rcx, %rax + mov %r8, %rbx + mov %rdx, %rsi + mov %r9, %r13 + mov 264(%rsp), %r8 + mov 280(%rsp), %rcx + mov %rcx, %rbp + imul $16, %rbp + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm8 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm8 + mov %rcx, %rdx + shr $2, %rdx + and $3, %rcx + cmp $0, %rdx + jbe L8 + mov %rax, %r9 + mov %rbx, %r10 + pshufb %xmm8, %xmm7 + 
movdqu %xmm7, %xmm9 + mov $579005069656919567, %rax + pinsrq $0, %rax, %xmm0 + mov $579005069656919567, %rax + pinsrq $1, %rax, %xmm0 + pshufb %xmm0, %xmm9 + movdqu %xmm9, %xmm10 + pxor %xmm3, %xmm3 + mov $1, %rax + pinsrd $2, %eax, %xmm3 + paddd %xmm3, %xmm9 + mov $3, %rax + pinsrd $2, %eax, %xmm3 + mov $2, %rax + pinsrd $0, %eax, %xmm3 + paddd %xmm3, %xmm10 + pshufb %xmm8, %xmm9 + pshufb %xmm8, %xmm10 + pextrq $0, %xmm7, %rdi + mov $283686952306183, %rax + pinsrq $0, %rax, %xmm0 + mov $579005069656919567, %rax + pinsrq $1, %rax, %xmm0 + pxor %xmm15, %xmm15 + mov $4, %rax + pinsrd $0, %eax, %xmm15 + mov $4, %rax + pinsrd $2, %eax, %xmm15 + jmp L11 +.balign 16 +L10: + pinsrq $0, %rdi, %xmm2 + pinsrq $0, %rdi, %xmm12 + pinsrq $0, %rdi, %xmm13 + pinsrq $0, %rdi, %xmm14 + shufpd $2, %xmm9, %xmm2 + shufpd $0, %xmm9, %xmm12 + shufpd $2, %xmm10, %xmm13 + shufpd $0, %xmm10, %xmm14 + pshufb %xmm0, %xmm9 + pshufb %xmm0, %xmm10 + movdqu 0(%r8), %xmm3 + movdqu 16(%r8), %xmm4 + movdqu 32(%r8), %xmm5 + movdqu 48(%r8), %xmm6 + paddd %xmm15, %xmm9 + paddd %xmm15, %xmm10 + pxor %xmm3, %xmm2 + pxor %xmm3, %xmm12 + pxor %xmm3, %xmm13 + pxor %xmm3, %xmm14 + pshufb %xmm0, %xmm9 + pshufb %xmm0, %xmm10 + aesenc %xmm4, %xmm2 + aesenc %xmm4, %xmm12 + aesenc %xmm4, %xmm13 + aesenc %xmm4, %xmm14 + aesenc %xmm5, %xmm2 + aesenc %xmm5, %xmm12 + aesenc %xmm5, %xmm13 + aesenc %xmm5, %xmm14 + aesenc %xmm6, %xmm2 + aesenc %xmm6, %xmm12 + aesenc %xmm6, %xmm13 + aesenc %xmm6, %xmm14 + movdqu 64(%r8), %xmm3 + movdqu 80(%r8), %xmm4 + movdqu 96(%r8), %xmm5 + movdqu 112(%r8), %xmm6 + aesenc %xmm3, %xmm2 + aesenc %xmm3, %xmm12 + aesenc %xmm3, %xmm13 + aesenc %xmm3, %xmm14 + aesenc %xmm4, %xmm2 + aesenc %xmm4, %xmm12 + aesenc %xmm4, %xmm13 + aesenc %xmm4, %xmm14 + aesenc %xmm5, %xmm2 + aesenc %xmm5, %xmm12 + aesenc %xmm5, %xmm13 + aesenc %xmm5, %xmm14 + aesenc %xmm6, %xmm2 + aesenc %xmm6, %xmm12 + aesenc %xmm6, %xmm13 + aesenc %xmm6, %xmm14 + movdqu 128(%r8), %xmm3 + movdqu 144(%r8), %xmm4 + movdqu 
160(%r8), %xmm5 + aesenc %xmm3, %xmm2 + aesenc %xmm3, %xmm12 + aesenc %xmm3, %xmm13 + aesenc %xmm3, %xmm14 + aesenc %xmm4, %xmm2 + aesenc %xmm4, %xmm12 + aesenc %xmm4, %xmm13 + aesenc %xmm4, %xmm14 + movdqu %xmm5, %xmm3 + movdqu 176(%r8), %xmm4 + movdqu 192(%r8), %xmm5 + movdqu 208(%r8), %xmm6 + aesenc %xmm3, %xmm2 + aesenc %xmm3, %xmm12 + aesenc %xmm3, %xmm13 + aesenc %xmm3, %xmm14 + aesenc %xmm4, %xmm2 + aesenc %xmm4, %xmm12 + aesenc %xmm4, %xmm13 + aesenc %xmm4, %xmm14 + aesenc %xmm5, %xmm2 + aesenc %xmm5, %xmm12 + aesenc %xmm5, %xmm13 + aesenc %xmm5, %xmm14 + aesenc %xmm6, %xmm2 + aesenc %xmm6, %xmm12 + aesenc %xmm6, %xmm13 + aesenc %xmm6, %xmm14 + movdqu 224(%r8), %xmm5 + aesenclast %xmm5, %xmm2 + aesenclast %xmm5, %xmm12 + aesenclast %xmm5, %xmm13 + aesenclast %xmm5, %xmm14 + movdqu 0(%r9), %xmm7 + pxor %xmm7, %xmm2 + movdqu 16(%r9), %xmm7 + pxor %xmm7, %xmm12 + movdqu 32(%r9), %xmm7 + pxor %xmm7, %xmm13 + movdqu 48(%r9), %xmm7 + pxor %xmm7, %xmm14 + movdqu %xmm2, 0(%r10) + movdqu %xmm12, 16(%r10) + movdqu %xmm13, 32(%r10) + movdqu %xmm14, 48(%r10) + sub $1, %rdx + add $64, %r9 + add $64, %r10 +.balign 16 +L11: + cmp $0, %rdx + ja L10 + movdqu %xmm9, %xmm7 + pinsrq $0, %rdi, %xmm7 + pshufb %xmm8, %xmm7 + mov %r9, %rax + mov %r10, %rbx + jmp L9 +L8: +L9: + mov $0, %rdx + mov %rax, %r9 + mov %rbx, %r10 + pxor %xmm4, %xmm4 + mov $1, %r12 + pinsrd $0, %r12d, %xmm4 + jmp L13 +.balign 16 +L12: + movdqu %xmm7, %xmm0 + pshufb %xmm8, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 176(%r8), %xmm2 + 
aesenc %xmm2, %xmm0 + movdqu 192(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 208(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 224(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + movdqu 0(%r9), %xmm2 + pxor %xmm0, %xmm2 + movdqu %xmm2, 0(%r10) + add $1, %rdx + add $16, %r9 + add $16, %r10 + paddd %xmm4, %xmm7 +.balign 16 +L13: + cmp %rcx, %rdx + jne L12 + cmp %rbp, %rsi + jbe L14 + movdqu 0(%r13), %xmm1 + movdqu %xmm7, %xmm0 + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm2 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm2 + pshufb %xmm2, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 176(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 192(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 208(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 224(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pxor %xmm0, %xmm1 + movdqu %xmm1, 0(%r13) + jmp L15 +L14: +L15: + pop %rax + pinsrq $1, %rax, %xmm6 + pop %rax + pinsrq $0, %rax, %xmm6 + pop %rax + pinsrq $1, %rax, %xmm7 + pop %rax + pinsrq $0, %rax, %xmm7 + pop %rax + pinsrq $1, %rax, %xmm8 + pop %rax + pinsrq $0, %rax, %xmm8 + pop %rax + pinsrq $1, %rax, %xmm9 + pop %rax + pinsrq $0, %rax, %xmm9 + pop %rax + pinsrq $1, %rax, %xmm10 + pop %rax + pinsrq $0, %rax, %xmm10 + pop %rax + pinsrq $1, %rax, %xmm11 + pop %rax + pinsrq $0, %rax, %xmm11 + pop %rax + pinsrq $1, %rax, %xmm12 + pop %rax + pinsrq $0, %rax, %xmm12 + pop %rax + pinsrq $1, %rax, %xmm13 + pop %rax + pinsrq $0, %rax, %xmm13 + pop %rax + pinsrq $1, %rax, %xmm14 + pop %rax + pinsrq $0, 
%rax, %xmm14 + pop %rax + pinsrq $1, %rax, %xmm15 + pop %rax + pinsrq $0, %rax, %xmm15 + pop %rbx + pop %rbp + pop %rdi + pop %rsi + pop %r12 + pop %r13 + pop %r14 + pop %r15 + ret + +.global compute_iv_stdcall +compute_iv_stdcall: + cmp $12, %rdx + jne L16 + push %rdi + push %rsi + mov %rcx, %rdi + mov %rdx, %rsi + mov %r8, %rdx + mov %r9, %rcx + mov 56(%rsp), %r8 + mov 64(%rsp), %r9 + cmp $12, %rsi + jne L18 + movdqu 0(%r8), %xmm0 + mov $579005069656919567, %rax + pinsrq $0, %rax, %xmm1 + mov $283686952306183, %rax + pinsrq $1, %rax, %xmm1 + pshufb %xmm1, %xmm0 + mov $1, %rax + pinsrd $0, %eax, %xmm0 + movdqu %xmm0, 0(%rcx) + jmp L19 +L18: + mov %rcx, %rax + add $32, %r9 + mov %r8, %rbx + mov %rdx, %rcx + imul $16, %rcx + mov $579005069656919567, %r10 + pinsrq $0, %r10, %xmm9 + mov $283686952306183, %r10 + pinsrq $1, %r10, %xmm9 + pxor %xmm8, %xmm8 + mov %rdi, %r11 + jmp L21 +.balign 16 +L20: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor 
%xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L21: + cmp $6, %rdx + jae L20 + cmp $0, %rdx + jbe L22 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L24 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 
+ movdqu %xmm5, %xmm7 + jmp L25 +L24: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L26 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L28 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L30 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L31 +L30: +L31: + jmp L29 +L28: +L29: + jmp L27 +L26: +L27: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L25: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, 
%xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L23 +L22: +L23: + mov %rsi, %r15 + cmp %rcx, %rsi + jbe L32 + movdqu 0(%rbx), %xmm0 + mov %rsi, %r10 + and $15, %r10 + cmp $8, %r10 + jae L34 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L35 +L34: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L35: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L33 +L32: +L33: + mov %rax, %rcx + mov $0, %r11 + mov %rsi, %r13 + pxor %xmm0, %xmm0 + mov %r11, %rax + imul $8, %rax + pinsrq $1, %rax, %xmm0 + mov %r13, %rax + imul $8, %rax + pinsrq $0, %rax, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, 
%xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + movdqu %xmm8, 0(%rcx) +L19: + pop %rsi + pop %rdi + jmp L17 +L16: + push %r15 + push %r14 + push %r13 + push %r12 + push %rsi + push %rdi + push %rbp + push %rbx + pextrq $0, %xmm15, %rax + push %rax + pextrq $1, %xmm15, %rax + push %rax + pextrq $0, %xmm14, %rax + push %rax + pextrq $1, %xmm14, %rax + push %rax + pextrq $0, %xmm13, %rax + push %rax + pextrq $1, %xmm13, %rax + push %rax + pextrq $0, %xmm12, %rax + push %rax + pextrq $1, %xmm12, %rax + push %rax + pextrq $0, %xmm11, %rax + push %rax + pextrq $1, %xmm11, %rax + push %rax + pextrq $0, %xmm10, %rax + push %rax + pextrq $1, %xmm10, %rax + push %rax + pextrq $0, %xmm9, %rax + push %rax + pextrq $1, %xmm9, %rax + push %rax + pextrq $0, %xmm8, %rax + push %rax + pextrq $1, %xmm8, %rax + push %rax + pextrq $0, %xmm7, %rax + push %rax + pextrq $1, %xmm7, %rax + push %rax + pextrq $0, %xmm6, %rax + push %rax + pextrq $1, %xmm6, %rax + push %rax + mov %rcx, %rdi + mov %rdx, %rsi + mov %r8, %rdx + mov %r9, %rcx + mov 264(%rsp), %r8 + mov 272(%rsp), %r9 + cmp $12, %rsi + jne L36 + movdqu 0(%r8), %xmm0 + mov $579005069656919567, %rax + pinsrq $0, %rax, %xmm1 + mov $283686952306183, %rax + pinsrq $1, %rax, %xmm1 + pshufb %xmm1, %xmm0 + mov $1, %rax + pinsrd $0, %eax, %xmm0 + movdqu %xmm0, 0(%rcx) + jmp L37 +L36: + mov %rcx, %rax + add $32, %r9 + mov %r8, %rbx + mov %rdx, %rcx + imul $16, %rcx + mov $579005069656919567, %r10 + pinsrq $0, %r10, %xmm9 + mov $283686952306183, %r10 + pinsrq $1, %r10, %xmm9 + pxor %xmm8, %xmm8 + mov %rdi, %r11 + jmp L39 +.balign 16 +L38: + add $80, 
%r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + 
vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L39: + cmp $6, %rdx + jae L38 + cmp $0, %rdx + jbe L40 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L42 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L43 +L42: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L44 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L46 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 
+ vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L48 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L49 +L48: +L49: + jmp L47 +L46: +L47: + jmp L45 +L44: +L45: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L43: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L41 +L40: +L41: + mov %rsi, %r15 + cmp %rcx, %rsi + jbe L50 + movdqu 0(%rbx), %xmm0 + mov %rsi, %r10 + and $15, %r10 + cmp $8, %r10 + jae L52 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L53 +L52: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L53: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + 
vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L51 +L50: +L51: + mov %rax, %rcx + mov $0, %r11 + mov %rsi, %r13 + pxor %xmm0, %xmm0 + mov %r11, %rax + imul $8, %rax + pinsrq $1, %rax, %xmm0 + mov %r13, %rax + imul $8, %rax + pinsrq $0, %rax, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + movdqu %xmm8, 0(%rcx) +L37: + pop %rax + pinsrq $1, %rax, %xmm6 + pop %rax + pinsrq $0, %rax, %xmm6 + pop %rax + pinsrq $1, %rax, %xmm7 + pop %rax + pinsrq $0, %rax, %xmm7 + pop %rax + pinsrq $1, %rax, %xmm8 + pop %rax + pinsrq $0, %rax, %xmm8 + pop %rax + pinsrq $1, %rax, %xmm9 + pop %rax + pinsrq $0, %rax, %xmm9 + pop %rax + pinsrq $1, %rax, %xmm10 + pop %rax + pinsrq $0, %rax, %xmm10 + pop %rax + pinsrq $1, %rax, %xmm11 + pop %rax + pinsrq $0, %rax, %xmm11 + pop %rax 
+ pinsrq $1, %rax, %xmm12 + pop %rax + pinsrq $0, %rax, %xmm12 + pop %rax + pinsrq $1, %rax, %xmm13 + pop %rax + pinsrq $0, %rax, %xmm13 + pop %rax + pinsrq $1, %rax, %xmm14 + pop %rax + pinsrq $0, %rax, %xmm14 + pop %rax + pinsrq $1, %rax, %xmm15 + pop %rax + pinsrq $0, %rax, %xmm15 + pop %rbx + pop %rbp + pop %rdi + pop %rsi + pop %r12 + pop %r13 + pop %r14 + pop %r15 +L17: + ret + +.global gcm128_encrypt_opt +gcm128_encrypt_opt: + push %r15 + push %r14 + push %r13 + push %r12 + push %rsi + push %rdi + push %rbp + push %rbx + pextrq $0, %xmm15, %rax + push %rax + pextrq $1, %xmm15, %rax + push %rax + pextrq $0, %xmm14, %rax + push %rax + pextrq $1, %xmm14, %rax + push %rax + pextrq $0, %xmm13, %rax + push %rax + pextrq $1, %xmm13, %rax + push %rax + pextrq $0, %xmm12, %rax + push %rax + pextrq $1, %xmm12, %rax + push %rax + pextrq $0, %xmm11, %rax + push %rax + pextrq $1, %xmm11, %rax + push %rax + pextrq $0, %xmm10, %rax + push %rax + pextrq $1, %xmm10, %rax + push %rax + pextrq $0, %xmm9, %rax + push %rax + pextrq $1, %xmm9, %rax + push %rax + pextrq $0, %xmm8, %rax + push %rax + pextrq $1, %xmm8, %rax + push %rax + pextrq $0, %xmm7, %rax + push %rax + pextrq $1, %xmm7, %rax + push %rax + pextrq $0, %xmm6, %rax + push %rax + pextrq $1, %xmm6, %rax + push %rax + mov %rcx, %rdi + mov %rdx, %rsi + mov %r8, %rdx + mov %r9, %rcx + mov 264(%rsp), %r8 + mov 272(%rsp), %r9 + mov 352(%rsp), %rbp + mov %rcx, %r13 + lea 32(%r9), %r9 + mov 280(%rsp), %rbx + mov %rdx, %rcx + imul $16, %rcx + mov $579005069656919567, %r10 + pinsrq $0, %r10, %xmm9 + mov $283686952306183, %r10 + pinsrq $1, %r10, %xmm9 + pxor %xmm8, %xmm8 + mov %rdi, %r11 + jmp L55 +.balign 16 +L54: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, 
%xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + 
vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L55: + cmp $6, %rdx + jae L54 + cmp $0, %rdx + jbe L56 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L58 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L59 +L58: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L60 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L62 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L64 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, 
%xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L65 +L64: +L65: + jmp L63 +L62: +L63: + jmp L61 +L60: +L61: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L59: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L57 +L56: +L57: + mov %rsi, %r15 + cmp %rcx, %rsi + jbe L66 + movdqu 0(%rbx), %xmm0 + mov %rsi, %r10 + and $15, %r10 + cmp $8, %r10 + jae L68 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L69 +L68: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L69: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, 
%xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L67 +L66: +L67: + mov 288(%rsp), %rdi + mov 296(%rsp), %rsi + mov 304(%rsp), %rdx + mov %r13, %rcx + movdqu %xmm9, %xmm0 + movdqu 0(%r8), %xmm1 + movdqu %xmm1, 0(%rbp) + pxor %xmm10, %xmm10 + mov $1, %r11 + pinsrq $0, %r11, %xmm10 + vpaddd %xmm10, %xmm1, %xmm1 + cmp $0, %rdx + jne L70 + vpshufb %xmm0, %xmm1, %xmm1 + movdqu %xmm1, 32(%rbp) + jmp L71 +L70: + movdqu %xmm8, 32(%rbp) + add $128, %rcx + pextrq $0, %xmm1, %rbx + and $255, %rbx + vpshufb %xmm0, %xmm1, %xmm1 + lea 96(%rsi), %r14 + movdqu -128(%rcx), %xmm4 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + movdqu -112(%rcx), %xmm15 + mov %rcx, %r12 + sub $96, %r12 + vpxor %xmm4, %xmm1, %xmm9 + add $6, %rbx + cmp $256, %rbx + jae L72 + vpaddd %xmm2, %xmm1, %xmm10 + vpaddd %xmm2, %xmm10, %xmm11 + vpxor %xmm4, %xmm10, %xmm10 + vpaddd %xmm2, %xmm11, %xmm12 + vpxor %xmm4, %xmm11, %xmm11 + vpaddd %xmm2, %xmm12, %xmm13 + vpxor %xmm4, %xmm12, %xmm12 + vpaddd %xmm2, %xmm13, %xmm14 + vpxor %xmm4, %xmm13, %xmm13 + vpaddd %xmm2, %xmm14, %xmm1 + vpxor %xmm4, %xmm14, %xmm14 + jmp L73 +L72: + sub $256, %rbx + vpshufb %xmm0, %xmm1, %xmm6 + pxor %xmm5, %xmm5 + mov $1, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm10 + pxor %xmm5, %xmm5 + mov $2, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm11 + vpaddd %xmm5, %xmm10, %xmm12 + vpshufb %xmm0, %xmm10, %xmm10 + vpaddd %xmm5, %xmm11, %xmm13 + vpshufb %xmm0, %xmm11, %xmm11 + vpxor %xmm4, %xmm10, %xmm10 + vpaddd %xmm5, %xmm12, %xmm14 + vpshufb %xmm0, %xmm12, %xmm12 + vpxor %xmm4, %xmm11, %xmm11 + vpaddd %xmm5, %xmm13, %xmm1 + vpshufb %xmm0, %xmm13, %xmm13 + vpxor %xmm4, %xmm12, %xmm12 + vpshufb %xmm0, %xmm14, 
%xmm14 + vpxor %xmm4, %xmm13, %xmm13 + vpshufb %xmm0, %xmm1, %xmm1 + vpxor %xmm4, %xmm14, %xmm14 +L73: + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -96(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -80(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -64(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -48(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -32(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -16(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 0(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 16(%rcx), %xmm15 + movdqu 32(%rcx), %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor 0(%rdi), %xmm3, %xmm4 + vaesenc %xmm15, %xmm10, 
%xmm10 + vpxor 16(%rdi), %xmm3, %xmm5 + vaesenc %xmm15, %xmm11, %xmm11 + vpxor 32(%rdi), %xmm3, %xmm6 + vaesenc %xmm15, %xmm12, %xmm12 + vpxor 48(%rdi), %xmm3, %xmm8 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor 64(%rdi), %xmm3, %xmm2 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor 80(%rdi), %xmm3, %xmm3 + lea 96(%rdi), %rdi + vaesenclast %xmm4, %xmm9, %xmm9 + vaesenclast %xmm5, %xmm10, %xmm10 + vaesenclast %xmm6, %xmm11, %xmm11 + vaesenclast %xmm8, %xmm12, %xmm12 + vaesenclast %xmm2, %xmm13, %xmm13 + vaesenclast %xmm3, %xmm14, %xmm14 + movdqu %xmm9, 0(%rsi) + movdqu %xmm10, 16(%rsi) + movdqu %xmm11, 32(%rsi) + movdqu %xmm12, 48(%rsi) + movdqu %xmm13, 64(%rsi) + movdqu %xmm14, 80(%rsi) + lea 96(%rsi), %rsi + vpshufb %xmm0, %xmm9, %xmm8 + vpshufb %xmm0, %xmm10, %xmm2 + movdqu %xmm8, 112(%rbp) + vpshufb %xmm0, %xmm11, %xmm4 + movdqu %xmm2, 96(%rbp) + vpshufb %xmm0, %xmm12, %xmm5 + movdqu %xmm4, 80(%rbp) + vpshufb %xmm0, %xmm13, %xmm6 + movdqu %xmm5, 64(%rbp) + vpshufb %xmm0, %xmm14, %xmm7 + movdqu %xmm6, 48(%rbp) + movdqu -128(%rcx), %xmm4 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + movdqu -112(%rcx), %xmm15 + mov %rcx, %r12 + sub $96, %r12 + vpxor %xmm4, %xmm1, %xmm9 + add $6, %rbx + cmp $256, %rbx + jae L74 + vpaddd %xmm2, %xmm1, %xmm10 + vpaddd %xmm2, %xmm10, %xmm11 + vpxor %xmm4, %xmm10, %xmm10 + vpaddd %xmm2, %xmm11, %xmm12 + vpxor %xmm4, %xmm11, %xmm11 + vpaddd %xmm2, %xmm12, %xmm13 + vpxor %xmm4, %xmm12, %xmm12 + vpaddd %xmm2, %xmm13, %xmm14 + vpxor %xmm4, %xmm13, %xmm13 + vpaddd %xmm2, %xmm14, %xmm1 + vpxor %xmm4, %xmm14, %xmm14 + jmp L75 +L74: + sub $256, %rbx + vpshufb %xmm0, %xmm1, %xmm6 + pxor %xmm5, %xmm5 + mov $1, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm10 + pxor %xmm5, %xmm5 + mov $2, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm11 + vpaddd %xmm5, %xmm10, %xmm12 + vpshufb %xmm0, %xmm10, %xmm10 + vpaddd %xmm5, %xmm11, %xmm13 + vpshufb %xmm0, %xmm11, %xmm11 + vpxor %xmm4, %xmm10, %xmm10 + vpaddd %xmm5, 
%xmm12, %xmm14 + vpshufb %xmm0, %xmm12, %xmm12 + vpxor %xmm4, %xmm11, %xmm11 + vpaddd %xmm5, %xmm13, %xmm1 + vpshufb %xmm0, %xmm13, %xmm13 + vpxor %xmm4, %xmm12, %xmm12 + vpshufb %xmm0, %xmm14, %xmm14 + vpxor %xmm4, %xmm13, %xmm13 + vpshufb %xmm0, %xmm1, %xmm1 + vpxor %xmm4, %xmm14, %xmm14 +L75: + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -96(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -80(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -64(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -48(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -32(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -16(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 0(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc 
%xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 16(%rcx), %xmm15 + movdqu 32(%rcx), %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor 0(%rdi), %xmm3, %xmm4 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor 16(%rdi), %xmm3, %xmm5 + vaesenc %xmm15, %xmm11, %xmm11 + vpxor 32(%rdi), %xmm3, %xmm6 + vaesenc %xmm15, %xmm12, %xmm12 + vpxor 48(%rdi), %xmm3, %xmm8 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor 64(%rdi), %xmm3, %xmm2 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor 80(%rdi), %xmm3, %xmm3 + lea 96(%rdi), %rdi + vaesenclast %xmm4, %xmm9, %xmm9 + vaesenclast %xmm5, %xmm10, %xmm10 + vaesenclast %xmm6, %xmm11, %xmm11 + vaesenclast %xmm8, %xmm12, %xmm12 + vaesenclast %xmm2, %xmm13, %xmm13 + vaesenclast %xmm3, %xmm14, %xmm14 + movdqu %xmm9, 0(%rsi) + movdqu %xmm10, 16(%rsi) + movdqu %xmm11, 32(%rsi) + movdqu %xmm12, 48(%rsi) + movdqu %xmm13, 64(%rsi) + movdqu %xmm14, 80(%rsi) + lea 96(%rsi), %rsi + sub $12, %rdx + movdqu 32(%rbp), %xmm8 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + vpxor %xmm4, %xmm4, %xmm4 + movdqu -128(%rcx), %xmm15 + vpaddd %xmm2, %xmm1, %xmm10 + vpaddd %xmm2, %xmm10, %xmm11 + vpaddd %xmm2, %xmm11, %xmm12 + vpaddd %xmm2, %xmm12, %xmm13 + vpaddd %xmm2, %xmm13, %xmm14 + vpxor %xmm15, %xmm1, %xmm9 + movdqu %xmm4, 16(%rbp) + jmp L77 +.balign 16 +L76: + add $6, %rbx + cmp $256, %rbx + jb L78 + mov $579005069656919567, %r11 + pinsrq $0, %r11, %xmm0 + mov $283686952306183, %r11 + pinsrq $1, %r11, %xmm0 + vpshufb %xmm0, %xmm1, %xmm6 + pxor %xmm5, %xmm5 + mov $1, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm10 + pxor %xmm5, %xmm5 + mov $2, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm11 + movdqu -32(%r9), %xmm3 + vpaddd %xmm5, %xmm10, %xmm12 + vpshufb %xmm0, %xmm10, %xmm10 + vpaddd %xmm5, %xmm11, %xmm13 + vpshufb %xmm0, %xmm11, %xmm11 + vpxor %xmm15, %xmm10, %xmm10 + vpaddd %xmm5, %xmm12, %xmm14 + vpshufb %xmm0, %xmm12, %xmm12 + vpxor %xmm15, %xmm11, %xmm11 + vpaddd %xmm5, %xmm13, %xmm1 + vpshufb %xmm0, %xmm13, 
%xmm13 + vpshufb %xmm0, %xmm14, %xmm14 + vpshufb %xmm0, %xmm1, %xmm1 + sub $256, %rbx + jmp L79 +L78: + movdqu -32(%r9), %xmm3 + vpaddd %xmm14, %xmm2, %xmm1 + vpxor %xmm15, %xmm10, %xmm10 + vpxor %xmm15, %xmm11, %xmm11 +L79: + movdqu %xmm1, 128(%rbp) + vpclmulqdq $16, %xmm3, %xmm7, %xmm5 + vpxor %xmm15, %xmm12, %xmm12 + movdqu -112(%rcx), %xmm2 + vpclmulqdq $1, %xmm3, %xmm7, %xmm6 + vaesenc %xmm2, %xmm9, %xmm9 + movdqu 48(%rbp), %xmm0 + vpxor %xmm15, %xmm13, %xmm13 + vpclmulqdq $0, %xmm3, %xmm7, %xmm1 + vaesenc %xmm2, %xmm10, %xmm10 + vpxor %xmm15, %xmm14, %xmm14 + vpclmulqdq $17, %xmm3, %xmm7, %xmm7 + vaesenc %xmm2, %xmm11, %xmm11 + movdqu -16(%r9), %xmm3 + vaesenc %xmm2, %xmm12, %xmm12 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $0, %xmm3, %xmm0, %xmm5 + vpxor %xmm4, %xmm8, %xmm8 + vaesenc %xmm2, %xmm13, %xmm13 + vpxor %xmm5, %xmm1, %xmm4 + vpclmulqdq $16, %xmm3, %xmm0, %xmm1 + vaesenc %xmm2, %xmm14, %xmm14 + movdqu -96(%rcx), %xmm15 + vpclmulqdq $1, %xmm3, %xmm0, %xmm2 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor 16(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm3, %xmm0, %xmm3 + movdqu 64(%rbp), %xmm0 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 88(%r14), %r13 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 80(%r14), %r12 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 32(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 40(%rbp) + movdqu 16(%r9), %xmm5 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -80(%rcx), %xmm15 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor %xmm3, %xmm7, %xmm7 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vaesenc %xmm15, %xmm11, %xmm11 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 80(%rbp), %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -64(%rcx), %xmm15 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $0, 
%xmm1, %xmm0, %xmm2 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $16, %xmm1, %xmm0, %xmm3 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 72(%r14), %r13 + vpxor %xmm5, %xmm7, %xmm7 + vpclmulqdq $1, %xmm1, %xmm0, %xmm5 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 64(%r14), %r12 + vpclmulqdq $17, %xmm1, %xmm0, %xmm1 + movdqu 96(%rbp), %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 48(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 56(%rbp) + vpxor %xmm2, %xmm4, %xmm4 + movdqu 64(%r9), %xmm2 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -48(%rcx), %xmm15 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $0, %xmm2, %xmm0, %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm2, %xmm0, %xmm5 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 56(%r14), %r13 + vpxor %xmm1, %xmm7, %xmm7 + vpclmulqdq $1, %xmm2, %xmm0, %xmm1 + vpxor 112(%rbp), %xmm8, %xmm8 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 48(%r14), %r12 + vpclmulqdq $17, %xmm2, %xmm0, %xmm2 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 64(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 72(%rbp) + vpxor %xmm3, %xmm4, %xmm4 + movdqu 80(%r9), %xmm3 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -32(%rcx), %xmm15 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm3, %xmm8, %xmm5 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $1, %xmm3, %xmm8, %xmm1 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 40(%r14), %r13 + vpxor %xmm2, %xmm7, %xmm7 + vpclmulqdq $0, %xmm3, %xmm8, %xmm2 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 32(%r14), %r12 + vpclmulqdq $17, %xmm3, %xmm8, %xmm8 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 80(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 88(%rbp) + vpxor %xmm5, %xmm6, %xmm6 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor %xmm1, %xmm6, %xmm6 + movdqu -16(%rcx), %xmm15 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm2, %xmm4, %xmm4 + pxor %xmm3, %xmm3 + mov $13979173243358019584, %r11 + pinsrq $1, %r11, %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm8, 
%xmm7, %xmm7 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor %xmm5, %xmm4, %xmm4 + movbeq 24(%r14), %r13 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 16(%r14), %r12 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + movq %r13, 96(%rbp) + vaesenc %xmm15, %xmm12, %xmm12 + movq %r12, 104(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 0(%rcx), %xmm1 + vaesenc %xmm1, %xmm9, %xmm9 + movdqu 16(%rcx), %xmm15 + vaesenc %xmm1, %xmm10, %xmm10 + vpsrldq $8, %xmm6, %xmm6 + vaesenc %xmm1, %xmm11, %xmm11 + vpxor %xmm6, %xmm7, %xmm7 + vaesenc %xmm1, %xmm12, %xmm12 + vpxor %xmm0, %xmm4, %xmm4 + movbeq 8(%r14), %r13 + vaesenc %xmm1, %xmm13, %xmm13 + movbeq 0(%r14), %r12 + vaesenc %xmm1, %xmm14, %xmm14 + movdqu 32(%rcx), %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + movdqu %xmm7, 16(%rbp) + vpalignr $8, %xmm4, %xmm4, %xmm8 + vaesenc %xmm15, %xmm10, %xmm10 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor 0(%rdi), %xmm1, %xmm2 + vaesenc %xmm15, %xmm11, %xmm11 + vpxor 16(%rdi), %xmm1, %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + vpxor 32(%rdi), %xmm1, %xmm5 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor 48(%rdi), %xmm1, %xmm6 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor 64(%rdi), %xmm1, %xmm7 + vpxor 80(%rdi), %xmm1, %xmm3 + movdqu 128(%rbp), %xmm1 + vaesenclast %xmm2, %xmm9, %xmm9 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + vaesenclast %xmm0, %xmm10, %xmm10 + vpaddd %xmm2, %xmm1, %xmm0 + movq %r13, 112(%rbp) + lea 96(%rdi), %rdi + vaesenclast %xmm5, %xmm11, %xmm11 + vpaddd %xmm2, %xmm0, %xmm5 + movq %r12, 120(%rbp) + lea 96(%rsi), %rsi + movdqu -128(%rcx), %xmm15 + vaesenclast %xmm6, %xmm12, %xmm12 + vpaddd %xmm2, %xmm5, %xmm6 + vaesenclast %xmm7, %xmm13, %xmm13 + vpaddd %xmm2, %xmm6, %xmm7 + vaesenclast %xmm3, %xmm14, %xmm14 + vpaddd %xmm2, %xmm7, %xmm3 + sub $6, %rdx + add $96, %r14 + cmp $0, %rdx + jbe L80 + movdqu %xmm9, -96(%rsi) + vpxor %xmm15, %xmm1, %xmm9 + movdqu %xmm10, -80(%rsi) + movdqu %xmm0, %xmm10 + movdqu %xmm11, 
-64(%rsi) + movdqu %xmm5, %xmm11 + movdqu %xmm12, -48(%rsi) + movdqu %xmm6, %xmm12 + movdqu %xmm13, -32(%rsi) + movdqu %xmm7, %xmm13 + movdqu %xmm14, -16(%rsi) + movdqu %xmm3, %xmm14 + movdqu 32(%rbp), %xmm7 + jmp L81 +L80: + vpxor 16(%rbp), %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 +L81: +.balign 16 +L77: + cmp $0, %rdx + ja L76 + movdqu 32(%rbp), %xmm7 + movdqu %xmm1, 32(%rbp) + pxor %xmm4, %xmm4 + movdqu %xmm4, 16(%rbp) + movdqu -32(%r9), %xmm3 + vpclmulqdq $0, %xmm3, %xmm7, %xmm1 + vpclmulqdq $16, %xmm3, %xmm7, %xmm5 + movdqu 48(%rbp), %xmm0 + vpclmulqdq $1, %xmm3, %xmm7, %xmm6 + vpclmulqdq $17, %xmm3, %xmm7, %xmm7 + movdqu -16(%r9), %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $0, %xmm3, %xmm0, %xmm5 + vpxor %xmm4, %xmm8, %xmm8 + vpxor %xmm5, %xmm1, %xmm4 + vpclmulqdq $16, %xmm3, %xmm0, %xmm1 + vpclmulqdq $1, %xmm3, %xmm0, %xmm2 + vpxor 16(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm3, %xmm0, %xmm3 + movdqu 64(%rbp), %xmm0 + movdqu 16(%r9), %xmm5 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpxor %xmm3, %xmm7, %xmm7 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 80(%rbp), %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $0, %xmm1, %xmm0, %xmm2 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $16, %xmm1, %xmm0, %xmm3 + vpxor %xmm5, %xmm7, %xmm7 + vpclmulqdq $1, %xmm1, %xmm0, %xmm5 + vpclmulqdq $17, %xmm1, %xmm0, %xmm1 + movdqu 96(%rbp), %xmm0 + vpxor %xmm2, %xmm4, %xmm4 + movdqu 64(%r9), %xmm2 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $0, %xmm2, %xmm0, %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm2, %xmm0, %xmm5 + vpxor %xmm1, %xmm7, %xmm7 + vpclmulqdq $1, %xmm2, %xmm0, %xmm1 + vpxor 112(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm2, %xmm0, %xmm2 + vpxor %xmm3, %xmm4, %xmm4 + movdqu 80(%r9), %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm3, %xmm8, %xmm5 + vpxor %xmm1, %xmm6, %xmm6 
+ vpclmulqdq $1, %xmm3, %xmm8, %xmm1 + vpxor %xmm2, %xmm7, %xmm7 + vpclmulqdq $0, %xmm3, %xmm8, %xmm2 + vpclmulqdq $17, %xmm3, %xmm8, %xmm8 + vpxor %xmm5, %xmm6, %xmm6 + vpxor %xmm1, %xmm6, %xmm6 + vpxor %xmm2, %xmm4, %xmm4 + pxor %xmm3, %xmm3 + mov $3254779904, %rax + pinsrd $3, %eax, %xmm3 + vpxor %xmm8, %xmm7, %xmm7 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm0 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm0 + movdqu %xmm9, -96(%rsi) + vpshufb %xmm0, %xmm9, %xmm9 + vpxor %xmm7, %xmm1, %xmm1 + movdqu %xmm10, -80(%rsi) + vpshufb %xmm0, %xmm10, %xmm10 + movdqu %xmm11, -64(%rsi) + vpshufb %xmm0, %xmm11, %xmm11 + movdqu %xmm12, -48(%rsi) + vpshufb %xmm0, %xmm12, %xmm12 + movdqu %xmm13, -32(%rsi) + vpshufb %xmm0, %xmm13, %xmm13 + movdqu %xmm14, -16(%rsi) + vpshufb %xmm0, %xmm14, %xmm14 + pxor %xmm4, %xmm4 + movdqu %xmm14, %xmm7 + movdqu %xmm4, 16(%rbp) + movdqu %xmm13, 48(%rbp) + movdqu %xmm12, 64(%rbp) + movdqu %xmm11, 80(%rbp) + movdqu %xmm10, 96(%rbp) + movdqu %xmm9, 112(%rbp) + movdqu -32(%r9), %xmm3 + vpclmulqdq $0, %xmm3, %xmm7, %xmm1 + vpclmulqdq $16, %xmm3, %xmm7, %xmm5 + movdqu 48(%rbp), %xmm0 + vpclmulqdq $1, %xmm3, %xmm7, %xmm6 + vpclmulqdq $17, %xmm3, %xmm7, %xmm7 + movdqu -16(%r9), %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $0, %xmm3, %xmm0, %xmm5 + vpxor %xmm4, %xmm8, %xmm8 + vpxor %xmm5, %xmm1, %xmm4 + vpclmulqdq $16, %xmm3, %xmm0, %xmm1 + vpclmulqdq $1, %xmm3, %xmm0, %xmm2 + vpxor 16(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm3, %xmm0, %xmm3 + movdqu 64(%rbp), %xmm0 + movdqu 16(%r9), %xmm5 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $16, 
%xmm5, %xmm0, %xmm2 + vpxor %xmm3, %xmm7, %xmm7 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 80(%rbp), %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $0, %xmm1, %xmm0, %xmm2 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $16, %xmm1, %xmm0, %xmm3 + vpxor %xmm5, %xmm7, %xmm7 + vpclmulqdq $1, %xmm1, %xmm0, %xmm5 + vpclmulqdq $17, %xmm1, %xmm0, %xmm1 + movdqu 96(%rbp), %xmm0 + vpxor %xmm2, %xmm4, %xmm4 + movdqu 64(%r9), %xmm2 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $0, %xmm2, %xmm0, %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm2, %xmm0, %xmm5 + vpxor %xmm1, %xmm7, %xmm7 + vpclmulqdq $1, %xmm2, %xmm0, %xmm1 + vpxor 112(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm2, %xmm0, %xmm2 + vpxor %xmm3, %xmm4, %xmm4 + movdqu 80(%r9), %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm3, %xmm8, %xmm5 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $1, %xmm3, %xmm8, %xmm1 + vpxor %xmm2, %xmm7, %xmm7 + vpclmulqdq $0, %xmm3, %xmm8, %xmm2 + vpclmulqdq $17, %xmm3, %xmm8, %xmm8 + vpxor %xmm5, %xmm6, %xmm6 + vpxor %xmm1, %xmm6, %xmm6 + vpxor %xmm2, %xmm4, %xmm4 + pxor %xmm3, %xmm3 + mov $3254779904, %rax + pinsrd $3, %eax, %xmm3 + vpxor %xmm8, %xmm7, %xmm7 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + sub $128, %rcx +L71: + movdqu 32(%rbp), %xmm11 + mov %rcx, %r8 + mov 312(%rsp), %rax + mov 320(%rsp), %rdi + mov 328(%rsp), %rdx + mov %rdx, %r14 + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm9 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm9 + pshufb %xmm9, %xmm11 + pxor %xmm10, %xmm10 + mov $1, %rbx + pinsrd $0, %ebx, %xmm10 + mov %rax, %r11 + mov %rdi, %r10 + mov $0, %rbx + jmp L83 +.balign 16 
+L82: + movdqu %xmm11, %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + movdqu 0(%r11), %xmm2 + pxor %xmm0, %xmm2 + movdqu %xmm2, 0(%r10) + add $1, %rbx + add $16, %r11 + add $16, %r10 + paddd %xmm10, %xmm11 +.balign 16 +L83: + cmp %rdx, %rbx + jne L82 + mov %rdi, %r11 + jmp L85 +.balign 16 +L84: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq 
$0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L85: + cmp $6, %rdx + jae L84 + cmp $0, %rdx + jbe L86 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L88 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L89 +L88: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + 
vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L90 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L92 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L94 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L95 +L94: +L95: + jmp L93 +L92: +L93: + jmp L91 +L90: +L91: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L89: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, 
%xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L87 +L86: +L87: + add 304(%rsp), %r14 + imul $16, %r14 + mov 344(%rsp), %r13 + cmp %r14, %r13 + jbe L96 + mov 336(%rsp), %rax + mov %r13, %r10 + and $15, %r10 + movdqu %xmm11, %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + movdqu 0(%rax), %xmm4 + pxor %xmm4, %xmm0 + movdqu %xmm0, 0(%rax) + cmp $8, %r10 + jae L98 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L99 +L98: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L99: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, 
%xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L97 +L96: +L97: + mov %r15, %r11 + pxor %xmm0, %xmm0 + mov %r11, %rax + imul $8, %rax + pinsrq $1, %rax, %xmm0 + mov %r13, %rax + imul $8, %rax + pinsrq $0, %rax, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + movdqu 0(%rbp), %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pshufb %xmm9, %xmm8 + pxor %xmm0, %xmm8 + mov 360(%rsp), %r15 + movdqu %xmm8, 0(%r15) + pop %rax + pinsrq $1, %rax, %xmm6 + pop %rax + pinsrq $0, %rax, %xmm6 + pop %rax + pinsrq $1, %rax, %xmm7 + pop %rax + pinsrq $0, %rax, %xmm7 + pop %rax + pinsrq $1, %rax, %xmm8 + pop %rax + pinsrq $0, %rax, %xmm8 + pop %rax + pinsrq $1, %rax, %xmm9 + pop %rax + pinsrq $0, %rax, %xmm9 + pop %rax + pinsrq $1, %rax, %xmm10 + pop 
%rax + pinsrq $0, %rax, %xmm10 + pop %rax + pinsrq $1, %rax, %xmm11 + pop %rax + pinsrq $0, %rax, %xmm11 + pop %rax + pinsrq $1, %rax, %xmm12 + pop %rax + pinsrq $0, %rax, %xmm12 + pop %rax + pinsrq $1, %rax, %xmm13 + pop %rax + pinsrq $0, %rax, %xmm13 + pop %rax + pinsrq $1, %rax, %xmm14 + pop %rax + pinsrq $0, %rax, %xmm14 + pop %rax + pinsrq $1, %rax, %xmm15 + pop %rax + pinsrq $0, %rax, %xmm15 + pop %rbx + pop %rbp + pop %rdi + pop %rsi + pop %r12 + pop %r13 + pop %r14 + pop %r15 + ret + +.global gcm256_encrypt_opt +gcm256_encrypt_opt: + push %r15 + push %r14 + push %r13 + push %r12 + push %rsi + push %rdi + push %rbp + push %rbx + pextrq $0, %xmm15, %rax + push %rax + pextrq $1, %xmm15, %rax + push %rax + pextrq $0, %xmm14, %rax + push %rax + pextrq $1, %xmm14, %rax + push %rax + pextrq $0, %xmm13, %rax + push %rax + pextrq $1, %xmm13, %rax + push %rax + pextrq $0, %xmm12, %rax + push %rax + pextrq $1, %xmm12, %rax + push %rax + pextrq $0, %xmm11, %rax + push %rax + pextrq $1, %xmm11, %rax + push %rax + pextrq $0, %xmm10, %rax + push %rax + pextrq $1, %xmm10, %rax + push %rax + pextrq $0, %xmm9, %rax + push %rax + pextrq $1, %xmm9, %rax + push %rax + pextrq $0, %xmm8, %rax + push %rax + pextrq $1, %xmm8, %rax + push %rax + pextrq $0, %xmm7, %rax + push %rax + pextrq $1, %xmm7, %rax + push %rax + pextrq $0, %xmm6, %rax + push %rax + pextrq $1, %xmm6, %rax + push %rax + mov %rcx, %rdi + mov %rdx, %rsi + mov %r8, %rdx + mov %r9, %rcx + mov 264(%rsp), %r8 + mov 272(%rsp), %r9 + mov 352(%rsp), %rbp + mov %rcx, %r13 + lea 32(%r9), %r9 + mov 280(%rsp), %rbx + mov %rdx, %rcx + imul $16, %rcx + mov $579005069656919567, %r10 + pinsrq $0, %r10, %xmm9 + mov $283686952306183, %r10 + pinsrq $1, %r10, %xmm9 + pxor %xmm8, %xmm8 + mov %rdi, %r11 + jmp L101 +.balign 16 +L100: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, 
%xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, 
%xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L101: + cmp $6, %rdx + jae L100 + cmp $0, %rdx + jbe L102 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L104 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L105 +L104: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L106 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L108 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 
+ vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L110 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L111 +L110: +L111: + jmp L109 +L108: +L109: + jmp L107 +L106: +L107: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L105: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L103 +L102: +L103: + mov %rsi, %r15 + cmp %rcx, %rsi + jbe L112 + movdqu 0(%rbx), %xmm0 + mov %rsi, %r10 + and $15, %r10 + cmp $8, %r10 + jae L114 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L115 +L114: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L115: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + 
vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L113 +L112: +L113: + mov 288(%rsp), %rdi + mov 296(%rsp), %rsi + mov 304(%rsp), %rdx + mov %r13, %rcx + movdqu %xmm9, %xmm0 + movdqu 0(%r8), %xmm1 + movdqu %xmm1, 0(%rbp) + pxor %xmm10, %xmm10 + mov $1, %r11 + pinsrq $0, %r11, %xmm10 + vpaddd %xmm10, %xmm1, %xmm1 + cmp $0, %rdx + jne L116 + vpshufb %xmm0, %xmm1, %xmm1 + movdqu %xmm1, 32(%rbp) + jmp L117 +L116: + movdqu %xmm8, 32(%rbp) + add $128, %rcx + pextrq $0, %xmm1, %rbx + and $255, %rbx + vpshufb %xmm0, %xmm1, %xmm1 + lea 96(%rsi), %r14 + movdqu -128(%rcx), %xmm4 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + movdqu -112(%rcx), %xmm15 + mov %rcx, %r12 + sub $96, %r12 + vpxor %xmm4, %xmm1, %xmm9 + add $6, %rbx + cmp $256, %rbx + jae L118 + vpaddd %xmm2, %xmm1, %xmm10 + vpaddd %xmm2, %xmm10, %xmm11 + vpxor %xmm4, %xmm10, %xmm10 + vpaddd %xmm2, %xmm11, %xmm12 + vpxor %xmm4, %xmm11, %xmm11 + vpaddd %xmm2, %xmm12, %xmm13 + vpxor %xmm4, %xmm12, %xmm12 + vpaddd %xmm2, %xmm13, %xmm14 + vpxor %xmm4, %xmm13, %xmm13 + vpaddd %xmm2, %xmm14, %xmm1 + vpxor %xmm4, %xmm14, %xmm14 + jmp L119 +L118: + sub $256, %rbx + vpshufb %xmm0, %xmm1, %xmm6 + pxor %xmm5, %xmm5 + mov $1, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm10 + pxor %xmm5, %xmm5 + mov $2, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm11 + vpaddd %xmm5, %xmm10, %xmm12 + vpshufb %xmm0, %xmm10, %xmm10 + vpaddd %xmm5, %xmm11, %xmm13 + vpshufb %xmm0, %xmm11, %xmm11 + vpxor %xmm4, %xmm10, %xmm10 + vpaddd %xmm5, %xmm12, %xmm14 + vpshufb %xmm0, %xmm12, %xmm12 + 
vpxor %xmm4, %xmm11, %xmm11 + vpaddd %xmm5, %xmm13, %xmm1 + vpshufb %xmm0, %xmm13, %xmm13 + vpxor %xmm4, %xmm12, %xmm12 + vpshufb %xmm0, %xmm14, %xmm14 + vpxor %xmm4, %xmm13, %xmm13 + vpshufb %xmm0, %xmm1, %xmm1 + vpxor %xmm4, %xmm14, %xmm14 +L119: + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -96(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -80(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -64(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -48(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -32(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -16(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 0(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, 
%xmm14 + movdqu 16(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 32(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 48(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 64(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 80(%rcx), %xmm15 + movdqu 96(%rcx), %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor 0(%rdi), %xmm3, %xmm4 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor 16(%rdi), %xmm3, %xmm5 + vaesenc %xmm15, %xmm11, %xmm11 + vpxor 32(%rdi), %xmm3, %xmm6 + vaesenc %xmm15, %xmm12, %xmm12 + vpxor 48(%rdi), %xmm3, %xmm8 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor 64(%rdi), %xmm3, %xmm2 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor 80(%rdi), %xmm3, %xmm3 + lea 96(%rdi), %rdi + vaesenclast %xmm4, %xmm9, %xmm9 + vaesenclast %xmm5, %xmm10, %xmm10 + vaesenclast %xmm6, %xmm11, %xmm11 + vaesenclast %xmm8, %xmm12, %xmm12 + vaesenclast %xmm2, %xmm13, %xmm13 + vaesenclast %xmm3, %xmm14, %xmm14 + movdqu %xmm9, 0(%rsi) + movdqu %xmm10, 16(%rsi) + movdqu %xmm11, 32(%rsi) + movdqu %xmm12, 48(%rsi) + movdqu %xmm13, 64(%rsi) + movdqu %xmm14, 80(%rsi) + lea 96(%rsi), %rsi + vpshufb %xmm0, %xmm9, %xmm8 + vpshufb %xmm0, %xmm10, %xmm2 + movdqu %xmm8, 112(%rbp) + vpshufb %xmm0, %xmm11, %xmm4 + movdqu %xmm2, 96(%rbp) + vpshufb %xmm0, %xmm12, %xmm5 + movdqu %xmm4, 80(%rbp) + vpshufb %xmm0, %xmm13, %xmm6 + movdqu %xmm5, 64(%rbp) + 
vpshufb %xmm0, %xmm14, %xmm7 + movdqu %xmm6, 48(%rbp) + movdqu -128(%rcx), %xmm4 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + movdqu -112(%rcx), %xmm15 + mov %rcx, %r12 + sub $96, %r12 + vpxor %xmm4, %xmm1, %xmm9 + add $6, %rbx + cmp $256, %rbx + jae L120 + vpaddd %xmm2, %xmm1, %xmm10 + vpaddd %xmm2, %xmm10, %xmm11 + vpxor %xmm4, %xmm10, %xmm10 + vpaddd %xmm2, %xmm11, %xmm12 + vpxor %xmm4, %xmm11, %xmm11 + vpaddd %xmm2, %xmm12, %xmm13 + vpxor %xmm4, %xmm12, %xmm12 + vpaddd %xmm2, %xmm13, %xmm14 + vpxor %xmm4, %xmm13, %xmm13 + vpaddd %xmm2, %xmm14, %xmm1 + vpxor %xmm4, %xmm14, %xmm14 + jmp L121 +L120: + sub $256, %rbx + vpshufb %xmm0, %xmm1, %xmm6 + pxor %xmm5, %xmm5 + mov $1, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm10 + pxor %xmm5, %xmm5 + mov $2, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm11 + vpaddd %xmm5, %xmm10, %xmm12 + vpshufb %xmm0, %xmm10, %xmm10 + vpaddd %xmm5, %xmm11, %xmm13 + vpshufb %xmm0, %xmm11, %xmm11 + vpxor %xmm4, %xmm10, %xmm10 + vpaddd %xmm5, %xmm12, %xmm14 + vpshufb %xmm0, %xmm12, %xmm12 + vpxor %xmm4, %xmm11, %xmm11 + vpaddd %xmm5, %xmm13, %xmm1 + vpshufb %xmm0, %xmm13, %xmm13 + vpxor %xmm4, %xmm12, %xmm12 + vpshufb %xmm0, %xmm14, %xmm14 + vpxor %xmm4, %xmm13, %xmm13 + vpshufb %xmm0, %xmm1, %xmm1 + vpxor %xmm4, %xmm14, %xmm14 +L121: + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -96(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -80(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -64(%rcx), 
%xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -48(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -32(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -16(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 0(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 16(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 32(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 48(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 64(%rcx), %xmm15 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 80(%rcx), 
%xmm15 + movdqu 96(%rcx), %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor 0(%rdi), %xmm3, %xmm4 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor 16(%rdi), %xmm3, %xmm5 + vaesenc %xmm15, %xmm11, %xmm11 + vpxor 32(%rdi), %xmm3, %xmm6 + vaesenc %xmm15, %xmm12, %xmm12 + vpxor 48(%rdi), %xmm3, %xmm8 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor 64(%rdi), %xmm3, %xmm2 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor 80(%rdi), %xmm3, %xmm3 + lea 96(%rdi), %rdi + vaesenclast %xmm4, %xmm9, %xmm9 + vaesenclast %xmm5, %xmm10, %xmm10 + vaesenclast %xmm6, %xmm11, %xmm11 + vaesenclast %xmm8, %xmm12, %xmm12 + vaesenclast %xmm2, %xmm13, %xmm13 + vaesenclast %xmm3, %xmm14, %xmm14 + movdqu %xmm9, 0(%rsi) + movdqu %xmm10, 16(%rsi) + movdqu %xmm11, 32(%rsi) + movdqu %xmm12, 48(%rsi) + movdqu %xmm13, 64(%rsi) + movdqu %xmm14, 80(%rsi) + lea 96(%rsi), %rsi + sub $12, %rdx + movdqu 32(%rbp), %xmm8 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + vpxor %xmm4, %xmm4, %xmm4 + movdqu -128(%rcx), %xmm15 + vpaddd %xmm2, %xmm1, %xmm10 + vpaddd %xmm2, %xmm10, %xmm11 + vpaddd %xmm2, %xmm11, %xmm12 + vpaddd %xmm2, %xmm12, %xmm13 + vpaddd %xmm2, %xmm13, %xmm14 + vpxor %xmm15, %xmm1, %xmm9 + movdqu %xmm4, 16(%rbp) + jmp L123 +.balign 16 +L122: + add $6, %rbx + cmp $256, %rbx + jb L124 + mov $579005069656919567, %r11 + pinsrq $0, %r11, %xmm0 + mov $283686952306183, %r11 + pinsrq $1, %r11, %xmm0 + vpshufb %xmm0, %xmm1, %xmm6 + pxor %xmm5, %xmm5 + mov $1, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm10 + pxor %xmm5, %xmm5 + mov $2, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm11 + movdqu -32(%r9), %xmm3 + vpaddd %xmm5, %xmm10, %xmm12 + vpshufb %xmm0, %xmm10, %xmm10 + vpaddd %xmm5, %xmm11, %xmm13 + vpshufb %xmm0, %xmm11, %xmm11 + vpxor %xmm15, %xmm10, %xmm10 + vpaddd %xmm5, %xmm12, %xmm14 + vpshufb %xmm0, %xmm12, %xmm12 + vpxor %xmm15, %xmm11, %xmm11 + vpaddd %xmm5, %xmm13, %xmm1 + vpshufb %xmm0, %xmm13, %xmm13 + vpshufb %xmm0, %xmm14, %xmm14 + vpshufb %xmm0, %xmm1, %xmm1 + 
sub $256, %rbx + jmp L125 +L124: + movdqu -32(%r9), %xmm3 + vpaddd %xmm14, %xmm2, %xmm1 + vpxor %xmm15, %xmm10, %xmm10 + vpxor %xmm15, %xmm11, %xmm11 +L125: + movdqu %xmm1, 128(%rbp) + vpclmulqdq $16, %xmm3, %xmm7, %xmm5 + vpxor %xmm15, %xmm12, %xmm12 + movdqu -112(%rcx), %xmm2 + vpclmulqdq $1, %xmm3, %xmm7, %xmm6 + vaesenc %xmm2, %xmm9, %xmm9 + movdqu 48(%rbp), %xmm0 + vpxor %xmm15, %xmm13, %xmm13 + vpclmulqdq $0, %xmm3, %xmm7, %xmm1 + vaesenc %xmm2, %xmm10, %xmm10 + vpxor %xmm15, %xmm14, %xmm14 + vpclmulqdq $17, %xmm3, %xmm7, %xmm7 + vaesenc %xmm2, %xmm11, %xmm11 + movdqu -16(%r9), %xmm3 + vaesenc %xmm2, %xmm12, %xmm12 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $0, %xmm3, %xmm0, %xmm5 + vpxor %xmm4, %xmm8, %xmm8 + vaesenc %xmm2, %xmm13, %xmm13 + vpxor %xmm5, %xmm1, %xmm4 + vpclmulqdq $16, %xmm3, %xmm0, %xmm1 + vaesenc %xmm2, %xmm14, %xmm14 + movdqu -96(%rcx), %xmm15 + vpclmulqdq $1, %xmm3, %xmm0, %xmm2 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor 16(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm3, %xmm0, %xmm3 + movdqu 64(%rbp), %xmm0 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 88(%r14), %r13 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 80(%r14), %r12 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 32(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 40(%rbp) + movdqu 16(%r9), %xmm5 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -80(%rcx), %xmm15 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor %xmm3, %xmm7, %xmm7 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vaesenc %xmm15, %xmm11, %xmm11 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 80(%rbp), %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -64(%rcx), %xmm15 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $0, %xmm1, %xmm0, %xmm2 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm3, 
%xmm6, %xmm6 + vpclmulqdq $16, %xmm1, %xmm0, %xmm3 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 72(%r14), %r13 + vpxor %xmm5, %xmm7, %xmm7 + vpclmulqdq $1, %xmm1, %xmm0, %xmm5 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 64(%r14), %r12 + vpclmulqdq $17, %xmm1, %xmm0, %xmm1 + movdqu 96(%rbp), %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 48(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 56(%rbp) + vpxor %xmm2, %xmm4, %xmm4 + movdqu 64(%r9), %xmm2 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -48(%rcx), %xmm15 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $0, %xmm2, %xmm0, %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm2, %xmm0, %xmm5 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 56(%r14), %r13 + vpxor %xmm1, %xmm7, %xmm7 + vpclmulqdq $1, %xmm2, %xmm0, %xmm1 + vpxor 112(%rbp), %xmm8, %xmm8 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 48(%r14), %r12 + vpclmulqdq $17, %xmm2, %xmm0, %xmm2 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 64(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 72(%rbp) + vpxor %xmm3, %xmm4, %xmm4 + movdqu 80(%r9), %xmm3 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -32(%rcx), %xmm15 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm3, %xmm8, %xmm5 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $1, %xmm3, %xmm8, %xmm1 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 40(%r14), %r13 + vpxor %xmm2, %xmm7, %xmm7 + vpclmulqdq $0, %xmm3, %xmm8, %xmm2 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 32(%r14), %r12 + vpclmulqdq $17, %xmm3, %xmm8, %xmm8 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 80(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 88(%rbp) + vpxor %xmm5, %xmm6, %xmm6 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor %xmm1, %xmm6, %xmm6 + movdqu -16(%rcx), %xmm15 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm2, %xmm4, %xmm4 + pxor %xmm3, %xmm3 + mov $13979173243358019584, %r11 + pinsrq $1, %r11, %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm8, %xmm7, %xmm7 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor %xmm5, 
%xmm4, %xmm4 + movbeq 24(%r14), %r13 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 16(%r14), %r12 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + movq %r13, 96(%rbp) + vaesenc %xmm15, %xmm12, %xmm12 + movq %r12, 104(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 0(%rcx), %xmm1 + vaesenc %xmm1, %xmm9, %xmm9 + movdqu 16(%rcx), %xmm15 + vaesenc %xmm1, %xmm10, %xmm10 + vpsrldq $8, %xmm6, %xmm6 + vaesenc %xmm1, %xmm11, %xmm11 + vpxor %xmm6, %xmm7, %xmm7 + vaesenc %xmm1, %xmm12, %xmm12 + vpxor %xmm0, %xmm4, %xmm4 + movbeq 8(%r14), %r13 + vaesenc %xmm1, %xmm13, %xmm13 + movbeq 0(%r14), %r12 + vaesenc %xmm1, %xmm14, %xmm14 + movdqu 32(%rcx), %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + vaesenc %xmm1, %xmm9, %xmm9 + vaesenc %xmm1, %xmm10, %xmm10 + vaesenc %xmm1, %xmm11, %xmm11 + vaesenc %xmm1, %xmm12, %xmm12 + vaesenc %xmm1, %xmm13, %xmm13 + movdqu 48(%rcx), %xmm15 + vaesenc %xmm1, %xmm14, %xmm14 + movdqu 64(%rcx), %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + vaesenc %xmm1, %xmm9, %xmm9 + vaesenc %xmm1, %xmm10, %xmm10 + vaesenc %xmm1, %xmm11, %xmm11 + vaesenc %xmm1, %xmm12, %xmm12 + vaesenc %xmm1, %xmm13, %xmm13 + movdqu 80(%rcx), %xmm15 + vaesenc %xmm1, %xmm14, %xmm14 + movdqu 96(%rcx), %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + movdqu %xmm7, 16(%rbp) + vpalignr $8, %xmm4, %xmm4, %xmm8 + vaesenc %xmm15, %xmm10, %xmm10 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor 0(%rdi), %xmm1, %xmm2 + vaesenc %xmm15, %xmm11, %xmm11 + vpxor 16(%rdi), %xmm1, %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + vpxor 32(%rdi), %xmm1, %xmm5 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor 48(%rdi), %xmm1, %xmm6 + vaesenc %xmm15, %xmm14, %xmm14 + 
vpxor 64(%rdi), %xmm1, %xmm7 + vpxor 80(%rdi), %xmm1, %xmm3 + movdqu 128(%rbp), %xmm1 + vaesenclast %xmm2, %xmm9, %xmm9 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + vaesenclast %xmm0, %xmm10, %xmm10 + vpaddd %xmm2, %xmm1, %xmm0 + movq %r13, 112(%rbp) + lea 96(%rdi), %rdi + vaesenclast %xmm5, %xmm11, %xmm11 + vpaddd %xmm2, %xmm0, %xmm5 + movq %r12, 120(%rbp) + lea 96(%rsi), %rsi + movdqu -128(%rcx), %xmm15 + vaesenclast %xmm6, %xmm12, %xmm12 + vpaddd %xmm2, %xmm5, %xmm6 + vaesenclast %xmm7, %xmm13, %xmm13 + vpaddd %xmm2, %xmm6, %xmm7 + vaesenclast %xmm3, %xmm14, %xmm14 + vpaddd %xmm2, %xmm7, %xmm3 + sub $6, %rdx + add $96, %r14 + cmp $0, %rdx + jbe L126 + movdqu %xmm9, -96(%rsi) + vpxor %xmm15, %xmm1, %xmm9 + movdqu %xmm10, -80(%rsi) + movdqu %xmm0, %xmm10 + movdqu %xmm11, -64(%rsi) + movdqu %xmm5, %xmm11 + movdqu %xmm12, -48(%rsi) + movdqu %xmm6, %xmm12 + movdqu %xmm13, -32(%rsi) + movdqu %xmm7, %xmm13 + movdqu %xmm14, -16(%rsi) + movdqu %xmm3, %xmm14 + movdqu 32(%rbp), %xmm7 + jmp L127 +L126: + vpxor 16(%rbp), %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 +L127: +.balign 16 +L123: + cmp $0, %rdx + ja L122 + movdqu 32(%rbp), %xmm7 + movdqu %xmm1, 32(%rbp) + pxor %xmm4, %xmm4 + movdqu %xmm4, 16(%rbp) + movdqu -32(%r9), %xmm3 + vpclmulqdq $0, %xmm3, %xmm7, %xmm1 + vpclmulqdq $16, %xmm3, %xmm7, %xmm5 + movdqu 48(%rbp), %xmm0 + vpclmulqdq $1, %xmm3, %xmm7, %xmm6 + vpclmulqdq $17, %xmm3, %xmm7, %xmm7 + movdqu -16(%r9), %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $0, %xmm3, %xmm0, %xmm5 + vpxor %xmm4, %xmm8, %xmm8 + vpxor %xmm5, %xmm1, %xmm4 + vpclmulqdq $16, %xmm3, %xmm0, %xmm1 + vpclmulqdq $1, %xmm3, %xmm0, %xmm2 + vpxor 16(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm3, %xmm0, %xmm3 + movdqu 64(%rbp), %xmm0 + movdqu 16(%r9), %xmm5 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpxor %xmm3, %xmm7, %xmm7 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, 
%xmm5, %xmm0, %xmm5 + movdqu 80(%rbp), %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $0, %xmm1, %xmm0, %xmm2 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $16, %xmm1, %xmm0, %xmm3 + vpxor %xmm5, %xmm7, %xmm7 + vpclmulqdq $1, %xmm1, %xmm0, %xmm5 + vpclmulqdq $17, %xmm1, %xmm0, %xmm1 + movdqu 96(%rbp), %xmm0 + vpxor %xmm2, %xmm4, %xmm4 + movdqu 64(%r9), %xmm2 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $0, %xmm2, %xmm0, %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm2, %xmm0, %xmm5 + vpxor %xmm1, %xmm7, %xmm7 + vpclmulqdq $1, %xmm2, %xmm0, %xmm1 + vpxor 112(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm2, %xmm0, %xmm2 + vpxor %xmm3, %xmm4, %xmm4 + movdqu 80(%r9), %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm3, %xmm8, %xmm5 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $1, %xmm3, %xmm8, %xmm1 + vpxor %xmm2, %xmm7, %xmm7 + vpclmulqdq $0, %xmm3, %xmm8, %xmm2 + vpclmulqdq $17, %xmm3, %xmm8, %xmm8 + vpxor %xmm5, %xmm6, %xmm6 + vpxor %xmm1, %xmm6, %xmm6 + vpxor %xmm2, %xmm4, %xmm4 + pxor %xmm3, %xmm3 + mov $3254779904, %rax + pinsrd $3, %eax, %xmm3 + vpxor %xmm8, %xmm7, %xmm7 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm0 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm0 + movdqu %xmm9, -96(%rsi) + vpshufb %xmm0, %xmm9, %xmm9 + vpxor %xmm7, %xmm1, %xmm1 + movdqu %xmm10, -80(%rsi) + vpshufb %xmm0, %xmm10, %xmm10 + movdqu %xmm11, -64(%rsi) + vpshufb %xmm0, %xmm11, %xmm11 + movdqu %xmm12, -48(%rsi) + vpshufb %xmm0, %xmm12, %xmm12 + movdqu %xmm13, -32(%rsi) + vpshufb %xmm0, %xmm13, %xmm13 + movdqu %xmm14, -16(%rsi) + vpshufb %xmm0, %xmm14, %xmm14 + pxor %xmm4, %xmm4 + movdqu 
%xmm14, %xmm7 + movdqu %xmm4, 16(%rbp) + movdqu %xmm13, 48(%rbp) + movdqu %xmm12, 64(%rbp) + movdqu %xmm11, 80(%rbp) + movdqu %xmm10, 96(%rbp) + movdqu %xmm9, 112(%rbp) + movdqu -32(%r9), %xmm3 + vpclmulqdq $0, %xmm3, %xmm7, %xmm1 + vpclmulqdq $16, %xmm3, %xmm7, %xmm5 + movdqu 48(%rbp), %xmm0 + vpclmulqdq $1, %xmm3, %xmm7, %xmm6 + vpclmulqdq $17, %xmm3, %xmm7, %xmm7 + movdqu -16(%r9), %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $0, %xmm3, %xmm0, %xmm5 + vpxor %xmm4, %xmm8, %xmm8 + vpxor %xmm5, %xmm1, %xmm4 + vpclmulqdq $16, %xmm3, %xmm0, %xmm1 + vpclmulqdq $1, %xmm3, %xmm0, %xmm2 + vpxor 16(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm3, %xmm0, %xmm3 + movdqu 64(%rbp), %xmm0 + movdqu 16(%r9), %xmm5 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpxor %xmm3, %xmm7, %xmm7 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 80(%rbp), %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $0, %xmm1, %xmm0, %xmm2 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $16, %xmm1, %xmm0, %xmm3 + vpxor %xmm5, %xmm7, %xmm7 + vpclmulqdq $1, %xmm1, %xmm0, %xmm5 + vpclmulqdq $17, %xmm1, %xmm0, %xmm1 + movdqu 96(%rbp), %xmm0 + vpxor %xmm2, %xmm4, %xmm4 + movdqu 64(%r9), %xmm2 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $0, %xmm2, %xmm0, %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm2, %xmm0, %xmm5 + vpxor %xmm1, %xmm7, %xmm7 + vpclmulqdq $1, %xmm2, %xmm0, %xmm1 + vpxor 112(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm2, %xmm0, %xmm2 + vpxor %xmm3, %xmm4, %xmm4 + movdqu 80(%r9), %xmm3 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm3, %xmm8, %xmm5 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $1, %xmm3, %xmm8, %xmm1 + vpxor %xmm2, %xmm7, %xmm7 + vpclmulqdq $0, %xmm3, %xmm8, %xmm2 + vpclmulqdq $17, %xmm3, %xmm8, %xmm8 + vpxor %xmm5, %xmm6, %xmm6 + vpxor %xmm1, %xmm6, %xmm6 + vpxor %xmm2, %xmm4, %xmm4 + pxor %xmm3, %xmm3 + mov 
$3254779904, %rax + pinsrd $3, %eax, %xmm3 + vpxor %xmm8, %xmm7, %xmm7 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + sub $128, %rcx +L117: + movdqu 32(%rbp), %xmm11 + mov %rcx, %r8 + mov 312(%rsp), %rax + mov 320(%rsp), %rdi + mov 328(%rsp), %rdx + mov %rdx, %r14 + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm9 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm9 + pshufb %xmm9, %xmm11 + pxor %xmm10, %xmm10 + mov $1, %rbx + pinsrd $0, %ebx, %xmm10 + mov %rax, %r11 + mov %rdi, %r10 + mov $0, %rbx + jmp L129 +.balign 16 +L128: + movdqu %xmm11, %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 176(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 192(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 208(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 224(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + movdqu 0(%r11), %xmm2 + pxor %xmm0, %xmm2 + movdqu %xmm2, 0(%r10) + add $1, %rbx + add $16, %r11 + add $16, %r10 + paddd %xmm10, %xmm11 +.balign 16 +L129: + cmp %rdx, %rbx + jne L128 + mov %rdi, %r11 + jmp L131 +.balign 16 +L130: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, 
%xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + 
vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L131: + cmp $6, %rdx + jae L130 + cmp $0, %rdx + jbe L132 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L134 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L135 +L134: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L136 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L138 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, 
%xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L140 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L141 +L140: +L141: + jmp L139 +L138: +L139: + jmp L137 +L136: +L137: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L135: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L133 +L132: +L133: + add 304(%rsp), %r14 + imul $16, %r14 + mov 344(%rsp), %r13 + cmp %r14, %r13 + jbe L142 + mov 336(%rsp), %rax + mov %r13, %r10 + and $15, %r10 + movdqu %xmm11, %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 
176(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 192(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 208(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 224(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + movdqu 0(%rax), %xmm4 + pxor %xmm4, %xmm0 + movdqu %xmm0, 0(%rax) + cmp $8, %r10 + jae L144 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L145 +L144: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L145: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L143 +L142: +L143: + mov %r15, %r11 + pxor %xmm0, %xmm0 + mov %r11, %rax + imul $8, %rax + pinsrq $1, %rax, %xmm0 + mov %r13, %rax + imul $8, %rax + pinsrq $0, %rax, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq 
$16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + movdqu 0(%rbp), %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 176(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 192(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 208(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 224(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pshufb %xmm9, %xmm8 + pxor %xmm0, %xmm8 + mov 360(%rsp), %r15 + movdqu %xmm8, 0(%r15) + pop %rax + pinsrq $1, %rax, %xmm6 + pop %rax + pinsrq $0, %rax, %xmm6 + pop %rax + pinsrq $1, %rax, %xmm7 + pop %rax + pinsrq $0, %rax, %xmm7 + pop %rax + pinsrq $1, %rax, %xmm8 + pop %rax + pinsrq $0, %rax, %xmm8 + pop %rax + pinsrq $1, %rax, %xmm9 + pop %rax + pinsrq $0, %rax, %xmm9 + pop %rax + pinsrq $1, %rax, %xmm10 + pop %rax + pinsrq $0, %rax, %xmm10 + pop %rax + pinsrq $1, %rax, %xmm11 + pop %rax + pinsrq $0, %rax, %xmm11 + pop %rax + pinsrq $1, %rax, %xmm12 + pop %rax + pinsrq $0, %rax, %xmm12 + pop %rax + pinsrq $1, %rax, %xmm13 + pop %rax + pinsrq $0, %rax, %xmm13 + pop %rax + pinsrq $1, %rax, %xmm14 + pop %rax + pinsrq $0, %rax, %xmm14 + pop %rax + pinsrq $1, %rax, %xmm15 + pop %rax + pinsrq $0, %rax, %xmm15 + pop %rbx + pop %rbp + pop %rdi + pop %rsi + pop %r12 + pop %r13 + pop %r14 + pop %r15 + ret + +.global gcm128_decrypt_opt +gcm128_decrypt_opt: + push %r15 + push %r14 + push 
%r13 + push %r12 + push %rsi + push %rdi + push %rbp + push %rbx + pextrq $0, %xmm15, %rax + push %rax + pextrq $1, %xmm15, %rax + push %rax + pextrq $0, %xmm14, %rax + push %rax + pextrq $1, %xmm14, %rax + push %rax + pextrq $0, %xmm13, %rax + push %rax + pextrq $1, %xmm13, %rax + push %rax + pextrq $0, %xmm12, %rax + push %rax + pextrq $1, %xmm12, %rax + push %rax + pextrq $0, %xmm11, %rax + push %rax + pextrq $1, %xmm11, %rax + push %rax + pextrq $0, %xmm10, %rax + push %rax + pextrq $1, %xmm10, %rax + push %rax + pextrq $0, %xmm9, %rax + push %rax + pextrq $1, %xmm9, %rax + push %rax + pextrq $0, %xmm8, %rax + push %rax + pextrq $1, %xmm8, %rax + push %rax + pextrq $0, %xmm7, %rax + push %rax + pextrq $1, %xmm7, %rax + push %rax + pextrq $0, %xmm6, %rax + push %rax + pextrq $1, %xmm6, %rax + push %rax + mov %rcx, %rdi + mov %rdx, %rsi + mov %r8, %rdx + mov %r9, %rcx + mov 264(%rsp), %r8 + mov 272(%rsp), %r9 + mov 352(%rsp), %rbp + mov %rcx, %r13 + lea 32(%r9), %r9 + mov 280(%rsp), %rbx + mov %rdx, %rcx + imul $16, %rcx + mov $579005069656919567, %r10 + pinsrq $0, %r10, %xmm9 + mov $283686952306183, %r10 + pinsrq $1, %r10, %xmm9 + pxor %xmm8, %xmm8 + mov %rdi, %r11 + jmp L147 +.balign 16 +L146: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, 
%xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L147: + cmp $6, %rdx + jae L146 + cmp $0, %rdx + jbe L148 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu 
-32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L150 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L151 +L150: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L152 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L154 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L156 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L157 +L156: +L157: + jmp L155 +L154: +L155: + jmp L153 +L152: +L153: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, 
%xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L151: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L149 +L148: +L149: + mov %rsi, %r15 + cmp %rcx, %rsi + jbe L158 + movdqu 0(%rbx), %xmm0 + mov %rsi, %r10 + and $15, %r10 + cmp $8, %r10 + jae L160 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L161 +L160: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L161: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L159 +L158: +L159: + mov 288(%rsp), %rdi + mov 296(%rsp), %rsi + mov 304(%rsp), %rdx + mov %r13, %rcx + 
movdqu %xmm9, %xmm0 + movdqu 0(%r8), %xmm1 + movdqu %xmm1, 0(%rbp) + pxor %xmm10, %xmm10 + mov $1, %r11 + pinsrq $0, %r11, %xmm10 + vpaddd %xmm10, %xmm1, %xmm1 + cmp $0, %rdx + jne L162 + vpshufb %xmm0, %xmm1, %xmm1 + movdqu %xmm1, 32(%rbp) + jmp L163 +L162: + movdqu %xmm8, 32(%rbp) + add $128, %rcx + pextrq $0, %xmm1, %rbx + and $255, %rbx + vpshufb %xmm0, %xmm1, %xmm1 + lea 96(%rdi), %r14 + movdqu 32(%rbp), %xmm8 + movdqu 80(%rdi), %xmm7 + movdqu 64(%rdi), %xmm4 + movdqu 48(%rdi), %xmm5 + movdqu 32(%rdi), %xmm6 + vpshufb %xmm0, %xmm7, %xmm7 + movdqu 16(%rdi), %xmm2 + vpshufb %xmm0, %xmm4, %xmm4 + movdqu 0(%rdi), %xmm3 + vpshufb %xmm0, %xmm5, %xmm5 + movdqu %xmm4, 48(%rbp) + vpshufb %xmm0, %xmm6, %xmm6 + movdqu %xmm5, 64(%rbp) + vpshufb %xmm0, %xmm2, %xmm2 + movdqu %xmm6, 80(%rbp) + vpshufb %xmm0, %xmm3, %xmm3 + movdqu %xmm2, 96(%rbp) + movdqu %xmm3, 112(%rbp) + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + vpxor %xmm4, %xmm4, %xmm4 + movdqu -128(%rcx), %xmm15 + vpaddd %xmm2, %xmm1, %xmm10 + vpaddd %xmm2, %xmm10, %xmm11 + vpaddd %xmm2, %xmm11, %xmm12 + vpaddd %xmm2, %xmm12, %xmm13 + vpaddd %xmm2, %xmm13, %xmm14 + vpxor %xmm15, %xmm1, %xmm9 + movdqu %xmm4, 16(%rbp) + cmp $6, %rdx + jne L164 + sub $96, %r14 + jmp L165 +L164: +L165: + jmp L167 +.balign 16 +L166: + add $6, %rbx + cmp $256, %rbx + jb L168 + mov $579005069656919567, %r11 + pinsrq $0, %r11, %xmm0 + mov $283686952306183, %r11 + pinsrq $1, %r11, %xmm0 + vpshufb %xmm0, %xmm1, %xmm6 + pxor %xmm5, %xmm5 + mov $1, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm10 + pxor %xmm5, %xmm5 + mov $2, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm11 + movdqu -32(%r9), %xmm3 + vpaddd %xmm5, %xmm10, %xmm12 + vpshufb %xmm0, %xmm10, %xmm10 + vpaddd %xmm5, %xmm11, %xmm13 + vpshufb %xmm0, %xmm11, %xmm11 + vpxor %xmm15, %xmm10, %xmm10 + vpaddd %xmm5, %xmm12, %xmm14 + vpshufb %xmm0, %xmm12, %xmm12 + vpxor %xmm15, %xmm11, %xmm11 + vpaddd %xmm5, %xmm13, %xmm1 + vpshufb %xmm0, 
%xmm13, %xmm13 + vpshufb %xmm0, %xmm14, %xmm14 + vpshufb %xmm0, %xmm1, %xmm1 + sub $256, %rbx + jmp L169 +L168: + movdqu -32(%r9), %xmm3 + vpaddd %xmm14, %xmm2, %xmm1 + vpxor %xmm15, %xmm10, %xmm10 + vpxor %xmm15, %xmm11, %xmm11 +L169: + movdqu %xmm1, 128(%rbp) + vpclmulqdq $16, %xmm3, %xmm7, %xmm5 + vpxor %xmm15, %xmm12, %xmm12 + movdqu -112(%rcx), %xmm2 + vpclmulqdq $1, %xmm3, %xmm7, %xmm6 + vaesenc %xmm2, %xmm9, %xmm9 + movdqu 48(%rbp), %xmm0 + vpxor %xmm15, %xmm13, %xmm13 + vpclmulqdq $0, %xmm3, %xmm7, %xmm1 + vaesenc %xmm2, %xmm10, %xmm10 + vpxor %xmm15, %xmm14, %xmm14 + vpclmulqdq $17, %xmm3, %xmm7, %xmm7 + vaesenc %xmm2, %xmm11, %xmm11 + movdqu -16(%r9), %xmm3 + vaesenc %xmm2, %xmm12, %xmm12 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $0, %xmm3, %xmm0, %xmm5 + vpxor %xmm4, %xmm8, %xmm8 + vaesenc %xmm2, %xmm13, %xmm13 + vpxor %xmm5, %xmm1, %xmm4 + vpclmulqdq $16, %xmm3, %xmm0, %xmm1 + vaesenc %xmm2, %xmm14, %xmm14 + movdqu -96(%rcx), %xmm15 + vpclmulqdq $1, %xmm3, %xmm0, %xmm2 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor 16(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm3, %xmm0, %xmm3 + movdqu 64(%rbp), %xmm0 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 88(%r14), %r13 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 80(%r14), %r12 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 32(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 40(%rbp) + movdqu 16(%r9), %xmm5 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -80(%rcx), %xmm15 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor %xmm3, %xmm7, %xmm7 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vaesenc %xmm15, %xmm11, %xmm11 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 80(%rbp), %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -64(%rcx), %xmm15 + vpxor %xmm2, %xmm6, %xmm6 + 
vpclmulqdq $0, %xmm1, %xmm0, %xmm2 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $16, %xmm1, %xmm0, %xmm3 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 72(%r14), %r13 + vpxor %xmm5, %xmm7, %xmm7 + vpclmulqdq $1, %xmm1, %xmm0, %xmm5 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 64(%r14), %r12 + vpclmulqdq $17, %xmm1, %xmm0, %xmm1 + movdqu 96(%rbp), %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 48(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 56(%rbp) + vpxor %xmm2, %xmm4, %xmm4 + movdqu 64(%r9), %xmm2 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -48(%rcx), %xmm15 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $0, %xmm2, %xmm0, %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm2, %xmm0, %xmm5 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 56(%r14), %r13 + vpxor %xmm1, %xmm7, %xmm7 + vpclmulqdq $1, %xmm2, %xmm0, %xmm1 + vpxor 112(%rbp), %xmm8, %xmm8 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 48(%r14), %r12 + vpclmulqdq $17, %xmm2, %xmm0, %xmm2 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 64(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 72(%rbp) + vpxor %xmm3, %xmm4, %xmm4 + movdqu 80(%r9), %xmm3 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -32(%rcx), %xmm15 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm3, %xmm8, %xmm5 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $1, %xmm3, %xmm8, %xmm1 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 40(%r14), %r13 + vpxor %xmm2, %xmm7, %xmm7 + vpclmulqdq $0, %xmm3, %xmm8, %xmm2 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 32(%r14), %r12 + vpclmulqdq $17, %xmm3, %xmm8, %xmm8 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 80(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 88(%rbp) + vpxor %xmm5, %xmm6, %xmm6 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor %xmm1, %xmm6, %xmm6 + movdqu -16(%rcx), %xmm15 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm2, %xmm4, %xmm4 + pxor %xmm3, %xmm3 + mov $13979173243358019584, %r11 + pinsrq $1, %r11, %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 
+ vpxor %xmm8, %xmm7, %xmm7 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor %xmm5, %xmm4, %xmm4 + movbeq 24(%r14), %r13 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 16(%r14), %r12 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + movq %r13, 96(%rbp) + vaesenc %xmm15, %xmm12, %xmm12 + movq %r12, 104(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 0(%rcx), %xmm1 + vaesenc %xmm1, %xmm9, %xmm9 + movdqu 16(%rcx), %xmm15 + vaesenc %xmm1, %xmm10, %xmm10 + vpsrldq $8, %xmm6, %xmm6 + vaesenc %xmm1, %xmm11, %xmm11 + vpxor %xmm6, %xmm7, %xmm7 + vaesenc %xmm1, %xmm12, %xmm12 + vpxor %xmm0, %xmm4, %xmm4 + movbeq 8(%r14), %r13 + vaesenc %xmm1, %xmm13, %xmm13 + movbeq 0(%r14), %r12 + vaesenc %xmm1, %xmm14, %xmm14 + movdqu 32(%rcx), %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + movdqu %xmm7, 16(%rbp) + vpalignr $8, %xmm4, %xmm4, %xmm8 + vaesenc %xmm15, %xmm10, %xmm10 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor 0(%rdi), %xmm1, %xmm2 + vaesenc %xmm15, %xmm11, %xmm11 + vpxor 16(%rdi), %xmm1, %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + vpxor 32(%rdi), %xmm1, %xmm5 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor 48(%rdi), %xmm1, %xmm6 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor 64(%rdi), %xmm1, %xmm7 + vpxor 80(%rdi), %xmm1, %xmm3 + movdqu 128(%rbp), %xmm1 + vaesenclast %xmm2, %xmm9, %xmm9 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + vaesenclast %xmm0, %xmm10, %xmm10 + vpaddd %xmm2, %xmm1, %xmm0 + movq %r13, 112(%rbp) + lea 96(%rdi), %rdi + vaesenclast %xmm5, %xmm11, %xmm11 + vpaddd %xmm2, %xmm0, %xmm5 + movq %r12, 120(%rbp) + lea 96(%rsi), %rsi + movdqu -128(%rcx), %xmm15 + vaesenclast %xmm6, %xmm12, %xmm12 + vpaddd %xmm2, %xmm5, %xmm6 + vaesenclast %xmm7, %xmm13, %xmm13 + vpaddd %xmm2, %xmm6, %xmm7 + vaesenclast %xmm3, %xmm14, %xmm14 + vpaddd %xmm2, %xmm7, %xmm3 + sub $6, %rdx + cmp $6, %rdx + jbe L170 + add $96, %r14 + jmp L171 +L170: +L171: + cmp $0, %rdx + jbe L172 + movdqu %xmm9, -96(%rsi) + vpxor %xmm15, %xmm1, %xmm9 
+ movdqu %xmm10, -80(%rsi) + movdqu %xmm0, %xmm10 + movdqu %xmm11, -64(%rsi) + movdqu %xmm5, %xmm11 + movdqu %xmm12, -48(%rsi) + movdqu %xmm6, %xmm12 + movdqu %xmm13, -32(%rsi) + movdqu %xmm7, %xmm13 + movdqu %xmm14, -16(%rsi) + movdqu %xmm3, %xmm14 + movdqu 32(%rbp), %xmm7 + jmp L173 +L172: + vpxor 16(%rbp), %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 +L173: +.balign 16 +L167: + cmp $0, %rdx + ja L166 + movdqu %xmm1, 32(%rbp) + movdqu %xmm9, -96(%rsi) + movdqu %xmm10, -80(%rsi) + movdqu %xmm11, -64(%rsi) + movdqu %xmm12, -48(%rsi) + movdqu %xmm13, -32(%rsi) + movdqu %xmm14, -16(%rsi) + sub $128, %rcx +L163: + movdqu 32(%rbp), %xmm11 + mov %rcx, %r8 + mov 312(%rsp), %rax + mov 320(%rsp), %rdi + mov 328(%rsp), %rdx + mov %rdx, %r14 + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm9 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm9 + pshufb %xmm9, %xmm11 + mov %rdi, %rbx + mov %rdx, %r12 + mov %rax, %rdi + mov %rdi, %r11 + jmp L175 +.balign 16 +L174: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + 
movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L175: + cmp $6, %rdx + jae L174 + cmp $0, %rdx + jbe L176 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L178 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, 
%xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L179 +L178: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L180 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L182 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L184 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L185 +L184: +L185: + jmp L183 +L182: +L183: + jmp L181 +L180: +L181: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L179: + pxor 
%xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L177 +L176: +L177: + mov %rbx, %rdi + mov %r12, %rdx + pxor %xmm10, %xmm10 + mov $1, %rbx + pinsrd $0, %ebx, %xmm10 + mov %rax, %r11 + mov %rdi, %r10 + mov $0, %rbx + jmp L187 +.balign 16 +L186: + movdqu %xmm11, %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + movdqu 0(%r11), %xmm2 + pxor %xmm0, %xmm2 + movdqu %xmm2, 0(%r10) + add $1, %rbx + add $16, %r11 + add $16, %r10 + paddd %xmm10, %xmm11 +.balign 16 +L187: + cmp %rdx, %rbx + jne L186 + add 304(%rsp), %r14 + imul $16, %r14 + mov 344(%rsp), %r13 + cmp %r14, %r13 + jbe L188 + mov 336(%rsp), %rax + mov %r13, %r10 + and $15, %r10 + movdqu 0(%rax), %xmm0 + movdqu %xmm0, %xmm10 + cmp $8, %r10 + jae L190 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L191 +L190: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L191: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 
+ vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + movdqu %xmm11, %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pxor %xmm0, %xmm10 + movdqu %xmm10, 0(%rax) + jmp L189 +L188: +L189: + mov %r15, %r11 + pxor %xmm0, %xmm0 + mov %r11, %rax + imul $8, %rax + pinsrq $1, %rax, %xmm0 + mov %r13, %rax + imul $8, %rax + pinsrq $0, %rax, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor 
%xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + movdqu 0(%rbp), %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pshufb %xmm9, %xmm8 + pxor %xmm0, %xmm8 + mov 360(%rsp), %r15 + movdqu 0(%r15), %xmm0 + pcmpeqd %xmm8, %xmm0 + pextrq $0, %xmm0, %rdx + sub $18446744073709551615, %rdx + mov $0, %rax + adc $0, %rax + pextrq $1, %xmm0, %rdx + sub $18446744073709551615, %rdx + mov $0, %rdx + adc $0, %rdx + add %rdx, %rax + mov %rax, %rcx + pop %rax + pinsrq $1, %rax, %xmm6 + pop %rax + pinsrq $0, %rax, %xmm6 + pop %rax + pinsrq $1, %rax, %xmm7 + pop %rax + pinsrq $0, %rax, %xmm7 + pop %rax + pinsrq $1, %rax, %xmm8 + pop %rax + pinsrq $0, %rax, %xmm8 + pop %rax + pinsrq $1, %rax, %xmm9 + pop %rax + pinsrq $0, %rax, %xmm9 + pop %rax + pinsrq $1, %rax, %xmm10 + pop %rax + pinsrq $0, %rax, %xmm10 + pop %rax + pinsrq $1, %rax, %xmm11 + pop %rax + pinsrq $0, %rax, %xmm11 + pop %rax + pinsrq $1, %rax, %xmm12 + pop %rax + pinsrq $0, %rax, %xmm12 + pop %rax + pinsrq $1, %rax, %xmm13 + pop %rax + pinsrq $0, %rax, %xmm13 + pop %rax + pinsrq $1, %rax, %xmm14 + pop %rax + pinsrq $0, %rax, %xmm14 + pop %rax + pinsrq $1, %rax, %xmm15 + pop %rax + pinsrq $0, %rax, %xmm15 + pop %rbx + pop %rbp + pop %rdi + pop %rsi + pop %r12 + pop %r13 + pop %r14 + pop %r15 + mov %rcx, %rax + ret + +.global gcm256_decrypt_opt +gcm256_decrypt_opt: + push %r15 + push %r14 + push %r13 + push %r12 + push 
%rsi + push %rdi + push %rbp + push %rbx + pextrq $0, %xmm15, %rax + push %rax + pextrq $1, %xmm15, %rax + push %rax + pextrq $0, %xmm14, %rax + push %rax + pextrq $1, %xmm14, %rax + push %rax + pextrq $0, %xmm13, %rax + push %rax + pextrq $1, %xmm13, %rax + push %rax + pextrq $0, %xmm12, %rax + push %rax + pextrq $1, %xmm12, %rax + push %rax + pextrq $0, %xmm11, %rax + push %rax + pextrq $1, %xmm11, %rax + push %rax + pextrq $0, %xmm10, %rax + push %rax + pextrq $1, %xmm10, %rax + push %rax + pextrq $0, %xmm9, %rax + push %rax + pextrq $1, %xmm9, %rax + push %rax + pextrq $0, %xmm8, %rax + push %rax + pextrq $1, %xmm8, %rax + push %rax + pextrq $0, %xmm7, %rax + push %rax + pextrq $1, %xmm7, %rax + push %rax + pextrq $0, %xmm6, %rax + push %rax + pextrq $1, %xmm6, %rax + push %rax + mov %rcx, %rdi + mov %rdx, %rsi + mov %r8, %rdx + mov %r9, %rcx + mov 264(%rsp), %r8 + mov 272(%rsp), %r9 + mov 352(%rsp), %rbp + mov %rcx, %r13 + lea 32(%r9), %r9 + mov 280(%rsp), %rbx + mov %rdx, %rcx + imul $16, %rcx + mov $579005069656919567, %r10 + pinsrq $0, %r10, %xmm9 + mov $283686952306183, %r10 + pinsrq $1, %r10, %xmm9 + pxor %xmm8, %xmm8 + mov %rdi, %r11 + jmp L193 +.balign 16 +L192: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + 
vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L193: + cmp $6, %rdx + jae L192 + cmp $0, %rdx + jbe L194 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 
0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L196 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L197 +L196: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L198 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L200 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L202 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L203 +L202: +L203: + jmp L201 +L200: +L201: + jmp L199 +L198: +L199: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq 
$16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L197: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L195 +L194: +L195: + mov %rsi, %r15 + cmp %rcx, %rsi + jbe L204 + movdqu 0(%rbx), %xmm0 + mov %rsi, %r10 + and $15, %r10 + cmp $8, %r10 + jae L206 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L207 +L206: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L207: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L205 +L204: +L205: + mov 288(%rsp), %rdi + mov 296(%rsp), %rsi + mov 304(%rsp), %rdx + mov %r13, %rcx + movdqu %xmm9, %xmm0 + movdqu 
0(%r8), %xmm1 + movdqu %xmm1, 0(%rbp) + pxor %xmm10, %xmm10 + mov $1, %r11 + pinsrq $0, %r11, %xmm10 + vpaddd %xmm10, %xmm1, %xmm1 + cmp $0, %rdx + jne L208 + vpshufb %xmm0, %xmm1, %xmm1 + movdqu %xmm1, 32(%rbp) + jmp L209 +L208: + movdqu %xmm8, 32(%rbp) + add $128, %rcx + pextrq $0, %xmm1, %rbx + and $255, %rbx + vpshufb %xmm0, %xmm1, %xmm1 + lea 96(%rdi), %r14 + movdqu 32(%rbp), %xmm8 + movdqu 80(%rdi), %xmm7 + movdqu 64(%rdi), %xmm4 + movdqu 48(%rdi), %xmm5 + movdqu 32(%rdi), %xmm6 + vpshufb %xmm0, %xmm7, %xmm7 + movdqu 16(%rdi), %xmm2 + vpshufb %xmm0, %xmm4, %xmm4 + movdqu 0(%rdi), %xmm3 + vpshufb %xmm0, %xmm5, %xmm5 + movdqu %xmm4, 48(%rbp) + vpshufb %xmm0, %xmm6, %xmm6 + movdqu %xmm5, 64(%rbp) + vpshufb %xmm0, %xmm2, %xmm2 + movdqu %xmm6, 80(%rbp) + vpshufb %xmm0, %xmm3, %xmm3 + movdqu %xmm2, 96(%rbp) + movdqu %xmm3, 112(%rbp) + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + vpxor %xmm4, %xmm4, %xmm4 + movdqu -128(%rcx), %xmm15 + vpaddd %xmm2, %xmm1, %xmm10 + vpaddd %xmm2, %xmm10, %xmm11 + vpaddd %xmm2, %xmm11, %xmm12 + vpaddd %xmm2, %xmm12, %xmm13 + vpaddd %xmm2, %xmm13, %xmm14 + vpxor %xmm15, %xmm1, %xmm9 + movdqu %xmm4, 16(%rbp) + cmp $6, %rdx + jne L210 + sub $96, %r14 + jmp L211 +L210: +L211: + jmp L213 +.balign 16 +L212: + add $6, %rbx + cmp $256, %rbx + jb L214 + mov $579005069656919567, %r11 + pinsrq $0, %r11, %xmm0 + mov $283686952306183, %r11 + pinsrq $1, %r11, %xmm0 + vpshufb %xmm0, %xmm1, %xmm6 + pxor %xmm5, %xmm5 + mov $1, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm10 + pxor %xmm5, %xmm5 + mov $2, %r11 + pinsrq $0, %r11, %xmm5 + vpaddd %xmm5, %xmm6, %xmm11 + movdqu -32(%r9), %xmm3 + vpaddd %xmm5, %xmm10, %xmm12 + vpshufb %xmm0, %xmm10, %xmm10 + vpaddd %xmm5, %xmm11, %xmm13 + vpshufb %xmm0, %xmm11, %xmm11 + vpxor %xmm15, %xmm10, %xmm10 + vpaddd %xmm5, %xmm12, %xmm14 + vpshufb %xmm0, %xmm12, %xmm12 + vpxor %xmm15, %xmm11, %xmm11 + vpaddd %xmm5, %xmm13, %xmm1 + vpshufb %xmm0, %xmm13, %xmm13 + vpshufb %xmm0, 
%xmm14, %xmm14 + vpshufb %xmm0, %xmm1, %xmm1 + sub $256, %rbx + jmp L215 +L214: + movdqu -32(%r9), %xmm3 + vpaddd %xmm14, %xmm2, %xmm1 + vpxor %xmm15, %xmm10, %xmm10 + vpxor %xmm15, %xmm11, %xmm11 +L215: + movdqu %xmm1, 128(%rbp) + vpclmulqdq $16, %xmm3, %xmm7, %xmm5 + vpxor %xmm15, %xmm12, %xmm12 + movdqu -112(%rcx), %xmm2 + vpclmulqdq $1, %xmm3, %xmm7, %xmm6 + vaesenc %xmm2, %xmm9, %xmm9 + movdqu 48(%rbp), %xmm0 + vpxor %xmm15, %xmm13, %xmm13 + vpclmulqdq $0, %xmm3, %xmm7, %xmm1 + vaesenc %xmm2, %xmm10, %xmm10 + vpxor %xmm15, %xmm14, %xmm14 + vpclmulqdq $17, %xmm3, %xmm7, %xmm7 + vaesenc %xmm2, %xmm11, %xmm11 + movdqu -16(%r9), %xmm3 + vaesenc %xmm2, %xmm12, %xmm12 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $0, %xmm3, %xmm0, %xmm5 + vpxor %xmm4, %xmm8, %xmm8 + vaesenc %xmm2, %xmm13, %xmm13 + vpxor %xmm5, %xmm1, %xmm4 + vpclmulqdq $16, %xmm3, %xmm0, %xmm1 + vaesenc %xmm2, %xmm14, %xmm14 + movdqu -96(%rcx), %xmm15 + vpclmulqdq $1, %xmm3, %xmm0, %xmm2 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor 16(%rbp), %xmm8, %xmm8 + vpclmulqdq $17, %xmm3, %xmm0, %xmm3 + movdqu 64(%rbp), %xmm0 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 88(%r14), %r13 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 80(%r14), %r12 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 32(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 40(%rbp) + movdqu 16(%r9), %xmm5 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -80(%rcx), %xmm15 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vaesenc %xmm15, %xmm10, %xmm10 + vpxor %xmm3, %xmm7, %xmm7 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vaesenc %xmm15, %xmm11, %xmm11 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 80(%rbp), %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -64(%rcx), %xmm15 + vpxor %xmm2, %xmm6, %xmm6 + vpclmulqdq $0, %xmm1, %xmm0, %xmm2 + 
vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $16, %xmm1, %xmm0, %xmm3 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 72(%r14), %r13 + vpxor %xmm5, %xmm7, %xmm7 + vpclmulqdq $1, %xmm1, %xmm0, %xmm5 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 64(%r14), %r12 + vpclmulqdq $17, %xmm1, %xmm0, %xmm1 + movdqu 96(%rbp), %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 48(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 56(%rbp) + vpxor %xmm2, %xmm4, %xmm4 + movdqu 64(%r9), %xmm2 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -48(%rcx), %xmm15 + vpxor %xmm3, %xmm6, %xmm6 + vpclmulqdq $0, %xmm2, %xmm0, %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm2, %xmm0, %xmm5 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 56(%r14), %r13 + vpxor %xmm1, %xmm7, %xmm7 + vpclmulqdq $1, %xmm2, %xmm0, %xmm1 + vpxor 112(%rbp), %xmm8, %xmm8 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 48(%r14), %r12 + vpclmulqdq $17, %xmm2, %xmm0, %xmm2 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 64(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 72(%rbp) + vpxor %xmm3, %xmm4, %xmm4 + movdqu 80(%r9), %xmm3 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu -32(%rcx), %xmm15 + vpxor %xmm5, %xmm6, %xmm6 + vpclmulqdq $16, %xmm3, %xmm8, %xmm5 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm1, %xmm6, %xmm6 + vpclmulqdq $1, %xmm3, %xmm8, %xmm1 + vaesenc %xmm15, %xmm10, %xmm10 + movbeq 40(%r14), %r13 + vpxor %xmm2, %xmm7, %xmm7 + vpclmulqdq $0, %xmm3, %xmm8, %xmm2 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 32(%r14), %r12 + vpclmulqdq $17, %xmm3, %xmm8, %xmm8 + vaesenc %xmm15, %xmm12, %xmm12 + movq %r13, 80(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + movq %r12, 88(%rbp) + vpxor %xmm5, %xmm6, %xmm6 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor %xmm1, %xmm6, %xmm6 + movdqu -16(%rcx), %xmm15 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm2, %xmm4, %xmm4 + pxor %xmm3, %xmm3 + mov $13979173243358019584, %r11 + pinsrq $1, %r11, %xmm3 + vaesenc %xmm15, %xmm9, %xmm9 + vpxor %xmm8, %xmm7, %xmm7 + vaesenc 
%xmm15, %xmm10, %xmm10 + vpxor %xmm5, %xmm4, %xmm4 + movbeq 24(%r14), %r13 + vaesenc %xmm15, %xmm11, %xmm11 + movbeq 16(%r14), %r12 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + movq %r13, 96(%rbp) + vaesenc %xmm15, %xmm12, %xmm12 + movq %r12, 104(%rbp) + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + movdqu 0(%rcx), %xmm1 + vaesenc %xmm1, %xmm9, %xmm9 + movdqu 16(%rcx), %xmm15 + vaesenc %xmm1, %xmm10, %xmm10 + vpsrldq $8, %xmm6, %xmm6 + vaesenc %xmm1, %xmm11, %xmm11 + vpxor %xmm6, %xmm7, %xmm7 + vaesenc %xmm1, %xmm12, %xmm12 + vpxor %xmm0, %xmm4, %xmm4 + movbeq 8(%r14), %r13 + vaesenc %xmm1, %xmm13, %xmm13 + movbeq 0(%r14), %r12 + vaesenc %xmm1, %xmm14, %xmm14 + movdqu 32(%rcx), %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + vaesenc %xmm1, %xmm9, %xmm9 + vaesenc %xmm1, %xmm10, %xmm10 + vaesenc %xmm1, %xmm11, %xmm11 + vaesenc %xmm1, %xmm12, %xmm12 + vaesenc %xmm1, %xmm13, %xmm13 + movdqu 48(%rcx), %xmm15 + vaesenc %xmm1, %xmm14, %xmm14 + movdqu 64(%rcx), %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + vaesenc %xmm15, %xmm10, %xmm10 + vaesenc %xmm15, %xmm11, %xmm11 + vaesenc %xmm15, %xmm12, %xmm12 + vaesenc %xmm15, %xmm13, %xmm13 + vaesenc %xmm15, %xmm14, %xmm14 + vaesenc %xmm1, %xmm9, %xmm9 + vaesenc %xmm1, %xmm10, %xmm10 + vaesenc %xmm1, %xmm11, %xmm11 + vaesenc %xmm1, %xmm12, %xmm12 + vaesenc %xmm1, %xmm13, %xmm13 + movdqu 80(%rcx), %xmm15 + vaesenc %xmm1, %xmm14, %xmm14 + movdqu 96(%rcx), %xmm1 + vaesenc %xmm15, %xmm9, %xmm9 + movdqu %xmm7, 16(%rbp) + vpalignr $8, %xmm4, %xmm4, %xmm8 + vaesenc %xmm15, %xmm10, %xmm10 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor 0(%rdi), %xmm1, %xmm2 + vaesenc %xmm15, %xmm11, %xmm11 + vpxor 16(%rdi), %xmm1, %xmm0 + vaesenc %xmm15, %xmm12, %xmm12 + vpxor 32(%rdi), %xmm1, %xmm5 + vaesenc %xmm15, %xmm13, %xmm13 + vpxor 48(%rdi), %xmm1, 
%xmm6 + vaesenc %xmm15, %xmm14, %xmm14 + vpxor 64(%rdi), %xmm1, %xmm7 + vpxor 80(%rdi), %xmm1, %xmm3 + movdqu 128(%rbp), %xmm1 + vaesenclast %xmm2, %xmm9, %xmm9 + pxor %xmm2, %xmm2 + mov $72057594037927936, %r11 + pinsrq $1, %r11, %xmm2 + vaesenclast %xmm0, %xmm10, %xmm10 + vpaddd %xmm2, %xmm1, %xmm0 + movq %r13, 112(%rbp) + lea 96(%rdi), %rdi + vaesenclast %xmm5, %xmm11, %xmm11 + vpaddd %xmm2, %xmm0, %xmm5 + movq %r12, 120(%rbp) + lea 96(%rsi), %rsi + movdqu -128(%rcx), %xmm15 + vaesenclast %xmm6, %xmm12, %xmm12 + vpaddd %xmm2, %xmm5, %xmm6 + vaesenclast %xmm7, %xmm13, %xmm13 + vpaddd %xmm2, %xmm6, %xmm7 + vaesenclast %xmm3, %xmm14, %xmm14 + vpaddd %xmm2, %xmm7, %xmm3 + sub $6, %rdx + cmp $6, %rdx + jbe L216 + add $96, %r14 + jmp L217 +L216: +L217: + cmp $0, %rdx + jbe L218 + movdqu %xmm9, -96(%rsi) + vpxor %xmm15, %xmm1, %xmm9 + movdqu %xmm10, -80(%rsi) + movdqu %xmm0, %xmm10 + movdqu %xmm11, -64(%rsi) + movdqu %xmm5, %xmm11 + movdqu %xmm12, -48(%rsi) + movdqu %xmm6, %xmm12 + movdqu %xmm13, -32(%rsi) + movdqu %xmm7, %xmm13 + movdqu %xmm14, -16(%rsi) + movdqu %xmm3, %xmm14 + movdqu 32(%rbp), %xmm7 + jmp L219 +L218: + vpxor 16(%rbp), %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 +L219: +.balign 16 +L213: + cmp $0, %rdx + ja L212 + movdqu %xmm1, 32(%rbp) + movdqu %xmm9, -96(%rsi) + movdqu %xmm10, -80(%rsi) + movdqu %xmm11, -64(%rsi) + movdqu %xmm12, -48(%rsi) + movdqu %xmm13, -32(%rsi) + movdqu %xmm14, -16(%rsi) + sub $128, %rcx +L209: + movdqu 32(%rbp), %xmm11 + mov %rcx, %r8 + mov 312(%rsp), %rax + mov 320(%rsp), %rdi + mov 328(%rsp), %rdx + mov %rdx, %r14 + mov $579005069656919567, %r12 + pinsrq $0, %r12, %xmm9 + mov $283686952306183, %r12 + pinsrq $1, %r12, %xmm9 + pshufb %xmm9, %xmm11 + mov %rdi, %rbx + mov %rdx, %r12 + mov %rax, %rdi + mov %rdi, %r11 + jmp L221 +.balign 16 +L220: + add $80, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + 
vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 80(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, 
%xmm7, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + add $96, %r11 + sub $6, %rdx +.balign 16 +L221: + cmp $6, %rdx + jae L220 + cmp $0, %rdx + jbe L222 + mov %rdx, %r10 + sub $1, %r10 + imul $16, %r10 + add %r10, %r11 + movdqu -32(%r9), %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + cmp $1, %rdx + jne L224 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + jmp L225 +L224: + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + movdqu %xmm1, %xmm4 + movdqu -16(%r9), %xmm1 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + movdqu %xmm1, %xmm5 + cmp $2, %rdx + je L226 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 16(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $3, %rdx + je L228 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 32(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 
+ vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + cmp $4, %rdx + je L230 + sub $16, %r11 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu 0(%r11), %xmm0 + pshufb %xmm9, %xmm0 + vpxor %xmm1, %xmm4, %xmm4 + movdqu 64(%r9), %xmm1 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 + movdqu %xmm1, %xmm5 + jmp L231 +L230: +L231: + jmp L229 +L228: +L229: + jmp L227 +L226: +L227: + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + vpxor %xmm1, %xmm4, %xmm4 + vpxor %xmm2, %xmm6, %xmm6 + vpxor %xmm3, %xmm6, %xmm6 + vpxor %xmm5, %xmm7, %xmm7 +L225: + pxor %xmm3, %xmm3 + mov $3254779904, %r10 + pinsrd $3, %r10d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + jmp L223 +L222: +L223: + mov %rbx, %rdi + mov %r12, %rdx + pxor %xmm10, %xmm10 + mov $1, %rbx + pinsrd $0, %ebx, %xmm10 + mov %rax, %r11 + mov %rdi, %r10 + mov $0, %rbx + jmp L233 +.balign 16 +L232: + movdqu %xmm11, %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenc 
%xmm2, %xmm0 + movdqu 176(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 192(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 208(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 224(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + movdqu 0(%r11), %xmm2 + pxor %xmm0, %xmm2 + movdqu %xmm2, 0(%r10) + add $1, %rbx + add $16, %r11 + add $16, %r10 + paddd %xmm10, %xmm11 +.balign 16 +L233: + cmp %rdx, %rbx + jne L232 + add 304(%rsp), %r14 + imul $16, %r14 + mov 344(%rsp), %r13 + cmp %r14, %r13 + jbe L234 + mov 336(%rsp), %rax + mov %r13, %r10 + and $15, %r10 + movdqu 0(%rax), %xmm0 + movdqu %xmm0, %xmm10 + cmp $8, %r10 + jae L236 + mov $0, %rcx + pinsrq $1, %rcx, %xmm0 + mov %r10, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $0, %xmm0, %rcx + and %r11, %rcx + pinsrq $0, %rcx, %xmm0 + jmp L237 +L236: + mov %r10, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %r11 + shl %cl, %r11 + sub $1, %r11 + pextrq $1, %xmm0, %rcx + and %r11, %rcx + pinsrq $1, %rcx, %xmm0 +L237: + pshufb %xmm9, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + movdqu %xmm11, %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 
+ aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 176(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 192(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 208(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 224(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pxor %xmm0, %xmm10 + movdqu %xmm10, 0(%rax) + jmp L235 +L234: +L235: + mov %r15, %r11 + pxor %xmm0, %xmm0 + mov %r11, %rax + imul $8, %rax + pinsrq $1, %rax, %xmm0 + mov %r13, %rax + imul $8, %rax + pinsrq $0, %rax, %xmm0 + movdqu -32(%r9), %xmm5 + vpxor %xmm0, %xmm8, %xmm0 + vpclmulqdq $0, %xmm5, %xmm0, %xmm1 + vpclmulqdq $16, %xmm5, %xmm0, %xmm2 + vpclmulqdq $1, %xmm5, %xmm0, %xmm3 + vpclmulqdq $17, %xmm5, %xmm0, %xmm5 + movdqu %xmm1, %xmm4 + vpxor %xmm3, %xmm2, %xmm6 + movdqu %xmm5, %xmm7 + pxor %xmm3, %xmm3 + mov $3254779904, %r11 + pinsrd $3, %r11d, %xmm3 + vpslldq $8, %xmm6, %xmm5 + vpxor %xmm5, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm0 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpsrldq $8, %xmm6, %xmm6 + vpxor %xmm6, %xmm7, %xmm7 + vpxor %xmm0, %xmm4, %xmm4 + vpalignr $8, %xmm4, %xmm4, %xmm8 + vpclmulqdq $16, %xmm3, %xmm4, %xmm4 + vpxor %xmm7, %xmm8, %xmm8 + vpxor %xmm4, %xmm8, %xmm8 + movdqu 0(%rbp), %xmm0 + pshufb %xmm9, %xmm0 + movdqu 0(%r8), %xmm2 + pxor %xmm2, %xmm0 + movdqu 16(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 32(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 48(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 64(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 80(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 96(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 112(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 128(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 144(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 160(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 176(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 192(%r8), 
%xmm2 + aesenc %xmm2, %xmm0 + movdqu 208(%r8), %xmm2 + aesenc %xmm2, %xmm0 + movdqu 224(%r8), %xmm2 + aesenclast %xmm2, %xmm0 + pxor %xmm2, %xmm2 + pshufb %xmm9, %xmm8 + pxor %xmm0, %xmm8 + mov 360(%rsp), %r15 + movdqu 0(%r15), %xmm0 + pcmpeqd %xmm8, %xmm0 + pextrq $0, %xmm0, %rdx + sub $18446744073709551615, %rdx + mov $0, %rax + adc $0, %rax + pextrq $1, %xmm0, %rdx + sub $18446744073709551615, %rdx + mov $0, %rdx + adc $0, %rdx + add %rdx, %rax + mov %rax, %rcx + pop %rax + pinsrq $1, %rax, %xmm6 + pop %rax + pinsrq $0, %rax, %xmm6 + pop %rax + pinsrq $1, %rax, %xmm7 + pop %rax + pinsrq $0, %rax, %xmm7 + pop %rax + pinsrq $1, %rax, %xmm8 + pop %rax + pinsrq $0, %rax, %xmm8 + pop %rax + pinsrq $1, %rax, %xmm9 + pop %rax + pinsrq $0, %rax, %xmm9 + pop %rax + pinsrq $1, %rax, %xmm10 + pop %rax + pinsrq $0, %rax, %xmm10 + pop %rax + pinsrq $1, %rax, %xmm11 + pop %rax + pinsrq $0, %rax, %xmm11 + pop %rax + pinsrq $1, %rax, %xmm12 + pop %rax + pinsrq $0, %rax, %xmm12 + pop %rax + pinsrq $1, %rax, %xmm13 + pop %rax + pinsrq $0, %rax, %xmm13 + pop %rax + pinsrq $1, %rax, %xmm14 + pop %rax + pinsrq $0, %rax, %xmm14 + pop %rax + pinsrq $1, %rax, %xmm15 + pop %rax + pinsrq $0, %rax, %xmm15 + pop %rbx + pop %rbp + pop %rdi + pop %rsi + pop %r12 + pop %r13 + pop %r14 + pop %r15 + mov %rcx, %rax + ret + + diff --git a/vale/src/aesgcm-x86_64-msvc.asm b/vale/src/aesgcm-x86_64-msvc.asm new file mode 100644 index 00000000..958a475d --- /dev/null +++ b/vale/src/aesgcm-x86_64-msvc.asm 
@@ -0,0 +1,8705 @@ +.code +ALIGN 16 +aes128_key_expansion proc + movdqu xmm1, xmmword ptr [rcx + 0] + movdqu xmmword ptr [rdx + 0], xmm1 + aeskeygenassist xmm2, xmm1, 1 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 16], xmm1 + aeskeygenassist xmm2, xmm1, 2 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 32], xmm1 + aeskeygenassist xmm2, xmm1, 4 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 48], xmm1 + aeskeygenassist xmm2, xmm1, 8 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 64], xmm1 + aeskeygenassist xmm2, xmm1, 16 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 80], xmm1 + aeskeygenassist xmm2, xmm1, 32 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 96], xmm1 + aeskeygenassist xmm2, xmm1, 64 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 112], xmm1 + aeskeygenassist xmm2, xmm1, 128 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 
+ pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 128], xmm1 + aeskeygenassist xmm2, xmm1, 27 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 144], xmm1 + aeskeygenassist xmm2, xmm1, 54 + pshufd xmm2, xmm2, 255 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + vpslldq xmm3, xmm1, 4 + pxor xmm1, xmm3 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 160], xmm1 + pxor xmm1, xmm1 + pxor xmm2, xmm2 + pxor xmm3, xmm3 + ret +aes128_key_expansion endp +ALIGN 16 +aes128_keyhash_init proc + mov r8, 579005069656919567 + pinsrq xmm4, r8, 0 + mov r8, 283686952306183 + pinsrq xmm4, r8, 1 + pxor xmm0, xmm0 + movdqu xmmword ptr [rdx + 80], xmm0 + mov r8, rcx + movdqu xmm2, xmmword ptr [r8 + 0] + pxor xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 16] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 32] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 48] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 64] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 80] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 96] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 112] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 128] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 144] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 160] + aesenclast xmm0, xmm2 + pxor xmm2, xmm2 + pshufb xmm0, xmm4 + mov rcx, rdx + movdqu xmmword ptr [rcx + 32], xmm0 + movdqu xmm0, xmm6 + mov rax, r12 + movdqu xmm1, xmmword ptr [rcx + 32] + movdqu xmm6, xmm1 + movdqu xmm3, xmm1 + pxor xmm4, xmm4 + pxor xmm5, xmm5 + mov r12, 3254779904 + pinsrd xmm4, r12d, 3 + mov r12, 1 + pinsrd xmm4, r12d, 0 + mov r12, 2147483648 + pinsrd xmm5, r12d, 3 + movdqu xmm1, xmm3 + movdqu xmm2, xmm1 + psrld xmm2, 31 + pslld xmm1, 1 + vpslldq xmm2, xmm2, 4 + pxor xmm1, xmm2 + pand xmm3, xmm5 + pcmpeqd xmm3, xmm5 + pshufd xmm3, 
xmm3, 255 + pand xmm3, xmm4 + vpxor xmm1, xmm1, xmm3 + movdqu xmmword ptr [rcx + 0], xmm1 + movdqu xmm1, xmm6 + movdqu xmm2, xmm6 + movdqu xmm5, xmm1 + pclmulqdq xmm1, xmm2, 16 + movdqu xmm3, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 1 + movdqu xmm4, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 0 + pclmulqdq xmm5, xmm2, 17 + movdqu xmm2, xmm5 + movdqu xmm5, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm4 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 3 + pshufd xmm1, xmm1, 79 + mov r12, 0 + pinsrd xmm4, r12d, 3 + pshufd xmm4, xmm4, 79 + pxor xmm1, xmm4 + pxor xmm1, xmm5 + movdqu xmm3, xmm1 + psrld xmm3, 31 + movdqu xmm4, xmm2 + psrld xmm4, 31 + pslld xmm1, 1 + pslld xmm2, 1 + vpslldq xmm5, xmm3, 4 + vpslldq xmm4, xmm4, 4 + mov r12, 0 + pinsrd xmm3, r12d, 0 + pshufd xmm3, xmm3, 3 + pxor xmm3, xmm4 + pxor xmm1, xmm5 + pxor xmm2, xmm3 + movdqu xmm6, xmm2 + pxor xmm2, xmm2 + mov r12, 3774873600 + pinsrd xmm2, r12d, 3 + movdqu xmm5, xmm1 + pclmulqdq xmm1, xmm2, 16 + movdqu xmm3, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 1 + movdqu xmm4, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 0 + pclmulqdq xmm5, xmm2, 17 + movdqu xmm2, xmm5 + movdqu xmm5, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm4 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 3 + pshufd xmm1, xmm1, 79 + mov r12, 0 + pinsrd xmm4, r12d, 3 + pshufd xmm4, xmm4, 79 + pxor xmm1, xmm4 + pxor xmm1, xmm5 + movdqu xmm3, xmm1 + psrld xmm3, 31 + movdqu xmm4, xmm2 + psrld xmm4, 31 + pslld xmm1, 1 + pslld xmm2, 1 + vpslldq xmm5, xmm3, 4 + vpslldq xmm4, xmm4, 4 + mov r12, 0 + pinsrd xmm3, r12d, 0 + pshufd xmm3, xmm3, 3 + pxor xmm3, xmm4 + pxor xmm1, xmm5 + pxor xmm2, xmm3 + movdqu xmm5, 
xmm2 + pxor xmm2, xmm2 + mov r12, 3774873600 + pinsrd xmm2, r12d, 3 + pclmulqdq xmm1, xmm2, 17 + movdqu xmm2, xmm1 + psrld xmm2, 31 + pslld xmm1, 1 + vpslldq xmm2, xmm2, 4 + pxor xmm1, xmm2 + pxor xmm1, xmm5 + pxor xmm1, xmm6 + movdqu xmm6, xmm1 + movdqu xmm3, xmm1 + pxor xmm4, xmm4 + pxor xmm5, xmm5 + mov r12, 3254779904 + pinsrd xmm4, r12d, 3 + mov r12, 1 + pinsrd xmm4, r12d, 0 + mov r12, 2147483648 + pinsrd xmm5, r12d, 3 + movdqu xmm1, xmm3 + movdqu xmm2, xmm1 + psrld xmm2, 31 + pslld xmm1, 1 + vpslldq xmm2, xmm2, 4 + pxor xmm1, xmm2 + pand xmm3, xmm5 + pcmpeqd xmm3, xmm5 + pshufd xmm3, xmm3, 255 + pand xmm3, xmm4 + vpxor xmm1, xmm1, xmm3 + movdqu xmmword ptr [rcx + 16], xmm1 + movdqu xmm2, xmm6 + movdqu xmm1, xmmword ptr [rcx + 32] + movdqu xmm5, xmm1 + pclmulqdq xmm1, xmm2, 16 + movdqu xmm3, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 1 + movdqu xmm4, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 0 + pclmulqdq xmm5, xmm2, 17 + movdqu xmm2, xmm5 + movdqu xmm5, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm4 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 3 + pshufd xmm1, xmm1, 79 + mov r12, 0 + pinsrd xmm4, r12d, 3 + pshufd xmm4, xmm4, 79 + pxor xmm1, xmm4 + pxor xmm1, xmm5 + movdqu xmm3, xmm1 + psrld xmm3, 31 + movdqu xmm4, xmm2 + psrld xmm4, 31 + pslld xmm1, 1 + pslld xmm2, 1 + vpslldq xmm5, xmm3, 4 + vpslldq xmm4, xmm4, 4 + mov r12, 0 + pinsrd xmm3, r12d, 0 + pshufd xmm3, xmm3, 3 + pxor xmm3, xmm4 + pxor xmm1, xmm5 + pxor xmm2, xmm3 + movdqu xmm6, xmm2 + pxor xmm2, xmm2 + mov r12, 3774873600 + pinsrd xmm2, r12d, 3 + movdqu xmm5, xmm1 + pclmulqdq xmm1, xmm2, 16 + movdqu xmm3, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 1 + movdqu xmm4, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 0 + pclmulqdq xmm5, xmm2, 17 + movdqu xmm2, xmm5 + movdqu xmm5, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + 
pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm4 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 3 + pshufd xmm1, xmm1, 79 + mov r12, 0 + pinsrd xmm4, r12d, 3 + pshufd xmm4, xmm4, 79 + pxor xmm1, xmm4 + pxor xmm1, xmm5 + movdqu xmm3, xmm1 + psrld xmm3, 31 + movdqu xmm4, xmm2 + psrld xmm4, 31 + pslld xmm1, 1 + pslld xmm2, 1 + vpslldq xmm5, xmm3, 4 + vpslldq xmm4, xmm4, 4 + mov r12, 0 + pinsrd xmm3, r12d, 0 + pshufd xmm3, xmm3, 3 + pxor xmm3, xmm4 + pxor xmm1, xmm5 + pxor xmm2, xmm3 + movdqu xmm5, xmm2 + pxor xmm2, xmm2 + mov r12, 3774873600 + pinsrd xmm2, r12d, 3 + pclmulqdq xmm1, xmm2, 17 + movdqu xmm2, xmm1 + psrld xmm2, 31 + pslld xmm1, 1 + vpslldq xmm2, xmm2, 4 + pxor xmm1, xmm2 + pxor xmm1, xmm5 + pxor xmm1, xmm6 + movdqu xmm6, xmm1 + movdqu xmm3, xmm1 + pxor xmm4, xmm4 + pxor xmm5, xmm5 + mov r12, 3254779904 + pinsrd xmm4, r12d, 3 + mov r12, 1 + pinsrd xmm4, r12d, 0 + mov r12, 2147483648 + pinsrd xmm5, r12d, 3 + movdqu xmm1, xmm3 + movdqu xmm2, xmm1 + psrld xmm2, 31 + pslld xmm1, 1 + vpslldq xmm2, xmm2, 4 + pxor xmm1, xmm2 + pand xmm3, xmm5 + pcmpeqd xmm3, xmm5 + pshufd xmm3, xmm3, 255 + pand xmm3, xmm4 + vpxor xmm1, xmm1, xmm3 + movdqu xmmword ptr [rcx + 48], xmm1 + movdqu xmm2, xmm6 + movdqu xmm1, xmmword ptr [rcx + 32] + movdqu xmm5, xmm1 + pclmulqdq xmm1, xmm2, 16 + movdqu xmm3, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 1 + movdqu xmm4, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 0 + pclmulqdq xmm5, xmm2, 17 + movdqu xmm2, xmm5 + movdqu xmm5, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm4 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 3 + pshufd xmm1, xmm1, 79 + mov r12, 0 + pinsrd xmm4, r12d, 3 + pshufd xmm4, xmm4, 79 + pxor xmm1, xmm4 + pxor xmm1, xmm5 + movdqu xmm3, 
xmm1 + psrld xmm3, 31 + movdqu xmm4, xmm2 + psrld xmm4, 31 + pslld xmm1, 1 + pslld xmm2, 1 + vpslldq xmm5, xmm3, 4 + vpslldq xmm4, xmm4, 4 + mov r12, 0 + pinsrd xmm3, r12d, 0 + pshufd xmm3, xmm3, 3 + pxor xmm3, xmm4 + pxor xmm1, xmm5 + pxor xmm2, xmm3 + movdqu xmm6, xmm2 + pxor xmm2, xmm2 + mov r12, 3774873600 + pinsrd xmm2, r12d, 3 + movdqu xmm5, xmm1 + pclmulqdq xmm1, xmm2, 16 + movdqu xmm3, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 1 + movdqu xmm4, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 0 + pclmulqdq xmm5, xmm2, 17 + movdqu xmm2, xmm5 + movdqu xmm5, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm4 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 3 + pshufd xmm1, xmm1, 79 + mov r12, 0 + pinsrd xmm4, r12d, 3 + pshufd xmm4, xmm4, 79 + pxor xmm1, xmm4 + pxor xmm1, xmm5 + movdqu xmm3, xmm1 + psrld xmm3, 31 + movdqu xmm4, xmm2 + psrld xmm4, 31 + pslld xmm1, 1 + pslld xmm2, 1 + vpslldq xmm5, xmm3, 4 + vpslldq xmm4, xmm4, 4 + mov r12, 0 + pinsrd xmm3, r12d, 0 + pshufd xmm3, xmm3, 3 + pxor xmm3, xmm4 + pxor xmm1, xmm5 + pxor xmm2, xmm3 + movdqu xmm5, xmm2 + pxor xmm2, xmm2 + mov r12, 3774873600 + pinsrd xmm2, r12d, 3 + pclmulqdq xmm1, xmm2, 17 + movdqu xmm2, xmm1 + psrld xmm2, 31 + pslld xmm1, 1 + vpslldq xmm2, xmm2, 4 + pxor xmm1, xmm2 + pxor xmm1, xmm5 + pxor xmm1, xmm6 + movdqu xmm6, xmm1 + movdqu xmm3, xmm1 + pxor xmm4, xmm4 + pxor xmm5, xmm5 + mov r12, 3254779904 + pinsrd xmm4, r12d, 3 + mov r12, 1 + pinsrd xmm4, r12d, 0 + mov r12, 2147483648 + pinsrd xmm5, r12d, 3 + movdqu xmm1, xmm3 + movdqu xmm2, xmm1 + psrld xmm2, 31 + pslld xmm1, 1 + vpslldq xmm2, xmm2, 4 + pxor xmm1, xmm2 + pand xmm3, xmm5 + pcmpeqd xmm3, xmm5 + pshufd xmm3, xmm3, 255 + pand xmm3, xmm4 + vpxor xmm1, xmm1, xmm3 + movdqu xmmword ptr [rcx + 64], xmm1 + movdqu xmm2, xmm6 + movdqu xmm1, xmmword ptr [rcx + 32] + movdqu xmm5, 
xmm1 + pclmulqdq xmm1, xmm2, 16 + movdqu xmm3, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 1 + movdqu xmm4, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 0 + pclmulqdq xmm5, xmm2, 17 + movdqu xmm2, xmm5 + movdqu xmm5, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm4 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 3 + pshufd xmm1, xmm1, 79 + mov r12, 0 + pinsrd xmm4, r12d, 3 + pshufd xmm4, xmm4, 79 + pxor xmm1, xmm4 + pxor xmm1, xmm5 + movdqu xmm3, xmm1 + psrld xmm3, 31 + movdqu xmm4, xmm2 + psrld xmm4, 31 + pslld xmm1, 1 + pslld xmm2, 1 + vpslldq xmm5, xmm3, 4 + vpslldq xmm4, xmm4, 4 + mov r12, 0 + pinsrd xmm3, r12d, 0 + pshufd xmm3, xmm3, 3 + pxor xmm3, xmm4 + pxor xmm1, xmm5 + pxor xmm2, xmm3 + movdqu xmm6, xmm2 + pxor xmm2, xmm2 + mov r12, 3774873600 + pinsrd xmm2, r12d, 3 + movdqu xmm5, xmm1 + pclmulqdq xmm1, xmm2, 16 + movdqu xmm3, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 1 + movdqu xmm4, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 0 + pclmulqdq xmm5, xmm2, 17 + movdqu xmm2, xmm5 + movdqu xmm5, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm4 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 3 + pshufd xmm1, xmm1, 79 + mov r12, 0 + pinsrd xmm4, r12d, 3 + pshufd xmm4, xmm4, 79 + pxor xmm1, xmm4 + pxor xmm1, xmm5 + movdqu xmm3, xmm1 + psrld xmm3, 31 + movdqu xmm4, xmm2 + psrld xmm4, 31 + pslld xmm1, 1 + pslld xmm2, 1 + vpslldq xmm5, xmm3, 4 + vpslldq xmm4, xmm4, 4 + mov r12, 0 + pinsrd xmm3, r12d, 0 + pshufd xmm3, xmm3, 3 + pxor xmm3, xmm4 + pxor xmm1, xmm5 + pxor xmm2, xmm3 + movdqu xmm5, xmm2 + pxor xmm2, xmm2 + mov r12, 3774873600 + pinsrd xmm2, r12d, 3 + pclmulqdq xmm1, xmm2, 17 + movdqu xmm2, xmm1 + psrld xmm2, 31 + pslld xmm1, 
1 + vpslldq xmm2, xmm2, 4 + pxor xmm1, xmm2 + pxor xmm1, xmm5 + pxor xmm1, xmm6 + movdqu xmm6, xmm1 + movdqu xmm3, xmm1 + pxor xmm4, xmm4 + pxor xmm5, xmm5 + mov r12, 3254779904 + pinsrd xmm4, r12d, 3 + mov r12, 1 + pinsrd xmm4, r12d, 0 + mov r12, 2147483648 + pinsrd xmm5, r12d, 3 + movdqu xmm1, xmm3 + movdqu xmm2, xmm1 + psrld xmm2, 31 + pslld xmm1, 1 + vpslldq xmm2, xmm2, 4 + pxor xmm1, xmm2 + pand xmm3, xmm5 + pcmpeqd xmm3, xmm5 + pshufd xmm3, xmm3, 255 + pand xmm3, xmm4 + vpxor xmm1, xmm1, xmm3 + movdqu xmmword ptr [rcx + 96], xmm1 + movdqu xmm2, xmm6 + movdqu xmm1, xmmword ptr [rcx + 32] + movdqu xmm5, xmm1 + pclmulqdq xmm1, xmm2, 16 + movdqu xmm3, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 1 + movdqu xmm4, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 0 + pclmulqdq xmm5, xmm2, 17 + movdqu xmm2, xmm5 + movdqu xmm5, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm4 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 3 + pshufd xmm1, xmm1, 79 + mov r12, 0 + pinsrd xmm4, r12d, 3 + pshufd xmm4, xmm4, 79 + pxor xmm1, xmm4 + pxor xmm1, xmm5 + movdqu xmm3, xmm1 + psrld xmm3, 31 + movdqu xmm4, xmm2 + psrld xmm4, 31 + pslld xmm1, 1 + pslld xmm2, 1 + vpslldq xmm5, xmm3, 4 + vpslldq xmm4, xmm4, 4 + mov r12, 0 + pinsrd xmm3, r12d, 0 + pshufd xmm3, xmm3, 3 + pxor xmm3, xmm4 + pxor xmm1, xmm5 + pxor xmm2, xmm3 + movdqu xmm6, xmm2 + pxor xmm2, xmm2 + mov r12, 3774873600 + pinsrd xmm2, r12d, 3 + movdqu xmm5, xmm1 + pclmulqdq xmm1, xmm2, 16 + movdqu xmm3, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 1 + movdqu xmm4, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 0 + pclmulqdq xmm5, xmm2, 17 + movdqu xmm2, xmm5 + movdqu xmm5, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm4 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor 
xmm2, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 3 + pshufd xmm1, xmm1, 79 + mov r12, 0 + pinsrd xmm4, r12d, 3 + pshufd xmm4, xmm4, 79 + pxor xmm1, xmm4 + pxor xmm1, xmm5 + movdqu xmm3, xmm1 + psrld xmm3, 31 + movdqu xmm4, xmm2 + psrld xmm4, 31 + pslld xmm1, 1 + pslld xmm2, 1 + vpslldq xmm5, xmm3, 4 + vpslldq xmm4, xmm4, 4 + mov r12, 0 + pinsrd xmm3, r12d, 0 + pshufd xmm3, xmm3, 3 + pxor xmm3, xmm4 + pxor xmm1, xmm5 + pxor xmm2, xmm3 + movdqu xmm5, xmm2 + pxor xmm2, xmm2 + mov r12, 3774873600 + pinsrd xmm2, r12d, 3 + pclmulqdq xmm1, xmm2, 17 + movdqu xmm2, xmm1 + psrld xmm2, 31 + pslld xmm1, 1 + vpslldq xmm2, xmm2, 4 + pxor xmm1, xmm2 + pxor xmm1, xmm5 + pxor xmm1, xmm6 + movdqu xmm6, xmm1 + movdqu xmm3, xmm1 + pxor xmm4, xmm4 + pxor xmm5, xmm5 + mov r12, 3254779904 + pinsrd xmm4, r12d, 3 + mov r12, 1 + pinsrd xmm4, r12d, 0 + mov r12, 2147483648 + pinsrd xmm5, r12d, 3 + movdqu xmm1, xmm3 + movdqu xmm2, xmm1 + psrld xmm2, 31 + pslld xmm1, 1 + vpslldq xmm2, xmm2, 4 + pxor xmm1, xmm2 + pand xmm3, xmm5 + pcmpeqd xmm3, xmm5 + pshufd xmm3, xmm3, 255 + pand xmm3, xmm4 + vpxor xmm1, xmm1, xmm3 + movdqu xmmword ptr [rcx + 112], xmm1 + movdqu xmm6, xmm0 + mov r12, rax + ret +aes128_keyhash_init endp +ALIGN 16 +aes256_key_expansion proc + movdqu xmm1, xmmword ptr [rcx + 0] + movdqu xmm3, xmmword ptr [rcx + 16] + movdqu xmmword ptr [rdx + 0], xmm1 + movdqu xmmword ptr [rdx + 16], xmm3 + aeskeygenassist xmm2, xmm3, 1 + pshufd xmm2, xmm2, 255 + vpslldq xmm4, xmm1, 4 + pxor xmm1, xmm4 + vpslldq xmm4, xmm1, 4 + pxor xmm1, xmm4 + vpslldq xmm4, xmm1, 4 + pxor xmm1, xmm4 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 32], xmm1 + aeskeygenassist xmm2, xmm1, 0 + pshufd xmm2, xmm2, 170 + vpslldq xmm4, xmm3, 4 + pxor xmm3, xmm4 + vpslldq xmm4, xmm3, 4 + pxor xmm3, xmm4 + vpslldq xmm4, xmm3, 4 + pxor xmm3, xmm4 + pxor xmm3, xmm2 + movdqu xmmword ptr [rdx + 48], xmm3 + aeskeygenassist xmm2, xmm3, 2 + pshufd xmm2, xmm2, 255 + vpslldq xmm4, xmm1, 4 + pxor xmm1, xmm4 + vpslldq 
xmm4, xmm1, 4 + pxor xmm1, xmm4 + vpslldq xmm4, xmm1, 4 + pxor xmm1, xmm4 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 64], xmm1 + aeskeygenassist xmm2, xmm1, 0 + pshufd xmm2, xmm2, 170 + vpslldq xmm4, xmm3, 4 + pxor xmm3, xmm4 + vpslldq xmm4, xmm3, 4 + pxor xmm3, xmm4 + vpslldq xmm4, xmm3, 4 + pxor xmm3, xmm4 + pxor xmm3, xmm2 + movdqu xmmword ptr [rdx + 80], xmm3 + aeskeygenassist xmm2, xmm3, 4 + pshufd xmm2, xmm2, 255 + vpslldq xmm4, xmm1, 4 + pxor xmm1, xmm4 + vpslldq xmm4, xmm1, 4 + pxor xmm1, xmm4 + vpslldq xmm4, xmm1, 4 + pxor xmm1, xmm4 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 96], xmm1 + aeskeygenassist xmm2, xmm1, 0 + pshufd xmm2, xmm2, 170 + vpslldq xmm4, xmm3, 4 + pxor xmm3, xmm4 + vpslldq xmm4, xmm3, 4 + pxor xmm3, xmm4 + vpslldq xmm4, xmm3, 4 + pxor xmm3, xmm4 + pxor xmm3, xmm2 + movdqu xmmword ptr [rdx + 112], xmm3 + aeskeygenassist xmm2, xmm3, 8 + pshufd xmm2, xmm2, 255 + vpslldq xmm4, xmm1, 4 + pxor xmm1, xmm4 + vpslldq xmm4, xmm1, 4 + pxor xmm1, xmm4 + vpslldq xmm4, xmm1, 4 + pxor xmm1, xmm4 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 128], xmm1 + aeskeygenassist xmm2, xmm1, 0 + pshufd xmm2, xmm2, 170 + vpslldq xmm4, xmm3, 4 + pxor xmm3, xmm4 + vpslldq xmm4, xmm3, 4 + pxor xmm3, xmm4 + vpslldq xmm4, xmm3, 4 + pxor xmm3, xmm4 + pxor xmm3, xmm2 + movdqu xmmword ptr [rdx + 144], xmm3 + aeskeygenassist xmm2, xmm3, 16 + pshufd xmm2, xmm2, 255 + vpslldq xmm4, xmm1, 4 + pxor xmm1, xmm4 + vpslldq xmm4, xmm1, 4 + pxor xmm1, xmm4 + vpslldq xmm4, xmm1, 4 + pxor xmm1, xmm4 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 160], xmm1 + aeskeygenassist xmm2, xmm1, 0 + pshufd xmm2, xmm2, 170 + vpslldq xmm4, xmm3, 4 + pxor xmm3, xmm4 + vpslldq xmm4, xmm3, 4 + pxor xmm3, xmm4 + vpslldq xmm4, xmm3, 4 + pxor xmm3, xmm4 + pxor xmm3, xmm2 + movdqu xmmword ptr [rdx + 176], xmm3 + aeskeygenassist xmm2, xmm3, 32 + pshufd xmm2, xmm2, 255 + vpslldq xmm4, xmm1, 4 + pxor xmm1, xmm4 + vpslldq xmm4, xmm1, 4 + pxor xmm1, xmm4 + vpslldq xmm4, xmm1, 4 + pxor xmm1, xmm4 + pxor 
xmm1, xmm2 + movdqu xmmword ptr [rdx + 192], xmm1 + aeskeygenassist xmm2, xmm1, 0 + pshufd xmm2, xmm2, 170 + vpslldq xmm4, xmm3, 4 + pxor xmm3, xmm4 + vpslldq xmm4, xmm3, 4 + pxor xmm3, xmm4 + vpslldq xmm4, xmm3, 4 + pxor xmm3, xmm4 + pxor xmm3, xmm2 + movdqu xmmword ptr [rdx + 208], xmm3 + aeskeygenassist xmm2, xmm3, 64 + pshufd xmm2, xmm2, 255 + vpslldq xmm4, xmm1, 4 + pxor xmm1, xmm4 + vpslldq xmm4, xmm1, 4 + pxor xmm1, xmm4 + vpslldq xmm4, xmm1, 4 + pxor xmm1, xmm4 + pxor xmm1, xmm2 + movdqu xmmword ptr [rdx + 224], xmm1 + pxor xmm1, xmm1 + pxor xmm2, xmm2 + pxor xmm3, xmm3 + pxor xmm4, xmm4 + ret +aes256_key_expansion endp +ALIGN 16 +aes256_keyhash_init proc + mov r8, 579005069656919567 + pinsrq xmm4, r8, 0 + mov r8, 283686952306183 + pinsrq xmm4, r8, 1 + pxor xmm0, xmm0 + movdqu xmmword ptr [rdx + 80], xmm0 + mov r8, rcx + movdqu xmm2, xmmword ptr [r8 + 0] + pxor xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 16] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 32] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 48] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 64] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 80] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 96] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 112] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 128] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 144] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 160] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 176] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 192] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 208] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 224] + aesenclast xmm0, xmm2 + pxor xmm2, xmm2 + pshufb xmm0, xmm4 + mov rcx, rdx + movdqu xmmword ptr [rcx + 32], xmm0 + movdqu xmm0, xmm6 + mov rax, r12 + movdqu xmm1, xmmword ptr [rcx + 32] + movdqu xmm6, xmm1 + movdqu xmm3, xmm1 + pxor xmm4, xmm4 + pxor xmm5, xmm5 + mov r12, 3254779904 + pinsrd xmm4, r12d, 3 + mov r12, 
1 + pinsrd xmm4, r12d, 0 + mov r12, 2147483648 + pinsrd xmm5, r12d, 3 + movdqu xmm1, xmm3 + movdqu xmm2, xmm1 + psrld xmm2, 31 + pslld xmm1, 1 + vpslldq xmm2, xmm2, 4 + pxor xmm1, xmm2 + pand xmm3, xmm5 + pcmpeqd xmm3, xmm5 + pshufd xmm3, xmm3, 255 + pand xmm3, xmm4 + vpxor xmm1, xmm1, xmm3 + movdqu xmmword ptr [rcx + 0], xmm1 + movdqu xmm1, xmm6 + movdqu xmm2, xmm6 + movdqu xmm5, xmm1 + pclmulqdq xmm1, xmm2, 16 + movdqu xmm3, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 1 + movdqu xmm4, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 0 + pclmulqdq xmm5, xmm2, 17 + movdqu xmm2, xmm5 + movdqu xmm5, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm4 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 3 + pshufd xmm1, xmm1, 79 + mov r12, 0 + pinsrd xmm4, r12d, 3 + pshufd xmm4, xmm4, 79 + pxor xmm1, xmm4 + pxor xmm1, xmm5 + movdqu xmm3, xmm1 + psrld xmm3, 31 + movdqu xmm4, xmm2 + psrld xmm4, 31 + pslld xmm1, 1 + pslld xmm2, 1 + vpslldq xmm5, xmm3, 4 + vpslldq xmm4, xmm4, 4 + mov r12, 0 + pinsrd xmm3, r12d, 0 + pshufd xmm3, xmm3, 3 + pxor xmm3, xmm4 + pxor xmm1, xmm5 + pxor xmm2, xmm3 + movdqu xmm6, xmm2 + pxor xmm2, xmm2 + mov r12, 3774873600 + pinsrd xmm2, r12d, 3 + movdqu xmm5, xmm1 + pclmulqdq xmm1, xmm2, 16 + movdqu xmm3, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 1 + movdqu xmm4, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 0 + pclmulqdq xmm5, xmm2, 17 + movdqu xmm2, xmm5 + movdqu xmm5, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm4 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 3 + pshufd xmm1, xmm1, 79 + mov r12, 0 + pinsrd xmm4, r12d, 3 + pshufd xmm4, xmm4, 79 + pxor xmm1, xmm4 + pxor xmm1, xmm5 + movdqu xmm3, xmm1 + psrld xmm3, 31 + 
movdqu xmm4, xmm2 + psrld xmm4, 31 + pslld xmm1, 1 + pslld xmm2, 1 + vpslldq xmm5, xmm3, 4 + vpslldq xmm4, xmm4, 4 + mov r12, 0 + pinsrd xmm3, r12d, 0 + pshufd xmm3, xmm3, 3 + pxor xmm3, xmm4 + pxor xmm1, xmm5 + pxor xmm2, xmm3 + movdqu xmm5, xmm2 + pxor xmm2, xmm2 + mov r12, 3774873600 + pinsrd xmm2, r12d, 3 + pclmulqdq xmm1, xmm2, 17 + movdqu xmm2, xmm1 + psrld xmm2, 31 + pslld xmm1, 1 + vpslldq xmm2, xmm2, 4 + pxor xmm1, xmm2 + pxor xmm1, xmm5 + pxor xmm1, xmm6 + movdqu xmm6, xmm1 + movdqu xmm3, xmm1 + pxor xmm4, xmm4 + pxor xmm5, xmm5 + mov r12, 3254779904 + pinsrd xmm4, r12d, 3 + mov r12, 1 + pinsrd xmm4, r12d, 0 + mov r12, 2147483648 + pinsrd xmm5, r12d, 3 + movdqu xmm1, xmm3 + movdqu xmm2, xmm1 + psrld xmm2, 31 + pslld xmm1, 1 + vpslldq xmm2, xmm2, 4 + pxor xmm1, xmm2 + pand xmm3, xmm5 + pcmpeqd xmm3, xmm5 + pshufd xmm3, xmm3, 255 + pand xmm3, xmm4 + vpxor xmm1, xmm1, xmm3 + movdqu xmmword ptr [rcx + 16], xmm1 + movdqu xmm2, xmm6 + movdqu xmm1, xmmword ptr [rcx + 32] + movdqu xmm5, xmm1 + pclmulqdq xmm1, xmm2, 16 + movdqu xmm3, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 1 + movdqu xmm4, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 0 + pclmulqdq xmm5, xmm2, 17 + movdqu xmm2, xmm5 + movdqu xmm5, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm4 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 3 + pshufd xmm1, xmm1, 79 + mov r12, 0 + pinsrd xmm4, r12d, 3 + pshufd xmm4, xmm4, 79 + pxor xmm1, xmm4 + pxor xmm1, xmm5 + movdqu xmm3, xmm1 + psrld xmm3, 31 + movdqu xmm4, xmm2 + psrld xmm4, 31 + pslld xmm1, 1 + pslld xmm2, 1 + vpslldq xmm5, xmm3, 4 + vpslldq xmm4, xmm4, 4 + mov r12, 0 + pinsrd xmm3, r12d, 0 + pshufd xmm3, xmm3, 3 + pxor xmm3, xmm4 + pxor xmm1, xmm5 + pxor xmm2, xmm3 + movdqu xmm6, xmm2 + pxor xmm2, xmm2 + mov r12, 3774873600 + pinsrd xmm2, r12d, 3 + movdqu xmm5, xmm1 + pclmulqdq xmm1, 
xmm2, 16 + movdqu xmm3, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 1 + movdqu xmm4, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 0 + pclmulqdq xmm5, xmm2, 17 + movdqu xmm2, xmm5 + movdqu xmm5, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm4 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 3 + pshufd xmm1, xmm1, 79 + mov r12, 0 + pinsrd xmm4, r12d, 3 + pshufd xmm4, xmm4, 79 + pxor xmm1, xmm4 + pxor xmm1, xmm5 + movdqu xmm3, xmm1 + psrld xmm3, 31 + movdqu xmm4, xmm2 + psrld xmm4, 31 + pslld xmm1, 1 + pslld xmm2, 1 + vpslldq xmm5, xmm3, 4 + vpslldq xmm4, xmm4, 4 + mov r12, 0 + pinsrd xmm3, r12d, 0 + pshufd xmm3, xmm3, 3 + pxor xmm3, xmm4 + pxor xmm1, xmm5 + pxor xmm2, xmm3 + movdqu xmm5, xmm2 + pxor xmm2, xmm2 + mov r12, 3774873600 + pinsrd xmm2, r12d, 3 + pclmulqdq xmm1, xmm2, 17 + movdqu xmm2, xmm1 + psrld xmm2, 31 + pslld xmm1, 1 + vpslldq xmm2, xmm2, 4 + pxor xmm1, xmm2 + pxor xmm1, xmm5 + pxor xmm1, xmm6 + movdqu xmm6, xmm1 + movdqu xmm3, xmm1 + pxor xmm4, xmm4 + pxor xmm5, xmm5 + mov r12, 3254779904 + pinsrd xmm4, r12d, 3 + mov r12, 1 + pinsrd xmm4, r12d, 0 + mov r12, 2147483648 + pinsrd xmm5, r12d, 3 + movdqu xmm1, xmm3 + movdqu xmm2, xmm1 + psrld xmm2, 31 + pslld xmm1, 1 + vpslldq xmm2, xmm2, 4 + pxor xmm1, xmm2 + pand xmm3, xmm5 + pcmpeqd xmm3, xmm5 + pshufd xmm3, xmm3, 255 + pand xmm3, xmm4 + vpxor xmm1, xmm1, xmm3 + movdqu xmmword ptr [rcx + 48], xmm1 + movdqu xmm2, xmm6 + movdqu xmm1, xmmword ptr [rcx + 32] + movdqu xmm5, xmm1 + pclmulqdq xmm1, xmm2, 16 + movdqu xmm3, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 1 + movdqu xmm4, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 0 + pclmulqdq xmm5, xmm2, 17 + movdqu xmm2, xmm5 + movdqu xmm5, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm4 + mov r12, 0 + pinsrd xmm1, 
r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 3 + pshufd xmm1, xmm1, 79 + mov r12, 0 + pinsrd xmm4, r12d, 3 + pshufd xmm4, xmm4, 79 + pxor xmm1, xmm4 + pxor xmm1, xmm5 + movdqu xmm3, xmm1 + psrld xmm3, 31 + movdqu xmm4, xmm2 + psrld xmm4, 31 + pslld xmm1, 1 + pslld xmm2, 1 + vpslldq xmm5, xmm3, 4 + vpslldq xmm4, xmm4, 4 + mov r12, 0 + pinsrd xmm3, r12d, 0 + pshufd xmm3, xmm3, 3 + pxor xmm3, xmm4 + pxor xmm1, xmm5 + pxor xmm2, xmm3 + movdqu xmm6, xmm2 + pxor xmm2, xmm2 + mov r12, 3774873600 + pinsrd xmm2, r12d, 3 + movdqu xmm5, xmm1 + pclmulqdq xmm1, xmm2, 16 + movdqu xmm3, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 1 + movdqu xmm4, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 0 + pclmulqdq xmm5, xmm2, 17 + movdqu xmm2, xmm5 + movdqu xmm5, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm4 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 3 + pshufd xmm1, xmm1, 79 + mov r12, 0 + pinsrd xmm4, r12d, 3 + pshufd xmm4, xmm4, 79 + pxor xmm1, xmm4 + pxor xmm1, xmm5 + movdqu xmm3, xmm1 + psrld xmm3, 31 + movdqu xmm4, xmm2 + psrld xmm4, 31 + pslld xmm1, 1 + pslld xmm2, 1 + vpslldq xmm5, xmm3, 4 + vpslldq xmm4, xmm4, 4 + mov r12, 0 + pinsrd xmm3, r12d, 0 + pshufd xmm3, xmm3, 3 + pxor xmm3, xmm4 + pxor xmm1, xmm5 + pxor xmm2, xmm3 + movdqu xmm5, xmm2 + pxor xmm2, xmm2 + mov r12, 3774873600 + pinsrd xmm2, r12d, 3 + pclmulqdq xmm1, xmm2, 17 + movdqu xmm2, xmm1 + psrld xmm2, 31 + pslld xmm1, 1 + vpslldq xmm2, xmm2, 4 + pxor xmm1, xmm2 + pxor xmm1, xmm5 + pxor xmm1, xmm6 + movdqu xmm6, xmm1 + movdqu xmm3, xmm1 + pxor xmm4, xmm4 + pxor xmm5, xmm5 + mov r12, 3254779904 + pinsrd xmm4, r12d, 3 + mov r12, 1 + pinsrd xmm4, r12d, 0 + mov r12, 2147483648 + pinsrd xmm5, r12d, 3 + movdqu xmm1, xmm3 + movdqu xmm2, xmm1 + psrld xmm2, 31 + pslld xmm1, 1 + vpslldq xmm2, xmm2, 
4 + pxor xmm1, xmm2 + pand xmm3, xmm5 + pcmpeqd xmm3, xmm5 + pshufd xmm3, xmm3, 255 + pand xmm3, xmm4 + vpxor xmm1, xmm1, xmm3 + movdqu xmmword ptr [rcx + 64], xmm1 + movdqu xmm2, xmm6 + movdqu xmm1, xmmword ptr [rcx + 32] + movdqu xmm5, xmm1 + pclmulqdq xmm1, xmm2, 16 + movdqu xmm3, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 1 + movdqu xmm4, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 0 + pclmulqdq xmm5, xmm2, 17 + movdqu xmm2, xmm5 + movdqu xmm5, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm4 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 3 + pshufd xmm1, xmm1, 79 + mov r12, 0 + pinsrd xmm4, r12d, 3 + pshufd xmm4, xmm4, 79 + pxor xmm1, xmm4 + pxor xmm1, xmm5 + movdqu xmm3, xmm1 + psrld xmm3, 31 + movdqu xmm4, xmm2 + psrld xmm4, 31 + pslld xmm1, 1 + pslld xmm2, 1 + vpslldq xmm5, xmm3, 4 + vpslldq xmm4, xmm4, 4 + mov r12, 0 + pinsrd xmm3, r12d, 0 + pshufd xmm3, xmm3, 3 + pxor xmm3, xmm4 + pxor xmm1, xmm5 + pxor xmm2, xmm3 + movdqu xmm6, xmm2 + pxor xmm2, xmm2 + mov r12, 3774873600 + pinsrd xmm2, r12d, 3 + movdqu xmm5, xmm1 + pclmulqdq xmm1, xmm2, 16 + movdqu xmm3, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 1 + movdqu xmm4, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 0 + pclmulqdq xmm5, xmm2, 17 + movdqu xmm2, xmm5 + movdqu xmm5, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm4 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 3 + pshufd xmm1, xmm1, 79 + mov r12, 0 + pinsrd xmm4, r12d, 3 + pshufd xmm4, xmm4, 79 + pxor xmm1, xmm4 + pxor xmm1, xmm5 + movdqu xmm3, xmm1 + psrld xmm3, 31 + movdqu xmm4, xmm2 + psrld xmm4, 31 + pslld xmm1, 1 + pslld xmm2, 1 + vpslldq xmm5, xmm3, 4 + vpslldq xmm4, xmm4, 4 + mov r12, 0 + pinsrd xmm3, r12d, 0 
+ pshufd xmm3, xmm3, 3 + pxor xmm3, xmm4 + pxor xmm1, xmm5 + pxor xmm2, xmm3 + movdqu xmm5, xmm2 + pxor xmm2, xmm2 + mov r12, 3774873600 + pinsrd xmm2, r12d, 3 + pclmulqdq xmm1, xmm2, 17 + movdqu xmm2, xmm1 + psrld xmm2, 31 + pslld xmm1, 1 + vpslldq xmm2, xmm2, 4 + pxor xmm1, xmm2 + pxor xmm1, xmm5 + pxor xmm1, xmm6 + movdqu xmm6, xmm1 + movdqu xmm3, xmm1 + pxor xmm4, xmm4 + pxor xmm5, xmm5 + mov r12, 3254779904 + pinsrd xmm4, r12d, 3 + mov r12, 1 + pinsrd xmm4, r12d, 0 + mov r12, 2147483648 + pinsrd xmm5, r12d, 3 + movdqu xmm1, xmm3 + movdqu xmm2, xmm1 + psrld xmm2, 31 + pslld xmm1, 1 + vpslldq xmm2, xmm2, 4 + pxor xmm1, xmm2 + pand xmm3, xmm5 + pcmpeqd xmm3, xmm5 + pshufd xmm3, xmm3, 255 + pand xmm3, xmm4 + vpxor xmm1, xmm1, xmm3 + movdqu xmmword ptr [rcx + 96], xmm1 + movdqu xmm2, xmm6 + movdqu xmm1, xmmword ptr [rcx + 32] + movdqu xmm5, xmm1 + pclmulqdq xmm1, xmm2, 16 + movdqu xmm3, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 1 + movdqu xmm4, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 0 + pclmulqdq xmm5, xmm2, 17 + movdqu xmm2, xmm5 + movdqu xmm5, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm4 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 3 + pshufd xmm1, xmm1, 79 + mov r12, 0 + pinsrd xmm4, r12d, 3 + pshufd xmm4, xmm4, 79 + pxor xmm1, xmm4 + pxor xmm1, xmm5 + movdqu xmm3, xmm1 + psrld xmm3, 31 + movdqu xmm4, xmm2 + psrld xmm4, 31 + pslld xmm1, 1 + pslld xmm2, 1 + vpslldq xmm5, xmm3, 4 + vpslldq xmm4, xmm4, 4 + mov r12, 0 + pinsrd xmm3, r12d, 0 + pshufd xmm3, xmm3, 3 + pxor xmm3, xmm4 + pxor xmm1, xmm5 + pxor xmm2, xmm3 + movdqu xmm6, xmm2 + pxor xmm2, xmm2 + mov r12, 3774873600 + pinsrd xmm2, r12d, 3 + movdqu xmm5, xmm1 + pclmulqdq xmm1, xmm2, 16 + movdqu xmm3, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 1 + movdqu xmm4, xmm1 + movdqu xmm1, xmm5 + pclmulqdq xmm1, xmm2, 0 + pclmulqdq 
xmm5, xmm2, 17 + movdqu xmm2, xmm5 + movdqu xmm5, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm4 + mov r12, 0 + pinsrd xmm1, r12d, 0 + pshufd xmm1, xmm1, 14 + pxor xmm2, xmm1 + movdqu xmm1, xmm3 + mov r12, 0 + pinsrd xmm1, r12d, 3 + pshufd xmm1, xmm1, 79 + mov r12, 0 + pinsrd xmm4, r12d, 3 + pshufd xmm4, xmm4, 79 + pxor xmm1, xmm4 + pxor xmm1, xmm5 + movdqu xmm3, xmm1 + psrld xmm3, 31 + movdqu xmm4, xmm2 + psrld xmm4, 31 + pslld xmm1, 1 + pslld xmm2, 1 + vpslldq xmm5, xmm3, 4 + vpslldq xmm4, xmm4, 4 + mov r12, 0 + pinsrd xmm3, r12d, 0 + pshufd xmm3, xmm3, 3 + pxor xmm3, xmm4 + pxor xmm1, xmm5 + pxor xmm2, xmm3 + movdqu xmm5, xmm2 + pxor xmm2, xmm2 + mov r12, 3774873600 + pinsrd xmm2, r12d, 3 + pclmulqdq xmm1, xmm2, 17 + movdqu xmm2, xmm1 + psrld xmm2, 31 + pslld xmm1, 1 + vpslldq xmm2, xmm2, 4 + pxor xmm1, xmm2 + pxor xmm1, xmm5 + pxor xmm1, xmm6 + movdqu xmm6, xmm1 + movdqu xmm3, xmm1 + pxor xmm4, xmm4 + pxor xmm5, xmm5 + mov r12, 3254779904 + pinsrd xmm4, r12d, 3 + mov r12, 1 + pinsrd xmm4, r12d, 0 + mov r12, 2147483648 + pinsrd xmm5, r12d, 3 + movdqu xmm1, xmm3 + movdqu xmm2, xmm1 + psrld xmm2, 31 + pslld xmm1, 1 + vpslldq xmm2, xmm2, 4 + pxor xmm1, xmm2 + pand xmm3, xmm5 + pcmpeqd xmm3, xmm5 + pshufd xmm3, xmm3, 255 + pand xmm3, xmm4 + vpxor xmm1, xmm1, xmm3 + movdqu xmmword ptr [rcx + 112], xmm1 + movdqu xmm6, xmm0 + mov r12, rax + ret +aes256_keyhash_init endp +ALIGN 16 +gctr128_bytes proc + push r15 + push r14 + push r13 + push r12 + push rsi + push rdi + push rbp + push rbx + pextrq rax, xmm15, 0 + push rax + pextrq rax, xmm15, 1 + push rax + pextrq rax, xmm14, 0 + push rax + pextrq rax, xmm14, 1 + push rax + pextrq rax, xmm13, 0 + push rax + pextrq rax, xmm13, 1 + push rax + pextrq rax, xmm12, 0 + push rax + pextrq rax, xmm12, 1 + push rax + pextrq rax, xmm11, 0 + push rax + pextrq rax, xmm11, 1 + push rax + pextrq rax, xmm10, 0 + push rax + pextrq rax, xmm10, 1 + push rax + pextrq 
rax, xmm9, 0 + push rax + pextrq rax, xmm9, 1 + push rax + pextrq rax, xmm8, 0 + push rax + pextrq rax, xmm8, 1 + push rax + pextrq rax, xmm7, 0 + push rax + pextrq rax, xmm7, 1 + push rax + pextrq rax, xmm6, 0 + push rax + pextrq rax, xmm6, 1 + push rax + mov rax, qword ptr [rsp + 272] + movdqu xmm7, xmmword ptr [rax + 0] + mov rax, rcx + mov rbx, r8 + mov rsi, rdx + mov r13, r9 + mov r8, qword ptr [rsp + 264] + mov rcx, qword ptr [rsp + 280] + mov rbp, rcx + imul rbp, 16 + mov r12, 579005069656919567 + pinsrq xmm8, r12, 0 + mov r12, 283686952306183 + pinsrq xmm8, r12, 1 + mov rdx, rcx + shr rdx, 2 + and rcx, 3 + cmp rdx, 0 + jbe L0 + mov r9, rax + mov r10, rbx + pshufb xmm7, xmm8 + movdqu xmm9, xmm7 + mov rax, 579005069656919567 + pinsrq xmm0, rax, 0 + mov rax, 579005069656919567 + pinsrq xmm0, rax, 1 + pshufb xmm9, xmm0 + movdqu xmm10, xmm9 + pxor xmm3, xmm3 + mov rax, 1 + pinsrd xmm3, eax, 2 + paddd xmm9, xmm3 + mov rax, 3 + pinsrd xmm3, eax, 2 + mov rax, 2 + pinsrd xmm3, eax, 0 + paddd xmm10, xmm3 + pshufb xmm9, xmm8 + pshufb xmm10, xmm8 + pextrq rdi, xmm7, 0 + mov rax, 283686952306183 + pinsrq xmm0, rax, 0 + mov rax, 579005069656919567 + pinsrq xmm0, rax, 1 + pxor xmm15, xmm15 + mov rax, 4 + pinsrd xmm15, eax, 0 + mov rax, 4 + pinsrd xmm15, eax, 2 + jmp L3 +ALIGN 16 +L2: + pinsrq xmm2, rdi, 0 + pinsrq xmm12, rdi, 0 + pinsrq xmm13, rdi, 0 + pinsrq xmm14, rdi, 0 + shufpd xmm2, xmm9, 2 + shufpd xmm12, xmm9, 0 + shufpd xmm13, xmm10, 2 + shufpd xmm14, xmm10, 0 + pshufb xmm9, xmm0 + pshufb xmm10, xmm0 + movdqu xmm3, xmmword ptr [r8 + 0] + movdqu xmm4, xmmword ptr [r8 + 16] + movdqu xmm5, xmmword ptr [r8 + 32] + movdqu xmm6, xmmword ptr [r8 + 48] + paddd xmm9, xmm15 + paddd xmm10, xmm15 + pxor xmm2, xmm3 + pxor xmm12, xmm3 + pxor xmm13, xmm3 + pxor xmm14, xmm3 + pshufb xmm9, xmm0 + pshufb xmm10, xmm0 + aesenc xmm2, xmm4 + aesenc xmm12, xmm4 + aesenc xmm13, xmm4 + aesenc xmm14, xmm4 + aesenc xmm2, xmm5 + aesenc xmm12, xmm5 + aesenc xmm13, xmm5 + aesenc xmm14, xmm5 + 
aesenc xmm2, xmm6 + aesenc xmm12, xmm6 + aesenc xmm13, xmm6 + aesenc xmm14, xmm6 + movdqu xmm3, xmmword ptr [r8 + 64] + movdqu xmm4, xmmword ptr [r8 + 80] + movdqu xmm5, xmmword ptr [r8 + 96] + movdqu xmm6, xmmword ptr [r8 + 112] + aesenc xmm2, xmm3 + aesenc xmm12, xmm3 + aesenc xmm13, xmm3 + aesenc xmm14, xmm3 + aesenc xmm2, xmm4 + aesenc xmm12, xmm4 + aesenc xmm13, xmm4 + aesenc xmm14, xmm4 + aesenc xmm2, xmm5 + aesenc xmm12, xmm5 + aesenc xmm13, xmm5 + aesenc xmm14, xmm5 + aesenc xmm2, xmm6 + aesenc xmm12, xmm6 + aesenc xmm13, xmm6 + aesenc xmm14, xmm6 + movdqu xmm3, xmmword ptr [r8 + 128] + movdqu xmm4, xmmword ptr [r8 + 144] + movdqu xmm5, xmmword ptr [r8 + 160] + aesenc xmm2, xmm3 + aesenc xmm12, xmm3 + aesenc xmm13, xmm3 + aesenc xmm14, xmm3 + aesenc xmm2, xmm4 + aesenc xmm12, xmm4 + aesenc xmm13, xmm4 + aesenc xmm14, xmm4 + aesenclast xmm2, xmm5 + aesenclast xmm12, xmm5 + aesenclast xmm13, xmm5 + aesenclast xmm14, xmm5 + movdqu xmm7, xmmword ptr [r9 + 0] + pxor xmm2, xmm7 + movdqu xmm7, xmmword ptr [r9 + 16] + pxor xmm12, xmm7 + movdqu xmm7, xmmword ptr [r9 + 32] + pxor xmm13, xmm7 + movdqu xmm7, xmmword ptr [r9 + 48] + pxor xmm14, xmm7 + movdqu xmmword ptr [r10 + 0], xmm2 + movdqu xmmword ptr [r10 + 16], xmm12 + movdqu xmmword ptr [r10 + 32], xmm13 + movdqu xmmword ptr [r10 + 48], xmm14 + sub rdx, 1 + add r9, 64 + add r10, 64 +ALIGN 16 +L3: + cmp rdx, 0 + ja L2 + movdqu xmm7, xmm9 + pinsrq xmm7, rdi, 0 + pshufb xmm7, xmm8 + mov rax, r9 + mov rbx, r10 + jmp L1 +L0: +L1: + mov rdx, 0 + mov r9, rax + mov r10, rbx + pxor xmm4, xmm4 + mov r12, 1 + pinsrd xmm4, r12d, 0 + jmp L5 +ALIGN 16 +L4: + movdqu xmm0, xmm7 + pshufb xmm0, xmm8 + movdqu xmm2, xmmword ptr [r8 + 0] + pxor xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 16] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 32] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 48] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 64] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 80] + aesenc xmm0, 
xmm2 + movdqu xmm2, xmmword ptr [r8 + 96] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 112] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 128] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 144] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 160] + aesenclast xmm0, xmm2 + pxor xmm2, xmm2 + movdqu xmm2, xmmword ptr [r9 + 0] + pxor xmm2, xmm0 + movdqu xmmword ptr [r10 + 0], xmm2 + add rdx, 1 + add r9, 16 + add r10, 16 + paddd xmm7, xmm4 +ALIGN 16 +L5: + cmp rdx, rcx + jne L4 + cmp rsi, rbp + jbe L6 + movdqu xmm1, xmmword ptr [r13 + 0] + movdqu xmm0, xmm7 + mov r12, 579005069656919567 + pinsrq xmm2, r12, 0 + mov r12, 283686952306183 + pinsrq xmm2, r12, 1 + pshufb xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 0] + pxor xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 16] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 32] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 48] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 64] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 80] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 96] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 112] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 128] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 144] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 160] + aesenclast xmm0, xmm2 + pxor xmm2, xmm2 + pxor xmm1, xmm0 + movdqu xmmword ptr [r13 + 0], xmm1 + jmp L7 +L6: +L7: + pop rax + pinsrq xmm6, rax, 1 + pop rax + pinsrq xmm6, rax, 0 + pop rax + pinsrq xmm7, rax, 1 + pop rax + pinsrq xmm7, rax, 0 + pop rax + pinsrq xmm8, rax, 1 + pop rax + pinsrq xmm8, rax, 0 + pop rax + pinsrq xmm9, rax, 1 + pop rax + pinsrq xmm9, rax, 0 + pop rax + pinsrq xmm10, rax, 1 + pop rax + pinsrq xmm10, rax, 0 + pop rax + pinsrq xmm11, rax, 1 + pop rax + pinsrq xmm11, rax, 0 + pop rax + pinsrq xmm12, rax, 1 + pop rax + pinsrq xmm12, rax, 0 + pop rax + pinsrq xmm13, rax, 1 + pop rax + pinsrq xmm13, rax, 0 + pop rax + pinsrq xmm14, rax, 1 + pop rax + 
pinsrq xmm14, rax, 0 + pop rax + pinsrq xmm15, rax, 1 + pop rax + pinsrq xmm15, rax, 0 + pop rbx + pop rbp + pop rdi + pop rsi + pop r12 + pop r13 + pop r14 + pop r15 + ret +gctr128_bytes endp +ALIGN 16 +gctr256_bytes proc + push r15 + push r14 + push r13 + push r12 + push rsi + push rdi + push rbp + push rbx + pextrq rax, xmm15, 0 + push rax + pextrq rax, xmm15, 1 + push rax + pextrq rax, xmm14, 0 + push rax + pextrq rax, xmm14, 1 + push rax + pextrq rax, xmm13, 0 + push rax + pextrq rax, xmm13, 1 + push rax + pextrq rax, xmm12, 0 + push rax + pextrq rax, xmm12, 1 + push rax + pextrq rax, xmm11, 0 + push rax + pextrq rax, xmm11, 1 + push rax + pextrq rax, xmm10, 0 + push rax + pextrq rax, xmm10, 1 + push rax + pextrq rax, xmm9, 0 + push rax + pextrq rax, xmm9, 1 + push rax + pextrq rax, xmm8, 0 + push rax + pextrq rax, xmm8, 1 + push rax + pextrq rax, xmm7, 0 + push rax + pextrq rax, xmm7, 1 + push rax + pextrq rax, xmm6, 0 + push rax + pextrq rax, xmm6, 1 + push rax + mov rax, qword ptr [rsp + 272] + movdqu xmm7, xmmword ptr [rax + 0] + mov rax, rcx + mov rbx, r8 + mov rsi, rdx + mov r13, r9 + mov r8, qword ptr [rsp + 264] + mov rcx, qword ptr [rsp + 280] + mov rbp, rcx + imul rbp, 16 + mov r12, 579005069656919567 + pinsrq xmm8, r12, 0 + mov r12, 283686952306183 + pinsrq xmm8, r12, 1 + mov rdx, rcx + shr rdx, 2 + and rcx, 3 + cmp rdx, 0 + jbe L8 + mov r9, rax + mov r10, rbx + pshufb xmm7, xmm8 + movdqu xmm9, xmm7 + mov rax, 579005069656919567 + pinsrq xmm0, rax, 0 + mov rax, 579005069656919567 + pinsrq xmm0, rax, 1 + pshufb xmm9, xmm0 + movdqu xmm10, xmm9 + pxor xmm3, xmm3 + mov rax, 1 + pinsrd xmm3, eax, 2 + paddd xmm9, xmm3 + mov rax, 3 + pinsrd xmm3, eax, 2 + mov rax, 2 + pinsrd xmm3, eax, 0 + paddd xmm10, xmm3 + pshufb xmm9, xmm8 + pshufb xmm10, xmm8 + pextrq rdi, xmm7, 0 + mov rax, 283686952306183 + pinsrq xmm0, rax, 0 + mov rax, 579005069656919567 + pinsrq xmm0, rax, 1 + pxor xmm15, xmm15 + mov rax, 4 + pinsrd xmm15, eax, 0 + mov rax, 4 + pinsrd xmm15, eax, 
2 + jmp L11 +ALIGN 16 +L10: + pinsrq xmm2, rdi, 0 + pinsrq xmm12, rdi, 0 + pinsrq xmm13, rdi, 0 + pinsrq xmm14, rdi, 0 + shufpd xmm2, xmm9, 2 + shufpd xmm12, xmm9, 0 + shufpd xmm13, xmm10, 2 + shufpd xmm14, xmm10, 0 + pshufb xmm9, xmm0 + pshufb xmm10, xmm0 + movdqu xmm3, xmmword ptr [r8 + 0] + movdqu xmm4, xmmword ptr [r8 + 16] + movdqu xmm5, xmmword ptr [r8 + 32] + movdqu xmm6, xmmword ptr [r8 + 48] + paddd xmm9, xmm15 + paddd xmm10, xmm15 + pxor xmm2, xmm3 + pxor xmm12, xmm3 + pxor xmm13, xmm3 + pxor xmm14, xmm3 + pshufb xmm9, xmm0 + pshufb xmm10, xmm0 + aesenc xmm2, xmm4 + aesenc xmm12, xmm4 + aesenc xmm13, xmm4 + aesenc xmm14, xmm4 + aesenc xmm2, xmm5 + aesenc xmm12, xmm5 + aesenc xmm13, xmm5 + aesenc xmm14, xmm5 + aesenc xmm2, xmm6 + aesenc xmm12, xmm6 + aesenc xmm13, xmm6 + aesenc xmm14, xmm6 + movdqu xmm3, xmmword ptr [r8 + 64] + movdqu xmm4, xmmword ptr [r8 + 80] + movdqu xmm5, xmmword ptr [r8 + 96] + movdqu xmm6, xmmword ptr [r8 + 112] + aesenc xmm2, xmm3 + aesenc xmm12, xmm3 + aesenc xmm13, xmm3 + aesenc xmm14, xmm3 + aesenc xmm2, xmm4 + aesenc xmm12, xmm4 + aesenc xmm13, xmm4 + aesenc xmm14, xmm4 + aesenc xmm2, xmm5 + aesenc xmm12, xmm5 + aesenc xmm13, xmm5 + aesenc xmm14, xmm5 + aesenc xmm2, xmm6 + aesenc xmm12, xmm6 + aesenc xmm13, xmm6 + aesenc xmm14, xmm6 + movdqu xmm3, xmmword ptr [r8 + 128] + movdqu xmm4, xmmword ptr [r8 + 144] + movdqu xmm5, xmmword ptr [r8 + 160] + aesenc xmm2, xmm3 + aesenc xmm12, xmm3 + aesenc xmm13, xmm3 + aesenc xmm14, xmm3 + aesenc xmm2, xmm4 + aesenc xmm12, xmm4 + aesenc xmm13, xmm4 + aesenc xmm14, xmm4 + movdqu xmm3, xmm5 + movdqu xmm4, xmmword ptr [r8 + 176] + movdqu xmm5, xmmword ptr [r8 + 192] + movdqu xmm6, xmmword ptr [r8 + 208] + aesenc xmm2, xmm3 + aesenc xmm12, xmm3 + aesenc xmm13, xmm3 + aesenc xmm14, xmm3 + aesenc xmm2, xmm4 + aesenc xmm12, xmm4 + aesenc xmm13, xmm4 + aesenc xmm14, xmm4 + aesenc xmm2, xmm5 + aesenc xmm12, xmm5 + aesenc xmm13, xmm5 + aesenc xmm14, xmm5 + aesenc xmm2, xmm6 + aesenc xmm12, xmm6 + 
aesenc xmm13, xmm6 + aesenc xmm14, xmm6 + movdqu xmm5, xmmword ptr [r8 + 224] + aesenclast xmm2, xmm5 + aesenclast xmm12, xmm5 + aesenclast xmm13, xmm5 + aesenclast xmm14, xmm5 + movdqu xmm7, xmmword ptr [r9 + 0] + pxor xmm2, xmm7 + movdqu xmm7, xmmword ptr [r9 + 16] + pxor xmm12, xmm7 + movdqu xmm7, xmmword ptr [r9 + 32] + pxor xmm13, xmm7 + movdqu xmm7, xmmword ptr [r9 + 48] + pxor xmm14, xmm7 + movdqu xmmword ptr [r10 + 0], xmm2 + movdqu xmmword ptr [r10 + 16], xmm12 + movdqu xmmword ptr [r10 + 32], xmm13 + movdqu xmmword ptr [r10 + 48], xmm14 + sub rdx, 1 + add r9, 64 + add r10, 64 +ALIGN 16 +L11: + cmp rdx, 0 + ja L10 + movdqu xmm7, xmm9 + pinsrq xmm7, rdi, 0 + pshufb xmm7, xmm8 + mov rax, r9 + mov rbx, r10 + jmp L9 +L8: +L9: + mov rdx, 0 + mov r9, rax + mov r10, rbx + pxor xmm4, xmm4 + mov r12, 1 + pinsrd xmm4, r12d, 0 + jmp L13 +ALIGN 16 +L12: + movdqu xmm0, xmm7 + pshufb xmm0, xmm8 + movdqu xmm2, xmmword ptr [r8 + 0] + pxor xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 16] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 32] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 48] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 64] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 80] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 96] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 112] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 128] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 144] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 160] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 176] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 192] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 208] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 224] + aesenclast xmm0, xmm2 + pxor xmm2, xmm2 + movdqu xmm2, xmmword ptr [r9 + 0] + pxor xmm2, xmm0 + movdqu xmmword ptr [r10 + 0], xmm2 + add rdx, 1 + add r9, 16 + add r10, 16 + paddd xmm7, xmm4 +ALIGN 16 +L13: + cmp rdx, rcx + jne L12 + cmp rsi, rbp + jbe 
L14 + movdqu xmm1, xmmword ptr [r13 + 0] + movdqu xmm0, xmm7 + mov r12, 579005069656919567 + pinsrq xmm2, r12, 0 + mov r12, 283686952306183 + pinsrq xmm2, r12, 1 + pshufb xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 0] + pxor xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 16] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 32] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 48] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 64] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 80] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 96] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 112] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 128] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 144] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 160] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 176] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 192] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 208] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 224] + aesenclast xmm0, xmm2 + pxor xmm2, xmm2 + pxor xmm1, xmm0 + movdqu xmmword ptr [r13 + 0], xmm1 + jmp L15 +L14: +L15: + pop rax + pinsrq xmm6, rax, 1 + pop rax + pinsrq xmm6, rax, 0 + pop rax + pinsrq xmm7, rax, 1 + pop rax + pinsrq xmm7, rax, 0 + pop rax + pinsrq xmm8, rax, 1 + pop rax + pinsrq xmm8, rax, 0 + pop rax + pinsrq xmm9, rax, 1 + pop rax + pinsrq xmm9, rax, 0 + pop rax + pinsrq xmm10, rax, 1 + pop rax + pinsrq xmm10, rax, 0 + pop rax + pinsrq xmm11, rax, 1 + pop rax + pinsrq xmm11, rax, 0 + pop rax + pinsrq xmm12, rax, 1 + pop rax + pinsrq xmm12, rax, 0 + pop rax + pinsrq xmm13, rax, 1 + pop rax + pinsrq xmm13, rax, 0 + pop rax + pinsrq xmm14, rax, 1 + pop rax + pinsrq xmm14, rax, 0 + pop rax + pinsrq xmm15, rax, 1 + pop rax + pinsrq xmm15, rax, 0 + pop rbx + pop rbp + pop rdi + pop rsi + pop r12 + pop r13 + pop r14 + pop r15 + ret +gctr256_bytes endp +ALIGN 16 +compute_iv_stdcall proc + cmp rdx, 12 + jne L16 + push rdi + push rsi + mov rdi, rcx + 
mov rsi, rdx + mov rdx, r8 + mov rcx, r9 + mov r8, qword ptr [rsp + 56] + mov r9, qword ptr [rsp + 64] + cmp rsi, 12 + jne L18 + movdqu xmm0, xmmword ptr [r8 + 0] + mov rax, 579005069656919567 + pinsrq xmm1, rax, 0 + mov rax, 283686952306183 + pinsrq xmm1, rax, 1 + pshufb xmm0, xmm1 + mov rax, 1 + pinsrd xmm0, eax, 0 + movdqu xmmword ptr [rcx + 0], xmm0 + jmp L19 +L18: + mov rax, rcx + add r9, 32 + mov rbx, r8 + mov rcx, rdx + imul rcx, 16 + mov r10, 579005069656919567 + pinsrq xmm9, r10, 0 + mov r10, 283686952306183 + pinsrq xmm9, r10, 1 + pxor xmm8, xmm8 + mov r11, rdi + jmp L21 +ALIGN 16 +L20: + add r11, 80 + movdqu xmm5, xmmword ptr [r9 + -32] + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + movdqu xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + -16] + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 16] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + 
movdqu xmm1, xmmword ptr [r9 + 64] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 80] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + vpxor xmm4, xmm4, xmm1 + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + pxor xmm3, xmm3 + mov r10, 3254779904 + pinsrd xmm3, r10d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + add r11, 96 + sub rdx, 6 +ALIGN 16 +L21: + cmp rdx, 6 + jae L20 + cmp rdx, 0 + jbe L22 + mov r10, rdx + sub r10, 1 + imul r10, 16 + add r11, r10 + movdqu xmm5, xmmword ptr [r9 + -32] + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + cmp rdx, 1 + jne L24 + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm4, xmm1 + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + jmp L25 +L24: + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + movdqu xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + -16] + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 2 + je L26 + sub r11, 16 + vpclmulqdq 
xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 16] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 3 + je L28 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 4 + je L30 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 64] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + jmp L31 +L30: +L31: + jmp L29 +L28: +L29: + jmp L27 +L26: +L27: + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + vpxor xmm4, xmm4, xmm1 + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 +L25: + pxor xmm3, xmm3 + mov r10, 3254779904 + pinsrd xmm3, r10d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + jmp L23 +L22: +L23: + mov r15, rsi + cmp rsi, rcx + jbe L32 + movdqu xmm0, xmmword ptr [rbx + 0] + mov r10, rsi + and r10, 15 + cmp r10, 8 + jae L34 + mov rcx, 0 + pinsrq xmm0, rcx, 1 + mov rcx, 
r10 + shl rcx, 3 + mov r11, 1 + shl r11, cl + sub r11, 1 + pextrq rcx, xmm0, 0 + and rcx, r11 + pinsrq xmm0, rcx, 0 + jmp L35 +L34: + mov rcx, r10 + sub rcx, 8 + shl rcx, 3 + mov r11, 1 + shl r11, cl + sub r11, 1 + pextrq rcx, xmm0, 1 + and rcx, r11 + pinsrq xmm0, rcx, 1 +L35: + pshufb xmm0, xmm9 + movdqu xmm5, xmmword ptr [r9 + -32] + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm4, xmm1 + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + pxor xmm3, xmm3 + mov r11, 3254779904 + pinsrd xmm3, r11d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + jmp L33 +L32: +L33: + mov rcx, rax + mov r11, 0 + mov r13, rsi + pxor xmm0, xmm0 + mov rax, r11 + imul rax, 8 + pinsrq xmm0, rax, 1 + mov rax, r13 + imul rax, 8 + pinsrq xmm0, rax, 0 + movdqu xmm5, xmmword ptr [r9 + -32] + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm4, xmm1 + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + pxor xmm3, xmm3 + mov r11, 3254779904 + pinsrd xmm3, r11d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + movdqu xmmword ptr [rcx + 0], xmm8 +L19: + pop rsi + pop rdi + jmp L17 +L16: + push r15 + push r14 + push r13 + push r12 + push rsi + push rdi + push rbp + push rbx + pextrq rax, xmm15, 0 + push rax + pextrq rax, xmm15, 1 + push rax + pextrq rax, xmm14, 0 + 
push rax + pextrq rax, xmm14, 1 + push rax + pextrq rax, xmm13, 0 + push rax + pextrq rax, xmm13, 1 + push rax + pextrq rax, xmm12, 0 + push rax + pextrq rax, xmm12, 1 + push rax + pextrq rax, xmm11, 0 + push rax + pextrq rax, xmm11, 1 + push rax + pextrq rax, xmm10, 0 + push rax + pextrq rax, xmm10, 1 + push rax + pextrq rax, xmm9, 0 + push rax + pextrq rax, xmm9, 1 + push rax + pextrq rax, xmm8, 0 + push rax + pextrq rax, xmm8, 1 + push rax + pextrq rax, xmm7, 0 + push rax + pextrq rax, xmm7, 1 + push rax + pextrq rax, xmm6, 0 + push rax + pextrq rax, xmm6, 1 + push rax + mov rdi, rcx + mov rsi, rdx + mov rdx, r8 + mov rcx, r9 + mov r8, qword ptr [rsp + 264] + mov r9, qword ptr [rsp + 272] + cmp rsi, 12 + jne L36 + movdqu xmm0, xmmword ptr [r8 + 0] + mov rax, 579005069656919567 + pinsrq xmm1, rax, 0 + mov rax, 283686952306183 + pinsrq xmm1, rax, 1 + pshufb xmm0, xmm1 + mov rax, 1 + pinsrd xmm0, eax, 0 + movdqu xmmword ptr [rcx + 0], xmm0 + jmp L37 +L36: + mov rax, rcx + add r9, 32 + mov rbx, r8 + mov rcx, rdx + imul rcx, 16 + mov r10, 579005069656919567 + pinsrq xmm9, r10, 0 + mov r10, 283686952306183 + pinsrq xmm9, r10, 1 + pxor xmm8, xmm8 + mov r11, rdi + jmp L39 +ALIGN 16 +L38: + add r11, 80 + movdqu xmm5, xmmword ptr [r9 + -32] + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + movdqu xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + -16] + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 16] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, 
xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 64] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 80] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + vpxor xmm4, xmm4, xmm1 + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + pxor xmm3, xmm3 + mov r10, 3254779904 + pinsrd xmm3, r10d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + add r11, 96 + sub rdx, 6 +ALIGN 16 +L39: + cmp rdx, 6 + jae L38 + cmp rdx, 0 + jbe L40 + mov r10, rdx + sub r10, 1 + imul r10, 16 + add r11, r10 + movdqu xmm5, xmmword ptr [r9 + -32] + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + cmp rdx, 1 + jne L42 + vpxor xmm0, 
xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm4, xmm1 + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + jmp L43 +L42: + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + movdqu xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + -16] + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 2 + je L44 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 16] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 3 + je L46 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 4 + je L48 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 64] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + jmp L49 +L48: +L49: + jmp L47 +L46: +L47: + jmp L45 +L44: +L45: + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + vpxor xmm4, xmm4, xmm1 + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, 
xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 +L43: + pxor xmm3, xmm3 + mov r10, 3254779904 + pinsrd xmm3, r10d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + jmp L41 +L40: +L41: + mov r15, rsi + cmp rsi, rcx + jbe L50 + movdqu xmm0, xmmword ptr [rbx + 0] + mov r10, rsi + and r10, 15 + cmp r10, 8 + jae L52 + mov rcx, 0 + pinsrq xmm0, rcx, 1 + mov rcx, r10 + shl rcx, 3 + mov r11, 1 + shl r11, cl + sub r11, 1 + pextrq rcx, xmm0, 0 + and rcx, r11 + pinsrq xmm0, rcx, 0 + jmp L53 +L52: + mov rcx, r10 + sub rcx, 8 + shl rcx, 3 + mov r11, 1 + shl r11, cl + sub r11, 1 + pextrq rcx, xmm0, 1 + and rcx, r11 + pinsrq xmm0, rcx, 1 +L53: + pshufb xmm0, xmm9 + movdqu xmm5, xmmword ptr [r9 + -32] + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm4, xmm1 + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + pxor xmm3, xmm3 + mov r11, 3254779904 + pinsrd xmm3, r11d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + jmp L51 +L50: +L51: + mov rcx, rax + mov r11, 0 + mov r13, rsi + pxor xmm0, xmm0 + mov rax, r11 + imul rax, 8 + pinsrq xmm0, rax, 1 + mov rax, r13 + imul rax, 8 + pinsrq xmm0, rax, 0 + movdqu xmm5, xmmword ptr [r9 + -32] + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm4, xmm1 + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + pxor xmm3, xmm3 + 
mov r11, 3254779904 + pinsrd xmm3, r11d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + movdqu xmmword ptr [rcx + 0], xmm8 +L37: + pop rax + pinsrq xmm6, rax, 1 + pop rax + pinsrq xmm6, rax, 0 + pop rax + pinsrq xmm7, rax, 1 + pop rax + pinsrq xmm7, rax, 0 + pop rax + pinsrq xmm8, rax, 1 + pop rax + pinsrq xmm8, rax, 0 + pop rax + pinsrq xmm9, rax, 1 + pop rax + pinsrq xmm9, rax, 0 + pop rax + pinsrq xmm10, rax, 1 + pop rax + pinsrq xmm10, rax, 0 + pop rax + pinsrq xmm11, rax, 1 + pop rax + pinsrq xmm11, rax, 0 + pop rax + pinsrq xmm12, rax, 1 + pop rax + pinsrq xmm12, rax, 0 + pop rax + pinsrq xmm13, rax, 1 + pop rax + pinsrq xmm13, rax, 0 + pop rax + pinsrq xmm14, rax, 1 + pop rax + pinsrq xmm14, rax, 0 + pop rax + pinsrq xmm15, rax, 1 + pop rax + pinsrq xmm15, rax, 0 + pop rbx + pop rbp + pop rdi + pop rsi + pop r12 + pop r13 + pop r14 + pop r15 +L17: + ret +compute_iv_stdcall endp +ALIGN 16 +gcm128_encrypt_opt proc + push r15 + push r14 + push r13 + push r12 + push rsi + push rdi + push rbp + push rbx + pextrq rax, xmm15, 0 + push rax + pextrq rax, xmm15, 1 + push rax + pextrq rax, xmm14, 0 + push rax + pextrq rax, xmm14, 1 + push rax + pextrq rax, xmm13, 0 + push rax + pextrq rax, xmm13, 1 + push rax + pextrq rax, xmm12, 0 + push rax + pextrq rax, xmm12, 1 + push rax + pextrq rax, xmm11, 0 + push rax + pextrq rax, xmm11, 1 + push rax + pextrq rax, xmm10, 0 + push rax + pextrq rax, xmm10, 1 + push rax + pextrq rax, xmm9, 0 + push rax + pextrq rax, xmm9, 1 + push rax + pextrq rax, xmm8, 0 + push rax + pextrq rax, xmm8, 1 + push rax + pextrq rax, xmm7, 0 + push rax + pextrq rax, xmm7, 1 + push rax + pextrq rax, xmm6, 0 + push rax + pextrq rax, xmm6, 1 + push rax + mov rdi, rcx + mov rsi, rdx + mov rdx, r8 + 
mov rcx, r9 + mov r8, qword ptr [rsp + 264] + mov r9, qword ptr [rsp + 272] + mov rbp, qword ptr [rsp + 352] + mov r13, rcx + lea r9, qword ptr [r9 + 32] + mov rbx, qword ptr [rsp + 280] + mov rcx, rdx + imul rcx, 16 + mov r10, 579005069656919567 + pinsrq xmm9, r10, 0 + mov r10, 283686952306183 + pinsrq xmm9, r10, 1 + pxor xmm8, xmm8 + mov r11, rdi + jmp L55 +ALIGN 16 +L54: + add r11, 80 + movdqu xmm5, xmmword ptr [r9 + -32] + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + movdqu xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + -16] + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 16] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 64] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, 
xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 80] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + vpxor xmm4, xmm4, xmm1 + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + pxor xmm3, xmm3 + mov r10, 3254779904 + pinsrd xmm3, r10d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + add r11, 96 + sub rdx, 6 +ALIGN 16 +L55: + cmp rdx, 6 + jae L54 + cmp rdx, 0 + jbe L56 + mov r10, rdx + sub r10, 1 + imul r10, 16 + add r11, r10 + movdqu xmm5, xmmword ptr [r9 + -32] + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + cmp rdx, 1 + jne L58 + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm4, xmm1 + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + jmp L59 +L58: + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + movdqu xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + -16] + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 2 + je L60 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr 
[r9 + 16] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 3 + je L62 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 4 + je L64 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 64] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + jmp L65 +L64: +L65: + jmp L63 +L62: +L63: + jmp L61 +L60: +L61: + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + vpxor xmm4, xmm4, xmm1 + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 +L59: + pxor xmm3, xmm3 + mov r10, 3254779904 + pinsrd xmm3, r10d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + jmp L57 +L56: +L57: + mov r15, rsi + cmp rsi, rcx + jbe L66 + movdqu xmm0, xmmword ptr [rbx + 0] + mov r10, rsi + and r10, 15 + cmp r10, 8 + jae L68 + mov rcx, 0 + pinsrq xmm0, rcx, 1 + mov rcx, r10 + shl rcx, 3 + mov r11, 1 + shl r11, cl + sub r11, 1 + pextrq rcx, xmm0, 0 + and rcx, r11 + pinsrq xmm0, rcx, 0 + jmp L69 +L68: + mov rcx, r10 + sub rcx, 8 + shl rcx, 3 + mov r11, 1 + shl r11, cl + sub r11, 1 + pextrq rcx, xmm0, 
1 + and rcx, r11 + pinsrq xmm0, rcx, 1 +L69: + pshufb xmm0, xmm9 + movdqu xmm5, xmmword ptr [r9 + -32] + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm4, xmm1 + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + pxor xmm3, xmm3 + mov r11, 3254779904 + pinsrd xmm3, r11d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + jmp L67 +L66: +L67: + mov rdi, qword ptr [rsp + 288] + mov rsi, qword ptr [rsp + 296] + mov rdx, qword ptr [rsp + 304] + mov rcx, r13 + movdqu xmm0, xmm9 + movdqu xmm1, xmmword ptr [r8 + 0] + movdqu xmmword ptr [rbp + 0], xmm1 + pxor xmm10, xmm10 + mov r11, 1 + pinsrq xmm10, r11, 0 + vpaddd xmm1, xmm1, xmm10 + cmp rdx, 0 + jne L70 + vpshufb xmm1, xmm1, xmm0 + movdqu xmmword ptr [rbp + 32], xmm1 + jmp L71 +L70: + movdqu xmmword ptr [rbp + 32], xmm8 + add rcx, 128 + pextrq rbx, xmm1, 0 + and rbx, 255 + vpshufb xmm1, xmm1, xmm0 + lea r14, qword ptr [rsi + 96] + movdqu xmm4, xmmword ptr [rcx + -128] + pxor xmm2, xmm2 + mov r11, 72057594037927936 + pinsrq xmm2, r11, 1 + movdqu xmm15, xmmword ptr [rcx + -112] + mov r12, rcx + sub r12, 96 + vpxor xmm9, xmm1, xmm4 + add rbx, 6 + cmp rbx, 256 + jae L72 + vpaddd xmm10, xmm1, xmm2 + vpaddd xmm11, xmm10, xmm2 + vpxor xmm10, xmm10, xmm4 + vpaddd xmm12, xmm11, xmm2 + vpxor xmm11, xmm11, xmm4 + vpaddd xmm13, xmm12, xmm2 + vpxor xmm12, xmm12, xmm4 + vpaddd xmm14, xmm13, xmm2 + vpxor xmm13, xmm13, xmm4 + vpaddd xmm1, xmm14, xmm2 + vpxor xmm14, xmm14, xmm4 + jmp L73 +L72: + sub rbx, 256 + vpshufb xmm6, xmm1, xmm0 + pxor xmm5, xmm5 + mov r11, 1 + pinsrq xmm5, r11, 0 + vpaddd xmm10, xmm6, xmm5 + pxor xmm5, xmm5 + mov r11, 2 + pinsrq xmm5, r11, 0 + 
vpaddd xmm11, xmm6, xmm5 + vpaddd xmm12, xmm10, xmm5 + vpshufb xmm10, xmm10, xmm0 + vpaddd xmm13, xmm11, xmm5 + vpshufb xmm11, xmm11, xmm0 + vpxor xmm10, xmm10, xmm4 + vpaddd xmm14, xmm12, xmm5 + vpshufb xmm12, xmm12, xmm0 + vpxor xmm11, xmm11, xmm4 + vpaddd xmm1, xmm13, xmm5 + vpshufb xmm13, xmm13, xmm0 + vpxor xmm12, xmm12, xmm4 + vpshufb xmm14, xmm14, xmm0 + vpxor xmm13, xmm13, xmm4 + vpshufb xmm1, xmm1, xmm0 + vpxor xmm14, xmm14, xmm4 +L73: + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -96] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -80] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -64] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -48] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -32] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -16] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + 0] + vaesenc xmm9, xmm9, 
xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + 16] + movdqu xmm3, xmmword ptr [rcx + 32] + vaesenc xmm9, xmm9, xmm15 + vpxor xmm4, xmm3, xmmword ptr [rdi + 0] + vaesenc xmm10, xmm10, xmm15 + vpxor xmm5, xmm3, xmmword ptr [rdi + 16] + vaesenc xmm11, xmm11, xmm15 + vpxor xmm6, xmm3, xmmword ptr [rdi + 32] + vaesenc xmm12, xmm12, xmm15 + vpxor xmm8, xmm3, xmmword ptr [rdi + 48] + vaesenc xmm13, xmm13, xmm15 + vpxor xmm2, xmm3, xmmword ptr [rdi + 64] + vaesenc xmm14, xmm14, xmm15 + vpxor xmm3, xmm3, xmmword ptr [rdi + 80] + lea rdi, qword ptr [rdi + 96] + vaesenclast xmm9, xmm9, xmm4 + vaesenclast xmm10, xmm10, xmm5 + vaesenclast xmm11, xmm11, xmm6 + vaesenclast xmm12, xmm12, xmm8 + vaesenclast xmm13, xmm13, xmm2 + vaesenclast xmm14, xmm14, xmm3 + movdqu xmmword ptr [rsi + 0], xmm9 + movdqu xmmword ptr [rsi + 16], xmm10 + movdqu xmmword ptr [rsi + 32], xmm11 + movdqu xmmword ptr [rsi + 48], xmm12 + movdqu xmmword ptr [rsi + 64], xmm13 + movdqu xmmword ptr [rsi + 80], xmm14 + lea rsi, qword ptr [rsi + 96] + vpshufb xmm8, xmm9, xmm0 + vpshufb xmm2, xmm10, xmm0 + movdqu xmmword ptr [rbp + 112], xmm8 + vpshufb xmm4, xmm11, xmm0 + movdqu xmmword ptr [rbp + 96], xmm2 + vpshufb xmm5, xmm12, xmm0 + movdqu xmmword ptr [rbp + 80], xmm4 + vpshufb xmm6, xmm13, xmm0 + movdqu xmmword ptr [rbp + 64], xmm5 + vpshufb xmm7, xmm14, xmm0 + movdqu xmmword ptr [rbp + 48], xmm6 + movdqu xmm4, xmmword ptr [rcx + -128] + pxor xmm2, xmm2 + mov r11, 72057594037927936 + pinsrq xmm2, r11, 1 + movdqu xmm15, xmmword ptr [rcx + -112] + mov r12, rcx + sub r12, 96 + vpxor xmm9, xmm1, xmm4 + add rbx, 6 + cmp rbx, 256 + jae L74 + vpaddd xmm10, xmm1, xmm2 + vpaddd xmm11, xmm10, xmm2 + vpxor xmm10, xmm10, xmm4 + vpaddd xmm12, xmm11, xmm2 + vpxor xmm11, xmm11, xmm4 + vpaddd xmm13, xmm12, xmm2 + vpxor xmm12, xmm12, xmm4 + vpaddd xmm14, xmm13, xmm2 + vpxor xmm13, 
xmm13, xmm4 + vpaddd xmm1, xmm14, xmm2 + vpxor xmm14, xmm14, xmm4 + jmp L75 +L74: + sub rbx, 256 + vpshufb xmm6, xmm1, xmm0 + pxor xmm5, xmm5 + mov r11, 1 + pinsrq xmm5, r11, 0 + vpaddd xmm10, xmm6, xmm5 + pxor xmm5, xmm5 + mov r11, 2 + pinsrq xmm5, r11, 0 + vpaddd xmm11, xmm6, xmm5 + vpaddd xmm12, xmm10, xmm5 + vpshufb xmm10, xmm10, xmm0 + vpaddd xmm13, xmm11, xmm5 + vpshufb xmm11, xmm11, xmm0 + vpxor xmm10, xmm10, xmm4 + vpaddd xmm14, xmm12, xmm5 + vpshufb xmm12, xmm12, xmm0 + vpxor xmm11, xmm11, xmm4 + vpaddd xmm1, xmm13, xmm5 + vpshufb xmm13, xmm13, xmm0 + vpxor xmm12, xmm12, xmm4 + vpshufb xmm14, xmm14, xmm0 + vpxor xmm13, xmm13, xmm4 + vpshufb xmm1, xmm1, xmm0 + vpxor xmm14, xmm14, xmm4 +L75: + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -96] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -80] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -64] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -48] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -32] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword 
ptr [rcx + -16] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + 0] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + 16] + movdqu xmm3, xmmword ptr [rcx + 32] + vaesenc xmm9, xmm9, xmm15 + vpxor xmm4, xmm3, xmmword ptr [rdi + 0] + vaesenc xmm10, xmm10, xmm15 + vpxor xmm5, xmm3, xmmword ptr [rdi + 16] + vaesenc xmm11, xmm11, xmm15 + vpxor xmm6, xmm3, xmmword ptr [rdi + 32] + vaesenc xmm12, xmm12, xmm15 + vpxor xmm8, xmm3, xmmword ptr [rdi + 48] + vaesenc xmm13, xmm13, xmm15 + vpxor xmm2, xmm3, xmmword ptr [rdi + 64] + vaesenc xmm14, xmm14, xmm15 + vpxor xmm3, xmm3, xmmword ptr [rdi + 80] + lea rdi, qword ptr [rdi + 96] + vaesenclast xmm9, xmm9, xmm4 + vaesenclast xmm10, xmm10, xmm5 + vaesenclast xmm11, xmm11, xmm6 + vaesenclast xmm12, xmm12, xmm8 + vaesenclast xmm13, xmm13, xmm2 + vaesenclast xmm14, xmm14, xmm3 + movdqu xmmword ptr [rsi + 0], xmm9 + movdqu xmmword ptr [rsi + 16], xmm10 + movdqu xmmword ptr [rsi + 32], xmm11 + movdqu xmmword ptr [rsi + 48], xmm12 + movdqu xmmword ptr [rsi + 64], xmm13 + movdqu xmmword ptr [rsi + 80], xmm14 + lea rsi, qword ptr [rsi + 96] + sub rdx, 12 + movdqu xmm8, xmmword ptr [rbp + 32] + pxor xmm2, xmm2 + mov r11, 72057594037927936 + pinsrq xmm2, r11, 1 + vpxor xmm4, xmm4, xmm4 + movdqu xmm15, xmmword ptr [rcx + -128] + vpaddd xmm10, xmm1, xmm2 + vpaddd xmm11, xmm10, xmm2 + vpaddd xmm12, xmm11, xmm2 + vpaddd xmm13, xmm12, xmm2 + vpaddd xmm14, xmm13, xmm2 + vpxor xmm9, xmm1, xmm15 + movdqu xmmword ptr [rbp + 16], xmm4 + jmp L77 +ALIGN 16 +L76: + add rbx, 6 + cmp rbx, 256 + jb L78 + mov r11, 579005069656919567 + pinsrq xmm0, r11, 0 + mov r11, 283686952306183 + pinsrq xmm0, r11, 1 + vpshufb xmm6, xmm1, xmm0 + 
pxor xmm5, xmm5 + mov r11, 1 + pinsrq xmm5, r11, 0 + vpaddd xmm10, xmm6, xmm5 + pxor xmm5, xmm5 + mov r11, 2 + pinsrq xmm5, r11, 0 + vpaddd xmm11, xmm6, xmm5 + movdqu xmm3, xmmword ptr [r9 + -32] + vpaddd xmm12, xmm10, xmm5 + vpshufb xmm10, xmm10, xmm0 + vpaddd xmm13, xmm11, xmm5 + vpshufb xmm11, xmm11, xmm0 + vpxor xmm10, xmm10, xmm15 + vpaddd xmm14, xmm12, xmm5 + vpshufb xmm12, xmm12, xmm0 + vpxor xmm11, xmm11, xmm15 + vpaddd xmm1, xmm13, xmm5 + vpshufb xmm13, xmm13, xmm0 + vpshufb xmm14, xmm14, xmm0 + vpshufb xmm1, xmm1, xmm0 + sub rbx, 256 + jmp L79 +L78: + movdqu xmm3, xmmword ptr [r9 + -32] + vpaddd xmm1, xmm2, xmm14 + vpxor xmm10, xmm10, xmm15 + vpxor xmm11, xmm11, xmm15 +L79: + movdqu xmmword ptr [rbp + 128], xmm1 + vpclmulqdq xmm5, xmm7, xmm3, 16 + vpxor xmm12, xmm12, xmm15 + movdqu xmm2, xmmword ptr [rcx + -112] + vpclmulqdq xmm6, xmm7, xmm3, 1 + vaesenc xmm9, xmm9, xmm2 + movdqu xmm0, xmmword ptr [rbp + 48] + vpxor xmm13, xmm13, xmm15 + vpclmulqdq xmm1, xmm7, xmm3, 0 + vaesenc xmm10, xmm10, xmm2 + vpxor xmm14, xmm14, xmm15 + vpclmulqdq xmm7, xmm7, xmm3, 17 + vaesenc xmm11, xmm11, xmm2 + movdqu xmm3, xmmword ptr [r9 + -16] + vaesenc xmm12, xmm12, xmm2 + vpxor xmm6, xmm6, xmm5 + vpclmulqdq xmm5, xmm0, xmm3, 0 + vpxor xmm8, xmm8, xmm4 + vaesenc xmm13, xmm13, xmm2 + vpxor xmm4, xmm1, xmm5 + vpclmulqdq xmm1, xmm0, xmm3, 16 + vaesenc xmm14, xmm14, xmm2 + movdqu xmm15, xmmword ptr [rcx + -96] + vpclmulqdq xmm2, xmm0, xmm3, 1 + vaesenc xmm9, xmm9, xmm15 + vpxor xmm8, xmm8, xmmword ptr [rbp + 16] + vpclmulqdq xmm3, xmm0, xmm3, 17 + movdqu xmm0, xmmword ptr [rbp + 64] + vaesenc xmm10, xmm10, xmm15 + movbe r13, qword ptr [r14 + 88] + vaesenc xmm11, xmm11, xmm15 + movbe r12, qword ptr [r14 + 80] + vaesenc xmm12, xmm12, xmm15 + mov qword ptr [rbp + 32], r13 + vaesenc xmm13, xmm13, xmm15 + mov qword ptr [rbp + 40], r12 + movdqu xmm5, xmmword ptr [r9 + 16] + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -80] + vpxor xmm6, xmm6, xmm1 + vpclmulqdq xmm1, 
xmm0, xmm5, 0 + vaesenc xmm9, xmm9, xmm15 + vpxor xmm6, xmm6, xmm2 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vaesenc xmm10, xmm10, xmm15 + vpxor xmm7, xmm7, xmm3 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vaesenc xmm11, xmm11, xmm15 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [rbp + 80] + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -64] + vpxor xmm6, xmm6, xmm2 + vpclmulqdq xmm2, xmm0, xmm1, 0 + vaesenc xmm9, xmm9, xmm15 + vpxor xmm6, xmm6, xmm3 + vpclmulqdq xmm3, xmm0, xmm1, 16 + vaesenc xmm10, xmm10, xmm15 + movbe r13, qword ptr [r14 + 72] + vpxor xmm7, xmm7, xmm5 + vpclmulqdq xmm5, xmm0, xmm1, 1 + vaesenc xmm11, xmm11, xmm15 + movbe r12, qword ptr [r14 + 64] + vpclmulqdq xmm1, xmm0, xmm1, 17 + movdqu xmm0, xmmword ptr [rbp + 96] + vaesenc xmm12, xmm12, xmm15 + mov qword ptr [rbp + 48], r13 + vaesenc xmm13, xmm13, xmm15 + mov qword ptr [rbp + 56], r12 + vpxor xmm4, xmm4, xmm2 + movdqu xmm2, xmmword ptr [r9 + 64] + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -48] + vpxor xmm6, xmm6, xmm3 + vpclmulqdq xmm3, xmm0, xmm2, 0 + vaesenc xmm9, xmm9, xmm15 + vpxor xmm6, xmm6, xmm5 + vpclmulqdq xmm5, xmm0, xmm2, 16 + vaesenc xmm10, xmm10, xmm15 + movbe r13, qword ptr [r14 + 56] + vpxor xmm7, xmm7, xmm1 + vpclmulqdq xmm1, xmm0, xmm2, 1 + vpxor xmm8, xmm8, xmmword ptr [rbp + 112] + vaesenc xmm11, xmm11, xmm15 + movbe r12, qword ptr [r14 + 48] + vpclmulqdq xmm2, xmm0, xmm2, 17 + vaesenc xmm12, xmm12, xmm15 + mov qword ptr [rbp + 64], r13 + vaesenc xmm13, xmm13, xmm15 + mov qword ptr [rbp + 72], r12 + vpxor xmm4, xmm4, xmm3 + movdqu xmm3, xmmword ptr [r9 + 80] + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -32] + vpxor xmm6, xmm6, xmm5 + vpclmulqdq xmm5, xmm8, xmm3, 16 + vaesenc xmm9, xmm9, xmm15 + vpxor xmm6, xmm6, xmm1 + vpclmulqdq xmm1, xmm8, xmm3, 1 + vaesenc xmm10, xmm10, xmm15 + movbe r13, 
qword ptr [r14 + 40] + vpxor xmm7, xmm7, xmm2 + vpclmulqdq xmm2, xmm8, xmm3, 0 + vaesenc xmm11, xmm11, xmm15 + movbe r12, qword ptr [r14 + 32] + vpclmulqdq xmm8, xmm8, xmm3, 17 + vaesenc xmm12, xmm12, xmm15 + mov qword ptr [rbp + 80], r13 + vaesenc xmm13, xmm13, xmm15 + mov qword ptr [rbp + 88], r12 + vpxor xmm6, xmm6, xmm5 + vaesenc xmm14, xmm14, xmm15 + vpxor xmm6, xmm6, xmm1 + movdqu xmm15, xmmword ptr [rcx + -16] + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm2 + pxor xmm3, xmm3 + mov r11, 13979173243358019584 + pinsrq xmm3, r11, 1 + vaesenc xmm9, xmm9, xmm15 + vpxor xmm7, xmm7, xmm8 + vaesenc xmm10, xmm10, xmm15 + vpxor xmm4, xmm4, xmm5 + movbe r13, qword ptr [r14 + 24] + vaesenc xmm11, xmm11, xmm15 + movbe r12, qword ptr [r14 + 16] + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + mov qword ptr [rbp + 96], r13 + vaesenc xmm12, xmm12, xmm15 + mov qword ptr [rbp + 104], r12 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm1, xmmword ptr [rcx + 0] + vaesenc xmm9, xmm9, xmm1 + movdqu xmm15, xmmword ptr [rcx + 16] + vaesenc xmm10, xmm10, xmm1 + vpsrldq xmm6, xmm6, 8 + vaesenc xmm11, xmm11, xmm1 + vpxor xmm7, xmm7, xmm6 + vaesenc xmm12, xmm12, xmm1 + vpxor xmm4, xmm4, xmm0 + movbe r13, qword ptr [r14 + 8] + vaesenc xmm13, xmm13, xmm1 + movbe r12, qword ptr [r14 + 0] + vaesenc xmm14, xmm14, xmm1 + movdqu xmm1, xmmword ptr [rcx + 32] + vaesenc xmm9, xmm9, xmm15 + movdqu xmmword ptr [rbp + 16], xmm7 + vpalignr xmm8, xmm4, xmm4, 8 + vaesenc xmm10, xmm10, xmm15 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm2, xmm1, xmmword ptr [rdi + 0] + vaesenc xmm11, xmm11, xmm15 + vpxor xmm0, xmm1, xmmword ptr [rdi + 16] + vaesenc xmm12, xmm12, xmm15 + vpxor xmm5, xmm1, xmmword ptr [rdi + 32] + vaesenc xmm13, xmm13, xmm15 + vpxor xmm6, xmm1, xmmword ptr [rdi + 48] + vaesenc xmm14, xmm14, xmm15 + vpxor xmm7, xmm1, xmmword ptr [rdi + 64] + vpxor xmm3, xmm1, xmmword ptr [rdi + 80] + movdqu xmm1, xmmword ptr [rbp + 128] + vaesenclast xmm9, xmm9, 
xmm2 + pxor xmm2, xmm2 + mov r11, 72057594037927936 + pinsrq xmm2, r11, 1 + vaesenclast xmm10, xmm10, xmm0 + vpaddd xmm0, xmm1, xmm2 + mov qword ptr [rbp + 112], r13 + lea rdi, qword ptr [rdi + 96] + vaesenclast xmm11, xmm11, xmm5 + vpaddd xmm5, xmm0, xmm2 + mov qword ptr [rbp + 120], r12 + lea rsi, qword ptr [rsi + 96] + movdqu xmm15, xmmword ptr [rcx + -128] + vaesenclast xmm12, xmm12, xmm6 + vpaddd xmm6, xmm5, xmm2 + vaesenclast xmm13, xmm13, xmm7 + vpaddd xmm7, xmm6, xmm2 + vaesenclast xmm14, xmm14, xmm3 + vpaddd xmm3, xmm7, xmm2 + sub rdx, 6 + add r14, 96 + cmp rdx, 0 + jbe L80 + movdqu xmmword ptr [rsi + -96], xmm9 + vpxor xmm9, xmm1, xmm15 + movdqu xmmword ptr [rsi + -80], xmm10 + movdqu xmm10, xmm0 + movdqu xmmword ptr [rsi + -64], xmm11 + movdqu xmm11, xmm5 + movdqu xmmword ptr [rsi + -48], xmm12 + movdqu xmm12, xmm6 + movdqu xmmword ptr [rsi + -32], xmm13 + movdqu xmm13, xmm7 + movdqu xmmword ptr [rsi + -16], xmm14 + movdqu xmm14, xmm3 + movdqu xmm7, xmmword ptr [rbp + 32] + jmp L81 +L80: + vpxor xmm8, xmm8, xmmword ptr [rbp + 16] + vpxor xmm8, xmm8, xmm4 +L81: +ALIGN 16 +L77: + cmp rdx, 0 + ja L76 + movdqu xmm7, xmmword ptr [rbp + 32] + movdqu xmmword ptr [rbp + 32], xmm1 + pxor xmm4, xmm4 + movdqu xmmword ptr [rbp + 16], xmm4 + movdqu xmm3, xmmword ptr [r9 + -32] + vpclmulqdq xmm1, xmm7, xmm3, 0 + vpclmulqdq xmm5, xmm7, xmm3, 16 + movdqu xmm0, xmmword ptr [rbp + 48] + vpclmulqdq xmm6, xmm7, xmm3, 1 + vpclmulqdq xmm7, xmm7, xmm3, 17 + movdqu xmm3, xmmword ptr [r9 + -16] + vpxor xmm6, xmm6, xmm5 + vpclmulqdq xmm5, xmm0, xmm3, 0 + vpxor xmm8, xmm8, xmm4 + vpxor xmm4, xmm1, xmm5 + vpclmulqdq xmm1, xmm0, xmm3, 16 + vpclmulqdq xmm2, xmm0, xmm3, 1 + vpxor xmm8, xmm8, xmmword ptr [rbp + 16] + vpclmulqdq xmm3, xmm0, xmm3, 17 + movdqu xmm0, xmmword ptr [rbp + 64] + movdqu xmm5, xmmword ptr [r9 + 16] + vpxor xmm6, xmm6, xmm1 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpxor xmm6, xmm6, xmm2 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpxor xmm7, xmm7, xmm3 + vpclmulqdq xmm3, xmm0, 
xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [rbp + 80] + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vpxor xmm6, xmm6, xmm2 + vpclmulqdq xmm2, xmm0, xmm1, 0 + vpxor xmm6, xmm6, xmm3 + vpclmulqdq xmm3, xmm0, xmm1, 16 + vpxor xmm7, xmm7, xmm5 + vpclmulqdq xmm5, xmm0, xmm1, 1 + vpclmulqdq xmm1, xmm0, xmm1, 17 + movdqu xmm0, xmmword ptr [rbp + 96] + vpxor xmm4, xmm4, xmm2 + movdqu xmm2, xmmword ptr [r9 + 64] + vpxor xmm6, xmm6, xmm3 + vpclmulqdq xmm3, xmm0, xmm2, 0 + vpxor xmm6, xmm6, xmm5 + vpclmulqdq xmm5, xmm0, xmm2, 16 + vpxor xmm7, xmm7, xmm1 + vpclmulqdq xmm1, xmm0, xmm2, 1 + vpxor xmm8, xmm8, xmmword ptr [rbp + 112] + vpclmulqdq xmm2, xmm0, xmm2, 17 + vpxor xmm4, xmm4, xmm3 + movdqu xmm3, xmmword ptr [r9 + 80] + vpxor xmm6, xmm6, xmm5 + vpclmulqdq xmm5, xmm8, xmm3, 16 + vpxor xmm6, xmm6, xmm1 + vpclmulqdq xmm1, xmm8, xmm3, 1 + vpxor xmm7, xmm7, xmm2 + vpclmulqdq xmm2, xmm8, xmm3, 0 + vpclmulqdq xmm8, xmm8, xmm3, 17 + vpxor xmm6, xmm6, xmm5 + vpxor xmm6, xmm6, xmm1 + vpxor xmm4, xmm4, xmm2 + pxor xmm3, xmm3 + mov rax, 3254779904 + pinsrd xmm3, eax, 3 + vpxor xmm7, xmm7, xmm8 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + mov r12, 579005069656919567 + pinsrq xmm0, r12, 0 + mov r12, 283686952306183 + pinsrq xmm0, r12, 1 + movdqu xmmword ptr [rsi + -96], xmm9 + vpshufb xmm9, xmm9, xmm0 + vpxor xmm1, xmm1, xmm7 + movdqu xmmword ptr [rsi + -80], xmm10 + vpshufb xmm10, xmm10, xmm0 + movdqu xmmword ptr [rsi + -64], xmm11 + vpshufb xmm11, xmm11, xmm0 + movdqu xmmword ptr [rsi + -48], xmm12 + vpshufb xmm12, xmm12, xmm0 + movdqu xmmword ptr [rsi + -32], xmm13 + vpshufb xmm13, xmm13, xmm0 + movdqu xmmword ptr [rsi + -16], xmm14 + vpshufb xmm14, xmm14, xmm0 + pxor xmm4, xmm4 + 
movdqu xmm7, xmm14 + movdqu xmmword ptr [rbp + 16], xmm4 + movdqu xmmword ptr [rbp + 48], xmm13 + movdqu xmmword ptr [rbp + 64], xmm12 + movdqu xmmword ptr [rbp + 80], xmm11 + movdqu xmmword ptr [rbp + 96], xmm10 + movdqu xmmword ptr [rbp + 112], xmm9 + movdqu xmm3, xmmword ptr [r9 + -32] + vpclmulqdq xmm1, xmm7, xmm3, 0 + vpclmulqdq xmm5, xmm7, xmm3, 16 + movdqu xmm0, xmmword ptr [rbp + 48] + vpclmulqdq xmm6, xmm7, xmm3, 1 + vpclmulqdq xmm7, xmm7, xmm3, 17 + movdqu xmm3, xmmword ptr [r9 + -16] + vpxor xmm6, xmm6, xmm5 + vpclmulqdq xmm5, xmm0, xmm3, 0 + vpxor xmm8, xmm8, xmm4 + vpxor xmm4, xmm1, xmm5 + vpclmulqdq xmm1, xmm0, xmm3, 16 + vpclmulqdq xmm2, xmm0, xmm3, 1 + vpxor xmm8, xmm8, xmmword ptr [rbp + 16] + vpclmulqdq xmm3, xmm0, xmm3, 17 + movdqu xmm0, xmmword ptr [rbp + 64] + movdqu xmm5, xmmword ptr [r9 + 16] + vpxor xmm6, xmm6, xmm1 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpxor xmm6, xmm6, xmm2 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpxor xmm7, xmm7, xmm3 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [rbp + 80] + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vpxor xmm6, xmm6, xmm2 + vpclmulqdq xmm2, xmm0, xmm1, 0 + vpxor xmm6, xmm6, xmm3 + vpclmulqdq xmm3, xmm0, xmm1, 16 + vpxor xmm7, xmm7, xmm5 + vpclmulqdq xmm5, xmm0, xmm1, 1 + vpclmulqdq xmm1, xmm0, xmm1, 17 + movdqu xmm0, xmmword ptr [rbp + 96] + vpxor xmm4, xmm4, xmm2 + movdqu xmm2, xmmword ptr [r9 + 64] + vpxor xmm6, xmm6, xmm3 + vpclmulqdq xmm3, xmm0, xmm2, 0 + vpxor xmm6, xmm6, xmm5 + vpclmulqdq xmm5, xmm0, xmm2, 16 + vpxor xmm7, xmm7, xmm1 + vpclmulqdq xmm1, xmm0, xmm2, 1 + vpxor xmm8, xmm8, xmmword ptr [rbp + 112] + vpclmulqdq xmm2, xmm0, xmm2, 17 + vpxor xmm4, xmm4, xmm3 + movdqu xmm3, xmmword ptr [r9 + 80] + vpxor xmm6, xmm6, xmm5 + vpclmulqdq xmm5, xmm8, xmm3, 16 + vpxor xmm6, xmm6, xmm1 + vpclmulqdq xmm1, xmm8, xmm3, 1 + vpxor xmm7, xmm7, xmm2 + vpclmulqdq xmm2, xmm8, xmm3, 0 + vpclmulqdq xmm8, xmm8, xmm3, 17 + vpxor xmm6, xmm6, xmm5 + 
vpxor xmm6, xmm6, xmm1 + vpxor xmm4, xmm4, xmm2 + pxor xmm3, xmm3 + mov rax, 3254779904 + pinsrd xmm3, eax, 3 + vpxor xmm7, xmm7, xmm8 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + sub rcx, 128 +L71: + movdqu xmm11, xmmword ptr [rbp + 32] + mov r8, rcx + mov rax, qword ptr [rsp + 312] + mov rdi, qword ptr [rsp + 320] + mov rdx, qword ptr [rsp + 328] + mov r14, rdx + mov r12, 579005069656919567 + pinsrq xmm9, r12, 0 + mov r12, 283686952306183 + pinsrq xmm9, r12, 1 + pshufb xmm11, xmm9 + pxor xmm10, xmm10 + mov rbx, 1 + pinsrd xmm10, ebx, 0 + mov r11, rax + mov r10, rdi + mov rbx, 0 + jmp L83 +ALIGN 16 +L82: + movdqu xmm0, xmm11 + pshufb xmm0, xmm9 + movdqu xmm2, xmmword ptr [r8 + 0] + pxor xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 16] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 32] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 48] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 64] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 80] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 96] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 112] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 128] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 144] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 160] + aesenclast xmm0, xmm2 + pxor xmm2, xmm2 + movdqu xmm2, xmmword ptr [r11 + 0] + pxor xmm2, xmm0 + movdqu xmmword ptr [r10 + 0], xmm2 + add rbx, 1 + add r11, 16 + add r10, 16 + paddd xmm11, xmm10 +ALIGN 16 +L83: + cmp rbx, rdx + jne L82 + mov r11, rdi + jmp L85 +ALIGN 16 +L84: + add r11, 80 + movdqu xmm5, xmmword ptr [r9 + -32] + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + 
vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + movdqu xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + -16] + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 16] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 64] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 80] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + vpxor xmm4, xmm4, xmm1 + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + pxor xmm3, xmm3 + mov r10, 3254779904 + 
pinsrd xmm3, r10d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + add r11, 96 + sub rdx, 6 +ALIGN 16 +L85: + cmp rdx, 6 + jae L84 + cmp rdx, 0 + jbe L86 + mov r10, rdx + sub r10, 1 + imul r10, 16 + add r11, r10 + movdqu xmm5, xmmword ptr [r9 + -32] + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + cmp rdx, 1 + jne L88 + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm4, xmm1 + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + jmp L89 +L88: + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + movdqu xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + -16] + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 2 + je L90 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 16] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 3 + je L92 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 4 + je L94 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + 
vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 64] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + jmp L95 +L94: +L95: + jmp L93 +L92: +L93: + jmp L91 +L90: +L91: + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + vpxor xmm4, xmm4, xmm1 + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 +L89: + pxor xmm3, xmm3 + mov r10, 3254779904 + pinsrd xmm3, r10d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + jmp L87 +L86: +L87: + add r14, qword ptr [rsp + 304] + imul r14, 16 + mov r13, qword ptr [rsp + 344] + cmp r13, r14 + jbe L96 + mov rax, qword ptr [rsp + 336] + mov r10, r13 + and r10, 15 + movdqu xmm0, xmm11 + pshufb xmm0, xmm9 + movdqu xmm2, xmmword ptr [r8 + 0] + pxor xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 16] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 32] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 48] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 64] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 80] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 96] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 112] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 128] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 144] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 160] + aesenclast xmm0, xmm2 + pxor xmm2, xmm2 + movdqu xmm4, xmmword ptr [rax + 0] + pxor xmm0, xmm4 + movdqu xmmword ptr [rax + 0], xmm0 + cmp r10, 8 + 
jae L98 + mov rcx, 0 + pinsrq xmm0, rcx, 1 + mov rcx, r10 + shl rcx, 3 + mov r11, 1 + shl r11, cl + sub r11, 1 + pextrq rcx, xmm0, 0 + and rcx, r11 + pinsrq xmm0, rcx, 0 + jmp L99 +L98: + mov rcx, r10 + sub rcx, 8 + shl rcx, 3 + mov r11, 1 + shl r11, cl + sub r11, 1 + pextrq rcx, xmm0, 1 + and rcx, r11 + pinsrq xmm0, rcx, 1 +L99: + pshufb xmm0, xmm9 + movdqu xmm5, xmmword ptr [r9 + -32] + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm4, xmm1 + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + pxor xmm3, xmm3 + mov r11, 3254779904 + pinsrd xmm3, r11d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + jmp L97 +L96: +L97: + mov r11, r15 + pxor xmm0, xmm0 + mov rax, r11 + imul rax, 8 + pinsrq xmm0, rax, 1 + mov rax, r13 + imul rax, 8 + pinsrq xmm0, rax, 0 + movdqu xmm5, xmmword ptr [r9 + -32] + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm4, xmm1 + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + pxor xmm3, xmm3 + mov r11, 3254779904 + pinsrd xmm3, r11d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + movdqu xmm0, xmmword ptr [rbp + 0] + pshufb xmm0, xmm9 + movdqu xmm2, xmmword ptr [r8 + 0] + pxor xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 16] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 32] + aesenc xmm0, xmm2 + movdqu 
xmm2, xmmword ptr [r8 + 48] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 64] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 80] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 96] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 112] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 128] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 144] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 160] + aesenclast xmm0, xmm2 + pxor xmm2, xmm2 + pshufb xmm8, xmm9 + pxor xmm8, xmm0 + mov r15, qword ptr [rsp + 360] + movdqu xmmword ptr [r15 + 0], xmm8 + pop rax + pinsrq xmm6, rax, 1 + pop rax + pinsrq xmm6, rax, 0 + pop rax + pinsrq xmm7, rax, 1 + pop rax + pinsrq xmm7, rax, 0 + pop rax + pinsrq xmm8, rax, 1 + pop rax + pinsrq xmm8, rax, 0 + pop rax + pinsrq xmm9, rax, 1 + pop rax + pinsrq xmm9, rax, 0 + pop rax + pinsrq xmm10, rax, 1 + pop rax + pinsrq xmm10, rax, 0 + pop rax + pinsrq xmm11, rax, 1 + pop rax + pinsrq xmm11, rax, 0 + pop rax + pinsrq xmm12, rax, 1 + pop rax + pinsrq xmm12, rax, 0 + pop rax + pinsrq xmm13, rax, 1 + pop rax + pinsrq xmm13, rax, 0 + pop rax + pinsrq xmm14, rax, 1 + pop rax + pinsrq xmm14, rax, 0 + pop rax + pinsrq xmm15, rax, 1 + pop rax + pinsrq xmm15, rax, 0 + pop rbx + pop rbp + pop rdi + pop rsi + pop r12 + pop r13 + pop r14 + pop r15 + ret +gcm128_encrypt_opt endp +ALIGN 16 +gcm256_encrypt_opt proc + push r15 + push r14 + push r13 + push r12 + push rsi + push rdi + push rbp + push rbx + pextrq rax, xmm15, 0 + push rax + pextrq rax, xmm15, 1 + push rax + pextrq rax, xmm14, 0 + push rax + pextrq rax, xmm14, 1 + push rax + pextrq rax, xmm13, 0 + push rax + pextrq rax, xmm13, 1 + push rax + pextrq rax, xmm12, 0 + push rax + pextrq rax, xmm12, 1 + push rax + pextrq rax, xmm11, 0 + push rax + pextrq rax, xmm11, 1 + push rax + pextrq rax, xmm10, 0 + push rax + pextrq rax, xmm10, 1 + push rax + pextrq rax, xmm9, 0 + push rax + pextrq rax, xmm9, 1 + push rax + pextrq rax, xmm8, 0 + push rax + pextrq rax, xmm8, 1 + 
push rax + pextrq rax, xmm7, 0 + push rax + pextrq rax, xmm7, 1 + push rax + pextrq rax, xmm6, 0 + push rax + pextrq rax, xmm6, 1 + push rax + mov rdi, rcx + mov rsi, rdx + mov rdx, r8 + mov rcx, r9 + mov r8, qword ptr [rsp + 264] + mov r9, qword ptr [rsp + 272] + mov rbp, qword ptr [rsp + 352] + mov r13, rcx + lea r9, qword ptr [r9 + 32] + mov rbx, qword ptr [rsp + 280] + mov rcx, rdx + imul rcx, 16 + mov r10, 579005069656919567 + pinsrq xmm9, r10, 0 + mov r10, 283686952306183 + pinsrq xmm9, r10, 1 + pxor xmm8, xmm8 + mov r11, rdi + jmp L101 +ALIGN 16 +L100: + add r11, 80 + movdqu xmm5, xmmword ptr [r9 + -32] + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + movdqu xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + -16] + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 16] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 64] + 
vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 80] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + vpxor xmm4, xmm4, xmm1 + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + pxor xmm3, xmm3 + mov r10, 3254779904 + pinsrd xmm3, r10d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + add r11, 96 + sub rdx, 6 +ALIGN 16 +L101: + cmp rdx, 6 + jae L100 + cmp rdx, 0 + jbe L102 + mov r10, rdx + sub r10, 1 + imul r10, 16 + add r11, r10 + movdqu xmm5, xmmword ptr [r9 + -32] + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + cmp rdx, 1 + jne L104 + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm4, xmm1 + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + jmp L105 +L104: + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + movdqu xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + -16] + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 2 + je L106 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + 
vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 16] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 3 + je L108 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 4 + je L110 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 64] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + jmp L111 +L110: +L111: + jmp L109 +L108: +L109: + jmp L107 +L106: +L107: + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + vpxor xmm4, xmm4, xmm1 + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 +L105: + pxor xmm3, xmm3 + mov r10, 3254779904 + pinsrd xmm3, r10d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + jmp L103 +L102: +L103: + mov r15, rsi + cmp rsi, rcx + jbe L112 + movdqu xmm0, xmmword ptr [rbx + 0] + mov r10, rsi + and r10, 15 + cmp r10, 8 + jae L114 + mov rcx, 0 + pinsrq xmm0, rcx, 1 + mov rcx, r10 + 
shl rcx, 3 + mov r11, 1 + shl r11, cl + sub r11, 1 + pextrq rcx, xmm0, 0 + and rcx, r11 + pinsrq xmm0, rcx, 0 + jmp L115 +L114: + mov rcx, r10 + sub rcx, 8 + shl rcx, 3 + mov r11, 1 + shl r11, cl + sub r11, 1 + pextrq rcx, xmm0, 1 + and rcx, r11 + pinsrq xmm0, rcx, 1 +L115: + pshufb xmm0, xmm9 + movdqu xmm5, xmmword ptr [r9 + -32] + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm4, xmm1 + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + pxor xmm3, xmm3 + mov r11, 3254779904 + pinsrd xmm3, r11d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + jmp L113 +L112: +L113: + mov rdi, qword ptr [rsp + 288] + mov rsi, qword ptr [rsp + 296] + mov rdx, qword ptr [rsp + 304] + mov rcx, r13 + movdqu xmm0, xmm9 + movdqu xmm1, xmmword ptr [r8 + 0] + movdqu xmmword ptr [rbp + 0], xmm1 + pxor xmm10, xmm10 + mov r11, 1 + pinsrq xmm10, r11, 0 + vpaddd xmm1, xmm1, xmm10 + cmp rdx, 0 + jne L116 + vpshufb xmm1, xmm1, xmm0 + movdqu xmmword ptr [rbp + 32], xmm1 + jmp L117 +L116: + movdqu xmmword ptr [rbp + 32], xmm8 + add rcx, 128 + pextrq rbx, xmm1, 0 + and rbx, 255 + vpshufb xmm1, xmm1, xmm0 + lea r14, qword ptr [rsi + 96] + movdqu xmm4, xmmword ptr [rcx + -128] + pxor xmm2, xmm2 + mov r11, 72057594037927936 + pinsrq xmm2, r11, 1 + movdqu xmm15, xmmword ptr [rcx + -112] + mov r12, rcx + sub r12, 96 + vpxor xmm9, xmm1, xmm4 + add rbx, 6 + cmp rbx, 256 + jae L118 + vpaddd xmm10, xmm1, xmm2 + vpaddd xmm11, xmm10, xmm2 + vpxor xmm10, xmm10, xmm4 + vpaddd xmm12, xmm11, xmm2 + vpxor xmm11, xmm11, xmm4 + vpaddd xmm13, xmm12, xmm2 + vpxor xmm12, xmm12, xmm4 + vpaddd xmm14, xmm13, xmm2 + vpxor xmm13, xmm13, xmm4 + vpaddd xmm1, 
xmm14, xmm2 + vpxor xmm14, xmm14, xmm4 + jmp L119 +L118: + sub rbx, 256 + vpshufb xmm6, xmm1, xmm0 + pxor xmm5, xmm5 + mov r11, 1 + pinsrq xmm5, r11, 0 + vpaddd xmm10, xmm6, xmm5 + pxor xmm5, xmm5 + mov r11, 2 + pinsrq xmm5, r11, 0 + vpaddd xmm11, xmm6, xmm5 + vpaddd xmm12, xmm10, xmm5 + vpshufb xmm10, xmm10, xmm0 + vpaddd xmm13, xmm11, xmm5 + vpshufb xmm11, xmm11, xmm0 + vpxor xmm10, xmm10, xmm4 + vpaddd xmm14, xmm12, xmm5 + vpshufb xmm12, xmm12, xmm0 + vpxor xmm11, xmm11, xmm4 + vpaddd xmm1, xmm13, xmm5 + vpshufb xmm13, xmm13, xmm0 + vpxor xmm12, xmm12, xmm4 + vpshufb xmm14, xmm14, xmm0 + vpxor xmm13, xmm13, xmm4 + vpshufb xmm1, xmm1, xmm0 + vpxor xmm14, xmm14, xmm4 +L119: + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -96] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -80] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -64] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -48] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -32] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -16] + 
vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + 0] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + 16] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + 32] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + 48] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + 64] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + 80] + movdqu xmm3, xmmword ptr [rcx + 96] + vaesenc xmm9, xmm9, xmm15 + vpxor xmm4, xmm3, xmmword ptr [rdi + 0] + vaesenc xmm10, xmm10, xmm15 + vpxor xmm5, xmm3, xmmword ptr [rdi + 16] + vaesenc xmm11, xmm11, xmm15 + vpxor xmm6, xmm3, xmmword ptr [rdi + 32] + vaesenc xmm12, xmm12, xmm15 + vpxor xmm8, xmm3, xmmword ptr [rdi + 48] + vaesenc xmm13, xmm13, xmm15 + vpxor xmm2, xmm3, xmmword ptr [rdi + 64] + vaesenc xmm14, xmm14, xmm15 + vpxor xmm3, xmm3, xmmword ptr [rdi + 80] + lea rdi, qword ptr [rdi + 96] + vaesenclast xmm9, xmm9, xmm4 + vaesenclast xmm10, xmm10, xmm5 + vaesenclast xmm11, xmm11, xmm6 + vaesenclast xmm12, xmm12, xmm8 + vaesenclast xmm13, xmm13, xmm2 + vaesenclast xmm14, xmm14, xmm3 
+ movdqu xmmword ptr [rsi + 0], xmm9 + movdqu xmmword ptr [rsi + 16], xmm10 + movdqu xmmword ptr [rsi + 32], xmm11 + movdqu xmmword ptr [rsi + 48], xmm12 + movdqu xmmword ptr [rsi + 64], xmm13 + movdqu xmmword ptr [rsi + 80], xmm14 + lea rsi, qword ptr [rsi + 96] + vpshufb xmm8, xmm9, xmm0 + vpshufb xmm2, xmm10, xmm0 + movdqu xmmword ptr [rbp + 112], xmm8 + vpshufb xmm4, xmm11, xmm0 + movdqu xmmword ptr [rbp + 96], xmm2 + vpshufb xmm5, xmm12, xmm0 + movdqu xmmword ptr [rbp + 80], xmm4 + vpshufb xmm6, xmm13, xmm0 + movdqu xmmword ptr [rbp + 64], xmm5 + vpshufb xmm7, xmm14, xmm0 + movdqu xmmword ptr [rbp + 48], xmm6 + movdqu xmm4, xmmword ptr [rcx + -128] + pxor xmm2, xmm2 + mov r11, 72057594037927936 + pinsrq xmm2, r11, 1 + movdqu xmm15, xmmword ptr [rcx + -112] + mov r12, rcx + sub r12, 96 + vpxor xmm9, xmm1, xmm4 + add rbx, 6 + cmp rbx, 256 + jae L120 + vpaddd xmm10, xmm1, xmm2 + vpaddd xmm11, xmm10, xmm2 + vpxor xmm10, xmm10, xmm4 + vpaddd xmm12, xmm11, xmm2 + vpxor xmm11, xmm11, xmm4 + vpaddd xmm13, xmm12, xmm2 + vpxor xmm12, xmm12, xmm4 + vpaddd xmm14, xmm13, xmm2 + vpxor xmm13, xmm13, xmm4 + vpaddd xmm1, xmm14, xmm2 + vpxor xmm14, xmm14, xmm4 + jmp L121 +L120: + sub rbx, 256 + vpshufb xmm6, xmm1, xmm0 + pxor xmm5, xmm5 + mov r11, 1 + pinsrq xmm5, r11, 0 + vpaddd xmm10, xmm6, xmm5 + pxor xmm5, xmm5 + mov r11, 2 + pinsrq xmm5, r11, 0 + vpaddd xmm11, xmm6, xmm5 + vpaddd xmm12, xmm10, xmm5 + vpshufb xmm10, xmm10, xmm0 + vpaddd xmm13, xmm11, xmm5 + vpshufb xmm11, xmm11, xmm0 + vpxor xmm10, xmm10, xmm4 + vpaddd xmm14, xmm12, xmm5 + vpshufb xmm12, xmm12, xmm0 + vpxor xmm11, xmm11, xmm4 + vpaddd xmm1, xmm13, xmm5 + vpshufb xmm13, xmm13, xmm0 + vpxor xmm12, xmm12, xmm4 + vpshufb xmm14, xmm14, xmm0 + vpxor xmm13, xmm13, xmm4 + vpshufb xmm1, xmm1, xmm0 + vpxor xmm14, xmm14, xmm4 +L121: + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu 
xmm15, xmmword ptr [rcx + -96] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -80] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -64] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -48] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -32] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -16] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + 0] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + 16] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + 32] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + 48] + vaesenc 
xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + 64] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + 80] + movdqu xmm3, xmmword ptr [rcx + 96] + vaesenc xmm9, xmm9, xmm15 + vpxor xmm4, xmm3, xmmword ptr [rdi + 0] + vaesenc xmm10, xmm10, xmm15 + vpxor xmm5, xmm3, xmmword ptr [rdi + 16] + vaesenc xmm11, xmm11, xmm15 + vpxor xmm6, xmm3, xmmword ptr [rdi + 32] + vaesenc xmm12, xmm12, xmm15 + vpxor xmm8, xmm3, xmmword ptr [rdi + 48] + vaesenc xmm13, xmm13, xmm15 + vpxor xmm2, xmm3, xmmword ptr [rdi + 64] + vaesenc xmm14, xmm14, xmm15 + vpxor xmm3, xmm3, xmmword ptr [rdi + 80] + lea rdi, qword ptr [rdi + 96] + vaesenclast xmm9, xmm9, xmm4 + vaesenclast xmm10, xmm10, xmm5 + vaesenclast xmm11, xmm11, xmm6 + vaesenclast xmm12, xmm12, xmm8 + vaesenclast xmm13, xmm13, xmm2 + vaesenclast xmm14, xmm14, xmm3 + movdqu xmmword ptr [rsi + 0], xmm9 + movdqu xmmword ptr [rsi + 16], xmm10 + movdqu xmmword ptr [rsi + 32], xmm11 + movdqu xmmword ptr [rsi + 48], xmm12 + movdqu xmmword ptr [rsi + 64], xmm13 + movdqu xmmword ptr [rsi + 80], xmm14 + lea rsi, qword ptr [rsi + 96] + sub rdx, 12 + movdqu xmm8, xmmword ptr [rbp + 32] + pxor xmm2, xmm2 + mov r11, 72057594037927936 + pinsrq xmm2, r11, 1 + vpxor xmm4, xmm4, xmm4 + movdqu xmm15, xmmword ptr [rcx + -128] + vpaddd xmm10, xmm1, xmm2 + vpaddd xmm11, xmm10, xmm2 + vpaddd xmm12, xmm11, xmm2 + vpaddd xmm13, xmm12, xmm2 + vpaddd xmm14, xmm13, xmm2 + vpxor xmm9, xmm1, xmm15 + movdqu xmmword ptr [rbp + 16], xmm4 + jmp L123 +ALIGN 16 +L122: + add rbx, 6 + cmp rbx, 256 + jb L124 + mov r11, 579005069656919567 + pinsrq xmm0, r11, 0 + mov r11, 283686952306183 + pinsrq xmm0, r11, 1 + vpshufb xmm6, xmm1, xmm0 + pxor xmm5, xmm5 + mov 
r11, 1 + pinsrq xmm5, r11, 0 + vpaddd xmm10, xmm6, xmm5 + pxor xmm5, xmm5 + mov r11, 2 + pinsrq xmm5, r11, 0 + vpaddd xmm11, xmm6, xmm5 + movdqu xmm3, xmmword ptr [r9 + -32] + vpaddd xmm12, xmm10, xmm5 + vpshufb xmm10, xmm10, xmm0 + vpaddd xmm13, xmm11, xmm5 + vpshufb xmm11, xmm11, xmm0 + vpxor xmm10, xmm10, xmm15 + vpaddd xmm14, xmm12, xmm5 + vpshufb xmm12, xmm12, xmm0 + vpxor xmm11, xmm11, xmm15 + vpaddd xmm1, xmm13, xmm5 + vpshufb xmm13, xmm13, xmm0 + vpshufb xmm14, xmm14, xmm0 + vpshufb xmm1, xmm1, xmm0 + sub rbx, 256 + jmp L125 +L124: + movdqu xmm3, xmmword ptr [r9 + -32] + vpaddd xmm1, xmm2, xmm14 + vpxor xmm10, xmm10, xmm15 + vpxor xmm11, xmm11, xmm15 +L125: + movdqu xmmword ptr [rbp + 128], xmm1 + vpclmulqdq xmm5, xmm7, xmm3, 16 + vpxor xmm12, xmm12, xmm15 + movdqu xmm2, xmmword ptr [rcx + -112] + vpclmulqdq xmm6, xmm7, xmm3, 1 + vaesenc xmm9, xmm9, xmm2 + movdqu xmm0, xmmword ptr [rbp + 48] + vpxor xmm13, xmm13, xmm15 + vpclmulqdq xmm1, xmm7, xmm3, 0 + vaesenc xmm10, xmm10, xmm2 + vpxor xmm14, xmm14, xmm15 + vpclmulqdq xmm7, xmm7, xmm3, 17 + vaesenc xmm11, xmm11, xmm2 + movdqu xmm3, xmmword ptr [r9 + -16] + vaesenc xmm12, xmm12, xmm2 + vpxor xmm6, xmm6, xmm5 + vpclmulqdq xmm5, xmm0, xmm3, 0 + vpxor xmm8, xmm8, xmm4 + vaesenc xmm13, xmm13, xmm2 + vpxor xmm4, xmm1, xmm5 + vpclmulqdq xmm1, xmm0, xmm3, 16 + vaesenc xmm14, xmm14, xmm2 + movdqu xmm15, xmmword ptr [rcx + -96] + vpclmulqdq xmm2, xmm0, xmm3, 1 + vaesenc xmm9, xmm9, xmm15 + vpxor xmm8, xmm8, xmmword ptr [rbp + 16] + vpclmulqdq xmm3, xmm0, xmm3, 17 + movdqu xmm0, xmmword ptr [rbp + 64] + vaesenc xmm10, xmm10, xmm15 + movbe r13, qword ptr [r14 + 88] + vaesenc xmm11, xmm11, xmm15 + movbe r12, qword ptr [r14 + 80] + vaesenc xmm12, xmm12, xmm15 + mov qword ptr [rbp + 32], r13 + vaesenc xmm13, xmm13, xmm15 + mov qword ptr [rbp + 40], r12 + movdqu xmm5, xmmword ptr [r9 + 16] + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -80] + vpxor xmm6, xmm6, xmm1 + vpclmulqdq xmm1, xmm0, xmm5, 0 + 
vaesenc xmm9, xmm9, xmm15 + vpxor xmm6, xmm6, xmm2 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vaesenc xmm10, xmm10, xmm15 + vpxor xmm7, xmm7, xmm3 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vaesenc xmm11, xmm11, xmm15 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [rbp + 80] + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -64] + vpxor xmm6, xmm6, xmm2 + vpclmulqdq xmm2, xmm0, xmm1, 0 + vaesenc xmm9, xmm9, xmm15 + vpxor xmm6, xmm6, xmm3 + vpclmulqdq xmm3, xmm0, xmm1, 16 + vaesenc xmm10, xmm10, xmm15 + movbe r13, qword ptr [r14 + 72] + vpxor xmm7, xmm7, xmm5 + vpclmulqdq xmm5, xmm0, xmm1, 1 + vaesenc xmm11, xmm11, xmm15 + movbe r12, qword ptr [r14 + 64] + vpclmulqdq xmm1, xmm0, xmm1, 17 + movdqu xmm0, xmmword ptr [rbp + 96] + vaesenc xmm12, xmm12, xmm15 + mov qword ptr [rbp + 48], r13 + vaesenc xmm13, xmm13, xmm15 + mov qword ptr [rbp + 56], r12 + vpxor xmm4, xmm4, xmm2 + movdqu xmm2, xmmword ptr [r9 + 64] + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -48] + vpxor xmm6, xmm6, xmm3 + vpclmulqdq xmm3, xmm0, xmm2, 0 + vaesenc xmm9, xmm9, xmm15 + vpxor xmm6, xmm6, xmm5 + vpclmulqdq xmm5, xmm0, xmm2, 16 + vaesenc xmm10, xmm10, xmm15 + movbe r13, qword ptr [r14 + 56] + vpxor xmm7, xmm7, xmm1 + vpclmulqdq xmm1, xmm0, xmm2, 1 + vpxor xmm8, xmm8, xmmword ptr [rbp + 112] + vaesenc xmm11, xmm11, xmm15 + movbe r12, qword ptr [r14 + 48] + vpclmulqdq xmm2, xmm0, xmm2, 17 + vaesenc xmm12, xmm12, xmm15 + mov qword ptr [rbp + 64], r13 + vaesenc xmm13, xmm13, xmm15 + mov qword ptr [rbp + 72], r12 + vpxor xmm4, xmm4, xmm3 + movdqu xmm3, xmmword ptr [r9 + 80] + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -32] + vpxor xmm6, xmm6, xmm5 + vpclmulqdq xmm5, xmm8, xmm3, 16 + vaesenc xmm9, xmm9, xmm15 + vpxor xmm6, xmm6, xmm1 + vpclmulqdq xmm1, xmm8, xmm3, 1 + vaesenc xmm10, xmm10, xmm15 + movbe r13, qword ptr [r14 + 40] 
+ vpxor xmm7, xmm7, xmm2 + vpclmulqdq xmm2, xmm8, xmm3, 0 + vaesenc xmm11, xmm11, xmm15 + movbe r12, qword ptr [r14 + 32] + vpclmulqdq xmm8, xmm8, xmm3, 17 + vaesenc xmm12, xmm12, xmm15 + mov qword ptr [rbp + 80], r13 + vaesenc xmm13, xmm13, xmm15 + mov qword ptr [rbp + 88], r12 + vpxor xmm6, xmm6, xmm5 + vaesenc xmm14, xmm14, xmm15 + vpxor xmm6, xmm6, xmm1 + movdqu xmm15, xmmword ptr [rcx + -16] + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm2 + pxor xmm3, xmm3 + mov r11, 13979173243358019584 + pinsrq xmm3, r11, 1 + vaesenc xmm9, xmm9, xmm15 + vpxor xmm7, xmm7, xmm8 + vaesenc xmm10, xmm10, xmm15 + vpxor xmm4, xmm4, xmm5 + movbe r13, qword ptr [r14 + 24] + vaesenc xmm11, xmm11, xmm15 + movbe r12, qword ptr [r14 + 16] + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + mov qword ptr [rbp + 96], r13 + vaesenc xmm12, xmm12, xmm15 + mov qword ptr [rbp + 104], r12 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm1, xmmword ptr [rcx + 0] + vaesenc xmm9, xmm9, xmm1 + movdqu xmm15, xmmword ptr [rcx + 16] + vaesenc xmm10, xmm10, xmm1 + vpsrldq xmm6, xmm6, 8 + vaesenc xmm11, xmm11, xmm1 + vpxor xmm7, xmm7, xmm6 + vaesenc xmm12, xmm12, xmm1 + vpxor xmm4, xmm4, xmm0 + movbe r13, qword ptr [r14 + 8] + vaesenc xmm13, xmm13, xmm1 + movbe r12, qword ptr [r14 + 0] + vaesenc xmm14, xmm14, xmm1 + movdqu xmm1, xmmword ptr [rcx + 32] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + vaesenc xmm9, xmm9, xmm1 + vaesenc xmm10, xmm10, xmm1 + vaesenc xmm11, xmm11, xmm1 + vaesenc xmm12, xmm12, xmm1 + vaesenc xmm13, xmm13, xmm1 + movdqu xmm15, xmmword ptr [rcx + 48] + vaesenc xmm14, xmm14, xmm1 + movdqu xmm1, xmmword ptr [rcx + 64] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + vaesenc xmm9, xmm9, 
xmm1 + vaesenc xmm10, xmm10, xmm1 + vaesenc xmm11, xmm11, xmm1 + vaesenc xmm12, xmm12, xmm1 + vaesenc xmm13, xmm13, xmm1 + movdqu xmm15, xmmword ptr [rcx + 80] + vaesenc xmm14, xmm14, xmm1 + movdqu xmm1, xmmword ptr [rcx + 96] + vaesenc xmm9, xmm9, xmm15 + movdqu xmmword ptr [rbp + 16], xmm7 + vpalignr xmm8, xmm4, xmm4, 8 + vaesenc xmm10, xmm10, xmm15 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm2, xmm1, xmmword ptr [rdi + 0] + vaesenc xmm11, xmm11, xmm15 + vpxor xmm0, xmm1, xmmword ptr [rdi + 16] + vaesenc xmm12, xmm12, xmm15 + vpxor xmm5, xmm1, xmmword ptr [rdi + 32] + vaesenc xmm13, xmm13, xmm15 + vpxor xmm6, xmm1, xmmword ptr [rdi + 48] + vaesenc xmm14, xmm14, xmm15 + vpxor xmm7, xmm1, xmmword ptr [rdi + 64] + vpxor xmm3, xmm1, xmmword ptr [rdi + 80] + movdqu xmm1, xmmword ptr [rbp + 128] + vaesenclast xmm9, xmm9, xmm2 + pxor xmm2, xmm2 + mov r11, 72057594037927936 + pinsrq xmm2, r11, 1 + vaesenclast xmm10, xmm10, xmm0 + vpaddd xmm0, xmm1, xmm2 + mov qword ptr [rbp + 112], r13 + lea rdi, qword ptr [rdi + 96] + vaesenclast xmm11, xmm11, xmm5 + vpaddd xmm5, xmm0, xmm2 + mov qword ptr [rbp + 120], r12 + lea rsi, qword ptr [rsi + 96] + movdqu xmm15, xmmword ptr [rcx + -128] + vaesenclast xmm12, xmm12, xmm6 + vpaddd xmm6, xmm5, xmm2 + vaesenclast xmm13, xmm13, xmm7 + vpaddd xmm7, xmm6, xmm2 + vaesenclast xmm14, xmm14, xmm3 + vpaddd xmm3, xmm7, xmm2 + sub rdx, 6 + add r14, 96 + cmp rdx, 0 + jbe L126 + movdqu xmmword ptr [rsi + -96], xmm9 + vpxor xmm9, xmm1, xmm15 + movdqu xmmword ptr [rsi + -80], xmm10 + movdqu xmm10, xmm0 + movdqu xmmword ptr [rsi + -64], xmm11 + movdqu xmm11, xmm5 + movdqu xmmword ptr [rsi + -48], xmm12 + movdqu xmm12, xmm6 + movdqu xmmword ptr [rsi + -32], xmm13 + movdqu xmm13, xmm7 + movdqu xmmword ptr [rsi + -16], xmm14 + movdqu xmm14, xmm3 + movdqu xmm7, xmmword ptr [rbp + 32] + jmp L127 +L126: + vpxor xmm8, xmm8, xmmword ptr [rbp + 16] + vpxor xmm8, xmm8, xmm4 +L127: +ALIGN 16 +L123: + cmp rdx, 0 + ja L122 + movdqu xmm7, xmmword ptr [rbp + 32] 
+ movdqu xmmword ptr [rbp + 32], xmm1 + pxor xmm4, xmm4 + movdqu xmmword ptr [rbp + 16], xmm4 + movdqu xmm3, xmmword ptr [r9 + -32] + vpclmulqdq xmm1, xmm7, xmm3, 0 + vpclmulqdq xmm5, xmm7, xmm3, 16 + movdqu xmm0, xmmword ptr [rbp + 48] + vpclmulqdq xmm6, xmm7, xmm3, 1 + vpclmulqdq xmm7, xmm7, xmm3, 17 + movdqu xmm3, xmmword ptr [r9 + -16] + vpxor xmm6, xmm6, xmm5 + vpclmulqdq xmm5, xmm0, xmm3, 0 + vpxor xmm8, xmm8, xmm4 + vpxor xmm4, xmm1, xmm5 + vpclmulqdq xmm1, xmm0, xmm3, 16 + vpclmulqdq xmm2, xmm0, xmm3, 1 + vpxor xmm8, xmm8, xmmword ptr [rbp + 16] + vpclmulqdq xmm3, xmm0, xmm3, 17 + movdqu xmm0, xmmword ptr [rbp + 64] + movdqu xmm5, xmmword ptr [r9 + 16] + vpxor xmm6, xmm6, xmm1 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpxor xmm6, xmm6, xmm2 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpxor xmm7, xmm7, xmm3 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [rbp + 80] + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vpxor xmm6, xmm6, xmm2 + vpclmulqdq xmm2, xmm0, xmm1, 0 + vpxor xmm6, xmm6, xmm3 + vpclmulqdq xmm3, xmm0, xmm1, 16 + vpxor xmm7, xmm7, xmm5 + vpclmulqdq xmm5, xmm0, xmm1, 1 + vpclmulqdq xmm1, xmm0, xmm1, 17 + movdqu xmm0, xmmword ptr [rbp + 96] + vpxor xmm4, xmm4, xmm2 + movdqu xmm2, xmmword ptr [r9 + 64] + vpxor xmm6, xmm6, xmm3 + vpclmulqdq xmm3, xmm0, xmm2, 0 + vpxor xmm6, xmm6, xmm5 + vpclmulqdq xmm5, xmm0, xmm2, 16 + vpxor xmm7, xmm7, xmm1 + vpclmulqdq xmm1, xmm0, xmm2, 1 + vpxor xmm8, xmm8, xmmword ptr [rbp + 112] + vpclmulqdq xmm2, xmm0, xmm2, 17 + vpxor xmm4, xmm4, xmm3 + movdqu xmm3, xmmword ptr [r9 + 80] + vpxor xmm6, xmm6, xmm5 + vpclmulqdq xmm5, xmm8, xmm3, 16 + vpxor xmm6, xmm6, xmm1 + vpclmulqdq xmm1, xmm8, xmm3, 1 + vpxor xmm7, xmm7, xmm2 + vpclmulqdq xmm2, xmm8, xmm3, 0 + vpclmulqdq xmm8, xmm8, xmm3, 17 + vpxor xmm6, xmm6, xmm5 + vpxor xmm6, xmm6, xmm1 + vpxor xmm4, xmm4, xmm2 + pxor xmm3, xmm3 + mov rax, 3254779904 + pinsrd xmm3, eax, 3 + vpxor xmm7, xmm7, xmm8 + vpslldq xmm5, xmm6, 8 + 
vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + mov r12, 579005069656919567 + pinsrq xmm0, r12, 0 + mov r12, 283686952306183 + pinsrq xmm0, r12, 1 + movdqu xmmword ptr [rsi + -96], xmm9 + vpshufb xmm9, xmm9, xmm0 + vpxor xmm1, xmm1, xmm7 + movdqu xmmword ptr [rsi + -80], xmm10 + vpshufb xmm10, xmm10, xmm0 + movdqu xmmword ptr [rsi + -64], xmm11 + vpshufb xmm11, xmm11, xmm0 + movdqu xmmword ptr [rsi + -48], xmm12 + vpshufb xmm12, xmm12, xmm0 + movdqu xmmword ptr [rsi + -32], xmm13 + vpshufb xmm13, xmm13, xmm0 + movdqu xmmword ptr [rsi + -16], xmm14 + vpshufb xmm14, xmm14, xmm0 + pxor xmm4, xmm4 + movdqu xmm7, xmm14 + movdqu xmmword ptr [rbp + 16], xmm4 + movdqu xmmword ptr [rbp + 48], xmm13 + movdqu xmmword ptr [rbp + 64], xmm12 + movdqu xmmword ptr [rbp + 80], xmm11 + movdqu xmmword ptr [rbp + 96], xmm10 + movdqu xmmword ptr [rbp + 112], xmm9 + movdqu xmm3, xmmword ptr [r9 + -32] + vpclmulqdq xmm1, xmm7, xmm3, 0 + vpclmulqdq xmm5, xmm7, xmm3, 16 + movdqu xmm0, xmmword ptr [rbp + 48] + vpclmulqdq xmm6, xmm7, xmm3, 1 + vpclmulqdq xmm7, xmm7, xmm3, 17 + movdqu xmm3, xmmword ptr [r9 + -16] + vpxor xmm6, xmm6, xmm5 + vpclmulqdq xmm5, xmm0, xmm3, 0 + vpxor xmm8, xmm8, xmm4 + vpxor xmm4, xmm1, xmm5 + vpclmulqdq xmm1, xmm0, xmm3, 16 + vpclmulqdq xmm2, xmm0, xmm3, 1 + vpxor xmm8, xmm8, xmmword ptr [rbp + 16] + vpclmulqdq xmm3, xmm0, xmm3, 17 + movdqu xmm0, xmmword ptr [rbp + 64] + movdqu xmm5, xmmword ptr [r9 + 16] + vpxor xmm6, xmm6, xmm1 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpxor xmm6, xmm6, xmm2 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpxor xmm7, xmm7, xmm3 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [rbp + 80] + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vpxor xmm6, xmm6, xmm2 + 
vpclmulqdq xmm2, xmm0, xmm1, 0 + vpxor xmm6, xmm6, xmm3 + vpclmulqdq xmm3, xmm0, xmm1, 16 + vpxor xmm7, xmm7, xmm5 + vpclmulqdq xmm5, xmm0, xmm1, 1 + vpclmulqdq xmm1, xmm0, xmm1, 17 + movdqu xmm0, xmmword ptr [rbp + 96] + vpxor xmm4, xmm4, xmm2 + movdqu xmm2, xmmword ptr [r9 + 64] + vpxor xmm6, xmm6, xmm3 + vpclmulqdq xmm3, xmm0, xmm2, 0 + vpxor xmm6, xmm6, xmm5 + vpclmulqdq xmm5, xmm0, xmm2, 16 + vpxor xmm7, xmm7, xmm1 + vpclmulqdq xmm1, xmm0, xmm2, 1 + vpxor xmm8, xmm8, xmmword ptr [rbp + 112] + vpclmulqdq xmm2, xmm0, xmm2, 17 + vpxor xmm4, xmm4, xmm3 + movdqu xmm3, xmmword ptr [r9 + 80] + vpxor xmm6, xmm6, xmm5 + vpclmulqdq xmm5, xmm8, xmm3, 16 + vpxor xmm6, xmm6, xmm1 + vpclmulqdq xmm1, xmm8, xmm3, 1 + vpxor xmm7, xmm7, xmm2 + vpclmulqdq xmm2, xmm8, xmm3, 0 + vpclmulqdq xmm8, xmm8, xmm3, 17 + vpxor xmm6, xmm6, xmm5 + vpxor xmm6, xmm6, xmm1 + vpxor xmm4, xmm4, xmm2 + pxor xmm3, xmm3 + mov rax, 3254779904 + pinsrd xmm3, eax, 3 + vpxor xmm7, xmm7, xmm8 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + sub rcx, 128 +L117: + movdqu xmm11, xmmword ptr [rbp + 32] + mov r8, rcx + mov rax, qword ptr [rsp + 312] + mov rdi, qword ptr [rsp + 320] + mov rdx, qword ptr [rsp + 328] + mov r14, rdx + mov r12, 579005069656919567 + pinsrq xmm9, r12, 0 + mov r12, 283686952306183 + pinsrq xmm9, r12, 1 + pshufb xmm11, xmm9 + pxor xmm10, xmm10 + mov rbx, 1 + pinsrd xmm10, ebx, 0 + mov r11, rax + mov r10, rdi + mov rbx, 0 + jmp L129 +ALIGN 16 +L128: + movdqu xmm0, xmm11 + pshufb xmm0, xmm9 + movdqu xmm2, xmmword ptr [r8 + 0] + pxor xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 16] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 32] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 48] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword 
ptr [r8 + 64] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 80] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 96] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 112] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 128] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 144] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 160] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 176] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 192] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 208] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 224] + aesenclast xmm0, xmm2 + pxor xmm2, xmm2 + movdqu xmm2, xmmword ptr [r11 + 0] + pxor xmm2, xmm0 + movdqu xmmword ptr [r10 + 0], xmm2 + add rbx, 1 + add r11, 16 + add r10, 16 + paddd xmm11, xmm10 +ALIGN 16 +L129: + cmp rbx, rdx + jne L128 + mov r11, rdi + jmp L131 +ALIGN 16 +L130: + add r11, 80 + movdqu xmm5, xmmword ptr [r9 + -32] + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + movdqu xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + -16] + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 16] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor 
xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 64] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 80] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + vpxor xmm4, xmm4, xmm1 + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + pxor xmm3, xmm3 + mov r10, 3254779904 + pinsrd xmm3, r10d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + add r11, 96 + sub rdx, 6 +ALIGN 16 +L131: + cmp rdx, 6 + jae L130 + cmp rdx, 0 + jbe L132 + mov r10, rdx + sub r10, 1 + imul r10, 16 + add r11, r10 + movdqu xmm5, xmmword ptr [r9 + -32] + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + cmp rdx, 1 + jne L134 + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm4, xmm1 + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + jmp L135 +L134: + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, 
xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + movdqu xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + -16] + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 2 + je L136 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 16] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 3 + je L138 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 4 + je L140 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 64] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + jmp L141 +L140: +L141: + jmp L139 +L138: +L139: + jmp L137 +L136: +L137: + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + vpxor xmm4, xmm4, xmm1 + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 +L135: + pxor xmm3, xmm3 + mov r10, 3254779904 + pinsrd xmm3, r10d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, 
xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + jmp L133 +L132: +L133: + add r14, qword ptr [rsp + 304] + imul r14, 16 + mov r13, qword ptr [rsp + 344] + cmp r13, r14 + jbe L142 + mov rax, qword ptr [rsp + 336] + mov r10, r13 + and r10, 15 + movdqu xmm0, xmm11 + pshufb xmm0, xmm9 + movdqu xmm2, xmmword ptr [r8 + 0] + pxor xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 16] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 32] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 48] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 64] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 80] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 96] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 112] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 128] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 144] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 160] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 176] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 192] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 208] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 224] + aesenclast xmm0, xmm2 + pxor xmm2, xmm2 + movdqu xmm4, xmmword ptr [rax + 0] + pxor xmm0, xmm4 + movdqu xmmword ptr [rax + 0], xmm0 + cmp r10, 8 + jae L144 + mov rcx, 0 + pinsrq xmm0, rcx, 1 + mov rcx, r10 + shl rcx, 3 + mov r11, 1 + shl r11, cl + sub r11, 1 + pextrq rcx, xmm0, 0 + and rcx, r11 + pinsrq xmm0, rcx, 0 + jmp L145 +L144: + mov rcx, r10 + sub rcx, 8 + shl rcx, 3 + mov r11, 1 + shl r11, cl + sub r11, 1 + pextrq rcx, xmm0, 1 + and rcx, r11 + pinsrq xmm0, rcx, 1 +L145: + pshufb xmm0, xmm9 + movdqu xmm5, xmmword ptr [r9 + -32] + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm4, xmm1 + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + pxor xmm3, xmm3 + mov r11, 3254779904 + pinsrd xmm3, r11d, 3 + 
vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + jmp L143 +L142: +L143: + mov r11, r15 + pxor xmm0, xmm0 + mov rax, r11 + imul rax, 8 + pinsrq xmm0, rax, 1 + mov rax, r13 + imul rax, 8 + pinsrq xmm0, rax, 0 + movdqu xmm5, xmmword ptr [r9 + -32] + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm4, xmm1 + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + pxor xmm3, xmm3 + mov r11, 3254779904 + pinsrd xmm3, r11d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + movdqu xmm0, xmmword ptr [rbp + 0] + pshufb xmm0, xmm9 + movdqu xmm2, xmmword ptr [r8 + 0] + pxor xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 16] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 32] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 48] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 64] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 80] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 96] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 112] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 128] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 144] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 160] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 176] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 192] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 208] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 224] + aesenclast 
xmm0, xmm2 + pxor xmm2, xmm2 + pshufb xmm8, xmm9 + pxor xmm8, xmm0 + mov r15, qword ptr [rsp + 360] + movdqu xmmword ptr [r15 + 0], xmm8 + pop rax + pinsrq xmm6, rax, 1 + pop rax + pinsrq xmm6, rax, 0 + pop rax + pinsrq xmm7, rax, 1 + pop rax + pinsrq xmm7, rax, 0 + pop rax + pinsrq xmm8, rax, 1 + pop rax + pinsrq xmm8, rax, 0 + pop rax + pinsrq xmm9, rax, 1 + pop rax + pinsrq xmm9, rax, 0 + pop rax + pinsrq xmm10, rax, 1 + pop rax + pinsrq xmm10, rax, 0 + pop rax + pinsrq xmm11, rax, 1 + pop rax + pinsrq xmm11, rax, 0 + pop rax + pinsrq xmm12, rax, 1 + pop rax + pinsrq xmm12, rax, 0 + pop rax + pinsrq xmm13, rax, 1 + pop rax + pinsrq xmm13, rax, 0 + pop rax + pinsrq xmm14, rax, 1 + pop rax + pinsrq xmm14, rax, 0 + pop rax + pinsrq xmm15, rax, 1 + pop rax + pinsrq xmm15, rax, 0 + pop rbx + pop rbp + pop rdi + pop rsi + pop r12 + pop r13 + pop r14 + pop r15 + ret +gcm256_encrypt_opt endp +ALIGN 16 +gcm128_decrypt_opt proc + push r15 + push r14 + push r13 + push r12 + push rsi + push rdi + push rbp + push rbx + pextrq rax, xmm15, 0 + push rax + pextrq rax, xmm15, 1 + push rax + pextrq rax, xmm14, 0 + push rax + pextrq rax, xmm14, 1 + push rax + pextrq rax, xmm13, 0 + push rax + pextrq rax, xmm13, 1 + push rax + pextrq rax, xmm12, 0 + push rax + pextrq rax, xmm12, 1 + push rax + pextrq rax, xmm11, 0 + push rax + pextrq rax, xmm11, 1 + push rax + pextrq rax, xmm10, 0 + push rax + pextrq rax, xmm10, 1 + push rax + pextrq rax, xmm9, 0 + push rax + pextrq rax, xmm9, 1 + push rax + pextrq rax, xmm8, 0 + push rax + pextrq rax, xmm8, 1 + push rax + pextrq rax, xmm7, 0 + push rax + pextrq rax, xmm7, 1 + push rax + pextrq rax, xmm6, 0 + push rax + pextrq rax, xmm6, 1 + push rax + mov rdi, rcx + mov rsi, rdx + mov rdx, r8 + mov rcx, r9 + mov r8, qword ptr [rsp + 264] + mov r9, qword ptr [rsp + 272] + mov rbp, qword ptr [rsp + 352] + mov r13, rcx + lea r9, qword ptr [r9 + 32] + mov rbx, qword ptr [rsp + 280] + mov rcx, rdx + imul rcx, 16 + mov r10, 579005069656919567 + pinsrq 
xmm9, r10, 0 + mov r10, 283686952306183 + pinsrq xmm9, r10, 1 + pxor xmm8, xmm8 + mov r11, rdi + jmp L147 +ALIGN 16 +L146: + add r11, 80 + movdqu xmm5, xmmword ptr [r9 + -32] + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + movdqu xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + -16] + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 16] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 64] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 80] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu 
xmm5, xmm1 + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + vpxor xmm4, xmm4, xmm1 + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + pxor xmm3, xmm3 + mov r10, 3254779904 + pinsrd xmm3, r10d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + add r11, 96 + sub rdx, 6 +ALIGN 16 +L147: + cmp rdx, 6 + jae L146 + cmp rdx, 0 + jbe L148 + mov r10, rdx + sub r10, 1 + imul r10, 16 + add r11, r10 + movdqu xmm5, xmmword ptr [r9 + -32] + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + cmp rdx, 1 + jne L150 + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm4, xmm1 + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + jmp L151 +L150: + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + movdqu xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + -16] + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 2 + je L152 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 16] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 3 + je L154 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + 
vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 4 + je L156 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 64] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + jmp L157 +L156: +L157: + jmp L155 +L154: +L155: + jmp L153 +L152: +L153: + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + vpxor xmm4, xmm4, xmm1 + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 +L151: + pxor xmm3, xmm3 + mov r10, 3254779904 + pinsrd xmm3, r10d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + jmp L149 +L148: +L149: + mov r15, rsi + cmp rsi, rcx + jbe L158 + movdqu xmm0, xmmword ptr [rbx + 0] + mov r10, rsi + and r10, 15 + cmp r10, 8 + jae L160 + mov rcx, 0 + pinsrq xmm0, rcx, 1 + mov rcx, r10 + shl rcx, 3 + mov r11, 1 + shl r11, cl + sub r11, 1 + pextrq rcx, xmm0, 0 + and rcx, r11 + pinsrq xmm0, rcx, 0 + jmp L161 +L160: + mov rcx, r10 + sub rcx, 8 + shl rcx, 3 + mov r11, 1 + shl r11, cl + sub r11, 1 + pextrq rcx, xmm0, 1 + and rcx, r11 + pinsrq xmm0, rcx, 1 +L161: + pshufb xmm0, xmm9 + movdqu xmm5, xmmword ptr [r9 + -32] + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, 
xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm4, xmm1 + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + pxor xmm3, xmm3 + mov r11, 3254779904 + pinsrd xmm3, r11d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + jmp L159 +L158: +L159: + mov rdi, qword ptr [rsp + 288] + mov rsi, qword ptr [rsp + 296] + mov rdx, qword ptr [rsp + 304] + mov rcx, r13 + movdqu xmm0, xmm9 + movdqu xmm1, xmmword ptr [r8 + 0] + movdqu xmmword ptr [rbp + 0], xmm1 + pxor xmm10, xmm10 + mov r11, 1 + pinsrq xmm10, r11, 0 + vpaddd xmm1, xmm1, xmm10 + cmp rdx, 0 + jne L162 + vpshufb xmm1, xmm1, xmm0 + movdqu xmmword ptr [rbp + 32], xmm1 + jmp L163 +L162: + movdqu xmmword ptr [rbp + 32], xmm8 + add rcx, 128 + pextrq rbx, xmm1, 0 + and rbx, 255 + vpshufb xmm1, xmm1, xmm0 + lea r14, qword ptr [rdi + 96] + movdqu xmm8, xmmword ptr [rbp + 32] + movdqu xmm7, xmmword ptr [rdi + 80] + movdqu xmm4, xmmword ptr [rdi + 64] + movdqu xmm5, xmmword ptr [rdi + 48] + movdqu xmm6, xmmword ptr [rdi + 32] + vpshufb xmm7, xmm7, xmm0 + movdqu xmm2, xmmword ptr [rdi + 16] + vpshufb xmm4, xmm4, xmm0 + movdqu xmm3, xmmword ptr [rdi + 0] + vpshufb xmm5, xmm5, xmm0 + movdqu xmmword ptr [rbp + 48], xmm4 + vpshufb xmm6, xmm6, xmm0 + movdqu xmmword ptr [rbp + 64], xmm5 + vpshufb xmm2, xmm2, xmm0 + movdqu xmmword ptr [rbp + 80], xmm6 + vpshufb xmm3, xmm3, xmm0 + movdqu xmmword ptr [rbp + 96], xmm2 + movdqu xmmword ptr [rbp + 112], xmm3 + pxor xmm2, xmm2 + mov r11, 72057594037927936 + pinsrq xmm2, r11, 1 + vpxor xmm4, xmm4, xmm4 + movdqu xmm15, xmmword ptr [rcx + -128] + vpaddd xmm10, xmm1, xmm2 + vpaddd xmm11, xmm10, xmm2 + vpaddd xmm12, xmm11, xmm2 + vpaddd xmm13, xmm12, xmm2 + vpaddd xmm14, xmm13, xmm2 + vpxor xmm9, xmm1, xmm15 + movdqu xmmword ptr [rbp + 16], xmm4 
+ cmp rdx, 6 + jne L164 + sub r14, 96 + jmp L165 +L164: +L165: + jmp L167 +ALIGN 16 +L166: + add rbx, 6 + cmp rbx, 256 + jb L168 + mov r11, 579005069656919567 + pinsrq xmm0, r11, 0 + mov r11, 283686952306183 + pinsrq xmm0, r11, 1 + vpshufb xmm6, xmm1, xmm0 + pxor xmm5, xmm5 + mov r11, 1 + pinsrq xmm5, r11, 0 + vpaddd xmm10, xmm6, xmm5 + pxor xmm5, xmm5 + mov r11, 2 + pinsrq xmm5, r11, 0 + vpaddd xmm11, xmm6, xmm5 + movdqu xmm3, xmmword ptr [r9 + -32] + vpaddd xmm12, xmm10, xmm5 + vpshufb xmm10, xmm10, xmm0 + vpaddd xmm13, xmm11, xmm5 + vpshufb xmm11, xmm11, xmm0 + vpxor xmm10, xmm10, xmm15 + vpaddd xmm14, xmm12, xmm5 + vpshufb xmm12, xmm12, xmm0 + vpxor xmm11, xmm11, xmm15 + vpaddd xmm1, xmm13, xmm5 + vpshufb xmm13, xmm13, xmm0 + vpshufb xmm14, xmm14, xmm0 + vpshufb xmm1, xmm1, xmm0 + sub rbx, 256 + jmp L169 +L168: + movdqu xmm3, xmmword ptr [r9 + -32] + vpaddd xmm1, xmm2, xmm14 + vpxor xmm10, xmm10, xmm15 + vpxor xmm11, xmm11, xmm15 +L169: + movdqu xmmword ptr [rbp + 128], xmm1 + vpclmulqdq xmm5, xmm7, xmm3, 16 + vpxor xmm12, xmm12, xmm15 + movdqu xmm2, xmmword ptr [rcx + -112] + vpclmulqdq xmm6, xmm7, xmm3, 1 + vaesenc xmm9, xmm9, xmm2 + movdqu xmm0, xmmword ptr [rbp + 48] + vpxor xmm13, xmm13, xmm15 + vpclmulqdq xmm1, xmm7, xmm3, 0 + vaesenc xmm10, xmm10, xmm2 + vpxor xmm14, xmm14, xmm15 + vpclmulqdq xmm7, xmm7, xmm3, 17 + vaesenc xmm11, xmm11, xmm2 + movdqu xmm3, xmmword ptr [r9 + -16] + vaesenc xmm12, xmm12, xmm2 + vpxor xmm6, xmm6, xmm5 + vpclmulqdq xmm5, xmm0, xmm3, 0 + vpxor xmm8, xmm8, xmm4 + vaesenc xmm13, xmm13, xmm2 + vpxor xmm4, xmm1, xmm5 + vpclmulqdq xmm1, xmm0, xmm3, 16 + vaesenc xmm14, xmm14, xmm2 + movdqu xmm15, xmmword ptr [rcx + -96] + vpclmulqdq xmm2, xmm0, xmm3, 1 + vaesenc xmm9, xmm9, xmm15 + vpxor xmm8, xmm8, xmmword ptr [rbp + 16] + vpclmulqdq xmm3, xmm0, xmm3, 17 + movdqu xmm0, xmmword ptr [rbp + 64] + vaesenc xmm10, xmm10, xmm15 + movbe r13, qword ptr [r14 + 88] + vaesenc xmm11, xmm11, xmm15 + movbe r12, qword ptr [r14 + 80] + vaesenc 
xmm12, xmm12, xmm15 + mov qword ptr [rbp + 32], r13 + vaesenc xmm13, xmm13, xmm15 + mov qword ptr [rbp + 40], r12 + movdqu xmm5, xmmword ptr [r9 + 16] + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -80] + vpxor xmm6, xmm6, xmm1 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vaesenc xmm9, xmm9, xmm15 + vpxor xmm6, xmm6, xmm2 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vaesenc xmm10, xmm10, xmm15 + vpxor xmm7, xmm7, xmm3 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vaesenc xmm11, xmm11, xmm15 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [rbp + 80] + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -64] + vpxor xmm6, xmm6, xmm2 + vpclmulqdq xmm2, xmm0, xmm1, 0 + vaesenc xmm9, xmm9, xmm15 + vpxor xmm6, xmm6, xmm3 + vpclmulqdq xmm3, xmm0, xmm1, 16 + vaesenc xmm10, xmm10, xmm15 + movbe r13, qword ptr [r14 + 72] + vpxor xmm7, xmm7, xmm5 + vpclmulqdq xmm5, xmm0, xmm1, 1 + vaesenc xmm11, xmm11, xmm15 + movbe r12, qword ptr [r14 + 64] + vpclmulqdq xmm1, xmm0, xmm1, 17 + movdqu xmm0, xmmword ptr [rbp + 96] + vaesenc xmm12, xmm12, xmm15 + mov qword ptr [rbp + 48], r13 + vaesenc xmm13, xmm13, xmm15 + mov qword ptr [rbp + 56], r12 + vpxor xmm4, xmm4, xmm2 + movdqu xmm2, xmmword ptr [r9 + 64] + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -48] + vpxor xmm6, xmm6, xmm3 + vpclmulqdq xmm3, xmm0, xmm2, 0 + vaesenc xmm9, xmm9, xmm15 + vpxor xmm6, xmm6, xmm5 + vpclmulqdq xmm5, xmm0, xmm2, 16 + vaesenc xmm10, xmm10, xmm15 + movbe r13, qword ptr [r14 + 56] + vpxor xmm7, xmm7, xmm1 + vpclmulqdq xmm1, xmm0, xmm2, 1 + vpxor xmm8, xmm8, xmmword ptr [rbp + 112] + vaesenc xmm11, xmm11, xmm15 + movbe r12, qword ptr [r14 + 48] + vpclmulqdq xmm2, xmm0, xmm2, 17 + vaesenc xmm12, xmm12, xmm15 + mov qword ptr [rbp + 64], r13 + vaesenc xmm13, xmm13, xmm15 + mov qword ptr [rbp + 72], r12 + vpxor xmm4, xmm4, xmm3 + movdqu xmm3, xmmword ptr [r9 + 
80] + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -32] + vpxor xmm6, xmm6, xmm5 + vpclmulqdq xmm5, xmm8, xmm3, 16 + vaesenc xmm9, xmm9, xmm15 + vpxor xmm6, xmm6, xmm1 + vpclmulqdq xmm1, xmm8, xmm3, 1 + vaesenc xmm10, xmm10, xmm15 + movbe r13, qword ptr [r14 + 40] + vpxor xmm7, xmm7, xmm2 + vpclmulqdq xmm2, xmm8, xmm3, 0 + vaesenc xmm11, xmm11, xmm15 + movbe r12, qword ptr [r14 + 32] + vpclmulqdq xmm8, xmm8, xmm3, 17 + vaesenc xmm12, xmm12, xmm15 + mov qword ptr [rbp + 80], r13 + vaesenc xmm13, xmm13, xmm15 + mov qword ptr [rbp + 88], r12 + vpxor xmm6, xmm6, xmm5 + vaesenc xmm14, xmm14, xmm15 + vpxor xmm6, xmm6, xmm1 + movdqu xmm15, xmmword ptr [rcx + -16] + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm2 + pxor xmm3, xmm3 + mov r11, 13979173243358019584 + pinsrq xmm3, r11, 1 + vaesenc xmm9, xmm9, xmm15 + vpxor xmm7, xmm7, xmm8 + vaesenc xmm10, xmm10, xmm15 + vpxor xmm4, xmm4, xmm5 + movbe r13, qword ptr [r14 + 24] + vaesenc xmm11, xmm11, xmm15 + movbe r12, qword ptr [r14 + 16] + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + mov qword ptr [rbp + 96], r13 + vaesenc xmm12, xmm12, xmm15 + mov qword ptr [rbp + 104], r12 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm1, xmmword ptr [rcx + 0] + vaesenc xmm9, xmm9, xmm1 + movdqu xmm15, xmmword ptr [rcx + 16] + vaesenc xmm10, xmm10, xmm1 + vpsrldq xmm6, xmm6, 8 + vaesenc xmm11, xmm11, xmm1 + vpxor xmm7, xmm7, xmm6 + vaesenc xmm12, xmm12, xmm1 + vpxor xmm4, xmm4, xmm0 + movbe r13, qword ptr [r14 + 8] + vaesenc xmm13, xmm13, xmm1 + movbe r12, qword ptr [r14 + 0] + vaesenc xmm14, xmm14, xmm1 + movdqu xmm1, xmmword ptr [rcx + 32] + vaesenc xmm9, xmm9, xmm15 + movdqu xmmword ptr [rbp + 16], xmm7 + vpalignr xmm8, xmm4, xmm4, 8 + vaesenc xmm10, xmm10, xmm15 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm2, xmm1, xmmword ptr [rdi + 0] + vaesenc xmm11, xmm11, xmm15 + vpxor xmm0, xmm1, xmmword ptr [rdi + 16] + vaesenc xmm12, xmm12, xmm15 + vpxor xmm5, xmm1, xmmword ptr [rdi 
+ 32] + vaesenc xmm13, xmm13, xmm15 + vpxor xmm6, xmm1, xmmword ptr [rdi + 48] + vaesenc xmm14, xmm14, xmm15 + vpxor xmm7, xmm1, xmmword ptr [rdi + 64] + vpxor xmm3, xmm1, xmmword ptr [rdi + 80] + movdqu xmm1, xmmword ptr [rbp + 128] + vaesenclast xmm9, xmm9, xmm2 + pxor xmm2, xmm2 + mov r11, 72057594037927936 + pinsrq xmm2, r11, 1 + vaesenclast xmm10, xmm10, xmm0 + vpaddd xmm0, xmm1, xmm2 + mov qword ptr [rbp + 112], r13 + lea rdi, qword ptr [rdi + 96] + vaesenclast xmm11, xmm11, xmm5 + vpaddd xmm5, xmm0, xmm2 + mov qword ptr [rbp + 120], r12 + lea rsi, qword ptr [rsi + 96] + movdqu xmm15, xmmword ptr [rcx + -128] + vaesenclast xmm12, xmm12, xmm6 + vpaddd xmm6, xmm5, xmm2 + vaesenclast xmm13, xmm13, xmm7 + vpaddd xmm7, xmm6, xmm2 + vaesenclast xmm14, xmm14, xmm3 + vpaddd xmm3, xmm7, xmm2 + sub rdx, 6 + cmp rdx, 6 + jbe L170 + add r14, 96 + jmp L171 +L170: +L171: + cmp rdx, 0 + jbe L172 + movdqu xmmword ptr [rsi + -96], xmm9 + vpxor xmm9, xmm1, xmm15 + movdqu xmmword ptr [rsi + -80], xmm10 + movdqu xmm10, xmm0 + movdqu xmmword ptr [rsi + -64], xmm11 + movdqu xmm11, xmm5 + movdqu xmmword ptr [rsi + -48], xmm12 + movdqu xmm12, xmm6 + movdqu xmmword ptr [rsi + -32], xmm13 + movdqu xmm13, xmm7 + movdqu xmmword ptr [rsi + -16], xmm14 + movdqu xmm14, xmm3 + movdqu xmm7, xmmword ptr [rbp + 32] + jmp L173 +L172: + vpxor xmm8, xmm8, xmmword ptr [rbp + 16] + vpxor xmm8, xmm8, xmm4 +L173: +ALIGN 16 +L167: + cmp rdx, 0 + ja L166 + movdqu xmmword ptr [rbp + 32], xmm1 + movdqu xmmword ptr [rsi + -96], xmm9 + movdqu xmmword ptr [rsi + -80], xmm10 + movdqu xmmword ptr [rsi + -64], xmm11 + movdqu xmmword ptr [rsi + -48], xmm12 + movdqu xmmword ptr [rsi + -32], xmm13 + movdqu xmmword ptr [rsi + -16], xmm14 + sub rcx, 128 +L163: + movdqu xmm11, xmmword ptr [rbp + 32] + mov r8, rcx + mov rax, qword ptr [rsp + 312] + mov rdi, qword ptr [rsp + 320] + mov rdx, qword ptr [rsp + 328] + mov r14, rdx + mov r12, 579005069656919567 + pinsrq xmm9, r12, 0 + mov r12, 283686952306183 + pinsrq 
xmm9, r12, 1 + pshufb xmm11, xmm9 + mov rbx, rdi + mov r12, rdx + mov rdi, rax + mov r11, rdi + jmp L175 +ALIGN 16 +L174: + add r11, 80 + movdqu xmm5, xmmword ptr [r9 + -32] + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + movdqu xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + -16] + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 16] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 64] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 80] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu 
xmm5, xmm1 + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + vpxor xmm4, xmm4, xmm1 + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + pxor xmm3, xmm3 + mov r10, 3254779904 + pinsrd xmm3, r10d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + add r11, 96 + sub rdx, 6 +ALIGN 16 +L175: + cmp rdx, 6 + jae L174 + cmp rdx, 0 + jbe L176 + mov r10, rdx + sub r10, 1 + imul r10, 16 + add r11, r10 + movdqu xmm5, xmmword ptr [r9 + -32] + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + cmp rdx, 1 + jne L178 + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm4, xmm1 + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + jmp L179 +L178: + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + movdqu xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + -16] + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 2 + je L180 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 16] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 3 + je L182 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + 
vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 4 + je L184 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 64] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + jmp L185 +L184: +L185: + jmp L183 +L182: +L183: + jmp L181 +L180: +L181: + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + vpxor xmm4, xmm4, xmm1 + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 +L179: + pxor xmm3, xmm3 + mov r10, 3254779904 + pinsrd xmm3, r10d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + jmp L177 +L176: +L177: + mov rdi, rbx + mov rdx, r12 + pxor xmm10, xmm10 + mov rbx, 1 + pinsrd xmm10, ebx, 0 + mov r11, rax + mov r10, rdi + mov rbx, 0 + jmp L187 +ALIGN 16 +L186: + movdqu xmm0, xmm11 + pshufb xmm0, xmm9 + movdqu xmm2, xmmword ptr [r8 + 0] + pxor xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 16] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 32] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 48] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 64] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 80] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 96] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 112] + 
aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 128] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 144] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 160] + aesenclast xmm0, xmm2 + pxor xmm2, xmm2 + movdqu xmm2, xmmword ptr [r11 + 0] + pxor xmm2, xmm0 + movdqu xmmword ptr [r10 + 0], xmm2 + add rbx, 1 + add r11, 16 + add r10, 16 + paddd xmm11, xmm10 +ALIGN 16 +L187: + cmp rbx, rdx + jne L186 + add r14, qword ptr [rsp + 304] + imul r14, 16 + mov r13, qword ptr [rsp + 344] + cmp r13, r14 + jbe L188 + mov rax, qword ptr [rsp + 336] + mov r10, r13 + and r10, 15 + movdqu xmm0, xmmword ptr [rax + 0] + movdqu xmm10, xmm0 + cmp r10, 8 + jae L190 + mov rcx, 0 + pinsrq xmm0, rcx, 1 + mov rcx, r10 + shl rcx, 3 + mov r11, 1 + shl r11, cl + sub r11, 1 + pextrq rcx, xmm0, 0 + and rcx, r11 + pinsrq xmm0, rcx, 0 + jmp L191 +L190: + mov rcx, r10 + sub rcx, 8 + shl rcx, 3 + mov r11, 1 + shl r11, cl + sub r11, 1 + pextrq rcx, xmm0, 1 + and rcx, r11 + pinsrq xmm0, rcx, 1 +L191: + pshufb xmm0, xmm9 + movdqu xmm5, xmmword ptr [r9 + -32] + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm4, xmm1 + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + pxor xmm3, xmm3 + mov r11, 3254779904 + pinsrd xmm3, r11d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + movdqu xmm0, xmm11 + pshufb xmm0, xmm9 + movdqu xmm2, xmmword ptr [r8 + 0] + pxor xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 16] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 32] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 48] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 64] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 80] + 
aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 96] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 112] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 128] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 144] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 160] + aesenclast xmm0, xmm2 + pxor xmm2, xmm2 + pxor xmm10, xmm0 + movdqu xmmword ptr [rax + 0], xmm10 + jmp L189 +L188: +L189: + mov r11, r15 + pxor xmm0, xmm0 + mov rax, r11 + imul rax, 8 + pinsrq xmm0, rax, 1 + mov rax, r13 + imul rax, 8 + pinsrq xmm0, rax, 0 + movdqu xmm5, xmmword ptr [r9 + -32] + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm4, xmm1 + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + pxor xmm3, xmm3 + mov r11, 3254779904 + pinsrd xmm3, r11d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + movdqu xmm0, xmmword ptr [rbp + 0] + pshufb xmm0, xmm9 + movdqu xmm2, xmmword ptr [r8 + 0] + pxor xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 16] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 32] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 48] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 64] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 80] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 96] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 112] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 128] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 144] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 160] + aesenclast xmm0, xmm2 + pxor xmm2, xmm2 + pshufb xmm8, xmm9 + pxor xmm8, xmm0 + mov r15, qword ptr [rsp + 360] + movdqu xmm0, xmmword ptr [r15 + 0] + pcmpeqd 
xmm0, xmm8 + pextrq rdx, xmm0, 0 + sub rdx, 18446744073709551615 + mov rax, 0 + adc rax, 0 + pextrq rdx, xmm0, 1 + sub rdx, 18446744073709551615 + mov rdx, 0 + adc rdx, 0 + add rax, rdx + mov rcx, rax + pop rax + pinsrq xmm6, rax, 1 + pop rax + pinsrq xmm6, rax, 0 + pop rax + pinsrq xmm7, rax, 1 + pop rax + pinsrq xmm7, rax, 0 + pop rax + pinsrq xmm8, rax, 1 + pop rax + pinsrq xmm8, rax, 0 + pop rax + pinsrq xmm9, rax, 1 + pop rax + pinsrq xmm9, rax, 0 + pop rax + pinsrq xmm10, rax, 1 + pop rax + pinsrq xmm10, rax, 0 + pop rax + pinsrq xmm11, rax, 1 + pop rax + pinsrq xmm11, rax, 0 + pop rax + pinsrq xmm12, rax, 1 + pop rax + pinsrq xmm12, rax, 0 + pop rax + pinsrq xmm13, rax, 1 + pop rax + pinsrq xmm13, rax, 0 + pop rax + pinsrq xmm14, rax, 1 + pop rax + pinsrq xmm14, rax, 0 + pop rax + pinsrq xmm15, rax, 1 + pop rax + pinsrq xmm15, rax, 0 + pop rbx + pop rbp + pop rdi + pop rsi + pop r12 + pop r13 + pop r14 + pop r15 + mov rax, rcx + ret +gcm128_decrypt_opt endp +ALIGN 16 +gcm256_decrypt_opt proc + push r15 + push r14 + push r13 + push r12 + push rsi + push rdi + push rbp + push rbx + pextrq rax, xmm15, 0 + push rax + pextrq rax, xmm15, 1 + push rax + pextrq rax, xmm14, 0 + push rax + pextrq rax, xmm14, 1 + push rax + pextrq rax, xmm13, 0 + push rax + pextrq rax, xmm13, 1 + push rax + pextrq rax, xmm12, 0 + push rax + pextrq rax, xmm12, 1 + push rax + pextrq rax, xmm11, 0 + push rax + pextrq rax, xmm11, 1 + push rax + pextrq rax, xmm10, 0 + push rax + pextrq rax, xmm10, 1 + push rax + pextrq rax, xmm9, 0 + push rax + pextrq rax, xmm9, 1 + push rax + pextrq rax, xmm8, 0 + push rax + pextrq rax, xmm8, 1 + push rax + pextrq rax, xmm7, 0 + push rax + pextrq rax, xmm7, 1 + push rax + pextrq rax, xmm6, 0 + push rax + pextrq rax, xmm6, 1 + push rax + mov rdi, rcx + mov rsi, rdx + mov rdx, r8 + mov rcx, r9 + mov r8, qword ptr [rsp + 264] + mov r9, qword ptr [rsp + 272] + mov rbp, qword ptr [rsp + 352] + mov r13, rcx + lea r9, qword ptr [r9 + 32] + mov rbx, qword ptr [rsp 
+ 280] + mov rcx, rdx + imul rcx, 16 + mov r10, 579005069656919567 + pinsrq xmm9, r10, 0 + mov r10, 283686952306183 + pinsrq xmm9, r10, 1 + pxor xmm8, xmm8 + mov r11, rdi + jmp L193 +ALIGN 16 +L192: + add r11, 80 + movdqu xmm5, xmmword ptr [r9 + -32] + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + movdqu xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + -16] + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 16] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 64] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 80] + vpxor 
xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + vpxor xmm4, xmm4, xmm1 + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + pxor xmm3, xmm3 + mov r10, 3254779904 + pinsrd xmm3, r10d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + add r11, 96 + sub rdx, 6 +ALIGN 16 +L193: + cmp rdx, 6 + jae L192 + cmp rdx, 0 + jbe L194 + mov r10, rdx + sub r10, 1 + imul r10, 16 + add r11, r10 + movdqu xmm5, xmmword ptr [r9 + -32] + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + cmp rdx, 1 + jne L196 + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm4, xmm1 + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + jmp L197 +L196: + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + movdqu xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + -16] + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 2 + je L198 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 16] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 3 + je L200 + sub r11, 16 + vpclmulqdq xmm1, xmm0, 
xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 4 + je L202 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 64] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + jmp L203 +L202: +L203: + jmp L201 +L200: +L201: + jmp L199 +L198: +L199: + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + vpxor xmm4, xmm4, xmm1 + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 +L197: + pxor xmm3, xmm3 + mov r10, 3254779904 + pinsrd xmm3, r10d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + jmp L195 +L194: +L195: + mov r15, rsi + cmp rsi, rcx + jbe L204 + movdqu xmm0, xmmword ptr [rbx + 0] + mov r10, rsi + and r10, 15 + cmp r10, 8 + jae L206 + mov rcx, 0 + pinsrq xmm0, rcx, 1 + mov rcx, r10 + shl rcx, 3 + mov r11, 1 + shl r11, cl + sub r11, 1 + pextrq rcx, xmm0, 0 + and rcx, r11 + pinsrq xmm0, rcx, 0 + jmp L207 +L206: + mov rcx, r10 + sub rcx, 8 + shl rcx, 3 + mov r11, 1 + shl r11, cl + sub r11, 1 + pextrq rcx, xmm0, 1 + and rcx, r11 + pinsrq xmm0, rcx, 1 +L207: + pshufb xmm0, xmm9 + movdqu xmm5, xmmword ptr [r9 + -32] + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, 
xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm4, xmm1 + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + pxor xmm3, xmm3 + mov r11, 3254779904 + pinsrd xmm3, r11d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + jmp L205 +L204: +L205: + mov rdi, qword ptr [rsp + 288] + mov rsi, qword ptr [rsp + 296] + mov rdx, qword ptr [rsp + 304] + mov rcx, r13 + movdqu xmm0, xmm9 + movdqu xmm1, xmmword ptr [r8 + 0] + movdqu xmmword ptr [rbp + 0], xmm1 + pxor xmm10, xmm10 + mov r11, 1 + pinsrq xmm10, r11, 0 + vpaddd xmm1, xmm1, xmm10 + cmp rdx, 0 + jne L208 + vpshufb xmm1, xmm1, xmm0 + movdqu xmmword ptr [rbp + 32], xmm1 + jmp L209 +L208: + movdqu xmmword ptr [rbp + 32], xmm8 + add rcx, 128 + pextrq rbx, xmm1, 0 + and rbx, 255 + vpshufb xmm1, xmm1, xmm0 + lea r14, qword ptr [rdi + 96] + movdqu xmm8, xmmword ptr [rbp + 32] + movdqu xmm7, xmmword ptr [rdi + 80] + movdqu xmm4, xmmword ptr [rdi + 64] + movdqu xmm5, xmmword ptr [rdi + 48] + movdqu xmm6, xmmword ptr [rdi + 32] + vpshufb xmm7, xmm7, xmm0 + movdqu xmm2, xmmword ptr [rdi + 16] + vpshufb xmm4, xmm4, xmm0 + movdqu xmm3, xmmword ptr [rdi + 0] + vpshufb xmm5, xmm5, xmm0 + movdqu xmmword ptr [rbp + 48], xmm4 + vpshufb xmm6, xmm6, xmm0 + movdqu xmmword ptr [rbp + 64], xmm5 + vpshufb xmm2, xmm2, xmm0 + movdqu xmmword ptr [rbp + 80], xmm6 + vpshufb xmm3, xmm3, xmm0 + movdqu xmmword ptr [rbp + 96], xmm2 + movdqu xmmword ptr [rbp + 112], xmm3 + pxor xmm2, xmm2 + mov r11, 72057594037927936 + pinsrq xmm2, r11, 1 + vpxor xmm4, xmm4, xmm4 + movdqu xmm15, xmmword ptr [rcx + -128] + vpaddd xmm10, xmm1, xmm2 + vpaddd xmm11, xmm10, xmm2 + vpaddd xmm12, xmm11, xmm2 + vpaddd xmm13, xmm12, xmm2 + vpaddd xmm14, 
xmm13, xmm2 + vpxor xmm9, xmm1, xmm15 + movdqu xmmword ptr [rbp + 16], xmm4 + cmp rdx, 6 + jne L210 + sub r14, 96 + jmp L211 +L210: +L211: + jmp L213 +ALIGN 16 +L212: + add rbx, 6 + cmp rbx, 256 + jb L214 + mov r11, 579005069656919567 + pinsrq xmm0, r11, 0 + mov r11, 283686952306183 + pinsrq xmm0, r11, 1 + vpshufb xmm6, xmm1, xmm0 + pxor xmm5, xmm5 + mov r11, 1 + pinsrq xmm5, r11, 0 + vpaddd xmm10, xmm6, xmm5 + pxor xmm5, xmm5 + mov r11, 2 + pinsrq xmm5, r11, 0 + vpaddd xmm11, xmm6, xmm5 + movdqu xmm3, xmmword ptr [r9 + -32] + vpaddd xmm12, xmm10, xmm5 + vpshufb xmm10, xmm10, xmm0 + vpaddd xmm13, xmm11, xmm5 + vpshufb xmm11, xmm11, xmm0 + vpxor xmm10, xmm10, xmm15 + vpaddd xmm14, xmm12, xmm5 + vpshufb xmm12, xmm12, xmm0 + vpxor xmm11, xmm11, xmm15 + vpaddd xmm1, xmm13, xmm5 + vpshufb xmm13, xmm13, xmm0 + vpshufb xmm14, xmm14, xmm0 + vpshufb xmm1, xmm1, xmm0 + sub rbx, 256 + jmp L215 +L214: + movdqu xmm3, xmmword ptr [r9 + -32] + vpaddd xmm1, xmm2, xmm14 + vpxor xmm10, xmm10, xmm15 + vpxor xmm11, xmm11, xmm15 +L215: + movdqu xmmword ptr [rbp + 128], xmm1 + vpclmulqdq xmm5, xmm7, xmm3, 16 + vpxor xmm12, xmm12, xmm15 + movdqu xmm2, xmmword ptr [rcx + -112] + vpclmulqdq xmm6, xmm7, xmm3, 1 + vaesenc xmm9, xmm9, xmm2 + movdqu xmm0, xmmword ptr [rbp + 48] + vpxor xmm13, xmm13, xmm15 + vpclmulqdq xmm1, xmm7, xmm3, 0 + vaesenc xmm10, xmm10, xmm2 + vpxor xmm14, xmm14, xmm15 + vpclmulqdq xmm7, xmm7, xmm3, 17 + vaesenc xmm11, xmm11, xmm2 + movdqu xmm3, xmmword ptr [r9 + -16] + vaesenc xmm12, xmm12, xmm2 + vpxor xmm6, xmm6, xmm5 + vpclmulqdq xmm5, xmm0, xmm3, 0 + vpxor xmm8, xmm8, xmm4 + vaesenc xmm13, xmm13, xmm2 + vpxor xmm4, xmm1, xmm5 + vpclmulqdq xmm1, xmm0, xmm3, 16 + vaesenc xmm14, xmm14, xmm2 + movdqu xmm15, xmmword ptr [rcx + -96] + vpclmulqdq xmm2, xmm0, xmm3, 1 + vaesenc xmm9, xmm9, xmm15 + vpxor xmm8, xmm8, xmmword ptr [rbp + 16] + vpclmulqdq xmm3, xmm0, xmm3, 17 + movdqu xmm0, xmmword ptr [rbp + 64] + vaesenc xmm10, xmm10, xmm15 + movbe r13, qword ptr [r14 + 88] + 
vaesenc xmm11, xmm11, xmm15 + movbe r12, qword ptr [r14 + 80] + vaesenc xmm12, xmm12, xmm15 + mov qword ptr [rbp + 32], r13 + vaesenc xmm13, xmm13, xmm15 + mov qword ptr [rbp + 40], r12 + movdqu xmm5, xmmword ptr [r9 + 16] + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -80] + vpxor xmm6, xmm6, xmm1 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vaesenc xmm9, xmm9, xmm15 + vpxor xmm6, xmm6, xmm2 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vaesenc xmm10, xmm10, xmm15 + vpxor xmm7, xmm7, xmm3 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vaesenc xmm11, xmm11, xmm15 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [rbp + 80] + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -64] + vpxor xmm6, xmm6, xmm2 + vpclmulqdq xmm2, xmm0, xmm1, 0 + vaesenc xmm9, xmm9, xmm15 + vpxor xmm6, xmm6, xmm3 + vpclmulqdq xmm3, xmm0, xmm1, 16 + vaesenc xmm10, xmm10, xmm15 + movbe r13, qword ptr [r14 + 72] + vpxor xmm7, xmm7, xmm5 + vpclmulqdq xmm5, xmm0, xmm1, 1 + vaesenc xmm11, xmm11, xmm15 + movbe r12, qword ptr [r14 + 64] + vpclmulqdq xmm1, xmm0, xmm1, 17 + movdqu xmm0, xmmword ptr [rbp + 96] + vaesenc xmm12, xmm12, xmm15 + mov qword ptr [rbp + 48], r13 + vaesenc xmm13, xmm13, xmm15 + mov qword ptr [rbp + 56], r12 + vpxor xmm4, xmm4, xmm2 + movdqu xmm2, xmmword ptr [r9 + 64] + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -48] + vpxor xmm6, xmm6, xmm3 + vpclmulqdq xmm3, xmm0, xmm2, 0 + vaesenc xmm9, xmm9, xmm15 + vpxor xmm6, xmm6, xmm5 + vpclmulqdq xmm5, xmm0, xmm2, 16 + vaesenc xmm10, xmm10, xmm15 + movbe r13, qword ptr [r14 + 56] + vpxor xmm7, xmm7, xmm1 + vpclmulqdq xmm1, xmm0, xmm2, 1 + vpxor xmm8, xmm8, xmmword ptr [rbp + 112] + vaesenc xmm11, xmm11, xmm15 + movbe r12, qword ptr [r14 + 48] + vpclmulqdq xmm2, xmm0, xmm2, 17 + vaesenc xmm12, xmm12, xmm15 + mov qword ptr [rbp + 64], r13 + vaesenc xmm13, xmm13, xmm15 + mov qword ptr 
[rbp + 72], r12 + vpxor xmm4, xmm4, xmm3 + movdqu xmm3, xmmword ptr [r9 + 80] + vaesenc xmm14, xmm14, xmm15 + movdqu xmm15, xmmword ptr [rcx + -32] + vpxor xmm6, xmm6, xmm5 + vpclmulqdq xmm5, xmm8, xmm3, 16 + vaesenc xmm9, xmm9, xmm15 + vpxor xmm6, xmm6, xmm1 + vpclmulqdq xmm1, xmm8, xmm3, 1 + vaesenc xmm10, xmm10, xmm15 + movbe r13, qword ptr [r14 + 40] + vpxor xmm7, xmm7, xmm2 + vpclmulqdq xmm2, xmm8, xmm3, 0 + vaesenc xmm11, xmm11, xmm15 + movbe r12, qword ptr [r14 + 32] + vpclmulqdq xmm8, xmm8, xmm3, 17 + vaesenc xmm12, xmm12, xmm15 + mov qword ptr [rbp + 80], r13 + vaesenc xmm13, xmm13, xmm15 + mov qword ptr [rbp + 88], r12 + vpxor xmm6, xmm6, xmm5 + vaesenc xmm14, xmm14, xmm15 + vpxor xmm6, xmm6, xmm1 + movdqu xmm15, xmmword ptr [rcx + -16] + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm2 + pxor xmm3, xmm3 + mov r11, 13979173243358019584 + pinsrq xmm3, r11, 1 + vaesenc xmm9, xmm9, xmm15 + vpxor xmm7, xmm7, xmm8 + vaesenc xmm10, xmm10, xmm15 + vpxor xmm4, xmm4, xmm5 + movbe r13, qword ptr [r14 + 24] + vaesenc xmm11, xmm11, xmm15 + movbe r12, qword ptr [r14 + 16] + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + mov qword ptr [rbp + 96], r13 + vaesenc xmm12, xmm12, xmm15 + mov qword ptr [rbp + 104], r12 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + movdqu xmm1, xmmword ptr [rcx + 0] + vaesenc xmm9, xmm9, xmm1 + movdqu xmm15, xmmword ptr [rcx + 16] + vaesenc xmm10, xmm10, xmm1 + vpsrldq xmm6, xmm6, 8 + vaesenc xmm11, xmm11, xmm1 + vpxor xmm7, xmm7, xmm6 + vaesenc xmm12, xmm12, xmm1 + vpxor xmm4, xmm4, xmm0 + movbe r13, qword ptr [r14 + 8] + vaesenc xmm13, xmm13, xmm1 + movbe r12, qword ptr [r14 + 0] + vaesenc xmm14, xmm14, xmm1 + movdqu xmm1, xmmword ptr [rcx + 32] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + vaesenc xmm9, xmm9, xmm1 + vaesenc xmm10, xmm10, xmm1 + vaesenc xmm11, xmm11, xmm1 + 
vaesenc xmm12, xmm12, xmm1 + vaesenc xmm13, xmm13, xmm1 + movdqu xmm15, xmmword ptr [rcx + 48] + vaesenc xmm14, xmm14, xmm1 + movdqu xmm1, xmmword ptr [rcx + 64] + vaesenc xmm9, xmm9, xmm15 + vaesenc xmm10, xmm10, xmm15 + vaesenc xmm11, xmm11, xmm15 + vaesenc xmm12, xmm12, xmm15 + vaesenc xmm13, xmm13, xmm15 + vaesenc xmm14, xmm14, xmm15 + vaesenc xmm9, xmm9, xmm1 + vaesenc xmm10, xmm10, xmm1 + vaesenc xmm11, xmm11, xmm1 + vaesenc xmm12, xmm12, xmm1 + vaesenc xmm13, xmm13, xmm1 + movdqu xmm15, xmmword ptr [rcx + 80] + vaesenc xmm14, xmm14, xmm1 + movdqu xmm1, xmmword ptr [rcx + 96] + vaesenc xmm9, xmm9, xmm15 + movdqu xmmword ptr [rbp + 16], xmm7 + vpalignr xmm8, xmm4, xmm4, 8 + vaesenc xmm10, xmm10, xmm15 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm2, xmm1, xmmword ptr [rdi + 0] + vaesenc xmm11, xmm11, xmm15 + vpxor xmm0, xmm1, xmmword ptr [rdi + 16] + vaesenc xmm12, xmm12, xmm15 + vpxor xmm5, xmm1, xmmword ptr [rdi + 32] + vaesenc xmm13, xmm13, xmm15 + vpxor xmm6, xmm1, xmmword ptr [rdi + 48] + vaesenc xmm14, xmm14, xmm15 + vpxor xmm7, xmm1, xmmword ptr [rdi + 64] + vpxor xmm3, xmm1, xmmword ptr [rdi + 80] + movdqu xmm1, xmmword ptr [rbp + 128] + vaesenclast xmm9, xmm9, xmm2 + pxor xmm2, xmm2 + mov r11, 72057594037927936 + pinsrq xmm2, r11, 1 + vaesenclast xmm10, xmm10, xmm0 + vpaddd xmm0, xmm1, xmm2 + mov qword ptr [rbp + 112], r13 + lea rdi, qword ptr [rdi + 96] + vaesenclast xmm11, xmm11, xmm5 + vpaddd xmm5, xmm0, xmm2 + mov qword ptr [rbp + 120], r12 + lea rsi, qword ptr [rsi + 96] + movdqu xmm15, xmmword ptr [rcx + -128] + vaesenclast xmm12, xmm12, xmm6 + vpaddd xmm6, xmm5, xmm2 + vaesenclast xmm13, xmm13, xmm7 + vpaddd xmm7, xmm6, xmm2 + vaesenclast xmm14, xmm14, xmm3 + vpaddd xmm3, xmm7, xmm2 + sub rdx, 6 + cmp rdx, 6 + jbe L216 + add r14, 96 + jmp L217 +L216: +L217: + cmp rdx, 0 + jbe L218 + movdqu xmmword ptr [rsi + -96], xmm9 + vpxor xmm9, xmm1, xmm15 + movdqu xmmword ptr [rsi + -80], xmm10 + movdqu xmm10, xmm0 + movdqu xmmword ptr [rsi + -64], xmm11 + 
movdqu xmm11, xmm5 + movdqu xmmword ptr [rsi + -48], xmm12 + movdqu xmm12, xmm6 + movdqu xmmword ptr [rsi + -32], xmm13 + movdqu xmm13, xmm7 + movdqu xmmword ptr [rsi + -16], xmm14 + movdqu xmm14, xmm3 + movdqu xmm7, xmmword ptr [rbp + 32] + jmp L219 +L218: + vpxor xmm8, xmm8, xmmword ptr [rbp + 16] + vpxor xmm8, xmm8, xmm4 +L219: +ALIGN 16 +L213: + cmp rdx, 0 + ja L212 + movdqu xmmword ptr [rbp + 32], xmm1 + movdqu xmmword ptr [rsi + -96], xmm9 + movdqu xmmword ptr [rsi + -80], xmm10 + movdqu xmmword ptr [rsi + -64], xmm11 + movdqu xmmword ptr [rsi + -48], xmm12 + movdqu xmmword ptr [rsi + -32], xmm13 + movdqu xmmword ptr [rsi + -16], xmm14 + sub rcx, 128 +L209: + movdqu xmm11, xmmword ptr [rbp + 32] + mov r8, rcx + mov rax, qword ptr [rsp + 312] + mov rdi, qword ptr [rsp + 320] + mov rdx, qword ptr [rsp + 328] + mov r14, rdx + mov r12, 579005069656919567 + pinsrq xmm9, r12, 0 + mov r12, 283686952306183 + pinsrq xmm9, r12, 1 + pshufb xmm11, xmm9 + mov rbx, rdi + mov r12, rdx + mov rdi, rax + mov r11, rdi + jmp L221 +ALIGN 16 +L220: + add r11, 80 + movdqu xmm5, xmmword ptr [r9 + -32] + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + movdqu xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + -16] + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 16] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + 
movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 64] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 80] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + vpxor xmm4, xmm4, xmm1 + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + pxor xmm3, xmm3 + mov r10, 3254779904 + pinsrd xmm3, r10d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + add r11, 96 + sub rdx, 6 +ALIGN 16 +L221: + cmp rdx, 6 + jae L220 + cmp rdx, 0 + jbe L222 + mov r10, rdx + sub r10, 1 + imul r10, 16 + add r11, r10 + movdqu xmm5, xmmword ptr [r9 + -32] + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + cmp rdx, 1 + jne L224 + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu 
xmm4, xmm1 + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + jmp L225 +L224: + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + movdqu xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + -16] + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 2 + je L226 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 16] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 3 + je L228 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 32] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + cmp rdx, 4 + je L230 + sub r11, 16 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm0, xmmword ptr [r11 + 0] + pshufb xmm0, xmm9 + vpxor xmm4, xmm4, xmm1 + movdqu xmm1, xmmword ptr [r9 + 64] + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 + movdqu xmm5, xmm1 + jmp L231 +L230: +L231: + jmp L229 +L228: +L229: + jmp L227 +L226: +L227: + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + vpxor xmm4, xmm4, xmm1 + vpxor xmm6, xmm6, xmm2 + vpxor xmm6, xmm6, xmm3 + vpxor xmm7, xmm7, xmm5 +L225: + pxor xmm3, xmm3 + mov r10, 3254779904 + pinsrd xmm3, r10d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, 
xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + jmp L223 +L222: +L223: + mov rdi, rbx + mov rdx, r12 + pxor xmm10, xmm10 + mov rbx, 1 + pinsrd xmm10, ebx, 0 + mov r11, rax + mov r10, rdi + mov rbx, 0 + jmp L233 +ALIGN 16 +L232: + movdqu xmm0, xmm11 + pshufb xmm0, xmm9 + movdqu xmm2, xmmword ptr [r8 + 0] + pxor xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 16] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 32] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 48] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 64] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 80] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 96] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 112] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 128] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 144] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 160] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 176] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 192] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 208] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 224] + aesenclast xmm0, xmm2 + pxor xmm2, xmm2 + movdqu xmm2, xmmword ptr [r11 + 0] + pxor xmm2, xmm0 + movdqu xmmword ptr [r10 + 0], xmm2 + add rbx, 1 + add r11, 16 + add r10, 16 + paddd xmm11, xmm10 +ALIGN 16 +L233: + cmp rbx, rdx + jne L232 + add r14, qword ptr [rsp + 304] + imul r14, 16 + mov r13, qword ptr [rsp + 344] + cmp r13, r14 + jbe L234 + mov rax, qword ptr [rsp + 336] + mov r10, r13 + and r10, 15 + movdqu xmm0, xmmword ptr [rax + 0] + movdqu xmm10, xmm0 + cmp r10, 8 + jae L236 + mov rcx, 0 + pinsrq xmm0, rcx, 1 + mov rcx, r10 + shl rcx, 3 + mov r11, 1 + shl r11, cl + sub r11, 1 + pextrq rcx, xmm0, 0 + and rcx, r11 + pinsrq xmm0, rcx, 0 + jmp L237 +L236: + 
mov rcx, r10 + sub rcx, 8 + shl rcx, 3 + mov r11, 1 + shl r11, cl + sub r11, 1 + pextrq rcx, xmm0, 1 + and rcx, r11 + pinsrq xmm0, rcx, 1 +L237: + pshufb xmm0, xmm9 + movdqu xmm5, xmmword ptr [r9 + -32] + vpxor xmm0, xmm8, xmm0 + vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm4, xmm1 + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + pxor xmm3, xmm3 + mov r11, 3254779904 + pinsrd xmm3, r11d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + movdqu xmm0, xmm11 + pshufb xmm0, xmm9 + movdqu xmm2, xmmword ptr [r8 + 0] + pxor xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 16] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 32] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 48] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 64] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 80] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 96] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 112] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 128] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 144] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 160] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 176] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 192] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 208] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 224] + aesenclast xmm0, xmm2 + pxor xmm2, xmm2 + pxor xmm10, xmm0 + movdqu xmmword ptr [rax + 0], xmm10 + jmp L235 +L234: +L235: + mov r11, r15 + pxor xmm0, xmm0 + mov rax, r11 + imul rax, 8 + pinsrq xmm0, rax, 1 + mov rax, r13 + imul rax, 8 + pinsrq xmm0, rax, 0 + movdqu xmm5, xmmword ptr [r9 + -32] + vpxor xmm0, xmm8, xmm0 + 
vpclmulqdq xmm1, xmm0, xmm5, 0 + vpclmulqdq xmm2, xmm0, xmm5, 16 + vpclmulqdq xmm3, xmm0, xmm5, 1 + vpclmulqdq xmm5, xmm0, xmm5, 17 + movdqu xmm4, xmm1 + vpxor xmm6, xmm2, xmm3 + movdqu xmm7, xmm5 + pxor xmm3, xmm3 + mov r11, 3254779904 + pinsrd xmm3, r11d, 3 + vpslldq xmm5, xmm6, 8 + vpxor xmm4, xmm4, xmm5 + vpalignr xmm0, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpsrldq xmm6, xmm6, 8 + vpxor xmm7, xmm7, xmm6 + vpxor xmm4, xmm4, xmm0 + vpalignr xmm8, xmm4, xmm4, 8 + vpclmulqdq xmm4, xmm4, xmm3, 16 + vpxor xmm8, xmm8, xmm7 + vpxor xmm8, xmm8, xmm4 + movdqu xmm0, xmmword ptr [rbp + 0] + pshufb xmm0, xmm9 + movdqu xmm2, xmmword ptr [r8 + 0] + pxor xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 16] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 32] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 48] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 64] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 80] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 96] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 112] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 128] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 144] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 160] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 176] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 192] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 208] + aesenc xmm0, xmm2 + movdqu xmm2, xmmword ptr [r8 + 224] + aesenclast xmm0, xmm2 + pxor xmm2, xmm2 + pshufb xmm8, xmm9 + pxor xmm8, xmm0 + mov r15, qword ptr [rsp + 360] + movdqu xmm0, xmmword ptr [r15 + 0] + pcmpeqd xmm0, xmm8 + pextrq rdx, xmm0, 0 + sub rdx, 18446744073709551615 + mov rax, 0 + adc rax, 0 + pextrq rdx, xmm0, 1 + sub rdx, 18446744073709551615 + mov rdx, 0 + adc rdx, 0 + add rax, rdx + mov rcx, rax + pop rax + pinsrq xmm6, rax, 1 + pop rax + pinsrq xmm6, rax, 0 + pop rax + pinsrq xmm7, rax, 1 + pop rax + pinsrq xmm7, rax, 0 + pop rax + pinsrq xmm8, rax, 1 + pop rax + pinsrq 
xmm8, rax, 0 + pop rax + pinsrq xmm9, rax, 1 + pop rax + pinsrq xmm9, rax, 0 + pop rax + pinsrq xmm10, rax, 1 + pop rax + pinsrq xmm10, rax, 0 + pop rax + pinsrq xmm11, rax, 1 + pop rax + pinsrq xmm11, rax, 0 + pop rax + pinsrq xmm12, rax, 1 + pop rax + pinsrq xmm12, rax, 0 + pop rax + pinsrq xmm13, rax, 1 + pop rax + pinsrq xmm13, rax, 0 + pop rax + pinsrq xmm14, rax, 1 + pop rax + pinsrq xmm14, rax, 0 + pop rax + pinsrq xmm15, rax, 1 + pop rax + pinsrq xmm15, rax, 0 + pop rbx + pop rbp + pop rdi + pop rsi + pop r12 + pop r13 + pop r14 + pop r15 + mov rax, rcx + ret +gcm256_decrypt_opt endp +end diff --git a/vale/src/cpuid-x86_64-darwin.S b/vale/src/cpuid-x86_64-darwin.S new file mode 100644 index 00000000..1205b915 --- /dev/null +++ b/vale/src/cpuid-x86_64-darwin.S 
@@ -0,0 +1,166 @@ +.text +.global _check_aesni +_check_aesni: + mov %rbx, %r9 + mov $0, %rcx + mov $1, %rax + cpuid + mov %rcx, %rax + and $33554432, %rax + shr $24, %rax + and $2, %rcx + and %rcx, %rax + mov %r9, %rbx + ret + +.global _check_sha +_check_sha: + mov %rbx, %r9 + mov $7, %rax + mov $0, %rcx + cpuid + and $536870912, %rbx + mov %rbx, %rax + mov %r9, %rbx + ret + +.global _check_adx_bmi2 +_check_adx_bmi2: + mov %rbx, %r9 + mov $7, %rax + mov $0, %rcx + cpuid + mov %rbx, %rax + and $524288, %rax + shr $11, %rax + and $256, %rbx + and %rbx, %rax + mov %r9, %rbx + ret + +.global _check_avx +_check_avx: + mov %rbx, %r9 + mov $0, %rcx + mov $1, %rax + cpuid + mov %rcx, %rax + and $268435456, %rax + shr $27, %rax + mov %r9, %rbx + ret + +.global _check_avx2 +_check_avx2: + mov %rbx, %r9 + mov $7, %rax + mov $0, %rcx + cpuid + and $32, %rbx + mov %rbx, %rax + mov %r9, %rbx + ret + +.global _check_movbe +_check_movbe: + mov %rbx, %r9 + mov $0, %rcx + mov $1, %rax + cpuid + mov %rcx, %rax + and $4194304, %rax + shr $21, %rax + mov %r9, %rbx + ret + +.global _check_sse +_check_sse: + mov %rbx, %r9 + mov $0, %rcx + mov $1, %rax + cpuid + mov %rcx, %rax + and $524288, %rax + and $512, %rcx + and $67108864, %rdx + shr $10, %rax + shr $17, %rdx + and %rdx, %rax + and %rcx, %rax + mov %r9, %rbx + ret + +.global _check_rdrand +_check_rdrand: + mov %rbx, %r9 + mov $0, %rcx + mov $1, %rax + cpuid + mov %rcx, %rax + and $1073741824, %rax + shr $29, %rax + mov %r9, %rbx + ret + +.global _check_avx512 +_check_avx512: + mov %rbx, %r9 + mov $7, %rax + mov $0, %rcx + cpuid + mov %rbx, %rax + mov %rbx, %r10 + mov %rbx, %r11 + and $65536, %rbx + and $131072, %rax + and $1073741824, %r10 + shr $1, %rax + shr $14, %r10 + and %rbx, %rax + mov $2147483648, %rbx + and %rbx, %r11 + shr $15, %r11 + and %r10, %rax + and %r11, %rax + mov %r9, %rbx + ret + +.global _check_osxsave +_check_osxsave: + mov %rbx, %r9 + mov $0, %rcx + mov $1, %rax + cpuid + mov %rcx, %rax + and $134217728, %rax 
+ shr $26, %rax + mov %r9, %rbx + ret + +.global _check_avx_xcr0 +_check_avx_xcr0: + mov $0, %rcx + xgetbv + mov %rax, %rcx + and $4, %rax + shr $1, %rax + and $2, %rcx + and %rcx, %rax + ret + +.global _check_avx512_xcr0 +_check_avx512_xcr0: + mov $0, %rcx + xgetbv + mov %rax, %rcx + mov %rax, %rdx + and $32, %rax + and $64, %rcx + and $128, %rdx + shr $2, %rdx + shr $1, %rcx + and %rdx, %rax + and %rcx, %rax + ret + + diff --git a/vale/src/cpuid-x86_64-linux.S b/vale/src/cpuid-x86_64-linux.S new file mode 100644 index 00000000..47633417 --- /dev/null +++ b/vale/src/cpuid-x86_64-linux.S 
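Review bot: `_check_avx_xcr0` and `_check_avx512_xcr0` execute `xgetbv` unconditionally, and that instruction raises #UD when CR4.OSXSAVE is clear, so they are only safe to call after `_check_osxsave` has returned non-zero; nothing in the file records that ordering requirement. The leaf-7 probes (`_check_sha`, `_check_adx_bmi2`, `_check_avx2`, `_check_avx512`) likewise issue `cpuid` with `%rax = 7` without first confirming that the processor's maximum basic leaf is at least 7, and on a CPU that does not implement leaf 7 the returned register contents may not describe those features. Since these entry points are what keeps the dispatcher from selecting a code path that faults with an illegal instruction, I would add a header comment: `# Precondition: call _check_osxsave before _check_avx_xcr0/_check_avx512_xcr0 (xgetbv faults if OSXSAVE is off); confirm CPUID max basic leaf >= 7 before trusting the leaf-7 probes.` The same applies to cpuid-x86_64-linux.S, cpuid-x86_64-mingw.S and cpuid-x86_64-msvc.asm below.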
@@ -0,0 +1,166 @@ +.text +.global check_aesni +check_aesni: + mov %rbx, %r9 + mov $0, %rcx + mov $1, %rax + cpuid + mov %rcx, %rax + and $33554432, %rax + shr $24, %rax + and $2, %rcx + and %rcx, %rax + mov %r9, %rbx + ret + +.global check_sha +check_sha: + mov %rbx, %r9 + mov $7, %rax + mov $0, %rcx + cpuid + and $536870912, %rbx + mov %rbx, %rax + mov %r9, %rbx + ret + +.global check_adx_bmi2 +check_adx_bmi2: + mov %rbx, %r9 + mov $7, %rax + mov $0, %rcx + cpuid + mov %rbx, %rax + and $524288, %rax + shr $11, %rax + and $256, %rbx + and %rbx, %rax + mov %r9, %rbx + ret + +.global check_avx +check_avx: + mov %rbx, %r9 + mov $0, %rcx + mov $1, %rax + cpuid + mov %rcx, %rax + and $268435456, %rax + shr $27, %rax + mov %r9, %rbx + ret + +.global check_avx2 +check_avx2: + mov %rbx, %r9 + mov $7, %rax + mov $0, %rcx + cpuid + and $32, %rbx + mov %rbx, %rax + mov %r9, %rbx + ret + +.global check_movbe +check_movbe: + mov %rbx, %r9 + mov $0, %rcx + mov $1, %rax + cpuid + mov %rcx, %rax + and $4194304, %rax + shr $21, %rax + mov %r9, %rbx + ret + +.global check_sse +check_sse: + mov %rbx, %r9 + mov $0, %rcx + mov $1, %rax + cpuid + mov %rcx, %rax + and $524288, %rax + and $512, %rcx + and $67108864, %rdx + shr $10, %rax + shr $17, %rdx + and %rdx, %rax + and %rcx, %rax + mov %r9, %rbx + ret + +.global check_rdrand +check_rdrand: + mov %rbx, %r9 + mov $0, %rcx + mov $1, %rax + cpuid + mov %rcx, %rax + and $1073741824, %rax + shr $29, %rax + mov %r9, %rbx + ret + +.global check_avx512 +check_avx512: + mov %rbx, %r9 + mov $7, %rax + mov $0, %rcx + cpuid + mov %rbx, %rax + mov %rbx, %r10 + mov %rbx, %r11 + and $65536, %rbx + and $131072, %rax + and $1073741824, %r10 + shr $1, %rax + shr $14, %r10 + and %rbx, %rax + mov $2147483648, %rbx + and %rbx, %r11 + shr $15, %r11 + and %r10, %rax + and %r11, %rax + mov %r9, %rbx + ret + +.global check_osxsave +check_osxsave: + mov %rbx, %r9 + mov $0, %rcx + mov $1, %rax + cpuid + mov %rcx, %rax + and $134217728, %rax + shr $26, %rax + 
mov %r9, %rbx + ret + +.global check_avx_xcr0 +check_avx_xcr0: + mov $0, %rcx + xgetbv + mov %rax, %rcx + and $4, %rax + shr $1, %rax + and $2, %rcx + and %rcx, %rax + ret + +.global check_avx512_xcr0 +check_avx512_xcr0: + mov $0, %rcx + xgetbv + mov %rax, %rcx + mov %rax, %rdx + and $32, %rax + and $64, %rcx + and $128, %rdx + shr $2, %rdx + shr $1, %rcx + and %rdx, %rax + and %rcx, %rax + ret + + diff --git a/vale/src/cpuid-x86_64-mingw.S b/vale/src/cpuid-x86_64-mingw.S new file mode 100644 index 00000000..47633417 --- /dev/null +++ b/vale/src/cpuid-x86_64-mingw.S 
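Review bot: This ELF assembly file emits no `.note.GNU-stack` section, so when it is linked with GNU ld the object is treated as requiring an executable stack and the final library or executable can end up with an RWX PT_GNU_STACK segment unless the build passes `-z noexecstack`; nothing in the hunk shows such a flag. Appending `.section .note.GNU-stack,"",@progbits` at the end of the file fixes this at the source level without changing any instruction. This is a link-time hardening property rather than a functional bug, so dispatcher behaviour is unaffected. The directive is only meaningful for ELF targets, so it does not apply to the darwin (Mach-O) and mingw/msvc (PE) variants in this commit.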
@@ -0,0 +1,166 @@ +.text +.global check_aesni +check_aesni: + mov %rbx, %r9 + mov $0, %rcx + mov $1, %rax + cpuid + mov %rcx, %rax + and $33554432, %rax + shr $24, %rax + and $2, %rcx + and %rcx, %rax + mov %r9, %rbx + ret + +.global check_sha +check_sha: + mov %rbx, %r9 + mov $7, %rax + mov $0, %rcx + cpuid + and $536870912, %rbx + mov %rbx, %rax + mov %r9, %rbx + ret + +.global check_adx_bmi2 +check_adx_bmi2: + mov %rbx, %r9 + mov $7, %rax + mov $0, %rcx + cpuid + mov %rbx, %rax + and $524288, %rax + shr $11, %rax + and $256, %rbx + and %rbx, %rax + mov %r9, %rbx + ret + +.global check_avx +check_avx: + mov %rbx, %r9 + mov $0, %rcx + mov $1, %rax + cpuid + mov %rcx, %rax + and $268435456, %rax + shr $27, %rax + mov %r9, %rbx + ret + +.global check_avx2 +check_avx2: + mov %rbx, %r9 + mov $7, %rax + mov $0, %rcx + cpuid + and $32, %rbx + mov %rbx, %rax + mov %r9, %rbx + ret + +.global check_movbe +check_movbe: + mov %rbx, %r9 + mov $0, %rcx + mov $1, %rax + cpuid + mov %rcx, %rax + and $4194304, %rax + shr $21, %rax + mov %r9, %rbx + ret + +.global check_sse +check_sse: + mov %rbx, %r9 + mov $0, %rcx + mov $1, %rax + cpuid + mov %rcx, %rax + and $524288, %rax + and $512, %rcx + and $67108864, %rdx + shr $10, %rax + shr $17, %rdx + and %rdx, %rax + and %rcx, %rax + mov %r9, %rbx + ret + +.global check_rdrand +check_rdrand: + mov %rbx, %r9 + mov $0, %rcx + mov $1, %rax + cpuid + mov %rcx, %rax + and $1073741824, %rax + shr $29, %rax + mov %r9, %rbx + ret + +.global check_avx512 +check_avx512: + mov %rbx, %r9 + mov $7, %rax + mov $0, %rcx + cpuid + mov %rbx, %rax + mov %rbx, %r10 + mov %rbx, %r11 + and $65536, %rbx + and $131072, %rax + and $1073741824, %r10 + shr $1, %rax + shr $14, %r10 + and %rbx, %rax + mov $2147483648, %rbx + and %rbx, %r11 + shr $15, %r11 + and %r10, %rax + and %r11, %rax + mov %r9, %rbx + ret + +.global check_osxsave +check_osxsave: + mov %rbx, %r9 + mov $0, %rcx + mov $1, %rax + cpuid + mov %rcx, %rax + and $134217728, %rax + shr $26, %rax + 
mov %r9, %rbx + ret + +.global check_avx_xcr0 +check_avx_xcr0: + mov $0, %rcx + xgetbv + mov %rax, %rcx + and $4, %rax + shr $1, %rax + and $2, %rcx + and %rcx, %rax + ret + +.global check_avx512_xcr0 +check_avx512_xcr0: + mov $0, %rcx + xgetbv + mov %rax, %rcx + mov %rax, %rdx + and $32, %rax + and $64, %rcx + and $128, %rdx + shr $2, %rdx + shr $1, %rcx + and %rdx, %rax + and %rcx, %rax + ret + + diff --git a/vale/src/cpuid-x86_64-msvc.asm b/vale/src/cpuid-x86_64-msvc.asm new file mode 100644 index 00000000..5659ec6c --- /dev/null +++ b/vale/src/cpuid-x86_64-msvc.asm 
@@ -0,0 +1,166 @@
+.code
+ALIGN 16
+check_aesni proc
+ mov r9, rbx
+ mov rcx, 0
+ mov rax, 1
+ cpuid
+ mov rax, rcx
+ and rax, 33554432
+ shr rax, 24
+ and rcx, 2
+ and rax, rcx
+ mov rbx, r9
+ ret
+check_aesni endp
+ALIGN 16
+check_sha proc
+ mov r9, rbx
+ mov rax, 7
+ mov rcx, 0
+ cpuid
+ and rbx, 536870912
+ mov rax, rbx
+ mov rbx, r9
+ ret
+check_sha endp
+ALIGN 16
+check_adx_bmi2 proc
+ mov r9, rbx
+ mov rax, 7
+ mov rcx, 0
+ cpuid
+ mov rax, rbx
+ and rax, 524288
+ shr rax, 11
+ and rbx, 256
+ and rax, rbx
+ mov rbx, r9
+ ret
+check_adx_bmi2 endp
+ALIGN 16
+check_avx proc
+ mov r9, rbx
+ mov rcx, 0
+ mov rax, 1
+ cpuid
+ mov rax, rcx
+ and rax, 268435456
+ shr rax, 27
+ mov rbx, r9
+ ret
+check_avx endp
+ALIGN 16
+check_avx2 proc
+ mov r9, rbx
+ mov rax, 7
+ mov rcx, 0
+ cpuid
+ and rbx, 32
+ mov rax, rbx
+ mov rbx, r9
+ ret
+check_avx2 endp
+ALIGN 16
+check_movbe proc
+ mov r9, rbx
+ mov rcx, 0
+ mov rax, 1
+ cpuid
+ mov rax, rcx
+ and rax, 4194304
+ shr rax, 21
+ mov rbx, r9
+ ret
+check_movbe endp
+ALIGN 16
+check_sse proc
+ mov r9, rbx
+ mov rcx, 0
+ mov rax, 1
+ cpuid
+ mov rax, rcx
+ and rax, 524288
+ and rcx, 512
+ and rdx, 67108864
+ shr rax, 10
+ shr rdx, 17
+ and rax, rdx
+ and rax, rcx
+ mov rbx, r9
+ ret
+check_sse endp
+ALIGN 16
+check_rdrand proc
+ mov r9, rbx
+ mov rcx, 0
+ mov rax, 1
+ cpuid
+ mov rax, rcx
+ and rax, 1073741824
+ shr rax, 29
+ mov rbx, r9
+ ret
+check_rdrand endp
+ALIGN 16
+check_avx512 proc
+ mov r9, rbx
+ mov rax, 7
+ mov rcx, 0
+ cpuid
+ mov rax, rbx
+ mov r10, rbx
+ mov r11, rbx
+ and rbx, 65536
+ and rax, 131072
+ and r10, 1073741824
+ shr rax, 1
+ shr r10, 14
+ and rax, rbx
+ mov rbx, 2147483648
+ and r11, rbx
+ shr r11, 15
+ and rax, r10
+ and rax, r11
+ mov rbx, r9
+ ret
+check_avx512 endp
+ALIGN 16
+check_osxsave proc
+ mov r9, rbx
+ mov rcx, 0
+ mov rax, 1
+ cpuid
+ mov rax, rcx
+ and rax, 134217728
+ shr rax, 26
+ mov rbx, r9
+ ret
+check_osxsave endp
+ALIGN 16
+check_avx_xcr0 proc
+ mov rcx, 0
+ xgetbv
+ mov rcx, rax
+ and rax, 4
+ shr rax, 1
+ and rcx, 2
+ and rax, rcx
+ ret
+check_avx_xcr0 endp
+ALIGN 16
+check_avx512_xcr0 proc
+ mov rcx, 0
+ xgetbv
+ mov rcx, rax
+ mov rdx, rax
+ and rax, 32
+ and rcx, 64
+ and rdx, 128
+ shr rdx, 2
+ shr rcx, 1
+ and rax, rdx
+ and rax, rcx
+ ret
+check_avx512_xcr0 endp
+end
diff --git a/vale/src/curve25519-inline.h b/vale/src/curve25519-inline.h
new file mode 100644
index 00000000..d8e6bf6d
--- /dev/null
+++ b/vale/src/curve25519-inline.h
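Review bot: check_sha, check_adx_bmi2, check_avx2 and check_avx512 query CPUID leaf 7 without first confirming that the processor's highest basic leaf (leaf 0, EAX) is at least 7; Intel documents that a leaf above the maximum returns the data of the highest basic leaf instead, so EBX could carry unrelated bits and a feature could be reported that the CPU lacks, and whatever dispatch is built on these checks would then select code that faults with #UD. A leaf-0 probe plus `cmp eax, 7` / `jb` to a zero-returning exit (which must still restore rbx from r9) closes this; since four routines need it, a shared helper would avoid repeating it, and the GAS twin of this file has the same gap. The two xgetbv routines also deserve a comment that they must only be called once check_osxsave has returned non-zero, because `xgetbv` raises #UD while CR4.OSXSAVE is clear.
```asm
check_adx_bmi2 proc
 mov r9, rbx
 xor eax, eax
 cpuid                        ; leaf 0: EAX = highest basic leaf
 cmp eax, 7
 jb check_adx_bmi2_no_leaf7   ; leaf 7 not implemented -> report 0
 mov rax, 7
 mov rcx, 0
 cpuid
 ; ... unchanged: ADX (EBX bit 19) and BMI2 (EBX bit 8) mask ...
 mov rbx, r9
 ret
check_adx_bmi2_no_leaf7:
 xor eax, eax
 mov rbx, r9
 ret
check_adx_bmi2 endp
```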
@@ -0,0 +1,751 @@ +#ifdef __GNUC__ +#if defined(__x86_64__) || defined(_M_X64) +#pragma once +#include + +// Computes the addition of four-element f1 with value in f2 +// and returns the carry (if any) +static inline uint64_t add_scalar (uint64_t *out, uint64_t *f1, uint64_t f2) +{ + uint64_t carry_r; + + asm volatile( + // Clear registers to propagate the carry bit + " xor %%r8d, %%r8d;" + " xor %%r9d, %%r9d;" + " xor %%r10d, %%r10d;" + " xor %%r11d, %%r11d;" + " xor %k1, %k1;" + + // Begin addition chain + " addq 0(%3), %0;" + " movq %0, 0(%2);" + " adcxq 8(%3), %%r8;" + " movq %%r8, 8(%2);" + " adcxq 16(%3), %%r9;" + " movq %%r9, 16(%2);" + " adcxq 24(%3), %%r10;" + " movq %%r10, 24(%2);" + + // Return the carry bit in a register + " adcx %%r11, %1;" + : "+&r" (f2), "=&r" (carry_r) + : "r" (out), "r" (f1) + : "%r8", "%r9", "%r10", "%r11", "memory", "cc" + ); + + return carry_r; +} + +// Computes the field addition of two field elements +static inline void fadd (uint64_t *out, uint64_t *f1, uint64_t *f2) +{ + asm volatile( + // Compute the raw addition of f1 + f2 + " movq 0(%0), %%r8;" + " addq 0(%2), %%r8;" + " movq 8(%0), %%r9;" + " adcxq 8(%2), %%r9;" + " movq 16(%0), %%r10;" + " adcxq 16(%2), %%r10;" + " movq 24(%0), %%r11;" + " adcxq 24(%2), %%r11;" + + /////// Wrap the result back into the field ////// + + // Step 1: Compute carry*38 + " mov $0, %%rax;" + " mov $38, %0;" + " cmovc %0, %%rax;" + + // Step 2: Add carry*38 to the original sum + " xor %%ecx, %%ecx;" + " add %%rax, %%r8;" + " adcx %%rcx, %%r9;" + " movq %%r9, 8(%1);" + " adcx %%rcx, %%r10;" + " movq %%r10, 16(%1);" + " adcx %%rcx, %%r11;" + " movq %%r11, 24(%1);" + + // Step 3: Fold the carry bit back in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %0, %%rax;" + " add %%rax, %%r8;" + " movq %%r8, 0(%1);" + : "+&r" (f2) + : "r" (out), "r" (f1) + : "%rax", "%rcx", "%r8", "%r9", "%r10", "%r11", "memory", "cc" + ); +} + +// Computes the field substraction of two field 
elements +static inline void fsub (uint64_t *out, uint64_t *f1, uint64_t *f2) +{ + asm volatile( + // Compute the raw substraction of f1-f2 + " movq 0(%1), %%r8;" + " subq 0(%2), %%r8;" + " movq 8(%1), %%r9;" + " sbbq 8(%2), %%r9;" + " movq 16(%1), %%r10;" + " sbbq 16(%2), %%r10;" + " movq 24(%1), %%r11;" + " sbbq 24(%2), %%r11;" + + /////// Wrap the result back into the field ////// + + // Step 1: Compute carry*38 + " mov $0, %%rax;" + " mov $38, %%rcx;" + " cmovc %%rcx, %%rax;" + + // Step 2: Substract carry*38 from the original difference + " sub %%rax, %%r8;" + " sbb $0, %%r9;" + " sbb $0, %%r10;" + " sbb $0, %%r11;" + + // Step 3: Fold the carry bit back in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %%rcx, %%rax;" + " sub %%rax, %%r8;" + + // Store the result + " movq %%r8, 0(%0);" + " movq %%r9, 8(%0);" + " movq %%r10, 16(%0);" + " movq %%r11, 24(%0);" + : + : "r" (out), "r" (f1), "r" (f2) + : "%rax", "%rcx", "%r8", "%r9", "%r10", "%r11", "memory", "cc" + ); +} + +// Computes a field multiplication: out <- f1 * f2 +// Uses the 8-element buffer tmp for intermediate results +static inline void fmul (uint64_t *out, uint64_t *f1, uint64_t *f2, uint64_t *tmp) +{ + asm volatile( + + /////// Compute the raw multiplication: tmp <- src1 * src2 ////// + + // Compute src1[0] * src2 + " movq 0(%1), %%rdx;" + " mulxq 0(%2), %%r8, %%r9;" " xor %%r10d, %%r10d;" " movq %%r8, 0(%3);" + " mulxq 8(%2), %%r10, %%r11;" " adox %%r9, %%r10;" " movq %%r10, 8(%3);" + " mulxq 16(%2), %%rbx, %%r13;" " adox %%r11, %%rbx;" + " mulxq 24(%2), %%r14, %%rdx;" " adox %%r13, %%r14;" " mov $0, %%rax;" + " adox %%rdx, %%rax;" + + // Compute src1[1] * src2 + " movq 8(%1), %%rdx;" + " mulxq 0(%2), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 8(%3), %%r8;" " movq %%r8, 8(%3);" + " mulxq 8(%2), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 16(%3);" + " mulxq 16(%2), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;" + " 
mulxq 24(%2), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;" + " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" + + + // Compute src1[2] * src2 + " movq 16(%1), %%rdx;" + " mulxq 0(%2), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 16(%3), %%r8;" " movq %%r8, 16(%3);" + " mulxq 8(%2), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 24(%3);" + " mulxq 16(%2), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;" + " mulxq 24(%2), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;" + " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" + + + // Compute src1[3] * src2 + " movq 24(%1), %%rdx;" + " mulxq 0(%2), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 24(%3), %%r8;" " movq %%r8, 24(%3);" + " mulxq 8(%2), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 32(%3);" + " mulxq 16(%2), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " movq %%rbx, 40(%3);" " mov $0, %%r8;" + " mulxq 24(%2), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " movq %%r14, 48(%3);" " mov $0, %%rax;" + " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" " movq %%rax, 56(%3);" + + // Line up pointers + " mov %3, %1;" + " mov %0, %3;" + + /////// Wrap the result back into the field ////// + + // Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + " mov $38, %%rdx;" + " mulxq 32(%1), %%r8, %%r13;" + " xor %k2, %k2;" + " adoxq 0(%1), %%r8;" + " mulxq 40(%1), %%r9, %%rbx;" + " adcx %%r13, %%r9;" + " adoxq 8(%1), %%r9;" + " mulxq 48(%1), %%r10, %%r13;" + " adcx %%rbx, %%r10;" + " adoxq 16(%1), %%r10;" + " mulxq 56(%1), %%r11, %%rax;" + " adcx %%r13, %%r11;" + " adoxq 24(%1), %%r11;" + " adcx %2, %%rax;" + " adox %2, %%rax;" + " imul %%rdx, %%rax;" + + // Step 2: Fold the carry back into dst + " add %%rax, %%r8;" + " adcx %2, %%r9;" + " movq %%r9, 8(%3);" + " adcx %2, %%r10;" + " movq %%r10, 16(%3);" + " adcx %2, %%r11;" + " movq %%r11, 24(%3);" + + // Step 3: Fold the carry bit back 
in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %%rdx, %%rax;" + " add %%rax, %%r8;" + " movq %%r8, 0(%3);" + : "+&r" (out), "+&r" (f1), "+&r" (f2), "+&r" (tmp) + : + : "%rax", "%rbx", "%rdx", "%r8", "%r9", "%r10", "%r11", "%r13", "%r14", "memory", "cc" + ); +} + +// Computes two field multiplications: +// out[0] <- f1[0] * f2[0] +// out[1] <- f1[1] * f2[1] +// Uses the 16-element buffer tmp for intermediate results: +static inline void fmul2 (uint64_t *out, uint64_t *f1, uint64_t *f2, uint64_t *tmp) +{ + asm volatile( + + /////// Compute the raw multiplication tmp[0] <- f1[0] * f2[0] ////// + + // Compute src1[0] * src2 + " movq 0(%1), %%rdx;" + " mulxq 0(%2), %%r8, %%r9;" " xor %%r10d, %%r10d;" " movq %%r8, 0(%3);" + " mulxq 8(%2), %%r10, %%r11;" " adox %%r9, %%r10;" " movq %%r10, 8(%3);" + " mulxq 16(%2), %%rbx, %%r13;" " adox %%r11, %%rbx;" + " mulxq 24(%2), %%r14, %%rdx;" " adox %%r13, %%r14;" " mov $0, %%rax;" + " adox %%rdx, %%rax;" + + // Compute src1[1] * src2 + " movq 8(%1), %%rdx;" + " mulxq 0(%2), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 8(%3), %%r8;" " movq %%r8, 8(%3);" + " mulxq 8(%2), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 16(%3);" + " mulxq 16(%2), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;" + " mulxq 24(%2), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;" + " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" + + + // Compute src1[2] * src2 + " movq 16(%1), %%rdx;" + " mulxq 0(%2), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 16(%3), %%r8;" " movq %%r8, 16(%3);" + " mulxq 8(%2), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 24(%3);" + " mulxq 16(%2), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;" + " mulxq 24(%2), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;" + " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" + + + // Compute src1[3] * src2 + " movq 24(%1), 
%%rdx;" + " mulxq 0(%2), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 24(%3), %%r8;" " movq %%r8, 24(%3);" + " mulxq 8(%2), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 32(%3);" + " mulxq 16(%2), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " movq %%rbx, 40(%3);" " mov $0, %%r8;" + " mulxq 24(%2), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " movq %%r14, 48(%3);" " mov $0, %%rax;" + " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" " movq %%rax, 56(%3);" + + /////// Compute the raw multiplication tmp[1] <- f1[1] * f2[1] ////// + + // Compute src1[0] * src2 + " movq 32(%1), %%rdx;" + " mulxq 32(%2), %%r8, %%r9;" " xor %%r10d, %%r10d;" " movq %%r8, 64(%3);" + " mulxq 40(%2), %%r10, %%r11;" " adox %%r9, %%r10;" " movq %%r10, 72(%3);" + " mulxq 48(%2), %%rbx, %%r13;" " adox %%r11, %%rbx;" + " mulxq 56(%2), %%r14, %%rdx;" " adox %%r13, %%r14;" " mov $0, %%rax;" + " adox %%rdx, %%rax;" + + // Compute src1[1] * src2 + " movq 40(%1), %%rdx;" + " mulxq 32(%2), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 72(%3), %%r8;" " movq %%r8, 72(%3);" + " mulxq 40(%2), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 80(%3);" + " mulxq 48(%2), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;" + " mulxq 56(%2), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;" + " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" + + + // Compute src1[2] * src2 + " movq 48(%1), %%rdx;" + " mulxq 32(%2), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 80(%3), %%r8;" " movq %%r8, 80(%3);" + " mulxq 40(%2), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 88(%3);" + " mulxq 48(%2), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;" + " mulxq 56(%2), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;" + " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" + + + // Compute src1[3] * src2 + " movq 56(%1), %%rdx;" + " mulxq 32(%2), %%r8, 
%%r9;" " xor %%r10d, %%r10d;" " adcxq 88(%3), %%r8;" " movq %%r8, 88(%3);" + " mulxq 40(%2), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 96(%3);" + " mulxq 48(%2), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " movq %%rbx, 104(%3);" " mov $0, %%r8;" + " mulxq 56(%2), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " movq %%r14, 112(%3);" " mov $0, %%rax;" + " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" " movq %%rax, 120(%3);" + + // Line up pointers + " mov %3, %1;" + " mov %0, %3;" + + /////// Wrap the results back into the field ////// + + // Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + " mov $38, %%rdx;" + " mulxq 32(%1), %%r8, %%r13;" + " xor %k2, %k2;" + " adoxq 0(%1), %%r8;" + " mulxq 40(%1), %%r9, %%rbx;" + " adcx %%r13, %%r9;" + " adoxq 8(%1), %%r9;" + " mulxq 48(%1), %%r10, %%r13;" + " adcx %%rbx, %%r10;" + " adoxq 16(%1), %%r10;" + " mulxq 56(%1), %%r11, %%rax;" + " adcx %%r13, %%r11;" + " adoxq 24(%1), %%r11;" + " adcx %2, %%rax;" + " adox %2, %%rax;" + " imul %%rdx, %%rax;" + + // Step 2: Fold the carry back into dst + " add %%rax, %%r8;" + " adcx %2, %%r9;" + " movq %%r9, 8(%3);" + " adcx %2, %%r10;" + " movq %%r10, 16(%3);" + " adcx %2, %%r11;" + " movq %%r11, 24(%3);" + + // Step 3: Fold the carry bit back in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %%rdx, %%rax;" + " add %%rax, %%r8;" + " movq %%r8, 0(%3);" + + // Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + " mov $38, %%rdx;" + " mulxq 96(%1), %%r8, %%r13;" + " xor %k2, %k2;" + " adoxq 64(%1), %%r8;" + " mulxq 104(%1), %%r9, %%rbx;" + " adcx %%r13, %%r9;" + " adoxq 72(%1), %%r9;" + " mulxq 112(%1), %%r10, %%r13;" + " adcx %%rbx, %%r10;" + " adoxq 80(%1), %%r10;" + " mulxq 120(%1), %%r11, %%rax;" + " adcx %%r13, %%r11;" + " adoxq 88(%1), %%r11;" + " adcx %2, %%rax;" + " adox %2, %%rax;" + " imul %%rdx, %%rax;" + + // Step 2: Fold the carry back into dst + " add %%rax, %%r8;" + " adcx %2, %%r9;" + " movq 
%%r9, 40(%3);" + " adcx %2, %%r10;" + " movq %%r10, 48(%3);" + " adcx %2, %%r11;" + " movq %%r11, 56(%3);" + + // Step 3: Fold the carry bit back in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %%rdx, %%rax;" + " add %%rax, %%r8;" + " movq %%r8, 32(%3);" + : "+&r" (out), "+&r" (f1), "+&r" (f2), "+&r" (tmp) + : + : "%rax", "%rbx", "%rdx", "%r8", "%r9", "%r10", "%r11", "%r13", "%r14", "memory", "cc" + ); +} + +// Computes the field multiplication of four-element f1 with value in f2 +// Requires f2 to be smaller than 2^17 +static inline void fmul_scalar (uint64_t *out, uint64_t *f1, uint64_t f2) +{ + register uint64_t f2_r asm("rdx") = f2; + + asm volatile( + // Compute the raw multiplication of f1*f2 + " mulxq 0(%2), %%r8, %%rcx;" // f1[0]*f2 + " mulxq 8(%2), %%r9, %%rbx;" // f1[1]*f2 + " add %%rcx, %%r9;" + " mov $0, %%rcx;" + " mulxq 16(%2), %%r10, %%r13;" // f1[2]*f2 + " adcx %%rbx, %%r10;" + " mulxq 24(%2), %%r11, %%rax;" // f1[3]*f2 + " adcx %%r13, %%r11;" + " adcx %%rcx, %%rax;" + + /////// Wrap the result back into the field ////// + + // Step 1: Compute carry*38 + " mov $38, %%rdx;" + " imul %%rdx, %%rax;" + + // Step 2: Fold the carry back into dst + " add %%rax, %%r8;" + " adcx %%rcx, %%r9;" + " movq %%r9, 8(%1);" + " adcx %%rcx, %%r10;" + " movq %%r10, 16(%1);" + " adcx %%rcx, %%r11;" + " movq %%r11, 24(%1);" + + // Step 3: Fold the carry bit back in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %%rdx, %%rax;" + " add %%rax, %%r8;" + " movq %%r8, 0(%1);" + : "+&r" (f2_r) + : "r" (out), "r" (f1) + : "%rax", "%rbx", "%rcx", "%r8", "%r9", "%r10", "%r11", "%r13", "memory", "cc" + ); +} + +// Computes p1 <- bit ? 
p2 : p1 in constant time +static inline void cswap2 (uint64_t bit, uint64_t *p1, uint64_t *p2) +{ + asm volatile( + // Transfer bit into CF flag + " add $18446744073709551615, %0;" + + // cswap p1[0], p2[0] + " movq 0(%1), %%r8;" + " movq 0(%2), %%r9;" + " mov %%r8, %%r10;" + " cmovc %%r9, %%r8;" + " cmovc %%r10, %%r9;" + " movq %%r8, 0(%1);" + " movq %%r9, 0(%2);" + + // cswap p1[1], p2[1] + " movq 8(%1), %%r8;" + " movq 8(%2), %%r9;" + " mov %%r8, %%r10;" + " cmovc %%r9, %%r8;" + " cmovc %%r10, %%r9;" + " movq %%r8, 8(%1);" + " movq %%r9, 8(%2);" + + // cswap p1[2], p2[2] + " movq 16(%1), %%r8;" + " movq 16(%2), %%r9;" + " mov %%r8, %%r10;" + " cmovc %%r9, %%r8;" + " cmovc %%r10, %%r9;" + " movq %%r8, 16(%1);" + " movq %%r9, 16(%2);" + + // cswap p1[3], p2[3] + " movq 24(%1), %%r8;" + " movq 24(%2), %%r9;" + " mov %%r8, %%r10;" + " cmovc %%r9, %%r8;" + " cmovc %%r10, %%r9;" + " movq %%r8, 24(%1);" + " movq %%r9, 24(%2);" + + // cswap p1[4], p2[4] + " movq 32(%1), %%r8;" + " movq 32(%2), %%r9;" + " mov %%r8, %%r10;" + " cmovc %%r9, %%r8;" + " cmovc %%r10, %%r9;" + " movq %%r8, 32(%1);" + " movq %%r9, 32(%2);" + + // cswap p1[5], p2[5] + " movq 40(%1), %%r8;" + " movq 40(%2), %%r9;" + " mov %%r8, %%r10;" + " cmovc %%r9, %%r8;" + " cmovc %%r10, %%r9;" + " movq %%r8, 40(%1);" + " movq %%r9, 40(%2);" + + // cswap p1[6], p2[6] + " movq 48(%1), %%r8;" + " movq 48(%2), %%r9;" + " mov %%r8, %%r10;" + " cmovc %%r9, %%r8;" + " cmovc %%r10, %%r9;" + " movq %%r8, 48(%1);" + " movq %%r9, 48(%2);" + + // cswap p1[7], p2[7] + " movq 56(%1), %%r8;" + " movq 56(%2), %%r9;" + " mov %%r8, %%r10;" + " cmovc %%r9, %%r8;" + " cmovc %%r10, %%r9;" + " movq %%r8, 56(%1);" + " movq %%r9, 56(%2);" + : "+&r" (bit) + : "r" (p1), "r" (p2) + : "%r8", "%r9", "%r10", "memory", "cc" + ); +} + +// Computes the square of a field element: out <- f * f +// Uses the 8-element buffer tmp for intermediate results +static inline void fsqr (uint64_t *out, uint64_t *f, uint64_t *tmp) +{ + asm volatile( + + 
/////// Compute the raw multiplication: tmp <- f * f ////// + + // Step 1: Compute all partial products + " movq 0(%1), %%rdx;" // f[0] + " mulxq 8(%1), %%r8, %%r14;" " xor %%r15d, %%r15d;" // f[1]*f[0] + " mulxq 16(%1), %%r9, %%r10;" " adcx %%r14, %%r9;" // f[2]*f[0] + " mulxq 24(%1), %%rax, %%rcx;" " adcx %%rax, %%r10;" // f[3]*f[0] + " movq 24(%1), %%rdx;" // f[3] + " mulxq 8(%1), %%r11, %%rbx;" " adcx %%rcx, %%r11;" // f[1]*f[3] + " mulxq 16(%1), %%rax, %%r13;" " adcx %%rax, %%rbx;" // f[2]*f[3] + " movq 8(%1), %%rdx;" " adcx %%r15, %%r13;" // f1 + " mulxq 16(%1), %%rax, %%rcx;" " mov $0, %%r14;" // f[2]*f[1] + + // Step 2: Compute two parallel carry chains + " xor %%r15d, %%r15d;" + " adox %%rax, %%r10;" + " adcx %%r8, %%r8;" + " adox %%rcx, %%r11;" + " adcx %%r9, %%r9;" + " adox %%r15, %%rbx;" + " adcx %%r10, %%r10;" + " adox %%r15, %%r13;" + " adcx %%r11, %%r11;" + " adox %%r15, %%r14;" + " adcx %%rbx, %%rbx;" + " adcx %%r13, %%r13;" + " adcx %%r14, %%r14;" + + // Step 3: Compute intermediate squares + " movq 0(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[0]^2 + " movq %%rax, 0(%2);" + " add %%rcx, %%r8;" " movq %%r8, 8(%2);" + " movq 8(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[1]^2 + " adcx %%rax, %%r9;" " movq %%r9, 16(%2);" + " adcx %%rcx, %%r10;" " movq %%r10, 24(%2);" + " movq 16(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[2]^2 + " adcx %%rax, %%r11;" " movq %%r11, 32(%2);" + " adcx %%rcx, %%rbx;" " movq %%rbx, 40(%2);" + " movq 24(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[3]^2 + " adcx %%rax, %%r13;" " movq %%r13, 48(%2);" + " adcx %%rcx, %%r14;" " movq %%r14, 56(%2);" + + // Line up pointers + " mov %2, %1;" + " mov %0, %2;" + + /////// Wrap the result back into the field ////// + + // Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + " mov $38, %%rdx;" + " mulxq 32(%1), %%r8, %%r13;" + " xor %%ecx, %%ecx;" + " adoxq 0(%1), %%r8;" + " mulxq 40(%1), %%r9, %%rbx;" + " adcx %%r13, %%r9;" + " adoxq 8(%1), %%r9;" + " mulxq 48(%1), %%r10, 
%%r13;" + " adcx %%rbx, %%r10;" + " adoxq 16(%1), %%r10;" + " mulxq 56(%1), %%r11, %%rax;" + " adcx %%r13, %%r11;" + " adoxq 24(%1), %%r11;" + " adcx %%rcx, %%rax;" + " adox %%rcx, %%rax;" + " imul %%rdx, %%rax;" + + // Step 2: Fold the carry back into dst + " add %%rax, %%r8;" + " adcx %%rcx, %%r9;" + " movq %%r9, 8(%2);" + " adcx %%rcx, %%r10;" + " movq %%r10, 16(%2);" + " adcx %%rcx, %%r11;" + " movq %%r11, 24(%2);" + + // Step 3: Fold the carry bit back in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %%rdx, %%rax;" + " add %%rax, %%r8;" + " movq %%r8, 0(%2);" + : "+&r" (out), "+&r" (f), "+&r" (tmp) + : + : "%rax", "%rbx", "%rcx", "%rdx", "%r8", "%r9", "%r10", "%r11", "%r13", "%r14", "%r15", "memory", "cc" + ); +} + +// Computes two field squarings: +// out[0] <- f[0] * f[0] +// out[1] <- f[1] * f[1] +// Uses the 16-element buffer tmp for intermediate results +static inline void fsqr2 (uint64_t *out, uint64_t *f, uint64_t *tmp) +{ + asm volatile( + // Step 1: Compute all partial products + " movq 0(%1), %%rdx;" // f[0] + " mulxq 8(%1), %%r8, %%r14;" " xor %%r15d, %%r15d;" // f[1]*f[0] + " mulxq 16(%1), %%r9, %%r10;" " adcx %%r14, %%r9;" // f[2]*f[0] + " mulxq 24(%1), %%rax, %%rcx;" " adcx %%rax, %%r10;" // f[3]*f[0] + " movq 24(%1), %%rdx;" // f[3] + " mulxq 8(%1), %%r11, %%rbx;" " adcx %%rcx, %%r11;" // f[1]*f[3] + " mulxq 16(%1), %%rax, %%r13;" " adcx %%rax, %%rbx;" // f[2]*f[3] + " movq 8(%1), %%rdx;" " adcx %%r15, %%r13;" // f1 + " mulxq 16(%1), %%rax, %%rcx;" " mov $0, %%r14;" // f[2]*f[1] + + // Step 2: Compute two parallel carry chains + " xor %%r15d, %%r15d;" + " adox %%rax, %%r10;" + " adcx %%r8, %%r8;" + " adox %%rcx, %%r11;" + " adcx %%r9, %%r9;" + " adox %%r15, %%rbx;" + " adcx %%r10, %%r10;" + " adox %%r15, %%r13;" + " adcx %%r11, %%r11;" + " adox %%r15, %%r14;" + " adcx %%rbx, %%rbx;" + " adcx %%r13, %%r13;" + " adcx %%r14, %%r14;" + + // Step 3: Compute intermediate squares + " movq 0(%1), %%rdx;" " mulx %%rdx, %%rax, 
%%rcx;" // f[0]^2 + " movq %%rax, 0(%2);" + " add %%rcx, %%r8;" " movq %%r8, 8(%2);" + " movq 8(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[1]^2 + " adcx %%rax, %%r9;" " movq %%r9, 16(%2);" + " adcx %%rcx, %%r10;" " movq %%r10, 24(%2);" + " movq 16(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[2]^2 + " adcx %%rax, %%r11;" " movq %%r11, 32(%2);" + " adcx %%rcx, %%rbx;" " movq %%rbx, 40(%2);" + " movq 24(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[3]^2 + " adcx %%rax, %%r13;" " movq %%r13, 48(%2);" + " adcx %%rcx, %%r14;" " movq %%r14, 56(%2);" + + // Step 1: Compute all partial products + " movq 32(%1), %%rdx;" // f[0] + " mulxq 40(%1), %%r8, %%r14;" " xor %%r15d, %%r15d;" // f[1]*f[0] + " mulxq 48(%1), %%r9, %%r10;" " adcx %%r14, %%r9;" // f[2]*f[0] + " mulxq 56(%1), %%rax, %%rcx;" " adcx %%rax, %%r10;" // f[3]*f[0] + " movq 56(%1), %%rdx;" // f[3] + " mulxq 40(%1), %%r11, %%rbx;" " adcx %%rcx, %%r11;" // f[1]*f[3] + " mulxq 48(%1), %%rax, %%r13;" " adcx %%rax, %%rbx;" // f[2]*f[3] + " movq 40(%1), %%rdx;" " adcx %%r15, %%r13;" // f1 + " mulxq 48(%1), %%rax, %%rcx;" " mov $0, %%r14;" // f[2]*f[1] + + // Step 2: Compute two parallel carry chains + " xor %%r15d, %%r15d;" + " adox %%rax, %%r10;" + " adcx %%r8, %%r8;" + " adox %%rcx, %%r11;" + " adcx %%r9, %%r9;" + " adox %%r15, %%rbx;" + " adcx %%r10, %%r10;" + " adox %%r15, %%r13;" + " adcx %%r11, %%r11;" + " adox %%r15, %%r14;" + " adcx %%rbx, %%rbx;" + " adcx %%r13, %%r13;" + " adcx %%r14, %%r14;" + + // Step 3: Compute intermediate squares + " movq 32(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[0]^2 + " movq %%rax, 64(%2);" + " add %%rcx, %%r8;" " movq %%r8, 72(%2);" + " movq 40(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[1]^2 + " adcx %%rax, %%r9;" " movq %%r9, 80(%2);" + " adcx %%rcx, %%r10;" " movq %%r10, 88(%2);" + " movq 48(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" // f[2]^2 + " adcx %%rax, %%r11;" " movq %%r11, 96(%2);" + " adcx %%rcx, %%rbx;" " movq %%rbx, 104(%2);" + " movq 56(%1), %%rdx;" " 
mulx %%rdx, %%rax, %%rcx;" // f[3]^2 + " adcx %%rax, %%r13;" " movq %%r13, 112(%2);" + " adcx %%rcx, %%r14;" " movq %%r14, 120(%2);" + + // Line up pointers + " mov %2, %1;" + " mov %0, %2;" + + // Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + " mov $38, %%rdx;" + " mulxq 32(%1), %%r8, %%r13;" + " xor %%ecx, %%ecx;" + " adoxq 0(%1), %%r8;" + " mulxq 40(%1), %%r9, %%rbx;" + " adcx %%r13, %%r9;" + " adoxq 8(%1), %%r9;" + " mulxq 48(%1), %%r10, %%r13;" + " adcx %%rbx, %%r10;" + " adoxq 16(%1), %%r10;" + " mulxq 56(%1), %%r11, %%rax;" + " adcx %%r13, %%r11;" + " adoxq 24(%1), %%r11;" + " adcx %%rcx, %%rax;" + " adox %%rcx, %%rax;" + " imul %%rdx, %%rax;" + + // Step 2: Fold the carry back into dst + " add %%rax, %%r8;" + " adcx %%rcx, %%r9;" + " movq %%r9, 8(%2);" + " adcx %%rcx, %%r10;" + " movq %%r10, 16(%2);" + " adcx %%rcx, %%r11;" + " movq %%r11, 24(%2);" + + // Step 3: Fold the carry bit back in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %%rdx, %%rax;" + " add %%rax, %%r8;" + " movq %%r8, 0(%2);" + + // Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + " mov $38, %%rdx;" + " mulxq 96(%1), %%r8, %%r13;" + " xor %%ecx, %%ecx;" + " adoxq 64(%1), %%r8;" + " mulxq 104(%1), %%r9, %%rbx;" + " adcx %%r13, %%r9;" + " adoxq 72(%1), %%r9;" + " mulxq 112(%1), %%r10, %%r13;" + " adcx %%rbx, %%r10;" + " adoxq 80(%1), %%r10;" + " mulxq 120(%1), %%r11, %%rax;" + " adcx %%r13, %%r11;" + " adoxq 88(%1), %%r11;" + " adcx %%rcx, %%rax;" + " adox %%rcx, %%rax;" + " imul %%rdx, %%rax;" + + // Step 2: Fold the carry back into dst + " add %%rax, %%r8;" + " adcx %%rcx, %%r9;" + " movq %%r9, 40(%2);" + " adcx %%rcx, %%r10;" + " movq %%r10, 48(%2);" + " adcx %%rcx, %%r11;" + " movq %%r11, 56(%2);" + + // Step 3: Fold the carry bit back in; guaranteed not to carry at this point + " mov $0, %%rax;" + " cmovc %%rdx, %%rax;" + " add %%rax, %%r8;" + " movq %%r8, 32(%2);" + : "+&r" (out), "+&r" (f), "+&r" (tmp) + : + : "%rax", "%rbx", "%rcx", "%rdx", "%r8", 
"%r9", "%r10", "%r11", "%r13", "%r14", "%r15", "memory", "cc" + ); +} + +#endif /* defined(__x86_64__) || defined(_M_X64) */ +#endif /* __GNUC__ */ diff --git a/vale/src/curve25519-x86_64-darwin.S b/vale/src/curve25519-x86_64-darwin.S new file mode 100644 index 00000000..26147d9d --- /dev/null +++ b/vale/src/curve25519-x86_64-darwin.S 
@@ -0,0 +1,986 @@ +.text +.global _add_scalar_e +_add_scalar_e: + push %rdi + push %rsi + ;# Clear registers to propagate the carry bit + xor %r8d, %r8d + xor %r9d, %r9d + xor %r10d, %r10d + xor %r11d, %r11d + xor %eax, %eax + + ;# Begin addition chain + addq 0(%rsi), %rdx + movq %rdx, 0(%rdi) + adcxq 8(%rsi), %r8 + movq %r8, 8(%rdi) + adcxq 16(%rsi), %r9 + movq %r9, 16(%rdi) + adcxq 24(%rsi), %r10 + movq %r10, 24(%rdi) + + ;# Return the carry bit in a register + adcx %r11, %rax + pop %rsi + pop %rdi + ret + +.global _fadd_e +_fadd_e: + ;# Compute the raw addition of f1 + f2 + movq 0(%rdx), %r8 + addq 0(%rsi), %r8 + movq 8(%rdx), %r9 + adcxq 8(%rsi), %r9 + movq 16(%rdx), %r10 + adcxq 16(%rsi), %r10 + movq 24(%rdx), %r11 + adcxq 24(%rsi), %r11 + ;# Wrap the result back into the field + ;# Step 1: Compute carry*38 + mov $0, %rax + mov $38, %rdx + cmovc %rdx, %rax + + ;# Step 2: Add carry*38 to the original sum + xor %ecx, %ecx + add %rax, %r8 + adcx %rcx, %r9 + movq %r9, 8(%rdi) + adcx %rcx, %r10 + movq %r10, 16(%rdi) + adcx %rcx, %r11 + movq %r11, 24(%rdi) + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov $0, %rax + cmovc %rdx, %rax + add %rax, %r8 + movq %r8, 0(%rdi) + ret + +.global _fsub_e +_fsub_e: + ;# Compute the raw substraction of f1-f2 + movq 0(%rsi), %r8 + subq 0(%rdx), %r8 + movq 8(%rsi), %r9 + sbbq 8(%rdx), %r9 + movq 16(%rsi), %r10 + sbbq 16(%rdx), %r10 + movq 24(%rsi), %r11 + sbbq 24(%rdx), %r11 + ;# Wrap the result back into the field + ;# Step 1: Compute carry*38 + mov $0, %rax + mov $38, %rcx + cmovc %rcx, %rax + + ;# Step 2: Substract carry*38 from the original difference + sub %rax, %r8 + sbb $0, %r9 + sbb $0, %r10 + sbb $0, %r11 + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov $0, %rax + cmovc %rcx, %rax + sub %rax, %r8 + + ;# Store the result + movq %r8, 0(%rdi) + movq %r9, 8(%rdi) + movq %r10, 16(%rdi) + movq %r11, 24(%rdi) + ret + +.global _fmul_scalar_e 
+_fmul_scalar_e: + push %rdi + push %r13 + push %rbx + ;# Compute the raw multiplication of f1*f2 + mulxq 0(%rsi), %r8, %rcx + ;# f1[0]*f2 + mulxq 8(%rsi), %r9, %rbx + ;# f1[1]*f2 + add %rcx, %r9 + mov $0, %rcx + mulxq 16(%rsi), %r10, %r13 + ;# f1[2]*f2 + adcx %rbx, %r10 + mulxq 24(%rsi), %r11, %rax + ;# f1[3]*f2 + adcx %r13, %r11 + adcx %rcx, %rax + ;# Wrap the result back into the field + ;# Step 1: Compute carry*38 + mov $38, %rdx + imul %rdx, %rax + + ;# Step 2: Fold the carry back into dst + add %rax, %r8 + adcx %rcx, %r9 + movq %r9, 8(%rdi) + adcx %rcx, %r10 + movq %r10, 16(%rdi) + adcx %rcx, %r11 + movq %r11, 24(%rdi) + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov $0, %rax + cmovc %rdx, %rax + add %rax, %r8 + movq %r8, 0(%rdi) + pop %rbx + pop %r13 + pop %rdi + ret + +.global _fmul_e +_fmul_e: + push %r13 + push %r14 + push %r15 + push %rbx + mov %rdx, %r15 + ;# Compute the raw multiplication: tmp <- src1 * src2 + ;# Compute src1[0] * src2 + movq 0(%rsi), %rdx + mulxq 0(%rcx), %r8, %r9 + xor %r10d, %r10d + movq %r8, 0(%rdi) + + mulxq 8(%rcx), %r10, %r11 + adox %r9, %r10 + movq %r10, 8(%rdi) + + mulxq 16(%rcx), %rbx, %r13 + adox %r11, %rbx + mulxq 24(%rcx), %r14, %rdx + adox %r13, %r14 + mov $0, %rax + adox %rdx, %rax + + + ;# Compute src1[1] * src2 + movq 8(%rsi), %rdx + mulxq 0(%rcx), %r8, %r9 + xor %r10d, %r10d + adcxq 8(%rdi), %r8 + movq %r8, 8(%rdi) + mulxq 8(%rcx), %r10, %r11 + adox %r9, %r10 + adcx %rbx, %r10 + movq %r10, 16(%rdi) + mulxq 16(%rcx), %rbx, %r13 + adox %r11, %rbx + adcx %r14, %rbx + mov $0, %r8 + mulxq 24(%rcx), %r14, %rdx + adox %r13, %r14 + adcx %rax, %r14 + mov $0, %rax + adox %rdx, %rax + adcx %r8, %rax + + + ;# Compute src1[2] * src2 + movq 16(%rsi), %rdx + mulxq 0(%rcx), %r8, %r9 + xor %r10d, %r10d + adcxq 16(%rdi), %r8 + movq %r8, 16(%rdi) + mulxq 8(%rcx), %r10, %r11 + adox %r9, %r10 + adcx %rbx, %r10 + movq %r10, 24(%rdi) + mulxq 16(%rcx), %rbx, %r13 + adox %r11, %rbx + adcx %r14, %rbx + mov 
$0, %r8 + mulxq 24(%rcx), %r14, %rdx + adox %r13, %r14 + adcx %rax, %r14 + mov $0, %rax + adox %rdx, %rax + adcx %r8, %rax + + + ;# Compute src1[3] * src2 + movq 24(%rsi), %rdx + mulxq 0(%rcx), %r8, %r9 + xor %r10d, %r10d + adcxq 24(%rdi), %r8 + movq %r8, 24(%rdi) + mulxq 8(%rcx), %r10, %r11 + adox %r9, %r10 + adcx %rbx, %r10 + movq %r10, 32(%rdi) + mulxq 16(%rcx), %rbx, %r13 + adox %r11, %rbx + adcx %r14, %rbx + movq %rbx, 40(%rdi) + mov $0, %r8 + mulxq 24(%rcx), %r14, %rdx + adox %r13, %r14 + adcx %rax, %r14 + movq %r14, 48(%rdi) + mov $0, %rax + adox %rdx, %rax + adcx %r8, %rax + movq %rax, 56(%rdi) + + + ;# Line up pointers + mov %rdi, %rsi + mov %r15, %rdi + ;# Wrap the result back into the field + ;# Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + mov $38, %rdx + mulxq 32(%rsi), %r8, %r13 + xor %ecx, %ecx + adoxq 0(%rsi), %r8 + mulxq 40(%rsi), %r9, %rbx + adcx %r13, %r9 + adoxq 8(%rsi), %r9 + mulxq 48(%rsi), %r10, %r13 + adcx %rbx, %r10 + adoxq 16(%rsi), %r10 + mulxq 56(%rsi), %r11, %rax + adcx %r13, %r11 + adoxq 24(%rsi), %r11 + adcx %rcx, %rax + adox %rcx, %rax + imul %rdx, %rax + + ;# Step 2: Fold the carry back into dst + add %rax, %r8 + adcx %rcx, %r9 + movq %r9, 8(%rdi) + adcx %rcx, %r10 + movq %r10, 16(%rdi) + adcx %rcx, %r11 + movq %r11, 24(%rdi) + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov $0, %rax + cmovc %rdx, %rax + add %rax, %r8 + movq %r8, 0(%rdi) + pop %rbx + pop %r15 + pop %r14 + pop %r13 + ret + +.global _fmul2_e +_fmul2_e: + push %r13 + push %r14 + push %r15 + push %rbx + mov %rdx, %r15 + ;# Compute the raw multiplication tmp[0] <- f1[0] * f2[0] + ;# Compute src1[0] * src2 + movq 0(%rsi), %rdx + mulxq 0(%rcx), %r8, %r9 + xor %r10d, %r10d + movq %r8, 0(%rdi) + + mulxq 8(%rcx), %r10, %r11 + adox %r9, %r10 + movq %r10, 8(%rdi) + + mulxq 16(%rcx), %rbx, %r13 + adox %r11, %rbx + mulxq 24(%rcx), %r14, %rdx + adox %r13, %r14 + mov $0, %rax + adox %rdx, %rax + + + ;# Compute src1[1] * src2 + movq 
8(%rsi), %rdx + mulxq 0(%rcx), %r8, %r9 + xor %r10d, %r10d + adcxq 8(%rdi), %r8 + movq %r8, 8(%rdi) + mulxq 8(%rcx), %r10, %r11 + adox %r9, %r10 + adcx %rbx, %r10 + movq %r10, 16(%rdi) + mulxq 16(%rcx), %rbx, %r13 + adox %r11, %rbx + adcx %r14, %rbx + mov $0, %r8 + mulxq 24(%rcx), %r14, %rdx + adox %r13, %r14 + adcx %rax, %r14 + mov $0, %rax + adox %rdx, %rax + adcx %r8, %rax + + + ;# Compute src1[2] * src2 + movq 16(%rsi), %rdx + mulxq 0(%rcx), %r8, %r9 + xor %r10d, %r10d + adcxq 16(%rdi), %r8 + movq %r8, 16(%rdi) + mulxq 8(%rcx), %r10, %r11 + adox %r9, %r10 + adcx %rbx, %r10 + movq %r10, 24(%rdi) + mulxq 16(%rcx), %rbx, %r13 + adox %r11, %rbx + adcx %r14, %rbx + mov $0, %r8 + mulxq 24(%rcx), %r14, %rdx + adox %r13, %r14 + adcx %rax, %r14 + mov $0, %rax + adox %rdx, %rax + adcx %r8, %rax + + + ;# Compute src1[3] * src2 + movq 24(%rsi), %rdx + mulxq 0(%rcx), %r8, %r9 + xor %r10d, %r10d + adcxq 24(%rdi), %r8 + movq %r8, 24(%rdi) + mulxq 8(%rcx), %r10, %r11 + adox %r9, %r10 + adcx %rbx, %r10 + movq %r10, 32(%rdi) + mulxq 16(%rcx), %rbx, %r13 + adox %r11, %rbx + adcx %r14, %rbx + movq %rbx, 40(%rdi) + mov $0, %r8 + mulxq 24(%rcx), %r14, %rdx + adox %r13, %r14 + adcx %rax, %r14 + movq %r14, 48(%rdi) + mov $0, %rax + adox %rdx, %rax + adcx %r8, %rax + movq %rax, 56(%rdi) + + ;# Compute the raw multiplication tmp[1] <- f1[1] * f2[1] + ;# Compute src1[0] * src2 + movq 32(%rsi), %rdx + mulxq 32(%rcx), %r8, %r9 + xor %r10d, %r10d + movq %r8, 64(%rdi) + + mulxq 40(%rcx), %r10, %r11 + adox %r9, %r10 + movq %r10, 72(%rdi) + + mulxq 48(%rcx), %rbx, %r13 + adox %r11, %rbx + mulxq 56(%rcx), %r14, %rdx + adox %r13, %r14 + mov $0, %rax + adox %rdx, %rax + + + ;# Compute src1[1] * src2 + movq 40(%rsi), %rdx + mulxq 32(%rcx), %r8, %r9 + xor %r10d, %r10d + adcxq 72(%rdi), %r8 + movq %r8, 72(%rdi) + mulxq 40(%rcx), %r10, %r11 + adox %r9, %r10 + adcx %rbx, %r10 + movq %r10, 80(%rdi) + mulxq 48(%rcx), %rbx, %r13 + adox %r11, %rbx + adcx %r14, %rbx + mov $0, %r8 + mulxq 56(%rcx), %r14, 
%rdx + adox %r13, %r14 + adcx %rax, %r14 + mov $0, %rax + adox %rdx, %rax + adcx %r8, %rax + + + ;# Compute src1[2] * src2 + movq 48(%rsi), %rdx + mulxq 32(%rcx), %r8, %r9 + xor %r10d, %r10d + adcxq 80(%rdi), %r8 + movq %r8, 80(%rdi) + mulxq 40(%rcx), %r10, %r11 + adox %r9, %r10 + adcx %rbx, %r10 + movq %r10, 88(%rdi) + mulxq 48(%rcx), %rbx, %r13 + adox %r11, %rbx + adcx %r14, %rbx + mov $0, %r8 + mulxq 56(%rcx), %r14, %rdx + adox %r13, %r14 + adcx %rax, %r14 + mov $0, %rax + adox %rdx, %rax + adcx %r8, %rax + + + ;# Compute src1[3] * src2 + movq 56(%rsi), %rdx + mulxq 32(%rcx), %r8, %r9 + xor %r10d, %r10d + adcxq 88(%rdi), %r8 + movq %r8, 88(%rdi) + mulxq 40(%rcx), %r10, %r11 + adox %r9, %r10 + adcx %rbx, %r10 + movq %r10, 96(%rdi) + mulxq 48(%rcx), %rbx, %r13 + adox %r11, %rbx + adcx %r14, %rbx + movq %rbx, 104(%rdi) + mov $0, %r8 + mulxq 56(%rcx), %r14, %rdx + adox %r13, %r14 + adcx %rax, %r14 + movq %r14, 112(%rdi) + mov $0, %rax + adox %rdx, %rax + adcx %r8, %rax + movq %rax, 120(%rdi) + + + ;# Line up pointers + mov %rdi, %rsi + mov %r15, %rdi + ;# Wrap the results back into the field + ;# Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + mov $38, %rdx + mulxq 32(%rsi), %r8, %r13 + xor %ecx, %ecx + adoxq 0(%rsi), %r8 + mulxq 40(%rsi), %r9, %rbx + adcx %r13, %r9 + adoxq 8(%rsi), %r9 + mulxq 48(%rsi), %r10, %r13 + adcx %rbx, %r10 + adoxq 16(%rsi), %r10 + mulxq 56(%rsi), %r11, %rax + adcx %r13, %r11 + adoxq 24(%rsi), %r11 + adcx %rcx, %rax + adox %rcx, %rax + imul %rdx, %rax + + ;# Step 2: Fold the carry back into dst + add %rax, %r8 + adcx %rcx, %r9 + movq %r9, 8(%rdi) + adcx %rcx, %r10 + movq %r10, 16(%rdi) + adcx %rcx, %r11 + movq %r11, 24(%rdi) + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov $0, %rax + cmovc %rdx, %rax + add %rax, %r8 + movq %r8, 0(%rdi) + + ;# Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + mov $38, %rdx + mulxq 96(%rsi), %r8, %r13 + xor %ecx, %ecx + adoxq 64(%rsi), %r8 + mulxq 104(%rsi), 
%r9, %rbx + adcx %r13, %r9 + adoxq 72(%rsi), %r9 + mulxq 112(%rsi), %r10, %r13 + adcx %rbx, %r10 + adoxq 80(%rsi), %r10 + mulxq 120(%rsi), %r11, %rax + adcx %r13, %r11 + adoxq 88(%rsi), %r11 + adcx %rcx, %rax + adox %rcx, %rax + imul %rdx, %rax + + ;# Step 2: Fold the carry back into dst + add %rax, %r8 + adcx %rcx, %r9 + movq %r9, 40(%rdi) + adcx %rcx, %r10 + movq %r10, 48(%rdi) + adcx %rcx, %r11 + movq %r11, 56(%rdi) + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov $0, %rax + cmovc %rdx, %rax + add %rax, %r8 + movq %r8, 32(%rdi) + pop %rbx + pop %r15 + pop %r14 + pop %r13 + ret + +.global _fsqr_e +_fsqr_e: + push %r15 + push %r13 + push %r14 + push %r12 + push %rbx + mov %rdx, %r12 + ;# Compute the raw multiplication: tmp <- f * f + ;# Step 1: Compute all partial products + movq 0(%rsi), %rdx + ;# f[0] + mulxq 8(%rsi), %r8, %r14 + xor %r15d, %r15d + ;# f[1]*f[0] + mulxq 16(%rsi), %r9, %r10 + adcx %r14, %r9 + ;# f[2]*f[0] + mulxq 24(%rsi), %rax, %rcx + adcx %rax, %r10 + ;# f[3]*f[0] + movq 24(%rsi), %rdx + ;# f[3] + mulxq 8(%rsi), %r11, %rbx + adcx %rcx, %r11 + ;# f[1]*f[3] + mulxq 16(%rsi), %rax, %r13 + adcx %rax, %rbx + ;# f[2]*f[3] + movq 8(%rsi), %rdx + adcx %r15, %r13 + ;# f1 + mulxq 16(%rsi), %rax, %rcx + mov $0, %r14 + ;# f[2]*f[1] + + ;# Step 2: Compute two parallel carry chains + xor %r15d, %r15d + adox %rax, %r10 + adcx %r8, %r8 + adox %rcx, %r11 + adcx %r9, %r9 + adox %r15, %rbx + adcx %r10, %r10 + adox %r15, %r13 + adcx %r11, %r11 + adox %r15, %r14 + adcx %rbx, %rbx + adcx %r13, %r13 + adcx %r14, %r14 + + ;# Step 3: Compute intermediate squares + movq 0(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[0]^2 + movq %rax, 0(%rdi) + + add %rcx, %r8 + movq %r8, 8(%rdi) + + movq 8(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[1]^2 + adcx %rax, %r9 + movq %r9, 16(%rdi) + + adcx %rcx, %r10 + movq %r10, 24(%rdi) + + movq 16(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[2]^2 + adcx %rax, %r11 + movq %r11, 32(%rdi) + + adcx %rcx, %rbx + 
movq %rbx, 40(%rdi) + + movq 24(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[3]^2 + adcx %rax, %r13 + movq %r13, 48(%rdi) + + adcx %rcx, %r14 + movq %r14, 56(%rdi) + + + ;# Line up pointers + mov %rdi, %rsi + mov %r12, %rdi + ;# Wrap the result back into the field + ;# Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + mov $38, %rdx + mulxq 32(%rsi), %r8, %r13 + xor %ecx, %ecx + adoxq 0(%rsi), %r8 + mulxq 40(%rsi), %r9, %rbx + adcx %r13, %r9 + adoxq 8(%rsi), %r9 + mulxq 48(%rsi), %r10, %r13 + adcx %rbx, %r10 + adoxq 16(%rsi), %r10 + mulxq 56(%rsi), %r11, %rax + adcx %r13, %r11 + adoxq 24(%rsi), %r11 + adcx %rcx, %rax + adox %rcx, %rax + imul %rdx, %rax + + ;# Step 2: Fold the carry back into dst + add %rax, %r8 + adcx %rcx, %r9 + movq %r9, 8(%rdi) + adcx %rcx, %r10 + movq %r10, 16(%rdi) + adcx %rcx, %r11 + movq %r11, 24(%rdi) + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov $0, %rax + cmovc %rdx, %rax + add %rax, %r8 + movq %r8, 0(%rdi) + pop %rbx + pop %r12 + pop %r14 + pop %r13 + pop %r15 + ret + +.global _fsqr2_e +_fsqr2_e: + push %r15 + push %r13 + push %r14 + push %r12 + push %rbx + mov %rdx, %r12 + ;# Step 1: Compute all partial products + movq 0(%rsi), %rdx + ;# f[0] + mulxq 8(%rsi), %r8, %r14 + xor %r15d, %r15d + ;# f[1]*f[0] + mulxq 16(%rsi), %r9, %r10 + adcx %r14, %r9 + ;# f[2]*f[0] + mulxq 24(%rsi), %rax, %rcx + adcx %rax, %r10 + ;# f[3]*f[0] + movq 24(%rsi), %rdx + ;# f[3] + mulxq 8(%rsi), %r11, %rbx + adcx %rcx, %r11 + ;# f[1]*f[3] + mulxq 16(%rsi), %rax, %r13 + adcx %rax, %rbx + ;# f[2]*f[3] + movq 8(%rsi), %rdx + adcx %r15, %r13 + ;# f1 + mulxq 16(%rsi), %rax, %rcx + mov $0, %r14 + ;# f[2]*f[1] + + ;# Step 2: Compute two parallel carry chains + xor %r15d, %r15d + adox %rax, %r10 + adcx %r8, %r8 + adox %rcx, %r11 + adcx %r9, %r9 + adox %r15, %rbx + adcx %r10, %r10 + adox %r15, %r13 + adcx %r11, %r11 + adox %r15, %r14 + adcx %rbx, %rbx + adcx %r13, %r13 + adcx %r14, %r14 + + ;# Step 3: Compute intermediate squares 
+ movq 0(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[0]^2 + movq %rax, 0(%rdi) + + add %rcx, %r8 + movq %r8, 8(%rdi) + + movq 8(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[1]^2 + adcx %rax, %r9 + movq %r9, 16(%rdi) + + adcx %rcx, %r10 + movq %r10, 24(%rdi) + + movq 16(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[2]^2 + adcx %rax, %r11 + movq %r11, 32(%rdi) + + adcx %rcx, %rbx + movq %rbx, 40(%rdi) + + movq 24(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[3]^2 + adcx %rax, %r13 + movq %r13, 48(%rdi) + + adcx %rcx, %r14 + movq %r14, 56(%rdi) + + + ;# Step 1: Compute all partial products + movq 32(%rsi), %rdx + ;# f[0] + mulxq 40(%rsi), %r8, %r14 + xor %r15d, %r15d + ;# f[1]*f[0] + mulxq 48(%rsi), %r9, %r10 + adcx %r14, %r9 + ;# f[2]*f[0] + mulxq 56(%rsi), %rax, %rcx + adcx %rax, %r10 + ;# f[3]*f[0] + movq 56(%rsi), %rdx + ;# f[3] + mulxq 40(%rsi), %r11, %rbx + adcx %rcx, %r11 + ;# f[1]*f[3] + mulxq 48(%rsi), %rax, %r13 + adcx %rax, %rbx + ;# f[2]*f[3] + movq 40(%rsi), %rdx + adcx %r15, %r13 + ;# f1 + mulxq 48(%rsi), %rax, %rcx + mov $0, %r14 + ;# f[2]*f[1] + + ;# Step 2: Compute two parallel carry chains + xor %r15d, %r15d + adox %rax, %r10 + adcx %r8, %r8 + adox %rcx, %r11 + adcx %r9, %r9 + adox %r15, %rbx + adcx %r10, %r10 + adox %r15, %r13 + adcx %r11, %r11 + adox %r15, %r14 + adcx %rbx, %rbx + adcx %r13, %r13 + adcx %r14, %r14 + + ;# Step 3: Compute intermediate squares + movq 32(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[0]^2 + movq %rax, 64(%rdi) + + add %rcx, %r8 + movq %r8, 72(%rdi) + + movq 40(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[1]^2 + adcx %rax, %r9 + movq %r9, 80(%rdi) + + adcx %rcx, %r10 + movq %r10, 88(%rdi) + + movq 48(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[2]^2 + adcx %rax, %r11 + movq %r11, 96(%rdi) + + adcx %rcx, %rbx + movq %rbx, 104(%rdi) + + movq 56(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[3]^2 + adcx %rax, %r13 + movq %r13, 112(%rdi) + + adcx %rcx, %r14 + movq %r14, 120(%rdi) + + + ;# Line up pointers + mov %rdi, %rsi + mov %r12, %rdi + + 
;# Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + mov $38, %rdx + mulxq 32(%rsi), %r8, %r13 + xor %ecx, %ecx + adoxq 0(%rsi), %r8 + mulxq 40(%rsi), %r9, %rbx + adcx %r13, %r9 + adoxq 8(%rsi), %r9 + mulxq 48(%rsi), %r10, %r13 + adcx %rbx, %r10 + adoxq 16(%rsi), %r10 + mulxq 56(%rsi), %r11, %rax + adcx %r13, %r11 + adoxq 24(%rsi), %r11 + adcx %rcx, %rax + adox %rcx, %rax + imul %rdx, %rax + + ;# Step 2: Fold the carry back into dst + add %rax, %r8 + adcx %rcx, %r9 + movq %r9, 8(%rdi) + adcx %rcx, %r10 + movq %r10, 16(%rdi) + adcx %rcx, %r11 + movq %r11, 24(%rdi) + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov $0, %rax + cmovc %rdx, %rax + add %rax, %r8 + movq %r8, 0(%rdi) + + ;# Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + mov $38, %rdx + mulxq 96(%rsi), %r8, %r13 + xor %ecx, %ecx + adoxq 64(%rsi), %r8 + mulxq 104(%rsi), %r9, %rbx + adcx %r13, %r9 + adoxq 72(%rsi), %r9 + mulxq 112(%rsi), %r10, %r13 + adcx %rbx, %r10 + adoxq 80(%rsi), %r10 + mulxq 120(%rsi), %r11, %rax + adcx %r13, %r11 + adoxq 88(%rsi), %r11 + adcx %rcx, %rax + adox %rcx, %rax + imul %rdx, %rax + + ;# Step 2: Fold the carry back into dst + add %rax, %r8 + adcx %rcx, %r9 + movq %r9, 40(%rdi) + adcx %rcx, %r10 + movq %r10, 48(%rdi) + adcx %rcx, %r11 + movq %r11, 56(%rdi) + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov $0, %rax + cmovc %rdx, %rax + add %rax, %r8 + movq %r8, 32(%rdi) + pop %rbx + pop %r12 + pop %r14 + pop %r13 + pop %r15 + ret + +.global _cswap2_e +_cswap2_e: + ;# Transfer bit into CF flag + add $18446744073709551615, %rdi + + ;# cswap p1[0], p2[0] + movq 0(%rsi), %r8 + movq 0(%rdx), %r9 + mov %r8, %r10 + cmovc %r9, %r8 + cmovc %r10, %r9 + movq %r8, 0(%rsi) + movq %r9, 0(%rdx) + + ;# cswap p1[1], p2[1] + movq 8(%rsi), %r8 + movq 8(%rdx), %r9 + mov %r8, %r10 + cmovc %r9, %r8 + cmovc %r10, %r9 + movq %r8, 8(%rsi) + movq %r9, 8(%rdx) + + ;# cswap p1[2], p2[2] + movq 16(%rsi), %r8 + movq 16(%rdx), 
%r9 + mov %r8, %r10 + cmovc %r9, %r8 + cmovc %r10, %r9 + movq %r8, 16(%rsi) + movq %r9, 16(%rdx) + + ;# cswap p1[3], p2[3] + movq 24(%rsi), %r8 + movq 24(%rdx), %r9 + mov %r8, %r10 + cmovc %r9, %r8 + cmovc %r10, %r9 + movq %r8, 24(%rsi) + movq %r9, 24(%rdx) + + ;# cswap p1[4], p2[4] + movq 32(%rsi), %r8 + movq 32(%rdx), %r9 + mov %r8, %r10 + cmovc %r9, %r8 + cmovc %r10, %r9 + movq %r8, 32(%rsi) + movq %r9, 32(%rdx) + + ;# cswap p1[5], p2[5] + movq 40(%rsi), %r8 + movq 40(%rdx), %r9 + mov %r8, %r10 + cmovc %r9, %r8 + cmovc %r10, %r9 + movq %r8, 40(%rsi) + movq %r9, 40(%rdx) + + ;# cswap p1[6], p2[6] + movq 48(%rsi), %r8 + movq 48(%rdx), %r9 + mov %r8, %r10 + cmovc %r9, %r8 + cmovc %r10, %r9 + movq %r8, 48(%rsi) + movq %r9, 48(%rdx) + + ;# cswap p1[7], p2[7] + movq 56(%rsi), %r8 + movq 56(%rdx), %r9 + mov %r8, %r10 + cmovc %r9, %r8 + cmovc %r10, %r9 + movq %r8, 56(%rsi) + movq %r9, 56(%rdx) + ret + + diff --git a/vale/src/curve25519-x86_64-linux.S b/vale/src/curve25519-x86_64-linux.S new file mode 100644 index 00000000..fcad33c8 --- /dev/null +++ b/vale/src/curve25519-x86_64-linux.S 
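Review bot: All routines in this file except `_fsub_e` execute `adcx`/`adox` and most also `mulx`, yet nothing in the file records that ADX and BMI2 are required, so a caller that reaches these symbols on a CPU without those extensions faults with an illegal instruction instead of failing cleanly. A header comment after `.text`, such as `;# Requires BMI2 (mulx) and ADX (adcx/adox); callers must gate on runtime CPU-feature detection.`, would make that contract visible to whoever wires up the dispatch. The same comment should state the argument registers (`%rdi`, `%rsi`, `%rdx`, `%rcx`) and the scratch-buffer sizes the code assumes, since `_fmul_e`/`_fsqr_e` write `tmp` up to offset 56 and `_fmul2_e`/`_fsqr2_e` up to offset 120. The Linux twin added below has the same gap and additionally opens with `.text` without a `.note.GNU-stack` section, which leaves the stack executable by default when that object is linked on Linux.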
@@ -0,0 +1,986 @@ +.text +.global add_scalar_e +add_scalar_e: + push %rdi + push %rsi + ;# Clear registers to propagate the carry bit + xor %r8d, %r8d + xor %r9d, %r9d + xor %r10d, %r10d + xor %r11d, %r11d + xor %eax, %eax + + ;# Begin addition chain + addq 0(%rsi), %rdx + movq %rdx, 0(%rdi) + adcxq 8(%rsi), %r8 + movq %r8, 8(%rdi) + adcxq 16(%rsi), %r9 + movq %r9, 16(%rdi) + adcxq 24(%rsi), %r10 + movq %r10, 24(%rdi) + + ;# Return the carry bit in a register + adcx %r11, %rax + pop %rsi + pop %rdi + ret + +.global fadd_e +fadd_e: + ;# Compute the raw addition of f1 + f2 + movq 0(%rdx), %r8 + addq 0(%rsi), %r8 + movq 8(%rdx), %r9 + adcxq 8(%rsi), %r9 + movq 16(%rdx), %r10 + adcxq 16(%rsi), %r10 + movq 24(%rdx), %r11 + adcxq 24(%rsi), %r11 + ;# Wrap the result back into the field + ;# Step 1: Compute carry*38 + mov $0, %rax + mov $38, %rdx + cmovc %rdx, %rax + + ;# Step 2: Add carry*38 to the original sum + xor %ecx, %ecx + add %rax, %r8 + adcx %rcx, %r9 + movq %r9, 8(%rdi) + adcx %rcx, %r10 + movq %r10, 16(%rdi) + adcx %rcx, %r11 + movq %r11, 24(%rdi) + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov $0, %rax + cmovc %rdx, %rax + add %rax, %r8 + movq %r8, 0(%rdi) + ret + +.global fsub_e +fsub_e: + ;# Compute the raw substraction of f1-f2 + movq 0(%rsi), %r8 + subq 0(%rdx), %r8 + movq 8(%rsi), %r9 + sbbq 8(%rdx), %r9 + movq 16(%rsi), %r10 + sbbq 16(%rdx), %r10 + movq 24(%rsi), %r11 + sbbq 24(%rdx), %r11 + ;# Wrap the result back into the field + ;# Step 1: Compute carry*38 + mov $0, %rax + mov $38, %rcx + cmovc %rcx, %rax + + ;# Step 2: Substract carry*38 from the original difference + sub %rax, %r8 + sbb $0, %r9 + sbb $0, %r10 + sbb $0, %r11 + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov $0, %rax + cmovc %rcx, %rax + sub %rax, %r8 + + ;# Store the result + movq %r8, 0(%rdi) + movq %r9, 8(%rdi) + movq %r10, 16(%rdi) + movq %r11, 24(%rdi) + ret + +.global fmul_scalar_e +fmul_scalar_e: + push 
%rdi + push %r13 + push %rbx + ;# Compute the raw multiplication of f1*f2 + mulxq 0(%rsi), %r8, %rcx + ;# f1[0]*f2 + mulxq 8(%rsi), %r9, %rbx + ;# f1[1]*f2 + add %rcx, %r9 + mov $0, %rcx + mulxq 16(%rsi), %r10, %r13 + ;# f1[2]*f2 + adcx %rbx, %r10 + mulxq 24(%rsi), %r11, %rax + ;# f1[3]*f2 + adcx %r13, %r11 + adcx %rcx, %rax + ;# Wrap the result back into the field + ;# Step 1: Compute carry*38 + mov $38, %rdx + imul %rdx, %rax + + ;# Step 2: Fold the carry back into dst + add %rax, %r8 + adcx %rcx, %r9 + movq %r9, 8(%rdi) + adcx %rcx, %r10 + movq %r10, 16(%rdi) + adcx %rcx, %r11 + movq %r11, 24(%rdi) + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov $0, %rax + cmovc %rdx, %rax + add %rax, %r8 + movq %r8, 0(%rdi) + pop %rbx + pop %r13 + pop %rdi + ret + +.global fmul_e +fmul_e: + push %r13 + push %r14 + push %r15 + push %rbx + mov %rdx, %r15 + ;# Compute the raw multiplication: tmp <- src1 * src2 + ;# Compute src1[0] * src2 + movq 0(%rsi), %rdx + mulxq 0(%rcx), %r8, %r9 + xor %r10d, %r10d + movq %r8, 0(%rdi) + + mulxq 8(%rcx), %r10, %r11 + adox %r9, %r10 + movq %r10, 8(%rdi) + + mulxq 16(%rcx), %rbx, %r13 + adox %r11, %rbx + mulxq 24(%rcx), %r14, %rdx + adox %r13, %r14 + mov $0, %rax + adox %rdx, %rax + + + ;# Compute src1[1] * src2 + movq 8(%rsi), %rdx + mulxq 0(%rcx), %r8, %r9 + xor %r10d, %r10d + adcxq 8(%rdi), %r8 + movq %r8, 8(%rdi) + mulxq 8(%rcx), %r10, %r11 + adox %r9, %r10 + adcx %rbx, %r10 + movq %r10, 16(%rdi) + mulxq 16(%rcx), %rbx, %r13 + adox %r11, %rbx + adcx %r14, %rbx + mov $0, %r8 + mulxq 24(%rcx), %r14, %rdx + adox %r13, %r14 + adcx %rax, %r14 + mov $0, %rax + adox %rdx, %rax + adcx %r8, %rax + + + ;# Compute src1[2] * src2 + movq 16(%rsi), %rdx + mulxq 0(%rcx), %r8, %r9 + xor %r10d, %r10d + adcxq 16(%rdi), %r8 + movq %r8, 16(%rdi) + mulxq 8(%rcx), %r10, %r11 + adox %r9, %r10 + adcx %rbx, %r10 + movq %r10, 24(%rdi) + mulxq 16(%rcx), %rbx, %r13 + adox %r11, %rbx + adcx %r14, %rbx + mov $0, %r8 + mulxq 24(%rcx), 
%r14, %rdx + adox %r13, %r14 + adcx %rax, %r14 + mov $0, %rax + adox %rdx, %rax + adcx %r8, %rax + + + ;# Compute src1[3] * src2 + movq 24(%rsi), %rdx + mulxq 0(%rcx), %r8, %r9 + xor %r10d, %r10d + adcxq 24(%rdi), %r8 + movq %r8, 24(%rdi) + mulxq 8(%rcx), %r10, %r11 + adox %r9, %r10 + adcx %rbx, %r10 + movq %r10, 32(%rdi) + mulxq 16(%rcx), %rbx, %r13 + adox %r11, %rbx + adcx %r14, %rbx + movq %rbx, 40(%rdi) + mov $0, %r8 + mulxq 24(%rcx), %r14, %rdx + adox %r13, %r14 + adcx %rax, %r14 + movq %r14, 48(%rdi) + mov $0, %rax + adox %rdx, %rax + adcx %r8, %rax + movq %rax, 56(%rdi) + + + ;# Line up pointers + mov %rdi, %rsi + mov %r15, %rdi + ;# Wrap the result back into the field + ;# Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + mov $38, %rdx + mulxq 32(%rsi), %r8, %r13 + xor %ecx, %ecx + adoxq 0(%rsi), %r8 + mulxq 40(%rsi), %r9, %rbx + adcx %r13, %r9 + adoxq 8(%rsi), %r9 + mulxq 48(%rsi), %r10, %r13 + adcx %rbx, %r10 + adoxq 16(%rsi), %r10 + mulxq 56(%rsi), %r11, %rax + adcx %r13, %r11 + adoxq 24(%rsi), %r11 + adcx %rcx, %rax + adox %rcx, %rax + imul %rdx, %rax + + ;# Step 2: Fold the carry back into dst + add %rax, %r8 + adcx %rcx, %r9 + movq %r9, 8(%rdi) + adcx %rcx, %r10 + movq %r10, 16(%rdi) + adcx %rcx, %r11 + movq %r11, 24(%rdi) + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov $0, %rax + cmovc %rdx, %rax + add %rax, %r8 + movq %r8, 0(%rdi) + pop %rbx + pop %r15 + pop %r14 + pop %r13 + ret + +.global fmul2_e +fmul2_e: + push %r13 + push %r14 + push %r15 + push %rbx + mov %rdx, %r15 + ;# Compute the raw multiplication tmp[0] <- f1[0] * f2[0] + ;# Compute src1[0] * src2 + movq 0(%rsi), %rdx + mulxq 0(%rcx), %r8, %r9 + xor %r10d, %r10d + movq %r8, 0(%rdi) + + mulxq 8(%rcx), %r10, %r11 + adox %r9, %r10 + movq %r10, 8(%rdi) + + mulxq 16(%rcx), %rbx, %r13 + adox %r11, %rbx + mulxq 24(%rcx), %r14, %rdx + adox %r13, %r14 + mov $0, %rax + adox %rdx, %rax + + + ;# Compute src1[1] * src2 + movq 8(%rsi), %rdx + mulxq 0(%rcx), 
%r8, %r9 + xor %r10d, %r10d + adcxq 8(%rdi), %r8 + movq %r8, 8(%rdi) + mulxq 8(%rcx), %r10, %r11 + adox %r9, %r10 + adcx %rbx, %r10 + movq %r10, 16(%rdi) + mulxq 16(%rcx), %rbx, %r13 + adox %r11, %rbx + adcx %r14, %rbx + mov $0, %r8 + mulxq 24(%rcx), %r14, %rdx + adox %r13, %r14 + adcx %rax, %r14 + mov $0, %rax + adox %rdx, %rax + adcx %r8, %rax + + + ;# Compute src1[2] * src2 + movq 16(%rsi), %rdx + mulxq 0(%rcx), %r8, %r9 + xor %r10d, %r10d + adcxq 16(%rdi), %r8 + movq %r8, 16(%rdi) + mulxq 8(%rcx), %r10, %r11 + adox %r9, %r10 + adcx %rbx, %r10 + movq %r10, 24(%rdi) + mulxq 16(%rcx), %rbx, %r13 + adox %r11, %rbx + adcx %r14, %rbx + mov $0, %r8 + mulxq 24(%rcx), %r14, %rdx + adox %r13, %r14 + adcx %rax, %r14 + mov $0, %rax + adox %rdx, %rax + adcx %r8, %rax + + + ;# Compute src1[3] * src2 + movq 24(%rsi), %rdx + mulxq 0(%rcx), %r8, %r9 + xor %r10d, %r10d + adcxq 24(%rdi), %r8 + movq %r8, 24(%rdi) + mulxq 8(%rcx), %r10, %r11 + adox %r9, %r10 + adcx %rbx, %r10 + movq %r10, 32(%rdi) + mulxq 16(%rcx), %rbx, %r13 + adox %r11, %rbx + adcx %r14, %rbx + movq %rbx, 40(%rdi) + mov $0, %r8 + mulxq 24(%rcx), %r14, %rdx + adox %r13, %r14 + adcx %rax, %r14 + movq %r14, 48(%rdi) + mov $0, %rax + adox %rdx, %rax + adcx %r8, %rax + movq %rax, 56(%rdi) + + ;# Compute the raw multiplication tmp[1] <- f1[1] * f2[1] + ;# Compute src1[0] * src2 + movq 32(%rsi), %rdx + mulxq 32(%rcx), %r8, %r9 + xor %r10d, %r10d + movq %r8, 64(%rdi) + + mulxq 40(%rcx), %r10, %r11 + adox %r9, %r10 + movq %r10, 72(%rdi) + + mulxq 48(%rcx), %rbx, %r13 + adox %r11, %rbx + mulxq 56(%rcx), %r14, %rdx + adox %r13, %r14 + mov $0, %rax + adox %rdx, %rax + + + ;# Compute src1[1] * src2 + movq 40(%rsi), %rdx + mulxq 32(%rcx), %r8, %r9 + xor %r10d, %r10d + adcxq 72(%rdi), %r8 + movq %r8, 72(%rdi) + mulxq 40(%rcx), %r10, %r11 + adox %r9, %r10 + adcx %rbx, %r10 + movq %r10, 80(%rdi) + mulxq 48(%rcx), %rbx, %r13 + adox %r11, %rbx + adcx %r14, %rbx + mov $0, %r8 + mulxq 56(%rcx), %r14, %rdx + adox %r13, %r14 + adcx 
%rax, %r14 + mov $0, %rax + adox %rdx, %rax + adcx %r8, %rax + + + ;# Compute src1[2] * src2 + movq 48(%rsi), %rdx + mulxq 32(%rcx), %r8, %r9 + xor %r10d, %r10d + adcxq 80(%rdi), %r8 + movq %r8, 80(%rdi) + mulxq 40(%rcx), %r10, %r11 + adox %r9, %r10 + adcx %rbx, %r10 + movq %r10, 88(%rdi) + mulxq 48(%rcx), %rbx, %r13 + adox %r11, %rbx + adcx %r14, %rbx + mov $0, %r8 + mulxq 56(%rcx), %r14, %rdx + adox %r13, %r14 + adcx %rax, %r14 + mov $0, %rax + adox %rdx, %rax + adcx %r8, %rax + + + ;# Compute src1[3] * src2 + movq 56(%rsi), %rdx + mulxq 32(%rcx), %r8, %r9 + xor %r10d, %r10d + adcxq 88(%rdi), %r8 + movq %r8, 88(%rdi) + mulxq 40(%rcx), %r10, %r11 + adox %r9, %r10 + adcx %rbx, %r10 + movq %r10, 96(%rdi) + mulxq 48(%rcx), %rbx, %r13 + adox %r11, %rbx + adcx %r14, %rbx + movq %rbx, 104(%rdi) + mov $0, %r8 + mulxq 56(%rcx), %r14, %rdx + adox %r13, %r14 + adcx %rax, %r14 + movq %r14, 112(%rdi) + mov $0, %rax + adox %rdx, %rax + adcx %r8, %rax + movq %rax, 120(%rdi) + + + ;# Line up pointers + mov %rdi, %rsi + mov %r15, %rdi + ;# Wrap the results back into the field + ;# Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + mov $38, %rdx + mulxq 32(%rsi), %r8, %r13 + xor %ecx, %ecx + adoxq 0(%rsi), %r8 + mulxq 40(%rsi), %r9, %rbx + adcx %r13, %r9 + adoxq 8(%rsi), %r9 + mulxq 48(%rsi), %r10, %r13 + adcx %rbx, %r10 + adoxq 16(%rsi), %r10 + mulxq 56(%rsi), %r11, %rax + adcx %r13, %r11 + adoxq 24(%rsi), %r11 + adcx %rcx, %rax + adox %rcx, %rax + imul %rdx, %rax + + ;# Step 2: Fold the carry back into dst + add %rax, %r8 + adcx %rcx, %r9 + movq %r9, 8(%rdi) + adcx %rcx, %r10 + movq %r10, 16(%rdi) + adcx %rcx, %r11 + movq %r11, 24(%rdi) + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov $0, %rax + cmovc %rdx, %rax + add %rax, %r8 + movq %r8, 0(%rdi) + + ;# Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + mov $38, %rdx + mulxq 96(%rsi), %r8, %r13 + xor %ecx, %ecx + adoxq 64(%rsi), %r8 + mulxq 104(%rsi), %r9, %rbx + adcx %r13, %r9 + 
adoxq 72(%rsi), %r9 + mulxq 112(%rsi), %r10, %r13 + adcx %rbx, %r10 + adoxq 80(%rsi), %r10 + mulxq 120(%rsi), %r11, %rax + adcx %r13, %r11 + adoxq 88(%rsi), %r11 + adcx %rcx, %rax + adox %rcx, %rax + imul %rdx, %rax + + ;# Step 2: Fold the carry back into dst + add %rax, %r8 + adcx %rcx, %r9 + movq %r9, 40(%rdi) + adcx %rcx, %r10 + movq %r10, 48(%rdi) + adcx %rcx, %r11 + movq %r11, 56(%rdi) + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov $0, %rax + cmovc %rdx, %rax + add %rax, %r8 + movq %r8, 32(%rdi) + pop %rbx + pop %r15 + pop %r14 + pop %r13 + ret + +.global fsqr_e +fsqr_e: + push %r15 + push %r13 + push %r14 + push %r12 + push %rbx + mov %rdx, %r12 + ;# Compute the raw multiplication: tmp <- f * f + ;# Step 1: Compute all partial products + movq 0(%rsi), %rdx + ;# f[0] + mulxq 8(%rsi), %r8, %r14 + xor %r15d, %r15d + ;# f[1]*f[0] + mulxq 16(%rsi), %r9, %r10 + adcx %r14, %r9 + ;# f[2]*f[0] + mulxq 24(%rsi), %rax, %rcx + adcx %rax, %r10 + ;# f[3]*f[0] + movq 24(%rsi), %rdx + ;# f[3] + mulxq 8(%rsi), %r11, %rbx + adcx %rcx, %r11 + ;# f[1]*f[3] + mulxq 16(%rsi), %rax, %r13 + adcx %rax, %rbx + ;# f[2]*f[3] + movq 8(%rsi), %rdx + adcx %r15, %r13 + ;# f1 + mulxq 16(%rsi), %rax, %rcx + mov $0, %r14 + ;# f[2]*f[1] + + ;# Step 2: Compute two parallel carry chains + xor %r15d, %r15d + adox %rax, %r10 + adcx %r8, %r8 + adox %rcx, %r11 + adcx %r9, %r9 + adox %r15, %rbx + adcx %r10, %r10 + adox %r15, %r13 + adcx %r11, %r11 + adox %r15, %r14 + adcx %rbx, %rbx + adcx %r13, %r13 + adcx %r14, %r14 + + ;# Step 3: Compute intermediate squares + movq 0(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[0]^2 + movq %rax, 0(%rdi) + + add %rcx, %r8 + movq %r8, 8(%rdi) + + movq 8(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[1]^2 + adcx %rax, %r9 + movq %r9, 16(%rdi) + + adcx %rcx, %r10 + movq %r10, 24(%rdi) + + movq 16(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[2]^2 + adcx %rax, %r11 + movq %r11, 32(%rdi) + + adcx %rcx, %rbx + movq %rbx, 40(%rdi) + + movq 
24(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[3]^2 + adcx %rax, %r13 + movq %r13, 48(%rdi) + + adcx %rcx, %r14 + movq %r14, 56(%rdi) + + + ;# Line up pointers + mov %rdi, %rsi + mov %r12, %rdi + ;# Wrap the result back into the field + ;# Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + mov $38, %rdx + mulxq 32(%rsi), %r8, %r13 + xor %ecx, %ecx + adoxq 0(%rsi), %r8 + mulxq 40(%rsi), %r9, %rbx + adcx %r13, %r9 + adoxq 8(%rsi), %r9 + mulxq 48(%rsi), %r10, %r13 + adcx %rbx, %r10 + adoxq 16(%rsi), %r10 + mulxq 56(%rsi), %r11, %rax + adcx %r13, %r11 + adoxq 24(%rsi), %r11 + adcx %rcx, %rax + adox %rcx, %rax + imul %rdx, %rax + + ;# Step 2: Fold the carry back into dst + add %rax, %r8 + adcx %rcx, %r9 + movq %r9, 8(%rdi) + adcx %rcx, %r10 + movq %r10, 16(%rdi) + adcx %rcx, %r11 + movq %r11, 24(%rdi) + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov $0, %rax + cmovc %rdx, %rax + add %rax, %r8 + movq %r8, 0(%rdi) + pop %rbx + pop %r12 + pop %r14 + pop %r13 + pop %r15 + ret + +.global fsqr2_e +fsqr2_e: + push %r15 + push %r13 + push %r14 + push %r12 + push %rbx + mov %rdx, %r12 + ;# Step 1: Compute all partial products + movq 0(%rsi), %rdx + ;# f[0] + mulxq 8(%rsi), %r8, %r14 + xor %r15d, %r15d + ;# f[1]*f[0] + mulxq 16(%rsi), %r9, %r10 + adcx %r14, %r9 + ;# f[2]*f[0] + mulxq 24(%rsi), %rax, %rcx + adcx %rax, %r10 + ;# f[3]*f[0] + movq 24(%rsi), %rdx + ;# f[3] + mulxq 8(%rsi), %r11, %rbx + adcx %rcx, %r11 + ;# f[1]*f[3] + mulxq 16(%rsi), %rax, %r13 + adcx %rax, %rbx + ;# f[2]*f[3] + movq 8(%rsi), %rdx + adcx %r15, %r13 + ;# f1 + mulxq 16(%rsi), %rax, %rcx + mov $0, %r14 + ;# f[2]*f[1] + + ;# Step 2: Compute two parallel carry chains + xor %r15d, %r15d + adox %rax, %r10 + adcx %r8, %r8 + adox %rcx, %r11 + adcx %r9, %r9 + adox %r15, %rbx + adcx %r10, %r10 + adox %r15, %r13 + adcx %r11, %r11 + adox %r15, %r14 + adcx %rbx, %rbx + adcx %r13, %r13 + adcx %r14, %r14 + + ;# Step 3: Compute intermediate squares + movq 0(%rsi), %rdx + mulx 
%rdx, %rax, %rcx + ;# f[0]^2 + movq %rax, 0(%rdi) + + add %rcx, %r8 + movq %r8, 8(%rdi) + + movq 8(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[1]^2 + adcx %rax, %r9 + movq %r9, 16(%rdi) + + adcx %rcx, %r10 + movq %r10, 24(%rdi) + + movq 16(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[2]^2 + adcx %rax, %r11 + movq %r11, 32(%rdi) + + adcx %rcx, %rbx + movq %rbx, 40(%rdi) + + movq 24(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[3]^2 + adcx %rax, %r13 + movq %r13, 48(%rdi) + + adcx %rcx, %r14 + movq %r14, 56(%rdi) + + + ;# Step 1: Compute all partial products + movq 32(%rsi), %rdx + ;# f[0] + mulxq 40(%rsi), %r8, %r14 + xor %r15d, %r15d + ;# f[1]*f[0] + mulxq 48(%rsi), %r9, %r10 + adcx %r14, %r9 + ;# f[2]*f[0] + mulxq 56(%rsi), %rax, %rcx + adcx %rax, %r10 + ;# f[3]*f[0] + movq 56(%rsi), %rdx + ;# f[3] + mulxq 40(%rsi), %r11, %rbx + adcx %rcx, %r11 + ;# f[1]*f[3] + mulxq 48(%rsi), %rax, %r13 + adcx %rax, %rbx + ;# f[2]*f[3] + movq 40(%rsi), %rdx + adcx %r15, %r13 + ;# f1 + mulxq 48(%rsi), %rax, %rcx + mov $0, %r14 + ;# f[2]*f[1] + + ;# Step 2: Compute two parallel carry chains + xor %r15d, %r15d + adox %rax, %r10 + adcx %r8, %r8 + adox %rcx, %r11 + adcx %r9, %r9 + adox %r15, %rbx + adcx %r10, %r10 + adox %r15, %r13 + adcx %r11, %r11 + adox %r15, %r14 + adcx %rbx, %rbx + adcx %r13, %r13 + adcx %r14, %r14 + + ;# Step 3: Compute intermediate squares + movq 32(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[0]^2 + movq %rax, 64(%rdi) + + add %rcx, %r8 + movq %r8, 72(%rdi) + + movq 40(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[1]^2 + adcx %rax, %r9 + movq %r9, 80(%rdi) + + adcx %rcx, %r10 + movq %r10, 88(%rdi) + + movq 48(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[2]^2 + adcx %rax, %r11 + movq %r11, 96(%rdi) + + adcx %rcx, %rbx + movq %rbx, 104(%rdi) + + movq 56(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[3]^2 + adcx %rax, %r13 + movq %r13, 112(%rdi) + + adcx %rcx, %r14 + movq %r14, 120(%rdi) + + + ;# Line up pointers + mov %rdi, %rsi + mov %r12, %rdi + + ;# Step 1: Compute dst + 
carry == tmp_hi * 38 + tmp_lo + mov $38, %rdx + mulxq 32(%rsi), %r8, %r13 + xor %ecx, %ecx + adoxq 0(%rsi), %r8 + mulxq 40(%rsi), %r9, %rbx + adcx %r13, %r9 + adoxq 8(%rsi), %r9 + mulxq 48(%rsi), %r10, %r13 + adcx %rbx, %r10 + adoxq 16(%rsi), %r10 + mulxq 56(%rsi), %r11, %rax + adcx %r13, %r11 + adoxq 24(%rsi), %r11 + adcx %rcx, %rax + adox %rcx, %rax + imul %rdx, %rax + + ;# Step 2: Fold the carry back into dst + add %rax, %r8 + adcx %rcx, %r9 + movq %r9, 8(%rdi) + adcx %rcx, %r10 + movq %r10, 16(%rdi) + adcx %rcx, %r11 + movq %r11, 24(%rdi) + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov $0, %rax + cmovc %rdx, %rax + add %rax, %r8 + movq %r8, 0(%rdi) + + ;# Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + mov $38, %rdx + mulxq 96(%rsi), %r8, %r13 + xor %ecx, %ecx + adoxq 64(%rsi), %r8 + mulxq 104(%rsi), %r9, %rbx + adcx %r13, %r9 + adoxq 72(%rsi), %r9 + mulxq 112(%rsi), %r10, %r13 + adcx %rbx, %r10 + adoxq 80(%rsi), %r10 + mulxq 120(%rsi), %r11, %rax + adcx %r13, %r11 + adoxq 88(%rsi), %r11 + adcx %rcx, %rax + adox %rcx, %rax + imul %rdx, %rax + + ;# Step 2: Fold the carry back into dst + add %rax, %r8 + adcx %rcx, %r9 + movq %r9, 40(%rdi) + adcx %rcx, %r10 + movq %r10, 48(%rdi) + adcx %rcx, %r11 + movq %r11, 56(%rdi) + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov $0, %rax + cmovc %rdx, %rax + add %rax, %r8 + movq %r8, 32(%rdi) + pop %rbx + pop %r12 + pop %r14 + pop %r13 + pop %r15 + ret + +.global cswap2_e +cswap2_e: + ;# Transfer bit into CF flag + add $18446744073709551615, %rdi + + ;# cswap p1[0], p2[0] + movq 0(%rsi), %r8 + movq 0(%rdx), %r9 + mov %r8, %r10 + cmovc %r9, %r8 + cmovc %r10, %r9 + movq %r8, 0(%rsi) + movq %r9, 0(%rdx) + + ;# cswap p1[1], p2[1] + movq 8(%rsi), %r8 + movq 8(%rdx), %r9 + mov %r8, %r10 + cmovc %r9, %r8 + cmovc %r10, %r9 + movq %r8, 8(%rsi) + movq %r9, 8(%rdx) + + ;# cswap p1[2], p2[2] + movq 16(%rsi), %r8 + movq 16(%rdx), %r9 + mov %r8, %r10 + cmovc 
%r9, %r8 + cmovc %r10, %r9 + movq %r8, 16(%rsi) + movq %r9, 16(%rdx) + + ;# cswap p1[3], p2[3] + movq 24(%rsi), %r8 + movq 24(%rdx), %r9 + mov %r8, %r10 + cmovc %r9, %r8 + cmovc %r10, %r9 + movq %r8, 24(%rsi) + movq %r9, 24(%rdx) + + ;# cswap p1[4], p2[4] + movq 32(%rsi), %r8 + movq 32(%rdx), %r9 + mov %r8, %r10 + cmovc %r9, %r8 + cmovc %r10, %r9 + movq %r8, 32(%rsi) + movq %r9, 32(%rdx) + + ;# cswap p1[5], p2[5] + movq 40(%rsi), %r8 + movq 40(%rdx), %r9 + mov %r8, %r10 + cmovc %r9, %r8 + cmovc %r10, %r9 + movq %r8, 40(%rsi) + movq %r9, 40(%rdx) + + ;# cswap p1[6], p2[6] + movq 48(%rsi), %r8 + movq 48(%rdx), %r9 + mov %r8, %r10 + cmovc %r9, %r8 + cmovc %r10, %r9 + movq %r8, 48(%rsi) + movq %r9, 48(%rdx) + + ;# cswap p1[7], p2[7] + movq 56(%rsi), %r8 + movq 56(%rdx), %r9 + mov %r8, %r10 + cmovc %r9, %r8 + cmovc %r10, %r9 + movq %r8, 56(%rsi) + movq %r9, 56(%rdx) + ret + + diff --git a/vale/src/curve25519-x86_64-mingw.S b/vale/src/curve25519-x86_64-mingw.S new file mode 100644 index 00000000..93dd798e --- /dev/null +++ b/vale/src/curve25519-x86_64-mingw.S 
@@ -0,0 +1,1041 @@ +.text +.global add_scalar_e +add_scalar_e: + push %rdi + push %rsi + mov %rcx, %rdi + mov %rdx, %rsi + mov %r8, %rdx + ;# Clear registers to propagate the carry bit + xor %r8d, %r8d + xor %r9d, %r9d + xor %r10d, %r10d + xor %r11d, %r11d + xor %eax, %eax + + ;# Begin addition chain + addq 0(%rsi), %rdx + movq %rdx, 0(%rdi) + adcxq 8(%rsi), %r8 + movq %r8, 8(%rdi) + adcxq 16(%rsi), %r9 + movq %r9, 16(%rdi) + adcxq 24(%rsi), %r10 + movq %r10, 24(%rdi) + + ;# Return the carry bit in a register + adcx %r11, %rax + pop %rsi + pop %rdi + ret + +.global fadd_e +fadd_e: + push %rdi + push %rsi + mov %rcx, %rdi + mov %rdx, %rsi + mov %r8, %rdx + ;# Compute the raw addition of f1 + f2 + movq 0(%rdx), %r8 + addq 0(%rsi), %r8 + movq 8(%rdx), %r9 + adcxq 8(%rsi), %r9 + movq 16(%rdx), %r10 + adcxq 16(%rsi), %r10 + movq 24(%rdx), %r11 + adcxq 24(%rsi), %r11 + ;# Wrap the result back into the field + ;# Step 1: Compute carry*38 + mov $0, %rax + mov $38, %rdx + cmovc %rdx, %rax + + ;# Step 2: Add carry*38 to the original sum + xor %ecx, %ecx + add %rax, %r8 + adcx %rcx, %r9 + movq %r9, 8(%rdi) + adcx %rcx, %r10 + movq %r10, 16(%rdi) + adcx %rcx, %r11 + movq %r11, 24(%rdi) + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov $0, %rax + cmovc %rdx, %rax + add %rax, %r8 + movq %r8, 0(%rdi) + pop %rsi + pop %rdi + ret + +.global fsub_e +fsub_e: + push %rdi + push %rsi + mov %rcx, %rdi + mov %rdx, %rsi + mov %r8, %rdx + ;# Compute the raw substraction of f1-f2 + movq 0(%rsi), %r8 + subq 0(%rdx), %r8 + movq 8(%rsi), %r9 + sbbq 8(%rdx), %r9 + movq 16(%rsi), %r10 + sbbq 16(%rdx), %r10 + movq 24(%rsi), %r11 + sbbq 24(%rdx), %r11 + ;# Wrap the result back into the field + ;# Step 1: Compute carry*38 + mov $0, %rax + mov $38, %rcx + cmovc %rcx, %rax + + ;# Step 2: Substract carry*38 from the original difference + sub %rax, %r8 + sbb $0, %r9 + sbb $0, %r10 + sbb $0, %r11 + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at 
this point + mov $0, %rax + cmovc %rcx, %rax + sub %rax, %r8 + + ;# Store the result + movq %r8, 0(%rdi) + movq %r9, 8(%rdi) + movq %r10, 16(%rdi) + movq %r11, 24(%rdi) + pop %rsi + pop %rdi + ret + +.global fmul_scalar_e +fmul_scalar_e: + push %rdi + push %r13 + push %rbx + push %rsi + mov %rcx, %rdi + mov %rdx, %rsi + mov %r8, %rdx + ;# Compute the raw multiplication of f1*f2 + mulxq 0(%rsi), %r8, %rcx + ;# f1[0]*f2 + mulxq 8(%rsi), %r9, %rbx + ;# f1[1]*f2 + add %rcx, %r9 + mov $0, %rcx + mulxq 16(%rsi), %r10, %r13 + ;# f1[2]*f2 + adcx %rbx, %r10 + mulxq 24(%rsi), %r11, %rax + ;# f1[3]*f2 + adcx %r13, %r11 + adcx %rcx, %rax + ;# Wrap the result back into the field + ;# Step 1: Compute carry*38 + mov $38, %rdx + imul %rdx, %rax + + ;# Step 2: Fold the carry back into dst + add %rax, %r8 + adcx %rcx, %r9 + movq %r9, 8(%rdi) + adcx %rcx, %r10 + movq %r10, 16(%rdi) + adcx %rcx, %r11 + movq %r11, 24(%rdi) + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov $0, %rax + cmovc %rdx, %rax + add %rax, %r8 + movq %r8, 0(%rdi) + pop %rsi + pop %rbx + pop %r13 + pop %rdi + ret + +.global fmul_e +fmul_e: + push %r13 + push %r14 + push %r15 + push %rbx + push %rsi + push %rdi + mov %rcx, %rdi + mov %rdx, %rsi + mov %r8, %r15 + mov %r9, %rcx + ;# Compute the raw multiplication: tmp <- src1 * src2 + ;# Compute src1[0] * src2 + movq 0(%rsi), %rdx + mulxq 0(%rcx), %r8, %r9 + xor %r10d, %r10d + movq %r8, 0(%rdi) + + mulxq 8(%rcx), %r10, %r11 + adox %r9, %r10 + movq %r10, 8(%rdi) + + mulxq 16(%rcx), %rbx, %r13 + adox %r11, %rbx + mulxq 24(%rcx), %r14, %rdx + adox %r13, %r14 + mov $0, %rax + adox %rdx, %rax + + + ;# Compute src1[1] * src2 + movq 8(%rsi), %rdx + mulxq 0(%rcx), %r8, %r9 + xor %r10d, %r10d + adcxq 8(%rdi), %r8 + movq %r8, 8(%rdi) + mulxq 8(%rcx), %r10, %r11 + adox %r9, %r10 + adcx %rbx, %r10 + movq %r10, 16(%rdi) + mulxq 16(%rcx), %rbx, %r13 + adox %r11, %rbx + adcx %r14, %rbx + mov $0, %r8 + mulxq 24(%rcx), %r14, %rdx + adox %r13, %r14 
+ adcx %rax, %r14 + mov $0, %rax + adox %rdx, %rax + adcx %r8, %rax + + + ;# Compute src1[2] * src2 + movq 16(%rsi), %rdx + mulxq 0(%rcx), %r8, %r9 + xor %r10d, %r10d + adcxq 16(%rdi), %r8 + movq %r8, 16(%rdi) + mulxq 8(%rcx), %r10, %r11 + adox %r9, %r10 + adcx %rbx, %r10 + movq %r10, 24(%rdi) + mulxq 16(%rcx), %rbx, %r13 + adox %r11, %rbx + adcx %r14, %rbx + mov $0, %r8 + mulxq 24(%rcx), %r14, %rdx + adox %r13, %r14 + adcx %rax, %r14 + mov $0, %rax + adox %rdx, %rax + adcx %r8, %rax + + + ;# Compute src1[3] * src2 + movq 24(%rsi), %rdx + mulxq 0(%rcx), %r8, %r9 + xor %r10d, %r10d + adcxq 24(%rdi), %r8 + movq %r8, 24(%rdi) + mulxq 8(%rcx), %r10, %r11 + adox %r9, %r10 + adcx %rbx, %r10 + movq %r10, 32(%rdi) + mulxq 16(%rcx), %rbx, %r13 + adox %r11, %rbx + adcx %r14, %rbx + movq %rbx, 40(%rdi) + mov $0, %r8 + mulxq 24(%rcx), %r14, %rdx + adox %r13, %r14 + adcx %rax, %r14 + movq %r14, 48(%rdi) + mov $0, %rax + adox %rdx, %rax + adcx %r8, %rax + movq %rax, 56(%rdi) + + + ;# Line up pointers + mov %rdi, %rsi + mov %r15, %rdi + ;# Wrap the result back into the field + ;# Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + mov $38, %rdx + mulxq 32(%rsi), %r8, %r13 + xor %ecx, %ecx + adoxq 0(%rsi), %r8 + mulxq 40(%rsi), %r9, %rbx + adcx %r13, %r9 + adoxq 8(%rsi), %r9 + mulxq 48(%rsi), %r10, %r13 + adcx %rbx, %r10 + adoxq 16(%rsi), %r10 + mulxq 56(%rsi), %r11, %rax + adcx %r13, %r11 + adoxq 24(%rsi), %r11 + adcx %rcx, %rax + adox %rcx, %rax + imul %rdx, %rax + + ;# Step 2: Fold the carry back into dst + add %rax, %r8 + adcx %rcx, %r9 + movq %r9, 8(%rdi) + adcx %rcx, %r10 + movq %r10, 16(%rdi) + adcx %rcx, %r11 + movq %r11, 24(%rdi) + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov $0, %rax + cmovc %rdx, %rax + add %rax, %r8 + movq %r8, 0(%rdi) + pop %rdi + pop %rsi + pop %rbx + pop %r15 + pop %r14 + pop %r13 + ret + +.global fmul2_e +fmul2_e: + push %r13 + push %r14 + push %r15 + push %rbx + push %rsi + push %rdi + mov %rcx, %rdi + mov 
%rdx, %rsi + mov %r8, %r15 + mov %r9, %rcx + ;# Compute the raw multiplication tmp[0] <- f1[0] * f2[0] + ;# Compute src1[0] * src2 + movq 0(%rsi), %rdx + mulxq 0(%rcx), %r8, %r9 + xor %r10d, %r10d + movq %r8, 0(%rdi) + + mulxq 8(%rcx), %r10, %r11 + adox %r9, %r10 + movq %r10, 8(%rdi) + + mulxq 16(%rcx), %rbx, %r13 + adox %r11, %rbx + mulxq 24(%rcx), %r14, %rdx + adox %r13, %r14 + mov $0, %rax + adox %rdx, %rax + + + ;# Compute src1[1] * src2 + movq 8(%rsi), %rdx + mulxq 0(%rcx), %r8, %r9 + xor %r10d, %r10d + adcxq 8(%rdi), %r8 + movq %r8, 8(%rdi) + mulxq 8(%rcx), %r10, %r11 + adox %r9, %r10 + adcx %rbx, %r10 + movq %r10, 16(%rdi) + mulxq 16(%rcx), %rbx, %r13 + adox %r11, %rbx + adcx %r14, %rbx + mov $0, %r8 + mulxq 24(%rcx), %r14, %rdx + adox %r13, %r14 + adcx %rax, %r14 + mov $0, %rax + adox %rdx, %rax + adcx %r8, %rax + + + ;# Compute src1[2] * src2 + movq 16(%rsi), %rdx + mulxq 0(%rcx), %r8, %r9 + xor %r10d, %r10d + adcxq 16(%rdi), %r8 + movq %r8, 16(%rdi) + mulxq 8(%rcx), %r10, %r11 + adox %r9, %r10 + adcx %rbx, %r10 + movq %r10, 24(%rdi) + mulxq 16(%rcx), %rbx, %r13 + adox %r11, %rbx + adcx %r14, %rbx + mov $0, %r8 + mulxq 24(%rcx), %r14, %rdx + adox %r13, %r14 + adcx %rax, %r14 + mov $0, %rax + adox %rdx, %rax + adcx %r8, %rax + + + ;# Compute src1[3] * src2 + movq 24(%rsi), %rdx + mulxq 0(%rcx), %r8, %r9 + xor %r10d, %r10d + adcxq 24(%rdi), %r8 + movq %r8, 24(%rdi) + mulxq 8(%rcx), %r10, %r11 + adox %r9, %r10 + adcx %rbx, %r10 + movq %r10, 32(%rdi) + mulxq 16(%rcx), %rbx, %r13 + adox %r11, %rbx + adcx %r14, %rbx + movq %rbx, 40(%rdi) + mov $0, %r8 + mulxq 24(%rcx), %r14, %rdx + adox %r13, %r14 + adcx %rax, %r14 + movq %r14, 48(%rdi) + mov $0, %rax + adox %rdx, %rax + adcx %r8, %rax + movq %rax, 56(%rdi) + + ;# Compute the raw multiplication tmp[1] <- f1[1] * f2[1] + ;# Compute src1[0] * src2 + movq 32(%rsi), %rdx + mulxq 32(%rcx), %r8, %r9 + xor %r10d, %r10d + movq %r8, 64(%rdi) + + mulxq 40(%rcx), %r10, %r11 + adox %r9, %r10 + movq %r10, 72(%rdi) + + mulxq 
48(%rcx), %rbx, %r13 + adox %r11, %rbx + mulxq 56(%rcx), %r14, %rdx + adox %r13, %r14 + mov $0, %rax + adox %rdx, %rax + + + ;# Compute src1[1] * src2 + movq 40(%rsi), %rdx + mulxq 32(%rcx), %r8, %r9 + xor %r10d, %r10d + adcxq 72(%rdi), %r8 + movq %r8, 72(%rdi) + mulxq 40(%rcx), %r10, %r11 + adox %r9, %r10 + adcx %rbx, %r10 + movq %r10, 80(%rdi) + mulxq 48(%rcx), %rbx, %r13 + adox %r11, %rbx + adcx %r14, %rbx + mov $0, %r8 + mulxq 56(%rcx), %r14, %rdx + adox %r13, %r14 + adcx %rax, %r14 + mov $0, %rax + adox %rdx, %rax + adcx %r8, %rax + + + ;# Compute src1[2] * src2 + movq 48(%rsi), %rdx + mulxq 32(%rcx), %r8, %r9 + xor %r10d, %r10d + adcxq 80(%rdi), %r8 + movq %r8, 80(%rdi) + mulxq 40(%rcx), %r10, %r11 + adox %r9, %r10 + adcx %rbx, %r10 + movq %r10, 88(%rdi) + mulxq 48(%rcx), %rbx, %r13 + adox %r11, %rbx + adcx %r14, %rbx + mov $0, %r8 + mulxq 56(%rcx), %r14, %rdx + adox %r13, %r14 + adcx %rax, %r14 + mov $0, %rax + adox %rdx, %rax + adcx %r8, %rax + + + ;# Compute src1[3] * src2 + movq 56(%rsi), %rdx + mulxq 32(%rcx), %r8, %r9 + xor %r10d, %r10d + adcxq 88(%rdi), %r8 + movq %r8, 88(%rdi) + mulxq 40(%rcx), %r10, %r11 + adox %r9, %r10 + adcx %rbx, %r10 + movq %r10, 96(%rdi) + mulxq 48(%rcx), %rbx, %r13 + adox %r11, %rbx + adcx %r14, %rbx + movq %rbx, 104(%rdi) + mov $0, %r8 + mulxq 56(%rcx), %r14, %rdx + adox %r13, %r14 + adcx %rax, %r14 + movq %r14, 112(%rdi) + mov $0, %rax + adox %rdx, %rax + adcx %r8, %rax + movq %rax, 120(%rdi) + + + ;# Line up pointers + mov %rdi, %rsi + mov %r15, %rdi + ;# Wrap the results back into the field + ;# Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + mov $38, %rdx + mulxq 32(%rsi), %r8, %r13 + xor %ecx, %ecx + adoxq 0(%rsi), %r8 + mulxq 40(%rsi), %r9, %rbx + adcx %r13, %r9 + adoxq 8(%rsi), %r9 + mulxq 48(%rsi), %r10, %r13 + adcx %rbx, %r10 + adoxq 16(%rsi), %r10 + mulxq 56(%rsi), %r11, %rax + adcx %r13, %r11 + adoxq 24(%rsi), %r11 + adcx %rcx, %rax + adox %rcx, %rax + imul %rdx, %rax + + ;# Step 2: Fold the carry back into 
dst + add %rax, %r8 + adcx %rcx, %r9 + movq %r9, 8(%rdi) + adcx %rcx, %r10 + movq %r10, 16(%rdi) + adcx %rcx, %r11 + movq %r11, 24(%rdi) + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov $0, %rax + cmovc %rdx, %rax + add %rax, %r8 + movq %r8, 0(%rdi) + + ;# Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + mov $38, %rdx + mulxq 96(%rsi), %r8, %r13 + xor %ecx, %ecx + adoxq 64(%rsi), %r8 + mulxq 104(%rsi), %r9, %rbx + adcx %r13, %r9 + adoxq 72(%rsi), %r9 + mulxq 112(%rsi), %r10, %r13 + adcx %rbx, %r10 + adoxq 80(%rsi), %r10 + mulxq 120(%rsi), %r11, %rax + adcx %r13, %r11 + adoxq 88(%rsi), %r11 + adcx %rcx, %rax + adox %rcx, %rax + imul %rdx, %rax + + ;# Step 2: Fold the carry back into dst + add %rax, %r8 + adcx %rcx, %r9 + movq %r9, 40(%rdi) + adcx %rcx, %r10 + movq %r10, 48(%rdi) + adcx %rcx, %r11 + movq %r11, 56(%rdi) + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov $0, %rax + cmovc %rdx, %rax + add %rax, %r8 + movq %r8, 32(%rdi) + pop %rdi + pop %rsi + pop %rbx + pop %r15 + pop %r14 + pop %r13 + ret + +.global fsqr_e +fsqr_e: + push %r15 + push %r13 + push %r14 + push %r12 + push %rbx + push %rsi + push %rdi + mov %rcx, %rdi + mov %rdx, %rsi + mov %r8, %r12 + ;# Compute the raw multiplication: tmp <- f * f + ;# Step 1: Compute all partial products + movq 0(%rsi), %rdx + ;# f[0] + mulxq 8(%rsi), %r8, %r14 + xor %r15d, %r15d + ;# f[1]*f[0] + mulxq 16(%rsi), %r9, %r10 + adcx %r14, %r9 + ;# f[2]*f[0] + mulxq 24(%rsi), %rax, %rcx + adcx %rax, %r10 + ;# f[3]*f[0] + movq 24(%rsi), %rdx + ;# f[3] + mulxq 8(%rsi), %r11, %rbx + adcx %rcx, %r11 + ;# f[1]*f[3] + mulxq 16(%rsi), %rax, %r13 + adcx %rax, %rbx + ;# f[2]*f[3] + movq 8(%rsi), %rdx + adcx %r15, %r13 + ;# f1 + mulxq 16(%rsi), %rax, %rcx + mov $0, %r14 + ;# f[2]*f[1] + + ;# Step 2: Compute two parallel carry chains + xor %r15d, %r15d + adox %rax, %r10 + adcx %r8, %r8 + adox %rcx, %r11 + adcx %r9, %r9 + adox %r15, %rbx + adcx %r10, %r10 + 
adox %r15, %r13 + adcx %r11, %r11 + adox %r15, %r14 + adcx %rbx, %rbx + adcx %r13, %r13 + adcx %r14, %r14 + + ;# Step 3: Compute intermediate squares + movq 0(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[0]^2 + movq %rax, 0(%rdi) + + add %rcx, %r8 + movq %r8, 8(%rdi) + + movq 8(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[1]^2 + adcx %rax, %r9 + movq %r9, 16(%rdi) + + adcx %rcx, %r10 + movq %r10, 24(%rdi) + + movq 16(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[2]^2 + adcx %rax, %r11 + movq %r11, 32(%rdi) + + adcx %rcx, %rbx + movq %rbx, 40(%rdi) + + movq 24(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[3]^2 + adcx %rax, %r13 + movq %r13, 48(%rdi) + + adcx %rcx, %r14 + movq %r14, 56(%rdi) + + + ;# Line up pointers + mov %rdi, %rsi + mov %r12, %rdi + ;# Wrap the result back into the field + ;# Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + mov $38, %rdx + mulxq 32(%rsi), %r8, %r13 + xor %ecx, %ecx + adoxq 0(%rsi), %r8 + mulxq 40(%rsi), %r9, %rbx + adcx %r13, %r9 + adoxq 8(%rsi), %r9 + mulxq 48(%rsi), %r10, %r13 + adcx %rbx, %r10 + adoxq 16(%rsi), %r10 + mulxq 56(%rsi), %r11, %rax + adcx %r13, %r11 + adoxq 24(%rsi), %r11 + adcx %rcx, %rax + adox %rcx, %rax + imul %rdx, %rax + + ;# Step 2: Fold the carry back into dst + add %rax, %r8 + adcx %rcx, %r9 + movq %r9, 8(%rdi) + adcx %rcx, %r10 + movq %r10, 16(%rdi) + adcx %rcx, %r11 + movq %r11, 24(%rdi) + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov $0, %rax + cmovc %rdx, %rax + add %rax, %r8 + movq %r8, 0(%rdi) + pop %rdi + pop %rsi + pop %rbx + pop %r12 + pop %r14 + pop %r13 + pop %r15 + ret + +.global fsqr2_e +fsqr2_e: + push %r15 + push %r13 + push %r14 + push %r12 + push %rbx + push %rsi + push %rdi + mov %rcx, %rdi + mov %rdx, %rsi + mov %r8, %r12 + ;# Step 1: Compute all partial products + movq 0(%rsi), %rdx + ;# f[0] + mulxq 8(%rsi), %r8, %r14 + xor %r15d, %r15d + ;# f[1]*f[0] + mulxq 16(%rsi), %r9, %r10 + adcx %r14, %r9 + ;# f[2]*f[0] + mulxq 24(%rsi), %rax, %rcx + adcx %rax, 
%r10 + ;# f[3]*f[0] + movq 24(%rsi), %rdx + ;# f[3] + mulxq 8(%rsi), %r11, %rbx + adcx %rcx, %r11 + ;# f[1]*f[3] + mulxq 16(%rsi), %rax, %r13 + adcx %rax, %rbx + ;# f[2]*f[3] + movq 8(%rsi), %rdx + adcx %r15, %r13 + ;# f1 + mulxq 16(%rsi), %rax, %rcx + mov $0, %r14 + ;# f[2]*f[1] + + ;# Step 2: Compute two parallel carry chains + xor %r15d, %r15d + adox %rax, %r10 + adcx %r8, %r8 + adox %rcx, %r11 + adcx %r9, %r9 + adox %r15, %rbx + adcx %r10, %r10 + adox %r15, %r13 + adcx %r11, %r11 + adox %r15, %r14 + adcx %rbx, %rbx + adcx %r13, %r13 + adcx %r14, %r14 + + ;# Step 3: Compute intermediate squares + movq 0(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[0]^2 + movq %rax, 0(%rdi) + + add %rcx, %r8 + movq %r8, 8(%rdi) + + movq 8(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[1]^2 + adcx %rax, %r9 + movq %r9, 16(%rdi) + + adcx %rcx, %r10 + movq %r10, 24(%rdi) + + movq 16(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[2]^2 + adcx %rax, %r11 + movq %r11, 32(%rdi) + + adcx %rcx, %rbx + movq %rbx, 40(%rdi) + + movq 24(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[3]^2 + adcx %rax, %r13 + movq %r13, 48(%rdi) + + adcx %rcx, %r14 + movq %r14, 56(%rdi) + + + ;# Step 1: Compute all partial products + movq 32(%rsi), %rdx + ;# f[0] + mulxq 40(%rsi), %r8, %r14 + xor %r15d, %r15d + ;# f[1]*f[0] + mulxq 48(%rsi), %r9, %r10 + adcx %r14, %r9 + ;# f[2]*f[0] + mulxq 56(%rsi), %rax, %rcx + adcx %rax, %r10 + ;# f[3]*f[0] + movq 56(%rsi), %rdx + ;# f[3] + mulxq 40(%rsi), %r11, %rbx + adcx %rcx, %r11 + ;# f[1]*f[3] + mulxq 48(%rsi), %rax, %r13 + adcx %rax, %rbx + ;# f[2]*f[3] + movq 40(%rsi), %rdx + adcx %r15, %r13 + ;# f1 + mulxq 48(%rsi), %rax, %rcx + mov $0, %r14 + ;# f[2]*f[1] + + ;# Step 2: Compute two parallel carry chains + xor %r15d, %r15d + adox %rax, %r10 + adcx %r8, %r8 + adox %rcx, %r11 + adcx %r9, %r9 + adox %r15, %rbx + adcx %r10, %r10 + adox %r15, %r13 + adcx %r11, %r11 + adox %r15, %r14 + adcx %rbx, %rbx + adcx %r13, %r13 + adcx %r14, %r14 + + ;# Step 3: Compute intermediate squares + movq 
32(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[0]^2 + movq %rax, 64(%rdi) + + add %rcx, %r8 + movq %r8, 72(%rdi) + + movq 40(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[1]^2 + adcx %rax, %r9 + movq %r9, 80(%rdi) + + adcx %rcx, %r10 + movq %r10, 88(%rdi) + + movq 48(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[2]^2 + adcx %rax, %r11 + movq %r11, 96(%rdi) + + adcx %rcx, %rbx + movq %rbx, 104(%rdi) + + movq 56(%rsi), %rdx + mulx %rdx, %rax, %rcx + ;# f[3]^2 + adcx %rax, %r13 + movq %r13, 112(%rdi) + + adcx %rcx, %r14 + movq %r14, 120(%rdi) + + + ;# Line up pointers + mov %rdi, %rsi + mov %r12, %rdi + + ;# Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + mov $38, %rdx + mulxq 32(%rsi), %r8, %r13 + xor %ecx, %ecx + adoxq 0(%rsi), %r8 + mulxq 40(%rsi), %r9, %rbx + adcx %r13, %r9 + adoxq 8(%rsi), %r9 + mulxq 48(%rsi), %r10, %r13 + adcx %rbx, %r10 + adoxq 16(%rsi), %r10 + mulxq 56(%rsi), %r11, %rax + adcx %r13, %r11 + adoxq 24(%rsi), %r11 + adcx %rcx, %rax + adox %rcx, %rax + imul %rdx, %rax + + ;# Step 2: Fold the carry back into dst + add %rax, %r8 + adcx %rcx, %r9 + movq %r9, 8(%rdi) + adcx %rcx, %r10 + movq %r10, 16(%rdi) + adcx %rcx, %r11 + movq %r11, 24(%rdi) + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov $0, %rax + cmovc %rdx, %rax + add %rax, %r8 + movq %r8, 0(%rdi) + + ;# Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + mov $38, %rdx + mulxq 96(%rsi), %r8, %r13 + xor %ecx, %ecx + adoxq 64(%rsi), %r8 + mulxq 104(%rsi), %r9, %rbx + adcx %r13, %r9 + adoxq 72(%rsi), %r9 + mulxq 112(%rsi), %r10, %r13 + adcx %rbx, %r10 + adoxq 80(%rsi), %r10 + mulxq 120(%rsi), %r11, %rax + adcx %r13, %r11 + adoxq 88(%rsi), %r11 + adcx %rcx, %rax + adox %rcx, %rax + imul %rdx, %rax + + ;# Step 2: Fold the carry back into dst + add %rax, %r8 + adcx %rcx, %r9 + movq %r9, 40(%rdi) + adcx %rcx, %r10 + movq %r10, 48(%rdi) + adcx %rcx, %r11 + movq %r11, 56(%rdi) + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov 
$0, %rax + cmovc %rdx, %rax + add %rax, %r8 + movq %r8, 32(%rdi) + pop %rdi + pop %rsi + pop %rbx + pop %r12 + pop %r14 + pop %r13 + pop %r15 + ret + +.global cswap2_e +cswap2_e: + push %rdi + push %rsi + mov %rcx, %rdi + mov %rdx, %rsi + mov %r8, %rdx + ;# Transfer bit into CF flag + add $18446744073709551615, %rdi + + ;# cswap p1[0], p2[0] + movq 0(%rsi), %r8 + movq 0(%rdx), %r9 + mov %r8, %r10 + cmovc %r9, %r8 + cmovc %r10, %r9 + movq %r8, 0(%rsi) + movq %r9, 0(%rdx) + + ;# cswap p1[1], p2[1] + movq 8(%rsi), %r8 + movq 8(%rdx), %r9 + mov %r8, %r10 + cmovc %r9, %r8 + cmovc %r10, %r9 + movq %r8, 8(%rsi) + movq %r9, 8(%rdx) + + ;# cswap p1[2], p2[2] + movq 16(%rsi), %r8 + movq 16(%rdx), %r9 + mov %r8, %r10 + cmovc %r9, %r8 + cmovc %r10, %r9 + movq %r8, 16(%rsi) + movq %r9, 16(%rdx) + + ;# cswap p1[3], p2[3] + movq 24(%rsi), %r8 + movq 24(%rdx), %r9 + mov %r8, %r10 + cmovc %r9, %r8 + cmovc %r10, %r9 + movq %r8, 24(%rsi) + movq %r9, 24(%rdx) + + ;# cswap p1[4], p2[4] + movq 32(%rsi), %r8 + movq 32(%rdx), %r9 + mov %r8, %r10 + cmovc %r9, %r8 + cmovc %r10, %r9 + movq %r8, 32(%rsi) + movq %r9, 32(%rdx) + + ;# cswap p1[5], p2[5] + movq 40(%rsi), %r8 + movq 40(%rdx), %r9 + mov %r8, %r10 + cmovc %r9, %r8 + cmovc %r10, %r9 + movq %r8, 40(%rsi) + movq %r9, 40(%rdx) + + ;# cswap p1[6], p2[6] + movq 48(%rsi), %r8 + movq 48(%rdx), %r9 + mov %r8, %r10 + cmovc %r9, %r8 + cmovc %r10, %r9 + movq %r8, 48(%rsi) + movq %r9, 48(%rdx) + + ;# cswap p1[7], p2[7] + movq 56(%rsi), %r8 + movq 56(%rdx), %r9 + mov %r8, %r10 + cmovc %r9, %r8 + cmovc %r10, %r9 + movq %r8, 56(%rsi) + movq %r9, 56(%rdx) + pop %rsi + pop %rdi + ret + + diff --git a/vale/src/curve25519-x86_64-msvc.asm b/vale/src/curve25519-x86_64-msvc.asm new file mode 100644 index 00000000..202da85a --- /dev/null +++ b/vale/src/curve25519-x86_64-msvc.asm 
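Review bot: Nothing in this file records that every routine depends on BMI2 (`mulx`) and ADX (`adcx`/`adox`), so a caller on a CPU lacking those extensions faults with `#UD` rather than falling back; a header such as `;# Requires BMI2 (mulx) and ADX (adcx/adox): callers must gate on CPUID before dispatching here.` followed by `;# Windows x64 convention: args in rcx/rdx/r8/r9; rdi/rsi and whichever of rbx, r12-r15 a routine uses are pushed/popped.` would make that contract explicit. The Windows-specific prologues (`push %rdi`, `push %rsi`, `mov %rcx, %rdi`, `mov %rdx, %rsi`, `mov %r8, %rdx`) are what distinguish this file from the SysV variant and currently carry no comment at all. In cswap2_e, `add $18446744073709551615, %rdi` raises CF for any nonzero `bit`, not only for 1, which the comment should state: `;# Transfer bit into CF flag (any nonzero bit selects the swap)`. If this file is emitted by a generator, these comments belong in the generator's template rather than being hand-edited here.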
@@ -0,0 +1,1041 @@ +.code +ALIGN 16 +add_scalar_e proc + push rdi + push rsi + mov rdi, rcx + mov rsi, rdx + mov rdx, r8 + ;# Clear registers to propagate the carry bit + xor r8d, r8d + xor r9d, r9d + xor r10d, r10d + xor r11d, r11d + xor eax, eax + + ;# Begin addition chain + add rdx, qword ptr [rsi + 0] + mov qword ptr [rdi + 0], rdx + adcx r8, qword ptr [rsi + 8] + mov qword ptr [rdi + 8], r8 + adcx r9, qword ptr [rsi + 16] + mov qword ptr [rdi + 16], r9 + adcx r10, qword ptr [rsi + 24] + mov qword ptr [rdi + 24], r10 + + ;# Return the carry bit in a register + adcx rax, r11 + pop rsi + pop rdi + ret +add_scalar_e endp +ALIGN 16 +fadd_e proc + push rdi + push rsi + mov rdi, rcx + mov rsi, rdx + mov rdx, r8 + ;# Compute the raw addition of f1 + f2 + mov r8, qword ptr [rdx + 0] + add r8, qword ptr [rsi + 0] + mov r9, qword ptr [rdx + 8] + adcx r9, qword ptr [rsi + 8] + mov r10, qword ptr [rdx + 16] + adcx r10, qword ptr [rsi + 16] + mov r11, qword ptr [rdx + 24] + adcx r11, qword ptr [rsi + 24] + ;# Wrap the result back into the field + ;# Step 1: Compute carry*38 + mov rax, 0 + mov rdx, 38 + cmovc rax, rdx + + ;# Step 2: Add carry*38 to the original sum + xor ecx, ecx + add r8, rax + adcx r9, rcx + mov qword ptr [rdi + 8], r9 + adcx r10, rcx + mov qword ptr [rdi + 16], r10 + adcx r11, rcx + mov qword ptr [rdi + 24], r11 + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov rax, 0 + cmovc rax, rdx + add r8, rax + mov qword ptr [rdi + 0], r8 + pop rsi + pop rdi + ret +fadd_e endp +ALIGN 16 +fsub_e proc + push rdi + push rsi + mov rdi, rcx + mov rsi, rdx + mov rdx, r8 + ;# Compute the raw substraction of f1-f2 + mov r8, qword ptr [rsi + 0] + sub r8, qword ptr [rdx + 0] + mov r9, qword ptr [rsi + 8] + sbb r9, qword ptr [rdx + 8] + mov r10, qword ptr [rsi + 16] + sbb r10, qword ptr [rdx + 16] + mov r11, qword ptr [rsi + 24] + sbb r11, qword ptr [rdx + 24] + ;# Wrap the result back into the field + ;# Step 1: Compute carry*38 + mov rax, 
0 + mov rcx, 38 + cmovc rax, rcx + + ;# Step 2: Substract carry*38 from the original difference + sub r8, rax + sbb r9, 0 + sbb r10, 0 + sbb r11, 0 + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov rax, 0 + cmovc rax, rcx + sub r8, rax + + ;# Store the result + mov qword ptr [rdi + 0], r8 + mov qword ptr [rdi + 8], r9 + mov qword ptr [rdi + 16], r10 + mov qword ptr [rdi + 24], r11 + pop rsi + pop rdi + ret +fsub_e endp +ALIGN 16 +fmul_scalar_e proc + push rdi + push r13 + push rbx + push rsi + mov rdi, rcx + mov rsi, rdx + mov rdx, r8 + ;# Compute the raw multiplication of f1*f2 + mulx rcx, r8, qword ptr [rsi + 0] + ;# f1[0]*f2 + mulx rbx, r9, qword ptr [rsi + 8] + ;# f1[1]*f2 + add r9, rcx + mov rcx, 0 + mulx r13, r10, qword ptr [rsi + 16] + ;# f1[2]*f2 + adcx r10, rbx + mulx rax, r11, qword ptr [rsi + 24] + ;# f1[3]*f2 + adcx r11, r13 + adcx rax, rcx + ;# Wrap the result back into the field + ;# Step 1: Compute carry*38 + mov rdx, 38 + imul rax, rdx + + ;# Step 2: Fold the carry back into dst + add r8, rax + adcx r9, rcx + mov qword ptr [rdi + 8], r9 + adcx r10, rcx + mov qword ptr [rdi + 16], r10 + adcx r11, rcx + mov qword ptr [rdi + 24], r11 + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov rax, 0 + cmovc rax, rdx + add r8, rax + mov qword ptr [rdi + 0], r8 + pop rsi + pop rbx + pop r13 + pop rdi + ret +fmul_scalar_e endp +ALIGN 16 +fmul_e proc + push r13 + push r14 + push r15 + push rbx + push rsi + push rdi + mov rdi, rcx + mov rsi, rdx + mov r15, r8 + mov rcx, r9 + ;# Compute the raw multiplication: tmp <- src1 * src2 + ;# Compute src1[0] * src2 + mov rdx, qword ptr [rsi + 0] + mulx r9, r8, qword ptr [rcx + 0] + xor r10d, r10d + mov qword ptr [rdi + 0], r8 + + mulx r11, r10, qword ptr [rcx + 8] + adox r10, r9 + mov qword ptr [rdi + 8], r10 + + mulx r13, rbx, qword ptr [rcx + 16] + adox rbx, r11 + mulx rdx, r14, qword ptr [rcx + 24] + adox r14, r13 + mov rax, 0 + adox rax, rdx + + + ;# 
Compute src1[1] * src2 + mov rdx, qword ptr [rsi + 8] + mulx r9, r8, qword ptr [rcx + 0] + xor r10d, r10d + adcx r8, qword ptr [rdi + 8] + mov qword ptr [rdi + 8], r8 + mulx r11, r10, qword ptr [rcx + 8] + adox r10, r9 + adcx r10, rbx + mov qword ptr [rdi + 16], r10 + mulx r13, rbx, qword ptr [rcx + 16] + adox rbx, r11 + adcx rbx, r14 + mov r8, 0 + mulx rdx, r14, qword ptr [rcx + 24] + adox r14, r13 + adcx r14, rax + mov rax, 0 + adox rax, rdx + adcx rax, r8 + + + ;# Compute src1[2] * src2 + mov rdx, qword ptr [rsi + 16] + mulx r9, r8, qword ptr [rcx + 0] + xor r10d, r10d + adcx r8, qword ptr [rdi + 16] + mov qword ptr [rdi + 16], r8 + mulx r11, r10, qword ptr [rcx + 8] + adox r10, r9 + adcx r10, rbx + mov qword ptr [rdi + 24], r10 + mulx r13, rbx, qword ptr [rcx + 16] + adox rbx, r11 + adcx rbx, r14 + mov r8, 0 + mulx rdx, r14, qword ptr [rcx + 24] + adox r14, r13 + adcx r14, rax + mov rax, 0 + adox rax, rdx + adcx rax, r8 + + + ;# Compute src1[3] * src2 + mov rdx, qword ptr [rsi + 24] + mulx r9, r8, qword ptr [rcx + 0] + xor r10d, r10d + adcx r8, qword ptr [rdi + 24] + mov qword ptr [rdi + 24], r8 + mulx r11, r10, qword ptr [rcx + 8] + adox r10, r9 + adcx r10, rbx + mov qword ptr [rdi + 32], r10 + mulx r13, rbx, qword ptr [rcx + 16] + adox rbx, r11 + adcx rbx, r14 + mov qword ptr [rdi + 40], rbx + mov r8, 0 + mulx rdx, r14, qword ptr [rcx + 24] + adox r14, r13 + adcx r14, rax + mov qword ptr [rdi + 48], r14 + mov rax, 0 + adox rax, rdx + adcx rax, r8 + mov qword ptr [rdi + 56], rax + + + ;# Line up pointers + mov rsi, rdi + mov rdi, r15 + ;# Wrap the result back into the field + ;# Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + mov rdx, 38 + mulx r13, r8, qword ptr [rsi + 32] + xor ecx, ecx + adox r8, qword ptr [rsi + 0] + mulx rbx, r9, qword ptr [rsi + 40] + adcx r9, r13 + adox r9, qword ptr [rsi + 8] + mulx r13, r10, qword ptr [rsi + 48] + adcx r10, rbx + adox r10, qword ptr [rsi + 16] + mulx rax, r11, qword ptr [rsi + 56] + adcx r11, r13 + adox r11, 
qword ptr [rsi + 24] + adcx rax, rcx + adox rax, rcx + imul rax, rdx + + ;# Step 2: Fold the carry back into dst + add r8, rax + adcx r9, rcx + mov qword ptr [rdi + 8], r9 + adcx r10, rcx + mov qword ptr [rdi + 16], r10 + adcx r11, rcx + mov qword ptr [rdi + 24], r11 + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov rax, 0 + cmovc rax, rdx + add r8, rax + mov qword ptr [rdi + 0], r8 + pop rdi + pop rsi + pop rbx + pop r15 + pop r14 + pop r13 + ret +fmul_e endp +ALIGN 16 +fmul2_e proc + push r13 + push r14 + push r15 + push rbx + push rsi + push rdi + mov rdi, rcx + mov rsi, rdx + mov r15, r8 + mov rcx, r9 + ;# Compute the raw multiplication tmp[0] <- f1[0] * f2[0] + ;# Compute src1[0] * src2 + mov rdx, qword ptr [rsi + 0] + mulx r9, r8, qword ptr [rcx + 0] + xor r10d, r10d + mov qword ptr [rdi + 0], r8 + + mulx r11, r10, qword ptr [rcx + 8] + adox r10, r9 + mov qword ptr [rdi + 8], r10 + + mulx r13, rbx, qword ptr [rcx + 16] + adox rbx, r11 + mulx rdx, r14, qword ptr [rcx + 24] + adox r14, r13 + mov rax, 0 + adox rax, rdx + + + ;# Compute src1[1] * src2 + mov rdx, qword ptr [rsi + 8] + mulx r9, r8, qword ptr [rcx + 0] + xor r10d, r10d + adcx r8, qword ptr [rdi + 8] + mov qword ptr [rdi + 8], r8 + mulx r11, r10, qword ptr [rcx + 8] + adox r10, r9 + adcx r10, rbx + mov qword ptr [rdi + 16], r10 + mulx r13, rbx, qword ptr [rcx + 16] + adox rbx, r11 + adcx rbx, r14 + mov r8, 0 + mulx rdx, r14, qword ptr [rcx + 24] + adox r14, r13 + adcx r14, rax + mov rax, 0 + adox rax, rdx + adcx rax, r8 + + + ;# Compute src1[2] * src2 + mov rdx, qword ptr [rsi + 16] + mulx r9, r8, qword ptr [rcx + 0] + xor r10d, r10d + adcx r8, qword ptr [rdi + 16] + mov qword ptr [rdi + 16], r8 + mulx r11, r10, qword ptr [rcx + 8] + adox r10, r9 + adcx r10, rbx + mov qword ptr [rdi + 24], r10 + mulx r13, rbx, qword ptr [rcx + 16] + adox rbx, r11 + adcx rbx, r14 + mov r8, 0 + mulx rdx, r14, qword ptr [rcx + 24] + adox r14, r13 + adcx r14, rax + mov rax, 0 + adox 
rax, rdx + adcx rax, r8 + + + ;# Compute src1[3] * src2 + mov rdx, qword ptr [rsi + 24] + mulx r9, r8, qword ptr [rcx + 0] + xor r10d, r10d + adcx r8, qword ptr [rdi + 24] + mov qword ptr [rdi + 24], r8 + mulx r11, r10, qword ptr [rcx + 8] + adox r10, r9 + adcx r10, rbx + mov qword ptr [rdi + 32], r10 + mulx r13, rbx, qword ptr [rcx + 16] + adox rbx, r11 + adcx rbx, r14 + mov qword ptr [rdi + 40], rbx + mov r8, 0 + mulx rdx, r14, qword ptr [rcx + 24] + adox r14, r13 + adcx r14, rax + mov qword ptr [rdi + 48], r14 + mov rax, 0 + adox rax, rdx + adcx rax, r8 + mov qword ptr [rdi + 56], rax + + ;# Compute the raw multiplication tmp[1] <- f1[1] * f2[1] + ;# Compute src1[0] * src2 + mov rdx, qword ptr [rsi + 32] + mulx r9, r8, qword ptr [rcx + 32] + xor r10d, r10d + mov qword ptr [rdi + 64], r8 + + mulx r11, r10, qword ptr [rcx + 40] + adox r10, r9 + mov qword ptr [rdi + 72], r10 + + mulx r13, rbx, qword ptr [rcx + 48] + adox rbx, r11 + mulx rdx, r14, qword ptr [rcx + 56] + adox r14, r13 + mov rax, 0 + adox rax, rdx + + + ;# Compute src1[1] * src2 + mov rdx, qword ptr [rsi + 40] + mulx r9, r8, qword ptr [rcx + 32] + xor r10d, r10d + adcx r8, qword ptr [rdi + 72] + mov qword ptr [rdi + 72], r8 + mulx r11, r10, qword ptr [rcx + 40] + adox r10, r9 + adcx r10, rbx + mov qword ptr [rdi + 80], r10 + mulx r13, rbx, qword ptr [rcx + 48] + adox rbx, r11 + adcx rbx, r14 + mov r8, 0 + mulx rdx, r14, qword ptr [rcx + 56] + adox r14, r13 + adcx r14, rax + mov rax, 0 + adox rax, rdx + adcx rax, r8 + + + ;# Compute src1[2] * src2 + mov rdx, qword ptr [rsi + 48] + mulx r9, r8, qword ptr [rcx + 32] + xor r10d, r10d + adcx r8, qword ptr [rdi + 80] + mov qword ptr [rdi + 80], r8 + mulx r11, r10, qword ptr [rcx + 40] + adox r10, r9 + adcx r10, rbx + mov qword ptr [rdi + 88], r10 + mulx r13, rbx, qword ptr [rcx + 48] + adox rbx, r11 + adcx rbx, r14 + mov r8, 0 + mulx rdx, r14, qword ptr [rcx + 56] + adox r14, r13 + adcx r14, rax + mov rax, 0 + adox rax, rdx + adcx rax, r8 + + + ;# Compute 
src1[3] * src2 + mov rdx, qword ptr [rsi + 56] + mulx r9, r8, qword ptr [rcx + 32] + xor r10d, r10d + adcx r8, qword ptr [rdi + 88] + mov qword ptr [rdi + 88], r8 + mulx r11, r10, qword ptr [rcx + 40] + adox r10, r9 + adcx r10, rbx + mov qword ptr [rdi + 96], r10 + mulx r13, rbx, qword ptr [rcx + 48] + adox rbx, r11 + adcx rbx, r14 + mov qword ptr [rdi + 104], rbx + mov r8, 0 + mulx rdx, r14, qword ptr [rcx + 56] + adox r14, r13 + adcx r14, rax + mov qword ptr [rdi + 112], r14 + mov rax, 0 + adox rax, rdx + adcx rax, r8 + mov qword ptr [rdi + 120], rax + + + ;# Line up pointers + mov rsi, rdi + mov rdi, r15 + ;# Wrap the results back into the field + ;# Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + mov rdx, 38 + mulx r13, r8, qword ptr [rsi + 32] + xor ecx, ecx + adox r8, qword ptr [rsi + 0] + mulx rbx, r9, qword ptr [rsi + 40] + adcx r9, r13 + adox r9, qword ptr [rsi + 8] + mulx r13, r10, qword ptr [rsi + 48] + adcx r10, rbx + adox r10, qword ptr [rsi + 16] + mulx rax, r11, qword ptr [rsi + 56] + adcx r11, r13 + adox r11, qword ptr [rsi + 24] + adcx rax, rcx + adox rax, rcx + imul rax, rdx + + ;# Step 2: Fold the carry back into dst + add r8, rax + adcx r9, rcx + mov qword ptr [rdi + 8], r9 + adcx r10, rcx + mov qword ptr [rdi + 16], r10 + adcx r11, rcx + mov qword ptr [rdi + 24], r11 + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov rax, 0 + cmovc rax, rdx + add r8, rax + mov qword ptr [rdi + 0], r8 + + ;# Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + mov rdx, 38 + mulx r13, r8, qword ptr [rsi + 96] + xor ecx, ecx + adox r8, qword ptr [rsi + 64] + mulx rbx, r9, qword ptr [rsi + 104] + adcx r9, r13 + adox r9, qword ptr [rsi + 72] + mulx r13, r10, qword ptr [rsi + 112] + adcx r10, rbx + adox r10, qword ptr [rsi + 80] + mulx rax, r11, qword ptr [rsi + 120] + adcx r11, r13 + adox r11, qword ptr [rsi + 88] + adcx rax, rcx + adox rax, rcx + imul rax, rdx + + ;# Step 2: Fold the carry back into dst + add r8, rax + 
adcx r9, rcx + mov qword ptr [rdi + 40], r9 + adcx r10, rcx + mov qword ptr [rdi + 48], r10 + adcx r11, rcx + mov qword ptr [rdi + 56], r11 + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov rax, 0 + cmovc rax, rdx + add r8, rax + mov qword ptr [rdi + 32], r8 + pop rdi + pop rsi + pop rbx + pop r15 + pop r14 + pop r13 + ret +fmul2_e endp +ALIGN 16 +fsqr_e proc + push r15 + push r13 + push r14 + push r12 + push rbx + push rsi + push rdi + mov rdi, rcx + mov rsi, rdx + mov r12, r8 + ;# Compute the raw multiplication: tmp <- f * f + ;# Step 1: Compute all partial products + mov rdx, qword ptr [rsi + 0] + ;# f[0] + mulx r14, r8, qword ptr [rsi + 8] + xor r15d, r15d + ;# f[1]*f[0] + mulx r10, r9, qword ptr [rsi + 16] + adcx r9, r14 + ;# f[2]*f[0] + mulx rcx, rax, qword ptr [rsi + 24] + adcx r10, rax + ;# f[3]*f[0] + mov rdx, qword ptr [rsi + 24] + ;# f[3] + mulx rbx, r11, qword ptr [rsi + 8] + adcx r11, rcx + ;# f[1]*f[3] + mulx r13, rax, qword ptr [rsi + 16] + adcx rbx, rax + ;# f[2]*f[3] + mov rdx, qword ptr [rsi + 8] + adcx r13, r15 + ;# f1 + mulx rcx, rax, qword ptr [rsi + 16] + mov r14, 0 + ;# f[2]*f[1] + + ;# Step 2: Compute two parallel carry chains + xor r15d, r15d + adox r10, rax + adcx r8, r8 + adox r11, rcx + adcx r9, r9 + adox rbx, r15 + adcx r10, r10 + adox r13, r15 + adcx r11, r11 + adox r14, r15 + adcx rbx, rbx + adcx r13, r13 + adcx r14, r14 + + ;# Step 3: Compute intermediate squares + mov rdx, qword ptr [rsi + 0] + mulx rcx, rax, rdx + ;# f[0]^2 + mov qword ptr [rdi + 0], rax + + add r8, rcx + mov qword ptr [rdi + 8], r8 + + mov rdx, qword ptr [rsi + 8] + mulx rcx, rax, rdx + ;# f[1]^2 + adcx r9, rax + mov qword ptr [rdi + 16], r9 + + adcx r10, rcx + mov qword ptr [rdi + 24], r10 + + mov rdx, qword ptr [rsi + 16] + mulx rcx, rax, rdx + ;# f[2]^2 + adcx r11, rax + mov qword ptr [rdi + 32], r11 + + adcx rbx, rcx + mov qword ptr [rdi + 40], rbx + + mov rdx, qword ptr [rsi + 24] + mulx rcx, rax, rdx + ;# f[3]^2 + adcx 
r13, rax + mov qword ptr [rdi + 48], r13 + + adcx r14, rcx + mov qword ptr [rdi + 56], r14 + + + ;# Line up pointers + mov rsi, rdi + mov rdi, r12 + ;# Wrap the result back into the field + ;# Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + mov rdx, 38 + mulx r13, r8, qword ptr [rsi + 32] + xor ecx, ecx + adox r8, qword ptr [rsi + 0] + mulx rbx, r9, qword ptr [rsi + 40] + adcx r9, r13 + adox r9, qword ptr [rsi + 8] + mulx r13, r10, qword ptr [rsi + 48] + adcx r10, rbx + adox r10, qword ptr [rsi + 16] + mulx rax, r11, qword ptr [rsi + 56] + adcx r11, r13 + adox r11, qword ptr [rsi + 24] + adcx rax, rcx + adox rax, rcx + imul rax, rdx + + ;# Step 2: Fold the carry back into dst + add r8, rax + adcx r9, rcx + mov qword ptr [rdi + 8], r9 + adcx r10, rcx + mov qword ptr [rdi + 16], r10 + adcx r11, rcx + mov qword ptr [rdi + 24], r11 + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov rax, 0 + cmovc rax, rdx + add r8, rax + mov qword ptr [rdi + 0], r8 + pop rdi + pop rsi + pop rbx + pop r12 + pop r14 + pop r13 + pop r15 + ret +fsqr_e endp +ALIGN 16 +fsqr2_e proc + push r15 + push r13 + push r14 + push r12 + push rbx + push rsi + push rdi + mov rdi, rcx + mov rsi, rdx + mov r12, r8 + ;# Step 1: Compute all partial products + mov rdx, qword ptr [rsi + 0] + ;# f[0] + mulx r14, r8, qword ptr [rsi + 8] + xor r15d, r15d + ;# f[1]*f[0] + mulx r10, r9, qword ptr [rsi + 16] + adcx r9, r14 + ;# f[2]*f[0] + mulx rcx, rax, qword ptr [rsi + 24] + adcx r10, rax + ;# f[3]*f[0] + mov rdx, qword ptr [rsi + 24] + ;# f[3] + mulx rbx, r11, qword ptr [rsi + 8] + adcx r11, rcx + ;# f[1]*f[3] + mulx r13, rax, qword ptr [rsi + 16] + adcx rbx, rax + ;# f[2]*f[3] + mov rdx, qword ptr [rsi + 8] + adcx r13, r15 + ;# f1 + mulx rcx, rax, qword ptr [rsi + 16] + mov r14, 0 + ;# f[2]*f[1] + + ;# Step 2: Compute two parallel carry chains + xor r15d, r15d + adox r10, rax + adcx r8, r8 + adox r11, rcx + adcx r9, r9 + adox rbx, r15 + adcx r10, r10 + adox r13, r15 + 
adcx r11, r11 + adox r14, r15 + adcx rbx, rbx + adcx r13, r13 + adcx r14, r14 + + ;# Step 3: Compute intermediate squares + mov rdx, qword ptr [rsi + 0] + mulx rcx, rax, rdx + ;# f[0]^2 + mov qword ptr [rdi + 0], rax + + add r8, rcx + mov qword ptr [rdi + 8], r8 + + mov rdx, qword ptr [rsi + 8] + mulx rcx, rax, rdx + ;# f[1]^2 + adcx r9, rax + mov qword ptr [rdi + 16], r9 + + adcx r10, rcx + mov qword ptr [rdi + 24], r10 + + mov rdx, qword ptr [rsi + 16] + mulx rcx, rax, rdx + ;# f[2]^2 + adcx r11, rax + mov qword ptr [rdi + 32], r11 + + adcx rbx, rcx + mov qword ptr [rdi + 40], rbx + + mov rdx, qword ptr [rsi + 24] + mulx rcx, rax, rdx + ;# f[3]^2 + adcx r13, rax + mov qword ptr [rdi + 48], r13 + + adcx r14, rcx + mov qword ptr [rdi + 56], r14 + + + ;# Step 1: Compute all partial products + mov rdx, qword ptr [rsi + 32] + ;# f[0] + mulx r14, r8, qword ptr [rsi + 40] + xor r15d, r15d + ;# f[1]*f[0] + mulx r10, r9, qword ptr [rsi + 48] + adcx r9, r14 + ;# f[2]*f[0] + mulx rcx, rax, qword ptr [rsi + 56] + adcx r10, rax + ;# f[3]*f[0] + mov rdx, qword ptr [rsi + 56] + ;# f[3] + mulx rbx, r11, qword ptr [rsi + 40] + adcx r11, rcx + ;# f[1]*f[3] + mulx r13, rax, qword ptr [rsi + 48] + adcx rbx, rax + ;# f[2]*f[3] + mov rdx, qword ptr [rsi + 40] + adcx r13, r15 + ;# f1 + mulx rcx, rax, qword ptr [rsi + 48] + mov r14, 0 + ;# f[2]*f[1] + + ;# Step 2: Compute two parallel carry chains + xor r15d, r15d + adox r10, rax + adcx r8, r8 + adox r11, rcx + adcx r9, r9 + adox rbx, r15 + adcx r10, r10 + adox r13, r15 + adcx r11, r11 + adox r14, r15 + adcx rbx, rbx + adcx r13, r13 + adcx r14, r14 + + ;# Step 3: Compute intermediate squares + mov rdx, qword ptr [rsi + 32] + mulx rcx, rax, rdx + ;# f[0]^2 + mov qword ptr [rdi + 64], rax + + add r8, rcx + mov qword ptr [rdi + 72], r8 + + mov rdx, qword ptr [rsi + 40] + mulx rcx, rax, rdx + ;# f[1]^2 + adcx r9, rax + mov qword ptr [rdi + 80], r9 + + adcx r10, rcx + mov qword ptr [rdi + 88], r10 + + mov rdx, qword ptr [rsi + 48] + mulx 
rcx, rax, rdx + ;# f[2]^2 + adcx r11, rax + mov qword ptr [rdi + 96], r11 + + adcx rbx, rcx + mov qword ptr [rdi + 104], rbx + + mov rdx, qword ptr [rsi + 56] + mulx rcx, rax, rdx + ;# f[3]^2 + adcx r13, rax + mov qword ptr [rdi + 112], r13 + + adcx r14, rcx + mov qword ptr [rdi + 120], r14 + + + ;# Line up pointers + mov rsi, rdi + mov rdi, r12 + + ;# Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + mov rdx, 38 + mulx r13, r8, qword ptr [rsi + 32] + xor ecx, ecx + adox r8, qword ptr [rsi + 0] + mulx rbx, r9, qword ptr [rsi + 40] + adcx r9, r13 + adox r9, qword ptr [rsi + 8] + mulx r13, r10, qword ptr [rsi + 48] + adcx r10, rbx + adox r10, qword ptr [rsi + 16] + mulx rax, r11, qword ptr [rsi + 56] + adcx r11, r13 + adox r11, qword ptr [rsi + 24] + adcx rax, rcx + adox rax, rcx + imul rax, rdx + + ;# Step 2: Fold the carry back into dst + add r8, rax + adcx r9, rcx + mov qword ptr [rdi + 8], r9 + adcx r10, rcx + mov qword ptr [rdi + 16], r10 + adcx r11, rcx + mov qword ptr [rdi + 24], r11 + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov rax, 0 + cmovc rax, rdx + add r8, rax + mov qword ptr [rdi + 0], r8 + + ;# Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo + mov rdx, 38 + mulx r13, r8, qword ptr [rsi + 96] + xor ecx, ecx + adox r8, qword ptr [rsi + 64] + mulx rbx, r9, qword ptr [rsi + 104] + adcx r9, r13 + adox r9, qword ptr [rsi + 72] + mulx r13, r10, qword ptr [rsi + 112] + adcx r10, rbx + adox r10, qword ptr [rsi + 80] + mulx rax, r11, qword ptr [rsi + 120] + adcx r11, r13 + adox r11, qword ptr [rsi + 88] + adcx rax, rcx + adox rax, rcx + imul rax, rdx + + ;# Step 2: Fold the carry back into dst + add r8, rax + adcx r9, rcx + mov qword ptr [rdi + 40], r9 + adcx r10, rcx + mov qword ptr [rdi + 48], r10 + adcx r11, rcx + mov qword ptr [rdi + 56], r11 + + ;# Step 3: Fold the carry bit back in; guaranteed not to carry at this point + mov rax, 0 + cmovc rax, rdx + add r8, rax + mov qword ptr [rdi + 32], r8 + pop rdi + 
pop rsi + pop rbx + pop r12 + pop r14 + pop r13 + pop r15 + ret +fsqr2_e endp +ALIGN 16 +cswap2_e proc + push rdi + push rsi + mov rdi, rcx + mov rsi, rdx + mov rdx, r8 + ;# Transfer bit into CF flag + add rdi, 18446744073709551615 + + ;# cswap p1[0], p2[0] + mov r8, qword ptr [rsi + 0] + mov r9, qword ptr [rdx + 0] + mov r10, r8 + cmovc r8, r9 + cmovc r9, r10 + mov qword ptr [rsi + 0], r8 + mov qword ptr [rdx + 0], r9 + + ;# cswap p1[1], p2[1] + mov r8, qword ptr [rsi + 8] + mov r9, qword ptr [rdx + 8] + mov r10, r8 + cmovc r8, r9 + cmovc r9, r10 + mov qword ptr [rsi + 8], r8 + mov qword ptr [rdx + 8], r9 + + ;# cswap p1[2], p2[2] + mov r8, qword ptr [rsi + 16] + mov r9, qword ptr [rdx + 16] + mov r10, r8 + cmovc r8, r9 + cmovc r9, r10 + mov qword ptr [rsi + 16], r8 + mov qword ptr [rdx + 16], r9 + + ;# cswap p1[3], p2[3] + mov r8, qword ptr [rsi + 24] + mov r9, qword ptr [rdx + 24] + mov r10, r8 + cmovc r8, r9 + cmovc r9, r10 + mov qword ptr [rsi + 24], r8 + mov qword ptr [rdx + 24], r9 + + ;# cswap p1[4], p2[4] + mov r8, qword ptr [rsi + 32] + mov r9, qword ptr [rdx + 32] + mov r10, r8 + cmovc r8, r9 + cmovc r9, r10 + mov qword ptr [rsi + 32], r8 + mov qword ptr [rdx + 32], r9 + + ;# cswap p1[5], p2[5] + mov r8, qword ptr [rsi + 40] + mov r9, qword ptr [rdx + 40] + mov r10, r8 + cmovc r8, r9 + cmovc r9, r10 + mov qword ptr [rsi + 40], r8 + mov qword ptr [rdx + 40], r9 + + ;# cswap p1[6], p2[6] + mov r8, qword ptr [rsi + 48] + mov r9, qword ptr [rdx + 48] + mov r10, r8 + cmovc r8, r9 + cmovc r9, r10 + mov qword ptr [rsi + 48], r8 + mov qword ptr [rdx + 48], r9 + + ;# cswap p1[7], p2[7] + mov r8, qword ptr [rsi + 56] + mov r9, qword ptr [rdx + 56] + mov r10, r8 + cmovc r8, r9 + cmovc r9, r10 + mov qword ptr [rsi + 56], r8 + mov qword ptr [rdx + 56], r9 + pop rsi + pop rdi + ret +cswap2_e endp +end diff --git a/vale/src/evercrypt_vale_stubs.c b/vale/src/evercrypt_vale_stubs.c new file mode 100644 index 00000000..a2c237f5 --- /dev/null 
+++ b/vale/src/evercrypt_vale_stubs.c 
@@ -0,0 +1,66 @@
+#include
+#include "kremlin/internal/target.h"
+
+#if defined(_MSC_VER) /* Visual Studio - always use __stdcall */
+ #define STDCALL __stdcall
+#elif defined(WIN32) /* GCC/MinGW targeting Windows 32-bit - use the __stdcall macro */
+ #define STDCALL __attribute__((stdcall))
+#else /* Targeting other platforms - use the ambient calling convention */
+ #define STDCALL
+#endif
+
+/* Real names from aes.asm */
+extern void STDCALL KeyExpansionStdcall(const void *key_ptr, void *expanded_key_ptr, void *placeholder);
+extern void STDCALL AES128EncryptOneBlockStdcall(void *output_ptr, const void *input_ptr, const void *expanded_key_ptr, void *placeholder);
+
+/* From EverCrypt.Vale.fsti */
+void aes128_key_expansion_sbox(uint8_t *k, uint8_t *w, uint8_t *sb)
+{
+ KeyExpansionStdcall(k, w, sb);
+}
+
+/* From EverCrypt.Vale.fsti */
+void aes128_encrypt_one_block(uint8_t *out, uint8_t *in, uint8_t *w, uint8_t *sb)
+{
+ AES128EncryptOneBlockStdcall(out, in, w, sb);
+}
+
+#if !defined(_M_X64) && !defined(__x86_64__)
+/* On non-x64 builds, define no-op stubs for Vale assembly code to avoid */
+/* unresolved symbols while we wait for 32-bit Vale implementations. */
+void __stdcall old_aes128_key_expansion(uint8_t *key_ptr, uint8_t *expanded_key_ptr)
+{
+ KRML_HOST_EPRINTF("Vale aes128_key_expansion() isn't implemented in this platform. Do not call.\n");
+ KRML_HOST_EXIT(255);
+}
+
+void __stdcall old_gcm128_encrypt(void *x0)
+{
+ KRML_HOST_EPRINTF("Vale gcm128_encrypt() isn't implemented in this platform. Do not call.\n");
+ KRML_HOST_EXIT(255);
+}
+
+void __stdcall old_gcm128_decrypt(void *x0)
+{
+ KRML_HOST_EPRINTF("Vale gcm128_decrypt() isn't implemented in this platform. Do not call.\n");
+ KRML_HOST_EXIT(255);
+}
+
+void __stdcall old_aes256_key_expansion(uint8_t *key_ptr, uint8_t *expanded_key_ptr)
+{
+ KRML_HOST_EPRINTF("Vale aes256_key_expansion() isn't implemented in this platform. Do not call.\n");
+ KRML_HOST_EXIT(255);
+}
+
+void __stdcall old_gcm256_encrypt(void *x0)
+{
+ KRML_HOST_EPRINTF("Vale gcm256_encrypt() isn't implemented in this platform. Do not call.\n");
+ KRML_HOST_EXIT(255);
+}
+
+void __stdcall old_gcm256_decrypt(void *x0)
+{
+ KRML_HOST_EPRINTF("Vale gcm256_decrypt() isn't implemented in this platform. Do not call.\n");
+ KRML_HOST_EXIT(255);
+}
+#endif
diff --git a/vale/src/poly1305-x86_64-darwin.S b/vale/src/poly1305-x86_64-darwin.S
new file mode 100644
index 00000000..1e9d2425
--- /dev/null
+++ b/vale/src/poly1305-x86_64-darwin.S
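Review bot: The six stubs under `#if !defined(_M_X64) && !defined(__x86_64__)` spell the calling convention as a bare `__stdcall`, bypassing the `STDCALL` macro this file defines at the top precisely so that targets other than MSVC and Win32 get the ambient convention; on a GCC/Clang build outside MinGW, `__stdcall` is not a recognised keyword, so the stubs would fail to compile on the very builds they exist for. Replace `void __stdcall old_aes128_key_expansion(` with `void STDCALL old_aes128_key_expansion(`, and likewise for the other five `old_*` stubs. Note also that the stubs define only the `old_*` names, while the two symbols this file references on every target are `KeyExpansionStdcall` and `AES128EncryptOneBlockStdcall`; unless those are provided elsewhere on non-x64 builds the link will presumably still fail, so the "avoid unresolved symbols" comment may promise more than the block delivers. Since every stub ends in `KRML_HOST_EXIT(255)`, a `noreturn` attribute and an explicit `(void)x0;` / `(void)key_ptr; (void)expanded_key_ptr;` in each body would document the intent and silence unused-parameter warnings without changing behaviour.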
@@ -0,0 +1,203 @@ +.text +.global _x64_poly1305 +_x64_poly1305: + mov %rdi, %rax + mov %rsi, %r11 + movq %rcx, 184(%rdi) + push %rbx + push %rbp + push %rax + push %r11 + push %r12 + push %r13 + push %r14 + push %r15 + movq 24(%rdi), %r11 + movq 32(%rdi), %r12 + mov $1152921487695413247, %rcx + and %rcx, %r11 + mov $1152921487695413244, %rcx + and %rcx, %r12 + movq %r11, 24(%rdi) + movq %r12, 32(%rdi) + mov %rdx, %rax + and $15, %rax + sub %rax, %rdx + movq %rax, 56(%rdi) + movq %rdx, 64(%rdi) + mov $1, %rcx + shr $4, %rdx + mov %rdx, %r15 + movq 24(%rdi), %r11 + movq 32(%rdi), %r13 + movq 0(%rdi), %r14 + movq 8(%rdi), %rbx + movq 16(%rdi), %rbp + mov %r13, %r12 + shr $2, %r13 + mov %r12, %rax + add %r12, %r13 + jmp L1 +.balign 16 +L0: + addq 0(%rsi), %r14 + adcq 8(%rsi), %rbx + lea 16(%rsi), %rsi + adc %rcx, %rbp + mul %r14 + mov %rax, %r9 + mov %r11, %rax + mov %rdx, %r10 + mul %r14 + mov %rax, %r14 + mov %r11, %rax + mov %rdx, %r8 + mul %rbx + add %rax, %r9 + mov %r13, %rax + adc %rdx, %r10 + mul %rbx + mov %rbp, %rbx + add %rax, %r14 + adc %rdx, %r8 + imul %r13, %rbx + add %rbx, %r9 + mov %r8, %rbx + adc $0, %r10 + imul %r11, %rbp + add %r9, %rbx + mov $18446744073709551612, %rax + adc %rbp, %r10 + and %r10, %rax + mov %r10, %rbp + shr $2, %r10 + and $3, %rbp + add %r10, %rax + add %rax, %r14 + adc $0, %rbx + adc $0, %rbp + mov %r12, %rax + sub $1, %r15 +.balign 16 +L1: + cmp $0, %r15 + jne L0 + movq %r14, 0(%rdi) + movq %rbx, 8(%rdi) + movq %rbp, 16(%rdi) + movq 184(%rdi), %rax + cmp $1, %rax + jne L2 + movq 56(%rdi), %r15 + cmp $0, %r15 + je L4 + movq 32(%rdi), %rax + movq 0(%rsi), %r8 + movq 8(%rsi), %r9 + cmp $8, %r15 + jae L6 + mov %r15, %rcx + shl $3, %rcx + mov $1, %rdx + shl %cl, %rdx + mov %rdx, %rcx + sub $1, %rcx + and %rcx, %r8 + mov $0, %r9 + add %r8, %r14 + adc %r9, %rbx + adc $0, %rbp + add %rdx, %r14 + adc $0, %rbx + adc $0, %rbp + jmp L7 +L6: + mov %r15, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %rdx + shl %cl, %rdx + mov %rdx, %rcx + sub 
$1, %rcx + and %rcx, %r9 + add %r8, %r14 + adc %r9, %rbx + adc $0, %rbp + add $0, %r14 + adc %rdx, %rbx + adc $0, %rbp +L7: + mul %r14 + mov %rax, %r9 + mov %r11, %rax + mov %rdx, %r10 + mul %r14 + mov %rax, %r14 + mov %r11, %rax + mov %rdx, %r8 + mul %rbx + add %rax, %r9 + mov %r13, %rax + adc %rdx, %r10 + mul %rbx + mov %rbp, %rbx + add %rax, %r14 + adc %rdx, %r8 + imul %r13, %rbx + add %rbx, %r9 + mov %r8, %rbx + adc $0, %r10 + imul %r11, %rbp + add %r9, %rbx + mov $18446744073709551612, %rax + adc %rbp, %r10 + and %r10, %rax + mov %r10, %rbp + shr $2, %r10 + and $3, %rbp + add %r10, %rax + add %rax, %r14 + adc $0, %rbx + adc $0, %rbp + jmp L5 +L4: +L5: + mov %r14, %r8 + mov %rbx, %r9 + mov %rbp, %r10 + add $5, %r8 + adc $0, %r9 + adc $0, %r10 + shr $2, %r10 + mov %r10, %rax + sub $1, %rax + and %rax, %r14 + and %rax, %rbx + mov $0, %rax + sub %r10, %rax + and %rax, %r8 + and %rax, %r9 + add %r8, %r14 + add %r9, %rbx + movq 40(%rdi), %rax + movq 48(%rdi), %rdx + add %rax, %r14 + adc %rdx, %rbx + jmp L3 +L2: +L3: + movq %r14, 0(%rdi) + movq %rbx, 8(%rdi) + movq %rbp, 16(%rdi) + pop %r15 + pop %r14 + pop %r13 + pop %r12 + pop %rsi + pop %rax + pop %rbp + pop %rbx + mov %rax, %rdi + ret + + diff --git a/vale/src/poly1305-x86_64-linux.S b/vale/src/poly1305-x86_64-linux.S new file mode 100644 index 00000000..715923c4 --- /dev/null +++ b/vale/src/poly1305-x86_64-linux.S 
@@ -0,0 +1,203 @@ +.text +.global x64_poly1305 +x64_poly1305: + mov %rdi, %rax + mov %rsi, %r11 + movq %rcx, 184(%rdi) + push %rbx + push %rbp + push %rax + push %r11 + push %r12 + push %r13 + push %r14 + push %r15 + movq 24(%rdi), %r11 + movq 32(%rdi), %r12 + mov $1152921487695413247, %rcx + and %rcx, %r11 + mov $1152921487695413244, %rcx + and %rcx, %r12 + movq %r11, 24(%rdi) + movq %r12, 32(%rdi) + mov %rdx, %rax + and $15, %rax + sub %rax, %rdx + movq %rax, 56(%rdi) + movq %rdx, 64(%rdi) + mov $1, %rcx + shr $4, %rdx + mov %rdx, %r15 + movq 24(%rdi), %r11 + movq 32(%rdi), %r13 + movq 0(%rdi), %r14 + movq 8(%rdi), %rbx + movq 16(%rdi), %rbp + mov %r13, %r12 + shr $2, %r13 + mov %r12, %rax + add %r12, %r13 + jmp L1 +.balign 16 +L0: + addq 0(%rsi), %r14 + adcq 8(%rsi), %rbx + lea 16(%rsi), %rsi + adc %rcx, %rbp + mul %r14 + mov %rax, %r9 + mov %r11, %rax + mov %rdx, %r10 + mul %r14 + mov %rax, %r14 + mov %r11, %rax + mov %rdx, %r8 + mul %rbx + add %rax, %r9 + mov %r13, %rax + adc %rdx, %r10 + mul %rbx + mov %rbp, %rbx + add %rax, %r14 + adc %rdx, %r8 + imul %r13, %rbx + add %rbx, %r9 + mov %r8, %rbx + adc $0, %r10 + imul %r11, %rbp + add %r9, %rbx + mov $18446744073709551612, %rax + adc %rbp, %r10 + and %r10, %rax + mov %r10, %rbp + shr $2, %r10 + and $3, %rbp + add %r10, %rax + add %rax, %r14 + adc $0, %rbx + adc $0, %rbp + mov %r12, %rax + sub $1, %r15 +.balign 16 +L1: + cmp $0, %r15 + jne L0 + movq %r14, 0(%rdi) + movq %rbx, 8(%rdi) + movq %rbp, 16(%rdi) + movq 184(%rdi), %rax + cmp $1, %rax + jne L2 + movq 56(%rdi), %r15 + cmp $0, %r15 + je L4 + movq 32(%rdi), %rax + movq 0(%rsi), %r8 + movq 8(%rsi), %r9 + cmp $8, %r15 + jae L6 + mov %r15, %rcx + shl $3, %rcx + mov $1, %rdx + shl %cl, %rdx + mov %rdx, %rcx + sub $1, %rcx + and %rcx, %r8 + mov $0, %r9 + add %r8, %r14 + adc %r9, %rbx + adc $0, %rbp + add %rdx, %r14 + adc $0, %rbx + adc $0, %rbp + jmp L7 +L6: + mov %r15, %rcx + sub $8, %rcx + shl $3, %rcx + mov $1, %rdx + shl %cl, %rdx + mov %rdx, %rcx + sub $1, 
%rcx + and %rcx, %r9 + add %r8, %r14 + adc %r9, %rbx + adc $0, %rbp + add $0, %r14 + adc %rdx, %rbx + adc $0, %rbp +L7: + mul %r14 + mov %rax, %r9 + mov %r11, %rax + mov %rdx, %r10 + mul %r14 + mov %rax, %r14 + mov %r11, %rax + mov %rdx, %r8 + mul %rbx + add %rax, %r9 + mov %r13, %rax + adc %rdx, %r10 + mul %rbx + mov %rbp, %rbx + add %rax, %r14 + adc %rdx, %r8 + imul %r13, %rbx + add %rbx, %r9 + mov %r8, %rbx + adc $0, %r10 + imul %r11, %rbp + add %r9, %rbx + mov $18446744073709551612, %rax + adc %rbp, %r10 + and %r10, %rax + mov %r10, %rbp + shr $2, %r10 + and $3, %rbp + add %r10, %rax + add %rax, %r14 + adc $0, %rbx + adc $0, %rbp + jmp L5 +L4: +L5: + mov %r14, %r8 + mov %rbx, %r9 + mov %rbp, %r10 + add $5, %r8 + adc $0, %r9 + adc $0, %r10 + shr $2, %r10 + mov %r10, %rax + sub $1, %rax + and %rax, %r14 + and %rax, %rbx + mov $0, %rax + sub %r10, %rax + and %rax, %r8 + and %rax, %r9 + add %r8, %r14 + add %r9, %rbx + movq 40(%rdi), %rax + movq 48(%rdi), %rdx + add %rax, %r14 + adc %rdx, %rbx + jmp L3 +L2: +L3: + movq %r14, 0(%rdi) + movq %rbx, 8(%rdi) + movq %rbp, 16(%rdi) + pop %r15 + pop %r14 + pop %r13 + pop %r12 + pop %rsi + pop %rax + pop %rbp + pop %rbx + mov %rax, %rdi + ret + + diff --git a/vale/src/poly1305-x86_64-mingw.S b/vale/src/poly1305-x86_64-mingw.S new file mode 100644 index 00000000..6a2b3348 --- /dev/null +++ b/vale/src/poly1305-x86_64-mingw.S 
@@ -0,0 +1,207 @@ +.text +.global x64_poly1305 +x64_poly1305: + mov %rdi, %rax + mov %rsi, %r11 + mov %rcx, %rdi + mov %rdx, %rsi + mov %r8, %rdx + mov %r9, %rcx + movq %rcx, 184(%rdi) + push %rbx + push %rbp + push %rax + push %r11 + push %r12 + push %r13 + push %r14 + push %r15 + movq 24(%rdi), %r11 + movq 32(%rdi), %r12 + mov $1152921487695413247, %rcx + and %rcx, %r11 + mov $1152921487695413244, %rcx + and %rcx, %r12 + movq %r11, 24(%rdi) + movq %r12, 32(%rdi) + mov %rdx, %rax + and $15, %rax + sub %rax, %rdx + movq %rax, 56(%rdi) + movq %rdx, 64(%rdi) + mov $1, %rcx + shr $4, %rdx + mov %rdx, %r15 + movq 24(%rdi), %r11 + movq 32(%rdi), %r13 + movq 0(%rdi), %r14 + movq 8(%rdi), %rbx + movq 16(%rdi), %rbp + mov %r13, %r12 + shr $2, %r13 + mov %r12, %rax + add %r12, %r13 + jmp L1 +.balign 16 +L0: + addq 0(%rsi), %r14 + adcq 8(%rsi), %rbx + lea 16(%rsi), %rsi + adc %rcx, %rbp + mul %r14 + mov %rax, %r9 + mov %r11, %rax + mov %rdx, %r10 + mul %r14 + mov %rax, %r14 + mov %r11, %rax + mov %rdx, %r8 + mul %rbx + add %rax, %r9 + mov %r13, %rax + adc %rdx, %r10 + mul %rbx + mov %rbp, %rbx + add %rax, %r14 + adc %rdx, %r8 + imul %r13, %rbx + add %rbx, %r9 + mov %r8, %rbx + adc $0, %r10 + imul %r11, %rbp + add %r9, %rbx + mov $18446744073709551612, %rax + adc %rbp, %r10 + and %r10, %rax + mov %r10, %rbp + shr $2, %r10 + and $3, %rbp + add %r10, %rax + add %rax, %r14 + adc $0, %rbx + adc $0, %rbp + mov %r12, %rax + sub $1, %r15 +.balign 16 +L1: + cmp $0, %r15 + jne L0 + movq %r14, 0(%rdi) + movq %rbx, 8(%rdi) + movq %rbp, 16(%rdi) + movq 184(%rdi), %rax + cmp $1, %rax + jne L2 + movq 56(%rdi), %r15 + cmp $0, %r15 + je L4 + movq 32(%rdi), %rax + movq 0(%rsi), %r8 + movq 8(%rsi), %r9 + cmp $8, %r15 + jae L6 + mov %r15, %rcx + shl $3, %rcx + mov $1, %rdx + shl %cl, %rdx + mov %rdx, %rcx + sub $1, %rcx + and %rcx, %r8 + mov $0, %r9 + add %r8, %r14 + adc %r9, %rbx + adc $0, %rbp + add %rdx, %r14 + adc $0, %rbx + adc $0, %rbp + jmp L7 +L6: + mov %r15, %rcx + sub $8, %rcx + shl 
$3, %rcx + mov $1, %rdx + shl %cl, %rdx + mov %rdx, %rcx + sub $1, %rcx + and %rcx, %r9 + add %r8, %r14 + adc %r9, %rbx + adc $0, %rbp + add $0, %r14 + adc %rdx, %rbx + adc $0, %rbp +L7: + mul %r14 + mov %rax, %r9 + mov %r11, %rax + mov %rdx, %r10 + mul %r14 + mov %rax, %r14 + mov %r11, %rax + mov %rdx, %r8 + mul %rbx + add %rax, %r9 + mov %r13, %rax + adc %rdx, %r10 + mul %rbx + mov %rbp, %rbx + add %rax, %r14 + adc %rdx, %r8 + imul %r13, %rbx + add %rbx, %r9 + mov %r8, %rbx + adc $0, %r10 + imul %r11, %rbp + add %r9, %rbx + mov $18446744073709551612, %rax + adc %rbp, %r10 + and %r10, %rax + mov %r10, %rbp + shr $2, %r10 + and $3, %rbp + add %r10, %rax + add %rax, %r14 + adc $0, %rbx + adc $0, %rbp + jmp L5 +L4: +L5: + mov %r14, %r8 + mov %rbx, %r9 + mov %rbp, %r10 + add $5, %r8 + adc $0, %r9 + adc $0, %r10 + shr $2, %r10 + mov %r10, %rax + sub $1, %rax + and %rax, %r14 + and %rax, %rbx + mov $0, %rax + sub %r10, %rax + and %rax, %r8 + and %rax, %r9 + add %r8, %r14 + add %r9, %rbx + movq 40(%rdi), %rax + movq 48(%rdi), %rdx + add %rax, %r14 + adc %rdx, %rbx + jmp L3 +L2: +L3: + movq %r14, 0(%rdi) + movq %rbx, 8(%rdi) + movq %rbp, 16(%rdi) + pop %r15 + pop %r14 + pop %r13 + pop %r12 + pop %rsi + pop %rax + pop %rbp + pop %rbx + mov %rax, %rdi + ret + + diff --git a/vale/src/poly1305-x86_64-msvc.asm b/vale/src/poly1305-x86_64-msvc.asm new file mode 100644 index 00000000..4eae4224 --- /dev/null +++ b/vale/src/poly1305-x86_64-msvc.asm 
@@ -0,0 +1,207 @@ +.code +ALIGN 16 +x64_poly1305 proc + mov rax, rdi + mov r11, rsi + mov rdi, rcx + mov rsi, rdx + mov rdx, r8 + mov rcx, r9 + mov qword ptr [rdi + 184], rcx + push rbx + push rbp + push rax + push r11 + push r12 + push r13 + push r14 + push r15 + mov r11, qword ptr [rdi + 24] + mov r12, qword ptr [rdi + 32] + mov rcx, 1152921487695413247 + and r11, rcx + mov rcx, 1152921487695413244 + and r12, rcx + mov qword ptr [rdi + 24], r11 + mov qword ptr [rdi + 32], r12 + mov rax, rdx + and rax, 15 + sub rdx, rax + mov qword ptr [rdi + 56], rax + mov qword ptr [rdi + 64], rdx + mov rcx, 1 + shr rdx, 4 + mov r15, rdx + mov r11, qword ptr [rdi + 24] + mov r13, qword ptr [rdi + 32] + mov r14, qword ptr [rdi + 0] + mov rbx, qword ptr [rdi + 8] + mov rbp, qword ptr [rdi + 16] + mov r12, r13 + shr r13, 2 + mov rax, r12 + add r13, r12 + jmp L1 +ALIGN 16 +L0: + add r14, qword ptr [rsi + 0] + adc rbx, qword ptr [rsi + 8] + lea rsi, qword ptr [rsi + 16] + adc rbp, rcx + mul r14 + mov r9, rax + mov rax, r11 + mov r10, rdx + mul r14 + mov r14, rax + mov rax, r11 + mov r8, rdx + mul rbx + add r9, rax + mov rax, r13 + adc r10, rdx + mul rbx + mov rbx, rbp + add r14, rax + adc r8, rdx + imul rbx, r13 + add r9, rbx + mov rbx, r8 + adc r10, 0 + imul rbp, r11 + add rbx, r9 + mov rax, 18446744073709551612 + adc r10, rbp + and rax, r10 + mov rbp, r10 + shr r10, 2 + and rbp, 3 + add rax, r10 + add r14, rax + adc rbx, 0 + adc rbp, 0 + mov rax, r12 + sub r15, 1 +ALIGN 16 +L1: + cmp r15, 0 + jne L0 + mov qword ptr [rdi + 0], r14 + mov qword ptr [rdi + 8], rbx + mov qword ptr [rdi + 16], rbp + mov rax, qword ptr [rdi + 184] + cmp rax, 1 + jne L2 + mov r15, qword ptr [rdi + 56] + cmp r15, 0 + je L4 + mov rax, qword ptr [rdi + 32] + mov r8, qword ptr [rsi + 0] + mov r9, qword ptr [rsi + 8] + cmp r15, 8 + jae L6 + mov rcx, r15 + shl rcx, 3 + mov rdx, 1 + shl rdx, cl + mov rcx, rdx + sub rcx, 1 + and r8, rcx + mov r9, 0 + add r14, r8 + adc rbx, r9 + adc rbp, 0 + add r14, rdx + adc rbx, 
0 + adc rbp, 0 + jmp L7 +L6: + mov rcx, r15 + sub rcx, 8 + shl rcx, 3 + mov rdx, 1 + shl rdx, cl + mov rcx, rdx + sub rcx, 1 + and r9, rcx + add r14, r8 + adc rbx, r9 + adc rbp, 0 + add r14, 0 + adc rbx, rdx + adc rbp, 0 +L7: + mul r14 + mov r9, rax + mov rax, r11 + mov r10, rdx + mul r14 + mov r14, rax + mov rax, r11 + mov r8, rdx + mul rbx + add r9, rax + mov rax, r13 + adc r10, rdx + mul rbx + mov rbx, rbp + add r14, rax + adc r8, rdx + imul rbx, r13 + add r9, rbx + mov rbx, r8 + adc r10, 0 + imul rbp, r11 + add rbx, r9 + mov rax, 18446744073709551612 + adc r10, rbp + and rax, r10 + mov rbp, r10 + shr r10, 2 + and rbp, 3 + add rax, r10 + add r14, rax + adc rbx, 0 + adc rbp, 0 + jmp L5 +L4: +L5: + mov r8, r14 + mov r9, rbx + mov r10, rbp + add r8, 5 + adc r9, 0 + adc r10, 0 + shr r10, 2 + mov rax, r10 + sub rax, 1 + and r14, rax + and rbx, rax + mov rax, 0 + sub rax, r10 + and r8, rax + and r9, rax + add r14, r8 + add rbx, r9 + mov rax, qword ptr [rdi + 40] + mov rdx, qword ptr [rdi + 48] + add r14, rax + adc rbx, rdx + jmp L3 +L2: +L3: + mov qword ptr [rdi + 0], r14 + mov qword ptr [rdi + 8], rbx + mov qword ptr [rdi + 16], rbp + pop r15 + pop r14 + pop r13 + pop r12 + pop rsi + pop rax + pop rbp + pop rbx + mov rdi, rax + ret +x64_poly1305 endp +end diff --git a/vale/src/sha256-x86_64-darwin.S b/vale/src/sha256-x86_64-darwin.S new file mode 100644 index 00000000..de8b8e99 --- /dev/null +++ b/vale/src/sha256-x86_64-darwin.S 
@@ -0,0 +1,257 @@ +.text +.global _sha256_update +_sha256_update: + push %r15 + push %r14 + push %r13 + push %r12 + push %rsi + push %rdi + push %rbp + push %rbx + movdqu 0(%rdi), %xmm1 + movdqu 16(%rdi), %xmm2 + mov $289644378169868803, %rax + pinsrq $0, %rax, %xmm7 + mov $868365760874482187, %rax + pinsrq $1, %rax, %xmm7 + pshufd $27, %xmm1, %xmm0 + pshufd $177, %xmm1, %xmm1 + pshufd $27, %xmm2, %xmm2 + movdqu %xmm7, %xmm8 + palignr $8, %xmm2, %xmm1 + shufpd $0, %xmm0, %xmm2 + jmp L1 +.balign 16 +L0: + movdqu 0(%rsi), %xmm3 + movdqu 16(%rsi), %xmm4 + movdqu 32(%rsi), %xmm5 + pshufb %xmm7, %xmm3 + movdqu 48(%rsi), %xmm6 + movdqu 0(%rcx), %xmm0 + paddd %xmm3, %xmm0 + pshufb %xmm7, %xmm4 + movdqu %xmm2, %xmm10 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm1, %xmm9 + sha256rnds2 %xmm2, %xmm1 + movdqu 16(%rcx), %xmm0 + paddd %xmm4, %xmm0 + pshufb %xmm7, %xmm5 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + add $64, %rsi + sha256msg1 %xmm4, %xmm3 + sha256rnds2 %xmm2, %xmm1 + movdqu 32(%rcx), %xmm0 + paddd %xmm5, %xmm0 + pshufb %xmm7, %xmm6 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm6, %xmm7 + palignr $4, %xmm5, %xmm7 + paddd %xmm7, %xmm3 + sha256msg1 %xmm5, %xmm4 + sha256rnds2 %xmm2, %xmm1 + movdqu 48(%rcx), %xmm0 + paddd %xmm6, %xmm0 + sha256msg2 %xmm6, %xmm3 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm3, %xmm7 + palignr $4, %xmm6, %xmm7 + paddd %xmm7, %xmm4 + sha256msg1 %xmm6, %xmm5 + sha256rnds2 %xmm2, %xmm1 + movdqu 64(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + paddd %xmm7, %xmm5 + sha256msg1 %xmm3, %xmm6 + sha256rnds2 %xmm2, %xmm1 + movdqu %xmm3, %xmm7 + movdqu %xmm6, %xmm0 + movdqu %xmm4, %xmm3 + movdqu %xmm5, %xmm4 + movdqu %xmm7, %xmm6 + movdqu %xmm0, %xmm5 + movdqu 80(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd 
$14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + paddd %xmm7, %xmm5 + sha256msg1 %xmm3, %xmm6 + sha256rnds2 %xmm2, %xmm1 + movdqu %xmm3, %xmm7 + movdqu %xmm6, %xmm0 + movdqu %xmm4, %xmm3 + movdqu %xmm5, %xmm4 + movdqu %xmm7, %xmm6 + movdqu %xmm0, %xmm5 + movdqu 96(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + paddd %xmm7, %xmm5 + sha256msg1 %xmm3, %xmm6 + sha256rnds2 %xmm2, %xmm1 + movdqu %xmm3, %xmm7 + movdqu %xmm6, %xmm0 + movdqu %xmm4, %xmm3 + movdqu %xmm5, %xmm4 + movdqu %xmm7, %xmm6 + movdqu %xmm0, %xmm5 + movdqu 112(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + paddd %xmm7, %xmm5 + sha256msg1 %xmm3, %xmm6 + sha256rnds2 %xmm2, %xmm1 + movdqu %xmm3, %xmm7 + movdqu %xmm6, %xmm0 + movdqu %xmm4, %xmm3 + movdqu %xmm5, %xmm4 + movdqu %xmm7, %xmm6 + movdqu %xmm0, %xmm5 + movdqu 128(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + paddd %xmm7, %xmm5 + sha256msg1 %xmm3, %xmm6 + sha256rnds2 %xmm2, %xmm1 + movdqu %xmm3, %xmm7 + movdqu %xmm6, %xmm0 + movdqu %xmm4, %xmm3 + movdqu %xmm5, %xmm4 + movdqu %xmm7, %xmm6 + movdqu %xmm0, %xmm5 + movdqu 144(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + paddd %xmm7, %xmm5 + sha256msg1 %xmm3, %xmm6 + sha256rnds2 %xmm2, %xmm1 + movdqu %xmm3, %xmm7 + movdqu %xmm6, %xmm0 + movdqu %xmm4, %xmm3 + movdqu %xmm5, %xmm4 + movdqu %xmm7, %xmm6 + movdqu %xmm0, %xmm5 + movdqu 160(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + paddd %xmm7, %xmm5 + 
sha256msg1 %xmm3, %xmm6 + sha256rnds2 %xmm2, %xmm1 + movdqu %xmm3, %xmm7 + movdqu %xmm6, %xmm0 + movdqu %xmm4, %xmm3 + movdqu %xmm5, %xmm4 + movdqu %xmm7, %xmm6 + movdqu %xmm0, %xmm5 + movdqu 176(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + paddd %xmm7, %xmm5 + sha256msg1 %xmm3, %xmm6 + sha256rnds2 %xmm2, %xmm1 + movdqu %xmm3, %xmm7 + movdqu %xmm6, %xmm0 + movdqu %xmm4, %xmm3 + movdqu %xmm5, %xmm4 + movdqu %xmm7, %xmm6 + movdqu %xmm0, %xmm5 + movdqu 192(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + paddd %xmm7, %xmm5 + sha256msg1 %xmm3, %xmm6 + sha256rnds2 %xmm2, %xmm1 + movdqu %xmm3, %xmm7 + movdqu %xmm6, %xmm0 + movdqu %xmm4, %xmm3 + movdqu %xmm5, %xmm4 + movdqu %xmm7, %xmm6 + movdqu %xmm0, %xmm5 + movdqu 208(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + sha256rnds2 %xmm2, %xmm1 + paddd %xmm7, %xmm5 + movdqu 224(%rcx), %xmm0 + paddd %xmm4, %xmm0 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + sha256msg2 %xmm4, %xmm5 + movdqu %xmm8, %xmm7 + sha256rnds2 %xmm2, %xmm1 + movdqu 240(%rcx), %xmm0 + paddd %xmm5, %xmm0 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + sub $1, %rdx + sha256rnds2 %xmm2, %xmm1 + paddd %xmm10, %xmm2 + paddd %xmm9, %xmm1 +.balign 16 +L1: + cmp $0, %rdx + ja L0 + pshufd $177, %xmm2, %xmm2 + pshufd $27, %xmm1, %xmm7 + pshufd $177, %xmm1, %xmm1 + shufpd $3, %xmm2, %xmm1 + palignr $8, %xmm7, %xmm2 + movdqu %xmm1, 0(%rdi) + movdqu %xmm2, 16(%rdi) + pop %rbx + pop %rbp + pop %rdi + pop %rsi + pop %r12 + pop %r13 + pop %r14 + pop %r15 + ret + + diff --git a/vale/src/sha256-x86_64-linux.S b/vale/src/sha256-x86_64-linux.S new file mode 100644 index 00000000..450100a1 --- /dev/null 
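Review bot: `_sha256_update` is undocumented and contains no CPUID guard of its own, yet it relies on `sha256rnds2`/`sha256msg1`/`sha256msg2` (SHA extensions), `pshufb` (SSSE3) and `pinsrq` (SSE4.1), so calling it on a CPU without those features is an illegal-instruction crash; dispatch must be gated in the C caller, presumably by the CPU-feature detection added elsewhere in this PR — confirm that every call site goes through it. A header comment above `.global _sha256_update` would also save the next reader from reverse-engineering the register contract from the loop: `# Requires SHA-NI + SSSE3 + SSE4.1; caller must check CPU features first.` and `# rdi = 32-byte hash state (read at 0/16, written back), rsi = input, rdx = number of 64-byte blocks (unsigned, loop uses ja), rcx = 256-byte table read at offsets 0..240 (presumably the SHA-256 K constants — confirm)`. The same comment applies verbatim to the linux, mingw and msvc variants of this file.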
+++ b/vale/src/sha256-x86_64-linux.S 
@@ -0,0 +1,257 @@ +.text +.global sha256_update +sha256_update: + push %r15 + push %r14 + push %r13 + push %r12 + push %rsi + push %rdi + push %rbp + push %rbx + movdqu 0(%rdi), %xmm1 + movdqu 16(%rdi), %xmm2 + mov $289644378169868803, %rax + pinsrq $0, %rax, %xmm7 + mov $868365760874482187, %rax + pinsrq $1, %rax, %xmm7 + pshufd $27, %xmm1, %xmm0 + pshufd $177, %xmm1, %xmm1 + pshufd $27, %xmm2, %xmm2 + movdqu %xmm7, %xmm8 + palignr $8, %xmm2, %xmm1 + shufpd $0, %xmm0, %xmm2 + jmp L1 +.balign 16 +L0: + movdqu 0(%rsi), %xmm3 + movdqu 16(%rsi), %xmm4 + movdqu 32(%rsi), %xmm5 + pshufb %xmm7, %xmm3 + movdqu 48(%rsi), %xmm6 + movdqu 0(%rcx), %xmm0 + paddd %xmm3, %xmm0 + pshufb %xmm7, %xmm4 + movdqu %xmm2, %xmm10 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm1, %xmm9 + sha256rnds2 %xmm2, %xmm1 + movdqu 16(%rcx), %xmm0 + paddd %xmm4, %xmm0 + pshufb %xmm7, %xmm5 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + add $64, %rsi + sha256msg1 %xmm4, %xmm3 + sha256rnds2 %xmm2, %xmm1 + movdqu 32(%rcx), %xmm0 + paddd %xmm5, %xmm0 + pshufb %xmm7, %xmm6 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm6, %xmm7 + palignr $4, %xmm5, %xmm7 + paddd %xmm7, %xmm3 + sha256msg1 %xmm5, %xmm4 + sha256rnds2 %xmm2, %xmm1 + movdqu 48(%rcx), %xmm0 + paddd %xmm6, %xmm0 + sha256msg2 %xmm6, %xmm3 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm3, %xmm7 + palignr $4, %xmm6, %xmm7 + paddd %xmm7, %xmm4 + sha256msg1 %xmm6, %xmm5 + sha256rnds2 %xmm2, %xmm1 + movdqu 64(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + paddd %xmm7, %xmm5 + sha256msg1 %xmm3, %xmm6 + sha256rnds2 %xmm2, %xmm1 + movdqu %xmm3, %xmm7 + movdqu %xmm6, %xmm0 + movdqu %xmm4, %xmm3 + movdqu %xmm5, %xmm4 + movdqu %xmm7, %xmm6 + movdqu %xmm0, %xmm5 + movdqu 80(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, 
%xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + paddd %xmm7, %xmm5 + sha256msg1 %xmm3, %xmm6 + sha256rnds2 %xmm2, %xmm1 + movdqu %xmm3, %xmm7 + movdqu %xmm6, %xmm0 + movdqu %xmm4, %xmm3 + movdqu %xmm5, %xmm4 + movdqu %xmm7, %xmm6 + movdqu %xmm0, %xmm5 + movdqu 96(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + paddd %xmm7, %xmm5 + sha256msg1 %xmm3, %xmm6 + sha256rnds2 %xmm2, %xmm1 + movdqu %xmm3, %xmm7 + movdqu %xmm6, %xmm0 + movdqu %xmm4, %xmm3 + movdqu %xmm5, %xmm4 + movdqu %xmm7, %xmm6 + movdqu %xmm0, %xmm5 + movdqu 112(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + paddd %xmm7, %xmm5 + sha256msg1 %xmm3, %xmm6 + sha256rnds2 %xmm2, %xmm1 + movdqu %xmm3, %xmm7 + movdqu %xmm6, %xmm0 + movdqu %xmm4, %xmm3 + movdqu %xmm5, %xmm4 + movdqu %xmm7, %xmm6 + movdqu %xmm0, %xmm5 + movdqu 128(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + paddd %xmm7, %xmm5 + sha256msg1 %xmm3, %xmm6 + sha256rnds2 %xmm2, %xmm1 + movdqu %xmm3, %xmm7 + movdqu %xmm6, %xmm0 + movdqu %xmm4, %xmm3 + movdqu %xmm5, %xmm4 + movdqu %xmm7, %xmm6 + movdqu %xmm0, %xmm5 + movdqu 144(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + paddd %xmm7, %xmm5 + sha256msg1 %xmm3, %xmm6 + sha256rnds2 %xmm2, %xmm1 + movdqu %xmm3, %xmm7 + movdqu %xmm6, %xmm0 + movdqu %xmm4, %xmm3 + movdqu %xmm5, %xmm4 + movdqu %xmm7, %xmm6 + movdqu %xmm0, %xmm5 + movdqu 160(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + paddd %xmm7, %xmm5 + 
sha256msg1 %xmm3, %xmm6 + sha256rnds2 %xmm2, %xmm1 + movdqu %xmm3, %xmm7 + movdqu %xmm6, %xmm0 + movdqu %xmm4, %xmm3 + movdqu %xmm5, %xmm4 + movdqu %xmm7, %xmm6 + movdqu %xmm0, %xmm5 + movdqu 176(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + paddd %xmm7, %xmm5 + sha256msg1 %xmm3, %xmm6 + sha256rnds2 %xmm2, %xmm1 + movdqu %xmm3, %xmm7 + movdqu %xmm6, %xmm0 + movdqu %xmm4, %xmm3 + movdqu %xmm5, %xmm4 + movdqu %xmm7, %xmm6 + movdqu %xmm0, %xmm5 + movdqu 192(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + paddd %xmm7, %xmm5 + sha256msg1 %xmm3, %xmm6 + sha256rnds2 %xmm2, %xmm1 + movdqu %xmm3, %xmm7 + movdqu %xmm6, %xmm0 + movdqu %xmm4, %xmm3 + movdqu %xmm5, %xmm4 + movdqu %xmm7, %xmm6 + movdqu %xmm0, %xmm5 + movdqu 208(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + sha256rnds2 %xmm2, %xmm1 + paddd %xmm7, %xmm5 + movdqu 224(%rcx), %xmm0 + paddd %xmm4, %xmm0 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + sha256msg2 %xmm4, %xmm5 + movdqu %xmm8, %xmm7 + sha256rnds2 %xmm2, %xmm1 + movdqu 240(%rcx), %xmm0 + paddd %xmm5, %xmm0 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + sub $1, %rdx + sha256rnds2 %xmm2, %xmm1 + paddd %xmm10, %xmm2 + paddd %xmm9, %xmm1 +.balign 16 +L1: + cmp $0, %rdx + ja L0 + pshufd $177, %xmm2, %xmm2 + pshufd $27, %xmm1, %xmm7 + pshufd $177, %xmm1, %xmm1 + shufpd $3, %xmm2, %xmm1 + palignr $8, %xmm7, %xmm2 + movdqu %xmm1, 0(%rdi) + movdqu %xmm2, 16(%rdi) + pop %rbx + pop %rbp + pop %rdi + pop %rsi + pop %r12 + pop %r13 + pop %r14 + pop %r15 + ret + + diff --git a/vale/src/sha256-x86_64-mingw.S b/vale/src/sha256-x86_64-mingw.S new file mode 100644 index 00000000..a833e05e --- /dev/null 
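Review bot: `sha256-x86_64-linux.S` declares no `.note.GNU-stack` section, so when this object is linked with GNU ld the resulting library or executable is marked as requiring an executable stack (newer toolchains warn, older ones do it silently), which disables a basic hardening measure for every program that links HACL*. Add `.section .note.GNU-stack,"",@progbits` at the end of the file after the final `ret`; it is a pure assembler directive and changes no code. The same line should go into every ELF `.S` file generated in this series; the Darwin (Mach-O) and Windows (PE) variants do not need it.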
+++ b/vale/src/sha256-x86_64-mingw.S 
@@ -0,0 +1,341 @@ +.text +.global sha256_update +sha256_update: + pextrq $0, %xmm15, %rax + push %rax + pextrq $1, %xmm15, %rax + push %rax + pextrq $0, %xmm14, %rax + push %rax + pextrq $1, %xmm14, %rax + push %rax + pextrq $0, %xmm13, %rax + push %rax + pextrq $1, %xmm13, %rax + push %rax + pextrq $0, %xmm12, %rax + push %rax + pextrq $1, %xmm12, %rax + push %rax + pextrq $0, %xmm11, %rax + push %rax + pextrq $1, %xmm11, %rax + push %rax + pextrq $0, %xmm10, %rax + push %rax + pextrq $1, %xmm10, %rax + push %rax + pextrq $0, %xmm9, %rax + push %rax + pextrq $1, %xmm9, %rax + push %rax + pextrq $0, %xmm8, %rax + push %rax + pextrq $1, %xmm8, %rax + push %rax + pextrq $0, %xmm7, %rax + push %rax + pextrq $1, %xmm7, %rax + push %rax + pextrq $0, %xmm6, %rax + push %rax + pextrq $1, %xmm6, %rax + push %rax + push %r15 + push %r14 + push %r13 + push %r12 + push %rsi + push %rdi + push %rbp + push %rbx + mov %rcx, %rdi + mov %rdx, %rsi + mov %r8, %rdx + mov %r9, %rcx + movdqu 0(%rdi), %xmm1 + movdqu 16(%rdi), %xmm2 + mov $289644378169868803, %rax + pinsrq $0, %rax, %xmm7 + mov $868365760874482187, %rax + pinsrq $1, %rax, %xmm7 + pshufd $27, %xmm1, %xmm0 + pshufd $177, %xmm1, %xmm1 + pshufd $27, %xmm2, %xmm2 + movdqu %xmm7, %xmm8 + palignr $8, %xmm2, %xmm1 + shufpd $0, %xmm0, %xmm2 + jmp L1 +.balign 16 +L0: + movdqu 0(%rsi), %xmm3 + movdqu 16(%rsi), %xmm4 + movdqu 32(%rsi), %xmm5 + pshufb %xmm7, %xmm3 + movdqu 48(%rsi), %xmm6 + movdqu 0(%rcx), %xmm0 + paddd %xmm3, %xmm0 + pshufb %xmm7, %xmm4 + movdqu %xmm2, %xmm10 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm1, %xmm9 + sha256rnds2 %xmm2, %xmm1 + movdqu 16(%rcx), %xmm0 + paddd %xmm4, %xmm0 + pshufb %xmm7, %xmm5 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + add $64, %rsi + sha256msg1 %xmm4, %xmm3 + sha256rnds2 %xmm2, %xmm1 + movdqu 32(%rcx), %xmm0 + paddd %xmm5, %xmm0 + pshufb %xmm7, %xmm6 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm6, %xmm7 + palignr $4, %xmm5, %xmm7 
+ paddd %xmm7, %xmm3 + sha256msg1 %xmm5, %xmm4 + sha256rnds2 %xmm2, %xmm1 + movdqu 48(%rcx), %xmm0 + paddd %xmm6, %xmm0 + sha256msg2 %xmm6, %xmm3 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm3, %xmm7 + palignr $4, %xmm6, %xmm7 + paddd %xmm7, %xmm4 + sha256msg1 %xmm6, %xmm5 + sha256rnds2 %xmm2, %xmm1 + movdqu 64(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + paddd %xmm7, %xmm5 + sha256msg1 %xmm3, %xmm6 + sha256rnds2 %xmm2, %xmm1 + movdqu %xmm3, %xmm7 + movdqu %xmm6, %xmm0 + movdqu %xmm4, %xmm3 + movdqu %xmm5, %xmm4 + movdqu %xmm7, %xmm6 + movdqu %xmm0, %xmm5 + movdqu 80(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + paddd %xmm7, %xmm5 + sha256msg1 %xmm3, %xmm6 + sha256rnds2 %xmm2, %xmm1 + movdqu %xmm3, %xmm7 + movdqu %xmm6, %xmm0 + movdqu %xmm4, %xmm3 + movdqu %xmm5, %xmm4 + movdqu %xmm7, %xmm6 + movdqu %xmm0, %xmm5 + movdqu 96(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + paddd %xmm7, %xmm5 + sha256msg1 %xmm3, %xmm6 + sha256rnds2 %xmm2, %xmm1 + movdqu %xmm3, %xmm7 + movdqu %xmm6, %xmm0 + movdqu %xmm4, %xmm3 + movdqu %xmm5, %xmm4 + movdqu %xmm7, %xmm6 + movdqu %xmm0, %xmm5 + movdqu 112(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + paddd %xmm7, %xmm5 + sha256msg1 %xmm3, %xmm6 + sha256rnds2 %xmm2, %xmm1 + movdqu %xmm3, %xmm7 + movdqu %xmm6, %xmm0 + movdqu %xmm4, %xmm3 + movdqu %xmm5, %xmm4 + movdqu %xmm7, %xmm6 + movdqu %xmm0, %xmm5 + movdqu 128(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + 
palignr $4, %xmm3, %xmm7 + paddd %xmm7, %xmm5 + sha256msg1 %xmm3, %xmm6 + sha256rnds2 %xmm2, %xmm1 + movdqu %xmm3, %xmm7 + movdqu %xmm6, %xmm0 + movdqu %xmm4, %xmm3 + movdqu %xmm5, %xmm4 + movdqu %xmm7, %xmm6 + movdqu %xmm0, %xmm5 + movdqu 144(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + paddd %xmm7, %xmm5 + sha256msg1 %xmm3, %xmm6 + sha256rnds2 %xmm2, %xmm1 + movdqu %xmm3, %xmm7 + movdqu %xmm6, %xmm0 + movdqu %xmm4, %xmm3 + movdqu %xmm5, %xmm4 + movdqu %xmm7, %xmm6 + movdqu %xmm0, %xmm5 + movdqu 160(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + paddd %xmm7, %xmm5 + sha256msg1 %xmm3, %xmm6 + sha256rnds2 %xmm2, %xmm1 + movdqu %xmm3, %xmm7 + movdqu %xmm6, %xmm0 + movdqu %xmm4, %xmm3 + movdqu %xmm5, %xmm4 + movdqu %xmm7, %xmm6 + movdqu %xmm0, %xmm5 + movdqu 176(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + paddd %xmm7, %xmm5 + sha256msg1 %xmm3, %xmm6 + sha256rnds2 %xmm2, %xmm1 + movdqu %xmm3, %xmm7 + movdqu %xmm6, %xmm0 + movdqu %xmm4, %xmm3 + movdqu %xmm5, %xmm4 + movdqu %xmm7, %xmm6 + movdqu %xmm0, %xmm5 + movdqu 192(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + paddd %xmm7, %xmm5 + sha256msg1 %xmm3, %xmm6 + sha256rnds2 %xmm2, %xmm1 + movdqu %xmm3, %xmm7 + movdqu %xmm6, %xmm0 + movdqu %xmm4, %xmm3 + movdqu %xmm5, %xmm4 + movdqu %xmm7, %xmm6 + movdqu %xmm0, %xmm5 + movdqu 208(%rcx), %xmm0 + paddd %xmm3, %xmm0 + sha256msg2 %xmm3, %xmm4 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + movdqu %xmm4, %xmm7 + palignr $4, %xmm3, %xmm7 + sha256rnds2 %xmm2, %xmm1 + paddd %xmm7, %xmm5 + movdqu 
224(%rcx), %xmm0 + paddd %xmm4, %xmm0 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + sha256msg2 %xmm4, %xmm5 + movdqu %xmm8, %xmm7 + sha256rnds2 %xmm2, %xmm1 + movdqu 240(%rcx), %xmm0 + paddd %xmm5, %xmm0 + sha256rnds2 %xmm1, %xmm2 + pshufd $14, %xmm0, %xmm0 + sub $1, %rdx + sha256rnds2 %xmm2, %xmm1 + paddd %xmm10, %xmm2 + paddd %xmm9, %xmm1 +.balign 16 +L1: + cmp $0, %rdx + ja L0 + pshufd $177, %xmm2, %xmm2 + pshufd $27, %xmm1, %xmm7 + pshufd $177, %xmm1, %xmm1 + shufpd $3, %xmm2, %xmm1 + palignr $8, %xmm7, %xmm2 + movdqu %xmm1, 0(%rdi) + movdqu %xmm2, 16(%rdi) + pop %rbx + pop %rbp + pop %rdi + pop %rsi + pop %r12 + pop %r13 + pop %r14 + pop %r15 + pop %rax + pinsrq $1, %rax, %xmm6 + pop %rax + pinsrq $0, %rax, %xmm6 + pop %rax + pinsrq $1, %rax, %xmm7 + pop %rax + pinsrq $0, %rax, %xmm7 + pop %rax + pinsrq $1, %rax, %xmm8 + pop %rax + pinsrq $0, %rax, %xmm8 + pop %rax + pinsrq $1, %rax, %xmm9 + pop %rax + pinsrq $0, %rax, %xmm9 + pop %rax + pinsrq $1, %rax, %xmm10 + pop %rax + pinsrq $0, %rax, %xmm10 + pop %rax + pinsrq $1, %rax, %xmm11 + pop %rax + pinsrq $0, %rax, %xmm11 + pop %rax + pinsrq $1, %rax, %xmm12 + pop %rax + pinsrq $0, %rax, %xmm12 + pop %rax + pinsrq $1, %rax, %xmm13 + pop %rax + pinsrq $0, %rax, %xmm13 + pop %rax + pinsrq $1, %rax, %xmm14 + pop %rax + pinsrq $0, %rax, %xmm14 + pop %rax + pinsrq $1, %rax, %xmm15 + pop %rax + pinsrq $0, %rax, %xmm15 + ret + + diff --git a/vale/src/sha256-x86_64-msvc.asm b/vale/src/sha256-x86_64-msvc.asm new file mode 100644 index 00000000..9bdde169 --- /dev/null +++ b/vale/src/sha256-x86_64-msvc.asm 
@@ -0,0 +1,341 @@ +.code +ALIGN 16 +sha256_update proc + pextrq rax, xmm15, 0 + push rax + pextrq rax, xmm15, 1 + push rax + pextrq rax, xmm14, 0 + push rax + pextrq rax, xmm14, 1 + push rax + pextrq rax, xmm13, 0 + push rax + pextrq rax, xmm13, 1 + push rax + pextrq rax, xmm12, 0 + push rax + pextrq rax, xmm12, 1 + push rax + pextrq rax, xmm11, 0 + push rax + pextrq rax, xmm11, 1 + push rax + pextrq rax, xmm10, 0 + push rax + pextrq rax, xmm10, 1 + push rax + pextrq rax, xmm9, 0 + push rax + pextrq rax, xmm9, 1 + push rax + pextrq rax, xmm8, 0 + push rax + pextrq rax, xmm8, 1 + push rax + pextrq rax, xmm7, 0 + push rax + pextrq rax, xmm7, 1 + push rax + pextrq rax, xmm6, 0 + push rax + pextrq rax, xmm6, 1 + push rax + push r15 + push r14 + push r13 + push r12 + push rsi + push rdi + push rbp + push rbx + mov rdi, rcx + mov rsi, rdx + mov rdx, r8 + mov rcx, r9 + movdqu xmm1, xmmword ptr [rdi + 0] + movdqu xmm2, xmmword ptr [rdi + 16] + mov rax, 289644378169868803 + pinsrq xmm7, rax, 0 + mov rax, 868365760874482187 + pinsrq xmm7, rax, 1 + pshufd xmm0, xmm1, 27 + pshufd xmm1, xmm1, 177 + pshufd xmm2, xmm2, 27 + movdqu xmm8, xmm7 + palignr xmm1, xmm2, 8 + shufpd xmm2, xmm0, 0 + jmp L1 +ALIGN 16 +L0: + movdqu xmm3, xmmword ptr [rsi + 0] + movdqu xmm4, xmmword ptr [rsi + 16] + movdqu xmm5, xmmword ptr [rsi + 32] + pshufb xmm3, xmm7 + movdqu xmm6, xmmword ptr [rsi + 48] + movdqu xmm0, xmmword ptr [rcx + 0] + paddd xmm0, xmm3 + pshufb xmm4, xmm7 + movdqu xmm10, xmm2 + sha256rnds2 xmm2, xmm1, xmm0 + pshufd xmm0, xmm0, 14 + movdqu xmm9, xmm1 + sha256rnds2 xmm1, xmm2, xmm0 + movdqu xmm0, xmmword ptr [rcx + 16] + paddd xmm0, xmm4 + pshufb xmm5, xmm7 + sha256rnds2 xmm2, xmm1, xmm0 + pshufd xmm0, xmm0, 14 + add rsi, 64 + sha256msg1 xmm3, xmm4 + sha256rnds2 xmm1, xmm2, xmm0 + movdqu xmm0, xmmword ptr [rcx + 32] + paddd xmm0, xmm5 + pshufb xmm6, xmm7 + sha256rnds2 xmm2, xmm1, xmm0 + pshufd xmm0, xmm0, 14 + movdqu xmm7, xmm6 + palignr xmm7, xmm5, 4 + paddd xmm3, xmm7 + sha256msg1 
xmm4, xmm5 + sha256rnds2 xmm1, xmm2, xmm0 + movdqu xmm0, xmmword ptr [rcx + 48] + paddd xmm0, xmm6 + sha256msg2 xmm3, xmm6 + sha256rnds2 xmm2, xmm1, xmm0 + pshufd xmm0, xmm0, 14 + movdqu xmm7, xmm3 + palignr xmm7, xmm6, 4 + paddd xmm4, xmm7 + sha256msg1 xmm5, xmm6 + sha256rnds2 xmm1, xmm2, xmm0 + movdqu xmm0, xmmword ptr [rcx + 64] + paddd xmm0, xmm3 + sha256msg2 xmm4, xmm3 + sha256rnds2 xmm2, xmm1, xmm0 + pshufd xmm0, xmm0, 14 + movdqu xmm7, xmm4 + palignr xmm7, xmm3, 4 + paddd xmm5, xmm7 + sha256msg1 xmm6, xmm3 + sha256rnds2 xmm1, xmm2, xmm0 + movdqu xmm7, xmm3 + movdqu xmm0, xmm6 + movdqu xmm3, xmm4 + movdqu xmm4, xmm5 + movdqu xmm6, xmm7 + movdqu xmm5, xmm0 + movdqu xmm0, xmmword ptr [rcx + 80] + paddd xmm0, xmm3 + sha256msg2 xmm4, xmm3 + sha256rnds2 xmm2, xmm1, xmm0 + pshufd xmm0, xmm0, 14 + movdqu xmm7, xmm4 + palignr xmm7, xmm3, 4 + paddd xmm5, xmm7 + sha256msg1 xmm6, xmm3 + sha256rnds2 xmm1, xmm2, xmm0 + movdqu xmm7, xmm3 + movdqu xmm0, xmm6 + movdqu xmm3, xmm4 + movdqu xmm4, xmm5 + movdqu xmm6, xmm7 + movdqu xmm5, xmm0 + movdqu xmm0, xmmword ptr [rcx + 96] + paddd xmm0, xmm3 + sha256msg2 xmm4, xmm3 + sha256rnds2 xmm2, xmm1, xmm0 + pshufd xmm0, xmm0, 14 + movdqu xmm7, xmm4 + palignr xmm7, xmm3, 4 + paddd xmm5, xmm7 + sha256msg1 xmm6, xmm3 + sha256rnds2 xmm1, xmm2, xmm0 + movdqu xmm7, xmm3 + movdqu xmm0, xmm6 + movdqu xmm3, xmm4 + movdqu xmm4, xmm5 + movdqu xmm6, xmm7 + movdqu xmm5, xmm0 + movdqu xmm0, xmmword ptr [rcx + 112] + paddd xmm0, xmm3 + sha256msg2 xmm4, xmm3 + sha256rnds2 xmm2, xmm1, xmm0 + pshufd xmm0, xmm0, 14 + movdqu xmm7, xmm4 + palignr xmm7, xmm3, 4 + paddd xmm5, xmm7 + sha256msg1 xmm6, xmm3 + sha256rnds2 xmm1, xmm2, xmm0 + movdqu xmm7, xmm3 + movdqu xmm0, xmm6 + movdqu xmm3, xmm4 + movdqu xmm4, xmm5 + movdqu xmm6, xmm7 + movdqu xmm5, xmm0 + movdqu xmm0, xmmword ptr [rcx + 128] + paddd xmm0, xmm3 + sha256msg2 xmm4, xmm3 + sha256rnds2 xmm2, xmm1, xmm0 + pshufd xmm0, xmm0, 14 + movdqu xmm7, xmm4 + palignr xmm7, xmm3, 4 + paddd xmm5, xmm7 + 
sha256msg1 xmm6, xmm3 + sha256rnds2 xmm1, xmm2, xmm0 + movdqu xmm7, xmm3 + movdqu xmm0, xmm6 + movdqu xmm3, xmm4 + movdqu xmm4, xmm5 + movdqu xmm6, xmm7 + movdqu xmm5, xmm0 + movdqu xmm0, xmmword ptr [rcx + 144] + paddd xmm0, xmm3 + sha256msg2 xmm4, xmm3 + sha256rnds2 xmm2, xmm1, xmm0 + pshufd xmm0, xmm0, 14 + movdqu xmm7, xmm4 + palignr xmm7, xmm3, 4 + paddd xmm5, xmm7 + sha256msg1 xmm6, xmm3 + sha256rnds2 xmm1, xmm2, xmm0 + movdqu xmm7, xmm3 + movdqu xmm0, xmm6 + movdqu xmm3, xmm4 + movdqu xmm4, xmm5 + movdqu xmm6, xmm7 + movdqu xmm5, xmm0 + movdqu xmm0, xmmword ptr [rcx + 160] + paddd xmm0, xmm3 + sha256msg2 xmm4, xmm3 + sha256rnds2 xmm2, xmm1, xmm0 + pshufd xmm0, xmm0, 14 + movdqu xmm7, xmm4 + palignr xmm7, xmm3, 4 + paddd xmm5, xmm7 + sha256msg1 xmm6, xmm3 + sha256rnds2 xmm1, xmm2, xmm0 + movdqu xmm7, xmm3 + movdqu xmm0, xmm6 + movdqu xmm3, xmm4 + movdqu xmm4, xmm5 + movdqu xmm6, xmm7 + movdqu xmm5, xmm0 + movdqu xmm0, xmmword ptr [rcx + 176] + paddd xmm0, xmm3 + sha256msg2 xmm4, xmm3 + sha256rnds2 xmm2, xmm1, xmm0 + pshufd xmm0, xmm0, 14 + movdqu xmm7, xmm4 + palignr xmm7, xmm3, 4 + paddd xmm5, xmm7 + sha256msg1 xmm6, xmm3 + sha256rnds2 xmm1, xmm2, xmm0 + movdqu xmm7, xmm3 + movdqu xmm0, xmm6 + movdqu xmm3, xmm4 + movdqu xmm4, xmm5 + movdqu xmm6, xmm7 + movdqu xmm5, xmm0 + movdqu xmm0, xmmword ptr [rcx + 192] + paddd xmm0, xmm3 + sha256msg2 xmm4, xmm3 + sha256rnds2 xmm2, xmm1, xmm0 + pshufd xmm0, xmm0, 14 + movdqu xmm7, xmm4 + palignr xmm7, xmm3, 4 + paddd xmm5, xmm7 + sha256msg1 xmm6, xmm3 + sha256rnds2 xmm1, xmm2, xmm0 + movdqu xmm7, xmm3 + movdqu xmm0, xmm6 + movdqu xmm3, xmm4 + movdqu xmm4, xmm5 + movdqu xmm6, xmm7 + movdqu xmm5, xmm0 + movdqu xmm0, xmmword ptr [rcx + 208] + paddd xmm0, xmm3 + sha256msg2 xmm4, xmm3 + sha256rnds2 xmm2, xmm1, xmm0 + pshufd xmm0, xmm0, 14 + movdqu xmm7, xmm4 + palignr xmm7, xmm3, 4 + sha256rnds2 xmm1, xmm2, xmm0 + paddd xmm5, xmm7 + movdqu xmm0, xmmword ptr [rcx + 224] + paddd xmm0, xmm4 + sha256rnds2 xmm2, xmm1, xmm0 + 
pshufd xmm0, xmm0, 14 + sha256msg2 xmm5, xmm4 + movdqu xmm7, xmm8 + sha256rnds2 xmm1, xmm2, xmm0 + movdqu xmm0, xmmword ptr [rcx + 240] + paddd xmm0, xmm5 + sha256rnds2 xmm2, xmm1, xmm0 + pshufd xmm0, xmm0, 14 + sub rdx, 1 + sha256rnds2 xmm1, xmm2, xmm0 + paddd xmm2, xmm10 + paddd xmm1, xmm9 +ALIGN 16 +L1: + cmp rdx, 0 + ja L0 + pshufd xmm2, xmm2, 177 + pshufd xmm7, xmm1, 27 + pshufd xmm1, xmm1, 177 + shufpd xmm1, xmm2, 3 + palignr xmm2, xmm7, 8 + movdqu xmmword ptr [rdi + 0], xmm1 + movdqu xmmword ptr [rdi + 16], xmm2 + pop rbx + pop rbp + pop rdi + pop rsi + pop r12 + pop r13 + pop r14 + pop r15 + pop rax + pinsrq xmm6, rax, 1 + pop rax + pinsrq xmm6, rax, 0 + pop rax + pinsrq xmm7, rax, 1 + pop rax + pinsrq xmm7, rax, 0 + pop rax + pinsrq xmm8, rax, 1 + pop rax + pinsrq xmm8, rax, 0 + pop rax + pinsrq xmm9, rax, 1 + pop rax + pinsrq xmm9, rax, 0 + pop rax + pinsrq xmm10, rax, 1 + pop rax + pinsrq xmm10, rax, 0 + pop rax + pinsrq xmm11, rax, 1 + pop rax + pinsrq xmm11, rax, 0 + pop rax + pinsrq xmm12, rax, 1 + pop rax + pinsrq xmm12, rax, 0 + pop rax + pinsrq xmm13, rax, 1 + pop rax + pinsrq xmm13, rax, 0 + pop rax + pinsrq xmm14, rax, 1 + pop rax + pinsrq xmm14, rax, 0 + pop rax + pinsrq xmm15, rax, 1 + pop rax + pinsrq xmm15, rax, 0 + ret +sha256_update endp +end